PSARC 2015/227 SunSSH EOF and Removal
authorHuie-Ying Lee <huieying.lee@oracle.com>
Thu, 03 Mar 2016 14:55:30 -0800
changeset 5544 16204c8a93ff
parent 5541 e93ae190039c
child 5546 f320041f6f69
PSARC 2015/227 SunSSH EOF and Removal 22451594 Add SSH service/config files and re-arrange OpenSSH packages (step 3-2) 22012870 ssh should handle LANG and LC_* variables from client to server 22707439 The IPS version number should be 7.1.0.2 for OpenSSH 7.1p2 22102387 Misleading LoginGraceTime comment in default sshd_config 19806472 ssh filesystem dependencies to allow earlier start
components/meta-packages/history/history
components/openssh/Makefile
components/openssh/history
components/openssh/network-ssh.p5m
components/openssh/openssh.p5m
components/openssh/patches/023-gsskex.patch
components/openssh/patches/040-default_config_files.patch
components/openssh/service-network-ssh.p5m
components/openssh/sources/ssh.xml
components/openssh/sources/sshd.sh
--- a/components/meta-packages/history/history	Wed Mar 02 12:23:26 2016 -0800
+++ b/components/meta-packages/history/history	Thu Mar 03 14:55:30 2016 -0800
@@ -253,6 +253,8 @@
 [email protected],5.11-0.133 audio/[email protected]
 [email protected],5.11-0.133 web/fastcgi/[email protected]
 [email protected],5.11-0.133 web/proxy/[email protected]
[email protected],5.11-0.133 network/[email protected],5.11-0.133
[email protected],5.11-0.133 network/ssh/[email protected],5.11-0.133
 [email protected],5.11-0.175.0.0.0.0.0 service/security/[email protected]
 [email protected],5.11-0.133 security/[email protected]
 [email protected],5.11-0.133 library/java/[email protected]
@@ -345,6 +347,7 @@
 network/chat/[email protected]
 network/nntp/[email protected]
 network/[email protected],5.11-0.170
+network/ssh/[email protected] network/[email protected]
 print/lp/filter/[email protected],5.11-0.173.0.0.0.0.0 print/filter/[email protected],5.11-0.173.0.0.0.0.0
 runtime/ocaml/[email protected],5.11-0.170
 runtime/python-26/[email protected]
--- a/components/openssh/Makefile	Wed Mar 02 12:23:26 2016 -0800
+++ b/components/openssh/Makefile	Thu Mar 03 14:55:30 2016 -0800
@@ -30,7 +30,7 @@
 # Version for IPS.  The encoding rules are:
 #   OpenSSH <x>.<y>p<n>     => IPS <x>.<y>.0.<n>
 #   OpenSSH <x>.<y>.<z>p<n> => IPS <x>.<y>.<z>.<n>
-IPS_COMPONENT_VERSION=	7.1.0.1
+IPS_COMPONENT_VERSION=	7.1.0.2
 
 COMPONENT_PROJECT_URL=	http://www.openssh.org/
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
@@ -133,7 +133,9 @@
 REQUIRED_PACKAGES += library/zlib
 REQUIRED_PACKAGES += security/kerberos-5
 REQUIRED_PACKAGES += service/security/kerberos-5
+REQUIRED_PACKAGES += system/core-os
 REQUIRED_PACKAGES += system/library
 REQUIRED_PACKAGES += system/library/gcc/gcc-c-runtime
 REQUIRED_PACKAGES += system/library/security/gss
+REQUIRED_PACKAGES += system/network
 REQUIRED_PACKAGES += text/groff/groff-core
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/history	Thu Mar 03 14:55:30 2016 -0800
@@ -0,0 +1,1 @@
+network/[email protected] network/ssh
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/network-ssh.p5m	Thu Mar 03 14:55:30 2016 -0800
@@ -0,0 +1,72 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
+#
+<transform file path=usr.*/man/.+ -> default mangler.man.stability "Pass-through Uncommitted">
+set name=pkg.fmri \
+    value=pkg:/network/[email protected]$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
+set name=pkg.summary value="OpenSSH client and associated utilities"
+set name=pkg.description \
+    value="OpenSSH provides end-to-end encrypted replacement of applications such as telnet, rlogin, and ftp. Unlike these legacy applications, OpenSSH never passes anything (including user name and password) over the wire in unencrypted form. OpenSSH provides the SSH known host mechanism which verifies that the system you connect to is really the one you intended to. OpenSSH provides secure tunneling capabilities and several authentication methods. It also supports forwarding X11 connections and arbitrary TCP ports over the secure channel."
