diff --git a/auth-pam.c b/auth-pam.c
index 348fe37..69174be 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -794,10 +794,11 @@ sshpam_query(void *ctx, char **name, char **info,
 				free(msg);
 				return (0);
 			}
-			error("PAM: %s for %s%.100s from %.100s", msg,
+			error("PAM: %s for %s%.100s from %.100s via %s", msg,
 			    sshpam_authctxt->valid ? "" : "illegal user ",
 			    sshpam_authctxt->user,
-			    auth_get_canonical_hostname(ssh, options.use_dns));
+			    auth_get_canonical_hostname(ssh, options.use_dns),
+			    get_local_ipaddr(packet_get_connection_in()));
 			/* FALLTHROUGH */
 		default:
 			*num = 0;
diff --git a/servconf.c b/servconf.c
index 873b0d0..ac0ba24 100644
--- a/servconf.c
+++ b/servconf.c
@@ -199,7 +199,7 @@ fill_default_server_options(ServerOptions *options)
 
 	/* Portable-specific options */
 	if (options->use_pam == -1)
-		options->use_pam = 0;
+		options->use_pam = 1;
 
 	/* Standard Options */
 	if (options->protocol == SSH_PROTO_UNKNOWN)
diff --git a/sshd.c b/sshd.c
index 799c771..0fbef54 100644
--- a/sshd.c
+++ b/sshd.c
@@ -2288,6 +2288,12 @@ main(int ac, char **av)
 	audit_event(SSH_AUTH_SUCCESS);
 #endif
 
+#ifdef USE_PAM
+	if (options.use_pam) {
+		do_pam_setcred(1);
+		do_pam_session();
+	}
+#endif
 #ifdef GSSAPI
 	if (options.gss_authentication) {
 		temporarily_use_uid(authctxt->pw);
@@ -2295,12 +2301,6 @@ main(int ac, char **av)
 		restore_uid();
 	}
 #endif
-#ifdef USE_PAM
-	if (options.use_pam) {
-		do_pam_setcred(1);
-		do_pam_session();
-	}
-#endif
 
 	/*
 	 * In privilege separation, we fork another child and prepare
diff --git a/sshd_config b/sshd_config
index 75ae8e7..4d48910 100644
--- a/sshd_config
+++ b/sshd_config
@@ -93,7 +93,10 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
+# Also, PAM will deny null passwords by default.  If you need to allow
+# null passwords, add the "	nullok" option to the end of the
+# securityserver.so line in /etc/pam.d/sshd.
+#UsePAM yes
 
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
diff --git a/sshd_config.0 b/sshd_config.0
index 85379dc..1ce56c1 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -958,7 +958,7 @@ DESCRIPTION
              either PasswordAuthentication or ChallengeResponseAuthentication.
 
              If UsePAM is enabled, you will not be able to run sshd(8) as a
-             non-root user.  The default is M-bM-^@M-^\noM-bM-^@M-^].
+             non-root user.  The default is M-bM-^@M-^\yesM-bM-^@M-^].
 
      UsePrivilegeSeparation
              Specifies whether sshd(8) separates privileges by creating an
diff --git a/sshd_config.5 b/sshd_config.5
index 1bc26ec..c9db1ca 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1595,7 +1595,7 @@ is enabled, you will not be able to run
 .Xr sshd 8
 as a non-root user.
 The default is
-.Dq no .
+.Dq yes .
 .It Cm UsePrivilegeSeparation
 Specifies whether
 .Xr sshd 8

diff --git a/Makefile.in b/Makefile.in
index 12991cd..a59285e 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -355,6 +355,11 @@ install-sysconf:
 	else \
 		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
 	fi
+	@if [ ! -f $(DESTDIR)$(sysconfdir)/org.openssh.sshd.sb ]; then \
+		$(INSTALL) -m 644 org.openssh.sshd.sb $(DESTDIR)$(sysconfdir); \
+	else \
+		echo "$(DESTDIR)$(sysconfdir)/org.openssh.sshd.sb already exists, install will not overwrite"; \
+	fi
 
 host-key: ssh-keygen$(EXEEXT)
 	@if [ -z "$(DESTDIR)" ] ; then \
diff --git a/org.openssh.sshd.sb b/org.openssh.sshd.sb
new file mode 100644
index 0000000..73e9efd
--- /dev/null
+++ b/org.openssh.sshd.sb
@@ -0,0 +1,21 @@
+;; Copyright (c) 2008 Apple Inc.  All Rights reserved.
+;;
+;; sshd - profile for privilege separated children
+;;
+;; WARNING: The sandbox rules in this file currently constitute
+;; Apple System Private Interface and are subject to change at any time and
+;; without notice.
+;;
+
+(version 1)
+
+(deny default)
+
+(allow file-chroot)
+(allow file-read-metadata (literal "/var"))
+
+(allow sysctl-read)
+(allow mach-per-user-lookup)
+(allow mach-lookup
+	(global-name "com.apple.system.notification_center")
+	(global-name "com.apple.system.logger"))
diff --git a/pathnames.h b/pathnames.h
index f5e11ab..10e942a 100644
--- a/pathnames.h
+++ b/pathnames.h
@@ -35,6 +35,7 @@
  * should be world-readable.
  */
 #define _PATH_SERVER_CONFIG_FILE	SSHDIR "/sshd_config"
+#define _PATH_SANDBOX_FILE		SSHDIR "/org.openssh.sshd.sb"
 #define _PATH_HOST_CONFIG_FILE		SSHDIR "/ssh_config"
 #define _PATH_HOST_KEY_FILE		SSHDIR "/ssh_host_key"
 #define _PATH_HOST_DSA_KEY_FILE		SSHDIR "/ssh_host_dsa_key"
diff --git a/sandbox-darwin.c b/sandbox-darwin.c
index 35f0c4d..4857901 100644
--- a/sandbox-darwin.c
+++ b/sandbox-darwin.c
@@ -32,6 +32,7 @@
 #include "log.h"
 #include "sandbox.h"
 #include "xmalloc.h"
+#include "pathnames.h"
 
 /* Darwin/OS X sandbox */
 
@@ -62,8 +63,16 @@ ssh_sandbox_child(struct ssh_sandbox *box)
 	struct rlimit rl_zero;
 
 	debug3("%s: starting Darwin sandbox", __func__);
+#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
+#ifndef SANDBOX_NAMED_EXTERNAL
+#define SANDBOX_NAMED_EXTERNAL (0x3)
+#endif
+	if (sandbox_init(_PATH_SANDBOX_FILE,
+		SANDBOX_NAMED_EXTERNAL, &errmsg) == -1)
+#else
 	if (sandbox_init(kSBXProfilePureComputation, SANDBOX_NAMED,
 	    &errmsg) == -1)
+#endif
 		fatal("%s: sandbox_init: %s", __func__, errmsg);
 
 	/*
diff --git a/sshd.c b/sshd.c
index 0fbef54..5d73630 100644
--- a/sshd.c
+++ b/sshd.c
@@ -719,10 +719,17 @@ privsep_preauth(Authctxt *authctxt)
 		/* Arrange for logging to be sent to the monitor */
 		set_log_handler(mm_log_handler, pmonitor);
 
+#ifdef __APPLE_SANDBOX_NAMED_EXTERNAL__
+		/* We need to do this before we chroot() so we can read sshd.sb */
+		if (box != NULL)
+			ssh_sandbox_child(box);
+#endif
 		privsep_preauth_child();
 		setproctitle("%s", "[net]");
+#ifndef __APPLE_SANDBOX_NAMED_EXTERNAL__
 		if (box != NULL)
 			ssh_sandbox_child(box);
+#endif
 
 		return 0;
 	}

diff --git a/channels.c b/channels.c
index 9f9e972..443e243 100644
--- a/channels.c
+++ b/channels.c
@@ -4041,15 +4041,35 @@ x11_connect_display(void)
 	 * connection to the real X server.
 	 */
 
-	/* Check if the display is from launchd. */
 #ifdef __APPLE__
-	if (strncmp(display, "/tmp/launch", 11) == 0) {
-		sock = connect_local_xsocket_path(display);
-		if (sock < 0)
-			return -1;
+	/* Check if the display is a path to a socket (as set by launchd). */
+	{
+		char path[PATH_MAX];
+		struct stat sbuf;
+		int is_path_to_socket = 0;
+
+		strlcpy(path, display, sizeof(path));
+		if (0 == stat(path, &sbuf)) {
+			is_path_to_socket = 1;
+		} else {
+			char *dot = strrchr(path, '.');
+			if (dot) {
+				*dot = '\0';
+				/* screen = atoi(dot + 1); */
+				if (0 == stat(path, &sbuf)) {
+					is_path_to_socket=1;
+				}
+			}
+		}
 
-		/* OK, we now have a connection to the display. */
-		return sock;
+		if (is_path_to_socket) {
+			sock = connect_local_xsocket_path(path);
+			if (sock < 0)
+				return -1;
+
+			/* OK, we now have a connection to the display. */
+			return sock;
+		}
 	}
 #endif
 	/*
diff --git a/clientloop.c b/clientloop.c
index 2c44f5d..2cca231 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -316,6 +316,10 @@ client_x11_get_proto(const char *display, const char *xauth_path,
 	struct stat st;
 	u_int now, x11_timeout_real;
 
+#if __APPLE__
+	int is_path_to_socket = 0;
+#endif /* __APPLE__ */
+
 	*_proto = proto;
 	*_data = data;
 	proto[0] = data[0] = xauthfile[0] = xauthdir[0] = '\0';
@@ -332,6 +336,33 @@ client_x11_get_proto(const char *display, const char *xauth_path,
 	}
 
 	if (xauth_path != NULL) {
+#if __APPLE__
+		{
+			/*
+			 * If using launchd socket, remove the screen number from the end
+			 * of $DISPLAY. is_path_to_socket is used later in this function
+			 * to determine if an error should be displayed.
+			 */
+			char path[PATH_MAX];
+			struct stat sbuf;
+
+			strlcpy(path, display, sizeof(path));
+			if (0 == stat(path, &sbuf)) {
+				is_path_to_socket = 1;
+			} else {
+				char *dot = strrchr(path, '.');
+				if (dot) {
+					*dot = '\0';
+					/* screen = atoi(dot + 1); */
+					if (0 == stat(path, &sbuf)) {
+						is_path_to_socket = 1;
+						debug("x11_get_proto: $DISPLAY is launchd, removing screennum");
+						setenv("DISPLAY", path, 1);
+					}
+				}
+			}
+		}
+#endif /* __APPLE__ */
 		/*
 		 * Handle FamilyLocal case where $DISPLAY does
 		 * not match an authorization entry.  For this we
@@ -441,6 +472,9 @@ client_x11_get_proto(const char *display, const char *xauth_path,
 	if (!got_data) {
 		u_int32_t rnd = 0;
 
+#if __APPLE__
+		if (!is_path_to_socket)
+#endif /* __APPLE__ */
 		logit("Warning: No xauth data; "
 		    "using fake authentication data for X11 forwarding.");
 		strlcpy(proto, SSH_X11_PROTO, sizeof proto);

diff --git a/Makefile.in b/Makefile.in
index a59285e..1bae84d 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -59,6 +59,7 @@ SED=@SED@
 ENT=@ENT@
 XAUTH_PATH=@XAUTH_PATH@
 LDFLAGS=-L. -Lopenbsd-compat/ @LDFLAGS@
+KEYCHAIN_LDFLAGS=@KEYCHAIN_LDFLAGS@
 EXEEXT=@EXEEXT@
 MANFMT=@MANFMT@
 
@@ -112,6 +113,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
 	sandbox-solaris.o
 
+KEYCHAINOBJS=keychain.o
+
 MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
 MANTYPE		= @MANTYPE@
@@ -147,6 +150,7 @@ all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
 $(LIBSSH_OBJS): Makefile.in config.h
 $(SSHOBJS): Makefile.in config.h
 $(SSHDOBJS): Makefile.in config.h
+$(KEYCHAINOBJS): Makefile.in config.h
 
 .c.o:
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
@@ -160,8 +164,8 @@ libssh.a: $(LIBSSH_OBJS)
 	$(AR) rv $@ $(LIBSSH_OBJS)
 	$(RANLIB) $@
 
-ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
-	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
+ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS) $(KEYCHAINOBJS)
+	$(LD) -o $@ $(SSHOBJS) $(KEYCHAINOBJS) $(LDFLAGS) $(KEYCHAIN_LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
 
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
 	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
@@ -169,11 +173,11 @@ sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
-ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
-	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o $(KEYCHAINOBJS)
+	$(LD) -o $@ ssh-add.o $(KEYCHAINOBJS) $(LDFLAGS) $(KEYCHAIN_LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
-ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
-	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o $(KEYCHAINOBJS)
+	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(KEYCHAINOBJS) $(LDFLAGS) $(KEYCHAIN_LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
 	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -312,7 +316,7 @@ install-files:
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
-	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
+	$(INSTALL) -m 0711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
diff --git a/audit-bsm.c b/audit-bsm.c
index 6135591..f3ff7a5 100644
--- a/audit-bsm.c
+++ b/audit-bsm.c
@@ -263,7 +263,12 @@ bsm_audit_record(int typ, char *string, au_event_t event_no)
 	pid_t		pid = getpid();
 	AuditInfoTermID	tid = ssh_bsm_tid;
 
-	if (the_authctxt != NULL && the_authctxt->valid) {
+	if (the_authctxt == NULL) {
+		error("BSM audit: audit record internal error (NULL ctxt)");
+		abort();
+	}
+
+	if (the_authctxt->valid) {
 		uid = the_authctxt->pw->pw_uid;
 		gid = the_authctxt->pw->pw_gid;
 	}
diff --git a/auth.c b/auth.c
index 24527dd..3085b33 100644
--- a/auth.c
+++ b/auth.c
@@ -215,7 +215,7 @@ allowed_user(struct passwd * pw)
 	}
 	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
 		/* Get the user's group access list (primary and supplementary) */
-		if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
+		if (ga_init(pw) == 0) {
 			logit("User %.100s from %.100s not allowed because "
 			    "not in any group", pw->pw_name, hostname);
 			return 0;
diff --git a/authfd.c b/authfd.c
index a634bcb..fe018c1 100644
--- a/authfd.c
+++ b/authfd.c
@@ -165,6 +165,29 @@ ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
 }
 
 /*
+ * Adds identities using passphrases stored in the keychain.  This call is not
+ * meant to be used by normal applications.
+ */
+
+int
+ssh_add_from_keychain(int agent_fd)
+{
+	Buffer msg;
+	int type;
+
+	buffer_init(&msg);
+	buffer_put_char(&msg, SSH_AGENTC_ADD_FROM_KEYCHAIN);
+
+	if (ssh_request_reply(agent_fd, &msg, &msg) == 0) {
+		buffer_free(&msg);
+		return 0;
+	}
+	type = buffer_get_char(&msg);
+	buffer_free(&msg);
+	return decode_reply(type);
+}
+
+/*
  * Closes the agent socket if it should be closed (depends on how it was
  * obtained).  The argument must have been returned by
  * ssh_get_authentication_socket().
diff --git a/authfd.h b/authfd.h
index 4b417e3..33ce33e 100644
--- a/authfd.h
+++ b/authfd.h
@@ -43,6 +43,9 @@ int	ssh_agent_sign(int sock, struct sshkey *key,
 	    u_char **sigp, size_t *lenp,
 	    const u_char *data, size_t datalen, const char *alg, u_int compat);
 
+int
+ssh_add_from_keychain(int agent_fd);
+
 /* Messages for the authentication agent connection. */
 #define SSH_AGENTC_REQUEST_RSA_IDENTITIES	1
 #define SSH_AGENT_RSA_IDENTITIES_ANSWER		2
@@ -76,6 +79,9 @@ int	ssh_agent_sign(int sock, struct sshkey *key,
 #define SSH2_AGENTC_ADD_ID_CONSTRAINED		25
 #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
 
+/* keychain */
+#define SSH_AGENTC_ADD_FROM_KEYCHAIN		27
+
 #define	SSH_AGENT_CONSTRAIN_LIFETIME		1
 #define	SSH_AGENT_CONSTRAIN_CONFIRM		2
 
diff --git a/config.h.in b/config.h.in
index 39d018f..c7fb869 100644
--- a/config.h.in
+++ b/config.h.in
@@ -78,6 +78,18 @@
 /* missing VIS_ALL */
 #undef BROKEN_STRNVIS
 
