diff -c openssh-5.1p1_clean/auth.h openssh-5.2p1_rh/auth.h
*** openssh-5.1p1_clean/auth.h	2009-05-27 08:07:14.000000000 -0500
--- openssh-5.2p1_rh/auth.h	2009-05-27 09:17:31.000000000 -0500
***************
*** 41,46 ****
--- 41,51 ----
  #ifdef KRB5
  #include <krb5.h>
  #endif
+ #ifndef AFS_GSI
+ #ifdef AFS_KRB5
+ #include <krbafs.h>
+ #endif
+ #endif
  
  typedef struct Authctxt Authctxt;
  typedef struct Authmethod Authmethod;
diff -c openssh-5.1p1_clean/config.h.in openssh-5.2p1_rh/config.h.in
*** openssh-5.1p1_clean/config.h.in	2009-05-27 08:07:18.000000000 -0500
--- openssh-5.2p1_rh/config.h.in	2009-05-27 09:17:31.000000000 -0500
***************
*** 1,5 ****
--- 1,11 ----
  /* config.h.in.  Generated from configure.ac by autoheader.  */
  
+ /*Define this if you want to use AFS option, which runs aklog with afs libsys*/
+ #undef AFS_GSI
+  
+ /* Define this if you want to use AFS/Kerberos 5 option, which runs aklog. */
+ #undef AFS_KRB5
+ 
  /* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
     */
  #undef AIX_GETNAMEINFO_HACK
***************
*** 7,12 ****
--- 13,21 ----
  /* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */
  #undef AIX_LOGINFAILED_4ARG
  
+ /* Define this if you want to use AFS/Kerberos 5 option, which runs aklog. */
+ #undef AKLOG_PATH
+ 
  /* System only supports IPv4 audit records */
  #undef AU_IPv4
  
diff -c openssh-5.1p1_clean/configure.ac openssh-5.2p1_rh/configure.ac
*** openssh-5.1p1_clean/configure.ac	2009-05-27 08:07:14.000000000 -0500
--- openssh-5.2p1_rh/configure.ac	2009-05-27 09:17:31.000000000 -0500
***************
*** 3449,3454 ****
--- 3449,3516 ----
  	fi
  	]
  )
+ AFS_LIBPATH=""
+ AC_ARG_WITH(afs-libsys,
+ 	[  --with-afs-libsys[[=AFSLIBSYS_PATH]]  Enable lsetpag  to get token (default=/usr/lib64/afs/libsys.a).],
+ 	[
+ 		if test "x$withval" != "xno" ; then
+  			if test "x$withval" != "xyes" ; then
+  				AC_DEFINE_UNQUOTED(AFSLIBSYS_PATH, "$withval",
+  					[Define this if you want to use AFS option, which runs gssklog.])
+  				AFS_LIBPATH=$withval
+  			else
+  				AC_DEFINE_UNQUOTED(AFSLIBSYS_PATH,
+  					"/usr/lib64/afs/libsys.a",
+  					[Define this if you want to use AFS option, which runs gssklog.])
+  				AFS_LIBPATH=/usr/lib64/afs/libsys.a
+  			fi
+  
+  			LIBS="$AFS_LIBPATH  $LIBS"
+  			AC_DEFINE(AFS_GSI, 1,
+  				[Define this if you want to use AFS option, which runs gssklog.])
+  		fi
+ 	]
+ )
+ 
+ 
+ # Check whether user wants AFS_KRB5 support
+ AFS_KRB5_MSG="no"
+ AC_ARG_WITH(afs-krb5,
+ 	[  --with-afs-krb5[[=AKLOG_PATH]]  Enable aklog to get token (default=/usr/bin/aklog).],
+ 	[
+ 		if test "x$withval" != "xno" ; then
+ 
+ 			if test "x$withval" != "xyes" ; then
+ 				AC_DEFINE_UNQUOTED(AKLOG_PATH, "$withval",
+ 					[Define this if you want to use AFS/Kerberos 5 option, which runs aklog.])
+ 			else
+ 				AC_DEFINE_UNQUOTED(AKLOG_PATH,
+ 					"/usr/bin/aklog",
+ 					[Define this if you want to use AFS/Kerberos 5 option, which runs aklog.])
+ 			fi
+ 
+ 			if test -z "$KRB5ROOT" ; then
+ 				AC_MSG_WARN([AFS_KRB5 requires Kerberos 5 support, build may fail])
+ 			fi
+ 			
+ 			if test -z "$AFS_LIBPATH" ; then
+ 			 LIBS="-lkrbafs -lkrb4  $LIBS"
+ 			fi
+ 			 if test ! -z "$AFS_LIBS" ; then
+ 			 	LIBS="$LIBS $AFS_LIBS"
+ 			 fi
+ 
+ 			AC_DEFINE(AFS_KRB5, 1,
+ 				[Define this if you want to use AFS/Kerberos 5 option, which runs aklog.])
+ 			AFS_KRB5_MSG="yes"
+ 		fi
+ 	]
+ )
+ 
+ AC_ARG_WITH(session-hooks,
+         [  --with-session-hooks    Enable hooks for executing external commands                                       before/after a session],
+         [ AC_DEFINE(SESSION_HOOKS, 1, [Define this if you want support for startup/shutdown hooks]) ]
+ )
  