+set name=pkg.human-version value=$(HUMAN_VERSION)
+set name=info.classification \
+    value=org.opensolaris.category.2008:Applications/Internet \
+    value=org.opensolaris.category.2008:System/Security
+set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
+set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
+set name=org.opensolaris.arc-caseid value=PSARC/2012/335
+set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+file path=etc/ssh/ssh_config group=sys mode=0644 \
+    original_name=SUNWssh:etc/ssh/ssh_config overlay=true preserve=renamenew
+file path=usr/bin/scp mode=0555
+file path=usr/bin/sftp mode=0555
+file path=usr/bin/ssh mode=0555
+file path=usr/bin/ssh-add mode=0555
+file path=usr/bin/ssh-agent mode=2555
+file path=usr/bin/ssh-keygen mode=0555
+file path=usr/bin/ssh-keyscan mode=0555
+file path=usr/share/man/man1/scp.1 mode=0444
+file path=usr/share/man/man1/sftp.1 mode=0444
+file path=usr/share/man/man1/ssh-add.1 mode=0444
+file path=usr/share/man/man1/ssh-agent.1 mode=0444
+file path=usr/share/man/man1/ssh-keygen.1 mode=0444
+file path=usr/share/man/man1/ssh-keyscan.1 mode=0444
+file path=usr/share/man/man1/ssh.1 mode=0444
+file path=usr/share/man/man5/ssh_config.5
+legacy pkg=SUNWsshcu desc="Secure Shell protocol common Utilities" \
+    name="SSH Common, (Usr)"
+legacy pkg=SUNWsshr \
+    desc="Secure Shell protocol Client and associated Utilities" \
+    name="SSH Client and utilities, (Root)"
+legacy pkg=SUNWsshu \
+    desc="Secure Shell protocol Client and associated Utilities" \
+    name="SSH Client and utilities, (Usr)"
+license openssh.license license="BSD, BSD-like (OpenSSH)" \
+    com.oracle.info.description="OpenSSH, a suite of tools that help secure network connections" \
+    com.oracle.info.name=openssh com.oracle.info.tpno=$(TPNO_OPENSSH) \
+    com.oracle.info.version=$(COMPONENT_VERSION)
+license openssh.license license="BSD, BSD-like (gsskex)" \
+    com.oracle.info.description="GSS-API authenticated key exchange" \
+    com.oracle.info.name=gsskex com.oracle.info.tpno=$(TPNO_GSSKEX) \
+    com.oracle.info.version=5.7p1
+depend type=conditional fmri=pkg:/x11/session/xauth \
+    predicate=pkg:/x11/library/libxau
+depend type=optional fmri=network/[email protected]
--- a/components/openssh/openssh.p5m	Wed Mar 02 12:23:26 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,77 +0,0 @@
-#
-# CDDL HEADER START
-#
-# The contents of this file are subject to the terms of the
-# Common Development and Distribution License (the "License").
-# You may not use this file except in compliance with the License.
-#
-# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
-# or http://www.opensolaris.org/os/licensing.
-# See the License for the specific language governing permissions
-# and limitations under the License.
-#
-# When distributing Covered Code, include this CDDL HEADER in each
-# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
-# If applicable, add the following below this CDDL HEADER, with the
-# fields enclosed by brackets "[]" replaced with your own identifying
-# information: Portions Copyright [yyyy] [name of copyright owner]
-#
-# CDDL HEADER END
-#
-# Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
-#
-<transform file path=usr.*/man/.+ -> default mangler.man.stability "Pass-through Uncommitted">
-set name=pkg.fmri \
-    value=pkg:/network/[email protected]$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
-set name=pkg.summary value=OpenSSH
-set name=pkg.description \
-    value="OpenSSH provides end-to-end encrypted replacement of applications such as telnet, rlogin, and ftp. Unlike these legacy applications, OpenSSH never passes anything (including user name and password) over the wire in unencrypted form. OpenSSH provides the SSH known host mechanism which verifies that the system you connect to is really the one you intended to. OpenSSH provides secure tunneling capabilities and several authentication methods. It also supports forwarding X11 connections and arbitrary TCP ports over the secure channel."
