19591379 X11Forwarding and ForwardX11Trusted should default to yes
authorHuie-Ying Lee <huieying.lee@oracle.com>
Wed, 12 Nov 2014 16:36:55 -0800
changeset 2206 e71c20dca64b
parent 2205 af632779536e
child 2207 64e8c961a4a2
19591379 X11Forwarding and ForwardX11Trusted should default to yes
19906401 should set AUTHTOK to NULL after pam_authenticate in sshpam_auth_passwd()
components/openssh/patches/015-pam_conversation_fix.patch
components/openssh/patches/017-option_default_value.patch
--- a/components/openssh/patches/015-pam_conversation_fix.patch	Wed Nov 12 13:26:19 2014 -0800
+++ b/components/openssh/patches/015-pam_conversation_fix.patch	Wed Nov 12 16:36:55 2014 -0800
@@ -4,8 +4,8 @@
 # 2009, but it was not accepted by the upstream.  For more information, see
 # https://bugzilla.mindrot.org/show_bug.cgi?id=1681.
 #
---- orig/auth-pam.c	Fri Jun 20 14:55:27 2014
-+++ new/auth-pam.c	Fri Jun 20 14:54:39 2014
+--- orig/auth-pam.c	Mon Oct 27 14:40:01 2014
++++ new/auth-pam.c	Tue Oct 28 12:40:59 2014
 @@ -1111,11 +1111,13 @@
  	free(env);
  }
@@ -46,7 +46,17 @@
  		case PAM_ERROR_MSG:
  		case PAM_TEXT_INFO:
  			len = strlen(PAM_MSG_MEMBER(msg, i, msg));
-@@ -1197,6 +1211,15 @@
+@@ -1178,6 +1192,9 @@
+ int
+ sshpam_auth_passwd(Authctxt *authctxt, const char *password)
+ {
++#ifdef PAM_BUGFIX
++        int set_item_rtn;
++#endif
+ 	int flags = (options.permit_empty_passwd == 0 ?
+ 	    PAM_DISALLOW_NULL_AUTHTOK : 0);
+ 
+@@ -1197,6 +1214,15 @@
  	    options.permit_root_login != PERMIT_YES))
  		sshpam_password = badpw;
  
@@ -62,3 +72,20 @@
  	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
  	    (const void *)&passwd_conv);
  	if (sshpam_err != PAM_SUCCESS)
+@@ -1205,6 +1231,16 @@
+ 
+ 	sshpam_err = pam_authenticate(sshpam_handle, flags);
+ 	sshpam_password = NULL;
++
++#ifdef PAM_BUGFIX
++        set_item_rtn = pam_set_item(sshpam_handle, PAM_AUTHTOK, NULL);
++	if (set_item_rtn != PAM_SUCCESS) {
++		debug("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__,
++		    pam_strerror(sshpam_handle, set_item_rtn));
++		return 0;
++	}
++#endif
++
+ 	if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
+ 		debug("PAM: password authentication accepted for %.100s",
+ 		    authctxt->user);
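Review bot: The `return 0;` taken when pam_set_item(PAM_AUTHTOK, NULL) fails converts a possibly successful pam_authenticate() into a denial but reports the cause only via `debug()`, so on a production log level an operator would see an unexplained password failure with no hint that the PAM handle could not be scrubbed. Failing closed here is the right choice, but the message should be raised to `error("PAM: %s: failed to set PAM_AUTHTOK: %s", __func__, pam_strerror(sshpam_handle, set_item_rtn));` since this is a server-side fault rather than a user error. The intent of the new block is also not recorded anywhere; a comment such as `/* Drop the cleartext password from the PAM handle now that authentication is done; any later PAM phase that needs it must re-prompt. */` above the `#ifdef PAM_BUGFIX` would document both the security motivation and the behavioural consequence for later stack phases, which I cannot confirm from this hunk alone. sshpam_auth_passwd() continues past the end of the hunk, so the early return also bypasses whatever failure handling follows the visible accepted-path branch.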
--- a/components/openssh/patches/017-option_default_value.patch	Wed Nov 12 13:26:19 2014 -0800
+++ b/components/openssh/patches/017-option_default_value.patch	Wed Nov 12 16:36:55 2014 -0800
@@ -1,12 +1,30 @@
 #
-# The default value of the GSSAPIAuthentication option is yes in SunSSH, but
-# no in OpenSSH. To make the transition smoother from SunSSH to OpenSSH, we 
-# change the default value of this option to be yes in OpenSSH also. This is
-# for Solaris only, we will not contribute back this changes to the upstream.
+# Some options in OpenSSH have different default values from those in SunSSH.
+# To make the transition smoother from SunSSH to OpenSSH, we change default
+# values for the following options to be as same as those in SunSSH.
+# 
+#   GSSAPIAuthentication (for both server and client)
+#   X11Forwarding        (for server)
+#   ForwardX11Trusted    (for client)
+#
+# This is for Solaris only, we will not contribute back these changes to the
+# upstream.
 #
 --- orig/readconf.c	Thu Sep  4 17:27:04 2014
-+++ new/readconf.c	Thu Sep  4 17:51:24 2014
-@@ -1593,7 +1593,11 @@
++++ new/readconf.c	Tue Sep  9 17:33:50 2014
+@@ -1575,7 +1575,11 @@
+ 	if (options->forward_x11 == -1)
+ 		options->forward_x11 = 0;
+ 	if (options->forward_x11_trusted == -1)
++#ifdef OPTION_DEFAULT_VALUE
++		options->forward_x11_trusted = 1;
++#else
+ 		options->forward_x11_trusted = 0;
++#endif
+ 	if (options->forward_x11_timeout == -1)
+ 		options->forward_x11_timeout = 1200;
+ 	if (options->exit_on_forward_failure == -1)
+@@ -1593,7 +1597,11 @@
  	if (options->challenge_response_authentication == -1)
  		options->challenge_response_authentication = 1;
  	if (options->gss_authentication == -1)
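Review bot: The rewritten patch header (the `# Some options in OpenSSH have different default values ...` block) gives the SunSSH-compatibility motivation but says nothing about what flipping ForwardX11Trusted to yes costs, even though the ssh_config.5 context later in this diff refers to the X11 SECURITY extension restrictions that apply only to untrusted clients. A defender reading this patch should find that trade-off stated next to the list of options, e.g. `#   Note: ForwardX11Trusted=yes exempts forwarded X11 clients from the X11 SECURITY extension restrictions; users wanting the upstream behaviour must set it to no explicitly.` The readconf.c hunk itself is mechanical; the enclosing fill_default_options() body begins and ends outside it.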
@@ -19,8 +37,20 @@
  		options->gss_deleg_creds = 0;
  	if (options->password_authentication == -1)
 --- orig/servconf.c	Thu Sep  4 17:17:58 2014
-+++ new/servconf.c	Thu Sep  4 17:50:50 2014
-@@ -244,7 +244,11 @@
++++ new/servconf.c	Tue Sep  9 17:36:32 2014
+@@ -208,7 +208,11 @@
+ 	if (options->print_lastlog == -1)
+ 		options->print_lastlog = 1;
+ 	if (options->x11_forwarding == -1)
++#ifdef OPTION_DEFAULT_VALUE
++		options->x11_forwarding = 1;
++#else
+ 		options->x11_forwarding = 0;
++#endif
+ 	if (options->x11_display_offset == -1)
+ 		options->x11_display_offset = 10;
+ 	if (options->x11_use_localhost == -1)
+@@ -244,7 +248,11 @@
  	if (options->kerberos_get_afs_token == -1)
  		options->kerberos_get_afs_token = 0;
  	if (options->gss_authentication == -1)
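Review bot: With `options->x11_forwarding` now defaulting to 1, the containment of the forwarded display depends on the neighbouring `x11_use_localhost` default, which this hunk leaves untouched but does not mention; the patch header would be more useful if it recorded that explicitly, e.g. `#   X11UseLocalhost and X11DisplayOffset keep their upstream defaults.` That makes it clear to a reviewer that only the on/off switch changes and the forwarded display still binds to the loopback interface. The enclosing fill_default_server_options() body begins and ends outside this hunk.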
@@ -33,7 +63,18 @@
  		options->gss_cleanup_creds = 1;
  	if (options->password_authentication == -1)
 --- orig/ssh_config.5	Thu Sep  4 17:58:05 2014
-+++ new/ssh_config.5	Thu Sep  4 17:59:06 2014
++++ new/ssh_config.5	Tue Sep  9 17:48:39 2014
+@@ -643,8 +643,8 @@
+ token used for the session will be set to expire after 20 minutes.
+ Remote clients will be refused access after this time.
+ .Pp
+-The default is
+-.Dq no .
++The default on Solaris is
++.Dq yes .
+ .Pp
+ See the X11 SECURITY extension specification for full details on
+ the restrictions imposed on untrusted clients.
 @@ -673,8 +673,8 @@
  .Pa /etc/ssh/ssh_known_hosts2 .
  .It Cm GSSAPIAuthentication
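Review bot: The new man-page text `The default on Solaris is .Dq yes .` is unconditional, while the matching code change in readconf.c (and in servconf.c, documented by the same wording in the sshd_config.5 hunk at the end of this diff) is gated on `#ifdef OPTION_DEFAULT_VALUE`; a build that does not define the macro would ship documentation that overstates the default. Either the patch header should record that OPTION_DEFAULT_VALUE is always defined for the Solaris build, or the wording should tie the two together, e.g. `The default on Solaris (built with OPTION_DEFAULT_VALUE) is .Dq yes .`.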
@@ -46,7 +87,7 @@
  .It Cm GSSAPIDelegateCredentials
  Forward (delegate) credentials to the server.
 --- orig/sshd_config.5	Thu Sep  4 17:58:07 2014
-+++ new/sshd_config.5	Thu Sep  4 17:59:40 2014
++++ new/sshd_config.5	Tue Sep  9 17:49:58 2014
 @@ -490,8 +490,8 @@
  .Dq no .
  .It Cm GSSAPIAuthentication
@@ -58,3 +99,14 @@
  Note that this option applies to protocol version 2 only.
  .It Cm GSSAPICleanupCredentials
  Specifies whether to automatically destroy the user's credentials cache
+@@ -1239,8 +1239,8 @@
+ .Dq yes
+ or
+ .Dq no .
+-The default is
+-.Dq no .
++The default on Solaris is
++.Dq yes .
+ .Pp
+ When X11 forwarding is enabled, there may be additional exposure to
+ the server and to client displays if the