Vendor import of OpenSSH 6.3p1

Makefile.in

-# $Id: Makefile.in,v 1.336 2013/03/07 15:37:13 tim Exp $
+# $Id: Makefile.in,v 1.340 2013/06/11 01:26:10 dtucker Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -121,6 +121,8 @@ PATHSUBS	= \
 	-e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g'
 
 FIXPATHSCMD	= $(SED) $(PATHSUBS)
+FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
+		     @UNSUPPORTED_ALGORITHMS@
 
 all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
 
@@ -184,9 +186,10 @@ $(MANPAGES): $(MANPAGES_IN)
 		manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \
 	fi; \
 	if test "$(MANTYPE)" = "man"; then \
-		$(FIXPATHSCMD) $${manpage} | $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \
+		$(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) | \
+		    $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \
 	else \
-		$(FIXPATHSCMD) $${manpage} > $@; \
+		$(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \
 	fi
 
 $(CONFIGFILES): $(CONFIGFILES_IN)
@@ -382,15 +385,14 @@ uninstall:
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
 
 regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
-	[ -d `pwd`/regress ]  ||  mkdir -p `pwd`/regress; \
-	$(CC) $(CPPFLAGS) -o $@ $? \
-	$(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+	[ -d `pwd`/regress ]  ||  mkdir -p `pwd`/regress
+	[ -f `pwd`/regress/Makefile ]  || \
+	    ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
+	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
+	$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 
 tests interop-tests:	$(TARGETS) regress/modpipe$(EXEEXT)
 	BUILDDIR=`pwd`; \
-	[ -d `pwd`/regress ]  ||  mkdir -p `pwd`/regress; \
-	[ -f `pwd`/regress/Makefile ]  || \
-	    ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile ; \
 	TEST_SHELL="@TEST_SHELL@"; \
 	TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
 	TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \

README

-See http://www.openssh.com/txt/release-6.2p2 for the release notes.
+See http://www.openssh.com/txt/release-6.3 for the release notes.
 
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html
 
-$Id: README,v 1.82.2.1 2013/05/10 06:12:54 djm Exp $
+$Id: README,v 1.83 2013/07/25 02:34:00 djm Exp $

aclocal.m4

-dnl $Id: aclocal.m4,v 1.8 2011/05/20 01:45:25 djm Exp $
+dnl $Id: aclocal.m4,v 1.9 2013/06/02 21:31:27 tim Exp $
 dnl
 dnl OpenSSH-specific autoconf macros
 dnl
@@ -14,8 +14,15 @@ AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
 	_define_flag="$2"
 	test "x$_define_flag" = "x" && _define_flag="$1"
 	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
-		[ AC_MSG_RESULT([yes])
-		  CFLAGS="$saved_CFLAGS $_define_flag"],
+		[
+if `grep -i "unrecognized option" conftest.err >/dev/null`
+then
+		AC_MSG_RESULT([no])
+		CFLAGS="$saved_CFLAGS"
+else
+		AC_MSG_RESULT([yes])
+		 CFLAGS="$saved_CFLAGS $_define_flag"
+fi],
 		[ AC_MSG_RESULT([no])
 		  CFLAGS="$saved_CFLAGS" ]
 	)

addrmatch.c

-/*	$OpenBSD: addrmatch.c,v 1.6 2012/06/21 00:16:07 dtucker Exp $ */
+/*	$OpenBSD: addrmatch.c,v 1.7 2013/05/17 00:13:13 djm Exp $ */
 
 /*
  * Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
@@ -420,7 +420,7 @@ addr_match_list(const char *addr, const char *_list)
 				goto foundit;
 		}
 	}
-	xfree(o);
+	free(o);
 
 	return ret;
 }
@@ -494,7 +494,7 @@ addr_match_cidr_list(const char *addr, const char *_list)
 			continue;
 		}
 	}
-	xfree(o);
+	free(o);
 
 	return ret;
 }

auth-chall.c

-/* $OpenBSD: auth-chall.c,v 1.12 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth-chall.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -69,11 +69,11 @@ get_challenge(Authctxt *authctxt)
 		fatal("get_challenge: numprompts < 1");
 	challenge = xstrdup(prompts[0]);
 	for (i = 0; i < numprompts; i++)
-		xfree(prompts[i]);
-	xfree(prompts);
-	xfree(name);
-	xfree(echo_on);
-	xfree(info);
+		free(prompts[i]);
+	free(prompts);
+	free(name);
+	free(echo_on);
+	free(info);
 
