165 files changed, 20712 insertions, 396 deletions
diff --git a/crypto/heimdal/appl/Makefile.in b/crypto/heimdal/appl/Makefile.in
index 2690db2..ae89497 100644
--- a/crypto/heimdal/appl/Makefile.in
+++ b/crypto/heimdal/appl/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -119,7 +120,7 @@ install_sh = @install_sh@
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = $(PROGRAMS)
 
 @OTP_TRUE@dir_otp = @OTP_TRUE@otp
@@ -227,7 +230,7 @@ DIST_SUBDIRS =  afsutil ftp login otp popper push rsh rcp su xnlock \
 telnet test kx kf dceutils
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .et .h .x
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/Makefile
 
@@ -268,11 +271,16 @@ mostlyclean-recursive clean-recursive distclean-recursive \
 maintainer-clean-recursive:
 	@set fnord $(MAKEFLAGS); amf=$$2; \
 	dot_seen=no; \
-	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
-	  rev="$$subdir $$rev"; \
-	  if test "$$subdir" = "."; then dot_seen=yes; else :; fi; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
 	done; \
-	test "$$dot_seen" = "no" && rev=". $$rev"; \
+	rev="$$rev ."; \
 	target=`echo $@ | sed s/-recursive//`; \
 	for subdir in $$rev; do \
 	  echo "Making $$target in $$subdir"; \
@@ -318,6 +326,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
diff --git a/crypto/heimdal/appl/afsutil/ChangeLog b/crypto/heimdal/appl/afsutil/ChangeLog
index af83aef..8dfd532 100644
--- a/crypto/heimdal/appl/afsutil/ChangeLog
+++ b/crypto/heimdal/appl/afsutil/ChangeLog
@@ -1,3 +1,7 @@
+2001-05-17  Assar Westerlund  <assar@sics.se>
+
+	* afslog.c (main): call free_getarg_strings
+
 2000-12-31  Assar Westerlund  <assar@sics.se>
 
 	* afslog.c (main): handle krb5_init_context failure consistently
diff --git a/crypto/heimdal/appl/afsutil/Makefile.in b/crypto/heimdal/appl/afsutil/Makefile.in
index 24f5a61..44d5b58 100644
--- a/crypto/heimdal/appl/afsutil/Makefile.in
+++ b/crypto/heimdal/appl/afsutil/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -119,7 +120,7 @@ install_sh = @install_sh@
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = $(PROGRAMS)
 
 @KRB4_TRUE@AFSPROGS = @KRB4_TRUE@afslog pagsh
@@ -253,7 +256,7 @@ OBJECTS = $(am_afslog_OBJECTS) $(am_pagsh_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/afsutil/Makefile
 
@@ -349,6 +352,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
diff --git a/crypto/heimdal/appl/afsutil/afslog.c b/crypto/heimdal/appl/afsutil/afslog.c
index f557421..5451b22 100644
--- a/crypto/heimdal/appl/afsutil/afslog.c
+++ b/crypto/heimdal/appl/afsutil/afslog.c
@@ -33,7 +33,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: afslog.c,v 1.14 2001/01/25 12:44:46 assar Exp $");
+RCSID("$Id: afslog.c,v 1.16 2001/05/16 22:10:15 assar Exp $");
 #endif
 #include <ctype.h>
 #include <krb5.h>
@@ -179,7 +179,7 @@ main(int argc, char **argv)
     int num;
     int ret = 0;
     
-    set_progname(argv[0]);
+    setprogname(argv[0]);
 
     if(getarg(args, num_args, argc, argv, &optind))
 	usage(1);
@@ -206,10 +206,12 @@ main(int argc, char **argv)
     for(i = 0; i < files.num_strings; i++){
 	afslog_file(context, id, files.strings[i]);
 	num++;
+	free_getarg_strings (&files);
     }
     for(i = 0; i < cells.num_strings; i++){
 	afslog_cell(context, id, cells.strings[i], 1);
 	num++;
+	free_getarg_strings (&cells);
     }
     for(i = optind; i < argc; i++){
 	num++;
diff --git a/crypto/heimdal/appl/dceutils/ChangeLog b/crypto/heimdal/appl/dceutils/ChangeLog
new file mode 100644
index 0000000..8d991ca
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/ChangeLog
@@ -0,0 +1,18 @@
+2001-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (dpagaix): needs to be linked with ld, add an
+	explicit command for it.  from Ake Sandgren <ake@cs.umu.se>
+
+2000-10-02  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: link with roken on everything except irix, where
+	apperently it fails.  reported by Ake Sandgren <ake@cs.umu.se>
+
+2000-07-17  Johan Danielsson  <joda@pdc.kth.se>
+
+	* Makefile.am: set compiler flags
+
+2000-07-01  Assar Westerlund  <assar@sics.se>
+
+	* imported stuff from Ake Sandgren <ake@cs.umu.se>
+
diff --git a/crypto/heimdal/appl/dceutils/Makefile.am b/crypto/heimdal/appl/dceutils/Makefile.am
new file mode 100644
index 0000000..bc7ebef
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/Makefile.am
@@ -0,0 +1,30 @@
+# $Id: Makefile.am,v 1.6 2001/02/07 22:45:37 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+
+DFSPROGS = k5dcecon
+if AIX
+AIX_DFSPROGS = dpagaix
+endif
+
+libexec_PROGRAMS = $(DFSPROGS) $(AIX_DFSPROGS)
+
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDFLAGS = @dpagaix_LDFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+
+dpagaix: $(dpagaix_OBJECTS)
+	ld -edpagaix -o dpagaix $(dpagaix_OBJECTS) $(srcdir)/dfspag.exp
+
+LIB_dce = -ldce
+
+k5dcecon_SOURCES  = k5dcecon.c k5dce.h
+
+dpagaix_SOURCES = dpagaix.c
+
+if IRIX
+LDADD = $(LIB_dce)
+else
+LDADD = $(LIB_roken) $(LIB_dce)
+endif
diff --git a/crypto/heimdal/appl/dceutils/Makefile.in b/crypto/heimdal/appl/dceutils/Makefile.in
new file mode 100644
index 0000000..4138b1c
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/Makefile.in
@@ -0,0 +1,594 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.6 2001/02/07 22:45:37 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+DFSPROGS = k5dcecon
+@AIX_TRUE@AIX_DFSPROGS = @AIX_TRUE@dpagaix
+
+libexec_PROGRAMS = $(DFSPROGS) $(AIX_DFSPROGS)
+
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDFLAGS = @dpagaix_LDFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+
+LIB_dce = -ldce
+
+k5dcecon_SOURCES = k5dcecon.c k5dce.h
+
+dpagaix_SOURCES = dpagaix.c
+@IRIX_TRUE@LDADD = @IRIX_TRUE@$(LIB_dce)
+@IRIX_FALSE@LDADD = @IRIX_FALSE@$(LIB_roken) $(LIB_dce)
+subdir = appl/dceutils
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+@AIX_FALSE@libexec_PROGRAMS =  k5dcecon$(EXEEXT)
+@AIX_TRUE@libexec_PROGRAMS =  k5dcecon$(EXEEXT) dpagaix$(EXEEXT)
+PROGRAMS =  $(libexec_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_dpagaix_OBJECTS =  dpagaix-dpagaix.$(OBJEXT)
+dpagaix_OBJECTS =  $(am_dpagaix_OBJECTS)
+dpagaix_DEPENDENCIES = 
+am_k5dcecon_OBJECTS =  k5dcecon.$(OBJEXT)
+k5dcecon_OBJECTS =  $(am_k5dcecon_OBJECTS)
+k5dcecon_LDADD = $(LDADD)
+@IRIX_FALSE@k5dcecon_DEPENDENCIES = 
+@IRIX_TRUE@k5dcecon_DEPENDENCIES = 
+k5dcecon_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(dpagaix_SOURCES) $(k5dcecon_SOURCES)
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in compile
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(dpagaix_SOURCES) $(k5dcecon_SOURCES)
+OBJECTS = $(am_dpagaix_OBJECTS) $(am_k5dcecon_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/dceutils/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+dpagaix-dpagaix.$(OBJEXT): dpagaix.c
+	$(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(dpagaix_CFLAGS) $(CFLAGS) -c -o dpagaix-dpagaix.$(OBJEXT) `test -f dpagaix.c || echo '$(srcdir)/'`dpagaix.c
+
+dpagaix$(EXEEXT): $(dpagaix_OBJECTS) $(dpagaix_DEPENDENCIES)
+	@rm -f dpagaix$(EXEEXT)
+	$(LINK) $(dpagaix_LDFLAGS) $(dpagaix_OBJECTS) $(dpagaix_LDADD) $(LIBS)
+
+k5dcecon$(EXEEXT): $(k5dcecon_OBJECTS) $(k5dcecon_DEPENDENCIES)
+	@rm -f k5dcecon$(EXEEXT)
+	$(LINK) $(k5dcecon_LDFLAGS) $(k5dcecon_OBJECTS) $(k5dcecon_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libexecPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libexecPROGRAMS
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libexecdir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libexecPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libexecPROGRAMS distclean-compile \
+		distclean-libtool distclean-tags distclean-generic \
+		clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+dpagaix: $(dpagaix_OBJECTS)
+	ld -edpagaix -o dpagaix $(dpagaix_OBJECTS) $(srcdir)/dfspag.exp
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/dceutils/README.dcedfs b/crypto/heimdal/appl/dceutils/README.dcedfs
new file mode 100644
index 0000000..80a06fe
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/README.dcedfs
@@ -0,0 +1,59 @@
+This is a set of patches and files to get a DFS ticket from a k5 ticket.
+This code comes from Doug Engert, Argonne Nat. Lab (See dce/README.original
+for more info)
+
+The files in dce are;
+testpag: for testing if this is at all possible.
+k5dfspag: included in libkrb5
+k5dcecon: Creates (or searches for) the actual DFSPAG ticketfile.
+dpagaix: An AIX syscall stub.
+README.original: Original README file from Doug Engert
+
+
+Certain applications (rshd/telnetd) have been patched to call the
+functions in k5dfspag when the situation is right. They are ifdef
+with DCE. The patches are also originally from Doug but they
+where against MIT krb5 code and have been merged into heimdal by me.
+I will try to fix ftpd soon...
+
+There is also an ifdefs for DCE && AIX that can be used to make AIX
+use DCE for getting group/passwd entries. This is needed if one is running
+with a bare bones passwd/group file and AUTHSTATE set to DCE (This will be
+more or less clear to people doing this...) I have forced this on for now.
+
+k5dfspag.c is in lib/krb5
+k5dfspag.c is dependent on DCE only.
+It is also POSIX systems only. There are defines for the location of
+k5dcecon and dpagaix that needs a correct configure setting.
+
+k5dcecon needs no special things for the compile except whatever is needed
+on the target system to compile dce programs.
+(On aix the dce compile flags are: -D_THREAD_SAFE -D_AIX32_THREADS=1 -D_AIX41 -D_AES_SOURCE or one can use xlc_r4 if it is version 3.6.4 or later)
+
+k5dcecon wants the following libs (on aix 4.3):
+-ldce (and setenv from somewhere)
+
+dpagaix is only needed on AIX (see k5dfspag.c).
+dpagaix needs dfspag.exp and is linked with
+ld -edpagaix -o dpagaix dpagaix.o dfspag.exp
+
+
+Hope to get this into heimdal soon :-) although I know that you will have to
+change some things to get it cleanly into configure. Since I don't know the
+structure of the code (heimdal), nor enough of configure, good enough I
+just won't try it myself.
+
+One more thing, to get this to work one has to put fcache_version = x in
+krb5.conf where x = whatever the DCE implementation understands, (usually
+1 or 2).
+Thanks for adding that...
+
+
+�ke Sandgren (ake@hpc2n.umu.se)
+HPC2N
+Ume� University
+Sweden
+
+PS
+I have now added patches for configure.in and some Makefile.am's to get this
+all cleanly (I hope) into heimdal.
diff --git a/crypto/heimdal/appl/dceutils/README.original b/crypto/heimdal/appl/dceutils/README.original
new file mode 100644
index 0000000..7283c38
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/README.original
@@ -0,0 +1,335 @@
+KERBEROS and DCE INTEROPERABILITY ROUTINES
+
+WHAT'S NEW
+
+When k5dcecon was examining the ticket caches looking to 
+update one with a newer TGT, it might update the wrong
+one for the correct user.  This problem was reported by PNNL,
+and is now fixed.
+
+Any Kerberized application can now use a forwarded TGT to establish a
+DCE context, or can use a previously established DCE context. This is
+both a functional improvement and a performance improvement.
+
+BACKGROUND
+
+The MIT Kerberos 5 Release 1.x and DCE 1.1 can interoperate in a
+number of ways. This is possible because:
+
+ o DCE used Kerberos 5 internally. Based on the MIT code as of beta 4
+   or so, with additional changes. 
+
+ o The DCE security server can act as a K5 KDC, as defined in RFC 1510
+   and responds on port 88. 
+
+ o On the clients, DCE and Kerberos use the same format for the ticket
+   cache, and then can share it. The KRB5CCNAME environment variable points
+   at the cache.   
+ 
+ o On the clients, DCE and Kerberos use the same format for the srvtab
+   file. DCE refers to is a /krb5/v5srvtab and Kerberos as
+   /etc/krb5.keytab. They can be symlinked.  
+
+ o MIT has added many options to the krb5.conf configuration file
+   which allows newer features of Release 1.0 to be turned off to match
+   the earlier version of Kerberos upon which DCE is based. 
+
+ o DCE will accept a externally obtained Kerberos TGT in place of a
+   password when establishing a DCE context. 
+
+There are some areas where they differ, including the following:
+ 
+ o Administration of the database and the keytab files is done by the
+   DCE routines, rather the the Kerberos kadmin.
+
+ o User password changes must be done using the DCE commands. Kpasswd
+   does not work. (But there are mods to Kerberos to use the v5passwd 
+   with DCE.  
+
+ o DCE goes beyond authentication only, and provides authorization via
+   the PAC, and the dce-ptgt tickets stored in the cache. Thus a
+   Kerberos KDC can not act as a DCE security server. 
+
+ o A DCE cell and Kerberos realm can cross-realm authenticate, but 
+   there can be no intermediate realms. (There are other problems
+   in this area as well. But directly connected realms/cells do work.)
+
+ o You can't link a module with the DCE library and the Kerberos
+   library. They have conflicting routines, static data and structures.  
+ 
+One of the main features of DCE is the Distributed File System
+DFS. Access to DFS requires authentication and authorization, and when
+one uses a Kerberized network utility such as telnet, a forwarded
+Kerberos ticket can be used to establish the DCE context to allow
+access to DFS.  
+
+
+NEW TO THIS RELEASE
+
+This release introduces sharing of a DCE context, and PAG, and allows
+any Kerberized application to establish or share the context. This is
+made possible by using an undocumented feature of DCE which is on at
+least the Transarc and IBM releases of DCE 1.1.
+
+I am in the process of trying to get this contributed to the general
+DCE 1.2.2 release as a patch, so it could be included in other vendors
+products.  HP has expressed interest in doing this, as well as the
+OpenGroup if the modification is contributed. You can help by
+requesting Transarc and/or IBM to submit this modification to the
+OpenGroup and ask your vendor to adopt this modification.
+
+The feature is a modification to the setpag() system call which will
+allow an authorized process to set the PAG to a specific value, and
+thus allow unrelated processes to share the same PAG.
+
+This then allows the Kerberized daemons such as kshd, to exec a DCE
+module which established the DCE context. Kshd then sets the
+KRB5CCNAME environment variable and then issues the setpag() to use
+this context. This solves the linking problem. This is done via the
+k5dfspag.c routine.
+
+The k5dfspag.c code is compiled with the lib/krb5/os routines and
+included in the libkrb5. A daemon calls krb5_dfs_pag after the
+krb5_kuserok has determined that the Kerberos principal and local
+userid pair are acceptable. This should be done early so as to give
+the daemon access to the home directory which may be located on DFS.  
+If the .k5login file is used by krb5_kuserok it will need to be
+accessed by the daemon and will need special ACL handling.  
+
+The krb5_dfs_pag routine will exec the k5dcecon module to do all the
+real work. Upon return, if a PAG is obtained, krb5_dfs_pag with set
+the PAG for the current process to the returned PAG value. It will
+also set the KRB5CCNAME environment as well. Under DCE the PAG value
+is the nnnnnnn part of the name of the cache:
+FILE:/opt/dcelocal/var/security/creds/dcecred_nnnnnnnn. 
+
+The k5dcecon routine will attempt to use TGT which may have been
+forwarded, to convert it to a DCE context. If there is no TGT, an
+attempt will be made to join an existing PAG for the local userid, and
+Kerberos principal. If there are existing PAGs, and a forwarded TGT,
+k5dcecon will check the lifetime of the forwarded TGT, and if it is
+less then the lifetime of the PAG, it will just join the PAG. If it
+is greater, it will refresh the PAG using the forwarded TGT. 
+This approach has the advantage of not requiring many new tickets from
+having to be obtained, and allows one to refresh a DCE context, or use
+an already established context. 
+
+If the system also has AFS, the AFS krb5_afs_pag should be called
+after the krb5_dfs_pag, since cache pointed at via the KRB5CCNAME may
+have changed, such as if a DFS PAG has been joined. The AFS code does
+not have the capability to join an existing AFS PAG, but can use the
+same cache which might already had a
+afsx/<afs.cell.name>@<k5.realm.name> service ticket.
+
+
+WHAT'S IN THIS RELEASE
+
+The k5prelogin, k5dcelogin, k5afslogin (with ak5log) were designed to
+be slipped in between telnetd or klogind and login.krb5. They would
+use a forwarded Kerberos ticket to establish a DCE context.  They are
+the older programs which are included here. They work on all DCE
+platforms, and don't take advantage of the undocumented setpag
+feature. (A version of k5dcelogin is being included with DCE 1.2.2)
+ 
+K5dcecon is the new program which can be used to create, update or
+join a DCE context. k5dcecon returns KRB5CCNAME string which contains
+the PAG.
+
+k5dfspag.c is to be built in the MIT Kerberos 5 release 1.0 patchlevel
+1 and added to the libkrb5. It will exec k5dcecon and upon return set
+the KRB5CCNAME and PAG. Mods to Kerberized klogind, rshd, telnetd,
+ftpd are available to use the k5dfspag. 
+
+Testpag.c is a test programs to see if the PAG can be set.
+
+The cpwkey.c routine can be used to change a key in the DCE registry,
+by adding the key directly, or by setting the salt/pepper and password
+or by providing the key and the pepper. This could be useful when
+coping keys from a K4 or AFS database to DCE. It can also be used when
+setting a DCE to K5 cross-cell key.  This program is a test program
+For mass inserts, it should be rewritten to read from stdin.
+
+K5dcelogin can also be called directly, much like dce_login.
+I use the following commands in effect do the same thing as dce_login
+and get a forwardable ticket, DCE context and an AFS token:
+
+  #!/bin/csh
+  # simulate a dce_login using krb5 kinit and k5dcelogin
+  #
+  setenv KRB5CCNAME FILE:/tmp/krb5cc_p$$
+  /krb5/bin/kinit -f
+  exec /krb5/sbin/k5dcelogin /krb5/sbin/k5afslogin /bin/csh
+  #exec /krb5/sbin/k5dcelogin  /bin/csh
+
+This could be useful in a mixed cell where "AS_REQ" messages are
+handled by a K5 KDC, but DCE RPCs are handled by the DCE security
+server.
+
+TESTING THE SETPAG
+
+The krb5_dfs_pag routine relies on an undocumented feature which is
+in the AIX and Transarc Solaris ports of DCE and has been recently
+added to the SGI version.  To test if this feature is present 
+on some other DFS implementation use the testpag routine. 
+
+The testpag routine attempts to set a PAG value to one you supply. It
+uses the afs_syscall with the afs_setpag, and passes the supplied 
+PAG value as the next parameter. On an unmodifed system, this 
+will be ignored, and a new will be set. You should also check that
+if run as a user, you cannot join a PAG owned by another user. 
+When run as root, any PAG should be usable. 
+
+On a machine with DFS running, do a dce_login to get a DCE context and
+PAG. ECHO the KRB5CCNAME and look at the nnnnnnnn at the end. It
+should look like an 8 char hex value, which may be 41ffxxxx on some
+systems. 
+
+Su to root and unsetenv KRB5CCNAME. Do a testpag -n nnnnnnnn where
+nnnnnnnn is the PAG obtained for the above name. 
+
+It should look like this example on an AIX 4.1.4 system:
+
+   pembroke# ./testpag -n 63dc9997
+   calling k5dcepag newpag=63dc9997
+   PAG returned = 63dc9997
+
+You will be running under a new shell with the PAG and KRB5CCNAME set.
+If the PAG returned is the same as the newpag, then it worked. You can
+further verify this by doing a DCE klist, cd to DFS and a DCE klist
+again. The klist should show some tickets for DFS servers.
+
+If the PAG returned is not the same, and repeated attempts show a
+returned PAG decremented by 1 from the previous returned PAG, then
+this system does not have the modification For example: 
+ 
+   # ./testpag -n 41fffff9
+   calling k5dcepag newpag=41fffff9
+   PAG returned = 41fffff8
+   # ./testpag -n 41fffff9
+   calling k5dcepag newpag=41fffff9
+   PAG returned = 41fffff7
+
+In this case the syscall is ignoring the newpag parameter. 
+
+Running it with -n 0 should get the next PAG value with or without
+this modification. 
+
+If the DFS kernel extensions are not installed, you would get
+something like this:
+
+  caliban.ctd.anl.gov% ./testpag -n 012345678
+  calling k5dcepag newpag=012345678
+  Setpag failed with a system error
+  PAG returned = ffffffff
+  Not a good pag value
+
+If you DFS implementation does not have this modification, you could
+attempt to install it yourself. But this requires source and requires
+modifications to the kernel extensions. At the end of this note is an
+untested sample using the DCE 1.2.2 source code. You can also contact
+your system vendor and ask for this modification.
+
+UNICOS has a similar function setppag(newpag) which can be used to set
+the PAG of the parent. Contact me if you are interested. 
+
+HOW TO INSTALL
+
+Examine the k5dfspag.c file to make sure the DFS syscalls are correct
+for your platform. See the /opt/dcelocal/share/include/dcedfs/syscall.h
+on Solaris for example. 
+
+You should build the testpag routine and make sure it works before 
+adding all the other mods. If it fails you can still use the klogind
+and telnetd with the k5prelogin and k5dcelogin code. 
+
+If you intend to install with a prefix other then /krb5, change:
+DPAGAIX and K5DCECON in k5dfspag.c; the three references in
+k5prelogin.c; and the DESTDIR in the Makefile.
+
+Get k5101.cdiff.xxxxxx.tar file and install the mods for ANL_DFS_PAG
+and ANL_DCE to the MIT Kerberos 5 source. These mods turn on some DCE
+related changes and the calls to krb5_dfs_pag. 
+
+Symlink or copy the k5dfspag.c to the src/lib/krb5/os directory. 
+
+Add the -DANL_DFS_PAG and -DANL_DCE flags to the configuration. 
+
+Configure and Build the Kerberos v5. 
+
+Modify the k5dce Makefile for your system. 
+
+Build the k5dcecon and related programs. 
+
+Install both the MIT Kerberos v5 and the k5dcecon and dpagaix if AIX.    
+
+The makefile can also build k5dcelogin and k5prelogin.  The install
+can install k5dcelogin, k5prelogin and update the links for login.krb5
+-> k5prelogin and moving login.krb5 to login.k5. If you will be using
+the k5dcecon/k5dfspag with the Kerberos mods, you don't need
+k5prelogin, or the links changed, and may not need k5dcelogin.
+
+Note that Transarc has obfuscated the entries to the lib, and 
+the 1.0.3a is different from the 1.1. You may need to build two
+versions of the k5dcelogin and/or k5dcecon one for each. 
+
+AIX ONLY
+
+The dpagaix routine is needed for AIX because of the way they do the 
+syscalls. 
+
+The following fix.aix.libdce.mk is not needed if dce 2.1.0.21
+has been installed. This PTF exposed the needed entrypoints. 
+
+The fix.aix.libdce.mk is a Makefile for AIX 4.x to add the required
+external entry points to the libdce.a.  These are needed by k5dcecon
+and k5dcelogin.  A bug report was submitted to IBM on this, and it was
+rejected. But since DCE 1.2.2 will have a k5dcelogin, this should not
+be needed with 1.2.2
+
+Copy /usr/lib/libdce.a to /usr/libdce.a.orig before starting. Copy the
+makefile to its own directory. It will create a new libdce.a which you
+need to copy back to /usr/lib/libdce.a You will need to reboot the
+machine.  See the /usr/lpp/dce/examples/inst/README.AIX for a similar
+procedure.  IBM was not responsive in a request to have these added.
+
+UNTESTED KERNEL EXTENSION FOR SETPAG
+
+*** src/file/osi/,osi_pag.c  Wed Oct  2 13:03:05 1996
+--- src/file/osi/osi_pag.c   Mon Jul 28 13:53:13 1997
+***************
+*** 293,298 ****
+--- 293,302 ----
+      int code;
+  
+      osi_MakePreemptionRight();
++    /* allow sharing of a PAG by non child processes DEE- 6/6/97 */
++    if (unused && osi_GetUID(osi_getucred()) == 0) {
++     newpag = unused;
++    } else {
+      osi_mutex_enter(&osi_pagLock);
+      now = osi_Time();
+      soonest = osi_firstPagTime +
+***************
+*** 309,314 ****
+--- 313,319 ----
+      }
+      osi_mutex_exit(&osi_pagLock);
+      newpag = osi_genpag();
++    }
+      osi_pcred_lock(p);
+      credp = crcopy(osi_getucred());
+      code = osi_SetPagInCred(credp, newpag);
+
+Created     07/08/96
+Modified    09/30/96
+Modified    11/19/96
+Modified    12/19/96
+Modified    06/20/97
+Modified    07/28/97
+Modified    02/18/98
+
+ Douglas E. Engert  <DEEngert@anl.gov>
+ Argonne National Laboratory
+ 9700 South Cass Avenue
+ Argonne, Illinois  60439 
+ (630) 252-5444
diff --git a/crypto/heimdal/appl/dceutils/compile b/crypto/heimdal/appl/dceutils/compile
new file mode 100755
index 0000000..d4a34aa
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/compile
@@ -0,0 +1,82 @@
+#! /bin/sh
+
+# Wrapper for compilers which do not understand `-c -o'.
+
+# Copyright 1999, 2000 Free Software Foundation, Inc.
+# Written by Tom Tromey <tromey@cygnus.com>.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+# Usage:
+# compile PROGRAM [ARGS]...
+# `-o FOO.o' is removed from the args passed to the actual compile.
+
+prog=$1
+shift
+
+ofile=
+cfile=
+args=
+while test $# -gt 0; do
+   case "$1" in
+    -o)
+       ofile=$2
+       shift
+       ;;
+    *.c)
+       cfile=$1
+       args="$args $1"
+       ;;
+    *)
+       args="$args $1"
+       ;;
+   esac
+   shift
+done
+
+test -z "$ofile" && {
+   echo "compile: no \`-o' option seen" 1>&2
+   exit 1
+}
+
+test -z "$cfile" && {
+   echo "compile: no \`.c' file seen" 1>&2
+   exit 1
+}
+
+# Name of file we expect compiler to create.
+cofile=`echo $cfile | sed -e 's|^.*/||' -e 's/\.c$/.o/'`
+
+# Create the lock directory.
+lockdir=`echo $ofile | sed -e 's|/|_|g'`
+while true; do
+   if mkdir $lockdir > /dev/null 2>&1; then
+      break
+   fi
+   sleep 1
+done
+# FIXME: race condition here if user kills between mkdir and trap.
+trap "rmdir $lockdir; exit 1" 1 2 15
+
+# Run the compile.
+"$prog" $args
+status=$?
+
+if test -f "$cofile"; then
+   mv "$cofile" "$ofile"
+fi
+
+rmdir $lockdir
+exit $status
diff --git a/crypto/heimdal/appl/dceutils/dfspag.exp b/crypto/heimdal/appl/dceutils/dfspag.exp
new file mode 100644
index 0000000..ed39788
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/dfspag.exp
@@ -0,0 +1,3 @@
+#!/unix
+* kernel extentions used to get the pag
+kafs_syscall syscall
diff --git a/crypto/heimdal/appl/dceutils/dpagaix.c b/crypto/heimdal/appl/dceutils/dpagaix.c
new file mode 100644
index 0000000..cbc23cb
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/dpagaix.c
@@ -0,0 +1,23 @@
+/*
+ * dpagaix.c
+ * On AIX we need to get the kernel extentions
+ * with the DFS kafs_syscall in it. 
+ * We might be running on a system
+ * where DFS is not active. 
+ * So we use this dummy routine which 
+ * might not load to do the dirty work
+ *
+ * DCE does this with the /usr/lib/drivers/dfsloadobj 
+ *
+ */
+ 
+ int dpagaix(parm1, parm2, parm3, parm4, parm5, parm6)
+   int parm1;
+   int parm2;
+   int parm3;
+   int parm4;
+   int parm5;
+   int parm6;
+ {
+   return(kafs_syscall(parm1, parm2, parm3, parm4, parm5, parm6));
+ }
diff --git a/crypto/heimdal/appl/dceutils/k5dce.h b/crypto/heimdal/appl/dceutils/k5dce.h
new file mode 100644
index 0000000..424ebdc
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/k5dce.h
@@ -0,0 +1,165 @@
+/* dummy K5 routines which are needed to get this to 
+ * compile without having access ti the DCE versions 
+ * of the header files.
+ * Thiis is very crude, and OSF needs to expose the K5
+ * API.
+ */
+
+#ifdef sun
+/* Transarc obfascates these routines */
+#ifdef DCE_1_1
+
+#define krb5_init_ets                   _dce_PkjKqOaklP 
+#define krb5_copy_creds                 _dce_LuFxPiITzD
+#define krb5_unparse_name               _dce_LWHtAuNgRV
+#define krb5_get_default_realm          _dce_vDruhprWGh
+#define krb5_build_principal            _dce_qwAalSzTtF
+#define krb5_build_principal_ext        _dce_vhafIQlejW
+#define krb5_build_principal_va         _dce_alsqToMmuJ
+#define krb5_cc_default                 _dce_KZRshhTXhE
+#define krb5_cc_default_name            _dce_bzJVAjHXVQ
+#define sec_login_krb5_add_cred			_dce_ePDtOJTZvU
+
+#else /* DCE 1.0.3a */
+
+#define krb5_init_ets                   _dce_BmLRpOVsBo
+#define krb5_copy_creds                 _dce_VGwSEBNwaf
+#define krb5_unparse_name               _dce_PgAOkJoMXA
+#define krb5_get_default_realm          _dce_plVOzStKyK
+#define krb5_build_principal            _dce_uAKSsluIFy
+#define krb5_build_principal_ext        _dce_tRMpPiRada
+#define krb5_build_principal_va         _dce_SxnLejZemH
+#define krb5_cc_default                 _dce_SeKosWFnsv
+#define krb5_cc_default_name            _dce_qJeaphJWVc
+#define sec_login_krb5_add_cred         _dce_uHwRasumsN
+
+#endif
+#endif
+
+/* Define the bare minimum k5 structures which are needed
+ * by this program. Since the krb5 includes are not supplied 
+ * with DCE, these were based on the MIT Kerberos 5 beta 3
+ * which should match the DCE as of 1.0.3 at least.
+ * The tricky one is the krb5_creds, since one is allocated
+ * by this program, and it needs access to the client principal
+ * in it.
+ * Note that there are no function prototypes, so there is no 
+ * compile time checking.
+ * DEE 07/11/95
+ */
+#define     NPROTOTYPE(x) () 
+typedef int krb5_int32;  /* assuming all DCE systems are 32 bit */
+typedef short krb5short; /* assuming short is 16 bit */
+typedef krb5_int32      krb5_error_code;
+typedef unsigned char   krb5_octet;
+typedef krb5_octet      krb5_boolean;
+typedef krb5short       krb5_keytype; /* in k5.2 it's a short */
+typedef krb5_int32      krb5_flags;
+typedef krb5_int32  krb5_timestamp;
+
+typedef char * krb5_pointer;  /* pointer to unexposed data */
+
+typedef struct _krb5_ccache {
+    struct _krb5_cc_ops *ops;
+    krb5_pointer data;
+} *krb5_ccache;
+
+typedef struct _krb5_cc_ops {
+    char *prefix;
+    char *(*get_name) NPROTOTYPE((krb5_ccache));
+    krb5_error_code (*resolve) NPROTOTYPE((krb5_ccache *, char *));
+    krb5_error_code (*gen_new) NPROTOTYPE((krb5_ccache *));
+    krb5_error_code (*init) NPROTOTYPE((krb5_ccache, krb5_principal));
+    krb5_error_code (*destroy) NPROTOTYPE((krb5_ccache));
+    krb5_error_code (*close) NPROTOTYPE((krb5_ccache));
+    krb5_error_code (*store) NPROTOTYPE((krb5_ccache, krb5_creds *));
+    krb5_error_code (*retrieve) NPROTOTYPE((krb5_ccache, krb5_flags,
+                   krb5_creds *, krb5_creds *));
+    krb5_error_code (*get_princ) NPROTOTYPE((krb5_ccache,
+                        krb5_principal *));
+    krb5_error_code (*get_first) NPROTOTYPE((krb5_ccache,
+                        krb5_cc_cursor *));
+    krb5_error_code (*get_next) NPROTOTYPE((krb5_ccache, krb5_cc_cursor *,
+                   krb5_creds *));
+    krb5_error_code (*end_get) NPROTOTYPE((krb5_ccache, krb5_cc_cursor *));
+    krb5_error_code (*remove_cred) NPROTOTYPE((krb5_ccache, krb5_flags,
+                      krb5_creds *));
+    krb5_error_code (*set_flags) NPROTOTYPE((krb5_ccache, krb5_flags));
+} krb5_cc_ops;
+
+typedef struct _krb5_keyblock {
+	krb5_keytype keytype;
+	int length;
+	krb5_octet *contents;
+} krb5_keyblock;
+
+typedef struct _krb5_ticket_times {
+	krb5_timestamp authtime;
+	krb5_timestamp starttime;
+	krb5_timestamp endtime;
+	krb5_timestamp renew_till;
+} krb5_ticket_times;
+
+typedef krb5_pointer krb5_cc_cursor;
+
+typedef struct _krb5_data {
+   int length;
+   char *data;
+} krb5_data;
+
+typedef struct _krb5_authdata {
+   int ad_type;
+   int length;
+   krb5_octet *contents;
+} krb5_authdata;
+
+typedef struct _krb5_creds {
+    krb5_pointer client;
+    krb5_pointer server;
+    krb5_keyblock keyblock;
+    krb5_ticket_times times;
+    krb5_boolean is_skey;
+    krb5_flags ticket_flags;
+    krb5_pointer **addresses;
+    krb5_data ticket;
+    krb5_data second_ticket;
+    krb5_pointer **authdata;
+} krb5_creds;
+
+typedef krb5_pointer krb5_principal; 
+ 
+#define KRB5_CC_END                              336760974
+#define KRB5_TC_OPENCLOSE              0x00000001
+
+/* Ticket flags */
+/* flags are 32 bits; each host is responsible to put the 4 bytes
+   representing these bits into net order before transmission */
+/* #define  TKT_FLG_RESERVED    0x80000000 */
+#define TKT_FLG_FORWARDABLE     0x40000000
+#define TKT_FLG_FORWARDED       0x20000000
+#define TKT_FLG_PROXIABLE       0x10000000
+#define TKT_FLG_PROXY           0x08000000
+#define TKT_FLG_MAY_POSTDATE    0x04000000
+#define TKT_FLG_POSTDATED       0x02000000
+#define TKT_FLG_INVALID         0x01000000
+#define TKT_FLG_RENEWABLE       0x00800000
+#define TKT_FLG_INITIAL         0x00400000
+#define TKT_FLG_PRE_AUTH        0x00200000
+#define TKT_FLG_HW_AUTH         0x00100000
+#ifdef PK_INIT
+#define TKT_FLG_PUBKEY_PREAUTH          0x00080000
+#define TKT_FLG_DIGSIGN_PREAUTH         0x00040000
+#define TKT_FLG_PRIVKEY_PREAUTH         0x00020000
+#endif
+
+
+#define krb5_cc_get_principal(cache, principal) (*(cache)->ops->get_princ)(cache, principal)
+#define krb5_cc_set_flags(cache, flags) (*(cache)->ops->set_flags)(cache, flags)
+#define krb5_cc_get_name(cache) (*(cache)->ops->get_name)(cache)
+#define krb5_cc_start_seq_get(cache, cursor) (*(cache)->ops->get_first)(cache, cursor)
+#define krb5_cc_next_cred(cache, cursor, creds) (*(cache)->ops->get_next)(cache, cursor, creds)
+#define krb5_cc_destroy(cache) (*(cache)->ops->destroy)(cache)
+#define krb5_cc_end_seq_get(cache, cursor) (*(cache)->ops->end_get)(cache, cursor)
+
+/* end of k5 dummy typedefs */
+
diff --git a/crypto/heimdal/appl/dceutils/k5dcecon.c b/crypto/heimdal/appl/dceutils/k5dcecon.c
new file mode 100644
index 0000000..38acee9
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/k5dcecon.c
@@ -0,0 +1,791 @@
+/*
+ * (c) Copyright 1995 HEWLETT-PACKARD COMPANY
+ * 
+ * To anyone who acknowledges that this file is provided 
+ * "AS IS" without any express or implied warranty:
+ * permission to use, copy, modify, and distribute this 
+ * file for any purpose is hereby granted without fee, 
+ * provided that the above copyright notice and this 
+ * notice appears in all copies, and that the name of 
+ * Hewlett-Packard Company not be used in advertising or 
+ * publicity pertaining to distribution of the software 
+ * without specific, written prior permission.  Hewlett-
+ * Packard Company makes no representations about the 
+ * suitability of this software for any purpose.
+ *
+ */
+/*
+ * k5dcecon - Program to convert a K5 TGT to a DCE context,
+ * for use with DFS and its PAG.
+ * 
+ * The program is designed to be called as a sub process, 
+ * and return via stdout the name of the cache which implies 
+ * the PAG which should be used. This program itself does not 
+ * use the cache or PAG itself, so the PAG in the kernel for 
+ * this program may not be set. 
+ * 
+ * The calling program can then use the name of the cache
+ * to set the KRB5CCNAME and PAG for its self and its children. 
+ *
+ * If no ticket was passed, an attemplt to join an existing
+ * PAG will be made. 
+ * 
+ * If a forwarded K5 TGT is passed in, either a new DCE 
+ * context will be created, or an existing one will be updated.
+ * If the same ticket was already used to create an existing
+ * context, it will be joined instead. 
+ * 
+ * Parts of this program are based on k5dceauth,c which was
+ * given to me by HP and by the k5dcelogin.c which I developed. 
+ * A slightly different version of k5dcelogin.c, was added to
+ * DCE 1.2.2
+ * 
+ * D. E. Engert 6/17/97 ANL
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <sys/types.h>
+#include <dirent.h>
+#include <sys/stat.h>
+#include <locale.h>
+#include <pwd.h>
+#include <string.h>
+#include <time.h>
+
+#include <errno.h>
+#include "k5dce.h"
+
+#include <dce/sec_login.h>
+#include <dce/dce_error.h>
+#include <dce/passwd.h>
+
+/* #define DEBUG */
+#if defined(DEBUG)
+#define DEEDEBUG(A) fprintf(stderr,A); fflush(stderr)
+#define DEEDEBUG2(A,B) fprintf(stderr,A,B); fflush(stderr)
+#else
+#define DEEDEBUG(A)
+#define DEEDEBUG2(A,B)
+#endif
+
+#ifdef __hpux
+#define seteuid(A)		setresuid(-1,A,-1);
+#endif
+
+
+int k5dcecreate (uid_t, char *, char*, krb5_creds **);
+int k5dcecon (uid_t, char *, char *);
+int k5dcegettgt (krb5_ccache *, char *, char *, krb5_creds **);
+int k5dcematch (uid_t, char *, char *, off_t *, krb5_creds **);
+int k5dcesession (uid_t, char *, krb5_creds **, int *,krb5_flags);
+
+
+char *progname = "k5dcecon";
+static time_t now;
+
+#ifdef notdef
+#ifdef _AIX
+/*---------------------------------------------*/
+ /* AIX with DCE 1.1 does not have the com_err in the libdce.a
+  * do a half hearted job of substituting for it. 
+  */ 
+void com_err(char *p1, int code, ...) 
+{
+    int lst;
+    dce_error_string_t  err_string;
+    dce_error_inq_text(code, err_string, &lst);
+    fprintf(stderr,"Error %d in %s: %s\n", code, p1, err_string );
+}
+
+/*---------------------------------------------*/
+void krb5_init_ets()
+{
+
+}
+#endif
+#endif
+
+
+/*------------------------------------------------*/
+/* find a cache to use  for our new pag           */
+/* Since there is no simple way to determine which
+ * caches are associated with a pag, we will have
+ * do look around and see what makes most sense on 
+ * different systems. 
+ * on a Solaris system, and in the DCE source, 
+ * the pags always start with a 41. 
+ * this is not true on the IBM, where there does not
+ * appear to be any pattern. 
+ * 
+ * But since we are always certifing our creds when
+ * they are received, we can us that fact, and look
+ * at the first word of the associated data file
+ * to see that it has a "5". If not don't use. 
+ */
+
+int k5dcesession(luid, pname, tgt, ppag, tflags)
+  uid_t luid;
+  char *pname;
+  krb5_creds **tgt;
+  int *ppag;
+  krb5_flags tflags;
+{
+  DIR *dirp;
+  struct dirent *direntp;
+  off_t size;
+  krb5_timestamp endtime;
+  int better = 0;
+  krb5_creds *xtgt;
+
+  char prev_name[17] = "";  
+  krb5_timestamp prev_endtime;
+  off_t prev_size;
+  u_long prev_pag = 0;
+
+  char ccname[64] = "FILE:/opt/dcelocal/var/security/creds/";
+ 
+  error_status_t st;
+  sec_login_handle_t lcontext = 0;
+  dce_error_string_t  err_string;
+  int lst;
+
+  DEEDEBUG2("k5dcesession looking for flags %8.8x\n",tflags);
+
+  dirp = opendir("/opt/dcelocal/var/security/creds/");
+  if (dirp == NULL) {
+	return 1;
+  }
+
+  while ( (direntp = readdir( dirp )) != NULL ) {
+
+/*  
+ * (but root has the ffffffff which we are not interested in)
+ */
+    if (!strncmp(direntp->d_name,"dcecred_",8)
+         && (strlen(direntp->d_name) == 16)) {
+
+      /* looks like a cache name, lets do the stat, etc */
+
+      strcpy(ccname+38,direntp->d_name);
+      if (!k5dcematch(luid, pname, ccname, &size, &xtgt))  {
+
+        /* its one of our caches, see if it is better  
+         * i.e. the endtime is farther, and if the endtimes
+         * are the same, take the larger, as he who has the 
+         * most tickets wins.
+         * it must also had the same set of flags at least
+         * i.e. if the forwarded TGT is forwardable, this one must 
+         * be as well.   
+         */
+
+        DEEDEBUG2("Cache:%s",direntp->d_name);
+        DEEDEBUG2(" size:%d",size);
+		DEEDEBUG2(" flags:%8.8x",xtgt->ticket_flags);
+		DEEDEBUG2(" %s",ctime((time_t *)&xtgt->times.endtime));
+ 
+        if ((xtgt->ticket_flags & tflags) == tflags ) {
+          if (prev_name[0]) {
+            if (xtgt->times.endtime > prev_endtime) {
+              better = 1;
+            } else if ((xtgt->times.endtime = prev_endtime) 
+                  && (size > prev_size)){
+              better = 1;
+	        }
+          } else {   /* the first */
+            if (xtgt->times.endtime >= now) {
+            better = 1;
+	        }
+          }
+          if (better) {
+            strcpy(prev_name, direntp->d_name);
+	  	    prev_endtime = xtgt->times.endtime;
+            prev_size = size;
+            sscanf(prev_name+8,"%8X",&prev_pag);
+			*tgt = xtgt;
+            better = 0;
+          }
+        }
+      } 
+    }
+  }
+  (void)closedir( dirp );
+
+  if (!prev_name[0])  
+	 return 1; /* failed to find one */
+
+   DEEDEBUG2("Best: %s\n",prev_name);
+
+   if (ppag)
+      *ppag = prev_pag;
+
+   strcpy(ccname+38,prev_name);
+   setenv("KRB5CCNAME",ccname,1);
+ 
+   return(0);
+}
+
+
+/*----------------------------------------------*/
+/* see if this cache is for this this principal */
+
+int k5dcematch(luid, pname, ccname, sizep, tgt) 
+  uid_t luid;
+  char *pname;
+  char *ccname;
+  off_t *sizep;  /* size of the file */
+  krb5_creds **tgt;
+{
+
+  krb5_ccache cache;
+  struct stat stbuf;
+  char ccdata[256];
+  int fd;
+  int status;
+
+  /* DEEDEBUG2("k5dcematch called: cache=%s\n",ccname+38); */
+
+  if (!strncmp(ccname,"FILE:",5)) {
+
+    strcpy(ccdata,ccname+5);
+    strcat(ccdata,".data");
+
+    /* DEEDEBUG2("Checking the .data file for %s\n",ccdata); */
+
+    if (stat(ccdata, &stbuf))
+      return(1);
+ 
+    if (stbuf.st_uid != luid)
+      return(1);
+
+    if ((fd = open(ccdata,O_RDONLY)) == -1)
+      return(1);
+    
+    if ((read(fd,&status,4)) != 4) {
+      close(fd);
+      return(1);
+    }
+    
+    /* DEEDEBUG2(".data file status = %d\n", status); */
+
+    if (status != 5)
+     return(1);
+
+    if (stat(ccname+5, &stbuf))
+      return(1);
+
+    if (stbuf.st_uid != luid)
+      return(1);
+
+    *sizep = stbuf.st_size;
+  }
+
+  return(k5dcegettgt(&cache, ccname, pname, tgt));
+}
+
+
+/*----------------------------------------*/
+/* k5dcegettgt - get the tgt from a cache */
+
+int k5dcegettgt(pcache, ccname, pname, tgt)
+  krb5_ccache *pcache;
+  char *ccname;
+  char *pname;
+  krb5_creds **tgt;
+
+{
+  krb5_ccache cache;
+  krb5_cc_cursor cur;
+  krb5_creds creds;
+  int code;
+  int found = 1;
+  krb5_principal princ;
+  char *kusername;
+  krb5_flags flags;
+  char *sname, *realm, *tgtname = NULL;
+
+  /* Since DCE does not expose much of the Kerberos interface,
+   * we will have to use what we can. This means setting the 
+   * KRB5CCNAME for each file we want to test
+   * We will also not worry about freeing extra cache structures
+   * as this this routine is also not exposed, and this should not 
+   * effect this module. 
+   * We should also free the creds contents, but that is not exposed
+   * either. 
+   */
+
+  setenv("KRB5CCNAME",ccname,1);
+  cache = NULL;
+  *tgt = NULL;
+
+  if (code = krb5_cc_default(pcache)) {
+     com_err(progname, code, "while getting ccache");
+     goto return2;
+  }
+
+  DEEDEBUG("Got cache\n");
+  flags = 0;
+  if (code = krb5_cc_set_flags(*pcache, flags)) {
+    com_err(progname, code,"While setting flags"); 
+    goto return2;
+  }
+  DEEDEBUG("Set flags\n");
+  if (code = krb5_cc_get_principal(*pcache, &princ)) {
+	com_err(progname, code, "While getting princ");
+    goto return1;
+  }
+  DEEDEBUG("Got principal\n");
+  if (code = krb5_unparse_name(princ, &kusername)) {
+    com_err(progname, code, "While unparsing principal");
+    goto return1;
+  }
+
+  DEEDEBUG2("Unparsed to \"%s\"\n", kusername);
+  DEEDEBUG2("pname is \"%s\"\n", pname);
+  if (strcmp(kusername, pname)) {
+   DEEDEBUG("Principals not equal\n");
+   goto return1;
+  }
+  DEEDEBUG("Principals equal\n");
+
+  realm = strchr(pname,'@');
+  realm++;
+
+  if ((tgtname = malloc(9 + 2 * strlen(realm))) == 0) {
+       fprintf(stderr,"Malloc failed for tgtname\n");
+       goto return1;
+  }
+
+  strcpy(tgtname,"krbtgt/");
+  strcat(tgtname,realm);
+  strcat(tgtname,"@");
+  strcat(tgtname,realm);
+ 
+  DEEDEBUG2("Getting tgt %s\n", tgtname);
+  if (code = krb5_cc_start_seq_get(*pcache, &cur)) {
+    com_err(progname, code, "while starting to retrieve tickets");
+    goto return1;
+  }
+
+  while (!(code = krb5_cc_next_cred(*pcache, &cur, &creds))) {
+    krb5_creds *cred = &creds;
+
+    if (code = krb5_unparse_name(cred->server, &sname)) {
+      com_err(progname, code, "while unparsing server name");
+      continue;
+    }
+
+    if (strncmp(sname, tgtname, strlen(tgtname)) == 0) {
+      DEEDEBUG("FOUND\n");
+      if (code = krb5_copy_creds(&creds, tgt)) {
+        com_err(progname, code, "while copying TGT");
+        goto return1;
+      }
+      found = 0;
+      break;
+    } 
+    /* we should do a krb5_free_cred_contents(creds); */
+  }
+
+  if (code = krb5_cc_end_seq_get(*pcache, &cur)) {
+    com_err(progname, code, "while finishing retrieval"); 
+    goto return2;
+  }
+
+return1:
+  flags = KRB5_TC_OPENCLOSE; 
+  krb5_cc_set_flags(*pcache, flags); /* force a close */
+   
+return2:
+  if (tgtname)
+    free(tgtname);
+
+  return(found);
+}
+
+
+/*------------------------------------------*/
+/* Convert a forwarded TGT to a DCE context */
+int k5dcecon(luid, luser, pname)
+  uid_t luid;
+  char *luser;
+  char *pname;
+{
+
+  krb5_creds *ftgt = NULL;
+  krb5_creds *tgt = NULL;
+  unsigned32 dfspag;
+  boolean32 reset_passwd = 0;
+  int lst;
+  dce_error_string_t  err_string;
+  char *shell_prog;
+  krb5_ccache fcache;
+  char *ccname;
+  char *kusername;
+  char *urealm;
+  char *cp;
+  int pag;
+  int code;
+  krb5_timestamp endtime;
+
+
+  /* If there is no cache to be converted, we should not be here */
+
+  if ((ccname = getenv("KRB5CCNAME")) == NULL) {
+    DEEDEBUG("No KRB5CCNAME\n");
+    return(1);
+  }
+
+  if (k5dcegettgt(&fcache, ccname, pname, &ftgt)) {
+    fprintf(stderr, "%s: Did not find TGT\n", progname);
+    return(1);
+  }
+
+ 
+  DEEDEBUG2("flags=%x\n",ftgt->ticket_flags);
+  if (!(ftgt->ticket_flags & TKT_FLG_FORWARDABLE)){
+    fprintf(stderr,"Ticket not forwardable\n");
+    return(0); /* but OK to continue */
+  }
+
+  setenv("KRB5CCNAME","",1);
+    
+#define TKT_ACCEPTABLE (TKT_FLG_FORWARDABLE | TKT_FLG_PROXIABLE \
+         | TKT_FLG_MAY_POSTDATE | TKT_FLG_RENEWABLE | TKT_FLG_HW_AUTH \
+         | TKT_FLG_PRE_AUTH)
+
+  if (!k5dcesession(luid, pname, &tgt, &pag, 
+        (ftgt->ticket_flags & TKT_ACCEPTABLE))) {
+    if (ftgt->times.endtime > tgt->times.endtime) {
+      DEEDEBUG("Updating existing cache\n"); 
+      return(k5dceupdate(&ftgt, pag));
+    } else {
+      DEEDEBUG("Using existing cache\n");
+      return(0); /* use the original one */
+    }
+  } 
+    /* see if the tgts match up */
+
+  if ((code = k5dcecreate(luid, luser, pname, &ftgt))) {
+	return (code);
+  }
+
+  /*
+   * Destroy the Kerberos5 cred cache file.
+   * but dont care aout the return code. 
+   */
+
+  DEEDEBUG("Destroying the old cache\n");
+  if ((code = krb5_cc_destroy(fcache))) {
+    com_err(progname, code, "while destroying Kerberos5 ccache");
+  }
+  return (0);
+}
+
+
+/*--------------------------------------------------*/
+/* k5dceupdate - update the cache with a new TGT    */
+/* Assumed that the KRB5CCNAME has been set         */
+
+int k5dceupdate(krbtgt, pag) 
+   krb5_creds **krbtgt;
+   int pag;
+{
+ 
+  krb5_ccache ccache;
+  int code;
+
+  if (code = krb5_cc_default(&ccache)) {
+    com_err(progname, code, "while opening cache for update");
+    return(2);
+   }
+
+  if (code = ccache->ops->init(ccache,(*krbtgt)->client)) {
+    com_err(progname, code, "while reinitilizing cache");
+    return(3);
+  } 
+
+    /* krb5_cc_store_cred */
+  if (code = ccache->ops->store(ccache, *krbtgt)) {
+    com_err(progname, code, "while updating cache");
+    return(2);
+  }
+
+  sec_login_pag_new_tgt(pag, (*krbtgt)->times.endtime);
+  return(0);
+}
+/*--------------------------------------------------*/
+/* k5dcecreate - create a new DCE context           */
+
+int k5dcecreate(luid, luser, pname, krbtgt)
+   uid_t luid;
+   char *luser;
+   char *pname;
+   krb5_creds **krbtgt;
+{
+   
+    char *cp;
+    char *urealm;
+    char *username;
+    char *defrealm;
+    uid_t uid;
+
+    error_status_t st;
+    sec_login_handle_t lcontext = 0;
+    sec_login_auth_src_t auth_src = 0;
+    boolean32 reset_passwd = 0;
+    int lst;
+    dce_error_string_t  err_string;
+
+	setenv("KRB5CCNAME","",1); /* make sure it not misused */
+
+	uid = getuid();
+	DEEDEBUG2("uid=%d\n",uid);
+    
+	/* if run as root, change to user, so as to have the
+	 * cache created for the local user even if cross-cell
+	 * If run as a user, let standard file protection work.
+	 */
+
+	if (uid == 0) {
+		seteuid(luid);
+	}  
+
+	cp = strchr(pname,'@');
+	*cp = '\0';
+	urealm = ++cp;
+
+ DEEDEBUG2("basename=%s\n",cp);
+ DEEDEBUG2("realm=%s\n",urealm);
+
+    /* now build the username as a single string or a /.../cell/user
+     * if this is a cross cell
+     */
+
+	if ((username = malloc(7+strlen(pname)+strlen(urealm))) == 0) {
+         fprintf(stderr,"Malloc failed for username\n");
+         goto abort;
+    }
+    if (krb5_get_default_realm(&defrealm)) {
+        DEEDEBUG("krb5_get_default_realm failed\n");
+        goto abort;
+    }
+
+
+    if (!strcmp(urealm,defrealm)) {
+        strcpy(username,pname);
+    } else {
+        strcpy(username,"/.../");
+        strcat(username,urealm);
+        strcat(username,"/");
+        strcat(username,pname);
+    }
+
+    /*
+     * Setup a DCE login context
+     */
+
+    if (sec_login_setup_identity((unsigned_char_p_t)username, 
+				 (sec_login_external_tgt|sec_login_proxy_cred),
+				 &lcontext, &st)) {
+	/*
+	 * Add our TGT.
+	 */
+	  DEEDEBUG("Adding our new TGT\n");
+	  sec_login_krb5_add_cred(lcontext, *krbtgt, &st);
+	  if (st) {
+	    dce_error_inq_text(st, err_string, &lst);
+	    fprintf(stderr,
+				"Error while adding credentials for %s because %s\n", 
+				username, err_string);
+	    goto abort;
+	  }	
+	  DEEDEBUG("validating and certifying\n");
+	  /*
+	   * Now "validate" and certify the identity,
+	   *  usually we would pass a password here, but...
+	   * sec_login_valid_and_cert_ident
+	   * sec_login_validate_identity
+	   */
+
+	  if (sec_login_validate_identity(lcontext, 0, &reset_passwd,
+		 &auth_src, &st)) {
+	    DEEDEBUG2("validate_identity st=%d\n",st);
+	    if (st) {
+		  dce_error_inq_text(st, err_string, &lst);
+		  fprintf(stderr, "Validation error for %s because %s\n",
+				 username, err_string);
+		  goto abort;
+	    }
+		if (!sec_login_certify_identity(lcontext,&st)) {
+			dce_error_inq_text(st, err_string, &lst);
+			fprintf(stderr,
+			"Credentials not certified because %s\n",err_string);
+		}
+	    if (reset_passwd) {
+		 fprintf(stderr,
+                "Password must be changed for %s\n", username);
+	    }
+	    if (auth_src == sec_login_auth_src_local) {
+		fprintf(stderr,
+			 "Credentials obtained from local registry for %s\n", 
+			 username);
+	    }
+	    if (auth_src == sec_login_auth_src_overridden) {
+		  fprintf(stderr, "Validated %s from local override entry, no network credentials obtained\n", username);
+		  goto abort; 
+
+	    }
+	    /*
+	     * Actually create the cred files.
+	     */
+		DEEDEBUG("Ceating new cred files.\n");
+	    sec_login_set_context(lcontext, &st);
+	    if (st) {
+		  dce_error_inq_text(st, err_string, &lst);
+		  fprintf(stderr, 
+                "Unable to set context for %s because %s\n",
+		    username, err_string);
+		  goto abort;
+	    }
+
+        /*
+         * Now free up the local context and leave the 
+         * network context with its pag
+         */
+#if 0
+        sec_login_release_context(&lcontext, &st);
+        if (st) {
+          dce_error_inq_text(st, err_string, &lst);
+          fprintf(stderr,
+               "Unable to release context for %s because %s\n",
+            username, err_string);
+          goto abort;
+        }
+#endif
+	}
+	else {
+	  DEEDEBUG2("validate failed %d\n",st);
+	  dce_error_inq_text(st, err_string, &lst);
+	  fprintf(stderr,
+             "Unable to validate %s because %s\n", username, 
+			err_string);
+	  goto abort;
+	}
+  }
+  else {
+	dce_error_inq_text(st, err_string, &lst);
+	fprintf(stderr, 
+          "Unable to setup login entry for %s because %s\n",
+       username, err_string);
+	  goto abort;
+  }
+
+ done:
+    /* if we were root, get back to root */
+
+    DEEDEBUG2("sec_login_inq_pag %8.8x\n",
+             sec_login_inq_pag(lcontext, &st));
+
+    if (uid == 0) {
+      seteuid(0);
+    }  
+
+	DEEDEBUG("completed\n");
+	return(0);
+
+ abort:
+    if (uid == 0) {
+      seteuid(0);
+    }  
+
+    DEEDEBUG("Aborting\n");
+    return(2);
+}
+
+
+
+/*-------------------------------------------------*/
+main(argc, argv)
+  int argc;
+  char *argv[];
+{
+  int status;
+  extern int optind;
+  extern char *optarg;
+  int rv;
+
+  char *lusername = NULL;
+  char *pname = NULL;
+  int fflag = 0;
+  struct passwd *pw;
+  uid_t luid;
+  uid_t myuid;
+  char *ccname;
+  krb5_creds *tgt = NULL;
+
+#ifdef DEBUG
+  close(2);
+  open("/tmp/k5dce.debug",O_WRONLY|O_CREAT|O_APPEND);
+#endif
+
+  if (myuid = getuid()) {
+    DEEDEBUG2("UID = %d\n",myuid);
+    exit(33); /* must be root to run this, get out now */
+  }
+
+  while ((rv = getopt(argc,argv,"l:p:fs")) != -1) {
+    DEEDEBUG2("Arg = %c\n", rv);
+    switch(rv) {
+      case 'l':         /* user name */
+	lusername = optarg;
+	DEEDEBUG2("Optarg = %s\n", optarg);
+	break;
+      case 'p':         /* principal name */
+        pname = optarg; 
+	DEEDEBUG2("Optarg = %s\n", optarg);
+        break;
+      case 'f':         /* convert a forwarded TGT to a context */
+        fflag++;
+        break;
+      case 's':      /* old test parameter, ignore it */
+        break; 
+    }
+  }
+
+  setlocale(LC_ALL, "");
+  krb5_init_ets();
+  time(&now); /* set time to check expired tickets */
+
+  /* if lusername == NULL, Then user is passed as the USER= variable */ 
+
+  if (!lusername) {
+    lusername = getenv("USER");
+    if (!lusername) {
+      fprintf(stderr, "USER not in environment\n");
+      return(3);
+    }
+  }
+
+  if ((pw = getpwnam(lusername)) == NULL) {
+    fprintf(stderr, "Who are you?\n");
+    return(44);
+  }
+
+  luid = pw->pw_uid;
+
+  if (fflag) {  
+    status = k5dcecon(luid, lusername, pname); 
+  } else {
+    status = k5dcesession(luid, pname, &tgt, NULL, 0);
+  }
+ 
+  if (!status) {
+    printf("%s",getenv("KRB5CCNAME")); /* return via stdout to caller */
+    DEEDEBUG2("KRB5CCNAME=%s\n",getenv("KRB5CCNAME"));
+  }
+
+  DEEDEBUG2("Returning status %d\n",status);
+  return (status);
+}
diff --git a/crypto/heimdal/appl/dceutils/testpag.c b/crypto/heimdal/appl/dceutils/testpag.c
new file mode 100644
index 0000000..4613fba
--- /dev/null
+++ b/crypto/heimdal/appl/dceutils/testpag.c
@@ -0,0 +1,150 @@
+/* Test the k5dcepag routine by setting a pag, and 
+ * and execing a shell under this pag. 
+ * 
+ * This allows you to join a PAG which was created  
+ * earlier by some other means. 
+ * for example k5dcecon
+ * 
+ * Must be run as root for testing only. 
+ *
+ */
+
+#include <stdio.h>
+#include <sys/stat.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <setjmp.h>
+#include <errno.h>
+
+#define POSIX_SETJMP
+#define POSIX_SIGNALS
+
+#ifdef POSIX_SIGNALS
+typedef struct sigaction handler;
+#define handler_init(H,F)       (sigemptyset(&(H).sa_mask), \
+                     (H).sa_flags=0, \
+                     (H).sa_handler=(F))
+#define handler_swap(S,NEW,OLD)     sigaction(S, &NEW, &OLD)
+#define handler_set(S,OLD)      sigaction(S, &OLD, NULL)
+#else
+typedef sigtype (*handler)();
+#define handler_init(H,F)       ((H) = (F))
+#define handler_swap(S,NEW,OLD)     ((OLD) = signal ((S), (NEW)))
+
+#define handler_set(S,OLD)      (signal ((S), (OLD)))
+#endif
+
+typedef void sigtype;
+
+/*
+ * We could include the dcedfs/syscall.h which should have these
+ * numbers, but it has extra baggage. So for
+ * simplicity sake now, we define these here.
+ */
+
+
+#define AFSCALL_SETPAG 2
+#define AFSCALL_GETPAG 11
+
+#if defined(sun)
+#define AFS_SYSCALL  72
+
+#elif defined(hpux)
+/* assume HPUX 10 +  or is it 50 */
+#define AFS_SYSCALL 326
+
+#elif defined(_AIX)
+#define DPAGAIX "dpagaix"
+/* #define DPAGAIX "/krb5/sbin/dpagaix" */
+
+#elif defined(sgi) || defined(_sgi)
+#define AFS_SYSCALL  206+1000
+
+#else
+#define AFS_SYSCALL (Unknown_DFS_AFS_SYSCALL)
+#endif
+
+static sigjmp_buf setpag_buf;
+
+static sigtype mysig()
+{
+  siglongjmp(setpag_buf, 1);
+}
+
+
+int  krb5_dfs_newpag(new_pag)
+  int new_pag;
+{
+  handler sa1, osa1;
+  handler sa2, osa2;
+  int pag = -1;
+
+  handler_init (sa1, mysig);
+  handler_init (sa2, mysig);
+  handler_swap (SIGSYS, sa1, osa1);
+  handler_swap (SIGSEGV, sa2, osa2);
+ 
+  if (sigsetjmp(setpag_buf, 1) == 0) {
+#if defined(_AIX)
+    int (*dpagaix)(int, int, int, int, int, int);
+
+    if (dpagaix = load(DPAGAIX, 0, 0)) 
+      pag = (*dpagaix)(AFSCALL_SETPAG, new_pag, 0, 0, 0, 0);
+#else
+    pag = syscall(AFS_SYSCALL,AFSCALL_SETPAG, new_pag, 0, 0, 0, 0);
+#endif
+    handler_set (SIGSYS, osa1);
+    handler_set (SIGSEGV, osa2);
+    return(pag);
+  }
+
+  fprintf(stderr,"Setpag failed with a system error\n");
+  /* syscall failed! return 0 */
+  handler_set (SIGSYS, osa1);
+  handler_set (SIGSEGV, osa2);
+  return(-1);
+}
+
+main(argc, argv)
+	int argc;
+	char *argv[];
+{
+  extern int optind;
+  extern char *optarg;
+  int rv;
+  int rc;
+  unsigned int pag;
+  unsigned int newpag = 0;
+  char ccname[256];
+  int nflag = 0;
+  
+  while((rv = getopt(argc,argv,"n:")) != -1) {
+    switch(rv) {
+     case 'n':
+       nflag++;
+       sscanf(optarg,"%8x",&newpag);
+       break;
+     default:
+       printf("Usage: k5dcepagt -n pag \n");
+       exit(1);
+    }
+  }
+
+  if (nflag) {
+    fprintf (stderr,"calling k5dcepag newpag=%8.8x\n",newpag);
+    pag = krb5_dfs_newpag(newpag);
+
+    fprintf (stderr,"PAG returned = %8.8x\n",pag);
+    if ((pag != 0) && (pag != -1)) {
+      sprintf (ccname,
+        "FILE:/opt/dcelocal/var/security/creds/dcecred_%8.8x", 
+        pag);
+      esetenv("KRB5CCNAME",ccname,1);
+      execl("/bin/csh","csh",0);
+    }
+    else {
+      fprintf(stderr," Not a good pag value\n");
+    }
+  }
+}
diff --git a/crypto/heimdal/appl/ftp/ChangeLog b/crypto/heimdal/appl/ftp/ChangeLog
index 58dd9f8..226902f 100644
--- a/crypto/heimdal/appl/ftp/ChangeLog
+++ b/crypto/heimdal/appl/ftp/ChangeLog
@@ -1,3 +1,25 @@
+2001-04-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* ftpd/ftpd.c (do_store): call closefunc before claiming that
+	everything went ok, if the close fails the file might not have
+	been stored properly
+
+2001-03-26  Assar Westerlund  <assar@sics.se>
+
+	* ftpd/ftpd.c, ftpd/popen.c: always use GLOB_LIMIT
+	* ftpd/popen.c (ftpd_popen): use GLOB_LIMIT if defined
+	* ftpd/ftpd.c (send_file_list): use GLOB_LIMIT if defined
+
+2001-02-15  Assar Westerlund  <assar@sics.se>
+
+	* ftp/cmds.c (setpeer): handle both service names and port numbers
+	for the second optional argument.  also make parsing more robust
+
+2001-02-07  Assar Westerlund  <assar@sics.se>
+
+	* ftp/security.c (sec_end): only clean app_data if there is any
+	(*): do realloc consistently
+
 2001-02-05  Assar Westerlund  <assar@sics.se>
 
 	* ftpd/popen.c (ftpd_popen): avoid overwriting the bounds of argv
diff --git a/crypto/heimdal/appl/ftp/Makefile.in b/crypto/heimdal/appl/ftp/Makefile.in
index e25633c..d704ee8 100644
--- a/crypto/heimdal/appl/ftp/Makefile.in
+++ b/crypto/heimdal/appl/ftp/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -119,7 +120,7 @@ install_sh = @install_sh@
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = $(PROGRAMS)
 
 SUBDIRS = common ftp ftpd
@@ -205,9 +208,10 @@ DIST_COMMON =  ChangeLog Makefile.am Makefile.in
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
 GZIP_ENV = --best
+DIST_SUBDIRS =  $(SUBDIRS)
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .et .h .x
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/ftp/Makefile
 
@@ -248,11 +252,16 @@ mostlyclean-recursive clean-recursive distclean-recursive \
 maintainer-clean-recursive:
 	@set fnord $(MAKEFLAGS); amf=$$2; \
 	dot_seen=no; \
-	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
-	  rev="$$subdir $$rev"; \
-	  if test "$$subdir" = "."; then dot_seen=yes; else :; fi; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
 	done; \
-	test "$$dot_seen" = "no" && rev=". $$rev"; \
+	rev="$$rev ."; \
 	target=`echo $@ | sed s/-recursive//`; \
 	for subdir in $$rev; do \
 	  echo "Making $$target in $$subdir"; \
@@ -298,6 +307,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
diff --git a/crypto/heimdal/appl/ftp/common/Makefile.in b/crypto/heimdal/appl/ftp/common/Makefile.in
index a46eff6..525c6bd 100644
--- a/crypto/heimdal/appl/ftp/common/Makefile.in
+++ b/crypto/heimdal/appl/ftp/common/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -119,7 +120,7 @@ install_sh = @install_sh@
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = $(PROGRAMS)
 
 noinst_LIBRARIES = libcommon.a
@@ -231,7 +234,7 @@ OBJECTS = $(am_libcommon_a_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/ftp/common/Makefile
 
@@ -305,6 +308,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
diff --git a/crypto/heimdal/appl/ftp/ftp/Makefile.in b/crypto/heimdal/appl/ftp/ftp/Makefile.in
index 1a28ad9..1986d3e 100644
--- a/crypto/heimdal/appl/ftp/ftp/Makefile.in
+++ b/crypto/heimdal/appl/ftp/ftp/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -119,7 +120,7 @@ install_sh = @install_sh@
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = 
 
 bin_PROGRAMS = ftp
@@ -284,7 +287,7 @@ OBJECTS = $(am_ftp_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/ftp/ftp/Makefile
 
@@ -417,6 +420,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
diff --git a/crypto/heimdal/appl/ftp/ftp/cmds.c b/crypto/heimdal/appl/ftp/ftp/cmds.c
index c7a066d..3f1933e 100644
--- a/crypto/heimdal/appl/ftp/ftp/cmds.c
+++ b/crypto/heimdal/appl/ftp/ftp/cmds.c
@@ -36,7 +36,7 @@
  */
 
 #include "ftp_locl.h"
-RCSID("$Id: cmds.c,v 1.41 2000/07/18 10:00:31 joda Exp $");
+RCSID("$Id: cmds.c,v 1.42 2001/02/15 04:17:09 assar Exp $");
 
 typedef void (*sighand)(int);
 
@@ -81,7 +81,7 @@ void
 setpeer(int argc, char **argv)
 {
 	char *host;
-	short port;
+	u_short port;
 	struct servent *sp;
 
 	if (connected) {
@@ -102,14 +102,23 @@ setpeer(int argc, char **argv)
 		errx(1, "You bastard. You removed ftp/tcp from services");
 	port = sp->s_port;
 	if (argc > 2) {
-		port = atoi(argv[2]);
-		if (port <= 0) {
-			printf("%s: bad port number-- %s\n", argv[1], argv[2]);
-			printf ("usage: %s host-name [port]\n", argv[0]);
-			code = -1;
-			return;
+		sp = getservbyname(argv[2], "tcp");
+		if (sp != NULL) {
+			port = sp->s_port;
+		} else {
+			char *ep;
+
+			port = strtol(argv[2], &ep, 0);
+			if (argv[2] == ep) {
+				printf("%s: bad port number-- %s\n",
+				       argv[1], argv[2]);
+				printf ("usage: %s host-name [port]\n",
+					argv[0]);
+				code = -1;
+				return;
+			}
+			port = htons(port);
 		}
-		port = htons(port);
 	}
 	host = hookup(argv[1], port);
 	if (host) {
diff --git a/crypto/heimdal/appl/ftp/ftp/ftp.cat1 b/crypto/heimdal/appl/ftp/ftp/ftp.cat1
new file mode 100644
index 0000000..66262de
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftp/ftp.cat1
@@ -0,0 +1,650 @@
+
+FTP(1)                       UNIX Reference Manual                      FTP(1)
+
+NNAAMMEE
+     ffttpp - ARPANET file transfer program
+
+SSYYNNOOPPSSIISS
+     ffttpp [--tt] [--vv] [--dd] [--ii] [--nn] [--gg] [--pp] [--ll] [_h_o_s_t]
+
+DDEESSCCRRIIPPTTIIOONN
+     FFttpp is the user interface to the ARPANET standard File Transfer Protocol.
+     The program allows a user to transfer files to and from a remote network
+     site.
+
+     Modifications has been made so that it almost follows the ftpsec Internet
+     draft.
+
+     Options may be specified at the command line, or to the command inter-
+     preter.
+
+     --tt    Enables packet tracing.
+
+     --vv    Verbose option forces ffttpp to show all responses from the remote
+           server, as well as report on data transfer statistics.
+
+     --nn    Restrains ffttpp from attempting ``auto-login'' upon initial connec-
+           tion.  If auto-login is enabled, ffttpp will check the _._n_e_t_r_c (see be-
+           low) file in the user's home directory for an entry describing an
+           account on the remote machine.  If no entry exists, ffttpp will prompt
+           for the remote machine login name (default is the user identity on
+           the local machine), and, if necessary, prompt for a password and an
+           account with which to login.
+
+     --ii    Turns off interactive prompting during multiple file transfers.
+
+     --pp    Turn on passive mode.
+
+     --dd    Enables debugging.
+
+     --gg    Disables file name globbing.
+
+     --ll    Disables command line editing.
+
+     The client host with which ffttpp is to communicate may be specified on the
+     command line.  If this is done, ffttpp will immediately attempt to establish
+     a connection to an FTP server on that host; otherwise, ffttpp will enter its
+     command interpreter and await instructions from the user.  When ffttpp is
+     awaiting commands from the user the prompt `ftp>' is provided to the us-
+     er.  The following commands are recognized by ffttpp:
+
+     !! [_c_o_m_m_a_n_d [_a_r_g_s]]
+                 Invoke an interactive shell on the local machine.  If there
+                 are arguments, the first is taken to be a command to execute
+                 directly, with the rest of the arguments as its arguments.
+
+     $$ _m_a_c_r_o_-_n_a_m_e [_a_r_g_s]
+                 Execute the macro _m_a_c_r_o_-_n_a_m_e that was defined with the mmaaccddeeff
+                 command.  Arguments are passed to the macro unglobbed.
+
+     aaccccoouunntt [_p_a_s_s_w_d]
+                 Supply a supplemental password required by a remote system
+                 for access to resources once a login has been successfully
+                 completed.  If no argument is included, the user will be
+
+
+                 prompted for an account password in a non-echoing input mode.
+
+     aappppeenndd _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e]
+                 Append a local file to a file on the remote machine.  If
+                 _r_e_m_o_t_e_-_f_i_l_e is left unspecified, the local file name is used
+                 in naming the remote file after being altered by any nnttrraannss
+                 or nnmmaapp setting.  File transfer uses the current settings for
+                 ttyyppee, ffoorrmmaatt, mmooddee, and ssttrruuccttuurree.
+
+     aasscciiii       Set the file transfer ttyyppee to network ASCII. This is the de-
+                 fault type.
+
+     bbeellll        Arrange that a bell be sounded after each file transfer com-
+                 mand is completed.
+
+     bbiinnaarryy      Set the file transfer ttyyppee to support binary image transfer.
+
+     bbyyee         Terminate the FTP session with the remote server and exit
+                 ffttpp. An end of file will also terminate the session and exit.
+
+     ccaassee        Toggle remote computer file name case mapping during mmggeett
+                 commands.  When ccaassee is on (default is off), remote computer
+                 file names with all letters in upper case are written in the
+                 local directory with the letters mapped to lower case.
+
+     ccdd _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y
+                 Change the working directory on the remote machine to _r_e_m_o_t_e_-
+                 _d_i_r_e_c_t_o_r_y.
+
+     ccdduupp        Change the remote machine working directory to the parent of
+                 the current remote machine working directory.
+
+     cchhmmoodd _m_o_d_e _f_i_l_e_-_n_a_m_e
+                 Change the permission modes of the file _f_i_l_e_-_n_a_m_e on the re-
+                 mote sytem to _m_o_d_e.
+
+     cclloossee       Terminate the FTP session with the remote server, and return
+                 to the command interpreter.  Any defined macros are erased.
+
+     ccrr          Toggle carriage return stripping during ascii type file re-
+                 trieval.  Records are denoted by a carriage return/linefeed
+                 sequence during ascii type file transfer.  When ccrr is on (the
+                 default), carriage returns are stripped from this sequence to
+                 conform with the UNIX single linefeed record delimiter.
+                 Records on non-UNIX remote systems may contain single line-
+                 feeds; when an ascii type transfer is made, these linefeeds
+                 may be distinguished from a record delimiter only when ccrr is
+                 off.
+
+     ddeelleettee _r_e_m_o_t_e_-_f_i_l_e
+                 Delete the file _r_e_m_o_t_e_-_f_i_l_e on the remote machine.
+
+     ddeebbuugg [_d_e_b_u_g_-_v_a_l_u_e]
+                 Toggle debugging mode.  If an optional _d_e_b_u_g_-_v_a_l_u_e is speci-
+                 fied it is used to set the debugging level.  When debugging
+                 is on, ffttpp prints each command sent to the remote machine,
+                 preceded by the string `-->'
+
+     ddiirr [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e]
+                 Print a listing of the directory contents in the directory,
+                 _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y, and, optionally, placing the output in
+                 _l_o_c_a_l_-_f_i_l_e. If interactive prompting is on, ffttpp will prompt
+                 the user to verify that the last argument is indeed the tar-
+                 get local file for receiving ddiirr output.  If no directory is
+                 specified, the current working directory on the remote ma-
+                 chine is used.  If no local file is specified, or _l_o_c_a_l_-_f_i_l_e
+
+                 is --, output comes to the terminal.
+
+     ddiissccoonnnneecctt  A synonym for _c_l_o_s_e.
+
+     ffoorrmm _f_o_r_m_a_t
+                 Set the file transfer ffoorrmm to _f_o_r_m_a_t. The default format is
+                 ``file''.
+
+     ggeett _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e]
+                 Retrieve the _r_e_m_o_t_e_-_f_i_l_e and store it on the local machine.
+                 If the local file name is not specified, it is given the same
+                 name it has on the remote machine, subject to alteration by
+                 the current ccaassee, nnttrraannss, and nnmmaapp settings.  The current
+                 settings for ttyyppee, ffoorrmm, mmooddee, and ssttrruuccttuurree are used while
+                 transferring the file.
+
+     gglloobb        Toggle filename expansion for mmddeelleettee, mmggeett and mmppuutt. If
+                 globbing is turned off with gglloobb, the file name arguments are
+                 taken literally and not expanded.  Globbing for mmppuutt is done
+                 as in csh(1).  For mmddeelleettee and mmggeett, each remote file name is
+                 expanded separately on the remote machine and the lists are
+                 not merged.  Expansion of a directory name is likely to be
+                 different from expansion of the name of an ordinary file: the
+                 exact result depends on the foreign operating system and ftp
+                 server, and can be previewed by doing `mls remote-files -'.
+                 As a security measure, remotely globbed files that starts
+                 with `/' or contains `../', will not be automatically re-
+                 ceived. If you have interactive prompting turned off, these
+                 filenames will be ignored.  Note: mmggeett and mmppuutt are not meant
+                 to transfer entire directory subtrees of files.  That can be
+                 done by transferring a tar(1) archive of the subtree (in bi-
+                 nary mode).
+
+     hhaasshh        Toggle hash-sign (``#'') printing for each data block trans-
+                 ferred.  The size of a data block is 1024 bytes.
+
+     hheellpp [_c_o_m_m_a_n_d]
+                 Print an informative message about the meaning of _c_o_m_m_a_n_d. If
+                 no argument is given, ffttpp prints a list of the known com-
+                 mands.
+
+     iiddllee [_s_e_c_o_n_d_s]
+                 Set the inactivity timer on the remote server to _s_e_c_o_n_d_s sec-
+                 onds.  If _s_e_c_o_n_d_s is omitted, the current inactivity timer is
+                 printed.
+
+     llccdd [_d_i_r_e_c_t_o_r_y]
+                 Change the working directory on the local machine.  If no
+                 _d_i_r_e_c_t_o_r_y is specified, the user's home directory is used.
+
+     llss [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e]
+                 Print a listing of the contents of a directory on the remote
+                 machine.  The listing includes any system-dependent informa-
+                 tion that the server chooses to include; for example, most
+                 UNIX systems will produce output from the command `ls -l'.
+                 (See also nnlliisstt.) If _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y is left unspecified,
+                 the current working directory is used.  If interactive
+                 prompting is on, ffttpp will prompt the user to verify that the
+                 last argument is indeed the target local file for receiving
+                 llss output.  If no local file is specified, or if _l_o_c_a_l_-_f_i_l_e
+                 is `--', the output is sent to the terminal.
+
+     mmaaccddeeff _m_a_c_r_o_-_n_a_m_e
+                 Define a macro.  Subsequent lines are stored as the macro
+                 _m_a_c_r_o_-_n_a_m_e; a null line (consecutive newline characters in a
+                 file or carriage returns from the terminal) terminates macro
+                 input mode.  There is a limit of 16 macros and 4096 total
+                 characters in all defined macros.  Macros remain defined un-
+                 til a cclloossee command is executed.  The macro processor inter-
+                 prets `$' and `\' as special characters.  A `$' followed by a
+                 number (or numbers) is replaced by the corresponding argument
+                 on the macro invocation command line.  A `$' followed by an
+                 `i' signals that macro processor that the executing macro is
+                 to be looped.  On the first pass `$i' is replaced by the
+                 first argument on the macro invocation command line, on the
+                 second pass it is replaced by the second argument, and so on.
+                 A `\' followed by any character is replaced by that charac-
+                 ter.  Use the `\' to prevent special treatment of the `$'.
+
+     mmddeelleettee [_r_e_m_o_t_e_-_f_i_l_e_s]
+                 Delete the _r_e_m_o_t_e_-_f_i_l_e_s on the remote machine.
+
+     mmddiirr _r_e_m_o_t_e_-_f_i_l_e_s _l_o_c_a_l_-_f_i_l_e
+                 Like ddiirr, except multiple remote files may be specified.  If
+                 interactive prompting is on, ffttpp will prompt the user to ver-
+                 ify that the last argument is indeed the target local file
+                 for receiving mmddiirr output.
+
+     mmggeett _r_e_m_o_t_e_-_f_i_l_e_s
+                 Expand the _r_e_m_o_t_e_-_f_i_l_e_s on the remote machine and do a ggeett
+                 for each file name thus produced.  See gglloobb for details on
+                 the filename expansion.  Resulting file names will then be
+                 processed according to ccaassee, nnttrraannss, and nnmmaapp settings.
+                 Files are transferred into the local working directory, which
+                 can be changed with `lcd directory'; new local directories
+                 can be created with `! mkdir directory'.
+
+     mmkkddiirr _d_i_r_e_c_t_o_r_y_-_n_a_m_e
+                 Make a directory on the remote machine.
+
+     mmllss _r_e_m_o_t_e_-_f_i_l_e_s _l_o_c_a_l_-_f_i_l_e
+                 Like nnlliisstt, except multiple remote files may be specified,
+                 and the _l_o_c_a_l_-_f_i_l_e must be specified.  If interactive prompt-
+                 ing is on, ffttpp will prompt the user to verify that the last
+                 argument is indeed the target local file for receiving mmllss
+                 output.
+
+     mmooddee [_m_o_d_e_-_n_a_m_e]
+                 Set the file transfer mmooddee to _m_o_d_e_-_n_a_m_e. The default mode is
+                 ``stream'' mode.
+
+     mmooddttiimmee _f_i_l_e_-_n_a_m_e
+                 Show the last modification time of the file on the remote ma-
+                 chine.
+
+     mmppuutt _l_o_c_a_l_-_f_i_l_e_s
+                 Expand wild cards in the list of local files given as argu-
+                 ments and do a ppuutt for each file in the resulting list.  See
+                 gglloobb for details of filename expansion.  Resulting file names
+                 will then be processed according to nnttrraannss and nnmmaapp settings.
+
+     nneewweerr _f_i_l_e_-_n_a_m_e
+                 Get the file only if the modification time of the remote file
+                 is more recent that the file on the current system.  If the
+                 file does not exist on the current system, the remote file is
+                 considered nneewweerr. Otherwise, this command is identical to
+                 _g_e_t.
+
+     nnlliisstt [_r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y] [_l_o_c_a_l_-_f_i_l_e]
+                 Print a  list of the files in a directory on the remote ma-
+                 chine.  If _r_e_m_o_t_e_-_d_i_r_e_c_t_o_r_y is left unspecified, the current
+                 working directory is used.  If interactive prompting is on,
+                 ffttpp will prompt the user to verify that the last argument is
+                 indeed the target local file for receiving nnlliisstt output.  If
+                 no local file is specified, or if _l_o_c_a_l_-_f_i_l_e is --, the output
+                 is sent to the terminal.
+
+     nnmmaapp [_i_n_p_a_t_t_e_r_n _o_u_t_p_a_t_t_e_r_n]
+                 Set or unset the filename mapping mechanism.  If no arguments
+                 are specified, the filename mapping mechanism is unset.  If
+                 arguments are specified, remote filenames are mapped during
+                 mmppuutt commands and ppuutt commands issued without a specified re-
+                 mote target filename.  If arguments are specified, local
+                 filenames are mapped during mmggeett commands and ggeett commands
+                 issued without a specified local target filename.  This com-
+                 mand is useful when connecting to a non-UNIX remote computer
+                 with different file naming conventions or practices.  The
+                 mapping follows the pattern set by _i_n_p_a_t_t_e_r_n and _o_u_t_p_a_t_t_e_r_n.
+                 [_I_n_p_a_t_t_e_r_n] is a template for incoming filenames (which may
+                 have already been processed according to the nnttrraannss and ccaassee
+                 settings).  Variable templating is accomplished by including
+                 the sequences `$1', `$2', ..., `$9' in _i_n_p_a_t_t_e_r_n. Use `\' to
+                 prevent this special treatment of the `$' character.  All
+                 other characters are treated literally, and are used to de-
+                 termine the nnmmaapp [_i_n_p_a_t_t_e_r_n] variable values.  For example,
+                 given _i_n_p_a_t_t_e_r_n $1.$2 and the remote file name "mydata.data",
+                 $1 would have the value "mydata", and $2 would have the value
+                 "data".  The _o_u_t_p_a_t_t_e_r_n determines the resulting mapped file-
+                 name.  The sequences `$1', `$2', ...., `$9' are replaced by
+                 any value resulting from the _i_n_p_a_t_t_e_r_n template.  The se-
+                 quence `$0' is replace by the original filename.  Additional-
+                 ly, the sequence `[_s_e_q_1, _s_e_q_2]' is replaced by [_s_e_q_1] if _s_e_q_1
+                 is not a null string; otherwise it is replaced by _s_e_q_2. For
+                 example, the command
+
+                       nmap $1.$2.$3 [$1,$2].[$2,file]
+
+                 would yield the output filename "myfile.data" for input file-
+                 names "myfile.data" and "myfile.data.old", "myfile.file" for
+                 the input filename "myfile", and "myfile.myfile" for the in-
+                 put filename ".myfile".  Spaces may be included in
+                 _o_u_t_p_a_t_t_e_r_n, as in the example: `nmap $1 sed "s/  *$//" > $1'
+                 .  Use the `\' character to prevent special treatment of the
+                 `$','[','[', and `,' characters.
+
+     nnttrraannss [_i_n_c_h_a_r_s [_o_u_t_c_h_a_r_s]]
+                 Set or unset the filename character translation mechanism.
+                 If no arguments are specified, the filename character trans-
+                 lation mechanism is unset.  If arguments are specified, char-
+                 acters in remote filenames are translated during mmppuutt com-
+                 mands and ppuutt commands issued without a specified remote tar-
+                 get filename.  If arguments are specified, characters in lo-
+                 cal filenames are translated during mmggeett commands and ggeett
+                 commands issued without a specified local target filename.
+                 This command is useful when connecting to a non-UNIX remote
+                 computer with different file naming conventions or practices.
+                 Characters in a filename matching a character in _i_n_c_h_a_r_s are
+                 replaced with the corresponding character in _o_u_t_c_h_a_r_s. If the
+                 character's position in _i_n_c_h_a_r_s is longer than the length of
+                 _o_u_t_c_h_a_r_s, the character is deleted from the file name.
+
+     ooppeenn _h_o_s_t [_p_o_r_t]
+                 Establish a connection to the specified _h_o_s_t FTP server.  An
+                 optional port number may be supplied, in which case, ffttpp will
+                 attempt to contact an FTP server at that port.  If the aauuttoo--
+                 llooggiinn option is on (default), ffttpp will also attempt to auto-
+
+                 matically log the user in to the FTP server (see below).
+
+     ppaassssiivvee     Toggle passive mode.  If passive mode is turned on (default
+                 is off), the ftp client will send a PASV command for all data
+                 connections instead of the usual PORT command.  The PASV com-
+                 mand requests that the remote server open a port for the data
+                 connection and return the address of that port.  The remote
+                 server listens on that port and the client connects to it.
+                 When using the more traditional PORT command, the client lis-
+                 tens on a port and sends that address to the remote server,
+                 who connects back to it.  Passive mode is useful when using
+                 ffttpp through a gateway router or host that controls the direc-
+                 tionality of traffic.  (Note that though ftp servers are re-
+                 quired to support the PASV command by RFC 1123, some do not.)
+
+     pprroommpptt      Toggle interactive prompting.  Interactive prompting occurs
+                 during multiple file transfers to allow the user to selec-
+                 tively retrieve or store files.  If prompting is turned off
+                 (default is on), any mmggeett or mmppuutt will transfer all files,
+                 and any mmddeelleettee will delete all files.
+
+     pprrooxxyy _f_t_p_-_c_o_m_m_a_n_d
+                 Execute an ftp command on a secondary control connection.
+                 This command allows simultaneous connection to two remote ftp
+                 servers for transferring files between the two servers.  The
+                 first pprrooxxyy command should be an ooppeenn, to establish the sec-
+                 ondary control connection.  Enter the command "proxy ?" to
+                 see other ftp commands executable on the secondary connec-
+                 tion.  The following commands behave differently when pref-
+                 aced by pprrooxxyy: ooppeenn will not define new macros during the au-
+                 to-login process, cclloossee will not erase existing macro defini-
+                 tions, ggeett and mmggeett transfer files from the host on the pri-
+                 mary control connection to the host on the secondary control
+                 connection, and ppuutt, mmppuutt, and aappppeenndd transfer files from the
+                 host on the secondary control connection to the host on the
+                 primary control connection.  Third party file transfers de-
+                 pend upon support of the ftp protocol PASV command by the
+                 server on the secondary control connection.
+
+     ppuutt _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e]
+                 Store a local file on the remote machine.  If _r_e_m_o_t_e_-_f_i_l_e is
+                 left unspecified, the local file name is used after process-
+                 ing according to any nnttrraannss or nnmmaapp settings in naming the
+                 remote file.  File transfer uses the current settings for
+                 ttyyppee, ffoorrmmaatt, mmooddee, and ssttrruuccttuurree.
+
+     ppwwdd         Print the name of the current working directory on the remote
+                 machine.
+
+     qquuiitt        A synonym for bbyyee.
+
+     qquuoottee _a_r_g_1 _a_r_g_2 _._._.
+                 The arguments specified are sent, verbatim, to the remote FTP
+                 server.
+
+     rreeccvv _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e]
+                 A synonym for get.
+
+     rreeggeett _r_e_m_o_t_e_-_f_i_l_e [_l_o_c_a_l_-_f_i_l_e]
+                 Reget acts like get, except that if _l_o_c_a_l_-_f_i_l_e exists and is
+                 smaller than _r_e_m_o_t_e_-_f_i_l_e, _l_o_c_a_l_-_f_i_l_e is presumed to be a par-
+                 tially transferred copy of _r_e_m_o_t_e_-_f_i_l_e and the transfer is
+                 continued from the apparent point of failure.  This command
+                 is useful when transferring very large files over networks
+
+
+                 that are prone to dropping connections.
+
+     rreemmootteehheellpp [_c_o_m_m_a_n_d_-_n_a_m_e]
+                 Request help from the remote FTP server.  If a _c_o_m_m_a_n_d_-_n_a_m_e
+                 is specified it is supplied to the server as well.
+
+     rreemmootteessttaattuuss [_f_i_l_e_-_n_a_m_e]
+                 With no arguments, show status of remote machine.  If _f_i_l_e_-
+                 _n_a_m_e is specified, show status of _f_i_l_e_-_n_a_m_e on remote ma-
+                 chine.
+
+     rreennaammee [_f_r_o_m] [_t_o]
+                 Rename the file _f_r_o_m on the remote machine, to the file _t_o.
+
+     rreesseett       Clear reply queue.  This command re-synchronizes command/re-
+                 ply sequencing with the remote ftp server.  Resynchronization
+                 may be necessary following a violation of the ftp protocol by
+                 the remote server.
+
+     rreessttaarrtt _m_a_r_k_e_r
+                 Restart the immediately following ggeett or ppuutt at the indicated
+                 _m_a_r_k_e_r. On UNIX systems, marker is usually a byte offset into
+                 the file.
+
+     rrmmddiirr _d_i_r_e_c_t_o_r_y_-_n_a_m_e
+                 Delete a directory on the remote machine.
+
+     rruunniiqquuee     Toggle storing of files on the local system with unique file-
+                 names.  If a file already exists with a name equal to the
+                 target local filename for a ggeett or mmggeett command, a ".1" is
+                 appended to the name.  If the resulting name matches another
+                 existing file, a ".2" is appended to the original name.  If
+                 this process continues up to ".99", an error message is
+                 printed, and the transfer does not take place.  The generated
+                 unique filename will be reported.  Note that rruunniiqquuee will not
+                 affect local files generated from a shell command (see be-
+                 low).  The default value is off.
+
+     sseenndd _l_o_c_a_l_-_f_i_l_e [_r_e_m_o_t_e_-_f_i_l_e]
+                 A synonym for put.
+
+     sseennddppoorrtt    Toggle the use of PORT commands.  By default, ffttpp will at-
+                 tempt to use a PORT command when establishing a connection
+                 for each data transfer.  The use of PORT commands can prevent
+                 delays when performing multiple file transfers.  If the PORT
+                 command fails, ffttpp will use the default data port.  When the
+                 use of PORT commands is disabled, no attempt will be made to
+                 use PORT commands for each data transfer.  This is useful for
+                 certain FTP implementations which do ignore PORT commands
+                 but, incorrectly, indicate they've been accepted.
+
+     ssiittee _a_r_g_1 _a_r_g_2 _._._.
+                 The arguments specified are sent, verbatim, to the remote FTP
+                 server as a SITE command.
+
+     ssiizzee _f_i_l_e_-_n_a_m_e
+                 Return size of _f_i_l_e_-_n_a_m_e on remote machine.
+
+     ssttaattuuss      Show the current status of ffttpp.
+
+     ssttrruucctt [_s_t_r_u_c_t_-_n_a_m_e]
+                 Set the file transfer _s_t_r_u_c_t_u_r_e to _s_t_r_u_c_t_-_n_a_m_e. By default
+                 ``stream'' structure is used.
+
+     ssuunniiqquuee     Toggle storing of files on remote machine under unique file
+                 names.  Remote ftp server must support ftp protocol STOU com-
+                 mand for successful completion.  The remote server will re-
+                 port unique name.  Default value is off.
+
+     ssyysstteemm      Show the type of operating system running on the remote ma-
+                 chine.
+
+     tteenneexx       Set the file transfer type to that needed to talk to TENEX
+                 machines.
+
+     ttrraaccee       Toggle packet tracing.
+
+     ttyyppee [_t_y_p_e_-_n_a_m_e]
+                 Set the file transfer ttyyppee to _t_y_p_e_-_n_a_m_e. If no type is speci-
+                 fied, the current type is printed.  The default type is net-
+                 work ASCII.
+
+     uummaasskk [_n_e_w_m_a_s_k]
+                 Set the default umask on the remote server to _n_e_w_m_a_s_k. If
+                 _n_e_w_m_a_s_k is omitted, the current umask is printed.
+
+     uusseerr _u_s_e_r_-_n_a_m_e [_p_a_s_s_w_o_r_d] [_a_c_c_o_u_n_t]
+                 Identify yourself to the remote FTP server.  If the _p_a_s_s_w_o_r_d
+                 is not specified and the server requires it, ffttpp will prompt
+                 the user for it (after disabling local echo).  If an _a_c_c_o_u_n_t
+                 field is not specified, and the FTP server requires it, the
+                 user will be prompted for it.  If an _a_c_c_o_u_n_t field is speci-
+                 fied, an account command will be relayed to the remote server
+                 after the login sequence is completed if the remote server
+                 did not require it for logging in.  Unless ffttpp is invoked
+                 with ``auto-login'' disabled, this process is done automati-
+                 cally on initial connection to the FTP server.
+
+     vveerrbboossee     Toggle verbose mode.  In verbose mode, all responses from the
+                 FTP server are displayed to the user.  In addition, if ver-
+                 bose is on, when a file transfer completes, statistics re-
+                 garding the efficiency of the transfer are reported.  By de-
+                 fault, verbose is on.
+
+     ?? [_c_o_m_m_a_n_d]
+                 A synonym for help.
+
+     The following command can be used with ftpsec-aware servers.
+
+     pprroott _c_l_e_a_r | _s_a_f_e | _c_o_n_f_i_d_e_n_t_i_a_l | _p_r_i_v_a_t_e
+                 Set the data protection level to the requested level.
+
+     The following command can be used with ftp servers that has implemented
+     the KAUTH site command.
+
+     kkaauutthh [_p_r_i_n_c_i_p_a_l]
+                 Obtain remote tickets.
+
+     Command arguments which have embedded spaces may be quoted with quote `"'
+     marks.
+
+AABBOORRTTIINNGG AA FFIILLEE TTRRAANNSSFFEERR
+     To abort a file transfer, use the terminal interrupt key (usually Ctrl-
+     C).  Sending transfers will be immediately halted.  Receiving transfers
+     will be halted by sending a ftp protocol ABOR command to the remote serv-
+     er, and discarding any further data received.  The speed at which this is
+     accomplished depends upon the remote server's support for ABOR process-
+     ing.  If the remote server does not support the ABOR command, an `ftp>'
+     prompt will not appear until the remote server has completed sending the
+     requested file.
+
+
+     The terminal interrupt key sequence will be ignored when ffttpp has complet-
+     ed any local processing and is awaiting a reply from the remote server.
+     A long delay in this mode may result from the ABOR processing described
+     above, or from unexpected behavior by the remote server, including viola-
+     tions of the ftp protocol.  If the delay results from unexpected remote
+     server behavior, the local ffttpp program must be killed by hand.
+
+FFIILLEE NNAAMMIINNGG CCOONNVVEENNTTIIOONNSS
+     Files specified as arguments to ffttpp commands are processed according to
+     the following rules.
+
+     1.   If the file name `--' is specified, the _s_t_d_i_n (for reading) or _s_t_d_o_u_t
+          (for writing) is used.
+
+     2.   If the first character of the file name is `|', the remainder of the
+          argument is interpreted as a shell command.  FFttpp then forks a shell,
+          using popen(3) with the argument supplied, and reads (writes) from
+          the stdout (stdin).  If the shell command includes spaces, the argu-
+          ment must be quoted; e.g.  ``" ls -lt"''.  A particularly useful ex-
+          ample of this mechanism is: ``dir more''.
+
+     3.   Failing the above checks, if ``globbing'' is enabled, local file
+          names are expanded according to the rules used in the csh(1);  c.f.
+          the gglloobb command.  If the ffttpp command expects a single local file
+          (.e.g.  ppuutt), only the first filename generated by the "globbing"
+          operation is used.
+
+     4.   For mmggeett commands and ggeett commands with unspecified local file
+          names, the local filename is the remote filename, which may be al-
+          tered by a ccaassee, nnttrraannss, or nnmmaapp setting.  The resulting filename
+          may then be altered if rruunniiqquuee is on.
+
+     5.   For mmppuutt commands and ppuutt commands with unspecified remote file
+          names, the remote filename is the local filename, which may be al-
+          tered by a nnttrraannss or nnmmaapp setting.  The resulting filename may then
+          be altered by the remote server if ssuunniiqquuee is on.
+
+FFIILLEE TTRRAANNSSFFEERR PPAARRAAMMEETTEERRSS
+     The FTP specification specifies many parameters which may affect a file
+     transfer.  The ttyyppee may be one of ``ascii'', ``image'' (binary),
+     ``ebcdic'', and ``local byte size'' (for PDP-10's and PDP-20's mostly).
+     FFttpp supports the ascii and image types of file transfer, plus local byte
+     size 8 for tteenneexx mode transfers.
+
+     FFttpp supports only the default values for the remaining file transfer pa-
+     rameters: mmooddee, ffoorrmm, and ssttrruucctt.
+
+TTHHEE ..nneettrrcc FFIILLEE
+     The _._n_e_t_r_c file contains login and initialization information used by the
+     auto-login process.  It resides in the user's home directory.  The fol-
+     lowing tokens are recognized; they may be separated by spaces, tabs, or
+     new-lines:
+
+     mmaacchhiinnee _n_a_m_e
+               Identify a remote machine _n_a_m_e. The auto-login process searches
+               the _._n_e_t_r_c file for a mmaacchhiinnee token that matches the remote ma-
+               chine specified on the ffttpp command line or as an ooppeenn command
+               argument.  Once a match is made, the subsequent _._n_e_t_r_c tokens
+               are processed, stopping when the end of file is reached or an-
+               other mmaacchhiinnee or a ddeeffaauulltt token is encountered.
+
+     ddeeffaauulltt   This is the same as mmaacchhiinnee _n_a_m_e except that ddeeffaauulltt matches
+               any name.  There can be only one ddeeffaauulltt token, and it must be
+               after all mmaacchhiinnee tokens.  This is normally used as:
+
+
+                     default login anonymous password user@site
+
+               thereby giving the user _a_u_t_o_m_a_t_i_c anonymous ftp login to ma-
+               chines not specified in _._n_e_t_r_c. This can be overridden by using
+               the --nn flag to disable auto-login.
+
+     llooggiinn _n_a_m_e
+               Identify a user on the remote machine.  If this token is pre-
+               sent, the auto-login process will initiate a login using the
+               specified _n_a_m_e.
+
+     ppaasssswwoorrdd _s_t_r_i_n_g
+               Supply a password.  If this token is present, the auto-login
+               process will supply the specified string if the remote server
+               requires a password as part of the login process.  Note that if
+               this token is present in the _._n_e_t_r_c file for any user other
+               than _a_n_o_n_y_m_o_u_s, ffttpp will abort the auto-login process if the
+               _._n_e_t_r_c is readable by anyone besides the user.
+
+     aaccccoouunntt _s_t_r_i_n_g
+               Supply an additional account password.  If this token is pre-
+               sent, the auto-login process will supply the specified string
+               if the remote server requires an additional account password,
+               or the auto-login process will initiate an ACCT command if it
+               does not.
+
+     mmaaccddeeff _n_a_m_e
+               Define a macro.  This token functions like the ffttpp mmaaccddeeff com-
+               mand functions.  A macro is defined with the specified name;
+               its contents begin with the next _._n_e_t_r_c line and continue until
+               a null line (consecutive new-line characters) is encountered.
+               If a macro named iinniitt is defined, it is automatically executed
+               as the last step in the auto-login process.
+
+EENNVVIIRROONNMMEENNTT
+     FFttpp utilizes the following environment variables.
+
+     HOME        For default location of a _._n_e_t_r_c file, if one exists.
+
+     SHELL       For default shell.
+
+SSEEEE AALLSSOO
+     ftpd(8),  _R_F_C_2_2_2_8
+
+HHIISSTTOORRYY
+     The ffttpp command appeared in 4.2BSD.
+
+BBUUGGSS
+     Correct execution of many commands depends upon proper behavior by the
+     remote server.
+
+     An error in the treatment of carriage returns in the 4.2BSD ascii-mode
+     transfer code has been corrected.  This correction may result in incor-
+     rect transfers of binary files to and from 4.2BSD servers using the ascii
+     type.  Avoid this problem by using the binary image type.
+
+4.2 Berkeley Distribution       April 27, 1996                              10
diff --git a/crypto/heimdal/appl/ftp/ftp/main.c b/crypto/heimdal/appl/ftp/ftp/main.c
index e1a4e14..3531579 100644
--- a/crypto/heimdal/appl/ftp/ftp/main.c
+++ b/crypto/heimdal/appl/ftp/ftp/main.c
@@ -36,7 +36,7 @@
  */
 
