Adding upstream version 1:9.2p1.upstream/1%9.2p1upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

34 files changed, 4950 insertions, 0 deletions

diff --git a/contrib/Makefile b/contrib/Makefile
new file mode 100644
index 0000000..45d878b
--- /dev/null
+++ b/contrib/Makefile
@@ -0,0 +1,22 @@
+PKG_CONFIG = pkg-config
+
+all:
+	@echo "Valid targets: gnome-ssh-askpass1 gnome-ssh-askpass2 gnome-ssk-askpass3"
+
+gnome-ssh-askpass1: gnome-ssh-askpass1.c
+	$(CC) $(CFLAGS) `gnome-config --cflags gnome gnomeui` \
+		gnome-ssh-askpass1.c -o gnome-ssh-askpass1 \
+		`gnome-config --libs gnome gnomeui`
+
+gnome-ssh-askpass2: gnome-ssh-askpass2.c
+	$(CC) $(CFLAGS) `$(PKG_CONFIG) --cflags gtk+-2.0` \
+		gnome-ssh-askpass2.c -o gnome-ssh-askpass2 \
+		`$(PKG_CONFIG) --libs gtk+-2.0 x11`
+
+gnome-ssh-askpass3: gnome-ssh-askpass3.c
+	$(CC) $(CFLAGS) `$(PKG_CONFIG) --cflags gtk+-3.0` \
+		gnome-ssh-askpass3.c -o gnome-ssh-askpass3 \
+		`$(PKG_CONFIG) --libs gtk+-3.0 x11`
+
+clean:
+	rm -f *.o gnome-ssh-askpass gnome-ssh-askpass[123]
diff --git a/contrib/README b/contrib/README
new file mode 100644
index 0000000..60e19ba
--- /dev/null
+++ b/contrib/README
@@ -0,0 +1,70 @@
+Other patches and addons for OpenSSH. Please send submissions to
+djm@mindrot.org
+
+Externally maintained
+---------------------
+
+SSH Proxy Command -- connect.c
+
+Shun-ichi GOTO <gotoh@imasy.or.jp> has written a very useful ProxyCommand
+which allows the use of outbound SSH from behind a SOCKS4, SOCKS5 or
+https CONNECT style proxy server. His page for connect.c has extensive
+documentation on its use as well as compiled versions for Win32.
+
+https://bitbucket.org/gotoh/connect/wiki/Home
+
+
+X11 SSH Askpass:
+
+Jim Knoble <jmknoble@pobox.com> has written an excellent X11
+passphrase requester. This is highly recommended:
+
+http://www.jmknoble.net/software/x11-ssh-askpass/
+
+
+In this directory
+-----------------
+
+ssh-copy-id:
+
+Phil Hands' <phil@hands.com> shell script to automate the process of adding
+your public key to a remote machine's ~/.ssh/authorized_keys file.
+
+gnome-ssh-askpass[12]:
+
+A GNOME and Gtk2 passphrase requesters. Use "make gnome-ssh-askpass1" or
+"make gnome-ssh-askpass2" to build.
+
+sshd.pam.generic:
+
+A generic PAM config file which may be useful on your system. YMMV
+
+sshd.pam.freebsd:
+
+A PAM config file which works with FreeBSD's PAM port. Contributed by
+Dominik Brettnacher <domi@saargate.de>
+
+findssl.sh:
+
+Search for all instances of OpenSSL headers and libraries and print their 
+versions.  This is intended to help diagnose OpenSSH's "OpenSSL headers do not
+match your library" errors. 
+
+aix:
+    Files to build an AIX native (installp or SMIT installable) package.
+
+caldera:
+    RPM spec file and scripts for building Caldera OpenLinuix packages
+
+cygwin:
+    Support files for Cygwin
+
+hpux:
+    Support files for HP-UX
+
+redhat:
+    RPM spec file and scripts for building Redhat packages
+
+suse:
+    RPM spec file and scripts for building SuSE packages
+
diff --git a/contrib/aix/README b/contrib/aix/README
new file mode 100644
index 0000000..1aa5919
--- /dev/null
+++ b/contrib/aix/README
@@ -0,0 +1,49 @@
+Overview:
+
+This directory contains files to build an AIX native (installp or SMIT
+installable) openssh package.
+
+
+Directions:
+
+(optional) create config.local in your build dir
+./configure [options]
+contrib/aix/buildbff.sh
+
+The file config.local or the environment is read to set the following options
+(default first):
+PERMIT_ROOT_LOGIN=[no|yes]
+X11_FORWARDING=[no|yes]
+AIX_SRC=[no|yes]
+
+Acknowledgements:
+
+The contents of this directory are based on Ben Lindstrom's Solaris
+buildpkg.sh. Ben also supplied inventory.sh.
+
+Jim Abbey's (GPL'ed) lppbuild-2.1 was used to learn how to build .bff's
+and for comparison with the output from this script, however no code
+from lppbuild is included and it is not required for operation.
+
+SRC support based on examples provided by Sandor Sklar and Maarten Kreuger.
+PrivSep account handling fixes contributed by W. Earl Allen.
+
+
+Other notes:
+
+The script treats all packages as USR packages (not ROOT+USR when
+appropriate).  It seems to work, though......
+
+If there are any patches to this that have not yet been integrated they
+may be found at http://www.dtucker.net/openssh/.
+
+
+Disclaimer:
+
+It is hoped that it is useful but there is no warranty. If it breaks
+you get to keep both pieces.
+
+
+	- Darren Tucker (dtucker at zip dot com dot au)
+	  2002/03/01
+
diff --git a/contrib/aix/buildbff.sh b/contrib/aix/buildbff.sh
new file mode 100755
index 0000000..55113d9
--- /dev/null
+++ b/contrib/aix/buildbff.sh
@@ -0,0 +1,366 @@
+#!/bin/sh
+#
+# buildbff.sh: Create AIX SMIT-installable OpenSSH packages
+#
+# Author: Darren Tucker (dtucker at zip dot com dot au)
+# This file is placed in the public domain and comes with absolutely
+# no warranty.
+#
+# Based originally on Ben Lindstrom's buildpkg.sh for Solaris
+#
+
+#
+# Tunable configuration settings
+# 	create a "config.local" in your build directory or set
+#	environment variables to override these.
+#
+[ -z "$PERMIT_ROOT_LOGIN" ] && PERMIT_ROOT_LOGIN=no
+[ -z "$X11_FORWARDING" ] && X11_FORWARDING=no
+[ -z "$AIX_SRC" ] && AIX_SRC=no
+
+umask 022
+
+startdir=`pwd`
+
+perl -v >/dev/null || (echo perl required; exit 1)
+
+# Path to inventory.sh: same place as buildbff.sh
+if  echo $0 | egrep '^/'
+then
+	inventory=`dirname $0`/inventory.sh		# absolute path
+else
+	inventory=`pwd`/`dirname $0`/inventory.sh	# relative path
+fi
+
+#
+# We still support running from contrib/aix, but this is deprecated
+#
+if pwd | egrep 'contrib/aix$'
+then
+	echo "Changing directory to `pwd`/../.."
+	echo "Please run buildbff.sh from your build directory in future."
+	cd ../..
+	contribaix=1
+fi
+
+if [ ! -f Makefile ]
+then
+	echo "Makefile not found (did you run configure?)"
+	exit 1
+fi
+
+#
+# Directories used during build:
+# current dir = $objdir		directory you ran ./configure in.
+# $objdir/$PKGDIR/ 		directory package files are constructed in
+# $objdir/$PKGDIR/root/		package root ($FAKE_ROOT)
+#
+objdir=`pwd`
+PKGNAME=openssh
+PKGDIR=package
+
+#
+# Collect local configuration settings to override defaults
+#
+if [ -s ./config.local ]
+then
+	echo Reading local settings from config.local
+	. ./config.local
+fi
+
+#
+# Fill in some details from Makefile, like prefix and sysconfdir
+#	the eval also expands variables like sysconfdir=${prefix}/etc
+#	provided they are eval'ed in the correct order
+#
+for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir mansubdir sysconfdir piddir srcdir
+do
+	eval $confvar=`grep "^$confvar=" $objdir/Makefile | cut -d = -f 2`
+done
+
+#
+# Collect values of privsep user and privsep path
+#	currently only found in config.h
+#
+for confvar in SSH_PRIVSEP_USER PRIVSEP_PATH
+do
+	eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' $objdir/config.h`
+done
+
+# Set privsep defaults if not defined
+if [ -z "$SSH_PRIVSEP_USER" ]
+then
+	SSH_PRIVSEP_USER=sshd
+fi
+if [ -z "$PRIVSEP_PATH" ]
+then
+	PRIVSEP_PATH=/var/empty
+fi
+
+# Clean package build directory
+rm -rf $objdir/$PKGDIR
+FAKE_ROOT=$objdir/$PKGDIR/root
+mkdir -p $FAKE_ROOT
+
+# Start by faking root install
+echo "Faking root install..."
+cd $objdir
+make install-nokeys DESTDIR=$FAKE_ROOT
+
+if [ $? -gt 0 ]
+then
+	echo "Fake root install failed, stopping."
+	exit 1
+fi
+
+#
+# Copy informational files to include in package
+#
+cp $srcdir/LICENCE $objdir/$PKGDIR/
+cp $srcdir/README* $objdir/$PKGDIR/
+
+#
+# Extract common info requires for the 'info' part of the package.
+#	AIX requires 4-part version numbers
+#
+VERSION=`./ssh -V 2>&1 | cut -f 1 -d , | cut -f 2 -d _`
+MAJOR=`echo $VERSION | cut -f 1 -d p | cut -f 1 -d .`
+MINOR=`echo $VERSION | cut -f 1 -d p | cut -f 2 -d .`
+PATCH=`echo $VERSION | cut -f 1 -d p | cut -f 3 -d .`
+PORTABLE=`echo $VERSION | awk 'BEGIN{FS="p"}{print $2}'`
+[ "$PATCH" = "" ] && PATCH=0
+[ "$PORTABLE" = "" ] && PORTABLE=0
+BFFVERSION=`printf "%d.%d.%d.%d" $MAJOR $MINOR $PATCH $PORTABLE`
+
+echo "Building BFF for $PKGNAME $VERSION (package version $BFFVERSION)"
+
+#
+# Set ssh and sshd parameters as per config.local
+#
+if [ "${PERMIT_ROOT_LOGIN}" = no ]
+then
+	perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
+		$FAKE_ROOT/${sysconfdir}/sshd_config
+fi
+if [ "${X11_FORWARDING}" = yes ]
+then
+	perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
+		$FAKE_ROOT/${sysconfdir}/sshd_config
+fi
+
+
+# Rename config files; postinstall script will copy them if necessary
+for cfgfile in ssh_config sshd_config
+do
+	mv $FAKE_ROOT/$sysconfdir/$cfgfile $FAKE_ROOT/$sysconfdir/$cfgfile.default
+done
+
+#
+# Generate lpp control files.
+#	working dir is $FAKE_ROOT but files are generated in dir above
+#	and moved into place just before creation of .bff
+#
+cd $FAKE_ROOT
+echo Generating LPP control files
+find . ! -name . -print >../openssh.al
+$inventory >../openssh.inventory
+
+cat <<EOD >../openssh.copyright
+This software is distributed under a BSD-style license.
+For the full text of the license, see /usr/lpp/openssh/LICENCE
+EOD
+
+#
+# openssh.size file allows filesystem expansion as required
+# generate list of directories containing files
+# then calculate disk usage for each directory and store in openssh.size
+#
+files=`find . -type f -print`
+dirs=`for file in $files; do dirname $file; done | sort -u`
+for dir in $dirs
+do
+	du $dir
+done > ../openssh.size
+
+#
+# Create postinstall script
+#
+cat <<EOF >>../openssh.post_i
+#!/bin/sh
+
+echo Creating configs from defaults if necessary.
+for cfgfile in ssh_config sshd_config
+do
+	if [ ! -f $sysconfdir/\$cfgfile ]
+	then
+		echo "Creating \$cfgfile from default"
+		cp $sysconfdir/\$cfgfile.default $sysconfdir/\$cfgfile
+	else
+		echo "\$cfgfile already exists."
+	fi
+done
+echo
+
+# Create PrivilegeSeparation user and group if not present
+echo Checking for PrivilegeSeparation user and group.
+if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
+then
+	echo "PrivSep group $SSH_PRIVSEP_USER already exists."
+else
+	echo "Creating PrivSep group $SSH_PRIVSEP_USER."
+	mkgroup -A $SSH_PRIVSEP_USER
+fi
+
+# Create user if required
+if lsuser "$SSH_PRIVSEP_USER" >/dev/null
+then
+	echo "PrivSep user $SSH_PRIVSEP_USER already exists."
+else
+	echo "Creating PrivSep user $SSH_PRIVSEP_USER."
+	mkuser gecos='SSHD PrivSep User' login=false rlogin=false account_locked=true pgrp=$SSH_PRIVSEP_USER $SSH_PRIVSEP_USER
+fi
+
+if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null
+then
+	echo UsePrivilegeSeparation not enabled, privsep directory not required.
+else
+	# create chroot directory if required
+	if [ -d $PRIVSEP_PATH ]
+	then
+		echo "PrivSep chroot directory $PRIVSEP_PATH already exists."
+	else
+		echo "Creating PrivSep chroot directory $PRIVSEP_PATH."
+		mkdir $PRIVSEP_PATH
+		chown 0 $PRIVSEP_PATH
+		chgrp 0 $PRIVSEP_PATH
+		chmod 755 $PRIVSEP_PATH
+	fi
+fi
+echo
+
+# Generate keys unless they already exist
+echo Creating host keys if required.
+$bindir/ssh-keygen -A
+echo
+
+# Set startup command depending on SRC support
+if [ "$AIX_SRC" = "yes" ]
+then
+	echo Creating SRC sshd subsystem.
+	rmssys -s sshd 2>&1 >/dev/null
+	mkssys -s sshd -p "$sbindir/sshd" -a '-D' -u 0 -S -n 15 -f 9 -R -G tcpip
+	startupcmd="start $sbindir/sshd \\\"\\\$src_running\\\""
+	oldstartcmd="$sbindir/sshd"
+else
+	startupcmd="$sbindir/sshd"
+	oldstartcmd="start $sbindir/sshd \\\"$src_running\\\""
+fi
+
+# If migrating to or from SRC, change previous startup command
+# otherwise add to rc.tcpip
+if egrep "^\$oldstartcmd" /etc/rc.tcpip >/dev/null
+then
+	if sed "s|^\$oldstartcmd|\$startupcmd|g" /etc/rc.tcpip >/etc/rc.tcpip.new
+	then
+		chmod 0755 /etc/rc.tcpip.new
+		mv /etc/rc.tcpip /etc/rc.tcpip.old && \
+		mv /etc/rc.tcpip.new /etc/rc.tcpip
+	else
+		echo "Updating /etc/rc.tcpip failed, please check."
+	fi
+else
+	# Add to system startup if required
+	if grep "^\$startupcmd" /etc/rc.tcpip >/dev/null
+	then
+		echo "sshd found in rc.tcpip, not adding."
+	else
+		echo "Adding sshd to rc.tcpip"
+		echo >>/etc/rc.tcpip
+		echo "# Start sshd" >>/etc/rc.tcpip
+		echo "\$startupcmd" >>/etc/rc.tcpip
+	fi
+fi
+EOF
+
+#
+# Create liblpp.a and move control files into it
+#
+echo Creating liblpp.a
+(
+	cd ..
+	for i in openssh.al openssh.copyright openssh.inventory openssh.post_i openssh.size LICENCE README*
+	do
+		ar -r liblpp.a $i
+		rm $i
+	done
+)
+
+#
+# Create lpp_name
+#
+# This will end up looking something like:
+# 4 R I OpenSSH {
+# OpenSSH 3.0.2.1 1 N U en_US OpenSSH 3.0.2p1 Portable for AIX
+# [
+# %
+# /usr/local/bin 8073
+# /usr/local/etc 189
+# /usr/local/libexec 185
+# /usr/local/man/man1 145
+# /usr/local/man/man8 83
+# /usr/local/sbin 2105
+# /usr/local/share 3
+# %
+# ]
+# }
+
+echo Creating lpp_name
+cat <<EOF >../lpp_name
+4 R I $PKGNAME {
+$PKGNAME $BFFVERSION 1 N U en_US OpenSSH $VERSION Portable for AIX
+[
+%
+EOF
+
+for i in $bindir $sysconfdir $libexecdir $mandir/${mansubdir}1 $mandir/${mansubdir}8 $sbindir $datadir /usr/lpp/openssh
+do
+	# get size in 512 byte blocks
+	if [ -d $FAKE_ROOT/$i ]
+	then
+		size=`du $FAKE_ROOT/$i | awk '{print $1}'`
+		echo "$i $size" >>../lpp_name
+	fi
+done
+
+echo '%' >>../lpp_name
+echo ']' >>../lpp_name
+echo '}' >>../lpp_name
+
+#
+# Move pieces into place
+#
+mkdir -p usr/lpp/openssh
+mv ../liblpp.a usr/lpp/openssh
+mv ../lpp_name .
+
+#
+# Now invoke backup to create .bff file
+#	note: lpp_name needs to be the first file so we generate the
+#	file list on the fly and feed it to backup using -i
+#
+echo Creating $PKGNAME-$VERSION.bff with backup...
+rm -f $PKGNAME-$VERSION.bff
+(
+	echo "./lpp_name"
+	find . ! -name lpp_name -a ! -name . -print
+) | backup  -i -q -f ../$PKGNAME-$VERSION.bff $filelist
+
+#
+# Move package into final location and clean up
+#
+mv ../$PKGNAME-$VERSION.bff $startdir
+cd $startdir
+rm -rf $objdir/$PKGDIR
+
+echo $0: done.
+
diff --git a/contrib/aix/inventory.sh b/contrib/aix/inventory.sh
new file mode 100755
index 0000000..7d76f49
--- /dev/null
+++ b/contrib/aix/inventory.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+#
+# inventory.sh
+#
+# Originally written by Ben Lindstrom, modified by Darren Tucker to use perl
+# This file is placed into the public domain.
+#
+# This will produce an AIX package inventory file, which looks like:
+#
+# /usr/local/bin:
+#          class=apply,inventory,openssh
+#          owner=root
+#          group=system
+#          mode=755
+#          type=DIRECTORY
+# /usr/local/bin/slogin:
+#          class=apply,inventory,openssh
+#          owner=root
+#          group=system
+#          mode=777
+#          type=SYMLINK
+#          target=ssh
+# /usr/local/share/Ssh.bin:
+#          class=apply,inventory,openssh
+#          owner=root
+#          group=system
+#          mode=644
+#          type=FILE
+#          size=VOLATILE
+#          checksum=VOLATILE
+
+find . ! -name . -print | perl -ne '{
+	chomp;
+	if ( -l $_ ) {
+		($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=lstat;
+	} else {
+		($dev,$ino,$mod,$nl,$uid,$gid,$rdev,$sz,$at,$mt,$ct,$bsz,$blk)=stat;
+	}
+
+	# Start to display inventory information
+	$name = $_;
+	$name =~ s|^.||;	# Strip leading dot from path
+	print "$name:\n";
+	print "\tclass=apply,inventory,openssh\n";
+	print "\towner=root\n";
+	print "\tgroup=system\n";
+	printf "\tmode=%lo\n", $mod & 07777;	# Mask perm bits
+	
+	if ( -l $_ ) {
+		# Entry is SymLink
+		print "\ttype=SYMLINK\n";
+		printf "\ttarget=%s\n", readlink($_);
+	} elsif ( -f $_ ) {
+		# Entry is File
+		print "\ttype=FILE\n";
+		print "\tsize=$sz\n";
+		print "\tchecksum=VOLATILE\n";
+	} elsif ( -d $_ ) {
+		# Entry is Directory
+		print "\ttype=DIRECTORY\n";
+	}
+}'
diff --git a/contrib/aix/pam.conf b/contrib/aix/pam.conf
new file mode 100644
index 0000000..f1528b0
--- /dev/null
+++ b/contrib/aix/pam.conf
@@ -0,0 +1,20 @@
+#
+# PAM configuration file /etc/pam.conf
+# Example for OpenSSH on AIX 5.2
+#
+
+# Authentication Management
+sshd    auth            required        /usr/lib/security/pam_aix
+OTHER   auth            required        /usr/lib/security/pam_aix
+
+# Account Management
+sshd    account         required        /usr/lib/security/pam_aix
+OTHER   account         required        /usr/lib/security/pam_aix
+
+# Password Management
+sshd    password        required        /usr/lib/security/pam_aix
+OTHER   password        required        /usr/lib/security/pam_aix
+
+# Session Management
+sshd    session         required        /usr/lib/security/pam_aix
+OTHER   session         required        /usr/lib/security/pam_aix
diff --git a/contrib/cygwin/Makefile b/contrib/cygwin/Makefile
new file mode 100644
index 0000000..4b78cd9
--- /dev/null
+++ b/contrib/cygwin/Makefile
@@ -0,0 +1,78 @@
+srcdir=../..
+copyidsrcdir=..
+prefix=/usr
+exec_prefix=$(prefix)
+bindir=$(prefix)/bin
+datadir=$(prefix)/share
+mandir=$(datadir)/man
+docdir=$(datadir)/doc
+sshdocdir=$(docdir)/openssh
+cygdocdir=$(docdir)/Cygwin
+sysconfdir=/etc
+defaultsdir=$(sysconfdir)/defaults/etc
+inetdefdir=$(defaultsdir)/inetd.d
+PRIVSEP_PATH=/var/empty
+INSTALL=/usr/bin/install -c
+MKDIR_P=$(srcdir)/mkinstalldirs
+
+DESTDIR=
+
+all:
+	@echo
+	@echo "Use \`make cygwin-postinstall DESTDIR=[package directory]'"
+	@echo "Be sure having DESTDIR set correctly!"
