PSARC 2012/335 OpenSSH migration
PSARC 2013/115 Shared configuration for SunSSH & OpenSSH
PSARC 2014/078 OpenSSH 6.5
PSARC 2014/342 pam_unix_session lastlog support
15769261 SUNBT7135649 Deliver OpenSSH 6.0P1 in the userland gate
18205826 upgrade OpenSSH to 6.5p1
19579776 OpenSSH doesn't need to reference lastlog anymore now that PAM session mgmt does
18267729 Delegating credentials in OpenSSH
18828925 migrate the disablebanner feature from SunSSH to OpenSSH
18890096 migrate PAM enhancements from SunSSH to OpenSSH
19629847 OpenSSH does not support Solaris Audit for login/logout.
17997193 misc. problems in Makefile and openssh.p5m
18268681 openssh has non-existent /usr/local/lib in its runpath
18528305 /var/empty should be delivered readonly
19034156 PAM conversation function for passwd auth method has an incorrect assumption
19906401 should set AUTHTOK to NULL after pam_authenticate in sshpam_auth_passwd()
19517432 OpenSSH does not update utmpx on login
19570656 GSSAPIAuthentication option should default to yes
19591379 X11Forwarding and ForwardX11Trusted should default to yes
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
18898794 ssh connections fail with openssh, same config works with sunssh
20549448 OpenSSH X86 server core dump at audit_event
20656125 OpenSSH ed25519 algorithm signature verification failure
18435439 problem in UTILITY/OPENSSH
18491957 problem in UTILITY/OPENSSH
#
# Some options in OpenSSH have different default values from those in SunSSH.
# To make the transition smoother from SunSSH to OpenSSH, we change default
# values for the following options to be the same as those in SunSSH.
#
# GSSAPIAuthentication (for both server and client)
# X11Forwarding (for server)
# ForwardX11Trusted (for client)
#
# This is for Solaris only; we will not contribute these changes back to
# upstream.
#
--- orig/readconf.c Thu Sep 4 17:27:04 2014
+++ new/readconf.c Tue Sep 9 17:33:50 2014
@@ -1575,7 +1575,11 @@
if (options->forward_x11 == -1)
options->forward_x11 = 0;
if (options->forward_x11_trusted == -1)
+#ifdef OPTION_DEFAULT_VALUE
+ options->forward_x11_trusted = 1;
+#else
options->forward_x11_trusted = 0;
+#endif
if (options->forward_x11_timeout == -1)
options->forward_x11_timeout = 1200;
if (options->exit_on_forward_failure == -1)
@@ -1593,7 +1597,11 @@
if (options->challenge_response_authentication == -1)
options->challenge_response_authentication = 1;
if (options->gss_authentication == -1)
+#ifdef OPTION_DEFAULT_VALUE
+ options->gss_authentication = 1;
+#else
options->gss_authentication = 0;
+#endif
if (options->gss_deleg_creds == -1)
options->gss_deleg_creds = 0;
if (options->password_authentication == -1)
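Review bot: the `#ifdef`/`#else`/`#endif` sits between `if (options->gss_authentication == -1)` and its unbraced single-statement body, so the `if` is only correct while exactly one assignment survives preprocessing; a later edit that adds a second statement to either branch silently changes what the `if` guards. Suggest defining the default once near the top of the file as a macro that expands to 1 or 0 and keeping a single assignment line here, which also reduces the difference from upstream to one line per site. Leaving `gss_deleg_creds` at 0 in the trailing context is the right call, since enabling GSSAPI authentication by default should not also start delegating credentials.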
--- orig/servconf.c Thu Sep 4 17:17:58 2014
+++ new/servconf.c Tue Sep 9 17:36:32 2014
@@ -208,7 +208,11 @@
if (options->print_lastlog == -1)
options->print_lastlog = 1;
if (options->x11_forwarding == -1)
+#ifdef OPTION_DEFAULT_VALUE
+ options->x11_forwarding = 1;
+#else
options->x11_forwarding = 0;
+#endif
if (options->x11_display_offset == -1)
options->x11_display_offset = 10;
if (options->x11_use_localhost == -1)
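Review bot: nothing at the `options->x11_forwarding = 1;` site says why the server default differs from upstream; the rationale exists only in the patch header, which is not visible in servconf.c once the patch is applied. Suggest a one-line comment above the `#ifdef` stating that this matches the SunSSH default and that an explicit `X11Forwarding no` in sshd_config overrides it, so an administrator reading the source does not have to find the patch to learn that forwarding is on when the option is absent.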
@@ -244,7 +248,11 @@
if (options->kerberos_get_afs_token == -1)
options->kerberos_get_afs_token = 0;
if (options->gss_authentication == -1)
+#ifdef OPTION_DEFAULT_VALUE
+ options->gss_authentication = 1;
+#else
options->gss_authentication = 0;
+#endif
if (options->gss_cleanup_creds == -1)
options->gss_cleanup_creds = 1;
if (options->password_authentication == -1)
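Review bot: `OPTION_DEFAULT_VALUE` gates this server-side GSSAPI default, the X11Forwarding default above it and both client defaults in readconf.c, yet the name says nothing about SunSSH compatibility or Solaris, and none of the hunks shown here define it. Suggest a name that states the purpose (SunSSH-compatible defaults) and a pointer in the patch header to where the build sets it, so a build that omits the flag is not mistaken for one that carries the Solaris defaults.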
--- orig/ssh_config.5 Thu Sep 4 17:58:05 2014
+++ new/ssh_config.5 Tue Sep 9 17:48:39 2014
@@ -643,8 +643,8 @@
token used for the session will be set to expire after 20 minutes.
Remote clients will be refused access after this time.
.Pp
-The default is
-.Dq no .
+The default on Solaris is
+.Dq yes .
.Pp
See the X11 SECURITY extension specification for full details on
the restrictions imposed on untrusted clients.
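Review bot: the replacement text `The default on Solaris is` / `.Dq yes .` is unconditional, while the matching code default in readconf.c is only 1 when `OPTION_DEFAULT_VALUE` is defined, so the man page and the binary disagree for any build without that macro. The upstream default is also dropped from the page; suggest keeping it in the sentence (for example, stating that the default on Solaris is yes whereas upstream OpenSSH defaults to no), since the preceding paragraph on the 20-minute token describes behaviour that no longer applies out of the box.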
@@ -673,8 +673,8 @@
.Pa /etc/ssh/ssh_known_hosts2 .
.It Cm GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed.
-The default is
-.Dq no .
+The default on Solaris is
+.Dq yes .
Note that this option applies to protocol version 2 only.
.It Cm GSSAPIDelegateCredentials
Forward (delegate) credentials to the server.
--- orig/sshd_config.5 Thu Sep 4 17:58:07 2014
+++ new/sshd_config.5 Tue Sep 9 17:49:58 2014
@@ -490,8 +490,8 @@
.Dq no .
.It Cm GSSAPIAuthentication
Specifies whether user authentication based on GSSAPI is allowed.
-The default is
-.Dq no .
+The default on Solaris is
+.Dq yes .
Note that this option applies to protocol version 2 only.
.It Cm GSSAPICleanupCredentials
Specifies whether to automatically destroy the user's credentials cache
@@ -1239,8 +1239,8 @@
.Dq yes
or
.Dq no .
-The default is
-.Dq no .
+The default on Solaris is
+.Dq yes .
.Pp
When X11 forwarding is enabled, there may be additional exposure to
the server and to client displays if the
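Review bot: with the default flipped to `.Dq yes .`, the paragraph that follows ("When X11 forwarding is enabled, there may be additional exposure to the server and to client displays ...") now describes the out-of-the-box configuration rather than an opt-in one, and the hunk leaves it worded as if the administrator had chosen to enable forwarding. Suggest adding a sentence after the default stating that forwarding is enabled unless `X11Forwarding no` is set, so the exposure warning reads as applying to an unmodified Solaris sshd_config.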