 #include "ftp_locl.h"
-RCSID("$Id: main.c,v 1.30 2000/11/15 22:56:35 assar Exp $");
+RCSID("$Id: main.c,v 1.31 2001/02/20 01:44:43 assar Exp $");
 
 int
 main(int argc, char **argv)
@@ -46,7 +46,7 @@ main(int argc, char **argv)
 	char homedir[MaxPathLen];
 	struct servent *sp;
 
-	set_progname(argv[0]);
+	setprogname(argv[0]);
 
 	sp = getservbyname("ftp", "tcp");
 	if (sp == 0)
@@ -127,7 +127,7 @@ main(int argc, char **argv)
 		exit(0);
 	    signal(SIGINT, intr);
 	    signal(SIGPIPE, lostpeer);
-	    xargv[0] = (char*)__progname;
+	    xargv[0] = (char*)getprogname();
 	    xargv[1] = argv[0];
 	    xargv[2] = argv[1];
 	    xargv[3] = argv[2];
diff --git a/crypto/heimdal/appl/ftp/ftp/security.c b/crypto/heimdal/appl/ftp/ftp/security.c
index ab3785a..a8fff1d 100644
--- a/crypto/heimdal/appl/ftp/ftp/security.c
+++ b/crypto/heimdal/appl/ftp/ftp/security.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998-2000 Kungliga Tekniska H�gskolan
+ * Copyright (c) 1998-2001 Kungliga Tekniska H�gskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -37,7 +37,7 @@
 #include "ftp_locl.h"
 #endif
 
-RCSID("$Id: security.c,v 1.17 2000/11/08 23:30:32 joda Exp $");
+RCSID("$Id: security.c,v 1.18 2001/02/07 10:49:43 assar Exp $");
 
 static enum protection_level command_prot;
 static enum protection_level data_prot;
@@ -166,6 +166,7 @@ sec_get_data(int fd, struct buffer *buf, int level)
 {
     int len;
     int b;
+    void *tmp;
 
     b = block_read(fd, &len, sizeof(len));
     if (b == 0)
@@ -173,7 +174,10 @@ sec_get_data(int fd, struct buffer *buf, int level)
     else if (b < 0)
 	return -1;
     len = ntohl(len);
-    buf->data = realloc(buf->data, len);
+    tmp = realloc(buf->data, len);
+    if (tmp == NULL)
+	return -1;
+    buf->data = tmp;
     b = block_read(fd, buf->data, len);
     if (b == 0)
 	return 0;
@@ -424,9 +428,17 @@ void
 auth(char *auth_name)
 {
     int i;
+    void *tmp;
+
     for(i = 0; (mech = mechs[i]) != NULL; i++){
 	if(!strcasecmp(auth_name, mech->name)){
-	    app_data = realloc(app_data, mech->size);
+	    tmp = realloc(app_data, mech->size);
+	    if (tmp == NULL) {
+		reply(431, "Unable to accept %s at this time", mech->name);
+		return;
+	    }
+	    app_data = tmp;
+
 	    if(mech->init && (*mech->init)(app_data) != 0) {
 		reply(431, "Unable to accept %s at this time", mech->name);
 		return;
@@ -443,6 +455,7 @@ auth(char *auth_name)
 	}
     }
     free (app_data);
+    app_data = NULL;
     reply(504, "%s is unknown to me", auth_name);
 }
 
@@ -776,9 +789,11 @@ sec_end(void)
     if (mech != NULL) {
 	if(mech->end)
 	    (*mech->end)(app_data);
-	memset(app_data, 0, mech->size);
-	free(app_data);
-	app_data = NULL;
+	if (app_data != NULL) {
+	    memset(app_data, 0, mech->size);
+	    free(app_data);
+	    app_data = NULL;
+	}
     }
     sec_complete = 0;
     data_prot = (enum protection_level)0;
diff --git a/crypto/heimdal/appl/ftp/ftpd/Makefile.in b/crypto/heimdal/appl/ftp/ftpd/Makefile.in
index a3fa628..cd67376 100644
--- a/crypto/heimdal/appl/ftp/ftpd/Makefile.in
+++ b/crypto/heimdal/appl/ftp/ftpd/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -119,7 +120,7 @@ install_sh = @install_sh@
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = 
 
 libexec_PROGRAMS = ftpd
@@ -288,7 +291,7 @@ OBJECTS = $(am_ftpd_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x .y
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj .y
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/ftp/ftpd/Makefile
 
@@ -462,6 +465,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd.8 b/crypto/heimdal/appl/ftp/ftpd/ftpd.8
index 745090c..32d5002 100644
--- a/crypto/heimdal/appl/ftp/ftpd/ftpd.8
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpd.8
@@ -40,7 +40,7 @@
 .Nm ftpd
 .Nd Internet File Transfer Protocol server
 .Sh SYNOPSIS
-.Nm ftpd
+.Nm
 .Op Fl a Ar authmode
 .Op Fl dilv
 .Op Fl g Ar umask
@@ -48,6 +48,8 @@
 .Op Fl T Ar maxtimeout
 .Op Fl t Ar timeout
 .Op Fl u Ar default umask
+.Op Fl B | Fl -builtin-ls
+.Op Fl -good-chars= Ns Ar string
 .Sh DESCRIPTION
 .Nm Ftpd
 is the
@@ -128,6 +130,15 @@ seconds (the default is 15 minutes).
 Set the initial umask to something else than the default 027.
 .It Fl v
 Verbose mode.
+.It Xo
+.Fl B Ns ,
+.Fl -builtin-ls
+.Xc
+use built-in ls to list files
+.It Xo
+.Fl -good-chars= Ns Ar string
+.Xc
+allowed anonymous upload filename chars
 .El
 .Pp
 The file
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd.c b/crypto/heimdal/appl/ftp/ftpd/ftpd.c
index 4db5e9f..faf07ff 100644
--- a/crypto/heimdal/appl/ftp/ftpd/ftpd.c
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpd.c
@@ -38,7 +38,7 @@
 #endif
 #include "getarg.h"
 
-RCSID("$Id: ftpd.c,v 1.153 2001/01/18 09:14:59 joda Exp $");
+RCSID("$Id: ftpd.c,v 1.157 2001/04/19 14:41:29 joda Exp $");
 
 static char version[] = "Version 6.00";
 
@@ -262,7 +262,7 @@ main(int argc, char **argv)
 
     int optind = 0;
 
-    set_progname (argv[0]);
+    setprogname (argv[0]);
 
     /* detach from any tickets and tokens */
     {
@@ -1187,18 +1187,22 @@ do_store(char *name, char *mode, int unique)
 		goto done;
 	set_buffer_size(fileno(din), 1);
 	if (receive_data(din, fout) == 0) {
+	    if((*closefunc)(fout) < 0)
+		perror_reply(552, name);
+	    else {
 		if (unique)
 			reply(226, "Transfer complete (unique file name:%s).",
 			    name);
 		else
 			reply(226, "Transfer complete.");
-	}
+	    }
+	} else
+	    (*closefunc)(fout);
 	fclose(din);
 	data = -1;
 	pdata = -1;
 done:
 	LOGBYTES(*mode == 'w' ? "put" : "append", name, byte_count);
-	(*closefunc)(fout);
 }
 
 static FILE *
@@ -2161,7 +2165,7 @@ send_file_list(char *whichf)
   char buf[MaxPathLen];
 
   if (strpbrk(whichf, "~{[*?") != NULL) {
-    int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+    int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE|GLOB_LIMIT;
 
     memset(&gl, 0, sizeof(gl));
     freeglob = 1;
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpd.cat8 b/crypto/heimdal/appl/ftp/ftpd/ftpd.cat8
new file mode 100644
index 0000000..d4af02e
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpd.cat8
@@ -0,0 +1,296 @@
+
+FTPD(8)                  UNIX System Manager's Manual                  FTPD(8)
+
+NNAAMMEE
+     ffttppdd - Internet File Transfer Protocol server
+
+SSYYNNOOPPSSIISS
+     ffttppdd [--aa _a_u_t_h_m_o_d_e] [--ddiillvv] [--gg _u_m_a_s_k] [--pp _p_o_r_t] [--TT _m_a_x_t_i_m_e_o_u_t] [--tt
+     _t_i_m_e_o_u_t] [--uu _d_e_f_a_u_l_t _u_m_a_s_k] [--BB | ----bbuuiillttiinn--llss] [----ggoooodd--cchhaarrss==_s_t_r_i_n_g]
+
+DDEESSCCRRIIPPTTIIOONN
+     FFttppdd is the Internet File Transfer Protocol server process.  The server
+     uses the TCP protocol and listens at the port specified in the ``ftp''
+     service specification; see services(5).
+
+     Available options:
+
+     --aa      Select the level of authentication required.  Kerberised login
+             can not be turned off. The default is to only allow kerberised
+             login.  Other possibilities can be turned on by giving a string
+             of comma separated flags as argument to --aa. Recognised flags are:
+
+             _p_l_a_i_n  Allow logging in with plaintext password. The password can
+                    be a(n) OTP or an ordinary password.
+
+             _o_t_p    Same as _p_l_a_i_n, but only OTP is allowed.
+
+             _f_t_p    Allow anonymous login.
+
+             The following combination modes exists for backwards compatibili-
+             ty:
+
+             _n_o_n_e   Same as _p_l_a_i_n_,_f_t_p.
+
+             _s_a_f_e   Same as _f_t_p.
+
+             _u_s_e_r   Ignored.
+
+     --dd      Debugging information is written to the syslog using LOG_FTP.
+
+     --gg      Anonymous users will get a umask of _u_m_a_s_k.
+
+     --ii      Open a socket and wait for a connection. This is mainly used for
+             debugging when ftpd isn't started by inetd.
+
+     --ll      Each successful and failed ftp(1) session is logged using syslog
+             with a facility of LOG_FTP.  If this option is specified twice,
+             the retrieve (get), store (put), append, delete, make directory,
+             remove directory and rename operations and their filename argu-
+             ments are also logged.
+
+     --pp      Use _p_o_r_t (a service name or number) instead of the default
+             _f_t_p_/_t_c_p.
+
+     --TT      A client may also request a different timeout period; the maximum
+             period allowed may be set to _t_i_m_e_o_u_t seconds with the --TT option.
+             The default limit is 2 hours.
+
+     --tt      The inactivity timeout period is set to _t_i_m_e_o_u_t seconds (the de-
+             fault is 15 minutes).
+
+     --uu      Set the initial umask to something else than the default 027.
+
+
+
+     --vv      Verbose mode.
+
+     --BB, ----bbuuiillttiinn--llss
+             use built-in ls to list files
+
+     ----ggoooodd--cchhaarrss==_s_t_r_i_n_g
+             allowed anonymous upload filename chars
+
+     The file _/_e_t_c_/_n_o_l_o_g_i_n can be used to disable ftp access.  If the file ex-
+     ists, ffttppdd displays it and exits.  If the file _/_e_t_c_/_f_t_p_w_e_l_c_o_m_e exists,
+     ffttppdd prints it before issuing the ``ready'' message.  If the file
+     _/_e_t_c_/_m_o_t_d exists, ffttppdd prints it after a successful login.
+
+     The ftp server currently supports the following ftp requests.  The case
+     of the requests is ignored.
+
+           Request    Description
+           ABOR       abort previous command
+           ACCT       specify account (ignored)
+           ALLO       allocate storage (vacuously)
+           APPE       append to a file
+           CDUP       change to parent of current working directory
+           CWD        change working directory
+           DELE       delete a file
+           HELP       give help information
+           LIST       give list files in a directory (``ls -lgA'')
+           MKD        make a directory
+           MDTM       show last modification time of file
+           MODE       specify data transfer _m_o_d_e
+           NLST       give name list of files in directory
+           NOOP       do nothing
+           PASS       specify password
+           PASV       prepare for server-to-server transfer
+           PORT       specify data connection port
+           PWD        print the current working directory
+           QUIT       terminate session
+           REST       restart incomplete transfer
+           RETR       retrieve a file
+           RMD        remove a directory
+           RNFR       specify rename-from file name
+           RNTO       specify rename-to file name
+           SITE       non-standard commands (see next section)
+           SIZE       return size of file
+           STAT       return status of server
+           STOR       store a file
+           STOU       store a file with a unique name
+           STRU       specify data transfer _s_t_r_u_c_t_u_r_e
+           SYST       show operating system type of server system
+           TYPE       specify data transfer _t_y_p_e
+           USER       specify user name
+           XCUP       change to parent of current working directory
+                      (deprecated)
+           XCWD       change working directory (deprecated)
+           XMKD       make a directory (deprecated)
+           XPWD       print the current working directory (deprecated)
+           XRMD       remove a directory (deprecated)
+
+     The following commands are specified by RFC2228.
+
+           AUTH       authentication/security mechanism
+           ADAT       authentication/security data
+           PROT       data channel protection level
+           PBSZ       protection buffer size
+           MIC        integrity protected command
+
+
+           CONF       confidentiality protected command
+           ENC        privacy protected command
+           CCC        clear command channel
+
+     The following non-standard or UNIX specific commands are supported by the
+     SITE request.
+
+           UMASK      change umask, (e.g. SSIITTEE UUMMAASSKK 000022)
+           IDLE       set idle-timer, (e.g. SSIITTEE IIDDLLEE 6600)
+           CHMOD      change mode of a file (e.g. SSIITTEE CCHHMMOODD 775555 ffiilleennaammee)
+           FIND       quickly find a specific file with GNU locate(1).
+           HELP       give help information.
+
+     The following Kerberos related site commands are understood.
+
+           KAUTH      obtain remote tickets.
+           KLIST      show remote tickets
+
+     The remaining ftp requests specified in Internet RFC 959 are recognized,
+     but not implemented.  MDTM and SIZE are not specified in RFC 959, but
+     will appear in the next updated FTP RFC.
+
+     The ftp server will abort an active file transfer only when the ABOR com-
+     mand is preceded by a Telnet "Interrupt Process" (IP) signal and a Telnet
+     "Synch" signal in the command Telnet stream, as described in Internet RFC
+     959.  If a STAT command is received during a data transfer, preceded by a
+     Telnet IP and Synch, transfer status will be returned.
+
+     FFttppdd interprets file names according to the ``globbing'' conventions used
+     by csh(1).  This allows users to utilize the metacharacters ``*?[]{}~''.
+
+     FFttppdd authenticates users according to these rules.
+
+           1.   If Kerberos authentication is used, the user must pass valid
+                tickets and the principal must be allowed to login as the re-
+                mote user.
+
+           2.   The login name must be in the password data base, and not have
+                a null password (if kerberos is used the password field is not
+                checked).  In this case a password must be provided by the
+                client before any file operations may be performed.  If the
+                user has an OTP key, the response from a successful USER com-
+                mand will include an OTP challenge. The client may choose to
+                respond with a PASS command giving either a standard password
+                or an OTP one-time password. The server will automatically de-
+                termine which type of password it has been given and attempt
+                to authenticate accordingly. See otp(1) for more information
+                on OTP authentication.
+
+           3.   The login name must not appear in the file _/_e_t_c_/_f_t_p_u_s_e_r_s.
+
+           4.   The user must have a standard shell returned by
+                getusershell(3).
+
+           5.   If the user name appears in the file _/_e_t_c_/_f_t_p_c_h_r_o_o_t the ses-
+                sion's root will be changed to the user's login directory by
+                chroot(2) as for an ``anonymous'' or ``ftp'' account (see next
+                item).  However, the user must still supply a password.  This
+                feature is intended as a compromise between a fully anonymous
+                account and a fully privileged account.  The account should
+                also be set up as for an anonymous account.
+
+           6.   If the user name is ``anonymous'' or ``ftp'', an anonymous ftp
+                account must be present in the password file (user ``ftp'').
+                In this case the user is allowed to log in by specifying any
+                password (by convention an email address for the user should
+                be used as the password).
+
+     In the last case, ffttppdd takes special measures to restrict the client's
+     access privileges.  The server performs a chroot(2) to the home directory
+     of the ``ftp'' user.  In order that system security is not breached, it
+     is recommended that the ``ftp'' subtree be constructed with care, consid-
+     er following these guidelines for anonymous ftp.
+
+     In general all files should be owned by ``root'', and have non-write per-
+     missions (644 or 755 depending on the kind of file). No files should be
+     owned or writable by ``ftp'' (possibly with exception for the
+     _~_f_t_p_/_i_n_c_o_m_i_n_g, as specified below).
+
+           _~_f_t_p      The ``ftp'' homedirectory should be owned by root.
+
+           _~_f_t_p_/_b_i_n  The directory for external programs (such as ls(1)).
+                     These programs must either be statically linked, or you
+                     must setup an environment for dynamic linking when run-
+                     ning chrooted.  These programs will be used if present:
+
+                           ls      Used when listing files.
+
+                           compress
+                                   When retrieving a filename that ends in _._Z,
+                                   and that file isn't present, ffttppdd will try
+                                   to find the filename without _._Z and com-
+                                   press it on the fly.
+
+                           gzip    Same as compress, just with files ending in
+                                   _._g_z.
+
+                           gtar    Enables retrieval of whole directories as
+                                   files ending in _._t_a_r. Can also be combined
+                                   with compression. You must use GNU Tar (or
+                                   some other that supports the --zz and --ZZ
+                                   flags).
+
+                           locate  Will enable ``fast find'' with the SSIITTEE
+                                   FFIINNDD command. You must also create a
+                                   _l_o_c_a_t_e_d_b file in _~_f_t_p_/_e_t_c.
+
+           _~_f_t_p_/_e_t_c  If you put copies of the passwd(5) and group(5) files
+                     here, ls will be able to produce owner names rather than
+                     numbers. Remember to remove any passwords from these
+                     files.
+
+                     The file _m_o_t_d, if present, will be printed after a suc-
+                     cessful login.
+
+           _~_f_t_p_/_d_e_v  Put a copy of /dev/null(7) here.
+
+           _~_f_t_p_/_p_u_b  Traditional place to put whatever you want to make pub-
+                     lic.
+
+     If you want guests to be able to upload files, create a _~_f_t_p_/_i_n_c_o_m_i_n_g di-
+     rectory owned by ``root'', and group ``ftp'' with mode 730 (make sure
+     ``ftp'' is member of group ``ftp''). The following restrictions apply to
+     anonymous users:
+
+     ++oo   Directories created will have mode 700.
+
+     ++oo   Uploaded files will be created with an umask of 777, if not changed
+         with the --gg option.
+
+     ++oo   These command are not accessible: DDEELLEE, RRMMDD, RRNNTTOO, RRNNFFRR, SSIITTEE UUMMAASSKK,
+
+         and SSIITTEE CCHHMMOODD.
+
+     ++oo   Filenames must start with an alpha-numeric character, and consist of
+         alpha-numeric characters or any of the following: + (plus), - (mi-
+         nus), = (equal), _ (underscore), . (period), and , (comma).
+
+FFIILLEESS
+     /etc/ftpusers    Access list for users.
+     /etc/ftpchroot   List of normal users who should be chroot'd.
+     /etc/ftpwelcome  Welcome notice.
+     /etc/motd        Welcome notice after login.
+     /etc/nologin     Displayed and access refused.
+     ~/.klogin        Login access for Kerberos.
+
+SSEEEE AALLSSOO
+     ftp(1),  otp(1),  getusershell(3),  ftpusers(5),  syslogd(8),
+
+SSTTAANNDDAARRDDSS
+     RRFFCC 995599   FTP PROTOCOL SPECIFICATION
+     RRFFCC 11993388  OTP Specification
+     RRFFCC 22222288  FTP Security Extensions.
+
+BBUUGGSS
+     The server must run as the super-user to create sockets with privileged
+     port numbers.  It maintains an effective user id of the logged in user,
+     reverting to the super-user only when binding addresses to sockets.  The
+     possible security holes have been extensively scrutinized, but are possi-
+     bly incomplete.
+
+HHIISSTTOORRYY
+     The ffttppdd command appeared in 4.2BSD.
+
+4.2 Berkeley Distribution       April 19, 1997                               5
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpusers.5 b/crypto/heimdal/appl/ftp/ftpd/ftpusers.5
index d10d15a..631f11b 100644
--- a/crypto/heimdal/appl/ftp/ftpd/ftpusers.5
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpusers.5
@@ -1,4 +1,4 @@
-.\"	$Id: ftpusers.5,v 1.3 2001/01/11 16:16:26 assar Exp $
+.\"	$Id: ftpusers.5,v 1.4 2001/05/02 08:59:20 assar Exp $
 .\"
 .Dd May 7, 1997
 .Dt FTPUSERS 5
diff --git a/crypto/heimdal/appl/ftp/ftpd/ftpusers.cat5 b/crypto/heimdal/appl/ftp/ftpd/ftpusers.cat5
new file mode 100644
index 0000000..d2ee3d3
--- /dev/null
+++ b/crypto/heimdal/appl/ftp/ftpd/ftpusers.cat5
@@ -0,0 +1,27 @@
+
+FTPUSERS(5)                UNIX Programmer's Manual                FTPUSERS(5)
+
+NNAAMMEE
+     _/_e_t_c_/_f_t_p_u_s_e_r_s - FTP access list file
+
+DDEESSCCRRIIPPTTIIOONN
+     _/_e_t_c_/_f_t_p_u_s_e_r_s contains a list of users that should be allowed or denied
+     FTP access. Each line contains a user, optionally followed by ``allow''
+     (anything but ``allow'' is ignored).  The semi-user ``*'' matches any us-
+     er.  Users that has an explicit ``allow'', or that does not match any
+     line, are allowed access. Anyone else is denied access.
+
+     Note that this is compatible with the old format, where this file con-
+     tained a list of users that should be denied access.
+
+EEXXAAMMPPLLEESS
+     This will deny anyone but ``foo'' and ``bar'' to use FTP:
+
+     foo allow
+     bar allow
+     *
+
+SSEEEE AALLSSOO
+     ftpd(8)
+
+ KTH-KRB                          May 7, 1997                                1
diff --git a/crypto/heimdal/appl/ftp/ftpd/popen.c b/crypto/heimdal/appl/ftp/ftpd/popen.c
index d8a4996..52c8824 100644
--- a/crypto/heimdal/appl/ftp/ftpd/popen.c
+++ b/crypto/heimdal/appl/ftp/ftpd/popen.c
@@ -37,7 +37,7 @@
 
 #ifdef HAVE_CONFIG_H
 #include <config.h>
-RCSID("$Id: popen.c,v 1.22 2001/02/05 07:51:51 assar Exp $");
+RCSID("$Id: popen.c,v 1.24 2001/03/26 11:41:02 assar Exp $");
 #endif
 
 #include <sys/types.h>
@@ -138,7 +138,8 @@ ftpd_popen(char *program, char *type, int do_stderr, int no_glob)
 	/* glob each piece */
 	for (gargc = argc = 1; argv[argc] && gargc < MAXGLOBS - 1; argc++) {
 		glob_t gl;
-		int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
+		int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE
+		    | GLOB_LIMIT;
 
 		memset(&gl, 0, sizeof(gl));
 		if (no_glob || glob(argv[argc], flags, NULL, &gl))
diff --git a/crypto/heimdal/appl/kf/Makefile.in b/crypto/heimdal/appl/kf/Makefile.in
index fe2a23b..16a599c 100644
--- a/crypto/heimdal/appl/kf/Makefile.in
+++ b/crypto/heimdal/appl/kf/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -119,7 +120,7 @@ install_sh = @install_sh@
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = $(PROGRAMS)
 
 bin_PROGRAMS = kf
@@ -251,7 +254,7 @@ OBJECTS = $(am_kf_OBJECTS) $(am_kfd_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/kf/Makefile
 
@@ -451,6 +454,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
diff --git a/crypto/heimdal/appl/kf/kf.c b/crypto/heimdal/appl/kf/kf.c
index 0800ce9..3288dae 100644
--- a/crypto/heimdal/appl/kf/kf.c
+++ b/crypto/heimdal/appl/kf/kf.c
@@ -32,7 +32,7 @@
  */
 
 #include "kf_locl.h"
-RCSID("$Id: kf.c,v 1.14 2000/12/31 07:31:06 assar Exp $");
+RCSID("$Id: kf.c,v 1.15 2001/02/20 01:44:44 assar Exp $");
 
 krb5_context context;
 static int help_flag;
@@ -71,7 +71,7 @@ client_setup(krb5_context *context, int *argc, char **argv)
     int port = 0;
     int status;
 
-    set_progname (argv[0]);
+    setprogname (argv[0]);
  
     status = krb5_init_context (context);
     if (status)
diff --git a/crypto/heimdal/appl/kf/kf.cat1 b/crypto/heimdal/appl/kf/kf.cat1
new file mode 100644
index 0000000..b87ed85
--- /dev/null
+++ b/crypto/heimdal/appl/kf/kf.cat1
@@ -0,0 +1,46 @@
+
+KF(1)                        UNIX Reference Manual                       KF(1)
+
+NNAAMMEE
+     kkff - securly forward tickets
+
+SSYYNNOOPPSSIISS
+     kkff [--pp _p_o_r_t | ----ppoorrtt=_p_o_r_t] [--ll _l_o_g_i_n | ----llooggiinn=_l_o_g_i_n] [--cc _c_c_a_c_h_e |
+     ----ccccaacchhee=_c_c_a_c_h_e] [--FF | ----ffoorrwwaarrddaabbllee] [--GG | ----nnoo--ffoorrwwaarrddaabbllee] [--hh |
+     ----hheellpp] [----vveerrssiioonn] _h_o_s_t _._._.
+
+DDEESSCCRRIIPPTTIIOONN
+     The kkff program forwards tickets to a remove host through an authenticated
+     and encrypted stream.  Options supported are:
+
+     --pp _p_o_r_t, ----ppoorrtt=_p_o_r_t
+             port to connect to
+
+     --ll _l_o_g_i_n, ----llooggiinn=_l_o_g_i_n
+             remote login name
+
+     --cc _c_c_a_c_h_e, ----ccccaacchhee=_c_c_a_c_h_e
+             remote cred cache
+
+     --FF, ----ffoorrwwaarrddaabbllee
+             forward forwardable credentials
+
+     --GG, ----nnoo--ffoorrwwaarrddaabbllee
+             do not forward forwardable credentials
+
+     --hh, ----hheellpp
+
+     ----vveerrssiioonn
+
+     kkff is useful when you do not want to enter your password on a remote host
+     but want to have your tickets one for example afs.
+
+     In order for kkff to work you will need to acquire your initial ticket with
+     forwardable flag, ie kkiinniitt ----ffoorrwwaarrddaabbllee.
+
+     tteellnneett is able to forward ticket by itself.
+
+SSEEEE AALLSSOO
+     kinit(1),  telnet(1),  kfd(8)
+
+ Heimdal                         July 2, 2000                                1
diff --git a/crypto/heimdal/appl/kf/kfd.c b/crypto/heimdal/appl/kf/kfd.c
index 3791579..6dc2666 100644
--- a/crypto/heimdal/appl/kf/kfd.c
+++ b/crypto/heimdal/appl/kf/kfd.c
@@ -32,7 +32,7 @@
  */
 
 #include "kf_locl.h"
-RCSID("$Id: kfd.c,v 1.8 2001/01/09 18:43:10 assar Exp $");
+RCSID("$Id: kfd.c,v 1.9 2001/02/20 01:44:44 assar Exp $");
 
 krb5_context context;
 char krb5_tkfile[MAXPATHLEN];
@@ -315,7 +315,7 @@ main(int argc, char **argv)
     int port;
     int ret;
 
