Import Maemo changes from 0.52-2

Taken from source tarball http://maemo.org/packages/source/view/fremantle_extras-devel_free_source/dropbear/0.52-2/
2025-06-26 18:17:32 +00:00 · 2022-09-23 18:38:58 +08:00
59 changed files with 3558 additions and 4978 deletions
--- a/.github/workflows/autoconf.yml
+++ b/.github/workflows/autoconf.yml
@@ -8,7 +8,7 @@ on:
      - master
 jobs:
  autoconf:
-    runs-on: 'ubuntu-22.04'
+    runs-on: 'ubuntu-20.04'
    steps:
      - name: deps
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -9,7 +9,7 @@ on:
      - master
 jobs:
  build:
-    runs-on: ${{ matrix.os || 'ubuntu-22.04' }}
+    runs-on: ${{ matrix.os || 'ubuntu-20.04' }}
    strategy:
      matrix:
        # XXX uncomment the line below to work with act, see https://github.com/nektos/act/issues/996
@@ -50,12 +50,11 @@ jobs:
          - name: c89
            extracflags: -std=c89 -Wdeclaration-after-statement
-          - name: macos 12
+          - name: macos 10.15
-            os: macos-12
+            os: macos-10.15
            cc: clang
-            # OS X says daemon() and utmp are deprecated.
+            # OS X says daemon() and utmp are deprecated
-            # OS X tests for undefined TARGET_OS_EMBEDDED in libc headers
+            extracflags: -Wno-deprecated-declarations
            extracflags: -Wno-deprecated-declarations -Wno-undef
            runcheck: 'no'
            apt: 'no'
            # fails with:
@@ -65,7 +64,7 @@ jobs:
          - name: macos 11
            os: macos-11
            cc: clang
-            extracflags: -Wno-deprecated-declarations -Wno-undef
+            extracflags: -Wno-deprecated-declarations
            runcheck: 'no'
            apt: 'no'
            ranlib: ranlib -no_warning_for_no_symbols
@@ -75,11 +74,6 @@ jobs:
            localoptions: |
              #define DEBUG_TRACE 5
          # Check off-by-default options don't bitrot
          - name: nondefault options
            nondefault: 1
            configure_flags: --enable-pam
          # # Fuzzers run standalone. A bit superfluous with cifuzz, but
          # # good to run the whole corpus to keep it working.
          # - name: fuzzing with address sanitizer
@@ -121,7 +115,7 @@ jobs:
        if: ${{ matrix.apt != 'no' }}
        run: |
          sudo apt-get -y update
-          sudo apt-get -y install zlib1g-dev libtomcrypt-dev libtommath-dev mercurial python3-venv libpam0g-dev $CC
+          sudo apt-get -y install zlib1g-dev libtomcrypt-dev libtommath-dev mercurial python3-venv $CC
      - uses: actions/checkout@v2
@@ -135,19 +129,8 @@ jobs:
      - name: localoptions
        run: |
          echo "$LOCALOPTIONS" > localoptions.h
          echo "#define DROPBEAR_DSS 1" >> localoptions.h
          cat localoptions.h
      - name: nondefault
        if: ${{ matrix.nondefault }}
        run: |
          # Turn on anything that's off by default. Rough but seems sufficient
          grep ' 0$' default_options.h | sed 's/0$/1/' > localoptions.h
          # PAM clashes with password
          echo "#define DROPBEAR_SVR_PASSWORD_AUTH 0" >> localoptions.h
          # 1 second timeout is too short
          sed -i "s/DEFAULT_IDLE_TIMEOUT 1/DEFAULT_IDLE_TIMEOUT 99/" localoptions.h
      - name: make
        run: make -j3
--- a/.github/workflows/tarball.yml
+++ b/.github/workflows/tarball.yml
@@ -5,7 +5,7 @@ on:
      - master
 jobs:
  tarball:
-    runs-on: 'ubuntu-22.04'
+    runs-on: 'ubuntu-20.04'
    steps:
      - uses: actions/checkout@v2
--- a/116
+++ b/116
@@ -1,108 +1,3 @@
 2022.83 - 14 November 2022
 Features and Changes:
  Note >> for compatibility/configuration changes
 - >> Disable DROPBEAR_DSS by default
  It is only 1024 bit and uses sha1, most distros disable it by default already.
 - Added DROPBEAR_RSA_SHA1 option to allow disabling sha1 rsa signatures.
  >> RSA with sha1 will be disabled in a future release (rsa keys will continue
  to work OK, with sha256 signatures used instead).
 - Add option for requiring both password and pubkey (-t)
  Patch from Jackkal
 - Add 'no-touch-required' and 'verify-required' options for sk keys
  Patch from Egor Duda
  - >> DROPBEAR_SK_KEYS config option now replaces separate DROPBEAR_SK_ECDSA
  and DROPBEAR_SK_ED25519 options.
 - Add 'permitopen' option for authorized_keys to restrict forwarded ports
  Patch from Tuomas Haikarainen
 - >> Added LTM_CFLAGS configure argument to set flags for building
  bundled libtommath. This also restores the previous arguments used
  in 2020.81 (-O3 -funroll-loops). That gives a big speedup for RSA
  key generation, which regressed in 2022.82.
  There is a tradeoff with code size, so -Os can be used if required.
  https://github.com/mkj/dropbear/issues/174
  Reported by David Bernard
 - Add '-z' flag to disable setting QoS traffic class. This may be necessary
  to work with broken networks or network drivers, exposed after changes to use
  AF21 in 2022.82
  https://github.com/mkj/dropbear/issues/193
  Reported by yuhongwei380, patch from Petr Štetiar
 - Allow overriding user shells with COMPAT_USER_SHELLS
  Based on a patch from Matt Robinson
 - Improve permission error message
  Patch from k-kurematsu
 - >> Remove HMAC_MD5 entirely
 Regression fixes from 2022.82:
 - Fix X11 build
 - Fix build warning
 - Fix compilation when disabling pubkey authentication
  Patch from MaxMougg
 - Fix MAX_UNAUTH_CLIENTS regression
  Reported by ptpt52
 - Avoid using slower prime testing in bundled libtomcrypt when DSS is disabled
  https://github.com/mkj/dropbear/issues/174
  Suggested by Steffen Jaeckel
 - Fix Dropbear plugin support
  https://github.com/mkj/dropbear/issues/194
  Reported by Struan Bartlett
 Other fixes:
 - Fix long standing incorrect compression size check. Dropbear
  (client or server) would erroneously exit with
  "bad packet, oversized decompressed"
  when receiving a compressed packet of exactly the maximum size.
 - Fix missing setsid() removed in 2020.79
  https://github.com/mkj/dropbear/issues/180
  Reported and debugged by m5jt and David Bernard
 - Try keyboard-interactive auth before password, in dbclient.
  This was unintentionally changed back in 2013
  https://github.com/mkj/dropbear/pull/190
  Patch from Michele Giacomoli
 - Drain the terminal when reading the fingerprint confirmation response
  https://github.com/mkj/dropbear/pull/191
  Patch from Michele Giacomoli
 - Fix utx wtmp variable typo. This has been wrong for a long time but
  only recently became a problem when wtmp was detected.
  https://github.com/mkj/dropbear/pull/189
  Patch from Michele Giacomoli
 - Improve configure test for hardening options.
  Fixes building on AIX
  https://github.com/mkj/dropbear/issues/158
 - Fix debian/dropbear.init newline
  From wulei-student
 Infrastructure:
 - Test off-by-default compile options
 - Set -Wundef to catch typos in #if statements
 2022.82 - 1 April 2022
 Features and Changes:
@@ -159,13 +54,10 @@ Features and Changes:
  Patch from Raphaël Hertzog
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403
- Added client option "-o DisableTrivialAuth". It disallows a server immediately
+- Added client option "-o DisableTrivialAuth". This can be used to prevent
-  giving successful authentication (without presenting any password/pubkey prompt).
+  the server immediately accepting successful authentication (before any auth
-  This avoids a UI confusion issue where it may appear that the user is accepting
+  request) which could cause UI confusion and security issues with agent
-  a SSH agent prompt from their local machine, but are actually accepting a prompt
+  forwarding - it isn't clear which host is prompting to use a key.
  sent immediately by the remote server. 
  CVE-2021-36369 though the description there is a bit confused. It only applies
  to Dropbear as a client.
  Thanks to Manfred Kaiser from Austrian MilCERT
 - Add -q client option to hide remote banner, from Hans Harder
--- a/2
+++ b/2
@@ -58,7 +58,7 @@ Compiling for uClibc should be the same as normal, just set CC to the magic
 uClibc toolchain compiler (ie export CC=i386-uclibc-gcc or whatever).
 You can use "make STATIC=1" to make statically linked binaries, and it is
 advisable to strip the binaries too. If you're looking to make a small binary,
-you should remove unneeded ciphers and algorithms, by editing localoptions.h
+you should remove unneeded ciphers and MD5, by editing localoptions.h
 It is possible to compile zlib in, by copying zlib.h and zconf.h into a
 subdirectory (ie zlibincludes), and 
--- a/Makefile.in
+++ b/Makefile.in
@@ -43,7 +43,7 @@ COMMONOBJS=dbutil.o buffer.o dbhelpers.o \
 SVROBJS=svr-kex.o svr-auth.o sshpty.o \
 		svr-authpasswd.o svr-authpubkey.o svr-authpubkeyoptions.o svr-session.o svr-service.o \
 		svr-chansession.o svr-runopts.o svr-agentfwd.o svr-main.o svr-x11fwd.o\
-		svr-tcpfwd.o svr-authpam.o
+		svr-tcpfwd.o svr-authpam.o @CRYPTLIB@
 CLIOBJS=cli-main.o cli-auth.o cli-authpasswd.o cli-kex.o \
 		cli-session.o cli-runopts.o cli-chansession.o \
--- a/2
+++ b/2
@@ -8,8 +8,6 @@ which performs multiple tasks, to save disk space)
 SMALL has some tips on creating small binaries.
 A mirror of the Dropbear website and tarballs is available at https://dropbear.nl/mirror/
 Please contact me if you have any questions/bugs found/features/ideas/comments etc :)
 There is also a mailing list http://lists.ucc.gu.uwa.edu.au/mailman/listinfo/dropbear
--- a/6
+++ b/6
@@ -47,10 +47,4 @@ deciding.
 Of course using small C libraries such as uClibc and dietlibc can also help.
 ---
 Libtommath has its own default CFLAGS to improve speed. You can use
 ./configure LTM_CFLAGS=-Os
 to reduce size at the expense of speed.
 If you have any queries, mail me and I'll see if I can help.
