X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/7c6d759d3d58c93331f503a631459a5f3c0b307c..06617857197c00b4fdd0e1456bf25c82c796f4cf:/configure.ac

diff --git a/configure.ac b/configure.ac
index 3cc93650..6f07b7e3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -21,6 +21,7 @@ AC_PATH_PROGS(FILEPRIV, filepriv, true, /sbin:/usr/sbin)
 AC_PATH_PROG(TEST_MINUS_S_SH, bash)
 AC_PATH_PROG(TEST_MINUS_S_SH, ksh)
 AC_PATH_PROG(TEST_MINUS_S_SH, sh)
+AC_PATH_PROG(SH, sh)
 
 # System features
 AC_SYS_LARGEFILE
@@ -57,15 +58,27 @@ case "$host" in
 	CPPFLAGS="$CPPFLAGS -I/usr/local/include"
 	LDFLAGS="$LDFLAGS -L/usr/local/lib"
 	if (test "$LD" != "gcc" && test -z "$blibpath"); then
-		blibpath="/usr/lib:/lib:/usr/local/lib"
+		AC_MSG_CHECKING([if linkage editor ($LD) accepts -blibpath])
+		saved_LDFLAGS="$LDFLAGS"
+		LDFLAGS="$LDFLAGS -blibpath:/usr/lib:/lib:/usr/local/lib"
+		AC_TRY_LINK([],
+			[],
+			[
+				AC_MSG_RESULT(yes)
+				blibpath="/usr/lib:/lib:/usr/local/lib"
+			],
+			[ AC_MSG_RESULT(no) ]
+		)
+		LDFLAGS="$saved_LDFLAGS"
 	fi
 	AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)])
 	AC_DEFINE(BROKEN_GETADDRINFO)
+	AC_DEFINE(BROKEN_REALPATH)
 	dnl AIX handles lastlog as part of its login message
 	AC_DEFINE(DISABLE_LASTLOG)
 	;;
 *-*-cygwin*)
-	LIBS="$LIBS -lregex /usr/lib/textmode.o"
+	LIBS="$LIBS /usr/lib/textmode.o"
 	AC_DEFINE(HAVE_CYGWIN)
 	AC_DEFINE(USE_PIPES)
 	AC_DEFINE(DISABLE_SHADOW)
@@ -79,6 +92,22 @@ case "$host" in
 *-*-darwin*)
 	AC_DEFINE(BROKEN_GETADDRINFO)
 	;;
+*-*-hpux10.26)
+	if test -z "$GCC"; then
+		CFLAGS="$CFLAGS -Ae"
+	fi
+	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
+	IPADDR_IN_DISPLAY=yes
+	AC_DEFINE(HAVE_SECUREWARE)
+	AC_DEFINE(USE_PIPES)
+	AC_DEFINE(LOGIN_NO_ENDOPT)
+	AC_DEFINE(LOGIN_NEEDS_UTMPX)
+	AC_DEFINE(DISABLE_SHADOW)
+	AC_DEFINE(DISABLE_UTMP)
+	AC_DEFINE(SPT_TYPE,SPT_PSTAT)
+	LIBS="$LIBS -lxnet -lsec -lsecpw"
+	disable_ptmx_check=yes
+	;;
 *-*-hpux10*)
 	if test -z "$GCC"; then
 		CFLAGS="$CFLAGS -Ae"
@@ -86,6 +115,8 @@ case "$host" in
 	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
 	IPADDR_IN_DISPLAY=yes
 	AC_DEFINE(USE_PIPES)
+	AC_DEFINE(LOGIN_NO_ENDOPT)
+	AC_DEFINE(LOGIN_NEEDS_UTMPX)
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_DEFINE(DISABLE_UTMP)
 	AC_DEFINE(SPT_TYPE,SPT_PSTAT)
@@ -96,6 +127,8 @@ case "$host" in
 	IPADDR_IN_DISPLAY=yes
 	AC_DEFINE(PAM_SUN_CODEBASE)
 	AC_DEFINE(USE_PIPES)
+	AC_DEFINE(LOGIN_NO_ENDOPT)
+	AC_DEFINE(LOGIN_NEEDS_UTMPX)
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_DEFINE(DISABLE_UTMP)
 	AC_DEFINE(SPT_TYPE,SPT_PSTAT)
@@ -106,6 +139,7 @@ case "$host" in
 	LDFLAGS="$LDFLAGS"
 	PATH="$PATH:/usr/etc"
 	AC_DEFINE(BROKEN_INET_NTOA)
+	AC_DEFINE(WITH_ABBREV_NO_TTY)
 	;;
 *-*-irix6*)
 	CPPFLAGS="$CPPFLAGS -I/usr/local/include"
@@ -116,6 +150,7 @@ case "$host" in
 	AC_DEFINE(WITH_IRIX_AUDIT)
 	AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)])
 	AC_DEFINE(BROKEN_INET_NTOA)
+	AC_DEFINE(WITH_ABBREV_NO_TTY)
 	;;
 *-*-linux*)
 	no_dev_ptmx=1
@@ -127,9 +162,6 @@ case "$host" in
 mips-sony-bsd|mips-sony-newsos4)
 	AC_DEFINE(HAVE_NEWS4)
 	SONY=1
-	AC_CHECK_LIB(iberty, xatexit, AC_DEFINE(HAVE_XATEXIT),
-		AC_MSG_ERROR([*** libiberty missing - please install first or check config.log ***])
-        )
 	;;
 *-*-netbsd*)
 	need_dash_r=1
@@ -173,7 +205,6 @@ mips-sony-bsd|mips-sony-newsos4)
 	CPPFLAGS="$CPPFLAGS -DSUNOS4"
 	AC_CHECK_FUNCS(getpwanam)
 	AC_DEFINE(PAM_SUN_CODEBASE)
-	AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H)
 	conf_utmp_location=/etc/utmp
 	conf_wtmp_location=/var/adm/wtmp
 	conf_lastlog_location=/var/adm/lastlog
@@ -183,7 +214,7 @@ mips-sony-bsd|mips-sony-newsos4)
 	CPPFLAGS="$CPPFLAGS -I/usr/local/include"
 	LDFLAGS="$LDFLAGS -L/usr/local/lib"
 	LIBS="$LIBS -lc89"
-	AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H)
+	AC_DEFINE(USE_PIPES)
 	;;
 *-sni-sysv*)
 	CPPFLAGS="$CPPFLAGS -I/usr/local/include"
@@ -192,7 +223,6 @@ mips-sony-bsd|mips-sony-newsos4)
 	IPADDR_IN_DISPLAY=yes
 	AC_DEFINE(USE_PIPES)
 	AC_DEFINE(IP_TOS_IS_BROKEN)
-	AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H)
 	# /usr/ucblib/libucb.a no longer needed on ReliantUNIX
 	# Attention: always take care to bind libsocket and libnsl before libc,
 	# otherwise you will find lots of "SIOCGPGRP errno 22" on syslog
@@ -222,9 +252,8 @@ mips-sony-bsd|mips-sony-newsos4)
 	no_dev_ptmx=1
 	AC_DEFINE(BROKEN_SYS_TERMIO_H)
 	AC_DEFINE(USE_PIPES)
-	AC_DEFINE(HAVE_SCO_PROTECTED_PW)
+	AC_DEFINE(HAVE_SECUREWARE)
 	AC_DEFINE(DISABLE_SHADOW)
-	AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H)
 	AC_DEFINE(BROKEN_SAVED_UIDS)
 	AC_CHECK_FUNCS(getluid setluid)
 	MANTYPE=man
@@ -237,9 +266,8 @@ mips-sony-bsd|mips-sony-newsos4)
 	no_dev_ptmx=1
 	rsh_path="/usr/bin/rcmd"
 	AC_DEFINE(USE_PIPES)
-	AC_DEFINE(HAVE_SCO_PROTECTED_PW)
+	AC_DEFINE(HAVE_SECUREWARE)
 	AC_DEFINE(DISABLE_SHADOW)
-	AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H)
 	AC_CHECK_FUNCS(getluid setluid)
 	MANTYPE=man
 	;;
@@ -317,45 +345,17 @@ AC_ARG_WITH(libs,
 	]	
 )
 
