| author | Drew Fisher <drew.fisher@oracle.com> |
| Thu, 29 Sep 2016 08:21:19 -0700 | |
| branch | s11u3-sru |
| changeset 7115 | 0c932cebfc40 |
| parent 5324 | 5683175b6e99 |
| permissions | -rw-r--r-- |
|
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
1 |
# |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
2 |
# Originally we planned to only deprecate client config (ssh_config) options |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
3 |
# and leave it up to system administrators to remove all SunSSH specific |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
4 |
# server config (sshd_config) options. In internal testing we have discovered, |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
5 |
# that this would bring too much trouble to the said administrators. |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
6 |
# The probability of these options appearing in existing sshd_config files |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
7 |
# is higher than initially though, because some of the options have been in |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
8 |
# default sshd_config file for very long time. Also the consequence of |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
9 |
# unknown server option is harsh - ssh service goes to maintenance mode |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
10 |
# possible rendering the instance not accessible. For this reason we will |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
11 |
# deprecate SunSSH specific sshd_config options too. |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
12 |
# |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
13 |
# This is a Solaris specific change to ease the transition and will not be |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
14 |
# offered upstream. |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
15 |
# |
|
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
16 |
diff -pur old/servconf.c new/servconf.c |
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
17 |
--- old/servconf.c |
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
18 |
+++ new/servconf.c |
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
19 |
@@ -518,6 +518,7 @@ static struct {
|
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
20 |
{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
|
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
21 |
#ifdef GSSAPI |
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
22 |
{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
|
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
23 |
+ { "gssauthentication", sGssAuthentication, SSHCFG_ALL }, /* alias */
|
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
24 |
#ifdef USE_GSS_STORE_CRED |
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
25 |
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
26 |
#else /* USE_GSS_STORE_CRED */ |
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
27 |
@@ -526,6 +527,7 @@ static struct {
|
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
28 |
{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },
|
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
29 |
#else |
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
30 |
{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },
|
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
31 |
+ { "gssauthentication", sUnsupported, SSHCFG_ALL }, /* alias */
|
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
32 |
{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
|
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
33 |
{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },
|
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
34 |
#endif |
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
35 |
@@ -592,6 +594,30 @@ static struct {
|
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
36 |
{ "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
|
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
37 |
{ "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
|
|
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
38 |
#endif |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
39 |
+#ifdef DEPRECATE_SUNSSH_OPT |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
40 |
+ /* |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
41 |
+ * On Solaris, to make the transition from SunSSH to OpenSSH as smooth |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
42 |
+ * as possible, we will deprecate SunSSH-only options in OpenSSH. |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
43 |
+ * Therefore on a system having one of the following options in |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
44 |
+ * /etc/ssh/sshd_config, change to OpenSSH will not result in service |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
45 |
+ * network/ssh going to maintenance. Instead, a warning will be printed |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
46 |
+ * to /var/svc/log/network-ssh:default.log. Note that |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
47 |
+ * this is an interim enhancement to OpenSSH to make the transition |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
48 |
+ * smoother. If a deprecated SunSSH-only option is migrated to OpenSSH |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
49 |
+ * later, then it will be changed from deprecated to supported. |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
50 |
+ */ |
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
51 |
+ { "maxauthtrieslog", sDeprecated, SSHCFG_GLOBAL },
|
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
52 |
+ { "lookupclienthostnames", sDeprecated, SSHCFG_GLOBAL },
|
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
53 |
+ { "useopensslengine", sDeprecated, SSHCFG_GLOBAL },
|
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
54 |
+ { "preuserauthhook", sDeprecated, SSHCFG_ALL},
|
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
55 |
+ { "kmfpolicydatabase", sDeprecated, SSHCFG_GLOBAL },
|
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
56 |
+ { "kmfpolicyname", sDeprecated, SSHCFG_GLOBAL },
|
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
57 |
+ { "trustedanchorkeystore", sDeprecated, SSHCFG_GLOBAL },
|
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
58 |
+ { "useunsupportedsshv1", sDeprecated, SSHCFG_GLOBAL },
|
|
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
59 |
+ { "usefips140", sDeprecated, SSHCFG_ALL},
|
|
4935
ed3830c87e7b
21279048 OpenSSH missing dependency on xauth
Ivo Raisr <ivo.raisr@oracle.com>
parents:
4401
diff
changeset
|
60 |
+ { "gssapistoredelegatedcredentials", sDeprecated, SSHCFG_ALL },
|
|
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
61 |
+ { "gssstoredelegcreds", sDeprecated, SSHCFG_ALL },
|
|
3946
b1e0e68de63b
PSARC 2012/335 OpenSSH migration
Huie-Ying Lee <huieying.lee@oracle.com>
parents:
diff
changeset
|
62 |
+#endif |
|
5324
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
63 |
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
|
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
64 |
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
|
5683175b6e99
PSARC/2015/395 OpenSSH 7.1p1
Jan Parcel <jan.parcel@oracle.com>
parents:
4935
diff
changeset
|
65 |
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|