20100410
 - (dtucker) [configure.ac] Put the check for the existence of getaddrinfo
   back so we disable the IPv6 tests if we don't have it.

20100409
 - (dtucker) [contrib/cygwin/Makefile] Don't overwrite files with the wrong
   ones.  Based on a patch from Roumen Petrov.
 - (dtucker) [configure.ac] Bug #1744: use pkg-config for libedit flags if we
   have it and the path is not provided to --with-libedit.  Based on a patch
   from Iain Morgan.
 - (dtucker) [configure.ac defines.h loginrec.c logintest.c] Bug #1732: enable
   utmpx support on FreeBSD where possible.  Patch from Ed Schouten, ok djm@

20100326
 - (djm) [openbsd-compat/bsd-arc4random.c] Fix preprocessor detection
   for arc4random_buf() and arc4random_uniform(); from Josh Gilkerson
 - (dtucker) [configure.ac] Bug #1741: Add section for Haiku, patch originally
   by Ingo Weinhold via Scott McCreary, ok djm@
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2010/03/25 23:38:28
     [servconf.c]
     from portable: getcwd(NULL, 0) doesn't work on all platforms, so
     use a stack buffer; ok dtucker@
   - djm@cvs.openbsd.org 2010/03/26 00:26:58
     [ssh.1]
     mention that -S none disables connection sharing; from Colin Watson
 - (djm) [session.c] Allow ChrootDirectory to work on SELinux platforms -
   set up SELinux execution context before chroot() call. From Russell
   Coker via Colin watson; bz#1726 ok dtucker@
 - (djm) [channels.c] Check for EPFNOSUPPORT as a socket() errno; bz#1721
   ok dtucker@
 - (dtucker) Bug #1725: explicitly link libX11 into gnome-ssh-askpass2 using
   pkg-config, patch from Colin Watson.  Needed for newer linkers (ie gold).
 - (djm) [contrib/ssh-copy-id] Don't blow up when the agent has no keys;
   bz#1723 patch from Adeodato Simóvia Colin Watson; ok dtucker@
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2010/03/26 01:06:13
     [ssh_config.5]
     Reformat default value of PreferredAuthentications entry (current
     formatting implies ", " is acceptable as a separator, which it's not.
     ok djm@

20100324
 - (dtucker) [contrib/cygwin/ssh-host-config] Mount the Windows directory
   containing the services file explicitely case-insensitive.  This allows to
   tweak the Windows services file reliably.  Patch from vinschen at redhat.

20100321
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2010/03/08 09:41:27
     [ssh-keygen.1]
     sort the list of constraints (to -O); ok djm
   - jmc@cvs.openbsd.org 2010/03/10 07:40:35
     [ssh-keygen.1]
     typos; from Ross Richardson
     closes prs 6334 and 6335
   - djm@cvs.openbsd.org 2010/03/10 23:27:17
     [auth2-pubkey.c]
     correct certificate logging and make it more consistent between
     authorized_keys and TrustedCAKeys; ok markus@
   - djm@cvs.openbsd.org 2010/03/12 01:06:25
     [servconf.c]
     unbreak AuthorizedKeys option with a $HOME-relative path; reported by
     vinschen AT redhat.com, ok dtucker@
   - markus@cvs.openbsd.org 2010/03/12 11:37:40
     [servconf.c]
     do not prepend AuthorizedKeysFile with getcwd(), unbreaks relative paths
     free() (not xfree()) the buffer returned by getcwd()
   - djm@cvs.openbsd.org 2010/03/13 21:10:38
     [clientloop.c]
     protocol conformance fix: send language tag when disconnecting normally;
     spotted by 1.41421 AT gmail.com, ok markus@ deraadt@
   - djm@cvs.openbsd.org 2010/03/13 21:45:46
     [ssh-keygen.1]
     Certificates are named *-cert.pub, not *_cert.pub; committing a diff
     from stevesk@ ok me
   - jmc@cvs.openbsd.org 2010/03/13 23:38:13
     [ssh-keygen.1]
     fix a formatting error (args need quoted); noted by stevesk
   - stevesk@cvs.openbsd.org 2010/03/15 19:40:02
     [key.c key.h ssh-keygen.c]
     also print certificate type (user or host) for ssh-keygen -L
     ok djm kettenis
   - stevesk@cvs.openbsd.org 2010/03/16 15:46:52
     [auth-options.c]
     spelling in error message. ok djm kettenis
   - djm@cvs.openbsd.org 2010/03/16 16:36:49
     [version.h]
     crank version to openssh-5.5 since we have a few fixes since 5.4;
     requested deraadt@ kettenis@
 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
   [contrib/suse/openssh.spec] Crank version numbers

20100314
 - (djm) [ssh-pkcs11-helper.c] Move #ifdef to after #defines to fix
   compilation failure when !HAVE_DLOPEN. Reported by felix-mindrot
   AT fefe.de
 - (djm) [Makefile.in] Respecify -lssh after -lopenbsd-compat for
   ssh-pkcs11-helper to repair static builds (we do the same for
   ssh-keyscan). Reported by felix-mindrot AT fefe.de

20100312
 - (tim) [Makefile.in] Now that scard is gone, no need to make $(datadir)
 - (tim) [Makefile.in] Add missing $(EXEEXT) to install targets.
   Patch from Corinna Vinschen.
 - (tim) [contrib/cygwin/Makefile] Fix list of documentation files to install
   on a Cygwin installation. Patch from Corinna Vinschen.

20100311
 - (tim) [contrib/suse/openssh.spec] crank version number here too.
   report by imorgan AT nas.nasa.gov

20100309
 - (dtucker) [configure.ac] Use a proper AC_CHECK_DECL for BROKEN_GETADDRINFO
   so setting it in CFLAGS correctly skips IPv6 tests.