--- a/auth.h
+++ b/auth.h
@@ -28,7 +28,6 @@
 #include "includes.h"
 #include "signkey.h"
 #include "chansession.h"
 #include "list.h"
 void svr_authinitialise(void);
@@ -46,7 +45,6 @@ int svr_pubkey_allows_agentfwd(void);
 int svr_pubkey_allows_tcpfwd(void);
 int svr_pubkey_allows_x11fwd(void);
 int svr_pubkey_allows_pty(void);
 int svr_pubkey_allows_local_tcpfwd(const char *host, unsigned int port);
 void svr_pubkey_set_forced_command(struct ChanSess *chansess);
 void svr_pubkey_options_cleanup(void);
 int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filename);
@@ -56,9 +54,6 @@ int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filena
 #define svr_pubkey_allows_tcpfwd() 1
 #define svr_pubkey_allows_x11fwd() 1
 #define svr_pubkey_allows_pty() 1
 static inline int svr_pubkey_allows_local_tcpfwd(const char *host, unsigned int port)
 	{ (void)host; (void)port; return 1; }
 static inline void svr_pubkey_set_forced_command(struct ChanSess *chansess) { }
 static inline void svr_pubkey_options_cleanup(void) { }
 #define svr_add_pubkey_options(x,y,z) DROPBEAR_SUCCESS
@@ -98,7 +93,6 @@ void cli_auth_pubkey_cleanup(void);
 #define AUTH_METHOD_INTERACT "keyboard-interactive"
 #define AUTH_METHOD_INTERACT_LEN 20
 #define PUBKEY_OPTIONS_ANY_PORT UINT_MAX
 /* This structure is shared between server and client - it contains
@@ -145,18 +139,6 @@ struct PubKeyOptions {
 	int no_pty_flag;
 	/* "command=" option. */
 	char * forced_command;
 	/* "permitopen=" option */
 	m_list *permit_open_destinations;
 #if DROPBEAR_SK_ECDSA || DROPBEAR_SK_ED25519
 	int no_touch_required_flag;
 	int verify_required_flag;
 #endif
 };
 struct PermitTCPFwdEntry {
 	char *host;
 	unsigned int port;
 };
 #endif
--- a/cli-auth.c
+++ b/cli-auth.c
@@ -296,6 +296,18 @@ int cli_auth_try() {
 	}
 #endif
 #if DROPBEAR_CLI_PASSWORD_AUTH
 	if (!finished && (ses.authstate.authtypes & AUTH_TYPE_PASSWORD)) {
 		if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
 			fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n");
 		} else {
 			cli_auth_password();
 			finished = 1;
 			cli_ses.lastauthtype = AUTH_TYPE_PASSWORD;
 		}
 	}
 #endif
 #if DROPBEAR_CLI_INTERACT_AUTH
 	if (!finished && (ses.authstate.authtypes & AUTH_TYPE_INTERACT)) {
 		if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
@@ -310,18 +322,6 @@ int cli_auth_try() {
 	}
 #endif
 #if DROPBEAR_CLI_PASSWORD_AUTH
 	if (!finished && (ses.authstate.authtypes & AUTH_TYPE_PASSWORD)) {
 		if (ses.keys->trans.algo_crypt->cipherdesc == NULL) {
 			fprintf(stderr, "Sorry, I won't let you use password auth unencrypted.\n");
 		} else {
 			cli_auth_password();
 			finished = 1;
 			cli_ses.lastauthtype = AUTH_TYPE_PASSWORD;
 		}
 	}
 #endif
 	TRACE(("cli_auth_try lastauthtype %d", cli_ses.lastauthtype))
 	if (finished) {
--- a/cli-kex.c
+++ b/cli-kex.c
@@ -229,8 +229,6 @@ static void ask_to_confirm(const unsigned char* keyblob, unsigned int keybloblen
 		fclose(tty);
 	} else {
 		response = getc(stdin);
 		/* flush stdin buffer */
 		while ((getchar()) != '\n');
 	}
 	if (response == 'y') {
--- a/cli-runopts.c
+++ b/cli-runopts.c
@@ -83,7 +83,6 @@ static void printhelp() {
 					"-W <receive_window_buffer> (default %d, larger may be faster, max 10MB)\n"
 					"-K <keepalive>  (0 is never, default %d)\n"
 					"-I <idle_timeout>  (0 is never, default %d)\n"
 					"-z    disable QoS\n"
 #if DROPBEAR_CLI_NETCAT
 					"-B <endhost:endport> Netcat-alike forwarding\n"
 #endif				
@@ -326,9 +325,6 @@ void cli_getopts(int argc, char ** argv) {
 				case 'b':
 					next = &bind_arg;
 					break;
 				case 'z':
 					opts.disable_ip_tos = 1;
 					break;
 				default:
 					fprintf(stderr,
 						"WARNING: Ignoring unknown option -%c\n", c);
--- a/common-algo.c
+++ b/common-algo.c
@@ -114,6 +114,10 @@ static const struct dropbear_hash dropbear_sha2_256 =
 static const struct dropbear_hash dropbear_sha2_512 =
 	{&sha512_desc, 64, 64};
 #endif
 #if DROPBEAR_MD5_HMAC
 static const struct dropbear_hash dropbear_md5 = 
 	{&md5_desc, 16, 16};
 #endif
 const struct dropbear_hash dropbear_nohash =
 	{NULL, 16, 0}; /* used initially */
@@ -181,6 +185,9 @@ algo_type sshhashes[] = {
 #endif
 #if DROPBEAR_SHA2_512_HMAC
 	{"hmac-sha2-512", 0, &dropbear_sha2_512, 1, NULL},
 #endif
 #if DROPBEAR_MD5_HMAC
 	{"hmac-md5", 0, (void*)&dropbear_md5, 1, NULL},
 #endif
 	{NULL, 0, NULL, 0, NULL}
 };
--- a/compat.c
+++ b/compat.c
@@ -231,7 +231,8 @@ void setusershell() {
 }
 static char **initshells() {
-	static const char *okshells[] = { COMPAT_USER_SHELLS, NULL };
+	/* don't touch this list. */
 	static const char *okshells[] = { "/bin/sh", "/bin/csh", NULL };
 	register char **sp, *cp;
 	register FILE *fp;
 	struct stat statb;
--- a/config.guess
+++ b/config.guess
@@ -4,7 +4,7 @@
 # shellcheck disable=SC2006,SC2268 # see below for rationale
-timestamp='2022-09-17'
+timestamp='2022-01-09'
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -966,12 +966,6 @@ EOF
 	GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'`
 	GUESS=$UNAME_MACHINE-unknown-$GNU_SYS$GNU_REL-$LIBC
 	;;
    x86_64:[Mm]anagarm:*:*|i?86:[Mm]anagarm:*:*)
 	GUESS="$UNAME_MACHINE-pc-managarm-mlibc"
 	;;
    *:[Mm]anagarm:*:*)
 	GUESS="$UNAME_MACHINE-unknown-managarm-mlibc"
 	;;
    *:Minix:*:*)
 	GUESS=$UNAME_MACHINE-unknown-minix
 	;;
@@ -1042,7 +1036,7 @@ EOF
    k1om:Linux:*:*)
 	GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
 	;;
-    loongarch32:Linux:*:* | loongarch64:Linux:*:*)
+    loongarch32:Linux:*:* | loongarch64:Linux:*:* | loongarchx32:Linux:*:*)
 	GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
 	;;
    m32r*:Linux:*:*)
@@ -1157,27 +1151,16 @@ EOF
 	;;
    x86_64:Linux:*:*)
 	set_cc_for_build
 	CPU=$UNAME_MACHINE
 	LIBCABI=$LIBC
 	if test "$CC_FOR_BUILD" != no_compiler_found; then
-	    ABI=64
+	    if (echo '#ifdef __ILP32__'; echo IS_X32; echo '#endif') | \
-	    sed 's/^	    //' << EOF > "$dummy.c"
+		(CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
-	    #ifdef __i386__
+		grep IS_X32 >/dev/null
-	    ABI=x86
+	    then
-	    #else
+		LIBCABI=${LIBC}x32
-	    #ifdef __ILP32__
+	    fi
 	    ABI=x32
 	    #endif
 	    #endif
 EOF
 	    cc_set_abi=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^ABI' | sed 's, ,,g'`
 	    eval "$cc_set_abi"
 	    case $ABI in
 		x86) CPU=i686 ;;
 		x32) LIBCABI=${LIBC}x32 ;;
 	    esac
 	fi
-	GUESS=$CPU-pc-linux-$LIBCABI
+	GUESS=$UNAME_MACHINE-pc-linux-$LIBCABI
 	;;
    xtensa*:Linux:*:*)
 	GUESS=$UNAME_MACHINE-unknown-linux-$LIBC
@@ -1384,11 +1367,8 @@ EOF
    BePC:Haiku:*:*)	# Haiku running on Intel PC compatible.
 	GUESS=i586-pc-haiku
 	;;
-    ppc:Haiku:*:*)	# Haiku running on Apple PowerPC
+    x86_64:Haiku:*:*)
-	GUESS=powerpc-apple-haiku
+	GUESS=x86_64-unknown-haiku
 	;;
    *:Haiku:*:*)	# Haiku modern gcc (not bound by BeOS compat)
 	GUESS=$UNAME_MACHINE-unknown-haiku
 	;;
    SX-4:SUPER-UX:*:*)
 	GUESS=sx4-nec-superux$UNAME_RELEASE
--- a/config.h.in
+++ b/config.h.in
@@ -180,6 +180,9 @@
 /* Define to 1 if you have the <mach/mach_time.h> header file. */
 #undef HAVE_MACH_MACH_TIME_H
 /* Define to 1 if you have the <memory.h> header file. */
 #undef HAVE_MEMORY_H
 /* Define to 1 if you have the `memset_s' function. */
 #undef HAVE_MEMSET_S
@@ -234,9 +237,6 @@
 /* Define to 1 if you have the <stdint.h> header file. */
 #undef HAVE_STDINT_H
 /* Define to 1 if you have the <stdio.h> header file. */
 #undef HAVE_STDIO_H
 /* Define to 1 if you have the <stdlib.h> header file. */
 #undef HAVE_STDLIB_H
@@ -417,14 +417,17 @@
 /* Define to the type of arg 5 for `select'. */
 #undef SELECT_TYPE_ARG5
-/* Define to 1 if all of the C90 standard headers exist (not just the ones
+/* Define to 1 if you have the ANSI C header files. */
   required in a freestanding environment). This macro is provided for
   backward compatibility; new code need not use it. */
 #undef STDC_HEADERS
 /* Use /dev/ptmx */
 #undef USE_DEV_PTMX
 /* Enable large inode numbers on Mac OS X 10.5.  */
 #ifndef _DARWIN_USE_64_BIT_INODE
 # define _DARWIN_USE_64_BIT_INODE 1
 #endif
 /* Number of bits in a file offset, on hosts where this is settable. */
 #undef _FILE_OFFSET_BITS
@@ -443,7 +446,7 @@
 /* Define to `int' if <sys/types.h> does not define. */
 #undef mode_t
-/* Define as a signed integer type capable of holding a process identifier. */
+/* Define to `int' if <sys/types.h> does not define. */
 #undef pid_t
 /* Define to `unsigned int' if <sys/types.h> does not define. */
--- a/config.sub
+++ b/config.sub
@@ -4,7 +4,7 @@
 # shellcheck disable=SC2006,SC2268 # see below for rationale
-timestamp='2022-09-17'
+timestamp='2022-01-03'
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -145,7 +145,7 @@ case $1 in
 			nto-qnx* | linux-* | uclinux-uclibc* \
 			| uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* \
 			| netbsd*-eabi* | kopensolaris*-gnu* | cloudabi*-eabi* \
-			| storm-chaos* | os2-emx* | rtmk-nova* | managarm-*)
+			| storm-chaos* | os2-emx* | rtmk-nova*)
 				basic_machine=$field1
 				basic_os=$maybe_os
 				;;
@@ -1207,7 +1207,7 @@ case $cpu-$vendor in
 			| k1om \
 			| le32 | le64 \
 			| lm32 \
-			| loongarch32 | loongarch64 \
+			| loongarch32 | loongarch64 | loongarchx32 \
 			| m32c | m32r | m32rle \
 			| m5200 | m68000 | m680[012346]0 | m68360 | m683?2 | m68k \
 			| m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x \
@@ -1341,10 +1341,6 @@ EOF
 		kernel=linux
 		os=`echo "$basic_os" | sed -e 's|linux|gnu|'`
 		;;
 	managarm*)
 		kernel=managarm
 		os=`echo "$basic_os" | sed -e 's|managarm|mlibc|'`
 		;;
 	*)
 		kernel=
 		os=$basic_os
@@ -1758,7 +1754,7 @@ case $os in
 	     | onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \
 	     | midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \
 	     | nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr* \
-	     | fiwix* | mlibc* )
+	     | fiwix* )
 		;;
 	# This one is extra strict with allowed versions
 	sco3.2v2 | sco3.2v[4-9]* | sco5v6*)
@@ -1766,9 +1762,6 @@ case $os in
 		;;
 	none)
 		;;
 	kernel* )
 		# Restricted further below
 		;;
 	*)
 		echo Invalid configuration \`"$1"\': OS \`"$os"\' not recognized 1>&2
 		exit 1
@@ -1779,26 +1772,16 @@ esac
 # (given a valid OS), if there is a kernel.
 case $kernel-$os in
 	linux-gnu* | linux-dietlibc* | linux-android* | linux-newlib* \
-		   | linux-musl* | linux-relibc* | linux-uclibc* | linux-mlibc* )
+		   | linux-musl* | linux-relibc* | linux-uclibc* )
 		;;
 	uclinux-uclibc* )
 		;;
-	managarm-mlibc* | managarm-kernel* )
+	-dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* )
 		;;
 	-dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* | -mlibc* )