-set name=pkg.human-version value=$(HUMAN_VERSION)
-set name=info.classification \
-    value=org.opensolaris.category.2008:Applications/Internet \
-    value=org.opensolaris.category.2008:System/Security
-set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
-set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
-set name=org.opensolaris.arc-caseid value=PSARC/2012/335
-set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
-file path=usr/bin/scp mode=0555
-file path=usr/bin/sftp mode=0555
-file path=usr/bin/ssh mode=0555
-file path=usr/bin/ssh-add mode=0555
-file path=usr/bin/ssh-agent mode=2555
-file path=usr/bin/ssh-keygen mode=0555
-file path=usr/bin/ssh-keyscan mode=0555
-file usr/lib/dtrace/64/sftp64.d path=usr/lib/dtrace/sftp.d mode=0555
-file path=usr/lib/ssh/sftp-server mode=0555
-file path=usr/lib/ssh/ssh-keysign mode=4555
-file path=usr/lib/ssh/ssh-pkcs11-helper mode=0555
-file path=usr/lib/ssh/sshd mode=0555
-file path=usr/share/man/man1/scp.1 mode=0444
-file path=usr/share/man/man1/sftp.1 mode=0444
-file path=usr/share/man/man1/ssh-add.1 mode=0444
-file path=usr/share/man/man1/ssh-agent.1 mode=0444
-file path=usr/share/man/man1/ssh-keygen.1 mode=0444
-file path=usr/share/man/man1/ssh-keyscan.1 mode=0444
-file path=usr/share/man/man1/ssh.1 mode=0444
-file path=usr/share/man/man5/moduli.5
-file path=usr/share/man/man5/ssh_config.5
-file path=usr/share/man/man5/sshd_config.5
-file path=usr/share/man/man8/sftp-server.8
-file path=usr/share/man/man8/ssh-keysign.8
-file path=usr/share/man/man8/ssh-pkcs11-helper.8
-file path=usr/share/man/man8/sshd.8
-dir  path=var/empty owner=root group=sys mode=0755 sysattr=readonly
-group groupname=sshd gid=22
-user username=sshd ftpuser=false gcos-field="sshd privsep" group=sshd \
-    home-dir=/var/empty login-shell=/bin/false uid=22
-license openssh.license license="BSD, BSD-like (OpenSSH)" \
-    com.oracle.info.description="OpenSSH, a suite of tools that help secure network connections" \
-    com.oracle.info.name=openssh com.oracle.info.tpno=$(TPNO_OPENSSH) \
-    com.oracle.info.version=$(COMPONENT_VERSION)
-license openssh.license license="BSD, BSD-like (gsskex)" \
-    com.oracle.info.description="GSS-API authenticated key exchange" \
-    com.oracle.info.name=gsskex com.oracle.info.tpno=$(TPNO_GSSKEX) \
-    com.oracle.info.version=5.7p1
-depend type=conditional fmri=pkg:/x11/session/xauth \
-    predicate=pkg:/x11/library/libxau
-depend type=require fmri=service/network/ssh-common
--- a/components/openssh/patches/023-gsskex.patch	Wed Mar 02 12:23:26 2016 -0800
+++ b/components/openssh/patches/023-gsskex.patch	Thu Mar 03 14:55:30 2016 -0800
@@ -920,17 +920,6 @@
  #endif /* GSSAPI */
  
  #endif /* _SSH_GSS_H */
-diff -pur old/ssh_config new/ssh_config
---- old/ssh_config
-+++ new/ssh_config
[email protected]@ -26,6 +26,7 @@
- #   HostbasedAuthentication no
- #   GSSAPIAuthentication no
- #   GSSAPIDelegateCredentials no
-+#   GSSAPIKeyExchange yes
- #   BatchMode no
- #   CheckHostIP yes
- #   AddressFamily any
 diff -pur old/ssh_config.5 new/ssh_config.5
 --- old/ssh_config.5
 +++ new/ssh_config.5
@@ -1202,20 +1191,6 @@
  	kex->server = 1;
  	kex->client_version_string=client_version_string;
  	kex->server_version_string=server_version_string;
-diff -pur old/sshd_config new/sshd_config
---- old/sshd_config
-+++ new/sshd_config
[email protected]@ -82,8 +82,9 @@ AuthorizedKeysFile	.ssh/authorized_keys
- #KerberosGetAFSToken no
- 
- # GSSAPI options
--#GSSAPIAuthentication no
-+#GSSAPIAuthentication yes
- #GSSAPICleanupCredentials yes
-+#GSSAPIKeyExchange yes
- 
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
 diff -pur old/sshd_config.5 new/sshd_config.5
 --- old/sshd_config.5
 +++ new/sshd_config.5
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/040-default_config_files.patch	Thu Mar 03 14:55:30 2016 -0800
@@ -0,0 +1,231 @@
+#
+# This patch contains changes to the default SSH system configurations for
+# /etc/ssh/sshd_config and /etc/ssh/ssh_config on Solaris.
+#
+# This is a Solaris specific patch and will not be contributed back to tge
+# upstream community.
