Source snapshot from Powershell\openssh-portable

2025-07-22 05:24:43 +02:00 · 2016-11-29 14:50:13 -08:00 · 2016-11-29 14:50:13 -08:00 · 7c62169a93
commit 7c62169a93
parent 6411a23af7
430 changed files with 13774 additions and 100814 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -1,28 +0,0 @@
 *.0
 *.out
 Makefile
 autom4te.cache
 buildit.sh
 buildpkg.sh
 config.cache
 config.h
 config.h.in
 config.log
 config.status
 configure
 openssh.xml
 opensshd.init
 scp
 sftp
 sftp-server
 ssh
 ssh-add
 ssh-agent
 ssh-keygen
 ssh-keyscan
 ssh-keysign
 ssh-pkcs11-helper
 sshd
 stamp-h.in
 survey
 survey.sh
--- a/.gitattributes
+++ b/.gitattributes
@ -1,31 +0,0 @@
 # Auto detect text files and perform LF normalization
 * text=auto
 # Custom for Visual Studio
 *.cs     diff=csharp
 # Standard to msysgit
 *.doc	 diff=astextplain
 *.DOC	 diff=astextplain
 *.docx diff=astextplain
 *.DOCX diff=astextplain
 *.dot  diff=astextplain
 *.DOT  diff=astextplain
 *.pdf  diff=astextplain
 *.PDF	 diff=astextplain
 *.rtf	 diff=astextplain
 *.RTF	 diff=astextplain
 # conditions for Win32-OpenSSH
 *.sh text eol=lf
 config.sub text eol=lf
 fixalgorithms text eol=lf
 runconfigure text eol=lf
 configure text eol=lf
 config.guess text eol=lf
 config.sub text eol=lf
 win32_build text eol=lf
 win32_config.guess text eol=lf
 win32_config.sub text eol=lf
--- a/.gitignore
+++ b/.gitignore
@ -1,37 +1,14 @@
-#################
+################################################################################
-## Eclipse
+# This .gitignore file was automatically created by Microsoft(R) Visual Studio.
-#################
+################################################################################
-*.pydevproject
+/bin/x64/Debug
-.project
+/contrib/win32/openssh/.vs/Win32-OpenSSH/v14
-.metadata
+/contrib/win32/openssh/lib
-bin/
+/contrib/win32/openssh/Win32/Debug/config/config.tlog
-tmp/
+/contrib/win32/openssh/Win32/Debug/libssh/libssh.tlog
-*.tmp
+/contrib/win32/openssh/Win32/Debug/libssh
-*.bak
+/config.h
 *.swp
 *~.nib
 local.properties
 .classpath
 .settings/
 .loadpath
 # External tool builders
 .externalToolBuilders/
 # Locally stored "Eclipse launch configurations"
 *.launch
 # CDT-specific
 .cproject
 # PDT-specific
 .buildpath
 #################
 ## Visual Studio
 #################
 ## Ignore Visual Studio temporary files, build results, and
 ## files generated by popular Visual Studio add-ons.
@ -39,23 +16,51 @@ local.properties
 # User-specific files
 *.suo
 *.user
 *.userosscache
 *.sln.docstates
-# Build results
+# User-specific files (MonoDevelop/Xamarin Studio)
 *.userprefs
 # Build results
 [Dd]ebug/
 [Dd]ebugPublic/
 [Rr]elease/
 [Rr]eleases/
 x64/
-build/
+x86/
 bld/
 [Bb]in/
 [Oo]bj/
 [Ll]og/
 # Visual Studio 2015 cache/options directory
 .vs/
 # Uncomment if you have tasks that create the project's static files in wwwroot
 #wwwroot/
 # MSTest test Results
 [Tt]est[Rr]esult*/
 [Bb]uild[Ll]og.*
 # NUNIT
 *.VisualState.xml
 TestResult.xml
 # Build Results of an ATL Project
 [Dd]ebugPS/
 [Rr]eleasePS/
 dlldata.c
 # DNX
 project.lock.json
 project.fragment.lock.json
 artifacts/
 Properties/launchSettings.json
 *_i.c
 *_p.c
 *_i.h
 *.ilk
 *.meta
 *.obj
@ -75,21 +80,33 @@ build/
 *.vssscc
 .builds
 *.pidb
-*.log
+*.svclog
 *.scc
 *.c.bak
 *.h.bak
 # Chutzpah Test files
 _Chutzpah*
 # Visual C++ cache files
 ipch/
 *.aps
 *.ncb
 *.opendb
 *.opensdf
 *.sdf
 *.cachefile
 *.VC.db
 *.VC.VC.opendb
 # Visual Studio profiler
 *.psess
 *.vsp
 *.vspx
 *.sap
 # TFS 2012 Local Workspace
 $tf/
 # Guidance Automation Toolkit
 *.gpState
@ -97,6 +114,10 @@ ipch/
 # ReSharper is a .NET coding add-in
 _ReSharper*/
 *.[Rr]e[Ss]harper
 *.DotSettings.user
 # JustCode is a .NET coding add-in
 .JustCode
 # TeamCity is a build add-in
 _TeamCity*
@ -104,9 +125,21 @@ _TeamCity*
 # DotCover is a Code Coverage Tool
 *.dotCover
 # Visual Studio code coverage results
 *.coverage
 *.coveragexml
 # NCrunch
-*.ncrunch*
+_NCrunch_*
 .*crunch*.local.xml
 nCrunchTemp_*
 # MightyMoose
 *.mm.*
 AutoTest.Net/
 # Web workbench (sass)
 .sass-cache/
 # Installshield output folder
 [Ee]xpress/
@ -125,169 +158,129 @@ DocProject/Help/html
 publish/
 # Publish Web Output
-*.Publish.xml
+*.[Pp]ublish.xml
 *.azurePubxml
 # TODO: Comment the next line if you want to checkin your web deploy settings
 # but database connection strings (with potential passwords) will be unencrypted
 *.pubxml
 *.publishproj
-# NuGet Packages Directory
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
-## TODO: If you have NuGet Package Restore enabled, uncomment the next line
+# checkin your Azure Web App publish settings, but sensitive information contained
-#packages/
+# in these scripts will be unencrypted
 PublishScripts/
-# Windows Azure Build Output
+# NuGet Packages
-csx
+*.nupkg
 # The packages folder can be ignored because of Package Restore
 **/packages/*
 # except build/, which is used as an MSBuild target.
 !**/packages/build/
 # Uncomment if necessary however generally it will be regenerated when needed
 #!**/packages/repositories.config
 # NuGet v3's project.json files produces more ignoreable files
 *.nuget.props
 *.nuget.targets
 # Microsoft Azure Build Output
 csx/
 *.build.csdef
-# Windows Store app package directory
+# Microsoft Azure Emulator
 ecf/
 rcf/
 # Windows Store app package directories and files
 AppPackages/
 BundleArtifacts/
 Package.StoreAssociation.xml
 _pkginfo.txt
 # Visual Studio cache files
 # files ending in .cache can be ignored
 *.[Cc]ache
 # but keep track of directories ending in .cache
 !*.[Cc]ache/
 # Others
 sql/
 *.Cache
 ClientBin/
 [Ss]tyle[Cc]op.*
 ~$*
 *~
 *.dbmdl
-*.[Pp]ublish.xml
+*.dbproj.schemaview
 *.jfm
 *.pfx
 *.publishsettings
 node_modules/
 orleans.codegen.cs
 # Since there are multiple workflows, uncomment next line to ignore bower_components
 # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
 #bower_components/
 # RIA/Silverlight projects
 Generated_Code/
-# Backup & report files from converting an old project file to a newer
+# Backup & report files from converting an old project file
-# Visual Studio version. Backup files are not needed, because we have git ;-)
+# to a newer Visual Studio version. Backup files are not needed,
 # because we have git ;-)
 _UpgradeReport_Files/
 Backup*/
 UpgradeLog*.XML
 UpgradeLog*.htm
 # SQL Server files
-App_Data/*.mdf
+*.mdf
-App_Data/*.ldf
+*.ldf
-#############
+# Business Intelligence projects
-## Windows detritus
+*.rdl.data
-#############
+*.bim.layout
 *.bim_*.settings
-# Windows image file caches
+# Microsoft Fakes
-Thumbs.db
+FakesAssemblies/
 ehthumbs.db
-# Folder config file
+# GhostDoc plugin setting file
-Desktop.ini
+*.GhostDoc.xml
-# Recycle Bin used on file shares
+# Node.js Tools for Visual Studio
-$RECYCLE.BIN/
+.ntvs_analysis.dat
-# Mac crap
+# Visual Studio 6 build log
-.DS_Store
+*.plg
 # Visual Studio 6 workspace options file
 *.opt
-#############
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
-## Python
+*.vbw
 #############
-*.py[cod]
+# Visual Studio LightSwitch build output
 **/*.HTMLClient/GeneratedArtifacts
 **/*.DesktopClient/GeneratedArtifacts
 **/*.DesktopClient/ModelManifest.xml
 **/*.Server/GeneratedArtifacts
 **/*.Server/ModelManifest.xml
 _Pvt_Extensions
-# Packages
+# Paket dependency manager
-*.egg
+.paket/paket.exe
-*.egg-info
+paket-files/
 dist/
 build/
 eggs/
 parts/
 var/
 sdist/
 develop-eggs/
 .installed.cfg
-# Installer logs
+# FAKE - F# Make
-pip-log.txt
+.fake/
-# Unit test / coverage reports
+# JetBrains Rider
-.coverage
+.idea/
-.tox
+*.sln.iml
-#Translations
+# CodeRush
-*.mo
+.cr/
-#Mr Developer
+# Python Tools for Visual Studio (PTVS)
-.mr.developer.cfg
+__pycache__/
 *.pyc
-##################
+# Cake - Uncomment if you are using it
-# Win32-OpenSSH
+# tools/
 ##################
 *.o
 *.dll
 *.exe
 *.out
 *.a
 #Makefile
 config.status
 openssh.xml
 opensshd.init
 survey.sh
 buildpkg.sh
 ssh_host_rsa_key.pub
 ssh_host_rsa_key
 ssh_host_rsa_key
 ssh_host_rsa_key
 ssh_host_dsa_key
 ssh_host_dsa_key.pub
 ssh_host_ecdsa_key.pub
 ssh_host_ecdsa_key
 ssh_host_ed25519_key
 ssh_host_ed25519_key.pub
 ssh_host_rsa_key.pub
 id_rsa.pub
 id_rsa
 id_dsa.pub
 id_dsa
 is_rsa
 is_rsa.pub
 regress/t10.out.pub
 regress/t12.out.pub
 regress/t6.out1
 regress/t8.out.pub
 regress/t9.out.pub
 regress/t6.out1
 regress/t10.out.pub
 regress/t10.out.pub
 regress/t6.out1
 Makefile
 openbsd-compat/Makefile
 openbsd-compat/regress/Makefile
 contrib/win32/win32compat/Makefile
 regress/rsa_ssh2_cr.prv
 regress/rsa_ssh2_crnl.prv
 regress/t7.out.pub
 regress/t6.out2
 config.h
 config.h.in
 configure
 config.h.tail
 config.sub
 config.guess
 Makefile.in
 #temp key files
 d2utmpa*
 configure
 contrib/win32/openssh/Win32-OpenSSH.VC.opendb
 contrib/win32/openssh/Win32-OpenSSH.VC.db
 *.opendb
 *.db
 # Visual C++ cache files
 ipch/
 *.aps
 *.ncb
 *.opendb
 *.opensdf
 *.sdf
 *.cachefile
 *.VC.db
 *.VC.VC.opendb
--- a/.skipped-commit-ids
+++ b/.skipped-commit-ids
@ -0,0 +1,11 @@
 321065a95a7ccebdd5fd08482a1e19afbf524e35	Update DH groups
 d4f699a421504df35254cf1c6f1a7c304fb907ca	Remove 1k bit groups
 aafe246655b53b52bc32c8a24002bc262f4230f7	Remove intermediate moduli
 8fa9cd1dee3c3339ae329cf20fb591db6d605120	put back SSH1 for 6.9
 f31327a48dd4103333cc53315ec53fe65ed8a17a	Generate new moduli
 edbfde98c40007b7752a4ac106095e060c25c1ef	Regen moduli
 052fd565e3ff2d8cec3bc957d1788f50c827f8e2	Switch to tame-based sandbox
 7cf73737f357492776223da1c09179fa6ba74660	Remove moduli <2k
 180d84674be1344e45a63990d60349988187c1ae	Update moduli
 f6ae971186ba68d066cd102e57d5b0b2c211a5ee	systrace is dead.
 96c5054e3e1f170c6276902d5bc65bb3b87a2603	remove DEBUGLIBS from Makefile
--- a/1723
+++ b/1723
--- a/5
+++ b/5
@ -7,14 +7,15 @@ OpenSSL)
 Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems):
 http://www.gzip.org/zlib/
-libcrypto (LibreSSL or OpenSSL >= 0.9.8f)
+libcrypto (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0)
 LibreSSL http://www.libressl.org/ ; or
 OpenSSL http://www.openssl.org/
 LibreSSL/OpenSSL should be compiled as a position-independent library
 (i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
 If you must use a non-position-independent libcrypto, then you may need
-to configure OpenSSH --without-pie.
+to configure OpenSSH --without-pie.  Note that because of API changes,
 OpenSSL 1.1.x is not currently supported.
 The remaining items are optional.
--- a/INSTALL.win32
+++ b/INSTALL.win32
@ -1,227 +0,0 @@
 STEP 1: Prepare the Cygwin environment
 ======================================
 1. Download the Cygwin installer from  www.cygwin.com
 2. Launch the Cygwin installer, and ensure that packages listed below are selected as  'install':
   devel/mingw-*
   devel/mingw64-*
   perl/*
   devel/make: GNU Tool
   devel/autoconf
   devel/autoconf-2.69-2
   See REFERENCE VERSIONS below for the detailed list of packages used for reference build.
 STEP 2: Compile
 ===============
 Build with Cygwin 32-bit
 ------------------------
 1. Ensure that are you using correct mingw32 toolchain. You must have administrative rights.
   To do that, create symbolic links:
   /bin/i686-pc-mingw32-* |-> /bin/*
   or run the <openssh_dir>/scripts/set-mingw32.sh script  from the Cygwin /bin directory
 2. Prepare the 32-bit libssl.a and libcrypto.a libraries and the openssl headers.
   These libraries are used by 32-bit openssh and 32-bit ssh-lsa.
   - Download OpenSSL sources from http://www.openssl.org/source/.
     Version used as reference build is openssl-1.0.1e.
   - Compile sources by running:
     $./Configure mingw
     $make
 3. Prepare 32-bit libz.a and zlib.dll.
   - Download ZLIB sources from http://www.zlib.net
     Version used as reference build is 1.2.8.
   - Compile sources by running:
     make -f win32/Makefile.gcc
 4. Build 32-bit OpenSSH:
 Run the following commands under a Cygwin shell in the openssh directory:
     $autoreconf
     $./configure --build=i686-pc-mingw32 
                  --host=i686-pc-mingw32 
                  --with-ssl-dir=<OPENSSL_DIR> 
                  --with-zlib=<ZLIB_DIR>
                  --with-kerberos5
 where <OPENSSL_DIR> is a directory where openssl sources are extracted and <ZLIB_DIR> is a directory where zlib sources are extracted
     $cat config.h.tail >> config.h   
 Build one of SSH family tool:
 Run:
      $make <program>
       where <program> is any of the OpenSSH tools ported to Win32.
       sftp.exe          available starting from openssh-5.9p1-win32
       ssh-agent.exe     available starting from openssh-4.7p1-win32
       ssh-add.exe       available starting from openssh-4.7p1-win32
       ssh-keygen.exe    available starting from openssh-4.7p1-win32
       sftp-server.exe   available starting from openssh-4.7p1-win32
       ssh.exe
       sshd.exe
 4. Build 32-bit ssh-lsa for native RSA/DSA key authorization
 Move to <openssh_directory>contribwin32win32compatlsa directory and run:
    $export LIBSSL_PATH="/home/nars/openssl-1.0.1e"
    $make -f Makefile.mingw32
  - This command should produce the 32-bit ssh-lsa.dll file.
 Build with Cygwin 64-bit
 ------------------------
 1. Build 32-bit openssl, zlib and openssh following 1-4 steps from  32-bit instruction.  OpenSSH tools are always 32-bit.
 2. Ensure that you are using correct mingw64 toolchain. You must have administrative rights.
   To do that you must create symbolic links:
   /bin/x86_64-w64-mingw32-* |-> /bin/*
   or run <openssh_dir>/scripts/set-mingw64.sh from the Cygwin /bin directory.
 3. Prepare the 64-bit libssl.a and libcrypto.a libraries and the openssl headers. These libraries are used by 64-bit ssh-lsa.
   - Move clean OpenSSL sources into another directory, e.g. openssl-64.
   - Compile sources by running:
     $./Configure mingw64
     $make
 4. Build 64-bit ssh-lsa for native RSA/DSA key authorization
  - Move to <openssh_directory>contribwin32win32compatlsa directory and run:
    $export LIBSSL_PATH="/home/nars/openssl-1.0.1e"
    $make -f Makefile.mingw32
  - This command should produce 64-bit ssh-lsa.dll file.
 STEP 3 - Install ssh-lsa on system where sshd server is running
 ===============================================================
 - Copy the ssh-lsa.dll to the %WINDIR%/System32 directory.
 IMPORTANT NOTE:
 If your Windows is at 64-bit, be sure that you use a 64-bit file manager to copy ssh-lsa.dll, otherwise this dll will be not visible on the 64-bit OS.
 For example:
 - Drag and drop file using Windows explorer.
 Or:
 -  Run copy ssh-lsa.dll c:/windows/system32 under a cmd.exe console. 
 - Then, by using the regedit tool, add 'ssh-lsa' string to the end of the registry key below:
    HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Lsa/Authentication Packages
 Reboot the machine.
 REFERENCE VERSIONS 
 ==================
 CYGWIN PACKAGES
 ---------------
 13-1           Devel/autoconf: Wrapper for autoconf command
 2.13-12        Devel/autoconf2.1: Stable version of the automatic configure builder
 2.69-2         Devel/autoconf2.5: An extensible package of m4 macros shell scripts
                                  to automatically configure software code packages
 2.23.51-1      Devel/binutils: The GNU assembler, linker and binary utilites
 4.8.2-1        Devel/libgcc1: GCC C runtime library
 4.8.2-1        Devel/libssp0: GCC Stack-smashing Protection runtime library
 4.8.2-1        Devel/libstdc++6: GCC C++ runtime library
 4.0-2          Devel/make: The GNU version of 'make' utility
 2.23.1-1       Devel/mingw-binutils: Bintutils for MinGW.org win32 toolchain (util)
 4.7.3-1        Devel/mingw-gcc-core
 4.7.3-1        Devel/mingw-gcc-g++
 4.7.3-1        Devel/mingw-gcc-obj
 20110507-2     Devel/mingw-pthreads: Libpthread for MinGW.org
 4.0-1          Devel/mingw-runtime: MinGW.org MSVC & compiler runtime header and libraries
 4.0-1          Devel/mingw-w32api
 2.22.52-1      Devel/mingw64-i686-binutils
 4.7.3-1        Devel/mingw64-i686-gcc-core
 4.7.3-1        Devel/mingw64-i686-gcc-g++
 3.0.0-1        Devel/mingw64-i686-headers
 20100619-5     Devel/mingw64-i686-pthreads
 3.0.0-1        Devel/mingw64-i686-runtime
 3.0b_svn5935-1 Devel/mingw64-winpthreads
 2.22.52-1      Devel/mingw64-x86_64-binutils
 4.7.3-1        Devel/mingw64-x86_64-gcc
 4.7.3-1        Devel/mingw64-x86_64-core
 4.7.3-1        Devel/mingw64-x86_64-g++
 3.0.0-1        Devel/mingw64-x86_64-headers
 20100619-5     Devel/mingw64-x86_64-pthreads
 3.0.0-1        Devel/mingw64-x86_64-runtime
 3.0b-svn5935-1 Devel/mingw64-x86_64-winpthreads
 5.14.2-3       Perl/perl
 OpenSSL
 -------
 openssl-1.0.1e
 ZLIB 
 ----
 zlib-1.2.8
--- a/Makefile.in
+++ b/Makefile.in
@ -82,7 +82,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 	compat.o crc32.o deattack.o fatal.o hostfile.o \
 	log.o match.o md-sha256.o moduli.o nchan.o packet.o opacket.o \
 	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
-	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \
+	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o utf8.o \
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
 	ssh-pkcs11.o smult_curve25519_ref.o \
@ -91,11 +91,11 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
 	kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
 	kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
-	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o openssl-dh.o openssl-bn.o
+	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
 	platform-pledge.o platform-tracing.o
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
-	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
+	sshconnect.o sshconnect1.o sshconnect2.o mux.o
 	roaming_common.o roaming_client.o
 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 	audit.o audit-bsm.o audit-linux.o platform.o \
@ -108,9 +108,9 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 	sftp-server.o sftp-common.o \
 	roaming_common.o roaming_serv.o \
 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-	sandbox-seccomp-filter.o sandbox-capsicum.o
+	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
 	sandbox-solaris.o
 MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
@ -178,14 +178,14 @@ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
 ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
 	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
-ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
+ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o
-	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+	$(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
+ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
-	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@ -223,7 +223,7 @@ umac128.o:	umac.c
 	$(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $(srcdir)/umac.c \
 	    -DUMAC_OUTPUT_LEN=16 -Dumac_new=umac128_new \
 	    -Dumac_update=umac128_update -Dumac_final=umac128_final \
-	    -Dumac_delete=umac128_delete
+	    -Dumac_delete=umac128_delete -Dumac_ctx=umac128_ctx
 clean:	regressclean
 	rm -f *.o *.a $(TARGETS) logintest config.cache config.log
@ -240,6 +240,8 @@ clean:	regressclean
 	rm -f regress/unittests/hostkeys/test_hostkeys
 	rm -f regress/unittests/kex/*.o
 	rm -f regress/unittests/kex/test_kex
 	rm -f regress/misc/kexfuzz/*.o
 	rm -f regress/misc/kexfuzz/kexfuzz
 	(cd openbsd-compat && $(MAKE) clean)
 distclean:	regressclean
@ -260,6 +262,7 @@ distclean:	regressclean
 	rm -f regress/unittests/hostkeys/test_hostkeys
 	rm -f regress/unittests/kex/*.o
 	rm -f regress/unittests/kex/test_kex
 	rm -f regress/unittests/misc/kexfuzz
 	(cd openbsd-compat && $(MAKE) distclean)
 	if test -d pkg ; then \
 		rm -fr pkg ; \
@ -327,10 +330,6 @@ install-files:
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
 	-rm -f $(DESTDIR)$(bindir)/slogin
 	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
 	ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
 install-sysconf:
 	if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
@ -359,41 +358,19 @@ install-sysconf:
 host-key: ssh-keygen$(EXEEXT)
 	@if [ -z "$(DESTDIR)" ] ; then \
-		if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \
+		./ssh-keygen -A; \
-			echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \
+	fi
 		else \
 			./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
 		fi ; \
 		if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \
 			echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \
 		else \
 			./ssh-keygen -t dsa -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \
 		fi ; \
 		if [ -f $(sysconfdir)/ssh_host_rsa_key ] ; then \
 			echo "$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \
 		else \
 			./ssh-keygen -t rsa -f $(sysconfdir)/ssh_host_rsa_key -N "" ; \
 		fi ; \
 		if [ -f $(sysconfdir)/ssh_host_ed25519_key ] ; then \
 			echo "$(sysconfdir)/ssh_host_ed25519_key already exists, skipping." ; \
 		else \
 			./ssh-keygen -t ed25519 -f $(sysconfdir)/ssh_host_ed25519_key -N "" ; \
 		fi ; \
 		if [ -z "@COMMENT_OUT_ECC@" ] ; then \
 		    if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \
 			echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \
 		    else \
 			./ssh-keygen -t ecdsa -f $(sysconfdir)/ssh_host_ecdsa_key -N "" ; \
 		    fi ; \
 		fi ; \
 	fi ;
-host-key-force: ssh-keygen$(EXEEXT)
+host-key-force: ssh-keygen$(EXEEXT) ssh$(EXEEXT)
-	./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""
+	if ./ssh -Q protocol-version | grep '^1$$' >/dev/null; then \
 		./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""; \
 	fi
 	./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
 	./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""
 	./ssh-keygen -t ed25519 -f $(DESTDIR)$(sysconfdir)/ssh_host_ed25519_key -N ""
-	test -z "@COMMENT_OUT_ECC@" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""
+	if ./ssh -Q key | grep ecdsa >/dev/null ; then \
 		./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""; \
 	fi
 uninstallall:	uninstall
 	-rm -f $(DESTDIR)$(sysconfdir)/ssh_config
@ -407,7 +384,6 @@ uninstallall:	uninstall
 	-rmdir $(DESTDIR)$(libexecdir)
 uninstall:
 	-rm -f $(DESTDIR)$(bindir)/slogin
 	-rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT)
 	-rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT)
 	-rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
@ -430,7 +406,6 @@ uninstall:
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
 regress-prep:
 	[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
@ -447,19 +422,27 @@ regress-prep:
 		mkdir -p `pwd`/regress/unittests/hostkeys
 	[ -d `pwd`/regress/unittests/kex ] || \
 		mkdir -p `pwd`/regress/unittests/kex
 	[ -d `pwd`/regress/misc/kexfuzz ] || \
 		mkdir -p `pwd`/regress/misc/kexfuzz
 	[ -f `pwd`/regress/Makefile ] || \
 	    ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
-regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
+REGRESSLIBS=libssh.a $(LIBCOMPAT)
-	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
+
 regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c $(REGRESSLIBS)
 	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/modpipe.c \
 	$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c
+regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c $(REGRESSLIBS)
-	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
+	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/setuid-allowed.c \
 	$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-regress/netcat$(EXEEXT): $(srcdir)/regress/netcat.c
+regress/netcat$(EXEEXT): $(srcdir)/regress/netcat.c $(REGRESSLIBS)
-	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
+	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/netcat.c \
 	$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 regress/check-perm$(EXEEXT): $(srcdir)/regress/check-perm.c $(REGRESSLIBS)
 	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $(srcdir)/regress/check-perm.c \
 	$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 UNITTESTS_TEST_HELPER_OBJS=\
@ -510,8 +493,7 @@ regress/unittests/bitmap/test_bitmap$(EXEEXT): ${UNITTESTS_TEST_BITMAP_OBJS} \
 UNITTESTS_TEST_KEX_OBJS=\
 	regress/unittests/kex/tests.o \
-	regress/unittests/kex/test_kex.o \
+	regress/unittests/kex/test_kex.o
 	roaming_dummy.o
 regress/unittests/kex/test_kex$(EXEEXT): ${UNITTESTS_TEST_KEX_OBJS} \
    regress/unittests/test_helper/libtest_helper.a libssh.a
@ -530,17 +512,25 @@ regress/unittests/hostkeys/test_hostkeys$(EXEEXT): \
 	    regress/unittests/test_helper/libtest_helper.a \
 	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-REGRESS_BINARIES=\
+MISC_KEX_FUZZ_OBJS=\
-	regress/modpipe$(EXEEXT) \
+	regress/misc/kexfuzz/kexfuzz.o
 regress/misc/kexfuzz/kexfuzz$(EXEEXT): ${MISC_KEX_FUZZ_OBJS} libssh.a
 	$(LD) -o $@ $(LDFLAGS) $(MISC_KEX_FUZZ_OBJS) \
 	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 regress-binaries: regress/modpipe$(EXEEXT) \
 	regress/setuid-allowed$(EXEEXT) \
 	regress/netcat$(EXEEXT) \
 	regress/check-perm$(EXEEXT) \
 	regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
 	regress/unittests/sshkey/test_sshkey$(EXEEXT) \
 	regress/unittests/bitmap/test_bitmap$(EXEEXT) \
 	regress/unittests/hostkeys/test_hostkeys$(EXEEXT) \
-	regress/unittests/kex/test_kex$(EXEEXT)
+	regress/unittests/kex/test_kex$(EXEEXT) \
 	regress/misc/kexfuzz/kexfuzz$(EXEEXT)
-tests interop-tests t-exec: regress-prep $(TARGETS) $(REGRESS_BINARIES)
+tests interop-tests t-exec: regress-prep regress-binaries $(TARGETS)
 	BUILDDIR=`pwd`; \
 	TEST_SSH_SCP="$${BUILDDIR}/scp"; \
 	TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
@ -565,6 +555,7 @@ tests interop-tests t-exec: regress-prep $(TARGETS) $(REGRESS_BINARIES)
 		OBJ="$${BUILDDIR}/regress/" \
 		PATH="$${BUILDDIR}:$${PATH}" \
 		TEST_ENV=MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
 		TEST_MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
 		TEST_SSH_SCP="$${TEST_SSH_SCP}" \
 		TEST_SSH_SSH="$${TEST_SSH_SSH}" \
 		TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \
--- a/4
+++ b/4
@ -247,6 +247,8 @@ to request that the server make a connection to a Unix domain socket.
 	uint32		initial window size
 	uint32		maximum packet size
 	string		socket path
 	string		reserved
 	uint32		reserved
 Similar to forwarded-tcpip, forwarded-streamlocal is sent by the
 server when the client has previously send the server a streamlocal-forward
@ -452,4 +454,4 @@ respond with a SSH_FXP_STATUS message.
 This extension is advertised in the SSH_FXP_VERSION hello with version
 "1".
-$OpenBSD: PROTOCOL,v 1.29 2015/07/17 03:09:19 djm Exp $
+$OpenBSD: PROTOCOL,v 1.30 2016/04/08 06:35:54 djm Exp $
--- a/PROTOCOL.agent
+++ b/PROTOCOL.agent
@ -206,6 +206,28 @@ ECDSA certificates may be added with:
 	string			key_comment
 	constraint[]		key_constraints
 ED25519 keys may be added using the following request
 	byte			SSH2_AGENTC_ADD_IDENTITY or
 				SSH2_AGENTC_ADD_ID_CONSTRAINED
 	string			"ssh-ed25519"
 	string			ed25519_public_key
 	string			ed25519_private_key || ed25519_public_key
 	string			key_comment
 	constraint[]		key_constraints
 ED25519 certificates may be added with:
 	byte			SSH2_AGENTC_ADD_IDENTITY or
 				SSH2_AGENTC_ADD_ID_CONSTRAINED
 	string			"ssh-ed25519-cert-v01@openssh.com"
 	string			certificate
 	string			ed25519_public_key
 	string			ed25519_private_key || ed25519_public_key
 	string			key_comment
 	constraint[]		key_constraints
 For both ssh-ed25519 and ssh-ed25519-cert-v01@openssh.com keys, the private
 key has the public key appended (for historical reasons).
 RSA keys may be added with this request:
 	byte			SSH2_AGENTC_ADD_IDENTITY or
@ -557,4 +579,4 @@ Locking and unlocking affects both protocol 1 and protocol 2 keys.
 	SSH_AGENT_CONSTRAIN_LIFETIME			1
 	SSH_AGENT_CONSTRAIN_CONFIRM			2
-$OpenBSD: PROTOCOL.agent,v 1.8 2015/05/08 03:56:51 djm Exp $
+$OpenBSD: PROTOCOL.agent,v 1.11 2016/05/19 07:45:32 djm Exp $
--- a/PROTOCOL.certkeys
+++ b/PROTOCOL.certkeys
@ -100,9 +100,9 @@ DSA certificate
 ECDSA certificate
-    string    "ecdsa-sha2-nistp256@openssh.com" |
+    string    "ecdsa-sha2-nistp256-v01@openssh.com" |
-              "ecdsa-sha2-nistp384@openssh.com" |
+              "ecdsa-sha2-nistp384-v01@openssh.com" |
-              "ecdsa-sha2-nistp521@openssh.com"
+              "ecdsa-sha2-nistp521-v01@openssh.com"
    string    nonce
    string    curve
    string    public_key
@ -118,6 +118,23 @@ ECDSA certificate
    string    signature key
    string    signature
 ED25519 certificate
    string    "ssh-ed25519-cert-v01@openssh.com"
    string    nonce
    string    pk
    uint64    serial
    uint32    type
    string    key id
    string    valid principals
    uint64    valid after
    uint64    valid before
    string    critical options
    string    extensions
    string    reserved
    string    signature key
    string    signature
 The nonce field is a CA-provided random bitstring of arbitrary length
 (but typically 16 or 32 bytes) included to make attacks that depend on
 inducing collisions in the signature hash infeasible.
@ -129,6 +146,9 @@ p, q, g, y are the DSA parameters as described in FIPS-186-2.
 curve and public key are respectively the ECDSA "[identifier]" and "Q"
 defined in section 3.1 of RFC5656.
 pk is the encoded Ed25519 public key as defined by
 draft-josefsson-eddsa-ed25519-03.
 serial is an optional certificate serial number set by the CA to
 provide an abbreviated way to refer to certificates from that CA.
 If a CA does not wish to number its certificates it must set this
@ -146,7 +166,7 @@ strings packed inside it. These principals list the names for which this
 certificate is valid; hostnames for SSH_CERT_TYPE_HOST certificates and
 usernames for SSH_CERT_TYPE_USER certificates. As a special case, a
 zero-length "valid principals" field means the certificate is valid for
-any principal of the specified type. XXX DNS wildcards?
+any principal of the specified type.
 "valid after" and "valid before" specify a validity period for the
 certificate. Each represents a time in seconds since 1970-01-01
@ -183,7 +203,7 @@ signature is computed over all preceding fields from the initial string
 up to, and including the signature key. Signatures are computed and
 encoded according to the rules defined for the CA's public key algorithm
 (RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA
-types).
+types), and draft-josefsson-eddsa-ed25519-03 for Ed25519.
 Critical options
 ----------------
@ -203,8 +223,9 @@ option-specific information (see below). All options are
 "critical", if an implementation does not recognise a option
 then the validating party should refuse to accept the certificate.
-The supported options and the contents and structure of their
+No critical options are defined for host certificates at present. The
-data fields are:
+supported user certificate options and the contents and structure of
 their data fields are:
 Name                    Format        Description
 -----------------------------------------------------------------------------
@ -233,8 +254,9 @@ as is the requirement that each name appear only once.
 If an implementation does not recognise an extension, then it should
 ignore it.
-The supported extensions and the contents and structure of their data
+No extensions are defined for host certificates at present. The
-fields are:
+supported user certificate extensions and the contents and structure of
 their data fields are:
 Name                    Format        Description
 -----------------------------------------------------------------------------
@ -262,4 +284,4 @@ permit-user-rc          empty         Flag indicating that execution of
                                      of this script will not be permitted if
                                      this option is not present.
-$OpenBSD: PROTOCOL.certkeys,v 1.9 2012/03/28 07:23:22 djm Exp $
+$OpenBSD: PROTOCOL.certkeys,v 1.10 2016/05/03 10:27:59 djm Exp $
--- a/PROTOCOL.chacha20poly1305
+++ b/PROTOCOL.chacha20poly1305
@ -34,6 +34,8 @@ Detailed Construction
 The chacha20-poly1305@openssh.com cipher requires 512 bits of key
 material as output from the SSH key exchange. This forms two 256 bit
 keys (K_1 and K_2), used by two separate instances of chacha20.
 The first 256 bits consitute K_2 and the second 256 bits become
 K_1.
 The instance keyed by K_1 is a stream cipher that is used only
 to encrypt the 4 byte packet length field. The second instance,
@ -101,5 +103,5 @@ References
 [3] "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley
    http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
-$OpenBSD: PROTOCOL.chacha20poly1305,v 1.2 2013/12/02 02:50:27 djm Exp $
+$OpenBSD: PROTOCOL.chacha20poly1305,v 1.3 2016/05/03 13:10:24 djm Exp $
--- a/3
+++ b/3
@ -1,5 +1,4 @@
-See http://www.openssh.com/txt/release-7.1 for the release notes.
+See http://www.openssh.com/txt/release-7.3p1 for the release notes.
 See https://github.com/PowerShell/Win32-OpenSSH/wiki for build/deployment information
 Please read http://www.openssh.com/report.html for bug reporting
 instructions and note that we do not use Github for bug reporting or
--- a/README.md
+++ b/README.md
@ -1,13 +0,0 @@
 # OpenSSH
 Win32 port of OpenSSH
 See the [wiki](https://github.com/PowerShell/Win32-OpenSSH/wiki) for installation instructions and help
 [First release announcement](http://blogs.msdn.com/b/powershell/archive/2015/10/19/openssh-for-windows-update.aspx
 )
 ### Chocolatey
 [![](http://img.shields.io/chocolatey/dt/win32-openssh.svg)](https://chocolatey.org/packages/win32-openssh) [![](http://img.shields.io/chocolatey/v/win32-openssh.svg)](https://chocolatey.org/packages/win32-openssh)
--- a/README.platform
+++ b/README.platform
@ -36,6 +36,9 @@ loginrestrictions() function, in particular that the user has the
 "rlogin" attribute set.  This check is not done for the root account,
 instead the PermitRootLogin setting in sshd_config is used.
 If you are using the IBM compiler you probably want to use CC=xlc rather
 than the default of cc.
 Cygwin
 ------
--- a/README.win32
+++ b/README.win32
@ -1,180 +0,0 @@
 README.win32
 openssh-5.9p1-win32-3
 - Added the INSTALL.win32 to the package. It provides installation
  instructions for the OpenSSH win32 port.
 openssh-5.9p1-win32-2
 - Adjusted sources to compile with mingw-gcc 4.7.
 openssh-5.9p1-win32-1
 Implemented:
 - Ported statvfs and fstatvfs extensions in sftp-server on
   Windows.
 - Added support for Windows domain accounts.
 - Added support for network logon if interactive one failed on Windows.
 - Implemented Kerberos authentication using MIT/Kerberos and native
   SSPI/Kerberos.
 - Disabled stdin echo while reading password on Windows.
 - sshd doesn't need lsa, when target user is owner of sshd
   process on Windows.
 - integrated ssh-lsa with openssh tree.
 Bug fixes:
 - Fixed resource leaks in sshd on Windows.
 - Fixed possible hang up in ssh on Windows.
 - Fixed clean up of Winsta0 DACL on server side.
 - Added 'PamLibrary' option to sshd_config. This option changes
   default path to libpam.so. if no specified default path is used.
 - Ported -oAuthorizedKeysFile to Windows.
 - Fixed path expanding under SYSTEM account on Windows.
 - Fixed block issue when the same socket used for stdin and stdout in
   sftp-server on Windows.
 - Fixed possible heap corruption on file copying in sftp-server.
 - Fixed possible connection drop, when copying big files in
   sftp-server on Windows.
 - Removed one redundant code page conversion in sftp-server on Windows.
 - Fixed access to root directory in sftp-server on Windows.
 - Fixed wrong exit code in SERVICE_CONTROL_STOP handler on Windows.
 - Changed encoding local characters while formatting error messages on
   Windows.
 - Speeded up retreving HANDLE's type, when socket used on Windows.
 - Set stdout to binary mode as default if pipe is used in ssh on
   Windows.
 openssh-5.9p1-win32
 - Updated to OpenSSH version 5.9p1.
 - The openSSH SFTP client has been ported to Win 32.
 openssh-4.7p1-win32-1
 - The following tools have been ported to Win32: ssh-agent, ssh-add,
  sftp-server program and ssh-keygen. All the basic functionalities
  related to the creation of the key-pairs are fully supported. The
  managing of the known_hosts file is missing.
 - Added support to SSH client for MIT Kerberos for Windows and for
  authorization based on smartcard devices.
 - Updated SSH server to support login also when the account doesn't
  have administrative privileges.
 - Added support for native RSA/DSA key authorization via ssh-lsa.
  Installing this tool requires administrative privileges and
  a reboot of the machine.
 - The ProxyCommand option is now supported on Win32.
 - Added support for installing SSHD as a service by means of sc.exe
  command line tool for Windows. Since command line parameters are not
  passed to the SSHD process, a default sshd_config file is searched
  in the following locations: in the installation directory where
  sshd.exe is located (e.g. C:\sshd); the directory 'etc' under
  the installation directory (e.g. C:\sshd\etc), and the directory 'etc'  
  in the installation directory (e.g C:\etc).
 - Improved SSH server to be fully operative on Windows Vista. SSHD can
  work on Windows XP without SP1.
 - Improved logging facilities of SSHD: now all instances of the SSH
  server log to the same file and SSHD creates a minidump file if a
  crash occurs.
 - Solved problem with processes that may be left running when the SSHD
  service is stopped or after an abnormal closure of the SSH session.
 - Fixed some memory leaks.
 - Fixed possible crashes of SSHD when a great number of connections is
  established.
 - Fixed possible hanging of the SSHD service that may occurr when the
  SSH session is closing and when reading a passphrase.
 - Fixed logging behavior of SSH client. Now when the client is run in
  debug mode, output of packet dumps can be redirected to a file.
  Solved other issues occurring when packet dumps when standard error
  is redirected.
 - Fixed a problem related to the inheritance of handles in SSHD.
 - Fixed a bug in the session_get() function causing a segmentation
  fault of SSHD.
 - Fixed the closure of startup pipes. This solves a problem which was
  limiting the number of sessions to 10.
 - Fixed a problem causing a delay in establishing the connection when
  SSHD is started as a Win32 service. Speeded-up login.
 - Disabled the privilege separation on Win32.
 - Solved issues preventing the correct detection of home directory
  either on Windows 7 and when the user domain is set to NULL.
 - Fixed a segmentation fault of SSHD on Windows 7 at 64bit.
 - Added the setting of the USERPROFILE variable to the value detected
  just after a successful login.
 openssh-5.4p1-win32
 - Updated to OpenSSH version 5.4p1.
 openssh-4.7p1-win32
 - Added the Win32 compat layer.
 - The Win32 layer provides support for: User identity and password
  management functions like getuid(),setuid(),getpw*() and others;
  string management functions like strcasecmp(), strncasecmp() and
  other functions such as gettimeofday() and gethomedir(); management
  of file descriptors, file handlers and sockets in an unified way;
  file descriptor and sockets functions such as fstat(), fdopen(),
  open(), dup(),dup2(), pipe(),create(),shutdown(),accept(),read(),
  write(),close(), socket(), setsockopt(),getsockopt(), getpeername(),
  getsockname(), ioctlsocket(), listen(),bind(),connect(), and others;
  the select() function which can work on sockets, files, pipes and
  console handlers; Windows users authentication.
 - Introduced some changes to the OpenSSH code for: supporting the
  CreateProcess() function replacing fork() and allowing compilation
  on Win32 platform.
 - Open Issues: SSHD cannot be installed as a Windows service by means
  of Win32 administrative tools; if SSHD is running as a Windows
  service, it requires that property 'Allow service to interact with
  desktop' is set; to allow the connecting user to be authenticated by
  SSHD, it is necessary that the user belongs to the 'Administrators'
  group; if the connecting user has been authorized with public key
  authentication, the GetUserName() function always returns 'SYSTEM'
  instead of the username; possible crashes may occur during autho-
  rization phase when SSHD is running on Vista; port of the ssh-keygen
  tool is not available in this version.
--- a/aclocal.m4
+++ b/aclocal.m4
@ -1,4 +1,4 @@
-dnl $Id: aclocal.m4,v 1.8 2011/05/20 01:45:25 djm Exp $
+dnl $Id: aclocal.m4,v 1.13 2014/01/22 10:30:12 djm Exp $
 dnl
 dnl OpenSSH-specific autoconf macros
 dnl
@ -8,19 +8,104 @@ dnl Check that $CC accepts a flag 'check_flag'. If it is supported append
 dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append
 dnl 'check_flag'.
 AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
-	AC_MSG_CHECKING([if $CC supports $1])
+	AC_MSG_CHECKING([if $CC supports compile flag $1])
 	saved_CFLAGS="$CFLAGS"
-	CFLAGS="$CFLAGS $1"
+	CFLAGS="$CFLAGS $WERROR $1"
 	_define_flag="$2"
 	test "x$_define_flag" = "x" && _define_flag="$1"
-	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
+	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
-		[ AC_MSG_RESULT([yes])
+#include <stdlib.h>
-		  CFLAGS="$saved_CFLAGS $_define_flag"],
+#include <stdio.h>
 int main(int argc, char **argv) {
 	/* Some math to catch -ftrapv problems in the toolchain */
 	int i = 123 * argc, j = 456 + argc, k = 789 - argc;
 	float l = i * 2.1;
 	double m = l / 0.5;
 	long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
 	printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
 	exit(0);
 }
 	]])],
 		[
 if `grep -i "unrecognized option" conftest.err >/dev/null`
 then
 		AC_MSG_RESULT([no])
 		CFLAGS="$saved_CFLAGS"
 else
 		AC_MSG_RESULT([yes])
 		 CFLAGS="$saved_CFLAGS $_define_flag"
 fi],
 		[ AC_MSG_RESULT([no])
 		  CFLAGS="$saved_CFLAGS" ]
 	)
 }])
 dnl OSSH_CHECK_CFLAG_LINK(check_flag[, define_flag])
 dnl Check that $CC accepts a flag 'check_flag'. If it is supported append
 dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append
 dnl 'check_flag'.