+	@echo
+
+move-config-files: $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(sysconfdir)/sshd_config
+	$(MKDIR_P) $(DESTDIR)$(defaultsdir)
+	mv $(DESTDIR)$(sysconfdir)/ssh_config $(DESTDIR)$(defaultsdir)
+	mv $(DESTDIR)$(sysconfdir)/sshd_config $(DESTDIR)$(defaultsdir)
+
+remove-empty-dir:
+	rm -rf $(DESTDIR)$(PRIVSEP_PATH)
+
+install-inetd-config:
+	$(MKDIR_P) $(DESTDIR)$(inetdefdir)
+	$(INSTALL) -m 644 sshd-inetd  $(DESTDIR)$(inetdefdir)/sshd-inetd
+
+install-sshdoc:
+	$(MKDIR_P) $(DESTDIR)$(sshdocdir)
+	-$(INSTALL) -m 644 $(srcdir)/CREDITS $(DESTDIR)$(sshdocdir)/CREDITS
+	-$(INSTALL) -m 644 $(srcdir)/ChangeLog $(DESTDIR)$(sshdocdir)/ChangeLog
+	-$(INSTALL) -m 644 $(srcdir)/LICENCE $(DESTDIR)$(sshdocdir)/LICENCE
+	-$(INSTALL) -m 644 $(srcdir)/OVERVIEW $(DESTDIR)$(sshdocdir)/OVERVIEW
+	-$(INSTALL) -m 644 $(srcdir)/PROTOCOL $(DESTDIR)$(sshdocdir)/PROTOCOL
+	-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.agent $(DESTDIR)$(sshdocdir)/PROTOCOL.agent
+	-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.certkeys $(DESTDIR)$(sshdocdir)/PROTOCOL.certkeys
+	-$(INSTALL) -m 644 $(srcdir)/PROTOCOL.mux $(DESTDIR)$(sshdocdir)/PROTOCOL.mux
+	-$(INSTALL) -m 644 $(srcdir)/README $(DESTDIR)$(sshdocdir)/README
+	-$(INSTALL) -m 644 $(srcdir)/README.dns $(DESTDIR)$(sshdocdir)/README.dns
+	-$(INSTALL) -m 644 $(srcdir)/README.platform $(DESTDIR)$(sshdocdir)/README.platform
+	-$(INSTALL) -m 644 $(srcdir)/README.privsep $(DESTDIR)$(sshdocdir)/README.privsep
+	-$(INSTALL) -m 644 $(srcdir)/README.tun $(DESTDIR)$(sshdocdir)/README.tun
+	-$(INSTALL) -m 644 $(srcdir)/TODO $(DESTDIR)$(sshdocdir)/TODO
+
+install-cygwindoc: README
+	$(MKDIR_P) $(DESTDIR)$(cygdocdir)
+	$(INSTALL) -m 644 README $(DESTDIR)$(cygdocdir)/openssh.README
+
+install-doc: install-sshdoc install-cygwindoc
+
+install-scripts: ssh-host-config ssh-user-config
+	$(MKDIR_P) $(DESTDIR)$(bindir)
+	$(INSTALL) -m 755 ssh-host-config $(DESTDIR)$(bindir)/ssh-host-config
+	$(INSTALL) -m 755 ssh-user-config $(DESTDIR)$(bindir)/ssh-user-config
+
+install-copy-id: $(copyidsrcdir)/ssh-copy-id $(copyidsrcdir)/ssh-copy-id.1
+	$(INSTALL) -m 755 $(copyidsrcdir)/ssh-copy-id $(DESTDIR)$(bindir)/ssh-copy-id
+	$(INSTALL) -m 644 $(copyidsrcdir)/ssh-copy-id.1 $(DESTDIR)$(mandir)/man1/ssh-copy-id.1
+
+gzip-man-pages:
+	rm $(DESTDIR)$(mandir)/man1/slogin.1
+	gzip $(DESTDIR)$(mandir)/man1/*.1
+	gzip $(DESTDIR)$(mandir)/man5/*.5
+	gzip $(DESTDIR)$(mandir)/man8/*.8
+	cd $(DESTDIR)$(mandir)/man1 && ln -s ssh.1.gz slogin.1.gz
+
+cygwin-postinstall: move-config-files remove-empty-dir install-inetd-config install-doc install-scripts install-copy-id gzip-man-pages
+	@echo "Cygwin specific configuration finished."
diff --git a/contrib/cygwin/README b/contrib/cygwin/README
new file mode 100644
index 0000000..3745051
--- /dev/null
+++ b/contrib/cygwin/README
@@ -0,0 +1,91 @@
+This package describes important Cygwin specific stuff concerning OpenSSH.
+
+The binary package is usually built for recent Cygwin versions and might
+not run on older versions.  Please check http://cygwin.com/ for information
+about current Cygwin releases.
+
+==================
+Host configuration
+==================
+
+If you are installing OpenSSH the first time, you can generate global config
+files and server keys, as well as installing sshd as a service, by running
+
+   /usr/bin/ssh-host-config
+
+Note that this binary archive doesn't contain default config files in /etc.
+That files are only created if ssh-host-config is started.
+
+To support testing and unattended installation ssh-host-config got
+some options:
+
+usage: ssh-host-config [OPTION]...
+Options:
+    --debug  -d            Enable shell's debug output.
+    --yes    -y            Answer all questions with "yes" automatically.
+    --no     -n            Answer all questions with "no" automatically.
+    --cygwin -c <options>  Use "options" as value for CYGWIN environment var.
+    --name   -N <name>     sshd windows service name.
+    --port   -p <n>        sshd listens on port n.
+    --user   -u <account>  privileged user for service, default 'cyg_server'.
+    --pwd    -w <passwd>   Use "pwd" as password for privileged user.
+    --privileged           On Windows XP, require privileged user
+                           instead of LocalSystem for sshd service.
+
+Installing sshd as daemon via ssh-host-config is recommended.
+
+Alternatively you can start sshd via inetd, if you have the inetutils
+package installed.  Just run ssh-host-config, but answer "no" when asked
+to install sshd as service.  The ssh-host-config script also adds the
+required lines to /etc/inetd.conf and /etc/services.
+
+==================
+User configuration
+==================
+
+Any user can simplify creating the own private and public keys by running
+
+  /usr/bin/ssh-user-config
+
+To support testing and unattended installation ssh-user-config got
+some options as well:
+
+usage: ssh-user-config [OPTION]...
+Options:
+    --debug      -d        Enable shell's debug output.
+    --yes        -y        Answer all questions with "yes" automatically.
+    --no         -n        Answer all questions with "no" automatically.
+    --passphrase -p word   Use "word" as passphrase automatically.
+
+Please note that OpenSSH does never use the value of $HOME to
+search for the users configuration files! It always uses the
+value of the pw_dir field in /etc/passwd as the home directory.
+If no home directory is set in /etc/passwd, the root directory
+is used instead!
+
+================
+Building OpenSSH
+================
+
+Building from source is easy.  Just unpack the source archive, cd to that
+directory, and call cygport:
+
+	cygport openssh.cygport all
+
+You must have installed the following packages to be able to build OpenSSH
+with the aforementioned cygport script:
+
+  zlib
+  crypt
+  libssl-devel
+  libedit-devel
+  libkrb5-devel
+
+Please send requests, error reports etc. to cygwin@cygwin.com.
+
+
+Have fun,
+
+Corinna Vinschen
+Cygwin Developer
+Red Hat Inc.
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
new file mode 100644
index 0000000..a8572e2
--- /dev/null
+++ b/contrib/cygwin/ssh-host-config
@@ -0,0 +1,714 @@
+#!/bin/bash
+#
+# ssh-host-config, Copyright 2000-2014 Red Hat Inc.
+#
+# This file is part of the Cygwin port of OpenSSH.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS  
+# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF               
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.   
+# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,   
+# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR    
+# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR    
+# THE USE OR OTHER DEALINGS IN THE SOFTWARE.                               
+
+# ======================================================================
+# Initialization
+# ======================================================================
+
+CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
+
+# List of apps used.  This is checkad for existence in csih_sanity_check
+# Don't use *any* transient commands before sourcing the csih helper script,
+# otherwise the sanity checks are short-circuited.
+declare -a csih_required_commands=(
+  /usr/bin/basename coreutils
+  /usr/bin/cat coreutils
+  /usr/bin/chmod coreutils
+  /usr/bin/dirname coreutils
+  /usr/bin/id coreutils
+  /usr/bin/mv coreutils
+  /usr/bin/rm coreutils
+  /usr/bin/cygpath cygwin
+  /usr/bin/mkpasswd cygwin
+  /usr/bin/mount cygwin
+  /usr/bin/ps cygwin
+  /usr/bin/umount cygwin
+  /usr/bin/cmp diffutils
+  /usr/bin/grep grep
+  /usr/bin/awk gawk
+  /usr/bin/ssh-keygen openssh
+  /usr/sbin/sshd openssh
+  /usr/bin/sed sed
+)
+csih_sanity_check_server=yes
+source ${CSIH_SCRIPT}
+
+PROGNAME=$(/usr/bin/basename $0)
+_tdir=$(/usr/bin/dirname $0)
+PROGDIR=$(cd $_tdir && pwd)
+
+# Subdirectory where the new package is being installed
+PREFIX=/usr
+
+# Directory where the config files are stored
+SYSCONFDIR=/etc
+LOCALSTATEDIR=/var
+
+sshd_config_configured=no
+port_number=22
+service_name=cygsshd
+strictmodes=yes
+cygwin_value=""
+user_account=
+password_value=
+opt_force=no
+
+# ======================================================================
+# Routine: update_services_file
+# ======================================================================
+update_services_file() {
+  local _my_etcdir="/ssh-host-config.$$"
+  local _win_etcdir
+  local _services
+  local _spaces
+  local _serv_tmp
+  local _wservices
+  local ret=0
+
+  _win_etcdir="${SYSTEMROOT}\\system32\\drivers\\etc"
+  _services="${_my_etcdir}/services"
+  _spaces="                           #"
+  _serv_tmp="${_my_etcdir}/srv.out.$$"
+
+  /usr/bin/mount -o text,posix=0,noacl -f "${_win_etcdir}" "${_my_etcdir}"
+
+  # Depends on the above mount
+  _wservices=`cygpath -w "${_services}"`
+
+  # Add ssh 22/tcp  and ssh 22/udp to services
+  if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
+  then
+    if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
+    then
+      if /usr/bin/mv "${_serv_tmp}" "${_services}"
+      then
+	csih_inform "Added ssh to ${_wservices}"
+      else
+	csih_warning "Adding ssh to ${_wservices} failed!"
+	let ++ret
+      fi
+      /usr/bin/rm -f "${_serv_tmp}"
+    else
+      csih_warning "Adding ssh to ${_wservices} failed!"
+      let ++ret
+    fi
+  fi
+  /usr/bin/umount "${_my_etcdir}"
+  return $ret
+} # --- End of update_services_file --- #
+
+# ======================================================================
+# Routine: sshd_strictmodes
+#  MODIFIES: strictmodes
+# ======================================================================
+sshd_strictmodes() {
+  if [ "${sshd_config_configured}" != "yes" ]
+  then
+    echo
+    csih_inform "StrictModes is set to 'yes' by default."
+    csih_inform "This is the recommended setting, but it requires that the POSIX"
+    csih_inform "permissions of the user's home directory, the user's .ssh"
+    csih_inform "directory, and the user's ssh key files are tight so that"
+    csih_inform "only the user has write permissions."
+    csih_inform "On the other hand, StrictModes don't work well with default"
+    csih_inform "Windows permissions of a home directory mounted with the"
+    csih_inform "'noacl' option, and they don't work at all if the home"
+    csih_inform "directory is on a FAT or FAT32 partition."
+    if ! csih_request "Should StrictModes be used?"
+    then
+      strictmodes=no
+    fi
+  fi
+  return 0
+}
+
+# ======================================================================
+# Routine: sshd_privsep
+# Try to create ssshd user account
+# ======================================================================
+sshd_privsep() {
+  local ret=0
+
+  if [ "${sshd_config_configured}" != "yes" ]
+  then
+    if ! csih_create_unprivileged_user sshd
+    then
+      csih_error_recoverable "Could not create user 'sshd'!"
+      csih_error_recoverable "You will not be able to run an sshd service"
+      csih_error_recoverable "under a privileged account successfully."
+      csih_error_recoverable "Make sure to create a non-privileged user 'sshd'"
+      csih_error_recoverable "manually before trying to run the service!"
+      let ++ret
+    fi
+  fi
+  return $ret
+} # --- End of sshd_privsep --- #
+
+# ======================================================================
+# Routine: sshd_config_tweak
+# ======================================================================
+sshd_config_tweak() {
+  local ret=0
+
+  # Modify sshd_config
+  csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
+  if [ "${port_number}" -ne 22 ]
+  then
+    /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
+      ${SYSCONFDIR}/sshd_config
+    if [ $? -ne 0 ]
+    then
+      csih_warning "Setting listening port to ${port_number} failed!"
+      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+      let ++ret
+    fi
+  fi
+  if [ "${strictmodes}" = "no" ]
+  then
+    /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
+      ${SYSCONFDIR}/sshd_config
+    if [ $? -ne 0 ]
+    then
+      csih_warning "Setting StrictModes to 'no' failed!"
+      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+      let ++ret
+    fi
+  fi
+  return $ret
+} # --- End of sshd_config_tweak --- #
+
+# ======================================================================
+# Routine: update_inetd_conf
+# ======================================================================
+update_inetd_conf() {
+  local _inetcnf="${SYSCONFDIR}/inetd.conf"
+  local _inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$"
+  local _inetcnf_dir="${SYSCONFDIR}/inetd.d"
+  local _sshd_inetd_conf="${_inetcnf_dir}/sshd-inetd"
+  local _sshd_inetd_conf_tmp="${_inetcnf_dir}/sshd-inetd.$$"
+  local _with_comment=1
+  local ret=0
+
+  if [ -d "${_inetcnf_dir}" ]
+  then
+    # we have inetutils-1.5 inetd.d support
+    if [ -f "${_inetcnf}" ]
+    then
+      /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
+
+      # check for sshd OR ssh in top-level inetd.conf file, and remove
+      # will be replaced by a file in inetd.d/
+      if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
+      then
+	/usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
+	if [ -f "${_inetcnf_tmp}" ]
+	then
+	  if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
+	  then
+  	    csih_inform "Removed ssh[d] from ${_inetcnf}"
+	  else
+  	    csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
+	    let ++ret
+	  fi
+	  /usr/bin/rm -f "${_inetcnf_tmp}"
+	else
+	  csih_warning "Removing ssh[d] from ${_inetcnf} failed!"
+	  let ++ret
+	fi
+      fi
+    fi
+
+    csih_install_config "${_sshd_inetd_conf}"   "${SYSCONFDIR}/defaults"
+    if /usr/bin/cmp "${SYSCONFDIR}/defaults${_sshd_inetd_conf}" "${_sshd_inetd_conf}" >/dev/null 2>&1
+    then
+      if [ "${_with_comment}" -eq 0 ]
+      then
+	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+      else
+	/usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+      fi
+      if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
+      then
+	csih_inform "Updated ${_sshd_inetd_conf}"
+      else
+	csih_warning "Updating ${_sshd_inetd_conf} failed!"
+	let ++ret
+      fi
+    fi
+
+  elif [ -f "${_inetcnf}" ]
+  then
+    /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
+
+    # check for sshd in top-level inetd.conf file, and remove
+    # will be replaced by a file in inetd.d/
+    if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
+    then
+      /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
+      if [ -f "${_inetcnf_tmp}" ]
+      then
+	if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
+	then
+	    csih_inform "Removed sshd from ${_inetcnf}"
+	else
+	    csih_warning "Removing sshd from ${_inetcnf} failed!"
+	    let ++ret
+	fi
+	/usr/bin/rm -f "${_inetcnf_tmp}"
+      else
+	csih_warning "Removing sshd from ${_inetcnf} failed!"
+	let ++ret
+      fi
+    fi
+
+    # Add ssh line to inetd.conf
+    if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -ne 0 ]
+    then
+      if [ "${_with_comment}" -eq 0 ]
+      then
+	echo 'ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
+      else
+	echo '# ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i' >> "${_inetcnf}"
+      fi
+      if [ $? -eq 0 ]
+      then
+	csih_inform "Added ssh to ${_inetcnf}"
+      else
+	csih_warning "Adding ssh to ${_inetcnf} failed!"
+	let ++ret
+      fi
+    fi
+  fi
+  return $ret
+} # --- End of update_inetd_conf --- #
+
+# ======================================================================
+# Routine: check_service_files_ownership
+#   Checks that the files in /etc and /var belong to the right owner
+# ======================================================================
+check_service_files_ownership() {
+  local run_service_as=$1
+  local ret=0
+
+  if [ -z "${run_service_as}" ]
+  then
+    accnt_name=$(/usr/bin/cygrunsrv -VQ "${service_name}" |
+    		 /usr/bin/sed -ne 's/^Account *: *//gp')
+    if [ "${accnt_name}" = "LocalSystem" ]
+    then
+      # Convert "LocalSystem" to "SYSTEM" as is the correct account name
+      run_service_as="SYSTEM"
+    else
+      dom="${accnt_name%%\\*}"
+      accnt_name="${accnt_name#*\\}"
+      if [ "${dom}" = '.' ]
+      then
+	# Check local account
+	run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
+			 /usr/bin/awk -F: '{print $1;}')
+      else
+      	# Check domain
+	run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
+			 /usr/bin/awk -F: '{print $1;}')
+      fi
+    fi
+    if [ -z "${run_service_as}" ]
+    then
+      csih_warning "Couldn't determine name of user running ${service_name} service from account database!"
+      csih_warning "As a result, this script cannot make sure that the files used"
+      csih_warning "by the ${service_name} service belong to the user running the service."
+      return 1
+    fi
+  fi
+  for i in "${SYSCONFDIR}"/ssh_config "${SYSCONFDIR}"/sshd_config "${SYSCONFDIR}"/ssh_host_*key "${SYSCONFDIR}"/ssh_host_*key.pub
+  do
+    if [ -f "$i" ]
+    then
+      if ! chown "${run_service_as}".544 "$i" >/dev/null 2>&1
+      then
+	csih_warning "Couldn't change owner of $i!"
+	let ++ret
+      fi
+    fi
+  done
+  if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/empty >/dev/null 2>&1
+  then
+    csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/empty!"
+    let ++ret
+  fi
+  if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
+  then
+    csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/lastlog!"
+    let ++ret
+  fi
+  if [ -f ${LOCALSTATEDIR}/log/sshd.log ]
+  then
+    if ! chown "${run_service_as}".544 ${LOCALSTATEDIR}/log/sshd.log >/dev/null 2>&1
+    then
+      csih_warning "Couldn't change owner of ${LOCALSTATEDIR}/log/sshd.log!"
+      let ++ret
+    fi
+  fi
+  if [ $ret -ne 0 ]
+  then
+    csih_warning "Couldn't change owner of important files to ${run_service_as}!"
+    csih_warning "This may cause the ${service_name} service to fail!  Please make sure that"
+    csih_warning "you have sufficient permissions to change the ownership of files"
+    csih_warning "and try to run the ssh-host-config script again."
+  fi
+  return $ret
+} # --- End of check_service_files_ownership --- #
+
+# ======================================================================
+# Routine: install_service
+#   Install sshd as a service
+# ======================================================================
+install_service() {
+  local run_service_as
+  local password
+  local ret=0
+
+  echo
+  if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1
+  then
+    csih_inform "Sshd service is already installed."
+    check_service_files_ownership "" || let ret+=$?
+  else
+    echo -e "${_csih_QUERY_STR} Do you want to install sshd as a service?"
+    if csih_request "(Say \"no\" if it is already installed as a service)"
+    then
+      csih_get_cygenv "${cygwin_value}"
+
+      if ( [ "$csih_FORCE_PRIVILEGED_USER" != "yes" ] )
+      then
+	# Enforce using privileged user on 64 bit Vista or W7 under WOW64
+	is_wow64=$(/usr/bin/uname | /usr/bin/grep -q 'WOW' && echo 1 || echo 0)
+
+	if ( csih_is_nt2003 && ! csih_is_windows8 && [ "${is_wow64}" = "1" ] )
+	then
+	  csih_inform "Running 32 bit Cygwin on 64 bit Windows Vista or Windows 7"
+	  csih_inform "the SYSTEM account is not sufficient to setuid to a local"
+	  csih_inform "user account.  You need to have or to create a privileged"
+	  csih_inform "account.  This script will help you do so."
+	  echo
+	  csih_FORCE_PRIVILEGED_USER=yes
+	fi
+      fi
+
+      if ( [ "$csih_FORCE_PRIVILEGED_USER" = "yes" ] )
+      then
+	[ "${opt_force}" = "yes" ] && opt_f=-f
+	[ -n "${user_account}" ] && opt_u="-u ""${user_account}"""
+	csih_select_privileged_username ${opt_f} ${opt_u} sshd
+
+	if ! csih_create_privileged_user "${password_value}"
+	then
+	  csih_error_recoverable "There was a serious problem creating a privileged user."
+	  csih_request "Do you want to proceed anyway?" || exit 1
+	  let ++ret
+	fi
+	# Never returns empty if NT or above
+	run_service_as=$(csih_service_should_run_as)
+      else
+	run_service_as="SYSTEM"
+      fi
+
+      if [ "${run_service_as}" = "${csih_PRIVILEGED_USERNAME}" ]
+      then
+	password="${csih_PRIVILEGED_PASSWORD}"
+	if [ -z "${password}" ]
+	then
+	  csih_get_value "Please enter the password for user '${run_service_as}':" "-s"
+	  password="${csih_value}"
+	fi
+      fi
+
+      # At this point, we either have $run_service_as = "system" and
+      # $password is empty, or $run_service_as is some privileged user and
+      # (hopefully) $password contains the correct password.  So, from here
+      # out, we use '-z "${password}"' to discriminate the two cases.
