1 From 9406fc5e9296bbba9fe16433d0fea6c0fd40abd7 Mon Sep 17 00:00:00 2001
2 From: oracle <solaris@oracle.com>
3 Date: Mon, 3 Aug 2015 14:36:33 -0700
4 Subject: [PATCH 14/36] Deprecate SunSSH compatible server options
5
6 #
7 # Originally we planned to only deprecate client config (ssh_config) options
8 # and leave it up to system administrators to remove all SunSSH specific
9 # server config (sshd_config) options. In internal testing we have discovered,
10 # that this would bring too much trouble to the said administrators.
11 # The probability of these options appearing in existing sshd_config files
12 # is higher than initially thought, because some of the options have been in
13 # the default sshd_config file for a very long time. Also the consequence of
14 # an unknown server option is harsh - ssh service goes to maintenance mode,
15 # possibly rendering the instance not accessible. For this reason we will
16 # deprecate SunSSH specific sshd_config options too.
17 #
18 # This is a Solaris specific change to ease the transition and will not be
19 # offered upstream.
20 #
21 ---
22 servconf.c | 23 +++++++++++++++++++++++
23 1 file changed, 23 insertions(+)
24
25 diff --git a/servconf.c b/servconf.c
26 index dab8945..1a68479 100644
27 --- a/servconf.c
28 +++ b/servconf.c
29 @@ -592,6 +592,29 @@ static struct {
30 { "pamserviceprefix", sPAMServicePrefix, SSHCFG_GLOBAL },
31 { "pamservicename", sPAMServiceName, SSHCFG_GLOBAL },
32 #endif
33 +#ifdef DEPRECATE_SUNSSH_OPT
34 + /*
35 + * On Solaris, to make the transition from SunSSH to OpenSSH as smooth
36 + * as possible, we will deprecate SunSSH-only options in OpenSSH.
37 + * Therefore on a system having one of the following options in
38 + * /etc/ssh/sshd_config, change to OpenSSH will not result in service
39 + * network/ssh going to maintenance. Instead, a warning will be printed
40 + * to /var/svc/log/network-ssh:default.log. Note that
41 + * this is an interim enhancement to OpenSSH to make the transition
42 + * smoother. If a deprecated SunSSH-only option is migrated to OpenSSH
43 + * later, then it will be changed from deprecated to supported.
44 + */
45 + { "maxauthtrieslog", sDeprecated, SSHCFG_GLOBAL },
46 + { "lookupclienthostnames", sDeprecated, SSHCFG_GLOBAL },
47 + { "useopensslengine", sDeprecated, SSHCFG_GLOBAL },
48 + { "preuserauthhook", sDeprecated, SSHCFG_ALL},
49 + { "kmfpolicydatabase", sDeprecated, SSHCFG_GLOBAL },
50 + { "kmfpolicyname", sDeprecated, SSHCFG_GLOBAL },
51 + { "trustedanchorkeystore", sDeprecated, SSHCFG_GLOBAL },
52 + { "useunsupportedsshv1", sDeprecated, SSHCFG_GLOBAL },
53 + { "usefips140", sDeprecated, SSHCFG_ALL},
54 + { "gssapistoredelegatedcredentials", sDeprecated, SSHCFG_ALL },
55 +#endif
56 { "revokedkeys", sRevokedKeys, SSHCFG_ALL },
57 { "trustedusercakeys", sTrustedUserCAKeys, SSHCFG_ALL },
58 { "authorizedprincipalsfile", sAuthorizedPrincipalsFile, SSHCFG_ALL },
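Review bot: Several keywords mapped to `sDeprecated` here look security-relevant by name (`usefips140`, `preuserauthhook`, `trustedanchorkeystore`, `kmfpolicydatabase`/`kmfpolicyname`, and `maxauthtrieslog` for failed-login logging), so accepting and ignoring them makes the migration fail open: sshd starts with the directive still in sshd_config but the control no longer applied, and per the block comment the only signal is a warning in the SMF service log. The block comment should state this explicitly, e.g. add `* Deprecated options are parsed and ignored, NOT enforced; a control such as UseFIPS140 must be re-established by other means.` A more prominent log level for those entries is worth considering, though the `sDeprecated` handler is outside this hunk, so its current level cannot be confirmed from here. Minor style: `SSHCFG_ALL}` on the `preuserauthhook` and `usefips140` lines lacks the space before the closing brace that every other entry has. The keyword table itself begins and ends outside the hunk.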
59 --
60 2.5.4 (Apple Git-61)
61