86 files changed, 1802 insertions, 4071 deletions

diff --git a/crypto/openssh/COPYING.Ylonen b/crypto/openssh/COPYING.Ylonen
deleted file mode 100644
index 5e681ed..0000000
--- a/crypto/openssh/COPYING.Ylonen
+++ /dev/null
@@ -1,70 +0,0 @@
-This file is part of the ssh software, Copyright (c) 1995 Tatu Ylonen, Finland
-
-
-COPYING POLICY AND OTHER LEGAL ISSUES
-
-As far as I am concerned, the code I have written for this software
-can be used freely for any purpose.  Any derived versions of this
-software must be clearly marked as such, and if the derived work is
-incompatible with the protocol description in the RFC file, it must be
-called by a name other than "ssh" or "Secure Shell".
-
-However, I am not implying to give any licenses to any patents or
-copyrights held by third parties, and the software includes parts that
-are not under my direct control.  As far as I know, all included
-source code is used in accordance with the relevant license agreements
-and can be used freely for any purpose (the GNU license being the most
-restrictive); see below for details.
-
-[ RSA is no longer included. ]
-[ IDEA is no longer included. ]
-[ DES is now external. ]
-[ GMP is now external. No more GNU licence. ]
-[ Zlib is now external. ]
-[ The make-ssh-known-hosts script is no longer included. ]
-[ TSS has been removed. ]
-[ MD5 is now external. ]
-[ RC4 support has been removed. ]
-[ Blowfish is now external. ]
-
-The 32-bit CRC implementation in crc32.c is due to Gary S. Brown.
-Comments in the file indicate it may be used for any purpose without
-restrictions.
-
-The 32-bit CRC compensation attack detector in deattack.c was
-contributed by CORE SDI S.A. under a BSD-style license. See
-http://www.core-sdi.com/english/ssh/ for details.
-
-Note that any information and cryptographic algorithms used in this
-software are publicly available on the Internet and at any major
-bookstore, scientific library, and patent office worldwide.  More
-information can be found e.g. at "http://www.cs.hut.fi/crypto".
-
-The legal status of this program is some combination of all these
-permissions and restrictions.  Use only at your own responsibility.
-You will be responsible for any legal consequences yourself; I am not
-making any claims whether possessing or using this is legal or not in
-your country, and I am not taking any responsibility on your behalf.
-
-
-			    NO WARRANTY
-
-BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
diff --git a/crypto/openssh/FREEBSD-Xlist b/crypto/openssh/FREEBSD-Xlist
new file mode 100644
index 0000000..6d8ac04
--- /dev/null
+++ b/crypto/openssh/FREEBSD-Xlist
@@ -0,0 +1,10 @@
+$FreeBSD$
+*.0
+*/.cvsignore
+.cvsignore
+autom4te*
+config.h.in
+configure
+contrib
+regress/*.[0-9]
+stamp-h.in
diff --git a/crypto/openssh/FREEBSD-tricks b/crypto/openssh/FREEBSD-tricks
new file mode 100644
index 0000000..4ae5439
--- /dev/null
+++ b/crypto/openssh/FREEBSD-tricks
@@ -0,0 +1,19 @@
+# $FreeBSD$
+
+# Shell code to remove FreeBSD tags before merging
+grep -rl '\$Fre.BSD:' . >tags
+cat tags | while read f ; do
+    sed -i.orig -e '/\$Fre.BSD:/d' $f
+done
+
+# Shell + Perl code to add FreeBSD tags wherever an OpenBSD or Id tag occurs
+cat tags |
+xargs perl -n -i.orig -e 'print; s/\$(Id|OpenBSD): [^\$]*\$/\$FreeBSD\$/ && print'
+
+# Shell code to reexpand FreeBSD tags
+cat tags | while read f ; do
+    id=$(cvs diff $f | grep '\$Fre.BSD:' | sed 's/.*\(\$Fre.BSD:.*\$\).*/\1/') ;
+    if [ -n "$id" ] ; then
+        sed -i.orig -e "s@\\\$Fre.BSD\\\$@$id@" $f ;
+    fi ;
+done
diff --git a/crypto/openssh/FREEBSD-upgrade b/crypto/openssh/FREEBSD-upgrade
new file mode 100644
index 0000000..331d83a
--- /dev/null
+++ b/crypto/openssh/FREEBSD-upgrade
@@ -0,0 +1,129 @@
+
+
+	    FreeBSD maintainer's guide to OpenSSH-portable
+	    ==============================================
+
+
+0) Make sure your mail spool has plenty of free space.  It'll fill up
+   pretty fast once you're done with this checklist.
+
+1) Grab the latest OpenSSH-portable tarball from the OpenBSD FTP
+   site (ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/)
+
+2) Unpack the tarball in a suitable directory.
+
+3) Remove trash:
+
+	$ tail +2 /usr/src/crypto/openssh/FREEBSD-Xlist |
+		while read glob ; do eval "rm -rvf $glob" ; done
+
+   Make sure that took care of everything, and if it didn't, make sure
+   to update FREEBSD-Xlist so you won't miss it the next time.  A good
+   way to do this is to run a test import and see if any new files
+   show up:
+
+	$ cvs -n import src/crypto/openssh OPENSSH x | grep \^N
+
+4) Import the sources:
+
+	$ cvs import src/crypto/openssh OPENSSH OpenSSH_X_YpZ
+
+5) Resolve conflicts.  Remember to bump the version number and
+   addendum in version.h, and update the default value in
+   ssh{,d}_config and ssh{,d}_config.5.
+
+6) Generate configure and config.h.in:
+
+	$ autoconf
+	$ autoheader
+
+   Note: this requires a recent version of autoconf, not autoconf213.
+
+7) Run configure with the appropriate arguments:
+
+	$ ./configure --prefix=/usr --sysconfdir=/etc/ssh \
+		--with-pam --with-tcp-wrappers
+
+   Note that we don't want to configure OpenSSH for Kerberos using
+   configure since we have to be able to turn it on or off depending
+   on the value of NO_KERBEROS.  Our Makefiles take care of this.
+
+8) Commit the resulting config.h.  Make sure you don't accidentally
+   commit any other files created by autoconf, autoheader or
+   configure; they'll just clutter up the repo and cause trouble at
+   the next upgrade.
+
+9) Build and test.
+
+A) Re-commit everything on freefall (you *did* use a test repo for
+   this, didn't you?)
+
+
+
+	  An overview of FreeBSD changes to OpenSSH-portable
+	  ==================================================
+
+0) VersionAddendum
+
+   The SSH protocol allows for a human-readable version string of up
+   to 40 characters to be appended to the protocol version string.
+   FreeBSD takes advantage of this to include a date indicating the
+   "patch level", so people can easily determine whether their system
+   is vulnerable when an OpenSSH advisory goes out.  Some people,
+   however, dislike advertising their patch level in the protocol
+   handshake, so we've added a VersionAddendum configuration variable
+   to allow them to change or disable it.
+
+1) Modified server-side defaults
+
+   We've modified some configuration defaults in sshd:
+
+      - Protocol defaults to "2".
+
+      - PasswordAuthentication defaults to "no" when PAM is enabled.
+
+      - For protocol version 2, we don't load RSA host keys by
+        default.  If both RSA and DSA keys are present, we prefer DSA
+        to RSA.
+
+      - LoginGraceTime defaults to 120 seconds instead of 600.
+
+      - PermitRootLogin defaults to "no".
+
+      - X11Forwarding defaults to "yes" (it's a threat to the client,
+        not to the server.)
+
+2) Modified client-side defaults
+
+   We've modified some configuration defaults in ssh:
+
+      - For protocol version 2, if both RSA and DSA keys are present,
+        we prefer DSA to RSA.
+
+      - CheckHostIP defaults to "no".
+
+3) Canonic host names
+
+   We've added code to ssh.c to canonicize the target host name after
+   reading options but before trying to connect.  This eliminates the
+   usual problem with duplicate known_hosts entries.
+
+4) OPIE
+
+   We've added support for using OPIE as a drop-in replacement for
+   S/Key.
+
+5) setusercontext() environment
+
+   Our setusercontext(3) can set environment variables, which we must
+   take care to transfer to the child's environment.
+
+
+
+This port was brought to you by (in no particular order) DARPA, NAI
+Labs, ThinkSec, Nescafé, the Aberlour Glenlivet Distillery Co.,
+Suzanne Vega, and a Sanford's #69 Deluxe Marker.
+
+					-- des@FreeBSD.org
+
+$FreeBSD$
diff --git a/crypto/openssh/Makefile b/crypto/openssh/Makefile
deleted file mode 100644
index 0b9c668..0000000
--- a/crypto/openssh/Makefile
+++ /dev/null
@@ -1,14 +0,0 @@
-#	$OpenBSD: Makefile,v 1.11 2002/05/23 19:24:30 markus Exp $
-
-.include <bsd.own.mk>
-
-SUBDIR=	lib ssh sshd ssh-add ssh-keygen ssh-agent scp sftp-server \
-	ssh-keysign ssh-keyscan sftp scard
-
-distribution:
-	install -C -o root -g wheel -m 0644 ${.CURDIR}/ssh_config \
-	    ${DESTDIR}/etc/ssh/ssh_config
-	install -C -o root -g wheel -m 0644 ${.CURDIR}/sshd_config \
-	    ${DESTDIR}/etc/ssh/sshd_config
-
-.include <bsd.subdir.mk>
diff --git a/crypto/openssh/README.openssh2 b/crypto/openssh/README.openssh2
deleted file mode 100644
index 12c90aa..0000000
--- a/crypto/openssh/README.openssh2
+++ /dev/null
@@ -1,44 +0,0 @@
-$Id: README.openssh2,v 1.8 2000/05/07 18:30:03 markus Exp $
-
-howto:
-	1) generate server key:
-		$ ssh-keygen -d -f /etc/ssh_host_dsa_key -N ''
-	2) enable ssh2:
-		server: add 'Protocol 2,1' to /etc/sshd_config
-		client: ssh -o 'Protocol 2,1', or add to .ssh/config
-	3) DSA authentication similar to RSA (add keys to ~/.ssh/authorized_keys2)
-	   interop w/ ssh.com dsa-keys:
-		ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2
-	   and vice versa
-		ssh-keygen -f /privatekey/from/openssh -x > ~/.ssh2/mykey.pub
-		echo Key mykey.pub >> ~/.ssh2/authorization
-
-works:
-	secsh-transport: works w/o rekey
-		proposal exchange, i.e. different enc/mac/comp per direction
-		encryption: blowfish-cbc, 3des-cbc, arcfour, cast128-cbc
-		mac: hmac-md5, hmac-sha1, (hmac-ripemd160)
-		compression: zlib, none
-	secsh-userauth: passwd and pubkey with DSA
-	secsh-connection: pty+shell or command, flow control works (window adjust)
-		tcp-forwarding: -L works, -R incomplete
-		x11-fwd
-	dss/dsa: host key database in ~/.ssh/known_hosts2
-	client interops w/ sshd2, lshd
-	server interops w/ ssh2, lsh, ssh.com's Windows client, SecureCRT, F-Secure SSH Client 4.0, SecureFX (secure ftp)
-	server supports multiple concurrent sessions (e.g. with SSH.com Windows client)
-todo:
-	re-keying
-	secsh-connection features:
-		 tcp-forwarding, agent-fwd
-	auth other than passwd, and DSA-pubkey:
-		 keyboard-interactive, (PGP-pubkey?)
-	config
-	server-auth w/ old host-keys
-	cleanup
-	advanced key storage?
-	keynote
-	sftp
-
--markus
-$Date: 2000/05/07 18:30:03 $
diff --git a/crypto/openssh/acconfig.h b/crypto/openssh/acconfig.h
index f143535..abeecda 100644
--- a/crypto/openssh/acconfig.h
+++ b/crypto/openssh/acconfig.h
@@ -1,4 +1,5 @@
-/* $Id: acconfig.h,v 1.177 2004/04/15 23:22:40 dtucker Exp $ */
+/* $Id: acconfig.h,v 1.173 2004/02/06 05:24:31 dtucker Exp $ */
+/* $FreeBSD$ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@@ -131,9 +132,6 @@
 /* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */
 #undef AIX_LOGINFAILED_4ARG
 
-/* Define if your skeychallenge() function takes 4 arguments (eg NetBSD) */
-#undef SKEYCHALLENGE_4ARG
-
 /* Define if you have/want arrays (cluster-wide session managment, not C arrays) */
 #undef WITH_IRIX_ARRAY
 
@@ -205,9 +203,6 @@
 /* Define if you don't want to use lastlog in session.c */
 #undef NO_SSH_LASTLOG
 
-/* Define if have krb5_init_ets */
-#undef KRB5_INIT_ETS
-
 /* Define if you don't want to use utmp */
 #undef DISABLE_UTMP
 
@@ -271,6 +266,9 @@
 /* Define if you want S/Key support */
 #undef SKEY
 
+/* Define if you want OPIE support */
+#undef OPIE
+
 /* Define if you want TCP Wrappers support */
 #undef LIBWRAP
 
@@ -353,9 +351,6 @@
 /* getaddrinfo is broken (if present) */
 #undef BROKEN_GETADDRINFO
 
-/* updwtmpx is broken (if present) */
-#undef BROKEN_UPDWTMPX
-
 /* Workaround more Linux IPv6 quirks */
 #undef DONT_TRY_OTHER_AF
 
diff --git a/crypto/openssh/auth-chall.c b/crypto/openssh/auth-chall.c
index a9d314d..dbe04cd 100644
--- a/crypto/openssh/auth-chall.c
+++ b/crypto/openssh/auth-chall.c
@@ -24,6 +24,7 @@
 
 #include "includes.h"
 RCSID("$OpenBSD: auth-chall.c,v 1.9 2003/11/03 09:03:37 djm Exp $");
+RCSID("$FreeBSD$");
 
 #include "auth.h"
 #include "log.h"
diff --git a/crypto/openssh/auth-krb5.c b/crypto/openssh/auth-krb5.c
index f4aa541..7270326 100644
--- a/crypto/openssh/auth-krb5.c
+++ b/crypto/openssh/auth-krb5.c
@@ -1,7 +1,7 @@
 /*
  *    Kerberos v5 authentication and ticket-passing routines.
  *
- * $FreeBSD$
+ * $xFreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp$
  */
 /*
  * Copyright (c) 2002 Daniel Kouril.  All rights reserved.
@@ -29,6 +29,7 @@
 
 #include "includes.h"
 RCSID("$OpenBSD: auth-krb5.c,v 1.15 2003/11/21 11:57:02 djm Exp $");
+RCSID("$FreeBSD$");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -54,9 +55,7 @@ krb5_init(void *context)
 		problem = krb5_init_context(&authctxt->krb5_ctx);
 		if (problem)
 			return (problem);
-#ifdef KRB5_INIT_ETS
 		krb5_init_ets(authctxt->krb5_ctx);
-#endif
 	}
 	return (0);
 }
@@ -72,7 +71,6 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 #endif
 	krb5_error_code problem;
 	krb5_ccache ccache = NULL;
-	int len;
 
 	if (!authctxt->valid)
 		return (0);
@@ -178,11 +176,6 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 
 	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
 
-	len = strlen(authctxt->krb5_ticket_file) + 6;
-	authctxt->krb5_ccname = xmalloc(len);
-	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
-	    authctxt->krb5_ticket_file);
-
  out:
 	restore_uid();
 
diff --git a/crypto/openssh/auth-pam.c b/crypto/openssh/auth-pam.c
index 91f0030..0ea983f 100644
--- a/crypto/openssh/auth-pam.c
+++ b/crypto/openssh/auth-pam.c
@@ -29,9 +29,10 @@
  * SUCH DAMAGE.
  */
 
-/* Based on $FreeBSD$ */
+/* Based on $xFreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
 #include "includes.h"
-RCSID("$Id: auth-pam.c,v 1.100 2004/04/18 01:00:26 dtucker Exp $");
+RCSID("$Id: auth-pam.c,v 1.95 2004/02/17 12:20:08 dtucker Exp $");
+RCSID("$FreeBSD$");
 
 #ifdef USE_PAM
 #if defined(HAVE_SECURITY_PAM_APPL_H)
@@ -58,7 +59,6 @@ RCSID("$Id: auth-pam.c,v 1.100 2004/04/18 01:00:26 dtucker Exp $");
 extern ServerOptions options;
 extern Buffer loginmsg;
 extern int compat20;
-extern u_int utmp_len;
 
 #ifdef USE_POSIX_THREADS
 #include <pthread.h>
@@ -118,7 +118,6 @@ pthread_create(sp_pthread_t *thread, const void *attr __unused,
 {
 	pid_t pid;
 
-	sshpam_thread_status = -1;
 	switch ((pid = fork())) {
 	case -1:
 		error("fork(): %s", strerror(errno));
@@ -161,7 +160,7 @@ static int sshpam_session_open = 0;
 static int sshpam_cred_established = 0;
 static int sshpam_account_status = -1;
 static char **sshpam_env = NULL;
-static Authctxt *sshpam_authctxt = NULL;
+static int *force_pwchange;
 
 /* Some PAM implementations don't implement this */
 #ifndef HAVE_PAM_GETENVLIST
@@ -181,9 +180,7 @@ void
 pam_password_change_required(int reqd)
 {
 	debug3("%s %d", __func__, reqd);
-	if (sshpam_authctxt == NULL)
-		fatal("%s: PAM authctxt not initialized", __func__);
-	sshpam_authctxt->force_pwchange = reqd;
+	*force_pwchange = reqd;
 	if (reqd) {
 		no_port_forwarding_flag |= 2;
 		no_agent_forwarding_flag |= 2;
@@ -205,7 +202,6 @@ import_environments(Buffer *b)
 
 	debug3("PAM: %s entering", __func__);
 
-#ifndef USE_POSIX_THREADS
 	/* Import variables set by do_pam_account */
 	sshpam_account_status = buffer_get_int(b);
 	pam_password_change_required(buffer_get_int(b));
@@ -233,7 +229,6 @@ import_environments(Buffer *b)
 		}
 #endif
 	}
-#endif
 }
 
 /*
@@ -342,9 +337,6 @@ sshpam_thread(void *ctxtp)
 	sshpam_conv.conv = sshpam_thread_conv;
 	sshpam_conv.appdata_ptr = ctxt;
 
-	if (sshpam_authctxt == NULL)
-		fatal("%s: PAM authctxt not initialized", __func__);
-
 	buffer_init(&buffer);
 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
 	    (const void *)&sshpam_conv);
@@ -357,7 +349,7 @@ sshpam_thread(void *ctxtp)
 	if (compat20) {
 		if (!do_pam_account())
 			goto auth_fail;
-		if (sshpam_authctxt->force_pwchange) {
+		if (*force_pwchange) {
 			sshpam_err = pam_chauthtok(sshpam_handle,
 			    PAM_CHANGE_EXPIRED_AUTHTOK);
 			if (sshpam_err != PAM_SUCCESS)
@@ -371,7 +363,7 @@ sshpam_thread(void *ctxtp)
 #ifndef USE_POSIX_THREADS
 	/* Export variables set by do_pam_account */
 	buffer_put_int(&buffer, sshpam_account_status);
-	buffer_put_int(&buffer, sshpam_authctxt->force_pwchange);
+	buffer_put_int(&buffer, *force_pwchange);
 
 	/* Export any environment strings set in child */
 	for(i = 0; environ[i] != NULL; i++)
@@ -452,10 +444,11 @@ sshpam_cleanup(void)
 }
 
 static int
-sshpam_init(Authctxt *authctxt)
+sshpam_init(const char *user)
 {
+	extern u_int utmp_len;
 	extern char *__progname;
-	const char *pam_rhost, *pam_user, *user = authctxt->user;
+	const char *pam_rhost, *pam_user;
 
 	if (sshpam_handle != NULL) {
 		/* We already have a PAM context; check if the user matches */
@@ -469,8 +462,6 @@ sshpam_init(Authctxt *authctxt)
 	debug("PAM: initializing for \"%s\"", user);
 	sshpam_err =
 	    pam_start(SSHD_PAM_SERVICE, user, &null_conv, &sshpam_handle);
-	sshpam_authctxt = authctxt;
-
 	if (sshpam_err != PAM_SUCCESS) {
 		pam_end(sshpam_handle, sshpam_err);
 		sshpam_handle = NULL;
@@ -513,7 +504,7 @@ sshpam_init_ctx(Authctxt *authctxt)
 		return NULL;
 
 	/* Initialize PAM */
-	if (sshpam_init(authctxt) == -1) {
+	if (sshpam_init(authctxt->user) == -1) {
 		error("PAM: initialization failed");
 		return (NULL);
 	}
@@ -521,6 +512,8 @@ sshpam_init_ctx(Authctxt *authctxt)
 	ctxt = xmalloc(sizeof *ctxt);
 	memset(ctxt, 0, sizeof(*ctxt));
 
+	force_pwchange = &(authctxt->force_pwchange);
+
 	/* Start the authentication thread */
 	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
 		error("PAM: failed create sockets: %s", strerror(errno));
@@ -599,10 +592,7 @@ sshpam_query(void *ctx, char **name, char **info,
 				xfree(msg);
 				return (0);
 			}
-			error("PAM: %s for %s%.100s from %.100s", msg,
-			    sshpam_authctxt->valid ? "" : "illegal user ",
-			    sshpam_authctxt->user,
-			    get_remote_name_or_ip(utmp_len, options.use_dns));
+			error("PAM: %s", msg);
 			/* FALLTHROUGH */
 		default:
 			*num = 0;
@@ -682,12 +672,12 @@ KbdintDevice mm_sshpam_device = {
  * This replaces auth-pam.c
  */
 void
-start_pam(Authctxt *authctxt)
+start_pam(const char *user)
 {
 	if (!options.use_pam)
 		fatal("PAM: initialisation requested when UsePAM=no");
 
-	if (sshpam_init(authctxt) == -1)
+	if (sshpam_init(user) == -1)
 		fatal("PAM: initialisation failed");
 }
 
diff --git a/crypto/openssh/auth-pam.h b/crypto/openssh/auth-pam.h
index 1b3706e..cf74dd5 100644
--- a/crypto/openssh/auth-pam.h
+++ b/crypto/openssh/auth-pam.h
@@ -1,4 +1,5 @@
-/* $Id: auth-pam.h,v 1.25 2004/03/08 12:04:07 dtucker Exp $ */
+/* $Id: auth-pam.h,v 1.24 2004/02/10 02:23:29 dtucker Exp $ */
+/* $FreeBSD$ */
 
 /*
  * Copyright (c) 2000 Damien Miller.  All rights reserved.
@@ -31,7 +32,7 @@
 # define SSHD_PAM_SERVICE		__progname
 #endif
 
-void start_pam(Authctxt *);
+void start_pam(const char *);
 void finish_pam(void);
 u_int do_pam_account(void);
 void do_pam_session(void);
diff --git a/crypto/openssh/auth-passwd.c b/crypto/openssh/auth-passwd.c
index beaf0fa..70e1491 100644
--- a/crypto/openssh/auth-passwd.c
+++ b/crypto/openssh/auth-passwd.c
@@ -37,6 +37,7 @@
 
 #include "includes.h"
 RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $");
+RCSID("$FreeBSD$");
 
 #include "packet.h"
 #include "log.h"
@@ -73,6 +74,13 @@ auth_password(Authctxt *authctxt, const char *password)
 	if (*password == '\0' && options.permit_empty_passwd == 0)
 		return 0;
 
+#if defined(HAVE_OSF_SIA)
+	/*
+	 * XXX: any reason this is before krb?  could be moved to
+	 * sys_auth_passwd()?  -dt
+	 */
+	return auth_sia_password(authctxt, password) && ok;
+#endif
 #ifdef KRB5
 	if (options.kerberos_authentication == 1) {
 		int ret = auth_krb5_password(authctxt, password);
diff --git a/crypto/openssh/auth-skey.c b/crypto/openssh/auth-skey.c
index ac1af69..a534e35 100644
--- a/crypto/openssh/auth-skey.c
+++ b/crypto/openssh/auth-skey.c
@@ -23,10 +23,19 @@
  */
 #include "includes.h"
 RCSID("$OpenBSD: auth-skey.c,v 1.20 2002/06/30 21:59:45 deraadt Exp $");
+RCSID("$FreeBSD$");
 
 #ifdef SKEY
 
+#ifdef OPIE
+#include <opie.h>
+#define skey			opie
+#define skeychallenge(k, u, c)	opiechallenge((k), (u), (c))
+#define skey_haskey(u)		opie_haskey((u))
+#define skey_passcheck(u, r)	opie_passverify((u), (r))
+#else
 #include <skey.h>
+#endif
 
 #include "xmalloc.h"
 #include "auth.h"
@@ -47,8 +56,7 @@ skey_query(void *ctx, char **name, char **infotxt,
 	int len;
 	struct skey skey;
 
-	if (_compat_skeychallenge(&skey, authctxt->user, challenge, 
-	    sizeof(challenge)) == -1)
+	if (skeychallenge(&skey, authctxt->user, challenge) == -1)
 		return -1;
 
 	*name  = xstrdup("");
diff --git a/crypto/openssh/auth.c b/crypto/openssh/auth.c
index 6d99922..6bed01c 100644
--- a/crypto/openssh/auth.c
+++ b/crypto/openssh/auth.c
@@ -24,6 +24,7 @@
 
 #include "includes.h"
 RCSID("$OpenBSD: auth.c,v 1.51 2003/11/21 11:57:02 djm Exp $");
+RCSID("$FreeBSD$");
 
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@@ -494,7 +495,7 @@ getpwnamallow(const char *user)
 	if (!allowed_user(pw))
 		return (NULL);
 #ifdef HAVE_LOGIN_CAP
-	if ((lc = login_getclass(pw->pw_class)) == NULL) {
+	if ((lc = login_getpwclass(pw)) == NULL) {
 		debug("unable to get login class: %s", user);
 		return (NULL);
 	}
diff --git a/crypto/openssh/auth.h b/crypto/openssh/auth.h
index 3a7d222..2a5679b 100644
--- a/crypto/openssh/auth.h
+++ b/crypto/openssh/auth.h
@@ -1,4 +1,5 @@
 /*	$OpenBSD: auth.h,v 1.49 2004/01/30 09:48:57 markus Exp $	*/
+/*	$FreeBSD$	*/
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -66,7 +67,6 @@ struct Authctxt {
 	krb5_ccache	 krb5_fwd_ccache;
 	krb5_principal	 krb5_user;
 	char		*krb5_ticket_file;
-	char		*krb5_ccname;
 #endif
 	void		*methoddata;
 };
@@ -185,5 +185,12 @@ struct passwd *fakepw(void);
 #define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
 #define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
 
+#ifdef SKEY
+#ifdef OPIE
+#define SKEY_PROMPT "\nOPIE Password: "
+#else
 #define SKEY_PROMPT "\nS/Key Password: "
 #endif
+#endif
+
+#endif
diff --git a/crypto/openssh/auth1.c b/crypto/openssh/auth1.c
index f145cf0..64aa86e 100644
--- a/crypto/openssh/auth1.c
+++ b/crypto/openssh/auth1.c
@@ -11,6 +11,7 @@
 
 #include "includes.h"
 RCSID("$OpenBSD: auth1.c,v 1.55 2003/11/08 16:02:40 jakob Exp $");
+RCSID("$FreeBSD$");
 
 #include "xmalloc.h"
 #include "rsa.h"
@@ -307,7 +308,7 @@ do_authentication(Authctxt *authctxt)
 
 #ifdef USE_PAM
 	if (options.use_pam)
-		PRIVSEP(start_pam(authctxt));
+		PRIVSEP(start_pam(user));
 #endif
 
 	/*
diff --git a/crypto/openssh/auth2-chall.c b/crypto/openssh/auth2-chall.c
index aacbf0b..4e2a0f9 100644
--- a/crypto/openssh/auth2-chall.c
+++ b/crypto/openssh/auth2-chall.c
@@ -24,6 +24,7 @@
  */
 #include "includes.h"
 RCSID("$OpenBSD: auth2-chall.c,v 1.20 2002/06/30 21:59:45 deraadt Exp $");
+RCSID("$FreeBSD$");
 
 #include "ssh2.h"
 #include "auth.h"
diff --git a/crypto/openssh/auth2-kbdint.c b/crypto/openssh/auth2-kbdint.c
index 1696ef4..15c20b3 100644
--- a/crypto/openssh/auth2-kbdint.c
+++ b/crypto/openssh/auth2-kbdint.c
@@ -24,6 +24,7 @@
 
 #include "includes.h"
 RCSID("$OpenBSD: auth2-kbdint.c,v 1.2 2002/05/31 11:35:15 markus Exp $");
+RCSID("$FreeBSD$");
 