+
+      csih_check_user "${run_service_as}"
+
+      if [ -n "${csih_cygenv}" ]
+      then
+	cygwin_env=( -e "CYGWIN=${csih_cygenv}" )
+      fi
+      if [ -z "${password}" ]
+      then
+	if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
+			      -a "-D" -y tcpip "${cygwin_env[@]}"
+	then
+	  echo
+	  csih_inform "The sshd service has been installed under the LocalSystem"
+	  csih_inform "account (also known as SYSTEM). To start the service now, call"
+	  csih_inform "\`net start ${service_name}' or \`cygrunsrv -S ${service_name}'.  Otherwise, it"
+	  csih_inform "will start automatically after the next reboot."
+	fi
+      else
+	if /usr/bin/cygrunsrv -I ${service_name} -d "CYGWIN ${service_name}" -p /usr/sbin/sshd \
+			      -a "-D" -y tcpip "${cygwin_env[@]}" \
+			      -u "${run_service_as}" -w "${password}"
+	then
+	  /usr/bin/editrights -u "${run_service_as}" -a SeServiceLogonRight
+	  echo
+	  csih_inform "The sshd service has been installed under the '${run_service_as}'"
+	  csih_inform "account.  To start the service now, call \`net start ${service_name}' or"
+	  csih_inform "\`cygrunsrv -S ${service_name}'.  Otherwise, it will start automatically"
+	  csih_inform "after the next reboot."
+	fi
+      fi
+
+      if /usr/bin/cygrunsrv -Q ${service_name} >/dev/null 2>&1
+      then
+	check_service_files_ownership "${run_service_as}" || let ret+=$?
+      else
+	csih_error_recoverable "Installing sshd as a service failed!"
+	let ++ret
+      fi
+    fi # user allowed us to install as service
+  fi # service not yet installed
+  return $ret
+} # --- End of install_service --- #
+
+# ======================================================================
+# Main Entry Point
+# ======================================================================
+
+# Check how the script has been started.  If
+#   (1) it has been started by giving the full path and
+#       that path is /etc/postinstall, OR
+#   (2) Otherwise, if the environment variable
+#       SSH_HOST_CONFIG_AUTO_ANSWER_NO is set
+# then set auto_answer to "no".  This allows automatic
+# creation of the config files in /etc w/o overwriting
+# them if they already exist.  In both cases, color
+# escape sequences are suppressed, so as to prevent
+# cluttering setup's logfiles.
+if [ "$PROGDIR" = "/etc/postinstall" ]
+then
+  csih_auto_answer="no"
+  csih_disable_color
+  opt_force=yes
+fi
+if [ -n "${SSH_HOST_CONFIG_AUTO_ANSWER_NO}" ]
+then
+  csih_auto_answer="no"
+  csih_disable_color
+  opt_force=yes
+fi
+
+# ======================================================================
+# Parse options
+# ======================================================================
+while :
+do
+  case $# in
+  0)
+    break
+    ;;
+  esac
+
+  option=$1
+  shift
+
+  case "${option}" in
+  -d | --debug )
+    set -x
+    csih_trace_on
+    ;;
+
+  -y | --yes )
+    csih_auto_answer=yes
+    opt_force=yes
+    ;;
+
+  -n | --no )
+    csih_auto_answer=no
+    opt_force=yes
+    ;;
+
+  -c | --cygwin )
+    cygwin_value="$1"
+    shift
+    ;;
+
+  -N | --name )
+    service_name=$1
+    shift
+    ;;
+
+  -p | --port )
+    port_number=$1
+    shift
+    ;;
+
+  -u | --user )
+    user_account="$1"
+    shift
+    ;;
+    
+  -w | --pwd )
+    password_value="$1"
+    shift
+    ;;
+
+  --privileged )
+    csih_FORCE_PRIVILEGED_USER=yes
+    ;;
+
+  *)
+    echo "usage: ${progname} [OPTION]..."
+    echo
+    echo "This script creates an OpenSSH host configuration."
+    echo
+    echo "Options:"
+    echo "  --debug  -d            Enable shell's debug output."
+    echo "  --yes    -y            Answer all questions with \"yes\" automatically."
+    echo "  --no     -n            Answer all questions with \"no\" automatically."
+    echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
+    echo "  --name   -N <name>     sshd windows service name."
+    echo "  --port   -p <n>        sshd listens on port n."
+    echo "  --user   -u <account>  privileged user for service, default 'cyg_server'."
+    echo "  --pwd    -w <passwd>   Use \"pwd\" as password for privileged user."
+    echo "  --privileged           On Windows XP, require privileged user"
+    echo "                         instead of LocalSystem for sshd service."
+    echo
+    exit 1
+    ;;
+
+  esac
+done
+
+# ======================================================================
+# Action!
+# ======================================================================
+
+# Check for running ssh/sshd processes first. Refuse to do anything while
+# some ssh processes are still running
+if /usr/bin/ps -ef | /usr/bin/grep -q '/sshd\?$'
+then
+  echo
+  csih_error "There are still ssh processes running. Please shut them down first."
+fi
+
+# Make sure the user is running in an administrative context
+admin=$(/usr/bin/id -G | /usr/bin/grep -Eq '\<544\>' && echo yes || echo no)
+if [ "${admin}" != "yes" ]
+then
+  echo
+  csih_warning "Running this script typically requires administrator privileges!"
+  csih_warning "However, it seems your account does not have these privileges."
+  csih_warning "Here's the list of groups in your user token:"
+  echo
+  /usr/bin/id -Gnz | xargs -0n1 echo "   "
+  echo
+  csih_warning "This usually means you're running this script from a non-admin"
+  csih_warning "desktop session, or in a non-elevated shell under UAC control."
+  echo
+  csih_warning "Make sure you have the appropriate privileges right now,"
+  csih_warning "otherwise parts of this script will probably fail!"
+  echo
+  echo -e "${_csih_QUERY_STR} Are you sure you want to continue?  (Say \"no\" if you're not sure"
+  if ! csih_request "you have the required privileges)"
+  then
+    echo
+    csih_inform "Ok.  Exiting.  Make sure to switch to an administrative account"
+    csih_inform "or to start this script from an elevated shell."
+    exit 1
+  fi
+fi
+
+echo
+
+warning_cnt=0
+
+# Create /var/log/lastlog if not already exists
+if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
+then
+  echo
+  csih_error_multi "${LOCALSTATEDIR}/log/lastlog exists, but is not a file." \
+		   "Cannot create ssh host configuration."
+fi
+if [ ! -e ${LOCALSTATEDIR}/log/lastlog ]
+then
+  /usr/bin/cat /dev/null > ${LOCALSTATEDIR}/log/lastlog
+  if ! /usr/bin/chmod 644 ${LOCALSTATEDIR}/log/lastlog >/dev/null 2>&1
+  then
+    csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log/lastlog!"
+    let ++warning_cnt
+  fi
+fi
+
+# Create /var/empty file used as chroot jail for privilege separation
+csih_make_dir "${LOCALSTATEDIR}/empty" "Cannot create ${LOCALSTATEDIR}/empty directory."
+if ! /usr/bin/chmod 755 "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
+then
+  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
+  let ++warning_cnt
+fi
+
+# generate missing host keys
+csih_inform "Generating missing SSH host keys"
+/usr/bin/ssh-keygen -A || let warning_cnt+=$?
+
+# handle ssh_config
+csih_install_config "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
+if /usr/bin/cmp "${SYSCONFDIR}/ssh_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/ssh_config" >/dev/null 2>&1
+then
+  if [ "${port_number}" != "22" ]
+  then
+    csih_inform "Updating ${SYSCONFDIR}/ssh_config file with requested port"
+    echo "Host localhost" >> ${SYSCONFDIR}/ssh_config
+    echo "    Port ${port_number}" >> ${SYSCONFDIR}/ssh_config
+  fi
+fi
+
+# handle sshd_config
+# make sure not to change the existing file
+mod_before=""
+if [ -e "${SYSCONFDIR}/sshd_config" ]
+then
+  mod_before=$(stat "${SYSCONFDIR}/sshd_config" | grep '^Modify:')
+fi
+csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
+mod_now=$(stat "${SYSCONFDIR}/sshd_config" | grep '^Modify:')
+if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
+then
+  sshd_config_configured=yes
+fi
+if [ "${mod_before}" != "${mod_now}" ]
+then
+  sshd_strictmodes || let warning_cnt+=$?
+  sshd_config_tweak || let warning_cnt+=$?
+fi
+#sshd_privsep || let warning_cnt+=$?
+update_services_file || let warning_cnt+=$?
+update_inetd_conf || let warning_cnt+=$?
+install_service || let warning_cnt+=$?
+
+echo
+if [ $warning_cnt -eq 0 ]
+then
+  csih_inform "Host configuration finished. Have fun!"
+else
+  csih_warning "Host configuration exited with ${warning_cnt} errors or warnings!"
+  csih_warning "Make sure that all problems reported are fixed,"
+  csih_warning "then re-run ssh-host-config."
+fi
+exit $warning_cnt
diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config
new file mode 100644
index 0000000..6fa4bb3
--- /dev/null
+++ b/contrib/cygwin/ssh-user-config
@@ -0,0 +1,257 @@
+#!/bin/bash
+#
+# ssh-user-config, Copyright 2000-2014 Red Hat Inc.
+#
+# This file is part of the Cygwin port of OpenSSH.
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS  
+# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF               
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.   
+# IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,   
+# DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR    
+# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR    
+# THE USE OR OTHER DEALINGS IN THE SOFTWARE.                               
+
+# ======================================================================
+# Initialization
+# ======================================================================
+PROGNAME=$(basename -- $0)
+_tdir=$(dirname -- $0)
+PROGDIR=$(cd $_tdir && pwd)
+
+CSIH_SCRIPT=/usr/share/csih/cygwin-service-installation-helper.sh
+
+# Subdirectory where the new package is being installed
+PREFIX=/usr
+
+# Directory where the config files are stored
+SYSCONFDIR=/etc
+
+source ${CSIH_SCRIPT}
+
+auto_passphrase="no"
+passphrase=""
+pwdhome=
+with_passphrase=
+
+# ======================================================================
+# Routine: create_identity
+#   optionally create identity of type argument in ~/.ssh
+#   optionally add result to ~/.ssh/authorized_keys
+# ======================================================================
+create_identity() {
+  local file="$1"
+  local type="$2"
+  local name="$3"
+  if [ ! -f "${pwdhome}/.ssh/${file}" ]
+  then
+    if csih_request "Shall I create a ${name} identity file for you?"
+    then
+      csih_inform "Generating ${pwdhome}/.ssh/${file}"
+      if [ "${with_passphrase}" = "yes" ]
+      then
+        ssh-keygen -t "${type}" -N "${passphrase}" -f "${pwdhome}/.ssh/${file}" > /dev/null
+      else
+        ssh-keygen -t "${type}" -f "${pwdhome}/.ssh/${file}" > /dev/null
+      fi
+      if csih_request "Do you want to use this identity to login to this machine?"
+      then
+        csih_inform "Adding to ${pwdhome}/.ssh/authorized_keys"
+        cat "${pwdhome}/.ssh/${file}.pub" >> "${pwdhome}/.ssh/authorized_keys"
+      fi
+    fi
+  fi
+} # === End of create_ssh1_identity() === #
+readonly -f create_identity
+
+# ======================================================================
+# Routine: check_user_homedir
+#   Perform various checks on the user's home directory
+# SETS GLOBAL VARIABLE:
+#   pwdhome
+# ======================================================================
+check_user_homedir() {
+  pwdhome=$(getent passwd $UID | awk -F: '{ print $6; }')
+  if [ "X${pwdhome}" = "X" ]
+  then
+    csih_error_multi \
+      "There is no home directory set for you in the account database." \
+      'Setting $HOME is not sufficient!'
+  fi
+  
+  if [ ! -d "${pwdhome}" ]
+  then
+    csih_error_multi \
+      "${pwdhome} is set in the account database as your home directory" \
+      'but it is not a valid directory. Cannot create user identity files.'
+  fi
+  
+  # If home is the root dir, set home to empty string to avoid error messages
+  # in subsequent parts of that script.
+  if [ "X${pwdhome}" = "X/" ]
+  then
+    # But first raise a warning!
+    csih_warning "Your home directory in the account database is set to root (/). This is not recommended!"
+    if csih_request "Would you like to proceed anyway?"
+    then
+      pwdhome=''
+    else
+      csih_warning "Exiting. Configuration is not complete"
+      exit 1
+    fi
+  fi
+  
+  if [ -d "${pwdhome}" -a -n "`chmod -c g-w,o-w "${pwdhome}"`" ]
+  then
+    echo
+    csih_warning 'group and other have been revoked write permission to your home'
+    csih_warning "directory ${pwdhome}."
+    csih_warning 'This is required by OpenSSH to allow public key authentication using'
+    csih_warning 'the key files stored in your .ssh subdirectory.'
+    csih_warning 'Revert this change ONLY if you know what you are doing!'
+    echo
+  fi
+} # === End of check_user_homedir() === #
+readonly -f check_user_homedir
+
+# ======================================================================
+# Routine: check_user_dot_ssh_dir
+#   Perform various checks on the ~/.ssh directory
+# PREREQUISITE:
+#   pwdhome -- check_user_homedir()
+# ======================================================================
+check_user_dot_ssh_dir() {
+  if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ]
+  then
+    csih_error "${pwdhome}/.ssh is existent but not a directory. Cannot create user identity files."
+  fi
+  
+  if [ ! -e "${pwdhome}/.ssh" ]
+  then
+    mkdir "${pwdhome}/.ssh"
+    if [ ! -e "${pwdhome}/.ssh" ]
+    then
+      csih_error "Creating users ${pwdhome}/.ssh directory failed"
+    fi
+  fi
+} # === End of check_user_dot_ssh_dir() === #
+readonly -f check_user_dot_ssh_dir
+
+# ======================================================================
+# Routine: fix_authorized_keys_perms
+#   Corrects the permissions of ~/.ssh/authorized_keys
+# PREREQUISITE:
+#   pwdhome   -- check_user_homedir()
+# ======================================================================
+fix_authorized_keys_perms() {
+  if [ -e "${pwdhome}/.ssh/authorized_keys" ]
+  then
+    setfacl -b "${pwdhome}/.ssh/authorized_keys" 2>/dev/null || echo -n
+    if ! chmod u-x,g-wx,o-wx "${pwdhome}/.ssh/authorized_keys"
+    then
+      csih_warning "Setting correct permissions to ${pwdhome}/.ssh/authorized_keys"
+      csih_warning "failed.  Please care for the correct permissions.  The minimum requirement"
+      csih_warning "is, the owner needs read permissions."
+      echo
+    fi
+  fi
+} # === End of fix_authorized_keys_perms() === #
+readonly -f fix_authorized_keys_perms
+
+
+# ======================================================================
+# Main Entry Point
+# ======================================================================
+
+# Check how the script has been started.  If
+#   (1) it has been started by giving the full path and
+#       that path is /etc/postinstall, OR
+#   (2) Otherwise, if the environment variable
+#       SSH_USER_CONFIG_AUTO_ANSWER_NO is set
+# then set auto_answer to "no".  This allows automatic
+# creation of the config files in /etc w/o overwriting
+# them if they already exist.  In both cases, color
+# escape sequences are suppressed, so as to prevent
+# cluttering setup's logfiles.
+if [ "$PROGDIR" = "/etc/postinstall" ]
+then
+  csih_auto_answer="no"
+  csih_disable_color
+fi
+if [ -n "${SSH_USER_CONFIG_AUTO_ANSWER_NO}" ]
+then
+  csih_auto_answer="no"
+  csih_disable_color
+fi
+
+# ======================================================================
+# Parse options
+# ======================================================================
+while :
+do
+  case $# in
+  0)
+    break
+    ;;
+  esac
+
+  option=$1
+  shift
+
+  case "$option" in
+  -d | --debug )
+    set -x
+    csih_trace_on
+    ;;
+
+  -y | --yes )
+    csih_auto_answer=yes
+    ;;
+
+  -n | --no )
+    csih_auto_answer=no
+    ;;
+
+  -p | --passphrase )
+    with_passphrase="yes"
+    passphrase=$1
+    shift
+    ;;
+
+  *)
+    echo "usage: ${PROGNAME} [OPTION]..."
+    echo
+    echo "This script creates an OpenSSH user configuration."
+    echo
+    echo "Options:"
+    echo "    --debug      -d        Enable shell's debug output."
+    echo "    --yes        -y        Answer all questions with \"yes\" automatically."
+    echo "    --no         -n        Answer all questions with \"no\" automatically."
+    echo "    --passphrase -p word   Use \"word\" as passphrase automatically."
+    echo
+    exit 1
+    ;;
+
+  esac
+done
+
+# ======================================================================
+# Action!
+# ======================================================================
+
+check_user_homedir
+check_user_dot_ssh_dir
+create_identity id_rsa rsa "SSH2 RSA"
+create_identity id_dsa dsa "SSH2 DSA"
+create_identity id_ecdsa ecdsa "SSH2 ECDSA"
+create_identity identity rsa1 "(deprecated) SSH1 RSA"
+fix_authorized_keys_perms
+
+echo
+csih_inform "Configuration finished. Have fun!"
+
+
diff --git a/contrib/cygwin/sshd-inetd b/contrib/cygwin/sshd-inetd
new file mode 100644
index 0000000..aa6bf07
--- /dev/null
+++ b/contrib/cygwin/sshd-inetd
@@ -0,0 +1,4 @@
+# This file can be used to enable sshd as a slave of the inetd service
+# To do so, the line below should be uncommented.
+@COMMENT@ ssh  stream  tcp     nowait  root    /usr/sbin/sshd sshd -i
+
diff --git a/contrib/findssl.sh b/contrib/findssl.sh
new file mode 100644
index 0000000..95a0d66
--- /dev/null
+++ b/contrib/findssl.sh
@@ -0,0 +1,184 @@
+#!/bin/sh
+#
+# findssl.sh
+#	Search for all instances of OpenSSL headers and libraries
+#	and print their versions.
+#	Intended to help diagnose OpenSSH's "OpenSSL headers do not
+#	match your library" errors.
+#
+#	Written by Darren Tucker (dtucker at zip dot com dot au)
+#	This file is placed in the public domain.
+#
+#	Release history:
+#	2002-07-27: Initial release.
+#	2002-08-04: Added public domain notice.
+#	2003-06-24: Incorporated readme, set library paths. First cvs version.
+#	2004-12-13: Add traps to cleanup temp files, from Amarendra Godbole.
+#
+# "OpenSSL headers do not match your library" are usually caused by
+# OpenSSH's configure picking up an older version of OpenSSL headers
+# or libraries.  You can use the following # procedure to help identify
+# the cause.
+#
+# The  output  of  configure  will  tell you the versions of the OpenSSL
+# headers and libraries that were picked up, for example:
+#
+# checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002)
+# checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
+# checking whether OpenSSL's headers match the library... no
+# configure: error: Your OpenSSL headers do not match your library
+#
+# Now run findssl.sh. This should identify the headers and libraries
+# present  and  their  versions.  You  should  be  able  to identify the
+# libraries  and headers used and adjust your CFLAGS or remove incorrect
+# versions.  The  output will show OpenSSL's internal version identifier
+# and should look something like:
+
+# $ ./findssl.sh
+# Searching for OpenSSL header files.
+# 0x0090604fL /usr/include/openssl/opensslv.h
+# 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h
+#
+# Searching for OpenSSL shared library files.
+# 0x0090602fL /lib/libcrypto.so.0.9.6b
+# 0x0090602fL /lib/libcrypto.so.2
+# 0x0090581fL /usr/lib/libcrypto.so.0
+# 0x0090602fL /usr/lib/libcrypto.so
+# 0x0090581fL /usr/lib/libcrypto.so.0.9.5a
+# 0x0090600fL /usr/lib/libcrypto.so.0.9.6
+# 0x0090600fL /usr/lib/libcrypto.so.1
+#
+# Searching for OpenSSL static library files.
+# 0x0090602fL /usr/lib/libcrypto.a
+# 0x0090604fL /usr/local/ssl/lib/libcrypto.a
+#
+# In  this  example, I gave configure no extra flags, so it's picking up
+# the  OpenSSL header from /usr/include/openssl (90604f) and the library
+# from /usr/lib/ (90602f).
+
+#
+# Adjust these to suit your compiler.
+# You may also need to set the *LIB*PATH environment variables if
+# DEFAULT_LIBPATH is not correct for your system.
+#
+CC=gcc
+STATIC=-static
+
+#
+# Cleanup on interrupt
+#
+trap 'rm -f conftest.c' INT HUP TERM
+
+#
+# Set up conftest C source
+#
+rm -f findssl.log
+cat >conftest.c <<EOD
+#include <stdio.h>
+int main(){printf("0x%08xL\n", SSLeay());}
+EOD
+
+#
+# Set default library paths if not already set
+#
+DEFAULT_LIBPATH=/usr/lib:/usr/local/lib
+LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH}
+LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH}
+LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH}
+export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
+
+# not all platforms have a 'which' command
+if which ls >/dev/null 2>/dev/null; then
+    : which is defined
+else
+    which () {
+	saveIFS="$IFS"
+	IFS=:
+	for p in $PATH; do
+	    if test -x "$p/$1" -a -f "$p/$1"; then
+		IFS="$saveIFS"
+		echo "$p/$1"
+		return 0
+	    fi
+	done
+	IFS="$saveIFS"
+	return 1
+    }
+fi
+
+#
+# Search for OpenSSL headers and print versions
+#
+echo Searching for OpenSSL header files.
