PSARC/2017/022 OpenSSH 7.4
25295722 upgrade OpenSSH to 7.4p1
25295787 problem in UTILITY/OPENSSH
25295804 problem in UTILITY/OPENSSH
25295822 problem in UTILITY/OPENSSH
25295840 problem in UTILITY/OPENSSH
#
# Some options in OpenSSH have different default values from those in SunSSH.
# To make the transition smoother from SunSSH to OpenSSH, we change default
# values for the following options to be as same as those in SunSSH.
#
# GSSAPIAuthentication (for both server and client)
# X11Forwarding (for server)
# ForwardX11Trusted (for client)
#
# This is for Solaris only, we will not contribute back these changes to the
# upstream.
#
diff -pur old/readconf.c new/readconf.c
--- old/readconf.c
+++ new/readconf.c
@@ -1936,7 +1936,11 @@ fill_default_options(Options * options)
if (options->forward_x11 == -1)
options->forward_x11 = 0;
if (options->forward_x11_trusted == -1)
+#ifdef OPTION_DEFAULT_VALUE
+ options->forward_x11_trusted = 1;
+#else
options->forward_x11_trusted = 0;
+#endif
if (options->forward_x11_timeout == -1)
options->forward_x11_timeout = 1200;
/*
@@ -1969,7 +1973,11 @@ fill_default_options(Options * options)
if (options->challenge_response_authentication == -1)
options->challenge_response_authentication = 1;
if (options->gss_authentication == -1)
+#ifdef OPTION_DEFAULT_VALUE
+ options->gss_authentication = 1;
+#else
options->gss_authentication = 0;
+#endif
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
if (options->password_authentication == -1)
diff -pur old/servconf.c new/servconf.c
--- old/servconf.c
+++ new/servconf.c
@@ -249,7 +249,11 @@ fill_default_server_options(ServerOption
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
+#ifdef OPTION_DEFAULT_VALUE
+ options->x11_forwarding = 1;
+#else
options->x11_forwarding = 0;
+#endif
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
@@ -283,7 +287,11 @@ fill_default_server_options(ServerOption
if (options->kerberos_get_afs_token == -1)
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
+#ifdef OPTION_DEFAULT_VALUE
+ options->gss_authentication = 1;
+#else
options->gss_authentication = 0;
+#endif
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->gss_strict_acceptor == -1)
diff -pur old/ssh_config.5 new/ssh_config.5
--- old/ssh_config.5
+++ new/ssh_config.5
@@ -714,12 +714,11 @@ The default is to disable untrusted X11
elapsed.
.It Cm ForwardX11Trusted
If this option is set to
-.Cm yes ,
+.Cm yes (the default on Solaris),
remote X11 clients will have full access to the original X11 display.
.Pp
If this option is set to
-.Cm no
-(the default),
+.Cm no,
remote X11 clients will be considered untrusted and prevented
from stealing or tampering with data belonging to trusted X11
clients.
@@ -754,8 +753,8 @@ The default is
.Pa /etc/ssh/ssh_known_hosts2 .
.It Cm GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed.
-The default is
-.Cm no .
+The default on Solaris is
+.Cm yes .
.It Cm GSSAPIDelegateCredentials
Forward (delegate) credentials to the server.
The default is
diff -pur old/sshd_config.5 new/sshd_config.5
--- old/sshd_config.5
+++ new/sshd_config.5
@@ -621,8 +621,8 @@ The default is
.Cm no .
.It Cm GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed.
-The default is
-.Cm no .
+The default on Solaris is
+.Cm yes .
.It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
on logout.
@@ -1527,8 +1527,8 @@ The argument must be
.Cm yes
or
.Cm no .
-The default is
-.Cm no .
+The default on Solaris is
+.Cm yes .
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the