Hosting Provided By

OpenSSH, Solaris 8, and BSM works with BSM patch, but must disable privilege separation

From: Jeff Koenig <Jeff.Koenig(at)experian.com>
Date: Fri Jan 03 2003 - 18:30:08 EST

To get BSM working on Solaris 8 with OpenSSH, I did this:

Download John R. Jackson's OpenSSH 3.5p1 BSM patch here, and save as "patch.tar.gz": http://bugzilla.mindrot.org/show_bug.cgi?id=125 (NOTE TO OpenSSH DEVELOPERS, can you incorporate this patch into the next version of OpenSSH?)

Installing the OpenSSH 3.5p1 BSM patch:

¯--------------------------------------

Turning on Sun BSM auditing requires you to: Apply the OpenSSH 3.5p1 BSM patch
Disable privilege separation in OpenSSH /usr/local/etc/sshd_config file

You need these applications installed prior to the patch install (you can get the packages from sunfreeware.com): autoconf 2.53 (SMCautoc)
m4 1.4 (SMCm4)
patch 2.5.4 (SMCpatch)
Perl 5.00503 or higher (SMCperl)

cp openssh-3.5p1.tar.gz /tmp
cp patch.tar.gz /tmp
cd /tmp
gunzip patch.tar.gz
tar xvf patch.tar
gunzip openssh-3.5p1.tar.gz
tar xvf openssh-3.5p1.tar
cd openssh-3.5p1
/usr/local/bin/patch -p0 < ../openssh-vs-bsm/patch-bs-3.5p1 rm -f configure
autoheader
autoconf
./configure --with-pam
make
make install

# Set privilege separation to "no" in /usr/local/etc/sshd_config
# Example:
UsePrivilegeSeparation no

# restart sshd

NOTE:
The following output is "normal" during the patching process: patching file INSTALL
patching file Makefile.in
patching file auth1.c

patching file auth2-kbdint.c
patching file auth2-passwd.c
patching file auth2-pubkey.c

patching file auth2.c
patching file bsmaudit.c
patching file bsmaudit.h
patching file configure.ac
patching file contrib/solaris/buildpkg.sh patching file contrib/solaris/postinstall patching file includes.h
patching file servconf.c
patching file session.c
patching file sshd.c
patching file sshlogin.c

WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
WARNING: and `config.h.top', to define templates for `config.h.in'
WARNING: is deprecated and discouraged.

WARNING: Using the third argument of `AC_DEFINE' and

WARNING: `AC_DEFINE_UNQUOTED' allows to define a template without WARNING: `acconfig.h':

Do you need help?

WARNING: AC_DEFINE([NEED_MAIN], 1,
WARNING: [Define if a function `main' is needed.])

WARNING: More sophisticated templates can also be produced, see the WARNING: documentation.
autoheader: `config.h.in' is updated

NOTE:
This is "normal" during compile:
bsmaudit.h:30: warning: ignoring pragma: "@(#)bsmaudit.h 1.1 01/09/17 SMI Received on Mon Jan 6 13:25:59 2003

This message: [ Message body ]
Next message: Greg Wooledge: "Re: SSH login problems"
Previous message: Jian CJ Chen: "error "Protocol major versions differ: 1 vs. 2""
In reply to Ben Lindstrom: "Re: OpenSSH, Solaris 8, and BSM works with BSM patch, but must disable privilege separation"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:52 EDT