note that official openssh distribution have already dropped kerberosIV support,
therefore maintenance cost needs to be paid by us. and have no intent to help.
- krb4/5 support for privsep (krb5 diff was already applied)
includes fake implementaation of getpeereid() from openssh-portable, which
does nothing useful - need improvement.
NetBSD's default security policy in this area: if you are not on
a secure terminal, you must be able to authenticate as a user in
the "wheel" group before you may attempt to authenticate as root
using the root password.
major behavior changes: (made in openssh master tree - openbsd usr.bin/ssh)
- ssh(1) now defaults to ssh protocol version 2.
if you want version 1 to take precedence, use /etc/ssh.conf to override.
- config change: ~/.ssh/id_rsa[12] is now ~/.ssh/id_rsa (changed 4/3)
- forced client rekey for protocol version 2 (~R)
- swap gid when uid swaps.
- ListenAddress syntax can take [foo]:port for IPv6 numerics.
- "ssh -D 1080" allows us to use ssh tunnel as SOCKS4 proxy.
with openssh tree to ease future upgrade. re-do local changes, including:
- prototype pedants
- IgnoreRootRhosts
- login.conf user validation
some of the local changes that weren't used are omitted for now. we may
need to revisit those afterwards.
it adds "sftp".