 AC_DEFUN([OSSH_CHECK_CFLAG_LINK], [{
 	AC_MSG_CHECKING([if $CC supports compile flag $1 and linking succeeds])
 	saved_CFLAGS="$CFLAGS"
 	CFLAGS="$CFLAGS $WERROR $1"
 	_define_flag="$2"
 	test "x$_define_flag" = "x" && _define_flag="$1"
 	AC_LINK_IFELSE([AC_LANG_SOURCE([[
 #include <stdlib.h>
 #include <stdio.h>
 int main(int argc, char **argv) {
 	/* Some math to catch -ftrapv problems in the toolchain */
 	int i = 123 * argc, j = 456 + argc, k = 789 - argc;
 	float l = i * 2.1;
 	double m = l / 0.5;
 	long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
 	printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
 	exit(0);
 }
 	]])],
 		[
 if `grep -i "unrecognized option" conftest.err >/dev/null`
 then
 		AC_MSG_RESULT([no])
 		CFLAGS="$saved_CFLAGS"
 else
 		AC_MSG_RESULT([yes])
 		 CFLAGS="$saved_CFLAGS $_define_flag"
 fi],
 		[ AC_MSG_RESULT([no])
 		  CFLAGS="$saved_CFLAGS" ]
 	)
 }])
 dnl OSSH_CHECK_LDFLAG_LINK(check_flag[, define_flag])
 dnl Check that $LD accepts a flag 'check_flag'. If it is supported append
 dnl 'define_flag' to $LDFLAGS. If 'define_flag' is not specified, then append
 dnl 'check_flag'.
 AC_DEFUN([OSSH_CHECK_LDFLAG_LINK], [{
 	AC_MSG_CHECKING([if $LD supports link flag $1])
 	saved_LDFLAGS="$LDFLAGS"
 	LDFLAGS="$LDFLAGS $WERROR $1"
 	_define_flag="$2"
 	test "x$_define_flag" = "x" && _define_flag="$1"
 	AC_LINK_IFELSE([AC_LANG_SOURCE([[
 #include <stdlib.h>
 #include <stdio.h>
 int main(int argc, char **argv) {
 	/* Some math to catch -ftrapv problems in the toolchain */
 	int i = 123 * argc, j = 456 + argc, k = 789 - argc;
 	float l = i * 2.1;
 	double m = l / 0.5;
 	long long int n = argc * 12345LL, o = 12345LL * (long long int)argc;
 	printf("%d %d %d %f %f %lld %lld\n", i, j, k, l, m, n, o);
 	exit(0);
 }
 		]])],
 		[ AC_MSG_RESULT([yes])
 		  LDFLAGS="$saved_LDFLAGS $_define_flag"],
 		[ AC_MSG_RESULT([no])
 		  LDFLAGS="$saved_LDFLAGS" ]
 	)
 }])
 dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol)
 dnl Does AC_EGREP_HEADER on 'header' for the string 'field'
--- a/acss.c
+++ b/acss.c
@ -1,267 +0,0 @@
 /*	$Id: acss.c,v 1.4 2006/07/24 04:51:01 djm Exp $ */
 /*
 * Copyright (c) 2004 The OpenBSD project
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 #include "includes.h"
 #include <string.h>
 #include <openssl/evp.h>
 #if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00906000L)
 #include "acss.h"
 /* decryption sbox */
 static unsigned char sboxdec[] = {
 	0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76,
 	0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b,
 	0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96,
 	0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b,
 	0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12,
 	0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f,
 	0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90,
 	0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91,
 	0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74,
 	0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75,
 	0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94,
 	0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95,
 	0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10,
 	0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11,
 	0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92,
 	0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f,
 	0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16,
 	0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b,
 	0xb3, 0xf3, 0xbb, 0xa6, 0xe3, 0xa3, 0xeb, 0xf6,
 	0xbe, 0xfe, 0xb6, 0xab, 0xee, 0xae, 0xe6, 0xfb,
 	0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72,
 	0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f,
 	0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0,
 	0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1,
 	0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14,
 	0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15,
 	0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4,
 	0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5,
 	0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70,
 	0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71,
 	0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2,
 	0xba, 0xfa, 0xb2, 0xaf, 0xea, 0xaa, 0xe2, 0xff
 };
 /* encryption sbox */
 static unsigned char sboxenc[] = {
 	0x33, 0x3b, 0x73, 0x15, 0x53, 0x5b, 0x13, 0x75,
 	0x3d, 0x35, 0x7d, 0x1b, 0x5d, 0x55, 0x1d, 0x7b,
 	0x67, 0x6f, 0x27, 0x81, 0xc7, 0xcf, 0x87, 0x21,
 	0x69, 0x61, 0x29, 0x8f, 0xc9, 0xc1, 0x89, 0x2f,
 	0xe3, 0xeb, 0xa3, 0x05, 0x43, 0x4b, 0x03, 0xa5,
 	0xed, 0xe5, 0xad, 0x0b, 0x4d, 0x45, 0x0d, 0xab,
 	0xea, 0xe2, 0xaa, 0x00, 0x4a, 0x42, 0x0a, 0xa0,
 	0xe8, 0xe0, 0xa8, 0x02, 0x48, 0x40, 0x08, 0xa2,
 	0x3e, 0x36, 0x7e, 0x14, 0x5e, 0x56, 0x1e, 0x74,
 	0x3c, 0x34, 0x7c, 0x16, 0x5c, 0x54, 0x1c, 0x76,
 	0x6a, 0x62, 0x2a, 0x80, 0xca, 0xc2, 0x8a, 0x20,
 	0x68, 0x60, 0x28, 0x82, 0xc8, 0xc0, 0x88, 0x22,
 	0xee, 0xe6, 0xae, 0x04, 0x4e, 0x46, 0x0e, 0xa4,
 	0xec, 0xe4, 0xac, 0x06, 0x4c, 0x44, 0x0c, 0xa6,
 	0xe7, 0xef, 0xa7, 0x01, 0x47, 0x4f, 0x07, 0xa1,
 	0xe9, 0xe1, 0xa9, 0x0f, 0x49, 0x41, 0x09, 0xaf,
 	0x63, 0x6b, 0x23, 0x85, 0xc3, 0xcb, 0x83, 0x25,
 	0x6d, 0x65, 0x2d, 0x8b, 0xcd, 0xc5, 0x8d, 0x2b,
 	0x37, 0x3f, 0x77, 0x11, 0x57, 0x5f, 0x17, 0x71,
 	0x39, 0x31, 0x79, 0x1f, 0x59, 0x51, 0x19, 0x7f,
 	0xb3, 0xbb, 0xf3, 0x95, 0xd3, 0xdb, 0x93, 0xf5,
 	0xbd, 0xb5, 0xfd, 0x9b, 0xdd, 0xd5, 0x9d, 0xfb,
 	0xba, 0xb2, 0xfa, 0x90, 0xda, 0xd2, 0x9a, 0xf0,
 	0xb8, 0xb0, 0xf8, 0x92, 0xd8, 0xd0, 0x98, 0xf2,
 	0x6e, 0x66, 0x2e, 0x84, 0xce, 0xc6, 0x8e, 0x24,
 	0x6c, 0x64, 0x2c, 0x86, 0xcc, 0xc4, 0x8c, 0x26,
 	0x3a, 0x32, 0x7a, 0x10, 0x5a, 0x52, 0x1a, 0x70,
 	0x38, 0x30, 0x78, 0x12, 0x58, 0x50, 0x18, 0x72,
 	0xbe, 0xb6, 0xfe, 0x94, 0xde, 0xd6, 0x9e, 0xf4,
 	0xbc, 0xb4, 0xfc, 0x96, 0xdc, 0xd4, 0x9c, 0xf6,
 	0xb7, 0xbf, 0xf7, 0x91, 0xd7, 0xdf, 0x97, 0xf1,
 	0xb9, 0xb1, 0xf9, 0x9f, 0xd9, 0xd1, 0x99, 0xff
 };
 static unsigned char reverse[] = {
 	0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
 	0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0,
 	0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8,
 	0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8,
 	0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4,
 	0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4,
 	0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec,
 	0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc,
 	0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2,
 	0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2,
 	0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea,
 	0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa,
 	0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6,
 	0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6,
 	0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee,
 	0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe,
 	0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1,
 	0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1,
 	0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9,
 	0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9,
 	0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5,
 	0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5,
 	0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed,
 	0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd,
 	0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3,
 	0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3,
 	0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb,
 	0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb,
 	0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7,
 	0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7,
 	0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef,
 	0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff
 };
 /*
 * Two linear feedback shift registers are used:
 *
 * lfsr17:  polynomial of degree 17, primitive modulo 2 (listed in Schneier)
 *          x^15 + x + 1
 * lfsr25:  polynomial of degree 25, not know if primitive modulo 2
 *          x^13 + x^5 + x^4 + x^1 + 1
 *
 * Output bits are discarded, instead the feedback bits are added to produce
 * the cipher stream.  Depending on the mode, feedback bytes may be inverted
 * bit-wise before addition.
 *
 * The lfsrs are seeded with bytes from the raw key:
 *
 * lfsr17:  byte 0[0:7] at bit 9
 *          byte 1[0:7] at bit 0
 *
 * lfsr25:  byte 2[0:4] at bit 16
 *          byte 2[5:7] at bit 22
 *          byte 3[0:7] at bit 8
 *          byte 4[0:7] at bit 0
 *
 * To prevent 0 cycles, 1's are inject at bit 8 in lfrs17 and bit 21 in
 * lfsr25.
 *
 */
 int
 acss(ACSS_KEY *key, unsigned long len, const unsigned char *in,
    unsigned char *out)
 {
 	unsigned long i;
 	unsigned long lfsr17tmp, lfsr25tmp, lfsrsumtmp;
 	lfsrsumtmp = lfsr17tmp = lfsr25tmp = 0;
 	/* keystream is sum of lfsrs */
 	for (i = 0; i < len; i++) {
 		lfsr17tmp = key->lfsr17 ^ (key->lfsr17 >> 14);
 		key->lfsr17 = (key->lfsr17 >> 8)
 			^ (lfsr17tmp << 9)
 			^ (lfsr17tmp << 12)
 			^ (lfsr17tmp << 15);
 		key->lfsr17 &= 0x1ffff;	/* 17 bit LFSR */
 		lfsr25tmp = key->lfsr25
 			^ (key->lfsr25 >> 3)
 			^ (key->lfsr25 >> 4)
 			^ (key->lfsr25 >> 12);
 		key->lfsr25 = (key->lfsr25 >> 8) ^ (lfsr25tmp << 17);
 		key->lfsr25 &= 0x1ffffff;	/* 25 bit LFSR */
 		lfsrsumtmp = key->lfsrsum;
 		/* addition */
 		switch (key->mode) {
 		case ACSS_AUTHENTICATE:
 		case ACSS_DATA:
 			key->lfsrsum = 0xff & ~(key->lfsr17 >> 9);
 			key->lfsrsum += key->lfsr25 >> 17;
 			break;
 		case ACSS_SESSIONKEY:
 			key->lfsrsum = key->lfsr17 >> 9;
 			key->lfsrsum += key->lfsr25 >> 17;
 			break;
 		case ACSS_TITLEKEY:
 			key->lfsrsum = key->lfsr17 >> 9;
 			key->lfsrsum += 0xff & ~(key->lfsr25 >> 17);
 			break;
 		default:
 			return 1;
 		}
 		key->lfsrsum += (lfsrsumtmp >> 8);
 		if (key->encrypt) {
 			out[i] = sboxenc[(in[i] ^ key->lfsrsum) & 0xff];
 		} else {
 			out[i] = (sboxdec[in[i]] ^ key->lfsrsum) & 0xff;
 		}
 	}
 	return 0;
 }
 static void
 acss_seed(ACSS_KEY *key)
 {
 	int i;
 	/* if available, mangle with subkey */
 	if (key->subkey_avilable) {
 		for (i = 0; i < ACSS_KEYSIZE; i++)
 			key->seed[i] = reverse[key->data[i] ^ key->subkey[i]];
 	} else {
 		for (i = 0; i < ACSS_KEYSIZE; i++)
 			key->seed[i] = reverse[key->data[i]];
 	}
 	/* seed lfsrs */
 	key->lfsr17 = key->seed[1]
 		| (key->seed[0] << 9)
 		| (1 << 8);	/* inject 1 at bit 9 */
 	key->lfsr25 = key->seed[4]
 		| (key->seed[3] << 8)
 		| ((key->seed[2] & 0x1f) << 16)
 		| ((key->seed[2] & 0xe0) << 17)
 			| (1 << 21);	/* inject 1 at bit 22 */
 	key->lfsrsum = 0;
 }
 void
 acss_setkey(ACSS_KEY *key, const unsigned char *data, int enc, int mode)
 {
 	memcpy(key->data, data, sizeof(key->data));
 	memset(key->subkey, 0, sizeof(key->subkey));
 	if (enc != -1)
 		key->encrypt = enc;
 	key->mode = mode;
 	key->subkey_avilable = 0;
 	acss_seed(key);
 }
 void
 acss_setsubkey(ACSS_KEY *key, const unsigned char *subkey)
 {
 	memcpy(key->subkey, subkey, sizeof(key->subkey));
 	key->subkey_avilable = 1;
 	acss_seed(key);
 }
 #endif
--- a/acss.h
+++ b/acss.h
@ -1,47 +0,0 @@
 /*	$Id: acss.h,v 1.2 2004/02/06 04:22:43 dtucker Exp $ */
 /*
 * Copyright (c) 2004 The OpenBSD project
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 #ifndef _ACSS_H_
 #define _ACSS_H_
 /* 40bit key */
 #define ACSS_KEYSIZE		5
 /* modes of acss */
 #define ACSS_AUTHENTICATE	0
 #define ACSS_SESSIONKEY		1
 #define ACSS_TITLEKEY		2
 #define ACSS_DATA		3
 typedef struct acss_key_st {
 	unsigned int	lfsr17;		/* current state of lfsrs */
 	unsigned int	lfsr25;
 	unsigned int	lfsrsum;
 	unsigned char	seed[ACSS_KEYSIZE];
 	unsigned char	data[ACSS_KEYSIZE];
 	unsigned char	subkey[ACSS_KEYSIZE];
 	int		encrypt;	/* XXX make these bit flags? */
 	int		mode;
 	int		seeded;
 	int		subkey_avilable;
 } ACSS_KEY;
 void acss_setkey(ACSS_KEY *, const unsigned char *, int, int);
 void acss_setsubkey(ACSS_KEY *, const unsigned char *);
 int acss(ACSS_KEY *, unsigned long, const unsigned char *, unsigned char *);
 #endif /* ifndef _ACSS_H_ */
--- a/appveyor.yml
+++ b/appveyor.yml
@ -0,0 +1,42 @@
 version: 0.0.4.0.{build}
 image: Visual Studio 2015
 branches:
  only:
    - V_7_3w
 init:
  - ps: iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
 build_script:
  - ps: |
      Import-Module $env:APPVEYOR_BUILD_FOLDER\contrib\win32\openssh\AppVeyor.psm1
      Invoke-AppVeyorBuild
 after_build:
  - ps: |
      Import-Module $env:APPVEYOR_BUILD_FOLDER\contrib\win32\openssh\AppVeyor.psm1
      Install-OpenSSH
  - ps: Write-Verbose "Restart computer ..."
  - ps: Restart-Computer -ComputerName localhost -Force
  - ps: Start-Sleep -s 5 # Needs to be proceeded with -ps: as it's interpreted by AppVeyor
  - ps: Write-Verbose "Restart computer completed"
 before_test:
  - ps: |
      Import-Module $env:APPVEYOR_BUILD_FOLDER\contrib\win32\openssh\AppVeyor.psm1
      Install-TestDependencies  
 test_script:
  - cmd: |
      "%ProgramFiles%\PowerShell\6.0.0.12\powershell.exe" -Command "Import-Module \"%APPVEYOR_BUILD_FOLDER%\contrib\win32\openssh\AppVeyor.psm1\";Run-OpenSSHTests"
 after_test:
  - ps: |
      Import-Module $env:APPVEYOR_BUILD_FOLDER\contrib\win32\openssh\AppVeyor.psm1
      Upload-OpenSSHTestResults
 on_finish:
  - ps: |
      Import-Module $env:APPVEYOR_BUILD_FOLDER\contrib\win32\openssh\AppVeyor.psm1      
      Publish-Artifact
--- a/atomicio.c
+++ b/atomicio.c
@ -54,7 +54,7 @@ atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n,
 {
 	char *s = _s;
 	size_t pos = 0;
-	int res;
+	ssize_t res;
 	struct pollfd pfd;
 #ifndef BROKEN_READ_COMPARISON
--- a/audit-bsm.c
+++ b/audit-bsm.c
@ -35,7 +35,6 @@
 /* #pragma ident	"@(#)bsmaudit.c	1.1	01/09/17 SMI" */
 #include "includes.h"
 #if defined(USE_BSM_AUDIT)
 #include <sys/types.h>
--- a/audit-linux.c
+++ b/audit-linux.c
@ -36,17 +36,17 @@
 #include "log.h"
 #include "audit.h"
 #include "canohost.h"
 #include "packet.h"
 const char *audit_username(void);
 int
-linux_audit_record_event(int uid, const char *username,
+linux_audit_record_event(int uid, const char *username, const char *hostname,
-    const char *hostname, const char *ip, const char *ttyn, int success)
+    const char *ip, const char *ttyn, int success)
 {
 	int audit_fd, rc, saved_errno;
-	audit_fd = audit_open();
+	if ((audit_fd = audit_open()) < 0) {
 	if (audit_fd < 0) {
 		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
 		    errno == EAFNOSUPPORT)
 			return 1; /* No audit support in kernel */
@ -58,6 +58,7 @@ linux_audit_record_event(int uid, const char *username,
 	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
 	saved_errno = errno;
 	close(audit_fd);
 	/*
 	 * Do not report error if the error is EPERM and sshd is run as non
 	 * root user.
@ -65,7 +66,8 @@ linux_audit_record_event(int uid, const char *username,
 	if ((rc == -EPERM) && (geteuid() != 0))
 		rc = 0;
 	errno = saved_errno;
-	return (rc >= 0);
+
 	return rc >= 0;
 }
 /* Below is the sshd audit API code */
@ -73,8 +75,8 @@ linux_audit_record_event(int uid, const char *username,
 void
 audit_connection_from(const char *host, int port)
 {
 }
 	/* not implemented */
 }
 void
 audit_run_command(const char *command)
@ -85,8 +87,8 @@ audit_run_command(const char *command)
 void
 audit_session_open(struct logininfo *li)
 {
-	if (linux_audit_record_event(li->uid, NULL, li->hostname,
+	if (linux_audit_record_event(li->uid, NULL, li->hostname, NULL,
-	    NULL, li->line, 1) == 0)
+	    li->line, 1) == 0)
 		fatal("linux_audit_write_entry failed: %s", strerror(errno));
 }
@ -99,6 +101,8 @@ audit_session_close(struct logininfo *li)
 void
 audit_event(ssh_audit_event_t event)
 {
 	struct ssh *ssh = active_state; /* XXX */
 	switch(event) {
 	case SSH_AUTH_SUCCESS:
 	case SSH_CONNECTION_CLOSE:
@ -106,7 +110,6 @@ audit_event(ssh_audit_event_t event)
 	case SSH_LOGIN_EXCEED_MAXTRIES:
 	case SSH_LOGIN_ROOT_DENIED:
 		break;
 	case SSH_AUTH_FAIL_NONE:
 	case SSH_AUTH_FAIL_PASSWD:
 	case SSH_AUTH_FAIL_KBDINT:
@ -115,12 +118,11 @@ audit_event(ssh_audit_event_t event)
 	case SSH_AUTH_FAIL_GSSAPI:
 	case SSH_INVALID_USER:
 		linux_audit_record_event(-1, audit_username(), NULL,
-			get_remote_ipaddr(), "sshd", 0);
+		    ssh_remote_ipaddr(ssh), "sshd", 0);
 		break;
 	default:
 		debug("%s: unhandled event %d", __func__, event);
 		break;
 	}
 }
 #endif /* USE_LINUX_AUDIT */
--- a/auth-bsdauth.c
+++ b/auth-bsdauth.c
@ -1,4 +1,4 @@
-/* $OpenBSD: auth-bsdauth.c,v 1.13 2014/06/24 01:13:21 djm Exp $ */
+/* $OpenBSD: auth-bsdauth.c,v 1.14 2015/10/20 23:24:25 mmcc Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
 *
@ -24,14 +24,6 @@
 */
 #include "includes.h"
 /*
 * We support only client side kerberos on Windows.
 */
 #ifdef WIN32_FIXME
  #undef GSSAPI
  #undef KRB5
 #endif
 #include <sys/types.h>
 #include <stdarg.h>
@ -111,7 +103,7 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses)
 	if (!authctxt->valid)
 		return -1;
-	if (authctxt->as == 0)
+	if (authctxt->as == NULL)
 		error("bsdauth_respond: no bsd auth session");
 	if (numresponses != 1)
--- a/auth-krb5.c
+++ b/auth-krb5.c
@ -1,8 +1,8 @@
-/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */
+/* $OpenBSD: auth-krb5.c,v 1.22 2016/05/04 14:22:33 markus Exp $ */
 /*
 *    Kerberos v5 authentication and ticket-passing routines.
 *
- * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
+ * From: FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar
 */
 /*
 * Copyright (c) 2002 Daniel Kouril.  All rights reserved.
@ -30,22 +30,12 @@
 #include "includes.h"
 /*
 * We support only client side kerberos on Windows.
 */
 #ifdef WIN32_FIXME
  #undef GSSAPI
  #undef KRB5
 #endif
 #include <sys/types.h>
 #include <pwd.h>
 #include <stdarg.h>
 #include "xmalloc.h"
 #include "ssh.h"
 #include "ssh1.h"
 #include "packet.h"
 #include "log.h"
 #include "buffer.h"
--- a/auth-options.c
+++ b/auth-options.c
@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.71 2016/03/07 19:02:43 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -12,15 +12,6 @@
 #include "includes.h"
 /*
 * We support only client side kerberos on Windows.
 */
 #ifdef WIN32_FIXME
  #undef GSSAPI
  #undef KRB5
 #endif
 #include <sys/types.h>
 #include <netdb.h>
@ -38,6 +29,7 @@
 #include "ssherr.h"
 #include "log.h"
 #include "canohost.h"
 #include "packet.h"
 #include "sshbuf.h"
 #include "misc.h"
 #include "channels.h"
@ -84,18 +76,44 @@ auth_clear_options(void)
 		free(ce->s);
 		free(ce);
 	}
 	if (forced_command) {
 	free(forced_command);
 	forced_command = NULL;
 	}
 	if (authorized_principals) {
 	free(authorized_principals);
 	authorized_principals = NULL;
 	}
 	forced_tun_device = -1;
 	channel_clear_permitted_opens();
 }
 /*
 * Match flag 'opt' in *optsp, and if allow_negate is set then also match
 * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0
 * if negated option matches. 
 * If the option or negated option matches, then *optsp is updated to
 * point to the first character after the option and, if 'msg' is not NULL
 * then a message based on it added via auth_debug_add().
 */
 static int
 match_flag(const char *opt, int allow_negate, char **optsp, const char *msg)
 {
 	size_t opt_len = strlen(opt);
 	char *opts = *optsp;
 	int negate = 0;
 	if (allow_negate && strncasecmp(opts, "no-", 3) == 0) {
 		opts += 3;
 		negate = 1;
 	}
 	if (strncasecmp(opts, opt, opt_len) == 0) {
 		*optsp = opts + opt_len;
 		if (msg != NULL) {
 			auth_debug_add("%s %s.", msg,
 			    negate ? "disabled" : "enabled");
 		}
 		return negate ? 0 : 1;
 	}
 	return -1;
 }
 /*
 * return 1 if access is granted, 0 if not.
 * side effect: sets key option flags
@ -103,8 +121,9 @@ auth_clear_options(void)
 int
 auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 {
 	struct ssh *ssh = active_state;		/* XXX */
 	const char *cp;
-	int i;
+	int i, r;
 	/* reset options */
 	auth_clear_options();
@ -113,51 +132,47 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		return 1;
 	while (*opts && *opts != ' ' && *opts != '\t') {
-		cp = "cert-authority";
+		if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) {
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+			key_is_cert_authority = r;
 			key_is_cert_authority = 1;
 			opts += strlen(cp);
 			goto next_option;
 		}
-		cp = "no-port-forwarding";
+		if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) {
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+			auth_debug_add("Key is restricted.");
 			auth_debug_add("Port forwarding disabled.");
 			no_port_forwarding_flag = 1;
 			opts += strlen(cp);
 			goto next_option;
 		}
 		cp = "no-agent-forwarding";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			auth_debug_add("Agent forwarding disabled.");
 			no_agent_forwarding_flag = 1;
 			opts += strlen(cp);
 			goto next_option;
 		}
 		cp = "no-X11-forwarding";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			auth_debug_add("X11 forwarding disabled.");
 			no_x11_forwarding_flag = 1;
 			opts += strlen(cp);
 			goto next_option;
 		}
 		cp = "no-pty";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			auth_debug_add("Pty allocation disabled.");
 			no_pty_flag = 1;
-			opts += strlen(cp);
+			no_user_rc = 1;
 			goto next_option;
 		}
-		cp = "no-user-rc";
+		if ((r = match_flag("port-forwarding", 1, &opts,
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+		    "Port forwarding")) != -1) {
-			auth_debug_add("User rc file execution disabled.");
+			no_port_forwarding_flag = r != 1;
-			no_user_rc = 1;
+			goto next_option;
-			opts += strlen(cp);
+		}
 		if ((r = match_flag("agent-forwarding", 1, &opts,
 		    "Agent forwarding")) != -1) {
 			no_agent_forwarding_flag = r != 1;
 			goto next_option;
 		}
 		if ((r = match_flag("x11-forwarding", 1, &opts,
 		    "X11 forwarding")) != -1) {
 			no_x11_forwarding_flag = r != 1;
 			goto next_option;
 		}
 		if ((r = match_flag("pty", 1, &opts,
 		    "PTY allocation")) != -1) {
 			no_pty_flag = r != 1;
 			goto next_option;
 		}
 		if ((r = match_flag("user-rc", 1, &opts,
 		    "User rc execution")) != -1) {
 			no_user_rc = r != 1;
 			goto next_option;
 		}
 		cp = "command=\"";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			opts += strlen(cp);
 			if (forced_command != NULL)
 			free(forced_command);
 			forced_command = xmalloc(strlen(opts) + 1);
 			i = 0;
@ -188,7 +203,6 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		cp = "principals=\"";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			opts += strlen(cp);
 			if (authorized_principals != NULL)
 			free(authorized_principals);
 			authorized_principals = xmalloc(strlen(opts) + 1);
 			i = 0;
@ -261,9 +275,9 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		}
 		cp = "from=\"";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			const char *remote_ip = get_remote_ipaddr();
+			const char *remote_ip = ssh_remote_ipaddr(ssh);
-			const char *remote_host = get_canonical_hostname(
+			const char *remote_host = auth_get_canonical_hostname(
-			    options.use_dns);
+			    ssh, options.use_dns);
 			char *patterns = xmalloc(strlen(opts) + 1);
 			opts += strlen(cp);
@ -445,6 +459,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
    char **cert_forced_command,
    int *cert_source_address_done)
 {
 	struct ssh *ssh = active_state;		/* XXX */
 	char *command, *allowed;
 	const char *remote_ip;
 	char *name = NULL;
@ -518,7 +533,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
 					free(allowed);
 					goto out;
 				}
-				remote_ip = get_remote_ipaddr();
+				remote_ip = ssh_remote_ipaddr(ssh);
 				result = addr_match_cidr_list(remote_ip,
 				    allowed);
 				free(allowed);
@ -575,7 +590,6 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
 		free(*cert_forced_command);
 		*cert_forced_command = NULL;
 	}
 	if (name != NULL)
 	free(name);
 	sshbuf_free(data);
 	sshbuf_free(c);
@ -620,7 +634,6 @@ auth_cert_options(struct sshkey *k, struct passwd *pw)
 	no_user_rc |= cert_no_user_rc;
 	/* CA-specified forced command supersedes key option */
 	if (cert_forced_command != NULL) {
 		if (forced_command != NULL)
 		free(forced_command);
 		forced_command = cert_forced_command;
 	}
--- a/auth-pam.c
+++ b/auth-pam.c
@ -45,16 +45,9 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
+/* Based on FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des */
 #include "includes.h"
 /*
 * We support only client side kerberos on Windows.
 */
-#ifdef WIN32_FIXME
+#include "includes.h"
  #undef GSSAPI
  #undef KRB5
 #endif
 #include <sys/types.h>
 #include <sys/stat.h>
@ -75,9 +68,9 @@
 /* OpenGroup RFC86.0 and XSSO specify no "const" on arguments */
 #ifdef PAM_SUN_CODEBASE
-# define sshpam_const		/* Solaris, HP-UX, AIX */
+# define sshpam_const		/* Solaris, HP-UX, SunOS */
 #else
-# define sshpam_const	const	/* LinuxPAM, OpenPAM */
+# define sshpam_const	const	/* LinuxPAM, OpenPAM, AIX */
 #endif
 /* Ambiguity in spec: is it an array of pointers or a pointer to an array? */
@ -161,9 +154,12 @@ sshpam_sigchld_handler(int sig)
 	    <= 0) {
 		/* PAM thread has not exitted, privsep slave must have */
 		kill(cleanup_ctxt->pam_thread, SIGTERM);
-		if (waitpid(cleanup_ctxt->pam_thread, &sshpam_thread_status, 0)
+		while (waitpid(cleanup_ctxt->pam_thread,
-		    <= 0)
+		    &sshpam_thread_status, 0) == -1) {
-			return; /* could not wait */
+			if (errno == EINTR)
 				continue;
 			return;
 		}
 	}
 	if (WIFSIGNALED(sshpam_thread_status) &&
 	    WTERMSIG(sshpam_thread_status) == SIGTERM)
@ -224,7 +220,11 @@ pthread_join(sp_pthread_t thread, void **value)
 	if (sshpam_thread_status != -1)
 		return (sshpam_thread_status);
 	signal(SIGCHLD, sshpam_oldsig);
-	waitpid(thread, &status, 0);
+	while (waitpid(thread, &status, 0) == -1) {
 		if (errno == EINTR)
 			continue;
 		fatal("%s: waitpid: %s", __func__, strerror(errno));
 	}
 	return (status);
 }
 #endif
@ -236,10 +236,10 @@ static int sshpam_authenticated = 0;
 static int sshpam_session_open = 0;
 static int sshpam_cred_established = 0;
 static int sshpam_account_status = -1;
 static int sshpam_maxtries_reached = 0;
 static char **sshpam_env = NULL;
 static Authctxt *sshpam_authctxt = NULL;
 static const char *sshpam_password = NULL;
 static char badpw[] = "\b\n\r\177INCORRECT";
 /* Some PAM implementations don't implement this */
 #ifndef HAVE_PAM_GETENVLIST
@ -372,17 +372,6 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
 	for (i = 0; i < n; ++i) {
 		switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
 		case PAM_PROMPT_ECHO_OFF:
 			buffer_put_cstring(&buffer,
 			    PAM_MSG_MEMBER(msg, i, msg));
 			if (ssh_msg_send(ctxt->pam_csock,
 			    PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
 				goto fail;
 			if (ssh_msg_recv(ctxt->pam_csock, &buffer) == -1)
 				goto fail;
 			if (buffer_get_char(&buffer) != PAM_AUTHTOK)
 				goto fail;
 			reply[i].resp = buffer_get_string(&buffer, NULL);
 			break;
 		case PAM_PROMPT_ECHO_ON:
 			buffer_put_cstring(&buffer,
 			    PAM_MSG_MEMBER(msg, i, msg));
@ -396,12 +385,6 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
 			reply[i].resp = buffer_get_string(&buffer, NULL);
 			break;
 		case PAM_ERROR_MSG:
 			buffer_put_cstring(&buffer,
 			    PAM_MSG_MEMBER(msg, i, msg));
 			if (ssh_msg_send(ctxt->pam_csock,
 			    PAM_MSG_MEMBER(msg, i, msg_style), &buffer) == -1)
 				goto fail;
 			break;
 		case PAM_TEXT_INFO:
 			buffer_put_cstring(&buffer,
 			    PAM_MSG_MEMBER(msg, i, msg));
@ -475,6 +458,8 @@ sshpam_thread(void *ctxtp)
 	if (sshpam_err != PAM_SUCCESS)
 		goto auth_fail;
 	sshpam_err = pam_authenticate(sshpam_handle, flags);
 	if (sshpam_err == PAM_MAXTRIES)
 		sshpam_set_maxtries_reached(1);
 	if (sshpam_err != PAM_SUCCESS)
 		goto auth_fail;
@ -526,6 +511,8 @@ sshpam_thread(void *ctxtp)
 	/* XXX - can't do much about an error here */
 	if (sshpam_err == PAM_ACCT_EXPIRED)
 		ssh_msg_send(ctxt->pam_csock, PAM_ACCT_EXPIRED, &buffer);
 	else if (sshpam_maxtries_reached)
 		ssh_msg_send(ctxt->pam_csock, PAM_MAXTRIES, &buffer);
 	else
 		ssh_msg_send(ctxt->pam_csock, PAM_AUTH_ERR, &buffer);
 	buffer_free(&buffer);
@ -631,6 +618,7 @@ sshpam_init(Authctxt *authctxt)
 	extern char *__progname;
 	const char *pam_rhost, *pam_user, *user = authctxt->user;
 	const char **ptr_pam_user = &pam_user;
 	struct ssh *ssh = active_state; /* XXX */
 	if (sshpam_handle != NULL) {
 		/* We already have a PAM context; check if the user matches */
@ -651,7 +639,7 @@ sshpam_init(Authctxt *authctxt)
 		sshpam_handle = NULL;
 		return (-1);
 	}
-	pam_rhost = get_remote_name_or_ip(utmp_len, options.use_dns);
+	pam_rhost = auth_get_canonical_hostname(ssh, options.use_dns);
 	debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
 	sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
 	if (sshpam_err != PAM_SUCCESS) {
@ -722,6 +710,7 @@ static int
 sshpam_query(void *ctx, char **name, char **info,
    u_int *num, char ***prompts, u_int **echo_on)
 {
 	struct ssh *ssh = active_state; /* XXX */
 	Buffer buffer;
 	struct pam_ctxt *ctxt = ctx;
 	size_t plen;
@ -764,7 +753,11 @@ sshpam_query(void *ctx, char **name, char **info,
 			free(msg);
 			break;
 		case PAM_ACCT_EXPIRED:
 		case PAM_MAXTRIES:
 			if (type == PAM_ACCT_EXPIRED)
 				sshpam_account_status = 0;
 			if (type == PAM_MAXTRIES)
 				sshpam_set_maxtries_reached(1);
 			/* FALLTHROUGH */
 		case PAM_AUTH_ERR:
 			debug3("PAM: %s", pam_strerror(sshpam_handle, type));
@ -804,7 +797,7 @@ sshpam_query(void *ctx, char **name, char **info,
 			error("PAM: %s for %s%.100s from %.100s", msg,
 			    sshpam_authctxt->valid ? "" : "illegal user ",
 			    sshpam_authctxt->user,
-			    get_remote_name_or_ip(utmp_len, options.use_dns));
+			    auth_get_canonical_hostname(ssh, options.use_dns));
 			/* FALLTHROUGH */
 		default:
 			*num = 0;
@ -817,12 +810,35 @@ sshpam_query(void *ctx, char **name, char **info,
 	return (-1);
 }
 /*
 * Returns a junk password of identical length to that the user supplied.
 * Used to mitigate timing attacks against crypt(3)/PAM stacks that
 * vary processing time in proportion to password length.
 */
 static char *
 fake_password(const char *wire_password)
 {
 	const char junk[] = "\b\n\r\177INCORRECT";
 	char *ret = NULL;
 	size_t i, l = wire_password != NULL ? strlen(wire_password) : 0;
 	if (l >= INT_MAX)
 		fatal("%s: password length too long: %zu", __func__, l);
 	ret = malloc(l + 1);
 	for (i = 0; i < l; i++)
 		ret[i] = junk[i % (sizeof(junk) - 1)];
 	ret[i] = '\0';
 	return ret;
 }
 /* XXX - see also comment in auth-chall.c:verify_response */
 static int
 sshpam_respond(void *ctx, u_int num, char **resp)
 {
 	Buffer buffer;
 	struct pam_ctxt *ctxt = ctx;
 	char *fake;
 	debug2("PAM: %s entering, %u responses", __func__, num);
 	switch (ctxt->pam_done) {
@ -843,8 +859,11 @@ sshpam_respond(void *ctx, u_int num, char **resp)
 	    (sshpam_authctxt->pw->pw_uid != 0 ||
 	    options.permit_root_login == PERMIT_YES))
 		buffer_put_cstring(&buffer, *resp);
-	else
+	else {
-		buffer_put_cstring(&buffer, badpw);
+		fake = fake_password(*resp);
 		buffer_put_cstring(&buffer, fake);
 		free(fake);
 	}
 	if (ssh_msg_send(ctxt->pam_psock, PAM_AUTHTOK, &buffer) == -1) {
 		buffer_free(&buffer);
 		return (-1);
@ -1188,6 +1207,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 {
 	int flags = (options.permit_empty_passwd == 0 ?
 	    PAM_DISALLOW_NULL_AUTHTOK : 0);
 	char *fake = NULL;
 	if (!options.use_pam || sshpam_handle == NULL)
 		fatal("PAM: %s called when PAM disabled or failed to "
@ -1203,7 +1223,7 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 	 */
 	if (!authctxt->valid || (authctxt->pw->pw_uid == 0 &&
 	    options.permit_root_login != PERMIT_YES))
-		sshpam_password = badpw;
+		sshpam_password = fake = fake_password(password);
 	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
 	    (const void *)&passwd_conv);
@ -1213,6 +1233,9 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 	sshpam_err = pam_authenticate(sshpam_handle, flags);
 	sshpam_password = NULL;
 	free(fake);
 	if (sshpam_err == PAM_MAXTRIES)
 		sshpam_set_maxtries_reached(1);
 	if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
 		debug("PAM: password authentication accepted for %.100s",
 		    authctxt->user);
@ -1224,4 +1247,21 @@ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
 		return 0;
 	}
 }
 int
 sshpam_get_maxtries_reached(void)
 {
 	return sshpam_maxtries_reached;
 }
 void
 sshpam_set_maxtries_reached(int reached)
 {
 	if (reached == 0 || sshpam_maxtries_reached)
 		return;
 	sshpam_maxtries_reached = 1;
 	options.password_authentication = 0;
 	options.kbd_interactive_authentication = 0;
 	options.challenge_response_authentication = 0;
 }
 #endif /* USE_PAM */
--- a/auth-pam.h
+++ b/auth-pam.h
@ -45,6 +45,8 @@ void free_pam_environment(char **);
 void sshpam_thread_cleanup(void);
 void sshpam_cleanup(void);
 int sshpam_auth_passwd(Authctxt *, const char *);
 int sshpam_get_maxtries_reached(void);
 void sshpam_set_maxtries_reached(int);
 int is_pam_session_open(void);
 #endif /* USE_PAM */
--- a/auth-passwd.c
+++ b/auth-passwd.c
@ -1,4 +1,4 @@
-/* $OpenBSD: auth-passwd.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */
+/* $OpenBSD: auth-passwd.c,v 1.45 2016/07/21 01:39:35 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -37,18 +37,6 @@
 */
 #include "includes.h"
 #ifdef WIN32_FIXME
 #include "xmalloc.h"
 #endif
 /*
  * We support only client side kerberos on Windows.
  */
 #ifdef WIN32_FIXME
 #undef GSSAPI
 #undef KRB5
 #endif
 #include <sys/types.h>
@ -78,6 +66,8 @@ extern login_cap_t *lc;
 #define DAY		(24L * 60 * 60) /* 1 day in seconds */
 #define TWO_WEEKS	(2L * 7 * DAY)	/* 2 weeks in seconds */
 #define MAX_PASSWORD_LEN	1024
 void
 disable_forwarding(void)
 {
@ -99,6 +89,9 @@ auth_password(Authctxt *authctxt, const char *password)
 	static int expire_checked = 0;
 #endif
 	if (strlen(password) > MAX_PASSWORD_LEN)
 		return 0;
 #ifndef HAVE_CYGWIN
 	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
 		ok = 0;
@ -201,7 +194,9 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 	}
 }
-#elif defined(WIN32_FIXME)
+#endif
 #ifdef WINDOWS
 extern int auth_sock;
 int sys_auth_passwd(Authctxt *authctxt, const char *password)
 {
@ -246,7 +241,7 @@ int
 sys_auth_passwd(Authctxt *authctxt, const char *password)
 {
 	struct passwd *pw = authctxt->pw;
-	char *encrypted_password;
+	char *encrypted_password, *salt = NULL;
 	/* Just use the supplied fake password if authctxt is invalid */
 	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
@ -255,9 +250,13 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
 		return (1);
-	/* Encrypt the candidate password using the proper salt. */
+	/*
-	encrypted_password = xcrypt(password,
+	 * Encrypt the candidate password using the proper salt, or pass a
-	    (pw_password[0] && pw_password[1]) ? pw_password : "xx");
+	 * NULL and let xcrypt pick one.
 	 */
 	if (authctxt->valid && pw_password[0] && pw_password[1])
 		salt = pw_password;
 	encrypted_password = xcrypt(password, salt);
 	/*
 	 * Authentication is accepted if the encrypted passwords
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rh-rsa.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */
+/* $OpenBSD: auth-rh-rsa.c,v 1.45 2016/03/07 19:02:43 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -15,11 +15,6 @@
 #include "includes.h"
 #ifdef WIN32_FIXME
  #undef GSSAPI
  #undef KRB5
 #endif
 #ifdef WITH_SSH1
 #include <sys/types.h>
@ -47,8 +42,8 @@
 extern ServerOptions options;
 int
-auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
+auth_rhosts_rsa_key_allowed(struct passwd *pw, const char *cuser,
-    Key *client_host_key)
+    const char *chost, Key *client_host_key)
 {
 	HostStatus host_status;
@ -73,7 +68,8 @@ auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
 int
 auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key)
 {
-	char *chost;
+	struct ssh *ssh = active_state; /* XXX */
 	const char *chost;
 	struct passwd *pw = authctxt->pw;
 	debug("Trying rhosts with RSA host authentication for client user %.100s",
@ -83,7 +79,7 @@ auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key)
 	    client_host_key->rsa == NULL)
 		return 0;
-	chost = (char *)get_canonical_hostname(options.use_dns);
+	chost = auth_get_canonical_hostname(ssh, options.use_dns);
 	debug("Rhosts RSA authentication: canonical host %.900s", chost);
 	if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) {
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rhosts.c,v 1.46 2014/12/23 22:42:48 djm Exp $ */
+/* $OpenBSD: auth-rhosts.c,v 1.47 2016/03/07 19:02:43 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -16,15 +16,6 @@
 #include "includes.h"
 /*
 * We support only client side kerberos on Windows.
 */
 #ifdef WIN32_FIXME
  #undef GSSAPI
  #undef KRB5
 #endif
 #include <sys/types.h>
 #include <sys/stat.h>
@ -39,14 +30,15 @@
 #include <unistd.h>
 #include "packet.h"
 #include "buffer.h"
 #include "uidswap.h"
 #include "pathnames.h"
 #include "log.h"
 #include "misc.h"
 #include "buffer.h" /* XXX */
 #include "key.h" /* XXX */
 #include "servconf.h"
 #include "canohost.h"
-#include "key.h"
+#include "sshkey.h"
 #include "hostfile.h"
 #include "auth.h"
@ -203,10 +195,11 @@ check_rhosts_file(const char *filename, const char *hostname,
 int
 auth_rhosts(struct passwd *pw, const char *client_user)
 {
 	struct ssh *ssh = active_state;	/* XXX */
 	const char *hostname, *ipaddr;
-	hostname = get_canonical_hostname(options.use_dns);
+	hostname = auth_get_canonical_hostname(ssh, options.use_dns);
-	ipaddr = get_remote_ipaddr();
+	ipaddr = ssh_remote_ipaddr(ssh);
 	return auth_rhosts2(pw, client_user, hostname, ipaddr);
 }
--- a/auth-rsa.c
+++ b/auth-rsa.c
@ -16,15 +16,6 @@
 #include "includes.h"
 /*
 * We support only client side kerberos on Windows.
 */
 #ifdef WIN32_FIXME
  #undef GSSAPI
  #undef KRB5
 #endif
 #ifdef WITH_SSH1
 #include <sys/types.h>
--- a/auth-skey.c
+++ b/auth-skey.c
@ -25,15 +25,6 @@
 #include "includes.h"
 /*
 * We support only client side kerberos on Windows.
