Greetings,

In order to use Solaris's BSM (Basic security module) also called c2 audit, which logs specific kernel calls depending on your audit_control, I would need to use login(1) to log users exec calls and whatnot because Portable OpenSSH does not have <bsm/audit.h> support, now that would mean I would have to enable Uselogin in sshd_config in order for that to work.

I am running OpenSSH's latest portable version on Solaris 7 core install with latest patches.

When I enabled Uselogin, and I ssh with debug mode on, I get the following:

Environment:
TZ=US/Eastern
SSH_CLIENT=x.x.x.x 34951 22
SSH_TTY=/dev/pts/3
TERM=vt100
No utmpx entry. You must exec "login" from the lowest level "shell".
Connection to x.x.x.x closed.

Here's my debug output from sshd:

Connection from x.x.x.x port 34949
debug: Client protocol version 1.5; client software version x.x.x
debug: Local version string SSH-1.5-x.x.x
debug: Sent 1152 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Attempting authentication for xxxxxx.
Accepted password for xxxxx from x.x.x.x port 34949
debug: session_new: init
debug: session_new: session 0
debug: Allocating pty.
debug: Entering interactive session.
debug: fd 3 setting O_NONBLOCK
debug: server_init_dispatch_13
debug: server_init_dispatch_15
debug: tvp!=NULL kid 0 mili 10
debug: Received SIGCHLD.
debug: tvp!=NULL kid 1 mili 10
debug: tvp!=NULL kid 1 mili 10
debug: tvp!=NULL kid 1 mili 100
debug: End of interactive session; stdin 0, stdout (read 171, sent 171), stderr 0 bytes.
debug: Command exited with status 1.
debug: Received exit confirmation.
debug: session_pty_cleanup: session 0 release /dev/pts/3
Closing connection to 10.10.1.31

I also tried giving mode 777 to both sshd and login and it did not work to see if that would make a difference. Telnetting in works so I don't see a problem with login(1) or utmp[x].

Could it be a broken implementation of Uselogin in Solaris? Any help is appreciated.

Sincerely,
Jonathan

does telnetd call login? how does telnetd call login?

On Sun, Dec 17, 2000 at 05:23:05PM -0500, Jonathan Fortin wrote:
> In order to use solaris's BSM (Basic security module) also called c2 audit,
> which logs specific kernel calls depending on your audit_control,
> I would need to use login(1) to log users exec calls and whatnot because
> Portable OpenSSH does not have <bsm/audit.h> support, now that would mean I
> would have to enable Uselogin in sshd_config in order for that to work.

Aarggh. Telnetd has the necessary audit initialization code (and generation of login/logout audit events) written in by Sun.

The "best" fix (IMHO) is to do the audit initialization within OpenSSH, in the same way that OpenSSH needs to do it for SGI IRIX, etc., and in the same way that telnetd does it for Solaris.

I have code (which was written for a previous customer against "commercial" SSH 1.2.27) that correctly implements all the audit initialization stuff for Solaris. I've been trying to make the time to integrate the code into OpenSSH for several months, but Real Work keeps intruding.

Does someone want the existing (not real pretty but workable) code against 1.2.27 as a starting point? If not then I'll try to make time in the next couple of weeks, but trying to make time hasn't historically seemed to work.

The biggest stumbling block when I last went in to integrate the code was that (IIRC) OpenSSH calls one "session initialization" function which is common to both the ssh client and sshd. This caused some problems...but I'll excavate my codebase again now and take another look this afternoon.

Rip Loomis
Voice Number: (410) 953-6874
--------------------------------------------------------
Senior Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

> -----Original Message-----
> From: Markus Friedl [mailto:Markus.Friedl at informatik.uni-erlangen.de]
> Sent: Monday, December 18, 2000 3:03 AM
> To: Jonathan Fortin
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: Portable OpenSSH Solaris UseLogin Issue
>
>
> does telnetd call login? how does telnetd call login?
>
> On Sun, Dec 17, 2000 at 05:23:05PM -0500, Jonathan Fortin wrote:
> > In order to use solaris's BSM (Basic security module) also called c2 audit,
> > which logs specific kernel calls depending on your audit_control,
> > I would need to use login(1) to log users exec calls and whatnot because
> > Portable OpenSSH does not have <bsm/audit.h> support, now that would mean I
> > would have to enable Uselogin in sshd_config in order for that to work.
>