+if [ -x "`which locate`" ]
+then
+	headers=`locate opensslv.h`
+else
+	headers=`find / -name opensslv.h -print 2>/dev/null`
+fi
+
+for header in $headers
+do
+	ver=`awk '/OPENSSL_VERSION_NUMBER/{printf \$3}' $header`
+	echo "$ver $header"
+done
+echo
+
+#
+# Search for shared libraries.
+# Relies on shared libraries looking like "libcrypto.s*"
+#
+echo Searching for OpenSSL shared library files.
+if [ -x "`which locate`" ]
+then
+	libraries=`locate libcrypto.s`
+else
+	libraries=`find / -name 'libcrypto.s*' -print 2>/dev/null`
+fi
+
+for lib in $libraries
+do
+	(echo "Trying libcrypto $lib" >>findssl.log
+	dir=`dirname $lib`
+	LIBPATH="$dir:$LIBPATH"
+	LD_LIBRARY_PATH="$dir:$LIBPATH"
+	LIBRARY_PATH="$dir:$LIBPATH"
+	export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
+	${CC} -o conftest conftest.c $lib 2>>findssl.log
+	if [ -x ./conftest ]
+	then
+		ver=`./conftest 2>/dev/null`
+		rm -f ./conftest
+		echo "$ver $lib"
+	fi)
+done
+echo
+
+#
+# Search for static OpenSSL libraries and print versions
+#
+echo Searching for OpenSSL static library files.
+if [ -x "`which locate`" ]
+then
+	libraries=`locate libcrypto.a`
+else
+	libraries=`find / -name libcrypto.a -print 2>/dev/null`
+fi
+
+for lib in $libraries
+do
+	libdir=`dirname $lib`
+	echo "Trying libcrypto $lib" >>findssl.log
+	${CC} ${STATIC} -o conftest conftest.c -L${libdir} -lcrypto 2>>findssl.log
+	if [ -x ./conftest ]
+	then
+		ver=`./conftest 2>/dev/null`
+		rm -f ./conftest
+		echo "$ver $lib"
+	fi
+done
+
+#
+# Clean up
+#
+rm -f conftest.c
diff --git a/contrib/gnome-ssh-askpass1.c b/contrib/gnome-ssh-askpass1.c
new file mode 100644
index 0000000..4c92c17
--- /dev/null
+++ b/contrib/gnome-ssh-askpass1.c
@@ -0,0 +1,172 @@
+/*
+ * Copyright (c) 2000-2002 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This is a simple GNOME SSH passphrase grabber. To use it, set the
+ * environment variable SSH_ASKPASS to point to the location of
+ * gnome-ssh-askpass before calling "ssh-add < /dev/null".
+ *
+ * There is only two run-time options: if you set the environment variable
+ * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
+ * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
+ * pointer will be grabbed too. These may have some benefit to security if
+ * you don't trust your X server. We grab the keyboard always.
+ */
+
+/*
+ * Compile with:
+ *
+ * cc `gnome-config --cflags gnome gnomeui` \
+ *    gnome-ssh-askpass1.c -o gnome-ssh-askpass \
+ *    `gnome-config --libs gnome gnomeui`
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <gnome.h>
+#include <X11/Xlib.h>
+#include <gdk/gdkx.h>
+
+void
+report_failed_grab (void)
+{
+	GtkWidget *err;
+
+	err = gnome_message_box_new("Could not grab keyboard or mouse.\n"
+		"A malicious client may be eavesdropping on your session.",
+				    GNOME_MESSAGE_BOX_ERROR, "EXIT", NULL);
+	gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
+	gtk_object_set(GTK_OBJECT(err), "type", GTK_WINDOW_POPUP, NULL);
+
+	gnome_dialog_run_and_close(GNOME_DIALOG(err));
+}
+
+int
+passphrase_dialog(char *message)
+{
+	char *passphrase;
+	char **messages;
+	int result, i, grab_server, grab_pointer;
+	GtkWidget *dialog, *entry, *label;
+
+	grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
+	grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
+
+	dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK,
+	    GNOME_STOCK_BUTTON_CANCEL, NULL);
+
+	messages = g_strsplit(message, "\\n", 0);
+	if (messages)
+		for(i = 0; messages[i]; i++) {
+			label = gtk_label_new(messages[i]);
+			gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox),
+			    label, FALSE, FALSE, 0);
+		}
+
+	entry = gtk_entry_new();
+	gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE,
+	    FALSE, 0);
+	gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
+	gtk_widget_grab_focus(entry);
+
+	/* Center window and prepare for grab */
+	gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL);
+	gnome_dialog_set_default(GNOME_DIALOG(dialog), 0);
+	gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
+	gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE);
+	gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE);
+	gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox),
+	    GNOME_PAD);
+	gtk_widget_show_all(dialog);
+
+	/* Grab focus */
+	if (grab_server)
+		XGrabServer(GDK_DISPLAY());
+	if (grab_pointer && gdk_pointer_grab(dialog->window, TRUE, 0,
+	    NULL, NULL, GDK_CURRENT_TIME))
+		goto nograb;
+	if (gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME))
+		goto nograbkb;
+
+	/* Make <enter> close dialog */
+	gnome_dialog_editable_enters(GNOME_DIALOG(dialog), GTK_EDITABLE(entry));
+
+	/* Run dialog */
+	result = gnome_dialog_run(GNOME_DIALOG(dialog));
+
+	/* Ungrab */
+	if (grab_server)
+		XUngrabServer(GDK_DISPLAY());
+	if (grab_pointer)
+		gdk_pointer_ungrab(GDK_CURRENT_TIME);
+	gdk_keyboard_ungrab(GDK_CURRENT_TIME);
+	gdk_flush();
+
+	/* Report passphrase if user selected OK */
+	passphrase = gtk_entry_get_text(GTK_ENTRY(entry));
+	if (result == 0)
+		puts(passphrase);
+		
+	/* Zero passphrase in memory */
+	memset(passphrase, '\0', strlen(passphrase));
+	gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
+			
+	gnome_dialog_close(GNOME_DIALOG(dialog));
+	return (result == 0 ? 0 : -1);
+
+	/*
+	 * At least one grab failed - ungrab what we got, and report the
+	 * failure to the user. Note that XGrabServer() cannot fail.
+	 */
+ nograbkb:
+	gdk_pointer_ungrab(GDK_CURRENT_TIME);
+ nograb:
+	if (grab_server)
+		XUngrabServer(GDK_DISPLAY());
+	gnome_dialog_close(GNOME_DIALOG(dialog));
+	
+	report_failed_grab();
+	return (-1);
+}
+
+int
+main(int argc, char **argv)
+{
+	char *message;
+	int result;
+
+	gnome_init("GNOME ssh-askpass", "0.1", argc, argv);
+
+	if (argc == 2)
+		message = argv[1];
+	else
+		message = "Enter your OpenSSH passphrase:";
+
+	setvbuf(stdout, 0, _IONBF, 0);
+	result = passphrase_dialog(message);
+
+	return (result);
+}
diff --git a/contrib/gnome-ssh-askpass2.c b/contrib/gnome-ssh-askpass2.c
new file mode 100644
index 0000000..a62f981
--- /dev/null
+++ b/contrib/gnome-ssh-askpass2.c
@@ -0,0 +1,341 @@
+/*
+ * Copyright (c) 2000-2002 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */
+
+/*
+ * This is a simple GNOME SSH passphrase grabber. To use it, set the
+ * environment variable SSH_ASKPASS to point to the location of
+ * gnome-ssh-askpass before calling "ssh-add < /dev/null".
+ *
+ * There is only two run-time options: if you set the environment variable
+ * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
+ * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
+ * pointer will be grabbed too. These may have some benefit to security if
+ * you don't trust your X server. We grab the keyboard always.
+ */
+
+#define GRAB_TRIES	16
+#define GRAB_WAIT	250 /* milliseconds */
+
+#define PROMPT_ENTRY	0
+#define PROMPT_CONFIRM	1
+#define PROMPT_NONE	2
+
+/*
+ * Compile with:
+ *
+ * cc -Wall `pkg-config --cflags gtk+-2.0` \
+ *    gnome-ssh-askpass2.c -o gnome-ssh-askpass \
+ *    `pkg-config --libs gtk+-2.0`
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <X11/Xlib.h>
+#include <gtk/gtk.h>
+#include <gdk/gdkx.h>
+#include <gdk/gdkkeysyms.h>
+
+static void
+report_failed_grab (GtkWidget *parent_window, const char *what)
+{
+	GtkWidget *err;
+
+	err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
+	    GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE,
+	    "Could not grab %s. A malicious client may be eavesdropping "
+	    "on your session.", what);
+	gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
+
+	gtk_dialog_run(GTK_DIALOG(err));
+
+	gtk_widget_destroy(err);
+}
+
+static void
+ok_dialog(GtkWidget *entry, gpointer dialog)
+{
+	g_return_if_fail(GTK_IS_DIALOG(dialog));
+	gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+}
+
+static gboolean
+check_none(GtkWidget *widget, GdkEventKey *event, gpointer dialog)
+{
+	switch (event->keyval) {
+	case GDK_KEY_Escape:
+		/* esc -> close dialog */
+		gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_CLOSE);
+		return TRUE;
+	case GDK_KEY_Tab:
+		/* tab -> focus close button */
+		gtk_widget_grab_focus(gtk_dialog_get_widget_for_response(
+		    dialog, GTK_RESPONSE_CLOSE));
+		return TRUE;
+	default:
+		/* eat all other key events */
+		return TRUE;
+	}
+}
+
+static int
+parse_env_hex_color(const char *env, GdkColor *c)
+{
+	const char *s;
+	unsigned long ul;
+	char *ep;
+	size_t n;
+
+	if ((s = getenv(env)) == NULL)
+		return 0;
+
+	memset(c, 0, sizeof(*c));
+
+	/* Permit hex rgb or rrggbb optionally prefixed by '#' or '0x' */
+	if (*s == '#')
+		s++;
+	else if (strncmp(s, "0x", 2) == 0)
+		s += 2;
+	n = strlen(s);
+	if (n != 3 && n != 6)
+		goto bad;
+	ul = strtoul(s, &ep, 16);
+	if (*ep != '\0' || ul > 0xffffff) {
+ bad:
+		fprintf(stderr, "Invalid $%s - invalid hex color code\n", env);
+		return 0;
+	}
+	/* Valid hex sequence; expand into a GdkColor */
+	if (n == 3) {
+		/* 4-bit RGB */
+		c->red = ((ul >> 8) & 0xf) << 12;
+		c->green = ((ul >> 4) & 0xf) << 12;
+		c->blue = (ul & 0xf) << 12;
+	} else {
+		/* 8-bit RGB */
+		c->red = ((ul >> 16) & 0xff) << 8;
+		c->green = ((ul >> 8) & 0xff) << 8;
+		c->blue = (ul & 0xff) << 8;
+	}
+	return 1;
+}
+
+static int
+passphrase_dialog(char *message, int prompt_type)
+{
+	const char *failed;
+	char *passphrase, *local;
+	int result, grab_tries, grab_server, grab_pointer;
+	int buttons, default_response;
+	GtkWidget *parent_window, *dialog, *entry;
+	GdkGrabStatus status;
+	GdkColor fg, bg;
+	int fg_set = 0, bg_set = 0;
+
+	grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
+	grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
+	grab_tries = 0;
+
+	fg_set = parse_env_hex_color("GNOME_SSH_ASKPASS_FG_COLOR", &fg);
+	bg_set = parse_env_hex_color("GNOME_SSH_ASKPASS_BG_COLOR", &bg);
+
+	/* Create an invisible parent window so that GtkDialog doesn't
+	 * complain.  */
+	parent_window = gtk_window_new(GTK_WINDOW_TOPLEVEL);
+
+	switch (prompt_type) {
+	case PROMPT_CONFIRM:
+		buttons = GTK_BUTTONS_YES_NO;
+		default_response = GTK_RESPONSE_YES;
+		break;
+	case PROMPT_NONE:
+		buttons = GTK_BUTTONS_CLOSE;
+		default_response = GTK_RESPONSE_CLOSE;
+		break;
+	default:
+		buttons = GTK_BUTTONS_OK_CANCEL;
+		default_response = GTK_RESPONSE_OK;
+		break;
+	}
+
+	dialog = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
+	    GTK_MESSAGE_QUESTION, buttons, "%s", message);
+
+	gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
+	gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
+	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
+	gtk_dialog_set_default_response(GTK_DIALOG(dialog), default_response);
+	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
+
+	if (fg_set)
+		gtk_widget_modify_fg(dialog, GTK_STATE_NORMAL, &fg);
+	if (bg_set)
+		gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);
+
+	if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) {
+		entry = gtk_entry_new();
+		if (fg_set)
+			gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
+		if (bg_set)
+			gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);
+		gtk_box_pack_start(
+		    GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
+		    entry, FALSE, FALSE, 0);
+		gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
+		gtk_widget_grab_focus(entry);
+		if (prompt_type == PROMPT_ENTRY) {
+			gtk_widget_show(entry);
+			/* Make <enter> close dialog */
+			g_signal_connect(G_OBJECT(entry), "activate",
+					 G_CALLBACK(ok_dialog), dialog);
+		} else {
+			/*
+			 * Ensure the 'close' button is not focused by default
+			 * but is still reachable via tab. This is a bit of a
+			 * hack - it uses a hidden entry that responds to a
+			 * couple of keypress events (escape and tab only).
+			 */
+			gtk_widget_realize(entry);
+			g_signal_connect(G_OBJECT(entry), "key_press_event",
+			    G_CALLBACK(check_none), dialog);
+		}
+	}
+
+	/* Grab focus */
+	gtk_widget_show_now(dialog);
+	if (grab_pointer) {
+		for(;;) {
+			status = gdk_pointer_grab(
+			    (gtk_widget_get_window(GTK_WIDGET(dialog))), TRUE,
+			    0, NULL, NULL, GDK_CURRENT_TIME);
+			if (status == GDK_GRAB_SUCCESS)
+				break;
+			usleep(GRAB_WAIT * 1000);
+			if (++grab_tries > GRAB_TRIES) {
+				failed = "mouse";
+				goto nograb;
+			}
+		}
+	}
+	for(;;) {
+		status = gdk_keyboard_grab(
+		    gtk_widget_get_window(GTK_WIDGET(dialog)), FALSE,
+		    GDK_CURRENT_TIME);
+		if (status == GDK_GRAB_SUCCESS)
+			break;
+		usleep(GRAB_WAIT * 1000);
+		if (++grab_tries > GRAB_TRIES) {
+			failed = "keyboard";
+			goto nograbkb;
+		}
+	}
+	if (grab_server) {
+		gdk_x11_grab_server();
+	}
+
+	result = gtk_dialog_run(GTK_DIALOG(dialog));
+
+	/* Ungrab */
+	if (grab_server)
+		XUngrabServer(gdk_x11_get_default_xdisplay());
+	if (grab_pointer)
+		gdk_pointer_ungrab(GDK_CURRENT_TIME);
+	gdk_keyboard_ungrab(GDK_CURRENT_TIME);
+	gdk_flush();
+
+	/* Report passphrase if user selected OK */
+	if (prompt_type == PROMPT_ENTRY) {
+		passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry)));
+		if (result == GTK_RESPONSE_OK) {
+			local = g_locale_from_utf8(passphrase,
+			    strlen(passphrase), NULL, NULL, NULL);
+			if (local != NULL) {
+				puts(local);
+				memset(local, '\0', strlen(local));
+				g_free(local);
+			} else {
+				puts(passphrase);
+			}
+		}
+		/* Zero passphrase in memory */
+		memset(passphrase, '\b', strlen(passphrase));
+		gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
+		memset(passphrase, '\0', strlen(passphrase));
+		g_free(passphrase);
+	}
+
+	gtk_widget_destroy(dialog);
+	if (result != GTK_RESPONSE_OK && result != GTK_RESPONSE_YES)
+		return -1;
+	return 0;
+
+ nograbkb:
+	/*
+	 * At least one grab failed - ungrab what we got, and report
+	 * the failure to the user.  Note that XGrabServer() cannot
+	 * fail.
+	 */
+	gdk_pointer_ungrab(GDK_CURRENT_TIME);
+ nograb:
+	if (grab_server)
+		XUngrabServer(gdk_x11_get_default_xdisplay());
+	gtk_widget_destroy(dialog);
+	
+	report_failed_grab(parent_window, failed);
+
+	return (-1);
+}
+
+int
+main(int argc, char **argv)
+{
+	char *message, *prompt_mode;
+	int result, prompt_type = PROMPT_ENTRY;
+
+	gtk_init(&argc, &argv);
+
+	if (argc > 1) {
+		message = g_strjoinv(" ", argv + 1);
+	} else {
+		message = g_strdup("Enter your OpenSSH passphrase:");
+	}
+
+	if ((prompt_mode = getenv("SSH_ASKPASS_PROMPT")) != NULL) {
+		if (strcasecmp(prompt_mode, "confirm") == 0)
+			prompt_type = PROMPT_CONFIRM;
+		else if (strcasecmp(prompt_mode, "none") == 0)
+			prompt_type = PROMPT_NONE;
+	}
+
+	setvbuf(stdout, 0, _IONBF, 0);
+	result = passphrase_dialog(message, prompt_type);
+	g_free(message);
+
+	return (result);
+}
diff --git a/contrib/gnome-ssh-askpass3.c b/contrib/gnome-ssh-askpass3.c
new file mode 100644
index 0000000..e1a0533
--- /dev/null
+++ b/contrib/gnome-ssh-askpass3.c
@@ -0,0 +1,305 @@
+/*
+ * Copyright (c) 2000-2002 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* GTK2 support by Nalin Dahyabhai <nalin@redhat.com> */
+
+/*
+ * This is a simple GNOME SSH passphrase grabber. To use it, set the
+ * environment variable SSH_ASKPASS to point to the location of
+ * gnome-ssh-askpass before calling "ssh-add < /dev/null".
+ *
+ * There is only two run-time options: if you set the environment variable
+ * "GNOME_SSH_ASKPASS_GRAB_SERVER=true" then gnome-ssh-askpass will grab
+ * the X server. If you set "GNOME_SSH_ASKPASS_GRAB_POINTER=true", then the
+ * pointer will be grabbed too. These may have some benefit to security if
+ * you don't trust your X server. We grab the keyboard always.
+ */
+
+#define GRAB_TRIES	16
+#define GRAB_WAIT	250 /* milliseconds */
+
+#define PROMPT_ENTRY	0
+#define PROMPT_CONFIRM	1
+#define PROMPT_NONE	2
+
+/*
+ * Compile with:
+ *
+ * cc -Wall `pkg-config --cflags gtk+-2.0` \
+ *    gnome-ssh-askpass2.c -o gnome-ssh-askpass \
+ *    `pkg-config --libs gtk+-2.0`
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <X11/Xlib.h>
+#include <gtk/gtk.h>
+#include <gdk/gdkx.h>
+#include <gdk/gdkkeysyms.h>
+
+static void
+ok_dialog(GtkWidget *entry, gpointer dialog)
+{
+	g_return_if_fail(GTK_IS_DIALOG(dialog));
+	gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+}
+
+static gboolean
+check_none(GtkWidget *widget, GdkEventKey *event, gpointer dialog)
+{
+	switch (event->keyval) {
+	case GDK_KEY_Escape:
+		/* esc -> close dialog */
+		gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_CLOSE);
+		return TRUE;
+	case GDK_KEY_Tab:
+		/* tab -> focus close button */
+		gtk_widget_grab_focus(gtk_dialog_get_widget_for_response(
+		    dialog, GTK_RESPONSE_CLOSE));
+		return TRUE;
+	default:
+		/* eat all other key events */
+		return TRUE;
+	}
+}
+
+static int
+parse_env_hex_color(const char *env, GdkColor *c)
+{
+	const char *s;
+	unsigned long ul;
+	char *ep;
+	size_t n;
+
+	if ((s = getenv(env)) == NULL)
+		return 0;
+
+	memset(c, 0, sizeof(*c));
+
+	/* Permit hex rgb or rrggbb optionally prefixed by '#' or '0x' */
+	if (*s == '#')
+		s++;
+	else if (strncmp(s, "0x", 2) == 0)
+		s += 2;
+	n = strlen(s);
+	if (n != 3 && n != 6)
+		goto bad;
+	ul = strtoul(s, &ep, 16);
+	if (*ep != '\0' || ul > 0xffffff) {
+ bad:
+		fprintf(stderr, "Invalid $%s - invalid hex color code\n", env);
+		return 0;
+	}
+	/* Valid hex sequence; expand into a GdkColor */
+	if (n == 3) {
+		/* 4-bit RGB */
+		c->red = ((ul >> 8) & 0xf) << 12;
+		c->green = ((ul >> 4) & 0xf) << 12;
+		c->blue = (ul & 0xf) << 12;
+	} else {
+		/* 8-bit RGB */
+		c->red = ((ul >> 16) & 0xff) << 8;
+		c->green = ((ul >> 8) & 0xff) << 8;
+		c->blue = (ul & 0xff) << 8;
+	}
+	return 1;
+}
+
+static int
+passphrase_dialog(char *message, int prompt_type)
+{
+	const char *failed;
+	char *passphrase, *local;
+	int result, grab_tries, grab_server, grab_pointer;
+	int buttons, default_response;
+	GtkWidget *parent_window, *dialog, *entry, *err;
+	GdkGrabStatus status;
+	GdkColor fg, bg;
+	GdkSeat *seat;
+	GdkDisplay *display;
+	GdkSeatCapabilities caps;
+	int fg_set = 0, bg_set = 0;
+
+	grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
+	grab_pointer = (getenv("GNOME_SSH_ASKPASS_GRAB_POINTER") != NULL);
+	grab_tries = 0;
+
+	fg_set = parse_env_hex_color("GNOME_SSH_ASKPASS_FG_COLOR", &fg);
+	bg_set = parse_env_hex_color("GNOME_SSH_ASKPASS_BG_COLOR", &bg);
+
+	/* Create an invisible parent window so that GtkDialog doesn't
+	 * complain.  */
+	parent_window = gtk_window_new(GTK_WINDOW_TOPLEVEL);
+
+	switch (prompt_type) {
+	case PROMPT_CONFIRM:
+		buttons = GTK_BUTTONS_YES_NO;
+		default_response = GTK_RESPONSE_YES;
+		break;
+	case PROMPT_NONE:
+		buttons = GTK_BUTTONS_CLOSE;
+		default_response = GTK_RESPONSE_CLOSE;
+		break;
+	default:
+		buttons = GTK_BUTTONS_OK_CANCEL;
+		default_response = GTK_RESPONSE_OK;
+		break;
+	}
+
+	dialog = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
+	    GTK_MESSAGE_QUESTION, buttons, "%s", message);
+
+	gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
+	gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
+	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
+	gtk_dialog_set_default_response(GTK_DIALOG(dialog), default_response);
+	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
+
+	if (fg_set)
+		gtk_widget_modify_fg(dialog, GTK_STATE_NORMAL, &fg);
+	if (bg_set)
+		gtk_widget_modify_bg(dialog, GTK_STATE_NORMAL, &bg);
+
+	if (prompt_type == PROMPT_ENTRY || prompt_type == PROMPT_NONE) {
+		entry = gtk_entry_new();
+		if (fg_set)
+			gtk_widget_modify_fg(entry, GTK_STATE_NORMAL, &fg);
+		if (bg_set)
+			gtk_widget_modify_bg(entry, GTK_STATE_NORMAL, &bg);
+		gtk_box_pack_start(
+		    GTK_BOX(gtk_dialog_get_content_area(GTK_DIALOG(dialog))),
+		    entry, FALSE, FALSE, 0);
+		gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
+		gtk_widget_grab_focus(entry);
+		if (prompt_type == PROMPT_ENTRY) {
+			gtk_widget_show(entry);
+			/* Make <enter> close dialog */
+			g_signal_connect(G_OBJECT(entry), "activate",
+					 G_CALLBACK(ok_dialog), dialog);
+		} else {
+			/*
+			 * Ensure the 'close' button is not focused by default
+			 * but is still reachable via tab. This is a bit of a
+			 * hack - it uses a hidden entry that responds to a
+			 * couple of keypress events (escape and tab only).
