PSARC 2012/335 OpenSSH migration
PSARC 2013/115 Shared configuration for SunSSH & OpenSSH
PSARC 2014/078 OpenSSH 6.5
PSARC 2014/342 pam_unix_session lastlog support
15769261 SUNBT7135649 Deliver OpenSSH 6.0P1 in the userland gate
18205826 upgrade OpenSSH to 6.5p1
19579776 OpenSSH doesn't need to reference lastlog anymore now that PAM session mgmt does
18267729 Delegating credentials in OpenSSH
18828925 migrate the disablebanner feature from SunSSH to OpenSSH
18890096 migrate PAM enhancements from SunSSH to OpenSSH
19629847 OpenSSH does not support Solaris Audit for login/logout.
17997193 misc. problems in Makefile and openssh.p5m
18268681 openssh has non-existent /usr/local/lib in its runpath
18528305 /var/empty should be delivered readonly
19034156 PAM coversation function for passwd auth method has an incorrect assumption
19906401 should set AUTHTOK to NULL after pam_authenticate in sshpam_auth_passwd()
19517432 OpenSSH does not update utmpx on login
19570656 GSSAPIAuthentication option should default to yes
19591379 X11Forwarding and ForwardX11Trusted should default to yes
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
18898794 ssh connections fail with openssh, same config works with sunssh
20549448 OpenSSH X86 server core dump at audit_event
20656125 OpenSSH ed25519 algorithm signature verification failure
18435439 problem in UTILITY/OPENSSH
18491957 problem in UTILITY/OPENSSH
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/Makefile Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,100 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+#
+include ../../make-rules/shared-macros.mk
+
+COMPONENT_NAME= openssh
+COMPONENT_VERSION= 6.5p1
+HUMAN_VERSION= $(COMPONENT_VERSION)
+COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)
+
+# Version for IPS. The encoding rules are:
+# OpenSSH <x>.<y>p<n> => IPS <x>.<y>.0.<n>
+# OpenSSH <x>.<y>.<z>p<n> => IPS <x>.<y>.<z>.<n>
+IPS_COMPONENT_VERSION= 6.5.0.1
+
+COMPONENT_PROJECT_URL= http://www.openssh.org/
+COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz
+COMPONENT_ARCHIVE_HASH= sha256:a1195ed55db945252d5a1730d4a2a2a5c1c9a6aa01ef2e5af750a962623d9027
+COMPONENT_ARCHIVE_URL= http://mirror.team-cymru.org/pub/OpenBSD/OpenSSH/portable/$(COMPONENT_ARCHIVE)
+COMPONENT_BUGDB=utility/openssh
+
+TPNO= 16633
+
+include $(WS_MAKE_RULES)/prep.mk
+include $(WS_MAKE_RULES)/configure.mk
+include $(WS_MAKE_RULES)/ips.mk
+
+# Enable ASLR for this component
+ASLR_MODE = $(ASLR_ENABLE)
+
+COMPILER= gcc
+
+CFLAGS += -DSET_USE_PAM
+CFLAGS += -DDEPRECATE_SUNSSH_OPT
+CFLAGS += -DKRB5_BUILD_FIX
+CFLAGS += -DDTRACE_SFTP
+CFLAGS += -DDISABLE_BANNER
+CFLAGS += -DPAM_ENHANCEMENT
+CFLAGS += -DPAM_BUGFIX
+CFLAGS += -DOPTION_DEFAULT_VALUE
+
+CONFIGURE_OPTIONS += CFLAGS="$(CFLAGS)"
+
+# We need to disable lazyloading of dynamic dependent libraries. During the
+# pre-authentication phase, sshd will chroot to /var/empty which doesn't
+# contain any files. If we use lazyloading, sshd will fail to find any
+# libraries that it needs.
+CONFIGURE_OPTIONS += LDFLAGS="$(LDFLAGS) -B direct -z nolazyload"
+
+CONFIGURE_OPTIONS += --with-audit=solaris
+CONFIGURE_OPTIONS += --with-libedit
+CONFIGURE_OPTIONS += --with-kerberos5
+CONFIGURE_OPTIONS += --with-pam
+CONFIGURE_OPTIONS += --with-sandbox=no
+CONFIGURE_OPTIONS += --with-solaris-contracts
+CONFIGURE_OPTIONS += --with-solaris-projects
+CONFIGURE_OPTIONS += --with-tcp-wrappers
+CONFIGURE_OPTIONS += --with-4in6
+CONFIGURE_OPTIONS += --enable-strip=no
+CONFIGURE_OPTIONS += --without-rpath
+CONFIGURE_OPTIONS += --libexecdir=/usr/lib/ssh
+CONFIGURE_OPTIONS += --sbindir=/usr/lib/ssh
+CONFIGURE_OPTIONS += --sysconfdir=/etc/ssh
+CONFIGURE_OPTIONS += --bindir=/usr/bin
+CONFIGURE_OPTIONS += --disable-lastlog
+
+# Copy source files that are not yet part of a patch
+COMPONENT_PREP_ACTION += ($(CP) sources/*.c $(@D)/)
+
+# common targets
+build: $(BUILD_32)
+
+install: $(INSTALL_32)
+
+# Because of certain set up requirement, the regress test suite is ported to
+# the STC gate.
+test: $(NO_TESTS)
+
+BUILD_PKG_DEPENDENCIES = $(BUILD_TOOLS)
+
+include ../../make-rules/depend.mk
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/openssh.license Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,340 @@
+This file is part of the OpenSSH software.
+
+The licences which components of this software fall under are as
+follows. First, we will summarize and say that all components
+are under a BSD licence, or a licence more free than that.
+
+OpenSSH contains no GPL code.
+
+1)
+ * Copyright (c) 1995 Tatu Ylonen <[email protected]>, Espoo, Finland
+ * All rights reserved
+ *
+ * As far as I am concerned, the code I have written for this software
+ * can be used freely for any purpose. Any derived versions of this
+ * software must be clearly marked as such, and if the derived work is
+ * incompatible with the protocol description in the RFC file, it must be
+ * called by a name other than "ssh" or "Secure Shell".
+
+ [Tatu continues]
+ * However, I am not implying to give any licenses to any patents or
+ * copyrights held by third parties, and the software includes parts that
+ * are not under my direct control. As far as I know, all included
+ * source code is used in accordance with the relevant license agreements
+ * and can be used freely for any purpose (the GNU license being the most
+ * restrictive); see below for details.
+
+ [However, none of that term is relevant at this point in time. All of
+ these restrictively licenced software components which he talks about
+ have been removed from OpenSSH, i.e.,
+
+ - RSA is no longer included, found in the OpenSSL library
+ - IDEA is no longer included, its use is deprecated
+ - DES is now external, in the OpenSSL library
+ - GMP is no longer used, and instead we call BN code from OpenSSL
+ - Zlib is now external, in a library
+ - The make-ssh-known-hosts script is no longer included
+ - TSS has been removed
+ - MD5 is now external, in the OpenSSL library
+ - RC4 support has been replaced with ARC4 support from OpenSSL
+ - Blowfish is now external, in the OpenSSL library
+
+ [The licence continues]
+
+ Note that any information and cryptographic algorithms used in this
+ software are publicly available on the Internet and at any major
+ bookstore, scientific library, and patent office worldwide. More
+ information can be found e.g. at "http://www.cs.hut.fi/crypto".
+
+ The legal status of this program is some combination of all these
+ permissions and restrictions. Use only at your own responsibility.
+ You will be responsible for any legal consequences yourself; I am not
+ making any claims whether possessing or using this is legal or not in
+ your country, and I am not taking any responsibility on your behalf.
+
+
+ NO WARRANTY
+
+ BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+ FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+ OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+ PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+ OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+ TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+ PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+ REPAIR OR CORRECTION.
+
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+ WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+ REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+ INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+ OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+ TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+ PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGES.
+
+2)
+ The 32-bit CRC compensation attack detector in deattack.c was
+ contributed by CORE SDI S.A. under a BSD-style license.
+
+ * Cryptographic attack detector for ssh - source code
+ *
+ * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
+ *
+ * All rights reserved. Redistribution and use in source and binary
+ * forms, with or without modification, are permitted provided that
+ * this copyright notice is retained.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
+ * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
+ * SOFTWARE.
+ *
+ * Ariel Futoransky <[email protected]>
+ * <http://www.core-sdi.com>
+
+3)
+ ssh-keyscan was contributed by David Mazieres under a BSD-style
+ license.
+
+ * Copyright 1995, 1996 by David Mazieres <[email protected]>.
+ *
+ * Modification and redistribution in source and binary forms is
+ * permitted provided that due credit is given to the author and the
+ * OpenBSD project by leaving this copyright notice intact.
+
+4)
+ The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers
+ and Paulo Barreto is in the public domain and distributed
+ with the following license:
+
+ * @version 3.0 (December 2000)
+ *
+ * Optimised ANSI C code for the Rijndael cipher (now AES)
+ *
+ * @author Vincent Rijmen <[email protected]>
+ * @author Antoon Bosselaers <[email protected]>
+ * @author Paulo Barreto <[email protected]>
+ *
+ * This code is hereby placed in the public domain.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
+ * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+5)
+ One component of the ssh source code is under a 3-clause BSD license,
+ held by the University of California, since we pulled these parts from
+ original Berkeley code.
+
+ * Copyright (c) 1983, 1990, 1992, 1993, 1995
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+
+6)
+ Remaining components of the software are provided under a standard
+ 2-term BSD licence with the following names as copyright holders:
+
+ Markus Friedl
+ Theo de Raadt
+ Niels Provos
+ Dug Song
+ Aaron Campbell
+ Damien Miller
+ Kevin Steves
+ Daniel Kouril
+ Wesley Griffin
+ Per Allansson
+ Nils Nordman
+ Simon Wilkinson
+
+ Portable OpenSSH additionally includes code from the following copyright
+ holders, also under the 2-term BSD license:
+
+ Ben Lindstrom
+ Tim Rice
+ Andre Lucas
+ Chris Adams
+ Corinna Vinschen
+ Cray Inc.
+ Denis Parker
+ Gert Doering
+ Jakob Schlyter
+ Jason Downs
+ Juha Yrj�l�
+ Michael Stone
+ Networks Associates Technology, Inc.
+ Solar Designer
+ Todd C. Miller
+ Wayne Schroeder
+ William Jones
+ Darren Tucker
+ Sun Microsystems
+ The SCO Group
+ Daniel Walsh
+ Red Hat, Inc
+ Simon Vallet / Genoscope
+
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+8) Portable OpenSSH contains the following additional licenses:
+
+ a) md5crypt.c, md5crypt.h
+
+ * "THE BEER-WARE LICENSE" (Revision 42):
+ * <[email protected]> wrote this file. As long as you retain this
+ * notice you can do whatever you want with this stuff. If we meet
+ * some day, and you think this stuff is worth it, you can buy me a
+ * beer in return. Poul-Henning Kamp
+
+ b) snprintf replacement
+
+ * Copyright Patrick Powell 1995
+ * This code is based on code written by Patrick Powell
+ * ([email protected]) It may be used for any purpose as long as this
+ * notice remains intact on all source code distributions
+
+ c) Compatibility code (openbsd-compat)
+
+ Apart from the previously mentioned licenses, various pieces of code
+ in the openbsd-compat/ subdirectory are licensed as follows:
+
+ Some code is licensed under a 3-term BSD license, to the following
+ copyright holders:
+
+ Todd C. Miller
+ Theo de Raadt
+ Damien Miller
+ Eric P. Allman
+ The Regents of the University of California
+ Constantin S. Svintsoff
+
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+
+ Some code is licensed under an ISC-style license, to the following
+ copyright holders:
+
+ Internet Software Consortium.
+ Todd C. Miller
+ Reyk Floeter
+ Chad Mynhier
+
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+ Some code is licensed under a MIT-style license to the following
+ copyright holders:
+
+ Free Software Foundation, Inc.
+
+ * Permission is hereby granted, free of charge, to any person obtaining a *
+ * copy of this software and associated documentation files (the *
+ * "Software"), to deal in the Software without restriction, including *
+ * without limitation the rights to use, copy, modify, merge, publish, *
+ * distribute, distribute with modifications, sublicense, and/or sell *
+ * copies of the Software, and to permit persons to whom the Software is *
+ * furnished to do so, subject to the following conditions: *
+ * *
+ * The above copyright notice and this permission notice shall be included *
+ * in all copies or substantial portions of the Software. *
+ * *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS *
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF *
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. *
+ * IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, *
+ * DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR *
+ * OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR *
+ * THE USE OR OTHER DEALINGS IN THE SOFTWARE. *
+ * *
+ * Except as contained in this notice, the name(s) of the above copyright *
+ * holders shall not be used in advertising or otherwise to promote the *
+ * sale, use or other dealings in this Software without prior written *
+ * authorization. *
+ ****************************************************************************/
+
+
+------
+$OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/openssh.p5m Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,132 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
+#
+<transform file path=usr.*/man/.+ -> default mangler.man.stability uncommitted>
+set name=pkg.fmri \
+ value=pkg:/network/openssh@$(IPS_COMPONENT_VERSION),$(BUILD_VERSION)
+set name=pkg.summary value=OpenSSH
+set name=pkg.description \
+ value="OpenSSH provides end-to-end encrypted replacement of applications such as telnet, rlogin, and ftp. Unlike these legacy applications, OpenSSH never passes anything (including user name and password) over the wire in unencrypted form. OpenSSH provides the SSH known host mechanism which verifies that the system you connect to is really the one you intended to. OpenSSH provides secure tunneling capabilities and several authentication methods. It also supports forwarding X11 connections and arbitrary TCP ports over the secure channel."