20100308
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2010/03/07 22:16:01
     [ssh-keygen.c]
     make internal strptime string match strftime format;
     suggested by vinschen AT redhat.com and markus@
   - djm@cvs.openbsd.org 2010/03/08 00:28:55
     [ssh-keygen.1]
     document permit-agent-forwarding certificate constraint; patch from
     stevesk@
   - djm@cvs.openbsd.org 2010/03/07 22:01:32
     [version.h]
     openssh-5.4
 - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
   crank version numbers
 - (djm) Release OpenSSH-5.4p1

20100307
 - (dtucker) [auth.c] Bug #1710: call setauthdb on AIX before getpwuid so that
   it gets the passwd struct from the LAM that knows about the user which is
   not necessarily the default.  Patch from Alexandre Letourneau.
 - (dtucker) [session.c] Bug #1567: move setpcred call to before chroot and
   do not set real uid, since that's needed for the chroot, and will be set
   by permanently_set_uid.
 - (dtucker) [session.c] Also initialize creds to NULL for handing to
    setpcred.
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2010/03/07 11:57:13
     [auth-rhosts.c monitor.c monitor_wrap.c session.c auth-options.c sshd.c]
     Hold authentication debug messages until after successful authentication.
     Fixes an info leak of environment variables specified in authorized_keys,
     reported by Jacob Appelbaum.  ok djm@

20100305
 - OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2010/03/04 12:51:25
     [ssh.1 sshd_config.5]
     tweak previous;
   - djm@cvs.openbsd.org 2010/03/04 20:35:08
     [ssh-keygen.1 ssh-keygen.c]
     Add a -L flag to print the contents of a certificate; ok markus@
   - jmc@cvs.openbsd.org 2010/03/04 22:52:40
     [ssh-keygen.1]
     fix Bk/Ek;
   - djm@cvs.openbsd.org 2010/03/04 23:17:25
     [sshd_config.5]
     missing word; spotted by jmc@
   - djm@cvs.openbsd.org 2010/03/04 23:19:29
     [ssh.1 sshd.8]
     move section on CA and revoked keys from ssh.1 to sshd.8's known hosts
     format section and rework it a bit; requested by jmc@
   - djm@cvs.openbsd.org 2010/03/04 23:27:25
     [auth-options.c ssh-keygen.c]
     "force-command" is not spelled "forced-command"; spotted by
     imorgan AT nas.nasa.gov
   - djm@cvs.openbsd.org 2010/03/05 02:58:11
     [auth.c]
     make the warning for a revoked key louder and more noticable
   - jmc@cvs.openbsd.org 2010/03/05 06:50:35
     [ssh.1 sshd.8]
     tweak previous;
   - jmc@cvs.openbsd.org 2010/03/05 08:31:20
     [ssh.1]
     document certificate authentication; help/ok djm
   - djm@cvs.openbsd.org 2010/03/05 10:28:21
     [ssh-add.1 ssh.1 ssh_config.5]
     mention loading of certificate files from [private]-cert.pub when
     they are present; feedback and ok jmc@
 - (tim) [ssh-pkcs11.c] Fix "non-constant initializer" errors in older
   compilers. OK djm@
 - (djm) [ssh-rand-helper.c] declare optind, avoiding compilation failure
   on some platforms
 - (djm) [configure.ac] set -fno-strict-aliasing for gcc4; ok dtucker@

20100304
 - (djm) [ssh-keygen.c] Use correct local variable, instead of
   maybe-undefined global "optarg"
 - (djm) [contrib/redhat/openssh.spec] Replace obsolete BuildPreReq
   on XFree86-devel with neutral /usr/include/X11/Xlib.h;
   imorgan AT nas.nasa.gov in bz#1731
 - (djm) [.cvsignore] Ignore ssh-pkcs11-helper
 - (djm) [regress/Makefile] Cleanup sshd_proxy_orig
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2010/03/03 01:44:36
     [auth-options.c key.c]
     reject strings with embedded ASCII nul chars in certificate key IDs,
     principal names and constraints
   - djm@cvs.openbsd.org 2010/03/03 22:49:50
     [sshd.8]
     the authorized_keys option for CA keys is "cert-authority", not
     "from=cert-authority". spotted by imorgan AT nas.nasa.gov
   - djm@cvs.openbsd.org 2010/03/03 22:50:40
     [PROTOCOL.certkeys]
     s/similar same/similar/; from imorgan AT nas.nasa.gov
   - djm@cvs.openbsd.org 2010/03/04 01:44:57
     [key.c]
     use buffer_get_string_ptr_ret() where we are checking the return
     value explicitly instead of the fatal()-causing buffer_get_string_ptr()
   - djm@cvs.openbsd.org 2010/03/04 10:36:03
     [auth-rh-rsa.c auth-rsa.c auth.c auth.h auth2-hostbased.c auth2-pubkey.c]
     [authfile.c authfile.h hostfile.c hostfile.h servconf.c servconf.h]
     [ssh-keygen.c ssh.1 sshconnect.c sshd_config.5]
     Add a TrustedUserCAKeys option to sshd_config to specify CA keys that
     are trusted to authenticate users (in addition than doing it per-user
     in authorized_keys).
     
     Add a RevokedKeys option to sshd_config and a @revoked marker to
     known_hosts to allow keys to me revoked and banned for user or host
     authentication.
     
     feedback and ok markus@
   - djm@cvs.openbsd.org 2010/03/03 00:47:23
     [regress/cert-hostkey.sh regress/cert-userkey.sh]
     add an extra test to ensure that authentication with the wrong
     certificate fails as it should (and it does)
   - djm@cvs.openbsd.org 2010/03/04 10:38:23
     [regress/cert-hostkey.sh regress/cert-userkey.sh]
     additional regression tests for revoked keys and TrustedUserCAKeys

20100303
 - (djm) [PROTOCOL.certkeys] Add RCS Ident
 - OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2010/02/26 22:09:28
     [ssh-keygen.1 ssh.1 sshd.8]
     tweak previous;
   - otto@cvs.openbsd.org 2010/03/01 11:07:06
     [ssh-add.c]
     zap what seems to be a left-over debug message; ok markus@
   - djm@cvs.openbsd.org 2010/03/02 23:20:57
     [ssh-keygen.c]
     POSIX strptime is stricter than OpenBSD's so do a little dance to
     appease it.
 - (djm) [regress/cert-userkey.sh] s/echo -n/echon/ here too

20100302
 - (tim) [config.guess config.sub] Bug 1722: Update to latest versions from
   http://git.savannah.gnu.org/gitweb/ (2009-12-30 and 2010-01-22
   respectively).