+/* platform uses an in-memory credentials cache */
+#undef USE_CCAPI
+
+/* platform has a Security Authorization Session API */
+#undef USE_SECURITY_SESSION_API
+
+/* Define to 1 if you have the `copyfile' function. */
+#undef HAVE_COPYFILE
+
+/* Define to 1 if you have the <copyfile.h> header file. */
+#undef HAVE_COPYFILE_H
+
 /* tcgetattr with ICANON may hang */
 #undef BROKEN_TCGETATTR_ICANON
 
diff --git a/configure.ac b/configure.ac
index 373d21b..ff275d2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4972,10 +4972,40 @@ AC_CHECK_MEMBER([struct utmp.ut_line], [], [
 #endif
 	])
 
+dnl Keychain support
+AC_ARG_WITH(keychain,
+	[  --with-keychain=apple   Use Mac OS X Keychain],
+	[
+		case "$withval" in
+		apple|no)
+			KEYCHAIN=$withval
+			;;
+		*)
+			AC_MSG_ERROR(invalid keychain type: $withval)
+			;;
+		esac
+	]
+)
+if test ! -z "$KEYCHAIN" -a "$KEYCHAIN" != "no"; then
+	case "$KEYCHAIN" in
+	apple)
+		AC_CHECK_HEADERS(Security/Security.h, [
+				CPPFLAGS="$CPPFLAGS -D__APPLE_KEYCHAIN__"
+				KEYCHAIN_LDFLAGS="-framework Security -framework CoreFoundation"
+				AC_SUBST(KEYCHAIN_LDFLAGS)
+				],
+				AC_MSG_WARN([Security framework not found. Disabling Mac OS X Keychain support.]))
+		;;
+	esac
+fi
+
 dnl Adding -Werror to CFLAGS early prevents configure tests from running.
 dnl Add now.
 CFLAGS="$CFLAGS $werror_flags"
 
+AC_CHECK_FUNCS(copyfile)
+AC_CHECK_HEADERS(copyfile.h)
+
 if test "x$ac_cv_func_getaddrinfo" != "xyes" ; then
 	TEST_SSH_IPV6=no
 else
diff --git a/groupaccess.c b/groupaccess.c
index 2518c84..f5e8c36 100644
--- a/groupaccess.c
+++ b/groupaccess.c
@@ -34,38 +34,67 @@
 #include <string.h>
 #include <limits.h>
 
+#ifdef __APPLE_MEMBERSHIP__
+#include <membership.h>
+#endif
+
 #include "xmalloc.h"
 #include "groupaccess.h"
 #include "match.h"
 #include "log.h"
 
+#ifdef __APPLE_MEMBERSHIP__
+// SPI for 5235093
+int32_t getgrouplist_2(const char *, gid_t, gid_t **);
+int32_t getgroupcount(const char *, gid_t);
+#endif
+
 static int ngroups;
 static char **groups_byname;
+#ifdef __APPLE_MEMBERSHIP__
+uuid_t u_uuid;
+#endif
 
 /*
  * Initialize group access list for user with primary (base) and
  * supplementary groups.  Return the number of groups in the list.
  */
 int
-ga_init(const char *user, gid_t base)
+ga_init(struct passwd *pw)
 {
-	gid_t *groups_bygid;
+	gid_t *groups_bygid = NULL;
 	int i, j;
 	struct group *gr;
 
+#ifdef __APPLE_MEMBERSHIP__
+	if (0 != mbr_uid_to_uuid(pw->pw_uid, u_uuid))
+		return 0;
+#endif
+
 	if (ngroups > 0)
 		ga_free();
 
+#ifndef __APPLE_MEMBERSHIP__
 	ngroups = NGROUPS_MAX;
 #if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX)
 	ngroups = MAX(NGROUPS_MAX, sysconf(_SC_NGROUPS_MAX));
 #endif
-
 	groups_bygid = xcalloc(ngroups, sizeof(*groups_bygid));
+#else
+	if (-1 == (ngroups = getgrouplist_2(pw->pw_name, pw->pw_gid,
+	    &groups_bygid))) {
+		logit("getgrouplist_2 failed");
+		return 0;
+	}
+#endif
 	groups_byname = xcalloc(ngroups, sizeof(*groups_byname));
-
-	if (getgrouplist(user, base, groups_bygid, &ngroups) == -1)
-		logit("getgrouplist: groups list too small");
+#ifndef __APPLE_MEMBERSHIP__
+	if (getgrouplist(pw->pw_name, pw->pw_gid, groups_bygid, &ngroups) == -1) {
+	    logit("getgrouplist: groups list too small");
+		free(groups_bygid);
+		return 0;
+	}
+#endif
 	for (i = 0, j = 0; i < ngroups; i++)
 		if ((gr = getgrgid(groups_bygid[i])) != NULL)
 			groups_byname[j++] = xstrdup(gr->gr_name);
@@ -76,16 +105,32 @@ ga_init(const char *user, gid_t base)
 /*
  * Return 1 if one of user's groups is contained in groups.
  * Return 0 otherwise.  Use match_pattern() for string comparison.
+ * Use mbr_check_membership() for membership checking on Mac OS X.
  */
 int
 ga_match(char * const *groups, int n)
 {
+#ifdef __APPLE_MEMBERSHIP__
+	int i, ismember = 0;
+	uuid_t g_uuid;
+	struct group *grp;
+
+	for (i = 0; i < n; i++) {
+		if ((grp = getgrnam(groups[i])) == NULL ||
+		   (mbr_gid_to_uuid(grp->gr_gid, g_uuid) != 0) ||
+		   (mbr_check_membership(u_uuid, g_uuid, &ismember) != 0))
+			return 0;
+		if (ismember)
+			return 1;
+	}
+#else
 	int i, j;
 
 	for (i = 0; i < ngroups; i++)
 		for (j = 0; j < n; j++)
 			if (match_pattern(groups_byname[i], groups[j]))
 				return 1;
+#endif
 	return 0;
 }
 
diff --git a/groupaccess.h b/groupaccess.h
index 000578e..ddea117 100644
--- a/groupaccess.h
+++ b/groupaccess.h
@@ -27,7 +27,7 @@
 #ifndef GROUPACCESS_H
 #define GROUPACCESS_H
 