-    set_progname (argv[0]);
+    setprogname (argv[0]);
     roken_openlog (argv[0], LOG_ODELAY | LOG_PID,LOG_AUTH);
     port = server_setup(&context, argc, argv);
     ret = doit (port, service);
diff --git a/crypto/heimdal/appl/kf/kfd.cat8 b/crypto/heimdal/appl/kf/kfd.cat8
new file mode 100644
index 0000000..396ffdc
--- /dev/null
+++ b/crypto/heimdal/appl/kf/kfd.cat8
@@ -0,0 +1,31 @@
+
+KFD(8)                   UNIX System Manager's Manual                   KFD(8)
+
+NNAAMMEE
+     kkffdd - receive forwarded tickets
+
+SSYYNNOOPPSSIISS
+     kkffdd [--pp _p_o_r_t | ----ppoorrtt=_p_o_r_t] [--ii | ----iinneettdd] [--RR _r_e_g_p_a_g | ----rreeggppaagg=_r_e_g_p_a_g]
+     [--hh | ----hheellpp] [----vveerrssiioonn]
+
+DDEESSCCRRIIPPTTIIOONN
+     This is the daemon for kf(1).  Supported options:
+
+     --pp _p_o_r_t, ----ppoorrtt=_p_o_r_t
+             port to listen to
+
+     --ii, ----iinneettdd
+             not started from inetd
+
+     --RR _r_e_g_p_a_g, ----rreeggppaagg==_r_e_g_p_a_g
+             path to regpag binary
+
+EEXXAAMMPPLLEESS
+     Put the following in _/_e_t_c_/_i_n_e_t_d_._c_o_n_f:
+
+     kf      stream  tcp     nowait  root    /usr/heimdal/libexec/kfd        kfd
+
+SSEEEE AALLSSOO
+     kf(1)
+
+ Heimdal                         July 2, 2000                                1
diff --git a/crypto/heimdal/appl/kx/ChangeLog b/crypto/heimdal/appl/kx/ChangeLog
new file mode 100644
index 0000000..3050e2e
--- /dev/null
+++ b/crypto/heimdal/appl/kx/ChangeLog
@@ -0,0 +1,317 @@
+2001-01-17  Johan Danielsson  <joda@pdc.kth.se>
+
+	* common.c: don't write to string constants
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* krb5.c (krb5_make_context): handle krb5_init_context failure
+	consistently
+
+2000-10-08  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (doit_passive): check that fds are not too large to select
+	on
+	* kx.c (doit_active): check that fds are not too large to select
+	on
+	* krb5.c (krb5_copy_encrypted): check that fds are not too large
+	to select on
+	* krb4.c (krb4_copy_encrypted): check that fds are not too large
+	to select on
+
+2000-06-10  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in: use INSTALL_SCRIPT for installing rxterm, rxtelnet,
+	tenletxr
+
+2000-04-19  Assar Westerlund  <assar@sics.se>
+
+	* common.c: try hostname uncanonified if getaddrinfo() fails
+
+2000-02-06  Assar Westerlund  <assar@sics.se>
+
+	* kx.h: remove old prorotypes
+
+2000-01-08  Assar Westerlund  <assar@sics.se>
+
+	* common.c (match_local_auth): handle ai_canonname being set in
+	any of the addresses returnedby getaddrinfo.  glibc apparently
+	returns the reverse lookup of every address in ai_canonname.
+
+1999-12-28  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (main): call krb5_getportbyname with the default in
+ 	host-byte-order
+
+1999-12-17  Assar Westerlund  <assar@sics.se>
+
+	* common.c (match_local_auth): remove extra brace.  spotted by
+ 	Jakob Schlyter <jakob@cdg.chalmers.se>
+
+1999-12-16  Assar Westerlund  <assar@sics.se>
+
+	* common.c (match_local_auth): handle ai_canonname not being set
+
+1999-12-06  Assar Westerlund  <assar@sics.se>
+
+	* krb4.c (krb4_authenticate): the NAT address might not be the one
+	for the relevant realm, try anyway.
+	* kxd.c (recv_conn): type correctness
+	* kx.c (connect_host): typo
+
+1999-12-05  Assar Westerlund  <assar@sics.se>
+
+	* common.c (INADDR_LOOPBACK): remove.  now in roken.
+
+	* kxd.c (recv_conn): use getnameinfo_verified
+	* kxd.c (recv_conn): replace inaddr2str with getnameinfo
+
+1999-12-04  Assar Westerlund  <assar@sics.se>
+
+	* kx.c (connect_host): use getaddrinfo
+	* common.c (find_auth_cookie, match_local_auth): re-write to use
+	getaddrinfo
+
+1999-11-27  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (recv_conn): better errors when getting unrecognized data
+
+1999-11-25  Assar Westerlund  <assar@sics.se>
+
+	* krb4.c (krb4_authenticate): obtain the `local' address when
+	doing NAT.  also turn on passive mode.  From <thn@stacken.kth.se>
+	
+1999-11-18  Assar Westerlund  <assar@sics.se>
+
+	* krb5.c (krb5_destroy): free the correct part of the context
+	
+1999-11-02  Assar Westerlund  <assar@sics.se>
+
+	* kx.c (main): redo the v4/v5 selection for consistency.  -4 ->
+ 	try only v4 -5 -> try only v5 none, -45 -> try v5, v4
+
+1999-10-10  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (CLEANFILES): add generated files so that they get
+ 	cleaned away
+
+1999-09-29  Assar Westerlund  <assar@sics.se>
+
+	* common.c (match_local_auth): only look for FamilyLocal (and
+ 	FamilyWild) cookies.  This will not work when we start talking tcp
+ 	to the local X-server but `connect_local_xsocket' and the rest of
+ 	the code doesn't handle it anyway and the old code could (and did)
+ 	pick up the wrong cookie sometimes.  If we have to match
+ 	FamilyInternet cookies, the search order has to be changed anyway
+
+1999-09-02  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (childhandler): watch for child `wait_on_pid' to die.
+	(recv_conn): set `wait_on_pid' instead of looping on waitpid here
+	also.  This should solve the problem of kxd looping which was
+ 	caused by the signal handler getting invoked before this waitpid
+ 	and reaping the child leaving this poor loop without any child
+
+1999-08-19  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (recv_conn): give better error message
+	(doit_active): don't die if fork gives EAGAIN
+
+1999-08-19  Johan Danielsson  <joda@pdc.kth.se>
+
+	* kxd.c (recv_conn): call setjob on crays;
+	(doit_passive): if fork fails with EAGAIN, don't shutdown, just close
+	the connection re-implement `-t' flag
+
+1999-07-12  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: handle not building X programs
+
+1999-06-23  Assar Westerlund  <assar@sics.se>
+
+	* kx.c: conditionalize krb_enable_debug
+
+1999-06-20  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (main): hopefully do inetd confusion right
+
+1999-06-15  Assar Westerlund  <assar@sics.se>
+
+	* krb4.c (krb4_authenticate): get rid of a warning
+
+	* kx.h: const-pollution
+
+	* kx.c: use get_default_username and resulting const pollution
+
+	* context.c (context_set): const pollution
+
+1999-05-22  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (recv_conn): fix syslog messages
+	(main): fix inetd_flag thinko
+
+1999-05-21  Assar Westerlund  <assar@sics.se>
+
+	* kx.c (main): don't byte-swap the argument to krb5_getportbyname
+
+	* kx.c (main): try to use $USERNAME
+
+1999-05-10  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (SOURCES*): update sources list
+	
+	* kx.c (main): forgot to conditionalize some KRB5 code
+	
+	* kxd.c (main): use getarg
+	(*): handle v4 and/or v5
+
+	* kx.h: update
+	
+	* kx.c (main): use getarg.
+	(*): handle v4 and/or v5
+
+	* common.c (do_enccopy, copy_encrypted): remove use
+	net_{read,write} instead of krb_net_{read,write}
+	(krb_get_int, krb_put_int): include fallback of these for when we
+	compile without krb4
+	
+	* Makefile.am (*_SOURCES): remove encdata, add krb[45].c,
+	context.c
+	(LDADD): add krb5
+
+	* krb4.c, krb5.c, context.c: new files
+
+1999-05-08  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (doit_passive): handle error code from
+ 	create_and_write_cookie
+
+	* kx.c (doit_active): handle error code from
+ 	create_and_write_cookie
+
+	* common.c (create_and_write_cookie): try to return better (and
+ 	correct) errors.  Based on a patch from Love <lha@e.kth.se>
+
+	* common.c (try_pie): more braces
+	(match_local_auth): new function
+	(find_auth_cookie): new function
+	(replace_cookie): don't just take the first auth cookie.  based on
+	patch from Ake Sandgren <ake@@cs.umu.se>
+
+Wed Apr  7 23:39:23 1999  Assar Westerlund  <assar@sics.se>
+	
+	* common.c (get_xsockets): init local variable to get rid of a gcc
+ 	warning
+
+Thu Apr  1 21:11:36 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.in: fix for writeauth.o
+
+Fri Mar 19 15:12:31 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kx.c: add gcc-braces
+
+Thu Mar 18 11:18:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Thu Mar 11 14:58:32 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* writeauth.c: protoize
+
+	* common.c: fix some warnings
+
+Wed Mar 10 19:33:39 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kxd.c: openlog -> roken_openlog
+
+Wed Feb  3 22:01:55 1999  Assar Westerlund  <assar@sics.se>
+
+	* rxtelnet.in: print out what telnet program we are running.  From
+ 	<nissej@pdc.kth.se>
+
+	* tenletxr.in: add --version, [-h | --help], -v
+
+	* rxterm.in: add --version, [-h | --help], -v
+
+	* rxtelnet.in: add --version, [-h | --help], -v
+
+	* Makefile.in (rxterm, rxtelnet, telnetxr): substitute VERSION and
+ 	PACKAGE
+
+	* rxtelnet.in: update usage string
+
+Fri Jan 22 23:51:05 1999  Assar Westerlund  <assar@sics.se>
+
+	* common.c (verify_and_remove_cookies): give back a meaningful
+ 	error message if we're using the wrong cookie
+
+Fri Dec 18 17:42:02 1998  Assar Westerlund  <assar@sics.se>
+
+	* common.c (replace_cookie): try to handle the case of not finding
+ 	any cookies
+
+Sun Nov 22 10:31:53 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+Wed Nov 18 20:25:37 1998  Assar Westerlund  <assar@sics.se>
+
+	* rxtelnet.in: new argument -n for not starting any terminal
+ 	emulator
+
+	* kx.c (doit_passive): parse $DISPLAY correctly
+
+Fri Oct  2 06:34:51 1998  Assar Westerlund  <assar@sics.se>
+
+	* kx.c (doit_active): check DISPLAY to figure out what local
+ 	socket to connect to.  From �ke Sandgren <ake@cs.umu.se>
+
+Thu Oct  1 23:02:29 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* kx.h: case MAY_HAVE_X11_PIPES with Solaris
+
+Tue Sep 29 02:22:44 1998  Assar Westerlund  <assar@sics.se>
+
+	* kx.c: fix from Ake Sandgren <ake@cs.umu.se>
+
+Mon Sep 28 18:04:03 1998  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* common.c (try_pipe): return -1 if I_PUSH fails with ENOSYS
+
+Sat Sep 26 17:34:21 1998  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c: create sockets before setuid to handle Solaris' strange
+ 	permissions on /tmp/.X11-{unix,pipe}
+
+	* common.c (chown_xsockets): new function
+
+	* kx.h (chown_xsockets): new prototype
+
+Sun Aug 16 18:34:30 1998  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (doit_passive): conditionalize stream pipe code
+
+	* implement support for Solaris's named-pipe X transport
+
+Thu May 28 17:20:39 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* common.c: fix for (compiler?) bug in solaris 2.4 bind
+
+	* kx.c: get_xsockets returns int, not unsigned
+
+Wed May 27 04:20:20 1998  Assar Westerlund  <assar@sics.se>
+
+	* kxd.c (doit): better error reporting
+
+Tue May 26 17:41:23 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* kx.c: use krb_enable_debug
+
+Mon May 25 05:22:18 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (clean): remove encdata.c
+
+Fri May  1 07:16:36 1998  Assar Westerlund  <assar@sics.se>
+
+	* kx.c: unifdef -DHAVE_H_ERRNO
+
diff --git a/crypto/heimdal/appl/kx/Makefile.am b/crypto/heimdal/appl/kx/Makefile.am
new file mode 100644
index 0000000..ec3f249
--- /dev/null
+++ b/crypto/heimdal/appl/kx/Makefile.am
@@ -0,0 +1,73 @@
+# $Id: Makefile.am,v 1.12 2000/11/15 22:51:08 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4) $(X_CFLAGS)
+
+WFLAGS += $(WFLAGS_NOIMPLICITINT)
+
+if HAVE_X
+
+bin_PROGRAMS = kx
+bin_SCRIPTS = rxterm rxtelnet tenletxr
+libexec_PROGRAMS = kxd
+
+else
+
+bin_PROGRAMS = 
+bin_SCRIPTS = 
+libexec_PROGRAMS = 
+
+endif
+
+CLEANFILES = rxterm rxtelnet tenletxr
+
+if NEED_WRITEAUTH
+XauWriteAuth_c = writeauth.c
+endif
+
+kx_SOURCES = \
+	kx.c \
+	kx.h \
+	common.c \
+	context.c \
+	krb4.c \
+	krb5.c \
+	$(XauWriteAuth_c)
+
+EXTRA_kx_SOURCES = writeauth.c
+
+kxd_SOURCES = \
+	kxd.c \
+	kx.h \
+	common.c \
+	context.c \
+	krb4.c \
+	krb5.c \
+	$(XauWriteAuth_c)
+
+EXTRA_kxd_SOURCES = writeauth.c
+
+EXTRA_DIST = rxterm.in rxtelnet.in tenletxr.in
+
+man_MANS = kx.1 rxtelnet.1 rxterm.1 tenletxr.1 kxd.8
+
+rxterm: rxterm.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxterm.in > $@
+	chmod +x $@
+
+rxtelnet: rxtelnet.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxtelnet.in > $@
+	chmod +x $@
+
+tenletxr: tenletxr.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/tenletxr.in > $@
+	chmod +x $@
+
+LDADD = \
+	$(LIB_kafs)				\
+	$(LIB_krb5) \
+	$(LIB_krb4)				\
+	$(LIB_des)	\
+	$(LIB_roken)				\
+	$(X_LIBS) $(LIB_XauReadAuth) $(X_PRE_LIBS) $(X_EXTRA_LIBS)
diff --git a/crypto/heimdal/appl/kx/Makefile.in b/crypto/heimdal/appl/kx/Makefile.in
new file mode 100644
index 0000000..9d327ec
--- /dev/null
+++ b/crypto/heimdal/appl/kx/Makefile.in
@@ -0,0 +1,801 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.12 2000/11/15 22:51:08 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(X_CFLAGS)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+WFLAGS = @WFLAGS@ $(WFLAGS_NOIMPLICITINT)
+
+@HAVE_X_TRUE@bin_PROGRAMS = @HAVE_X_TRUE@kx
+@HAVE_X_FALSE@bin_PROGRAMS = 
+@HAVE_X_TRUE@bin_SCRIPTS = @HAVE_X_TRUE@rxterm rxtelnet tenletxr
+@HAVE_X_FALSE@bin_SCRIPTS = 
+@HAVE_X_TRUE@libexec_PROGRAMS = @HAVE_X_TRUE@kxd
+@HAVE_X_FALSE@libexec_PROGRAMS = 
+
+CLEANFILES = rxterm rxtelnet tenletxr
+
+@NEED_WRITEAUTH_TRUE@XauWriteAuth_c = @NEED_WRITEAUTH_TRUE@writeauth.c
+
+kx_SOURCES = \
+	kx.c \
+	kx.h \
+	common.c \
+	context.c \
+	krb4.c \
+	krb5.c \
+	$(XauWriteAuth_c)
+
+
+EXTRA_kx_SOURCES = writeauth.c
+
+kxd_SOURCES = \
+	kxd.c \
+	kx.h \
+	common.c \
+	context.c \
+	krb4.c \
+	krb5.c \
+	$(XauWriteAuth_c)
+
+
+EXTRA_kxd_SOURCES = writeauth.c
+
+EXTRA_DIST = rxterm.in rxtelnet.in tenletxr.in
+
+man_MANS = kx.1 rxtelnet.1 rxterm.1 tenletxr.1 kxd.8
+
+LDADD = \
+	$(LIB_kafs)				\
+	$(LIB_krb5) \
+	$(LIB_krb4)				\
+	$(LIB_des)	\
+	$(LIB_roken)				\
+	$(X_LIBS) $(LIB_XauReadAuth) $(X_PRE_LIBS) $(X_EXTRA_LIBS)
+
+subdir = appl/kx
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+@HAVE_X_FALSE@bin_PROGRAMS = 
+@HAVE_X_FALSE@libexec_PROGRAMS = 
+PROGRAMS =  $(bin_PROGRAMS) $(libexec_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+@NEED_WRITEAUTH_FALSE@am_kx_OBJECTS =  kx.$(OBJEXT) common.$(OBJEXT) \
+@NEED_WRITEAUTH_FALSE@context.$(OBJEXT) krb4.$(OBJEXT) krb5.$(OBJEXT)
+@NEED_WRITEAUTH_TRUE@am_kx_OBJECTS =  kx.$(OBJEXT) common.$(OBJEXT) \
+@NEED_WRITEAUTH_TRUE@context.$(OBJEXT) krb4.$(OBJEXT) krb5.$(OBJEXT) \
+@NEED_WRITEAUTH_TRUE@writeauth.$(OBJEXT)
+kx_OBJECTS =  $(am_kx_OBJECTS)
+kx_LDADD = $(LDADD)
+@KRB4_FALSE@@KRB5_FALSE@kx_DEPENDENCIES = 
+@KRB4_FALSE@@KRB5_TRUE@kx_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@@KRB5_FALSE@kx_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la
+@KRB4_TRUE@@KRB5_TRUE@kx_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+kx_LDFLAGS = 
+@NEED_WRITEAUTH_FALSE@am_kxd_OBJECTS =  kxd.$(OBJEXT) common.$(OBJEXT) \
+@NEED_WRITEAUTH_FALSE@context.$(OBJEXT) krb4.$(OBJEXT) krb5.$(OBJEXT)
+@NEED_WRITEAUTH_TRUE@am_kxd_OBJECTS =  kxd.$(OBJEXT) common.$(OBJEXT) \
+@NEED_WRITEAUTH_TRUE@context.$(OBJEXT) krb4.$(OBJEXT) krb5.$(OBJEXT) \
+@NEED_WRITEAUTH_TRUE@writeauth.$(OBJEXT)
+kxd_OBJECTS =  $(am_kxd_OBJECTS)
+kxd_LDADD = $(LDADD)
+@KRB4_FALSE@@KRB5_FALSE@kxd_DEPENDENCIES = 
+@KRB4_FALSE@@KRB5_TRUE@kxd_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@@KRB5_FALSE@kxd_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la
+@KRB4_TRUE@@KRB5_TRUE@kxd_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+kxd_LDFLAGS = 
+SCRIPTS =  $(bin_SCRIPTS)
+
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(kx_SOURCES) $(EXTRA_kx_SOURCES) $(kxd_SOURCES) \
+$(EXTRA_kxd_SOURCES)
+man1dir = $(mandir)/man1
+man8dir = $(mandir)/man8
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(kx_SOURCES) $(EXTRA_kx_SOURCES) $(kxd_SOURCES) $(EXTRA_kxd_SOURCES)
+OBJECTS = $(am_kx_OBJECTS) $(am_kxd_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/kx/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+kx$(EXEEXT): $(kx_OBJECTS) $(kx_DEPENDENCIES)
+	@rm -f kx$(EXEEXT)
+	$(LINK) $(kx_LDFLAGS) $(kx_OBJECTS) $(kx_LDADD) $(LIBS)
+
+kxd$(EXEEXT): $(kxd_OBJECTS) $(kxd_DEPENDENCIES)
+	@rm -f kxd$(EXEEXT)
+	$(LINK) $(kxd_LDFLAGS) $(kxd_OBJECTS) $(kxd_LDADD) $(LIBS)
+
+install-binSCRIPTS: $(bin_SCRIPTS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  f="`echo $$p|sed '$(transform)'`"; \
+	  if test -f $$p; then \
+	    echo " $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(INSTALL_SCRIPT) $$p $(DESTDIR)$(bindir)/$$f; \
+	  elif test -f $(srcdir)/$$p; then \
+	    echo " $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(INSTALL_SCRIPT) $(srcdir)/$$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binSCRIPTS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_SCRIPTS)'; for p in $$list; do \
+	  f="`echo $$p|sed '$(transform)'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+install-man8:
+	$(mkinstalldirs) $(DESTDIR)$(man8dir)
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man8dir)/$$inst; \
+	done
+
+uninstall-man8:
+	@list='$(man8_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.8*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man8dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man8dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1 install-man8
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1 uninstall-man8
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS install-libexecPROGRAMS \
+		install-binSCRIPTS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-libexecPROGRAMS \
+		uninstall-binSCRIPTS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(SCRIPTS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(libexecdir) \
+		$(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1 \
+		$(DESTDIR)$(mandir)/man8
+
+
+mostlyclean-generic:
+
+clean-generic:
+	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-libexecPROGRAMS \
+		mostlyclean-compile mostlyclean-libtool \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-libexecPROGRAMS clean-compile \
+		clean-libtool clean-tags clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-libexecPROGRAMS \
+		distclean-compile distclean-libtool distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS mostlyclean-compile \
+distclean-compile clean-compile maintainer-clean-compile \
+mostlyclean-libtool distclean-libtool clean-libtool \
+maintainer-clean-libtool uninstall-binSCRIPTS install-binSCRIPTS \
+install-man1 uninstall-man1 install-man8 uninstall-man8 install-man \
+uninstall-man tags mostlyclean-tags distclean-tags clean-tags \
+maintainer-clean-tags distdir info-am info dvi-am dvi check-local check \
+check-am installcheck-am installcheck install-exec-am install-exec \
+install-data-local install-data-am install-data install-am install \
+uninstall-am uninstall all-local all-redirect all-am all install-strip \
+installdirs mostlyclean-generic distclean-generic clean-generic \
+maintainer-clean-generic clean mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+rxterm: rxterm.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxterm.in > $@
+	chmod +x $@
+
+rxtelnet: rxtelnet.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/rxtelnet.in > $@
+	chmod +x $@
+
+tenletxr: tenletxr.in
+	sed -e "s!%bindir%!$(bindir)!" $(srcdir)/tenletxr.in > $@
+	chmod +x $@
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/kx/common.c b/crypto/heimdal/appl/kx/common.c
new file mode 100644
index 0000000..0d23169
--- /dev/null
+++ b/crypto/heimdal/appl/kx/common.c
@@ -0,0 +1,794 @@
+/*
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kx.h"
+
+RCSID("$Id: common.c,v 1.62 2001/02/15 04:20:51 assar Exp $");
+
+char x_socket[MaxPathLen];
+
+u_int32_t display_num;
+char display[MaxPathLen];
+int display_size = sizeof(display);
+char xauthfile[MaxPathLen];
+int xauthfile_size = sizeof(xauthfile);
+u_char cookie[16];
+size_t cookie_len = sizeof(cookie);
+
+#ifndef X_UNIX_PATH
+#define X_UNIX_PATH "/tmp/.X11-unix/X"
+#endif
+
+#ifndef X_PIPE_PATH
+#define X_PIPE_PATH "/tmp/.X11-pipe/X"
+#endif
+
+/*
+ * Allocate a unix domain socket in `s' for display `dpy' and with
+ * filename `pattern'
+ *
+ * 0 if all is OK
+ * -1 if bind failed badly
+ * 1 if dpy is already used */
+
+static int
+try_socket (struct x_socket *s, int dpy, const char *pattern)
+{
+    struct sockaddr_un addr;
+    int fd;
+
+    fd = socket (AF_UNIX, SOCK_STREAM, 0);
+    if (fd < 0)
+	err (1, "socket AF_UNIX");
+    memset (&addr, 0, sizeof(addr));
+    addr.sun_family = AF_UNIX;
+    snprintf (addr.sun_path, sizeof(addr.sun_path), pattern, dpy);
+    if(bind(fd,
+	    (struct sockaddr *)&addr,
+	    sizeof(addr)) < 0) {
+	close (fd);
+	if (errno == EADDRINUSE ||
+	    errno == EACCES  /* Cray return EACCESS */
+#ifdef ENOTUNIQ
+	    || errno == ENOTUNIQ /* bug in Solaris 2.4 */
+#endif
+	    )
+	    return 1;
+	else
+	    return -1;
+    }
+    s->fd = fd;
+    s->pathname = strdup (addr.sun_path);
+    if (s->pathname == NULL)
+	errx (1, "strdup: out of memory");
+    s->flags = UNIX_SOCKET;
+    return 0;
+}
+
+#ifdef MAY_HAVE_X11_PIPES
+/*
+ * Allocate a stream (masqueraded as a named pipe)
+ *
+ * 0 if all is OK
+ * -1 if bind failed badly
+ * 1 if dpy is already used
+ */
+
+static int
+try_pipe (struct x_socket *s, int dpy, const char *pattern)
+{
+    char path[MAXPATHLEN];
+    int ret;
+    int fd;
+    int pipefd[2];
+    
+    snprintf (path, sizeof(path), pattern, dpy);
+    fd = open (path, O_WRONLY | O_CREAT | O_EXCL, 0600);
+    if (fd < 0) {
+	if (errno == EEXIST)
+	    return 1;
+	else
+	    return -1;
+    }
+
+    close (fd);
+
+    ret = pipe (pipefd);
+    if (ret < 0)
+	err (1, "pipe");
+
+    ret = ioctl (pipefd[1], I_PUSH, "connld");
+    if (ret < 0) {
+	if(errno == ENOSYS)
+	    return -1;
+	err (1, "ioctl I_PUSH");
+    }
+
+    ret = fattach (pipefd[1], path);
+    if (ret < 0)
+	err (1, "fattach %s", path);
+
+    s->fd  = pipefd[0];
+    close (pipefd[1]);
+    s->pathname = strdup (path);
+    if (s->pathname == NULL)
+	errx (1, "strdup: out of memory");
+    s->flags = STREAM_PIPE;
+    return 0;
+}
+#endif /* MAY_HAVE_X11_PIPES */
+
+/*
+ * Try to create a TCP socket in `s' corresponding to display `dpy'.
+ *
+ * 0 if all is OK
+ * -1 if bind failed badly
+ * 1 if dpy is already used
+ */
+
+static int
+try_tcp (struct x_socket *s, int dpy)
+{
+    struct sockaddr_in tcpaddr;
+    struct in_addr local;
+    int one = 1;
+    int fd;
+
+    memset(&local, 0, sizeof(local));
+    local.s_addr = htonl(INADDR_LOOPBACK);
+
+    fd = socket (AF_INET, SOCK_STREAM, 0);
+    if (fd < 0)
+	err (1, "socket AF_INET");
+#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT)
+    setsockopt (fd, IPPROTO_TCP, TCP_NODELAY, (void *)&one,
+		sizeof(one));
+#endif
+    memset (&tcpaddr, 0, sizeof(tcpaddr));
+    tcpaddr.sin_family = AF_INET;
+    tcpaddr.sin_addr = local;
+    tcpaddr.sin_port = htons(6000 + dpy);
+    if (bind (fd, (struct sockaddr *)&tcpaddr,
+	      sizeof(tcpaddr)) < 0) {
+	close (fd);
+	if (errno == EADDRINUSE)
+	    return 1;
+	else
+	    return -1;
+    }
+    s->fd = fd;
+    s->pathname = NULL;
+    s->flags = TCP;
+    return 0;
+}
+
+/*
+ * The potential places to create unix sockets.
+ */
+
+static char *x_sockets[] = {
+X_UNIX_PATH "%u",
+"/var/X/.X11-unix/X" "%u",
+"/usr/spool/sockets/X11/" "%u",
+NULL
+};
+
+/*
+ * Dito for stream pipes.
+ */
+
+#ifdef MAY_HAVE_X11_PIPES
+static char *x_pipes[] = {
+X_PIPE_PATH "%u",
+"/var/X/.X11-pipe/X" "%u",
+NULL
+};
+#endif
+
+/*
+ * Create the directory corresponding to dirname of `path' or fail.
+ */
+
+static void
+try_mkdir (const char *path)
+{
+    char *dir;
+    char *p;
+    int oldmask;
+
+    if((dir = strdup (path)) == NULL)
+	errx (1, "strdup: out of memory");
+    p = strrchr (dir, '/');
+    if (p)
+	*p = '\0';
+
+    oldmask = umask(0);
+    mkdir (dir, 01777);
+    umask (oldmask);
+    free (dir);
+}
+
+/*
+ * Allocate a display, returning the number of sockets in `number' and
+ * all the corresponding sockets in `sockets'.  If `tcp_socket' is
+ * true, also allcoaet a TCP socket.
+ *
+ * The return value is the display allocated or -1 if an error occurred.
+ */
+
+int
+get_xsockets (int *number, struct x_socket **sockets, int tcp_socket)
+{
+     int dpy;
+     struct x_socket *s;
+     int n;
+     int i;
+
+     s = malloc (sizeof(*s) * 5);
+     if (s == NULL)
+	 errx (1, "malloc: out of memory");
+
+     try_mkdir (X_UNIX_PATH);
+     try_mkdir (X_PIPE_PATH);
+
+     for(dpy = 4; dpy < 256; ++dpy) {
+	 char **path;
+	 int tmp = 0;
+
+	 n = 0;
+	 for (path = x_sockets; *path; ++path) {
+	     tmp = try_socket (&s[n], dpy, *path);
+	     if (tmp == -1) {
+		 if (errno != ENOTDIR && errno != ENOENT)
+		     return -1;
+	     } else if (tmp == 1) {
+		 while(--n >= 0) {
+		     close (s[n].fd);
+		     free (s[n].pathname);
+		 }
+		 break;
+	     } else if (tmp == 0)
+		 ++n;
+	 }
+	 if (tmp == 1)
+	     continue;
+
+#ifdef MAY_HAVE_X11_PIPES
+	 for (path = x_pipes; *path; ++path) {
+	     tmp = try_pipe (&s[n], dpy, *path);
+	     if (tmp == -1) {
+		 if (errno != ENOTDIR && errno != ENOENT && errno != ENOSYS)
+		     return -1;
+	     } else if (tmp == 1) {
+		 while (--n >= 0) {
+		     close (s[n].fd);
+		     free (s[n].pathname);
+		 }
+		 break;
+	     } else if (tmp == 0)
+		 ++n;
+	 }
+
+	 if (tmp == 1)
+	     continue;
+#endif
+
+	 if (tcp_socket) {
+	     tmp = try_tcp (&s[n], dpy);
+	     if (tmp == -1)
+		 return -1;
+	     else if (tmp == 1) {
+		 while (--n >= 0) {
+		     close (s[n].fd);
+		     free (s[n].pathname);
+		 }
+		 break;
+	     } else if (tmp == 0)
+		 ++n;
+	 }
+	 break;
+     }
+     if (dpy == 256)
+	 errx (1, "no free x-servers");
+     for (i = 0; i < n; ++i)
+	 if (s[i].flags & LISTENP
+	     && listen (s[i].fd, SOMAXCONN) < 0)
+	     err (1, "listen %s", s[i].pathname ? s[i].pathname : "tcp");
+     *number = n;
+     *sockets = s;
+     return dpy;
+}
+
+/*
+ * Change owner on the `n' sockets in `sockets' to `uid', `gid'.
+ * Return 0 is succesful or -1 if an error occurred.
+ */
+
+int
+chown_xsockets (int n, struct x_socket *sockets, uid_t uid, gid_t gid)
+{
+    int i;
+
+    for (i = 0; i < n; ++i)
+	if (sockets[i].pathname != NULL)
+	    if (chown (sockets[i].pathname, uid, gid) < 0)
+		return -1;
+    return 0;
+}
+
+/*
+ * Connect to local display `dnr' with local transport.
+ * Return a file descriptor.
+ */
+
+int
+connect_local_xsocket (unsigned dnr)
+{
+     int fd;
+     struct sockaddr_un addr;
+     char **path;
+
+     for (path = x_sockets; *path; ++path) {
+	 fd = socket (AF_UNIX, SOCK_STREAM, 0);
+	 if (fd < 0)
+	     err (1, "socket AF_UNIX");
+	 memset (&addr, 0, sizeof(addr));
+	 addr.sun_family = AF_UNIX;
+	 snprintf (addr.sun_path, sizeof(addr.sun_path), *path, dnr);
+	 if (connect (fd, (struct sockaddr *)&addr, sizeof(addr)) == 0)
+	     return fd;
+     }
+     err (1, "connecting to local display %u", dnr);
+}
+
+/*
+ * Create a cookie file with a random cookie for the localhost.  The
+ * file name will be stored in `xauthfile' (but not larger than
+ * `xauthfile_size'), and the cookie returned in `cookie', `cookie_sz'.
+ * Return 0 if succesful, or errno.
+ */
+
+int
+create_and_write_cookie (char *xauthfile,
+			 size_t xauthfile_size,
+			 u_char *cookie,
+			 size_t cookie_sz)
+{
+     Xauth auth;
+     char tmp[64];
+     int fd;
+     FILE *f;
+     char hostname[MaxHostNameLen];
+     struct in_addr loopback;
+     int saved_errno;
+
+     gethostname (hostname, sizeof(hostname));
+     loopback.s_addr = htonl(INADDR_LOOPBACK);
+     
+     auth.family = FamilyLocal;
+     auth.address = hostname;
+     auth.address_length = strlen(auth.address);
+     snprintf (tmp, sizeof(tmp), "%d", display_num);
+     auth.number_length = strlen(tmp);
+     auth.number = tmp;
+     auth.name = COOKIE_TYPE;
+     auth.name_length = strlen(auth.name);
+     auth.data_length = cookie_sz;
+     auth.data = (char*)cookie;
+#ifdef HAVE_OPENSSL_DES_H
+     krb5_generate_random_block (cookie, cookie_sz);
+#else
+     des_rand_data (cookie, cookie_sz);
+#endif
+
+     strlcpy(xauthfile, "/tmp/AXXXXXX", xauthfile_size);
+     fd = mkstemp(xauthfile);
+     if(fd < 0) {
+	 saved_errno = errno;
+	 syslog(LOG_ERR, "create_and_write_cookie: mkstemp: %m");
+         return saved_errno;
+     }
+     f = fdopen(fd, "r+");
+     if(f == NULL){
+	 saved_errno = errno;
+	 close(fd);
+	 return errno;
+     }
+     if(XauWriteAuth(f, &auth) == 0) {
+	 saved_errno = errno;
+	 fclose(f);
+	 return saved_errno;
+     }
+
+     /*
+      * I would like to write a cookie for localhost:n here, but some
+      * stupid code in libX11 will not look for cookies of that type,
+      * so we are forced to use FamilyWild instead.
+      */
+
+     auth.family  = FamilyWild;
+     auth.address_length = 0;
+
+#if 0 /* XXX */
+     auth.address = (char *)&loopback;
+     auth.address_length = sizeof(loopback);
+#endif
+
+     if (XauWriteAuth(f, &auth) == 0) {
+	 saved_errno = errno;
+	 fclose (f);
+	 return saved_errno;
+     }
+
+     if(fclose(f))
+	 return errno;
+     return 0;
+}
+
+/*
+ * Verify and remove cookies.  Read and parse a X-connection from
+ * `fd'. Check the cookie used is the same as in `cookie'.  Remove the
+ * cookie and copy the rest of it to `sock'.
+ * Expect cookies iff cookiesp.
+ * Return 0 iff ok.
+ *
+ * The protocol is as follows:
+ *
+ * C->S:	[Bl]				1
+ *		unused				1
+ *		protocol major version		2
+ *		protocol minor version		2
+ *		length of auth protocol name(n)	2
+ *		length of auth protocol data	2
+ *		unused				2
+ *		authorization protocol name	n
+ *		pad				pad(n)
+ *		authorization protocol data	d
+ *		pad				pad(d)
+ *
+ * S->C:	Failed
+ *		0				1
+ *		length of reason		1
+ *		protocol major version		2
+ *		protocol minor version		2
+ *		length in 4 bytes unit of
+ *		additional data (n+p)/4		2
+ *		reason				n
+ *		unused				p = pad(n)
+ */
+
+int
+verify_and_remove_cookies (int fd, int sock, int cookiesp)
+{
+     u_char beg[12];
+     int bigendianp;
+     unsigned n, d, npad, dpad;
+     char *protocol_name, *protocol_data;
+     u_char zeros[6] = {0, 0, 0, 0, 0, 0};
+     u_char refused[20] = {0, 10, 
+			   0, 0, /* protocol major version  */
+			   0, 0, /* protocol minor version */
+			   0, 0, /* length of additional data / 4 */
+			   'b', 'a', 'd', ' ', 'c', 'o', 'o', 'k', 'i', 'e',
+			   0, 0};
+
+     if (net_read (fd, beg, sizeof(beg)) != sizeof(beg))
+	  return 1;
+     if (net_write (sock, beg, 6) != 6)
+	  return 1;
+     bigendianp = beg[0] == 'B';
+     if (bigendianp) {
+	  n = (beg[6] << 8) | beg[7];
+	  d = (beg[8] << 8) | beg[9];
+     } else {
+	  n = (beg[7] << 8) | beg[6];
+	  d = (beg[9] << 8) | beg[8];
+     }
+     npad = (4 - (n % 4)) % 4;
+     dpad = (4 - (d % 4)) % 4;
+     protocol_name = malloc(n + npad);
+     if (n + npad != 0 && protocol_name == NULL)
+	 return 1;
+     protocol_data = malloc(d + dpad);
+     if (d + dpad != 0 && protocol_data == NULL) {
+	 free (protocol_name);
+	 return 1;
+     }
+     if (net_read (fd, protocol_name, n + npad) != n + npad)
+	 goto fail;
+     if (net_read (fd, protocol_data, d + dpad) != d + dpad)
+	 goto fail;
+     if (cookiesp) {
+	 if (strncmp (protocol_name, COOKIE_TYPE, strlen(COOKIE_TYPE)) != 0)
+	     goto refused;
+	 if (d != cookie_len ||
+	     memcmp (protocol_data, cookie, cookie_len) != 0)
+	     goto refused;
+     }
+     free (protocol_name);
+     free (protocol_data);
+     if (net_write (sock, zeros, 6) != 6)
+	  return 1;
+     return 0;
+refused:
+     refused[2] = beg[2];
+     refused[3] = beg[3];
+     refused[4] = beg[4];
+     refused[5] = beg[5];
+     if (bigendianp)
+	 refused[7] = 3;
+     else
+	 refused[6] = 3;
+
+     net_write (fd, refused, sizeof(refused));
+fail:
+     free (protocol_name);
+     free (protocol_data);
+     return 1;
+}
+
+/* 
+ * Return 0 iff `cookie' is compatible with the cookie for the
+ * localhost with name given in `ai' (or `hostname') and display
+ * number in `disp_nr'.
+ */
+
+static int
+match_local_auth (Xauth* auth,
+		  struct addrinfo *ai, const char *hostname, int disp_nr)
+{
+    int auth_disp;
+    char *tmp_disp;
+    struct addrinfo *a;
+    
+    tmp_disp = strndup (auth->number, auth->number_length);
+    if (tmp_disp == NULL)
+	return -1;
+    auth_disp = atoi(tmp_disp);
+    free (tmp_disp);
+    if (auth_disp != disp_nr)
+	return 1;
+    for (a = ai; a != NULL; a = a->ai_next) {
+	if ((auth->family == FamilyLocal
+	     || auth->family == FamilyWild)
+	    && a->ai_canonname != NULL
+	    && strncmp (auth->address,
+			a->ai_canonname,
+			auth->address_length) == 0)
+	    return 0;
+    }
+    if (hostname != NULL
+	&& (auth->family    == FamilyLocal
+	    || auth->family == FamilyWild)
+	&& strncmp (auth->address, hostname, auth->address_length) == 0)
+	return 0;
+    return 1;
+}
+
+/*
+ * Find `our' cookie from the cookie file `f' and return it or NULL.
+ */
+
+static Xauth*
+find_auth_cookie (FILE *f)
+{
+    Xauth *ret = NULL;
+    char local_hostname[MaxHostNameLen];
+    char *display = getenv("DISPLAY");
+    char d[MaxHostNameLen + 4];
+    char *colon;
+    struct addrinfo *ai;
+    struct addrinfo hints;
+    int disp;
+    int error;
+
+    if(display == NULL)
+	display = ":0";
+    strlcpy(d, display, sizeof(d));
+    display = d;
+    colon = strchr (display, ':');
+    if (colon == NULL)
+	disp = 0;
+    else {
+	*colon = '\0';
+	disp = atoi (colon + 1);
+    }
+    if (strcmp (display, "") == 0
+	|| strncmp (display, "unix", 4) == 0
+	|| strncmp (display, "localhost", 9) == 0) {
+	gethostname (local_hostname, sizeof(local_hostname));
+	display = local_hostname;
+    }
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_flags    = AI_CANONNAME;
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+
+    error = getaddrinfo (display, NULL, &hints, &ai);
+    if (error)
+	ai = NULL;
+
+    for (; (ret = XauReadAuth (f)) != NULL; XauDisposeAuth(ret)) {
+	if (match_local_auth (ret, ai, display, disp) == 0) {
+	    if (ai != NULL)
+		freeaddrinfo (ai);
+	    return ret;
+	}
+    }
+    if (ai != NULL)
+	freeaddrinfo (ai);
+    return NULL;
+}
+
+/*
+ * Get rid of the cookie that we were sent and get the correct one
+ * from our own cookie file instead.
+ */
+
+int
+replace_cookie(int xserver, int fd, char *filename, int cookiesp) /* XXX */
+{
+     u_char beg[12];
+     int bigendianp;
+     unsigned n, d, npad, dpad;
+     FILE *f;
+     u_char zeros[6] = {0, 0, 0, 0, 0, 0};
+
+     if (net_read (fd, beg, sizeof(beg)) != sizeof(beg))
+	  return 1;
+     if (net_write (xserver, beg, 6) != 6)
+	  return 1;
+     bigendianp = beg[0] == 'B';
+     if (bigendianp) {
+	  n = (beg[6] << 8) | beg[7];
+	  d = (beg[8] << 8) | beg[9];
+     } else {
+	  n = (beg[7] << 8) | beg[6];
+	  d = (beg[9] << 8) | beg[8];
+     }
+     if (n != 0 || d != 0)
+	  return 1;
+     f = fopen(filename, "r");
+     if (f != NULL) {
+	 Xauth *auth = find_auth_cookie (f);
+	 u_char len[6] = {0, 0, 0, 0, 0, 0};
+	 
+	 fclose (f);
+
+	 if (auth != NULL) {
+	     n = auth->name_length;
+	     d = auth->data_length;
+	 } else {
+	     n = 0;
+	     d = 0;
+	 }
+	 if (bigendianp) {
+	     len[0] = n >> 8;
+	     len[1] = n & 0xFF;
+	     len[2] = d >> 8;
+	     len[3] = d & 0xFF;
+	 } else {
+	     len[0] = n & 0xFF;
+	     len[1] = n >> 8;
+	     len[2] = d & 0xFF;
+	     len[3] = d >> 8;
+	 }
+	 if (net_write (xserver, len, 6) != 6) {
+	     XauDisposeAuth(auth);
+	     return 1;
+	 }
+	 if(n != 0 && net_write (xserver, auth->name, n) != n) {
+	     XauDisposeAuth(auth);
+	     return 1;
+	 }
+	 npad = (4 - (n % 4)) % 4;
+	 if (npad && net_write (xserver, zeros, npad) != npad) {
+	     XauDisposeAuth(auth);
+	     return 1;
+	 }
+	 if (d != 0 && net_write (xserver, auth->data, d) != d) {
+	     XauDisposeAuth(auth);
+	     return 1;
+	 }
+	 XauDisposeAuth(auth);
+	 dpad = (4 - (d % 4)) % 4;
+	 if (dpad && net_write (xserver, zeros, dpad) != dpad)
+	     return 1;
+     } else {
+	 if(net_write(xserver, zeros, 6) != 6)
+	     return 1;
+     }
+     return 0;
+}
+
+/*
+ * Some simple controls on the address and corresponding socket
+ */
+
+int
+suspicious_address (int sock, struct sockaddr_in addr)
+{
+    char data[40];
+    socklen_t len = sizeof(data);
+
+    return addr.sin_addr.s_addr != htonl(INADDR_LOOPBACK)
+#if defined(IP_OPTIONS) && defined(HAVE_GETSOCKOPT)
+	|| getsockopt (sock, IPPROTO_IP, IP_OPTIONS, data, &len) < 0
+	|| len != 0
+#endif
+    ;
+}
+
+/*
+ * This really sucks, but these functions are used and if we're not
+ * linking against libkrb they don't exist.  Using the heimdal storage
+ * functions will not work either cause we do not always link with
+ * libkrb5 either.
+ */
+
+#ifndef KRB4
+
+int
+krb_get_int(void *f, u_int32_t *to, int size, int lsb)
+{
+    int i;
+    unsigned char *from = (unsigned char *)f;
+
+    *to = 0;
+    if(lsb){
+	for(i = size-1; i >= 0; i--)
+	    *to = (*to << 8) | from[i];
+    }else{
+	for(i = 0; i < size; i++)
+	    *to = (*to << 8) | from[i];
+    }
+    return size;
+}
+
+int
+krb_put_int(u_int32_t from, void *to, size_t rem, int size)
+{
+    int i;
+    unsigned char *p = (unsigned char *)to;
+
+    if (rem < size)
+	return -1;
+
+    for(i = size - 1; i >= 0; i--){
+	p[i] = from & 0xff;
+	from >>= 8;
+    }
+    return size;
+}
+
+#endif /* !KRB4 */
diff --git a/crypto/heimdal/appl/kx/context.c b/crypto/heimdal/appl/kx/context.c
new file mode 100644
index 0000000..bbc8da9
--- /dev/null
+++ b/crypto/heimdal/appl/kx/context.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 1995 - 1999 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kx.h"
+
+RCSID("$Id: context.c,v 1.4 1999/12/02 16:58:32 joda Exp $");
+
+/*
+ * Set the common part of the context `kc'
+ */
+
+void
+context_set (kx_context *kc, const char *host, const char *user, int port,
+	     int debug_flag, int keepalive_flag, int tcp_flag)
+{
+    kc->host		= host;
+    kc->user		= user;
+    kc->port		= port;
+    kc->debug_flag	= debug_flag;
+    kc->keepalive_flag	= keepalive_flag;
+    kc->tcp_flag	= tcp_flag;
+}
+
+/*
+ * dispatch functions
+ */
+
+void
+context_destroy (kx_context *kc)
+{
+    (*kc->destroy)(kc);
+}
+
+int
+context_authenticate (kx_context *kc, int s)
+{
+    return (*kc->authenticate)(kc, s);
+}
+
+int
+context_userok (kx_context *kc, char *user)
+{
+    return (*kc->userok)(kc, user);
+}
+
+ssize_t
+kx_read (kx_context *kc, int fd, void *buf, size_t len)
+{
+    return (*kc->read)(kc, fd, buf, len);
+}
+
+ssize_t
+kx_write (kx_context *kc, int fd, const void *buf, size_t len)
+{
+    return (*kc->write)(kc, fd, buf, len);
+}
+
+int
+copy_encrypted (kx_context *kc, int fd1, int fd2)
+{
+    return (*kc->copy_encrypted)(kc, fd1, fd2);
+}
diff --git a/crypto/heimdal/appl/kx/krb4.c b/crypto/heimdal/appl/kx/krb4.c
new file mode 100644
index 0000000..07852c9
--- /dev/null
+++ b/crypto/heimdal/appl/kx/krb4.c
@@ -0,0 +1,361 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kx.h"
+
+RCSID("$Id: krb4.c,v 1.8 2000/10/08 13:19:22 assar Exp $");
+
+#ifdef KRB4
+
+struct krb4_kx_context {
+    des_cblock key;
+    des_key_schedule schedule;
+    AUTH_DAT auth;
+};
+
+typedef struct krb4_kx_context krb4_kx_context;
+
+/*
+ * Destroy the krb4 context in `c'.
+ */
+
+static void
+krb4_destroy (kx_context *c)
+{
+    memset (c->data, 0, sizeof(krb4_kx_context));
+    free (c->data);
+}
+
+/*
+ * Read the authentication information from `s' and return 0 if
+ * succesful, else -1.
+ */
+
+static int
+krb4_authenticate (kx_context *kc, int s)
+{
+    CREDENTIALS cred;
+    KTEXT_ST text;
+    MSG_DAT msg;
+    int status;
+    krb4_kx_context *c = (krb4_kx_context *)kc->data;
+    const char *host = kc->host;
+
+#ifdef HAVE_KRB_GET_OUR_IP_FOR_REALM
+    if (krb_get_config_bool("nat_in_use")) {
+	struct in_addr natAddr;
+
+	if (krb_get_our_ip_for_realm(krb_realmofhost(kc->host),
+				     &natAddr) == KSUCCESS
+	    || krb_get_our_ip_for_realm (NULL, &natAddr) == KSUCCESS)
+	    kc->thisaddr.sin_addr = natAddr;
+    }
+#endif
+
+    status = krb_sendauth (KOPT_DO_MUTUAL, s, &text, "rcmd",
+			   (char *)host, krb_realmofhost (host),
+			   getpid(), &msg, &cred, c->schedule,
+			   &kc->thisaddr, &kc->thataddr, KX_VERSION);
+    if (status != KSUCCESS) {
+	warnx ("%s: %s\n", host, krb_get_err_text(status));
+	return -1;
+    }
+    memcpy (c->key, cred.session, sizeof(des_cblock));
+    return 0;
+}
+
+/*
+ * Read a krb4 priv packet from `fd' into `buf' (of size `len').
+ * Return the number of bytes read or 0 on EOF or -1 on error.
+ */
+
+static ssize_t
+krb4_read (kx_context *kc,
+	   int fd, void *buf, size_t len)
+{
+    unsigned char tmp[4];
+    ssize_t ret;
+    size_t l;
+    int status;
+    krb4_kx_context *c = (krb4_kx_context *)kc->data;
+    MSG_DAT msg;
+
+    ret = krb_net_read (fd, tmp, 4);
+    if (ret == 0)
+	return ret;
+    if (ret != 4)
+	return -1;
+    l = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3];
+    if (l > len)
+	return -1;
+    if (krb_net_read (fd, buf, l) != l)
+	return -1;
+    status = krb_rd_priv (buf, l, c->schedule, &c->key,
+			  &kc->thataddr, &kc->thisaddr, &msg);
+    if (status != RD_AP_OK) {
+	warnx ("krb4_read: %s", krb_get_err_text(status));
+	return -1;
+    }
+    memmove (buf, msg.app_data, msg.app_length);
+    return msg.app_length;
+}
+
+/*
+ * Write a krb4 priv packet on `fd' with the data in `buf, len'.
+ * Return len or -1 on error
+ */
+
+static ssize_t
+krb4_write(kx_context *kc,
+	   int fd, const void *buf, size_t len)
+{
+    void *outbuf;
+    krb4_kx_context *c = (krb4_kx_context *)kc->data;
+    int outlen;
+    unsigned char tmp[4];
+
+    outbuf = malloc (len + 30);
+    if (outbuf == NULL)
+	return -1;
+    outlen = krb_mk_priv ((void *)buf, outbuf, len, c->schedule, &c->key,
+			  &kc->thisaddr, &kc->thataddr);
+    if (outlen < 0) {
+	free (outbuf);
+	return -1;
+    }
+    tmp[0] = (outlen >> 24) & 0xFF;
+    tmp[1] = (outlen >> 16) & 0xFF;
+    tmp[2] = (outlen >>  8) & 0xFF;
+    tmp[3] = (outlen >>  0) & 0xFF;
+
+    if (krb_net_write (fd, tmp, 4) != 4 ||
+	krb_net_write (fd, outbuf, outlen) != outlen) {
+	free (outbuf);
+	return -1;
+    }
+    free (outbuf);
+    return len;
+}
+
+/*
+ * Copy data from `fd1' to `fd2', {en,de}crypting with cfb64
+ * with `mode' and state stored in `iv', `schedule', and `num'.
+ * Return -1 if error, 0 if eof, else 1
+ */
+
+static int
+do_enccopy (int fd1, int fd2, int mode, des_cblock *iv,
+	    des_key_schedule schedule, int *num)
+{
+     int ret;
+     u_char buf[BUFSIZ];
+
+     ret = read (fd1, buf, sizeof(buf));
+     if (ret == 0)
+	  return 0;
+     if (ret < 0) {
+	 warn ("read");
+	 return ret;
+     }
+#ifndef NOENCRYPTION
+     des_cfb64_encrypt (buf, buf, ret, schedule, iv,
+			num, mode);
+#endif
+     ret = krb_net_write (fd2, buf, ret);
+     if (ret < 0) {
+	 warn ("write");
+	 return ret;
+     }
+     return 1;
+}
+
+/*
+ * Copy data between fd1 and fd2, encrypting one way and decrypting
+ * the other.
+ */
+
+static int
+krb4_copy_encrypted (kx_context *kc,
+		     int fd1, int fd2)
+{
+    krb4_kx_context *c = (krb4_kx_context *)kc->data;
+    des_cblock iv1, iv2;
+    int num1 = 0, num2 = 0;
+
+    memcpy (iv1, c->key, sizeof(iv1));
+    memcpy (iv2, c->key, sizeof(iv2));
+    for (;;) {
+	fd_set fdset;
+	int ret;
+
+	if (fd1 >= FD_SETSIZE || fd2 >= FD_SETSIZE) {
+	    warnx ("fd too large");
+	    return 1;
+	}
+
+	FD_ZERO(&fdset);
+	FD_SET(fd1, &fdset);
+	FD_SET(fd2, &fdset);
+
+	ret = select (max(fd1, fd2)+1, &fdset, NULL, NULL, NULL);
+	if (ret < 0 && errno != EINTR) {
+	    warn ("select");
+	    return 1;
+	}
+	if (FD_ISSET(fd1, &fdset)) {
+	    ret = do_enccopy (fd1, fd2, DES_ENCRYPT, &iv1, c->schedule, &num1);
+	    if (ret <= 0)
+		return ret;
+	}
+	if (FD_ISSET(fd2, &fdset)) {
+	    ret = do_enccopy (fd2, fd1, DES_DECRYPT, &iv2, c->schedule, &num2);
+	    if (ret <= 0)
+		return ret;
+	}
+    }
+}
+
+/*
+ * Return 0 if the user authenticated on `kc' is allowed to login as
+ * `user'.
+ */
+
+static int
+krb4_userok (kx_context *kc, char *user)
+{
+    krb4_kx_context *c = (krb4_kx_context *)kc->data;
+    char *tmp;
+
+    tmp = krb_unparse_name_long (c->auth.pname,
+				 c->auth.pinst,
+				 c->auth.prealm);
+    kc->user = strdup (tmp);
+    if (kc->user == NULL)
+	err (1, "malloc");
+
+
+    return kuserok (&c->auth, user);
+}
+
+/*
+ * Create an instance of an krb4 context.
+ */
+
+void
+krb4_make_context (kx_context *kc)
+{
+    kc->authenticate	= krb4_authenticate;
+    kc->userok		= krb4_userok;
+    kc->read		= krb4_read;
+    kc->write		= krb4_write;
+    kc->copy_encrypted	= krb4_copy_encrypted;
+    kc->destroy		= krb4_destroy;
+    kc->user		= NULL;
+    kc->data		= malloc(sizeof(krb4_kx_context));
+
+    if (kc->data == NULL)
+	err (1, "malloc");
+}
+
+/*
+ * Receive authentication information on `sock' (first four bytes
+ * in `buf').
+ */
+
+int
+recv_v4_auth (kx_context *kc, int sock, u_char *buf)
+{
+    int status;
+    KTEXT_ST ticket;
+    char instance[INST_SZ + 1];
+    char version[KRB_SENDAUTH_VLEN + 1];
+    krb4_kx_context *c;
+    AUTH_DAT auth;
+    des_key_schedule schedule;
+
+    if (memcmp (buf, KRB_SENDAUTH_VERS, 4) != 0)
+	return -1;
+    if (net_read (sock, buf + 4, KRB_SENDAUTH_VLEN - 4) !=
+	KRB_SENDAUTH_VLEN - 4) {
+	syslog (LOG_ERR, "read: %m");
+	exit (1);
+    }
+    if (memcmp (buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN) != 0) {
+	syslog (LOG_ERR, "unrecognized auth protocol: %.8s", buf);
+	exit (1);
+    }
+
+    k_getsockinst (sock, instance, sizeof(instance));
+    status = krb_recvauth (KOPT_IGNORE_PROTOCOL | KOPT_DO_MUTUAL,
+			   sock,
+			   &ticket,
+			   "rcmd",
+			   instance,
+			   &kc->thataddr,
+			   &kc->thisaddr,
+			   &auth,
+			   "",
+			   schedule,
+			   version);
+    if (status != KSUCCESS) {
+	syslog (LOG_ERR, "krb_recvauth: %s", krb_get_err_text(status));
+	exit (1);
+    }
+    if (strncmp (version, KX_VERSION, KRB_SENDAUTH_VLEN) != 0) {
+	 /* Try to be nice to old kx's */
+	 if (strncmp (version, KX_OLD_VERSION, KRB_SENDAUTH_VLEN) == 0) {
+	     char *old_errmsg = "\001Old version of kx. Please upgrade.";
+	     char user[64];
+
+	     syslog (LOG_ERR, "Old version client (%s)", version);
+
+	     krb_net_read (sock, user, sizeof(user));
+	     krb_net_write (sock, old_errmsg, strlen(old_errmsg) + 1);
+	     exit (1);
+	 } else {
+	     syslog (LOG_ERR, "bad version: %s", version);
+	     exit (1);
+	 }
+    }
+
+    krb4_make_context (kc);
+    c = (krb4_kx_context *)kc->data;
+
+    c->auth     = auth;
+    memcpy (c->key, &auth.session, sizeof(des_cblock));
+    memcpy (c->schedule, schedule, sizeof(schedule));
+
+    return 0;
+}
+
+#endif /* KRB4 */
diff --git a/crypto/heimdal/appl/kx/krb5.c b/crypto/heimdal/appl/kx/krb5.c
new file mode 100644
index 0000000..0b4a083
--- /dev/null
+++ b/crypto/heimdal/appl/kx/krb5.c
@@ -0,0 +1,421 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kx.h"
+
+RCSID("$Id: krb5.c,v 1.7 2000/12/31 07:32:03 assar Exp $");
+
+#ifdef KRB5
+
+struct krb5_kx_context {
+    krb5_context context;
+    krb5_keyblock *keyblock;
+    krb5_crypto crypto;
+    krb5_principal client;
+};
+
+typedef struct krb5_kx_context krb5_kx_context;
+
+/*
+ * Destroy the krb5 context in `c'.
+ */
+
+static void
+krb5_destroy (kx_context *c)
+{
+    krb5_kx_context *kc = (krb5_kx_context *)c->data;
+
+    if (kc->keyblock)
+	krb5_free_keyblock (kc->context, kc->keyblock);
+    if (kc->crypto)
+	krb5_crypto_destroy (kc->context, kc->crypto);
+    if (kc->client)
+	krb5_free_principal (kc->context, kc->client);
+    if (kc->context)
+	krb5_free_context (kc->context);
+    free (kc);
+}
+
+/*
+ * Read the authentication information from `s' and return 0 if
+ * succesful, else -1.
+ */
+
+static int
+krb5_authenticate (kx_context *kc, int s)
+{
+    krb5_kx_context *c = (krb5_kx_context *)kc->data;
+    krb5_context context = c->context;
+    krb5_auth_context auth_context = NULL;
+    krb5_error_code ret;
+    krb5_principal server;
+    const char *host = kc->host;
+
+    ret = krb5_sname_to_principal (context,
+				   host, "host", KRB5_NT_SRV_HST, &server);
+    if (ret) {
+	warnx ("krb5_sname_to_principal: %s: %s", host,
+	       krb5_get_err_text(context, ret));
+	return 1;
+    }
+
+    ret = krb5_sendauth (context,
+			 &auth_context,
+			 &s,
+			 KX_VERSION,
+			 NULL,
+			 server,
+			 AP_OPTS_MUTUAL_REQUIRED,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL);
+    if (ret) {
+	warnx ("krb5_sendauth: %s: %s", host,
+	       krb5_get_err_text(context, ret));
+	return 1;
+    }
+
+    ret = krb5_auth_con_getkey (context, auth_context, &c->keyblock);
+    if (ret) {
+	warnx ("krb5_auth_con_getkey: %s: %s", host,
+	       krb5_get_err_text(context, ret));
+	krb5_auth_con_free (context, auth_context);
+	return 1;
+    }
+    
+    ret = krb5_crypto_init (context, c->keyblock, 0, &c->crypto);
+    if (ret) {
+	warnx ("krb5_crypto_init: %s", krb5_get_err_text (context, ret));
+	krb5_auth_con_free (context, auth_context);
+	return 1;
+    }
+    return 0;
+}
+
+/*
+ * Read an encapsulated krb5 packet from `fd' into `buf' (of size
+ * `len').  Return the number of bytes read or 0 on EOF or -1 on
+ * error.
+ */
+
+static ssize_t
+krb5_read (kx_context *kc,
+	   int fd, void *buf, size_t len)
+{
+    krb5_kx_context *c = (krb5_kx_context *)kc->data;
+    krb5_context context = c->context;
+    size_t data_len, outer_len;
+    krb5_error_code ret;
+    unsigned char tmp[4];
+    krb5_data data;
+    int l;
+
+    l = krb5_net_read (context, &fd, tmp, 4);
+    if (l == 0)
+	return l;
+    if (l != 4)
+	return -1;
+    data_len  = (tmp[0] << 24) | (tmp[1] << 16) | (tmp[2] << 8) | tmp[3];
+    outer_len = krb5_get_wrapped_length (context, c->crypto, data_len);
+    if (outer_len > len)
+	return -1;
+    if (krb5_net_read (context, &fd, buf, outer_len) != outer_len)
+	return -1;
+
+    ret = krb5_decrypt (context, c->crypto, KRB5_KU_OTHER_ENCRYPTED,
+			buf, outer_len, &data);
+    if (ret) {
+	warnx ("krb5_decrypt: %s", krb5_get_err_text(context, ret));
+	return -1;
+    }
+    if (data_len > data.length) {
+	krb5_data_free (&data);
+	return -1;
+    }
+    memmove (buf, data.data, data_len);
+    krb5_data_free (&data);
+    return data_len;
+}
+
+/*
+ * Write an encapsulated krb5 packet on `fd' with the data in `buf,
+ * len'.  Return len or -1 on error.
+ */
+
+static ssize_t
+krb5_write(kx_context *kc,
+	   int fd, const void *buf, size_t len)
+{
+    krb5_kx_context *c = (krb5_kx_context *)kc->data;
+    krb5_context context = c->context;
+    krb5_data data;
+    krb5_error_code ret;
+    unsigned char tmp[4];
+    size_t outlen;
+
+    ret = krb5_encrypt (context, c->crypto, KRB5_KU_OTHER_ENCRYPTED,
+			(void *)buf, len, &data);
+    if (ret){
+	warnx ("krb5_write: %s", krb5_get_err_text (context, ret));
+	return -1;
+    }
+
+    outlen = data.length;
+    tmp[0] = (len >> 24) & 0xFF;
+    tmp[1] = (len >> 16) & 0xFF;
+    tmp[2] = (len >>  8) & 0xFF;
+    tmp[3] = (len >>  0) & 0xFF;
+
+    if (krb5_net_write (context, &fd, tmp, 4) != 4 ||
+	krb5_net_write (context, &fd, data.data, outlen) != outlen) {
+	krb5_data_free (&data);
+	return -1;
+    }
+    krb5_data_free (&data);
+    return len;
+}
+
+/*
+ * Copy from the unix socket `from_fd' encrypting to `to_fd'.
+ * Return 0, -1 or len.
+ */
+
+static int
+copy_out (kx_context *kc, int from_fd, int to_fd)
+{
+    char buf[32768];
+    ssize_t len;
+
+    len = read (from_fd, buf, sizeof(buf));
+    if (len == 0)
+	return 0;
+    if (len < 0) {
+	warn ("read");
+	return len;
+    }
+    return krb5_write (kc, to_fd, buf, len);
+}
+	
+/*
+ * Copy from the socket `from_fd' decrypting to `to_fd'.
+ * Return 0, -1 or len.
+ */
+
+static int
+copy_in (kx_context *kc, int from_fd, int to_fd)
+{
+    krb5_kx_context *c = (krb5_kx_context *)kc->data;
+    char buf[33000];		/* XXX */
+
+    ssize_t len;
+
+    len = krb5_read (kc, from_fd, buf, sizeof(buf));
+    if (len == 0)
+	return 0;
+    if (len < 0) {
+	warn ("krb5_read");
+	return len;
+    }
+
+    return krb5_net_write (c->context, &to_fd, buf, len);
+}
+
+/*
+ * Copy data between `fd1' and `fd2', encrypting in one direction and
+ * decrypting in the other.
+ */
+
+static int
+krb5_copy_encrypted (kx_context *kc, int fd1, int fd2)
+{
+    for (;;) {
+	fd_set fdset;
+	int ret;
+
+	if (fd1 >= FD_SETSIZE || fd2 >= FD_SETSIZE) {
+	    warnx ("fd too large");
+	    return 1;
+	}
+
+	FD_ZERO(&fdset);
+	FD_SET(fd1, &fdset);
+	FD_SET(fd2, &fdset);
+
+	ret = select (max(fd1, fd2)+1, &fdset, NULL, NULL, NULL);
+	if (ret < 0 && errno != EINTR) {
+	    warn ("select");
+	    return 1;
+	}
+	if (FD_ISSET(fd1, &fdset)) {
+	    ret = copy_out (kc, fd1, fd2);
+	    if (ret <= 0)
+		return ret;
+	}
+	if (FD_ISSET(fd2, &fdset)) {
+	    ret = copy_in (kc, fd2, fd1);
+	    if (ret <= 0)
+		return ret;
+	}
+    }
+}
+
+/*
+ * Return 0 if the user authenticated on `kc' is allowed to login as
+ * `user'.
+ */
+
+static int
+krb5_userok (kx_context *kc, char *user)
+{
+    krb5_kx_context *c = (krb5_kx_context *)kc->data;
+    krb5_context context = c->context;
+    krb5_error_code ret;
+    char *tmp;
+
+    ret = krb5_unparse_name (context, c->client, &tmp);
+    if (ret)
+	krb5_err (context, 1, ret, "krb5_unparse_name");
+    kc->user = tmp;
+
+    return !krb5_kuserok (context, c->client, user);
+}
+
+/*
+ * Create an instance of an krb5 context.
+ */
+
+void
+krb5_make_context (kx_context *kc)
+{
+    krb5_kx_context *c;
+    krb5_error_code ret;
+
+    kc->authenticate	= krb5_authenticate;
+    kc->userok		= krb5_userok;
+    kc->read		= krb5_read;
+    kc->write		= krb5_write;
+    kc->copy_encrypted	= krb5_copy_encrypted;
+    kc->destroy		= krb5_destroy;
+    kc->user		= NULL;
+    kc->data		= malloc(sizeof(krb5_kx_context));
+
+    if (kc->data == NULL)
+	err (1, "malloc");
+    memset (kc->data, 0, sizeof(krb5_kx_context));
+    c = (krb5_kx_context *)kc->data;
+    ret = krb5_init_context (&c->context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+}
+
+/*
+ * Receive authentication information on `sock' (first four bytes
+ * in `buf').
+ */
+
+int
+recv_v5_auth (kx_context *kc, int sock, u_char *buf)
+{
+    u_int32_t len;
+    krb5_error_code ret;
+    krb5_kx_context *c;
+    krb5_context context;
+    krb5_principal server;
+    krb5_auth_context auth_context = NULL;
+    krb5_ticket *ticket;
+
+    if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0)
+	return 1;
+    len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3]);
+    if (net_read(sock, buf, len) != len) {
+	syslog (LOG_ERR, "read: %m");
+	exit (1);
+    }
+    if (len != sizeof(KRB5_SENDAUTH_VERSION)
+	|| memcmp (buf, KRB5_SENDAUTH_VERSION, len) != 0) {
+	syslog (LOG_ERR, "bad sendauth version: %.8s", buf);
+	exit (1);
+    }
+
+    krb5_make_context (kc);
+    c = (krb5_kx_context *)kc->data;
+    context = c->context;
+
+    ret = krb5_sock_to_principal (context, sock, "host",
+				  KRB5_NT_SRV_HST, &server);
+    if (ret) {
+	syslog (LOG_ERR, "krb5_sock_to_principal: %s",
+		krb5_get_err_text (context, ret));
+	exit (1);
+    }
+
+    ret = krb5_recvauth (context,
+			 &auth_context,
+			 &sock,
+			 KX_VERSION,
+			 server,
+			 KRB5_RECVAUTH_IGNORE_VERSION,
+			 NULL,
+			 &ticket);
+    krb5_free_principal (context, server);
+    if (ret) {
+	syslog (LOG_ERR, "krb5_sock_to_principal: %s",
+		krb5_get_err_text (context, ret));
+	exit (1);
+    }
+
+    ret = krb5_auth_con_getkey (context, auth_context, &c->keyblock);
+    if (ret) {
+	syslog (LOG_ERR, "krb5_auth_con_getkey: %s",
+		krb5_get_err_text (context, ret));
+	exit (1);
+    }
+
+    ret = krb5_crypto_init (context, c->keyblock, 0, &c->crypto);
+    if (ret) {
+	syslog (LOG_ERR, "krb5_crypto_init: %s",
+		krb5_get_err_text (context, ret));
+	exit (1);
+    }
+
+    c->client = ticket->client;
+    ticket->client = NULL;
+    krb5_free_ticket (context, ticket);
+
+    return 0;
+}
+
+#endif /* KRB5 */
diff --git a/crypto/heimdal/appl/kx/kx.1 b/crypto/heimdal/appl/kx/kx.1
new file mode 100644
index 0000000..fe621d8
--- /dev/null
+++ b/crypto/heimdal/appl/kx/kx.1
@@ -0,0 +1,62 @@
+.\" $Id: kx.1,v 1.7 1997/09/01 15:59:07 assar Exp $
+.\"
+.Dd September 27, 1996
+.Dt KX 1
+.Os KTH-KRB
+.Sh NAME
+.Nm kx
+.Nd
+securely forward X conections
+.Sh SYNOPSIS
+.Ar kx
+.Op Fl l Ar username
+.Op Fl k
+.Op Fl d
+.Op Fl t
+.Op Fl p Ar port
+.Op Fl P
+.Ar host
+.Sh DESCRIPTION
+The
+.Nm
+program forwards a X connection from a remote client to a local screen
+through an authenticated and encrypted stream.  Options supported by
+.Nm kx :
+.Bl -tag -width Ds
+.It Fl l
+Log in on remote the host as user
+.Ar username .
+.It Fl k
+Do not enable keep-alives on the TCP connections.
+.It Fl d
+Do not fork. This is mainly useful for debugging.
+.It Fl t
+Listen not only on a UNIX-domain socket but on a TCP socket as well.
+.It Fl p
+Use the port
+.Ar port .
+.It Fl P
+Force passive mode.
+.El
+.Pp
+This program is used by
+.Nm rxtelnet
+and
+.Nm rxterm
+and you should not need to run it directly.
+.Pp
+It connects to a
+.Nm kxd
+on the host
+.Ar host
+and then will relay the traffic from the remote X clients to the local
+server.  When started, it prints the display and Xauthority-file to be
+used on host
+.Ar host
+and then goes to the background, waiting for connections from the
+remote
+.Nm kxd.
+.Sh SEE ALSO
+.Xr rxtelnet 1 ,
+.Xr rxterm 1 ,
+.Xr kxd 8
diff --git a/crypto/heimdal/appl/kx/kx.c b/crypto/heimdal/appl/kx/kx.c
new file mode 100644
index 0000000..63e1595
--- /dev/null
+++ b/crypto/heimdal/appl/kx/kx.c
@@ -0,0 +1,765 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kx.h"
+
+RCSID("$Id: kx.c,v 1.68 2001/02/20 01:44:45 assar Exp $");
+
+static int nchild;
+static int donep;
+
+/*
+ * Signal handler that justs waits for the children when they die.
+ */
+
+static RETSIGTYPE
+childhandler (int sig)
+{
+     pid_t pid;
+     int status;
+
+     do { 
+	 pid = waitpid (-1, &status, WNOHANG|WUNTRACED);
+	 if (pid > 0 && (WIFEXITED(status) || WIFSIGNALED(status)))
+	     if (--nchild == 0 && donep)
+		 exit (0);
+     } while(pid > 0);
+     signal (SIGCHLD, childhandler);
+     SIGRETURN(0);
+}
+
+/*
+ * Handler for SIGUSR1.
+ * This signal means that we should wait until there are no children
+ * left and then exit.
+ */
+
+static RETSIGTYPE
+usr1handler (int sig)
+{
+    donep = 1;
+
+    SIGRETURN(0);
+}
+
+/*
+ * Almost the same as for SIGUSR1, except we should exit immediately
+ * if there are no active children.
+ */
+
+static RETSIGTYPE
+usr2handler (int sig)
+{
+    donep = 1;
+    if (nchild == 0)
+	exit (0);
+
+    SIGRETURN(0);
+}
+
+/*
+ * Establish authenticated connection.  Return socket or -1.
+ */
+
+static int
+connect_host (kx_context *kc)
+{
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    int error;
+    char portstr[NI_MAXSERV];
+    socklen_t addrlen;
+    int s;
+    struct sockaddr_storage thisaddr_ss;
+    struct sockaddr *thisaddr = (struct sockaddr *)&thisaddr_ss;
+
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_protocol = IPPROTO_TCP;
+
+    snprintf (portstr, sizeof(portstr), "%u", ntohs(kc->port));
+
+    error = getaddrinfo (kc->host, portstr, &hints, &ai);
+    if (error) {
+	warnx ("%s: %s", kc->host, gai_strerror(error));
+	return -1;
+    }
+    
+    for (a = ai; a != NULL; a = a->ai_next) {
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    warn ("connect(%s)", kc->host);
+	    close (s);
+	    continue;
+	}
+	break;
+    }
+
+    if (a == NULL) {
+	freeaddrinfo (ai);
+	return -1;
+    }
+
+    addrlen = a->ai_addrlen;
+    if (getsockname (s, thisaddr, &addrlen) < 0 ||
+	addrlen != a->ai_addrlen)
+	err(1, "getsockname(%s)", kc->host);
+    memcpy (&kc->thisaddr, thisaddr, sizeof(kc->thisaddr));
+    memcpy (&kc->thataddr, a->ai_addr, sizeof(kc->thataddr));
+    freeaddrinfo (ai);
+    if ((*kc->authenticate)(kc, s))
+	return -1;
+    return s;
+}
+
+/*
+ * Get rid of the cookie that we were sent and get the correct one
+ * from our own cookie file instead and then just copy data in both
+ * directions.
+ */
+
+static int
+passive_session (int xserver, int fd, kx_context *kc)
+{
+    if (replace_cookie (xserver, fd, XauFileName(), 1))
+	return 1;
+    else
+	return copy_encrypted (kc, xserver, fd);
+}
+
+static int
+active_session (int xserver, int fd, kx_context *kc)
+{
+    if (verify_and_remove_cookies (xserver, fd, 1))
+	return 1;
+    else
+	return copy_encrypted (kc, xserver, fd);
+}
+
+/*
+ * fork (unless debugp) and print the output that will be used by the
+ * script to capture the display, xauth cookie and pid.
+ */
+
+static void
+status_output (int debugp)
+{
+    if(debugp)
+	printf ("%u\t%s\t%s\n", (unsigned)getpid(), display, xauthfile);
+    else {
+	pid_t pid;
+	
+	pid = fork();
+	if (pid < 0) {
+	    err(1, "fork");
+	} else if (pid > 0) {
+	    printf ("%u\t%s\t%s\n", (unsigned)pid, display, xauthfile);
+	    exit (0);
+	} else {
+	    fclose(stdout);
+	}
+    }
+}
+
+/*
+ * Obtain an authenticated connection on `kc'.  Send a kx message
+ * saying we are `kc->user' and want to use passive mode.  Wait for
+ * answer on that connection and fork of a child for every new
+ * connection we have to make.
+ */
+
+static int
+doit_passive (kx_context *kc)
+{
+     int otherside;
+     u_char msg[1024], *p;
+     int len;
+     u_int32_t tmp;
+     const char *host = kc->host;
+
+     otherside = connect_host (kc);
+
+     if (otherside < 0)
+	 return 1;
+#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
+     if (kc->keepalive_flag) {
+	 int one = 1;
+
+	 setsockopt (otherside, SOL_SOCKET, SO_KEEPALIVE, (void *)&one,
+		     sizeof(one));
+     }
+#endif
+
+     p = msg;
+     *p++ = INIT;
+     len = strlen(kc->user);
+     p += KRB_PUT_INT (len, p, sizeof(msg) - 1, 4);
+     memcpy(p, kc->user, len);
+     p += len;
+     *p++ = PASSIVE | (kc->keepalive_flag ? KEEP_ALIVE : 0);
+     if (kx_write (kc, otherside, msg, p - msg) != p - msg)
+	 err (1, "write to %s", host);
+     len = kx_read (kc, otherside, msg, sizeof(msg));
+     if (len <= 0)
+	 errx (1,
+	       "error reading initial message from %s: "
+	       "this probably means it's using an old version.",
+	       host);
+     p = (u_char *)msg;
+     if (*p == ERROR) {
+	 p++;
+	 p += krb_get_int (p, &tmp, 4, 0);
+	 errx (1, "%s: %.*s", host, (int)tmp, p);
+     } else if (*p != ACK) {
+	 errx (1, "%s: strange msg %d", host, *p);
+     } else
+	 p++;
+     p += krb_get_int (p, &tmp, 4, 0);
+     memcpy(display, p, tmp);
+     display[tmp] = '\0';
+     p += tmp;
+
+     p += krb_get_int (p, &tmp, 4, 0);
+     memcpy(xauthfile, p, tmp);
+     xauthfile[tmp] = '\0';
+     p += tmp;
+
+     status_output (kc->debug_flag);
+     for (;;) {
+	 pid_t child;
+
+	 len = kx_read (kc, otherside, msg, sizeof(msg));
+	 if (len < 0)
+	     err (1, "read from %s", host);
+	 else if (len == 0)
+	     return 0;
+
+	 p = (u_char *)msg;
+	 if (*p == ERROR) {
+	     p++;
+	     p += krb_get_int (p, &tmp, 4, 0);
+	     errx (1, "%s: %.*s", host, (int)tmp, p);
+	 } else if(*p != NEW_CONN) {
+	     errx (1, "%s: strange msg %d", host, *p);
+	 } else {
+	     p++;
+	     p += krb_get_int (p, &tmp, 4, 0);
+	 }
+	 
+	 ++nchild;
+	 child = fork ();
+	 if (child < 0) {
+	     warn("fork");
+	     continue;
+	 } else if (child == 0) {
+	     struct sockaddr_in addr;
+	     int fd;
+	     int xserver;
+
+	     addr = kc->thataddr;
+	     close (otherside);
+
+	     addr.sin_port = htons(tmp);
+	     fd = socket (AF_INET, SOCK_STREAM, 0);
+	     if (fd < 0)
+		 err(1, "socket");
+#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT)
+	     {
+		 int one = 1;
+
+		 setsockopt (fd, IPPROTO_TCP, TCP_NODELAY, (void *)&one,
+			     sizeof(one));
+	     }
+#endif
+#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
+	     if (kc->keepalive_flag) {
+		 int one = 1;
+
+		 setsockopt (fd, SOL_SOCKET, SO_KEEPALIVE, (void *)&one,
+			     sizeof(one));
+	     }
+#endif
+
+	     if (connect (fd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+		 err(1, "connect(%s)", host);
+	     {
+		 int d = 0;
+		 char *s;
+
+		 s = getenv ("DISPLAY");
+		 if (s != NULL) {
+		     s = strchr (s, ':');
+		     if (s != NULL)
+			 d = atoi (s + 1);
+		 }
+
+		 xserver = connect_local_xsocket (d);
+		 if (xserver < 0)
+		     return 1;
+	     }
+	     return passive_session (xserver, fd, kc);
+	 } else {
+	 }
+     }
+}
+
+/*
+ * Allocate a local pseudo-xserver and wait for connections 
+ */
+
+static int
+doit_active (kx_context *kc)
+{
+    int otherside;
+    int nsockets;
+    struct x_socket *sockets;
+    u_char msg[1024], *p;
+    int len = strlen(kc->user);
+    int tmp, tmp2;
+    char *s;
+    int i;
+    size_t rem;
+    u_int32_t other_port;
+    int error;
+    const char *host = kc->host;
+
+    otherside = connect_host (kc);
+    if (otherside < 0)
+	return 1;
+#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
+    if (kc->keepalive_flag) {
+	int one = 1;
+
+	setsockopt (otherside, SOL_SOCKET, SO_KEEPALIVE, (void *)&one,
+		    sizeof(one));
+    }
+#endif
+    p = msg;
+    rem = sizeof(msg);
+    *p++ = INIT;
+    --rem;
+    len = strlen(kc->user);
+    tmp = KRB_PUT_INT (len, p, rem, 4);
+    if (tmp < 0)
+	return 1;
+    p += tmp;
+    rem -= tmp;
+    memcpy(p, kc->user, len);
+    p += len;
+    rem -= len;
+    *p++ = (kc->keepalive_flag ? KEEP_ALIVE : 0);
+    --rem;
+
+    s = getenv("DISPLAY");
+    if (s == NULL || (s = strchr(s, ':')) == NULL) 
+	s = ":0";
+    len = strlen (s);
+    tmp = KRB_PUT_INT (len, p, rem, 4);
+    if (tmp < 0)
+	return 1;
+    rem -= tmp;
+    p += tmp;
+    memcpy (p, s, len);
+    p += len;
+    rem -= len;
+
+    s = getenv("XAUTHORITY");
+    if (s == NULL)
+	s = "";
+    len = strlen (s);
+    tmp = KRB_PUT_INT (len, p, rem, 4);
+    if (tmp < 0)
+	return 1;
+    p += len;
+    rem -= len;
+    memcpy (p, s, len);
+    p += len;
+    rem -= len;
+
+    if (kx_write (kc, otherside, msg, p - msg) != p - msg)
+	err (1, "write to %s", host);
+
+    len = kx_read (kc, otherside, msg, sizeof(msg));
+    if (len < 0)
+	err (1, "read from %s", host);
+    p = (u_char *)msg;
+    if (*p == ERROR) {
+	u_int32_t u32;
+
+	p++;
+	p += krb_get_int (p, &u32, 4, 0);
+	errx (1, "%s: %.*s", host, (int)u32, p);
+    } else if (*p != ACK) {
+	errx (1, "%s: strange msg %d", host, *p);
+    } else
+	p++;
+
+    tmp2 = get_xsockets (&nsockets, &sockets, kc->tcp_flag);
+    if (tmp2 < 0)
+	return 1;
+    display_num = tmp2;
+    if (kc->tcp_flag)
+	snprintf (display, display_size, "localhost:%u", display_num);
+    else
+	snprintf (display, display_size, ":%u", display_num);
+    error = create_and_write_cookie (xauthfile, xauthfile_size,
+				     cookie, cookie_len);
+    if (error) {
+	warnx ("failed creating cookie file: %s", strerror(error));
+	return 1;
+    }
+    status_output (kc->debug_flag);
+    for (;;) {
+	fd_set fdset;
+	pid_t child;
+	int fd, thisfd = -1;
+	socklen_t zero = 0;
+
+	FD_ZERO(&fdset);
+	for (i = 0; i < nsockets; ++i) {
+	    if (sockets[i].fd >= FD_SETSIZE) 
+		errx (1, "fd too large");
+	    FD_SET(sockets[i].fd, &fdset);
+	}
+	if (select(FD_SETSIZE, &fdset, NULL, NULL, NULL) <= 0)
+	    continue;
+	for (i = 0; i < nsockets; ++i)
+	    if (FD_ISSET(sockets[i].fd, &fdset)) {
+		thisfd = sockets[i].fd;
+		break;
+	    }
+	fd = accept (thisfd, NULL, &zero);
+	if (fd < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		err(1, "accept");
+	}
+
+	p = msg;
+	*p++ = NEW_CONN;
+	if (kx_write (kc, otherside, msg, p - msg) != p - msg)
+	    err (1, "write to %s", host);
+	len = kx_read (kc, otherside, msg, sizeof(msg));
+	if (len < 0)
+	    err (1, "read from %s", host);
+	p = (u_char *)msg;
+	if (*p == ERROR) {
+	    u_int32_t val;
+
+	    p++;
+	    p += krb_get_int (p, &val, 4, 0);
+	    errx (1, "%s: %.*s", host, (int)val, p);
+	} else if (*p != NEW_CONN) {
+	    errx (1, "%s: strange msg %d", host, *p);
+	} else {
+	    p++;
+	    p += krb_get_int (p, &other_port, 4, 0);
+	}
+
+	++nchild;
+	child = fork ();
+	if (child < 0) {
+	    warn("fork");
+	    continue;
+	} else if (child == 0) {
+	    int s;
+	    struct sockaddr_in addr;
+
+	    for (i = 0; i < nsockets; ++i)
+		close (sockets[i].fd);
+
+	    addr = kc->thataddr;
+	    close (otherside);
+
+	    addr.sin_port = htons(other_port);
+	    s = socket (AF_INET, SOCK_STREAM, 0);
+	    if (s < 0)
+		err(1, "socket");
+#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT)
+	    {
+		int one = 1;
+
+		setsockopt (s, IPPROTO_TCP, TCP_NODELAY, (void *)&one,
+			    sizeof(one));
+	    }
+#endif
+#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
+	    if (kc->keepalive_flag) {
+		int one = 1;
+
+		setsockopt (s, SOL_SOCKET, SO_KEEPALIVE, (void *)&one,
+			    sizeof(one));
+	    }
+#endif
+
+	    if (connect (s, (struct sockaddr *)&addr, sizeof(addr)) < 0)
+		err(1, "connect");
+
+	    return active_session (fd, s, kc);
+	} else {
+	    close (fd);
+	}
+    }
+}
+
+/*
+ * Should we interpret `disp' as this being a passive call?
+ */
+
+static int
+check_for_passive (const char *disp)
+{
+    char local_hostname[MaxHostNameLen];
+
+    gethostname (local_hostname, sizeof(local_hostname));
+
+    return disp != NULL &&
+	(*disp == ':'
+	 || strncmp(disp, "unix", 4) == 0
+	 || strncmp(disp, "localhost", 9) == 0
+	 || strncmp(disp, local_hostname, strlen(local_hostname)) == 0);
+}
+
+/*
+ * Set up signal handlers and then call the functions.
+ */
+
+static int
+doit (kx_context *kc, int passive_flag)
+{
+    signal (SIGCHLD, childhandler);
+    signal (SIGUSR1, usr1handler);
+    signal (SIGUSR2, usr2handler);
+    if (passive_flag)
+	return doit_passive (kc);
+    else
+	return doit_active  (kc);
+}
+
+#ifdef KRB4
+
+/*
+ * Start a v4-authenticatated kx connection.
+ */
+
+static int
+doit_v4 (const char *host, int port, const char *user, 
+	 int passive_flag, int debug_flag, int keepalive_flag, int tcp_flag)
+{
+    int ret;
+    kx_context context;
+
+    krb4_make_context (&context);
+    context_set (&context,
+		 host, user, port, debug_flag, keepalive_flag, tcp_flag);
+
+    ret = doit (&context, passive_flag);
+    context_destroy (&context);
+    return ret;
+}
+#endif /* KRB4 */
+
+#ifdef KRB5
+
+/*
+ * Start a v5-authenticatated kx connection.
+ */
+
+static int
+doit_v5 (const char *host, int port, const char *user,
+	 int passive_flag, int debug_flag, int keepalive_flag, int tcp_flag)
+{
+    int ret;
+    kx_context context;
+
+    krb5_make_context (&context);
+    context_set (&context,
+		 host, user, port, debug_flag, keepalive_flag, tcp_flag);
+
+    ret = doit (&context, passive_flag);
+    context_destroy (&context);
+    return ret;
+}
+#endif /* KRB5 */
+
+/*
+ * Variables set from the arguments
+ */
+
+#ifdef KRB4
+static int use_v4		= -1;
+#ifdef HAVE_KRB_ENABLE_DEBUG
+static int krb_debug_flag	= 0;
+#endif /* HAVE_KRB_ENABLE_DEBUG */
+#endif /* KRB4 */
+#ifdef KRB5
+static int use_v5		= -1;
+#endif
+static char *port_str		= NULL;
+static const char *user		= NULL;
+static int tcp_flag		= 0;
+static int passive_flag		= 0;
+static int keepalive_flag	= 1;
+static int debug_flag		= 0;
+static int version_flag		= 0;
+static int help_flag		= 0;
+
+struct getargs args[] = {
+#ifdef KRB4
+    { "krb4",	'4', arg_flag,		&use_v4,	"Use Kerberos V4",
+      NULL },
+#ifdef HAVE_KRB_ENABLE_DEBUG
+    { "krb4-debug", 'D', arg_flag,	&krb_debug_flag,
+      "enable krb4 debugging" },
+#endif /* HAVE_KRB_ENABLE_DEBUG */
+#endif /* KRB4 */
+#ifdef KRB5
+    { "krb5",	'5', arg_flag,		&use_v5,	"Use Kerberos V5",
+      NULL },
+#endif
+    { "port",	'p', arg_string,	&port_str,	"Use this port",
+      "number-of-service" },
+    { "user",	'l', arg_string,	&user,		"Run as this user",
+      NULL },
+    { "tcp",	't', arg_flag,		&tcp_flag,
+      "Use a TCP connection for X11" },
+    { "passive", 'P', arg_flag,		&passive_flag,
+      "Force a passive connection" },
+    { "keepalive", 'k', arg_negative_flag, &keepalive_flag,
+      "disable keep-alives" },
+    { "debug",	'd',	arg_flag,	&debug_flag,
+      "Enable debug information" },
+    { "version", 0,  arg_flag,		&version_flag,	"Print version",
+      NULL },
+    { "help",	 0,  arg_flag,		&help_flag,	NULL,
+      NULL }
+};
+
+static void
+usage(int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "host");
+    exit (ret);
+}
+
+/*
+ * kx - forward an x-connection over a kerberos-encrypted channel.
+ */
+
+int
+main(int argc, char **argv)
+{
+    int port	= 0;
+    int optind	= 0;
+    int ret	= 1;
+    char *host	= NULL;
+
+    setprogname (argv[0]);
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+
+    if (help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version (NULL);
+	return 0;
+    }
+
+    if (optind != argc - 1)
+	usage (1);
+
+    host = argv[optind];
+
+    if (port_str) {
+	struct servent *s = roken_getservbyname (port_str, "tcp");
+
+	if (s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+
+    if (user == NULL) {
+	user = get_default_username ();
+	if (user == NULL)
+	    errx (1, "who are you?");
+    }
+
+    if (!passive_flag)
+	passive_flag = check_for_passive (getenv("DISPLAY"));
+
+#if defined(HAVE_KERNEL_ENABLE_DEBUG)
+    if (krb_debug_flag)
+	krb_enable_debug ();
+#endif
+
+#if defined(KRB4) && defined(KRB5)
+    if(use_v4 == -1 && use_v5 == 1)
+	use_v4 = 0;
+    if(use_v5 == -1 && use_v4 == 1)
+	use_v5 = 0;
+#endif    
+
+#ifdef KRB5
+    if (ret && use_v5) {
+	if (port == 0)
+	    port = krb5_getportbyname(NULL, "kx", "tcp", KX_PORT);
+	ret = doit_v5 (host, port, user,
+		       passive_flag, debug_flag, keepalive_flag, tcp_flag);
+    }
+#endif
+#ifdef KRB4
+    if (ret && use_v4) {
+	if (port == 0)
+	    port = k_getportbyname("kx", "tcp", htons(KX_PORT));
+	ret = doit_v4 (host, port, user, 
+		       passive_flag, debug_flag, keepalive_flag, tcp_flag);
+    }
+#endif
+    return ret;
+}
diff --git a/crypto/heimdal/appl/kx/kx.cat1 b/crypto/heimdal/appl/kx/kx.cat1
new file mode 100644
index 0000000..ce22926
--- /dev/null
+++ b/crypto/heimdal/appl/kx/kx.cat1
@@ -0,0 +1,39 @@
+
+KX(1)                        UNIX Reference Manual                       KX(1)
+
+NNAAMMEE
+     kkxx - securely forward X conections
+
+SSYYNNOOPPSSIISS
+     _k_x [--ll _u_s_e_r_n_a_m_e] [--kk] [--dd] [--tt] [--pp _p_o_r_t] [--PP] _h_o_s_t
+
+DDEESSCCRRIIPPTTIIOONN
+     The kkxx program forwards a X connection from a remote client to a local
+     screen through an authenticated and encrypted stream.  Options supported
+     by kkxx:
+
+     --ll      Log in on remote the host as user _u_s_e_r_n_a_m_e.
+
+     --kk      Do not enable keep-alives on the TCP connections.
+
+     --dd      Do not fork. This is mainly useful for debugging.
+
+     --tt      Listen not only on a UNIX-domain socket but on a TCP socket as
+             well.
+
+     --pp      Use the port _p_o_r_t.
+
+     --PP      Force passive mode.
+
+     This program is used by rrxxtteellnneett and rrxxtteerrmm and you should not need to
+     run it directly.
+
+     It connects to a kkxxdd on the host _h_o_s_t and then will relay the traffic
+     from the remote X clients to the local server.  When started, it prints
+     the display and Xauthority-file to be used on host _h_o_s_t and then goes to
+     the background, waiting for connections from the remote kkxxdd..
+
+SSEEEE AALLSSOO
+     rxtelnet(1),  rxterm(1),  kxd(8)
+
+ KTH-KRB                      September 27, 1996                             1
diff --git a/crypto/heimdal/appl/kx/kx.h b/crypto/heimdal/appl/kx/kx.h
new file mode 100644
index 0000000..fdda414
--- /dev/null
+++ b/crypto/heimdal/appl/kx/kx.h
@@ -0,0 +1,259 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: kx.h,v 1.38 2000/02/06 05:52:03 assar Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif /* HAVE_CONFIG_H */
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <errno.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_TCP_H
+#include <netinet/tcp.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_SYS_UN_H
+#include <sys/un.h>
+#endif
+#include <X11/X.h>
+#include <X11/Xlib.h>
+#include <X11/Xauth.h>
+
+#ifdef HAVE_SYS_STREAM_H
+#include <sys/stream.h>
+#endif
+#ifdef HAVE_SYS_STROPTS_H
+#include <sys/stropts.h>
+#endif
+
+/* as far as we know, this is only used with later versions of Slowlaris */
+#if SunOS >= 50 && defined(HAVE_SYS_STROPTS_H) && defined(HAVE_FATTACH) && defined(I_PUSH)
+#define MAY_HAVE_X11_PIPES
+#endif
+
+#ifdef SOCKS
+#include <socks.h>
+/* This doesn't belong here. */
+struct tm *localtime(const time_t *);
+struct hostent  *gethostbyname(const char *);
+#endif
+
+#ifdef KRB4
+#include <krb.h>
+#include <prot.h>
+#endif
+#ifdef KRB5
+#include <krb5.h>
+#endif
+
+#include <err.h>
+#include <getarg.h>
+#include <roken.h>
+
+struct x_socket {
+    char *pathname;
+    int fd;
+    enum {
+	LISTENP     = 0x80,
+	TCP         = LISTENP | 1,
+	UNIX_SOCKET = LISTENP | 2,
+	STREAM_PIPE = 3
+    } flags;
+};
+
+extern char x_socket[];
+extern u_int32_t display_num;
+extern char display[];
+extern int display_size;
+extern char xauthfile[];
+extern int xauthfile_size;
+extern u_char cookie[];
+extern size_t cookie_len;
+
+int get_xsockets (int *number, struct x_socket **sockets, int tcpp);
+int chown_xsockets (int n, struct x_socket *sockets, uid_t uid, gid_t gid);
+
+int connect_local_xsocket (unsigned dnr);
+int create_and_write_cookie (char *xauthfile,
+			     size_t size,
+			     u_char *cookie,
+			     size_t sz);
+int verify_and_remove_cookies (int fd, int sock, int cookiesp);
+int replace_cookie(int xserver, int fd, char *filename, int cookiesp);
+
+int suspicious_address (int sock, struct sockaddr_in addr);
+
+#define KX_PORT 2111
+
+#define KX_OLD_VERSION "KXSERV.1"
+#define KX_VERSION "KXSERV.2"
+
+#define COOKIE_TYPE "MIT-MAGIC-COOKIE-1"
+
+enum { INIT = 0, ACK = 1, NEW_CONN = 2, ERROR = 3 };
+
+enum kx_flags { PASSIVE = 1, KEEP_ALIVE = 2 };
+
+typedef enum kx_flags kx_flags;
+
+struct kx_context {
+    int (*authenticate)(struct kx_context *kc, int s);
+    int (*userok)(struct kx_context *kc, char *user);
+    ssize_t (*read)(struct kx_context *kc,
+		    int fd, void *buf, size_t len);
+    ssize_t (*write)(struct kx_context *kc,
+		     int fd, const void *buf, size_t len);
+    int (*copy_encrypted)(struct kx_context *kc,
+			  int fd1, int fd2);
+    void (*destroy)(struct kx_context *kc);
+    const char *host;
+    const char *user;
+    int port;
+    int debug_flag;
+    int keepalive_flag;
+    int tcp_flag;
+    struct sockaddr_in thisaddr, thataddr;
+    void *data;
+};
+
+typedef struct kx_context kx_context;
+
+void
+context_set (kx_context *kc, const char *host, const char *user, int port,
+	     int debug_flag, int keepalive_flag, int tcp_flag);
+
+void
+context_destroy (kx_context *kc);
+
+int
+context_authenticate (kx_context *kc, int s);
+
+int
+context_userok (kx_context *kc, char *user);
+
+ssize_t
+kx_read (kx_context *kc, int fd, void *buf, size_t len);
+
+ssize_t
+kx_write (kx_context *kc, int fd, const void *buf, size_t len);
+
+int
+copy_encrypted (kx_context *kc, int fd1, int fd2);
+
+#ifdef KRB4
+
+void
+krb4_make_context (kx_context *c);
+
+int
+recv_v4_auth (kx_context *kc, int sock, u_char *buf);
+
+#endif
+
+#ifdef KRB5
+
+void
+krb5_make_context (kx_context *c);
+
+int
+recv_v5_auth (kx_context *kc, int sock, u_char *buf);
+
+#endif
+
+void
+fatal (kx_context *kc, int fd, char *format, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 3, 4)))
+#endif
+;
+
+#ifndef KRB4
+
+int
+krb_get_int(void *f, u_int32_t *to, int size, int lsb);
+
+int
+krb_put_int(u_int32_t from, void *to, size_t rem, int size);
+
+#endif
diff --git a/crypto/heimdal/appl/kx/kxd.8 b/crypto/heimdal/appl/kx/kxd.8
new file mode 100644
index 0000000..04b7db5
--- /dev/null
+++ b/crypto/heimdal/appl/kx/kxd.8
@@ -0,0 +1,53 @@
+.\" $Id: kxd.8,v 1.5 2001/01/11 16:16:26 assar Exp $
+.\"
+.Dd September 27, 1996
+.Dt KXD 8
+.Os KTH-KRB
+.Sh NAME
+.Nm kxd
+.Nd
+securely forward X conections
+.Sh SYNOPSIS
+.Ar kxd
+.Op Fl t
+.Op Fl i
+.Op Fl p Ar port
+.Sh DESCRIPTION
+This is the daemon for
+.Nm kx .
+.Pp
+Options supported by
+.Nm kxd :
+.Bl -tag -width Ds
+.It Fl t
+TCP.  Normally
+.Nm kxd
+will only listen for X connections on a UNIX socket, but some machines
+(for example, Cray) have X libraries that are not able to use UNIX
+sockets and thus you need to use TCP to talk to the pseudo-xserver
+created by
+.Nm kxd.
+This option decreases the security significantly and should only be
+used when it is necessary and you have considered the consequences of
+doing so.
+.It Fl i
+Interactive.  Do not expect to be started by
+.Nm inetd,
+but allocate and listen to the socket yourself.  Handy for testing
+and debugging.
+.It Fl p
+Port.  Listen on the port
+.Ar port .
+Only usable with
+.Fl i .
+.El
+.Sh EXAMPLES
+Put the following in
+.Pa /etc/inetd.conf :
+.Bd -literal
+kx	stream	tcp	nowait	root	/usr/athena/libexec/kxd	kxd
+.Ed
+.Sh SEE ALSO
+.Xr kx 1 ,
+.Xr rxtelnet 1 ,
+.Xr rxterm 1
diff --git a/crypto/heimdal/appl/kx/kxd.c b/crypto/heimdal/appl/kx/kxd.c
new file mode 100644
index 0000000..65f6165
--- /dev/null
+++ b/crypto/heimdal/appl/kx/kxd.c
@@ -0,0 +1,754 @@
+/*
+ * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kx.h"
+
+RCSID("$Id: kxd.c,v 1.69 2001/02/20 01:44:45 assar Exp $");
+
+static pid_t wait_on_pid = -1;
+static int   done        = 0;
+
+/*
+ * Signal handler that justs waits for the children when they die.
+ */
+
+static RETSIGTYPE
+childhandler (int sig)
+{
+     pid_t pid;
+     int status;
+
+     do { 
+       pid = waitpid (-1, &status, WNOHANG|WUNTRACED);
+       if (pid > 0 && pid == wait_on_pid)
+	   done = 1;
+     } while(pid > 0);
+     signal (SIGCHLD, childhandler);
+     SIGRETURN(0);
+}
+
+/*
+ * Print the error message `format' and `...' on fd and die.
+ */
+
+void
+fatal (kx_context *kc, int fd, char *format, ...)
+{
+    u_char msg[1024];
+    u_char *p;
+    va_list args;
+    int len;
+
+    va_start(args, format);
+    p = msg;
+    *p++ = ERROR;
+    vsnprintf ((char *)p + 4, sizeof(msg) - 5, format, args);
+    syslog (LOG_ERR, "%s", (char *)p + 4);
+    len = strlen ((char *)p + 4);
+    p += KRB_PUT_INT (len, p, 4, 4);
+    p += len;
+    kx_write (kc, fd, msg, p - msg);
+    va_end(args);
+    exit (1);
+}
+
+/*
+ * Remove all sockets and cookie files.
+ */
+
+static void
+cleanup(int nsockets, struct x_socket *sockets)
+{
+    int i;
+
+    if(xauthfile[0])
+	unlink(xauthfile);
+    for (i = 0; i < nsockets; ++i) {
+	if (sockets[i].pathname != NULL) {
+	    unlink (sockets[i].pathname);
+	    free (sockets[i].pathname);
+	}
+    }
+}
+
+/*
+ * Prepare to receive a connection on `sock'.
+ */
+
+static int
+recv_conn (int sock, kx_context *kc,
+	   int *dispnr, int *nsockets, struct x_socket **sockets,
+	   int tcp_flag)
+{
+     u_char msg[1024], *p;
+     char user[256];
+     socklen_t addrlen;
+     struct passwd *passwd;
+     struct sockaddr_in thisaddr, thataddr;
+     char remotehost[MaxHostNameLen];
+     char remoteaddr[INET6_ADDRSTRLEN];
+     int ret = 1;
+     int flags;
+     int len;
+     u_int32_t tmp32;
+
+     addrlen = sizeof(thisaddr);
+     if (getsockname (sock, (struct sockaddr *)&thisaddr, &addrlen) < 0 ||
+	 addrlen != sizeof(thisaddr)) {
+	 syslog (LOG_ERR, "getsockname: %m");
+	 exit (1);
+     }
+     addrlen = sizeof(thataddr);
+     if (getpeername (sock, (struct sockaddr *)&thataddr, &addrlen) < 0 ||
+	 addrlen != sizeof(thataddr)) {
+	 syslog (LOG_ERR, "getpeername: %m");
+	 exit (1);
+     }
+
+     kc->thisaddr = thisaddr;
+     kc->thataddr = thataddr;
+
+     getnameinfo_verified ((struct sockaddr *)&thataddr, addrlen,
+			   remotehost, sizeof(remotehost),
+			   NULL, 0, 0);
+
+     if (net_read (sock, msg, 4) != 4) {
+	 syslog (LOG_ERR, "read: %m");
+	 exit (1);
+     }
+
+#ifdef KRB5
+     if (ret && recv_v5_auth (kc, sock, msg) == 0)
+	 ret = 0;
+#endif
+#ifdef KRB4
+     if (ret && recv_v4_auth (kc, sock, msg) == 0)
+	 ret = 0;
+#endif
+     if (ret) {
+	 syslog (LOG_ERR, "unrecognized auth protocol: %x %x %x %x",
+		 msg[0], msg[1], msg[2], msg[3]);
+	 exit (1);
+     }
+
+     len = kx_read (kc, sock, msg, sizeof(msg));
+     if (len < 0) {
+	 syslog (LOG_ERR, "kx_read failed");
+	 exit (1);
+     }
+     p = (u_char *)msg;
+     if (*p != INIT)
+	 fatal(kc, sock, "Bad message");
+     p++;
+     p += krb_get_int (p, &tmp32, 4, 0);
+     len = min(sizeof(user), tmp32);
+     memcpy (user, p, len);
+     p += tmp32;
+     user[len] = '\0';
+
+     passwd = k_getpwnam (user);
+     if (passwd == NULL)
+	 fatal (kc, sock, "cannot find uid for %s", user);
+
+     if (context_userok (kc, user) != 0)
+	 fatal (kc, sock, "%s not allowed to login as %s",
+		kc->user, user);
+
+     flags = *p++;
+
+     if (flags & PASSIVE) {
+	 pid_t pid;
+	 int tmp;
+
+	 tmp = get_xsockets (nsockets, sockets, tcp_flag);
+	 if (tmp < 0) {
+	     fatal (kc, sock, "Cannot create X socket(s): %s",
+		    strerror(errno));
+	 }
+	 *dispnr = tmp;
+
+	 if (chown_xsockets (*nsockets, *sockets,
+			    passwd->pw_uid, passwd->pw_gid)) {
+	     cleanup (*nsockets, *sockets);
+	     fatal (kc, sock, "Cannot chown sockets: %s",
+		    strerror(errno));
+	 }
+
+	 pid = fork();
+	 if (pid == -1) {
+	     cleanup (*nsockets, *sockets);
+	     fatal (kc, sock, "fork: %s", strerror(errno));
+	 } else if (pid != 0) {
+	     wait_on_pid = pid;
+	     while (!done)
+		 pause ();
+	     cleanup (*nsockets, *sockets);
+	     exit (0);
+	 }
+     }
+
+     if (setgid (passwd->pw_gid) ||
+	 initgroups(passwd->pw_name, passwd->pw_gid) ||
+#ifdef HAVE_GETUDBNAM /* XXX this happens on crays */
+	 setjob(passwd->pw_uid, 0) == -1 ||
+#endif
+	 setuid(passwd->pw_uid)) {
+	 syslog(LOG_ERR, "setting uid/groups: %m");
+	 fatal (kc, sock, "cannot set uid");
+     }
+     inet_ntop (thataddr.sin_family,
+		&thataddr.sin_addr, remoteaddr, sizeof(remoteaddr));
+
+     syslog (LOG_INFO, "from %s(%s): %s -> %s",
+	     remotehost, remoteaddr,
+	     kc->user, user);
+     umask(077);
+     if (!(flags & PASSIVE)) {
+	 p += krb_get_int (p, &tmp32, 4, 0);
+	 len = min(tmp32, display_size);
+	 memcpy (display, p, len);
+	 display[len] = '\0';
+	 p += tmp32;
+	 p += krb_get_int (p, &tmp32, 4, 0);
+	 len = min(tmp32, xauthfile_size);
+	 memcpy (xauthfile, p, len);
+	 xauthfile[len] = '\0';
+	 p += tmp32;
+     }
+#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
+     if (flags & KEEP_ALIVE) {
+	 int one = 1;
+
+	 setsockopt (sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&one,
+		     sizeof(one));
+     }
+#endif
+     return flags;
+}
+
+/*
+ *
+ */
+
+static int
+passive_session (kx_context *kc, int fd, int sock, int cookiesp)
+{
+    if (verify_and_remove_cookies (fd, sock, cookiesp))
+	return 1;
+    else
+	return copy_encrypted (kc, fd, sock);
+}
+
+/*
+ *
+ */
+
+static int
+active_session (kx_context *kc, int fd, int sock, int cookiesp)
+{
+    fd = connect_local_xsocket(0);
+
+    if (replace_cookie (fd, sock, xauthfile, cookiesp))
+	return 1;
+    else
+	return copy_encrypted (kc, fd, sock);
+}
+
+/*
+ * Handle a new connection.
+ */
+
+static int
+doit_conn (kx_context *kc,
+	   int fd, int meta_sock, int flags, int cookiesp)
+{
+    int sock, sock2;
+    struct sockaddr_in addr;
+    struct sockaddr_in thisaddr;
+    socklen_t addrlen;
+    u_char msg[1024], *p;
+
+    sock = socket (AF_INET, SOCK_STREAM, 0);
+    if (sock < 0) {
+	syslog (LOG_ERR, "socket: %m");
+	return 1;
+    }
+#if defined(TCP_NODELAY) && defined(HAVE_SETSOCKOPT)
+    {
+	int one = 1;
+	setsockopt (sock, IPPROTO_TCP, TCP_NODELAY, (void *)&one, sizeof(one));
+    }
+#endif
+#if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
+     if (flags & KEEP_ALIVE) {
+	 int one = 1;
+
+	 setsockopt (sock, SOL_SOCKET, SO_KEEPALIVE, (void *)&one,
+		     sizeof(one));
+     }
+#endif
+    memset (&addr, 0, sizeof(addr));
+    addr.sin_family = AF_INET;
+    if (bind (sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
+	syslog (LOG_ERR, "bind: %m");
+	return 1;
+    }
+    addrlen = sizeof(addr);
+    if (getsockname (sock, (struct sockaddr *)&addr, &addrlen) < 0) {
+	syslog (LOG_ERR, "getsockname: %m");
+	return 1;
+    }
+    if (listen (sock, SOMAXCONN) < 0) {
+	syslog (LOG_ERR, "listen: %m");
+	return 1;
+    }
+    p = msg;
+    *p++ = NEW_CONN;
+    p += KRB_PUT_INT (ntohs(addr.sin_port), p, 4, 4);
+
+    if (kx_write (kc, meta_sock, msg, p - msg) < 0) {
+	syslog (LOG_ERR, "write: %m");
+	return 1;
+    }
+
+    addrlen = sizeof(thisaddr);
+    sock2 = accept (sock, (struct sockaddr *)&thisaddr, &addrlen);
+    if (sock2 < 0) {
+	syslog (LOG_ERR, "accept: %m");
+	return 1;
+    }
+    close (sock);
+    close (meta_sock);
+
+    if (flags & PASSIVE)
+	return passive_session (kc, fd, sock2, cookiesp);
+    else
+	return active_session (kc, fd, sock2, cookiesp);
+}
+
+/*
+ *  Is the current user the owner of the console?
+ */
+
+static void
+check_user_console (kx_context *kc, int fd)
+{
+     struct stat sb;
+
+     if (stat ("/dev/console", &sb) < 0)
+	 fatal (kc, fd, "Cannot stat /dev/console: %s", strerror(errno));
+     if (getuid() != sb.st_uid)
+	 fatal (kc, fd, "Permission denied");
+}
+
+/* close down the new connection with a reasonable error message */
+static void
+close_connection(int fd, const char *message)
+{
+    char buf[264]; /* max message */
+    char *p;
+    int lsb = 0;
+    size_t mlen;
+
+    mlen = strlen(message);
+    if(mlen > 255)
+	mlen = 255;
+    
+    /* read first part of connection packet, to get byte order */
+    if(read(fd, buf, 6) != 6) {
+	close(fd);
+	return;
+    }
+    if(buf[0] == 0x6c)
+	lsb++;
+    p = buf;
+    *p++ = 0;				/* failed */
+    *p++ = mlen;			/* length of message */
+    p += 4;				/* skip protocol version */
+    p += 2;				/* skip additional length */
+    memcpy(p, message, mlen);		/* copy message */
+    p += mlen;
+    while((p - buf) % 4)		/* pad to multiple of 4 bytes */
+	*p++ = 0;
+	
+    /* now fill in length of additional data */
+    if(lsb) { 
+	buf[6] = (p - buf - 8) / 4;
+	buf[7] = 0;
+    }else{
+	buf[6] = 0;
+	buf[7] = (p - buf - 8) / 4;
+    }
+    write(fd, buf, p - buf);
+    close(fd);
+}
+
+
+/*
+ * Handle a passive session on `sock'
+ */
+
+static int
+doit_passive (kx_context *kc,
+	      int sock,
+	      int flags,
+	      int dispnr,
+	      int nsockets,
+	      struct x_socket *sockets,
+	      int tcp_flag)
+{
+    int tmp;
+    int len;
+    size_t rem;
+    u_char msg[1024], *p;
+    int error;
+
+    display_num = dispnr;
+    if (tcp_flag)
+	snprintf (display, display_size, "localhost:%u", display_num);
+    else
+	snprintf (display, display_size, ":%u", display_num);
+    error = create_and_write_cookie (xauthfile, xauthfile_size, 
+				     cookie, cookie_len);
+    if (error) {
+	cleanup(nsockets, sockets);
+	fatal (kc, sock, "Cookie-creation failed: %s", strerror(error));
+	return 1;
+    }
+
+    p = msg;
+    rem = sizeof(msg);
+    *p++ = ACK;
+    --rem;
+
+    len = strlen (display);
+    tmp = KRB_PUT_INT (len, p, rem, 4);
+    if (tmp < 0 || rem < len + 4) {
+	syslog (LOG_ERR, "doit: buffer too small");
+	cleanup(nsockets, sockets);
+	return 1;
+    }
+    p += tmp;
+    rem -= tmp;
+
+    memcpy (p, display, len);
+    p += len;
+    rem -= len;
+
+    len = strlen (xauthfile);
+    tmp = KRB_PUT_INT (len, p, rem, 4);
+    if (tmp < 0 || rem < len + 4) {
+	syslog (LOG_ERR, "doit: buffer too small");
+	cleanup(nsockets, sockets);
+	return 1;
+    }
+    p += tmp;
+    rem -= tmp;
+
+    memcpy (p, xauthfile, len);
+    p += len;
+    rem -= len;
+	  
+    if(kx_write (kc, sock, msg, p - msg) < 0) {
+	syslog (LOG_ERR, "write: %m");
+	cleanup(nsockets, sockets);
+	return 1;
+    }
+    for (;;) {
+	pid_t child;
+	int fd = -1;
+	fd_set fds;
+	int i;
+	int ret;
+	int cookiesp = TRUE;
+	       
+	FD_ZERO(&fds);
+	if (sock >= FD_SETSIZE) {
+	    syslog (LOG_ERR, "fd too large");
+	    cleanup(nsockets, sockets);
+	    return 1;
+	}
+
+	FD_SET(sock, &fds);
+	for (i = 0; i < nsockets; ++i) {
+	    if (sockets[i].fd >= FD_SETSIZE) {
+		syslog (LOG_ERR, "fd too large");
+		cleanup(nsockets, sockets);
+		return 1;
+	    }
+	    FD_SET(sockets[i].fd, &fds);
+	}
+	ret = select(FD_SETSIZE, &fds, NULL, NULL, NULL);
+	if(ret <= 0)
+	    continue;
+	if(FD_ISSET(sock, &fds)){
+	    /* there are no processes left on the remote side
+	     */
+	    cleanup(nsockets, sockets);
+	    exit(0);
+	} else if(ret) {
+	    for (i = 0; i < nsockets; ++i) {
+		if (FD_ISSET(sockets[i].fd, &fds)) {
+		    if (sockets[i].flags == TCP) {
+			struct sockaddr_in peer;
+			socklen_t len = sizeof(peer);
+
+			fd = accept (sockets[i].fd,
+				     (struct sockaddr *)&peer,
+				     &len);
+			if (fd < 0 && errno != EINTR)
+			    syslog (LOG_ERR, "accept: %m");
+
+			/* XXX */
+			if (fd >= 0 && suspicious_address (fd, peer)) {
+			    close (fd);
+			    fd = -1;
+			    errno = EINTR;
+			}
+		    } else if(sockets[i].flags == UNIX_SOCKET) {
+			socklen_t zero = 0;
+
+			fd = accept (sockets[i].fd, NULL, &zero);
+
+			if (fd < 0 && errno != EINTR)
+			    syslog (LOG_ERR, "accept: %m");
+#ifdef MAY_HAVE_X11_PIPES
+		    } else if(sockets[i].flags == STREAM_PIPE) {
+			/*
+			 * this code tries to handle the
+			 * send fd-over-pipe stuff for
+			 * solaris
+			 */
+
+			struct strrecvfd strrecvfd;
+
+			ret = ioctl (sockets[i].fd,
+				     I_RECVFD, &strrecvfd);
+			if (ret < 0 && errno != EINTR) {
+			    syslog (LOG_ERR, "ioctl I_RECVFD: %m");
+			}
+
+			/* XXX */
+			if (ret == 0) {
+			    if (strrecvfd.uid != getuid()) {
+				close (strrecvfd.fd);
+				fd = -1;
+				errno = EINTR;
+			    } else {
+				fd = strrecvfd.fd;
+				cookiesp = FALSE;
+			    }
+			}
+#endif /* MAY_HAVE_X11_PIPES */
+		    } else
+			abort ();
+		    break;
+		}
+	    }
+	}
+	if (fd < 0) {
+	    if (errno == EINTR)
+		continue;
+	    else
+		return 1;
+	}
+
+	child = fork ();
+	if (child < 0) {
+	    syslog (LOG_ERR, "fork: %m");
+	    if(errno != EAGAIN)
+		return 1;
+	    close_connection(fd, strerror(errno));
+	} else if (child == 0) {
+	    for (i = 0; i < nsockets; ++i)
+		close (sockets[i].fd);
+	    return doit_conn (kc, fd, sock, flags, cookiesp);
+	} else {
+	    close (fd);
+	}
+    }
+}
+
+/*
+ * Handle an active session on `sock'
+ */
+
+static int
+doit_active (kx_context *kc,
+	     int sock,
+	     int flags,
+	     int tcp_flag)
+{
+    u_char msg[1024], *p;
+
+    check_user_console (kc, sock);
+
+    p = msg;
+    *p++ = ACK;
+	  
+    if(kx_write (kc, sock, msg, p - msg) < 0) {
+	syslog (LOG_ERR, "write: %m");
+	return 1;
+    }
+    for (;;) {
+	pid_t child;
+	int len;
+	      
+	len = kx_read (kc, sock, msg, sizeof(msg));
+	if (len < 0) {
+	    syslog (LOG_ERR, "read: %m");
+	    return 1;
+	}
+	p = (u_char *)msg;
+	if (*p != NEW_CONN) {
+	    syslog (LOG_ERR, "bad_message: %d", *p);
+	    return 1;
+	}
+
+	child = fork ();
+	if (child < 0) {
+	    syslog (LOG_ERR, "fork: %m");
+	    if (errno != EAGAIN)
+		return 1;
+	} else if (child == 0) {
+	    return doit_conn (kc, sock, sock, flags, 1);
+	} else {
+	}
+    }
+}
+
+/*
+ * Receive a connection on `sock' and process it.
+ */
+
+static int
+doit(int sock, int tcp_flag)
+{
+    int ret;
+    kx_context context;
+    int dispnr;
+    int nsockets;
+    struct x_socket *sockets;
+    int flags;
+
+    flags = recv_conn (sock, &context, &dispnr, &nsockets, &sockets, tcp_flag);
+
+    if (flags & PASSIVE)
+	ret = doit_passive (&context, sock, flags, dispnr,
+			    nsockets, sockets, tcp_flag);
+    else
+	ret = doit_active (&context, sock, flags, tcp_flag);
+    context_destroy (&context);
+    return ret;
+}
+
+static char *port_str		= NULL;
+static int inetd_flag		= 1;
+static int tcp_flag		= 0;
+static int version_flag		= 0;
+static int help_flag		= 0;
+
+struct getargs args[] = {
+    { "inetd",		'i',	arg_negative_flag,	&inetd_flag,
+      "Not started from inetd" },
+    { "tcp",		't',	arg_flag,	&tcp_flag,	"Use TCP" },
+    { "port",		'p',	arg_string,	&port_str,	"Use this port",
+      "port" },
+    { "version",	0, 	arg_flag,		&version_flag },
+    { "help",		0, 	arg_flag,		&help_flag }
+};
+
+static void
+usage(int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "host");
+    exit (ret);
+}
+
+/*
+ * kxd - receive a forwarded X conncection
+ */
+
+int
+main (int argc, char **argv)
+{
+    int port;
+    int optind = 0;
+
+    setprogname (argv[0]);
+    roken_openlog ("kxd", LOG_ODELAY | LOG_PID, LOG_DAEMON);
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+
+    if (help_flag)
+	usage (0);
+
+    if (version_flag) {
+	print_version (NULL);
+	return 0;
+    }
+
+    if(port_str) {
+	struct servent *s = roken_getservbyname (port_str, "tcp");
+
+	if (s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    } else {
+#if defined(KRB5)
+	port = krb5_getportbyname(NULL, "kx", "tcp", KX_PORT);
+#elif defined(KRB4)
+	port = k_getportbyname ("kx", "tcp", htons(KX_PORT));
+#else
+#error define KRB4 or KRB5
+#endif
+    }
+
+    if (!inetd_flag)
+	mini_inetd (port);
+
+     signal (SIGCHLD, childhandler);
+     return doit(STDIN_FILENO, tcp_flag);
+}
diff --git a/crypto/heimdal/appl/kx/kxd.cat8 b/crypto/heimdal/appl/kx/kxd.cat8
new file mode 100644
index 0000000..e033cee
--- /dev/null
+++ b/crypto/heimdal/appl/kx/kxd.cat8
@@ -0,0 +1,37 @@
+
+KXD(8)                   UNIX System Manager's Manual                   KXD(8)
+
+NNAAMMEE
+     kkxxdd - securely forward X conections
+
+SSYYNNOOPPSSIISS
+     _k_x_d [--tt] [--ii] [--pp _p_o_r_t]
+
+DDEESSCCRRIIPPTTIIOONN
+     This is the daemon for kkxx.
+
+     Options supported by kkxxdd:
+
+     --tt      TCP.  Normally kkxxdd will only listen for X connections on a UNIX
+             socket, but some machines (for example, Cray) have X libraries
+             that are not able to use UNIX sockets and thus you need to use
+             TCP to talk to the pseudo-xserver created by kkxxdd.. This option de-
+             creases the security significantly and should only be used when
+             it is necessary and you have considered the consequences of doing
+             so.
+
+     --ii      Interactive.  Do not expect to be started by iinneettdd,, but allocate
+             and listen to the socket yourself.  Handy for testing and debug-
+             ging.
+
+     --pp      Port.  Listen on the port _p_o_r_t. Only usable with --ii.
+
+EEXXAAMMPPLLEESS
+     Put the following in _/_e_t_c_/_i_n_e_t_d_._c_o_n_f:
+
+     kx      stream  tcp     nowait  root    /usr/athena/libexec/kxd kxd
+
+SSEEEE AALLSSOO
+     kx(1),  rxtelnet(1),  rxterm(1)
+
+ KTH-KRB                      September 27, 1996                             1
diff --git a/crypto/heimdal/appl/kx/rxtelnet.1 b/crypto/heimdal/appl/kx/rxtelnet.1
new file mode 100644
index 0000000..7c37a7a
--- /dev/null
+++ b/crypto/heimdal/appl/kx/rxtelnet.1
@@ -0,0 +1,80 @@
+.\" $Id: rxtelnet.1,v 1.6 2001/01/11 16:16:26 assar Exp $
+.\"
+.Dd September 27, 1996
+.Dt RXTELNET 1
+.Os KTH_KRB
+.Sh NAME
+.Nm rxtelnet
+.Nd
+start a telnet and forward X-connections.
+.Sh SYNOPSIS
+.Nm rxtelnet
+.Op Fl l Ar username
+.Op Fl k
+.Op Fl t Ar telnet_args
+.Op Fl x Ar xterm_args
+.Op Fl w Ar term_emulator
+.Op Fl n
+.Ar host
+.Op Ar port
+.Sh DESCRIPTION
+The
+.Nm
+program starts a
+.Nm xterm
+window with a telnet to host
+.Ar host .
+From this window you will also be able to run X clients that will be
+able to connect securily to your X server. If
+.Ar port
+is given, that port will be used instead of the default.
+.Pp
+The supported options are:
+.Bl -tag -width Ds
+.It Fl l
+Log in on the remote host as user
+.Ar username
+.It Fl k
+Disables keep-alives
+.It Fl t
+Send
+.Ar telnet_args
+as arguments to
+.Nm telnet
+.It Fl x
+Send
+.Ar xterm_args
+as arguments to
+.Nm xterm
+.It Fl w
+Use
+.Ar term_emulator
+instead of xterm.
+.It Fl n
+Do not start any terminal emulator.
+.El
+.Sh EXAMPLE
+To login from host
+.Va foo
+(where your display is)
+to host
+.Va bar ,
+you might do the following.
+.Bl -enum
+.It
+On foo: 
+.Nm
+.Va bar
+.It
+You will get a new window with a
+.Nm telnet
+to
+.Va bar .
+In this window you will be able to start X clients.
+.El
+.Sh SEE ALSO
+.Xr rxterm 1 ,
+.Xr tenletxr 1 ,
+.Xr kx 1 ,
+.Xr kxd 8 ,
+.Xr telnet 1
diff --git a/crypto/heimdal/appl/kx/rxtelnet.cat1 b/crypto/heimdal/appl/kx/rxtelnet.cat1
new file mode 100644
index 0000000..ad3f420
--- /dev/null
+++ b/crypto/heimdal/appl/kx/rxtelnet.cat1
@@ -0,0 +1,43 @@
+
+RXTELNET(1)                  UNIX Reference Manual                 RXTELNET(1)
+
+NNAAMMEE
+     rrxxtteellnneett - start a telnet and forward X-connections.
+
+SSYYNNOOPPSSIISS
+     rrxxtteellnneett [--ll _u_s_e_r_n_a_m_e] [--kk] [--tt _t_e_l_n_e_t___a_r_g_s] [--xx _x_t_e_r_m___a_r_g_s] [--ww
+              _t_e_r_m___e_m_u_l_a_t_o_r] [--nn] _h_o_s_t [_p_o_r_t]
+
+DDEESSCCRRIIPPTTIIOONN
+     The rrxxtteellnneett program starts a xxtteerrmm window with a telnet to host _h_o_s_t.
+     From this window you will also be able to run X clients that will be able
+     to connect securily to your X server. If _p_o_r_t is given, that port will be
+     used instead of the default.
+
+     The supported options are:
+
+     --ll      Log in on the remote host as user _u_s_e_r_n_a_m_e
+
+     --kk      Disables keep-alives
+
+     --tt      Send _t_e_l_n_e_t___a_r_g_s as arguments to tteellnneett
+
+     --xx      Send _x_t_e_r_m___a_r_g_s as arguments to xxtteerrmm
+
+     --ww      Use _t_e_r_m___e_m_u_l_a_t_o_r instead of xterm.
+
+     --nn      Do not start any terminal emulator.
+
+EEXXAAMMPPLLEE
+     To login from host _f_o_o (where your display is) to host _b_a_r, you might do
+     the following.
+
+     1.   On foo: rrxxtteellnneett _b_a_r
+
+     2.   You will get a new window with a tteellnneett to _b_a_r. In this window you
+          will be able to start X clients.
+
+SSEEEE AALLSSOO
+     rxterm(1),  tenletxr(1),  kx(1),  kxd(8),  telnet(1)
+
+ KTH_KRB                      September 27, 1996                             1
diff --git a/crypto/heimdal/appl/kx/rxtelnet.in b/crypto/heimdal/appl/kx/rxtelnet.in
new file mode 100644
index 0000000..233f10b
--- /dev/null
+++ b/crypto/heimdal/appl/kx/rxtelnet.in
@@ -0,0 +1,63 @@
+#!/bin/sh
+# $Id: rxtelnet.in,v 1.26 1999/02/04 21:19:50 assar Exp $
+#
+usage="Usage: $0 [-l username] [-k] [-t args_to_telnet] [-x args_to_xterm] [-w term_emulator] [-n] [-v] [-h | --help] [--version] host [port]"
+term=
+kx_args=-P
+while true
+do
+  case $1 in
+  -l) telnet_args="${telnet_args} -l $2 "; kx_args="${kx_args} -l $2"; title="${2}@"; shift 2;;
+  -t) telnet_args="${telnet_args} $2 "; shift 2;;
+  -x) xterm_args="${xterm_args} $2 "; shift 2;;
+  -k) kx_args="${kx_args} -k"; shift;;
+  -n) term=none; shift;;
+  -w) term=$2; shift 2;;
+  --version) echo "$0: %PACKAGE% %VERSION%"; exit 0;;
+  -h) echo $usage; exit 0;;
+  --help) echo $usage; exit 0;;
+  -v) set -x; verb=1; shift;;
+  -*) echo "$0: Bad option $1"; echo $usage; exit 1;;
+  *) break;;
+  esac
+done
+if test $# -lt 1; then
+  echo $usage
+  exit 1
+fi
+host=$1
+port=$2
+title="${title}${host}"
+bindir=%bindir%
+pdc_trams=`dirname $0`
+PATH=$pdc_trams:$bindir:$PATH
+export PATH
+set -- `kx $kx_args $host`
+if test $# -ne 3; then
+  exit 1
+fi
+screen=`echo $DISPLAY | sed -ne 's/[^:]*:[0-9]*\(\.[0-9]*\)/\1/p'`
+pid=$1
+disp=${2}${screen}
+auth=$3
+oldifs=$IFS
+IFS=:
+set -- $PATH
+IFS=$oldifs
+if test -z "$term"; then
+  for j in xterm dtterm aixterm dxterm hpterm; do
+    for i in $*; do
+      test -n "$i" || i="."
+      if test -x $i/$j; then
+	term=$j; break 2
+      fi
+    done
+  done
+fi
+test "$verb" && echo "Telnet command used is `type telnet`."
+if test -n "$term" -a "$term" != "none"; then
+  ($term -title $title -n $title $xterm_args -e env DISPLAY=$disp XAUTHORITY=$auth telnet -D $telnet_args $host $port; kill -USR2 $pid) &
+else
+  env DISPLAY=$disp XAUTHORITY=$auth telnet -D $telnet_args $host $port
+  kill -USR2 $pid
+fi
diff --git a/crypto/heimdal/appl/kx/rxterm.1 b/crypto/heimdal/appl/kx/rxterm.1
new file mode 100644
index 0000000..e8dd0c8
--- /dev/null
+++ b/crypto/heimdal/appl/kx/rxterm.1
@@ -0,0 +1,77 @@
+.\" $Id: rxterm.1,v 1.4 1997/06/03 00:58:23 assar Exp $
+.\"
+.Dd September 27, 1996
+.Dt RXTERM 1
+.Os KTH_KRB
+.Sh NAME
+.Nm rxterm
+.Nd
+start a secure remote xterm
+.Sh SYNOPSIS
+.Nm rxterm
+.Op Fl l Ar username
+.Op Fl k
+.Op Fl r Ar rsh_args
+.Op Fl x Ar xterm_args
+.Op Fl w Ar term_emulator
+.Ar host
+.Op Ar port
+.Sh DESCRIPTION
+The
+.Nm
+program starts a
+.Nm xterm
+window on host
+.Ar host .
+From this window you will also be able to run X clients that will be
+able to connect securily to your X server. If
+.Ar port
+is given, that port will be used instead of the default.
+.Pp
+The supported options are:
+.Bl -tag -width Ds
+.It Fl l
+Log in on the remote host as user
+.Ar username
+.It Fl k
+Disable keep-alives
+.It Fl r
+Send
+.Ar rsh_args
+as arguments to
+.Nm rsh
+.It Fl x
+Send
+.Ar xterm_args
+as arguments to
+.Nm xterm
+.It Fl w
+Use
+.Ar term_emulator
+instead of xterm.
+.El
+.Sh EXAMPLE
+To login from host
+.Va foo
+(where your display is)
+to host
+.Va bar ,
+you might do the following.
+.Bl -enum
+.It
+On foo: 
+.Nm
+.Va bar
+.It
+You will get a new window running an
+.Nm xterm
+on host
+.Va bar .
+In this window you will be able to start X clients.
+.El
+.Sh SEE ALSO
+.Xr rxtelnet 1 ,
+.Xr tenletxr 1 ,
+.Xr kx 1 ,
+.Xr kxd 8 ,
+.Xr rsh 1
diff --git a/crypto/heimdal/appl/kx/rxterm.cat1 b/crypto/heimdal/appl/kx/rxterm.cat1
new file mode 100644
index 0000000..56eec66
--- /dev/null
+++ b/crypto/heimdal/appl/kx/rxterm.cat1
@@ -0,0 +1,41 @@
+
+RXTERM(1)                    UNIX Reference Manual                   RXTERM(1)
+
+NNAAMMEE
+     rrxxtteerrmm - start a secure remote xterm
+
+SSYYNNOOPPSSIISS
+     rrxxtteerrmm [--ll _u_s_e_r_n_a_m_e] [--kk] [--rr _r_s_h___a_r_g_s] [--xx _x_t_e_r_m___a_r_g_s] [--ww
+            _t_e_r_m___e_m_u_l_a_t_o_r] _h_o_s_t [_p_o_r_t]
+
+DDEESSCCRRIIPPTTIIOONN
+     The rrxxtteerrmm program starts a xxtteerrmm window on host _h_o_s_t. From this window
+     you will also be able to run X clients that will be able to connect se-
+     curily to your X server. If _p_o_r_t is given, that port will be used instead
+     of the default.
+
+     The supported options are:
+
+     --ll      Log in on the remote host as user _u_s_e_r_n_a_m_e
+
+     --kk      Disable keep-alives
+
+     --rr      Send _r_s_h___a_r_g_s as arguments to rrsshh
+
+     --xx      Send _x_t_e_r_m___a_r_g_s as arguments to xxtteerrmm
+
+     --ww      Use _t_e_r_m___e_m_u_l_a_t_o_r instead of xterm.
+
+EEXXAAMMPPLLEE
+     To login from host _f_o_o (where your display is) to host _b_a_r, you might do
+     the following.
+
+     1.   On foo: rrxxtteerrmm _b_a_r
+
+     2.   You will get a new window running an xxtteerrmm on host _b_a_r. In this win-
+          dow you will be able to start X clients.
+
+SSEEEE AALLSSOO
+     rxtelnet(1),  tenletxr(1),  kx(1),  kxd(8),  rsh(1)
+
+ KTH_KRB                      September 27, 1996                             1
diff --git a/crypto/heimdal/appl/kx/rxterm.in b/crypto/heimdal/appl/kx/rxterm.in
new file mode 100644
index 0000000..dab3645
--- /dev/null
+++ b/crypto/heimdal/appl/kx/rxterm.in
@@ -0,0 +1,41 @@
+#!/bin/sh
+# $Id: rxterm.in,v 1.20 1999/02/04 09:29:49 assar Exp $
+#
+usage="Usage: $0 [-l username] [-k] [-r rsh_args] [-x xterm_args] [-w term_emulator] [-v] [-h | --help] [--version] host"
+term=xterm
+while true
+do
+  case $1 in
+  -l) rsh_args="${rsh_args} -l $2 "; kx_args="${kx_args} -l $2"; title="${2}@"; shift 2;;
+  -r) rsh_args="${rsh_args} $2 "; shift 2;;
+  -x) xterm_args="${xterm_args} $2 "; shift 2;;
+  -k) kx_args="${kx_args} -k"; shift;;
+  -w) term=$2; shift 2;;
+  --version) echo "$0: %PACKAGE% %VERSION%"; exit 0;;
+  -h) echo $usage; exit 0;;
+  --help) echo $usage; exit 0;;
+  -v) set -x; shift;;
+  -*) echo "$0: Bad option $1"; echo $usage; exit 1;;
+  *) break;;
+  esac
+done
+if test $# -lt 1; then
+  echo "Usage: $0 host [arguments to $term]"
+  exit 1
+fi
+host=$1
+title="${title}${host}"
+bindir=%bindir%
+pdc_trams=`dirname $0`
+PATH=$pdc_trams:$bindir:$PATH
+export PATH
+set -- `kx $kx_args $host`
+if test $# -ne 3; then
+  exit 1
+fi
+screen=`echo $DISPLAY | sed -ne 's/[^:]*:[0-9]*\(\.[0-9]*\)/\1/p'`
+pid=$1
+disp=${2}${screen}
+auth=$3
+kill -USR1 $pid
+rsh -n $rsh_args $host "/bin/sh -c 'DISPLAY=$disp XAUTHORITY=$auth $term -T $title -n $title $xterm_args </dev/null >/dev/null 2>/dev/null &'"
diff --git a/crypto/heimdal/appl/kx/tenletxr.1 b/crypto/heimdal/appl/kx/tenletxr.1
new file mode 100644
index 0000000..ae7c858
--- /dev/null
+++ b/crypto/heimdal/appl/kx/tenletxr.1
@@ -0,0 +1,61 @@
+.\" $Id: tenletxr.1,v 1.2 1997/03/31 03:43:33 assar Exp $
+.\"
+.Dd March 31, 1997
+.Dt TENLETXR 1
+.Os KTH_KRB
+.Sh NAME
+.Nm tenletxr
+.Nd
+forward X-connections backwards.
+.Sh SYNOPSIS
+.Nm tenletxr
+.Op Fl l Ar username
+.Op Fl k
+.Ar host
+.Op Ar port
+.Sh DESCRIPTION
+The
+.Nm
+program
+enables forwarding of X-connections from this machine to host
+.Ar host .
+If
+.Ar port
+is given, that port will be used instead of the default.
+.Pp
+The supported options are:
+.Bl -tag -width Ds
+.It Fl l
+Log in on the remote host as user
+.Ar username
+.It Fl k
+Disables keep-alives.
+.El
+.Sh EXAMPLE
+To login from host
+.Va foo
+to host
+.Va bar
+(where your display is),
+you might do the following.
+.Bl -enum
+.It
+On foo: 
+.Nm
+.Va bar
+.It
+You will get a new shell where you will be able to start X clients
+that will show their windows on
+.Va bar .
+.El
+.Sh BUGS
+It currently checks if you have permission to run it by checking if
+you own
+.Pa /dev/console
+on the remote host.
+.Sh SEE ALSO
+.Xr rxtelnet 1 ,
+.Xr rxterm 1 ,
+.Xr kx 1 ,
+.Xr kxd 8 ,
+.Xr telnet 1
diff --git a/crypto/heimdal/appl/kx/tenletxr.cat1 b/crypto/heimdal/appl/kx/tenletxr.cat1
new file mode 100644
index 0000000..c1714e7
--- /dev/null
+++ b/crypto/heimdal/appl/kx/tenletxr.cat1
@@ -0,0 +1,37 @@
+
+TENLETXR(1)                  UNIX Reference Manual                 TENLETXR(1)
+
+NNAAMMEE
+     tteennlleettxxrr - forward X-connections backwards.
+
+SSYYNNOOPPSSIISS
+     tteennlleettxxrr [--ll _u_s_e_r_n_a_m_e] [--kk] _h_o_s_t [_p_o_r_t]
+
+DDEESSCCRRIIPPTTIIOONN
+     The tteennlleettxxrr program enables forwarding of X-connections from this ma-
+     chine to host _h_o_s_t. If _p_o_r_t is given, that port will be used instead of
+     the default.
+
+     The supported options are:
+
+     --ll      Log in on the remote host as user _u_s_e_r_n_a_m_e
+
+     --kk      Disables keep-alives.
+
+EEXXAAMMPPLLEE
+     To login from host _f_o_o to host _b_a_r (where your display is), you might do
+     the following.
+
+     1.   On foo: tteennlleettxxrr _b_a_r
+
+     2.   You will get a new shell where you will be able to start X clients
+          that will show their windows on _b_a_r.
+
+BBUUGGSS
+     It currently checks if you have permission to run it by checking if you
+     own _/_d_e_v_/_c_o_n_s_o_l_e on the remote host.
+
+SSEEEE AALLSSOO
+     rxtelnet(1),  rxterm(1),  kx(1),  kxd(8),  telnet(1)
+
+ KTH_KRB                        March 31, 1997                               1
diff --git a/crypto/heimdal/appl/kx/tenletxr.in b/crypto/heimdal/appl/kx/tenletxr.in
new file mode 100644
index 0000000..5c05dc9
--- /dev/null
+++ b/crypto/heimdal/appl/kx/tenletxr.in
@@ -0,0 +1,37 @@
+#!/bin/sh
+# $Id: tenletxr.in,v 1.3 1999/02/04 09:29:59 assar Exp $
+#
+usage="Usage: $0 [-l username] [-k] [-v] [-h | --help] [--version] host [port]"
+while true
+do
+  case $1 in
+  -l) kx_args="${kx_args} -l $2"; shift 2;;
+  -k) kx_args="${kx_args} -k"; shift;;
+  --version) echo "$0: %PACKAGE% %VERSION%"; exit 0;;
+  -h) echo $usage; exit 0;;
+  --help) echo $usage; exit 0;;
+  -v) set -x; shift;;
+  -*) echo "$0: Bad option $1"; echo $usage; exit 1;;
+  *) break;;
+  esac
+done
+if test $# -lt 1; then
+  echo $usage
+  exit 1
+fi
+host=$1
+port=$2
+bindir=%bindir%
+pdc_trams=`dirname $0`
+PATH=$pdc_trams:$bindir:$PATH
+export PATH
+set -- `kx $kx_args $host`
+if test $# -ne 3; then
+  exit 1
+fi
+screen=`echo $DISPLAY | sed -ne 's/[^:]*:[0-9]*\(\.[0-9]*\)/\1/p'`
+pid=$1
+disp=${2}${screen}
+auth=$3
+env DISPLAY=$disp XAUTHORITY=$auth $SHELL
+kill -USR2 $pid
diff --git a/crypto/heimdal/appl/kx/writeauth.c b/crypto/heimdal/appl/kx/writeauth.c
new file mode 100644
index 0000000..11dc72d
--- /dev/null
+++ b/crypto/heimdal/appl/kx/writeauth.c
@@ -0,0 +1,73 @@
+/* $XConsortium: AuWrite.c,v 1.6 94/04/17 20:15:45 gildea Exp $ */
+
+/*
+
+Copyright (c) 1988  X Consortium
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
+X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
+AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+Except as contained in this notice, the name of the X Consortium shall not be
+used in advertising or otherwise to promote the sale, use or other dealings
+in this Software without prior written authorization from the X Consortium.
+
+*/
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: writeauth.c,v 1.4 1999/05/12 17:59:44 assar Exp $");
+#endif
+
+#include <X11/Xauth.h>
+
+static int
+write_short (unsigned short s, FILE *file)
+{
+    unsigned char   file_short[2];
+
+    file_short[0] = (s & (unsigned)0xff00) >> 8;
+    file_short[1] = s & 0xff;
+    if (fwrite (file_short, sizeof (file_short), 1, file) != 1)
+	return 0;
+    return 1;
+}
+
+static int
+write_counted_string (unsigned short count, char *string, FILE *file)
+{
+    if (write_short (count, file) == 0)
+	return 0;
+    if (fwrite (string, (int) sizeof (char), (int) count, file) != count)
+	return 0;
+    return 1;
+}
+
+int
+XauWriteAuth (FILE *auth_file, Xauth *auth)
+{
+    if (write_short (auth->family, auth_file) == 0)
+	return 0;
+    if (write_counted_string (auth->address_length, auth->address, auth_file) == 0)
+	return 0;
+    if (write_counted_string (auth->number_length, auth->number, auth_file) == 0)
+	return 0;
+    if (write_counted_string (auth->name_length, auth->name, auth_file) == 0)
+	return 0;
+    if (write_counted_string (auth->data_length, auth->data, auth_file) == 0)
+	return 0;
+    return 1;
+}
diff --git a/crypto/heimdal/appl/login/ChangeLog b/crypto/heimdal/appl/login/ChangeLog
index fc9f7554..15d01be 100644
--- a/crypto/heimdal/appl/login/ChangeLog
+++ b/crypto/heimdal/appl/login/ChangeLog
@@ -1,3 +1,8 @@
+2001-02-08  Assar Westerlund  <assar@sics.se>
+
+	* utmp_login.c, utmpx_login.c: try to write a useful string as
+	host in utmp, using the same algoritm as telnetd
+
 2001-01-29  Assar Westerlund  <assar@sics.se>
 