20100301
 - (dtucker) [regress/{cert-hostkey,cfgmatch,cipher-speed}.sh} Replace
   "echo -n" with "echon" for portability.
 - (dtucker) [openbsd-compat/port-linux.c] Make failure to write to the OOM
   adjust log at verbose only, since according to cjwatson in bug #1470
   some virtualization platforms don't allow writes.

20100228
 - (djm) [auth.c] On Cygwin, refuse usernames that have differences in
   case from that matched in the system password database. On this
   platform, passwords are stored case-insensitively, but sshd requires
   exact case matching for Match blocks in sshd_config(5). Based on
   a patch from vinschen AT redhat.com.
 - (tim) [ssh-pkcs11-helper.c] Move declarations before calling functions
   to make older compilers (gcc 2.95) happy.

20100227
 - (djm) [ssh-pkcs11-helper.c ] Ensure RNG is initialised and seeded
 - (djm) [openbsd-compat/bsd-cygwin_util.c] Reduce the set of environment
   variables copied into sshd child processes. From vinschen AT redhat.com

20100226
 - OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2010/02/26 20:29:54
     [PROTOCOL PROTOCOL.agent PROTOCOL.certkeys addrmatch.c auth-options.c]
     [auth-options.h auth.h auth2-pubkey.c authfd.c dns.c dns.h hostfile.c]
     [hostfile.h kex.h kexdhs.c kexgexs.c key.c key.h match.h monitor.c]
     [myproposal.h servconf.c servconf.h ssh-add.c ssh-agent.c ssh-dss.c]
     [ssh-keygen.1 ssh-keygen.c ssh-rsa.c ssh.1 ssh.c ssh2.h sshconnect.c]
     [sshconnect2.c sshd.8 sshd.c sshd_config.5]
     Add support for certificate key types for users and hosts.
     
     OpenSSH certificate key types are not X.509 certificates, but a much
     simpler format that encodes a public key, identity information and
     some validity constraints and signs it with a CA key. CA keys are
     regular SSH keys. This certificate style avoids the attack surface
     of X.509 certificates and is very easy to deploy.
     
     Certified host keys allow automatic acceptance of new host keys
     when a CA certificate is marked as trusted in ~/.ssh/known_hosts.
     see VERIFYING HOST KEYS in ssh(1) for details.
     
     Certified user keys allow authentication of users when the signing
     CA key is marked as trusted in authorized_keys. See "AUTHORIZED_KEYS
     FILE FORMAT" in sshd(8) for details.
     
     Certificates are minted using ssh-keygen(1), documentation is in
     the "CERTIFICATES" section of that manpage.
     
     Documentation on the format of certificates is in the file
     PROTOCOL.certkeys
     
     feedback and ok markus@
   - djm@cvs.openbsd.org 2010/02/26 20:33:21
     [Makefile regress/cert-hostkey.sh regress/cert-userkey.sh]
     regression tests for certified keys

20100224
 - (djm) [pkcs11.h ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
   [ssh-pkcs11.h] Add $OpenBSD$ RCS idents so we can sync portable
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2010/02/11 20:37:47
     [pathnames.h]
     correct comment
   - dtucker@cvs.openbsd.org 2009/11/09 04:20:04
     [regress/Makefile]
     add regression test for ssh-keygen pubkey conversions
   - dtucker@cvs.openbsd.org 2010/01/11 02:53:44
     [regress/forwarding.sh]
     regress test for stdio forwarding
   - djm@cvs.openbsd.org 2010/02/09 04:57:36
     [regress/addrmatch.sh]
     clean up droppings
   - djm@cvs.openbsd.org 2010/02/09 06:29:02
     [regress/Makefile]
     turn on all the malloc(3) checking options when running regression
     tests. this has caught a few bugs for me in the past; ok dtucker@
   - djm@cvs.openbsd.org 2010/02/24 06:21:56
     [regress/test-exec.sh]
     wait for sshd to fully stop in cleanup() function; avoids races in tests
     that do multiple start_sshd/cleanup cycles; "I hate pidfiles" deraadt@
   - markus@cvs.openbsd.org 2010/02/08 10:52:47
     [regress/agent-pkcs11.sh]
     test for PKCS#11 support (currently disabled)
 - (djm) [Makefile.in ssh-pkcs11-helper.8] Add manpage for PKCS#11 helper
 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
   [contrib/suse/openssh.spec] Add PKCS#11 helper binary and manpage

20100212
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2010/02/02 22:49:34
     [bufaux.c]
     make buffer_get_string_ret() really non-fatal in all cases (it was
     using buffer_get_int(), which could fatal() on buffer empty);
     ok markus dtucker
   - markus@cvs.openbsd.org 2010/02/08 10:50:20
     [pathnames.h readconf.c readconf.h scp.1 sftp.1 ssh-add.1 ssh-add.c]
     [ssh-agent.c ssh-keygen.1 ssh-keygen.c ssh.1 ssh.c ssh_config.5]
     replace our obsolete smartcard code with PKCS#11.
        ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20.pdf
     ssh(1) and ssh-keygen(1) use dlopen(3) directly to talk to a PKCS#11
     provider (shared library) while ssh-agent(1) delegates PKCS#11 to
     a forked a ssh-pkcs11-helper process.
     PKCS#11 is currently a compile time option.
     feedback and ok djm@; inspired by patches from Alon Bar-Lev
   - jmc@cvs.openbsd.org 2010/02/08 22:03:05
     [ssh-add.1 ssh-keygen.1 ssh.1 ssh.c]
     tweak previous; ok markus
   - djm@cvs.openbsd.org 2010/02/09 00:50:36
     [ssh-agent.c]
     fallout from PKCS#11: unbreak -D
   - djm@cvs.openbsd.org 2010/02/09 00:50:59
     [ssh-keygen.c]
     fix -Wall
   - djm@cvs.openbsd.org 2010/02/09 03:56:28
     [buffer.c buffer.h]
     constify the arguments to buffer_len, buffer_ptr and buffer_dump
   - djm@cvs.openbsd.org 2010/02/09 06:18:46
     [auth.c]
     unbreak ChrootDirectory+internal-sftp by skipping check for executable
     shell when chrooting; reported by danh AT wzrd.com; ok dtucker@
   - markus@cvs.openbsd.org 2010/02/10 23:20:38
     [ssh-add.1 ssh-keygen.1 ssh.1 ssh_config.5]
     pkcs#11 is no longer optional; improve wording; ok jmc@
   - jmc@cvs.openbsd.org 2010/02/11 13:23:29
     [ssh.1]
     libarary -> library;
 - (djm) [INSTALL Makefile.in README.smartcard configure.ac scard-opensc.c]
   [scard.c scard.h pkcs11.h scard/Makefile.in scard/Ssh.bin.uu scard/Ssh.java]
   Remove obsolete smartcard support
 - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
   Make it compile on OSX
 - (djm) [ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c]
   Use ssh_get_progname to fill __progname
 - (djm) [configure.ac] Enable PKCS#11 support only when we find a working
   dlopen()