-AC_ARG_WITH(pcre,
-	[  --with-pcre[[=PATH]]      Override built in regex library with pcre
-                            (optionally in PATH)],
-	[
-		case "$withval" in
-		no) ;;
-		*)
-			if test "x$withval" != "xyes"; then
-				if test -d "$withval/lib"; then
-					if test -n "${need_dash_r}"; then
-						LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
-					else
-						LDFLAGS="-L${withval}/lib ${LDFLAGS}"
-					fi
-				else
-					if test -n "${need_dash_r}"; then
-						LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
-					else
-						LDFLAGS="-L${withval} ${LDFLAGS}"
-					fi
-				fi
-				if test -d "$withval/include"; then
-					CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
-				else
-					CPPFLAGS="-I${withval} ${CPPFLAGS}"
-				fi
-			fi
-
-			AC_CHECK_HEADER(pcreposix.h,
-				AC_CHECK_LIB(pcre, pcre_info,[
-					AC_DEFINE(HAVE_LIBPCRE)
-					LIBS="$LIBS -lpcreposix -lpcre"
-					no_comp_check=yes],
-					AC_MSG_ERROR([*** unable to locate pcre library ***])),
-				AC_MSG_ERROR([*** unable to locate pcreposix.h include file ***]))
-			;;
-		esac
-	]	
-)
+# Checks for header files.
+AC_CHECK_HEADERS(bstring.h crypt.h endian.h floatingpoint.h \
+	getopt.h glob.h lastlog.h limits.h login.h \
+	login_cap.h maillock.h netdb.h netgroup.h \
+	netinet/in_systm.h paths.h pty.h \
+	rpc/types.h security/pam_appl.h shadow.h stddef.h stdint.h \
+	strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \
+	sys/mman.h sys/select.h sys/stat.h \
+	sys/stropts.h sys/sysmacros.h sys/time.h \
+	sys/un.h time.h ttyent.h usersec.h \
+	util.h utime.h utmp.h utmpx.h)
 
 # Checks for libraries.
 AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
@@ -371,10 +371,25 @@ fi
 AC_CHECK_FUNC(getspnam, ,
 	AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen"))
 
+AC_ARG_WITH(rpath,
+	[  --without-rpath         Disable auto-added -R linker paths],
+	[
+		if test "x$withval" = "xno" ; then	
+			need_dash_r=""
+		fi
+		if test "x$withval" = "xyes" ; then
+			need_dash_r=1
+		fi
+	]
+)
+
 dnl zlib is required
 AC_ARG_WITH(zlib,
 	[  --with-zlib=PATH        Use zlib in PATH],
 	[
+		if test "x$withval" = "xno" ; then
+			AC_MSG_ERROR([*** zlib is required ***])
+		fi
 		if test -d "$withval/lib"; then
 			if test -n "${need_dash_r}"; then
 				LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
@@ -398,23 +413,6 @@ AC_ARG_WITH(zlib,
 
 AC_CHECK_LIB(z, deflate, ,AC_MSG_ERROR([*** zlib missing - please install first or check config.log ***]))
 
-# We don't want to check if we did an pcre override.
-if test -z "$no_comp_check" ; then
-	AC_CHECK_FUNC(regcomp, 
-		[ AC_DEFINE(HAVE_REGCOMP)],
-		[
-			AC_CHECK_LIB(pcre, pcre_info, 
-			[
-				AC_DEFINE(HAVE_LIBPCRE)
-				LIBS="$LIBS -lpcreposix -lpcre"
-			],
-			[
-				AC_MSG_ERROR([*** No regex library found.])
-			])
-		]
-	)
-fi
-
 dnl UnixWare 2.x
 AC_CHECK_FUNC(strcasecmp, 
 	[], [ AC_CHECK_LIB(resolv, strcasecmp, LIBS="$LIBS -lresolv") ]
@@ -430,18 +428,6 @@ AC_CHECK_FUNCS(logout updwtmp logwtmp)
 
 AC_FUNC_STRFTIME
 
-# Checks for header files.
-AC_CHECK_HEADERS(bstring.h crypt.h endian.h floatingpoint.h \
-	getopt.h glob.h lastlog.h limits.h login.h \
-	login_cap.h maillock.h netdb.h netgroup.h \
-	netinet/in_systm.h paths.h poll.h pty.h regex.h \
-	security/pam_appl.h shadow.h stddef.h stdint.h \
-	strings.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h \
-	sys/poll.h sys/queue.h sys/select.h sys/stat.h \
-	sys/stropts.h sys/sysmacros.h sys/time.h \
-	sys/ttcompat.h sys/un.h time.h ttyent.h usersec.h \
-	util.h utime.h utmp.h utmpx.h)
-
 # Check for ALTDIRFUNC glob() extension
 AC_MSG_CHECKING(for GLOB_ALTDIRFUNC support)
 AC_EGREP_CPP(FOUNDIT,
@@ -507,9 +493,16 @@ AC_ARG_WITH(skey,
 			LIBS="-lskey $LIBS"
 			SKEY_MSG="yes" 
 	