 	* login.c: remove some krb5_free_context that might happen at
diff --git a/crypto/heimdal/appl/login/Makefile.in b/crypto/heimdal/appl/login/Makefile.in
index ba353de..64f94b3 100644
--- a/crypto/heimdal/appl/login/Makefile.in
+++ b/crypto/heimdal/appl/login/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -119,7 +120,7 @@ install_sh = @install_sh@
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = $(PROGRAMS)
 
 bin_PROGRAMS = login
@@ -260,7 +263,7 @@ OBJECTS = $(am_login_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/login/Makefile
 
@@ -352,6 +355,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
diff --git a/crypto/heimdal/appl/login/login.c b/crypto/heimdal/appl/login/login.c
index 2ada921..7cd405b 100644
--- a/crypto/heimdal/appl/login/login.c
+++ b/crypto/heimdal/appl/login/login.c
@@ -39,7 +39,7 @@
 #include <sys/capability.h>
 #endif
 
-RCSID("$Id: login.c,v 1.46 2001/01/29 02:18:03 assar Exp $");
+RCSID("$Id: login.c,v 1.47 2001/02/20 01:44:45 assar Exp $");
 
 static int login_timeout = 60;
 
@@ -650,7 +650,7 @@ main(int argc, char **argv)
     int ask = 1;
     struct sigaction sa;
     
-    set_progname(argv[0]);
+    setprogname(argv[0]);
 
 #ifdef KRB5
     {
diff --git a/crypto/heimdal/appl/login/login_protos.h b/crypto/heimdal/appl/login/login_protos.h
index e19a598..4bb8207 100644
--- a/crypto/heimdal/appl/login/login_protos.h
+++ b/crypto/heimdal/appl/login/login_protos.h
@@ -64,6 +64,12 @@ read_string __P((
 	int echo));
 
 void
+shrink_hostname __P((
+	const char *hostname,
+	char *dst,
+	size_t dst_sz));
+
+void
 stty_default __P((void));
 
 void
diff --git a/crypto/heimdal/appl/login/osfc2.c b/crypto/heimdal/appl/login/osfc2.c
index 5d4d087..056484c 100644
--- a/crypto/heimdal/appl/login/osfc2.c
+++ b/crypto/heimdal/appl/login/osfc2.c
@@ -32,7 +32,7 @@
  */
 
 #include "login_locl.h"
-RCSID("$Id: osfc2.c,v 1.3 1999/12/02 17:04:56 joda Exp $");
+RCSID("$Id: osfc2.c,v 1.4 2001/02/20 01:44:46 assar Exp $");
 
 int
 do_osfc2_magic(uid_t uid)
@@ -42,7 +42,7 @@ do_osfc2_magic(uid_t uid)
     char *argv[2];
     
     /* fake */
-    argv[0] = (char*)__progname;
+    argv[0] = (char*)getprogname();
     argv[1] = NULL;
     set_auth_parameters(1, argv);
     
diff --git a/crypto/heimdal/appl/login/utmp_login.c b/crypto/heimdal/appl/login/utmp_login.c
index b584326b..0be6cdb 100644
--- a/crypto/heimdal/appl/login/utmp_login.c
+++ b/crypto/heimdal/appl/login/utmp_login.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 1996, 1997, 1999 Kungliga Tekniska H�gskolan
+ * Copyright (c) 1995 - 2001 Kungliga Tekniska H�gskolan
  * (Royal Institute of Technology, Stockholm, Sweden).
  * All rights reserved.
  * 
@@ -33,7 +33,49 @@
 
 #include "login_locl.h"
 
-RCSID("$Id: utmp_login.c,v 1.17 1999/12/02 17:04:56 joda Exp $");
+RCSID("$Id: utmp_login.c,v 1.18 2001/02/08 16:08:26 assar Exp $");
+
+/* try to put something useful from hostname into dst, dst_sz:
+ * full name, first component or address */
+
+void
+shrink_hostname (const char *hostname,
+		 char *dst, size_t dst_sz)
+{
+    char local_hostname[MaxHostNameLen];
+    char *ld, *hd;
+    int ret;
+    struct addrinfo *ai;
+
+    if (strlen(hostname) < dst_sz) {
+	strlcpy (dst, hostname, dst_sz);
+	return;
+    }
+    gethostname (local_hostname, sizeof(local_hostname));
+    hd = strchr (hostname, '.');
+    ld = strchr (local_hostname, '.');
+    if (hd != NULL && ld != NULL && strcmp(hd, ld) == 0
+	&& hd - hostname < dst_sz) {
+	strlcpy (dst, hostname, dst_sz);
+	dst[hd - hostname] = '\0';
+	return;
+    }
+
+    ret = getaddrinfo (hostname, NULL, NULL, &ai);
+    if (ret) {
+	strncpy (dst, hostname, dst_sz);
+	return;
+    }
+    ret = getnameinfo (ai->ai_addr, ai->ai_addrlen,
+		       dst, dst_sz,
+		       NULL, 0,
+		       NI_NUMERICHOST);
+    freeaddrinfo (ai);
+    if (ret) {
+	strncpy (dst, hostname, dst_sz);
+	return;
+    }
+}
 
 void
 prepare_utmp (struct utmp *utmp, char *tty, 
@@ -60,7 +102,7 @@ prepare_utmp (struct utmp *utmp, char *tty,
 # endif
 
 # ifdef HAVE_STRUCT_UTMP_UT_HOST
-    strncpy(utmp->ut_host, hostname, sizeof(utmp->ut_host));
+    shrink_hostname (hostname, utmp->ut_host, sizeof(utmp->ut_host));
 # endif
 
 # ifdef HAVE_STRUCT_UTMP_UT_TYPE
diff --git a/crypto/heimdal/appl/login/utmpx_login.c b/crypto/heimdal/appl/login/utmpx_login.c
index 745d64c..46d7f15 100644
--- a/crypto/heimdal/appl/login/utmpx_login.c
+++ b/crypto/heimdal/appl/login/utmpx_login.c
@@ -2,7 +2,7 @@
 
 #include "login_locl.h"
 
-RCSID("$Id: utmpx_login.c,v 1.24 1999/08/04 17:03:15 assar Exp $");
+RCSID("$Id: utmpx_login.c,v 1.25 2001/02/08 16:08:47 assar Exp $");
 
