18 # No reply has yet been received. |
18 # No reply has yet been received. |
19 # |
19 # |
20 # An additional patch relying on the --with-audit=solaris configuration |
20 # An additional patch relying on the --with-audit=solaris configuration |
21 # should/will be created for sftp Solaris Audit and password change. |
21 # should/will be created for sftp Solaris Audit and password change. |
22 # |
22 # |
23 --- orig/config.h.in 2014-11-05 13:11:59.968745838 -0800 |
23 diff -pur old/INSTALL new/INSTALL |
24 +++ new/config.h.in 2014-10-13 14:00:31.117475979 -0700 |
24 --- old/INSTALL 2015-03-16 22:49:20.000000000 -0700 |
25 @@ -1628,6 +1628,9 @@ |
25 +++ new/INSTALL 2015-05-21 03:54:29.120932630 -0700 |
26 /* Use Linux audit module */ |
26 @@ -92,9 +92,13 @@ http://www.gnu.org/software/autoconf/ |
27 #undef USE_LINUX_AUDIT |
|
28 |
|
29 +/* Use Solaris audit module */ |
|
30 +#undef USE_SOLARIS_AUDIT |
|
31 + |
|
32 /* Enable OpenSSL engine support */ |
|
33 #undef USE_OPENSSL_ENGINE |
|
34 |
|
35 --- orig/configure 2014-11-05 13:11:59.971959419 -0800 |
|
36 +++ new/configure 2014-12-04 08:43:59.945675841 -0800 |
|
37 @@ -1420,7 +1420,7 @@ |
|
38 --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH) |
|
39 --with-ldns[=PATH] Use ldns for DNSSEC support (optionally in PATH) |
|
40 --with-libedit[=PATH] Enable libedit support for sftp |
|
41 - --with-audit=module Enable audit support (modules=debug,bsm,linux) |
|
42 + --with-audit=module Enable audit support (modules=debug,bsm,linux,solaris) |
|
43 --with-pie Build Position Independent Executables if possible |
|
44 --with-ssl-dir=PATH Specify path to OpenSSL installation |
|
45 --without-openssl-header-check Disable OpenSSL version consistency check |
|
46 @@ -10185,6 +10185,27 @@ |
|
47 $as_echo "#define USE_LINUX_AUDIT 1" >>confdefs.h |
|
48 |
|
49 ;; |
|
50 + solaris) |
|
51 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: solaris" >&5 |
|
52 +$as_echo "solaris" >&6; } |
|
53 + AUDIT_MODULE=solaris |
|
54 + for ac_header in bsm/adt.h |
|
55 +do : |
|
56 + ac_fn_c_check_header_compile "$LINENO" "bsm/adt.h" "ac_cv_header_bsm_adt_h" "" |
|
57 +if test "x$ac_cv_header_bsm_adt_h" = xyes; then : |
|
58 + cat >>confdefs.h <<_ACEOF |
|
59 +#define HAVE_ADT_H 1 |
|
60 +_ACEOF |
|
61 + |
|
62 +else |
|
63 + as_fn_error $? "Solaris Audit enabled and bsm/adt.h not found" "$LINENO" 5 |
|
64 +fi |
|
65 + |
|
66 +done |
|
67 + |
|
68 + SSHDLIBS="$SSHDLIBS -lbsm" |
|
69 +$as_echo "#define USE_SOLARIS_AUDIT 1" >>confdefs.h |
|
70 + ;; |
|
71 debug) |
|
72 AUDIT_MODULE=debug |
|
73 { $as_echo "$as_me:${as_lineno-$LINENO}: result: debug" >&5 |
|
74 --- orig/defines.h 2014-01-17 05:12:38.000000000 -0800 |
|
75 +++ new/defines.h 2014-09-12 10:09:27.000000000 -0700 |
|
76 @@ -622,6 +622,11 @@ |
|
77 # define CUSTOM_SSH_AUDIT_EVENTS |
|
78 #endif |
|
79 |
|
80 +#ifdef USE_SOLARIS_AUDIT |
|
81 +# define SSH_AUDIT_EVENTS |
|
82 +# define CUSTOM_SSH_AUDIT_EVENTS |
|
83 +#endif |
|
84 + |
|
85 #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__) |
|
86 # define __func__ __FUNCTION__ |
|
87 #elif !defined(HAVE___func__) |
|
88 --- orig/INSTALL 2013-03-06 17:33:35.000000000 -0800 |
|
89 +++ new/INSTALL 2014-12-04 08:41:24.369920230 -0800 |
|
90 @@ -97,9 +97,13 @@ |
|
91 |
27 |
92 Basic Security Module (BSM): |
28 Basic Security Module (BSM): |
93 |
29 |
94 -Native BSM support is know to exist in Solaris from at least 2.5.1, |
30 -Native BSM support is know to exist in Solaris from at least 2.5.1, |
95 -FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM |
31 -FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM |
114 +(Sun's Legacy Basic Security Module prior to Solaris 11), and "solaris" |
50 +(Sun's Legacy Basic Security Module prior to Solaris 11), and "solaris" |
115 +(Sun's Audit infrastructure from Solaris 11) are supported. |
51 +(Sun's Audit infrastructure from Solaris 11) are supported. |
116 |
52 |
117 --with-pam enables PAM support. If PAM support is compiled in, it must |
53 --with-pam enables PAM support. If PAM support is compiled in, it must |
118 also be enabled in sshd_config (refer to the UsePAM directive). |
54 also be enabled in sshd_config (refer to the UsePAM directive). |
119 --- orig/Makefile.in 2014-11-12 15:18:05.366726810 -0800 |
55 diff -pur old/Makefile.in new/Makefile.in |
120 +++ new/Makefile.in 2014-11-12 15:22:36.825227512 -0800 |
56 --- old/Makefile.in 2015-12-07 15:43:45.335711670 -0800 |
121 @@ -84,7 +84,7 @@ |
57 +++ new/Makefile.in 2015-12-07 15:51:37.440455000 -0800 |
|
58 @@ -98,7 +98,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o s |
122 roaming_common.o roaming_client.o |
59 roaming_common.o roaming_client.o |
123 |
60 |
124 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
61 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
125 - audit.o audit-bsm.o audit-linux.o platform.o \ |
62 - audit.o audit-bsm.o audit-linux.o platform.o \ |
126 + audit.o audit-bsm.o audit-linux.o audit-solaris.o platform.o \ |
63 + audit.o audit-bsm.o audit-linux.o audit-solaris.o platform.o \ |
127 sshpty.o sshlogin.o servconf.o serverloop.o \ |
64 sshpty.o sshlogin.o servconf.o serverloop.o \ |
128 auth.o auth1.o auth2.o auth-options.o session.o \ |
65 auth.o auth1.o auth2.o auth-options.o session.o \ |
129 auth-chall.o auth2-chall.o groupaccess.o \ |
66 auth-chall.o auth2-chall.o groupaccess.o \ |
130 --- orig/README.platform 2009-08-28 16:14:48.000000000 -0700 |
67 diff -pur old/README.platform new/README.platform |
131 +++ new/README.platform 2014-09-12 09:45:50.000000000 -0700 |
68 --- old/README.platform 2015-03-16 22:49:20.000000000 -0700 |
132 @@ -68,8 +68,8 @@ |
69 +++ new/README.platform 2015-05-21 03:54:29.121331205 -0700 |
|
70 @@ -68,8 +68,8 @@ zlib-devel and pam-devel, on Debian base |
133 libssl-dev, libz-dev and libpam-dev. |
71 libssl-dev, libz-dev and libpam-dev. |
134 |
72 |
135 |
73 |
136 -Solaris |
74 -Solaris |
137 -------- |
75 -------- |
138 +Prior to Solaris 11 |
76 +Prior to Solaris 11 |
139 +------------------- |
77 +------------------- |
140 If you enable BSM auditing on Solaris, you need to update audit_event(4) |
78 If you enable BSM auditing on Solaris, you need to update audit_event(4) |
141 for praudit(1m) to give sensible output. The following line needs to be |
79 for praudit(1m) to give sensible output. The following line needs to be |
142 added to /etc/security/audit_event: |
80 added to /etc/security/audit_event: |
143 @@ -82,6 +82,9 @@ |
81 @@ -82,6 +82,9 @@ There is no official registry of 3rd par |
144 number is already in use on your system, you may change it at build time |
82 number is already in use on your system, you may change it at build time |
145 by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding. |
83 by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding. |
146 |
84 |
147 +From Solaris 11 |
85 +From Solaris 11 |
148 +--------------- |
86 +--------------- |
149 +Solaris Audit is supported by configuring --with-audit=solaris. |
87 +Solaris Audit is supported by configuring --with-audit=solaris. |
150 |
88 |
151 Platforms using PAM |
89 Platforms using PAM |
152 ------------------- |
90 ------------------- |
153 --- orig/sshd.c 2014-11-05 13:11:59.974945893 -0800 |
91 diff -pur old/config.h.in new/config.h.in |
154 +++ new/sshd.c 2014-11-10 13:33:12.279354856 -0800 |
92 --- old/config.h.in 2015-05-21 03:54:29.047656051 -0700 |
155 @@ -2139,7 +2139,9 @@ |
93 +++ new/config.h.in 2015-05-21 03:54:29.121686621 -0700 |
156 #endif |
94 @@ -1635,6 +1635,9 @@ |
|
95 /* Use Linux audit module */ |
|
96 #undef USE_LINUX_AUDIT |
|
97 |
|
98 +/* Use Solaris audit module */ |
|
99 +#undef USE_SOLARIS_AUDIT |
|
100 + |
|
101 /* Enable OpenSSL engine support */ |
|
102 #undef USE_OPENSSL_ENGINE |
|
103 |
|
104 diff -pur old/configure new/configure |
|
105 --- old/configure 2015-05-21 03:54:29.053171257 -0700 |
|
106 +++ new/configure 2015-05-21 06:53:04.579282150 -0700 |
|
107 @@ -1336,7 +1336,7 @@ Optional Packages: |
|
108 --with-skey[=PATH] Enable S/Key support (optionally in PATH) |
|
109 --with-ldns[=PATH] Use ldns for DNSSEC support (optionally in PATH) |
|
110 --with-libedit[=PATH] Enable libedit support for sftp |
|
111 - --with-audit=module Enable audit support (modules=debug,bsm,linux) |
|
112 + --with-audit=module Enable audit support (modules=debug,bsm,linux,solaris) |
|
113 --with-pie Build Position Independent Executables if possible |
|
114 --with-ssl-dir=PATH Specify path to OpenSSL installation |
|
115 --without-openssl-header-check Disable OpenSSL version consistency check |
|
116 @@ -16106,6 +16106,160 @@ cat >>confdefs.h <<\_ACEOF |
|
117 _ACEOF |
|
118 |
|
119 ;; |
|
120 + solaris) |
|
121 + { echo "$as_me:$LINENO: result: solaris" >&5 |
|
122 +echo "${ECHO_T}solaris" >&6; } |
|
123 + AUDIT_MODULE=solaris |
|
124 + |
|
125 +for ac_header in bsm/adt.h |
|
126 +do |
|
127 +as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` |
|
128 +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then |
|
129 + { echo "$as_me:$LINENO: checking for $ac_header" >&5 |
|
130 +echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } |
|
131 +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then |
|
132 + echo $ECHO_N "(cached) $ECHO_C" >&6 |
|
133 +fi |
|
134 +ac_res=`eval echo '${'$as_ac_Header'}'` |
|
135 + { echo "$as_me:$LINENO: result: $ac_res" >&5 |
|
136 +echo "${ECHO_T}$ac_res" >&6; } |
|
137 +else |
|
138 + # Is the header compilable? |
|
139 +{ echo "$as_me:$LINENO: checking $ac_header usability" >&5 |
|
140 +echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; } |
|
141 +cat >conftest.$ac_ext <<_ACEOF |
|
142 +/* confdefs.h. */ |
|
143 +_ACEOF |
|
144 +cat confdefs.h >>conftest.$ac_ext |
|
145 +cat >>conftest.$ac_ext <<_ACEOF |
|
146 +/* end confdefs.h. */ |
|
147 +$ac_includes_default |
|
148 +#include <$ac_header> |
|
149 +_ACEOF |
|
150 +rm -f conftest.$ac_objext |
|
151 +if { (ac_try="$ac_compile" |
|
152 +case "(($ac_try" in |
|
153 + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; |
|
154 + *) ac_try_echo=$ac_try;; |
|
155 +esac |
|
156 +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 |
|
157 + (eval "$ac_compile") 2>conftest.er1 |
|
158 + ac_status=$? |
|
159 + grep -v '^ *+' conftest.er1 >conftest.err |
|
160 + rm -f conftest.er1 |
|
161 + cat conftest.err >&5 |
|
162 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 |
|
163 + (exit $ac_status); } && { |
|
164 + test -z "$ac_c_werror_flag" || |
|
165 + test ! -s conftest.err |
|
166 + } && test -s conftest.$ac_objext; then |
|
167 + ac_header_compiler=yes |
|
168 +else |
|
169 + echo "$as_me: failed program was:" >&5 |
|
170 +sed 's/^/| /' conftest.$ac_ext >&5 |
|
171 + |
|
172 + ac_header_compiler=no |
|
173 +fi |
|
174 + |
|
175 +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext |
|
176 +{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 |
|
177 +echo "${ECHO_T}$ac_header_compiler" >&6; } |
|
178 + |
|
179 +# Is the header present? |
|
180 +{ echo "$as_me:$LINENO: checking $ac_header presence" >&5 |
|
181 +echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; } |
|
182 +cat >conftest.$ac_ext <<_ACEOF |
|
183 +/* confdefs.h. */ |
|
184 +_ACEOF |
|
185 +cat confdefs.h >>conftest.$ac_ext |
|
186 +cat >>conftest.$ac_ext <<_ACEOF |
|
187 +/* end confdefs.h. */ |
|
188 +#include <$ac_header> |
|
189 +_ACEOF |
|
190 +if { (ac_try="$ac_cpp conftest.$ac_ext" |
|
191 +case "(($ac_try" in |
|
192 + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; |
|
193 + *) ac_try_echo=$ac_try;; |
|
194 +esac |
|
195 +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 |
|
196 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1 |
|
197 + ac_status=$? |
|
198 + grep -v '^ *+' conftest.er1 >conftest.err |
|
199 + rm -f conftest.er1 |
|
200 + cat conftest.err >&5 |
|
201 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 |
|
202 + (exit $ac_status); } >/dev/null && { |
|
203 + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || |
|
204 + test ! -s conftest.err |
|
205 + }; then |
|
206 + ac_header_preproc=yes |
|
207 +else |
|
208 + echo "$as_me: failed program was:" >&5 |
|
209 +sed 's/^/| /' conftest.$ac_ext >&5 |
|
210 + |
|
211 + ac_header_preproc=no |
|
212 +fi |
|
213 + |
|
214 +rm -f conftest.err conftest.$ac_ext |
|
215 +{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 |
|
216 +echo "${ECHO_T}$ac_header_preproc" >&6; } |
|
217 + |
|
218 +# So? What about this header? |
|
219 +case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in |
|
220 + yes:no: ) |
|
221 + { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 |
|
222 +echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} |
|
223 + { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 |
|
224 +echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} |
|
225 + ac_header_preproc=yes |
|
226 + ;; |
|
227 + no:yes:* ) |
|
228 + { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 |
|
229 +echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} |
|
230 + { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 |
|
231 +echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} |
|
232 + { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 |
|
233 +echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} |
|
234 + { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 |
|
235 +echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} |
|
236 + { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 |
|
237 +echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} |
|
238 + { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 |
|
239 +echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} |
|
240 + ( cat <<\_ASBOX |
|
241 +## ------------------------------------------- ## |
|
242 +## Report this to [email protected] ## |
|
243 +## ------------------------------------------- ## |
|
244 +_ASBOX |
|
245 + ) | sed "s/^/$as_me: WARNING: /" >&2 |
|
246 + ;; |
|
247 +esac |
|
248 +{ echo "$as_me:$LINENO: checking for $ac_header" >&5 |
|
249 +echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; } |
|
250 +if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then |
|
251 + echo $ECHO_N "(cached) $ECHO_C" >&6 |
|
252 +else |
|
253 + eval "$as_ac_Header=\$ac_header_preproc" |
|
254 +fi |
|
255 +ac_res=`eval echo '${'$as_ac_Header'}'` |
|
256 + { echo "$as_me:$LINENO: result: $ac_res" >&5 |
|
257 +echo "${ECHO_T}$ac_res" >&6; } |
|
258 + |
|
259 +fi |
|
260 +if test `eval echo '${'$as_ac_Header'}'` = yes; then |
|
261 + cat >>confdefs.h <<_ACEOF |
|
262 +#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 |
|
263 +_ACEOF |
|
264 + |
|
265 +fi |
|
266 + |
|
267 +done |
|
268 + |
|
269 + SSHDLIBS="$SSHDLIBS -lbsm" |
|
270 +cat >>confdefs.h <<\_ACEOF |
|
271 +#define USE_SOLARIS_AUDIT 1 |
|
272 +_ACEOF |
|
273 + ;; |
|
274 debug) |
|
275 AUDIT_MODULE=debug |
|
276 { echo "$as_me:$LINENO: result: debug" >&5 |
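Review bot: In the `solaris)` case of the newer configure hunk, a missing bsm/adt.h no longer stops the build: the header loop closes with a bare `fi` after the HAVE_ define, and `SSHDLIBS="$SSHDLIBS -lbsm"` and `#define USE_SOLARIS_AUDIT 1` then run unconditionally. The earlier revision of this patch, shown alongside, aborted at that point with `as_fn_error $? "Solaris Audit enabled and bsm/adt.h not found" "$LINENO" 5`. For an audit backend a hard stop at configure time is the safer behaviour, and an `else` branch before that `fi`, such as `{ echo "$as_me: error: Solaris Audit enabled and bsm/adt.h not found" >&2; exit 1; }`, would restore it. The emitted macro also changes from the literal `HAVE_ADT_H` to the computed name (which should expand to `HAVE_BSM_ADT_H`), so any source that tests the old name should be checked. configure is generated, so the check presumably belongs in configure.ac, which is not among the files visible here.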
|
277 diff -pur old/defines.h new/defines.h |
|
278 --- old/defines.h 2015-03-16 22:49:20.000000000 -0700 |
|
279 +++ new/defines.h 2015-05-21 03:54:29.127386034 -0700 |
|
280 @@ -635,6 +635,11 @@ struct winsize { |
|
281 # define CUSTOM_SSH_AUDIT_EVENTS |
|
282 #endif |
|
283 |
|
284 +#ifdef USE_SOLARIS_AUDIT |
|
285 +# define SSH_AUDIT_EVENTS |
|
286 +# define CUSTOM_SSH_AUDIT_EVENTS |
|
287 +#endif |
|
288 + |
|
289 #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__) |
|
290 # define __func__ __FUNCTION__ |
|
291 #elif !defined(HAVE___func__) |
|
292 diff -pur old/sshd.c new/sshd.c |
|
293 --- old/sshd.c 2015-05-21 03:54:29.070139157 -0700 |
|
294 +++ new/sshd.c 2015-05-21 03:54:29.127803176 -0700 |
|
295 @@ -2215,7 +2215,9 @@ main(int ac, char **av) |
|
296 } |
157 |
297 |
158 #ifdef SSH_AUDIT_EVENTS |
298 #ifdef SSH_AUDIT_EVENTS |
159 +#ifndef USE_SOLARIS_AUDIT |
299 +#ifndef USE_SOLARIS_AUDIT |
160 audit_event(SSH_AUTH_SUCCESS); |
300 audit_event(SSH_AUTH_SUCCESS); |
161 +#endif /* !USE_SOLARIS_AUDIT */ |
301 +#endif /* !USE_SOLARIS_AUDIT */ |
162 #endif |
302 #endif |
163 |
303 |
164 #ifdef GSSAPI |
304 #ifdef GSSAPI |
165 @@ -2169,6 +2171,10 @@ |
305 @@ -2245,6 +2247,10 @@ main(int ac, char **av) |
166 do_pam_session(); |
306 do_pam_session(); |
167 } |
307 } |
168 #endif |
308 #endif |
169 +#ifdef USE_SOLARIS_AUDIT |
309 +#ifdef USE_SOLARIS_AUDIT |
170 + /* Audit should take place after all successful pam */ |
310 + /* Audit should take place after all successful pam */ |