+			 */
+			gtk_widget_realize(entry);
+			g_signal_connect(G_OBJECT(entry), "key_press_event",
+			    G_CALLBACK(check_none), dialog);
+		}
+	}
+	/* Grab focus */
+	gtk_widget_show_now(dialog);
+	display = gtk_widget_get_display(GTK_WIDGET(dialog));
+	seat = gdk_display_get_default_seat(display);
+	caps = GDK_SEAT_CAPABILITY_KEYBOARD;
+	if (grab_pointer)
+		caps |= GDK_SEAT_CAPABILITY_ALL_POINTING;
+	if (grab_server)
+		caps = GDK_SEAT_CAPABILITY_ALL;
+	for (;;) {
+		status = gdk_seat_grab(seat, gtk_widget_get_window(dialog),
+		    caps, TRUE, NULL, NULL, NULL, NULL);
+		if (status == GDK_GRAB_SUCCESS)
+			break;
+		usleep(GRAB_WAIT * 1000);
+		if (++grab_tries > GRAB_TRIES)
+			goto nograb;
+	}
+
+	result = gtk_dialog_run(GTK_DIALOG(dialog));
+
+	/* Ungrab */
+	gdk_seat_ungrab(seat);
+	gdk_display_flush(display);
+
+	/* Report passphrase if user selected OK */
+	if (prompt_type == PROMPT_ENTRY) {
+		passphrase = g_strdup(gtk_entry_get_text(GTK_ENTRY(entry)));
+		if (result == GTK_RESPONSE_OK) {
+			local = g_locale_from_utf8(passphrase,
+			    strlen(passphrase), NULL, NULL, NULL);
+			if (local != NULL) {
+				puts(local);
+				memset(local, '\0', strlen(local));
+				g_free(local);
+			} else {
+				puts(passphrase);
+			}
+		}
+		/* Zero passphrase in memory */
+		memset(passphrase, '\b', strlen(passphrase));
+		gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
+		memset(passphrase, '\0', strlen(passphrase));
+		g_free(passphrase);
+	}
+
+	gtk_widget_destroy(dialog);
+	if (result != GTK_RESPONSE_OK && result != GTK_RESPONSE_YES)
+		return -1;
+	return 0;
+
+ nograb:
+	gtk_widget_destroy(dialog);
+	err = gtk_message_dialog_new(GTK_WINDOW(parent_window), 0,
+	    GTK_MESSAGE_ERROR, GTK_BUTTONS_CLOSE,
+	    "Could not grab input. A malicious client may be eavesdropping "
+	    "on your session.");
+	gtk_window_set_position(GTK_WINDOW(err), GTK_WIN_POS_CENTER);
+	gtk_dialog_run(GTK_DIALOG(err));
+	gtk_widget_destroy(err);
+	return -1;
+}
+
+int
+main(int argc, char **argv)
+{
+	char *message, *prompt_mode;
+	int result, prompt_type = PROMPT_ENTRY;
+
+	gtk_init(&argc, &argv);
+
+	if (argc > 1) {
+		message = g_strjoinv(" ", argv + 1);
+	} else {
+		message = g_strdup("Enter your OpenSSH passphrase:");
+	}
+
+	if ((prompt_mode = getenv("SSH_ASKPASS_PROMPT")) != NULL) {
+		if (strcasecmp(prompt_mode, "confirm") == 0)
+			prompt_type = PROMPT_CONFIRM;
+		else if (strcasecmp(prompt_mode, "none") == 0)
+			prompt_type = PROMPT_NONE;
+	}
+
+	setvbuf(stdout, 0, _IONBF, 0);
+	result = passphrase_dialog(message, prompt_type);
+	g_free(message);
+
+	return (result);
+}
diff --git a/contrib/hpux/README b/contrib/hpux/README
new file mode 100644
index 0000000..f8bfa84
--- /dev/null
+++ b/contrib/hpux/README
@@ -0,0 +1,45 @@
+README for OpenSSH HP-UX contrib files
+Kevin Steves <stevesk@pobox.com>
+
+sshd:		configuration file for sshd.rc
+sshd.rc:	SSH startup script
+egd:		configuration file for egd.rc
+egd.rc:		EGD (entropy gathering daemon) startup script
+
+To install:
+
+sshd.rc:
+
+o Verify paths in sshd.rc match your local installation
+  (WHAT_PATH and WHAT_PID)
+o Customize sshd if needed (SSHD_ARGS)
+o Install:
+
+  # cp sshd /etc/rc.config.d
+  # chmod 444 /etc/rc.config.d/sshd
+  # cp sshd.rc /sbin/init.d
+  # chmod 555 /sbin/init.d/sshd.rc
+  # ln -s /sbin/init.d/sshd.rc /sbin/rc1.d/K100sshd
+  # ln -s /sbin/init.d/sshd.rc /sbin/rc2.d/S900sshd
+
+egd.rc:
+
+o Verify egd.pl path in egd.rc matches your local installation
+  (WHAT_PATH)
+o Customize egd if needed (EGD_ARGS and EGD_LOG)
+o Add pseudo account:
+
+  # groupadd egd
+  # useradd -g egd egd
+  # mkdir -p /etc/opt/egd
+  # chown egd:egd /etc/opt/egd
+  # chmod 711 /etc/opt/egd
+
+o Install:
+
+  # cp egd /etc/rc.config.d
+  # chmod 444 /etc/rc.config.d/egd
+  # cp egd.rc /sbin/init.d
+  # chmod 555 /sbin/init.d/egd.rc
+  # ln -s /sbin/init.d/egd.rc /sbin/rc1.d/K600egd
+  # ln -s /sbin/init.d/egd.rc /sbin/rc2.d/S400egd
diff --git a/contrib/hpux/egd b/contrib/hpux/egd
new file mode 100644
index 0000000..21af0bd
--- /dev/null
+++ b/contrib/hpux/egd
@@ -0,0 +1,15 @@
+# EGD_START:		Set to 1 to start entropy gathering daemon
+# EGD_ARGS:		Command line arguments to pass to egd
+# EGD_LOG:		EGD stdout and stderr log file (default /etc/opt/egd/egd.log)
+#
+# To configure the egd environment:
+
+# groupadd egd
+# useradd -g egd egd
+# mkdir -p /etc/opt/egd
+# chown egd:egd /etc/opt/egd
+# chmod 711 /etc/opt/egd
+
+EGD_START=1
+EGD_ARGS='/etc/opt/egd/entropy'
+EGD_LOG=
diff --git a/contrib/hpux/egd.rc b/contrib/hpux/egd.rc
new file mode 100755
index 0000000..919dea7
--- /dev/null
+++ b/contrib/hpux/egd.rc
@@ -0,0 +1,98 @@
+#!/sbin/sh
+
+#
+# egd.rc: EGD start-up and shutdown script
+#
+
+# Allowed exit values:
+#       0 = success; causes "OK" to show up in checklist.
+#       1 = failure; causes "FAIL" to show up in checklist.
+#       2 = skip; causes "N/A" to show up in the checklist.
+#           Use this value if execution of this script is overridden
+#           by the use of a control variable, or if this script is not
+#           appropriate to execute for some other reason.
+#       3 = reboot; causes the system to be rebooted after execution.
+
+# Input and output:
+#       stdin is redirected from /dev/null
+#
+#       stdout and stderr are redirected to the /etc/rc.log file
+#       during checklist mode, or to the console in raw mode.
+
+umask 022
+
+PATH=/usr/sbin:/usr/bin:/sbin
+export PATH
+
+WHAT='EGD (entropy gathering daemon)'
+WHAT_PATH=/opt/perl/bin/egd.pl
+WHAT_CONFIG=/etc/rc.config.d/egd
+WHAT_LOG=/etc/opt/egd/egd.log
+
+# NOTE: If your script executes in run state 0 or state 1, then /usr might
+#       not be available.  Do not attempt to access commands or files in
+#       /usr unless your script executes in run state 2 or greater.  Other
+#       file systems typically not mounted until run state 2 include /var
+#       and /opt.
+
+rval=0
+
+# Check the exit value of a command run by this script.  If non-zero, the
+# exit code is echoed to the log file and the return value of this script
+# is set to indicate failure.
+
+set_return() {
+	x=$?
+	if [ $x -ne 0 ]; then
+		echo "EXIT CODE: $x"
+		rval=1	# script FAILed
+	fi
+}
+
+case $1 in
+'start_msg')
+	echo "Starting $WHAT"
+	;;
+
+'stop_msg')
+	echo "Stopping $WHAT"
+	;;
+
+'start')
+	if [ -f $WHAT_CONFIG ] ; then
+		. $WHAT_CONFIG
+	else
+		echo "ERROR: $WHAT_CONFIG defaults file MISSING"
+	fi
+	
+
+	if [ "$EGD_START" -eq 1 -a -x $WHAT_PATH ]; then
+		EGD_LOG=${EGD_LOG:-$WHAT_LOG}
+		su egd -c "nohup $WHAT_PATH $EGD_ARGS >$EGD_LOG 2>&1" &&
+			echo $WHAT started
+		set_return
+	else
+		rval=2
+	fi
+	;;
+
+'stop')
+	pid=`ps -fuegd | awk '$1 == "egd" { print $2 }'`
+	if [ "X$pid" != "X" ]; then
+		if kill "$pid"; then
+			echo "$WHAT stopped"
+		else
+			rval=1
+			echo "Unable to stop $WHAT"
+		fi
+	fi
+	set_return
+	;;
+
+*)
+	echo "usage: $0 {start|stop|start_msg|stop_msg}"
+	rval=1
+	;;
+esac
+
+exit $rval
diff --git a/contrib/hpux/sshd b/contrib/hpux/sshd
new file mode 100644
index 0000000..8eb5e92
--- /dev/null
+++ b/contrib/hpux/sshd
@@ -0,0 +1,5 @@
+# SSHD_START:		Set to 1 to start SSH daemon
+# SSHD_ARGS:		Command line arguments to pass to sshd
+#
+SSHD_START=1
+SSHD_ARGS=
diff --git a/contrib/hpux/sshd.rc b/contrib/hpux/sshd.rc
new file mode 100755
index 0000000..f9a1099
--- /dev/null
+++ b/contrib/hpux/sshd.rc
@@ -0,0 +1,90 @@
+#!/sbin/sh
+
+#
+# sshd.rc: SSH daemon start-up and shutdown script
+#
+
+# Allowed exit values:
+#	0 = success; causes "OK" to show up in checklist.
+#	1 = failure; causes "FAIL" to show up in checklist.
+#	2 = skip; causes "N/A" to show up in the checklist.
+#           Use this value if execution of this script is overridden
+#	    by the use of a control variable, or if this script is not
+#	    appropriate to execute for some other reason.
+#       3 = reboot; causes the system to be rebooted after execution.
+
+# Input and output:
+#	stdin is redirected from /dev/null
+#
+#	stdout and stderr are redirected to the /etc/rc.log file
+#	during checklist mode, or to the console in raw mode.
+
+PATH=/usr/sbin:/usr/bin:/sbin
+export PATH
+
+WHAT='OpenSSH'
+WHAT_PATH=/opt/openssh/sbin/sshd
+WHAT_PID=/var/run/sshd.pid
+WHAT_CONFIG=/etc/rc.config.d/sshd
+
+# NOTE: If your script executes in run state 0 or state 1, then /usr might
+#	not be available.  Do not attempt to access commands or files in
+#	/usr unless your script executes in run state 2 or greater.  Other
+#	file systems typically not mounted until run state 2 include /var
+#	and /opt.
+
+rval=0
+
+# Check the exit value of a command run by this script.  If non-zero, the
+# exit code is echoed to the log file and the return value of this script
+# is set to indicate failure.
+
+set_return() {
+	x=$?
+	if [ $x -ne 0 ]; then
+		echo "EXIT CODE: $x"
+		rval=1	# script FAILed
+	fi
+}
+
+case $1 in
+'start_msg')
+	echo "Starting $WHAT"
+	;;
+
+'stop_msg')
+	echo "Stopping $WHAT"
+	;;
+
+'start')
+	if [ -f $WHAT_CONFIG ] ; then
+		. $WHAT_CONFIG
+	else
+		echo "ERROR: $WHAT_CONFIG defaults file MISSING"
+	fi
+	
+	if [ "$SSHD_START" -eq 1 -a -x "$WHAT_PATH" ]; then
+		$WHAT_PATH $SSHD_ARGS && echo "$WHAT started"
+		set_return
+	else
+		rval=2
+	fi
+	;;
+
+'stop')
+	if kill `cat $WHAT_PID`; then
+		echo "$WHAT stopped"
+	else
+		rval=1
+		echo "Unable to stop $WHAT"
+	fi
+	set_return
+	;;
+
+*)
+	echo "usage: $0 {start|stop|start_msg|stop_msg}"
+	rval=1
+	;;
+esac
+
+exit $rval
diff --git a/contrib/redhat/gnome-ssh-askpass.csh b/contrib/redhat/gnome-ssh-askpass.csh
new file mode 100644
index 0000000..dd77712
--- /dev/null
+++ b/contrib/redhat/gnome-ssh-askpass.csh
@@ -0,0 +1 @@
+setenv SSH_ASKPASS /usr/libexec/openssh/gnome-ssh-askpass
diff --git a/contrib/redhat/gnome-ssh-askpass.sh b/contrib/redhat/gnome-ssh-askpass.sh
new file mode 100644
index 0000000..355189f
--- /dev/null
+++ b/contrib/redhat/gnome-ssh-askpass.sh
@@ -0,0 +1,2 @@
+SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
+export SSH_ASKPASS
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
new file mode 100644
index 0000000..423079a
--- /dev/null
+++ b/contrib/redhat/openssh.spec
@@ -0,0 +1,850 @@
+%global ver 9.2p1
+%global rel 1%{?dist}
+
+# OpenSSH privilege separation requires a user & group ID
+%global sshd_uid    74
+%global sshd_gid    74
+
+# Version of ssh-askpass
+%global aversion 1.2.4.1
+
+# Do we want to disable building of x11-askpass? (1=yes 0=no)
+%global no_x11_askpass 0
+
+# Do we want to disable building of gnome-askpass? (1=yes 0=no)
+%global no_gnome_askpass 0
+
+# Do we want to link against a static libcrypto? (1=yes 0=no)
+%global static_libcrypto 0
+
+# Do we want smartcard support (1=yes 0=no)
+%global scard 0
+
+# Use GTK2 instead of GNOME in gnome-ssh-askpass
+%global gtk2 1
+
+# Use build6x options for older RHEL builds
+# RHEL 7 not yet supported
+%if 0%{?rhel} > 6
+%global build6x 0
+%else
+%global build6x 1
+%endif
+
+%if 0%{?fedora} >= 26
+%global compat_openssl 1
+%else
+%global compat_openssl 0
+%endif
+
+# Do we want kerberos5 support (1=yes 0=no)
+%global kerberos5 1
+
+# Reserve options to override askpass settings with:
+# rpm -ba|--rebuild --define 'skip_xxx 1'
+%{?skip_x11_askpass:%global no_x11_askpass 1}
+%{?skip_gnome_askpass:%global no_gnome_askpass 1}
+
+# Add option to build without GTK2 for older platforms with only GTK+.
+# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples.
+# rpm -ba|--rebuild --define 'no_gtk2 1'
+%{?no_gtk2:%global gtk2 0}
+
+# Is this a build for RHL 6.x or earlier?
+%{?build_6x:%global build6x 1}
+
+# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
+%if %{build6x}
+%global _sysconfdir /etc
+%endif
+
+# Options for static OpenSSL link:
+# rpm -ba|--rebuild --define "static_openssl 1"
+%{?static_openssl:%global static_libcrypto 1}
+
+# Options for Smartcard support: (needs libsectok and openssl-engine)
+# rpm -ba|--rebuild --define "smartcard 1"
+%{?smartcard:%global scard 1}
+
+# Is this a build for the rescue CD (without PAM)? (1=yes 0=no)
+%global rescue 0
+%{?build_rescue:%global rescue 1}
+
+# Turn off some stuff for resuce builds
+%if %{rescue}
+%global kerberos5 0
+%endif
+
+Summary: The OpenSSH implementation of SSH protocol version 2.
+Name: openssh
+Version: %{ver}
+%if %{rescue}
+Release: %{rel}rescue
+%else
+Release: %{rel}
+%endif
+URL: https://www.openssh.com/portable.html
+Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
+Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
+License: BSD
+Group: Applications/Internet
+BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
+Obsoletes: ssh
+%if %{build6x}
+PreReq: initscripts >= 5.00
+%else
+Requires: initscripts >= 5.20
+%endif
+BuildRequires: perl
+%if %{compat_openssl}
+BuildRequires: compat-openssl10-devel
+%else
+BuildRequires: openssl-devel >= 1.0.1
+BuildRequires: openssl-devel < 1.1
+%endif
+BuildRequires: /bin/login
+%if ! %{build6x}
+BuildRequires: glibc-devel, pam
+%else
+BuildRequires: /usr/include/security/pam_appl.h
+%endif
+%if ! %{no_x11_askpass}
+BuildRequires: /usr/include/X11/Xlib.h
+# Xt development tools
+BuildRequires: libXt-devel
+# Provides xmkmf
+BuildRequires: imake
+# Rely on relatively recent gtk
+BuildRequires: gtk2-devel
+%endif
+%if ! %{no_gnome_askpass}
+BuildRequires: pkgconfig
+%endif
+%if %{kerberos5}
+BuildRequires: krb5-devel
+BuildRequires: krb5-libs
+%endif
+
+%package clients
+Summary: OpenSSH clients.
+Requires: openssh = %{version}-%{release}
+Group: Applications/Internet
+Obsoletes: ssh-clients
+
+%package server
+Summary: The OpenSSH server daemon.
+Group: System Environment/Daemons
+Obsoletes: ssh-server
+Requires: openssh = %{version}-%{release}, chkconfig >= 0.9
+%if ! %{build6x}
+Requires: /etc/pam.d/system-auth
+%endif
+
+%package askpass
+Summary: A passphrase dialog for OpenSSH and X.
+Group: Applications/Internet
+Requires: openssh = %{version}-%{release}
+Obsoletes: ssh-extras
+
+%package askpass-gnome
+Summary: A passphrase dialog for OpenSSH, X, and GNOME.
+Group: Applications/Internet
+Requires: openssh = %{version}-%{release}
+Obsoletes: ssh-extras
+
+%description
+SSH (Secure SHell) is a program for logging into and executing
+commands on a remote machine. SSH is intended to replace rlogin and
+rsh, and to provide secure encrypted communications between two
+untrusted hosts over an insecure network. X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's version of the last free version of SSH, bringing
+it up to date in terms of security and features, as well as removing
+all patented algorithms to separate libraries.
+
+This package includes the core files necessary for both the OpenSSH
+client and server. To make this package useful, you should also
+install openssh-clients, openssh-server, or both.
+
+%description clients
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package includes
+the clients necessary to make encrypted connections to SSH servers.
+You'll also need to install the openssh package on OpenSSH clients.
+
+%description server
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package contains
+the secure shell daemon (sshd). The sshd daemon allows SSH clients to
+securely connect to your SSH server. You also need to have the openssh
+package installed.
+
+%description askpass
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package contains
+an X11 passphrase dialog for OpenSSH.