 		# These are just libc implementations, not actual OSes, and thus
 		# require a kernel.
 		echo "Invalid configuration \`$1': libc \`$os' needs explicit kernel." 1>&2
 		exit 1
 		;;
 	-kernel* )
 		echo "Invalid configuration \`$1': \`$os' needs explicit kernel." 1>&2
 		exit 1
 		;;
 	*-kernel* )
 		echo "Invalid configuration \`$1': \`$kernel' does not support \`$os'." 1>&2
 		exit 1
 		;;
 	kfreebsd*-gnu* | kopensolaris*-gnu*)
 		;;
 	vxworks-simlinux | vxworks-simwindows | vxworks-spe)
--- a/7230
+++ b/7230
--- a/configure.ac
+++ b/configure.ac
@@ -23,15 +23,15 @@ AC_PROG_CC
 if test -z "$LD" ; then
 	LD=$CC
 fi
-AC_SUBST(LD)
+AC_SUBST(LD)	
-AC_DEFUN(DB_TRYADDCFLAGS,
+AC_DEFUN(DB_TRYADDCFLAGS, 
 [{
 		OLDFLAGS="$CFLAGS"
 		TESTFLAGS="$1"
-		CFLAGS="$TESTFLAGS $CFLAGS"
+		CFLAGS="$CFLAGS $TESTFLAGS"
-		AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+		AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
-			[AC_MSG_NOTICE([Setting $TESTFLAGS])],
+			[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
 			[AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDFLAGS" ]
 			)
 }])
@@ -42,25 +42,12 @@ if test -z "$ORIGCFLAGS" && test "$GCC" = "yes"; then
 	CFLAGS="-Os -W -Wall"
 fi
 # LTM_CFLAGS is given to ./configure by the user, 
 # DROPBEAR_LTM_CFLAGS is substituted in the LTM Makefile.in
 DROPBEAR_LTM_CFLAGS="$LTM_CFLAGS"
 if test -z "$DROPBEAR_LTM_CFLAGS"; then
 	DROPBEAR_LTM_CFLAGS="-O3 -funroll-loops -fomit-frame-pointer"
 fi
 AC_MSG_NOTICE(Setting LTM_CFLAGS to $DROPBEAR_LTM_CFLAGS)
 AC_ARG_VAR(LTM_CFLAGS, CFLAGS for bundled libtommath. Default -O3 -funroll-loops -fomit-frame-pointer)
 AC_SUBST(DROPBEAR_LTM_CFLAGS)
 AC_MSG_NOTICE([Checking if compiler '$CC' supports -Wno-pointer-sign])
 DB_TRYADDCFLAGS([-Wno-pointer-sign])
 AC_MSG_NOTICE([Checking if compiler '$CC' supports -fno-strict-overflow])
 DB_TRYADDCFLAGS([-fno-strict-overflow])
 AC_MSG_NOTICE([Checking if compiler '$CC' supports -Wundef])
 DB_TRYADDCFLAGS([-Wundef])
 # needed for various extensions. define early before autoconf tests
 AC_DEFINE([_GNU_SOURCE], [], [Use GNU extensions if glibc])
@@ -94,15 +81,15 @@ if test "$hardenbuild" -eq 1; then
 		OLDLDFLAGS="$LDFLAGS"
 		TESTFLAGS="-Wl,-pie"
-		LDFLAGS="$TESTFLAGS $LDFLAGS"
+		LDFLAGS="$LDFLAGS $TESTFLAGS"
-		AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+		AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
-			[AC_MSG_NOTICE([Setting $TESTFLAGS])],
+			[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
 			[
 				LDFLAGS="$OLDLDFLAGS"
 				TESTFLAGS="-pie"
-				LDFLAGS="$TESTFLAGS $LDFLAGS"
+				LDFLAGS="$LDFLAGS $TESTFLAGS"
-				AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+				AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
-					[AC_MSG_NOTICE([Setting $TESTFLAGS])],
+					[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
 					[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
 					)
 			]
@@ -110,24 +97,24 @@ if test "$hardenbuild" -eq 1; then
 		# readonly elf relocation sections (relro)
 		OLDLDFLAGS="$LDFLAGS"
 		TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
-		LDFLAGS="$TESTFLAGS $LDFLAGS"
+		LDFLAGS="$LDFLAGS $TESTFLAGS"
-		AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+		AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
-			[AC_MSG_NOTICE([Setting $TESTFLAGS])],
+			[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
 			[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
 			)
 	fi # non-static
 	# stack protector. -strong is good but only in gcc 4.9 or later
 	OLDCFLAGS="$CFLAGS"
 	TESTFLAGS="-fstack-protector-strong"
-	CFLAGS="$TESTFLAGS $CFLAGS"
+	CFLAGS="$CFLAGS $TESTFLAGS"
-	AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
-	    [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
 	    [
 			CFLAGS="$OLDCFLAGS"
 			TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
-			CFLAGS="$TESTFLAGS $CFLAGS"
+			CFLAGS="$CFLAGS $TESTFLAGS"
-			AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
-			    [AC_MSG_NOTICE([Setting $TESTFLAGS])],
+			    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
 			    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
 			    )
 	    ]
@@ -187,7 +174,7 @@ case "$host" in
 	# OpenSSH thinks it's broken. If it isn't, let me know.
 	AC_DEFINE(BROKEN_GETADDRINFO,1,Broken getaddrinfo)
 	;;
-
+	
 *-*-hpux*)
 	LIBS="$LIBS -lsec"
 	# It's probably broken.
@@ -204,7 +191,7 @@ AC_CHECK_TOOL(STRIP, strip, :)
 AC_CHECK_TOOL(INSTALL, install, :)
 dnl Can't use login() or logout() with uclibc
-AC_CHECK_DECL(__UCLIBC__,
+AC_CHECK_DECL(__UCLIBC__, 
 	[
 	no_loginfunc_check=1
 	AC_MSG_NOTICE([Using uClibc - login() and logout() probably don't work, so we won't use them.])
@@ -212,14 +199,14 @@ AC_CHECK_DECL(__UCLIBC__,
 dnl We test for crypt() specially. On Linux (and others?) it resides in libcrypt
 dnl but we don't want link all binaries to -lcrypt, just dropbear server.
-dnl OS X doesn't need -lcrypt
+dnl OS X doesn't need -lcrypt 
 AC_CHECK_FUNC(crypt, found_crypt_func=here)
-AC_CHECK_LIB(crypt, crypt,
+AC_CHECK_LIB(crypt, crypt, 
 	[
 	CRYPTLIB="-lcrypt"
 	found_crypt_func=here
 	])
-AC_SUBST(CRYPTLIB)
+AC_SUBST(CRYPTLIB)	
 if test "t$found_crypt_func" = there; then
 AC_DEFINE(HAVE_CRYPT, 1, [crypt() function])
 fi
@@ -581,7 +568,7 @@ AC_ARG_ENABLE(bundled-libtom,
 )
 if test $BUNDLED_LIBTOM = 1 ; then
-	AC_DEFINE(BUNDLED_LIBTOM,1,Use bundled libtom)
+	AC_DEFINE(BUNDLED_LIBTOM,1,Use bundled libtom) 
 fi
 AC_SUBST(LIBTOM_LIBS)
@@ -654,7 +641,7 @@ AC_ARG_ENABLE(pututxline,
 AC_ARG_WITH(lastlog,
  [  --with-lastlog=FILE|DIR specify lastlog location [common locations]],
 	[
-		if test "x$withval" = "xno" ; then
+		if test "x$withval" = "xno" ; then	
 			AC_DEFINE(DISABLE_LASTLOG)
 		else
 			conf_lastlog_location=$withval
@@ -729,7 +716,7 @@ fi
 if test -n "$conf_lastlog_location"; then
 	AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, "$conf_lastlog_location", lastlog file location)
-fi
+fi	
 dnl utmp detection
 AC_MSG_CHECKING([if your system defines UTMP_FILE])
@@ -759,7 +746,7 @@ if test -z "$conf_utmp_location"; then
 fi
 if test -n "$conf_utmp_location"; then
 	AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location", utmp file location)
-fi
+fi	
 dnl wtmp detection
 AC_MSG_CHECKING([if your system defines WTMP_FILE])
@@ -791,7 +778,7 @@ if test -z "$conf_wtmp_location"; then
 fi
 if test -n "$conf_wtmp_location"; then
 	AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location", wtmp file location)
-fi
+fi	
 dnl utmpx detection - I don't know any system so perverse as to require
@@ -819,7 +806,7 @@ if test -z "$conf_utmpx_location"; then
 	fi
 else
 	AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location", utmpx file location)
-fi
+fi	
 dnl wtmpx detection
 AC_MSG_CHECKING([if your system defines WTMPX_FILE])
@@ -846,7 +833,7 @@ if test -z "$conf_wtmpx_location"; then
 	fi
 else
 	AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location", wtmpx file location)
-fi
+fi	
 # Checks for library functions.
 AC_PROG_GCC_TRADITIONAL
@@ -882,7 +869,7 @@ fi
 AC_EXEEXT
 if test $BUNDLED_LIBTOM = 1 ; then
-(cd $srcdir; find libtomcrypt -type d) | xargs mkdir -pv
+(cd $srcdir; find libtomcrypt -type d) | xargs mkdir -pv 
 LIBTOM_FILES="libtomcrypt/Makefile libtommath/Makefile"
 fi
--- a/crypto_desc.c
+++ b/crypto_desc.c
@@ -34,6 +34,9 @@ void crypto_init() {
 #if DROPBEAR_SHA1_HMAC
 		&sha1_desc,
 #endif
 #if DROPBEAR_MD5_HMAC
 		&md5_desc,
 #endif
 #if DROPBEAR_SHA256
 		&sha256_desc,
 #endif
--- a/dbclient.1
+++ b/dbclient.1
@@ -94,18 +94,7 @@ is performed at all, this is usually undesirable.
 .B \-A
 Forward agent connections to the remote host. dbclient will use any
 OpenSSH-style agent program if available ($SSH_AUTH_SOCK will be set) for
-public key authentication.  Forwarding is only enabled if \fI-A\fR is specified.
+public key authentication.  Forwarding is only enabled if -A is specified.
 Beware that a forwarded agent connection will allow the remote server to have
 the same authentication credentials as you have used locally. A compromised
 remote server could use that to log in to other servers. 
 In many situations Dropbear's multi-hop mode is a better and more secure alternative
 to agent forwarding, avoiding having to trust the intermediate server.
 If the SSH agent program is set to prompt when a key is used, the 
 \fI-o DisableTrivialAuth\fR option can prevent UI confusion.
 .TP
 .B \-W \fIwindowsize
 Specify the per-channel receive window buffer size. Increasing this 
@@ -122,9 +111,6 @@ if 0 disables keepalives. If no response is received for 3 consecutive keepalive
 .B \-I \fIidle_timeout
 Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds.
 .TP
 .B \-z
 By default Dropbear will send network traffic with the \fBAF21\fR setting for QoS, letting network devices give it higher priority. Some devices may have problems with that, \fI-z\fR can be used to disable it.
 .TP
 .\" TODO: how to avoid a line break between these two -J arguments?
 .B \-J \fIproxy_command
@@ -170,13 +156,6 @@ Send dbclient log messages to syslog in addition to stderr.
 .TP
 .B Port
 Specify a listening port, like the \fI-p\fR argument.
 .TP
 .B DisableTrivialAuth
 Disallow a server immediately
 giving successful authentication (without presenting any password/pubkey prompt).
 This avoids a UI confusion issue where it may appear that the user is accepting
 a SSH agent prompt from their local machine, but are actually accepting a prompt
 sent immediately by the remote server. 
 .RE
 .TP
 .B \-s 
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,3 @@
 dropbear (2022.83-0.1) unstable; urgency=low
  * New upstream release.
 -- Matt Johnston <matt@ucc.asn.au>  Mon, 14 Nov 2022 22:51:57 +0800
 dropbear (2022.82-0.1) unstable; urgency=low
  * New upstream release.
@@ -179,6 +173,24 @@ dropbear (0.53-0.1) unstable; urgency=low
 -- Matt Johnston <matt@ucc.asn.au>  Thu, 24 Feb 2011 22:54:00 +0900
 dropbear (0.52-2) unstable; urgency=low
  * Make key utils part of dropbear-server package (since it's
  required anyway, single binary saves space), rename -common to
  -keyutils
  * Don't make clean between builds, just rm *.o since only
  top-level files change
 -- Matt Johnston <matt@ucc.asn.au>  Wed, 19 Nov 2008 21:54:00 +0900
 dropbear (0.52-1) unstable; urgency=low
  * Maemo port, split into 5 packages
  (dropbear, dropbear-server, dropbear-client, dropbear-common, dropbear-scp).
  This avoids conflicts with openssh package.
 -- Matt Johnston <matt@ucc.asn.au>  Wed, 19 Nov 2008 20:54:00 +0900
 dropbear (0.52-0.1) unstable; urgency=low
  * New upstream release.
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,7 @@
 Source: dropbear
-Section: net
+Section: user/network
 Priority: optional
-Maintainer: Gerrit Pape <pape@smarden.org>
+Maintainer: Matt Johnston <matt@ucc.asn.au>
 Build-Depends: libz-dev
 Standards-Version: 3.7.3.0
@@ -9,6 +9,9 @@ Package: dropbear
 Architecture: any
 Depends: ${shlibs:Depends}
 Suggests: openssh-client, runit
 Section: user/network
 Conflicts: dropbear-server, dropbear-client, dropbear-keyutils, dropbear-scp
 XB-Maemo-Display-Name: Dropbear SSH Client and Server
 Description: lightweight SSH2 server and client
 dropbear is a SSH 2 server and client designed to be small enough to
 be used in small memory environments, while still being functional and
@@ -17,4 +20,76 @@ Description: lightweight SSH2 server and client
 It implements most required features of the SSH 2 protocol, and other
 features such as X11 and authentication agent forwarding.
 .
 This package provides Dropbear client and server as a single binary,
 as well as key utilities and SCP.
 .
 See http://matt.ucc.asn.au/dropbear/dropbear.html
 Package: dropbear-server
 Architecture: any
 Depends: ${shlibs:Depends}
 Section: user/network
 Conflicts: dropbear, dropbear-keyutils
 Provides: dropbear-keyutils
 Recommends: dropbear-scp
 XB-Maemo-Display-Name: Dropbear SSH Server
 Description: lightweight SSH2 server
 dropbear is a SSH 2 server and client designed to be small enough to
 be used in small memory environments, while still being functional and
 secure enough for general use.
 .
 It implements most required features of the SSH 2 protocol, and other
 features such as X11 and authentication agent forwarding.
 .
 This package provides only the Dropbear server.
 .
 See http://matt.ucc.asn.au/dropbear/dropbear.html
 Package: dropbear-client
 Architecture: any
 Conflicts: dropbear
 Section: user/network
 Depends: ${shlibs:Depends}
 Recommends: dropbear-scp
 Suggests: dropbear-keyutils
 XB-Maemo-Display-Name: Dropbear SSH Client
 Description: lightweight SSH2 client
 dropbear is a SSH 2 server and client designed to be small enough to
 be used in small memory environments, while still being functional and
 secure enough for general use.
 .
 It implements most required features of the SSH 2 protocol, and other
 features such as X11 and authentication agent forwarding.
 .
 This package provides only the Dropbear client.
 .
 See http://matt.ucc.asn.au/dropbear/dropbear.html
 Package: dropbear-keyutils
 Architecture: any
 Conflicts: dropbear, dropbear-server
 Section: user/network
 XB-Maemo-Display-Name: Dropbear SSH Key Utils
 Depends: ${shlibs:Depends}
 Description: lightweight SSH2, key management utilities
 dropbear is a SSH 2 server and client designed to be small enough to
 be used in small memory environments, while still being functional and
 secure enough for general use.
 .
 This package provides dropbearkey and dropbearconvert programs,
 for generating keys and converting to/from OpenSSH keys.
 .