 */
 #ifdef WIN32_FIXME
  #undef GSSAPI
  #undef KRB5
 #endif
 #ifdef SKEY
 #include <sys/types.h>
--- a/auth.c
+++ b/auth.c
@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.113 2015/08/21 03:42:19 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.115 2016/06/15 00:40:40 dtucker Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@ -27,6 +27,7 @@
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
@ -50,6 +51,7 @@
 #include <string.h>
 #include <unistd.h>
 #include <limits.h>
 #include <netdb.h>
 #include "xmalloc.h"
 #include "match.h"
@ -97,6 +99,7 @@ int auth_debug_init;
 int
 allowed_user(struct passwd * pw)
 {
 	struct ssh *ssh = active_state; /* XXX */
 	struct stat st;
 	const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
 	u_int i;
@ -184,8 +187,8 @@ allowed_user(struct passwd * pw)
 	if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
 	    options.num_deny_groups > 0 || options.num_allow_groups > 0) {
-		hostname = get_canonical_hostname(options.use_dns);
+		hostname = auth_get_canonical_hostname(ssh, options.use_dns);
-		ipaddr = get_remote_ipaddr();
+		ipaddr = ssh_remote_ipaddr(ssh);
 	}
 	/* Return false if user is listed in DenyUsers */
@ -276,6 +279,7 @@ void
 auth_log(Authctxt *authctxt, int authenticated, int partial,
    const char *method, const char *submethod)
 {
 	struct ssh *ssh = active_state; /* XXX */
 	void (*authlog) (const char *fmt,...) = verbose;
 	char *authmsg;
@ -302,8 +306,8 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
 	    submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
 	    authctxt->valid ? "" : "invalid user ",
 	    authctxt->user,
-	    get_remote_ipaddr(),
+	    ssh_remote_ipaddr(ssh),
-	    get_remote_port(),
+	    ssh_remote_port(ssh),
 	    compat20 ? "ssh2" : "ssh1",
 	    authctxt->info != NULL ? ": " : "",
 	    authctxt->info != NULL ? authctxt->info : "");
@ -316,11 +320,12 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
 	    strncmp(method, "keyboard-interactive", 20) == 0 ||
 	    strcmp(method, "challenge-response") == 0))
 		record_failed_login(authctxt->user,
-		    get_canonical_hostname(options.use_dns), "ssh");
+		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
 # ifdef WITH_AIXAUTHENTICATE
 	if (authenticated)
 		sys_auth_record_login(authctxt->user,
-		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
+		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh",
 		    &loginmsg);
 # endif
 #endif
 #ifdef SSH_AUDIT_EVENTS
@ -333,12 +338,14 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
 void
 auth_maxtries_exceeded(Authctxt *authctxt)
 {
 	struct ssh *ssh = active_state; /* XXX */
 	error("maximum authentication attempts exceeded for "
 	    "%s%.100s from %.200s port %d %s",
 	    authctxt->valid ? "" : "invalid user ",
 	    authctxt->user,
-	    get_remote_ipaddr(),
+	    ssh_remote_ipaddr(ssh),
-	    get_remote_port(),
+	    ssh_remote_port(ssh),
 	    compat20 ? "ssh2" : "ssh1");
 	packet_disconnect("Too many authentication failures");
 	/* NOTREACHED */
@ -350,6 +357,8 @@ auth_maxtries_exceeded(Authctxt *authctxt)
 int
 auth_root_allowed(const char *method)
 {
 	struct ssh *ssh = active_state; /* XXX */
 	switch (options.permit_root_login) {
 	case PERMIT_YES:
 		return 1;
@ -366,7 +375,8 @@ auth_root_allowed(const char *method)
 		}
 		break;
 	}
-	logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
+	logit("ROOT LOGIN REFUSED FROM %.200s port %d",
 	    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
 	return 0;
 }
@ -378,7 +388,6 @@ auth_root_allowed(const char *method)
 *
 * This returns a buffer allocated by xmalloc.
 */
 char *
 expand_authorized_keys(const char *filename, struct passwd *pw)
 {
@ -620,6 +629,7 @@ auth_openprincipals(const char *file, struct passwd *pw, int strict_modes)
 struct passwd *
 getpwnamallow(const char *user)
 {
 	struct ssh *ssh = active_state; /* XXX */
 #ifdef HAVE_LOGIN_CAP
 	extern login_cap_t *lc;
 #ifdef BSD_AUTH
@ -655,11 +665,11 @@ getpwnamallow(const char *user)
 	}
 #endif
 	if (pw == NULL) {
-		logit("Invalid user %.100s from %.100s",
+		logit("Invalid user %.100s from %.100s port %d",
-		    user, get_remote_ipaddr());
+		    user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
 #ifdef CUSTOM_FAILED_LOGIN
 		record_failed_login(user,
-		    get_canonical_hostname(options.use_dns), "ssh");
+		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
 #endif
 #ifdef SSH_AUDIT_EVENTS
 		audit_event(SSH_INVALID_USER);
@ -789,3 +799,117 @@ fakepw(void)
 	return (&fake);
 }
 /*
 * Returns the remote DNS hostname as a string. The returned string must not
 * be freed. NB. this will usually trigger a DNS query the first time it is
 * called.
 * This function does additional checks on the hostname to mitigate some
 * attacks on legacy rhosts-style authentication.
 * XXX is RhostsRSAAuthentication vulnerable to these?
 * XXX Can we remove these checks? (or if not, remove RhostsRSAAuthentication?)
 */
 static char *
 remote_hostname(struct ssh *ssh)
 {
 	struct sockaddr_storage from;
 	socklen_t fromlen;
 	struct addrinfo hints, *ai, *aitop;
 	char name[NI_MAXHOST], ntop2[NI_MAXHOST];
 	const char *ntop = ssh_remote_ipaddr(ssh);
 	/* Get IP address of client. */
 	fromlen = sizeof(from);
 	memset(&from, 0, sizeof(from));
 	if (getpeername(ssh_packet_get_connection_in(ssh),
 	    (struct sockaddr *)&from, &fromlen) < 0) {
 		debug("getpeername failed: %.100s", strerror(errno));
 		return strdup(ntop);
 	}
 	ipv64_normalise_mapped(&from, &fromlen);
 	if (from.ss_family == AF_INET6)
 		fromlen = sizeof(struct sockaddr_in6);
 	debug3("Trying to reverse map address %.100s.", ntop);
 	/* Map the IP address to a host name. */
 	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
 	    NULL, 0, NI_NAMEREQD) != 0) {
 		/* Host name not found.  Use ip address. */
 		return strdup(ntop);
 	}
 	/*
 	 * if reverse lookup result looks like a numeric hostname,
 	 * someone is trying to trick us by PTR record like following:
 	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
 	 */
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
 	hints.ai_flags = AI_NUMERICHOST;
 	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
 		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
 		    name, ntop);
 		freeaddrinfo(ai);
 		return strdup(ntop);
 	}
 	/* Names are stored in lowercase. */
 	lowercase(name);
 	/*
 	 * Map it back to an IP address and check that the given
 	 * address actually is an address of this host.  This is
 	 * necessary because anyone with access to a name server can
 	 * define arbitrary names for an IP address. Mapping from
 	 * name to IP address can be trusted better (but can still be
 	 * fooled if the intruder has access to the name server of
 	 * the domain).
 	 */
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_family = from.ss_family;
 	hints.ai_socktype = SOCK_STREAM;
 	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
 		logit("reverse mapping checking getaddrinfo for %.700s "
 		    "[%s] failed.", name, ntop);
 		return strdup(ntop);
 	}
 	/* Look for the address from the list of addresses. */
 	for (ai = aitop; ai; ai = ai->ai_next) {
 		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
 		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
 		    (strcmp(ntop, ntop2) == 0))
 				break;
 	}
 	freeaddrinfo(aitop);
 	/* If we reached the end of the list, the address was not there. */
 	if (ai == NULL) {
 		/* Address not found for the host name. */
 		logit("Address %.100s maps to %.600s, but this does not "
 		    "map back to the address.", ntop, name);
 		return strdup(ntop);
 	}
 	return strdup(name);
 }
 /*
 * Return the canonical name of the host in the other side of the current
 * connection.  The host name is cached, so it is efficient to call this
 * several times.
 */
 const char *
 auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
 {
 	static char *dnsname;
 	if (!use_dns)
 		return ssh_remote_ipaddr(ssh);
 	else if (dnsname != NULL)
 		return dnsname;
 	else {
 		dnsname = remote_hostname(ssh);
 		return dnsname;
 	}
 }
--- a/auth.h
+++ b/auth.h
@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.84 2015/05/08 06:41:56 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.88 2016/05/04 14:04:40 markus Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@ -42,10 +42,8 @@
 #include <krb5.h>
 #endif
-#ifdef WIN32_FIXME
+#ifdef WINDOWS
 #include <windows.h>
 #endif
 struct ssh;
@ -130,7 +128,8 @@ BIGNUM	*auth_rsa_generate_challenge(Key *);
 int	 auth_rsa_verify_response(Key *, BIGNUM *, u_char[]);
 int	 auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
-int	 auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
+int	 auth_rhosts_rsa_key_allowed(struct passwd *, const char *,
    const char *, Key *);
 int	 hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
 int	 user_key_allowed(struct passwd *, Key *, int);
 void	 pubkey_auth_info(Authctxt *, const Key *, const char *, ...)
@ -197,13 +196,14 @@ int	verify_response(Authctxt *, const char *);
 void	abandon_challenge_response(Authctxt *);
 char	*expand_authorized_keys(const char *, struct passwd *pw);
 char	*authorized_principals_file(struct passwd *);
 FILE	*auth_openkeyfile(const char *, struct passwd *, int);
 FILE	*auth_openprincipals(const char *, struct passwd *, int);
 int	 auth_key_is_revoked(Key *);
 const char	*auth_get_canonical_hostname(struct ssh *, int);
 HostStatus
 check_key_in_hostfiles(struct passwd *, Key *, const char *,
    const char *, const char *);
@ -216,7 +216,7 @@ Key	*get_hostkey_private_by_type(int, int, struct ssh *);
 int	 get_hostkey_index(Key *, int, struct ssh *);
 int	 ssh1_session_key(BIGNUM *);
 int	 sshd_hostkey_sign(Key *, Key *, u_char **, size_t *,
-	     const u_char *, size_t, u_int);
+	     const u_char *, size_t, const char *, u_int);
 /* debug messages during authentication */
 void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
--- a/auth1.c
+++ b/auth1.c
@ -12,16 +12,6 @@
 #include "includes.h"
 /*
 * We support only client side kerberos on Windows.
 */
 #ifdef WIN32_FIXME
  #undef GSSAPI
  #undef KRB5
 #endif
 #ifdef WITH_SSH1
 #include <sys/types.h>
--- a/auth2-chall.c
+++ b/auth2-chall.c
@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-chall.c,v 1.43 2015/07/18 07:57:14 djm Exp $ */
+/* $OpenBSD: auth2-chall.c,v 1.44 2016/05/02 08:49:03 djm Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
 * Copyright (c) 2001 Per Allansson.  All rights reserved.
@ -122,8 +122,8 @@ kbdint_alloc(const char *devs)
 			buffer_append(&b, devices[i]->name,
 			    strlen(devices[i]->name));
 		}
-		buffer_append(&b, "\0", 1);
+		if ((kbdintctxt->devices = sshbuf_dup_string(&b)) == NULL)
-		kbdintctxt->devices = xstrdup(buffer_ptr(&b));
+			fatal("%s: sshbuf_dup_string failed", __func__);
 		buffer_free(&b);
 	} else {
 		kbdintctxt->devices = xstrdup(devs);
--- a/auth2-gss.c
+++ b/auth2-gss.c
@ -26,15 +26,6 @@
 #include "includes.h"
 /*
 * We support only client side kerberos on Windows.
 */
 #ifdef WIN32_FIXME
  #undef GSSAPI
  #undef KRB5
 #endif
 #ifdef GSSAPI
 #include <sys/types.h>
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.25 2015/05/04 06:10:48 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.26 2016/03/07 19:02:43 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@ -25,15 +25,6 @@
 #include "includes.h"
 /*
 * We support only client side kerberos on Windows.
 */
 #ifdef WIN32_FIXME
  #undef GSSAPI
  #undef KRB5
 #endif
 #include <sys/types.h>
 #include <pwd.h>
@ -169,6 +160,7 @@ int
 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
    Key *key)
 {
 	struct ssh *ssh = active_state; /* XXX */
 	const char *resolvedname, *ipaddr, *lookup, *reason;
 	HostStatus host_status;
 	int len;
@ -177,8 +169,8 @@ hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
 	if (auth_key_is_revoked(key))
 		return 0;
-	resolvedname = get_canonical_hostname(options.use_dns);
+	resolvedname = auth_get_canonical_hostname(ssh, options.use_dns);
-	ipaddr = get_remote_ipaddr();
+	ipaddr = ssh_remote_ipaddr(ssh);
 	debug2("%s: chost %s resolvedname %s ipaddr %s", __func__,
 	    chost, resolvedname, ipaddr);
--- a/auth2-jpake.c
+++ b/auth2-jpake.c
@ -1,563 +0,0 @@
 /* $OpenBSD: auth2-jpake.c,v 1.4 2010/08/31 11:54:45 djm Exp $ */
 /*
 * Copyright (c) 2008 Damien Miller.  All rights reserved.
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 /*
 * Server side of zero-knowledge password auth using J-PAKE protocol
 * as described in:
 *
 * F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling",
 * 16th Workshop on Security Protocols, Cambridge, April 2008
 *
 * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
 */
 #ifdef JPAKE
 #include <sys/types.h>
 #include <sys/param.h>
 #include <pwd.h>
 #include <stdio.h>
 #include <string.h>
 #include <login_cap.h>
 #include <openssl/bn.h>
 #include <openssl/evp.h>
 #include "xmalloc.h"
 #include "ssh2.h"
 #include "key.h"
 #include "hostfile.h"
 #include "auth.h"
 #include "buffer.h"
 #include "packet.h"
 #include "dispatch.h"
 #include "log.h"
 #include "servconf.h"
 #include "auth-options.h"
 #include "canohost.h"
 #ifdef GSSAPI
 #include "ssh-gss.h"
 #endif
 #include "monitor_wrap.h"
 #include "schnorr.h"
 #include "jpake.h"
 /*
 * XXX options->permit_empty_passwd (at the moment, they will be refused
 * anyway because they will mismatch on fake salt.
 */
 /* Dispatch handlers */
 static void input_userauth_jpake_client_step1(int, u_int32_t, void *);
 static void input_userauth_jpake_client_step2(int, u_int32_t, void *);
 static void input_userauth_jpake_client_confirm(int, u_int32_t, void *);
 static int auth2_jpake_start(Authctxt *);
 /* import */
 extern ServerOptions options;
 extern u_char *session_id2;
 extern u_int session_id2_len;
 /*
 * Attempt J-PAKE authentication.
 */
 static int
 userauth_jpake(Authctxt *authctxt)
 {
 	int authenticated = 0;
 	packet_check_eom();
 	debug("jpake-01@openssh.com requested");
 	if (authctxt->user != NULL) {
 		if (authctxt->jpake_ctx == NULL)
 			authctxt->jpake_ctx = jpake_new();
 		if (options.zero_knowledge_password_authentication)
 			authenticated = auth2_jpake_start(authctxt);
 	}
 	return authenticated;
 }
 Authmethod method_jpake = {
 	"jpake-01@openssh.com",
 	userauth_jpake,
 	&options.zero_knowledge_password_authentication
 };
 /* Clear context and callbacks */
 void
 auth2_jpake_stop(Authctxt *authctxt)
 {
 	/* unregister callbacks */
 	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1, NULL);
 	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2, NULL);
 	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM, NULL);
 	if (authctxt->jpake_ctx != NULL) {
 		jpake_free(authctxt->jpake_ctx);
 		authctxt->jpake_ctx = NULL;
 	}
 }
 /* Returns 1 if 'c' is a valid crypt(3) salt character, 0 otherwise */
 static int
 valid_crypt_salt(int c)
 {
 	if (c >= 'A' && c <= 'Z')
 		return 1;
 	if (c >= 'a' && c <= 'z')
 		return 1;
 	if (c >= '.' && c <= '9')
 		return 1;
 	return 0;
 }
 /*
 * Derive fake salt as H(username || first_private_host_key)
 * This provides relatively stable fake salts for non-existent
 * users and avoids the jpake method becoming an account validity
 * oracle.
 */
 static void
 derive_rawsalt(const char *username, u_char *rawsalt, u_int len)
 {
 	u_char *digest;
 	u_int digest_len;
 	Buffer b;
 	Key *k;
 	buffer_init(&b);
 	buffer_put_cstring(&b, username);
 	if ((k = get_hostkey_by_index(0)) == NULL ||
 	    (k->flags & KEY_FLAG_EXT))
 		fatal("%s: no hostkeys", __func__);
 	switch (k->type) {
 	case KEY_RSA1:
 	case KEY_RSA:
 		if (k->rsa->p == NULL || k->rsa->q == NULL)
 			fatal("%s: RSA key missing p and/or q", __func__);
 		buffer_put_bignum2(&b, k->rsa->p);
 		buffer_put_bignum2(&b, k->rsa->q);
 		break;
 	case KEY_DSA:
 		if (k->dsa->priv_key == NULL)
 			fatal("%s: DSA key missing priv_key", __func__);
 		buffer_put_bignum2(&b, k->dsa->priv_key);
 		break;
 	case KEY_ECDSA:
 		if (EC_KEY_get0_private_key(k->ecdsa) == NULL)
 			fatal("%s: ECDSA key missing priv_key", __func__);
 		buffer_put_bignum2(&b, EC_KEY_get0_private_key(k->ecdsa));
 		break;
 	default:
 		fatal("%s: unknown key type %d", __func__, k->type);
 	}
 	if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(),
 	    &digest, &digest_len) != 0)
 		fatal("%s: hash_buffer", __func__);
 	buffer_free(&b);
 	if (len > digest_len)
 		fatal("%s: not enough bytes for rawsalt (want %u have %u)",
 		    __func__, len, digest_len);
 	memcpy(rawsalt, digest, len);
 	bzero(digest, digest_len);
 	xfree(digest);
 }
 /* ASCII an integer [0, 64) for inclusion in a password/salt */
 static char
 pw_encode64(u_int i64)
 {
 	const u_char e64[] =
 	    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
 	return e64[i64 % 64];
 }
 /* Generate ASCII salt bytes for user */
 static char *
 makesalt(u_int want, const char *user)
 {
 	u_char rawsalt[32];
 	static char ret[33];
 	u_int i;
 	if (want > sizeof(ret) - 1)
 		fatal("%s: want %u", __func__, want);
 	derive_rawsalt(user, rawsalt, sizeof(rawsalt));
 	bzero(ret, sizeof(ret));
 	for (i = 0; i < want; i++)
 		ret[i] = pw_encode64(rawsalt[i]);
 	bzero(rawsalt, sizeof(rawsalt));
 	return ret;
 }
 /*
 * Select the system's default password hashing scheme and generate
 * a stable fake salt under it for use by a non-existent account.
 * Prevents jpake method being used to infer the validity of accounts.
 */
 static void
 fake_salt_and_scheme(Authctxt *authctxt, char **salt, char **scheme)
 {
 	char *rounds_s, *style;
 	long long rounds;
 	login_cap_t *lc;
 	if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL &&
 	    (lc = login_getclass(NULL)) == NULL)
 		fatal("%s: login_getclass failed", __func__);
 	style = login_getcapstr(lc, "localcipher", NULL, NULL);
 	if (style == NULL)
 		style = xstrdup("blowfish,6");
 	login_close(lc);
 	if ((rounds_s = strchr(style, ',')) != NULL)
 		*rounds_s++ = '\0';
 	rounds = strtonum(rounds_s, 1, 1<<31, NULL);
 	if (strcmp(style, "md5") == 0) {
 		xasprintf(salt, "$1$%s$", makesalt(8, authctxt->user));
 		*scheme = xstrdup("md5");
 	} else if (strcmp(style, "old") == 0) {
 		*salt = xstrdup(makesalt(2, authctxt->user));
 		*scheme = xstrdup("crypt");
 	} else if (strcmp(style, "newsalt") == 0) {
 		rounds = MAX(rounds, 7250);
 		rounds = MIN(rounds, (1<<24) - 1);
 		xasprintf(salt, "_%c%c%c%c%s",
 		    pw_encode64(rounds), pw_encode64(rounds >> 6),
 		    pw_encode64(rounds >> 12), pw_encode64(rounds >> 18),
 		    makesalt(4, authctxt->user));
 		*scheme = xstrdup("crypt-extended");
 	} else {
 		/* Default to blowfish */
 		rounds = MAX(rounds, 3);
 		rounds = MIN(rounds, 31);
 		xasprintf(salt, "$2a$%02lld$%s", rounds,
 		    makesalt(22, authctxt->user));
 		*scheme = xstrdup("bcrypt");
 	}
 	xfree(style);
 	debug3("%s: fake %s salt for user %s: %s",
 	    __func__, *scheme, authctxt->user, *salt);
 }
 /*
 * Fetch password hashing scheme, password salt and derive shared secret
 * for user. If user does not exist, a fake but stable and user-unique
 * salt will be returned.
 */
 void
 auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
    char **hash_scheme, char **salt)
 {
 	char *cp;
 	u_char *secret;
 	u_int secret_len, salt_len;
 #ifdef JPAKE_DEBUG
 	debug3("%s: valid %d pw %.5s...", __func__,
 	    authctxt->valid, authctxt->pw->pw_passwd);
 #endif
 	*salt = NULL;
 	*hash_scheme = NULL;
 	if (authctxt->valid) {
 		if (strncmp(authctxt->pw->pw_passwd, "$2$", 3) == 0 &&
 		    strlen(authctxt->pw->pw_passwd) > 28) {
 			/*
 			 * old-variant bcrypt:
 			 *     "$2$", 2 digit rounds, "$", 22 bytes salt
 			 */
 			salt_len = 3 + 2 + 1 + 22 + 1;
 			*salt = xmalloc(salt_len);
 			strlcpy(*salt, authctxt->pw->pw_passwd, salt_len);
 			*hash_scheme = xstrdup("bcrypt");
 		} else if (strncmp(authctxt->pw->pw_passwd, "$2a$", 4) == 0 &&
 		    strlen(authctxt->pw->pw_passwd) > 29) {
 			/*
 			 * current-variant bcrypt:
 			 *     "$2a$", 2 digit rounds, "$", 22 bytes salt
 			 */
 			salt_len = 4 + 2 + 1 + 22 + 1;
 			*salt = xmalloc(salt_len);
 			strlcpy(*salt, authctxt->pw->pw_passwd, salt_len);
 			*hash_scheme = xstrdup("bcrypt");
 		} else if (strncmp(authctxt->pw->pw_passwd, "$1$", 3) == 0 &&
 		    strlen(authctxt->pw->pw_passwd) > 5) {
 			/*
 			 * md5crypt:
 			 *     "$1$", salt until "$"
 			 */
 			cp = strchr(authctxt->pw->pw_passwd + 3, '$');
 			if (cp != NULL) {
 				salt_len = (cp - authctxt->pw->pw_passwd) + 1;
 				*salt = xmalloc(salt_len);
 				strlcpy(*salt, authctxt->pw->pw_passwd,
 				    salt_len);
 				*hash_scheme = xstrdup("md5crypt");
 			}
 		} else if (strncmp(authctxt->pw->pw_passwd, "_", 1) == 0 &&
 		    strlen(authctxt->pw->pw_passwd) > 9) {
 			/*
 			 * BSDI extended crypt:
 			 *     "_", 4 digits count, 4 chars salt
 			 */
 			salt_len = 1 + 4 + 4 + 1;
 			*salt = xmalloc(salt_len);
 			strlcpy(*salt, authctxt->pw->pw_passwd, salt_len);
 			*hash_scheme = xstrdup("crypt-extended");
 		} else if (strlen(authctxt->pw->pw_passwd) == 13  &&
 		    valid_crypt_salt(authctxt->pw->pw_passwd[0]) &&
 		    valid_crypt_salt(authctxt->pw->pw_passwd[1])) {
 			/*
 			 * traditional crypt:
 			 *     2 chars salt
 			 */
 			salt_len = 2 + 1;
 			*salt = xmalloc(salt_len);
 			strlcpy(*salt, authctxt->pw->pw_passwd, salt_len);
 			*hash_scheme = xstrdup("crypt");
 		}
 		if (*salt == NULL) {
 			debug("%s: unrecognised crypt scheme for user %s",
 			    __func__, authctxt->pw->pw_name);
 		}
 	}
 	if (*salt == NULL)
 		fake_salt_and_scheme(authctxt, salt, hash_scheme);
 	if (hash_buffer(authctxt->pw->pw_passwd,
 	    strlen(authctxt->pw->pw_passwd), EVP_sha256(),
 	    &secret, &secret_len) != 0)
 		fatal("%s: hash_buffer", __func__);
 	if ((*s = BN_bin2bn(secret, secret_len, NULL)) == NULL)
 		fatal("%s: BN_bin2bn (secret)", __func__);
 #ifdef JPAKE_DEBUG
 	debug3("%s: salt = %s (len %u)", __func__,
 	    *salt, (u_int)strlen(*salt));
 	debug3("%s: scheme = %s", __func__, *hash_scheme);
 	JPAKE_DEBUG_BN((*s, "%s: s = ", __func__));
 #endif
 	bzero(secret, secret_len);
 	xfree(secret);
 }
 /*
 * Begin authentication attempt.
 * Note, sets authctxt->postponed while in subprotocol
 */
 static int
 auth2_jpake_start(Authctxt *authctxt)
 {
 	struct jpake_ctx *pctx = authctxt->jpake_ctx;
 	u_char *x3_proof, *x4_proof;
 	u_int x3_proof_len, x4_proof_len;
 	char *salt, *hash_scheme;
 	debug("%s: start", __func__);
 	PRIVSEP(jpake_step1(pctx->grp,
 	    &pctx->server_id, &pctx->server_id_len,
 	    &pctx->x3, &pctx->x4, &pctx->g_x3, &pctx->g_x4,
 	    &x3_proof, &x3_proof_len,
 	    &x4_proof, &x4_proof_len));
 	PRIVSEP(auth2_jpake_get_pwdata(authctxt, &pctx->s,
 	    &hash_scheme, &salt));
 	if (!use_privsep)
 		JPAKE_DEBUG_CTX((pctx, "step 1 sending in %s", __func__));
 	packet_start(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1);
 	packet_put_cstring(hash_scheme);
 	packet_put_cstring(salt);
 	packet_put_string(pctx->server_id, pctx->server_id_len);
 	packet_put_bignum2(pctx->g_x3);
 	packet_put_bignum2(pctx->g_x4);
 	packet_put_string(x3_proof, x3_proof_len);
 	packet_put_string(x4_proof, x4_proof_len);
 	packet_send();
 	packet_write_wait();
 	bzero(hash_scheme, strlen(hash_scheme));
 	bzero(salt, strlen(salt));
 	xfree(hash_scheme);
 	xfree(salt);
 	bzero(x3_proof, x3_proof_len);
 	bzero(x4_proof, x4_proof_len);
 	xfree(x3_proof);
 	xfree(x4_proof);
 	/* Expect step 1 packet from peer */
 	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1,
 	    input_userauth_jpake_client_step1);
 	authctxt->postponed = 1;
 	return 0;
 }
 /* ARGSUSED */
 static void
 input_userauth_jpake_client_step1(int type, u_int32_t seq, void *ctxt)
 {
 	Authctxt *authctxt = ctxt;
 	struct jpake_ctx *pctx = authctxt->jpake_ctx;
 	u_char *x1_proof, *x2_proof, *x4_s_proof;
 	u_int x1_proof_len, x2_proof_len, x4_s_proof_len;
 	/* Disable this message */
 	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1, NULL);
 	/* Fetch step 1 values */
 	if ((pctx->g_x1 = BN_new()) == NULL ||
 	    (pctx->g_x2 = BN_new()) == NULL)
 		fatal("%s: BN_new", __func__);
 	pctx->client_id = packet_get_string(&pctx->client_id_len);
 	packet_get_bignum2(pctx->g_x1);
 	packet_get_bignum2(pctx->g_x2);
 	x1_proof = packet_get_string(&x1_proof_len);
 	x2_proof = packet_get_string(&x2_proof_len);
 	packet_check_eom();
 	if (!use_privsep)
 		JPAKE_DEBUG_CTX((pctx, "step 1 received in %s", __func__));
 	PRIVSEP(jpake_step2(pctx->grp, pctx->s, pctx->g_x3,
 	    pctx->g_x1, pctx->g_x2, pctx->x4,
 	    pctx->client_id, pctx->client_id_len,
 	    pctx->server_id, pctx->server_id_len,
 	    x1_proof, x1_proof_len,
 	    x2_proof, x2_proof_len,
 	    &pctx->b,
 	    &x4_s_proof, &x4_s_proof_len));
 	bzero(x1_proof, x1_proof_len);
 	bzero(x2_proof, x2_proof_len);
 	xfree(x1_proof);
 	xfree(x2_proof);
 	if (!use_privsep)
 		JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
 	/* Send values for step 2 */
 	packet_start(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2);
 	packet_put_bignum2(pctx->b);
 	packet_put_string(x4_s_proof, x4_s_proof_len);
 	packet_send();
 	packet_write_wait();
 	bzero(x4_s_proof, x4_s_proof_len);
 	xfree(x4_s_proof);
 	/* Expect step 2 packet from peer */
 	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2,
 	    input_userauth_jpake_client_step2);
 }
 /* ARGSUSED */
 static void
 input_userauth_jpake_client_step2(int type, u_int32_t seq, void *ctxt)
 {
 	Authctxt *authctxt = ctxt;
 	struct jpake_ctx *pctx = authctxt->jpake_ctx;
 	u_char *x2_s_proof;
 	u_int x2_s_proof_len;
 	/* Disable this message */
 	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2, NULL);
 	if ((pctx->a = BN_new()) == NULL)
 		fatal("%s: BN_new", __func__);
 	/* Fetch step 2 values */
 	packet_get_bignum2(pctx->a);
 	x2_s_proof = packet_get_string(&x2_s_proof_len);
 	packet_check_eom();
 	if (!use_privsep)
 		JPAKE_DEBUG_CTX((pctx, "step 2 received in %s", __func__));
 	/* Derive shared key and calculate confirmation hash */
 	PRIVSEP(jpake_key_confirm(pctx->grp, pctx->s, pctx->a,
 	    pctx->x4, pctx->g_x3, pctx->g_x4, pctx->g_x1, pctx->g_x2,
 	    pctx->server_id, pctx->server_id_len,
 	    pctx->client_id, pctx->client_id_len,
 	    session_id2, session_id2_len,
 	    x2_s_proof, x2_s_proof_len,
 	    &pctx->k,
 	    &pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len));
 	bzero(x2_s_proof, x2_s_proof_len);
 	xfree(x2_s_proof);
 	if (!use_privsep)
 		JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
 	/* Send key confirmation proof */
 	packet_start(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM);
 	packet_put_string(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
 	packet_send();
 	packet_write_wait();
 	/* Expect confirmation from peer */
 	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM,
 	    input_userauth_jpake_client_confirm);
 }
 /* ARGSUSED */
 static void
 input_userauth_jpake_client_confirm(int type, u_int32_t seq, void *ctxt)
 {
 	Authctxt *authctxt = ctxt;
 	struct jpake_ctx *pctx = authctxt->jpake_ctx;
 	int authenticated = 0;
 	/* Disable this message */
 	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM, NULL);
 	pctx->h_k_cid_sessid = packet_get_string(&pctx->h_k_cid_sessid_len);
 	packet_check_eom();
 	if (!use_privsep)
 		JPAKE_DEBUG_CTX((pctx, "confirm received in %s", __func__));
 	/* Verify expected confirmation hash */
 	if (PRIVSEP(jpake_check_confirm(pctx->k,
 	    pctx->client_id, pctx->client_id_len,
 	    session_id2, session_id2_len,
 	    pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len)) == 1)
 		authenticated = authctxt->valid ? 1 : 0;
 	else
 		debug("%s: confirmation mismatch", __func__);
 	/* done */
 	authctxt->postponed = 0;
 	jpake_free(authctxt->jpake_ctx);
 	authctxt->jpake_ctx = NULL;
 	userauth_finish(authctxt, authenticated, method_jpake.name);
 }
 #endif /* JPAKE */
--- a/auth2-none.c
+++ b/auth2-none.c
@ -25,15 +25,6 @@
 #include "includes.h"
 /*
 * We support only client side kerberos on Windows.
 */
 #ifdef WIN32_FIXME
  #undef GSSAPI
  #undef KRB5
 #endif
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/uio.h>
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.53 2015/06/15 18:44:22 jsing Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.55 2016/01/27 00:53:12 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@ -25,15 +25,6 @@
 #include "includes.h"
 /*
 * We support only client side kerberos on Windows.
 */
 #ifdef WIN32_FIXME
  #undef GSSAPI
  #undef KRB5
 #endif
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
@ -96,19 +87,19 @@ userauth_pubkey(Authctxt *authctxt)
 {
 	Buffer b;
 	Key *key = NULL;
-	char *pkalg, *userstyle;
+	char *pkalg, *userstyle, *fp = NULL;
 	u_char *pkblob, *sig;
 	u_int alen, blen, slen;
 	int have_sig, pktype;
 	int authenticated = 0;
 	if (!authctxt->valid) {
-		debug2("userauth_pubkey: disabled because of invalid user");
+		debug2("%s: disabled because of invalid user", __func__);
 		return 0;
 	}
 	have_sig = packet_get_char();
 	if (datafellows & SSH_BUG_PKAUTH) {
-		debug2("userauth_pubkey: SSH_BUG_PKAUTH");
+		debug2("%s: SSH_BUG_PKAUTH", __func__);
 		/* no explicit pkalg given */
 		pkblob = packet_get_string(&blen);
 		buffer_init(&b);
@ -123,18 +114,18 @@ userauth_pubkey(Authctxt *authctxt)
 	pktype = key_type_from_name(pkalg);
 	if (pktype == KEY_UNSPEC) {
 		/* this is perfectly legal */
-		logit("userauth_pubkey: unsupported public key algorithm: %s",
+		logit("%s: unsupported public key algorithm: %s",
-		    pkalg);
+		    __func__, pkalg);
 		goto done;
 	}
 	key = key_from_blob(pkblob, blen);
 	if (key == NULL) {
-		error("userauth_pubkey: cannot decode key: %s", pkalg);
+		error("%s: cannot decode key: %s", __func__, pkalg);
 		goto done;
 	}
 	if (key->type != pktype) {
-		error("userauth_pubkey: type mismatch for decoded key "
+		error("%s: type mismatch for decoded key "
-		    "(received %d, expected %d)", key->type, pktype);
+		    "(received %d, expected %d)", __func__, key->type, pktype);
 		goto done;
 	}
 	if (key_type_plain(key->type) == KEY_RSA &&
@ -143,6 +134,7 @@ userauth_pubkey(Authctxt *authctxt)
 		    "signature scheme");
 		goto done;
 	}
 	fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
 	if (auth2_userkey_already_used(authctxt, key)) {
 		logit("refusing previously-used %s key", key_type(key));
 		goto done;
@ -155,6 +147,8 @@ userauth_pubkey(Authctxt *authctxt)
 	}
 	if (have_sig) {
 		debug3("%s: have signature for %s %s",
 		    __func__, sshkey_type(key), fp);
 		sig = packet_get_string(&slen);
 		packet_check_eom();
 		buffer_init(&b);
@ -216,6 +210,7 @@ userauth_pubkey(Authctxt *authctxt)
 					break;
 				}
 				debug3("auth agent authenticated %s", authctxt->pw->pw_name);
 				break;
 			}
@ -247,7 +242,8 @@ userauth_pubkey(Authctxt *authctxt)
   #endif /* else #ifdef WIN32_FIXME. */
 	} else {
-		debug("test whether pkalg/pkblob are acceptable");
+		debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
 		    __func__, sshkey_type(key), fp);
 		packet_check_eom();
 		/* XXX fake reply and always send PK_OK ? */
@ -277,11 +273,12 @@ userauth_pubkey(Authctxt *authctxt)
 	if (authenticated != 1)
 		auth_clear_options();
 done:
-	debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
+	debug2("%s: authenticated %d pkalg %s", __func__, authenticated, pkalg);
 	if (key != NULL)
 		key_free(key);
 	free(pkalg);
 	free(pkblob);
 	free(fp);
 	return authenticated;
 }
@ -796,7 +793,6 @@ match_principals_command(struct passwd *user_pw, struct sshkey_cert *cert)
 * Checks whether key is allowed in authorized_keys-format file,
 * returns 1 if the key is allowed or 0 otherwise.
 */
 static int
 check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
 {
@ -880,8 +876,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
 				free(fp);
 				continue;
 			}
-			verbose("Accepted certificate ID \"%s\" "
+			verbose("Accepted certificate ID \"%s\" (serial %llu) "
 			    "signed by %s CA %s via %s", key->cert->key_id,
 			    (unsigned long long)key->cert->serial,
 			    key_type(found), fp, file);
 			free(fp);
 			found_key = 1;
@ -959,8 +956,10 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
 	if (auth_cert_options(key, pw) != 0)
 		goto out;
-	verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s",
+	verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "
-	    key->cert->key_id, key_type(key->cert->signature_key), ca_fp,
+	    "%s CA %s via %s", key->cert->key_id,
 	    (unsigned long long)key->cert->serial,
 	    key_type(key->cert->signature_key), ca_fp,
 	    options.trusted_user_ca_keys);
 	ret = 1;
--- a/auth2.c
+++ b/auth2.c
@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.135 2015/01/19 20:07:45 markus Exp $ */
+/* $OpenBSD: auth2.c,v 1.136 2016/05/02 08:49:03 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@ -25,15 +25,6 @@
 #include "includes.h"
 /*
 * We support only client side kerberos on Windows.
 */
 #ifdef WIN32_FIXME
  #undef GSSAPI
  #undef KRB5
 #endif
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <sys/uio.h>
@ -433,8 +424,8 @@ authmethods_get(Authctxt *authctxt)
 		buffer_append(&b, authmethods[i]->name,
 		    strlen(authmethods[i]->name));
 	}
-	buffer_append(&b, "\0", 1);
+	if ((list = sshbuf_dup_string(&b)) == NULL)
-	list = xstrdup(buffer_ptr(&b));
+		fatal("%s: sshbuf_dup_string failed", __func__);
 	buffer_free(&b);
 	return list;
 }
--- a/authfd.c
+++ b/authfd.c
@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.98 2015/07/03 03:43:18 djm Exp $ */
+/* $OpenBSD: authfd.c,v 1.100 2015/12/04 16:41:28 markus Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -161,7 +161,11 @@ ssh_get_authentication_socket(int *fdp)
 }
 /* Communicate with agent: send request and read reply */
 #ifdef WINDOWS
 int
 #else
 static int
 #endif
 ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
 {
 	int r;
@ -466,11 +470,24 @@ ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
 }
 #endif
 /* encode signature algoritm in flag bits, so we can keep the msg format */
 static u_int
 agent_encode_alg(struct sshkey *key, const char *alg)
 {
 	if (alg != NULL && key->type == KEY_RSA) {
 		if (strcmp(alg, "rsa-sha2-256") == 0)
 			return SSH_AGENT_RSA_SHA2_256;
 		else if (strcmp(alg, "rsa-sha2-512") == 0)
 			return SSH_AGENT_RSA_SHA2_512;
 	}
 	return 0;
 }
 /* ask agent to sign data, returns err.h code on error, 0 on success */
 int
 ssh_agent_sign(int sock, struct sshkey *key,
    u_char **sigp, size_t *lenp,
-    const u_char *data, size_t datalen, u_int compat)
+    const u_char *data, size_t datalen, const char *alg, u_int compat)
 {
 	struct sshbuf *msg;
 	u_char *blob = NULL, type;
@ -489,12 +506,13 @@ ssh_agent_sign(int sock, struct sshkey *key,
 		return SSH_ERR_ALLOC_FAIL;
 	if ((r = sshkey_to_blob(key, &blob, &blen)) != 0)
 		goto out;
 	flags |= agent_encode_alg(key, alg);
 	if ((r = sshbuf_put_u8(msg, SSH2_AGENTC_SIGN_REQUEST)) != 0 ||
 	    (r = sshbuf_put_string(msg, blob, blen)) != 0 ||
 	    (r = sshbuf_put_string(msg, data, datalen)) != 0 ||
 	    (r = sshbuf_put_u32(msg, flags)) != 0)
 		goto out;
-	if ((r = ssh_request_reply(sock, msg, msg) != 0))
+	if ((r = ssh_request_reply(sock, msg, msg)) != 0)
 		goto out;
 	if ((r = sshbuf_get_u8(msg, &type)) != 0)
 		goto out;
--- a/authfd.h
+++ b/authfd.h
@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.h,v 1.38 2015/01/14 20:05:27 djm Exp $ */
+/* $OpenBSD: authfd.h,v 1.39 2015/12/04 16:41:28 markus Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -41,7 +41,7 @@ int	ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
 	    u_char session_id[16], u_char response[16]);
 int	ssh_agent_sign(int sock, struct sshkey *key,
 	    u_char **sigp, size_t *lenp,
-	    const u_char *data, size_t datalen, u_int compat);
+	    const u_char *data, size_t datalen, const char *alg, u_int compat);
 /* Messages for the authentication agent connection. */
 #define SSH_AGENTC_REQUEST_RSA_IDENTITIES	1
@ -86,5 +86,7 @@ int	ssh_agent_sign(int sock, struct sshkey *key,
 #define SSH_COM_AGENT2_FAILURE			102
 #define	SSH_AGENT_OLD_SIGNATURE			0x01
 #define	SSH_AGENT_RSA_SHA2_256			0x02
 #define	SSH_AGENT_RSA_SHA2_512			0x04
 #endif				/* AUTHFD_H */
--- a/authfile.c
+++ b/authfile.c
@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.116 2015/07/09 09:49:46 markus Exp $ */
+/* $OpenBSD: authfile.c,v 1.121 2016/04/09 12:39:30 djm Exp $ */
 /*
 * Copyright (c) 2000, 2013 Markus Friedl.  All rights reserved.
 *
@ -149,6 +149,7 @@ sshkey_load_public_rsa1(int fd, struct sshkey **keyp, char **commentp)
 	struct sshbuf *b = NULL;
 	int r;
 	if (keyp != NULL)
 		*keyp = NULL;
 	if (commentp != NULL)
 		*commentp = NULL;
@ -205,12 +206,12 @@ sshkey_load_private_type(int type, const char *filename, const char *passphrase,
 {
 	int fd, r;
 	if (keyp != NULL)
 		*keyp = NULL;
 	if (commentp != NULL)
 		*commentp = NULL;
 	if ((fd = open(filename, O_RDONLY)) < 0) {
 		if (perm_ok != NULL)
 			*perm_ok = 0;
 		return SSH_ERR_SYSTEM_ERROR;
@ -237,6 +238,8 @@ sshkey_load_private_type_fd(int fd, int type, const char *passphrase,
 	struct sshbuf *buffer = NULL;
 	int r;
 	if (keyp != NULL)
 		*keyp = NULL;
 	if ((buffer = sshbuf_new()) == NULL) {
 		r = SSH_ERR_ALLOC_FAIL;
 		goto out;
@ -249,7 +252,6 @@ sshkey_load_private_type_fd(int fd, int type, const char *passphrase,
 	/* success */
 	r = 0;
 out:
 	if (buffer != NULL)
 	sshbuf_free(buffer);
 	return r;
 }
@ -262,6 +264,7 @@ sshkey_load_private(const char *filename, const char *passphrase,
 	struct sshbuf *buffer = NULL;
 	int r, fd;
 	if (keyp != NULL)
 		*keyp = NULL;
 	if (commentp != NULL)
 		*commentp = NULL;
@ -278,13 +281,12 @@ sshkey_load_private(const char *filename, const char *passphrase,
 		goto out;
 	}
 	if ((r = sshkey_load_file(fd, buffer)) != 0 ||
-	    (r = sshkey_parse_private_fileblob(buffer, passphrase, filename,
+	    (r = sshkey_parse_private_fileblob(buffer, passphrase, keyp,
-	    keyp, commentp)) != 0)
+	    commentp)) != 0)
 		goto out;
 	r = 0;
 out:
 	close(fd);
 	if (buffer != NULL)
 	sshbuf_free(buffer);
 	return r;
 }
@ -416,6 +418,7 @@ sshkey_load_cert(const char *filename, struct sshkey **keyp)
 	char *file = NULL;
 	int r = SSH_ERR_INTERNAL_ERROR;
 	if (keyp != NULL)
 		*keyp = NULL;
 	if (asprintf(&file, "%s-cert.pub", filename) == -1)
@ -426,15 +429,14 @@ sshkey_load_cert(const char *filename, struct sshkey **keyp)
 	}
 	if ((r = sshkey_try_load_public(pub, file, NULL)) != 0)
 		goto out;
-
+	/* success */
 	if (keyp != NULL) {
 		*keyp = pub;
 		pub = NULL;
 	}
 	r = 0;
 out:
 	if (file != NULL)
 	free(file);
 	if (pub != NULL)
 	sshkey_free(pub);
 	return r;
 }
@ -447,6 +449,7 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
 	struct sshkey *key = NULL, *cert = NULL;
 	int r;
 	if (keyp != NULL)
 		*keyp = NULL;
 	switch (type) {
@ -477,12 +480,12 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
 	    (r = sshkey_cert_copy(cert, key)) != 0)
 		goto out;
 	r = 0;
 	if (keyp != NULL) {
 		*keyp = key;
 		key = NULL;
 	}
 out:
 	if (key != NULL)
 	sshkey_free(key);
 	if (cert != NULL)
 	sshkey_free(cert);
 	return r;
 }
@ -544,7 +547,6 @@ sshkey_in_file(struct sshkey *key, const char *filename, int strict_type,
 	}
 	r = SSH_ERR_KEY_NOT_FOUND;
 out:
 	if (pub != NULL)
 	sshkey_free(pub);
 	fclose(f);
 	return r;
--- a/bitmap.c
+++ b/bitmap.c
@ -53,7 +53,7 @@ void
 bitmap_free(struct bitmap *b)
 {
 	if (b != NULL && b->d != NULL) {
-		memset(b->d, 0, b->len);
+		explicit_bzero(b->d, b->len);
 		free(b->d);
 	}
 	free(b);
--- a/bufaux.c
+++ b/bufaux.c
@ -257,4 +257,3 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
 		fatal("%s: %s", __func__, ssh_err(ret));
 }
--- a/build.sh
+++ b/build.sh
@ -1,9 +0,0 @@
 autoreconf
 ./configure --build=i686-pc-mingw32 --host=i686-pc-mingw32 --with-ssl-dir=../openssl-1.0.1e  --with-kerberos5 --with-zlib=../zlib-1.2.8
 cat config.h.tail >> config.h
 make ssh.exe
 make sshd.exe
 make sftp.exe
 make sftp-server.exe
 make ssh-agent.exe
--- a/buildpkg.sh.in
+++ b/buildpkg.sh.in
@ -337,17 +337,17 @@ then
 else
 	if [ "\${USE_SYM_LINKS}" = yes ]
 	then
-		[ "$RCS_D" = yes ]  &&  \
+		[ "$RCS_D" = yes ]  &&  \\
 	installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
 		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
-		[ "$RC1_D" = no ]  ||  \
+		[ "$RC1_D" = no ]  ||  \\
 		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
 		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
 	else
-		[ "$RCS_D" = yes ]  &&  \
+		[ "$RCS_D" = yes ]  &&  \\
 	installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
 		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-		[ "$RC1_D" = no ]  ||  \
+		[ "$RC1_D" = no ]  ||  \\
 		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
 		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
 	fi
@ -538,10 +538,10 @@ then
 PRE_INS_STOP=no
 POST_INS_START=no
 # determine if should restart the daemon
-if [ -s ${piddir}/sshd.pid  ] && \
+if [ -s ${piddir}/sshd.pid  ] && \\
    /usr/bin/svcs -H $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
 then
-	ans=\`ckyorn -d n \
+	ans=\`ckyorn -d n \\
 -p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
 	case \$ans in
 		[y,Y]*)	PRE_INS_STOP=yes
@ -552,7 +552,7 @@ then
 else
 # determine if we should start sshd
-	ans=\`ckyorn -d n \
+	ans=\`ckyorn -d n \\
 -p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
 	case \$ans in
 		[y,Y]*)	POST_INS_START=yes ;;
@ -573,7 +573,7 @@ USE_SYM_LINKS=no
 PRE_INS_STOP=no
 POST_INS_START=no
 # Use symbolic links?
-ans=\`ckyorn -d n \
+ans=\`ckyorn -d n \\
 -p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$?
 case \$ans in
 	[y,Y]*)	USE_SYM_LINKS=yes ;;
@ -582,7 +582,7 @@ esac
 # determine if should restart the daemon
 if [ -s ${piddir}/sshd.pid  -a  -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ]
 then
-	ans=\`ckyorn -d n \
+	ans=\`ckyorn -d n \\
 -p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
 	case \$ans in
 		[y,Y]*)	PRE_INS_STOP=yes
@ -593,7 +593,7 @@ then
 else
 # determine if we should start sshd
-	ans=\`ckyorn -d n \
+	ans=\`ckyorn -d n \\
 -p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
 	case \$ans in
 		[y,Y]*)	POST_INS_START=yes ;;
--- a/canohost.c
+++ b/canohost.c
@ -1,4 +1,4 @@
-/* $OpenBSD: canohost.c,v 1.72 2015/03/01 15:44:40 millert Exp $ */
+/* $OpenBSD: canohost.c,v 1.73 2016/03/07 19:02:43 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -35,147 +35,6 @@
 #include "canohost.h"
 #include "misc.h"
 static void check_ip_options(int, char *);
 static char *canonical_host_ip = NULL;
 static int cached_port = -1;
 /*
 * Return the canonical name of the host at the other end of the socket. The
 * caller should free the returned string.