+
+%description askpass-gnome
+OpenSSH is a free version of SSH (Secure SHell), a program for logging
+into and executing commands on a remote machine. This package contains
+an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
+environment.
+
+%prep
+
+%if ! %{no_x11_askpass}
+%setup -q -a 1
+%else
+%setup -q
+%endif
+
+%build
+%if %{rescue}
+CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
+%endif
+
+%configure \
+	--sysconfdir=%{_sysconfdir}/ssh \
+	--libexecdir=%{_libexecdir}/openssh \
+	--datadir=%{_datadir}/openssh \
+	--with-default-path=/usr/local/bin:/bin:/usr/bin \
+	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
+	--with-privsep-path=%{_var}/empty/sshd \
+	--mandir=%{_mandir} \
+	--with-mantype=man \
+	--disable-strip \
+%if %{scard}
+	--with-smartcard \
+%endif
+%if %{rescue}
+	--without-pam \
+%else
+	--with-pam \
+%endif
+%if %{kerberos5}
+	 --with-kerberos5=$K5DIR \
+%endif
+
+
+%if %{static_libcrypto}
+perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
+%endif
+
+make
+
+%if ! %{no_x11_askpass}
+pushd x11-ssh-askpass-%{aversion}
+%configure --libexecdir=%{_libexecdir}/openssh
+xmkmf -a
+make
+popd
+%endif
+
+# Define a variable to toggle gnome1/gtk2 building.  This is necessary
+# because RPM doesn't handle nested %if statements.
+%if %{gtk2}
+	gtk2=yes
+%else
+	gtk2=no
+%endif
+
+%if ! %{no_gnome_askpass}
+pushd contrib
+if [ $gtk2 = yes ] ; then
+	make gnome-ssh-askpass2
+	mv gnome-ssh-askpass2 gnome-ssh-askpass
+else
+	make gnome-ssh-askpass1
+	mv gnome-ssh-askpass1 gnome-ssh-askpass
+fi
+popd
+%endif
+
+%install
+rm -rf $RPM_BUILD_ROOT
+mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
+mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
+mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
+
+make install DESTDIR=$RPM_BUILD_ROOT
+
+install -d $RPM_BUILD_ROOT/etc/pam.d/
+install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
+install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
+%if %{build6x}
+install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
+%else
+install -m644 contrib/redhat/sshd.pam     $RPM_BUILD_ROOT/etc/pam.d/sshd
+%endif
+install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
+
+%if ! %{no_x11_askpass}
+install x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
+ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
+%endif
+
+%if ! %{no_gnome_askpass}
+install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
+%endif
+
+%if ! %{scard}
+	 rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
+%endif
+
+%if ! %{no_gnome_askpass}
+install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
+%endif
+
+perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%triggerun server -- ssh-server
+if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then
+	touch /var/run/sshd.restart
+fi
+
+%triggerun server -- openssh-server < 2.5.0p1
+# Count the number of HostKey and HostDsaKey statements we have.
+gawk	'BEGIN {IGNORECASE=1}
+	 /^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1}
+	 END {exit sawhostkey}' /etc/ssh/sshd_config
+# And if we only found one, we know the client was relying on the old default
+# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't
+# specified.  Now that HostKey is used for both SSH1 and SSH2 keys, specifying
+# one nullifies the default, which would have loaded both.
+if [ $? -eq 1 ] ; then
+	echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
+	echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
+fi
+
+%triggerpostun server -- ssh-server
+if [ "$1" != 0 ] ; then
+	/sbin/chkconfig --add sshd
+	if test -f /var/run/sshd.restart ; then
+		rm -f /var/run/sshd.restart
+		/sbin/service sshd start > /dev/null 2>&1 || :
+	fi
+fi
+
+%pre server
+%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || :
+%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
+	-g sshd -M -r sshd 2>/dev/null || :
+
+%post server
+/sbin/chkconfig --add sshd
+
+%postun server
+/sbin/service sshd condrestart > /dev/null 2>&1 || :
+
+%preun server
+if [ "$1" = 0 ]
+then
+	/sbin/service sshd stop > /dev/null 2>&1 || :
+	/sbin/chkconfig --del sshd
+fi
+
+%files
+%defattr(-,root,root)
+%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO
+%attr(0755,root,root) %{_bindir}/scp
+%attr(0644,root,root) %{_mandir}/man1/scp.1*
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
+%if ! %{rescue}
+%attr(0755,root,root) %{_bindir}/ssh-keygen
+%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
+%attr(0755,root,root) %dir %{_libexecdir}/openssh
+%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
+%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
+%attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper
+%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
+%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
+%attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
+%endif
+%if %{scard}
+%attr(0755,root,root) %dir %{_datadir}/openssh
+%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
+%endif
+
+%files clients
+%defattr(-,root,root)
+%attr(0755,root,root) %{_bindir}/ssh
+%attr(0644,root,root) %{_mandir}/man1/ssh.1*
+%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
+%if ! %{rescue}
+%attr(2755,root,nobody) %{_bindir}/ssh-agent
+%attr(0755,root,root) %{_bindir}/ssh-add
+%attr(0755,root,root) %{_bindir}/ssh-keyscan
+%attr(0755,root,root) %{_bindir}/sftp
+%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
+%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
+%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
+%attr(0644,root,root) %{_mandir}/man1/sftp.1*
+%endif
+
+%if ! %{rescue}
+%files server
+%defattr(-,root,root)
+%dir %attr(0111,root,root) %{_var}/empty/sshd
+%attr(0755,root,root) %{_sbindir}/sshd
+%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
+%attr(0644,root,root) %{_mandir}/man8/sshd.8*
+%attr(0644,root,root) %{_mandir}/man5/moduli.5*
+%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
+%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
+%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
+%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
+%endif
+
+%if ! %{no_x11_askpass}
+%files askpass
+%defattr(-,root,root)
+%doc x11-ssh-askpass-%{aversion}/README
+%doc x11-ssh-askpass-%{aversion}/ChangeLog
+%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
+%{_libexecdir}/openssh/ssh-askpass
+%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass
+%endif
+
+%if ! %{no_gnome_askpass}
+%files askpass-gnome
+%defattr(-,root,root)
+%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
+%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
+%endif
+
+%changelog
+* Thu Oct 28 2021 Damien Miller <djm@mindrot.org>
+- Remove remaining traces of --with-md5-passwords
+
+* Mon Jul 20 2020 Damien Miller <djm@mindrot.org>
+- Add ssh-sk-helper and corresponding manual page.
+
+* Sat Feb 10 2018 Darren Tucker <dtucker@dtucker.net>
+- Update openssl-devel dependency to match current requirements.
+- Handle Fedora >=6 openssl 1.0 compat libs.
+- Remove SSH1 from description.
+- Don't strip binaries at build time so that debuginfo package can be
+  created.
+
+* Sun Nov 16 2014 Nico Kadel-Garcia <nakdel@gmail.com>
+- Add '--mandir' and '--with-mantype' for RHEL 5 compatibility
+- Add 'dist' option to 'ver' so package names reflect OS at build time
+- Always include x11-ssh-askpass tarball in SRPM
+- Add openssh-x11-aspass BuildRequires for libXT-devel, imake, gtk2-devel
+- Discard 'K5DIR' reporting, not usable inside 'mock' for RHEL 5 compatibility
+- Discard obsolete '--with-rsh' configure option
+- Update openssl-devel dependency to 0.9.8f, as found in autoconf
+
+* Wed Jul 14 2010 Tim Rice <tim@multitalents.net>
+- test for skip_x11_askpass (line 77) should have been for no_x11_askpass
+
+* Mon Jun 2 2003 Damien Miller <djm@mindrot.org>
+- Remove noip6 option. This may be controlled at run-time in client config
+  file using new AddressFamily directive
+
+* Mon May 12 2003 Damien Miller <djm@mindrot.org>
+- Don't install profile.d scripts when not building with GNOME/GTK askpass
+  (patch from bet@rahul.net)
+
+* Tue Oct 01 2002 Damien Miller <djm@mindrot.org>
+- Install ssh-agent setgid nobody to prevent ptrace() key theft attacks
+
+* Mon Sep 30 2002 Damien Miller <djm@mindrot.org>
+- Use contrib/ Makefile for building askpass programs
+
+* Fri Jun 21 2002 Damien Miller <djm@mindrot.org>
+- Merge in spec changes from seba@iq.pl (Sebastian Pachuta)
+- Add new {ssh,sshd}_config.5 manpages
+- Add new ssh-keysign program and remove setuid from ssh client
+
+* Fri May 10 2002 Damien Miller <djm@mindrot.org>
+- Merge in spec changes from RedHat, reorgansie a little
+- Add Privsep user, group and directory
+
+* Thu Mar  7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-2
+- bump and grind (through the build system)
+
+* Thu Mar  7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-1
+- require sharutils for building (mindrot #137)
+- require db1-devel only when building for 6.x (#55105), which probably won't
+  work anyway (3.1 requires OpenSSL 0.9.6 to build), but what the heck
+- require pam-devel by file (not by package name) again
+- add Markus's patch to compile with OpenSSL 0.9.5a (from
+  http://bugzilla.mindrot.org/show_bug.cgi?id=141) and apply it if we're
+  building for 6.x
+
+* Thu Mar  7 2002 Nalin Dahyabhai <nalin@redhat.com> 3.1p1-0
+- update to 3.1p1
+
+* Tue Mar  5 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020305
+- update to SNAP-20020305
+- drop debug patch, fixed upstream
+
+* Wed Feb 20 2002 Nalin Dahyabhai <nalin@redhat.com> SNAP-20020220
+- update to SNAP-20020220 for testing purposes (you've been warned, if there's
+  anything to be warned about, gss patches won't apply, I don't mind)
+
+* Wed Feb 13 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-3
+- add patches from Simon Wilkinson and Nicolas Williams for GSSAPI key
+  exchange, authentication, and named key support
+
+* Wed Jan 23 2002 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-2
+- remove dependency on db1-devel, which has just been swallowed up whole
+  by gnome-libs-devel
+
+* Sat Dec 29 2001 Nalin Dahyabhai <nalin@redhat.com>
+- adjust build dependencies so that build6x actually works right (fix
+  from Hugo van der Kooij)
+
+* Tue Dec  4 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.2p1-1
+- update to 3.0.2p1
+
+* Fri Nov 16 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0.1p1-1
+- update to 3.0.1p1
+
+* Tue Nov 13 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to current CVS (not for use in distribution)
+
+* Thu Nov  8 2001 Nalin Dahyabhai <nalin@redhat.com> 3.0p1-1
+- merge some of Damien Miller <djm@mindrot.org> changes from the upstream
+  3.0p1 spec file and init script
+
+* Wed Nov  7 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 3.0p1
+- update to x11-ssh-askpass 1.2.4.1
+- change build dependency on a file from pam-devel to the pam-devel package
+- replace primes with moduli
+
+* Thu Sep 27 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-9
+- incorporate fix from Markus Friedl's advisory for IP-based authorization bugs
+
+* Thu Sep 13 2001 Bernhard Rosenkraenzer <bero@redhat.com> 2.9p2-8
+- Merge changes to rescue build from current sysadmin survival cd
+
+* Thu Sep  6 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-7
+- fix scp's server's reporting of file sizes, and build with the proper
+  preprocessor define to get large-file capable open(), stat(), etc.
+  (sftp has been doing this correctly all along) (#51827)
+- configure without --with-ipv4-default on RHL 7.x and newer (#45987,#52247)
+- pull cvs patch to fix support for /etc/nologin for non-PAM logins (#47298)
+- mark profile.d scriptlets as config files (#42337)
+- refer to Jason Stone's mail for zsh workaround for exit-hanging quasi-bug
+- change a couple of log() statements to debug() statements (#50751)
+- pull cvs patch to add -t flag to sshd (#28611)
+- clear fd_sets correctly (one bit per FD, not one byte per FD) (#43221)
+
+* Mon Aug 20 2001 Nalin Dahyabhai <nalin@redhat.com> 2.9p2-6
+- add db1-devel as a BuildPrerequisite (noted by Hans Ecke)
+
+* Thu Aug 16 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pull cvs patch to fix remote port forwarding with protocol 2
+
+* Thu Aug  9 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pull cvs patch to add session initialization to no-pty sessions
+- pull cvs patch to not cut off challengeresponse auth needlessly
+- refuse to do X11 forwarding if xauth isn't there, handy if you enable
+  it by default on a system that doesn't have X installed (#49263)
+
+* Wed Aug  8 2001 Nalin Dahyabhai <nalin@redhat.com>
+- don't apply patches to code we don't intend to build (spotted by Matt Galgoci)
+
+* Mon Aug  6 2001 Nalin Dahyabhai <nalin@redhat.com>
+- pass OPTIONS correctly to initlog (#50151)
+
+* Wed Jul 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- switch to x11-ssh-askpass 1.2.2
+
+* Wed Jul 11 2001 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment
+
+* Mon Jun 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- disable the gssapi patch
+
+* Mon Jun 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.9p2
+- refresh to a new version of the gssapi patch
+
+* Thu Jun  7 2001 Nalin Dahyabhai <nalin@redhat.com>
+- change Copyright: BSD to License: BSD
+- add Markus Friedl's unverified patch for the cookie file deletion problem
+  so that we can verify it
+- drop patch to check if xauth is present (was folded into cookie patch)
+- don't apply gssapi patches for the errata candidate
+- clear supplemental groups list at startup
+
+* Fri May 25 2001 Nalin Dahyabhai <nalin@redhat.com>
+- fix an error parsing the new default sshd_config
+- add a fix from Markus Friedl (via openssh-unix-dev) for ssh-keygen not
+  dealing with comments right
+
+* Thu May 24 2001 Nalin Dahyabhai <nalin@redhat.com>
+- add in Simon Wilkinson's GSSAPI patch to give it some testing in-house,
+  to be removed before the next beta cycle because it's a big departure
+  from the upstream version
+
+* Thu May  3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- finish marking strings in the init script for translation
+- modify init script to source /etc/sysconfig/sshd and pass $OPTIONS to sshd
+  at startup (change merged from openssh.com init script, originally by
+  Pekka Savola)
+- refuse to do X11 forwarding if xauth isn't there, handy if you enable
+  it by default on a system that doesn't have X installed
+
+* Wed May  2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.9
+- drop various patches that came from or went upstream or to or from CVS
+
+* Wed Apr 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- only require initscripts 5.00 on 6.2 (reported by Peter Bieringer)
+
+* Sun Apr  8 2001 Preston Brown <pbrown@redhat.com>
+- remove explicit openssl requirement, fixes builddistro issue
+- make initscript stop() function wait until sshd really dead to avoid
+  races in condrestart
+
+* Mon Apr  2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- mention that challengereponse supports PAM, so disabling password doesn't
+  limit users to pubkey and rsa auth (#34378)
+- bypass the daemon() function in the init script and call initlog directly,
+  because daemon() won't start a daemon it detects is already running (like
+  open connections)
+- require the version of openssl we had when we were built
+
+* Fri Mar 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- make do_pam_setcred() smart enough to know when to establish creds and
+  when to reinitialize them
+- add in a couple of other fixes from Damien for inclusion in the errata
+
+* Thu Mar 22 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.5.2p2
+- call setcred() again after initgroups, because the "creds" could actually
+  be group memberships
+
+* Tue Mar 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- update to 2.5.2p1 (includes endianness fixes in the rijndael implementation)
+- don't enable challenge-response by default until we find a way to not
+  have too many userauth requests (we may make up to six pubkey and up to
+  three password attempts as it is)
+- remove build dependency on rsh to match openssh.com's packages more closely
+
+* Sat Mar  3 2001 Nalin Dahyabhai <nalin@redhat.com>
+- remove dependency on openssl -- would need to be too precise
+
+* Fri Mar  2 2001 Nalin Dahyabhai <nalin@redhat.com>
+- rebuild in new environment
+
+* Mon Feb 26 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Revert the patch to move pam_open_session.
+- Init script and spec file changes from Pekka Savola. (#28750)
+- Patch sftp to recognize '-o protocol' arguments. (#29540)
+
+* Thu Feb 22 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Chuck the closing patch.
+- Add a trigger to add host keys for protocol 2 to the config file, now that
+  configuration file syntax requires us to specify it with HostKey if we
+  specify any other HostKey values, which we do.
+
+* Tue Feb 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Redo patch to move pam_open_session after the server setuid()s to the user.
+- Rework the nopam patch to use be picked up by autoconf.
+
+* Mon Feb 19 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Update for 2.5.1p1.
+- Add init script mods from Pekka Savola.
+- Tweak the init script to match the CVS contrib script more closely.
+- Redo patch to ssh-add to try to adding both identity and id_dsa to also try
+  adding id_rsa.
+
+* Fri Feb 16 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Update for 2.5.0p1.
+- Use $RPM_OPT_FLAGS instead of -O when building gnome-ssh-askpass
+- Resync with parts of Damien Miller's openssh.spec from CVS, including
+  update of x11 askpass to 1.2.0.
+- Only require openssl (don't prereq) because we generate keys in the init
+  script now.
+
+* Tue Feb 13 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Don't open a PAM session until we've forked and become the user (#25690).
+- Apply Andrew Bartlett's patch for letting pam_authenticate() know which
+  host the user is attempting a login from.
+- Resync with parts of Damien Miller's openssh.spec from CVS.
+- Don't expose KbdInt responses in debug messages (from CVS).
+- Detect and handle errors in rsa_{public,private}_decrypt (from CVS).
+
+* Wed Feb  7 2001 Trond Eivind Glomsrxd <teg@redhat.com>
+- i18n-tweak to initscript.
+
+* Tue Jan 23 2001 Nalin Dahyabhai <nalin@redhat.com>
+- More gettextizing.
+- Close all files after going into daemon mode (needs more testing).
+- Extract patch from CVS to handle auth banners (in the client).
+- Extract patch from CVS to handle compat weirdness.
+
+* Fri Jan 19 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Finish with the gettextizing.
+
+* Thu Jan 18 2001 Nalin Dahyabhai <nalin@redhat.com>
+- Fix a bug in auth2-pam.c (#23877)
+- Gettextize the init script.
+
+* Wed Dec 20 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Incorporate a switch for using PAM configs for 6.x, just in case.
+
+* Tue Dec  5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Incorporate Bero's changes for a build specifically for rescue CDs.
+
+* Wed Nov 29 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Don't treat pam_setcred() failure as fatal unless pam_authenticate() has
+  succeeded, to allow public-key authentication after a failure with "none"
+  authentication.  (#21268)
+
+* Tue Nov 28 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to x11-askpass 1.1.1. (#21301)
+- Don't second-guess fixpaths, which causes paths to get fixed twice. (#21290)
+
+* Mon Nov 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Merge multiple PAM text messages into subsequent prompts when possible when
+  doing keyboard-interactive authentication.
+
+* Sun Nov 26 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Disable the built-in MD5 password support.  We're using PAM.
+- Take a crack at doing keyboard-interactive authentication with PAM, and
+  enable use of it in the default client configuration so that the client
+  will try it when the server disallows password authentication.
+- Build with debugging flags.  Build root policies strip all binaries anyway.
+
+* Tue Nov 21 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Use DESTDIR instead of %%makeinstall.
+- Remove /usr/X11R6/bin from the path-fixing patch.
+
+* Mon Nov 20 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Add the primes file from the latest snapshot to the main package (#20884).
+- Add the dev package to the prereq list (#19984).
+- Remove the default path and mimic login's behavior in the server itself.
+
+* Fri Nov 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Resync with conditional options in Damien Miller's .spec file for an errata.
+- Change libexecdir from %%{_libexecdir}/ssh to %%{_libexecdir}/openssh.
+
+* Tue Nov  7 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to OpenSSH 2.3.0p1.
+- Update to x11-askpass 1.1.0.
+- Enable keyboard-interactive authentication.
+
+* Mon Oct 30 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to ssh-askpass-x11 1.0.3.
+- Change authentication related messages to be private (#19966).
+
+* Tue Oct 10 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Patch ssh-keygen to be able to list signatures for DSA public key files
+  it generates.
+
+* Thu Oct  5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Add BuildRequires on /usr/include/security/pam_appl.h to be sure we always
+  build PAM authentication in.
+- Try setting SSH_ASKPASS if gnome-ssh-askpass is installed.
+- Clean out no-longer-used patches.
+- Patch ssh-add to try to add both identity and id_dsa, and to error only
+  when neither exists.
+
+* Mon Oct  2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update x11-askpass to 1.0.2. (#17835)
+- Add BuildRequiress for /bin/login and /usr/bin/rsh so that configure will
+  always find them in the right place. (#17909)
+- Set the default path to be the same as the one supplied by /bin/login, but
+  add /usr/X11R6/bin. (#17909)
+- Try to handle obsoletion of ssh-server more cleanly.  Package names
+  are different, but init script name isn't. (#17865)
+
+* Wed Sep  6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.2.0p1. (#17835)
+- Tweak the init script to allow proper restarting. (#18023)
+
+* Wed Aug 23 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 20000823 snapshot.
+- Change subpackage requirements from %%{version} to %%{version}-%%{release}
+- Back out the pipe patch.
+
+* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.1.1p4, which includes fixes for config file parsing problems.
+- Move the init script back.
+- Add Damien's quick fix for wackiness.
+
+* Wed Jul 12 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.1.1p3, which includes fixes for X11 forwarding and strtok().
+
+* Thu Jul  6 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Move condrestart to server postun.
+- Move key generation to init script.
+- Actually use the right patch for moving the key generation to the init script.
+- Clean up the init script a bit.
+
+* Wed Jul  5 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Fix X11 forwarding, from mail post by Chan Shih-Ping Richard.
+
+* Sun Jul  2 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.1.1p2.
+- Use of strtok() considered harmful.
+
+* Sat Jul  1 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Get the build root out of the man pages.
+
+* Thu Jun 29 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Add and use condrestart support in the init script.