+#
+--- orig/ssh_config	Wed Feb 10 16:52:14 2016
++++ new/ssh_config	Wed Feb 10 18:32:20 2016
[email protected]@ -24,8 +24,9 @@
+ #   RSAAuthentication yes
+ #   PasswordAuthentication yes
+ #   HostbasedAuthentication no
+-#   GSSAPIAuthentication no
++#   GSSAPIAuthentication yes
+ #   GSSAPIDelegateCredentials no
++#   GSSAPIKeyExchange yes
+ #   BatchMode no
+ #   CheckHostIP yes
+ #   AddressFamily any
[email protected]@ -46,3 +47,7 @@
+ #   VisualHostKey no
+ #   ProxyCommand ssh -q -W %h:%p gateway.example.com
+ #   RekeyLimit 1G 1h
++
++# Send the LANG and LC_* environment variables to server.
++SendEnv LANG
++SendEnv LC_*
+--- orig/sshd_config	Wed Feb 10 16:52:20 2016
++++ new/sshd_config	Tue Feb 23 16:40:15 2016
[email protected]@ -2,132 +2,95 @@
+ 
+ # This is the sshd server system-wide configuration file.  See
+ # sshd_config(5) for more information.
++#
+ 
+-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+-
+-# The strategy used for options in the default sshd_config shipped with
+-# OpenSSH is to specify options with their default value where
+-# possible, but leave them commented.  Uncommented options override the
+-# default value.
+-
++# Listen port (the IANA registered port number for ssh is 22)
+ #Port 22
++
++# The default listen address is all interfaces, this may need to be changed
++# if you wish to restrict the interfaces sshd listens on for a multi homed host.
++# Multiple ListenAddress entries are allowed.
+ #AddressFamily any
+ #ListenAddress 0.0.0.0
+ #ListenAddress ::
+ 
+-# The default requires explicit activation of protocol 1
+-#Protocol 2
++# If port forwarding is enabled (default), specify if the server can bind to
++# INADDR_ANY. 
++# This allows the local port forwarding to work when connections are received
++# from any remote host.
++#GatewayPorts no
+ 
+-# HostKey for protocol version 1
+-#HostKey /etc/ssh/ssh_host_key
+-# HostKeys for protocol version 2
+-#HostKey /etc/ssh/ssh_host_rsa_key
+-#HostKey /etc/ssh/ssh_host_dsa_key
+-#HostKey /etc/ssh/ssh_host_ecdsa_key
+-#HostKey /etc/ssh/ssh_host_ed25519_key
++# X11 tunneling options
++#X11DisplayOffset 10
++#X11UseLocalhost yes
++X11Forwarding yes
+ 
+-# Lifetime and size of ephemeral version 1 server key
+-#KeyRegenerationInterval 1h
+-#ServerKeyBits 1024
++# The maximum number of concurrent unauthenticated connections to sshd.
++# start:rate:full see sshd(1) for more information.
++#MaxStartups 10:30:100
+ 
+-# Ciphers and keying
+-#RekeyLimit default none
++# Banner to be printed before authentication starts.
++Banner /etc/issue
+ 
+-# Logging
+-# obsoletes QuietMode and FascistLogging
+-#SyslogFacility AUTH
+-#LogLevel INFO
++# Should sshd print the /etc/motd file and check for mail.
++# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
++PrintMotd no
+ 
+-# Authentication:
++# KeepAlive specifies whether keep alive messages are sent to the client.
++# See sshd(1) for detailed description of what this means.
++# Note that the client may also be sending keep alive messages to the server.
++#KeepAlive yes
+ 
+-#LoginGraceTime 2m
+-#PermitRootLogin prohibit-password
+-#StrictModes yes
+-#MaxAuthTries 6
+-#MaxSessions 10
++# Syslog facility and level 
++#SyslogFacility auth
++#LogLevel info
+ 
+-#RSAAuthentication yes
+-#PubkeyAuthentication yes
++#
++# Authentication configuration
++# 
+ 
+-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+-# but this is overridden so installations will only check .ssh/authorized_keys
+-AuthorizedKeysFile	.ssh/authorized_keys
++# Host private key files
++# Must be on a local disk and readable only by the root user (root:sys 600).
++HostKey /etc/ssh/ssh_host_rsa_key
++HostKey /etc/ssh/ssh_host_dsa_key
+ 
+-#AuthorizedPrincipalsFile none
++# sshd regenerates the key every KeyRegenerationInterval seconds.
++# The key is never stored anywhere except the memory of sshd.
++# The default is 1 hour (3600 seconds).
++#KeyRegenerationInterval 3600
+ 
+-#AuthorizedKeysCommand none
+-#AuthorizedKeysCommandUser nobody
++# Ensure secure permissions on users .ssh directory.
++#StrictModes yes
+ 
+-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+-#RhostsRSAAuthentication no
+-# similar for protocol version 2
+-#HostbasedAuthentication no
+-# Change to yes if you don't trust ~/.ssh/known_hosts for
+-# RhostsRSAAuthentication and HostbasedAuthentication
+-#IgnoreUserKnownHosts no
+-# Don't read the user's ~/.rhosts and ~/.shosts files
+-#IgnoreRhosts yes
++# Length of time in seconds before a client that hasn't completed
++# authentication is disconnected.