-int	 ga_init(const char *, gid_t);
+int	 ga_init(struct passwd *);
 int	 ga_match(char * const *, int);
 int	 ga_match_pattern_list(const char *);
 void	 ga_free(void);
diff --git a/keychain.c b/keychain.c
new file mode 100644
index 0000000..51d6ad9
--- /dev/null
+++ b/keychain.c
@@ -0,0 +1,694 @@
+/*
+ * Copyright (c) 2007 Apple Inc. All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Inc. ("Apple") nor the names of its
+ *     contributors may be used to endorse or promote products derived from
+ *     this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ */
+
+#include "includes.h"
+
+#include <stdio.h>
+#include <string.h>
+
+#include "xmalloc.h"
+#include "key.h"
+#include "authfd.h"
+#include "authfile.h"
+
+#if defined(__APPLE_KEYCHAIN__)
+
+#include <CoreFoundation/CoreFoundation.h>
+#include <Security/Security.h>
+
+/* Our Security/SecPassword.h is not yet API, so I will define the constants that I am using here. */
+int kSecPasswordGet     = 1<<0;  // Get password from keychain or user
+int kSecPasswordSet     = 1<<1;  // Set password (passed in if kSecPasswordGet not set, otherwise from user)
+int kSecPasswordFail    = 1<<2;  // Wrong password (ignore item in keychain and flag error)
+OSStatus SecGenericPasswordCreate(SecKeychainAttributeList *searchAttrList, SecKeychainAttributeList *itemAttrList, SecPasswordRef *itemRef);
+OSStatus SecPasswordAction(SecPasswordRef itemRef, CFTypeRef message, UInt32 flags, UInt32 *length, const void **data);
+OSStatus SecPasswordSetInitialAccess(SecPasswordRef itemRef, SecAccessRef accessRef);
+
+#endif
+
+/*
+ * Platform-specific helper functions.
+ */
+
+#if defined(__APPLE_KEYCHAIN__)
+
+static int get_boolean_preference(const char *key, int default_value,
+    int foreground)
+{
+	int value = default_value;
+	CFStringRef keyRef = NULL;
+	CFPropertyListRef valueRef = NULL;
+
+	keyRef = CFStringCreateWithCString(NULL, key, kCFStringEncodingUTF8);
+	if (keyRef != NULL)
+		valueRef = CFPreferencesCopyAppValue(keyRef,
+		    CFSTR("org.openbsd.openssh"));
+	if (valueRef != NULL)
+		if (CFGetTypeID(valueRef) == CFBooleanGetTypeID())
+			value = CFBooleanGetValue(valueRef);
+		else if (foreground)
+			fprintf(stderr, "Ignoring nonboolean %s preference.\n", key);
+
+	if (keyRef)
+		CFRelease(keyRef);
+	if (valueRef)
+		CFRelease(valueRef);
+
+	return value;
+}
+
+#endif
+
+/*
+ * Store the passphrase for a given identity in the keychain.
+ */
+void
+store_in_keychain(const char *filename, const char *passphrase)
+{
+
+#if defined(__APPLE_KEYCHAIN__)
+
+	/*
+	 * store_in_keychain
+	 * Mac OS X implementation
+	 */
+
+	CFStringRef cfstr_relative_filename = NULL;
+	CFURLRef cfurl_relative_filename = NULL, cfurl_filename = NULL;
+	CFStringRef cfstr_filename = NULL;
+	CFDataRef cfdata_filename = NULL;
+	CFIndex filename_len;
+	UInt8 *label = NULL;
+	UInt8 *utf8_filename;
+	OSStatus rv;
+	SecKeychainItemRef itemRef = NULL;
+	SecTrustedApplicationRef apps[] = {NULL, NULL, NULL};
+	CFArrayRef trustedlist = NULL;
+	SecAccessRef initialAccess = NULL;
+
+	/* Bail out if KeychainIntegration preference is -bool NO */
+	if (get_boolean_preference("KeychainIntegration", 1, 1) == 0) {
+		fprintf(stderr, "Keychain integration is disabled.\n");
+		goto err;
+	}
+
+	/* Interpret filename with the correct encoding. */
+	if ((cfstr_relative_filename =
+	    CFStringCreateWithFileSystemRepresentation(NULL, filename)) == NULL)
+	    {
+		fprintf(stderr, "CFStringCreateWithFileSystemRepresentation failed\n");
+		goto err;
+	}
+	if ((cfurl_relative_filename = CFURLCreateWithFileSystemPath(NULL,
+	    cfstr_relative_filename, kCFURLPOSIXPathStyle, false)) == NULL) {
+		fprintf(stderr, "CFURLCreateWithFileSystemPath failed\n");
+		goto err;
+	}
+	if ((cfurl_filename = CFURLCopyAbsoluteURL(cfurl_relative_filename)) ==
+	    NULL) {
+		fprintf(stderr, "CFURLCopyAbsoluteURL failed\n");
+		goto err;
+	}
+	if ((cfstr_filename = CFURLCopyFileSystemPath(cfurl_filename,
+	    kCFURLPOSIXPathStyle)) == NULL) {
+		fprintf(stderr, "CFURLCopyFileSystemPath failed\n");
+		goto err;
+	}
+	if ((cfdata_filename = CFStringCreateExternalRepresentation(NULL,
+	    cfstr_filename, kCFStringEncodingUTF8, 0)) == NULL) {
+		fprintf(stderr, "CFStringCreateExternalRepresentation failed\n");
+		goto err;
+	}
+	filename_len = CFDataGetLength(cfdata_filename);
+	if ((label = xmalloc(filename_len + 5)) == NULL) {
+		fprintf(stderr, "xmalloc failed\n");
+		goto err;
+	}
+	memcpy(label, "SSH: ", 5);
+	utf8_filename = label + 5;
+	CFDataGetBytes(cfdata_filename, CFRangeMake(0, filename_len),
+	    utf8_filename);
+
+	/* Check if we already have this passphrase. */
+	rv = SecKeychainFindGenericPassword(NULL, 3, "SSH", filename_len,
+	    (char *)utf8_filename, NULL, NULL, &itemRef);
+	if (rv == errSecItemNotFound) {
+		/* Add a new keychain item. */
+		SecKeychainAttribute attrs[] = {
+			{kSecLabelItemAttr, filename_len + 5, label},
+			{kSecServiceItemAttr, 3, "SSH"},
+			{kSecAccountItemAttr, filename_len, utf8_filename}
+		};
+		SecKeychainAttributeList attrList =
+		    {sizeof(attrs) / sizeof(attrs[0]), attrs};
+		if (SecTrustedApplicationCreateFromPath("/usr/bin/ssh-agent",
+		    &apps[0]) != noErr ||
+		    SecTrustedApplicationCreateFromPath("/usr/bin/ssh-add",
+		    &apps[1]) != noErr ||
+		    SecTrustedApplicationCreateFromPath("/usr/bin/ssh",
+		    &apps[2]) != noErr) {
+			fprintf(stderr, "SecTrustedApplicationCreateFromPath failed\n");
+			goto err;
+		}
+		if ((trustedlist = CFArrayCreate(NULL, (const void **)apps,
+		    sizeof(apps) / sizeof(apps[0]), &kCFTypeArrayCallBacks)) ==
+		    NULL) {
+			fprintf(stderr, "CFArrayCreate failed\n");
+			goto err;
+		}
+		if (SecAccessCreate(cfstr_filename, trustedlist,
+		    &initialAccess) != noErr) {
+			fprintf(stderr, "SecAccessCreate failed\n");
+			goto err;
+		}
+		if (SecKeychainItemCreateFromContent(
+		    kSecGenericPasswordItemClass, &attrList, strlen(passphrase),
+		    passphrase, NULL, initialAccess, NULL) == noErr)
+			fprintf(stderr, "Passphrase stored in keychain: %s\n", filename);
+		else
+			fprintf(stderr, "Could not create keychain item\n");
+	} else if (rv == noErr) {
+		/* Update an existing keychain item. */
+		if (SecKeychainItemModifyAttributesAndData(itemRef, NULL,
+		    strlen(passphrase), passphrase) == noErr)
+			fprintf(stderr, "Passphrase updated in keychain: %s\n", filename);
+		else
+			fprintf(stderr, "Could not modify keychain item\n");
+	} else
+		fprintf(stderr, "Could not access keychain\n");
+
+err:	/* Clean up. */
+	if (cfstr_relative_filename)
+		CFRelease(cfstr_relative_filename);
+	if (cfurl_relative_filename)
+		CFRelease(cfurl_relative_filename);
+	if (cfurl_filename)
+		CFRelease(cfurl_filename);
+	if (cfstr_filename)
+		CFRelease(cfstr_filename);
+	if (cfdata_filename)
+		CFRelease(cfdata_filename);
+	if (label)
+		free(label);
+	if (itemRef)
+		CFRelease(itemRef);
+	if (apps[0])
+		CFRelease(apps[0]);
+	if (apps[1])
+		CFRelease(apps[1]);
+	if (apps[2])
+		CFRelease(apps[2]);
+	if (trustedlist)
+		CFRelease(trustedlist);
+	if (initialAccess)
+		CFRelease(initialAccess);
+
+#else
+
+	/*
+	 * store_in_keychain
+	 * no keychain implementation
+	 */
+
+	fprintf(stderr, "Keychain is not available on this system\n");
+
+#endif
+
+}
+
+/*
+ * Remove the passphrase for a given identity from the keychain.
+ */
+void
+remove_from_keychain(const char *filename)
+{
+
+#if defined(__APPLE_KEYCHAIN__)
+
+	/*
+	 * remove_from_keychain
+	 * Mac OS X implementation
+	 */
+
+	CFStringRef cfstr_relative_filename = NULL;
+	CFURLRef cfurl_relative_filename = NULL, cfurl_filename = NULL;
+	CFStringRef cfstr_filename = NULL;
+	CFDataRef cfdata_filename = NULL;
+	CFIndex filename_len;
+	const UInt8 *utf8_filename;
+	OSStatus rv;
+	SecKeychainItemRef itemRef = NULL;
+
+	/* Bail out if KeychainIntegration preference is -bool NO */
+	if (get_boolean_preference("KeychainIntegration", 1, 1) == 0) {
+		fprintf(stderr, "Keychain integration is disabled.\n");
+		goto err;
+	}
+
+	/* Interpret filename with the correct encoding. */
+	if ((cfstr_relative_filename =
+	    CFStringCreateWithFileSystemRepresentation(NULL, filename)) == NULL)
+	    {
+		fprintf(stderr, "CFStringCreateWithFileSystemRepresentation failed\n");
+		goto err;
+	}
+	if ((cfurl_relative_filename = CFURLCreateWithFileSystemPath(NULL,
+	    cfstr_relative_filename, kCFURLPOSIXPathStyle, false)) == NULL) {
+		fprintf(stderr, "CFURLCreateWithFileSystemPath failed\n");
+		goto err;
+	}
+	if ((cfurl_filename = CFURLCopyAbsoluteURL(cfurl_relative_filename)) ==
+	    NULL) {
+		fprintf(stderr, "CFURLCopyAbsoluteURL failed\n");
+		goto err;
+	}
+	if ((cfstr_filename = CFURLCopyFileSystemPath(cfurl_filename,
+	    kCFURLPOSIXPathStyle)) == NULL) {
+		fprintf(stderr, "CFURLCopyFileSystemPath failed\n");
+		goto err;
+	}
+	if ((cfdata_filename = CFStringCreateExternalRepresentation(NULL,
+	    cfstr_filename, kCFStringEncodingUTF8, 0)) == NULL) {
+		fprintf(stderr, "CFStringCreateExternalRepresentation failed\n");
+		goto err;
+	}
+	filename_len = CFDataGetLength(cfdata_filename);
+	utf8_filename = CFDataGetBytePtr(cfdata_filename);
+
+	/* Check if we already have this passphrase. */
+	rv = SecKeychainFindGenericPassword(NULL, 3, "SSH", filename_len,
+	    (const char *)utf8_filename, NULL, NULL, &itemRef);
+	if (rv == noErr) {
+		/* Remove the passphrase from the keychain. */
+		if (SecKeychainItemDelete(itemRef) == noErr)
+			fprintf(stderr, "Passphrase removed from keychain: %s\n", filename);
+		else
+			fprintf(stderr, "Could not remove keychain item\n");
+	} else if (rv != errSecItemNotFound)
+		fprintf(stderr, "Could not access keychain\n");
+
+err:	/* Clean up. */
+	if (cfstr_relative_filename)
+		CFRelease(cfstr_relative_filename);
+	if (cfurl_relative_filename)
+		CFRelease(cfurl_relative_filename);
+	if (cfurl_filename)
+		CFRelease(cfurl_filename);
+	if (cfstr_filename)
+		CFRelease(cfstr_filename);
+	if (cfdata_filename)
+		CFRelease(cfdata_filename);
+	if (itemRef)
+		CFRelease(itemRef);
+
+#else
+
+	/*
+	 * remove_from_keychain
+	 * no keychain implementation
+	 */
+
+	fprintf(stderr, "Keychain is not available on this system\n");
+
+#endif
+
+}
+
+/*
+ * Add identities to ssh-agent using passphrases stored in the keychain.
+ * Returns zero on success and nonzero on failure.
+ * add_identity is a callback into ssh-agent.  It takes a filename and a
+ * passphrase, and attempts to add the identity to the agent.  It returns
+ * zero on success and nonzero on failure.
+ */
+int
+add_identities_using_keychain(int (*add_identity)(const char *, const char *))
+{
+
+#if defined(__APPLE_KEYCHAIN__)
+
+	/*
+	 * add_identities_using_keychain
+	 * Mac OS X implementation
+	 */
+
+	OSStatus rv;
+	SecKeychainSearchRef searchRef;
+	SecKeychainItemRef itemRef;
+	UInt32 length;
+	void *data;
+	CFIndex maxsize;
+
+	/* Bail out if KeychainIntegration preference is -bool NO */
+	if (get_boolean_preference("KeychainIntegration", 1, 0) == 0)
+		return 0;
+
+	/* Search for SSH passphrases in the keychain */
+	SecKeychainAttribute attrs[] = {
+		{kSecServiceItemAttr, 3, "SSH"}
+	};
+	SecKeychainAttributeList attrList =
+	    {sizeof(attrs) / sizeof(attrs[0]), attrs};
+	if ((rv = SecKeychainSearchCreateFromAttributes(NULL,
+	    kSecGenericPasswordItemClass, &attrList, &searchRef)) != noErr)
+		return 0;
+
+	/* Iterate through the search results. */
+	while ((rv = SecKeychainSearchCopyNext(searchRef, &itemRef)) == noErr) {
+		UInt32 tag = kSecAccountItemAttr;
+		UInt32 format = kSecFormatUnknown;
+		SecKeychainAttributeInfo info = {1, &tag, &format};
+		SecKeychainAttributeList *itemAttrList = NULL;
+		CFStringRef cfstr_filename = NULL;
+		char *filename = NULL;
+		char *passphrase = NULL;
+
+		/* Retrieve filename and passphrase. */
+		if ((rv = SecKeychainItemCopyAttributesAndData(itemRef, &info,
+		    NULL, &itemAttrList, &length, &data)) != noErr)
+			goto err;
+		if (itemAttrList->count != 1)
+			goto err;
+		cfstr_filename = CFStringCreateWithBytes(NULL,
+		    itemAttrList->attr->data, itemAttrList->attr->length,
+		    kCFStringEncodingUTF8, true);
+		maxsize = CFStringGetMaximumSizeOfFileSystemRepresentation(
+		    cfstr_filename);
+		if ((filename = xmalloc(maxsize)) == NULL)
+			goto err;
+		if (CFStringGetFileSystemRepresentation(cfstr_filename,
+		    filename, maxsize) == false)
+			goto err;
+		if ((passphrase = xmalloc(length + 1)) == NULL)
+			goto err;
+		memcpy(passphrase, data, length);
+		passphrase[length] = '\0';
+
+		/* Add the identity. */
+		add_identity(filename, passphrase);
+
+err:		/* Clean up. */
+		if (itemRef)
+			CFRelease(itemRef);
+		if (cfstr_filename)
+			CFRelease(cfstr_filename);
+		if (filename)
+			free(filename);
+		if (passphrase)
+			free(passphrase);
+		if (itemAttrList)
+			SecKeychainItemFreeAttributesAndData(itemAttrList,
+			    data);
+	}
+
+	CFRelease(searchRef);
+
+	return 0;
+
+#else
+
+	/*
+	 * add_identities_using_keychain
+	 * no implementation
+	 */
+
+	return 1;
+
+#endif
+
+}
+
+/*
+ * Prompt the user for a key's passphrase.  The user will be offered the option
+ * of storing the passphrase in their keychain.  Returns the passphrase
+ * (which the caller is responsible for freeing), or NULL if this function
+ * fails or is not implemented.  If this function is not implemented, ssh will
+ * fall back on the standard read_passphrase function, and the user will need
+ * to use ssh-add -K to add their keys to the keychain.
+ */
+char *
+keychain_read_passphrase(const char *filename, int oAskPassGUI)
+{
+
+#if defined(__APPLE_KEYCHAIN__)
+
+	/*
+	 * keychain_read_passphrase
+	 * Mac OS X implementation
+	 */
+
+	CFStringRef cfstr_relative_filename = NULL;
+	CFURLRef cfurl_relative_filename = NULL, cfurl_filename = NULL;
+	CFStringRef cfstr_filename = NULL;
+	CFDataRef cfdata_filename = NULL;
+	CFIndex filename_len;
+	UInt8 *label = NULL;
+	UInt8 *utf8_filename;
+	SecPasswordRef passRef = NULL;
+	SecTrustedApplicationRef apps[] = {NULL, NULL, NULL};
+	CFArrayRef trustedlist = NULL;
+	SecAccessRef initialAccess = NULL;
+	CFURLRef path = NULL;
+	CFStringRef pathFinal = NULL;
+	CFURLRef bundle_url = NULL;
+	CFBundleRef bundle = NULL;
+	CFStringRef promptTemplate = NULL, prompt = NULL;
+	UInt32 length;
+	const void *data;
+	int sock = -1;
+	char *result = NULL;
+
+	/* Bail out if KeychainIntegration preference is -bool NO */
+	if (get_boolean_preference("KeychainIntegration", 1, 1) == 0)
+		goto err;
+
+	/* Bail out if the user set AskPassGUI preference to -bool NO */
+	if (get_boolean_preference("AskPassGUI", 1, 1) == 0 || oAskPassGUI == 0)
+		goto err;
+
+	/* Bail out if we can't communicate with ssh-agent */
+	if ((ssh_get_authentication_socket(&sock)) != 0)
+		goto err;
+
+	/* Interpret filename with the correct encoding. */
+	if ((cfstr_relative_filename =
+	    CFStringCreateWithFileSystemRepresentation(NULL, filename)) == NULL)
+	    {
+		fprintf(stderr, "CFStringCreateWithFileSystemRepresentation failed\n");
+		goto err;
+	}
+	if ((cfurl_relative_filename = CFURLCreateWithFileSystemPath(NULL,
+	    cfstr_relative_filename, kCFURLPOSIXPathStyle, false)) == NULL) {
+		fprintf(stderr, "CFURLCreateWithFileSystemPath failed\n");
+		goto err;
+	}
+	if ((cfurl_filename = CFURLCopyAbsoluteURL(cfurl_relative_filename)) ==
+	    NULL) {
+		fprintf(stderr, "CFURLCopyAbsoluteURL failed\n");
+		goto err;
+	}
+	if ((cfstr_filename = CFURLCopyFileSystemPath(cfurl_filename,
+	    kCFURLPOSIXPathStyle)) == NULL) {
+		fprintf(stderr, "CFURLCopyFileSystemPath failed\n");
+		goto err;
+	}
+	if ((cfdata_filename = CFStringCreateExternalRepresentation(NULL,
+	    cfstr_filename, kCFStringEncodingUTF8, 0)) == NULL) {
+		fprintf(stderr, "CFStringCreateExternalRepresentation failed\n");
+		goto err;
+	}
+	filename_len = CFDataGetLength(cfdata_filename);
+	if ((label = xmalloc(filename_len + 5)) == NULL) {
+		fprintf(stderr, "xmalloc failed\n");
+		goto err;
+	}
+	memcpy(label, "SSH: ", 5);
+	utf8_filename = label + 5;
+	CFDataGetBytes(cfdata_filename, CFRangeMake(0, filename_len),
+	    utf8_filename);
+
+	/* Build a SecPasswordRef. */
+	SecKeychainAttribute searchAttrs[] = {
+		{kSecServiceItemAttr, 3, "SSH"},
+		{kSecAccountItemAttr, filename_len, utf8_filename}
+	};
+	SecKeychainAttributeList searchAttrList =
+	    {sizeof(searchAttrs) / sizeof(searchAttrs[0]), searchAttrs};
+	SecKeychainAttribute attrs[] = {
+		{kSecLabelItemAttr, filename_len + 5, label},
+		{kSecServiceItemAttr, 3, "SSH"},
+		{kSecAccountItemAttr, filename_len, utf8_filename}
+	};
+	SecKeychainAttributeList attrList =
+	    {sizeof(attrs) / sizeof(attrs[0]), attrs};
+	if (SecGenericPasswordCreate(&searchAttrList, &attrList, &passRef) !=
+	    noErr) {
+		fprintf(stderr, "SecGenericPasswordCreate failed\n");
+		goto err;
+	}
+	if (SecTrustedApplicationCreateFromPath("/usr/bin/ssh-agent", &apps[0])
+	    != noErr ||
+	    SecTrustedApplicationCreateFromPath("/usr/bin/ssh-add", &apps[1])
+	    != noErr ||
+	    SecTrustedApplicationCreateFromPath("/usr/bin/ssh", &apps[2])
+	    != noErr) {
+		fprintf(stderr, "SecTrustedApplicationCreateFromPath failed\n");
+		goto err;
+	}
+	if ((trustedlist = CFArrayCreate(NULL, (const void **)apps,
+	    sizeof(apps) / sizeof(apps[0]), &kCFTypeArrayCallBacks)) == NULL) {
+		fprintf(stderr, "CFArrayCreate failed\n");
+		goto err;
+	}
+	if (SecAccessCreate(cfstr_filename, trustedlist, &initialAccess)
+	    != noErr) {
+		fprintf(stderr, "SecAccessCreate failed\n");
+		goto err;
+	}
+	if (SecPasswordSetInitialAccess(passRef, initialAccess) != noErr) {
+		fprintf(stderr, "SecPasswordSetInitialAccess failed\n");
+		goto err;
+	}
+
+	/* Request the passphrase from the user. */
+	if ((path = CFURLCreateFromFileSystemRepresentation(NULL,
+	    (UInt8 *)filename, strlen(filename), false)) == NULL) {
+		fprintf(stderr, "CFURLCreateFromFileSystemRepresentation failed\n");
+		goto err;
+	}
+	if ((pathFinal = CFURLCopyLastPathComponent(path)) == NULL) {
+		fprintf(stderr, "CFURLCopyLastPathComponent failed\n");
+		goto err;
+	}
+	if (!((bundle_url = CFURLCreateWithFileSystemPath(NULL,
+	    CFSTR("/System/Library/CoreServices/"), kCFURLPOSIXPathStyle, true))
+	    != NULL && (bundle = CFBundleCreate(NULL, bundle_url)) != NULL &&
+	    (promptTemplate = CFCopyLocalizedStringFromTableInBundle(
+	    CFSTR("Enter your password for the SSH key \"%@\"."),
+	    CFSTR("OpenSSH"), bundle, "Text of the dialog asking the user for"
+	    "their passphrase.  The %@ will be replaced with the filename of a"
+	    "specific key.")) != NULL) &&
+	    (promptTemplate = CFStringCreateCopy(NULL,
+	    CFSTR("Enter your password for the SSH key \"%@\"."))) == NULL) {
+		fprintf(stderr, "CFStringCreateCopy failed\n");
+		goto err;
+	}
+	if ((prompt = CFStringCreateWithFormat(NULL, NULL, promptTemplate,
+	    pathFinal)) == NULL) {
+		fprintf(stderr, "CFStringCreateWithFormat failed\n");
+		goto err;
+	}
+	switch (SecPasswordAction(passRef, prompt,
+	    kSecPasswordGet|kSecPasswordFail, &length, &data)) {
+	case noErr:
+		result = xmalloc(length + 1);
+		memcpy(result, data, length);
+		result[length] = '\0';
+
+		/* Save password in keychain if requested. */
+		if (noErr != SecPasswordAction(passRef, CFSTR(""), kSecPasswordSet, &length, &data))
+			fprintf(stderr, "Saving password to keychain failed\n");
+
+		/* Add password to agent. */
+		char *comment = NULL;
+		Key *private = key_load_private(filename, result, &comment);
+		if (NULL == private)
+			break;
+		if (ssh_add_identity_constrained(sock, private, comment, 0, 0))
+			fprintf(stderr, "Identity added: %s (%s)\n", filename, comment);
+		else
+			fprintf(stderr, "Could not add identity: %s\n", filename);
+		free(comment);
+		key_free(private);
+		break;
+	case errAuthorizationCanceled:
+		result = xmalloc(1);
+		*result = '\0';
+		break;
+	default:
+		goto err;
+	}
+
+err:	/* Clean up. */
+	if (cfstr_relative_filename)
+		CFRelease(cfstr_relative_filename);
+	if (cfurl_relative_filename)
+		CFRelease(cfurl_relative_filename);
+	if (cfurl_filename)
+		CFRelease(cfurl_filename);
+	if (cfstr_filename)
+		CFRelease(cfstr_filename);
+	if (cfdata_filename)
+		CFRelease(cfdata_filename);
+	if (label)
+		free(label);
+	if (passRef)
+		CFRelease(passRef);
+	if (apps[0])
+		CFRelease(apps[0]);
+	if (apps[1])
+		CFRelease(apps[1]);
+	if (apps[2])
+		CFRelease(apps[2]);
+	if (trustedlist)
+		CFRelease(trustedlist);
+	if (initialAccess)
+		CFRelease(initialAccess);
+	if (path)
+		CFRelease(path);
+	if (pathFinal)
+		CFRelease(pathFinal);
+	if (bundle_url)
+		CFRelease(bundle_url);
+	if (bundle)
+		CFRelease(bundle);
+	if (promptTemplate)
+		CFRelease(promptTemplate);
+	if (prompt)
+		CFRelease(prompt);
+	if (sock != -1)
+		ssh_close_authentication_socket(sock);
+
+	return result;
+
+#else
+
+	/*
+	 * keychain_read_passphrase
+	 * no implementation
+	 */
+
+	return NULL;
+
+#endif
+
+}
diff --git a/keychain.h b/keychain.h
new file mode 100644
index 0000000..9bb8c22
--- /dev/null
+++ b/keychain.h
@@ -0,0 +1,45 @@
+/*
+ * Copyright (c) 2007 Apple Inc. All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Inc. ("Apple") nor the names of its
+ *     contributors may be used to endorse or promote products derived from
+ *     this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ */
+
+/*
+ * KEYCHAIN indicates that keychain functionality is present.
+ * KEYCHAIN_* indicates the implementation to use, and implies KEYCHAIN.
+ */
+#if defined(__APPLE_KEYCHAIN__)
+#define KEYCHAIN
+#endif
+
+void	 store_in_keychain(const char *filename, const char *passphrase);
+void	 remove_from_keychain(const char *filename);
+int	 add_identities_using_keychain(
+	     int (*add_identity)(const char *, const char *));
+char	*keychain_read_passphrase(const char *filename, int oAskPassGUI);
diff --git a/readconf.c b/readconf.c
index c177202..888ce11 100644
--- a/readconf.c
+++ b/readconf.c
@@ -168,6 +168,9 @@ typedef enum {
 	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
 	oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
+#ifdef __APPLE_KEYCHAIN__
+	oAskPassGUI,
+#endif
 	oStreamLocalBindMask, oStreamLocalBindUnlink, oRevokedHostKeys,
 	oFingerprintHash, oUpdateHostkeys, oHostbasedKeyTypes,
 	oPubkeyAcceptedKeyTypes, oProxyJump,
@@ -296,6 +299,9 @@ static struct {
 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
 	{ "ignoreunknown", oIgnoreUnknown },
 	{ "proxyjump", oProxyJump },
+#ifdef __APPLE_KEYCHAIN__
+	{ "askpassgui", oAskPassGUI },
+#endif
 