 */
 static char *
 get_remote_hostname(int sock, int use_dns)
 {
 	struct sockaddr_storage from;
 	socklen_t fromlen;
 	struct addrinfo hints, *ai, *aitop;
 	char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST];
 	/* Get IP address of client. */
 	fromlen = sizeof(from);
 	memset(&from, 0, sizeof(from));
 	if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
 		debug("getpeername failed: %.100s", strerror(errno));
 		cleanup_exit(255);
 	}
 	if (from.ss_family == AF_INET)
 		check_ip_options(sock, ntop);
 	ipv64_normalise_mapped(&from, &fromlen);
 	if (from.ss_family == AF_INET6)
 		fromlen = sizeof(struct sockaddr_in6);
 	if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
 	    NULL, 0, NI_NUMERICHOST) != 0)
 		fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
 	if (!use_dns)
 		return xstrdup(ntop);
 	debug3("Trying to reverse map address %.100s.", ntop);
 	/* Map the IP address to a host name. */
 	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
 	    NULL, 0, NI_NAMEREQD) != 0) {
 		/* Host name not found.  Use ip address. */
 		return xstrdup(ntop);
 	}
 	/*
 	 * if reverse lookup result looks like a numeric hostname,
 	 * someone is trying to trick us by PTR record like following:
 	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
 	 */
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
 	hints.ai_flags = AI_NUMERICHOST;
 	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
 		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
 		    name, ntop);
 		freeaddrinfo(ai);
 		return xstrdup(ntop);
 	}
 	/* Names are stores in lowercase. */
 	lowercase(name);
 	/*
 	 * Map it back to an IP address and check that the given
 	 * address actually is an address of this host.  This is
 	 * necessary because anyone with access to a name server can
 	 * define arbitrary names for an IP address. Mapping from
 	 * name to IP address can be trusted better (but can still be
 	 * fooled if the intruder has access to the name server of
 	 * the domain).
 	 */
 	memset(&hints, 0, sizeof(hints));
 	hints.ai_family = from.ss_family;
 	hints.ai_socktype = SOCK_STREAM;
 	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
 		logit("reverse mapping checking getaddrinfo for %.700s "
 		    "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
 		return xstrdup(ntop);
 	}
 	/* Look for the address from the list of addresses. */
 	for (ai = aitop; ai; ai = ai->ai_next) {
 		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
 		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
 		    (strcmp(ntop, ntop2) == 0))
 				break;
 	}
 	freeaddrinfo(aitop);
 	/* If we reached the end of the list, the address was not there. */
 	if (!ai) {
 		/* Address not found for the host name. */
 		logit("Address %.100s maps to %.600s, but this does not "
 		    "map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
 		    ntop, name);
 		return xstrdup(ntop);
 	}
 	return xstrdup(name);
 }
 /*
 * If IP options are supported, make sure there are none (log and
 * disconnect them if any are found).  Basically we are worried about
 * source routing; it can be used to pretend you are somebody
 * (ip-address) you are not. That itself may be "almost acceptable"
 * under certain circumstances, but rhosts autentication is useless
 * if source routing is accepted. Notice also that if we just dropped
 * source routing here, the other side could use IP spoofing to do
 * rest of the interaction and could still bypass security.  So we
 * exit here if we detect any IP options.
 */
 /* IPv4 only */
 static void
 check_ip_options(int sock, char *ipaddr)
 {
 #ifdef IP_OPTIONS
 	u_char options[200];
 	char text[sizeof(options) * 3 + 1];
 	socklen_t option_size, i;
 	int ipproto;
 	struct protoent *ip;
 	if ((ip = getprotobyname("ip")) != NULL)
 		ipproto = ip->p_proto;
 	else
 		ipproto = IPPROTO_IP;
 	option_size = sizeof(options);
 	if (getsockopt(sock, ipproto, IP_OPTIONS, options,
 	    &option_size) >= 0 && option_size != 0) {
 		text[0] = '\0';
 		for (i = 0; i < option_size; i++)
 			snprintf(text + i*3, sizeof(text) - i*3,
 			    " %2.2x", options[i]);
 		fatal("Connection from %.100s with IP options:%.800s",
 		    ipaddr, text);
 	}
 #endif /* IP_OPTIONS */
 }
 void
 ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
 {
@ -201,38 +60,6 @@ ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
 	a4->sin_port = port;
 }
 /*
 * Return the canonical name of the host in the other side of the current
 * connection.  The host name is cached, so it is efficient to call this
 * several times.
 */
 const char *
 get_canonical_hostname(int use_dns)
 {
 	char *host;
 	static char *canonical_host_name = NULL;
 	static char *remote_ip = NULL;
 	/* Check if we have previously retrieved name with same option. */
 	if (use_dns && canonical_host_name != NULL)
 		return canonical_host_name;
 	if (!use_dns && remote_ip != NULL)
 		return remote_ip;
 	/* Get the real hostname if socket; otherwise return UNKNOWN. */
 	if (packet_connection_is_on_socket())
 		host = get_remote_hostname(packet_get_connection_in(), use_dns);
 	else
 		host = "UNKNOWN";
 	if (use_dns)
 		canonical_host_name = host;
 	else
 		remote_ip = host;
 	return host;
 }
 /*
 * Returns the local/remote IP-address/hostname of socket as a string.
 * The returned string must be freed.
@ -250,12 +77,10 @@ get_socket_address(int sock, int remote, int flags)
 	memset(&addr, 0, sizeof(addr));
 	if (remote) {
-		if (getpeername(sock, (struct sockaddr *)&addr, &addrlen)
+		if (getpeername(sock, (struct sockaddr *)&addr, &addrlen) != 0)
 		    < 0)
 			return NULL;
 	} else {
-		if (getsockname(sock, (struct sockaddr *)&addr, &addrlen)
+		if (getsockname(sock, (struct sockaddr *)&addr, &addrlen) != 0)
 		    < 0)
 			return NULL;
 	}
@ -271,7 +96,7 @@ get_socket_address(int sock, int remote, int flags)
 		/* Get the address in ascii. */
 		if ((r = getnameinfo((struct sockaddr *)&addr, addrlen, ntop,
 		    sizeof(ntop), NULL, 0, flags)) != 0) {
-			error("get_socket_address: getnameinfo %d failed: %s",
+			error("%s: getnameinfo %d failed: %s", __func__,
 			    flags, ssh_gai_strerror(r));
 			return NULL;
 		}
@ -316,7 +141,8 @@ get_local_name(int fd)
 	/* Handle the case where we were passed a pipe */
 	if (gethostname(myname, sizeof(myname)) == -1) {
-		verbose("get_local_name: gethostname: %s", strerror(errno));
+		verbose("%s: gethostname: %s", __func__, strerror(errno));
 		host = xstrdup("UNKNOWN");
 	} else {
 		host = xstrdup(myname);
 	}
@ -324,51 +150,9 @@ get_local_name(int fd)
 	return host;
 }
 void
 clear_cached_addr(void)
 {
 	free(canonical_host_ip);
 	canonical_host_ip = NULL;
 	cached_port = -1;
 }
 /*
 * Returns the IP-address of the remote host as a string.  The returned
 * string must not be freed.
 */
 const char *
 get_remote_ipaddr(void)
 {
 	/* Check whether we have cached the ipaddr. */
 	if (canonical_host_ip == NULL) {
 		if (packet_connection_is_on_socket()) {
 			canonical_host_ip =
 			    get_peer_ipaddr(packet_get_connection_in());
 			if (canonical_host_ip == NULL)
 				cleanup_exit(255);
 		} else {
 			/* If not on socket, return UNKNOWN. */
 			canonical_host_ip = xstrdup("UNKNOWN");
 		}
 	}
 	return canonical_host_ip;
 }
 const char *
 get_remote_name_or_ip(u_int utmp_len, int use_dns)
 {
 	static const char *remote = "";
 	if (utmp_len > 0)
 		remote = get_canonical_hostname(use_dns);
 	if (utmp_len == 0 || strlen(remote) > utmp_len)
 		remote = get_remote_ipaddr();
 	return remote;
 }
 /* Returns the local/remote port for the socket. */
-int
+static int
 get_sock_port(int sock, int local)
 {
 	struct sockaddr_storage from;
@ -402,27 +186,11 @@ get_sock_port(int sock, int local)
 	/* Return port number. */
 	if ((r = getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0,
 	    strport, sizeof(strport), NI_NUMERICSERV)) != 0)
-		fatal("get_sock_port: getnameinfo NI_NUMERICSERV failed: %s",
+		fatal("%s: getnameinfo NI_NUMERICSERV failed: %s", __func__,
 		    ssh_gai_strerror(r));
 	return atoi(strport);
 }
 /* Returns remote/local port number for the current connection. */
 static int
 get_port(int local)
 {
 	/*
 	 * If the connection is not a socket, return 65535.  This is
 	 * intentionally chosen to be an unprivileged port number.
 	 */
 	if (!packet_connection_is_on_socket())
 		return 65535;
 	/* Get socket and return the port number. */
 	return get_sock_port(packet_get_connection_in(), local);
 }
 int
 get_peer_port(int sock)
 {
@ -430,17 +198,7 @@ get_peer_port(int sock)
 }
 int
-get_remote_port(void)
+get_local_port(int sock)
 {
-	/* Cache to avoid getpeername() on a dead connection */
+	return get_sock_port(sock, 1);
 	if (cached_port == -1)
 		cached_port = get_port(0);
 	return cached_port;
 }
 int
 get_local_port(void)
 {
 	return get_port(1);
 }
--- a/canohost.h
+++ b/canohost.h
@ -1,4 +1,4 @@
-/* $OpenBSD: canohost.h,v 1.11 2009/05/27 06:31:25 andreas Exp $ */
+/* $OpenBSD: canohost.h,v 1.12 2016/03/07 19:02:43 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -12,18 +12,15 @@
 * called by a name other than "ssh" or "Secure Shell".
 */
-const char	*get_canonical_hostname(int);
+#ifndef _CANOHOST_H
-const char	*get_remote_ipaddr(void);
+#define _CANOHOST_H
 const char	*get_remote_name_or_ip(u_int, int);
 char		*get_peer_ipaddr(int);
 int		 get_peer_port(int);
 char		*get_local_ipaddr(int);
 char		*get_local_name(int);
 int		get_local_port(int);
-int		 get_remote_port(void);
+#endif /* _CANOHOST_H */
 int		 get_local_port(void);
 int		 get_sock_port(int, int);
 void		 clear_cached_addr(void);
 void		 ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
--- a/channels.c
+++ b/channels.c
@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.347 2015/07/01 02:26:31 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.351 2016/07/19 11:38:53 dtucker Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -41,7 +41,6 @@
 #include "includes.h"
 #include <sys/types.h>
 #include <sys/param.h>	/* MIN MAX */
 #include <sys/stat.h>
@ -84,7 +83,6 @@
 #include "authfd.h"
 #include "pathnames.h"
 /* -- channel core */
 /*
@ -140,6 +138,9 @@ static int num_adm_permitted_opens = 0;
 /* special-case port number meaning allow any port */
 #define FWD_PERMIT_ANY_PORT	0
 /* special-case wildcard meaning allow any host */
 #define FWD_PERMIT_ANY_HOST	"*"
 /*
 * If this is true, all opens are permitted.  This is the case on the server
 * on which we have to trust the client anyway, and the user could do
@ -664,7 +665,7 @@ channel_open_message(void)
 		case SSH_CHANNEL_INPUT_DRAINING:
 		case SSH_CHANNEL_OUTPUT_DRAINING:
 			snprintf(buf, sizeof buf,
-			    "  #%d %.300s (t%d r%d i%d/%d o%d/%d fd %d/%d cc %d)\r\n",
+			    "  #%d %.300s (t%d r%d i%u/%d o%u/%d fd %d/%d cc %d)\r\n",
 			    c->self, c->remote_name,
 			    c->type, c->remote_id,
 			    c->istate, buffer_len(&c->input),
@ -1371,9 +1372,8 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset)
 			errno = oerrno;
 		}
 		if (newsock < 0) {
-			if (errno != EINTR && errno != EWOULDBLOCK 
+			if (errno != EINTR && errno != EWOULDBLOCK &&
-			&& errno != ECONNABORTED
+			    errno != ECONNABORTED)
 			)
 				error("accept: %.100s", strerror(errno));
 			if (errno == EMFILE || errno == ENFILE)
 				c->notbefore = monotime() + 1;
@ -1419,7 +1419,7 @@ port_open_helper(Channel *c, char *rtype)
 {
 	char buf[1024];
 	char *local_ipaddr = get_local_ipaddr(c->sock);
-	int local_port = c->sock == -1 ? 65536 : get_sock_port(c->sock, 1);
+	int local_port = c->sock == -1 ? 65536 : get_local_port(c->sock);
 	char *remote_ipaddr = get_peer_ipaddr(c->sock);
 	int remote_port = get_peer_port(c->sock);
@ -1540,9 +1540,8 @@ channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset)
 		addrlen = sizeof(addr);
 		newsock = accept(c->sock, (struct sockaddr *)&addr, &addrlen);
 		if (newsock < 0) {
-			if (errno != EINTR && errno != EWOULDBLOCK 
+			if (errno != EINTR && errno != EWOULDBLOCK &&
-			&& errno != ECONNABORTED
+			    errno != ECONNABORTED)
 			)
 				error("accept: %.100s", strerror(errno));
 			if (errno == EMFILE || errno == ENFILE)
 				c->notbefore = monotime() + 1;
@ -1908,13 +1907,13 @@ read_mux(Channel *c, u_int need)
 	if (buffer_len(&c->input) < need) {
 		rlen = need - buffer_len(&c->input);
 		len = read(c->rfd, buf, MIN(rlen, CHAN_RBUF));
 		if (len < 0 && (errno == EINTR || errno == EAGAIN))
 			return buffer_len(&c->input);
 		if (len <= 0) {
 			if (errno != EINTR && errno != EAGAIN) {
 			debug2("channel %d: ctl read<=0 rfd %d len %d",
 			    c->self, c->rfd, len);
 			chan_read_failed(c);
 			return 0;
 			}
 		} else
 			buffer_append(&c->input, buf, len);
 	}
@ -2212,9 +2211,6 @@ channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
 	u_int n, sz, nfdset;
 	n = MAX(*maxfdp, channel_max_fd);
  /*
   * Winsock can't support this sort of fdset reallocation 
   */
 	nfdset = howmany(n+1, NFDBITS);
 	/* Explicitly test here, because xrealloc isn't always called */
@ -2228,9 +2224,7 @@ channel_prepare_select(fd_set **readsetp, fd_set **writesetp, int *maxfdp,
 		*writesetp = xreallocarray(*writesetp, nfdset, sizeof(fd_mask));
 		*nallocp = sz;
 	}
 	*maxfdp = n;
 	memset(*readsetp, 0, sz);
 	memset(*writesetp, 0, sz);
@ -2376,6 +2370,7 @@ channel_output_poll(void)
 	}
 }
 /* -- protocol input */
 /* ARGSUSED */
@ -2431,12 +2426,10 @@ channel_input_data(int type, u_int32_t seq, void *ctxt)
 		}
 		c->local_window -= win_len;
 	}
 	if (c->datagram)
 		buffer_put_string(&c->output, data, data_len);
-	else {
+	else
 		buffer_append(&c->output, data, data_len);
 	}
 	packet_check_eom();
 	return 0;
 }
@ -2449,10 +2442,6 @@ channel_input_extended_data(int type, u_int32_t seq, void *ctxt)
 	char *data;
 	u_int data_len, tcode;
 	Channel *c;
 #ifdef WIN32_FIXME
        char *respbuf = NULL;
        size_t resplen = 0;
 #endif
 	/* Get the channel number and verify it. */
 	id = packet_get_int();
@ -2488,20 +2477,7 @@ channel_input_extended_data(int type, u_int32_t seq, void *ctxt)
 	}
 	debug2("channel %d: rcvd ext data %d", c->self, data_len);
 	c->local_window -= data_len;
 	#ifndef WIN32_FIXME//N
 	buffer_append(&c->extended, data, data_len);
 	#else
        if (c->client_tty) {
                if (telProcessNetwork(data, data_len, &respbuf, &resplen) > 0) // run it by ANSI engine if it is the ssh client
                        buffer_append(&c->extended, data, data_len);
                if (respbuf != NULL) {
                        sshbuf_put(&c->input, respbuf, resplen);
                }
        }
 	else
 		buffer_append(&c->extended, data, data_len);
 	#endif
 	free(data);
 	return 0;
 }
@ -2971,7 +2947,7 @@ channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
 		if (type == SSH_CHANNEL_RPORT_LISTENER && fwd->listen_port == 0 &&
 		    allocated_listen_port != NULL &&
 		    *allocated_listen_port == 0) {
-			*allocated_listen_port = get_sock_port(sock, 1);
+			*allocated_listen_port = get_local_port(sock);
 			debug("Allocated listen port %d",
 			    *allocated_listen_port);
 		}
@ -3334,7 +3310,8 @@ open_match(ForwardPermission *allowed_open, const char *requestedhost,
 	if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT &&
 	    allowed_open->port_to_connect != requestedport)
 		return 0;
-	if (strcmp(allowed_open->host_to_connect, requestedhost) != 0)
+	if (strcmp(allowed_open->host_to_connect, FWD_PERMIT_ANY_HOST) != 0 &&
 	    strcmp(allowed_open->host_to_connect, requestedhost) != 0)
 		return 0;
 	return 1;
 }
@ -3899,7 +3876,6 @@ channel_connect_to_path(const char *path, char *ctype, char *rname)
 void
 channel_send_window_changes(void)
 {
 	u_int i;
 	struct winsize ws;
@ -3908,20 +3884,11 @@ channel_send_window_changes(void)
 		    channels[i]->type != SSH_CHANNEL_OPEN)
 			continue;
 #ifndef WIN32_FIXME
 		if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0)
 			continue
 #else
 		{
 			CONSOLE_SCREEN_BUFFER_INFO c_info;
                /* TODO - Fix this for multiple channels*/
 			if (!GetConsoleScreenBufferInfo(GetStdHandle(STD_OUTPUT_HANDLE), &c_info))
 				continue;
 			ws.ws_col = c_info.dwSize.X;
 			ws.ws_row = c_info.dwSize.Y;
 			ws.ws_xpixel = 640;
 			ws.ws_ypixel = 480;
 		}
 #endif
                if (ioctl(channels[i]->rfd, TIOCGWINSZ, &ws) < 0)
                        continue;
 		channel_request_start(i, "window-change", 0);
 		packet_put_int((u_int)ws.ws_col);
 		packet_put_int((u_int)ws.ws_row);
@ -3931,7 +3898,6 @@ channel_send_window_changes(void)
 	}
 }
 /* -- X11 forwarding */
 /*
--- a/channels.h
+++ b/channels.h
@ -228,7 +228,6 @@ void	 channel_cancel_cleanup(int);
 int	 channel_close_fd(int *);
 void	 channel_send_window_changes(void);
 /* protocol handler */
 int	 channel_input_close(int, u_int32_t, void *);
--- a/cipher-acss.c
+++ b/cipher-acss.c
@ -1,86 +0,0 @@
 /*
 * Copyright (c) 2004 The OpenBSD project
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 #include "includes.h"
 #include <openssl/evp.h>
 #include <string.h>
 #if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
 #include "acss.h"
 #include "openbsd-compat/openssl-compat.h"
 #define data(ctx) ((EVP_ACSS_KEY *)(ctx)->cipher_data)
 typedef struct {
 	ACSS_KEY ks;
 } EVP_ACSS_KEY;
 #define EVP_CTRL_SET_ACSS_MODE          0xff06
 #define EVP_CTRL_SET_ACSS_SUBKEY        0xff07
 static int
 acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
    const unsigned char *iv, int enc)
 {
 	acss_setkey(&data(ctx)->ks,key,enc,ACSS_DATA);
 	return 1;
 }
 static int
 acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
    LIBCRYPTO_EVP_INL_TYPE inl)
 {
 	acss(&data(ctx)->ks,inl,in,out);
 	return 1;
 }
 static int
 acss_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
 {
 	switch(type) {
 	case EVP_CTRL_SET_ACSS_MODE:
 		data(ctx)->ks.mode = arg;
 		return 1;
 	case EVP_CTRL_SET_ACSS_SUBKEY:
 		acss_setsubkey(&data(ctx)->ks,(unsigned char *)ptr);
 		return 1;
 	default:
 		return -1;
 	}
 }
 const EVP_CIPHER *
 evp_acss(void)
 {
 	static EVP_CIPHER acss_cipher;
 	memset(&acss_cipher, 0, sizeof(EVP_CIPHER));
 	acss_cipher.nid = NID_undef;
 	acss_cipher.block_size = 1;
 	acss_cipher.key_len = 5;
 	acss_cipher.init = acss_init_key;
 	acss_cipher.do_cipher = acss_ciph;
 	acss_cipher.ctx_size = sizeof(EVP_ACSS_KEY);
 	acss_cipher.ctrl = acss_ctrl;
 	return (&acss_cipher);
 }
 #endif
--- a/cipher-bf1.c
+++ b/cipher-bf1.c
@ -20,7 +20,7 @@
 #include "includes.h"
-#ifdef WITH_OPENSSL
+#if defined(WITH_OPENSSL) && !defined(OPENSSL_NO_BF)
 #include <sys/types.h>
@ -100,4 +100,4 @@ evp_ssh1_bf(void)
 	ssh1_bf.key_len = 32;
 	return (&ssh1_bf);
 }
-#endif /* WITH_OPENSSL */
+#endif /* defined(WITH_OPENSSL) && !defined(OPENSSL_NO_BF) */
--- a/cipher.c
+++ b/cipher.c
@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.100 2015/01/14 10:29:45 djm Exp $ */
+/* $OpenBSD: cipher.c,v 1.101 2015/12/10 17:08:40 mmcc Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -43,7 +43,6 @@
 #include <stdarg.h>
 #include <stdio.h>
 #include "cipher.h"
 #include "misc.h"
 #include "sshbuf.h"
@ -52,12 +51,6 @@
 #include "openbsd-compat/openssl-compat.h"
 #ifdef USE_MSCNG
 #undef WITH_OPENSSL
 #endif
 #ifdef WITH_SSH1
 extern const EVP_CIPHER *evp_ssh1_bf(void);
 extern const EVP_CIPHER *evp_ssh1_3des(void);
@ -88,18 +81,26 @@ static const struct sshcipher ciphers[] = {
 #ifdef WITH_SSH1
 	{ "des",	SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
 	{ "3des",	SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
 # ifndef OPENSSL_NO_BF
 	{ "blowfish",	SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
 # endif /* OPENSSL_NO_BF */
 #endif /* WITH_SSH1 */
 #ifdef WITH_OPENSSL
 	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
 	{ "3des-cbc",	SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
 # ifndef OPENSSL_NO_BF
 	{ "blowfish-cbc",
 			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
 # endif /* OPENSSL_NO_BF */
 # ifndef OPENSSL_NO_CAST
 	{ "cast128-cbc",
 			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
 # endif /* OPENSSL_NO_CAST */
 # ifndef OPENSSL_NO_RC4
 	{ "arcfour",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
 	{ "arcfour128",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
 	{ "arcfour256",	SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },
 # endif /* OPENSSL_NO_RC4 */
 	{ "aes128-cbc",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
 	{ "aes192-cbc",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
 	{ "aes256-cbc",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
@ -115,19 +116,9 @@ static const struct sshcipher ciphers[] = {
 			SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
 # endif /* OPENSSL_HAVE_EVPGCM */
 #else /* WITH_OPENSSL */
 #ifdef USE_MSCNG
 	{ "aes128-ctr",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, _CNG_CIPHER_AES | _CNG_MODE_CTR, NULL },
 	{ "aes192-ctr",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, _CNG_CIPHER_AES | _CNG_MODE_CTR, NULL },
 	{ "aes256-ctr",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, _CNG_CIPHER_AES | _CNG_MODE_CTR, NULL },
 	{ "aes128-cbc",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, _CNG_CIPHER_AES | _CNG_MODE_CBC, NULL },
 	{ "aes192-cbc",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, _CNG_CIPHER_AES | _CNG_MODE_CBC, NULL },
 	{ "aes256-cbc",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, _CNG_CIPHER_AES | _CNG_MODE_CBC, NULL },	
 #else
 	{ "aes128-ctr",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, CFLAG_AESCTR, NULL },
 	{ "aes192-ctr",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, CFLAG_AESCTR, NULL },
 	{ "aes256-ctr",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, CFLAG_AESCTR, NULL },
 #endif	
 	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, CFLAG_NONE, NULL },
 #endif /* WITH_OPENSSL */
 	{ "chacha20-poly1305@openssh.com",
@ -310,8 +301,6 @@ cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
    const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
    int do_encrypt)
 {
 #ifdef WITH_OPENSSL
 	int ret = SSH_ERR_INTERNAL_ERROR;
 	const EVP_CIPHER *type;
@ -335,25 +324,11 @@ cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
 		return chachapoly_init(&cc->cp_ctx, key, keylen);
 	}
 #ifndef WITH_OPENSSL
 #ifdef USE_MSCNG
    /* cng shares cipher flag with NONE.  Make sure the NONE cipher isn't requested */
 	if ((cc->cipher->flags & CFLAG_NONE) == 0)
 	{
 		if (cng_cipher_init(&cc->cng_ctx,key,keylen,iv, ivlen,cc->cipher->flags))
 			return SSH_ERR_LIBCRYPTO_ERROR;
 		return 0;
 	}
 #else
 	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
 		aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen);
 		aesctr_ivsetup(&cc->ac_ctx, iv);
 		return 0;
 	}
 #endif	
 	if ((cc->cipher->flags & CFLAG_NONE) != 0)
 		return 0;
 	return SSH_ERR_INVALID_ARGUMENT;
@ -386,7 +361,6 @@ cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
 	if (cipher->discard_len > 0) {
 		if ((junk = malloc(cipher->discard_len)) == NULL ||
 		    (discard = malloc(cipher->discard_len)) == NULL) {
 			if (junk != NULL)
 			free(junk);
 			ret = SSH_ERR_ALLOC_FAIL;
 			goto bad;
@ -406,7 +380,6 @@ cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
 	return 0;
 }
 /*
 * cipher_crypt() operates as following:
 * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
@ -421,34 +394,11 @@ int
 cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
   const u_char *src, u_int len, u_int aadlen, u_int authlen)
 {
 #ifdef USE_MSCNG
 	int ret = 0;
 #endif 	
 	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
 		return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src,
 		    len, aadlen, authlen, cc->encrypt);
 	}
 #ifndef WITH_OPENSSL
 #ifdef USE_MSCNG
    /* cng shares cipher flag with NONE.  Make sure the NONE cipher isn't requested */
 	if ((cc->cipher->flags & CFLAG_NONE) == 0)
 	{
 		if (aadlen)
 			memcpy(dest, src, aadlen);
 		if (cc->encrypt)
 			ret = cng_cipher_encrypt(&cc->cng_ctx,dest+aadlen, len, src+aadlen,len);
 		else
 			ret = cng_cipher_decrypt(&cc->cng_ctx,dest+aadlen, len, src+aadlen, len);
 		if (ret != len){
 			return SSH_ERR_LIBCRYPTO_ERROR;
 		}
 		return 0;
 	}
 #else
 	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
 		if (aadlen)
 			memcpy(dest, src, aadlen);
@ -456,9 +406,6 @@ cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
 		    dest + aadlen, len);
 		return 0;
 	}
 #endif 
 	if ((cc->cipher->flags & CFLAG_NONE) != 0) {
 		memcpy(dest, src, aadlen + len);
 		return 0;
@ -531,10 +478,6 @@ cipher_cleanup(struct sshcipher_ctx *cc)
 #ifdef WITH_OPENSSL
 	else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
 		return SSH_ERR_LIBCRYPTO_ERROR;
 #endif
 #ifdef USE_MSCNG
 	else
 		cng_cipher_cleanup(&cc->cng_ctx);
 #endif
 	return 0;
 }
@ -690,7 +633,7 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
 int
 cipher_get_keycontext(const struct sshcipher_ctx *cc, u_char *dat)
 {
-#ifdef WITH_OPENSSL
+#if defined(WITH_OPENSSL) && !defined(OPENSSL_NO_RC4)
 	const struct sshcipher *c = cc->cipher;
 	int plen = 0;
@ -709,7 +652,7 @@ cipher_get_keycontext(const struct sshcipher_ctx *cc, u_char *dat)
 void
 cipher_set_keycontext(struct sshcipher_ctx *cc, const u_char *dat)
 {
-#ifdef WITH_OPENSSL
+#if defined(WITH_OPENSSL) && !defined(OPENSSL_NO_RC4)
 	const struct sshcipher *c = cc->cipher;
 	int plen;
--- a/cipher.h
+++ b/cipher.h
@ -41,9 +41,7 @@
 #include <openssl/evp.h>
 #include "cipher-chachapoly.h"
 #include "cipher-aesctr.h"
-#ifdef USE_MSCNG
+
 #include "contrib/win32/win32compat/cng_cipher.h"
 #endif
 /*
 * Cipher types for SSH-1.  New types can be added, but old types should not
 * be removed for compatibility.  The maximum allowed value is 31.
@ -72,10 +70,6 @@ struct sshcipher_ctx {
 	struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
 	struct aesctr_ctx ac_ctx; /* XXX union with evp? */
 	const struct sshcipher *cipher;
 	#ifdef USE_MSCNG
 	struct ssh_cng_cipher_ctx  cng_ctx;
 	#endif
 };
 u_int	 cipher_mask_ssh1(int);
--- a/clientloop.c
+++ b/clientloop.c
@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.275 2015/07/10 06:21:53 markus Exp $ */
+/* $OpenBSD: clientloop.c,v 1.286 2016/07/23 02:54:08 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -111,7 +111,6 @@
 #include "sshpty.h"
 #include "match.h"
 #include "msg.h"
 #include "roaming.h"
 #include "ssherr.h"
 #include "hostfile.h"
@ -132,6 +131,9 @@ extern int stdin_null_flag;
 /* Flag indicating that no shell has been requested */
 extern int no_shell_flag;
 /* Flag indicating that ssh should daemonise after authentication is complete */
 extern int fork_after_authentication_flag;
 /* Control socket */
 extern int muxserver_sock; /* XXX use mux_client_cleanup() instead */
@ -177,8 +179,6 @@ static u_int x11_refuse_time;	/* If >0, refuse x11 opens after this time. */
 static void client_init_dispatch(void);
 int	session_ident = -1;
 int	session_resumed = 0;
 /* Track escape per proto2 channel */
 struct escape_filter_ctx {
 	int escape_pending;
@ -296,6 +296,9 @@ client_x11_display_valid(const char *display)
 {
 	size_t i, dlen;
 	if (display == NULL)
 		return 0;
 	dlen = strlen(display);
 	for (i = 0; i < dlen; i++) {
 		if (!isalnum((u_char)display[i]) &&
@ -309,35 +312,34 @@ client_x11_display_valid(const char *display)
 #define SSH_X11_PROTO		"MIT-MAGIC-COOKIE-1"
 #define X11_TIMEOUT_SLACK	60
-void
+int
 client_x11_get_proto(const char *display, const char *xauth_path,
    u_int trusted, u_int timeout, char **_proto, char **_data)
 {
-	char cmd[1024];
+	char cmd[1024], line[512], xdisplay[512];
-	char line[512];
+	char xauthfile[PATH_MAX], xauthdir[PATH_MAX];
 	char xdisplay[512];
 	static char proto[512], data[512];
 	FILE *f;
-	int got_data = 0, generated = 0, do_unlink = 0, i;
+	int got_data = 0, generated = 0, do_unlink = 0, i, r;
 	char *xauthdir, *xauthfile;
 	struct stat st;
 	u_int now, x11_timeout_real;
 	xauthdir = xauthfile = NULL;
 	*_proto = proto;
 	*_data = data;
-	proto[0] = data[0] = '\0';
+	proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
-	if (xauth_path == NULL ||(stat(xauth_path, &st) == -1)) {
+	if (!client_x11_display_valid(display)) {
-		debug("No xauth program.");
+		if (display != NULL)
-	} else if (!client_x11_display_valid(display)) {
+			logit("DISPLAY \"%s\" invalid; disabling X11 forwarding",
 		logit("DISPLAY '%s' invalid, falling back to fake xauth data",
 			    display);
-	} else {
+		return -1;
 		if (display == NULL) {
 			debug("x11_get_proto: DISPLAY not set");
 			return;
 	}
 	if (xauth_path != NULL && stat(xauth_path, &st) == -1) {
 		debug("No xauth program.");
 		xauth_path = NULL;
 	}
 	if (xauth_path != NULL) {
 		/*
 		 * Handle FamilyLocal case where $DISPLAY does
 		 * not match an authorization entry.  For this we
@ -346,46 +348,61 @@ client_x11_get_proto(const char *display, const char *xauth_path,
 		 *      is not perfect.
 		 */
 		if (strncmp(display, "localhost:", 10) == 0) {
-			snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
+			if ((r = snprintf(xdisplay, sizeof(xdisplay), "unix:%s",
-			    display + 10);
+			    display + 10)) < 0 ||
 			    (size_t)r >= sizeof(xdisplay)) {
 				error("%s: display name too long", __func__);
 				return -1;
 			}
 			display = xdisplay;
 		}
 		if (trusted == 0) {
 			xauthdir = xmalloc(PATH_MAX);
 			xauthfile = xmalloc(PATH_MAX);
 			mktemp_proto(xauthdir, PATH_MAX);
 			/*
 			 * Generate an untrusted X11 auth cookie.
 			 *
 			 * The authentication cookie should briefly outlive
 			 * ssh's willingness to forward X11 connections to
 			 * avoid nasty fail-open behaviour in the X server.
 			 */
 			mktemp_proto(xauthdir, sizeof(xauthdir));
 			if (mkdtemp(xauthdir) == NULL) {
 				error("%s: mkdtemp: %s",
 				    __func__, strerror(errno));
 				return -1;
 			}
 			do_unlink = 1;
 			if ((r = snprintf(xauthfile, sizeof(xauthfile),
 			    "%s/xauthfile", xauthdir)) < 0 ||
 			    (size_t)r >= sizeof(xauthfile)) {
 				error("%s: xauthfile path too long", __func__);
 				unlink(xauthfile);
 				rmdir(xauthdir);
 				return -1;
 			}
 			if (timeout >= UINT_MAX - X11_TIMEOUT_SLACK)
 				x11_timeout_real = UINT_MAX;
 			else
 				x11_timeout_real = timeout + X11_TIMEOUT_SLACK;
-			if (mkdtemp(xauthdir) != NULL) {
+			if ((r = snprintf(cmd, sizeof(cmd),
 				do_unlink = 1;
 				snprintf(xauthfile, PATH_MAX, "%s/xauthfile",
 				    xauthdir);
 				snprintf(cmd, sizeof(cmd),
 			    "%s -f %s generate %s " SSH_X11_PROTO
 			    " untrusted timeout %u 2>" _PATH_DEVNULL,
 			    xauth_path, xauthfile, display,
-				    x11_timeout_real);
+			    x11_timeout_real)) < 0 ||
-				debug2("x11_get_proto: %s", cmd);
+			    (size_t)r >= sizeof(cmd))
 				fatal("%s: cmd too long", __func__);
 			debug2("%s: %s", __func__, cmd);
 			if (x11_refuse_time == 0) {
 				now = monotime() + 1;
 				if (UINT_MAX - timeout < now)
 					x11_refuse_time = UINT_MAX;
 				else
 					x11_refuse_time = now + timeout;
-					channel_set_x11_refuse_time(
+				channel_set_x11_refuse_time(x11_refuse_time);
 					    x11_refuse_time);
 			}
 			if (system(cmd) == 0)
 				generated = 1;
 		}
 		}
 		/*
 		 * When in untrusted mode, we read the cookie only if it was
@ -406,17 +423,20 @@ client_x11_get_proto(const char *display, const char *xauth_path,
 				got_data = 1;
 			if (f)
 				pclose(f);
-		} else
+		}
 			error("Warning: untrusted X11 forwarding setup failed: "
 			    "xauth key data not generated");
 	}
 	if (do_unlink) {
 		unlink(xauthfile);
 		rmdir(xauthdir);
 	}
-	free(xauthdir);
+
-	free(xauthfile);
+	/* Don't fall back to fake X11 data for untrusted forwarding */
 	if (!trusted && !got_data) {
 		error("Warning: untrusted X11 forwarding setup failed: "
 		    "xauth key data not generated");
 		return -1;
 	}
 	/*
 	 * If we didn't get authentication data, just make up some
@ -440,6 +460,8 @@ client_x11_get_proto(const char *display, const char *xauth_path,
 			rnd >>= 8;
 		}
 	}
 	return 0;
 }
 /*
@ -537,7 +559,6 @@ client_make_packets_from_stdin_data(void)
 static void
 client_check_window_change(void)
 {
 	struct winsize ws;
 	if (! received_window_change_signal)
@ -550,7 +571,6 @@ client_check_window_change(void)
 	if (compat20) {
 		channel_send_window_changes();
 	} else {
 #ifndef WIN32_FIXME
 		if (ioctl(fileno(stdin), TIOCGWINSZ, &ws) < 0)
 			return;
 		packet_start(SSH_CMSG_WINDOW_SIZE);
@ -559,7 +579,6 @@ client_check_window_change(void)
 		packet_put_int((u_int)ws.ws_xpixel);
 		packet_put_int((u_int)ws.ws_ypixel);
 		packet_send();
 #endif
 	}
 }
@ -748,7 +767,7 @@ client_suspend_self(Buffer *bin, Buffer *bout, Buffer *berr)
 static void
 client_process_net_input(fd_set *readset)
 {
-	int len, cont = 0;
+	int len;
 	char buf[SSH_IOBUFSZ];
 	/*
@ -757,8 +776,8 @@ client_process_net_input(fd_set *readset)
 	 */
 	if (FD_ISSET(connection_in, readset)) {
 		/* Read as much as possible. */
-		len = roaming_read(connection_in, buf, sizeof(buf), &cont);
+		len = read(connection_in, buf, sizeof(buf));
-		if (len == 0 && cont == 0) {
+		if (len == 0) {
 			/*
 			 * Received EOF.  The remote host has closed the
 			 * connection.
@ -907,7 +926,6 @@ process_cmdline(void)
 	leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
 	handler = signal(SIGINT, SIG_IGN);
 	cmd = s = read_passphrase("\r\nssh> ", RP_ECHO);
 	if (s == NULL)
 		goto out;
@ -1487,32 +1505,6 @@ client_simple_escape_filter(Channel *c, char *buf, int len)
 	    buf, len);
 }
 #ifdef WIN32_FIXME
 u_char * client_ansi_parser_filter(Channel *c, u_char **buf, u_int *len) {
 	/* TODO - account for error/extended stream*/
        char *respbuf = NULL;
        size_t resplen = 0;
 	if (c->client_tty) {
                if (telProcessNetwork(buffer_ptr(&c->output), buffer_len(&c->output), &respbuf, &resplen) == 0)
                        buffer_clear(&c->output);
                if (respbuf != NULL) {
                        sshbuf_put(&c->input, respbuf, resplen);
                        buffer_clear(&c->output);
                }
                *buf = buffer_ptr(&c->output);
 		*len = buffer_len(&c->output);
 		return *buf;
 	}
 	else {
 		*buf = buffer_ptr(&c->output);
 		*len = buffer_len(&c->output);
 		return *buf;
 	}
 }
 #endif
 static void
 client_channel_closed(int id, void *arg)
 {
@ -1533,13 +1525,44 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 {
 	fd_set *readset = NULL, *writeset = NULL;
 	double start_time, total_time;
-	int r, max_fd = 0, max_fd2 = 0, len, rekeying = 0;
+	int r, max_fd = 0, max_fd2 = 0, len;
 	u_int64_t ibytes, obytes;
 	u_int nalloc = 0;
 	char buf[100];
 	debug("Entering interactive session.");
 	if (options.control_master &&
 	    !option_clear_or_none(options.control_path)) {
 		debug("pledge: id");
 		if (pledge("stdio rpath wpath cpath unix inet dns recvfd proc exec id tty",
 		    NULL) == -1)
 			fatal("%s pledge(): %s", __func__, strerror(errno));
 	} else if (options.forward_x11 || options.permit_local_command) {
 		debug("pledge: exec");
 		if (pledge("stdio rpath wpath cpath unix inet dns proc exec tty",
 		    NULL) == -1)
 			fatal("%s pledge(): %s", __func__, strerror(errno));
 	} else if (options.update_hostkeys) {
 		debug("pledge: filesystem full");
 		if (pledge("stdio rpath wpath cpath unix inet dns proc tty",
 		    NULL) == -1)
 			fatal("%s pledge(): %s", __func__, strerror(errno));
 	} else if (!option_clear_or_none(options.proxy_command) ||
 	    fork_after_authentication_flag) {
 		debug("pledge: proc");
 		if (pledge("stdio cpath unix inet dns proc tty", NULL) == -1)
 			fatal("%s pledge(): %s", __func__, strerror(errno));
 	} else {
 		debug("pledge: network");
 		if (pledge("stdio unix inet dns tty", NULL) == -1)
 			fatal("%s pledge(): %s", __func__, strerror(errno));
 	}
 	start_time = get_current_time();
 	/* Initialize variables. */
@ -1578,7 +1601,6 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 	 * Set signal handlers, (e.g. to restore non-blocking mode)
 	 * but don't overwrite SIG_IGN, matches behaviour from rsh(1)
 	 */
 	if (signal(SIGHUP, SIG_IGN) != SIG_IGN)
 		signal(SIGHUP, signal_handler);
 	if (signal(SIGINT, SIG_IGN) != SIG_IGN)
@ -1597,11 +1619,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 		if (session_ident != -1) {
 			if (escape_char_arg != SSH_ESCAPECHAR_NONE) {
 				channel_register_filter(session_ident,
 #ifdef WIN32_FIXME
 				    client_simple_escape_filter, client_ansi_parser_filter,
 #else
 				    client_simple_escape_filter, NULL,
 #endif
 				    client_filter_cleanup,
 				    client_new_escape_filter_ctx(
 				    escape_char_arg));
@ -1623,10 +1641,15 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 		if (compat20 && session_closed && !channel_still_open())
 			break;
-		rekeying = (active_state->kex != NULL && !active_state->kex->done);
+		if (ssh_packet_is_rekeying(active_state)) {
 		if (rekeying) {
 			debug("rekeying in progress");
 		} else if (need_rekeying) {
 			/* manual rekey request */
 			debug("need rekeying");
 			if ((r = kex_start_rekex(active_state)) != 0)
 				fatal("%s: kex_start_rekex: %s", __func__,
 				    ssh_err(r));
 			need_rekeying = 0;
 		} else {
 			/*
 			 * Make packets of buffered stdin data, and buffer
@ -1657,23 +1680,14 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 		 */
 		max_fd2 = max_fd;
 		client_wait_until_can_do_something(&readset, &writeset,
-		    &max_fd2, &nalloc, rekeying);
+		    &max_fd2, &nalloc, ssh_packet_is_rekeying(active_state));
 		if (quit_pending)
 			break;
 		/* Do channel operations unless rekeying in progress. */
-		if (!rekeying) {
+		if (!ssh_packet_is_rekeying(active_state))
 			channel_after_select(readset, writeset);
 			if (need_rekeying || packet_need_rekeying()) {
 				debug("need rekeying");
 				active_state->kex->done = 0;
 				if ((r = kex_send_kexinit(active_state)) != 0)
 					fatal("%s: kex_send_kexinit: %s",
 					    __func__, ssh_err(r));
 				need_rekeying = 0;
 			}
 		}
 		/* Buffer input from the connection.  */
 		client_process_net_input(readset);
@ -1691,14 +1705,6 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 			client_process_output(writeset);
 		}
 		if (session_resumed) {
 			connection_in = packet_get_connection_in();
 			connection_out = packet_get_connection_out();
 			max_fd = MAX(max_fd, connection_out);
 			max_fd = MAX(max_fd, connection_in);
 			session_resumed = 0;
 		}
 		/*
 		 * Send as much buffered packet data as possible to the
 		 * sender.
