OpenBSD Journal

[OpenSSH] Solaris 9 to use OpenSSH code

Contributed by Dengue on from the saves-me-a-lot-of-time dept.

dodeca writes :
"Daily Daemon News points to a Register story talking about the enhanced security features of Solaris 9. In particular, they will be using OpenSSH code and submitting enhancements made back to the community. All the Solaris 9 info at requires subscription/membership."

(Comments are closed)

  1. By Chris () on

    With Sun's record of code security, is that a good or a bad thing?

  2. By mra () on

    Sun took OpenSSH and modified it to the point of breaking compatibility with the forthcoming standard. They did this so that everyone else wouldn't be able to get all of their PKI additions without doing an overhaul of how they parse version strings to accommodate "SUN-SSH".

    Yea the LDAP PKI infrastructure is really cool, and it certainly is much better than nis(+), so while I'm glad they are giving that back to the code base I'm still bothered that they felt they needed to break compatibility *with all existing implementations*.

    1. By Anonymous Hero () on

      can you elaborate on this, or point to someplace that already does?

      thanks. :)

      1. By Anonymous Hero () on

        can you elaborate on this, or point to someplace that already does?

        er, already has?

      2. By mra () on

        I don't know of anyplace where this has been posted, I found out through talking with Sun employees.

      3. By Technofiend () on

        I have a Solaris 9 beta box (the ISOs can be freely downloaded from

        You can ssh TO almost any box FROM your Solaris 9 machine.

        Only the very latest openssh (3.2.1) succeeds connecting TO Solaris 9.

        Anything else reports a variety of errors: unable to complete key exchange, RSA key checksum didn't match, etc.

        My guess is public pressure will make them fix it or the openssh community will adapt. Nothing keeping ya from loading your own openssh right on top of it anyway.

        1. By mra () on

          OpenSSH 3.2.1 supports Sun's broken version that's why it was able to connect to it. The reason why you wouldn't just compile an OpenSSH and use that instead is because once you do that you can no longer use the iPlanet (Sun's LDAP PKI structure) features that are built into Sun's SSH.

          I doubt they will "fix it" since there is already an OpenSSH version that supports their version, and is working on a version that will support them as well.

          What really bothers me about this is that a Sun engineer is the working group chair for SSH, yet they still felt they could break the spec. The whole thing seems like embrace and extend.

    2. By Darren Moffat () Darren.Moffat@Sun.COM on mailto:Darren.Moffat@Sun.COM

      First let me introduce myself - I'm the engineer that ran the project to get OpenSSH included in Solaris.

      There is no LDAP specific code in the OpenSSH that is in Solaris.

      All we added was the following:

      1. BSM audit code (which has now been donated back to OpenSSH)
      2. L10N/I18N of messages that get sent to the user (Last I spoke with Theo on this issue they didn't want this code for OpenBSD).
      3. Two standalone proxy commands, one for SOCKS5 and one for HTTP.
      4. The code was also linted.

      We did change the vendor part of the version string, but this is perfectly in spec. The reason for this is that we don't want to identify it as OpenSSH, because it isn't 100% OpenSSH code. Also, the version of OpenSSH we started with didn't implement rekeying. There will be an effort to get back in sync with OpenSSH in a future revision of Solaris - we will assess at that time if it is appropriate to keep Sun_SSH as the vendor component or revert to OpenSSH.

      By having a different vendor string it helps in identifying any bugs because it is obvious who to contact.

      The portable OpenSSH uses PAM, and as such we get the ability to authenticate using the pam_ldap module on Solaris. There was no code added by Sun to do this it all comes from the portable OpenSSH work.
      I'm not aware of any plans for giving any LDAP code "back" to anyone.
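The vendor component of the version string that the thread argues about is the "softwareversion" field of the SSH identification string, and a peer that wants to interoperate has to pull it apart before deciding how to talk to the server. The following parser is an added example, not code from this thread, from Sun or from OpenSSH; it assumes the identification-string format of the SSH transport draft ("SSH-protoversion-softwareversion [SP comments]"), and the "Sun_SSH_1.0" banner and the compatibility buckets in `classify()` are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# SSH transport draft: "SSH-protoversion-softwareversion [SP comments] CR LF".
# protoversion "1.99" means the peer speaks both SSH-1 and SSH-2.
IDENT_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# softwareversion is vendor-chosen; split off the trailing version number so that
# "Sun_SSH_1.0" gives vendor "Sun_SSH" and "OpenSSH_3.2.1" gives vendor "OpenSSH".
VENDOR_RE = re.compile(r"^(?P<vendor>.+?)(?:[_-](?P<version>\d.*))?$")


@dataclass
class SshIdent:
    protoversion: str
    vendor: str
    version: Optional[str]
    comments: Optional[str]

    def speaks_ssh2(self) -> bool:
        return self.protoversion in ("2.0", "1.99")


def parse_ident(line: str) -> SshIdent:
    """Parse one identification line; raise ValueError if it is malformed."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    v = VENDOR_RE.match(m["software"])
    return SshIdent(m["proto"], v["vendor"], v["version"], m["comments"])


def find_ident(banner: str) -> SshIdent:
    """A server may send other text lines first; the client skips them and
    parses the first line that starts with 'SSH-'."""
    for line in banner.splitlines():
        if line.startswith("SSH-"):
            return parse_ident(line)
    raise ValueError("no identification string in banner")


def classify(ident: SshIdent) -> str:
    """Hypothetical compatibility bucket keyed on the vendor component, the
    kind of special-casing the thread says OpenSSH 3.2.1 had to add."""
    if ident.vendor == "Sun_SSH":
        return "vendor-specific handling"
    if ident.vendor == "OpenSSH":
        return "openssh"
    return "unknown vendor"


# Constructed sample banners, not captured from real hosts.
SAMPLES = {
    "solaris9": "SSH-2.0-Sun_SSH_1.0\r\n",
    "openssh": "SSH-1.99-OpenSSH_3.2.1\r\n",
    "noisy": "Welcome to the jump host\r\nSSH-2.0-OpenSSH_3.2.1 Debian-1\r\n",
}
```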


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site.