 	{ NULL, oBadOption }
 };
@@ -1543,6 +1549,12 @@ parse_keytypes:
 		charptr = &options->ignored_unknown;
 		goto parse_string;
 
+#ifdef __APPLE_KEYCHAIN__
+	case oAskPassGUI:
+		intptr = &options->ask_pass_gui;
+		goto parse_flag;
+#endif
+
 	case oProxyUseFdpass:
 		intptr = &options->proxy_use_fdpass;
 		goto parse_flag;
@@ -1848,6 +1860,9 @@ initialize_options(Options * options)
 	options->request_tty = -1;
 	options->proxy_use_fdpass = -1;
 	options->ignored_unknown = NULL;
+#ifdef __APPLE_KEYCHAIN__
+	options->ask_pass_gui = -1;
+#endif
 	options->num_canonical_domains = 0;
 	options->num_permitted_cnames = 0;
 	options->canonicalize_max_dots = -1;
@@ -2033,6 +2048,10 @@ fill_default_options(Options * options)
 		options->ip_qos_bulk = IPTOS_THROUGHPUT;
 	if (options->request_tty == -1)
 		options->request_tty = REQUEST_TTY_AUTO;
+#ifdef __APPLE_KEYCHAIN__
+	if (options->ask_pass_gui == -1)
+		options->ask_pass_gui = 1;
+#endif
 	if (options->proxy_use_fdpass == -1)
 		options->proxy_use_fdpass = 0;
 	if (options->canonicalize_max_dots == -1)
diff --git a/readconf.h b/readconf.h
index cef55f7..913c938 100644
--- a/readconf.h
+++ b/readconf.h
@@ -169,6 +169,10 @@ typedef struct {
 	char   *jump_extra;
 
 	char	*ignored_unknown; /* Pattern list of unknown tokens to ignore */
+
+#ifdef __APPLE_KEYCHAIN__
+	int ask_pass_gui;
+#endif
 }       Options;
 
 #define SSH_CANONICALISE_NO	0
diff --git a/scp.1 b/scp.1
index 4ae8777..3535932 100644
--- a/scp.1
+++ b/scp.1
@@ -19,7 +19,7 @@
 .Sh SYNOPSIS
 .Nm scp
 .Bk -words
-.Op Fl 12346BCpqrv
+.Op Fl 12346BCEpqrv
 .Op Fl c Ar cipher
 .Op Fl F Ar ssh_config
 .Op Fl i Ar identity_file
@@ -95,6 +95,8 @@ Passes the
 flag to
 .Xr ssh 1
 to enable compression.
+.It Fl E
+Preserves extended attributes, resource forks, and ACLs.  Requires both ends to be running Mac OS X 10.4 or later.
 .It Fl c Ar cipher
 Selects the cipher to use for encrypting the data transfer.
 This option is directly passed to
diff --git a/scp.c b/scp.c
index 43ca3fa..39924af 100644
--- a/scp.c
+++ b/scp.c
@@ -78,6 +78,9 @@
 #ifdef HAVE_SYS_STAT_H
 # include <sys/stat.h>
 #endif
+#ifdef __APPLE_XSAN__
+#include <sys/mount.h>
+#endif
 #ifdef HAVE_POLL_H
 #include <poll.h>
 #else
@@ -117,6 +120,11 @@
 #include "progressmeter.h"
 #include "utf8.h"
 
+#ifdef HAVE_COPYFILE_H
+#include <libgen.h>
+#include <copyfile.h>
+#endif
+
 extern char *__progname;
 
 #define COPY_BUFLEN	16384
@@ -153,6 +161,12 @@ char *ssh_program = _PATH_SSH_PROGRAM;
 /* This is used to store the pid of ssh_program */
 pid_t do_cmd_pid = -1;
 
+#ifdef HAVE_COPYFILE
+int copy_xattr = 0;
+int md_flag = 0;
+#endif
+
+
 static void
 killchild(int signo)
 {
@@ -400,7 +414,11 @@ main(int argc, char **argv)
 	addargs(&args, "-oClearAllForwardings=yes");
 
 	fflag = tflag = 0;
+#if HAVE_COPYFILE
+	while ((ch = getopt(argc, argv, "dfl:prtvBCEc:i:P:q12346S:o:F:")) != -1)
+#else
 	while ((ch = getopt(argc, argv, "dfl:prtvBCc:i:P:q12346S:o:F:")) != -1)
+#endif
 		switch (ch) {
 		/* User-visible flags. */
 		case '1':
@@ -461,6 +479,11 @@ main(int argc, char **argv)
 			showprogress = 0;
 			break;
 
+#ifdef HAVE_COPYFILE
+		case 'E':
+			copy_xattr = 1;
+			break;
+#endif
 		/* Server options. */
 		case 'd':
 			targetshouldbedirectory = 1;
@@ -520,7 +543,12 @@ main(int argc, char **argv)
 	remin = remout = -1;
 	do_cmd_pid = -1;
 	/* Command to be executed on remote system using "ssh". */
+#if HAVE_COPYFILE
+	(void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s%s",
+	    copy_xattr ? " -E" : "",
+#else
 	(void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s",
+#endif
 	    verbose_mode ? " -v" : "",
 	    iamrecursive ? " -r" : "", pflag ? " -p" : "",
 	    targetshouldbedirectory ? " -d" : "");
@@ -766,6 +794,10 @@ source(int argc, char **argv)
 	int fd = -1, haderr, indx;
 	char *last, *name, buf[2048], encname[PATH_MAX];
 	int len;
+#if HAVE_COPYFILE
+	char md_name[MAXPATHLEN];
+	char *md_tmp;
+#endif
 
 	for (indx = 0; indx < argc; ++indx) {
 		name = argv[indx];
@@ -773,8 +805,22 @@ source(int argc, char **argv)
 		len = strlen(name);
 		while (len > 1 && name[len-1] == '/')
 			name[--len] = '\0';
+#if HAVE_COPYFILE
+md_next:
+		statbytes = 0;
+		if (md_flag) {
+		    fd = open(md_tmp, O_RDONLY, 0);
+		    unlink(md_tmp);
+		    free(md_tmp);
+		    if (fd < 0)
+			goto syserr;
+		} else {
+#endif
 		if ((fd = open(name, O_RDONLY|O_NONBLOCK, 0)) < 0)
 			goto syserr;
+#if HAVE_COPYFILE
+		}
+#endif
 		if (strchr(name, '\n') != NULL) {
 			strnvis(encname, name, sizeof(encname), VIS_NL);
 			name = encname;
@@ -862,6 +908,36 @@ next:			if (fd != -1) {
 		else
 			run_err("%s: %s", name, strerror(haderr));
 		(void) response();
+#ifdef HAVE_COPYFILE
+		if (copy_xattr && md_flag == 0)
+		{
+		    if (!copyfile(name, NULL, 0,
+			    COPYFILE_ACL | COPYFILE_XATTR | COPYFILE_CHECK))
+			continue;
+
+		    /*
+		     * this file will hold the actual metadata
+		     * to be transferred
+		     */
+		    md_tmp = strdup("/tmp/scp.md.XXXXXX");
+		    md_tmp = mktemp(md_tmp);
+
+		    if(copyfile(name, md_tmp, 0,
+				COPYFILE_ACL | COPYFILE_XATTR | COPYFILE_PACK) == 0)
+		    {
+			/*
+			 * this is the fake name to display
+			 */
+			snprintf(md_name, sizeof md_name, "%s/._%s", dirname(name), basename(name));
+			name = md_name;
+			md_flag = 1;
+			if (verbose_mode)
+			    fprintf(stderr, "copyfile(%s, %s, PACK)\n", name, md_tmp);
+			goto md_next;
+		    }
+		} else
+		    md_flag = 0;
+#endif
 		if (showprogress)
 			stop_progress_meter();
 	}
@@ -955,6 +1031,10 @@ sink(int argc, char **argv)
 	if (stat(targ, &stb) == 0 && S_ISDIR(stb.st_mode))
 		targisdir = 1;
 	for (first = 1;; first = 0) {
+#if HAVE_COPYFILE
+		char md_src[MAXPATHLEN];
+		char md_dst[MAXPATHLEN];
+#endif
 		cp = buf;
 		if (atomicio(read, remin, cp, 1) != 1)
 			return;
@@ -1103,10 +1183,51 @@ sink(int argc, char **argv)
 		}
 		omode = mode;
 		mode |= S_IWUSR;
+
+#if HAVE_COPYFILE
+		if (copy_xattr && !strncmp(basename(curfile), "._", 2))
+		{
+			int mdfd;
+			if (targisdir)
+			{
+			    snprintf(md_src, sizeof md_src, "%s.XXXXXX", np);
+			    snprintf(md_dst, sizeof md_dst, "%s/%s",
+				    dirname(np), basename(np) + 2);
+			    if((mdfd = mkstemp(md_src)) < 0)
+				continue;
+			}
+			else
+			{
+			    snprintf(md_src, sizeof md_src, "%s/._%s.XXXXXX",
+				    dirname(np), basename(np));
+			    snprintf(md_dst, sizeof md_dst, "%s", np);
+			    if((mdfd = mkstemp(md_src)) < 0)
+				continue;
+			}
+			if (mdfd >= 0)
+				close(mdfd);
+			np = md_src;
+		}
+#endif
 		if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
 bad:			run_err("%s: %s", np, strerror(errno));
 			continue;
 		}
+#ifdef __APPLE_XSAN__
+		{
+			/*
+			 * Pre-allocate blocks for the destination file.
+			 */
+			fstore_t fst;
+
+			fst.fst_flags = 0;
+			fst.fst_posmode = F_PEOFPOSMODE;
+			fst.fst_offset = 0;
+			fst.fst_length = size;
+
+			(void) fcntl(ofd, F_PREALLOCATE, &fst);
+		}
+#endif /* __APPLE_XSAN__ */
 		(void) atomicio(vwrite, remout, "", 1);
 		if ((bp = allocbuf(&buffer, ofd, COPY_BUFLEN)) == NULL) {
 			(void) close(ofd);
@@ -1191,6 +1312,29 @@ bad:			run_err("%s: %s", np, strerror(errno));
 		(void) response();
 		if (showprogress)
 			stop_progress_meter();
+#ifdef HAVE_COPYFILE
+		if (copy_xattr && strncmp(basename(np), "._", 2) == 0)
+		{
+			if (verbose_mode)
+			    fprintf(stderr, "copyfile(%s, %s, UNPACK)\n", md_src, md_dst);
+			if(!copyfile(md_src, md_dst, 0,
+			    COPYFILE_ACL | COPYFILE_XATTR | COPYFILE_UNPACK) < 0)
+			{
+			    snprintf(md_dst, sizeof md_dst, "%s/._%s",
+				    dirname(md_dst), basename(md_dst));
+			    rename(md_src, md_dst);
+			} else
+			    unlink(md_src);
+			if (setimes && wrerr == NO) {
+				setimes = 0;
+				if (utimes(md_dst, tv) < 0) {
+					run_err("%s: set times: %s",
+					np, strerror(errno));
+					wrerr = DISPLAYED;
+				}
+			}
+		} else
+#endif
 		if (setimes && wrerr == NO) {
 			setimes = 0;
 			if (utimes(np, tv) < 0) {
@@ -1257,7 +1401,11 @@ void
 usage(void)
 {
 	(void) fprintf(stderr,
+#if HAVE_COPYFILE
+	    "usage: scp [-12346BCEpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
+#else
 	    "usage: scp [-12346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
+#endif
 	    "           [-l limit] [-o ssh_option] [-P port] [-S program]\n"
 	    "           [[user@]host1:]file1 ... [[user@]host2:]file2\n");
 	exit(1);
diff --git a/servconf.c b/servconf.c
index ac0ba24..0f47979 100644
--- a/servconf.c
+++ b/servconf.c
@@ -292,7 +292,7 @@ fill_default_server_options(ServerOptions *options)
 	if (options->gss_strict_acceptor == -1)
 		options->gss_strict_acceptor = 0;
 	if (options->password_authentication == -1)
-		options->password_authentication = 1;
+		options->password_authentication = 0;
 	if (options->kbd_interactive_authentication == -1)
 		options->kbd_interactive_authentication = 0;
 	if (options->challenge_response_authentication == -1)
@@ -771,7 +771,7 @@ match_cfg_line_group(const char *grps, int line, const char *user)
 	if ((pw = getpwnam(user)) == NULL) {
 		debug("Can't match group at line %d because user %.100s does "
 		    "not exist", line, user);
-	} else if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
+	} else if (ga_init(pw) == 0) {
 		debug("Can't Match group because user %.100s not in any group "
 		    "at line %d", user, line);
 	} else if (ga_match_pattern_list(grps) != 1) {
diff --git a/session.c b/session.c
index 2235f26..0f36d1a 100644
--- a/session.c
+++ b/session.c
@@ -104,6 +104,13 @@
 #include <selinux/selinux.h>
 #endif
 
+#ifdef __APPLE__
+# include <AvailabilityMacros.h>
+# if (MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_5)
+#  define __APPLE_PRIVPTY__
+# endif
+#endif
+
 #define IS_INTERNAL_SFTP(c) \
 	(!strncmp(c, INTERNAL_SFTP_NAME, sizeof(INTERNAL_SFTP_NAME) - 1) && \
 	 (c[sizeof(INTERNAL_SFTP_NAME) - 1] == '\0' || \
@@ -2140,8 +2147,10 @@ session_pty_req(Session *s)
 		n_bytes = packet_remaining();
 	tty_parse_modes(s->ttyfd, &n_bytes);
 
+#ifndef __APPLE_PRIVPTY__
 	if (!use_privsep)
 		pty_setowner(s->pw, s->tty);
+#endif
 
 	/* Set window size from the packet. */
 	pty_change_window_size(s->ptyfd, s->row, s->col, s->xpixel, s->ypixel);
@@ -2387,9 +2396,11 @@ session_pty_cleanup2(Session *s)
 	if (s->pid != 0)
 		record_logout(s->pid, s->tty, s->pw->pw_name);
 
+#ifndef __APPLE_PRIVPTY__
 	/* Release the pseudo-tty. */
 	if (getuid() == 0)
 		pty_release(s->tty);
+#endif
 
 	/*
 	 * Close the server side of the socket pairs.  We must do this after
diff --git a/ssh-add.0 b/ssh-add.0
index 706bfe6..9d3a044 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -4,7 +4,7 @@ NAME
      ssh-add M-bM-^@M-^S adds private key identities to the authentication agent
 
 SYNOPSIS
-     ssh-add [-cDdkLlXx] [-E fingerprint_hash] [-t life] [file ...]
+     ssh-add [-cDdkLlMmXx] [-E fingerprint_hash] [-t life] [file ...]
      ssh-add -s pkcs11
      ssh-add -e pkcs11
 
@@ -60,6 +60,13 @@ DESCRIPTION
      -l      Lists fingerprints of all identities currently represented by the
              agent.
 