+set name=pkg.human-version value=$(HUMAN_VERSION)
+set name=com.oracle.info.description \
+ value="OpenSSH, a suite of tools that help secure network connections"
+set name=com.oracle.info.tpno value=$(TPNO)
+set name=info.classification \
+ value=org.opensolaris.category.2008:Applications/Internet \
+ value=org.opensolaris.category.2008:System/Security
+set name=info.source-url value=$(COMPONENT_ARCHIVE_URL)
+set name=info.upstream-url value=$(COMPONENT_PROJECT_URL)
+set name=org.opensolaris.arc-caseid value=PSARC/2012/335
+set name=org.opensolaris.consolidation value=$(CONSOLIDATION)
+link path=usr/bin/scp target=../lib/openssh/bin/scp mediator=ssh \
+ mediator-implementation=openssh
+link path=usr/bin/sftp target=../lib/openssh/bin/sftp mediator=ssh \
+ mediator-implementation=openssh
+link path=usr/bin/ssh target=../lib/openssh/bin/ssh mediator=ssh \
+ mediator-implementation=openssh
+link path=usr/bin/ssh-add target=../lib/openssh/bin/ssh-add mediator=ssh \
+ mediator-implementation=openssh
+link path=usr/bin/ssh-agent target=../lib/openssh/bin/ssh-agent mediator=ssh \
+ mediator-implementation=openssh
+link path=usr/bin/ssh-keygen target=../lib/openssh/bin/ssh-keygen mediator=ssh \
+ mediator-implementation=openssh
+link path=usr/bin/ssh-keyscan target=../lib/openssh/bin/ssh-keyscan \
+ mediator=ssh mediator-implementation=openssh
+file usr/bin/scp path=usr/lib/openssh/bin/scp mode=0555
+file usr/bin/sftp path=usr/lib/openssh/bin/sftp mode=0555
+file usr/bin/ssh path=usr/lib/openssh/bin/ssh mode=0555
+file usr/bin/ssh-add path=usr/lib/openssh/bin/ssh-add mode=0555
+file usr/bin/ssh-agent path=usr/lib/openssh/bin/ssh-agent mode=2555
+file usr/bin/ssh-keygen path=usr/lib/openssh/bin/ssh-keygen mode=0555
+file usr/bin/ssh-keyscan path=usr/lib/openssh/bin/ssh-keyscan mode=0555
+file usr/lib/ssh/sftp-server path=usr/lib/openssh/lib/sftp-server mode=0555
+file usr/lib/ssh/ssh-keysign path=usr/lib/openssh/lib/ssh-keysign mode=4555
+file usr/lib/ssh/ssh-pkcs11-helper path=usr/lib/openssh/lib/ssh-pkcs11-helper \
+ mode=0555
+file usr/lib/ssh/sshd path=usr/lib/openssh/lib/sshd mode=0555
+link path=usr/lib/ssh/sftp-server target=../openssh/lib/sftp-server \
+ mediator=ssh mediator-implementation=openssh
+link path=usr/lib/ssh/ssh-keysign target=../openssh/lib/ssh-keysign \
+ mediator=ssh mediator-implementation=openssh
+link path=usr/lib/ssh/ssh-pkcs11-helper \
+ target=../openssh/lib/ssh-pkcs11-helper mediator=ssh \
+ mediator-implementation=openssh
+link path=usr/lib/ssh/sshd target=../openssh/lib/sshd mediator=ssh \
+ mediator-implementation=openssh restart_fmri=svc:/network/ssh:default
+link path=usr/share/man/man1/scp.1 target=./scp.openssh.1 mediator=ssh \
+ mediator-implementation=openssh
+file usr/share/man/man1/scp.1 path=usr/share/man/man1/scp.openssh.1 mode=0444
+link path=usr/share/man/man1/sftp.1 target=./sftp.openssh.1 mediator=ssh \
+ mediator-implementation=openssh
+file usr/share/man/man1/sftp.1 path=usr/share/man/man1/sftp.openssh.1 mode=0444
+link path=usr/share/man/man1/ssh-add.1 target=./ssh-add.openssh.1 mediator=ssh \
+ mediator-implementation=openssh
+file usr/share/man/man1/ssh-add.1 path=usr/share/man/man1/ssh-add.openssh.1 \
+ mode=0444
+link path=usr/share/man/man1/ssh-agent.1 target=./ssh-agent.openssh.1 \
+ mediator=ssh mediator-implementation=openssh
+file usr/share/man/man1/ssh-agent.1 \
+ path=usr/share/man/man1/ssh-agent.openssh.1 mode=0444
+link path=usr/share/man/man1/ssh-keygen.1 target=./ssh-keygen.openssh.1 \
+ mediator=ssh mediator-implementation=openssh
+file usr/share/man/man1/ssh-keygen.1 \
+ path=usr/share/man/man1/ssh-keygen.openssh.1 mode=0444
+link path=usr/share/man/man1/ssh-keyscan.1 target=./ssh-keyscan.openssh.1 \
+ mediator=ssh mediator-implementation=openssh
+file usr/share/man/man1/ssh-keyscan.1 \
+ path=usr/share/man/man1/ssh-keyscan.openssh.1 mode=0444
+link path=usr/share/man/man1/ssh.1 target=./ssh.openssh.1 mediator=ssh \
+ mediator-implementation=openssh
+file usr/share/man/man1/ssh.1 path=usr/share/man/man1/ssh.openssh.1 mode=0444
+link path=usr/share/man/man1m/sftp-server.1m target=./sftp-server.openssh.1m \
+ mediator=ssh mediator-implementation=openssh
+file usr/share/man/man8/sftp-server.8 \
+ path=usr/share/man/man1m/sftp-server.openssh.1m
+link path=usr/share/man/man1m/ssh-keysign.1m target=./ssh-keysign.openssh.1m \
+ mediator=ssh mediator-implementation=openssh
+file usr/share/man/man8/ssh-keysign.8 \
+ path=usr/share/man/man1m/ssh-keysign.openssh.1m
+link path=usr/share/man/man1m/ssh-pkcs11-helper.1m \
+ target=./ssh-pkcs11-helper.openssh.1m mediator=ssh \
+ mediator-implementation=openssh
+file usr/share/man/man8/ssh-pkcs11-helper.8 \
+ path=usr/share/man/man1m/ssh-pkcs11-helper.openssh.1m
+link path=usr/share/man/man1m/sshd.1m target=./sshd.openssh.1m mediator=ssh \
+ mediator-implementation=openssh
+file usr/share/man/man8/sshd.8 path=usr/share/man/man1m/sshd.openssh.1m
+link path=usr/share/man/man4/moduli.4 target=./moduli.openssh.4 mediator=ssh \
+ mediator-implementation=openssh
+file usr/share/man/man5/moduli.5 path=usr/share/man/man4/moduli.openssh.4
+link path=usr/share/man/man4/ssh_config.4 target=./ssh_config.openssh.4 \
+ mediator=ssh mediator-implementation=openssh
+file usr/share/man/man5/ssh_config.5 \
+ path=usr/share/man/man4/ssh_config.openssh.4
+link path=usr/share/man/man4/sshd_config.4 target=./sshd_config.openssh.4 \
+ mediator=ssh mediator-implementation=openssh
+file usr/share/man/man5/sshd_config.5 \
+ path=usr/share/man/man4/sshd_config.openssh.4
+dir path=var/empty owner=root group=sys mode=0755 sysattr=readonly
+group groupname=sshd gid=22
+user username=sshd ftpuser=false gcos-field="sshd privsep" group=sshd \
+ home-dir=/var/empty login-shell=/bin/false uid=22
+license openssh.license license="BSD, BSD-like"
+depend type=require fmri=service/network/ssh-common
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/001-skip_config_check.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,27 @@
+#
+# This change is to remove some misleading error messages when running
+# "gmake install". OpenSSH mixes the building and running together. Some
+# system setup checking for running the program needs to be removed, because
+# they are not suitable in a build system. This is for Solaris only, so we
+# will not contribute back this change to the upstream community.
+#
+--- orig/Makefile.in Wed Mar 27 16:56:36 2013
++++ new/Makefile.in Wed Mar 27 17:05:06 2013
+@@ -237,7 +237,16 @@
+ install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
+
+ check-config:
+- -$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
++# On Solaris, to workaround OpenSSH's unlucky mixing of 'building ssh' and
++# 'running ssh', on build machine the following requisites shouldn't be
++# enforced:
++# 1) existence of privsep user sshd
++# 2) existence of privsep directory /var/empty
++# 3) read permissions for /etc/ssh/ssh_host_[rsa,dsa]_key
++#
++# -$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
++#
++ @echo 'Oracle Solaris: skipping check-config'
+
+ install-files:
+ $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/002-pam_support.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,42 @@
+#
+# To comply to the Solaris PAM policy, the UsePAM option is changed to be
+# always on and not configurable on Solaris. This is for Solaris only, so we
+# will not contribute the changes to the upstream community.
+#
+*** orig/servconf.c Mon Dec 5 17:23:03 2011
+--- new/servconf.c Wed Dec 7 13:41:04 2011
+***************
+*** 145,151 ****
+--- 145,156 ----
+ {
+ /* Portable-specific options */
+ if (options->use_pam == -1)
++ #ifdef SET_USE_PAM
++ /* use_pam should be always set to 1 on Solaris */
++ options->use_pam = 1;
++ #else
+ options->use_pam = 0;
++ #endif
+
+ /* Standard Options */
+ if (options->protocol == SSH_PROTO_UNKNOWN)
+***************
+*** 755,762 ****
+--- 760,776 ----
+ switch (opcode) {
+ /* Portable-specific options */
+ case sUsePAM:
++ #ifdef SET_USE_PAM
++ /* UsePAM is always on and not configurable on Solaris */
++ logit("%s line %d: ignoring UsePAM option value."
++ " This option is always on.", filename, linenum);
++ while (arg)
++ arg = strdelim(&cp);
++ break;
++ #else
+ intptr = &options->use_pam;
+ goto parse_flag;
++ #endif
+
+ /* Standard Options */
+ case sBadOption:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/003-last_login.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,69 @@
+# The man page change here is Solaris-specific and thus is not being
+# contributed back to the upstream community. The servconf.c change
+# was developed in-house and has been submitted upstream to OpenSSH for
+# their consideration:
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2278
+#
+# OpenSSH normally updates lastlog when users login and reads lastlog to
+# determine the last login time of the user however on Solaris the
+# pam_unix_session(5) module handles both of these tasks so we compile
+# OpenSSH with --disable-lastlog to disable all lastlog references.
+# This means the sshd_config option of PrintLastLog is now ignored and
+# can't be changed so we update sshd's configuration parsing to flag
+# this as unsupported and update the man page here.
+#
+*** old/servconf.c Wed Sep 17 02:54:26 2014
+--- new/servconf.c Wed Sep 17 02:56:55 2014
+***************
+*** 432,438 ****
+--- 432,442 ----
+ { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
+ { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
+ { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
++ #ifdef DISABLE_LASTLOG
++ { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
++ #else
+ { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
++ #endif
+ { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
+ { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
+ { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
+*** old/sshd_config.5 Tue Sep 16 06:24:13 2014
+--- new/sshd_config.5 Tue Sep 16 06:47:47 2014
+***************
+*** 1008,1015 ****
+ .Xr sshd 1M
+ should print the date and time of the last user login when a user logs
+ in interactively.
+! The default is
+! .Dq yes .
+ .It Cm PrintMotd
+ Specifies whether
+ .Xr sshd 1M
+--- 1008,1015 ----
+ .Xr sshd 1M
+ should print the date and time of the last user login when a user logs
+ in interactively.
+! On Solaris this option is always ignored since pam_unix_session(5)
+! reports the last login time.
+ .It Cm PrintMotd
+ Specifies whether
+ .Xr sshd 1M
+***************
+*** 1349,1355 ****
+ (though not necessary) that it be world-readable.
+ .El
+ .Sh SEE ALSO
+! .Xr sshd 8
+ .Sh AUTHORS
+ OpenSSH is a derivative of the original and free
+ ssh 1.2.12 release by Tatu Ylonen.
+--- 1349,1356 ----
+ (though not necessary) that it be world-readable.
+ .El
+ .Sh SEE ALSO
+! .Xr sshd 8 ,
+! .Xr pam_unix_session 5
+ .Sh AUTHORS
+ OpenSSH is a derivative of the original and free
+ ssh 1.2.12 release by Tatu Ylonen.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/005-openssh_krb5_build_fix.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,102 @@
+#
+# This is to work around an unresloved symbol problem with the Kerberos
+# build option. Unlike MIT Kerberos, the gss_krb5_copy_ccache() function
+# is not supported on Solaris, because it violates API abstraction. This
+# workaround disables delegated credentials storing on server side.
+#
+# The long term goal is to replace Solaris Kerberos libraries with MIT Kerberos
+# delivered from Userland gate (The Solaris MIT Kerberos Drop in Project).
+# After that, function gss_krb5_copy_ccache() will be available in Solaris and
+# the delegating credentials functionality will be made available using the
+# upstream code.
+#
+--- orig/auth2-gss.c Fri Mar 21 10:41:03 2014
++++ new/auth2-gss.c Fri Mar 21 11:13:57 2014
+@@ -47,6 +47,10 @@
+
+ extern ServerOptions options;
+
++#ifdef KRB5_BUILD_FIX
++ extern gss_OID_set g_supported;
++#endif
++
+ static void input_gssapi_token(int type, u_int32_t plen, void *ctxt);
+ static void input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
+ static void input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
+@@ -77,7 +81,13 @@
+ return (0);
+ }
+
++#ifdef KRB5_BUILD_FIX
++ /* use value obtained in privileged parent */
++ supported = g_supported;
++#else
+ ssh_gssapi_supported_oids(&supported);
++#endif
++
+ do {
+ mechs--;
+
+--- orig/configure Fri Mar 21 10:41:03 2014
++++ new/configure Fri Mar 21 11:02:11 2014
+@@ -16634,6 +16634,12 @@
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+ $as_echo "no" >&6; }
+ fi
++
++ # Oracle Solaris
++ # OpenSSH is mixed-up gssapi AND krb5 aplication
++ K5CFLAGS="$K5CFLAGS `$KRB5CONF --cflags krb5`"
++ K5LIBS="$K5LIBS `$KRB5CONF --libs krb5`"
++
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using Heimdal" >&5
+ $as_echo_n "checking whether we are using Heimdal... " >&6; }
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+--- orig/sshd.c Fri Mar 21 10:41:03 2014
++++ new/sshd.c Fri Mar 21 11:09:30 2014
+@@ -259,6 +259,11 @@
+ /* Unprivileged user */
+ struct passwd *privsep_pw = NULL;
+
++#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
++/* Temporary storing supported GSS mechs */
++gss_OID_set g_supported;
++#endif
++
+ /* Prototypes for various functions defined later in this file. */
+ void destroy_sensitive_data(void);
+ void demote_sensitive_data(void);
+@@ -1407,6 +1412,10 @@
+ av = saved_argv;
+ #endif
+
++#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
++ OM_uint32 ms;
++#endif
++
+ if (geteuid() == 0 && setgroups(0, NULL) == -1)
+ debug("setgroups(): %.200s", strerror(errno));
+
+@@ -2083,6 +2092,11 @@
+ buffer_init(&loginmsg);
+ auth_debug_reset();
+
++#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
++ /* collect gss mechs for later use in privsep child */
++ ssh_gssapi_supported_oids(&g_supported);
++#endif
++
+ if (use_privsep) {
+ if (privsep_preauth(authctxt) == 1)
+ goto authenticated;
+@@ -2120,6 +2134,10 @@
+ startup_pipe = -1;
+ }
+
++#if defined(KRB5_BUILD_FIX) && defined(GSSAPI)
++ gss_release_oid_set(&ms, &g_supported);
++#endif
++
+ #ifdef SSH_AUDIT_EVENTS
+ audit_event(SSH_AUTH_SUCCESS);
+ #endif
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/007-manpages.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,688 @@
+# This change is Solaris-specific and thus is not being contributed back
+# to the upstream community. Details:
+#
+# OpenSSH uses the BSD/Linux man page scheme which is different from the SysV
+# man page scheme used in Solaris. In order to comply to the Solaris man page
+# policy and also use the IPS mediator to switch between SunSSH and OpenSSH man
+# pages, the section numbers of some OpenSSH man pages are changed to be the
+# same as their corresponding ones in SunSSH.
+#
+--- orig/moduli.5 Thu Feb 6 10:00:17 2014
++++ new/moduli.5 Thu Feb 6 10:08:07 2014
+@@ -14,7 +14,7 @@
+ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ .Dd $Mdocdate: September 26 2012 $
+-.Dt MODULI 5
++.Dt MODULI 4
+ .Os
+ .Sh NAME
+ .Nm moduli
+@@ -23,7 +23,7 @@
+ The
+ .Pa /etc/moduli
+ file contains prime numbers and generators for use by
+-.Xr sshd 8
++.Xr sshd 1M
+ in the Diffie-Hellman Group Exchange key exchange method.
+ .Pp
+ New moduli may be generated with
+@@ -40,7 +40,7 @@
+ .Ic ssh-keygen -T ,
+ provides a high degree of assurance that the numbers are prime and are
+ safe for use in Diffie-Hellman operations by
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ This
+ .Nm
+ format is used as the output from each pass.
+@@ -70,7 +70,7 @@
+ Further primality testing with
+ .Xr ssh-keygen 1
+ produces safe prime moduli (type 2) that are ready for use in
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ Other types are not used by OpenSSH.
+ .It tests
+ Decimal number indicating the type of primality tests that the number
+@@ -105,16 +105,16 @@
+ .El
+ .Pp
+ When performing Diffie-Hellman Group Exchange,
+-.Xr sshd 8
++.Xr sshd 1M
+ first estimates the size of the modulus required to produce enough
+ Diffie-Hellman output to sufficiently key the selected symmetric cipher.
+-.Xr sshd 8
++.Xr sshd 1M
+ then randomly selects a modulus from
+ .Fa /etc/moduli
+ that best meets the size requirement.
+ .Sh SEE ALSO
+ .Xr ssh-keygen 1 ,
+-.Xr sshd 8
++.Xr sshd 1M
+ .Sh STANDARDS
+ .Rs
+ .%A M. Friedl
+--- orig/sftp-server.8 Thu Feb 6 10:01:20 2014
++++ new/sftp-server.8 Thu Feb 6 10:09:59 2014
+@@ -23,7 +23,7 @@
+ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ .\"
+ .Dd $Mdocdate: October 14 2013 $
+-.Dt SFTP-SERVER 8
++.Dt SFTP-SERVER 1M
+ .Os
+ .Sh NAME
+ .Nm sftp-server
+@@ -47,7 +47,7 @@
+ to stdout and expects client requests from stdin.
+ .Nm
+ is not intended to be called directly, but from
+-.Xr sshd 8
++.Xr sshd 1M
+ using the
+ .Cm Subsystem
+ option.
+@@ -58,7 +58,7 @@
+ .Cm Subsystem
+ declaration.
+ See
+-.Xr sshd_config 5
++.Xr sshd_config 4
+ for more information.
+ .Pp
+ Valid options are:
+@@ -71,7 +71,7 @@
+ and %u is replaced by the username of that user.
+ The default is to use the user's home directory.
+ This option is useful in conjunction with the
+-.Xr sshd_config 5
++.Xr sshd_config 4
+ .Cm ChrootDirectory
+ option.