 #include "packet.h"
 #include "auth.h"
diff --git a/crypto/openssh/auth2-skey.c b/crypto/openssh/auth2-skey.c
deleted file mode 100644
index 9de08fc..0000000
--- a/crypto/openssh/auth2-skey.c
+++ /dev/null
@@ -1,104 +0,0 @@
-#include "includes.h"
-RCSID("$OpenBSD: auth2-skey.c,v 1.1 2000/10/11 20:14:38 markus Exp $");
-
-#include "ssh.h"
-#include "ssh2.h"
-#include "auth.h"
-#include "packet.h"
-#include "xmalloc.h"
-#include "dispatch.h"
-
-void	send_userauth_into_request(Authctxt *authctxt, int echo);
-void	input_userauth_info_response(int type, int plen, void *ctxt);
-
-/*
- * try skey authentication, always return -1 (= postponed) since we have to
- * wait for the s/key response.
- */
-int
-auth2_skey(Authctxt *authctxt)
-{
-	send_userauth_into_request(authctxt, 0);
-	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, &input_userauth_info_response);
-	return -1;
-}
-
-void
-send_userauth_into_request(Authctxt *authctxt, int echo)
-{
-	int retval = -1;
-	struct skey skey;
-	char challenge[SKEY_MAX_CHALLENGE];
-	char *fake;
-
-	if (authctxt->user == NULL)
-		fatal("send_userauth_into_request: internal error: no user");
-
-	/* get skey challenge */
-	if (authctxt->valid)
-		retval = skeychallenge(&skey, authctxt->user, challenge);
-
-	if (retval == -1) {
-		fake = skey_fake_keyinfo(authctxt->user);
-		strlcpy(challenge, fake, sizeof challenge);
-	}
-	/* send our info request */
-	packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
-	packet_put_cstring("S/Key Authentication");	/* Name */
-	packet_put_cstring(challenge);			/* Instruction */
-	packet_put_cstring("");				/* Language */
-	packet_put_int(1);			 	/* Number of prompts */
-	packet_put_cstring(echo ?
-		 "Response [Echo]: ": "Response: ");	/* Prompt */
-	packet_put_char(echo);				/* Echo */
-	packet_send();
-	packet_write_wait();
-	memset(challenge, 'c', sizeof challenge);
-}
-
-void
-input_userauth_info_response(int type, int plen, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	int authenticated = 0;
-	unsigned int nresp, rlen;
-	char *resp, *method;
-
-	if (authctxt == NULL)
-		fatal("input_userauth_info_response: no authentication context");
-
-	if (authctxt->attempt++ >= AUTH_FAIL_MAX)
-		packet_disconnect("too many failed userauth_requests");
-
-	nresp = packet_get_int();
-	if (nresp == 1) {
-		/* we only support s/key and assume s/key for nresp == 1 */
-		method = "s/key";
-		resp = packet_get_string(&rlen);
-		packet_done();
-		if (strlen(resp) == 0) {
-			/*
-			 * if we received a null response, resend prompt with
-			 * echo enabled
-			 */
-			authenticated = -1;
-			userauth_log(authctxt, authenticated, method);
-			send_userauth_into_request(authctxt, 1);
-		} else {
-			/* verify skey response */
-			if (authctxt->valid &&
-			    skey_haskey(authctxt->pw->pw_name) == 0 &&
-			    skey_passcheck(authctxt->pw->pw_name, resp) != -1) {
-				authenticated = 1;
-			} else {
-				authenticated = 0;
-			}
-			memset(resp, 'r', rlen);
-			/* unregister callback */
-			dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
-			userauth_log(authctxt, authenticated, method);
-			userauth_reply(authctxt, authenticated);
-		}
-		xfree(resp);
-	}
-}
diff --git a/crypto/openssh/auth2.c b/crypto/openssh/auth2.c
index 1177efa..a6b95dd 100644
--- a/crypto/openssh/auth2.c
+++ b/crypto/openssh/auth2.c
@@ -24,7 +24,9 @@
 
 #include "includes.h"
 RCSID("$OpenBSD: auth2.c,v 1.104 2003/11/04 08:54:09 djm Exp $");
+RCSID("$FreeBSD$");
 
+#include "canohost.h"
 #include "ssh2.h"
 #include "xmalloc.h"
 #include "packet.h"
@@ -134,6 +136,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 	Authmethod *m = NULL;
 	char *user, *service, *method, *style = NULL;
 	int authenticated = 0;
+#ifdef HAVE_LOGIN_CAP
+	login_cap_t *lc;
+	const char *from_host, *from_ip;
+
+        from_host = get_canonical_hostname(options.use_dns);
+        from_ip = get_remote_ipaddr();
+#endif
 
 	if (authctxt == NULL)
 		fatal("input_userauth_request: no authctxt");
@@ -150,24 +159,24 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 	if (authctxt->attempt++ == 0) {
 		/* setup auth context */
 		authctxt->pw = PRIVSEP(getpwnamallow(user));
-		authctxt->user = xstrdup(user);
 		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
 			authctxt->valid = 1;
 			debug2("input_userauth_request: setting up authctxt for %s", user);
 #ifdef USE_PAM
 			if (options.use_pam)
-				PRIVSEP(start_pam(authctxt));
+				PRIVSEP(start_pam(authctxt->pw->pw_name));
 #endif
 		} else {
 			logit("input_userauth_request: illegal user %s", user);
 			authctxt->pw = fakepw();
 #ifdef USE_PAM
 			if (options.use_pam)
-				PRIVSEP(start_pam(authctxt));
+				PRIVSEP(start_pam(user));
 #endif
 		}
 		setproctitle("%s%s", authctxt->pw ? user : "unknown",
 		    use_privsep ? " [net]" : "");
+		authctxt->user = xstrdup(user);
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
 		if (use_privsep)
@@ -178,6 +187,27 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 		    "(%s,%s) -> (%s,%s)",
 		    authctxt->user, authctxt->service, user, service);
 	}
+
+#ifdef HAVE_LOGIN_CAP
+        if (authctxt->pw != NULL) {
+                lc = login_getpwclass(authctxt->pw);
+                if (lc == NULL)
+                        lc = login_getclassbyname(NULL, authctxt->pw);
+                if (!auth_hostok(lc, from_host, from_ip)) {
+                        logit("Denied connection for %.200s from %.200s [%.200s].",
+                            authctxt->pw->pw_name, from_host, from_ip);
+                        packet_disconnect("Sorry, you are not allowed to connect.");
+                }
+                if (!auth_timeok(lc, time(NULL))) {
+                        logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
+                            authctxt->pw->pw_name, from_host);
+                        packet_disconnect("Logins not available right now.");
+                }
+                login_close(lc);
+                lc = NULL;
+        }
+#endif  /* HAVE_LOGIN_CAP */
+
 	/* reset state */
 	auth2_challenge_stop(authctxt);
 
diff --git a/crypto/openssh/aux.c b/crypto/openssh/aux.c
deleted file mode 100644
index 899142d..0000000
--- a/crypto/openssh/aux.c
+++ /dev/null
@@ -1,36 +0,0 @@
-#include "includes.h"
-RCSID("$OpenBSD: aux.c,v 1.2 2000/05/17 09:47:59 markus Exp $");
-
-#include "ssh.h"
-
-char *
-chop(char *s)
-{
-	char *t = s;
-	while (*t) {
-		if(*t == '\n' || *t == '\r') {
-			*t = '\0';
-			return s;
-		}
-		t++;
-	}
-	return s;
-
-}
-
-void
-set_nonblock(int fd)
-{
-	int val;
-	val = fcntl(fd, F_GETFL, 0);
-	if (val < 0) {
-		error("fcntl(%d, F_GETFL, 0): %s", fd, strerror(errno));
-		return;
-	}
-	if (val & O_NONBLOCK)
-		return;
-	debug("fd %d setting O_NONBLOCK", fd);
-	val |= O_NONBLOCK;
-	if (fcntl(fd, F_SETFL, val) == -1)
-		error("fcntl(%d, F_SETFL, O_NONBLOCK): %s", fd, strerror(errno));
-}
diff --git a/crypto/openssh/bufaux.c b/crypto/openssh/bufaux.c
index bf14831..adbb4bd 100644
--- a/crypto/openssh/bufaux.c
+++ b/crypto/openssh/bufaux.c
@@ -38,6 +38,7 @@
 
 #include "includes.h"
 RCSID("$OpenBSD: bufaux.c,v 1.32 2004/02/23 15:12:46 markus Exp $");
+RCSID("$FreeBSD$");
 
 #include <openssl/bn.h>
 #include "bufaux.h"
diff --git a/crypto/openssh/canohost.c b/crypto/openssh/canohost.c
index a0067af..f514592 100644
--- a/crypto/openssh/canohost.c
+++ b/crypto/openssh/canohost.c
@@ -44,9 +44,6 @@ get_remote_hostname(int socket, int use_dns)
 		cleanup_exit(255);
 	}
 
-	if (from.ss_family == AF_INET)
-		check_ip_options(socket, ntop);
-
 	ipv64_normalise_mapped(&from, &fromlen);
 
 	if (from.ss_family == AF_INET6)
@@ -59,6 +56,9 @@ get_remote_hostname(int socket, int use_dns)
 	if (!use_dns)
 		return xstrdup(ntop);
 
+	if (from.ss_family == AF_INET)
+		check_ip_options(socket, ntop);
+
 	debug3("Trying to reverse map address %.100s.", ntop);
 	/* Map the IP address to a host name. */
 	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
diff --git a/crypto/openssh/cli.c b/crypto/openssh/cli.c
deleted file mode 100644
index 8f0b2b8..0000000
--- a/crypto/openssh/cli.c
+++ /dev/null
@@ -1,231 +0,0 @@
-/*	$OpenBSD: cli.c,v 1.11 2001/03/06 00:33:04 deraadt Exp $	*/
-
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: cli.c,v 1.11 2001/03/06 00:33:04 deraadt Exp $");
-
-#include "xmalloc.h"
-#include "log.h"
-#include "cli.h"
-
-#include <vis.h>
-
-static int cli_input = -1;
-static int cli_output = -1;
-static int cli_from_stdin = 0;
-
-sigset_t oset;
-sigset_t nset;
-struct sigaction nsa;
-struct sigaction osa;
-struct termios ntio;
-struct termios otio;
-int echo_modified;
-
-volatile int intr;
-
-static int
-cli_open(int from_stdin)
-{
-	if (cli_input >= 0 && cli_output >= 0 && cli_from_stdin == from_stdin)
-		return 1;
-
-	if (from_stdin) {
-		if (!cli_from_stdin && cli_input >= 0) {
-			(void)close(cli_input);
-		}
-		cli_input = STDIN_FILENO;
-		cli_output = STDERR_FILENO;
-	} else {
-		cli_input = cli_output = open(_PATH_TTY, O_RDWR);
-		if (cli_input < 0)
-			fatal("You have no controlling tty.  Cannot read passphrase.");
-	}
-
-	cli_from_stdin = from_stdin;
-
-	return cli_input >= 0 && cli_output >= 0 && cli_from_stdin == from_stdin;
-}
-
-static void
-cli_close(void)
-{
-	if (!cli_from_stdin && cli_input >= 0)
-		close(cli_input);
-	cli_input = -1;
-	cli_output = -1;
-	cli_from_stdin = 0;
-	return;
-}
-
-void
-intrcatch(int sig)
-{
-	intr = 1;
-}
-
-static void
-cli_echo_disable(void)
-{
-	sigemptyset(&nset);
-	sigaddset(&nset, SIGTSTP);
-	(void) sigprocmask(SIG_BLOCK, &nset, &oset);
-
-	intr = 0;
-
-	memset(&nsa, 0, sizeof(nsa));
-	nsa.sa_handler = intrcatch;
-	(void) sigaction(SIGINT, &nsa, &osa);
-
-	echo_modified = 0;
-	if (tcgetattr(cli_input, &otio) == 0 && (otio.c_lflag & ECHO)) {
-		echo_modified = 1;
-		ntio = otio;
-		ntio.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL);
-		(void) tcsetattr(cli_input, TCSANOW, &ntio);
-	}
-	return;
-}
-
-static void
-cli_echo_restore(void)
-{
-	if (echo_modified != 0) {
-		tcsetattr(cli_input, TCSANOW, &otio);
-		echo_modified = 0;
-	}
-
-	(void) sigprocmask(SIG_SETMASK, &oset, NULL);
-	(void) sigaction(SIGINT, &osa, NULL);
-
-	if (intr != 0) {
-		kill(getpid(), SIGINT);
-		sigemptyset(&nset);
-		/* XXX tty has not neccessarily drained by now? */
-		sigsuspend(&nset);
-		intr = 0;
-	}
-	return;
-}
-
-static int
-cli_read(char* buf, int size, int echo)
-{
-	char ch = 0;
-	int i = 0;
-	int n;
-
-	if (!echo)
-		cli_echo_disable();
-
-	while (ch != '\n') {
-		n = read(cli_input, &ch, 1);
-		if (n == -1 && (errno == EAGAIN || errno == EINTR))
-			continue;
-		if (n != 1)
-			break;
-		if (ch == '\n' || intr != 0)
-			break;
-		if (i < size)
-			buf[i++] = ch;
-	}
-	buf[i] = '\0';
-
-	if (!echo)
-		cli_echo_restore();
-	if (!intr && !echo)
-		(void) write(cli_output, "\n", 1);
-	return i;
-}
-
-static int
-cli_write(char* buf, int size)
-{
-	int i, len, pos, ret = 0;
-	char *output, *p;
-
-	output = xmalloc(4*size);
-	for (p = output, i = 0; i < size; i++) {
-		if (buf[i] == '\n' || buf[i] == '\r')
-			*p++ = buf[i];
-		else
-			p = vis(p, buf[i], 0, 0);
-	}
-	len = p - output;
-
-	for (pos = 0; pos < len; pos += ret) {
-		ret = write(cli_output, output + pos, len - pos);
-		if (ret == -1) {
-			xfree(output);
-			return -1;
-		}
-	}
-	xfree(output);
-	return 0;
-}
-
-/*
- * Presents a prompt and returns the response allocated with xmalloc().
- * Uses /dev/tty or stdin/out depending on arg.  Optionally disables echo
- * of response depending on arg.  Tries to ensure that no other userland
- * buffer is storing the response.
- */
-char*
-cli_read_passphrase(char* prompt, int from_stdin, int echo_enable)
-{
-	char	buf[BUFSIZ];
-	char*	p;
-
-	if (!cli_open(from_stdin))
-		fatal("Cannot read passphrase.");
-
-	fflush(stdout);
-
-	cli_write(prompt, strlen(prompt));
-	cli_read(buf, sizeof buf, echo_enable);
-
-	cli_close();
-
-	p = xstrdup(buf);
-	memset(buf, 0, sizeof(buf));
-	return (p);
-}
-
-char*
-cli_prompt(char* prompt, int echo_enable)
-{
-	return cli_read_passphrase(prompt, 0, echo_enable);
-}
-
-void
-cli_mesg(char* mesg)
-{
-	cli_open(0);
-	cli_write(mesg, strlen(mesg));
-	cli_write("\n", strlen("\n"));
-	cli_close();
-	return;
-}
diff --git a/crypto/openssh/cli.h b/crypto/openssh/cli.h
deleted file mode 100644
index 6f57c9b..0000000
--- a/crypto/openssh/cli.h
+++ /dev/null
@@ -1,42 +0,0 @@
-/*	$OpenBSD: cli.h,v 1.4 2001/03/01 03:38:33 deraadt Exp $	*/
-
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* $OpenBSD: cli.h,v 1.4 2001/03/01 03:38:33 deraadt Exp $ */
-
-#ifndef CLI_H
-#define CLI_H
-
-/*
- * Presents a prompt and returns the response allocated with xmalloc().
- * Uses /dev/tty or stdin/out depending on arg.  Optionally disables echo
- * of response depending on arg.  Tries to ensure that no other userland
- * buffer is storing the response.
- */
-char *	cli_read_passphrase(char * prompt, int from_stdin, int echo_enable);
-char *	cli_prompt(char * prompt, int echo_enable);
-void	cli_mesg(char * mesg);
-
-#endif /* CLI_H */
diff --git a/crypto/openssh/compat.c b/crypto/openssh/compat.c
index 2fdebe7..482caba 100644
--- a/crypto/openssh/compat.c
+++ b/crypto/openssh/compat.c
@@ -24,6 +24,7 @@
 
 #include "includes.h"
 RCSID("$OpenBSD: compat.c,v 1.70 2003/11/02 11:01:03 markus Exp $");
+RCSID("$FreeBSD$");
 