 See http://matt.ucc.asn.au/dropbear/dropbear.html
 Package: dropbear-scp
 Architecture: any
 Section: user/network
 Conflicts: dropbear
 XB-Maemo-Display-Name: Dropbear SCP
 Depends: ${shlibs:Depends}
 Description: lightweight SSH2 scp
 dropbear is a SSH 2 server and client designed to be small enough to
 be used in small memory environments, while still being functional and
 secure enough for general use.
 .
 This dropbear-scp package provides /usr/bin/scp.
--- a/debian/dropbear-server.conffiles
+++ b/debian/dropbear-server.conffiles
@@ -0,0 +1,3 @@
 /etc/init.d/dropbear
 /etc/dropbear/run
 /etc/dropbear/log/run
--- a/debian/dropbear-server.postinst
+++ b/debian/dropbear-server.postinst
@@ -0,0 +1,79 @@
 #!/bin/sh
 set -e
 test "$1" = 'configure' || exit 0
 if test ! -e /etc/dropbear/dropbear_rsa_host_key; then
  if test -f /etc/ssh/ssh_host_rsa_key; then
    echo "Converting existing OpenSSH RSA host key to Dropbear format."
    /usr/lib/dropbear/dropbearconvert openssh dropbear \
      /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key
  else
    echo "Generating Dropbear RSA key. Please wait."
    dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
  fi
 fi
 if test ! -e /etc/dropbear/dropbear_dss_host_key; then
  if test -f /etc/ssh/ssh_host_dsa_key; then
    echo "Converting existing OpenSSH RSA host key to Dropbear format."
    /usr/lib/dropbear/dropbearconvert openssh dropbear \
      /etc/ssh/ssh_host_dsa_key /etc/dropbear/dropbear_dss_host_key
  else
    echo "Generating Dropbear DSS key. Please wait."
    dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
  fi
 fi
 if test ! -s /etc/default/dropbear; then 
  # check whether OpenSSH seems to be installed.
  if test -x /usr/sbin/sshd; then
    cat <<EOT
 OpenSSH appears to be installed.  Setting /etc/default/dropbear so that
 Dropbear will not start by default.  Edit this file to change this behaviour.
 EOT
    cat >>/etc/default/dropbear <<EOT
 # disabled because OpenSSH is installed
 # change to NO_START=0 to enable Dropbear
 NO_START=1
 EOT
  fi
  cat >>/etc/default/dropbear <<EOT
 # the TCP port that Dropbear listens on
 DROPBEAR_PORT=22
 # any additional arguments for Dropbear
 DROPBEAR_EXTRA_ARGS=
 # specify an optional banner file containing a message to be
 # sent to clients before they connect, such as "/etc/issue.net"
 DROPBEAR_BANNER=""
 # RSA hostkey file (default: /etc/dropbear/dropbear_rsa_host_key)
 #DROPBEAR_RSAKEY="/etc/dropbear/dropbear_rsa_host_key"
 # DSS hostkey file (default: /etc/dropbear/dropbear_dss_host_key)
 #DROPBEAR_DSSKEY="/etc/dropbear/dropbear_dss_host_key"
 # Receive window size - this is a tradeoff between memory and
 # network performance
 DROPBEAR_RECEIVE_WINDOW=65536
 EOT
 fi
 if test -x /etc/init.d/dropbear; then
  update-rc.d dropbear defaults >/dev/null
  if test -x /usr/sbin/invoke-rc.d; then
    invoke-rc.d dropbear restart
  else
    /etc/init.d/dropbear restart
  fi
 fi
 if test -n "$2" && dpkg --compare-versions "$2" lt '0.50-4' &&
 update-service --check dropbear 2>/dev/null; then
  update-service --remove /etc/dropbear 2>/dev/null || :
  sleep 6
  rm -rf /var/run/dropbear /var/run/dropbear.log
  update-service --add /etc/dropbear || :
 fi
--- a/debian/dropbear-server.postrm
+++ b/debian/dropbear-server.postrm
@@ -0,0 +1,12 @@
 #! /bin/sh
 set -e
 test "$1" = 'purge' || exit 0
 if test -e /etc/dropbear; then
  rm -f /etc/dropbear/dropbear_rsa_host_key
  rm -f /etc/dropbear/dropbear_dss_host_key
  rmdir --ignore-fail-on-non-empty /etc/dropbear
 fi
 update-rc.d dropbear remove >/dev/null
 rm -f /etc/default/dropbear
 rm -rf /etc/dropbear/supervise /etc/dropbear/log/supervise
--- a/debian/dropbear-server.prerm
+++ b/debian/dropbear-server.prerm
@@ -0,0 +1,11 @@
 #!/bin/sh
 set -e
 test "$1" = 'remove' || test "$1" = 'deconfigure' || exit 0
 if test -x /etc/init.d/dropbear; then
  if test -x /usr/sbin/invoke-rc.d; then
    invoke-rc.d dropbear stop
  else
    /etc/init.d/dropbear stop
  fi
 fi
--- a/debian/dropbear.init
+++ b/debian/dropbear.init
@@ -25,7 +25,7 @@ set -e
 cancel() { echo "$1" >&2; exit 0; };
 test ! -r /etc/default/dropbear || . /etc/default/dropbear
 test -x "$DAEMON" || cancel "$DAEMON does not exist or is not executable."
-test ! -x /usr/sbin/update-service || ! update-service --check dropbear || \
+test ! -x /usr/sbin/update-service || ! update-service --check dropbear ||
  cancel 'The dropbear service is controlled through runit, use the sv(8) program'
 test -z "$DROPBEAR_BANNER" || \
@@ -39,7 +39,7 @@ test -n "$DROPBEAR_RECEIVE_WINDOW" || \
 case "$1" in
  start)
-	test "$NO_START" = "0" || cancel 'NO_START is not set to zero.'
+	test "$NO_START" = "0" || cancel '/etc/default/dropbear NO_START is set, Dropbear will not run.'
 	echo -n "Starting $DESC: "
 	start-stop-daemon --start --quiet --pidfile /var/run/"$NAME".pid \
 	  --exec "$DAEMON" -- -d "$DROPBEAR_DSSKEY" -r "$DROPBEAR_RSAKEY" \
@@ -52,7 +52,7 @@ case "$1" in
 	echo "$NAME."
 	;;
  restart|force-reload)
-	test "$NO_START" = "0" || cancel 'NO_START is not set to zero.'
+	test "$NO_START" = "0" || cancel '/etc/default/dropbear NO_START is set, Dropbear will not run.'
 	echo -n "Restarting $DESC: "
 	start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/"$NAME".pid
 	sleep 1
--- a/debian/rules
+++ b/debian/rules
@@ -20,8 +20,6 @@ ifneq (,$(findstring diet,$(DEB_BUILD_OPTIONS)))
  CC =diet -v -Os gcc -nostdinc
 endif
 DIR =$(shell pwd)/debian/dropbear
 patch: deb-checkdir patch-stamp
 patch-stamp:
 	for i in `ls -1 debian/diff/*.diff || :`; do \
@@ -36,13 +34,15 @@ config.status: patch-stamp configure
 	    --build='$(DEB_BUILD_GNU_TYPE)' --prefix=/usr \
 	    --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \
 	    $(CONFFLAGS)
 	$(MAKE) clean
 build: deb-checkdir build-stamp
 build-stamp: config.status
 	$(MAKE) CC='$(CC)' LD='$(CC)'
 	touch build-stamp
-clean: deb-checkdir deb-checkuid
+clean: DIR=$(shell pwd)/debian/dropbear
 clean: deb-checkdir deb-checkuid 
 	test ! -r Makefile || $(MAKE) distclean
 	rm -f libtomcrypt/Makefile libtommath/Makefile
 	test ! -e patch-stamp || \
@@ -51,22 +51,117 @@ clean: deb-checkdir deb-checkuid
 	  done
 	rm -f patch-stamp build-stamp config.log config.status
 	rm -rf '$(DIR)'
 	rm -rf '$(DIR)'-client
 	rm -rf '$(DIR)'-server
 	rm -rf '$(DIR)'-keyutils
 	rm -rf '$(DIR)'-scp
 	rm -f debian/files debian/substvars debian/copyright changelog
-install: deb-checkdir deb-checkuid build-stamp
+install-server: DIR=$(shell pwd)/debian/dropbear-server
-	rm -rf '$(DIR)'
+install-server: deb-checkdir deb-checkuid config.status 
 	rm -f '$(DIR)'
 	rm *.o
 	$(MAKE) CC='$(CC)' LD='$(LD)' PROGRAMS="dropbear dropbearkey dropbearconvert" MULTI=1
 	install -d -m0755 '$(DIR)'/etc/dropbear
 	# programs
 	install -d -m0755 '$(DIR)'/usr/sbin
 	install -m0755 dropbear '$(DIR)'/usr/sbin/dropbear
 	install -d -m0755 '$(DIR)'/usr/bin
-	install -m0755 dbclient '$(DIR)'/usr/bin/dbclient
+	install -d -m0755 '$(DIR)'/usr/sbin
 	install -m0755 dropbearkey '$(DIR)'/usr/bin/dropbearkey
 	install -d -m0755 '$(DIR)'/usr/lib/dropbear
-	install -m0755 dropbearconvert \
+	install -m0755 dropbearmulti \
-	  '$(DIR)'/usr/lib/dropbear/dropbearconvert
+	  '$(DIR)'/usr/lib/dropbear/dropbearmulti
-	$(STRIP) -R .comment -R .note '$(DIR)'/usr/sbin/* \
+	ln -s ../lib/dropbear/dropbearmulti '$(DIR)'/usr/bin/dropbearkey
-	  '$(DIR)'/usr/bin/* '$(DIR)'/usr/lib/dropbear/*
+	ln -s ../lib/dropbear/dropbearmulti '$(DIR)'/usr/sbin/dropbear
 	ln -s dropbearmulti '$(DIR)'/usr/lib/dropbear/dropbearconvert
 	# init and run scripts
 	install -d -m0755 '$(DIR)'/etc/init.d
 	install -m0755 debian/dropbear.init '$(DIR)'/etc/init.d/dropbear
 	install -m0755 debian/service/run '$(DIR)'/etc/dropbear/run
 	install -d -m0755 '$(DIR)'/etc/dropbear/log
 	install -m0755 debian/service/log '$(DIR)'/etc/dropbear/log/run
 	ln -s /var/log/dropbear '$(DIR)'/etc/dropbear/log/main
 	install -d -m0755 '$(DIR)'/usr/share/man/man8
 	for i in dropbear.8 ; do \
 	  install -m644 $$i '$(DIR)'/usr/share/man/man8/ || exit 1; \
 	done
 	gzip -9 '$(DIR)'/usr/share/man/man8/*.8
 	# copyright, changelog
 	cat debian/copyright.in LICENSE > debian/copyright
 	test -r changelog || ln -s CHANGES changelog
 	$(STRIP) -R .comment -R .note '$(DIR)'/usr/lib/dropbear/*
 	install -d -m0755 '$(DIR)'/DEBIAN
 	test '$(CC)' != 'gcc' || \
 	  dpkg-shlibdeps '$(DIR)'/usr/lib/dropbear/*
 install-client: DIR=$(shell pwd)/debian/dropbear-client
 install-client: deb-checkdir deb-checkuid config.status 
 	rm -f '$(DIR)'
 	rm *.o
 	$(MAKE) CC='$(CC)' LD='$(LD)' PROGRAMS=dbclient dbclient
 	install -d -m0755 '$(DIR)'/usr/bin
 	install -m0755 dbclient '$(DIR)'/usr/bin/dbclient
 	install -d -m0755 '$(DIR)'/usr/share/man/man1
 	install -m644 dbclient.1 '$(DIR)'/usr/share/man/man1/
 	gzip -9 '$(DIR)'/usr/share/man/man1/*.1
 	$(STRIP) -R .comment -R .note '$(DIR)'/usr/bin/* 
 	install -d -m0755 '$(DIR)'/DEBIAN
 	test '$(CC)' != 'gcc' || \
 	  dpkg-shlibdeps  '$(DIR)'/usr/bin/*
 install-keyutils: DIR=$(shell pwd)/debian/dropbear-keyutils
 install-keyutils: deb-checkdir deb-checkuid config.status 
 	rm -f '$(DIR)'
 	rm *.o
 	$(MAKE) CC='$(CC)' LD='$(LD)' PROGRAMS="dropbearkey dropbearconvert" MULTI=1
 	install -d -m0755 '$(DIR)'/usr/bin
 	install -d -m0755 '$(DIR)'/usr/lib/dropbear
 	install -m0755 dropbearmulti \
 	  '$(DIR)'/usr/lib/dropbear/dropbearmulti
 	ln -s ../lib/dropbear/dropbearmulti '$(DIR)'/usr/bin/dropbearkey
 	ln -s dropbearmulti '$(DIR)'/usr/lib/dropbear/dropbearconvert
 	install -d -m0755 '$(DIR)'/usr/share/man/man8
 	for i in dropbearkey.8; do \
 	  install -m644 $$i '$(DIR)'/usr/share/man/man8/ || exit 1; \
 	done
 	gzip -9 '$(DIR)'/usr/share/man/man8/*.8
 	$(STRIP) -R .comment -R .note \
 	   '$(DIR)'/usr/lib/dropbear/*
 	install -d -m0755 '$(DIR)'/DEBIAN
 	test '$(CC)' != 'gcc' || \
 	  dpkg-shlibdeps '$(DIR)'/usr/lib/dropbear/*