+ .It Fl e
+@@ -152,8 +152,8 @@
+ .Sh SEE ALSO
+ .Xr sftp 1 ,
+ .Xr ssh 1 ,
+-.Xr sshd_config 5 ,
+-.Xr sshd 8
++.Xr sshd_config 4 ,
++.Xr sshd 1M
+ .Rs
+ .%A T. Ylonen
+ .%A S. Lehtinen
+--- orig/ssh_config.5 Thu Feb 6 10:01:20 2014
++++ new/ssh_config.5 Thu Mar 27 16:37:50 2014
+@@ -35,7 +35,7 @@
+ .\"
+ .\" $OpenBSD: ssh_config.5,v 1.184 2014/01/19 04:48:08 djm Exp $
+ .Dd $Mdocdate: January 19 2014 $
+-.Dt SSH_CONFIG 5
++.Dt SSH_CONFIG 4
+ .Os
+ .Sh NAME
+ .Nm ssh_config
+@@ -503,7 +503,7 @@
+ .Dq Fl O No exit
+ option).
+ If set to a time in seconds, or a time in any of the formats documented in
+-.Xr sshd_config 5 ,
++.Xr sshd_config 4 ,
+ then the backgrounded master connection will automatically terminate
+ after it has remained idle (with no client connections) for the
+ specified time.
+@@ -622,7 +622,7 @@
+ Specify a timeout for untrusted X11 forwarding
+ using the format described in the
+ TIME FORMATS section of
+-.Xr sshd_config 5 .
++.Xr sshd_config 4 .
+ X11 connections received by
+ .Xr ssh 1
+ after this time will be refused.
+@@ -689,7 +689,7 @@
+ These hashed names may be used normally by
+ .Xr ssh 1
+ and
+-.Xr sshd 8 ,
++.Xr sshd 1M ,
+ but they do not reveal identifying information should the file's contents
+ be disclosed.
+ The default is
+@@ -1122,7 +1122,7 @@
+ The optional second value is specified in seconds and may use any of the
+ units documented in the
+ TIME FORMATS section of
+-.Xr sshd_config 5 .
++.Xr sshd_config 4 .
+ The default value for
+ .Cm RekeyLimit
+ is
+@@ -1166,7 +1166,7 @@
+ will only succeed if the server's
+ .Cm GatewayPorts
+ option is enabled (see
+-.Xr sshd_config 5 ) .
++.Xr sshd_config 4 ) .
+ .It Cm RequestTTY
+ Specifies whether to request a pseudo-tty for the session.
+ The argument may be one of:
+@@ -1218,7 +1218,7 @@
+ Refer to
+ .Cm AcceptEnv
+ in
+-.Xr sshd_config 5
++.Xr sshd_config 4
+ for how to configure the server.
+ Variables are specified by name, which may contain wildcard characters.
+ Multiple environment variables may be separated by whitespace or spread
+--- orig/ssh-keysign.8 Thu Feb 6 10:01:20 2014
++++ new/ssh-keysign.8 Thu Feb 6 10:13:05 2014
+@@ -23,7 +23,7 @@
+ .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ .\"
+ .Dd $Mdocdate: December 7 2013 $
+-.Dt SSH-KEYSIGN 8
++.Dt SSH-KEYSIGN 1M
+ .Os
+ .Sh NAME
+ .Nm ssh-keysign
+@@ -52,7 +52,7 @@
+ See
+ .Xr ssh 1
+ and
+-.Xr sshd 8
++.Xr sshd 1M
+ for more information about host-based authentication.
+ .Sh FILES
+ .Bl -tag -width Ds -compact
+@@ -83,8 +83,8 @@
+ .Sh SEE ALSO
+ .Xr ssh 1 ,
+ .Xr ssh-keygen 1 ,
+-.Xr ssh_config 5 ,
+-.Xr sshd 8
++.Xr ssh_config 4 ,
++.Xr sshd 1M
+ .Sh HISTORY
+ .Nm
+ first appeared in
+--- orig/ssh-pkcs11-helper.8 Thu Feb 6 10:01:20 2014
++++ new/ssh-pkcs11-helper.8 Thu Feb 6 10:14:40 2014
+@@ -15,7 +15,7 @@
+ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ .\"
+ .Dd $Mdocdate: July 16 2013 $
+-.Dt SSH-PKCS11-HELPER 8
++.Dt SSH-PKCS11-HELPER 1M
+ .Os
+ .Sh NAME
+ .Nm ssh-pkcs11-helper
+--- orig/sshd_config.5 Thu Feb 6 10:01:20 2014
++++ new/sshd_config.5 Thu Feb 6 10:17:21 2014
+@@ -35,7 +35,7 @@
+ .\"
+ .\" $OpenBSD: sshd_config.5,v 1.170 2013/12/08 09:53:27 dtucker Exp $
+ .Dd $Mdocdate: December 8 2013 $
+-.Dt SSHD_CONFIG 5
++.Dt SSHD_CONFIG 4
+ .Os
+ .Sh NAME
+ .Nm sshd_config
+@@ -43,7 +43,7 @@
+ .Sh SYNOPSIS
+ .Nm /etc/ssh/sshd_config
+ .Sh DESCRIPTION
+-.Xr sshd 8
++.Xr sshd 1M
+ reads configuration data from
+ .Pa /etc/ssh/sshd_config
+ (or the file specified with
+@@ -68,7 +68,7 @@
+ See
+ .Cm SendEnv
+ in
+-.Xr ssh_config 5
++.Xr ssh_config 4
+ for how to configure the client.
+ Note that environment passing is only supported for protocol 2.
+ Variables are specified by name, which may contain the wildcard characters
+@@ -85,7 +85,7 @@
+ The default is not to accept any environment variables.
+ .It Cm AddressFamily
+ Specifies which address family should be used by
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ Valid arguments are
+ .Dq any ,
+ .Dq inet
+@@ -118,7 +118,7 @@
+ .Cm AllowGroups .
+ .Pp
+ See PATTERNS in
+-.Xr ssh_config 5
++.Xr ssh_config 4
+ for more information on patterns.
+ .It Cm AllowTcpForwarding
+ Specifies whether TCP forwarding is permitted.
+@@ -158,7 +158,7 @@
+ .Cm AllowGroups .
+ .Pp
+ See PATTERNS in
+-.Xr ssh_config 5
++.Xr ssh_config 4
+ for more information on patterns.
+ .It Cm AuthenticationMethods
+ Specifies the authentication methods that must be successfully completed
+@@ -202,7 +202,7 @@
+ It will be invoked with a single argument of the username
+ being authenticated, and should produce on standard output zero or
+ more lines of authorized_keys output (see AUTHORIZED_KEYS in
+-.Xr sshd 8 ) .
++.Xr sshd 1M ) .
+ If a key supplied by AuthorizedKeysCommand does not successfully authenticate
+ and authorize the user then public key authentication continues using the usual
+ .Cm AuthorizedKeysFile
+@@ -218,7 +218,7 @@
+ The format is described in the
+ AUTHORIZED_KEYS FILE FORMAT
+ section of
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ .Cm AuthorizedKeysFile
+ may contain tokens of the form %T which are substituted during connection
+ setup.
+@@ -241,7 +241,7 @@
+ to be accepted for authentication.
+ Names are listed one per line preceded by key options (as described
+ in AUTHORIZED_KEYS FILE FORMAT in
+-.Xr sshd 8 ) .
++.Xr sshd 1M ) .
+ Empty lines and comments starting with
+ .Ql #
+ are ignored.
+@@ -271,7 +271,7 @@
+ though the
+ .Cm principals=
+ key option offers a similar facility (see
+-.Xr sshd 8
++.Xr sshd 1M
+ for details).
+ .It Cm Banner
+ The contents of the specified file are sent to the remote user before
+@@ -294,7 +294,7 @@
+ All components of the pathname must be root-owned directories that are
+ not writable by any other user or group.
+ After the chroot,
+-.Xr sshd 8
++.Xr sshd 1M
+ changes the working directory to the user's home directory.
+ .Pp
+ The pathname may contain the following tokens that are expanded at runtime once
+@@ -370,7 +370,7 @@
+ .It Cm ClientAliveCountMax
+ Sets the number of client alive messages (see below) which may be
+ sent without
+-.Xr sshd 8
++.Xr sshd 1M
+ receiving any messages back from the client.
+ If this threshold is reached while client alive messages are being sent,
+ sshd will disconnect the client, terminating the session.
+@@ -397,7 +397,7 @@
+ .It Cm ClientAliveInterval
+ Sets a timeout interval in seconds after which if no data has been received
+ from the client,
+-.Xr sshd 8
++.Xr sshd 1M
+ will send a message through the encrypted
+ channel to request a response from the client.
+ The default
+@@ -428,7 +428,7 @@
+ .Cm AllowGroups .
+ .Pp
+ See PATTERNS in
+-.Xr ssh_config 5
++.Xr ssh_config 4
+ for more information on patterns.
+ .It Cm DenyUsers
+ This keyword can be followed by a list of user name patterns, separated
+@@ -447,7 +447,7 @@
+ .Cm AllowGroups .
+ .Pp
+ See PATTERNS in
+-.Xr ssh_config 5
++.Xr ssh_config 4
+ for more information on patterns.
+ .It Cm ForceCommand
+ Forces the execution of the command specified by
+@@ -472,7 +472,7 @@
+ Specifies whether remote hosts are allowed to connect to ports
+ forwarded for the client.
+ By default,
+-.Xr sshd 8
++.Xr sshd 1M
+ binds remote port forwardings to the loopback address.
+ This prevents other remote hosts from connecting to forwarded ports.
+ .Cm GatewayPorts
+@@ -520,7 +520,7 @@
+ A setting of
+ .Dq yes
+ means that
+-.Xr sshd 8
++.Xr sshd 1M
+ uses the name supplied by the client rather than
+ attempting to resolve the name from the TCP connection itself.
+ The default is
+@@ -531,7 +531,7 @@
+ by
+ .Cm HostKey .
+ The default behaviour of
+-.Xr sshd 8
++.Xr sshd 1M
+ is not to load any certificates.
+ .It Cm HostKey
+ Specifies a file containing a private host key
+@@ -546,7 +546,7 @@
+ .Pa /etc/ssh/ssh_host_rsa_key
+ for protocol version 2.
+ Note that
+-.Xr sshd 8
++.Xr sshd 1M
+ will refuse to use a file if it is group/world-accessible.
+ It is possible to have multiple host key files.
+ .Dq rsa1
+@@ -587,7 +587,7 @@
+ .Dq yes .
+ .It Cm IgnoreUserKnownHosts
+ Specifies whether
+-.Xr sshd 8
++.Xr sshd 1M
+ should ignore the user's
+ .Pa ~/.ssh/known_hosts
+ during
+@@ -681,7 +681,7 @@
+ The default is 3600 (seconds).
+ .It Cm ListenAddress
+ Specifies the local addresses
+-.Xr sshd 8
++.Xr sshd 1M
+ should listen on.
+ The following forms may be used:
+ .Pp
+@@ -724,7 +724,7 @@
+ The default is 120 seconds.
+ .It Cm LogLevel
+ Gives the verbosity level that is used when logging messages from
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ The possible values are:
+ QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBUG2, and DEBUG3.
+ The default is INFO.
+@@ -776,7 +776,7 @@
+ The match patterns may consist of single entries or comma-separated
+ lists and may use the wildcard and negation operators described in the
+ PATTERNS section of
+-.Xr ssh_config 5 .
++.Xr ssh_config 4 .
+ .Pp
+ The patterns in an
+ .Cm Address
+@@ -856,7 +856,7 @@
+ the three colon separated values
+ .Dq start:rate:full
+ (e.g. "10:30:60").
+-.Xr sshd 8
++.Xr sshd 1M
+ will refuse connection attempts with a probability of
+ .Dq rate/100
+ (30%)
+@@ -969,7 +969,7 @@
+ options in
+ .Pa ~/.ssh/authorized_keys
+ are processed by
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ The default is
+ .Dq no .
+ Enabling environment processing may enable users to bypass access
+@@ -982,7 +982,7 @@
+ .Pa /var/run/sshd.pid .
+ .It Cm Port
+ Specifies the port number that
+-.Xr sshd 8
++.Xr sshd 1M
+ listens on.
+ The default is 22.
+ Multiple options of this type are permitted.
+@@ -990,7 +990,7 @@
+ .Cm ListenAddress .
+ .It Cm PrintLastLog
+ Specifies whether
+-.Xr sshd 8
++.Xr sshd 1M
+ should print the date and time of the last user login when a user logs
+ in interactively.
+ The default is
+@@ -997,7 +997,7 @@
+ .Dq yes .
+ .It Cm PrintMotd
+ Specifies whether
+-.Xr sshd 8
++.Xr sshd 1M
+ should print
+ .Pa /etc/motd
+ when a user logs in interactively.
+@@ -1008,7 +1008,7 @@
+ .Dq yes .
+ .It Cm Protocol
+ Specifies the protocol versions
+-.Xr sshd 8
++.Xr sshd 1M
+ supports.
+ The possible values are
+ .Sq 1
+@@ -1081,7 +1081,7 @@
+ The minimum value is 512, and the default is 1024.
+ .It Cm StrictModes
+ Specifies whether
+-.Xr sshd 8
++.Xr sshd 1M
+ should check file modes and ownership of the
+ user's files and home directory before accepting login.
+ This is normally desirable because novices sometimes accidentally leave their
+@@ -1115,7 +1115,7 @@
+ Note that this option applies to protocol version 2 only.
+ .It Cm SyslogFacility
+ Gives the facility code that is used when logging messages from
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
+ LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
+ The default is AUTH.
+@@ -1156,7 +1156,7 @@
+ .Xr ssh-keygen 1 .
+ .It Cm UseDNS
+ Specifies whether
+-.Xr sshd 8
++.Xr sshd 1M
+ should look up the remote host name and check that
+ the resolved host name for the remote IP address maps back to the
+ very same IP address.
+@@ -1201,13 +1201,13 @@
+ If
+ .Cm UsePAM
+ is enabled, you will not be able to run
+-.Xr sshd 8
++.Xr sshd 1M
+ as a non-root user.
+ The default is
+ .Dq no .
+ .It Cm UsePrivilegeSeparation
+ Specifies whether
+-.Xr sshd 8
++.Xr sshd 1M
+ separates privileges by creating an unprivileged child process
+ to deal with incoming network traffic.
+ After successful authentication, another process will be created that has
+@@ -1229,7 +1229,7 @@
+ .Dq none .
+ .It Cm X11DisplayOffset
+ Specifies the first display number available for
+-.Xr sshd 8 Ns 's
++.Xr sshd 1M Ns 's
+ X11 forwarding.
+ This prevents sshd from interfering with real X11 servers.
+ The default is 10.
+@@ -1244,7 +1244,7 @@
+ .Pp
+ When X11 forwarding is enabled, there may be additional exposure to
+ the server and to client displays if the
+-.Xr sshd 8
++.Xr sshd 1M
+ proxy display is configured to listen on the wildcard address (see
+ .Cm X11UseLocalhost
+ below), though this is not the default.
+@@ -1255,7 +1255,7 @@
+ forwarding (see the warnings for
+ .Cm ForwardX11
+ in
+-.Xr ssh_config 5 ) .
++.Xr ssh_config 4 ) .
+ A system administrator may have a stance in which they want to
+ protect clients that may expose themselves to attack by unwittingly
+ requesting X11 forwarding, which can warrant a
+@@ -1269,7 +1269,7 @@
+ is enabled.
+ .It Cm X11UseLocalhost
+ Specifies whether
+-.Xr sshd 8
++.Xr sshd 1M
+ should bind the X11 forwarding server to the loopback address or to
+ the wildcard address.
+ By default,
+@@ -1300,7 +1300,7 @@
+ .Pa /usr/X11R6/bin/xauth .
+ .El
+ .Sh TIME FORMATS
+-.Xr sshd 8
++.Xr sshd 1M
+ command-line arguments and configuration file options that specify time
+ may be expressed using a sequence of the form:
+ .Sm off
+@@ -1344,12 +1344,12 @@
+ .Bl -tag -width Ds
+ .It Pa /etc/ssh/sshd_config
+ Contains configuration data for
+-.Xr sshd 8 .
++.Xr sshd 1M .
+ This file should be writable by root only, but it is recommended
+ (though not necessary) that it be world-readable.
+ .El
+ .Sh SEE ALSO
+-.Xr sshd 8 ,
++.Xr sshd 1M ,
+ .Xr pam_unix_session 5
+ .Sh AUTHORS
+ OpenSSH is a derivative of the original and free
+ ssh 1.2.12 release by Tatu Ylonen.