-			AC_CHECK_FUNC(skey_keyinfo,
-				[],
+			AC_MSG_CHECKING([for s/key support])
+			AC_TRY_RUN(
 				[
+#include <stdio.h>
+#include <skey.h>
+int main() { char *ff = skey_keyinfo(""); ff=""; return 0; }
+				],
+				[AC_MSG_RESULT(yes)],
+				[
+					AC_MSG_RESULT(no)
 					AC_MSG_ERROR([** Incomplete or missing s/key libraries.])
 				])
 		fi
@@ -546,7 +539,8 @@ AC_ARG_WITH(tcp-wrappers,
 					CPPFLAGS="-I${withval} ${CPPFLAGS}"
 				fi
 			fi
-			LIBS="-lwrap $LIBS"
+			LIBWRAP="-lwrap"
+			LIBS="$LIBWRAP $LIBS"
 			AC_MSG_CHECKING(for libwrap)
 			AC_TRY_LINK(
 				[
@@ -557,27 +551,29 @@ AC_ARG_WITH(tcp-wrappers,
 				[
 					AC_MSG_RESULT(yes)
 					AC_DEFINE(LIBWRAP)
+					AC_SUBST(LIBWRAP)
 					TCPW_MSG="yes"
 				],
 				[
 					AC_MSG_ERROR([*** libwrap missing])
 				]
 			)
+			LIBS="$saved_LIBS"
 		fi
 	]
 )
 
 dnl    Checks for library functions.
-AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_sa \
+AC_CHECK_FUNCS(arc4random b64_ntop bcopy bindresvport_sa \
 	clock fchmod fchown freeaddrinfo futimes gai_strerror \
 	getaddrinfo getcwd getgrouplist getnameinfo getopt \
 	getrlimit getrusage getttyent glob inet_aton inet_ntoa \
 	inet_ntop innetgr login_getcapbool md5_crypt memmove \
-	mkdtemp on_exit openpty readpassphrase realpath \
-	rresvport_af setdtablesize setegid setenv seteuid \
-	setlogin setproctitle setresgid setreuid setrlimit \
-	setsid setvbuf sigaction sigvec snprintf strerror \
-	strlcat strlcpy strmode strsep sysconf tcgetpgrp utimes \
+	mkdtemp mmap ngetaddrinfo openpty ogetaddrinfo readpassphrase \
+	realpath recvmsg rresvport_af sendmsg setdtablesize setegid \
+	setenv seteuid setlogin setproctitle setresgid setreuid setrlimit \
+	setsid setvbuf sigaction sigvec snprintf socketpair strerror \
+	strlcat strlcpy strmode strsep sysconf tcgetpgrp truncate utimes \
 	vhangup vsnprintf waitpid __b64_ntop _getpty)
 
 dnl IRIX and Solaris 2.5.1 have dirname() in libgen
@@ -678,6 +674,12 @@ AC_ARG_WITH(pam,
 			PAM_MSG="yes"
 
 			AC_DEFINE(USE_PAM)
+			if test $ac_cv_lib_dl_dlopen = yes; then
+				LIBPAM="-lpam -ldl"
+			else
+				LIBPAM="-lpam"
+			fi
+			AC_SUBST(LIBPAM)
 		fi
 	]
 )
@@ -701,175 +703,276 @@ if test "x$PAM_MSG" = "xyes" ; then
 	)
 fi
 
-# The big search for OpenSSL
+# Search for OpenSSL
+saved_CPPFLAGS="$CPPFLAGS"
+saved_LDFLAGS="$LDFLAGS"
 AC_ARG_WITH(ssl-dir,
 	[  --with-ssl-dir=PATH     Specify path to OpenSSL installation ],
 	[
 		if test "x$withval" != "xno" ; then
-			tryssldir=$withval
-		fi
-	]
-)
-
-saved_LIBS="$LIBS"
-saved_LDFLAGS="$LDFLAGS"
-saved_CPPFLAGS="$CPPFLAGS"
-if test "x$prefix" != "xNONE" ; then
-	tryssldir="$tryssldir $prefix"
-fi
-AC_CACHE_CHECK([for OpenSSL directory], ac_cv_openssldir, [
-	for ssldir in $tryssldir "" /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do
-		CPPFLAGS="$saved_CPPFLAGS"
-		LDFLAGS="$saved_LDFLAGS"
-		LIBS="$saved_LIBS -lcrypto"
-		
-		# Skip directories if they don't exist
-		if test ! -z "$ssldir" -a ! -d "$ssldir" ; then
-			continue;
-		fi
-		if test ! -z "$ssldir" -a "x$ssldir" != "x/usr"; then
-			# Try to use $ssldir/lib if it exists, otherwise 
-			# $ssldir
-			if test -d "$ssldir/lib" ; then
-				LDFLAGS="-L$ssldir/lib $saved_LDFLAGS"
-				if test ! -z "$need_dash_r" ; then
-					LDFLAGS="-R$ssldir/lib $LDFLAGS"
+			if test -d "$withval/lib"; then
+				if test -n "${need_dash_r}"; then
+					LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+				else
+					LDFLAGS="-L${withval}/lib ${LDFLAGS}"
 				fi
 			else
-				LDFLAGS="-L$ssldir $saved_LDFLAGS"
-				if test ! -z "$need_dash_r" ; then
-					LDFLAGS="-R$ssldir $LDFLAGS"
+				if test -n "${need_dash_r}"; then
+					LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
+				else
+					LDFLAGS="-L${withval} ${LDFLAGS}"
 				fi
 			fi
-			# Try to use $ssldir/include if it exists, otherwise 
-			# $ssldir
-			if test -d "$ssldir/include" ; then
-				CPPFLAGS="-I$ssldir/include $saved_CPPFLAGS"
+			if test -d "$withval/include"; then
+				CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
 			else
-				CPPFLAGS="-I$ssldir $saved_CPPFLAGS"
+				CPPFLAGS="-I${withval} ${CPPFLAGS}"
 			fi
 		fi
-
-		# Basic test to check for compatible version and correct linking
-		# *does not* test for RSA - that comes later.
-		AC_TRY_RUN(
+	]
+)
+LIBS="$LIBS -lcrypto"
+AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL),
+	[
+		dnl Check default openssl install dir
+		if test -n "${need_dash_r}"; then
+			LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
+		else
+			LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
+		fi
+		CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
+		AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL),
 			[
+				AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***])
+			]
+		)
+	]
+)
+
+
+# Sanity check OpenSSL headers
+AC_MSG_CHECKING([whether OpenSSL's headers match the library])
+AC_TRY_RUN(
+	[
+#include <string.h>
+#include <openssl/opensslv.h>
+int main(void) { return(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); }
+	],
+	[
+		AC_MSG_RESULT(yes)
+	],
+	[
+		AC_MSG_RESULT(no)
+		AC_MSG_ERROR(Your OpenSSL headers do not match your library)
+	]
+)
+
+# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the 
+# version in OpenSSL. Skip this for PAM
+if test "x$PAM_MSG" = "xno" -a "x$check_for_libcrypt_later" = "x1"; then
+	AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt")
+fi
+
+
+### Configure cryptographic random number support
+
+# Check wheter OpenSSL seeds itself
+AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
+AC_TRY_RUN(
+	[
 #include <string.h>
 #include <openssl/rand.h>
-int main(void) 
-{
-	char a[2048];
-	memset(a, 0, sizeof(a));
-	RAND_add(a, sizeof(a), sizeof(a));
-	return(RAND_status() <= 0);
-}
-			],
-			[
-				found_crypto=1
-				break;
-			], []
-		)
+int main(void) { return(RAND_status() == 1 ? 0 : 1); }
+	],
+	[
+		OPENSSL_SEEDS_ITSELF=yes
+		AC_MSG_RESULT(yes)
+	],
+	[
+		AC_MSG_RESULT(no)
+		# Default to use of the rand helper if OpenSSL doesn't
+		# seed itself
+		USE_RAND_HELPER=yes
+	]
+)
 