 install-scp: DIR=$(shell pwd)/debian/dropbear-scp
 install-scp: deb-checkdir deb-checkuid config.status 
 	rm -f '$(DIR)'
 	rm *.o
 	$(MAKE) CC='$(CC)' LD='$(LD)' PROGRAMS="scp" scp 
 	install -d -m0755 '$(DIR)'/usr/bin
 	install -m0755 scp '$(DIR)'/usr/bin/scp
 	$(STRIP) -R .comment -R .note '$(DIR)'/usr/bin/*
 	install -d -m0755 '$(DIR)'/DEBIAN
 	test '$(CC)' != 'gcc' || \
 	  dpkg-shlibdeps '$(DIR)'/usr/bin/* 
 install-multi: DIR=$(shell pwd)/debian/dropbear
 install-multi: deb-checkdir deb-checkuid config.status 
 	rm -f '$(DIR)'
 	rm *.o
 	$(MAKE) CC='$(CC)' LD='$(LD)' PROGRAMS="dropbearkey dropbearconvert scp dropbear dbclient" MULTI=1
 	install -d -m0755 '$(DIR)'/etc/dropbear
 	# programs
 	install -d -m0755 '$(DIR)'/usr/bin
 	install -d -m0755 '$(DIR)'/usr/sbin
 	install -d -m0755 '$(DIR)'/usr/lib/dropbear
 	install -m0755 dropbearmulti \
 	  '$(DIR)'/usr/lib/dropbear/dropbearmulti
 	ln -s ../lib/dropbear/dropbearmulti '$(DIR)'/usr/bin/dropbearkey
 	ln -s ../lib/dropbear/dropbearmulti '$(DIR)'/usr/bin/dbclient
 	ln -s ../lib/dropbear/dropbearmulti '$(DIR)'/usr/bin/scp
 	ln -s ../lib/dropbear/dropbearmulti '$(DIR)'/usr/sbin/dropbear
 	ln -s dropbearmulti '$(DIR)'/usr/lib/dropbear/dropbearconvert
 	# init and run scripts
 	install -d -m0755 '$(DIR)'/etc/init.d
 	install -m0755 debian/dropbear.init '$(DIR)'/etc/init.d/dropbear
@@ -74,7 +169,6 @@ install: deb-checkdir deb-checkuid build-stamp
 	install -d -m0755 '$(DIR)'/etc/dropbear/log
 	install -m0755 debian/service/log '$(DIR)'/etc/dropbear/log/run
 	ln -s /var/log/dropbear '$(DIR)'/etc/dropbear/log/main
 	# man pages
 	install -d -m0755 '$(DIR)'/usr/share/man/man8
 	install -d -m0755 '$(DIR)'/usr/share/man/man1
 	install -m644 dropbear.8 '$(DIR)'/usr/share/man/man8/
@@ -83,18 +177,26 @@ install: deb-checkdir deb-checkuid build-stamp
 	done
 	gzip -9 '$(DIR)'/usr/share/man/man8/*.8
 	gzip -9 '$(DIR)'/usr/share/man/man1/*.1
-	# copyright, changelog
+	$(STRIP) -R .comment -R .note '$(DIR)'/usr/lib/dropbear/*
 	cat debian/copyright.in LICENSE >debian/copyright
 	test -r changelog || ln -s CHANGES changelog
 	install -d -m0755 '$(DIR)'/DEBIAN
 	test '$(CC)' != 'gcc' || \
 	  dpkg-shlibdeps '$(DIR)'/usr/lib/dropbear/*
 install: install-client install-server install-keyutils install-multi install-scp
 binary-indep:
-binary-arch: install dropbear.deb
+binary-arch: install dropbear.deb dropbear-server.deb dropbear-keyutils.deb dropbear-scp.deb dropbear-client.deb
-	test '$(CC)' != 'gcc' || \
+	dpkg-gencontrol -isp -pdropbear -P'$(shell pwd)/debian'/dropbear
-	  dpkg-shlibdeps '$(DIR)'/usr/sbin/* '$(DIR)'/usr/bin/* \
+	dpkg-gencontrol -isp -pdropbear-server -P'$(shell pwd)/debian'/dropbear-server
-	    '$(DIR)'/usr/lib/dropbear/*
+	dpkg-gencontrol -isp -pdropbear-client -P'$(shell pwd)/debian'/dropbear-client
-	dpkg-gencontrol -isp -pdropbear -P'$(DIR)'
+	dpkg-gencontrol -isp -pdropbear-keyutils -P'$(shell pwd)/debian'/dropbear-keyutils
-	dpkg -b '$(DIR)' ..
+	dpkg-gencontrol -isp -pdropbear-scp -P'$(shell pwd)/debian'/dropbear-scp
 	dpkg -b '$(shell pwd)/debian'/dropbear ..
 	dpkg -b '$(shell pwd)/debian'/dropbear-server ..
 	dpkg -b '$(shell pwd)/debian'/dropbear-keyutils ..
 	dpkg -b '$(shell pwd)/debian'/dropbear-scp ..
 	dpkg -b '$(shell pwd)/debian'/dropbear-client ..
 binary: binary-arch binary-indep
--- a/default_options.h
+++ b/default_options.h
@@ -122,43 +122,30 @@ IMPORTANT: Some options will require "make clean" after changes */
   sha1 for compatibility */
 #define DROPBEAR_SHA1_HMAC 1
 #define DROPBEAR_SHA2_256_HMAC 1
 #define DROPBEAR_SHA2_512_HMAC 0
 #define DROPBEAR_SHA1_96_HMAC 0
 /* Hostkey/public key algorithms - at least one required, these are used
 * for hostkey as well as for verifying signatures with pubkey auth.
 * Removing either of these won't save very much space.
 * RSA is recommended.
- *
+ * DSS may be necessary to connect to some systems though
 * is not recommended for new keys.
 * See: RSA_PRIV_FILENAME and DSS_PRIV_FILENAME */
 #define DROPBEAR_RSA 1
-/* Newer SSH implementations use SHA256 for RSA signatures. SHA1
+#define DROPBEAR_DSS 1
 * support is required to communicate with some older implementations.
 * It will be removed in future due to SHA1 insecurity, it can be
 * disabled with DROPBEAR_RSA_SHA1 set to 0 */
 #define DROPBEAR_RSA_SHA1 1
 /* DSS may be necessary to connect to some systems but is not
 * recommended for new keys (1024 bits is small, and it uses SHA1).
 * RSA key generation will be faster with bundled libtommath
 * if DROPBEAR_DSS is disabled.
 * https://github.com/mkj/dropbear/issues/174#issuecomment-1267374858 */
 #define DROPBEAR_DSS 0
 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
 * code (either ECDSA or ECDH) increases binary size - around 30kB
 * on x86-64.
 * See: ECDSA_PRIV_FILENAME  */
 #define DROPBEAR_ECDSA 1
 /* Ed25519 is faster than ECDSA. Compiling in Ed25519 code increases
 * binary size - around 7,5kB on x86-64.
 * See: ED25519_PRIV_FILENAME  */
 #define DROPBEAR_ED25519 1
-
+/* SK_ECDSA/SK_ED25519 allows u2f security keys for public key auth.
 /* Allow U2F security keys for public key auth, with
 * sk-ecdsa-sha2-nistp256@openssh.com or sk-ssh-ed25519@openssh.com keys.
 * The corresponding DROPBEAR_ECDSA or DROPBEAR_ED25519 also needs to be set.
 * This is currently server-only. */
-#define DROPBEAR_SK_KEYS 1
+#define DROPBEAR_SK_ECDSA 1
 #define DROPBEAR_SK_ED25519 1
 /* RSA must be >=1024 */
 #define DROPBEAR_DEFAULT_RSA_SIZE 2048
--- a/dropbear.8
+++ b/dropbear.8
@@ -53,10 +53,6 @@ Disable password logins.
 .B \-g
 Disable password logins for root.
 .TP
 .B \-t
 Enable two-factor authentication. Both password login and public key authentication are
 required. Should not be used with the '-s' option.
 .TP
 .B \-j
 Disable local port forwarding.
 .TP
@@ -101,9 +97,6 @@ of 0 disables keepalives. If no response is received for 3 consecutive keepalive
 .B \-I \fIidle_timeout
 Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds.
 .TP
 .B \-z
 By default Dropbear will send network traffic with the \fBAF21\fR setting for QoS, letting network devices give it higher priority. Some devices may have problems with that, \fI-z\fR can be used to disable it.
 .TP
 .B \-T \fImax_authentication_attempts
 Set the number of authentication attempts allowed per connection. If unspecified the default is 10 (MAX_AUTH_TRIES)
 .TP
@@ -151,14 +144,6 @@ same functionality with other means even if no-pty is set.
 .B restrict
 Applies all the no- restrictions listed above.
 .TP
 .B permitopen=\fR"\fIhost:port\fR"
 Restrict local port forwarding so that connection is allowed only to the
 specified host and port. Multiple permitopen options separated by commas
 can be set in authorized_keys. Wildcard character ('*') may be used in
 port specification for matching any port. Hosts must be literal domain names or
 IP addresses.
 .TP
 .B command=\fR"\fIforced_command\fR"
 Disregard the command provided by the user and always run \fIforced_command\fR.
--- a/dropbear_lint.sh
+++ b/dropbear_lint.sh
@@ -3,6 +3,6 @@
 EXITCODE=0
 # #ifdef instead of #if
-grep '#ifdef DROPBEAR' -I -- *.c *.h && EXITCODE=1
+grep '#ifdef DROPBEAR' -I *.c *.h && EXITCODE=1
 exit $EXITCODE
--- a/dropbearkey.c
+++ b/dropbearkey.c
@@ -127,13 +127,13 @@ static void check_signkey_bits(enum signkey_type type, int bits)
 #endif
 #if DROPBEAR_RSA
 		case DROPBEAR_SIGNKEY_RSA:
-			if (bits < 1024 || bits > 4096 || (bits % 8 != 0)) {
+			if (bits < 512 || bits > 4096 || (bits % 8 != 0)) {
-				dropbear_exit("Bits must satisfy 1024 <= bits <= 4096, and be a"
+				dropbear_exit("Bits must satisfy 512 <= bits <= 4096, and be a"
 				              " multiple of 8\n");
 			}
 			break;
 #endif
-#if DROPBEAR_DSS
+#if DROPEAR_DSS
 		case DROPBEAR_SIGNKEY_DSS:
 			if (bits != 1024) {
 				dropbear_exit("DSS keys have a fixed size of 1024 bits\n");
--- a/fuzz/fuzzer-verify.c
+++ b/fuzz/fuzzer-verify.c
@@ -3,7 +3,6 @@
 #include "fuzz-wrapfd.h"
 #include "debug.h"
 #include "dss.h"
 #include "ed25519.h"
 static void setup_fuzzer(void) {
 	fuzz_common_setup();
@@ -60,21 +59,6 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 					/* Could also check g**q mod p == 1 */
 				}
 				if (keytype == DROPBEAR_SIGNKEY_SK_ED25519 || keytype == DROPBEAR_SIGNKEY_ED25519) {
 					dropbear_ed25519_key **eck = (dropbear_ed25519_key**)signkey_key_ptr(key, keytype);
 					if (eck && *eck) {
 						int i;
 						/* we've seen all-zero keys validate */
 						boguskey = 1;
 						for (i = 0; i < CURVE25519_LEN; i++) {
 							if ((*eck)->priv[i] != 0x00 || (*eck)->pub[i] != 0x00) {
 								boguskey = 0;
 							}
 						}
 					}
 				}
 				if (!boguskey) {
 					printf("Random key/signature managed to verify!\n");
 					abort();
--- a/keyimport.c
+++ b/keyimport.c
@@ -302,7 +302,6 @@ static int ber_read_id_len(void *source, int sourcelen,
 * Will avoid writing anything if dest is NULL, but still return
 * amount of space required.
 */
 #if DROPBEAR_DSS
 static int ber_write_id_len(void *dest, int id, int length, int flags)
 {
 	unsigned char *d = (unsigned char *)dest;
@@ -357,7 +356,6 @@ static int ber_write_id_len(void *dest, int id, int length, int flags)
 	return len;
 }
 #endif /* DROPBEAR_DSS */
 /* Simple structure to point to an mp-int within a blob. */
@@ -901,16 +899,15 @@ static int openssh_write(const char *filename, sign_key *key,
 	buffer * extrablob = NULL; /* used for calculated values to write */
 	unsigned char *outblob = NULL;
 	int outlen = -9999;
-	int pos = 0, len = 0, i;
+	struct mpint_pos numbers[9];
 	int nnumbers = -1, pos = 0, len = 0, seqlen, i;
 	char *header = NULL, *footer = NULL;
 	char zero[1];
 	int ret = 0;
 	FILE *fp;
 #if DROPBEAR_DSS
 	if (key->type == DROPBEAR_SIGNKEY_DSS) {
 		char zero[1];
 		struct mpint_pos numbers[9];
 		int nnumbers = -1, seqlen;
 		/*
 		 * Fetch the key blobs.
