Solaris Secure Shell and the OpenSSH Project

The Solaris Secure Shell is a fork of the OpenSSH project. Security fixes for vulnerabilities that are discovered in later versions of OpenSSH are integrated into Solaris Secure Shell, as are individual bug fixes and features. Internal development continues on the Solaris Secure Shell fork.

While Sun engineers provide bug fixes to the project, they have also integrated the following Solaris features into the Solaris fork of Secure Shell:

• PAM - Solaris Secure Shell uses PAM. The OpenSSH UsePAM configuration option is not supported.

• Privilege separation - Solaris Secure Shell does not use the privilege separation code from the OpenSSH project. Solaris Secure Shell separates the processing of auditing, record keeping and re-keying from the processing of the session protocols.

  Solaris Secure Shell privilege separation code is always on and cannot be switched off. The OpenSSH UsePrivilegeSeparation option is not supported.

• Locale - Solaris Secure Shell fully supports language negotiation as defined in RFC 4253, Secure Shell Transfer Protocol. After the user logs in, the user's login shell profile can override the Solaris Secure Shell negotiated locale settings.

• Auditing - Solaris Secure Shell is fully integrated into the Solaris auditing subsystem. For information on auditing, see Part VII, Solaris Auditing.

• GSS-API support - GSS-API can be used for user authentication and for initial key exchange. The GSS-API is defined in RFC4462, Generic Security Service Application Program Interface.

• Proxy commands - Solaris Secure Shell provides proxy commands for SOCKS5 and HTTP protocols. For an example, see How to Set Up Default Connections to Hosts Outside a Firewall.

Since the Solaris 9 release, the following specific changes have been introduced to Solaris Secure Shell:

• Solaris Secure Shell is forked from OpenSSH 3.5p1.

• The default value of X11Forwarding is yes in the /etc/ssh/sshd_config file.

• The following keywords have been introduced:

  • GSSAPIAuthentication

  • GSSAPIKeyExchange

  • GSSAPIDelegateCredentials

  • GSSAPIStoreDelegatedCredentials

  • KbdInteractiveAuthentication

  The GSSAPI keywords enable Solaris Secure Shell to use GSS credentials for authentication. The KbdInteractiveAuthentication keyword supports arbitrary prompting and password changing in PAM. For a complete list of keywords and their default values, see Keywords in Solaris Secure Shell.

• The ARCFOUR and AES128-CTR ciphers are now available. ARCFOUR is also known as RC4. The AES cipher is AES in counter mode.

• The sshd daemon uses the variables in /etc/default/login and the login command. The /etc/default/login variables can be overridden by values in the sshd_config file. For more information, see Solaris Secure Shell and Login Environment Variables and the sshd_config(4) man page.