+     -m      Add identities to the agent using any passphrases stored in your
+             Mac OS X keychain.
+
+     -M      When adding identities, each passphrase will also be stored in
+             your Mac OS X keychain.  When removing identities with -d, each
+             passphrase will be removed from your Mac OS X keychain.
+
      -s pkcs11
              Add keys provided by the PKCS#11 shared library pkcs11.
 
diff --git a/ssh-add.1 b/ssh-add.1
index f02b595..d53b956 100644
--- a/ssh-add.1
+++ b/ssh-add.1
@@ -43,7 +43,7 @@
 .Nd adds private key identities to the authentication agent
 .Sh SYNOPSIS
 .Nm ssh-add
-.Op Fl cDdkLlXx
+.Op Fl cDdkLlMmXx
 .Op Fl E Ar fingerprint_hash
 .Op Fl t Ar life
 .Op Ar
@@ -127,6 +127,13 @@ Lists public key parameters of all identities currently represented
 by the agent.
 .It Fl l
 Lists fingerprints of all identities currently represented by the agent.
+.It Fl m
+Add identities to the agent using any passphrases stored in your Mac OS
+X keychain.
+.It Fl M
+When adding identities, each passphrase will also be stored in your Mac OS
+Xkeychain.  When removing identities with -d, each passphrase will be removed
+from your Mac OS X keychain.
 .It Fl s Ar pkcs11
 Add keys provided by the PKCS#11 shared library
 .Ar pkcs11 .
diff --git a/ssh-add.c b/ssh-add.c
index fb9a53e..ba52975 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -65,6 +65,7 @@
 #include "misc.h"
 #include "ssherr.h"
 #include "digest.h"
+#include "keychain.h"
 
 /* argv0 */
 extern char *__progname;
@@ -106,12 +107,25 @@ clear_pass(void)
 }
 
 static int
-delete_file(int agent_fd, const char *filename, int key_only)
+add_from_keychain(int agent_fd)
+{
+	if (ssh_add_from_keychain(agent_fd) == 0)
+		return -1;
+
+	fprintf(stderr, "Added keychain identities.\n");
+	return 0;
+}
+
+static int
+delete_file(int agent_fd, int keychain, const char *filename, int key_only)
 {
 	struct sshkey *public, *cert = NULL;
 	char *certpath = NULL, *comment = NULL;
 	int r, ret = -1;
 
+	if (keychain)
+		remove_from_keychain(filename);
+
 	if ((r = sshkey_load_public(filename, &public,  &comment)) != 0) {
 		printf("Bad key file %s: %s\n", filename, ssh_err(r));
 		return -1;
@@ -178,7 +192,7 @@ delete_all(int agent_fd)
 }
 
 static int
-add_file(int agent_fd, const char *filename, int key_only)
+add_file(int agent_fd, int keychain, const char *filename, int key_only)
 {
 	struct sshkey *private, *cert;
 	char *comment = NULL;
@@ -222,6 +236,10 @@ add_file(int agent_fd, const char *filename, int key_only)
 		    filename, ssh_err(r));
 		goto fail_load;
 	}
+
+	if (keychain && private != NULL)
+		store_in_keychain(filename, "");
+
 	/* try last */
 	if (private == NULL && pass != NULL) {
 		if ((r = sshkey_parse_private_fileblob(keyblob, pass, &private,
@@ -257,6 +275,8 @@ add_file(int agent_fd, const char *filename, int key_only)
 			    "Bad passphrase, try again for %s%s: ", filename,
 			    confirm ? " (will confirm each use)" : "");
 		}
+		if (keychain && private != NULL)
+			store_in_keychain(filename, pass);
 	}
 	if (comment == NULL || *comment == '\0')
 		comment = xstrdup(filename);
@@ -440,13 +460,13 @@ lock_agent(int agent_fd, int lock)
 }
 
 static int
-do_file(int agent_fd, int deleting, int key_only, char *file)
+do_file(int agent_fd, int deleting, int keychain, int key_only, char *file)
 {
 	if (deleting) {
-		if (delete_file(agent_fd, file, key_only) == -1)
+		if (delete_file(agent_fd, keychain, file, key_only) == -1)
 			return -1;
 	} else {
-		if (add_file(agent_fd, file, key_only) == -1)
+		if (add_file(agent_fd, keychain, file, key_only) == -1)
 			return -1;
 	}
 	return 0;
@@ -469,6 +489,11 @@ usage(void)
 	fprintf(stderr, "  -X          Unlock agent.\n");
 	fprintf(stderr, "  -s pkcs11   Add keys from PKCS#11 provider.\n");
 	fprintf(stderr, "  -e pkcs11   Remove keys provided by PKCS#11 provider.\n");
+#ifdef KEYCHAIN
+	fprintf(stderr, "  -m          Add all identities stored in your Mac OS X keychain.\n");
+	fprintf(stderr, "  -M          Store passphrases in your Mac OS X keychain.\n");
+	fprintf(stderr, "              With -d, remove passphrases from your Mac OS X keychain.\n");
+#endif
 }
 
 int
@@ -480,6 +505,7 @@ main(int argc, char **argv)
 	char *pkcs11provider = NULL;
 	int r, i, ch, deleting = 0, ret = 0, key_only = 0;
 	int xflag = 0, lflag = 0, Dflag = 0;
+	int keychain = 0;
 
 	ssh_malloc_init();	/* must be called before any mallocs */
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
@@ -507,7 +533,7 @@ main(int argc, char **argv)
 		exit(2);
 	}
 
-	while ((ch = getopt(argc, argv, "klLcdDxXE:e:s:t:")) != -1) {
+	while ((ch = getopt(argc, argv, "klLcdDxXmME:e:s:t:")) != -1) {
 		switch (ch) {
 		case 'E':
 			fingerprint_hash = ssh_digest_alg_by_name(optarg);
@@ -552,6 +578,13 @@ main(int argc, char **argv)
 				goto done;
 			}
 			break;
+		case 'm':
+			if (add_from_keychain(agent_fd) == -1)
+				ret = 1;
+			goto done;
+		case 'M':
+			keychain = 1;
+			break;
 		default:
 			usage();
 			ret = 1;
@@ -600,7 +633,7 @@ main(int argc, char **argv)
 			    default_files[i]);
 			if (stat(buf, &st) < 0)
 				continue;
-			if (do_file(agent_fd, deleting, key_only, buf) == -1)
+			if (do_file(agent_fd, deleting, keychain, key_only, buf) == -1)
 				ret = 1;
 			else
 				count++;
@@ -609,7 +642,7 @@ main(int argc, char **argv)
 			ret = 1;
 	} else {
 		for (i = 0; i < argc; i++) {
-			if (do_file(agent_fd, deleting, key_only,
+			if (do_file(agent_fd, deleting, keychain, key_only,
 			    argv[i]) == -1)
 				ret = 1;
 		}
diff --git a/ssh-agent.c b/ssh-agent.c
index 25d6ebc..a0f88b3 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -71,6 +71,9 @@
 #ifdef HAVE_UTIL_H
 # include <util.h>
 #endif
+#ifdef __APPLE_LAUNCHD__
+#include <launch.h>
+#endif
 
 #include "xmalloc.h"
 #include "ssh.h"
@@ -78,11 +81,14 @@
 #include "sshbuf.h"
 #include "sshkey.h"
 #include "authfd.h"
+#include "authfile.h"
 #include "compat.h"
 #include "log.h"
 #include "misc.h"
 #include "digest.h"
 #include "ssherr.h"
+#include "keychain.h"
+#include "key.h"
 
 #ifdef ENABLE_PKCS11
 #include "ssh-pkcs11.h"
@@ -837,6 +843,61 @@ process_remove_smartcard_key(SocketEntry *e)
 }
 #endif /* ENABLE_PKCS11 */
 
+static int
+add_identity_callback(const char *filename, const char *passphrase)
+{
+	Key *k;
+	int version;
+	Idtab *tab;
+
+	if ((k = key_load_private(filename, passphrase, NULL)) == NULL)
+		return 1;
+	switch (k->type) {
+	case KEY_RSA:
+	case KEY_RSA1:
+		if (RSA_blinding_on(k->rsa, NULL) != 1) {
+			key_free(k);
+			return 1;
+		}
+		break;
+	}
+	version = k->type == KEY_RSA1 ? 1 : 2;
+	tab = idtab_lookup(version);
+	if (lookup_identity(k, version) == NULL) {
+		Identity *id = xmalloc(sizeof(Identity));
+		id->key = k;
+		id->comment = xstrdup(filename);
+		if (id->comment == NULL) {
+			key_free(k);
+			return 1;
+		}
+		id->death = 0;
+		id->confirm = 0;
+		TAILQ_INSERT_TAIL(&tab->idlist, id, next);
+		tab->nentries++;
+	} else {
+		key_free(k);
+		return 1;
+	}
+
+	return 0;
+}
+
+static void
+process_add_from_keychain(SocketEntry *e)
+{
+	int result;
+
+	result = add_identities_using_keychain(&add_identity_callback);
+
+	/* e will be NULL when ssh-agent adds keys on its own at startup */
+	if (e) {
+		buffer_put_int(e->output, 1);
+		buffer_put_char(e->output,
+		    result ? SSH_AGENT_FAILURE : SSH_AGENT_SUCCESS);
+	}
+}
+
 /* dispatch incoming messages */
 
 static void
@@ -931,6 +992,9 @@ process_message(SocketEntry *e)
 		process_remove_smartcard_key(e);
 		break;
 #endif /* ENABLE_PKCS11 */
+	case SSH_AGENTC_ADD_FROM_KEYCHAIN:
+		process_add_from_keychain(e);
+		break;
 	default:
 		/* Unknown message.  Respond with failure. */
 		error("Unknown message %d", type);
@@ -1181,7 +1245,11 @@ usage(void)
 int
 main(int ac, char **av)
 {
+#ifdef __APPLE_LAUNCHD__
+	int c_flag = 0, d_flag = 0, D_flag = 0, k_flag = 0, s_flag = 0, l_flag = 0;
+#else
 	int c_flag = 0, d_flag = 0, D_flag = 0, k_flag = 0, s_flag = 0;
+#endif
 	int sock, fd, ch, result, saved_errno;
 	u_int nalloc;
 	char *shell, *format, *pidstr, *agentsocket = NULL;
@@ -1214,7 +1282,11 @@ main(int ac, char **av)
 	__progname = ssh_get_progname(av[0]);
 	seed_rng();
 
+#ifdef __APPLE_LAUNCHD__
+	while ((ch = getopt(ac, av, "cDdklsE:a:t:")) != -1) {
+#else
 	while ((ch = getopt(ac, av, "cDdksE:a:t:")) != -1) {
+#endif
 		switch (ch) {
 		case 'E':
 			fingerprint_hash = ssh_digest_alg_by_name(optarg);
@@ -1229,6 +1301,11 @@ main(int ac, char **av)
 		case 'k':
 			k_flag++;
 			break;
+#ifdef __APPLE_LAUNCHD__
+		case 'l':
+			l_flag++;
+			break;
+#endif
 		case 's':
 			if (c_flag)
 				usage();
@@ -1260,7 +1337,11 @@ main(int ac, char **av)
 	ac -= optind;
 	av += optind;
 
+#ifdef __APPPLE_LAUNCHD__
+	if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag || l_flag))
+#else
 	if (ac > 0 && (c_flag || k_flag || s_flag || d_flag || D_flag))
+#endif
 		usage();
 
 	if (ac == 0 && !c_flag && !s_flag) {
@@ -1316,6 +1397,53 @@ main(int ac, char **av)
 	 * Create socket early so it will exist before command gets run from
 	 * the parent.
 	 */
+#ifdef __APPLE_LAUNCHD__
+	if (l_flag) {
+		launch_data_t resp, msg, tmp;
+		size_t listeners_i;
+
+		msg = launch_data_new_string(LAUNCH_KEY_CHECKIN);
+
+		resp = launch_msg(msg);
+
+		if (NULL == resp) {
+			perror("launch_msg");
+			exit(1);
+		}
+		launch_data_free(msg);
+		switch (launch_data_get_type(resp)) {
+		case LAUNCH_DATA_ERRNO:
+			errno = launch_data_get_errno(resp);
+			perror("launch_msg response");
+			exit(1);
+		case LAUNCH_DATA_DICTIONARY:
+			break;
+		default:
+			fprintf(stderr, "launch_msg unknown response");
+			exit(1);
+		}
+		tmp = launch_data_dict_lookup(resp, LAUNCH_JOBKEY_SOCKETS);
+
+		if (NULL == tmp) {
+			fprintf(stderr, "no sockets\n");
+			exit(1);
+		}
+
+		tmp = launch_data_dict_lookup(tmp, "Listeners");
+
+		if (NULL == tmp) {
+			fprintf(stderr, "no known listeners\n");
+			exit(1);
+		}
+
+		for (listeners_i = 0; listeners_i < launch_data_array_get_count(tmp); listeners_i++) {
+			launch_data_t obj_at_ind = launch_data_array_get_index(tmp, listeners_i);
+			new_socket(AUTH_SOCKET, launch_data_get_fd(obj_at_ind));
+		}
+
+		launch_data_free(resp);
+	} else {
+#endif
 	prev_mask = umask(0177);
 	sock = unix_listener(socket_name, SSH_LISTEN_BACKLOG, 0);
 	if (sock < 0) {
@@ -1324,6 +1452,14 @@ main(int ac, char **av)
 		cleanup_exit(1);
 	}
 	umask(prev_mask);
+#ifdef __APPLE_LAUNCHD__
+	}
+#endif
+
+#ifdef __APPLE_LAUNCHD__
+	if (l_flag)
+		goto skip2;
+#endif
 
 	/*
 	 * Fork, and have the parent execute the command, if any, or present
@@ -1401,6 +1537,7 @@ skip:
 	pkcs11_init(0);
 #endif
 	new_socket(AUTH_SOCKET, sock);
+skip2:
 	if (ac > 0)
 		parent_alive_interval = 10;
 	idtab_init();
@@ -1410,6 +1547,10 @@ skip:
 	signal(SIGTERM, cleanup_handler);
 	nalloc = 0;
 
+#ifdef KEYCHAIN
+	process_add_from_keychain(NULL);
+#endif
+
 	if (pledge("stdio cpath unix id proc exec", NULL) == -1)
 		fatal("%s: pledge: %s", __progname, strerror(errno));
 	platform_pledge_agent();
diff --git a/ssh-keysign.8 b/ssh-keysign.8
index 19b0dbc..5cacf70 100644
--- a/ssh-keysign.8
+++ b/ssh-keysign.8
@@ -72,6 +72,9 @@ accessible to others.
 Since they are readable only by root,
 .Nm
 must be set-uid root if host-based authentication is used.
+Note that
+.Nm
+is not set-uid by default on Mac OS X.
 .Pp
 .It Pa /etc/ssh/ssh_host_dsa_key-cert.pub
 .It Pa /etc/ssh/ssh_host_ecdsa_key-cert.pub
diff --git a/sshconnect1.c b/sshconnect1.c
index bfc523b..adf3369 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -51,6 +51,7 @@
 #include "auth.h"
 #include "digest.h"
 #include "ssherr.h"
+#include "keychain.h"
 
 /* Session id for the current session. */
 u_char session_id[16];
@@ -274,6 +275,10 @@ try_rsa_authentication(int idx)
 		snprintf(buf, sizeof(buf),
 		    "Enter passphrase for RSA key '%.100s': ", comment);
 		for (i = 0; i < options.number_of_password_prompts; i++) {
+#ifdef __APPLE_KEYCHAIN__
+			passphrase = keychain_read_passphrase(comment, options.ask_pass_gui);
+			if (passphrase == NULL)
+#endif
 			passphrase = read_passphrase(buf, 0);
 			if (strcmp(passphrase, "") != 0) {
 				private = key_load_private_type(KEY_RSA1,
diff --git a/sshconnect2.c b/sshconnect2.c
index fae8b0f..e83884c 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -72,6 +72,7 @@
 #include "hostfile.h"
 #include "ssherr.h"
 #include "utf8.h"
+#include "keychain.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -1205,6 +1206,10 @@ load_identity_file(Identity *id)
 		if (i == 0)
 			passphrase = "";
 		else {
+#ifdef __APPLE_KEYCHAIN__
+			passphrase = keychain_read_passphrase(id->filename, options.ask_pass_gui);
+			if (passphrase == NULL)
+#endif
 			passphrase = read_passphrase(prompt, 0);
 			if (*passphrase == '\0') {
 				debug2("no passphrase given, try next key");
diff --git a/sshd.0 b/sshd.0
index 0f7db5f..a79634a 100644
--- a/sshd.0
+++ b/sshd.0
@@ -651,8 +651,7 @@ FILES
 
 SEE ALSO
      scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
-     ssh-keyscan(1), chroot(2), login.conf(5), moduli(5), sshd_config(5),
-     inetd(8), sftp-server(8)
+     ssh-keyscan(1), chroot(2), moduli(5), sshd_config(5), sftp-server(8)
 
 AUTHORS
      OpenSSH is a derivative of the original and free ssh 1.2.12 release by
diff --git a/sshd.8 b/sshd.8
index 6c521f2..33f2f5f 100644
--- a/sshd.8
+++ b/sshd.8
@@ -986,10 +986,8 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
-.Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
-.Xr inetd 8 ,
 .Xr sftp-server 8
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
diff --git a/sshd_config b/sshd_config
index 4d48910..ee48626 100644
--- a/sshd_config
+++ b/sshd_config
@@ -34,7 +34,7 @@
 #RekeyLimit default none
 
 # Logging
-#SyslogFacility AUTH
+SyslogFacility AUTHPRIV
 #LogLevel INFO
 
 # Authentication:
@@ -67,8 +67,9 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+# To disable tunneled clear text passwords, change to no here! Also,
+# remember to set the UsePAM setting to 'no'.
+#PasswordAuthentication no
 #PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
diff --git a/sshd_config.0 b/sshd_config.0
index 1ce56c1..f11a13c 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -696,7 +696,7 @@ DESCRIPTION
 
      PasswordAuthentication
              Specifies whether password authentication is allowed.  The
-             default is M-bM-^@M-^\yesM-bM-^@M-^].
+             default is M-bM-^@M-^\noM-bM-^@M-^].
 
