15366793 sshd calls pam_authenticate() for none method if PermitEmptyPasswords=yes
23316839 SSH + annotation fails for userauth types which aren't able to prompt the user
--- a/components/openssh/service-network-ssh.p5m Fri May 27 14:04:06 2016 -0600
+++ b/components/openssh/service-network-ssh.p5m Fri May 27 13:40:36 2016 -0700
@@ -34,6 +34,16 @@
set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
set name=org.opensolaris.arc-caseid value=PSARC/2015/227 value=PSARC/2016/216
set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+file sources/sshd-gssapi path=etc/pam.d/sshd-gssapi group=sys mode=0644 \
+ overlay=allow preserve=renamenew
+file sources/sshd-hostbased path=etc/pam.d/sshd-hostbased group=sys mode=0644 \
+ overlay=allow preserve=renamenew
+file sources/sshd-none path=etc/pam.d/sshd-none group=sys mode=0644 \
+ overlay=allow preserve=renamenew
+file sources/sshd-password path=etc/pam.d/sshd-password group=sys mode=0644 \
+ overlay=allow preserve=renamenew
+file sources/sshd-pubkey path=etc/pam.d/sshd-pubkey group=sys mode=0644 \
+ overlay=allow preserve=renamenew
file path=etc/ssh/moduli group=sys mode=0644 overlay=allow preserve=renamenew
file path=etc/ssh/sshd_config group=sys mode=0644 \
original_name=SUNWsshd:etc/ssh/sshd_config overlay=allow preserve=renamenew
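Review bot: The `sources/sshd-none` entry is delivered with the same `overlay=allow preserve=renamenew` as the other four fragments, so the deny-all stack that addresses 15366793 only applies where the file is as delivered. On upgrade a locally edited copy is kept while the new content goes to a `.new` file, and another package may overlay the path. If that is intended, a manifest comment above these entries would make it explicit, for example `# sshd-none is security relevant: a preserved or overlaid copy can re-enable PAM for the 'none' method`. The five new `file` actions also carry no `owner=`, matching the existing `etc/ssh` entries; presumably a default supplies it, which is worth confirming because these files control authentication.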
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/sshd-gssapi Fri May 27 13:40:36 2016 -0700
@@ -0,0 +1,9 @@
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+# PAM configuration for SSH GSSAPI authentication which turns off
+# prompting for an annotation string since it isn't possible to interact
+# with a user when using GSSAPI authentication.
+#
+auth definitive pam_user_policy.so.1
+auth required pam_unix_cred.so.1 noannotation
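Review bot: The `auth` stack here contains no module that verifies a credential, only `pam_user_policy.so.1` and `pam_unix_cred.so.1`, and the header comment does not say this is deliberate. Presumably sshd has completed the GSSAPI exchange itself before PAM is consulted; if so, I would add `# sshd verifies the GSSAPI credential itself; this stack only applies user policy and sets credentials.` and `# Do not reuse this service name for anything that relies on PAM to authenticate.` The same applies to the `sshd-hostbased` and `sshd-pubkey` fragments, which carry the identical two lines. The header could also note that only `auth` is defined here, so `account`, `session` and `password` are resolved by configuration not visible in this diff.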
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/sshd-hostbased Fri May 27 13:40:36 2016 -0700
@@ -0,0 +1,9 @@
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+# PAM configuration for SSH hostbased authentication which turns off
+# prompting for an annotation string since it isn't possible to interact
+# with a user when using hostbased authentication.
+#
+auth definitive pam_user_policy.so.1
+auth required pam_unix_cred.so.1 noannotation
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/sshd-none Fri May 27 13:40:36 2016 -0700
@@ -0,0 +1,16 @@
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+# PAM configuration for the SSH user authentication type of 'none' which is
+# used when no authentication is required at all. This PAM fragment prevents
+# authentication using sshd-none to avoid unnecessary interaction with
+# failed logins tracking in certain SSH and PAM configurations. If SSH
+# logins are desired without any authentication then this is possible by
+# configuring both the sshd_config(5) options 'PasswordAuthentication' and
+# 'PermitEmptyPasswords' to be 'yes' and using either the 'password' or
+# 'keyboard-interactive' user authentication methods.
+#
+auth definitive pam_deny.so.1
+account definitive pam_deny.so.1
+session definitive pam_deny.so.1
+password definitive pam_deny.so.1
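Review bot: The header explains only why authentication is refused, while the fragment also denies `account`, `session` and `password`, and nothing says those three lines are intentional. A one-line comment above the stack would cover it, e.g. `# All four stacks are denied so that no PAM path can succeed under the sshd-none service name.` Presumably `pam_deny.so.1` is used so that the `none` request never reaches the failed-login accounting mentioned in the header. The sshd side is not in this diff, so that should be confirmed and then stated in the comment rather than left implied.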
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/sshd-password Fri May 27 13:40:36 2016 -0700
@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+# PAM configuration for SSH password authentication which turns off
+# prompting for an annotation string since it isn't possible to interact
+# with a user when using password authentication.
+#
+auth definitive pam_user_policy.so.1
+auth required pam_unix_auth.so.1 noannotation
+auth required pam_unix_cred.so.1 noannotation
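Review bot: `pam_unix_auth.so.1` is the only verifying module in this stack and nothing ahead of it obtains the password. As far as I recall, the stock Solaris login stack runs `pam_authtok_get.so.1` before it. If sshd places the client-supplied password in PAM_AUTHTOK itself (not visible in this diff), the header should say so, e.g. `# sshd supplies the password as PAM_AUTHTOK, so no prompting module is listed.` It is also worth confirming that `noannotation` is an option `pam_unix_auth.so.1` accepts, since the other fragments pass it only to `pam_unix_cred.so.1`.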
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/sshd-pubkey Fri May 27 13:40:36 2016 -0700
@@ -0,0 +1,9 @@
+#
+# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+#
+# PAM configuration for SSH public key authentication which turns off
+# prompting for an annotation string since it isn't possible to interact
+# with a user when using public key authentication.
+#
+auth definitive pam_user_policy.so.1
+auth required pam_unix_cred.so.1 noannotation