+- Add newer initscripts as a prereq.
+
+* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Build in new environment (release 2)
+- Move -clients subpackage to Applications/Internet group
+
+* Fri Jun  9 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Update to 2.2.1p1
+
+* Sat Jun  3 2000 Nalin Dahyabhai <nalin@redhat.com>
+- Patch to build with neither RSA nor RSAref.
+- Miscellaneous FHS-compliance tweaks.
+- Fix for possibly-compressed man pages.
+
+* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
+- Updated for new location
+- Updated for new gnome-ssh-askpass build
+
+* Sun Dec 26 1999 Damien Miller <djm@mindrot.org>
+- Added Jim Knoble's <jmknoble@pobox.com> askpass
+
+* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
+- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
+
+* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
+- Added 'Obsoletes' directives
+
+* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
+- Use make install
+- Subpackages
+
+* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
+- Added links for slogin
+- Fixed perms on manpages
+
+* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
+- Renamed init script
+
+* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
+- Back to old binary names
+
+* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
+- Use autoconf
+- New binary names
+
+* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
+- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
diff --git a/contrib/redhat/sshd.init b/contrib/redhat/sshd.init
new file mode 100755
index 0000000..8ee5fcd
--- /dev/null
+++ b/contrib/redhat/sshd.init
@@ -0,0 +1,105 @@
+#!/bin/bash
+#
+# Init file for OpenSSH server daemon
+#
+# chkconfig: 2345 55 25
+# description: OpenSSH server daemon
+#
+# processname: sshd
+# config: /etc/ssh/ssh_host_key
+# config: /etc/ssh/ssh_host_key.pub
+# config: /etc/ssh/ssh_random_seed
+# config: /etc/ssh/sshd_config
+# pidfile: /var/run/sshd.pid
+
+# source function library
+. /etc/rc.d/init.d/functions
+
+# pull in sysconfig settings
+[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
+
+RETVAL=0
+prog="sshd"
+
+# Some functions to make the below more readable
+SSHD=/usr/sbin/sshd
+PID_FILE=/var/run/sshd.pid
+
+do_restart_sanity_check()
+{
+	$SSHD -t
+	RETVAL=$?
+	if [ $RETVAL -ne 0 ]; then
+		failure $"Configuration file or keys are invalid"
+		echo
+	fi
+}
+
+start()
+{
+	# Create keys if necessary
+	/usr/bin/ssh-keygen -A
+	if [ -x /sbin/restorecon ]; then
+		/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
+		/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
+		/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
+	fi
+
+	echo -n $"Starting $prog:"
+	$SSHD $OPTIONS && success || failure
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
+	echo
+}
+
+stop()
+{
+	echo -n $"Stopping $prog:"
+	killproc $SSHD -TERM
+	RETVAL=$?
+	[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
+	echo
+}
+
+reload()
+{
+	echo -n $"Reloading $prog:"
+	killproc $SSHD -HUP
+	RETVAL=$?
+	echo
+}
+
+case "$1" in
+	start)
+		start
+		;;
+	stop)
+		stop
+		;;
+	restart)
+		stop
+		start
+		;;
+	reload)
+		reload
+		;;
+	condrestart)
+		if [ -f /var/lock/subsys/sshd ] ; then
+			do_restart_sanity_check
+			if [ $RETVAL -eq 0 ] ; then
+				stop
+				# avoid race
+				sleep 3
+				start
+			fi
+		fi
+		;;
+	status)
+		status $SSHD
+		RETVAL=$?
+		;;
+	*)
+		echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
+		RETVAL=1
+esac
+exit $RETVAL
diff --git a/contrib/redhat/sshd.pam b/contrib/redhat/sshd.pam
new file mode 100644
index 0000000..ffa5adb
--- /dev/null
+++ b/contrib/redhat/sshd.pam
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth       required     pam_stack.so service=system-auth
+account    required     pam_nologin.so
+account    required     pam_stack.so service=system-auth
+password   required     pam_stack.so service=system-auth
+session    required     pam_stack.so service=system-auth
diff --git a/contrib/solaris/README b/contrib/solaris/README
new file mode 100644
index 0000000..cabecaa
--- /dev/null
+++ b/contrib/solaris/README
@@ -0,0 +1,30 @@
+The following is a new package build script for Solaris.   This is being
+introduced into OpenSSH 3.0 and above in hopes of simplifying the build
+process.  As of 3.1p2 the script should work on all platforms that have
+SVR4 style package tools.
+
+The build process is called a 'dummy install'.. Which means the software does
+a  "make install-nokeys DESTDIR=[fakeroot]".  This way all manpages should
+be handled correctly and key are deferred until the first time the sshd
+is started.
+
+Directions:
+
+1. make -F Makefile.in distprep  (Only if you are getting from the CVS tree)
+2. ./configure --with-pam [..any other options you want..]
+3. look at the top of buildpkg.sh for the configurable options and put
+   any changes you want in openssh-config.local. Additional customizations
+   can be done to the build process by creating one or more of the following
+   scripts that will be sourced by buildpkg.sh.
+	pkg_post_make_install_fixes.sh pkg-post-prototype-edit.sh
+	pkg-preinstall.local pkg-postinstall.local pkg-preremove.local
+	pkg-postremove.local pkg-request.local
+4. Run "make package"
+
+If all goes well you should have a solaris package ready to be installed.
+
+If you have any problems with this script please post them to
+openssh-unix-dev@mindrot.org and I will try to assist you as best as I can.
+
+- Ben Lindstrom
+
diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
new file mode 100644
index 0000000..cd122de
--- /dev/null
+++ b/contrib/ssh-copy-id
@@ -0,0 +1,377 @@
+#!/bin/sh
+
+# Copyright (c) 1999-2020 Philip Hands <phil@hands.com>
+#               2020 Matthias Blümel <blaimi@blaimi.de>
+#               2017 Sebastien Boyron <seb@boyron.eu>
+#               2013 Martin Kletzander <mkletzan@redhat.com>
+#               2010 Adeodato =?iso-8859-1?Q?Sim=F3?= <asp16@alu.ua.es>
+#               2010 Eric Moret <eric.moret@gmail.com>
+#               2009 Xr <xr@i-jeuxvideo.com>
+#               2007 Justin Pryzby <justinpryzby@users.sourceforge.net>
+#               2004 Reini Urban <rurban@x-ray.at>
+#               2003 Colin Watson <cjwatson@debian.org>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Shell script to install your public key(s) on a remote machine
+# See the ssh-copy-id(1) man page for details
+
+# shellcheck shell=dash
+
+# check that we have something mildly sane as our shell, or try to find something better
+if false ^ printf "%s: WARNING: ancient shell, hunting for a more modern one... " "$0"
+then
+  SANE_SH=${SANE_SH:-/usr/bin/ksh}
+  if printf 'true ^ false\n' | "$SANE_SH"
+  then
+    printf "'%s' seems viable.\\n" "$SANE_SH"
+    exec "$SANE_SH" "$0" "$@"
+  else
+    cat <<-EOF
+	oh dear.
+
+	  If you have a more recent shell available, that supports \$(...) etc.
+	  please try setting the environment variable SANE_SH to the path of that
+	  shell, and then retry running this script. If that works, please report
+	  a bug describing your setup, and the shell you used to make it work.
+
+	EOF
+    printf '%s: ERROR: Less dimwitted shell required.\n' "$0"
+    exit 1
+  fi
+fi
+
+# shellcheck disable=SC2010
+DEFAULT_PUB_ID_FILE=$(ls -t "${HOME}"/.ssh/id*.pub 2>/dev/null | grep -v -- '-cert.pub$' | head -n 1)
+SSH="ssh -a -x"
+umask 0177
+
+usage () {
+  printf 'Usage: %s [-h|-?|-f|-n|-s] [-i [identity_file]] [-p port] [-F alternative ssh_config file] [[-o <ssh -o options>] ...] [user@]hostname\n' "$0" >&2
+  printf '\t-f: force mode -- copy keys without trying to check if they are already installed\n' >&2
+  printf '\t-n: dry run    -- no keys are actually copied\n' >&2
+  printf '\t-s: use sftp   -- use sftp instead of executing remote-commands. Can be useful if the remote only allows sftp\n' >&2
+  printf '\t-h|-?: print this help\n' >&2
+  exit 1
+}
+
+# escape any single quotes in an argument
+quote() {
+  printf '%s\n' "$1" | sed -e "s/'/'\\\\''/g"
+}
+
+use_id_file() {
+  L_ID_FILE="$1"
+
+  if [ -z "$L_ID_FILE" ] ; then
+    printf '%s: ERROR: no ID file found\n' "$0"
+    exit 1
+  fi
+
+  if expr "$L_ID_FILE" : '.*\.pub$' >/dev/null ; then
+    PUB_ID_FILE="$L_ID_FILE"
+  else
+    PUB_ID_FILE="$L_ID_FILE.pub"
+  fi
+
+  [ "$FORCED" ] || PRIV_ID_FILE=$(dirname "$PUB_ID_FILE")/$(basename "$PUB_ID_FILE" .pub)
+
+  # check that the files are readable
+  for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
+    ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
+      L_PRIVMSG=""
+      [ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG="	(to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
+      printf "\\n%s: ERROR: failed to open ID file '%s': %s\\n" "$0" "$f" "$(printf '%s\n%s\n' "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
+      exit 1
+    }
+  done
+  printf '%s: INFO: Source of key(s) to be installed: "%s"\n' "$0" "$PUB_ID_FILE" >&2
+  GET_ID="cat \"$PUB_ID_FILE\""
+}
+
+if [ -n "$SSH_AUTH_SOCK" ] && ssh-add -L >/dev/null 2>&1 ; then
+  GET_ID="ssh-add -L"
+fi
+
+while getopts "i:o:p:F:fnsh?" OPT
+do
+  case "$OPT" in
+    i)
+      [ "${SEEN_OPT_I}" ] && {
+        printf '\n%s: ERROR: -i option must not be specified more than once\n\n' "$0"
+        usage
+      }
+      SEEN_OPT_I="yes"
+      use_id_file "${OPTARG:-$DEFAULT_PUB_ID_FILE}"
+      ;;
+    o|p|F)
+      SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }-$OPT '$(quote "${OPTARG}")'"
+      ;;
+    f)
+      FORCED=1
+      ;;
+    n)
+      DRY_RUN=1
+      ;;
+    s)
+      SFTP=sftp
+      ;;
+    h|\?)
+      usage
+      ;;
+  esac
+done 
+#shift all args to keep only USER_HOST
+shift $((OPTIND-1))
+
+if [ $# = 0 ] ; then
+  usage
+fi
+if [ $# != 1 ] ; then
+  printf '%s: ERROR: Too many arguments.  Expecting a target hostname, got: %s\n\n' "$0" "$SAVEARGS" >&2
+  usage
+fi
+
+# drop trailing colon
+USER_HOST="$*"
+# tack the hostname onto SSH_OPTS
+SSH_OPTS="${SSH_OPTS:+$SSH_OPTS }'$(quote "$USER_HOST")'"
+# and populate "$@" for later use (only way to get proper quoting of options)
+eval set -- "$SSH_OPTS"
+
+# shellcheck disable=SC2086
+if [ -z "$(eval $GET_ID)" ] && [ -r "${PUB_ID_FILE:=$DEFAULT_PUB_ID_FILE}" ] ; then
+  use_id_file "$PUB_ID_FILE"
+fi
+
+# shellcheck disable=SC2086
+if [ -z "$(eval $GET_ID)" ] ; then
+  printf '%s: ERROR: No identities found\n' "$0" >&2
+  exit 1
+fi
+
+# filter_ids()
+# tries to log in using the keys piped to it, and filters out any that work
+filter_ids() {
+  L_SUCCESS="$1"
+  L_TMP_ID_FILE="$SCRATCH_DIR"/popids_tmp_id
+  L_OUTPUT_FILE="$SCRATCH_DIR"/popids_output
+
+  # repopulate "$@" inside this function
+  eval set -- "$SSH_OPTS"
+
+  while read -r ID || [ "$ID" ] ; do
+    printf '%s\n' "$ID" > "$L_TMP_ID_FILE"
+
+    # the next line assumes $PRIV_ID_FILE only set if using a single id file - this
+    # assumption will break if we implement the possibility of multiple -i options.
+    # The point being that if file based, ssh needs the private key, which it cannot
+    # find if only given the contents of the .pub file in an unrelated tmpfile
+    $SSH -i "${PRIV_ID_FILE:-$L_TMP_ID_FILE}" \
+      -o ControlPath=none \
+      -o LogLevel=INFO \
+      -o PreferredAuthentications=publickey \
+      -o IdentitiesOnly=yes "$@" exit >"$L_OUTPUT_FILE" 2>&1 </dev/null
+    if [ "$?" = "$L_SUCCESS" ] || {
+         [ "$SFTP" ] && grep 'allows sftp connections only' "$L_OUTPUT_FILE" >/dev/null
+         # this error counts as a success if we're setting up an sftp connection
+       }
+    then
+      : > "$L_TMP_ID_FILE"
+    else
+      grep 'Permission denied' "$L_OUTPUT_FILE" >/dev/null || {
+        sed -e 's/^/ERROR: /' <"$L_OUTPUT_FILE" >"$L_TMP_ID_FILE"
+        cat >/dev/null #consume the other keys, causing loop to end
+      }
+    fi
+
+    cat "$L_TMP_ID_FILE"
+  done
+}
+
+# populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
+# and has the side effect of setting $NEW_IDS
+populate_new_ids() {
+  if [ "$FORCED" ] ; then
+    # shellcheck disable=SC2086
+    NEW_IDS=$(eval $GET_ID)
+    return
+  fi
+
+  printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
+  # shellcheck disable=SC2086
+  NEW_IDS=$(eval $GET_ID | filter_ids $1)
+
+  if expr "$NEW_IDS" : "^ERROR: " >/dev/null ; then
+    printf '\n%s: %s\n\n' "$0" "$NEW_IDS" >&2
+    exit 1
+  fi
+  if [ -z "$NEW_IDS" ] ; then
+    printf '\n%s: WARNING: All keys were skipped because they already exist on the remote system.\n' "$0" >&2
+    printf '\t\t(if you think this is a mistake, you may want to use -f option)\n\n' >&2
+    exit 0
+  fi
+  printf '%s: INFO: %d key(s) remain to be installed -- if you are prompted now it is to install the new keys\n' "$0" "$(printf '%s\n' "$NEW_IDS" | wc -l)" >&2
+}
+
+# installkey_sh [target_path]
+#    produce a one-liner to add the keys to remote authorized_keys file
+#    optionally takes an alternative path for authorized_keys
+installkeys_sh() {
+  AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
+  AUTH_KEY_DIR=$(dirname "${AUTH_KEY_FILE}")
+
+  # In setting INSTALLKEYS_SH:
+  #    the tr puts it all on one line (to placate tcsh)
+  #      (hence the excessive use of semi-colons (;) )
+  # then in the command:
+  #    cd to be at $HOME, just in case;
+  #    the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
+  #    the cat adds the keys we're getting via STDIN
+  #    and if available restorecon is used to restore the SELinux context
+  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
+	cd;
+	umask 077;
+	mkdir -p "${AUTH_KEY_DIR}" &&
+		{ [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] ||
+			echo >> "${AUTH_KEY_FILE}" || exit 1; } &&
+		cat >> "${AUTH_KEY_FILE}" || exit 1;
+	if type restorecon >/dev/null 2>&1; then
+		restorecon -F "${AUTH_KEY_DIR}" "${AUTH_KEY_FILE}";
+	fi
+	EOF
+  )
+
+  # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
+  printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
+}
+
+#shellcheck disable=SC2120 # the 'eval set' confuses this
+installkeys_via_sftp() {
+
+  # repopulate "$@" inside this function
+  eval set -- "$SSH_OPTS"
+
+  L_KEYS=$SCRATCH_DIR/authorized_keys
+  L_SHARED_CON=$SCRATCH_DIR/master-conn
+  $SSH -f -N -M -S "$L_SHARED_CON" "$@"
+  L_CLEANUP="$SSH -S $L_SHARED_CON -O exit 'ignored' >/dev/null 2>&1 ; $SCRATCH_CLEANUP"
+  #shellcheck disable=SC2064
+  trap "$L_CLEANUP" EXIT TERM INT QUIT
+  sftp -b - -o "ControlPath=$L_SHARED_CON" "ignored" <<-EOF || return 1
+	-get .ssh/authorized_keys $L_KEYS
+	EOF
+  # add a newline or create file if it's missing, same like above
+  [ -z "$(tail -1c "$L_KEYS" 2>/dev/null)" ] || echo >> "$L_KEYS"
+  # append the keys being piped in here
+  cat >> "$L_KEYS"
+  sftp -b - -o "ControlPath=$L_SHARED_CON" "ignored" <<-EOF || return 1
+	-mkdir .ssh
+	chmod 700 .ssh
+	put $L_KEYS .ssh/authorized_keys
+	chmod 600 .ssh/authorized_keys
+	EOF
+  #shellcheck disable=SC2064
+  eval "$L_CLEANUP" && trap "$SCRATCH_CLEANUP" EXIT TERM INT QUIT
+}
+
+
+# create a scratch dir for any temporary files needed
+if SCRATCH_DIR=$(mktemp -d ~/.ssh/ssh-copy-id.XXXXXXXXXX) &&
+    [ "$SCRATCH_DIR" ] && [ -d "$SCRATCH_DIR" ]
+then
+  chmod 0700 "$SCRATCH_DIR"
+  SCRATCH_CLEANUP="rm -rf \"$SCRATCH_DIR\""
+  #shellcheck disable=SC2064
+  trap "$SCRATCH_CLEANUP" EXIT TERM INT QUIT
+else
+  printf '%s: ERROR: failed to create required temporary directory under ~/.ssh\n' "$0" >&2
+  exit 1
+fi
+
+REMOTE_VERSION=$($SSH -v -o PreferredAuthentications=',' -o ControlPath=none "$@" 2>&1 |
+                 sed -ne 's/.*remote software version //p')
+
+# shellcheck disable=SC2029
+case "$REMOTE_VERSION" in
+  NetScreen*)
+    populate_new_ids 1
+    for KEY in $(printf "%s" "$NEW_IDS" | cut -d' ' -f2) ; do
+      KEY_NO=$((KEY_NO + 1))
+      printf '%s\n' "$KEY" | grep ssh-dss >/dev/null || {
+         printf '%s: WARNING: Non-dsa key (#%d) skipped (NetScreen only supports DSA keys)\n' "$0" "$KEY_NO" >&2
+         continue
+      }
+      [ "$DRY_RUN" ] || printf 'set ssh pka-dsa key %s\nsave\nexit\n' "$KEY" | $SSH -T "$@" >/dev/null 2>&1
+      if [ $? = 255 ] ; then
+        printf '%s: ERROR: installation of key #%d failed (please report a bug describing what caused this, so that we can make this message useful)\n' "$0" "$KEY_NO" >&2
+      else
+        ADDED=$((ADDED + 1))
+      fi
+    done
+    if [ -z "$ADDED" ] ; then
+      exit 1
+    fi
+    ;;
+  dropbear*)
+    populate_new_ids 0
+    [ "$DRY_RUN" ] || printf '%s\n' "$NEW_IDS" | \
+      $SSH "$@" "$(installkeys_sh /etc/dropbear/authorized_keys)" \
+      || exit 1
+    ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
+    ;;
+  *)
+    # Assuming that the remote host treats ~/.ssh/authorized_keys as one might expect
+    populate_new_ids 0
+    if ! [ "$DRY_RUN" ] ; then
+      printf '%s\n' "$NEW_IDS" | \
+        if [ "$SFTP" ] ; then
+          #shellcheck disable=SC2119
+          installkeys_via_sftp
+        else
+          $SSH "$@" "$(installkeys_sh)"
+        fi || exit 1
+    fi
+    ADDED=$(printf '%s\n' "$NEW_IDS" | wc -l)
+    ;;
+esac
+
+if [ "$DRY_RUN" ] ; then
+  cat <<-EOF
+	=-=-=-=-=-=-=-=
+	Would have added the following key(s):
+
+	$NEW_IDS
+	=-=-=-=-=-=-=-=
+	EOF
+else
+  cat <<-EOF
+
+	Number of key(s) added: $ADDED
+
+	Now try logging into the machine, with:   "${SFTP:-ssh} $SSH_OPTS"
+	and check to make sure that only the key(s) you wanted were added.
+
+	EOF
+fi
+
+# =-=-=-=
diff --git a/contrib/ssh-copy-id.1 b/contrib/ssh-copy-id.1
new file mode 100644
index 0000000..c141a29
--- /dev/null
+++ b/contrib/ssh-copy-id.1
@@ -0,0 +1,198 @@
+.ig \"  -*- nroff -*-
+Copyright (c) 1999-2020 hands.com Ltd. <http://hands.com/>
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+..
+.Dd $Mdocdate: June 17 2010 $
+.Dt SSH-COPY-ID 1
+.Os
+.Sh NAME
+.Nm ssh-copy-id
+.Nd use locally available keys to authorise logins on a remote machine
+.Sh SYNOPSIS
+.Nm
+.Op Fl f
+.Op Fl n
+.Op Fl s
+.Op Fl i Op Ar identity_file
+.Op Fl p Ar port
+.Op Fl o Ar ssh_option
+.Op Ar user Ns @ Ns
+.Ar hostname
+.Nm
+.Fl h | Fl ?
+.br
+.Sh DESCRIPTION
+.Nm
+is a script that uses
+.Xr ssh 1
+to log into a remote machine (presumably using a login password,
+so password authentication should be enabled, unless you've done some
+clever use of multiple identities).  It assembles a list of one or more
+fingerprints (as described below) and tries to log in with each key, to
+see if any of them are already installed (of course, if you are not using
+.Xr ssh-agent 1
+this may result in you being repeatedly prompted for pass-phrases).