20100210
 - (djm) add -lselinux to LIBS before calling AC_CHECK_FUNCS for
   getseuserbyname; patch from calebcase AT gmail.com via
   cjwatson AT debian.org

20100202
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2010/01/30 21:08:33
     [sshd.8]
     debug output goes to stderr, not "the system log"; ok markus dtucker
   - djm@cvs.openbsd.org 2010/01/30 21:12:08
     [channels.c]
     fake local addr:port when stdio fowarding as some servers (Tectia at
     least) validate that they are well-formed;
     reported by imorgan AT nas.nasa.gov
     ok dtucker

20100130
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2010/01/28 00:21:18
     [clientloop.c]
     downgrade an error() to a debug() - this particular case can be hit in
     normal operation for certain sequences of mux slave vs session closure
     and is harmless
   - djm@cvs.openbsd.org 2010/01/29 00:20:41
     [sshd.c]
     set FD_CLOEXEC on sock_in/sock_out; bz#1706 from jchadima AT redhat.com
     ok dtucker@
   - djm@cvs.openbsd.org 2010/01/29 20:16:17
     [mux.c]
     kill correct channel (was killing already-dead mux channel, not
     its session channel)
   - djm@cvs.openbsd.org 2010/01/30 02:54:53
     [mux.c]
     don't mark channel as read failed if it is already closing; suppresses
     harmless error messages when connecting to SSH.COM Tectia server
     report by imorgan AT nas.nasa.gov

20100129
 - (dtucker) [openbsd-compat/openssl-compat.c] Bug #1707: Call OPENSSL_config()
   after registering the hardware engines, which causes the openssl.cnf file to
   be processed.  See OpenSSL's man page for OPENSSL_config(3) for details.
   Patch from Solomon Peachy, ok djm@.

20100128
 - (djm) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2010/01/26 02:15:20
     [mux.c]
     -Wuninitialized and remove a // comment; from portable
     (Id sync only)
   - djm@cvs.openbsd.org 2010/01/27 13:26:17
     [mux.c]
     fix bug introduced in mux rewrite:
     
     In a mux master, when a socket to a mux slave closes before its server
     session (as may occur when the slave has been signalled), gracefully
     close the server session rather than deleting its channel immediately.
     A server may have more messages on that channel to send (e.g. an exit
     message) that will fatal() the client if they are sent to a channel that
     has been prematurely deleted.
     
     spotted by imorgan AT nas.nasa.gov
   - djm@cvs.openbsd.org 2010/01/27 19:21:39
     [sftp.c]
     add missing "p" flag to getopt optstring;
     bz#1704 from imorgan AT nas.nasa.gov

20100126
 - (djm) OpenBSD CVS Sync
   - tedu@cvs.openbsd.org 2010/01/17 21:49:09
     [ssh-agent.1]
     Correct and clarify ssh-add's password asking behavior.
     Improved text dtucker and ok jmc
   - dtucker@cvs.openbsd.org 2010/01/18 01:50:27
     [roaming_client.c]
     s/long long unsigned/unsigned long long/, from tim via portable
     (Id sync only, change already in portable)
   - djm@cvs.openbsd.org 2010/01/26 01:28:35
     [channels.c channels.h clientloop.c clientloop.h mux.c nchan.c ssh.c]
     rewrite ssh(1) multiplexing code to a more sensible protocol.
     
     The new multiplexing code uses channels for the listener and
     accepted control sockets to make the mux master non-blocking, so
     no stalls when processing messages from a slave.
     
     avoid use of fatal() in mux master protocol parsing so an errant slave
     process cannot take down a running master.
     
     implement requesting of port-forwards over multiplexed sessions. Any
     port forwards requested by the slave are added to those the master has
     established.
     
     add support for stdio forwarding ("ssh -W host:port ...") in mux slaves.
     
     document master/slave mux protocol so that other tools can use it to
     control a running ssh(1). Note: there are no guarantees that this
     protocol won't be incompatibly changed (though it is versioned).
     
     feedback Salvador Fandino, dtucker@
     channel changes ok markus@

20100122
 - (tim) [configure.ac] Due to constraints in Windows Sockets in terms of
   socket inheritance, reduce the default SO_RCVBUF/SO_SNDBUF buffer size
   in Cygwin to 65535. Patch from Corinna Vinschen.

20100117
 - (tim) [configure.ac] OpenServer 5 needs BROKEN_GETADDRINFO too.
 - (tim) [configure.ac] On SVR5 systems, use the C99-conforming functions
   snprintf() and vsnprintf() named _xsnprintf() and _xvsnprintf().

20100116
 - (dtucker) [openbsd-compat/pwcache.c] Pull in includes.h and thus defines.h
   so we correctly detect whether or not we have a native user_from_uid.
 - (dtucker) [openbsd-compat/openbsd-compat.h] Prototypes for user_from_uid
   and group_from_gid.
 - (dtucker) [openbsd-compat/openbsd-compat.h] Fix prototypes, spotted by
   Tim.
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2010/01/15 09:24:23
     [sftp-common.c]
     unused
 - (dtucker) [openbsd-compat/pwcache.c] Shrink ifdef area to prevent unused
   variable warnings.
 - (dtucker) [openbsd-compat/openbsd-compat.h] Typo.
 - (tim) [regress/portnum.sh] Shell portability fix.
 - (tim) [configure.ac] Define BROKEN_GETADDRINFO on SVR5 systems. The native
   getaddrinfo() is too old and limited for addr_pton() in addrmatch.c.
 - (tim) [roaming_client.c] Use of <sys/queue.h> is not really portable so we
   use "openbsd-compat/sys-queue.h". s/long long unsigned/unsigned long long/
   to keep USL compilers happy.