      PermitEmptyPasswords
              When password authentication is allowed, it specifies whether the
diff --git a/sshd_config.5 b/sshd_config.5
index c9db1ca..35cf138 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -1180,7 +1180,7 @@ are refused if the number of unauthenticated connections reaches
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
-.Dq yes .
+.Dq no .
 .It Cm PermitEmptyPasswords
 When password authentication is allowed, it specifies whether the
 server allows login to accounts with empty password strings.

diff --git a/HPN-README b/HPN-README
new file mode 100644
index 0000000..f6e993b
--- /dev/null
+++ b/HPN-README
@@ -0,0 +1,130 @@
+Notes:
+
+MULTI-THREADED CIPHER:
+The AES cipher in CTR mode has been multithreaded (MTR-AES-CTR). This will allow ssh installations
+on hosts with multiple cores to use more than one processing core during encryption.
+Tests have show significant throughput performance increases when using MTR-AES-CTR up
+to and including a full gigabit per second on quad core systems. It should be possible to
+achieve full line rate on dual core systems but OS and data management overhead makes this
+more difficult to achieve. The cipher stream from MTR-AES-CTR is entirely compatible with single
+thread AES-CTR (ST-AES-CTR) implementations and should be 100% backward compatible. Optimal
+performance requires the MTR-AES-CTR mode be enabled on both ends of the connection.
+The MTR-AES-CTR replaces ST-AES-CTR and is used in exactly the same way with the same
+nomenclature.
+Use examples:
+		ssh -caes128-ctr you@host.com
+		scp -oCipher=aes256-ctr file you@host.com:~/file
+
+NONE CIPHER:
+To use the NONE option you must have the NoneEnabled switch set on the server and
+you *must* have *both* NoneEnabled and NoneSwitch set to yes on the client. The NONE
+feature works with ALL ssh subsystems (as far as we can tell) *AS LONG AS* a tty is not
+spawned. If a user uses the -T switch to prevent a tty being created the NONE cipher will
+be disabled.
+
+The performance increase will only be as good as the network and TCP stack tuning
+on the receiver side of the connection allows. As a rule of thumb a user will need
+at least 10Mb/s connection with a 100ms RTT to see a doubling of performance. The
+HPN-SSH home page describes this in greater detail.
+
+http://www.psc.edu/networking/projects/hpn-ssh
+
+BUFFER SIZES:
+
+If HPN is disabled the receive buffer size will be set to the
+OpenSSH default of 64K.
+
+If an HPN system connects to a nonHPN system the receive buffer will
+be set to the HPNBufferSize value. The default is 2MB but user adjustable.
+
+If an HPN to HPN connection is established a number of different things might
+happen based on the user options and conditions.
+
+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
+HPN Buffer Size = up to 64MB
+This is the default state. The HPN buffer size will grow to a maximum of 64MB
+as the TCP receive buffer grows. The maximum HPN Buffer size of 64MB is
+geared towards 10GigE transcontinental connections.
+
+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
+HPN Buffer Size = TCP receive buffer value.
+Users on non-autotuning systesm should disable TCPRcvBufPoll in the
+ssh_cofig and sshd_config
+
+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf NOT Set
+HPN Buffer Size = minmum of TCP receive buffer and HPNBufferSize.
+This would be the system defined TCP receive buffer (RWIN).
+
+Conditions: HPNBufferSize SET, TCPRcvBufPoll disabled, TCPRcvBuf SET
+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
+Generally there is no need to set both.
+
+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf NOT Set
+HPN Buffer Size = grows to HPNBufferSize
+The buffer will grow up to the maximum size specified here.
+
+Conditions: HPNBufferSize SET, TCPRcvBufPoll enabled, TCPRcvBuf SET
+HPN Buffer Size = minmum of TCPRcvBuf and HPNBufferSize.
+Generally there is no need to set both of these, especially on autotuning
+systems. However, if the users wishes to override the autotuning this would be
+one way to do it.
+
+Conditions: HPNBufferSize NOT Set, TCPRcvBufPoll enabled, TCPRcvBuf SET
+HPN Buffer Size = TCPRcvBuf.
+This will override autotuning and set the TCP receive buffer to the user defined
+value.
+
+
+HPN Specific Configuration options
+
+TcpRcvBuf=[int]KB client
+	set the TCP socket receive buffer to n Kilobytes. It can be set up to the
+maximum socket size allowed by the system. This is useful in situations where
+the tcp receive window is set low but the maximum buffer size is set
+higher (as is typical). This works on a per TCP connection basis. You can also
+use this to artifically limit the transfer rate of the connection. In these
+cases the throughput will be no more than n/RTT. The minimum buffer size is 1KB.
+Default is the current system wide tcp receive buffer size.
+
+TcpRcvBufPoll=[yes/no] client/server
+	enable of disable the polling of the tcp receive buffer through the life
+of the connection. You would want to make sure that this option is enabled
+for systems making use of autotuning kernels (linux 2.4.24+, 2.6, MS Vista)
+default is yes.
+
+NoneEnabled=[yes/no] client/server
+	enable or disable the use of the None cipher. Care must always be used
+when enabling this as it will allow users to send data in the clear. However,
+it is important to note that authentication information remains encrypted
+even if this option is enabled. Set to no by default.
+
+NoneSwitch=[yes/no] client
+	Switch the encryption cipher being used to the None cipher after
+authentication takes place. NoneEnabled must be enabled on both the client
+and server side of the connection. When the connection switches to the NONE
+cipher a warning is sent to STDERR. The connection attempt will fail with an
+error if a client requests a NoneSwitch from the server that does not explicitly
+have NoneEnabled set to yes. Note: The NONE cipher cannot be used in
+interactive (shell) sessions and it will fail silently. Set to no by default.
+
+HPNDisabled=[yes/no] client/server
+	In some situations, such as transfers on a local area network, the impact
+of the HPN code produces a net decrease in performance. In these cases it is
+helpful to disable the HPN functionality. By default HPNDisabled is set to no.
+
+HPNBufferSize=[int]KB client/server
+	This is the default buffer size the HPN functionality uses when interacting
+with nonHPN SSH installations. Conceptually this is similar to the TcpRcvBuf
+option as applied to the internal SSH flow control. This value can range from
+1KB to 64MB (1-65536). Use of oversized or undersized buffers can cause performance
+problems depending on the length of the network path. The default size of this buffer
+is 2MB.
+
+
+Credits: This patch was conceived, designed, and led by Chris Rapier (rapier@psc.edu)
+	 The majority of the actual coding for versions up to HPN12v1 was performed
+	 by Michael Stevens (mstevens@andrew.cmu.edu). The MT-AES-CTR cipher was
+	 implemented by Ben Bennet (ben@psc.edu) and improved by Mike Tasota
+	 (tasota@gmail.com) an NSF REU grant recipient for 2013.
+	 This work was financed, in part, by Cisco System, Inc., the National
+	 Library of Medicine, and the National Science Foundation.
diff --git a/auth2.c b/auth2.c
index 9108b86..17367a0 100644
--- a/auth2.c
+++ b/auth2.c
@@ -73,6 +73,8 @@ extern Authmethod method_hostbased;
 extern Authmethod method_gssapi;
 #endif
 
+static int log_flag = 0;
+
 Authmethod *authmethods[] = {
 	&method_none,
 	&method_pubkey,
@@ -224,6 +226,11 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 	service = packet_get_cstring(NULL);
 	method = packet_get_cstring(NULL);
 	debug("userauth-request for user %s service %s method %s", user, service, method);
+	if (!log_flag) {
+		logit("SSH: Server; Ltype: Authname; Remote: %s-%d;Name: %s",
+		      ssh_remote_ipaddr(active_state), ssh_remote_port(active_state), user);
+		log_flag = 1;
+	}
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
 	if ((style = strchr(user, ':')) != NULL)
diff --git a/channels.c b/channels.c
index 443e243..d6b1b5b 100644
--- a/channels.c
+++ b/channels.c
@@ -189,6 +189,10 @@ static void port_open_helper(Channel *c, char *rtype);
 static int connect_next(struct channel_connect *);
 static void channel_connect_ctx_free(struct channel_connect *);
 
+
+static int hpn_disabled = 0;
+static int hpn_buffer_size = 2 * 1024 * 1024;
+
 /* -- channel core */
 
 Channel *
@@ -339,6 +343,7 @@ channel_new(char *ctype, int type, int rfd, int wfd, int efd,
 	c->local_window_max = window;
 	c->local_consumed = 0;
 	c->local_maxpacket = maxpack;
+	c->dynamic_window = 0;
 	c->remote_id = -1;
 	c->remote_name = xstrdup(remote_name);
 	c->remote_window = 0;
@@ -843,11 +848,39 @@ channel_pre_open_13(Channel *c, fd_set *readset, fd_set *writeset)
 		FD_SET(c->sock, writeset);
 }
 
+static int
+channel_tcpwinsz(void)
+{
+	u_int32_t tcpwinsz = 0;
+	socklen_t optsz = sizeof(tcpwinsz);
+	int ret = -1;
+
+	/* if we aren't on a socket return 128KB */
+	if (!packet_connection_is_on_socket())
+		return 128 * 1024;
+
+	ret = getsockopt(packet_get_connection_in(),
+			 SOL_SOCKET, SO_RCVBUF, &tcpwinsz, &optsz);
+	/* return no more than SSHBUF_SIZE_MAX (currently 256MB) */
+	if ((ret == 0) && tcpwinsz > SSHBUF_SIZE_MAX)
+		tcpwinsz = SSHBUF_SIZE_MAX;
+
+	debug2("tcpwinsz: %d for connection: %d", tcpwinsz,
+	       packet_get_connection_in());
+	return tcpwinsz;
+}
+
 static void
 channel_pre_open(Channel *c, fd_set *readset, fd_set *writeset)
 {
 	u_int limit = compat20 ? c->remote_window : packet_get_maxsize();
 
+	/* check buffer limits */
+	if ((!c->tcpwinsz) || (c->dynamic_window > 0))
+		c->tcpwinsz = channel_tcpwinsz();
+
+	limit = MIN(limit, 2 * c->tcpwinsz);
+
 	if (c->istate == CHAN_INPUT_OPEN &&
 	    limit > 0 &&
 	    buffer_len(&c->input) < limit &&
@@ -1865,14 +1898,21 @@ channel_check_window(Channel *c)
 	    c->local_maxpacket*3) ||
 	    c->local_window < c->local_window_max/2) &&
 	    c->local_consumed > 0) {
+		u_int addition = 0;
+		/* adjust max window size if we are in a dynamic environment */
+		if (c->dynamic_window && (c->tcpwinsz > c->local_window_max)) {
+			/* grow the window somewhat aggressively to maintain pressure */
+			addition = 1.5 * (c->tcpwinsz - c->local_window_max);
+			c->local_window_max += addition;
+		}
 		packet_start(SSH2_MSG_CHANNEL_WINDOW_ADJUST);
 		packet_put_int(c->remote_id);
-		packet_put_int(c->local_consumed);
+		packet_put_int(c->local_consumed + addition);
 		packet_send();
 		debug2("channel %d: window %d sent adjust %d",
 		    c->self, c->local_window,
 		    c->local_consumed);
-		c->local_window += c->local_consumed;
+		c->local_window += c->local_consumed + addition;
 		c->local_consumed = 0;
 	}
 	return 1;
@@ -2816,6 +2856,15 @@ channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
 	return addr;
 }
 
+
+void
+channel_set_hpn(int external_hpn_disabled, int external_hpn_buffer_size)
+{
+	hpn_disabled = external_hpn_disabled;
+	hpn_buffer_size = external_hpn_buffer_size;
+	debug("HPN Disabled: %d, HPN Buffer Size: %d", hpn_disabled, hpn_buffer_size);
+}
+
 static int
 channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
     int *allocated_listen_port, struct ForwardOptions *fwd_opts)
@@ -2944,9 +2993,15 @@ channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
 		}
 
 		/* Allocate a channel number for the socket. */
-		c = channel_new("port listener", type, sock, sock, -1,
-		    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
-		    0, "port listener", 1);
+		/* explicitly test for hpn disabled option. if true use smaller window size */
+		if (hpn_disabled)
+			c = channel_new("port listener", type, sock, sock, -1,
+			    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+			    0, "port listener", 1);
+		else
+			c = channel_new("port listener", type, sock, sock, -1,
+			    hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+			    0, "port listener", 1);
 		c->path = xstrdup(host);
 		c->host_port = fwd->connect_port;
 		c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
@@ -3979,10 +4034,17 @@ x11_create_display_inet(int x11_display_offset, int x11_use_localhost,
 	*chanids = xcalloc(num_socks + 1, sizeof(**chanids));
 	for (n = 0; n < num_socks; n++) {
 		sock = socks[n];
+		/* Is this really necassary? */
+		if (hpn_disabled)
 		nc = channel_new("x11 listener",
 		    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
 		    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
 		    0, "X11 inet listener", 1);
+		else
+			nc = channel_new("x11 listener",
+			    SSH_CHANNEL_X11_LISTENER, sock, sock, -1,
+			    hpn_buffer_size, CHAN_X11_PACKET_DEFAULT,
+			    0, "X11 inet listener", 1);
 		nc->single_connection = single_connection;
 		(*chanids)[n] = nc->self;
 	}
diff --git a/channels.h b/channels.h
index 9d76c9d..7504a7b 100644
--- a/channels.h
+++ b/channels.h
@@ -134,8 +134,10 @@ struct Channel {
 	u_int	local_window_max;
 	u_int	local_consumed;
 	u_int	local_maxpacket;
+	int	dynamic_window;
 	int     extended_usage;
 	int	single_connection;
+	u_int	tcpwinsz;
 
 	char   *ctype;		/* type */
 
@@ -312,4 +314,7 @@ void	 chan_rcvd_ieof(Channel *);
 void	 chan_write_failed(Channel *);
 void	 chan_obuf_empty(Channel *);
 