 	return (challenge);
 }
@@ -102,11 +102,11 @@ verify_response(Authctxt *authctxt, const char *response)
 			authenticated = 1;
 
 		for (i = 0; i < numprompts; i++)
-			xfree(prompts[i]);
-		xfree(prompts);
-		xfree(name);
-		xfree(echo_on);
-		xfree(info);
+			free(prompts[i]);
+		free(prompts);
+		free(name);
+		free(echo_on);
+		free(info);
 		break;
 	}
 	device->free_ctx(authctxt->kbdintctxt);

auth-krb5.c

-/* $OpenBSD: auth-krb5.c,v 1.19 2006/08/03 03:34:41 deraadt Exp $ */
+/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */
 /*
  *    Kerberos v5 authentication and ticket-passing routines.
  *
@@ -79,6 +79,7 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 	krb5_ccache ccache = NULL;
 	int len;
 	char *client, *platform_client;
+	const char *errmsg;
 
 	/* get platform-specific kerberos client principal name (if it exists) */
 	platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name);
@@ -96,7 +97,12 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 		goto out;
 
 #ifdef HEIMDAL
+# ifdef HAVE_KRB5_CC_NEW_UNIQUE
+	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
+	     krb5_mcc_ops.prefix, NULL, &ccache);
+# else
 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
+# endif
 	if (problem)
 		goto out;
 
@@ -115,8 +121,13 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
 	if (problem)
 		goto out;
 
+# ifdef HAVE_KRB5_CC_NEW_UNIQUE
+	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
+	     krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
+# else
 	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
 	    &authctxt->krb5_fwd_ccache);
+# endif
 	if (problem)
 		goto out;
 
@@ -181,17 +192,19 @@ auth_krb5_password(Authctxt *authctxt, const char *password)
  out:
 	restore_uid();
 	
-	if (platform_client != NULL)
-		xfree(platform_client);
+	free(platform_client);
 
 	if (problem) {
 		if (ccache)
 			krb5_cc_destroy(authctxt->krb5_ctx, ccache);
 
-		if (authctxt->krb5_ctx != NULL && problem!=-1)
-			debug("Kerberos password authentication failed: %s",
-			    krb5_get_err_text(authctxt->krb5_ctx, problem));
-		else
+		if (authctxt->krb5_ctx != NULL && problem!=-1) {
+			errmsg = krb5_get_error_message(authctxt->krb5_ctx,
+			    problem);
+ 			debug("Kerberos password authentication failed: %s",
+			    errmsg);
+			krb5_free_error_message(authctxt->krb5_ctx, errmsg);
+		} else
 			debug("Kerberos password authentication failed: %d",
 			    problem);
 