 /* utmpx_login - update utmp and wtmp after login */
 
@@ -21,7 +21,7 @@ utmpx_update(struct utmpx *ut, char *line, const char *user, const char *host)
     strncpy(ut->ut_id, make_id(clean_tty), sizeof(ut->ut_id));
 #endif
     strncpy(ut->ut_user, user, sizeof(ut->ut_user));
-    strncpy(ut->ut_host, host, sizeof(ut->ut_host));
+    shrink_hostname (host, ut->ut_host, sizeof(ut->ut_host));
 #ifdef HAVE_STRUCT_UTMPX_UT_SYSLEN
     ut->ut_syslen = strlen(host) + 1;
     if (ut->ut_syslen > sizeof(ut->ut_host))
diff --git a/crypto/heimdal/appl/otp/ChangeLog b/crypto/heimdal/appl/otp/ChangeLog
new file mode 100644
index 0000000..cffff9e
--- /dev/null
+++ b/crypto/heimdal/appl/otp/ChangeLog
@@ -0,0 +1,40 @@
+2000-11-29  Johan Danielsson  <joda@pdc.kth.se>
+
+	* otpprint.1: sort parameters and close a list
+
+	* otp.1: sort parameters and close a list
+
+1999-09-14  Assar Westerlund  <assar@sics.se>
+
+	* otp.c (verify_user_otp): check return value from
+ 	des_read_pw_string
+
+Thu Apr  1 16:51:07 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* otpprint.c: use getarg
+
+	* otp.c: use getarg
+
+Thu Mar 18 12:08:58 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Thu Mar  4 19:45:40 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: DESTDIR
+
+Sat Feb 27 19:44:25 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: add
+
+Sun Nov 22 10:32:50 1998  Assar Westerlund  <assar@sics.se>
+
+	* otpprint.c: more braces
+
+	* Makefile.in (WFLAGS): set
+
+Sun Dec 21 09:31:30 1997  Assar Westerlund  <assar@sics.se>
+
+	* otp.c (renew): don't set the OTP if the reading of the string
+ 	fails.
+
diff --git a/crypto/heimdal/appl/otp/Makefile.am b/crypto/heimdal/appl/otp/Makefile.am
new file mode 100644
index 0000000..0597a73
--- /dev/null
+++ b/crypto/heimdal/appl/otp/Makefile.am
@@ -0,0 +1,16 @@
+# $Id: Makefile.am,v 1.9 2000/11/15 22:51:09 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+bin_PROGRAMS = otp otpprint
+bin_SUIDS = otp
+otp_SOURCES = otp.c otp_locl.h
+otpprint_SOURCES = otpprint.c otp_locl.h
+
+man_MANS = otp.1  otpprint.1
+
+LDADD = \
+	$(top_builddir)/lib/otp/libotp.la \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB)
diff --git a/crypto/heimdal/appl/otp/Makefile.in b/crypto/heimdal/appl/otp/Makefile.in
new file mode 100644
index 0000000..7c576b8
--- /dev/null
+++ b/crypto/heimdal/appl/otp/Makefile.in
@@ -0,0 +1,628 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.9 2000/11/15 22:51:09 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+bin_PROGRAMS = otp otpprint
+bin_SUIDS = otp
+otp_SOURCES = otp.c otp_locl.h
+otpprint_SOURCES = otpprint.c otp_locl.h
+
+man_MANS = otp.1  otpprint.1
+
+LDADD = \
+	$(top_builddir)/lib/otp/libotp.la \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB)
+
+subdir = appl/otp
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+bin_PROGRAMS =  otp$(EXEEXT) otpprint$(EXEEXT)
+PROGRAMS =  $(bin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+am_otp_OBJECTS =  otp.$(OBJEXT)
+otp_OBJECTS =  $(am_otp_OBJECTS)
+otp_LDADD = $(LDADD)
+otp_DEPENDENCIES =  $(top_builddir)/lib/otp/libotp.la
+otp_LDFLAGS = 
+am_otpprint_OBJECTS =  otpprint.$(OBJEXT)
+otpprint_OBJECTS =  $(am_otpprint_OBJECTS)
+otpprint_LDADD = $(LDADD)
+otpprint_DEPENDENCIES =  $(top_builddir)/lib/otp/libotp.la
+otpprint_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  $(otp_SOURCES) $(otpprint_SOURCES)
+man1dir = $(mandir)/man1
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = $(otp_SOURCES) $(otpprint_SOURCES)
+OBJECTS = $(am_otp_OBJECTS) $(am_otpprint_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/otp/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+otp$(EXEEXT): $(otp_OBJECTS) $(otp_DEPENDENCIES)
+	@rm -f otp$(EXEEXT)
+	$(LINK) $(otp_LDFLAGS) $(otp_OBJECTS) $(otp_LDADD) $(LIBS)
+
+otpprint$(EXEEXT): $(otpprint_OBJECTS) $(otpprint_DEPENDENCIES)
+	@rm -f otpprint$(EXEEXT)
+	$(LINK) $(otpprint_LDFLAGS) $(otpprint_OBJECTS) $(otpprint_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-compile distclean-libtool \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool install-man1 uninstall-man1 \
+install-man uninstall-man tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/otp/otp.1 b/crypto/heimdal/appl/otp/otp.1
new file mode 100644
index 0000000..473a4b0
--- /dev/null
+++ b/crypto/heimdal/appl/otp/otp.1
@@ -0,0 +1,60 @@
+.\" $Id: otp.1,v 1.2 2000/11/29 18:18:22 joda Exp $
+.\"
+.Dd November 17, 1996
+.Dt OTP 1
+.Os KTH-KRB
+.Sh NAME
+.Nm otp
+.Nd
+manages one-time passwords
+.Sh SYNOPSIS
+.Nm otp
+.Op Fl dhlor
+.Op Fl f Ar algorithm
+.Op Fl u Ar user
+.Ar sequence-number
+.Ar seed
+.Sh DESCRIPTION
+The
+.Nm
+program initializes and updates your current series of one-time
+passwords (OTPs).
+.Pp
+Use this to set a new series of one-time passwords.  Only perform this
+on the console or over an encrypted link as you will have to supply
+your pass-phrase.  The other two parameters are
+.Ar sequence-number
+and
+.Ar seed .
+.Pp
+Options are:
+.Bl -tag -width Ds
+.It Fl d
+To delete a one-time password.
+.It Fl f
+Choose a different
+.Ar algorithm
+from the default md5.  Pick any of: md4, md5, and sha.
+.It Fl h
+For getting a help message.
+.It Fl l
+List the current table of one-time passwords.
+.It Fl o
+To open (unlock) the otp-entry for a user.
+.It Fl r
+To renew a one-time password series.  This operation can be performed
+over an potentially eavesdropped link because you do not supply the
+pass-phrase.  First you need to supply the current one-time password
+and then the new one corresponding to the supplied
+.Ar sequence-number
+and
+.Ar seed .
+.It Fl u
+To choose a different
+.Ar user
+to set one-time passwords for.  This only works when running
+.Nm
+as root.
+.El
+.Sh SEE ALSO
+.Xr otpprint 1
diff --git a/crypto/heimdal/appl/otp/otp.c b/crypto/heimdal/appl/otp/otp.c
new file mode 100644
index 0000000..66de4e0
--- /dev/null
+++ b/crypto/heimdal/appl/otp/otp.c
@@ -0,0 +1,366 @@
+/*
+ * Copyright (c) 1995-1997, 1999 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "otp_locl.h"
+#include <getarg.h>
+
+RCSID("$Id: otp.c,v 1.33 2001/02/20 01:44:46 assar Exp $");
+
+static int listp;
+static int deletep;
+static int openp;
+static int renewp;
+static char* alg_string;
+static char *user;
+static int version_flag;
+static int help_flag;
+
+struct getargs args[] = {
+    { "list", 'l', arg_flag, &listp, "list OTP status" },
+    { "delete", 'd', arg_flag, &deletep, "delete OTP" },
+    { "open", 'o', arg_flag, &openp, "open a locked OTP" },
+    { "renew", 'r', arg_flag, &renewp, "securely renew OTP" },
+    { "hash", 'f', arg_string, &alg_string, 
+      "hash algorithm (md4, md5, or sha)", "algorithm"},
+    { "user", 'u', arg_string, &user, 
+      "user other than current user (root only)", "user" },
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 'h', arg_flag, &help_flag }
+};
+
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "[num seed]");
+    exit(code);
+}
+
+/* 
+ * Renew the OTP for a user. 
+ * The pass-phrase is not required (RFC 1938/8.0)
+ */
+
+static int
+renew (int argc, char **argv, OtpAlgorithm *alg, char *user)
+{
+    OtpContext newctx, *ctx;
+    char prompt[128];
+    char pw[64];
+    void *dbm;
+    int ret;
+
+    newctx.alg = alg;
+    newctx.user = user;
+    newctx.n = atoi (argv[0]);
+    strlcpy (newctx.seed, argv[1], sizeof(newctx.seed));
+    strlwr(newctx.seed);
+    snprintf (prompt, sizeof(prompt),
+	      "[ otp-%s %u %s ]",
+	      newctx.alg->name,
+	      newctx.n, 
+	      newctx.seed);
+    if (des_read_pw_string (pw, sizeof(pw), prompt, 0) == 0 &&
+	otp_parse (newctx.key, pw, alg) == 0) {
+	ctx = &newctx;
+	ret = 0;
+    } else
+	return 1;
+
+    dbm = otp_db_open ();
+    if (dbm == NULL) {
+	warnx ("otp_db_open failed");
+	return 1;
+    }
+    otp_put (dbm, ctx);
+    otp_db_close (dbm);
+    return ret;
+}
+
+/*
+ * Return 0 if the user could enter the next OTP.
+ * I would rather have returned !=0 but it's shell-like here around.
+ */
+
+static int 
+verify_user_otp(char *username)
+{
+    OtpContext ctx;
+    char passwd[OTP_MAX_PASSPHRASE + 1];
+    char prompt[128], ss[256];
+
+    if (otp_challenge (&ctx, username, ss, sizeof(ss)) != 0) {
+	warnx("no otp challenge found for %s", username);
+	return 1; 
+    }
+
+    snprintf (prompt, sizeof(prompt), "%s's %s Password: ", username, ss);
+    if(des_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0))
+	return 1;
+    return otp_verify_user (&ctx, passwd);
+}
+
+/* 
+ * Set the OTP for a user
+ */
+
+static int
+set (int argc, char **argv, OtpAlgorithm *alg, char *user)
+{
+    void *db;
+    OtpContext ctx;
+    char pw[OTP_MAX_PASSPHRASE + 1];
+    int ret;
+    int i;
+
+    ctx.alg = alg;
+    ctx.user = strdup (user);
+    if (ctx.user == NULL)
+	err (1, "out of memory");
+
+    ctx.n = atoi (argv[0]);
+    strlcpy (ctx.seed, argv[1], sizeof(ctx.seed));
+    strlwr(ctx.seed);
+    do {
+	if (des_read_pw_string (pw, sizeof(pw), "Pass-phrase: ", 1))
+	    return 1;
+	if (strlen (pw) < OTP_MIN_PASSPHRASE)
+	    printf ("Too short pass-phrase.  Use at least %d characters\n",
+		    OTP_MIN_PASSPHRASE);
+    } while(strlen(pw) < OTP_MIN_PASSPHRASE);
+    ctx.alg->init (ctx.key, pw, ctx.seed);
+    for (i = 0; i < ctx.n; ++i)
+	ctx.alg->next (ctx.key);
+    db = otp_db_open ();
+    if(db == NULL) {
+	free (ctx.user);
+	err (1, "otp_db_open failed");
+    }
+    ret = otp_put (db, &ctx);
+    otp_db_close (db);
+    free (ctx.user);
+    return ret;
+}
+
+/*
+ * Delete otp of user from the database
+ */
+
+static int
+delete_otp (int argc, char **argv, char *user)
+{
+    void *db;
+    OtpContext ctx;
+    int ret;
+
+    db = otp_db_open ();
+    if(db == NULL)
+	errx (1, "otp_db_open failed");
+
+    ctx.user = user;
+    ret = otp_delete(db, &ctx);
+    otp_db_close (db);
+    return ret;
+}
+
+/* 
+ * Tell whether the user has an otp
+ */
+
+static int
+has_an_otp(char *user)
+{
+    void *db;
+    OtpContext ctx;
+    int ret;
+
+    db = otp_db_open ();
+    if(db == NULL) {
+	warnx ("otp_db_open failed");
+	return 0; /* if no db no otp! */
+    }
+  
+    ctx.user = user;
+    ret = otp_simple_get(db, &ctx); 
+
+    otp_db_close (db);
+    return !ret;
+}
+
+/*
+ * Get and print out the otp entry for some user
+ */
+
+static void
+print_otp_entry_for_name (void *db, char *user)
+{
+    OtpContext ctx;
+
+    ctx.user = user;
+    if (!otp_simple_get(db, &ctx)) {
+	fprintf(stdout,
+		"%s\totp-%s %d %s",
+		ctx.user, ctx.alg->name, ctx.n, ctx.seed);
+	if (ctx.lock_time)
+	    fprintf(stdout,
+		    "\tlocked since %s",
+		    ctime(&ctx.lock_time));
+	else
+	    fprintf(stdout, "\n");
+    }
+}
+
+static int
+open_otp (int argc, char **argv, char *user)
+{
+    void *db;
+    OtpContext ctx;
+    int ret;
+
+    db = otp_db_open ();
+    if (db == NULL)
+	errx (1, "otp_db_open failed");
+  
+    ctx.user = user;
+    ret = otp_simple_get (db, &ctx);
+    if (ret == 0)
+	ret = otp_put (db, &ctx);
+    otp_db_close (db);
+    return ret;
+}
+
+/*
+ * Print otp entries for one or all users
+ */
+
+static int
+list_otps (int argc, char **argv, char *user)
+{
+    void *db;
+    struct passwd *pw;
+
+    db = otp_db_open ();
+    if(db == NULL)
+	errx (1, "otp_db_open failed");
+
+    if (user)
+	print_otp_entry_for_name(db, user);
+    else
+	/* scans all users... so as to get a deterministic order */
+	while ((pw = getpwent()))
+	    print_otp_entry_for_name(db, pw->pw_name);
+
+    otp_db_close (db);
+    return 0;
+}
+
+int
+main (int argc, char **argv)
+{
+    int defaultp = 0;
+    int uid = getuid();
+    OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT);
+    int optind = 0;
+  
+    setprogname (argv[0]);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    if(deletep && uid != 0)
+	errx (1, "Only root can delete OTPs");
+    if(alg_string) {
+	alg = otp_find_alg (alg_string);
+	if (alg == NULL)
+	    errx (1, "Unknown algorithm: %s", alg_string);
+    }
+    if (user && uid != 0)
+	errx (1, "Only root can use `-u'");
+    argc -= optind;
+    argv += optind;
+
+    if (!(listp || deletep || renewp || openp))
+	defaultp = 1;
+
+    if ( listp + deletep + renewp + defaultp + openp != 1) 
+	usage(1); /* one of -d or -l or -r or none */
+
+    if(deletep || openp || listp) {
+	if(argc != 0)
+	    errx(1, "delete, open, and list requires no arguments\n");
+    } else {
+	if(argc != 2)
+	    errx(1, "setup, and renew requires `num', and `seed'");
+    }
+    if (listp)
+	return list_otps (argc, argv, user);
+
+    if (user == NULL) {
+	struct passwd *pwd;
+
+	pwd = k_getpwuid(uid);
+	if (pwd == NULL)
+	    err (1, "You don't exist");
+	user = pwd->pw_name;
+    }
+  
+    /*
+     * users other that root must provide the next OTP to update the sequence.
+     * it avoids someone to use a pending session to change an OTP sequence.
+     * see RFC 1938/8.0.
+     */
+    if (uid != 0 && (defaultp || renewp)) {
+	if (!has_an_otp(user)) {
+	    errx (1, "Only root can set an initial OTP");
+	} else { /* Check the next OTP (RFC 1938/8.0: SHOULD) */
+	    if (verify_user_otp(user) != 0) {
+		errx (1, "User authentification failed");
+	    }
+	}
+    }
+
+    if (deletep)
+	return delete_otp (argc, argv, user);
+    else if (renewp)
+	return renew (argc, argv, alg, user);
+    else if (openp)
+	return open_otp (argc, argv, user);
+    else
+	return set (argc, argv, alg, user);
+}
diff --git a/crypto/heimdal/appl/otp/otp.cat1 b/crypto/heimdal/appl/otp/otp.cat1
new file mode 100644
index 0000000..588bcc2
--- /dev/null
+++ b/crypto/heimdal/appl/otp/otp.cat1
@@ -0,0 +1,43 @@
+
+OTP(1)                       UNIX Reference Manual                      OTP(1)
+
+NNAAMMEE
+     oottpp - manages one-time passwords
+
+SSYYNNOOPPSSIISS
+     oottpp [--ddhhlloorr] [--ff _a_l_g_o_r_i_t_h_m] [--uu _u_s_e_r] _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r _s_e_e_d
+
+DDEESSCCRRIIPPTTIIOONN
+     The oottpp program initializes and updates your current series of one-time
+     passwords (OTPs).
+
+     Use this to set a new series of one-time passwords.  Only perform this on
+     the console or over an encrypted link as you will have to supply your
+     pass-phrase.  The other two parameters are _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r and _s_e_e_d.
+
+     Options are:
+
+     --dd      To delete a one-time password.
+
+     --ff      Choose a different _a_l_g_o_r_i_t_h_m from the default md5.  Pick any of:
+             md4, md5, and sha.
+
+     --hh      For getting a help message.
+
+     --ll      List the current table of one-time passwords.
+
+     --oo      To open (unlock) the otp-entry for a user.
+
+     --rr      To renew a one-time password series.  This operation can be per-
+             formed over an potentially eavesdropped link because you do not
+             supply the pass-phrase.  First you need to supply the current
+             one-time password and then the new one corresponding to the sup-
+             plied _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r and _s_e_e_d.
+
+     --uu      To choose a different _u_s_e_r to set one-time passwords for.  This
+             only works when running oottpp as root.
+
+SSEEEE AALLSSOO
+     otpprint(1)
+
+ KTH-KRB                       November 17, 1996                             1
diff --git a/crypto/heimdal/appl/otp/otp_locl.h b/crypto/heimdal/appl/otp/otp_locl.h
new file mode 100644
index 0000000..971ec68
--- /dev/null
+++ b/crypto/heimdal/appl/otp/otp_locl.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id: otp_locl.h,v 1.8 2001/02/15 04:20:51 assar Exp $ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#include <roken.h>
+#include <err.h>
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
+#include <des.h>
+#endif
+#include <otp.h>
diff --git a/crypto/heimdal/appl/otp/otpprint.1 b/crypto/heimdal/appl/otp/otpprint.1
new file mode 100644
index 0000000..7f7d5be
--- /dev/null
+++ b/crypto/heimdal/appl/otp/otpprint.1
@@ -0,0 +1,52 @@
+.\" $Id: otpprint.1,v 1.4 2001/06/08 20:44:46 assar Exp $
+.\"
+.Dd November 17, 1996
+.Dt OTP 1
+.Os KTH-KRB
+.Sh NAME
+.Nm otpprint
+.Nd
+print lists of one-time passwords
+.Sh SYNOPSIS
+.Nm otp
+.Op Fl n Ar count
+.Op Fl e
+.Op Fl h
+.Op Fl f Ar algorithm
+.Ar sequence-number
+.Ar seed
+.Sh DESCRIPTION
+The
+.Nm
+program prints lists of OTPs.
+.Pp
+Use this to print out a series of one-time passwords.  You will have
+to supply the
+.Ar sequence number
+and the
+.Ar seed
+as arguments and then the program will prompt you for your pass-phrase.
+.Pp
+There are several different print formats.  The default is to print
+each password with six short english words.
+.Pp
+Options are:
+.Bl -tag -width Ds
+.It Fl e
+Print the passwords in ``extended'' format.  In this format a prefix
+that says ``hex:'' or ``word:'' is included.
+.It Fl f
+To choose a different
+.Ar algorithm
+from the default md5.  Pick any of: md4, md5, and sha.
+.It Fl h
+Print the passwords in hex.
+.It Fl n
+Print
+.Ar count
+one-time passwords, starting at
+.Ar sequence-number
+and going backwards. The default is 10.
+.El
+.Sh SEE ALSO
+.Xr otp 1
diff --git a/crypto/heimdal/appl/otp/otpprint.c b/crypto/heimdal/appl/otp/otpprint.c
new file mode 100644
index 0000000..b1d0a84
--- /dev/null
+++ b/crypto/heimdal/appl/otp/otpprint.c
@@ -0,0 +1,135 @@
+/*
+ * Copyright (c) 1995-1999 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "otp_locl.h"
+#include <getarg.h>
+
+RCSID("$Id: otpprint.c,v 1.14 2001/02/20 01:44:46 assar Exp $");
+
+static int extendedp;
+static int count = 10;
+static int hexp;
+static char* alg_string;
+static int version_flag;
+static int help_flag;
+
+struct getargs args[] = {
+    { "extended", 'e', arg_flag, &extendedp, "print keys in extended format" },
+    { "count", 'n', arg_integer, &count, "number of keys to print" },
+    { "hexadecimal", 'h', arg_flag, &hexp, "output in hexadecimal" },
+    { "hash", 'f', arg_string, &alg_string, 
+      "hash algorithm (md4, md5, or sha)", "algorithm"},
+    { "version", 0, arg_flag, &version_flag },
+    { "help", 0, arg_flag, &help_flag }
+};
+
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static void
+usage(int code)
+{
+    arg_printusage(args, num_args, NULL, "num seed");
+    exit(code);
+}
+
+static int
+print (int argc,
+       char **argv,
+       int count,
+       OtpAlgorithm *alg,
+       void (*print_fn)(OtpKey, char *, size_t))
+{
+  char pw[64];
+  OtpKey key;
+  int n;
+  int i;
+  char *seed;
+
+  if (argc != 2)
+      usage (1);
+  n = atoi(argv[0]);
+  seed = argv[1];
+  if (des_read_pw_string (pw, sizeof(pw), "Pass-phrase: ", 0))
+    return 1;
+  alg->init (key, pw, seed);
+  for (i = 0; i < n; ++i) {
+    char s[64];
+
+    alg->next (key);
+    if (i >= n - count) {
+      (*print_fn)(key, s, sizeof(s));
+      printf ("%d: %s\n", i + 1, s);
+    }
+  }
+  return 0;
+}
+
+int
+main (int argc, char **argv)
+{
+    int optind = 0;
+    void (*fn)(OtpKey, char *, size_t);
+    OtpAlgorithm *alg = otp_find_alg (OTP_ALG_DEFAULT);
+
+    setprogname (argv[0]);
+    if(getarg(args, num_args, argc, argv, &optind))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    if(alg_string) {
+	alg = otp_find_alg (alg_string);
+	if (alg == NULL)
+	    errx(1, "Unknown algorithm: %s", alg_string);
+    }
+    argc -= optind;
+    argv += optind;
+
+    if (hexp) {
+	if (extendedp)
+	    fn = otp_print_hex_extended;
+	else
+	    fn = otp_print_hex;
+    } else {
+	if (extendedp)
+	    fn = otp_print_stddict_extended;
+	else
+	    fn = otp_print_stddict;
+    }
+
+    return print (argc, argv, count, alg, fn);
+}
diff --git a/crypto/heimdal/appl/otp/otpprint.cat1 b/crypto/heimdal/appl/otp/otpprint.cat1
new file mode 100644
index 0000000..1c4d244
--- /dev/null
+++ b/crypto/heimdal/appl/otp/otpprint.cat1
@@ -0,0 +1,36 @@
+
+OTP(1)                       UNIX Reference Manual                      OTP(1)
+
+NNAAMMEE
+     oottpppprriinntt - print lists of one-time passwords
+
+SSYYNNOOPPSSIISS
+     oottpp [--nn _c_o_u_n_t] [--ee] [--hh] [--ff _a_l_g_o_r_i_t_h_m] _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r _s_e_e_d
+
+DDEESSCCRRIIPPTTIIOONN
+     The oottpppprriinntt program prints lists of OTPs.
+
+     Use this to print out a series of one-time passwords.  You will have to
+     supply the _s_e_q_u_e_n_c_e _n_u_m_b_e_r and the _s_e_e_d as arguments and then the program
+     will prompt you for your pass-phrase.
+
+     There are several different print formats.  The default is to print each
+     password with six short english words.
+
+     Options are:
+
+     --ee      Print the passwords in ``extended'' format.  In this format a
+             prefix that says ``hex:'' or ``word:'' is included.
+
+     --ff      To choose a different _a_l_g_o_r_i_t_h_m from the default md5.  Pick any
+             of: md4, md5, and sha.
+
+     --hh      Print the passwords in hex.
+
+     --nn      Print _c_o_u_n_t one-time passwords, starting at _s_e_q_u_e_n_c_e_-_n_u_m_b_e_r and
+             going backwards. The default is 10.
+
+SSEEEE AALLSSOO
+     otp(1)
+
+ KTH-KRB                       November 17, 1996                             1
diff --git a/crypto/heimdal/appl/popper/ChangeLog b/crypto/heimdal/appl/popper/ChangeLog
new file mode 100644
index 0000000..8c85793
--- /dev/null
+++ b/crypto/heimdal/appl/popper/ChangeLog
@@ -0,0 +1,169 @@
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* pop_init.c (pop_init): handle krb5_init_context failure
+	consistently
+	* pop_debug.c (doit_v5): handle krb5_init_context failure
+	consistently
+
+2000-06-10  Assar Westerlund  <assar@sics.se>
+
+	* pop_init.c (krb4_authenticate): do not exit on failure, just
+	return
+	(krb5_authenticate): log errors from krb5_recvauth
+
+2000-04-12  Assar Westerlund  <assar@sics.se>
+
+	* *.c: replace all erroneous calls to pop_log with POP_FAILURE
+	with POP_PRIORITY.  reported by Janne Johansson <jj@it.kth.se>'
+
+2000-01-27  Assar Westerlund  <assar@sics.se>
+
+	* pop_debug.c (main): figure out port number
+
+1999-12-20  Assar Westerlund  <assar@sics.se>
+
+	* pop_init.c (pop_init): use getnameinfo_verified
+
+	* pop_debug.c (get_socket): use getaddrinfo
+
+1999-12-03  Johan Danielsson  <joda@pdc.kth.se>
+
+	* pop_init.c: optionally trace connected addresses to a file
+
+1999-11-02  Assar Westerlund  <assar@sics.se>
+
+	* pop_debug.c (main): redo the v4/v5 selection for consistency.
+  	-4 -> try only v4 -5 -> try only v5 none, -45 -> try v5, v4
+
+1999-10-16  Johan Danielsson  <joda@pdc.kth.se>
+
+	* pop_init.c (krb5_authenticate): don't use the principal
+	associated with the socket for authentication, instead let
+	krb5_rd_req pick the correct one from the ticket; just check that
+	it actually was a pop-ticket
+
+1999-08-12  Johan Danielsson  <joda@pdc.kth.se>
+
+	* pop_init.c (pop_init): don't freehostent if ch == NULL
+
+	* pop_dele.c: implement XDELE to delete a range of messages
+
+1999-08-05  Assar Westerlund  <assar@sics.se>
+
+	* pop_init.c: v6-ify
+
+	* pop_debug.c: v6-ify
+
+1999-05-10  Assar Westerlund  <assar@sics.se>
+
+	* pop_debug.c (doit_v5): call krb5_sendauth with ccache == NULL
+	
+1999-04-11  Assar Westerlund  <assar@sics.se>
+
+	* pop_debug.c (main): use print_version
+
+Thu Apr  8 15:07:11 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* pop_pass.c: remove definition of KRB_VERIFY_USER (moved to
+ 	config.h)
+
+Thu Mar 18 12:55:42 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* pop_pass.c: define KRB_VERIFY_SECURE if not defined
+
+	* Makefile.am: include Makefile.am.common
+
+Wed Mar 17 23:36:21 1999  Assar Westerlund  <assar@sics.se>
+
+	* pop_pass.c (krb4_verify_password): use KRB_VERIFY_SECURE instead
+ 	of 1
+
+Tue Mar 16 22:28:52 1999  Assar Westerlund  <assar@sics.se>
+
+	* pop_pass.c: krb_verify_user_multiple -> krb_verify_user
+
+Sat Mar 13 22:17:29 1999  Assar Westerlund  <assar@sics.se>
+
+	* pop_parse.c (pop_parse): cast when calling is* to get rid of a
+ 	warning
+
+Mon Mar  8 11:50:06 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* pop_init.c: use print_version
+
+Fri Mar  5 15:14:29 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* pop_send.c: fix handling of messages w/o body
+
+Sun Nov 22 10:33:29 1998  Assar Westerlund  <assar@sics.se>
+
+	* pop_pass.c (pop_pass): try to always log
+
+	* Makefile.in (WFLAGS): set
+
+Fri Jul 10 01:14:25 1998  Assar Westerlund  <assar@sics.se>
+
+	* pop_init.c: s/net_read/pop_net_read/
+
+Tue Jun  2 17:33:54 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* pop_send.c: add missing newlines
+
+Sun May 24 20:59:45 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* maildir.c (make_path): fix reversed args
+
+Sat May 16 00:02:18 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: link with DBLIB
+
+Sun Apr 26 11:47:58 1998  Assar Westerlund  <assar@sics.se>
+
+	* pop_pass.c (pop_pass): check return value from changeuser
+
+	* pop_dropcopy.c (changeuser): check that `setuid' and `setgid'
+ 	succeeded.
+
+	* popper.h: changeuser now returns int
+
+Thu Apr 23 00:54:38 1998  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* Add support for maildir spoolfiles.
+
+	* popper.h (MsgInfoList): replace `del_flag' and `retr_flag' with
+	single `flags'
+
+	* pop_dropcopy.c: Fix mismatched parenthesis.
+
+Sat Apr  4 15:13:56 1998  Assar Westerlund  <assar@sics.se>
+
+	* pop_dropcopy.c (pop_dropcopy): first do mkstemp and then fdopen.
+  	Originally from <map@stacken.kth.se>
+
+	* popper.h: include <io.h>
+
+Sat Feb  7 10:07:39 1998  Assar Westerlund  <assar@sics.se>
+
+	* pop_pass.c(krb4_verify_password: Don't use REALM_SZ + 1, just
+ 	REALM_SZ
+
+Mon Dec 29 16:37:26 1997  Assar Westerlund  <assar@sics.se>
+
+	* pop_updt.c (pop_updt): lseek before ftruncating the file.  From
+ 	<map@stacken.kth.se>
+
+Sat Nov 22 13:46:39 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* pop_pass.c: Destroy tickets after verification.
+
+Sun Nov  9 09:11:14 1997  Assar Westerlund  <assar@sics.se>
+
+	* pop_dropinfo.c: be careful with mails without msg-id, subject,
+ 	or from
+
+Wed Oct 29 02:09:24 1997  Assar Westerlund  <assar@sics.se>
+
+	* pop_pass.c: conditionalize OTP-support
+
+	* pop_init.c: conditionalize OTP-support
+
diff --git a/crypto/heimdal/appl/popper/Makefile.am b/crypto/heimdal/appl/popper/Makefile.am
new file mode 100644
index 0000000..d52d0cf
--- /dev/null
+++ b/crypto/heimdal/appl/popper/Makefile.am
@@ -0,0 +1,29 @@
+# $Id: Makefile.am,v 1.13 2000/11/15 22:51:09 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4)
+
+noinst_PROGRAMS = pop_debug
+
+libexec_PROGRAMS = popper
+
+popper_SOURCES = \
+	pop_dele.c pop_dropcopy.c pop_dropinfo.c \
+	pop_get_command.c pop_init.c \
+	pop_last.c pop_list.c pop_log.c \
+	pop_msg.c pop_parse.c pop_pass.c pop_quit.c \
+	pop_rset.c pop_send.c pop_stat.c pop_updt.c \
+	pop_user.c pop_uidl.c pop_xover.c popper.c \
+	maildir.c popper.h version.h
+
+EXTRA_DIST = pop3.rfc1081 pop3e.rfc1082 \
+	popper.README.release README-FIRST README-KRB4
+
+LDADD = \
+	$(LIB_otp) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB)
diff --git a/crypto/heimdal/appl/popper/Makefile.in b/crypto/heimdal/appl/popper/Makefile.in
new file mode 100644
index 0000000..0185f12
--- /dev/null
+++ b/crypto/heimdal/appl/popper/Makefile.in
@@ -0,0 +1,623 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS = @WFLAGS@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.13 2000/11/15 22:51:09 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+noinst_PROGRAMS = pop_debug
+
+libexec_PROGRAMS = popper
+
+popper_SOURCES = \
+	pop_dele.c pop_dropcopy.c pop_dropinfo.c \
+	pop_get_command.c pop_init.c \
+	pop_last.c pop_list.c pop_log.c \
+	pop_msg.c pop_parse.c pop_pass.c pop_quit.c \
+	pop_rset.c pop_send.c pop_stat.c pop_updt.c \
+	pop_user.c pop_uidl.c pop_xover.c popper.c \
+	maildir.c popper.h version.h
+
+
+EXTRA_DIST = pop3.rfc1081 pop3e.rfc1082 \
+	popper.README.release README-FIRST README-KRB4
+
+
+LDADD = \
+	$(LIB_otp) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(DBLIB)
+
+subdir = appl/popper
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+libexec_PROGRAMS =  popper$(EXEEXT)
+noinst_PROGRAMS =  pop_debug$(EXEEXT)
+PROGRAMS =  $(libexec_PROGRAMS) $(noinst_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+pop_debug_SOURCES = pop_debug.c
+pop_debug_OBJECTS =  pop_debug.$(OBJEXT)
+pop_debug_LDADD = $(LDADD)
+@KRB5_FALSE@pop_debug_DEPENDENCIES = 
+@KRB5_TRUE@pop_debug_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+pop_debug_LDFLAGS = 
+am_popper_OBJECTS =  pop_dele.$(OBJEXT) pop_dropcopy.$(OBJEXT) \
+pop_dropinfo.$(OBJEXT) pop_get_command.$(OBJEXT) pop_init.$(OBJEXT) \
+pop_last.$(OBJEXT) pop_list.$(OBJEXT) pop_log.$(OBJEXT) \
+pop_msg.$(OBJEXT) pop_parse.$(OBJEXT) pop_pass.$(OBJEXT) \
+pop_quit.$(OBJEXT) pop_rset.$(OBJEXT) pop_send.$(OBJEXT) \
+pop_stat.$(OBJEXT) pop_updt.$(OBJEXT) pop_user.$(OBJEXT) \
+pop_uidl.$(OBJEXT) pop_xover.$(OBJEXT) popper.$(OBJEXT) \
+maildir.$(OBJEXT)
+popper_OBJECTS =  $(am_popper_OBJECTS)
+popper_LDADD = $(LDADD)
+@KRB5_FALSE@popper_DEPENDENCIES = 
+@KRB5_TRUE@popper_DEPENDENCIES =  $(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+popper_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  pop_debug.c $(popper_SOURCES)
+depcomp = 
+DIST_COMMON =  README ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = pop_debug.c $(popper_SOURCES)
+OBJECTS = pop_debug.$(OBJEXT) $(am_popper_OBJECTS)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/popper/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-libexecPROGRAMS:
+
+clean-libexecPROGRAMS:
+	-test -z "$(libexec_PROGRAMS)" || rm -f $(libexec_PROGRAMS)
+
+distclean-libexecPROGRAMS:
+
+maintainer-clean-libexecPROGRAMS:
+
+install-libexecPROGRAMS: $(libexec_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(libexecdir)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(libexecdir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-libexecPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(libexec_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(libexecdir)/$$f"; \
+	  rm -f $(DESTDIR)$(libexecdir)/$$f; \
+	done
+
+mostlyclean-noinstPROGRAMS:
+
+clean-noinstPROGRAMS:
+	-test -z "$(noinst_PROGRAMS)" || rm -f $(noinst_PROGRAMS)
+
+distclean-noinstPROGRAMS:
+
+maintainer-clean-noinstPROGRAMS:
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+pop_debug$(EXEEXT): $(pop_debug_OBJECTS) $(pop_debug_DEPENDENCIES)
+	@rm -f pop_debug$(EXEEXT)
+	$(LINK) $(pop_debug_LDFLAGS) $(pop_debug_OBJECTS) $(pop_debug_LDADD) $(LIBS)
+
+popper$(EXEEXT): $(popper_OBJECTS) $(popper_DEPENDENCIES)
+	@rm -f popper$(EXEEXT)
+	$(LINK) $(popper_LDFLAGS) $(popper_OBJECTS) $(popper_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-libexecPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-libexecPROGRAMS
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(libexecdir)
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-libexecPROGRAMS mostlyclean-noinstPROGRAMS \
+		mostlyclean-compile mostlyclean-libtool \
+		mostlyclean-tags mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-libexecPROGRAMS clean-noinstPROGRAMS clean-compile \
+		clean-libtool clean-tags clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-libexecPROGRAMS distclean-noinstPROGRAMS \
+		distclean-compile distclean-libtool distclean-tags \
+		distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-libexecPROGRAMS \
+		maintainer-clean-noinstPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-libexecPROGRAMS distclean-libexecPROGRAMS \
+clean-libexecPROGRAMS maintainer-clean-libexecPROGRAMS \
+uninstall-libexecPROGRAMS install-libexecPROGRAMS \
+mostlyclean-noinstPROGRAMS distclean-noinstPROGRAMS \
+clean-noinstPROGRAMS maintainer-clean-noinstPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool tags mostlyclean-tags \
+distclean-tags clean-tags maintainer-clean-tags distdir info-am info \
+dvi-am dvi check-local check check-am installcheck-am installcheck \
+install-exec-am install-exec install-data-local install-data-am \
+install-data install-am install uninstall-am uninstall all-local \
+all-redirect all-am all install-strip installdirs mostlyclean-generic \
+distclean-generic clean-generic maintainer-clean-generic clean \
+mostlyclean distclean maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/popper/README b/crypto/heimdal/appl/popper/README
new file mode 100644
index 0000000..0735fdd
--- /dev/null
+++ b/crypto/heimdal/appl/popper/README
@@ -0,0 +1,381 @@
+@(#)@(#)README	2.6   2.6 4/2/91
+
+
+The Post Office Protocol Server:  Installation Guide
+
+
+
+Introduction
+
+The Post Office Protocol server runs on a variety of Unix[1] computers
+to manage electronic mail for Macintosh and MS-DOS computers.  The
+server was developed at the University of California at Berkeley and
+conforms fully to the specifications in RFC 1081[2] and RFC 1082[3].
+The Berkeley server also has extensions to send electronic mail on
+behalf of a client.
+
+This guide explains how to install the POP server on your Unix
+computer.  It assumes that you are not only familiar with Unix but also
+capable of performing Unix system administration.
+
+
+How to Obtain the Server
+
+The POP server is available via anonymous ftp from ftp.CC.Berkeley.EDU
+(128.32.136.9, 128.32.206.12).  It is in two files in the pub directory:
+a compressed tar file popper-version.tar.Z and a Macintosh StuffIt archive
+in BinHex format called MacPOP.sit.hqx.
+
+
+Contents of the Distribution
+
+The distribution contains the following:
+
++   All of the C source necessary to create the server program.
+
++   A visual representation of how the POP system works.
+
++   Reprints of RFC 1081 and RFC 1082.
+
++   A HyperCard stack POP client implementation using MacTCP.
+
++   A man page for the popper daemon.
+
++   This guide.
+
+
+Compatibility
+
+The Berkeley POP server has been successfully tested on the following
+Unix operating systems:
+
++   Berkeley Systems Distribution 4.3
+
++   Sun Microsystems Operating System versions 3.5 and 4.0
+
++   Ultrix version 2.3
+
+The following POP clients operate correctly with the Berkeley POP server:
+
++   The Berkeley HyperMail HyperCard stack for the Apple Macintosh 
+    (distributed with the server).
+
++   The Stanford University Macintosh Internet Protocol MacMH program.
+
++   The Stanford University Personal Computer Internet Protocol MH 
+    program.
+
++   The mh version 6.0 programs for Unix.
+
+
+Support
+
+The Berkeley POP server is not officially supported and is without any
+warranty, explicit or implied.  However, we are interested in your
+experiences using the server.  Bugs, comments and suggestions should be
+sent electronically to netinfo@garnet.Berkeley.EDU.
+
+
+Operational Characteristics
+
+The POP Transaction Cycle
+
+The Berkeley POP server is a single program (called popper) that is
+launched by inetd when it gets a service request on the POP TCP port.
+(The official port number specified in RFC 1081 for POP version 3 is
+port 110.  However, some POP3 clients attempt to contact the server at
+port 109, the POP version 2 port.  Unless you are running both POP2 and
+POP3 servers, you can simply define both ports for use by the POP3
+server.  This is explained in the installation instructions later on.)
+The popper program initializes and verifies that the peer IP address is
+registered in the local domain, logging a warning message when a
+connection is made to a client whose IP address does not have a
+canonical name.  For systems using BSD 4.3 bind, it also checks to see
+if a cannonical name lookup for the client returns the same peer IP
+address, logging a warning message if it does not.  The the server
+enters the authorization state, during which the client must correctly
+identify itself by providing a valid Unix userid and password on the
+server's host machine.  No other exchanges are allowed during this
+state (other than a request to quit.)  If authentication fails, a
+warning message is logged and the session ends.  Once the user is
+identified, popper changes its user and group ids to match that of the
+user and enters the transaction state.  The server makes a temporary
+copy of the user's maildrop (ordinarily in /usr/spool/mail) which is
+used for all subsequent transactions.  These include the bulk of POP
+commands to retrieve mail, delete mail, undelete mail, and so forth.  A
+Berkeley extension also allows the user to submit a mail parcel to the
+server who mails it using the sendmail program (this extension is
+supported in the HyperMail client distributed with the server).  When
+the client quits, the server enters the final update state during which
+the network connection is terminated and the user's maildrop is updated
+with the (possibly) modified temporary maildrop.
+
+
+Logging
+
+The POP server uses syslog to keep a record of its activities.  On
+systems with BSD 4.3 syslogging, the server logs (by default) to the
+"local0" facility at priority "notice" for all messages except
+debugging which is logged at priority "debug".  The default log file is
+/usr/spool/mqueue/POPlog.  These can be changed, if desired.  On
+systems with 4.2 syslogging all messages are logged to the local log
+file, usually /usr/spool/mqueue/syslog.
+
+Problems
+
+If the filesystem which holds the /usr/spool/mail fills up users will 
+experience difficulties.  The filesystem must have enough space to hold
+(approximately) two copies of the largest mail box.  Popper (v1.81 and
+above) is designed to be robust in the face of this problem, but you may
+end up with a situation where some of the user's mail is in
+
+	/usr/spool/mail/.userid.pop
+
+and some of the mail is in
+
+	/usr/spool/mail/userid
+
+If this happens the System Administrator should clear enough disk space
+so that the filesystem has at least as much free disk as both mailboxes
+hold and probably a little more.  Then the user should initiate a POP
+session, and do nothing but quit.  If the POP session ends without an
+error the user can then use POP or another mail program to clean up his/her
+mailbox.
+
+Alternatively, the System Administrator can combine the two files (but
+popper will do this for you if there is enough disk space).
+
+
+Debugging
+
+The popper program will log debugging information when the -d parameter
+is specified after its invocation in the inetd.conf file.  Care should
+be exercised in using this option since it generates considerable
+output in the syslog file.  Alternatively, the "-t <file-name>" option
+will place debugging information into file "<file-name>" using fprintf
+instead of syslog.  (To enable debugging, you must edit the Makefile
+to add -DDEBUG to the compiler options.)
+
+For SunOS version 3.5, the popper program is launched by inetd from
+/etc/servers.  This file does not allow you to specify command line
+arguments.  Therefore, if you want to enable debugging, you can specify
+a shell script in /etc/servers to be launched instead of popper and in
+this script call popper with the desired arguments.
+
+
+Installation
+
+1.  Examine this file for the latest information, warnings, etc.
+
+2.  Check the Makefile for conformity with your system.
+
+3.  Issue the make command in the directory containing the popper 
+    source.
+
+4.  Issue the make install command in the directory containing the 
+    popper source to copy the program to /usr/etc.
+
+5.  Enable syslogging:
+
+    +   For systems with 4.3 syslogging:
+
+        Add the following line to the /etc/syslog.conf file:
+
+            local0.notice;local0.debug  /usr/spool/mqueue/POPlog
+
+        Create the empty file /usr/spool/mqueue/POPlog.
+
+        Kill and restart the syslogd daemon.
+
+    +   For systems with 4.2 syslogging:
+
+        Be sure that you are logging messages of priority 7 and higher.  
+        For example:
+
+            7/usr/spool/mqueue/syslog
+            9/dev/null
+
+6.  Update /etc/services:
+
+    Add the following line to the /etc/services file:
+
+        pop 110/tcp
+
+    Note:  This is the official port number for version 3 of the
+    Post Office Protocol as defined in RFC 1081.  However, some
+    POP3 clients use port 109, the port number for the previous
+    version (2) of POP.  Therefore you may also want to add the
+    following line to the /etc/services file:
+
+    pop2    109/tcp
+
+    For Sun systems running yp, also do the following:
+
+    +   Change to the /var/yp directory.
+
+    +   Issue the make services command.
+
+7.  Update the inetd daemon configuration.  Include the second line ONLY if you
+    are running the server at both ports.
+
+    +   On BSD 4.3 and SunOS 4.0 systems, add the following line to the 
+        /etc/inetd.conf file:
+
+        pop stream tcp nowait root /usr/etc/popper popper
+        pop2 stream tcp nowait root /usr/etc/popper popper
+
+    +   On Ultrix systems, add the following line to the 
+        /etc/inetd.conf file:
+
+        pop stream tcp nowait /usr/etc/popper popper
+        pop2 stream tcp nowait /usr/etc/popper popper
+
+    +   On SunOS 3.5 systems, add the following line to the 
+        /etc/servers file:
+
+        pop tcp /usr/etc/popper
+        pop2 tcp /usr/etc/popper
+
+        Kill and restart the inetd daemon.
+
+You can confirm that the POP server is running on Unix by telneting to
+port 110 (or 109 if you set it up that way).  For example:
+
+%telnet myhost 110
+Trying...
+Connected to myhost.berkeley.edu.
+Escape character is '^]'.
++OK UCB Pop server (version 1.6) at myhost starting.
+quit
+Connection closed by foreign host.
+
+
+Release Notes
+
+1.83    Make sure that everything we do as root is non-destructive.
+
+1.82	Make the /usr/spool/mail/.userid.pop file owned by the user rather
+	than owned by root.
+
+1.81	There were two versions of 1.7 floating around, 1.7b4 and 1.7b5.
+	The difference is that 1.7b5 attempted to save disk space on 
+	/usr/spool/mail by deleting the users permanent maildrop after
+	making the temporary copy.  Unfortunately, if compiled with 
+	-DDEBUG, this version could easily wipe out a users' mail file.
+	This is now fixed.
+
+	This version also fixes a security hole for systems that have
+	/usr/spool/mail writeable by all users.
+
+	With this version we go to all new SCCS IDs for all files.  This
+	is unfortunate, and we hope it is not too much of a problem.
+
+	Thanks to Steve Dorner of UIUC for pointing out the major problem.
+
+1.7     Extensive re-write of the maildrop processing code contributed by 
+        Viktor Dukhovni <viktor@math.princeton.edu> that greatly reduces the
+        possibility that the maildrop can be corrupted as the result of
+        simultaneous access by two or more processes.
+
+        Added "pop_dropcopy" module to create a temporary maildrop from
+        the existing, standard maildrop as root before the setuid and 
+        setgid for the user is done.  This allows the temporary maildrop
+        to be created in a mail spool area that is not world read-writable.
+
+        This version does *not* send the sendmail "From " delimiter line
+        in response to a TOP or RETR command.
+
+        Encased all debugging code in #ifdef DEBUG constructs.  This code can
+        be included by specifying the DEGUG compiler flag.  Note:  You still
+        need to use the -d or -t option to obtain debugging output.
+
+1.6     Corrects a bug that causes the server to crash on SunOS
+        4.0 systems.
+
+        Uses varargs and vsprintf (if available) in pop_log and
+        pop_msg.  This is enabled by the "HAVE_VSPRINTF"
+        compiler flag.
+
+        For systems with BSD 4.3 bind, performs a cannonical
+        name lookup and searches the returned address(es) for
+        the client's address, logging a warning message if it
+        is not located.  This is enabled by the "BIND43"
+        comiler flag.
+
+        Removed all the includes from popper.h and distributed
+        them throughout the porgrams files, as needed.
+
+        Reformatted the source to convert tabs to spaces and
+        shorten lines for display on 80-column terminals.
+
+1.5     Creates the temporary maildrop with mode "600" and
+        immediately unlinks it.
+
+        Uses client's IP address in lieu of a canonical name if
+        the latter cannot be obtained.
+
+        Added "-t <file-name>" option.  The presence of this
+        option causes debugging output to be placed in the file
+        "file-name" using fprintf instead of the system log
+        file using syslog.
+
+        Corrected maildrop parsing problem.
+
+1.4     Copies user's mail into a temporary maildrop on which
+        all subsequent activity is performed.
+
+        Added "pop_log" function and replaced "syslog" calls
+        throughout the code with it.
+
+1.3     Corrected updating of Status: header line.
+
+        Added strncasecmp for systems that do not have one.
+        Used strncasecmp in all appropriate places.  This is
+        enabled by the STRNCASECMP compiler flag.
+
+1.2     Support for version 4.2 syslogging added.  This is
+        enabled by the SYSLOG42 compiler flag.
+
+1.1     Several bugs fixed.
+
+1.0     Original version.
+
+
+Limitations
+
++   The POP server copies the user's entire maildrop to /tmp and
+    then operates on that copy.  If the maildrop is particularly
+    large, or inadequate space is available in /tmp, then the
+    server will refuse to continue and terminate the connection.
+
++   Simultaneous modification of a single maildrop can result in 
+    confusing results.  For example, manipulating messages in a
+    maildrop using the Unix /usr/ucb/mail command while a copy of
+    it is being processed by the POP server can cause the changes
+    made by one program to be lost when the other terminates.  This
+    problem is being worked on and will be fixed in a later
+    release.
+
+
+Credits
+
+The POP server was written by Edward Moy and Austin Shelton with
+contributions from Robert Campbell (U.C. Berkeley) and Viktor Dukhovni
+(Princeton University).  Edward Moy wrote the HyperMail stack and drew
+the POP operation diagram.  This installation guide was written by
+Austin Shelton.
+
+
+Footnotes
+
+[1] Copyright (c) 1990 Regents of the University of California.
+    All rights reserved.  The Berkeley software License Agreement
+    specifies the terms and conditions for redistribution.  Unix is
+    a registered trademark of AT&T corporation.  HyperCard and
+    Macintosh are registered trademarks of Apple Corporation.
+
+[2] M. Rose, Post Office Protocol - Version 3.  RFC  1081, NIC, 
+    November 1988.
+
+[3] M. Rose, Post Office Protocol - Version 3 Extended Service 
+    Offerings.  RFC 1082, NIC, November 1988.
diff --git a/crypto/heimdal/appl/popper/README-FIRST b/crypto/heimdal/appl/popper/README-FIRST
new file mode 100644
index 0000000..3d78fb6
--- /dev/null
+++ b/crypto/heimdal/appl/popper/README-FIRST
@@ -0,0 +1,11 @@
+This kerberized popper was based on popper-1.831beta
+which was later announced as "offical" and not beta.
+
+This program is able to talk both the pop3 and the kpop3 protocol.
+
+Please note that the server principal is pop.hostname and not
+rcmd.hostname. I.e an additional entry is needed in your mailhub's
+/etc/srvtab. Use ksrvutil to add the extra prinicpal.
+
+The server is usually started from inetd and there is already an entry
+for that in inetd.conf.changes.
diff --git a/crypto/heimdal/appl/popper/README-KRB4 b/crypto/heimdal/appl/popper/README-KRB4
new file mode 100644
index 0000000..f029cf9
--- /dev/null
+++ b/crypto/heimdal/appl/popper/README-KRB4
@@ -0,0 +1,3 @@
+Define KERBEROS if you want support for Kerberos V4 style
+authentification, then you will be able to start a kerberise pop with
+the `-k' flag.
diff --git a/crypto/heimdal/appl/popper/maildir.c b/crypto/heimdal/appl/popper/maildir.c
new file mode 100644
index 0000000..4c9a441
--- /dev/null
+++ b/crypto/heimdal/appl/popper/maildir.c
@@ -0,0 +1,216 @@
+/*
+ * Copyright (c) 1998 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden). 
+ * All rights reserved. 
+ *
+ * Redistribution and use in source and binary forms, with or without 
+ * modification, are permitted provided that the following conditions 
+ * are met: 
+ *
+ * 1. Redistributions of source code must retain the above copyright 
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright 
+ *    notice, this list of conditions and the following disclaimer in the 
+ *    documentation and/or other materials provided with the distribution. 
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors 
+ *    may be used to endorse or promote products derived from this software 
+ *    without specific prior written permission. 
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
+ * SUCH DAMAGE. 
+ */
+
+#include <popper.h>
+#include <dirent.h>
+RCSID("$Id: maildir.c,v 1.5 1999/12/02 16:58:33 joda Exp $");
+
+static void
+make_path(POP *p, MsgInfoList *mp, int new, char *buf, size_t len)
+{
+    snprintf(buf, len, "%s/%s%s%s", p->drop_name, 
+	     new ? "new" : "cur", mp ? "/" : "", mp ? mp->name : "");
+}
+
+static int
+scan_file(POP *p, MsgInfoList *mp)
+{
+    char path[MAXDROPLEN];
+    FILE *f;
+    char buf[1024];
+    int eoh = 0;
+
+    make_path(p, mp, mp->flags & NEW_FLAG, path, sizeof(path));
+    f = fopen(path, "r");
+
+    if(f == NULL) {
+#ifdef DEBUG
+	if(p->debug)
+	    pop_log(p, POP_DEBUG, 
+		    "Failed to open message file `%s': %s", 
+		    path, strerror(errno));
+#endif
+	return pop_msg (p, POP_FAILURE,
+			"Failed to open message file `%s'", path);
+    }
+    while(fgets(buf, sizeof(buf), f)) {
+	if(buf[strlen(buf) - 1] == '\n')
+	    mp->lines++;
+	mp->length += strlen(buf);
+	if(eoh)
+	    continue;
+	if(strcmp(buf, "\n") == 0)
+	    eoh = 1;
+	parse_header(mp, buf);
+    }
+    fclose(f);
+    return add_missing_headers(p, mp);
+}
+
+static int
+scan_dir(POP *p, int new)
+{
+    char tmp[MAXDROPLEN];
+    DIR *dir;
+    struct dirent *dent;
+    MsgInfoList *mp = p->mlp;
+    int n_mp = p->msg_count;
+    int e;
+
+    make_path(p, NULL, new, tmp, sizeof(tmp));
+    mkdir(tmp, 0700);
+    dir = opendir(tmp);
+    while((dent = readdir(dir)) != NULL) {
+	if(strcmp(dent->d_name, ".") == 0 || strcmp(dent->d_name, "..") == 0)
+	    continue;
+	mp = realloc(mp, (n_mp + 1) * sizeof(*mp));
+	if(mp == NULL) {
+	    p->msg_count = 0;
+	    return pop_msg (p, POP_FAILURE,
+			    "Can't build message list for '%s': Out of memory",
+                            p->user);
+	}
+	memset(mp + n_mp, 0, sizeof(*mp));
+	mp[n_mp].name = strdup(dent->d_name);
+	if(mp[n_mp].name == NULL) {
+	    p->msg_count = 0;
+	    return pop_msg (p, POP_FAILURE,
+			    "Can't build message list for '%s': Out of memory",
+                            p->user);
+	}
+	mp[n_mp].number = n_mp + 1;
+	mp[n_mp].flags = 0;
+	if(new)
+	    mp[n_mp].flags |= NEW_FLAG;
+	e = scan_file(p, &mp[n_mp]);
+	if(e != POP_SUCCESS)
+	    return e;
+        p->drop_size += mp[n_mp].length;
+	n_mp++;
+    }
+    closedir(dir);
+    p->mlp = mp;
+    p->msg_count = n_mp;
+    return POP_SUCCESS;
+}
+
+int
+pop_maildir_info(POP *p)
+{
+    int e;
+    
+    p->temp_drop[0] = '\0';
+    p->mlp = NULL;
+    p->msg_count = 0;
+
+    e = scan_dir(p, 0);
+    if(e != POP_SUCCESS) return e;
+
+    e = scan_dir(p, 1);
+    if(e != POP_SUCCESS) return e;
+    return POP_SUCCESS;
+}
+
+int
+pop_maildir_update(POP *p)
+{
+    int i;
+    char tmp1[MAXDROPLEN], tmp2[MAXDROPLEN];
+    for(i = 0; i < p->msg_count; i++) {
+	make_path(p, &p->mlp[i], p->mlp[i].flags & NEW_FLAG, 
+		  tmp1, sizeof(tmp1));
+	if(p->mlp[i].flags & DEL_FLAG) {
+#ifdef DEBUG
+	    if(p->debug)
+		pop_log(p, POP_DEBUG, "Removing `%s'", tmp1);
+#endif
+	    if(unlink(tmp1) < 0) {
+#ifdef DEBUG
+		if(p->debug)
+		    pop_log(p, POP_DEBUG, "Failed to remove `%s': %s", 
+			    tmp1, strerror(errno));
+#endif
+		/* return failure? */
+	    }
+	} else if((p->mlp[i].flags & NEW_FLAG) && 
+		  (p->mlp[i].flags & RETR_FLAG)) {
+	    make_path(p, &p->mlp[i], 0, tmp2, sizeof(tmp2));
+#ifdef DEBUG
+	    if(p->debug)
+		pop_log(p, POP_DEBUG, "Linking `%s' to `%s'", tmp1, tmp2);
+#endif
+	    if(link(tmp1, tmp2) == 0) {
+#ifdef DEBUG
+		if(p->debug)
+		    pop_log(p, POP_DEBUG, "Removing `%s'", tmp1);
+#endif
+		if(unlink(tmp1) < 0) {
+#ifdef DEBUG
+		    if(p->debug)
+			pop_log(p, POP_DEBUG, "Failed to remove `%s'", tmp1);
+#endif
+		    /* return failure? */
+		}
+	    } else {
+		if(errno == EXDEV) {
+#ifdef DEBUG
+		    if(p->debug)
+			pop_log(p, POP_DEBUG, "Trying to rename `%s' to `%s'", 
+				tmp1, tmp2);
+#endif
+		    if(rename(tmp1, tmp2) < 0) {
+#ifdef DEBUG
+		    if(p->debug)
+			pop_log(p, POP_DEBUG, "Failed to rename `%s' to `%s'", 
+				tmp1, tmp2);
+#endif
+		    }
+		}
+	    }
+	}
+    }
+    return(pop_quit(p));
+}
+
+int
+pop_maildir_open(POP *p, MsgInfoList *mp)
+{
+    char tmp[MAXDROPLEN];
+    make_path(p, mp, mp->flags & NEW_FLAG, tmp, sizeof(tmp));
+    if(p->drop)
+	fclose(p->drop);
+    p->drop = fopen(tmp, "r");
+    if(p->drop == NULL)
+	return pop_msg(p, POP_FAILURE, "Failed to open message file");
+    return POP_SUCCESS;
+}
diff --git a/crypto/heimdal/appl/popper/pop3.rfc1081 b/crypto/heimdal/appl/popper/pop3.rfc1081
new file mode 100644
index 0000000..08ea6dd
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop3.rfc1081
@@ -0,0 +1,898 @@
+
+
+
+
+
+
+Network Working Group                                            M. Rose
+Request for Comments: 1081                                           TWG
+                                                           November 1988
+
+                    Post Office Protocol - Version 3
+
+
+Status of this Memo
+
+   This memo suggests a simple method for workstations to dynamically
+   access mail from a mailbox server.  This RFC specifies a proposed
+   protocol for the Internet community, and requests discussion and
+   suggestions for improvements.  Distribution of this memo is
+   unlimited.
+
+   This memo is based on RFC 918 (since revised as RFC 937).  Although
+   similar in form to the original Post Office Protocol (POP) proposed
+   for the Internet community, the protocol discussed in this memo is
+   similar in spirit to the ideas investigated by the MZnet project at
+   the University of California, Irvine.
+
+   Further, substantial work was done on examining POP in a PC-based
+   environment.  This work, which resulted in additional functionality
+   in this protocol, was performed by the ACIS Networking Systems Group
+   at Stanford University.  The author gratefully acknowledges their
+   interest.
+
+Introduction
+
+   On certain types of smaller nodes in the Internet it is often
+   impractical to maintain a message transport system (MTS).  For
+   example, a workstation may not have sufficient resources (cycles,
+   disk space) in order to permit a SMTP server and associated local
+   mail delivery system to be kept resident and continuously running.
+   Similarly, it may be expensive (or impossible) to keep a personal
+   computer interconnected to an IP-style network for long amounts of
+   time (the node is lacking the resource known as "connectivity").
+
+   Despite this, it is often very useful to be able to manage mail on
+   these smaller nodes, and they often support a user agent (UA) to aid
+   the tasks of mail handling.  To solve this problem, a node which can
+   support an MTS entity offers a maildrop service to these less endowed
+   nodes.  The Post Office Protocol - Version 3 (POP3) is intended to
+   permit a workstation to dynamically access a maildrop on a server
+   host in a useful fashion.  Usually, this means that the POP3 is used
+   to allow a workstation to retrieve mail that the server is holding
+   for it.
+
+
+
+
+Rose                                                            [Page 1]
+
+RFC 1081                          POP3                     November 1988
+
+
+   For the remainder of this memo, the term "client host" refers to a
+   host making use of the POP3 service, while the term "server host"
+   refers to a host which offers the POP3 service.
+
+A Short Digression
+
+   This memo does not specify how a client host enters mail into the
+   transport system, although a method consistent with the philosophy of
+   this memo is presented here:
+
+      When the user agent on a client host wishes to enter a message
+      into the transport system, it establishes an SMTP connection to
+      its relay host (this relay host could be, but need not be, the
+      POP3 server host for the client host).
+
+   If this method is followed, then the client host appears to the MTS
+   as a user agent, and should NOT be regarded as a "trusted" MTS entity
+   in any sense whatsoever.  This concept, along with the role of the
+   POP3 as a part of a split-UA model is discussed later in this memo.
+
+   Initially, the server host starts the POP3 service by listening on
+   TCP port 110.  When a client host wishes to make use of the service,
+   it establishes a TCP connection with the server host.  When the
+   connection is established, the POP3 server sends a greeting.  The
+   client and POP3 server then exchange commands and responses
+   (respectively) until the connection is closed or aborted.
+
+   Commands in the POP3 consist of a keyword possibly followed by an
+   argument.  All commands are terminated by a CRLF pair.
+
+   Responses in the POP3 consist of a success indicator and a keyword
+   possibly followed by additional information.  All responses are
+   terminated by a CRLF pair.  There are currently two success
+   indicators: positive ("+OK") and negative ("-ERR").
+
+   Responses to certain commands are multi-line.  In these cases, which
+   are clearly indicated below, after sending the first line of the
+   response and a CRLF, any additional lines are sent, each terminated
+   by a CRLF pair.  When all lines of the response have been sent, a
+   final line is sent, consisting of a termination octet (decimal code
+   046, ".") and a CRLF pair.  If any line of the multi-line response
+   begins with the termination octet, the line is "byte-stuffed" by
+   pre-pending the termination octet to that line of the response.
+   Hence a multi-line response is terminated with the five octets
+   "CRLF.CRLF".  When examining a multi-line response, the client checks
+   to see if the line begins with the termination octet.  If so and if
+   octets other than CRLF follow, the the first octet of the line (the
+   termination octet) is stripped away.  If so and if CRLF immediately
+
+
+
+Rose                                                            [Page 2]
+
+RFC 1081                          POP3                     November 1988
+
+
+   follows the termination character, then the response from the POP
+   server is ended and the line containing ".CRLF" is not considered
+   part of the multi-line response.
+
+   A POP3 session progresses through a number of states during its
+   lifetime.  Once the TCP connection has been opened and the POP3
+   server has sent the greeting, the session enters the AUTHORIZATION
+   state.  In this state, the client must identify itself to the POP3
+   server.  Once the client has successfully done this, the server
+   acquires resources associated with the client's maildrop, and the
+   session enters the TRANSACTION state.  In this state, the client
+   requests actions on the part of the POP3 server.  When the client has
+   finished its transactions, the session enters the UPDATE state.  In
+   this state, the POP3 server releases any resources acquired during
+   the TRANSACTION state and says goodbye.  The TCP connection is then
+   closed.
+
+The AUTHORIZATION State
+
+   Once the TCP connection has been opened by a POP3 client, the POP3
+   server issues a one line greeting.  This can be any string terminated
+   by CRLF.  An example might be:
+
+      S.  +OK dewey POP3 server ready (Comments to: PostMaster@UDEL.EDU)
+
+   Note that this greeting is a POP3 reply.  The POP3 server should
+   always give a positive response as the greeting.
+
+   The POP3 session is now in the AUTHORIZATION state.  The client must
+   now issue the USER command.  If the POP3 server responds with a
+   positive success indicator ("+OK"), then the client may issue either
+   the PASS command to complete the authorization, or the QUIT command
+   to terminate the POP3 session.  If the POP3 server responds with a
+   negative success indicator ("-ERR") to the USER command, then the
+   client may either issue a new USER command or may issue the QUIT
+   command.
+
+   When the client issues the PASS command, the POP3 server uses the
+   argument pair from the USER and PASS commands to determine if the
+   client should be given access to the appropriate maildrop.  If so,
+   the POP3 server then acquires an exclusive-access lock on the
+   maildrop.  If the lock is successfully acquired, the POP3 server
+   parses the maildrop into individual messages (read note below),
+   determines the last message (if any) present in the maildrop that was
+   referenced by the RETR command, and responds with a positive success
+   indicator.  The POP3 session now enters the TRANSACTION state.  If
+   the lock can not be acquired or the client should is denied access to
+   the appropriate maildrop or the maildrop can't be parsed for some
+
+
+
+Rose                                                            [Page 3]
+
+RFC 1081                          POP3                     November 1988
+
+
+   reason, the POP3 server responds with a negative success indicator.
+   (If a lock was acquired but the POP3 server intends to respond with a
+   negative success indicator, the POP3 server must release the lock
+   prior to rejecting the command.)  At this point, the client may
+   either issue a new USER command and start again, or the client may
+   issue the QUIT command.
+
+                 NOTE: Minimal implementations of the POP3 need only be
+                 able to break a maildrop into its component messages;
+                 they need NOT be able to parse individual messages.
+                 More advanced implementations may wish to have this
+                 capability, for reasons discussed later.
+
+   After the POP3 server has parsed the maildrop into individual
+   messages, it assigns a message-id to each message, and notes the size
+   of the message in octets.  The first message in the maildrop is
+   assigned a message-id of "1", the second is assigned "2", and so on,
+   so that the n'th message in a maildrop is assigned a message-id of
+   "n".  In POP3 commands and responses, all message-id's and message
+   sizes are expressed in base-10 (i.e., decimal).
+
+   It sets the "highest number accessed" to be that of the last message
+   referenced by the RETR command.
+
+   Here are summaries for the three POP3 commands discussed thus far:
+
+           USER name
+               Arguments: a server specific user-id (required)
+               Restrictions: may only be given in the AUTHORIZATION
+                   state after the POP3 greeting or after an
+                   unsuccessful USER or PASS command
+               Possible Responses:
+                   +OK name is welcome here
+                   -ERR never heard of name
+               Examples:
+                   C:    USER mrose
+                   S:    +OK mrose is a real hoopy frood
+                     ...
+                   C:    USER frated
+                   S:    -ERR sorry, frated doesn't get his mail here
+
+           PASS string
+               Arguments: a server/user-id specific password (required)
+               Restrictions: may only be given in the AUTHORIZATION
+                   state after a successful USER command
+               Possible Responses:
+                   +OK maildrop locked and ready
+                   -ERR invalid password
+
+
+
+Rose                                                            [Page 4]
+
+RFC 1081                          POP3                     November 1988
+
+
+                   -ERR unable to lock maildrop
+               Examples:
+                   C:    USER mrose
+                   S:    +OK mrose is a real hoopy frood
+                   C:    PASS secret
+                   S:    +OK mrose's maildrop has 2 messages
+                         (320 octets)
+                     ...
+                   C:    USER mrose
+                   S:    +OK mrose is a real hoopy frood
+                   C:    PASS secret
+                   S:    -ERR unable to lock mrose's maildrop, file
+                         already locked
+
+           QUIT
+               Arguments: none
+               Restrictions: none
+               Possible Responses:
+                   +OK
+               Examples:
+                   C:    QUIT
+                   S:    +OK dewey POP3 server signing off
+
+
+The TRANSACTION State
+
+   Once the client has successfully identified itself to the POP3 server
+   and the POP3 server has locked and burst the appropriate maildrop,
+   the POP3 session is now in the TRANSACTION state.  The client may now
+   issue any of the following POP3 commands repeatedly.  After each
+   command, the POP3 server issues a response.  Eventually, the client
+   issues the QUIT command and the POP3 session enters the UPDATE state.
+
+   Here are the POP3 commands valid in the TRANSACTION state:
+
+           STAT
+               Arguments: none
+               Restrictions: may only be given in the TRANSACTION state.
+               Discussion:
+
+                 The POP3 server issues a positive response with a line
+                 containing information for the maildrop.  This line is
+                 called a "drop listing" for that maildrop.
+
+                 In order to simplify parsing, all POP3 servers are
+                 required to use a certain format for drop listings.
+                 The first octets present must indicate the number of
+                 messages in the maildrop.  Following this is the size
+
+
+
+Rose                                                            [Page 5]
+
+RFC 1081                          POP3                     November 1988
+
+
+                 of the maildrop in octets.  This memo makes no
+                 requirement on what follows the maildrop size.
+                 Minimal implementations should just end that line of
+                 the response with a CRLF pair.  More advanced
+                 implementations may include other information.
+
+                      NOTE: This memo STRONGLY discourages
+                      implementations from supplying additional
+                      information in the drop listing.  Other,
+                      optional, facilities are discussed later on
+                      which permit the client to parse the messages
+                      in the maildrop.
+
+                 Note that messages marked as deleted are not counted in
+                 either total.
+
+               Possible Responses:
+                   +OK nn mm
+               Examples:
+                   C:    STAT
+                   S:    +OK 2 320
+
+           LIST [msg]
+               Arguments: a message-id (optionally)  If a message-id is
+                   given, it may NOT refer to a message marked as
+                   deleted.
+               Restrictions: may only be given in the TRANSACTION state.
+               Discussion:
+
+                 If an argument was given and the POP3 server issues a
+                 positive response with a line containing information
+                 for that message.  This line is called a "scan listing"
+                 for that message.
+
+                 If no argument was given and the POP3 server issues a
+                 positive response, then the response given is
+                 multi-line.  After the initial +OK, for each message
+                 in the maildrop, the POP3 server responds with a line
+                 containing information for that message.  This line
+                 is called a "scan listing" for that message.
+
+                 In order to simplify parsing, all POP3 servers are
+                 required to use a certain format for scan listings.
+                 The first octets present must be the message-id of
+                 the message.  Following the message-id is the size of
+                 the message in octets.  This memo makes no requirement
+                 on what follows the message size in the scan listing.
+                 Minimal implementations should just end that line of
+
+
+
+Rose                                                            [Page 6]
+
+RFC 1081                          POP3                     November 1988
+
+
+                 the response with a CRLF pair.  More advanced
+                 implementations may include other information, as
+                 parsed from the message.
+
+                      NOTE: This memo STRONGLY discourages
+                      implementations from supplying additional
+                      information in the scan listing.  Other, optional,
+                      facilities are discussed later on which permit
+                      the client to parse the messages in the maildrop.
+
+                 Note that messages marked as deleted are not listed.
+
+               Possible Responses:
+                   +OK scan listing follows
+                   -ERR no such message
+               Examples:
+                   C:    LIST
+                   S:    +OK 2 messages (320 octets)
+                   S:    1 120
+                   S:    2 200
+                   S:    .
+                     ...
+                   C:    LIST 2
+                   S:    +OK 2 200
+                     ...
+                   C:    LIST 3
+                   S:    -ERR no such message, only 2 messages in
+                         maildrop
+
+           RETR msg
+               Arguments: a message-id (required)  This message-id may
+                   NOT refer to a message marked as deleted.
+               Restrictions: may only be given in the TRANSACTION state.
+               Discussion:
+
+                 If the POP3 server issues a positive response, then the
+                 response given is multi-line.  After the initial +OK,
+                 the POP3 server sends the message corresponding to the
+                 given message-id, being careful to byte-stuff the
+                 termination character (as with all multi-line
+                 responses).
+
+                 If the number associated with this message is higher
+                 than the "highest number accessed" in the maildrop, the
+                 POP3 server updates the "highest number accessed" to
+                 the number associated with this message.
+
+
+
+
+
+Rose                                                            [Page 7]
+
+RFC 1081                          POP3                     November 1988
+
+
+               Possible Responses:
+                   +OK message follows
+                   -ERR no such message
+               Examples:
+                   C:    RETR 1
+                   S:    +OK 120 octets
+                   S:    <the POP3 server sends the entire message here>
+                   S:    .
+
+           DELE msg
+               Arguments: a message-id (required)  This message-id
+                   may NOT refer to a message marked as deleted.
+               Restrictions: may only be given in the TRANSACTION state.
+               Discussion:
+
+                 The POP3 server marks the message as deleted.  Any
+                 future reference to the message-id associated with the
+                 message in a POP3 command generates an error.  The POP3
+                 server does not actually delete the message until the
+                 POP3 session enters the UPDATE state.
+
+                 If the number associated with this message is higher
+                 than the "highest number accessed" in the maildrop,
+                 the POP3 server updates the "highest number accessed"
+                 to the number associated with this message.
+
+               Possible Responses:
+                   +OK message deleted
+                   -ERR no such message
+               Examples:
+                   C:    DELE 1
+                   S:    +OK message 1 deleted
+                     ...
+                   C:    DELE 2
+                   S:    -ERR message 2 already deleted
+
+           NOOP
+               Arguments: none
+               Restrictions: may only be given in the TRANSACTION state.
+               Discussion:
+
+                 The POP3 server does nothing, it merely replies with a
+                 positive response.
+
+               Possible Responses:
+                   +OK
+
+
+
+
+
+Rose                                                            [Page 8]
+
+RFC 1081                          POP3                     November 1988
+
+
+               Examples:
+                   C:    NOOP
+                   S:    +OK
+
+           LAST
+               Arguments: none
+               Restrictions: may only be issued in the TRANSACTION state.
+               Discussion:
+
+                 The POP3 server issues a positive response with a line
+                 containing the highest message number which accessed.
+                 Zero is returned in case no message in the maildrop has
+                 been accessed during previous transactions.  A client
+                 may thereafter infer that messages, if any, numbered
+                 greater than the response to the LAST command are
+                 messages not yet accessed by the client.
+
+             Possible Response:
+                   +OK nn
+
+             Examples:
+                   C:      STAT
+                   S:      +OK 4 320
+                   C:      LAST
+                   S:      +OK 1
+                   C:      RETR 3
+                   S:      +OK 120 octets
+                   S:      <the POP3 server sends the entire message
+                           here>
+                   S:      .
+                   C:      LAST
+                   S:      +OK 3
+                   C:      DELE 2
+                   S:      +OK message 2 deleted
+                   C:      LAST
+                   S:      +OK 3
+                   C:      RSET
+                   S:      +OK
+                   C:      LAST
+                   S:      +OK 1
+
+           RSET
+               Arguments: none
+               Restrictions: may only be given in the TRANSACTION
+                   state.
+               Discussion:
+
+                 If any messages have been marked as deleted by the POP3
+
+
+
+Rose                                                            [Page 9]
+
+RFC 1081                          POP3                     November 1988
+
+
+                 server, they are unmarked.  The POP3 server then
+                 replies with a positive response.  In addition, the
+                 "highest number accessed" is also reset to the value
+                 determined at the beginning of the POP3 session.
+
+               Possible Responses:
+                   +OK
+               Examples:
+                   C:    RSET
+                   S:    +OK maildrop has 2 messages (320 octets)
+
+
+
+The UPDATE State
+
+   When the client issues the QUIT command from the TRANSACTION state,
+   the POP3 session enters the UPDATE state.  (Note that if the client
+   issues the QUIT command from the AUTHORIZATION state, the POP3
+   session terminates but does NOT enter the UPDATE state.)
+
+           QUIT
+               Arguments: none
+               Restrictions: none
+               Discussion:
+
+                 The POP3 server removes all messages marked as deleted
+                 from the maildrop.  It then releases the
+                 exclusive-access lock on the maildrop and replies as
+                 to the success of
+                 these operations.  The TCP connection is then closed.
+
+               Possible Responses:
+                   +OK
+               Examples:
+                   C:    QUIT
+                   S:    +OK dewey POP3 server signing off (maildrop
+                         empty)
+                     ...
+                   C:    QUIT
+                   S:    +OK dewey POP3 server signing off (2 messages
+                         left)
+                     ...
+
+
+Optional POP3 Commands
+
+   The POP3 commands discussed above must be supported by all minimal
+   implementations of POP3 servers.
+
+
+
+Rose                                                           [Page 10]
+
+RFC 1081                          POP3                     November 1988
+
+
+   The optional POP3 commands described below permit a POP3 client
+   greater freedom in message handling, while preserving a simple POP3
+   server implementation.
+
+                 NOTE: This memo STRONGLY encourages implementations to
+                 support these commands in lieu of developing augmented
+                 drop and scan listings.  In short, the philosophy of
+                 this memo is to put intelligence in the part of the
+                 POP3 client and not the POP3 server.
+
+           TOP msg n
+               Arguments: a message-id (required) and a number.  This
+                   message-id may NOT refer to a message marked as
+                   deleted.
+               Restrictions: may only be given in the TRANSACTION state.
+               Discussion:
+
+                 If the POP3 server issues a positive response, then
+                 the response given is multi-line.  After the initial
+                 +OK, the POP3 server sends the headers of the message,
+                 the blank line separating the headers from the body,
+                 and then the number of lines indicated message's body,
+                 being careful to byte-stuff the termination character
+                 (as with all multi-line responses).
+
+                 Note that if the number of lines requested by the POP3
+                 client is greater than than the number of lines in the
+                 body, then the POP3 server sends the entire message.
+
+               Possible Responses:
+                   +OK top of message follows
+                   -ERR no such message
+               Examples:
+                   C:    TOP 10
+                   S:    +OK
+                   S:    <the POP3 server sends the headers of the
+                          message, a blank line, and the first 10 lines
+                          of the body of the message>
+                   S:    .
+                     ...
+                   C:    TOP 100
+                   S:    -ERR no such message
+
+           RPOP user
+               Arguments: a client specific user-id (required)
+               Restrictions: may only be given in the AUTHORIZATION
+                   state after a successful USER command; in addition,
+                   may only be given if the client used a reserved
+
+
+
+Rose                                                           [Page 11]
+
+RFC 1081                          POP3                     November 1988
+
+
+                   (privileged) TCP port to connect to the server.
+               Discussion:
+
+                 The RPOP command may be used instead of the PASS
+                 command to authenticate access to the maildrop.  In
+                 order for this command to be successful, the POP3
+                 client must use a reserved TCP port (port < 1024) to
+                 connect tothe server.  The POP3 server uses the
+                 argument pair from the USER and RPOP commands to
+                 determine if the client should be given access to
+                 the appropriate maildrop.  Unlike the PASS command
+                 however, the POP3 server considers if the remote user
+                 specified by the RPOP command who resides on the POP3
+                 client host is allowed to access the maildrop for the
+                 user specified by the USER command (e.g., on Berkeley
+                 UNIX, the .rhosts mechanism is used).  With the
+                 exception of this differing in authentication, this
+                 command is identical to the PASS command.
+
+                 Note that the use of this feature has allowed much wider
+                 penetration into numerous hosts on local networks (and
+                 sometimes remote networks) by those who gain illegal
+                 access to computers by guessing passwords or otherwise
+                 breaking into the system.
+
+               Possible Responses:
+                   +OK maildrop locked and ready
+                   -ERR permission denied
+               Examples:
+                   C:    USER mrose
+                   S:    +OK mrose is a real hoopy frood
+                   C:    RPOP mrose
+                   S:    +OK mrose's maildrop has 2 messages (320
+                         octets)
+
+       Minimal POP3 Commands:
+           USER name               valid in the AUTHORIZATION state
+           PASS string
+           QUIT
+
+           STAT                    valid in the TRANSACTION state
+           LIST [msg]
+           RETR msg
+           DELE msg
+           NOOP
+           LAST
+           RSET
+
+
+
+
+Rose                                                           [Page 12]
+
+RFC 1081                          POP3                     November 1988
+
+
+           QUIT                    valid in the UPDATE state
+
+       Optional POP3 Commands:
+           RPOP user               valid in the AUTHORIZATION state
+
+           TOP msg n               valid in the TRANSACTION state
+
+       POP3 Replies:
+           +OK
+           -ERR
+
+       Note that with the exception of the STAT command, the reply given
+       by the POP3 server to any command is significant only to "+OK"
+       and "-ERR".  Any text occurring after this reply may be ignored
+       by the client.
+
+Example POP3 Session
+
+    S: <wait for connection on TCP port 110>
+        ...
+    C: <open connection>
+    S:    +OK dewey POP3 server ready (Comments to: PostMaster@UDEL.EDU)
+    C:    USER mrose
+    S:    +OK mrose is a real hoopy frood
+    C:    PASS secret
+    S:    +OK mrose's maildrop has 2 messages (320 octets)
+    C:    STAT
+    S:    +OK 2 320
+    C:    LIST
+    S:    +OK 2 messages (320 octets)
+    S:    1 120
+    S:    2 200
+    S:    .
+    C:    RETR 1
+    S:    +OK 120 octets
+    S:    <the POP3 server sends message 1>
+    S:    .
+    C:    DELE 1
+    S:    +OK message 1 deleted
+    C:    RETR 2
+    S:    +OK 200 octets
+    S:    <the POP3 server sends message 2>
+    S:    .
+    C:    DELE 2
+    S:    +OK message 2 deleted
+    C:    QUIT
+
+
+
+
+
+Rose                                                           [Page 13]
+
+RFC 1081                          POP3                     November 1988
+
+
+    S:    +OK dewey POP3 server signing off (maildrop empty)
+    C:  <close connection>
+    S:  <wait for next connection>
+
+Message Format
+
+   All messages transmitted during a POP3 session are assumed to conform
+   to the standard for the format of Internet text messages [RFC822].
+
+   It is important to note that the byte count for a message on the
+   server host may differ from the octet count assigned to that message
+   due to local conventions for designating end-of-line.  Usually,
+   during the AUTHORIZATION state of the POP3 session, the POP3 client
+   can calculate the size of each message in octets when it parses the
+   maildrop into messages.  For example, if the POP3 server host
+   internally represents end-of-line as a single character, then the
+   POP3 server simply counts each occurrence of this character in a
+   message as two octets.  Note that lines in the message which start
+   with the termination octet need not be counted twice, since the POP3
+   client will remove all byte-stuffed termination characters when it
+   receives a multi-line response.
+
+The POP and the Split-UA model
+
+   The underlying paradigm in which the POP3 functions is that of a
+   split-UA model.  The POP3 client host, being a remote PC based
+   workstation, acts solely as a client to the message transport system.
+   It does not provide delivery/authentication services to others.
+   Hence, it is acting as a UA, on behalf of the person using the
+   workstation.  Furthermore, the workstation uses SMTP to enter mail
+   into the MTS.
+
+   In this sense, we have two UA functions which interface to the
+   message transport system: Posting (SMTP) and Retrieval (POP3).  The
+   entity which supports this type of environment is called a split-UA
+   (since the user agent is split between two hosts which must
+   interoperate to provide these functions).
+
+                 ASIDE:  Others might term this a remote-UA instead.
+                 There are arguments supporting the use of both terms.
+
+   This memo has explicitly referenced TCP as the underlying transport
+   agent for the POP3.  This need not be the case.  In the MZnet split-
+   UA, for example, personal micro-computer systems are used which do
+   not have IP-style networking capability.  To connect to the POP3
+   server host, a PC establishes a terminal connection using some simple
+   protocol (PhoneNet).  A program on the PC drives the connection,
+   first establishing a login session as a normal user.  The login shell
+
+
+
+Rose                                                           [Page 14]
+
+RFC 1081                          POP3                     November 1988
+
+
+   for this pseudo-user is a program which drives the other half of the
+   terminal protocol and communicates with one of two servers.  Although
+   MZnet can support several PCs, a single pseudo-user login is present
+   on the server host.  The user-id and password for this pseudo-user
+   login is known to all members of MZnet.  Hence, the first action of
+   the login shell, after starting the terminal protocol, is to demand a
+   USER/PASS authorization pair from the PC.  This second level of
+   authorization is used to ascertain who is interacting with the MTS.
+   Although the server host is deemed to support a "trusted" MTS entity,
+   PCs in MZnet are not.  Naturally, the USER/PASS authorization pair
+   for a PC is known only to the owner of the PC (in theory, at least).
+
+   After successfully verifying the identity of the client, a modified
+   SMTP server is started, and the PC posts mail with the server host.
+   After the QUIT command is given to the SMTP server and it terminates,
+   a modified POP3 server is started, and the PC retrieves mail from the
+   server host.  After the QUIT command is given to the POP3 server and
+   it terminates, the login shell for the pseudo-user terminates the
+   terminal protocol and logs the job out.  The PC then closes the
+   terminal connection to the server host.
+
+   The SMTP server used by MZnet is modified in the sense that it knows
+   that it's talking to a user agent and not a "trusted" entity in the
+   message transport system.  Hence, it does performs the validation
+   activities normally performed by an entity in the MTS when it accepts
+   a message from a UA.
+
+   The POP3 server used by MZnet is modified in the sense that it does
+   not require a USER/PASS combination before entering the TRANSACTION
+   state.  The reason for this (of course) is that the PC has already
+   identified itself during the second-level authorization step
+   described above.
+
+                 NOTE: Truth in advertising laws require that the author
+                 of this memo state that MZnet has not actually been
+                 fully implemented.  The concepts presented and proven
+                 by the project led to the notion of the MZnet
+                 split-slot model.  This notion has inspired the
+                 split-UA concept described in this memo, led to the
+                 author's interest in the POP, and heavily influenced
+                 the the description of the POP3 herein.
+
+   In fact, some UAs present in the Internet already support the notion
+   of posting directly to an SMTP server and retrieving mail directly
+   from a POP server, even if the POP server and client resided on the
+   same host!
+
+                 ASIDE: this discussion raises an issue which this memo
+
+
+
+Rose                                                           [Page 15]
+
+RFC 1081                          POP3                     November 1988
+
+
+                 purposedly avoids: how does SMTP know that it's talking
+                 to a "trusted" MTS entity?
+
+References
+
+     [MZnet]   Stefferud, E., J. Sweet, and T. Domae, "MZnet: Mail
+               Service for Personal Micro-Computer Systems",
+               Proceedings, IFIP 6.5 International Conference on
+               Computer Message Systems, Nottingham, U.K., May 1984.
+
+     [RFC821]  Postel, J., "Simple Mail Transfer Protocol",
+               USC/Information Sciences Institute, August 1982.
+
+     [RFC822]  Crocker, D., "Standard for the Format of ARPA-Internet
+               Text Messages", University of Delaware, August 1982.
+
+     [RFC937]  Butler, M., J. Postel, D. Chase, J. Goldberger, and J.
+               Reynolds, "Post Office Protocol - Version 2", RFC 937,
+               USC/Information Sciences Institute, February 1985.
+
+     [RFC1010] Reynolds, J., and J. Postel, "Assigned Numbers", RFC
+               1010, USC/Information Sciences Institute, May 1987.
+
+Author's Address:
+
+
+   Marshall Rose
+   The Wollongong Group
+   1129 San Antonio Rd.
+   Palo Alto, California 94303
+
+   Phone: (415) 962-7100
+
+   Email: MRose@TWG.COM
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rose                                                           [Page 16]
diff --git a/crypto/heimdal/appl/popper/pop3e.rfc1082 b/crypto/heimdal/appl/popper/pop3e.rfc1082
new file mode 100644
index 0000000..ac49448
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop3e.rfc1082
@@ -0,0 +1,619 @@
+
+
+
+
+
+
+Network Working Group                                            M. Rose
+Request for Comments: 1082                                           TWG
+                                                           November 1988
+
+
+
+                    Post Office Protocol - Version 3
+                       Extended Service Offerings
+
+Status of This Memo
+
+   This memo suggests a simple method for workstations to dynamically
+   access mail from a discussion group server, as an extension to an
+   earlier memo which dealt with dynamically accessing mail from a
+   mailbox server using the Post Office Protocol -  Version 3 (POP3).
+   This RFC specifies a proposed protocol for the Internet community,
+   and requests discussion and suggestions for improvements.  All of the
+   extensions described in this memo to the POP3 are OPTIONAL.
+   Distribution of this memo is unlimited.
+
+Introduction and Motivation
+
+   It is assumed that the reader is familiar with RFC 1081 that
+   discusses the Post Office Protocol - Version 3 (POP3) [RFC1081].
+   This memo describes extensions to the POP3 which enhance the service
+   it offers to clients.  This additional service permits a client host
+   to access discussion group mail, which is often kept in a separate
+   spool area, using the general POP3 facilities.
+
+   The next section describes the evolution of discussion groups and the
+   technologies currently used to implement them.  To summarize:
+
+       o An exploder is used to map from a single address to
+       a list of addresses which subscribe to the list, and redirects
+       any subsequent error reports associated with the delivery of
+       each message.  This has two primary advantages:
+             - Subscribers need know only a single address
+             - Responsible parties get the error reports and not
+               the subscribers
+
+
+
+
+
+
+
+
+
+
+
+
+Rose                                                            [Page 1]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+       o Typically, each subscription address is not a person's private
+       maildrop, but a system-wide maildrop, which can be accessed
+       by more than one user.  This has several advantages:
+             - Only a single copy of each message need traverse the
+               net for a given site (which may contain several local
+               hosts).  This conserves bandwidth and cycles.
+             - Only a single copy of each message need reside on each
+               subscribing host.  This conserves disk space.
+             - The private maildrop for each user is not cluttered
+               with discussion group mail.
+
+   Despite this optimization of resources, further economy can be
+   achieved at sites with more than one host.  Typically, sites with
+   more than one host either:
+
+        1.  Replicate discussion group mail on each host.  This
+        results in literally gigabytes of disk space committed to
+        unnecessarily store redundant information.
+
+        2.  Keep discussion group mail on one host and give all users a
+        login on that host (in addition to any other logins they may
+        have).  This is usually a gross inconvenience for users who
+        work on other hosts, or a burden to users who are forced to
+        work on that host.
+
+   As discussed in [RFC1081], the problem of giving workstations dynamic
+   access to mail from a mailbox server has been explored in great
+   detail (originally there was [RFC918], this prompted the author to
+   write [RFC1081], independently of this [RFC918] was upgraded to
+   [RFC937]).  A natural solution to the problem outlined above is to
+   keep discussion group mail on a mailbox server at each site and
+   permit different hosts at that site to employ the POP3 to access
+   discussion group mail.  If implemented properly, this avoids the
+   problems of both strategies outlined above.
+
+        ASIDE:     It might be noted that a good distributed filesystem
+                   could also solve this problem.  Sadly, "good"
+                   distributed filesystems, which do not suffer
+                   unacceptable response time for interactive use, are
+                   few and far between these days!
+
+   Given this motivation, now let's consider discussion groups, both in
+   general and from the point of view of a user agent.  Following this,
+   extensions to the POP3 defined in [RFC1081] are presented.  Finally,
+   some additional policy details are discussed along with some initial
+   experiences.
+
+
+
+
+
+Rose                                                            [Page 2]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+What's in a Discussion Group
+
+   Since mailers and user agents first crawled out of the primordial
+   ARPAnet, the value of discussion groups have been appreciated,
+   (though their implementation has not always been well-understood).
+
+   Described simply, a discussion group is composed of a number of
+   subscribers with a common interest.  These subscribers post mail to a
+   single address, known as a distribution address.  From this
+   distribution address, a copy of the message is sent to each
+   subscriber.  Each group has a moderator, which is the person that
+   administrates the group.  The moderator can usually be reached at a
+   special address, known as a request address.  Usually, the
+   responsibilities of the moderator are quite simple, since the mail
+   system handles the distribution to subscribers automatically.  In
+   some cases, the interest group, instead of being distributed directly
+   to its subscribers, is put into a digest format by the moderator and
+   then sent to the subscribers.  Although this requires more work on
+   the part of the moderator, such groups tend to be better organized.
+
+   Unfortunately, there are a few problems with the scheme outlined
+   above.  First, if two users on the same host subscribe to the same
+   interest group, two copies of the message get delivered.  This is
+   wasteful of both processor and disk resources.
+
+   Second, some of these groups carry a lot of traffic.  Although
+   subscription to an group does indicate interest on the part of a
+   subscriber, it is usually not interesting to get 50 messages or so
+   delivered to the user's private maildrop each day, interspersed with
+   personal mail, that is likely to be of a much more important and
+   timely nature.
+
+   Third, if a subscriber on the distribution list for a group becomes
+   "bad" somehow, the originator of the message and not the moderator of
+   the group is notified.  It is not uncommon for a large list to have
+   10 or so bogus addresses present.  This results in the originator
+   being flooded with "error messages" from mailers across the Internet
+   stating that a given address on the list was bad.  Needless to say,
+   the originator usually could not care less if the bogus addresses got
+   a copy of the message or not.  The originator is merely interested in
+   posting a message to the group at large.  Furthermore, the moderator
+   of the group does care if there are bogus addresses on the list, but
+   ironically does not receive notification.
+
+   There are various approaches which can be used to solve some or all
+   of these problems.  Usually these involve placing an exploder agent
+   at the distribution source of the discussion group, which expands the
+   name of the group into the list of subscription addresses for the
+
+
+
+Rose                                                            [Page 3]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+   group.  In the process, the exploder will also change the address
+   that receives error notifications to be the request address or other
+   responsible party.
+
+   A complementary approach, used in order to cut down on resource
+   utilization of all kinds, replaces all the subscribers at a single
+   host (or group of hosts under a single administration) with a single
+   address at that host.  This address maps to a file on the host,
+   usually in a spool area, which all users can access.  (Advanced
+   implementations can also implement private discussion groups this
+   way, in which a single copy of each message is kept, but is
+   accessible to only a select number of users on the host.)
+
+   The two approaches can be combined to avoid all of the problems
+   described above.
+
+   Finally, a third approach can be taken, which can be used to aid user
+   agents processing mail for the discussion group:  In order to speed
+   querying of the maildrop which contains the local host's copy of the
+   discussion group, two other items are usually associated with the
+   discussion group, on a local basis.  These are the maxima and the
+   last-date.  Each time a message is received for the group on the
+   local host, the maxima is increased by at least one.  Furthermore,
+   when a new maxima is generated, the current date is determined.  This
+   is called the last date.  As the message is entered into the local
+   maildrop, it is given the current maxima and last-date.  This permits
+   the user agent to quickly determine if new messages are present in
+   the maildrop.
+
+       NOTE:      The maxima may be characterized as a monotonically
+                  increasing quanity.  Although sucessive values of the
+                  maxima need not be consecutive, any maxima assigned
+                  is always greater than any previously assigned value.
+
+Definition of Terms
+
+   To formalize these notions somewhat, consider the following 7
+   parameters which describe a given discussion group from the
+   perspective of the user agent (the syntax given is from [RFC822]):
+
+
+
+
+
+
+
+
+
+
+
+
+Rose                                                            [Page 4]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+         NAME            Meaning: the name of the discussion group
+                         Syntax:  TOKEN (ALPHA *[ ALPHA / DIGIT / "-" ])
+                                  (case-insensitive recognition)
+                         Example: unix-wizards
+
+         ALIASES         Meaning: alternates names for the group, which
+                                  are locally meaningful; these are
+                                  typically used to shorten user typein
+                         Syntax:  TOKEN (case-insensitive recognition)
+                         Example: uwiz
+
+         ADDRESS         Meaning: the primary source of the group
+                         Syntax:  822 address
+                         Example: Unix-Wizards@BRL.MIL
+
+         REQUEST         Meaning: the primary moderator of the group
+                         Syntax:  822 address
+                         Example: Unix-Wizards-Request@BRL.MIL
+
+         FLAGS           Meaning: locally meaningful flags associated
+                                  with the discussion group; this memo
+                                  leaves interpretation of this
+                                  parameter to each POP3 implementation
+                         Syntax:  octal number
+                         Example: 01
+
+         MAXIMA          Meaning: the magic cookie associated with the
+                                  last message locally received for the
+                                  group; it is the property of the magic
+                                  cookie that it's value NEVER
+                                  decreases, and increases by at least
+                                  one each time a message is locally
+                                  received
+                         Syntax:  decimal number
+                         Example: 1004
+
+         LASTDATE        Meaning: the date that the last message was
+                                  locally received
+                         Syntax:  822 date
+                         Example: Thu, 19 Dec 85 10:26:48 -0800
+
+   Note that the last two values are locally determined for the maildrop
+   associated with the discussion group and with each message in that
+   maildrop.  Note however that the last message in the maildrop have a
+   different MAXIMA and LASTDATE than the discussion group.  This often
+   occurs when the maildrop has been archived.
+
+
+
+
+
+Rose                                                            [Page 5]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+   Finally, some local systems provide mechanisms for automatically
+   archiving discussion group mail.  In some cases, a two-level archive
+   scheme is used:  current mail is kept in the standard maildrop,
+   recent mail is kept in an archive maildrop, and older mail is kept
+   off-line.  With this scheme, in addition to having a "standard"
+   maildrop for each discussion group, an "archive" maildrop may also be
+   available.  This permits a user agent to examine the most recent
+   archive using the same mechanisms as those used on the current mail.
+
+The XTND Command
+
+   The following commands are valid only in the TRANSACTION state of the
+   POP3.  This implies that the POP3 server has already opened the
+   user's maildrop (which may be empty).  This maildrop is called the
+   "default maildrop".  The phrase "closes the current maildrop" has two
+   meanings, depending on whether the current maildrop is the default
+   maildrop or is a maildrop associated with a discussion group.
+
+   In the former context, when the current maildrop is closed any
+   messages marked as deleted are removed from the maildrop currently in
+   use.  The exclusive-access lock on the maildrop is then released
+   along with any implementation-specific resources (e.g., file-
+   descriptors).
+
+   In the latter context, a maildrop associated with a discussion group
+   is considered to be read-only to the POP3 client.  In this case, the
+   phrase "closes the current maildrop" merely means that any
+   implementation-specific resources are released.  (Hence, the POP3
+   command DELE is a no-op.)
+
+   All the new facilities are introduced via a single POP3 command,
+   XTND.  All positive reponses to the XTND command are multi-line.
+
+   The most common multi-line response to the commands contains a
+   "discussion group listing" which presents the name of the discussion
+   group along with it's maxima.  In order to simplify parsing all POP3
+   servers are required to use a certain format for discussion group
+   listings:
+
+                              NAME SP MAXIMA
+
+   This memo makes no requirement on what follows the maxima in the
+   listing.  Minimal implementations should just end that line of the
+   response with a CRLF pair.  More advanced implementations may include
+   other information, as parsed from the message.
+
+       NOTE:      This memo STRONGLY discourages implementations from
+                  supplying additional information in the listing.
+
+
+
+Rose                                                            [Page 6]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+   XTND BBOARDS [name]
+   Arguments: the name of a discussion group (optionally)
+   Restrictions: may only be given in the TRANSACTION state.
+   Discussion:
+
+   If an argument was given, the POP3 server closes the current
+   maildrop.  The POP3 server then validates the argument as the name of
+   a discussion group.  If this is successful, it opens the maildrop
+   associated with the group, and returns a multi-line response
+   containing the discussion group listing.  If the discussion group
+   named is not valid, or the associated archive maildrop is not
+   readable by the user, then an error response is returned.
+
+   If no argument was given, the POP3 server issues a multi-line
+   response.  After the initial +OK, for each discussion group known,
+   the POP3 server responds with a line containing the listing for that
+   discussion group.  Note that only world-readable discussion groups
+   are included in the multi-line response.
+
+   In order to aid user agents, this memo requires an extension to the
+   scan listing when an "XTND BBOARDS" command has been given.
+   Normally, a scan listing, as generated by the LIST, takes the form:
+
+          MSGNO SIZE
+
+   where MSGNO is the number of the message being listed and SIZE is the
+   size of the message in octets.  When reading a maildrop accessed via
+   "XTND BBOARDS", the scan listing takes the form
+
+          MSGNO SIZE MAXIMA
+
+   where MAXIMA is the maxima that was assigned to the message when it
+   was placed in the BBoard.
+
+   Possible Responses:
+       +OK XTND
+       -ERR no such bboard
+   Examples:
+       C:    XTND BBOARDS
+       S:    +OK XTND
+       S:    system 10
+       S:    mh-users 100
+       S:    .
+       C:    XTND BBOARDS system
+       S:    + OK XTND
+       S:    system 10
+       S:    .
+
+
+
+
+Rose                                                            [Page 7]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+   XTND ARCHIVE name
+   Arguments: the name of a discussion group (required)
+   Restrictions: may only be given in the TRANSACTION state.
+   Discussion:
+
+   The POP3 server closes the current maildrop.  The POP3 server then
+   validates the argument as the name of a discussion group.  If this is
+   successful, it opens the archive maildrop associated with the group,
+   and returns a multi-line response containing the discussion group
+   listing.  If the discussion group named is not valid, or the
+   associated archive maildrop is not readable by the user, then an
+   error response is returned.
+
+   In addition, the scan listing generated by the LIST command is
+   augmented (as described above).
+
+   Possible Responses:
+       +OK XTND
+       -ERR no such bboard Examples:
+       C:    XTND ARCHIVE system
+       S:    + OK XTND
+       S:    system 3
+       S:    .
+
+   XTND X-BBOARDS name
+   Arguments: the name of a discussion group (required)
+   Restrictions: may only be given in the TRANSACTION state.
+   Discussion:
+
+   The POP3 server validates the argument as the name of a
+   discussion group.  If this is unsuccessful, then an error
+   response is returned.  Otherwise a multi-line response is
+   returned.  The first 14 lines of this response (after the
+   initial +OK) are defined in this memo.  Minimal implementations
+   need not include other information (and may omit certain
+   information, outputing a bare CRLF pair).  More advanced
+   implementations may include other information.
+
+           Line    Information (refer to "Definition of Terms")
+           ----    -----------
+             1     NAME
+             2     ALIASES, separated by SP
+             3     system-specific: maildrop
+             4     system-specific: archive maildrop
+             5     system-specific: information
+             6     system-specific: maildrop map
+             7     system-specific: encrypted password
+             8     system-specific: local leaders, separated by SP
+
+
+
+Rose                                                            [Page 8]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+             9     ADDRESS
+            10     REQUEST
+            11     system-specific: incoming feed
+            12     system-specific: outgoing feeds
+            13     FLAGS SP MAXIMA
+            14     LASTDATE
+
+   Most of this information is entirely too specific to the UCI Version
+   of the Rand MH Message Handling System [MRose85].  Nevertheless,
+   lines 1, 2, 9, 10, 13, and 14 are of general interest, regardless of
+   the implementation.
+
+           Possible Responses:
+               +OK XTND
+               -ERR no such bboard
+           Examples:
+               C:    XTND X-BBOARDS system
+               S:    + OK XTND
+               S:    system
+               S:    local general
+               S:    /usr/bboards/system.mbox
+               S:    /usr/bboards/archive/system.mbox
+               S:    /usr/bboards/.system.cnt
+               S:    /usr/bboards/.system.map
+               S:    *
+               S:    mother
+               S:    system@nrtc.northrop.com
+               S:    system-request@nrtc.northrop.com
+               S:
+               S:    dist-system@nrtc-gremlin.northrop.com
+               S:    01 10
+               S:    Thu, 19 Dec 85 00:08:49 -0800
+               S:    .
+
+Policy Notes
+
+   Depending on the particular entity administrating the POP3 service
+   host, two additional policies might be implemented:
+
+   1.  Private Discussion Groups
+
+   In the general case, discussion groups are world-readable, any user,
+   once logged in (via a terminal, terminal server, or POP3, etc.), is
+   able to read the maildrop for each discussion group known to the POP3
+   service host.  Nevertheless, it is desirable, usually for privacy
+   reasons, to implement private discussion groups as well.
+
+   Support of this is consistent with the extensions outlined in this
+
+
+
+Rose                                                            [Page 9]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+   memo.  Once the AUTHORIZATION state has successfully concluded, the
+   POP3 server grants the user access to exactly those discussion groups
+   the POP3 service host permits the authenticated user to access.  As a
+   "security" feature, discussion groups associated with unreadable
+   maildrops should not be listed in a positive response to the XTND
+   BBOARDS command.
+
+   2.  Anonymous POP3 Users
+
+   In order to minimize the authentication problem, a policy permitting
+   "anonymous" access to the world-readable maildrops for discussion
+   groups on the POP3 server may be implemented.
+
+   Support of this is consistent with the extensions outlined in this
+   memo.  The POP3 server can be modified to accept a USER command for a
+   well-known pseudonym (i.e., "anonymous") which is valid with any PASS
+   command.  As a "security" feature, it is advisable to limit this kind
+   of access to only hosts at the local site, or to hosts named in an
+   access list.
+
+Experiences and Conclusions
+
+   All of the facilities described in this memo and in [RFC1081] have
+   been implemented in MH #6.1.  Initial experiences have been, on the
+   whole, very positive.
+
+   After the first implementation, some performance tuning was required.
+   This consisted primarily of caching the datastructures which describe
+   discussion groups in the POP3 server.  A second optimization
+   pertained to the client:  the program most commonly used to read
+   BBoards in MH was modified to retrieve messages only when needed.
+   Two schemes are used:
+
+         o If only the headers (and the first few lines of the body) of
+           the message are required (e.g., for a scan listing), then only
+           these are retrieved.  The resulting output is then cached, on
+           a per-message basis.
+
+         o If the entire message is required, then it is retrieved intact,
+            and cached locally.
+
+   With these optimizations, response time is quite adequate when the
+   POP3 server and client are connected via a high-speed local area
+   network.  In fact, the author uses this mechanism to access certain
+   private discussion groups over the Internet.  In this case, response
+   is still good.  When a 9.6Kbps modem is inserted in the path,
+   response went from good to almost tolerable (fortunately the author
+   only reads a few discussion groups in this fashion).
+
+
+
+Rose                                                           [Page 10]
+
+RFC 1082                 POP3 Extended Service             November 1988
+
+
+   To conclude: the POP3 is a good thing, not only for personal mail but
+   for discussion group mail as well.
+
+
+References
+
+     [RFC1081] Rose, M., "Post Office Protocol - Verison 3 (POP3)", RFC
+               1081, TWG, November 1988.
+
+     [MRose85] Rose, M., and J. Romine, "The Rand MH Message Handling
+               System: User's Manual", University of California, Irvine,
+               November 1985.
+
+     [RFC822]  Crocker, D., "Standard for the Format of ARPA-Internet
+               Text Messages", RFC 822, University of Delaware, August
+               1982.
+
+     [RFC918]  Reynolds, J., "Post Office Protocol", RFC 918,
+               USC/Information Sciences Institute, October 1984.
+
+     [RFC937]  Butler, M., J. Postel, D. Chase, J. Goldberger, and J.
+               Reynolds, "Post Office Protocol - Version 2", RFC 937,
+               USC/Information Sciences Institute, February 1985.
+
+Author's Address:
+
+
+   Marshall Rose
+   The Wollongong Group
+   1129 San Antonio Rd.
+   Palo Alto, California 94303
+
+   Phone: (415) 962-7100
+
+   Email: MRose@TWG.COM
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rose                                                           [Page 11]
+
diff --git a/crypto/heimdal/appl/popper/pop_auth.c b/crypto/heimdal/appl/popper/pop_auth.c
new file mode 100644
index 0000000..525beaa
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_auth.c
@@ -0,0 +1,220 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the Kungliga Tekniska
+ *      H�gskolan and its contributors.
+ * 
+ * 4. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <popper.h>
+#include <base64.h>
+RCSID("$Id: pop_auth.c,v 1.2 2000/04/12 15:37:45 assar Exp $");
+
+#ifdef KRB4
+
+enum {
+    NO_PROT   = 1,
+    INT_PROT  = 2,
+    PRIV_PROT = 4
+};
+
+static int
+auth_krb4(POP *p)
+{
+    int ret;
+    des_cblock key;
+    u_int32_t nonce, nonce_reply;
+    u_int32_t max_client_packet;
+    int protocols = NO_PROT | INT_PROT | PRIV_PROT;
+    char data[8];
+    int len;
+    char *s;
+    char instance[INST_SZ];  
+    KTEXT_ST authent;
+    des_key_schedule schedule;
+    struct passwd *pw;
+
+    /* S -> C: 32 bit nonce in MSB base64 */
+
+    des_new_random_key(&key);
+    nonce = (key[0] | (key[1] << 8) | (key[2] << 16) | (key[3] << 24)
+	     | key[4] | (key[5] << 8) | (key[6] << 16) | (key[7] << 24));
+    krb_put_int(nonce, data, 4, 8);
+    len = base64_encode(data, 4, &s);
+
+    pop_msg(p, POP_CONTINUE, "%s", s);
+    free(s);
+
+    /* C -> S: ticket and authenticator */
+
+    ret = sch_readline(p->input, &s);
+    if (ret <= 0 || strcmp (s, "*") == 0)
+	return pop_msg(p, POP_FAILURE,
+		       "authentication aborted by client");
+    len = strlen(s);
+    if (len > sizeof(authent.dat)) {
+	return pop_msg(p, POP_FAILURE, "data packet too long");
+    }
+
+    authent.length = base64_decode(s, authent.dat);
+
+    k_getsockinst (0, instance, sizeof(instance));
+    ret = krb_rd_req(&authent, "pop", instance,
+		     p->in_addr.sin_addr.s_addr,
+		     &p->kdata, NULL);
+    if (ret != 0) {
+	return pop_msg(p, POP_FAILURE, "rd_req: %s",
+		       krb_get_err_text(ret));
+    }
+    if (p->kdata.checksum != nonce) {
+	return pop_msg(p, POP_FAILURE, "data stream modified");
+    }
+
+    /* S -> C: nonce + 1 | bit | max segment */
+
+    krb_put_int(nonce + 1, data, 4, 7);
+    data[4] = protocols;
+    krb_put_int(1024, data + 5, 3, 3); /* XXX */
+    des_key_sched(&p->kdata.session, schedule);
+    des_pcbc_encrypt((des_cblock*)data,
+		     (des_cblock*)data, 8,
+		     schedule,
+		     &p->kdata.session,
+		     DES_ENCRYPT);
+    len = base64_encode(data, 8, &s);
+    pop_msg(p, POP_CONTINUE, "%s", s);
+
+    free(s);
+
+    /* C -> S: nonce | bit | max segment | username */
+
+    ret = sch_readline(p->input, &s);
+    if (ret <= 0 || strcmp (s, "*") == 0)
+	return pop_msg(p, POP_FAILURE,
+		       "authentication aborted");
+    len = strlen(s);
+    if (len > sizeof(authent.dat)) {
+	return pop_msg(p, POP_FAILURE, "data packet too long");
+    }
+
+    authent.length = base64_decode(s, authent.dat);
+    
+    if (authent.length % 8 != 0) {
+	return pop_msg(p, POP_FAILURE, "reply is not a multiple of 8 bytes");
+    }
+
+    des_key_sched(&p->kdata.session, schedule);
+    des_pcbc_encrypt((des_cblock*)authent.dat,
+		     (des_cblock*)authent.dat,
+		     authent.length,
+		     schedule,
+		     &p->kdata.session,
+		     DES_DECRYPT);
+
+    krb_get_int(authent.dat, &nonce_reply, 4, 0);
+    if (nonce_reply != nonce) {
+	return pop_msg(p, POP_FAILURE, "data stream modified");
+    }
+    protocols &= authent.dat[4];
+    krb_get_int(authent.dat + 5, &max_client_packet, 3, 0);
+    if(authent.dat[authent.length - 1] != '\0') {
+	return pop_msg(p, POP_FAILURE, "bad format of username");
+    }
+    strncpy (p->user, authent.dat + 8, sizeof(p->user));
+    pw = k_getpwnam(p->user);
+    if (pw == NULL) {
+	return (pop_msg(p,POP_FAILURE,
+			"Password supplied for \"%s\" is incorrect.",
+			p->user));
+    }
+
+    if (kuserok(&p->kdata, p->user)) {
+	pop_log(p, POP_PRIORITY,
+		"%s: (%s.%s@%s) tried to retrieve mail for %s.",
+		p->client, p->kdata.pname, p->kdata.pinst,
+		p->kdata.prealm, p->user);
+	return(pop_msg(p,POP_FAILURE,
+		       "Popping not authorized"));
+    }
+    pop_log(p, POP_INFO, "%s: %s.%s@%s -> %s",
+	    p->ipaddr,
+	    p->kdata.pname, p->kdata.pinst, p->kdata.prealm,
+	    p->user);
+    ret = pop_login(p, pw);
+    if (protocols & PRIV_PROT)
+	;
+    else if (protocols & INT_PROT)
+	;
+    else
+	;
+    
+    return ret;
+}
+#endif /* KRB4 */
+
+#ifdef KRB5
+static int
+auth_gssapi(POP *p)
+{
+    
+}
+#endif /* KRB5 */
+
+/* 
+ *  auth: RFC1734
+ */
+
+static struct {
+    const char *name;
+    int (*func)(POP *);
+} methods[] = {
+#ifdef KRB4
+    {"KERBEROS_V4",	auth_krb4},
+#endif
+#ifdef KRB5
+    {"GSSAPI",		auth_gssapi},
+#endif
+    {NULL,		NULL}
+};
+
+int
+pop_auth (POP *p)
+{
+    int i;
+
+    for (i = 0; methods[i].name != NULL; ++i)
+	if (strcasecmp(p->pop_parm[1], methods[i].name) == 0)
+	    return (*methods[i].func)(p);
+    return pop_msg(p, POP_FAILURE,
+		   "Authentication method %s unknown", p->pop_parm[1]);
+}
diff --git a/crypto/heimdal/appl/popper/pop_debug.c b/crypto/heimdal/appl/popper/pop_debug.c
new file mode 100644
index 0000000..e400278
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_debug.c
@@ -0,0 +1,280 @@
+/*
+ * Copyright (c) 1995 - 2000 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* Tiny program to help debug popper */
+
+#include "popper.h"
+RCSID("$Id: pop_debug.c,v 1.21 2001/02/20 01:44:47 assar Exp $");
+
+static void
+loop(int s)
+{
+    char cmd[1024];
+    char buf[1024];
+    fd_set fds;
+    while(1){
+	FD_ZERO(&fds);
+	FD_SET(0, &fds);
+	FD_SET(s, &fds);
+	if(select(s+1, &fds, 0, 0, 0) < 0)
+	    err(1, "select");
+	if(FD_ISSET(0, &fds)){
+	    fgets(cmd, sizeof(cmd), stdin);
+	    cmd[strlen(cmd) - 1] = '\0';
+	    strlcat (cmd, "\r\n", sizeof(cmd));
+	    write(s, cmd, strlen(cmd));
+	}
+	if(FD_ISSET(s, &fds)){
+	    int n = read(s, buf, sizeof(buf));
+	    if(n == 0)
+		exit(0);
+	    fwrite(buf, n, 1, stdout);
+	}
+    }
+}
+
+static int
+get_socket (const char *hostname, int port)
+{
+    int ret;
+    struct addrinfo *ai, *a;
+    struct addrinfo hints;
+    char portstr[NI_MAXSERV];
+    
+    memset (&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    snprintf (portstr, sizeof(portstr), "%d", ntohs(port));
+    ret = getaddrinfo (hostname, portstr, &hints, &ai);
+    if (ret)
+	errx (1, "getaddrinfo %s: %s", hostname, gai_strerror (ret));
+
+    for (a = ai; a != NULL; a = a->ai_next) {
+	int s;
+
+	s = socket (a->ai_family, a->ai_socktype, a->ai_protocol);
+	if (s < 0)
+	    continue;
+	if (connect (s, a->ai_addr, a->ai_addrlen) < 0) {
+	    close (s);
+	    continue;
+	}
+	freeaddrinfo (ai);
+	return s;
+    }
+    err (1, "failed to connect to %s", hostname);
+}
+
+#ifdef KRB4
+static int
+doit_v4 (char *host, int port)
+{
+    KTEXT_ST ticket;
+    MSG_DAT msg_data;
+    CREDENTIALS cred;
+    des_key_schedule sched;
+    int ret;
+    int s = get_socket (host, port);
+
+    ret = krb_sendauth(0,
+		       s,
+		       &ticket, 
+		       "pop",
+		       host,
+		       krb_realmofhost(host),
+		       getpid(),
+		       &msg_data,
+		       &cred,
+		       sched,
+		       NULL,
+		       NULL,
+		       "KPOPV0.1");
+    if(ret) {
+	warnx("krb_sendauth: %s", krb_get_err_text(ret));
+	return 1;
+    }
+    loop(s);
+    return 0;
+}
+#endif
+
+#ifdef KRB5
+static int
+doit_v5 (char *host, int port)
+{
+    krb5_error_code ret;
+    krb5_context context;
+    krb5_auth_context auth_context = NULL;
+    krb5_principal server;
+    int s = get_socket (host, port);
+
+    ret = krb5_init_context (&context);
+    if (ret)
+	errx (1, "krb5_init_context failed: %d", ret);
+    
+    ret = krb5_sname_to_principal (context,
+				   host,
+				   "pop",
+				   KRB5_NT_SRV_HST,
+				   &server);
+    if (ret) {
+	warnx ("krb5_sname_to_principal: %s",
+	       krb5_get_err_text (context, ret));
+	return 1;
+    }
+    ret = krb5_sendauth (context,
+			 &auth_context,
+			 &s,
+			 "KPOPV1.0",
+			 NULL,
+			 server,
+			 0,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL,
+			 NULL);
+     if (ret) {
+	 warnx ("krb5_sendauth: %s",
+		krb5_get_err_text (context, ret));
+	 return 1;
+     }
+     loop (s);
+     return 0;
+}
+#endif
+
+
+#ifdef KRB4
+static int use_v4 = -1;
+#endif
+static int use_v5 = -1;
+static char *port_str;
+static int do_version;
+static int do_help;
+
+struct getargs args[] = {
+#ifdef KRB4
+    { "krb4",	'4', arg_flag,		&use_v4,	"Use Kerberos V4",
+      NULL },
+#endif
+    { "krb5",	'5', arg_flag,		&use_v5,	"Use Kerberos V5",
+      NULL },
+    { "port",	'p', arg_string,	&port_str,	"Use this port",
+      "number-or-service" },
+    { "version", 0,  arg_flag,		&do_version,	"Print version",
+      NULL },
+    { "help",	 0,  arg_flag,		&do_help,	NULL,
+      NULL }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "hostname");
+    exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+    int port = 0;
+    int ret = 1;
+    int optind = 0;
+
+    setprogname(argv[0]);
+
+    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		&optind))
+	usage (1);
+
+    argc -= optind;
+    argv += optind;
+
+    if (do_help)
+	usage (0);
+
+    if (do_version) {
+	print_version (NULL);
+	return 0;
+    }
+	
+    if (argc < 1)
+	usage (1);
+
+    if (port_str) {
+	struct servent *s = roken_getservbyname (port_str, "tcp");
+
+	if (s)
+	    port = s->s_port;
+	else {
+	    char *ptr;
+
+	    port = strtol (port_str, &ptr, 10);
+	    if (port == 0 && ptr == port_str)
+		errx (1, "Bad port `%s'", port_str);
+	    port = htons(port);
+	}
+    }
+    if (port == 0) {
+#ifdef KRB5
+	port = krb5_getportbyname (NULL, "kpop", "tcp", 1109);
+#elif defined(KRB4)
+	port = k_getportbyname ("kpop", "tcp", 1109);
+#else
+#error must define KRB4 or KRB5
+#endif
+    }
+
+#if defined(KRB4) && defined(KRB5)
+    if(use_v4 == -1 && use_v5 == 1)
+	use_v4 = 0;
+    if(use_v5 == -1 && use_v4 == 1)
+	use_v5 = 0;
+#endif    
+
+#ifdef KRB5
+    if (ret && use_v5) {
+	ret = doit_v5 (argv[0], port);
+    }
+#endif
+#ifdef KRB4
+    if (ret && use_v4) {
+	ret = doit_v4 (argv[0], port);
+    }
+#endif
+    return ret;
+}
diff --git a/crypto/heimdal/appl/popper/pop_dele.c b/crypto/heimdal/appl/popper/pop_dele.c
new file mode 100644
index 0000000..f1c2952
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_dele.c
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_dele.c,v 1.10 1999/08/12 11:35:26 joda Exp $");
+
+/* 
+ *  dele:   Delete a message from the POP maildrop
+ */
+int
+pop_dele (POP *p)
+{
+    MsgInfoList     *   mp;         /*  Pointer to message info list */
+    int                 msg_num;
+
+    /*  Convert the message number parameter to an integer */
+    msg_num = atoi(p->pop_parm[1]);
+
+    /*  Is requested message out of range? */
+    if ((msg_num < 1) || (msg_num > p->msg_count))
+        return (pop_msg (p,POP_FAILURE,"Message %d does not exist.",msg_num));
+
+    /*  Get a pointer to the message in the message list */
+    mp = &(p->mlp[msg_num-1]);
+
+    /*  Is the message already flagged for deletion? */
+    if (mp->flags & DEL_FLAG)
+        return (pop_msg (p,POP_FAILURE,"Message %d has already been deleted.",
+            msg_num));
+
+    /*  Flag the message for deletion */
+    mp->flags |= DEL_FLAG;
+
+#ifdef DEBUG
+    if(p->debug)
+        pop_log(p, POP_DEBUG,
+		"Deleting message %u at offset %ld of length %ld\n",
+		mp->number, mp->offset, mp->length);
+#endif /* DEBUG */
+
+    /*  Update the messages_deleted and bytes_deleted counters */
+    p->msgs_deleted++;
+    p->bytes_deleted += mp->length;
+
+    /*  Update the last-message-accessed number if it is lower than 
+        the deleted message */
+    if (p->last_msg < msg_num) p->last_msg = msg_num;
+
+    return (pop_msg (p,POP_SUCCESS,"Message %d has been deleted.",msg_num));
+}
+
+#ifdef XDELE
+/* delete a range of messages */
+int
+pop_xdele(POP *p)
+{
+    MsgInfoList     *   mp;         /*  Pointer to message info list */
+
+    int msg_min, msg_max;
+    int i;
+
+
+    msg_min = atoi(p->pop_parm[1]);
+    if(p->parm_count == 1)
+	msg_max = msg_min;
+    else
+	msg_max = atoi(p->pop_parm[2]);
+
+    if (msg_min < 1)
+        return (pop_msg (p,POP_FAILURE,"Message %d does not exist.",msg_min));
+    if(msg_max > p->msg_count)
+        return (pop_msg (p,POP_FAILURE,"Message %d does not exist.",msg_max));
+    for(i = msg_min; i <= msg_max; i++) {
+
+	/*  Get a pointer to the message in the message list */
+	mp = &(p->mlp[i - 1]);
+
+	/*  Is the message already flagged for deletion? */
+	if (mp->flags & DEL_FLAG)
+	    continue; /* no point in returning error */
+	/*  Flag the message for deletion */
+	mp->flags |= DEL_FLAG;
+	
+#ifdef DEBUG
+	if(p->debug)
+	    pop_log(p, POP_DEBUG,
+		    "Deleting message %u at offset %ld of length %ld\n",
+		    mp->number, mp->offset, mp->length);
+#endif /* DEBUG */
+	
+	/*  Update the messages_deleted and bytes_deleted counters */
+	p->msgs_deleted++;
+	p->bytes_deleted += mp->length;
+    }
+
+    /*  Update the last-message-accessed number if it is lower than 
+	the deleted message */
+    if (p->last_msg < msg_max) p->last_msg = msg_max;
+    
+    return (pop_msg (p,POP_SUCCESS,"Messages %d-%d has been deleted.",
+		     msg_min, msg_max));
+    
+}
+#endif /* XDELE */
diff --git a/crypto/heimdal/appl/popper/pop_dropcopy.c b/crypto/heimdal/appl/popper/pop_dropcopy.c
new file mode 100644
index 0000000..f33cfb0
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_dropcopy.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_dropcopy.c,v 1.25 1999/09/16 20:38:49 assar Exp $");
+
+/*
+ * Run as the user in `pwd'
+ */
+
+int
+changeuser(POP *p, struct passwd *pwd)
+{
+    if(setgid(pwd->pw_gid) < 0) {
+	pop_log (p, POP_PRIORITY,
+		 "Unable to change to gid %u: %s",
+		 (unsigned)pwd->pw_gid,
+		 strerror(errno));
+	return pop_msg (p, POP_FAILURE,
+			"Unable to change gid");
+    }
+    if(setuid(pwd->pw_uid) < 0) {
+	pop_log (p, POP_PRIORITY,
+		 "Unable to change to uid %u: %s",
+		 (unsigned)pwd->pw_uid,
+		 strerror(errno));
+	return pop_msg (p, POP_FAILURE,
+			"Unable to change uid");
+    }
+#ifdef DEBUG
+    if(p->debug)
+	pop_log(p, POP_DEBUG,"uid = %u, gid = %u",
+	       (unsigned)getuid(),
+	       (unsigned)getgid());
+#endif /* DEBUG */
+    return POP_SUCCESS;
+}
+
+/* 
+ *  dropcopy:   Make a temporary copy of the user's mail drop and 
+ *  save a stream pointer for it.
+ */
+
+int
+pop_dropcopy(POP *p, struct passwd *pwp)
+{
+    int                     mfd;                    /*  File descriptor for 
+                                                        the user's maildrop */
+    int                     dfd;                    /*  File descriptor for 
+                                                        the SERVER maildrop */
+    FILE		    *tf;		    /*  The temp file */
+    char		    template[POP_TMPSIZE];  /*  Temp name holder */
+    char                    buffer[BUFSIZ];         /*  Read buffer */
+    long                    offset;                 /*  Old/New boundary */
+    int                     nchar;                  /*  Bytes written/read */
+    int                     tf_fd;                  /*  fd for temp file */
+    int			    ret;
+
+    /*  Create a temporary maildrop into which to copy the updated maildrop */
+    snprintf(p->temp_drop, sizeof(p->temp_drop), POP_DROP,p->user);
+
+#ifdef DEBUG
+    if(p->debug)
+        pop_log(p,POP_DEBUG,"Creating temporary maildrop '%s'",
+            p->temp_drop);
+#endif /* DEBUG */
+
+    /* Here we work to make sure the user doesn't cause us to remove or
+     * write over existing files by limiting how much work we do while
+     * running as root.
+     */
+
+    strlcpy(template, POP_TMPDROP, sizeof(template));
+    if ((tf_fd = mkstemp(template)) < 0 ||
+	(tf = fdopen(tf_fd, "w+")) == NULL) {
+        pop_log(p,POP_PRIORITY,
+            "Unable to create temporary temporary maildrop '%s': %s",template,
+		strerror(errno));
+        return pop_msg(p,POP_FAILURE,
+		"System error, can't create temporary file.");
+    }
+
+    /* Now give this file to the user	*/
+    chown(template, pwp->pw_uid, pwp->pw_gid);
+    chmod(template, 0600);
+
+    /* Now link this file to the temporary maildrop.  If this fails it
+     * is probably because the temporary maildrop already exists.  If so,
+     * this is ok.  We can just go on our way, because by the time we try
+     * to write into the file we will be running as the user.
+     */
+    link(template,p->temp_drop);
+    fclose(tf);
+    unlink(template);
+
+    ret = changeuser(p, pwp);
+    if (ret != POP_SUCCESS)
+	return ret;
+
+    /* Open for append,  this solves the crash recovery problem */
+    if ((dfd = open(p->temp_drop,O_RDWR|O_APPEND|O_CREAT,0600)) == -1){
+        pop_log(p,POP_PRIORITY,
+            "Unable to open temporary maildrop '%s': %s",p->temp_drop,
+		strerror(errno));
+        return pop_msg(p,POP_FAILURE,
+		"System error, can't open temporary file, do you own it?");
+    }
+
+    /*  Lock the temporary maildrop */
+    if ( flock (dfd, (LOCK_EX | LOCK_NB)) == -1 ) 
+    switch(errno) {
+        case EWOULDBLOCK:
+            return pop_msg(p,POP_FAILURE,
+                 "Maildrop lock busy!  Is another session active?");
+            /* NOTREACHED */
+        default:
+            return pop_msg(p,POP_FAILURE,"flock: '%s': %s", p->temp_drop,
+		strerror(errno));
+            /* NOTREACHED */
+        }
+    
+    /* May have grown or shrunk between open and lock! */
+    offset = lseek(dfd,0, SEEK_END);
+
+    /*  Open the user's maildrop, If this fails,  no harm in assuming empty */
+    if ((mfd = open(p->drop_name,O_RDWR)) > 0) {
+
+        /*  Lock the maildrop */
+        if (flock (mfd, LOCK_EX) == -1) {
+            close(mfd) ;
+            return pop_msg(p,POP_FAILURE, "flock: '%s': %s", p->temp_drop,
+		strerror(errno));
+        }
+
+        /*  Copy the actual mail drop into the temporary mail drop */
+        while ( (nchar=read(mfd,buffer,BUFSIZ)) > 0 )
+            if ( nchar != write(dfd,buffer,nchar) ) {
+                nchar = -1 ;
+                break ;
+            }
+
+        if ( nchar != 0 ) {
+            /* Error adding new mail.  Truncate to original size,
+               and leave the maildrop as is.  The user will not 
+               see the new mail until the error goes away.
+               Should let them process the current backlog,  in case
+               the error is a quota problem requiring deletions! */
+            ftruncate(dfd,(int)offset) ;
+        } else {
+            /* Mail transferred!  Zero the mail drop NOW,  that we
+               do not have to do gymnastics to figure out what's new
+               and what is old later */
+            ftruncate(mfd,0) ;
+        }
+
+        /*  Close the actual mail drop */
+        close (mfd);
+    }
+
+    /*  Acquire a stream pointer for the temporary maildrop */
+    if ( (p->drop = fdopen(dfd,"a+")) == NULL ) {
+        close(dfd) ;
+        return pop_msg(p,POP_FAILURE,"Cannot assign stream for %s",
+            p->temp_drop);
+    }
+
+    rewind (p->drop);
+
+    return(POP_SUCCESS);
+}
diff --git a/crypto/heimdal/appl/popper/pop_dropinfo.c b/crypto/heimdal/appl/popper/pop_dropinfo.c
new file mode 100644
index 0000000..71922d2
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_dropinfo.c
@@ -0,0 +1,232 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_dropinfo.c,v 1.24 1999/09/16 20:38:49 assar Exp $");
+
+#if defined(UIDL) || defined(XOVER)
+
+/*
+ * Copy the string found after after : into a malloced buffer. Stop
+ * copying at end of string or end of line. End of line delimiter is
+ * not part of the resulting copy.
+ */
+static
+char *
+find_value_after_colon(char *p)
+{
+  char *t, *tmp;
+
+  for (; *p != 0 && *p != ':'; p++) /* Find : */
+    ;
+
+  if (*p == 0)
+    goto error;
+
+  p++;				/* Skip over : */
+
+  for(; *p == ' ' || *p == '\t'; p++) /* Remove white space */
+    ;
+
+  for (t = p; *t != 0 && *t != '\n' && *t != '\r'; t++)	/* Find end of str */
+    ;
+
+  tmp = t = malloc(t - p + 1);
+  if (tmp == 0)
+    goto error;
+
+  for (; *p != 0 && *p != '\n' && *p != '\r'; p++, t++)	/* Copy characters */
+    *t = *p;
+  *t = 0;			/* Terminate string */
+  return tmp;
+
+error:
+  return "ErrorUIDL";
+}
+#endif
+
+void
+parse_header(MsgInfoList *mp, char *buffer)
+{
+#if defined(UIDL) || defined(XOVER)
+    if (strncasecmp("Message-Id:",buffer, 11) == 0) {
+	if (mp->msg_id == NULL)
+	    mp->msg_id = find_value_after_colon(buffer);
+    } 
+#ifdef UIDL
+    else if (strncasecmp(buffer, "X-UIDL:", 7) == 0) {
+	/* Courtesy to Qualcomm, there really is no such 
+	   thing as X-UIDL */
+	mp->msg_id = find_value_after_colon(buffer);
+    }
+#endif
+#endif
+#ifdef XOVER
+    else if (strncasecmp("Subject:", buffer, 8) == 0) {
+	if(mp->subject == NULL){
+	    char *p;
+	    mp->subject = find_value_after_colon(buffer);
+	    for(p = mp->subject; *p; p++)
+		if(*p == '\t') *p = ' ';
+	}
+    }
+    else if (strncasecmp("From:", buffer, 5) == 0) {
+	if(mp->from == NULL){
+	    char *p;
+	    mp->from = find_value_after_colon(buffer);
+	    for(p = mp->from; *p; p++)
+		if(*p == '\t') *p = ' ';
+	}
+    }
+    else if (strncasecmp("Date:", buffer, 5) == 0) {
+	if(mp->date == NULL){
+	    char *p;
+	    mp->date = find_value_after_colon(buffer);
+	    for(p = mp->date; *p; p++)
+		if(*p == '\t') *p = ' ';
+	}
+    }
+#endif
+}
+
+int
+add_missing_headers(POP *p, MsgInfoList *mp)
+{
+#if defined(UIDL) || defined(XOVER)
+    if (mp->msg_id == NULL) {
+	asprintf(&mp->msg_id, "no-message-id-%d", mp->number);
+	if(mp->msg_id == NULL) {
+	    fclose (p->drop);
+	    p->msg_count = 0;
+	    return pop_msg (p,POP_FAILURE,
+			    "Can't build message list for '%s': Out of memory",
+                            p->user);
+	}
+    }
+#endif	    
+#ifdef XOVER
+    if (mp->subject == NULL)
+	mp->subject = "<none>";
+    if (mp->from == NULL)
+	mp->from = "<unknown>";
+    if (mp->date == NULL)
+	mp->date = "<unknown>";
+#endif
+    return POP_SUCCESS;
+}
+
+/* 
+ *  dropinfo:   Extract information about the POP maildrop and store 
+ *  it for use by the other POP routines.
+ */
+
+int
+pop_dropinfo(POP *p)
+{
+    char                    buffer[BUFSIZ];         /*  Read buffer */
+    MsgInfoList         *   mp;                     /*  Pointer to message 
+                                                        info list */
+    int			    msg_num;                /*  Current message 
+                                                        counter */
+    int                     nchar;                  /*  Bytes written/read */
+    int blank_line = 1; /* previous line was blank */
+    int in_header = 0; /* if we are in a header block */
+    
+    /*  Initialize maildrop status variables in the POP parameter block */
+    p->msg_count = 0;
+    p->msgs_deleted = 0;
+    p->last_msg = 0;
+    p->bytes_deleted = 0;
+    p->drop_size = 0;
+
+    /*  Allocate memory for message information structures */
+    p->msg_count = ALLOC_MSGS;
+    p->mlp = (MsgInfoList *)calloc((unsigned)p->msg_count,sizeof(MsgInfoList));
+    if (p->mlp == NULL){
+        fclose (p->drop);
+        p->msg_count = 0;
+        return pop_msg (p,POP_FAILURE,
+            "Can't build message list for '%s': Out of memory", p->user);
+    }
+
+    rewind (p->drop);
+
+    /*  Scan the file, loading the message information list with 
+        information about each message */
+
+    for (msg_num = p->drop_size = 0, mp = p->mlp - 1;
+             fgets(buffer,MAXMSGLINELEN,p->drop);) {
+
+        nchar  = strlen(buffer);
+
+        if (blank_line && strncmp(buffer,"From ",5) == 0) {
+	    in_header = 1;
+            if (++msg_num > p->msg_count) {
+                p->mlp=(MsgInfoList *) realloc(p->mlp,
+                    (p->msg_count+=ALLOC_MSGS)*sizeof(MsgInfoList));
+                if (p->mlp == NULL){
+                    fclose (p->drop);
+                    p->msg_count = 0;
+                    return pop_msg (p,POP_FAILURE,
+                        "Can't build message list for '%s': Out of memory",
+                            p->user);
+                }
+                mp = p->mlp + msg_num - 2;
+            }
+            ++mp;
+            mp->number = msg_num;
+            mp->length = 0;
+            mp->lines = 0;
+            mp->offset = ftell(p->drop) - nchar;
+            mp->flags = 0;
+#if defined(UIDL) || defined(XOVER)
+	    mp->msg_id = 0;
+#endif
+#ifdef XOVER
+	    mp->subject = 0;
+	    mp->from = 0;
+	    mp->date = 0;
+#endif
+#ifdef DEBUG
+            if(p->debug)
+                pop_log(p, POP_DEBUG,
+			"Msg %d at offset %ld being added to list",
+			mp->number, mp->offset);
+#endif /* DEBUG */
+        } else if(in_header)
+	    parse_header(mp, buffer);
+	blank_line = (strncmp(buffer, "\n", nchar) == 0);
+	if(blank_line) {
+	    int e;
+	    in_header = 0;
+	    e = add_missing_headers(p, mp);
+	    if(e != POP_SUCCESS)
+		return e;
+	}
+        mp->length += nchar;
+        p->drop_size += nchar;
+        mp->lines++;
+    }
+    p->msg_count = msg_num;
+
+#ifdef DEBUG
+    if(p->debug && msg_num > 0) {
+        int i;
+        for (i = 0, mp = p->mlp; i < p->msg_count; i++, mp++)
+#ifdef UIDL
+	    pop_log(p,POP_DEBUG,
+		    "Msg %d at offset %ld is %ld octets long and has %u lines and id %s.",
+                    mp->number,mp->offset,mp->length,mp->lines, mp->msg_id);
+#else	
+            pop_log(p,POP_DEBUG,
+                "Msg %d at offset %d is %d octets long and has %u lines.",
+                    mp->number,mp->offset,mp->length,mp->lines);
+#endif
+    }
+#endif /* DEBUG */
+
+    return(POP_SUCCESS);
+}
diff --git a/crypto/heimdal/appl/popper/pop_get_command.c b/crypto/heimdal/appl/popper/pop_get_command.c
new file mode 100644
index 0000000..e43c1d9
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_get_command.c
@@ -0,0 +1,118 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_get_command.c,v 1.15 1999/09/16 20:38:49 assar Exp $");
+
+/* 
+ *  get_command:    Extract the command from an input line form a POP client
+ */
+
+static state_table states[] = {
+        {auth1,  "user", 1,  1,  pop_user,   {auth1, auth2}},
+        {auth2,  "pass", 1,  99, pop_pass,   {auth1, trans}},
+#ifdef RPOP
+        {auth2,  "rpop", 1,  1,  pop_rpop,   {auth1, trans}},
+#endif /* RPOP */
+        {auth1,  "quit", 0,  0,  pop_quit,   {halt,  halt}},
+        {auth2,  "quit", 0,  0,  pop_quit,   {halt,  halt}},
+        {trans,  "stat", 0,  0,  pop_stat,   {trans, trans}},
+        {trans,  "list", 0,  1,  pop_list,   {trans, trans}},
+        {trans,  "retr", 1,  1,  pop_send,   {trans, trans}},
+        {trans,  "dele", 1,  1,  pop_dele,   {trans, trans}},
+        {trans,  "noop", 0,  0,  NULL,       {trans, trans}},
+        {trans,  "rset", 0,  0,  pop_rset,   {trans, trans}},
+        {trans,  "top",  2,  2,  pop_send,   {trans, trans}},
+        {trans,  "last", 0,  0,  pop_last,   {trans, trans}},
+        {trans,  "quit", 0,  0,  pop_updt,   {halt,  halt}},
+	{trans,  "help", 0,  0,  pop_help,   {trans, trans}},
+#ifdef UIDL
+        {trans,  "uidl", 0,  1,  pop_uidl,   {trans, trans}},
+#endif
+#ifdef XOVER
+	{trans,	"xover", 0,  0,	 pop_xover,  {trans, trans}},
+#endif
+#ifdef XDELE
+        {trans,  "xdele", 1,  2,  pop_xdele,   {trans, trans}},
+#endif
+        {(state) 0,  NULL,   0,  0,  NULL,       {halt,  halt}},
+};
+
+state_table *
+pop_get_command(POP *p, char *mp)
+{
+    state_table     *   s;
+    char                buf[MAXMSGLINELEN];
+
+    /*  Save a copy of the original client line */
+#ifdef DEBUG
+    if(p->debug) strlcpy (buf, mp, sizeof(buf));
+#endif /* DEBUG */
+
+    /*  Parse the message into the parameter array */
+    if ((p->parm_count = pop_parse(p,mp)) < 0) return(NULL);
+
+    /*  Do not log cleartext passwords */
+#ifdef DEBUG
+    if(p->debug){
+        if(strcmp(p->pop_command,"pass") == 0)
+            pop_log(p,POP_DEBUG,"Received: \"%s xxxxxxxxx\"",p->pop_command);
+        else {
+            /*  Remove trailing <LF> */
+            buf[strlen(buf)-2] = '\0';
+            pop_log(p,POP_DEBUG,"Received: \"%s\"",buf);
+        }
+    }
+#endif /* DEBUG */
+
+    /*  Search for the POP command in the command/state table */
+    for (s = states; s->command; s++) {
+
+        /*  Is this a valid command for the current operating state? */
+        if (strcmp(s->command,p->pop_command) == 0
+             && s->ValidCurrentState == p->CurrentState) {
+
+            /*  Were too few parameters passed to the command? */
+            if (p->parm_count < s->min_parms) {
+                pop_msg(p,POP_FAILURE,
+			"Too few arguments for the %s command.",
+			p->pop_command);
+		return NULL;
+	    }
+
+            /*  Were too many parameters passed to the command? */
+            if (p->parm_count > s->max_parms) {
+                pop_msg(p,POP_FAILURE,
+			"Too many arguments for the %s command.",
+			p->pop_command);
+		return NULL;
+	   }
+
+            /*  Return a pointer to the entry for this command in 
+                the command/state table */
+            return (s);
+        }
+    }
+    /*  The client command was not located in the command/state table */
+    pop_msg(p,POP_FAILURE,
+	    "Unknown command: \"%s\".",p->pop_command);
+    return NULL;
+}
+
+int
+pop_help (POP *p)
+{
+    state_table		*s;
+
+    pop_msg(p, POP_SUCCESS, "help");
+
+    for (s = states; s->command; s++) {
+	fprintf (p->output, "%s\r\n", s->command);
+    }
+    fprintf (p->output, ".\r\n");
+    fflush (p->output);
+    return POP_SUCCESS;
+}
diff --git a/crypto/heimdal/appl/popper/pop_init.c b/crypto/heimdal/appl/popper/pop_init.c
new file mode 100644
index 0000000..7487ce6
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_init.c
@@ -0,0 +1,398 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_init.c,v 1.58 2001/02/20 01:44:47 assar Exp $");
+
+
+#if defined(KRB4) || defined(KRB5)
+
+static int
+pop_net_read(POP *p, int fd, void *buf, size_t len)
+{
+#ifdef KRB5
+    return krb5_net_read(p->context, &fd, buf, len);
+#elif defined(KRB4)
+    return krb_net_read(fd, buf, len);
+#endif
+}
+#endif
+
+static char *addr_log;
+
+static void
+pop_write_addr(POP *p, struct sockaddr *addr)
+{
+    char ts[32];
+    char as[128];
+    time_t t;
+    FILE *f;
+    if(addr_log == NULL)
+	return;
+    t = time(NULL);
+    strftime(ts, sizeof(ts), "%Y%m%d%H%M%S", localtime(&t));
+    if(inet_ntop (addr->sa_family, socket_get_address(addr), 
+		  as, sizeof(as)) == NULL) {
+        pop_log(p, POP_PRIORITY, "failed to print address");
+	return;
+    }
+    
+    f = fopen(addr_log, "a");
+    if(f == NULL) {
+        pop_log(p, POP_PRIORITY, "failed to open address log (%s)", addr_log);
+	return;
+    }
+    fprintf(f, "%s %s\n", as, ts);
+    fclose(f);
+}
+
+#ifdef KRB4
+static int
+krb4_authenticate (POP *p, int s, u_char *buf, struct sockaddr *addr)
+{
+    Key_schedule schedule;
+    KTEXT_ST ticket;
+    char instance[INST_SZ];  
+    char version[9];
+    int auth;
+  
+    if (memcmp (buf, KRB_SENDAUTH_VERS, 4) != 0)
+	return -1;
+    if (pop_net_read (p, s, buf + 4,
+		      KRB_SENDAUTH_VLEN - 4) != KRB_SENDAUTH_VLEN - 4)
+	return -1;
+    if (memcmp (buf, KRB_SENDAUTH_VERS, KRB_SENDAUTH_VLEN) != 0)
+	return -1;
+
+    k_getsockinst (0, instance, sizeof(instance));
+    auth = krb_recvauth(KOPT_IGNORE_PROTOCOL,
+			s,
+			&ticket,
+			"pop",
+			instance,
+                        (struct sockaddr_in *)addr,
+			(struct sockaddr_in *) NULL,
+                        &p->kdata,
+			"",
+			schedule,
+			version);
+    
+    if (auth != KSUCCESS) {
+        pop_msg(p, POP_FAILURE, "Kerberos authentication failure: %s", 
+                krb_get_err_text(auth));
+        pop_log(p, POP_PRIORITY, "%s: (%s.%s@%s) %s", p->client, 
+                p->kdata.pname, p->kdata.pinst, p->kdata.prealm,
+		krb_get_err_text(auth));
+	return -1;
+    }
+
+#ifdef DEBUG
+    pop_log(p, POP_DEBUG, "%s.%s@%s (%s): ok", p->kdata.pname, 
+            p->kdata.pinst, p->kdata.prealm, p->ipaddr);
+#endif /* DEBUG */
+    return 0;
+}
+#endif /* KRB4 */
+
+#ifdef KRB5
+static int
+krb5_authenticate (POP *p, int s, u_char *buf, struct sockaddr *addr)
+{
+    krb5_error_code ret;
+    krb5_auth_context auth_context = NULL;
+    u_int32_t len;
+    krb5_ticket *ticket;
+    char *server;
+
+    if (memcmp (buf, "\x00\x00\x00\x13", 4) != 0)
+	return -1;
+    len = (buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | (buf[3]);
+	
+    if (krb5_net_read(p->context, &s, buf, len) != len)
+	return -1;
+    if (len != sizeof(KRB5_SENDAUTH_VERSION)
+	|| memcmp (buf, KRB5_SENDAUTH_VERSION, len) != 0)
+	return -1;
+
+    ret = krb5_recvauth (p->context,
+			 &auth_context,
+			 &s,
+			 "KPOPV1.0",
+			 NULL, /* let rd_req figure out what server to use */
+			 KRB5_RECVAUTH_IGNORE_VERSION,
+			 NULL,
+			 &ticket);
+    if (ret) {
+	pop_log(p, POP_PRIORITY, "krb5_recvauth: %s",
+		krb5_get_err_text(p->context, ret));
+	return -1;
+    }
+
+
+    ret = krb5_unparse_name(p->context, ticket->server, &server);
+    if(ret) {
+	pop_log(p, POP_PRIORITY, "krb5_unparse_name: %s", 
+		krb5_get_err_text(p->context, ret));
+	ret = -1;
+	goto out;
+    }
+    /* does this make sense? */
+    if(strncmp(server, "pop/", 4) != 0) {
+	pop_log(p, POP_PRIORITY,
+		"Got ticket for service `%s'", server);
+	ret = -1;
+	goto out;
+    } else if(p->debug)
+	pop_log(p, POP_DEBUG, 
+		"Accepted ticket for service `%s'", server);
+    free(server);
+ out:
+    krb5_auth_con_free (p->context, auth_context);
+    krb5_copy_principal (p->context, ticket->client, &p->principal);
+    krb5_free_ticket (p->context, ticket);
+
+    return ret;
+}
+#endif
+
+static int
+krb_authenticate(POP *p, struct sockaddr *addr)
+{
+#if defined(KRB4) || defined(KRB5)
+    u_char buf[BUFSIZ];
+
+    if (pop_net_read (p, 0, buf, 4) != 4) {
+	pop_msg(p, POP_FAILURE, "Reading four bytes: %s",
+		strerror(errno));
+	exit (1);
+    }
+#ifdef KRB4
+    if (krb4_authenticate (p, 0, buf, addr) == 0){
+	pop_write_addr(p, addr);
+	p->version = 4;
+	return POP_SUCCESS;
+    }
+#endif
+#ifdef KRB5
+    if (krb5_authenticate (p, 0, buf, addr) == 0){
+	pop_write_addr(p, addr);
+	p->version = 5;
+	return POP_SUCCESS;
+    }
+#endif
+    exit (1);
+	
+#endif /* defined(KRB4) || defined(KRB5) */
+
+    return(POP_SUCCESS);
+}
+
+static int
+plain_authenticate (POP *p, struct sockaddr *addr)
+{
+    return(POP_SUCCESS);
+}
+
+static int kerberos_flag;
+static char *auth_str;
+static int debug_flag;
+static int interactive_flag;
+static char *port_str;
+static char *trace_file;
+static int timeout;
+static int help_flag;
+static int version_flag;
+
+static struct getargs args[] = {
+#if defined(KRB4) || defined(KRB5)
+    { "kerberos", 'k', arg_flag, &kerberos_flag, "use kerberos" },
+#endif
+    { "auth-mode", 'a', arg_string, &auth_str, "required authentication" },
+    { "debug", 'd', arg_flag, &debug_flag },
+    { "interactive", 'i', arg_flag, &interactive_flag, "create new socket" },
+    { "port", 'p', arg_string, &port_str, "port to listen to", "port" },
+    { "trace-file", 't', arg_string, &trace_file, "trace all command to file", "file" },
+    { "timeout", 'T', arg_integer, &timeout, "timeout", "seconds" },
+    { "address-log", 0, arg_string, &addr_log, "enable address log", "file" },
+    { "help", 'h', arg_flag, &help_flag },
+    { "version", 'v', arg_flag, &version_flag }
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+/* 
+ *  init:   Start a Post Office Protocol session
+ */
+
+static int
+pop_getportbyname(POP *p, const char *service, 
+		  const char *proto, short def)
+{
+#ifdef KRB5
+    return krb5_getportbyname(p->context, service, proto, def);
+#elif defined(KRB4)
+    return k_getportbyname(service, proto, htons(def));
+#else
+    return htons(default);
+#endif
+}
+
+int
+pop_init(POP *p,int argcount,char **argmessage)
+{
+    struct sockaddr_storage cs_ss;
+    struct sockaddr *cs = (struct sockaddr *)&cs_ss;
+    socklen_t		    len;
+    char                *   trace_file_name = "/tmp/popper-trace";
+    int			    portnum = 0;
+    int 		    optind = 0;
+    int			    error;
+
+    /*  Initialize the POP parameter block */
+    memset (p, 0, sizeof(POP));
+
+    setprogname(argmessage[0]);
+
+    /*  Save my name in a global variable */
+    p->myname = (char*)getprogname();
+
+    /*  Get the name of our host */
+    gethostname(p->myhost,MaxHostNameLen);
+
+#ifdef KRB5
+    {
+	krb5_error_code ret;
+
+	ret = krb5_init_context (&p->context);
+	if (ret)
+	    errx (1, "krb5_init_context failed: %d", ret);
+
+	krb5_openlog(p->context, p->myname, &p->logf);
+	krb5_set_warn_dest(p->context, p->logf);
+    }
+#else
+    /*  Open the log file */
+    roken_openlog(p->myname,POP_LOGOPTS,POP_FACILITY);
+#endif
+
+    p->auth_level = AUTH_NONE;
+
+    if(getarg(args, num_args, argcount, argmessage, &optind)){
+	arg_printusage(args, num_args, NULL, "");
+	exit(1);
+    }
+    if(help_flag){
+	arg_printusage(args, num_args, NULL, "");
+	exit(0);
+    }
+    if(version_flag){
+	print_version(NULL);
+	exit(0);
+    }
+
+    argcount -= optind;
+    argmessage += optind;
+
+    if (argcount != 0) {
+	arg_printusage(args, num_args, NULL, "");
+	exit(1);
+    }
+
+    if(auth_str){
+	if (strcmp (auth_str, "none") == 0)
+	    p->auth_level = AUTH_NONE;
+	else if(strcmp(auth_str, "otp") == 0)
+	    p->auth_level = AUTH_OTP;
+	else
+	    warnx ("bad value for -a: %s", optarg);
+    }
+    /*  Debugging requested */
+    p->debug = debug_flag;
+
+    if(port_str)
+	portnum = htons(atoi(port_str));
+    if(trace_file){
+	p->debug++;
+	if ((p->trace = fopen(trace_file, "a+")) == NULL) {
+	    pop_log(p, POP_PRIORITY,
+		    "Unable to open trace file \"%s\", err = %d",
+		    optarg,errno);
+	    exit (1);
+	}
+	trace_file_name = trace_file;
+    }
+
+#if defined(KRB4) || defined(KRB5)
+    p->kerberosp = kerberos_flag;
+#endif
+
+    if(timeout)
+	pop_timeout = timeout;
+    
+    /* Fake inetd */
+    if (interactive_flag) {
+	if (portnum == 0)
+	    portnum = p->kerberosp ?
+		pop_getportbyname(p, "kpop", "tcp", 1109) :
+	    pop_getportbyname(p, "pop", "tcp", 110);
+	mini_inetd (portnum);
+    }
+
+    /*  Get the address and socket of the client to whom I am speaking */
+    len = sizeof(cs_ss);
+    if (getpeername(STDIN_FILENO, cs, &len) < 0) {
+        pop_log(p,POP_PRIORITY,
+            "Unable to obtain socket and address of client, err = %d",errno);
+        exit (1);
+    }
+
+    /*  Save the dotted decimal form of the client's IP address 
+        in the POP parameter block */
+    inet_ntop (cs->sa_family, socket_get_address (cs),
+	       p->ipaddr, sizeof(p->ipaddr));
+
+    /*  Save the client's port */
+    p->ipport = ntohs(socket_get_port (cs));
+
+    /*  Get the canonical name of the host to whom I am speaking */
+    error = getnameinfo_verified (cs, len, p->client, sizeof(p->client),
+				  NULL, 0, 0);
+    if (error) {
+	pop_log (p, POP_PRIORITY,
+		 "getnameinfo: %s", gai_strerror (error));
+	strlcpy (p->client, p->ipaddr, sizeof(p->client));
+    }
+
+    /*  Create input file stream for TCP/IP communication */
+    if ((p->input = fdopen(STDIN_FILENO,"r")) == NULL){
+        pop_log(p,POP_PRIORITY,
+            "Unable to open communication stream for input, err = %d",errno);
+        exit (1);
+    }
+
+    /*  Create output file stream for TCP/IP communication */
+    if ((p->output = fdopen(STDOUT_FILENO,"w")) == NULL){
+        pop_log(p,POP_PRIORITY,
+            "Unable to open communication stream for output, err = %d",errno);
+        exit (1);
+    }
+
+    pop_log(p,POP_PRIORITY,
+        "(v%s) Servicing request from \"%s\" at %s\n",
+            VERSION,p->client,p->ipaddr);
+
+#ifdef DEBUG
+    if (p->trace)
+        pop_log(p,POP_PRIORITY,
+            "Tracing session and debugging information in file \"%s\"",
+                trace_file_name);
+    else if (p->debug)
+        pop_log(p,POP_PRIORITY,"Debugging turned on");
+#endif /* DEBUG */
+
+
+    return((p->kerberosp ? krb_authenticate : plain_authenticate)(p, cs));
+}
diff --git a/crypto/heimdal/appl/popper/pop_last.c b/crypto/heimdal/appl/popper/pop_last.c
new file mode 100644
index 0000000..36fdd0d
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_last.c
@@ -0,0 +1,18 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_last.c,v 1.6 1996/10/28 16:25:28 assar Exp $");
+
+/* 
+ *  last:   Display the last message touched in a POP session
+ */
+
+int
+pop_last (POP *p)
+{
+    return (pop_msg(p,POP_SUCCESS,"%u is the last message seen.",p->last_msg));
+}
diff --git a/crypto/heimdal/appl/popper/pop_list.c b/crypto/heimdal/appl/popper/pop_list.c
new file mode 100644
index 0000000..aa7666a
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_list.c
@@ -0,0 +1,59 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_list.c,v 1.10 1998/04/23 17:37:47 joda Exp $");
+
+/* 
+ *  list:   List the contents of a POP maildrop
+ */
+
+int
+pop_list (POP *p)
+{
+    MsgInfoList         *   mp;         /*  Pointer to message info list */
+    int		            i;
+    int			    msg_num;
+
+    /*  Was a message number provided? */
+    if (p->parm_count > 0) {
+        msg_num = atoi(p->pop_parm[1]);
+
+        /*  Is requested message out of range? */
+        if ((msg_num < 1) || (msg_num > p->msg_count))
+            return (pop_msg (p,POP_FAILURE,
+                "Message %d does not exist.",msg_num));
+
+        /*  Get a pointer to the message in the message list */
+        mp = &p->mlp[msg_num-1];
+
+        /*  Is the message already flagged for deletion? */
+        if (mp->flags & DEL_FLAG)
+            return (pop_msg (p,POP_FAILURE,
+                "Message %d has been deleted.",msg_num));
+
+        /*  Display message information */
+        return (pop_msg(p,POP_SUCCESS,"%d %ld",msg_num,mp->length));
+    }
+    
+    /*  Display the entire list of messages */
+    pop_msg(p,POP_SUCCESS,
+	    "%d messages (%ld octets)",
+            p->msg_count-p->msgs_deleted,
+	    p->drop_size-p->bytes_deleted);
+
+    /*  Loop through the message information list.  Skip deleted messages */
+    for (i = p->msg_count, mp = p->mlp; i > 0; i--, mp++) {
+        if (!(mp->flags & DEL_FLAG)) 
+            fprintf(p->output,"%u %lu\r\n",mp->number,mp->length);
+    }
+
+    /*  "." signals the end of a multi-line transmission */
+    fprintf(p->output,".\r\n");
+    fflush(p->output);
+
+    return(POP_SUCCESS);
+}
diff --git a/crypto/heimdal/appl/popper/pop_log.c b/crypto/heimdal/appl/popper/pop_log.c
new file mode 100644
index 0000000..deb9841
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_log.c
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_log.c,v 1.13 1997/10/14 21:59:07 joda Exp $");
+
+/* 
+ *  log:    Make a log entry
+ */
+
+int
+pop_log(POP *p, int stat, char *format, ...)
+{
+    char msgbuf[MAXLINELEN];
+    va_list     ap;
+
+    va_start(ap, format);
+    vsnprintf(msgbuf, sizeof(msgbuf), format, ap);
+
+    if (p->debug && p->trace) {
+        fprintf(p->trace,"%s\n",msgbuf);
+        fflush(p->trace);
+    } else {
+#ifdef KRB5
+	krb5_log(p->context, p->logf, stat, "%s", msgbuf);
+#else
+        syslog (stat,"%s",msgbuf);
+#endif
+    }
+    va_end(ap);
+
+    return(stat);
+}
diff --git a/crypto/heimdal/appl/popper/pop_msg.c b/crypto/heimdal/appl/popper/pop_msg.c
new file mode 100644
index 0000000..12887a4
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_msg.c
@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_msg.c,v 1.16 1999/09/16 20:38:50 assar Exp $");
+
+/* 
+ *  msg:    Send a formatted line to the POP client
+ */
+
+int
+pop_msg(POP *p, int stat, char *format, ...)
+{
+    char	       *mp;
+    char                message[MAXLINELEN];
+    va_list             ap;
+
+    va_start(ap, format);
+    
+    /*  Point to the message buffer */
+    mp = message;
+
+    /*  Format the POP status code at the beginning of the message */
+    snprintf (mp, sizeof(message), "%s ",
+	      (stat == POP_SUCCESS) ? POP_OK : POP_ERR);
+
+    /*  Point past the POP status indicator in the message message */
+    mp += strlen(mp);
+
+    /*  Append the message (formatted, if necessary) */
+    if (format) 
+	vsnprintf (mp, sizeof(message) - strlen(message),
+		   format, ap);
+    
+    /*  Log the message if debugging is turned on */
+#ifdef DEBUG
+    if (p->debug && stat == POP_SUCCESS)
+        pop_log(p,POP_DEBUG,"%s",message);
+#endif /* DEBUG */
+
+    /*  Log the message if a failure occurred */
+    if (stat != POP_SUCCESS) 
+        pop_log(p,POP_PRIORITY,"%s",message);
+
+    /*  Append the <CR><LF> */
+    strlcat(message, "\r\n", sizeof(message));
+        
+    /*  Send the message to the client */
+    fputs(message, p->output);
+    fflush(p->output);
+
+    va_end(ap);
+    return(stat);
+}
diff --git a/crypto/heimdal/appl/popper/pop_parse.c b/crypto/heimdal/appl/popper/pop_parse.c
new file mode 100644
index 0000000..37aef36
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_parse.c
@@ -0,0 +1,55 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_parse.c,v 1.9 1999/03/13 21:17:27 assar Exp $");
+
+/* 
+ *  parse:  Parse a raw input line from a POP client 
+ *  into null-delimited tokens
+ */
+
+int
+pop_parse(POP *p, char *buf)
+{
+    char            *   mp;
+    int        i;
+    
+    /*  Loop through the POP command array */
+    for (mp = buf, i = 0; ; i++) {
+    
+        /*  Skip leading spaces and tabs in the message */
+        while (isspace((unsigned char)*mp))mp++;
+
+        /*  Are we at the end of the message? */
+        if (*mp == 0) break;
+
+        /*  Have we already obtained the maximum allowable parameters? */
+        if (i >= MAXPARMCOUNT) {
+            pop_msg(p,POP_FAILURE,"Too many arguments supplied.");
+            return(-1);
+        }
+
+        /*  Point to the start of the token */
+        p->pop_parm[i] = mp;
+
+        /*  Search for the first space character (end of the token) */
+        while (!isspace((unsigned char)*mp) && *mp) mp++;
+
+        /*  Delimit the token with a null */
+        if (*mp) *mp++ = 0;
+    }
+
+    /*  Were any parameters passed at all? */
+    if (i == 0) return (-1);
+
+    /*  Convert the first token (POP command) to lower case */
+    strlwr(p->pop_command);
+
+    /*  Return the number of tokens extracted minus the command itself */
+    return (i-1);
+    
+}
diff --git a/crypto/heimdal/appl/popper/pop_pass.c b/crypto/heimdal/appl/popper/pop_pass.c
new file mode 100644
index 0000000..cebd780
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_pass.c
@@ -0,0 +1,220 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_pass.c,v 1.41 2000/04/12 15:37:46 assar Exp $");
+
+#ifdef KRB4
+static int
+krb4_verify_password (POP *p)
+{
+    int status;
+    char lrealm[REALM_SZ];
+    char tkt[MaxPathLen];
+
+    status = krb_get_lrealm(lrealm,1);
+    if (status == KFAILURE) {
+        pop_log(p, POP_PRIORITY, "%s: (%s.%s@%s) %s", p->client,
+		p->kdata.pname, p->kdata.pinst, p->kdata.prealm,
+		krb_get_err_text(status));
+	return 1;
+    }
+    snprintf(tkt, sizeof(tkt), "%s_popper.%u", TKT_ROOT, (unsigned)getpid());
+    krb_set_tkt_string (tkt);
+
+    status = krb_verify_user(p->user, "", lrealm,
+			     p->pop_parm[1], KRB_VERIFY_SECURE, "pop");
+    dest_tkt(); /* no point in keeping the tickets */
+    return status;
+}
+#endif /* KRB4 */
+
+#ifdef KRB5
+static int
+krb5_verify_password (POP *p)
+{
+    krb5_preauthtype pre_auth_types[] = {KRB5_PADATA_ENC_TIMESTAMP};
+    krb5_get_init_creds_opt get_options;
+    krb5_verify_init_creds_opt verify_options;
+    krb5_error_code ret;
+    krb5_principal client, server;
+    krb5_creds creds;
+
+    krb5_get_init_creds_opt_init (&get_options);
+
+    krb5_get_init_creds_opt_set_preauth_list (&get_options,
+					      pre_auth_types,
+					      1);
+
+    krb5_verify_init_creds_opt_init (&verify_options);
+    
+    ret = krb5_parse_name (p->context, p->user, &client);
+    if (ret) {
+	pop_log(p, POP_PRIORITY, "krb5_parse_name: %s",
+		krb5_get_err_text (p->context, ret));
+	return 1;
+    }
+
+    ret = krb5_get_init_creds_password (p->context,
+					&creds,
+					client,
+					p->pop_parm[1],
+					NULL,
+					NULL,
+					0,
+					NULL,
+					&get_options);
+    if (ret) {
+	pop_log(p, POP_PRIORITY,
+		"krb5_get_init_creds_password: %s",
+		krb5_get_err_text (p->context, ret));
+	return 1;
+    }
+
+    ret = krb5_sname_to_principal (p->context,
+				   p->myhost,
+				   "pop",
+				   KRB5_NT_SRV_HST,
+				   &server);
+    if (ret) {
+	pop_log(p, POP_PRIORITY,
+		"krb5_get_init_creds_password: %s",
+		krb5_get_err_text (p->context, ret));
+	return 1;
+    }
+
+    ret = krb5_verify_init_creds (p->context,
+				  &creds,
+				  server,
+				  NULL,
+				  NULL,
+				  &verify_options);
+    krb5_free_principal (p->context, client);
+    krb5_free_principal (p->context, server);
+    krb5_free_creds_contents (p->context, &creds);
+    return ret;
+}
+#endif
+/* 
+ *  pass:   Obtain the user password from a POP client
+ */
+
+int
+pop_pass (POP *p)
+{
+    struct passwd  *pw;
+    int i;
+    struct stat st;
+
+    /* Make one string of all these parameters */
+    
+    for (i = 1; i < p->parm_count; ++i)
+	p->pop_parm[i][strlen(p->pop_parm[i])] = ' ';
+
+    /*  Look for the user in the password file */
+    if ((pw = k_getpwnam(p->user)) == NULL)
+	return (pop_msg(p,POP_FAILURE,
+			"Password supplied for \"%s\" is incorrect.",
+			p->user));
+
+    if (p->kerberosp) {
+#ifdef KRB4
+	if (p->version == 4) {
+	    if(kuserok (&p->kdata, p->user)) {
+		pop_log(p, POP_PRIORITY,
+			"%s: (%s.%s@%s) tried to retrieve mail for %s.",
+			p->client, p->kdata.pname, p->kdata.pinst,
+			p->kdata.prealm, p->user);
+		return(pop_msg(p,POP_FAILURE,
+			       "Popping not authorized"));
+	    }
+	    pop_log(p, POP_INFO, "%s: %s.%s@%s -> %s",
+		    p->ipaddr,
+		    p->kdata.pname, p->kdata.pinst, p->kdata.prealm,
+		    p->user);
+	} else
+#endif /* KRB4 */
+#ifdef KRB5
+	if (p->version == 5) {
+	    char *name;
+	    
+	    if (!krb5_kuserok (p->context, p->principal, p->user)) {
+		pop_log (p, POP_PRIORITY,
+			 "krb5 permission denied");
+		return pop_msg(p, POP_FAILURE,
+			       "Popping not authorized");
+	    }
+	    if(krb5_unparse_name (p->context, p->principal, &name) == 0) {
+		pop_log(p, POP_INFO, "%s: %s -> %s",
+			p->ipaddr, name, p->user);
+		free (name);
+	    }
+	} else {
+	    pop_log (p, POP_PRIORITY, "kerberos authentication failed");
+	    return pop_msg (p, POP_FAILURE,
+			    "kerberos authentication failed");
+	}
+#endif
+	{ }
+    } else {
+	 /*  We don't accept connections from users with null passwords */
+	 if (pw->pw_passwd == NULL)
+	      return (pop_msg(p,
+			      POP_FAILURE,
+			      "Password supplied for \"%s\" is incorrect.",
+			      p->user));
+
+#ifdef OTP
+	 if (otp_verify_user (&p->otp_ctx, p->pop_parm[1]) == 0)
+	     /* pass OK */;
+	 else
+#endif
+	 /*  Compare the supplied password with the password file entry */
+	 if (p->auth_level != AUTH_NONE)
+	     return pop_msg(p, POP_FAILURE,
+			    "Password supplied for \"%s\" is incorrect.",
+			    p->user);
+	 else if (!strcmp(crypt(p->pop_parm[1], pw->pw_passwd), pw->pw_passwd))
+	     /* pass OK */;
+	 else {
+	     int ret = -1;
+#ifdef KRB4
+	     ret = krb4_verify_password (p);
+#endif
+#ifdef KRB5
+	     if(ret)
+		 ret = krb5_verify_password (p);
+#endif
+	     if(ret)
+		 return pop_msg(p, POP_FAILURE,
+				"Password incorrect");
+	 }
+    }
+    pop_log(p, POP_INFO, "login from %s as %s",
+	    p->ipaddr, p->user);
+
+    /*  Build the name of the user's maildrop */
+    snprintf(p->drop_name, sizeof(p->drop_name), "%s/%s", POP_MAILDIR, p->user);
+
+    if(stat(p->drop_name, &st) < 0 || !S_ISDIR(st.st_mode)){
+	/*  Make a temporary copy of the user's maildrop */
+	/*    and set the group and user id */
+	if (pop_dropcopy(p, pw) != POP_SUCCESS) return (POP_FAILURE);
+	
+	/*  Get information about the maildrop */
+	if (pop_dropinfo(p) != POP_SUCCESS) return(POP_FAILURE);
+    } else {
+	if(changeuser(p, pw) != POP_SUCCESS) return POP_FAILURE;
+	if(pop_maildir_info(p) != POP_SUCCESS) return POP_FAILURE;
+    }
+    /*  Initialize the last-message-accessed number */
+    p->last_msg = 0;
+
+    /*  Authorization completed successfully */
+    return (pop_msg (p, POP_SUCCESS,
+		     "%s has %d message(s) (%ld octets).",
+		     p->user, p->msg_count, p->drop_size));
+}
diff --git a/crypto/heimdal/appl/popper/pop_quit.c b/crypto/heimdal/appl/popper/pop_quit.c
new file mode 100644
index 0000000..429b181
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_quit.c
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_quit.c,v 1.7 1996/11/19 22:48:30 assar Exp $");
+
+/* 
+ *  quit:   Terminate a POP session
+ */
+
+int
+pop_quit (POP *p)
+{
+    /*  Release the message information list */
+    if (p->mlp) free (p->mlp);
+
+    return(POP_SUCCESS);
+}
diff --git a/crypto/heimdal/appl/popper/pop_rset.c b/crypto/heimdal/appl/popper/pop_rset.c
new file mode 100644
index 0000000..6888ebf
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_rset.c
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_rset.c,v 1.9 1998/04/23 17:38:08 joda Exp $");
+
+/* 
+ *  rset:   Unflag all messages flagged for deletion in a POP maildrop
+ */
+
+int
+pop_rset (POP *p)
+{
+    MsgInfoList     *   mp;         /*  Pointer to the message info list */
+    int		        i;
+
+    /*  Unmark all the messages */
+    for (i = p->msg_count, mp = p->mlp; i > 0; i--, mp++)
+        mp->flags &= ~DEL_FLAG;
+    
+    /*  Reset the messages-deleted and bytes-deleted counters */
+    p->msgs_deleted = 0;
+    p->bytes_deleted = 0;
+    
+    /*  Reset the last-message-access flag */
+    p->last_msg = 0;
+
+    return (pop_msg(p,POP_SUCCESS,"Maildrop has %u messages (%ld octets)",
+		    p->msg_count, p->drop_size));
+}
diff --git a/crypto/heimdal/appl/popper/pop_send.c b/crypto/heimdal/appl/popper/pop_send.c
new file mode 100644
index 0000000..166b990
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_send.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_send.c,v 1.25 1999/03/05 14:14:28 joda Exp $");
+
+/*
+ *  sendline:   Send a line of a multi-line response to a client.
+ */
+static int
+pop_sendline(POP *p, char *buffer)
+{
+    char        *   bp;
+
+    /*  Byte stuff lines that begin with the termination octet */
+    if (*buffer == POP_TERMINATE) 
+      fputc(POP_TERMINATE,p->output);
+
+    /*  Look for a <NL> in the buffer */
+    if ((bp = strchr(buffer, '\n')))
+      *bp = 0;
+
+    /*  Send the line to the client */
+    fputs(buffer,p->output);
+
+#ifdef DEBUG
+    if(p->debug)
+      pop_log(p,POP_DEBUG,"Sending line \"%s\"",buffer);
+#endif /* DEBUG */
+
+    /*  Put a <CR><NL> if a newline was removed from the buffer */
+    if (bp)
+      fputs ("\r\n",p->output);
+    return bp != NULL;
+}
+
+/* 
+ *  send:   Send the header and a specified number of lines 
+ *          from a mail message to a POP client.
+ */
+
+int
+pop_send(POP *p)
+{
+    MsgInfoList         *   mp;         /*  Pointer to message info list */
+    int		            msg_num;
+    int			    msg_lines;
+    char                    buffer[MAXMSGLINELEN];
+#ifdef RETURN_PATH_HANDLING
+    char		*   return_path_adr;
+    char		*   return_path_end;
+    int			    return_path_sent;
+    int			    return_path_linlen;
+#endif
+    int			sent_nl = 0;
+
+    /*  Convert the first parameter into an integer */
+    msg_num = atoi(p->pop_parm[1]);
+
+    /*  Is requested message out of range? */
+    if ((msg_num < 1) || (msg_num > p->msg_count))
+        return (pop_msg (p,POP_FAILURE,"Message %d does not exist.",msg_num));
+
+    /*  Get a pointer to the message in the message list */
+    mp = &p->mlp[msg_num-1];
+
+    /*  Is the message flagged for deletion? */
+    if (mp->flags & DEL_FLAG)
+        return (pop_msg (p,POP_FAILURE,
+			 "Message %d has been deleted.",msg_num));
+
+    /*  If this is a TOP command, get the number of lines to send */
+    if (strcmp(p->pop_command, "top") == 0) {
+        /*  Convert the second parameter into an integer */
+        msg_lines = atoi(p->pop_parm[2]);
+    }
+    else {
+        /*  Assume that a RETR (retrieve) command was issued */
+        msg_lines = -1;
+        /*  Flag the message as retreived */
+        mp->flags |= RETR_FLAG;
+    }
+    
+    /*  Display the number of bytes in the message */
+    pop_msg(p, POP_SUCCESS, "%ld octets", mp->length);
+
+    if(IS_MAILDIR(p)) {
+	int e = pop_maildir_open(p, mp);
+	if(e != POP_SUCCESS)
+	    return e;
+    }
+
+    /*  Position to the start of the message */
+    fseek(p->drop, mp->offset, 0);
+
+    return_path_sent = 0;
+
+    if(!IS_MAILDIR(p)) {
+	/*  Skip the first line (the sendmail "From" line) */
+	fgets (buffer,MAXMSGLINELEN,p->drop);
+
+#ifdef RETURN_PATH_HANDLING
+	if (strncmp(buffer,"From ",5) == 0) {
+	    return_path_linlen = strlen(buffer);
+	    for (return_path_adr = buffer+5;
+		 (*return_path_adr == ' ' || *return_path_adr == '\t') &&
+		     return_path_adr < buffer + return_path_linlen;
+		 return_path_adr++)
+		;
+	    if (return_path_adr < buffer + return_path_linlen) {
+		if ((return_path_end = strchr(return_path_adr, ' ')) != NULL)
+		    *return_path_end = '\0';
+		if (strlen(return_path_adr) != 0 && *return_path_adr != '\n') {
+		    static char tmpbuf[MAXMSGLINELEN + 20];
+		    if (snprintf (tmpbuf,
+				  sizeof(tmpbuf),
+				  "Return-Path: %s\n",
+				  return_path_adr) < MAXMSGLINELEN) {
+			pop_sendline (p,tmpbuf);
+			if (hangup)
+			    return pop_msg (p, POP_FAILURE,
+					    "SIGHUP or SIGPIPE flagged");
+			return_path_sent++;
+		    }
+		}
+	    }
+	}
+#endif
+    }
+
+    /*  Send the header of the message followed by a blank line */
+    while (fgets(buffer,MAXMSGLINELEN,p->drop)) {
+#ifdef RETURN_PATH_HANDLING
+	/* Don't send existing Return-Path-header if already sent own */
+	if (!return_path_sent || strncasecmp(buffer, "Return-Path:", 12) != 0)
+#endif
+	    sent_nl = pop_sendline (p,buffer);
+        /*  A single newline (blank line) signals the 
+            end of the header.  sendline() converts this to a NULL, 
+            so that's what we look for. */
+        if (*buffer == 0) break;
+        if (hangup)
+	    return (pop_msg (p,POP_FAILURE,"SIGHUP or SIGPIPE flagged"));
+    }
+    /*  Send the message body */
+    {
+	int blank_line = 1;
+	while (fgets(buffer, MAXMSGLINELEN-1, p->drop)) {
+	    /*  Look for the start of the next message */
+	    if (!IS_MAILDIR(p) && blank_line && strncmp(buffer,"From ",5) == 0)
+		break;
+	    blank_line = (strncmp(buffer, "\n", 1) == 0);
+	    /*  Decrement the lines sent (for a TOP command) */
+	    if (msg_lines >= 0 && msg_lines-- == 0) break;
+	    sent_nl = pop_sendline(p,buffer);
+	    if (hangup)
+		return (pop_msg (p,POP_FAILURE,"SIGHUP or SIGPIPE flagged"));
+	}
+	/* add missing newline at end */
+	if(!sent_nl)
+	    fputs("\r\n", p->output);
+	/* some pop-clients want a blank line at the end of the
+           message, we always add one here, but what the heck -- in
+           outer (white) space, no one can hear you scream */
+	if(IS_MAILDIR(p))
+	    fputs("\r\n", p->output);
+    }
+    /*  "." signals the end of a multi-line transmission */
+    fputs(".\r\n",p->output);
+    fflush(p->output);
+
+    return(POP_SUCCESS);
+}
diff --git a/crypto/heimdal/appl/popper/pop_stat.c b/crypto/heimdal/appl/popper/pop_stat.c
new file mode 100644
index 0000000..9ab2800
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_stat.c
@@ -0,0 +1,26 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_stat.c,v 1.7 1997/05/11 11:04:35 assar Exp $");
+
+/* 
+ *  stat:   Display the status of a POP maildrop to its client
+ */
+
+int
+pop_stat (POP *p)
+{
+#ifdef DEBUG
+    if (p->debug) pop_log(p,POP_DEBUG,"%d message(s) (%ld octets).",
+			  p->msg_count-p->msgs_deleted,
+			  p->drop_size-p->bytes_deleted);
+#endif /* DEBUG */
+    return (pop_msg (p,POP_SUCCESS,
+		     "%d %ld",
+		     p->msg_count-p->msgs_deleted,
+		     p->drop_size-p->bytes_deleted));
+}
diff --git a/crypto/heimdal/appl/popper/pop_uidl.c b/crypto/heimdal/appl/popper/pop_uidl.c
new file mode 100644
index 0000000..42dc12d
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_uidl.c
@@ -0,0 +1,88 @@
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska H�gskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_uidl.c,v 1.9 1999/12/02 16:58:33 joda Exp $");
+
+#ifdef UIDL
+/* 
+ *  uidl:   Uidl the contents of a POP maildrop
+ */
+
+int
+pop_uidl (POP *p)
+{
+    MsgInfoList         *   mp;         /*  Pointer to message info list */
+    int		            i;
+    int			    msg_num;
+
+    /*  Was a message number provided? */
+    if (p->parm_count > 0) {
+        msg_num = atoi(p->pop_parm[1]);
+
+        /*  Is requested message out of range? */
+        if ((msg_num < 1) || (msg_num > p->msg_count))
+            return (pop_msg (p,POP_FAILURE,
+                "Message %d does not exist.",msg_num));
+
+        /*  Get a pointer to the message in the message list */
+        mp = &p->mlp[msg_num-1];
+
+        /*  Is the message already flagged for deletion? */
+        if (mp->flags & DEL_FLAG)
+            return (pop_msg (p,POP_FAILURE,
+                "Message %d has been deleted.",msg_num));
+
+        /*  Display message information */
+        return (pop_msg(p,POP_SUCCESS,"%u %s",msg_num,mp->msg_id));
+    }
+    
+    /*  Display the entire list of messages */
+    pop_msg(p,POP_SUCCESS,
+	    "%d messages (%ld octets)",
+            p->msg_count-p->msgs_deleted,
+	    p->drop_size-p->bytes_deleted);
+
+    /*  Loop through the message information list.  Skip deleted messages */
+    for (i = p->msg_count, mp = p->mlp; i > 0; i--, mp++) {
+        if (!(mp->flags & DEL_FLAG)) 
+            fprintf(p->output,"%u %s\r\n",mp->number,mp->msg_id);
+    }
+
+    /*  "." signals the end of a multi-line transmission */
+    fprintf(p->output,".\r\n");
+    fflush(p->output);
+
+    return(POP_SUCCESS);
+}
+#endif /* UIDL */
diff --git a/crypto/heimdal/appl/popper/pop_updt.c b/crypto/heimdal/appl/popper/pop_updt.c
new file mode 100644
index 0000000..0130132
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_updt.c
@@ -0,0 +1,199 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_updt.c,v 1.19 1998/04/23 18:36:51 joda Exp $");
+
+static char standard_error[] =
+    "Error error updating primary drop. Mailbox unchanged";
+
+/* 
+ *  updt:   Apply changes to a user's POP maildrop
+ */
+
+int
+pop_updt (POP *p)
+{
+    FILE                *   md;                     /*  Stream pointer for 
+                                                        the user's maildrop */
+    int                     mfd;                    /*  File descriptor for
+                                                        above */
+    char                    buffer[BUFSIZ];         /*  Read buffer */
+
+    MsgInfoList         *   mp;                     /*  Pointer to message 
+                                                        info list */
+    int		            msg_num;                /*  Current message 
+                                                        counter */
+    int			    status_written;         /*  Status header field 
+                                                        written */
+    int                     nchar;                  /* Bytes read/written */
+
+    long                    offset;                 /* New mail offset */
+
+    int			    blank_line;
+
+#ifdef DEBUG
+    if (p->debug) {
+        pop_log(p,POP_DEBUG,"Performing maildrop update...");
+        pop_log(p,POP_DEBUG,"Checking to see if all messages were deleted");
+    }
+#endif /* DEBUG */
+
+    if(IS_MAILDIR(p))
+	return pop_maildir_update(p);
+
+    if (p->msgs_deleted == p->msg_count) {
+        /* Truncate before close, to avoid race condition,  DO NOT UNLINK!
+           Another process may have opened,  and not yet tried to lock */
+        ftruncate ((int)fileno(p->drop),0);
+        fclose(p->drop) ;
+        return (POP_SUCCESS);
+    }
+
+#ifdef DEBUG
+    if (p->debug) 
+        pop_log(p,POP_DEBUG,"Opening mail drop \"%s\"",p->drop_name);
+#endif /* DEBUG */
+
+    /*  Open the user's real maildrop */
+    if ((mfd = open(p->drop_name,O_RDWR|O_CREAT,0600)) == -1 ||
+        (md = fdopen(mfd,"r+")) == NULL) {
+        return pop_msg(p,POP_FAILURE,standard_error);
+    }
+
+    /*  Lock the user's real mail drop */
+    if ( flock(mfd, LOCK_EX) == -1 ) {
+        fclose(md) ;
+        return pop_msg(p,POP_FAILURE, "flock: '%s': %s", p->temp_drop,
+		       strerror(errno));
+    }
+
+    /* Go to the right places */
+    offset = lseek((int)fileno(p->drop),0,SEEK_END) ; 
+
+    /*  Append any messages that may have arrived during the session 
+        to the temporary maildrop */
+    while ((nchar=read(mfd,buffer,BUFSIZ)) > 0)
+        if ( nchar != write((int)fileno(p->drop),buffer,nchar) ) {
+            nchar = -1;
+            break ;
+        }
+    if ( nchar != 0 ) {
+        fclose(md) ;
+        ftruncate((int)fileno(p->drop),(int)offset) ;
+        fclose(p->drop) ;
+        return pop_msg(p,POP_FAILURE,standard_error);
+    }
+
+    rewind(md);
+    lseek(mfd,0,SEEK_SET);
+    ftruncate(mfd,0) ;
+
+    /* Synch stdio and the kernel for the POP drop */
+    rewind(p->drop);
+    lseek((int)fileno(p->drop),0,SEEK_SET);
+
+    /*  Transfer messages not flagged for deletion from the temporary 
+        maildrop to the new maildrop */
+#ifdef DEBUG
+    if (p->debug) 
+        pop_log(p,POP_DEBUG,"Creating new maildrop \"%s\" from \"%s\"",
+                p->drop_name,p->temp_drop);
+#endif /* DEBUG */
+
+    for (msg_num = 0; msg_num < p->msg_count; ++msg_num) {
+
+        int doing_body;
+
+        /*  Get a pointer to the message information list */
+        mp = &p->mlp[msg_num];
+
+        if (mp->flags & DEL_FLAG) {
+#ifdef DEBUG
+            if(p->debug)
+                pop_log(p,POP_DEBUG,
+                    "Message %d flagged for deletion.",mp->number);
+#endif /* DEBUG */
+            continue;
+        }
+
+        fseek(p->drop,mp->offset,0);
+
+#ifdef DEBUG
+        if(p->debug)
+            pop_log(p,POP_DEBUG,"Copying message %d.",mp->number);
+#endif /* DEBUG */
+	blank_line = 1;
+        for(status_written = doing_body = 0 ;
+            fgets(buffer,MAXMSGLINELEN,p->drop);) {
+
+            if (doing_body == 0) { /* Header */
+
+                /*  Update the message status */
+                if (strncasecmp(buffer,"Status:",7) == 0) {
+                    if (mp->flags & RETR_FLAG)
+                        fputs("Status: RO\n",md);
+                    else
+                        fputs(buffer, md);
+                    status_written++;
+                    continue;
+                }
+                /*  A blank line signals the end of the header. */
+                if (*buffer == '\n') {
+                    doing_body = 1;
+                    if (status_written == 0) {
+                        if (mp->flags & RETR_FLAG)
+                            fputs("Status: RO\n\n",md);
+                        else
+                            fputs("Status: U\n\n",md);
+                    }
+                    else fputs ("\n", md);
+                    continue;
+                }
+                /*  Save another header line */
+                fputs (buffer, md);
+            } 
+            else { /* Body */ 
+                if (blank_line && strncmp(buffer,"From ",5) == 0) break;
+                fputs (buffer, md);
+		blank_line = (*buffer == '\n');
+            }
+        }
+    }
+
+    /* flush and check for errors now!  The new mail will writen
+       without stdio,  since we need not separate messages */
+
+    fflush(md) ;
+    if (ferror(md)) {
+        ftruncate(mfd,0) ;
+        fclose(md) ;
+        fclose(p->drop) ;
+        return pop_msg(p,POP_FAILURE,standard_error);
+    }
+
+    /* Go to start of new mail if any */
+    lseek((int)fileno(p->drop),offset,SEEK_SET);
+
+    while((nchar=read((int)fileno(p->drop),buffer,BUFSIZ)) > 0)
+        if ( nchar != write(mfd,buffer,nchar) ) {
+            nchar = -1;
+            break ;
+        }
+    if ( nchar != 0 ) {
+        ftruncate(mfd,0) ;
+        fclose(md) ;
+        fclose(p->drop) ;
+        return pop_msg(p,POP_FAILURE,standard_error);
+    }
+
+    /*  Close the maildrop and empty temporary maildrop */
+    fclose(md);
+    ftruncate((int)fileno(p->drop),0);
+    fclose(p->drop);
+
+    return(pop_quit(p));
+}
diff --git a/crypto/heimdal/appl/popper/pop_user.c b/crypto/heimdal/appl/popper/pop_user.c
new file mode 100644
index 0000000..be771e6
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_user.c
@@ -0,0 +1,36 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: pop_user.c,v 1.15 1999/09/16 20:38:50 assar Exp $");
+
+/* 
+ *  user:   Prompt for the user name at the start of a POP session
+ */
+
+int
+pop_user (POP *p)
+{
+    char ss[256];
+
+    strlcpy(p->user, p->pop_parm[1], sizeof(p->user));
+
+#ifdef OTP
+    if (otp_challenge (&p->otp_ctx, p->user, ss, sizeof(ss)) == 0) {
+	return pop_msg(p, POP_SUCCESS, "Password %s required for %s.",
+		       ss, p->user);
+    } else
+#endif
+    if (p->auth_level != AUTH_NONE) {
+	char *s = NULL;
+#ifdef OTP
+	s = otp_error(&p->otp_ctx);
+#endif
+	return pop_msg(p, POP_FAILURE, "Permission denied%s%s",
+		       s ? ":" : "", s ? s : "");
+    } else
+	return pop_msg(p, POP_SUCCESS, "Password required for %s.", p->user);
+}
diff --git a/crypto/heimdal/appl/popper/pop_xover.c b/crypto/heimdal/appl/popper/pop_xover.c
new file mode 100644
index 0000000..94936f9
--- /dev/null
+++ b/crypto/heimdal/appl/popper/pop_xover.c
@@ -0,0 +1,37 @@
+#include <popper.h>
+RCSID("$Id: pop_xover.c,v 1.4 1998/04/23 17:39:31 joda Exp $");
+
+int
+pop_xover (POP *p)
+{
+#ifdef XOVER
+    MsgInfoList         *   mp;         /*  Pointer to message info list */
+    int		            i;
+
+    pop_msg(p,POP_SUCCESS,
+	    "%d messages (%ld octets)",
+            p->msg_count-p->msgs_deleted,
+	    p->drop_size-p->bytes_deleted);
+    
+    /*  Loop through the message information list.  Skip deleted messages */
+    for (i = p->msg_count, mp = p->mlp; i > 0; i--, mp++) {
+        if (!(mp->flags & DEL_FLAG)) 
+            fprintf(p->output,"%u\t%s\t%s\t%s\t%s\t%lu\t%u\r\n",
+		    mp->number,
+		    mp->subject,
+		    mp->from,
+		    mp->date, 
+		    mp->msg_id,
+		    mp->length,
+		    mp->lines);
+    }
+
+    /*  "." signals the end of a multi-line transmission */
+    fprintf(p->output,".\r\n");
+    fflush(p->output);
+
+    return(POP_SUCCESS);
+#else
+    return pop_msg(p, POP_FAILURE, "Command not implemented.");
+#endif
+}
diff --git a/crypto/heimdal/appl/popper/popper.8 b/crypto/heimdal/appl/popper/popper.8
new file mode 100644
index 0000000..30dc5b9
--- /dev/null
+++ b/crypto/heimdal/appl/popper/popper.8
@@ -0,0 +1,179 @@
+.\" Copyright (c) 1980 Regents of the University of California.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms are permitted
+.\" provided that this notice is preserved and that due credit is given
+.\" to the University of California at Berkeley. The name of the University
+.\" may not be used to endorse or promote products derived from this
+.\" software without specific prior written permission. This software
+.\" is provided ``as is'' without express or implied warranty.
+.\"
+.\" @(#)@(#)popper.8	2.3    2.3    (CCS)   4/2/91     Copyright (c) 1990 Regents of the University of California.\nAll rights reserved.\n
+.\"
+.TH popper 8 "August 1990"
+.UC 6
+.ad
+.SH NAME
+popper \- pop 3 server
+.SH SYNOPSIS
+.B /usr/etc/popper
+[ -d ]
+[ -a ]
+[ -k ]
+[ -t trace-file]
+[ -i ]
+[ -p portnum]
+.SH DESCRIPTION
+.I Popper
+is an implementation of the Post Office Protocol server that runs on a
+variety of Unix computers to manage electronic mail for Macintosh
+and MS-DOS computers.  The server was developed at the University of
+California at Berkeley and conforms fully to the specifications in RFC
+1081 and RFC 1082.  The Berkeley server also has extensions to
+send electronic mail on behalf of a client.
+.PP
+The 
+.B \-d
+flag sets the socket to debugging and turns on debugging.  All debugging
+information is saved using syslog(8).  
+.PP
+The 
+.B \-t trace\-file
+flag turns on debugging and saves the trace information in
+.I trace\-file
+using fprintf(s).
+.PP
+The
+.B \-k
+flag tells popper to talk the kerberised POP protocol (KPOP).
+.PP
+The
+.B \-a
+flag tells popper not to accept any cleartext passwords, but only OTPs.
+.PP
+The
+.B \-i
+flag tells popper it has not been started by inetd and should create
+its own socket and listen on it.  This is useful for debugging.
+.PP
+The
+.B \-p portnum
+flag tells popper on which port it should listen for connections when
+creating a socket.
+.SH HOW TO OBTAIN THE SERVER
+.PP
+The POP server is available via anonymous ftp from ftp.CC.Berkeley.EDU
+(128.32.136.9, 128.32.206.12).  It is in two files in the pub directory:
+a compressed
+tar file popper.tar.Z and a Macintosh StuffIt archive in BinHex format
+called MacPOP.sit.hqx.
+.SH THE POP TRANSACTION CYCLE
+.PP
+The Berkeley POP server is a single program (called popper) that is
+launched by inetd when it gets a service request on the POP TCP port.
+(The official port number specified in RFC 1081 for POP version 3 is
+port 110.  However, some POP3 clients attempt to contact the server at
+port 109, the POP version 2 port.  Unless you are running both POP2 and
+POP3 servers, you can simply define both ports for use by the POP3
+server.  This is explained in the installation instructions later on.)
+The popper program initializes and verifies that the peer IP address is
+registered in the local domain, logging a warning message when a
+connection is made to a client whose IP address does not have a
+canonical name.  For systems using BSD 4.3 bind, it also checks to see
+if a cannonical name lookup for the client returns the same peer IP
+address, logging a warning message if it does not.  The the server
+enters the authorization state, during which the client must correctly
+identify itself by providing a valid Unix userid and password on the
+server's host machine.  No other exchanges are allowed during this
+state (other than a request to quit.)  If authentication fails, a
+warning message is logged and the session ends.  Once the user is
+identified, popper changes its user and group ids to match that of the
+user and enters the transaction state.  The server makes a temporary
+copy of the user's maildrop (ordinarily in /usr/spool/mail) which is
+used for all subsequent transactions.  These include the bulk of POP
+commands to retrieve mail, delete mail, undelete mail, and so forth.  A
+Berkeley extension also allows the user to submit a mail parcel to the
+server who mails it using the sendmail program (this extension is
+supported in the HyperMail client distributed with the server).  When
+the client quits, the server enters the final update state during which
+the network connection is terminated and the user's maildrop is updated
+with the (possibly) modified temporary maildrop.
+.SH LOGGING
+.PP
+The POP server uses syslog to keep a record of its activities.  On
+systems with BSD 4.3 syslogging, the server logs (by default) to the
+"local0" facility at priority "notice" for all messages except
+debugging which is logged at priority "debug".  The default log file is
+/usr/spool/mqueue/POPlog.  These can be changed, if desired.  On
+systems with 4.2 syslogging all messages are logged to the local log
+file, usually /usr/spool/mqueue/syslog.
+.SH DEBUGGING
+.PP
+The popper program will log debugging information when the -d parameter
+is specified after its invocation in the inetd.conf file.  Care should
+be exercised in using this option since it generates considerable
+output in the syslog file.  Alternatively, the "-t <file-name>" option
+will place debugging information into file "<file-name>" using fprintf
+instead of syslog.
+.PP
+For SunOS version 3.5, the popper program is launched by inetd from
+/etc/servers.  This file does not allow you to specify command line
+arguments.  Therefore, if you want to enable debugging, you can specify
+a shell script in /etc/servers to be launched instead of popper and in
+this script call popper with the desired arguments.
+.PP
+You can confirm that the POP server is running on Unix by telneting to
+port 110 (or 109 if you set it up that way).  For example:
+.PP
+.nf
+%telnet myhost 110
+Trying...
+Connected to myhost.berkeley.edu.
+Escape character is '^]'.
++OK UCB Pop server (version 1.6) at myhost starting.
+quit
+Connection closed by foreign host.
+.fi
+.SH VERSION 1.7 RELEASE NOTES
+Extensive re-write of the maildrop processing code contributed by 
+Viktor Dukhovni <viktor@math.princeton.edu> that greatly reduces the
+possibility that the maildrop can be corrupted as the result of
+simultaneous access by two or more processes.
+.PP
+Added "pop_dropcopy" module to create a temporary maildrop from
+the existing, standard maildrop as root before the setuid and 
+setgid for the user is done.  This allows the temporary maildrop
+to be created in a mail spool area that is not world read-writable.
+.PP
+This version does *not* send the sendmail "From " delimiter line
+in response to a TOP or RETR command.
+.PP
+Encased all debugging code in #ifdef DEBUG constructs.  This code can
+be included by specifying the DEGUG compiler flag.  Note:  You still
+need to use the -d or -t option to obtain debugging output.
+.SH LIMITATIONS
+The POP server copies the user's entire maildrop to /tmp and
+then operates on that copy.  If the maildrop is particularly
+large, or inadequate space is available in /tmp, then the
+server will refuse to continue and terminate the connection.
+.PP
+Simultaneous modification of a single maildrop can result in 
+confusing results.  For example, manipulating messages in a
+maildrop using the Unix /usr/ucb/mail command while a copy of
+it is being processed by the POP server can cause the changes
+made by one program to be lost when the other terminates.  This
+problem is being worked on and will be fixed in a later
+release.
+.SH FILES
+.nf
+/usr/spool/mail         mail files
+/etc/inetd.conf         pop program invocation
+/etc/syslog.conf        logging specifications
+.fi
+.SH "SEE ALSO"
+inetd(8), 
+RFC1081, 
+RFC1082
+.SH AUTHORS
+Bob Campbell, Edward Moy, Austin Shelton, Marshall T Rose, and cast of
+thousands at Rand, UDel, UCI, and elsewhere
diff --git a/crypto/heimdal/appl/popper/popper.README.release b/crypto/heimdal/appl/popper/popper.README.release
new file mode 100644
index 0000000..c0b313e
--- /dev/null
+++ b/crypto/heimdal/appl/popper/popper.README.release
@@ -0,0 +1,45 @@
+Release Notes:
+
+popper-1.831beta is no longer beta	30 July 91
+	Removed popper-1.7.tar.Z
+
+popper-1.831beta.tar.Z	03 April 91
+	Changed mkstemp to mktemp for Ultrix.  Sigh.
+
+popper-1.83beta.tar.Z	02 April 91
+
+	This version makes certain that while running as root we do nothing
+	at all destructive.
+
+popper-1.82beta.tar.Z	27 March 91
+
+	This version fixes problems on Encore MultiMax and some Sun releases
+	which wouldn't allow a user to ftruncate() a file from an open
+	file descripter unless the user owns the file.  Now the user
+	owns the /usr/spool/mail/.userid.pop file.  Thanks to Ben Levy
+	of FTP Software and Henry Holtzman of Apple.
+
+popper-1.81beta.tar.Z	20 March 91
+
+	This version of popper is supposed to fix three problems reported
+	with various versions of popper (all called 1.7 or 1.7something).
+
+	1)  Dropped network connections meant lost mail files.  Some 1.7
+	    versions also risked corrupting mail files.
+
+	2)  Some versions of 1.7 created temporary drop files with world
+	    read and write permissions.
+
+	3)  Some versions of 1.7 were not careful about opening the temporary
+	    drop file.
+
+popper-1.7.tar.Z       09 September 90	(updated 20 March 91)
+
+	This version will exhibit the first problem listed above if it is
+	compiled with -DDEBUG and run without the "-d" (debug) flag.
+
+	If it is compiled without -DDEBUG it will exhibit only the second
+	and third bug listed above.
+
+Cliff Frost	poptest@nettlesome.berkeley.edu
+UC Berkeley
diff --git a/crypto/heimdal/appl/popper/popper.c b/crypto/heimdal/appl/popper/popper.c
new file mode 100644
index 0000000..28d6ab9
--- /dev/null
+++ b/crypto/heimdal/appl/popper/popper.c
@@ -0,0 +1,117 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ */
+
+#include <popper.h>
+RCSID("$Id: popper.c,v 1.15 1997/05/11 11:04:37 assar Exp $");
+
+int hangup = FALSE ;
+
+static RETSIGTYPE
+catchSIGHUP(int sig)
+{
+    hangup = TRUE ;
+
+    /* This should not be a problem on BSD systems */
+    signal(SIGHUP,  catchSIGHUP);
+    signal(SIGPIPE, catchSIGHUP);
+    SIGRETURN(0);
+}
+
+int     pop_timeout = POP_TIMEOUT;
+
+jmp_buf env;
+
+static RETSIGTYPE
+ring(int sig)
+{
+  longjmp(env,1);
+}
+  
+/*
+ * fgets, but with a timeout
+ */
+static char *
+tgets(char *str, int size, FILE *fp, int timeout)
+{
+  signal(SIGALRM, ring);
+  alarm(timeout);
+  if (setjmp(env))
+    str = NULL;
+  else
+    str = fgets(str,size,fp);
+  alarm(0);
+  signal(SIGALRM,SIG_DFL);
+  return(str);
+}
+
+/* 
+ *  popper: Handle a Post Office Protocol version 3 session
+ */
+int
+main (int argc, char **argv)
+{
+    POP                 p;
+    state_table     *   s;
+    char                message[MAXLINELEN];
+
+    signal(SIGHUP,  catchSIGHUP);
+    signal(SIGPIPE, catchSIGHUP);
+
+    /*  Start things rolling */
+    pop_init(&p,argc,argv);
+
+    /*  Tell the user that we are listenting */
+    pop_msg(&p,POP_SUCCESS,
+        "UCB based pop server (version %s at %s) starting.",VERSION,p.myhost);
+
+    /*  State loop.  The POP server is always in a particular state in 
+        which a specific suite of commands can be executed.  The following 
+        loop reads a line from the client, gets the command, and processes 
+        it in the current context (if allowed) or rejects it.  This continues 
+        until the client quits or an error occurs. */
+
+    for (p.CurrentState=auth1;p.CurrentState!=halt&&p.CurrentState!=error;) {
+        if (hangup) {
+            pop_msg(&p, POP_FAILURE, "POP hangup: %s", p.myhost);
+            if (p.CurrentState > auth2 && !pop_updt(&p))
+                pop_msg(&p, POP_FAILURE,
+			"POP mailbox update failed: %s", p.myhost);
+            p.CurrentState = error;
+        } else if (tgets(message, MAXLINELEN, p.input, pop_timeout) == NULL) {
+	    pop_msg(&p, POP_FAILURE, "POP timeout: %s", p.myhost);
+	    if (p.CurrentState > auth2 && !pop_updt(&p))
+                pop_msg(&p,POP_FAILURE,
+			"POP mailbox update failed: %s", p.myhost);
+            p.CurrentState = error;
+        }
+        else {
+            /*  Search for the command in the command/state table */
+            if ((s = pop_get_command(&p,message)) == NULL) continue;
+
+            /*  Call the function associated with this command in 
+                the current state */
+            if (s->function) p.CurrentState = s->result[(*s->function)(&p)];
+
+            /*  Otherwise assume NOOP and send an OK message to the client */
+            else {
+                p.CurrentState = s->success_state;
+                pop_msg(&p,POP_SUCCESS,NULL);
+            }
+        }       
+    }
+
+    /*  Say goodbye to the client */
+    pop_msg(&p,POP_SUCCESS,"Pop server at %s signing off.",p.myhost);
+
+    /*  Log the end of activity */
+    pop_log(&p,POP_PRIORITY,
+        "(v%s) Ending request from \"%s\" at %s\n",VERSION,p.client,p.ipaddr);
+
+    /*  Stop logging */
+    closelog();
+
+    return(0);
+}
diff --git a/crypto/heimdal/appl/popper/popper.h b/crypto/heimdal/appl/popper/popper.h
new file mode 100644
index 0000000..22707da
--- /dev/null
+++ b/crypto/heimdal/appl/popper/popper.h
@@ -0,0 +1,347 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ *
+ * static char copyright[] = "Copyright (c) 1990 Regents of the University of California.\nAll rights reserved.\n";
+ * static char SccsId[] = "@(#)@(#)popper.h	2.2  2.2 4/2/91";
+ *
+ */
+
+/* $Id: popper.h,v 1.49 1999/08/12 11:37:55 joda Exp $ */
+
+/* 
+ *  Header file for the POP programs
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#define UIDL
+#define XOVER
+#define XDELE
+#define DEBUG
+#define RETURN_PATH_HANDLING
+#endif
+
+/* Common include files */
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <signal.h>
+#include <setjmp.h>
+#include <ctype.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_IO_H
+#include <io.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_SYS_STAT_H
+#include <sys/stat.h>
+#endif
+#ifdef HAVE_SYS_FILE_H
+#include <sys/file.h>
+#endif
+#ifdef TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#elif defined(HAVE_SYS_TIME_H)
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#ifdef HAVE_SYS_RESOURCE_H
+#include <sys/resource.h>
+#endif
+#ifdef HAVE_SYS_WAIT_H
+#include <sys/wait.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_PARAM_H
+#include <sys/param.h>
+#endif
+#include "version.h"
+
+#ifdef SOCKS
+#include <socks.h>
+#endif
+
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+
+#ifdef KRB4
+#include <krb.h>
+#include <prot.h>
+#endif
+#ifdef KRB5
+#include <krb5.h>
+#endif
+
+#define MAXUSERNAMELEN  65
+#define MAXDROPLEN      64
+#define MAXLINELEN      1024
+#define MAXMSGLINELEN   1024
+#define MAXCMDLEN       4
+#define MAXPARMCOUNT    10
+#define MAXPARMLEN      10
+#define ALLOC_MSGS  20
+#define MAIL_COMMAND    "/usr/lib/sendmail"
+
+#define POP_FACILITY    LOG_LOCAL0
+#define POP_PRIORITY    LOG_NOTICE
+#define POP_DEBUG       LOG_DEBUG
+#define POP_INFO	LOG_INFO
+#define POP_LOGOPTS     0
+
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+#ifdef HAVE_MAILLOCK_H
+#include <maillock.h>
+#endif
+
+#ifdef OTP
+#include <otp.h>
+#endif
+
+#if defined(KRB4_MAILDIR)
+#define POP_MAILDIR	KRB4_MAILDIR
+#elif defined(_PATH_MAILDIR)
+#define POP_MAILDIR     _PATH_MAILDIR
+#elif defined(MAILDIR)
+#define POP_MAILDIR	MAILDIR
+#else
+#define POP_MAILDIR	"/usr/spool/mail"
+#endif
+
+#define POP_DROP        POP_MAILDIR "/.%s.pop"
+	/* POP_TMPSIZE needs to be big enough to hold the string
+	 * defined by POP_TMPDROP.  POP_DROP and POP_TMPDROP
+	 * must be in the same filesystem.
+	 */
+#define POP_TMPDROP     POP_MAILDIR "/tmpXXXXXX"
+#define POP_TMPSIZE	256
+#define POP_TMPXMIT     "/tmp/xmitXXXXXX"
+#define POP_OK          "+OK"
+#define POP_ERR         "-ERR"
+#define POP_SUCCESS     1
+#define POP_FAILURE     0
+#define POP_TERMINATE   '.'
+#define POP_TIMEOUT     120     /* timeout connection after this many secs */
+
+extern int              pop_timeout;
+
+extern int              hangup;
+
+#define AUTH_NONE 0
+#define AUTH_OTP  1
+
+#define pop_command         pop_parm[0]     /*  POP command is first token */
+#define pop_subcommand      pop_parm[1]     /*  POP XTND subcommand is the 
+                                                second token */
+
+typedef enum {                              /*  POP processing states */
+    auth1,                                  /*  Authorization: waiting for 
+                                                USER command */
+    auth2,                                  /*  Authorization: waiting for 
+                                                PASS command */
+    trans,                                  /*  Transaction */
+    update,                                 /*  Update:  session ended, 
+                                                process maildrop changes */
+    halt,                                   /*  (Halt):  stop processing 
+                                                and exit */
+    error                                   /*  (Error): something really 
+                                                bad happened */
+} state;
+
+
+#define DEL_FLAG	1
+#define RETR_FLAG	2
+#define NEW_FLAG	4
+
+typedef struct {                                /*  Message information */
+    int         number;                         /*  Message number relative to 
+                                                    the beginning of list */
+    long        length;                         /*  Length of message in 
+                                                    bytes */
+    int         lines;                          /*  Number of (null-terminated)                                                     lines in the message */
+    long        offset;                         /*  Offset from beginning of 
+                                                    file */
+    unsigned	flags;
+
+#if defined(UIDL) || defined(XOVER)
+    char        *msg_id;	                /*  The POP UIDL uniqueifier */
+#endif
+#ifdef XOVER
+    char	*subject;
+    char	*from;
+    char	*date;
+#endif
+    char	*name;
+} MsgInfoList;
+
+#define IS_MAILDIR(P) ((P)->temp_drop[0] == '\0')
+
+typedef struct  {                               /*  POP parameter block */
+    int                 debug;                  /*  Debugging requested */
+    char            *   myname;                 /*  The name of this POP 
+                                                    daemon program */
+    char                myhost[MaxHostNameLen]; /*  The name of our host 
+                                                    computer */
+    char		client[MaxHostNameLen];	/*  Canonical name of client 
+                                                    computer */
+    char                ipaddr[MaxHostNameLen];	/*  Dotted-notation format of 
+                                                    client IP address */
+    unsigned short      ipport;                 /*  Client port for privileged 
+                                                    operations */
+    char                user[MAXUSERNAMELEN];   /*  Name of the POP user */
+    state               CurrentState;           /*  The current POP operational                                                     state */
+    MsgInfoList     *   mlp;                    /*  Message information list */
+    int                 msg_count;              /*  Number of messages in 
+                                                    the maildrop */
+    int                 msgs_deleted;           /*  Number of messages flagged 
+                                                    for deletion */
+    int                 last_msg;               /*  Last message touched by 
+                                                    the user */
+    long                bytes_deleted;          /*  Number of maildrop bytes 
+                                                    flagged for deletion */
+    char                drop_name[MAXDROPLEN];  /*  The name of the user's 
+                                                    maildrop */
+    char                temp_drop[MAXDROPLEN];  /*  The name of the user's 
+                                                    temporary maildrop */
+    long                drop_size;              /*  Size of the maildrop in
+                                                    bytes */
+    FILE            *   drop;                   /*  (Temporary) mail drop */
+    FILE            *   input;                  /*  Input TCP/IP communication 
+                                                    stream */
+    FILE            *   output;                 /*  Output TCP/IP communication                                                     stream */
+    FILE            *   trace;                  /*  Debugging trace file */
+    char            *   pop_parm[MAXPARMCOUNT]; /*  Parse POP parameter list */
+    int                 parm_count;             /*  Number of parameters in 
+                                                    parsed list */
+    int			kerberosp;		/*  Using KPOP? */
+#ifdef KRB4
+    AUTH_DAT		kdata;
+#endif
+#ifdef KRB5
+    krb5_context	context;
+    krb5_principal	principal;              /*  principal auth as */
+    krb5_log_facility*  logf;
+#endif
+    int			version;                /*  4 or 5? */
+    int			auth_level;		/*  Dont allow cleartext */
+#ifdef OTP
+    OtpContext		otp_ctx;		/*  OTP context */
+#endif
+} POP;
+
+typedef struct {                                /*  State information for 
+                                                    each POP command */
+    state       ValidCurrentState;              /*  The operating state of 
+                                                    the command */
+    char   *    command;                        /*  The POP command */
+    int         min_parms;                      /*  Minimum number of parms 
+                                                    for the command */
+    int         max_parms;                      /*  Maximum number of parms 
+                                                    for the command */
+    int         (*function) ();                 /*  The function that process 
+                                                    the command */
+    state       result[2];                      /*  The resulting state after 
+                                                    command processing */
+#define success_state   result[0]               /*  State when a command 
+                                                    succeeds */
+} state_table;
+
+typedef struct {                                /*  Table of extensions */
+    char   *    subcommand;                     /*  The POP XTND subcommand */
+    int         min_parms;                      /*  Minimum number of parms for
+                                                    the subcommand */
+    int         max_parms;                      /*  Maximum number of parms for
+                                                    the subcommand */
+    int         (*function) ();                 /*  The function that processes 
+                                                    the subcommand */
+} xtnd_table;
+
+int pop_dele(POP *p);
+int pop_dropcopy(POP *p, struct passwd *pwp);
+int pop_dropinfo(POP *p);
+int pop_init(POP *p,int argcount,char **argmessage);
+int pop_last(POP *p);
+int pop_list(POP *p);
+int pop_parse(POP *p, char *buf);
+int pop_pass(POP *p);
+int pop_quit(POP *p);
+int pop_rset(POP *p);
+int pop_send(POP *p);
+int pop_stat(POP *p);
+int pop_updt(POP *p);
+int pop_user(POP *p);
+#ifdef UIDL
+int pop_uidl(POP *p);
+#endif
+#ifdef XOVER
+int pop_xover(POP *p);
+#endif
+#ifdef XDELE
+int pop_xdele(POP *p);
+#endif
+int pop_help(POP *p);
+state_table *pop_get_command(POP *p, char *mp);
+void pop_lower(char *buf);
+
+int pop_log(POP *p, int stat, char *format, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 3, 4)))
+#endif
+;
+
+int pop_msg(POP *p, int stat, char *format, ...)
+#ifdef __GNUC__
+__attribute__ ((format (printf, 3, 4)))
+#endif
+;
+
+int pop_maildir_info (POP*);
+int pop_maildir_open (POP*, MsgInfoList*);
+int pop_maildir_update (POP*);
+
+int changeuser(POP*, struct passwd*);
+void parse_header(MsgInfoList*, char*);
+int add_missing_headers(POP*, MsgInfoList*);
diff --git a/crypto/heimdal/appl/popper/version.h b/crypto/heimdal/appl/popper/version.h
new file mode 100644
index 0000000..1b5d135
--- /dev/null
+++ b/crypto/heimdal/appl/popper/version.h
@@ -0,0 +1,19 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.  The Berkeley software License Agreement
+ * specifies the terms and conditions for redistribution.
+ *
+ * static char copyright[] = "Copyright (c) 1990 Regents of the University of California.\nAll rights reserved.\n";
+ * static char SccsId[] = "@(#)@(#)version.h	2.6  2.6 4/3/91";
+ *
+ */
+
+/* $Id: version.h,v 1.5 1997/08/08 22:50:13 assar Exp $ */
+
+/*
+ *  Current version of this POP implementation
+ */
+
+#if 0
+#define VERSION         krb4_version
+#endif
diff --git a/crypto/heimdal/appl/push/Makefile.in b/crypto/heimdal/appl/push/Makefile.in
index e677966..5dd6d72 100644
--- a/crypto/heimdal/appl/push/Makefile.in
+++ b/crypto/heimdal/appl/push/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -119,7 +120,7 @@ install_sh = @install_sh@
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = $(PROGRAMS)
 