 		 */
@@ -927,6 +924,7 @@ static int openssh_write(const char *filename, sign_key *key,
 		 */
 		numbers[0].start = zero; numbers[0].bytes = 1; zero[0] = '\0';
 	#if DROPBEAR_DSS
 		if (key->type == DROPBEAR_SIGNKEY_DSS) {
 			/* p */
@@ -958,6 +956,7 @@ static int openssh_write(const char *filename, sign_key *key,
 			header = "-----BEGIN DSA PRIVATE KEY-----\n";
 			footer = "-----END DSA PRIVATE KEY-----\n";
 		}
 	#endif /* DROPBEAR_DSS */
 		/*
 		 * Now count up the total size of the ASN.1 encoded integers,
--- a/libtomcrypt/src/headers/tomcrypt_dropbear.h
+++ b/libtomcrypt/src/headers/tomcrypt_dropbear.h
@@ -54,6 +54,10 @@
 #define LTC_SHA1
 #endif
 #if DROPBEAR_MD5
 #define LTC_MD5
 #endif
 /* ECC */
 #if DROPBEAR_ECC
 #define LTC_MECC
--- a/libtommath/Makefile.in
+++ b/libtommath/Makefile.in
@@ -25,14 +25,8 @@ endif
 coverage: LIBNAME:=-Wl,--whole-archive $(LIBNAME)  -Wl,--no-whole-archive
 # Dropbear sets its own flags below
 IGNORE_SPEED=1
 include $(srcdir)/makefile_include.mk
 # override makefile_include.mk flags
 LTM_CFLAGS += @DROPBEAR_LTM_CFLAGS@
 %.o: %.c $(HEADERS)
 ifneq ($V,1)
 	@echo "   * ${CC} $@"
--- a/libtommath/makefile_include.mk
+++ b/libtommath/makefile_include.mk
@@ -104,7 +104,7 @@ LIBTOOLFLAGS += -no-undefined
 endif
 # add in the standard FLAGS
-LTM_CFLAGS := $(CFLAGS) $(LTM_CFLAGS)
+LTM_CFLAGS += $(CFLAGS)
 LTM_LFLAGS += $(LFLAGS)
 LTM_LDFLAGS += $(LDFLAGS)
 LTM_LIBTOOLFLAGS += $(LIBTOOLFLAGS)
--- a/loginrec.c
+++ b/loginrec.c
@@ -829,7 +829,7 @@ utmpx_perform_login(struct logininfo *li)
 		return 0;
 	}
 # else
-	if (!utmpx_write_direct(li, &utx)) {
+	if (!utmpx_write_direct(li, &ut)) {
 		dropbear_log(LOG_WARNING, "utmpx_perform_login: utmp_write_direct() failed");
 		return 0;
 	}
--- a/netio.c
+++ b/netio.c
@@ -3,7 +3,6 @@
 #include "dbutil.h"
 #include "session.h"
 #include "debug.h"
 #include "runopts.h"
 struct dropbear_progress_connection {
 	struct addrinfo *res;
@@ -378,7 +377,6 @@ void set_sock_priority(int sock, enum dropbear_prio prio) {
 	/* Don't log ENOTSOCK errors so that this can harmlessly be called
 	 * on a client '-J' proxy pipe */
 	if (opts.disable_ip_tos == 0) {
 #ifdef IP_TOS
 	/* Set the DSCP field for outbound IP packet priority.
 	rfc4594 has some guidance to meanings.
@@ -411,7 +409,6 @@ void set_sock_priority(int sock, enum dropbear_prio prio) {
 		TRACE(("Couldn't set IP_TOS (%s)", strerror(errno)));
 	}
 #endif /* IP_TOS */
 	}
 #ifdef HAVE_LINUX_PKT_SCHED_H
 	/* Set scheduling priority within the local Linux network stack */
--- a/packet.c
+++ b/packet.c
@@ -430,32 +430,44 @@ static buffer* buf_decompress(const buffer* buf, unsigned int len) {
 	z_streamp zstream;
 	zstream = ses.keys->recv.zstream;
-	/* We use RECV_MAX_PAYLOAD_LEN+1 here to ensure that
+	ret = buf_new(len);
 	   we can detect an oversized payload after inflate() */
 	ret = buf_new(RECV_MAX_PAYLOAD_LEN+1);
 	zstream->avail_in = len;
 	zstream->next_in = buf_getptr(buf, len);
 	zstream->avail_out = ret->size;
 	zstream->next_out = ret->data;
-	result = inflate(zstream, Z_SYNC_FLUSH);
+	/* decompress the payload, incrementally resizing the output buffer */
-	if (result != Z_OK) {
+	while (1) {
-		dropbear_exit("zlib error");
+
 		zstream->avail_out = ret->size - ret->pos;
 		zstream->next_out = buf_getwriteptr(ret, zstream->avail_out);
 		result = inflate(zstream, Z_SYNC_FLUSH);
 		buf_setlen(ret, ret->size - zstream->avail_out);
 		buf_setpos(ret, ret->len);
 		if (result != Z_BUF_ERROR && result != Z_OK) {
 			dropbear_exit("zlib error");
 		}
 		if (zstream->avail_in == 0 &&
 		   		(zstream->avail_out != 0 || result == Z_BUF_ERROR)) {
 			/* we can only exit if avail_out hasn't all been used,
 			 * and there's no remaining input */
 			return ret;
 		}
 		if (zstream->avail_out == 0) {
 			int new_size = 0;
 			if (ret->size >= RECV_MAX_PAYLOAD_LEN) {
 				/* Already been increased as large as it can go,
 				 * yet didn't finish up the decompression */
 				dropbear_exit("bad packet, oversized decompressed");
 			}
 			new_size = MIN(RECV_MAX_PAYLOAD_LEN, ret->size + ZLIB_DECOMPRESS_INCR);
 			ret = buf_resize(ret, new_size);
 		}
 	}
 	buf_setlen(ret, ret->size - zstream->avail_out);
 	if (zstream->avail_in > 0 || ret->len > RECV_MAX_PAYLOAD_LEN) {
 		/* The remote side sent larger than a payload size
 		 * of uncompressed data.
 		 */
 		dropbear_exit("bad packet, oversized decompressed");
 	}
 	/* Success. All input was consumed and avail_out > 0 */
 	return ret;
 }
 #endif
--- a/runopts.h
+++ b/runopts.h
@@ -33,7 +33,6 @@
 typedef struct runopts {
 	int disable_ip_tos;
 #if DROPBEAR_SVR_REMOTETCPFWD || DROPBEAR_CLI_LOCALTCPFWD \
    || DROPBEAR_CLI_REMOTETCPFWD
 	int listen_fwd_all;
@@ -80,9 +79,8 @@ typedef struct svr_runopts {
 	char *addresses[DROPBEAR_MAX_PORTS];
 	int inetdmode;
-	/* Hidden "-2 childpipe_fd" flag indicates it's re-executing itself,
+	/* Hidden "-2" flag indicates it's re-executing itself */
-	   stores the childpipe preauth file descriptor. Set to -1 otherwise. */
+	int reexec_child;
 	int reexec_childpipe;
 	/* Flags indicating whether to use ipv4 and ipv6 */
 	/* not used yet
@@ -107,7 +105,6 @@ typedef struct svr_runopts {
 	int noauthpass;
 	int norootpass;
 	int allowblankpass;
 	int multiauthmethod;
 	unsigned int maxauthtries;
 #if DROPBEAR_SVR_REMOTETCPFWD
@@ -130,10 +127,8 @@ typedef struct svr_runopts {
 	char * forced_command;
 #if DROPBEAR_PLUGIN 
-	/* malloced */
+        char *pubkey_plugin;
-	char *pubkey_plugin;
+        char *pubkey_plugin_options;
 	/* points into pubkey_plugin */
 	char *pubkey_plugin_options;
 #endif
 	int pass_on_env;
--- a/signkey.c
+++ b/signkey.c
@@ -587,7 +587,7 @@ void buf_put_sign(buffer* buf, sign_key *key, enum signature_type sigtype,
 	buffer *sigblob = buf_new(MAX_PUBKEY_SIZE);
 	enum signkey_type keytype = signkey_type_from_signature(sigtype);
-#if DEBUG_TRACE > DROPBEAR_VERBOSE_LEVEL
+#if DEBUG_TRACE
 	{
 		const char* signame = signature_name_from_type(sigtype, NULL);
 		TRACE(("buf_put_sign type %d %s", sigtype, signame));
@@ -688,7 +688,7 @@ int buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype,
 	if (keytype == DROPBEAR_SIGNKEY_SK_ECDSA_NISTP256) {
 		ecc_key **eck = (ecc_key**)signkey_key_ptr(key, keytype);
 		if (eck && *eck) {
-			return buf_sk_ecdsa_verify(buf, *eck, data_buf, key->sk_app, key->sk_applen, key->sk_flags_mask);
+			return buf_sk_ecdsa_verify(buf, *eck, data_buf, key->sk_app, key->sk_applen);
 		}
 	}
 #endif
@@ -696,7 +696,7 @@ int buf_verify(buffer * buf, sign_key *key, enum signature_type expect_sigtype,
 	if (keytype == DROPBEAR_SIGNKEY_SK_ED25519) {
 		dropbear_ed25519_key **eck = (dropbear_ed25519_key**)signkey_key_ptr(key, keytype);
 		if (eck && *eck) {
-			return buf_sk_ed25519_verify(buf, *eck, data_buf, key->sk_app, key->sk_applen, key->sk_flags_mask);
+			return buf_sk_ed25519_verify(buf, *eck, data_buf, key->sk_app, key->sk_applen);
 		}
 	}
 #endif
--- a/signkey.h
+++ b/signkey.h
@@ -127,7 +127,6 @@ struct SIGN_key {
 	/* application ID for U2F/FIDO key types, a malloced string */
 	char * sk_app;
 	unsigned int sk_applen;
 	unsigned char sk_flags_mask;
 #endif
 };
--- a/sk-ecdsa.c
+++ b/sk-ecdsa.c
@@ -8,9 +8,7 @@
 #include "sk-ecdsa.h"
 #include "ssh.h"
-int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf,
+int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf, const char* app, unsigned int applen) {
 			const char* app, unsigned int applen,
 			unsigned char sk_flags_mask) {
 	hash_state hs;
 	unsigned char subhash[SHA256_HASH_SIZE];
 	buffer *sk_buffer = NULL, *sig_buffer = NULL;
@@ -43,18 +41,13 @@ int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf,
 	buf_free(sk_buffer);
 	buf_free(sig_buffer);
-	if (~flags & sk_flags_mask & SSH_SK_USER_PRESENCE_REQD) {
+	/* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */
 	if (!(flags & SSH_SK_USER_PRESENCE_REQD)) {
 		if (ret == DROPBEAR_SUCCESS) {
 			dropbear_log(LOG_WARNING, "Rejecting, user-presence not set");
 		}
 		ret = DROPBEAR_FAILURE;
 	}
 	if (~flags & sk_flags_mask & SSH_SK_USER_VERIFICATION_REQD) {
 		if (ret == DROPBEAR_SUCCESS) {
 			dropbear_log(LOG_WARNING, "Rejecting, user-verification not set");
 		}
 		ret = DROPBEAR_FAILURE;
 	}
 	TRACE(("leave buf_sk_ecdsa_verify, ret=%d", ret))
 	return ret;
--- a/sk-ecdsa.h
+++ b/sk-ecdsa.h
@@ -8,9 +8,7 @@
 #include "buffer.h"
 #include "signkey.h"
-int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf,
+int buf_sk_ecdsa_verify(buffer *buf, const ecc_key *key, const buffer *data_buf, const char* app, unsigned int applen);
 			const char* app, unsigned int applen,
 			unsigned char sk_flags_mask);
 #endif
--- a/sk-ed25519.c
+++ b/sk-ed25519.c
@@ -8,9 +8,7 @@
 #include "ed25519.h"
 #include "ssh.h"
-int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf,
+int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf, const char* app, unsigned int applen) {
 			const char* app, unsigned int applen,
 			unsigned char sk_flags_mask) {
 	int ret = DROPBEAR_FAILURE;
 	unsigned char *s;
@@ -54,18 +52,13 @@ int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const bu
 		ret = DROPBEAR_SUCCESS;
 	}
-	if (~flags & sk_flags_mask & SSH_SK_USER_PRESENCE_REQD) {
+	/* TODO: allow "no-touch-required" or "verify-required" authorized_keys options */
 	if (!(flags & SSH_SK_USER_PRESENCE_REQD)) {
 		if (ret == DROPBEAR_SUCCESS) {
 			dropbear_log(LOG_WARNING, "Rejecting, user-presence not set");
 		}
 		ret = DROPBEAR_FAILURE;
 	}
 	if (~flags & sk_flags_mask & SSH_SK_USER_VERIFICATION_REQD) {
 		if (ret == DROPBEAR_SUCCESS) {
 			dropbear_log(LOG_WARNING, "Rejecting, user-verification not set");
 		}
 		ret = DROPBEAR_FAILURE;
 	}
 out:
 	buf_free(sk_buffer);
 	TRACE(("leave buf_sk_ed25519_verify: ret %d", ret))
--- a/sk-ed25519.h
+++ b/sk-ed25519.h
@@ -8,9 +8,7 @@
 #include "buffer.h"
 #include "ed25519.h"
-int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf,
+int buf_sk_ed25519_verify(buffer *buf, const dropbear_ed25519_key *key, const buffer *data_buf, const char* app, unsigned int applen);
 			const char* app, unsigned int applen,
 			unsigned char sk_flags_mask);
 #endif
--- a/svr-authpam.c
+++ b/svr-authpam.c
@@ -30,7 +30,6 @@
 #include "buffer.h"
 #include "dbutil.h"
 #include "auth.h"