++# Default is 120 seconds. 0 means no time limit.
++#LoginGraceTime 120
+ 
+-# To disable tunneled clear text passwords, change to no here!
+-#PasswordAuthentication yes
++# Maximum number of retries for authentication
++# Default is 6.
++#MaxAuthTries	6
++
++# Are logins to accounts with empty passwords allowed.
++# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK 
++# to pam_authenticate(3PAM).
+ #PermitEmptyPasswords no
+ 
+-# Change to no to disable s/key passwords
+-#ChallengeResponseAuthentication yes
++# To disable tunneled clear text passwords, change PasswordAuthentication to no.
++#PasswordAuthentication yes
+ 
+-# Kerberos options
+-#KerberosAuthentication no
+-#KerberosOrLocalPasswd yes
+-#KerberosTicketCleanup yes
+-#KerberosGetAFSToken no
++# Are root logins permitted using sshd.
++# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
++# maybe denied access by a PAM module regardless of this setting.
++# Valid options are yes, without-password, no.
++PermitRootLogin no
+ 
+-# GSSAPI options
+-#GSSAPIAuthentication no
+-#GSSAPICleanupCredentials yes
++# sftp subsystem
++Subsystem	sftp	internal-sftp
+ 
+-# Set this to 'yes' to enable PAM authentication, account processing,
+-# and session processing. If this is enabled, PAM authentication will
+-# be allowed through the ChallengeResponseAuthentication and
+-# PasswordAuthentication.  Depending on your PAM configuration,
+-# PAM authentication via ChallengeResponseAuthentication may bypass
+-# the setting of "PermitRootLogin without-password".
+-# If you just want the PAM account and session checks to run without
+-# PAM authentication, then enable this but set PasswordAuthentication
+-# and ChallengeResponseAuthentication to 'no'.
+-#UsePAM no
++# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
++#IgnoreUserKnownHosts yes
+ 
+-#AllowAgentForwarding yes
+-#AllowTcpForwarding yes
+-#GatewayPorts no
+-#X11Forwarding no
+-#X11DisplayOffset 10
+-#X11UseLocalhost yes
+-#PermitTTY yes
+-#PrintMotd yes
+-#PrintLastLog yes
+-#TCPKeepAlive yes
+-#UseLogin no
+-UsePrivilegeSeparation sandbox		# Default for new installations.
+-#PermitUserEnvironment no
+-#Compression delayed
+-#ClientAliveInterval 0
+-#ClientAliveCountMax 3
+-#UseDNS no
+-#PidFile /var/run/sshd.pid
+-#MaxStartups 10:30:100
+-#PermitTunnel no
+-#ChrootDirectory none
+-#VersionAddendum none
+-
+-# no default banner path
+-#Banner none
+-
+-# override default of no subsystems
+-Subsystem	sftp	/usr/libexec/sftp-server
+-
+-# Example of overriding settings on a per-user basis
+-#Match User anoncvs
+-#	X11Forwarding no
+-#	AllowTcpForwarding no
+-#	PermitTTY no
+-#	ForceCommand cvs server
++# Accept the LANG and LC_* environment variables sent by the client.
++AcceptEnv LANG
++AcceptEnv LC_*
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/service-network-ssh.p5m	Thu Mar 03 14:55:30 2016 -0800
@@ -0,0 +1,68 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+<transform file path=usr.*/man/.+ -> default mangler.man.stability "Pass-through Uncommitted">
+set name=pkg.fmri \
+    value=pkg:/service/network/[email protected]$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
+set name=pkg.summary value="OpenSSH servers and SSH (Secure Shell) services"
+set name=pkg.description \
+    value="Provides OpenSSH server support for the Secure Shell (SSH) service which creates RSA and DSA host keys if they are not available and start or stop the sshd (Secure Shell daemon)."