+/* hpn handler */
+void     channel_set_hpn(int, int);
+
 #endif
diff --git a/clientloop.c b/clientloop.c
index 2cca231..cb47411 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1998,9 +1998,15 @@ client_request_x11(const char *request_type, int rchan)
 	sock = x11_connect_display();
 	if (sock < 0)
 		return NULL;
+	/* again is this really necessary for X11? */
+	if (options.hpn_disabled)
 	c = channel_new("x11",
 	    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
+	else
+		c = channel_new("x11",
+		    SSH_CHANNEL_X11_OPEN, sock, sock, -1,
+		    options.hpn_buffer_size, CHAN_X11_PACKET_DEFAULT, 0, "x11", 1);
 	c->force_drain = 1;
 	return c;
 }
@@ -2023,9 +2029,15 @@ client_request_agent(const char *request_type, int rchan)
 			    __func__, ssh_err(r));
 		return NULL;
 	}
+	if (options.hpn_disabled)
+	c = channel_new("authentication agent connection",
+	    SSH_CHANNEL_OPEN, sock, sock, -1,
+		    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+		    "authentication agent connection", 1);
+	else
 	c = channel_new("authentication agent connection",
 	    SSH_CHANNEL_OPEN, sock, sock, -1,
-	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
+	    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0,
 	    "authentication agent connection", 1);
 	c->force_drain = 1;
 	return c;
@@ -2053,10 +2065,18 @@ client_request_tun_fwd(int tun_mode, int local_tun, int remote_tun)
 		return -1;
 	}
 
+	if(options.hpn_disabled)
 	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
-	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+				CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+				0, "tun", 1);
+	else
+	c = channel_new("tun", SSH_CHANNEL_OPENING, fd, fd, -1,
+				options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT,
+				0, "tun", 1);
 	c->datagram = 1;
 
+
+
 #if defined(SSH_TUN_FILTER)
 	if (options.tun_open == SSH_TUNMODE_POINTOPOINT)
 		channel_register_filter(c->self, sys_tun_infilter,
diff --git a/compat.c b/compat.c
index 69a104f..b6ea89e 100644
--- a/compat.c
+++ b/compat.c
@@ -210,6 +210,13 @@ compat_datafellows(const char *version)
 			debug("match: %s pat %s compat 0x%08x",
 			    version, check[i].pat, check[i].bugs);
 			datafellows = check[i].bugs;	/* XXX for now */
+			/* Check to see if the remote side is OpenSSH and not HPN */
+			if (strstr(version, "OpenSSH") != NULL) {
+				if (strstr(version, "hpn") == NULL) {
+					datafellows |= SSH_BUG_LARGEWINDOW;
+					debug("Remote is NON-HPN aware");
+				}
+			}
 			return check[i].bugs;
 		}
 	}
diff --git a/compat.h b/compat.h
index 2be290a..318fb98 100644
--- a/compat.h
+++ b/compat.h
@@ -62,6 +62,7 @@
 #define SSH_BUG_CURVE25519PAD	0x10000000
 #define SSH_BUG_HOSTKEYS	0x20000000
 #define SSH_BUG_DHGEX_LARGE	0x40000000
+#define SSH_BUG_LARGEWINDOW	0x80000000
 
 void     enable_compat13(void);
 void     enable_compat20(void);
diff --git a/kex.c b/kex.c
index 50c7a0f..a0fbeed 100644
--- a/kex.c
+++ b/kex.c
@@ -754,6 +754,7 @@ kex_choose_conf(struct ssh *ssh)
 	int nenc, nmac, ncomp;
 	u_int mode, ctos, need, dh_need, authlen;
 	int r, first_kex_follows;
+	int log_flag = 0;
 
 	debug2("local %s KEXINIT proposal", kex->server ? "server" : "client");
 	if ((r = kex_buf2prop(kex->my, NULL, &my)) != 0)
@@ -831,6 +832,22 @@ kex_choose_conf(struct ssh *ssh)
 		    newkeys->enc.name,
 		    authlen == 0 ? newkeys->mac.name : "<implicit>",
 		    newkeys->comp.name);
+		/*
+		 * client starts with ctos = 0 && log flag = 0 and no log.
+		 * 2nd client pass ctos = 1 and flag = 1 so no log.
+		 * server starts with ctos = 1 && log_flag = 0 so log.
+		 * 2nd sever pass ctos = 1 && log flag = 1 so no log.
+		 * -cjr
+		 */
+		if (ctos && !log_flag) {
+			logit("SSH: Server;Ltype: Kex;Remote: %s-%d;Enc: %s;MAC: %s;Comp: %s",
+			      ssh_remote_ipaddr(ssh),
+			      ssh_remote_port(ssh),
+			      newkeys->enc.name,
+			      authlen == 0 ? newkeys->mac.name : "<implicit>",
+			      newkeys->comp.name);
+		}
+		log_flag = 1;
 	}
 	need = dh_need = 0;
 	for (mode = 0; mode < MODE_MAX; mode++) {
diff --git a/progressmeter.c b/progressmeter.c
index fe9bf52..85667b2 100644
--- a/progressmeter.c
+++ b/progressmeter.c
@@ -69,6 +69,8 @@ static const char *file;	/* name of the file being transferred */
 static off_t start_pos;		/* initial position of transfer */
 static off_t end_pos;		/* ending position of transfer */
 static off_t cur_pos;		/* transfer position as of last refresh */
+static off_t last_pos;
+static off_t max_delta_pos = 0;
 static volatile off_t *counter;	/* progress counter */
 static long stalled;		/* how long we have been stalled */
 static int bytes_per_second;	/* current speed in bytes per second */
@@ -128,12 +130,17 @@ refresh_progress_meter(void)
 	int hours, minutes, seconds;
 	int i, len;
 	int file_len;
+	off_t delta_pos;
 
 	transferred = *counter - (cur_pos ? cur_pos : start_pos);
 	cur_pos = *counter;
 	now = monotime_double();
 	bytes_left = end_pos - cur_pos;
 
+	delta_pos = cur_pos - last_pos;
+	if (delta_pos > max_delta_pos)
+		max_delta_pos = delta_pos;
+
 	if (bytes_left > 0)
 		elapsed = now - last_update;
 	else {
@@ -158,7 +165,7 @@ refresh_progress_meter(void)
 
 	/* filename */
 	buf[0] = '\0';
-	file_len = win_size - 35;
+	file_len = win_size - 45;
 	if (file_len > 0) {
 		len = snprintf(buf, file_len + 1, "\r%s", file);
 		if (len < 0)
@@ -188,6 +195,15 @@ refresh_progress_meter(void)
 	    (off_t)bytes_per_second);
 	strlcat(buf, "/s ", win_size);
 
+	/* instantaneous rate */
+	if (bytes_left > 0)
+		format_rate(buf + strlen(buf), win_size - strlen(buf),
+			    delta_pos);
+	else
+		format_rate(buf + strlen(buf), win_size - strlen(buf),
+			    max_delta_pos);
+	strlcat(buf, "/s ", win_size);
+
 	/* ETA */
 	if (!transferred)
 		stalled += elapsed;
@@ -224,6 +240,7 @@ refresh_progress_meter(void)
 
 	atomicio(vwrite, STDOUT_FILENO, buf, win_size - 1);
 	last_update = now;
+	last_pos = cur_pos;
 }
 
 /*ARGSUSED*/
diff --git a/readconf.c b/readconf.c
index 888ce11..0324b68 100644
--- a/readconf.c
+++ b/readconf.c
@@ -66,6 +66,7 @@
 #include "uidswap.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "sshbuf.h"
 
 /* Format of the configuration file:
 
@@ -164,6 +165,7 @@ typedef enum {
 	oSendEnv, oControlPath, oControlMaster, oControlPersist,
 	oHashKnownHosts,
 	oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+	oTcpRcvBufPoll, oTcpRcvBuf, oHPNDisabled, oHPNBufferSize,
 	oVisualHostKey,
 	oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
 	oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
@@ -298,6 +300,10 @@ static struct {
 	{ "hostbasedkeytypes", oHostbasedKeyTypes },
 	{ "pubkeyacceptedkeytypes", oPubkeyAcceptedKeyTypes },
 	{ "ignoreunknown", oIgnoreUnknown },
+	{ "tcprcvbufpoll", oTcpRcvBufPoll },
+	{ "tcprcvbuf", oTcpRcvBuf },
+	{ "hpndisabled", oHPNDisabled },
+	{ "hpnbuffersize", oHPNBufferSize },
 	{ "proxyjump", oProxyJump },
 #ifdef __APPLE_KEYCHAIN__
 	{ "askpassgui", oAskPassGUI },
@@ -980,6 +986,18 @@ parse_time:
 		intptr = &options->check_host_ip;
 		goto parse_flag;
 
+	case oHPNDisabled:
+		intptr = &options->hpn_disabled;
+		goto parse_flag;
+
+	case oHPNBufferSize:
+		intptr = &options->hpn_buffer_size;
+		goto parse_int;
+
+	case oTcpRcvBufPoll:
+		intptr = &options->tcp_rcv_buf_poll;
+		goto parse_flag;
+
 	case oVerifyHostKeyDNS:
 		intptr = &options->verify_host_key_dns;
 		multistate_ptr = multistate_yesnoask;
@@ -1172,6 +1190,10 @@ parse_int:
 		intptr = &options->connection_attempts;
 		goto parse_int;
 
+	case oTcpRcvBuf:
+		intptr = &options->tcp_rcv_buf;
+		goto parse_int;
+
 	case oCipher:
 		intptr = &options->cipher;
 		arg = strdelim(&s);
@@ -1858,6 +1880,10 @@ initialize_options(Options * options)
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
 	options->request_tty = -1;
+	options->hpn_disabled = -1;
+	options->hpn_buffer_size = -1;
+	options->tcp_rcv_buf_poll = -1;
+	options->tcp_rcv_buf = -1;
 	options->proxy_use_fdpass = -1;
 	options->ignored_unknown = NULL;
 #ifdef __APPLE_KEYCHAIN__
@@ -2024,6 +2050,27 @@ fill_default_options(Options * options)
 		options->server_alive_interval = 0;
 	if (options->server_alive_count_max == -1)
 		options->server_alive_count_max = 3;
+	if (options->hpn_disabled == -1)
+		options->hpn_disabled = 0;
+	if (options->hpn_buffer_size > -1) {
+		/* if a user tries to set the size to 0 set it to 1KB */
+		if (options->hpn_buffer_size == 0)
+			options->hpn_buffer_size = 1;
+		options->hpn_buffer_size *= 1024;
+		/* limit the buffer to SSHBUF_SIZE_MAX (currently 256MB) */
+		if (options->hpn_buffer_size > SSHBUF_SIZE_MAX) {
+			options->hpn_buffer_size = SSHBUF_SIZE_MAX;
+			debug("User requested buffer larger than 256MB. Request reverted to 256MB");
+		}
+		debug("hpn_buffer_size set to %d", options->hpn_buffer_size);
+	}
+	if (options->tcp_rcv_buf > -1) {
+		if (options->tcp_rcv_buf == 0)
+			options->tcp_rcv_buf = 1;
+		options->tcp_rcv_buf *=1024;
+	}
+	if (options->tcp_rcv_buf_poll == -1)
+		options->tcp_rcv_buf_poll = 1;
 	if (options->control_master == -1)
 		options->control_master = 0;
 	if (options->control_persist == -1) {
diff --git a/readconf.h b/readconf.h
index 913c938..e76cb2c 100644
--- a/readconf.h
+++ b/readconf.h
@@ -57,6 +57,10 @@ typedef struct {
 	int     compression_level;	/* Compression level 1 (fast) to 9
 					 * (best). */
 	int     tcp_keep_alive;	/* Set SO_KEEPALIVE. */
+	int     tcp_rcv_buf; /* user switch to set tcp recv buffer */
+	int     tcp_rcv_buf_poll; /* Option to poll recv buf every window transfer */
+	int     hpn_disabled;    /* Switch to disable HPN buffer management */
+	int     hpn_buffer_size; /* User definable size for HPN buffer window */
 	int	ip_qos_interactive;	/* IP ToS/DSCP/class for interactive */
 	int	ip_qos_bulk;		/* IP ToS/DSCP/class for bulk traffic */
 	LogLevel log_level;	/* Level for logging. */
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2e1ed2c..31e12e4 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -147,6 +147,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_exit_group
 	SC_ALLOW(exit_group),
 #endif
+#ifdef __NR_getpeername /* not defined on archs that go via socketcall(2) */
+	SC_ALLOW(getpeername),
+#endif
 #ifdef __NR_getpgid
 	SC_ALLOW(getpgid),
 #endif
@@ -198,6 +201,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_sigprocmask
 	SC_ALLOW(sigprocmask),
 #endif
+#ifdef __NR_socketcall
+	SC_ALLOW(socketcall),
+#endif
 #ifdef __NR_time
 	SC_ALLOW(time),
 #endif
diff --git a/scp.c b/scp.c
index 39924af..aa11af1 100644
--- a/scp.c
+++ b/scp.c
@@ -792,7 +792,7 @@ source(int argc, char **argv)
 	off_t i, statbytes;
 	size_t amt, nr;
 	int fd = -1, haderr, indx;
-	char *last, *name, buf[2048], encname[PATH_MAX];
+	char *last, *name, buf[16384], encname[PATH_MAX];
 	int len;
 #if HAVE_COPYFILE
 	char md_name[MAXPATHLEN];
@@ -1008,7 +1008,7 @@ sink(int argc, char **argv)
 	off_t size, statbytes;
 	unsigned long long ull;
 	int setimes, targisdir, wrerrno = 0;
-	char ch, *cp, *np, *targ, *why, *vect[1], buf[2048], visbuf[2048];
+	char ch, *cp, *np, *targ, *why, *vect[1], buf[16384], visbuf[2048];
 	struct timeval tv[2];
 
 #define	atime	tv[0]
diff --git a/servconf.c b/servconf.c
index 0f47979..fbb4c31 100644
--- a/servconf.c
+++ b/servconf.c
@@ -57,6 +57,7 @@
 #include "auth.h"
 #include "myproposal.h"
 #include "digest.h"
+#include "sshbuf.h"
 
 static void add_listen_addr(ServerOptions *, char *, int);
 static void add_one_listen_addr(ServerOptions *, char *, int);
@@ -165,6 +166,9 @@ initialize_server_options(ServerOptions *options)
 	options->authorized_principals_file = NULL;
 	options->authorized_principals_command = NULL;
 	options->authorized_principals_command_user = NULL;
+	options->tcp_rcv_buf_poll = -1;
+	options->hpn_disabled = -1;
+	options->hpn_buffer_size = -1;
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
 	options->version_addendum = NULL;
@@ -196,6 +200,10 @@ void
 fill_default_server_options(ServerOptions *options)
 {
 	int i;
+	/* needed for hpn socket tests */
+	int sock;
+	int socksize;
+	int socksizelen = sizeof(int);
 
 	/* Portable-specific options */
 	if (options->use_pam == -1)
@@ -341,6 +349,36 @@ fill_default_server_options(ServerOptions *options)
 	}
 	if (options->permit_tun == -1)
 		options->permit_tun = SSH_TUNMODE_NO;
+	if (options->hpn_disabled == -1)
+		options->hpn_disabled = 0;
+	if (options->hpn_buffer_size == -1) {
+		/* option not explicitly set. Now we have to figure out
+		 * what value to use */
+		if (options->hpn_disabled) {
+			options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+		} else {
+			/* get the current RCV size and set it to that
+			 * create a socket but don't connect it
+			 * we use that the get the rcv socket size */
+			sock = socket(AF_INET, SOCK_STREAM, 0);
+			getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+				   &socksize, &socksizelen);
+			close(sock);
+			options->hpn_buffer_size = socksize;
+			debug("HPN Buffer Size: %d", options->hpn_buffer_size);
+		}
+	} else {
+		if (!options->hpn_disabled) {
+			if (options->hpn_buffer_size == 0)
+				options->hpn_buffer_size = 1;
+			options->hpn_buffer_size *= 1024;
+			/* limit the maximum buffer to SSHBUF_SIZE_MAX (currently 256MB) */
+			if (options->hpn_buffer_size > SSHBUF_SIZE_MAX) {
+				options->hpn_buffer_size = SSHBUF_SIZE_MAX;
+			}
+		} else
+			options->hpn_buffer_size = CHAN_TCP_WINDOW_DEFAULT;
+	}
 	if (options->ip_qos_interactive == -1)
 		options->ip_qos_interactive = IPTOS_LOWDELAY;
 	if (options->ip_qos_bulk == -1)
@@ -415,6 +453,7 @@ typedef enum {
 	sPasswordAuthentication, sKbdInteractiveAuthentication,
 	sListenAddress, sAddressFamily,
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
+	sTcpRcvBufPoll, sHPNDisabled, sHPNBufferSize,
 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
 	sPermitTTY, sStrictModes, sEmptyPasswd, sTCPKeepAlive,
 	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
@@ -568,6 +607,9 @@ static struct {
 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
+	{ "hpndisabled", sHPNDisabled, SSHCFG_ALL },
+	{ "hpnbuffersize", sHPNBufferSize, SSHCFG_ALL },
+	{ "tcprcvbufpoll", sTcpRcvBufPoll, SSHCFG_ALL },
 	{ "kexalgorithms", sKexAlgorithms, SSHCFG_GLOBAL },
 	{ "ipqos", sIPQoS, SSHCFG_ALL },
 	{ "authorizedkeyscommand", sAuthorizedKeysCommand, SSHCFG_ALL },
@@ -1185,6 +1227,18 @@ process_server_config_line(ServerOptions *options, char *line,
 			*intptr = value;
 		break;
 
