authorDamien Miller <djm@mindrot.org>2000-03-15 12:13:01 +1100
committerDamien Miller <djm@mindrot.org>2000-03-15 12:13:01 +1100
commit8b1c22b7758511461b359461926e47b093a349d3 (patch)
tree482ba5094683dac130413f7c2d4971e9b2a31761 /contrib
parentf09b07a971f64cf69f2c45a364c3d56559f7c1c3 (diff)
- Created contrib/ subdirectory. Included helpers from Phil Hands'
Debian package, README file and chroot patch from Ricardo Cerqueira <rmcc@clix.pt> - Moved gnome-ssh-askpass.c to contrib directory and removed config option. - Slight cleanup to doc files
Diffstat (limited to 'contrib')
-rw-r--r--contrib/README49
-rw-r--r--contrib/chroot.diff134
-rw-r--r--contrib/gnome-ssh-askpass.c134
-rw-r--r--contrib/make-ssh-known-hosts.1432
-rw-r--r--contrib/make-ssh-known-hosts.pl737
-rw-r--r--contrib/ssh-copy-id45
-rw-r--r--contrib/ssh-copy-id.167
7 files changed, 1598 insertions, 0 deletions
diff --git a/contrib/README b/contrib/README
new file mode 100644
index 00000000..fda244f6
--- /dev/null
+++ b/contrib/README
@@ -0,0 +1,49 @@
+Other patches and addons for OpenSSH. Please send submissions to
+djm@ibs.com.au
+
+In this directory
+-----------------
+
+chroot.diff:
+
+Ricardo Cerqueira's <rmcc@clix.pt> patch to enable chrooting using the
+wu-ftpd style magic home directories (containing '/./'). More details in
+the head of the patch itself.
+
+make-ssh-known-hosts:
+
+Tero Kivinen's <Tero.Kivinen@hut.fi> PERL script to generate
+ssh_known_hosts files by trawling tjhrough the DNS. More details in the
+manpage.
+
+ssh-copy-id:
+
+Phil Hands' <phil@hands.com> shell script to automate the process of adding
+your public key to a remote machine's ~/.ssh/authorized_keys file.
+
+gnome-ssh-askpass:
+
+A GNOME passphrase requester of my own creation. Compilation instructions
+are in the top of the file.
+
+Externally maintained
+---------------------
+
+liblogin:
+
+liblogin is Andre Lucas' cross platform login library. It handles all the
+yucky details of wtmp, utmp and lastlog (which every OS vendor has
+seen fit to implement differently) in one clean library.
+
+OpenSSH will require liblogin in the near future, but for now it is
+recommended for users with login logging problems or curiosity.
+
+http://dspace.dial.pipex.com/andre.lucas/liblogin.html
+
+X11 SSH Askpass:
+
+Jim Knoble <jmknoble@pobox.com> has written an excellent X11
+passphrase requester. This is highly recommended:
+
+http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/index.html
+
diff --git a/contrib/chroot.diff b/contrib/chroot.diff
new file mode 100644
index 00000000..850bd8ff
--- /dev/null
+++ b/contrib/chroot.diff
@@ -0,0 +1,134 @@
+From: Ricardo Cerqueira <rmcc@clix.pt>
+
+A patch to cause sshd to chroot when it encounters the magic token
+'/./' in a users home directory. The directory portion before the
+token is the directory to chroot() to, the portion after the
+token is the user's home directory relative to the new root.
+
+
+
+diff -ruN openssh-1.2.3pre2-orig/acconfig.h openssh-1.2.3pre2/acconfig.h
+--- openssh-1.2.3pre2-orig/acconfig.h Sat Mar 11 20:45:40 2000
++++ openssh-1.2.3pre2/acconfig.h Wed Mar 15 11:44:33 2000
+@@ -159,6 +159,9 @@
+ /* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */
+ #undef IPV4_IN_IPV6
+
++/* Define if you want to enable chrooted users */
++#undef CHROOT
++
+ @BOTTOM@
+
+ /* ******************* Shouldn't need to edit below this line ************** */
+diff -ruN openssh-1.2.3pre2-orig/config.h.in openssh-1.2.3pre2/config.h.in
+--- openssh-1.2.3pre2-orig/config.h.in Wed Mar 15 11:51:02 2000
++++ openssh-1.2.3pre2/config.h.in Wed Mar 15 11:46:33 2000
+@@ -140,6 +140,9 @@
+ /* Detect IPv4 in IPv6 mapped addresses and treat as IPv4 */
+ #undef IPV4_IN_IPV6
+
++/* Define if you want to enable chrooted users */
++#undef CHROOT
++
+ /* The number of bytes in a char. */
+ #undef SIZEOF_CHAR
+
+diff -ruN openssh-1.2.3pre2-orig/configure openssh-1.2.3pre2/configure
+--- openssh-1.2.3pre2-orig/configure Wed Mar 15 11:51:03 2000
++++ openssh-1.2.3pre2/configure Wed Mar 15 11:46:34 2000
+@@ -52,6 +52,8 @@
+ ac_help="$ac_help
+ --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses"
+ ac_help="$ac_help
++ --with-chroot Enable chroot using /./ directory token"
++ac_help="$ac_help
+ --with-pid-dir=PATH Specify location of ssh.pid file"
+
+ # Initialize some variables set by options.
+@@ -3605,6 +3607,22 @@
+
+ else
+ echo "$ac_t""no (default)" 1>&6
++ fi
++
++
++fi
++
++
++# Whether to enable the magic chroot token
++# Check whether --with-chroot or --without-chroot was given.
++if test "${with_chroot+set}" = set; then
++ withval="$with_chroot"
++
++ if test "x$withval" != "xno" ; then
++ cat >> confdefs.h <<\EOF
++#define CHROOT 1
++EOF
++
+ fi
+
+
+diff -ruN openssh-1.2.3pre2-orig/configure.in openssh-1.2.3pre2/configure.in
+--- openssh-1.2.3pre2-orig/configure.in Sat Mar 11 20:45:41 2000
++++ openssh-1.2.3pre2/configure.in Wed Mar 15 11:46:04 2000
+@@ -810,6 +810,16 @@
+ ]
+ )
+
++# Whether to enable the magic chroot token
++AC_ARG_WITH(chroot,
++ [ --with-chroot Enable chroot using /./ directory token],
++ [
++ if test "x$withval" != "xno" ; then
++ AC_DEFINE(CHROOT)
++ fi
++ ]
++)
++
+ # Where to place sshd.pid
+ piddir=/var/run
+ AC_ARG_WITH(pid-dir,
+diff -ruN openssh-1.2.3pre2-orig/sshd.c openssh-1.2.3pre2/sshd.c
+--- openssh-1.2.3pre2-orig/sshd.c Sat Mar 11 11:58:29 2000
++++ openssh-1.2.3pre2/sshd.c Wed Mar 15 11:43:38 2000
+@@ -2365,6 +2365,10 @@
+ extern char **environ;
+ struct stat st;
+ char *argv[10];
++#ifdef CHROOT /* patch by rmcc */
++ char *user_dir;
++ char *new_root;
++#endif /* CHROOT */
+
+ #ifndef USE_PAM /* pam_nologin handles this */
+ /* Check /etc/nologin. */
+@@ -2422,6 +2426,29 @@
+ krb_afslog(0, 0);
+ }
+ #endif /* AFS */
++
++#ifdef CHROOT /* patch by rmcc */
++
++ user_dir = xstrdup(pw->pw_dir);
++ new_root = user_dir;
++
++ while((new_root = strchr(new_root, '.')) != NULL){
++ new_root--;
++ if(strncmp(new_root, "/./", 3) == 0){
++ *new_root = 0;
++ new_root += 2;
++ if(chroot(user_dir) != 0){
++ printf("Couldn't chroot!\n");
++ exit(1);
++ }
++ pw->pw_dir = new_root;
++ break;
++ }
++ new_root +=2;
++ }
++
++
++#endif /* CHROOT */
+
+ /* Initialize the environment. */
+ envsize = 100;
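Review bot: The `/./` scan in the sshd.c part of this patch steps `new_root--` before it knows the matched '.' is not the first byte of `user_dir`, so a `pw_dir` that begins with '.' makes `strncmp` read one byte before the allocation; `new_root = strstr(user_dir, "/./")` finds the token without the backwards step. After `chroot(user_dir)` succeeds, the visible lines never call `chdir("/")`, so the working directory may still lie outside the new root unless code beyond the hunk changes it; `if (chroot(user_dir) != 0 || chdir("/") != 0)` would cover both. The introductory text should also state that the directory before the token needs to be root-owned and not writable by the confined user, because files the user can place there are seen as system files by anything running inside the new root. The enclosing function starts and ends outside the hunk.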
diff --git a/contrib/gnome-ssh-askpass.c b/contrib/gnome-ssh-askpass.c
new file mode 100644
index 00000000..fd537e67
--- /dev/null
+++ b/contrib/gnome-ssh-askpass.c
@@ -0,0 +1,134 @@
+/*
+ Compile with:
+
+ cc `gnome-config --cflags gnome gnomeui` \
+ gnome-ssh-askpass.c -o gnome-ssh-askpass \
+ `gnome-config --libs gnome gnomeui`
+
+*/
+
+/*
+**
+** GNOME ssh passphrase requestor
+**
+** Damien Miller <djm@ibs.com.au>
+**
+** Copyright 1999 Internet Business Solutions
+**
+** Permission is hereby granted, free of charge, to any person
+** obtaining a copy of this software and associated documentation
+** files (the "Software"), to deal in the Software without
+** restriction, including without limitation the rights to use, copy,
+** modify, merge, publish, distribute, sublicense, and/or sell copies
+** of the Software, and to permit persons to whom the Software is
+** furnished to do so, subject to the following conditions:
+**
+** The above copyright notice and this permission notice shall be
+** included in all copies or substantial portions of the Software.
+**
+** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
+** KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+** WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
+** AND NONINFRINGEMENT. IN NO EVENT SHALL DAMIEN MILLER OR INTERNET
+** BUSINESS SOLUTIONS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+** ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
+** OR OTHER DEALINGS IN THE SOFTWARE.
+**
+** Except as contained in this notice, the name of Internet Business
+** Solutions shall not be used in advertising or otherwise to promote
+** the sale, use or other dealings in this Software without prior
+** written authorization from Internet Business Solutions.
+**
+*/
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <gnome.h>
+#include <X11/Xlib.h>
+#include <gdk/gdkx.h>
+
+int passphrase_dialog(char **passphrase_p, char *message)
+{
+ char *passphrase;
+ int result;
+
+ GtkWidget *dialog, *entry, *label;
+
+ dialog = gnome_dialog_new("OpenSSH", GNOME_STOCK_BUTTON_OK,
+ GNOME_STOCK_BUTTON_CANCEL, NULL);
+
+ label = gtk_label_new(message);
+ gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), label, FALSE,
+ FALSE, 0);
+
+ entry = gtk_entry_new();
+ gtk_box_pack_start(GTK_BOX(GNOME_DIALOG(dialog)->vbox), entry, FALSE,
+ FALSE, 0);
+ gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
+ gtk_widget_grab_focus(entry);
+
+ /* Center window and prepare for grab */
+ gtk_object_set(GTK_OBJECT(dialog), "type", GTK_WINDOW_POPUP, NULL);
+ gnome_dialog_set_default(GNOME_DIALOG(dialog), 0);
+ gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
+ gtk_window_set_policy(GTK_WINDOW(dialog), FALSE, FALSE, TRUE);
+ gnome_dialog_close_hides(GNOME_DIALOG(dialog), TRUE);
+ gtk_container_set_border_width(GTK_CONTAINER(GNOME_DIALOG(dialog)->vbox), GNOME_PAD);
+ gtk_widget_show_all(dialog);
+
+ /* Grab focus */
+ XGrabServer(GDK_DISPLAY());
+ gdk_pointer_grab(dialog->window, TRUE, 0, NULL, NULL, GDK_CURRENT_TIME);
+ gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME);
+
+ /* Make <enter> close dialog */
+ gnome_dialog_editable_enters(GNOME_DIALOG(dialog), GTK_EDITABLE(entry));
+
+ /* Run dialog */
+ result = gnome_dialog_run(GNOME_DIALOG(dialog));
+
+ /* Ungrab */
+ XUngrabServer(GDK_DISPLAY());
+ gdk_pointer_ungrab(GDK_CURRENT_TIME);
+ gdk_keyboard_ungrab(GDK_CURRENT_TIME);
+ gdk_flush();
+
+ passphrase = gtk_entry_get_text(GTK_ENTRY(entry));
+
+ /* Take copy of passphrase if user selected OK */
+ if (result == 0)
+ *passphrase_p = strdup(passphrase);
+ else
+ *passphrase_p = NULL;
+
+ /* Zero existing passphrase */
+ memset(passphrase, '\0', strlen(passphrase));
+ gtk_entry_set_text(GTK_ENTRY(entry), passphrase);
+
+ gnome_dialog_close(GNOME_DIALOG(dialog));
+
+ return (result == 0);
+}
+
+int main(int argc, char **argv)
+{
+ char *passphrase;
+ char *message;
+
+ gnome_init("GNOME ssh-askpass", "0.1", argc, argv);
+
+ if (argc == 2)
+ message = argv[1];
+ else
+ message = "Enter your OpenSSH passphrase:";
+
+ if (passphrase_dialog(&passphrase, message))
+ {
+ puts(passphrase);
+ memset(passphrase, '\0', strlen(passphrase));
+ }
+
+ return 0;
+}
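Review bot: The return values of `gdk_pointer_grab()` and `gdk_keyboard_grab()` in passphrase_dialog() are discarded, so if another client already holds the keyboard the dialog still runs and the passphrase is typed without the grab that presumably exists to keep other X clients from seeing it; test both for a non-zero status and close the dialog with an error rather than reaching `gnome_dialog_run()`. `strdup(passphrase)` is unchecked as well, and on allocation failure the function still returns true, which leads main() to `puts(NULL)`; `return (result == 0 && *passphrase_p != NULL);` avoids that. In main() the copy is cleared with `memset` but never freed, and a clearing store right before `return` is one a compiler may drop, so a comment there stating the intent would help whoever hardens it later.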
diff --git a/contrib/make-ssh-known-hosts.1 b/contrib/make-ssh-known-hosts.1
new file mode 100644
index 00000000..cf0d52f0
--- /dev/null
+++ b/contrib/make-ssh-known-hosts.1
@@ -0,0 +1,432 @@
+.\" -*- nroff -*-
+.\" ----------------------------------------------------------------------
+.\" make-ssh-known-hosts.1 -- Make ssh-known-hosts file
+.\" Copyright (c) 1995 Tero Kivinen
+.\" All Rights Reserved.
+.\"
+.\" Make-ssh-known-hosts is distributed in the hope that it will be
+.\" useful, but WITHOUT ANY WARRANTY. No author or distributor accepts
+.\" responsibility to anyone for the consequences of using it or for
+.\" whether it serves any particular purpose or works at all, unless he
+.\" says so in writing. Refer to the General Public License for full
+.\" details.
+.\"
+.\" Everyone is granted permission to copy, modify and redistribute
+.\" make-ssh-known-hosts, but only under the conditions described in
+.\" the General Public License. A copy of this license is supposed to
+.\" have been given to you along with make-ssh-known-hosts so you can
+.\" know your rights and responsibilities. It should be in a file named
+.\" COPYING. Among other things, the copyright notice and this notice
+.\" must be preserved on all copies.
+.\" ----------------------------------------------------------------------
+.\" Program: make-ssh-known-hosts.1
+.\" $Source: /var/cvs/openssh/contrib/Attic/make-ssh-known-hosts.1,v $
+.\" Author : $Author: damien $
+.\"
+.\" (C) Tero Kivinen 1995 <Tero.Kivinen@hut.fi>
+.\"
+.\" Creation : 03:51 Jun 28 1995 kivinen
+.\" Last Modification : 03:44 Jun 28 1995 kivinen
+.\" Last check in : $Date: 2000/03/15 01:13:03 $
+.\" Revision number : $Revision: 1.1 $
+.\" State : $State: Exp $
+.\" Version : 1.1
+.\"
+.\" Description : Manual page for make-ssh-known-hosts.pl
+.\"
+.\" $Log: make-ssh-known-hosts.1,v $
+.\" Revision 1.1 2000/03/15 01:13:03 damien
+.\" - Created contrib/ subdirectory. Included helpers from Phil Hands'
+.\" Debian package, README file and chroot patch from Ricardo Cerqueira
+.\" <rmcc@clix.pt>
+.\" - Moved gnome-ssh-askpass.c to contrib directory and reomved config
+.\" option.
+.\" - Slight cleanup to doc files
+.\"
+.\" Revision 1.4 1998/07/08 00:40:14 kivinen
+.\" Changed to do similar commercial #ifdef processing than other
+.\" files.
+.\"
+.\" Revision 1.3 1998/06/11 00:07:21 kivinen
+.\" Fixed comment characters.
+.\"
+.\" Revision 1.2 1997/04/27 21:48:28 kivinen
+.\" Added F-SECURE stuff.
+.\"
+.\" Revision 1.1.1.1 1996/02/18 21:38:13 ylo
+.\" Imported ssh-1.2.13.
+.\"
+.\" Revision 1.5 1995/10/02 01:23:23 ylo
+.\" Make substitutions by configure.
+.\"
+.\" Revision 1.4 1995/08/31 09:21:35 ylo
+.\" Minor cleanup.
+.\"
+.\" Revision 1.3 1995/08/29 22:37:10 ylo
+.\" Minor cleanup.
+.\"
+.\" Revision 1.2 1995/07/15 13:26:11 ylo
+.\" Changes from kivinen.
+.\"
+.\" Revision 1.1.1.1 1995/07/12 22:41:05 ylo
+.\" Imported ssh-1.0.0.
+.\"
+.\"
+.\"
+.\" If you have any useful modifications or extensions please send them to
+.\" Tero.Kivinen@hut.fi
+.\"
+.\"
+.\"
+.\"
+.\"
+.\" #ifndef F_SECURE_COMMERCIAL
+.TH MAKE-SSH-KNOWN-HOSTS 1 "November 8, 1995" "SSH TOOLS" "SSH TOOLS"
+.\" #endif F_SECURE_COMMERCIAL
+.SH NAME
+make-ssh-known-hosts \- make ssh_known_hosts file from DNS data
+.SH SYNOPSIS
+.na
+.TP
+.B make-ssh-known-hosts
+.RB "[\|" "\-\-initialdns "\c
+.I initial_dns\c
+\|]
+.br
+.RB "[\|" "\-\-server "\c
+.I domain_name_server\c
+\|]
+.br
+.RB "[\|" "\-\-subdomains "\c
+.I comma_separated_list_of_subdomains\c
+\|]
+.br
+.RB "[\|" "\-\-debug "\c
+.I debug_level\c
+\|]
+.br
+.RB "[\|" "\-\-timeout "\c
+.I ssh_exec_timeout\c
+\|]
+.br
+.RB "[\|" "\-\-pingtimeout "\c
+.I ping_timeout\c
+\|]
+.br
+.RB "[\|" "\-\-passwordtimeout "\c
+.I timeout_when_asking_password\c
+\|]
+.br
+.RB "[\|" "\-\-notrustdaemon" "\|]"
+.br
+.RB "[\|" "\-\-norecursive" "\|]"
+.br
+.RB "[\|" "\-\-domainnamesplit" "\|]"
+.br
+.RB "[\|" "\-\-silent" "\|]"
+.br
+.RB "[\|" "\-\-keyscan" "\|]"
+.br
+.RB "[\|" "\-\-nslookup "\c
+.I path_to_nslookup_program\c
+\|]
+.br
+.RB "[\|" "\-\-ssh "\c
+.I path_to_ssh_program\c
+\|]
+.br
+.IR "domain_name " "[\|" "take_regexp " "[\|" "remove_regexp"\|]\|]"
+
+.SH DESCRIPTION
+.LP
+.B make-ssh-known-hosts
+is a perl5 script that helps create the
+.I /etc/ssh_known_hosts
+file, which is used by
+.B ssh
+to contain the host keys of all publicly known hosts.
+.B Ssh
+does not normally permit login using rhosts or /etc/hosts.equiv
+authentication unless the server knows the client's host key. In
+addition, the host keys are used to prevent man-in-the-middle attacks.
+.LP
+In addition to
+.IR /etc/ssh_known_hosts ",
+.B ssh
+also uses the
+.I $HOME/.ssh/known_hosts
+file. This file, however, is intended to contain only those hosts
+that the particular user needs but are not in the global file. It is
+intended that the
+.I /etc/ssh_known_hosts
+file be maintained by the system administration, and periodically
+updated to contain the host keys for any new hosts.
+.LP
+The
+.B make-ssh-known-hosts
+program finds all the hosts in a domain by making a DNS query to the
+master domain name server of the domain. The master domain name server
+is located by searching for the SOA record of the domain from the initial
+domain name server (which can be specified with the
+.B \-\-initialdns
+option). The master domain name server can also be given directly with
+the
+.B \-\-server
+option.
+.LP
+After getting the hostname list
+.B make-ssh-known-hosts
+tries to get the public key from every host in the domain. It first
+tries to connect ssh port to check check if the host is alive, and if
+so, it tries to run the command
+.B cat /etc/ssh_host_key.pub
+on the remote machine using
+.BR ssh ".
+If the command succeeds, it knows the remote machine has
+.B ssh
+installed properly, and it then extracts the public key from the
+output, and prints the
+.B /etc/ssh_known_hosts
+entry for it to
+.BR STDOUT ". Because
+.B make-ssh-known-hosts
+is usually run before
+remote machines have /etc/ssh_known_hosts file you may have to use
+RSA-authentication to allow access to hosts.
+.LP
+If the command fails for some reason, it checks if the
+.B ssh
+client still got the public key from the remote host in the initial dialog,
+and if so, it will print a proper entry, and if
+.B \-\-notrustdaemon
+option is given comment it out.
+.LP
+.I Domain_name
+is the domain name for which the file is to be generated. By default
+.B make-ssh-known-hosts
+extracts also all subdomains of domain. Many sites will want to
+include several domains in their
+.I /etc/ssh_known_hosts
+file. The entries for each domain should be extracted separately by
+running
+.B make-ssh-known-hosts
+once for each domain. The results should then be combined to create
+the final file.
+.LP
+.I Take_regexp
+is a perl regular expression that matches the hosts to be taken from the
+domain. The data matched contains all the DNS records in the form "\|\c
+.B fieldname=value\c
+\|". The fields are separated with newline, and the perl match is made in
+multiline mode and it is case insensetive. The multiline mode means
+that you can use a regexp like "\|\c
+.B ^wks=.*telnet.*$\c
+\|" to match all hosts that have WKS (well known services) field that
+contains value "telnet".
+.LP
+.I Remove_regexp
+is similar but those hosts that match the regexp are not added (it can
+be used for example to filter out PCs and Macs using the hinfo field: "\|\c
+.B ^hinfo=.*(mac|pc)\c
+\|").
+
+.SH OPTIONS
+.TP
+.BI "\-\-initialdns " "initial_dns"\c
+.TP
+.BI "\-i " "initial_dns"\c
+\&Set the initial domain name server used to query the SOA record of the
+domain.
+
+.TP
+.BI "\-\-server " "domain_name_server"\c
+.TP
+.BI "\-se " "domain_name_server"\c
+\&Set the master domain name server of the domain. This host is used
+to query the DNS list of the domain.
+
+.TP
+.BI "\-\-subdomains " "subdomainlist"\c
+.TP
+.BI "\-su " "subdomainlist"\c
+\&Comma separated list of subdomains that are added to hostnames. For
+example, if subdomainlist is "\|\c
+.I ,foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
+\|" then when host foobar is added to
+.B /etc/ssh_known_hosts
+file it has aliases "\|\c
+.I foobar, foobar.foo, foobar.foo.bar, foobar.foo.bar.zappa, foobar.foo.bar.zappa.hut.fi\c
+\|". The default action is to take all subparts of the host but the
+second last on a host by host basis. (The last element is usually the
+country code, and something like
+.I foobar.foo.bar.zappa.hut
+would not make sense.)
+
+.TP
+.BI "\-\-debug " "debug_level"\c
+.TP
+.BI "\-de " "debug_level"\c
+\&Set the debug level. Default is 5, bigger values give more output.
+Using a big value (like 999) will print lots of debugging output.
+
+.TP
+.BI "\-\-timeout " "ssh_exec_timeout"\c
+.TP
+.BI "\-ti " "ssh_exec_timeout"\c
+\&Timeout when executing
+.B ssh
+command. The default is 60 seconds.
+
+.TP
+.BI "\-\-pingtimeout " "ping_timeout"\c
+.TP
+.BI "\-pi " "ping_timeout"\c
+\&Timeout when trying to ping the ssh port. The default is 3 seconds.
+
+.TP
+.BI "\-\-passwordtimeout " "timeout_when_asking_password"\c
+.TP
+.BI "\-pa " "timeout_when_asking_password"\c
+\&Timeout when asking password for ssh command. Default is that no
+passwords are queried. Use value 0 to have no timeout for password queries.
+
+.TP
+.BI "\-\-notrustdaemon"\c
+.TP
+.BI "\-notr"\c
+\&If the
+.B ssh
+command fails, use the public key stored in the local known hosts file
+and trust it is the correct key for the host. If this option is not
+given such entries are commented out in the generated
+.B /etc/ssh_known_hosts
+file.
+
+.TP
+.BI "\-\-norecursive"\c
+.TP
+.BI "\-nor"\c
+\&Tell
+.B make-ssh-known-hosts
+that it should only extract keys for the given domain, and not to be
+recursive.
+
+.TP
+.BI "\-\-domainnamesplit"\c
+.TP
+.BI "\-do"\c
+\&Split the domainname to get the list of subdomains. Use this option
+if you don't want hostname to splitted to pieces automatically.
+Default splitting is done host by host basis. If the domain is
+zappa.hut.fi, and the host name is foo.bar then default action adds
+entries "\|\c
+.I foo, foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
+\|" and this options adds entries "\|\c
+.I foo.bar, foo.bar.zappa, foo.bar.zappa.hut.fi\c
+\|").
+
+.TP
+.BI "\-\-silent"\c
+.TP
+.BI "\-si"\c
+\&Be silent.
+
+.TP
+.BI "\-\-keyscan"\c
+.TP
+.BI "\-k"\c
+\&Output list of all hosts in format "ipaddr1,ipaddr2,...ipaddrn
+hostname.domain.co,hostname,ipaddr1,ipaddr2,all_other_hostname_entries".
+The output of this can be feeded to ssh-keyscan to fetch keys.
+
+.TP
+.BI "\-\-nslookup " "path_to_nslookup_program"\c
+.TP
+.BI "\-n " "path_to_nslookup_program"\c
+\&Path to the
+.B nslookup
+program.
+
+.TP
+.BI "\-\-ssh " "path_to_ssh_program"\c
+.TP
+.BI "\-ss " "path_to_ssh_program"\c
+\&Path to the
+.B ssh
+program, including all options.
+
+.SH EXAMPLES
+.LP
+The following command:
+.IP
+.B example# make-ssh-known-hosts cs.hut.fi > \c
+.B /etc/ssh_known_hosts
+.LP
+finds all public keys of the hosts in
+.B cs.hut.fi
+domain and put them to
+.B /etc/ssh_known_hosts
+file splitting domain names on a per host basis.
+.LP
+The command
+.IP
+.B example% make-ssh-known-hosts hut.fi '^wks=.*ssh' > \c
+.B hut-hosts
+.LP
+finds all hosts in
+.B hut.fi
+domain, and its subdomains having own name server (cs.hut.fi,
+tf.hut.fi, tky.hut.fi) that have ssh service and puts their public key
+to hut-hosts file. This would require that the domain name server of
+hut.fi would define all hosts running ssh to have entry ssh in their
+WKS record. Because nobody yet adds ssh to WKS, it would be better to
+use command
+.IP
+.B example% make-ssh-known-hosts hut.fi '^wks=.*telnet' > \c
+.B hut-hosts
+.LP
+that would take those host having telnet service. This uses default
+subdomain list.
+
+.LP
+The command:
+.IP
+.B example% make-ssh-known-hosts hut.fi 'dipoli.hut.fi' '^hinfo=.*(mac|pc)' > \c
+.B dipoli-hosts
+.LP
+finds all hosts in hut.fi domain that are in dipoli.hut.fi subdomain
+(note dipoli.hut.fi does not have own name server so its entries are
+in hut.fi-server) and that are not Mac or PC.
+
+.SH FILES
+.ta 3i
+/etc/ssh_known_hosts Global host public key list
+
+.SH "SEE ALSO"
+.BR ssh (1),
+.BR sshd (8),
+.BR ssh-keygen (1),
+.BR ping (8),
+.BR nslookup (8),
+.BR perl (1),
+.BR perlre (1)
+
+.SH AUTHOR
+Tero Kivinen <kivinen@hut.fi>
+
+.SH COPYING
+.LP
+Permission is granted to make and distribute verbatim copies of
+this manual provided the copyright notice and this permission notice
+are preserved on all copies.
+.LP
+Permission is granted to copy and distribute modified versions of this
+manual under the conditions for verbatim copying, provided that the
+entire resulting derived work is distributed under the terms of a
+permission notice identical to this one.
+.LP
+Permission is granted to copy and distribute translations of this
+manual into another language, under the above conditions for modified
+versions, except that this permission notice may be included in
+translations approved by the the author instead of in the original
+English.
diff --git a/contrib/make-ssh-known-hosts.pl b/contrib/make-ssh-known-hosts.pl
new file mode 100644
index 00000000..49c9f618
--- /dev/null
+++ b/contrib/make-ssh-known-hosts.pl
@@ -0,0 +1,737 @@
+#!/usr/bin/perl -w
+# -*- perl -*-
+######################################################################
+# make-ssh-known-hosts.pl -- Make ssh-known-hosts file
+# Copyright (c) 1995 Tero Kivinen
+# All Rights Reserved.
+#
+# Make-ssh-known-hosts is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY. No author or distributor accepts
+# responsibility to anyone for the consequences of using it or for
+# whether it serves any particular purpose or works at all, unless he
+# says so in writing. Refer to the GNU General Public License for full
+# details.
+#
+# Everyone is granted permission to copy, modify and redistribute
+# make-ssh-known-hosts, but only under the conditions described in
+# the GNU General Public License. A copy of this license is supposed to
+# have been given to you along with make-ssh-known-hosts so you can
+# know your rights and responsibilities. It should be in a file named
+# gnu-COPYING-GPL. Among other things, the copyright notice and this notice
+# must be preserved on all copies.
+######################################################################
+# Program: make-ssh-known-hosts.pl
+# $Source: /var/cvs/openssh/contrib/Attic/make-ssh-known-hosts.pl,v $
+# Author : $Author: damien $
+#
+# (C) Tero Kivinen 1995 <Tero.Kivinen@hut.fi>
+#
+# Creation : 19:52 Jun 27 1995 kivinen
+# Last Modification : 00:07 Jul 8 1998 kivinen
+# Last check in : $Date: 2000/03/15 01:13:03 $
+# Revision number : $Revision: 1.1 $
+# State : $State: Exp $
+# Version : 1.343
+# Edit time : 242 min
+#
+# Description : Make ssh-known-host file from dns data.
+#
+# $Log: make-ssh-known-hosts.pl,v $
+# Revision 1.1 2000/03/15 01:13:03 damien
+# - Created contrib/ subdirectory. Included helpers from Phil Hands'
+# Debian package, README file and chroot patch from Ricardo Cerqueira
+# <rmcc@clix.pt>
+# - Moved gnome-ssh-askpass.c to contrib directory and reomved config
+# option.
+# - Slight cleanup to doc files
+#
+# Revision 1.6 1998/07/08 00:44:23 kivinen
+# Fixed to understand bind 8 nslookup output.
+#
+# Revision 1.5 1998/04/30 01:53:33 kivinen
+# Moved kill before close and added sending SIGINT first and
+# then 1 second sleep before sending SIGKILL.
+#
+# Revision 1.4 1998/04/17 00:39:19 kivinen
+# Changed to close ssh program filedescriptor before killing it.
+# Removed ^ from the password matching prompt.
+#
+# Revision 1.3 1997/04/17 04:21:27 kivinen
+# Changed to use 3des by default.
+#
+# Revision 1.2 1997/03/26 07:14:01 kivinen
+# Added EWOULDBLOCK.
+#
+# Revision 1.1.1.1 1996/02/18 21:38:10 ylo
+# Imported ssh-1.2.13.
+#
+# Revision 1.4 1995/10/02 01:23:45 ylo
+# Ping packet size fixes from Kivinen.
+#
+# Revision 1.3 1995/08/29 22:37:39 ylo
+# Now uses GlobalKnownHostsFile and UserKnownHostsFile.
+#
+# Revision 1.2 1995/07/15 13:26:37 ylo
+# Changes from kivinen.
+#
+# Revision 1.1.1.1 1995/07/12 22:41:05 ylo
+# Imported ssh-1.0.0.
+#
+#
+#
+# If you have any useful modifications or extensions please send them to
+# Tero.Kivinen@hut.fi
+#
+######################################################################
+# initialization
+
+require 5.000;
+use Getopt::Long;
+use FileHandle;
+use POSIX;
+use Socket;
+use Fcntl;
+
+$version = ' $Id: make-ssh-known-hosts.pl,v 1.1 2000/03/15 01:13:03 damien Exp $ ';
+
+$command_line = "$0 ";
+foreach $a (@ARGV) {
+ $command_line .= $a . " ";
+}
+STDERR->autoflush(1);
+
+######################################################################
+# default values for options
+
+$debug = 5;
+$defserver = '';
+$bell='\a';
+$public_key = '/etc/ssh_host_key.pub';
+$private_ssh_known_hosts = "/tmp/ssh_known_hosts$$";
+$timeout = 60;
+$ping_timeout = 3;
+$passwordtimeout = undef;
+$trustdaemon = 1;
+$domainnamesplit = 0;
+$recursive = 1;
+
+######################################################################
+# Programs and their options
+
+$nslookup = "nslookup";
+
+$ssh="ssh -a -c 3des -x -o 'ConnectionAttempts 1' -o 'FallBackToRsh no' -o 'GlobalKnownHostsFile /dev/null' -o 'KeepAlive yes' -o 'StrictHostKeyChecking no' -o 'UserKnownHostsFile $private_ssh_known_hosts'";
+$sshdisablepasswordoption="-o 'BatchMode yes' -o 'PasswordAuthentication no'";
+
+######################################################################
+# Cleanup and initialization
+
+unlink($private_ssh_known_hosts);
+$sockaddr = 'S n a4 x8';
+($junk, $junk, $sshport) = getservbyname("ssh", "tcp");
+if (!defined($sshport)) {
+ $sshport = 22;
+}
+($tcpprotoname, $junk, $tcpproto) = getprotobyname('tcp');
+defined($tcpprotoname) || die "getprotobyname : $!";
+
+######################################################################
+# Parse options
+
+GetOptions("initialdns=s", "server=s", "subdomains=s",
+ "debug=i", "timeout=i", "passwordtimeout=i",
+ "trustdaemon!", "domainnamesplit", "silent",
+ "nslookup=s", "pingtimeout=i", "recursive!",
+ "keyscan",
+ "ssh=s")
+ || die "Getopt : $!";
+
+if (defined($opt_initialdns)) { $defserver = $opt_initialdns; }
+
+if (defined($opt_server)) { $server = $opt_server; }
+
+if (defined($opt_subdomains)) { @subdomains = split(/,/, $opt_subdomains); }
+
+if (defined($opt_debug)) { $debug = $opt_debug; }
+
+if (defined($opt_timeout)) { $timeout = $opt_timeout; }
+
+if (defined($opt_pingtimeout)) { $ping_timeout = $opt_pingtimeout; }
+
+if (defined($opt_passwordtimeout)) {
+ $passwordtimeout = $opt_passwordtimeout;
+ $sshdisablepasswordoption = '';
+}
+
+if (defined($opt_trustdaemon)) { $trustdaemon = $opt_trustdaemon; }
+
+if (defined($opt_recursive)) { $recursive = $opt_recursive; }
+
+if (defined($opt_domainnamesplit)) { $domainnamesplit = $opt_domainnamesplit; }
+
+if (defined($opt_silent)) { $bell = ''; }
+
+if (defined($opt_nslookup)) { $nslookup = $opt_nslookup; }
+
+if (defined($opt_ssh)) { $ssh = $opt_ssh; } else {
+ $ssh = "$ssh $sshdisablepasswordoption";
+}
+
+if ($#ARGV == 0) {
+ $domain = "\L$ARGV[0]\E";
+ $grep_yes = '.*';
+ $grep_no = '^$';
+} elsif ($#ARGV == 1) {
+ $domain = "\L$ARGV[0]\E";
+ $grep_yes = $ARGV[1];
+ $grep_no = '^$';
+} elsif ($#ARGV == 2) {
+ $domain = "\L$ARGV[0]\E";
+ $grep_yes = $ARGV[1];
+ $grep_no = $ARGV[2];
+} else {
+ print(STDERR "$0 [--initialdns initial_dns_server] [--server dns_server] [--subdomains sub.sub.domain,sub.sub,sub,] [--debug debug_level] [--timeout ssh_exec_timeout_in_secs] [--pingtimeout ping_timeout_in_secs] [--passwordtimeout timeout_for_password_in_secs] [--notrustdaemon] [--norecursive] [--domainnamesplit] [--silent] [--keyscan] [--nslookup path_to_nslookup] [--ssh path_to_ssh] full.domain [ host_info_take_regexp [ host_info_remove_regex ]]\n");
+ exit(1);
+}
+
+######################################################################
+# Check that ssh program exists
+
+if (system("$ssh > /dev/null 2>&1 ") != 256) {
+ print(STDERR "Error: Could not run ssh program ($ssh): $!\nError: Try giving the path to it with --ssh option\n");
+ exit(1);
+}
+
+######################################################################
+# Generate subdomains list
+
+if (!$domainnamesplit) {
+ debug(6, "Auto splitting host entries");
+} elsif (!defined(@subdomains)) {
+ debug(6, "Generating subdomain list");
+
+ # split domain to pieces
+ @domain_pieces = split(/\./, $domain);
+
+ # add empty domain part
+ push(@subdomains, '');
+
+ # add rest parts, except the one before full domain name
+ $entry='';
+ for(; $#domain_pieces > 1; ) {
+ $entry .= "." . shift(@domain_pieces);
+ push(@subdomains, $entry);
+ }
+
+ # add full domain name
+ push(@subdo