-		if test ! -z "$found_crypto" ; then
-			break;
+
+# Do we want to force the use of the rand helper?
+AC_ARG_WITH(rand-helper,
+	[  --with-rand-helper      Use subprocess to gather strong randomness ],
+	[
+		if test "x$withval" = "xno" ; then
+			# Force use of OpenSSL's internal RNG, even if 
+			# the previous test showed it to be unseeded.
+			if test -z "$OPENSSL_SEEDS_ITSELF" ; then
+				AC_MSG_WARN([*** Forcing use of OpenSSL's non-self-seeding PRNG])
+				OPENSSL_SEEDS_ITSELF=yes
+				USE_RAND_HELPER=""
+			fi
+		else
+			USE_RAND_HELPER=yes
 		fi
-	done
+	],
+)	
 
-	if test -z "$found_crypto" ; then
-		AC_MSG_ERROR([Could not find working OpenSSL library, please install or check config.log])	
-	fi
-	if test -z "$ssldir" ; then
-		ssldir="(system)"
-	fi
+# Which randomness source do we use?
+if test ! -z "$OPENSSL_SEEDS_ITSELF" -a -z "$USE_RAND_HELPER" ; then
+	# OpenSSL only
+	AC_DEFINE(OPENSSL_PRNG_ONLY)
+	RAND_MSG="OpenSSL internal ONLY"
+	INSTALL_SSH_RAND_HELPER=""
+elif test ! -z "$USE_RAND_HELPER" ; then
+	# install rand helper
+	RAND_MSG="ssh-rand-helper"
+	INSTALL_SSH_RAND_HELPER="yes"
+fi
+AC_SUBST(INSTALL_SSH_RAND_HELPER)
 
-	ac_cv_openssldir=$ssldir
-])
+### Configuration of ssh-rand-helper
 
-if (test ! -z "$ac_cv_openssldir" && test "x$ac_cv_openssldir" != "x(system)") ; then
-	AC_DEFINE(HAVE_OPENSSL)
-	dnl Need to recover ssldir - test above runs in subshell
-	ssldir=$ac_cv_openssldir
-	if test ! -z "$ssldir" -a "x$ssldir" != "x/usr"; then
-		# Try to use $ssldir/lib if it exists, otherwise 
-		# $ssldir
-		if test -d "$ssldir/lib" ; then
-			LDFLAGS="-L$ssldir/lib $saved_LDFLAGS"
-			if test ! -z "$need_dash_r" ; then
-				LDFLAGS="-R$ssldir/lib $LDFLAGS"
+# PRNGD TCP socket
+AC_ARG_WITH(prngd-port,
+	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT],
+	[
+		case "$withval" in
+		no)
+			withval=""
+			;;
+		[[0-9]]*)
+			;;
+		*)
+			AC_MSG_ERROR(You must specify a numeric port number for --with-prngd-port)
+			;;
+		esac
+		if test ! -z "$withval" ; then
+			PRNGD_PORT="$withval"
+			AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT)
+		fi
+	]
+)
+
+# PRNGD Unix domain socket
+AC_ARG_WITH(prngd-socket,
+	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
+	[
+		case "$withval" in
+		yes)
+			withval="/var/run/egd-pool"
+			;;
+		no)
+			withval=""
+			;;
+		/*)
+			;;
+		*)
+			AC_MSG_ERROR(You must specify an absolute path to the entropy socket)
+			;;
+		esac
+
+		if test ! -z "$withval" ; then
+			if test ! -z "$PRNGD_PORT" ; then
+				AC_MSG_ERROR(You may not specify both a PRNGD/EGD port and socket)
 			fi
-		else
-			LDFLAGS="-L$ssldir $saved_LDFLAGS"
-			if test ! -z "$need_dash_r" ; then
-				LDFLAGS="-R$ssldir $LDFLAGS"
+			if test ! -r "$withval" ; then
+				AC_MSG_WARN(Entropy socket is not readable)
 			fi
+			PRNGD_SOCKET="$withval"
+			AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET")
 		fi
-		# Try to use $ssldir/include if it exists, otherwise 
-		# $ssldir
-		if test -d "$ssldir/include" ; then
-			CPPFLAGS="-I$ssldir/include $saved_CPPFLAGS"
-		else
-			CPPFLAGS="-I$ssldir $saved_CPPFLAGS"
+	],
+	[
+		# Check for existing socket only if we don't have a random device already
+		if test "$USE_RAND_HELPER" = yes ; then
+			AC_MSG_CHECKING(for PRNGD/EGD socket)
+			# Insert other locations here
+			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
+				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
+					PRNGD_SOCKET="$sock"
+					AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET")
+					break;
+				fi
+			done
+			if test ! -z "$PRNGD_SOCKET" ; then
+				AC_MSG_RESULT($PRNGD_SOCKET)
+			else
+				AC_MSG_RESULT(not found)
+			fi
 		fi
-	fi
-fi
-LIBS="$saved_LIBS -lcrypto"
+	]
+)
 