 #include "buffer.h"
 #include "packet.h"
diff --git a/crypto/openssh/config.h b/crypto/openssh/config.h
new file mode 100644
index 0000000..cf31a0d
--- /dev/null
+++ b/crypto/openssh/config.h
@@ -0,0 +1,1061 @@
+/* config.h.  Generated by configure.  */
+/* config.h.in.  Generated from configure.ac by autoheader.  */
+/* $Id: acconfig.h,v 1.173 2004/02/06 05:24:31 dtucker Exp $ */
+/* $FreeBSD$ */
+
+/*
+ * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _CONFIG_H
+#define _CONFIG_H
+
+/* Generated automatically from acconfig.h by autoheader. */
+/* Please make your changes there */
+
+
+/* Define if your platform breaks doing a seteuid before a setuid */
+/* #undef SETEUID_BREAKS_SETUID */
+
+/* Define if your setreuid() is broken */
+/* #undef BROKEN_SETREUID */
+
+/* Define if your setregid() is broken */
+/* #undef BROKEN_SETREGID */
+
+/* Define if your setresuid() is broken */
+/* #undef BROKEN_SETRESUID */
+
+/* Define if your setresgid() is broken */
+/* #undef BROKEN_SETRESGID */
+
+/* Define to a Set Process Title type if your system is */
+/* supported by bsd-setproctitle.c */
+/* #undef SPT_TYPE */
+/* #undef SPT_PADCHAR */
+
+/* setgroups() NOOP allowed */
+/* #undef SETGROUPS_NOOP */
+
+/* SCO workaround */
+/* #undef BROKEN_SYS_TERMIO_H */
+
+/* Define if you have SecureWare-based protected password database */
+/* #undef HAVE_SECUREWARE */
+
+/* If your header files don't define LOGIN_PROGRAM, then use this (detected) */
+/* from environment and PATH */
+#define LOGIN_PROGRAM_FALLBACK "/usr/bin/login"
+
+/* Full path of your "passwd" program */
+#define _PATH_PASSWD_PROG "/usr/bin/passwd"
+
+/* Define if your password has a pw_class field */
+#define HAVE_PW_CLASS_IN_PASSWD 1
+
+/* Define if your password has a pw_expire field */
+#define HAVE_PW_EXPIRE_IN_PASSWD 1
+
+/* Define if your password has a pw_change field */
+#define HAVE_PW_CHANGE_IN_PASSWD 1
+
+/* Define if your system uses access rights style file descriptor passing */
+/* #undef HAVE_ACCRIGHTS_IN_MSGHDR */
+
+/* Define if your system uses ancillary data style file descriptor passing */
+#define HAVE_CONTROL_IN_MSGHDR 1
+
+/* Define if you system's inet_ntoa is busted (e.g. Irix gcc issue) */
+/* #undef BROKEN_INET_NTOA */
+
+/* Define if your system defines sys_errlist[] */
+#define HAVE_SYS_ERRLIST 1
+
+/* Define if your system defines sys_nerr */
+#define HAVE_SYS_NERR 1
+
+/* Define if your system choked on IP TOS setting */
+/* #undef IP_TOS_IS_BROKEN */
+
+/* Define if you have the getuserattr function.  */
+/* #undef HAVE_GETUSERATTR */
+
+/* Define if you have the basename function. */
+#define HAVE_BASENAME 1
+
+/* Work around problematic Linux PAM modules handling of PAM_TTY */
+/* #undef PAM_TTY_KLUDGE */
+
+/* Use PIPES instead of a socketpair() */
+/* #undef USE_PIPES */
+
+/* Define if your snprintf is busted */
+/* #undef BROKEN_SNPRINTF */
+
+/* Define if you are on Cygwin */
+/* #undef HAVE_CYGWIN */
+
+/* Define if you have a broken realpath. */
+/* #undef BROKEN_REALPATH */
+
+/* Define if you are on NeXT */
+/* #undef HAVE_NEXT */
+
+/* Define if you are on NEWS-OS */
+/* #undef HAVE_NEWS4 */
+
+/* Define if you want to enable PAM support */
+#define USE_PAM 1
+
+/* Define if you want to enable AIX4's authenticate function */
+/* #undef WITH_AIXAUTHENTICATE */
+
+/* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */
+/* #undef AIX_LOGINFAILED_4ARG */
+
+/* Define if you have/want arrays (cluster-wide session managment, not C arrays) */
+/* #undef WITH_IRIX_ARRAY */
+
+/* Define if you want IRIX project management */
+/* #undef WITH_IRIX_PROJECT */
+
+/* Define if you want IRIX audit trails */
+/* #undef WITH_IRIX_AUDIT */
+
+/* Define if you want IRIX kernel jobs */
+/* #undef WITH_IRIX_JOBS */
+
+/* Location of PRNGD/EGD random number socket */
+/* #undef PRNGD_SOCKET */
+
+/* Port number of PRNGD/EGD random number socket */
+/* #undef PRNGD_PORT */
+
+/* Builtin PRNG command timeout */
+#define ENTROPY_TIMEOUT_MSEC 200
+
+/* non-privileged user for privilege separation */
+#define SSH_PRIVSEP_USER "sshd"
+
+/* Define if you want to install preformatted manpages.*/
+/* #undef MANTYPE */
+
+/* Define if your ssl headers are included with #include <openssl/header.h>  */
+#define HAVE_OPENSSL 1
+
+/* Define if you are linking against RSAref.  Used only to print the right
+ * message at run-time. */
+/* #undef RSAREF */
+
+/* struct timeval */
+#define HAVE_STRUCT_TIMEVAL 1
+
+/* struct utmp and struct utmpx fields */
+#define HAVE_HOST_IN_UTMP 1
+/* #undef HAVE_HOST_IN_UTMPX */
+/* #undef HAVE_ADDR_IN_UTMP */
+/* #undef HAVE_ADDR_IN_UTMPX */
+/* #undef HAVE_ADDR_V6_IN_UTMP */
+/* #undef HAVE_ADDR_V6_IN_UTMPX */
+/* #undef HAVE_SYSLEN_IN_UTMPX */
+/* #undef HAVE_PID_IN_UTMP */
+/* #undef HAVE_TYPE_IN_UTMP */
+/* #undef HAVE_TYPE_IN_UTMPX */
+/* #undef HAVE_TV_IN_UTMP */
+/* #undef HAVE_TV_IN_UTMPX */
+/* #undef HAVE_ID_IN_UTMP */
+/* #undef HAVE_ID_IN_UTMPX */
+/* #undef HAVE_EXIT_IN_UTMP */
+#define HAVE_TIME_IN_UTMP 1
+/* #undef HAVE_TIME_IN_UTMPX */
+
+/* Define if you don't want to use your system's login() call */
+/* #undef DISABLE_LOGIN */
+
+/* Define if you don't want to use pututline() etc. to write [uw]tmp */
+/* #undef DISABLE_PUTUTLINE */
+
+/* Define if you don't want to use pututxline() etc. to write [uw]tmpx */
+/* #undef DISABLE_PUTUTXLINE */
+
+/* Define if you don't want to use lastlog */
+/* #undef DISABLE_LASTLOG */
+
+/* Define if you don't want to use lastlog in session.c */
+/* #undef NO_SSH_LASTLOG */
+
+/* Define if you don't want to use utmp */
+/* #undef DISABLE_UTMP */
+
+/* Define if you don't want to use utmpx */
+#define DISABLE_UTMPX 1
+
+/* Define if you don't want to use wtmp */
+/* #undef DISABLE_WTMP */
+
+/* Define if you don't want to use wtmpx */
+#define DISABLE_WTMPX 1
+
+/* Some systems need a utmpx entry for /bin/login to work */
+/* #undef LOGIN_NEEDS_UTMPX */
+
+/* Some versions of /bin/login need the TERM supplied on the commandline */
+/* #undef LOGIN_NEEDS_TERM */
+
+/* Define if your login program cannot handle end of options ("--") */
+/* #undef LOGIN_NO_ENDOPT */
+
+/* Define if you want to specify the path to your lastlog file */
+/* #undef CONF_LASTLOG_FILE */
+
+/* Define if you want to specify the path to your utmp file */
+#define CONF_UTMP_FILE "/var/run/utmp"
+
+/* Define if you want to specify the path to your wtmp file */
+#define CONF_WTMP_FILE "/var/log/wtmp"
+
+/* Define if you want to specify the path to your utmpx file */
+/* #undef CONF_UTMPX_FILE */
+
+/* Define if you want to specify the path to your wtmpx file */
+/* #undef CONF_WTMPX_FILE */
+
+/* Define if you want external askpass support */
+/* #undef USE_EXTERNAL_ASKPASS */
+
+/* Define if libc defines __progname */
+#define HAVE___PROGNAME 1
+
+/* Define if compiler implements __FUNCTION__ */
+#define HAVE___FUNCTION__ 1
+
+/* Define if compiler implements __func__ */
+#define HAVE___func__ 1
+
+/* Define this is you want GSSAPI support in the version 2 protocol */
+/* #undef GSSAPI */
+
+/* Define if you want Kerberos 5 support */
+/* #undef KRB5 */
+
+/* Define this if you are using the Heimdal version of Kerberos V5 */
+/* #undef HEIMDAL */
+
+/* Define this if you want to use libkafs' AFS support */
+/* #undef USE_AFS */
+
+/* Define if you want S/Key support */
+/* #undef SKEY */
+
+/* Define if you want OPIE support */
+/* #undef OPIE */
+
+/* Define if you want TCP Wrappers support */
+#define LIBWRAP 1
+
+/* Define if your libraries define login() */
+#define HAVE_LOGIN 1
+
+/* Define if your libraries define daemon() */
+#define HAVE_DAEMON 1
+
+/* Define if your libraries define getpagesize() */
+#define HAVE_GETPAGESIZE 1
+
+/* Define if xauth is found in your path */
+#define XAUTH_PATH "/usr/X11R6/bin/xauth"
+
+/* Define if you want to allow MD5 passwords */
+/* #undef HAVE_MD5_PASSWORDS */
+
+/* Define if you want to disable shadow passwords */
+/* #undef DISABLE_SHADOW */
+
+/* Define if you want to use shadow password expire field */
+/* #undef HAS_SHADOW_EXPIRE */
+
+/* Define if you have Digital Unix Security Integration Architecture */
+/* #undef HAVE_OSF_SIA */
+
+/* Define if you have getpwanam(3) [SunOS 4.x] */
+/* #undef HAVE_GETPWANAM */
+
+/* Define if you have an old version of PAM which takes only one argument */
+/* to pam_strerror */
+/* #undef HAVE_OLD_PAM */
+
+/* Define if you are using Solaris-derived PAM which passes pam_messages  */
+/* to the conversation function with an extra level of indirection */
+/* #undef PAM_SUN_CODEBASE */
+
+/* Set this to your mail directory if you don't have maillock.h */
+#define MAIL_DIRECTORY "/var/mail"
+
+/* Data types */
+#define HAVE_U_INT 1
+#define HAVE_INTXX_T 1
+#define HAVE_U_INTXX_T 1
+#define HAVE_UINTXX_T 1
+#define HAVE_INT64_T 1
+#define HAVE_U_INT64_T 1
+#define HAVE_U_CHAR 1
+#define HAVE_SIZE_T 1
+#define HAVE_SSIZE_T 1
+#define HAVE_CLOCK_T 1
+#define HAVE_MODE_T 1
+#define HAVE_PID_T 1
+#define HAVE_SA_FAMILY_T 1
+#define HAVE_STRUCT_SOCKADDR_STORAGE 1
+#define HAVE_STRUCT_ADDRINFO 1
+#define HAVE_STRUCT_IN6_ADDR 1
+#define HAVE_STRUCT_SOCKADDR_IN6 1
+
+/* Fields in struct sockaddr_storage */
+#define HAVE_SS_FAMILY_IN_SS 1
+/* #undef HAVE___SS_FAMILY_IN_SS */
+
+/* Define if you have /dev/ptmx */
+/* #undef HAVE_DEV_PTMX */
+
+/* Define if you have /dev/ptc */
+/* #undef HAVE_DEV_PTS_AND_PTC */
+
+/* Define if you need to use IP address instead of hostname in $DISPLAY */
+/* #undef IPADDR_IN_DISPLAY */
+
+/* Specify default $PATH */
+/* #undef USER_PATH */
+
+/* Specify location of ssh.pid */
+#define _PATH_SSH_PIDDIR "/var/run"
+
+/* getaddrinfo is broken (if present) */
+/* #undef BROKEN_GETADDRINFO */
+
+/* Workaround more Linux IPv6 quirks */
+/* #undef DONT_TRY_OTHER_AF */
+
+/* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */
+/* #undef IPV4_IN_IPV6 */
+
+/* Define if you have BSD auth support */
+/* #undef BSD_AUTH */
+
+/* Define if X11 doesn't support AF_UNIX sockets on that system */
+/* #undef NO_X11_UNIX_SOCKETS */
+
+/* Define if the concept of ports only accessible to superusers isn't known */
+/* #undef NO_IPPORT_RESERVED_CONCEPT */
+
+/* Needed for SCO and NeXT */
+/* #undef BROKEN_SAVED_UIDS */
+
+/* Define if your system glob() function has the GLOB_ALTDIRFUNC extension */
+#define GLOB_HAS_ALTDIRFUNC 1
+
+/* Define if your system glob() function has gl_matchc options in glob_t */
+/* #undef GLOB_HAS_GL_MATCHC */
+
+/* Define in your struct dirent expects you to allocate extra space for d_name */
+/* #undef BROKEN_ONE_BYTE_DIRENT_D_NAME */
+
+/* Define if your system has /etc/default/login */
+/* #undef HAVE_ETC_DEFAULT_LOGIN */
+
+/* Define if your getopt(3) defines and uses optreset */
+#define HAVE_GETOPT_OPTRESET 1
+
+/* Define on *nto-qnx systems */
+/* #undef MISSING_NFDBITS */
+
+/* Define on *nto-qnx systems */
+/* #undef MISSING_HOWMANY */
+
+/* Define on *nto-qnx systems */
+/* #undef MISSING_FD_MASK */
+
+/* Define if you want smartcard support */
+/* #undef SMARTCARD */
+
+/* Define if you want smartcard support using sectok */
+/* #undef USE_SECTOK */
+
+/* Define if you want smartcard support using OpenSC */
+/* #undef USE_OPENSC */
+
+/* Define if you want to use OpenSSL's internally seeded PRNG only */
+#define OPENSSL_PRNG_ONLY 1
+
+/* Define if you shouldn't strip 'tty' from your ttyname in [uw]tmp */
+/* #undef WITH_ABBREV_NO_TTY */
+
+/* Define if you want a different $PATH for the superuser */
+/* #undef SUPERUSER_PATH */
+
+/* Path that unprivileged child will chroot() to in privep mode */
+/* #undef PRIVSEP_PATH */
+
+/* Define if your platform needs to skip post auth file descriptor passing */
+/* #undef DISABLE_FD_PASSING */
+
+/* Silly mkstemp() */
+/* #undef HAVE_STRICT_MKSTEMP */
+
+/* Some systems put this outside of libc */
+#define HAVE_NANOSLEEP 1
+
+/* Define if sshd somehow reacquires a controlling TTY after setsid() */
+/* #undef SSHD_ACQUIRES_CTTY */
+
+/* Define if cmsg_type is not passed correctly */
+/* #undef BROKEN_CMSG_TYPE */
+
+/* Strings used in /etc/passwd to denote locked account */
+/* #undef LOCKED_PASSWD_STRING */
+/* #undef LOCKED_PASSWD_PREFIX */
+/* #undef LOCKED_PASSWD_SUBSTR */
+
+/* Define if getrrsetbyname() exists */
+/* #undef HAVE_GETRRSETBYNAME */
+
+/* Define if HEADER.ad exists in arpa/nameser.h */
+#define HAVE_HEADER_AD 1
+
+/* Define if your resolver libs need this for getrrsetbyname */
+/* #undef BIND_8_COMPAT */
+
+
+/* Define to 1 if the `getpgrp' function requires zero arguments. */
+#define GETPGRP_VOID 1
+
+/* Define to 1 if you have the `arc4random' function. */
+#define HAVE_ARC4RANDOM 1
+
+/* Define to 1 if you have the `b64_ntop' function. */
+/* #undef HAVE_B64_NTOP */
+
+/* Define to 1 if you have the `b64_pton' function. */
+/* #undef HAVE_B64_PTON */
+
+/* Define to 1 if you have the `bcopy' function. */
+#define HAVE_BCOPY 1
+
+/* Define to 1 if you have the `bindresvport_sa' function. */
+#define HAVE_BINDRESVPORT_SA 1
+
+/* Define to 1 if you have the <bstring.h> header file. */
+/* #undef HAVE_BSTRING_H */
+
+/* Define to 1 if you have the `clock' function. */
+#define HAVE_CLOCK 1
+
+/* Define if gai_strerror() returns const char * */
+/* #undef HAVE_CONST_GAI_STRERROR_PROTO */
+
+/* Define to 1 if you have the <crypt.h> header file. */
+/* #undef HAVE_CRYPT_H */
+
+/* Define to 1 if you have the `dirname' function. */
+#define HAVE_DIRNAME 1
+
+/* Define to 1 if you have the <endian.h> header file. */
+/* #undef HAVE_ENDIAN_H */
+
+/* Define to 1 if you have the `endutent' function. */
+/* #undef HAVE_ENDUTENT */
+
+/* Define to 1 if you have the `endutxent' function. */
+/* #undef HAVE_ENDUTXENT */
+
+/* Define to 1 if you have the `fchmod' function. */
+#define HAVE_FCHMOD 1
+
+/* Define to 1 if you have the `fchown' function. */
+#define HAVE_FCHOWN 1
+
+/* Define to 1 if you have the <features.h> header file. */
+/* #undef HAVE_FEATURES_H */
+
+/* Define to 1 if you have the <floatingpoint.h> header file. */
+#define HAVE_FLOATINGPOINT_H 1
+
+/* Define to 1 if you have the `freeaddrinfo' function. */
+#define HAVE_FREEADDRINFO 1
+
+/* Define to 1 if you have the `futimes' function. */
+#define HAVE_FUTIMES 1
+
+/* Define to 1 if you have the `gai_strerror' function. */
+#define HAVE_GAI_STRERROR 1
+
+/* Define to 1 if you have the `getaddrinfo' function. */
+#define HAVE_GETADDRINFO 1
+
+/* Define to 1 if you have the `getcwd' function. */
+#define HAVE_GETCWD 1
+
+/* Define to 1 if you have the `getgrouplist' function. */
+#define HAVE_GETGROUPLIST 1
+
+/* Define to 1 if you have the `getluid' function. */
+/* #undef HAVE_GETLUID */
+
+/* Define to 1 if you have the `getnameinfo' function. */
+#define HAVE_GETNAMEINFO 1
+
+/* Define to 1 if you have the `getopt' function. */
+#define HAVE_GETOPT 1
+
+/* Define to 1 if you have the <getopt.h> header file. */
+#define HAVE_GETOPT_H 1
+
+/* Define to 1 if you have the `getpeereid' function. */
+#define HAVE_GETPEEREID 1
+
+/* Define to 1 if you have the `getpwanam' function. */
+/* #undef HAVE_GETPWANAM */
+
+/* Define to 1 if you have the `getrlimit' function. */
+#define HAVE_GETRLIMIT 1
+
+/* Define to 1 if you have the `getrusage' function. */
+/* #undef HAVE_GETRUSAGE */
+
+/* Define to 1 if you have the `gettimeofday' function. */
+#define HAVE_GETTIMEOFDAY 1
+
+/* Define to 1 if you have the `getttyent' function. */
+#define HAVE_GETTTYENT 1
+
+/* Define to 1 if you have the `getutent' function. */
+/* #undef HAVE_GETUTENT */
+
+/* Define to 1 if you have the `getutid' function. */
+/* #undef HAVE_GETUTID */
+
+/* Define to 1 if you have the `getutline' function. */
+/* #undef HAVE_GETUTLINE */
+
+/* Define to 1 if you have the `getutxent' function. */
+/* #undef HAVE_GETUTXENT */
+
+/* Define to 1 if you have the `getutxid' function. */
+/* #undef HAVE_GETUTXID */
+
+/* Define to 1 if you have the `getutxline' function. */
+/* #undef HAVE_GETUTXLINE */
+
+/* Define to 1 if you have the `glob' function. */
+#define HAVE_GLOB 1
+
+/* Define to 1 if you have the <glob.h> header file. */
+#define HAVE_GLOB_H 1
+
+/* Define to 1 if you have the <gssapi_generic.h> header file. */
+/* #undef HAVE_GSSAPI_GENERIC_H */
+
+/* Define to 1 if you have the <gssapi/gssapi_generic.h> header file. */
+/* #undef HAVE_GSSAPI_GSSAPI_GENERIC_H */
+
+/* Define to 1 if you have the <gssapi/gssapi.h> header file. */
+/* #undef HAVE_GSSAPI_GSSAPI_H */
+
+/* Define to 1 if you have the <gssapi/gssapi_krb5.h> header file. */
+/* #undef HAVE_GSSAPI_GSSAPI_KRB5_H */
+
+/* Define to 1 if you have the <gssapi.h> header file. */
+#define HAVE_GSSAPI_H 1
+
+/* Define to 1 if you have the <gssapi_krb5.h> header file. */
+/* #undef HAVE_GSSAPI_KRB5_H */
+
+/* Define to 1 if you have the <ia.h> header file. */
+/* #undef HAVE_IA_H */
+
+/* Define to 1 if you have the `inet_aton' function. */
+#define HAVE_INET_ATON 1
+
+/* Define to 1 if you have the `inet_ntoa' function. */
+#define HAVE_INET_NTOA 1
+
+/* Define to 1 if you have the `inet_ntop' function. */
+#define HAVE_INET_NTOP 1
+
+/* Define to 1 if you have the `innetgr' function. */
+#define HAVE_INNETGR 1
+
+/* Define to 1 if you have the <inttypes.h> header file. */
+#define HAVE_INTTYPES_H 1
+
+/* Define to 1 if you have the <lastlog.h> header file. */
+/* #undef HAVE_LASTLOG_H */
+
+/* Define to 1 if you have the `crypt' library (-lcrypt). */
+/* #undef HAVE_LIBCRYPT */
+
+/* Define to 1 if you have the `dl' library (-ldl). */
+/* #undef HAVE_LIBDL */
+
+/* Define to 1 if you have the <libgen.h> header file. */
+#define HAVE_LIBGEN_H 1
+
+/* Define to 1 if you have the `nsl' library (-lnsl). */
+/* #undef HAVE_LIBNSL */
+
+/* Define to 1 if you have the `pam' library (-lpam). */
+#define HAVE_LIBPAM 1
+
+/* Define to 1 if you have the `sectok' library (-lsectok). */
+/* #undef HAVE_LIBSECTOK */
+
+/* Define to 1 if you have the `socket' library (-lsocket). */
+/* #undef HAVE_LIBSOCKET */
+
+/* Define to 1 if you have the <libutil.h> header file. */
+#define HAVE_LIBUTIL_H 1
+
+/* Define to 1 if you have the `xnet' library (-lxnet). */
+/* #undef HAVE_LIBXNET */
+
+/* Define to 1 if you have the `z' library (-lz). */
+#define HAVE_LIBZ 1
+
+/* Define to 1 if you have the <limits.h> header file. */
+#define HAVE_LIMITS_H 1
+
+/* Define to 1 if you have the <login_cap.h> header file. */
+#define HAVE_LOGIN_CAP_H 1
+
+/* Define to 1 if you have the `login_getcapbool' function. */
+#define HAVE_LOGIN_GETCAPBOOL 1
+
+/* Define to 1 if you have the <login.h> header file. */
+/* #undef HAVE_LOGIN_H */
+
+/* Define to 1 if you have the `logout' function. */
+#define HAVE_LOGOUT 1
+
+/* Define to 1 if you have the `logwtmp' function. */
+#define HAVE_LOGWTMP 1
+
+/* Define to 1 if you have the <maillock.h> header file. */
+/* #undef HAVE_MAILLOCK_H */
+
+/* Define to 1 if you have the `md5_crypt' function. */
+/* #undef HAVE_MD5_CRYPT */
+
+/* Define to 1 if you have the `memmove' function. */
+#define HAVE_MEMMOVE 1
+
+/* Define to 1 if you have the <memory.h> header file. */
+#define HAVE_MEMORY_H 1
+
+/* Define to 1 if you have the `mkdtemp' function. */
+#define HAVE_MKDTEMP 1
+
+/* Define to 1 if you have the `mmap' function. */
+#define HAVE_MMAP 1
+
+/* Define to 1 if you have the <netdb.h> header file. */
+#define HAVE_NETDB_H 1
+
+/* Define to 1 if you have the <netgroup.h> header file. */
+/* #undef HAVE_NETGROUP_H */
+
+/* Define to 1 if you have the <netinet/in_systm.h> header file. */
+#define HAVE_NETINET_IN_SYSTM_H 1
+
+/* Define to 1 if you have the `ngetaddrinfo' function. */
+/* #undef HAVE_NGETADDRINFO */
+
+/* Define to 1 if you have the `nsleep' function. */
+/* #undef HAVE_NSLEEP */
+
+/* Define to 1 if you have the `ogetaddrinfo' function. */
+/* #undef HAVE_OGETADDRINFO */
+
+/* Define to 1 if you have the `openlog_r' function. */
+/* #undef HAVE_OPENLOG_R */
+
+/* Define to 1 if you have the `openpty' function. */
+#define HAVE_OPENPTY 1
+
+/* Define to 1 if you have the `pam_getenvlist' function. */
+#define HAVE_PAM_GETENVLIST 1
+
+/* Define to 1 if you have the <pam/pam_appl.h> header file. */
+/* #undef HAVE_PAM_PAM_APPL_H */
+
+/* Define to 1 if you have the `pam_putenv' function. */
+#define HAVE_PAM_PUTENV 1
+
+/* Define to 1 if you have the <paths.h> header file. */
+#define HAVE_PATHS_H 1
+
+/* Define to 1 if you have the `pstat' function. */
+/* #undef HAVE_PSTAT */
+
+/* Define to 1 if you have the <pty.h> header file. */
+/* #undef HAVE_PTY_H */
+
+/* Define to 1 if you have the `pututline' function. */
+/* #undef HAVE_PUTUTLINE */
+
+/* Define to 1 if you have the `pututxline' function. */
+/* #undef HAVE_PUTUTXLINE */
+
+/* Define to 1 if you have the `readpassphrase' function. */
+#define HAVE_READPASSPHRASE 1
+
+/* Define to 1 if you have the <readpassphrase.h> header file. */
+#define HAVE_READPASSPHRASE_H 1
+
+/* Define to 1 if you have the `realpath' function. */
+#define HAVE_REALPATH 1
+
+/* Define to 1 if you have the `recvmsg' function. */
+#define HAVE_RECVMSG 1
+
+/* Define to 1 if you have the <rpc/types.h> header file. */
+#define HAVE_RPC_TYPES_H 1
+
+/* Define to 1 if you have the `rresvport_af' function. */
+#define HAVE_RRESVPORT_AF 1
+
+/* Define to 1 if you have the <sectok.h> header file. */
+/* #undef HAVE_SECTOK_H */
+
+/* Define to 1 if you have the <security/pam_appl.h> header file. */
+#define HAVE_SECURITY_PAM_APPL_H 1
+
+/* Define to 1 if you have the `sendmsg' function. */
+#define HAVE_SENDMSG 1
+
+/* Define to 1 if you have the `setauthdb' function. */
+/* #undef HAVE_SETAUTHDB */
+
+/* Define to 1 if you have the `setdtablesize' function. */
+/* #undef HAVE_SETDTABLESIZE */
+
+/* Define to 1 if you have the `setegid' function. */
+#define HAVE_SETEGID 1
+
+/* Define to 1 if you have the `setenv' function. */
+#define HAVE_SETENV 1
+
+/* Define to 1 if you have the `seteuid' function. */
+#define HAVE_SETEUID 1
+
+/* Define to 1 if you have the `setgroups' function. */
+#define HAVE_SETGROUPS 1
+
+/* Define to 1 if you have the `setlogin' function. */
+#define HAVE_SETLOGIN 1
+
+/* Define to 1 if you have the `setluid' function. */
+/* #undef HAVE_SETLUID */
+
+/* Define to 1 if you have the `setpcred' function. */
+/* #undef HAVE_SETPCRED */
+
+/* Define to 1 if you have the `setproctitle' function. */
+#define HAVE_SETPROCTITLE 1
+
+/* Define to 1 if you have the `setregid' function. */
+#define HAVE_SETREGID 1
+
+/* Define to 1 if you have the `setresgid' function. */
+#define HAVE_SETRESGID 1
+
+/* Define to 1 if you have the `setresuid' function. */
+#define HAVE_SETRESUID 1
+
+/* Define to 1 if you have the `setreuid' function. */
+#define HAVE_SETREUID 1
+
+/* Define to 1 if you have the `setrlimit' function. */
+#define HAVE_SETRLIMIT 1
+
+/* Define to 1 if you have the `setsid' function. */
+#define HAVE_SETSID 1
+
+/* Define to 1 if you have the `setutent' function. */
+/* #undef HAVE_SETUTENT */
+
+/* Define to 1 if you have the `setutxent' function. */
+/* #undef HAVE_SETUTXENT */
+
+/* Define to 1 if you have the `setvbuf' function. */
+#define HAVE_SETVBUF 1
+
+/* Define to 1 if you have the <shadow.h> header file. */
+/* #undef HAVE_SHADOW_H */
+
+/* Define to 1 if you have the `sigaction' function. */
+#define HAVE_SIGACTION 1
+
+/* Define to 1 if you have the `sigvec' function. */
+#define HAVE_SIGVEC 1
+
+/* Define to 1 if the system has the type `sig_atomic_t'. */
+#define HAVE_SIG_ATOMIC_T 1
+
+/* Define to 1 if you have the `snprintf' function. */
+#define HAVE_SNPRINTF 1
+
+/* Define to 1 if you have the `socketpair' function. */
+#define HAVE_SOCKETPAIR 1
+
+/* Define to 1 if you have the <stddef.h> header file. */
+#define HAVE_STDDEF_H 1
+
+/* Define to 1 if you have the <stdint.h> header file. */
+#define HAVE_STDINT_H 1
+
+/* Define to 1 if you have the <stdlib.h> header file. */
+#define HAVE_STDLIB_H 1
+
+/* Define to 1 if you have the `strerror' function. */
+#define HAVE_STRERROR 1
+
+/* Define to 1 if you have the `strftime' function. */
+#define HAVE_STRFTIME 1
+
+/* Define to 1 if you have the <strings.h> header file. */
+#define HAVE_STRINGS_H 1
+
+/* Define to 1 if you have the <string.h> header file. */
+#define HAVE_STRING_H 1
+
+/* Define to 1 if you have the `strlcat' function. */
+#define HAVE_STRLCAT 1
+
+/* Define to 1 if you have the `strlcpy' function. */
+#define HAVE_STRLCPY 1
+
+/* Define to 1 if you have the `strmode' function. */
+#define HAVE_STRMODE 1
+
+/* Define to 1 if you have the `strnvis' function. */
+/* #undef HAVE_STRNVIS */
+
+/* Define to 1 if you have the `strsep' function. */
+#define HAVE_STRSEP 1
+
+/* Define to 1 if you have the `strtoul' function. */
+#define HAVE_STRTOUL 1
+
+/* Define to 1 if `st_blksize' is member of `struct stat'. */
+#define HAVE_STRUCT_STAT_ST_BLKSIZE 1
+
+/* Define to 1 if the system has the type `struct timespec'. */
+#define HAVE_STRUCT_TIMESPEC 1
+
+/* Define to 1 if you have the `sysconf' function. */
+#define HAVE_SYSCONF 1
+
+/* Define to 1 if you have the <sys/audit.h> header file. */
+/* #undef HAVE_SYS_AUDIT_H */
+
+/* Define to 1 if you have the <sys/bitypes.h> header file. */
+/* #undef HAVE_SYS_BITYPES_H */
+
+/* Define to 1 if you have the <sys/bsdtty.h> header file. */
+/* #undef HAVE_SYS_BSDTTY_H */
+
+/* Define to 1 if you have the <sys/cdefs.h> header file. */
+#define HAVE_SYS_CDEFS_H 1
+
+/* Define to 1 if you have the <sys/mman.h> header file. */
+#define HAVE_SYS_MMAN_H 1
+
+/* Define to 1 if you have the <sys/pstat.h> header file. */
+/* #undef HAVE_SYS_PSTAT_H */
+
+/* Define to 1 if you have the <sys/ptms.h> header file. */
+/* #undef HAVE_SYS_PTMS_H */
+
+/* Define to 1 if you have the <sys/select.h> header file. */
+#define HAVE_SYS_SELECT_H 1
+
+/* Define to 1 if you have the <sys/stat.h> header file. */
+#define HAVE_SYS_STAT_H 1
+
+/* Define to 1 if you have the <sys/stream.h> header file. */
+/* #undef HAVE_SYS_STREAM_H */
+
+/* Define to 1 if you have the <sys/stropts.h> header file. */
+/* #undef HAVE_SYS_STROPTS_H */
+
+/* Define to 1 if you have the <sys/strtio.h> header file. */
+/* #undef HAVE_SYS_STRTIO_H */
+
+/* Define to 1 if you have the <sys/sysmacros.h> header file. */
+/* #undef HAVE_SYS_SYSMACROS_H */
+
+/* Define to 1 if you have the <sys/timers.h> header file. */
+#define HAVE_SYS_TIMERS_H 1
+
+/* Define to 1 if you have the <sys/time.h> header file. */
+#define HAVE_SYS_TIME_H 1
+
+/* Define to 1 if you have the <sys/types.h> header file. */
+#define HAVE_SYS_TYPES_H 1
+
+/* Define to 1 if you have the <sys/un.h> header file. */
+#define HAVE_SYS_UN_H 1
+
+/* Define to 1 if you have the `tcgetpgrp' function. */
+#define HAVE_TCGETPGRP 1
+
+/* Define to 1 if you have the `tcsendbreak' function. */
+#define HAVE_TCSENDBREAK 1
+
+/* Define to 1 if you have the `time' function. */
+#define HAVE_TIME 1
+
+/* Define to 1 if you have the <time.h> header file. */
+#define HAVE_TIME_H 1
+
+/* Define to 1 if you have the <tmpdir.h> header file. */
+/* #undef HAVE_TMPDIR_H */
+
+/* Define to 1 if you have the `truncate' function. */
+#define HAVE_TRUNCATE 1
+
+/* Define to 1 if you have the <ttyent.h> header file. */
+#define HAVE_TTYENT_H 1
+
+/* Define to 1 if you have the <unistd.h> header file. */
+#define HAVE_UNISTD_H 1
+
+/* Define to 1 if you have the `updwtmp' function. */
+/* #undef HAVE_UPDWTMP */
+
+/* Define to 1 if you have the `updwtmpx' function. */
+/* #undef HAVE_UPDWTMPX */
+
+/* Define to 1 if you have the <usersec.h> header file. */
+/* #undef HAVE_USERSEC_H */
+
+/* Define to 1 if you have the <util.h> header file. */
+/* #undef HAVE_UTIL_H */
+
+/* Define to 1 if you have the `utimes' function. */
+#define HAVE_UTIMES 1
+
+/* Define to 1 if you have the <utime.h> header file. */
+#define HAVE_UTIME_H 1
+
+/* Define to 1 if you have the `utmpname' function. */
+/* #undef HAVE_UTMPNAME */
+
+/* Define to 1 if you have the `utmpxname' function. */
+/* #undef HAVE_UTMPXNAME */
+
+/* Define to 1 if you have the <utmpx.h> header file. */
+/* #undef HAVE_UTMPX_H */
+
+/* Define to 1 if you have the <utmp.h> header file. */
+#define HAVE_UTMP_H 1
+
+/* Define to 1 if you have the `vhangup' function. */
+/* #undef HAVE_VHANGUP */
+
+/* Define to 1 if you have the <vis.h> header file. */
+#define HAVE_VIS_H 1
+
+/* Define to 1 if you have the `vsnprintf' function. */
+#define HAVE_VSNPRINTF 1
+
+/* Define to 1 if you have the `waitpid' function. */
+#define HAVE_WAITPID 1
+
+/* Define to 1 if you have the `_getlong' function. */
+#define HAVE__GETLONG 1
+
+/* Define to 1 if you have the `_getpty' function. */
+/* #undef HAVE__GETPTY */
+
+/* Define to 1 if you have the `_getshort' function. */
+#define HAVE__GETSHORT 1
+
+/* Define to 1 if you have the `__b64_ntop' function. */
+#define HAVE___B64_NTOP 1
+
+/* Define to 1 if you have the `__b64_pton' function. */
+#define HAVE___B64_PTON 1
+
+/* Define to the address where bug reports for this package should be sent. */
+#define PACKAGE_BUGREPORT ""
+
+/* Define to the full name of this package. */
+#define PACKAGE_NAME ""
+
+/* Define to the full name and version of this package. */
+#define PACKAGE_STRING ""
+
+/* Define to the one symbol short name of this package. */
+#define PACKAGE_TARNAME ""
+
+/* Define to the version of this package. */
+#define PACKAGE_VERSION ""
+
+/* The size of a `char', as computed by sizeof. */
+#define SIZEOF_CHAR 1
+
+/* The size of a `int', as computed by sizeof. */
+#define SIZEOF_INT 4
+
+/* The size of a `long int', as computed by sizeof. */
+#define SIZEOF_LONG_INT 4
+
+/* The size of a `long long int', as computed by sizeof. */
+#define SIZEOF_LONG_LONG_INT 8
+
+/* The size of a `short int', as computed by sizeof. */
+#define SIZEOF_SHORT_INT 2
+
+/* Define to 1 if you have the ANSI C header files. */
+#define STDC_HEADERS 1
+
+/* Define to 1 if your processor stores words with the most significant byte
+   first (like Motorola and SPARC, unlike Intel and VAX). */
+/* #undef WORDS_BIGENDIAN */
+
+/* Number of bits in a file offset, on hosts where this is settable. */
+/* #undef _FILE_OFFSET_BITS */
+
+/* Define for large files, on AIX-style hosts. */
+/* #undef _LARGE_FILES */
+
+/* Define as `__inline' if that's what the C compiler calls it, or to nothing
+   if it is not supported. */
+/* #undef inline */
+
+/* type to use in place of socklen_t if not defined */
+/* #undef socklen_t */
+
+/* ******************* Shouldn't need to edit below this line ************** */
+
+#endif /* _CONFIG_H */
diff --git a/crypto/openssh/configure.ac b/crypto/openssh/configure.ac
index 6ba4d24..e6f4c88 100644
--- a/crypto/openssh/configure.ac
+++ b/crypto/openssh/configure.ac
@@ -1,18 +1,5 @@
-# $Id: configure.ac,v 1.214 2004/04/17 03:03:07 tim Exp $
-#
-# Copyright (c) 1999-2004 Damien Miller
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# $Id: configure.ac,v 1.202 2004/02/24 05:47:04 tim Exp $
+# $FreeBSD$
 
 AC_INIT
 AC_CONFIG_SRCDIR([ssh.c])
@@ -209,7 +196,10 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	AC_DEFINE(DISABLE_UTMP)
 	AC_DEFINE(LOCKED_PASSWD_STRING, "*")
 	AC_DEFINE(SPT_TYPE,SPT_PSTAT)
-	check_for_hpux_broken_getaddrinfo=1
+	case "$host" in
+	*-*-hpux11.11*)
+		AC_DEFINE(BROKEN_GETADDRINFO);;
+	esac
 	LIBS="$LIBS -lsec"
 	AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***]))
 	;;
@@ -232,7 +222,6 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	AC_DEFINE(SETEUID_BREAKS_SETUID)
 	AC_DEFINE(BROKEN_SETREUID)
 	AC_DEFINE(BROKEN_SETREGID)
-	AC_DEFINE(BROKEN_UPDWTMPX)
 	AC_DEFINE(WITH_ABBREV_NO_TTY)
 	AC_DEFINE(LOCKED_PASSWD_STRING, "*LK*")
 	;;
@@ -242,7 +231,7 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	check_for_openpty_ctty_bug=1
 	AC_DEFINE(DONT_TRY_OTHER_AF)
 	AC_DEFINE(PAM_TTY_KLUDGE)
-	AC_DEFINE(LOCKED_PASSWD_PREFIX, "!")
+	AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!")
 	AC_DEFINE(SPT_TYPE,SPT_REUSEARGV)
 	inet6_default_4in6=yes
 	case `uname -r` in
@@ -280,9 +269,6 @@ mips-sony-bsd|mips-sony-newsos4)
 	AC_DEFINE(BROKEN_SAVED_UIDS)
 	;;
 *-*-solaris*)
-	if test "x$withval" != "xno" ; then	
-		need_dash_r=1
-	fi
 	AC_DEFINE(PAM_SUN_CODEBASE)
 	AC_DEFINE(LOGIN_NEEDS_UTMPX)
 	AC_DEFINE(LOGIN_NEEDS_TERM)
@@ -359,9 +345,6 @@ mips-sony-bsd|mips-sony-newsos4)
 	AC_DEFINE(HAVE_SECUREWARE)
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_DEFINE(BROKEN_SAVED_UIDS)
-	AC_DEFINE(SETEUID_BREAKS_SETUID)
-	AC_DEFINE(BROKEN_SETREUID)
-	AC_DEFINE(BROKEN_SETREGID)
 	AC_DEFINE(WITH_ABBREV_NO_TTY)
 	AC_CHECK_FUNCS(getluid setluid)
 	MANTYPE=man
@@ -509,10 +492,10 @@ AC_CHECK_HEADERS(bstring.h crypt.h endian.h features.h floatingpoint.h \
 	netinet/in_systm.h pam/pam_appl.h paths.h pty.h readpassphrase.h \
 	rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
 	strings.h sys/strtio.h sys/audit.h sys/bitypes.h sys/bsdtty.h \
-	sys/cdefs.h sys/mman.h sys/prctl.h sys/pstat.h sys/ptms.h \
-	sys/select.h sys/stat.h sys/stream.h sys/stropts.h \
-	sys/sysmacros.h sys/time.h sys/timers.h sys/un.h time.h tmpdir.h \
-	ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h)
+	sys/cdefs.h sys/mman.h sys/pstat.h sys/ptms.h sys/select.h sys/stat.h \
+	sys/stream.h sys/stropts.h sys/sysmacros.h sys/time.h sys/timers.h \
+	sys/un.h time.h tmpdir.h ttyent.h usersec.h \
+	util.h utime.h utmp.h utmpx.h vis.h)
 
 # Checks for libraries.
 AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
@@ -746,15 +729,41 @@ int main() { char *ff = skey_keyinfo(""); ff=""; exit(0); }
 					AC_MSG_RESULT(no)
 					AC_MSG_ERROR([** Incomplete or missing s/key libraries.])
 				])
-                 	AC_MSG_CHECKING(if skeychallenge takes 4 arguments)
-			AC_TRY_COMPILE(
-				[#include <stdio.h>
-				 #include <skey.h>],
-				[(void)skeychallenge(NULL,"name","",0);],
-				[AC_MSG_RESULT(yes)
-				 AC_DEFINE(SKEYCHALLENGE_4ARG)],
-				[AC_MSG_RESULT(no)]
-        		)
+		fi
+	]
+)
+
+# Check whether user wants OPIE support
+OPIE_MSG="no" 
+AC_ARG_WITH(opie,
+	[  --with-opie[[=PATH]]      Enable OPIE support
+                            (optionally in PATH)],
+	[
+		if test "x$withval" != "xno" ; then
+
+			if test "x$withval" != "xyes" ; then
+				CPPFLAGS="$CPPFLAGS -I${withval}/include"
+				LDFLAGS="$LDFLAGS -L${withval}/lib"
+			fi
+
+			AC_DEFINE(SKEY)
+			AC_DEFINE(OPIE)
+			LIBS="-lopie $LIBS"
+			OPIE_MSG="yes" 
+	
+			AC_MSG_CHECKING([for opie support])
+			AC_TRY_RUN(
+				[
+#include <sys/types.h>
+#include <stdio.h>
+#include <opie.h>
+int main() { char *ff = opie_keyinfo(""); ff=""; return 0; }
+				],
+				[AC_MSG_RESULT(yes)],
+				[
+					AC_MSG_RESULT(no)
+					AC_MSG_ERROR([** Incomplete or missing opie libraries.])
+				])
 		fi
 	]
 )
@@ -794,9 +803,6 @@ AC_ARG_WITH(tcp-wrappers,
 			AC_MSG_CHECKING(for libwrap)
 			AC_TRY_LINK(
 				[
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
 #include <tcpd.h>
 					int deny_severity = 0, allow_severity = 0;
 				],
@@ -824,12 +830,12 @@ AC_CHECK_FUNCS(\
 	getpeereid _getpty getrlimit getttyent glob inet_aton \
 	inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove \
 	mkdtemp mmap ngetaddrinfo nsleep ogetaddrinfo openlog_r openpty \
-	pstat prctl readpassphrase realpath recvmsg rresvport_af sendmsg \
+	pstat readpassphrase realpath recvmsg rresvport_af sendmsg \
 	setdtablesize setegid setenv seteuid setgroups setlogin setpcred \
 	setproctitle setregid setreuid setrlimit \
 	setsid setvbuf sigaction sigvec snprintf socketpair strerror \
 	strlcat strlcpy strmode strnvis strtoul sysconf tcgetpgrp \
-	truncate unsetenv updwtmpx utimes vhangup vsnprintf waitpid \
+	truncate updwtmpx utimes vhangup vsnprintf waitpid \
 )
 