@ -1792,7 +1798,7 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 	}
 	/* Clear and free any buffers. */
-	memset(buf, 0, sizeof(buf));
+	explicit_bzero(buf, sizeof(buf));
 	buffer_free(&stdin_buffer);
 	buffer_free(&stdout_buffer);
 	buffer_free(&stderr_buffer);
@ -2570,18 +2576,15 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
 	    options.ip_qos_interactive, options.ip_qos_bulk);
 	if (want_tty) {
 #ifndef WIN32_FIXME
 		struct winsize ws;
 		/* Store window size in the packet. */
 		if (ioctl(in_fd, TIOCGWINSZ, &ws) < 0)
 			memset(&ws, 0, sizeof(ws));
 #endif /* !WIN32_FIXME */
 		channel_request_start(id, "pty-req", 1);
 		client_expect_confirm(id, "PTY allocation", CONFIRM_TTY);
 #ifndef WIN32_FIXME
 		packet_put_cstring(term != NULL ? term : "");
 		packet_put_int((u_int)ws.ws_col);
 		packet_put_int((u_int)ws.ws_row);
@ -2591,14 +2594,6 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
 			tiop = get_saved_tio();
 		tty_make_modes(-1, tiop);
 #else
 		packet_put_cstring(term != NULL ? term : "ansi");
 		packet_put_int((u_int) ScreenX);
 		packet_put_int((u_int) ScrollBottom);
 		packet_put_int((u_int) 640);
 		packet_put_int((u_int) 480);
 		tty_make_modes(-1, NULL);
 #endif /* else !WIN32_FIXME */
 		packet_send();
 		/* XXX wait for reply */
 		c->client_tty = 1;
--- a/clientloop.h
+++ b/clientloop.h
@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.h,v 1.31 2013/06/02 23:36:29 dtucker Exp $ */
+/* $OpenBSD: clientloop.h,v 1.32 2016/01/13 23:04:47 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -39,7 +39,7 @@
 /* Client side main loop for the interactive session. */
 int	 client_loop(int, int, int);
-void	 client_x11_get_proto(const char *, const char *, u_int, u_int,
+int	 client_x11_get_proto(const char *, const char *, u_int, u_int,
 	    char **, char **);
 void	 client_global_request_reply_fwd(int, u_int32_t, void *);
 void	 client_session2_setup(int, int, int, const char *, struct termios *,
--- a/compat.c
+++ b/compat.c
@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.97 2015/08/19 23:21:42 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.99 2016/05/24 02:31:57 dtucker Exp $ */
 /*
 * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
 *
--- a/compress.c
+++ b/compress.c
@ -1,169 +0,0 @@
 /* $OpenBSD: compress.c,v 1.26 2010/09/08 04:13:31 deraadt Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 * Interface to packet compression for ssh.
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose.  Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 */
 #include "includes.h"
 #include <sys/types.h>
 #include <stdarg.h>
 #include "log.h"
 #include "buffer.h"
 #include "compress.h"
 #ifndef WIN32_ZLIB_NO
 #include <zlib.h>
 #endif
 z_stream incoming_stream;
 z_stream outgoing_stream;
 static int compress_init_send_called = 0;
 static int compress_init_recv_called = 0;
 static int inflate_failed = 0;
 static int deflate_failed = 0;
 /*
 * Initializes compression; level is compression level from 1 to 9
 * (as in gzip).
 */
 void
 buffer_compress_init_send(int level)
 {
 	if (compress_init_send_called == 1)
 		deflateEnd(&outgoing_stream);
 	compress_init_send_called = 1;
 	debug("Enabling compression at level %d.", level);
 	if (level < 1 || level > 9)
 		fatal("Bad compression level %d.", level);
 	deflateInit(&outgoing_stream, level);
 }
 void
 buffer_compress_init_recv(void)
 {
 	if (compress_init_recv_called == 1)
 		inflateEnd(&incoming_stream);
 	compress_init_recv_called = 1;
 	inflateInit(&incoming_stream);
 }
 /* Frees any data structures allocated for compression. */
 void
 buffer_compress_uninit(void)
 {
 	debug("compress outgoing: raw data %llu, compressed %llu, factor %.2f",
 	    (unsigned long long)outgoing_stream.total_in,
 	    (unsigned long long)outgoing_stream.total_out,
 	    outgoing_stream.total_in == 0 ? 0.0 :
 	    (double) outgoing_stream.total_out / outgoing_stream.total_in);
 	debug("compress incoming: raw data %llu, compressed %llu, factor %.2f",
 	    (unsigned long long)incoming_stream.total_out,
 	    (unsigned long long)incoming_stream.total_in,
 	    incoming_stream.total_out == 0 ? 0.0 :
 	    (double) incoming_stream.total_in / incoming_stream.total_out);
 	if (compress_init_recv_called == 1 && inflate_failed == 0)
 		inflateEnd(&incoming_stream);
 	if (compress_init_send_called == 1 && deflate_failed == 0)
 		deflateEnd(&outgoing_stream);
 }
 /*
 * Compresses the contents of input_buffer into output_buffer.  All packets
 * compressed using this function will form a single compressed data stream;
 * however, data will be flushed at the end of every call so that each
 * output_buffer can be decompressed independently (but in the appropriate
 * order since they together form a single compression stream) by the
 * receiver.  This appends the compressed data to the output buffer.
 */
 void
 buffer_compress(Buffer * input_buffer, Buffer * output_buffer)
 {
 	u_char buf[4096];
 	int status;
 	/* This case is not handled below. */
 	if (buffer_len(input_buffer) == 0)
 		return;
 	/* Input is the contents of the input buffer. */
 	outgoing_stream.next_in = buffer_ptr(input_buffer);
 	outgoing_stream.avail_in = buffer_len(input_buffer);
 	/* Loop compressing until deflate() returns with avail_out != 0. */
 	do {
 		/* Set up fixed-size output buffer. */
 		outgoing_stream.next_out = buf;
 		outgoing_stream.avail_out = sizeof(buf);
 		/* Compress as much data into the buffer as possible. */
 		status = deflate(&outgoing_stream, Z_PARTIAL_FLUSH);
 		switch (status) {
 		case Z_OK:
 			/* Append compressed data to output_buffer. */
 			buffer_append(output_buffer, buf,
 			    sizeof(buf) - outgoing_stream.avail_out);
 			break;
 		default:
 			deflate_failed = 1;
 			fatal("buffer_compress: deflate returned %d", status);
 			/* NOTREACHED */
 		}
 	} while (outgoing_stream.avail_out == 0);
 }
 /*
 * Uncompresses the contents of input_buffer into output_buffer.  All packets
 * uncompressed using this function will form a single compressed data
 * stream; however, data will be flushed at the end of every call so that
 * each output_buffer.  This must be called for the same size units that the
 * buffer_compress was called, and in the same order that buffers compressed
 * with that.  This appends the uncompressed data to the output buffer.
 */
 void
 buffer_uncompress(Buffer * input_buffer, Buffer * output_buffer)
 {
 	u_char buf[4096];
 	int status;
 	incoming_stream.next_in = buffer_ptr(input_buffer);
 	incoming_stream.avail_in = buffer_len(input_buffer);
 	for (;;) {
 		/* Set up fixed-size output buffer. */
 		incoming_stream.next_out = buf;
 		incoming_stream.avail_out = sizeof(buf);
 		status = inflate(&incoming_stream, Z_PARTIAL_FLUSH);
 		switch (status) {
 		case Z_OK:
 			buffer_append(output_buffer, buf,
 			    sizeof(buf) - incoming_stream.avail_out);
 			break;
 		case Z_BUF_ERROR:
 			/*
 			 * Comments in zlib.h say that we should keep calling
 			 * inflate() until we get an error.  This appears to
 			 * be the error that we get.
 			 */
 			return;
 		default:
 			inflate_failed = 1;
 			fatal("buffer_uncompress: inflate returned %d", status);
 			/* NOTREACHED */
 		}
 	}
 }
--- a/compress.h
+++ b/compress.h
@ -1,25 +0,0 @@
 /* $OpenBSD: compress.h,v 1.12 2006/03/25 22:22:43 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 * Interface to packet compression for ssh.
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose.  Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 */
 #ifndef COMPRESS_H
 #define COMPRESS_H
 void	 buffer_compress_init_send(int);
 void	 buffer_compress_init_recv(void);
 void     buffer_compress_uninit(void);
 void     buffer_compress(Buffer *, Buffer *);
 void     buffer_uncompress(Buffer *, Buffer *);
 #endif				/* COMPRESS_H */
--- a/config.h.in
+++ b/config.h.in
--- a/36863
+++ b/36863
--- a/configure.ac
+++ b/configure.ac
@ -140,7 +140,7 @@ else
 fi
 AC_ARG_WITH([ssh1],
-	[  --without-ssh1          Enable support for SSH protocol 1],
+	[  --with-ssh1             Enable support for SSH protocol 1],
 	[
 		if test "x$withval" = "xyes" ; then
 			if test "x$openssl" = "xno" ; then
@ -373,6 +373,7 @@ AC_CHECK_HEADERS([ \
 	dirent.h \
 	endian.h \
 	elf.h \
 	err.h \
 	features.h \
 	fcntl.h \
 	floatingpoint.h \
@ -381,6 +382,7 @@ AC_CHECK_HEADERS([ \
 	ia.h \
 	iaf.h \
 	inttypes.h \
 	langinfo.h \
 	limits.h \
 	locale.h \
 	login.h \
@ -433,6 +435,7 @@ AC_CHECK_HEADERS([ \
 	utmp.h \
 	utmpx.h \
 	vis.h \
 	wchar.h \
 ])
 # lastlog.h requires sys/time.h to be included first on Solaris
@ -469,6 +472,11 @@ AC_CHECK_HEADERS([sys/un.h], [], [], [
 SIA_MSG="no"
 SPC_MSG="no"
 SP_MSG="no"
 SPP_MSG="no"
 # Support for Solaris/Illumos privileges (this test is used by both
 # the --with-solaris-privs option and --with-sandbox=solaris).
 SOLARIS_PRIVS="no"
 # Check for some target-specific stuff
 case "$host" in
@ -575,13 +583,12 @@ case "$host" in
 	LIBS="$LIBS /usr/lib/textreadmode.o"
 	AC_DEFINE([HAVE_CYGWIN], [1], [Define if you are on Cygwin])
 	AC_DEFINE([USE_PIPES], [1], [Use PIPES instead of a socketpair()])
 	AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
 		[Define to disable UID restoration test])
 	AC_DEFINE([DISABLE_SHADOW], [1],
 		[Define if you want to disable shadow passwords])
 	AC_DEFINE([NO_X11_UNIX_SOCKETS], [1],
 		[Define if X11 doesn't support AF_UNIX sockets on that system])
 	AC_DEFINE([NO_IPPORT_RESERVED_CONCEPT], [1],
 		[Define if the concept of ports only accessible to
 		superusers isn't known])
 	AC_DEFINE([DISABLE_FD_PASSING], [1],
 		[Define if your platform needs to skip post auth
 		file descriptor passing])
@ -637,6 +644,9 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 		supported by bsd-setproctitle.c])
 	AC_CHECK_FUNCS([sandbox_init])
 	AC_CHECK_HEADERS([sandbox.h])
 	AC_CHECK_LIB([sandbox], [sandbox_apply], [
 	    SSHDLIBS="$SSHDLIBS -lsandbox"
 	])
 	;;
 *-*-dragonfly*)
 	SSHDLIBS="$SSHDLIBS -lcrypt"
@ -787,6 +797,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
 	aarch64*-*)
 		seccomp_audit_arch=AUDIT_ARCH_AARCH64
 		;;
 	s390x-*)
 		seccomp_audit_arch=AUDIT_ARCH_S390X
 		;;
 	s390-*)
 		seccomp_audit_arch=AUDIT_ARCH_S390
 		;;
 	powerpc64-*)
 		seccomp_audit_arch=AUDIT_ARCH_PPC64
 		;;
 	powerpc64le-*)
 		seccomp_audit_arch=AUDIT_ARCH_PPC64LE
 		;;
 	mips-*)
 		seccomp_audit_arch=AUDIT_ARCH_MIPS
 		;;
 	mipsel-*)
 		seccomp_audit_arch=AUDIT_ARCH_MIPSEL
 		;;
 	mips64-*)
 		seccomp_audit_arch=AUDIT_ARCH_MIPS64
 		;;
 	mips64el-*)
 		seccomp_audit_arch=AUDIT_ARCH_MIPSEL64
 		;;
 	esac
 	if test "x$seccomp_audit_arch" != "x" ; then
 		AC_MSG_RESULT(["$seccomp_audit_arch"])
@ -805,14 +839,13 @@ mips-sony-bsd|mips-sony-newsos4)
 	if test "x$withval" != "xno" ; then
 		need_dash_r=1
 	fi
 	CPPFLAGS="$CPPFLAGS -D_OPENBSD_SOURCE"
 	AC_DEFINE([SSH_TUN_FREEBSD], [1], [Open tunnel devices the FreeBSD way])
 	AC_CHECK_HEADER([net/if_tap.h], ,
 	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
 	AC_DEFINE([SSH_TUN_PREPEND_AF], [1],
 	    [Prepend the address family to IP tunnel traffic])
 	TEST_MALLOC_OPTIONS="AJRX"
 	AC_DEFINE([BROKEN_STRNVIS], [1],
 	    [NetBSD strnvis argument order is swapped compared to OpenBSD])
 	AC_DEFINE([BROKEN_READ_COMPARISON], [1],
 	    [NetBSD read function is sometimes redirected, breaking atomicio comparisons against it])
 	;;
@ -823,8 +856,6 @@ mips-sony-bsd|mips-sony-newsos4)
 	AC_CHECK_HEADER([net/if_tap.h], ,
 	    AC_DEFINE([SSH_TUN_NO_L2], [1], [No layer 2 tunnel support]))
 	AC_DEFINE([BROKEN_GLOB], [1], [FreeBSD glob does not do what we need])
 	AC_DEFINE([BROKEN_STRNVIS], [1],
 	    [FreeBSD strnvis argument order is swapped compared to OpenBSD])
 	TEST_MALLOC_OPTIONS="AJRX"
 	# Preauth crypto occasionally uses file descriptors for crypto offload
 	# and will crash if they cannot be opened.
@ -889,13 +920,17 @@ mips-sony-bsd|mips-sony-newsos4)
 	else
 		AC_MSG_RESULT([no])
 	fi
 	AC_CHECK_FUNCS([setpflags])
 	AC_CHECK_FUNCS([setppriv])
 	AC_CHECK_FUNCS([priv_basicset])
 	AC_CHECK_HEADERS([priv.h])
 	AC_ARG_WITH([solaris-contracts],
 		[  --with-solaris-contracts Enable Solaris process contracts (experimental)],
 		[
 		AC_CHECK_LIB([contract], [ct_tmpl_activate],
 			[ AC_DEFINE([USE_SOLARIS_PROCESS_CONTRACTS], [1],
 				[Define if you have Solaris process contracts])
-			  SSHDLIBS="$SSHDLIBS -lcontract"
+			  LIBS="$LIBS -lcontract"
 			  SPC_MSG="yes" ], )
 		],
 	)
@ -905,10 +940,29 @@ mips-sony-bsd|mips-sony-newsos4)
 		AC_CHECK_LIB([project], [setproject],
 			[ AC_DEFINE([USE_SOLARIS_PROJECTS], [1],
 				[Define if you have Solaris projects])
-			SSHDLIBS="$SSHDLIBS -lproject"
+			LIBS="$LIBS -lproject"
 			SP_MSG="yes" ], )
 		],
 	)
 	AC_ARG_WITH([solaris-privs],
 		[  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)],
 		[
 		AC_MSG_CHECKING([for Solaris/Illumos privilege support])
 		if test "x$ac_cv_func_setppriv" = "xyes" -a \
 			"x$ac_cv_header_priv_h" = "xyes" ; then
 			SOLARIS_PRIVS=yes
 			AC_MSG_RESULT([found])
 			AC_DEFINE([NO_UID_RESTORATION_TEST], [1],
 				[Define to disable UID restoration test])
 			AC_DEFINE([USE_SOLARIS_PRIVS], [1],
 				[Define if you have Solaris privileges])
 			SPP_MSG="yes"
 		else
 			AC_MSG_RESULT([not found])
 			AC_MSG_ERROR([*** must have support for Solaris privileges to use --with-solaris-privs])
 		fi
 		],
 	)
 	TEST_SHELL=$SHELL	# let configure find us a capable shell
 	;;
 *-*-sunos4*)
@ -1122,7 +1176,6 @@ AC_RUN_IFELSE([AC_LANG_PROGRAM([[ #include <stdio.h> ]], [[ exit(0); ]])],
 dnl Checks for header files.
 # Checks for libraries.
 AC_CHECK_FUNC([yp_match], , [AC_CHECK_LIB([nsl], [yp_match])])
 AC_CHECK_FUNC([setsockopt], , [AC_CHECK_LIB([socket], [setsockopt])])
 dnl IRIX and Solaris 2.5.1 have dirname() in libgen
@ -1286,8 +1339,10 @@ AC_SEARCH_LIBS([openpty], [util bsd])
 AC_SEARCH_LIBS([updwtmp], [util bsd])
 AC_CHECK_FUNCS([fmt_scaled scan_scaled login logout openpty updwtmp logwtmp])
-# On some platforms, inet_ntop may be found in libresolv or libnsl.
+# On some platforms, inet_ntop and gethostbyname may be found in libresolv
 # or libnsl.
 AC_SEARCH_LIBS([inet_ntop], [resolv nsl])
 AC_SEARCH_LIBS([gethostbyname], [resolv nsl])
 AC_FUNC_STRFTIME
@ -1345,6 +1400,9 @@ g.gl_statv = NULL;
 AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
 AC_CHECK_DECL([VIS_ALL], ,
    AC_DEFINE(BROKEN_STRNVIS, 1, [missing VIS_ALL]), [#include <vis.h>])
 AC_MSG_CHECKING([whether struct dirent allocates space for d_name])
 AC_RUN_IFELSE(
 	[AC_LANG_PROGRAM([[
@ -1633,6 +1691,8 @@ AC_CHECK_FUNCS([ \
 	closefrom \
 	dirfd \
 	endgrent \
 	err \
 	errx \
 	explicit_bzero \
 	fchmod \
 	fchown \
@ -1659,7 +1719,6 @@ AC_CHECK_FUNCS([ \
 	inet_ntop \
 	innetgr \
 	login_getcapbool \
 	mblen \
 	md5_crypt \
 	memmove \
 	memset_s \
@ -1669,6 +1728,7 @@ AC_CHECK_FUNCS([ \
 	nsleep \
 	ogetaddrinfo \
 	openlog_r \
 	pledge \
 	poll \
 	prctl \
 	pstat \
@ -1723,8 +1783,15 @@ AC_CHECK_FUNCS([ \
 	vasprintf \
 	vsnprintf \
 	waitpid \
 	warn \
 ])
 dnl Wide character support.  Linux man page says it needs _XOPEN_SOURCE.
 saved_CFLAGS="$CFLAGS"
 CFLAGS="$CFLAGS -D_XOPEN_SOURCE"
 AC_CHECK_FUNCS([mblen mbtowc nl_langinfo wcwidth])
 CFLAGS="$saved_CFLAGS"
 AC_LINK_IFELSE(
        [AC_LANG_PROGRAM(
           [[ #include <ctype.h> ]],
@ -1732,8 +1799,18 @@ AC_LINK_IFELSE(
 	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
 ])
 disable_pkcs11=
 AC_ARG_ENABLE([pkcs11],
 	[  --disable-pkcs11        disable PKCS#11 support code [no]],
 	[
 		if test "x$enableval" = "xno" ; then
 			disable_pkcs11=1
 		fi
 	]
 )
 # PKCS11 depends on OpenSSL.
-if test "x$openssl" = "xyes" ; then
+if test "x$openssl" = "xyes" && test "x$disable_pkcs11" = "x"; then
 	# PKCS#11 support requires dlopen() and co
 	AC_SEARCH_LIBS([dlopen], [dl],
 	    [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])]
@ -2252,6 +2329,41 @@ if test "x$check_for_conflicting_getspnam" = "x1"; then
 	)
 fi
 dnl NetBSD added an strnvis and unfortunately made it incompatible with the
 dnl existing one in OpenBSD and Linux's libbsd (the former having existed
 dnl for over ten years). Despite this incompatibility being reported during
 dnl development (see http://gnats.netbsd.org/44977) they still shipped it.
 dnl Even more unfortunately FreeBSD and later MacOS picked up this incompatible
 dnl implementation.  Try to detect this mess, and assume the only safe option
 dnl if we're cross compiling.
 dnl
 dnl OpenBSD, 2001: strnvis(char *dst, const char *src, size_t dlen, int flag);
 dnl NetBSD: 2012,  strnvis(char *dst, size_t dlen, const char *src, int flag);
 if test "x$ac_cv_func_strnvis" = "xyes"; then
 	AC_MSG_CHECKING([for working strnvis])
 	AC_RUN_IFELSE(
 		[AC_LANG_PROGRAM([[
 #include <signal.h>
 #include <stdlib.h>
 #include <string.h>
 #include <vis.h>
 static void sighandler(int sig) { _exit(1); }
 		]], [[
 	char dst[16];
 	signal(SIGSEGV, sighandler);
 	if (strnvis(dst, "src", 4, 0) && strcmp(dst, "src") == 0)
 		exit(0);
 	exit(1)
 		]])],
 		[AC_MSG_RESULT([yes])],
 		[AC_MSG_RESULT([no])
 		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis detected broken])],
 		[AC_MSG_WARN([cross compiling: assuming broken])
 		 AC_DEFINE([BROKEN_STRNVIS], [1], [strnvis assumed broken])]
 	)
 fi
 AC_FUNC_GETPGRP
 # Search for OpenSSL
@ -2309,10 +2421,10 @@ openssl_engine=no
 AC_ARG_WITH([ssl-engine],
 	[  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support ],
 	[
 		if test "x$withval" != "xno" ; then
 			if test "x$openssl" = "xno" ; then
 				AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
 			fi
 		if test "x$withval" != "xno" ; then
 			openssl_engine=yes
 		fi
 	]
@ -2345,6 +2457,7 @@ if test "x$openssl" = "xyes" ; then
 	AC_MSG_CHECKING([OpenSSL header version])
 	AC_RUN_IFELSE(
 		[AC_LANG_PROGRAM([[
 	#include <stdlib.h>
 	#include <stdio.h>
 	#include <string.h>
 	#include <openssl/opensslv.h>
@ -2357,7 +2470,9 @@ if test "x$openssl" = "xyes" ; then
 		if(fd == NULL)
 			exit(1);
-		if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
+		if ((rc = fprintf(fd, "%08lx (%s)\n",
 		    (unsigned long)OPENSSL_VERSION_NUMBER,
 		     OPENSSL_VERSION_TEXT)) < 0)
 			exit(1);
 		exit(0);
@ -2392,7 +2507,7 @@ if test "x$openssl" = "xyes" ; then
 		if(fd == NULL)
 			exit(1);
-		if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
+		if ((rc = fprintf(fd, "%08lx (%s)\n", (unsigned long)SSLeay(),
 		    SSLeay_version(SSLEAY_VERSION))) < 0)
 			exit(1);
@ -2424,6 +2539,7 @@ if test "x$openssl" = "xyes" ; then
 		[AC_LANG_PROGRAM([[
 	#include <string.h>
 	#include <openssl/opensslv.h>
 	#include <openssl/crypto.h>
 		]], [[
 		exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
 		]])],
@ -2567,7 +2683,8 @@ if test "x$openssl" = "xyes" ; then
 		[
 			AC_MSG_RESULT([no])
 			unsupported_algorithms="$unsupported_cipers \
-			   aes128-gcm@openssh.com aes256-gcm@openssh.com"
+			   aes128-gcm@openssh.com \
 			   aes256-gcm@openssh.com"
 		]
 	)
@ -2610,16 +2727,18 @@ if test "x$openssl" = "xyes" ; then
 	# Search for SHA256 support in libc and/or OpenSSL
 	AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
 	    [unsupported_algorithms="$unsupported_algorithms \
-		hmac-sha2-256 hmac-sha2-512 \
+		hmac-sha2-256 \
 		hmac-sha2-512 \
 		diffie-hellman-group-exchange-sha256 \
-		hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
+		hmac-sha2-256-etm@openssh.com \
 		hmac-sha2-512-etm@openssh.com"
 	     ]
 	)
 	# Search for RIPE-MD support in OpenSSL
 	AC_CHECK_FUNCS([EVP_ripemd160], ,
 	    [unsupported_algorithms="$unsupported_algorithms \
-		hmac-ripemd160
+		hmac-ripemd160 \
-		hmac-ripemd160@openssh.com
+		hmac-ripemd160@openssh.com \
 		hmac-ripemd160-etm@openssh.com"
 	     ]
 	)
@ -2720,24 +2839,30 @@ if test "x$openssl" = "xyes" ; then
 		TEST_SSH_ECC=yes
 		COMMENT_OUT_ECC=""
 	else
-		unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \
+		unsupported_algorithms="$unsupported_algorithms \
-		    ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com"
+			ecdsa-sha2-nistp256 \
 			ecdh-sha2-nistp256 \
 			ecdsa-sha2-nistp256-cert-v01@openssh.com"
 	fi
 	if test x$enable_nistp384 = x1; then
 		AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
 		TEST_SSH_ECC=yes
 		COMMENT_OUT_ECC=""
 	else
-		unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \
+		unsupported_algorithms="$unsupported_algorithms \
-		    ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com"
+			ecdsa-sha2-nistp384 \
 			ecdh-sha2-nistp384 \
 			ecdsa-sha2-nistp384-cert-v01@openssh.com"
 	fi
 	if test x$enable_nistp521 = x1; then
 		AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
 		TEST_SSH_ECC=yes
 		COMMENT_OUT_ECC=""
 	else
-		unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \
+		unsupported_algorithms="$unsupported_algorithms \
-		    ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com"
+			ecdh-sha2-nistp521 \
 			ecdsa-sha2-nistp521 \
 			ecdsa-sha2-nistp521-cert-v01@openssh.com"
 	fi
 	AC_SUBST([TEST_SSH_ECC])
@ -2998,7 +3123,7 @@ fi
 # Decide which sandbox style to use
 sandbox_arg=""
 AC_ARG_WITH([sandbox],
-	[  --with-sandbox=style    Specify privilege separation sandbox (no, darwin, rlimit, systrace, seccomp_filter, capsicum)],
+	[  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)],
 	[
 		if test "x$withval" = "xyes" ; then
 			sandbox_arg=""
@ -3094,7 +3219,13 @@ AC_RUN_IFELSE(
 	[AC_MSG_WARN([cross compiling: assuming yes])]
 )
-if test "x$sandbox_arg" = "xsystrace" || \
+if test "x$sandbox_arg" = "xpledge" || \
   ( test -z "$sandbox_arg" && test "x$ac_cv_func_pledge" = "xyes" ) ; then
 	test "x$ac_cv_func_pledge" != "xyes" && \
 		AC_MSG_ERROR([pledge sandbox requires pledge(2) support])
 	SANDBOX_STYLE="pledge"
 	AC_DEFINE([SANDBOX_PLEDGE], [1], [Sandbox using pledge(2)])
 elif test "x$sandbox_arg" = "xsystrace" || \
   ( test -z "$sandbox_arg" && test "x$have_systr_policy_kill" = "x1" ) ; then
 	test "x$have_systr_policy_kill" != "x1" && \
 		AC_MSG_ERROR([systrace sandbox requires systrace headers and SYSTR_POLICY_KILL support])
@ -3147,6 +3278,10 @@ elif test "x$sandbox_arg" = "xrlimit" || \
 		AC_MSG_ERROR([rlimit sandbox requires select to work with rlimit])
 	SANDBOX_STYLE="rlimit"
 	AC_DEFINE([SANDBOX_RLIMIT], [1], [Sandbox using setrlimit(2)])
 elif test "x$sandbox_arg" = "xsolaris" || \
   ( test -z "$sandbox_arg" && test "x$SOLARIS_PRIVS" = "xyes" ) ; then
 	SANDBOX_STYLE="solaris"
 	AC_DEFINE([SANDBOX_SOLARIS], [1], [Sandbox using Solaris/Illumos privileges])
 elif test -z "$sandbox_arg" || test "x$sandbox_arg" = "xno" || \
     test "x$sandbox_arg" = "xnone" || test "x$sandbox_arg" = "xnull" ; then
 	SANDBOX_STYLE="none"
@ -3970,7 +4105,10 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([[
 #include <arpa/nameser.h>
 #include <resolv.h>
 extern struct __res_state _res;
-		]], [[ ]])],
+		]], [[
 struct __res_state *volatile p = &_res;  /* force resolution of _res */
 return 0;
 		]],)],
 		[AC_MSG_RESULT([yes])
 		 AC_DEFINE([HAVE__RES_EXTERN], [1],
 		    [Define if you have struct __res_state _res as an extern])
@ -4063,7 +4201,6 @@ AC_ARG_WITH([kerberos5],
 					   [K5LIBS="$K5LIBS -ldes"])
 				       ], [ AC_MSG_RESULT([no])
 					 K5LIBS="-lkrb5 -lk5crypto -lcom_err"
 			])
 			AC_SEARCH_LIBS([dn_expand], [resolv])
@ -4933,6 +5070,7 @@ echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 echo "           Solaris project support: $SP_MSG"
 echo "         Solaris privilege support: $SPP_MSG"
 echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
--- a/contrib/Makefile
+++ b/contrib/Makefile
@ -1,15 +1,17 @@
 PKG_CONFIG = pkg-config
 all:
 	@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2"
 gnome-ssh-askpass1: gnome-ssh-askpass1.c
-	$(CC) `gnome-config --cflags gnome gnomeui` \
+	$(CC) $(CFLAGS) `gnome-config --cflags gnome gnomeui` \
 		gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
 		`gnome-config --libs gnome gnomeui`
 gnome-ssh-askpass2: gnome-ssh-askpass2.c
-	$(CC) `pkg-config --cflags gtk+-2.0` \
+	$(CC) $(CFLAGS) `$(PKG_CONFIG) --cflags gtk+-2.0` \
 		gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
-		`pkg-config --libs gtk+-2.0 x11`
+		`$(PKG_CONFIG) --libs gtk+-2.0 x11`
 clean:
 	rm -f *.o gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssh-askpass
--- a/contrib/README
+++ b/contrib/README
@ -11,7 +11,7 @@ which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or
 https CONNECT style proxy server. His page for connect.c has extensive
 documentation on its use as well as compiled versions for Win32.
-http://www.taiyo.co.jp/~gotoh/ssh/connect.html
+https://bitbucket.org/gotoh/connect/wiki/Home
 X11 SSH Askpass:
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@ -1,366 +0,0 @@
 # Some of this will need re-evaluation post-LSB.  The SVIdir is there
 # because the link appeared broken.  The rest is for easy compilation,
 # the tradeoff open to discussion.  (LC957)
 %define	SVIdir		/etc/rc.d/init.d
 %{!?_defaultdocdir:%define	_defaultdocdir	%{_prefix}/share/doc/packages}
 %{!?SVIcdir:%define		SVIcdir		/etc/sysconfig/daemons}
 %define _mandir		%{_prefix}/share/man/en
 %define _sysconfdir	/etc/ssh
 %define	_libexecdir	%{_libdir}/ssh
 # Do we want to disable root_login? (1=yes 0=no)
 %define no_root_login 0
 #old cvs stuff.  please update before use.  may be deprecated.
 %define use_stable	1
 %define version 	5.9p1
 %if %{use_stable}
  %define cvs		%{nil}
  %define release 	1
 %else
  %define cvs		cvs20050315
  %define release 	0r1
 %endif
 %define xsa		x11-ssh-askpass		
 %define askpass		%{xsa}-1.2.4.1
 # OpenSSH privilege separation requires a user & group ID
 %define sshd_uid    67
 %define sshd_gid    67
 Name        	: openssh
 Version     	: %{version}%{cvs}
 Release     	: %{release}
 Group       	: System/Network
 Summary     	: OpenSSH free Secure Shell (SSH) implementation.
 Summary(de) 	: OpenSSH - freie Implementation der Secure Shell (SSH).
 Summary(es) 	: OpenSSH implementación libre de Secure Shell (SSH).
 Summary(fr) 	: Implémentation libre du shell sécurisé OpenSSH (SSH).
 Summary(it) 	: Implementazione gratuita OpenSSH della Secure Shell.
 Summary(pt) 	: Implementação livre OpenSSH do protocolo 'Secure Shell' (SSH).
 Summary(pt_BR) 	: Implementação livre OpenSSH do protocolo Secure Shell (SSH).
 Copyright   	: BSD
 Packager    	: Raymund Will <ray@caldera.de>
 URL         	: http://www.openssh.com/
 Obsoletes   	: ssh, ssh-clients, openssh-clients
 BuildRoot   	: /tmp/%{name}-%{version}
 BuildRequires	: XFree86-imake
 # %{use_stable}==1:	ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
 # %{use_stable}==0:	:pserver:cvs@bass.directhit.com:/cvs/openssh_cvs
 Source0: see-above:/.../openssh-%{version}.tar.gz
 %if %{use_stable}
 Source1: see-above:/.../openssh-%{version}.tar.gz.asc
 %endif
 Source2: http://www.jmknoble.net/software/%{xsa}/%{askpass}.tar.gz
 Source3: http://www.openssh.com/faq.html
 %Package server
 Group       	: System/Network
 Requires    	: openssh = %{version}
 Obsoletes   	: ssh-server
 Summary     	: OpenSSH Secure Shell protocol server (sshd).
 Summary(de) 	: OpenSSH Secure Shell Protocol-Server (sshd).
 Summary(es) 	: Servidor del protocolo OpenSSH Secure Shell (sshd).
 Summary(fr) 	: Serveur de protocole du shell sécurisé OpenSSH (sshd).
 Summary(it) 	: Server OpenSSH per il protocollo Secure Shell (sshd).
 Summary(pt) 	: Servidor do protocolo 'Secure Shell' OpenSSH (sshd).
 Summary(pt_BR) 	: Servidor do protocolo Secure Shell OpenSSH (sshd).
 %Package askpass
 Group       	: System/Network
 Requires    	: openssh = %{version}
 URL       	: http://www.jmknoble.net/software/x11-ssh-askpass/
 Obsoletes   	: ssh-extras
 Summary     	: OpenSSH X11 pass-phrase dialog.
 Summary(de) 	: OpenSSH X11 Passwort-Dialog.
 Summary(es) 	: Aplicación de petición de frase clave OpenSSH X11.
 Summary(fr) 	: Dialogue pass-phrase X11 d'OpenSSH.
 Summary(it) 	: Finestra di dialogo X11 per la frase segreta di OpenSSH.
 Summary(pt) 	: Diálogo de pedido de senha para X11 do OpenSSH.
 Summary(pt_BR) 	: Diálogo de pedido de senha para X11 do OpenSSH.
 %Description
 OpenSSH (Secure Shell) provides access to a remote system. It replaces
 telnet, rlogin,  rexec, and rsh, and provides secure encrypted 
 communications between two untrusted hosts over an insecure network.  
 X11 connections and arbitrary TCP/IP ports can also be forwarded over 
 the secure channel.
 %Description -l de
 OpenSSH (Secure Shell) stellt den Zugang zu anderen Rechnern her. Es ersetzt
 telnet, rlogin, rexec und rsh und stellt eine sichere, verschlüsselte
 Verbindung zwischen zwei nicht vertrauenswürdigen Hosts über eine unsicheres
 Netzwerk her. X11 Verbindungen und beliebige andere TCP/IP Ports können ebenso
 über den sicheren Channel weitergeleitet werden.
 %Description -l es
 OpenSSH (Secure Shell) proporciona acceso a sistemas remotos. Reemplaza a
 telnet, rlogin, rexec, y rsh, y proporciona comunicaciones seguras encriptadas
 entre dos equipos entre los que no se ha establecido confianza a través de una
 red insegura. Las conexiones X11 y puertos TCP/IP arbitrarios también pueden
 ser canalizadas sobre el canal seguro.
 %Description -l fr
 OpenSSH (Secure Shell) fournit un accès à un système distant. Il remplace
 telnet, rlogin, rexec et rsh, tout en assurant des communications cryptées
 securisées entre deux hôtes non fiabilisés sur un réseau non sécurisé. Des
 connexions X11 et des ports TCP/IP arbitraires peuvent également être
 transmis sur le canal sécurisé.
 %Description -l it
 OpenSSH (Secure Shell) fornisce l'accesso ad un sistema remoto.
 Sostituisce telnet, rlogin, rexec, e rsh, e fornisce comunicazioni sicure
 e crittate tra due host non fidati su una rete non sicura. Le connessioni
 X11 ad una porta TCP/IP arbitraria possono essere inoltrate attraverso
 un canale sicuro.
 %Description -l pt
 OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
 telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e cifradas
 entre duas máquinas sem confiança mútua sobre uma rede insegura.
 Ligações X11 e portos TCP/IP arbitrários também poder ser reenviados
 pelo canal seguro.
 %Description -l pt_BR
 O OpenSSH (Secure Shell) fornece acesso a um sistema remoto. Substitui o
 telnet, rlogin, rexec, e o rsh e fornece comunicações seguras e criptografadas
 entre duas máquinas sem confiança mútua sobre uma rede insegura.
 Ligações X11 e portas TCP/IP arbitrárias também podem ser reenviadas
 pelo canal seguro.
 %Description server
 This package installs the sshd, the server portion of OpenSSH. 
 %Description -l de server
 Dieses Paket installiert den sshd, den Server-Teil der OpenSSH.
 %Description -l es server
 Este paquete instala sshd, la parte servidor de OpenSSH.
 %Description -l fr server
 Ce paquetage installe le 'sshd', partie serveur de OpenSSH.
 %Description -l it server
 Questo pacchetto installa sshd, il server di OpenSSH.
 %Description -l pt server
 Este pacote intala o sshd, o servidor do OpenSSH.
 %Description -l pt_BR server
 Este pacote intala o sshd, o servidor do OpenSSH.
 %Description askpass
 This package contains an X11-based pass-phrase dialog used per
 default by ssh-add(1). It is based on %{askpass}
 by Jim Knoble <jmknoble@pobox.com>.
 %Prep
 %setup %([ -z "%{cvs}" ] || echo "-n %{name}_cvs") -a2
 %if ! %{use_stable}
  autoreconf
 %endif
 %Build
 CFLAGS="$RPM_OPT_FLAGS" \
 %configure \
            --with-pam \
            --with-tcp-wrappers \
 	    --with-privsep-path=%{_var}/empty/sshd \
 	    #leave this line for easy edits.
 %__make
 cd %{askpass}
 %configure \
 	    #leave this line for easy edits.
 xmkmf
 %__make includes
 %__make
 %Install
 [ %{buildroot} != "/" ] && rm -rf %{buildroot}
 make install DESTDIR=%{buildroot}
 %makeinstall -C %{askpass} \
    BINDIR=%{_libexecdir} \
    MANPATH=%{_mandir} \
    DESTDIR=%{buildroot}
 # OpenLinux specific configuration
 mkdir -p %{buildroot}{/etc/pam.d,%{SVIcdir},%{SVIdir}}
 mkdir -p %{buildroot}%{_var}/empty/sshd
 # enabling X11 forwarding on the server is convenient and okay,
 # on the client side it's a potential security risk!
 %__perl -pi -e 's:#X11Forwarding no:X11Forwarding yes:g' \
    %{buildroot}%{_sysconfdir}/sshd_config
 %if %{no_root_login}
 %__perl -pi -e 's:#PermitRootLogin yes:PermitRootLogin no:g' \
    %{buildroot}%{_sysconfdir}/sshd_config
 %endif
 install -m644 contrib/caldera/sshd.pam %{buildroot}/etc/pam.d/sshd
 # FIXME: disabled, find out why this doesn't work with nis
 %__perl -pi -e 's:(.*pam_limits.*):#$1:' \
    %{buildroot}/etc/pam.d/sshd
 install -m 0755 contrib/caldera/sshd.init %{buildroot}%{SVIdir}/sshd
 # the last one is needless, but more future-proof
 find %{buildroot}%{SVIdir} -type f -exec \
    %__perl -pi -e 's:\@SVIdir\@:%{SVIdir}:g;\
 		    s:\@sysconfdir\@:%{_sysconfdir}:g; \
 		    s:/usr/sbin:%{_sbindir}:g'\
    \{\} \;
 cat <<-EoD > %{buildroot}%{SVIcdir}/sshd
 	IDENT=sshd
 	DESCRIPTIVE="OpenSSH secure shell daemon"
 	# This service will be marked as 'skipped' on boot if there
 	# is no host key. Use ssh-host-keygen to generate one
 	ONBOOT="yes"
 	OPTIONS=""
 EoD
 SKG=%{buildroot}%{_sbindir}/ssh-host-keygen
 install -m 0755 contrib/caldera/ssh-host-keygen $SKG
 # Fix up some path names in the keygen toy^Hol
    %__perl -pi -e 's:\@sysconfdir\@:%{_sysconfdir}:g; \
 		    s:\@sshkeygen\@:%{_bindir}/ssh-keygen:g' \
 	%{buildroot}%{_sbindir}/ssh-host-keygen
 # This looks terrible.  Expect it to change.
 # install remaining docs
 DocD="%{buildroot}%{_defaultdocdir}/%{name}-%{version}"
 mkdir -p $DocD/%{askpass}
 cp -a CREDITS ChangeLog LICENCE OVERVIEW README* TODO PROTOCOL* $DocD
 install -p -m 0444 %{SOURCE3}  $DocD/faq.html
 cp -a %{askpass}/{README,ChangeLog,TODO,SshAskpass*.ad}  $DocD/%{askpass}
 %if %{use_stable}
  cp -p %{askpass}/%{xsa}.man $DocD/%{askpass}/%{xsa}.1
 %else
  cp -p %{askpass}/%{xsa}.man %{buildroot}%{_mandir}man1/%{xsa}.1
  ln -s  %{xsa}.1 %{buildroot}%{_mandir}man1/ssh-askpass.1
 %endif
 find %{buildroot}%{_mandir} -type f -not -name	'*.gz' -print0 | xargs -0r %__gzip -9nf
 rm %{buildroot}%{_mandir}/man1/slogin.1 && \
    ln -s %{_mandir}/man1/ssh.1.gz \
    %{buildroot}%{_mandir}/man1/slogin.1.gz
 %Clean
 #%{rmDESTDIR}
 [ %{buildroot} != "/" ] && rm -rf %{buildroot}
 %Post
 # Generate host key when none is present to get up and running,
 # both client and server require this for host-based auth!
 # ssh-host-keygen checks for existing keys.
 /usr/sbin/ssh-host-keygen
 : # to protect the rpm database
 %pre server
 %{_sbindir}/groupadd -g %{sshd_gid} sshd 2>/dev/null || :
 %{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
 	-c "SSH Daemon virtual user" -g sshd sshd 2>/dev/null || :
 : # to protect the rpm database
 %Post server
 if [ -x %{LSBinit}-install ]; then
  %{LSBinit}-install sshd
 else
  lisa --SysV-init install sshd S55 2:3:4:5 K45 0:1:6
 fi
 ! %{SVIdir}/sshd status || %{SVIdir}/sshd restart
 : # to protect the rpm database
 %PreUn server
 [ "$1" = 0 ] || exit 0
 ! %{SVIdir}/sshd status || %{SVIdir}/sshd stop
 if [ -x %{LSBinit}-remove ]; then
  %{LSBinit}-remove sshd
 else
  lisa --SysV-init remove sshd $1
 fi
 : # to protect the rpm database
 %Files 
 %defattr(-,root,root)
 %dir %{_sysconfdir}
 %config %{_sysconfdir}/ssh_config
 %{_bindir}/scp
 %{_bindir}/sftp
 %{_bindir}/ssh
 %{_bindir}/slogin
 %{_bindir}/ssh-add
 %attr(2755,root,nobody) %{_bindir}/ssh-agent
 %{_bindir}/ssh-keygen
 %{_bindir}/ssh-keyscan
 %dir %{_libexecdir}
 %attr(4711,root,root) %{_libexecdir}/ssh-keysign
 %{_libexecdir}/ssh-pkcs11-helper
 %{_sbindir}/ssh-host-keygen
 %dir %{_defaultdocdir}/%{name}-%{version}
 %{_defaultdocdir}/%{name}-%{version}/CREDITS
 %{_defaultdocdir}/%{name}-%{version}/ChangeLog
 %{_defaultdocdir}/%{name}-%{version}/LICENCE
 %{_defaultdocdir}/%{name}-%{version}/OVERVIEW
 %{_defaultdocdir}/%{name}-%{version}/README*
 %{_defaultdocdir}/%{name}-%{version}/TODO
 %{_defaultdocdir}/%{name}-%{version}/faq.html
 %{_mandir}/man1/*
 %{_mandir}/man8/ssh-keysign.8.gz
 %{_mandir}/man8/ssh-pkcs11-helper.8.gz
 %{_mandir}/man5/ssh_config.5.gz
 %Files server
 %defattr(-,root,root)
 %dir %{_var}/empty/sshd
 %config %{SVIdir}/sshd
 %config /etc/pam.d/sshd
 %config %{_sysconfdir}/moduli
 %config %{_sysconfdir}/sshd_config
 %config %{SVIcdir}/sshd
 %{_libexecdir}/sftp-server
 %{_sbindir}/sshd
 %{_mandir}/man5/moduli.5.gz
 %{_mandir}/man5/sshd_config.5.gz
 %{_mandir}/man8/sftp-server.8.gz
 %{_mandir}/man8/sshd.8.gz
 %Files askpass
 %defattr(-,root,root)
 %{_libexecdir}/ssh-askpass
 %{_libexecdir}/x11-ssh-askpass
 %{_defaultdocdir}/%{name}-%{version}/%{askpass}
 %ChangeLog
 * Tue Jan 18 2011 Tim Rice <tim@multitalents.net>
 - Use CFLAGS from Makefile instead of RPM so build completes.