20100115
 - (dtucker) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2010/01/13 12:48:34
     [sftp.1 sftp.c]
     sftp.1: put ls -h in the right place
     sftp.c: as above, plus add -p to get/put, and shorten their arg names
     to keep the help usage nicely aligned
     ok djm
   - djm@cvs.openbsd.org 2010/01/13 23:47:26
     [auth.c]
     when using ChrootDirectory, make sure we test for the existence of the
     user's shell inside the chroot; bz #1679, patch from alex AT rtfs.hu;
     ok dtucker
   - dtucker@cvs.openbsd.org 2010/01/14 23:41:49
     [sftp-common.c]
     use user_from{uid,gid} to lookup up ids since it keeps a small cache.
     ok djm
   - guenther@cvs.openbsd.org 2010/01/15 00:05:22
     [sftp.c]
     Reset SIGTERM to SIG_DFL before executing ssh, so that even if sftp
     inherited SIGTERM as ignored it will still be able to kill the ssh it
     starts.
     ok dtucker@
 - (dtucker) [openbsd-compat/pwcache.c] Pull in pwcache.c from OpenBSD (no
   changes yet but there will be some to come).
 - (dtucker) [configure.ac openbsd-compat/{Makefile.in,pwcache.c} Portability
   for pwcache.  Also, added caching of negative hits.

20100114
 - (djm) [platform.h] Add missing prototype for
   platform_krb5_get_principal_name

20100113
 - (dtucker) [monitor_fdpass.c] Wrap poll.h include in ifdefs.
 - (dtucker) [openbsd-compat/readpassphrase.c] Resync against OpenBSD's r1.18:
   missing restore of SIGTTOU and some whitespace.
 - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.21.
 - (dtucker) [openbsd-compat/readpassphrase.c] Update to OpenBSD's r1.22.
   Fixes bz #1590, where sometimes you could not interrupt a connection while
   ssh was prompting for a passphrase or password.
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2010/01/13 00:19:04
     [sshconnect.c auth.c]
     Fix a couple of typos/mispellings in comments
   - dtucker@cvs.openbsd.org 2010/01/13 01:10:56
     [key.c]
     Ignore and log any Protocol 1 keys where the claimed size is not equal to
     the actual size.  Noted by Derek Martin, ok djm@
   - dtucker@cvs.openbsd.org 2010/01/13 01:20:20
     [canohost.c ssh-keysign.c sshconnect2.c]
     Make HostBased authentication work with a ProxyCommand.  bz #1569, patch
     from imorgan at nas nasa gov, ok djm@
   - djm@cvs.openbsd.org 2010/01/13 01:40:16
     [sftp.c sftp-server.c sftp.1 sftp-common.c sftp-common.h]
     support '-h' (human-readable units) for sftp's ls command, just like
     ls(1); ok dtucker@
   - djm@cvs.openbsd.org 2010/01/13 03:48:13
     [servconf.c servconf.h sshd.c]
     avoid run-time failures when specifying hostkeys via a relative
     path by prepending the cwd in these cases; bz#1290; ok dtucker@
   - djm@cvs.openbsd.org 2010/01/13 04:10:50
     [sftp.c]
     don't append a space after inserting a completion of a directory (i.e.
     a path ending in '/') for a slightly better user experience; ok dtucker@
 - (dtucker) [sftp-common.c] Wrap include of util.h in an ifdef.
 - (tim) [defines.h] openbsd-compat/readpassphrase.c now needs _NSIG. 
   feedback and ok dtucker@

20100112
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2010/01/11 01:39:46
     [ssh_config channels.c ssh.1 channels.h ssh.c]
     Add a 'netcat mode' (ssh -W).  This connects stdio on the client to a
     single port forward on the server.  This allows, for example, using ssh as
     a ProxyCommand to route connections via intermediate servers.
     bz #1618, man page help from jmc@, ok markus@
   - dtucker@cvs.openbsd.org 2010/01/11 04:46:45
     [authfile.c sshconnect2.c]
     Do not prompt for a passphrase if we fail to open a keyfile, and log the
     reason the open failed to debug.
     bz #1693, found by tj AT castaglia org, ok djm@
   - djm@cvs.openbsd.org 2010/01/11 10:51:07
     [ssh-keygen.c]
     when converting keys, truncate key comments at 72 chars as per RFC4716;
     bz#1630 reported by tj AT castaglia.org; ok markus@
   - dtucker@cvs.openbsd.org 2010/01/12 00:16:47
     [authfile.c]
     Fix bug introduced in r1.78 (incorrect brace location) that broke key auth.
     Patch from joachim joachimschipper nl.
   - djm@cvs.openbsd.org 2010/01/12 00:58:25
     [monitor_fdpass.c]
     avoid spinning when fd passing on nonblocking sockets by calling poll()
     in the EINTR/EAGAIN path, much like we do in atomicio; ok dtucker@
   - djm@cvs.openbsd.org 2010/01/12 00:59:29
     [roaming_common.c]
     delete with extreme prejudice a debug() that fired with every keypress;
     ok dtucker deraadt
   - dtucker@cvs.openbsd.org 2010/01/12 01:31:05
     [session.c]
     Do not allow logins if /etc/nologin exists but is not readable by the user
     logging in.  Noted by Jan.Pechanec at Sun, ok djm@ deraadt@
   - djm@cvs.openbsd.org 2010/01/12 01:36:08
     [buffer.h bufaux.c]
     add a buffer_get_string_ptr_ret() that does the same as
     buffer_get_string_ptr() but does not fatal() on error; ok dtucker@
   - dtucker@cvs.openbsd.org 2010/01/12 08:33:17
     [session.c]
     Add explicit stat so we reliably detect nologin with bad perms.
     ok djm markus