 # IRIX has a const char return value for gai_strerror()
@@ -997,74 +1003,6 @@ main()
 	)
 fi
 
-if test "x$ac_cv_func_getaddrinfo" = "xyes" -a "x$check_for_hpux_broken_getaddrinfo" = "x1"; then
-	AC_MSG_CHECKING(if getaddrinfo seems to work)
-	AC_TRY_RUN(
-		[
-#include <stdio.h>
-#include <sys/socket.h>
-#include <netdb.h>
-#include <errno.h>
-#include <netinet/in.h>
-
-#define TEST_PORT "2222"
-
-int
-main(void)
-{
-	int err, sock;
-	struct addrinfo *gai_ai, *ai, hints;
-	char ntop[NI_MAXHOST], strport[NI_MAXSERV], *name = NULL;
-
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = PF_UNSPEC;
-	hints.ai_socktype = SOCK_STREAM;
-	hints.ai_flags = AI_PASSIVE;
-
-	err = getaddrinfo(name, TEST_PORT, &hints, &gai_ai);
-	if (err != 0) {
-		fprintf(stderr, "getaddrinfo failed (%s)", gai_strerror(err));
-		exit(1);
-	}
-
-	for (ai = gai_ai; ai != NULL; ai = ai->ai_next) {
-		if (ai->ai_family != AF_INET6)
-			continue;
-
-		err = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop,
-		    sizeof(ntop), strport, sizeof(strport),
-		    NI_NUMERICHOST|NI_NUMERICSERV);
-
-		if (err != 0) {
-			if (err == EAI_SYSTEM)
-				perror("getnameinfo EAI_SYSTEM");
-			else
-				fprintf(stderr, "getnameinfo failed: %s\n",
-				    gai_strerror(err));
-			exit(2);
-		}
-
-		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
-		if (sock < 0)
-			perror("socket");
-		if (bind(sock, ai->ai_addr, ai->ai_addrlen) < 0) {
-			if (errno == EBADF)
-				exit(3);
-		}
-	}
-	exit(0);
-}
-		],
-		[
-			AC_MSG_RESULT(yes)
-		],
-		[
-			AC_MSG_RESULT(no)
-			AC_DEFINE(BROKEN_GETADDRINFO)
-		]
-	)
-fi
-
 AC_FUNC_GETPGRP
 
 # Check for PAM libs
@@ -2063,7 +2001,11 @@ AC_CACHE_CHECK([whether getopt has optreset support],
 		ac_cv_have_getopt_optreset, [
 	AC_TRY_LINK(
 		[
+#if HAVE_GETOPT_H
 #include <getopt.h>
+#elif HAVE_UNISTD_H
+#include <unistd.h>
+#endif
 		],
 		[ extern int optreset; optreset = 0; ],
 		[ ac_cv_have_getopt_optreset="yes" ],
@@ -2255,7 +2197,6 @@ AC_ARG_WITH(kerberos5,
 
 	LIBS="$LIBS $K5LIBS"
 	AC_SEARCH_LIBS(k_hasafs, kafs, AC_DEFINE(USE_AFS))
-	AC_SEARCH_LIBS(krb5_init_ets, $K5LIBS, AC_DEFINE(KRB5_INIT_ETS))
 	]
 )
 
@@ -2914,6 +2855,7 @@ echo "                       PAM support: $PAM_MSG"
 echo "                 KerberosV support: $KRB5_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
+echo "                      OPIE support: $OPIE_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
diff --git a/crypto/openssh/dsa.c b/crypto/openssh/dsa.c
deleted file mode 100644
index 4ff4b58..0000000
--- a/crypto/openssh/dsa.c
+++ /dev/null
@@ -1,304 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: dsa.c,v 1.11 2000/09/07 20:27:51 deraadt Exp $");
-
-#include "ssh.h"
-#include "xmalloc.h"
-#include "buffer.h"
-#include "bufaux.h"
-#include "compat.h"
-
-#include <openssl/bn.h>
-#include <openssl/dh.h>
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
-#include <openssl/evp.h>
-#include <openssl/bio.h>
-#include <openssl/pem.h>
-
-#include <openssl/hmac.h>
-#include "kex.h"
-#include "key.h"
-#include "uuencode.h"
-
-#define INTBLOB_LEN	20
-#define SIGBLOB_LEN	(2*INTBLOB_LEN)
-
-Key *
-dsa_key_from_blob(char *blob, int blen)
-{
-	Buffer b;
-	char *ktype;
-	int rlen;
-	DSA *dsa;
-	Key *key;
-
-#ifdef DEBUG_DSS
-	dump_base64(stderr, blob, blen);
-#endif
-	/* fetch & parse DSA/DSS pubkey */
-	buffer_init(&b);
-	buffer_append(&b, blob, blen);
-	ktype = buffer_get_string(&b, NULL);
-	if (strcmp(KEX_DSS, ktype) != 0) {
-		error("dsa_key_from_blob: cannot handle type %s", ktype);
-		buffer_free(&b);
-		xfree(ktype);
-		return NULL;
-	}
-	key = key_new(KEY_DSA);
-	dsa = key->dsa;
-	buffer_get_bignum2(&b, dsa->p);
-	buffer_get_bignum2(&b, dsa->q);
-	buffer_get_bignum2(&b, dsa->g);
-	buffer_get_bignum2(&b, dsa->pub_key);
-	rlen = buffer_len(&b);
-	if(rlen != 0)
-		error("dsa_key_from_blob: remaining bytes in key blob %d", rlen);
-	buffer_free(&b);
-	xfree(ktype);
-
-#ifdef DEBUG_DSS
-	DSA_print_fp(stderr, dsa, 8);
-#endif
-	return key;
-}
-int
-dsa_make_key_blob(Key *key, unsigned char **blobp, unsigned int *lenp)
-{
-	Buffer b;
-	int len;
-	unsigned char *buf;
-
-	if (key == NULL || key->type != KEY_DSA)
-		return 0;
-	buffer_init(&b);
-	buffer_put_cstring(&b, KEX_DSS);
-	buffer_put_bignum2(&b, key->dsa->p);
-	buffer_put_bignum2(&b, key->dsa->q);
-	buffer_put_bignum2(&b, key->dsa->g);
-	buffer_put_bignum2(&b, key->dsa->pub_key);
-	len = buffer_len(&b);
-	buf = xmalloc(len);
-	memcpy(buf, buffer_ptr(&b), len);
-	memset(buffer_ptr(&b), 0, len);
-	buffer_free(&b);
-	if (lenp != NULL)
-		*lenp = len;
-	if (blobp != NULL)
-		*blobp = buf;
-	return len;
-}
-int
-dsa_sign(
-    Key *key,
-    unsigned char **sigp, int *lenp,
-    unsigned char *data, int datalen)
-{
-	unsigned char *digest;
-	unsigned char *ret;
-	DSA_SIG *sig;
-	EVP_MD *evp_md = EVP_sha1();
-	EVP_MD_CTX md;
-	unsigned int rlen;
-	unsigned int slen;
-	unsigned int len;
-	unsigned char sigblob[SIGBLOB_LEN];
-	Buffer b;
-
-	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
-		error("dsa_sign: no DSA key");
-		return -1;
-	}
-	digest = xmalloc(evp_md->md_size);
-	EVP_DigestInit(&md, evp_md);
-	EVP_DigestUpdate(&md, data, datalen);
-	EVP_DigestFinal(&md, digest, NULL);
-
-	sig = DSA_do_sign(digest, evp_md->md_size, key->dsa);
-	if (sig == NULL) {
-		fatal("dsa_sign: cannot sign");
-	}
-
-	rlen = BN_num_bytes(sig->r);
-	slen = BN_num_bytes(sig->s);
-	if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
-		error("bad sig size %d %d", rlen, slen);
-		DSA_SIG_free(sig);
-		return -1;
-	}
-	debug("sig size %d %d", rlen, slen);
-
-	memset(sigblob, 0, SIGBLOB_LEN);
-	BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
-	BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
-	DSA_SIG_free(sig);
-
-	if (datafellows & SSH_BUG_SIGBLOB) {
-		debug("datafellows");
-		ret = xmalloc(SIGBLOB_LEN);
-		memcpy(ret, sigblob, SIGBLOB_LEN);
-		if (lenp != NULL)
-			*lenp = SIGBLOB_LEN;
-		if (sigp != NULL)
-			*sigp = ret;
-	} else {
-		/* ietf-drafts */
-		buffer_init(&b);
-		buffer_put_cstring(&b, KEX_DSS);
-		buffer_put_string(&b, sigblob, SIGBLOB_LEN);
-		len = buffer_len(&b);
-		ret = xmalloc(len);
-		memcpy(ret, buffer_ptr(&b), len);
-		buffer_free(&b);
-		if (lenp != NULL)
-			*lenp = len;
-		if (sigp != NULL)
-			*sigp = ret;
-	}
-	return 0;
-}
-int
-dsa_verify(
-    Key *key,
-    unsigned char *signature, int signaturelen,
-    unsigned char *data, int datalen)
-{
-	Buffer b;
-	unsigned char *digest;
-	DSA_SIG *sig;
-	EVP_MD *evp_md = EVP_sha1();
-	EVP_MD_CTX md;
-	unsigned char *sigblob;
-	char *txt;
-	unsigned int len;
-	int rlen;
-	int ret;
-
-	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
-		error("dsa_verify: no DSA key");
-		return -1;
-	}
-
-	if (!(datafellows & SSH_BUG_SIGBLOB) &&
-	    signaturelen == SIGBLOB_LEN) {
-		datafellows |= ~SSH_BUG_SIGBLOB;
-		log("autodetect SSH_BUG_SIGBLOB");
-	} else if ((datafellows & SSH_BUG_SIGBLOB) &&
-	    signaturelen != SIGBLOB_LEN) {
-		log("autoremove SSH_BUG_SIGBLOB");
-		datafellows &= ~SSH_BUG_SIGBLOB;
-	}
-
-	debug("len %d datafellows %d", signaturelen, datafellows);
-
-	/* fetch signature */
-	if (datafellows & SSH_BUG_SIGBLOB) {
-		sigblob = signature;
-		len = signaturelen;
-	} else {
-		/* ietf-drafts */
-		char *ktype;
-		buffer_init(&b);
-		buffer_append(&b, (char *) signature, signaturelen);
-		ktype = buffer_get_string(&b, NULL);
-		if (strcmp(KEX_DSS, ktype) != 0) {
-			error("dsa_verify: cannot handle type %s", ktype);
-			buffer_free(&b);
-			return -1;
-		}
-		sigblob = (unsigned char *)buffer_get_string(&b, &len);
-		rlen = buffer_len(&b);
-		if(rlen != 0) {
-			error("remaining bytes in signature %d", rlen);
-			buffer_free(&b);
-			return -1;
-		}
-		buffer_free(&b);
-		xfree(ktype);
-	}
-
-	if (len != SIGBLOB_LEN) {
-		fatal("bad sigbloblen %d != SIGBLOB_LEN", len);
-	}
-
-	/* parse signature */
-	sig = DSA_SIG_new();
-	sig->r = BN_new();
-	sig->s = BN_new();
-	BN_bin2bn(sigblob, INTBLOB_LEN, sig->r);
-	BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s);
-
-	if (!(datafellows & SSH_BUG_SIGBLOB)) {
-		memset(sigblob, 0, len);
-		xfree(sigblob);
-	}
-	
-	/* sha1 the data */
-	digest = xmalloc(evp_md->md_size);
-	EVP_DigestInit(&md, evp_md);
-	EVP_DigestUpdate(&md, data, datalen);
-	EVP_DigestFinal(&md, digest, NULL);
-
-	ret = DSA_do_verify(digest, evp_md->md_size, sig, key->dsa);
-
-	memset(digest, 0, evp_md->md_size);
-	xfree(digest);
-	DSA_SIG_free(sig);
-
-	switch (ret) {
-	case 1:
-		txt = "correct";
-		break;
-	case 0:
-		txt = "incorrect";
-		break;
-	case -1:
-	default:
-		txt = "error";
-		break;
-	}
-	debug("dsa_verify: signature %s", txt);
-	return ret;
-}
-
-Key *
-dsa_generate_key(unsigned int bits)
-{
-	DSA *dsa = DSA_generate_parameters(bits, NULL, 0, NULL, NULL, NULL, NULL);
-	Key *k;
-	if (dsa == NULL) {
-		fatal("DSA_generate_parameters failed");
-	}
-	if (!DSA_generate_key(dsa)) {
-		fatal("DSA_generate_keys failed");
-	}
-
-	k = key_new(KEY_EMPTY);
-	k->type = KEY_DSA;
-	k->dsa = dsa;
-	return k;
-}
diff --git a/crypto/openssh/dsa.h b/crypto/openssh/dsa.h
deleted file mode 100644
index 252e788..0000000
--- a/crypto/openssh/dsa.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef DSA_H
-#define DSA_H
-
-Key	*dsa_key_from_blob(char *blob, int blen);
-int	dsa_make_key_blob(Key *key, unsigned char **blobp, unsigned int *lenp);
-
-int
-dsa_sign(
-    Key *key,
-    unsigned char **sigp, int *lenp,
-    unsigned char *data, int datalen);
-
-int
-dsa_verify(
-    Key *key,
-    unsigned char *signature, int signaturelen,
-    unsigned char *data, int datalen);
-
-Key *
-dsa_generate_key(unsigned int bits);
-
-#endif
diff --git a/crypto/openssh/fingerprint.c b/crypto/openssh/fingerprint.c
deleted file mode 100644
index 4b0966d..0000000
--- a/crypto/openssh/fingerprint.c
+++ /dev/null
@@ -1,69 +0,0 @@
-/*
- * Copyright (c) 1999 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by Markus Friedl.
- * 4. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$Id: fingerprint.c,v 1.6 2000/04/12 09:39:10 markus Exp $");
-
-#include "ssh.h"
-#include "xmalloc.h"
-#include <openssl/md5.h>
-
-#define FPRINT "%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x:%02x"
-
-/*
- * Generate key fingerprint in ascii format.
- * Based on ideas and code from Bjoern Groenvall <bg@sics.se>
- */
-char *
-fingerprint(BIGNUM *e, BIGNUM *n)
-{
-	static char retval[80];
-	MD5_CTX md;
-	unsigned char d[16];
-	unsigned char *buf;
-	int nlen, elen;
-
-	nlen = BN_num_bytes(n);
-	elen = BN_num_bytes(e);
-
-	buf = xmalloc(nlen + elen);
-
-	BN_bn2bin(n, buf);
-	BN_bn2bin(e, buf + nlen);
-
-	MD5_Init(&md);
-	MD5_Update(&md, buf, nlen + elen);
-	MD5_Final(d, &md);
-	snprintf(retval, sizeof(retval), FPRINT,
-	    d[0], d[1], d[2], d[3], d[4], d[5], d[6], d[7],
-	    d[8], d[9], d[10], d[11], d[12], d[13], d[14], d[15]);
-	memset(buf, 0, nlen + elen);
-	xfree(buf);
-	return retval;
-}
diff --git a/crypto/openssh/fingerprint.h b/crypto/openssh/fingerprint.h
deleted file mode 100644
index fbb0d4c..0000000
--- a/crypto/openssh/fingerprint.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (c) 1999 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *      This product includes software developed by Markus Friedl.
- * 4. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-/* RCSID("$Id: fingerprint.h,v 1.3 1999/11/24 16:15:25 markus Exp $"); */
-
-#ifndef FINGERPRINT_H
-#define FINGERPRINT_H
-char   *fingerprint(BIGNUM * e, BIGNUM * n);
-#endif
diff --git a/crypto/openssh/hmac.c b/crypto/openssh/hmac.c
deleted file mode 100644
index 48a1763..0000000
--- a/crypto/openssh/hmac.c
+++ /dev/null
@@ -1,54 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: hmac.c,v 1.4 2000/09/07 20:27:51 deraadt Exp $");
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "getput.h"
-
-#include <openssl/hmac.h>
-
-unsigned char *
-hmac(
-    EVP_MD *evp_md,
-    unsigned int seqno,
-    unsigned char *data, int datalen,
-    unsigned char *key, int keylen)
-{
-	HMAC_CTX c;
-	static unsigned char m[EVP_MAX_MD_SIZE];
-	unsigned char b[4];
-
-	if (key == NULL)
-		fatal("hmac: no key");
-	HMAC_Init(&c, key, keylen, evp_md);
-	PUT_32BIT(b, seqno);
-	HMAC_Update(&c, b, sizeof b);
-	HMAC_Update(&c, data, datalen);
-	HMAC_Final(&c, m, NULL);
-	HMAC_cleanup(&c);
-	return(m);
-}
diff --git a/crypto/openssh/hmac.h b/crypto/openssh/hmac.h
deleted file mode 100644
index 281300e..0000000
--- a/crypto/openssh/hmac.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-#ifndef HMAC_H
-#define HMAC_H
-
-unsigned char *
-hmac(
-    EVP_MD *evp_md,
-    unsigned int seqno,
-    unsigned char *data, int datalen,
-    unsigned char *key, int len);
-
-#endif
diff --git a/crypto/openssh/includes.h b/crypto/openssh/includes.h
index ca943c7..32e9b84 100644
--- a/crypto/openssh/includes.h
+++ b/crypto/openssh/includes.h
@@ -1,4 +1,5 @@
 /*	$OpenBSD: includes.h,v 1.17 2002/01/26 16:44:22 stevesk Exp $	*/
+/*	$FreeBSD$	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -17,7 +18,7 @@
 #define INCLUDES_H
 
 #define RCSID(msg) \
-static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
+__RCSID(msg)
 
 #include "config.h"
 
diff --git a/crypto/openssh/lib/Makefile b/crypto/openssh/lib/Makefile
deleted file mode 100644
index ac950a9..0000000
--- a/crypto/openssh/lib/Makefile
+++ /dev/null
@@ -1,35 +0,0 @@
-#	$OpenBSD: Makefile,v 1.36 2002/06/11 15:23:29 hin Exp $
-
-.PATH:		${.CURDIR}/..
-
-LIB=	ssh
-SRCS=	authfd.c authfile.c bufaux.c buffer.c canohost.c channels.c \
-	cipher.c compat.c compress.c crc32.c deattack.c fatal.c \
-	hostfile.c log.c match.c mpaux.c nchan.c packet.c readpass.c \
-	rsa.c tildexpand.c ttymodes.c xmalloc.c atomicio.c \
-	key.c dispatch.c kex.c mac.c uuencode.c misc.c \
-	rijndael.c ssh-dss.c ssh-rsa.c dh.c kexdh.c kexgex.c \
-	scard.c monitor_wrap.c monitor_fdpass.c msg.c
-
-DEBUGLIBS= no
-NOPROFILE= yes
-NOPIC=	yes
-
-install:
-	@echo -n
-
-.include <bsd.own.mk>
-
-.if (${KERBEROS5:L} == "yes")
-CFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/kerberosV
-.endif # KERBEROS5
-
-.if (${KERBEROS:L} == "yes")
-CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
-.if (${AFS:L} == "yes")
-CFLAGS+= -DAFS
-SRCS+=  radix.c
-.endif # AFS
-.endif # KERBEROS
-
-.include <bsd.lib.mk>
diff --git a/crypto/openssh/log-client.c b/crypto/openssh/log-client.c
deleted file mode 100644
index 505c8c3..0000000
--- a/crypto/openssh/log-client.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Client-side versions of debug(), log(), etc.  These print to stderr.
- * This is a stripped down version of log-server.c.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: log-client.c,v 1.12 2000/09/12 20:53:10 markus Exp $");
-
-#include "xmalloc.h"
-#include "ssh.h"
-
-static LogLevel log_level = SYSLOG_LEVEL_INFO;
-
-/* Initialize the log.
- *   av0	program name (should be argv[0])
- *   level	logging level
- */
-
-void
-log_init(char *av0, LogLevel level, SyslogFacility ignored1, int ignored2)
-{
-	switch (level) {
-	case SYSLOG_LEVEL_QUIET:
-	case SYSLOG_LEVEL_ERROR:
-	case SYSLOG_LEVEL_FATAL:
-	case SYSLOG_LEVEL_INFO:
-	case SYSLOG_LEVEL_VERBOSE:
-	case SYSLOG_LEVEL_DEBUG1:
-	case SYSLOG_LEVEL_DEBUG2:
-	case SYSLOG_LEVEL_DEBUG3:
-		log_level = level;
-		break;
-	default:
-		/* unchanged */
-		break;
-	}
-}
-
-#define MSGBUFSIZ 1024
-
-void
-do_log(LogLevel level, const char *fmt, va_list args)
-{
-	char msgbuf[MSGBUFSIZ];
-
-	if (level > log_level)
-		return;
-	if (level >= SYSLOG_LEVEL_DEBUG1)
-		fprintf(stderr, "debug: ");
-	vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
-	fprintf(stderr, "%s\r\n", msgbuf);
-}
diff --git a/crypto/openssh/log-server.c b/crypto/openssh/log-server.c
deleted file mode 100644
index de3d5cf..0000000
--- a/crypto/openssh/log-server.c
+++ /dev/null
@@ -1,173 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Server-side versions of debug(), log(), etc.  These normally send the output
- * to the system log.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: log-server.c,v 1.17 2000/09/12 20:53:10 markus Exp $");
-
-#include <syslog.h>
-#include "packet.h"
-#include "xmalloc.h"
-#include "ssh.h"
-
-static LogLevel log_level = SYSLOG_LEVEL_INFO;
-static int log_on_stderr = 0;
-static int log_facility = LOG_AUTH;
-
-/* Initialize the log.
- *   av0	program name (should be argv[0])
- *   on_stderr	print also on stderr
- *   level	logging level
- */
-
-void
-log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
-{
-	switch (level) {
-	case SYSLOG_LEVEL_QUIET:
-	case SYSLOG_LEVEL_ERROR:
-	case SYSLOG_LEVEL_FATAL:
-	case SYSLOG_LEVEL_INFO:
-	case SYSLOG_LEVEL_VERBOSE:
-	case SYSLOG_LEVEL_DEBUG1:
-	case SYSLOG_LEVEL_DEBUG2:
-	case SYSLOG_LEVEL_DEBUG3:
-		log_level = level;
-		break;
-	default:
-		fprintf(stderr, "Unrecognized internal syslog level code %d\n",
-			(int) level);
-		exit(1);
-	}
-	switch (facility) {
-	case SYSLOG_FACILITY_DAEMON:
-		log_facility = LOG_DAEMON;
-		break;
-	case SYSLOG_FACILITY_USER:
-		log_facility = LOG_USER;
-		break;
-	case SYSLOG_FACILITY_AUTH:
-		log_facility = LOG_AUTH;
-		break;
-	case SYSLOG_FACILITY_LOCAL0:
-		log_facility = LOG_LOCAL0;
-		break;
-	case SYSLOG_FACILITY_LOCAL1:
-		log_facility = LOG_LOCAL1;
-		break;
-	case SYSLOG_FACILITY_LOCAL2:
-		log_facility = LOG_LOCAL2;
-		break;
-	case SYSLOG_FACILITY_LOCAL3:
-		log_facility = LOG_LOCAL3;
-		break;
-	case SYSLOG_FACILITY_LOCAL4:
-		log_facility = LOG_LOCAL4;
-		break;
-	case SYSLOG_FACILITY_LOCAL5:
-		log_facility = LOG_LOCAL5;
-		break;
-	case SYSLOG_FACILITY_LOCAL6:
-		log_facility = LOG_LOCAL6;
-		break;
-	case SYSLOG_FACILITY_LOCAL7:
-		log_facility = LOG_LOCAL7;
-		break;
-	default:
-		fprintf(stderr, "Unrecognized internal syslog facility code %d\n",
-			(int) facility);
-		exit(1);
-	}
-	log_on_stderr = on_stderr;
-}
-
-#define MSGBUFSIZ 1024
-
-void
-do_log(LogLevel level, const char *fmt, va_list args)
-{
-	char msgbuf[MSGBUFSIZ];
-	char fmtbuf[MSGBUFSIZ];
-	char *txt = NULL;
-	int pri = LOG_INFO;
-	extern char *__progname;
-
-	if (level > log_level)
-		return;
-	switch (level) {
-	case SYSLOG_LEVEL_ERROR:
-		txt = "error";
-		pri = LOG_ERR;
-		break;
-	case SYSLOG_LEVEL_FATAL:
-		txt = "fatal";
-		pri = LOG_ERR;
-		break;
-	case SYSLOG_LEVEL_INFO:
-	case SYSLOG_LEVEL_VERBOSE:
-		pri = LOG_INFO;
-		break;
-	case SYSLOG_LEVEL_DEBUG1:
-		txt = "debug1";
-		pri = LOG_DEBUG;
-		break;
-	case SYSLOG_LEVEL_DEBUG2:
-		txt = "debug2";
-		pri = LOG_DEBUG;
-		break;
-	case SYSLOG_LEVEL_DEBUG3:
-		txt = "debug3";
-		pri = LOG_DEBUG;
-		break;
-	default:
-		txt = "internal error";
-		pri = LOG_ERR;
-		break;
-	}
-	if (txt != NULL) {
-		snprintf(fmtbuf, sizeof(fmtbuf), "%s: %s", txt, fmt);
-		vsnprintf(msgbuf, sizeof(msgbuf), fmtbuf, args);
-	} else {
-		vsnprintf(msgbuf, sizeof(msgbuf), fmt, args);
-	}
-	if (log_on_stderr) {
-		fprintf(stderr, "%s\n", msgbuf);
-	} else {
-		openlog(__progname, LOG_PID, log_facility);
-		syslog(pri, "%.500s", msgbuf);
-		closelog();
-	}
-}
diff --git a/crypto/openssh/log.h b/crypto/openssh/log.h
index e026319..ca4d7bf 100644
--- a/crypto/openssh/log.h
+++ b/crypto/openssh/log.h
@@ -1,4 +1,5 @@
 /*	$OpenBSD: log.h,v 1.10 2003/09/23 20:17:11 markus Exp $	*/
+/*	$FreeBSD$	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -53,6 +54,14 @@ void     log_init(char *, LogLevel, SyslogFacility, int);
 SyslogFacility	log_facility_number(char *);
 LogLevel log_level_number(char *);
 
+#define fatal	ssh_fatal
+#define error	ssh_error
+#define logit	ssh_logit
+#define verbose	ssh_verbose
+#define debug	ssh_debug
+#define debug2	ssh_debug2
+#define debug3	ssh_debug3
+
 void     fatal(const char *, ...) __attribute__((format(printf, 1, 2)));
 void     error(const char *, ...) __attribute__((format(printf, 1, 2)));
 void     logit(const char *, ...) __attribute__((format(printf, 1, 2)));
diff --git a/crypto/openssh/login.c b/crypto/openssh/login.c
deleted file mode 100644
index 1d59cd8..0000000
--- a/crypto/openssh/login.c
+++ /dev/null
@@ -1,145 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * This file performs some of the things login(1) normally does.  We cannot
- * easily use something like login -p -h host -f user, because there are
- * several different logins around, and it is hard to determined what kind of
- * login the current system has.  Also, we want to be able to execute commands
- * on a tty.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
- * Copyright (c) 1999 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: login.c,v 1.15 2000/09/07 20:27:52 deraadt Exp $");
-
-#include <util.h>
-#include <utmp.h>
-#include "ssh.h"
-
-/*
- * Returns the time when the user last logged in.  Returns 0 if the
- * information is not available.  This must be called before record_login.
- * The host the user logged in from will be returned in buf.
- */
-
-/*
- * Returns the time when the user last logged in (or 0 if no previous login
- * is found).  The name of the host used last time is returned in buf.
- */
-
-unsigned long
-get_last_login_time(uid_t uid, const char *logname,
-		    char *buf, unsigned int bufsize)
-{
-	struct lastlog ll;
-	char *lastlog;
-	int fd;
-
-	lastlog = _PATH_LASTLOG;
-	buf[0] = '\0';
-
-	fd = open(lastlog, O_RDONLY);
-	if (fd < 0)
-		return 0;
-	lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET);
-	if (read(fd, &ll, sizeof(ll)) != sizeof(ll)) {
-		close(fd);
-		return 0;
-	}
-	close(fd);
-	if (bufsize > sizeof(ll.ll_host) + 1)
-		bufsize = sizeof(ll.ll_host) + 1;
-	strncpy(buf, ll.ll_host, bufsize - 1);
-	buf[bufsize - 1] = 0;
-	return ll.ll_time;
-}
-
-/*
- * Records that the user has logged in.  I these parts of operating systems
- * were more standardized.
- */
-
-void
-record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
-	     const char *host, struct sockaddr * addr)
-{
-	int fd;
-	struct lastlog ll;
-	char *lastlog;
-	struct utmp u;
-	const char *utmp, *wtmp;
-
-	/* Construct an utmp/wtmp entry. */
-	memset(&u, 0, sizeof(u));
-	strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line));
-	u.ut_time = time(NULL);
-	strncpy(u.ut_name, user, sizeof(u.ut_name));
-	strncpy(u.ut_host, host, sizeof(u.ut_host));
-
-	/* Figure out the file names. */
-	utmp = _PATH_UTMP;
-	wtmp = _PATH_WTMP;
-
-	login(&u);
-	lastlog = _PATH_LASTLOG;
-
-	/* Update lastlog unless actually recording a logout. */
-	if (strcmp(user, "") != 0) {
-		/*
-		 * It is safer to bzero the lastlog structure first because
-		 * some systems might have some extra fields in it (e.g. SGI)
-		 */
-		memset(&ll, 0, sizeof(ll));
-
-		/* Update lastlog. */
-		ll.ll_time = time(NULL);
-		strncpy(ll.ll_line, ttyname + 5, sizeof(ll.ll_line));
-		strncpy(ll.ll_host, host, sizeof(ll.ll_host));
-		fd = open(lastlog, O_RDWR);
-		if (fd >= 0) {
-			lseek(fd, (off_t) ((long) uid * sizeof(ll)), SEEK_SET);
-			if (write(fd, &ll, sizeof(ll)) != sizeof(ll))
-				log("Could not write %.100s: %.100s", lastlog, strerror(errno));
-			close(fd);
-		}
-	}
-}
-
-/* Records that the user has logged out. */
-
-void
-record_logout(pid_t pid, const char *ttyname)
-{
-	const char *line = ttyname + 5;	/* /dev/ttyq8 -> ttyq8 */
-	if (logout(line))
-		logwtmp(line, "", "");
-}
diff --git a/crypto/openssh/loginrec.c b/crypto/openssh/loginrec.c
index b74d412..da69da3 100644
--- a/crypto/openssh/loginrec.c
+++ b/crypto/openssh/loginrec.c
@@ -158,7 +158,8 @@
 #include "log.h"
 #include "atomicio.h"
 