 - Signatures were changed to .asc since 4.1p1.
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 $Id: openssh.spec,v 1.75.2.1 2011/09/05 00:28:11 djm Exp $
--- a/contrib/caldera/ssh-host-keygen
+++ b/contrib/caldera/ssh-host-keygen
@ -1,36 +0,0 @@
 #! /bin/sh
 #
 # $Id: ssh-host-keygen,v 1.3 2008/11/03 09:16:01 djm Exp $
 #
 # This script is normally run only *once* for a given host
 # (in a given period of time) -- on updates/upgrades/recovery
 # the ssh_host_key* files _should_ be retained! Otherwise false
 # "man-in-the-middle-attack" alerts will frighten unsuspecting
 # clients...
 keydir=@sysconfdir@
 keygen=@sshkeygen@
 if [ -f $keydir/ssh_host_key -o \
 	     -f $keydir/ssh_host_key.pub ]; then
  echo "You already have an SSH1 RSA host key in $keydir/ssh_host_key."
 else
  echo "Generating SSH1 RSA host key."
  $keygen -t rsa1 -f $keydir/ssh_host_key -C '' -N ''
 fi
 if [ -f $keydir/ssh_host_rsa_key -o \
 	     -f $keydir/ssh_host_rsa_key.pub ]; then
  echo "You already have an SSH2 RSA host key in $keydir/ssh_host_rsa_key."
 else
  echo "Generating SSH2 RSA host key."
  $keygen -t rsa -f $keydir/ssh_host_rsa_key -C '' -N ''
 fi
 if [ -f $keydir/ssh_host_dsa_key -o \
 	     -f $keydir/ssh_host_dsa_key.pub ]; then
  echo "You already have an SSH2 DSA host key in $keydir/ssh_host_dsa_key."
 else
  echo "Generating SSH2 DSA host key."
  $keygen -t dsa -f $keydir/ssh_host_dsa_key -C '' -N ''
 fi
--- a/contrib/caldera/sshd.init
+++ b/contrib/caldera/sshd.init
@ -1,125 +0,0 @@
 #! /bin/bash
 #
 # $Id: sshd.init,v 1.4 2003/11/21 12:48:57 djm Exp $
 #
 ### BEGIN INIT INFO
 # Provides:
 # Required-Start: $network
 # Required-Stop:
 # Default-Start:  3 4 5
 # Default-Stop:   0 1 2 6
 # Description: sshd
 #                Bring up/down the OpenSSH secure shell daemon.
 ### END INIT INFO
 #
 # Written by Miquel van Smoorenburg <miquels@drinkel.ow.org>.
 # Modified for Debian GNU/Linux by Ian Murdock <imurdock@gnu.ai.mit.edu>.
 # Modified for OpenLinux by Raymund Will <ray@caldera.de>
 NAME=sshd
 DAEMON=/usr/sbin/$NAME
 # Hack-Alert(TM)!  This is necessary to get around the 'reload'-problem
 # created by recent OpenSSH daemon/ssd combinations. See Caldera internal
 # PR [linux/8278] for details...
 PIDF=/var/run/$NAME.pid
 NAME=$DAEMON
 _status() {
  [ -z "$1" ] || local pidf="$1"
  local ret=-1
  local pid
  if [ -n "$pidf" ] && [  -r "$pidf" ]; then
    pid=$(head -1 $pidf)
  else
    pid=$(pidof $NAME)
  fi
  if [ ! -e $SVIlock ]; then
    # no lock-file => not started == stopped?
    ret=3
  elif [ -n "$pidf" -a ! -f "$pidf" ] || [ -z "$pid" ]; then
    # pid-file given but not present or no pid => died, but was not stopped
    ret=2
  elif [ -r /proc/$pid/cmdline ] &&
       echo -ne $NAME'\000' | cmp -s - /proc/$pid/cmdline; then
    # pid-file given and present or pid found => check process...
    # but don't compare exe, as this will fail after an update!
    # compares OK => all's well, that ends well...
    ret=0
  else
    # no such process or exe does not match => stale pid-file or process died
    #   just recently...
    ret=1
  fi
  return $ret
 }
 # Source function library (and set vital variables).
 . @SVIdir@/functions
 case "$1" in
 start)
  [ ! -e $SVIlock ] || exit 0
  [ -x $DAEMON ] || exit 5
  SVIemptyConfig @sysconfdir@/sshd_config && exit 6
  if [ ! \( -f @sysconfdir@/ssh_host_key -a            \
 	    -f @sysconfdir@/ssh_host_key.pub \) -a     \
       ! \( -f @sysconfdir@/ssh_host_rsa_key -a        \
 	    -f @sysconfdir@/ssh_host_rsa_key.pub \) -a \
       ! \( -f @sysconfdir@/ssh_host_dsa_key -a        \
 	    -f @sysconfdir@/ssh_host_dsa_key.pub \) ]; then
    echo "$SVIsubsys: host key not initialized: skipped!"
    echo "$SVIsubsys: use ssh-host-keygen to generate one!"
    exit 6
  fi
  echo -n "Starting $SVIsubsys services: "
  ssd -S -x $DAEMON -n $NAME -- $OPTIONS
  ret=$?
  echo  "."
  touch $SVIlock
  ;;
 stop)
  [ -e $SVIlock ] || exit 0
  echo -n "Stopping $SVIsubsys services: "
  ssd -K -p $PIDF -n $NAME
  ret=$?
  echo "."
  rm -f $SVIlock
  ;;
 force-reload|reload)
  [ -e $SVIlock ] || exit 0
  echo "Reloading $SVIsubsys configuration files: "
  ssd -K --signal 1 -q -p $PIDF -n $NAME
  ret=$?
  echo "done."
  ;;
 restart)
  $0 stop
  $0 start
  ret=$?
  ;;
 status)
  _status $PIDF
  ret=$?
  ;;
 *)
  echo "Usage: $SVIscript {[re]start|stop|[force-]reload|status}"
  ret=2
  ;;
 esac
 exit $ret
--- a/contrib/caldera/sshd.pam
+++ b/contrib/caldera/sshd.pam
@ -1,8 +0,0 @@
 #%PAM-1.0
 auth       required     /lib/security/pam_pwdb.so shadow nodelay
 account    required     /lib/security/pam_nologin.so
 account    required     /lib/security/pam_pwdb.so
 password   required     /lib/security/pam_cracklib.so
 password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
 session    required     /lib/security/pam_pwdb.so
 session    required     /lib/security/pam_limits.so
--- a/contrib/cygwin/Makefile
+++ b/contrib/cygwin/Makefile
@ -36,21 +36,20 @@ install-inetd-config:
 install-sshdoc:
 	$(srcdir)/mkinstalldirs $(DESTDIR)$(sshdocdir)
-	$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
+	-$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
-	$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
+	-$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
-	$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
+	-$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
-	$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
+	-$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
-	$(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
+	-$(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
-	$(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
+	-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
-	$(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys
+	-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys
-	$(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux
+	-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux
-	$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
+	-$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
-	$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
+	-$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
-	$(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform
+	-$(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform
-	$(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
+	-$(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
-	$(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.tun
+	-$(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.tun
-	$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
+	-$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
 	$(INSTALL) -m 644 $(srcdir)/WARNING.RNG $(DESTDIR)$(sshdocdir)/WARNING.RNG
 install-cygwindoc: README
 	$(srcdir)/mkinstalldirs $(DESTDIR)$(cygdocdir)
--- a/contrib/cygwin/README
+++ b/contrib/cygwin/README
@ -4,115 +4,18 @@ The binary package is usually built for recent Cygwin versions and might
 not run on older versions.  Please check http://cygwin.com/ for information
 about current Cygwin releases.
-Build instructions are at the end of the file.
+==================
-
+Host configuration
-===========================================================================
+==================
 Important change since 3.7.1p2-2:
 The ssh-host-config file doesn't create the /etc/ssh_config and
 /etc/sshd_config files from builtin here-scripts anymore, but it uses
 skeleton files installed in /etc/defaults/etc.
 Also it now tries hard to create appropriate permissions on files.
 Same applies for ssh-user-config.
 After creating the sshd service with ssh-host-config, it's advisable to
 call ssh-user-config for all affected users, also already exising user
 configurations.  In the latter case, file and directory permissions are
 checked and changed, if requireed to match the host configuration.
 Important note for Windows 2003 Server users:
 ---------------------------------------------
 2003 Server has a funny new feature.  When starting services under SYSTEM
 account, these services have nearly all user rights which SYSTEM holds...
 except for the "Create a token object" right, which is needed to allow
 public key authentication :-(
 There's no way around this, except for creating a substitute account which
 has the appropriate privileges.  Basically, this account should be member
 of the administrators group, plus it should have the following user rights:
 	Create a token object
 	Logon as a service
 	Replace a process level token
 	Increase Quota
 The ssh-host-config script asks you, if it should create such an account,
 called "sshd_server".  If you say "no" here, you're on your own.  Please
 follow the instruction in ssh-host-config exactly if possible.  Note that
 ssh-user-config sets the permissions on 2003 Server machines dependent of
 whether a sshd_server account exists or not.
 ===========================================================================
 ===========================================================================
 Important change since 3.4p1-2:
 This version adds privilege separation as default setting, see
 /usr/doc/openssh/README.privsep.  According to that document the
 privsep feature requires a non-privileged account called 'sshd'.
 The new ssh-host-config file which is part of this version asks
 to create 'sshd' as local user if you want to use privilege
 separation.  If you confirm, it creates that NT user and adds
 the necessary entry to /etc/passwd.
 On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
 since that feature doesn't make any sense on a system which doesn't
 differ between privileged and unprivileged users.
 The new ssh-host-config script also adds the /var/empty directory
 needed by privilege separation.  When creating the /var/empty directory
 by yourself, please note that in contrast to the README.privsep document
 the owner sshould not be "root" but the user which is running sshd.  So,
 in the standard configuration this is SYSTEM.  The ssh-host-config script
 chowns /var/empty accordingly.
 ===========================================================================
 ===========================================================================
 Important change since 3.0.1p1-2:
 This version introduces the ability to register sshd as service on
 Windows 9x/Me systems.  This is done only when the options -D and/or
 -d are not given.
 ===========================================================================
 ===========================================================================
 Important change since 2.9p2:
 Since Cygwin is able to switch user context without password beginning
 with version 1.3.2, OpenSSH now allows to do so when it's running under
 a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
 allow that feature.
 ===========================================================================
 ===========================================================================
 Important change since 2.3.0p1:
 When using `ntea' or `ntsec' you now have to care for the ownership
 and permission bits of your host key files and your private key files.
 The host key files have to be owned by the NT account which starts
 sshd. The user key files have to be owned by the user. The permission
 bits of the private key files (host and user) have to be at least
 rw------- (0600)!
 Note that this is forced under `ntsec' only if the files are on a NTFS
 filesystem (which is recommended) due to the lack of any basic security
 features of the FAT/FAT32 filesystems.
 ===========================================================================
 If you are installing OpenSSH the first time, you can generate global config
-files and server keys by running
+files and server keys, as well as installing sshd as a service, by running
   /usr/bin/ssh-host-config
 Note that this binary archive doesn't contain default config files in /etc.
 That files are only created if ssh-host-config is started.
 If you are updating your installation you may run the above ssh-host-config
 as well to move your configuration files to the new location and to
 erase the files at the old location.
 To support testing and unattended installation ssh-host-config got
 some options:
@ -122,18 +25,28 @@ Options:
    --yes    -y            Answer all questions with "yes" automatically.
    --no     -n            Answer all questions with "no" automatically.
    --cygwin -c <options>  Use "options" as value for CYGWIN environment var.
    --name   -N <name>     sshd windows service name.
    --port   -p <n>        sshd listens on port n.
-    --pwd    -w <passwd>   Use "pwd" as password for user 'sshd_server'.
+    --user   -u <account>  privileged user for service, default 'cyg_server'.
    --pwd    -w <passwd>   Use "pwd" as password for privileged user.
    --privileged           On Windows XP, require privileged user
                           instead of LocalSystem for sshd service.
-Additionally ssh-host-config now asks if it should install sshd as a
+Installing sshd as daemon via ssh-host-config is recommended.
 service when running under NT/W2K. This requires cygrunsrv installed.
-You can create the private and public keys for a user now by running
+Alternatively you can start sshd via inetd, if you have the inetutils
 package installed.  Just run ssh-host-config, but answer "no" when asked
 to install sshd as service.  The ssh-host-config script also adds the
 required lines to /etc/inetd.conf and /etc/services.
 ==================
 User configuration
 ==================
 Any user can simplify creating the own private and public keys by running
  /usr/bin/ssh-user-config
 under the users account.
 To support testing and unattended installation ssh-user-config got
 some options as well:
@ -144,88 +57,29 @@ Options:
    --no         -n        Answer all questions with "no" automatically.
    --passphrase -p word   Use "word" as passphrase automatically.
 Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
 (results in very slow deamon startup!) or from the command line (recommended
 on 9X/ME).
 If you start sshd as deamon via cygrunsrv.exe you MUST give the
 "-D" option to sshd. Otherwise the service can't get started at all.
 If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
 following line to your inetd.conf file:
 ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
 Moreover you'll have to add the following line to your
 ${SYSTEMROOT}/system32/drivers/etc/services file:
   ssh         22/tcp          #SSH daemon
 Please note that OpenSSH does never use the value of $HOME to
 search for the users configuration files! It always uses the
 value of the pw_dir field in /etc/passwd as the home directory.
 If no home diretory is set in /etc/passwd, the root directory
 is used instead!
-You may use all features of the CYGWIN=ntsec setting the same
+================
-way as they are used by Cygwin's login(1) port:
+Building OpenSSH
 ================
-  The pw_gecos field may contain an additional field, that begins
+Building from source is easy.  Just unpack the source archive, cd to that
-  with (upper case!) "U-", followed by the domain and the username
+directory, and call cygport:
  separated by a backslash.
  CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
  BTW: The field separator in pw_gecos is the comma.
  The username in pw_name itself may be any nice name:
-    domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...
+	cygport openssh.cygport all
-  Now you may use `domuser' as your login name with telnet!
+You must have installed the following packages to be able to build OpenSSH
-  This is possible additionally for local users, if you don't like
+with the aforementioned cygport script:
  your NT login name ;-) You only have to leave out the domain:
-    locuser::1104:513:John Doe,U-user,S-1-5-21-...
+  zlib
-
+  crypt
-Note that the CYGWIN=ntsec setting is required for public key authentication.
+  openssl-devel
-
+  libedit-devel
-SSH2 server and user keys are generated by the `ssh-*-config' scripts
+  libkrb5-devel
 as well.
 If you want to build from source, the following options to
 configure are used for the Cygwin binary distribution:
 	--prefix=/usr \
 	--sysconfdir=/etc \
 	--libexecdir='${sbindir}' \
 	--localstatedir=/var \
 	--datadir='${prefix}/share' \
 	--mandir='${datadir}/man' \
 	--infodir='${datadir}/info'
 	--with-tcp-wrappers
 	--with-libedit
 If you want to create a Cygwin package, equivalent to the one
 in the Cygwin binary distribution, install like this:
 	mkdir /tmp/cygwin-ssh
 	cd ${builddir}
 	make install DESTDIR=/tmp/cygwin-ssh
 	cd ${srcdir}/contrib/cygwin
 	make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
 	cd /tmp/cygwin-ssh
 	find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
 You must have installed the following packages to be able to build OpenSSH:
 - zlib
 - openssl-devel
 If you want to build with --with-tcp-wrappers, you also need the package
 - tcp_wrappers
 If you want to build with --with-libedit, you also need the package
 - libedit-devel
 Please send requests, error reports etc. to cygwin@cygwin.com.
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# ssh-host-config, Copyright 2000-2011 Red Hat Inc.
+# ssh-host-config, Copyright 2000-2014 Red Hat Inc.
 #
 # This file is part of the Cygwin port of OpenSSH.
 #
@ -34,9 +34,9 @@ declare -a csih_required_commands=(
  /usr/bin/mv coreutils
  /usr/bin/rm coreutils
  /usr/bin/cygpath cygwin
  /usr/bin/mkpasswd cygwin
  /usr/bin/mount cygwin
  /usr/bin/ps cygwin
  /usr/bin/setfacl cygwin
  /usr/bin/umount cygwin
  /usr/bin/cmp diffutils
  /usr/bin/grep grep
@ -59,62 +59,16 @@ PREFIX=/usr
 SYSCONFDIR=/etc
 LOCALSTATEDIR=/var
 sshd_config_configured=no
 port_number=22
-privsep_configured=no
+service_name=sshd
 strictmodes=yes
 privsep_used=yes
 cygwin_value=""
 user_account=
 password_value=
 opt_force=no
 # ======================================================================
 # Routine: create_host_keys
 # ======================================================================
 create_host_keys() {
  local ret=0
  if [ ! -f "${SYSCONFDIR}/ssh_host_key" ]
  then
    csih_inform "Generating ${SYSCONFDIR}/ssh_host_key"
    if ! /usr/bin/ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null
    then
    	csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
 	let ++ret
    fi
  fi
  if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ]
  then
    csih_inform "Generating ${SYSCONFDIR}/ssh_host_rsa_key"
    if ! /usr/bin/ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null
    then
    	csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
 	let ++ret
    fi
  fi
  if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ]
  then
    csih_inform "Generating ${SYSCONFDIR}/ssh_host_dsa_key"
    if ! /usr/bin/ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null
    then
    	csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
 	let ++ret
    fi
  fi
  if [ ! -f "${SYSCONFDIR}/ssh_host_ecdsa_key" ]
  then
    csih_inform "Generating ${SYSCONFDIR}/ssh_host_ecdsa_key"
    if ! /usr/bin/ssh-keygen -t ecdsa -f ${SYSCONFDIR}/ssh_host_ecdsa_key -N '' > /dev/null
    then
    	csih_warning "Generating ${SYSCONFDIR}/ssh_host_key failed!"
 	let ++ret
    fi
  fi
  return $ret
 } # --- End of create_host_keys --- #
 # ======================================================================
 # Routine: update_services_file
 # ======================================================================
@ -137,28 +91,8 @@ update_services_file() {
  # Depends on the above mount
  _wservices=`cygpath -w "${_services}"`
  # Remove sshd 22/port from services
  if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
  then
    /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
    if [ -f "${_serv_tmp}" ]
    then
      if /usr/bin/mv "${_serv_tmp}" "${_services}"
      then
 	csih_inform "Removing sshd from ${_wservices}"
      else
 	csih_warning "Removing sshd from ${_wservices} failed!"
 	let ++ret
      fi
      /usr/bin/rm -f "${_serv_tmp}"
    else
      csih_warning "Removing sshd from ${_wservices} failed!"
      let ++ret
    fi
  fi
  # Add ssh 22/tcp  and ssh 22/udp to services
-  if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
+  if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
  then
    if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
    then
@ -179,18 +113,46 @@ update_services_file() {
  return $ret
 } # --- End of update_services_file --- #
 # ======================================================================
 # Routine: sshd_strictmodes
 #  MODIFIES: strictmodes
 # ======================================================================
 sshd_strictmodes() {
  if [ "${sshd_config_configured}" != "yes" ]
  then
    echo
    csih_inform "StrictModes is set to 'yes' by default."
    csih_inform "This is the recommended setting, but it requires that the POSIX"
    csih_inform "permissions of the user's home directory, the user's .ssh"
    csih_inform "directory, and the user's ssh key files are tight so that"
    csih_inform "only the user has write permissions."
    csih_inform "On the other hand, StrictModes don't work well with default"
    csih_inform "Windows permissions of a home directory mounted with the"
    csih_inform "'noacl' option, and they don't work at all if the home"
    csih_inform "directory is on a FAT or FAT32 partition."
    if ! csih_request "Should StrictModes be used?"
    then
      strictmodes=no
    fi
  fi
  return 0
 }
 # ======================================================================
 # Routine: sshd_privsep
-#  MODIFIES: privsep_configured  privsep_used
+#  MODIFIES: privsep_used
 # ======================================================================
 sshd_privsep() {
  local sshdconfig_tmp
  local ret=0
-  if [ "${privsep_configured}" != "yes" ]
+  if [ "${sshd_config_configured}" != "yes" ]
  then
-    csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
+    echo
-    csih_inform "However, this requires a non-privileged account called 'sshd'."
+    csih_inform "Privilege separation is set to 'sandbox' by default since"
    csih_inform "OpenSSH 6.1.  This is unsupported by Cygwin and has to be set"
    csih_inform "to 'yes' or 'no'."
    csih_inform "However, using privilege separation requires a non-privileged account"
    csih_inform "called 'sshd'."
    csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
    if csih_request "Should privilege separation be used?"
    then
@ -207,36 +169,53 @@ sshd_privsep() {
      privsep_used=no
    fi
  fi
  return $ret
 } # --- End of sshd_privsep --- #
-  # Create default sshd_config from skeleton files in /etc/defaults/etc or
+# ======================================================================
-  # modify to add the missing privsep configuration option
+# Routine: sshd_config_tweak
-  if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
+# ======================================================================
-  then
+sshd_config_tweak() {
  local ret=0
  # Modify sshd_config
  csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
-    sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
+  if [ "${port_number}" -ne 22 ]
    /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
  	  s/^#Port 22/Port ${port_number}/
  	  s/^#StrictModes yes/StrictModes no/" \
 	< ${SYSCONFDIR}/sshd_config \
 	> "${sshdconfig_tmp}"
    if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
  then
-	csih_warning "Setting privilege separation to 'yes' failed!"
+    /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
      ${SYSCONFDIR}/sshd_config
    if [ $? -ne 0 ]
    then
      csih_warning "Setting listening port to ${port_number} failed!"
      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
      let ++ret
    fi
-  elif [ "${privsep_configured}" != "yes" ]
+  fi
  if [ "${strictmodes}" = "no" ]
  then
-    echo >> ${SYSCONFDIR}/sshd_config
+    /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
-    if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
+      ${SYSCONFDIR}/sshd_config
    if [ $? -ne 0 ]
    then
-	csih_warning "Setting privilege separation to 'yes' failed!"
+      csih_warning "Setting StrictModes to 'no' failed!"
      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
      let ++ret
    fi
  fi
  if [ "${sshd_config_configured}" != "yes" ]
  then
    /usr/bin/sed -i -e "
      s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
      ${SYSCONFDIR}/sshd_config
    if [ $? -ne 0 ]
    then
      csih_warning "Setting privilege separation failed!"
      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
      let ++ret
    fi
  fi
  return $ret
-} # --- End of sshd_privsep --- #
+} # --- End of sshd_config_tweak --- #
 # ======================================================================
 # Routine: update_inetd_conf
@ -255,11 +234,11 @@ update_inetd_conf() {
    # we have inetutils-1.5 inetd.d support
    if [ -f "${_inetcnf}" ]
    then
-      /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
+      /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
      # check for sshd OR ssh in top-level inetd.conf file, and remove
      # will be replaced by a file in inetd.d/
-      if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
+      if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
      then
 	/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
 	if [ -f "${_inetcnf_tmp}" ]
@ -284,9 +263,9 @@ update_inetd_conf() {
    then
      if [ "${_with_comment}" -eq 0 ]
      then
-	/usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
      else
-	/usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
      fi
      if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
      then
@ -299,13 +278,13 @@ update_inetd_conf() {
  elif [ -f "${_inetcnf}" ]
  then
-    /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
+    /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
    # check for sshd in top-level inetd.conf file, and remove
    # will be replaced by a file in inetd.d/
-    if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
+    if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
    then
-      /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
+      /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
      if [ -f "${_inetcnf_tmp}" ]
      then
 	if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
@ -353,24 +332,31 @@ check_service_files_ownership() {
  if [ -z "${run_service_as}" ]
  then
-    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
+    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
    		 /usr/bin/sed -ne 's/^Account *: *//gp')
    if [ "${accnt_name}" = "LocalSystem" ]
    then
      # Convert "LocalSystem" to "SYSTEM" as is the correct account name
-      accnt_name="SYSTEM:"
+      run_service_as="SYSTEM"
-    elif [[ "${accnt_name}" =~ ^\.\\ ]]
+    else
      dom="${accnt_name%%\\*}"
      accnt_name="${accnt_name#*\\}"
      if [ "${dom}" = '.' ]
      then
-      # Convert "." domain to local machine name
+	# Check local account
-      accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
+	run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
 			 /usr/bin/awk -F: '{print $1;}')
      else
      	# Check domain
 	run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
 			 /usr/bin/awk -F: '{print $1;}')
      fi
    fi
    run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
    if [ -z "${run_service_as}" ]
    then
-      csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
+      csih_warning "Couldn't determine name of user running sshd service from account database!"
      csih_warning "As a result, this script cannot make sure that the files used"
      csih_warning "by the sshd service belong to the user running the service."
      csih_warning "Please re-run the mkpasswd tool to make sure the /etc/passwd"
      csih_warning "file is in a good shape."
      return 1
    fi
  fi
@ -423,7 +409,7 @@ install_service() {
  local ret=0
  echo
-  if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
+  if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1
  then
    csih_inform "Sshd service is already installed."
    check_service_files_ownership "" || let ret+=$?
@ -479,7 +465,7 @@ install_service() {
      fi
      if [ -z "${password}" ]
      then
-	if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
+	if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
 			      -a "-D" -y tcpip "${cygwin_env[@]}"
 	then
 	  echo
@ -489,19 +475,20 @@ install_service() {
 	  csih_inform "will start automatically after the next reboot."
 	fi
      else
-	if /usr/bin/cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd \
+	if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
 			      -a "-D" -y tcpip "${cygwin_env[@]}" \
 			      -u "${run_service_as}" -w "${password}"
 	then
 	  /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
 	  echo
 	  csih_inform "The sshd service has been installed under the '${run_service_as}'"
-	  csih_inform "account.  To start the service now, call \`net start sshd' or"
+	  csih_inform "account.  To start the service now, call \`net start ${service_name}' or"
-	  csih_inform "\`cygrunsrv -S sshd'.  Otherwise, it will start automatically"
+	  csih_inform "\`cygrunsrv -S ${service_name}'.  Otherwise, it will start automatically"
 	  csih_inform "after the next reboot."
 	fi
      fi
-      if /usr/bin/cygrunsrv -Q sshd >/dev/null 2>&1
+      if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1
      then
 	check_service_files_ownership "${run_service_as}" || let ret+=$?
      else
@ -575,6 +562,11 @@ do
    shift
    ;;
  -N | --name )
    service_name=$1
    shift
    ;;
  -p | --port )
    port_number=$1
    shift
@ -604,10 +596,11 @@ do
    echo "  --yes    -y            Answer all questions with \"yes\" automatically."
    echo "  --no     -n            Answer all questions with \"no\" automatically."
    echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
    echo "  --name   -N <name>     sshd windows service name."
    echo "  --port   -p <n>        sshd listens on port n."
-    echo "  --user   -u <account>  privileged user for service."
+    echo "  --user   -u <account>  privileged user for service, default 'cyg_server'."
    echo "  --pwd    -w <passwd>   Use \"pwd\" as password for privileged user."
-    echo "  --privileged           On Windows NT/2k/XP, require privileged user"
+    echo "  --privileged           On Windows XP, require privileged user"
    echo "                         instead of LocalSystem for sshd service."
    echo
    exit 1
@ -637,10 +630,7 @@ then
  csih_warning "However, it seems your account does not have these privileges."
  csih_warning "Here's the list of groups in your user token:"
  echo
-  for i in $(/usr/bin/id -G)
+  /usr/bin/id -Gnz | xargs -0n1 echo "   "
  do
    /usr/bin/awk -F: "/[^:]*:[^:]*:$i:/{ print \"    \" \$1; }" /etc/group
  done
  echo
  csih_warning "This usually means you're running this script from a non-admin"
  csih_warning "desktop session, or in a non-elevated shell under UAC control."
@ -662,32 +652,6 @@ echo
 warning_cnt=0
 # Check for ${SYSCONFDIR} directory
 csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
 if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
 then
  csih_warning "Can't set permissions on ${SYSCONFDIR}!"
  let ++warning_cnt
 fi
 if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
 then
  csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
  let ++warning_cnt
 fi
 # Check for /var/log directory
 csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
 if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
 then
  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
  let ++warning_cnt
 fi
 if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
 then
  csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
  let ++warning_cnt
 fi
 # Create /var/log/lastlog if not already exists
 if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
 then
@ -712,14 +676,10 @@ then
  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
  let ++warning_cnt
 fi
 if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
 then
  csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
  let ++warning_cnt
 fi
-# host keys
+# generate missing host keys
-create_host_keys || let warning_cnt+=$?
+csih_inform "Generating missing SSH host keys"
 /usr/bin/ssh-keygen -A || let warning_cnt+=$?
 # handle ssh_config
 csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
@ -737,10 +697,11 @@ fi
 csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
 if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
 then
-  /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
+  sshd_config_configured=yes
 fi
 sshd_strictmodes || let warning_cnt+=$?
 sshd_privsep || let warning_cnt+=$?
-
+sshd_config_tweak || let warning_cnt+=$?
 update_services_file || let warning_cnt+=$?
 update_inetd_conf || let warning_cnt+=$?
 install_service || let warning_cnt+=$?
--- a/contrib/cygwin/ssh-user-config
+++ b/contrib/cygwin/ssh-user-config
@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# ssh-user-config, Copyright 2000-2008 Red Hat Inc.
+# ssh-user-config, Copyright 2000-2014 Red Hat Inc.
 #
 # This file is part of the Cygwin port of OpenSSH.
 #
@ -75,19 +75,18 @@ readonly -f create_identity
 #   pwdhome
 # ======================================================================
 check_user_homedir() {
-  local uid=$(id -u)
+  pwdhome=$(getent passwd $UID | awk -F: '{ print $6; }')
  pwdhome=$(awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < ${SYSCONFDIR}/passwd)
  if [ "X${pwdhome}" = "X" ]
  then
    csih_error_multi \
-      "There is no home directory set for you in ${SYSCONFDIR}/passwd." \
+      "There is no home directory set for you in the account database." \
      'Setting $HOME is not sufficient!'
  fi
  if [ ! -d "${pwdhome}" ]
  then
    csih_error_multi \
-      "${pwdhome} is set in ${SYSCONFDIR}/passwd as your home directory" \
+      "${pwdhome} is set in the account database as your home directory" \
      'but it is not a valid directory. Cannot create user identity files.'
  fi
@ -96,7 +95,7 @@ check_user_homedir() {
  if [ "X${pwdhome}" = "X/" ]
  then
    # But first raise a warning!
-    csih_warning "Your home directory in ${SYSCONFDIR}/passwd is set to root (/). This is not recommended!"
+    csih_warning "Your home directory in the account database is set to root (/). This is not recommended!"
    if csih_request "Would you like to proceed anyway?"
    then
      pwdhome=''
@ -106,7 +105,7 @@ check_user_homedir() {
    fi
  fi
-  if [ -d "${pwdhome}" -a csih_is_nt -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
+  if [ -d "${pwdhome}" -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
  then
    echo
    csih_warning 'group and other have been revoked write permission to your home'
@ -149,9 +148,10 @@ readonly -f check_user_dot_ssh_dir
 #   pwdhome   -- check_user_homedir()
 # ======================================================================
 fix_authorized_keys_perms() {
-  if [ csih_is_nt -a -e "${pwdhome}/.ssh/authorized_keys" ]
+  if [ -e "${pwdhome}/.ssh/authorized_keys" ]
  then
-    if ! setfacl -m "u::rw-,g::---,o::---" "${pwdhome}/.ssh/authorized_keys"
+    setfacl -b "${pwdhome}/.ssh/authorized_keys" 2>/dev/null || echo -n
    if ! chmod u-x,g-wx,o-wx "${pwdhome}/.ssh/authorized_keys"
    then
      csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
      csih_warning "failed.  Please care for the correct permissions.  The minimum requirement"
@ -222,10 +222,6 @@ do
    shift
    ;;
  --privileged )
    csih_FORCE_PRIVILEGED_USER=yes
    ;;
  *)
    echo "usage: ${PROGNAME} [OPTION]..."
    echo
@ -236,8 +232,6 @@ do
    echo "    --yes        -y        Answer all questions with \"yes\" automatically."
    echo "    --no         -n        Answer all questions with \"no\" automatically."
    echo "    --passphrase -p word   Use \"word\" as passphrase automatically."
    echo "    --privileged           On Windows NT/2k/XP, assume privileged user"
    echo "                           instead of LocalSystem for sshd service."
    echo
    exit 1
    ;;
@ -249,15 +243,6 @@ done
 # Action!
 # ======================================================================
 # Check passwd file
 if [ ! -f ${SYSCONFDIR}/passwd ]
 then
  csih_error_multi \
    "${SYSCONFDIR}/passwd is nonexistant. Please generate an ${SYSCONFDIR}/passwd file" \
    'first using mkpasswd. Check if it contains an entry for you and' \
    'please care for the home directory in your entry as well.'
 fi
 check_user_homedir
 check_user_dot_ssh_dir
 create_identity id_rsa rsa "SSH2 RSA"
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@ -1,4 +1,4 @@
-%define ver 5.9p1
+%define ver 7.3p1
 %define rel 1
 # OpenSSH privilege separation requires a user & group ID
@ -86,10 +86,10 @@ PreReq: initscripts >= 5.00
 %else
 Requires: initscripts >= 5.20
 %endif
-BuildRequires: perl, openssl-devel, tcp_wrappers
+BuildRequires: perl, openssl-devel
 BuildRequires: /bin/login
 %if ! %{build6x}
-BuildPreReq: glibc-devel, pam
+BuildRequires: glibc-devel, pam
 %else
 BuildRequires: /usr/include/security/pam_appl.h
 %endif
@ -184,7 +184,7 @@ CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
 %endif
 %if %{kerberos5}
-K5DIR=`rpm -ql krb5-devel | grep include/krb5.h | sed 's,\/include\/krb5.h,,'`
+K5DIR=`rpm -ql krb5-devel | grep 'include/krb5\.h' | sed 's,\/include\/krb5.h,,'`
 echo K5DIR=$K5DIR
 %endif
@ -192,8 +192,6 @@ echo K5DIR=$K5DIR
 	--sysconfdir=%{_sysconfdir}/ssh \
 	--libexecdir=%{_libexecdir}/openssh \
 	--datadir=%{_datadir}/openssh \
 	--with-tcp-wrappers \
 	--with-rsh=%{_bindir}/rsh \
 	--with-default-path=/usr/local/bin:/bin:/usr/bin \
 	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
 	--with-privsep-path=%{_var}/empty/sshd \
@ -335,7 +333,7 @@ fi
 %files
 %defattr(-,root,root)
-%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO WARNING*
+%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO
 %attr(0755,root,root) %{_bindir}/scp
 %attr(0644,root,root) %{_mandir}/man1/scp.1*
 %attr(0755,root,root) %dir %{_sysconfdir}/ssh
@ -360,8 +358,6 @@ fi
 %attr(0644,root,root) %{_mandir}/man1/ssh.1*
 %attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
 %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
 %attr(-,root,root) %{_bindir}/slogin
 %attr(-,root,root) %{_mandir}/man1/slogin.1*
 %if ! %{rescue}
 %attr(2755,root,nobody) %{_bindir}/ssh-agent
 %attr(0755,root,root) %{_bindir}/ssh-add
--- a/contrib/redhat/sshd.init
+++ b/contrib/redhat/sshd.init
@ -29,7 +29,7 @@ do_restart_sanity_check()
 {
 	$SSHD -t
 	RETVAL=$?
-	if [ ! "$RETVAL" = 0 ]; then
+	if [ $RETVAL -ne 0 ]; then
 		failure $"Configuration file or keys are invalid"
 		echo
 	fi
@ -49,7 +49,7 @@ start()
 	echo -n $"Starting $prog:"
 	$SSHD $OPTIONS && success || failure
 	RETVAL=$?
-	[ "$RETVAL" = 0 ] && touch /var/lock/subsys/sshd
+	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
 	echo
 }
@ -58,7 +58,7 @@ stop()
 	echo -n $"Stopping $prog:"
 	killproc $SSHD -TERM
 	RETVAL=$?
-	[ "$RETVAL" = 0 ] && rm -f /var/lock/subsys/sshd
+	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
 	echo
 }
@ -87,7 +87,7 @@ case "$1" in
 	condrestart)
 		if [ -f /var/lock/subsys/sshd ] ; then
 			do_restart_sanity_check
-			if [ "$RETVAL" = 0 ] ; then
+			if [ $RETVAL -eq 0 ] ; then
 				stop
 				# avoid race
 				sleep 3
--- a/contrib/ssh-copy-id
+++ b/contrib/ssh-copy-id
@ -1,54 +1,317 @@
 #!/bin/sh
-# Shell script to install your public key on a remote machine
+# Copyright (c) 1999-2013 Philip Hands <phil@hands.com>
-# Takes the remote machine name as an argument.
+#               2013 Martin Kletzander <mkletzan@redhat.com>
-# Obviously, the remote machine must accept password authentication,
+#               2010 Adeodato =?iso-8859-1?Q?Sim=F3?= <asp16@alu.ua.es>
-# or one of the other keys in your ssh-agent, for this to work.
+#               2010 Eric Moret <eric.moret@gmail.com>
 #               2009 Xr <xr@i-jeuxvideo.com>
 #               2007 Justin Pryzby <justinpryzby@users.sourceforge.net>
 #               2004 Reini Urban <rurban@x-ray.at>
 #               2003 Colin Watson <cjwatson@debian.org>
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
 # 1. Redistributions of source code must retain the above copyright
 #    notice, this list of conditions and the following disclaimer.
 # 2. Redistributions in binary form must reproduce the above copyright
 #    notice, this list of conditions and the following disclaimer in the
 #    documentation and/or other materials provided with the distribution.
 #
 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 # IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 # OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 # IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 # INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 # NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 # THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-ID_FILE="${HOME}/.ssh/id_rsa.pub"
+# Shell script to install your public key(s) on a remote machine
 # See the ssh-copy-id(1) man page for details
-if [ "-i" = "$1" ]; then
+# check that we have something mildly sane as our shell, or try to find something better
-  shift
+if false ^ printf "%s: WARNING: ancient shell, hunting for a more modern one... " "$0"
-  # check if we have 2 parameters left, if so the first is the new ID file
+then
-  if [ -n "$2" ]; then
+  SANE_SH=${SANE_SH:-/usr/bin/ksh}
-    if expr "$1" : ".*\.pub" > /dev/null ; then
+  if printf 'true ^ false\n' | "$SANE_SH"
-      ID_FILE="$1"
+  then
    printf "'%s' seems viable.\n" "$SANE_SH"
    exec "$SANE_SH" "$0" "$@"
  else
-      ID_FILE="$1.pub"
+    cat <<-EOF
-    fi
+	oh dear.
    shift         # and this should leave $1 as the target name
  fi
 else
  if [ x$SSH_AUTH_SOCK != x ] && ssh-add -L >/dev/null 2>&1; then
    GET_ID="$GET_ID ssh-add -L"
  fi
 fi
-if [ -z "`eval $GET_ID`" ] && [ -r "${ID_FILE}" ] ; then
+	  If you have a more recent shell available, that supports \$(...) etc.
-  GET_ID="cat \"${ID_FILE}\""
+	  please try setting the environment variable SANE_SH to the path of that
-fi
+	  shell, and then retry running this script. If that works, please report
-
+	  a bug describing your setup, and the shell you used to make it work.
 if [ -z "`eval $GET_ID`" ]; then
  echo "$0: ERROR: No identities found" >&2
  exit 1
 fi
 if [ "$#" -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
  echo "Usage: $0 [-i [identity_file]] [user@]machine" >&2
  exit 1
 fi
 # strip any trailing colon
 host=`echo $1 | sed 's/:$//'`
 { eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1
 cat <<EOF
 Now try logging into the machine, with "ssh '$host'", and check in:
  ~/.ssh/authorized_keys
 to make sure we haven't added extra keys that you weren't expecting.
 	EOF
    printf "%s: ERROR: Less dimwitted shell required.\n" "$0"
    exit 1
  fi
 fi
 DEFAULT_PUB_ID_FILE="$HOME/$(cd "$HOME" ; ls -t .ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)"
 usage () {
  printf 'Usage: %s [-h|-?|-f|-n] [-i [identity_file]] [-p port] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
  printf '\t-f: force mode -- copy keys without trying to check if they are already installed\n' >&2
  printf '\t-n: dry run    -- no keys are actually copied\n' >&2
  printf '\t-h|-?: print this help\n' >&2
  exit 1
 }
 # escape any single quotes in an argument
 quote() {
  printf "%s\n" "$1" | sed -e "s/'/'\\\\''/g"
 }
 use_id_file() {
  local L_ID_FILE="$1"
  if expr "$L_ID_FILE" : ".*\.pub$" >/dev/null ; then
    PUB_ID_FILE="$L_ID_FILE"
  else
    PUB_ID_FILE="$L_ID_FILE.pub"
  fi
  [ "$FORCED" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
  # check that the files are readable
  for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
    ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
      local L_PRIVMSG=""
      [ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG="	(to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
      printf "\n%s: ERROR: failed to open ID file '%s': %s\n" "$0" "$f" "$(printf "%s\n%s\n" "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
      exit 1
    }
  done
  printf '%s: INFO: Source of key(s) to be installed: "%s"\n' "$0" "$PUB_ID_FILE" >&2
  GET_ID="cat \"$PUB_ID_FILE\""
 }
 if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then
  GET_ID="ssh-add -L"
 fi
 while test "$#" -gt 0
 do
  [ "${SEEN_OPT_I}" ] && expr "$1" : "[-]i" >/dev/null && {
        printf "\n%s: ERROR: -i option must not be specified more than once\n\n" "$0"
        usage
  }
  OPT= OPTARG=
  # implement something like getopt to avoid Solaris pain
  case "$1" in
    -i?*|-o?*|-p?*)
      OPT="$(printf -- "$1"|cut -c1-2)"
      OPTARG="$(printf -- "$1"|cut -c3-)"
      shift
      ;;
    -o|-p)
      OPT="$1"
      OPTARG="$2"
      shift 2
      ;;
    -i)
      OPT="$1"
      test "$#" -le 2 || expr "$2" : "[-]" >/dev/null || {
        OPTARG="$2"
        shift
      }
      shift
      ;;
    -f|-n|-h|-\?)
