PSARC/2016/216 OpenSSH 7.2p2 upgrade. Host keys and moduli updates
22931214 upgrade OpenSSH to 7.2p2
22931349 problem in UTILITY/OPENSSH
20955968 remove servconf.c portion of 003-last_login.patch when upgrading to OpenSSH 7.2
22489925 Re-enable Curve25519 in OpenSSH
#
# This patch contains changes to the default SSH system configurations for
# /etc/ssh/sshd_config and /etc/ssh/ssh_config on Solaris.
#
# This is a Solaris specific patch and will not be contributed back to the
# upstream community.
#
diff -pur old/ssh_config new/ssh_config
--- old/ssh_config
+++ new/ssh_config
@@ -24,8 +24,9 @@
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
-# GSSAPIAuthentication no
+# GSSAPIAuthentication yes
# GSSAPIDelegateCredentials no
+# GSSAPIKeyExchange yes
# BatchMode no
# CheckHostIP yes
# AddressFamily any
@@ -48,3 +49,7 @@
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
+
+# Send the LANG and LC_* environment variables to server.
+SendEnv LANG
+SendEnv LC_*
diff -pur old/sshd_config new/sshd_config
--- old/sshd_config
+++ new/sshd_config
@@ -1,133 +1,96 @@
-# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
+# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
+#
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
+# Listen port (the IANA registered port number for ssh is 22)
#Port 22
+
+# The default listen address is all interfaces, this may need to be changed
+# if you wish to restrict the interfaces sshd listens on for a multi homed host.
+# Multiple ListenAddress entries are allowed.
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
-# The default requires explicit activation of protocol 1
-#Protocol 2
+# If port forwarding is enabled (default), specify if the server can bind to
+# INADDR_ANY.
+# This allows the local port forwarding to work when connections are received
+# from any remote host.
+#GatewayPorts no
-# HostKey for protocol version 1
-#HostKey /etc/ssh/ssh_host_key
-# HostKeys for protocol version 2
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_dsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Lifetime and size of ephemeral version 1 server key
-#KeyRegenerationInterval 1h
-#ServerKeyBits 1024
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-# obsoletes QuietMode and FascistLogging
-#SyslogFacility AUTH
-#LogLevel INFO
+# X11 tunneling options
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+X11Forwarding yes
-# Authentication:
+# The maximum number of concurrent unauthenticated connections to sshd.
+# start:rate:full see sshd(1) for more information.
+#MaxStartups 10:30:100
-#LoginGraceTime 2m
-#PermitRootLogin prohibit-password
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
+# Banner to be printed before authentication starts.
+Banner /etc/issue
-#RSAAuthentication yes
-#PubkeyAuthentication yes
+# Should sshd print the /etc/motd file and check for mail.
+# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
+PrintMotd no
+
+# KeepAlive specifies whether keep alive messages are sent to the client.
+# See sshd(1) for detailed description of what this means.
+# Note that the client may also be sending keep alive messages to the server.
+#KeepAlive yes
+
+# Syslog facility and level
+#SyslogFacility auth
+#LogLevel info
+
+#
+# Authentication configuration
+#
+
+# Host private key files
+# Must be on a local disk and readable only by the root user (root:sys 600).
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+
+# sshd regenerates the key every KeyRegenerationInterval seconds.
+# The key is never stored anywhere except the memory of sshd.
+# The default is 1 hour (3600 seconds).
+#KeyRegenerationInterval 3600
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile .ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#RhostsRSAAuthentication no
-# similar for protocol version 2
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# RhostsRSAAuthentication and HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
+# Ensure secure permissions on users .ssh directory.
+#StrictModes yes
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+# Length of time in seconds before a client that hasn't completed
+# authentication is disconnected.
+# Default is 120 seconds. 0 means no time limit.
+#LoginGraceTime 120
+
+# Maximum number of retries for authentication
+# Default is 6.
+#MaxAuthTries 6
+
+# Are logins to accounts with empty passwords allowed.
+# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK
+# to pam_authenticate(3PAM).
#PermitEmptyPasswords no
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-#UsePAM no
+# To disable tunneled clear text passwords, change PasswordAuthentication to no.
+#PasswordAuthentication yes
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-#X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-#PrintMotd yes
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation sandbox
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
+# Are root logins permitted using sshd.
+# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
+# maybe denied access by a PAM module regardless of this setting.
+# Valid options are yes, without-password, no.
+PermitRootLogin no
+
+# sftp subsystem
+Subsystem sftp internal-sftp
+
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
+#IgnoreUserKnownHosts yes
+
+# Accept the LANG and LC_* environment variables sent by the client.
+AcceptEnv LANG
+AcceptEnv LC_*