auth-options.c

-/* $OpenBSD: auth-options.c,v 1.57 2012/12/02 20:46:11 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.59 2013/07/12 00:19:58 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -72,15 +72,15 @@ auth_clear_options(void)
 	while (custom_environment) {
 		struct envstring *ce = custom_environment;
 		custom_environment = ce->next;
-		xfree(ce->s);
-		xfree(ce);
+		free(ce->s);
+		free(ce);
 	}
 	if (forced_command) {
-		xfree(forced_command);
+		free(forced_command);
 		forced_command = NULL;
 	}
 	if (authorized_principals) {
-		xfree(authorized_principals);
+		free(authorized_principals);
 		authorized_principals = NULL;
 	}
 	forced_tun_device = -1;
@@ -149,7 +149,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			opts += strlen(cp);
 			if (forced_command != NULL)
-				xfree(forced_command);
+				free(forced_command);
 			forced_command = xmalloc(strlen(opts) + 1);
 			i = 0;
 			while (*opts) {
@@ -167,7 +167,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 				    file, linenum);
 				auth_debug_add("%.100s, line %lu: missing end quote",
 				    file, linenum);
-				xfree(forced_command);
+				free(forced_command);
 				forced_command = NULL;
 				goto bad_option;
 			}
@@ -180,7 +180,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			opts += strlen(cp);
 			if (authorized_principals != NULL)
-				xfree(authorized_principals);
+				free(authorized_principals);
 			authorized_principals = xmalloc(strlen(opts) + 1);
 			i = 0;
 			while (*opts) {
@@ -198,7 +198,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 				    file, linenum);
 				auth_debug_add("%.100s, line %lu: missing end quote",
 				    file, linenum);
-				xfree(authorized_principals);
+				free(authorized_principals);
 				authorized_principals = NULL;
 				goto bad_option;
 			}
@@ -232,7 +232,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 				    file, linenum);
 				auth_debug_add("%.100s, line %lu: missing end quote",
 				    file, linenum);
-				xfree(s);
+				free(s);
 				goto bad_option;
 			}
 			s[i] = '\0';
@@ -269,7 +269,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 				    file, linenum);
 				auth_debug_add("%.100s, line %lu: missing end quote",
 				    file, linenum);
-				xfree(patterns);
+				free(patterns);
 				goto bad_option;
 			}
 			patterns[i] = '\0';
@@ -277,7 +277,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 			switch (match_host_and_ip(remote_host, remote_ip,
 			    patterns)) {
 			case 1:
-				xfree(patterns);
+				free(patterns);
 				/* Host name matches. */
 				goto next_option;
 			case -1:
@@ -287,7 +287,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 				    "invalid criteria", file, linenum);
 				/* FALLTHROUGH */
 			case 0:
-				xfree(patterns);
+				free(patterns);
 				logit("Authentication tried for %.100s with "
 				    "correct key but not from a permitted "
 				    "host (host=%.200s, ip=%.200s).",
@@ -323,7 +323,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 				    file, linenum);
 				auth_debug_add("%.100s, line %lu: missing "
 				    "end quote", file, linenum);
-				xfree(patterns);
+				free(patterns);
 				goto bad_option;
 			}
 			patterns[i] = '\0';
@@ -337,7 +337,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 				auth_debug_add("%.100s, line %lu: "
 				    "Bad permitopen specification", file,
 				    linenum);
-				xfree(patterns);
+				free(patterns);
 				goto bad_option;
 			}
 			host = cleanhostname(host);
@@ -346,12 +346,12 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 				    "<%.100s>", file, linenum, p ? p : "");
 				auth_debug_add("%.100s, line %lu: "
 				    "Bad permitopen port", file, linenum);
-				xfree(patterns);
+				free(patterns);
 				goto bad_option;
 			}
 			if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
 				channel_add_permitted_opens(host, port);
-			xfree(patterns);
+			free(patterns);
 			goto next_option;
 		}
 		cp = "tunnel=\"";
@@ -370,13 +370,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 				    file, linenum);
 				auth_debug_add("%.100s, line %lu: missing end quote",
 				    file, linenum);
-				xfree(tun);
+				free(tun);
 				forced_tun_device = -1;
 				goto bad_option;
 			}
 			tun[i] = '\0';
 			forced_tun_device = a2tun(tun, NULL);
-			xfree(tun);
+			free(tun);
 			if (forced_tun_device == SSH_TUNID_ERR) {
 				debug("%.100s, line %lu: invalid tun device",
 				    file, linenum);
@@ -432,7 +432,8 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 {
 	char *command, *allowed;
 	const char *remote_ip;
-	u_char *name = NULL, *data_blob = NULL;
+	char *name = NULL;
+	u_char *data_blob = NULL;
 	u_int nlen, dlen, clen;
 	Buffer c, data;
 	int ret = -1, found;
@@ -484,7 +485,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 				if (*cert_forced_command != NULL) {
 					error("Certificate has multiple "
 					    "force-command options");
-					xfree(command);
+					free(command);
 					goto out;
 				}
 				*cert_forced_command = command;
@@ -500,7 +501,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 				if ((*cert_source_address_done)++) {
 					error("Certificate has multiple "
 					    "source-address options");
-					xfree(allowed);
+					free(allowed);
 					goto out;
 				}
 				remote_ip = get_remote_ipaddr();
@@ -508,7 +509,7 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 				    allowed)) {
 				case 1:
 					/* accepted */
-					xfree(allowed);
+					free(allowed);
 					break;
 				case 0:
 					/* no match */
@@ -521,12 +522,12 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 					    "is not permitted to use this "
 					    "certificate for login.",
 					    remote_ip);
-					xfree(allowed);
+					free(allowed);
 					goto out;
 				case -1:
 					error("Certificate source-address "
 					    "contents invalid");
-					xfree(allowed);
+					free(allowed);
 					goto out;
 				}
 				found = 1;
@@ -548,9 +549,10 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 			goto out;
 		}
 		buffer_clear(&data);
-		xfree(name);
-		xfree(data_blob);
-		name = data_blob = NULL;
+		free(name);
+		free(data_blob);
+		name = NULL;
+		data_blob = NULL;
 	}
 	/* successfully parsed all options */
 	ret = 0;
@@ -559,13 +561,13 @@ parse_option_list(u_char *optblob, size_t optblob_len, struct passwd *pw,
 	if (ret != 0 &&
 	    cert_forced_command != NULL &&
 	    *cert_forced_command != NULL) {
-		xfree(*cert_forced_command);
+		free(*cert_forced_command);
 		*cert_forced_command = NULL;
 	}
 	if (name != NULL)
-		xfree(name);
+		free(name);
 	if (data_blob != NULL)
-		xfree(data_blob);
+		free(data_blob);
 	buffer_free(&data);
 	buffer_free(&c);
 	return ret;
@@ -627,7 +629,7 @@ auth_cert_options(Key *k, struct passwd *pw)
 	/* CA-specified forced command supersedes key option */
 	if (cert_forced_command != NULL) {
 		if (forced_command != NULL)
-			xfree(forced_command);
+			free(forced_command);
 		forced_command = cert_forced_command;
 	}
 	return 0;