+	case sTcpRcvBufPoll:
+		intptr = &options->tcp_rcv_buf_poll;
+		goto parse_flag;
+
+	case sHPNDisabled:
+		intptr = &options->hpn_disabled;
+		goto parse_flag;
+
+	case sHPNBufferSize:
+		intptr = &options->hpn_buffer_size;
+		goto parse_int;
+
 	case sIgnoreUserKnownHosts:
 		intptr = &options->ignore_user_known_hosts;
 		goto parse_flag;
diff --git a/servconf.h b/servconf.h
index f4137af..79f57b3 100644
--- a/servconf.h
+++ b/servconf.h
@@ -173,6 +173,10 @@ typedef struct {
 
 	int	use_pam;		/* Enable auth via PAM */
 
+	int	tcp_rcv_buf_poll;	/* poll tcp rcv window in autotuning kernels */
+	int	hpn_disabled;		/* disable hpn functionality. false by default */
+	int	hpn_buffer_size;	/* set the hpn buffer size - default 3MB */
+
 	int	permit_tun;
 
 	int	num_permitted_opens;
diff --git a/serverloop.c b/serverloop.c
index 3563e5d..e4bfb0d 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1045,8 +1045,12 @@ server_request_tun(void)
 	sock = tun_open(tun, mode);
 	if (sock < 0)
 		goto done;
+	if (options.hpn_disabled)
 	c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
 	    CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
+	else
+		c = channel_new("tun", SSH_CHANNEL_OPEN, sock, sock, -1,
+		    options.hpn_buffer_size, CHAN_TCP_PACKET_DEFAULT, 0, "tun", 1);
 	c->datagram = 1;
 #if defined(SSH_TUN_FILTER)
 	if (mode == SSH_TUNMODE_POINTOPOINT)
@@ -1082,6 +1086,8 @@ server_request_session(void)
 	c = channel_new("session", SSH_CHANNEL_LARVAL,
 	    -1, -1, -1, /*window size*/0, CHAN_SES_PACKET_DEFAULT,
 	    0, "server-session", 1);
+	if ((options.tcp_rcv_buf_poll) && (!options.hpn_disabled))
+		c->dynamic_window = 1;
 	if (session_open(the_authctxt, c->self) != 1) {
 		debug("session open failed, free channel %d", c->self);
 		channel_free(c);
diff --git a/session.c b/session.c
index 0f36d1a..e60401d 100644
--- a/session.c
+++ b/session.c
@@ -229,6 +229,7 @@ auth_input_request_forwarding(struct passwd * pw)
 		goto authsock_err;
 
 	/* Allocate a channel for the authentication agent socket. */
+	/* this shouldn't matter if its hpn or not - cjr */
 	nc = channel_new("auth socket",
 	    SSH_CHANNEL_AUTH_SOCKET, sock, sock, -1,
 	    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
@@ -2370,10 +2371,16 @@ session_set_fds(Session *s, int fdin, int fdout, int fderr, int ignore_fderr,
 	 */
 	if (s->chanid == -1)
 		fatal("no channel for session %d", s->self);
+	if (options.hpn_disabled)
 	channel_set_fds(s->chanid,
 	    fdout, fdin, fderr,
 	    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
 	    1, is_tty, CHAN_SES_WINDOW_DEFAULT);
+	else
+		channel_set_fds(s->chanid,
+		    fdout, fdin, fderr,
+		    ignore_fderr ? CHAN_EXTENDED_IGNORE : CHAN_EXTENDED_READ,
+		    1, is_tty, options.hpn_buffer_size);
 }
 
 /*
diff --git a/sftp.1 b/sftp.1
index fbdd00a..47dd655 100644
--- a/sftp.1
+++ b/sftp.1
@@ -266,7 +266,8 @@ diagnostic messages from
 Specify how many requests may be outstanding at any one time.
 Increasing this may slightly improve file transfer speed
 but will increase memory usage.
-The default is 64 outstanding requests.
+The default is 256 outstanding requests providing for 8MB
+of outstanding data with a 32KB buffer.
 .It Fl r
 Recursively copy entire directories when uploading and downloading.
 Note that
diff --git a/sftp.c b/sftp.c
index 08e13a7..431f43e 100644
--- a/sftp.c
+++ b/sftp.c
@@ -73,7 +73,7 @@ typedef void EditLine;
 #include "sftp-client.h"
 
 #define DEFAULT_COPY_BUFLEN	32768	/* Size of buffer for up/download */
-#define DEFAULT_NUM_REQUESTS	64	/* # concurrent outstanding requests */
+#define DEFAULT_NUM_REQUESTS	256	/* # concurrent outstanding requests */
 
 /* File to read commands from */
 FILE* infile;
diff --git a/ssh.c b/ssh.c
index 03a23fb..b879d46 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1895,6 +1895,78 @@ ssh_session2_setup(int id, int success, void *arg)
 	    NULL, fileno(stdin), &command, environ);
 }
 
+static void
+hpn_options_init(void)
+{
+	/*
+	 * We need to check to see if what they want to do about buffer
+	 * sizes here. In a hpn to nonhpn connection we want to limit
+	 * the window size to something reasonable in case the far side
+	 * has the large window bug. In hpn to hpn connection we want to
+	 * use the max window size but allow the user to override it
+	 * lastly if they disabled hpn then use the ssh std window size.
+	 *
+	 * So why don't we just do a getsockopt() here and set the
+	 * ssh window to that? In the case of a autotuning receive
+	 * window the window would get stuck at the initial buffer
+	 * size generally less than 96k. Therefore we need to set the
+	 * maximum ssh window size to the maximum hpn buffer size
+	 * unless the user has specifically set the tcprcvbufpoll
+	 * to no. In which case we *can* just set the window to the
+	 * minimum of the hpn buffer size and tcp receive buffer size.
+	 */
+
+	if (tty_flag)
+		options.hpn_buffer_size = CHAN_SES_WINDOW_DEFAULT;
+	else
+		options.hpn_buffer_size = 2 * 1024 * 1024;
+
+	if (datafellows & SSH_BUG_LARGEWINDOW) {
+		debug("HPN to Non-HPN Connection");
+	} else {
+		int sock, socksize;
+		socklen_t socksizelen;
+		if (options.tcp_rcv_buf_poll <= 0) {
+			sock = socket(AF_INET, SOCK_STREAM, 0);
+			socksizelen = sizeof(socksize);
+			getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+				   &socksize, &socksizelen);
+			close(sock);
+			debug("socksize %d", socksize);
+			options.hpn_buffer_size = socksize;
+			debug("HPNBufferSize set to TCP RWIN: %d", options.hpn_buffer_size);
+		} else {
+			if (options.tcp_rcv_buf > 0) {
+				/*
+				 * Create a socket but don't connect it:
+				 * we use that the get the rcv socket size
+				 */
+				sock = socket(AF_INET, SOCK_STREAM, 0);
+				/*
+				 * If they are using the tcp_rcv_buf option,
+				 * attempt to set the buffer size to that.
+				 */
+				if (options.tcp_rcv_buf) {
+					socksizelen = sizeof(options.tcp_rcv_buf);
+					setsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+						   &options.tcp_rcv_buf, socksizelen);
+				}
+				socksizelen = sizeof(socksize);
+				getsockopt(sock, SOL_SOCKET, SO_RCVBUF,
+					   &socksize, &socksizelen);
+				close(sock);
+				debug("socksize %d", socksize);
+				options.hpn_buffer_size = socksize;
+				debug("HPNBufferSize set to user TCPRcvBuf: %d", options.hpn_buffer_size);
+			}
+		}
+	}
+
+	debug("Final hpn_buffer_size = %d", options.hpn_buffer_size);
+
+	channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
+}
+
 /* open new channel for a session */
 static int
 ssh_session2_open(void)
@@ -1921,9 +1993,11 @@ ssh_session2_open(void)
 	if (!isatty(err))
 		set_nonblock(err);
 
-	window = CHAN_SES_WINDOW_DEFAULT;
+	window = options.hpn_buffer_size;
+
 	packetmax = CHAN_SES_PACKET_DEFAULT;
 	if (tty_flag) {
+		window = CHAN_SES_WINDOW_DEFAULT;
 		window >>= 1;
 		packetmax >>= 1;
 	}
@@ -1932,6 +2006,10 @@ ssh_session2_open(void)
 	    window, packetmax, CHAN_EXTENDED_WRITE,
 	    "client-session", /*nonblock*/0);
 
+	if ((options.tcp_rcv_buf_poll > 0) && (!options.hpn_disabled)) {
+		c->dynamic_window = 1;
+		debug("Enabled Dynamic Window Scaling");
+	}
 	debug3("ssh_session2_open: channel_new: %d", c->self);
 
 	channel_send_open(c->self);
@@ -1947,6 +2025,13 @@ ssh_session2(void)
 {
 	int id = -1;
 
+	/*
+	 * We need to initialize this early because the forwarding logic below
+	 * might open channels that use the hpn buffer sizes.  We can't send a
+	 * window of -1 (the default) to the server as it breaks things.
+	 */
+	hpn_options_init();
+
 	/* XXX should be pre-session */
 	if (!options.control_persist)
 		ssh_init_stdio_forwarding();
diff --git a/sshbuf.h b/sshbuf.h
index 52ff017..494e5ac 100644
--- a/sshbuf.h
+++ b/sshbuf.h
@@ -28,7 +28,7 @@
 # endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
 
-#define SSHBUF_SIZE_MAX		0x8000000	/* Hard maximum size */
+#define SSHBUF_SIZE_MAX		0xF000000	/* Hard maximum size 256MB */
 #define SSHBUF_REFS_MAX		0x100000	/* Max child buffers */
 #define SSHBUF_MAX_BIGNUM	(16384 / 8)	/* Max bignum *bytes* */
 #define SSHBUF_MAX_ECPOINT	((528 * 2 / 8) + 1) /* Max EC point *bytes* */
diff --git a/sshconnect.c b/sshconnect.c
index 356ec79..43fb63c 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -268,6 +268,31 @@ ssh_kill_proxy_command(void)
 }
 
 /*
+ * Set TCP receive buffer if requested.
+ * Note: tuning needs to happen after the socket is
+ * created but before the connection happens
+ * so winscale is negotiated properly -cjr
+ */
+static void
+ssh_set_socket_recvbuf(int sock)
+{
+	void *buf = (void *)&options.tcp_rcv_buf;
+	int sz = sizeof(options.tcp_rcv_buf);
+	int socksize;
+	int socksizelen = sizeof(int);
+
+	debug("setsockopt Attempting to set SO_RCVBUF to %d", options.tcp_rcv_buf);
+	if (setsockopt(sock, SOL_SOCKET, SO_RCVBUF, buf, sz) >= 0) {
+	  getsockopt(sock, SOL_SOCKET, SO_RCVBUF, &socksize, &socksizelen);
+	  debug("setsockopt SO_RCVBUF: %.100s %d", strerror(errno), socksize);
+	}
+	else
+		error("Couldn't set socket receive buffer to %d: %.100s",
+		    options.tcp_rcv_buf, strerror(errno));
+}
+
+
+/*
  * Creates a (possibly privileged) socket for use as the ssh connection.
  */
 static int
@@ -283,6 +308,9 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
 	}
 	fcntl(sock, F_SETFD, FD_CLOEXEC);
 
+	if (options.tcp_rcv_buf > 0)
+		ssh_set_socket_recvbuf(sock);
+
 	/* Bind the socket to an alternative local IP address */
 	if (options.bind_address == NULL && !privileged)
 		return sock;
@@ -527,10 +555,10 @@ send_client_banner(int connection_out, int minor1)
 	/* Send our own protocol version identification. */
 	if (compat20) {
 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
-		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_VERSION);
+		    PROTOCOL_MAJOR_2, PROTOCOL_MINOR_2, SSH_RELEASE);
 	} else {
 		xasprintf(&client_version_string, "SSH-%d.%d-%.100s\n",
-		    PROTOCOL_MAJOR_1, minor1, SSH_VERSION);
+		    PROTOCOL_MAJOR_1, minor1, SSH_RELEASE);
 	}
 	if (atomicio(vwrite, connection_out, client_version_string,
 	    strlen(client_version_string)) != strlen(client_version_string))
diff --git a/sshd.c b/sshd.c
index 5d73630..29b9c17 100644
--- a/sshd.c
+++ b/sshd.c
@@ -432,7 +432,7 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
 	}
 
 	xasprintf(&server_version_string, "SSH-%d.%d-%.100s%s%s%s",
-	    major, minor, SSH_VERSION,
+	    major, minor, SSH_RELEASE,
 	    *options.version_addendum == '\0' ? "" : " ",
 	    options.version_addendum, newline);
 
@@ -487,6 +487,9 @@ sshd_exchange_identification(struct ssh *ssh, int sock_in, int sock_out)
 	}
 	debug("Client protocol version %d.%d; client software version %.100s",
 	    remote_major, remote_minor, remote_version);
+	logit("SSH: Server;Ltype: Version;Remote: %s-%d;Protocol: %d.%d;Client: %.100s",
+	      ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
+	      remote_major, remote_minor, remote_version);
 
 	ssh->compat = compat_datafellows(remote_version);
 
@@ -1184,6 +1187,8 @@ server_listen(void)
 	int ret, listen_sock, on = 1;
 	struct addrinfo *ai;
 	char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+	int socksize;
+	int socksizelen = sizeof(int);
 
 	for (ai = options.listen_addrs; ai; ai = ai->ai_next) {
 		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
@@ -1224,6 +1229,11 @@ server_listen(void)
 
 		debug("Bind to port %s on %s.", strport, ntop);
 
+		getsockopt(listen_sock, SOL_SOCKET, SO_RCVBUF,
+				   &socksize, &socksizelen);
+		debug("Server TCP RWIN socket size: %d", socksize);
+		debug("HPN Buffer Size: %d", options.hpn_buffer_size);
+
 		/* Bind the socket to the desired port. */
 		if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) {
 			error("Bind to port %s on %s failed: %.200s.",
@@ -2214,6 +2224,9 @@ main(int ac, char **av)
 	    remote_ip, remote_port, laddr,  ssh_local_port(ssh));
 	free(laddr);
 
+	/* set the HPN options for the child */
+	channel_set_hpn(options.hpn_disabled, options.hpn_buffer_size);
+
 	/*
 	 * We don't want to listen forever unless the other side
 	 * successfully authenticates itself.  So we set up an alarm which is
diff --git a/sshd_config b/sshd_config
index ee48626..add6c7c 100644
--- a/sshd_config
+++ b/sshd_config
@@ -128,6 +128,16 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # override default of no subsystems
 Subsystem	sftp	/usr/libexec/sftp-server
 
+# the following are HPN related configuration options
+# tcp receive buffer polling. disable in non autotuning kernels
+#TcpRcvBufPoll yes
+
+# disable hpn performance boosts
+#HPNDisabled no
+
+# buffer size for hpn to non-hpn connections
+#HPNBufferSize 2048
+
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
diff --git a/version.h b/version.h
index 617ab62..3cd4754 100644
--- a/version.h
+++ b/version.h
@@ -3,4 +3,5 @@
 #define SSH_VERSION	"OpenSSH_7.3"
 
 #define SSH_PORTABLE	"p1"
-#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE
+#define SSH_HPN		"-hpn14v11"
+#define SSH_RELEASE	SSH_VERSION SSH_PORTABLE SSH_HPN