      OPT="$1"
      OPTARG=
      shift
      ;;
    --)
      shift
      while test "$#" -gt 0
      do
        SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
        shift
      done
      break
      ;;
    -*)
      printf "\n%s: ERROR: invalid option (%s)\n\n" "$0" "$1"
      usage
      ;;
    *)
      SAVEARGS="${SAVEARGS:+$SAVEARGS }'$(quote "$1")'"
      shift
      continue
      ;;
  esac
  case "$OPT" in
    -i)
      SEEN_OPT_I="yes"
      use_id_file "${OPTARG:-$DEFAULT_PUB_ID_FILE}"
      ;;
    -o|-p)
      SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }$OPT '$(quote "$OPTARG")'"
      ;;
    -f)
      FORCED=1
      ;;
    -n)
      DRY_RUN=1
      ;;
    -h|-\?)
      usage
      ;;
  esac
 done 
 eval set -- "$SAVEARGS"
 if [ $# = 0 ] ; then
  usage
 fi
 if [ $# != 1 ] ; then
  printf '%s: ERROR: Too many arguments.  Expecting a target hostname, got: %s\n\n' "$0" "$SAVEARGS" >&2
  usage
 fi
 # drop trailing colon
 USER_HOST=$(printf "%s\n" "$1" | sed 's/:$//')
 # tack the hostname onto SSH_OPTS
 SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'"
 # and populate "$@" for later use (only way to get proper quoting of options)
 eval set -- "$SSH_OPTS"
 if [ -z "$(eval $GET_ID)" ] && [ -r "${PUB_ID_FILE:=$DEFAULT_PUB_ID_FILE}" ] ; then
  use_id_file "$PUB_ID_FILE"
 fi
 if [ -z "$(eval $GET_ID)" ] ; then
  printf '%s: ERROR: No identities found\n' "$0" >&2
  exit 1
 fi
 # populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
 # and has the side effect of setting $NEW_IDS
 populate_new_ids() {
  local L_SUCCESS="$1"
  if [ "$FORCED" ] ; then
    NEW_IDS=$(eval $GET_ID)
    return
  fi
  # repopulate "$@" inside this function 
  eval set -- "$SSH_OPTS"
  umask 0177
  local L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
  if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
    printf '%s: ERROR: mktemp failed\n' "$0" >&2
    exit 1
  fi
  local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
  trap "$L_CLEANUP" EXIT TERM INT QUIT
  printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
  NEW_IDS=$(
    eval $GET_ID | {
      while read ID || [ "$ID" ] ; do
        printf '%s\n' "$ID" > "$L_TMP_ID_FILE"
        # the next line assumes $PRIV_ID_FILE only set if using a single id file - this
        # assumption will break if we implement the possibility of multiple -i options.
        # The point being that if file based, ssh needs the private key, which it cannot
        # find if only given the contents of the .pub file in an unrelated tmpfile
        ssh -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \
            -o ControlPath=none \
            -o LogLevel=INFO \
            -o PreferredAuthentications=publickey \
            -o IdentitiesOnly=yes "$@" exit 2>"$L_TMP_ID_FILE.stderr" </dev/null
        if [ "$?" = "$L_SUCCESS" ] ; then
          : > "$L_TMP_ID_FILE"
        else
          grep 'Permission denied' "$L_TMP_ID_FILE.stderr" >/dev/null || {
            sed -e 's/^/ERROR: /' <"$L_TMP_ID_FILE.stderr" >"$L_TMP_ID_FILE"
            cat >/dev/null #consume the other keys, causing loop to end
          }
        fi
        cat "$L_TMP_ID_FILE"
      done
    }
  )
  eval "$L_CLEANUP" && trap - EXIT TERM INT QUIT
  if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then
    printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2
    exit 1
  fi
  if [ -z "$NEW_IDS" ] ; then
    printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2
    printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' "$0" >&2
    exit 0
  fi
  printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
 }
 REMOTE_VERSION=$(ssh -v -o PreferredAuthentications=',' -o ControlPath=none "$@" 2>&1 |
                 sed -ne 's/.*remote software version //p')
 case "$REMOTE_VERSION" in
  NetScreen*)
    populate_new_ids 1
    for KEY in $(printf "%s" "$NEW_IDS" | cut -d' ' -f2) ; do
      KEY_NO=$(($KEY_NO + 1))
      printf "%s\n" "$KEY" | grep ssh-dss >/dev/null || {
         printf '%s: WARNING: Non-dsa key (#%d) skipped (NetScreen only supports DSA keys)\n' "$0" "$KEY_NO" >&2
         continue
      }
      [ "$DRY_RUN" ] || printf 'set ssh pka-dsa key %s\nsave\nexit\n' "$KEY" | ssh -T "$@" >/dev/null 2>&1
      if [ $? = 255 ] ; then
        printf '%s: ERROR: installation of key #%d failed (please report a bug describing what caused this, so that we can make this message useful)\n' "$0" "$KEY_NO" >&2
      else
        ADDED=$(($ADDED + 1))
      fi
    done
    if [ -z "$ADDED" ] ; then
      exit 1
    fi
    ;;
  *)
    # Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
    populate_new_ids 0
    # in ssh below - to defend against quirky remote shells: use 'exec sh -c' to get POSIX; 'cd' to be at $HOME; and all on one line, because tcsh.
    [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
      ssh "$@" "exec sh -c 'cd ; umask 077 ; mkdir -p .ssh && cat >> .ssh/authorized_keys || exit 1 ; if type restorecon >/dev/null 2>&1 ; then restorecon -F .ssh .ssh/authorized_keys ; fi'" \
      || exit 1
    ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
    ;;
 esac
 if [ "$DRY_RUN" ] ; then
  cat <<-EOF
 	=-=-=-=-=-=-=-=
 	Would have added the following key(s):
 	$NEW_IDS
 	=-=-=-=-=-=-=-=
 	EOF
 else
  cat <<-EOF
 	Number of key(s) added: $ADDED
 	Now try logging into the machine, with:   "ssh $SSH_OPTS"
 	and check to make sure that only the key(s) you wanted were added.
 	EOF
 fi
 # =-=-=-=
--- a/contrib/ssh-copy-id.1
+++ b/contrib/ssh-copy-id.1
@ -1,75 +1,191 @@
 .ig \"  -*- nroff -*-
-Copyright (c) 1999 Philip Hands Computing <http://www.hands.com/>
+Copyright (c) 1999-2013 hands.com Ltd. <http://hands.com/>
-Permission is granted to make and distribute verbatim copies of
+Redistribution and use in source and binary forms, with or without
-this manual provided the copyright notice and this permission notice
+modification, are permitted provided that the following conditions
-are preserved on all copies.
+are met:
 1. Redistributions of source code must retain the above copyright
   notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
   notice, this list of conditions and the following disclaimer in the
   documentation and/or other materials provided with the distribution.
-Permission is granted to copy and distribute modified versions of this
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-manual under the conditions for verbatim copying, provided that the
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-entire resulting derived work is distributed under the terms of a
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-permission notice identical to this one.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-Permission is granted to copy and distribute translations of this
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-manual into another language, under the above conditions for modified
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-versions, except that this permission notice may be included in
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-translations approved by the Free Software Foundation instead of in
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-the original English.
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 ..
-.TH SSH-COPY-ID 1 "14 November 1999" "OpenSSH"
+.Dd $Mdocdate: June 17 2010 $
-.SH NAME
+.Dt SSH-COPY-ID 1
-ssh-copy-id \- install your public key in a remote machine's authorized_keys
+.Os
-.SH SYNOPSIS
+.Sh NAME
-.B ssh-copy-id [-i [identity_file]]
+.Nm ssh-copy-id
-.I "[user@]machine"
+.Nd use locally available keys to authorise logins on a remote machine
 .Sh SYNOPSIS
 .Nm
 .Op Fl f
 .Op Fl n
 .Op Fl i Op Ar identity_file
 .Op Fl p Ar port
 .Op Fl o Ar ssh_option
 .Op Ar user Ns @ Ns
 .Ar hostname
 .Nm
 .Fl h | Fl ?
 .br
-.SH DESCRIPTION
+.Sh DESCRIPTION
-.BR ssh-copy-id
+.Nm
-is a script that uses ssh to log into a remote machine and
+is a script that uses
-append the indicated identity file to that machine's
+.Xr ssh 1
-.B ~/.ssh/authorized_keys
+to log into a remote machine (presumably using a login password,
-file.
+so password authentication should be enabled, unless you've done some
-.PP
+clever use of multiple identities).  It assembles a list of one or more
-If the
+fingerprints (as described below) and tries to log in with each key, to
-.B -i
+see if any of them are already installed (of course, if you are not using
-option is given then the identity file (defaults to
+.Xr ssh-agent 1
-.BR ~/.ssh/id_rsa.pub )
+this may result in you being repeatedly prompted for pass-phrases).
-is used, regardless of whether there are any keys in your
+It then assembles a list of those that failed to log in, and using ssh,
-.BR ssh-agent .
+enables logins with those keys on the remote server.  By default it adds
-Otherwise, if this:
+the keys by appending them to the remote user's
-.PP
+.Pa ~/.ssh/authorized_keys
-.B "      ssh-add -L"
+(creating the file, and directory, if necessary).  It is also capable
-.PP
+of detecting if the remote system is a NetScreen, and using its
-provides any output, it uses that in preference to the identity file.
+.Ql set ssh pka-dsa key ...
-.PP
+command instead.
-If the
+.Pp
-.B -i
+The options are as follows:
-option is used, or the
+.Bl -tag -width Ds
-.B ssh-add
+.It Fl i Ar identity_file
-produced no output, then it uses the contents of the identity
+Use only the key(s) contained in
-file.  Once it has one or more fingerprints (by whatever means) it
+.Ar identity_file
-uses ssh to append them to
+(rather than looking for identities via
-.B ~/.ssh/authorized_keys
+.Xr ssh-add 1
-on the remote machine (creating the file, and directory, if necessary.)
+or in the
-
+.Ic default_ID_file ) .
-.SH NOTES
+If the filename does not end in
-This program does not modify the permissions of any
+.Pa .pub
-pre-existing files or directories. Therefore, if the remote
+this is added.  If the filename is omitted, the 
-.B sshd
+.Ic default_ID_file
-has
+is used.
-.B StrictModes
+.Pp
-set in its
+Note that this can be used to ensure that the keys copied have the
-configuration, then the user's home,
+comment one prefers and/or extra options applied, by ensuring that the
-.B ~/.ssh
+key file has these set as preferred before the copy is attempted.
-folder, and
+.It Fl f
-.B ~/.ssh/authorized_keys
+Forced mode: doesn't check if the keys are present on the remote server.
-file may need to have group writability disabled manually, e.g. via
+This means that it does not need the private key.  Of course, this can result
-
+in more than one copy of the key being installed on the remote system.
-.B "      chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys"
+.It Fl n
-
+do a dry-run.  Instead of installing keys on the remote system simply
-on the remote machine.
+prints the key(s) that would have been installed.
-
+.It Fl h , Fl ?
-.SH "SEE ALSO"
+Print Usage summary
-.BR ssh (1),
+.It Fl p Ar port , Fl o Ar ssh_option
-.BR ssh-agent (1),
+These two options are simply passed through untouched, along with their
-.BR sshd (8)
+argument, to allow one to set the port or other
 .Xr ssh 1
 options, respectively.
 .Pp
 Rather than specifying these as command line options, it is often better to use (per-host) settings in
 .Xr ssh 1 Ns 's
 configuration file:
 .Xr ssh_config 5 .
 .El
 .Pp
 Default behaviour without
 .Fl i ,
 is to check if
 .Ql ssh-add -L
 provides any output, and if so those keys are used.  Note that this results in
 the comment on the key being the filename that was given to
 .Xr ssh-add 1
 when the key was loaded into your
 .Xr ssh-agent 1
 rather than the comment contained in that file, which is a bit of a shame.
 Otherwise, if
 .Xr ssh-add 1
 provides no keys contents of the 
 .Ic default_ID_file
 will be used.
 .Pp
 The
 .Ic default_ID_file
 is the most recent file that matches:
 .Pa ~/.ssh/id*.pub ,
 (excluding those that match
 .Pa ~/.ssh/*-cert.pub )
 so if you create a key that is not the one you want
 .Nm
 to use, just use
 .Xr touch 1
 on your preferred key's 
 .Pa .pub
 file to reinstate it as the most recent.
 .Pp
 .Sh EXAMPLES
 If you have already installed keys from one system on a lot of remote
 hosts, and you then create a new key, on a new client machine, say,
 it can be difficult to keep track of which systems on which you've
 installed the new key.  One way of dealing with this is to load both
 the new key and old key(s) into your
 .Xr ssh-agent 1 .
 Load the new key first, without the
 .Fl c
 option, then load one or more old keys into the agent, possibly by
 ssh-ing to the client machine that has that old key, using the
 .Fl A
 option to allow agent forwarding:
 .Pp
 .D1 user@newclient$ ssh-add
 .D1 user@newclient$ ssh -A old.client
 .D1 user@oldl$ ssh-add -c
 .D1 No   ... prompt for pass-phrase ...
 .D1 user@old$ logoff
 .D1 user@newclient$ ssh someserver
 .Pp
 now, if the new key is installed on the server, you'll be allowed in
 unprompted, whereas if you only have the old key(s) enabled, you'll be
 asked for confirmation, which is your cue to log back out and run
 .Pp
 .D1 user@newclient$ ssh-copy-id -i someserver
 .Pp
 The reason you might want to specify the -i option in this case is to
 ensure that the comment on the installed key is the one from the
 .Pa .pub
 file, rather than just the filename that was loaded into you agent.
 It also ensures that only the id you intended is installed, rather than
 all the keys that you have in your
 .Xr ssh-agent 1 .
 Of course, you can specify another id, or use the contents of the
 .Xr ssh-agent 1
 as you prefer.
 .Pp
 Having mentioned
 .Xr ssh-add 1 Ns 's
 .Fl c
 option, you might consider using this whenever using agent forwarding
 to avoid your key being hijacked, but it is much better to instead use
 .Xr ssh 1 Ns 's
 .Ar ProxyCommand
 and 
 .Fl W
 option,
 to bounce through remote servers while always doing direct end-to-end
 authentication. This way the middle hop(s) don't get access to your
 .Xr ssh-agent 1 .
 A web search for
 .Ql ssh proxycommand nc
 should prove enlightening (N.B. the modern approach is to use the
 .Fl W
 option, rather than
 .Xr nc 1 ) .
 .Sh "SEE ALSO"
 .Xr ssh 1 ,
 .Xr ssh-agent 1 ,
 .Xr sshd 8
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@ -13,7 +13,7 @@
 Summary:	OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:		openssh
-Version:	5.9p1
+Version:	7.3p1
 URL:		http://www.openssh.com/
 Release:	1
 Source0:	openssh-%{version}.tar.gz
@ -28,11 +28,9 @@ Provides:	ssh
 # (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
 # building prerequisites -- stuff for
 #   OpenSSL (openssl-devel),
 #   TCP Wrappers (tcpd-devel),
 #   and Gnome (glibdev, gtkdev, and gnlibsd)
 #
 BuildPrereq:	openssl
 BuildPrereq:	tcpd-devel
 BuildPrereq:	zlib-devel
 #BuildPrereq:	glibdev
 #BuildPrereq:	gtkdev
@ -140,7 +138,6 @@ CFLAGS="$RPM_OPT_FLAGS" \
 		--mandir=%{_mandir} \
 		--with-privsep-path=/var/lib/empty \
 		--with-pam \
 		--with-tcp-wrappers \
 		--libexecdir=%{_libdir}/ssh
 make
@ -205,7 +202,6 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0755,root,root) %{_bindir}/ssh-keygen
 %attr(0755,root,root) %{_bindir}/scp
 %attr(0755,root,root) %{_bindir}/ssh
 %attr(-,root,root) %{_bindir}/slogin
 %attr(0755,root,root) %{_bindir}/ssh-agent
 %attr(0755,root,root) %{_bindir}/ssh-add
 %attr(0755,root,root) %{_bindir}/ssh-keyscan
@ -217,7 +213,6 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0755,root,root) %{_libdir}/ssh/ssh-pkcs11-helper
 %attr(0644,root,root) %doc %{_mandir}/man1/scp.1*
 %attr(0644,root,root) %doc %{_mandir}/man1/sftp.1*
 %attr(-,root,root) %doc %{_mandir}/man1/slogin.1*
 %attr(0644,root,root) %doc %{_mandir}/man1/ssh.1*
 %attr(0644,root,root) %doc %{_mandir}/man1/ssh-add.1*
 %attr(0644,root,root) %doc %{_mandir}/man1/ssh-agent.1*
--- a/contrib/suse/rc.sshd
+++ b/contrib/suse/rc.sshd
@ -49,7 +49,7 @@ case "$1" in
 	## Start daemon with startproc(8). If this fails
 	## the echo return value is set appropriate.
-	startproc -f -p $SSHD_PIDFILE /usr/sbin/sshd $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE" 
+	startproc -f -p $SSHD_PIDFILE $SSHD_BIN $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE" 
 	# Remember status and be verbose
 	rc_status -v
@ -59,7 +59,7 @@ case "$1" in
 	## Stop daemon with killproc(8) and if this fails
 	## set echo the echo return value.
-	killproc -p $SSHD_PIDFILE -TERM /usr/sbin/sshd
+	killproc -p $SSHD_PIDFILE -TERM $SSHD_BIN
 	# Remember status and be verbose
 	rc_status -v
@ -87,7 +87,7 @@ case "$1" in
 	echo -n "Reload service sshd"
-	killproc -p $SSHD_PIDFILE -HUP /usr/sbin/sshd
+	killproc -p $SSHD_PIDFILE -HUP $SSHD_BIN
        rc_status -v
@ -103,7 +103,7 @@ case "$1" in
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running
-	checkproc -p $SSHD_PIDFILE /usr/sbin/sshd
+	checkproc -p $SSHD_PIDFILE $SSHD_BIN
 	rc_status -v
 	;;
--- a/contrib/win32/openssh/VSWithBuildTools.xml
+++ b/contrib/win32/openssh/VSWithBuildTools.xml
@ -0,0 +1,84 @@
 <?xml version="1.0" encoding="utf-8"?>
 <AdminDeploymentCustomizations xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/wix/2011/AdminDeployment">
    <BundleCustomizations TargetDir="C:\Program Files (x86)\Microsoft Visual Studio 14.0" NoCacheOnlyMode="default" NoWeb="default" NoRefresh="default" SuppressRefreshPrompt="default" Feed="default" />
    <SelectableItemCustomizations>
        <SelectableItemCustomization Id="VSUV3RTMV1" Hidden="no" Selected="yes" FriendlyName="Visual Studio 2015 Update 3" />
        <SelectableItemCustomization Id="MicroUpdateV3.1" Selected="yes" FriendlyName="Update for Microsoft Visual Studio 2015 (KB3165756)" />
        <SelectableItemCustomization Id="NativeLanguageSupport_VCV1" Hidden="no" Selected="yes" FriendlyName="Common Tools for Visual C++ 2015" />
        <SelectableItemCustomization Id="Win81SDK_HiddenV1" Hidden="no" Selected="yes" FriendlyName="Windows 8.1 SDK and Universal CRT SDK" />
        <SelectableItemCustomization Id="PythonToolsForVisualStudioV6" Hidden="no" Selected="no" FriendlyName="Python Tools for Visual Studio (June 2016)" />
        <SelectableItemCustomization Id="WebToolsV1" Hidden="no" Selected="no" FriendlyName="Microsoft Web Developer Tools" />
        <SelectableItemCustomization Id="Windows10_ToolsAndSDKV12" Hidden="no" Selected="yes" FriendlyName="Tools (1.4) and Windows 10 SDK (10.0.10586)" />
        <SelectableItemCustomization Id="Win10_EmulatorV2" Hidden="no" Selected="no" FriendlyName="Emulators for Windows 10 Mobile (10.0.10586)" />
        <SelectableItemCustomization Id="XamarinVSCoreV4" Hidden="no" Selected="no" FriendlyName="C#/.NET (Xamarin v4.1.0)" />
        <SelectableItemCustomization Id="XamarinPT_V1" Selected="no" FriendlyName="Xamarin Preparation Tool" />
        <SelectableItemCustomization Id="AndroidNDKV1" Hidden="no" Selected="no" FriendlyName="Android Native Development Kit (R10E, 32 bits)" />
        <SelectableItemCustomization Id="AndroidNDK_32_V1" Hidden="no" Selected="no" FriendlyName="Android Native Development Kit (R10E, 32 bits)" />
        <SelectableItemCustomization Id="AndroidSDKV1" Hidden="no" Selected="no" FriendlyName="Android SDK" />
        <SelectableItemCustomization Id="AndroidSDK_API1921V1" Hidden="no" Selected="no" FriendlyName="Android SDK Setup (API Level 19 and 21)" />
        <SelectableItemCustomization Id="AndroidSDK_API23V1" Hidden="no" Selected="no" FriendlyName="Android SDK Setup (API Level 23)" />
        <SelectableItemCustomization Id="JavaJDKV1" Hidden="no" Selected="no" FriendlyName="Java SE Development Kit (7.0.550.13)" />
        <SelectableItemCustomization Id="Node.jsV1" Hidden="no" Selected="no" FriendlyName="Joyent Node.js" />
        <SelectableItemCustomization Id="VSEmu_AndroidV1.0.60404.1" Hidden="no" Selected="no" FriendlyName="Microsoft Visual Studio Emulator for Android (April 2016)" />
        <SelectableItemCustomization Id="ToolsForWin81_WP80_WP81V1" Hidden="no" Selected="no" FriendlyName="Tools and Windows SDKs" />
        <SelectableItemCustomization Id="GitForWindowsx64V5" Hidden="no" Selected="yes" FriendlyName="Git for Windows" />
        <SelectableItemCustomization Id="GitForWindowsx86V5" Hidden="no" Selected="yes" FriendlyName="Git for Windows" />
        <SelectableItemCustomization Id="GitHubVSV1" Hidden="no" Selected="yes" FriendlyName="GitHub Extension for Visual Studio" />
        <SelectableItemCustomization Id="VS_SDK_GroupV5" Hidden="no" Selected="yes" FriendlyName="Visual Studio Extensibility Tools Update 3" />
        <SelectableItemCustomization Id="VS_SDK_Breadcrumb_GroupV5" Selected="yes" FriendlyName="Visual Studio Extensibility Tools Update 3" />
        <SelectableItemCustomization Id="Win10_VSToolsV12" Hidden="no" Selected="no" FriendlyName="Tools for Universal Windows Apps (1.4) and Windows 10 SDK (10.0.10586)" />
        <SelectableItemCustomization Id="Win10SDK_HiddenV3" Selected="yes" FriendlyName="Windows 10 SDK (10.0.10586)" />
        <SelectableItemCustomization Id="JavaScript_HiddenV1" Selected="no" FriendlyName="JavaScript Project System for Visual Studio" />
        <SelectableItemCustomization Id="JavaScript_HiddenV11" Selected="no" FriendlyName="JavaScript Project System for Visual Studio" />
        <SelectableItemCustomization Id="MDDJSDependencyHiddenV1" Selected="no" FriendlyName="MDDJSDependencyHidden" />
        <SelectableItemCustomization Id="AppInsightsToolsVisualStudioHiddenRTMV1" Selected="no" FriendlyName="Application Insights Tools" />
        <SelectableItemCustomization Id="AppInsightsToolsVisualStudioHiddenVSU3RTMV1" Selected="no" FriendlyName="Developer Analytics Tools v7.0.2" />
        <SelectableItemCustomization Id="BlissHidden" Selected="no" FriendlyName="BlissHidden" />
        <SelectableItemCustomization Id="HelpHidden" Selected="yes" FriendlyName="HelpHidden" />
        <SelectableItemCustomization Id="JavaScript" Selected="yes" FriendlyName="JavascriptHidden" />
        <SelectableItemCustomization Id="NetFX4Hidden" Selected="no" FriendlyName="NetFX4Hidden" />
        <SelectableItemCustomization Id="NetFX45Hidden" Selected="no" FriendlyName="NetFX45Hidden" />
        <SelectableItemCustomization Id="NetFX451MTPackHidden" Selected="no" FriendlyName="NetFX451MTPackHidden" />
        <SelectableItemCustomization Id="NetFX451MTPackCoreHidden" Selected="no" FriendlyName="NetFX451MTPackCoreHidden" />
        <SelectableItemCustomization Id="NetFX452MTPackHidden" Selected="no" FriendlyName="NetFX452MTPackHidden" />
        <SelectableItemCustomization Id="NetFX46MTPackHidden" Selected="no" FriendlyName="NetFX46MTPackHidden" />
        <SelectableItemCustomization Id="PortableDTPHidden" Selected="yes" FriendlyName="PortableDTPHidden" />
        <SelectableItemCustomization Id="PreEmptiveDotfuscatorHidden" Selected="no" FriendlyName="PreEmptiveDotfuscatorHidden" />
        <SelectableItemCustomization Id="PreEmptiveAnalyticsHidden" Selected="no" FriendlyName="PreEmptiveAnalyticsHidden" />
        <SelectableItemCustomization Id="ProfilerHidden" Selected="no" FriendlyName="ProfilerHidden" />
        <SelectableItemCustomization Id="RoslynLanguageServicesHidden" Selected="no" FriendlyName="RoslynLanguageServicesHidden" />
        <SelectableItemCustomization Id="SDKTools3Hidden" Selected="no" FriendlyName="SDKTools3Hidden" />
        <SelectableItemCustomization Id="SDKTools4Hidden" Selected="no" FriendlyName="SDKTools4Hidden" />
        <SelectableItemCustomization Id="WCFDataServicesHidden" Selected="no" FriendlyName="WCFDataServicesHidden" />
        <SelectableItemCustomization Id="VSUV1PreReqV1" Selected="no" FriendlyName="Visual Studio 2015 Update 1 Prerequisite" />
        <SelectableItemCustomization Id="MicroUpdateV3" Selected="no" FriendlyName="MicroUpdate 3.0 for Visual Studio 2015 Update 3" />
        <SelectableItemCustomization Id="NativeLanguageSupport_MFCV1" Hidden="no" Selected="no" FriendlyName="Microsoft Foundation Classes for C++" />
        <SelectableItemCustomization Id="NativeLanguageSupport_XPV1" Hidden="no" Selected="no" FriendlyName="Windows XP Support for C++" />
        <SelectableItemCustomization Id="FSharpV1" Hidden="no" Selected="no" FriendlyName="Visual F#" />
        <SelectableItemCustomization Id="ClickOnceV1" Hidden="no" Selected="no" FriendlyName="ClickOnce Publishing Tools" />
        <SelectableItemCustomization Id="SQLV1" Hidden="no" Selected="no" FriendlyName="Microsoft SQL Server Data Tools" />
        <SelectableItemCustomization Id="PowerShellToolsV1" Hidden="no" Selected="no" FriendlyName="PowerShell Tools for Visual Studio" />
        <SelectableItemCustomization Id="SilverLight_Developer_KitV1" Hidden="no" Selected="no" FriendlyName="Silverlight Development Kit" />
        <SelectableItemCustomization Id="Win10_EmulatorV1" Selected="no" FriendlyName="Emulators for Windows 10 Mobile (10.0.10240)" />
        <SelectableItemCustomization Id="MDDJSCoreV11" Hidden="no" Selected="no" FriendlyName="HTML/JavaScript (Apache Cordova) Update 10" />
        <SelectableItemCustomization Id="AndroidNDK11C_V1" Hidden="no" Selected="no" FriendlyName="Android Native Development Kit (R11C, 32 bits)" />
        <SelectableItemCustomization Id="AndroidNDK11C_32_V1" Hidden="no" Selected="no" FriendlyName="Android Native Development Kit (R11C, 32 bits)" />
        <SelectableItemCustomization Id="AndroidNDK11C_64_V1" Hidden="no" Selected="no" FriendlyName="Android Native Development Kit (R11C, 64 bits)" />
        <SelectableItemCustomization Id="AndroidNDK_64_V1" Hidden="no" Selected="no" FriendlyName="Android Native Development Kit (R10E, 64 bits)" />
        <SelectableItemCustomization Id="AndroidSDK_API22V1" Hidden="no" Selected="no" FriendlyName="Android SDK Setup (API Level 22)" />
        <SelectableItemCustomization Id="AntV1" Hidden="no" Selected="no" FriendlyName="Apache Ant (1.9.3)" />
        <SelectableItemCustomization Id="L_MDDCPlusPlus_iOS_V7" Hidden="no" Selected="no" FriendlyName="Visual C++ iOS Development (Update 3)" />
        <SelectableItemCustomization Id="L_MDDCPlusPlus_Android_V7" Hidden="no" Selected="no" FriendlyName="Visual C++ Android Development (Update 3)" />
        <SelectableItemCustomization Id="L_MDDCPlusPlus_ClangC2_V5" Hidden="no" Selected="no" FriendlyName="Clang with Microsoft CodeGen (May 2016)" />
        <SelectableItemCustomization Id="L_IncrediBuild_V1" Selected="no" FriendlyName="IncrediBuild" />
        <SelectableItemCustomization Id="WebSocket4NetV1" Hidden="no" Selected="no" FriendlyName="WebSocket4Net" />
        <SelectableItemCustomization Id="WindowsPhone81EmulatorsV1" Hidden="no" Selected="no" FriendlyName="Emulators for Windows Phone 8.1" />
        <SelectableItemCustomization Id="Win10SDK_HiddenV1" Hidden="no" Selected="no" FriendlyName="Windows 10 SDK (10.0.10240)" />
        <SelectableItemCustomization Id="Win10SDK_HiddenV2" Selected="no" FriendlyName="Windows 10 SDK (10.0.10586)" />
        <SelectableItemCustomization Id="Win10SDK_VisibleV1" Hidden="no" Selected="no" FriendlyName="Windows 10 SDK 10.0.10240" />
        <SelectableItemCustomization Id="UWPPatch_KB3073097_HiddenV3" Selected="no" FriendlyName="KB3073097" />
        <SelectableItemCustomization Id="AppInsightsToolsVSWinExpressHiddenVSU3RTMV1" Selected="no" FriendlyName="Developer Analytics Tools v7.0.2" />
        <SelectableItemCustomization Id="AppInsightsToolsVWDExpressHiddenVSU3RTMV1" Selected="no" FriendlyName="Developer Analytics Tools v7.0.2" />
    </SelectableItemCustomizations>
 </AdminDeploymentCustomizations>
--- a/contrib/win32/openssh/Win32-OpenSSH.sln
+++ b/contrib/win32/openssh/Win32-OpenSSH.sln
@ -67,13 +67,6 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "config", "config.vcxproj",
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ssh-lsa", "ssh-lsa.vcxproj", "{02FB3D98-6516-42C6-9762-98811A99960F}"
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "win32compatUnittests", "win32compatUnittests.vcxproj", "{780CAFE4-4BC5-407B-B3A6-71C4114826A7}"
 	ProjectSection(ProjectDependencies) = postProject
 		{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
 		{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
 		{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
 	EndProjectSection
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "win32iocompat", "win32iocompat.vcxproj", "{0D02F0F0-013B-4EE3-906D-86517F3822C0}"
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ssh-shellhost", "ssh-shellhost.vcxproj", "{C0AE8A30-E4FA-49CE-A2B5-0C072C77EC64}"
@ -104,6 +97,62 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "scp", "scp.vcxproj", "{29B9
 		{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
 	EndProjectSection
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-bitmap", "unittest-bitmap.vcxproj", "{D901596E-76C7-4608-9CFA-2B42A9FD7250}"
 	ProjectSection(ProjectDependencies) = postProject
 		{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
 		{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
 		{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
 		{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
 	EndProjectSection
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-kex", "unittest-kex.vcxproj", "{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}"
 	ProjectSection(ProjectDependencies) = postProject
 		{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
 		{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
 		{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
 		{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
 	EndProjectSection
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-sshbuf", "unittest-sshbuf.vcxproj", "{CD9740CE-C96E-49B3-823F-012E09D17806}"
 	ProjectSection(ProjectDependencies) = postProject
 		{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
 		{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
 		{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
 		{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
 	EndProjectSection
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-win32compat", "unittest-win32compat.vcxproj", "{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}"
 	ProjectSection(ProjectDependencies) = postProject
 		{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
 		{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
 		{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
 		{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
 	EndProjectSection
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-utf8", "unittest-utf8.vcxproj", "{114CAA59-46C0-4B87-BA86-C1946A68101D}"
 	ProjectSection(ProjectDependencies) = postProject
 		{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
 		{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
 		{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
 		{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
 	EndProjectSection
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-hostkeys", "unittest-hostkeys.vcxproj", "{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}"
 	ProjectSection(ProjectDependencies) = postProject
 		{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
 		{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
 		{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
 		{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
 	EndProjectSection
 EndProject
 Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unittest-sshkey", "unittest-sshkey.vcxproj", "{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}"
 	ProjectSection(ProjectDependencies) = postProject
 		{05E1115F-8529-46D0-AAAF-52A404CE79A7} = {05E1115F-8529-46D0-AAAF-52A404CE79A7}
 		{DD483F7D-C553-4740-BC1A-903805AD0174} = {DD483F7D-C553-4740-BC1A-903805AD0174}
 		{0D02F0F0-013B-4EE3-906D-86517F3822C0} = {0D02F0F0-013B-4EE3-906D-86517F3822C0}
 		{8660C2FE-9874-432D-B047-E042BB41DBE0} = {8660C2FE-9874-432D-B047-E042BB41DBE0}
 	EndProjectSection
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|x64 = Debug|x64
@ -192,14 +241,6 @@ Global
 		{02FB3D98-6516-42C6-9762-98811A99960F}.Release|x64.Build.0 = Release|x64
 		{02FB3D98-6516-42C6-9762-98811A99960F}.Release|x86.ActiveCfg = Release|Win32
 		{02FB3D98-6516-42C6-9762-98811A99960F}.Release|x86.Build.0 = Release|Win32
 		{780CAFE4-4BC5-407B-B3A6-71C4114826A7}.Debug|x64.ActiveCfg = Debug|x64
 		{780CAFE4-4BC5-407B-B3A6-71C4114826A7}.Debug|x64.Build.0 = Debug|x64
 		{780CAFE4-4BC5-407B-B3A6-71C4114826A7}.Debug|x86.ActiveCfg = Debug|Win32
 		{780CAFE4-4BC5-407B-B3A6-71C4114826A7}.Debug|x86.Build.0 = Debug|Win32
 		{780CAFE4-4BC5-407B-B3A6-71C4114826A7}.Release|x64.ActiveCfg = Release|x64
 		{780CAFE4-4BC5-407B-B3A6-71C4114826A7}.Release|x64.Build.0 = Release|x64
 		{780CAFE4-4BC5-407B-B3A6-71C4114826A7}.Release|x86.ActiveCfg = Release|Win32
 		{780CAFE4-4BC5-407B-B3A6-71C4114826A7}.Release|x86.Build.0 = Release|Win32
 		{0D02F0F0-013B-4EE3-906D-86517F3822C0}.Debug|x64.ActiveCfg = Debug|x64
 		{0D02F0F0-013B-4EE3-906D-86517F3822C0}.Debug|x64.Build.0 = Debug|x64
 		{0D02F0F0-013B-4EE3-906D-86517F3822C0}.Debug|x86.ActiveCfg = Debug|Win32
@ -240,6 +281,62 @@ Global
 		{29B98ADF-1285-49CE-BF6C-AA92C5D2FB24}.Release|x64.Build.0 = Release|x64
 		{29B98ADF-1285-49CE-BF6C-AA92C5D2FB24}.Release|x86.ActiveCfg = Release|Win32
 		{29B98ADF-1285-49CE-BF6C-AA92C5D2FB24}.Release|x86.Build.0 = Release|Win32
 		{D901596E-76C7-4608-9CFA-2B42A9FD7250}.Debug|x64.ActiveCfg = Debug|x64
 		{D901596E-76C7-4608-9CFA-2B42A9FD7250}.Debug|x64.Build.0 = Debug|x64
 		{D901596E-76C7-4608-9CFA-2B42A9FD7250}.Debug|x86.ActiveCfg = Debug|Win32
 		{D901596E-76C7-4608-9CFA-2B42A9FD7250}.Debug|x86.Build.0 = Debug|Win32
 		{D901596E-76C7-4608-9CFA-2B42A9FD7250}.Release|x64.ActiveCfg = Release|x64
 		{D901596E-76C7-4608-9CFA-2B42A9FD7250}.Release|x64.Build.0 = Release|x64
 		{D901596E-76C7-4608-9CFA-2B42A9FD7250}.Release|x86.ActiveCfg = Release|Win32
 		{D901596E-76C7-4608-9CFA-2B42A9FD7250}.Release|x86.Build.0 = Release|Win32
 		{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}.Debug|x64.ActiveCfg = Debug|x64
 		{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}.Debug|x64.Build.0 = Debug|x64
 		{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}.Debug|x86.ActiveCfg = Debug|Win32
 		{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}.Debug|x86.Build.0 = Debug|Win32
 		{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}.Release|x64.ActiveCfg = Release|x64
 		{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}.Release|x64.Build.0 = Release|x64
 		{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}.Release|x86.ActiveCfg = Release|Win32
 		{8EC56B06-5A9A-4D6D-804D-037FE26FD43E}.Release|x86.Build.0 = Release|Win32
 		{CD9740CE-C96E-49B3-823F-012E09D17806}.Debug|x64.ActiveCfg = Debug|x64
 		{CD9740CE-C96E-49B3-823F-012E09D17806}.Debug|x64.Build.0 = Debug|x64
 		{CD9740CE-C96E-49B3-823F-012E09D17806}.Debug|x86.ActiveCfg = Debug|Win32
 		{CD9740CE-C96E-49B3-823F-012E09D17806}.Debug|x86.Build.0 = Debug|Win32
 		{CD9740CE-C96E-49B3-823F-012E09D17806}.Release|x64.ActiveCfg = Release|x64
 		{CD9740CE-C96E-49B3-823F-012E09D17806}.Release|x64.Build.0 = Release|x64
 		{CD9740CE-C96E-49B3-823F-012E09D17806}.Release|x86.ActiveCfg = Release|Win32
 		{CD9740CE-C96E-49B3-823F-012E09D17806}.Release|x86.Build.0 = Release|Win32
 		{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}.Debug|x64.ActiveCfg = Debug|x64
 		{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}.Debug|x64.Build.0 = Debug|x64
 		{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}.Debug|x86.ActiveCfg = Debug|Win32
 		{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}.Debug|x86.Build.0 = Debug|Win32
 		{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}.Release|x64.ActiveCfg = Release|x64
 		{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}.Release|x64.Build.0 = Release|x64
 		{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}.Release|x86.ActiveCfg = Release|Win32
 		{BF295BA9-4BF8-43F8-8CBF-FAE84815466C}.Release|x86.Build.0 = Release|Win32
 		{114CAA59-46C0-4B87-BA86-C1946A68101D}.Debug|x64.ActiveCfg = Debug|x64
 		{114CAA59-46C0-4B87-BA86-C1946A68101D}.Debug|x64.Build.0 = Debug|x64
 		{114CAA59-46C0-4B87-BA86-C1946A68101D}.Debug|x86.ActiveCfg = Debug|Win32
 		{114CAA59-46C0-4B87-BA86-C1946A68101D}.Debug|x86.Build.0 = Debug|Win32
 		{114CAA59-46C0-4B87-BA86-C1946A68101D}.Release|x64.ActiveCfg = Release|x64
 		{114CAA59-46C0-4B87-BA86-C1946A68101D}.Release|x64.Build.0 = Release|x64
 		{114CAA59-46C0-4B87-BA86-C1946A68101D}.Release|x86.ActiveCfg = Release|Win32
 		{114CAA59-46C0-4B87-BA86-C1946A68101D}.Release|x86.Build.0 = Release|Win32
 		{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}.Debug|x64.ActiveCfg = Debug|x64
 		{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}.Debug|x64.Build.0 = Debug|x64
 		{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}.Debug|x86.ActiveCfg = Debug|Win32
 		{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}.Debug|x86.Build.0 = Debug|Win32
 		{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}.Release|x64.ActiveCfg = Release|x64
 		{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}.Release|x64.Build.0 = Release|x64
 		{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}.Release|x86.ActiveCfg = Release|Win32
 		{890C6129-286F-4CD8-8252-FB8D3B4E6E1B}.Release|x86.Build.0 = Release|Win32
 		{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}.Debug|x64.ActiveCfg = Debug|x64
 		{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}.Debug|x64.Build.0 = Debug|x64
 		{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}.Debug|x86.ActiveCfg = Debug|Win32
 		{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}.Debug|x86.Build.0 = Debug|Win32
 		{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}.Release|x64.ActiveCfg = Release|x64
 		{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}.Release|x64.Build.0 = Release|x64
 		{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}.Release|x86.ActiveCfg = Release|Win32
 		{FC568FF0-60F2-4B2E-AF62-FD392EDBA1B9}.Release|x86.Build.0 = Release|Win32
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
--- a/contrib/win32/openssh/appveyor.psm1
+++ b/contrib/win32/openssh/appveyor.psm1
@ -0,0 +1,619 @@
 $ErrorActionPreference = 'Stop'
 Import-Module $PSScriptRoot\build.psm1
 $repoRoot = Get-RepositoryRoot
 # Sets a build variable
 Function Set-BuildVariable
 {
    param(
        [Parameter(Mandatory=$true)]
        [string]
        $Name,
        [Parameter(Mandatory=$true)]
        [string]
        $Value
    )
    if($env:AppVeyor)
    {
        Set-AppveyorBuildVariable @PSBoundParameters
    }
    else 
    {
        Set-Item env:/$name -Value $Value
    }
 }
 # Emulates running all of AppVeyor but locally
 # should not be used on AppVeyor
 function Invoke-AppVeyorFull
 {
    param(
        [switch] $APPVEYOR_SCHEDULED_BUILD,
        [switch] $CleanRepo
    )
    if($CleanRepo)
    {
        Clear-PSRepo
    }
    if($env:APPVEYOR)
    {
        throw "This function is to simulate appveyor, but not to be run from appveyor!"
    }
    if($APPVEYOR_SCHEDULED_BUILD)
    {
        $env:APPVEYOR_SCHEDULED_BUILD = 'True'
    }
    try {        
        Invoke-AppVeyorBuild
        Install-OpenSSH
        Install-TestDependencies
        & "$env:ProgramFiles\PowerShell\6.0.0.12\powershell.exe" -Command {Import-Module $($repoRoot.FullName)\contrib\win32\openssh\AppVeyor.psm1;Run-OpenSSHTests -uploadResults}
        Run-OpenSSHTests
        Publish-Artifact        
    }
    finally {
        if($APPVEYOR_SCHEDULED_BUILD -and $env:APPVEYOR_SCHEDULED_BUILD)
        {
            Remove-Item env:APPVEYOR_SCHEDULED_BUILD
        }
    }
 }
 # Implements the AppVeyor 'build_script' step
 function Invoke-AppVeyorBuild
 {  
      Start-SSHBuild -Configuration Release -NativeHostArch x64 -Verbose
      Start-SSHBuild -Configuration Debug -NativeHostArch x64 -Verbose
      Start-SSHBuild -Configuration Release -NativeHostArch x86 -Verbose
      Start-SSHBuild -Configuration Debug -NativeHostArch x86 -Verbose
 }
 <#
    .Synopsis
    This function invokes msiexec.exe to install PSCore on the AppVeyor build machine
 #>
 function Invoke-MSIEXEC
 {
  [CmdletBinding()]  
  param(
    [Parameter(Mandatory=$true)]
    [string] $InstallFile
  )
    Write-Verbose "Installing $InstallFile..."
    $arguments = @(
    "/i"
    "`"$InstallFile`""
    "/qn"
    "/norestart"
    )
    $process = Start-Process -FilePath msiexec.exe -ArgumentList $arguments -Wait -PassThru
    if ($process.ExitCode -eq 0){
        Write-Output "$InstallFile has been successfully installed"
    }
    else {
        Write-Output  "installer exit code  $($process.ExitCode) for file  $($InstallFile)"
    }
  return $process.ExitCode
 }
 <#
    .Synopsis
    This function installs PSCore MSI on the AppVeyor build machine
 #>
 function Install-PSCoreFromGithub
 {
  $downloadLocation = Download-PSCoreMSI
  Write-Output "Installing PSCore ..."
  if(-not [string]::IsNullOrEmpty($downloadLocation))
  {
    $processExitCode = Invoke-MSIEXEC -InstallFile $downloadLocation
    Write-Output "Process exitcode: $processExitCode"
  }
 }
 <#
    .Synopsis
    Retuns MSI location for PSCore for Win10, Windows 8.1 and 2012 R2
 #>
 function Get-PSCoreMSIDownloadURL
 {
  $osversion = [String][Environment]::OSVersion.Version
  Write-Host "osversion:$osversion"
  if($osversion.StartsWith("6"))
  {
      if ($($env:PROCESSOR_ARCHITECTURE).Contains('64'))
      {
        return 'https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.12/PowerShell_6.0.0.12-alpha.12-win81-x64.msi'
      }
      else
      {
        return ''
      }
  }
  elseif ($osversion.Contains("10.0"))
  {
    if ($($env:PROCESSOR_ARCHITECTURE).Contains('64'))
      {
        return 'https://github.com/PowerShell/PowerShell/releases/download/v6.0.0-alpha.12/PowerShell_6.0.0.12-alpha.12-win10-x64.msi'
      }
      else
      {        
        return ''
      }
  }
 }
 <#
    .Synopsis
    This functions downloads MSI and returns the path where the file is downloaded.
 #>
 function Download-PSCoreMSI
 {
    $url = Get-PSCoreMSIDownloadURL
    if([string]::IsNullOrEmpty($url))
    {
        Write-Output "url is empty"
        return ''
    }
    $parsed = $url.Substring($url.LastIndexOf("/") + 1)
    if(-not (Test-path "$env:SystemDrive\PScore" -PathType Container))
    {
        New-Item -ItemType Directory -Force -Path "$env:SystemDrive\PScore" | out-null 
    }
    $downloadLocation = "$env:SystemDrive\PScore\$parsed"
    if(-not (Test-path $downloadLocation -PathType Leaf))
    {
        Invoke-WebRequest -Uri $url -OutFile $downloadLocation -ErrorVariable v
    }
    if ($v)
    {
        throw "Failed to download PSCore MSI package from $url"
    }
    else
    {
        return $downloadLocation
    }
 }
 <#
      .SYNOPSIS
      This function installs the tools required by our tests
      1) Pester for running the tests  
      2) sysinternals required by the tests on windows.    
  #>
 function Install-TestDependencies
 {
    [CmdletBinding()]
    param ()
    $isModuleAvailable = Get-Module 'Pester' -ListAvailable
    if (-not ($isModuleAvailable))
    {
      Write-Output 'Installing Pester...'
      choco install Pester -y --force
    }
    if ( -not (Test-Path "$env:ProgramData\chocolatey\lib\sysinternals\tools" ) ) {
        Write-Output "sysinternals not present. Installing sysinternals."
        choco install sysinternals -y            
    }
    Write-Output "Installing pscore..."
