General | Tuesday, July 7, 2015

OpenSSH in Solaris 11.3

By: Darren Moffat | Senior Principal Engineer

Solaris 9 was the first release in which we included an implementation of the IETF SSH client and server protocols; I led that project and at the time was also the document editor for the IETF standards documents. We started with OpenSSH but, for various reasons, it became over time a Solaris-specific fork called SunSSH. We have regularly resynced with OpenSSH for features and bug fixes, but SunSSH remains a fork.

Starting with Solaris 11.3 we supply OpenSSH in addition to SunSSH. The intent is that in some future release SunSSH will be removed, leaving only OpenSSH.

For Solaris 11.3 both OpenSSH and SunSSH can be installed on a machine at the same time, or the administrator can choose to install only one. SunSSH is delivered by pkg:/network/ssh and OpenSSH by pkg:/network/openssh.

Both packages are run by the same SMF service, svc:/network/ssh:default, which is actually delivered by pkg:/network/ssh-common. When both OpenSSH and SunSSH are installed, an IPS package mediator selects which implementation the SMF service starts and which one /usr/bin/ssh points to. A system with OpenSSH set as the default looks like this:

$ pkg mediator ssh
MEDIATOR   VER. SRC.  VERSION   IMPL. SRC.  IMPLEMENTATION
ssh        system               local       openssh
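The mediator decides which binary /usr/bin/ssh and the SMF service resolve to, but after a switch it is worth confirming that the ssh actually answering is the one the mediator names. The following POSIX shell script is an added example (not code from the post or from Solaris) that compares the mediator output with the version banner; the banner prefixes "OpenSSH_" and "Sun_SSH_", the "sunssh" mediator implementation name and the sample data are assumptions to confirm on your own host:

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the ssh implementation
# the IPS mediator selects is the one actually in use, by comparing the mediator
# output with the version banner that the ssh binary (or sshd) reports.

# Map a version banner to a mediator implementation name.
# Assumption: OpenSSH banners start with "OpenSSH_" and SunSSH banners with
# "Sun_SSH_", and the SunSSH mediator implementation is called "sunssh".
impl_from_banner() {
    case "$1" in
        *OpenSSH_*) echo openssh ;;
        *Sun_SSH_*) echo sunssh ;;
        *)          echo unknown ;;
    esac
}

# Extract the selected implementation (last column of the "ssh" row) from
# the output of `pkg mediator ssh`; the header row is skipped.
impl_from_mediator() {
    printf '%s\n' "$1" | awk '$1 == "ssh" { print $NF }'
}

# Succeeds only when the mediator and the banner name the same implementation.
check_consistent() {
    [ "$(impl_from_mediator "$1")" = "$(impl_from_banner "$2")" ]
}

# Constructed sample data, modelled on the output shown in the post.
SAMPLE_MEDIATOR='MEDIATOR   VER. SRC.  VERSION   IMPL. SRC.  IMPLEMENTATION
ssh        system               local       openssh'
SAMPLE_BANNER='OpenSSH_6.5p1 (constructed banner)'

# On a Solaris 11.3 host the same check reads (ssh -V prints to stderr):
#   check_consistent "$(pkg mediator ssh)" "$(ssh -V 2>&1)" \
#       || echo "mediator and /usr/bin/ssh disagree"
# To switch the mediator to OpenSSH and restart the service afterwards:
#   pkg set-mediator -I openssh ssh && svcadm restart svc:/network/ssh:default
```

The comparison is deliberately done against the banner rather than against the package list: a host can have both packages installed and the mediator pointing one way while a service that was never restarted is still running the other implementation.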

Our intent is that the OpenSSH delivered in Solaris has as few Solaris-specific changes applied as possible. We have managed to push some bug fixes upstream to the OpenSSH community, but there are still some Solaris-specific changes for enhancements we felt were important to customers migrating from SunSSH. These Solaris-specific changes are applied to OpenSSH during the build process using patch(1) and are thus maintained in a directory called patches. Some of the patches are purely build related and some are features. The current list of feature patches includes:

  • GSS credential storage
  • PAM Service Name per SSH userauth method as per SunSSH
  • PAM can not be disabled with the UsePAM option
  • DisableBanner option for the ssh client: see ssh_config(4)

While the intent going forward is to keep up with the OpenSSH releases, we may choose to backport a fix from a later version of OpenSSH to fix a bug or security vulnerability rather than delivering the whole release. Often the reasons for doing this will be related to the available Solaris release train at the time and the size of the change in the later release. This means that the version of OpenSSH could change in a Solaris SRU.

The OpenSSH releases also include some very useful features that we hadn't ported over to SunSSH. The pkg mediator selects which binaries are the system default, but it doesn't help with the per-user configuration file. To use OpenSSH features when the same home directory may also be used by a SunSSH client, each client has to be told to ignore options it does not understand. This feature originated in SunSSH, but when the equivalent feature arrived in OpenSSH the option name was different. To overcome this I have the following in my ~/.ssh/config file:

# Tell OpenSSH to ignore the SunSSH-only keyword on the next line
IgnoreUnknown IgnoreIfUnknown
# Tell SunSSH to ignore the OpenSSH-only keywords, including the IgnoreUnknown line above
IgnoreIfUnknown IgnoreUnknown,ControlMaster,ControlPersist,ControlPath

That allows me to have Host blocks using the ControlMaster configuration that OpenSSH knows about but SunSSH doesn't, and it ensures that neither client complains about unknown options. Some of the other important differences between SunSSH and OpenSSH are:

SunSSH                      OpenSSH
UseOpenSSLEngine            No replacement; OpenSSL defaults to using hardware acceleration on modern SPARC and Intel CPUs.
MaxAuthTriesLog             OpenSSH always logs at MaxAuthTries / 2.
PreUserAuthHook             Use AuthorizedKeysCommand instead.
IgnoreIfUnknown             IgnoreUnknown
Message localisation        Client and server messages are no longer localised.
Use of /etc/default/login   No replacement; set policy using PAM and sshd_config.
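The IgnoreUnknown/IgnoreIfUnknown arrangement only works if the IgnoreIfUnknown list names every OpenSSH-only keyword the file actually uses; a keyword added to a Host block later and forgotten on that line makes SunSSH fail again. The following POSIX shell function is an added example (not code from the post or from either SSH implementation) that scans a client config for exactly that mistake. The set of OpenSSH-only keywords is an assumption taken from the options mentioned in this post, and the sample config is constructed:

```shell
#!/bin/sh
# Added example, not from the original post: find OpenSSH-only keywords in an
# ssh client config that no IgnoreIfUnknown line covers, so that a SunSSH
# client reading the same ~/.ssh/config would reject them.

# Assumption: keywords SunSSH does not understand. Taken from the options
# discussed in the post; extend this list for your own configuration.
OPENSSH_ONLY="IgnoreUnknown ControlMaster ControlPersist ControlPath"

# Constructed sample config: ControlPath is used but missing from IgnoreIfUnknown.
SAMPLE_CONFIG='IgnoreUnknown IgnoreIfUnknown
IgnoreIfUnknown IgnoreUnknown,ControlMaster,ControlPersist

Host build-*
    ControlMaster auto
    ControlPath ~/.ssh/cm-%r@%h:%p
    ControlPersist 10m
'

# Print, one per line and in order of first use, each OpenSSH-only keyword that
# appears in the config but is not listed on an IgnoreIfUnknown line.
# Keywords are case-insensitive and may be separated from values by blanks or "=".
uncovered_options() {
    printf '%s\n' "$1" | awk -v only="$OPENSSH_ONLY" '
        BEGIN {
            k = 0
            n = split(only, names, " ")
            for (i = 1; i <= n; i++) want[tolower(names[i])] = names[i]
        }
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "ignoreifunknown") {
                # Every keyword on this line is safe for SunSSH
                m = split(tolower(f[2]), c, ",")
                for (j = 1; j <= m; j++) covered[c[j]] = 1
                next
            }
            if ((key in want) && !(key in seen)) {
                seen[key] = 1
                order[++k] = key
            }
        }
        END {
            for (i = 1; i <= k; i++)
                if (!(order[i] in covered)) print want[order[i]]
        }
    '
}

# Typical use on a real home directory:
#   uncovered_options "$(cat ~/.ssh/config)"
# An empty result means SunSSH will not trip over any OpenSSH-only keyword.
```

The scan treats the whole file as one unit because that is how both clients read it: an IgnoreIfUnknown line anywhere in the file covers the keywords it names, so the check collects the covered set first and only reports what remains.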