 #include "runopts.h"
 #if DROPBEAR_SVR_PAM_AUTH
@@ -279,22 +278,12 @@ void svr_auth_pam(int valid_user) {
 		goto cleanup;
 	}
-	if (svr_opts.multiauthmethod && (ses.authstate.authtypes & ~AUTH_TYPE_PASSWORD)) {
+	/* successful authentication */
-			/* successful PAM password authentication, but extra auth required */
+	dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s' from %s",
-			dropbear_log(LOG_NOTICE,
+			ses.authstate.pw_name,
-					"PAM password auth succeeded for '%s' from %s, extra auth required",
+			svr_ses.addrstring);
-					ses.authstate.pw_name,
+	send_msg_userauth_success();
-					svr_ses.addrstring);
+
 			ses.authstate.authtypes &= ~AUTH_TYPE_PASSWORD; /* PAM password auth ok, delete the method flag */
 			send_msg_userauth_failure(1, 0);  /* Send partial success */
 		} else {
 			/* successful authentication */
 			dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s' from %s",
 				ses.authstate.pw_name,
 				svr_ses.addrstring);
 			send_msg_userauth_success();
 		}
 cleanup:
 	if (password != NULL) {
 		m_burn(password, passwordlen);
--- a/svr-authpasswd.c
+++ b/svr-authpasswd.c
@@ -106,22 +106,12 @@ void svr_auth_password(int valid_user) {
 	}
 	if (constant_time_strcmp(testcrypt, passwdcrypt) == 0) {
-		if (svr_opts.multiauthmethod && (ses.authstate.authtypes & ~AUTH_TYPE_PASSWORD)) {
+		/* successful authentication */
-			/* successful password authentication, but extra auth required */
+		dropbear_log(LOG_NOTICE, 
-			dropbear_log(LOG_NOTICE,
+				"Password auth succeeded for '%s' from %s",
-					"Password auth succeeded for '%s' from %s, extra auth required",
+				ses.authstate.pw_name,
-					ses.authstate.pw_name,
+				svr_ses.addrstring);
-					svr_ses.addrstring);
+		send_msg_userauth_success();
 			ses.authstate.authtypes &= ~AUTH_TYPE_PASSWORD; /* password auth ok, delete the method flag */
 			send_msg_userauth_failure(1, 0);  /* Send partial success */
 		} else {
 			/* successful authentication */
 			dropbear_log(LOG_NOTICE, 
 					"Password auth succeeded for '%s' from %s",
 					ses.authstate.pw_name,
 					svr_ses.addrstring);
 			send_msg_userauth_success();
 		}
 	} else {
 		dropbear_log(LOG_WARNING,
 				"Bad password attempt for '%s' from %s",
--- a/svr-authpubkey.c
+++ b/svr-authpubkey.c
@@ -64,7 +64,6 @@
 #include "ssh.h"
 #include "packet.h"
 #include "algo.h"
 #include "runopts.h"
 #if DROPBEAR_SVR_PUBKEY_AUTH
@@ -183,16 +182,6 @@ void svr_auth_pubkey(int valid_user) {
 		goto out;
 	}
 #if DROPBEAR_SK_ECDSA || DROPBEAR_SK_ED25519
 	key->sk_flags_mask = SSH_SK_USER_PRESENCE_REQD;
 	if (ses.authstate.pubkey_options && ses.authstate.pubkey_options->no_touch_required_flag) {
 		key->sk_flags_mask &= ~SSH_SK_USER_PRESENCE_REQD;
 	}
 	if (ses.authstate.pubkey_options && ses.authstate.pubkey_options->verify_required_flag) {
 		key->sk_flags_mask |= SSH_SK_USER_VERIFICATION_REQD;
 	}
 #endif
 	/* create the data which has been signed - this a string containing
 	 * session_id, concatenated with the payload packet up to the signature */
 	assert(ses.payload_beginning <= ses.payload->pos);
@@ -212,24 +201,12 @@ void svr_auth_pubkey(int valid_user) {
 	/* ... and finally verify the signature */
 	fp = sign_key_fingerprint(keyblob, keybloblen);
 	if (buf_verify(ses.payload, key, sigtype, signbuf) == DROPBEAR_SUCCESS) {
-		if (svr_opts.multiauthmethod && (ses.authstate.authtypes & ~AUTH_TYPE_PUBKEY)) {
+		dropbear_log(LOG_NOTICE,
-			/* successful pubkey authentication, but extra auth required */
+				"Pubkey auth succeeded for '%s' with %s key %s from %s",
-			dropbear_log(LOG_NOTICE,
+				ses.authstate.pw_name,
-					"Pubkey auth succeeded for '%s' with %s key %s from %s, extra auth required",
+				signkey_name_from_type(keytype, NULL), fp,
-					ses.authstate.pw_name,
+				svr_ses.addrstring);
-					signkey_name_from_type(keytype, NULL), fp,
+		send_msg_userauth_success();
 					svr_ses.addrstring);
 			ses.authstate.authtypes &= ~AUTH_TYPE_PUBKEY; /* pubkey auth ok, delete the method flag */
 			send_msg_userauth_failure(1, 0); /* Send partial success */
 		} else {
 			/* successful authentication */
 			dropbear_log(LOG_NOTICE,
 					"Pubkey auth succeeded for '%s' with %s key %s from %s",
 					ses.authstate.pw_name,
 					signkey_name_from_type(keytype, NULL), fp,
 					svr_ses.addrstring);
 			send_msg_userauth_success();
 		}
 #if DROPBEAR_PLUGIN
                if ((ses.plugin_session != NULL) && (svr_ses.plugin_instance->auth_success != NULL)) {
                    /* Was authenticated through the external plugin. tell plugin that signature verification was ok */
@@ -603,7 +580,7 @@ static int checkfileperm(char * filename) {
 	if (badperm) {
 		if (!ses.authstate.perm_warn) {
 			ses.authstate.perm_warn = 1;
-			dropbear_log(LOG_INFO, "%s must be owned by user or root, and not writable by group or others", filename);
+			dropbear_log(LOG_INFO, "%s must be owned by user or root, and not writable by others", filename);
 		}
 		TRACE(("leave checkfileperm: failure perms/owner"))
 		return DROPBEAR_FAILURE;
--- a/svr-authpubkeyoptions.c
+++ b/svr-authpubkeyoptions.c
@@ -46,7 +46,6 @@
 #include "dbutil.h"
 #include "signkey.h"
 #include "auth.h"
 #include "runopts.h"
 #if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
@@ -89,29 +88,6 @@ int svr_pubkey_allows_pty() {
 	return 1;
 }
 /* Returns 1 if pubkey allows local tcp fowarding to the provided destination,
 * 0 otherwise */
 int svr_pubkey_allows_local_tcpfwd(const char *host, unsigned int port) {
 	if (ses.authstate.pubkey_options
 		&& ses.authstate.pubkey_options->permit_open_destinations) {
 		m_list_elem *iter = ses.authstate.pubkey_options->permit_open_destinations->first;
 		while (iter) {
 			struct PermitTCPFwdEntry *entry = (struct PermitTCPFwdEntry*)iter->item;
 			if (strcmp(entry->host, host) == 0) {
 				if ((entry->port == PUBKEY_OPTIONS_ANY_PORT) || (entry->port == port)) {
 					return 1;
 				}
 			}
 			iter = iter->next;
 		}
 		return 0;
 	}
 	return 1;
 }
 /* Set chansession command to the one forced 
 * by any 'command' public key option. */
 void svr_pubkey_set_forced_command(struct ChanSess *chansess) {
@@ -137,16 +113,6 @@ void svr_pubkey_options_cleanup() {
 		if (ses.authstate.pubkey_options->forced_command) {
 			m_free(ses.authstate.pubkey_options->forced_command);
 		}
 		if (ses.authstate.pubkey_options->permit_open_destinations) {
 			m_list_elem *iter = ses.authstate.pubkey_options->permit_open_destinations->first;
 			while (iter) {
 				struct PermitTCPFwdEntry *entry = (struct PermitTCPFwdEntry*)list_remove(iter);
 				m_free(entry->host);
 				m_free(entry);
 				iter = ses.authstate.pubkey_options->permit_open_destinations->first;
 			}
 			m_free(ses.authstate.pubkey_options->permit_open_destinations);
 		}
 		m_free(ses.authstate.pubkey_options);
 	}
 	if (ses.authstate.pubkey_info) {
@@ -240,69 +206,6 @@ int svr_add_pubkey_options(buffer *options_buf, int line_num, const char* filena
 			goto bad_option;
 		}
 		if (match_option(options_buf, "permitopen=\"") == DROPBEAR_SUCCESS) {
 			int valid_option = 0;
 			const unsigned char* permitopen_start = buf_getptr(options_buf, 0);
 			if (!ses.authstate.pubkey_options->permit_open_destinations) {
 				ses.authstate.pubkey_options->permit_open_destinations = list_new();
 			}
 			while (options_buf->pos < options_buf->len) {
 				const char c = buf_getbyte(options_buf);
 				if (c == '"') {
 					char *spec = NULL;
 					char *portstring = NULL;
 					const int permitopen_len = buf_getptr(options_buf, 0) - permitopen_start;
 					struct PermitTCPFwdEntry *entry =
 							(struct PermitTCPFwdEntry*)m_malloc(sizeof(struct PermitTCPFwdEntry));
 					list_append(ses.authstate.pubkey_options->permit_open_destinations, entry);
 					spec = m_malloc(permitopen_len);
 					memcpy(spec, permitopen_start, permitopen_len - 1);
 					spec[permitopen_len - 1] = '\0';
 					if ((split_address_port(spec, &entry->host, &portstring) == DROPBEAR_SUCCESS)
 						&& entry->host && portstring) {
 						if (strcmp(portstring, "*") == 0) {
 							valid_option = 1;
 							entry->port = PUBKEY_OPTIONS_ANY_PORT;
 							TRACE(("local port forwarding allowed to host '%s'", entry->host));
 						} else if (m_str_to_uint(portstring, &entry->port) == DROPBEAR_SUCCESS) {
 							valid_option = 1;
 							TRACE(("local port forwarding allowed to host '%s' and port '%u'",
 									entry->host, entry->port));
 						}
 					}
 					m_free(spec);
 					m_free(portstring);
 					break;
 				}
 			}
 			if (valid_option) {
 				goto next_option;
 			} else {
 				dropbear_log(LOG_WARNING, "Badly formatted permitopen= authorized_keys option");
 				goto bad_option;
 			}
 		}
 		if (match_option(options_buf, "no-touch-required") == DROPBEAR_SUCCESS) {
 #if DROPBEAR_SK_ECDSA || DROPBEAR_SK_ED25519
 			dropbear_log(LOG_WARNING, "No user presence check required for U2F/FIDO key.");
 			ses.authstate.pubkey_options->no_touch_required_flag = 1;
 #endif
 			goto next_option;
 		}
 		if (match_option(options_buf, "verify-required") == DROPBEAR_SUCCESS) {
 #if DROPBEAR_SK_ECDSA || DROPBEAR_SK_ED25519
 			dropbear_log(LOG_WARNING, "User verification required for U2F/FIDO key.");
 			ses.authstate.pubkey_options->verify_required_flag = 1;
 #endif
 			goto next_option;
 		}
 next_option:
 		/*
 		 * Skip the comma, and move to the next option
--- a/svr-chansession.c
+++ b/svr-chansession.c
@@ -1040,11 +1040,9 @@ static void execchild(const void *user_data) {
 	if (chansess->original_command) {
 		addnewvar("SSH_ORIGINAL_COMMAND", chansess->original_command);
 	}
-#if DROPBEAR_SVR_PUBKEY_OPTIONS_BUILT
+        if (ses.authstate.pubkey_info != NULL) {
-	if (ses.authstate.pubkey_info != NULL) {
+                addnewvar("SSH_PUBKEYINFO", ses.authstate.pubkey_info);
-		addnewvar("SSH_PUBKEYINFO", ses.authstate.pubkey_info);
+        }
 	}
 #endif
 	/* change directory */
 	if (chdir(ses.authstate.pw_dir) < 0) {
--- a/svr-main.c
+++ b/svr-main.c
@@ -71,7 +71,7 @@ int main(int argc, char ** argv)
 #endif
 #if DROPBEAR_DO_REEXEC
-	if (svr_opts.reexec_childpipe >= 0) {
+	if (svr_opts.reexec_child) {
 #ifdef PR_SET_NAME
 		/* Fix the "Name:" in /proc/pid/status, otherwise it's
 		a FD number from fexecve.