auth-pam.c

@@ -412,10 +412,9 @@ sshpam_thread_conv(int n, sshpam_const struct pam_message **msg,
 
  fail:
 	for(i = 0; i < n; i++) {
-		if (reply[i].resp != NULL)
-			xfree(reply[i].resp);
+		free(reply[i].resp);
 	}
-	xfree(reply);
+	free(reply);
 	buffer_free(&buffer);
 	return (PAM_CONV_ERR);
 }
@@ -586,10 +585,9 @@ sshpam_store_conv(int n, sshpam_const struct pam_message **msg,
 
  fail:
 	for(i = 0; i < n; i++) {
-		if (reply[i].resp != NULL)
-			xfree(reply[i].resp);
+		free(reply[i].resp);
 	}
-	xfree(reply);
+	free(reply);
 	return (PAM_CONV_ERR);
 }
 
@@ -693,7 +691,7 @@ sshpam_init_ctx(Authctxt *authctxt)
 	/* Start the authentication thread */
 	if (socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC, socks) == -1) {
 		error("PAM: failed create sockets: %s", strerror(errno));
-		xfree(ctxt);
+		free(ctxt);
 		return (NULL);
 	}
 	ctxt->pam_psock = socks[0];
@@ -703,7 +701,7 @@ sshpam_init_ctx(Authctxt *authctxt)
 		    strerror(errno));
 		close(socks[0]);
 		close(socks[1]);
-		xfree(ctxt);
+		free(ctxt);
 		return (NULL);
 	}
 	cleanup_ctxt = ctxt;
@@ -742,7 +740,7 @@ sshpam_query(void *ctx, char **name, char **info,
 			strlcpy(**prompts + plen, msg, len - plen);
 			plen += mlen;
 			**echo_on = (type == PAM_PROMPT_ECHO_ON);
-			xfree(msg);
+			free(msg);
 			return (0);
 		case PAM_ERROR_MSG:
 		case PAM_TEXT_INFO:
@@ -753,7 +751,7 @@ sshpam_query(void *ctx, char **name, char **info,
 			plen += mlen;
 			strlcat(**prompts + plen, "\n", len - plen);
 			plen++;
-			xfree(msg);
+			free(msg);
 			break;
 		case PAM_ACCT_EXPIRED:
 			sshpam_account_status = 0;
@@ -766,7 +764,7 @@ sshpam_query(void *ctx, char **name, char **info,
 				*num = 0;
 				**echo_on = 0;
 				ctxt->pam_done = -1;
-				xfree(msg);
+				free(msg);
 				return 0;
 			}
 			/* FALLTHROUGH */
@@ -776,7 +774,7 @@ sshpam_query(void *ctx, char **name, char **info,
 				debug("PAM: %s", **prompts);
 				buffer_append(&loginmsg, **prompts,
 				    strlen(**prompts));
-				xfree(**prompts);
+				free(**prompts);
 				**prompts = NULL;
 			}
 			if (type == PAM_SUCCESS) {
@@ -790,7 +788,7 @@ sshpam_query(void *ctx, char **name, char **info,
 				*num = 0;
 				**echo_on = 0;
 				ctxt->pam_done = 1;
-				xfree(msg);
+				free(msg);
 				return (0);
 			}
 			error("PAM: %s for %s%.100s from %.100s", msg,
@@ -801,7 +799,7 @@ sshpam_query(void *ctx, char **name, char **info,
 		default:
 			*num = 0;
 			**echo_on = 0;
-			xfree(msg);
+			free(msg);
 			ctxt->pam_done = -1;
 			return (-1);
 		}
@@ -852,7 +850,7 @@ sshpam_free_ctx(void *ctxtp)
 
