components/openssh/patches/005-openssh_krb5_build_fix.patch
author Huie-Ying Lee <huieying.lee@oracle.com>
Fri, 13 Mar 2015 17:05:08 -0700
branchs11-update
changeset 3946 b1e0e68de63b
permissions -rw-r--r--
PSARC 2012/335 OpenSSH migration PSARC 2013/115 Shared configuration for SunSSH & OpenSSH PSARC 2014/078 OpenSSH 6.5 PSARC 2014/342 pam_unix_session lastlog support 15769261 SUNBT7135649 Deliver OpenSSH 6.0P1 in the userland gate 18205826 upgrade OpenSSH to 6.5p1 19579776 OpenSSH doesn't need to reference lastlog anymore now that PAM session mgmt does 18267729 Delegating credentials in OpenSSH 18828925 migrate the disablebanner feature from SunSSH to OpenSSH 18890096 migrate PAM enhancements from SunSSH to OpenSSH 19629847 OpenSSH does not support Solaris Audit for login/logout. 17997193 misc. problems in Makefile and openssh.p5m 18268681 openssh has non-existent /usr/local/lib in its runpath 18528305 /var/empty should be delivered readonly 19034156 PAM conversation function for passwd auth method has an incorrect assumption 19906401 should set AUTHTOK to NULL after pam_authenticate in sshpam_auth_passwd() 19517432 OpenSSH does not update utmpx on login 19570656 GSSAPIAuthentication option should default to yes 19591379 X11Forwarding and ForwardX11Trusted should default to yes 19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH 18898794 ssh connections fail with openssh, same config works with sunssh 20549448 OpenSSH X86 server core dump at audit_event 20656125 OpenSSH ed25519 algorithm signature verification failure 18435439 problem in UTILITY/OPENSSH 18491957 problem in UTILITY/OPENSSH

#
# This is to work around an unresolved symbol problem with the Kerberos
# build option. Unlike MIT Kerberos, the gss_krb5_copy_ccache() function
# is not supported on Solaris, because it violates API abstraction. This
# workaround disables storing delegated credentials on the server side.
#
# The long term goal is to replace Solaris Kerberos libraries with MIT Kerberos
# delivered from Userland gate (The Solaris MIT Kerberos Drop in Project).
# After that, function gss_krb5_copy_ccache() will be available in Solaris and
# the delegating credentials functionality will be made available using the
# upstream code.
#
--- orig/auth2-gss.c	Fri Mar 21 10:41:03 2014
+++ new/auth2-gss.c	Fri Mar 21 11:13:57 2014
@@ -47,6 +47,10 @@
 
 extern ServerOptions options;
 
+#ifdef KRB5_BUILD_FIX
+        extern gss_OID_set g_supported;
+#endif
+
 static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
 static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
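Review bot: The extern added at the top of this hunk is guarded by `#ifdef KRB5_BUILD_FIX` alone, while the definition it refers to (the sshd.c hunk at line 259) is guarded by `#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)`; if auth2-gss.c is, as upstream, compiled only inside `#ifdef GSSAPI` this cannot misfire, but using the same condition in both files makes the dependency visible to the next reader. The declaration is also indented eight spaces at file scope, which this file does not do for its other file-scope externs such as `extern ServerOptions options;`. Suggested form: `#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)` / `extern gss_OID_set g_supported;	/* built in sshd.c before the privsep fork */` / `#endif`.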
@@ -77,7 +81,13 @@
 		return (0);
 	}
 
+#ifdef KRB5_BUILD_FIX
+	/* use value obtained in privileged parent */
+	supported = g_supported;
+#else
 	ssh_gssapi_supported_oids(&supported);
+#endif
+
 	do {
 		mechs--;
 
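Review bot: `supported = g_supported;` makes the local an alias of a set owned by sshd.c, but the remainder of userauth_gssapi() (outside this hunk; in upstream 6.5p1 it ends with `gss_release_oid_set(&ms, &supported);`) would then free the global's storage while g_supported still points at it. A client that retries gssapi-with-mic after a failed first attempt would hand the freed set to gss_test_oid_set_member(), and with privilege separation disabled the release added near the end of main() in sshd.c (the hunk at line 2120) would free the same set a second time. Unless the patch also changes that tail, the borrowed set should not be released here: `#ifndef KRB5_BUILD_FIX` / `gss_release_oid_set(&ms, &supported);` / `#endif`. The comment could also say where the value comes from, e.g. `/* borrowed: set built in the privileged parent before the privsep fork and inherited by this child; do not release it here */`.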
--- orig/configure	Fri Mar 21 10:41:03 2014
+++ new/configure	Fri Mar 21 11:02:11 2014
@@ -16634,6 +16634,12 @@
 				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 			fi
+
+			# Oracle Solaris
+			# OpenSSH is mixed-up gssapi AND krb5 aplication
+			K5CFLAGS="$K5CFLAGS `$KRB5CONF --cflags krb5`"
+			K5LIBS="$K5LIBS `$KRB5CONF --libs krb5`"
+
 			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5
 $as_echo_n "checking whether we are using Heimdal... " >&6; }
 			cat confdefs.h - <<_ACEOF >conftest.$ac_ext
--- orig/sshd.c	Fri Mar 21 10:41:03 2014
+++ new/sshd.c	Fri Mar 21 11:09:30 2014
@@ -259,6 +259,11 @@
 /* Unprivileged user */
 struct passwd *privsep_pw = NULL;
 
+#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
+/* Temporary storing supported GSS mechs */
+gss_OID_set g_supported;
+#endif
+
 /* Prototypes for various functions defined later in this file. */
 void destroy_sensitive_data(void);
 void demote_sensitive_data(void);
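Review bot: The comment `/* Temporary storing supported GSS mechs */` does not say who owns the set or when it is valid, which is the one thing a reader of this cross-file global needs: it is filled in main() before the privsep fork, read through an extern in auth2-gss.c, and released in main() after authentication. Suggest replacing it with a comment along the lines of `/* Supported GSS mechanism OIDs, built once in the privileged parent before the privsep fork (the child inherits the set), read by userauth_gssapi() in auth2-gss.c and released in the parent after authentication. */`.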
@@ -1407,6 +1412,10 @@
 	av = saved_argv;
 #endif
 
+#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
+	OM_uint32 ms;
+#endif
+
 	if (geteuid() == 0 && setgroups(0, NULL) == -1)
 		debug("setgroups(): %.200s", strerror(errno));
 
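Review bot: `OM_uint32 ms;` is declared after the executable statement `av = saved_argv;`, in the middle of main()'s body (the function starts outside this hunk), and its only use is the gss_release_oid_set() call in the last sshd.c hunk; a declaration after statements needs C99 and differs from how the rest of main() declares its locals. Declaring it next to its single use keeps the variable scoped to the block that needs it and removes this hunk entirely: `{ OM_uint32 ms; gss_release_oid_set(&ms, &g_supported); }` inside the existing `#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)` block at the end of main().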
@@ -2083,6 +2092,11 @@
 	buffer_init(&loginmsg);
 	auth_debug_reset();
 
+#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
+	/* collect gss mechs for later use in privsep child */
+	ssh_gssapi_supported_oids(&g_supported);
+#endif
+
 	if (use_privsep) {
 		if (privsep_preauth(authctxt) == 1)
 			goto authenticated;
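Review bot: `ssh_gssapi_supported_oids(&g_supported);` now runs in the privileged per-connection process for every connection regardless of whether GSSAPI authentication is enabled, whereas upstream only consults the GSS mechanism list when a client actually requests gssapi-with-mic; this pulls GSS/Kerberos mechanism initialisation into the privileged parent even on servers that have turned the method off. Since `options.gss_authentication` is the flag that gates the gssapi-with-mic method (so userauth_gssapi(), and hence the read of g_supported, is not reached when it is off), the call can be conditioned: `if (options.gss_authentication)` / `	ssh_gssapi_supported_oids(&g_supported);`. The release after authentication then sees GSS_C_NO_OID_SET, which gss_release_oid_set() treats as a no-op in the MIT implementation; confirm the Solaris library does the same before relying on it. The call also reports nothing back, so a failure inside it leaves g_supported as an empty set and GSSAPI auth silently unavailable; a `debug()` line here stating how many mechanisms were collected would make that diagnosable.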
@@ -2120,6 +2134,10 @@
 		startup_pipe = -1;
 	}
 
+#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
+	gss_release_oid_set(&ms, &g_supported);
+#endif 
+
 #ifdef SSH_AUDIT_EVENTS
 	audit_event(SSH_AUTH_SUCCESS);
 #endif
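Review bot: The added `#endif ` carries trailing whitespace, unlike the other guards in this patch and the surrounding sshd.c, which is kept free of it; it should read `#endif`. The minor status written to `ms` is never examined, which matches how the rest of sshd.c treats release calls and is fine to leave as is.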