20100110
 - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c]
   Remove hacks add for RoutingDomain in preparation for its removal.
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2010/01/09 23:04:13
     [channels.c ssh.1 servconf.c sshd_config.5 sshd.c channels.h servconf.h
     ssh-keyscan.1 ssh-keyscan.c readconf.c sshconnect.c misc.c ssh.c
     readconf.h scp.1 sftp.1 ssh_config.5 misc.h]
     Remove RoutingDomain from ssh since it's now not needed.  It can be
     replaced with "route exec" or "nc -V" as a proxycommand.  "route exec"
     also ensures that trafic such as DNS lookups stays withing the specified
     routingdomain.  For example (from reyk):
     # route -T 2 exec /usr/sbin/sshd
     or inherited from the parent process
     $ route -T 2 exec sh
     $ ssh 10.1.2.3
     ok deraadt@ markus@ stevesk@ reyk@
   - dtucker@cvs.openbsd.org 2010/01/10 03:51:17
     [servconf.c]
     Add ChrootDirectory to sshd.c test-mode output
   - dtucker@cvs.openbsd.org 2010/01/10 07:15:56
     [auth.c]
     Output a debug if we can't open an existing keyfile.  bz#1694, ok djm@

20100109
 - (dtucker) Wrap use of IPPROTO_IPV6 in an ifdef for platforms that don't
   have it.
 - (dtucker) [defines.h] define PRIu64 for platforms that don't have it.
 - (dtucker) [roaming_client.c] Wrap inttypes.h in an ifdef.
 - (dtucker) [loginrec.c] Use the SUSv3 specified name for the user name
   when using utmpx.  Patch from Ed Schouten.
 - (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2010/01/09 00:20:26
     [sftp-server.c sftp-server.8]
     add a 'read-only' mode to sftp-server(8) that disables open in write mode
     and all other fs-modifying protocol methods. bz#430 ok dtucker@
   - djm@cvs.openbsd.org 2010/01/09 00:57:10
     [PROTOCOL]
     tweak language
   - jmc@cvs.openbsd.org 2010/01/09 03:36:00
     [sftp-server.8]
     bad place to forget a comma...
   - djm@cvs.openbsd.org 2010/01/09 05:04:24
     [mux.c sshpty.h clientloop.c sshtty.c]
     quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
     usually don't actually have a tty to read/set; bz#1686 ok dtucker@
   - dtucker@cvs.openbsd.org 2010/01/09 05:17:00
     [roaming_client.c]
     Remove a PRIu64 format string that snuck in with roaming.  ok djm@
   - dtucker@cvs.openbsd.org 2010/01/09 11:13:02
     [sftp.c]
     Prevent sftp from derefing a null pointer when given a "-" without a
     command.  Also, allow whitespace to follow a "-".  bz#1691, path from
     Colin Watson via Debian.  ok djm@ deraadt@
   - dtucker@cvs.openbsd.org 2010/01/09 11:17:56
     [sshd.c]
     Afer sshd receives a SIGHUP, ignore subsequent HUPs while sshd re-execs
     itself.  Prevents two HUPs in quick succession from resulting in sshd
     dying.  bz#1692, patch from Colin Watson via Ubuntu.
 - (dtucker) [defines.h] Remove now-undeeded PRIu64 define.

