Diffstat (limited to 'crypto/openssh/regress')
-rw-r--r--crypto/openssh/regress/Makefile98
-rw-r--r--crypto/openssh/regress/README.regress108
-rw-r--r--crypto/openssh/regress/agent-getpeereid.sh45
-rw-r--r--crypto/openssh/regress/agent-ptrace.sh53
-rw-r--r--crypto/openssh/regress/agent-timeout.sh36
-rw-r--r--crypto/openssh/regress/agent.sh75
-rw-r--r--crypto/openssh/regress/banner.sh44
-rw-r--r--crypto/openssh/regress/broken-pipe.sh15
-rw-r--r--crypto/openssh/regress/brokenkeys.sh23
-rw-r--r--crypto/openssh/regress/bsd.regress.mk79
-rw-r--r--crypto/openssh/regress/cfgmatch.sh106
-rw-r--r--crypto/openssh/regress/cipher-speed.sh47
-rw-r--r--crypto/openssh/regress/connect-privsep.sh13
-rw-r--r--crypto/openssh/regress/connect.sh13
-rwxr-xr-xcrypto/openssh/regress/copy.1bin0 -> 45948 bytes
-rwxr-xr-xcrypto/openssh/regress/copy.2bin0 -> 45948 bytes
-rw-r--r--crypto/openssh/regress/dsa_ssh2.prv14
-rw-r--r--crypto/openssh/regress/dsa_ssh2.pub13
-rw-r--r--crypto/openssh/regress/dynamic-forward.sh50
-rw-r--r--crypto/openssh/regress/envpass.sh60
-rw-r--r--crypto/openssh/regress/exit-status.sh24
-rw-r--r--crypto/openssh/regress/forcecommand.sh42
-rw-r--r--crypto/openssh/regress/forwarding.sh95
-rw-r--r--crypto/openssh/regress/keygen-change.sh23
-rw-r--r--crypto/openssh/regress/keyscan.sh19
-rw-r--r--crypto/openssh/regress/login-timeout.sh29
-rw-r--r--crypto/openssh/regress/multiplex.sh92
-rw-r--r--crypto/openssh/regress/proto-mismatch.sh19
-rw-r--r--crypto/openssh/regress/proto-version.sh34
-rw-r--r--crypto/openssh/regress/proxy-connect.sh18
-rw-r--r--crypto/openssh/regress/reconfigure.sh36
-rw-r--r--crypto/openssh/regress/reexec.sh72
-rw-r--r--crypto/openssh/regress/rekey.sh32
-rw-r--r--crypto/openssh/regress/rsa_openssh.prv15
-rw-r--r--crypto/openssh/regress/rsa_openssh.pub1
-rw-r--r--crypto/openssh/regress/rsa_ssh2.prv16
-rwxr-xr-xcrypto/openssh/regress/runtests.sh13
-rw-r--r--crypto/openssh/regress/scp-ssh-wrapper.sh57
-rw-r--r--crypto/openssh/regress/scp.sh127
-rw-r--r--crypto/openssh/regress/sftp-badcmds.sh78
-rw-r--r--crypto/openssh/regress/sftp-batch.sh57
-rw-r--r--crypto/openssh/regress/sftp-cmds.sh211
-rw-r--r--crypto/openssh/regress/sftp-glob.sh28
-rw-r--r--crypto/openssh/regress/sftp.sh35
-rw-r--r--crypto/openssh/regress/ssh-com-client.sh134
-rw-r--r--crypto/openssh/regress/ssh-com-keygen.sh74
-rw-r--r--crypto/openssh/regress/ssh-com-sftp.sh67
-rw-r--r--crypto/openssh/regress/ssh-com.sh119
-rw-r--r--crypto/openssh/regress/sshd-log-wrapper.sh13
-rw-r--r--crypto/openssh/regress/stderr-after-eof.sh40
-rw-r--r--crypto/openssh/regress/stderr-data.sh33
-rw-r--r--crypto/openssh/regress/t4.ok1
-rw-r--r--crypto/openssh/regress/t5.ok1
-rw-r--r--crypto/openssh/regress/test-exec.sh307
-rw-r--r--crypto/openssh/regress/transfer.sh29
-rw-r--r--crypto/openssh/regress/try-ciphers.sh49
-rw-r--r--crypto/openssh/regress/yes-head.sh15
57 files changed, 2947 insertions, 0 deletions
diff --git a/crypto/openssh/regress/Makefile b/crypto/openssh/regress/Makefile
new file mode 100644
index 0000000..5399563
--- /dev/null
+++ b/crypto/openssh/regress/Makefile
@@ -0,0 +1,98 @@
+# $OpenBSD: Makefile,v 1.42 2006/07/19 13:34:52 dtucker Exp $
+
+REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec
+tests: $(REGRESS_TARGETS)
+
+clean:
+ for F in $(CLEANFILES); do rm -f $(OBJ)$$F; done
+distclean: clean
+
+LTESTS= connect \
+ proxy-connect \
+ connect-privsep \
+ proto-version \
+ proto-mismatch \
+ exit-status \
+ envpass \
+ transfer \
+ banner \
+ rekey \
+ stderr-data \
+ stderr-after-eof \
+ broken-pipe \
+ try-ciphers \
+ yes-head \
+ login-timeout \
+ agent \
+ agent-getpeereid \
+ agent-timeout \
+ agent-ptrace \
+ keyscan \
+ keygen-change \
+ scp \
+ sftp \
+ sftp-cmds \
+ sftp-badcmds \
+ sftp-batch \
+ sftp-glob \
+ reconfigure \
+ dynamic-forward \
+ forwarding \
+ multiplex \
+ reexec \
+ brokenkeys \
+ cfgmatch \
+ forcecommand
+
+USER!= id -un
+CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
+ authorized_keys_${USER} known_hosts pidfile \
+ ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \
+ rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
+ rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
+ ls.copy banner.in banner.out empty.in \
+ scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
+ sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv
+
+#LTESTS += ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
+
+t1:
+ ssh-keygen -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv
+
+t2:
+ cat ${.CURDIR}/rsa_openssh.prv > $(OBJ)/t2.out
+ chmod 600 $(OBJ)/t2.out
+ ssh-keygen -yf $(OBJ)/t2.out | diff - ${.CURDIR}/rsa_openssh.pub
+
+t3:
+ ssh-keygen -ef ${.CURDIR}/rsa_openssh.pub >$(OBJ)/rsa_secsh.pub
+ ssh-keygen -if $(OBJ)/rsa_secsh.pub | diff - ${.CURDIR}/rsa_openssh.pub
+ rm -f ${.CURDIR}/rsa_secsh.pub
+
+t4:
+ ssh-keygen -lf ${.CURDIR}/rsa_openssh.pub |\
+ awk '{print $$2}' | diff - ${.CURDIR}/t4.ok
+
+t5:
+ ssh-keygen -Bf ${.CURDIR}/rsa_openssh.pub |\
+ awk '{print $$2}' | diff - ${.CURDIR}/t5.ok
+
+t6:
+ ssh-keygen -if ${.CURDIR}/dsa_ssh2.prv > $(OBJ)/t6.out1
+ ssh-keygen -if ${.CURDIR}/dsa_ssh2.pub > $(OBJ)/t6.out2
+ chmod 600 $(OBJ)/t6.out1
+ ssh-keygen -yf $(OBJ)/t6.out1 | diff - $(OBJ)/t6.out2
+
+$(OBJ)/t7.out:
+ ssh-keygen -q -t rsa -N '' -f $@
+
+t7: $(OBJ)/t7.out
+ ssh-keygen -lf $(OBJ)/t7.out > /dev/null
+ ssh-keygen -Bf $(OBJ)/t7.out > /dev/null
+
+t-exec: ${LTESTS:=.sh}
+ @if [ "x$?" = "x" ]; then exit 0; fi; \
+ for TEST in ""$?; do \
+ echo "run test $${TEST}" ... 1>&2; \
+ (env SUDO=${SUDO} sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$${TEST}) || exit $$?; \
+ done
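Review bot: In `t3` the cleanup line removes `${.CURDIR}/rsa_secsh.pub`, but the two lines above it write and read `$(OBJ)/rsa_secsh.pub`, so the generated file is never deleted, and it is not listed in `CLEANFILES` either; the last recipe line should be `rm -f $(OBJ)/rsa_secsh.pub`. The `clean` recipe has a related inconsistency: it builds paths as `$(OBJ)$$F` while every other rule writes `$(OBJ)/name`, so unless OBJ is defined with a trailing slash (its definition is not in this file) `clean` misses its targets and leaves generated key material such as `t7.out`, created with `-N ''`, in the object directory. `rm -f $(OBJ)/$$F` would match the rest of the file.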
diff --git a/crypto/openssh/regress/README.regress b/crypto/openssh/regress/README.regress
new file mode 100644
index 0000000..5aaf734
--- /dev/null
+++ b/crypto/openssh/regress/README.regress
@@ -0,0 +1,108 @@
+Overview.
+
+$ ./configure && make tests
+
+You'll see some progress info. A failure will cause either the make to
+abort or the driver script to report a "FATAL" failure.
+
+The test consists of 2 parts. The first is the file-based tests which is
+driven by the Makefile, and the second is a set of network or proxycommand
+based tests, which are driven by a driver script (test-exec.sh) which is
+called multiple times by the Makefile.
+
+Failures in the first part will cause the Makefile to return an error.
+Failures in the second part will print a "FATAL" message for the failed
+test and continue.
+
+OpenBSD has a system-wide regression test suite. OpenSSH Portable's test
+suite is based on OpenBSD's with modifications.
+
+
+Environment variables.
+
+SUDO: path to sudo command, if desired. Note that some systems (notably
+ systems using PAM) require sudo to execute some tests.
+TEST_SSH_TRACE: set to "yes" for verbose output from tests
+TEST_SSH_QUIET: set to "yes" to suppress non-fatal output.
+TEST_SSH_x: path to "ssh" command under test, where x=SSH,SSHD,SSHAGENT,SSHADD
+ SSHKEYGEN,SSHKEYSCAN,SFTP,SFTPSERVER
+OBJ: used by test scripts to access build dir.
+TEST_SHELL: shell used for running the test scripts.
+TEST_SSH_PORT: TCP port to be used for the listening tests.
+TEST_SSH_SSH_CONFOTPS: Configuration directives to be added to ssh_config
+ before running each test.
+TEST_SSH_SSHD_CONFOTPS: Configuration directives to be added to sshd_config
+ before running each test.
+
+
+Individual tests.
+
+You can run an individual test from the top-level Makefile, eg:
+$ make tests LTESTS=agent-timeout
+
+If you need to manipulate the environment more you can invoke test-exec.sh
+directly if you set up the path to find the binaries under test and the
+test scripts themselves, for example:
+
+$ cd regress
+$ PATH=`pwd`/..:$PATH:. TEST_SHELL=/bin/sh sh test-exec.sh `pwd` \
+ agent-timeout.sh
+ok agent timeout test
+
+
+Files.
+
+test-exec.sh: the main test driver. Sets environment, creates config files
+and keys and runs the specified test.
+
+At the time of writing, the individual tests are:
+agent-timeout.sh: agent timeout test
+agent.sh: simple agent test
+broken-pipe.sh: broken pipe test
+connect-privsep.sh: proxy connect with privsep
+connect.sh: simple connect
+exit-status.sh: remote exit status
+forwarding.sh: local and remote forwarding
+keygen-change.sh: change passphrase for key
+keyscan.sh: keyscan
+proto-mismatch.sh: protocol version mismatch
+proto-version.sh: sshd version with different protocol combinations
+proxy-connect.sh: proxy connect
+sftp.sh: basic sftp put/get
+ssh-com-client.sh: connect with ssh.com client
+ssh-com-keygen.sh: ssh.com key import
+ssh-com-sftp.sh: basic sftp put/get with ssh.com server
+ssh-com.sh: connect to ssh.com server
+stderr-after-eof.sh: stderr data after eof
+stderr-data.sh: stderr data transfer
+transfer.sh: transfer data
+try-ciphers.sh: try ciphers
+yes-head.sh: yes pipe head
+
+
+Problems?
+
+Run the failing test with shell tracing (-x) turned on:
+$ PATH=`pwd`/..:$PATH:. sh -x test-exec.sh `pwd` agent-timeout.sh
+
+Failed tests can be difficult to diagnose. Suggestions:
+- run the individual test via ./test-exec.sh `pwd` [testname]
+- set LogLevel to VERBOSE in test-exec.sh and enable syslogging of
+ auth.debug (eg to /var/log/authlog).
+
+
+Known Issues.
+
+- If your build requires ssh-rand-helper regress tests will fail
+ unless ssh-rand-helper is in pre-installed (the path to
+ ssh-rand-helper is hard coded).
+
+- Similarly, if you do not have "scp" in your system's $PATH then the
+ multiplex scp tests will fail (since the system's shell startup scripts
+ will determine where the shell started by sshd will look for scp).
+
+- Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head
+ test to fail. The old behaviour can be restored by setting (and
+ exporting) _POSIX2_VERSION=199209 before running the tests.
+
+$Id: README.regress,v 1.10 2005/10/03 10:14:18 dtucker Exp $
diff --git a/crypto/openssh/regress/agent-getpeereid.sh b/crypto/openssh/regress/agent-getpeereid.sh
new file mode 100644
index 0000000..e5fcedd
--- /dev/null
+++ b/crypto/openssh/regress/agent-getpeereid.sh
@@ -0,0 +1,45 @@
+# $OpenBSD: agent-getpeereid.sh,v 1.3 2006/07/06 12:01:53 grunk Exp $
+# Placed in the Public Domain.
+
+tid="disallow agent attach from other uid"
+
+UNPRIV=nobody
+ASOCK=${OBJ}/agent
+SSH_AUTH_SOCK=/nonexistant
+
+if grep "#undef.*HAVE_GETPEEREID" ${BUILDDIR}/config.h >/dev/null 2>&1
+then
+ echo "skipped (not supported on this platform)"
+ exit 0
+fi
+if [ -z "$SUDO" ]; then
+ echo "skipped: need SUDO to switch to uid $UNPRIV"
+ exit 0
+fi
+
+
+trace "start agent"
+eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+ fail "could not start ssh-agent: exit code $r"
+else
+ chmod 644 ${SSH_AUTH_SOCK}
+
+ ssh-add -l > /dev/null 2>&1
+ r=$?
+ if [ $r -ne 1 ]; then
+ fail "ssh-add failed with $r != 1"
+ fi
+
+ < /dev/null ${SUDO} -S -u ${UNPRIV} ssh-add -l > /dev/null 2>&1
+ r=$?
+ if [ $r -lt 2 ]; then
+ fail "ssh-add did not fail for ${UNPRIV}: $r < 2"
+ fi
+
+ trace "kill agent"
+ ${SSHAGENT} -k > /dev/null
+fi
+
+rm -f ${OBJ}/agent
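Review bot: The negative check for the unprivileged user accepts any exit status of 2 or more, so every failure mode that yields such a status, not only the agent rejecting the other uid, is counted as a pass. Both `ssh-add` calls also resolve through `$PATH` rather than the `${SSHADD}` variable the other agent tests use, so the binary exercised may not be the one under test, and under sudo the lookup may differ again. I would call `${SSHADD}` in both places and require the specific status, `if [ $r -ne 2 ]; then fail "ssh-add for ${UNPRIV} returned $r, expected 2"; fi`, on the assumption that 2 is what ssh-add returns when it cannot talk to the agent, as agent.sh expects for an unreachable socket.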
diff --git a/crypto/openssh/regress/agent-ptrace.sh b/crypto/openssh/regress/agent-ptrace.sh
new file mode 100644
index 0000000..4de2638
--- /dev/null
+++ b/crypto/openssh/regress/agent-ptrace.sh
@@ -0,0 +1,53 @@
+# $OpenBSD: agent-ptrace.sh,v 1.1 2002/12/09 15:38:30 markus Exp $
+# Placed in the Public Domain.
+
+tid="disallow agent ptrace attach"
+
+if have_prog uname ; then
+ case `uname` in
+ AIX|CYGWIN*|OSF1)
+ echo "skipped (not supported on this platform)"
+ exit 0
+ ;;
+ esac
+fi
+
+if have_prog gdb ; then
+ : ok
+else
+ echo "skipped (gdb not found)"
+ exit 0
+fi
+
+if test -z "$SUDO" ; then
+ echo "skipped (SUDO not set)"
+ exit 0
+else
+ $SUDO chown 0 ${SSHAGENT}
+ $SUDO chgrp 0 ${SSHAGENT}
+ $SUDO chmod 2755 ${SSHAGENT}
+fi
+
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+ fail "could not start ssh-agent: exit code $r"
+else
+ # ls -l ${SSH_AUTH_SOCK}
+ gdb ${SSHAGENT} ${SSH_AGENT_PID} > ${OBJ}/gdb.out 2>&1 << EOF
+ quit
+EOF
+ if [ $? -ne 0 ]; then
+ fail "gdb failed: exit code $?"
+ fi
+ egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace attach: Permission denied.|procfs:.*: Invalid argument.' >/dev/null ${OBJ}/gdb.out
+ r=$?
+ rm -f ${OBJ}/gdb.out
+ if [ $r -ne 0 ]; then
+ fail "ptrace succeeded?: exit code $r"
+ fi
+
+ trace "kill agent"
+ ${SSHAGENT} -k > /dev/null
+fi
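Review bot: The setup branch runs `$SUDO chown 0`, `chgrp 0` and `chmod 2755` on `${SSHAGENT}` and nothing later in the script restores the original owner, group or mode, so the binary is left root-owned and setgid after the run; if `SSHAGENT` points at an installed binary, that changes the system copy. Consider applying the change to a private copy under `${OBJ}` and removing it at the end. Separately, `fail "gdb failed: exit code $?"` prints the status of the `[` test rather than gdb's; capture it first with `r=$?`, as the script already does for egrep. The same `$?`-inside-the-message pattern appears several times in agent.sh.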
diff --git a/crypto/openssh/regress/agent-timeout.sh b/crypto/openssh/regress/agent-timeout.sh
new file mode 100644
index 0000000..3a40e7a
--- /dev/null
+++ b/crypto/openssh/regress/agent-timeout.sh
@@ -0,0 +1,36 @@
+# $OpenBSD: agent-timeout.sh,v 1.1 2002/06/06 00:38:40 markus Exp $
+# Placed in the Public Domain.
+
+tid="agent timeout test"
+
+SSHAGENT_TIMEOUT=10
+
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+ fail "could not start ssh-agent: exit code $r"
+else
+ trace "add keys with timeout"
+ for t in rsa rsa1; do
+ ${SSHADD} -t ${SSHAGENT_TIMEOUT} $OBJ/$t > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh-add did succeed exit code 0"
+ fi
+ done
+ n=`${SSHADD} -l 2> /dev/null | wc -l`
+ trace "agent has $n keys"
+ if [ $n -ne 2 ]; then
+ fail "ssh-add -l did not return 2 keys: $n"
+ fi
+ trace "sleeping 2*${SSHAGENT_TIMEOUT} seconds"
+ sleep ${SSHAGENT_TIMEOUT}
+ sleep ${SSHAGENT_TIMEOUT}
+ ${SSHADD} -l 2> /dev/null | grep 'The agent has no identities.' >/dev/null
+ if [ $? -ne 0 ]; then
+ fail "ssh-add -l still returns keys after timeout"
+ fi
+
+ trace "kill agent"
+ ${SSHAGENT} -k > /dev/null
+fi
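Review bot: The message in the key-adding loop is inverted: `fail "ssh-add did succeed exit code 0"` is emitted when `ssh-add -t` returned non-zero, and it names neither the key nor the status. Something like `r=$?; if [ $r -ne 0 ]; then fail "ssh-add -t failed for $t: exit code $r"; fi` would make a failure diagnosable, especially since stderr is discarded on that line. agent.sh carries the same message in its own key loop.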
diff --git a/crypto/openssh/regress/agent.sh b/crypto/openssh/regress/agent.sh
new file mode 100644
index 0000000..b344877
--- /dev/null
+++ b/crypto/openssh/regress/agent.sh
@@ -0,0 +1,75 @@
+# $OpenBSD: agent.sh,v 1.6 2002/03/15 13:08:56 markus Exp $
+# Placed in the Public Domain.
+
+tid="simple agent test"
+
+SSH_AUTH_SOCK=/nonexistant ${SSHADD} -l > /dev/null 2>&1
+if [ $? -ne 2 ]; then
+ fail "ssh-add -l did not fail with exit code 2"
+fi
+
+trace "start agent"
+eval `${SSHAGENT} -s` > /dev/null
+r=$?
+if [ $r -ne 0 ]; then
+ fail "could not start ssh-agent: exit code $r"
+else
+ ${SSHADD} -l > /dev/null 2>&1
+ if [ $? -ne 1 ]; then
+ fail "ssh-add -l did not fail with exit code 1"
+ fi
+ trace "overwrite authorized keys"
+ echon > $OBJ/authorized_keys_$USER
+ for t in rsa rsa1; do
+ # generate user key for agent
+ rm -f $OBJ/$t-agent
+ ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
+ fail "ssh-keygen for $t-agent failed"
+ # add to authorized keys
+ cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER
+ # add privat key to agent
+ ${SSHADD} $OBJ/$t-agent > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh-add did succeed exit code 0"
+ fi
+ done
+ ${SSHADD} -l > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh-add -l failed: exit code $?"
+ fi
+ # the same for full pubkey output
+ ${SSHADD} -L > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh-add -L failed: exit code $?"
+ fi
+
+ trace "simple connect via agent"
+ for p in 1 2; do
+ ${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p
+ if [ $? -ne 5$p ]; then
+ fail "ssh connect with protocol $p failed (exit code $?)"
+ fi
+ done
+
+ trace "agent forwarding"
+ for p in 1 2; do
+ ${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh-add -l via agent fwd proto $p failed (exit code $?)"
+ fi
+ ${SSH} -A -$p -F $OBJ/ssh_proxy somehost \
+ "${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p"
+ if [ $? -ne 5$p ]; then
+ fail "agent fwd proto $p failed (exit code $?)"
+ fi
+ done
+
+ trace "delete all agent keys"
+ ${SSHADD} -D > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "ssh-add -D failed: exit code $?"
+ fi
+
+ trace "kill agent"
+ ${SSHAGENT} -k > /dev/null
+fi
diff --git a/crypto/openssh/regress/banner.sh b/crypto/openssh/regress/banner.sh
new file mode 100644
index 0000000..0b9c950
--- /dev/null
+++ b/crypto/openssh/regress/banner.sh
@@ -0,0 +1,44 @@
+# $OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="banner"
+echo "Banner $OBJ/banner.in" >> $OBJ/sshd_proxy
+
+rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in
+touch $OBJ/empty.in
+
+trace "test missing banner file"
+verbose "test $tid: missing banner file"
+( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+ cmp $OBJ/empty.in $OBJ/banner.out ) || \
+ fail "missing banner file"
+
+for s in 0 10 100 1000 10000 100000 ; do
+ if [ "$s" = "0" ]; then
+ # create empty banner
+ touch $OBJ/banner.in
+ elif [ "$s" = "10" ]; then
+ # create 10-byte banner file
+ echo "abcdefghi" >$OBJ/banner.in
+ else
+ # increase size 10x
+ cp $OBJ/banner.in $OBJ/banner.out
+ for i in 0 1 2 3 4 5 6 7 8 ; do
+ cat $OBJ/banner.out >> $OBJ/banner.in
+ done
+ fi
+
+ trace "test banner size $s"
+ verbose "test $tid: size $s"
+ ( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+ cmp $OBJ/banner.in $OBJ/banner.out ) || \
+ fail "banner size $s mismatch"
+done
+
+trace "test suppress banner (-q)"
+verbose "test $tid: suppress banner (-q)"
+( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+ cmp $OBJ/empty.in $OBJ/banner.out ) || \
+ fail "suppress banner (-q)"
+
+rm -f $OBJ/banner.out $OBJ/banner.in $OBJ/empty.in
diff --git a/crypto/openssh/regress/broken-pipe.sh b/crypto/openssh/regress/broken-pipe.sh
new file mode 100644
index 0000000..c08c849
--- /dev/null
+++ b/crypto/openssh/regress/broken-pipe.sh
@@ -0,0 +1,15 @@
+# $OpenBSD: broken-pipe.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
+# Placed in the Public Domain.
+
+tid="broken pipe test"
+
+for p in 1 2; do
+ trace "protocol $p"
+ for i in 1 2 3 4; do
+ ${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true
+ r=$?
+ if [ $r -ne 0 ]; then
+ fail "broken pipe returns $r for protocol $p"
+ fi
+ done
+done
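Review bot: `r=$?` after `${SSH} ... | true` captures the status of `true`, the last command in the pipeline, so the `[ $r -ne 0 ]` check cannot fail whatever ssh does, and the stderr redirect to /dev/null hides any ssh error as well. The config path `$OBJ/ssh_config_config` also looks unintended: the other tests use `$OBJ/ssh_config` or `$OBJ/ssh_proxy`, and the Makefile's CLEANFILES has no such name, so ssh may be failing on a missing file without anyone noticing. If the intent is to confirm that ssh survives the closed pipe, the script needs to record ssh's own status, for example by writing `$?` to a file under `$OBJ` from inside a subshell on the left side of the pipe and comparing that value afterwards.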
diff --git a/crypto/openssh/regress/brokenkeys.sh b/crypto/openssh/regress/brokenkeys.sh
new file mode 100644
index 0000000..3e70c34
--- /dev/null
+++ b/crypto/openssh/regress/brokenkeys.sh
@@ -0,0 +1,23 @@
+# $OpenBSD: brokenkeys.sh,v 1.1 2004/10/29 23:59:22 djm Exp $
+# Placed in the Public Domain.
+
+tid="broken keys"
+
+KEYS="$OBJ/authorized_keys_${USER}"
+
+start_sshd
+
+mv ${KEYS} ${KEYS}.bak
+
+# Truncated key
+echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEABTM= bad key" > $KEYS
+cat ${KEYS}.bak >> ${KEYS}
+cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+
+${SSH} -2 -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+ fail "ssh connect with protocol $p failed"
+fi
+
+mv ${KEYS}.bak ${KEYS}
+
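Review bot: `cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER` uses `$t`, which this script never sets, so unless the driver happens to leave a value behind it expands to `$OBJ/.pub`; the fail message likewise prints `$p`, which is not set here either. The preceding `cat ${KEYS}.bak >> ${KEYS}` already puts the valid keys after the truncated one, so the `$t` line can be dropped, or replaced by an explicit key such as `cat $OBJ/rsa.pub >> ${KEYS}`. The message would be clearer as `fail "ssh connect with truncated key in authorized_keys failed"`. A one-line comment stating that the test expects login to succeed despite the malformed first entry would also help.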
diff --git a/crypto/openssh/regress/bsd.regress.mk b/crypto/openssh/regress/bsd.regress.mk
new file mode 100644
index 0000000..9b8011a
--- /dev/null
+++ b/crypto/openssh/regress/bsd.regress.mk
@@ -0,0 +1,79 @@
+# $OpenBSD: bsd.regress.mk,v 1.9 2002/02/17 01:10:15 marc Exp $
+# No man pages for regression tests.
+NOMAN=
+
+# No installation.
+install:
+
+# If REGRESSTARGETS is defined and PROG is not defined, set NOPROG
+.if defined(REGRESSTARGETS) && !defined(PROG)
+NOPROG=
+.endif
+
+.include <bsd.prog.mk>
+
+.MAIN: all
+all: regress
+
+# XXX - Need full path to REGRESSLOG, otherwise there will be much pain.
+
+REGRESSLOG?=/dev/null
+REGRESSNAME=${.CURDIR:S/${BSDSRCDIR}\/regress\///}
+
+.if defined(PROG) && !empty(PROG)
+run-regress-${PROG}: ${PROG}
+ ./${PROG}
+.endif
+
+.if !defined(REGRESSTARGETS)
+REGRESSTARGETS=run-regress-${PROG}
+. if defined(REGRESSSKIP)
+REGRESSSKIPTARGETS=run-regress-${PROG}
+. endif
+.endif
+
+REGRESSSKIPSLOW?=no
+
+#.if (${REGRESSSKIPSLOW:L} == "yes") && defined(REGRESSSLOWTARGETS)
+
+.if (${REGRESSSKIPSLOW} == "yes") && defined(REGRESSSLOWTARGETS)
+REGRESSSKIPTARGETS+=${REGRESSSLOWTARGETS}
+.endif
+
+.if defined(REGRESSROOTTARGETS)
+ROOTUSER!=id -g
+SUDO?=
+. if (${ROOTUSER} != 0) && empty(SUDO)
+REGRESSSKIPTARGETS+=${REGRESSROOTTARGETS}
+. endif
+.endif
+
+REGRESSSKIPTARGETS?=
+
+regress:
+.for RT in ${REGRESSTARGETS}
+. if ${REGRESSSKIPTARGETS:M${RT}}
+ @echo -n "SKIP " >> ${REGRESSLOG}
+. else
+# XXX - we need a better method to see if a test fails due to timeout or just
+# normal failure.
+. if !defined(REGRESSMAXTIME)
+ @if cd ${.CURDIR} && ${MAKE} ${RT}; then \
+ echo -n "SUCCESS " >> ${REGRESSLOG} ; \
+ else \
+ echo -n "FAIL " >> ${REGRESSLOG} ; \
+ echo FAILED ; \
+ fi
+. else
+ @if cd ${.CURDIR} && (ulimit -t ${REGRESSMAXTIME} ; ${MAKE} ${RT}); then \
+ echo -n "SUCCESS " >> ${REGRESSLOG} ; \
+ else \
+ echo -n "FAIL (possible timeout) " >> ${REGRESSLOG} ; \
+ echo FAILED ; \
+ fi
+. endif
+. endif
+ @echo ${REGRESSNAME}/${RT:S/^run-regress-//} >> ${REGRESSLOG}
+.endfor
+
+.PHONY: regress
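Review bot: `ROOTUSER!=id -g` reads the caller's primary group id, not the user id, yet the result is compared with 0 to decide whether `REGRESSROOTTARGETS` can run without `SUDO`. An unprivileged account whose primary group is 0 would be treated as root, so the root-only targets would run and fail instead of being skipped, while root with a non-zero primary group would skip them. `ROOTUSER!=id -u` matches what the variable name and the comparison intend.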
diff --git a/crypto/openssh/regress/cfgmatch.sh b/crypto/openssh/regress/cfgmatch.sh
new file mode 100644
index 0000000..d987dcb
--- /dev/null
+++ b/crypto/openssh/regress/cfgmatch.sh
@@ -0,0 +1,106 @@
+# $OpenBSD: cfgmatch.sh,v 1.2 2006/07/22 01:50:00 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="sshd_config match"
+
+pidfile=$OBJ/remote_pid
+fwdport=3301
+fwd="-L $fwdport:127.0.0.1:$PORT"
+
+stop_client()
+{
+ pid=`cat $pidfile`
+ if [ ! -z "$pid" ]; then
+ kill $pid
+ sleep 1
+ fi
+}
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
+
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
+
+start_sshd
+
+#set -x
+
+# Test Match + PermitOpen in sshd_config. This should be permitted
+for p in 1 2; do
+ rm -f $pidfile
+ trace "match permitopen localhost proto $p"
+ ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+ "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+ fail "match permitopen proto $p sshd failed"
+ sleep 1;
+ ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+ fail "match permitopen permit proto $p"
+ stop_client
+done
+
+# Same but from different source. This should not be permitted
+for p in 1 2; do
+ rm -f $pidfile
+ trace "match permitopen proxy proto $p"
+ ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+ "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+ fail "match permitopen proxy proto $p sshd failed"
+ sleep 1;
+ ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+ fail "match permitopen deny proto $p"
+ stop_client
+done
+
+# Retry previous with key option, should also be denied.
+echo -n 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+for p in 1 2; do
+ rm -f $pidfile
+ trace "match permitopen proxy w/key opts proto $p"
+ ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+ "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+ fail "match permitopen w/key opt proto $p sshd failed"
+ sleep 1;
+ ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+ fail "match permitopen deny w/key opt proto $p"
+ stop_client
+done
+
+# Test both sshd_config and key options permitting the same dst/port pair.
+# Should be permitted.
+for p in 1 2; do
+ rm -f $pidfile
+ trace "match permitopen localhost proto $p"
+ ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+ "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+ fail "match permitopen proto $p sshd failed"
+ sleep 1;
+ ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+ fail "match permitopen permit proto $p"
+ stop_client
+done
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
+echo "Match User $USER" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
+
+# Test that a Match overrides a PermitOpen in the global section
+for p in 1 2; do
+ rm -f $pidfile
+ trace "match permitopen proxy w/key opts proto $p"
+ ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+ "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+ fail "match override permitopen proto $p sshd failed"
+ sleep 1;
+ ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+ fail "match override permitopen proto $p"
+ stop_client
+done
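Review bot: The three deny loops treat any non-zero exit from `${SSH} -q -$p -p $fwdport ... true` as proof that PermitOpen blocked the forward, so they also pass when the local listener on the hard-coded port 3301 never came up (port already in use, forwarding ssh exited early) or when the probe fails for an unrelated reason. A negative test of an access control should confirm the refusal itself, for instance by checking that `$pidfile` was written before probing, so the forwarding session is known to be alive, and by looking for the refusal in the log. `stop_client` also runs `cat $pidfile` without checking that the file exists. The last loop's trace text still says "w/key opts" although it tests the Match override.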
diff --git a/crypto/openssh/regress/cipher-speed.sh b/crypto/openssh/regress/cipher-speed.sh
new file mode 100644
index 0000000..5925111
--- /dev/null
+++ b/crypto/openssh/regress/cipher-speed.sh
@@ -0,0 +1,47 @@
+# $OpenBSD: cipher-speed.sh,v 1.2 2005/05/24 04:09:54 djm Exp $
+# Placed in the Public Domain.
+
+tid="cipher speed"
+
+getbytes ()
+{
+ sed -n '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p'
+}
+
+tries="1 2"
+DATA=/bin/ls
+DATA=/bsd
+
+macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
+ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
+ arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc aes128-ctr"
+
+for c in $ciphers; do for m in $macs; do
+ trace "proto 2 cipher $c mac $m"
+ for x in $tries; do
+ echo -n "$c/$m:\t"
+ ( ${SSH} -o 'compression no' \
+ -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
+ exec sh -c \'"dd of=/dev/null obs=32k"\' \
+ < ${DATA} ) 2>&1 | getbytes
+
+ if [ $? -ne 0 ]; then
+ fail "ssh -2 failed with mac $m cipher $c"
+ fi
+ done
+done; done
+
+ciphers="3des blowfish"
+for c in $ciphers; do
+ trace "proto 1 cipher $c"
+ for x in $tries; do
+ echo -n "$c:\t"
+ ( ${SSH} -o 'compression no' \
+ -F $OBJ/ssh_proxy -1 -c $c somehost \
+ exec sh -c \'"dd of=/dev/null obs=32k"\' \
+ < ${DATA} ) 2>&1 | getbytes
+ if [ $? -ne 0 ]; then
+ fail "ssh -1 failed with cipher $c"
+ fi
+ done
+done
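Review bot: `$?` after `( ${SSH} ... ) 2>&1 | getbytes` is the status of the `sed` inside `getbytes`, so neither loop's `fail` fires when ssh rejects a cipher or MAC or cannot connect; the run simply prints an empty rate. `DATA=/bin/ls` is also overwritten on the next line by `DATA=/bsd`, a path that exists only on some systems, and a missing file makes the input redirection fail inside the subshell with the same silent result. Consider keeping a single `DATA` assignment guarded by `test -r "$DATA"`, and capturing ssh's status separately from the pipeline.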
diff --git a/crypto/openssh/regress/connect-privsep.sh b/crypto/openssh/regress/connect-privsep.sh
new file mode 100644
index 0000000..d23cadb
--- /dev/null
+++ b/crypto/openssh/regress/connect-privsep.sh
@@ -0,0 +1,13 @@
+# $OpenBSD: connect-privsep.sh,v 1.1 2002/03/21 21:45:07 markus Exp $
+# Placed in the Public Domain.
+
+tid="proxy connect with privsep"
+
+echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+ ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
+ if [ $? -ne 0 ]; then
+ fail "ssh privsep+proxyconnect protocol $p failed"
+ fi
+done
diff --git a/crypto/openssh/regress/connect.sh b/crypto/openssh/regress/connect.sh
new file mode 100644
index 0000000..2186fa6
--- /dev/null
+++ b/crypto/openssh/regress/connect.sh
@@ -0,0 +1,13 @@
+# $OpenBSD: connect.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
+# Placed in the Public Domain.
+
+tid="simple connect"
+
+start_sshd
+
+for p in 1 2; do
+ ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
+ if [ $? -ne 0 ]; then
+ fail "ssh connect with protocol $p failed"
+ fi
+done
diff --git a/crypto/openssh/regress/copy.1 b/crypto/openssh/regress/copy.1
new file mode 100755
index 0000000..92d4d20
--- /dev/null
+++ b/crypto/openssh/regress/copy.1
Binary files differ
diff --git a/crypto/openssh/regress/copy.2 b/crypto/openssh/regress/copy.2
new file mode 100755
index 0000000..92d4d20
--- /dev/null
+++ b/crypto/openssh/regress/copy.2
Binary files differ
diff --git a/crypto/openssh/regress/dsa_ssh2.prv b/crypto/openssh/regress/dsa_ssh2.prv
new file mode 100644
index 0000000..c93b403
--- /dev/null
+++ b/crypto/openssh/regress/dsa_ssh2.prv
@@ -0,0 +1,14 @@
+---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
+Subject: ssh-keygen test
+Comment: "1024-bit dsa, Tue Jan 08 2002 22:00:23 +0100"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+---- END SSH2 ENCRYPTED PRIVATE KEY ----
diff --git a/crypto/openssh/regress/dsa_ssh2.pub b/crypto/openssh/regress/dsa_ssh2.pub
new file mode 100644
index 0000000..215d73ba
--- /dev/null
+++ b/crypto/openssh/regress/dsa_ssh2.pub
@@ -0,0 +1,13 @@
+---- BEGIN SSH2 PUBLIC KEY ----
+Subject: ssh-keygen test
+Comment: "1024-bit dsa, Tue Jan 08 2002 22:00:23 +0100"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+---- END SSH2 PUBLIC KEY ----
diff --git a/crypto/openssh/regress/dynamic-forward.sh b/crypto/openssh/regress/dynamic-forward.sh
new file mode 100644
index 0000000..4674a7b
--- /dev/null
+++ b/crypto/openssh/regress/dynamic-forward.sh
@@ -0,0 +1,50 @@
+# $OpenBSD: dynamic-forward.sh,v 1.4 2004/06/22 22:55:56 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="dynamic forwarding"
+
+FWDPORT=`expr $PORT + 1`
+
+DATA=/bin/ls${EXEEXT}
+
+if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then
+ proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
+elif have_prog connect; then
+ proxycmd="connect -S 127.0.0.1:$FWDPORT -"
+else
+ echo "skipped (no suitable ProxyCommand found)"
+ exit 0
+fi
+trace "will use ProxyCommand $proxycmd"
+
+start_sshd
+
+for p in 1 2; do
+ trace "start dynamic forwarding, fork to background"
+ ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q somehost \
+ exec sh -c \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
+
+ for s in 4 5; do
+ for h in 127.0.0.1 localhost; do
+ trace "testing ssh protocol $p socks version $s host $h"
+ ${SSH} -F $OBJ/ssh_config \
+ -o "ProxyCommand ${proxycmd}${s} $h $PORT" \
+ somehost cat $DATA > $OBJ/ls.copy
+ test -f $OBJ/ls.copy || fail "failed copy $DATA"
+ cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA"
+ done
+ done
+
+ if [ -f $OBJ/remote_pid ]; then
+ remote=`cat $OBJ/remote_pid`
+ trace "terminate remote shell, pid $remote"
+ if [ $remote -gt 1 ]; then
+ kill -HUP $remote
+ fi
+ else
+ fail "no pid file: $OBJ/remote_pid"
+ fi
+
+ # Must allow time for connection tear-down
+ sleep 2
+done
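Review bot: `$OBJ/remote_pid` is never removed before the backgrounded `${SSH} -f -D` starts, so if that ssh fails on the second protocol pass, or a file is left over from an earlier run, the script reads a stale pid and sends `kill -HUP` to whatever process now owns it. cfgmatch.sh does `rm -f $pidfile` at the top of each iteration; the same `rm -f $OBJ/remote_pid` here, plus a check of the `${SSH} -f` exit status, would close the gap. `[ $remote -gt 1 ]` also errors out if the file is empty, since `$remote` is unquoted and not validated as a number.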
diff --git a/crypto/openssh/regress/envpass.sh b/crypto/openssh/regress/envpass.sh
new file mode 100644
index 0000000..af7eafe
--- /dev/null
+++ b/crypto/openssh/regress/envpass.sh
@@ -0,0 +1,60 @@
+# $OpenBSD: envpass.sh,v 1.4 2005/03/04 08:48:46 djm Exp $
+# Placed in the Public Domain.
+
+tid="environment passing"
+
+# NB accepted env vars are in test-exec.sh (_XXX_TEST_* and _XXX_TEST)
+
+# Prepare a custom config to test for a configuration parsing bug fixed in 4.0
+cat << EOF > $OBJ/ssh_proxy_envpass
+Host test-sendenv-confparse-bug
+ SendEnv *
+EOF
+cat $OBJ/ssh_proxy >> $OBJ/ssh_proxy_envpass
+
+trace "pass env, don't accept"
+verbose "test $tid: pass env, don't accept"
+_TEST_ENV=blah ${SSH} -oSendEnv="*" -F $OBJ/ssh_proxy_envpass otherhost \
+ sh << 'EOF'
+ test -z "$_TEST_ENV"
+EOF
+r=$?
+if [ $r -ne 0 ]; then
+ fail "environment found"
+fi
+
+trace "don't pass env, accept"
+verbose "test $tid: don't pass env, accept"
+_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -F $OBJ/ssh_proxy_envpass otherhost \
+ sh << 'EOF'
+ test -z "$_XXX_TEST_A" && test -z "$_XXX_TEST_B"
+EOF
+r=$?
+if [ $r -ne 0 ]; then
+ fail "environment found"
+fi
+
+trace "pass single env, accept single env"
+verbose "test $tid: pass single env, accept single env"
+_XXX_TEST=blah ${SSH} -oSendEnv="_XXX_TEST" -F $OBJ/ssh_proxy_envpass \
+ otherhost sh << 'EOF'
+ test X"$_XXX_TEST" = X"blah"
+EOF
+r=$?
+if [ $r -ne 0 ]; then
+ fail "environment not found"
+fi
+
+trace "pass multiple env, accept multiple env"
+verbose "test $tid: pass multiple env, accept multiple env"
+_XXX_TEST_A=1 _XXX_TEST_B=2 ${SSH} -oSendEnv="_XXX_TEST_*" \
+ -F $OBJ/ssh_proxy_envpass otherhost \
+ sh << 'EOF'
+ test X"$_XXX_TEST_A" = X"1" -a X"$_XXX_TEST_B" = X"2"
+EOF
+r=$?
+if [ $r -ne 0 ]; then
+ fail "environment not found"
+fi
+
+rm -f $OBJ/ssh_proxy_envpass
diff --git a/crypto/openssh/regress/exit-status.sh b/crypto/openssh/regress/exit-status.sh
new file mode 100644
index 0000000..56b78a6
--- /dev/null
+++ b/crypto/openssh/regress/exit-status.sh
@@ -0,0 +1,24 @@
+# $OpenBSD: exit-status.sh,v 1.6 2002/03/15 13:08:56 markus Exp $
+# Placed in the Public Domain.
+
+tid="remote exit status"
+
+for p in 1 2; do
+ for s in 0 1 4 5 44; do
+ trace "proto $p status $s"
+ verbose "test $tid: proto $p status $s"
+ ${SSH} -$p -F $OBJ/ssh_proxy otherhost exit $s
+ r=$?
+ if [ $r -ne $s ]; then
+ fail "exit code mismatch for protocol $p: $r != $s"
+ fi
+
+ # same with early close of stdout/err
+ ${SSH} -$p -F $OBJ/ssh_proxy -n otherhost \
+ exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
+ r=$?
+ if [ $r -ne $s ]; then
+ fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
+ fi
+ done
+done
diff --git a/crypto/openssh/regress/forcecommand.sh b/crypto/openssh/regress/forcecommand.sh
new file mode 100644
index 0000000..99e51a6
--- /dev/null
+++ b/crypto/openssh/regress/forcecommand.sh
@@ -0,0 +1,42 @@
+# $OpenBSD: forcecommand.sh,v 1.1 2006/07/19 13:09:28 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="forced command"
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+echon 'command="true" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echon 'command="true" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+
+for p in 1 2; do
+ trace "forced command in key option proto $p"
+ ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+ fail "forced command in key proto $p"
+done
+
+echon 'command="false" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echon 'command="false" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand true" >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+ trace "forced command in sshd_config overrides key option proto $p"
+ ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+ fail "forced command in key proto $p"
+done
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand false" >> $OBJ/sshd_proxy
+echo "Match User $USER" >> $OBJ/sshd_proxy
+echo " ForceCommand true" >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+ trace "forced command with match proto $p"
+ ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+ fail "forced command in key proto $p"
+done
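Review bot: The `\ ||` ending the three `${SSH} -$p -F $OBJ/ssh_proxy somehost false` lines escapes a space rather than continuing the line, so a one-space word is appended to the remote command; the forced command hides this, but the line should read `${SSH} -$p -F $OBJ/ssh_proxy somehost false ||`. All three loops also report the same `fail "forced command in key proto $p"`, so a failure in the `ForceCommand` or `Match` case cannot be told apart from the key-option case; `fail "forced command in sshd_config proto $p"` and `fail "forced command with match proto $p"` would separate them. The script ends without restoring `$OBJ/sshd_proxy` from `$OBJ/sshd_proxy_bak` or resetting `authorized_keys_$USER`, which later tests sharing `$OBJ` may inherit; that depends on the harness, which is outside this hunk.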
diff --git a/crypto/openssh/regress/forwarding.sh b/crypto/openssh/regress/forwarding.sh
new file mode 100644
index 0000000..9ffbb3d
--- /dev/null
+++ b/crypto/openssh/regress/forwarding.sh
@@ -0,0 +1,95 @@
+# $OpenBSD: forwarding.sh,v 1.6 2006/07/11 18:51:21 markus Exp $
+# Placed in the Public Domain.
+
+tid="local and remote forwarding"
+DATA=/bin/ls${EXEEXT}
+
+start_sshd
+
+base=33
+last=$PORT
+fwd=""
+for j in 0 1 2; do
+ for i in 0 1 2; do
+ a=$base$j$i
+ b=`expr $a + 50`
+ c=$last
+ # fwd chain: $a -> $b -> $c
+ fwd="$fwd -L$a:127.0.0.1:$b -R$b:127.0.0.1:$c"
+ last=$a
+ done
+done
+for p in 1 2; do
+ q=`expr 3 - $p`
+ trace "start forwarding, fork to background"
+ ${SSH} -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10
+
+ trace "transfer over forwarded channels and check result"
+ ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
+ somehost cat $DATA > $OBJ/ls.copy
+ test -f $OBJ/ls.copy || fail "failed copy $DATA"
+ cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA"
+
+ sleep 10
+done
+
+for p in 1 2; do
+for d in L R; do
+ trace "exit on -$d forward failure, proto $p"
+
+ # this one should succeed
+ ${SSH} -$p -F $OBJ/ssh_config \
+ -$d ${base}01:127.0.0.1:$PORT \
+ -$d ${base}02:127.0.0.1:$PORT \
+ -$d ${base}03:127.0.0.1:$PORT \
+ -$d ${base}04:127.0.0.1:$PORT \
+ -oExitOnForwardFailure=yes somehost true
+ if [ $? != 0 ]; then
+ fail "connection failed, should not"
+ else
+ # this one should fail
+ ${SSH} -q -$p -F $OBJ/ssh_config \
+ -$d ${base}01:127.0.0.1:$PORT \
+ -$d ${base}02:127.0.0.1:$PORT \
+ -$d ${base}03:127.0.0.1:$PORT \
+ -$d ${base}01:127.0.0.1:$PORT \
+ -$d ${base}04:127.0.0.1:$PORT \
+ -oExitOnForwardFailure=yes somehost true
+ r=$?
+ if [ $r != 255 ]; then
+ fail "connection not termintated, but should ($r)"
+ fi
+ fi
+done
+done
+
+for p in 1 2; do
+ trace "simple clear forwarding proto $p"
+ ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
+
+ trace "clear local forward proto $p"
+ ${SSH} -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
+ -oClearAllForwardings=yes somehost sleep 10
+ if [ $? != 0 ]; then
+ fail "connection failed with cleared local forwarding"
+ else
+ # this one should fail
+ ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
+ 2>${TEST_SSH_LOGFILE} && \
+ fail "local forwarding not cleared"
+ fi
+ sleep 10
+
+ trace "clear remote forward proto $p"
+ ${SSH} -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
+ -oClearAllForwardings=yes somehost sleep 10
+ if [ $? != 0 ]; then
+ fail "connection failed with cleared remote forwarding"
+ else
+ # this one should fail
+ ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
+ 2>${TEST_SSH_LOGFILE} && \
+ fail "remote forwarding not cleared"
+ fi
+ sleep 10
+done
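Review bot: In both "this one should fail" probes of the ClearAllForwardings block, `${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true` names no destination, so ssh takes `true` as the host rather than as the remote command. Whether the probe then fails for the intended reason depends on `$OBJ/ssh_config`, which is not visible here; `-p ${base}01 somehost true` makes the check explicit. The listener ports are fixed values built from `base=33`, so an unrelated local listener on one of them can break or mask the ExitOnForwardFailure cases. The message `"connection not termintated, but should ($r)"` has a typo.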
diff --git a/crypto/openssh/regress/keygen-change.sh b/crypto/openssh/regress/keygen-change.sh
new file mode 100644
index 0000000..08d3590
--- /dev/null
+++ b/crypto/openssh/regress/keygen-change.sh
@@ -0,0 +1,23 @@
+# $OpenBSD: keygen-change.sh,v 1.2 2002/07/16 09:15:55 markus Exp $
+# Placed in the Public Domain.
+
+tid="change passphrase for key"
+
+S1="secret1"
+S2="2secret"
+
+for t in rsa dsa rsa1; do
+ # generate user key for agent
+ trace "generating $t key"
+ rm -f $OBJ/$t-key
+ ${SSHKEYGEN} -q -N ${S1} -t $t -f $OBJ/$t-key
+ if [ $? -eq 0 ]; then
+ ${SSHKEYGEN} -p -P ${S1} -N ${S2} -f $OBJ/$t-key > /dev/null
+ if [ $? -ne 0 ]; then
+ fail "ssh-keygen -p failed for $t-key"
+ fi
+ else
+ fail "ssh-keygen for $t-key failed"
+ fi
+ rm -f $OBJ/$t-key $OBJ/$t-key.pub
+done
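Review bot: Only the exit status of `ssh-keygen -p` is checked, so the loop never confirms that the key is afterwards protected by `${S2}` and no longer opens with `${S1}`. A follow-up such as `${SSHKEYGEN} -y -P ${S2} -f $OBJ/$t-key >/dev/null || fail "new passphrase rejected for $t-key"` would pin that, though whether `-y` handles the `rsa1` format in this version needs confirming. The comment `# generate user key for agent` looks copied from an agent test; `# generate a passphrase-protected key` matches what the loop does. Passing passphrases through `-N`/`-P` exposes them in the process list, which is tolerable here only because they are fixed test values.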
diff --git a/crypto/openssh/regress/keyscan.sh b/crypto/openssh/regress/keyscan.sh
new file mode 100644
index 0000000..33f14f0
--- /dev/null
+++ b/crypto/openssh/regress/keyscan.sh
@@ -0,0 +1,19 @@
+# $OpenBSD: keyscan.sh,v 1.3 2002/03/15 13:08:56 markus Exp $
+# Placed in the Public Domain.
+
+tid="keyscan"
+
+# remove DSA hostkey
+rm -f ${OBJ}/host.dsa
+
+start_sshd
+
+for t in rsa1 rsa dsa; do
+ trace "keyscan type $t"
+ ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
+ > /dev/null 2>&1
+ r=$?
+ if [ $r -ne 0 ]; then
+ fail "ssh-keyscan -t $t failed with: $r"
+ fi
+done
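Review bot: All ssh-keyscan output goes to `/dev/null` and only the exit status is tested, so the loop does not confirm that a key of type `$t` was actually returned; that matters most for `dsa`, whose host key is deleted by `rm -f ${OBJ}/host.dsa` before sshd starts. If ssh-keyscan exits 0 when a host offers no key of the requested type (worth confirming for this version), the `dsa` iteration passes without checking anything. A comment stating the intent of the removal, e.g. `# dsa scan must cope with a server that has no DSA host key`, plus a check on captured output for the `rsa1` and `rsa` cases would make the expectation explicit.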
diff --git a/crypto/openssh/regress/login-timeout.sh b/crypto/openssh/regress/login-timeout.sh
new file mode 100644
index 0000000..15a887f
--- /dev/null
+++ b/crypto/openssh/regress/login-timeout.sh
@@ -0,0 +1,29 @@
+# $OpenBSD: login-timeout.sh,v 1.4 2005/02/27 23:13:36 djm Exp $
+# Placed in the Public Domain.
+
+tid="connect after login grace timeout"
+
+trace "test login grace with privsep"
+echo "LoginGraceTime 10s" >> $OBJ/sshd_config
+echo "MaxStartups 1" >> $OBJ/sshd_config
+start_sshd
+
+(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 &
+sleep 15
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+ fail "ssh connect after login grace timeout failed with privsep"
+fi
+
+$SUDO kill `cat $PIDFILE`
+
+trace "test login grace without privsep"
+echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config
+start_sshd
+
+(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 &
+sleep 15
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+ fail "ssh connect after login grace timeout failed without privsep"
+fi
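Review bot: Both stalled-client probes rely on an external `telnet` binary with all output sent to `/dev/null`, so on a host without telnet the `MaxStartups 1` slot is never occupied and the following `${SSH} -F $OBJ/ssh_config somehost true` passes without exercising LoginGraceTime at all. A guard before the first probe, using the helpers other scripts in this commit already call, would close that gap: `have_prog telnet || fatal "telnet not found"`. The two background pipelines keep their `sleep 60` running after the script ends, and the `LoginGraceTime`/`MaxStartups`/`UsePrivilegeSeparation` lines appended to `$OBJ/sshd_config` are never removed.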
diff --git a/crypto/openssh/regress/multiplex.sh b/crypto/openssh/regress/multiplex.sh
new file mode 100644
index 0000000..4fba7b5
--- /dev/null
+++ b/crypto/openssh/regress/multiplex.sh
@@ -0,0 +1,92 @@
+# $OpenBSD: multiplex.sh,v 1.11 2005/04/25 09:54:09 dtucker Exp $
+# Placed in the Public Domain.
+
+CTL=/tmp/openssh.regress.ctl-sock.$$
+
+tid="connection multiplexing"
+
+if grep "#define.*DISABLE_FD_PASSING" ${BUILDDIR}/config.h >/dev/null 2>&1
+then
+ echo "skipped (not supported on this platform)"
+ exit 0
+fi
+
+DATA=/bin/ls${EXEEXT}
+COPY=$OBJ/ls.copy
+LOG=$TEST_SSH_LOGFILE
+
+start_sshd
+
+trace "start master, fork to background"
+${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost &
+MASTER_PID=$!
+
+# Wait for master to start and authenticate
+sleep 5
+
+verbose "test $tid: envpass"
+trace "env passing over multiplexed connection"
+_XXX_TEST=blah ${SSH} -oSendEnv="_XXX_TEST" -S$CTL otherhost sh << 'EOF'
+ test X"$_XXX_TEST" = X"blah"
+EOF
+if [ $? -ne 0 ]; then
+ fail "environment not found"
+fi
+
+verbose "test $tid: transfer"
+rm -f ${COPY}
+trace "ssh transfer over multiplexed connection and check result"
+${SSH} -S$CTL otherhost cat ${DATA} > ${COPY}
+test -f ${COPY} || fail "ssh -Sctl: failed copy ${DATA}"
+cmp ${DATA} ${COPY} || fail "ssh -Sctl: corrupted copy of ${DATA}"
+
+rm -f ${COPY}
+trace "ssh transfer over multiplexed connection and check result"
+${SSH} -S $CTL otherhost cat ${DATA} > ${COPY}
+test -f ${COPY} || fail "ssh -S ctl: failed copy ${DATA}"
+cmp ${DATA} ${COPY} || fail "ssh -S ctl: corrupted copy of ${DATA}"
+
+rm -f ${COPY}
+trace "sftp transfer over multiplexed connection and check result"
+echo "get ${DATA} ${COPY}" | \
+ ${SFTP} -S ${SSH} -oControlPath=$CTL otherhost >$LOG 2>&1
+test -f ${COPY} || fail "sftp: failed copy ${DATA}"
+cmp ${DATA} ${COPY} || fail "sftp: corrupted copy of ${DATA}"
+
+rm -f ${COPY}
+trace "scp transfer over multiplexed connection and check result"
+${SCP} -S ${SSH} -oControlPath=$CTL otherhost:${DATA} ${COPY} >$LOG 2>&1
+test -f ${COPY} || fail "scp: failed copy ${DATA}"
+cmp ${DATA} ${COPY} || fail "scp: corrupted copy of ${DATA}"
+
+rm -f ${COPY}
+
+for s in 0 1 4 5 44; do
+ trace "exit status $s over multiplexed connection"
+ verbose "test $tid: status $s"
+ ${SSH} -S $CTL otherhost exit $s
+ r=$?
+ if [ $r -ne $s ]; then
+ fail "exit code mismatch for protocol $p: $r != $s"
+ fi
+
+ # same with early close of stdout/err
+ trace "exit status $s with early close over multiplexed connection"
+ ${SSH} -S $CTL -n otherhost \
+ exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
+ r=$?
+ if [ $r -ne $s ]; then
+ fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
+ fi
+done
+
+trace "test check command"
+${SSH} -S $CTL -Ocheck otherhost || fail "check command failed"
+
+trace "test exit command"
+${SSH} -S $CTL -Oexit otherhost || fail "send exit command failed"
+
+# Wait for master to exit
+sleep 2
+
+kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed"
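Review bot: `CTL=/tmp/openssh.regress.ctl-sock.$$` places the control socket at a predictable name in a world-writable directory, so another local user can pre-create the path and break the run, and the socket is not removed at the end; a path under the test's own directory such as `CTL=$OBJ/ctl-sock` avoids both, subject to the platform's socket path length limit. The two `fail "exit code ... mismatch for protocol $p: $r != $s"` messages in the status loop expand `$p`, which this script never sets; they look copied from exit-status.sh and should drop the protocol part. If `-Oexit` fails, the backgrounded master is left running, so a final `kill $MASTER_PID 2>/dev/null` would be a sensible cleanup.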
diff --git a/crypto/openssh/regress/proto-mismatch.sh b/crypto/openssh/regress/proto-mismatch.sh
new file mode 100644
index 0000000..fb521f2
--- /dev/null
+++ b/crypto/openssh/regress/proto-mismatch.sh
@@ -0,0 +1,19 @@
+# $OpenBSD: proto-mismatch.sh,v 1.3 2002/03/15 13:08:56 markus Exp $
+# Placed in the Public Domain.
+
+tid="protocol version mismatch"
+
+mismatch ()
+{
+ server=$1
+ client=$2
+ banner=`echo ${client} | ${SSHD} -o "Protocol=${server}" -i -f ${OBJ}/sshd_proxy`
+ r=$?
+ trace "sshd prints ${banner}"
+ if [ $r -ne 255 ]; then
+ fail "sshd prints ${banner} and accepts connect with version ${client}"
+ fi
+}
+
+mismatch 2 SSH-1.5-HALLO
+mismatch 1 SSH-2.0-HALLO
diff --git a/crypto/openssh/regress/proto-version.sh b/crypto/openssh/regress/proto-version.sh
new file mode 100644
index 0000000..1651a69
--- /dev/null
+++ b/crypto/openssh/regress/proto-version.sh
@@ -0,0 +1,34 @@
+# $OpenBSD: proto-version.sh,v 1.3 2002/03/15 13:08:56 markus Exp $
+# Placed in the Public Domain.
+
+tid="sshd version with different protocol combinations"
+
+# we just start sshd in inetd mode and check the banner
+check_version ()
+{
+ version=$1
+ expect=$2
+ banner=`echon | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy`
+ case ${banner} in
+ SSH-1.99-*)
+ proto=199
+ ;;
+ SSH-2.0-*)
+ proto=20
+ ;;
+ SSH-1.5-*)
+ proto=15
+ ;;
+ *)
+ proto=0
+ ;;
+ esac
+ if [ ${expect} -ne ${proto} ]; then
+ fail "wrong protocol version ${banner} for ${version}"
+ fi
+}
+
+check_version 2,1 199
+check_version 1,2 199
+check_version 2 20
+check_version 1 15
diff --git a/crypto/openssh/regress/proxy-connect.sh b/crypto/openssh/regress/proxy-connect.sh
new file mode 100644
index 0000000..6a36b25
--- /dev/null
+++ b/crypto/openssh/regress/proxy-connect.sh
@@ -0,0 +1,18 @@
+# $OpenBSD: proxy-connect.sh,v 1.5 2002/12/09 15:28:46 markus Exp $
+# Placed in the Public Domain.
+
+tid="proxy connect"
+
+for p in 1 2; do
+ ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
+ if [ $? -ne 0 ]; then
+ fail "ssh proxyconnect protocol $p failed"
+ fi
+ SSH_CONNECTION=`${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 'echo $SSH_CONNECTION'`
+ if [ $? -ne 0 ]; then
+ fail "ssh proxyconnect protocol $p failed"
+ fi
+ if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
+ fail "bad SSH_CONNECTION"
+ fi
+done
diff --git a/crypto/openssh/regress/reconfigure.sh b/crypto/openssh/regress/reconfigure.sh
new file mode 100644
index 0000000..1daf29f
--- /dev/null
+++ b/crypto/openssh/regress/reconfigure.sh
@@ -0,0 +1,36 @@
+# $OpenBSD: reconfigure.sh,v 1.2 2003/06/21 09:14:05 markus Exp $
+# Placed in the Public Domain.
+
+tid="simple connect after reconfigure"
+
+# we need the full path to sshd for -HUP
+case $SSHD in
+/*)
+ # full path is OK
+ ;;
+*)
+ # otherwise make fully qualified
+ SSHD=$OBJ/$SSHD
+esac
+
+start_sshd
+
+PID=`cat $PIDFILE`
+rm -f $PIDFILE
+$SUDO kill -HUP $PID
+
+trace "wait for sshd to restart"
+i=0;
+while [ ! -f $PIDFILE -a $i -lt 10 ]; do
+ i=`expr $i + 1`
+ sleep $i
+done
+
+test -f $PIDFILE || fatal "sshd did not restart"
+
+for p in 1 2; do
+ ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
+ if [ $? -ne 0 ]; then
+ fail "ssh connect with protocol $p failed after reconfigure"
+ fi
+done
diff --git a/crypto/openssh/regress/reexec.sh b/crypto/openssh/regress/reexec.sh
new file mode 100644
index 0000000..4f824a3
--- /dev/null
+++ b/crypto/openssh/regress/reexec.sh
@@ -0,0 +1,72 @@
+# $OpenBSD: reexec.sh,v 1.5 2004/10/08 02:01:50 djm Exp $
+# Placed in the Public Domain.
+
+tid="reexec tests"
+
+DATA=/bin/ls${EXEEXT}
+COPY=${OBJ}/copy
+SSHD_ORIG=$SSHD${EXEEXT}
+SSHD_COPY=$OBJ/sshd${EXEEXT}
+
+# Start a sshd and then delete it
+start_sshd_copy ()
+{
+ cp $SSHD_ORIG $SSHD_COPY
+ SSHD=$SSHD_COPY
+ start_sshd
+ SSHD=$SSHD_ORIG
+}
+
+# Do basic copy tests
+copy_tests ()
+{
+ rm -f ${COPY}
+ for p in 1 2; do
+ verbose "$tid: proto $p"
+ ${SSH} -nqo "Protocol=$p" -F $OBJ/ssh_config somehost \
+ cat ${DATA} > ${COPY}
+ if [ $? -ne 0 ]; then
+ fail "ssh cat $DATA failed"
+ fi
+ cmp ${DATA} ${COPY} || fail "corrupted copy"
+ rm -f ${COPY}
+ done
+}
+
+verbose "test config passing"
+
+cp $OBJ/sshd_config $OBJ/sshd_config.orig
+start_sshd
+echo "InvalidXXX=no" >> $OBJ/sshd_config
+
+copy_tests
+
+$SUDO kill `cat $PIDFILE`
+rm -f $PIDFILE
+
+cp $OBJ/sshd_config.orig $OBJ/sshd_config
+
+verbose "test reexec fallback"
+
+start_sshd_copy
+rm -f $SSHD_COPY
+
+copy_tests
+
+$SUDO kill `cat $PIDFILE`
+rm -f $PIDFILE
+
+verbose "test reexec fallback without privsep"
+
+cp $OBJ/sshd_config.orig $OBJ/sshd_config
+echo "UsePrivilegeSeparation=no" >> $OBJ/sshd_config
+
+start_sshd_copy
+rm -f $SSHD_COPY
+
+copy_tests
+
+$SUDO kill `cat $PIDFILE`
+rm -f $PIDFILE
+
+
diff --git a/crypto/openssh/regress/rekey.sh b/crypto/openssh/regress/rekey.sh
new file mode 100644
index 0000000..3c5f266
--- /dev/null
+++ b/crypto/openssh/regress/rekey.sh
@@ -0,0 +1,32 @@
+# $OpenBSD: rekey.sh,v 1.1 2003/03/28 13:58:28 markus Exp $
+# Placed in the Public Domain.
+
+tid="rekey during transfer data"
+
+DATA=${OBJ}/data
+COPY=${OBJ}/copy
+LOG=${OBJ}/log
+
+rm -f ${COPY} ${LOG} ${DATA}
+touch ${DATA}
+dd if=/bin/ls${EXEEXT} of=${DATA} bs=1k seek=511 count=1 > /dev/null 2>&1
+
+for s in 16 1k 128k 256k; do
+ trace "rekeylimit ${s}"
+ rm -f ${COPY}
+ cat $DATA | \
+ ${SSH} -oCompression=no -oRekeyLimit=$s \
+ -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" \
+ 2> ${LOG}
+ if [ $? -ne 0 ]; then
+ fail "ssh failed"
+ fi
+ cmp $DATA ${COPY} || fail "corrupted copy"
+ n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
+ n=`expr $n - 1`
+ trace "$n rekeying(s)"
+ if [ $n -lt 1 ]; then
+ fail "no rekeying occured"
+ fi
+done
+rm -f ${COPY} ${LOG} ${DATA}
diff --git a/crypto/openssh/regress/rsa_openssh.prv b/crypto/openssh/regress/rsa_openssh.prv
new file mode 100644
index 0000000..2675555
--- /dev/null
+++ b/crypto/openssh/regress/rsa_openssh.prv
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/crypto/openssh/regress/rsa_openssh.pub b/crypto/openssh/regress/rsa_openssh.pub
new file mode 100644
index 0000000..b504730
--- /dev/null
+++ b/crypto/openssh/regress/rsa_openssh.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko+dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX87xKR0YzlXTLX+SLtF/ySebS3xWPrlfRUDhh03hR5V+8xxvvy9widPYKw/oItwGSueOsEq1LTczCDv2dAjQ==
diff --git a/crypto/openssh/regress/rsa_ssh2.prv b/crypto/openssh/regress/rsa_ssh2.prv
new file mode 100644
index 0000000..1ece3d7
--- /dev/null
+++ b/crypto/openssh/regress/rsa_ssh2.prv
@@ -0,0 +1,16 @@
+---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----
+Subject: ssh-keygen test
+Comment: "1024-bit rsa, Sat Jun 23 2001 12:21:26 -0400"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+---- END SSH2 ENCRYPTED PRIVATE KEY ----
+---
diff --git a/crypto/openssh/regress/runtests.sh b/crypto/openssh/regress/runtests.sh
new file mode 100755
index 0000000..9808eb8
--- /dev/null
+++ b/crypto/openssh/regress/runtests.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+TEST_SSH_SSH=../ssh
+TEST_SSH_SSHD=../sshd
+TEST_SSH_SSHAGENT=../ssh-agent
+TEST_SSH_SSHADD=../ssh-add
+TEST_SSH_SSHKEYGEN=../ssh-keygen
+TEST_SSH_SSHKEYSCAN=../ssh-keyscan
+TEST_SSH_SFTP=../sftp
+TEST_SSH_SFTPSERVER=../sftp-server
+
+pmake
+
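Review bot: The `TEST_SSH_*` assignments are never exported, so `pmake` and the scripts it runs will not see them unless the variables were already in the caller's environment. Add `export TEST_SSH_SSH TEST_SSH_SSHD TEST_SSH_SSHAGENT TEST_SSH_SSHADD TEST_SSH_SSHKEYGEN TEST_SSH_SSHKEYSCAN TEST_SSH_SFTP TEST_SSH_SFTPSERVER` before the `pmake` line. The values are relative (`../ssh` and so on), so they resolve only if every consumer runs from this directory; absolute paths built from the current directory would be more robust.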
diff --git a/crypto/openssh/regress/scp-ssh-wrapper.sh b/crypto/openssh/regress/scp-ssh-wrapper.sh
new file mode 100644
index 0000000..d1005a9
--- /dev/null
+++ b/crypto/openssh/regress/scp-ssh-wrapper.sh
@@ -0,0 +1,57 @@
+#!/bin/sh
+# $OpenBSD: scp-ssh-wrapper.sh,v 1.2 2005/12/14 04:36:39 dtucker Exp $
+# Placed in the Public Domain.
+
+printname () {
+ NAME=$1
+ save_IFS=$IFS
+ IFS=/
+ set -- `echo "$NAME"`
+ IFS="$save_IFS"
+ while [ $# -ge 1 ] ; do
+ if [ "x$1" != "x" ]; then
+ echo "D0755 0 $1"
+ fi
+ shift;
+ done
+}
+
+# Discard all but last argument. We use arg later.
+while test "$1" != ""; do
+ arg="$1"
+ shift
+done
+
+BAD="../../../../../../../../../../../../../${DIR}/dotpathdir"
+
+case "$SCPTESTMODE" in
+badserver_0)
+ echo "D0755 0 /${DIR}/rootpathdir"
+ echo "C755 2 rootpathfile"
+ echo "X"
+ ;;
+badserver_1)
+ echo "D0755 0 $BAD"
+ echo "C755 2 file"
+ echo "X"
+ ;;
+badserver_2)
+ echo "D0755 0 $BAD"
+ echo "C755 2 file"
+ echo "X"
+ ;;
+badserver_3)
+ printname $BAD
+ echo "C755 2 file"
+ echo "X"
+ ;;
+badserver_4)
+ printname $BAD
+ echo "D0755 0 .."
+ echo "C755 2 file"
+ echo "X"
+ ;;
+*)
+ exec $arg
+ ;;
+esac
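Review bot: The `badserver_1` and `badserver_2` branches emit identical responses, so the loop over modes 0 to 4 in scp.sh exercises four distinct cases rather than five; one of the two should be differentiated or dropped. The file has no header comment explaining its role, and one would help readers of the scp tests: `# Stand-in for ssh used by scp.sh: for SCPTESTMODE=badserver_N it prints a canned, malformed server response; otherwise it runs the requested command locally.` The `printname` helper would benefit from a one-line comment saying that it prints one `D0755` directory record per path component of its argument.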
diff --git a/crypto/openssh/regress/scp.sh b/crypto/openssh/regress/scp.sh
new file mode 100644
index 0000000..c5d412d
--- /dev/null
+++ b/crypto/openssh/regress/scp.sh
@@ -0,0 +1,127 @@
+# $OpenBSD: scp.sh,v 1.7 2006/01/31 10:36:33 djm Exp $
+# Placed in the Public Domain.
+
+tid="scp"
+
+#set -x
+
+# Figure out if diff understands "-N"
+if diff -N ${SRC}/scp.sh ${SRC}/scp.sh 2>/dev/null; then
+ DIFFOPT="-rN"
+else
+ DIFFOPT="-r"
+fi
+
+DATA=/bin/ls${EXEEXT}
+COPY=${OBJ}/copy
+COPY2=${OBJ}/copy2
+DIR=${COPY}.dd
+DIR2=${COPY}.dd2
+
+SRC=`dirname ${SCRIPT}`
+cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
+chmod 755 ${OBJ}/scp-ssh-wrapper.scp
+scpopts="-q -S ${OBJ}/scp-ssh-wrapper.scp"
+
+scpclean() {
+ rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2}
+ mkdir ${DIR} ${DIR2}
+}
+
+verbose "$tid: simple copy local file to local file"
+scpclean
+$SCP $scpopts ${DATA} ${COPY} || fail "copy failed"
+cmp ${DATA} ${COPY} || fail "corrupted copy"
+
+verbose "$tid: simple copy local file to remote file"
+scpclean
+$SCP $scpopts ${DATA} somehost:${COPY} || fail "copy failed"
+cmp ${DATA} ${COPY} || fail "corrupted copy"
+
+verbose "$tid: simple copy remote file to local file"
+scpclean
+$SCP $scpopts somehost:${DATA} ${COPY} || fail "copy failed"
+cmp ${DATA} ${COPY} || fail "corrupted copy"
+
+verbose "$tid: simple copy local file to remote dir"
+scpclean
+cp ${DATA} ${COPY}
+$SCP $scpopts ${COPY} somehost:${DIR} || fail "copy failed"
+cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
+
+verbose "$tid: simple copy local file to local dir"
+scpclean
+cp ${DATA} ${COPY}
+$SCP $scpopts ${COPY} ${DIR} || fail "copy failed"
+cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
+
+verbose "$tid: simple copy remote file to local dir"
+scpclean
+cp ${DATA} ${COPY}
+$SCP $scpopts somehost:${COPY} ${DIR} || fail "copy failed"
+cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
+
+verbose "$tid: recursive local dir to remote dir"
+scpclean
+rm -rf ${DIR2}
+cp ${DATA} ${DIR}/copy
+$SCP $scpopts -r ${DIR} somehost:${DIR2} || fail "copy failed"
+diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
+
+verbose "$tid: recursive local dir to local dir"
+scpclean
+rm -rf ${DIR2}
+cp ${DATA} ${DIR}/copy
+$SCP $scpopts -r ${DIR} ${DIR2} || fail "copy failed"
+diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
+
+verbose "$tid: recursive remote dir to local dir"
+scpclean
+rm -rf ${DIR2}
+cp ${DATA} ${DIR}/copy
+$SCP $scpopts -r somehost:${DIR} ${DIR2} || fail "copy failed"
+diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
+
+verbose "$tid: shell metacharacters"
+scpclean
+(cd ${DIR} && \
+touch '`touch metachartest`' && \
+$SCP $scpopts *metachar* ${DIR2} 2>/dev/null; \
+[ ! -f metachartest ] ) || fail "shell metacharacters"
+
+if [ ! -z "$SUDO" ]; then
+ verbose "$tid: skipped file after scp -p with failed chown+utimes"
+ scpclean
+ cp -p ${DATA} ${DIR}/copy
+ cp -p ${DATA} ${DIR}/copy2
+ cp ${DATA} ${DIR2}/copy
+ chmod 660 ${DIR2}/copy
+ $SUDO chown root ${DIR2}/copy
+ $SCP -p $scpopts somehost:${DIR}/\* ${DIR2} >/dev/null 2>&1
+ $SUDO diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
+ $SUDO rm ${DIR2}/copy
+fi
+
+for i in 0 1 2 3 4; do
+ verbose "$tid: disallow bad server #$i"
+ SCPTESTMODE=badserver_$i
+ export DIR SCPTESTMODE
+ scpclean
+ $SCP $scpopts somehost:${DATA} ${DIR} >/dev/null 2>/dev/null
+ [ -d {$DIR}/rootpathdir ] && fail "allows dir relative to root dir"
+ [ -d ${DIR}/dotpathdir ] && fail "allows dir creation in non-recursive mode"
+
+ scpclean
+ $SCP -r $scpopts somehost:${DATA} ${DIR2} >/dev/null 2>/dev/null
+ [ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir"
+done
+
+verbose "$tid: detect non-directory target"
+scpclean
+echo a > ${COPY}
+echo b > ${COPY2}
+$SCP $scpopts ${DATA} ${COPY} ${COPY2}
+cmp ${COPY} ${COPY2} >/dev/null && fail "corrupt target"
+
+scpclean
+rm -f ${OBJ}/scp-ssh-wrapper.scp
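Review bot: `[ -d {$DIR}/rootpathdir ]` in the bad-server loop has the brace outside the `$`, so it tests a path that starts with a literal `{` and the `"allows dir relative to root dir"` failure can never fire; it should be `[ -d ${DIR}/rootpathdir ]`. As written, the check that guards against a server-chosen absolute path is silently disabled. Separately, the `diff -N ${SRC}/scp.sh ${SRC}/scp.sh` probe at the top runs before the `SRC=` assignment further down, so unless `SRC` is inherited from the environment it probes `/scp.sh` and always selects `DIFFOPT="-r"`; moving the `SRC=` line above the probe fixes that.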
diff --git a/crypto/openssh/regress/sftp-badcmds.sh b/crypto/openssh/regress/sftp-badcmds.sh
new file mode 100644
index 0000000..eac189a
--- /dev/null
+++ b/crypto/openssh/regress/sftp-badcmds.sh
@@ -0,0 +1,78 @@
+# $OpenBSD: sftp-badcmds.sh,v 1.2 2003/05/15 04:07:12 mouring Exp $
+# Placed in the Public Domain.
+
+tid="sftp invalid commands"
+
+DATA=/bin/ls${EXEEXT}
+DATA2=/bin/sh${EXEEXT}
+NONEXIST=/NONEXIST.$$
+COPY=${OBJ}/copy
+GLOBFILES=`(cd /bin;echo l*)`
+
+rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd
+
+rm -f ${COPY}
+verbose "$tid: get nonexistent"
+echo "get $NONEXIST $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "get nonexistent failed"
+test -f ${COPY} && fail "existing copy after get nonexistent"
+
+rm -f ${COPY}.dd/*
+verbose "$tid: glob get to nonexistent directory"
+echo "get /bin/l* $NONEXIST" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "get nonexistent failed"
+for x in $GLOBFILES; do
+ test -f ${COPY}.dd/$x && fail "existing copy after get nonexistent"
+done
+
+rm -f ${COPY}
+verbose "$tid: put nonexistent"
+echo "put $NONEXIST $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "put nonexistent failed"
+test -f ${COPY} && fail "existing copy after put nonexistent"
+
+rm -f ${COPY}.dd/*
+verbose "$tid: glob put to nonexistent directory"
+echo "put /bin/l* ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "put nonexistent failed"
+for x in $GLOBFILES; do
+ test -f ${COPY}.dd/$x && fail "existing copy after nonexistent"
+done
+
+rm -f ${COPY}
+verbose "$tid: rename nonexistent"
+echo "rename $NONEXIST ${COPY}.1" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "rename nonexist failed"
+test -f ${COPY}.1 && fail "file exists after rename nonexistent"
+
+rm -f ${COPY} ${COPY}.1
+cp $DATA $COPY
+cp $DATA2 ${COPY}.1
+verbose "$tid: rename target exists"
+echo "rename $COPY ${COPY}.1" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "rename target exists failed"
+test -f ${COPY} || fail "oldname missing after rename target exists"
+test -f ${COPY}.1 || fail "newname missing after rename target exists"
+cmp $DATA ${COPY} >/dev/null 2>&1 || fail "corrupted oldname after rename target exists"
+cmp $DATA2 ${COPY}.1 >/dev/null 2>&1 || fail "corrupted newname after rename target exists"
+
+rm -rf ${COPY} ${COPY}.dd
+cp $DATA $COPY
+mkdir ${COPY}.dd
+verbose "$tid: rename target exists (directory)"
+echo "rename $COPY ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "rename target exists (directory) failed"
+test -f ${COPY} || fail "oldname missing after rename target exists (directory)"
+test -d ${COPY}.dd || fail "newname missing after rename target exists (directory)"
+cmp $DATA ${COPY} >/dev/null 2>&1 || fail "corrupted oldname after rename target exists (directory)"
+
+rm -f ${COPY}.dd/*
+rm -rf ${COPY}
+cp ${DATA2} ${COPY}
+verbose "$tid: glob put files to local file"
+echo "put /bin/l* $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1
+cmp ${DATA2} ${COPY} || fail "put successed when it should have failed"
+
+rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd
+
+
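Review bot: The "glob get to nonexistent directory" case sends `get /bin/l* $NONEXIST` but then looks for the files under `${COPY}.dd/`, which is not the requested target, so anything written to `$NONEXIST` would go unnoticed; the loop should test `$NONEXIST/$x`, or simply `test -d $NONEXIST && fail "directory created by glob get"`. The glob cases reuse the messages of the non-glob cases (`"get nonexistent failed"`, `"put nonexistent failed"`), which makes a failure hard to attribute; distinct text such as `"glob get to nonexistent directory failed"` would help. `$NONEXIST` is a fixed name directly under `/`, so the script assumes that path is absent and stays absent for the duration of the run.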
diff --git a/crypto/openssh/regress/sftp-batch.sh b/crypto/openssh/regress/sftp-batch.sh
new file mode 100644
index 0000000..365c47c
--- /dev/null
+++ b/crypto/openssh/regress/sftp-batch.sh
@@ -0,0 +1,57 @@
+# $OpenBSD: sftp-batch.sh,v 1.3 2004/01/13 09:49:06 djm Exp $
+# Placed in the Public Domain.
+
+tid="sftp batchfile"
+
+DATA=/bin/ls${EXEEXT}
+COPY=${OBJ}/copy
+BATCH=${OBJ}/sftp.bb
+
+rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.*
+
+cat << EOF > ${BATCH}.pass.1
+ get $DATA $COPY
+ put ${COPY} ${COPY}.1
+ rm ${COPY}
+ -put ${COPY} ${COPY}.2
+EOF
+
+cat << EOF > ${BATCH}.pass.2
+ # This is a comment
+
+ # That was a blank line
+ ls
+EOF
+
+cat << EOF > ${BATCH}.fail.1
+ get $DATA $COPY
+ put ${COPY} ${COPY}.3
+ rm ${COPY}.*
+ # The next command should fail
+ put ${COPY}.3 ${COPY}.4
+EOF
+
+cat << EOF > ${BATCH}.fail.2
+ # The next command should fail
+ jajajajaja
+EOF
+
+verbose "$tid: good commands"
+${SFTP} -b ${BATCH}.pass.1 -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "good commands failed"
+
+verbose "$tid: bad commands"
+${SFTP} -b ${BATCH}.fail.1 -P ${SFTPSERVER} >/dev/null 2>&1 \
+ && fail "bad commands succeeded"
+
+verbose "$tid: comments and blanks"
+${SFTP} -b ${BATCH}.pass.2 -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "comments & blanks failed"
+
+verbose "$tid: junk command"
+${SFTP} -b ${BATCH}.fail.2 -P ${SFTPSERVER} >/dev/null 2>&1 \
+ && fail "junk command succeeded"
+
+rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${BATCH}.*
+
+
diff --git a/crypto/openssh/regress/sftp-cmds.sh b/crypto/openssh/regress/sftp-cmds.sh
new file mode 100644
index 0000000..31b21d1
--- /dev/null
+++ b/crypto/openssh/regress/sftp-cmds.sh
@@ -0,0 +1,211 @@
+# $OpenBSD: sftp-cmds.sh,v 1.6 2003/10/07 07:04:52 djm Exp $
+# Placed in the Public Domain.
+
+# XXX - TODO:
+# - chmod / chown / chgrp
+# - -p flag for get & put
+
+tid="sftp commands"
+
+DATA=/bin/ls${EXEEXT}
+COPY=${OBJ}/copy
+# test that these files are readable!
+for i in `(cd /bin;echo l*)`
+do
+ if [ -r $i ]; then
+ GLOBFILES="$GLOBFILES $i"
+ fi
+done
+
+if have_prog uname
+then
+ case `uname` in
+ CYGWIN*)
+ os=cygwin
+ ;;
+ *)
+ os=`uname`
+ ;;
+ esac
+else
+ os="unknown"
+fi
+
+# Path with embedded quote
+QUOTECOPY=${COPY}".\"blah\""
+QUOTECOPY_ARG=${COPY}'.\"blah\"'
+
+rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2
+mkdir ${COPY}.dd
+
+verbose "$tid: lls"
+echo "lls ${OBJ}" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "lls failed"
+# XXX always successful
+
+verbose "$tid: ls"
+echo "ls ${OBJ}" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "ls failed"
+# XXX always successful
+
+verbose "$tid: shell"
+echo "!echo hi there" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "shell failed"
+# XXX always successful
+
+verbose "$tid: pwd"
+echo "pwd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "pwd failed"
+# XXX always successful
+
+verbose "$tid: lpwd"
+echo "lpwd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "lpwd failed"
+# XXX always successful
+
+verbose "$tid: quit"
+echo "quit" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "quit failed"
+# XXX always successful
+
+verbose "$tid: help"
+echo "help" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "help failed"
+# XXX always successful
+
+rm -f ${COPY}
+verbose "$tid: get"
+echo "get $DATA $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "get failed"
+cmp $DATA ${COPY} || fail "corrupted copy after get"
+
+rm -f ${COPY}
+verbose "$tid: get quoted"
+echo "get \"$DATA\" $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "get failed"
+cmp $DATA ${COPY} || fail "corrupted copy after get"
+
+if [ "$os" != "cygwin" ]; then
+rm -f ${QUOTECOPY}
+cp $DATA ${QUOTECOPY}
+verbose "$tid: get filename with quotes"
+echo "get \"$QUOTECOPY_ARG\" ${COPY}" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "put failed"
+cmp ${COPY} ${QUOTECOPY} || fail "corrupted copy after get with quotes"
+rm -f ${QUOTECOPY} ${COPY}
+fi
+
+rm -f ${COPY}.dd/*
+verbose "$tid: get to directory"
+echo "get $DATA ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "get failed"
+cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get"
+
+rm -f ${COPY}.dd/*
+verbose "$tid: glob get to directory"
+echo "get /bin/l* ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "get failed"
+for x in $GLOBFILES; do
+ cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after get"
+done
+
+rm -f ${COPY}.dd/*
+verbose "$tid: get to local dir"
+(echo "lcd ${COPY}.dd"; echo "get $DATA" ) | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "get failed"
+cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after get"
+
+rm -f ${COPY}.dd/*
+verbose "$tid: glob get to local dir"
+(echo "lcd ${COPY}.dd"; echo "get /bin/l*") | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "get failed"
+for x in $GLOBFILES; do
+ cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after get"
+done
+
+rm -f ${COPY}
+verbose "$tid: put"
+echo "put $DATA $COPY" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "put failed"
+cmp $DATA ${COPY} || fail "corrupted copy after put"
+
+if [ "$os" != "cygwin" ]; then
+rm -f ${QUOTECOPY}
+verbose "$tid: put filename with quotes"
+echo "put $DATA \"$QUOTECOPY_ARG\"" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "put failed"
+cmp $DATA ${QUOTECOPY} || fail "corrupted copy after put with quotes"
+fi
+
+rm -f ${COPY}.dd/*
+verbose "$tid: put to directory"
+echo "put $DATA ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "put failed"
+cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put"
+
+rm -f ${COPY}.dd/*
+verbose "$tid: glob put to directory"
+echo "put /bin/l* ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "put failed"
+for x in $GLOBFILES; do
+ cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after put"
+done
+
+rm -f ${COPY}.dd/*
+verbose "$tid: put to local dir"
+(echo "cd ${COPY}.dd"; echo "put $DATA") | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "put failed"
+cmp $DATA ${COPY}.dd/`basename $DATA` || fail "corrupted copy after put"
+
+rm -f ${COPY}.dd/*
+verbose "$tid: glob put to local dir"
+(echo "cd ${COPY}.dd"; echo "put /bin/l*") | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "put failed"
+for x in $GLOBFILES; do
+ cmp /bin/$x ${COPY}.dd/$x || fail "corrupted copy after put"
+done
+
+verbose "$tid: rename"
+echo "rename $COPY ${COPY}.1" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "rename failed"
+test -f ${COPY}.1 || fail "missing file after rename"
+cmp $DATA ${COPY}.1 >/dev/null 2>&1 || fail "corrupted copy after rename"
+
+verbose "$tid: rename directory"
+echo "rename ${COPY}.dd ${COPY}.dd2" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "rename directory failed"
+test -d ${COPY}.dd && fail "oldname exists after rename directory"
+test -d ${COPY}.dd2 || fail "missing newname after rename directory"
+
+verbose "$tid: ln"
+echo "ln ${COPY}.1 ${COPY}.2" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 || fail "ln failed"
+test -h ${COPY}.2 || fail "missing file after ln"
+
+verbose "$tid: mkdir"
+echo "mkdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "mkdir failed"
+test -d ${COPY}.dd || fail "missing directory after mkdir"
+
+# XXX do more here
+verbose "$tid: chdir"
+echo "chdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "chdir failed"
+
+verbose "$tid: rmdir"
+echo "rmdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "rmdir failed"
+test -d ${COPY}.1 && fail "present directory after rmdir"
+
+verbose "$tid: lmkdir"
+echo "lmkdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "lmkdir failed"
+test -d ${COPY}.dd || fail "missing directory after lmkdir"
+
+# XXX do more here
+verbose "$tid: lchdir"
+echo "lchdir ${COPY}.dd" | ${SFTP} -P ${SFTPSERVER} >/dev/null 2>&1 \
+ || fail "lchdir failed"
+
+rm -rf ${COPY} ${COPY}.1 ${COPY}.2 ${COPY}.dd ${COPY}.dd2
+
+
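Review bot: The rmdir check tests the wrong path: after `rmdir ${COPY}.dd` it runs `test -d ${COPY}.1 && fail "present directory after rmdir"`, and `${COPY}.1` is the regular file produced by the rename case, so the check cannot fail; it should be `test -d ${COPY}.dd && fail "present directory after rmdir"`. The readability filter at the top runs `[ -r $i ]` on bare names listed from `/bin`, relative to the current directory, so `GLOBFILES` is probably empty and the glob `cmp` loops compare nothing; `[ -r /bin/$i ]` is what the comment above it describes. The "get filename with quotes" case reports `"put failed"` on a failed get.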
diff --git a/crypto/openssh/regress/sftp-glob.sh b/crypto/openssh/regress/sftp-glob.sh
new file mode 100644
index 0000000..e238356
--- /dev/null
+++ b/crypto/openssh/regress/sftp-glob.sh
@@ -0,0 +1,28 @@
+# $OpenBSD: sftp-glob.sh,v 1.1 2004/12/10 01:31:30 fgsch Exp $
+# Placed in the Public Domain.
+
+tid="sftp glob"
+
+BASE=${OBJ}/glob
+DIR=${BASE}/dir
+DATA=${DIR}/file
+
+rm -rf ${BASE}
+mkdir -p ${DIR}
+touch ${DATA}
+
+verbose "$tid: ls file"
+echo "ls -l ${DIR}/fil*" | ${SFTP} -P ${SFTPSERVER} 2>/dev/null | \
+ grep ${DATA} >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+ fail "globbed ls file failed"
+fi
+
+verbose "$tid: ls dir"
+echo "ls -l ${BASE}/d*" | ${SFTP} -P ${SFTPSERVER} 2>/dev/null | \
+ grep file >/dev/null 2>&1
+if [ $? -ne 0 ]; then
+ fail "globbed ls dir failed"
+fi
+
+rm -rf ${BASE}
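Review bot: The "ls dir" check pipes the listing through `grep file`, which succeeds on any output line containing that substring, so it does not really show that the glob `${BASE}/d*` resolved to `dir` and listed its contents. If the listing prints one entry per line, anchoring the match is tighter: `grep 'file$' >/dev/null 2>&1`. In the "ls file" check, `grep ${DATA}` is unquoted and treats the path as a regular expression; `grep "${DATA}"` at least survives an `$OBJ` containing whitespace.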
diff --git a/crypto/openssh/regress/sftp.sh b/crypto/openssh/regress/sftp.sh
new file mode 100644
index 0000000..0e22f8f
--- /dev/null
+++ b/crypto/openssh/regress/sftp.sh
@@ -0,0 +1,35 @@
+# $OpenBSD: sftp.sh,v 1.2 2002/03/27 22:39:52 markus Exp $
+# Placed in the Public Domain.
+
+tid="basic sftp put/get"
+
+DATA=/bin/ls${EXEEXT}
+COPY=${OBJ}/copy
+
+SFTPCMDFILE=${OBJ}/batch
+cat >$SFTPCMDFILE <<EOF
+version
+get $DATA ${COPY}.1
+put $DATA ${COPY}.2
+EOF
+
+BUFFERSIZE="5 1000 32000 64000"
+REQUESTS="1 2 10"
+
+for B in ${BUFFERSIZE}; do
+ for R in ${REQUESTS}; do
+ verbose "test $tid: buffer_size $B num_requests $R"
+ rm -f ${COPY}.1 ${COPY}.2
+ ${SFTP} -P ${SFTPSERVER} -B $B -R $R -b $SFTPCMDFILE \
+ > /dev/null 2>&1
+ r=$?
+ if [ $r -ne 0 ]; then
+ fail "sftp failed with $r"
+ else
+ cmp $DATA ${COPY}.1 || fail "corrupted copy after get"
+ cmp $DATA ${COPY}.2 || fail "corrupted copy after put"
+ fi
+ done
+done
+rm -f ${COPY}.1 ${COPY}.2
+rm -f $SFTPCMDFILE
diff --git a/crypto/openssh/regress/ssh-com-client.sh b/crypto/openssh/regress/ssh-com-client.sh
new file mode 100644
index 0000000..324a0a7
--- /dev/null
+++ b/crypto/openssh/regress/ssh-com-client.sh
@@ -0,0 +1,134 @@
+# $OpenBSD: ssh-com-client.sh,v 1.6 2004/02/24 17:06:52 markus Exp $
+# Placed in the Public Domain.
+
+tid="connect with ssh.com client"
+
+#TEST_COMBASE=/path/to/ssh/com/binaries
+if [ "X${TEST_COMBASE}" = "X" ]; then
+ fatal '$TEST_COMBASE is not set'
+fi
+
+VERSIONS="
+ 2.1.0
+ 2.2.0
+ 2.3.0
+ 2.3.1
+ 2.4.0
+ 3.0.0
+ 3.1.0
+ 3.2.0
+ 3.2.2
+ 3.2.3
+ 3.2.5
+ 3.2.9
+ 3.2.9.1
+ 3.3.0"
+
+# 2.0.10 2.0.12 2.0.13 don't like the test setup
+
+# setup authorized keys
+SRC=`dirname ${SCRIPT}`
+cp ${SRC}/dsa_ssh2.prv ${OBJ}/id.com
+chmod 600 ${OBJ}/id.com
+${SSHKEYGEN} -i -f ${OBJ}/id.com > $OBJ/id.openssh
+chmod 600 ${OBJ}/id.openssh
+${SSHKEYGEN} -y -f ${OBJ}/id.openssh > $OBJ/authorized_keys_$USER
+${SSHKEYGEN} -e -f ${OBJ}/id.openssh > $OBJ/id.com.pub
+echo IdKey ${OBJ}/id.com > ${OBJ}/id.list
+
+# we need a DSA host key
+t=dsa
+rm -f ${OBJ}/$t ${OBJ}/$t.pub
+${SSHKEYGEN} -q -N '' -t $t -f ${OBJ}/$t
+$SUDO cp $OBJ/$t $OBJ/host.$t
+echo HostKey $OBJ/host.$t >> $OBJ/sshd_config
+
+# add hostkeys to known hosts
+mkdir -p ${OBJ}/${USER}/hostkeys
+HK=${OBJ}/${USER}/hostkeys/key_${PORT}_127.0.0.1
+${SSHKEYGEN} -e -f ${OBJ}/rsa.pub > ${HK}.ssh-rsa.pub
+${SSHKEYGEN} -e -f ${OBJ}/dsa.pub > ${HK}.ssh-dss.pub
+
+cat > ${OBJ}/ssh2_config << EOF
+*:
+ QuietMode yes
+ StrictHostKeyChecking yes
+ Port ${PORT}
+ User ${USER}
+ Host 127.0.0.1
+ IdentityFile ${OBJ}/id.list
+ RandomSeedFile ${OBJ}/random_seed
+ UserConfigDirectory ${OBJ}/%U
+ AuthenticationSuccessMsg no
+ BatchMode yes
+ ForwardX11 no
+EOF
+
+# we need a real server (no ProxyConnect option)
+start_sshd
+
+DATA=/bin/ls${EXEEXT}
+COPY=${OBJ}/copy
+rm -f ${COPY}
+
+# go for it
+for v in ${VERSIONS}; do
+ ssh2=${TEST_COMBASE}/${v}/ssh2
+ if [ ! -x ${ssh2} ]; then
+ continue
+ fi
+ verbose "ssh2 ${v}"
+ key=ssh-dss
+ skipcat=0
+ case $v in
+ 2.1.*|2.3.0)
+ skipcat=1
+ ;;
+ 3.0.*)
+ key=ssh-rsa
+ ;;
+ esac
+ cp ${HK}.$key.pub ${HK}.pub
+
+ # check exit status
+ ${ssh2} -q -F ${OBJ}/ssh2_config somehost exit 42
+ r=$?
+ if [ $r -ne 42 ]; then
+ fail "ssh2 ${v} exit code test failed (got $r, expected 42)"
+ fi
+
+ # data transfer
+ rm -f ${COPY}
+ ${ssh2} -F ${OBJ}/ssh2_config somehost cat ${DATA} > ${COPY}
+ if [ $? -ne 0 ]; then
+ fail "ssh2 ${v} cat test (receive) failed"
+ fi
+ cmp ${DATA} ${COPY} || fail "ssh2 ${v} cat test (receive) data mismatch"
+
+ # data transfer, again
+ if [ $skipcat -eq 0 ]; then
+ rm -f ${COPY}
+ cat ${DATA} | \
+ ${ssh2} -F ${OBJ}/ssh2_config host "cat > ${COPY}"
+ if [ $? -ne 0 ]; then
+ fail "ssh2 ${v} cat test (send) failed"
+ fi
+ cmp ${DATA} ${COPY} || \
+ fail "ssh2 ${v} cat test (send) data mismatch"
+ fi
+
+ # no stderr after eof
+ rm -f ${COPY}
+ ${ssh2} -F ${OBJ}/ssh2_config somehost \
+ exec sh -c \'"exec > /dev/null; sleep 1; echo bla 1>&2; exit 0"\' \
+ 2> /dev/null
+ if [ $? -ne 0 ]; then
+ fail "ssh2 ${v} stderr test failed"
+ fi
+done
+
+rm -rf ${OBJ}/${USER}
+for i in ssh2_config random_seed dsa.pub dsa host.dsa \
+ id.list id.com id.com.pub id.openssh; do
+ rm -f ${OBJ}/$i
+done
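Review bot: The version loop skips every entry whose binary is missing (`if [ ! -x ${ssh2} ]; then continue`), so when `TEST_COMBASE` points at a directory holding none of the listed versions the script falls through with `RESULT` untouched, and test-exec.sh would then print "ok" for a test that exercised nothing. Counting the versions actually run and failing on zero closes that gap: `tested=0` before the loop, `tested=1` after the `-x` check, and `[ $tested -eq 1 ] || fail "no ssh.com binaries under $TEST_COMBASE"` after `done`. The same skip-and-continue pattern is in ssh-com-keygen.sh, ssh-com-sftp.sh and ssh-com.sh.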
diff --git a/crypto/openssh/regress/ssh-com-keygen.sh b/crypto/openssh/regress/ssh-com-keygen.sh
new file mode 100644
index 0000000..29b02d9
--- /dev/null
+++ b/crypto/openssh/regress/ssh-com-keygen.sh
@@ -0,0 +1,74 @@
+# $OpenBSD: ssh-com-keygen.sh,v 1.4 2004/02/24 17:06:52 markus Exp $
+# Placed in the Public Domain.
+
+tid="ssh.com key import"
+
+#TEST_COMBASE=/path/to/ssh/com/binaries
+if [ "X${TEST_COMBASE}" = "X" ]; then
+ fatal '$TEST_COMBASE is not set'
+fi
+
+VERSIONS="
+ 2.0.10
+ 2.0.12
+ 2.0.13
+ 2.1.0
+ 2.2.0
+ 2.3.0
+ 2.3.1
+ 2.4.0
+ 3.0.0
+ 3.1.0
+ 3.2.0
+ 3.2.2
+ 3.2.3
+ 3.2.5
+ 3.2.9
+ 3.2.9.1
+ 3.3.0"
+
+COMPRV=${OBJ}/comkey
+COMPUB=${COMPRV}.pub
+OPENSSHPRV=${OBJ}/opensshkey
+OPENSSHPUB=${OPENSSHPRV}.pub
+
+# go for it
+for v in ${VERSIONS}; do
+ keygen=${TEST_COMBASE}/${v}/ssh-keygen2
+ if [ ! -x ${keygen} ]; then
+ continue
+ fi
+ types="dss"
+ case $v in
+ 2.3.1|3.*)
+ types="$types rsa"
+ ;;
+ esac
+ for t in $types; do
+ verbose "ssh-keygen $v/$t"
+ rm -f $COMPRV $COMPUB $OPENSSHPRV $OPENSSHPUB
+ ${keygen} -q -P -t $t ${COMPRV} > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ fail "${keygen} -t $t failed"
+ continue
+ fi
+ ${SSHKEYGEN} -if ${COMPUB} > ${OPENSSHPUB}
+ if [ $? -ne 0 ]; then
+ fail "import public key ($v/$t) failed"
+ continue
+ fi
+ ${SSHKEYGEN} -if ${COMPRV} > ${OPENSSHPRV}
+ if [ $? -ne 0 ]; then
+ fail "import private key ($v/$t) failed"
+ continue
+ fi
+ chmod 600 ${OPENSSHPRV}
+ ${SSHKEYGEN} -yf ${OPENSSHPRV} |\
+ diff - ${OPENSSHPUB}
+ if [ $? -ne 0 ]; then
+ fail "public keys ($v/$t) differ"
+ fi
+ done
+done
+
+rm -f $COMPRV $COMPUB $OPENSSHPRV $OPENSSHPUB
diff --git a/crypto/openssh/regress/ssh-com-sftp.sh b/crypto/openssh/regress/ssh-com-sftp.sh
new file mode 100644
index 0000000..936b4cc
--- /dev/null
+++ b/crypto/openssh/regress/ssh-com-sftp.sh
@@ -0,0 +1,67 @@
+# $OpenBSD: ssh-com-sftp.sh,v 1.5 2004/02/24 17:06:52 markus Exp $
+# Placed in the Public Domain.
+
+tid="basic sftp put/get with ssh.com server"
+
+DATA=/bin/ls${EXEEXT}
+COPY=${OBJ}/copy
+SFTPCMDFILE=${OBJ}/batch
+
+cat >$SFTPCMDFILE <<EOF
+version
+get $DATA ${COPY}.1
+put $DATA ${COPY}.2
+EOF
+
+BUFFERSIZE="5 1000 32000 64000"
+REQUESTS="1 2 10"
+
+#TEST_COMBASE=/path/to/ssh/com/binaries
+if [ "X${TEST_COMBASE}" = "X" ]; then
+ fatal '$TEST_COMBASE is not set'
+fi
+
+VERSIONS="
+ 2.0.10
+ 2.0.12
+ 2.0.13
+ 2.1.0
+ 2.2.0
+ 2.3.0
+ 2.3.1
+ 2.4.0
+ 3.0.0
+ 3.1.0
+ 3.2.0
+ 3.2.2
+ 3.2.3
+ 3.2.5
+ 3.2.9
+ 3.2.9.1
+ 3.3.0"
+
+# go for it
+for v in ${VERSIONS}; do
+ server=${TEST_COMBASE}/${v}/sftp-server2
+ if [ ! -x ${server} ]; then
+ continue
+ fi
+ verbose "sftp-server $v"
+ for B in ${BUFFERSIZE}; do
+ for R in ${REQUESTS}; do
+ verbose "test $tid: buffer_size $B num_requests $R"
+ rm -f ${COPY}.1 ${COPY}.2
+ ${SFTP} -P ${server} -B $B -R $R -b $SFTPCMDFILE \
+ > /dev/null 2>&1
+ r=$?
+ if [ $r -ne 0 ]; then
+ fail "sftp failed with $r"
+ else
+ cmp $DATA ${COPY}.1 || fail "corrupted copy after get"
+ cmp $DATA ${COPY}.2 || fail "corrupted copy after put"
+ fi
+ done
+ done
+done
+rm -f ${COPY}.1 ${COPY}.2
+rm -f $SFTPCMDFILE
diff --git a/crypto/openssh/regress/ssh-com.sh b/crypto/openssh/regress/ssh-com.sh
new file mode 100644
index 0000000..7bcd85b
--- /dev/null
+++ b/crypto/openssh/regress/ssh-com.sh
@@ -0,0 +1,119 @@
+# $OpenBSD: ssh-com.sh,v 1.7 2004/02/24 17:06:52 markus Exp $
+# Placed in the Public Domain.
+
+tid="connect to ssh.com server"
+
+#TEST_COMBASE=/path/to/ssh/com/binaries
+if [ "X${TEST_COMBASE}" = "X" ]; then
+ fatal '$TEST_COMBASE is not set'
+fi
+
+VERSIONS="
+ 2.0.12
+ 2.0.13
+ 2.1.0
+ 2.2.0
+ 2.3.0
+ 2.4.0
+ 3.0.0
+ 3.1.0
+ 3.2.0
+ 3.2.2
+ 3.2.3
+ 3.2.5
+ 3.2.9
+ 3.2.9.1
+ 3.3.0"
+# 2.0.10 does not support UserConfigDirectory
+# 2.3.1 requires a config in $HOME/.ssh2
+
+SRC=`dirname ${SCRIPT}`
+
+# ssh.com
+cat << EOF > $OBJ/sshd2_config
+#*:
+ # Port and ListenAddress are not used.
+ QuietMode yes
+ Port 4343
+ ListenAddress 127.0.0.1
+ UserConfigDirectory ${OBJ}/%U
+ Ciphers AnyCipher
+ PubKeyAuthentication yes
+ #AllowedAuthentications publickey
+ AuthorizationFile authorization
+ HostKeyFile ${SRC}/dsa_ssh2.prv
+ PublicHostKeyFile ${SRC}/dsa_ssh2.pub
+ RandomSeedFile ${OBJ}/random_seed
+ MaxConnections 0
+ PermitRootLogin yes
+ VerboseMode no
+ CheckMail no
+ Ssh1Compatibility no
+EOF
+
+# create client config
+sed "s/HostKeyAlias.*/HostKeyAlias ssh2-localhost-with-alias/" \
+ < $OBJ/ssh_config > $OBJ/ssh_config_com
+
+# we need a DSA key for
+rm -f ${OBJ}/dsa ${OBJ}/dsa.pub
+${SSHKEYGEN} -q -N '' -t dsa -f ${OBJ}/dsa
+
+# setup userdir, try rsa first
+mkdir -p ${OBJ}/${USER}
+cp /dev/null ${OBJ}/${USER}/authorization
+for t in rsa dsa; do
+ ${SSHKEYGEN} -e -f ${OBJ}/$t.pub > ${OBJ}/${USER}/$t.com
+ echo Key $t.com >> ${OBJ}/${USER}/authorization
+ echo IdentityFile ${OBJ}/$t >> ${OBJ}/ssh_config_com
+done
+
+# convert and append DSA hostkey
+(
+ echon 'ssh2-localhost-with-alias,127.0.0.1,::1 '
+ ${SSHKEYGEN} -if ${SRC}/dsa_ssh2.pub
+) >> $OBJ/known_hosts
+
+# go for it
+for v in ${VERSIONS}; do
+ sshd2=${TEST_COMBASE}/${v}/sshd2
+ if [ ! -x ${sshd2} ]; then
+ continue
+ fi
+ trace "sshd2 ${v}"
+ PROXY="proxycommand ${sshd2} -qif ${OBJ}/sshd2_config 2> /dev/null"
+ ${SSH} -qF ${OBJ}/ssh_config_com -o "${PROXY}" dummy exit 0
+ if [ $? -ne 0 ]; then
+ fail "ssh connect to sshd2 ${v} failed"
+ fi
+
+ ciphers="3des-cbc blowfish-cbc arcfour"
+ macs="hmac-md5"
+ case $v in
+ 2.4.*)
+ ciphers="$ciphers cast128-cbc"
+ macs="$macs hmac-sha1 hmac-sha1-96 hmac-md5-96"
+ ;;
+ 3.*)
+ ciphers="$ciphers aes128-cbc cast128-cbc"
+ macs="$macs hmac-sha1 hmac-sha1-96 hmac-md5-96"
+ ;;
+ esac
+ #ciphers="3des-cbc"
+ for m in $macs; do
+ for c in $ciphers; do
+ trace "sshd2 ${v} cipher $c mac $m"
+ verbose "test ${tid}: sshd2 ${v} cipher $c mac $m"
+ ${SSH} -c $c -m $m -qF ${OBJ}/ssh_config_com -o "${PROXY}" dummy exit 0
+ if [ $? -ne 0 ]; then
+ fail "ssh connect to sshd2 ${v} with $c/$m failed"
+ fi
+ done
+ done
+done
+
+rm -rf ${OBJ}/${USER}
+for i in sshd_config_proxy ssh_config_proxy random_seed \
+ sshd2_config dsa.pub dsa ssh_config_com; do
+ rm -f ${OBJ}/$i
+done
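Review bot: The cleanup loop at the end removes `sshd_config_proxy` and `ssh_config_proxy`, names that neither this script nor test-exec.sh in this commit creates (test-exec.sh writes `sshd_proxy` and `ssh_proxy`). `rm -f` hides the mismatch, so the list misleads about what the test owns; it would read better limited to the files written here: `for i in random_seed sshd2_config dsa.pub dsa ssh_config_com; do`. The comment `# we need a DSA key for` is also cut off and should say what the key is for, presumably user authentication, since `dsa.pub` is exported into `authorization` just below.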
diff --git a/crypto/openssh/regress/sshd-log-wrapper.sh b/crypto/openssh/regress/sshd-log-wrapper.sh
new file mode 100644
index 0000000..c7a5ef3
--- /dev/null
+++ b/crypto/openssh/regress/sshd-log-wrapper.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+# $OpenBSD: sshd-log-wrapper.sh,v 1.2 2005/02/27 11:40:30 dtucker Exp $
+# Placed in the Public Domain.
+#
+# simple wrapper for sshd proxy mode to catch stderr output
+# sh sshd-log-wrapper.sh /path/to/sshd /path/to/logfile
+
+sshd=$1
+log=$2
+shift
+shift
+
+exec $sshd $@ -e 2>>$log
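Review bot: `exec $sshd $@ -e 2>>$log` expands all three values unquoted, so an sshd path, a log path or a forwarded argument containing whitespace or glob characters is split or expanded before sshd sees it. test-exec.sh invokes this wrapper through `${SUDO}` in its `proxycommand` line, which makes exact argument forwarding matter more. Suggested line: `exec "$sshd" "$@" -e 2>>"$log"`.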
diff --git a/crypto/openssh/regress/stderr-after-eof.sh b/crypto/openssh/regress/stderr-after-eof.sh
new file mode 100644
index 0000000..05a5ea5
--- /dev/null
+++ b/crypto/openssh/regress/stderr-after-eof.sh
@@ -0,0 +1,40 @@
+# $OpenBSD: stderr-after-eof.sh,v 1.1 2002/03/23 16:38:09 markus Exp $
+# Placed in the Public Domain.
+
+tid="stderr data after eof"
+
+DATA=/etc/motd
+DATA=${OBJ}/data
+COPY=${OBJ}/copy
+
+if have_prog md5sum; then
+ CHECKSUM=md5sum
+elif have_prog openssl; then
+ CHECKSUM="openssl md5"
+elif have_prog cksum; then
+ CHECKSUM=cksum
+elif have_prog sum; then
+ CHECKSUM=sum
+else
+ fatal "No checksum program available, aborting $tid test"
+fi
+
+# setup data
+rm -f ${DATA} ${COPY}
+cp /dev/null ${DATA}
+for i in 1 2 3 4 5 6; do
+ (date;echo $i) | $CHECKSUM >> ${DATA}
+done
+
+${SSH} -2 -F $OBJ/ssh_proxy otherhost \
+ exec sh -c \'"exec > /dev/null; sleep 2; cat ${DATA} 1>&2 $s"\' \
+ 2> ${COPY}
+r=$?
+if [ $r -ne 0 ]; then
+ fail "ssh failed with exit code $r"
+fi
+egrep 'Disconnecting: Received extended_data after EOF' ${COPY} &&
+ fail "ext data received after eof"
+cmp ${DATA} ${COPY} || fail "stderr corrupt"
+
+rm -f ${DATA} ${COPY}
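Review bot: `DATA=/etc/motd` is overwritten by `DATA=${OBJ}/data` on the very next line, and the script later appends to `${DATA}` and runs `rm -f ${DATA} ${COPY}`, so the dead assignment is one deleted line away from pointing those commands at a system file; drop it. The remote command also ends in `$s`, which nothing visible in this script or in test-exec.sh sets, so it presumably expands to nothing; remove it or add a comment saying what it is meant to carry. stderr-data.sh has the same `$s` in both of its remote commands.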
diff --git a/crypto/openssh/regress/stderr-data.sh b/crypto/openssh/regress/stderr-data.sh
new file mode 100644
index 0000000..1daf79b
--- /dev/null
+++ b/crypto/openssh/regress/stderr-data.sh
@@ -0,0 +1,33 @@
+# $OpenBSD: stderr-data.sh,v 1.2 2002/03/27 22:39:52 markus Exp $
+# Placed in the Public Domain.
+
+tid="stderr data transfer"
+
+DATA=/bin/ls${EXEEXT}
+COPY=${OBJ}/copy
+rm -f ${COPY}
+
+for n in '' -n; do
+for p in 1 2; do
+ verbose "test $tid: proto $p ($n)"
+ ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \
+ exec sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
+ 2> ${COPY}
+ r=$?
+ if [ $r -ne 0 ]; then
+ fail "ssh failed with exit code $r"
+ fi
+ cmp ${DATA} ${COPY} || fail "stderr corrupt"
+ rm -f ${COPY}
+
+ ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \
+ exec sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
+ > /dev/null 2> ${COPY}
+ r=$?
+ if [ $r -ne 0 ]; then
+ fail "ssh failed with exit code $r"
+ fi
+ cmp ${DATA} ${COPY} || fail "stderr corrupt"
+ rm -f ${COPY}
+done
+done
diff --git a/crypto/openssh/regress/t4.ok b/crypto/openssh/regress/t4.ok
new file mode 100644
index 0000000..8c4942b
--- /dev/null
+++ b/crypto/openssh/regress/t4.ok
@@ -0,0 +1 @@
+3b:dd:44:e9:49:18:84:95:f1:e7:33:6b:9d:93:b1:36
diff --git a/crypto/openssh/regress/t5.ok b/crypto/openssh/regress/t5.ok
new file mode 100644
index 0000000..bd622f3
--- /dev/null
+++ b/crypto/openssh/regress/t5.ok
@@ -0,0 +1 @@
+xokes-lylis-byleh-zebib-kalus-bihas-tevah-haroz-suhar-foved-noxex
diff --git a/crypto/openssh/regress/test-exec.sh b/crypto/openssh/regress/test-exec.sh
new file mode 100644
index 0000000..59ae33c
--- /dev/null
+++ b/crypto/openssh/regress/test-exec.sh
@@ -0,0 +1,307 @@
+# $OpenBSD: test-exec.sh,v 1.28 2005/05/20 23:14:15 djm Exp $
+# Placed in the Public Domain.
+
+#SUDO=sudo
+
+# Unbreak GNU head(1)
+_POSIX2_VERSION=199209
+export _POSIX2_VERSION
+
+case `uname -s 2>/dev/null` in
+OSF1*)
+ BIN_SH=xpg4
+ export BIN_SH
+ ;;
+esac
+
+if [ ! -z "$TEST_SSH_PORT" ]; then
+ PORT="$TEST_SSH_PORT"
+else
+ PORT=4242
+fi
+
+if [ -x /usr/ucb/whoami ]; then
+ USER=`/usr/ucb/whoami`
+elif whoami >/dev/null 2>&1; then
+ USER=`whoami`
+elif logname >/dev/null 2>&1; then
+ USER=`logname`
+else
+ USER=`id -un`
+fi
+
+OBJ=$1
+if [ "x$OBJ" = "x" ]; then
+ echo '$OBJ not defined'
+ exit 2
+fi
+if [ ! -d $OBJ ]; then
+ echo "not a directory: $OBJ"
+ exit 2
+fi
+SCRIPT=$2
+if [ "x$SCRIPT" = "x" ]; then
+ echo '$SCRIPT not defined'
+ exit 2
+fi
+if [ ! -f $SCRIPT ]; then
+ echo "not a file: $SCRIPT"
+ exit 2
+fi
+if $TEST_SHELL -n $SCRIPT; then
+ true
+else
+ echo "syntax error in $SCRIPT"
+ exit 2
+fi
+unset SSH_AUTH_SOCK
+
+SRC=`dirname ${SCRIPT}`
+
+# defaults
+SSH=ssh
+SSHD=sshd
+SSHAGENT=ssh-agent
+SSHADD=ssh-add
+SSHKEYGEN=ssh-keygen
+SSHKEYSCAN=ssh-keyscan
+SFTP=sftp
+SFTPSERVER=/usr/libexec/openssh/sftp-server
+SCP=scp
+
+if [ "x$TEST_SSH_SSH" != "x" ]; then
+ SSH="${TEST_SSH_SSH}"
+fi
+if [ "x$TEST_SSH_SSHD" != "x" ]; then
+ SSHD="${TEST_SSH_SSHD}"
+fi
+if [ "x$TEST_SSH_SSHAGENT" != "x" ]; then
+ SSHAGENT="${TEST_SSH_SSHAGENT}"
+fi
+if [ "x$TEST_SSH_SSHADD" != "x" ]; then
+ SSHADD="${TEST_SSH_SSHADD}"
+fi
+if [ "x$TEST_SSH_SSHKEYGEN" != "x" ]; then
+ SSHKEYGEN="${TEST_SSH_SSHKEYGEN}"
+fi
+if [ "x$TEST_SSH_SSHKEYSCAN" != "x" ]; then
+ SSHKEYSCAN="${TEST_SSH_SSHKEYSCAN}"
+fi
+if [ "x$TEST_SSH_SFTP" != "x" ]; then
+ SFTP="${TEST_SSH_SFTP}"
+fi
+if [ "x$TEST_SSH_SFTPSERVER" != "x" ]; then
+ SFTPSERVER="${TEST_SSH_SFTPSERVER}"
+fi
+if [ "x$TEST_SSH_SCP" != "x" ]; then
+ SCP="${TEST_SSH_SCP}"
+fi
+
+# Path to sshd must be absolute for rexec
+case "$SSHD" in
+/*) ;;
+*) SSHD=`which sshd` ;;
+esac
+
+if [ "x$TEST_SSH_LOGFILE" = "x" ]; then
+ TEST_SSH_LOGFILE=/dev/null
+fi
+
+# these should be used in tests
+export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
+#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
+
+# helper
+echon()
+{
+ if [ "x`echo -n`" = "x" ]; then
+ echo -n "$@"
+ elif [ "x`echo '\c'`" = "x" ]; then
+ echo "$@\c"
+ else
+ fatal "Don't know how to echo without newline."
+ fi
+}
+
+have_prog()
+{
+ saved_IFS="$IFS"
+ IFS=":"
+ for i in $PATH
+ do
+ if [ -x $i/$1 ]; then
+ IFS="$saved_IFS"
+ return 0
+ fi
+ done
+ IFS="$saved_IFS"
+ return 1
+}
+
+cleanup ()
+{
+ if [ -f $PIDFILE ]; then
+ pid=`cat $PIDFILE`
+ if [ "X$pid" = "X" ]; then
+ echo no sshd running
+ else
+ if [ $pid -lt 2 ]; then
+ echo bad pid for ssd: $pid
+ else
+ $SUDO kill $pid
+ fi
+ fi
+ fi
+}
+
+trace ()
+{
+ echo "trace: $@" >>$TEST_SSH_LOGFILE
+ if [ "X$TEST_SSH_TRACE" = "Xyes" ]; then
+ echo "$@"
+ fi
+}
+
+verbose ()
+{
+ echo "verbose: $@" >>$TEST_SSH_LOGFILE
+ if [ "X$TEST_SSH_QUIET" != "Xyes" ]; then
+ echo "$@"
+ fi
+}
+
+
+fail ()
+{
+ echo "FAIL: $@" >>$TEST_SSH_LOGFILE
+ RESULT=1
+ echo "$@"
+}
+
+fatal ()
+{
+ echo "FATAL: $@" >>$TEST_SSH_LOGFILE
+ echon "FATAL: "
+ fail "$@"
+ cleanup
+ exit $RESULT
+}
+
+RESULT=0
+PIDFILE=$OBJ/pidfile
+
+trap fatal 3 2
+
+# create server config
+cat << EOF > $OBJ/sshd_config
+ StrictModes no
+ Port $PORT
+ AddressFamily inet
+ ListenAddress 127.0.0.1
+ #ListenAddress ::1
+ PidFile $PIDFILE
+ AuthorizedKeysFile $OBJ/authorized_keys_%u
+ LogLevel VERBOSE
+ AcceptEnv _XXX_TEST_*
+ AcceptEnv _XXX_TEST
+ Subsystem sftp $SFTPSERVER
+EOF
+
+if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then
+ trace "adding sshd_config option $TEST_SSH_SSHD_CONFOPTS"
+ echo "$TEST_SSH_SSHD_CONFOPTS" >> $OBJ/sshd_config
+fi
+
+# server config for proxy connects
+cp $OBJ/sshd_config $OBJ/sshd_proxy
+
+# allow group-writable directories in proxy-mode
+echo 'StrictModes no' >> $OBJ/sshd_proxy
+
+# create client config
+cat << EOF > $OBJ/ssh_config
+Host *
+ Hostname 127.0.0.1
+ HostKeyAlias localhost-with-alias
+ Port $PORT
+ User $USER
+ GlobalKnownHostsFile $OBJ/known_hosts
+ UserKnownHostsFile $OBJ/known_hosts
+ RSAAuthentication yes
+ PubkeyAuthentication yes
+ ChallengeResponseAuthentication no
+ HostbasedAuthentication no
+ PasswordAuthentication no
+ BatchMode yes
+ StrictHostKeyChecking yes
+EOF
+
+if [ ! -z "$TEST_SSH_SSH_CONFOPTS" ]; then
+ trace "adding ssh_config option $TEST_SSH_SSHD_CONFOPTS"
+ echo "$TEST_SSH_SSH_CONFOPTS" >> $OBJ/ssh_config
+fi
+
+rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER
+
+trace "generate keys"
+for t in rsa rsa1; do
+ # generate user key
+ rm -f $OBJ/$t
+ ${SSHKEYGEN} -b 1024 -q -N '' -t $t -f $OBJ/$t ||\
+ fail "ssh-keygen for $t failed"
+
+ # known hosts file for client
+ (
+ echon 'localhost-with-alias,127.0.0.1,::1 '
+ cat $OBJ/$t.pub
+ ) >> $OBJ/known_hosts
+
+ # setup authorized keys
+ cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+ echo IdentityFile $OBJ/$t >> $OBJ/ssh_config
+
+ # use key as host key, too
+ $SUDO cp $OBJ/$t $OBJ/host.$t
+ echo HostKey $OBJ/host.$t >> $OBJ/sshd_config
+
+ # don't use SUDO for proxy connect
+ echo HostKey $OBJ/$t >> $OBJ/sshd_proxy
+done
+chmod 644 $OBJ/authorized_keys_$USER
+
+# create a proxy version of the client config
+(
+ cat $OBJ/ssh_config
+ echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy
+) > $OBJ/ssh_proxy
+
+# check proxy config
+${SSHD} -t -f $OBJ/sshd_proxy || fatal "sshd_proxy broken"
+
+start_sshd ()
+{
+ # start sshd
+ $SUDO ${SSHD} -f $OBJ/sshd_config -t || fatal "sshd_config broken"
+ $SUDO ${SSHD} -f $OBJ/sshd_config -e >>$TEST_SSH_LOGFILE 2>&1
+
+ trace "wait for sshd"
+ i=0;
+ while [ ! -f $PIDFILE -a $i -lt 10 ]; do
+ i=`expr $i + 1`
+ sleep $i
+ done
+
+ test -f $PIDFILE || fatal "no sshd running on port $PORT"
+}
+
+# source test body
+. $SCRIPT
+
+# kill sshd
+cleanup
+if [ $RESULT -eq 0 ]; then
+ verbose ok $tid
+else
+ echo failed $tid
+fi
+exit $RESULT
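Review bot: In the "Path to sshd must be absolute for rexec" block, a non-absolute `$SSHD` is replaced with the result of `which sshd`, which discards the name supplied in `TEST_SSH_SSHD` and resolves a literal `sshd` from `PATH`. That binary is then launched through `$SUDO` in `start_sshd`, so the suite can end up testing, and when `SUDO` is set running with elevated privileges, a different sshd from the one requested. Resolving the configured name keeps the override intact: ``*) SSHD=`which "$SSHD"` ;;``. Separately, the trace in the `TEST_SSH_SSH_CONFOPTS` branch prints `$TEST_SSH_SSHD_CONFOPTS`; it should read `trace "adding ssh_config option $TEST_SSH_SSH_CONFOPTS"`.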
diff --git a/crypto/openssh/regress/transfer.sh b/crypto/openssh/regress/transfer.sh
new file mode 100644
index 0000000..13ea367
--- /dev/null
+++ b/crypto/openssh/regress/transfer.sh
@@ -0,0 +1,29 @@
+# $OpenBSD: transfer.sh,v 1.1 2002/03/27 00:03:37 markus Exp $
+# Placed in the Public Domain.
+
+tid="transfer data"
+
+DATA=/bin/ls${EXEEXT}
+COPY=${OBJ}/copy
+
+for p in 1 2; do
+ verbose "$tid: proto $p"
+ rm -f ${COPY}
+ ${SSH} -n -q -$p -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY}
+ if [ $? -ne 0 ]; then
+ fail "ssh cat $DATA failed"
+ fi
+ cmp ${DATA} ${COPY} || fail "corrupted copy"
+
+ for s in 10 100 1k 32k 64k 128k 256k; do
+ trace "proto $p dd-size ${s}"
+ rm -f ${COPY}
+ dd if=$DATA obs=${s} 2> /dev/null | \
+ ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
+ if [ $? -ne 0 ]; then
+ fail "ssh cat $DATA failed"
+ fi
+ cmp $DATA ${COPY} || fail "corrupted copy"
+ done
+done
+rm -f ${COPY}
diff --git a/crypto/openssh/regress/try-ciphers.sh b/crypto/openssh/regress/try-ciphers.sh
new file mode 100644
index 0000000..379fe35
--- /dev/null
+++ b/crypto/openssh/regress/try-ciphers.sh
@@ -0,0 +1,49 @@
+# $OpenBSD: try-ciphers.sh,v 1.10 2005/05/24 04:10:54 djm Exp $
+# Placed in the Public Domain.
+
+tid="try ciphers"
+
+ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
+ arcfour128 arcfour256 arcfour
+ aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
+ aes128-ctr aes192-ctr aes256-ctr"
+macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
+
+for c in $ciphers; do
+ for m in $macs; do
+ trace "proto 2 cipher $c mac $m"
+ verbose "test $tid: proto 2 cipher $c mac $m"
+ ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
+ if [ $? -ne 0 ]; then
+ fail "ssh -2 failed with mac $m cipher $c"
+ fi
+ done
+done
+
+ciphers="3des blowfish"
+for c in $ciphers; do
+ trace "proto 1 cipher $c"
+ verbose "test $tid: proto 1 cipher $c"
+ ${SSH} -F $OBJ/ssh_proxy -1 -c $c somehost true
+ if [ $? -ne 0 ]; then
+ fail "ssh -1 failed with cipher $c"
+ fi
+done
+
+if ${SSH} -oCiphers=acss@openssh.org 2>&1 | grep "Bad SSH2 cipher" >/dev/null
+then
+ :
+else
+
+echo "Ciphers acss@openssh.org" >> $OBJ/sshd_proxy
+c=acss@openssh.org
+for m in $macs; do
+ trace "proto 2 $c mac $m"
+ verbose "test $tid: proto 2 cipher $c mac $m"
+ ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
+ if [ $? -ne 0 ]; then
+ fail "ssh -2 failed with mac $m cipher $c"
+ fi
+done
+
+fi
diff --git a/crypto/openssh/regress/yes-head.sh b/crypto/openssh/regress/yes-head.sh
new file mode 100644
index 0000000..a8e6bc8
--- /dev/null
+++ b/crypto/openssh/regress/yes-head.sh
@@ -0,0 +1,15 @@
+# $OpenBSD: yes-head.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
+# Placed in the Public Domain.
+
+tid="yes pipe head"
+
+for p in 1 2; do
+ lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
+ if [ $? -ne 0 ]; then
+ fail "yes|head test failed"
+ lines = 0;
+ fi
+ if [ $lines -ne 2000 ]; then
+ fail "yes|head returns $lines lines instead of 2000"
+ fi
+done
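Review bot: `lines = 0;` in the failure branch is not an assignment: with spaces around `=` the shell tries to run a command named `lines`, so `$lines` keeps whatever the command substitution produced; it should be `lines=0`. The `$?` tested just before it is the status of the last pipeline stage inside the backticks, `(sleep 3 ; wc -l)`, not of `${SSH}`, so that branch is unlikely to fire when ssh itself fails. A short comment noting that the line-count comparison is the real check would save the next reader from trusting the first one.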