+--- orig/sshd.8 Thu Feb 6 10:01:20 2014
++++ new/sshd.8 Thu Feb 6 10:22:35 2014
+@@ -35,7 +35,7 @@
+ .\"
+ .\" $OpenBSD: sshd.8,v 1.273 2013/12/07 11:58:46 naddy Exp $
+ .Dd $Mdocdate: December 7 2013 $
+-.Dt SSHD 8
++.Dt SSHD 1M
+ .Os
+ .Sh NAME
+ .Nm sshd
+@@ -80,7 +80,7 @@
+ .Nm
+ can be configured using command-line options or a configuration file
+ (by default
+-.Xr sshd_config 5 ) ;
++.Xr sshd_config 4 ) ;
+ command-line options override values specified in the
+ configuration file.
+ .Nm
+@@ -210,7 +210,7 @@
+ This is useful for specifying options for which there is no separate
+ command-line flag.
+ For full details of the options, and their values, see
+-.Xr sshd_config 5 .
++.Xr sshd_config 4 .
+ .It Fl p Ar port
+ Specifies the port on which the server listens for connections
+ (default 22).
+@@ -280,7 +280,7 @@
+ though this can be changed via the
+ .Cm Protocol
+ option in
+-.Xr sshd_config 5 .
++.Xr sshd_config 4 .
+ Protocol 2 supports DSA, ECDSA, ED25519 and RSA keys;
+ protocol 1 only supports RSA keys.
+ For both protocols,
+@@ -405,7 +405,7 @@
+ See the
+ .Cm PermitUserEnvironment
+ option in
+-.Xr sshd_config 5 .
++.Xr sshd_config 4 .
+ .It
+ Changes to user's home directory.
+ .It
+@@ -550,7 +550,7 @@
+ environment variable.
+ Note that this option applies to shell, command or subsystem execution.
+ Also note that this command may be superseded by either a
+-.Xr sshd_config 5
++.Xr sshd_config 4
+ .Cm ForceCommand
+ directive or a command embedded in a certificate.
+ .It Cm environment="NAME=value"
+@@ -571,7 +571,7 @@
+ name of the remote host or its IP address must be present in the
+ comma-separated list of patterns.
+ See PATTERNS in
+-.Xr ssh_config 5
++.Xr ssh_config 4
+ for more information on patterns.
+ .Pp
+ In addition to the wildcard matching that may be applied to hostnames or
+@@ -865,7 +865,7 @@
+ .It Pa /etc/moduli
+ Contains Diffie-Hellman groups used for the "Diffie-Hellman Group Exchange".
+ The file format is described in
+-.Xr moduli 5 .
++.Xr moduli 4 .
+ .Pp
+ .It Pa /etc/motd
+ See
+@@ -926,7 +926,7 @@
+ Contains configuration data for
+ .Nm sshd .
+ The file format and configuration options are described in
+-.Xr sshd_config 5 .
++.Xr sshd_config 4 .
+ .Pp
+ .It Pa /etc/ssh/sshrc
+ Similar to
+@@ -962,10 +962,10 @@
+ .Xr chroot 2 ,
+ .Xr hosts_access 5 ,
+ .Xr login.conf 5 ,
+-.Xr moduli 5 ,
+-.Xr sshd_config 5 ,
+-.Xr inetd 8 ,
+-.Xr sftp-server 8
++.Xr moduli 4 ,
++.Xr sshd_config 4 ,
++.Xr inetd 1M ,
++.Xr sftp-server 1M
+ .Sh AUTHORS
+ OpenSSH is a derivative of the original and free
+ ssh 1.2.12 release by Tatu Ylonen.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/008-deprecate_sunssh_opt.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,36 @@
+#
+# To make the transition from SunSSH to OpenSSH as smooth as possible, we
+# added SunSSH-only options as deprecated options in OpenSSH. Note that this
+# is an interim enhancement to OpenSSH to make the transition smoother. If a
+# deprecated SunSSH-only option is migrated to OpenSSH later, then it will be
+# changed from deprecated to supported. Since this is for Solaris only, we will
+# not contribute back this change to the upstream community.
+#
+--- orig/readconf.c Fri May 23 09:56:00 2014
++++ new/readconf.c Fri May 23 09:59:57 2014
+@@ -268,6 +268,25 @@
+ { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
+ { "ignoreunknown", oIgnoreUnknown },
+
++#ifdef DEPRECATE_SUNSSH_OPT
++ /*
++ * On Solaris, to make the transition from SunSSH to OpenSSH as smooth
++ * as possible, we will deprecate SunSSH-only options in OpenSSH.
++ * Therefore, on a system that is running OpenSSH with a deprecated
++ * option from the user's config file (~/.ssh/config), the ssh
++ * connection will proceed without the deprecated option. Note that
++ * this is an interim enhancement to OpenSSH to make the transition
++ * smoother. If a deprecated SunSSH-only option is migrated to OpenSSH
++ * later, then it will be changed from deprecated to supported.
++ */
++ { "gssapikeyexchange", oDeprecated },
++ { "kmfpolicydatabase", oDeprecated },
++ { "kmfpolicyname", oDeprecated },
++ { "trustedanchorkeystore", oDeprecated },
++ { "usefips140", oDeprecated },
++ { "useopensslengine", oDeprecated },
++#endif
++
+ { NULL, oBadOption }
+ };
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/010-gss_store_cred.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,198 @@
+#
+# This patch modifies code for storing delegated GSS-API credentials to work
+# with Solaris Kerberos.
+#
+# Default credential cache is used instead of per-session credentials cache
+# because on Solaris gssd cannot use credentials from non-default cred store.
+# A downside of this solution is, that the default credential cache file
+# cannot be deleted upon logout and hence GSSAPICleanupCredentials is
+# unsupported for now.
+#
+# To store the credentials a standardized GSS-API function gss_store_cred() is
+# used instead of gss_krb5_copy_ccache(), because (unlike MIT Kerberos
+# libgssapi_krb5) Solaris Kerberos libgss does not have Kerberos mechanism
+# directly built in the library and this function is not directly accessible.
+#
+# The patch is implemented as Solaris-specific using USE_GSS_STORE_CRED
+# and GSSAPI_STORECREDS_NEEDS_RUID macros.
+#
+--- orig/config.h.in Fri Mar 21 11:42:17 2014
++++ new/config.h.in Fri Mar 21 11:46:26 2014
+@@ -1616,6 +1616,12 @@
+ /* Use btmp to log bad logins */
+ #undef USE_BTMP
+
++/* Store delegated credentials in default cred. store using gss_store_cred */
++#undef USE_GSS_STORE_CRED
++
++/* Set real uid prior to storing delegated credentials */
++#undef GSSAPI_STORECREDS_NEEDS_RUID
++
+ /* Use libedit for sftp */
+ #undef USE_LIBEDIT
+
+--- orig/configure Fri Mar 21 11:42:24 2014
++++ new/configure Fri Mar 21 11:49:51 2014
+@@ -7797,6 +7797,9 @@
+
+ fi
+
++ $as_echo "#define USE_GSS_STORE_CRED 1" >>confdefs.h
++ $as_echo "#define GSSAPI_STORECREDS_NEEDS_RUID 1" >>confdefs.h
++
+ TEST_SHELL=$SHELL # let configure find us a capable shell
+ ;;
+ *-*-sunos4*)
+--- orig/configure.ac Fri Mar 21 11:42:28 2014
++++ new/configure.ac Fri Mar 21 16:32:28 2014
+@@ -866,6 +866,8 @@
+ ],
+ )
+ TEST_SHELL=$SHELL # let configure find us a capable shell
++ AC_DEFINE([USE_GSS_STORE_CRED])
++ AC_DEFINE([GSSAPI_STORECREDS_NEEDS_RUID])
+ ;;
+ *-*-sunos4*)
+ CPPFLAGS="$CPPFLAGS -DSUNOS4"
+--- orig/gss-serv-krb5.c Fri Mar 21 11:42:46 2014
++++ new/gss-serv-krb5.c Fri Mar 21 11:54:48 2014
+@@ -109,7 +109,7 @@
+ return retval;
+ }
+
+-
++#ifndef USE_GSS_STORE_CRED
+ /* This writes out any forwarded credentials from the structure populated
+ * during userauth. Called after we have setuid to the user */
+
+@@ -195,6 +195,7 @@
+
+ return;
+ }
++#endif /* #ifndef USE_GSS_STORE_CRED */
+
+ ssh_gssapi_mech gssapi_kerberos_mech = {
+ "toWM5Slw5Ew8Mqkay+al2g==",
+@@ -203,7 +204,11 @@
+ NULL,
+ &ssh_gssapi_krb5_userok,
+ NULL,
++#ifdef USE_GSS_STORE_CRED
++ NULL
++#else
+ &ssh_gssapi_krb5_storecreds
++#endif
+ };
+
+ #endif /* KRB5 */
+--- orig/gss-serv.c Fri Mar 21 11:42:53 2014
++++ new/gss-serv.c Fri Mar 21 15:59:43 2014
+@@ -292,6 +292,9 @@
+ void
+ ssh_gssapi_cleanup_creds(void)
+ {
++#ifdef USE_GSS_STORE_CRED
++ debug("removing gssapi cred file not implemented");
++#else
+ if (gssapi_client.store.filename != NULL) {
+ /* Unlink probably isn't sufficient */
+ debug("removing gssapi cred file\"%s\"",
+@@ -298,6 +301,7 @@
+ gssapi_client.store.filename);
+ unlink(gssapi_client.store.filename);
+ }
++#endif /* USE_GSS_STORE_CRED */
+ }
+
+ /* As user */
+@@ -304,10 +308,50 @@
+ void
+ ssh_gssapi_storecreds(void)
+ {
++#ifdef USE_GSS_STORE_CRED
++ OM_uint32 maj_status, min_status;
++
++ if (gssapi_client.creds == NULL) {
++ debug("No credentials stored");
++ return;
++ }
++
++ maj_status = gss_store_cred(&min_status, gssapi_client.creds,
++ GSS_C_INITIATE, &gssapi_client.mech->oid, 1, 1, NULL, NULL);
++
++ if (GSS_ERROR(maj_status)) {
++ Buffer b;
++ gss_buffer_desc msg;
++ OM_uint32 lmin;
++ OM_uint32 more = 0;
++ buffer_init(&b);
++ /* GSS-API error */
++ do {
++ gss_display_status(&lmin, maj_status, GSS_C_GSS_CODE,
++ GSS_C_NULL_OID, &more, &msg);
++ buffer_append(&b, msg.value, msg.length);
++ buffer_put_char(&b, '\n');
++ gss_release_buffer(&lmin, &msg);
++ } while (more != 0);
++ /* Mechanism specific error */
++ do {
++ gss_display_status(&lmin, min_status, GSS_C_MECH_CODE,
++ &gssapi_client.mech->oid, &more, &msg);
++ buffer_append(&b, msg.value, msg.length);
++ buffer_put_char(&b, '\n');
++ gss_release_buffer(&lmin, &msg);
++ } while (more != 0);
++ buffer_put_char(&b, '\0');
++ error("GSS-API error while storing delegated credentials: %s",
++ buffer_ptr(&b));
++ buffer_free(&b);
++ }
++#else /* #ifdef USE_GSS_STORE_CRED */
+ if (gssapi_client.mech && gssapi_client.mech->storecreds) {
+ (*gssapi_client.mech->storecreds)(&gssapi_client);
+ } else
+ debug("ssh_gssapi_storecreds: Not a GSSAPI mechanism");
++#endif /* #ifdef USE_GSS_STORE_CRED */
+ }
+
+ /* This allows GSSAPI methods to do things to the childs environment based
+--- orig/servconf.c Fri Mar 21 11:43:02 2014
++++ new/servconf.c Fri Mar 21 16:02:54 2014
+@@ -409,7 +409,11 @@
+ { "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
+ #ifdef GSSAPI
+ { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
++#ifdef USE_GSS_STORE_CRED
++ { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
++#else /* USE_GSS_STORE_CRED */
+ { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
++#endif /* USE_GSS_STORE_CRED */
+ #else
+ { "gssapiauthentication", sUnsupported, SSHCFG_ALL },
+ { "gssapicleanupcredentials", sUnsupported, SSHCFG_GLOBAL },
+--- orig/sshd.c Fri Mar 21 11:43:08 2014
++++ new/sshd.c Mon Mar 24 15:05:30 2014
+@@ -2126,9 +2126,23 @@
+
+ #ifdef GSSAPI
+ if (options.gss_authentication) {
++#ifdef GSSAPI_STORECREDS_NEEDS_RUID
++ if (setreuid(authctxt->pw->pw_uid, -1) != 0) {
++ debug("setreuid %u: %.100s",
++ (u_int) authctxt->pw->pw_uid, strerror(errno));
++ goto bail_storecred;
++ }
++#endif
+ temporarily_use_uid(authctxt->pw);
+ ssh_gssapi_storecreds();
+ restore_uid();
++#ifdef GSSAPI_STORECREDS_NEEDS_RUID
++ if (setuid(geteuid()) != 0) {
++ fatal("setuid %u: %.100s", (u_int) geteuid(),
++ strerror(errno));
++ }
++ bail_storecred: ;
++#endif
+ }
+ #endif
+ #ifdef USE_PAM
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/011-useprivilegedport_regression.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,62 @@
+#
+# This is to fix a regression in OpenSSH6.5p1 for UsePrivilegedPort=yes. The
+# bug fix code came from OpenSSH.org. When we upgrade OpenSSH to version 6.6
+# or later, we will remove this patch file.
+#
+--- orig/sshconnect.c Mon Feb 10 13:56:07 2014
++++ new/sshconnect.c Mon Feb 10 17:10:54 2014
+@@ -269,7 +269,7 @@
+ ssh_create_socket(int privileged, struct addrinfo *ai)
+ {
+ int sock, r, gaierr;
+- struct addrinfo hints, *res;
++ struct addrinfo hints, *res = NULL;
+
+ sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+ if (sock < 0) {
+@@ -282,17 +282,19 @@
+ if (options.bind_address == NULL && !privileged)
+ return sock;
+
+- memset(&hints, 0, sizeof(hints));
+- hints.ai_family = ai->ai_family;
+- hints.ai_socktype = ai->ai_socktype;
+- hints.ai_protocol = ai->ai_protocol;
+- hints.ai_flags = AI_PASSIVE;
+- gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
+- if (gaierr) {
++ if (options.bind_address) {
++ memset(&hints, 0, sizeof(hints));
++ hints.ai_family = ai->ai_family;
++ hints.ai_socktype = ai->ai_socktype;
++ hints.ai_protocol = ai->ai_protocol;
++ hints.ai_flags = AI_PASSIVE;
++ gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
++ if (gaierr) {
+ error("getaddrinfo: %s: %s", options.bind_address,
+ ssh_gai_strerror(gaierr));
+ close(sock);
+ return -1;
++ }
+ }
+ /*
+ * If we are running as root and want to connect to a privileged
+@@ -300,7 +302,7 @@
+ */
+ if (privileged) {
+ PRIV_START;
+- r = bindresvport_sa(sock, res->ai_addr);
++ r = bindresvport_sa(sock, res ? res->ai_addr : NULL);
+ PRIV_END;
+ if (r < 0) {
+ error("bindresvport_sa: af=%d %s", ai->ai_family,
+@@ -317,7 +319,8 @@
+ return -1;
+ }
+ }
+- freeaddrinfo(res);
++ if (res != NULL)
++ freeaddrinfo(res);
+ return sock;
+ }
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/012-acceptenv.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,33 @@
+#
+# This is to fix a security bug (CVE-2014-2532) when using environment passing
+# with a sshd_config(5) AcceptEnv pattern with a wildcard. OpenSSH prior to 6.6
+# could be tricked into accepting any enviornment variable that contains the
+# characters before the wildcard character. The bug fix code came from
+# OpenSSH.org. When we upgrade OpenSSH to version 6.6 or later, we will remove
+# this patch file.
+#
+--- orig/session.c Tue Mar 18 18:37:57 2014
++++ new/session.c Tue Mar 18 18:41:17 2014
+@@ -978,6 +978,11 @@
+ u_int envsize;
+ u_int i, namelen;
+
++ if (strchr(name, '=') != NULL) {
++ error("Invalid environment variable \"%.100s\"", name);
++ return;
++ }
++
+ /*
+ * If we're passed an uninitialized list, allocate a single null
+ * entry before continuing.
+@@ -2225,8 +2230,8 @@
+ char *name, *val;
+ u_int name_len, val_len, i;
+
+- name = packet_get_string(&name_len);
+- val = packet_get_string(&val_len);
++ name = packet_get_cstring(&name_len);
++ val = packet_get_cstring(&val_len);
+ packet_check_eom();
+
+ /* Don't set too many environment variables */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/014-disable_banner.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,163 @@
+#
+# This patch is to add a new DisableBanner option to the ssh client command,
+# which allows the ssh command to disable the display of the banner message.
+# We have contributed back this feature to the OpenSSH upstream community. For
+# more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2242.
