After longer thinking and comparing what FreeBSD and NetBSD did, finally revert to the old state by kicking out the UsePrivilegeSeparation and Compression default value guessing because: 1. we are predestined to fail in general because we cannot do it correctly by just looking at the platform id. 2. UsePrivilegeSeparation is nice from a paranoid security point of view but OTOH really is too brand-new and internally limits or even breaks the OpenSSH functionality too dramatically. People who are paranoid enough and can live with this can feel free to change the "no" to a "yes" in their sshd_config easily. 3. it is nasty to have a package "openssh" shipping with totally different default configuration (using "UsePrivilegeSeparation yes" makes a large difference under run-time!) on different platforms. This is nasty and we really want a single default config independent of a platform. So, unless "UsePrivilegeSeparation yes" works equally on all our plaforms and without such dramatical restrictions (Compression, PAM, etc) and internal brokeness we will stay with the _default_ config of "UsePrivilegeSeparation no". Once Privilege Separation is really ready for a global deployment, we are happy to enable it by default again.

openssh/openssh.spec

@@ -47,7 +47,7 @@ Distribution: OpenPKG [REL]
 Group:        Cryptography
 License:      BSD
 Version:      3.4p1
-Release:      20020627
+Release:      20020706
 
 #   list of sources
 Source0:      ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
@@ -198,38 +198,10 @@ AutoReqProv:  no
         -e 's;@l_musr@;%{l_musr};g' -e 's;@l_mgrp@;%{l_mgrp};g' \
         %{SOURCE rc.openssh} $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/
 
-    #   determine best variant for ssh server configuration 
-    l_cfg_useprivsep=yes
-    #   (privsep broken on old Linux at all)
-    case "%{l_target}" in
-        *-linux2.0* ) l_cfg_useprivsep=no ;; 
-    esac
-%if "%{with_pam}" == "yes"
-    #   (PAM broken with privsep on non-Linux)
-    case "%{l_target}" in
-        *-linux* ) ;;
-        * ) l_cfg_useprivsep=no ;;
-    esac
-%endif
-    l_cfg_compression=yes
-    if [ ".$l_cfg_useprivsep" = .yes ]; then
-        #   (compression broken with privsep on old Linux)
-        case "%{l_target}" in
-            *-linux2.2* ) l_cfg_compression=no ;;
-        esac
-    fi
-%if "%{with_x11}" == "yes"
-    l_cfg_x11forwarding=yes
-%else
-    l_cfg_x11forwarding=no
-%endif
-
     #   install reasonable ssh server and client configuration files
     %{l_shtool} install -c -m 644 \
         -e 's;@l_prefix@;%{l_prefix};g' \
-        -e "s;@l_cfg_useprivsep@;${l_cfg_useprivsep};" \
-        -e "s;@l_cfg_compression@;${l_cfg_compression};" \
-        -e "s;@l_cfg_x11forwarding@;${l_cfg_x11forwarding};" \
+        -e 's;@l_x11forwarding@;%{with_x11};' \
         %{SOURCE sshd_config} $RPM_BUILD_ROOT%{l_prefix}/etc/openssh/
     %{l_shtool} install -c -m 644 -e 's;@l_prefix@;%{l_prefix};g' \
         %{SOURCE ssh_config} $RPM_BUILD_ROOT%{l_prefix}/etc/openssh/

openssh/sshd_config

@@ -28,10 +28,10 @@ StrictModes              yes
 IgnoreRhosts             yes
 KeepAlive                yes
 GatewayPorts             no
-X11Forwarding            @l_cfg_x11forwarding@
-Compression              @l_cfg_compression@
+X11Forwarding            @l_x11forwarding@
+Compression              yes
 
-UsePrivilegeSeparation   @l_cfg_useprivsep@
+UsePrivilegeSeparation   no
 LoginGraceTime           600
 MaxStartups              10:30:60
 PermitRootLogin          yes