# HG changeset patch
# User Huie-Ying Lee
# Date 1387570654 28800
# Node ID 3f2ec017627f23241206229d27e382d9d01980e9
# Parent 6b7edd68c53f43e7fb11ec9fdf09b25b80d2e32d
PSARC 2012/335 OpenSSH migration PSARC 2013/115 Shared configuration for SunSSH & OpenSSH 15769261 SUNBT7135649 Deliver OpenSSH 6.0P1 in the userland gate (OpenSSH migration phase 2) 16306216 problem in UTILITY/OPENSSH
diff -r 6b7edd68c53f -r 3f2ec017627f components/openssh/Makefile
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/Makefile Fri Dec 20 12:17:34 2013 -0800
@@ -0,0 +1,75 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+#
+include ../../make-rules/shared-macros.mk
+
+COMPONENT_NAME= openssh
+COMPONENT_VERSION= 6.0
+COMPONENT_PORTABLE_VERSION = $(COMPONENT_VERSION)p1
+COMPONENT_PROJECT_URL= http://www.openssh.org/
+COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_PORTABLE_VERSION)
+COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz
+COMPONENT_ARCHIVE_HASH= sha256:589d48e952d6c017e667873486b5df63222f9133d417d0002bd6429d9bd882de
+COMPONENT_ARCHIVE_URL= http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/$(COMPONENT_ARCHIVE)
+COMPONENT_BUGDB=utility/openssh
+
+include ../../make-rules/prep.mk
+include ../../make-rules/configure.mk
+include ../../make-rules/ips.mk
+
+# Enable ASLR for this component
+ASLR_MODE = $(ASLR_ENABLE)
+
+CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS) -DSET_USE_PAM -DDEPRECATE_SUNSSH_OPT -DLASTLOG_FIX -DKRB5_BUILD_FIX -DAUE_openssh=6172"
+
+# We need to disable lazyloading of dynamic dependent libraries. During the
+# pre-authentication phase, sshd will chroot to /var/empty which doesn't
+# contain any files. If we use lazyloading, sshd will fail to find any
+# libraries that it needs.
+CONFIGURE_OPTIONS += LDFLAGS="$(LDFLAGS) -B direct -z nolazyload"
+
+CONFIGURE_OPTIONS += --with-audit=bsm
+CONFIGURE_OPTIONS += --with-libedit
+CONFIGURE_OPTIONS += --with-kerberos5
+CONFIGURE_OPTIONS += --with-pam
+CONFIGURE_OPTIONS += --with-sandbox=no
+CONFIGURE_OPTIONS += --with-solaris-contracts
+CONFIGURE_OPTIONS += --with-solaris-projects
+CONFIGURE_OPTIONS += --with-tcp-wrappers
+CONFIGURE_OPTIONS += --with-4in6
+CONFIGURE_OPTIONS += --enable-strip=no
+CONFIGURE_OPTIONS += --libexecdir=/usr/lib/ssh
+CONFIGURE_OPTIONS += --sbindir=/usr/lib/ssh
+CONFIGURE_OPTIONS += --sysconfdir=/etc/ssh
+
+# common targets
+build: $(BUILD_32)
+
+install: $(INSTALL_32)
+
+# Because of certain set up requirement, the regress test suite is ported to
+# the STC gate.
+test: $(NO_TESTS)
+
+BUILD_PKG_DEPENDENCIES = $(BUILD_TOOLS)
+
+include ../../make-rules/depend.mk
diff -r 6b7edd68c53f -r 3f2ec017627f components/openssh/openssh.license
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/openssh.license Fri Dec 20 12:17:34 2013 -0800
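Review bot: `CONFIGURE_OPTIONS += --with-sandbox=no` switches off the privilege-separation sandbox for the pre-authentication child without a comment, while the neighbouring LDFLAGS line does explain its rationale. That drops a defence-in-depth layer (the chroot to /var/empty described just above still applies), so the reason belongs next to it — presumably 6.0p1 only ships rlimit/systrace/seccomp-filter/darwin backends and none of them exists on Solaris — e.g. `# No sandbox backend for Solaris in 6.0p1; the privsep child still chroots to /var/empty. Revisit when one is available.`. The tarball is also fetched over plain http from a third-party mirror, so COMPONENT_ARCHIVE_HASH is the only integrity control on the source; a comment stating that the sha256 was cross-checked against the upstream-published checksum or signature would make that explicit for the next version bump.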
@@ -0,0 +1,340 @@ +This file is part of the OpenSSH software. + +The licences which components of this software fall under are as +follows. First, we will summarize and say that all components +are under a BSD licence, or a licence more free than that. + +OpenSSH contains no GPL code. + +1) + * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland + * All rights reserved + * + * As far as I am concerned, the code I have written for this software + * can be used freely for any purpose. Any derived versions of this + * software must be clearly marked as such, and if the derived work is + * incompatible with the protocol description in the RFC file, it must be + * called by a name other than "ssh" or "Secure Shell". + + [Tatu continues] + * However, I am not implying to give any licenses to any patents or + * copyrights held by third parties, and the software includes parts that + * are not under my direct control. As far as I know, all included + * source code is used in accordance with the relevant license agreements + * and can be used freely for any purpose (the GNU license being the most + * restrictive); see below for details. + + [However, none of that term is relevant at this point in time. 
All of + these restrictively licenced software components which he talks about + have been removed from OpenSSH, i.e., + + - RSA is no longer included, found in the OpenSSL library + - IDEA is no longer included, its use is deprecated + - DES is now external, in the OpenSSL library + - GMP is no longer used, and instead we call BN code from OpenSSL + - Zlib is now external, in a library + - The make-ssh-known-hosts script is no longer included + - TSS has been removed + - MD5 is now external, in the OpenSSL library + - RC4 support has been replaced with ARC4 support from OpenSSL + - Blowfish is now external, in the OpenSSL library + + [The licence continues] + + Note that any information and cryptographic algorithms used in this + software are publicly available on the Internet and at any major + bookstore, scientific library, and patent office worldwide. More + information can be found e.g. at "http://www.cs.hut.fi/crypto". + + The legal status of this program is some combination of all these + permissions and restrictions. Use only at your own responsibility. + You will be responsible for any legal consequences yourself; I am not + making any claims whether possessing or using this is legal or not in + your country, and I am not taking any responsibility on your behalf. + + + NO WARRANTY + + BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY + FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN + OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES + PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED + OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS + TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE + PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, + REPAIR OR CORRECTION. 
+ + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING + WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR + REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, + INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING + OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED + TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY + YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER + PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE + POSSIBILITY OF SUCH DAMAGES. + +2) + The 32-bit CRC compensation attack detector in deattack.c was + contributed by CORE SDI S.A. under a BSD-style license. + + * Cryptographic attack detector for ssh - source code + * + * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. + * + * All rights reserved. Redistribution and use in source and binary + * forms, with or without modification, are permitted provided that + * this copyright notice is retained. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR + * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS + * SOFTWARE. + * + * Ariel Futoransky + * + +3) + ssh-keyscan was contributed by David Mazieres under a BSD-style + license. + + * Copyright 1995, 1996 by David Mazieres . + * + * Modification and redistribution in source and binary forms is + * permitted provided that due credit is given to the author and the + * OpenBSD project by leaving this copyright notice intact. 
+ +4) + The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers + and Paulo Barreto is in the public domain and distributed + with the following license: + + * @version 3.0 (December 2000) + * + * Optimised ANSI C code for the Rijndael cipher (now AES) + * + * @author Vincent Rijmen + * @author Antoon Bosselaers + * @author Paulo Barreto + * + * This code is hereby placed in the public domain. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS + * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE + * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, + * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +5) + One component of the ssh source code is under a 3-clause BSD license, + held by the University of California, since we pulled these parts from + original Berkeley code. + + * Copyright (c) 1983, 1990, 1992, 1993, 1995 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. 
Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + +6) + Remaining components of the software are provided under a standard + 2-term BSD licence with the following names as copyright holders: + + Markus Friedl + Theo de Raadt + Niels Provos + Dug Song + Aaron Campbell + Damien Miller + Kevin Steves + Daniel Kouril + Wesley Griffin + Per Allansson + Nils Nordman + Simon Wilkinson + + Portable OpenSSH additionally includes code from the following copyright + holders, also under the 2-term BSD license: + + Ben Lindstrom + Tim Rice + Andre Lucas + Chris Adams + Corinna Vinschen + Cray Inc. + Denis Parker + Gert Doering + Jakob Schlyter + Jason Downs + Juha Yrjölä + Michael Stone + Networks Associates Technology, Inc. + Solar Designer + Todd C. Miller + Wayne Schroeder + William Jones + Darren Tucker + Sun Microsystems + The SCO Group + Daniel Walsh + Red Hat, Inc + Simon Vallet / Genoscope + + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. 
Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +8) Portable OpenSSH contains the following additional licenses: + + a) md5crypt.c, md5crypt.h + + * "THE BEER-WARE LICENSE" (Revision 42): + * wrote this file. As long as you retain this + * notice you can do whatever you want with this stuff. If we meet + * some day, and you think this stuff is worth it, you can buy me a + * beer in return. Poul-Henning Kamp + + b) snprintf replacement + + * Copyright Patrick Powell 1995 + * This code is based on code written by Patrick Powell + * (papowell@astart.com) It may be used for any purpose as long as this + * notice remains intact on all source code distributions + + c) Compatibility code (openbsd-compat) + + Apart from the previously mentioned licenses, various pieces of code + in the openbsd-compat/ subdirectory are licensed as follows: + + Some code is licensed under a 3-term BSD license, to the following + copyright holders: + + Todd C. 
Miller + Theo de Raadt + Damien Miller + Eric P. Allman + The Regents of the University of California + Constantin S. Svintsoff + + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + + Some code is licensed under an ISC-style license, to the following + copyright holders: + + Internet Software Consortium. + Todd C. 
Miller + Reyk Floeter + Chad Mynhier + + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL + * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE + * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + + Some code is licensed under a MIT-style license to the following + copyright holders: + + Free Software Foundation, Inc. + + * Permission is hereby granted, free of charge, to any person obtaining a * + * copy of this software and associated documentation files (the * + * "Software"), to deal in the Software without restriction, including * + * without limitation the rights to use, copy, modify, merge, publish, * + * distribute, distribute with modifications, sublicense, and/or sell * + * copies of the Software, and to permit persons to whom the Software is * + * furnished to do so, subject to the following conditions: * + * * + * The above copyright notice and this permission notice shall be included * + * in all copies or substantial portions of the Software. * + * * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * + * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * + * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
* + * IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, * + * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR * + * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR * + * THE USE OR OTHER DEALINGS IN THE SOFTWARE. * + * * + * Except as contained in this notice, the name(s) of the above copyright * + * holders shall not be used in advertising or otherwise to promote the * + * sale, use or other dealings in this Software without prior written * + * authorization. * + ****************************************************************************/ + + +------ +$OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $ diff -r 6b7edd68c53f -r 3f2ec017627f components/openssh/openssh.p5m --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/openssh/openssh.p5m Fri Dec 20 12:17:34 2013 -0800 
@@ -0,0 +1,124 @@ +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# +# Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. +# + default mangler.man.stability uncommitted> +set name=pkg.fmri \ + value=pkg:/network/openssh@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION) +set name=pkg.summary value="OPENSSH 6.0" +set name=info.classification value=org.opensolaris.category.2008:System/Security +set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) +set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) +set name=org.opensolaris.arc-caseid value=PSARC/2012/335 +set name=org.opensolaris.consolidation value=$(CONSOLIDATION) +link path=usr/bin/scp target=../lib/openssh/bin/scp mediator=ssh \ + mediator-implementation=openssh +link path=usr/bin/sftp target=../lib/openssh/bin/sftp mediator=ssh \ + mediator-implementation=openssh +link path=usr/bin/ssh target=../lib/openssh/bin/ssh mediator=ssh \ + mediator-implementation=openssh +link path=usr/bin/ssh-add target=../lib/openssh/bin/ssh-add mediator=ssh \ + mediator-implementation=openssh +link path=usr/bin/ssh-agent target=../lib/openssh/bin/ssh-agent mediator=ssh \ + mediator-implementation=openssh +link path=usr/bin/ssh-keygen 
target=../lib/openssh/bin/ssh-keygen mediator=ssh \ + mediator-implementation=openssh +link path=usr/bin/ssh-keyscan target=../lib/openssh/bin/ssh-keyscan \ + mediator=ssh mediator-implementation=openssh +file usr/bin/scp path=usr/lib/openssh/bin/scp mode=0555 +file usr/bin/sftp path=usr/lib/openssh/bin/sftp mode=0555 +file usr/bin/ssh path=usr/lib/openssh/bin/ssh mode=0555 +file usr/bin/ssh-add path=usr/lib/openssh/bin/ssh-add mode=0555 +file usr/bin/ssh-agent path=usr/lib/openssh/bin/ssh-agent mode=2555 +file usr/bin/ssh-keygen path=usr/lib/openssh/bin/ssh-keygen mode=0555 +file usr/bin/ssh-keyscan path=usr/lib/openssh/bin/ssh-keyscan mode=0555 +file usr/lib/ssh/sftp-server path=usr/lib/openssh/lib/sftp-server mode=0555 +file usr/lib/ssh/ssh-keysign path=usr/lib/openssh/lib/ssh-keysign mode=4555 +file usr/lib/ssh/ssh-pkcs11-helper path=usr/lib/openssh/lib/ssh-pkcs11-helper \ + mode=0555 +file usr/lib/ssh/sshd path=usr/lib/openssh/lib/sshd mode=0555 +link path=usr/lib/ssh/sftp-server target=../openssh/lib/sftp-server \ + mediator=ssh mediator-implementation=openssh +link path=usr/lib/ssh/ssh-keysign target=../openssh/lib/ssh-keysign \ + mediator=ssh mediator-implementation=openssh +link path=usr/lib/ssh/ssh-pkcs11-helper \ + target=../openssh/lib/ssh-pkcs11-helper mediator=ssh \ + mediator-implementation=openssh +link path=usr/lib/ssh/sshd target=../openssh/lib/sshd mediator=ssh \ + mediator-implementation=openssh restart_fmri=svc:/network/ssh:default +link path=usr/share/man/man1/scp.1 target=./scp.openssh.1 mediator=ssh \ + mediator-implementation=openssh +file usr/share/man/man1/scp.1 path=usr/share/man/man1/scp.openssh.1 mode=0444 +link path=usr/share/man/man1/sftp.1 target=./sftp.openssh.1 mediator=ssh \ + mediator-implementation=openssh +file usr/share/man/man1/sftp.1 path=usr/share/man/man1/sftp.openssh.1 mode=0444 +link path=usr/share/man/man1/ssh-add.1 target=./ssh-add.openssh.1 mediator=ssh \ + mediator-implementation=openssh +file 
usr/share/man/man1/ssh-add.1 path=usr/share/man/man1/ssh-add.openssh.1 \ + mode=0444 +link path=usr/share/man/man1/ssh-agent.1 target=./ssh-agent.openssh.1 \ + mediator=ssh mediator-implementation=openssh +file usr/share/man/man1/ssh-agent.1 \ + path=usr/share/man/man1/ssh-agent.openssh.1 mode=0444 +link path=usr/share/man/man1/ssh-keygen.1 target=./ssh-keygen.openssh.1 \ + mediator=ssh mediator-implementation=openssh +file usr/share/man/man1/ssh-keygen.1 \ + path=usr/share/man/man1/ssh-keygen.openssh.1 mode=0444 +link path=usr/share/man/man1/ssh-keyscan.1 target=./ssh-keyscan.openssh.1 \ + mediator=ssh mediator-implementation=openssh +file usr/share/man/man1/ssh-keyscan.1 \ + path=usr/share/man/man1/ssh-keyscan.openssh.1 mode=0444 +link path=usr/share/man/man1/ssh.1 target=./ssh.openssh.1 mediator=ssh \ + mediator-implementation=openssh +file usr/share/man/man1/ssh.1 path=usr/share/man/man1/ssh.openssh.1 mode=0444 +link path=usr/share/man/man1m/sftp-server.1m target=./sftp-server.openssh.1m \ + mediator=ssh mediator-implementation=openssh +file usr/share/man/man8/sftp-server.8 \ + path=usr/share/man/man1m/sftp-server.openssh.1m +link path=usr/share/man/man1m/ssh-keysign.1m target=./ssh-keysign.openssh.1m \ + mediator=ssh mediator-implementation=openssh +file usr/share/man/man8/ssh-keysign.8 \ + path=usr/share/man/man1m/ssh-keysign.openssh.1m +link path=usr/share/man/man1m/ssh-pkcs11-helper.1m \ + target=./ssh-pkcs11-helper.openssh.1m mediator=ssh \ + mediator-implementation=openssh +file usr/share/man/man8/ssh-pkcs11-helper.8 \ + path=usr/share/man/man1m/ssh-pkcs11-helper.openssh.1m +link path=usr/share/man/man1m/sshd.1m target=./sshd.openssh.1m mediator=ssh \ + mediator-implementation=openssh +file usr/share/man/man8/sshd.8 path=usr/share/man/man1m/sshd.openssh.1m +link path=usr/share/man/man4/moduli.4 target=./moduli.openssh.4 mediator=ssh \ + mediator-implementation=openssh +file usr/share/man/man5/moduli.5 path=usr/share/man/man4/moduli.openssh.4 +link 
path=usr/share/man/man4/ssh_config.4 target=./ssh_config.openssh.4 \ + mediator=ssh mediator-implementation=openssh +file usr/share/man/man5/ssh_config.5 \ + path=usr/share/man/man4/ssh_config.openssh.4 +link path=usr/share/man/man4/sshd_config.4 target=./sshd_config.openssh.4 \ + mediator=ssh mediator-implementation=openssh +file usr/share/man/man5/sshd_config.5 \ + path=usr/share/man/man4/sshd_config.openssh.4 +dir path=var/empty owner=root group=sys mode=0755 +group groupname=sshd gid=22 +user username=sshd ftpuser=false gcos-field="sshd privsep" group=sshd \ + home-dir=/var/empty login-shell=/bin/false uid=22 +license openssh.license license="BSD, BSD-like" +depend type=require fmri=service/network/ssh-common diff -r 6b7edd68c53f -r 3f2ec017627f components/openssh/patches/001-skip_config_check.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/openssh/patches/001-skip_config_check.patch Fri Dec 20 12:17:34 2013 -0800 
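Review bot: `file usr/lib/ssh/ssh-keysign ... mode=4555` delivers a set-uid-root helper and `file usr/bin/ssh-agent ... mode=2555` a set-gid one to every system that installs the package, with nothing in the manifest saying why those bits are needed. Both presumably mirror upstream's install layout (ssh-keysign has to read the host private keys for host-based authentication, which the client config leaves disabled by default; ssh-agent's set-gid protects it from being traced by the user's other processes), but a reader auditing delivered privileged binaries has to know that, so a one-line `#` comment above each action naming the purpose of the privilege would help. Separately, the man8→man1m and man5→man4 `file` actions omit `mode=0444` while the man1 entries set it; the transform default likely covers it, but being consistent avoids the question.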
@@ -0,0 +1,27 @@
+#
+# This change is to remove some misleading error messages when running
+# "gmake install". OpenSSH mixes the building and running together. Some
+# system setup checking for running the program needs to be removed, because
+# they are not suitable in a build system. This is for Solaris only, so we
+# will not contribute back this change to the upstream community.
+#
+--- orig/Makefile.in Wed Mar 27 16:56:36 2013
++++ new/Makefile.in Wed Mar 27 17:05:06 2013
+@@ -237,7 +237,16 @@
+ install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+ 
+ check-config:
+- -$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
++# On Solaris, to workaround OpenSSH's unlucky mixing of 'building ssh' and
++# 'running ssh', on build machine the following requisites shouldn't be
++# enforced:
++# 1) existence of privsep user sshd
++# 2) existence of privsep directory /var/empty
++# 3) read permissions for /etc/ssh/ssh_host_[rsa,dsa]_key
++#
++# -$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
++#
++ @echo 'Oracle Solaris: skipping check-config'
+ 
+ install-files:
+ $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
diff -r 6b7edd68c53f -r 3f2ec017627f components/openssh/patches/002-pam_support.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/002-pam_support.patch Fri Dec 20 12:17:34 2013 -0800
@@ -0,0 +1,42 @@
+#
+# To comply to the Solaris PAM policy, the UsePAM option is changed to be
+# always on and not configurable on Solaris. This is for Solaris only, so we
+# will not contribute the changes to the upstream community.
+#
+*** orig/servconf.c Mon Dec 5 17:23:03 2011
+--- new/servconf.c Wed Dec 7 13:41:04 2011
+***************
+*** 145,151 ****
+--- 145,156 ----
+ {
+ /* Portable-specific options */
+ if (options->use_pam == -1)
++ #ifdef SET_USE_PAM
++ /* use_pam should be always set to 1 on Solaris */
++ options->use_pam = 1;
++ #else
+ options->use_pam = 0;
++ #endif
+ 
+ /* Standard Options */
+ if (options->protocol == SSH_PROTO_UNKNOWN)
+***************
+*** 755,762 ****
+--- 760,776 ----
+ switch (opcode) {
+ /* Portable-specific options */
+ case sUsePAM:
++ #ifdef SET_USE_PAM
++ /* UsePAM is always on and not configurable on Solaris */
++ logit("%s line %d: ignoring UsePAM option value."
++ " This option is always on.", filename, linenum);
++ while (arg)
++ arg = strdelim(&cp);
++ break;
++ #else
+ intptr = &options->use_pam;
+ goto parse_flag;
++ #endif
+ 
+ /* Standard Options */
+ case sBadOption:
diff -r 6b7edd68c53f -r 3f2ec017627f components/openssh/patches/003-last_login.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/003-last_login.patch Fri Dec 20 12:17:34 2013 -0800
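Review bot: Both `#ifdef SET_USE_PAM` blocks in servconf.c force `options->use_pam = 1` and discard the `UsePAM` keyword on the strength of SET_USE_PAM alone, without also requiring `USE_PAM` (the `--with-pam` configure result); should the two ever diverge, sshd would run with use_pam set while every PAM code path is compiled out. Patch 003 in this same commit already writes `#if defined(LASTLOG_FIX) && defined(USE_PAM)` for exactly this situation, so the same form, `#if defined(SET_USE_PAM) && defined(USE_PAM)`, should be used in both hunks here. The `while (arg) arg = strdelim(&cp);` loop in the sUsePAM case also deserves a one-line comment, e.g. `/* consume the rest of the line so the ignored value is not reported as trailing garbage */`, since its purpose is not obvious from the surrounding code (hedged: I am inferring the trailing-garbage check from upstream servconf.c, which is outside this hunk).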
@@ -0,0 +1,90 @@
+#
+# We changed the OpenSSH to not record the last login time when the "UsePAM"
+# option is on, because the PAM session module in Solaris will record the last
+# login time. This is for Solaris only, so we will not contribute back this
+# change to the upstream community.
+#
+*** orig/sshd.c Thu Oct 4 16:08:28 2012
+--- new/sshd.c Thu Oct 4 16:06:05 2012
+***************
+*** 128,133 ****
+--- 128,137 ----
+ int deny_severity;
+ #endif /* LIBWRAP */
+ 
++ #if defined(LASTLOG_FIX) && defined(USE_PAM)
++ #include "sshlogin.h"
++ #endif
++ 
+ #ifndef O_NOCTTY
+ #define O_NOCTTY 0
+ #endif
+***************
+*** 2028,2033 ****
+--- 2032,2041 ----
+ #endif
+ #ifdef USE_PAM
+ if (options.use_pam) {
++ #ifdef LASTLOG_FIX
++ store_lastlog_message(authctxt->pw->pw_name,
++ authctxt->pw->pw_uid);
++ #endif
+ do_pam_setcred(1);
+ do_pam_session();
+ }
+*** orig/sshlogin.h Thu Oct 4 16:08:54 2012
+--- new/sshlogin.h Thu Oct 4 16:06:31 2012
+***************
+*** 14,19 ****
+--- 14,22 ----
+ 
+ void record_login(pid_t, const char *, const char *, uid_t,
+ const char *, struct sockaddr *, socklen_t);
++ #ifdef LASTLOG_FIX
++ void store_lastlog_message(const char *, uid_t);
++ #endif
+ void record_logout(pid_t, const char *, const char *);
+ time_t get_last_login_time(uid_t, const char *, char *, u_int);
+ 
+*** orig/sshlogin.c Thu Oct 4 16:08:42 2012
+--- new/sshlogin.c Thu Oct 4 16:35:27 2012
+***************
+*** 83,89 ****
+--- 83,93 ----
+ * Generate and store last login message. This must be done before
+ * login_login() is called and lastlog is updated.
+ */
++ #ifndef LASTLOG_FIX
+ static void
++ #else
++ void
++ #endif
+ store_lastlog_message(const char *user, uid_t uid)
+ {
+ #ifndef NO_SSH_LASTLOG
+***************
+*** 128,133 ****
+--- 132,141 ----
+ {
+ struct logininfo *li;
+ 
++ #ifdef LASTLOG_FIX
++ /* In Solaris, PAM takes care of last login tracking */
++ if (!options.use_pam) {
++ #endif
+ /* save previous login details before writing new */
+ store_lastlog_message(user, uid);
+ 
+***************
+*** 135,140 ****
+--- 143,152 ----
+ login_set_addr(li, addr, addrlen);
+ login_login(li);
+ login_free_entry(li);
++ 
++ #ifdef LASTLOG_FIX
++ }
++ #endif
+ }
+ 
+ #ifdef LOGIN_NEEDS_UTMPX
diff -r 6b7edd68c53f -r 3f2ec017627f components/openssh/patches/004-broken_bsm_api.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/004-broken_bsm_api.patch Fri Dec 20 12:17:34 2013 -0800
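Review bot: The header says only the last-login time is no longer recorded, but the `if (!options.use_pam) {` inserted into record_login in sshlogin.c also encloses `login_set_addr`/`login_login`/`login_free_entry`, so with UsePAM forced on by patch 002 sshd writes no utmpx/wtmpx login record of its own either. If the Solaris PAM session stack is relied on for that accounting as well, state it in the header and widen the in-code comment to `/* In Solaris, PAM takes care of lastlog and utmpx/wtmpx login accounting */`; if not, the guard should wrap only the `store_lastlog_message(user, uid);` call. Opening the brace under one `#ifdef LASTLOG_FIX` and closing it under another in a separate hunk is also easy to unbalance on a future upstream merge, so a comment on the closing `}` such as `/* closes if (!options.use_pam) above */` is worth adding. The sshd.c hunk calls store_lastlog_message() before do_pam_session(); confirm that ordering still yields the "last login" message intended for the user, since the record itself is now written by PAM.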
@@ -0,0 +1,30 @@
+#
+# OpenSSH has special hacks in the code to deal with Solaris private API
+# changes in audit (au_close, getacna) for S11. This patch merely modifies the
+# configure script to consider any S11+ a 'newer Solaris' too, not just S11.
+#
+# We reported this problem to the OpenSSH upstream community on Dec 06 2013.
+# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2178
+#
+--- openssh-6.0p1/configure 2012-04-19 22:03:38.000000000 -0700
++++ new/configure 2013-01-10 03:10:29.200564881 -0800
+@@ -9393,7 +9393,7 @@
+ 
+ $as_echo "#define USE_BSM_AUDIT 1" >>confdefs.h
+ 
+- if test "$sol2ver" -eq 11; then
++ if test "$sol2ver" -ge 11; then
+ SSHDLIBS="$SSHDLIBS -lscf"
+ 
+ $as_echo "#define BROKEN_BSM_API 1" >>confdefs.h
+--- openssh-6.0p1/configure.ac 2013-12-05 05:31:15.809371483 -0800
++++ new/configure.ac 2013-12-05 05:31:25.689099600 -0800
+@@ -1483,7 +1483,7 @@
+ # These are optional
+ AC_CHECK_FUNCS([getaudit_addr aug_get_machine])
+ AC_DEFINE([USE_BSM_AUDIT], [1], [Use BSM audit module])
+- if test "$sol2ver" -eq 11; then
++ if test "$sol2ver" -ge 11; then
+ SSHDLIBS="$SSHDLIBS -lscf"
+ AC_DEFINE([BROKEN_BSM_API], [1],
+ [The system has incomplete BSM API])
diff -r 6b7edd68c53f -r 3f2ec017627f components/openssh/patches/005-openssh_krb5_build_fix.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/005-openssh_krb5_build_fix.patch Fri Dec 20 12:17:34 2013 -0800
@@ -0,0 +1,142 @@ +# +# This is to work around an unresloved symbol problem with the Kerberos +# build option. Unlike MIT Kerberos, the gss_krb5_copy_ccache() function +# is not supported on Solaris, because it violates API abstraction. This +# workaround disables delegated credentials storing on server side. +# +# The long term goal is to replace Solaris Kerberos libraries with MIT Kerberos +# delivered from Userland gate (The Solaris MIT Kerberos Drop in Project). +# After that, function gss_krb5_copy_ccache() will be available in Solaris and +# the delegating credentials functionality will be made available using the +# upstream code. +# +diff -ur old/configure new/configure +--- old/configure 2012-10-22 01:40:00.738542671 -0700 ++++ new/configure 2012-10-22 02:18:52.991019932 -0700 +@@ -15022,6 +15022,12 @@ + fi + K5CFLAGS="`$KRB5CONF --cflags $k5confopts`" + K5LIBS="`$KRB5CONF --libs $k5confopts`" ++ ++ # Oracle Solaris ++ # OpenSSH is mixed-up gssapi AND krb5 aplication ++ K5CFLAGS="$K5CFLAGS `$KRB5CONF --cflags krb5`" ++ K5LIBS="$K5LIBS `$KRB5CONF --libs krb5`" ++ + CPPFLAGS="$CPPFLAGS $K5CFLAGS" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5 + $as_echo_n "checking whether we are using Heimdal... " >&6; } +diff -ru old/ssh-gss.h new/ssh-gss.h +--- old/ssh-gss.h 2012-10-22 02:42:41.469718263 -0700 ++++ new/ssh-gss.h 2012-10-22 02:52:00.222302785 -0700 +@@ -45,7 +45,13 @@ + /* MIT Kerberos doesn't seem to define GSS_NT_HOSTBASED_SERVICE */ + + #ifndef GSS_C_NT_HOSTBASED_SERVICE ++/* ++ * on Solaris in gssapi.h there is: ++ * extern const gss_OID GSS_C_NT_HOSTBASED_SERVICE; ++ */ ++#ifndef KRB5_BUILD_FIX + #define GSS_C_NT_HOSTBASED_SERVICE gss_nt_service_name ++#endif /* KRB5_BUILD_FIX */ + #endif /* GSS_C_NT_... 
*/ + #endif /* !HEIMDAL */ + #endif /* KRB5 */ +diff -u -r old/auth2-gss.c new/auth2-gss.c +--- old/auth2-gss.c 2011-05-04 21:04:11.000000000 -0700 ++++ new/auth2-gss.c 2012-10-25 02:57:42.332456661 -0700 +@@ -47,6 +47,10 @@ + + extern ServerOptions options; + ++#ifdef KRB5_BUILD_FIX ++ extern gss_OID_set g_supported; ++#endif ++ + static void input_gssapi_token(int type, u_int32_t plen, void *ctxt); + static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt); + static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt); +@@ -77,7 +81,12 @@ + return (0); + } + ++#ifdef KRB5_BUILD_FIX ++ /* use value obtained in privileged parent */ ++ supported = g_supported; ++#else + ssh_gssapi_supported_oids(&supported); ++#endif + do { + mechs--; + +diff -u -r old/sshd.c new/sshd.c +--- old/sshd.c 2012-10-22 01:28:17.260247177 -0700 ++++ new/sshd.c 2012-10-25 02:53:41.663248837 -0700 +@@ -257,6 +257,11 @@ + /* Unprivileged user */ + struct passwd *privsep_pw = NULL; + ++#if defined(KRB5_BUILD_FIX) && defined(GSSAPI) ++/* Temporary storing supported GSS mechs */ ++gss_OID_set g_supported; ++#endif ++ + /* Prototypes for various functions defined later in this file. 
*/ + void destroy_sensitive_data(void); + void demote_sensitive_data(void); +@@ -1351,6 +1356,9 @@ + compat_init_setproctitle(ac, av); + av = saved_argv; + #endif ++#if defined(KRB5_BUILD_FIX) && defined(GSSAPI) ++ OM_uint32 ms; ++#endif + + if (geteuid() == 0 && setgroups(0, NULL) == -1) + debug("setgroups(): %.200s", strerror(errno)); +@@ -1984,6 +1992,11 @@ + buffer_init(&loginmsg); + auth_debug_reset(); + ++#if defined(KRB5_BUILD_FIX) && defined(GSSAPI) ++ /* collect gss mechs for later use in privsep child */ ++ ssh_gssapi_supported_oids(&g_supported); ++#endif ++ + if (use_privsep) + if (privsep_preauth(authctxt) == 1) + goto authenticated; +@@ -2018,6 +2031,9 @@ + close(startup_pipe); + startup_pipe = -1; + } ++#if defined(KRB5_BUILD_FIX) && defined(GSSAPI) ++ gss_release_oid_set(&ms, &g_supported); ++#endif + + #ifdef SSH_AUDIT_EVENTS + audit_event(SSH_AUTH_SUCCESS); +--- old/gss-serv-krb5.c 2006-08-31 22:38:36.000000000 -0700 ++++ new/gss-serv-krb5.c 2012-10-25 03:09:36.080638790 -0700 +@@ -126,6 +126,12 @@ + return; + } + ++#ifdef KRB5_BUILD_FIX ++ /* currently unimplemented - print an error, but continue */ ++ error("Delegated credentials storing not implemented."); ++ return; ++#else ++ + if (ssh_gssapi_krb5_init() == 0) + return; + +@@ -182,6 +188,7 @@ + krb5_cc_close(krb_context, ccache); + + return; ++#endif /* KRB5_BUILD_FIX */ + } + + ssh_gssapi_mech gssapi_kerberos_mech = { diff -r 6b7edd68c53f -r 3f2ec017627f components/openssh/patches/006-umac_align_fix.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/openssh/patches/006-umac_align_fix.patch Fri Dec 20 12:17:34 2013 -0800 
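Review bot: In auth2-gss.c the new `supported = g_supported;` aliases the process-wide OID set, but upstream's userauth_gssapi (outside this hunk) releases `supported` with `gss_release_oid_set(&ms, &supported)` once the mechanism loop ends; if that call is still present, the privsep child frees `g_supported` on the first gssapi-with-mic attempt and a second attempt within MaxAuthTries runs gss_test_oid_set_member over a freed set. Either duplicate the set into a local before the loop, or guard that later release with `#ifndef KRB5_BUILD_FIX` so only the parent's `gss_release_oid_set(&ms, &g_supported)` added in sshd.c owns it. Separately, the gss-serv-krb5.c stub returns after the client has already delegated its TGT, so delegation is accepted on the wire and then discarded; the patch header should state that (`# Clients with GSSAPIDelegateCredentials still send their credentials; the server drops them.`) and `error()` is probably too loud for something that fires on every delegating login. The enclosing functions all start and end outside the hunk.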
@@ -0,0 +1,49 @@
+#
+# This is to fix an alignment problem on Sparc. We reported the problem to the
+# OpenSSH upstream community with suggested fixes in May 2013. The upstream
+# accepted the union fix and has integrated the fix in the 6.3 release. In the
+# future, when we upgrade OpenSSH to 6.3 or later, we should remove this patch.
+# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2101
+#
+--- orig/mac.c Fri Sep 20 14:53:41 2013
++++ new/mac.c Fri Sep 20 15:04:13 2013
+@@ -132,12 +132,15 @@
+ u_char *
+ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
+ {
+- static u_char m[EVP_MAX_MD_SIZE];
++ static union {
++ u_char m[EVP_MAX_MD_SIZE];
++ u_int64_t for_align;
++ } u;
+ u_char b[4], nonce[8];
+ 
+- if (mac->mac_len > sizeof(m))
++ if (mac->mac_len > sizeof(u))
+ fatal("mac_compute: mac too long %u %lu",
+- mac->mac_len, (u_long)sizeof(m));
++ mac->mac_len, (u_long)sizeof(u));
+ 
+ switch (mac->type) {
+ case SSH_EVP:
+@@ -146,17 +149,17 @@
+ HMAC_Init(&mac->evp_ctx, NULL, 0, NULL);
+ HMAC_Update(&mac->evp_ctx, b, sizeof(b));
+ HMAC_Update(&mac->evp_ctx, data, datalen);
+- HMAC_Final(&mac->evp_ctx, m, NULL);
++ HMAC_Final(&mac->evp_ctx, u.m, NULL);
+ break;
+ case SSH_UMAC:
+ put_u64(nonce, seqno);
+ umac_update(mac->umac_ctx, data, datalen);
+- umac_final(mac->umac_ctx, m, nonce);
++ umac_final(mac->umac_ctx, u.m, nonce);
+ break;
+ default:
+ fatal("mac_compute: unknown MAC type");
+ }
+- return (m);
++ return (u.m);
+ }
+ 
+ void
diff -r 6b7edd68c53f -r 3f2ec017627f components/openssh/patches/007-manpages.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/007-manpages.patch Fri Dec 20 12:17:34 2013 -0800
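Review bot: The bounds check in mac_compute now compares `mac->mac_len` against `sizeof(u)` rather than the array it actually writes, `u.m`; the two are equal only because EVP_MAX_MD_SIZE is a multiple of 8, and a change to either union member would let the check admit a MAC longer than `u.m`. Tie the check to the array: `if (mac->mac_len > sizeof(u.m))` and `mac->mac_len, (u_long)sizeof(u.m));` in the fatal() call. If the intent is to stay byte-for-byte with what upstream took in 6.3, say so in the patch header so the next reader does not "fix" it back.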
@@ -0,0 +1,701 @@ +# +# OpenSSH uses the BSD/Linux man page scheme which is different from the SysV +# man page scheme used in Solaris. In order to comply to the Solaris man page +# policy and also use the IPS mediator to switch between SunSSH and OpenSSH man +# pages, the section numbers of some OpenSSH man pages are changed to be as +# same as their corresponding ones in SunSSH. +# +--- orig/moduli.5 Thu Jan 10 15:04:00 2013 ++++ new/moduli.5 Thu Jan 10 17:25:53 2013 +@@ -14,7 +14,7 @@ + .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + .Dd $Mdocdate: October 14 2010 $ +-.Dt MODULI 5 ++.Dt MODULI 4 + .Os + .Sh NAME + .Nm moduli +@@ -23,7 +23,7 @@ + The + .Pa /etc/moduli + file contains prime numbers and generators for use by +-.Xr sshd 8 ++.Xr sshd 1M + in the Diffie-Hellman Group Exchange key exchange method. + .Pp + New moduli may be generated with +@@ -40,7 +40,7 @@ + .Ic ssh-keygen -T , + provides a high degree of assurance that the numbers are prime and are + safe for use in Diffie-Hellman operations by +-.Xr sshd 8 . ++.Xr sshd 1M . + This + .Nm + format is used as the output from each pass. +@@ -70,7 +70,7 @@ + Further primality testing with + .Xr ssh-keygen 1 + produces safe prime moduli (type 2) that are ready for use in +-.Xr sshd 8 . ++.Xr sshd 1M . + Other types are not used by OpenSSH. + .It tests + Decimal number indicating the type of primality tests that the number +@@ -105,16 +105,16 @@ + .El + .Pp + When performing Diffie-Hellman Group Exchange, +-.Xr sshd 8 ++.Xr sshd 1M + first estimates the size of the modulus required to produce enough + Diffie-Hellman output to sufficiently key the selected symmetric cipher. +-.Xr sshd 8 ++.Xr sshd 1M + then randomly selects a modulus from + .Fa /etc/moduli + that best meets the size requirement. 
+ .Sh SEE ALSO + .Xr ssh-keygen 1 , +-.Xr sshd 8 ++.Xr sshd 1M + .Rs + .%R RFC 4419 + .%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol" +--- orig/sftp-server.8 Thu Jan 10 15:04:00 2013 ++++ new/sftp-server.8 Thu Jan 10 15:48:21 2013 +@@ -23,7 +23,7 @@ + .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + .\" + .Dd $Mdocdate: January 9 2010 $ +-.Dt SFTP-SERVER 8 ++.Dt SFTP-SERVER 1M + .Os + .Sh NAME + .Nm sftp-server +@@ -40,7 +40,7 @@ + to stdout and expects client requests from stdin. + .Nm + is not intended to be called directly, but from +-.Xr sshd 8 ++.Xr sshd 1M + using the + .Cm Subsystem + option. +@@ -51,7 +51,7 @@ + .Cm Subsystem + declaration. + See +-.Xr sshd_config 5 ++.Xr sshd_config 4 + for more information. + .Pp + Valid options are: +@@ -106,8 +106,8 @@ + .Sh SEE ALSO + .Xr sftp 1 , + .Xr ssh 1 , +-.Xr sshd_config 5 , +-.Xr sshd 8 ++.Xr sshd_config 4 , ++.Xr sshd 1M + .Rs + .%A T. Ylonen + .%A S. Lehtinen +--- orig/ssh_config.5 Thu Jan 10 15:04:00 2013 ++++ new/ssh_config.5 Thu Jan 10 15:48:48 2013 +@@ -35,7 +35,7 @@ + .\" + .\" $OpenBSD: ssh_config.5,v 1.154 2011/09/09 00:43:00 djm Exp $ + .Dd $Mdocdate: September 9 2011 $ +-.Dt SSH_CONFIG 5 ++.Dt SSH_CONFIG 4 + .Os + .Sh NAME + .Nm ssh_config +@@ -353,7 +353,7 @@ + .Dq Fl O No exit + option). + If set to a time in seconds, or a time in any of the formats documented in +-.Xr sshd_config 5 , ++.Xr sshd_config 4 , + then the backgrounded master connection will automatically terminate + after it has remained idle (with no client connections) for the + specified time. +@@ -473,7 +473,7 @@ + using the format described in the + .Sx TIME FORMATS + section of +-.Xr sshd_config 5 . ++.Xr sshd_config 4 . + X11 connections received by + .Xr ssh 1 + after this time will be refused. 
+@@ -540,7 +540,7 @@ + These hashed names may be used normally by + .Xr ssh 1 + and +-.Xr sshd 8 , ++.Xr sshd 1M , + but they do not reveal identifying information should the file's contents + be disclosed. + The default is +@@ -885,7 +885,7 @@ + The command can be basically anything, + and should read from its standard input and write to its standard output. + It should eventually connect an +-.Xr sshd 8 ++.Xr sshd 1M + server running on some machine, or execute + .Ic sshd -i + somewhere. +@@ -967,7 +967,7 @@ + will only succeed if the server's + .Cm GatewayPorts + option is enabled (see +-.Xr sshd_config 5 ) . ++.Xr sshd_config 4 ) . + .It Cm RequestTTY + Specifies whether to request a pseudo-tty for the session. + The argument may be one of: +@@ -1019,7 +1019,7 @@ + Refer to + .Cm AcceptEnv + in +-.Xr sshd_config 5 ++.Xr sshd_config 4 + for how to configure the server. + Variables are specified by name, which may contain wildcard characters. + Multiple environment variables may be separated by whitespace or spread +--- orig/ssh-keysign.8 Thu Jan 10 15:04:00 2013 ++++ new/ssh-keysign.8 Thu Jan 10 15:49:23 2013 +@@ -23,7 +23,7 @@ + .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + .\" + .Dd $Mdocdate: August 31 2010 $ +-.Dt SSH-KEYSIGN 8 ++.Dt SSH-KEYSIGN 1M + .Os + .Sh NAME + .Nm ssh-keysign +@@ -52,7 +52,7 @@ + See + .Xr ssh 1 + and +-.Xr sshd 8 ++.Xr sshd 1M + for more information about host-based authentication. + .Sh FILES + .Bl -tag -width Ds -compact +@@ -81,8 +81,8 @@ + .Sh SEE ALSO + .Xr ssh 1 , + .Xr ssh-keygen 1 , +-.Xr ssh_config 5 , +-.Xr sshd 8 ++.Xr ssh_config 4 , ++.Xr sshd 1M + .Sh HISTORY + .Nm + first appeared in +--- orig/ssh-pkcs11-helper.8 Thu Jan 10 15:04:00 2013 ++++ new/ssh-pkcs11-helper.8 Thu Jan 10 15:49:48 2013 +@@ -15,7 +15,7 @@ + .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
+ .\" + .Dd $Mdocdate: February 10 2010 $ +-.Dt SSH-PKCS11-HELPER 8 ++.Dt SSH-PKCS11-HELPER 1M + .Os + .Sh NAME + .Nm ssh-pkcs11-helper +--- orig/sshd_config.5 Thu Jan 10 15:04:00 2013 ++++ new/sshd_config.5 Fri Jan 11 15:56:09 2013 +@@ -35,7 +35,7 @@ + .\" + .\" $OpenBSD: sshd_config.5,v 1.136 2011/09/09 00:43:00 djm Exp $ + .Dd $Mdocdate: September 9 2011 $ +-.Dt SSHD_CONFIG 5 ++.Dt SSHD_CONFIG 4 + .Os + .Sh NAME + .Nm sshd_config +@@ -43,7 +43,7 @@ + .Sh SYNOPSIS + .Nm /etc/ssh/sshd_config + .Sh DESCRIPTION +-.Xr sshd 8 ++.Xr sshd 1M + reads configuration data from + .Pa /etc/ssh/sshd_config + (or the file specified with +@@ -68,7 +68,7 @@ + See + .Cm SendEnv + in +-.Xr ssh_config 5 ++.Xr ssh_config 4 + for how to configure the client. + Note that environment passing is only supported for protocol 2. + Variables are specified by name, which may contain the wildcard characters +@@ -85,7 +85,7 @@ + The default is not to accept any environment variables. + .It Cm AddressFamily + Specifies which address family should be used by +-.Xr sshd 8 . ++.Xr sshd 1M . + Valid arguments are + .Dq any , + .Dq inet +@@ -120,7 +120,7 @@ + See + .Sx PATTERNS + in +-.Xr ssh_config 5 ++.Xr ssh_config 4 + for more information on patterns. + .It Cm AllowTcpForwarding + Specifies whether TCP forwarding is permitted. +@@ -149,7 +149,7 @@ + See + .Sx PATTERNS + in +-.Xr ssh_config 5 ++.Xr ssh_config 4 + for more information on patterns. + .It Cm AuthorizedKeysFile + Specifies the file that contains the public keys that can be used +@@ -157,7 +157,7 @@ + The format is described in the + .Sx AUTHORIZED_KEYS FILE FORMAT + section of +-.Xr sshd 8 . ++.Xr sshd 1M . + .Cm AuthorizedKeysFile + may contain tokens of the form %T which are substituted during connection + setup. +@@ -182,7 +182,7 @@ + in + .Sx AUTHORIZED_KEYS FILE FORMAT + in +-.Xr sshd 8 ) . ++.Xr sshd 1M ) . + Empty lines and comments starting with + .Ql # + are ignored. 
+@@ -210,7 +210,7 @@ + though the + .Cm principals= + key option offers a similar facility (see +-.Xr sshd 8 ++.Xr sshd 1M + for details). + .It Cm Banner + The contents of the specified file are sent to the remote user before +@@ -233,7 +233,7 @@ + All components of the pathname must be root-owned directories that are + not writable by any other user or group. + After the chroot, +-.Xr sshd 8 ++.Xr sshd 1M + changes the working directory to the user's home directory. + .Pp + The pathname may contain the following tokens that are expanded at runtime once +@@ -266,7 +266,7 @@ + though sessions which use logging do require + .Pa /dev/log + inside the chroot directory (see +-.Xr sftp-server 8 ++.Xr sftp-server 1M + for details). + .Pp + The default is not to +@@ -297,7 +297,7 @@ + .It Cm ClientAliveCountMax + Sets the number of client alive messages (see below) which may be + sent without +-.Xr sshd 8 ++.Xr sshd 1M + receiving any messages back from the client. + If this threshold is reached while client alive messages are being sent, + sshd will disconnect the client, terminating the session. +@@ -324,7 +324,7 @@ + .It Cm ClientAliveInterval + Sets a timeout interval in seconds after which if no data has been received + from the client, +-.Xr sshd 8 ++.Xr sshd 1M + will send a message through the encrypted + channel to request a response from the client. + The default +@@ -357,7 +357,7 @@ + See + .Sx PATTERNS + in +-.Xr ssh_config 5 ++.Xr ssh_config 4 + for more information on patterns. + .It Cm DenyUsers + This keyword can be followed by a list of user name patterns, separated +@@ -378,7 +378,7 @@ + See + .Sx PATTERNS + in +-.Xr ssh_config 5 ++.Xr ssh_config 4 + for more information on patterns. + .It Cm ForceCommand + Forces the execution of the command specified by +@@ -403,7 +403,7 @@ + Specifies whether remote hosts are allowed to connect to ports + forwarded for the client. 
+ By default, +-.Xr sshd 8 ++.Xr sshd 1M + binds remote port forwardings to the loopback address. + This prevents other remote hosts from connecting to forwarded ports. + .Cm GatewayPorts +@@ -451,7 +451,7 @@ + A setting of + .Dq yes + means that +-.Xr sshd 8 ++.Xr sshd 1M + uses the name supplied by the client rather than + attempting to resolve the name from the TCP connection itself. + The default is +@@ -462,7 +462,7 @@ + by + .Cm HostKey . + The default behaviour of +-.Xr sshd 8 ++.Xr sshd 1M + is not to load any certificates. + .It Cm HostKey + Specifies a file containing a private host key +@@ -476,7 +476,7 @@ + .Pa /etc/ssh/ssh_host_rsa_key + for protocol version 2. + Note that +-.Xr sshd 8 ++.Xr sshd 1M + will refuse to use a file if it is group/world-accessible. + It is possible to have multiple host key files. + .Dq rsa1 +@@ -504,7 +504,7 @@ + .Dq yes . + .It Cm IgnoreUserKnownHosts + Specifies whether +-.Xr sshd 8 ++.Xr sshd 1M + should ignore the user's + .Pa ~/.ssh/known_hosts + during +@@ -580,7 +580,7 @@ + Multiple algorithms must be comma-separated. + The default is + .Dq ecdh-sha2-nistp256 , +-.Dq ecdh-sha2-nistp384 , ++.Dq ecdh-sha2-nistp834 , + .Dq ecdh-sha2-nistp521 , + .Dq diffie-hellman-group-exchange-sha256 , + .Dq diffie-hellman-group-exchange-sha1 , +@@ -597,7 +597,7 @@ + The default is 3600 (seconds). + .It Cm ListenAddress + Specifies the local addresses +-.Xr sshd 8 ++.Xr sshd 1M + should listen on. + The following forms may be used: + .Pp +@@ -640,7 +640,7 @@ + The default is 120 seconds. + .It Cm LogLevel + Gives the verbosity level that is used when logging messages from +-.Xr sshd 8 . ++.Xr sshd 1M . + The possible values are: + QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3. + The default is INFO. +@@ -681,7 +681,7 @@ + lists and may use the wildcard and negation operators described in the + .Sx PATTERNS + section of +-.Xr ssh_config 5 . ++.Xr ssh_config 4 . 
+ .Pp + The patterns in an + .Cm Address +@@ -751,7 +751,7 @@ + the three colon separated values + .Dq start:rate:full + (e.g. "10:30:60"). +-.Xr sshd 8 ++.Xr sshd 1M + will refuse connection attempts with a probability of + .Dq rate/100 + (30%) +@@ -855,7 +855,7 @@ + options in + .Pa ~/.ssh/authorized_keys + are processed by +-.Xr sshd 8 . ++.Xr sshd 1M . + The default is + .Dq no . + Enabling environment processing may enable users to bypass access +@@ -868,7 +868,7 @@ + .Pa /var/run/sshd.pid . + .It Cm Port + Specifies the port number that +-.Xr sshd 8 ++.Xr sshd 1M + listens on. + The default is 22. + Multiple options of this type are permitted. +@@ -876,7 +876,7 @@ + .Cm ListenAddress . + .It Cm PrintLastLog + Specifies whether +-.Xr sshd 8 ++.Xr sshd 1M + should print the date and time of the last user login when a user logs + in interactively. + The default is +@@ -883,7 +883,7 @@ + .Dq yes . + .It Cm PrintMotd + Specifies whether +-.Xr sshd 8 ++.Xr sshd 1M + should print + .Pa /etc/motd + when a user logs in interactively. +@@ -891,10 +891,11 @@ + .Pa /etc/profile , + or equivalent.) + The default is +-.Dq yes . ++.Dq no ++on Solaris. + .It Cm Protocol + Specifies the protocol versions +-.Xr sshd 8 ++.Xr sshd 1M + supports. + The possible values are + .Sq 1 +@@ -936,7 +937,7 @@ + The minimum value is 512, and the default is 1024. + .It Cm StrictModes + Specifies whether +-.Xr sshd 8 ++.Xr sshd 1M + should check file modes and ownership of the + user's files and home directory before accepting login. + This is normally desirable because novices sometimes accidentally leave their +@@ -952,7 +953,7 @@ + to execute upon subsystem request. + .Pp + The command +-.Xr sftp-server 8 ++.Xr sftp-server 1M + implements the + .Dq sftp + file transfer subsystem. +@@ -970,7 +971,7 @@ + Note that this option applies to protocol version 2 only. + .It Cm SyslogFacility + Gives the facility code that is used when logging messages from +-.Xr sshd 8 . ++.Xr sshd 1M . 
+ The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, + LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. + The default is AUTH. +@@ -1013,7 +1014,7 @@ + .Xr ssh-keygen 1 . + .It Cm UseDNS + Specifies whether +-.Xr sshd 8 ++.Xr sshd 1M + should look up the remote host name and check that + the resolved host name for the remote IP address maps back to the + very same IP address. +@@ -1058,13 +1059,14 @@ + If + .Cm UsePAM + is enabled, you will not be able to run +-.Xr sshd 8 ++.Xr sshd 1M + as a non-root user. + The default is +-.Dq no . ++.Dq yes ++on Solaris. + .It Cm UsePrivilegeSeparation + Specifies whether +-.Xr sshd 8 ++.Xr sshd 1M + separates privileges by creating an unprivileged child process + to deal with incoming network traffic. + After successful authentication, another process will be created that has +@@ -1081,7 +1083,7 @@ + restrictions. + .It Cm X11DisplayOffset + Specifies the first display number available for +-.Xr sshd 8 Ns 's ++.Xr sshd 1M Ns 's + X11 forwarding. + This prevents sshd from interfering with real X11 servers. + The default is 10. +@@ -1096,7 +1098,7 @@ + .Pp + When X11 forwarding is enabled, there may be additional exposure to + the server and to client displays if the +-.Xr sshd 8 ++.Xr sshd 1M + proxy display is configured to listen on the wildcard address (see + .Cm X11UseLocalhost + below), though this is not the default. +@@ -1107,7 +1109,7 @@ + forwarding (see the warnings for + .Cm ForwardX11 + in +-.Xr ssh_config 5 ) . ++.Xr ssh_config 4 ) . + A system administrator may have a stance in which they want to + protect clients that may expose themselves to attack by unwittingly + requesting X11 forwarding, which can warrant a +@@ -1121,7 +1123,7 @@ + is enabled. + .It Cm X11UseLocalhost + Specifies whether +-.Xr sshd 8 ++.Xr sshd 1M + should bind the X11 forwarding server to the loopback address or to + the wildcard address. + By default, +@@ -1152,7 +1154,7 @@ + .Pa /usr/X11R6/bin/xauth . 
+ .El + .Sh TIME FORMATS +-.Xr sshd 8 ++.Xr sshd 1M + command-line arguments and configuration file options that specify time + may be expressed using a sequence of the form: + .Sm off +@@ -1196,12 +1198,12 @@ + .Bl -tag -width Ds + .It Pa /etc/ssh/sshd_config + Contains configuration data for +-.Xr sshd 8 . ++.Xr sshd 1M . + This file should be writable by root only, but it is recommended + (though not necessary) that it be world-readable. + .El + .Sh SEE ALSO +-.Xr sshd 8 ++.Xr sshd 1M + .Sh AUTHORS + OpenSSH is a derivative of the original and free + ssh 1.2.12 release by Tatu Ylonen. +--- orig/sshd.8 Thu Jan 10 15:04:00 2013 ++++ new/sshd.8 Thu Jan 10 15:53:31 2013 +@@ -35,7 +35,7 @@ + .\" + .\" $OpenBSD: sshd.8,v 1.264 2011/09/23 00:22:04 dtucker Exp $ + .Dd $Mdocdate: September 23 2011 $ +-.Dt SSHD 8 ++.Dt SSHD 1M + .Os + .Sh NAME + .Nm sshd +@@ -79,7 +79,7 @@ + .Nm + can be configured using command-line options or a configuration file + (by default +-.Xr sshd_config 5 ) ; ++.Xr sshd_config 4 ) ; + command-line options override values specified in the + configuration file. + .Nm +@@ -204,7 +204,7 @@ + This is useful for specifying options for which there is no separate + command-line flag. + For full details of the options, and their values, see +-.Xr sshd_config 5 . ++.Xr sshd_config 4 . + .It Fl p Ar port + Specifies the port on which the server listens for connections + (default 22). +@@ -274,7 +274,7 @@ + though this can be changed via the + .Cm Protocol + option in +-.Xr sshd_config 5 . ++.Xr sshd_config 4 . + Protocol 2 supports DSA, ECDSA and RSA keys; + protocol 1 only supports RSA keys. + For both protocols, +@@ -399,7 +399,7 @@ + See the + .Cm PermitUserEnvironment + option in +-.Xr sshd_config 5 . ++.Xr sshd_config 4 . + .It + Changes to user's home directory. + .It +@@ -542,7 +542,7 @@ + environment variable. + Note that this option applies to shell, command or subsystem execution. 
+ Also note that this command may be superseded by either a +-.Xr sshd_config 5 ++.Xr sshd_config 4 + .Cm ForceCommand + directive or a command embedded in a certificate. + .It Cm environment="NAME=value" +@@ -565,7 +565,7 @@ + See + .Sx PATTERNS + in +-.Xr ssh_config 5 ++.Xr ssh_config 4 + for more information on patterns. + .Pp + In addition to the wildcard matching that may be applied to hostnames or +@@ -859,7 +859,7 @@ + .It Pa /etc/moduli + Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange". + The file format is described in +-.Xr moduli 5 . ++.Xr moduli 4 . + .Pp + .It Pa /etc/motd + See +@@ -918,7 +918,7 @@ + Contains configuration data for + .Nm sshd . + The file format and configuration options are described in +-.Xr sshd_config 5 . ++.Xr sshd_config 4 . + .Pp + .It Pa /etc/ssh/sshrc + Similar to +@@ -954,10 +954,10 @@ + .Xr chroot 2 , + .Xr hosts_access 5 , + .Xr login.conf 5 , +-.Xr moduli 5 , +-.Xr sshd_config 5 , +-.Xr inetd 8 , +-.Xr sftp-server 8 ++.Xr moduli 4 , ++.Xr sshd_config 4 , ++.Xr inetd 1M , ++.Xr sftp-server 1M + .Sh AUTHORS + OpenSSH is a derivative of the original and free + ssh 1.2.12 release by Tatu Ylonen. diff -r 6b7edd68c53f -r 3f2ec017627f components/openssh/patches/008-deprecate_sunssh_opt.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/components/openssh/patches/008-deprecate_sunssh_opt.patch Fri Dec 20 12:17:34 2013 -0800 
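Review bot: The sshd_config.5 hunk at `@@ -580,7 +580,7 @@` turns `.Dq ecdh-sha2-nistp384 ,` into `.Dq ecdh-sha2-nistp834 ,`, which is a typo rather than a section renumbering: the KexAlgorithms default is nistp384, and an administrator copying the documented default into sshd_config would get an unknown algorithm name. Drop that pair of lines from the patch; the rest of the file's changes are the `.Xr sshd 8` → `.Xr sshd 1M` / `.Dt` section renumbering plus the PrintMotd and UsePAM Solaris defaults.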
@@ -0,0 +1,38 @@
+#
+# To make the transition from SunSSH to OpenSSH as smooth as possible, we
+# added SunSSH-only options as deprecated options in OpenSSH. Note that this
+# is an interim enhancement to OpenSSH to make the transition smoother. If a
+# deprecated SunSSH-only option is migrated to OpenSSH later, then it will be
+# changed from deprecated to supported. Since this is for Solaris only, we will
+# not contribute back this change to the upstream community.
+#
+--- orig/readconf.c Thu Nov 15 13:32:50 2012
++++ new/readconf.c Wed Mar 27 14:51:55 2013
+@@ -246,7 +246,26 @@
+ { "kexalgorithms", oKexAlgorithms },
+ { "ipqos", oIPQoS },
+ { "requesttty", oRequestTTY },
+-
++#ifdef DEPRECATE_SUNSSH_OPT
++ /*
++ * On Solaris, to make the transition from SunSSH to OpenSSH as smooth
++ * as possible, we will deprecate SunSSH-only options in OpenSSH.
++ * Therefore, on a system that is running OpenSSH with a deprecated
++ * option from the user's config file (~/.ssh/config), the ssh
++ * connection will proceed without the deprecated option. Note that
++ * this is an interim enhancement to OpenSSH to make the transition
++ * smoother. If a deprecated SunSSH-only option is migrated to OpenSSH
++ * later, then it will be changed from deprecated to supported.
++ */
++ { "disablebanner", oDeprecated },
++ { "gssapikeyexchange", oDeprecated },
++ { "ignoreifunknown", oDeprecated },
++ { "kmfpolicydatabase", oDeprecated },
++ { "kmfpolicyname", oDeprecated },
++ { "trustedanchorkeystore", oDeprecated },
++ { "usefips140", oDeprecated },
++ { "useopensslengine", oDeprecated },
++#endif
+ { NULL, oBadOption }
+ };
+ 
diff -r 6b7edd68c53f -r 3f2ec017627f components/openssh/patches/009-CVE-2010-5107.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/009-CVE-2010-5107.patch Fri Dec 20 12:17:34 2013 -0800
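Review bot: Mapping `usefips140`, `trustedanchorkeystore`, `kmfpolicydatabase` and `kmfpolicyname` to `oDeprecated` means a user whose ~/.ssh/config asked for FIPS mode or X.509 trust anchors now connects without those controls, and if upstream's `oDeprecated` handling is unchanged (outside this hunk; it logs at debug() level and continues) they see nothing unless they run ssh -v. For the security-affecting keywords prefer `oUnsupported`, e.g. `{ "usefips140", oUnsupported },`, which upstream reports with error() and then continues, or at least state the silent downgrade in the patch header rather than only "the ssh connection will proceed". Note this hunk patches only the client parser (readconf.c); SunSSH-only keywords in sshd_config are not covered here.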
@@ -0,0 +1,44 @@
+#
+# This is to fix the CVE-2010-5107 security bug. The bug fix code came from
+# OpenSSH and is in version 6.2 of OpenSSH. When we upgrade OpenSSH to
+# version 6.2 or later, we will remove this patch file.
+#
+--- orig/servconf.c Wed Feb 27 16:03:18 2013
++++ new/servconf.c Wed Feb 27 16:10:09 2013
+@@ -248,11 +248,11 @@
+ if (options->gateway_ports == -1)
+ options->gateway_ports = 0;
+ if (options->max_startups == -1)
+- options->max_startups = 10;
++ options->max_startups = 100;
+ if (options->max_startups_rate == -1)
+- options->max_startups_rate = 100; /* 100% */
++ options->max_startups_rate = 30; /* 30% */
+ if (options->max_startups_begin == -1)
+- options->max_startups_begin = options->max_startups;
++ options->max_startups_begin = 10;
+ if (options->max_authtries == -1)
+ options->max_authtries = DEFAULT_AUTH_FAIL_MAX;
+ if (options->max_sessions == -1)
+--- orig/sshd_config Wed Feb 27 16:05:01 2013
++++ new/sshd_config Wed Feb 27 16:11:50 2013
+@@ -104,7 +104,7 @@
+ #ClientAliveCountMax 3
+ #UseDNS yes
+ #PidFile /var/run/sshd.pid
+-#MaxStartups 10
++#MaxStartups 10:30:100
+ #PermitTunnel no
+ #ChrootDirectory none
+ 
+--- orig/sshd_config.5 Wed Feb 27 16:04:36 2013
++++ new/sshd_config.5 Wed Feb 27 16:15:03 2013
+@@ -745,7 +745,7 @@
+ Additional connections will be dropped until authentication succeeds or the
+ .Cm LoginGraceTime
+ expires for a connection.
+-The default is 10.
++The default is 10:30:100.
+ .Pp
+ Alternatively, random early drop can be enabled by specifying
+ the three colon separated values
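Review bot: The new MaxStartups default of 10:30:100 only bounds how many unauthenticated connections sshd keeps open; each one still lives for the full LoginGraceTime (documented as 120 seconds in this same changeset), so the CVE-2010-5107 slot exhaustion is throttled by random early drop, not closed, and the patch header should say that instead of calling it a fix, e.g. `# Random early drop mitigates the LoginGraceTime slot exhaustion (CVE-2010-5107); lowering LoginGraceTime is still advisable.` The three servconf.c defaults match what OpenSSH 6.2 ships, so the code side of the hunk needs no change.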