+# In the future, if this feature is accepted by the upsteam in a later release,
+# we will remove this patch when we upgrade to that release.
+#
+--- orig/readconf.c Wed May 21 15:04:21 2014
++++ new/readconf.c Wed May 28 11:56:04 2014
+@@ -148,7 +148,11 @@
+ oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
+ oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
+ oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
++#ifdef DISABLE_BANNER
++ oDisableBanner, oIgnoredUnknownOption, oDeprecated, oUnsupported
++#else
+ oIgnoredUnknownOption, oDeprecated, oUnsupported
++#endif
+ } OpCodes;
+
+ /* Textual representations of the tokens. */
+@@ -266,6 +270,9 @@
+ { "canonicalizehostname", oCanonicalizeHostname },
+ { "canonicalizemaxdots", oCanonicalizeMaxDots },
+ { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
++#ifdef DISABLE_BANNER
++ { "disablebanner", oDisableBanner },
++#endif
+ { "ignoreunknown", oIgnoreUnknown },
+
+ { NULL, oBadOption }
+@@ -682,6 +689,17 @@
+ { NULL, -1 }
+ };
+
++#ifdef DISABLE_BANNER
++static const struct multistate multistate_disablebanner[] = {
++ { "true", SSH_DISABLEBANNER_YES },
++ { "false", SSH_DISABLEBANNER_NO },
++ { "yes", SSH_DISABLEBANNER_YES },
++ { "no", SSH_DISABLEBANNER_NO },
++ { "in-exec-mode", SSH_DISABLEBANNER_INEXECMODE },
++ { NULL, -1 }
++};
++#endif
++
+ /*
+ * Processes a single option line as used in the configuration files. This
+ * only sets those values that have not already been set.
+@@ -1392,6 +1410,13 @@
+ intptr = &options->canonicalize_fallback_local;
+ goto parse_flag;
+
++#ifdef DISABLE_BANNER
++ case oDisableBanner:
++ intptr = &options->disable_banner;
++ multistate_ptr = multistate_disablebanner;
++ goto parse_multistate;
++#endif
++
+ case oDeprecated:
+ debug("%s line %d: Deprecated option \"%s\"",
+ filename, linenum, keyword);
+@@ -1554,6 +1579,9 @@
+ options->ip_qos_bulk = -1;
+ options->request_tty = -1;
+ options->proxy_use_fdpass = -1;
++#ifdef DISABLE_BANNER
++ options->disable_banner = -1;
++#endif
+ options->ignored_unknown = NULL;
+ options->num_canonical_domains = 0;
+ options->num_permitted_cnames = 0;
+@@ -1721,6 +1749,12 @@
+ options->canonicalize_fallback_local = 1;
+ if (options->canonicalize_hostname == -1)
+ options->canonicalize_hostname = SSH_CANONICALISE_NO;
++
++#ifdef DISABLE_BANNER
++ if (options->disable_banner == -1)
++ options->disable_banner = 0;
++#endif
++
+ #define CLEAR_ON_NONE(v) \
+ do { \
+ if (v != NULL && strcasecmp(v, "none") == 0) { \
+--- orig/readconf.h Wed May 21 15:04:35 2014
++++ new/readconf.h Wed May 28 11:08:53 2014
+@@ -155,6 +155,9 @@
+ struct allowed_cname permitted_cnames[MAX_CANON_DOMAINS];
+
+ char *ignored_unknown; /* Pattern list of unknown tokens to ignore */
++#ifdef DISABLE_BANNER
++ int disable_banner; /* Disable display of banner */
++#endif
+ } Options;
+
+ #define SSH_CANONICALISE_NO 0
+@@ -175,6 +178,12 @@
+ #define SSHCONF_CHECKPERM 1 /* check permissions on config file */
+ #define SSHCONF_USERCONF 2 /* user provided config file not system */
+
++#ifdef DISABLE_BANNER
++#define SSH_DISABLEBANNER_NO 0
++#define SSH_DISABLEBANNER_YES 1
++#define SSH_DISABLEBANNER_INEXECMODE 2
++#endif
++
+ void initialize_options(Options *);
+ void fill_default_options(Options *);
+ int process_config_line(Options *, struct passwd *, const char *, char *,
+--- orig/ssh_config.5 Thu May 22 15:05:04 2014
++++ new/ssh_config.5 Fri May 23 09:36:52 2014
+@@ -507,6 +507,14 @@
+ then the backgrounded master connection will automatically terminate
+ after it has remained idle (with no client connections) for the
+ specified time.
++.It Cm DisableBanner
++If set to yes, disables the display of the banner message.
++If set to in-exec-mode, disables the display of banner message when in remote
++command mode only.
++.Pp
++The default value is no, which means that the banner is displayed unless the
++log level is QUIET, FATAL, or ERROR. See also the Banner option in
++.Xr sshd_config 4 . This option applies to protocol version 2 only.
+ .It Cm DynamicForward
+ Specifies that a TCP port on the local machine be forwarded
+ over the secure channel, and the application
+--- orig/sshconnect2.c Wed May 21 15:05:27 2014
++++ new/sshconnect2.c Thu May 29 17:33:56 2014
+@@ -82,6 +82,10 @@
+ extern char *server_version_string;
+ extern Options options;
+
++#ifdef DISABLE_BANNER
++extern Buffer command;
++#endif
++
+ /*
+ * SSH2 key exchange
+ */
+@@ -480,7 +484,20 @@
+ debug3("input_userauth_banner");
+ raw = packet_get_string(&len);
+ lang = packet_get_string(NULL);
++
++#ifdef DISABLE_BANNER
++ /*
++ * Banner is a warning message according to RFC 4252. So, never print
++ * a banner in error log level or lower. If the log level is higher,
++ * use DisableBanner option to decide whether to display it or not.
++ */
++ if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO &&
++ (options.disable_banner == SSH_DISABLEBANNER_NO ||
++ (options.disable_banner == SSH_DISABLEBANNER_INEXECMODE &&
++ buffer_len(&command) == 0))) {
++#else
+ if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
++#endif
+ if (len > 65536)
+ len = 65536;
+ msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/015-pam_conversation_fix.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,91 @@
+#
+# This patch contains an important bug fix for the PAM password userauth
+# conversation function. This bug fix was contributed back to the upstream in
+# 2009, but it was not accepted by the upstream. For more information, see
+# https://bugzilla.mindrot.org/show_bug.cgi?id=1681.
+#
+--- orig/auth-pam.c Mon Oct 27 14:40:01 2014
++++ new/auth-pam.c Tue Oct 28 12:40:59 2014
+@@ -1111,11 +1111,13 @@
+ free(env);
+ }
+
++#ifndef PAM_BUGFIX
+ /*
+ * "Blind" conversation function for password authentication. Assumes that
+ * echo-off prompts are for the password and stores messages for later
+ * display.
+ */
++#endif
+ static int
+ sshpam_passwd_conv(int n, sshpam_const struct pam_message **msg,
+ struct pam_response **resp, void *data)
+@@ -1137,6 +1139,17 @@
+ for (i = 0; i < n; ++i) {
+ switch (PAM_MSG_MEMBER(msg, i, msg_style)) {
+ case PAM_PROMPT_ECHO_OFF:
++#ifdef PAM_BUGFIX
++ /*
++ * PAM conversation function for the password userauth
++ * method (non-interactive) really cannot do any
++ * prompting. We set the PAM_AUTHTOK item in
++ * sshpam_auth_passwd()to avoid conversation. If some
++ * modules still try to converse, then the password
++ * userauth will fail.
++ */
++ goto fail;
++#else
+ if (sshpam_password == NULL)
+ goto fail;
+ if ((reply[i].resp = strdup(sshpam_password)) == NULL)
+@@ -1143,6 +1156,7 @@
+ goto fail;
+ reply[i].resp_retcode = PAM_SUCCESS;
+ break;
++#endif
+ case PAM_ERROR_MSG:
+ case PAM_TEXT_INFO:
+ len = strlen(PAM_MSG_MEMBER(msg, i, msg));
+@@ -1178,6 +1192,9 @@
+ int
+ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
+ {
++#ifdef PAM_BUGFIX
++ int set_item_rtn;
++#endif
+ int flags = (options.permit_empty_passwd == 0 ?
+ PAM_DISALLOW_NULL_AUTHTOK : 0);
+
+@@ -1197,6 +1214,15 @@
+ options.permit_root_login != PERMIT_YES))
+ sshpam_password = badpw;
+
++#ifdef PAM_BUGFIX
++ sshpam_err = pam_set_item(sshpam_handle, PAM_AUTHTOK, password);
++ if (sshpam_err != PAM_SUCCESS) {
++ debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
++ pam_strerror(sshpam_handle, sshpam_err));
++ return 0;
++ }
++#endif
++
+ sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
+ (const void *)&passwd_conv);
+ if (sshpam_err != PAM_SUCCESS)
+@@ -1205,6 +1231,16 @@
+
+ sshpam_err = pam_authenticate(sshpam_handle, flags);
+ sshpam_password = NULL;
++
++#ifdef PAM_BUGFIX
++ set_item_rtn = pam_set_item(sshpam_handle, PAM_AUTHTOK, NULL);
++ if (set_item_rtn != PAM_SUCCESS) {
++ debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
++ pam_strerror(sshpam_handle, set_item_rtn));
++ return 0;
++ }
++#endif
++
+ if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
+ debug("PAM: password authentication accepted for %.100s",
+ authctxt->user);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/016-pam_enhancement.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,478 @@
+#
+# This patch contains a couple of PAM enhancements:
+# 1) Each SSHv2 userauth method has its own PAM service name so that PAM can
+# be used to control what userauth methods are allowed.
+# 2) The PAMServiceName and PAMServicePrefix options.
+#
+# We have contributed back this feature to the OpenSSH upstream community.
+# For more information, see https://bugzilla.mindrot.org/show_bug.cgi?id=2246
+# In the future, if these enhancements are accepted by the upsteam in a
+# later release, we will remove this patch when we upgrade to that release.
+#
+--- orig/auth-pam.c Fri Jun 20 15:39:05 2014
++++ new/auth-pam.c Fri Jun 20 16:47:09 2014
+@@ -617,6 +617,72 @@
+ sshpam_handle = NULL;
+ }
+
++#ifdef PAM_ENHANCEMENT
++char *
++derive_pam_service_name(Authctxt *authctxt)
++{
++ char *svcname = xmalloc(BUFSIZ);
++
++ /*
++ * If PamServiceName is set we use that for everything, including
++ * SSHv1
++ */
++ if (options.pam_service_name != NULL) {
++ (void) strlcpy(svcname, options.pam_service_name, BUFSIZ);
++ return (svcname);
++ }
++
++ if (compat20) {
++ char *method_name = authctxt->authmethod_name;
++
++ if (!method_name)
++ fatal("Userauth method unknown while starting PAM");
++
++ /*
++ * For SSHv2 we use "sshd-<userauth name>
++ * The "sshd" prefix can be changed via the PAMServicePrefix
++ * sshd_config option.
++ */
++ if (strcmp(method_name, "none") == 0) {
++ snprintf(svcname, BUFSIZ, "%s-none",
++ options.pam_service_prefix);
++ }
++ if (strcmp(method_name, "password") == 0) {
++ snprintf(svcname, BUFSIZ, "%s-password",
++ options.pam_service_prefix);
++ }
++ if (strcmp(method_name, "keyboard-interactive") == 0) {
++ /* "keyboard-interactive" is too long, shorten it */
++ snprintf(svcname, BUFSIZ, "%s-kbdint",
++ options.pam_service_prefix);
++ }
++ if (strcmp(method_name, "publickey") == 0) {
++ /* "publickey" is too long, shorten it */
++ snprintf(svcname, BUFSIZ, "%s-pubkey",
++ options.pam_service_prefix);
++ }
++ if (strcmp(method_name, "hostbased") == 0) {
++ snprintf(svcname, BUFSIZ, "%s-hostbased",
++ options.pam_service_prefix);
++ }
++ if (strncmp(method_name, "gssapi-", 7) == 0) {
++ /*
++ * Although OpenSSH only supports "gssapi-with-mic"
++ * for now. We will still map any userauth method
++ * prefixed with "gssapi-" to the gssapi PAM service.
++ */
++ snprintf(svcname, BUFSIZ, "%s-gssapi",
++ options.pam_service_prefix);
++ }
++ return svcname;
++ } else {
++ /* SSHv1 doesn't get to be so cool */
++ snprintf(svcname, BUFSIZ, "sshd-v1");
++ }
++ return svcname;
++}
++#endif /* PAM_ENHANCEMENT */
++
+ static int
+ sshpam_init(Authctxt *authctxt)
+ {
+@@ -624,18 +690,61 @@
+ const char *pam_rhost, *pam_user, *user = authctxt->user;
+ const char **ptr_pam_user = &pam_user;
+
++#ifdef PAM_ENHANCEMENT
++ const char *pam_service;
++ const char **ptr_pam_service = &pam_service;
++ char *svc = NULL;
++
++ svc = derive_pam_service_name(authctxt);
++ debug3("PAM service is %s", svc);
++#endif
++
+ if (sshpam_handle != NULL) {
++#ifdef PAM_ENHANCEMENT
++ /* get the pam service name */
++ sshpam_err = pam_get_item(sshpam_handle,
++ PAM_SERVICE, (sshpam_const void **)ptr_pam_service);
++ if (sshpam_err != PAM_SUCCESS)
++ fatal("Failed to get the PAM service name");
++ debug3("Previous pam_service is %s", pam_service ?
++ pam_service : "NULL");
++
++ /* get the pam user name */
++ sshpam_err = pam_get_item(sshpam_handle,
++ PAM_USER, (sshpam_const void **)ptr_pam_user);
++
++ /*
++ * only need to re-start if either user or service is
++ * different.