-RCSID("$Id: loginrec.c,v 1.56 2004/04/08 06:16:06 dtucker Exp $");
+RCSID("$Id: loginrec.c,v 1.54 2004/02/10 05:49:35 dtucker Exp $");
+RCSID("$FreeBSD$");
 
 #ifdef HAVE_UTIL_H
 #  include <util.h>
@@ -652,7 +653,8 @@ construct_utmp(struct logininfo *li,
 	/* Use strncpy because we don't necessarily want null termination */
 	strncpy(ut->ut_name, li->username, MIN_SIZEOF(ut->ut_name, li->username));
 # ifdef HAVE_HOST_IN_UTMP
-	strncpy(ut->ut_host, li->hostname, MIN_SIZEOF(ut->ut_host, li->hostname));
+	realhostname_sa(ut->ut_host, sizeof ut->ut_host,
+	    &li->hostaddr.sa, li->hostaddr.sa.sa_len);
 # endif
 # ifdef HAVE_ADDR_IN_UTMP
 	/* this is just a 32-bit IP address */
@@ -1354,7 +1356,7 @@ static int
 syslogin_perform_logout(struct logininfo *li)
 {
 # ifdef HAVE_LOGOUT
-	char line[UT_LINESIZE];
+	char line[8];
 
 	(void)line_stripname(line, li->line, sizeof(line));
 
diff --git a/crypto/openssh/monitor.c b/crypto/openssh/monitor.c
index 9c30c1c..0fda0df 100644
--- a/crypto/openssh/monitor.c
+++ b/crypto/openssh/monitor.c
@@ -26,24 +26,27 @@
 
 #include "includes.h"
 RCSID("$OpenBSD: monitor.c,v 1.55 2004/02/05 05:37:17 dtucker Exp $");
+RCSID("$FreeBSD$");
 
 #include <openssl/dh.h>
 
 #ifdef SKEY
+#ifdef OPIE
+#include <opie.h>
+#define skey                    opie
+#define skeychallenge(k, u, c)  opiechallenge((k), (u), (c))
+#define skey_haskey(u)          opie_haskey((u))
+#define skey_passcheck(u, r)    opie_passverify((u), (r))
+#else
 #include <skey.h>
 #endif
+#endif
 
 #include "ssh.h"
 #include "auth.h"
 #include "kex.h"
 #include "dh.h"
-#ifdef TARGET_OS_MAC	/* XXX Broken krb5 headers on Mac */
-#undef TARGET_OS_MAC
-#include "zlib.h"
-#define TARGET_OS_MAC 1
-#else
 #include "zlib.h"
-#endif
 #include "packet.h"
 #include "auth-options.h"
 #include "sshpty.h"
@@ -744,8 +747,7 @@ mm_answer_skeyquery(int socket, Buffer *m)
 	char challenge[1024];
 	u_int success;
 
-	success = _compat_skeychallenge(&skey, authctxt->user, challenge,
-	    sizeof(challenge)) < 0 ? 0 : 1;
+	success = skeychallenge(&skey, authctxt->user, challenge) < 0 ? 0 : 1;
 
 	buffer_clear(m);
 	buffer_put_int(m, success);
@@ -789,10 +791,16 @@ mm_answer_skeyrespond(int socket, Buffer *m)
 int
 mm_answer_pam_start(int socket, Buffer *m)
 {
+	char *user;
+
 	if (!options.use_pam)
 		fatal("UsePAM not set, but ended up in %s anyway", __func__);
 
-	start_pam(authctxt);
+	user = buffer_get_string(m, NULL);
+
+	start_pam(user);
+
+	xfree(user);
 
 	monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
 
diff --git a/crypto/openssh/monitor.h b/crypto/openssh/monitor.h
index 621a4ad..feab93f 100644
--- a/crypto/openssh/monitor.h
+++ b/crypto/openssh/monitor.h
@@ -1,4 +1,5 @@
 /*	$OpenBSD: monitor.h,v 1.13 2003/11/17 11:06:07 markus Exp $	*/
+/*	$FreeBSD$	*/
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
diff --git a/crypto/openssh/monitor_wrap.c b/crypto/openssh/monitor_wrap.c
index ee2dc20..b250af5 100644
--- a/crypto/openssh/monitor_wrap.c
+++ b/crypto/openssh/monitor_wrap.c
@@ -26,6 +26,7 @@
 
 #include "includes.h"
 RCSID("$OpenBSD: monitor_wrap.c,v 1.35 2003/11/17 11:06:07 markus Exp $");
+RCSID("$FreeBSD$");
 
 #include <openssl/bn.h>
 #include <openssl/dh.h>
@@ -40,13 +41,7 @@ RCSID("$OpenBSD: monitor_wrap.c,v 1.35 2003/11/17 11:06:07 markus Exp $");
 #include "packet.h"
 #include "mac.h"
 #include "log.h"
-#ifdef TARGET_OS_MAC    /* XXX Broken krb5 headers on Mac */
-#undef TARGET_OS_MAC
 #include "zlib.h"
-#define TARGET_OS_MAC 1
-#else
-#include "zlib.h"
-#endif
 #include "monitor.h"
 #include "monitor_wrap.h"
 #include "xmalloc.h"
@@ -692,7 +687,7 @@ mm_session_pty_cleanup2(Session *s)
 
 #ifdef USE_PAM
 void
-mm_start_pam(Authctxt *authctxt)
+mm_start_pam(char *user)
 {
 	Buffer m;
 
@@ -701,6 +696,8 @@ mm_start_pam(Authctxt *authctxt)
 		fatal("UsePAM=no, but ended up in %s anyway", __func__);
 
 	buffer_init(&m);
+	buffer_put_cstring(&m, user);
+
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_START, &m);
 
 	buffer_free(&m);
@@ -914,6 +911,7 @@ mm_bsdauth_respond(void *ctx, u_int numresponses, char **responses)
 	return ((authok == 0) ? -1 : 0);
 }
 
+#ifdef SKEY
 int
 mm_skey_query(void *ctx, char **name, char **infotxt,
    u_int *numprompts, char ***prompts, u_int **echo_on)
@@ -977,6 +975,7 @@ mm_skey_respond(void *ctx, u_int numresponses, char **responses)
 
 	return ((authok == 0) ? -1 : 0);
 }
+#endif
 
 void
 mm_ssh1_session_id(u_char session_id[16])
diff --git a/crypto/openssh/monitor_wrap.h b/crypto/openssh/monitor_wrap.h
index 2170b13..c31bd2e 100644
--- a/crypto/openssh/monitor_wrap.h
+++ b/crypto/openssh/monitor_wrap.h
@@ -1,4 +1,5 @@
 /*	$OpenBSD: monitor_wrap.h,v 1.13 2003/11/17 11:06:07 markus Exp $	*/
+/*	$FreeBSD$	*/
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -66,7 +67,7 @@ OM_uint32 mm_ssh_gssapi_checkmic(Gssctxt *, gss_buffer_t, gss_buffer_t);
 #endif
 
 #ifdef USE_PAM
-void mm_start_pam(struct Authctxt *);
+void mm_start_pam(char *);
 u_int mm_do_pam_account(void);
 void *mm_sshpam_init_ctx(struct Authctxt *);
 int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **);
diff --git a/crypto/openssh/myproposal.h b/crypto/openssh/myproposal.h
index 8b431d9..065dd44 100644
--- a/crypto/openssh/myproposal.h
+++ b/crypto/openssh/myproposal.h
@@ -1,4 +1,5 @@
 /*	$OpenBSD: myproposal.h,v 1.15 2003/05/17 04:27:52 markus Exp $	*/
+/*	$FreeBSD$	*/
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -24,7 +25,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #define KEX_DEFAULT_KEX		"diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"
-#define	KEX_DEFAULT_PK_ALG	"ssh-rsa,ssh-dss"
+#define	KEX_DEFAULT_PK_ALG	"ssh-dss,ssh-rsa"
 #define	KEX_DEFAULT_ENCRYPT \
 	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \
 	"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
diff --git a/crypto/openssh/nchan.h b/crypto/openssh/nchan.h
deleted file mode 100644
index 623eccc..0000000
--- a/crypto/openssh/nchan.h
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * Copyright (c) 1999 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* RCSID("$OpenBSD: nchan.h,v 1.10 2001/02/28 08:54:55 markus Exp $"); */
-
-#ifndef NCHAN_H
-#define NCHAN_H
-
-/*
- * SSH Protocol 1.5 aka New Channel Protocol
- * Thanks to Martina, Axel and everyone who left Erlangen, leaving me bored.
- * Written by Markus Friedl in October 1999
- *
- * Protocol versions 1.3 and 1.5 differ in the handshake protocol used for the
- * tear down of channels:
- *
- * 1.3:	strict request-ack-protocol:
- * 	CLOSE	->
- * 		<-  CLOSE_CONFIRM
- *
- * 1.5:	uses variations of:
- * 	IEOF	->
- * 		<-  OCLOSE
- * 		<-  IEOF
- * 	OCLOSE	->
- * 	i.e. both sides have to close the channel
- *
- * See the debugging output from 'ssh -v' and 'sshd -d' of
- * ssh-1.2.27 as an example.
- *
- */
-
-/* ssh-proto-1.5 overloads prot-1.3-message-types */
-#define SSH_MSG_CHANNEL_INPUT_EOF	SSH_MSG_CHANNEL_CLOSE
-#define SSH_MSG_CHANNEL_OUTPUT_CLOSE	SSH_MSG_CHANNEL_CLOSE_CONFIRMATION
-
-/* possible input states */
-#define CHAN_INPUT_OPEN			0x01
-#define CHAN_INPUT_WAIT_DRAIN		0x02
-#define CHAN_INPUT_WAIT_OCLOSE		0x04
-#define CHAN_INPUT_CLOSED		0x08
-
-/* possible output states */
-#define CHAN_OUTPUT_OPEN		0x10
-#define CHAN_OUTPUT_WAIT_DRAIN		0x20
-#define CHAN_OUTPUT_WAIT_IEOF		0x40
-#define CHAN_OUTPUT_CLOSED		0x80
-
-#define CHAN_CLOSE_SENT			0x01
-#define CHAN_CLOSE_RCVD			0x02
-
-
-/* Channel EVENTS */
-typedef void    chan_event_fn(Channel * c);
-
-/* for the input state */
-extern chan_event_fn	*chan_rcvd_oclose;
-extern chan_event_fn	*chan_read_failed;
-extern chan_event_fn	*chan_ibuf_empty;
-
-/* for the output state */
-extern chan_event_fn	*chan_rcvd_ieof;
-extern chan_event_fn	*chan_write_failed;
-extern chan_event_fn	*chan_obuf_empty;
-
-int chan_is_dead(Channel * c);
-
-void    chan_init_iostates(Channel * c);
-void	chan_init(void);
-#endif
diff --git a/crypto/openssh/openbsd-compat/fake-rfc2553.h b/crypto/openssh/openbsd-compat/fake-rfc2553.h
index baea070..be93ee8 100644
--- a/crypto/openssh/openbsd-compat/fake-rfc2553.h
+++ b/crypto/openssh/openbsd-compat/fake-rfc2553.h
@@ -1,4 +1,5 @@
-/* $Id: fake-rfc2553.h,v 1.9 2004/03/10 10:06:33 dtucker Exp $ */
+/* $Id: fake-rfc2553.h,v 1.8 2004/02/10 02:05:41 dtucker Exp $ */
+/* $FreeBSD$ */
 
 /*
  * Copyright (C) 2000-2003 Damien Miller.  All rights reserved.
@@ -113,7 +114,7 @@ struct sockaddr_in6 {
 # define NI_MAXHOST 1025
 #endif /* !NI_MAXHOST */
 
-#ifndef EAI_NODATA
+#ifndef EAI_NONAME
 # define EAI_NODATA	1
 # define EAI_MEMORY	2
 # define EAI_NONAME	3
@@ -133,9 +134,6 @@ struct addrinfo {
 #endif /* !HAVE_STRUCT_ADDRINFO */
 
 #ifndef HAVE_GETADDRINFO
-#ifdef getaddrinfo
-# undef getaddrinfo
-#endif
 #define getaddrinfo(a,b,c,d)	(ssh_getaddrinfo(a,b,c,d))
 int getaddrinfo(const char *, const char *, 
     const struct addrinfo *, struct addrinfo **);
diff --git a/crypto/openssh/pty.c b/crypto/openssh/pty.c
deleted file mode 100644
index 9300bd5..0000000
--- a/crypto/openssh/pty.c
+++ /dev/null
@@ -1,275 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Allocating a pseudo-terminal, and making it the controlling tty.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: pty.c,v 1.16 2000/09/07 21:13:37 markus Exp $");
-
-#include <util.h>
-#include "pty.h"
-#include "ssh.h"
-
-/* Pty allocated with _getpty gets broken if we do I_PUSH:es to it. */
-#if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY)
-#undef HAVE_DEV_PTMX
-#endif
-
-#ifndef O_NOCTTY
-#define O_NOCTTY 0
-#endif
-
-/*
- * Allocates and opens a pty.  Returns 0 if no pty could be allocated, or
- * nonzero if a pty was successfully allocated.  On success, open file
- * descriptors for the pty and tty sides and the name of the tty side are
- * returned (the buffer must be able to hold at least 64 characters).
- */
-
-int
-pty_allocate(int *ptyfd, int *ttyfd, char *namebuf, int namebuflen)
-{
-#if defined(HAVE_OPENPTY) || defined(BSD4_4)
-	/* openpty(3) exists in OSF/1 and some other os'es */
-	char buf[64];
-	int i;
-
-	i = openpty(ptyfd, ttyfd, buf, NULL, NULL);
-	if (i < 0) {
-		error("openpty: %.100s", strerror(errno));
-		return 0;
-	}
-	strlcpy(namebuf, buf, namebuflen);	/* possible truncation */
-	return 1;
-#else /* HAVE_OPENPTY */
-#ifdef HAVE__GETPTY
-	/*
-	 * _getpty(3) exists in SGI Irix 4.x, 5.x & 6.x -- it generates more
-	 * pty's automagically when needed
-	 */
-	char *slave;
-
-	slave = _getpty(ptyfd, O_RDWR, 0622, 0);
-	if (slave == NULL) {
-		error("_getpty: %.100s", strerror(errno));
-		return 0;
-	}
-	strlcpy(namebuf, slave, namebuflen);
-	/* Open the slave side. */
-	*ttyfd = open(namebuf, O_RDWR | O_NOCTTY);
-	if (*ttyfd < 0) {
-		error("%.200s: %.100s", namebuf, strerror(errno));
-		close(*ptyfd);
-		return 0;
-	}
-	return 1;
-#else /* HAVE__GETPTY */
-#ifdef HAVE_DEV_PTMX
-	/*
-	 * This code is used e.g. on Solaris 2.x.  (Note that Solaris 2.3
-	 * also has bsd-style ptys, but they simply do not work.)
-	 */
-	int ptm;
-	char *pts;
-
-	ptm = open("/dev/ptmx", O_RDWR | O_NOCTTY);
-	if (ptm < 0) {
-		error("/dev/ptmx: %.100s", strerror(errno));
-		return 0;
-	}
-	if (grantpt(ptm) < 0) {
-		error("grantpt: %.100s", strerror(errno));
-		return 0;
-	}
-	if (unlockpt(ptm) < 0) {
-		error("unlockpt: %.100s", strerror(errno));
-		return 0;
-	}
-	pts = ptsname(ptm);
-	if (pts == NULL)
-		error("Slave pty side name could not be obtained.");
-	strlcpy(namebuf, pts, namebuflen);
-	*ptyfd = ptm;
-
-	/* Open the slave side. */
-	*ttyfd = open(namebuf, O_RDWR | O_NOCTTY);
-	if (*ttyfd < 0) {
-		error("%.100s: %.100s", namebuf, strerror(errno));
-		close(*ptyfd);
-		return 0;
-	}
-	/* Push the appropriate streams modules, as described in Solaris pts(7). */
-	if (ioctl(*ttyfd, I_PUSH, "ptem") < 0)
-		error("ioctl I_PUSH ptem: %.100s", strerror(errno));
-	if (ioctl(*ttyfd, I_PUSH, "ldterm") < 0)
-		error("ioctl I_PUSH ldterm: %.100s", strerror(errno));
-	if (ioctl(*ttyfd, I_PUSH, "ttcompat") < 0)
-		error("ioctl I_PUSH ttcompat: %.100s", strerror(errno));
-	return 1;
-#else /* HAVE_DEV_PTMX */
-#ifdef HAVE_DEV_PTS_AND_PTC
-	/* AIX-style pty code. */
-	const char *name;
-
-	*ptyfd = open("/dev/ptc", O_RDWR | O_NOCTTY);
-	if (*ptyfd < 0) {
-		error("Could not open /dev/ptc: %.100s", strerror(errno));
-		return 0;
-	}
-	name = ttyname(*ptyfd);
-	if (!name)
-		fatal("Open of /dev/ptc returns device for which ttyname fails.");
-	strlcpy(namebuf, name, namebuflen);
-	*ttyfd = open(name, O_RDWR | O_NOCTTY);
-	if (*ttyfd < 0) {
-		error("Could not open pty slave side %.100s: %.100s",
-		      name, strerror(errno));
-		close(*ptyfd);
-		return 0;
-	}
-	return 1;
-#else /* HAVE_DEV_PTS_AND_PTC */
-	/* BSD-style pty code. */
-	char buf[64];
-	int i;
-	const char *ptymajors = "pqrstuvwxyzabcdefghijklmnoABCDEFGHIJKLMNOPQRSTUVWXYZ";
-	const char *ptyminors = "0123456789abcdef";
-	int num_minors = strlen(ptyminors);
-	int num_ptys = strlen(ptymajors) * num_minors;
-
-	for (i = 0; i < num_ptys; i++) {
-		snprintf(buf, sizeof buf, "/dev/pty%c%c", ptymajors[i / num_minors],
-			 ptyminors[i % num_minors]);
-		*ptyfd = open(buf, O_RDWR | O_NOCTTY);
-		if (*ptyfd < 0)
-			continue;
-		snprintf(namebuf, namebuflen, "/dev/tty%c%c",
-		    ptymajors[i / num_minors], ptyminors[i % num_minors]);
-
-		/* Open the slave side. */
-		*ttyfd = open(namebuf, O_RDWR | O_NOCTTY);
-		if (*ttyfd < 0) {
-			error("%.100s: %.100s", namebuf, strerror(errno));
-			close(*ptyfd);
-			return 0;
-		}
-		return 1;
-	}
-	return 0;
-#endif /* HAVE_DEV_PTS_AND_PTC */
-#endif /* HAVE_DEV_PTMX */
-#endif /* HAVE__GETPTY */
-#endif /* HAVE_OPENPTY */
-}
-
-/* Releases the tty.  Its ownership is returned to root, and permissions to 0666. */
-
-void
-pty_release(const char *ttyname)
-{
-	if (chown(ttyname, (uid_t) 0, (gid_t) 0) < 0)
-		error("chown %.100s 0 0 failed: %.100s", ttyname, strerror(errno));
-	if (chmod(ttyname, (mode_t) 0666) < 0)
-		error("chmod %.100s 0666 failed: %.100s", ttyname, strerror(errno));
-}
-
-/* Makes the tty the processes controlling tty and sets it to sane modes. */
-
-void
-pty_make_controlling_tty(int *ttyfd, const char *ttyname)
-{
-	int fd;
-
-	/* First disconnect from the old controlling tty. */
-#ifdef TIOCNOTTY
-	fd = open("/dev/tty", O_RDWR | O_NOCTTY);
-	if (fd >= 0) {
-		(void) ioctl(fd, TIOCNOTTY, NULL);
-		close(fd);
-	}
-#endif /* TIOCNOTTY */
-	if (setsid() < 0)
-		error("setsid: %.100s", strerror(errno));
-
-	/*
-	 * Verify that we are successfully disconnected from the controlling
-	 * tty.
-	 */
-	fd = open("/dev/tty", O_RDWR | O_NOCTTY);
-	if (fd >= 0) {
-		error("Failed to disconnect from controlling tty.");
-		close(fd);
-	}
-	/* Make it our controlling tty. */
-#ifdef TIOCSCTTY
-	debug("Setting controlling tty using TIOCSCTTY.");
-	/*
-	 * We ignore errors from this, because HPSUX defines TIOCSCTTY, but
-	 * returns EINVAL with these arguments, and there is absolutely no
-	 * documentation.
-	 */
-	ioctl(*ttyfd, TIOCSCTTY, NULL);
-#endif /* TIOCSCTTY */
-	fd = open(ttyname, O_RDWR);
-	if (fd < 0)
-		error("%.100s: %.100s", ttyname, strerror(errno));
-	else
-		close(fd);
-
-	/* Verify that we now have a controlling tty. */
-	fd = open("/dev/tty", O_WRONLY);
-	if (fd < 0)
-		error("open /dev/tty failed - could not set controlling tty: %.100s",
-		      strerror(errno));
-	else {
-		close(fd);
-	}
-}
-
-/* Changes the window size associated with the pty. */
-
-void
-pty_change_window_size(int ptyfd, int row, int col,
-		       int xpixel, int ypixel)
-{
-	struct winsize w;
-	w.ws_row = row;
-	w.ws_col = col;
-	w.ws_xpixel = xpixel;
-	w.ws_ypixel = ypixel;
-	(void) ioctl(ptyfd, TIOCSWINSZ, &w);
-}
-
-void
-pty_setowner(struct passwd *pw, const char *ttyname)
-{
-	struct group *grp;
-	gid_t gid;
-	mode_t mode;
-
-	/* Determine the group to make the owner of the tty. */
-	grp = getgrnam("tty");
-	if (grp) {
-		gid = grp->gr_gid;
-		mode = S_IRUSR | S_IWUSR | S_IWGRP;
-	} else {
-		gid = pw->pw_gid;
-		mode = S_IRUSR | S_IWUSR | S_IWGRP | S_IWOTH;
-	}
-
-	/* Change ownership of the tty. */
-	if (chown(ttyname, pw->pw_uid, gid) < 0)
-		fatal("chown(%.100s, %d, %d) failed: %.100s",
-		    ttyname, pw->pw_uid, gid, strerror(errno));
-	if (chmod(ttyname, mode) < 0)
-		fatal("chmod(%.100s, 0%o) failed: %.100s",
-		    ttyname, mode, strerror(errno));
-}
diff --git a/crypto/openssh/pty.h b/crypto/openssh/pty.h
deleted file mode 100644
index 13d8e60..0000000
--- a/crypto/openssh/pty.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Functions for allocating a pseudo-terminal and making it the controlling
- * tty.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-/* RCSID("$OpenBSD: pty.h,v 1.8 2000/09/07 20:27:52 deraadt Exp $"); */
-
-#ifndef PTY_H
-#define PTY_H
-
-/*
- * Allocates and opens a pty.  Returns 0 if no pty could be allocated, or
- * nonzero if a pty was successfully allocated.  On success, open file
- * descriptors for the pty and tty sides and the name of the tty side are
- * returned (the buffer must be able to hold at least 64 characters).
- */
-int     pty_allocate(int *ptyfd, int *ttyfd, char *ttyname, int ttynamelen);
-
-/*
- * Releases the tty.  Its ownership is returned to root, and permissions to
- * 0666.
- */
-void    pty_release(const char *ttyname);
-
-/*
- * Makes the tty the processes controlling tty and sets it to sane modes.
- * This may need to reopen the tty to get rid of possible eavesdroppers.
- */
-void    pty_make_controlling_tty(int *ttyfd, const char *ttyname);
-
-/* Changes the window size associated with the pty. */
-void
-pty_change_window_size(int ptyfd, int row, int col,
-    int xpixel, int ypixel);
-
-void	pty_setowner(struct passwd *pw, const char *ttyname);
-
-#endif				/* PTY_H */
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index ce0d1f7..1494abd 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -12,7 +12,8 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: readconf.c,v 1.128 2004/03/05 10:53:58 markus Exp $");
+RCSID("$OpenBSD: readconf.c,v 1.127 2003/12/16 15:49:51 markus Exp $");
+RCSID("$FreeBSD$");
 
 #include "ssh.h"
 #include "xmalloc.h"
@@ -105,7 +106,8 @@ typedef enum {
 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-	oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
+	oServerAliveInterval, oServerAliveCountMax,
+	oVersionAddendum,
 	oDeprecated, oUnsupported
 } OpCodes;
 
@@ -147,7 +149,6 @@ static struct {
 	{ "usersh", oDeprecated },
 	{ "identityfile", oIdentityFile },
 	{ "identityfile2", oIdentityFile },			/* alias */
-	{ "identitiesonly", oIdentitiesOnly },
 	{ "hostname", oHostName },
 	{ "hostkeyalias", oHostKeyAlias },
 	{ "proxycommand", oProxyCommand },
@@ -193,6 +194,7 @@ static struct {
 	{ "addressfamily", oAddressFamily },
 	{ "serveraliveinterval", oServerAliveInterval },
 	{ "serveralivecountmax", oServerAliveCountMax },
+	{ "versionaddendum", oVersionAddendum },
 	{ NULL, oBadOption }
 };
 
@@ -737,10 +739,6 @@ parse_int:
 		intptr = &options->enable_ssh_keysign;
 		goto parse_flag;
 
-	case oIdentitiesOnly:
-		intptr = &options->identities_only;
-		goto parse_flag;
-
 	case oServerAliveInterval:
 		intptr = &options->server_alive_interval;
 		goto parse_time;
@@ -749,6 +747,13 @@ parse_int:
 		intptr = &options->server_alive_count_max;
 		goto parse_int;
 
+	case oVersionAddendum:
+		ssh_version_set_addendum(strtok(s, "\n"));
+		do {
+			arg = strdelim(&s);
+		} while (arg != NULL && *arg != '\0');
+		break;
+
 	case oDeprecated:
 		debug("%s line %d: Deprecated option \"%s\"",
 		    filename, linenum, keyword);
@@ -874,7 +879,6 @@ initialize_options(Options * options)
 	options->smartcard_device = NULL;
 	options->enable_ssh_keysign = - 1;
 	options->no_host_authentication_for_localhost = - 1;
-	options->identities_only = - 1;
 	options->rekey_limit = - 1;
 	options->verify_host_key_dns = -1;
 	options->server_alive_interval = -1;
@@ -924,7 +928,7 @@ fill_default_options(Options * options)
 	if (options->batch_mode == -1)
 		options->batch_mode = 0;
 	if (options->check_host_ip == -1)
-		options->check_host_ip = 1;
+		options->check_host_ip = 0;
 	if (options->strict_host_key_checking == -1)
 		options->strict_host_key_checking = 2;	/* 2 is default */
 	if (options->compression == -1)
@@ -987,8 +991,6 @@ fill_default_options(Options * options)
 		clear_forwardings(options);
 	if (options->no_host_authentication_for_localhost == - 1)
 		options->no_host_authentication_for_localhost = 0;
-	if (options->identities_only == -1)
-		options->identities_only = 0;
 	if (options->enable_ssh_keysign == -1)
 		options->enable_ssh_keysign = 0;
 	if (options->rekey_limit == -1)
diff --git a/crypto/openssh/readconf.h b/crypto/openssh/readconf.h
index 93d833c..3f27af9 100644
--- a/crypto/openssh/readconf.h
+++ b/crypto/openssh/readconf.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: readconf.h,v 1.60 2004/03/05 10:53:58 markus Exp $	*/
+/*	$OpenBSD: readconf.h,v 1.59 2003/12/16 15:49:51 markus Exp $	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -100,7 +100,6 @@ typedef struct {
 	int	enable_ssh_keysign;
 	int	rekey_limit;
 	int	no_host_authentication_for_localhost;
-	int	identities_only;
 	int	server_alive_interval; 
 	int	server_alive_count_max;
 }       Options;
diff --git a/crypto/openssh/scard/Makefile b/crypto/openssh/scard/Makefile
deleted file mode 100644
index 1cf7bbd..0000000
--- a/crypto/openssh/scard/Makefile
+++ /dev/null
@@ -1,20 +0,0 @@
-#	$OpenBSD: Makefile,v 1.2 2001/06/29 07:02:09 markus Exp $
-
-.PATH:		${.CURDIR}/..
-
-CARDLET=	Ssh.bin
-DATADIR=	/usr/libdata/ssh
-
-all: ${CARDLET}
-
-clean:
-	rm -f ${CARDLET}
-
-install: ${CARDLET}
-	install -c -m ${LIBMODE} -o ${LIBOWN} -g ${LIBGRP} \
-	    ${CARDLET} ${DESTDIR}${DATADIR}
-
-Ssh.bin: ${.CURDIR}/Ssh.bin.uu
-	uudecode ${.CURDIR}/$@.uu
-
-.include <bsd.prog.mk>
diff --git a/crypto/openssh/scp-common.c b/crypto/openssh/scp-common.c
deleted file mode 100644
index 7e5f09c..0000000
--- a/crypto/openssh/scp-common.c
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
- * Copyright (c) 1999 Aaron Campbell.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Parts from:
- *
- * Copyright (c) 1983, 1990, 1992, 1993, 1995
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: scp-common.c,v 1.1 2001/04/16 02:31:43 mouring Exp $");
-
-char *
-cleanhostname(host)
-	char *host;
-{
-	if (*host == '[' && host[strlen(host) - 1] == ']') {
-		host[strlen(host) - 1] = '\0';
-		return (host + 1);
-	} else
-		return host;
-}
-
-char *
-colon(cp)
-	char *cp;
-{
-	int flag = 0;
-
-	if (*cp == ':')		/* Leading colon is part of file name. */
-		return (0);
-	if (*cp == '[')
-		flag = 1;
-
-	for (; *cp; ++cp) {
-		if (*cp == '@' && *(cp+1) == '[')
-			flag = 1;
-		if (*cp == ']' && *(cp+1) == ':' && flag)
-			return (cp+1);
-		if (*cp == ':' && !flag)
-			return (cp);
-		if (*cp == '/')
-			return (0);
-	}
-	return (0);
-}
diff --git a/crypto/openssh/scp-common.h b/crypto/openssh/scp-common.h
deleted file mode 100644
index e0ab6ec..0000000
--- a/crypto/openssh/scp-common.h
+++ /dev/null
@@ -1,64 +0,0 @@
-/* $OpenBSD: scp-common.h,v 1.1 2001/04/16 02:31:43 mouring Exp $ */
-/*
- * Copyright (c) 1999 Theo de Raadt.  All rights reserved.
- * Copyright (c) 1999 Aaron Campbell.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Parts from:
- *
- * Copyright (c) 1983, 1990, 1992, 1993, 1995
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- */
-
-char *cleanhostname(char *host);
-char *colon(char *cp);
diff --git a/crypto/openssh/scp/Makefile b/crypto/openssh/scp/Makefile
deleted file mode 100644
index c8959bb..0000000
--- a/crypto/openssh/scp/Makefile
+++ /dev/null
@@ -1,15 +0,0 @@
-#	$OpenBSD: Makefile,v 1.13 2001/05/03 23:09:55 mouring Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	scp
-BINOWN=	root
-
-BINMODE?=555
-
-BINDIR=	/usr/bin
-MAN=	scp.1
-
-SRCS=	scp.c misc.c
-
-.include <bsd.prog.mk>
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index a72246b..2afd6eb 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -11,6 +11,7 @@
 
