# HG changeset patch
# User Huie-Ying Lee
# Date 1410211508 25200
# Node ID a9add24444207bd5f0009843868ef06ef9cea229
# Parent 521c7d4794e944471639bf7afdcb07522017118a
19570656 GSSAPIAuthentication option should default to yes
diff -r 521c7d4794e9 -r a9add2444420 components/openssh/Makefile
--- a/components/openssh/Makefile Fri Sep 05 11:42:19 2014 -0600
+++ b/components/openssh/Makefile Mon Sep 08 14:25:08 2014 -0700
@@ -47,7 +47,17 @@
 # Enable ASLR for this component
 ASLR_MODE = $(ASLR_ENABLE)
-CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS) -DSET_USE_PAM -DDEPRECATE_SUNSSH_OPT -DKRB5_BUILD_FIX -DAUE_openssh=6172 -DDTRACE_SFTP -DDISABLE_BANNER -DPAM_ENHANCEMENT -DPAM_BUGFIX"
+CFLAGS += -DSET_USE_PAM
+CFLAGS += -DDEPRECATE_SUNSSH_OPT
+CFLAGS += -DKRB5_BUILD_FIX
+CFLAGS += -DAUE_openssh=6172
+CFLAGS += -DDTRACE_SFTP
+CFLAGS += -DDISABLE_BANNER
+CFLAGS += -DPAM_ENHANCEMENT
+CFLAGS += -DPAM_BUGFIX
+CFLAGS += -DOPTION_DEFAULT_VALUE
+
+CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS)"
 # We need to disable lazyloading of dynamic dependent libraries. During the
 # pre-authentication phase, sshd will chroot to /var/empty which doesn't
diff -r 521c7d4794e9 -r a9add2444420 components/openssh/patches/017-option_default_value.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/017-option_default_value.patch Mon Sep 08 14:25:08 2014 -0700
@@ -0,0 +1,60 @@
+#
+# The default value of the GSSAPIAuthentication option is yes in SunSSH, but
+# no in OpenSSH. To make the transition smoother from SunSSH to OpenSSH, we
+# change the default value of this option to be yes in OpenSSH also. This is
+# for Solaris only, we will not contribute back this changes to the upstream.
+#
+--- orig/readconf.c Thu Sep 4 17:27:04 2014
++++ new/readconf.c Thu Sep 4 17:51:24 2014
+@@ -1593,7 +1593,11 @@
+ if (options->challenge_response_authentication == -1)
+ options->challenge_response_authentication = 1;
+ if (options->gss_authentication == -1)
++#ifdef OPTION_DEFAULT_VALUE
++ options->gss_authentication = 1;
++#else
+ options->gss_authentication = 0;
++#endif
+ if (options->gss_deleg_creds == -1)
+ options->gss_deleg_creds = 0;
+ if (options->password_authentication == -1)
+--- orig/servconf.c Thu Sep 4 17:17:58 2014
++++ new/servconf.c Thu Sep 4 17:50:50 2014
+@@ -244,7 +244,11 @@
+ if (options->kerberos_get_afs_token == -1)
+ options->kerberos_get_afs_token = 0;
+ if (options->gss_authentication == -1)
++#ifdef OPTION_DEFAULT_VALUE
++ options->gss_authentication = 1;
++#else
+ options->gss_authentication = 0;
++#endif
+ if (options->gss_cleanup_creds == -1)
+ options->gss_cleanup_creds = 1;
+ if (options->password_authentication == -1)
+--- orig/ssh_config.5 Thu Sep 4 17:58:05 2014
++++ new/ssh_config.5 Thu Sep 4 17:59:06 2014
+@@ -673,8 +673,8 @@
+ .Pa /etc/ssh/ssh_known_hosts2 .
+ .It Cm GSSAPIAuthentication
+ Specifies whether user authentication based on GSSAPI is allowed.
+-The default is
+-.Dq no .
++The default on Solaris is
++.Dq yes .
+ Note that this option applies to protocol version 2 only.
+ .It Cm GSSAPIDelegateCredentials
+ Forward (delegate) credentials to the server.
+--- orig/sshd_config.5 Thu Sep 4 17:58:07 2014
++++ new/sshd_config.5 Thu Sep 4 17:59:40 2014
+@@ -490,8 +490,8 @@
+ .Dq no .
+ .It Cm GSSAPIAuthentication
+ Specifies whether user authentication based on GSSAPI is allowed.
+-The default is
+-.Dq no .
++The default on Solaris is
++.Dq yes .
+ Note that this option applies to protocol version 2 only.
+ .It Cm GSSAPICleanupCredentials
+ Specifies whether to automatically destroy the user's credentials cache
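Review bot: The `servconf.c` hunk makes sshd accept GSSAPI user authentication on every host whose `sshd_config` leaves `GSSAPIAuthentication` unset, yet neither C file records that this is a deliberate Solaris divergence; the rationale exists only in the patch-file header. I would add a comment above each `#ifdef OPTION_DEFAULT_VALUE`, for example `/* Solaris: GSSAPIAuthentication defaults to yes for SunSSH compatibility; an explicit "no" in the config still wins. */`, which the `== -1` guard in both hunks supports. The `sshd_config.5` text could also say that sites not using Kerberos may want to set `GSSAPIAuthentication no` explicitly, since a compiled-in default is easy to miss when auditing a config file that never mentions the option. On the client side, `gss_deleg_creds` still defaults to 0 in the `readconf.c` context lines, so the new default does not by itself forward credentials. The enclosing functions in `readconf.c` and `servconf.c` start and end outside the quoted hunks.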