  # Looking for programs, paths and files
  
diff -c openssh-5.1p1_clean/session.c openssh-5.2p1_rh/session.c
*** openssh-5.1p1_clean/session.c	2009-05-27 08:07:14.000000000 -0500
--- openssh-5.2p1_rh/session.c	2009-05-27 09:17:31.000000000 -0500
***************
*** 1420,1426 ****
  			memcpy(component, path, cp - path);
  			component[cp - path] = '\0';
  		}
! 	
  		debug3("%s: checking '%s'", __func__, component);
  
  		if (stat(component, &st) != 0)
--- 1420,1426 ----
  			memcpy(component, path, cp - path);
  			component[cp - path] = '\0';
  		}
! 
  		debug3("%s: checking '%s'", __func__, component);
  
  		if (stat(component, &st) != 0)
***************
*** 1428,1434 ****
  			    component, strerror(errno));
  		if (st.st_uid != 0 || (st.st_mode & 022) != 0)
  			fatal("bad ownership or modes for chroot "
! 			    "directory %s\"%s\"", 
  			    cp == NULL ? "" : "component ", component);
  		if (!S_ISDIR(st.st_mode))
  			fatal("chroot path %s\"%s\" is not a directory",
--- 1428,1434 ----
  			    component, strerror(errno));
  		if (st.st_uid != 0 || (st.st_mode & 022) != 0)
  			fatal("bad ownership or modes for chroot "
! 			    "directory %s\"%s\"",
  			    cp == NULL ? "" : "component ", component);
  		if (!S_ISDIR(st.st_mode))
  			fatal("chroot path %s\"%s\" is not a directory",
***************
*** 1645,1650 ****
--- 1645,1664 ----
  	struct passwd *pw = s->pw;
  	int r = 0;
  
+ #ifdef AFS_KRB5
+ /* Default place to look for aklog. */
+ #ifdef AKLOG_PATH
+ #define KPROGDIR AKLOG_PATH
+ #else
+ #define KPROGDIR "/usr/bin/aklog"
+ #endif /* AKLOG_PATH */
+ #ifdef AFS_GSI
+ 	struct stat stx;
+ #endif
+ 	struct stat st;
+ 	char *aklog_path;
+ #endif /* AFS_KRB5 */
+ 
  	/* remove hostkey from the child's memory */
  	destroy_sensitive_data();
  
***************
*** 1756,1761 ****
--- 1770,1826 ----
  		    s->authctxt->krb5_fwd_ccache, NULL, NULL, pw->pw_dir);
  	}
  #endif
+ #ifndef AFS_GSI
+ #ifdef AFS_KRB5
+ 	/* User has authenticated, and if a ticket was going to be
+ 	 * passed we would have it.  KRB5CCNAME should already be set.
+ 	 * Now try to get an AFS token using aklog.
+ 	 */
+ 	if (k_hasafs()) {  /* Do we have AFS? */
+ 		aklog_path = xstrdup(KPROGDIR);
+ 
+ 		/*
+ 		 * Make sure it exists before we try to run it
+ 		 */
+ 		if (stat(aklog_path, &st) == 0) {
+ 			debug("Running %s to get afs token.",aklog_path);
+ 			system(aklog_path);
+ 		} else {
+ 			debug("%s does not exist.",aklog_path);
+ 		}
+ 
+ 		xfree(aklog_path);
+ 	}
+ 
+ #endif /*AFS_KRB5 */
+ #endif /*AFS_GSI */
+ 
+ #if defined(AFS_KRB5) && defined(AFS_GSI)
+ 
+ 
+ 	/* User has authenticated, and if a ticket was going to be
+ 	 * passed we would have it.  KRB5CCNAME should already be set.
+ 	 * Now try to get an AFS token using aklog.
+ 	 */
+ /*	if (k_hasafs()) { */ /* Do we have AFS? */
+ 	if ((stat("/afs",&stx) == 0) &&
+         (stat("/usr/vice/etc/ThisCell",&stx) == 0)) {
+         lsetpag();
+ 		aklog_path = xstrdup(KPROGDIR);
+ 
+ 		/*
+ 		 * Make sure it exists before we try to run it
+ 		 */
+ 		if (stat(aklog_path, &st) == 0) {
+ 			debug("Running %s to get afs token.",aklog_path);
+ 			system(aklog_path);
+ 		} else {
+ 			debug("%s does not exist.",aklog_path);
+ 		}
+ 
+ 		xfree(aklog_path);
+ 	}
+ #endif /* defined(AFS_KRB5) && defined(AFS_GSI)*/
  
  	/* Change current directory to the user's home directory. */
  	if (chdir(pw->pw_dir) < 0) {
diff -c openssh-5.1p1_clean/sshd.c openssh-5.2p1_rh/sshd.c
*** openssh-5.1p1_clean/sshd.c	2009-05-27 08:07:14.000000000 -0500
--- openssh-5.2p1_rh/sshd.c	2009-05-27 09:17:31.000000000 -0500
***************
*** 1836,1842 ****
  		alarm(options.login_grace_time);
  
  	sshd_exchange_identification(sock_in, sock_out);
! 
  	/* In inetd mode, generate ephemeral key only for proto 1 connections */
  	if (!compat20 && inetd_flag && sensitive_data.server_key == NULL)
  		generate_ephemeral_server_key();
--- 1836,1851 ----
  		alarm(options.login_grace_time);
  
  	sshd_exchange_identification(sock_in, sock_out);
! #ifndef AFS_GSI
! #if defined(AFS_KRB5)
! 	/* If machine has AFS, set process authentication group. */
! /*	if (k_hasafs()) {
! 		k_setpag();
! 		k_unlog();
! 	}
! */
! #endif /* AFS || AFS_KRB5 */
! #endif /* AFS_GSI */
  	/* In inetd mode, generate ephemeral key only for proto 1 connections */
  	if (!compat20 && inetd_flag && sensitive_data.server_key == NULL)
  		generate_ephemeral_server_key();