    Install-PSCoreFromGithub
 }
 <#
    .Synopsis
    Deploy all required files to a location and install the binaries
 #>
 function Install-OpenSSH
 {
    [CmdletBinding()]
    param
    (    
        [string] $OpenSSHDir = "$env:SystemDrive\OpenSSH",
        [ValidateSet('Debug', 'Release')]
        [string]$Configuration = "Debug",
        [ValidateSet('x86', 'x64', '')]
        [string]$NativeHostArch = ""
    )
    Build-Win32OpenSSHPackage @PSBoundParameters
    Push-Location $OpenSSHDir 
    &( "$OpenSSHDir\install-sshd.ps1")
    .\ssh-keygen.exe -A
    Start-Service ssh-agent
    &( "$OpenSSHDir\install-sshlsa.ps1")
    Set-Service sshd -StartupType Automatic 
    Set-Service ssh-agent -StartupType Automatic
    Start-Service sshd
    Pop-Location
 }
 <#
    .Synopsis
    uninstalled sshd and sshla
 #>
 function UnInstall-OpenSSH
 {
    [CmdletBinding()]
    param
    (    
        [string] $OpenSSHDir = "$env:SystemDrive\OpenSSH"
    )    
    Push-Location $OpenSSHDir
    Stop-Service sshd    
    &( "$OpenSSHDir\uninstall-sshd.ps1")
    &( "$OpenSSHDir\uninstall-sshlsa.ps1")
    Pop-Location
 }
 <#
    .Synopsis
    Deploy all required files to build a package and create zip file.
 #>
 function Build-Win32OpenSSHPackage
 {
    [CmdletBinding()]
    param
    (    
        [string] $OpenSSHDir = "$env:SystemDrive\OpenSSH",
        [ValidateSet('Debug', 'Release')]
        [string]$Configuration = "Debug",
        [ValidateSet('x86', 'x64', '')]
        [string]$NativeHostArch = ""
    )
    if (-not (Test-Path -Path $OpenSSHDir -PathType Container))
    {
        New-Item -Path $OpenSSHDir -ItemType Directory -Force -ErrorAction Stop
    }
    [string] $platform = $env:PROCESSOR_ARCHITECTURE
    if(-not [String]::IsNullOrEmpty($NativeHostArch))
    {
        $folderName = $NativeHostArch
        if($NativeHostArch -eq 'x86')
        {
            $folderName = "Win32"
        }
    }
    else
    {
        if($platform -ieq "AMD64")
        {
            $folderName = "x64"
        }
        else
        {
            $folderName = "Win32"
        }
    }
    [System.IO.DirectoryInfo] $repositoryRoot = Get-RepositoryRoot
    $sourceDir = Join-Path $repositoryRoot.FullName -ChildPath "bin\$folderName\$Configuration"
    Copy-Item -Path "$sourceDir\*" -Destination $OpenSSHDir -Include *.exe,*.dll -Exclude *unittest*.* -Force -ErrorAction Stop
    $sourceDir = Join-Path $repositoryRoot.FullName -ChildPath "contrib\win32\openssh"
    Copy-Item -Path "$sourceDir\*" -Destination $OpenSSHDir -Include *.ps1,sshd_config -Exclude AnalyzeCodeDiff.ps1 -Force -ErrorAction Stop    
    $packageName = "rktools.2003"
    $rktoolsPath = "${env:ProgramFiles(x86)}\Windows Resource Kits\Tools\ntrights.exe"
    if (-not (Test-Path -Path $rktoolsPath))
    {
        Write-Information -MessageData "$packageName not present. Installing $packageName."        
        choco install $packageName -y --force
    }
    Copy-Item -Path $rktoolsPath -Destination $OpenSSHDir -Force -ErrorAction Stop
    $packageFolder = $env:SystemDrive
    if ($env:APPVEYOR_BUILD_FOLDER)
    {
        $packageFolder = $env:APPVEYOR_BUILD_FOLDER
    }
    $package = "$packageFolder\Win32OpenSSH$Configuration$folderName.zip"
    $allPackage = "$packageFolder\Win32OpenSSH*.zip"
    if (Test-Path $allPackage)
    {
        Remove-Item -Path $allPackage -Force -ErrorAction SilentlyContinue
    }
    Add-Type -assemblyname System.IO.Compression.FileSystem
    [System.IO.Compression.ZipFile]::CreateFromDirectory($OpenSSHDir, $package)    
 }
 <#
    .Synopsis
    After build and test run completes, upload all artifacts from the build machine.
 #>
 function Deploy-OpenSSHTests
 {
    [CmdletBinding()]
    param
    (    
        [string] $OpenSSHTestDir = "$env:SystemDrive\OpenSSH",
        [ValidateSet('Debug', 'Release')]
        [string]$Configuration = "Debug",
        [ValidateSet('x86', 'x64', '')]
        [string]$NativeHostArch = ""
    )
    if (-not (Test-Path -Path $OpenSSHTestDir -PathType Container))
    {
        New-Item -Path $OpenSSHTestDir -ItemType Directory -Force -ErrorAction Stop
    }
    [string] $platform = $env:PROCESSOR_ARCHITECTURE
    if(-not [String]::IsNullOrEmpty($NativeHostArch))
    {
        $folderName = $NativeHostArch
        if($NativeHostArch -eq 'x86')
        {
            $folderName = "Win32"
        }
    }
    else
    {
        if($platform -ieq "AMD64")
        {
            $folderName = "x64"
        }
        else
        {
            $folderName = "Win32"
        }
    }
    [System.IO.DirectoryInfo] $repositoryRoot = Get-RepositoryRoot    
    $sourceDir = Join-Path $repositoryRoot.FullName -ChildPath "regress\pesterTests"
    Copy-Item -Path "$sourceDir\*" -Destination $OpenSSHTestDir -Include *.ps1,*.psm1 -Force -ErrorAction Stop
    $sourceDir = Join-Path $repositoryRoot.FullName -ChildPath "bin\$folderName\$Configuration"    
    Copy-Item -Path "$sourceDir\*" -Destination $OpenSSHTestDir -Exclude ssh-agent.exe, sshd.exe -Force -ErrorAction Stop
 }
 <#
    .Synopsis
    Adds a build log to the list of published artifacts.
    .Description
    If a build log exists, it is renamed to reflect the associated CLR runtime then added to the list of
    artifacts to publish.  If it doesn't exist, a warning is written and the file is skipped.
    The rename is needed since publishing overwrites the artifact if it already exists.
    .Parameter artifacts
    An array list to add the fully qualified build log path
    .Parameter buildLog
    The build log file produced by the build.    
 #>
 function Add-BuildLog
 {
    param
    (
        [ValidateNotNull()]
        [System.Collections.ArrayList] $artifacts,
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string] $buildLog
    )
    if (Test-Path -Path $buildLog)
    {
        Write-Output "Adding $buildLog to local artifacts"
        $null = $artifacts.Add($buildLog)
        Write-Output "Adding $buildLog to local artifacts- completed"
    }
    else
    {
        Write-Warning "Skip publishing build log. $buildLog does not exist"
    }
 }
 <#
    .Synopsis
    Publishes package build artifacts.    
    .Parameter artifacts
    An array list to add the fully qualified build log path
    .Parameter packageFile
    Path to the package
 #>
 function Add-Artifact
 {
    param
    (
        [ValidateNotNull()]
        [System.Collections.ArrayList] $artifacts,
        [string] $FileToAdd = "$env:SystemDrive\Win32OpenSSH*.zip"
    )    
    $files = Get-ChildItem -Path $FileToAdd -ErrorAction Ignore
    if ($files -ne $null)
    {
        $files | % {
            Write-Output "Adding $($_.FullName) to local artifacts"
            $null = $artifacts.Add($_.FullName) 
            Write-Output "Adding $($_.FullName) to local artifacts- completed"
         }
    }
    else
    {
        Write-Warning "Skip publishing package artifacts. $FileToAdd does not exist"
    }
 }
 <#
    .Synopsis
    After build and test run completes, upload all artifacts from the build machine.
 #>
 function Publish-Artifact
 {
    Write-Output "Publishing project artifacts"
    [System.Collections.ArrayList] $artifacts = [System.Collections.ArrayList]::new()
    $packageFolder = $env:SystemDrive
    if ($env:APPVEYOR_BUILD_FOLDER)
    {
        $packageFolder = $env:APPVEYOR_BUILD_FOLDER
    }
    Add-Artifact  -artifacts $artifacts -FileToAdd "$packageFolder\Win32OpenSSH*.zip"
    Add-Artifact  -artifacts $artifacts -FileToAdd "$packageFolder\OpenSSH\UnitTestResults.txt"
    # Get the build.log file for each build configuration    
    #Add-BuildLog -artifacts $artifacts -buildLog (Get-BuildLogFile -root $repoRoot.FullName -Configuration Release -NativeHostArch x86)
    #Add-BuildLog -artifacts $artifacts -buildLog (Get-BuildLogFile -root $repoRoot.FullName -Configuration Debug -NativeHostArch x86)
    #Add-BuildLog -artifacts $artifacts -buildLog (Get-BuildLogFile -root $repoRoot.FullName -Configuration Release -NativeHostArch x64)
    Add-BuildLog -artifacts $artifacts -buildLog (Get-BuildLogFile -root $repoRoot.FullName -Configuration Debug -NativeHostArch x64)
    foreach ($artifact in $artifacts)
    {
        Write-Output "Publishing $artifact as Appveyor artifact"
        # NOTE: attempt to publish subsequent artifacts even if the current one fails
        Push-AppveyorArtifact $artifact -ErrorAction "Continue"
    }
 }
 <#
    .Synopsis
    Run OpenSSH pester tests.
 #>
 function Run-OpenSSHPesterTest
 {
    param($testRoot, $outputXml) 
   # Discover all CI tests and run them.
    Push-Location $testRoot 
    Write-Output "Running OpenSSH Pester tests..."
    $testFolders = Get-ChildItem *.tests.ps1 -Recurse | ForEach-Object{ Split-Path $_.FullName} | Sort-Object -Unique 
    Invoke-Pester $testFolders -OutputFormat NUnitXml -OutputFile  $outputXml -Tag 'CI'
    Pop-Location
 }
 <#
    .Synopsis
    Run unit tests.
 #>
 function Run-OpenSSHUnitTest
 {
    param($testRoot, $unitTestOutputFile)
   # Discover all CI tests and run them.
    Push-Location $testRoot
    Write-Output "Running OpenSSH unit tests..."
    if (Test-Path $unitTestOutputFile)    
    {
        Remove-Item -Path $unitTestOutputFile -Force -ErrorAction SilentlyContinue
    }
    $unitTestFiles = Get-ChildItem -Path "$testRoot\unittest*.exe"
    $testFailed = $false
    if ($unitTestFiles -ne $null)
    {        
        $unitTestFiles | % {
            Write-Output "Running OpenSSH unit $($_.FullName)..."
            & $_.FullName >> $unitTestOutputFile
            $errorCode = $LASTEXITCODE
            if ($errorCode -ne 0)
            {
                $testFailed = $true
                Write-Output "$($_.FullName) test failed for OpenSSH.`nExitCode: $error"
            }
        }        
        if($testFailed)
        {
            throw "SSH unit tests failed" 
        }
    }
    Pop-Location
 }
 <#
      .Synopsis
      Runs the tests for this repo
      .Parameter testResultsFile
      The name of the xml file to write pester results.
      The default value is '.\testResults.xml'
      .Parameter uploadResults
      Uploads the tests results.      
      .Example
      .\RunTests.ps1 
      Runs the tests and creates the default 'testResults.xml'
      .Example
      .\RunTests.ps1 -uploadResults
      Runs the tests and creates teh default 'testResults.xml' and uploads it to appveyor.
  #>
 function Run-OpenSSHTests
 {  
  [CmdletBinding()]
  param
  (    
      [string] $testResultsFile = "$env:SystemDrive\OpenSSH\TestResults.xml",
      [string] $unitTestResultsFile = "$env:SystemDrive\OpenSSH\UnitTestResults.txt",
      [string] $testInstallFolder = "$env:SystemDrive\OpenSSH"      
  )  
  Deploy-OpenSSHTests -OpenSSHTestDir $testInstallFolder
  # Run all pester tests.
  Run-OpenSSHPesterTest -testRoot $testInstallFolder -outputXml $testResultsFile
  $xml = [xml](Get-Content -raw $testResultsFile) 
  if ([int]$xml.'test-results'.failures -gt 0) 
  { 
     throw "$($xml.'test-results'.failures) tests in regress\pesterTests failed" 
  }
  # Writing out warning when the $Error.Count is non-zero. Tests Should clean $Error after success.
  if ($Error.Count -gt 0) 
  { 
      $Error| Out-File "$env:SystemDrive\OpenSSH\TestError.txt" -Append
  }
  Run-OpenSSHUnitTest -testRoot $testInstallFolder -unitTestOutputFile $unitTestResultsFile
 }
 function Upload-OpenSSHTestResults
 {  
  [CmdletBinding()]
  param
  (    
      [string] $testResultsFile = "$env:SystemDrive\OpenSSH\TestResults.xml"
  )
  if ($env:APPVEYOR_JOB_ID)
  {
      (New-Object 'System.Net.WebClient').UploadFile("https://ci.appveyor.com/api/testresults/nunit/$($env:APPVEYOR_JOB_ID)", (Resolve-Path $testResultsFile))      
  }
 }
--- a/contrib/win32/openssh/build.psm1
+++ b/contrib/win32/openssh/build.psm1
@ -0,0 +1,383 @@
 Set-StrictMode -Version Latest
 [string] $script:platform = $env:PROCESSOR_ARCHITECTURE
 [string] $script:vcPath = $null
 [System.IO.DirectoryInfo] $script:OpenSSHRoot = $null
 [bool] $script:Verbose = $false
 [string] $script:BuildLogFile = $null
 <#
    Called by Write-BuildMsg to write to the build log, if it exists. 
 #>
 function Write-Log
 {
    param
    (
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string] $Message
    )
    # write it to the log file, if present.
    if (-not ([string]::IsNullOrEmpty($script:BuildLogFile)))
    {
        Add-Content -Path $script:BuildLogFile -Value $Message
    }  
 }
 <#
 .Synopsis
    Writes a build message.
 .Parameter Message
    The message to write.
 .Parameter AsInfo
    Writes a user message using Write-Information.
 .Parameter AsVerbose
    Writes a message using Write-Verbose and to the build log if -Verbose was specified to Start-DscBuild.
 .Parameter AsWarning
    Writes a message using Write-Warning and to the build log.
 .Parameter AsError
    Writes a message using Write-Error and to the build log.
 .Parameter Silent
    Writes the message only to the log.
 .Parameter ErrorAction
    Determines if the script is terminated when errors are written.
    This parameter is ignored when -Silent is specified.
 .Example
    Write-BuildMsg -AsInfo 'Starting the build'
    Writes an informational message to the log and to the user
 .Example
    Write-BuildMsg -AsError 'Terminating build' -Silent
    Writes an error message only to the log
 .Example
    Write-BuildMsg -AsError 'Terminating build' -ErrorAction Stop
    Writes an error message to the log and the user and terminates the build.
 .Example
    Write-BuildMsg -AsInfo 'Nuget is already installed' -Silent:(-not $script:Verbose)
    Writes an informational message to the log. If -Verbose was specified, also
    writes to message to the user.
 #>
 function Write-BuildMsg
 {
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string] $Message,
        [Parameter(ParameterSetName='Info')]
        [switch] $AsInfo,
        [Parameter(ParameterSetName='Verbose')]
        [switch] $AsVerbose,
        [Parameter(ParameterSetName='Warning')]
        [switch] $AsWarning,
        [Parameter(ParameterSetName='Error')]
        [switch] $AsError,
        [switch] $Silent
    )
    if ($AsVerbose)
    {
        if ($script:Verbose)
        {
            Write-Log -Message "VERBOSE: $message"
            if (-not $Silent)
            {
                Write-Verbose -Message $message -Verbose
            }
        }
        return
    }
    if ($AsInfo)
    {
        Write-Log -Message "INFO: $message"
        if (-not $Silent)
        {
            Write-Information -MessageData $message -InformationAction Continue
        }
        return
    }
    if ($AsWarning)
    {
        Write-Log -Message "WARNING: $message"
        if (-not $Silent)
        {
            Write-Warning -Message $message
        }
        return
    }
    if ($AsError)
    {
        Write-Log -Message "ERROR: $message"
        if (-not $Silent)
        {
            Write-Error -Message $message
        }
        return
    }
    # if we reached here, no output type switch was specified.
    Write-BuildMsg -AsError -ErrorAction Stop -Message 'Write-BuildMsg was called without selecting an output type.'
 }
 <#
 .Synopsis
    Verifies all tools and dependencies required for building Open SSH are installed on the machine.
 #>
 function Start-SSHBootstrap
 {
    Set-StrictMode -Version Latest
    Write-BuildMsg -AsInfo -Message "Checking tools and dependencies"
    $machinePath = [Environment]::GetEnvironmentVariable('Path', 'MACHINE')
    $newMachineEnvironmentPath = $machinePath
    # NOTE: Unless -Verbose is specified, most informational output will only go to the log file.
    [bool] $silent = -not $script:Verbose
    # Install chocolatey
    $chocolateyPath = "$env:AllUsersProfile\chocolatey\bin"
    if(Get-Command "choco" -ErrorAction SilentlyContinue)
    {
        Write-BuildMsg -AsVerbose -Message "Chocolatey is already installed. Skipping installation." -Silent:$silent
    }
    else
    {
        Write-BuildMsg -AsInfo -Message "Chocolatey not present. Installing chocolatey."
        Invoke-Expression ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))
        if (-not ($machinePath.ToLower().Contains($chocolateyPath.ToLower())))
        {
            Write-BuildMsg -AsVerbose -Message "Adding $chocolateyPath to Path environment variable"
            $newMachineEnvironmentPath += ";$chocolateyPath"
            $env:Path += ";$chocolateyPath"
        }
        else
        {
            Write-BuildMsg -AsVerbose -Message "$chocolateyPath already present in Path environment variable"
        }
    }
    # Add git\cmd to the path
    $gitCmdPath = "$env:ProgramFiles\git\cmd"
    if (-not ($machinePath.ToLower().Contains($gitCmdPath.ToLower())))
    {
        Write-BuildMsg -AsVerbose -Message "Adding $gitCmdPath to Path environment variable"
        $newMachineEnvironmentPath = "$gitCmdPath;$newMachineEnvironmentPath"
    }
    else
    {
        Write-BuildMsg -AsVerbose -Message "$gitCmdPath already present in Path environment variable" -Silent:$silent
    }
    $nativeMSBuildPath = "${env:ProgramFiles(x86)}\MSBuild\14.0\bin"
    if($script:platform -ieq "AMD64")
    {
        $nativeMSBuildPath += "\amd64"
    }
    if (-not ($machinePath.ToLower().Contains($nativeMSBuildPath.ToLower())))
    {
        Write-BuildMsg -AsVerbose -Message "Adding $nativeMSBuildPath to Path environment variable"
        $newMachineEnvironmentPath += ";$nativeMSBuildPath"
        $env:Path += ";$nativeMSBuildPath"
    }
    else
    {
        Write-BuildMsg -AsVerbose -Message "$nativeMSBuildPath already present in Path environment variable" -Silent:$silent
    }
    # Update machine environment path
    if ($newMachineEnvironmentPath -ne $machinePath)
    {
        [Environment]::SetEnvironmentVariable('Path', $newMachineEnvironmentPath, 'MACHINE')
    }
    # install nasm
    $packageName = "nasm"
    $nasmPath = "${env:ProgramFiles(x86)}\NASM"
    if (-not (Test-Path -Path $nasmPath -PathType Container))
    {
        Write-BuildMsg -AsInfo -Message "$packageName not present. Installing $packageName."        
        choco install $packageName -y --force  --execution-timeout 10000 
    }
    else
    {
        Write-BuildMsg -AsVerbose -Message "$packageName present. Skipping installation." -Silent:$silent
    }
    # Install Visual Studio 2015 Community
    $packageName = "VisualStudio2015Community"
    $VSPackageInstalled = Get-ItemProperty "HKLM:\software\WOW6432Node\Microsoft\VisualStudio\14.0\setup\vs" -ErrorAction SilentlyContinue
    if ($null -eq $VSPackageInstalled)
    {
        Write-BuildMsg -AsInfo -Message "$packageName not present. Installing $packageName." 
        $adminFilePath = "$script:OpenSSHRoot\contrib\win32\openssh\VSWithBuildTools.xml"
        choco install $packageName -packageParameters "--AdminFile $adminFilePath" -y --force  --execution-timeout 10000
    }
    else
    {
        Write-BuildMsg -AsVerbose -Message "$packageName present. Skipping installation." -Silent:$silent
    }
    # Install Windows 8.1 SDK
    $packageName = "windows-sdk-8.1"
    $sdkPath = "C:\Program Files (x86)\Windows Kits\8.1\bin\x86\register_app.vbs"
    if (-not (Test-Path -Path $sdkPath))
    {
        Write-BuildMsg -AsInfo  -Message "Windows 8.1 SDK not present. Installing $packageName."
        choco install $packageName -y --force
    }
    else
    {
        Write-BuildMsg -AsInfo -Message "$packageName present. Skipping installation." -Silent:$silent
    }
    # Require restarting PowerShell session
    if ($null -eq $VSPackageInstalled)
    {
        Write-Host "To apply changes, please close this PowerShell window, open a new one and call Start-SSHBuild or Start-DscBootstrap again." -ForegroundColor Black -BackgroundColor Yellow
        Write-Host -NoNewLine 'Press any key to close this PowerShell window...' -ForegroundColor Black -BackgroundColor Yellow
        $null = $Host.UI.RawUI.ReadKey('NoEcho,IncludeKeyDown')
        exit
    }
    # Ensure the VS C toolset is installed
    if ($null -eq $env:VS140COMNTOOLS)
    {
        Write-BuildMsg -AsError -ErrorAction Stop -Message "Cannot find Visual Studio 2015 Environment variable VS140COMNTOOlS"
    }
    $item = Get-Item(Join-Path -Path $env:VS140COMNTOOLS -ChildPath '../../vc')
    $script:vcPath = $item.FullName
    Write-BuildMsg -AsVerbose -Message "vcPath: $script:vcPath"
    if ((Test-Path -Path "$script:vcPath\vcvarsall.bat") -eq $false)
    {
        Write-BuildMsg -AsError -ErrorAction Stop -Message "Could not find Visual Studio vcvarsall.bat at" + $script:vcPath
    }
 }
 function Start-SSHBuild
 {
    [CmdletBinding(SupportsShouldProcess=$false)]    
    param
    (        
        [ValidateSet('x86', 'x64')]
        [string]$NativeHostArch = "x64",
        [ValidateSet('Debug', 'Release', '')]
        [string]$Configuration = "Debug"
    )
    Set-StrictMode -Version Latest
    $script:BuildLogFile = $null
    [System.IO.DirectoryInfo] $repositoryRoot = Get-RepositoryRoot
    # Get openssh-portable root    
    $script:OpenSSHRoot = Get-Item -Path $repositoryRoot.FullName
    if($PSBoundParameters.ContainsKey("Verbose"))
    {
        $script:Verbose =  ($PSBoundParameters['Verbose']).IsPresent
    }    
    $script:BuildLogFile = Get-BuildLogFile -root $repositoryRoot.FullName -Configuration $Configuration -NativeHostArch $NativeHostArch
    if (Test-Path -Path $script:BuildLogFile)
    {
        Remove-Item -Path $script:BuildLogFile
    }
    Write-BuildMsg -AsInfo -Message "Starting Open SSH build."
    Write-BuildMsg -AsInfo -Message "Build Log: $($script:BuildLogFile)"
    Start-SSHBootstrap
    $msbuildCmd = "msbuild.exe"
    $solutionFile = Get-SolutionFile -root $repositoryRoot.FullName
    $cmdMsg = @("${solutionFile}", "/p:Platform=${NativeHostArch}", "/p:Configuration=${Configuration}", "/fl", "/flp:LogFile=${script:BuildLogFile}`;Append`;Verbosity=diagnostic")
    Write-Information -MessageData $msbuildCmd
    Write-Information -MessageData $cmdMsg    
    & $msbuildCmd $cmdMsg
    $errorCode = $LASTEXITCODE
    if ($errorCode -ne 0)
    {
        Write-BuildMsg -AsError -ErrorAction Stop -Message "Build failed for OpenSSH.`nExitCode: $error"
    }
    Write-BuildMsg -AsVerbose -Message "Finished Open SSH build."
 }
 function Get-BuildLogFile
 {
    param
    (
        [Parameter(Mandatory=$true)]
        [ValidateNotNull()]
        [System.IO.DirectoryInfo] $root,
        [ValidateSet('x86', 'x64')]
        [string]$NativeHostArch = "x64",
        [ValidateSet('Debug', 'Release', '')]
        [string]$Configuration = "Debug"
    )    
    return Join-Path -Path $root -ChildPath "contrib\win32\openssh\OpenSSH$($Configuration)$($NativeHostArch).log"    
 }
 function Get-SolutionFile
 {
    param
    (
        [Parameter(Mandatory=$true)]
        [ValidateNotNull()]
        [System.IO.DirectoryInfo] $root        
    )    
    return Join-Path -Path $root -ChildPath "contrib\win32\openssh\Win32-OpenSSH.sln"    
 }
 <#
 .Synopsis
    Finds the root of the git repository
 .Outputs
    A System.IO.DirectoryInfo for the location of the root.
 .Inputs
    None
 .Notes
    FileNotFoundException is thrown if the current directory does not contain a CMakeLists.txt file.
 #>
 function Get-RepositoryRoot
 {
    Set-StrictMode -Version Latest
    $currentDir = (Get-Item -Path $PSCommandPath).Directory
    while ($null -ne $currentDir.Parent)
    {
        $path = Join-Path -Path $currentDir.FullName -ChildPath '.git'
        if (Test-Path -Path $path)
        {
            return $currentDir
        }
        $currentDir = $currentDir.Parent
    }
    throw new-object System.IO.DirectoryNotFoundException("Could not find the root of the GIT repository")
 }
 Export-ModuleMember -Function Start-SSHBuild, Get-RepositoryRoot, Get-BuildLogFile
--- a/contrib/win32/openssh/config.h.vs
+++ b/contrib/win32/openssh/config.h.vs
@ -218,7 +218,8 @@
 /* #undef HAVE_B64_PTON */
 /* Define if you have the basename function. */
-#define HAVE_BASENAME 1
+/* For Windows, this is defined in dirent.h, but that header is not included in sftp.c */
 /* #define HAVE_BASENAME */
 /* Define to 1 if you have the `bcopy' function. */
 /* #undef HAVE_BCOPY */
@ -336,7 +337,7 @@
 /* #undef HAVE_DIRFD */
 /* Define to 1 if you have the `dirname' function. */
-#define HAVE_DIRNAME 1
+/* #define HAVE_DIRNAME 1 */
 /* Define to 1 if you have the `DSA_generate_parameters_ex' function. */
 #define HAVE_DSA_GENERATE_PARAMETERS_EX 1
@ -770,7 +771,7 @@
 /* #undef HAVE_READPASSPHRASE_H */
 /* Define to 1 if you have the `realpath' function. */
-#define HAVE_REALPATH 1
+/* #define HAVE_REALPATH 1 */
 /* Define to 1 if you have the `recvmsg' function. */
 /* #undef HAVE_RECVMSG */
@ -1642,13 +1643,12 @@
 #undef HAVE_SYS_SYSMACROS_H
 #undef HAVE_SYS_MMAN_H
 #undef HAVE_SYS_UN_H
 #define _STRUCT_WINSIZE 1
 #define HAVE_TCGETPGRP 1
 #undef HAVE_TIME
 #define HAVE_TRUNCATE 1
 #define HAVE_VIS_H 1
 #define MISSING_FD_MASK 1
@ -1680,14 +1680,6 @@
 #define WIN32_ZLIB_NO 1
 #define USE_MSCNG 1
 #ifndef ssize_t
 #ifdef _WIN64
 typedef __int64		 ssize_t;
 #else
 typedef long ssize_t;
 #endif
 #endif
 #define HAVE_STRTOULL 1
 #define HAVE_USLEEP 1
@ -1704,11 +1696,10 @@ typedef long ssize_t;
 //#define SHUT_WR		   1
 //#define SHUT_RD        0
 #define HAVE_EXPLICIT_BZERO
 #define WIN32_ZLIB_NO 1
-
+#define HAVE_MBTOWC 1
 #include <signal.h>
 #include <io.h>
@ -1724,6 +1715,10 @@ typedef long ssize_t;
 // works remotely over SSH like they operate in a local machine
 //#define WIN32_PRAGMA_REMCON
 #define umac128_new umac_new
 #define umac128_update umac_update 
 #define umac_final umac128_final
 #define umac_delete umac128_delete
 #define HAVE_MBLEN 1
--- a/contrib/win32/openssh/keygen.vcxproj
+++ b/contrib/win32/openssh/keygen.vcxproj
@ -150,7 +150,7 @@
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
-      <GenerateDebugInformation>No</GenerateDebugInformation>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
      <AdditionalDependencies>win32iocompat.lib;bcrypt.lib;Netapi32.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
@ -173,7 +173,7 @@
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
-      <GenerateDebugInformation>No</GenerateDebugInformation>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
      <AdditionalDependencies>win32iocompat.lib;bcrypt.lib;Netapi32.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
@ -183,6 +183,7 @@
  </ItemDefinitionGroup>
  <ItemGroup>
    <ClCompile Include="$(OpenSSH-Src-Path)ssh-keygen.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\wmain_common.c" />
  </ItemGroup>
  <ItemGroup>
    <ResourceCompile Include="version.rc" />
--- a/contrib/win32/openssh/keygen.vcxproj.filters
+++ b/contrib/win32/openssh/keygen.vcxproj.filters
@ -18,6 +18,9 @@
    <ClCompile Include="$(OpenSSH-Src-Path)ssh-keygen.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\wmain_common.c">
      <Filter>Source Files</Filter>
    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ResourceCompile Include="version.rc">
--- a/contrib/win32/openssh/libssh.vcxproj
+++ b/contrib/win32/openssh/libssh.vcxproj
@ -190,8 +190,12 @@
    <ClCompile Include="$(OpenSSH-Src-Path)compat.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)crc32.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)deattack.c" />
-    <ClCompile Include="$(OpenSSH-Src-Path)dh.c" />
+    <ClCompile Include="$(OpenSSH-Src-Path)dh.c">
-    <ClCompile Include="$(OpenSSH-Src-Path)digest-libc.c" />
+		<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)digest-libc.c">
 		<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)dispatch.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)dns.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)ed25519.c" />
@ -203,19 +207,34 @@
    <ClCompile Include="$(OpenSSH-Src-Path)hash.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)hmac.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)hostfile.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)jpake.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)kex.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)kexc25519.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)kexc25519c.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)kexc25519s.c" />
-    <ClCompile Include="$(OpenSSH-Src-Path)kexdh.c" />
+    <ClCompile Include="$(OpenSSH-Src-Path)kexdh.c">
-    <ClCompile Include="$(OpenSSH-Src-Path)kexdhc.c" />
+		<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
-    <ClCompile Include="$(OpenSSH-Src-Path)kexdhs.c" />
+    </ClCompile>
-    <ClCompile Include="$(OpenSSH-Src-Path)kexecdh.c" />
+    <ClCompile Include="$(OpenSSH-Src-Path)kexdhc.c">
-    <ClCompile Include="$(OpenSSH-Src-Path)kexecdhc.c" />
+		<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
-    <ClCompile Include="$(OpenSSH-Src-Path)kexecdhs.c" />
+    </ClCompile>
-    <ClCompile Include="$(OpenSSH-Src-Path)kexgex.c" />
+    <ClCompile Include="$(OpenSSH-Src-Path)kexdhs.c">
-    <ClCompile Include="$(OpenSSH-Src-Path)kexgexc.c" />
+		<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)kexecdh.c">
 		<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)kexecdhc.c">
 		<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)kexecdhs.c">
 		<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)kexgex.c">
 		<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)kexgexc.c">
 		<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)key.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)krl.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)log.c" />
@ -233,15 +252,22 @@
    <ClCompile Include="$(OpenSSH-Src-Path)progressmeter.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)readpass.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)rijndael.c" />
-    <ClCompile Include="$(OpenSSH-Src-Path)rsa.c" />
+    <ClCompile Include="$(OpenSSH-Src-Path)rsa.c">
 		<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)sc25519.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)schnorr.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)smult_curve25519_ref.c" />
-    <ClCompile Include="$(OpenSSH-Src-Path)ssh-dss.c" />
+    <ClCompile Include="$(OpenSSH-Src-Path)ssh-dss.c">
-    <ClCompile Include="$(OpenSSH-Src-Path)ssh-ecdsa.c" />
+		<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)ssh-ecdsa.c">
 		<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)ssh-ed25519.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)ssh-pkcs11.c" />
-    <ClCompile Include="$(OpenSSH-Src-Path)ssh-rsa.c" />
+    <ClCompile Include="$(OpenSSH-Src-Path)ssh-rsa.c">
 		<ExcludedFromBuild Condition="$(UseOpenSSL)==false">true</ExcludedFromBuild>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)sshbuf-getput-basic.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)sshbuf-getput-crypto.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)sshbuf-misc.c" />
@ -252,20 +278,13 @@
    <ClCompile Include="$(OpenSSH-Src-Path)ttymodes.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)uidswap.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)umac.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)umac128.c">
      <PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">UMAC_OUTPUT_LEN=16;umac_new=umac128_new;umac_update=umac128_update;umac_final=umac128_final;umac_delete=umac128_delete;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">UMAC_OUTPUT_LEN=16;umac_new=umac128_new;umac_update=umac128_update;umac_final=umac128_final;umac_delete=umac128_delete;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">UMAC_OUTPUT_LEN=16;umac_new=umac128_new;umac_update=umac128_update;umac_final=umac128_final;umac_delete=umac128_delete;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Release|x64'">UMAC_OUTPUT_LEN=16;umac_new=umac128_new;umac_update=umac128_update;umac_final=umac128_final;umac_delete=umac128_delete;%(PreprocessorDefinitions)</PreprocessorDefinitions>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)uuencode.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)verify.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)xmalloc.c" />
-    <ClCompile Include="$(OpenSSH-Src-Path)openssl-bn.c" />
+    <ClCompile Include="..\..\..\platform-pledge.c" />
-    <ClCompile Include="$(OpenSSH-Src-Path)openssl-dh.c">
+    <ClCompile Include="..\..\..\platform-tracing.c" />
-      <ExcludedFromBuild Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">true</ExcludedFromBuild>
+    <ClCompile Include="..\..\..\platform.c" />
-    </ClCompile>
+    <ClCompile Include="..\..\..\sandbox-pledge.c" />
    <ClCompile Include="..\..\..\openssl-epoint.c" />
    <ClCompile Include="..\..\..\utf8.c" />
  </ItemGroup>
  <ItemGroup>
--- a/contrib/win32/openssh/libssh.vcxproj.filters
+++ b/contrib/win32/openssh/libssh.vcxproj.filters
@ -126,9 +126,6 @@
    <ClCompile Include="$(OpenSSH-Src-Path)hostfile.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)jpake.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)kex.c">
      <Filter>Source Files</Filter>
    </ClCompile>
@ -222,9 +219,6 @@
    <ClCompile Include="$(OpenSSH-Src-Path)sc25519.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)schnorr.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)smult_curve25519_ref.c">
      <Filter>Source Files</Filter>
    </ClCompile>
@ -273,9 +267,6 @@
    <ClCompile Include="$(OpenSSH-Src-Path)umac.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)umac128.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)uuencode.c">
      <Filter>Source Files</Filter>
    </ClCompile>
@ -285,16 +276,22 @@
    <ClCompile Include="$(OpenSSH-Src-Path)xmalloc.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)openssl-bn.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)openssl-dh.c">
      <Filter>Source Files</Filter>
    </ClCompile>
-    <ClCompile Include="..\..\..\openssl-epoint.c">
+    <ClCompile Include="..\..\..\utf8.c">
      <Filter>Source Files</Filter>
    </ClCompile>
-    <ClCompile Include="..\..\..\utf8.c">
+    <ClCompile Include="..\..\..\platform-pledge.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="..\..\..\sandbox-pledge.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="..\..\..\platform.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="..\..\..\platform-tracing.c">
      <Filter>Source Files</Filter>
    </ClCompile>
  </ItemGroup>
--- a/contrib/win32/openssh/openbsd_compat.vcxproj
+++ b/contrib/win32/openssh/openbsd_compat.vcxproj
@ -26,7 +26,6 @@
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bcrypt_pbkdf.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bindresvport.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\blowfish.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bsd-arc4random.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bsd-asprintf.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bsd-closefrom.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bsd-cray.c" />
@ -47,7 +46,6 @@
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\fmt_scaled.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\getcwd.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\getgrouplist.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\getopt.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\getopt_long.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\getrrsetbyname-ldns.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\inet_aton.c" />
@ -73,7 +71,6 @@
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strlcat.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strlcpy.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strmode.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strnlen.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strptime.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strsep.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strtoll.c" />
@ -84,6 +81,7 @@
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\vis.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\xcrypt.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\xmmap.c" />
    <ClCompile Include="..\..\..\openbsd-compat\glob.c" />
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="$(OpenSSH-Src-Path)openbsd-compat\base64.h" />
--- a/contrib/win32/openssh/openbsd_compat.vcxproj.filters
+++ b/contrib/win32/openssh/openbsd_compat.vcxproj.filters
@ -33,9 +33,6 @@
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\blowfish.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bsd-arc4random.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\bsd-asprintf.c">
      <Filter>Source Files</Filter>
    </ClCompile>
@ -96,9 +93,6 @@
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\getgrouplist.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\getopt.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\getopt_long.c">
      <Filter>Source Files</Filter>
    </ClCompile>
@ -174,9 +168,6 @@
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strmode.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strnlen.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\strptime.c">
      <Filter>Source Files</Filter>
    </ClCompile>
@ -207,6 +198,9 @@
    <ClCompile Include="$(OpenSSH-Src-Path)openbsd-compat\xmmap.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="..\..\..\openbsd-compat\glob.c">
      <Filter>Source Files</Filter>
    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="$(OpenSSH-Src-Path)openbsd-compat\base64.h">
--- a/contrib/win32/openssh/paths.targets
+++ b/contrib/win32/openssh/paths.targets
@ -4,10 +4,11 @@
    <OpenSSH-Src-Path>$(SolutionDir)..\..\..\</OpenSSH-Src-Path> 
    <OpenSSH-Bin-Path>$(SolutionDir)..\..\..\bin\</OpenSSH-Bin-Path>
    <OpenSSH-Lib-Path>$(SolutionDir)lib\</OpenSSH-Lib-Path>
-    <OpenSSL-Path>$(SolutionDir)..\..\..\..\OpenSSL\1.0.2d\VS2015\</OpenSSL-Path>
+    <OpenSSL-Path>$(SolutionDir)\OpenSSLSDK\1.0.2d</OpenSSL-Path>
-    <OpenSSL-Win32-Release-Path>$(SolutionDir)..\..\..\..\OpenSSL\1.0.2d\VS2015\Win32\Release\</OpenSSL-Win32-Release-Path>
+    <OpenSSL-Win32-Release-Path>$(SolutionDir)\OpenSSLSDK\1.0.2d\Win32\Release\</OpenSSL-Win32-Release-Path>
-    <OpenSSL-Win32-Debug-Path>$(SolutionDir)..\..\..\..\OpenSSL\1.0.2d\VS2015\Win32\Debug\</OpenSSL-Win32-Debug-Path>
+    <OpenSSL-Win32-Debug-Path>$(SolutionDir)\OpenSSLSDK\1.0.2d\Win32\Debug\</OpenSSL-Win32-Debug-Path>
-    <OpenSSL-x64-Release-Path>$(SolutionDir)..\..\..\..\OpenSSL\1.0.2d\VS2015\x64\Release\</OpenSSL-x64-Release-Path>
+    <OpenSSL-x64-Release-Path>$(SolutionDir)\OpenSSLSDK\1.0.2d\x64\Release\</OpenSSL-x64-Release-Path>
-    <OpenSSL-x64-Debug-Path>$(SolutionDir)..\..\..\..\OpenSSL\1.0.2d\VS2015\x64\Debug\</OpenSSL-x64-Debug-Path>
+    <OpenSSL-x64-Debug-Path>$(SolutionDir)\OpenSSLSDK\1.0.2d\x64\Debug\</OpenSSL-x64-Debug-Path>
 	<!-- <UseOpenSSL>false</UseOpenSSL> -->
  </PropertyGroup>
 </Project>
--- a/contrib/win32/openssh/scp.vcxproj
+++ b/contrib/win32/openssh/scp.vcxproj
@ -21,7 +21,7 @@
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="$(OpenSSH-Src-Path)scp.c" />
-    <ClCompile Include="$(OpenSSH-Src-Path)win32_dirent.c" />
+    <ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\wmain_common.c" />
  </ItemGroup>
  <ItemGroup>
    <ResourceCompile Include="version.rc" />
@ -117,7 +117,6 @@
      <SubSystem>Console</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
      <AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-Win32-Debug-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
      <EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
    </Link>
@ -137,7 +136,6 @@
      <SubSystem>Console</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
      <AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-x64-Debug-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
      <EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
    </Link>
@ -157,11 +155,10 @@
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
-      <GenerateDebugInformation>No</GenerateDebugInformation>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
      <AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-Win32-Release-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
      <EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
    </Link>
@ -181,11 +178,10 @@
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
-      <GenerateDebugInformation>No</GenerateDebugInformation>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
      <AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-x64-Release-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
      <EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
    </Link>
--- a/contrib/win32/openssh/scp.vcxproj.filters
+++ b/contrib/win32/openssh/scp.vcxproj.filters
@ -18,7 +18,7 @@
    <ClCompile Include="$(OpenSSH-Src-Path)scp.c">
      <Filter>Source Files</Filter>
    </ClCompile>
-    <ClCompile Include="$(OpenSSH-Src-Path)win32_dirent.c">
+    <ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\wmain_common.c">
      <Filter>Source Files</Filter>
    </ClCompile>
  </ItemGroup>
--- a/contrib/win32/openssh/sftp-server.vcxproj
+++ b/contrib/win32/openssh/sftp-server.vcxproj
@ -23,7 +23,7 @@
    <ClCompile Include="$(OpenSSH-Src-Path)sftp-common.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)sftp-server-main.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)sftp-server.c" />
-    <ClCompile Include="$(OpenSSH-Src-Path)win32_dirent.c" />
+    <ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\wmain_common.c" />
  </ItemGroup>
  <ItemGroup>
    <ResourceCompile Include="version.rc" />
@ -120,7 +120,6 @@
      <SubSystem>Console</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
      <AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-Win32-Debug-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
      <EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
    </Link>
--- a/contrib/win32/openssh/sftp-server.vcxproj.filters
+++ b/contrib/win32/openssh/sftp-server.vcxproj.filters
@ -24,9 +24,6 @@
    <ClCompile Include="$(OpenSSH-Src-Path)sftp-server.c">
      <Filter>Source Files</Filter>
    </ClCompile>
    <ClCompile Include="$(OpenSSH-Src-Path)win32_dirent.c">
      <Filter>Source Files</Filter>
    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ResourceCompile Include="version.rc">
--- a/contrib/win32/openssh/sftp.vcxproj
+++ b/contrib/win32/openssh/sftp.vcxproj
@ -25,7 +25,7 @@
    <ClCompile Include="$(OpenSSH-Src-Path)sftp-common.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)sftp-glob.c" />
    <ClCompile Include="$(OpenSSH-Src-Path)sftp.c" />
-    <ClCompile Include="$(OpenSSH-Src-Path)win32_dirent.c" />
+    <ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\wmain_common.c" />
  </ItemGroup>
  <ItemGroup>
    <ResourceCompile Include="version.rc" />
@ -122,7 +122,6 @@
      <SubSystem>Console</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
      <AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-Win32-Debug-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
      <EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
    </Link>
@ -143,7 +142,6 @@
      <SubSystem>Console</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
      <AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-x64-Debug-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
      <EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
    </Link>
@ -163,11 +161,10 @@
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
-      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
      <AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-Win32-Release-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
      <EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
    </Link>
@ -187,11 +184,10 @@
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
-      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
      <AdditionalDependencies>Netapi32.lib;win32iocompat.lib;bcrypt.lib;Userenv.lib;Ws2_32.lib;Secur32.lib;Shlwapi.lib;openbsd_compat.lib;libssh.lib;win32compat.lib;libeay32.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies)</AdditionalDependencies>
      <AdditionalLibraryDirectories>$(OpenSSH-Lib-Path)$(Platform)\$(Configuration);$(OpenSSL-x64-Release-Path)lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
      <EntryPointSymbol>wmainCRTStartup</EntryPointSymbol>
    </Link>
--- a/contrib/win32/openssh/sftp.vcxproj.filters
+++ b/contrib/win32/openssh/sftp.vcxproj.filters
@ -30,7 +30,7 @@
    <ClCompile Include="$(OpenSSH-Src-Path)sftp.c">
      <Filter>Source Files</Filter>
    </ClCompile>
-    <ClCompile Include="$(OpenSSH-Src-Path)win32_dirent.c">
+    <ClCompile Include="$(OpenSSH-Src-Path)contrib\win32\win32compat\wmain_common.c">
      <Filter>Source Files</Filter>
    </ClCompile>
  </ItemGroup>
--- a/Show More
+++ b/Show More
`@ -257,4 +257,3 @@ buffer_put_bignum2_from_string(Buffer buffer, const u_char s, u_int l)`
	`fatal("%s: %s", __func__, ssh_err(ret));`	`fatal("%s: %s", __func__, ssh_err(ret));`
	`}`	`}`