#

# Originally we planned to only deprecate client config (ssh_config) options 

# and leave it up to system administrators to remove all SunSSH specific

# server config (sshd_config) options. In internal testing we have discovered,

# that this would bring too much trouble to the said administrators.

# The probability of these options appearing in existing sshd_config files

# is higher than initially though, because some of the options have been in

# default sshd_config file for very long time. Also the consequence of

# unknown server option is harsh - ssh service goes to maintenance mode

# possible rendering the instance not accessible. For this reason we will

# deprecate SunSSH specific sshd_config options too.

#

# This is a Solaris specific change to ease the transition and will not be

# offered upstream.

#

diff -pur old/servconf.c new/servconf.c

--- old/servconf.c

+++ new/servconf.c

@@ -518,6 +518,7 @@ static struct {

 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },

 #ifdef GSSAPI

 	{ "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },

+	{ "gssauthentication", sGssAuthentication, SSHCFG_ALL },   /* alias */

 #ifdef USE_GSS_STORE_CRED

 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },

 #else /* USE_GSS_STORE_CRED */

@@ -526,6 +527,7 @@ static struct {

 	{ "gssapistrictacceptorcheck", sGssStrictAcceptor, SSHCFG_GLOBAL },

 #else

 	{ "gssapiauthentication", sUnsupported, SSHCFG_ALL },

+	{ "gssauthentication", sUnsupported, SSHCFG_ALL },          /* alias */

 	{ "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },

 	{ "gssapistrictacceptorcheck", sUnsupported, SSHCFG_GLOBAL },

 #endif

@@ -592,6 +594,30 @@ static struct {

 	{ "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },

 	{ "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },

 #endif

+#ifdef DEPRECATE_SUNSSH_OPT

+	/*

+	 * On Solaris, to make the transition from SunSSH to OpenSSH as smooth

+	 * as possible, we will deprecate SunSSH-only options in OpenSSH.

+	 * Therefore on a system having one of the following options in

+	 * /etc/ssh/sshd_config, change to OpenSSH will not result in service

+	 * network/ssh going to maintenance. Instead, a warning will be printed

+	 * to /var/svc/log/network-ssh:default.log. Note that

+	 * this is an interim enhancement to OpenSSH to make the transition

+	 * smoother.  If a deprecated SunSSH-only option is migrated to OpenSSH

+	 * later, then it will be changed from deprecated to supported.

+	 */

+	{ "maxauthtrieslog", sDeprecated, SSHCFG_GLOBAL },

+	{ "lookupclienthostnames", sDeprecated, SSHCFG_GLOBAL },

+	{ "useopensslengine", sDeprecated, SSHCFG_GLOBAL },

+	{ "preuserauthhook", sDeprecated, SSHCFG_ALL},

+	{ "kmfpolicydatabase", sDeprecated, SSHCFG_GLOBAL },

+	{ "kmfpolicyname", sDeprecated, SSHCFG_GLOBAL },

+	{ "trustedanchorkeystore", sDeprecated, SSHCFG_GLOBAL },

+	{ "useunsupportedsshv1", sDeprecated, SSHCFG_GLOBAL },

+	{ "usefips140", sDeprecated, SSHCFG_ALL},

+	{ "gssapistoredelegatedcredentials", sDeprecated, SSHCFG_ALL },

+	{ "gssstoredelegcreds", sDeprecated, SSHCFG_ALL },

+#endif

 	{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },

 	{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },

 	{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },