Re: OpenSSH, Solaris 8, and BSM works with BSM patch, but must disable privilege separation

From: Ben Lindstrom (mouring@etoh.eviladmin.org)
Date: 01/03/03

    Date: Fri, 3 Jan 2003 12:44:08 -0600 (CST)
    From: Ben Lindstrom <mouring@etoh.eviladmin.org>
    To: Jeff Koenig <Jeff.Koenig@experian.com>
    
    

    Is there any reason why Cygwin code is being changed? I don't agree with
    random changes without having someone from that camp agree that those are
    correct changes.

    Also, Privsep should never be turned off unless the user sets it off.
    Hard error.

    - Ben

    On Fri, 3 Jan 2003, Jeff Koenig wrote:

    > To get BSM working on Solaris 8 with OpenSSH, I did this:
    >
    > Download John R. Jackson's OpenSSH 3.5p1 BSM patch here, and save as "patch.tar.gz":
    > http://bugzilla.mindrot.org/show_bug.cgi?id=125
    > (NOTE TO OpenSSH DEVELOPERS, can you incorporate this patch into the next version of OpenSSH?)
    >
    > Installing the OpenSSH 3.5p1 BSM patch:
    > --------------------------------------
    > Turning on Sun BSM auditing requires you to:
    > Apply the OpenSSH 3.5p1 BSM patch
    > Disable privilege separation in OpenSSH /usr/local/etc/sshd_config file
    >
    > You need these applications installed prior to the patch install (you can get the packages from sunfreeware.com):
    > autoconf 2.53 (SMCautoc)
    > m4 1.4 (SMCm4)
    > patch 2.5.4 (SMCpatch)
    > Perl 5.00503 or higher (SMCperl)
    >
    > cp openssh-3.5p1.tar.gz /tmp
    > cp patch.tar.gz /tmp
    > cd /tmp
    > gunzip patch.tar.gz
    > tar xvf patch.tar
    > gunzip openssh-3.5p1.tar.gz
    > tar xvf openssh-3.5p1.tar
    > cd openssh-3.5p1
    > /usr/local/bin/patch -p0 < ../openssh-vs-bsm/patch-bs-3.5p1
    > rm -f configure
    > autoheader
    > autoconf
    > ./configure --with-pam
    > make
    > make install
    >
    > # Set privilege separation to "no" in /usr/local/etc/sshd_config
    > # Example:
    > UsePrivilegeSeparation no
    >
    > # restart sshd
    >
    > NOTE:
    > The following output is "normal" during the patching process:
    > patching file INSTALL
    > patching file Makefile.in
    > patching file auth1.c
    > patching file auth2-kbdint.c
    > patching file auth2-passwd.c
    > patching file auth2-pubkey.c
    > patching file auth2.c
    > patching file bsmaudit.c
    > patching file bsmaudit.h
    > patching file configure.ac
    > patching file contrib/solaris/buildpkg.sh
    > patching file contrib/solaris/postinstall
    > patching file includes.h
    > patching file servconf.c
    > patching file session.c
    > patching file sshd.c
    > patching file sshlogin.c
    > WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
    > WARNING: and `config.h.top', to define templates for `config.h.in'
    > WARNING: is deprecated and discouraged.
    >
    > WARNING: Using the third argument of `AC_DEFINE' and
    > WARNING: `AC_DEFINE_UNQUOTED' allows to define a template without
    > WARNING: `acconfig.h':
    >
    > WARNING: AC_DEFINE([NEED_MAIN], 1,
    > WARNING: [Define if a function `main' is needed.])
    >
    > WARNING: More sophisticated templates can also be produced, see the
    > WARNING: documentation.
    > autoheader: `config.h.in' is updated
    >
    > NOTE:
    > This is "normal" during compile:
    > bsmaudit.h:30: warning: ignoring pragma: "@(#)bsmaudit.h 1.1 01/09/17 SMI
    >
    >
    >
    > _______________________________________________
    > openssh-unix-dev@mindrot.org mailing list
    > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
    >
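
A check for the setting this thread disagrees over, as an added example that is not part of either message or of OpenSSH: it reports the effective `UsePrivilegeSeparation` value in an sshd_config file. The function names and sample files are constructed here, and treating an absent keyword as `yes` is an assumption about the default.

```shell
#!/bin/sh
# Added example: audit an sshd_config for disabled privilege separation.

# Print the effective value. sshd keeps the first value it reads for a
# keyword and matches keywords case-insensitively, so stop at the first hit.
privsep_setting() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }   # drop comments, accept "key=value"
        tolower($1) == "useprivilegeseparation" && NF >= 2 {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes" }      # assumed default when keyword is absent
    ' "$1"
}

# Return 0 if privsep is on, 1 if it is set to "no", 2 if the file is unreadable.
check_privsep() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1" >&2; return 2; }
    value=$(privsep_setting "$1")
    case "$value" in
        no) echo "FAIL: $1 disables privilege separation"; return 1 ;;
        *)  echo "OK: $1 UsePrivilegeSeparation=$value"; return 0 ;;
    esac
}

# Constructed sample configs (not taken from the thread).
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample' 'Port 22' 'useprivilegeseparation no' \
    'UsePrivilegeSeparation yes' > "$demo_dir/bsm_howto"
printf '%s\n' 'Port 22' '#UsePrivilegeSeparation no' > "$demo_dir/stock"
for f in "$demo_dir/bsm_howto" "$demo_dir/stock"; do
    check_privsep "$f" || true
done
rm -rf "$demo_dir"
```

Pointing `check_privsep` at `/usr/local/etc/sshd_config` after following the quoted steps reports the `no` setting, which makes the trade-off for BSM auditing visible in a routine configuration audit.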


