There are a couple of bugs in the openssh-3.7.1p2. The aix_setauthdb
function does not work with other types of authentication such as AFS/DFS.
The loginfailed test in configure is not correct. Also, AIX can use the
wtmp logging which I added in configure. Attached is the patch.
Thanks,
Matt Richards
-------------- next part --------------
*** openssh-3.7.1p2/openbsd-compat/port-aix.c Mon Jul 14 02:41:55 2003
--- openssh-3.7.1p2.patched/openbsd-compat/port-aix.c Mon Sep 22 12:42:00 2003
***************
*** 96,102 ****
--- 96,104 ----
if (geteuid() != 0)
return;
+ #if 0
aix_setauthdb(user);
+ #endif
# ifdef AIX_LOGINFAILED_4ARG
loginfailed((char *)user, hostname, (char *)ttyname, AUDIT_FAIL_AUTH);
# else
*** openssh-3.7.1p2/auth-passwd.c Fri Sep 12 20:41:56 2003
--- openssh-3.7.1p2.patched/auth-passwd.c Mon Sep 22 12:24:15 2003
***************
*** 110,116 ****
--- 110,118 ----
pw->pw_name, authmsg);
/* No pty yet, so just label the line as "ssh" */
+ #if 0
aix_setauthdb(authctxt->user);
+ #endif
if (loginsuccess(authctxt->user, host, "ssh",
&msg) == 0) {
if (msg != NULL) {
*** openssh-3.7.1p2/configure Tue Sep 23 05:55:43 2003
--- openssh-3.7.1p2.patched/configure Tue Oct 28 08:24:57 2003
***************
*** 3100,3105 ****
--- 3100,3106 ----
# Check for some target-specific stuff
case "$host" in
*-*-aix*)
+ conf_wtmp_location=/var/adm/wtmp
CPPFLAGS="$CPPFLAGS -I/usr/local/include"
LDFLAGS="$LDFLAGS -L/usr/local/lib"
echo "$as_me:3105: checking how to specify blibpath for linker
($LD)" >&5
***************
*** 3284,3326 ****
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >conftest.$ac_ext <<_ACEOF
- #line 3287 "configure"
#include "confdefs.h"
! #include <usersec.h>
int
main ()
{
- #ifndef loginfailed
- char *p = (char *) loginfailed;
- #endif
! ;
! return 0;
}
_ACEOF
! rm -f conftest.$ac_objext
! if { (eval echo "$as_me:3303: \"$ac_compile\"") >&5
! (eval $ac_compile) 2>&5
! ac_status=$?
! echo "$as_me:3306: \$? = $ac_status" >&5
! (exit $ac_status); } &&
! { ac_try='test -s conftest.$ac_objext'
! { (eval echo "$as_me:3309: \"$ac_try\"") >&5
! (eval $ac_try) 2>&5
! ac_status=$?
! echo "$as_me:3312: \$? = $ac_status" >&5
! (exit $ac_status); }; }; then
! ac_cv_have_decl_loginfailed=yes
! else
echo "$as_me: failed program was:" >&5
! cat conftest.$ac_ext >&5
! ac_cv_have_decl_loginfailed=no
! fi
! rm -f conftest.$ac_objext conftest.$ac_ext
! fi
! echo "$as_me:3322: result: $ac_cv_have_decl_loginfailed" >&5
! echo "${ECHO_T}$ac_cv_have_decl_loginfailed" >&6
if test $ac_cv_have_decl_loginfailed = yes; then
echo "$as_me:3325: checking if loginfailed takes 4 arguments"
>&5
echo $ECHO_N "checking if loginfailed takes 4 arguments... $ECHO_C"
>&6
--- 3285,3329 ----
echo $ECHO_N "(cached) $ECHO_C" >&6
else
cat >conftest.$ac_ext <<_ACEOF
#include "confdefs.h"
! #ifdef __cplusplus
! extern "C"
! #endif
+ int loginfailed ();
+ int (*f) ();
+
int
main ()
{
! f=loginfailed
! ;
! return 0;
}
_ACEOF
! rm -f conftest.$ac_objext conftest$ac_exeext
! if { (eval echo "$as_me:3193: \"$ac_link\"") >&5
! (eval $ac_link) 2>&5
! ac_status=$?