 #include "includes.h"
 RCSID("$OpenBSD: servconf.c,v 1.130 2003/12/23 16:12:10 jakob Exp $");
+RCSID("$FreeBSD$");
 
 #include "ssh.h"
 #include "log.h"
@@ -111,11 +112,11 @@ fill_default_server_options(ServerOptions *options)
 {
 	/* Portable-specific options */
 	if (options->use_pam == -1)
-		options->use_pam = 0;
+		options->use_pam = 1;
 
 	/* Standard Options */
 	if (options->protocol == SSH_PROTO_UNKNOWN)
-		options->protocol = SSH_PROTO_1|SSH_PROTO_2;
+		options->protocol = SSH_PROTO_2;
 	if (options->num_host_key_files == 0) {
 		/* fill default hostkeys for protocols */
 		if (options->protocol & SSH_PROTO_1)
@@ -123,8 +124,6 @@ fill_default_server_options(ServerOptions *options)
 			    _PATH_HOST_KEY_FILE;
 		if (options->protocol & SSH_PROTO_2) {
 			options->host_key_files[options->num_host_key_files++] =
-			    _PATH_HOST_RSA_KEY_FILE;
-			options->host_key_files[options->num_host_key_files++] =
 			    _PATH_HOST_DSA_KEY_FILE;
 		}
 	}
@@ -141,7 +140,7 @@ fill_default_server_options(ServerOptions *options)
 	if (options->key_regeneration_time == -1)
 		options->key_regeneration_time = 3600;
 	if (options->permit_root_login == PERMIT_NOT_SET)
-		options->permit_root_login = PERMIT_YES;
+		options->permit_root_login = PERMIT_NO;
 	if (options->ignore_rhosts == -1)
 		options->ignore_rhosts = 1;
 	if (options->ignore_user_known_hosts == -1)
@@ -151,7 +150,7 @@ fill_default_server_options(ServerOptions *options)
 	if (options->print_lastlog == -1)
 		options->print_lastlog = 1;
 	if (options->x11_forwarding == -1)
-		options->x11_forwarding = 0;
+		options->x11_forwarding = 1;
 	if (options->x11_display_offset == -1)
 		options->x11_display_offset = 10;
 	if (options->x11_use_localhost == -1)
@@ -189,7 +188,11 @@ fill_default_server_options(ServerOptions *options)
 	if (options->gss_cleanup_creds == -1)
 		options->gss_cleanup_creds = 1;
 	if (options->password_authentication == -1)
+#ifdef USE_PAM
+		options->password_authentication = 0;
+#else
 		options->password_authentication = 1;
+#endif
 	if (options->kbd_interactive_authentication == -1)
 		options->kbd_interactive_authentication = 0;
 	if (options->challenge_response_authentication == -1)
@@ -268,6 +271,7 @@ typedef enum {
 	sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
 	sGssAuthentication, sGssCleanupCreds,
 	sUsePrivilegeSeparation,
+	sVersionAddendum,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -366,6 +370,7 @@ static struct {
 	{ "authorizedkeysfile", sAuthorizedKeysFile },
 	{ "authorizedkeysfile2", sAuthorizedKeysFile2 },
 	{ "useprivilegeseparation", sUsePrivilegeSeparation},
+	{ "versionaddendum", sVersionAddendum },
 	{ NULL, sBadOption }
 };
 
@@ -892,6 +897,13 @@ parse_flag:
 		intptr = &options->client_alive_count_max;
 		goto parse_int;
 
+	case sVersionAddendum:
+                ssh_version_set_addendum(strtok(cp, "\n"));
+                do {
+                        arg = strdelim(&cp);
+                } while (arg != NULL && *arg != '\0');
+		break;
+
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
diff --git a/crypto/openssh/servconf.h b/crypto/openssh/servconf.h
index 57c7e5f..7b1ba7f 100644
--- a/crypto/openssh/servconf.h
+++ b/crypto/openssh/servconf.h
@@ -1,4 +1,5 @@
 /*	$OpenBSD: servconf.h,v 1.67 2003/12/23 16:12:10 jakob Exp $	*/
+/*	$FreeBSD$	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
diff --git a/crypto/openssh/session.c b/crypto/openssh/session.c
index 55db2ff..3913214 100644
--- a/crypto/openssh/session.c
+++ b/crypto/openssh/session.c
@@ -34,6 +34,7 @@
 
 #include "includes.h"
 RCSID("$OpenBSD: session.c,v 1.172 2004/01/30 09:48:57 markus Exp $");
+RCSID("$FreeBSD$");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -201,7 +202,6 @@ display_loginmsg(void)
 		printf("%s\n", (char *)buffer_ptr(&loginmsg));
 		buffer_clear(&loginmsg);
 	}
-	fflush(stdout);
 }
 
 void
@@ -493,13 +493,6 @@ do_exec_no_pty(Session *s, const char *command)
 	close(err[0]);
 
 	/*
-	 * Clear loginmsg, since it's the child's responsibility to display
-	 * it to the user, otherwise multiple sessions may accumulate
-	 * multiple copies of the login messages.
-	 */
-	buffer_clear(&loginmsg);
-
-	/*
 	 * Enter the interactive session.  Note: server_loop must be able to
 	 * handle the case that fdin and fdout are the same.
 	 */
@@ -748,6 +741,24 @@ do_motd(void)
 {
 	FILE *f;
 	char buf[256];
+#ifdef HAVE_LOGIN_CAP
+	const char *fname;
+#endif
+
+#ifdef HAVE_LOGIN_CAP
+	fname = login_getcapstr(lc, "copyright", NULL, NULL);
+	if (fname != NULL && (f = fopen(fname, "r")) != NULL) {
+		while (fgets(buf, sizeof(buf), f) != NULL)
+			fputs(buf, stdout);
+			fclose(f);
+	} else
+#endif /* HAVE_LOGIN_CAP */
+		(void)printf("%s\n\t%s %s\n",
+	"Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
+	"The Regents of the University of California. ",
+	"All rights reserved.");
+
+	(void)printf("\n");
 
 	if (options.print_motd) {
 #ifdef HAVE_LOGIN_CAP
@@ -972,6 +983,10 @@ do_setup_env(Session *s, const char *shell)
 	char buf[256];
 	u_int i, envsize;
 	char **env, *laddr, *path = NULL;
+#ifdef HAVE_LOGIN_CAP
+	extern char **environ;
+	char **senv, **var;
+#endif
 	struct passwd *pw = s->pw;
 
 	/* Initialize the environment. */
@@ -987,6 +1002,9 @@ do_setup_env(Session *s, const char *shell)
 	copy_environment(environ, &env, &envsize);
 #endif
 
+	if (getenv("TZ"))
+		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+
 #ifdef GSSAPI
 	/* Allow any GSSAPI methods that we've used to alter
 	 * the childs environment as they see fit
@@ -1002,11 +1020,22 @@ do_setup_env(Session *s, const char *shell)
 		child_set_env(&env, &envsize, "LOGIN", pw->pw_name);
 #endif
 		child_set_env(&env, &envsize, "HOME", pw->pw_dir);
+		snprintf(buf, sizeof buf, "%.200s/%.50s",
+			 _PATH_MAILDIR, pw->pw_name);
+		child_set_env(&env, &envsize, "MAIL", buf);
 #ifdef HAVE_LOGIN_CAP
-		if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETPATH) < 0)
-			child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
-		else
-			child_set_env(&env, &envsize, "PATH", getenv("PATH"));
+		child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);
+		child_set_env(&env, &envsize, "TERM", "su");
+		senv = environ;
+		environ = xmalloc(sizeof(char *));
+		*environ = NULL;
+		(void) setusercontext(lc, pw, pw->pw_uid,
+		    LOGIN_SETENV|LOGIN_SETPATH);
+		copy_environment(environ, &env, &envsize);
+		for (var = environ; *var != NULL; ++var)
+			xfree(*var);
+		xfree(environ);
+		environ = senv;
 #else /* HAVE_LOGIN_CAP */
 # ifndef HAVE_CYGWIN
 		/*
@@ -1027,15 +1056,9 @@ do_setup_env(Session *s, const char *shell)
 # endif /* HAVE_CYGWIN */
 #endif /* HAVE_LOGIN_CAP */
 
-		snprintf(buf, sizeof buf, "%.200s/%.50s",
-			 _PATH_MAILDIR, pw->pw_name);
-		child_set_env(&env, &envsize, "MAIL", buf);
-
 		/* Normal systems set SHELL by default. */
 		child_set_env(&env, &envsize, "SHELL", shell);
 	}
-	if (getenv("TZ"))
-		child_set_env(&env, &envsize, "TZ", getenv("TZ"));
 
 	/* Set custom environment options from RSA authentication. */
 	if (!options.use_login) {
@@ -1093,9 +1116,9 @@ do_setup_env(Session *s, const char *shell)
 	}
 #endif
 #ifdef KRB5
-	if (s->authctxt->krb5_ccname)
+	if (s->authctxt->krb5_ticket_file)
 		child_set_env(&env, &envsize, "KRB5CCNAME",
-		    s->authctxt->krb5_ccname);
+		    s->authctxt->krb5_ticket_file);
 #endif
 #ifdef USE_PAM
 	/*
@@ -1255,7 +1278,7 @@ do_setusercontext(struct passwd *pw)
 		}
 # endif /* USE_PAM */
 		if (setusercontext(lc, pw, pw->pw_uid,
-		    (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) {
+		    (LOGIN_SETALL & ~(LOGIN_SETENV|LOGIN_SETPATH))) < 0) {
 			perror("unable to set user context");
 			exit(1);
 		}
@@ -1391,6 +1414,9 @@ do_child(Session *s, const char *command)
 	char *argv[10];
 	const char *shell, *shell0, *hostname = NULL;
 	struct passwd *pw = s->pw;
+#ifdef HAVE_LOGIN_CAP
+	int lc_requirehome;
+#endif
 
 	/* remove hostkey from the child's memory */
 	destroy_sensitive_data();
@@ -1461,6 +1487,10 @@ do_child(Session *s, const char *command)
 	 */
 	environ = env;
 
+#ifdef HAVE_LOGIN_CAP
+	lc_requirehome = login_getcapbool(lc, "requirehome", 0);
+	login_close(lc);
+#endif
 #if defined(KRB5) && defined(USE_AFS)
 	/*
 	 * At this point, we check to see if AFS is active and if we have
@@ -1492,7 +1522,7 @@ do_child(Session *s, const char *command)
 		fprintf(stderr, "Could not chdir to home directory %s: %s\n",
 		    pw->pw_dir, strerror(errno));
 #ifdef HAVE_LOGIN_CAP
-		if (login_getcapbool(lc, "requirehome", 0))
+		if (lc_requirehome)
 			exit(1);
 #endif
 	}
diff --git a/crypto/openssh/sftp-glob.h b/crypto/openssh/sftp-glob.h
deleted file mode 100644
index f879e87..0000000
--- a/crypto/openssh/sftp-glob.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/* $OpenBSD: sftp-glob.h,v 1.8 2002/09/11 22:41:50 djm Exp $ */
-
-/*
- * Copyright (c) 2001,2002 Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* Remote sftp filename globbing */
-
-#ifndef _SFTP_GLOB_H
-#define _SFTP_GLOB_H
-
-#include "sftp-client.h"
-
-int remote_glob(struct sftp_conn *, const char *, int,
-    int (*)(const char *, int), glob_t *);
-
-#endif
diff --git a/crypto/openssh/sftp-int.c b/crypto/openssh/sftp-int.c
deleted file mode 100644
index c93eaab..0000000
--- a/crypto/openssh/sftp-int.c
+++ /dev/null
@@ -1,1191 +0,0 @@
-/*
- * Copyright (c) 2001,2002 Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* XXX: recursive operations */
-
-#include "includes.h"
-RCSID("$OpenBSD: sftp-int.c,v 1.62 2003/08/25 08:13:09 fgsch Exp $");
-
-#include "buffer.h"
-#include "xmalloc.h"
-#include "log.h"
-#include "pathnames.h"
-
-#include "sftp.h"
-#include "sftp-common.h"
-#include "sftp-glob.h"
-#include "sftp-client.h"
-#include "sftp-int.h"
-
-/* File to read commands from */
-extern FILE *infile;
-
-/* Size of buffer used when copying files */
-extern size_t copy_buffer_len;
-
-/* Number of concurrent outstanding requests */
-extern int num_requests;
-
-/* This is set to 0 if the progressmeter is not desired. */
-int showprogress = 1;
-
-/* Seperators for interactive commands */
-#define WHITESPACE " \t\r\n"
-
-/* Define what type of ls view (0 - multi-column) */
-#define LONG_VIEW 1		/* Full view ala ls -l */
-#define SHORT_VIEW 2		/* Single row view ala ls -1 */
-
-/* Commands for interactive mode */
-#define I_CHDIR		1
-#define I_CHGRP		2
-#define I_CHMOD		3
-#define I_CHOWN		4
-#define I_GET		5
-#define I_HELP		6
-#define I_LCHDIR	7
-#define I_LLS		8
-#define I_LMKDIR	9
-#define I_LPWD		10
-#define I_LS		11
-#define I_LUMASK	12
-#define I_MKDIR		13
-#define I_PUT		14
-#define I_PWD		15
-#define I_QUIT		16
-#define I_RENAME	17
-#define I_RM		18
-#define I_RMDIR		19
-#define I_SHELL		20
-#define I_SYMLINK	21
-#define I_VERSION	22
-#define I_PROGRESS	23
-
-struct CMD {
-	const char *c;
-	const int n;
-};
-
-static const struct CMD cmds[] = {
-	{ "bye",	I_QUIT },
-	{ "cd",		I_CHDIR },
-	{ "chdir",	I_CHDIR },
-	{ "chgrp",	I_CHGRP },
-	{ "chmod",	I_CHMOD },
-	{ "chown",	I_CHOWN },
-	{ "dir",	I_LS },
-	{ "exit",	I_QUIT },
-	{ "get",	I_GET },
-	{ "mget",	I_GET },
-	{ "help",	I_HELP },
-	{ "lcd",	I_LCHDIR },
-	{ "lchdir",	I_LCHDIR },
-	{ "lls",	I_LLS },
-	{ "lmkdir",	I_LMKDIR },
-	{ "ln",		I_SYMLINK },
-	{ "lpwd",	I_LPWD },
-	{ "ls",		I_LS },
-	{ "lumask",	I_LUMASK },
-	{ "mkdir",	I_MKDIR },
-	{ "progress",	I_PROGRESS },
-	{ "put",	I_PUT },
-	{ "mput",	I_PUT },
-	{ "pwd",	I_PWD },
-	{ "quit",	I_QUIT },
-	{ "rename",	I_RENAME },
-	{ "rm",		I_RM },
-	{ "rmdir",	I_RMDIR },
-	{ "symlink",	I_SYMLINK },
-	{ "version",	I_VERSION },
-	{ "!",		I_SHELL },
-	{ "?",		I_HELP },
-	{ NULL,			-1}
-};
-
-static void
-help(void)
-{
-	printf("Available commands:\n");
-	printf("cd path                       Change remote directory to 'path'\n");
-	printf("lcd path                      Change local directory to 'path'\n");
-	printf("chgrp grp path                Change group of file 'path' to 'grp'\n");
-	printf("chmod mode path               Change permissions of file 'path' to 'mode'\n");
-	printf("chown own path                Change owner of file 'path' to 'own'\n");
-	printf("help                          Display this help text\n");
-	printf("get remote-path [local-path]  Download file\n");
-	printf("lls [ls-options [path]]       Display local directory listing\n");
-	printf("ln oldpath newpath            Symlink remote file\n");
-	printf("lmkdir path                   Create local directory\n");
-	printf("lpwd                          Print local working directory\n");
-	printf("ls [path]                     Display remote directory listing\n");
-	printf("lumask umask                  Set local umask to 'umask'\n");
-	printf("mkdir path                    Create remote directory\n");
-	printf("progress                      Toggle display of progress meter\n");
-	printf("put local-path [remote-path]  Upload file\n");
-	printf("pwd                           Display remote working directory\n");
-	printf("exit                          Quit sftp\n");
-	printf("quit                          Quit sftp\n");
-	printf("rename oldpath newpath        Rename remote file\n");
-	printf("rmdir path                    Remove remote directory\n");
-	printf("rm path                       Delete remote file\n");
-	printf("symlink oldpath newpath       Symlink remote file\n");
-	printf("version                       Show SFTP version\n");
-	printf("!command                      Execute 'command' in local shell\n");
-	printf("!                             Escape to local shell\n");
-	printf("?                             Synonym for help\n");
-}
-
-static void
-local_do_shell(const char *args)
-{
-	int status;
-	char *shell;
-	pid_t pid;
-
-	if (!*args)
-		args = NULL;
-
-	if ((shell = getenv("SHELL")) == NULL)
-		shell = _PATH_BSHELL;
-
-	if ((pid = fork()) == -1)
-		fatal("Couldn't fork: %s", strerror(errno));
-
-	if (pid == 0) {
-		/* XXX: child has pipe fds to ssh subproc open - issue? */
-		if (args) {
-			debug3("Executing %s -c \"%s\"", shell, args);
-			execl(shell, shell, "-c", args, (char *)NULL);
-		} else {
-			debug3("Executing %s", shell);
-			execl(shell, shell, (char *)NULL);
-		}
-		fprintf(stderr, "Couldn't execute \"%s\": %s\n", shell,
-		    strerror(errno));
-		_exit(1);
-	}
-	while (waitpid(pid, &status, 0) == -1)
-		if (errno != EINTR)
-			fatal("Couldn't wait for child: %s", strerror(errno));
-	if (!WIFEXITED(status))
-		error("Shell exited abormally");
-	else if (WEXITSTATUS(status))
-		error("Shell exited with status %d", WEXITSTATUS(status));
-}
-
-static void
-local_do_ls(const char *args)
-{
-	if (!args || !*args)
-		local_do_shell(_PATH_LS);
-	else {
-		int len = strlen(_PATH_LS " ") + strlen(args) + 1;
-		char *buf = xmalloc(len);
-
-		/* XXX: quoting - rip quoting code from ftp? */
-		snprintf(buf, len, _PATH_LS " %s", args);
-		local_do_shell(buf);
-		xfree(buf);
-	}
-}
-
-/* Strip one path (usually the pwd) from the start of another */
-static char *
-path_strip(char *path, char *strip)
-{
-	size_t len;
-
-	if (strip == NULL)
-		return (xstrdup(path));
-
-	len = strlen(strip);
-	if (strip != NULL && strncmp(path, strip, len) == 0) {
-		if (strip[len - 1] != '/' && path[len] == '/')
-			len++;
-		return (xstrdup(path + len));
-	}
-
-	return (xstrdup(path));
-}
-
-static char *
-path_append(char *p1, char *p2)
-{
-	char *ret;
-	int len = strlen(p1) + strlen(p2) + 2;
-
-	ret = xmalloc(len);
-	strlcpy(ret, p1, len);
-	if (p1[strlen(p1) - 1] != '/')
-		strlcat(ret, "/", len);
-	strlcat(ret, p2, len);
-
-	return(ret);
-}
-
-static char *
-make_absolute(char *p, char *pwd)
-{
-	char *abs;
-
-	/* Derelativise */
-	if (p && p[0] != '/') {
-		abs = path_append(pwd, p);
-		xfree(p);
-		return(abs);
-	} else
-		return(p);
-}
-
-static int
-infer_path(const char *p, char **ifp)
-{
-	char *cp;
-
-	cp = strrchr(p, '/');
-	if (cp == NULL) {
-		*ifp = xstrdup(p);
-		return(0);
-	}
-
-	if (!cp[1]) {
-		error("Invalid path");
-		return(-1);
-	}
-
-	*ifp = xstrdup(cp + 1);
-	return(0);
-}
-
-static int
-parse_getput_flags(const char **cpp, int *pflag)
-{
-	const char *cp = *cpp;
-
-	/* Check for flags */
-	if (cp[0] == '-' && cp[1] && strchr(WHITESPACE, cp[2])) {
-		switch (cp[1]) {
-		case 'p':
-		case 'P':
-			*pflag = 1;
-			break;
-		default:
-			error("Invalid flag -%c", cp[1]);
-			return(-1);
-		}
-		cp += 2;
-		*cpp = cp + strspn(cp, WHITESPACE);
-	}
-
-	return(0);
-}
-
-static int
-parse_ls_flags(const char **cpp, int *lflag)
-{
-	const char *cp = *cpp;
-
-	/* Check for flags */
-	if (cp++[0] == '-') {
-		for(; strchr(WHITESPACE, *cp) == NULL; cp++) {
-			switch (*cp) {
-			case 'l':
-				*lflag = LONG_VIEW;
-				break;
-			case '1':
-				*lflag = SHORT_VIEW;
-				break;
-			default:
-				error("Invalid flag -%c", *cp);
-				return(-1);
-			}
-		}
-		*cpp = cp + strspn(cp, WHITESPACE);
-	}
-
-	return(0);
-}
-
-static int
-get_pathname(const char **cpp, char **path)
-{
-	const char *cp = *cpp, *end;
-	char quot;
-	int i, j;
-
-	cp += strspn(cp, WHITESPACE);
-	if (!*cp) {
-		*cpp = cp;
-		*path = NULL;
-		return (0);
-	}
-
-	*path = xmalloc(strlen(cp) + 1);
-
-	/* Check for quoted filenames */
-	if (*cp == '\"' || *cp == '\'') {
-		quot = *cp++;
-
-		/* Search for terminating quote, unescape some chars */
-		for (i = j = 0; i <= strlen(cp); i++) {
-			if (cp[i] == quot) {	/* Found quote */
-				(*path)[j] = '\0';
-				i++;
-				break;
-			}
-			if (cp[i] == '\0') {	/* End of string */
-				error("Unterminated quote");
-				goto fail;
-			}
-			if (cp[i] == '\\') {	/* Escaped characters */
-				i++;
-				if (cp[i] != '\'' && cp[i] != '\"' && 
-				    cp[i] != '\\') {
-					error("Bad escaped character '\%c'",
-					    cp[i]);
-					goto fail;
-				}
-			}
-			(*path)[j++] = cp[i];
-		}
-
-		if (j == 0) {
-			error("Empty quotes");
-			goto fail;
-		}
-		*cpp = cp + i + strspn(cp + i, WHITESPACE);
-	} else {
-		/* Read to end of filename */
-		end = strpbrk(cp, WHITESPACE);
-		if (end == NULL)
-			end = strchr(cp, '\0');
-		*cpp = end + strspn(end, WHITESPACE);
-
-		memcpy(*path, cp, end - cp);
-		(*path)[end - cp] = '\0';
-	}
-	return (0);
-
- fail:
- 	xfree(*path);
-	*path = NULL;	
-	return (-1);
-}
-
-static int
-is_dir(char *path)
-{
-	struct stat sb;
-
-	/* XXX: report errors? */
-	if (stat(path, &sb) == -1)
-		return(0);
-
-	return(sb.st_mode & S_IFDIR);
-}
-
-static int
-is_reg(char *path)
-{
-	struct stat sb;
-
-	if (stat(path, &sb) == -1)
-		fatal("stat %s: %s", path, strerror(errno));
-
-	return(S_ISREG(sb.st_mode));
-}
-
-static int
-remote_is_dir(struct sftp_conn *conn, char *path)
-{
-	Attrib *a;
-
-	/* XXX: report errors? */
-	if ((a = do_stat(conn, path, 1)) == NULL)
-		return(0);
-	if (!(a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS))
-		return(0);
-	return(a->perm & S_IFDIR);
-}
-
-static int
-process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag)
-{
-	char *abs_src = NULL;
-	char *abs_dst = NULL;
-	char *tmp;
-	glob_t g;
-	int err = 0;
-	int i;
-
-	abs_src = xstrdup(src);
-	abs_src = make_absolute(abs_src, pwd);
-
-	memset(&g, 0, sizeof(g));
-	debug3("Looking up %s", abs_src);
-	if (remote_glob(conn, abs_src, 0, NULL, &g)) {
-		error("File \"%s\" not found.", abs_src);
-		err = -1;
-		goto out;
-	}
-
-	/* If multiple matches, dst must be a directory or unspecified */
-	if (g.gl_matchc > 1 && dst && !is_dir(dst)) {
-		error("Multiple files match, but \"%s\" is not a directory",
-		    dst);
-		err = -1;
-		goto out;
-	}
-
-	for (i = 0; g.gl_pathv[i]; i++) {
-		if (infer_path(g.gl_pathv[i], &tmp)) {
-			err = -1;
-			goto out;
-		}
-
-		if (g.gl_matchc == 1 && dst) {
-			/* If directory specified, append filename */
-			if (is_dir(dst)) {
-				if (infer_path(g.gl_pathv[0], &tmp)) {
-					err = 1;
-					goto out;
-				}
-				abs_dst = path_append(dst, tmp);
-				xfree(tmp);
-			} else
-				abs_dst = xstrdup(dst);
-		} else if (dst) {
-			abs_dst = path_append(dst, tmp);
-			xfree(tmp);
-		} else
-			abs_dst = tmp;
-
-		printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst);
-		if (do_download(conn, g.gl_pathv[i], abs_dst, pflag) == -1)
-			err = -1;
-		xfree(abs_dst);
-		abs_dst = NULL;
-	}
-
-out:
-	xfree(abs_src);
-	if (abs_dst)
-		xfree(abs_dst);
-	globfree(&g);
-	return(err);
-}
-
-static int
-process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd, int pflag)
-{
-	char *tmp_dst = NULL;
-	char *abs_dst = NULL;
-	char *tmp;
-	glob_t g;
-	int err = 0;
-	int i;
-
-	if (dst) {
-		tmp_dst = xstrdup(dst);
-		tmp_dst = make_absolute(tmp_dst, pwd);
-	}
-
-	memset(&g, 0, sizeof(g));
-	debug3("Looking up %s", src);
-	if (glob(src, 0, NULL, &g)) {
-		error("File \"%s\" not found.", src);
-		err = -1;
-		goto out;
-	}
-
-	/* If multiple matches, dst may be directory or unspecified */
-	if (g.gl_matchc > 1 && tmp_dst && !remote_is_dir(conn, tmp_dst)) {
-		error("Multiple files match, but \"%s\" is not a directory",
-		    tmp_dst);
-		err = -1;
-		goto out;
-	}
-
-	for (i = 0; g.gl_pathv[i]; i++) {
-		if (!is_reg(g.gl_pathv[i])) {
-			error("skipping non-regular file %s", 
-			    g.gl_pathv[i]);
-			continue;
-		}
-		if (infer_path(g.gl_pathv[i], &tmp)) {
-			err = -1;
-			goto out;
-		}
-
-		if (g.gl_matchc == 1 && tmp_dst) {
-			/* If directory specified, append filename */
-			if (remote_is_dir(conn, tmp_dst)) {
-				if (infer_path(g.gl_pathv[0], &tmp)) {
-					err = 1;
-					goto out;
-				}
-				abs_dst = path_append(tmp_dst, tmp);
-				xfree(tmp);
-			} else
-				abs_dst = xstrdup(tmp_dst);
-
-		} else if (tmp_dst) {
-			abs_dst = path_append(tmp_dst, tmp);
-			xfree(tmp);
-		} else
-			abs_dst = make_absolute(tmp, pwd);
-
-		printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst);
-		if (do_upload(conn, g.gl_pathv[i], abs_dst, pflag) == -1)
-			err = -1;
-	}
-
-out:
-	if (abs_dst)
-		xfree(abs_dst);
-	if (tmp_dst)
-		xfree(tmp_dst);
-	globfree(&g);
-	return(err);
-}
-
-static int
-sdirent_comp(const void *aa, const void *bb)
-{
-	SFTP_DIRENT *a = *(SFTP_DIRENT **)aa;
-	SFTP_DIRENT *b = *(SFTP_DIRENT **)bb;
-
-	return (strcmp(a->filename, b->filename));
-}
-
-/* sftp ls.1 replacement for directories */
-static int
-do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
-{
-	int n, c = 1, colspace = 0, columns = 1;
-	SFTP_DIRENT **d;
-
-	if ((n = do_readdir(conn, path, &d)) != 0)
-		return (n);
-
-	if (!(lflag & SHORT_VIEW)) {
-		int m = 0, width = 80;
-		struct winsize ws;
-
-		/* Count entries for sort and find longest filename */
-		for (n = 0; d[n] != NULL; n++)
-			m = MAX(m, strlen(d[n]->filename));
-
-		if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1) 
-			width = ws.ws_col;
-
-		columns = width / (m + 2);
-		columns = MAX(columns, 1);
-		colspace = width / columns;
-	}
-
-	qsort(d, n, sizeof(*d), sdirent_comp);
-
-	for (n = 0; d[n] != NULL; n++) {
-		char *tmp, *fname;
-
-		tmp = path_append(path, d[n]->filename);
-		fname = path_strip(tmp, strip_path);
-		xfree(tmp);
-
-		if (lflag & LONG_VIEW) {
-			char *lname;
-			struct stat sb;
-
-			memset(&sb, 0, sizeof(sb));
-			attrib_to_stat(&d[n]->a, &sb);
-			lname = ls_file(fname, &sb, 1);
-			printf("%s\n", lname);
-			xfree(lname);
-		} else {
-			printf("%-*s", colspace, fname);
-			if (c >= columns) {
-				printf("\n");
-				c = 1;
-			} else
-				c++;
-		}
-
-		xfree(fname);
-	}
-
-	if (!(lflag & LONG_VIEW) && (c != 1))
-		printf("\n");
-
-	free_sftp_dirents(d);
-	return (0);
-}
-
-/* sftp ls.1 replacement which handles path globs */
-static int
-do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
-    int lflag)
-{
-	glob_t g;
-	int i, c = 1, colspace = 0, columns = 1;
-	Attrib *a;
-
-	memset(&g, 0, sizeof(g));
-
-	if (remote_glob(conn, path, GLOB_MARK|GLOB_NOCHECK|GLOB_BRACE,
-	    NULL, &g)) {
-		error("Can't ls: \"%s\" not found", path);
-		return (-1);
-	}
-
-	/*
-	 * If the glob returns a single match, which is the same as the
-	 * input glob, and it is a directory, then just list its contents
-	 */
-	if (g.gl_pathc == 1 &&
-	    strncmp(path, g.gl_pathv[0], strlen(g.gl_pathv[0]) - 1) == 0) {
-		if ((a = do_lstat(conn, path, 1)) == NULL) {
-			globfree(&g);
-	    		return (-1);
-		}
-		if ((a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) &&
-		    S_ISDIR(a->perm)) {
-			globfree(&g);
-			return (do_ls_dir(conn, path, strip_path, lflag));
-		}
-	}
-
-	if (!(lflag & SHORT_VIEW)) {
-		int m = 0, width = 80;
-		struct winsize ws;	
-
-		/* Count entries for sort and find longest filename */
- 		for (i = 0; g.gl_pathv[i]; i++)
-			m = MAX(m, strlen(g.gl_pathv[i]));
-
-		if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) != -1)
-			width = ws.ws_col;
-
-		columns = width / (m + 2);
-		columns = MAX(columns, 1);
-		colspace = width / columns;
-	}
-
-	for (i = 0; g.gl_pathv[i]; i++) {
-		char *fname;
-
-		fname = path_strip(g.gl_pathv[i], strip_path);
-
-		if (lflag & LONG_VIEW) {
-			char *lname;
-			struct stat sb;
-
-			/*
-			 * XXX: this is slow - 1 roundtrip per path
-			 * A solution to this is to fork glob() and
-			 * build a sftp specific version which keeps the
-			 * attribs (which currently get thrown away)
-			 * that the server returns as well as the filenames.
-			 */
-			memset(&sb, 0, sizeof(sb));
-			a = do_lstat(conn, g.gl_pathv[i], 1);
-			if (a != NULL)
-				attrib_to_stat(a, &sb);
-			lname = ls_file(fname, &sb, 1);
-			printf("%s\n", lname);
-			xfree(lname);
-		} else {
-			printf("%-*s", colspace, fname);
-			if (c >= columns) {
-				printf("\n");
-				c = 1;
-			} else
-				c++;
-		}
-		xfree(fname);
-	}
-
-	if (!(lflag & LONG_VIEW) && (c != 1))
-		printf("\n");
-
-	if (g.gl_pathc)
-		globfree(&g);
-
-	return (0);
-}
-
-static int
-parse_args(const char **cpp, int *pflag, int *lflag, int *iflag,
-    unsigned long *n_arg, char **path1, char **path2)
-{
-	const char *cmd, *cp = *cpp;
-	char *cp2;
-	int base = 0;
-	long l;
-	int i, cmdnum;
-
-	/* Skip leading whitespace */
-	cp = cp + strspn(cp, WHITESPACE);
-
-	/* Ignore blank lines and lines which begin with comment '#' char */
-	if (*cp == '\0' || *cp == '#')
-		return (0);
-
-	/* Check for leading '-' (disable error processing) */
-	*iflag = 0;
-	if (*cp == '-') {
-		*iflag = 1;
-		cp++;
-	}
-		
-	/* Figure out which command we have */
-	for (i = 0; cmds[i].c; i++) {
-		int cmdlen = strlen(cmds[i].c);
-
-		/* Check for command followed by whitespace */
-		if (!strncasecmp(cp, cmds[i].c, cmdlen) &&
-		    strchr(WHITESPACE, cp[cmdlen])) {
-			cp += cmdlen;
-			cp = cp + strspn(cp, WHITESPACE);
-			break;
-		}
-	}
-	cmdnum = cmds[i].n;
-	cmd = cmds[i].c;
-
-	/* Special case */
-	if (*cp == '!') {
-		cp++;
-		cmdnum = I_SHELL;
-	} else if (cmdnum == -1) {
-		error("Invalid command.");
-		return (-1);
-	}
-
-	/* Get arguments and parse flags */
-	*lflag = *pflag = *n_arg = 0;
-	*path1 = *path2 = NULL;
-	switch (cmdnum) {
-	case I_GET:
-	case I_PUT:
-		if (parse_getput_flags(&cp, pflag))
-			return(-1);
-		/* Get first pathname (mandatory) */
-		if (get_pathname(&cp, path1))
-			return(-1);
-		if (*path1 == NULL) {
-			error("You must specify at least one path after a "
-			    "%s command.", cmd);
-			return(-1);
-		}
-		/* Try to get second pathname (optional) */
-		if (get_pathname(&cp, path2))
-			return(-1);
-		break;
-	case I_RENAME:
-	case I_SYMLINK:
-		if (get_pathname(&cp, path1))
-			return(-1);
-		if (get_pathname(&cp, path2))
-			return(-1);
-		if (!*path1 || !*path2) {
-			error("You must specify two paths after a %s "
-			    "command.", cmd);
-			return(-1);
-		}
-		break;
-	case I_RM:
-	case I_MKDIR:
-	case I_RMDIR:
-	case I_CHDIR:
-	case I_LCHDIR:
-	case I_LMKDIR:
-		/* Get pathname (mandatory) */
-		if (get_pathname(&cp, path1))
-			return(-1);
-		if (*path1 == NULL) {
-			error("You must specify a path after a %s command.",
-			    cmd);
-			return(-1);
-		}
-		break;
-	case I_LS:
-		if (parse_ls_flags(&cp, lflag))
-			return(-1);
-		/* Path is optional */
-		if (get_pathname(&cp, path1))
-			return(-1);
-		break;
-	case I_LLS:
-	case I_SHELL:
-		/* Uses the rest of the line */
-		break;
-	case I_LUMASK:
-		base = 8;
-	case I_CHMOD:
-		base = 8;
-	case I_CHOWN:
-	case I_CHGRP:
-		/* Get numeric arg (mandatory) */
-		l = strtol(cp, &cp2, base);
-		if (cp2 == cp || ((l == LONG_MIN || l == LONG_MAX) &&
-		    errno == ERANGE) || l < 0) {
-			error("You must supply a numeric argument "
-			    "to the %s command.", cmd);
-			return(-1);
-		}
-		cp = cp2;
-		*n_arg = l;
-		if (cmdnum == I_LUMASK && strchr(WHITESPACE, *cp))
-			break;
-		if (cmdnum == I_LUMASK || !strchr(WHITESPACE, *cp)) {
-			error("You must supply a numeric argument "
-			    "to the %s command.", cmd);
-			return(-1);
-		}
-		cp += strspn(cp, WHITESPACE);
-
-		/* Get pathname (mandatory) */
-		if (get_pathname(&cp, path1))
-			return(-1);
-		if (*path1 == NULL) {
-			error("You must specify a path after a %s command.",
-			    cmd);
-			return(-1);
-		}
-		break;
-	case I_QUIT:
-	case I_PWD:
-	case I_LPWD:
-	case I_HELP:
-	case I_VERSION:
-	case I_PROGRESS:
-		break;
-	default:
-		fatal("Command not implemented");
-	}
-
-	*cpp = cp;
-	return(cmdnum);
-}
-
-static int
-parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
-    int err_abort)
-{
-	char *path1, *path2, *tmp;
-	int pflag, lflag, iflag, cmdnum, i;
-	unsigned long n_arg;
-	Attrib a, *aa;
-	char path_buf[MAXPATHLEN];
-	int err = 0;
-	glob_t g;
-
-	path1 = path2 = NULL;
-	cmdnum = parse_args(&cmd, &pflag, &lflag, &iflag, &n_arg,
-	    &path1, &path2);
-
-	if (iflag != 0)
-		err_abort = 0;
-
-	memset(&g, 0, sizeof(g));
-
-	/* Perform command */
-	switch (cmdnum) {
-	case 0:
-		/* Blank line */
-		break;
-	case -1:
-		/* Unrecognized command */
-		err = -1;
-		break;
-	case I_GET:
-		err = process_get(conn, path1, path2, *pwd, pflag);
-		break;
-	case I_PUT:
-		err = process_put(conn, path1, path2, *pwd, pflag);
-		break;
-	case I_RENAME:
-		path1 = make_absolute(path1, *pwd);
-		path2 = make_absolute(path2, *pwd);
-		err = do_rename(conn, path1, path2);
-		break;
-	case I_SYMLINK:
-		path2 = make_absolute(path2, *pwd);
-		err = do_symlink(conn, path1, path2);
-		break;
-	case I_RM:
-		path1 = make_absolute(path1, *pwd);
-		remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g);
-		for (i = 0; g.gl_pathv[i]; i++) {
-			printf("Removing %s\n", g.gl_pathv[i]);
-			err = do_rm(conn, g.gl_pathv[i]);
-			if (err != 0 && err_abort)
-				break;
-		}
-		break;
-	case I_MKDIR:
-		path1 = make_absolute(path1, *pwd);
-		attrib_clear(&a);
-		a.flags |= SSH2_FILEXFER_ATTR_PERMISSIONS;
-		a.perm = 0777;
-		err = do_mkdir(conn, path1, &a);
-		break;
-	case I_RMDIR:
-		path1 = make_absolute(path1, *pwd);
-		err = do_rmdir(conn, path1);
-		break;
-	case I_CHDIR:
-		path1 = make_absolute(path1, *pwd);
-		if ((tmp = do_realpath(conn, path1)) == NULL) {
-			err = 1;
-			break;
-		}
-		if ((aa = do_stat(conn, tmp, 0)) == NULL) {
-			xfree(tmp);
-			err = 1;
-			break;
-		}
-		if (!(aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) {
-			error("Can't change directory: Can't check target");
-			xfree(tmp);
-			err = 1;
-			break;
-		}
-		if (!S_ISDIR(aa->perm)) {
-			error("Can't change directory: \"%s\" is not "
-			    "a directory", tmp);
-			xfree(tmp);
-			err = 1;
-			break;
-		}
-		xfree(*pwd);
-		*pwd = tmp;
-		break;
-	case I_LS:
-		if (!path1) {
-			do_globbed_ls(conn, *pwd, *pwd, lflag);
-			break;
-		}
-
-		/* Strip pwd off beginning of non-absolute paths */
-		tmp = NULL;
-		if (*path1 != '/')
-			tmp = *pwd;
-
-		path1 = make_absolute(path1, *pwd);
-		err = do_globbed_ls(conn, path1, tmp, lflag);
-		break;
-	case I_LCHDIR:
-		if (chdir(path1) == -1) {
-			error("Couldn't change local directory to "
-			    "\"%s\": %s", path1, strerror(errno));
-			err = 1;
-		}
-		break;
-	case I_LMKDIR:
-		if (mkdir(path1, 0777) == -1) {
-			error("Couldn't create local directory "
-			    "\"%s\": %s", path1, strerror(errno));
-			err = 1;
-		}
-		break;
-	case I_LLS:
-		local_do_ls(cmd);
-		break;
-	case I_SHELL:
-		local_do_shell(cmd);
-		break;
-	case I_LUMASK:
-		umask(n_arg);
-		printf("Local umask: %03lo\n", n_arg);
-		break;
-	case I_CHMOD:
-		path1 = make_absolute(path1, *pwd);
-		attrib_clear(&a);
-		a.flags |= SSH2_FILEXFER_ATTR_PERMISSIONS;
-		a.perm = n_arg;
-		remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g);
-		for (i = 0; g.gl_pathv[i]; i++) {
-			printf("Changing mode on %s\n", g.gl_pathv[i]);
-			err = do_setstat(conn, g.gl_pathv[i], &a);
-			if (err != 0 && err_abort)
-				break;
-		}
-		break;
-	case I_CHOWN:
-	case I_CHGRP:
-		path1 = make_absolute(path1, *pwd);
-		remote_glob(conn, path1, GLOB_NOCHECK, NULL, &g);
-		for (i = 0; g.gl_pathv[i]; i++) {
-			if (!(aa = do_stat(conn, g.gl_pathv[i], 0))) {
-				if (err != 0 && err_abort)
-					break;
-				else
-					continue;
-			}
-			if (!(aa->flags & SSH2_FILEXFER_ATTR_UIDGID)) {
-				error("Can't get current ownership of "
-				    "remote file \"%s\"", g.gl_pathv[i]);
-				if (err != 0 && err_abort)
-					break;
-				else
-					continue;
-			}
-			aa->flags &= SSH2_FILEXFER_ATTR_UIDGID;
-			if (cmdnum == I_CHOWN) {
-				printf("Changing owner on %s\n", g.gl_pathv[i]);
-				aa->uid = n_arg;
-			} else {
-				printf("Changing group on %s\n", g.gl_pathv[i]);
-				aa->gid = n_arg;
-			}
-			err = do_setstat(conn, g.gl_pathv[i], aa);
-			if (err != 0 && err_abort)
-				break;
-		}
-		break;
-	case I_PWD:
-		printf("Remote working directory: %s\n", *pwd);
-		break;
-	case I_LPWD:
-		if (!getcwd(path_buf, sizeof(path_buf))) {
-			error("Couldn't get local cwd: %s", strerror(errno));
-			err = -1;
-			break;
-		}
-		printf("Local working directory: %s\n", path_buf);
-		break;
-	case I_QUIT:
-		/* Processed below */
-		break;
-	case I_HELP:
-		help();
-		break;
-	case I_VERSION:
-		printf("SFTP protocol version %u\n", sftp_proto_version(conn));
-		break;
-	case I_PROGRESS:
-		showprogress = !showprogress;
-		if (showprogress)
-			printf("Progress meter enabled\n");
-		else
-			printf("Progress meter disabled\n");
-		break;
-	default:
-		fatal("%d is not implemented", cmdnum);
-	}
-
-	if (g.gl_pathc)
-		globfree(&g);
-	if (path1)
-		xfree(path1);
-	if (path2)
-		xfree(path2);
-
-	/* If an unignored error occurs in batch mode we should abort. */
-	if (err_abort && err != 0)
-		return (-1);
-	else if (cmdnum == I_QUIT)
-		return (1);
-
-	return (0);
-}
-
-int
-interactive_loop(int fd_in, int fd_out, char *file1, char *file2)
-{
-	char *pwd;
-	char *dir = NULL;
-	char cmd[2048];
-	struct sftp_conn *conn;
-	int err;
-
-	conn = do_init(fd_in, fd_out, copy_buffer_len, num_requests);
-	if (conn == NULL)
-		fatal("Couldn't initialise connection to server");
-
-	pwd = do_realpath(conn, ".");
-	if (pwd == NULL)
-		fatal("Need cwd");
-
-	if (file1 != NULL) {
-		dir = xstrdup(file1);
-		dir = make_absolute(dir, pwd);
-
-		if (remote_is_dir(conn, dir) && file2 == NULL) {
-			printf("Changing to: %s\n", dir);
-			snprintf(cmd, sizeof cmd, "cd \"%s\"", dir);
-			if (parse_dispatch_command(conn, cmd, &pwd, 1) != 0)
-				return (-1);
-		} else {
-			if (file2 == NULL)
-				snprintf(cmd, sizeof cmd, "get %s", dir);
-			else
-				snprintf(cmd, sizeof cmd, "get %s %s", dir,
-				    file2);
-
-			err = parse_dispatch_command(conn, cmd, &pwd, 1);
-			xfree(dir);
-			xfree(pwd);
-			return (err);
-		}
-		xfree(dir);
-	}
-
-#if HAVE_SETVBUF
-	setvbuf(stdout, NULL, _IOLBF, 0);
-	setvbuf(infile, NULL, _IOLBF, 0);
-#else
-	setlinebuf(stdout);
-	setlinebuf(infile);
-#endif
-
-	err = 0;
-	for (;;) {
-		char *cp;
-
-		printf("sftp> ");
-
-		/* XXX: use libedit */
-		if (fgets(cmd, sizeof(cmd), infile) == NULL) {
-			printf("\n");
-			break;
-		} else if (infile != stdin) /* Bluff typing */
-			printf("%s", cmd);
-
-		cp = strrchr(cmd, '\n');
-		if (cp)
-			*cp = '\0';
-
-		err = parse_dispatch_command(conn, cmd, &pwd, infile != stdin);
-		if (err != 0)
-			break;
-	}
-	xfree(pwd);
-
-	/* err == 1 signifies normal "quit" exit */
-	return (err >= 0 ? 0 : -1);
-}
-
diff --git a/crypto/openssh/sftp-int.h b/crypto/openssh/sftp-int.h
deleted file mode 100644
index 8a04a03..0000000
--- a/crypto/openssh/sftp-int.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/* $OpenBSD: sftp-int.h,v 1.6 2003/01/08 23:53:26 djm Exp $ */
-
-/*
- * Copyright (c) 2001,2002 Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-int	 interactive_loop(int, int, char *, char *);
diff --git a/crypto/openssh/sftp-server/Makefile b/crypto/openssh/sftp-server/Makefile
deleted file mode 100644
index e068239..0000000
--- a/crypto/openssh/sftp-server/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-#	$OpenBSD: Makefile,v 1.5 2001/03/03 23:59:36 markus Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	sftp-server
-BINOWN=	root
-
-BINMODE?=555
-
-BINDIR=	/usr/libexec
-MAN=	sftp-server.8
-
-SRCS=	sftp-server.c sftp-common.c
-
-.include <bsd.prog.mk>
-
-LDADD+=	-lcrypto
-DPADD+=	${LIBCRYPTO}
diff --git a/crypto/openssh/sftp/Makefile b/crypto/openssh/sftp/Makefile
deleted file mode 100644
index 3f5d866..0000000
--- a/crypto/openssh/sftp/Makefile
+++ /dev/null
@@ -1,19 +0,0 @@
-#	$OpenBSD: Makefile,v 1.5 2001/05/03 23:09:57 mouring Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	sftp
-BINOWN=	root
-
-BINMODE?=555
-
-BINDIR=	/usr/bin
-MAN=	sftp.1
-
-SRCS=	sftp.c sftp-client.c sftp-int.c sftp-common.c sftp-glob.c misc.c
-
-.include <bsd.prog.mk>
-
-LDADD+=	-lcrypto
-DPADD+=	${LIBCRYPTO}
-
diff --git a/crypto/openssh/ssh-add/Makefile b/crypto/openssh/ssh-add/Makefile
deleted file mode 100644
index 2f7bf42..0000000
--- a/crypto/openssh/ssh-add/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-#	$OpenBSD: Makefile,v 1.20 2001/03/04 00:51:25 markus Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	ssh-add
-BINOWN=	root
-
-BINMODE?=555
-
-BINDIR=	/usr/bin
-MAN=	ssh-add.1
-
-SRCS=	ssh-add.c
-
-.include <bsd.prog.mk>
-
-LDADD+=	-lcrypto
-DPADD+= ${LIBCRYPTO}
diff --git a/crypto/openssh/ssh-agent.c b/crypto/openssh/ssh-agent.c
index f5fce6b..f7fe0cd 100644
--- a/crypto/openssh/ssh-agent.c
+++ b/crypto/openssh/ssh-agent.c
@@ -36,6 +36,7 @@
 #include "includes.h"
 #include "openbsd-compat/sys-queue.h"
 RCSID("$OpenBSD: ssh-agent.c,v 1.117 2003/12/02 17:01:15 markus Exp $");
+RCSID("$FreeBSD$");
 
