21509846 problem in UTILITY/OPENSSH
21279048 OpenSSH missing dependency on xauth
21459889 GSSAPIStoreDelegatedCredentials option should be deprecated in OpenSSH
21482420 OpenSSH default XAuthLocation should be /usr/bin/xauth on Solaris
--- a/components/openssh/Makefile Tue Jul 28 13:01:27 2015 -0700
+++ b/components/openssh/Makefile Tue Jul 28 14:47:36 2015 -0700
@@ -81,6 +81,7 @@
CONFIGURE_OPTIONS += --with-solaris-contracts
CONFIGURE_OPTIONS += --with-tcp-wrappers
CONFIGURE_OPTIONS += --with-4in6
+CONFIGURE_OPTIONS += --with-xauth=/usr/bin/xauth
CONFIGURE_OPTIONS += --enable-strip=no
CONFIGURE_OPTIONS += --without-rpath
CONFIGURE_OPTIONS += --libexecdir=/usr/lib/ssh
--- a/components/openssh/openssh.p5m Tue Jul 28 13:01:27 2015 -0700
+++ b/components/openssh/openssh.p5m Tue Jul 28 14:47:36 2015 -0700
@@ -136,4 +136,6 @@
com.oracle.info.description="GSS-API authenticated key exchange" \
com.oracle.info.name=gsskex com.oracle.info.tpno=$(TPNO_GSSKEX) \
com.oracle.info.version=5.7p1
+depend type=conditional fmri=pkg:/x11/session/xauth \
+ predicate=pkg:/x11/library/libxau
depend type=require fmri=service/network/ssh-common--- a/components/openssh/patches/020-deprecate_sunssh_sshd_config_opts.patch Tue Jul 28 13:01:27 2015 -0700
+++ b/components/openssh/patches/020-deprecate_sunssh_sshd_config_opts.patch Tue Jul 28 14:47:36 2015 -0700
@@ -13,12 +13,11 @@
# This is a Solaris specific change to ease the transition and will not be
# offered upstream.
#
-diff -pur old/servconf.c new/servconf.c
---- old/servconf.c 2015-03-28 22:31:16.652020119 +0100
-+++ new/servconf.c 2015-03-28 22:34:36.569887785 +0100
[email protected]@ -557,6 +557,28 @@ static struct {
- { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
- { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
+--- orig/servconf.c Tue Jul 21 16:34:07 2015
++++ new/servconf.c Tue Jul 21 17:00:39 2015
[email protected]@ -567,6 +567,29 @@
+ { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
+ { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
#endif
+#ifdef DEPRECATE_SUNSSH_OPT
+ /*
@@ -41,6 +40,7 @@
+ { "trustedanchorkeystore", sDeprecated, SSHCFG_GLOBAL },
+ { "useunsupportedsshv1", sDeprecated, SSHCFG_GLOBAL },
+ { "usefips140", sDeprecated, SSHCFG_ALL},
++ { "gssapistoredelegatedcredentials", sDeprecated, SSHCFG_ALL },
+#endif
{ "revokedkeys", sRevokedKeys, SSHCFG_ALL },
{ "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/openssh/patches/030-auth_limits_bypass_fix.patch Tue Jul 28 14:47:36 2015 -0700
@@ -0,0 +1,35 @@
+#
+# This is to fix a keyboard-interactive authentication brute force
+# vulnerability (MaxAuthTries bypass). A CVE number (CVE-2015-5600) has been
+# reserved for this problem, but not officially issued yet. This fix came from
+# OpenSSH upstream, which will be included in the future OpenSSH 7.0p1 release.
+# When we upgrade OpenSSH to 7.0 in the future, we will remove this patch.
+#
+--- orig/auth2-chall.c Fri Jul 24 17:36:37 2015
++++ new/auth2-chall.c Fri Jul 24 17:47:21 2015
[email protected]@ -83,6 +83,7 @@
+ void *ctxt;
+ KbdintDevice *device;
+ u_int nreq;
++ u_int devices_done;
+ };
+
+ #ifdef USE_PAM
[email protected]@ -169,11 +170,15 @@
+ if (len == 0)
+ break;
+ for (i = 0; devices[i]; i++) {
+- if (!auth2_method_allowed(authctxt,
++ if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
++ !auth2_method_allowed(authctxt,
+ "keyboard-interactive", devices[i]->name))
+ continue;
+- if (strncmp(kbdintctxt->devices, devices[i]->name, len) == 0)
++ if (strncmp(kbdintctxt->devices, devices[i]->name,
++ len) == 0) {
+ kbdintctxt->device = devices[i];
++ kbdintctxt->devices_done |= 1 << i;
++ }
+ }
+ t = kbdintctxt->devices;
+ kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;