--- /dev/null
+--- openssh-3.7.1p2/servconf.c 2003-09-23 11:24:21.000000000 +0200
++++ openssh-3.7.1p2.pius/servconf.c 2003-10-07 20:49:08.000000000 +0200
+@@ -41,7 +41,9 @@
+
+ /* Portable-specific options */
+ options->use_pam = -1;
+-
++
++ options->use_chroot = -1;
++
+ /* Standard Options */
+ options->num_ports = 0;
+ options->ports_from_cmdline = 0;
+@@ -112,6 +114,9 @@
+ if (options->use_pam == -1)
+ options->use_pam = 0;
+
++ if (options->use_chroot == -1)
++ options->use_chroot = 0;
++
+ /* Standard Options */
+ if (options->protocol == SSH_PROTO_UNKNOWN)
+ options->protocol = SSH_PROTO_1|SSH_PROTO_2;
+@@ -245,6 +250,7 @@
+ sBadOption, /* == unknown option */
+ /* Portable-specific options */
+ sUsePAM,
++ sUseChroot,
+ /* Standard Options */
+ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
+ sPermitRootLogin, sLogFacility, sLogLevel,
+@@ -278,6 +284,11 @@
+ #else
+ { "usepam", sUnsupported },
+ #endif
++#ifdef CHROOT
++ { "usechroot", sUseChroot },
++#else
++ { "usechroot", sUnsupported },
++#endif /* CHROOT */
+ { "pamauthenticationviakbdint", sDeprecated },
+ /* Standard Options */
+ { "port", sPort },
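Review bot: In builds without `CHROOT`, the `#else` entry `{ "usechroot", sUnsupported }` makes `UseChroot yes` a recognised but inert keyword. It is presumably handled like the `usepam` fallback just above it, i.e. reported and skipped, though the handler is outside this hunk. For a confinement option that means a configuration written for a jailed host can start sshd with users unconfined. Consider dropping the keyword from the table in the `#else` branch so it falls through to `sBadOption` (which returns -1 in the last servconf.c hunk) and the daemon refuses to start.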
+@@ -437,6 +448,10 @@
+ intptr = &options->use_pam;
+ goto parse_flag;
+
++ case sUseChroot:
++ intptr = &options->use_chroot;
++ goto parse_flag;
++
+ /* Standard Options */
+ case sBadOption:
+ return -1;
+--- openssh-3.7.1p2/servconf.h 2003-09-02 14:58:22.000000000 +0200
++++ openssh-3.7.1p2.pius/servconf.h 2003-10-07 20:49:08.000000000 +0200
+@@ -109,6 +109,7 @@
+ int max_startups_rate;
+ int max_startups;
+ char *banner; /* SSH-2 banner message */
++ int use_chroot; /* Enable chrooted enviroment support */
+ int use_dns;
+ int client_alive_interval; /*
+ * poke the client this often to
+--- openssh-3.7.1p2/session.c 2003-09-23 10:59:08.000000000 +0200
++++ openssh-3.7.1p2.pius/session.c 2003-10-07 20:49:08.000000000 +0200
+@@ -1231,6 +1231,10 @@
+ void
+ do_setusercontext(struct passwd *pw)
+ {
++#ifdef CHROOT
++ char *user_dir;
++ char *new_root;
++#endif /* CHROOT */
+ #ifndef HAVE_CYGWIN
+ if (getuid() == 0 || geteuid() == 0)
+ #endif /* HAVE_CYGWIN */
+@@ -1268,6 +1272,28 @@
+ exit(1);
+ }
+ endgrent();
++
++#ifdef CHROOT
++ if (options.use_chroot) {
++ user_dir = xstrdup(pw->pw_dir);
++ new_root = user_dir + 1;
++
++ while((new_root = strchr(new_root, '.')) != NULL) {
++ new_root--;
++ if(strncmp(new_root, "/./", 3) == 0) {
++ *new_root = '\0';
++ new_root += 2;
++
++ if(chroot(user_dir) != 0)
++ fatal("Couldn't chroot to user directory %s", user_dir);
++ pw->pw_dir = new_root;
++ break;
++ }
++ new_root += 2;
++ }
++ }
++#endif /* CHROOT */
++
+ # ifdef USE_PAM
+ /*
+ * PAM credentials may take the form of supplementary groups.
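Review bot: The `chroot(user_dir)` call in the `/./` branch is not followed by `chdir("/")`, and nothing checks the ownership or mode of the directory being entered. A jail root that the user, group or others can write to lets the confined account place its own `etc/` or library files inside it, and a working directory left outside the new root weakens the confinement. The guard below rejects a root that is not root-owned or is group/world-writable, changes directory immediately, and adds the errno text to the failure message. Separately, `new_root = user_dir + 1` reads past the terminator when `pw->pw_dir` is an empty string, and `user_dir` is leaked when no `/./` marker is found. do_setusercontext starts and ends outside this hunk, so the later privilege drop is not visible here.

```c
		if(strncmp(new_root, "/./", 3) == 0) {
			struct stat st;

			/* ... unchanged: terminate user_dir at the marker, advance new_root ... */

			/* refuse a jail root that anyone but root could modify */
			if (stat(user_dir, &st) != 0 || !S_ISDIR(st.st_mode) ||
			    st.st_uid != 0 || (st.st_mode & 022) != 0)
				fatal("Bad ownership or modes for chroot directory %s",
				    user_dir);
			if (chroot(user_dir) != 0 || chdir("/") != 0)
				fatal("Couldn't chroot to user directory %s: %s",
				    user_dir, strerror(errno));
			/* ... unchanged: pw->pw_dir = new_root; break; ... */
```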
+--- openssh-3.7.1p2/sshd_config 2003-09-02 14:51:18.000000000 +0200
++++ openssh-3.7.1p2.pius/sshd_config 2003-10-07 20:49:08.000000000 +0200
+@@ -71,6 +71,10 @@
+ # bypass the setting of 'PasswordAuthentication'
+ #UsePAM yes
+
++# Set this to 'yes' to enable support for chrooted user environment.
++# You must create such environment before you can use this feature.
++#UseChroot yes
++
+ #AllowTcpForwarding yes
+ #GatewayPorts no
+ #X11Forwarding no
+--- openssh-3.7.1p2/sshd_config.0 2003-09-23 11:55:19.000000000 +0200
++++ openssh-3.7.1p2.pius/sshd_config.0 2003-10-07 20:49:08.000000000 +0200
+@@ -349,6 +349,16 @@
+ CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de-
+ fault is AUTH.
+
++ UseChroot
++ Specifies whether to use chroot-jail environment with ssh/sftp,
++ i.e. restrict users to a particular area in the filesystem. This
++ is done by setting user home directory to, for example,
++ /path/to/chroot/./home/username. sshd looks for a '.' in the
++ users home directory, then calls chroot(2) to whatever directory
++ was before the . and continues with the normal ssh functionality.
++ For this to work properly you have to create special chroot-jail
++ environment in a /path/to/chroot directory.
++
+ UseDNS Specifies whether sshd should lookup the remote host name and
+ check that the resolved host name for the remote IP address maps
+ back to the very same IP address. The default is ``yes''.
+--- openssh-3.8p1/sshd_config.5.orig 2004-02-18 04:31:24.000000000 +0100
++++ openssh-3.8p1/sshd_config.5 2004-02-25 21:17:23.000000000 +0100
+@@ -552,6 +552,16 @@
+ The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+ LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
++.It Cm UseChroot
++Specifies whether to use chroot-jail environment with ssh/sftp, i.e. restrict
++users to a particular area in the filesystem. This is done by setting user
++home directory to, for example, /path/to/chroot/./home/username.
++.Nm sshd
++looks for a '.' in the users home directory, then calls
++.Xr chroot 2
++to whatever directory was before the . and continues with the normal ssh
++functionality. For this to work properly you have to create special chroot-jail
++environment in a /path/to/chroot directory.
+ .It Cm TCPKeepAlive
+ Specifies whether the system should send TCP keepalive messages to the
+ other side.
--- /dev/null
+diff -ur openssh-3.7.1p2/auth-pam.c openssh-3.7.1p2-pam/auth-pam.c
+--- openssh-3.7.1p2/auth-pam.c 2003-09-23 11:24:21.000000000 +0200
++++ openssh-3.7.1p2-pam/auth-pam.c 2003-09-23 18:44:46.000000000 +0200
+@@ -175,12 +175,14 @@
+ case PAM_ERROR_MSG:
+ buffer_put_cstring(&buffer,
+ PAM_MSG_MEMBER(msg, i, msg));
++ buffer_put_char(&buffer, '\n');
+ ssh_msg_send(ctxt->pam_csock,
+ PAM_MSG_MEMBER(msg, i, msg_style), &buffer);
+ break;
+ case PAM_TEXT_INFO:
+ buffer_put_cstring(&buffer,
+ PAM_MSG_MEMBER(msg, i, msg));
++ buffer_put_char(&buffer, '\n');
+ ssh_msg_send(ctxt->pam_csock,
+ PAM_MSG_MEMBER(msg, i, msg_style), &buffer);
+ break;
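Review bot: `buffer_put_char(&buffer, '\n')` writes the newline after the length-prefixed string that `buffer_put_cstring` has already encoded, so in both the PAM_ERROR_MSG and PAM_TEXT_INFO cases it is a separate trailing byte rather than part of the message text. The reading side is not on this page; if it takes the text with a single string read, the extra byte is left over and the newline never reaches the user. Appending the newline to the text before it is encoded keeps the framing intact. The two case bodies are identical and could share one path, e.g. `case PAM_ERROR_MSG: /* FALLTHROUGH */ case PAM_TEXT_INFO:`. The enclosing function starts and ends outside the hunk.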
--- /dev/null
+# This is the ssh client system-wide configuration file. See
+# ssh_config(5) for more information. This file provides defaults for
+# users, and the values can be changed in per-user configuration files
+# or on the command line.
+
+# Configuration data is parsed as follows:
+# 1. command line options
+# 2. user-specific file
+# 3. system-wide file
+# Any configuration value is only changed the first time it is set.
+# Thus, host-specific definitions should be at the beginning of the
+# configuration file, and defaults at the end.
+
+# Site-wide defaults for various options
+
+# Host *
+# ForwardAgent no
+# ForwardX11 no
+# RhostsAuthentication no
+# RhostsRSAAuthentication no
+# RSAAuthentication yes
+# PasswordAuthentication yes
+# BatchMode no
+# CheckHostIP yes
+# StrictHostKeyChecking ask
+# IdentityFile ~/.ssh/identity
+# IdentityFile ~/.ssh/id_rsa
+# IdentityFile ~/.ssh/id_dsa
+# Port 22
+# Protocol 2,1
+# Cipher 3des
+# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
+# EscapeChar ~
+
+# Be paranoid by default
+Host *
+ ForwardAgent no
+ ForwardX11 no
+ ForwardX11Trusted no
+ StrictHostKeyChecking no
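Review bot: `StrictHostKeyChecking no` sits under the comment `# Be paranoid by default` but is the least strict value. The client adds unknown host keys to known_hosts without asking, so a first connection to an impersonated host goes unnoticed. The commented template above lists `ask`; use `StrictHostKeyChecking ask`, or `yes` where known_hosts is distributed centrally. The three forwarding settings are consistent with the comment.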