Currently under Solaris 8 with a fairly generic build:

CC="cc" ./configure \
    --prefix=/opt/openssh \
    --sysconfdir=/var/ssh \
    --with-rsh=/usr/local/etc/rsh \
    --with-ipv4-default \
    --with-ssl-dir=/usr/local/ssl \
    --with-ipaddr-display \
    --with-pam \
    --with-pid-dir=/var/ssh

cron will quit working since ssh doesn't have auditing support just right (You will get "! cron audit problem. job failed...etc..." all through /var/cron/log **the next time a change is made** to the crontab). This fails with or without PAM support. I and others reported this at least a year ago.

You can get around it by just setting sshd_config to "UseLogin yes" since /usr/bin/login *does* have the proper audit hooks so crontabs will once again be created properly and work.

Unfortunately, when you do that you no longer get X11 forwarding (from ssh verbose output):

>debug1: Requesting X11 forwarding with authentication spoofing.
>debug1: Remote: X11 forwarding disabled; not compatible with UseLogin=yes.
>Warning: Remote host denied X11 forwarding.

My question is this. Since there doesn't appear to be a fix forthcoming for the cron/audit bug, is there a Solaris 8 setup that creates good crontabs *and* allows X11 forwarding? It seems that would be basic "out of the box" functionality but I can't seem to get it?

--mike
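Added example, not part of the original message or of OpenSSH: a shell check for the trade-off described above, reading the effective UseLogin and X11Forwarding settings from an sshd_config and counting "cron audit problem" lines in a cron log. The function names, verdict labels and sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; function names, verdict labels and sample data are constructed.

# Print the effective value of an sshd_config keyword (first occurrence wins,
# keyword match is case-insensitive). $1 = file, $2 = keyword, $3 = value if absent
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }   # skip blank lines and comments
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Count cron log lines carrying the error text quoted in the message.
cron_audit_failures() {
    grep -c 'cron audit problem' "$1" || true
}

# Print one verdict for a host. $1 = sshd_config, $2 = cron log
check_host() {
    uselogin=$(sshd_effective "$1" UseLogin no)
    x11=$(sshd_effective "$1" X11Forwarding no)
    fails=$(cron_audit_failures "$2")
    if [ "$uselogin" = yes ] && [ "$x11" = yes ]; then
        echo "x11-refused"              # sshd disables X11 forwarding under UseLogin=yes
    elif [ "$uselogin" = yes ]; then
        echo "login-handles-audit"      # /usr/bin/login sets up the audit context
    elif [ "${fails:-0}" -gt 0 ]; then
        echo "cron-audit-failures:$fails"
    else
        echo "no-failures-logged"
    fi
}

# Demo on constructed files: the lower-case "uselogin yes" comes first, so it wins.
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sshd_config' 'X11Forwarding yes' 'uselogin yes' \
    'UseLogin no' > "$demo_dir/sshd_config"
printf '%s\n' '> CMD: /usr/bin/true' \
    '! cron audit problem. job failed (constructed line)' > "$demo_dir/cron.log"
check_host "$demo_dir/sshd_config" "$demo_dir/cron.log"
rm -rf "$demo_dir"
```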
--On Monday, November 12, 2001 3:50 PM -0500 James M Moya <moyman at ecn.purdue.edu> wrote:

> Currently under solaris 8 with a fairly generic build:
...
> cron will quit working since ssh doesn't have auditing support
> just right (You will get "! cron audit problem. job failed...etc..." all
> through /var/cron/log **the next time a change is made** to the crontab).

Please be more specific. I assume you mean that there are problems when invoking crontab from an ssh-spawned login shell? I can't imagine that just running sshd would break cron...

--
Carson
On Mon, Nov 12, 2001 at 03:50:18PM -0500, James M Moya wrote:
> Currently under solaris 8 with a fairly generic build:
[...]
> cron will quit working since ssh doesn't have auditing support
> just right
[...]
> --mike

On Mon, Nov 12, 2001 at 05:42:04PM -0800, Darren J Moffat wrote:
> If you are running BSM auditing and have logged in using sshd and use
> crontab -e to update your crontab then because sshd does not properly
> setup the audit id for Solaris the .au file that cron uses to set the
> audit id before running the cron job will be corrupt, as a result cron
> will not run these jobs.
>
> It is a known problem, part of the problem is sshd by not having support
> for setting up the BSM audit id is not a proper login service on Solaris
> and part of the problem is crontab -e not noticing that the audit id
> is invalid but still doing the update.

On Tue, Nov 13, 2001 at 08:47:45PM +0100, Markus Friedl wrote:
> how should openssh do this? do you have code examples?

OK, i am curious; does SSH.Com handle this properly? if so, is the proper code only in the commercial version?

chris

--
Christopher Linn, <celinn at mtu.edu>   | By no means shall either the CEC
Staff System Administrator            | or MTU be held in any way liable
Center for Experimental Computation   | for any opinions or conjecture I
Michigan Technological University     | hold to or imply to hold herein.
Dammit. I have old code that I keep thinking I'll be able to spend the time to port over. It was against SSH.com 1.2.27, and correctly implemented auditing on Solaris and IRIX. When last I looked at it, I wasn't sure how best to insert it into OpenSSH.

I'll take a look at it this afternoon, and either send a patch or put the code out for someone else to play with.

--
Rip Loomis
Senior Systems Security Engineer
SAIC Center for Information Security Technology

> -----Original Message-----
> From: Markus Friedl [mailto:markus at openbsd.org]
> Sent: Tuesday, 13 November, 2001 14:48
> To: Darren J Moffat
> Cc: Christopher Linn; openssh-unix-dev at mindrot.org
> Subject: Re: Openssh 3.0p1/Solaris 8 problems still...
>
> On Mon, Nov 12, 2001 at 05:42:04PM -0800, Darren J Moffat wrote:
> > If you are running BSM auditing and have logged in using sshd and use
> > crontab -e to update your crontab then because sshd does not properly
> > setup the audit id for Solaris the .au file that cron uses to set the
>
> how should openssh do this? do you have code examples?
>
> -m
>> > OK, i am curious; does SSH.Com handle this properly? if so, is the
>> > proper code only in the commercial version?
>>
>> To my knowledge there are no 3rd party login products from any vendor
>> that do this properly for Solaris. Most vendors don't test their
>> products with BSM auditing installed because so many people don't even
>> know that it exists never mind how to write code for it.
>
>*chuckle* ... ow my sides ;*)
>
>this begs the question: would SMI like there to be?

Yes we would and we have been working to get our APIs in better shape so that it will be easier for vendors to support this.

>what other OS vendors support BSM auditing?

BSM auditing is unique to Solaris. Other vendors may have similar functionality but there are no standards based or de facto standards for the API or log file format.

--
Darren J Moffat