 #include <openssl/evp.h>
 #include <openssl/md5.h>
@@ -57,10 +58,6 @@ RCSID("$OpenBSD: ssh-agent.c,v 1.117 2003/12/02 17:01:15 markus Exp $");
 #include "scard.h"
 #endif
 
-#if defined(HAVE_SYS_PRCTL_H)
-#include <sys/prctl.h>	/* For prctl() and PR_SET_DUMPABLE */
-#endif
-
 typedef enum {
 	AUTH_UNUSED,
 	AUTH_SOCKET,
@@ -1026,11 +1023,7 @@ main(int ac, char **av)
 	/* drop */
 	setegid(getgid());
 	setgid(getgid());
-
-#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
-	/* Disable ptrace on Linux without sgid bit */
-	prctl(PR_SET_DUMPABLE, 0);
-#endif
+	setuid(geteuid());
 
 	SSLeay_add_all_algorithms();
 
diff --git a/crypto/openssh/ssh-agent/Makefile b/crypto/openssh/ssh-agent/Makefile
deleted file mode 100644
index c252dbd..0000000
--- a/crypto/openssh/ssh-agent/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-#	$OpenBSD: Makefile,v 1.21 2001/06/27 19:29:16 markus Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	ssh-agent
-BINOWN=	root
-
-BINMODE?=555
-
-BINDIR=	/usr/bin
-MAN=	ssh-agent.1
-
-SRCS=	ssh-agent.c
-
-.include <bsd.prog.mk>
-
-LDADD+=	-lcrypto
-DPADD+=	${LIBCRYPTO}
diff --git a/crypto/openssh/ssh-keygen/Makefile b/crypto/openssh/ssh-keygen/Makefile
deleted file mode 100644
index d175813..0000000
--- a/crypto/openssh/ssh-keygen/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-#	$OpenBSD: Makefile,v 1.21 2001/06/27 19:29:16 markus Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	ssh-keygen
-BINOWN=	root
-
-BINMODE?=555
-
-BINDIR=	/usr/bin
-MAN=	ssh-keygen.1
-
-SRCS=	ssh-keygen.c
-
-.include <bsd.prog.mk>
-
-LDADD+=	-lcrypto
-DPADD+=	${LIBCRYPTO}
diff --git a/crypto/openssh/ssh-keyscan.c b/crypto/openssh/ssh-keyscan.c
index 266b23c..68b6a0a 100644
--- a/crypto/openssh/ssh-keyscan.c
+++ b/crypto/openssh/ssh-keyscan.c
@@ -7,7 +7,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keyscan.c,v 1.47 2004/03/08 09:38:05 djm Exp $");
+RCSID("$OpenBSD: ssh-keyscan.c,v 1.46 2003/11/23 23:17:34 djm Exp $");
 
 #include "openbsd-compat/sys-queue.h"
 
@@ -489,7 +489,7 @@ conrecycle(int s)
 static void
 congreet(int s)
 {
-	int remote_major = 0, remote_minor = 0, n = 0;
+	int remote_major, remote_minor, n = 0;
 	char buf[256], *cp;
 	char remote_version[sizeof buf];
 	size_t bufsiz;
diff --git a/crypto/openssh/ssh-keyscan/Makefile b/crypto/openssh/ssh-keyscan/Makefile
deleted file mode 100644
index 2ea5c23..0000000
--- a/crypto/openssh/ssh-keyscan/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-#	$OpenBSD: Makefile,v 1.4 2001/08/05 23:18:20 markus Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	ssh-keyscan
-BINOWN=	root
-
-BINMODE?=555
-
-BINDIR=	/usr/bin
-MAN=	ssh-keyscan.1
-
-SRCS=	ssh-keyscan.c
-
-.include <bsd.prog.mk>
-
-LDADD+= -lcrypto -lz
-DPADD+= ${LIBCRYPTO} ${LIBZ}
diff --git a/crypto/openssh/ssh-keysign/Makefile b/crypto/openssh/ssh-keysign/Makefile
deleted file mode 100644
index 1a13d9e..0000000
--- a/crypto/openssh/ssh-keysign/Makefile
+++ /dev/null
@@ -1,18 +0,0 @@
-#	$OpenBSD: Makefile,v 1.3 2002/05/31 10:30:33 markus Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	ssh-keysign
-BINOWN=	root
-
-BINMODE?=4555
-
-BINDIR=	/usr/libexec
-MAN=	ssh-keysign.8
-
-SRCS=	ssh-keysign.c
-
-.include <bsd.prog.mk>
-
-LDADD+=	-lcrypto -lz
-DPADD+=	${LIBCRYPTO} ${LIBZ}
diff --git a/crypto/openssh/ssh.1 b/crypto/openssh/ssh.1
index 31eb66c..9a140fa 100644
--- a/crypto/openssh/ssh.1
+++ b/crypto/openssh/ssh.1
@@ -34,7 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.182 2004/03/05 10:53:58 markus Exp $
+.\" $OpenBSD: ssh.1,v 1.181 2003/12/16 15:49:51 markus Exp $
+.\" $FreeBSD$
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -105,7 +106,7 @@ is executed on the remote host instead of a login shell.
 First, if the machine the user logs in from is listed in
 .Pa /etc/hosts.equiv
 or
-.Pa /etc/shosts.equiv
+.Pa /etc/ssh/shosts.equiv
 on the remote machine, and the user names are
 the same on both sides, the user is immediately permitted to log in.
 Second, if
@@ -129,7 +130,7 @@ It means that if the login would be permitted by
 .Pa $HOME/.shosts ,
 .Pa /etc/hosts.equiv ,
 or
-.Pa /etc/shosts.equiv ,
+.Pa /etc/ssh/shosts.equiv ,
 and if additionally the server can verify the client's
 host key (see
 .Pa /etc/ssh/ssh_known_hosts
@@ -332,6 +333,7 @@ The user should not manually set
 .Ev DISPLAY .
 Forwarding of X11 connections can be
 configured on the command line or in configuration files.
+Take note that X11 forwarding can represent a security hazard.
 .Pp
 The
 .Ev DISPLAY
@@ -634,7 +636,6 @@ For full details of the options listed below, and their possible values, see
 .It HostKeyAlias
 .It HostName
 .It IdentityFile
-.It IdentitiesOnly
 .It LocalForward
 .It LogLevel
 .It MACs
@@ -1004,7 +1005,7 @@ same.
 Additionally, successful RSA host authentication is normally
 required.
 This file should only be writable by root.
-.It Pa /etc/shosts.equiv
+.It Pa /etc/ssh/shosts.equiv
 This file is processed exactly as
 .Pa /etc/hosts.equiv .
 This file may be useful to permit logins using
diff --git a/crypto/openssh/ssh.c b/crypto/openssh/ssh.c
index e655e68..b47f301 100644
--- a/crypto/openssh/ssh.c
+++ b/crypto/openssh/ssh.c
@@ -40,7 +40,8 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: ssh.c,v 1.209 2004/03/11 10:21:17 markus Exp $");
+RCSID("$OpenBSD: ssh.c,v 1.206 2003/12/16 15:49:51 markus Exp $");
+RCSID("$FreeBSD$");
 
 #include <openssl/evp.h>
 #include <openssl/err.h>
@@ -146,12 +147,49 @@ pid_t proxy_command_pid = 0;
 static void
 usage(void)
 {
-	fprintf(stderr,
-"usage: ssh [-1246AaCfghkNnqsTtVvXxY] [-b bind_address] [-c cipher_spec]\n"
-"           [-D port] [-e escape_char] [-F configfile] [-i identity_file]\n"
-"           [-L port:host:hostport] [-l login_name] [-m mac_spec] [-o option]\n"
-"           [-p port] [-R port:host:hostport] [user@]hostname [command]\n"
-	);
+	fprintf(stderr, "Usage: %s [options] host [command]\n", __progname);
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "  -l user     Log in using this user name.\n");
+	fprintf(stderr, "  -n          Redirect input from " _PATH_DEVNULL ".\n");
+	fprintf(stderr, "  -F config   Config file (default: ~/%s).\n",
+	     _PATH_SSH_USER_CONFFILE);
+	fprintf(stderr, "  -A          Enable authentication agent forwarding.\n");
+	fprintf(stderr, "  -a          Disable authentication agent forwarding (default).\n");
+	fprintf(stderr, "  -X          Enable X11 connection forwarding.\n");
+	fprintf(stderr, "  -Y          Enable trusted X11 connection forwarding.\n");
+	fprintf(stderr, "  -x          Disable X11 connection forwarding (default).\n");
+	fprintf(stderr, "  -i file     Identity for public key authentication "
+	    "(default: ~/.ssh/identity)\n");
+#ifdef SMARTCARD
+	fprintf(stderr, "  -I reader   Set smartcard reader.\n");
+#endif
+	fprintf(stderr, "  -t          Tty; allocate a tty even if command is given.\n");
+	fprintf(stderr, "  -T          Do not allocate a tty.\n");
+	fprintf(stderr, "  -v          Verbose; display verbose debugging messages.\n");
+	fprintf(stderr, "              Multiple -v increases verbosity.\n");
+	fprintf(stderr, "  -V          Display version number only.\n");
+	fprintf(stderr, "  -q          Quiet; don't display any warning messages.\n");
+	fprintf(stderr, "  -f          Fork into background after authentication.\n");
+	fprintf(stderr, "  -e char     Set escape character; ``none'' = disable (default: ~).\n");
+
+	fprintf(stderr, "  -c cipher   Select encryption algorithm\n");
+	fprintf(stderr, "  -m macs     Specify MAC algorithms for protocol version 2.\n");
+	fprintf(stderr, "  -p port     Connect to this port.  Server must be on the same port.\n");
+	fprintf(stderr, "  -L listen-port:host:port   Forward local port to remote address\n");
+	fprintf(stderr, "  -R listen-port:host:port   Forward remote port to local address\n");
+	fprintf(stderr, "              These cause %s to listen for connections on a port, and\n", __progname);
+	fprintf(stderr, "              forward them to the other side by connecting to host:port.\n");
+	fprintf(stderr, "  -D port     Enable dynamic application-level port forwarding.\n");
+	fprintf(stderr, "  -C          Enable compression.\n");
+	fprintf(stderr, "  -N          Do not execute a shell or command.\n");
+	fprintf(stderr, "  -g          Allow remote hosts to connect to forwarded ports.\n");
+	fprintf(stderr, "  -1          Force protocol version 1.\n");
+	fprintf(stderr, "  -2          Force protocol version 2.\n");
+	fprintf(stderr, "  -4          Use IPv4 only.\n");
+	fprintf(stderr, "  -6          Use IPv6 only.\n");
+	fprintf(stderr, "  -o 'option' Process the option as if it was read from a configuration file.\n");
+	fprintf(stderr, "  -s          Invoke command (mandatory) as SSH2 subsystem.\n");
+	fprintf(stderr, "  -b addr     Local IP address.\n");
 	exit(1);
 }
 
@@ -310,8 +348,12 @@ again:
 			}
 			/* fallthrough */
 		case 'V':
-			fprintf(stderr, "%s, %s\n",
-			    SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
+			fprintf(stderr,
+			    "%s, SSH protocols %d.%d/%d.%d, %s\n",
+			    SSH_VERSION,
+			    PROTOCOL_MAJOR_1, PROTOCOL_MINOR_1,
+			    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2,
+			    SSLeay_version(SSLEAY_VERSION));
 			if (opt == 'V')
 				exit(0);
 			break;
@@ -554,6 +596,23 @@ again:
 	if (options.hostname != NULL)
 		host = options.hostname;
 