+set name=pkg.human-version value=$(HUMAN_VERSION)
+set name=info.classification \
+    value=org.opensolaris.category.2008:Applications/Internet \
+    value=org.opensolaris.category.2008:System/Security
+set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
+set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
+set name=org.opensolaris.arc-caseid value=PSARC/2015/227
+set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+file path=etc/ssh/moduli group=sys mode=0644 overlay=true preserve=renamenew
+file path=etc/ssh/sshd_config group=sys mode=0644 \
+    original_name=SUNWsshd:etc/ssh/sshd_config overlay=true preserve=renamenew
+file sources/ssh.xml path=lib/svc/manifest/network/ssh.xml group=sys mode=0444 \
+    overlay=true preserve=true
+file sources/sshd.sh path=lib/svc/method/sshd mode=0555 overlay=true \
+    preserve=true
+file usr/lib/dtrace/64/sftp64.d path=usr/lib/dtrace/sftp.d
+file path=usr/lib/ssh/sftp-server mode=0555
+file path=usr/lib/ssh/ssh-keysign mode=4555
+file path=usr/lib/ssh/ssh-pkcs11-helper mode=0555
+file path=usr/lib/ssh/sshd mode=0555
+file path=usr/share/man/man5/moduli.5
+file path=usr/share/man/man5/sshd_config.5
+file path=usr/share/man/man8/sftp-server.8
+file path=usr/share/man/man8/ssh-keysign.8
+file path=usr/share/man/man8/ssh-pkcs11-helper.8
+file path=usr/share/man/man8/sshd.8
+dir  path=var/empty owner=root group=sys mode=0755 sysattr=readonly
+group groupname=sshd gid=22
+user username=sshd ftpuser=false gcos-field="sshd privsep" group=sshd \
+    home-dir=/var/empty login-shell=/bin/false uid=22
+license openssh.license license="BSD, BSD-like (OpenSSH)" \
+    com.oracle.info.description="OpenSSH, a suite of tools that help secure network connections" \
+    com.oracle.info.name=openssh com.oracle.info.tpno=$(TPNO_OPENSSH) \
+    com.oracle.info.version=$(COMPONENT_VERSION)
+license openssh.license license="BSD, BSD-like (gsskex)" \
+    com.oracle.info.description="GSS-API authenticated key exchange" \
+    com.oracle.info.name=gsskex com.oracle.info.tpno=$(TPNO_GSSKEX) \
+    com.oracle.info.version=5.7p1
+depend type=conditional fmri=pkg:/x11/session/xauth \
+    predicate=pkg:/x11/library/libxau
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/ssh.xml	Thu Mar 03 14:55:30 2016 -0800
@@ -0,0 +1,158 @@
+<?xml version="1.0"?>
+<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
+<!--
+Copyright (c) 2004, 2016, Oracle and/or its affiliates. All rights reserved.
+
+        NOTE:  This service manifest is not editable; its contents will
+        be overwritten by package or patch operations, including
+        operating system upgrade.  Make customizations in a different
+        file.
+-->
+
+<service_bundle type='manifest' name='SUNWsshdr:ssh'>
+
+<service
+	name='network/ssh'
+	type='service'
+	version='1'>
+
+	<create_default_instance enabled='false' />
+
+	<single_instance />
+
+	<dependency name='fs-min'
+		grouping='require_all'
+		restart_on='none'
+		type='service'>
+		<service_fmri
+			value='svc:/system/filesystem/minimal' />
+	</dependency>
+
+	<dependency name='net-loopback'
+		grouping='require_all'
+		restart_on='none'
+		type='service'>
+		<service_fmri value='svc:/network/loopback' />
+	</dependency>
+
+	<dependency name='net-physical'
+		grouping='require_all'
+		restart_on='none'
+		type='service'>
+		<service_fmri value='svc:/network/physical:default' />
+	</dependency>
+
+	<dependency name='utmp'
+		grouping='require_all'
+		restart_on='none'
+		type='service'>
+		<service_fmri value='svc:/system/utmp' />
+	</dependency>
+
+	<dependency name='network_ipfilter'
+		grouping='optional_all'
+		restart_on='error'
+		type='service'>
+		<service_fmri value='svc:/network/ipfilter:default' />
+	</dependency>
+
+	<dependency name='config_data'
+		grouping='require_all'
+		restart_on='restart'
+		type='path'>
+		<service_fmri
+		    value='file://localhost/etc/ssh/sshd_config' />
+	</dependency>
+
+	<dependent
+		name='ssh_multi-user-server'
+		grouping='optional_all'
+		restart_on='none'>
+			<service_fmri
+			    value='svc:/milestone/multi-user-server' />
+	</dependent>
+
+	<dependent
+		name='ssh-self-assembly-complete'
+		grouping='optional_all'
+		restart_on='none'>
+		<service_fmri value='svc:/milestone/self-assembly-complete' />
+	</dependent>
+
+	<method_context>
+		<method_credential user='root' clearance='ADMIN_HIGH' />
+	</method_context>
+
+	<exec_method
+		type='method'
+		name='start'
+		exec='/lib/svc/method/sshd start'