++ */
++ if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0
++ && strncmp(svc, pam_service, strlen(svc)) == 0) {
++ free(svc);
++ return (0);
++ }
++
++#else /* Original */
+ /* We already have a PAM context; check if the user matches */
+ sshpam_err = pam_get_item(sshpam_handle,
+ PAM_USER, (sshpam_const void **)ptr_pam_user);
+ if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
+ return (0);
++#endif /* PAM_ENHANCEMENT */
+ pam_end(sshpam_handle, sshpam_err);
+ sshpam_handle = NULL;
+ }
+ debug("PAM: initializing for \"%s\"", user);
++
++#ifdef PAM_ENHANCEMENT
++ debug3("Starting PAM service %s for user %s method %s", svc, user,
++ authctxt->authmethod_name);
+ sshpam_err =
++ pam_start(svc, user, &store_conv, &sshpam_handle);
++ free(svc);
++#else /* Original */
++ sshpam_err =
+ pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
++#endif
+ sshpam_authctxt = authctxt;
+
+ if (sshpam_err != PAM_SUCCESS) {
+--- orig/auth.h Fri Jun 20 15:39:05 2014
++++ new/auth.h Fri Jun 20 15:39:05 2014
+@@ -76,6 +76,9 @@
+ #endif
+ Buffer *loginmsg;
+ void *methoddata;
++#ifdef PAM_ENHANCEMENT
++ char *authmethod_name;
++#endif
+ };
+ /*
+ * Every authentication method has to handle authentication requests for
+--- orig/auth2.c Fri Jun 20 15:39:05 2014
++++ new/auth2.c Fri Jun 20 15:39:05 2014
+@@ -249,10 +249,13 @@
+ PRIVSEP(audit_event(SSH_INVALID_USER));
+ #endif
+ }
++
++#ifndef PAM_ENHANCEMENT
+ #ifdef USE_PAM
+ if (options.use_pam)
+ PRIVSEP(start_pam(authctxt));
+ #endif
++#endif
+ setproctitle("%s%s", authctxt->valid ? user : "unknown",
+ use_privsep ? " [net]" : "");
+ authctxt->service = xstrdup(service);
+@@ -286,6 +289,14 @@
+ /* try to authenticate user */
+ m = authmethod_lookup(authctxt, method);
+ if (m != NULL && authctxt->failures < options.max_authtries) {
++
++#ifdef PAM_ENHANCEMENT
++ authctxt->authmethod_name = xstrdup(method);
++ if (use_privsep)
++ mm_inform_authmethod(method);
++ if (options.use_pam)
++ PRIVSEP(start_pam(authctxt));
++#endif
+ debug2("input_userauth_request: try method %s", method);
+ authenticated = m->userauth(authctxt);
+ }
+@@ -303,6 +314,10 @@
+ char *methods;
+ int partial = 0;
+
++#ifdef PAM_ENHANCEMENT
++ debug3("%s: entering", __func__);
++#endif
++
+ if (!authctxt->valid && authenticated)
+ fatal("INTERNAL ERROR: authenticated invalid user %s",
+ authctxt->user);
+@@ -623,5 +638,3 @@
+ fatal("%s: method not in AuthenticationMethods", __func__);
+ return 0;
+ }
+-
+-
+--- orig/monitor_wrap.c Fri Jun 20 15:39:05 2014
++++ new/monitor_wrap.c Fri Jun 20 15:39:05 2014
+@@ -338,6 +338,24 @@
+ buffer_free(&m);
+ }
+
++#ifdef PAM_ENHANCEMENT
++/* Inform the privileged process about the authentication method */
++void
++mm_inform_authmethod(char *authmethod)
++{
++ Buffer m;
++
++ debug3("%s entering", __func__);
++
++ buffer_init(&m);
++ buffer_put_cstring(&m, authmethod);
++
++ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHMETHOD, &m);
++
++ buffer_free(&m);
++}
++#endif
++
+ /* Do the password authentication */
+ int
+ mm_auth_password(Authctxt *authctxt, char *password)
+--- orig/monitor.c Fri Jun 20 15:39:05 2014
++++ new/monitor.c Fri Jun 20 15:39:05 2014
+@@ -146,6 +146,9 @@
+ int mm_answer_pwnamallow(int, Buffer *);
+ int mm_answer_auth2_read_banner(int, Buffer *);
+ int mm_answer_authserv(int, Buffer *);
++#ifdef PAM_ENHANCEMENT
++int mm_answer_authmethod(int, Buffer *);
++#endif
+ int mm_answer_authpassword(int, Buffer *);
+ int mm_answer_bsdauthquery(int, Buffer *);
+ int mm_answer_bsdauthrespond(int, Buffer *);
+@@ -225,10 +228,17 @@
+ {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
+ {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
+ {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
++#ifdef PAM_ENHANCEMENT
++ {MONITOR_REQ_AUTHMETHOD, MON_ISAUTH, mm_answer_authmethod},
++#endif
+ {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
+ {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
+ #ifdef USE_PAM
++#ifdef PAM_ENHANCEMENT
++ {MONITOR_REQ_PAM_START, MON_ISAUTH, mm_answer_pam_start},
++#else
+ {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
++#endif
+ {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
+ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
+ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
+@@ -828,6 +838,10 @@
+ /* Allow service/style information on the auth context */
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
++#ifdef PAM_ENHANCEMENT
++ /* Allow authmethod information on the auth context */
++ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHMETHOD, 1);
++#endif
+ }
+ #ifdef USE_PAM
+ if (options.use_pam)
+@@ -868,7 +882,25 @@
+ return (0);
+ }
+
++#ifdef PAM_ENHANCEMENT
+ int
++mm_answer_authmethod(int sock, Buffer *m)
++{
++ monitor_permit_authentications(1);
++
++ authctxt->authmethod_name = buffer_get_string(m, NULL);
++ debug3("%s: authmethod_name=%s", __func__, authctxt->authmethod_name);
++
++ if (strlen(authctxt->authmethod_name) == 0) {
++ free(authctxt->authmethod_name);
++ authctxt->authmethod_name = NULL;
++ }
++
++ return (0);
++}
++#endif
++
++int
+ mm_answer_authpassword(int sock, Buffer *m)
+ {
+ static int call_count;
+--- orig/monitor.h Fri Jun 20 15:39:05 2014
++++ new/monitor.h Fri Jun 20 15:39:05 2014
+@@ -70,6 +70,9 @@
+ MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
+ MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
+
++#ifdef PAM_ENHANCEMENT
++ MONITOR_REQ_AUTHMETHOD = 114,
++#endif
+ };
+
+ struct mm_master;
+--- orig/servconf.c Fri Jun 20 15:39:05 2014
++++ new/servconf.c Fri Jun 20 15:39:05 2014
+@@ -154,6 +154,10 @@
+ options->ip_qos_interactive = -1;
+ options->ip_qos_bulk = -1;
+ options->version_addendum = NULL;
++#ifdef PAM_ENHANCEMENT
++ options->pam_service_name = NULL;
++ options->pam_service_prefix = NULL;
++#endif
+ }
+
+ void
+@@ -303,6 +307,12 @@
+ options->ip_qos_bulk = IPTOS_THROUGHPUT;
+ if (options->version_addendum == NULL)
+ options->version_addendum = xstrdup("");
++
++#ifdef PAM_ENHANCEMENT
++ if (options->pam_service_prefix == NULL)
++ options->pam_service_prefix = _SSH_PAM_SERVICE_PREFIX;
++#endif
++
+ /* Turn privilege separation on by default */
+ if (use_privsep == -1)
+ use_privsep = PRIVSEP_NOSANDBOX;
+@@ -351,6 +361,9 @@
+ sKexAlgorithms, sIPQoS, sVersionAddendum,
+ sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
+ sAuthenticationMethods, sHostKeyAgent,
++#ifdef PAM_ENHANCEMENT
++ sPAMServicePrefix, sPAMServiceName,
++#endif
+ sDeprecated, sUnsupported
+ } ServerOpCodes;
+
+@@ -482,6 +495,10 @@
+ { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
+ { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
+ { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
++#ifdef PAM_ENHANCEMENT
++ { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
++ { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
++#endif
+ { NULL, sBadOption, 0 }
+ };
+
+@@ -1632,6 +1649,30 @@
+ }
+ return 0;
+
++ case sPAMServicePrefix:
++ arg = strdelim(&cp);
++ if (!arg || *arg == '\0')
++ fatal("%s line %d: Missing argument.",
++ filename, linenum);
++ if (options->pam_service_name != NULL)
++ fatal("%s line %d: PAMServiceName and PAMServicePrefix"
++ " are mutually exclusive.", filename, linenum);
++ if (options->pam_service_prefix == NULL)
++ options->pam_service_prefix = xstrdup(arg);
++ break;
++
++ case sPAMServiceName:
++ arg = strdelim(&cp);
++ if (!arg || *arg == '\0')
++ fatal("%s line %d: Missing argument.",
++ filename, linenum);
++ if (options->pam_service_prefix != NULL)
++ fatal("%s line %d: PAMServiceName and PAMServicePrefix"
++ " are mutually exclusive.", filename, linenum);
++ if (options->pam_service_name == NULL)
++ options->pam_service_name = xstrdup(arg);
++ break;
++
+ case sDeprecated:
+ logit("%s line %d: Deprecated option %s",
+ filename, linenum, arg);
+--- orig/servconf.h Fri Jun 20 15:39:05 2014
++++ new/servconf.h Fri Jun 20 15:39:05 2014
+@@ -54,6 +54,10 @@
+ /* Magic name for internal sftp-server */
+ #define INTERNAL_SFTP_NAME "internal-sftp"
+
++#ifdef PAM_ENHANCEMENT
++#define _SSH_PAM_SERVICE_PREFIX "sshd"
++#endif
++
+ typedef struct {
+ u_int num_ports;
+ u_int ports_from_cmdline;
+@@ -185,6 +189,12 @@
+
+ u_int num_auth_methods;
+ char *auth_methods[MAX_AUTH_METHODS];
++
++#ifdef PAM_ENHANCEMENT
++ char *pam_service_prefix;
++ char *pam_service_name;
++#endif
++
+ } ServerOptions;
+
+ /* Information about the incoming connection as used by Match */
+--- orig/sshd_config.5 Fri Jun 20 15:39:05 2014
++++ new/sshd_config.5 Fri Jun 20 15:39:05 2014
+@@ -868,6 +868,21 @@
+ are refused if the number of unauthenticated connections reaches
+ .Dq full
+ (60).
++.It Cm PAMServiceName
++Specifies the PAM service name for the PAM session. The PAMServiceName and
++PAMServicePrefix options are mutually exclusive and if both set, sshd does not
++start. If this option is set the service name is the same for all user
++authentication methods. The option has no default value. See PAMServicePrefix
++for more information.
++.It Cm PAMServicePrefix
++Specifies the PAM service name prefix for service names used for individual
++user authentication methods. The default is sshd. The PAMServiceName and
++PAMServicePrefix options are mutually exclusive and if both set, sshd does not
++start.
++.Pp
++For example, if this option is set to admincli, the service name for the
++keyboard-interactive authentication method is admincli-kbdint instead of the
++default sshd-kbdint.
+ .It Cm PasswordAuthentication
+ Specifies whether password authentication is allowed.
+ The default is
+--- orig/sshd.8 Fri Jun 20 15:39:05 2014
++++ new/sshd.8 Fri Jun 20 15:39:05 2014
+@@ -951,6 +951,33 @@
+ started last).
+ The content of this file is not sensitive; it can be world-readable.
+ .El
++
++.Sh SECURITY
++sshd uses pam(3PAM) for password and keyboard-interactive methods as well as
++for account management, session management, and the password management for all
++authentication methods.
++.Pp
++Each SSHv2 userauth type has its own PAM service name:
++
++.Bd -literal -offset 3n
++
++-----------------------------------------------
++| SSHv2 Userauth | PAM Service Name |
++-----------------------------------------------
++| none | sshd-none |
++-----------------------------------------------
++| password | sshd-password |
++-----------------------------------------------
++| keyboard-interactive | sshd-kbdint |
++-----------------------------------------------
++| pubkey | sshd-pubkey |
++-----------------------------------------------
++| hostbased | sshd-hostbased |
++-----------------------------------------------
++| gssapi-with-mic | sshd-gssapi |
++-----------------------------------------------
++.Ed
++
+ .Sh SEE ALSO
+ .Xr scp 1 ,
+ .Xr sftp 1 ,
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/017-option_default_value.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,112 @@
+#
+# Some options in OpenSSH have different default values from those in SunSSH.
+# To make the transition smoother from SunSSH to OpenSSH, we change default
+# values for the following options to be as same as those in SunSSH.
+#
+# GSSAPIAuthentication (for both server and client)
+# X11Forwarding (for server)
+# ForwardX11Trusted (for client)
+#
+# This is for Solaris only, we will not contribute back these changes to the
+# upstream.
+#
+--- orig/readconf.c Thu Sep 4 17:27:04 2014
++++ new/readconf.c Tue Sep 9 17:33:50 2014
+@@ -1575,7 +1575,11 @@
+ if (options->forward_x11 == -1)
+ options->forward_x11 = 0;
+ if (options->forward_x11_trusted == -1)
++#ifdef OPTION_DEFAULT_VALUE
++ options->forward_x11_trusted = 1;
++#else
+ options->forward_x11_trusted = 0;
++#endif
+ if (options->forward_x11_timeout == -1)
+ options->forward_x11_timeout = 1200;
+ if (options->exit_on_forward_failure == -1)
+@@ -1593,7 +1597,11 @@
+ if (options->challenge_response_authentication == -1)
+ options->challenge_response_authentication = 1;
+ if (options->gss_authentication == -1)
++#ifdef OPTION_DEFAULT_VALUE
++ options->gss_authentication = 1;
++#else
+ options->gss_authentication = 0;
++#endif
+ if (options->gss_deleg_creds == -1)
+ options->gss_deleg_creds = 0;
+ if (options->password_authentication == -1)
+--- orig/servconf.c Thu Sep 4 17:17:58 2014
++++ new/servconf.c Tue Sep 9 17:36:32 2014
+@@ -208,7 +208,11 @@
+ if (options->print_lastlog == -1)
+ options->print_lastlog = 1;
+ if (options->x11_forwarding == -1)
++#ifdef OPTION_DEFAULT_VALUE
++ options->x11_forwarding = 1;
++#else
+ options->x11_forwarding = 0;
++#endif
+ if (options->x11_display_offset == -1)
+ options->x11_display_offset = 10;
+ if (options->x11_use_localhost == -1)
+@@ -244,7 +248,11 @@
+ if (options->kerberos_get_afs_token == -1)
+ options->kerberos_get_afs_token = 0;
+ if (options->gss_authentication == -1)
++#ifdef OPTION_DEFAULT_VALUE
++ options->gss_authentication = 1;
++#else
+ options->gss_authentication = 0;
++#endif
+ if (options->gss_cleanup_creds == -1)
+ options->gss_cleanup_creds = 1;
+ if (options->password_authentication == -1)
+--- orig/ssh_config.5 Thu Sep 4 17:58:05 2014
++++ new/ssh_config.5 Tue Sep 9 17:48:39 2014
+@@ -643,8 +643,8 @@
+ token used for the session will be set to expire after 20 minutes.
+ Remote clients will be refused access after this time.
+ .Pp
+-The default is
+-.Dq no .
++The default on Solaris is
++.Dq yes .
+ .Pp
+ See the X11 SECURITY extension specification for full details on
+ the restrictions imposed on untrusted clients.
+@@ -673,8 +673,8 @@
+ .Pa /etc/ssh/ssh_known_hosts2 .
+ .It Cm GSSAPIAuthentication
+ Specifies whether user authentication based on GSSAPI is allowed.
+-The default is
+-.Dq no .
++The default on Solaris is
++.Dq yes .
+ Note that this option applies to protocol version 2 only.
+ .It Cm GSSAPIDelegateCredentials
+ Forward (delegate) credentials to the server.
+--- orig/sshd_config.5 Thu Sep 4 17:58:07 2014
++++ new/sshd_config.5 Tue Sep 9 17:49:58 2014
+@@ -490,8 +490,8 @@
+ .Dq no .
+ .It Cm GSSAPIAuthentication
+ Specifies whether user authentication based on GSSAPI is allowed.
+-The default is
+-.Dq no .
++The default on Solaris is
++.Dq yes .
+ Note that this option applies to protocol version 2 only.
+ .It Cm GSSAPICleanupCredentials
+ Specifies whether to automatically destroy the user's credentials cache
+@@ -1239,8 +1239,8 @@
+ .Dq yes
+ or
+ .Dq no .
+-The default is
+-.Dq no .
++The default on Solaris is
++.Dq yes .
+ .Pp
+ When X11 forwarding is enabled, there may be additional exposure to
+ the server and to client displays if the
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/019-no_uid_restoration_test.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,70 @@
+#
+# OpenSSH verifies, that changing [ug]id back to 0 fails, after it
+# was set to the values of the user logging in.
+# On Solaris, if that user was given PRIV_PROC_SETUID privilege,
+# set[gu]id(0) succeeds. But in this case this is not an error in
+# dropping privilege, such user is supposed to be able to do that.
+#
+# This fix removes this check entirely. Skipping the check only in
+# case PRIV_PROC_SETUID is asserted in the effective set was considered
+# but decided against. The check is redundant, because inability to
+# restore uid=0 can be inferred from successful run of setreuid(uid, uid).
+#
+# The fix is implemented by replacing an OS-related HAVE_CYGWIN guard
+# with a functional NO_UID_RESTORATION_TEST and by defining the new
+# symbol in the component Makefile.
+#
+# This patch was submitted upstream:
+#
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2299
+#
+# See the above URL for details on if/when it might be accepted.
+#
+diff -ur old/uidswap.c new/uidswap.c
+--- old/uidswap.c 2014-01-18 01:43:50.000000000 -0800
++++ new/uidswap.c 2014-09-04 06:26:32.965065384 -0700
+@@ -134,7 +134,7 @@
+ void
+ permanently_drop_suid(uid_t uid)
+ {
+-#ifndef HAVE_CYGWIN
++#ifndef NO_UID_RESTORATION_TEST
+ uid_t old_uid = getuid();
+ #endif
+
+@@ -142,7 +142,7 @@
+ if (setresuid(uid, uid, uid) < 0)
+ fatal("setresuid %u: %.100s", (u_int)uid, strerror(errno));
+
+-#ifndef HAVE_CYGWIN
++#ifndef NO_UID_RESTORATION_TEST
+ /* Try restoration of UID if changed (test clearing of saved uid) */
+ if (old_uid != uid &&
+ (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
+@@ -199,7 +199,7 @@
+ void
+ permanently_set_uid(struct passwd *pw)
+ {
+-#ifndef HAVE_CYGWIN
++#ifndef NO_UID_RESTORATION_TEST
+ uid_t old_uid = getuid();
+ gid_t old_gid = getgid();
+ #endif
+@@ -227,7 +227,7 @@
+ if (setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid) < 0)
+ fatal("setresuid %u: %.100s", (u_int)pw->pw_uid, strerror(errno));
+
+-#ifndef HAVE_CYGWIN
++#ifndef NO_UID_RESTORATION_TEST
+ /* Try restoration of GID if changed (test clearing of saved gid) */
+ if (old_gid != pw->pw_gid && pw->pw_uid != 0 &&
+ (setgid(old_gid) != -1 || setegid(old_gid) != -1))
+@@ -241,7 +241,7 @@
+ (u_int)pw->pw_gid);
+ }
+
+-#ifndef HAVE_CYGWIN
++#ifndef NO_UID_RESTORATION_TEST
+ /* Try restoration of UID if changed (test clearing of saved uid) */
+ if (old_uid != pw->pw_uid &&
+ (setuid(old_uid) != -1 || seteuid(old_uid) != -1))
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/020-deprecate_sunssh_sshd_config_opts.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,47 @@
+#
+# Originally we planned to only deprecate client config (ssh_config) options
+# and leave it up to system administrators to remove all SunSSH specific
+# server config (sshd_config) options. In internal testing we have discovered,
+# that this would bring too much trouble to the said administrators.