! echo "$as_me:3196: \$? = $ac_status" >&5
! (exit $ac_status); } &&
! { ac_try='test -s conftest$ac_exeext'
! { (eval echo "$as_me:3199: \"$ac_try\"") >&5
! (eval $ac_try) 2>&5
! ac_status=$?
! echo "$as_me:3202: \$? = $ac_status" >&5
! (exit $ac_status); }; }; then
! ac_cv_have_decl_loginfailed=yes
! else
echo "$as_me: failed program was:" >&5
! cat conftest.$ac_ext >&5
! ac_cv_have_decl_loginfailed=no
! fi
! rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext
! fi
! echo "$as_me:3212: result: $ac_cv_have_decl_loginfailed" >&5
! echo "${ECHO_T}$ac_cv_have_decl_loginfailed" >&6
if test $ac_cv_have_decl_loginfailed = yes; then
echo "$as_me:3325: checking if loginfailed takes 4 arguments"
>&5
echo $ECHO_N "checking if loginfailed takes 4 arguments... $ECHO_C"
>&6
Matt Richards wrote:> > There are a couple of bugs in the openssh-3.7.1p2. The aix_setauthdb > function does not work with other types of authentication such as AFS/DFS.I take it your issue is that your failed logins aren't being recorded for AFS/DFS? The call to setauthdb is needed for correct recording of successful and failed logins for some authentication types (eg LDAP). I can see two possibilities: 1) Call loginfailed (and loginsuccess) twice when the authentication DB isn't FILES, once with setauthdb(FILES) and once with setauthdb(whatever). 2) Keep a list of authentication types for which setauthdb is not called.> The loginfailed test in configure is not correct. Also, AIX can use the > wtmp logging which I added in configure. Attached is the patch.I can't follow the changes to configure (which is a machine-generated file). What is the issue with the loginfailed test? Could you post a patch against configure.ac, which is what autoconf uses to generate configure? (preferably "diff -u"). Any particular reason you added wtmp? -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
> I take it your issue is that your failed logins aren't being recorded > for > AFS/DFS? > > The call to setauthdb is needed for correct recording of successful and > failed logins for some authentication types (eg LDAP). > > I can see two possibilities: > 1) Call loginfailed (and loginsuccess) twice when the authentication DB > isn't FILES, once with setauthdb(FILES) and once with > setauthdb(whatever).I mispoke. The problem actually is privledge separation and setauthdb. setauthdb requires root, sshd is not running as root during privledge separation, so the authentication fails.> I can't follow the changes to configure (which is a machine-generated > file). What is the issue with the loginfailed test? Could you post a > patch against configure.ac, which is what autoconf uses to generate > configure? (preferably "diff -u").The problem here is the configure test of: #ifndef loginfailed char *p = (char *) loginfailed; #endif loginfailed is not defined by the compiler and is picked up during the linking phase. The patch that I put in tests the linking phase rather than the compiling phase. The code above will always fail on AIX.> Any particular reason you added wtmp?AIX has an odd setup for wtmp. I originally patched the 1.2.27 version of ssh to use AIX's loginsuccess and loginfailed which will take care of wtmp and lastlog. It seems that openssh-3.7.1 changed it and put it under CUSTOM_FAILED_LOGIN define. Defining CUSTOM_FAILED_LOGIN, works for this version.