+		timeout_seconds='60'/>
+
+	<exec_method
+		type='method'
+		name='stop'
+		exec=':kill'
+		timeout_seconds='60' />
+
+	<exec_method
+		type='method'
+		name='refresh'
+		exec='/lib/svc/method/sshd restart'
+		timeout_seconds='60' />
+
+        <exec_method
+                type='method'
+                name='unconfigure'
+                exec='/lib/svc/method/sshd -u'
+                timeout_seconds='60' />
+
+	<property_group name='startd'
+		type='framework'>
+		<!-- sub-process core dumps shouldn't restart session -->
+		<propval name='ignore_error'
+		    type='astring' value='core,signal' />
+	</property_group>
+
+        <property_group name='general' type='framework'>
+                <!-- to start stop sshd -->
+                <propval name='action_authorization' type='astring'
+                        value='solaris.smf.manage.ssh' />
+        </property_group>
+
+	<property_group name='firewall_context' type='com.sun,fw_definition'>
+		<propval name='name' type='astring' value='ssh' />
+		<propval name='ipf_method' type='astring'
+		    value='/lib/svc/method/sshd ipfilter' />
+	</property_group>
+
+	<property_group name='firewall_config' type='com.sun,fw_configuration'>
+		<propval name='policy' type='astring' value='use_global' />
+		<propval name='apply_to' type='astring' value='' />
+		<propval name='exceptions' type='astring' value='' />
+		<propval name='value_authorization' type='astring'
+			value='solaris.smf.value.firewall.config' />
+	</property_group>
+
+        <property_group name='sysconfig' type='sysconfig'>
+                <stability value='Unstable' />
+                <propval name='group' type='astring' value='network' />
+                <propval name='reconfigurable' type='boolean' value='false' />
+        </property_group>
+
+	<stability value='Unstable' />
+
+	<template>
+		<common_name>
+			<loctext xml:lang='C'>
+			SSH server
+			</loctext>
+		</common_name>
+		<documentation>
+			<manpage title='sshd' section='1M' manpath='/usr/share/man' />
+		</documentation>
+	</template>
+
+</service>
+
+</service_bundle>
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/sshd.sh	Thu Mar 03 14:55:30 2016 -0800
@@ -0,0 +1,203 @@
+#!/usr/sbin/sh
+#
+# Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
+#
+
+. /lib/svc/share/smf_include.sh
+. /lib/svc/share/ipf_include.sh
+
+SSHDIR=/etc/ssh
+KEYGEN="/usr/bin/ssh-keygen -q"
+PIDFILE=$SMF_SYSVOL_FS/sshd.pid
+
+# Checks to see if RSA, and DSA host keys are available
+# if any of these keys are not present, the respective keys are created.
+create_key()
+{
+	keypath=$1
+	keytype=$2
+
+	if [ ! -f $keypath ]; then
+		# 
+		# HostKey keywords in sshd_config may be preceded or
+		# followed by a mix of any number of space or tabs,
+		# and optionally have an = between keyword and
+		# argument.  We use two grep invocations such that we
+		# can match HostKey case insensitively but still have
+		# the case of the path name be significant, keeping
+		# the pattern somewhat more readable.
+		#
+		# The character classes below contain one literal
+		# space and one literal tab.
+		#
+		grep -i "^[ 	]*HostKey[ 	]*=\{0,1\}[ 	]*$keypath" \
+		    $SSHDIR/sshd_config | grep "$keypath" > /dev/null 2>&1
+
+		if [ $? -eq 0 ]; then
+			echo Creating new $keytype public/private host key pair
+			$KEYGEN -f $keypath -t $keytype -N ''
+			if [ $? -ne 0 ]; then
+				echo "Could not create $keytype key: $keypath"
+				exit $SMF_EXIT_ERR_CONFIG
+			fi
+		fi
+	fi
+}
+
+create_ipf_rules()
+{
+	FMRI=$1
+	ipf_file=`fmri_to_file ${FMRI} $IPF_SUFFIX`
+	policy=`get_policy ${FMRI}`
+
+	#
+	# Get port from /etc/ssh/sshd_config
+	#
+	tports=`grep "^Port" /etc/ssh/sshd_config 2>/dev/null | \
+	    awk '{print $2}'`
+
+	echo "# $FMRI" >$ipf_file
+	for port in $tports; do
+		generate_rules $FMRI $policy "tcp" "any" $port $ipf_file
+	done
+}
+
+remove_key()
+{
+        keypath=$1
+        if [ -f $keypath ]; then
+                grep -i "^[     ]*HostKey[      ]*=\{0,1\}[     ]*$keypath" \
+                    $SSHDIR/sshd_config | grep "$keypath" > /dev/null 2>&1
+                if [ $? -eq 0 ]; then
+                        rm -f ${keypath} ${keypath}.pub
+                fi
+        fi
+}
+
+#
+# Makes sure, that /etc/ssh/sshd_config does not contain single line
+# 'ListenAddress ::'. 
+#
+# This used to be part of default SunSSH sshd_config and instructed SunSSH
+# to listen on all interfaces. For OpenSSH, the same line means listen on all
+# IPv6 interfaces.