-# Now test RSA support
-saved_LIBS="$LIBS"
-AC_MSG_CHECKING([for RSA support])
-for WANTS_RSAREF in "" 1 ; do
-	if test -z "$WANTS_RSAREF" ; then
-		LIBS="$saved_LIBS"
-	else
-		LIBS="$saved_LIBS -lRSAglue -lrsaref"
-	fi
-	AC_TRY_RUN([
-#include <string.h>
-#include <openssl/rand.h>
-#include <openssl/rsa.h>
-#include <openssl/bn.h>
-#include <openssl/sha.h>
-int main(void) 
-{
-	int num; RSA *key; static unsigned char p_in[] = "blahblah";
-	unsigned char c[256], p[256];
-	memset(c, 0, sizeof(c)); RAND_add(c, sizeof(c), sizeof(c));
-	if ((key=RSA_generate_key(512, 3, NULL, NULL))==NULL) return(1);
-	num = RSA_public_encrypt(sizeof(p_in) - 1, p_in, c, key, RSA_PKCS1_PADDING);
-	return(-1 == RSA_private_decrypt(num, c, p, key, RSA_PKCS1_PADDING));
-}
-	],
+# Change default command timeout for hashing entropy source
+entropy_timeout=200
+AC_ARG_WITH(entropy-timeout,
+	[  --with-entropy-timeout  Specify entropy gathering command timeout (msec)],
 	[
-		rsa_works=1
-		break;
-	], [])
-done
-LIBS="$saved_LIBS"
-
-if test ! -z "$no_rsa" ; then
-	AC_MSG_RESULT(disabled)
-	RSA_MSG="disabled"
-else
-	if test -z "$rsa_works" ; then
-		AC_MSG_WARN([*** No RSA support found *** ])
-		RSA_MSG="no"
-	else
-		if test -z "$WANTS_RSAREF" ; then
-			AC_MSG_RESULT(yes)
-			RSA_MSG="yes"
-		else
-			RSA_MSG="yes (using RSAref)"
-			AC_MSG_RESULT(using RSAref)
-			LIBS="$LIBS -lcrypto -lRSAglue -lrsaref"
+		if test "x$withval" != "xno" ; then
+			entropy_timeout=$withval
 		fi
+	]	
+)
+AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout)
+
+ssh_privsep_user=sshd
+AC_ARG_WITH(privsep-user,
+	[  --with-privsep-user     Specify non-privileged user for privilege separation],
+	[
+		if test -n "$withval"; then
+			ssh_privsep_user=$withval
+		fi
+	]	
+)
+AC_DEFINE_UNQUOTED(SSH_PRIVSEP_USER, "$ssh_privsep_user")
+
+# We do this little dance with the search path to insure
+# that programs that we select for use by installed programs
+# (which may be run by the super-user) come from trusted
+# locations before they come from the user's private area.
+# This should help avoid accidentally configuring some
+# random version of a program in someone's personal bin.
+
+OPATH=$PATH
+PATH=/bin:/usr/bin
+test -h /bin 2> /dev/null && PATH=/usr/bin
+test -d /sbin && PATH=$PATH:/sbin
+test -d /usr/sbin && PATH=$PATH:/usr/sbin
+PATH=$PATH:/etc:$OPATH
+
+# These programs are used by the command hashing source to gather entropy 
+OSSH_PATH_ENTROPY_PROG(PROG_LS, ls)
+OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat)
+OSSH_PATH_ENTROPY_PROG(PROG_ARP, arp)
+OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig)
+OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat)
+OSSH_PATH_ENTROPY_PROG(PROG_PS, ps)
+OSSH_PATH_ENTROPY_PROG(PROG_SAR, sar)
+OSSH_PATH_ENTROPY_PROG(PROG_W, w)
+OSSH_PATH_ENTROPY_PROG(PROG_WHO, who)
+OSSH_PATH_ENTROPY_PROG(PROG_LAST, last)
+OSSH_PATH_ENTROPY_PROG(PROG_LASTLOG, lastlog)
+OSSH_PATH_ENTROPY_PROG(PROG_DF, df)
+OSSH_PATH_ENTROPY_PROG(PROG_VMSTAT, vmstat)
+OSSH_PATH_ENTROPY_PROG(PROG_UPTIME, uptime)
+OSSH_PATH_ENTROPY_PROG(PROG_IPCS, ipcs)
+OSSH_PATH_ENTROPY_PROG(PROG_TAIL, tail)
+# restore PATH
+PATH=$OPATH
+
+# Where does ssh-rand-helper get its randomness from?
+INSTALL_SSH_PRNG_CMDS=""
+if test ! -z "$INSTALL_SSH_RAND_HELPER" ; then
+	if test ! -z "$PRNGD_PORT" ; then
+		RAND_HELPER_MSG="TCP localhost:$PRNGD_PORT"
+	elif test ! -z "$PRNGD_SOCKET" ; then
+		RAND_HELPER_MSG="Unix domain socket \"$PRNGD_SOCKET\""
+	else
+		RAND_HELPER_MSG="Command hashing (timeout $entropy_timeout)"
+		RAND_HELPER_CMDHASH=yes
+		INSTALL_SSH_PRNG_CMDS="yes"
 	fi
 fi
+AC_SUBST(INSTALL_SSH_PRNG_CMDS)
 
-# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the 
-# version in OpenSSL. Skip this for PAM
-if test "x$PAM_MSG" = "xno" -a "x$check_for_libcrypt_later" = "x1"; then
-	AC_CHECK_LIB(crypt, crypt, LIBS="$LIBS -lcrypt")
-fi
 
 # Cheap hack to ensure NEWS-OS libraries are arranged right.
 if test ! -z "$SONY" ; then
@@ -883,6 +986,11 @@ AC_CHECK_SIZEOF(int, 4)
 AC_CHECK_SIZEOF(long int, 4)
 AC_CHECK_SIZEOF(long long int, 8)
 
+# Sanity check long long for some platforms (AIX)
+if test "x$ac_cv_sizeof_long_long_int" = "x4" ; then
+	ac_cv_sizeof_long_long_int=0
+fi
+
 # More checks for data types
 AC_CACHE_CHECK([for u_int type], ac_cv_have_u_int, [
 	AC_TRY_COMPILE(
@@ -951,6 +1059,19 @@ if test -z "$have_int64_t" ; then
 	)
 fi
 
+if test -z "$have_int64_t" ; then
+    AC_MSG_CHECKING([for int64_t type in sys/bitypes.h])
+	AC_TRY_COMPILE(
+		[ #include <sys/bitypes.h> ], 
+		[ int64_t a; a = 1],
+		[
+			AC_DEFINE(HAVE_INT64_T)
+			AC_MSG_RESULT(yes)
+		],
+		[ AC_MSG_RESULT(no) ]
+	)
+fi
+
 AC_CACHE_CHECK([for u_intXX_t types], ac_cv_have_u_intxx_t, [
 	AC_TRY_COMPILE(
 		[ #include <sys/types.h> ], 
@@ -990,6 +1111,19 @@ if test "x$ac_cv_have_u_int64_t" = "xyes" ; then
 	have_u_int64_t=1
 fi
 
+if test -z "$have_u_int64_t" ; then
+    AC_MSG_CHECKING([for u_int64_t type in sys/bitypes.h])
+	AC_TRY_COMPILE(
+		[ #include <sys/bitypes.h> ], 
+		[ u_int64_t a; a = 1],
+		[
+			AC_DEFINE(HAVE_U_INT64_T)
+			AC_MSG_RESULT(yes)
+		],
+		[ AC_MSG_RESULT(no) ]
+	)
+fi
+
 if test -z "$have_u_intxx_t" ; then
 	AC_CACHE_CHECK([for uintXX_t types], ac_cv_have_uintxx_t, [
 		AC_TRY_COMPILE(
@@ -1058,6 +1192,8 @@ fi
 
 TYPE_SOCKLEN_T
 
+AC_CHECK_TYPES(sig_atomic_t,,,[#include <signal.h>])
+
 AC_CACHE_CHECK([for size_t], ac_cv_have_size_t, [
 	AC_TRY_COMPILE(
 		[
@@ -1363,6 +1499,40 @@ if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then
 	AC_DEFINE(HAVE_PW_CHANGE_IN_PASSWD)
 fi
 
