Quest OpenSSH

Quest OpenSSH Change Summary

Configuration defaults changed:

* sshd_config:
	GSSAPIAuthentication      no  -> yes
	GSSAPIKeyExchange         no  -> yes
	GSSAPIStrictAcceptorCheck yes -> no
	HostKeys                  -      yes
	UsePAM                    no  -> yes
	X11Forwarding             no  -> yes

* ssh_config:
	GSSAPIAuthentication      no  -> yes
	GSSAPIKeyExchange         no  -> yes
	GSSAPIDelegateCredentials no  -> yes
	HashKnownHosts            no  -> yes
	ServicePrincipalName      -      NULL
	Protocol                  2,1 -> 2

Change History:
- Fix for

- On Linux, include a Provides for 'openssh'.

- On AIX, if the file "/var/opt/quest/.sshd_disable_lam" exists, LAM auth isn't tried.

- Work to make sure that if a login changes information (for example nested group membership
  makes a new override apply to the user, and/or adds new group memberships), the new
  information is used. This might slow down logins slightly as information is re-queried.

- On AIX, include a PAM configuration copied from the login section of pam.conf if not already configured.
- Re-acquire the user's information after authentication in case processing the login changed it.
- On AIX, if the file "/var/opt/quest/.sshd_disable_lam" exists, LAM auth is disabled.

- pam_open_session called with dropped privs

- Insufficient privileges to chroot() on AIX

- Openssh doesn't support UTMPS/BTMPS/WTMPS database

- Fix linking so the AIX package doesn't require the QAS 4.0 library.
- Change version (remove _) so the package is accepted on Debian.
- Add back the HPN patch. openssh5.2 - HPN 13 - dynwindow_noneswitch

- AIX src integration now works. 

- Let sshd manage its own PID file. This keeps remote restarts from hanging due to
  the old "sshd & echo $!" method of obtaining the PID failing when there is no job control.
- Worked on the HP init scripts: some variables were expanded when the script was generated,
  when they should expand only when the script is run.

- For SMF, have the process ignore child cores.

- Update openSSL to 0.9.8o.
- Bug 499, SMF integration on Solaris. 

- Fix an X11 forwarding issue with a native IPv6 address when IPv6 is not enabled.

- Bug 745: Backport openSSH upstream fix for bug 1528:

- Bug 724: No /etc/rc?.d/*sshd-quest files made when using a response file for install
- Bug 481: /etc/pam.d/sshd laid down is only RH4+ compatible, fails on RH3

- Update copyright year on auth-lam.c

- sshd-quest service no longer optional on Solaris

- Fix Quest revision missing from version number on AIX

- Deny root if PermitRootLogin is not "yes" during LAM authentication
  (bug #712).

- Fix double-free bug in AIX LAM authentication code (bug #679)
- Don't explicitly link to libgcc_s, despite what krb5-config might say
  (bug #703)

  - bug 564: Enabled IPv6 in tcp_wrappers
  - bug 514: specifying -h hostkey option to sshd caused corruption
  - bug 405: improve build checks
  - bug 451: on Solaris 2.6, put PID files in /tmp instead of /var/run
  - use openssl-0.9.8g
  - bug 409: don't print "Killed by signal 15"
  - bug 11:  don't use /var/log/btmp on Debian
  - show all host fingerprints in HP-UX SAM module
  - merge with sxw's openssh-5.0p1-gsskex-20080404.patch

  - bug 368: merge with OpenSSH 4.7p1
  - bug 185: double stop init script messages
  - bug 346: install PAM files
  - moved manual pages into the main package 
  - upstream bug 1368: added -R option to scp

  - bug 222: merge with OpenSSH 4.6p1 release
  - bug 281: merge with HPN 12v17 patch
  - merge with sxw's openssh-4.6p1-gsskex-20070312
  - bug 207: 64bit support on Linux/s390x
  - OS X build support
  - bug 280: NIS+/pam_dhkeys credentials were not established (upstream 1339)
  - bug 253: put pid files in /var/run instead of /var/opt/quest/run
  - bug 110: add /opt/quest/bin into default PATH for AIX systems (for scp)
  - bug 186: correct missing summary information in packages
  - KbdInteractiveAuthentication defaults to enabled when UsePAM is enabled
  - correct documentation for GSSAPIKeyExchange default
  - improved tests for Debian; and aliased host/
  - use openssl-0.9.8e; s/390 support + patch from upstream bug 1291

  - merge with OpenSSH 4.5p1 release
  - bug 123: local account logins failed on hpux11.11 with vas3.1
  - bugs 127 128 174: install missing directories
  - bug 173: correct problem where ssh*_config not installed
  - package name changes
  - bug 134: source dist improvements; add build-2.6 make target for VAS2.6

  - merge with OpenSSH 4.4p1 release
  - vintela bug 4150: check VAS version during install
  - vintela bug 4319: sshd option GSSAPIStrictAcceptorCheck yes->no
  - vintela bug 5428: don't ship ssh-keysign as setuid
  - vintela bug 7747: look in VAS2.6 sysconfdir for old host keys first
  - vintela bug 8249: revert GSSAPICleanupCredentials to default to yes
  - bug 31: home directory creation failed on aix
  - bug 49: ssh option HashKnownHosts no->yes
  - bug 74: keyboard-interactive for AIX when PAM unavailable
  - bug 90: merge with sxw's openssh-4.4p1-gsskex-20061002.patch
  - bug 92: sshd option GSSAPIKeyExchange default no->yes
  - bug 95: ssh option Protocol default 2,1->2
  - bug 99: maintain /etc/pam.d/sshd when suse openssh is uninstalled
  - using polypkg for package generation
  - bug 54: build with tcp_wrappers

  - New version numbering scheme.
  - use root:bin to own executable files; not root:sys.
  - Add RC licence text which shows up under AIX installs.
  - allow config.local to specify the SRC name
  - VAS3 test support
  - Merge with OpenSSH 4.3p2 release.

  - Merge with OpenSSH 4.3p1 release
  - bug 5895: try gssapi before public-key
  - bug 6042: empty usernames mapped using GSSAPI 
	(requires 'UsePrivilegeSeparation no', for now)
  - bug 6594: RSA (publickey) failures on Solaris

vrc1.9.2 (unreleased)
  - bug 5934: unnecessary initgroup calls delayed
	login on systems with many VAS-enabled groups
  - bug 6068: user credential cache was lost when using
	pam_vas with keyboard-interactive and privsep
  - merge with openssh-4.2p1-gsskex-20050926-2.patch
  - bug 6379: detect gss gex bugs in vintela putty versions and disable
  - bug 6115 (upstream bug 1087): show PAM password expiry messages

  - bug 5899: cross-realm authentication workarounds

  - Merge with OpenSSH 4.2p1 release
  - Change GSSAPIServiceName to ServicePrincipalName

  - bug 5651: Add GSSAPIServiceName option
  - Add HostKeys and GSSAPIKexExchange options to server
  - improve diagnostics for aix credentials
  - bugfix: gsskex rekey no longer fails with privsep
  - bugfix: occasional superfluous chars after realm

* Merge with OpenSSH 4.1p1 release

  - Include gsskex (GSSAPI key exchange) (enhancement bug 3943)
        See <>
  - bugfix: core dump in AIX on LAM pw expire (bug 4918; bug 1006)
  - bugfix: missing pam messages on auth fail (bug 4618; bug 1028)

* Merge with OpenSSH 4.0p1 release


* Do not use a GSSAPI service name constructed from gethostname();
  instead let GSSAPI (VAS) choose the service name.


Changes configuration defaults. The rationale behind this was to ease
migration from existing SSH installations, and to enable by default
features provided by VAS.

    UsePAM no -> yes
       - Use VAS (via PAM) to set up user context, mount home etc
    GSSAPIAuthentication no -> yes
       - prefer use of VAS (via GSSAPI)
    GSSAPICleanupCredentials yes -> no
       - rely on VAS to remove credentials on session close
    X11Forwarding no -> yes
       - required for VMX

    GSSAPIAuthentication no->yes
       - prefer use of VAS (via GSSAPI)
    GSSAPIDelegateCredentials no->yes
       - allow credentials to be copied to remote host (improves SSO)
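
Because this package ships with defaults that differ from upstream OpenSSH (both the summary table at the top and the rationale list above), a host running Quest OpenSSH behaves differently from a stock build even with an identical config file. The following script is an added example (the editor's, not part of the Quest OpenSSH package) that parses an sshd_config or ssh_config, applies the documented Quest defaults for any keyword the file does not set, and reports where the effective value differs from the upstream default. It assumes the standard config semantics: keywords are case-insensitive, the first value obtained for a keyword wins, and directives after the first "Match" line are conditional rather than global. The sample config embedded at the bottom is constructed for the demonstration.

```python
import re

# Defaults as documented in the change summary: (Quest value, upstream value).
SSHD_DEFAULTS = {
    "gssapiauthentication":      ("yes", "no"),
    "gssapikeyexchange":         ("yes", "no"),
    "gssapistrictacceptorcheck": ("no",  "yes"),
    "usepam":                    ("yes", "no"),
    "x11forwarding":             ("yes", "no"),
}
SSH_DEFAULTS = {
    "gssapiauthentication":      ("yes", "no"),
    "gssapikeyexchange":         ("yes", "no"),
    "gssapidelegatecredentials": ("yes", "no"),
    "hashknownhosts":            ("yes", "no"),
    "protocol":                  ("2",   "2,1"),
}

# "Keyword value", "Keyword=value" and "Keyword = value" are all accepted.
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_global_settings(text):
    """Return {keyword: value} for the global section; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue                           # keyword without a value: skipped here
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break                              # lines below apply only to matching connections
        settings.setdefault(keyword, value)    # first value obtained wins
    return settings


def effective_settings(text, defaults):
    """Explicit settings layered over the Quest package defaults."""
    effective = {k: quest for k, (quest, _upstream) in defaults.items()}
    effective.update(parse_global_settings(text))
    return effective


def deviations_from_upstream(text, defaults):
    """(keyword, effective value, upstream default) for every keyword where this
    host behaves differently from a stock OpenSSH build using the same file."""
    eff = effective_settings(text, defaults)
    return [
        (keyword, eff[keyword], upstream)
        for keyword, (_quest, upstream) in defaults.items()
        if eff[keyword].lower() != upstream.lower()
    ]


# Constructed sample sshd_config for the demonstration (not a real host's file).
SAMPLE_SSHD_CONFIG = """\
# constructed sample
Port 22
GSSAPIAuthentication yes
X11Forwarding no
UsePAM = yes
Match User backup
    X11Forwarding yes
"""

if __name__ == "__main__":
    for keyword, eff, upstream in deviations_from_upstream(SAMPLE_SSHD_CONFIG, SSHD_DEFAULTS):
        print(f"{keyword}: effective={eff} (stock OpenSSH default is {upstream})")
```

On the sample above the report lists GSSAPIAuthentication, GSSAPIKeyExchange, GSSAPIStrictAcceptorCheck and UsePAM; X11Forwarding is not listed because the file sets it to "no" explicitly, which matches upstream. Point the script at a real file with `deviations_from_upstream(open(path).read(), SSHD_DEFAULTS)` (or `SSH_DEFAULTS` for the client side) to see which of the package's relaxed defaults a host is actually relying on.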