+# The probability of these options appearing in existing sshd_config files
+# is higher than initially though, because some of the options have been in
+# default sshd_config file for very long time. Also the consequence of
+# unknown server option is harsh - ssh service goes to maintenance mode
+# possible rendering the instance not accessible. For this reason we will
+# deprecate SunSSH specific sshd_config options too.
+#
+# This is a Solaris specific change to ease the transition and will not be
+# offered upstream.
+#
+diff -ur old/servconf.c new/servconf.c
+--- old/servconf.c 2014-10-29 07:27:34.549410967 -0700
++++ new/servconf.c 2014-10-29 07:27:58.775996557 -0700
+@@ -516,6 +516,28 @@
+ { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
+ { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
+ #endif
++#ifdef DEPRECATE_SUNSSH_OPT
++ /*
++ * On Solaris, to make the transition from SunSSH to OpenSSH as smooth
++ * as possible, we will deprecate SunSSH-only options in OpenSSH.
++ * Therefore on a system having one of the following options in
++ * /etc/ssh/sshd_config, change to OpenSSH will not result in service
++ * network/ssh going to maintenance. Instead, a warning will be printed
++ * to /var/svc/log/network-ssh:default.log. Note that
++ * this is an interim enhancement to OpenSSH to make the transition
++ * smoother. If a deprecated SunSSH-only option is migrated to OpenSSH
++ * later, then it will be changed from deprecated to supported.
++ */
++ { "maxauthtrieslog", sDeprecated, SSHCFG_GLOBAL },
++ { "lookupclienthostnames", sDeprecated, SSHCFG_GLOBAL },
++ { "useopensslengine", sDeprecated, SSHCFG_GLOBAL },
++ { "preuserauthhook", sDeprecated, SSHCFG_ALL},
++ { "kmfpolicydatabase", sDeprecated, SSHCFG_GLOBAL },
++ { "kmfpolicyname", sDeprecated, SSHCFG_GLOBAL },
++ { "trustedanchorkeystore", sDeprecated, SSHCFG_GLOBAL },
++ { "useunsupportedsshv1", sDeprecated, SSHCFG_GLOBAL },
++ { "usefips140", sDeprecated, SSHCFG_ALL},
++#endif
+ { NULL, sBadOption, 0 }
+ };
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/021-CVE-2014-2653.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,63 @@
+#
+# This is to fix the CVE-2014-2653 security bug. The bug fix code came from
+# OpenSSH. When we upgrade OpenSSH to version 6.7 or later, we will remove
+# this patch file.
+#
+--- orig/sshconnect.c Mon Jun 16 10:31:17 2014
++++ new/sshconnect.c Mon Jun 16 10:44:16 2014
+@@ -1216,29 +1216,39 @@
+ {
+ int flags = 0;
+ char *fp;
++ Key *plain = NULL;
+
+ fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
+ debug("Server host key: %s %s", key_type(host_key), fp);
+ free(fp);
+
+- /* XXX certs are not yet supported for DNS */
+- if (!key_is_cert(host_key) && options.verify_host_key_dns &&
+- verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
+- if (flags & DNS_VERIFY_FOUND) {
+-
+- if (options.verify_host_key_dns == 1 &&
+- flags & DNS_VERIFY_MATCH &&
+- flags & DNS_VERIFY_SECURE)
+- return 0;
+-
+- if (flags & DNS_VERIFY_MATCH) {
+- matching_host_key_dns = 1;
+- } else {
+- warn_changed_key(host_key);
+- error("Update the SSHFP RR in DNS with the new "
+- "host key to get rid of this message.");
++ if (options.verify_host_key_dns) {
++ /*
++ * XXX certs are not yet supported for DNS, so downgrade
++ * them and try the plain key.
++ */
++ plain = key_from_private(host_key);
++ if (key_is_cert(plain))
++ key_drop_cert(plain);
++ if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
++ if (flags & DNS_VERIFY_FOUND) {
++ if (options.verify_host_key_dns == 1 &&
++ flags & DNS_VERIFY_MATCH &&
++ flags & DNS_VERIFY_SECURE) {
++ key_free(plain);
++ return 0;
++ }
++ if (flags & DNS_VERIFY_MATCH) {
++ matching_host_key_dns = 1;
++ } else {
++ warn_changed_key(plain);
++ error("Update the SSHFP RR in DNS "
++ "with the new host key to get rid "
++ "of this message.");
++ }
+ }
+ }
++ key_free(plain);
+ }
+
+ return check_host_key(host, hostaddr, options.port, host_key, RDRW,
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/022-solaris_audit.patch Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,175 @@
+#
+# Add Solaris Auditing configuration (--with-audit=solaris) to openssh-6.5p1.
+#
+# Add phase 1 Solaris Auditing of sshd login/logout to openssh-6.5p1.
+#
+# Additional Solaris Auditing should include audit of password
+# change.
+# Presuming it is appropriate, this patch should/will be updated
+# with additional files and updates to sources/audit-solaris.c
+#
+# Code is developed by the Solaris Audit team.
+# It should/will likely be contributed up stream when done.
+# This patch relies on sources/audit-solaris.c being copied into
+# the openssh source directory by the Makefile that configures
+# using --with-audit=solaris.
+#
+# The up stream community has been contacted about the plans.
+# No reply has yet been received.
+#
+# An additional patch relying on the --with-audit=solaris configuration
+# should/will be created for sftp Solaris Audit and password change.
+#
+--- orig/config.h.in 2014-11-05 13:11:59.968745838 -0800
++++ new/config.h.in 2014-10-13 14:00:31.117475979 -0700
+@@ -1628,6 +1628,9 @@
+ /* Use Linux audit module */
+ #undef USE_LINUX_AUDIT
+
++/* Use Solaris audit module */
++#undef USE_SOLARIS_AUDIT
++
+ /* Enable OpenSSL engine support */
+ #undef USE_OPENSSL_ENGINE
+
+--- orig/configure 2014-11-05 13:11:59.971959419 -0800
++++ new/configure 2014-12-04 08:43:59.945675841 -0800
+@@ -1420,7 +1420,7 @@
+ --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
+ --with-ldns[=PATH] Use ldns for DNSSEC support (optionally in PATH)
+ --with-libedit[=PATH] Enable libedit support for sftp
+- --with-audit=module Enable audit support (modules=debug,bsm,linux)
++ --with-audit=module Enable audit support (modules=debug,bsm,linux,solaris)
+ --with-pie Build Position Independent Executables if possible
+ --with-ssl-dir=PATH Specify path to OpenSSL installation
+ --without-openssl-header-check Disable OpenSSL version consistency check
+@@ -10185,6 +10185,27 @@
+ $as_echo "#define USE_LINUX_AUDIT 1" >>confdefs.h
+
+ ;;
++ solaris)
++ { $as_echo "$as_me:${as_lineno-$LINENO}: result: solaris" >&5
++$as_echo "solaris" >&6; }
++ AUDIT_MODULE=solaris
++ for ac_header in bsm/adt.h
++do :
++ ac_fn_c_check_header_compile "$LINENO" "bsm/adt.h" "ac_cv_header_bsm_adt_h" ""
++if test "x$ac_cv_header_bsm_adt_h" = xyes; then :
++ cat >>confdefs.h <<_ACEOF
++#define HAVE_ADT_H 1
++_ACEOF
++
++else
++ as_fn_error $? "Solaris Audit enabled and bsm/adt.h not found" "$LINENO" 5
++fi
++
++done
++
++ SSHDLIBS="$SSHDLIBS -lbsm"
++$as_echo "#define USE_SOLARIS_AUDIT 1" >>confdefs.h
++ ;;
+ debug)
+ AUDIT_MODULE=debug
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: debug" >&5
+--- orig/defines.h 2014-01-17 05:12:38.000000000 -0800
++++ new/defines.h 2014-09-12 10:09:27.000000000 -0700
+@@ -622,6 +622,11 @@
+ # define CUSTOM_SSH_AUDIT_EVENTS
+ #endif
+
++#ifdef USE_SOLARIS_AUDIT
++# define SSH_AUDIT_EVENTS
++# define CUSTOM_SSH_AUDIT_EVENTS
++#endif
++
+ #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
+ # define __func__ __FUNCTION__
+ #elif !defined(HAVE___func__)
+--- orig/INSTALL 2013-03-06 17:33:35.000000000 -0800
++++ new/INSTALL 2014-12-04 08:41:24.369920230 -0800
+@@ -97,9 +97,13 @@
+
+ Basic Security Module (BSM):
+
+-Native BSM support is know to exist in Solaris from at least 2.5.1,
+-FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
+-implementation (http://www.openbsm.org).
++Native BSM support is known to exist in Solaris from at least 2.5.1
++to Solaris 10. From Solaris 11 the previously documented BSM (libbsm)
++interfaces are no longer public and are unsupported. While not public
++interfaces, audit-solaris.c implements Solaris Audit from Solaris 11.
++Native BSM support is known to exist in FreeBSD 6.1 and OS X.
++Alternatively, you may use the OpenBSM implementation
++(http://www.openbsm.org).
+
+
+ 2. Building / Installation
+@@ -152,8 +156,9 @@
+ There are a few other options to the configure script:
+
+ --with-audit=[module] enable additional auditing via the specified module.
+-Currently, drivers for "debug" (additional info via syslog) and "bsm"
+-(Sun's Basic Security Module) are supported.
++Currently, drivers for "debug" (additional info via syslog), and "bsm"
++(Sun's Legacy Basic Security Module prior to Solaris 11), and "solaris"
++(Sun's Audit infrastructure from Solaris 11) are supported.
+
+ --with-pam enables PAM support. If PAM support is compiled in, it must
+ also be enabled in sshd_config (refer to the UsePAM directive).
+--- orig/Makefile.in 2014-11-12 15:18:05.366726810 -0800
++++ new/Makefile.in 2014-11-12 15:22:36.825227512 -0800
+@@ -84,7 +84,7 @@
+ roaming_common.o roaming_client.o
+
+ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
+- audit.o audit-bsm.o audit-linux.o platform.o \
++ audit.o audit-bsm.o audit-linux.o audit-solaris.o platform.o \
+ sshpty.o sshlogin.o servconf.o serverloop.o \
+ auth.o auth1.o auth2.o auth-options.o session.o \
+ auth-chall.o auth2-chall.o groupaccess.o \
+--- orig/README.platform 2009-08-28 16:14:48.000000000 -0700
++++ new/README.platform 2014-09-12 09:45:50.000000000 -0700
+@@ -68,8 +68,8 @@
+ libssl-dev, libz-dev and libpam-dev.
+
+
+-Solaris
+--------
++Prior to Solaris 11
++-------------------
+ If you enable BSM auditing on Solaris, you need to update audit_event(4)
+ for praudit(1m) to give sensible output. The following line needs to be
+ added to /etc/security/audit_event:
+@@ -82,6 +82,9 @@
+ number is already in use on your system, you may change it at build time
+ by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
+
++From Solaris 11
++---------------
++Solaris Audit is supported by configuring --with-audit=solaris.
+
+ Platforms using PAM
+ -------------------
+--- orig/sshd.c 2014-11-05 13:11:59.974945893 -0800
++++ new/sshd.c 2014-11-10 13:33:12.279354856 -0800
+@@ -2139,7 +2139,9 @@
+ #endif
+
+ #ifdef SSH_AUDIT_EVENTS
++#ifndef USE_SOLARIS_AUDIT
+ audit_event(SSH_AUTH_SUCCESS);
++#endif /* !USE_SOLARIS_AUDIT */
+ #endif
+
+ #ifdef GSSAPI
+@@ -2169,6 +2171,10 @@
+ do_pam_session();
+ }
+ #endif
++#ifdef USE_SOLARIS_AUDIT
++ /* Audit should take place after all successful pam */
++ audit_event(SSH_AUTH_SUCCESS);
++#endif /* USE_SOLARIS_AUDIT */
+
+ /*
+ * In privilege separation, we fork another child and prepare
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/resolve.deps Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,9 @@
+library/libedit
+library/security/openssl
+library/zlib
+service/security/kerberos-5
+system/library
+system/library/security/gss
+system/library/gcc-45-runtime
+system/library/gcc/gcc-c-runtime
+system/linker
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/sources/audit-solaris.c Fri Mar 13 17:05:08 2015 -0700
@@ -0,0 +1,561 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
+ */
+
+#include "includes.h"
+#if defined(USE_SOLARIS_AUDIT)
+
+#include "audit.h"
+#include "buffer.h"
+#include "key.h"
+#include "hostfile.h"
+#include "auth.h"
+#include "log.h"
+#include "packet.h"
+
+#include <errno.h>
+#include <pwd.h>
+#include <string.h>
+
+#include <bsm/adt.h>
+#include <bsm/adt_event.h>
+
+#ifdef ADT_DEBUG
+#include <bsm/audit.h>
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <values.h>
+#include <errno.h>
+#include <pwd.h>
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+#include <ucred.h>
+#include <values.h>
+
+#include <bsm/adt.h>
+#include <bsm/audit.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+/* semi private adt functions to extract information */
+
+extern void adt_get_asid(const adt_session_data_t *, au_asid_t *);
+extern void adt_get_auid(const adt_session_data_t *, au_id_t *);
+extern void adt_get_mask(const adt_session_data_t *, au_mask_t *);
+extern void adt_get_termid(const adt_session_data_t *, au_tid_addr_t *);
+
+extern void __auditd_debug(char *, ...);
+
+void
+__audit_pidinfo(void)
+{
+ adt_session_data_t *ah = NULL;
+ au_id_t auid;
+ char *auid_name = "badname";
+ struct passwd *pwd;
+ au_asid_t asid;
+ au_mask_t mask;
+ char flags[512];
+ au_tid_addr_t tid;
+ char pbuf[INET6_ADDRSTRLEN];
+ int af = AF_INET;
+ int remote;
+ int local;
+
+ if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
+ __auditd_debug("cannot start session %s\n", strerror(errno));
+ return;
+ }
+ if (ah == NULL) {
+ __auditd_debug("ah is NULL\n");
+ return;
+ }
+ adt_get_auid(ah, &auid);
+ if ((pwd = getpwuid((uid_t)auid)) != NULL) {
+ auid_name = pwd->pw_name;
+ }
+ __auditd_debug("audit id = %s(%d)\n", auid_name, auid);
+
+ adt_get_mask(ah, &mask);
+ if (getauditflagschar(flags, &mask, NULL) < 0) {
+ (void) strlcpy(flags, "badflags", sizeof (flags));
+ }
+#ifdef _LP64
+ __auditd_debug("preselection mask = %s(0x%lx,0x%lx)\n", flags,
+ mask.am_success, mask.am_failure);
+#else /* _ILP32 */
+ __auditd_debug("preselection mask = %s(0x%llx,0x%llx)\n", flags,
+ mask.am_success, mask.am_failure);
+#endif /* _LP64 */
+
+ adt_get_termid(ah, &tid);
+ __auditd_debug("tid type=%d, maj=%u, min=%u, addr=%x:%x:%x:%x\n",
+ tid.at_type,
+ (uint16_t)((tid.at_port) >> BITS(uint16_t)),
+ (uint16_t)(tid.at_port & UINT16_MAX),
+ tid.at_addr[0],
+ tid.at_addr[1],
+ tid.at_addr[2],
+ tid.at_addr[3]);
+ if (tid.at_type == AU_IPv6) {
+ af = AF_INET6;
+ }
+ (void) inet_ntop(af, (void *)(tid.at_addr), pbuf,
+ sizeof (pbuf));
+ remote = (tid.at_port >> BITS(uint16_t));
+ local = (tid.at_port & UINT16_MAX);
+ __auditd_debug("tid type-%d (remote,local,host)= %u,%u,%s\n",
+ tid.at_type, remote, local, pbuf);
+ adt_get_asid(ah, &asid);
+ __auditd_debug("audit session id = %u\n", asid);
+ (void) adt_end_session(ah);
+}
+#else /* !ADT_DEBUG */
+/*ARGSUSED*/
+/*PRINTFLIKE1*/
+static void
+__auditd_debug(char *fmt, ...)