+It then assembles a list of those that failed to log in, and using ssh,
+enables logins with those keys on the remote server.  By default it adds
+the keys by appending them to the remote user's
+.Pa ~/.ssh/authorized_keys
+(creating the file, and directory, if necessary).  It is also capable
+of detecting if the remote system is a NetScreen, and using its
+.Ql set ssh pka-dsa key ...
+command instead.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl i Ar identity_file
+Use only the key(s) contained in
+.Ar identity_file
+(rather than looking for identities via
+.Xr ssh-add 1
+or in the
+.Ic default_ID_file ) .
+If the filename does not end in
+.Pa .pub
+this is added.  If the filename is omitted, the 
+.Ic default_ID_file
+is used.
+.Pp
+Note that this can be used to ensure that the keys copied have the
+comment one prefers and/or extra options applied, by ensuring that the
+key file has these set as preferred before the copy is attempted.
+.It Fl f
+Forced mode: doesn't check if the keys are present on the remote server.
+This means that it does not need the private key.  Of course, this can result
+in more than one copy of the key being installed on the remote system.
+.It Fl n
+do a dry-run.  Instead of installing keys on the remote system simply
+prints the key(s) that would have been installed.
+.It Fl s
+SFTP mode: usually the public keys are installed by executing commands on the remote side.
+With this option the user's
+.Pa ~/.ssh/authorized_keys
+file will be downloaded, modified locally and uploaded with sftp.
+This option is useful if the server has restrictions on commands which can be used on the remote side.
+.It Fl h , Fl ?
+Print Usage summary
+.It Fl p Ar port , Fl o Ar ssh_option
+These two options are simply passed through untouched, along with their
+argument, to allow one to set the port or other
+.Xr ssh 1
+options, respectively.
+.Pp
+Rather than specifying these as command line options, it is often better to use (per-host) settings in
+.Xr ssh 1 Ns 's
+configuration file:
+.Xr ssh_config 5 .
+.El
+.Pp
+Default behaviour without
+.Fl i ,
+is to check if
+.Ql ssh-add -L
+provides any output, and if so those keys are used.  Note that this results in
+the comment on the key being the filename that was given to
+.Xr ssh-add 1
+when the key was loaded into your
+.Xr ssh-agent 1
+rather than the comment contained in that file, which is a bit of a shame.
+Otherwise, if
+.Xr ssh-add 1
+provides no keys contents of the 
+.Ic default_ID_file
+will be used.
+.Pp
+The
+.Ic default_ID_file
+is the most recent file that matches:
+.Pa ~/.ssh/id*.pub ,
+(excluding those that match
+.Pa ~/.ssh/*-cert.pub )
+so if you create a key that is not the one you want
+.Nm
+to use, just use
+.Xr touch 1
+on your preferred key's 
+.Pa .pub
+file to reinstate it as the most recent.
+.Pp
+.Sh EXAMPLES
+If you have already installed keys from one system on a lot of remote
+hosts, and you then create a new key, on a new client machine, say,
+it can be difficult to keep track of which systems on which you've
+installed the new key.  One way of dealing with this is to load both
+the new key and old key(s) into your
+.Xr ssh-agent 1 .
+Load the new key first, without the
+.Fl c
+option, then load one or more old keys into the agent, possibly by
+ssh-ing to the client machine that has that old key, using the
+.Fl A
+option to allow agent forwarding:
+.Pp
+.D1 user@newclient$ ssh-add
+.D1 user@newclient$ ssh -A old.client
+.D1 user@oldl$ ssh-add -c
+.D1 No   ... prompt for pass-phrase ...
+.D1 user@old$ logoff
+.D1 user@newclient$ ssh someserver
+.Pp
+now, if the new key is installed on the server, you'll be allowed in
+unprompted, whereas if you only have the old key(s) enabled, you'll be
+asked for confirmation, which is your cue to log back out and run
+.Pp
+.D1 user@newclient$ ssh-copy-id -i someserver
+.Pp
+The reason you might want to specify the -i option in this case is to
+ensure that the comment on the installed key is the one from the
+.Pa .pub
+file, rather than just the filename that was loaded into your agent.
+It also ensures that only the id you intended is installed, rather than
+all the keys that you have in your
+.Xr ssh-agent 1 .
+Of course, you can specify another id, or use the contents of the
+.Xr ssh-agent 1
+as you prefer.
+.Pp
+Having mentioned
+.Xr ssh-add 1 Ns 's
+.Fl c
+option, you might consider using this whenever using agent forwarding
+to avoid your key being hijacked, but it is much better to instead use
+.Xr ssh 1 Ns 's
+.Ar ProxyCommand
+and 
+.Fl W
+option,
+to bounce through remote servers while always doing direct end-to-end
+authentication. This way the middle hop(s) don't get access to your
+.Xr ssh-agent 1 .
+A web search for
+.Ql ssh proxycommand nc
+should prove enlightening (N.B. the modern approach is to use the
+.Fl W
+option, rather than
+.Xr nc 1 ) .
+.Sh "SEE ALSO"
+.Xr ssh 1 ,
+.Xr ssh-agent 1 ,
+.Xr sshd 8
diff --git a/contrib/sshd.pam.freebsd b/contrib/sshd.pam.freebsd
new file mode 100644
index 0000000..c0bc364
--- /dev/null
+++ b/contrib/sshd.pam.freebsd
@@ -0,0 +1,5 @@
+sshd    auth      required  pam_unix.so    try_first_pass
+sshd    account   required  pam_unix.so
+sshd    password  required  pam_permit.so
+sshd    session   required  pam_permit.so
+
diff --git a/contrib/sshd.pam.generic b/contrib/sshd.pam.generic
new file mode 100644
index 0000000..215f0fe
--- /dev/null
+++ b/contrib/sshd.pam.generic
@@ -0,0 +1,8 @@
+#%PAM-1.0
+auth       required     /lib/security/pam_unix.so shadow nodelay
+account    required     /lib/security/pam_nologin.so
+account    required     /lib/security/pam_unix.so
+password   required     /lib/security/pam_cracklib.so
+password   required     /lib/security/pam_unix.so shadow nullok use_authtok
+session    required     /lib/security/pam_unix.so
+session    required     /lib/security/pam_limits.so
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
new file mode 100644
index 0000000..e533ed5
--- /dev/null
+++ b/contrib/suse/openssh.spec
@@ -0,0 +1,245 @@
+# Default values for additional components
+%define build_x11_askpass	1
+
+# Define the UID/GID to use for privilege separation
+%define sshd_gid	65
+%define sshd_uid	71
+
+# The version of x11-ssh-askpass to use
+%define xversion	1.2.4.1
+
+# Allow the ability to override defaults with -D skip_xxx=1
+%{?skip_x11_askpass:%define build_x11_askpass 0}
+
+Summary:	OpenSSH, a free Secure Shell (SSH) protocol implementation
+Name:		openssh
+Version:	9.2p1
+URL:		https://www.openssh.com/
+Release:	1
+Source0:	openssh-%{version}.tar.gz
+Source1:	x11-ssh-askpass-%{xversion}.tar.gz
+License:	BSD
+Group:		Productivity/Networking/SSH
+BuildRoot:	%{_tmppath}/openssh-%{version}-buildroot
+PreReq:		openssl
+Obsoletes:	ssh
+Provides:	ssh
+#
+# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
+# building prerequisites -- stuff for
+#   OpenSSL (openssl-devel),
+#   and Gnome (glibdev, gtkdev, and gnlibsd)
+#
+BuildPrereq:	openssl
+BuildPrereq:	zlib-devel
+#BuildPrereq:	glibdev
+#BuildPrereq:	gtkdev
+#BuildPrereq:	gnlibsd
+
+%package	askpass
+Summary:	A passphrase dialog for OpenSSH and the X window System.
+Group:		Productivity/Networking/SSH
+Requires:	openssh = %{version}
+Obsoletes:	ssh-extras
+Provides:	openssh:${_libdir}/ssh/ssh-askpass
+
+%if %{build_x11_askpass}
+BuildPrereq:	XFree86-devel
+%endif
+
+%description
+Ssh (Secure Shell) is a program for logging into a remote machine and for
+executing commands in a remote machine.  It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network.  X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
+up to date in terms of security and features, as well as removing all
+patented algorithms to separate libraries (OpenSSL).
+
+This package includes all files necessary for both the OpenSSH
+client and server.
+
+%description askpass
+Ssh (Secure Shell) is a program for logging into a remote machine and for
+executing commands in a remote machine.  It is intended to replace
+rlogin and rsh, and provide secure encrypted communications between
+two untrusted hosts over an insecure network.  X11 connections and
+arbitrary TCP/IP ports can also be forwarded over the secure channel.
+
+OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
+up to date in terms of security and features, as well as removing all
+patented algorithms to separate libraries (OpenSSL).
+
+This package contains an X Window System passphrase dialog for OpenSSH.
+
+%changelog
+* Mon Jul 20 2020 Damien Miller <djm@mindrto.org>
+- Add ssh-sk-helper and corresponding manual page.
+* Wed Oct 26 2005 Iain Morgan <imorgan@nas.nasa.gov>
+- Removed accidental inclusion of --without-zlib-version-check
+* Tue Oct 25 2005 Iain Morgan <imorgan@nas.nasa.gov>
+- Overhaul to deal with newer versions of SuSE and OpenSSH
+* Mon Jun 12 2000 Damien Miller <djm@mindrot.org>
+- Glob manpages to catch compressed files
+* Wed Mar 15 2000 Damien Miller <djm@ibs.com.au>
+- Updated for new location
+- Updated for new gnome-ssh-askpass build
+* Sun Dec 26 1999 Chris Saia <csaia@wtower.com>
+- Made symlink to gnome-ssh-askpass called ssh-askpass
+* Wed Nov 24 1999 Chris Saia <csaia@wtower.com>
+- Removed patches that included /etc/pam.d/sshd, /sbin/init.d/rc.sshd, and
+  /var/adm/fillup-templates/rc.config.sshd, since Damien merged these into
+  his released tarfile
+- Changed permissions on ssh_config in the install procedure to 644 from 600
+  even though it was correct in the %files section and thus right in the RPMs
+- Postinstall script for the server now only prints "Generating SSH host
+  key..." if we need to actually do this, in order to eliminate a confusing
+  message if an SSH host key is already in place
+- Marked all manual pages as %doc(umentation)
+* Mon Nov 22 1999 Chris Saia <csaia@wtower.com>
+- Added flag to configure daemon with TCP Wrappers support
+- Added building prerequisites (works in RPM 3.0 and newer)
+* Thu Nov 18 1999 Chris Saia <csaia@wtower.com>
+- Made this package correct for SuSE.
+- Changed instances of pam_pwdb.so to pam_unix.so, since it works more properly
+  with SuSE, and lib_pwdb.so isn't installed by default.
+* Mon Nov 15 1999 Damien Miller <djm@mindrot.org>
+- Split subpackages further based on patch from jim knoble <jmknoble@pobox.com>
+* Sat Nov 13 1999 Damien Miller <djm@mindrot.org>
+- Added 'Obsoletes' directives
+* Tue Nov 09 1999 Damien Miller <djm@ibs.com.au>
+- Use make install
+- Subpackages
+* Mon Nov 08 1999 Damien Miller <djm@ibs.com.au>
+- Added links for slogin
+- Fixed perms on manpages
+* Sat Oct 30 1999 Damien Miller <djm@ibs.com.au>
+- Renamed init script
+* Fri Oct 29 1999 Damien Miller <djm@ibs.com.au>
+- Back to old binary names
+* Thu Oct 28 1999 Damien Miller <djm@ibs.com.au>
+- Use autoconf
+- New binary names
+* Wed Oct 27 1999 Damien Miller <djm@ibs.com.au>
+- Initial RPMification, based on Jan "Yenya" Kasprzak's <kas@fi.muni.cz> spec.
+
+%prep
+
+%if %{build_x11_askpass}
+%setup -q -a 1
+%else
+%setup -q
+%endif
+
+%build
+CFLAGS="$RPM_OPT_FLAGS" \
+%configure	--prefix=/usr \
+		--sysconfdir=%{_sysconfdir}/ssh \
+		--mandir=%{_mandir} \
+		--with-privsep-path=/var/lib/empty \
+		--with-pam \
+		--libexecdir=%{_libdir}/ssh
+make
+
+%if %{build_x11_askpass}
+cd x11-ssh-askpass-%{xversion}
+%configure	--mandir=/usr/X11R6/man \
+		--libexecdir=%{_libdir}/ssh
+xmkmf -a
+make
+cd ..
+%endif
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make install DESTDIR=$RPM_BUILD_ROOT/
+install -d $RPM_BUILD_ROOT/etc/pam.d/
+install -d $RPM_BUILD_ROOT/etc/init.d/
+install -d $RPM_BUILD_ROOT/var/adm/fillup-templates
+install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd
+install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/etc/init.d/sshd
+install -m744 contrib/suse/sysconfig.ssh \
+   $RPM_BUILD_ROOT/var/adm/fillup-templates
+
+%if %{build_x11_askpass}
+cd x11-ssh-askpass-%{xversion}
+make install install.man BINDIR=%{_libdir}/ssh DESTDIR=$RPM_BUILD_ROOT/
+rm -f $RPM_BUILD_ROOT/usr/share/Ssh.bin
+%endif
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%pre
+/usr/sbin/groupadd -g %{sshd_gid} -o -r sshd 2> /dev/null || :
+/usr/sbin/useradd -r -o -g sshd -u %{sshd_uid} -s /bin/false -c "SSH Privilege Separation User" -d /var/lib/sshd sshd 2> /dev/null || :
+
+%post
+/usr/bin/ssh-keygen -A
+%{fillup_and_insserv -n -y ssh sshd}
+%run_permissions
+
+%verifyscript
+%verify_permissions -e /etc/ssh/sshd_config -e /etc/ssh/ssh_config -e /usr/bin/ssh
+
+%preun
+%stop_on_removal sshd
+
+%postun
+%restart_on_update sshd
+%{insserv_cleanup}
+
+%files
+%defattr(-,root,root)
+%doc ChangeLog OVERVIEW README* PROTOCOL*
+%doc TODO CREDITS LICENCE
+%attr(0755,root,root) %dir %{_sysconfdir}/ssh
+%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
+%attr(0644,root,root) %config(noreplace) /etc/pam.d/sshd
+%attr(0755,root,root) %config /etc/init.d/sshd
+%attr(0755,root,root) %{_bindir}/ssh-keygen
+%attr(0755,root,root) %{_bindir}/scp
+%attr(0755,root,root) %{_bindir}/ssh
+%attr(0755,root,root) %{_bindir}/ssh-agent
+%attr(0755,root,root) %{_bindir}/ssh-add
+%attr(0755,root,root) %{_bindir}/ssh-keyscan
+%attr(0755,root,root) %{_bindir}/sftp
+%attr(0755,root,root) %{_sbindir}/sshd
+%attr(0755,root,root) %dir %{_libdir}/ssh
+%attr(0755,root,root) %{_libdir}/ssh/sftp-server
+%attr(4711,root,root) %{_libdir}/ssh/ssh-keysign
+%attr(0755,root,root) %{_libdir}/ssh/ssh-pkcs11-helper
+%attr(0755,root,root) %{_libdir}/ssh/ssh-sk-helper
+%attr(0644,root,root) %doc %{_mandir}/man1/scp.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/sftp.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssh.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssh-add.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssh-agent.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keygen.1*
+%attr(0644,root,root) %doc %{_mandir}/man1/ssh-keyscan.1*
+%attr(0644,root,root) %doc %{_mandir}/man5/moduli.5*
+%attr(0644,root,root) %doc %{_mandir}/man5/ssh_config.5*
+%attr(0644,root,root) %doc %{_mandir}/man5/sshd_config.5*
+%attr(0644,root,root) %doc %{_mandir}/man8/sftp-server.8*
+%attr(0644,root,root) %doc %{_mandir}/man8/ssh-keysign.8*
+%attr(0644,root,root) %doc %{_mandir}/man8/ssh-pkcs11-helper.8*
+%attr(0644,root,root) %doc %{_mandir}/man8/ssh-sk-helper.8*
+%attr(0644,root,root) %doc %{_mandir}/man8/sshd.8*
+%attr(0644,root,root) /var/adm/fillup-templates/sysconfig.ssh
+
+%if %{build_x11_askpass}
+%files askpass
+%defattr(-,root,root)
+%doc x11-ssh-askpass-%{xversion}/README
+%doc x11-ssh-askpass-%{xversion}/ChangeLog
+%doc x11-ssh-askpass-%{xversion}/SshAskpass*.ad
+%attr(0755,root,root) %{_libdir}/ssh/ssh-askpass
+%attr(0755,root,root) %{_libdir}/ssh/x11-ssh-askpass
+%attr(0644,root,root) %doc /usr/X11R6/man/man1/ssh-askpass.1x*
+%attr(0644,root,root) %doc /usr/X11R6/man/man1/x11-ssh-askpass.1x*
+%attr(0644,root,root) %config /usr/X11R6/lib/X11/app-defaults/SshAskpass
+%endif
diff --git a/contrib/suse/rc.config.sshd b/contrib/suse/rc.config.sshd
new file mode 100644
index 0000000..baaa7a5
--- /dev/null
+++ b/contrib/suse/rc.config.sshd
@@ -0,0 +1,5 @@
+#
+# Start the Secure Shell (SSH) Daemon?
+#
+START_SSHD="yes"
+
diff --git a/contrib/suse/rc.sshd b/contrib/suse/rc.sshd
new file mode 100644
index 0000000..28f28e4
--- /dev/null
+++ b/contrib/suse/rc.sshd
@@ -0,0 +1,121 @@
+#! /bin/sh
+# Copyright (c) 1995-2000 SuSE GmbH Nuernberg, Germany.
+#
+# Author: Jiri Smid <feedback@suse.de>
+#
+# /etc/init.d/sshd
+#
+#   and symbolic its link
+#
+# /usr/sbin/rcsshd
+#
+### BEGIN INIT INFO
+# Provides: sshd
+# Required-Start: $network $remote_fs
+# Required-Stop: $network $remote_fs
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 6
+# Description: Start the sshd daemon
+### END INIT INFO
+
+SSHD_BIN=/usr/sbin/sshd
+test -x $SSHD_BIN || exit 5
+
+SSHD_SYSCONFIG=/etc/sysconfig/ssh
+test -r $SSHD_SYSCONFIG || exit 6
+. $SSHD_SYSCONFIG
+
+SSHD_PIDFILE=/var/run/sshd.init.pid
+
+. /etc/rc.status
+
+# Shell functions sourced from /etc/rc.status:
+#      rc_check         check and set local and overall rc status
+#      rc_status        check and set local and overall rc status
+#      rc_status -v     ditto but be verbose in local rc status
+#      rc_status -v -r  ditto and clear the local rc status
+#      rc_failed        set local and overall rc status to failed
+#      rc_reset         clear local rc status (overall remains)
+#      rc_exit          exit appropriate to overall rc status
+
+# First reset status of this service
+rc_reset
+
+case "$1" in
+    start)
+	# Generate any missing host keys
+	ssh-keygen -A
+	echo -n "Starting SSH daemon"
+	## Start daemon with startproc(8). If this fails
+	## the echo return value is set appropriate.
+
+	startproc -f -p $SSHD_PIDFILE $SSHD_BIN $SSHD_OPTS -o "PidFile=$SSHD_PIDFILE" 
+
+	# Remember status and be verbose
+	rc_status -v
+	;;
+    stop)
+	echo -n "Shutting down SSH daemon"
+	## Stop daemon with killproc(8) and if this fails
+	## set echo the echo return value.
+
+	killproc -p $SSHD_PIDFILE -TERM $SSHD_BIN
+
+	# Remember status and be verbose
+	rc_status -v
+	;;
+    try-restart)
+        ## Stop the service and if this succeeds (i.e. the 
+        ## service was running before), start it again.
+        $0 status >/dev/null &&  $0 restart
+
+        # Remember status and be quiet
+        rc_status
+        ;;
+    restart)
+        ## Stop the service and regardless of whether it was
+        ## running or not, start it again.
+        $0 stop
+        $0 start
+
+        # Remember status and be quiet
+        rc_status
+        ;;
+    force-reload|reload)
+	## Signal the daemon to reload its config. Most daemons
+	## do this on signal 1 (SIGHUP).
+
+	echo -n "Reload service sshd"
+
+	killproc -p $SSHD_PIDFILE -HUP $SSHD_BIN
+
+        rc_status -v
+
+        ;;
+    status)
+	echo -n "Checking for service sshd "
+        ## Check status with checkproc(8), if process is running
+        ## checkproc will return with exit status 0.
+
+        # Status has a slightly different for the status command:
+        # 0 - service running
+        # 1 - service dead, but /var/run/  pid  file exists
+        # 2 - service dead, but /var/lock/ lock file exists
+        # 3 - service not running
+
+	checkproc -p $SSHD_PIDFILE $SSHD_BIN
+
+	rc_status -v
+	;;
+    probe)
+	## Optional: Probe for the necessity of a reload,
+	## give out the argument which is required for a reload.
+
+        test /etc/ssh/sshd_config -nt $SSHD_PIDFILE && echo reload
+	;;
+    *)
+	echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
+	exit 1
+	;;
+esac
+rc_exit
diff --git a/contrib/suse/sysconfig.ssh b/contrib/suse/sysconfig.ssh
new file mode 100644
index 0000000..c6a37e5
--- /dev/null
+++ b/contrib/suse/sysconfig.ssh
@@ -0,0 +1,9 @@
+## Path:	Network/Remote access/SSH
+## Description:	SSH server settings
+## Type:	string
+## Default:	""
+## ServiceRestart: sshd
+#
+# Options for sshd
+#
+SSHD_OPTS=""