deraadt and millert ok

We could use skeyinfo(1) to check but this is much cheaper.

--
Patch from: wilfried@ via PR#1761
Ok'd by: deraadt@

get false positives for YP stuff.  Closes PR 1755

just save the md5 checksums so we can still determine when something
change.  Entries in /etc/changelist that are prefixed with a '+'
will only have their md5 checksums saved, not the actual files.

not readable by other" block.  Remove ~/.ssh/random_seed as it is
not used in OpenSSH.
Add ~/.ssh/authorized_keys2, and ~/.ssh/known_hosts to the "must be
owned by user and not writable"  block.

use printf(1) here.  This way there is no possibility of format
string problems and we use a shell builtin instead of an external
command.

inspiration from dynamo@ime.net.
also a typo fix.

-q flag to ls(1) so that non-printable characters will appear as '?'. This
prevents a malicious user from fooling the administrator into thinking the
contents of a file name are actually valid script output (note that you can
put newlines in file names); deraadt@ ok

millert@ ok.

changed so files are e.g. backups/etc_passwd not backups/_etc_passwd

user basis.

/etc/csh.login and .login.  From Chris Jones <cjones@rupert.oscs.montana.edu>

2. /-ro/   ->  /^-ro$/ : allows hostnames containing "*-ro*" and
ignores "-root"

Also, take into account users w/ the blowfish cypher.

Don't bitch about star'd out logins unless they have a .rhosts/.shosts/.klogin
file (ie: something that would let them in via rsh/ssh).

don't bitch about root-owned .rhosts since multiple system accounts
share root's homedir.

Can't do "find -ls" since we need to store the date in an absolute format
(ls -T).  Use "find -print0" | xargs -0 instead.

showing up in the setuid list ;-)

lines in /etc/exports

Thanks to deraadt for pointing out the -ls flag on find.

have '+' in them even when they don't.  Escaped the + to fix.