| author | Tomas Kuthan <tomas.kuthan@oracle.com> |
| Thu, 18 Jun 2015 07:01:42 -0700 | |
| changeset 4503 | bf30d46ab06e |
| parent 2182 | 9f1202f3ddbd |
| child 4709 | fd98db93ff7c |
| permissions | -rw-r--r-- |
|
2182
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
1 |
# |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
2 |
# Originally we planned to only deprecate client config (ssh_config) options |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
3 |
# and leave it up to system administrators to remove all SunSSH specific |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
4 |
# server config (sshd_config) options. In internal testing we have discovered, |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
5 |
# that this would bring too much trouble to the said administrators. |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
6 |
# The probability of these options appearing in existing sshd_config files |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
7 |
# is higher than initially though, because some of the options have been in |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
8 |
# default sshd_config file for very long time. Also the consequence of |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
9 |
# unknown server option is harsh - ssh service goes to maintenance mode |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
10 |
# possible rendering the instance not accessible. For this reason we will |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
11 |
# deprecate SunSSH specific sshd_config options too. |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
12 |
# |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
13 |
# This is a Solaris specific change to ease the transition and will not be |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
14 |
# offered upstream. |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
15 |
# |
|
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
2182
diff
changeset
|
16 |
diff -pur old/servconf.c new/servconf.c |
|
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
2182
diff
changeset
|
17 |
--- old/servconf.c 2015-03-28 22:31:16.652020119 +0100 |
|
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
2182
diff
changeset
|
18 |
+++ new/servconf.c 2015-03-28 22:34:36.569887785 +0100 |
|
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
2182
diff
changeset
|
19 |
@@ -557,6 +557,28 @@ static struct {
|
|
2182
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
20 |
{ "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
|
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
21 |
{ "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
|
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
22 |
#endif |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
23 |
+#ifdef DEPRECATE_SUNSSH_OPT |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
24 |
+ /* |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
25 |
+ * On Solaris, to make the transition from SunSSH to OpenSSH as smooth |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
26 |
+ * as possible, we will deprecate SunSSH-only options in OpenSSH. |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
27 |
+ * Therefore on a system having one of the following options in |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
28 |
+ * /etc/ssh/sshd_config, change to OpenSSH will not result in service |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
29 |
+ * network/ssh going to maintenance. Instead, a warning will be printed |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
30 |
+ * to /var/svc/log/network-ssh:default.log. Note that |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
31 |
+ * this is an interim enhancement to OpenSSH to make the transition |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
32 |
+ * smoother. If a deprecated SunSSH-only option is migrated to OpenSSH |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
33 |
+ * later, then it will be changed from deprecated to supported. |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
34 |
+ */ |
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
35 |
+ { "maxauthtrieslog", sDeprecated, SSHCFG_GLOBAL },
|
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
36 |
+ { "lookupclienthostnames", sDeprecated, SSHCFG_GLOBAL },
|
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
37 |
+ { "useopensslengine", sDeprecated, SSHCFG_GLOBAL },
|
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
38 |
+ { "preuserauthhook", sDeprecated, SSHCFG_ALL},
|
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
39 |
+ { "kmfpolicydatabase", sDeprecated, SSHCFG_GLOBAL },
|
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
40 |
+ { "kmfpolicyname", sDeprecated, SSHCFG_GLOBAL },
|
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
41 |
+ { "trustedanchorkeystore", sDeprecated, SSHCFG_GLOBAL },
|
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
42 |
+ { "useunsupportedsshv1", sDeprecated, SSHCFG_GLOBAL },
|
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
43 |
+ { "usefips140", sDeprecated, SSHCFG_ALL},
|
|
9f1202f3ddbd
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
diff
changeset
|
44 |
+#endif |
|
4503
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
2182
diff
changeset
|
45 |
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
|
|
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
2182
diff
changeset
|
46 |
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
|
|
bf30d46ab06e
PSARC/2015/179 OpenSSH 6.8
Tomas Kuthan <tomas.kuthan@oracle.com>
parents:
2182
diff
changeset
|
47 |
{ "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
|