 bin_SCRIPTS = pfrom
@@ -250,7 +253,7 @@ OBJECTS = $(am_push_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/push/Makefile
 
@@ -440,6 +443,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
diff --git a/crypto/heimdal/appl/push/pfrom.1 b/crypto/heimdal/appl/push/pfrom.1
index 6f4110c..89af229 100644
--- a/crypto/heimdal/appl/push/pfrom.1
+++ b/crypto/heimdal/appl/push/pfrom.1
@@ -1,4 +1,4 @@
-.\" $Id: pfrom.1,v 1.2 2000/11/29 18:26:27 joda Exp $
+.\" $Id: pfrom.1,v 1.3 2001/05/02 08:59:21 assar Exp $
 .\"
 .Dd Mars 4, 2000
 .Dt PFROM 1
diff --git a/crypto/heimdal/appl/push/pfrom.cat1 b/crypto/heimdal/appl/push/pfrom.cat1
new file mode 100644
index 0000000..8abf68a
--- /dev/null
+++ b/crypto/heimdal/appl/push/pfrom.cat1
@@ -0,0 +1,17 @@
+
+PFROM(1)                     UNIX Reference Manual                    PFROM(1)
+
+NNAAMMEE
+     ppffrroomm - fetch a list of the current mail via POP
+
+SSYYNNOOPPSSIISS
+     ppffrroomm [--44 | ----kkrrbb44] [--55 | ----kkrrbb55] [--vv | ----vveerrbboossee] [--cc | ----ccoouunntt]
+     [----hheeaaddeerr] [--pp _p_o_r_t_-_s_p_e_c | ----ppoorrtt==_p_o_r_t_-_s_p_e_c]
+
+DDEESSCCRRIIPPTTIIOONN
+     ppffrroomm is a script that does push --from.
+
+SSEEEE AALLSSOO
+     push(8)
+
+ HEIMDAL                         Mars 4, 2000                                1
diff --git a/crypto/heimdal/appl/push/push.8 b/crypto/heimdal/appl/push/push.8
index f9e36dd..3915fe5 100644
--- a/crypto/heimdal/appl/push/push.8
+++ b/crypto/heimdal/appl/push/push.8
@@ -1,4 +1,4 @@
-.\" $Id: push.8,v 1.8 2001/01/11 16:16:28 assar Exp $
+.\" $Id: push.8,v 1.10 2001/05/15 12:14:24 assar Exp $
 .\"
 .Dd May 31, 1998
 .Dt PUSH 8
@@ -103,7 +103,7 @@ points to the post office, if no other hostname is specified.
 .\".Sh FILES
 .Sh EXAMPLES
 .Bd -literal -offset indent
-$ push cornfield:roosta ~/.gnus-crash-box
+$ push cornfield:roosta ~/.emacs-mail-crash-box
 .Ed
 .Pp
 tries to fetch mail for the user
@@ -111,7 +111,7 @@ tries to fetch mail for the user
 from the post office at
 .Dq cornfield ,
 and stores the mail in
-.Pa ~/.gnus-crash-box  
+.Pa ~/.emacs-mail-crash-box
 (you are using Gnus, aren't you?)
 .Bd -literal -offset indent
 $ push --from -5 havregryn
diff --git a/crypto/heimdal/appl/push/push.c b/crypto/heimdal/appl/push/push.c
index 4e9a7d1..eb4b814 100644
--- a/crypto/heimdal/appl/push/push.c
+++ b/crypto/heimdal/appl/push/push.c
@@ -32,7 +32,7 @@
  */
 
 #include "push_locl.h"
-RCSID("$Id: push.c,v 1.43 2000/12/31 07:35:59 assar Exp $");
+RCSID("$Id: push.c,v 1.44 2001/02/20 01:44:47 assar Exp $");
 
 #ifdef KRB4
 static int use_v4 = -1;
@@ -714,7 +714,7 @@ main(int argc, char **argv)
     const char *host, *user, *filename = NULL;
     char *pobox = NULL;
 
-    set_progname (argv[0]);
+    setprogname (argv[0]);
 
 #ifdef KRB5
     {
diff --git a/crypto/heimdal/appl/push/push.cat8 b/crypto/heimdal/appl/push/push.cat8
new file mode 100644
index 0000000..dff390e
--- /dev/null
+++ b/crypto/heimdal/appl/push/push.cat8
@@ -0,0 +1,77 @@
+
+PUSH(8)                  UNIX System Manager's Manual                  PUSH(8)
+
+NNAAMMEE
+     ppuusshh - fetch mail via POP
+
+SSYYNNOOPPSSIISS
+     ppuusshh [--44 | ----kkrrbb44] [--55 | ----kkrrbb55] [--vv | ----vveerrbboossee] [--ff | ----ffoorrkk] [--ll |
+     ----lleeaavvee] [----ffrroomm] [--cc | ----ccoouunntt] [----hheeaaddeerrss=_h_e_a_d_e_r_s] [--pp _p_o_r_t_-_s_p_e_c |
+     ----ppoorrtt=_p_o_r_t_-_s_p_e_c] _p_o_-_b_o_x _f_i_l_e_n_a_m_e
+
+DDEESSCCRRIIPPTTIIOONN
+     ppuusshh retrieves mail from the post office box _p_o_-_b_o_x, and stores the mail
+     in mbox format in _f_i_l_e_n_a_m_e. The _p_o_-_b_o_x can have any of the following for-
+     mats:
+           `hostname:username'
+           `po:hostname:username'
+           `username@hostname'
+           `po:username@hostname'
+           `hostname'
+           `po:username'
+
+     If no username is specified, ppuusshh assumes that it's the same as on the
+     local machine; _h_o_s_t_n_a_m_e defaults to the value of the MAILHOST environment
+     variable.
+
+     Supported options:
+
+     --44, ----kkrrbb44
+             use Kerberos 4 (if compiled with support for Kerberos 4)
+
+     --55, ----kkrrbb55
+             use Kerberos 5 (if compiled with support for Kerberos 5)
+
+     --ff, ----ffoorrkk
+             fork before starting to delete messages
+
+     --ll, ----lleeaavvee
+             don't delete fetched mail
+
+     ----ffrroomm  behave like from.
+
+     --cc, ----ccoouunntt
+             first print how many messages and bytes there are.
+
+     ----hheeaaddeerrss=_h_e_a_d_e_r_s
+             a list of comma-separated headers that should get printed.
+
+     --pp _p_o_r_t_-_s_p_e_c, ----ppoorrtt=_p_o_r_t_-_s_p_e_c
+             use this port instead of the default `kpop' or `1109'.
+
+     The default is to first try Kerberos 5 authentication and then, if that
+     fails, Kerberos 4.
+
+EENNVVIIRROONNMMEENNTT
+     MAILHOST
+             points to the post office, if no other hostname is specified.
+
+EEXXAAMMPPLLEESS
+           $ push cornfield:roosta ~/.emacs-mail-crash-box
+
+     tries to fetch mail for the user _r_o_o_s_t_a from the post office at
+     ``cornfield'', and stores the mail in _~_/_._e_m_a_c_s_-_m_a_i_l_-_c_r_a_s_h_-_b_o_x (you are
+     using Gnus, aren't you?)
+
+           $ push --from -5 havregryn
+
+     tries to fetch FFrroomm:: lines for current user at post office ``havregryn''
+     using Kerberos 5.
+
+SSEEEE AALLSSOO
+     movemail(8),  popper(8),  from(1),  pfrom(1)
+
+HHIISSTTOORRYY
+     ppuusshh was written while waiting for mmoovveemmaaiill to finish getting the mail.
+
+ HEIMDAL                         May 31, 1998                                2
diff --git a/crypto/heimdal/appl/rcp/ChangeLog b/crypto/heimdal/appl/rcp/ChangeLog
index 0685061..e8a4f05 100644
--- a/crypto/heimdal/appl/rcp/ChangeLog
+++ b/crypto/heimdal/appl/rcp/ChangeLog
@@ -1,3 +1,14 @@
+2001-04-21  Johan Danielsson  <joda@pdc.kth.se>
+
+	* rcp.c: convert to use getarg
+
+	* rcp.c: do a better job of supporting files larger than 2GB
+
+2001-02-07  Assar Westerlund  <assar@sics.se>
+
+	* rcp.c: add -F for forwarding ticket, from Ake Sandgren
+	<ake@cs.umu.se>
+
 2001-01-29  Assar Westerlund  <assar@sics.se>
 
 	* util.c (roundup): add fallback definition
diff --git a/crypto/heimdal/appl/rcp/Makefile.in b/crypto/heimdal/appl/rcp/Makefile.in
index f0ee151..0f76540 100644
--- a/crypto/heimdal/appl/rcp/Makefile.in
+++ b/crypto/heimdal/appl/rcp/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -119,7 +120,7 @@ install_sh = @install_sh@
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = $(PROGRAMS)
 
 bin_PROGRAMS = rcp
@@ -230,7 +233,7 @@ OBJECTS = $(am_rcp_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/rcp/Makefile
 
@@ -322,6 +325,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
diff --git a/crypto/heimdal/appl/rcp/rcp.c b/crypto/heimdal/appl/rcp/rcp.c
index 1c532ad..d4a062d 100644
--- a/crypto/heimdal/appl/rcp/rcp.c
+++ b/crypto/heimdal/appl/rcp/rcp.c
@@ -32,16 +32,16 @@
  */
 
 #include "rcp_locl.h"
+#include <getarg.h>
 
 #define RSH_PROGRAM "rsh"
-#define	OPTIONS "5dfKpP:rtxz"
 
 struct  passwd *pwd;
 uid_t	userid;
 int     errs, remin, remout;
 int     pflag, iamremote, iamrecursive, targetshouldbedirectory;
 int     doencrypt, noencrypt;
-int     usebroken, usekrb5;
+int     usebroken, usekrb5, forwardtkt;
 char    *port;
 
 #define	CMDNEEDS	64
@@ -53,58 +53,57 @@ void	 sink (int, char *[]);
 void	 source (int, char *[]);
 void	 tolocal (int, char *[]);
 void	 toremote (char *, int, char *[]);
-void	 usage (void);
 
 int      do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout);
 
+static int fflag, tflag;
+
+static int version_flag, help_flag;
+
+struct getargs args[] = {
+    { NULL,	'5', arg_flag,		&usekrb5,	"use Kerberos 5 authentication" },
+    { NULL,	'F', arg_flag,		&forwardtkt,	"forward credentials" },
+    { NULL,	'K', arg_flag,		&usebroken,	"use BSD authentication" },
+    { NULL,	'P', arg_string,	&port,		"non-default port", "port" },
+    { NULL,	'p', arg_flag,		&pflag,	"preserve file permissions" },
+    { NULL,	'r', arg_flag,		&iamrecursive,	"recursive mode" },
+    { NULL,	'x', arg_flag,		&doencrypt,	"use encryption" },
+    { NULL,	'z', arg_flag,		&noencrypt,	"don't encrypt" },
+    { NULL,	'd', arg_flag,		&targetshouldbedirectory },
+    { NULL,	'f', arg_flag,		&fflag },
+    { NULL,	't', arg_flag,		&tflag },
+    { "version", 0,  arg_flag,		&version_flag },
+    { "help",	 0,  arg_flag,		&help_flag }
+};
+
+static void
+usage (int ret)
+{
+    arg_printusage (args,
+		    sizeof(args) / sizeof(args[0]),
+		    NULL,
+		    "file1 file2|file... directory");
+    exit (ret);
+}
+
 int
-main(argc, argv)
-	int argc;
-	char *argv[];
+main(int argc, char **argv)
 {
-	int ch, fflag, tflag;
 	char *targ;
+	int optind = 0;
+
+	if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
+		    &optind))
+	    usage (1);
+	if(help_flag)
+	    usage(0);
+	if (version_flag) {
+	    print_version (NULL);
+	    return 0;
+	}
+	    
+	iamremote = (fflag || tflag);
 
-	fflag = tflag = 0;
-	while ((ch = getopt(argc, argv, OPTIONS)) != -1)
-		switch(ch) {			/* User-visible flags. */
-		case '5':
-			usekrb5 = 1;
-			break;
-		case 'K':
-			usebroken = 1;
-			break;
-		case 'P':
-			port = optarg;
-			break;			
-		case 'p':
-			pflag = 1;
-			break;
-		case 'r':
-			iamrecursive = 1;
-			break;
-		case 'x':
-			doencrypt = 1;
-			break;			
-		case 'z':
-			noencrypt = 1;
-			break;
-						/* Server options. */
-		case 'd':
-			targetshouldbedirectory = 1;
-			break;
-		case 'f':			/* "from" */
-			iamremote = 1;
-			fflag = 1;
-			break;
-		case 't':			/* "to" */
-			iamremote = 1;
-			tflag = 1;
-			break;
-		case '?':
-		default:
-			usage();
-		}
 	argc -= optind;
 	argv += optind;
 
@@ -115,29 +114,29 @@ main(argc, argv)
 	remout = STDOUT_FILENO;
 
 	if (fflag) {			/* Follow "protocol", send data. */
-		(void)response();
-		(void)setuid(userid);
+		response();
+		setuid(userid);
 		source(argc, argv);
 		exit(errs);
 	}
 
 	if (tflag) {			/* Receive data. */
-		(void)setuid(userid);
+		setuid(userid);
 		sink(argc, argv);
 		exit(errs);
 	}
 
 	if (argc < 2)
-		usage();
+	    usage(1);
 	if (argc > 2)
 		targetshouldbedirectory = 1;
 
 	remin = remout = -1;
 	/* Command to be executed on remote system using "rsh". */
-	(void) sprintf(cmd, "rcp%s%s%s", iamrecursive ? " -r" : "", 
+	 sprintf(cmd, "rcp%s%s%s", iamrecursive ? " -r" : "", 
 		       pflag ? " -p" : "", targetshouldbedirectory ? " -d" : "");
 
-	(void)signal(SIGPIPE, lostconn);
+	signal(SIGPIPE, lostconn);
 
 	if ((targ = colon(argv[argc - 1])))	/* Dest is remote host. */
 		toremote(targ, argc, argv);
@@ -150,9 +149,7 @@ main(argc, argv)
 }
 
 void
-toremote(targ, argc, argv)
-	char *targ, *argv[];
-	int argc;
+toremote(char *targ, int argc, char **argv)
 {
 	int i, len;
 	char *bp, *host, *src, *suser, *thost, *tuser;
@@ -193,25 +190,25 @@ toremote(targ, argc, argv)
 					suser = pwd->pw_name;
 				else if (!okname(suser))
 					continue;
-				(void)snprintf(bp, len,
+				snprintf(bp, len,
 				    "%s %s -l %s -n %s %s '%s%s%s:%s'",
 				    _PATH_RSH, host, suser, cmd, src,
 				    tuser ? tuser : "", tuser ? "@" : "",
 				    thost, targ);
 			} else
-				(void)snprintf(bp, len,
+				snprintf(bp, len,
 				    "exec %s %s -n %s %s '%s%s%s:%s'",
 				    _PATH_RSH, argv[i], cmd, src,
 				    tuser ? tuser : "", tuser ? "@" : "",
 				    thost, targ);
-			(void)susystem(bp, userid);
-			(void)free(bp);
+			susystem(bp, userid);
+			free(bp);
 		} else {			/* local to remote */
 			if (remin == -1) {
 				len = strlen(targ) + CMDNEEDS + 20;
 				if (!(bp = malloc(len)))
 					err(1, "malloc");
-				(void)snprintf(bp, len, "%s -t %s", cmd, targ);
+				snprintf(bp, len, "%s -t %s", cmd, targ);
 				host = thost;
 
 				if (do_cmd(host, tuser, bp, &remin, &remout) < 0)
@@ -219,8 +216,8 @@ toremote(targ, argc, argv)
 
 				if (response() < 0)
 					exit(1);
-				(void)free(bp);
-				(void)setuid(userid);
+				free(bp);
+				setuid(userid);
 			}
 			source(1, argv+i);
 		}
@@ -228,9 +225,7 @@ toremote(targ, argc, argv)
 }
 
 void
-tolocal(argc, argv)
-	int argc;
-	char *argv[];
+tolocal(int argc, char **argv)
 {
 	int i, len;
 	char *bp, *host, *src, *suser;
@@ -241,12 +236,12 @@ tolocal(argc, argv)
 			    strlen(argv[argc - 1]) + 20;
 			if (!(bp = malloc(len)))
 				err(1, "malloc");
-			(void)snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP,
+			snprintf(bp, len, "exec %s%s%s %s %s", _PATH_CP,
 			    iamrecursive ? " -PR" : "", pflag ? " -p" : "",
 			    argv[i], argv[argc - 1]);
 			if (susystem(bp, userid))
 				++errs;
-			(void)free(bp);
+			free(bp);
 			continue;
 		}
 		*src++ = 0;
@@ -266,24 +261,38 @@ tolocal(argc, argv)
 		len = strlen(src) + CMDNEEDS + 20;
 		if ((bp = malloc(len)) == NULL)
 			err(1, "malloc");
-		(void)snprintf(bp, len, "%s -f %s", cmd, src);
+		snprintf(bp, len, "%s -f %s", cmd, src);
 		if (do_cmd(host, suser, bp, &remin, &remout) < 0) {
-			(void)free(bp);
+			free(bp);
 			++errs;
 			continue;
 		}
-		(void)free(bp);
+		free(bp);
 		sink(1, argv + argc - 1);
-		(void)seteuid(0);
-		(void)close(remin);
+		seteuid(0);
+		close(remin);
 		remin = remout = -1;
 	}
 }
 
+static char *
+sizestr(off_t size)
+{
+    static char ss[32];
+    char *p;
+    ss[sizeof(ss) - 1] = '\0';
+    for(p = ss + sizeof(ss) - 2; p >= ss; p--) {
+	*p = '0' + size % 10;
+	size /= 10;
+	if(size == 0)
+	    break;
+    }
+    return ss;
+}
+		    
+
 void
-source(argc, argv)
-	int argc;
-	char *argv[];
+source(int argc, char **argv)
 {
 	struct stat stb;
 	static BUF buffer;
@@ -322,21 +331,21 @@ syserr:			run_err("%s: %s", name, strerror(errno));
 			 * Make it compatible with possible future
 			 * versions expecting microseconds.
 			 */
-			(void)snprintf(buf, sizeof(buf), "T%ld 0 %ld 0\n",
+			snprintf(buf, sizeof(buf), "T%ld 0 %ld 0\n",
 			    (long)stb.st_mtime,
 			    (long)stb.st_atime);
-			(void)write(remout, buf, strlen(buf));
+			write(remout, buf, strlen(buf));
 			if (response() < 0)
 				goto next;
 		}
 #define	MODEMASK	(S_ISUID|S_ISGID|S_ISVTX|S_IRWXU|S_IRWXG|S_IRWXO)
-		(void)snprintf(buf, sizeof(buf), "C%04o %lu %s\n",
-		    stb.st_mode & MODEMASK, (unsigned long)stb.st_size, last);
-		(void)write(remout, buf, strlen(buf));
+		snprintf(buf, sizeof(buf), "C%04o %s %s\n",
+			 stb.st_mode & MODEMASK, sizestr(stb.st_size), last);
+		write(remout, buf, strlen(buf));
 		if (response() < 0)
 			goto next;
 		if ((bp = allocbuf(&buffer, fd, BUFSIZ)) == NULL) {
-next:			(void)close(fd);
+next:			close(fd);
 			continue;
 		}
 
@@ -351,7 +360,7 @@ next:			(void)close(fd);
 					haderr = result >= 0 ? EIO : errno;
 			}
 			if (haderr)
-				(void)write(remout, bp->buf, amt);
+				write(remout, bp->buf, amt);
 			else {
 				result = write(remout, bp->buf, amt);
 				if (result != amt)
@@ -361,17 +370,15 @@ next:			(void)close(fd);
 		if (close(fd) && !haderr)
 			haderr = errno;
 		if (!haderr)
-			(void)write(remout, "", 1);
+			write(remout, "", 1);
 		else
 			run_err("%s: %s", name, strerror(haderr));
-		(void)response();
+		response();
 	}
 }
 
 void
-rsource(name, statp)
-	char *name;
-	struct stat *statp;
+rsource(char *name, struct stat *statp)
 {
 	DIR *dirp;
 	struct dirent *dp;
@@ -387,18 +394,18 @@ rsource(name, statp)
 	else
 		last++;
 	if (pflag) {
-		(void)snprintf(path, sizeof(path), "T%ld 0 %ld 0\n",
+		snprintf(path, sizeof(path), "T%ld 0 %ld 0\n",
 		    (long)statp->st_mtime,
 		    (long)statp->st_atime);
-		(void)write(remout, path, strlen(path));
+		write(remout, path, strlen(path));
 		if (response() < 0) {
 			closedir(dirp);
 			return;
 		}
 	}
-	(void)snprintf(path, sizeof(path),
+	snprintf(path, sizeof(path),
 	    "D%04o %d %s\n", statp->st_mode & MODEMASK, 0, last);
-	(void)write(remout, path, strlen(path));
+	write(remout, path, strlen(path));
 	if (response() < 0) {
 		closedir(dirp);
 		return;
@@ -412,19 +419,17 @@ rsource(name, statp)
 			run_err("%s/%s: name too long", name, dp->d_name);
 			continue;
 		}
-		(void)snprintf(path, sizeof(path), "%s/%s", name, dp->d_name);
+		snprintf(path, sizeof(path), "%s/%s", name, dp->d_name);
 		vect[0] = path;
 		source(1, vect);
 	}
-	(void)closedir(dirp);
-	(void)write(remout, "E\n", 2);
-	(void)response();
+	closedir(dirp);
+	write(remout, "E\n", 2);
+	response();
 }
 
 void
-sink(argc, argv)
-	int argc;
-	char *argv[];
+sink(int argc, char **argv)
 {
 	static BUF buffer;
 	struct stat stb;
@@ -443,7 +448,7 @@ sink(argc, argv)
 	setimes = targisdir = 0;
 	mask = umask(0);
 	if (!pflag)
-		(void)umask(mask);
+		umask(mask);
 	if (argc != 1) {
 		run_err("ambiguous target");
 		exit(1);
@@ -451,7 +456,7 @@ sink(argc, argv)
 	targ = *argv;
 	if (targetshouldbedirectory)
 		verifydir(targ);
-	(void)write(remout, "", 1);
+	write(remout, "", 1);
 	if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
 		targisdir = 1;
 	for (first = 1;; first = 0) {
@@ -469,7 +474,7 @@ sink(argc, argv)
 
 		if (buf[0] == '\01' || buf[0] == '\02') {
 			if (iamremote == 0)
-				(void)write(STDERR_FILENO,
+				write(STDERR_FILENO,
 				    buf + 1, strlen(buf + 1));
 			if (buf[0] == '\02')
 				exit(1);
@@ -477,7 +482,7 @@ sink(argc, argv)
 			continue;
 		}
 		if (buf[0] == 'E') {
-			(void)write(remout, "", 1);
+			write(remout, "", 1);
 			return;
 		}
 
@@ -500,7 +505,7 @@ sink(argc, argv)
 			atime.tv_usec = strtol(cp, &cp, 10);
 			if (!cp || *cp++ != '\0')
 				SCREWUP("atime.usec not delimited");
-			(void)write(remout, "", 1);
+			write(remout, "", 1);
 			continue;
 		}
 		if (*cp != 'C' && *cp != 'D') {
@@ -540,7 +545,7 @@ sink(argc, argv)
 				if (!(namebuf = malloc(need)))
 					run_err("%s", strerror(errno));
 			}
-			(void)snprintf(namebuf, need, "%s%s%s", targ,
+			snprintf(namebuf, need, "%s%s%s", targ,
 			    *targ ? "/" : "", cp);
 			np = namebuf;
 		} else
@@ -554,7 +559,7 @@ sink(argc, argv)
 					goto bad;
 				}
 				if (pflag)
-					(void)chmod(np, mode);
+					chmod(np, mode);
 			} else {
 				/* Handle copying from a read-only directory */
 				mod_flag = 1;
@@ -570,7 +575,7 @@ sink(argc, argv)
 					np, strerror(errno));
 			}
 			if (mod_flag)
-				(void)chmod(np, mode);
+				chmod(np, mode);
 			continue;
 		}
 		omode = mode;
@@ -579,9 +584,9 @@ sink(argc, argv)
 bad:			run_err("%s: %s", np, strerror(errno));
 			continue;
 		}
-		(void)write(remout, "", 1);
+		write(remout, "", 1);
 		if ((bp = allocbuf(&buffer, ofd, BUFSIZ)) == NULL) {
-			(void)close(ofd);
+			close(ofd);
 			continue;
 		}
 		cp = bp->buf;
@@ -591,16 +596,13 @@ bad:			run_err("%s: %s", np, strerror(errno));
 			if (i + amt > size)
 				amt = size - i;
 			count += amt;
-			do {
-				j = read(remin, cp, amt);
-				if (j <= 0) {
-					run_err("%s", j ? strerror(errno) :
-					    "dropped connection");
-					exit(1);
-				}
-				amt -= j;
-				cp += j;
-			} while (amt > 0);
+			if((j = net_read(remin, cp, amt)) != amt) {
+			    run_err("%s", j ? strerror(errno) :
+				    "dropped connection");
+			    exit(1);
+			}
+			amt -= j;
+			cp += j;
 			if (count == bp->cnt) {
 				/* Keep reading so we stay sync'd up. */
 				if (wrerr == NO) {
@@ -634,8 +636,8 @@ bad:			run_err("%s: %s", np, strerror(errno));
 					run_err("%s: set mode: %s",
 					    np, strerror(errno));
 		}
-		(void)close(ofd);
-		(void)response();
+		close(ofd);
+		response();
 		if (setimes && wrerr == NO) {
 			setimes = 0;
 			if (utimes(np, tv) < 0) {
@@ -649,7 +651,7 @@ bad:			run_err("%s: %s", np, strerror(errno));
 			run_err("%s: %s", np, strerror(wrerrno));
 			break;
 		case NO:
-			(void)write(remout, "", 1);
+			write(remout, "", 1);
 			break;
 		case DISPLAYED:
 			break;
@@ -661,7 +663,7 @@ screwup:
 }
 
 int
-response()
+response(void)
 {
 	char ch, *cp, resp, rbuf[BUFSIZ];
 
@@ -684,7 +686,7 @@ response()
 		} while (cp < &rbuf[BUFSIZ] && ch != '\n');
 
 		if (!iamremote)
-			(void)write(STDERR_FILENO, rbuf, cp - rbuf);
+			write(STDERR_FILENO, rbuf, cp - rbuf);
 		++errs;
 		if (resp == 1)
 			return (-1);
@@ -693,15 +695,6 @@ response()
 	/* NOTREACHED */
 }
 
-void
-usage()
-{
-	(void)fprintf(stderr, "%s\n%s\n",
-		      "usage: rcp [-5FKpx] [-P port] f1 f2",
-		      "       rcp [-5FKprx] [-P port] f1 ... fn directory");
-	exit(1);
-}
-
 #include <stdarg.h>
 
 void
@@ -714,11 +707,11 @@ run_err(const char *fmt, ...)
 	++errs;
 	if (fp == NULL && !(fp = fdopen(remout, "w")))
 		return;
-	(void)fprintf(fp, "%c", 0x01);
-	(void)fprintf(fp, "rcp: ");
-	(void)vfprintf(fp, fmt, ap);
-	(void)fprintf(fp, "\n");
-	(void)fflush(fp);
+	fprintf(fp, "%c", 0x01);
+	fprintf(fp, "rcp: ");
+	vfprintf(fp, fmt, ap);
+	fprintf(fp, "\n");
+	fflush(fp);
 
 	if (!iamremote)
 		vwarnx(fmt, ap);
@@ -780,6 +773,8 @@ do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout)
 			args[i++] = "-K";
 		if (doencrypt)
 			args[i++] = "-x";
+		if (forwardtkt)
+			args[i++] = "-F";
 		if (noencrypt)
 			args[i++] = "-z";
 		if (port != NULL) {
diff --git a/crypto/heimdal/appl/rsh/ChangeLog b/crypto/heimdal/appl/rsh/ChangeLog
index 4a40ac7..a66ce22 100644
--- a/crypto/heimdal/appl/rsh/ChangeLog
+++ b/crypto/heimdal/appl/rsh/ChangeLog
@@ -1,3 +1,12 @@
+2001-02-07  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: add login_access
+	* rshd.c (login_access): add prototype
+	(syslog_and_die, fatal): add printf attributes
+	(*): AIX -> _AIX
+	(doit): use login_access
+	based on patches from Ake Sandgren <ake@cs.umu.se>
+
 2001-01-09  Assar Westerlund  <assar@sics.se>
 
 	* rshd.c (save_krb5_creds): use krb5_rd_cred2 instead of
diff --git a/crypto/heimdal/appl/rsh/Makefile.am b/crypto/heimdal/appl/rsh/Makefile.am
index 3c340ad..8b5065b 100644
--- a/crypto/heimdal/appl/rsh/Makefile.am
+++ b/crypto/heimdal/appl/rsh/Makefile.am
@@ -1,8 +1,8 @@
-# $Id: Makefile.am,v 1.15 2000/11/15 22:51:10 assar Exp $
+# $Id: Makefile.am,v 1.16 2001/02/07 05:09:06 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
-INCLUDES += $(INCLUDE_krb4)
+INCLUDES += $(INCLUDE_krb4) -I$(srcdir)/../login
 
 bin_PROGRAMS = rsh
 
@@ -10,10 +10,14 @@ libexec_PROGRAMS = rshd
 
 rsh_SOURCES  = rsh.c common.c rsh_locl.h
 
-rshd_SOURCES = rshd.c common.c rsh_locl.h
+rshd_SOURCES = rshd.c common.c login_access.c rsh_locl.h
+
+login_access.c:
+	$(LN_S) $(srcdir)/../login/login_access.c .
 
 LDADD = $(LIB_kafs) \
 	$(LIB_krb5) \
 	$(LIB_krb4) \
 	$(LIB_des) \
-	$(LIB_roken)
+	$(LIB_roken) \
+	$(LIB_kdfs)
diff --git a/crypto/heimdal/appl/rsh/Makefile.in b/crypto/heimdal/appl/rsh/Makefile.in
index 0ba1b86..08950b58 100644
--- a/crypto/heimdal/appl/rsh/Makefile.in
+++ b/crypto/heimdal/appl/rsh/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -113,20 +114,20 @@ dpagaix_CFLAGS = @dpagaix_CFLAGS@
 dpagaix_LDADD = @dpagaix_LDADD@
 install_sh = @install_sh@
 
-# $Id: Makefile.am,v 1.15 2000/11/15 22:51:10 assar Exp $
+# $Id: Makefile.am,v 1.16 2001/02/07 05:09:06 assar Exp $
 
 
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
 
 SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 
-INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4)
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) -I$(srcdir)/../login
 
 AM_CFLAGS =  $(WFLAGS)
 
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = $(PROGRAMS)
 
 bin_PROGRAMS = rsh
@@ -193,13 +196,14 @@ libexec_PROGRAMS = rshd
 
 rsh_SOURCES = rsh.c common.c rsh_locl.h
 
-rshd_SOURCES = rshd.c common.c rsh_locl.h
+rshd_SOURCES = rshd.c common.c login_access.c rsh_locl.h
 
 LDADD = $(LIB_kafs) \
 	$(LIB_krb5) \
 	$(LIB_krb4) \
 	$(LIB_des) \
-	$(LIB_roken)
+	$(LIB_roken) \
+	$(LIB_kdfs)
 
 subdir = appl/rsh
 mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
@@ -220,30 +224,59 @@ X_PRE_LIBS = @X_PRE_LIBS@
 am_rsh_OBJECTS =  rsh.$(OBJEXT) common.$(OBJEXT)
 rsh_OBJECTS =  $(am_rsh_OBJECTS)
 rsh_LDADD = $(LDADD)
-@KRB4_FALSE@@KRB5_FALSE@rsh_DEPENDENCIES = 
-@KRB4_FALSE@@KRB5_TRUE@rsh_DEPENDENCIES =  \
-@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
-@KRB4_TRUE@@KRB5_FALSE@rsh_DEPENDENCIES =  \
-@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la
-@KRB4_TRUE@@KRB5_TRUE@rsh_DEPENDENCIES =  \
-@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
-@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@DCE_FALSE@@KRB4_FALSE@@KRB5_FALSE@rsh_DEPENDENCIES = 
+@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@rsh_DEPENDENCIES =  \
+@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@DCE_FALSE@@KRB4_TRUE@@KRB5_FALSE@rsh_DEPENDENCIES =  \
+@DCE_FALSE@@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la
+@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@rsh_DEPENDENCIES =  \
+@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@DCE_TRUE@@KRB4_FALSE@@KRB5_FALSE@rsh_DEPENDENCIES =  \
+@DCE_TRUE@@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/kdfs/libkdfs.la
+@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@rsh_DEPENDENCIES =  \
+@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@rsh_DEPENDENCIES =  \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kdfs/libkdfs.la
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@rsh_DEPENDENCIES =  \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
 rsh_LDFLAGS = 
-am_rshd_OBJECTS =  rshd.$(OBJEXT) common.$(OBJEXT)
+am_rshd_OBJECTS =  rshd.$(OBJEXT) common.$(OBJEXT) \
+login_access.$(OBJEXT)
 rshd_OBJECTS =  $(am_rshd_OBJECTS)
 rshd_LDADD = $(LDADD)
-@KRB4_FALSE@@KRB5_FALSE@rshd_DEPENDENCIES = 
-@KRB4_FALSE@@KRB5_TRUE@rshd_DEPENDENCIES =  \
-@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
-@KRB4_TRUE@@KRB5_FALSE@rshd_DEPENDENCIES =  \
-@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la
-@KRB4_TRUE@@KRB5_TRUE@rshd_DEPENDENCIES =  \
-@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
-@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@DCE_FALSE@@KRB4_FALSE@@KRB5_FALSE@rshd_DEPENDENCIES = 
+@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@rshd_DEPENDENCIES =  \
+@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_FALSE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@DCE_FALSE@@KRB4_TRUE@@KRB5_FALSE@rshd_DEPENDENCIES =  \
+@DCE_FALSE@@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la
+@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@rshd_DEPENDENCIES =  \
+@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_FALSE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@DCE_TRUE@@KRB4_FALSE@@KRB5_FALSE@rshd_DEPENDENCIES =  \
+@DCE_TRUE@@KRB4_FALSE@@KRB5_FALSE@$(top_builddir)/lib/kdfs/libkdfs.la
+@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@rshd_DEPENDENCIES =  \
+@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@DCE_TRUE@@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@rshd_DEPENDENCIES =  \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kdfs/libkdfs.la
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@rshd_DEPENDENCIES =  \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@DCE_TRUE@@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
 rshd_LDFLAGS = 
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@@ -263,7 +296,7 @@ OBJECTS = $(am_rsh_OBJECTS) $(am_rshd_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/rsh/Makefile
 
@@ -387,6 +420,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
@@ -624,6 +662,9 @@ check-local::
 	  test "$$failed" -eq 0; \
 	fi
 
+login_access.c:
+	$(LN_S) $(srcdir)/../login/login_access.c .
+
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
diff --git a/crypto/heimdal/appl/rsh/rsh.c b/crypto/heimdal/appl/rsh/rsh.c
index 7b97f58..5898099 100644
--- a/crypto/heimdal/appl/rsh/rsh.c
+++ b/crypto/heimdal/appl/rsh/rsh.c
@@ -32,7 +32,7 @@
  */
 
 #include "rsh_locl.h"
-RCSID("$Id: rsh.c,v 1.57 2000/12/31 07:36:54 assar Exp $");
+RCSID("$Id: rsh.c,v 1.58 2001/02/20 01:44:47 assar Exp $");
 
 enum auth_method auth_method;
 int do_encrypt       = -1;
@@ -836,7 +836,7 @@ main(int argc, char **argv)
     if (setuid (uid) || (uid != 0 && setuid(0) == 0))
 	err (1, "setuid");
     
-    set_progname (argv[0]);
+    setprogname (argv[0]);
 
     if (argc >= 2 && argv[1][0] != '-') {
 	host = argv[host_index = 1];
diff --git a/crypto/heimdal/appl/rsh/rshd.c b/crypto/heimdal/appl/rsh/rshd.c
index cd7eb7b..d22f3cf 100644
--- a/crypto/heimdal/appl/rsh/rshd.c
+++ b/crypto/heimdal/appl/rsh/rshd.c
@@ -32,7 +32,10 @@
  */
 
 #include "rsh_locl.h"
-RCSID("$Id: rshd.c,v 1.39 2001/01/09 18:44:29 assar Exp $");
+RCSID("$Id: rshd.c,v 1.41 2001/02/20 01:44:48 assar Exp $");
+
+int
+login_access( struct passwd *user, char *from);
 
 enum auth_method auth_method;
 
@@ -72,6 +75,10 @@ krb5_ticket *user_ticket;
 
 static void
 syslog_and_die (const char *m, ...)
+    __attribute__ ((format (printf, 1, 2)));
+
+static void
+syslog_and_die (const char *m, ...)
 {
     va_list args;
 
@@ -83,6 +90,10 @@ syslog_and_die (const char *m, ...)
 
 static void
 fatal (int sock, const char *m, ...)
+    __attribute__ ((format (printf, 2, 3)));
+
+static void
+fatal (int sock, const char *m, ...)
 {
     va_list args;
     char buf[BUFSIZ];
@@ -586,7 +597,7 @@ doit (int do_kerberos, int check_rhosts)
     struct sockaddr *thataddr = (struct sockaddr *)&thataddr_ss;
     struct sockaddr_storage erraddr_ss;
     struct sockaddr *erraddr = (struct sockaddr *)&erraddr_ss;
-    socklen_t addrlen;
+    socklen_t thisaddr_len, thataddr_len;
     int port;
     int errsock = -1;
     char client_user[COMMAND_SZ], server_user[USERNAME_SZ];
@@ -594,12 +605,14 @@ doit (int do_kerberos, int check_rhosts)
     struct passwd *pwd;
     int s = STDIN_FILENO;
     char **env;
+    int ret;
+    char that_host[NI_MAXHOST];
 
-    addrlen = sizeof(thisaddr_ss);
-    if (getsockname (s, thisaddr, &addrlen) < 0)
+    thisaddr_len = sizeof(thisaddr_ss);
+    if (getsockname (s, thisaddr, &thisaddr_len) < 0)
 	syslog_and_die("getsockname: %m");
-    addrlen = sizeof(thataddr_ss);
-    if (getpeername (s, thataddr, &addrlen) < 0)
+    thataddr_len = sizeof(thataddr_ss);
+    if (getpeername (s, thataddr, &thataddr_len) < 0)
 	syslog_and_die ("getpeername: %m");
 
     if (!do_kerberos && !is_reserved(socket_get_port(thataddr)))
@@ -689,7 +702,7 @@ doit (int do_kerberos, int check_rhosts)
 	    syslog_and_die("recv_bsd_auth failed");
     }
 
-#if defined(DCE) && defined(AIX)
+#if defined(DCE) && defined(_AIX)
     esetenv("AUTHSTATE", "DCE", 1);
 #endif
 
@@ -703,6 +716,19 @@ doit (int do_kerberos, int check_rhosts)
     if (pwd->pw_uid != 0 && access (_PATH_NOLOGIN, F_OK) == 0)
 	fatal (s, "Login disabled.");
 
+
+    ret = getnameinfo_verified (thataddr, thataddr_len,
+				that_host, sizeof(that_host),
+				NULL, 0, 0);
+    if (ret)
+	fatal (s, "getnameinfo: %s", gai_strerror(ret));
+
+    if (login_access(pwd, that_host) == 0) {
+	syslog(LOG_NOTICE, "Kerberos rsh denied to %s from %s",
+	       server_user, that_host);
+	fatal(s, "Permission denied");
+    }
+
 #ifdef HAVE_GETSPNAM
     {
 	struct spwd *sp;
@@ -844,7 +870,7 @@ usage (int ret)
 			NULL,
 			"");
     else
-	syslog (LOG_ERR, "Usage: %s [-ikxlvPL] [-p port]", __progname);
+	syslog (LOG_ERR, "Usage: %s [-ikxlvPL] [-p port]", getprogname());
     exit (ret);
 }
 
@@ -855,7 +881,7 @@ main(int argc, char **argv)
     int optind = 0;
     int port = 0;
 
-    set_progname (argv[0]);
+    setprogname (argv[0]);
     roken_openlog ("rshd", LOG_ODELAY | LOG_PID, LOG_AUTH);
 
     if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv,
diff --git a/crypto/heimdal/appl/su/Makefile.in b/crypto/heimdal/appl/su/Makefile.in
index 93033f0..33f934b 100644
--- a/crypto/heimdal/appl/su/Makefile.in
+++ b/crypto/heimdal/appl/su/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -119,7 +120,7 @@ install_sh = @install_sh@
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = $(PROGRAMS)
 
 bin_PROGRAMS = su
@@ -240,7 +243,7 @@ OBJECTS = $(am_su_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/su/Makefile
 
@@ -332,6 +335,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
diff --git a/crypto/heimdal/appl/su/su.c b/crypto/heimdal/appl/su/su.c
index a5fd442..b43894b 100644
--- a/crypto/heimdal/appl/su/su.c
+++ b/crypto/heimdal/appl/su/su.c
@@ -32,7 +32,7 @@
 
 #include <config.h>
 
-RCSID("$Id: su.c,v 1.18 2001/01/26 16:02:49 joda Exp $");
+RCSID("$Id: su.c,v 1.20 2001/02/20 01:44:48 assar Exp $");
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -50,7 +50,11 @@ RCSID("$Id: su.c,v 1.18 2001/01/26 16:02:49 joda Exp $");
 
 #include <pwd.h>
 
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
 #include <des.h>
+#endif
 #include <krb5.h>
 #include <kafs.h>
 #include <err.h>
@@ -274,7 +278,7 @@ main(int argc, char **argv)
     int ok = 0;
     int kerberos_error=1;
 
-    set_progname (argv[0]);
+    setprogname (argv[0]);
 
     if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
 	usage(1);
diff --git a/crypto/heimdal/appl/telnet/ChangeLog b/crypto/heimdal/appl/telnet/ChangeLog
index 6857151..147066a 100644
--- a/crypto/heimdal/appl/telnet/ChangeLog
+++ b/crypto/heimdal/appl/telnet/ChangeLog
@@ -1,3 +1,36 @@
+2001-04-25  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (start_login): give the correct error if exec
+	fails
+	* telnetd/utility.c (fatalperror_errno): add a new function with
+	explicit errno parameter
+
+2001-03-07  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c: some minimal more amount of
+ 	const-correctness
+
+2001-02-24  Assar Westerlund  <assar@sics.se>
+
+	* libtelnet/enc_des.c: learn to live with libcrypto (from openssl)
+
+2001-02-20  Assar Westerlund  <assar@sics.se>
+
+	* telnet/commands.c (tn): copy the hostname so it doesn't get
+	overwritten while reading ~/.telnetrc
+	(*): removed some unneeded externs
+
+2001-02-08  Assar Westerlund  <assar@sics.se>
+
+	* telnetd/sys_term.c (startslave, start_login): re-write code to
+	keep track both of remote hostname and utmp string to be used
+	* telnetd/telnetd.c (doit, my_telnet): re-write code to keep track
+	both of remote hostname and utmp string to be used
+
+2001-02-07  Assar Westerlund  <assar@sics.se>
+
+	* telnet/Makefile.am, telnetd/Makefile.am: add LIB_kdfs
+
 2001-01-09  Assar Westerlund  <assar@sics.se>
 
 	* libtelnet/kerberos5.c (kerberos5_is): use krb5_rd_cred2 instead
@@ -21,6 +54,9 @@
 
 2000-12-07  Assar Westerlund  <assar@sics.se>
 
+	* telnetd/telnetd.h: move include files around to avoid getting SE
+	from sys/*.h on HP to override SE from telnet.h
+
 	* telnetd/sys_term.c (scrub_env): remove some const-ness
 	* telnetd/sys_term.c (scrub_env): add LOGNAME and POSIXLY_CORRECT
 	to the list of authorized environment variables to be compatible
diff --git a/crypto/heimdal/appl/telnet/Makefile.in b/crypto/heimdal/appl/telnet/Makefile.in
index ad4a164..8a24b8b 100644
--- a/crypto/heimdal/appl/telnet/Makefile.in
+++ b/crypto/heimdal/appl/telnet/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -119,7 +120,7 @@ install_sh = @install_sh@
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = $(PROGRAMS)
 
 SUBDIRS = libtelnet telnet telnetd
@@ -207,9 +210,10 @@ DIST_COMMON =  ChangeLog Makefile.am Makefile.in
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 
 GZIP_ENV = --best
+DIST_SUBDIRS =  $(SUBDIRS)
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .et .h .x
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/telnet/Makefile
 
@@ -250,11 +254,16 @@ mostlyclean-recursive clean-recursive distclean-recursive \
 maintainer-clean-recursive:
 	@set fnord $(MAKEFLAGS); amf=$$2; \
 	dot_seen=no; \
-	rev=''; list='$(SUBDIRS)'; for subdir in $$list; do \
-	  rev="$$subdir $$rev"; \
-	  if test "$$subdir" = "."; then dot_seen=yes; else :; fi; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	rev=''; for subdir in $$list; do \
+	  if test "$$subdir" = "."; then :; else \
+	    rev="$$subdir $$rev"; \
+	  fi; \
 	done; \
-	test "$$dot_seen" = "no" && rev=". $$rev"; \
+	rev="$$rev ."; \
 	target=`echo $@ | sed s/-recursive//`; \
 	for subdir in $$rev; do \
 	  echo "Making $$target in $$subdir"; \
@@ -300,6 +309,11 @@ TAGS: tags-recursive $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
diff --git a/crypto/heimdal/appl/telnet/libtelnet/Makefile.in b/crypto/heimdal/appl/telnet/libtelnet/Makefile.in
index a43a6d5..efa9ad1 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/Makefile.in
+++ b/crypto/heimdal/appl/telnet/libtelnet/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -119,7 +120,7 @@ install_sh = @install_sh@
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = $(PROGRAMS)
 
 noinst_LIBRARIES = libtelnet.a
@@ -245,7 +248,7 @@ OBJECTS = $(am_libtelnet_a_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/telnet/libtelnet/Makefile
 
@@ -319,6 +322,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
diff --git a/crypto/heimdal/appl/telnet/libtelnet/enc_des.c b/crypto/heimdal/appl/telnet/libtelnet/enc_des.c
index a24bfa7..a847138 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/enc_des.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/enc_des.c
@@ -33,7 +33,7 @@
 
 #include <config.h>
 
-RCSID("$Id: enc_des.c,v 1.16 1998/07/09 23:16:23 assar Exp $");
+RCSID("$Id: enc_des.c,v 1.18 2001/02/24 05:47:39 assar Exp $");
 
 #if	defined(AUTHENTICATION) && defined(ENCRYPTION) && defined(DES_ENCRYPTION)
 #include <arpa/telnet.h>
@@ -50,7 +50,11 @@ RCSID("$Id: enc_des.c,v 1.16 1998/07/09 23:16:23 assar Exp $");
 #include "encrypt.h"
 #include "misc-proto.h"
 
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#else
 #include <des.h>
+#endif
 
 extern int encrypt_debug_mode;
 
@@ -404,7 +408,7 @@ static void fb64_session(Session_Key *key, int server, struct fb *fbp)
 	fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_DECRYPT-1]);
 
 	if (fbp->once == 0) {
-#ifndef OLD_DES_RANDOM_KEY
+#if !defined(OLD_DES_RANDOM_KEY) && !defined(HAVE_OPENSSL_DES_H)
 		des_init_random_number_generator(&fbp->krbdes_key);
 #endif
 		fbp->once = 1;
diff --git a/crypto/heimdal/appl/telnet/libtelnet/encrypt.h b/crypto/heimdal/appl/telnet/libtelnet/encrypt.h
index 5919db5..7bc69db 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/encrypt.h
+++ b/crypto/heimdal/appl/telnet/libtelnet/encrypt.h
@@ -55,7 +55,7 @@
  * or implied warranty.
  */
 
-/* $Id: encrypt.h,v 1.4 1997/01/24 23:10:56 assar Exp $ */
+/* $Id: encrypt.h,v 1.6 2001/02/15 06:46:28 assar Exp $ */
 
 #ifndef	__ENCRYPT__
 #define	__ENCRYPT__
@@ -90,6 +90,13 @@ typedef struct {
 
 #define	SK_DES		1	/* Matched Kerberos v5 KEYTYPE_DES */
 
+#ifdef HAVE_OPENSSL_DES_H
+#include <openssl/des.h>
+#define des_new_random_key des_random_key
+#else
+#include <des.h>
+#endif
+
 #include "enc-proto.h"
 
 extern int encrypt_debug_mode;
diff --git a/crypto/heimdal/appl/telnet/libtelnet/kerberos.c b/crypto/heimdal/appl/telnet/libtelnet/kerberos.c
index a003007..ea5a51e 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/kerberos.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/kerberos.c
@@ -55,7 +55,7 @@
 #include <config.h>
 #endif
 
-RCSID("$Id: kerberos.c,v 1.50 2000/11/23 02:28:06 joda Exp $");
+RCSID("$Id: kerberos.c,v 1.51 2001/02/15 04:20:52 assar Exp $");
 
 #ifdef	KRB4
 #ifdef HAVE_SYS_TYPES_H
@@ -65,7 +65,6 @@ RCSID("$Id: kerberos.c,v 1.50 2000/11/23 02:28:06 joda Exp $");
 #include <arpa/telnet.h>
 #endif
 #include <stdio.h>
-#include <des.h>	/* BSD wont include this in krb.h, so we do it here */
 #include <krb.h>
 #include <pwd.h>
 #include <stdlib.h>
diff --git a/crypto/heimdal/appl/telnet/libtelnet/krb4encpwd.c b/crypto/heimdal/appl/telnet/libtelnet/krb4encpwd.c
index a85d562c..0a4ff86 100644
--- a/crypto/heimdal/appl/telnet/libtelnet/krb4encpwd.c
+++ b/crypto/heimdal/appl/telnet/libtelnet/krb4encpwd.c
@@ -33,7 +33,7 @@
 
 #include <config.h>
 
-RCSID("$Id: krb4encpwd.c,v 1.18 1999/09/16 20:41:34 assar Exp $");
+RCSID("$Id: krb4encpwd.c,v 1.19 2001/02/15 04:20:52 assar Exp $");
 
 #ifdef	KRB4_ENCPWD
 /*
@@ -74,7 +74,6 @@ RCSID("$Id: krb4encpwd.c,v 1.18 1999/09/16 20:41:34 assar Exp $");
 #include <pwd.h>
 #include <stdio.h>
 
-#include <des.h>
 #include <krb.h>
 #include <stdlib.h>
 #include <string.h>
diff --git a/crypto/heimdal/appl/telnet/telnet/Makefile.am b/crypto/heimdal/appl/telnet/telnet/Makefile.am
index 7dd9c19..3107850 100644
--- a/crypto/heimdal/appl/telnet/telnet/Makefile.am
+++ b/crypto/heimdal/appl/telnet/telnet/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $
+# $Id: Makefile.am,v 1.15 2001/02/07 06:11:52 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -19,4 +19,5 @@ LDADD = ../libtelnet/libtelnet.a \
 	$(LIB_krb4) \
 	$(LIB_des) \
 	$(LIB_tgetent) \
+	$(LIB_kdfs) \
 	$(LIB_roken)
diff --git a/crypto/heimdal/appl/telnet/telnet/Makefile.in b/crypto/heimdal/appl/telnet/telnet/Makefile.in
index 0a23fd9..02dedee 100644
--- a/crypto/heimdal/appl/telnet/telnet/Makefile.in
+++ b/crypto/heimdal/appl/telnet/telnet/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -113,13 +114,13 @@ dpagaix_CFLAGS = @dpagaix_CFLAGS@
 dpagaix_LDADD = @dpagaix_LDADD@
 install_sh = @install_sh@
 
-# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $
+# $Id: Makefile.am,v 1.15 2001/02/07 06:11:52 assar Exp $
 
 
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = 
 
 bin_PROGRAMS = telnet
@@ -201,6 +204,7 @@ LDADD = ../libtelnet/libtelnet.a \
 	$(LIB_krb4) \
 	$(LIB_des) \
 	$(LIB_tgetent) \
+	$(LIB_kdfs) \
 	$(LIB_roken)
 
 subdir = appl/telnet/telnet
@@ -223,10 +227,16 @@ network.$(OBJEXT) ring.$(OBJEXT) sys_bsd.$(OBJEXT) telnet.$(OBJEXT) \
 terminal.$(OBJEXT) utilities.$(OBJEXT)
 telnet_OBJECTS =  $(am_telnet_OBJECTS)
 telnet_LDADD = $(LDADD)
-@KRB5_FALSE@telnet_DEPENDENCIES =  ../libtelnet/libtelnet.a
-@KRB5_TRUE@telnet_DEPENDENCIES =  ../libtelnet/libtelnet.a \
-@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@DCE_FALSE@@KRB5_FALSE@telnet_DEPENDENCIES =  ../libtelnet/libtelnet.a
+@DCE_FALSE@@KRB5_TRUE@telnet_DEPENDENCIES =  ../libtelnet/libtelnet.a \
+@DCE_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@DCE_TRUE@@KRB5_FALSE@telnet_DEPENDENCIES =  ../libtelnet/libtelnet.a \
+@DCE_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kdfs/libkdfs.la
+@DCE_TRUE@@KRB5_TRUE@telnet_DEPENDENCIES =  ../libtelnet/libtelnet.a \
+@DCE_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@DCE_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
 telnet_LDFLAGS = 
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@@ -248,7 +258,7 @@ OBJECTS = $(am_telnet_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/telnet/telnet/Makefile
 
@@ -381,6 +391,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
diff --git a/crypto/heimdal/appl/telnet/telnet/commands.c b/crypto/heimdal/appl/telnet/telnet/commands.c
index 7d71979..9ddcfd9 100644
--- a/crypto/heimdal/appl/telnet/telnet/commands.c
+++ b/crypto/heimdal/appl/telnet/telnet/commands.c
@@ -33,7 +33,7 @@
 
 #include "telnet_locl.h"
 
-RCSID("$Id: commands.c,v 1.64 2000/12/11 01:44:01 assar Exp $");
+RCSID("$Id: commands.c,v 1.65 2001/02/20 03:12:09 assar Exp $");
 
 #if	defined(IPPROTO_IP) && defined(IP_TOS)
 int tos = -1;
@@ -988,7 +988,6 @@ unsetcmd(int argc, char *argv[])
  * 'mode' command.
  */
 #ifdef	KLUDGELINEMODE
-extern int kludgelinemode;
 
 static int
 dokludgemode(void)
@@ -1030,7 +1029,6 @@ static int
 dolmmode(int bit, int on)
 {
     unsigned char c;
-    extern int linemode;
 
     if (my_want_state_is_wont(TELOPT_LINEMODE)) {
 	printf("?Need to have LINEMODE option enabled first.\r\n");
@@ -1328,8 +1326,6 @@ shell(int argc, char **argv)
 static int
 bye(int argc, char **argv)
 {
-    extern int resettermname;
-
     if (connected) {
 	shutdown(net, 2);
 	printf("Connection closed.\r\n");
@@ -1551,7 +1547,6 @@ env_find(unsigned char *var)
 void
 env_init(void)
 {
-	extern char **environ;
 	char **epp, *cp;
 	struct env_lst *ep;
 
@@ -1972,7 +1967,7 @@ status(int argc, char **argv)
 /*
  * Function that gets called when SIGINFO is received.
  */
-void
+RETSIGTYPE
 ayt_status(int ignore)
 {
     call(status, "status", "notmuch", 0);
@@ -2117,6 +2112,7 @@ tn(int argc, char **argv)
 	goto usage;
 
     strlcpy (_hostname, hostp, sizeof(_hostname));
+    hostp = _hostname;
     if (hostp[0] == '@' || hostp[0] == '!') {
 	char *p;
 	hostname = NULL;
diff --git a/crypto/heimdal/appl/telnet/telnet/externs.h b/crypto/heimdal/appl/telnet/telnet/externs.h
index 10d8dcc..14337af 100644
--- a/crypto/heimdal/appl/telnet/telnet/externs.h
+++ b/crypto/heimdal/appl/telnet/telnet/externs.h
@@ -33,7 +33,7 @@
  *	@(#)externs.h	8.3 (Berkeley) 5/30/95
  */
 
-/* $Id: externs.h,v 1.20 2000/11/15 23:01:29 assar Exp $ */
+/* $Id: externs.h,v 1.21 2001/03/06 20:10:13 assar Exp $ */
 
 #ifndef	BSD
 # define BSD 43
@@ -223,7 +223,7 @@ int 	EncryptStatus (void);
 #endif
 
 #ifdef SIGINFO
-void ayt_status(int);
+RETSIGTYPE ayt_status(int);
 #endif
 int tn(int argc, char **argv);
 void command(int top, char *tbuf, int cnt);
@@ -428,3 +428,8 @@ extern Ring
     ttyoring,
     ttyiring;
 
+extern int resettermname;
+extern int linemode;
+#ifdef KLUDGELINEMODE
+extern int kludgelinemode;
+#endif
diff --git a/crypto/heimdal/appl/telnet/telnet/sys_bsd.c b/crypto/heimdal/appl/telnet/telnet/sys_bsd.c
index e47079e..9b3f9da 100644
--- a/crypto/heimdal/appl/telnet/telnet/sys_bsd.c
+++ b/crypto/heimdal/appl/telnet/telnet/sys_bsd.c
@@ -33,7 +33,7 @@
 
 #include "telnet_locl.h"
 
-RCSID("$Id: sys_bsd.c,v 1.26 2000/10/19 21:19:57 assar Exp $");
+RCSID("$Id: sys_bsd.c,v 1.27 2001/03/06 20:10:14 assar Exp $");
 
 /*
  * The following routines try to encapsulate what is system dependent
@@ -118,9 +118,6 @@ TerminalAutoFlush(void)
 #endif	/* LNOFLSH */
 }
 
-#ifdef	KLUDGELINEMODE
-extern int kludgelinemode;
-#endif
 /*
  * TerminalSpecialChars()
  *
diff --git a/crypto/heimdal/appl/telnet/telnet/telnet.cat1 b/crypto/heimdal/appl/telnet/telnet/telnet.cat1
new file mode 100644
index 0000000..708994e
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnet/telnet.cat1
@@ -0,0 +1,718 @@
+
+TELNET(1)                    UNIX Reference Manual                   TELNET(1)
+
+NNAAMMEE
+     tteellnneett - user interface to the TELNET protocol
+
+SSYYNNOOPPSSIISS
+     tteellnneett [--7788EEFFKKLLaaccddffrrxx] [--SS _t_o_s] [--XX _a_u_t_h_t_y_p_e] [--ee _e_s_c_a_p_e_c_h_a_r] [--kk _r_e_a_l_m]
+            [--ll _u_s_e_r] [--nn _t_r_a_c_e_f_i_l_e] [_h_o_s_t [port]]
+
+DDEESSCCRRIIPPTTIIOONN
+     The tteellnneett command is used to communicate with another host using the
+     TELNET protocol.  If tteellnneett is invoked without the _h_o_s_t argument, it en-
+     ters command mode, indicated by its prompt (tteellnneett>>). In this mode, it
+     accepts and executes the commands listed below.  If it is invoked with
+     arguments, it performs an ooppeenn command with those arguments.
+
+     Options:
+
+     --88      Specifies an 8-bit data path.  This causes an attempt to negoti-
+             ate the TELNET BINARY option on both input and output.
+
+     --77      Do not try to negotiate TELNET BINARY option.
+
+     --EE      Stops any character from being recognized as an escape character.
+
+     --FF      If Kerberos V5 authentication is being used, the --FF option allows
+             the local credentials to be forwarded to the remote system, in-
+             cluding any credentials that have already been forwarded into the
+             local environment.
+
+     --KK      Specifies no automatic login to the remote system.
+
+     --LL      Specifies an 8-bit data path on output.  This causes the BINARY
+             option to be negotiated on output.
+
+     --SS _t_o_s  Sets the IP type-of-service (TOS) option for the telnet connec-
+             tion to the value _t_o_s, which can be a numeric TOS value or, on
+             systems that support it, a symbolic TOS name found in the
+             /etc/iptos file.
+
+     --XX _a_t_y_p_e
+             Disables the _a_t_y_p_e type of authentication.
+
+     --aa      Attempt automatic login.  Currently, this sends the user name via
+             the USER variable of the ENVIRON option if supported by the re-
+             mote system.  The name used is that of the current user as re-
+             turned by getlogin(2) if it agrees with the current user ID, oth-
+             erwise it is the name associated with the user ID.
+
+     --cc      Disables the reading of the user's _._t_e_l_n_e_t_r_c file.  (See the
+             ttooggggllee sskkiipprrcc command on this man page.)
+
+     --dd      Sets the initial value of the ddeebbuugg toggle to TRUE
+
+     --ee _e_s_c_a_p_e _c_h_a_r
+             Sets the initial tteellnneett tteellnneett escape character to _e_s_c_a_p_e _c_h_a_r.
+             If _e_s_c_a_p_e _c_h_a_r is omitted, then there will be no escape charac-
+             ter.
+
+     --ff      If Kerberos V5 authentication is being used, the --ff option allows
+             the local credentials to be forwarded to the remote system.
+
+     --kk _r_e_a_l_m
+             If Kerberos authentication is being used, the --kk option requests
+             that telnet obtain tickets for the remote host in realm realm in-
+             stead of the remote host's realm, as determined by
+             krb_realmofhost(3).
+
+     --ll _u_s_e_r
+             When connecting to the remote system, if the remote system under-
+             stands the ENVIRON option, then _u_s_e_r will be sent to the remote
+             system as the value for the variable USER.  This option implies
+             the --aa option.  This option may also be used with the ooppeenn com-
+             mand.
+
+     --nn _t_r_a_c_e_f_i_l_e
+             Opens _t_r_a_c_e_f_i_l_e for recording trace information.  See the sseett
+             ttrraacceeffiillee command below.
+
+     --rr      Specifies a user interface similar to rlogin(1).  In this mode,
+             the escape character is set to the tilde (~) character, unless
+             modified by the -e option.
+
+     --xx      Turns on encryption of the data stream if possible. This is cur-
+             rently the default and when it fails a warning is issued.
+
+     _h_o_s_t    Indicates the official name, an alias, or the Internet address of
+             a remote host.
+
+     _p_o_r_t    Indicates a port number (address of an application).  If a number
+             is not specified, the default tteellnneett port is used.
+
+     When in rlogin mode, a line of the form ~.  disconnects from the remote
+     host; ~ is the telnet escape character.  Similarly, the line ~^Z suspends
+     the telnet session.  The line ~^] escapes to the normal telnet escape
+     prompt.
+
+     Once a connection has been opened, tteellnneett will attempt to enable the
+     TELNET LINEMODE option.  If this fails, then tteellnneett will revert to one of
+     two input modes: either ``character at a time'' or ``old line by line''
+     depending on what the remote system supports.
+
+     When LINEMODE is enabled, character processing is done on the local sys-
+     tem, under the control of the remote system.  When input editing or char-
+     acter echoing is to be disabled, the remote system will relay that infor-
+     mation.  The remote system will also relay changes to any special charac-
+     ters that happen on the remote system, so that they can take effect on
+     the local system.
+
+     In ``character at a time'' mode, most text typed is immediately sent to
+     the remote host for processing.
+
+     In ``old line by line'' mode, all text is echoed locally, and (normally)
+     only completed lines are sent to the remote host.  The ``local echo char-
+     acter'' (initially ``^E'') may be used to turn off and on the local echo
+     (this would mostly be used to enter passwords without the password being
+     echoed).
+
+     If the LINEMODE option is enabled, or if the llooccaallcchhaarrss toggle is TRUE
+     (the default for ``old line by line``; see below), the user's qquuiitt, iinnttrr,
+     and fflluusshh characters are trapped locally, and sent as TELNET protocol se-
+     quences to the remote side.  If LINEMODE has ever been enabled, then the
+     user's ssuusspp and eeooff are also sent as TELNET protocol sequences, and qquuiitt
+     is sent as a TELNET ABORT instead of BREAK There are options (see ttooggggllee
+     aauuttoofflluusshh and ttooggggllee aauuttoossyynncchh below) which cause this action to flush
+     subsequent output to the terminal (until the remote host acknowledges the
+     TELNET sequence) and flush previous terminal input (in the case of qquuiitt
+     and iinnttrr).
+
+
+     While connected to a remote host, tteellnneett command mode may be entered by
+     typing the tteellnneett ``escape character'' (initially ``^]'').  When in com-
+     mand mode, the normal terminal editing conventions are available.
+
+     The following tteellnneett commands are available.  Only enough of each command
+     to uniquely identify it need be typed (this is also true for arguments to
+     the mmooddee, sseett, ttooggggllee, uunnsseett, ssllcc, eennvviirroonn, and ddiissppllaayy commands).
+
+     aauutthh _a_r_g_u_m_e_n_t _._._.
+                The auth command manipulates the information sent through the
+                TELNET AUTHENTICATE option.  Valid arguments for the auth com-
+                mand are as follows:
+
+                ddiissaabbllee _t_y_p_e  Disables the specified type of authentication.
+                              To obtain a list of available types, use the
+                              aauutthh ddiissaabbllee ?? command.
+
+                eennaabbllee _t_y_p_e   Enables the specified type of authentication.
+                              To obtain a list of available types, use the
+                              aauutthh eennaabbllee ?? command.
+
+                ssttaattuuss        Lists the current status of the various types of
+                              authentication.
+
+     cclloossee      Close a TELNET session and return to command mode.
+
+     ddiissppllaayy _a_r_g_u_m_e_n_t _._._.
+                Displays all, or some, of the sseett and ttooggggllee values (see be-
+                low).
+
+     eennccrryypptt _a_r_g_u_m_e_n_t _._._.
+                The encrypt command manipulates the information sent through
+                the TELNET ENCRYPT option.
+
+                Note:  Because of export controls, the TELNET ENCRYPT option
+                is not supported outside of the United States and Canada.
+
+                Valid arguments for the encrypt command are as follows:
+
+                ddiissaabbllee _t_y_p_e [iinnppuutt | oouuttppuutt]
+                              Disables the specified type of encryption.  If
+                              you omit the input and output, both input and
+                              output are disabled.  To obtain a list of avail-
+                              able types, use the eennccrryypptt ddiissaabbllee ?? command.
+
+                eennaabbllee _t_y_p_e [iinnppuutt | oouuttppuutt]
+                              Enables the specified type of encryption.  If
+                              you omit input and output, both input and output
+                              are enabled.  To obtain a list of available
+                              types, use the eennccrryypptt eennaabbllee ?? command.
+
+                iinnppuutt         This is the same as the eennccrryypptt ssttaarrtt iinnppuutt com-
+                              mand.
+
+                --iinnppuutt        This is the same as the eennccrryypptt ssttoopp iinnppuutt com-
+                              mand.
+
+                oouuttppuutt        This is the same as the eennccrryypptt ssttaarrtt oouuttppuutt
+                              command.
+
+                --oouuttppuutt       This is the same as the eennccrryypptt ssttoopp oouuttppuutt com-
+                              mand.
+
+                ssttaarrtt [iinnppuutt | oouuttppuutt]
+                              Attempts to start encryption.  If you omit iinnppuutt
+                              and oouuttppuutt, both input and output are enabled.
+                              To obtain a list of available types, use the
+                              eennccrryypptt eennaabbllee ?? command.
+
+                ssttaattuuss        Lists the current status of encryption.
+
+                ssttoopp [iinnppuutt | oouuttppuutt]
+                              Stops encryption.  If you omit input and output,
+                              encryption is on both input and output.
+
+                ttyyppee _t_y_p_e     Sets the default type of encryption to be used
+                              with later eennccrryypptt ssttaarrtt or eennccrryypptt ssttoopp com-
+                              mands.
+
+     eennvviirroonn _a_r_g_u_m_e_n_t_s _._._.
+                The eennvviirroonn command is used to manipulate the the variables
+                that my be sent through the TELNET ENVIRON option.  The ini-
+                tial set of variables is taken from the users environment,
+                with only the DISPLAY and PRINTER variables being exported by
+                default.  The USER variable is also exported if the --aa or --ll
+                options are used.
+
+                Valid arguments for the eennvviirroonn command are:
+
+                ddeeffiinnee _v_a_r_i_a_b_l_e _v_a_l_u_e
+                            Define the variable _v_a_r_i_a_b_l_e to have a value of
+                            _v_a_l_u_e. Any variables defined by this command are
+                            automatically exported.  The _v_a_l_u_e may be enclosed
+                            in single or double quotes so that tabs and spaces
+                            may be included.
+
+                uunnddeeffiinnee _v_a_r_i_a_b_l_e
+                            Remove _v_a_r_i_a_b_l_e from the list of environment vari-
+                            ables.
+
+                eexxppoorrtt _v_a_r_i_a_b_l_e
+                            Mark the variable _v_a_r_i_a_b_l_e to be exported to the
+                            remote side.
+
+                uunneexxppoorrtt _v_a_r_i_a_b_l_e
+                            Mark the variable _v_a_r_i_a_b_l_e to not be exported un-
+                            less explicitly asked for by the remote side.
+
+                lliisstt        List the current set of environment variables.
+                            Those marked with a ** will be sent automatically,
+                            other variables will only be sent if explicitly
+                            requested.
+
+                ??           Prints out help information for the eennvviirroonn com-
+                            mand.
+
+     llooggoouutt     Sends the TELNET LOGOUT option to the remote side.  This com-
+                mand is similar to a cclloossee command; however, if the remote
+                side does not support the LOGOUT option, nothing happens.  If,
+                however, the remote side does support the LOGOUT option, this
+                command should cause the remote side to close the TELNET con-
+                nection.  If the remote side also supports the concept of sus-
+                pending a user's session for later reattachment, the logout
+                argument indicates that you should terminate the session imme-
+                diately.
+
+     mmooddee _t_y_p_e  _T_y_p_e is one of several options, depending on the state of the
+                TELNET session.  The remote host is asked for permission to go
+                into the requested mode.  If the remote host is capable of en-
+                tering that mode, the requested mode will be entered.
+
+                cchhaarraacctteerr     Disable the TELNET LINEMODE option, or, if the
+                              remote side does not understand the LINEMODE op-
+                              tion, then enter ``character at a time`` mode.
+
+                lliinnee          Enable the TELNET LINEMODE option, or, if the
+                              remote side does not understand the LINEMODE op-
+                              tion, then attempt to enter ``old-line-by-line``
+                              mode.
+
+                iissiigg (--iissiigg)  Attempt to enable (disable) the TRAPSIG mode of
+                              the LINEMODE option.  This requires that the
+                              LINEMODE option be enabled.
+
+                eeddiitt (--eeddiitt)  Attempt to enable (disable) the EDIT mode of the
+                              LINEMODE option.  This requires that the
+                              LINEMODE option be enabled.
+
+                ssooffttttaabbss (--ssooffttttaabbss)
+                              Attempt to enable (disable) the SOFT_TAB mode of
+                              the LINEMODE option.  This requires that the
+                              LINEMODE option be enabled.
+
+                lliitteecchhoo (--lliitteecchhoo)
+                              Attempt to enable (disable) the LIT_ECHO mode of
+                              the LINEMODE option.  This requires that the
+                              LINEMODE option be enabled.
+
+                ??             Prints out help information for the mmooddee com-
+                              mand.
+
+     ooppeenn _h_o_s_t [--ll _u_s_e_r] [[--]_p_o_r_t]
+                Open a connection to the named host.  If no port number is
+                specified, tteellnneett will attempt to contact a TELNET server at
+                the default port.  The host specification may be either a host
+                name (see hosts(5))  or an Internet address specified in the
+                ``dot notation'' (see inet(3)).  The [--ll] option may be used
+                to specify the user name to be passed to the remote system via
+                the ENVIRON option.  When connecting to a non-standard port,
+                tteellnneett omits any automatic initiation of TELNET options.  When
+                the port number is preceded by a minus sign, the initial op-
+                tion negotiation is done.  After establishing a connection,
+                the file _._t_e_l_n_e_t_r_c in the users home directory is opened.
+                Lines beginning with a # are comment lines.  Blank lines are
+                ignored.  Lines that begin without white space are the start
+                of a machine entry.  The first thing on the line is the name
+                of the machine that is being connected to.  The rest of the
+                line, and successive lines that begin with white space are as-
+                sumed to be tteellnneett commands and are processed as if they had
+                been typed in manually to the tteellnneett command prompt.
+
+     qquuiitt       Close any open TELNET session and exit tteellnneett. An end of file
+                (in command mode) will also close a session and exit.
+
+     sseenndd _a_r_g_u_m_e_n_t_s
+                Sends one or more special character sequences to the remote
+                host.  The following are the arguments which may be specified
+                (more than one argument may be specified at a time):
+
+                aabboorrtt   Sends the TELNET ABORT (Abort processes) sequence.
+
+                aaoo      Sends the TELNET AO (Abort Output) sequence, which
+                        should cause the remote system to flush all output
+                        _f_r_o_m the remote system _t_o the user's terminal.
+
+                aayytt     Sends the TELNET AYT (Are You There) sequence, to
+                        which the remote system may or may not choose to re-
+
+                        spond.
+
+                bbrrkk     Sends the TELNET BRK (Break) sequence, which may have
+                        significance to the remote system.
+
+                eecc      Sends the TELNET EC (Erase Character) sequence, which
+                        should cause the remote system to erase the last char-
+                        acter entered.
+
+                eell      Sends the TELNET EL (Erase Line) sequence, which
+                        should cause the remote system to erase the line cur-
+                        rently being entered.
+
+                eeooff     Sends the TELNET EOF (End Of File) sequence.
+
+                eeoorr     Sends the TELNET EOR (End of Record) sequence.
+
+                eessccaappee  Sends the current tteellnneett escape character (initially
+                        ``^'').
+
+                ggaa      Sends the TELNET GA (Go Ahead) sequence, which likely
+                        has no significance to the remote system.
+
+                ggeettssttaattuuss
+                        If the remote side supports the TELNET STATUS command,
+                        ggeettssttaattuuss will send the subnegotiation to request that
+                        the server send its current option status.
+
+                iipp      Sends the TELNET IP (Interrupt Process) sequence,
+                        which should cause the remote system to abort the cur-
+                        rently running process.
+
+                nnoopp     Sends the TELNET NOP (No OPeration) sequence.
+
+                ssuusspp    Sends the TELNET SUSP (SUSPend process) sequence.
+
+                ssyynncchh   Sends the TELNET SYNCH sequence.  This sequence causes
+                        the remote system to discard all previously typed (but
+                        not yet read) input.  This sequence is sent as TCP ur-
+                        gent data (and may not work if the remote system is a
+                        4.2BSD system -- if it doesn't work, a lower case
+                        ``r'' may be echoed on the terminal).
+
+                ddoo _c_m_d
+
+                ddoonntt _c_m_d
+
+                wwiillll _c_m_d
+
+                wwoonntt _c_m_d
+                        Sends the TELNET DO _c_m_d sequence.  _C_m_d can be either a
+                        decimal number between 0 and 255, or a symbolic name
+                        for a specific TELNET command.  _C_m_d can also be either
+                        hheellpp or ?? to print out help information, including a
+                        list of known symbolic names.
+
+                ??       Prints out help information for the sseenndd command.
+
+     sseett _a_r_g_u_m_e_n_t _v_a_l_u_e
+
+     uunnsseett _a_r_g_u_m_e_n_t _v_a_l_u_e
+                The sseett command will set any one of a number of tteellnneett vari-
+                ables to a specific value or to TRUE. The special value ooffff
+                turns off the function associated with the variable, this is
+                equivalent to using the uunnsseett command.  The uunnsseett command will
+                disable or set to FALSE any of the specified functions.  The
+                values of variables may be interrogated with the ddiissppllaayy com-
+                mand.  The variables which may be set or unset, but not tog-
+                gled, are listed here.  In addition, any of the variables for
+                the ttooggggllee command may be explicitly set or unset using the
+                sseett and uunnsseett commands.
+
+                aayytt     If TELNET is in localchars mode, or LINEMODE is en-
+                        abled, and the status character is typed, a TELNET AYT
+                        sequence (see sseenndd aayytt preceding) is sent to the re-
+                        mote host.  The initial value for the "Are You There"
+                        character is the terminal's status character.
+
+                eecchhoo    This is the value (initially ``^E'') which, when in
+                        ``line by line'' mode, toggles between doing local
+                        echoing of entered characters (for normal processing),
+                        and suppressing echoing of entered characters (for en-
+                        tering, say, a password).
+
+                eeooff     If tteellnneett is operating in LINEMODE or ``old line by
+                        line'' mode, entering this character as the first
+                        character on a line will cause this character to be
+                        sent to the remote system.  The initial value of the
+                        eof character is taken to be the terminal's eeooff char-
+                        acter.
+
+                eerraassee   If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
+                        below), aanndd if tteellnneett is operating in ``character at a
+                        time'' mode, then when this character is typed, a
+                        TELNET EC sequence (see sseenndd eecc above) is sent to the
+                        remote system.  The initial value for the erase char-
+                        acter is taken to be the terminal's eerraassee character.
+
+                eessccaappee  This is the tteellnneett escape character (initially ``^['')
+                        which causes entry into tteellnneett command mode (when con-
+                        nected to a remote system).
+
+                fflluusshhoouuttppuutt
+                        If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
+                        below) and the fflluusshhoouuttppuutt character is typed, a
+                        TELNET AO sequence (see sseenndd aaoo above) is sent to the
+                        remote host.  The initial value for the flush charac-
+                        ter is taken to be the terminal's fflluusshh character.
+
+                ffoorrww11
+
+                ffoorrww22   If TELNET is operating in LINEMODE, these are the
+                        characters that, when typed, cause partial lines to be
+                        forwarded to the remote system.  The initial value for
+                        the forwarding characters are taken from the termi-
+                        nal's eol and eol2 characters.
+
+                iinntteerrrruupptt
+                        If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
+                        below) and the iinntteerrrruupptt character is typed, a TELNET
+                        IP sequence (see sseenndd iipp above) is sent to the remote
+                        host.  The initial value for the interrupt character
+                        is taken to be the terminal's iinnttrr character.
+
+                kkiillll    If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
+                        below), aanndd if tteellnneett is operating in ``character at a
+                        time'' mode, then when this character is typed, a
+                        TELNET EL sequence (see sseenndd eell above) is sent to the
+                        remote system.  The initial value for the kill charac-
+                        ter is taken to be the terminal's kkiillll character.
+
+                llnneexxtt   If tteellnneett is operating in LINEMODE or ``old line by
+                        line`` mode, then this character is taken to be the
+                        terminal's llnneexxtt character.  The initial value for the
+                        lnext character is taken to be the terminal's llnneexxtt
+                        character.
+
+                qquuiitt    If tteellnneett is in llooccaallcchhaarrss mode (see ttooggggllee llooccaallcchhaarrss
+                        below) and the qquuiitt character is typed, a TELNET BRK
+                        sequence (see sseenndd bbrrkk above) is sent to the remote
+                        host.  The initial value for the quit character is
+                        taken to be the terminal's qquuiitt character.
+
+                rreepprriinntt
+                        If tteellnneett is operating in LINEMODE or ``old line by
+                        line`` mode, then this character is taken to be the
+                        terminal's rreepprriinntt character.  The initial value for
+                        the reprint character is taken to be the terminal's
+                        rreepprriinntt character.
+
+                rrllooggiinn  This is the rlogin escape character.  If set, the nor-
+                        mal TELNET escape character is ignored unless it is
+                        preceded by this character at the beginning of a line.
+                        This character, at the beginning of a line followed by
+                        a "."  closes the connection; when followed by a ^Z it
+                        suspends the telnet command.  The initial state is to
+                        disable the rlogin escape character.
+
+                ssttaarrtt   If the TELNET TOGGLE-FLOW-CONTROL option has been en-
+                        abled, then this character is taken to be the termi-
+                        nal's ssttaarrtt character.  The initial value for the kill
+                        character is taken to be the terminal's ssttaarrtt charac-
+                        ter.
+
+                ssttoopp    If the TELNET TOGGLE-FLOW-CONTROL option has been en-
+                        abled, then this character is taken to be the termi-
+                        nal's ssttoopp character.  The initial value for the kill
+                        character is taken to be the terminal's ssttoopp charac-
+                        ter.
+
+                ssuusspp    If tteellnneett is in llooccaallcchhaarrss mode, or LINEMODE is en-
+                        abled, and the ssuussppeenndd character is typed, a TELNET
+                        SUSP sequence (see sseenndd ssuusspp above) is sent to the re-
+                        mote host.  The initial value for the suspend charac-
+                        ter is taken to be the terminal's ssuussppeenndd character.
+
+                ttrraacceeffiillee
+                        This is the file to which the output, caused by
+                        nneettddaattaa or ooppttiioonn tracing being TRUE, will be written.
+                        If it is set to ``--'', then tracing information will
+                        be written to standard output (the default).
+
+                wwoorrddeerraassee
+                        If tteellnneett is operating in LINEMODE or ``old line by
+                        line`` mode, then this character is taken to be the
+                        terminal's wwoorrddeerraassee character.  The initial value for
+                        the worderase character is taken to be the terminal's
+                        wwoorrddeerraassee character.
+
+                ??       Displays the legal sseett (uunnsseett) commands.
+
+     ssllcc _s_t_a_t_e  The ssllcc command (Set Local Characters) is used to set or
+                change the state of the the special characters when the TELNET
+                LINEMODE option has been enabled.  Special characters are
+                characters that get mapped to TELNET commands sequences (like
+                iipp or qquuiitt) or line editing characters (like eerraassee and kkiillll).
+
+
+                By default, the local special characters are exported.
+
+                cchheecckk       Verify the current settings for the current spe-
+                            cial characters.  The remote side is requested to
+                            send all the current special character settings,
+                            and if there are any discrepancies with the local
+                            side, the local side will switch to the remote
+                            value.
+
+                eexxppoorrtt      Switch to the local defaults for the special char-
+                            acters.  The local default characters are those of
+                            the local terminal at the time when tteellnneett was
+                            started.
+
+                iimmppoorrtt      Switch to the remote defaults for the special
+                            characters.  The remote default characters are
+                            those of the remote system at the time when the
+                            TELNET connection was established.
+
+                ??           Prints out help information for the ssllcc command.
+
+     ssttaattuuss     Show the current status of tteellnneett. This includes the peer one
+                is connected to, as well as the current mode.
+
+     ttooggggllee _a_r_g_u_m_e_n_t_s _._._.
+                Toggle (between TRUE and FALSE) various flags that control how
+                tteellnneett responds to events.  These flags may be set explicitly
+                to TRUE or FALSE using the sseett and uunnsseett commands listed
+                above.  More than one argument may be specified.  The state of
+                these flags may be interrogated with the ddiissppllaayy command.
+                Valid arguments are:
+
+                aauutthhddeebbuugg     Turns on debugging information for the authenti-
+                              cation code.
+
+                aauuttoofflluusshh     If aauuttoofflluusshh and llooccaallcchhaarrss are both TRUE, then
+                              when the aaoo, or qquuiitt characters are recognized
+                              (and transformed into TELNET sequences; see sseett
+                              above for details), tteellnneett refuses to display
+                              any data on the user's terminal until the remote
+                              system acknowledges (via a TELNET TIMING MARK
+                              option) that it has processed those TELNET se-
+                              quences.  The initial value for this toggle is
+                              TRUE if the terminal user had not done an "stty
+                              noflsh", otherwise FALSE (see stty(1)).
+
+                aauuttooddeeccrryypptt   When the TELNET ENCRYPT option is negotiated, by
+                              default the actual encryption (decryption) of
+                              the data stream does not start automatically.
+                              The autoencrypt (autodecrypt) command states
+                              that encryption of the output (input) stream
+                              should be enabled as soon as possible.
+
+                              Note:  Because of export controls, the TELNET
+                              ENCRYPT option is not supported outside the
+                              United States and Canada.
+
+                aauuttoollooggiinn     If the remote side supports the TELNET
+                              AUTHENTICATION option TELNET attempts to use it
+                              to perform automatic authentication.  If the
+                              AUTHENTICATION option is not supported, the us-
+                              er's login name are propagated through the
+                              TELNET ENVIRON option.  This command is the same
+                              as specifying _a option on the ooppeenn command.
+
+                aauuttoossyynncchh     If aauuttoossyynncchh and llooccaallcchhaarrss are both TRUE, then
+                              when either the iinnttrr or qquuiitt characters is typed
+                              (see sseett above for descriptions of the iinnttrr and
+                              qquuiitt characters), the resulting TELNET sequence
+                              sent is followed by the TELNET SYNCH sequence.
+                              This procedure sshhoouulldd cause the remote system to
+                              begin throwing away all previously typed input
+                              until both of the TELNET sequences have been
+                              read and acted upon.  The initial value of this
+                              toggle is FALSE.
+
+                bbiinnaarryy        Enable or disable the TELNET BINARY option on
+                              both input and output.
+
+                iinnbbiinnaarryy      Enable or disable the TELNET BINARY option on
+                              input.
+
+                oouuttbbiinnaarryy     Enable or disable the TELNET BINARY option on
+                              output.
+
+                ccrrllff          If this is TRUE, then carriage returns will be
+                              sent as <CR><LF>. If this is FALSE, then car-
+                              riage returns will be send as <CR><NUL>. The
+                              initial value for this toggle is FALSE.
+
+                ccrrmmoodd         Toggle carriage return mode.  When this mode is
+                              enabled, most carriage return characters re-
+                              ceived from the remote host will be mapped into
+                              a carriage return followed by a line feed.  This
+                              mode does not affect those characters typed by
+                              the user, only those received from the remote
+                              host.  This mode is not very useful unless the
+                              remote host only sends carriage return, but nev-
+                              er line feed.  The initial value for this toggle
+                              is FALSE.
+
+                ddeebbuugg         Toggles socket level debugging (useful only to
+                              the ssuuppeerr uusseerr). The initial value for this tog-
+                              gle is FALSE.
+
+                eennccddeebbuugg      Turns on debugging information for the encryp-
+                              tion code.
+
+                llooccaallcchhaarrss    If this is TRUE, then the fflluusshh, iinntteerrrruupptt,
+                              qquuiitt, eerraassee, and kkiillll characters (see sseett above)
+                              are recognized locally, and transformed into
+                              (hopefully) appropriate TELNET control sequences
+                              (respectively aaoo, iipp, bbrrkk, eecc, and eell; see sseenndd
+                              above).  The initial value for this toggle is
+                              TRUE in ``old line by line'' mode, and FALSE in
+                              ``character at a time'' mode.  When the LINEMODE
+                              option is enabled, the value of llooccaallcchhaarrss is
+                              ignored, and assumed to always be TRUE. If
+                              LINEMODE has ever been enabled, then qquuiitt is
+                              sent as aabboorrtt, and eeooff and ssuussppeenndd are sent as
+                              eeooff and ssuusspp, see sseenndd above).
+
+                nneettddaattaa       Toggles the display of all network data (in hex-
+                              adecimal format).  The initial value for this
+                              toggle is FALSE.
+
+                ooppttiioonnss       Toggles the display of some internal tteellnneett pro-
+                              tocol processing (having to do with TELNET op-
+                              tions).  The initial value for this toggle is
+                              FALSE.
+
+                pprreettttyydduummpp    When the nneettddaattaa toggle is enabled, if
+                              pprreettttyydduummpp is enabled the output from the
+                              nneettddaattaa command will be formatted in a more user
+                              readable format.  Spaces are put between each
+                              character in the output, and the beginning of
+                              any TELNET escape sequence is preceded by a '*'
+                              to aid in locating them.
+
+                sskkiipprrcc        When the skiprc toggle is TRUE, TELNET skips the
+                              reading of the _._t_e_l_n_e_t_r_c file in the users home
+                              directory when connections are opened.  The ini-
+                              tial value for this toggle is FALSE.
+
+                tteerrmmddaattaa      Toggles the display of all terminal data (in
+                              hexadecimal format).  The initial value for this
+                              toggle is FALSE.
+
+                vveerrbboossee__eennccrryypptt
+                              When the vveerrbboossee__eennccrryypptt toggle is TRUE, TELNET
+                              prints out a message each time encryption is en-
+                              abled or disabled.  The initial value for this
+                              toggle is FALSE. Note:  Because of export con-
+                              trols, data encryption is not supported outside
+                              of the United States and Canada.
+
+                ??             Displays the legal ttooggggllee commands.
+
+     zz          Suspend tteellnneett. This command only works when the user is using
+                the csh(1).
+
+     !! [_c_o_m_m_a_n_d]
+                Execute a single command in a subshell on the local system.
+                If ccoommmmaanndd is omitted, then an interactive subshell is in-
+                voked.
+
+     ?? [_c_o_m_m_a_n_d]
+                Get help.  With no arguments, tteellnneett prints a help summary.
+                If a command is specified, tteellnneett will print the help informa-
+                tion for just that command.
+
+EENNVVIIRROONNMMEENNTT
+     TTeellnneett uses at least the HOME, SHELL, DISPLAY, and TERM environment vari-
+     ables.  Other environment variables may be propagated to the other side
+     via the TELNET ENVIRON option.
+
+FFIILLEESS
+     ~/.telnetrc  user customized telnet startup values
+
+HHIISSTTOORRYY
+     The TTeellnneett command appeared in 4.2BSD.
+
+NNOOTTEESS
+     On some remote systems, echo has to be turned off manually when in ``old
+     line by line'' mode.
+
+     In ``old line by line'' mode or LINEMODE the terminal's eeooff character is
+     only recognized (and sent to the remote system) when it is the first
+     character on a line.
+
+4.2 Berkeley Distribution        June 1, 1994                               11
diff --git a/crypto/heimdal/appl/telnet/telnet/terminal.c b/crypto/heimdal/appl/telnet/telnet/terminal.c
index 4404384..44e1611 100644
--- a/crypto/heimdal/appl/telnet/telnet/terminal.c
+++ b/crypto/heimdal/appl/telnet/telnet/terminal.c
@@ -33,7 +33,7 @@
 
 #include "telnet_locl.h"
 
-RCSID("$Id: terminal.c,v 1.10 1997/12/15 19:53:06 joda Exp $");
+RCSID("$Id: terminal.c,v 1.11 2001/03/06 20:10:14 assar Exp $");
 
 Ring		ttyoring, ttyiring;
 unsigned char	ttyobuf[2*BUFSIZ], ttyibuf[BUFSIZ];
@@ -151,11 +151,7 @@ ttyflush(int drop)
 int
 getconnmode(void)
 {
-    extern int linemode;
     int mode = 0;
-#ifdef	KLUDGELINEMODE
-    extern int kludgelinemode;
-#endif
 
     if (my_want_state_is_dont(TELOPT_ECHO))
 	mode |= MODE_ECHO;
diff --git a/crypto/heimdal/appl/telnet/telnetd/Makefile.am b/crypto/heimdal/appl/telnet/telnetd/Makefile.am
index d8497c3..c375a05 100644
--- a/crypto/heimdal/appl/telnet/telnetd/Makefile.am
+++ b/crypto/heimdal/appl/telnet/telnetd/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $
+# $Id: Makefile.am,v 1.15 2001/02/07 06:12:02 assar Exp $
 
 include $(top_srcdir)/Makefile.am.common
 
@@ -20,4 +20,5 @@ LDADD = \
 	$(LIB_des) \
 	$(LIB_tgetent) \
 	$(LIB_logwtmp) \
+	$(LIB_kdfs) \
 	$(LIB_roken)
diff --git a/crypto/heimdal/appl/telnet/telnetd/Makefile.in b/crypto/heimdal/appl/telnet/telnetd/Makefile.in
index 07ac35b..c62a8ba 100644
--- a/crypto/heimdal/appl/telnet/telnetd/Makefile.in
+++ b/crypto/heimdal/appl/telnet/telnetd/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -113,13 +114,13 @@ dpagaix_CFLAGS = @dpagaix_CFLAGS@
 dpagaix_LDADD = @dpagaix_LDADD@
 install_sh = @install_sh@
 
-# $Id: Makefile.am,v 1.14 2000/11/15 22:51:11 assar Exp $
+# $Id: Makefile.am,v 1.15 2001/02/07 06:12:02 assar Exp $
 
 
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = 
 
 libexec_PROGRAMS = telnetd
@@ -202,6 +205,7 @@ LDADD = \
 	$(LIB_des) \
 	$(LIB_tgetent) \
 	$(LIB_logwtmp) \
+	$(LIB_kdfs) \
 	$(LIB_roken)
 
 subdir = appl/telnet/telnetd
@@ -224,10 +228,16 @@ termstat.$(OBJEXT) slc.$(OBJEXT) sys_term.$(OBJEXT) utility.$(OBJEXT) \
 global.$(OBJEXT) authenc.$(OBJEXT)
 telnetd_OBJECTS =  $(am_telnetd_OBJECTS)
 telnetd_LDADD = $(LDADD)
-@KRB5_FALSE@telnetd_DEPENDENCIES =  ../libtelnet/libtelnet.a
-@KRB5_TRUE@telnetd_DEPENDENCIES =  ../libtelnet/libtelnet.a \
-@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
-@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@DCE_FALSE@@KRB5_FALSE@telnetd_DEPENDENCIES =  ../libtelnet/libtelnet.a
+@DCE_FALSE@@KRB5_TRUE@telnetd_DEPENDENCIES =  ../libtelnet/libtelnet.a \
+@DCE_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@DCE_TRUE@@KRB5_FALSE@telnetd_DEPENDENCIES =  ../libtelnet/libtelnet.a \
+@DCE_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kdfs/libkdfs.la
+@DCE_TRUE@@KRB5_TRUE@telnetd_DEPENDENCIES =  ../libtelnet/libtelnet.a \
+@DCE_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@DCE_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la \
+@DCE_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
 telnetd_LDFLAGS = 
 COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
 LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
@@ -249,7 +259,7 @@ OBJECTS = $(am_telnetd_OBJECTS)
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/telnet/telnetd/Makefile
 
@@ -382,6 +392,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
diff --git a/crypto/heimdal/appl/telnet/telnetd/ext.h b/crypto/heimdal/appl/telnet/telnetd/ext.h
index 4c122f8..1cba5b6 100644
--- a/crypto/heimdal/appl/telnet/telnetd/ext.h
+++ b/crypto/heimdal/appl/telnet/telnetd/ext.h
@@ -33,7 +33,7 @@
  *	@(#)ext.h	8.2 (Berkeley) 12/15/93
  */
 
-/* $Id: ext.h,v 1.20 2000/11/15 23:03:38 assar Exp $ */
+/* $Id: ext.h,v 1.22 2001/04/24 23:12:11 assar Exp $ */
 
 #ifndef __EXT_H__
 #define __EXT_H__
@@ -116,15 +116,15 @@ void tty_tspeed (int val);
 void tty_rspeed (int val);
 void getptyslave (void);
 int cleanopen (char *line);
-void startslave (char *host, int autologin, char *autoname);
+void startslave (const char *host, const char *, int autologin, char *autoname);
 void init_env (void);
-void start_login (char *host, int autologin, char *name);
+void start_login (const char *host, int autologin, char *name);
 void cleanup (int sig);
 int main (int argc, char **argv);
 int getterminaltype (char *name, size_t);
 void _gettermname (void);
 int terminaltypeok (char *s);
-void my_telnet (int f, int p, char*, int, char*);
+void my_telnet (int f, int p, const char*, const char *, int, char*);
 void interrupt (void);
 void sendbrk (void);
 void sendsusp (void);
@@ -141,6 +141,7 @@ void netflush (void);
 void writenet (unsigned char *ptr, int len);
 void fatal (int f, char *msg);
 void fatalperror (int f, const char *msg);
+void fatalperror_errno (int f, const char *msg, int error);
 void edithost (char *pat, char *host);
 void putstr (char *s);
 void putchr (int cc);
diff --git a/crypto/heimdal/appl/telnet/telnetd/sys_term.c b/crypto/heimdal/appl/telnet/telnetd/sys_term.c
index 7c529af..067f8da 100644
--- a/crypto/heimdal/appl/telnet/telnetd/sys_term.c
+++ b/crypto/heimdal/appl/telnet/telnetd/sys_term.c
@@ -33,7 +33,7 @@
 
 #include "telnetd.h"
 
-RCSID("$Id: sys_term.c,v 1.97 2000/12/08 23:32:06 assar Exp $");
+RCSID("$Id: sys_term.c,v 1.100 2001/04/24 23:11:43 assar Exp $");
 
 #if defined(_CRAY) || (defined(__hpux) && !defined(HAVE_UTMPX_H))
 # define PARENT_DOES_UTMP
@@ -1110,7 +1110,8 @@ make_id (char *tty)
 
 /* ARGSUSED */
 void
-startslave(char *host, int autologin, char *autoname)
+startslave(const char *host, const char *utmp_host,
+	   int autologin, char *autoname)
 {
     int i;
 
@@ -1158,7 +1159,7 @@ startslave(char *host, int autologin, char *autoname)
 	wtmp.ut_type = LOGIN_PROCESS;
 	wtmp.ut_pid = pid;
 	strncpy(wtmp.ut_user,  "LOGIN", sizeof(wtmp.ut_user));
-	strncpy(wtmp.ut_host,  host, sizeof(wtmp.ut_host));
+	strncpy(wtmp.ut_host,  utmp_host, sizeof(wtmp.ut_host));
 	strncpy(wtmp.ut_line,  clean_ttyname(line), sizeof(wtmp.ut_line));
 #ifdef HAVE_STRUCT_UTMP_UT_ID
 	strncpy(wtmp.ut_id, wtmp.ut_line + 3, sizeof(wtmp.ut_id));
@@ -1192,7 +1193,6 @@ extern char **environ;
 void
 init_env(void)
 {
-    extern char *getenv(const char *);
     char **envp;
 
     envp = envinit;
@@ -1259,10 +1259,10 @@ scrub_env(void)
 struct arg_val {
     int size;
     int argc;
-    char **argv;
+    const char **argv;
 };
 
-static void addarg(struct arg_val*, char*);
+static void addarg(struct arg_val*, const char*);
 
 /*
  * start_login(host)
@@ -1272,10 +1272,11 @@ static void addarg(struct arg_val*, char*);
  */
 
 void
-start_login(char *host, int autologin, char *name)
+start_login(const char *host, int autologin, char *name)
 {
     struct arg_val argv;
     char *user;
+    int save_errno;
 
 #ifdef HAVE_UTMPX_H
     int pid = getpid();
@@ -1316,7 +1317,7 @@ start_login(char *host, int autologin, char *name)
     /* init argv structure */ 
     argv.size=0;
     argv.argc=0;
-    argv.argv=(char**)malloc(0); /*so we can call realloc later */
+    argv.argv=malloc(0); /*so we can call realloc later */
     addarg(&argv, "login");
     addarg(&argv, "-h");
     addarg(&argv, host);
@@ -1371,14 +1372,14 @@ start_login(char *host, int autologin, char *name)
     sleep(1);
 
     execv(new_login, argv.argv);
-
+    save_errno = errno;
     syslog(LOG_ERR, "%s: %m\n", new_login);
-    fatalperror(net, new_login);
+    fatalperror_errno(net, new_login, save_errno);
     /*NOTREACHED*/
 }
 
 static void
-addarg(struct arg_val *argv, char *val)
+addarg(struct arg_val *argv, const char *val)
 {
     if(argv->size <= argv->argc+1) {
 	argv->argv = realloc(argv->argv, sizeof(char*) * (argv->size + 10));
diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.c b/crypto/heimdal/appl/telnet/telnetd/telnetd.c
index b788574..af63ce1 100644
--- a/crypto/heimdal/appl/telnet/telnetd/telnetd.c
+++ b/crypto/heimdal/appl/telnet/telnetd/telnetd.c
@@ -33,7 +33,7 @@
 
 #include "telnetd.h"
 
-RCSID("$Id: telnetd.c,v 1.63 2000/10/08 13:32:28 assar Exp $");
+RCSID("$Id: telnetd.c,v 1.64 2001/02/08 16:06:27 assar Exp $");
 
 #ifdef _SC_CRAY_SECURE_SYS
 #include <sys/sysv.h>
@@ -289,9 +289,14 @@ main(int argc, char **argv)
 #endif
 	    break;
 
-	case 'u':
-	    utmp_len = atoi(optarg);
+	case 'u': {
+	    char *eptr;
+
+	    utmp_len = strtol(optarg, &eptr, 0);
+	    if (optarg == eptr)
+		fprintf(stderr, "telnetd: unknown utmp len (%s)\n", optarg);
 	    break;
+	}
 
 	case 'U':
 	    registerd_host_only = 1;
@@ -490,7 +495,6 @@ int
 getterminaltype(char *name, size_t name_sz)
 {
     int retval = -1;
-    void _gettermname();
 
     settimer(baseline);
 #ifdef AUTHENTICATION
@@ -629,7 +633,7 @@ getterminaltype(char *name, size_t name_sz)
 }  /* end of getterminaltype */
 
 void
-_gettermname()
+_gettermname(void)
 {
     /*
      * If the client turned off the option,
@@ -653,9 +657,9 @@ terminaltypeok(char *s)
 }
 
 
-char *hostname;
 char host_name[MaxHostNameLen];
 char remote_host_name[MaxHostNameLen];
+char remote_utmp_name[MaxHostNameLen];
 
 /*
  * Get a pty, scan input lines.
@@ -663,12 +667,10 @@ char remote_host_name[MaxHostNameLen];
 static void
 doit(struct sockaddr *who, int who_len)
 {
-    char *host = NULL;
     int level;
     int ptynum;
     char user_name[256];
     int error;
-    char host_addr[256];
 
     /*
      * Find an available pty to use.
@@ -693,43 +695,42 @@ doit(struct sockaddr *who, int who_len)
     }
 #endif	/* _SC_CRAY_SECURE_SYS */
 
-    error = getnameinfo_verified (who, who_len, host_addr, sizeof(host_addr),
+    error = getnameinfo_verified (who, who_len,
+				  remote_host_name,
+				  sizeof(remote_host_name),
 				  NULL, 0, 
 				  registerd_host_only ? NI_NAMEREQD : 0);
     if (error)
 	fatal(net, "Couldn't resolve your address into a host name.\r\n\
 Please contact your net administrator");
 
-    /*
-     * We must make a copy because Kerberos is probably going
-     * to also do a gethost* and overwrite the static data...
-     */
-    strlcpy(remote_host_name, host_addr, sizeof(remote_host_name));
-    host = remote_host_name;
-
-    /* XXX - should be k_gethostname? */
     gethostname(host_name, sizeof (host_name));
-    hostname = host_name;
+
+    strlcpy (remote_utmp_name, remote_host_name, sizeof(remote_utmp_name));
 
     /* Only trim if too long (and possible) */
-    if (strlen(remote_host_name) > abs(utmp_len)) {
+    if (strlen(remote_utmp_name) > utmp_len) {
 	char *domain = strchr(host_name, '.');
-	char *p = strchr(remote_host_name, '.');
-	if (domain && p && (strcmp(p, domain) == 0))
-	    *p = 0; /* remove domain part */
+	char *p = strchr(remote_utmp_name, '.');
+	if (domain != NULL && p != NULL && (strcmp(p, domain) == 0))
+	    *p = '\0'; /* remove domain part */
     }
 
-
     /*
      * If hostname still doesn't fit utmp, use ipaddr.
      */
-    if (strlen(remote_host_name) > abs(utmp_len))
-	strlcpy(remote_host_name,
-		host_addr,
-		sizeof(remote_host_name));
+    if (strlen(remote_utmp_name) > utmp_len) {
+	error = getnameinfo (who, who_len,
+			     remote_utmp_name,
+			     sizeof(remote_utmp_name),
+			     NULL, 0,
+			     NI_NUMERICHOST);
+	if (error)
+	    fatal(net, "Couldn't get numeric address\r\n");
+    }
 
 #ifdef AUTHENTICATION
-    auth_encrypt_init(hostname, host, "TELNETD", 1);
+    auth_encrypt_init(host_name, remote_host_name, "TELNETD", 1);
 #endif
 
     init_env();
@@ -750,7 +751,8 @@ Please contact your net administrator");
 #endif	/* _SC_CRAY_SECURE_SYS */
 
     /* begin server processing */
-    my_telnet(net, ourpty, host, level, user_name);
+    my_telnet(net, ourpty, remote_host_name, remote_utmp_name,
+	      level, user_name);
     /*NOTREACHED*/
 }  /* end of doit */
 
@@ -777,7 +779,8 @@ show_issue(void)
  * hand data to telnet receiver finite state machine.
  */
 void
-my_telnet(int f, int p, char *host, int level, char *autoname)
+my_telnet(int f, int p, const char *host, const char *utmp_host,
+	  int level, char *autoname)
 {
     int on = 1;
     char *he;
@@ -960,7 +963,7 @@ my_telnet(int f, int p, char *host, int level, char *autoname)
            indefinitely */
 	if(!startslave_called && (!encrypt_delay() || timeout > time(NULL))){
 	    startslave_called = 1;
-	    startslave(host, level, autoname);
+	    startslave(host, utmp_host, level, autoname);
 	}
 
 	if (ncc < 0 && pcc < 0)
diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.cat8 b/crypto/heimdal/appl/telnet/telnetd/telnetd.cat8
new file mode 100644
index 0000000..988bf31
--- /dev/null
+++ b/crypto/heimdal/appl/telnet/telnetd/telnetd.cat8
@@ -0,0 +1,297 @@
+
+TELNETD(8)               UNIX System Manager's Manual               TELNETD(8)
+
+NNAAMMEE
+     tteellnneettdd - DARPA TELNET protocol server
+
+SSYYNNOOPPSSIISS
+     tteellnneettdd [--BBUUhhkkllnn] [--DD _d_e_b_u_g_m_o_d_e] [--SS _t_o_s] [--XX _a_u_t_h_t_y_p_e] [--aa _a_u_t_h_m_o_d_e]
+             [--rr_l_o_w_p_t_y_-_h_i_g_h_p_t_y] [--uu _l_e_n] [--ddeebbuugg] [--LL _/_b_i_n_/_l_o_g_i_n] [_p_o_r_t]
+
+DDEESSCCRRIIPPTTIIOONN
+     The tteellnneettdd command is a server which supports the DARPA standard TELNET
+     virtual terminal protocol.  TTeellnneettdd is normally invoked by the internet
+     server (see inetd(8))  for requests to connect to the TELNET port as in-
+     dicated by the _/_e_t_c_/_s_e_r_v_i_c_e_s file (see services(5)).  The --ddeebbuugg option
+     may be used to start up tteellnneettdd manually, instead of through inetd(8).
+     If started up this way, _p_o_r_t may be specified to run tteellnneettdd on an alter-
+     nate TCP port number.
+
+     The tteellnneettdd command accepts the following options:
+
+     --aa _a_u_t_h_m_o_d_e  This option may be used for specifying what mode should be
+                  used for authentication.  Note that this option is only use-
+                  ful if tteellnneettdd has been compiled with support for the
+                  AUTHENTICATION option.  There are several valid values for
+                  _a_u_t_h_m_o_d_e:
+
+                  debug  Turns on authentication debugging code.
+
+                  user   Only allow connections when the remote user can pro-
+                         vide valid authentication information to identify the
+                         remote user, and is allowed access to the specified
+                         account without providing a password.
+
+                  valid  Only allow connections when the remote user can pro-
+                         vide valid authentication information to identify the
+                         remote user.  The login(1) command will provide any
+                         additional user verification needed if the remote us-
+                         er is not allowed automatic access to the specified
+                         account.
+
+                  other  Only allow connections that supply some authentica-
+                         tion information.  This option is currently not sup-
+                         ported by any of the existing authentication mecha-
+                         nisms, and is thus the same as specifying --aa vvaalliidd.
+
+                  otp    Only allow authenticated connections (as with --aa
+                         uusseerr) and also logins with one-time passwords (OTPs).
+                         This option will call login with an option so that
+                         only OTPs are accepted.  The user can of course still
+                         type secret information at the prompt.
+
+                  none   This is the default state.  Authentication informa-
+                         tion is not required.  If no or insufficient authen-
+                         tication information is provided, then the login(1)
+                         program will provide the necessary user verification.
+
+                  off    This disables the authentication code.  All user ver-
+                         ification will happen through the login(1) program.
+
+     --BB           Ignored.
+
+     --DD _d_e_b_u_g_m_o_d_e
+                  This option may be used for debugging purposes.  This allows
+                  tteellnneettdd to print out debugging information to the connec-
+                  tion, allowing the user to see what tteellnneettdd is doing.  There
+                  are several possible values for _d_e_b_u_g_m_o_d_e:
+
+                  ooppttiioonnss   Prints information about the negotiation of TELNET
+                            options.
+
+                  rreeppoorrtt    Prints the ooppttiioonnss information, plus some addi-
+                            tional information about what processing is going
+                            on.
+
+                  nneettddaattaa   Displays the data stream received by tteellnneettdd.
+
+                  ppttyyddaattaa   Displays data written to the pty.
+
+                  eexxeerrcciissee  Has not been implemented yet.
+
+     --hh           Disables the printing of host-specific information before
+                  login has been completed.
+
+     --kk
+
+     --ll           Ignored.
+
+     --nn           Disable TCP keep-alives.  Normally tteellnneettdd enables the TCP
+                  keep-alive mechanism to probe connections that have been
+                  idle for some period of time to determine if the client is
+                  still there, so that idle connections from machines that
+                  have crashed or can no longer be reached may be cleaned up.
+
+     --rr _l_o_w_p_t_y_-_h_i_g_h_p_t_y
+                  This option is only enabled when tteellnneettdd is compiled for
+                  UNICOS. It specifies an inclusive range of pseudo-terminal
+                  devices to use.  If the system has sysconf variable
+                  _SC_CRAY_NPTY configured, the default pty search range is 0
+                  to _SC_CRAY_NPTY; otherwise, the default range is 0 to 128.
+                  Either _l_o_w_p_t_y or _h_i_g_h_p_t_y may be omitted to allow changing
+                  either end of the search range.  If _l_o_w_p_t_y is omitted, the -
+                  character is still required so that tteellnneettdd can differenti-
+                  ate _h_i_g_h_p_t_y from _l_o_w_p_t_y.
+
+     --SS _t_o_s
+
+     --uu _l_e_n       This option is used to specify the size of the field in the
+                  utmp structure that holds the remote host name.  If the re-
+                  solved host name is longer than _l_e_n, the dotted decimal val-
+                  ue will be used instead.  This allows hosts with very long
+                  host names that overflow this field to still be uniquely
+                  identified.  Specifying --uu00 indicates that only dotted deci-
+                  mal addresses should be put into the _u_t_m_p file.
+
+     --UU           This option causes tteellnneettdd to refuse connections from ad-
+                  dresses that cannot be mapped back into a symbolic name via
+                  the gethostbyaddr(3) routine.
+
+     --XX _a_u_t_h_t_y_p_e  This option is only valid if tteellnneettdd has been built with
+                  support for the authentication option.  It disables the use
+                  of _a_u_t_h_t_y_p_e authentication, and can be used to temporarily
+                  disable a specific authentication type without having to re-
+                  compile tteellnneettdd.
+
+     --LL --ppaatthhnnaammee
+                  Specify pathname to an alternative login program.
+
+     TTeellnneettdd operates by allocating a pseudo-terminal device (see pty(4))  for
+     a client, then creating a login process which has the slave side of the
+     pseudo-terminal as stdin, stdout and stderr. TTeellnneettdd manipulates the mas-
+     ter side of the pseudo-terminal, implementing the TELNET protocol and
+     passing characters between the remote client and the login process.
+
+     When a TELNET session is started up, tteellnneettdd sends TELNET options to the
+     client side indicating a willingness to do the following TELNET options,
+     which are described in more detail below:
+
+           DO AUTHENTICATION
+           WILL ENCRYPT
+           DO TERMINAL TYPE
+           DO TSPEED
+           DO XDISPLOC
+           DO NEW-ENVIRON
+           DO ENVIRON
+           WILL SUPPRESS GO AHEAD
+           DO ECHO
+           DO LINEMODE
+           DO NAWS
+           WILL STATUS
+           DO LFLOW
+           DO TIMING-MARK
+
+     The pseudo-terminal allocated to the client is configured to operate in
+     ``cooked'' mode, and with XTABS and CRMOD enabled (see tty(4)).
+
+     TTeellnneettdd has support for enabling locally the following TELNET options:
+
+     WILL ECHO          When the LINEMODE option is enabled, a WILL ECHO or
+                        WONT ECHO will be sent to the client to indicate the
+                        current state of terminal echoing.  When terminal echo
+                        is not desired, a WILL ECHO is sent to indicate that
+                        telnetd will take care of echoing any data that needs
+                        to be echoed to the terminal, and then nothing is
+                        echoed.  When terminal echo is desired, a WONT ECHO is
+                        sent to indicate that telnetd will not be doing any
+                        terminal echoing, so the client should do any terminal
+                        echoing that is needed.
+
+     WILL BINARY        Indicates that the client is willing to send a 8 bits
+                        of data, rather than the normal 7 bits of the Network
+                        Virtual Terminal.
+
+     WILL SGA           Indicates that it will not be sending IAC GA, go
+                        ahead, commands.
+
+     WILL STATUS        Indicates a willingness to send the client, upon re-
+                        quest, of the current status of all TELNET options.
+
+     WILL TIMING-MARK   Whenever a DO TIMING-MARK command is received, it is
+                        always responded to with a WILL TIMING-MARK
+
+     WILL LOGOUT        When a DO LOGOUT is received, a WILL LOGOUT is sent in
+                        response, and the TELNET session is shut down.
+
+     WILL ENCRYPT       Only sent if tteellnneettdd is compiled with support for data
+                        encryption, and indicates a willingness to decrypt the
+                        data stream.
+
+     TTeellnneettdd has support for enabling remotely the following TELNET options:
+
+     DO BINARY          Sent to indicate that telnetd is willing to receive an
+                        8 bit data stream.
+
+     DO LFLOW           Requests that the client handle flow control charac-
+
+
+                        ters remotely.
+
+     DO ECHO            This is not really supported, but is sent to identify
+                        a 4.2BSD telnet(1) client, which will improperly re-
+                        spond with WILL ECHO. If a WILL ECHO is received, a
+                        DONT ECHO will be sent in response.
+
+     DO TERMINAL-TYPE   Indicates a desire to be able to request the name of
+                        the type of terminal that is attached to the client
+                        side of the connection.
+
+     DO SGA             Indicates that it does not need to receive IAC GA, the
+                        go ahead command.
+
+     DO NAWS            Requests that the client inform the server when the
+                        window (display) size changes.
+
+     DO TERMINAL-SPEED  Indicates a desire to be able to request information
+                        about the speed of the serial line to which the client
+                        is attached.
+
+     DO XDISPLOC        Indicates a desire to be able to request the name of
+                        the X windows display that is associated with the tel-
+                        net client.
+
+     DO NEW-ENVIRON     Indicates a desire to be able to request environment
+                        variable information, as described in RFC 1572.
+
+     DO ENVIRON         Indicates a desire to be able to request environment
+                        variable information, as described in RFC 1408.
+
+     DO LINEMODE        Only sent if tteellnneettdd is compiled with support for
+                        linemode, and requests that the client do line by line
+                        processing.
+
+     DO TIMING-MARK     Only sent if tteellnneettdd is compiled with support for both
+                        linemode and kludge linemode, and the client responded
+                        with WONT LINEMODE. If the client responds with WILL
+                        TM, the it is assumed that the client supports kludge
+                        linemode.  Note that the [--kk] option can be used to
+                        disable this.
+
+     DO AUTHENTICATION  Only sent if tteellnneettdd is compiled with support for au-
+                        thentication, and indicates a willingness to receive
+                        authentication information for automatic login.
+
+     DO ENCRYPT         Only sent if tteellnneettdd is compiled with support for data
+                        encryption, and indicates a willingness to decrypt the
+                        data stream.
+
+EENNVVIIRROONNMMEENNTT
+FFIILLEESS
+     /etc/services
+     /etc/inittab   (UNICOS systems only)
+     /etc/iptos     (if supported)
+
+SSEEEE AALLSSOO
+     telnet(1),  login(1)
+
+SSTTAANNDDAARRDDSS
+     RRFFCC--885544   TELNET PROTOCOL SPECIFICATION
+     RRFFCC--885555   TELNET OPTION SPECIFICATIONS
+     RRFFCC--885566   TELNET BINARY TRANSMISSION
+     RRFFCC--885577   TELNET ECHO OPTION
+
+
+     RRFFCC--885588   TELNET SUPPRESS GO AHEAD OPTION
+     RRFFCC--885599   TELNET STATUS OPTION
+     RRFFCC--886600   TELNET TIMING MARK OPTION
+     RRFFCC--886611   TELNET EXTENDED OPTIONS - LIST OPTION
+     RRFFCC--888855   TELNET END OF RECORD OPTION
+     RRFFCC--11007733  Telnet Window Size Option
+     RRFFCC--11007799  Telnet Terminal Speed Option
+     RRFFCC--11009911  Telnet Terminal-Type Option
+     RRFFCC--11009966  Telnet X Display Location Option
+     RRFFCC--11112233  Requirements for Internet Hosts -- Application and Support
+     RRFFCC--11118844  Telnet Linemode Option
+     RRFFCC--11337722  Telnet Remote Flow Control Option
+     RRFFCC--11441166  Telnet Authentication Option
+     RRFFCC--11441111  Telnet Authentication: Kerberos Version 4
+     RRFFCC--11441122  Telnet Authentication: SPX
+     RRFFCC--11557711  Telnet Environment Option Interoperability Issues
+     RRFFCC--11557722  Telnet Environment Option
+
+BBUUGGSS
+     Some TELNET commands are only partially implemented.
+
+     Because of bugs in the original 4.2 BSD telnet(1),  tteellnneettdd performs some
+     dubious protocol exchanges to try to discover if the remote client is, in
+     fact, a 4.2 BSD telnet(1).
+
+     Binary mode has no common interpretation except between similar operating
+     systems (Unix in this case).
+
+     The terminal type name received from the remote client is converted to
+     lower case.
+
+     TTeellnneettdd never sends TELNET IAC GA (go ahead) commands.
+
+4.2 Berkeley Distribution        June 1, 1994                                5
diff --git a/crypto/heimdal/appl/telnet/telnetd/telnetd.h b/crypto/heimdal/appl/telnet/telnetd/telnetd.h
index fdda3d7..6504607 100644
--- a/crypto/heimdal/appl/telnet/telnetd/telnetd.h
+++ b/crypto/heimdal/appl/telnet/telnetd/telnetd.h
@@ -166,7 +166,6 @@ struct hostent  *gethostbyname(const char *);
 #endif
 
 #ifdef KRB4
-#include <des.h>
 #include <krb.h>
 #endif
 
diff --git a/crypto/heimdal/appl/telnet/telnetd/utility.c b/crypto/heimdal/appl/telnet/telnetd/utility.c
index a2e542d..496152c 100644
--- a/crypto/heimdal/appl/telnet/telnetd/utility.c
+++ b/crypto/heimdal/appl/telnet/telnetd/utility.c
@@ -34,7 +34,7 @@
 #define PRINTOPTIONS
 #include "telnetd.h"
 
-RCSID("$Id: utility.c,v 1.23 2000/10/08 13:34:27 assar Exp $");
+RCSID("$Id: utility.c,v 1.25 2001/05/17 00:34:42 assar Exp $");
 
 /*
  * utility functions performing io related tasks
@@ -363,14 +363,20 @@ void fatal(int f, char *msg)
 }
 
 void
-fatalperror(int f, const char *msg)
+fatalperror_errno(int f, const char *msg, int error)
 {
     char buf[BUFSIZ];
     
-    snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno));
+    snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(error));
     fatal(f, buf);
 }
 
+void
+fatalperror(int f, const char *msg)
+{
+    fatalperror_errno(f, msg, errno);
+}
+
 char editedhost[32];
 
 void edithost(char *pat, char *host)
diff --git a/crypto/heimdal/appl/test/Makefile.in b/crypto/heimdal/appl/test/Makefile.in
index b95c37a..ff1332d 100644
--- a/crypto/heimdal/appl/test/Makefile.in
+++ b/crypto/heimdal/appl/test/Makefile.in
@@ -1,6 +1,7 @@
-# Makefile.in generated automatically by automake 1.4a from Makefile.am
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
 
-# Copyright (C) 1994, 1995-9, 2000 Free Software Foundation, Inc.
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
 # with or without modifications, as long as this notice is preserved.
@@ -119,7 +120,7 @@ install_sh = @install_sh@
 # $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
 
 
-# $Id: Makefile.am.common,v 1.23 2000/12/05 09:11:09 joda Exp $
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
 
 
 AUTOMAKE_OPTIONS = foreign no-dependencies
@@ -185,6 +186,8 @@ NROFF_MAN = groff -mandoc -Tascii
 @KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
 @KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
 
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
 CHECK_LOCAL = $(PROGRAMS)
 
 noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \
@@ -309,7 +312,7 @@ OBJECTS = $(am_gssapi_client_OBJECTS) $(am_gssapi_server_OBJECTS) $(am_nt_gss_cl
 
 all: all-redirect
 .SUFFIXES:
-.SUFFIXES: .1 .3 .5 .8 .c .cat1 .cat3 .cat5 .cat8 .et .h .lo .o .obj .x
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
 $(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
 	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/test/Makefile
 
@@ -410,6 +413,11 @@ TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
 	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
 	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
 
