authorDamien Miller <djm@mindrot.org>2000-05-07 12:03:14 +1000
committerDamien Miller <djm@mindrot.org>2000-05-07 12:03:14 +1000
commite247cc402bc391650f014316363dbce78ad85dc7 (patch)
tree65d72c3d3514c6119f47017f14b71ed153485a5d
parent0437b33e54fd72060d17908d6abf96bfabaacad2 (diff)
- Remove references to SSLeay.
- Big OpenBSD CVS update - markus@cvs.openbsd.org [clientloop.c] - typo [session.c] - update proctitle on pty alloc/dealloc, e.g. w/ windows client [session.c] - update proctitle for proto 1, too [channels.h nchan.c serverloop.c session.c sshd.c] - use c-style comments - deraadt@cvs.openbsd.org [scp.c] - more atomicio - markus@cvs.openbsd.org [channels.c] - set O_NONBLOCK [ssh.1] - update AUTHOR [readconf.c ssh-keygen.c ssh.h] - default DSA key file ~/.ssh/id_dsa [clientloop.c] - typo, rm verbose debug - deraadt@cvs.openbsd.org [ssh-keygen.1] - document DSA use of ssh-keygen [sshd.8] - a start at describing what i understand of the DSA side [ssh-keygen.1] - document -X and -x [ssh-keygen.c] - simplify usage - markus@cvs.openbsd.org [sshd.8] - there is no rhosts_dsa [ssh-keygen.1] - document -y, update -X,-x [nchan.c] - fix close for non-open ssh1 channels [servconf.c servconf.h ssh.h sshd.8 sshd.c ] - s/DsaKey/HostDSAKey/, document option [sshconnect2.c] - respect number_of_password_prompts [channels.c channels.h servconf.c servconf.h session.c sshd.8] - GatewayPorts for sshd, ok deraadt@ [ssh-add.1 ssh-agent.1 ssh.1] - more doc on: DSA, id_dsa, known_hosts2, authorized_keys2 [ssh.1] - more info on proto 2 [sshd.8] - sync AUTHOR w/ ssh.1 [key.c key.h sshconnect.c] - print key type when talking about host keys [packet.c] - clear padding in ssh2 [dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h] - replace broken uuencode w/ libc b64_ntop [auth2.c] - log failure before sending the reply [key.c radix.c uuencode.c] - remote trailing comments before calling __b64_pton [auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1] [sshconnect2.c sshd.8] - add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8 - Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
-rw-r--r--ChangeLog67
-rw-r--r--Makefile.in2
-rw-r--r--auth2.c48
-rw-r--r--bsd-base64.c315
-rw-r--r--bsd-base64.h19
-rw-r--r--channels.c33
-rw-r--r--channels.h6
-rw-r--r--clientloop.c6
-rw-r--r--configure.in4
-rw-r--r--dsa.c4
-rw-r--r--includes.h1
-rw-r--r--key.c25
-rw-r--r--key.h1
-rw-r--r--nchan.c23
-rw-r--r--packet.c13
-rw-r--r--radix.c7
-rw-r--r--readconf.c18
-rw-r--r--readconf.h3
-rw-r--r--scp.c20
-rw-r--r--servconf.c33
-rw-r--r--servconf.h6
-rw-r--r--serverloop.c2
-rw-r--r--session.c43
-rw-r--r--ssh-add.16
-rw-r--r--ssh-agent.14
-rw-r--r--ssh-keygen.163
-rw-r--r--ssh-keygen.c8
-rw-r--r--ssh.1160
-rw-r--r--ssh.h7
-rw-r--r--sshconnect.c34
-rw-r--r--sshconnect1.c6
-rw-r--r--sshconnect2.c8
-rw-r--r--sshd.8104
-rw-r--r--sshd.c9
-rw-r--r--uuencode.c110
-rw-r--r--uuencode.h4
36 files changed, 961 insertions, 261 deletions
diff --git a/ChangeLog b/ChangeLog
index d7143d5d..c6e3548a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,70 @@
+20000507
+ - Remove references to SSLeay.
+ - Big OpenBSD CVS update
+ - markus@cvs.openbsd.org
+ [clientloop.c]
+ - typo
+ [session.c]
+ - update proctitle on pty alloc/dealloc, e.g. w/ windows client
+ [session.c]
+ - update proctitle for proto 1, too
+ [channels.h nchan.c serverloop.c session.c sshd.c]
+ - use c-style comments
+ - deraadt@cvs.openbsd.org
+ [scp.c]
+ - more atomicio
+ - markus@cvs.openbsd.org
+ [channels.c]
+ - set O_NONBLOCK
+ [ssh.1]
+ - update AUTHOR
+ [readconf.c ssh-keygen.c ssh.h]
+ - default DSA key file ~/.ssh/id_dsa
+ [clientloop.c]
+ - typo, rm verbose debug
+ - deraadt@cvs.openbsd.org
+ [ssh-keygen.1]
+ - document DSA use of ssh-keygen
+ [sshd.8]
+ - a start at describing what i understand of the DSA side
+ [ssh-keygen.1]
+ - document -X and -x
+ [ssh-keygen.c]
+ - simplify usage
+ - markus@cvs.openbsd.org
+ [sshd.8]
+ - there is no rhosts_dsa
+ [ssh-keygen.1]
+ - document -y, update -X,-x
+ [nchan.c]
+ - fix close for non-open ssh1 channels
+ [servconf.c servconf.h ssh.h sshd.8 sshd.c ]
+ - s/DsaKey/HostDSAKey/, document option
+ [sshconnect2.c]
+ - respect number_of_password_prompts
+ [channels.c channels.h servconf.c servconf.h session.c sshd.8]
+ - GatewayPorts for sshd, ok deraadt@
+ [ssh-add.1 ssh-agent.1 ssh.1]
+ - more doc on: DSA, id_dsa, known_hosts2, authorized_keys2
+ [ssh.1]
+ - more info on proto 2
+ [sshd.8]
+ - sync AUTHOR w/ ssh.1
+ [key.c key.h sshconnect.c]
+ - print key type when talking about host keys
+ [packet.c]
+ - clear padding in ssh2
+ [dsa.c key.c radix.c ssh.h sshconnect1.c uuencode.c uuencode.h]
+ - replace broken uuencode w/ libc b64_ntop
+ [auth2.c]
+ - log failure before sending the reply
+ [key.c radix.c uuencode.c]
+ - remote trailing comments before calling __b64_pton
+ [auth2.c readconf.c readconf.h servconf.c servconf.h ssh.1]
+ [sshconnect2.c sshd.8]
+ - add DSAAuthetication option to ssh/sshd, document SSH2 in sshd.8
+ - Bring in b64_ntop and b64_pton from OpenBSD libc (bsd-base64.[ch])
+
20000502
- OpenBSD CVS update
[channels.c]
diff --git a/Makefile.in b/Makefile.in
index 646201c0..de2fbd26 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -33,7 +33,7 @@ INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
TARGETS=ssh sshd ssh-add ssh-keygen ssh-agent scp $(EXTRA_TARGETS)
-LIBOBJS= atomicio.o authfd.o authfile.o bsd-bindresvport.o bsd-daemon.o bsd-misc.o bsd-mktemp.o bsd-rresvport.o bsd-setenv.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o dispatch.o dsa.o fake-getaddrinfo.o fake-getnameinfo.o fingerprint.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o
+LIBOBJS= atomicio.o authfd.o authfile.o bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-misc.o bsd-mktemp.o bsd-rresvport.o bsd-setenv.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o dispatch.o dsa.o fake-getaddrinfo.o fake-getnameinfo.o fingerprint.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o
SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o
diff --git a/auth2.c b/auth2.c
index e77358a3..3d997f45 100644
--- a/auth2.c
+++ b/auth2.c
@@ -27,7 +27,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.5 2000/05/01 23:13:39 djm Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.7 2000/05/06 17:45:36 markus Exp $");
#include <openssl/dsa.h>
#include <openssl/rsa.h>
@@ -188,9 +188,29 @@ input_userauth_request(int type, int plen)
authenticated = 0;
#endif /* USE_PAM */
- /* XXX todo: check if multiple auth methods are needed */
+ /* Raise logging level */
+ if (authenticated == 1 ||
+ attempt == AUTH_FAIL_LOG ||
+ strcmp(method, "password") == 0)
+ authlog = log;
+
+ /* Log before sending the reply */
if (authenticated == 1) {
authmsg = "Accepted";
+ } else if (authenticated == 0) {
+ authmsg = "Failed";
+ } else {
+ authmsg = "Postponed";
+ }
+ authlog("%s %s for %.200s from %.200s port %d ssh2",
+ authmsg,
+ method,
+ pw && pw->pw_uid == 0 ? "ROOT" : user,
+ get_remote_ipaddr(),
+ get_remote_port());
+
+ /* XXX todo: check if multiple auth methods are needed */
+ if (authenticated == 1) {
/* turn off userauth */
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);
packet_start(SSH2_MSG_USERAUTH_SUCCESS);
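Review bot: In the relocated `authlog(...)` call, `method` is formatted with an unbounded `%s`, while the user name and address beside it are capped with `%.200s`. The assignment of `method` is outside this hunk, but if it is taken from the client's request, a peer chooses the length of that log field before authentication has succeeded. I would cap it the same way: `authlog("%s %.200s for %.200s from %.200s port %d ssh2",`. input_userauth_request starts and ends outside the hunk.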
@@ -199,27 +219,12 @@ input_userauth_request(int type, int plen)
/* now we can break out */
userauth_success = 1;
} else if (authenticated == 0) {
- authmsg = "Failed";
packet_start(SSH2_MSG_USERAUTH_FAILURE);
packet_put_cstring("publickey,password"); /* XXX dynamic */
packet_put_char(0); /* XXX partial success, unused */
packet_send();
packet_write_wait();
- } else {
- authmsg = "Postponed";
}
- /* Raise logging level */
- if (authenticated == 1||
- attempt == AUTH_FAIL_LOG ||
- strcmp(method, "password") == 0)
- authlog = log;
-
- authlog("%s %s for %.200s from %.200s port %d ssh2",
- authmsg,
- method,
- pw && pw->pw_uid == 0 ? "ROOT" : user,
- get_remote_ipaddr(),
- get_remote_port());
xfree(service);
xfree(user);
@@ -269,7 +274,7 @@ ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)
int have_sig;
int authenticated = 0;
- if (options.rsa_authentication == 0) {
+ if (options.dsa_authentication == 0) {
debug("pubkey auth disabled");
return 0;
}
@@ -306,6 +311,13 @@ ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)
debug("test key...");
/* test whether pkalg/pkblob are acceptable */
/* XXX fake reply and always send PK_OK ? */
+ /*
+ * XXX this allows testing whether a user is allowed
+ * to login: if you happen to have a valid pubkey this
+ * message is sent. the message is NEVER sent at all
+ * if a user is not allowed to login. is this an
+ * issue? -markus
+ */
if (user_dsa_key_allowed(pw, key)) {
packet_start(SSH2_MSG_USERAUTH_PK_OK);
packet_put_string(pkalg, alen);
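Review bot: The question left open in the new comment has a practical answer: the `user_dsa_key_allowed(pw, key)` branch replies SSH2_MSG_USERAUTH_PK_OK for a key that is merely presented, apparently before any signature is verified (the `have_sig` handling is outside the hunk), so the reply confirms that a given account accepts a given public key. Public keys are not secret, so the differing reply discloses account and key associations to any remote peer. Short of the uniform reply that the preceding XXX line floats, I would make these test requests visible to operators by logging them in this branch, e.g. `log("pubkey test accepted from %.200s port %d", get_remote_ipaddr(), get_remote_port());`, and would confirm that they count toward the same attempt limit as failed logins. ssh2_auth_pubkey starts and ends outside the hunk.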
diff --git a/bsd-base64.c b/bsd-base64.c
new file mode 100644
index 00000000..57a95736
--- /dev/null
+++ b/bsd-base64.c
@@ -0,0 +1,315 @@
+/* $OpenBSD: base64.c,v 1.3 1997/11/08 20:46:55 deraadt Exp $ */
+
+/*
+ * Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/*
+ * Portions Copyright (c) 1995 by International Business Machines, Inc.
+ *
+ * International Business Machines, Inc. (hereinafter called IBM) grants
+ * permission under its copyrights to use, copy, modify, and distribute this
+ * Software with or without fee, provided that the above copyright notice and
+ * all paragraphs of this notice appear in all copies, and that the name of IBM
+ * not be used in connection with the marketing of any product incorporating
+ * the Software or modifications thereof, without specific, written prior
+ * permission.
+ *
+ * To the extent it has a right to do so, IBM grants an immunity from suit
+ * under its patents, if any, for the use, sale or manufacture of products to
+ * the extent that such products are used for performing Domain Name System
+ * dynamic updates in TCP/IP networks by means of the Software. No immunity is
+ * granted for any product per se or for any other function of any product.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", AND IBM DISCLAIMS ALL WARRANTIES,
+ * INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE. IN NO EVENT SHALL IBM BE LIABLE FOR ANY SPECIAL,
+ * DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE, EVEN
+ * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
+ */
+
+#include "config.h"
+
+#ifndef HAVE_B64_NTOP
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <ctype.h>
+#include <resolv.h>
+#include <stdio.h>
+
+#include <stdlib.h>
+#include <string.h>
+
+#define Assert(Cond) if (!(Cond)) abort()
+
+static const char Base64[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+static const char Pad64 = '=';
+
+/* (From RFC1521 and draft-ietf-dnssec-secext-03.txt)
+ The following encoding technique is taken from RFC 1521 by Borenstein
+ and Freed. It is reproduced here in a slightly edited form for
+ convenience.
+
+ A 65-character subset of US-ASCII is used, enabling 6 bits to be
+ represented per printable character. (The extra 65th character, "=",
+ is used to signify a special processing function.)
+
+ The encoding process represents 24-bit groups of input bits as output
+ strings of 4 encoded characters. Proceeding from left to right, a
+ 24-bit input group is formed by concatenating 3 8-bit input groups.
+ These 24 bits are then treated as 4 concatenated 6-bit groups, each
+ of which is translated into a single digit in the base64 alphabet.
+
+ Each 6-bit group is used as an index into an array of 64 printable
+ characters. The character referenced by the index is placed in the
+ output string.
+
+ Table 1: The Base64 Alphabet
+
+ Value Encoding Value Encoding Value Encoding Value Encoding
+ 0 A 17 R 34 i 51 z
+ 1 B 18 S 35 j 52 0
+ 2 C 19 T 36 k 53 1
+ 3 D 20 U 37 l 54 2
+ 4 E 21 V 38 m 55 3
+ 5 F 22 W 39 n 56 4
+ 6 G 23 X 40 o 57 5
+ 7 H 24 Y 41 p 58 6
+ 8 I 25 Z 42 q 59 7
+ 9 J 26 a 43 r 60 8
+ 10 K 27 b 44 s 61 9
+ 11 L 28 c 45 t 62 +
+ 12 M 29 d 46 u 63 /
+ 13 N 30 e 47 v
+ 14 O 31 f 48 w (pad) =
+ 15 P 32 g 49 x
+ 16 Q 33 h 50 y
+
+ Special processing is performed if fewer than 24 bits are available
+ at the end of the data being encoded. A full encoding quantum is
+ always completed at the end of a quantity. When fewer than 24 input
+ bits are available in an input group, zero bits are added (on the
+ right) to form an integral number of 6-bit groups. Padding at the
+ end of the data is performed using the '=' character.
+
+ Since all base64 input is an integral number of octets, only the
+ -------------------------------------------------
+ following cases can arise:
+
+ (1) the final quantum of encoding input is an integral
+ multiple of 24 bits; here, the final unit of encoded
+ output will be an integral multiple of 4 characters
+ with no "=" padding,
+ (2) the final quantum of encoding input is exactly 8 bits;
+ here, the final unit of encoded output will be two
+ characters followed by two "=" padding characters, or
+ (3) the final quantum of encoding input is exactly 16 bits;
+ here, the final unit of encoded output will be three
+ characters followed by one "=" padding character.
+ */
+
+int
+b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
+{
+ size_t datalength = 0;
+ u_char input[3];
+ u_char output[4];
+ int i;
+
+ while (2 < srclength) {
+ input[0] = *src++;
+ input[1] = *src++;
+ input[2] = *src++;
+ srclength -= 3;
+
+ output[0] = input[0] >> 2;
+ output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
+ output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
+ output[3] = input[2] & 0x3f;
+ Assert(output[0] < 64);
+ Assert(output[1] < 64);
+ Assert(output[2] < 64);
+ Assert(output[3] < 64);
+
+ if (datalength + 4 > targsize)
+ return (-1);
+ target[datalength++] = Base64[output[0]];
+ target[datalength++] = Base64[output[1]];
+ target[datalength++] = Base64[output[2]];
+ target[datalength++] = Base64[output[3]];
+ }
+
+ /* Now we worry about padding. */
+ if (0 != srclength) {
+ /* Get what's left. */
+ input[0] = input[1] = input[2] = '\0';
+ for (i = 0; i < srclength; i++)
+ input[i] = *src++;
+
+ output[0] = input[0] >> 2;
+ output[1] = ((input[0] & 0x03) << 4) + (input[1] >> 4);
+ output[2] = ((input[1] & 0x0f) << 2) + (input[2] >> 6);
+ Assert(output[0] < 64);
+ Assert(output[1] < 64);
+ Assert(output[2] < 64);
+
+ if (datalength + 4 > targsize)
+ return (-1);
+ target[datalength++] = Base64[output[0]];
+ target[datalength++] = Base64[output[1]];
+ if (srclength == 1)
+ target[datalength++] = Pad64;
+ else
+ target[datalength++] = Base64[output[2]];
+ target[datalength++] = Pad64;
+ }
+ if (datalength >= targsize)
+ return (-1);
+ target[datalength] = '\0'; /* Returned value doesn't count \0. */
+ return (datalength);
+}
+
+/* skips all whitespace anywhere.
+ converts characters, four at a time, starting at (or after)
+ src from base - 64 numbers into three 8 bit bytes in the target area.
+ it returns the number of data bytes stored at the target, or -1 on error.
+ */
+
+int
+b64_pton(char const *src, u_char *target, size_t targsize)
+{
+ int tarindex, state, ch;
+ char *pos;
+
+ state = 0;
+ tarindex = 0;
+
+ while ((ch = *src++) != '\0') {
+ if (isspace(ch)) /* Skip whitespace anywhere. */
+ continue;
+
+ if (ch == Pad64)
+ break;
+
+ pos = strchr(Base64, ch);
+ if (pos == 0) /* A non-base64 character. */
+ return (-1);
+
+ switch (state) {
+ case 0:
+ if (target) {
+ if (tarindex >= targsize)
+ return (-1);
+ target[tarindex] = (pos - Base64) << 2;
+ }
+ state = 1;
+ break;
+ case 1:
+ if (target) {
+ if (tarindex + 1 >= targsize)
+ return (-1);
+ target[tarindex] |= (pos - Base64) >> 4;
+ target[tarindex+1] = ((pos - Base64) & 0x0f)
+ << 4 ;
+ }
+ tarindex++;
+ state = 2;
+ break;
+ case 2:
+ if (target) {
+ if (tarindex + 1 >= targsize)
+ return (-1);
+ target[tarindex] |= (pos - Base64) >> 2;
+ target[tarindex+1] = ((pos - Base64) & 0x03)
+ << 6;
+ }
+ tarindex++;
+ state = 3;
+ break;
+ case 3:
+ if (target) {
+ if (tarindex >= targsize)
+ return (-1);
+ target[tarindex] |= (pos - Base64);
+ }
+ tarindex++;
+ state = 0;
+ break;
+ }
+ }
+
+ /*
+ * We are done decoding Base-64 chars. Let's see if we ended
+ * on a byte boundary, and/or with erroneous trailing characters.
+ */
+
+ if (ch == Pad64) { /* We got a pad char. */
+ ch = *src++; /* Skip it, get next. */
+ switch (state) {
+ case 0: /* Invalid = in first position */
+ case 1: /* Invalid = in second position */
+ return (-1);
+
+ case 2: /* Valid, means one byte of info */
+ /* Skip any number of spaces. */
+ for (; ch != '\0'; ch = *src++)
+ if (!isspace(ch))
+ break;
+ /* Make sure there is another trailing = sign. */
+ if (ch != Pad64)
+ return (-1);
+ ch = *src++; /* Skip the = */
+ /* Fall through to "single trailing =" case. */
+ /* FALLTHROUGH */
+
+ case 3: /* Valid, means two bytes of info */
+ /*
+ * We know this char is an =. Is there anything but
+ * whitespace after it?
+ */
+ for (; ch != '\0'; ch = *src++)
+ if (!isspace(ch))
+ return (-1);
+
+ /*
+ * Now make sure for cases 2 and 3 that the "extra"
+ * bits that slopped past the last full byte were
+ * zeros. If we don't check them, they become a
+ * subliminal channel.
+ */
+ if (target && target[tarindex] != 0)
+ return (-1);
+ }
+ } else {
+ /*
+ * We ended by seeing the end of the string. Make sure we
+ * have no partial bytes lying around.
+ */
+ if (state != 0)
+ return (-1);
+ }
+
+ return (tarindex);
+}
+
+#endif /* HAVE_B64_NTOP */
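Review bot: b64_pton passes `ch`, loaded from a `char const *`, straight to `isspace()` in three places (the main loop and both padding loops); where plain char is signed, a byte above 0x7f becomes a negative argument, which is undefined behaviour for the ctype functions. Per the ChangeLog entry this replaces the uuencode helper used by key.c and radix.c, so the input is presumably key text read from files rather than guaranteed ASCII. Each call should read `isspace((unsigned char)ch)`. Separately, the `tarindex + 1 >= targsize` checks in states 1 and 2 mean that input ending in padding needs a target buffer one byte larger than the decoded length, which is worth stating in the comment above b64_pton so callers size their buffers accordingly.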
diff --git a/bsd-base64.h b/bsd-base64.h
new file mode 100644
index 00000000..c5dace7c
--- /dev/null
+++ b/bsd-base64.h
@@ -0,0 +1,19 @@
+#ifndef _BSD_BASE64_H
+#define _BSD_BASE64_H
+
+#include "config.h"
+
+#ifndef HAVE___B64_NTOP
+# ifdef HAVE_B64_NTOP
+# define __b64_ntop b64_ntop
+# define __b64_pton b64_pton
+# else /* !HAVE_B64_NTOP */
+
+int b64_ntop(u_char const *src, size_t srclength, char *target,
+ size_t targsize);
+int b64_pton(char const *src, u_char *target, size_t targsize);
+
+# endif /* HAVE_B64_NTOP */
+#endif /* HAVE___B64_NTOP */
+
+#endif /* _BSD_BINRESVPORT_H */
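Review bot: In the `# else /* !HAVE_B64_NTOP */` branch only the plain `b64_ntop`/`b64_pton` prototypes are declared, so the `__b64_`-prefixed names are available only when libc supplies one of the two variants. The ChangeLog entry in this commit speaks of callers "calling __b64_pton"; if they do use the prefixed names (the call sites are not in view), a system with neither function would fail to build even though bsd-base64.c is compiled in. I would add `# define __b64_ntop b64_ntop` and `# define __b64_pton b64_pton` after the prototypes in that branch as well. The closing guard comment should read `/* _BSD_BASE64_H */`, and the prototypes rely on the includer to have defined `u_char` and `size_t`.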
diff --git a/channels.c b/channels.c
index bd8c337e..f833e1bb 100644
--- a/channels.c
+++ b/channels.c
@@ -17,7 +17,7 @@
*/
#include "includes.h"
-RCSID("$Id: channels.c,v 1.28 2000/05/01 23:23:45 damien Exp $");
+RCSID("$Id: channels.c,v 1.29 2000/05/07 02:03:15 damien Exp $");
#include "ssh.h"
#include "packet.h"
@@ -147,8 +147,25 @@ channel_lookup(int id)
return c;
}
+void
+set_nonblock(int fd)
+{
+ int val;
+ val = fcntl(fd, F_GETFL, 0);
+ if (val < 0) {
+ error("fcntl(%d, F_GETFL, 0): %s", fd, strerror(errno));
+ return;
+ }
+ if (val & O_NONBLOCK)
+ return;
+ debug("fd %d setting O_NONBLOCK", fd);
+ val |= O_NONBLOCK;
+ if (fcntl(fd, F_SETFL, val) == -1)
+ error("fcntl(%d, F_SETFL, O_NONBLOCK): %s", fd, strerror(errno));
+}
+
/*
- * register filedescriptors for a channel, used when allocating a channel or
+ * Register filedescriptors for a channel, used when allocating a channel or
* when the channel consumer/producer is ready, e.g. shell exec'd
*/
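Review bot: `set_nonblock` is added with external linkage and no comment, and none of the channels.h hunks in this commit declare it. If it is meant to be private to channels.c it should be `static void`; otherwise it needs a prototype in the header. I would also add a comment above it such as `/* Set O_NONBLOCK on fd; a failure is logged and the fd is left blocking. */`, since the void return gives callers no way to notice that case.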
@@ -163,11 +180,18 @@ channel_register_fds(Channel *c, int rfd, int wfd, int efd, int extusage)
if (efd > channel_max_fd_value)
channel_max_fd_value = efd;
/* XXX set close-on-exec -markus */
+
c->rfd = rfd;
c->wfd = wfd;
c->sock = (rfd == wfd) ? rfd : -1;
c->efd = efd;
c->extended_usage = extusage;
+ if (rfd != -1)
+ set_nonblock(rfd);
+ if (wfd != -1)
+ set_nonblock(wfd);
+ if (efd != -1)
+ set_nonblock(efd);
}
/*
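Review bot: The three `set_nonblock` calls change a file status flag, and F_SETFL acts on the open file description rather than on the descriptor, so any other process sharing rfd, wfd or efd (inherited or dup'ed descriptors) is switched to non-blocking I/O too, and nothing here restores the flag. Whether such shared descriptors reach channel_register_fds is not visible in this hunk, so I would record the assumption next to the existing XXX line, e.g. `/* XXX O_NONBLOCK is shared with other holders of these fds and is not restored */`. channel_register_fds starts outside the hunk.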
@@ -1532,7 +1556,7 @@ channel_request_remote_forwarding(u_short listen_port, const char *host_to_conne
*/
void
-channel_input_port_forward_request(int is_root)
+channel_input_port_forward_request(int is_root, int gateway_ports)
{
u_short port, host_port;
char *hostname;
@@ -1551,9 +1575,8 @@ channel_input_port_forward_request(int is_root)
port);
/*
* Initiate forwarding,
- * bind port to localhost only (gateway ports == 0).
*/
- channel_request_local_forwarding(port, hostname, host_port, 0);
+ channel_request_local_forwarding(port, hostname, host_port, gateway_ports);
/* Free the argument string. */
xfree(hostname);
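Review bot: Dropping the "bind port to localhost only" line leaves the comment reading just `Initiate forwarding,` and the new `gateway_ports` argument undocumented, although it now decides whether the listener stays on loopback. Judging by the removed line, 0 means localhost-only, so a non-zero value presumably exposes the forwarded port to other hosts; that should be stated where the value is passed, e.g. `* Initiate forwarding; bind to localhost only unless gateway_ports is set.` The comment above the prototype in the channels.h hunk (`channel_input_port_forward_request(int is_root, int gateway_ports)`) should describe the parameter too. The function body continues outside this hunk.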
diff --git a/channels.h b/channels.h
index 26393426..9763edf8 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* RCSID("$Id: channels.h,v 1.8 2000/04/30 00:00:54 damien Exp $"); */
+/* RCSID("$Id: channels.h,v 1.9 2000/05/07 02:03:15 damien Exp $"); */
#ifndef CHANNELS_H
#define CHANNELS_H
@@ -56,7 +56,7 @@ typedef struct Channel {
char *ctype; /* type */
- // callback
+ /* callback */
channel_callback_fn *cb_fn;
void *cb_arg;
int cb_event;
@@ -175,7 +175,7 @@ void channel_permit_all_opens(void);
* listening for the port, and sends back a success reply (or disconnect
* message if there was an error). This never returns if there was an error.
*/
-void channel_input_port_forward_request(int is_root);
+void channel_input_port_forward_request(int is_root, int gateway_ports);
/*
* Creates a port for X11 connections, and starts listening for it. Returns
diff --git a/clientloop.c b/clientloop.c
index 0ee9fc32..382cfe1f 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -16,7 +16,7 @@
*/
#include "includes.h"
-RCSID("$Id: clientloop.c,v 1.13 2000/04/30 00:00:54 damien Exp $");
+RCSID("$Id: clientloop.c,v 1.14 2000/05/07 02:03:16 damien Exp $");
#include "xmalloc.h"
#include "ssh.h"
@@ -971,7 +971,7 @@ client_input_channel_open(int type, int plen)
rwindow = packet_get_int();
rmaxpack = packet_get_int();
- log("server_input_open: ctype %s rchan %d win %d max %d",
+ debug("client_input_channel_open: ctype %s rchan %d win %d max %d",
ctype, rchan, rwindow, rmaxpack);
if (strcmp(ctype, "x11") == 0) {
@@ -1077,7 +1077,7 @@ client_input_channel_req(int id, void *arg)
rtype = packet_get_string(&len);
reply = packet_get_char();
- debug("session_input_channel_req: rtype %s reply %d", rtype, reply);
+ debug("client_input_channel_req: rtype %s reply %d", rtype, reply);
c = channel_lookup(id);
if (c == NULL)
diff --git a/configure.in b/configure.in
index be2a63df..1b099c6b 100644
--- a/configure.in
+++ b/configure.in
@@ -132,7 +132,7 @@ fi
AC_CHECK_HEADERS(bstring.h endian.h lastlog.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h util.h utmp.h utmpx.h)
# Checks for library functions.
-AC_CHECK_FUNCS(arc4random bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt mkdtemp openpty rresvport_af setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy updwtmpx vsnprintf vhangup _getpty)
+AC_CHECK_FUNCS(arc4random b64_ntop bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt mkdtemp openpty rresvport_af setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy updwtmpx vsnprintf vhangup _getpty __b64_ntop)
AC_CHECK_FUNC(login,
[AC_DEFINE(HAVE_LOGIN)],
@@ -196,7 +196,7 @@ saved_CFLAGS="$CFLAGS"
if test "x$prefix" != "xNONE" ; then
tryssldir="$tryssldir $prefix"
fi
-AC_MSG_CHECKING([for OpenSSL/SSLeay directory])
+AC_MSG_CHECKING([for OpenSSL directory])
for ssldir in "" $tryssldir /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
if test ! -z "$ssldir" ; then
LDFLAGS="$saved_LDFLAGS -L$ssldir/lib -L$ssldir"
diff --git a/dsa.c b/dsa.c
index a4f6d3e7..58059080 100644
--- a/dsa.c
+++ b/dsa.c
@@ -28,7 +28,7 @@
*/
#include "includes.h"
-RCSID("$Id: dsa.c,v 1.5 2000/04/26 20:56:29 markus Exp $");
+RCSID("$Id: dsa.c,v 1.6 2000/05/04 22:37:59 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
@@ -63,7 +63,7 @@ dsa_key_from_blob(
Key *key;
#ifdef DEBUG_DSS
- dump_base64(blob, blen);
+ dump_base64(stderr, blob, blen);
#endif
/* fetch & parse DSA/DSS pubkey */
key = key_new(KEY_DSA);