+AC_CACHE_CHECK([for msg_accrights field in struct msghdr],
+		ac_cv_have_accrights_in_msghdr, [
+	AC_TRY_COMPILE(
+		[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/uio.h>
+		],
+		[ struct msghdr m; m.msg_accrights = 0; ],
+		[ ac_cv_have_accrights_in_msghdr="yes" ],
+		[ ac_cv_have_accrights_in_msghdr="no" ]
+	)
+])
+if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then
+	AC_DEFINE(HAVE_ACCRIGHTS_IN_MSGHDR)
+fi
+
+AC_CACHE_CHECK([for msg_control field in struct msghdr],
+		ac_cv_have_control_in_msghdr, [
+	AC_TRY_COMPILE(
+		[
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/uio.h>
+		],
+		[ struct msghdr m; m.msg_control = 0; ],
+		[ ac_cv_have_control_in_msghdr="yes" ],
+		[ ac_cv_have_control_in_msghdr="no" ]
+	)
+])
+if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then
+	AC_DEFINE(HAVE_CONTROL_IN_MSGHDR)
+fi
+
 AC_CACHE_CHECK([if libc defines __progname], ac_cv_libc_defines___progname, [
 	AC_TRY_LINK([], 
 		[ extern char *__progname; printf("%s", __progname); ], 
@@ -1374,6 +1544,32 @@ if test "x$ac_cv_libc_defines___progname" = "xyes" ; then
 	AC_DEFINE(HAVE___PROGNAME)
 fi
 
+AC_CACHE_CHECK([whether $CC implements __FUNCTION__], ac_cv_cc_implements___FUNCTION__, [
+	AC_TRY_LINK([
+#include <stdio.h>
+], 
+		[ printf("%s", __FUNCTION__); ], 
+		[ ac_cv_cc_implements___FUNCTION__="yes" ],
+		[ ac_cv_cc_implements___FUNCTION__="no" ]
+	)
+])
+if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then
+	AC_DEFINE(HAVE___FUNCTION__)
+fi
+
+AC_CACHE_CHECK([whether $CC implements __func__], ac_cv_cc_implements___func__, [
+	AC_TRY_LINK([
+#include <stdio.h>
+], 
+		[ printf("%s", __func__); ], 
+		[ ac_cv_cc_implements___func__="yes" ],
+		[ ac_cv_cc_implements___func__="no" ]
+	)
+])
+if test "x$ac_cv_cc_implements___func__" = "xyes" ; then
+	AC_DEFINE(HAVE___func__)
+fi
+
 AC_CACHE_CHECK([whether getopt has optreset support],
 		ac_cv_have_getopt_optreset, [
 	AC_TRY_LINK(
@@ -1412,11 +1608,11 @@ if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then
 	AC_DEFINE(HAVE_SYS_NERR)
 fi
 
-
-# Check whether user wants Kerberos support
 SCARD_MSG="no" 
-AC_ARG_WITH(smartcard,
-	[  --with-smartcard        Enable smartcard support],
+
+# Check whether user wants sectok support
+AC_ARG_WITH(sectok,
+	[  --with-sectok           Enable smartcard support using libsectok],
 	[
 		if test "x$withval" != "xno" ; then
 			if test "x$withval" != "xyes" ; then
@@ -1438,12 +1634,70 @@ AC_ARG_WITH(smartcard,
 				AC_MSG_ERROR(Can't find libsectok)
 			fi
 			AC_DEFINE(SMARTCARD)
-			SCARD_MSG="yes" 
+			AC_DEFINE(USE_SECTOK)
+			SCARD_MSG="yes, using sectok" 
 		fi
 	]
 )
 
-# Check whether user wants Kerberos support
+# Check whether user wants OpenSC support
+AC_ARG_WITH(opensc,
+	AC_HELP_STRING([--with-opensc=PFX],
+		       [Enable smartcard support using OpenSC]),
+	opensc_config_prefix="$withval", opensc_config_prefix="")
+if test x$opensc_config_prefix != x ; then
+  OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config
+  AC_PATH_PROG(OPENSC_CONFIG, opensc-config, no)
+  if test "$OPENSC_CONFIG" != "no"; then
+    LIBOPENSC_CFLAGS=`$OPENSC_CONFIG --cflags`
+    LIBOPENSC_LIBS=`$OPENSC_CONFIG --libs`
+    CPPFLAGS="$CPPFLAGS $LIBOPENSC_CFLAGS"
+    LDFLAGS="$LDFLAGS $LIBOPENSC_LIBS"
+    AC_DEFINE(SMARTCARD)
+    AC_DEFINE(USE_OPENSC)
+    SCARD_MSG="yes, using OpenSC" 
+  fi
+fi
+
+# Check whether user wants Kerberos 5 support
+KRB5_MSG="no" 
+AC_ARG_WITH(kerberos5,
+        [  --with-kerberos5=PATH   Enable Kerberos 5 support],
+        [
+                if test "x$withval" != "xno" ; then
+                        if test "x$withval" = "xyes" ; then
+                                KRB5ROOT="/usr/local"
+                        else
+                                KRB5ROOT=${withval}
+                        fi
+			CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include"
+                        LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib"
+                        AC_DEFINE(KRB5)
+			KRB5_MSG="yes"
+                        AC_MSG_CHECKING(whether we are using Heimdal)
+                        AC_TRY_COMPILE([ #include <krb5.h> ],
+                                       [ char *tmp = heimdal_version; ],
+                                       [ AC_MSG_RESULT(yes)
+                                         AC_DEFINE(HEIMDAL)
+                                         K5LIBS="-lkrb5 -ldes -lcom_err -lasn1 -lroken"
+                                       ],
+                                       [ AC_MSG_RESULT(no)
+                                         K5LIBS="-lkrb5 -lk5crypto -lcom_err"
+                                       ]
+                        )
+                        if test ! -z "$need_dash_r" ; then
+                                LDFLAGS="$LDFLAGS -R${KRB5ROOT}/lib"
+                        fi
+                        if test ! -z "$blibpath" ; then
+                                blibpath="$blibpath:${KRB5ROOT}/lib"
+                        fi
+                        AC_CHECK_LIB(resolv, dn_expand, , )
+
+                        KRB5=yes
+                fi
+        ]
+)
+# Check whether user wants Kerberos 4 support
 KRB4_MSG="no" 
 AC_ARG_WITH(kerberos4,
 	[  --with-kerberos4=PATH   Enable Kerberos 4 support],
@@ -1523,7 +1777,7 @@ AC_ARG_WITH(afs,
 		fi
 	]
 )
-LIBS="$LIBS $KLIBS"
+LIBS="$LIBS $KLIBS $K5LIBS"
 
 # Looking for programs, paths and files
 AC_ARG_WITH(rsh,
@@ -1572,12 +1826,14 @@ if test ! -z "$MAIL" ; then
 fi
 
 if test -z "$no_dev_ptmx" ; then
-	AC_CHECK_FILE("/dev/ptmx", 
-		[
-			AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX)
-			have_dev_ptmx=1
-		]
-	)
+	if test "x$disable_ptmx_check" != "xyes" ; then
+		AC_CHECK_FILE("/dev/ptmx", 
+			[
+				AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX)
+				have_dev_ptmx=1
+			]
+		)
+	fi
 fi
 AC_CHECK_FILE("/dev/ptc", 
 	[
@@ -1587,97 +1843,6 @@ AC_CHECK_FILE("/dev/ptc",
 )
 