20100108
 - (dtucker) OpenBSD CVS Sync
   - andreas@cvs.openbsd.org 2009/10/24 11:11:58
     [roaming.h]
     Declarations needed for upcoming changes.
     ok markus@
   - andreas@cvs.openbsd.org 2009/10/24 11:13:54
     [sshconnect2.c kex.h kex.c]
     Let the client detect if the server supports roaming by looking
     for the resume@appgate.com kex algorithm.
     ok markus@
   - andreas@cvs.openbsd.org 2009/10/24 11:15:29
     [clientloop.c]
     client_loop() must detect if the session has been suspended and resumed,
     and take appropriate action in that case.
     From Martin Forssen, maf at appgate dot com
   - andreas@cvs.openbsd.org 2009/10/24 11:19:17
     [ssh2.h]
     Define the KEX messages used when resuming a suspended connection.
     ok markus@
   - andreas@cvs.openbsd.org 2009/10/24 11:22:37
     [roaming_common.c]
     Do the actual suspend/resume in the client. This won't be useful until
     the server side supports roaming.
     Most code from Martin Forssen, maf at appgate dot com. Some changes by
     me and markus@
     ok markus@
   - andreas@cvs.openbsd.org 2009/10/24 11:23:42
     [ssh.c]
     Request roaming to be enabled if UseRoaming is true and the server
     supports it.
     ok markus@
   - reyk@cvs.openbsd.org 2009/10/28 16:38:18
     [ssh_config.5 sshd.c misc.h ssh-keyscan.1 readconf.h sshconnect.c
     channels.c channels.h servconf.h servconf.c ssh.1 ssh-keyscan.c scp.1
     sftp.1 sshd_config.5 readconf.c ssh.c misc.c]
     Allow to set the rdomain in ssh/sftp/scp/sshd and ssh-keyscan.
     ok markus@
   - jmc@cvs.openbsd.org 2009/10/28 21:45:08
     [sshd_config.5 sftp.1]
     tweak previous;
   - djm@cvs.openbsd.org 2009/11/10 02:56:22
     [ssh_config.5]
     explain the constraints on LocalCommand some more so people don't
     try to abuse it.
   - djm@cvs.openbsd.org 2009/11/10 02:58:56
     [sshd_config.5]
     clarify that StrictModes does not apply to ChrootDirectory. Permissions
     and ownership are always checked when chrooting. bz#1532
   - dtucker@cvs.openbsd.org 2009/11/10 04:30:45
     [sshconnect2.c channels.c sshconnect.c]
     Set close-on-exec on various descriptors so they don't get leaked to
     child processes.  bz #1643, patch from jchadima at redhat, ok deraadt.
   - markus@cvs.openbsd.org 2009/11/11 21:37:03
     [channels.c channels.h]
     fix race condition in x11/agent channel allocation: don't read after
     the end of the select read/write fdset and make sure a reused FD
     is not touched before the pre-handlers are called.
     with and ok djm@
   - djm@cvs.openbsd.org 2009/11/17 05:31:44
     [clientloop.c]
     fix incorrect exit status when multiplexing and channel ID 0 is recycled
     bz#1570 reported by peter.oliver AT eon-is.co.uk; ok dtucker
   - djm@cvs.openbsd.org 2009/11/19 23:39:50
     [session.c]
     bz#1606: error when an attempt is made to connect to a server
     with ForceCommand=internal-sftp with a shell session (i.e. not a
     subsystem session). Avoids stuck client when attempting to ssh to such a
     service. ok dtucker@
   - dtucker@cvs.openbsd.org 2009/11/20 00:15:41
     [session.c]
     Warn but do not fail if stat()ing the subsystem binary fails.  This helps
     with chrootdirectory+forcecommand=sftp-server and restricted shells.
     bz #1599, ok djm.
   - djm@cvs.openbsd.org 2009/11/20 00:54:01
     [sftp.c]
     bz#1588 change "Connecting to host..." message to "Connected to host."
     and delay it until after the sftp protocol connection has been established.
     Avoids confusing sequence of messages when the underlying ssh connection
     experiences problems. ok dtucker@
   - dtucker@cvs.openbsd.org 2009/11/20 00:59:36
     [sshconnect2.c]
     Use the HostKeyAlias when prompting for passwords.  bz#1039, ok djm@
   - djm@cvs.openbsd.org 2009/11/20 03:24:07
     [misc.c]
     correct off-by-one in percent_expand(): we would fatal() when trying
     to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to actually
     work.  Note that nothing in OpenSSH actually uses close to this limit at
     present.  bz#1607 from Jan.Pechanec AT Sun.COM
   - halex@cvs.openbsd.org 2009/11/22 13:18:00
     [sftp.c]
     make passing of zero-length arguments to ssh safe by
     passing "-<switch>" "<value>" rather than "-<switch><value>"
     ok dtucker@, guenther@, djm@
   - dtucker@cvs.openbsd.org 2009/12/06 23:41:15
     [sshconnect2.c]
     zap unused variable and strlen; from Steve McClellan, ok djm
   - djm@cvs.openbsd.org 2009/12/06 23:53:45
     [roaming_common.c]
     use socklen_t for getsockopt optlen parameter; reported by
     Steve.McClellan AT radisys.com, ok dtucker@
   - dtucker@cvs.openbsd.org 2009/12/06 23:53:54
     [sftp.c]
     fix potential divide-by-zero in sftp's "df" output when talking to a server
     that reports zero files on the filesystem (Unix filesystems always have at
     least the root inode).  From Steve McClellan at radisys, ok djm@
   - markus@cvs.openbsd.org 2009/12/11 18:16:33
     [key.c]
     switch from 35 to the more common value of RSA_F4 == (2**16)+1 == 65537
     for the RSA public exponent; discussed with provos; ok djm@
   - guenther@cvs.openbsd.org 2009/12/20 07:28:36
     [ssh.c sftp.c scp.c]
     When passing user-controlled options with arguments to other programs,
     pass the option and option argument as separate argv entries and
     not smashed into one (e.g., as -l foo and not -lfoo).  Also, always
     pass a "--" argument to stop option parsing, so that a positional
     argument that starts with a '-' isn't treated as an option.  This
     fixes some error cases as well as the handling of hostnames and
     filenames that start with a '-'.
     Based on a diff by halex@
     ok halex@ djm@ deraadt@
   - djm@cvs.openbsd.org 2009/12/20 23:20:40
     [PROTOCOL]
     fix an incorrect magic number and typo in PROTOCOL; bz#1688
     report and fix from ueno AT unixuser.org
   - stevesk@cvs.openbsd.org 2009/12/25 19:40:21
     [readconf.c servconf.c misc.h ssh-keyscan.c misc.c]
     validate routing domain is in range 0-RT_TABLEID_MAX.
     'Looks right' deraadt@
   - stevesk@cvs.openbsd.org 2009/12/29 16:38:41
     [sshd_config.5 readconf.c ssh_config.5 scp.1 servconf.c sftp.1 ssh.1]
     Rename RDomain config option to RoutingDomain to be more clear and
     consistent with other options.
     NOTE: if you currently use RDomain in the ssh client or server config,
     or ssh/sshd -o, you must update to use RoutingDomain.
     ok markus@ djm@
   - jmc@cvs.openbsd.org 2009/12/29 18:03:32
     [sshd_config.5 ssh_config.5]
     sort previous;
   - dtucker@cvs.openbsd.org 2010/01/04 01:45:30
     [sshconnect2.c]
     Don't escape backslashes in the SSH2 banner.  bz#1533, patch from
     Michal Gorny via Gentoo.
   - djm@cvs.openbsd.org 2010/01/04 02:03:57
     [sftp.c]
     Implement tab-completion of commands, local and remote filenames for sftp.
     Hacked on and off for some time by myself, mouring, Carlos Silva (via 2009
     Google Summer of Code) and polished to a fine sheen by myself again.
     It should deal more-or-less correctly with the ikky corner-cases presented
     by quoted filenames, but the UI could still be slightly improved.
     In particular, it is quite slow for remote completion on large directories.
     bz#200; ok markus@
   - djm@cvs.openbsd.org 2010/01/04 02:25:15
     [sftp-server.c]
     bz#1566 don't unnecessarily dup() in and out fds for sftp-server;
     ok markus@
   - dtucker@cvs.openbsd.org 2010/01/08 21:50:49
     [sftp.c]
     Fix two warnings: possibly used unitialized and use a nul byte instead of
     NULL pointer.  ok djm@
 - (dtucker) [Makefile.in added roaming_client.c roaming_serv.c] Import new
   files for roaming and add to Makefile.
 - (dtucker) [Makefile.in] .c files do not belong in the OBJ lines.
 - (dtucker) [sftp.c] ifdef out the sftp completion bits for platforms that
   don't have libedit.
 - (dtucker) [configure.ac misc.c readconf.c servconf.c ssh-keyscan.c] Make
   RoutingDomain an unsupported option on platforms that don't have it.
 - (dtucker) [sftp.c] Expand ifdef for libedit to cover complete_is_remote
   too.
 - (dtucker) [misc.c] Move the routingdomain ifdef to allow the socket to
   be created.
 - (dtucker] [misc.c] Shrink the area covered by USE_ROUTINGDOMAIN more
   to eliminate an unused variable warning.
 - (dtucker) [roaming_serv.c] Include includes.h for u_intXX_t types.

