--- openssh-4.5p1/servconf.h.vendor	2006-08-18 16:23:15.000000000 +0200
+++ openssh-4.5p1/servconf.h	2006-12-20 22:06:27.000000000 +0100
@@ -120,6 +120,7 @@
 	int	max_startups;
 	int	max_authtries;
 	char   *banner;			/* SSH-2 banner message */
+	int	show_patchlevel;	/* Show vendor patch level to clients */
 	int	use_dns;
 	int	client_alive_interval;	/*
 					 * poke the client this often to
--- openssh-4.5p1/sshd_config.vendor	2006-12-20 22:06:27.000000000 +0100
+++ openssh-4.5p1/sshd_config	2006-12-20 22:06:27.000000000 +0100
@@ -106,6 +106,7 @@
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
+#ShowPatchLevel no
 #UseDNS yes
 #PidFile /var/run/sshd.pid
 #MaxStartups 10
--- openssh-4.5p1/sshd.c.vendor	2006-11-07 13:14:42.000000000 +0100
+++ openssh-4.5p1/sshd.c	2006-12-20 22:06:27.000000000 +0100
@@ -418,7 +418,8 @@
 		major = PROTOCOL_MAJOR_1;
 		minor = PROTOCOL_MINOR_1;
 	}
-	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor, SSH_VERSION);
+	snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", major, minor,
+		 (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_VERSION);
 	server_version_string = xstrdup(buf);
 
 	/* Send our protocol version identification. */
@@ -1429,7 +1430,8 @@
 		exit(1);
 	}
 
-	debug("sshd version %.100s", SSH_RELEASE);
+	debug("sshd version %.100s",
+	      (options.show_patchlevel == 1) ? SSH_VENDOR_PATCHLEVEL : SSH_RELEASE);
 
 	/* Store privilege separation user for later use if required. */
 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
--- openssh-4.5p1/configure.ac.vendor	2006-12-20 22:06:27.000000000 +0100
+++ openssh-4.5p1/configure.ac	2006-12-20 22:06:27.000000000 +0100
@@ -3729,6 +3729,12 @@
 		fi
 	]
 )
+AC_ARG_ENABLE(vendor-patchlevel,
+  [  --enable-vendor-patchlevel=TAG  specify a vendor patch level],
+  [AC_DEFINE_UNQUOTED(SSH_VENDOR_PATCHLEVEL,[SSH_RELEASE "-" "$enableval"],[Define to your vendor patch level, if it has been modified from the upstream source release.])
+   SSH_VENDOR_PATCHLEVEL="$enableval"],
+  [AC_DEFINE(SSH_VENDOR_PATCHLEVEL,SSH_RELEASE,[Define to your vendor patch level, if it has been modified from the upstream source release.])
+   SSH_VENDOR_PATCHLEVEL=none])
 
 dnl lastlog, [uw]tmpx? detection
 dnl  NOTE: set the paths in the platform section to avoid the
@@ -3978,6 +3984,7 @@
 echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
 echo "                  BSD Auth support: $BSD_AUTH_MSG"
 echo "              Random number source: $RAND_MSG"
+echo "                Vendor patch level: $SSH_VENDOR_PATCHLEVEL"
 if test ! -z "$USE_RAND_HELPER" ; then
 echo "     ssh-rand-helper collects from: $RAND_HELPER_MSG"
 fi
--- openssh-4.5p1/sshd_config.0.vendor	2006-12-20 22:06:27.000000000 +0100
+++ openssh-4.5p1/sshd_config.0	2006-12-20 22:06:27.000000000 +0100
@@ -413,6 +413,11 @@
              Defines the number of bits in the ephemeral protocol version 1
              server key.  The minimum value is 512, and the default is 768.
 
+     ShowPatchLevel
+	     Specifies whether sshd will display the specific patch level of
+	     the binary in the server identification string.  The patch level
+	     is set at compile-time.  The default is M-bM-^@M-^\noM-bM-^@M-^].
+
      StrictModes
              Specifies whether sshd(8) should check file modes and ownership
              of the user's files and home directory before accepting login.
--- openssh-4.5p1/servconf.c.vendor	2006-08-18 16:23:15.000000000 +0200
+++ openssh-4.5p1/servconf.c	2006-12-20 22:08:41.000000000 +0100
@@ -113,6 +113,7 @@
 	options->max_startups = -1;
 	options->max_authtries = -1;
 	options->banner = NULL;
+	options->show_patchlevel = -1;
 	options->use_dns = -1;
 	options->client_alive_interval = -1;
 	options->client_alive_count_max = -1;
@@ -250,6 +251,9 @@
 	if (options->permit_tun == -1)
 		options->permit_tun = SSH_TUNMODE_NO;
 
+	if (options->show_patchlevel == -1)
+		options->show_patchlevel = 0;
+
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
 		use_privsep = 1;
@@ -293,6 +297,7 @@
 	sGssAuthentication, sGssCleanupCreds, sAcceptEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sForceCommand,
 	sUsePrivilegeSeparation,
+	sShowPatchLevel,
 	sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -390,6 +395,7 @@
 	{ "maxstartups", sMaxStartups, SSHCFG_GLOBAL },
 	{ "maxauthtries", sMaxAuthTries, SSHCFG_GLOBAL },
 	{ "banner", sBanner, SSHCFG_GLOBAL },
+	{ "showpatchlevel", sShowPatchLevel, SSHCFG_GLOBAL },
 	{ "usedns", sUseDNS, SSHCFG_GLOBAL },
 	{ "verifyreversemapping", sDeprecated, SSHCFG_GLOBAL },
 	{ "reversemappingcheck", sDeprecated, SSHCFG_GLOBAL },
@@ -1006,6 +1012,10 @@
 		intptr = &use_privsep;
 		goto parse_flag;
 
+	case sShowPatchLevel:
+		intptr = &options->show_patchlevel;
+		goto parse_flag;
+
 	case sAllowUsers:
 		while ((arg = strdelim(&cp)) && *arg != '\0') {
 			if (options->num_allow_users >= MAX_ALLOW_USERS)
--- openssh-4.5p1/sshd_config.5.vendor	2006-12-20 22:06:27.000000000 +0100
+++ openssh-4.5p1/sshd_config.5	2006-12-20 22:06:27.000000000 +0100
@@ -717,6 +717,14 @@
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 768.
+.It Cm ShowPatchLevel
+Specifies whether
+.Nm sshd
+will display the patch level of the binary in the identification string.
+The patch level is set at compile-time.
+The default is
+.Dq no .
+This option applies to protocol version 1 only.
 .It Cm StrictModes
 Specifies whether
 .Xr sshd 8