 # Options from here on. Some of these are preset by platform above
-
-# Check for user-specified random device, otherwise check /dev/urandom
-AC_ARG_WITH(random,
-	[  --with-random=FILE      read entropy from FILE (default=/dev/urandom)],
-	[
-		if test "x$withval" != "xno" ; then
-			RANDOM_POOL="$withval";
-			AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL")
-		fi
-	],
-	[
-		# Check for random device
-		AC_CHECK_FILE("/dev/urandom",
-			[
-				RANDOM_POOL="/dev/urandom"; 
-				AC_SUBST(RANDOM_POOL)
-				AC_DEFINE_UNQUOTED(RANDOM_POOL, "$RANDOM_POOL")
-			]
-		)
-	]
-)
-
-# Check for PRNGD/EGD pool file
-AC_ARG_WITH(prngd-port,
-	[  --with-prngd-port=PORT  read entropy from PRNGD/EGD localhost:PORT],
-	[
-		if test ! -z "$withval" -a "x$withval" != "xno" ; then
-			PRNGD_PORT="$withval"
-			AC_DEFINE_UNQUOTED(PRNGD_PORT, $PRNGD_PORT)
-		fi
-	]
-)
-
-# Check for PRNGD/EGD pool file
-AC_ARG_WITH(prngd-socket,
-	[  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)],
-	[
-		if test "x$withval" != "xno" ; then
-			PRNGD_SOCKET="$withval"
-			AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET")
-		fi
-	],
-	[
-		# Check for existing socket only if we don't have a random device already
-		if test -z "$RANDOM_POOL" ; then
-			AC_MSG_CHECKING(for PRNGD/EGD socket)
-			# Insert other locations here
-			for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do
-				if test -r $sock && $TEST_MINUS_S_SH -c "test -S $sock -o -p $sock" ; then
-					PRNGD_SOCKET="$sock"
-					AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET")
-					break;
-				fi
-			done
-			if test ! -z "$PRNGD_SOCKET" ; then
-				AC_MSG_RESULT($PRNGD_SOCKET)
-			else
-				AC_MSG_RESULT(not found)
-			fi
-		fi
-	]
-)
-
-
-# detect pathnames for entropy gathering commands, if we need them
-INSTALL_SSH_PRNG_CMDS=""
-rm -f prng_commands
-if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then
-	# Use these commands to collect entropy
-	OSSH_PATH_ENTROPY_PROG(PROG_LS, ls)
-	OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat)
-	OSSH_PATH_ENTROPY_PROG(PROG_ARP, arp)
-	OSSH_PATH_ENTROPY_PROG(PROG_IFCONFIG, ifconfig)
-	OSSH_PATH_ENTROPY_PROG(PROG_JSTAT, jstat)
-	OSSH_PATH_ENTROPY_PROG(PROG_PS, ps)
-	OSSH_PATH_ENTROPY_PROG(PROG_SAR, sar)
-	OSSH_PATH_ENTROPY_PROG(PROG_W, w)
-	OSSH_PATH_ENTROPY_PROG(PROG_WHO, who)
-	OSSH_PATH_ENTROPY_PROG(PROG_LAST, last)
-	OSSH_PATH_ENTROPY_PROG(PROG_LASTLOG, lastlog)
-	OSSH_PATH_ENTROPY_PROG(PROG_DF, df)
-	OSSH_PATH_ENTROPY_PROG(PROG_VMSTAT, vmstat)
-	OSSH_PATH_ENTROPY_PROG(PROG_UPTIME, uptime)
-	OSSH_PATH_ENTROPY_PROG(PROG_IPCS, ipcs)
-	OSSH_PATH_ENTROPY_PROG(PROG_TAIL, tail)
-
-	INSTALL_SSH_PRNG_CMDS="yes"
-fi
-AC_SUBST(INSTALL_SSH_PRNG_CMDS)
-
-
 AC_ARG_WITH(mantype,
 	[  --with-mantype=man|cat|doc  Set man page type],
 	[
@@ -1768,17 +1933,28 @@ else
 	)
 fi
 
+dnl BSD systems use /etc/login.conf so --with-default-path= has no effect
+if test $ac_cv_func_login_getcapbool = "yes" -a \
+	$ac_cv_header_login_cap_h = "yes" ; then
+	USES_LOGIN_CONF=yes
+fi
 # Whether to mess with the default path
 SERVER_PATH_MSG="(default)" 
 AC_ARG_WITH(default-path,
 	[  --with-default-path=PATH Specify default \$PATH environment for server],
 	[
-		if test "x$withval" != "xno" ; then	
+		if test "$USES_LOGIN_CONF" = "yes" ; then
+			AC_MSG_WARN([
+--with-default-path=PATH has no effect on this system.
+Edit /etc/login.conf instead.])
+		elif test "x$withval" != "xno" ; then	
 			user_path="$withval"
 			SERVER_PATH_MSG="$withval" 
 		fi
 	],
-	[
+	[ if test "$USES_LOGIN_CONF" = "yes" ; then
+	AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf])
+	else
 	AC_TRY_RUN(
 		[
 /* find out what STDPATH is */
@@ -1828,10 +2004,25 @@ main()
 				AC_MSG_RESULT(Adding $t_bindir to USER_PATH so scp will work)
 			fi
 		fi
+	fi ]
+)
+if test "$USES_LOGIN_CONF" != "yes" ; then
+	AC_DEFINE_UNQUOTED(USER_PATH, "$user_path")
+	AC_SUBST(user_path)
+fi
+
+# Set superuser path separately to user path
+MD5_MSG="no" 
+AC_ARG_WITH(superuser-path,
+	[  --with-superuser-path=  Specify different path for super-user],
+	[
+		if test "x$withval" != "xno" ; then
+			AC_DEFINE_UNQUOTED(SUPERUSER_PATH, "$withval")
+			superuser_path=$withval
+		fi
 	]
 )
-AC_DEFINE_UNQUOTED(USER_PATH, "$user_path")
-AC_SUBST(user_path)
+
 
 # Whether to force IPv4 by default (needed on broken glibc Linux)
 IPV4_HACK_MSG="no" 
@@ -1869,12 +2060,13 @@ AC_ARG_WITH(4in6,
 )
 
 # Whether to enable BSD auth support
+BSD_AUTH_MSG=no
 AC_ARG_WITH(bsd-auth,
 	[  --with-bsd-auth         Enable BSD auth support],
 	[
 		if test "x$withval" != "xno" ; then	
 			AC_DEFINE(BSD_AUTH)
-			bsd_auth=yes
+			BSD_AUTH_MSG=yes
 		fi
 	]
 )
@@ -1900,23 +2092,26 @@ AC_SUBST(SSHMODE)
 
