PSARC/2014/342 pam_unix_session lastlog support
19579776 OpenSSH doesn't need to reference lastlog anymore now that PAM session mgmt does
--- a/components/openssh/Makefile Tue Sep 30 13:39:00 2014 -0700
+++ b/components/openssh/Makefile Wed Oct 01 04:52:05 2014 -0700
@@ -85,6 +85,7 @@
CONFIGURE_OPTIONS += --libexecdir=/usr/lib/ssh
CONFIGURE_OPTIONS += --sbindir=/usr/lib/ssh
CONFIGURE_OPTIONS += --sysconfdir=/etc/ssh
+CONFIGURE_OPTIONS += --disable-lastlog
# Copy the sftp dtrace provider file and the header file to source directory
COMPONENT_PRE_BUILD_ACTION = \
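Review bot: The added `CONFIGURE_OPTIONS += --disable-lastlog` line carries no comment saying that last-login recording and display now depend entirely on pam_unix_session(5) running in sshd's PAM session stack. If that module is missing from the stack sshd uses (or PAM can be switched off in this build, which the hunk does not show), SSH logins would leave no lastlog entry and users would lose the "Last login" cue that helps them spot unexpected access. I would add a comment above the option, for example `# lastlog is written and reported by pam_unix_session(5); sshd's PAM session stack must include it.`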
--- a/components/openssh/patches/003-last_login.patch Tue Sep 30 13:39:00 2014 -0700
+++ b/components/openssh/patches/003-last_login.patch Wed Oct 01 04:52:05 2014 -0700
@@ -1,32 +1,69 @@
-# This change is Solaris-specific and thus is not being contributed back
-# to the upstream community. Details:
+# The man page change here is Solaris-specific and thus is not being
+# contributed back to the upstream community. The servconf.c change
+# was developed in-house and has been submitted upstream to OpenSSH for
+# their consideration:
+# https://bugzilla.mindrot.org/show_bug.cgi?id=2278
+#
+# OpenSSH normally updates lastlog when users login and reads lastlog to
+# determine the last login time of the user however on Solaris the
+# pam_unix_session(5) module handles both of these tasks so we compile
+# OpenSSH with --disable-lastlog to disable all lastlog references.
+# This means the sshd_config option of PrintLastLog is now ignored and
+# can't be changed so we update sshd's configuration parsing to flag
+# this as unsupported and update the man page here.
#
-# OpenSSH updates lastlog when users login however on Solaris the
-# pam_open_session(3PAM) function handles this so we avoid the
-# redundant additional upating of lastlog here. We can't disable all
-# lastlog references with --disable-lastlog or NO_SSH_LASTLOG since that
-# prevents the 'Last login: ...' message from being displayed. Thus
-# we just prevent OpenSSH from updating lastlog since reading from
-# lastlog is fine. Other PAM implementations don't update lastlog
-# during session management so this change is Solaris-specific and
-# thus isn't being contributed back to the upstream community.
-#
-*** orig/loginrec.c Thu Oct 4 16:08:42 2012
---- new/loginrec.c Thu Sep 4 16:41:24 2014
+*** old/servconf.c Wed Sep 17 02:54:26 2014
+--- new/servconf.c Wed Sep 17 02:56:55 2014
+***************
+*** 432,438 ****
+--- 432,442 ----
+ { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
+ { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
+ { "printmotd", sPrintMotd, SSHCFG_GLOBAL },
++ #ifdef DISABLE_LASTLOG
++ { "printlastlog", sUnsupported, SSHCFG_GLOBAL },
++ #else
+ { "printlastlog", sPrintLastLog, SSHCFG_GLOBAL },
++ #endif
+ { "ignorerhosts", sIgnoreRhosts, SSHCFG_GLOBAL },
+ { "ignoreuserknownhosts", sIgnoreUserKnownHosts, SSHCFG_GLOBAL },
+ { "x11forwarding", sX11Forwarding, SSHCFG_ALL },
+*** old/sshd_config.5 Tue Sep 16 06:24:13 2014
+--- new/sshd_config.5 Tue Sep 16 06:47:47 2014
***************
-*** 444,450 ****
- #ifdef USE_LOGIN
- syslogin_write_entry(li);
- #endif
-! #ifdef USE_LASTLOG
- if (li->type == LTYPE_LOGIN)
- lastlog_write_entry(li);
- #endif
---- 444,450 ----
- #ifdef USE_LOGIN
- syslogin_write_entry(li);
- #endif
-! #if defined(USE_LASTLOG) && !defined(PAM_SUN_CODEBASE)
- if (li->type == LTYPE_LOGIN)
- lastlog_write_entry(li);
- #endif
+*** 1008,1015 ****
+ .Xr sshd 1M
+ should print the date and time of the last user login when a user logs
+ in interactively.
+! The default is
+! .Dq yes .
+ .It Cm PrintMotd
+ Specifies whether
+ .Xr sshd 1M
+--- 1008,1015 ----
+ .Xr sshd 1M
+ should print the date and time of the last user login when a user logs
+ in interactively.
+! On Solaris this option is always ignored since pam_unix_session(5)
+! reports the last login time.
+ .It Cm PrintMotd
+ Specifies whether
+ .Xr sshd 1M
+***************
+*** 1349,1355 ****
+ (though not necessary) that it be world-readable.
+ .El
+ .Sh SEE ALSO
+! .Xr sshd 8
+ .Sh AUTHORS
+ OpenSSH is a derivative of the original and free
+ ssh 1.2.12 release by Tatu Ylonen.
+--- 1349,1356 ----
+ (though not necessary) that it be world-readable.
+ .El
+ .Sh SEE ALSO
+! .Xr sshd 8 ,
+! .Xr pam_unix_session 5
+ .Sh AUTHORS
+ OpenSSH is a derivative of the original and free
+ ssh 1.2.12 release by Tatu Ylonen.
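Review bot: In the servconf.c part, mapping `printlastlog` to `sUnsupported` under `DISABLE_LASTLOG` means an existing `PrintLastLog no` in sshd_config is discarded, presumably with only a log message, while pam_unix_session(5) still reports the last login. A site that had deliberately suppressed the message will see it return after the upgrade. The new sshd_config.5 text says the option is ignored, but not that sshd flags the keyword or where the report is now controlled. I would extend the man page change with a sentence such as `sshd logs this keyword as unsupported; the last login report is controlled by the PAM session configuration.` The keyword table in servconf.c continues outside the quoted context, so any other lastlog-dependent keywords cannot be checked from here.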
--- a/components/openssh/patches/007-manpages.patch Tue Sep 30 13:39:00 2014 -0700
+++ b/components/openssh/patches/007-manpages.patch Wed Oct 01 04:52:05 2014 -0700
@@ -1,8 +1,10 @@
+# This change is Solaris-specific and thus is not being contributed back
+# to the upstream community. Details:
#
# OpenSSH uses the BSD/Linux man page scheme which is different from the SysV
# man page scheme used in Solaris. In order to comply to the Solaris man page
# policy and also use the IPS mediator to switch between SunSSH and OpenSSH man
-# pages, the section numbers of some OpenSSH man pages are changed to be as
+# pages, the section numbers of some OpenSSH man pages are changed to be the
# same as their corresponding ones in SunSSH.
#
--- orig/moduli.5 Thu Feb 6 10:00:17 2014
@@ -580,8 +582,9 @@
(though not necessary) that it be world-readable.
.El
.Sh SEE ALSO
--.Xr sshd 8
-+.Xr sshd 1M
+-.Xr sshd 8 ,
++.Xr sshd 1M ,
+ .Xr pam_unix_session 5
.Sh AUTHORS
OpenSSH is a derivative of the original and free
ssh 1.2.12 release by Tatu Ylonen.