- (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config
   contrib/cygwin/ssh-user-config] Modernize and improve readability of
   the Cygwin README file (which hasn't been updated for ages), drop
   unsupported OSes from the ssh-host-config help text, and drop an
   unneeded option from ssh-user-config.  Patch from vinschen at redhat com.
diff --git a/ChangeLog b/ChangeLog
index 526a051..54b4677 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+20130702
+ - (dtucker) [contrib/cygwin/README contrib/cygwin/ssh-host-config
+   contrib/cygwin/ssh-user-config] Modernizes and improve readability of
+   the Cygwin README file (which hasn't been updated for ages), drop
+   unsupported OSes from the ssh-host-config help text, and drop an
+   unneeded option from ssh-user-config.  Patch from vinschen at redhat com.
+
 20130610
  - (djm) OpenBSD CVS Sync
    - dtucker@cvs.openbsd.org 2013/06/07 15:37:52
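
Review bot: The new 20130702 entry mixes verb forms ("Modernizes and improve readability ... drop ... and drop"); use "Modernize and improve" so it reads consistently. The entry also describes the ssh-user-config change only as dropping "an unneeded option" without naming it. Since that option is --privileged and callers that still pass it are affected, name it here.
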
diff --git a/contrib/cygwin/README b/contrib/cygwin/README
index 5f911e9..2562b61 100644
--- a/contrib/cygwin/README
+++ b/contrib/cygwin/README
@@ -4,115 +4,18 @@
 not run on older versions.  Please check http://cygwin.com/ for information
 about current Cygwin releases.
 
-Build instructions are at the end of the file.
-
-===========================================================================
-Important change since 3.7.1p2-2:
-
-The ssh-host-config file doesn't create the /etc/ssh_config and
-/etc/sshd_config files from builtin here-scripts anymore, but it uses
-skeleton files installed in /etc/defaults/etc.
-
-Also it now tries hard to create appropriate permissions on files.
-Same applies for ssh-user-config.
-
-After creating the sshd service with ssh-host-config, it's advisable to
-call ssh-user-config for all affected users, also already exising user
-configurations.  In the latter case, file and directory permissions are
-checked and changed, if requireed to match the host configuration.
-
-Important note for Windows 2003 Server users:
----------------------------------------------
-
-2003 Server has a funny new feature.  When starting services under SYSTEM
-account, these services have nearly all user rights which SYSTEM holds...
-except for the "Create a token object" right, which is needed to allow
-public key authentication :-(
-
-There's no way around this, except for creating a substitute account which
-has the appropriate privileges.  Basically, this account should be member
-of the administrators group, plus it should have the following user rights:
-
-	Create a token object
-	Logon as a service
-	Replace a process level token
-	Increase Quota
-
-The ssh-host-config script asks you, if it should create such an account,
-called "sshd_server".  If you say "no" here, you're on your own.  Please
-follow the instruction in ssh-host-config exactly if possible.  Note that
-ssh-user-config sets the permissions on 2003 Server machines dependent of
-whether a sshd_server account exists or not.
-===========================================================================
-
-===========================================================================
-Important change since 3.4p1-2:
-
-This version adds privilege separation as default setting, see
-/usr/doc/openssh/README.privsep.  According to that document the
-privsep feature requires a non-privileged account called 'sshd'.
-
-The new ssh-host-config file which is part of this version asks
-to create 'sshd' as local user if you want to use privilege
-separation.  If you confirm, it creates that NT user and adds
-the necessary entry to /etc/passwd.
-
-On 9x/Me systems the script just sets UsePrivilegeSeparation to "no"
-since that feature doesn't make any sense on a system which doesn't
-differ between privileged and unprivileged users.
-
-The new ssh-host-config script also adds the /var/empty directory
-needed by privilege separation.  When creating the /var/empty directory
-by yourself, please note that in contrast to the README.privsep document
-the owner sshould not be "root" but the user which is running sshd.  So,
-in the standard configuration this is SYSTEM.  The ssh-host-config script
-chowns /var/empty accordingly.
-===========================================================================
-
-===========================================================================
-Important change since 3.0.1p1-2:
-
-This version introduces the ability to register sshd as service on
-Windows 9x/Me systems.  This is done only when the options -D and/or
--d are not given.
-===========================================================================
-
-===========================================================================
-Important change since 2.9p2:
-
-Since Cygwin is able to switch user context without password beginning
-with version 1.3.2, OpenSSH now allows to do so when it's running under
-a version >= 1.3.2. Keep in mind that `ntsec' has to be activated to
-allow that feature.
-===========================================================================
-
-===========================================================================
-Important change since 2.3.0p1:
-
-When using `ntea' or `ntsec' you now have to care for the ownership
-and permission bits of your host key files and your private key files.
-The host key files have to be owned by the NT account which starts
-sshd. The user key files have to be owned by the user. The permission
-bits of the private key files (host and user) have to be at least
-rw------- (0600)!
-
-Note that this is forced under `ntsec' only if the files are on a NTFS
-filesystem (which is recommended) due to the lack of any basic security
-features of the FAT/FAT32 filesystems.
-===========================================================================
+==================
+Host configuration
+==================
 
 If you are installing OpenSSH the first time, you can generate global config
-files and server keys by running
+files and server keys, as well as installing sshd as a service, by running
 
    /usr/bin/ssh-host-config
 
 Note that this binary archive doesn't contain default config files in /etc.
 That files are only created if ssh-host-config is started.
 
-If you are updating your installation you may run the above ssh-host-config
-as well to move your configuration files to the new location and to
-erase the files at the old location.
-
 To support testing and unattended installation ssh-host-config got
 some options:
 
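
Review bot: The removed "Important change since 2.3.0p1" block carried the requirement that host key files be owned by the account that starts sshd and that private key files have permissions of at least rw------- (0600), and nothing in the added lines replaces it. The same goes for the removed note that /var/empty should be owned by the user running sshd rather than "root". If these still hold on current Cygwin, keep a short permissions note under the new "Host configuration" heading instead of dropping them with the version history. Separately, the unchanged line "That files are only created if ssh-host-config is started." could be fixed to "Those files" while the section is being reworked for readability.
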
@@ -123,17 +26,26 @@
     --no     -n            Answer all questions with "no" automatically.
     --cygwin -c <options>  Use "options" as value for CYGWIN environment var.
     --port   -p <n>        sshd listens on port n.
-    --pwd    -w <passwd>   Use "pwd" as password for user 'sshd_server'.
+    --user   -u <account>  privileged user for service, default 'cyg_server'.
+    --pwd    -w <passwd>   Use "pwd" as password for privileged user.
+    --privileged           On Windows XP, require privileged user
+                           instead of LocalSystem for sshd service.
 
-Additionally ssh-host-config now asks if it should install sshd as a
-service when running under NT/W2K. This requires cygrunsrv installed.
+Installing sshd as daemon via ssh-host-config is recommended.
 
-You can create the private and public keys for a user now by running
+Alternatively you can start sshd via inetd, if you have the inetutils
+package installed.  Just run ssh-host-config, but answer "no" when asked
+to install sshd as service.  The ssh-host-config script also adds the
+required lines to /etc/inetd.conf and /etc/services.
+
+==================
+User configuration
+==================
+
+Any user can simplify creating the own private and public keys by running
 
   /usr/bin/ssh-user-config
 
-under the users account.
-
 To support testing and unattended installation ssh-user-config got
 some options as well:
 
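
Review bot: In the added "--pwd    -w <passwd>" line the placeholder is <passwd> but the description says Use "pwd", so the two do not match; use the same name in both. Since this option puts the privileged account's password on the command line, the README could also say that it is meant for unattended installation and that the value is visible to anyone who can read the process arguments or the invoking script. In the added "User configuration" text, "simplify creating the own private and public keys" reads awkwardly; "their own" is clearer. The removed remark that starting via inetd "results in very slow deamon startup!" is not carried over to the new inetd paragraph; restore it if it still applies.
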
@@ -144,88 +56,30 @@
     --no         -n        Answer all questions with "no" automatically.
     --passphrase -p word   Use "word" as passphrase automatically.
 
-Install sshd as daemon via cygrunsrv.exe (recommended on NT/W2K), via inetd
-(results in very slow deamon startup!) or from the command line (recommended
-on 9X/ME).
-
-If you start sshd as deamon via cygrunsrv.exe you MUST give the
-"-D" option to sshd. Otherwise the service can't get started at all.
-
-If starting via inetd, copy sshd to eg. /usr/sbin/in.sshd and add the
-following line to your inetd.conf file:
-
-ssh stream tcp nowait root /usr/sbin/in.sshd sshd -i
-
-Moreover you'll have to add the following line to your
-${SYSTEMROOT}/system32/drivers/etc/services file:
-
-   ssh         22/tcp          #SSH daemon
-
 Please note that OpenSSH does never use the value of $HOME to
 search for the users configuration files! It always uses the
 value of the pw_dir field in /etc/passwd as the home directory.
 If no home diretory is set in /etc/passwd, the root directory
 is used instead!
 
-You may use all features of the CYGWIN=ntsec setting the same
-way as they are used by Cygwin's login(1) port:
+================
+Building OpenSSH
+================
 
-  The pw_gecos field may contain an additional field, that begins
-  with (upper case!) "U-", followed by the domain and the username
-  separated by a backslash.
-  CAUTION: The SID _must_ remain the _last_ field in pw_gecos!
-  BTW: The field separator in pw_gecos is the comma.
-  The username in pw_name itself may be any nice name:
+Building from source is easy.  Just unpack the source archive, cd to that
+directory, and call cygport:
 
-    domuser::1104:513:John Doe,U-domain\user,S-1-5-21-...
+	cygport openssh.cygport almostall
 
-  Now you may use `domuser' as your login name with telnet!
-  This is possible additionally for local users, if you don't like
-  your NT login name ;-) You only have to leave out the domain:
+You must have installed the following packages to be able to build OpenSSH
+with the aforementioned cygport script:
 
-    locuser::1104:513:John Doe,U-user,S-1-5-21-...
-
-Note that the CYGWIN=ntsec setting is required for public key authentication.
-
-SSH2 server and user keys are generated by the `ssh-*-config' scripts
-as well.
-
-If you want to build from source, the following options to
-configure are used for the Cygwin binary distribution:
-
-	--prefix=/usr \
-	--sysconfdir=/etc \
-	--libexecdir='${sbindir}' \
-	--localstatedir=/var \
-	--datadir='${prefix}/share' \
-	--mandir='${datadir}/man' \
-	--infodir='${datadir}/info'
-	--with-tcp-wrappers
-	--with-libedit
-
-If you want to create a Cygwin package, equivalent to the one
-in the Cygwin binary distribution, install like this:
-
-	mkdir /tmp/cygwin-ssh
-	cd ${builddir}
-	make install DESTDIR=/tmp/cygwin-ssh
-	cd ${srcdir}/contrib/cygwin
-	make cygwin-postinstall DESTDIR=/tmp/cygwin-ssh
-	cd /tmp/cygwin-ssh
-	find * \! -type d | tar cvjfT my-openssh.tar.bz2 -
-
-You must have installed the following packages to be able to build OpenSSH:
-
-- zlib
-- openssl-devel
-
-If you want to build with --with-tcp-wrappers, you also need the package
-
-- tcp_wrappers
-
-If you want to build with --with-libedit, you also need the package
-
-- libedit-devel
+  zlib
+  crypt
+  openssl-devel
+  libwrap-devel
+  libedit-devel
+  libkrb5-devel
 
 Please send requests, error reports etc. to cygwin@cygwin.com.
 
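
Review bot: The new "Building OpenSSH" section tells the reader to run "cygport openssh.cygport almostall" after unpacking "the source archive", but does not say which archive contains openssh.cygport; state whether this means the Cygwin source package or the upstream tarball. The removed text listed the configure options used for the binary distribution and tied tcp_wrappers and libedit-devel to --with-tcp-wrappers and --with-libedit, while the new list presents zlib, crypt, openssl-devel, libwrap-devel, libedit-devel and libkrb5-devel as uniformly required; a note on which are optional would help anyone building without cygport. The removed line "Note that the CYGWIN=ntsec setting is required for public key authentication." has no replacement, so confirm it no longer applies. The unchanged paragraph above still has "home diretory" and "does never use", which fit the readability goal of this patch.
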
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index 3c9046f..c542d5c 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -606,9 +606,9 @@
     echo "  --no     -n            Answer all questions with \"no\" automatically."
     echo "  --cygwin -c <options>  Use \"options\" as value for CYGWIN environment var."
     echo "  --port   -p <n>        sshd listens on port n."
-    echo "  --user   -u <account>  privileged user for service."
+    echo "  --user   -u <account>  privileged user for service, default 'cyg_server'."
     echo "  --pwd    -w <passwd>   Use \"pwd\" as password for privileged user."
-    echo "  --privileged           On Windows NT/2k/XP, require privileged user"
+    echo "  --privileged           On Windows XP, require privileged user"
     echo "                         instead of LocalSystem for sshd service."
     echo
     exit 1
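
Review bot: The changed "--privileged" line now reads "On Windows XP, require privileged user" without saying what the option does on any other Windows version; if it has no effect elsewhere, say so in the help text. The added default 'cyg_server' on the "--user" line should be checked against the value the script actually uses, which is not visible in this hunk. The unchanged "--pwd    -w <passwd>" line still describes its argument as "pwd" and could be aligned while this block is being edited.
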
diff --git a/contrib/cygwin/ssh-user-config b/contrib/cygwin/ssh-user-config
index 027ae60..8708b7a 100644
--- a/contrib/cygwin/ssh-user-config
+++ b/contrib/cygwin/ssh-user-config
@@ -222,10 +222,6 @@
     shift
     ;;
 
-  --privileged )
-    csih_FORCE_PRIVILEGED_USER=yes
-    ;;
-
   *)
     echo "usage: ${PROGNAME} [OPTION]..."
     echo
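
Review bot: With the "--privileged )" case removed, that argument now falls through to the "*)" branch, which prints the usage text and exits with status 1, so any unattended invocation of ssh-user-config that still passes --privileged will start failing. Either keep the case as an accepted no-op with a deprecation message for a release, or mention the removal by name in the ChangeLog and README. Also confirm that nothing later in the script still reads csih_FORCE_PRIVILEGED_USER, since this was the place that set it.
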
@@ -236,8 +232,6 @@
     echo "    --yes        -y        Answer all questions with \"yes\" automatically."
     echo "    --no         -n        Answer all questions with \"no\" automatically."
     echo "    --passphrase -p word   Use \"word\" as passphrase automatically."
-    echo "    --privileged           On Windows NT/2k/XP, assume privileged user"
-    echo "                           instead of LocalSystem for sshd service."
     echo
     exit 1
     ;;