 # Where to place sshd.pid
 piddir=/var/run
+# make sure the directory exists
+if test ! -d $piddir ; then	
+	piddir=`eval echo ${sysconfdir}`
+	case $piddir in
+ 		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
+	esac
+fi
+
 AC_ARG_WITH(pid-dir,
 	[  --with-pid-dir=PATH     Specify location of ssh.pid file],
 	[
 		if test "x$withval" != "xno" ; then	
 			piddir=$withval
+			if test ! -d $piddir ; then	
+			AC_MSG_WARN([** no $piddir directory on this system **])
+			fi
 		fi
 	]
 )
 
-# make sure the directory exists
-if test ! -d $piddir ; then	
-	piddir=`eval echo ${sysconfdir}`
-	case $piddir in
- 		NONE/*) piddir=`echo $piddir | sed "s~NONE~$ac_default_prefix~"` ;;
-	esac
-fi
-
 AC_DEFINE_UNQUOTED(_PATH_SSH_PIDDIR, "$piddir")
 AC_SUBST(piddir)
 
@@ -2141,44 +2336,25 @@ else
 fi	
 
 
-# Change default command timeout for builtin PRNG
-entropy_timeout=200
-AC_ARG_WITH(entropy-timeout,
-	[  --with-entropy-timeout  Specify entropy gathering command timeout (msec)],
-	[
-		if test "x$withval" != "xno" ; then
-			entropy_timeout=$withval
-		fi
-	]	
-)
-AC_DEFINE_UNQUOTED(ENTROPY_TIMEOUT_MSEC, $entropy_timeout)
-
-
 if test ! -z "$blibpath" ; then
 	LDFLAGS="$LDFLAGS -blibpath:$blibpath"
 	AC_MSG_WARN([Please check and edit -blibpath in LDFLAGS in Makefile])
 fi
 
-AC_EXEEXT
+dnl remove pam and dl because they are in $LIBPAM
+if test "$PAM_MSG" = yes ; then
+	LIBS=`echo $LIBS | sed 's/-lpam //'`
+fi
+if test "$ac_cv_lib_pam_pam_set_item" = yes ; then
+	LIBS=`echo $LIBS | sed 's/-ldl //'`
+fi
 
+AC_EXEEXT
 AC_CONFIG_FILES([Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds])
 AC_OUTPUT
 
 # Print summary of options
 
-if test ! -z "$RANDOM_POOL" ; then
-	RAND_MSG="Device ($RANDOM_POOL)"
-else
-	if test ! -z "$PRNGD_PORT" ; then
-		RAND_MSG="PRNGD/EGD (port localhost:$PRNGD_PORT)"
-	elif test ! -z "$PRNGD_SOCKET" ; then
-		RAND_MSG="PRNGD/EGD (socket $PRNGD_SOCKET)"
-	else
-		RAND_MSG="Builtin (timeout $entropy_timeout)"
-		BUILTIN_RNG=1
-	fi
-fi
-
 # Someone please show me a better way :)
 A=`eval echo ${prefix}` ; A=`eval echo ${A}`
 B=`eval echo ${bindir}` ; B=`eval echo ${B}`
@@ -2188,6 +2364,7 @@ E=`eval echo ${libexecdir}/ssh-askpass` ; E=`eval echo ${E}`
 F=`eval echo ${mandir}/${mansubdir}X` ; F=`eval echo ${F}`
 G=`eval echo ${piddir}` ; G=`eval echo ${G}`
 H=`eval echo ${user_path}` ; H=`eval echo ${H}`
+I=`eval echo ${superuser_path}` ; I=`eval echo ${I}`
 
 echo ""
 echo "OpenSSH has been configured with the following options:"
@@ -2197,11 +2374,18 @@ echo "           Configuration files: $D"
 echo "               Askpass program: $E"
 echo "                  Manual pages: $F"
 echo "                      PID file: $G"
+if test "$USES_LOGIN_CONF" = "yes" ; then
+echo "        At runtime, sshd will use the path defined in /etc/login.conf"
+else
 echo "        sshd default user PATH: $H"
-echo "      Random number collection: $RAND_MSG"
+fi
+if test ! -z "$superuser_path" ; then
+echo "      sshd superuser user PATH: $I"
+fi
 echo "                Manpage format: $MANTYPE"
 echo "                   PAM support: ${PAM_MSG}"
 echo "            KerberosIV support: $KRB4_MSG"
+echo "             KerberosV support: $KRB5_MSG"
 echo "             Smartcard support: $SCARD_MSG"
 echo "                   AFS support: $AFS_MSG"
 echo "                 S/KEY support: $SKEY_MSG"
@@ -2210,9 +2394,10 @@ echo "          MD5 password support: $MD5_MSG"
 echo "   IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
 echo "      Use IPv4 by default hack: $IPV4_HACK_MSG"
 echo "       Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
-
-if test ! -z "$bsd_auth"; then
-	echo "              BSD Auth support: yes"
+echo "              BSD Auth support: $BSD_AUTH_MSG"
+echo "          Random number source: $RAND_MSG"
+if test ! -z "$USE_RAND_HELPER" ; then
+	echo " ssh-rand-helper collects from: $RAND_HELPER_MSG"
 fi
 
 echo ""
@@ -2222,27 +2407,29 @@ echo "          Compiler: ${CC}"
 echo "    Compiler flags: ${CFLAGS}"
 echo "Preprocessor flags: ${CPPFLAGS}"
 echo "      Linker flags: ${LDFLAGS}"
-echo "         Libraries: ${LIBS}"
+echo "         Libraries: ${LIBWRAP} ${LIBPAM} ${LIBS}"
 
 echo ""
 
 if test "x$PAM_MSG" = "xyes" ; then
-	echo "PAM is enabled. You may need to install a PAM control file for sshd,"
-	echo "otherwise password authentication may fail. Example PAM control files"
-	echo "can be found in the contrib/ subdirectory"
+	echo "PAM is enabled. You may need to install a PAM control file "
+	echo "for sshd, otherwise password authentication may fail. "
+	echo "Example PAM control files can be found in the contrib/ " 
+	echo "subdirectory"
 	echo ""
 fi
 
-if test ! -z "$BUILTIN_RNG" ; then
-	echo "WARNING: you are using the builtin random number collection service."
-	echo "Please read WARNING.RNG and request that your OS vendor includes"
-	echo "/dev/random in future versions of their OS."
+if test ! -z "$NO_SFTP"; then
+	echo "sftp-server will be disabled.  Your compiler does not "
+	echo "support 64bit integers."
 	echo ""
 fi
 
-if test ! -z "$NO_SFTP"; then
-	echo "sftp-server will be disabled.  Your compiler does not support"
-	echo "64bit integers."
+if test ! -z "$RAND_HELPER_CMDHASH" ; then
+	echo "WARNING: you are using the builtin random number collection "
+	echo "service. Please read WARNING.RNG and request that your OS "
+	echo "vendor includes kernel-based random number collection in "
+	echo "future versions of your OS."
 	echo ""
 fi