+	/* Find canonic host name. */
+	if (strchr(host, '.') == 0) {
+		struct addrinfo hints;
+		struct addrinfo *ai = NULL;
+		int errgai;
+		memset(&hints, 0, sizeof(hints));
+		hints.ai_family = options.address_family;
+		hints.ai_flags = AI_CANONNAME;
+		hints.ai_socktype = SOCK_STREAM;
+		errgai = getaddrinfo(host, NULL, &hints, &ai);
+		if (errgai == 0) {
+			if (ai->ai_canonname != NULL)
+				host = xstrdup(ai->ai_canonname);
+			freeaddrinfo(ai);
+		}
+	}
+
 	/* force lowercase for hostkey matching */
 	if (options.host_key_alias != NULL) {
 		for (p = options.host_key_alias; *p; p++)
@@ -736,7 +795,7 @@ x11_get_proto(char **_proto, char **_data)
 				    xauthdir);
 				snprintf(cmd, sizeof(cmd),
 				    "%s -f %s generate %s " SSH_X11_PROTO
-				    " untrusted timeout 1200 2>" _PATH_DEVNULL,
+				    " untrusted timeout 120 2>" _PATH_DEVNULL,
 				    options.xauth_location, xauthfile, display);
 				debug2("x11_get_proto: %s", cmd);
 				if (system(cmd) == 0)
diff --git a/crypto/openssh/ssh/Makefile b/crypto/openssh/ssh/Makefile
deleted file mode 100644
index 80511de..0000000
--- a/crypto/openssh/ssh/Makefile
+++ /dev/null
@@ -1,40 +0,0 @@
-#	$OpenBSD: Makefile,v 1.42 2002/06/20 19:56:07 stevesk Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	ssh
-BINOWN=	root
-
-#BINMODE?=4555
-
-BINDIR=	/usr/bin
-MAN=	ssh.1 ssh_config.5
-LINKS=	${BINDIR}/ssh ${BINDIR}/slogin
-MLINKS=	ssh.1 slogin.1
-
-SRCS=	ssh.c readconf.c clientloop.c sshtty.c \
-	sshconnect.c sshconnect1.c sshconnect2.c
-
-.include <bsd.own.mk> # for AFS
-
-.if (${KERBEROS5:L} == "yes")
-CFLAGS+= -DKRB5 -I${DESTDIR}/usr/include/kerberosV
-LDADD+=  -lkrb5 -lasn1 -lcom_err
-DPADD+=  ${LIBKRB5} ${LIBASN1} ${LIBCOM_ERR}
-.endif # KERBEROS5
-
-.if (${KERBEROS:L} == "yes")
-CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
-LDADD+=	 -lkrb
-DPADD+=	 ${LIBKRB}
-.if (${AFS:L} == "yes")
-CFLAGS+= -DAFS
-LDADD+=  -lkafs
-DPADD+=  ${LIBKAFS}
-.endif # AFS
-.endif # KERBEROS
-
-.include <bsd.prog.mk>
-
-LDADD+=	-lcrypto -lz -ldes
-DPADD+=	${LIBCRYPTO} ${LIBZ} ${LIBDES}
diff --git a/crypto/openssh/ssh_config b/crypto/openssh/ssh_config
index 2692e89..d71689b 100644
--- a/crypto/openssh/ssh_config
+++ b/crypto/openssh/ssh_config
@@ -1,4 +1,5 @@
 #	$OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $
+#	$FreeBSD$
 
 # This is the ssh client system-wide configuration file.  See
 # ssh_config(5) for more information.  This file provides defaults for
@@ -23,7 +24,7 @@
 #   PasswordAuthentication yes
 #   HostbasedAuthentication no
 #   BatchMode no
-#   CheckHostIP yes
+#   CheckHostIP no
 #   AddressFamily any
 #   ConnectTimeout 0
 #   StrictHostKeyChecking ask
@@ -35,3 +36,4 @@
 #   Cipher 3des
 #   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
 #   EscapeChar ~
+#   VersionAddendum FreeBSD-20040226
diff --git a/crypto/openssh/ssh_config.5 b/crypto/openssh/ssh_config.5
index 05581ec..0b75c9e 100644
--- a/crypto/openssh/ssh_config.5
+++ b/crypto/openssh/ssh_config.5
@@ -34,7 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.29 2004/03/05 10:53:58 markus Exp $
+.\" $OpenBSD: ssh_config.5,v 1.28 2003/12/16 15:49:51 markus Exp $
+.\" $FreeBSD$
 .Dd September 25, 1999
 .Dt SSH_CONFIG 5
 .Os
@@ -161,7 +162,7 @@ If the option is set to
 .Dq no ,
 the check will not be executed.
 The default is
-.Dq yes .
+.Dq no .
 .It Cm Cipher
 Specifies the cipher to use for encrypting the session
 in protocol version 1.
@@ -406,24 +407,6 @@ syntax to refer to a user's home directory.
 It is possible to have
 multiple identity files specified in configuration files; all these
 identities will be tried in sequence.
-.It Cm IdentitiesOnly
-Specifies that
-.Nm ssh
-should only use the authentication identity files configured in the
-.Nm 
-files,
-even if the
-.Nm ssh-agent
-offers more identities.
-The argument to this keyword must be
-.Dq yes
-or
-.Dq no .
-This option is intented for situations where
-.Nm ssh-agent
-offers many different identities.
-The default is
-.Dq no .
 .It Cm LocalForward
 Specifies that a TCP/IP port on the local machine be forwarded over
 the secure channel to the specified host and port from the remote machine.
@@ -714,6 +697,11 @@ or
 The default is
 .Dq no .
 Note that this option applies to protocol version 2 only.
+.It Cm VersionAddendum
+Specifies a string to append to the regular version string to identify
+OS- or site-specific modifications.
+The default is
+.Dq FreeBSD-20040226 .
 .It Cm XAuthLocation
 Specifies the full pathname of the
 .Xr xauth 1
diff --git a/crypto/openssh/sshconnect2.c b/crypto/openssh/sshconnect2.c
index c261dfd..3a21811 100644
--- a/crypto/openssh/sshconnect2.c
+++ b/crypto/openssh/sshconnect2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.135 2004/03/05 10:53:58 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.134 2004/01/19 21:25:15 markus Exp $");
 
 #include "openbsd-compat/sys-queue.h"
 
@@ -1044,7 +1044,7 @@ pubkey_prepare(Authctxt *authctxt)
 					break;
 				}
 			}
-			if (!found && !options.identities_only) {
+			if (!found) {
 				id = xmalloc(sizeof(*id));
 				memset(id, 0, sizeof(*id));
 				id->key = key;
diff --git a/crypto/openssh/sshd.8 b/crypto/openssh/sshd.8
index 34413e2..2ed44cc 100644
--- a/crypto/openssh/sshd.8
+++ b/crypto/openssh/sshd.8
@@ -35,6 +35,7 @@
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
 .\" $OpenBSD: sshd.8,v 1.200 2003/10/08 08:27:36 jmc Exp $
+.\" $FreeBSD$
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -67,7 +68,7 @@ install and use as possible.
 .Nm
 is the daemon that listens for connections from clients.
 It is normally started at boot from
-.Pa /etc/rc .
+.Pa /etc/rc.d/sshd .
 It forks a new
 daemon for each incoming connection.
 The forked daemons handle
@@ -253,8 +254,6 @@ host key files are normally not readable by anyone but root).
 The default is
 .Pa /etc/ssh/ssh_host_key
 for protocol version 1, and
-.Pa /etc/ssh/ssh_host_rsa_key
-and
 .Pa /etc/ssh/ssh_host_dsa_key
 for protocol version 2.
 It is possible to have multiple host key files for
@@ -365,8 +364,9 @@ section).
 If the login is on a tty, records login time.
 .It
 Checks
-.Pa /etc/nologin ;
-if it exists, prints contents and quits
+.Pa /etc/nologin and
+.Pa /var/run/nologin ;
+if one exists, it prints the contents and quits
 (unless root).
 .It
 Changes to run with normal user privileges.
@@ -388,11 +388,12 @@ If
 exists, runs it; else if
 .Pa /etc/ssh/sshrc
 exists, runs
-it; otherwise runs xauth.
+it; otherwise runs
+.Xr xauth 1 .
 The
 .Dq rc
 files are given the X11
-authentication protocol and cookie in standard input.
+authentication protocol and cookie (if applicable) in standard input.
 .It
 Runs user's shell or command.
 .El
@@ -596,15 +597,15 @@ Contains configuration data for
 .Nm sshd .
 The file format and configuration options are described in
 .Xr sshd_config 5 .
-.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key
-These three files contain the private parts of the host keys.
+.It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key
+These two files contain the private parts of the host keys.
 These files should only be owned by root, readable only by root, and not
 accessible to others.
 Note that
 .Nm
 does not start if this file is group/world-accessible.
-.It Pa /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub
-These three files contain the public parts of the host keys.
+.It Pa /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub
+These two files contain the public parts of the host keys.
 These files should be world-readable but writable only by
 root.
 Their contents should match the respective private parts.
@@ -613,7 +614,7 @@ really used for anything; they are provided for the convenience of
 the user so their contents can be copied to known hosts files.
 These files are created using
 .Xr ssh-keygen 1 .
-.It Pa /etc/moduli
+.It Pa /etc/ssh/moduli
 Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
 The file format is described in
 .Xr moduli 5 .
@@ -725,7 +726,7 @@ The only valid use for user names that I can think
 of is in negative entries.
 .Pp
 Note that this warning also applies to rsh/rlogin.
-.It Pa /etc/shosts.equiv
+.It Pa /etc/ssh/shosts.equiv
 This is processed exactly as
 .Pa /etc/hosts.equiv .
 However, this file may be useful in environments that want to run both
diff --git a/crypto/openssh/sshd.c b/crypto/openssh/sshd.c
index 6342842..c660fc2 100644
--- a/crypto/openssh/sshd.c
+++ b/crypto/openssh/sshd.c
@@ -42,7 +42,8 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.290 2004/03/11 10:21:17 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.286 2004/02/23 12:02:33 markus Exp $");
+RCSID("$FreeBSD$");
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
@@ -53,6 +54,10 @@ RCSID("$OpenBSD: sshd.c,v 1.290 2004/03/11 10:21:17 markus Exp $");
 #include <prot.h>
 #endif
 
+#ifdef __FreeBSD__
+#include <resolv.h>
+#endif
+
 #include "ssh.h"
 #include "ssh1.h"
 #include "ssh2.h"
@@ -101,6 +106,7 @@ extern char *__progname;
 #else
 char *__progname;
 #endif
+extern char **environ;
 
 /* Server configuration options. */
 ServerOptions options;
@@ -567,7 +573,7 @@ privsep_preauth_child(void)
 	debug3("privsep user:group %u:%u", (u_int)pw->pw_uid,
 	    (u_int)pw->pw_gid);
 #if 0
-	/* XXX not ready, too heavy after chroot */
+	/* XXX not ready, to heavy after chroot */
 	do_setusercontext(pw);
 #else
 	gidset[0] = pw->pw_gid;
@@ -763,12 +769,26 @@ drop_connection(int startups)
 static void
 usage(void)
 {
-	fprintf(stderr, "%s, %s\n",
+	fprintf(stderr, "sshd version %s, %s\n",
 	    SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
-	fprintf(stderr,
-"usage: sshd [-46Ddeiqt] [-b bits] [-f config_file] [-g login_grace_time]\n"
-"            [-h host_key_file] [-k key_gen_time] [-o option] [-p port] [-u len]\n"
-	);
+	fprintf(stderr, "Usage: %s [options]\n", __progname);
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "  -f file    Configuration file (default %s)\n", _PATH_SERVER_CONFIG_FILE);
+	fprintf(stderr, "  -d         Debugging mode (multiple -d means more debugging)\n");
+	fprintf(stderr, "  -i         Started from inetd\n");
+	fprintf(stderr, "  -D         Do not fork into daemon mode\n");
+	fprintf(stderr, "  -t         Only test configuration file and keys\n");
+	fprintf(stderr, "  -q         Quiet (no logging)\n");
+	fprintf(stderr, "  -p port    Listen on the specified port (default: 22)\n");
+	fprintf(stderr, "  -k seconds Regenerate server key every this many seconds (default: 3600)\n");
+	fprintf(stderr, "  -g seconds Grace period for authentication (default: 600)\n");
+	fprintf(stderr, "  -b bits    Size of server RSA key (default: 768 bits)\n");
+	fprintf(stderr, "  -h file    File from which to read host key (default: %s)\n",
+	    _PATH_HOST_KEY_FILE);
+	fprintf(stderr, "  -u len     Maximum hostname length for utmp recording\n");
+	fprintf(stderr, "  -4         Use IPv4 only\n");
+	fprintf(stderr, "  -6         Use IPv6 only\n");
+	fprintf(stderr, "  -o option  Process the option as if it was read from a configuration file.\n");
 	exit(1);
 }
 
@@ -817,9 +837,6 @@ main(int ac, char **av)
 	av = saved_argv;
 #endif
 
-	if (geteuid() == 0 && setgroups(0, NULL) == -1)
-		debug("setgroups(): %.200s", strerror(errno));
-
 	/* Initialize configuration options to their default values. */
 	initialize_server_options(&options);
 
@@ -928,13 +945,6 @@ main(int ac, char **av)
 	    SYSLOG_FACILITY_AUTH : options.log_facility,
 	    log_stderr || !inetd_flag);
 
-#ifdef _AIX
-	/*
-	 * Unset KRB5CCNAME, otherwise the user's session may inherit it from
-	 * root's environment
-	 */ 
-	unsetenv("KRB5CCNAME");
-#endif /* _AIX */
 #ifdef _UNICOS
 	/* Cray can define user privs drop all prives now!
 	 * Not needed on PRIV_SU systems!
@@ -1101,6 +1111,11 @@ main(int ac, char **av)
 	   unmounted if desired. */
 	chdir("/");
 
+#ifndef HAVE_CYGWIN
+	/* Clear environment */
+	environ[0] = NULL;
+#endif
+
 	/* ignore SIGPIPE */
 	signal(SIGPIPE, SIG_IGN);
 
@@ -1379,7 +1394,6 @@ main(int ac, char **av)
 	}
 
 	/* This is the child processing a new connection. */
-	setproctitle("%s", "[accepted]");
 
 	/*
 	 * Create a new session and process group since the 4.4BSD
@@ -1415,6 +1429,17 @@ main(int ac, char **av)
 	    sizeof(on)) < 0)
 		error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno));
 
+#ifdef __FreeBSD__
+	/*
+	 * Initialize the resolver.  This may not happen automatically
+	 * before privsep chroot().                                   
+	 */
+	if ((_res.options & RES_INIT) == 0) {
+		debug("res_init()");         
+		res_init();         
+	}
+#endif
+
 	/*
 	 * Register our connection.  This turns encryption off because we do
 	 * not have a key.
diff --git a/crypto/openssh/sshd/Makefile b/crypto/openssh/sshd/Makefile
deleted file mode 100644
index 14ef3e0..0000000
--- a/crypto/openssh/sshd/Makefile
+++ /dev/null
@@ -1,56 +0,0 @@
-#	$OpenBSD: Makefile,v 1.51 2002/06/20 19:56:07 stevesk Exp $
-
-.PATH:		${.CURDIR}/..
-
-PROG=	sshd
-BINOWN=	root
-BINMODE=555
-BINDIR=	/usr/sbin
-MAN=	sshd.8 sshd_config.5
-CFLAGS+=-DHAVE_LOGIN_CAP -DBSD_AUTH
-
-SRCS=	sshd.c auth-rhosts.c auth-passwd.c auth-rsa.c auth-rh-rsa.c \
-	sshpty.c sshlogin.c servconf.c serverloop.c uidswap.c \
-	auth.c auth1.c auth2.c auth-options.c session.c \
-	auth-chall.c auth2-chall.c groupaccess.c \
-	auth-skey.c auth-bsdauth.c monitor_mm.c monitor.c \
-	auth2-none.c auth2-passwd.c auth2-pubkey.c \
-	auth2-hostbased.c auth2-kbdint.c
-
-.include <bsd.own.mk> # for KERBEROS and AFS
-
-.if (${KERBEROS5:L} == "yes")
-CFLAGS+=-DKRB5 -I${DESTDIR}/usr/include/kerberosV
-SRCS+=  auth-krb5.c
-LDADD+= -lkrb5 -lkafs -lasn1 -lcom_err
-DPADD+= ${LIBKRB5} ${LIBKAFS} ${LIBASN1} ${LIBCOM_ERR}
-.endif # KERBEROS5
-
-.if (${KERBEROS:L} == "yes")
-.if (${AFS:L} == "yes")
-CFLAGS+= -DAFS
-LDADD+=  -lkafs
-DPADD+=  ${LIBKAFS}
-.endif # AFS
-CFLAGS+= -DKRB4 -I${DESTDIR}/usr/include/kerberosIV
-SRCS+=	auth-krb4.c
-LDADD+=	 -lkrb
-DPADD+=	 ${LIBKRB}
-.endif # KERBEROS
-
-.include <bsd.prog.mk>
-
-LDADD+=	-lcrypto -lutil -lz -ldes
-DPADD+=	${LIBCRYPTO} ${LIBUTIL} ${LIBZ} ${LIBDES}
-
-.if (${TCP_WRAPPERS:L} == "yes")
-CFLAGS+= -DLIBWRAP
-LDADD+= -lwrap
-DPADD+= ${LIBWRAP}
-.endif
-
-#.if (${SKEY:L} == "yes")
-#CFLAGS+= -DSKEY
-#LDADD+= -lskey
-#DPADD+= ${SKEY}
-#.endif
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index b45c8c5..3e0ede9 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -1,4 +1,5 @@
 #	$OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $
+#	$FreeBSD$
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -10,15 +11,19 @@
 # possible, but leave them commented.  Uncommented options change a
 # default value.
 
+# Note that some of FreeBSD's defaults differ from OpenBSD's, and
+# FreeBSD has a few additional options.
+
+#VersionAddendum FreeBSD-20040226
+
 #Port 22
-#Protocol 2,1
+#Protocol 2
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 
 # HostKey for protocol version 1
 #HostKey /etc/ssh/ssh_host_key
 # HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_dsa_key
 
 # Lifetime and size of ephemeral version 1 server key
@@ -33,7 +38,7 @@
 # Authentication:
 
 #LoginGraceTime 2m
-#PermitRootLogin yes
+#PermitRootLogin no
 #StrictModes yes
 
 #RSAAuthentication yes
@@ -50,11 +55,11 @@
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+# Change to yes to enable built-in password authentication.
+#PasswordAuthentication no
 #PermitEmptyPasswords no
 
-# Change to no to disable s/key passwords
+# Change to no to disable PAM authentication
 #ChallengeResponseAuthentication yes
 
 # Kerberos options
@@ -67,14 +72,13 @@
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 
-# Set this to 'yes' to enable PAM authentication (via challenge-response)
-# and session processing. Depending on your PAM configuration, this may
-# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
-#UsePAM no
+# Set this to 'no' to disable PAM authentication (via challenge-response)
+# and session processing.
+#UsePAM yes
 
 #AllowTcpForwarding yes
 #GatewayPorts no
-#X11Forwarding no
+#X11Forwarding yes
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index e15a225..d812409 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -34,7 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.29 2004/03/08 10:18:57 dtucker Exp $
+.\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $
+.\" $FreeBSD$
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -122,10 +123,17 @@ This option is only available for protocol version 2.
 By default, no banner is displayed.
 .Pp
 .It Cm ChallengeResponseAuthentication
-Specifies whether challenge response authentication is allowed.
-All authentication styles from
-.Xr login.conf 5
-are supported.
+Specifies whether challenge-response authentication is allowed.
+Specifically, in
+.Fx ,
+this controls the use of PAM (see
+.Xr pam 3 )
+for authentication.
+Note that this affects the effectiveness of the
+.Cm PasswordAuthentication
+and
+.Cm PermitRootLogin
+variables.
 The default is
 .Dq yes .
 .It Cm Ciphers
@@ -251,8 +259,6 @@ used by SSH.
 The default is
 .Pa /etc/ssh/ssh_host_key
 for protocol version 1, and
-.Pa /etc/ssh/ssh_host_rsa_key
-and
 .Pa /etc/ssh/ssh_host_dsa_key
 for protocol version 2.
 Note that
@@ -277,7 +283,7 @@ or
 .Pp
 .Pa /etc/hosts.equiv
 and
-.Pa /etc/shosts.equiv
+.Pa /etc/ssh/shosts.equiv 
 are still used.
 The default is
 .Dq yes .
@@ -300,11 +306,6 @@ To use this option, the server needs a
 Kerberos servtab which allows the verification of the KDC's identity.
 Default is
 .Dq no .
-.It Cm KerberosGetAFSToken
-If AFS is active and the user has a Kerberos 5 TGT, attempt to aquire
-an AFS token before accessing the user's home directory.
-Default is
-.Dq no .
 .It Cm KerberosOrLocalPasswd
 If set then if password authentication through Kerberos fails then
 the password will be validated via any additional local mechanism
@@ -414,7 +415,22 @@ are refused if the number of unauthenticated connections reaches
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
+.Dq no ,
+unless
+.Nm sshd
+was built without PAM support, in which case the default is
 .Dq yes .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
+.Dq yes ,
+and the PAM authentication policy for
+.Nm sshd
+includes
+.Xr pam_unix 8 ,
+password authentication will be allowed through the challenge-response
+mechanism regardless of the value of
+.Cm PasswordAuthentication .
 .It Cm PermitEmptyPasswords
 When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.
@@ -430,13 +446,18 @@ The argument must be
 or
 .Dq no .
 The default is
-.Dq yes .
+.Dq no .
+Note that if
+.Cm ChallengeResponseAuthentication
+is
+.Dq yes ,
+the root user may be allowed in with its password even if
+.Cm PermitRootLogin is set to
+.Dq without-password .
 .Pp
 If this option is set to
 .Dq without-password
-password authentication is disabled for root.  Note that other authentication
-methods (e.g., keyboard-interactive/PAM) may still allow root to login using
-a password.
+password authentication is disabled for root.
 .Pp
 If this option is set to
 .Dq forced-commands-only
@@ -506,7 +527,7 @@ and
 .Dq 2 .
 Multiple versions must be comma-separated.
 The default is
-.Dq 2,1 .
+.Dq 2 .
 Note that the order of the protocol list does not indicate preference,
 because the client selects among multiple protocol versions offered
 by the server.
@@ -520,7 +541,9 @@ The default is
 .Dq yes .
 Note that this option applies to protocol version 2 only.
 .It Cm RhostsRSAAuthentication
-Specifies whether rhosts or /etc/hosts.equiv authentication together
+Specifies whether rhosts or
+.Pa /etc/hosts.equiv
+authentication together
 with successful RSA host authentication is allowed.
 The default is
 .Dq no .
@@ -614,7 +637,7 @@ If you enable this, you should probably disable
 If you enable
 .CM UsePAM
 then you will not be able to run sshd as a non-root user.  The default is
-.Dq no .
+.Dq yes .
 .It Cm UsePrivilegeSeparation
 Specifies whether
 .Nm sshd
@@ -626,6 +649,11 @@ The goal of privilege separation is to prevent privilege
 escalation by containing any corruption within the unprivileged processes.
 The default is
 .Dq yes .
+.It Cm VersionAddendum
+Specifies a string to append to the regular version string to identify
+OS- or site-specific modifications.
+The default is
+.Dq FreeBSD-20040226 .
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Nm sshd Ns 's
@@ -641,7 +669,7 @@ The argument must be
 or
 .Dq no .
 The default is
-.Dq no .
+.Dq yes .
 .Pp
 When X11 forwarding is enabled, there may be additional exposure to
 the server and to client displays if the
diff --git a/crypto/openssh/sshlogin.c b/crypto/openssh/sshlogin.c
index e1cc4cc..36b6489 100644
--- a/crypto/openssh/sshlogin.c
+++ b/crypto/openssh/sshlogin.c
@@ -52,11 +52,11 @@ u_long
 get_last_login_time(uid_t uid, const char *logname,
     char *buf, u_int bufsize)
 {
-	struct logininfo li;
+  struct logininfo li;
 
-	login_get_lastlog(&li, uid);
-	strlcpy(buf, li.hostname, bufsize);
-	return li.tv_sec;
+  login_get_lastlog(&li, uid);
+  strlcpy(buf, li.hostname, bufsize);
+  return li.tv_sec;
 }
 
 /*
@@ -67,12 +67,12 @@ void
 record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
     const char *host, struct sockaddr * addr, socklen_t addrlen)
 {
-	struct logininfo *li;
+  struct logininfo *li;
 
-	li = login_alloc_entry(pid, user, host, ttyname);
-	login_set_addr(li, addr, addrlen);
-	login_login(li);
-	login_free_entry(li);
+  li = login_alloc_entry(pid, user, host, ttyname);
+  login_set_addr(li, addr, addrlen);
+  login_login(li);
+  login_free_entry(li);
 }
 
 #ifdef LOGIN_NEEDS_UTMPX
@@ -80,12 +80,12 @@ void
 record_utmp_only(pid_t pid, const char *ttyname, const char *user,
 		 const char *host, struct sockaddr * addr, socklen_t addrlen)
 {
-	struct logininfo *li;
+  struct logininfo *li;
 
-	li = login_alloc_entry(pid, user, host, ttyname);
-	login_set_addr(li, addr, addrlen);
-	login_utmp_only(li);
-	login_free_entry(li);
+  li = login_alloc_entry(pid, user, host, ttyname);
+  login_set_addr(li, addr, addrlen);
+  login_utmp_only(li);
+  login_free_entry(li);
 }
 #endif
 
@@ -93,9 +93,9 @@ record_utmp_only(pid_t pid, const char *ttyname, const char *user,
 void
 record_logout(pid_t pid, const char *ttyname, const char *user)
 {
-	struct logininfo *li;
+  struct logininfo *li;
 
-	li = login_alloc_entry(pid, user, NULL, ttyname);
-	login_logout(li);
-	login_free_entry(li);
+  li = login_alloc_entry(pid, user, NULL, ttyname);
+  login_logout(li);
+  login_free_entry(li);
 }
diff --git a/crypto/openssh/util.c b/crypto/openssh/util.c
deleted file mode 100644
index 1a591a6..0000000
--- a/crypto/openssh/util.c
+++ /dev/null
@@ -1,96 +0,0 @@
-/*	$OpenBSD: util.c,v 1.6 2000/10/27 07:32:19 markus Exp $	*/
-
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-RCSID("$OpenBSD: util.c,v 1.6 2000/10/27 07:32:19 markus Exp $");
-
-#include "ssh.h"
-
-char *
-chop(char *s)
-{
-	char *t = s;
-	while (*t) {
-		if(*t == '\n' || *t == '\r') {
-			*t = '\0';
-			return s;
-		}
-		t++;
-	}
-	return s;
-
-}
-
-void
-set_nonblock(int fd)
-{
-	int val;
-	val = fcntl(fd, F_GETFL, 0);
-	if (val < 0) {
-		error("fcntl(%d, F_GETFL, 0): %s", fd, strerror(errno));
-		return;
-	}
-	if (val & O_NONBLOCK) {
-		debug("fd %d IS O_NONBLOCK", fd);
-		return;
-	}
-	debug("fd %d setting O_NONBLOCK", fd);
-	val |= O_NONBLOCK;
-	if (fcntl(fd, F_SETFL, val) == -1)
-		if (errno != ENODEV)
-			error("fcntl(%d, F_SETFL, O_NONBLOCK): %s",
-			    fd, strerror(errno));
-}
-
-/* Characters considered whitespace in strsep calls. */
-#define WHITESPACE " \t\r\n"
-
-char *
-strdelim(char **s)
-{
-	char *old;
-	int wspace = 0;
-
-	if (*s == NULL)
-		return NULL;
-
-	old = *s;
-
-	*s = strpbrk(*s, WHITESPACE "=");
-	if (*s == NULL)
-		return (old);
-
-	/* Allow only one '=' to be skipped */
-	if (*s[0] == '=')
-		wspace = 1;
-	*s[0] = '\0';
-
-	*s += strspn(*s + 1, WHITESPACE) + 1;
-	if (*s[0] == '=' && !wspace)
-		*s += strspn(*s + 1, WHITESPACE) + 1;
-
-	return (old);
-}
diff --git a/crypto/openssh/version.c b/crypto/openssh/version.c
new file mode 100644
index 0000000..a661439
--- /dev/null
+++ b/crypto/openssh/version.c
@@ -0,0 +1,59 @@
+/*-
+ * Copyright (c) 2001 Brian Fundakowski Feldman
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include "includes.h"
+#include "version.h"
+#include "xmalloc.h"
+
+
+static char *version = NULL;
+
+const char *
+ssh_version_get(void) {
+
+	if (version == NULL)
+		version = xstrdup(SSH_VERSION_BASE " " SSH_VERSION_ADDENDUM);
+	return (version);
+}
+
+void
+ssh_version_set_addendum(const char *add) {
+	char *newvers;
+	size_t size;
+
+	if (add != NULL) {
+		size = strlen(SSH_VERSION_BASE) + 1 + strlen(add) + 1;
+		newvers = xmalloc(size);
+		snprintf(newvers, size, "%s %s", SSH_VERSION_BASE, add);
+	} else {
+		newvers = xstrdup(SSH_VERSION_BASE);
+	}
+	if (version != NULL)
+		xfree(version);
+	version = newvers;
+}
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
index e5ba5dd..5253723 100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@ -1,3 +1,12 @@
-/* $OpenBSD: version.h,v 1.41 2004/03/20 10:40:59 markus Exp $ */
+/* $OpenBSD: version.h,v 1.40 2004/02/23 15:16:46 markus Exp $ */
+/* $FreeBSD$ */
 
-#define SSH_VERSION	"OpenSSH_3.8.1p1"
+#ifndef SSH_VERSION
+
+#define SSH_VERSION             (ssh_version_get())
+#define SSH_VERSION_BASE        "OpenSSH_3.8p1"
+#define SSH_VERSION_ADDENDUM    "FreeBSD-20040226"
+
+const char *ssh_version_get(void);
+void ssh_version_set_addendum(const char *add);
+#endif /* SSH_VERSION */