@@ -102,7 +102,7 @@ static void main_inetd() {
 	seedrandom();
-	if (svr_opts.reexec_childpipe < 0) {
+	if (!svr_opts.reexec_child) {
 		/* In case our inetd was lax in logging source addresses */
 		get_socket_address(0, NULL, NULL, &host, &port, 0);
 			dropbear_log(LOG_INFO, "Child connection from %s:%s", host, port);
@@ -115,8 +115,10 @@ static void main_inetd() {
 		setsid();
 	}
-	/* -1 for childpipe in the inetd case is discarded */
+	/* Start service program 
-	svr_session(0, svr_opts.reexec_childpipe);
+	 * -1 is a dummy childpipe, just something we can close() without 
 	 * mattering. */
 	svr_session(0, -1);
 	/* notreached */
 }
@@ -330,7 +332,7 @@ static void main_noinetd(int argc, char ** argv, const char* multipath) {
 				m_free(remote_host);
 				m_free(remote_port);
-#if !DEBUG_NOFORK
+#ifndef DEBUG_NOFORK
 				if (setsid() < 0) {
 					dropbear_exit("setsid: %s", strerror(errno));
 				}
@@ -345,10 +347,9 @@ static void main_noinetd(int argc, char ** argv, const char* multipath) {
 				if (execfd >= 0) {
 #if DROPBEAR_DO_REEXEC
-					/* Add "-2 childpipe[1]" to the args and re-execute ourself. */
+					/* Add "-2" to the args and re-execute ourself. */
-					char **new_argv = m_malloc(sizeof(char*) * (argc+4));
+					char **new_argv = m_malloc(sizeof(char*) * (argc+3));
-					char buf[10];
+					int pos0 = 0, new_argc = argc+1;
 					int pos0 = 0, new_argc = argc+2;
 					/* We need to specially handle "dropbearmulti dropbear". */
 					if (multipath) {
@@ -358,9 +359,7 @@ static void main_noinetd(int argc, char ** argv, const char* multipath) {
 					}
 					memcpy(&new_argv[pos0], argv, sizeof(char*) * argc);
-					new_argv[new_argc-2] = "-2";
+					new_argv[new_argc-1] = "-2";
 					snprintf(buf, sizeof(buf), "%d", childpipe[1]);
 					new_argv[new_argc-1] = buf;
 					new_argv[new_argc] = NULL;
 					if ((dup2(childsock, STDIN_FILENO) < 0)) {
--- a/svr-runopts.c
+++ b/svr-runopts.c
@@ -81,7 +81,6 @@ static void printhelp(const char * progname) {
 					"-s		Disable password logins\n"
 					"-g		Disable password logins for root\n"
 					"-B		Allow blank password logins\n"
 					"-t		Enable two-factor authentication (both password and public key required)\n"
 #endif
 					"-T		Maximum authentication tries (default %d)\n"
 #if DROPBEAR_SVR_LOCALTCPFWD
@@ -104,7 +103,6 @@ static void printhelp(const char * progname) {
 					"-W <receive_window_buffer> (default %d, larger may be faster, max 10MB)\n"
 					"-K <keepalive>  (0 is never, default %d, in seconds)\n"
 					"-I <idle_timeout>  (0 is never, default %d, in seconds)\n"
 					"-z    disable QoS\n"
 #if DROPBEAR_PLUGIN
                                        "-A <authplugin>[,<options>]\n"
                                        "               Enable external public key auth through <authplugin>\n"
@@ -140,7 +138,6 @@ void svr_getopts(int argc, char ** argv) {
 	char* keepalive_arg = NULL;
 	char* idle_timeout_arg = NULL;
 	char* maxauthtries_arg = NULL;
 	char* reexec_fd_arg = NULL;
 	char* keyfile = NULL;
 	char c;
 #if DROPBEAR_PLUGIN
@@ -161,7 +158,6 @@ void svr_getopts(int argc, char ** argv) {
 	svr_opts.noauthpass = 0;
 	svr_opts.norootpass = 0;
 	svr_opts.allowblankpass = 0;
 	svr_opts.multiauthmethod = 0;
 	svr_opts.maxauthtries = MAX_AUTH_TRIES;
 	svr_opts.inetdmode = 0;
 	svr_opts.portcount = 0;
@@ -179,7 +175,6 @@ void svr_getopts(int argc, char ** argv) {
        svr_opts.pubkey_plugin_options = NULL;
 #endif
 	svr_opts.pass_on_env = 0;
 	svr_opts.reexec_childpipe = -1;
 #ifndef DISABLE_ZLIB
 	opts.compress_mode = DROPBEAR_COMPRESS_DELAYED;
@@ -202,7 +197,6 @@ void svr_getopts(int argc, char ** argv) {
 #if DROPBEAR_SVR_REMOTETCPFWD
 	opts.listen_fwd_all = 0;
 #endif
 	opts.disable_ip_tos = 0;
 	for (i = 1; i < (unsigned int)argc; i++) {
 		if (argv[i][0] != '-' || argv[i][1] == '\0')
@@ -256,12 +250,12 @@ void svr_getopts(int argc, char ** argv) {
 #if DROPBEAR_DO_REEXEC && NON_INETD_MODE
 				/* For internal use by re-exec */
 				case '2':
-					next = &reexec_fd_arg;
+					svr_opts.reexec_child = 1;
 					break;
 #endif
 				case 'p':
-					nextisport = 1;
+				  nextisport = 1;
-					break;
+				  break;
 				case 'P':
 					next = &svr_opts.pidfile;
 					break;
@@ -301,9 +295,6 @@ void svr_getopts(int argc, char ** argv) {
 				case 'B':
 					svr_opts.allowblankpass = 1;
 					break;
 				case 't':
 					svr_opts.multiauthmethod = 1;
 					break;
 #endif
 				case 'h':
 					printhelp(argv[0]);
@@ -326,9 +317,6 @@ void svr_getopts(int argc, char ** argv) {
 					print_version();
 					exit(EXIT_SUCCESS);
 					break;
 				case 'z':
 					opts.disable_ip_tos = 1;
 					break;
 				default:
 					fprintf(stderr, "Invalid option -%c\n", c);
 					printhelp(argv[0]);
@@ -438,13 +426,6 @@ void svr_getopts(int argc, char ** argv) {
 		dropbear_log(LOG_INFO, "Forced command set to '%s'", svr_opts.forced_command);
 	}
 	if (reexec_fd_arg) {
 		if (m_str_to_uint(reexec_fd_arg, &svr_opts.reexec_childpipe) == DROPBEAR_FAILURE
 			|| svr_opts.reexec_childpipe < 0) {
 			dropbear_exit("Bad -2");
 		}
 	}
 #if INETD_MODE
 	if (svr_opts.inetdmode && (
 		opts.usingsyslog == 0
@@ -457,20 +438,16 @@ void svr_getopts(int argc, char ** argv) {
 	}
 #endif
 	if (svr_opts.multiauthmethod && svr_opts.noauthpass) {
 		dropbear_exit("-t and -s are incompatible");
 	}
 #if DROPBEAR_PLUGIN
-	if (pubkey_plugin) {
+        if (pubkey_plugin) {
-		svr_opts.pubkey_plugin = m_strdup(pubkey_plugin);
+            char *args = strchr(pubkey_plugin, ',');
-		char *args = strchr(svr_opts.pubkey_plugin, ',');
+            if (args) {
-		if (args) {
+                *args='\0';
-			*args='\0';
+                ++args;
-			++args;
+            }
-		}
+            svr_opts.pubkey_plugin = pubkey_plugin;
-		svr_opts.pubkey_plugin_options = args;
+            svr_opts.pubkey_plugin_options = args;
-	}
+        }
 #endif
 }
--- a/svr-session.c
+++ b/svr-session.c
@@ -208,7 +208,7 @@ void svr_session(int sock, int childpipe) {
 }
-/* cleanup and exit - format must be <= 100 chars */
+/* failure exit - format must be <= 100 chars */
 void svr_dropbear_exit(int exitcode, const char* format, va_list param) {
 	char exitmsg[150];
 	char fullmsg[300];
@@ -217,12 +217,10 @@ void svr_dropbear_exit(int exitcode, const char* format, va_list param) {
 	int add_delay = 0;
 #if DROPBEAR_PLUGIN
-	if ((ses.plugin_session != NULL)) {
+        if ((ses.plugin_session != NULL)) {
-		svr_ses.plugin_instance->delete_session(ses.plugin_session);
+            svr_ses.plugin_instance->delete_session(ses.plugin_session);
-	}
+        }
-	ses.plugin_session = NULL;
+        ses.plugin_session = NULL;
 	svr_opts.pubkey_plugin_options = NULL;
 	m_free(svr_opts.pubkey_plugin);
 #endif
 	/* Render the formatted exit message */
--- a/svr-tcpfwd.c
+++ b/svr-tcpfwd.c
@@ -289,11 +289,6 @@ static int newtcpdirect(struct Channel * channel) {
 		goto out;
 	}
 	if (!svr_pubkey_allows_local_tcpfwd(desthost, destport)) {
 		TRACE(("leave newtcpdirect: local tcp forwarding not permitted to requested destination"));
 		goto out;
 	}
 	snprintf(portstring, sizeof(portstring), "%u", destport);
 	channel->conn_pending = connect_remote(desthost, portstring, channel_connect_done,
 		channel, NULL, NULL, DROPBEAR_PRIO_NORMAL);
--- a/svr-x11fwd.c
+++ b/svr-x11fwd.c
@@ -206,7 +206,7 @@ void x11cleanup(struct ChanSess *chansess) {
 }
 static int x11_inithandler(struct Channel *channel) {
-	channel->prio = DROPBEAR_PRIO_LOWDELAY;
+	channel->prio = DROPBEAR_CHANNEL_PRIO_INTERACTIVE;
 	return 0;
 }
--- a/sysoptions.h
+++ b/sysoptions.h
@@ -1,10 +1,10 @@
 /*******************************************************************
- * You shouldn't edit this file unless you know you need to.
+ * You shouldn't edit this file unless you know you need to. 
 * This file is only included from options.h
 *******************************************************************/
 #ifndef DROPBEAR_VERSION
-#define DROPBEAR_VERSION "2022.83"
+#define DROPBEAR_VERSION "2022.82"
 #endif
 #define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
@@ -68,6 +68,7 @@
 #define MAX_TERM_LEN 200 /* max length of TERM name */
 #define MAX_HOST_LEN 254 /* max hostname len for tcp fwding */
 #define MAX_IP_LEN 15 /* strlen("255.255.255.255") == 15 */
 #define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified,
 								 ipv4 and ipv6 don't count twice */
@@ -79,21 +80,12 @@
 #define _PATH_CP "/bin/cp"
 /* Default contents of /etc/shells if system getusershell() doesn't exist.
 * Paths taken from getusershell(3) manpage. These can be customised
 * on other platforms. One the commandline for CFLAGS it would look like eg
  -DCOMPAT_USER_SHELLS='"/bin/sh","/apps/bin/sh","/data/bin/zsh"'
 */
 #ifndef COMPAT_USER_SHELLS
 #define COMPAT_USER_SHELLS "/bin/sh","/bin/csh"
 #endif
 #define DROPBEAR_ESCAPE_CHAR '~'
 /* success/failure defines */
 #define DROPBEAR_SUCCESS 0
 #define DROPBEAR_FAILURE -1
-
+ 
 #define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
 #define DROPBEAR_NGROUP_MAX 1024
@@ -111,6 +103,7 @@
 #define SHA1_HASH_SIZE 20
 #define SHA256_HASH_SIZE 32
 #define MD5_HASH_SIZE 16
 #define MAX_HASH_SIZE 64 /* sha512 */
 #if DROPBEAR_CHACHA20POLY1305
@@ -133,6 +126,11 @@
 #define DROPBEAR_SHA2_512_HMAC 0
 #endif
 /* might be needed for compatibility with very old implementations */
 #ifndef DROPBEAR_MD5_HMAC
 #define DROPBEAR_MD5_HMAC 0
 #endif
 #define DROPBEAR_ECC ((DROPBEAR_ECDH) || (DROPBEAR_ECDSA))
 /* Debian doesn't define this in system headers */
@@ -158,15 +156,6 @@
 #define DROPBEAR_RSA_SHA256 DROPBEAR_RSA
 #endif
 /* Miller-Rabin primality testing is sufficient for RSA but not DSS.
 * It's a compile-time setting for libtommath, we can get a speedup
 * for key generation if DSS is disabled.
 * https://github.com/mkj/dropbear/issues/174#issuecomment-1267374858
 */
 #if !DROPBEAR_DSS
 #define LTM_USE_ONLY_MR 1
 #endif
 /* hashes which will be linked and registered */
 #define DROPBEAR_SHA1 (DROPBEAR_RSA_SHA1 || DROPBEAR_DSS \
 				|| DROPBEAR_SHA1_HMAC || DROPBEAR_SHA1_96_HMAC \
@@ -178,18 +167,12 @@
 #define DROPBEAR_SHA512 ((DROPBEAR_SHA2_512_HMAC) || (DROPBEAR_ECC_521) \
 			|| (DROPBEAR_SHA384) || (DROPBEAR_DH_GROUP16) \
 			|| (DROPBEAR_ED25519))
 #define DROPBEAR_MD5 (DROPBEAR_MD5_HMAC)
 #define DROPBEAR_DH_GROUP14 ((DROPBEAR_DH_GROUP14_SHA256) || (DROPBEAR_DH_GROUP14_SHA1))
 #define DROPBEAR_NORMAL_DH ((DROPBEAR_DH_GROUP1) || (DROPBEAR_DH_GROUP14) || (DROPBEAR_DH_GROUP16))
 #ifndef DROPBEAR_SK_ECDSA
 #define DROPBEAR_SK_ECDSA DROPBEAR_SK_KEYS
 #endif
 #ifndef DROPBEAR_SK_ED25519
 #define DROPBEAR_SK_ED25519 DROPBEAR_SK_KEYS
 #endif
 /* Dropbear only uses server-sig-algs, only needed if we have rsa-sha256 pubkey auth */
 #define DROPBEAR_EXT_INFO ((DROPBEAR_RSA_SHA256) \
 		&& ((DROPBEAR_CLI_PUBKEY_AUTH) || (DROPBEAR_SVR_PUBKEY_AUTH)))
@@ -374,18 +357,5 @@
 #define DROPBEAR_MSAN 0
 #endif
 #ifndef DEBUG_DSS_VERIFY
 #define DEBUG_DSS_VERIFY 0
 #endif
 #ifndef DROPBEAR_MULTI
 #define DROPBEAR_MULTI 0
 #endif
 /* Fuzzing expects all key types to be enabled */
 #if defined(DROPBEAR_DSS)
 #undef DROPBEAR_DSS
 #endif
 #define DROPBEAR_DSS 1
 /* no include guard for this file */