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
 mostlyclean-tags:
 
 clean-tags:
diff --git a/crypto/heimdal/appl/xnlock/ChangeLog b/crypto/heimdal/appl/xnlock/ChangeLog
new file mode 100644
index 0000000..822b4f7
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/ChangeLog
@@ -0,0 +1,64 @@
+2001-03-15  Johan Danielsson  <joda@pdc.kth.se>
+
+	* xnlock.c: don't explicitly set the krb4 ticket file
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* xnlock.c (main): handle krb5_init_context failure consistently
+
+2000-04-09  Assar Westerlund  <assar@sics.se>
+
+	* xnlock.c (verfiy_krb5): get the v4-realm from the v5-ticket and
+	not from the default one.
+	* xnlock.c (verify_krb5): add obtainting of v4 tickets.
+
+1999-11-17  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: only build when we have X11.  From: Simon Josefsson
+ 	<jas@pdc.kth.se>
+
+Thu Mar 18 11:21:44 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* Makefile.am: include Makefile.am.common
+
+Wed Mar 17 23:35:51 1999  Assar Westerlund  <assar@sics.se>
+
+	* xnlock.c (verify): use KRB_VERIFY_SECURE instead of 1
+
+Tue Mar 16 22:29:14 1999  Assar Westerlund  <assar@sics.se>
+
+	* xnlock.c: krb_verify_user_multiple -> krb_verify_user
+
+Thu Mar 11 14:59:20 1999  Johan Danielsson  <joda@hella.pdc.kth.se>
+
+	* xnlock.c: add some if-braces to keep gcc happy
+
+Sun Nov 22 10:36:45 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (WFLAGS): set
+
+Wed Jul  8 01:37:37 1998  Assar Westerlund  <assar@sics.se>
+
+	* xnlock.c (main): create place-holder ticket file with
+ 	open(O_EXCL | O_CREAT) instead of creat
+
+Sat Mar 28 12:53:46 1998  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.in (install, uninstall): transform the man page
+
+Tue Mar 24 05:20:34 1998  Assar Westerlund  <assar@sics.se>
+
+	* xnlock.c: remove redundant preprocessor stuff
+
+Sat Mar 21 14:36:21 1998  Assar Westerlund  <assar@sics.se>
+
+	* xnlock.c (init_words): recognize both `-p' and `-prog'
+
+Sat Feb  7 10:08:07 1998  Assar Westerlund  <assar@sics.se>
+
+	* xnlock.c: Don't use REALM_SZ + 1, just REALM_SZ
+
+Sat Nov 29 04:58:19 1997  Johan Danielsson  <joda@emma.pdc.kth.se>
+
+	* xnlock.c: Make it build w/o krb4.
+
diff --git a/crypto/heimdal/appl/xnlock/Makefile.am b/crypto/heimdal/appl/xnlock/Makefile.am
new file mode 100644
index 0000000..a8e6440
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/Makefile.am
@@ -0,0 +1,30 @@
+# $Id: Makefile.am,v 1.15 2000/11/15 22:51:12 assar Exp $
+
+include $(top_srcdir)/Makefile.am.common
+
+INCLUDES += $(INCLUDE_krb4) $(X_CFLAGS)
+
+WFLAGS += $(WFLAGS_NOIMPLICITINT)
+
+if HAVE_X
+
+bin_PROGRAMS = xnlock
+
+else
+
+bin_PROGRAMS =
+
+endif
+
+man_MANS = xnlock.1
+
+EXTRA_DIST = $(man_MANS) nose.0.left nose.0.right nose.1.left nose.1.right \
+	nose.down nose.front nose.left.front nose.right.front
+
+LDADD = \
+	$(LIB_kafs) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(X_LIBS) -lXt $(X_PRE_LIBS) -lX11 $(X_EXTRA_LIBS)
diff --git a/crypto/heimdal/appl/xnlock/Makefile.in b/crypto/heimdal/appl/xnlock/Makefile.in
new file mode 100644
index 0000000..a023f23
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/Makefile.in
@@ -0,0 +1,633 @@
+# Makefile.in generated automatically by automake 1.4b from Makefile.am
+
+# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+SHELL = @SHELL@
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+VPATH = @srcdir@
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+
+bindir = @bindir@
+sbindir = @sbindir@
+libexecdir = @libexecdir@
+datadir = @datadir@
+sysconfdir = @sysconfdir@
+sharedstatedir = @sharedstatedir@
+localstatedir = @localstatedir@
+libdir = @libdir@
+infodir = @infodir@
+mandir = @mandir@
+includedir = @includedir@
+oldincludedir = /usr/include
+
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+
+top_builddir = ../..
+
+ACLOCAL = @ACLOCAL@
+AUTOCONF = @AUTOCONF@
+AUTOMAKE = @AUTOMAKE@
+AUTOHEADER = @AUTOHEADER@
+
+INSTALL = @INSTALL@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_FLAG =
+transform = @program_transform_name@
+
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+
+@SET_MAKE@
+host_alias = @host_alias@
+host_triplet = @host@
+AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@
+AMDEP = @AMDEP@
+AMTAR = @AMTAR@
+AS = @AS@
+AWK = @AWK@
+CANONICAL_HOST = @CANONICAL_HOST@
+CATMAN = @CATMAN@
+CATMANEXT = @CATMANEXT@
+CC = @CC@
+CPP = @CPP@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+DBLIB = @DBLIB@
+DEPDIR = @DEPDIR@
+DIR_des = @DIR_des@
+DIR_roken = @DIR_roken@
+DLLTOOL = @DLLTOOL@
+EXEEXT = @EXEEXT@
+EXTRA_LIB45 = @EXTRA_LIB45@
+GROFF = @GROFF@
+INCLUDES_roken = @INCLUDES_roken@
+INCLUDE_ = @INCLUDE_@
+LEX = @LEX@
+LIBOBJS = @LIBOBJS@
+LIBTOOL = @LIBTOOL@
+LIB_ = @LIB_@
+LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@
+LIB_des = @LIB_des@
+LIB_des_appl = @LIB_des_appl@
+LIB_kdb = @LIB_kdb@
+LIB_otp = @LIB_otp@
+LIB_roken = @LIB_roken@
+LIB_security = @LIB_security@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
+NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
+NROFF = @NROFF@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+RANLIB = @RANLIB@
+STRIP = @STRIP@
+VERSION = @VERSION@
+VOID_RETSIGTYPE = @VOID_RETSIGTYPE@
+WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@
+WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@
+YACC = @YACC@
+dpagaix_CFLAGS = @dpagaix_CFLAGS@
+dpagaix_LDADD = @dpagaix_LDADD@
+install_sh = @install_sh@
+
+# $Id: Makefile.am,v 1.15 2000/11/15 22:51:12 assar Exp $
+
+
+# $Id: Makefile.am.common,v 1.3 1999/04/01 14:58:43 joda Exp $
+
+
+# $Id: Makefile.am.common,v 1.26 2001/05/21 13:27:48 joda Exp $
+
+
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+SUFFIXES = .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x
+
+INCLUDES = -I$(top_builddir)/include $(INCLUDES_roken) $(INCLUDE_krb4) $(X_CFLAGS)
+
+AM_CFLAGS =  $(WFLAGS)
+
+CP = cp
+
+COMPILE_ET = $(top_builddir)/lib/com_err/compile_et
+
+buildinclude = $(top_builddir)/include
+
+LIB_XauReadAuth = @LIB_XauReadAuth@
+LIB_crypt = @LIB_crypt@
+LIB_dbm_firstkey = @LIB_dbm_firstkey@
+LIB_dbopen = @LIB_dbopen@
+LIB_dlopen = @LIB_dlopen@
+LIB_dn_expand = @LIB_dn_expand@
+LIB_el_init = @LIB_el_init@
+LIB_getattr = @LIB_getattr@
+LIB_gethostbyname = @LIB_gethostbyname@
+LIB_getpwent_r = @LIB_getpwent_r@
+LIB_getpwnam_r = @LIB_getpwnam_r@
+LIB_getsockopt = @LIB_getsockopt@
+LIB_logout = @LIB_logout@
+LIB_logwtmp = @LIB_logwtmp@
+LIB_odm_initialize = @LIB_odm_initialize@
+LIB_pidfile = @LIB_pidfile@
+LIB_readline = @LIB_readline@
+LIB_res_search = @LIB_res_search@
+LIB_setpcred = @LIB_setpcred@
+LIB_setsockopt = @LIB_setsockopt@
+LIB_socket = @LIB_socket@
+LIB_syslog = @LIB_syslog@
+LIB_tgetent = @LIB_tgetent@
+
+LIBS = @LIBS@
+
+HESIODLIB = @HESIODLIB@
+HESIODINCLUDE = @HESIODINCLUDE@
+INCLUDE_hesiod = @INCLUDE_hesiod@
+LIB_hesiod = @LIB_hesiod@
+
+INCLUDE_krb4 = @INCLUDE_krb4@
+LIB_krb4 = @LIB_krb4@
+
+INCLUDE_openldap = @INCLUDE_openldap@
+LIB_openldap = @LIB_openldap@
+
+INCLUDE_readline = @INCLUDE_readline@
+
+LEXLIB = @LEXLIB@
+
+NROFF_MAN = groff -mandoc -Tascii
+
+@KRB4_TRUE@LIB_kafs = @KRB4_TRUE@$(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+
+@KRB5_TRUE@LIB_krb5 = @KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB5_TRUE@	$(top_builddir)/lib/asn1/libasn1.la
+@KRB5_TRUE@LIB_gssapi = @KRB5_TRUE@$(top_builddir)/lib/gssapi/libgssapi.la
+
+@DCE_TRUE@LIB_kdfs = @DCE_TRUE@$(top_builddir)/lib/kdfs/libkdfs.la
+
+CHECK_LOCAL = $(PROGRAMS)
+
+WFLAGS = @WFLAGS@ $(WFLAGS_NOIMPLICITINT)
+
+@HAVE_X_TRUE@bin_PROGRAMS = @HAVE_X_TRUE@xnlock
+@HAVE_X_FALSE@bin_PROGRAMS = 
+
+man_MANS = xnlock.1
+
+EXTRA_DIST = $(man_MANS) nose.0.left nose.0.right nose.1.left nose.1.right \
+	nose.down nose.front nose.left.front nose.right.front
+
+
+LDADD = \
+	$(LIB_kafs) \
+	$(LIB_krb5) \
+	$(LIB_krb4) \
+	$(LIB_des) \
+	$(LIB_roken) \
+	$(X_LIBS) -lXt $(X_PRE_LIBS) -lX11 $(X_EXTRA_LIBS)
+
+subdir = appl/xnlock
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = ../../include/config.h
+CONFIG_CLEAN_FILES = 
+@HAVE_X_FALSE@bin_PROGRAMS = 
+PROGRAMS =  $(bin_PROGRAMS)
+
+
+DEFS = @DEFS@ -I. -I$(srcdir) -I../../include
+CPPFLAGS = @CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+X_CFLAGS = @X_CFLAGS@
+X_LIBS = @X_LIBS@
+X_EXTRA_LIBS = @X_EXTRA_LIBS@
+X_PRE_LIBS = @X_PRE_LIBS@
+xnlock_SOURCES = xnlock.c
+xnlock_OBJECTS =  xnlock.$(OBJEXT)
+xnlock_LDADD = $(LDADD)
+@KRB4_FALSE@@KRB5_FALSE@xnlock_DEPENDENCIES = 
+@KRB4_FALSE@@KRB5_TRUE@xnlock_DEPENDENCIES =  \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_FALSE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+@KRB4_TRUE@@KRB5_FALSE@xnlock_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_FALSE@$(top_builddir)/lib/kafs/libkafs.la
+@KRB4_TRUE@@KRB5_TRUE@xnlock_DEPENDENCIES =  \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/kafs/libkafs.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/krb5/libkrb5.la \
+@KRB4_TRUE@@KRB5_TRUE@$(top_builddir)/lib/asn1/libasn1.la
+xnlock_LDFLAGS = 
+COMPILE = $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --mode=compile $(CC) $(DEFS) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CFLAGS = @CFLAGS@
+CCLD = $(CC)
+LINK = $(LIBTOOL) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@
+DIST_SOURCES =  xnlock.c
+man1dir = $(mandir)/man1
+MANS = $(man_MANS)
+depcomp = 
+DIST_COMMON =  README ChangeLog Makefile.am Makefile.in
+
+
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+
+GZIP_ENV = --best
+SOURCES = xnlock.c
+OBJECTS = xnlock.$(OBJEXT)
+
+all: all-redirect
+.SUFFIXES:
+.SUFFIXES: .et .h .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .x .c .lo .o .obj
+$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/configure.in $(ACLOCAL_M4) $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common
+	cd $(top_srcdir) && $(AUTOMAKE) --foreign appl/xnlock/Makefile
+
+Makefile: $(srcdir)/Makefile.in  $(top_builddir)/config.status
+	cd $(top_builddir) \
+	  && CONFIG_FILES=$(subdir)/$@ CONFIG_HEADERS= $(SHELL) ./config.status
+
+
+mostlyclean-binPROGRAMS:
+
+clean-binPROGRAMS:
+	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS)
+
+distclean-binPROGRAMS:
+
+maintainer-clean-binPROGRAMS:
+
+install-binPROGRAMS: $(bin_PROGRAMS)
+	@$(NORMAL_INSTALL)
+	$(mkinstalldirs) $(DESTDIR)$(bindir)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  if test -f $$p; then \
+	    f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	    echo " $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f"; \
+	    $(LIBTOOL)  --mode=install $(INSTALL_PROGRAM) $(INSTALL_STRIP_FLAG) $$p $(DESTDIR)$(bindir)/$$f; \
+	  else :; fi; \
+	done
+
+uninstall-binPROGRAMS:
+	@$(NORMAL_UNINSTALL)
+	@list='$(bin_PROGRAMS)'; for p in $$list; do \
+	  f="`echo $$p|sed -e 's/$(EXEEXT)$$//' -e '$(transform)' -e 's/$$/$(EXEEXT)/'`"; \
+	  echo " rm -f $(DESTDIR)$(bindir)/$$f"; \
+	  rm -f $(DESTDIR)$(bindir)/$$f; \
+	done
+
+mostlyclean-compile:
+	-rm -f *.o core *.core
+	-rm -f *.$(OBJEXT)
+
+clean-compile:
+
+distclean-compile:
+	-rm -f *.tab.c
+
+maintainer-clean-compile:
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+distclean-libtool:
+
+maintainer-clean-libtool:
+
+xnlock$(EXEEXT): $(xnlock_OBJECTS) $(xnlock_DEPENDENCIES)
+	@rm -f xnlock$(EXEEXT)
+	$(LINK) $(xnlock_LDFLAGS) $(xnlock_OBJECTS) $(xnlock_LDADD) $(LIBS)
+.c.o:
+	$(COMPILE) -c $<
+.c.obj:
+	$(COMPILE) -c `cygpath -w $<`
+.c.lo:
+	$(LTCOMPILE) -c -o $@ $<
+
+install-man1:
+	$(mkinstalldirs) $(DESTDIR)$(man1dir)
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+	  else file=$$i; fi; \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst"; \
+	  $(INSTALL_DATA) $$file $(DESTDIR)$(man1dir)/$$inst; \
+	done
+
+uninstall-man1:
+	@list='$(man1_MANS)'; \
+	l2='$(man_MANS)'; for i in $$l2; do \
+	  case "$$i" in \
+	    *.1*) list="$$list $$i" ;; \
+	  esac; \
+	done; \
+	for i in $$list; do \
+	  ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+	  inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+	  inst=`echo $$inst | sed -e 's/^.*\///'`; \
+	  inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+	  echo " rm -f $(DESTDIR)$(man1dir)/$$inst"; \
+	  rm -f $(DESTDIR)$(man1dir)/$$inst; \
+	done
+install-man: $(MANS)
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-man1
+uninstall-man:
+	@$(NORMAL_UNINSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) uninstall-man1
+
+tags: TAGS
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	mkid -fID $$unique $(LISP)
+
+TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \
+		$(TAGS_FILES) $(LISP)
+	tags=; \
+	here=`pwd`; \
+	list='$(SOURCES) $(HEADERS) $(TAGS_FILES)'; \
+	unique=`for i in $$list; do \
+	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+	  done | \
+	  $(AWK) '    { files[$$0] = 1; } \
+	       END { for (i in files) print i; }'`; \
+	test -z "$(ETAGS_ARGS)$$unique$(LISP)$$tags" \
+	  || etags $(ETAGS_ARGS) $$tags  $$unique $(LISP)
+
+GTAGS:
+	here=`CDPATH=: && cd $(top_builddir) && pwd` \
+	  && cd $(top_srcdir) \
+	  && gtags -i $$here
+
+mostlyclean-tags:
+
+clean-tags:
+
+distclean-tags:
+	-rm -f TAGS ID
+
+maintainer-clean-tags:
+
+distdir = $(top_builddir)/$(PACKAGE)-$(VERSION)/$(subdir)
+
+distdir: $(DISTFILES)
+	@for file in $(DISTFILES); do \
+	  d=$(srcdir); \
+	  if test -d $$d/$$file; then \
+	    cp -pR $$d/$$file $(distdir) \
+	    || exit 1; \
+	  else \
+	    test -f $(distdir)/$$file \
+	    || cp -p $$d/$$file $(distdir)/$$file \
+	    || exit 1; \
+	  fi; \
+	done
+	$(MAKE) $(AM_MAKEFLAGS) top_distdir="$(top_distdir)" distdir="$(distdir)" dist-hook
+info-am:
+info: info-am
+dvi-am:
+dvi: dvi-am
+check-am: all-am
+	$(MAKE) $(AM_MAKEFLAGS) check-local
+check: check-am
+installcheck-am:
+installcheck: installcheck-am
+install-exec-am: install-binPROGRAMS
+	@$(NORMAL_INSTALL)
+	$(MAKE) $(AM_MAKEFLAGS) install-exec-hook
+install-exec: install-exec-am
+
+install-data-am: install-man install-data-local
+install-data: install-data-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+install: install-am
+uninstall-am: uninstall-binPROGRAMS uninstall-man
+uninstall: uninstall-am
+all-am: Makefile $(PROGRAMS) $(MANS) all-local
+all-redirect: all-am
+install-strip:
+	$(MAKE) $(AM_MAKEFLAGS) INSTALL_STRIP_FLAG=-s install
+installdirs:
+	$(mkinstalldirs)  $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1
+
+
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-rm -f Makefile $(CONFIG_CLEAN_FILES)
+	-rm -f config.cache config.log stamp-h stamp-h[0-9]*
+
+maintainer-clean-generic:
+	-rm -f Makefile.in
+mostlyclean-am:  mostlyclean-binPROGRAMS mostlyclean-compile \
+		mostlyclean-libtool mostlyclean-tags \
+		mostlyclean-generic
+
+mostlyclean: mostlyclean-am
+
+clean-am:  clean-binPROGRAMS clean-compile clean-libtool clean-tags \
+		clean-generic mostlyclean-am
+
+clean: clean-am
+
+distclean-am:  distclean-binPROGRAMS distclean-compile distclean-libtool \
+		distclean-tags distclean-generic clean-am
+	-rm -f libtool
+
+distclean: distclean-am
+
+maintainer-clean-am:  maintainer-clean-binPROGRAMS \
+		maintainer-clean-compile maintainer-clean-libtool \
+		maintainer-clean-tags maintainer-clean-generic \
+		distclean-am
+	@echo "This command is intended for maintainers to use;"
+	@echo "it deletes files that may require special tools to rebuild."
+
+maintainer-clean: maintainer-clean-am
+
+.PHONY: mostlyclean-binPROGRAMS distclean-binPROGRAMS clean-binPROGRAMS \
+maintainer-clean-binPROGRAMS uninstall-binPROGRAMS install-binPROGRAMS \
+mostlyclean-compile distclean-compile clean-compile \
+maintainer-clean-compile mostlyclean-libtool distclean-libtool \
+clean-libtool maintainer-clean-libtool install-man1 uninstall-man1 \
+install-man uninstall-man tags mostlyclean-tags distclean-tags \
+clean-tags maintainer-clean-tags distdir info-am info dvi-am dvi \
+check-local check check-am installcheck-am installcheck install-exec-am \
+install-exec install-data-local install-data-am install-data install-am \
+install uninstall-am uninstall all-local all-redirect all-am all \
+install-strip installdirs mostlyclean-generic distclean-generic \
+clean-generic maintainer-clean-generic clean mostlyclean distclean \
+maintainer-clean
+
+
+install-suid-programs:
+	@foo='$(bin_SUIDS)'; \
+	for file in $$foo; do \
+	x=$(DESTDIR)$(bindir)/$$file; \
+	if chown 0:0 $$x && chmod u+s $$x; then :; else \
+	echo "*"; \
+	echo "* Failed to install $$x setuid root"; \
+	echo "*"; \
+	fi; done
+
+install-exec-hook: install-suid-programs
+
+install-build-headers:: $(include_HEADERS) $(build_HEADERZ)
+	@foo='$(include_HEADERS) $(build_HEADERZ)'; \
+	for f in $$foo; do \
+		f=`basename $$f`; \
+		if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \
+		else file="$$f"; fi; \
+		if cmp -s  $$file $(buildinclude)/$$f 2> /dev/null ; then \
+		: ; else \
+			echo " $(CP) $$file $(buildinclude)/$$f"; \
+			$(CP) $$file $(buildinclude)/$$f; \
+		fi ; \
+	done
+
+all-local: install-build-headers
+#NROFF_MAN = nroff -man
+.1.cat1:
+	$(NROFF_MAN) $< > $@
+.3.cat3:
+	$(NROFF_MAN) $< > $@
+.5.cat5:
+	$(NROFF_MAN) $< > $@
+.8.cat8:
+	$(NROFF_MAN) $< > $@
+
+dist-cat1-mans:
+	@foo='$(man1_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.1) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat3-mans:
+	@foo='$(man3_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.3) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat5-mans:
+	@foo='$(man5_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.5) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-cat8-mans:
+	@foo='$(man8_MANS)'; \
+	bar='$(man_MANS)'; \
+	for i in $$bar; do \
+	case $$i in \
+	*.8) foo="$$foo $$i";; \
+	esac; done ;\
+	for i in $$foo; do \
+		x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \
+		echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \
+		$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \
+	done
+
+dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
+
+install-cat-mans:
+	$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
+
+install-data-local: install-cat-mans
+
+.et.h:
+	$(COMPILE_ET) $<
+.et.c:
+	$(COMPILE_ET) $<
+
+.x.c:
+	@cmp -s $< $@ 2> /dev/null || cp $< $@
+
+check-local::
+	@foo='$(CHECK_LOCAL)'; \
+	  if test "$$foo"; then \
+	  failed=0; all=0; \
+	  for i in $$foo; do \
+	    all=`expr $$all + 1`; \
+	    if ./$$i --version > /dev/null 2>&1; then \
+	      echo "PASS: $$i"; \
+	    else \
+	      echo "FAIL: $$i"; \
+	      failed=`expr $$failed + 1`; \
+	    fi; \
+	  done; \
+	  if test "$$failed" -eq 0; then \
+	    banner="All $$all tests passed"; \
+	  else \
+	    banner="$$failed of $$all tests failed"; \
+	  fi; \
+	  dashes=`echo "$$banner" | sed s/./=/g`; \
+	  echo "$$dashes"; \
+	  echo "$$banner"; \
+	  echo "$$dashes"; \
+	  test "$$failed" -eq 0; \
+	fi
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/crypto/heimdal/appl/xnlock/README b/crypto/heimdal/appl/xnlock/README
new file mode 100644
index 0000000..5b16c52
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/README
@@ -0,0 +1,21 @@
+xnlock -- Dan Heller, 1990
+"nlock" is a "new lockscreen" type program... something that prevents
+screen burnout by making most of it "black" while providing something
+of interest to be displayed in case anyone is watching.  The program
+also provides added security.
+
+"xnlock" is the X11 version of the program.
+
+Original sunview version written by Dan Heller 1985 (not included).
+
+For a real description of how this program works, read the
+man page or just try running it.
+
+The one major outstanding bug with this program is that every
+once in a while, two horizontal lines appear below the little
+figure that runs around the screen.  If someone can find and
+fix this bug, *please* let me know -- I don't have time to
+look and if I waited till I had time, you'd never see this
+program...  It has something to do with the "looking down"
+position and then directly moving up and right or left...
+
diff --git a/crypto/heimdal/appl/xnlock/nose.0.left b/crypto/heimdal/appl/xnlock/nose.0.left
new file mode 100644
index 0000000..cb3d152
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/nose.0.left
@@ -0,0 +1,38 @@
+#define nose_0_left_width 64
+#define nose_0_left_height 64
+static unsigned char nose_0_left_bits[] = {
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0xff,0x07,0x00,0x00,0x00,0x00,0x40,0x00,
+ 0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,
+ 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,
+ 0x40,0x00,0x00,0x04,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00,
+ 0x08,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x20,0x00,
+ 0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00,0xf0,0x03,0x00,0x00,0x80,0x00,
+ 0x00,0x00,0x0e,0x0c,0x00,0x00,0x80,0x01,0x00,0x00,0x03,0x30,0x00,0x00,0x00,
+ 0x01,0x00,0x80,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x40,0x00,0xc0,0x00,0x00,
+ 0x00,0x02,0x00,0x20,0x00,0x80,0x00,0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00,
+ 0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x0c,0x00,0x08,0x00,0x00,
+ 0x00,0x00,0x00,0x08,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x08,0x00,
+ 0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,
+ 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,
+ 0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,
+ 0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x01,0x00,0x00,
+ 0x18,0x00,0x20,0x00,0x00,0x01,0x00,0x00,0x08,0x00,0x40,0x00,0x80,0x00,0x00,
+ 0x00,0x08,0x00,0x80,0x00,0x40,0x00,0x00,0x00,0x0c,0x00,0x00,0x01,0x20,0x00,
+ 0x00,0x00,0x04,0x00,0x00,0x06,0x18,0x00,0x00,0x00,0x06,0x00,0x00,0xf8,0x07,
+ 0x00,0x00,0x00,0x02,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0x01,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf8,0x0f,0x00,0x00,0x00,
+ 0x00,0xff,0x00,0x04,0x10,0x00,0x00,0x00,0xc0,0x00,0x03,0x03,0x10,0x00,0x00,
+ 0x00,0x30,0x00,0x0c,0x01,0x20,0x00,0x00,0x00,0x08,0x00,0x98,0x00,0x20,0x00,
+ 0x00,0x00,0x0c,0x03,0x60,0x00,0x20,0x00,0x00,0x00,0xc2,0x00,0xc0,0x00,0x20,
+ 0x00,0x00,0x00,0x42,0x00,0x80,0x00,0x20,0x00,0x00,0x00,0x21,0x00,0x00,0x01,
+ 0x20,0x00,0x00,0x00,0x21,0x00,0x00,0x01,0x20,0x00,0x00,0x00,0x21,0x00,0x00,
+ 0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x01,0x00,
+ 0x00,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x02,
+ 0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00,0x00,
+ 0x18,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x70,0x00,0x00,0x00,0x10,0x00,0x00,
+ 0x00,0xc0,0xff,0xff,0xff,0x0f,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00};
diff --git a/crypto/heimdal/appl/xnlock/nose.0.right b/crypto/heimdal/appl/xnlock/nose.0.right
new file mode 100644
index 0000000..f387baa
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/nose.0.right
@@ -0,0 +1,38 @@
+#define nose_0_right_width 64
+#define nose_0_right_height 64
+static unsigned char nose_0_right_bits[] = {
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0xe0,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x20,0x00,
+ 0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,
+ 0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,
+ 0x20,0x00,0x00,0x02,0x00,0x00,0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00,
+ 0x04,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x10,0x00,
+ 0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00,0x00,0x01,0x00,0x00,0xc0,0x0f,
+ 0x00,0x00,0x80,0x01,0x00,0x00,0x30,0x70,0x00,0x00,0x80,0x00,0x00,0x00,0x0c,
+ 0xc0,0x00,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x01,0x00,0x40,0x00,0x00,0x00,
+ 0x03,0x00,0x02,0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x04,0x00,0x20,0x00,0x00,
+ 0x00,0x00,0x00,0x08,0x00,0x30,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x10,0x00,
+ 0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,
+ 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,
+ 0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,
+ 0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,
+ 0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x18,0x00,0x00,0x80,0x00,
+ 0x00,0x08,0x00,0x10,0x00,0x00,0x80,0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00,
+ 0x01,0x00,0x02,0x00,0x30,0x00,0x00,0x00,0x02,0x00,0x01,0x00,0x20,0x00,0x00,
+ 0x00,0x04,0x80,0x00,0x00,0x60,0x00,0x00,0x00,0x18,0x60,0x00,0x00,0x40,0x00,
+ 0x00,0x00,0xe0,0x1f,0x00,0x00,0x80,0xff,0xff,0xff,0x1f,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf0,0x1f,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x08,0x20,0x00,0xff,0x00,0x00,0x00,0x00,0x08,0xc0,0xc0,0x00,0x03,0x00,
+ 0x00,0x00,0x04,0x80,0x30,0x00,0x0c,0x00,0x00,0x00,0x04,0x00,0x19,0x00,0x10,
+ 0x00,0x00,0x00,0x04,0x00,0x06,0xc0,0x30,0x00,0x00,0x00,0x04,0x00,0x03,0x00,
+ 0x43,0x00,0x00,0x00,0x04,0x00,0x01,0x00,0x42,0x00,0x00,0x00,0x04,0x80,0x00,
+ 0x00,0x84,0x00,0x00,0x00,0x04,0x80,0x00,0x00,0x84,0x00,0x00,0x00,0x04,0x00,
+ 0x00,0x00,0x84,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x02,
+ 0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,
+ 0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00,
+ 0x00,0x04,0x00,0x00,0x00,0x18,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x0e,0x00,
+ 0x00,0x00,0xf0,0xff,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00};
diff --git a/crypto/heimdal/appl/xnlock/nose.1.left b/crypto/heimdal/appl/xnlock/nose.1.left
new file mode 100644
index 0000000..8a6b829
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/nose.1.left
@@ -0,0 +1,38 @@
+#define nose_1_left_width 64
+#define nose_1_left_height 64
+static unsigned char nose_1_left_bits[] = {
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0xff,0x07,0x00,0x00,0x00,0x00,0x40,0x00,
+ 0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,
+ 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,
+ 0x40,0x00,0x00,0x04,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00,
+ 0x08,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x08,0x00,0x00,0x00,0x00,0x20,0x00,
+ 0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00,0xf0,0x03,0x00,0x00,0x80,0x00,
+ 0x00,0x00,0x0e,0x0c,0x00,0x00,0x80,0x01,0x00,0x00,0x03,0x30,0x00,0x00,0x00,
+ 0x01,0x00,0x80,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x40,0x00,0xc0,0x00,0x00,
+ 0x00,0x02,0x00,0x20,0x00,0x80,0x00,0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00,
+ 0x00,0x00,0x04,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x0c,0x00,0x08,0x00,0x00,
+ 0x00,0x00,0x00,0x08,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x08,0x00,
+ 0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,
+ 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,
+ 0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,
+ 0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x01,0x00,0x00,
+ 0x18,0x00,0x10,0x00,0x00,0x01,0x00,0x00,0x08,0x00,0x20,0x00,0x80,0x00,0x00,
+ 0x00,0x08,0x00,0x40,0x00,0x40,0x00,0x00,0x00,0x0c,0x00,0x80,0x00,0x20,0x00,
+ 0x00,0x00,0xe4,0x00,0x00,0x03,0x18,0x00,0x00,0x00,0x26,0x03,0x00,0xfc,0x07,
+ 0x00,0x00,0x00,0x12,0x0c,0x00,0x00,0xf8,0xff,0xff,0xff,0x11,0x10,0x80,0x1f,
+ 0x00,0x00,0x00,0x00,0x08,0x20,0x60,0x60,0xc0,0x07,0x00,0x00,0x04,0x40,0x10,
+ 0xc0,0x20,0x08,0x00,0x1f,0x02,0x40,0x08,0x00,0x21,0x10,0xc0,0x60,0x02,0x40,
+ 0x04,0x00,0x12,0x20,0x20,0x80,0x02,0x20,0xc2,0x00,0x14,0x40,0x18,0x00,0x03,
+ 0x20,0x22,0x00,0x0c,0x80,0x04,0x03,0x02,0x10,0x12,0x00,0x08,0x80,0x86,0x00,
+ 0x04,0x10,0x12,0x00,0x10,0x80,0x42,0x00,0x18,0x08,0x12,0x00,0x10,0x40,0x42,
+ 0x00,0x00,0x04,0x02,0x00,0x20,0x40,0x42,0x00,0x00,0x04,0x02,0x00,0x00,0x20,
+ 0x42,0x00,0x00,0x02,0x04,0x00,0x00,0x20,0x02,0x00,0x00,0x01,0x04,0x00,0x00,
+ 0x20,0x02,0x00,0x00,0x01,0x08,0x00,0x00,0x20,0x04,0x00,0x80,0x00,0x10,0x00,
+ 0x00,0x20,0x0c,0x00,0x80,0x00,0x60,0x00,0x00,0x10,0x08,0x00,0x40,0x00,0x80,
+ 0xff,0xff,0x0f,0x30,0x00,0x30,0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0x0f,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00};
diff --git a/crypto/heimdal/appl/xnlock/nose.1.right b/crypto/heimdal/appl/xnlock/nose.1.right
new file mode 100644
index 0000000..f7c8962
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/nose.1.right
@@ -0,0 +1,38 @@
+#define nose_1_right_width 64
+#define nose_1_right_height 64
+static unsigned char nose_1_right_bits[] = {
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0xe0,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x20,0x00,
+ 0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,
+ 0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,
+ 0x20,0x00,0x00,0x02,0x00,0x00,0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00,
+ 0x04,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x10,0x00,
+ 0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00,0x00,0x01,0x00,0x00,0xc0,0x0f,
+ 0x00,0x00,0x80,0x01,0x00,0x00,0x30,0x70,0x00,0x00,0x80,0x00,0x00,0x00,0x0c,
+ 0xc0,0x00,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x01,0x00,0x40,0x00,0x00,0x00,
+ 0x03,0x00,0x02,0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x04,0x00,0x20,0x00,0x00,
+ 0x00,0x00,0x00,0x08,0x00,0x30,0x00,0x00,0x00,0x00,0x00,0x08,0x00,0x10,0x00,
+ 0x00,0x00,0x00,0x00,0x10,0x00,0x10,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,
+ 0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,
+ 0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,
+ 0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,
+ 0x10,0x00,0x08,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x18,0x00,0x00,0x80,0x00,
+ 0x00,0x08,0x00,0x10,0x00,0x00,0x80,0x00,0x00,0x08,0x00,0x10,0x00,0x00,0x00,
+ 0x01,0x00,0x04,0x00,0x30,0x00,0x00,0x00,0x02,0x00,0x02,0x00,0x27,0x00,0x00,
+ 0x00,0x04,0x00,0x01,0xc0,0x64,0x00,0x00,0x00,0x18,0xc0,0x00,0x30,0x48,0x00,
+ 0x00,0x00,0xe0,0x3f,0x00,0x08,0x88,0xff,0xff,0xff,0x1f,0x00,0x00,0x04,0x10,
+ 0x00,0x00,0x00,0x00,0xf8,0x01,0x02,0x20,0x00,0x00,0xe0,0x03,0x06,0x06,0x02,
+ 0x40,0xf8,0x00,0x10,0x04,0x03,0x08,0x02,0x40,0x06,0x03,0x08,0x84,0x00,0x10,
+ 0x04,0x40,0x01,0x04,0x04,0x48,0x00,0x20,0x04,0xc0,0x00,0x18,0x02,0x28,0x00,
+ 0x43,0x08,0x40,0xc0,0x20,0x01,0x30,0x00,0x44,0x08,0x20,0x00,0x61,0x01,0x10,
+ 0x00,0x48,0x10,0x18,0x00,0x42,0x01,0x08,0x00,0x48,0x20,0x00,0x00,0x42,0x02,
+ 0x08,0x00,0x48,0x20,0x00,0x00,0x42,0x02,0x04,0x00,0x40,0x40,0x00,0x00,0x42,
+ 0x04,0x00,0x00,0x40,0x80,0x00,0x00,0x40,0x04,0x00,0x00,0x20,0x80,0x00,0x00,
+ 0x40,0x04,0x00,0x00,0x20,0x00,0x01,0x00,0x20,0x04,0x00,0x00,0x10,0x00,0x01,
+ 0x00,0x30,0x04,0x00,0x00,0x08,0x00,0x02,0x00,0x10,0x08,0x00,0x00,0x06,0x00,
+ 0x0c,0x00,0x0c,0xf0,0xff,0xff,0x01,0x00,0xf0,0xff,0x03,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00};
diff --git a/crypto/heimdal/appl/xnlock/nose.down b/crypto/heimdal/appl/xnlock/nose.down
new file mode 100644
index 0000000..e8bdba4
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/nose.down
@@ -0,0 +1,38 @@
+#define nose_down_width 64
+#define nose_down_height 64
+static unsigned char nose_down_bits[] = {
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0xfc,0xff,0x01,0x00,0x00,0x00,0x00,0xc0,0x03,0x00,0x1e,0x00,
+ 0x00,0x00,0x00,0x38,0x00,0x00,0xe0,0x00,0x00,0x00,0x00,0x06,0x00,0x00,0x00,
+ 0x03,0x00,0x00,0x80,0x01,0x00,0x00,0x00,0x04,0x00,0x00,0x40,0x00,0x00,0x00,
+ 0x00,0x08,0x00,0x00,0x20,0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x10,0x00,0x80,
+ 0x1f,0x00,0x40,0x00,0x00,0x08,0x00,0x60,0x60,0x00,0x80,0x00,0x00,0x08,0x00,
+ 0x10,0x80,0x00,0x80,0x00,0x00,0x04,0x00,0x08,0x00,0x01,0x00,0x01,0x00,0x04,
+ 0x00,0x08,0x00,0x01,0x00,0x01,0x00,0x02,0x00,0x18,0x80,0x01,0x00,0x02,0x00,
+ 0x02,0x00,0x68,0x60,0x01,0x00,0x02,0x00,0x02,0x00,0x88,0x1f,0x01,0x00,0x02,
+ 0x00,0x02,0x00,0x08,0x00,0x01,0x00,0x02,0x00,0x02,0x00,0x10,0x80,0x00,0x00,
+ 0x03,0x00,0x06,0x00,0x60,0x60,0x00,0x80,0x02,0x00,0x0c,0x00,0x80,0x1f,0x00,
+ 0x40,0x01,0x00,0x14,0x00,0x00,0x00,0x00,0x20,0x01,0x00,0x28,0x00,0x00,0x00,
+ 0x00,0x90,0x00,0x00,0x50,0x00,0x00,0x00,0x00,0x48,0x00,0x00,0xa0,0x01,0x00,
+ 0x00,0x00,0x26,0x00,0x00,0x40,0x1e,0x00,0x00,0xc0,0x11,0x00,0x00,0x80,0xe1,
+ 0x03,0x00,0x3c,0x0c,0x00,0x00,0x00,0x0e,0xfc,0xff,0x83,0x03,0x00,0x00,0x00,
+ 0xf0,0x01,0x00,0x78,0x00,0x00,0x00,0x00,0x00,0xfe,0xff,0x0f,0x00,0x00,0x00,
+ 0x00,0x80,0x03,0x00,0x0c,0x00,0x00,0x00,0x00,0x80,0x02,0x00,0x14,0x00,0x00,
+ 0x00,0x00,0x60,0x04,0x00,0x12,0x00,0x00,0xc0,0x7f,0x10,0x04,0x00,0x22,0xe0,
+ 0x01,0x70,0xc0,0x18,0x08,0x00,0x61,0x1c,0x06,0x10,0x00,0x0f,0x30,0xc0,0x80,
+ 0x07,0x08,0x08,0x00,0x06,0xc0,0x3f,0x80,0x01,0x08,0x08,0x00,0x18,0x00,0x02,
+ 0xc0,0x00,0x10,0x04,0x00,0x30,0x00,0x05,0x30,0x00,0x10,0x04,0x00,0x00,0x80,
+ 0x08,0x18,0x00,0x20,0x04,0x00,0x00,0x80,0x08,0x00,0x00,0x20,0x04,0x00,0x00,
+ 0x40,0x10,0x00,0x00,0x20,0x24,0x00,0x00,0x40,0x10,0x00,0x00,0x22,0x24,0x00,
+ 0x00,0x40,0x10,0x00,0x00,0x22,0x44,0x00,0x00,0x40,0x10,0x00,0x00,0x11,0x84,
+ 0x01,0x00,0xc0,0x18,0x00,0xc0,0x10,0x08,0x00,0x00,0x80,0x08,0x00,0x00,0x08,
+ 0x30,0x00,0x00,0x80,0x08,0x00,0x00,0x04,0xe0,0xff,0xff,0xff,0xf8,0xff,0xff,
+ 0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00};
diff --git a/crypto/heimdal/appl/xnlock/nose.front b/crypto/heimdal/appl/xnlock/nose.front
new file mode 100644
index 0000000..64b8201
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/nose.front
@@ -0,0 +1,38 @@
+#define nose_front_width 64
+#define nose_front_height 64
+static unsigned char nose_front_bits[] = {
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0xff,0x07,0x00,0x00,0x00,0x00,0x40,0x00,
+ 0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,
+ 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,
+ 0x40,0x00,0x00,0x04,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00,
+ 0x08,0x00,0xc0,0x1f,0x00,0x20,0x00,0x00,0x08,0x00,0x30,0x60,0x00,0x20,0x00,
+ 0x00,0xf8,0xff,0x0f,0x80,0xff,0x3f,0x00,0x00,0x00,0x02,0x02,0x00,0x82,0x00,
+ 0x00,0x00,0x00,0x03,0x01,0x00,0x84,0x01,0x00,0x00,0x00,0x81,0x00,0x00,0x08,
+ 0x01,0x00,0x00,0x80,0x80,0x00,0x00,0x08,0x02,0x00,0x00,0x80,0x40,0x00,0x00,
+ 0x10,0x02,0x00,0x00,0x40,0x40,0x00,0x00,0x10,0x04,0x00,0x00,0x40,0x20,0x00,
+ 0x00,0x20,0x04,0x00,0x00,0x60,0x20,0x00,0x00,0x20,0x0c,0x00,0x00,0x20,0x20,
+ 0x00,0x00,0x20,0x08,0x00,0x00,0x20,0x20,0x00,0x00,0x20,0x08,0x00,0x00,0x10,
+ 0x20,0x00,0x00,0x20,0x10,0x00,0x00,0x10,0x20,0x00,0x00,0x20,0x10,0x00,0x00,
+ 0x10,0x20,0x00,0x00,0x20,0x10,0x00,0x00,0x10,0x40,0x00,0x00,0x10,0x10,0x00,
+ 0x00,0x10,0x40,0x00,0x00,0x10,0x10,0x00,0x00,0x10,0x80,0x00,0x00,0x08,0x10,
+ 0x00,0x00,0x10,0x80,0x00,0x00,0x08,0x10,0x00,0x00,0x30,0x00,0x01,0x00,0x04,
+ 0x18,0x00,0x00,0x20,0x00,0x02,0x00,0x02,0x08,0x00,0x00,0x20,0x00,0x0c,0x80,
+ 0x01,0x08,0x00,0x00,0x60,0x00,0x30,0x60,0x00,0x0c,0x00,0x00,0x40,0x00,0xc0,
+ 0x1f,0x00,0x04,0x00,0x00,0xc0,0x00,0x00,0x00,0x00,0x06,0x00,0x00,0x00,0x01,
+ 0x00,0x00,0x00,0x02,0x00,0x00,0x00,0xfe,0xff,0xff,0xff,0x01,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x80,0x0f,0xc0,0x0f,0x00,0x00,0x00,
+ 0x00,0x40,0x10,0x20,0x10,0x00,0x00,0x00,0x00,0x20,0x60,0x30,0x20,0x00,0x00,
+ 0x00,0x00,0x20,0xc0,0x18,0x20,0x00,0x00,0xc0,0x7f,0x10,0x80,0x0d,0x40,0xe0,
+ 0x01,0x70,0xc0,0x18,0x00,0x05,0x40,0x1c,0x06,0x10,0x00,0x0f,0x00,0x05,0x80,
+ 0x07,0x08,0x08,0x00,0x06,0x00,0x05,0x80,0x01,0x08,0x08,0x00,0x18,0x00,0x05,
+ 0xc0,0x00,0x10,0x04,0x00,0x30,0x00,0x05,0x30,0x00,0x10,0x04,0x00,0x00,0x80,
+ 0x08,0x18,0x00,0x20,0x04,0x00,0x00,0x80,0x08,0x00,0x00,0x20,0x04,0x00,0x00,
+ 0x40,0x10,0x00,0x00,0x20,0x24,0x00,0x00,0x40,0x10,0x00,0x00,0x22,0x24,0x00,
+ 0x00,0x40,0x10,0x00,0x00,0x22,0x44,0x00,0x00,0x40,0x10,0x00,0x00,0x11,0x84,
+ 0x01,0x00,0xc0,0x18,0x00,0xc0,0x10,0x08,0x00,0x00,0x80,0x08,0x00,0x00,0x08,
+ 0x30,0x00,0x00,0x80,0x08,0x00,0x00,0x04,0xe0,0xff,0xff,0xff,0xf8,0xff,0xff,
+ 0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00};
diff --git a/crypto/heimdal/appl/xnlock/nose.left.front b/crypto/heimdal/appl/xnlock/nose.left.front
new file mode 100644
index 0000000..3a871ea
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/nose.left.front
@@ -0,0 +1,38 @@
+#define nose_left_front_width 64
+#define nose_left_front_height 64
+static unsigned char nose_left_front_bits[] = {
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0xc0,0xff,0xff,0x07,0x00,0x00,0x00,0x00,0x40,0x00,
+ 0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,
+ 0x00,0x00,0x04,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x04,0x00,0x00,0x00,0x00,
+ 0x40,0x00,0x00,0x04,0x00,0x00,0x00,0xf8,0xff,0xff,0xff,0xff,0x3f,0x00,0x00,
+ 0x08,0x00,0xe0,0x0f,0x00,0x20,0x00,0x00,0x08,0x00,0x18,0x30,0x00,0x20,0x00,
+ 0x00,0xf8,0xff,0x07,0xc0,0xff,0x3f,0x00,0x00,0x00,0x02,0x01,0x00,0x81,0x00,
+ 0x00,0x00,0x00,0x83,0x00,0x00,0x82,0x01,0x00,0x00,0x00,0x41,0x00,0x00,0x04,
+ 0x01,0x00,0x00,0x80,0x40,0x00,0x00,0x04,0x02,0x00,0x00,0x80,0x20,0x00,0x00,
+ 0x08,0x02,0x00,0x00,0x40,0x20,0x00,0x00,0x08,0x04,0x00,0x00,0x40,0x10,0x00,
+ 0x00,0x10,0x04,0x00,0x00,0x60,0x10,0x00,0x00,0x10,0x0c,0x00,0x00,0x20,0x10,
+ 0x00,0x00,0x10,0x08,0x00,0x00,0x30,0x10,0x00,0x00,0x10,0x08,0x00,0x00,0x10,
+ 0x10,0x00,0x00,0x10,0x10,0x00,0x00,0x10,0x10,0x00,0x00,0x10,0x10,0x00,0x00,
+ 0x10,0x10,0x00,0x00,0x10,0x10,0x00,0x00,0x10,0x20,0x00,0x00,0x08,0x10,0x00,
+ 0x00,0x10,0x20,0x00,0x00,0x08,0x10,0x00,0x00,0x10,0x40,0x00,0x00,0x04,0x10,
+ 0x00,0x00,0x30,0x40,0x00,0x00,0x04,0x10,0x00,0x00,0x20,0x80,0x00,0x00,0x02,
+ 0x18,0x00,0x00,0x20,0x00,0x01,0x00,0x01,0x08,0x00,0x00,0x60,0x00,0x06,0xc0,
+ 0x00,0x08,0x00,0x00,0x80,0x00,0x18,0x30,0x00,0x0c,0x00,0x00,0x80,0x00,0xe0,
+ 0x0f,0x00,0x04,0x00,0x00,0x80,0x01,0x00,0x00,0x00,0x06,0x00,0x00,0x00,0x01,
+ 0x00,0x00,0x00,0x02,0x00,0x00,0x00,0xfe,0xff,0xff,0xff,0x01,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf8,0x0f,0x00,0x00,0x00,
+ 0x00,0xff,0x00,0x04,0x10,0x00,0x00,0x00,0xe0,0x00,0x07,0x02,0x10,0x00,0x00,
+ 0x00,0x30,0x00,0x8c,0x01,0x20,0x00,0x00,0x00,0x0c,0x00,0x90,0x00,0x20,0x00,
+ 0x00,0x00,0x04,0x03,0x60,0x00,0x20,0x00,0x00,0x00,0xc2,0x00,0xc0,0x00,0x20,
+ 0x00,0x00,0x00,0x42,0x00,0x00,0x01,0x20,0x00,0x00,0x00,0x21,0x00,0x00,0x02,
+ 0x20,0x00,0x00,0x00,0x21,0x00,0x00,0x06,0x20,0x00,0x00,0x00,0x21,0x00,0x00,
+ 0x00,0x20,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x03,0x00,
+ 0x00,0x00,0x40,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x02,
+ 0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00,0x00,
+ 0x18,0x00,0x00,0x00,0x20,0x00,0x00,0x00,0x70,0x00,0x00,0x00,0x10,0x00,0x00,
+ 0x00,0xc0,0xff,0xff,0xff,0x0f,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00};
diff --git a/crypto/heimdal/appl/xnlock/nose.right.front b/crypto/heimdal/appl/xnlock/nose.right.front
new file mode 100644
index 0000000..f821417
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/nose.right.front
@@ -0,0 +1,38 @@
+#define nose_right_front_width 64
+#define nose_right_front_height 64
+static unsigned char nose_right_front_bits[] = {
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0xe0,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x20,0x00,
+ 0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,
+ 0x00,0x00,0x02,0x00,0x00,0x00,0x00,0x20,0x00,0x00,0x02,0x00,0x00,0x00,0x00,
+ 0x20,0x00,0x00,0x02,0x00,0x00,0x00,0xfc,0xff,0xff,0xff,0xff,0x1f,0x00,0x00,
+ 0x04,0x00,0xf0,0x07,0x00,0x10,0x00,0x00,0x04,0x00,0x0c,0x18,0x00,0x10,0x00,
+ 0x00,0xfc,0xff,0x03,0xe0,0xff,0x1f,0x00,0x00,0x00,0x81,0x00,0x80,0x40,0x00,
+ 0x00,0x00,0x80,0x41,0x00,0x00,0xc1,0x00,0x00,0x00,0x80,0x20,0x00,0x00,0x82,
+ 0x00,0x00,0x00,0x40,0x20,0x00,0x00,0x02,0x01,0x00,0x00,0x40,0x10,0x00,0x00,
+ 0x04,0x01,0x00,0x00,0x20,0x10,0x00,0x00,0x04,0x02,0x00,0x00,0x20,0x08,0x00,
+ 0x00,0x08,0x02,0x00,0x00,0x30,0x08,0x00,0x00,0x08,0x06,0x00,0x00,0x10,0x08,
+ 0x00,0x00,0x08,0x04,0x00,0x00,0x10,0x08,0x00,0x00,0x08,0x0c,0x00,0x00,0x08,
+ 0x08,0x00,0x00,0x08,0x08,0x00,0x00,0x08,0x08,0x00,0x00,0x08,0x08,0x00,0x00,
+ 0x08,0x08,0x00,0x00,0x08,0x08,0x00,0x00,0x08,0x10,0x00,0x00,0x04,0x08,0x00,
+ 0x00,0x08,0x10,0x00,0x00,0x04,0x08,0x00,0x00,0x08,0x20,0x00,0x00,0x02,0x08,
+ 0x00,0x00,0x08,0x20,0x00,0x00,0x02,0x0c,0x00,0x00,0x18,0x40,0x00,0x00,0x01,
+ 0x04,0x00,0x00,0x10,0x80,0x00,0x80,0x00,0x04,0x00,0x00,0x10,0x00,0x03,0x60,
+ 0x00,0x06,0x00,0x00,0x30,0x00,0x0c,0x18,0x00,0x01,0x00,0x00,0x20,0x00,0xf0,
+ 0x07,0x00,0x01,0x00,0x00,0x60,0x00,0x00,0x00,0x80,0x01,0x00,0x00,0x40,0x00,
+ 0x00,0x00,0x80,0x00,0x00,0x00,0x80,0xff,0xff,0xff,0x7f,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xf0,0x1f,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x08,0x20,0x00,0xff,0x00,0x00,0x00,0x00,0x08,0x40,0xe0,0x00,0x07,0x00,
+ 0x00,0x00,0x04,0x80,0x31,0x00,0x0c,0x00,0x00,0x00,0x04,0x00,0x09,0x00,0x30,
+ 0x00,0x00,0x00,0x04,0x00,0x06,0xc0,0x20,0x00,0x00,0x00,0x04,0x00,0x03,0x00,
+ 0x43,0x00,0x00,0x00,0x04,0x80,0x00,0x00,0x42,0x00,0x00,0x00,0x04,0x40,0x00,
+ 0x00,0x84,0x00,0x00,0x00,0x04,0x60,0x00,0x00,0x84,0x00,0x00,0x00,0x04,0x00,
+ 0x00,0x00,0x84,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x80,0x00,0x00,0x00,0x02,
+ 0x00,0x00,0x00,0xc0,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,
+ 0x02,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0x20,0x00,0x00,
+ 0x00,0x04,0x00,0x00,0x00,0x18,0x00,0x00,0x00,0x08,0x00,0x00,0x00,0x0e,0x00,
+ 0x00,0x00,0xf0,0xff,0xff,0xff,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+ 0x00,0x00};
diff --git a/crypto/heimdal/appl/xnlock/xnlock.1 b/crypto/heimdal/appl/xnlock/xnlock.1
new file mode 100644
index 0000000..c62417d
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/xnlock.1
@@ -0,0 +1,123 @@
+.\" xnlock -- Dan Heller 1985 <argv@sun.com>
+.TH XNLOCK 1L "19 April 1990"
+.SH NAME
+xnlock \- amusing lock screen program with message for passers-by
+.SH SYNOPSIS
+.B xnlock
+[
+\fIoptions\fP
+]
+[
+\fImessage\fP
+]
+.SH DESCRIPTION
+.I xnlock
+is a program that acts as a screen saver for workstations running X11.
+It also "locks" the screen such that the workstation can be left
+unattended without worry that someone else will walk up to it and
+mess everything up.  When \fIxnlock\fP is running, a little man with
+a big nose and a hat runs around spewing out messages to the screen.
+By default, the messages are "humorous", but that depends on your
+sense of humor.
+.LP
+If a key or mouse button is pressed, a prompt is printed requesting the
+user's password.  If a RETURN is not typed within 30 seconds,
+the little man resumes running around.
+.LP
+Text on the command line is used as the message.  For example:
+.br
+	% xnlock I\'m out to lunch for a couple of hours.
+.br
+Note the need to quote shell metacharacters.
+.LP
+In the absence of flags or text, \fIxnlock\fP displays random fortunes.
+.SH OPTIONS
+Command line options override all resource specifications.
+All arguments that are not associated with a command line option
+is taken to be message text that the little man will "say" every
+once in a while.  The resource \fBxnlock.text\fP may be set to
+a string.
+.TP
+.BI \-fn " fontname"
+The default font is the first 18 point font in the \fInew century schoolbook\fP
+family.  While larger fonts are recokmmended over smaller ones, any font
+in the server's font list will work.  The resource to use for this option
+is \fBxnlock.font\fP.
+.TP
+.BI \-filename "  filename"
+Take the message to be displayed from the file \fIfilename\fP.
+If \fIfilename\fP is not specified, \fI$HOME/.msgfile\fP is used.
+If the contents of the file are changed during runtime, the most recent text
+of the file is used (allowing the displayed message to be altered remotely).
+Carriage returns within the text are allowed, but tabs or other control
+characters are not translated and should not be used.
+The resource available for this option is \fBxnlock.file\fP.
+.TP
+.BI \-ar
+Accept root's password to unlock screen.  This option is true by
+default.  The reason for this is so that someone's screen may be
+unlocked by autorized users in case of emergency and the person
+running the program is still out to lunch.  The resource available
+for specifying this option is \fBxnlock.acceptRootPasswd\fP.
+.TP
+.BI \-noar
+Don't accept root's password.  This option is for paranoids who
+fear their peers might breakin using root's password and remove
+their files anyway.  Specifying this option on the command line
+overrides the \fBxnlock.acceptRootPasswd\fP if set to True.
+.TP
+.BI \-ip
+Ignore password prompt.
+The resource available for this option is \fBxnlock.ignorePasswd\fP.
+.TP
+.BI \-noip
+Don't ignore password prompt.  This is available in order to
+override the resource \fBignorePasswd\fP if set to True.
+.TP
+.BI -fg " color"
+Specifies the foreground color.  The resource available for this
+is \fBxnlock.foreground\fP.
+.TP
+.BI -bg " color"
+Specifies the background color.  The resource available for this
+is \fBxnlock.background\fP.
+.TP
+.BI \-rv
+Reverse the foreground and background colors.
+The resource for this is \fBxvnlock.reverseVideo\fP.
+.TP
+.BI \-norv
+Don't use reverse video.  This is available to override the reverseVideo
+resource if set to True.
+.TP
+.BI \-prog " program"
+Receive message text from the running program \fIprogram\fP. If there
+are arguments to \fIprogram\fP, encase them with the name of the program in
+quotes (e.g. xnlock -t "fortune -o").
+The resource for this is \fBxnlock.program\fP.
+.SH RESOURCES
+.br
+xnlock.font:               fontname
+.br
+xnlock.foreground:         color
+.br
+xnlock.background:         color
+.br
+xnlock.reverseVideo:       True/False
+.br
+xnlock.text:               Some random text string
+.br
+xnlock.program:            program [args]
+.br
+xnlock.ignorePasswd:       True/False
+.br
+xnlock.acceptRootPasswd:   True/False
+.SH FILES
+\fIxnlock\fP               executable file
+.br
+~/.msgfile                 default message file
+.SH AUTHOR
+Dan Heller <argv@sun.com>  Copyright (c) 1985, 1990.
+.br
+The original version of this program was written using pixrects on
+a Sun 2 running SunOS 1.1.
diff --git a/crypto/heimdal/appl/xnlock/xnlock.c b/crypto/heimdal/appl/xnlock/xnlock.c
new file mode 100644
index 0000000..da61baf
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/xnlock.c
@@ -0,0 +1,1117 @@
+/*
+ * xnlock -- Dan Heller, 1990
+ * "nlock" is a "new lockscreen" type program... something that prevents
+ * screen burnout by making most of it "black" while providing something
+ * of interest to be displayed in case anyone is watching.
+ * "xnlock" is the X11 version of the program.
+ * Original sunview version written by Dan Heller 1985 (not included here).
+ */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: xnlock.c,v 1.85 2001/03/15 17:13:13 joda Exp $");
+#endif
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <X11/StringDefs.h>
+#include <X11/Intrinsic.h>
+#include <X11/keysym.h>
+#include <X11/Shell.h>
+#include <X11/Xos.h>
+#ifdef strerror
+#undef strerror
+#endif
+#include <ctype.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#ifdef KRB4
+#include <krb.h>
+#include <kafs.h>
+#endif
+
+#include <roken.h>
+#include <err.h>
+
+static char login[16];
+static char userprompt[128];
+#ifdef KRB4
+static char name[ANAME_SZ];
+static char inst[INST_SZ];
+static char realm[REALM_SZ];
+#endif
+#ifdef KRB5
+static krb5_context context;
+static krb5_principal client;
+#endif
+
+#define font_height(font)	  	(font->ascent + font->descent)
+
+static char *SPACE_STRING = "                                                      ";
+static char STRING[] = "****************";
+
+#define STRING_LENGTH (sizeof(STRING))
+#define MAX_PASSWD_LENGTH 256
+/* (sizeof(STRING)) */
+
+#define PROMPT	    "Password: "
+#define FAIL_MSG    "Sorry, try again"
+#define LEFT 	001
+#define RIGHT 	002
+#define DOWN 	004
+#define UP 	010
+#define FRONT	020
+#define X_INCR 3
+#define Y_INCR 2
+#define XNLOCK_CTRL 1
+#define XNLOCK_NOCTRL 0
+
+static XtAppContext	app;
+static Display        *dpy;
+static unsigned short	Width, Height;
+static Widget		widget;
+static GC		gc;
+static XtIntervalId	timeout_id;
+static char	       *words;
+static int		x, y;
+static Pixel		Black, White;
+static XFontStruct    *font;
+static char		root_cpass[128];
+static char		user_cpass[128];
+static int		time_left, prompt_x, prompt_y, time_x, time_y;
+static unsigned long	interval;
+static Pixmap		left0, left1, right0, right1, left_front,
+			right_front, front, down;
+
+#define MAXLINES 40
+
+#define IS_MOVING  1
+#define GET_PASSWD 2
+static int state; /* indicates states: walking or getting passwd */
+
+static int ALLOW_LOGOUT = (60*10);	/* Allow logout after nn seconds */
+#define LOGOUT_PASSWD "enuHDmTo5Lq4g" /* when given password "LOGOUT" */
+static time_t locked_at;
+
+struct appres_t {
+    Pixel bg;
+    Pixel fg;
+    XFontStruct *font;
+    Boolean ignore_passwd;
+    Boolean do_reverse;
+    Boolean accept_root;
+    char *text, *text_prog, *file, *logoutPasswd;
+    Boolean no_screensaver;
+    Boolean destroytickets;
+} appres;
+
+static XtResource resources[] = {
+    { XtNbackground, XtCBackground, XtRPixel, sizeof(Pixel), 
+      XtOffsetOf(struct appres_t, bg), XtRString, "black" },
+
+    { XtNforeground, XtCForeground, XtRPixel, sizeof(Pixel), 
+      XtOffsetOf(struct appres_t, fg), XtRString, "white" },
+
+    { XtNfont, XtCFont, XtRFontStruct, sizeof (XFontStruct *),
+      XtOffsetOf(struct appres_t, font), 
+      XtRString, "-*-new century schoolbook-*-*-*-18-*" },
+
+    { "ignorePasswd", "IgnorePasswd", XtRBoolean, sizeof(Boolean),
+      XtOffsetOf(struct appres_t,ignore_passwd),XtRImmediate,(XtPointer)False },
+
+    { "acceptRootPasswd", "AcceptRootPasswd", XtRBoolean, sizeof(Boolean),
+      XtOffsetOf(struct appres_t, accept_root), XtRImmediate, (XtPointer)True },
+
+    { "text", "Text", XtRString, sizeof(String),
+      XtOffsetOf(struct appres_t, text), XtRString, "I'm out running around." },
+    
+    { "program", "Program", XtRString, sizeof(String),
+      XtOffsetOf(struct appres_t, text_prog), XtRImmediate, NULL },
+
+    { "file", "File", XtRString, sizeof(String),
+      XtOffsetOf(struct appres_t,file), XtRImmediate, NULL },
+
+    { "logoutPasswd", "logoutPasswd", XtRString, sizeof(String),
+      XtOffsetOf(struct appres_t, logoutPasswd), XtRString, LOGOUT_PASSWD },
+    
+    { "noScreenSaver", "NoScreenSaver", XtRBoolean, sizeof(Boolean),
+      XtOffsetOf(struct appres_t,no_screensaver), XtRImmediate, (XtPointer)True },
+
+    { "destroyTickets", "DestroyTickets", XtRBoolean, sizeof(Boolean),
+      XtOffsetOf(struct appres_t,destroytickets), XtRImmediate, (XtPointer)True },
+};
+
+static XrmOptionDescRec options[] = {
+    { "-fg", ".foreground", XrmoptionSepArg, NULL }, 
+    { "-foreground", ".foreground", XrmoptionSepArg, NULL }, 
+    { "-fn", ".font", XrmoptionSepArg, NULL }, 
+    { "-font", ".font", XrmoptionSepArg, NULL }, 
+    { "-ip", ".ignorePasswd", XrmoptionNoArg, "True" },
+    { "-noip", ".ignorePasswd", XrmoptionNoArg, "False" },
+    { "-ar",  ".acceptRootPasswd", XrmoptionNoArg, "True" },
+    { "-noar", ".acceptRootPasswd", XrmoptionNoArg, "False" },
+    { "-nonoscreensaver", ".noScreenSaver", XrmoptionNoArg, "False" },
+    { "-nodestroytickets", ".destroyTickets", XrmoptionNoArg, "False" },
+};
+
+static char*
+get_words(void)
+{
+    FILE *pp = NULL;
+    static char buf[512];
+    long n;
+
+    if (appres.text_prog) {
+	pp = popen(appres.text_prog, "r");
+	if (!pp) {
+	    warn("popen %s", appres.text_prog);
+	    return appres.text;
+	}
+	n = fread(buf, 1, sizeof(buf) - 1, pp);
+	buf[n] = 0;
+	pclose(pp);
+	return buf;
+    }
+    if (appres.file) {
+	pp = fopen(appres.file, "r");
+	if (!pp) {
+	    warn("fopen %s", appres.file);
+	    return appres.text;
+	}
+	n = fread(buf, 1, sizeof(buf) - 1, pp);
+	buf[n] = 0;
+	fclose(pp);
+	return buf;
+    }
+
+    return appres.text;
+}
+
+static void
+usage(void)
+{
+    fprintf(stderr, "usage: %s [options] [message]\n", getprogname());
+    fprintf(stderr, "-fg color     foreground color\n");
+    fprintf(stderr, "-bg color     background color\n");
+    fprintf(stderr, "-rv           reverse foreground/background colors\n");
+    fprintf(stderr, "-nrv          no reverse video\n");
+    fprintf(stderr, "-ip           ignore passwd\n");
+    fprintf(stderr, "-nip          don't ignore passwd\n");
+    fprintf(stderr, "-ar           accept root's passwd to unlock\n");
+    fprintf(stderr, "-nar          don't accept root's passwd\n");
+    fprintf(stderr, "-f [file]     message is read from file or ~/.msgfile\n");
+    fprintf(stderr, "-prog program  text is gotten from executing `program'\n");
+    fprintf(stderr, "-nodestroytickets keep kerberos tickets\n");
+    exit(1);
+}
+
+static void
+init_words (int argc, char **argv)
+{
+    int i = 0;
+
+    while(argv[i]) {
+	if(strcmp(argv[i], "-p") == 0
+	   || strcmp(argv[i], "-prog") == 0) {
+	    i++;
+	    if(argv[i]) {
+		appres.text_prog = argv[i];
+		i++;
+	    } else {
+		warnx ("-p requires an argument");
+		usage();
+	    }
+	} else if(strcmp(argv[i], "-f") == 0) {
+	    i++;
+	    if(argv[i]) {
+		appres.file = argv[i];
+		i++;
+	    } else {
+		asprintf (&appres.file,
+			  "%s/.msgfile", getenv("HOME"));
+		if (appres.file == NULL)
+		    errx (1, "cannot allocate memory for message");
+	    }
+	} else {
+	    int j;
+	    int len = 1;
+	    for(j = i; argv[j]; j++)
+		len += strlen(argv[j]) + 1;
+	    appres.text = malloc(len);
+	    if (appres.text == NULL)
+		errx (1, "cannot allocate memory for message");
+	    appres.text[0] = 0;
+	    for(; i < j; i++){
+		strlcat(appres.text, argv[i], len);
+		strlcat(appres.text, " ", len);
+	    }
+	}
+    }
+}
+
+static void
+ScreenSaver(int save)
+{
+    static int timeout, interval, prefer_blank, allow_exp;
+    if(!appres.no_screensaver){
+	if (save) {
+	    XGetScreenSaver(dpy, &timeout, &interval, 
+			    &prefer_blank, &allow_exp);
+	    XSetScreenSaver(dpy, 0, interval, prefer_blank, allow_exp);
+	} else
+	    /* restore state */
+	    XSetScreenSaver(dpy, timeout, interval, prefer_blank, allow_exp);
+    }
+}
+
+/* Forward decls necessary */
+static void talk(int force_erase);
+static unsigned long look(void);
+
+static int
+zrefresh(void)
+{
+  switch (fork()) {
+  case -1:
+      warn ("zrefresh: fork");
+      return -1;
+  case 0:
+      /* Child */
+      execlp("zrefresh", "zrefresh", 0);
+      execl(BINDIR "/zrefresh", "zrefresh", 0);
+      return -1;
+  default:
+      /* Parent */
+      break;
+  }
+  return 0;
+}
+
+static void
+leave(void)
+{
+    XUngrabPointer(dpy, CurrentTime);
+    XUngrabKeyboard(dpy, CurrentTime);
+    ScreenSaver(0);
+    XCloseDisplay(dpy);
+    zrefresh();
+    exit(0);
+}
+
+static void
+walk(int dir)
+{
+    int incr = 0;
+    static int lastdir;
+    static int up = 1;
+    static Pixmap frame;
+
+    XSetForeground(dpy, gc, White);
+    XSetBackground(dpy, gc, Black);
+    if (dir & (LEFT|RIGHT)) { /* left/right movement (mabye up/down too) */
+	up = -up; /* bouncing effect (even if hit a wall) */
+	if (dir & LEFT) {
+	    incr = X_INCR;
+	    frame = (up < 0) ? left0 : left1;
+	} else {
+	    incr = -X_INCR;
+	    frame = (up < 0) ? right0 : right1;
+	}
+	if ((lastdir == FRONT || lastdir == DOWN) && dir & UP) {
+	    /* workaround silly bug that leaves screen dust when
+	     * guy is facing forward or down and moves up-left/right.
+	     */
+	    XCopyPlane(dpy, frame, XtWindow(widget), gc, 0, 0, 64,64, x, y, 1L);
+	    XFlush(dpy);
+	}
+	/* note that maybe neither UP nor DOWN is set! */
+	if (dir & UP && y > Y_INCR)
+	    y -= Y_INCR;
+	else if (dir & DOWN && y < (int)Height - 64)
+	    y += Y_INCR;
+    }
+    /* Explicit up/down movement only (no left/right) */
+    else if (dir == UP)
+	XCopyPlane(dpy, front, XtWindow(widget), gc,
+	    0,0, 64,64, x, y -= Y_INCR, 1L);
+    else if (dir == DOWN)
+	XCopyPlane(dpy, down, XtWindow(widget), gc,
+	    0,0, 64,64, x, y += Y_INCR, 1L);
+    else if (dir == FRONT && frame != front) {
+	if (up > 0)
+	    up = -up;
+	if (lastdir & LEFT)
+	    frame = left_front;
+	else if (lastdir & RIGHT)
+	    frame = right_front;
+	else
+	    frame = front;
+	XCopyPlane(dpy, frame, XtWindow(widget), gc, 0, 0, 64,64, x, y, 1L);
+    }
+    if (dir & LEFT)
+	while(--incr >= 0) {
+	    XCopyPlane(dpy, frame, XtWindow(widget), gc,
+		0,0, 64,64, --x, y+up, 1L);
+	    XFlush(dpy);
+	}
+    else if (dir & RIGHT)
+	while(++incr <= 0) {
+	    XCopyPlane(dpy, frame, XtWindow(widget), gc,
+		0,0, 64,64, ++x, y+up, 1L);
+	    XFlush(dpy);
+	}
+    lastdir = dir;
+}
+
+static int
+think(void)
+{
+    if (rand() & 1)
+	walk(FRONT);
+    if (rand() & 1) {
+	words = get_words();
+	return 1;
+    }
+    return 0;
+}
+
+static void
+move(XtPointer _p, XtIntervalId *_id)
+{
+    static int length, dir;
+
+    if (!length) {
+	int tries = 0;
+	dir = 0;
+	if ((rand() & 1) && think()) {
+	    talk(0); /* sets timeout to itself */
+	    return;
+	}
+	if (!(rand() % 3) && (interval = look())) {
+	    timeout_id = XtAppAddTimeOut(app, interval, move, NULL);
+	    return;
+	}
+	interval = 20 + rand() % 100;
+	do  {
+	    if (!tries)
+		length = Width/100 + rand() % 90, tries = 8;
+	    else
+		tries--;
+	    switch (rand() % 8) {
+		case 0:
+		    if (x - X_INCR*length >= 5)
+			dir = LEFT;
+		case 1:
+		    if (x + X_INCR*length <= (int)Width - 70)
+			dir = RIGHT;
+		case 2:
+		    if (y - (Y_INCR*length) >= 5)
+			dir = UP, interval = 40;
+		case 3:
+		    if (y + Y_INCR*length <= (int)Height - 70)
+			dir = DOWN, interval = 20;
+		case 4:
+		    if (x - X_INCR*length >= 5 && y - (Y_INCR*length) >= 5)
+			dir = (LEFT|UP);
+		case 5:
+		    if (x + X_INCR * length <= (int)Width - 70 &&
+			y-Y_INCR * length >= 5)
+			dir = (RIGHT|UP);
+		case 6:
+		    if (x - X_INCR * length >= 5 &&
+			y + Y_INCR * length <= (int)Height - 70)
+			dir = (LEFT|DOWN);
+		case 7:
+		    if (x + X_INCR*length <= (int)Width - 70 &&
+			y + Y_INCR*length <= (int)Height - 70)
+			dir = (RIGHT|DOWN);
+	    }
+	} while (!dir);
+    }
+    walk(dir);
+    --length;
+    timeout_id = XtAppAddTimeOut(app, interval, move, NULL);
+}
+
+static void
+post_prompt_box(Window window)
+{
+    int width = (Width / 3);
+    int height = font_height(font) * 6;
+    int box_x, box_y;
+
+    /* make sure the entire nose icon fits in the box */
+    if (height < 100)
+	height = 100;
+
+    if(width < 105 + font->max_bounds.width*STRING_LENGTH)
+	width = 105 + font->max_bounds.width*STRING_LENGTH;
+    box_x = (Width - width) / 2;
+    time_x = prompt_x = box_x + 105;
+
+    time_y = prompt_y = Height / 2;
+    box_y = prompt_y - 3 * font_height(font);
+
+    /* erase current guy -- text message may still exist */
+    XSetForeground(dpy, gc, Black);
+    XFillRectangle(dpy, window, gc, x, y, 64, 64);
+    talk(1); /* forcefully erase message if one is being displayed */
+    /* Clear area in middle of screen for prompt box */
+    XSetForeground(dpy, gc, White);
+    XFillRectangle(dpy, window, gc, box_x, box_y, width, height);
+
+    /* make a box that's 5 pixels thick. Then add a thin box inside it */
+    XSetForeground(dpy, gc, Black);
+    XSetLineAttributes(dpy, gc, 5, 0, 0, 0);
+    XDrawRectangle(dpy, window, gc, box_x+5, box_y+5, width-10, height-10);
+    XSetLineAttributes(dpy, gc, 0, 0, 0, 0);
+    XDrawRectangle(dpy, window, gc, box_x+12, box_y+12, width-23, height-23);
+
+    XDrawString(dpy, window, gc,
+		prompt_x, prompt_y-font_height(font), 
+		userprompt, strlen(userprompt));
+    XDrawString(dpy, window, gc, prompt_x, prompt_y, PROMPT, strlen(PROMPT));
+    /* set background for copyplane and DrawImageString; need reverse video */
+    XSetBackground(dpy, gc, White);
+    XCopyPlane(dpy, right0, window, gc, 0,0, 64,64,
+	       box_x + 20, box_y + (height - 64)/2, 1L);
+    prompt_x += XTextWidth(font, PROMPT, strlen(PROMPT));
+    time_y += 2*font_height(font);
+}
+
+static void
+RaiseWindow(Widget w, XEvent *ev, String *s, Cardinal *n)
+{
+  Widget x;
+  if(!XtIsRealized(w))
+    return;
+  x = XtParent(w);
+  XRaiseWindow(dpy, XtWindow(x));
+}
+
+
+static void
+ClearWindow(Widget w, XEvent *_event, String *_s, Cardinal *_n)
+{
+    XExposeEvent *event = (XExposeEvent *)_event;
+    if (!XtIsRealized(w))
+	return;
+    XClearArea(dpy, XtWindow(w), event->x, event->y, 
+	       event->width, event->height, False);
+    if (state == GET_PASSWD)
+	post_prompt_box(XtWindow(w));
+    if (timeout_id == 0 && event->count == 0) {
+	timeout_id = XtAppAddTimeOut(app, 1000L, move, NULL);
+	/* first grab the input focus */
+	XSetInputFocus(dpy, XtWindow(w), RevertToPointerRoot, CurrentTime);
+	/* now grab the pointer and keyboard and contrain to this window */
+	XGrabPointer(dpy, XtWindow(w), TRUE, 0, GrabModeAsync,
+	     GrabModeAsync, XtWindow(w), None, CurrentTime);
+    }
+}
+
+static void
+countdown(XtPointer _t, XtIntervalId *_d)
+{
+    int *timeout = (int *)_t;
+    char buf[128];
+    time_t seconds;
+
+    if (--(*timeout) < 0) {
+	XExposeEvent event;
+	XtRemoveTimeOut(timeout_id);
+	state = IS_MOVING;
+	event.x = event.y = 0;
+	event.width = Width, event.height = Height;
+	ClearWindow(widget, (XEvent *)&event, 0, 0);
+	timeout_id = XtAppAddTimeOut(app, 200L, move, NULL);
+	return;
+    }
+    seconds = time(0) - locked_at;
+    if (seconds >= 3600)
+      snprintf(buf, sizeof(buf),
+	       "Locked for %d:%02d:%02d    ",
+	       (int)seconds/3600, (int)seconds/60%60, (int)seconds%60);
+    else
+      snprintf(buf, sizeof(buf),
+	       "Locked for %2d:%02d    ",
+	       (int)seconds/60, (int)seconds%60);
+      
+    XDrawImageString(dpy, XtWindow(widget), gc,
+	time_x, time_y, buf, strlen(buf));
+    XtAppAddTimeOut(app, 1000L, countdown, timeout);
+    return;
+}
+
+#ifdef KRB5
+static int
+verify_krb5(const char *password)
+{
+    krb5_error_code ret;
+    krb5_ccache id;
+    
+    krb5_cc_default(context, &id);
+    ret = krb5_verify_user(context,
+			   client, 
+			   id,
+			   password, 
+			   0,
+			   NULL);
+    if (ret == 0){
+#ifdef KRB4
+	if (krb5_config_get_bool(context, NULL,
+				 "libdefaults",
+				 "krb4_get_tickets",
+				 NULL)) {
+	    CREDENTIALS c;
+	    krb5_creds mcred, cred;
+	    char krb4tkfile[MAXPATHLEN];
+
+	    krb5_make_principal(context, &mcred.server,
+				client->realm,
+				"krbtgt",
+				client->realm,
+				NULL);
+	    ret = krb5_cc_retrieve_cred(context, id, 0, &mcred, &cred);
+	    if(ret == 0) {
+		ret = krb524_convert_creds_kdc(context, id, &cred, &c);
+		if(ret == 0) 
+		    tf_setup(&c, c.pname, c.pinst);
+		memset(&c, 0, sizeof(c));
+		krb5_free_creds_contents(context, &cred);
+	    }
+	    krb5_free_principal(context, mcred.server);
+	}
+	if (k_hasafs())
+	    krb5_afslog(context, id, NULL, NULL);
+#endif
+	return 0;
+    }
+    if (ret != KRB5KRB_AP_ERR_MODIFIED)
+	krb5_warn(context, ret, "verify_krb5");
+    
+    return -1;
+}
+#endif
+
+static int
+verify(char *password)
+{
+    int ret;
+
+    /*
+     * First try with root password, if allowed.
+     */
+    if (   appres.accept_root
+	&& strcmp(crypt(password, root_cpass), root_cpass) == 0)
+      return 0;
+
+    /*
+     * Password that log out user
+     */
+    if (getuid() != 0 &&
+	geteuid() != 0 &&
+	(time(0) - locked_at) > ALLOW_LOGOUT &&
+	strcmp(crypt(password, appres.logoutPasswd), appres.logoutPasswd) == 0)
+	    {
+		signal(SIGHUP, SIG_IGN);
+		kill(-1, SIGHUP);
+		sleep(5);
+		/* If the X-server shut down then so will we, else
+		 * continue */
+		signal(SIGHUP, SIG_DFL);
+	    }
+
+    /*
+     * Try copy of users password.
+     */
+    if (strcmp(crypt(password, user_cpass), user_cpass) == 0)
+      return 0;
+
+    /*
+     * Try to verify as user in case password change.
+     */
+    if (unix_verify_user(login, password) == 0)
+	return 0;
+
+#ifdef KRB5
+    /*
+     * Try to verify as user with kerberos 5.
+     */
+    if(verify_krb5(password) == 0)
+	return 0;
+#endif
+
+#ifdef KRB4
+    /*
+     * Try to verify as user with kerberos 4.
+     */
+    ret = krb_verify_user(name, inst, realm, password,
+			  KRB_VERIFY_NOT_SECURE, NULL);
+    if (ret == KSUCCESS){
+	if (k_hasafs())
+	    krb_afslog(NULL, NULL);
+	return 0;
+    }
+    if (ret != INTK_BADPW)
+	warnx ("warning: %s",
+	       (ret < 0) ? strerror(ret) : krb_get_err_text(ret));
+#endif
+    
+    return -1;
+}
+
+
+static void
+GetPasswd(Widget w, XEvent *_event, String *_s, Cardinal *_n)
+{
+    XKeyEvent *event = (XKeyEvent *)_event;
+    static char passwd[MAX_PASSWD_LENGTH];
+    static int cnt;
+    static int is_ctrl = XNLOCK_NOCTRL;
+    char c;
+    KeySym keysym;
+    int echolen;
+    int old_state = state;
+
+    if (event->type == ButtonPress) {
+	x = event->x, y = event->y;
+	return;
+    }
+    if (state == IS_MOVING) {
+	/* guy is running around--change to post prompt box. */
+	XtRemoveTimeOut(timeout_id);
+	state = GET_PASSWD;
+	if (appres.ignore_passwd || !strlen(user_cpass))
+	    leave();
+	post_prompt_box(XtWindow(w));
+	cnt = 0;
+	time_left = 30;
+	countdown((XtPointer)&time_left, 0);
+    }
+    if (event->type == KeyRelease) {
+      keysym = XLookupKeysym(event, 0);
+      if (keysym == XK_Control_L || keysym == XK_Control_R) {
+	is_ctrl = XNLOCK_NOCTRL;
+      }
+    }
+    if (event->type != KeyPress)
+	return;
+
+    time_left = 30;
+    
+    keysym = XLookupKeysym(event, 0);
+    if (keysym == XK_Control_L || keysym == XK_Control_R) {
+      is_ctrl = XNLOCK_CTRL;
+      return;
+    }
+    if (!XLookupString(event, &c, 1, &keysym, 0))
+	return;
+    if (keysym == XK_Return || keysym == XK_Linefeed) {
+	passwd[cnt] = 0;
+	if(old_state == IS_MOVING)
+	    return;
+	XtRemoveTimeOut(timeout_id);
+
+	if(verify(passwd) == 0)
+	    leave();
+
+	cnt = 0;
+
+	XDrawImageString(dpy, XtWindow(widget), gc,
+	    time_x, time_y, FAIL_MSG, strlen(FAIL_MSG));
+	time_left = 0;
+	timeout_id = XtAppAddTimeOut(app, 2000L, countdown, &time_left);
+	return;
+    }
+    if (keysym == XK_BackSpace || keysym == XK_Delete || keysym == XK_Left) {
+	if (cnt)
+	    passwd[cnt--] = ' ';
+    } else if (keysym == XK_u && is_ctrl == XNLOCK_CTRL) {
+      while (cnt) {
+	passwd[cnt--] = ' ';
+	echolen = min(cnt, STRING_LENGTH);
+	XDrawImageString(dpy, XtWindow(w), gc,
+		    prompt_x, prompt_y, STRING, echolen);
+	XDrawImageString(dpy, XtWindow(w), gc,
+			 prompt_x + XTextWidth(font, STRING, echolen),
+			 prompt_y, SPACE_STRING, STRING_LENGTH - echolen + 1);
+      }
+    } else if (isprint(c)) {
+	if ((cnt + 1) >= MAX_PASSWD_LENGTH)
+	    XBell(dpy, 50);
+	else
+	    passwd[cnt++] = c;
+    } else
+	return;
+    echolen = min(cnt, STRING_LENGTH);
+    XDrawImageString(dpy, XtWindow(w), gc,
+	prompt_x, prompt_y, STRING, echolen);
+    XDrawImageString(dpy, XtWindow(w), gc,
+	prompt_x + XTextWidth(font, STRING, echolen),
+	prompt_y, SPACE_STRING, STRING_LENGTH - echolen +1);
+}
+
+#include "nose.0.left"
+#include "nose.1.left"
+#include "nose.0.right"
+#include "nose.1.right"
+#include "nose.left.front"
+#include "nose.right.front"
+#include "nose.front"
+#include "nose.down"
+
+static void
+init_images(void)
+{
+    static Pixmap *images[] = {
+	&left0, &left1, &right0, &right1,
+	&left_front, &right_front, &front, &down 
+    };
+    static unsigned char *bits[] = {
+	nose_0_left_bits, nose_1_left_bits, nose_0_right_bits,
+	nose_1_right_bits, nose_left_front_bits, nose_right_front_bits,
+	nose_front_bits, nose_down_bits
+    };
+    int i;
+
+    for (i = 0; i < XtNumber(images); i++)
+	if (!(*images[i] =
+		XCreatePixmapFromBitmapData(dpy, DefaultRootWindow(dpy),
+		    (char*)(bits[i]), 64, 64, 1, 0, 1)))
+	    XtError("Can't load nose images");
+}
+
+static void
+talk(int force_erase)
+{
+    int width = 0, height, Z, total = 0;
+    static int X, Y, talking;
+    static struct { int x, y, width, height; } s_rect;
+    char *p, *p2;
+    char buf[BUFSIZ], args[MAXLINES][256];
+
+    /* clear what we've written */
+    if (talking || force_erase) {
+	if (!talking)
+	    return;
+	if (talking == 2) {
+	    XSetForeground(dpy, gc, Black);
+	    XDrawString(dpy, XtWindow(widget), gc, X, Y, words, strlen(words));
+	} else if (talking == 1) {
+	    XSetForeground(dpy, gc, Black);
+	    XFillRectangle(dpy, XtWindow(widget), gc, s_rect.x-5, s_rect.y-5,
+			   s_rect.width+10, s_rect.height+10);
+	}
+	talking = 0;
+	if (!force_erase)
+	    timeout_id = XtAppAddTimeOut(app, 40L,
+					 (XtTimerCallbackProc)move,
+					 NULL);
+	return;
+    }
+    XSetForeground(dpy, gc, White);
+    talking = 1;
+    walk(FRONT);
+    strlcpy (buf, words, sizeof(buf));
+    p = buf;
+
+    /* possibly avoid a lot of work here
+     * if no CR or only one, then just print the line
+     */
+    if (!(p2 = strchr(p, '\n')) || !p2[1]) {
+	int w;
+
+	if (p2)
+	    *p2 = 0;
+	w = XTextWidth(font, words, strlen(words));
+	X = x + 32 - w/2;
+	Y = y - 5 - font_height(font);
+	/* give us a nice 5 pixel margin */
+	if (X < 5)
+	    X = 5;
+	else if (X + w + 15 > (int)Width + 5)
+	    X = Width - w - 5;
+	if (Y < 5)
+	    Y = y + 64 + 5 + font_height(font);
+	XDrawString(dpy, XtWindow(widget), gc, X, Y, words, strlen(words));
+	timeout_id = XtAppAddTimeOut(app, 5000L, (XtTimerCallbackProc)talk, 
+				     NULL);
+	talking++;
+	return;
+    }
+
+    /* p2 now points to the first '\n' */
+    for (height = 0; p; height++) {
+	int w;
+	*p2 = 0;
+	if ((w = XTextWidth(font, p, p2 - p)) > width)
+	    width = w;
+	total += p2 - p; /* total chars; count to determine reading time */
+	strlcpy(args[height], p, sizeof(args[height]));
+	if (height == MAXLINES - 1) {
+	    puts("Message too long!");
+	    break;
+	}
+	p = p2+1;
+	if (!(p2 = strchr(p, '\n')))
+	    break;
+    }
+    height++;
+
+    /* Figure out the height and width in pixels (height, width) extend
+     * the new box by 15 pixels on the sides (30 total) top and bottom.
+     */
+    s_rect.width = width + 30;
+    s_rect.height = height * font_height(font) + 30;
+    if (x - s_rect.width - 10 < 5)
+	s_rect.x = 5;
+    else
+	if ((s_rect.x = x+32-(s_rect.width+15)/2)
+					 + s_rect.width+15 > (int)Width-5)
+	    s_rect.x = Width - 15 - s_rect.width;
+    if (y - s_rect.height - 10 < 5)
+	s_rect.y = y + 64 + 5;
+    else
+	s_rect.y = y - 5 - s_rect.height;
+
+    XSetForeground(dpy, gc, White);
+    XFillRectangle(dpy, XtWindow(widget), gc,
+       s_rect.x-5, s_rect.y-5, s_rect.width+10, s_rect.height+10);
+
+    /* make a box that's 5 pixels thick. Then add a thin box inside it */
+    XSetForeground(dpy, gc, Black);
+    XSetLineAttributes(dpy, gc, 5, 0, 0, 0);
+    XDrawRectangle(dpy, XtWindow(widget), gc,
+		   s_rect.x, s_rect.y, s_rect.width-1, s_rect.height-1);
+    XSetLineAttributes(dpy, gc, 0, 0, 0, 0);
+    XDrawRectangle(dpy, XtWindow(widget), gc,
+		   s_rect.x + 7, s_rect.y + 7, s_rect.width - 15, 
+		   s_rect.height - 15);
+
+    X = 15;
+    Y = 15 + font_height(font);
+
+    /* now print each string in reverse order (start at bottom of box) */
+    for (Z = 0; Z < height; Z++) {
+	XDrawString(dpy, XtWindow(widget), gc, s_rect.x+X, s_rect.y+Y,
+	    args[Z], strlen(args[Z]));
+	Y += font_height(font);
+    }
+    timeout_id = XtAppAddTimeOut(app, (total/15) * 1000, 
+				 (XtTimerCallbackProc)talk, NULL);
+}
+
+static unsigned long
+look(void)
+{
+    XSetForeground(dpy, gc, White);
+    XSetBackground(dpy, gc, Black);
+    if (rand() % 3) {
+	XCopyPlane(dpy, (rand() & 1)? down : front, XtWindow(widget), gc,
+	    0, 0, 64,64, x, y, 1L);
+	return 1000L;
+    }
+    if (!(rand() % 5))
+	return 0;
+    if (rand() % 3) {
+	XCopyPlane(dpy, (rand() & 1)? left_front : right_front,
+	    XtWindow(widget), gc, 0, 0, 64,64, x, y, 1L);
+	return 1000L;
+    }
+    if (!(rand() % 5))
+	return 0;
+    XCopyPlane(dpy, (rand() & 1)? left0 : right0, XtWindow(widget), gc,
+	0, 0, 64,64, x, y, 1L);
+    return 1000L;
+}
+
+int
+main (int argc, char **argv)
+{
+    int i;
+    Widget override;
+    XGCValues gcvalues;
+
+    setprogname (argv[0]);
+
+    /*
+     * Must be setuid root to read /etc/shadow, copy encrypted
+     * passwords here and then switch to sane uid.
+     */
+    {
+      struct passwd *pw;
+      uid_t uid = getuid();
+      if (!(pw = k_getpwuid(0)))
+	errx (1, "can't get root's passwd!");
+      strlcpy(root_cpass, pw->pw_passwd, sizeof(root_cpass));
+
+      if (!(pw = k_getpwuid(uid)))
+	errx (1, "Can't get your password entry!");
+      strlcpy(user_cpass, pw->pw_passwd, sizeof(user_cpass));
+      setuid(uid);
+      if (uid != 0 && setuid(0) != -1) {
+	fprintf(stderr, "Failed to drop privileges!\n");
+	exit(1);
+      }
+      /* Now we're no longer running setuid root. */
+      strlcpy(login, pw->pw_name, sizeof(login));
+    }
+
+    srand(getpid());
+    for (i = 0; i < STRING_LENGTH; i++)
+	STRING[i] = ((unsigned long)rand() % ('~' - ' ')) + ' ';
+
+    locked_at = time(0);
+
+    snprintf(userprompt, sizeof(userprompt), "User: %s", login);
+#ifdef KRB4
+    krb_get_default_principal(name, inst, realm);
+    snprintf(userprompt, sizeof(userprompt), "User: %s", 
+	     krb_unparse_name_long(name, inst, realm));
+#endif
+#ifdef KRB5
+    {
+	krb5_error_code ret;
+	char *str;
+
+	ret = krb5_init_context(&context);
+	if (ret)
+	    errx (1, "krb5_init_context failed: %d", ret);
+	krb5_get_default_principal(context, &client);
+	krb5_unparse_name(context, client, &str);
+	snprintf(userprompt, sizeof(userprompt), "User: %s", str);
+	free(str);
+    }
+#endif
+
+    override = XtVaAppInitialize(&app, "XNlock", options, XtNumber(options),
+				 (Cardinal*)&argc, argv, NULL, 
+				 XtNoverrideRedirect, True, 
+				 NULL);
+    
+    XtVaGetApplicationResources(override,(XtPointer)&appres,
+				resources,XtNumber(resources),
+				NULL);
+    /* the background is black and the little guy is white */
+    Black = appres.bg;
+    White = appres.fg;
+
+    if (appres.destroytickets) {
+#ifdef KRB4
+	int fd;
+
+        dest_tkt();		/* Nuke old ticket file */
+				/* but keep a place holder */
+	fd = open (TKT_FILE, O_WRONLY | O_CREAT | O_EXCL, 0600);
+	if (fd >= 0)
+	    close (fd);
+#endif
+    }
+
+    dpy = XtDisplay(override);
+    
+    if (dpy == 0)
+      errx (1, "Error: Can't open display");
+
+    Width = DisplayWidth(dpy, DefaultScreen(dpy)) + 2;
+    Height = DisplayHeight(dpy, DefaultScreen(dpy)) + 2;
+    
+    for(i = 0; i < ScreenCount(dpy); i++){
+	Widget shell, core;
+
+	struct xxx{
+	    Pixel bg;
+	}res;
+	
+	XtResource Res[] = {
+	    { XtNbackground, XtCBackground, XtRPixel, sizeof(Pixel),
+	      XtOffsetOf(struct xxx, bg), XtRString, "black" }
+	};
+
+	if(i == DefaultScreen(dpy))
+	    continue;
+      
+	shell = XtVaAppCreateShell(NULL,NULL, applicationShellWidgetClass, dpy, 
+				   XtNscreen, ScreenOfDisplay(dpy, i), 
+				   XtNoverrideRedirect, True, 
+				   XtNx, -1, 
+				   XtNy, -1,
+				   NULL);
+      
+	XtVaGetApplicationResources(shell, (XtPointer)&res, 
+				    Res, XtNumber(Res),
+				    NULL);
+
+	core = XtVaCreateManagedWidget("_foo", widgetClass, shell,
+				       XtNwidth, DisplayWidth(dpy, i),
+				       XtNheight, DisplayHeight(dpy, i),
+				       XtNbackground, res.bg, 
+				       NULL);
+	XtRealizeWidget(shell);
+    }
+
+    widget = XtVaCreateManagedWidget("_foo", widgetClass, override,
+				     XtNwidth,	Width,
+				     XtNheight,	Height,
+				     XtNbackground, Black, 
+				     NULL);
+
+    init_words(--argc, ++argv);
+    init_images();
+
+    gcvalues.foreground = Black;
+    gcvalues.background = White;
+
+
+    font = appres.font;
+    gcvalues.font = font->fid;
+    gcvalues.graphics_exposures = False;
+    gc = XCreateGC(dpy, DefaultRootWindow(dpy),
+	GCForeground | GCBackground | GCGraphicsExposures | GCFont,
+	&gcvalues);
+
+    x = Width / 2;
+    y = Height / 2;
+    srand (time(0));
+    state = IS_MOVING;
+
+    {
+	static XtActionsRec actions[] = {
+	    { "ClearWindow",	ClearWindow  },
+	    { "GetPasswd",	GetPasswd    },
+	    { "RaiseWindow", 	RaiseWindow  },
+	};
+	XtAppAddActions(app, actions, XtNumber(actions));
+	XtOverrideTranslations(widget,
+	       XtParseTranslationTable(
+				       "<Expose>:	ClearWindow()	\n"
+				       "<BtnDown>:	GetPasswd()	\n"
+				       "<Visible>: RaiseWindow() \n"
+				       "<KeyRelease>:  GetPasswd()     \n"
+				       "<KeyPress>:	GetPasswd()"));
+    }
+
+    XtRealizeWidget(override);
+    if((i = XGrabPointer(dpy, XtWindow(widget), True, 0, GrabModeAsync,
+			 GrabModeAsync, XtWindow(widget), 
+			 None, CurrentTime)) != 0) 
+	errx(1, "Failed to grab pointer (%d)", i);
+	
+    if((i = XGrabKeyboard(dpy, XtWindow(widget), True, GrabModeAsync,
+			  GrabModeAsync, CurrentTime)) != 0)
+	errx(1, "Failed to grab keyboard (%d)", i);
+    ScreenSaver(1);
+    XtAppMainLoop(app);
+    exit(0);
+}
+
diff --git a/crypto/heimdal/appl/xnlock/xnlock.cat1 b/crypto/heimdal/appl/xnlock/xnlock.cat1
new file mode 100644
index 0000000..dde8eef
--- /dev/null
+++ b/crypto/heimdal/appl/xnlock/xnlock.cat1
@@ -0,0 +1,132 @@
+
+
+
+XNLOCK(1L)                                                         XNLOCK(1L)
+
+
+
+NAME
+  xnlock - amusing lock screen program with message for passers-by
+
+SYNOPSIS
+  xxnnlloocckk [ _o_p_t_i_o_n_s ] [ _m_e_s_s_a_g_e ]
+
+DESCRIPTION
+  _x_n_l_o_c_k is a program that acts as a screen saver for workstations running
+  X11.  It also "locks" the screen such that the workstation can be left
+  unattended without worry that someone else will walk up to it and mess
+  everything up.  When _x_n_l_o_c_k is running, a little man with a big nose and a
+  hat runs around spewing out messages to the screen.  By default, the mes-
+  sages are "humorous", but that depends on your sense of humor.
+
+  If a key or mouse button is pressed, a prompt is printed requesting the
+  user's password.  If a RETURN is not typed within 30 seconds, the little
+  man resumes running around.
+
+  Text on the command line is used as the message.  For example:
+          % xnlock I'm out to lunch for a couple of hours.
+  Note the need to quote shell metacharacters.
+
+  In the absence of flags or text, _x_n_l_o_c_k displays random fortunes.
+
+OPTIONS
+  Command line options override all resource specifications.  All arguments
+  that are not associated with a command line option is taken to be message
+  text that the little man will "say" every once in a while.  The resource
+  xxnnlloocckk..tteexxtt may be set to a string.
+
+  --ffnn _f_o_n_t_n_a_m_e
+       The default font is the first 18 point font in the _n_e_w _c_e_n_t_u_r_y _s_c_h_o_o_l_-
+       _b_o_o_k family.  While larger fonts are recokmmended over smaller ones,
+       any font in the server's font list will work.  The resource to use for
+       this option is xxnnlloocckk..ffoonntt.
+
+  --ffiilleennaammee  _f_i_l_e_n_a_m_e
+       Take the message to be displayed from the file _f_i_l_e_n_a_m_e.  If _f_i_l_e_n_a_m_e
+       is not specified, _$_H_O_M_E_/_._m_s_g_f_i_l_e is used.  If the contents of the file
+       are changed during runtime, the most recent text of the file is used
+       (allowing the displayed message to be altered remotely).  Carriage
+       returns within the text are allowed, but tabs or other control charac-
+       ters are not translated and should not be used.  The resource avail-
+       able for this option is xxnnlloocckk..ffiillee.
+
+  --aarr  Accept root's password to unlock screen.  This option is true by
+       default.  The reason for this is so that someone's screen may be
+       unlocked by autorized users in case of emergency and the person run-
+       ning the program is still out to lunch.  The resource available for
+       specifying this option is xxnnlloocckk..aacccceeppttRRoooottPPaasssswwdd.
+
+  --nnooaarr
+       Don't accept root's password.  This option is for paranoids who fear
+       their peers might breakin using root's password and remove their files
+       anyway.  Specifying this option on the command line overrides the
+       xxnnlloocckk..aacccceeppttRRoooottPPaasssswwdd if set to True.
+
+  --iipp  Ignore password prompt.  The resource available for this option is
+       xxnnlloocckk..iiggnnoorreePPaasssswwdd.
+
+  --nnooiipp
+       Don't ignore password prompt.  This is available in order to override
+       the resource iiggnnoorreePPaasssswwdd if set to True.
+
+  --ffgg _c_o_l_o_r
+       Specifies the foreground color.  The resource available for this is
+       xxnnlloocckk..ffoorreeggrroouunndd.
+
+  --bbgg _c_o_l_o_r
+       Specifies the background color.  The resource available for this is
+       xxnnlloocckk..bbaacckkggrroouunndd.
+
+  --rrvv  Reverse the foreground and background colors.  The resource for this
+       is xxvvnnlloocckk..rreevveerrsseeVViiddeeoo.
+
+  --nnoorrvv
+       Don't use reverse video.  This is available to override the reverseV-
+       ideo resource if set to True.
+
+  --pprroogg _p_r_o_g_r_a_m
+       Receive message text from the running program _p_r_o_g_r_a_m. If there are
+       arguments to _p_r_o_g_r_a_m, encase them with the name of the program in
+       quotes (e.g. xnlock -t "fortune -o").  The resource for this is
+       xxnnlloocckk..pprrooggrraamm.
+
+RESOURCES
+  xnlock.font:               fontname
+  xnlock.foreground:         color
+  xnlock.background:         color
+  xnlock.reverseVideo:       True/False
+  xnlock.text:               Some random text string
+  xnlock.program:            program [args]
+  xnlock.ignorePasswd:       True/False
+  xnlock.acceptRootPasswd:   True/False
+
+FILES
+  _x_n_l_o_c_k               executable file
+  ~/.msgfile                 default message file
+
+AUTHOR
+  Dan Heller <argv@sun.com>  Copyright (c) 1985, 1990.
+  The original version of this program was written using pixrects on a Sun 2
+  running SunOS 1.1.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+