 	debug3("PAM: %s entering", __func__);
 	sshpam_thread_cleanup();
-	xfree(ctxt);
+	free(ctxt);
 	/*
 	 * We don't call sshpam_cleanup() here because we may need the PAM
 	 * handle at a later stage, e.g. when setting up a session.  It's
@@ -1006,10 +1004,9 @@ sshpam_tty_conv(int n, sshpam_const struct pam_message **msg,
 
  fail:
 	for(i = 0; i < n; i++) {
-		if (reply[i].resp != NULL)
-			xfree(reply[i].resp);
+		free(reply[i].resp);
 	}
-	xfree(reply);
+	free(reply);
 	return (PAM_CONV_ERR);
 }
 
@@ -1081,7 +1078,7 @@ do_pam_putenv(char *name, char *value)
 
 	snprintf(compound, len, "%s=%s", name, value);
 	ret = pam_putenv(sshpam_handle, compound);
-	xfree(compound);
+	free(compound);
 #endif
 
 	return (ret);
@@ -1108,8 +1105,8 @@ free_pam_environment(char **env)
 		return;
 
 	for (envp = env; *envp; envp++)
-		xfree(*envp);
-	xfree(env);
+		free(*envp);
+	free(env);
 }
 
 /*
@@ -1165,10 +1162,9 @@ sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
 
  fail:
 	for(i = 0; i < n; i++) {
-		if (reply[i].resp != NULL)
-			xfree(reply[i].resp);
+		free(reply[i].resp);
 	}
-	xfree(reply);
+	free(reply);
 	return (PAM_CONV_ERR);
 }
 

auth-rsa.c

-/* $OpenBSD: auth-rsa.c,v 1.81 2012/10/30 21:29:54 djm Exp $ */
+/* $OpenBSD: auth-rsa.c,v 1.85 2013/07/12 00:19:58 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -164,9 +164,8 @@ static int
 rsa_key_allowed_in_file(struct passwd *pw, char *file,
     const BIGNUM *client_n, Key **rkey)
 {
-	char line[SSH_MAX_PUBKEY_BYTES];
-	int allowed = 0;
-	u_int bits;
+	char *fp, line[SSH_MAX_PUBKEY_BYTES];
+	int allowed = 0, bits;
 	FILE *f;
 	u_long linenum = 0;
 	Key *key;
@@ -227,11 +226,16 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
 
 		/* check the real bits  */
 		keybits = BN_num_bits(key->rsa->n);
-		if (keybits < 0 || bits != (u_int)keybits)
+		if (keybits < 0 || bits != keybits)
 			logit("Warning: %s, line %lu: keysize mismatch: "
 			    "actual %d vs. announced %d.",
 			    file, linenum, BN_num_bits(key->rsa->n), bits);
 
+		fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+		debug("matching key found: file %s, line %lu %s %s",
+		    file, linenum, key_type(key), fp);
+		free(fp);
+
 		/* Never accept a revoked key */
 		if (auth_key_is_revoked(key))
 			break;
@@ -281,7 +285,7 @@ auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 		file = expand_authorized_keys(
 		    options.authorized_keys_files[i], pw);
 		allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);
-		xfree(file);
+		free(file);
 	}
 
 	restore_uid();
@@ -298,7 +302,6 @@ int
 auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
 {
 	Key *key;
-	char *fp;
 	struct passwd *pw = authctxt->pw;
 
 	/* no user given */
@@ -328,11 +331,7 @@ auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
 	 * options; this will be reset if the options cause the
 	 * authentication to be rejected.