20091226
 - (tim) [contrib/cygwin/Makefile] Install ssh-copy-id and ssh-copy-id.1
   Gzip all man pages. Patch from Corinna Vinschen.

20091221
 - (dtucker) [auth-krb5.c platform.{c,h} openbsd-compat/port-aix.{c,h}]
   Bug #1583: Use system's kerberos principal name on AIX if it's available.
   Based on a patch from and tested by Miguel Sanders 

20091208
 - (dtucker) Bug #1470: Disable OOM-killing of the listening sshd on Linux,
   based on a patch from Vaclav Ovsik and Colin Watson.  ok djm.

20091207
 - (dtucker) Bug #1160: use pkg-config for opensc config if it's available.
   Tested by Martin Paljak.
 - (dtucker) Bug #1677: add conditionals around the source for ssh-askpass.

20091121
 - (tim) [opensshd.init.in] If PidFile is set in sshd_config, use it.
   Bug 1628. OK dtucker@

20091120
 - (djm) [ssh-rand-helper.c] Print error and usage() when passed command-
   line arguments as none are supported. Exit when passed unrecognised
   commandline flags. bz#1568 from gson AT araneus.fi

20091118
 - (djm) [channels.c misc.c misc.h sshd.c] add missing setsockopt() to
   set IPV6_V6ONLY for local forwarding with GatwayPorts=yes. Unify
   setting IPV6_V6ONLY behind a new function misc.c:sock_set_v6only()
   bz#1648, report and fix from jan.kratochvil AT redhat.com
 - (djm) [contrib/gnome-ssh-askpass2.c] Make askpass dialog desktop-modal.
   bz#1645, patch from jchadima AT redhat.com

20091107
 - (dtucker) [authfile.c] Fall back to 3DES for the encryption of private
    keys when built with OpenSSL versions that don't do AES.

20091105
 - (dtucker) [authfile.c] Add OpenSSL compat header so this still builds with
   older versions of OpenSSL.

20091024
 - (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2009/10/11 23:03:15
     [hostfile.c]
     mention the host name that we are looking for in check_host_in_hostfile()
   - sobrado@cvs.openbsd.org 2009/10/17 12:10:39
     [sftp-server.c]
     sort flags.
   - sobrado@cvs.openbsd.org 2009/10/22 12:35:53
     [ssh.1 ssh-agent.1 ssh-add.1]
     use the UNIX-related macros (.At and .Ux) where appropriate.
     ok jmc@
   - sobrado@cvs.openbsd.org 2009/10/22 15:02:12
     [ssh-agent.1 ssh-add.1 ssh.1]
     write UNIX-domain in a more consistent way; while here, replace a
     few remaining ".Tn UNIX" macros with ".Ux" ones.
     pointed out by ratchov@, thanks!
     ok jmc@
   - djm@cvs.openbsd.org 2009/10/22 22:26:13
     [authfile.c]
     switch from 3DES to AES-128 for encryption of passphrase-protected
     SSH protocol 2 private keys; ok several
   - djm@cvs.openbsd.org 2009/10/23 01:57:11
     [sshconnect2.c]
     disallow a hostile server from checking jpake auth by sending an
     out-of-sequence success message. (doesn't affect code enabled by default)
   - dtucker@cvs.openbsd.org 2009/10/24 00:48:34
     [ssh-keygen.1]
     ssh-keygen now uses AES-128 for private keys
 - (dtucker) [mdoc2man.awk] Teach it to understand the .Ux macro.
 - (dtucker) [session.c openbsd-compat/port-linux.{c,h}] Bug #1637: if selinux
   is enabled set the security context to "sftpd_t" before running the
   internal sftp server   Based on a patch from jchadima at redhat.

20091011
 - (dtucker) [configure.ac sftp-client.c] Remove the gyrations required for
   dirent d_type and DTTOIF as we've switched OpenBSD to the more portable
   lstat.
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2009/10/08 14:03:41
     [sshd_config readconf.c ssh_config.5 servconf.c sshd_config.5]
     disable protocol 1 by default (after a transition period of about 10 years)
     ok deraadt
   - jmc@cvs.openbsd.org 2009/10/08 20:42:12
     [sshd_config.5 ssh_config.5 sshd.8 ssh.1]
     some tweaks now that protocol 1 is not offered by default; ok markus
   - dtucker@cvs.openbsd.org 2009/10/11 10:41:26
     [sftp-client.c]
     d_type isn't portable so use lstat to get dirent modes.  Suggested by and
     "looks sane" deraadt@
   - markus@cvs.openbsd.org 2009/10/08 18:04:27
     [regress/test-exec.sh]
     re-enable protocol v1 for the tests.

20091007
 - (dtucker) OpenBSD CVS Sync
   - djm@cvs.openbsd.org 2009/08/12 00:13:00
     [sftp.c sftp.1]
     support most of scp(1)'s commandline arguments in sftp(1), as a first
     step towards making sftp(1) a drop-in replacement for scp(1).
     One conflicting option (-P) has not been changed, pending further
     discussion.
     Patch from carlosvsilvapt@gmail.com as part of his work in the
     Google Summer of Code
  - jmc@cvs.openbsd.org 2009/08/12 06:31:42
     [sftp.1]
     sort options;
   - djm@cvs.openbsd.org 2009/08/13 01:11:19
     [sftp.1 sftp.c]
     Swizzle options: "-P sftp_server_path" moves to "-D sftp_server_path",
     add "-P port" to match scp(1). Fortunately, the -P option is only really
     used by our regression scripts.
     part of larger patch from carlosvsilvapt@gmail.com for his Google Summer
     of Code work; ok deraadt markus
   - jmc@cvs.openbsd.org 2009/08/13 13:39:54
     [sftp.1 sftp.c]
     sync synopsis and usage();
   - djm@cvs.openbsd.org 2009/08/14 18:17:49
     [sftp-client.c]
     make the "get_handle: ..." error messages vaguely useful by allowing
     callers to specify their own error message strings.
   - fgsch@cvs.openbsd.org 2009/08/15 18:56:34
     [auth.h]
     remove unused define. markus@ ok.
     (Id sync only, Portable still uses this.)
   - dtucker@cvs.openbsd.org 2009/08/16 23:29:26
     [sshd_config.5]
[--snip--]
