I discovered today that the unpatched Solaris ssh program doesn't understand the 'GSSAPIKeyExchange' and 'GSSAPIAuthentication' configuration options that are necessary to fix the problem on the patched ssh. (I had them in a $HOME/.ssh/config file that was shared between a patched system and an unpatched system.)

So what appears to have happened is that Sun developed a new version of ssh that implements the GSS stuff, and as a result requires it and the Kerberos stuff to be installed and configured and so on. This is the 'new' ssh included in patch 114356-07 (but not in the -06 version of the same patch) that requires 112908-24 ('SunOS 5.9: krb5, gss Patch').

Later, Sun saw some problems and yanked all mention of current versions of patch 112908 from the patchdiag.xref file, thereby making 114356-07 uninstallable without special magic. However, they did not actually withdraw either 114356-07 or 112908-24 (and in fact 114356-07 remains marked as a recommended patch).

(Some investigation also shows that installing patch 117177 (mentioned in the README for 114356-07) does not help the problem any.)