+#
+fix_listenaddress()
+{
+	fbackup="$SSHDIR/sshd_config.pre_listenaddress_fix"
+	reason4change="#\n\
+# Historically default sshd_config was shipped with 'ListenAddress ::',\n\
+# which means 'listen on all interfaces' in SunSSH.\n\
+# In OpenSSH this setting means 'listen on all IPv6 interfaces'.\n\
+# To avoid loss of service after transitioning to OpenSSH, the following\n\
+# line was commented out by the network/ssh service method script on\n\
+#     $(date).\n\
+# Original file was backed up to $fbackup\n\
+#\n\
+# "
+	expl4log="Historically default sshd_config was shipped with \
+'ListenAddress ::', which means 'listen on all interfaces' in SunSSH. \
+In OpenSSH this setting means 'listen on all IPv6 interfaces'. \
+For both SunSSH and OpenSSH the default behavior when no ListenAddress \
+is specified is to listen on all interfaces (both IPv4 and IPv6)."
+	msg_not_removed="Custom ListenAddress setting detected in \
+$SSHDIR/sshd_config, the file will not be modified. Please, check your \
+ListenAddress settings. $expl4log"
+	msg_removed="Removing 'ListenAddress ::'. $expl4log Original file has \
+been backed up to $fbackup"
+	
+	# only modify sshd_config, if ssh implementation is OpenSSH
+	if [[ "$(ssh -V 2>&1)" == Sun_SSH_* ]]; then
+		return 0;
+	fi
+
+	# comment '# IPv4 & IPv6' indicates an old default sshd_config
+	grep -q '^# IPv4 & IPv6$' $SSHDIR/sshd_config || return 0;
+
+	# backup
+	cp $SSHDIR/sshd_config $fbackup
+
+	# if 'ListenAddress ::' is the only ListenAddress line, comment it out
+	listen_address=$(grep -i '^[ \t]*ListenAddress' $SSHDIR/sshd_config)
+	if [[ "$listen_address" == 'ListenAddress ::' ]]; then
+		echo $msg_removed
+		awk_prog="/^ListenAddress ::$/ {printf(\"$reason4change\")}\
+			  !/^# IPv4 & IPv6$/   {print}"
+	elif [[ -z "$listen_address" ]]; then
+		# no ListenAddress setting => OK, silently remove comment
+		awk_prog="!/^# IPv4 & IPv6$/   {print}"
+	else
+		# send warning message both to log and console
+		echo $msg_not_removed | smf_console
+		awk_prog="!/^# IPv4 & IPv6$/   {print}"
+	fi;
+
+	sshd_config=$(nawk "$awk_prog" $SSHDIR/sshd_config)
+	if [[ $? -ne 0 ]]; then
+		echo "Update error! Check your ListenAddress settings."
+		return 1;
+	else
+		# write the fixed content to the file
+		echo "$sshd_config" > $SSHDIR/sshd_config
+		return 0;
+	fi
+
+}
+
+# This script is being used for two purposes: as part of an SMF
+# start/stop/refresh method, and as a sysidconfig(1M)/sys-unconfig(1M)
+# application.
+#
+# Both, the SMF methods and sysidconfig/sys-unconfig use different
+# arguments..
+
+case $1 in 
+	# sysidconfig/sys-unconfig arguments (-c and -u)
+'-c')
+	create_key $SSHDIR/ssh_host_rsa_key rsa
+	create_key $SSHDIR/ssh_host_dsa_key dsa
+	;;
+
+'-u')
+	# sysconfig unconfigure to remove the sshd host keys
+	remove_key $SSHDIR/ssh_host_rsa_key
+	remove_key $SSHDIR/ssh_host_dsa_key
+	;;
+
+	# SMF arguments (start and restart [really "refresh"])
+
+'ipfilter')
+	create_ipf_rules $2
+	;;
+
+'start')
+	#
+	# If host keys don't exist when the service is started, create
+	# them; sysidconfig is not run in every situation (such as on
+	# the install media).
+	# 
+	create_key $SSHDIR/ssh_host_rsa_key rsa
+	create_key $SSHDIR/ssh_host_dsa_key dsa
+
+	#
+	# Make sure, that /etc/ssh/sshd_config does not contain single line
+	# 'ListenAddress ::'.
+	#
+	fix_listenaddress
+
+	/usr/lib/ssh/sshd
+	;;
+
+'restart')
+	if [ -f "$PIDFILE" ]; then
+		/usr/bin/kill -HUP `/usr/bin/cat $PIDFILE`
+	fi
+	;;
+
+*)
+	echo "Usage: $0 { start | restart }"
+	exit 1
+	;;
+esac	
+
+exit $?