>> I mispoke. The problem actually is privledge separation and setauthdb. >> setauthdb requires root, sshd is not running as root during privledge >> separation, so the authentication fails. > > When running with Privilege Separation, there are 2 sshd's[1], one > running > as root and one not. aix_setauthdb() should always be called from the > privileged sshd process. > > If it's not, can you please post a debug (sshd -ddd) where it's > failing?After looking at it some more, it seems to be the setpcred call and set_authdb. Local users it seems to work okay, however AFS/DFS users, the setpcred fails. I believe it may have something to do with DCE, but I will investigate further. debug3: mm_get_keystate: Waiting for new keys debug3: mm_request_receive_expect entering: type 24 debug3: mm_request_receive entering debug3: mm_newkeys_from_blob: 2013cf08(118) debug2: mac_init: found hmac-md5 debug3: mm_get_keystate: Waiting for second key debug3: mm_newkeys_from_blob: 2013cf08(118) debug2: mac_init: found hmac-md5 debug3: mm_get_keystate: Getting compression state debug3: mm_get_keystate: Getting Network I/O buffers debug3: mm_share_sync: Share sync debug3: mm_share_sync: Share sync end Failed to set process credentials debug1: Calling cleanup 0x20035490(0x0) debug2: User child is on pid 20572 debug3: mm_request_receive entering "Failed to set process credentials" comes from setpcred in do_setusercontext in session.c.> (Also, which AIX version, maintenance level and compiler are you > using?)AIX 4.3.3 ML 01 VisualAge C 5.0.2 AIX 5.1.0 ML 00 VisualAge C 5.1.0 AIX 5.2.0 ML 00 VisualAge C 5.2.0> >>> I can't follow the changes to configure (which is a machine-generated >>> file). What is the issue with the loginfailed test? Could you post >>> a >>> patch against configure.ac, which is what autoconf uses to generate >>> configure? (preferably "diff -u"). >> >> The problem here is the configure test of: >> >> #ifndef loginfailed >> char *p = (char *) loginfailed; >> #endif >> >> loginfailed is not defined by the compiler and is picked up during the >> linking phase. The patch that I put in tests the linking phase rather >> than the compiling phase. The code above will always fail on AIX. > > That's the output of AC_CHECK_FUNC and it's an #ifndef and not #ifdef. > Can you please post the fragment of config.log where it's failing?configure:3281: checking whether loginfailed is declared configure:3303: /usr/vacpp/bin/cc -c -g -I/usr/local/include conftest.c>&5"configure", line 3294.22: 1506-045 (S) Undeclared identifier loginfailed. configure:3306: $? = 1 configure: failed program was: #line 3287 "configure" #include "confdefs.h" #include <usersec.h> int main () { #ifndef loginfailed char *p = (char *) loginfailed; #endif ; return 0; } configure:3322: result: no> >> AIX has an odd setup for wtmp. I originally patched the 1.2.27 >> version of >> ssh to use AIX's loginsuccess and loginfailed which will take care of >> wtmp and lastlog. It seems that openssh-3.7.1 changed it and put it >> under >> CUSTOM_FAILED_LOGIN define. Defining CUSTOM_FAILED_LOGIN, works for >> this >> version. > > CUSTOM_FAILED_LOGIN should be defined automatically be configure. > Again, > if it's not please post the the fragment from config.log where it > fails.CUSTOM_FAILED_LOGIN is not detected/tested by configure. It used to be part of the AIX build. It is not now. Perhaps it should be an AIX define instead of CUSTOM_FAILED_LOGIN. % grep CUSTOM configure %
>It looks like the AFS registry module doesn't support setpcred (alongwith>loginsucess(), sigh).The AFS registry does support the loginsuccess and loginfailure (I have done it in other applications), however there seems to be a bug in setpcred/setauthdb which does not play nice with DCE.>The loginfailed() test in configure is just there to figure out how many >arguments it takes. It's still used (as long as WITH_AIXAUTHENTICATE is >defined, see below) if the test fails.I understand this part, put there are two loginfailed tests in configure. One is to test the existence of loginfailed and another to test how many arguments it takes. The test for the arguments is never executed if the loginfailed test fails.>Correction, CUSTOM_FAILED_LOGIN is defined in port-aix.h if >WITH_AIXAUTHENTICATE is defined. It's WITH_AIXAUTHENTICATE that is >detected by configure.That is correct, thanks for the info. I still believe that conf_wtmp_location=/var/adm/wtmp should still be added to the configure script. It is done that way for Next.
Reasonably Related Threads
- libedit not found on SUse 11.1
- [PATCH re-send]: Clean up logging of failed logins
- rsync-3.0.3 on TRU64 5.1a w/ provided c compiler
- OPenssl and dependencies such as openssh
- [PATCH 00/09] arm: tools: build for arm64 and enable cross-compiling for both arm32 and arm64