+{
+}
+static void
+__audit_pidinfo()
+{
+}
+#endif /* ADT_DEBUG */
+
+#include <security/pam_appl.h>
+
+#include <sys/types.h>
+
+extern Authctxt *the_authctxt;
+
+extern const char *audit_username(void);
+extern const char *audit_event_lookup(ssh_audit_event_t);
+
+static adt_session_data_t *ah = NULL; /* audit session handle */
+static adt_termid_t *tid = NULL; /* peer terminal id */
+
+static void audit_login(void);
+static void audit_logout(void);
+static void audit_fail(int);
+
+/* Below is the sshd audit API Solaris adt interpretation */
+
+/*
+ * Called after a connection has been accepted but before any authentication
+ * has been attempted.
+ */
+/* ARGSUSED */
+void
+audit_connection_from(const char *host, int port)
+{
+ int peer = packet_get_connection_in();
+ adt_session_data_t *ah;
+
+ if (adt_load_termid(peer, &tid) != 0) {
+ error("adt audit_connection_from: unable to load tid for %d:%s",
+ peer, strerror(errno));
+ }
+ if (adt_start_session(&ah, NULL, 0) != 0) {
+ error("adt audit_connection_from: unable to start session "
+ "for %s:%d:%s", host, port, strerror(errno));
+ }
+ if (adt_set_user(ah, ADT_NO_AUDIT, ADT_NO_AUDIT, 0,
+ ADT_NO_AUDIT, tid, ADT_SETTID) != 0) {
+ error("adt audit_connection_from: unable to set user "
+ "for %s:%d:%s", host, port, strerror(errno));
+ (void) adt_end_session(ah);
+ ah = NULL;
+ }
+ if (adt_set_proc(ah) != 0) {
+ error("adt audit_connection_from: unable to set proc "
+ "for %s:%d:%s", host, port, strerror(errno));
+ }
+ (void) adt_end_session(ah);
+ debug("adt audit_connection_from(%s, %d): peerfd=%d", host, port,
+ peer);
+ __auditd_debug("%d/%d:%d-adt audit_connection_from(%s, %d)ctxt=%p: "
+ "peerfd=%d\n", getpid(), getuid(), geteuid(), host, port,
+ (void *)the_authctxt, peer);
+ __audit_pidinfo();
+}
+
+/*
+ * Called when various events occur (see audit.h for a list of possible
+ * events and what they mean).
+ *
+ * Entry the_authcntxt
+ */
+void
+audit_event(ssh_audit_event_t event)
+{
+ static boolean_t logged_in = B_FALSE; /* if user did login */
+ int fail = PAM_IGNORE; /* default unset */
+ static boolean_t did_maxtries = B_FALSE; /* if interactive and abort */
+
+ debug("adt audit_event(%s)", audit_event_lookup(event));
+ __auditd_debug("%d/%d:%d-adt audit_event(%s/%s)ctxt=%p\n",
+ getpid(), getuid(), geteuid(), audit_event_lookup(event),
+ audit_username(), (void *)the_authctxt);
+ __audit_pidinfo();
+
+ switch (event) {
+ case SSH_AUTH_SUCCESS: /* authentication success */
+ logged_in = B_TRUE;
+ audit_login(); /* ADT_ssh; */
+ return;
+
+ case SSH_CONNECTION_CLOSE: /* connection closed, all done */
+ if (logged_in) {
+ audit_logout(); /* ADT_logout; */
+ logged_in = B_FALSE;
+ } else {
+ error("adt audit_event logout without login");
+ }
+ return;
+
+ /* Translate fail events to Solaris PAM errors */
+
+ /* auth2.c: userauth_finish as audit_event(SSH_LOGIN_EXCEED_MAXTRIES) */
+ /* auth1.c:do_authloop audit_event(SSH_LOGIN_EXCEED_MAXTRIES) */
+ case SSH_LOGIN_EXCEED_MAXTRIES:
+ fail = PAM_MAXTRIES;
+ did_maxtries = B_TRUE;
+ break;
+
+ /* auth2.c: userauth_finish as audit_event(SSH_LOGIN_ROOT_DENIED) */
+ /* auth1.c:do_authloop audit_event(SSH_LOGIN_ROOT_DENIED) */
+ case SSH_LOGIN_ROOT_DENIED:
+ fail = PAM_PERM_DENIED;
+ break;
+
+ /* auth2.c: input_userauth_request as audit_event(SSH_INVALID_USER) */
+ /* auth.c: getpwnamallow as audit_event(SSH_INVALID_USER) */
+ case SSH_INVALID_USER:
+ fail = PAM_USER_UNKNOWN;
+ break;
+
+ /* seems unused, but translate to the Solaris PAM error */
+ case SSH_NOLOGIN:
+ fail = PAM_LOGINS_DISABLED;
+ break;
+
+ /*
+ * auth.c in auth_log as it's walking through methods calls
+ * audit_classify_method(method) which maps
+ *
+ * none -> SSH_AUTH_FAIL_NONE
+ * password -> SSH_AUTH_FAIL_PASSWD
+ *
+ * publickey -> SSH_AUTH_FAIL_PUBKEY
+ * rsa -> SSH_AUTH_FAIL_PUBKEY
+ *
+ * keyboard-interactive -> SSH_AUTH_FAIL_KBDINT
+ * challenge-response -> SSH_AUTH_FAIL_KBDINT
+ *
+ * hostbased -> SSH_AUTH_FAIL_HOSTBASED
+ * rhosts-rsa -> SSH_AUTH_FAIL_HOSTBASED
+ *
+ * gssapi-with-mic -> SSH_AUTH_FAIL_GSSAPI
+ *
+ * unknown method -> SSH_AUDIT_UNKNOWN
+ */
+ /*
+ * see mon_table mon_dispatch_proto20[], mon_dispatch_postauth20[],
+ * mon_dispatch_proto15[], mon_dispatch_postauth15[]:
+ * MONITOR_REQ_AUDIT_EVENT
+ * called from monitor.c:mm_answer_audit_event()
+ * SSH_AUTH_FAIL_PUBKEY, SSH_AUTH_FAIL_HOSTBASED,
+ * SSH_AUTH_FAIL_GSSAPI, SSH_LOGIN_EXCEED_MAXTRIES,
+ * SSH_LOGIN_ROOT_DENIED, SSH_CONNECTION_CLOSE SSH_INVALID_USER
+ * monitor_wrap.c: mm_audit_event()
+ */
+ case SSH_AUTH_FAIL_NONE: /* auth type none */
+ case SSH_AUTH_FAIL_PUBKEY: /* authtype publickey */
+ break;
+
+ case SSH_AUTH_FAIL_PASSWD: /* auth type password */
+ case SSH_AUTH_FAIL_KBDINT: /* authtype keyboard-interactive */
+ case SSH_AUTH_FAIL_HOSTBASED: /* auth type hostbased */
+ case SSH_AUTH_FAIL_GSSAPI: /* auth type gssapi-with-mic */
+ case SSH_AUDIT_UNKNOWN: /* auth type unknown */
+ fail = PAM_AUTH_ERR;
+ break;
+
+ /* sshd.c: cleanup_exit: server specific fatal cleanup */
+ case SSH_CONNECTION_ABANDON: /* bailing with fatal error */
+ /*
+ * This seems to occur with OpenSSH client when
+ * the user login shell exits.
+ */
+ if (logged_in) {
+ audit_logout(); /* ADT_logout; */
+ logged_in = B_FALSE;
+ return;
+ } else if (!did_maxtries) {
+ fail = PAM_AUTHINFO_UNAVAIL;
+ } else {
+ /* reset saw max tries */
+ did_maxtries = FALSE;
+ }
+ break;
+
+ default:
+ error("adt audit_event: unknown event %d", event);
+ __auditd_debug("%d/%d:%d-unknown event %d",
+ getpid(), getuid(), geteuid(), event);
+ __audit_pidinfo();
+ break;
+ }
+ audit_fail(fail);
+}
+
+/*
+ * Called when a user session is started. Argument is the tty allocated to
+ * the session, or NULL if no tty was allocated.
+ *
+ * Note that this may be called multiple times if multiple sessions are used
+ * within a single connection.
+ */
+/* ARGSUSED */
+void
+audit_session_open(struct logininfo *li)
+{
+ const char *t = li->line ? li->line : "(no tty)";
+
+ debug("adt audit_session_open: user=%s:tty=%s", audit_username(),
+ t);
+ __auditd_debug("%d/%d:%d-adt audit_session_open:ctxt=%p "
+ "user=%s:tty=%s\n", getpid(), getuid(), geteuid(),
+ (void *)the_authctxt, audit_username(), t);
+ __audit_pidinfo();
+}
+
+/*
+ * Called when a user session is closed. Argument is the tty allocated to
+ * the session, or NULL if no tty was allocated.
+ *
+ * Note that this may be called multiple times if multiple sessions are used
+ * within a single connection.
+ */
+/* ARGSUSED */
+void
+audit_session_close(struct logininfo *li)
+{
+ const char *t = li->line ? li->line : "(no tty)";
+
+ debug("adt audit_session_close: user=%s:tty=%s", audit_username(),
+ t);
+ __auditd_debug("%d/%d:%d-adt audit_session_close:ctxt=%p "
+ "user=%s:tty=%s\n", getpid(), getuid(), geteuid(),
+ (void *)the_authctxt, audit_username(), t);
+ __audit_pidinfo();
+}
+
+/*
+ * This will be called when a user runs a non-interactive command. Note that
+ * it may be called multiple times for a single connection since SSH2 allows
+ * multiple sessions within a single connection.
+ */
+/* ARGSUSED */
+void
+audit_run_command(const char *command)
+{
+ debug("adt audit_run_command: \"%s\"", command);
+ __auditd_debug("%d/%d:%d-adt audit_run_command:ctxt=%p \"%s\"\n",
+ getpid(), getuid(), geteuid(), (void *)the_authctxt, command);
+ __audit_pidinfo();
+}
+
+/*
+ * audit_login - audit successful login
+ *
+ * Entry the_authctxt should be valid ;-)
+ * and pam_setcred called.
+ * adt_info & ADT_INFO_PW_SUCCESS if successful
+ * password change.
+ *
+ * Exit ah = audit session established for audit_logout();
+ */
+static void
+audit_login(void)
+{
+ adt_event_data_t *event;
+ uid_t uid = ADT_NO_ATTRIB;
+ gid_t gid = (gid_t)ADT_NO_ATTRIB;
+ au_id_t auid;
+
+ if ((the_authctxt != NULL) && (the_authctxt->valid != 0)) {
+ uid = the_authctxt->pw->pw_uid;
+ gid = the_authctxt->pw->pw_gid;
+ }
+
+ if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
+ error("adt_start_session: %s", strerror(errno));
+ return;
+ }
+
+ adt_get_auid(ah, &auid);
+
+ if (adt_set_user(ah, uid, gid, uid, gid, NULL,
+ auid == AU_NOAUDITID ? ADT_NEW : ADT_USER)) {
+ error("adt_set_user auid=%d, uid=%d", auid, uid);
+ (void) adt_end_session(ah);
+ ah = NULL;
+ free(tid);
+ tid = NULL;
+ return;
+ }
+ if ((event = adt_alloc_event(ah, ADT_ssh)) == NULL) {
+ error("adt_alloc_event(ADT_ssh): %s", strerror(errno));
+ return;
+ }
+ if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
+ error("adt_put_event(ADT_ssh, ADT_SUCCESS): %s",
+ strerror(errno));
+ }
+ /* should audit successful password change here */
+ adt_free_event(event);
+}
+
+/*
+ * audit_logout - audit the logout
+ *
+ * Entry ah = audit session.
+ */
+static void
+audit_logout(void)
+{
+ adt_event_data_t *event;
+
+ if ((event = adt_alloc_event(ah, ADT_logout)) == NULL) {
+ error("adt_alloc_event(ADT_logout): %s", strerror(errno));
+ return;
+ }
+ if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
+ error("adt_put_event(ADT_logout, ADT_SUCCESS): %s",
+ strerror(errno));
+ }
+ adt_free_event(event);
+ (void) adt_end_session(ah);
+ ah = NULL;
+ free(tid);
+ tid = NULL;
+}
+
+/*
+ * audit_fail - audit login failure.
+ *
+ * Entry the_authctxt assumed to have some info.
+ * user = user who asked to be authenticated.
+ * tid = connection audit TID set by audit_connect_from();
+ *
+ * N.B. pam_strerror() prototype takes a pam handle and error number.
+ * At least on Solaris, pam_strerror never uses the pam handle.
+ * Since there doesn't seem to be a pam handle available, this
+ * code just uses NULL.
+ */
+static void
+audit_fail(int pamerr)
+{
+ adt_session_data_t *ah = NULL;
+ adt_event_data_t *event;
+ uid_t uid = ADT_NO_ATTRIB;
+ gid_t gid = (gid_t)ADT_NO_ATTRIB;
+
+ __auditd_debug("%d/%d:%d-audit_fail(%s) ctxt=%p\n",
+ getpid(), getuid(), geteuid(), pam_strerror(NULL, pamerr),
+ (void *)the_authctxt);
+ if (the_authctxt != NULL) {
+ uid_t pwuid = ADT_NO_ATTRIB;
+
+ if (the_authctxt->pw != NULL) {
+ pwuid = the_authctxt->pw->pw_uid;
+ }
+ __auditd_debug("valid=%d, user=%s, uid=%d\n",
+ the_authctxt->valid, audit_username(), pwuid);
+ } else {
+ __auditd_debug("\tNo autxctxt\n");
+ }
+ __audit_pidinfo();
+ if (pamerr == PAM_IGNORE) {
+ return;
+ }
+ if ((the_authctxt != NULL) && (the_authctxt->valid != 0)) {
+ uid = the_authctxt->pw->pw_uid;
+ gid = the_authctxt->pw->pw_gid;
+ } else if ((the_authctxt != NULL) && (the_authctxt->user != NULL)) {
+ struct passwd *pw;
+
+ if ((pw = getpwnam(the_authctxt->user)) != NULL) {
+ uid = pw->pw_uid;
+ gid = pw->pw_gid;
+ }
+ }
+ if (adt_start_session(&ah, NULL, 0) != 0) {
+ error("adt_start_session(ADT_ssh, 0, fail=%s):"
+ " %s", pam_strerror(NULL, pamerr), strerror(errno));
+ __auditd_debug("%d/%d:%d-adt_start_session(ADT_ssh, "
+ "PROC_DATA, fail=%s): %s", getpid(), getuid(),
+ geteuid(), pam_strerror(NULL, pamerr),
+ strerror(errno));
+ return;
+ }
+ __auditd_debug("%d/%d:%d-audit_fail+start_session() ah=%p\n",
+ getpid(), getuid(), geteuid(), (void *)ah);
+ if (adt_set_user(ah, uid, gid, uid, gid, tid, ADT_NEW) != 0) {
+ error("adt_set_user(ADT_ssh, PROC_DATA, fail=%s): %s",
+ pam_strerror(NULL, pamerr), strerror(errno));
+ __auditd_debug("%d/%d:%d-adt_set_user(ADT_ssh, "
+ "PROC_DATA, fail=%s): %s", getpid(), getuid(),
+ geteuid(), pam_strerror(NULL, pamerr),
+ strerror(errno));
+ goto done;
+ }
+ __auditd_debug("%d/%d:%d-audit_fail+set_user() ah=%p\n", getpid(),
+ getuid(), geteuid(), (void *)ah);
+ if ((event = adt_alloc_event(ah, ADT_ssh)) == NULL) {
+ error("adt_alloc_event(ADT_ssh, fail=%s): %s",
+ pam_strerror(NULL, pamerr), strerror(errno));
+ __auditd_debug("%d/%d:%d-adt_set_user(ADT_ssh, 0, "
+ "fail=%s): %s", getpid(), getuid(), geteuid(),
+ pam_strerror(NULL, pamerr), strerror(errno));
+ } else if (adt_put_event(event, ADT_FAILURE,
+ ADT_FAIL_PAM + pamerr) != 0) {
+ error("adt_put_event(ADT_ssh, fail=%s): %s",
+ pam_strerror(NULL, pamerr), strerror(errno));
+ __auditd_debug("%d/%d:%d-adt_put_event(ADT_ssh, fail=%s): %s",
+ getpid(), getuid(), geteuid(), pam_strerror(NULL, pamerr),
+ strerror(errno));
+ }
+ __auditd_debug("%d/%d:%d-audit_fail+put_event() ah=%p\n", getpid(),
+ getuid(), geteuid(), (void *)ah);
+ /* should audit authentication with failed password change here. */
+ adt_free_event(event);
+done:
+ (void) adt_end_session(ah);
+}
+#endif /* USE_SOLARIS_AUDIT */