21 # should/will be created for sftp Solaris Audit and password change. |
21 # should/will be created for sftp Solaris Audit and password change. |
22 # |
22 # |
23 diff -pur old/INSTALL new/INSTALL |
23 diff -pur old/INSTALL new/INSTALL |
24 --- old/INSTALL |
24 --- old/INSTALL |
25 +++ new/INSTALL |
25 +++ new/INSTALL |
26 @@ -92,9 +92,13 @@ http://www.gnu.org/software/autoconf/ |
26 @@ -98,9 +98,13 @@ http://www.gnu.org/software/autoconf/ |
27 |
27 |
28 Basic Security Module (BSM): |
28 Basic Security Module (BSM): |
29 |
29 |
30 -Native BSM support is know to exist in Solaris from at least 2.5.1, |
30 -Native BSM support is know to exist in Solaris from at least 2.5.1, |
31 -FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM |
31 -FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM |
38 +Alternatively, you may use the OpenBSM implementation |
38 +Alternatively, you may use the OpenBSM implementation |
39 +(http://www.openbsm.org). |
39 +(http://www.openbsm.org). |
40 |
40 |
41 |
41 |
42 2. Building / Installation |
42 2. Building / Installation |
43 @@ -147,8 +151,9 @@ name). |
43 @@ -153,8 +157,9 @@ name). |
44 There are a few other options to the configure script: |
44 There are a few other options to the configure script: |
45 |
45 |
46 --with-audit=[module] enable additional auditing via the specified module. |
46 --with-audit=[module] enable additional auditing via the specified module. |
47 -Currently, drivers for "debug" (additional info via syslog) and "bsm" |
47 -Currently, drivers for "debug" (additional info via syslog) and "bsm" |
48 -(Sun's Basic Security Module) are supported. |
48 -(Sun's Basic Security Module) are supported. |
54 also be enabled in sshd_config (refer to the UsePAM directive). |
54 also be enabled in sshd_config (refer to the UsePAM directive). |
55 diff -pur old/Makefile.in new/Makefile.in |
55 diff -pur old/Makefile.in new/Makefile.in |
56 --- old/Makefile.in |
56 --- old/Makefile.in |
57 +++ new/Makefile.in |
57 +++ new/Makefile.in |
58 @@ -100,7 +100,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o s |
58 @@ -100,7 +100,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o s |
59 roaming_common.o roaming_client.o |
59 sshconnect.o sshconnect1.o sshconnect2.o mux.o |
60 |
60 |
61 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ |
61 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \ |
62 - audit.o audit-bsm.o audit-linux.o platform.o \ |
62 - audit.o audit-bsm.o audit-linux.o platform.o \ |
63 + audit.o audit-bsm.o audit-linux.o audit-solaris.o platform.o \ |
63 + audit.o audit-bsm.o audit-linux.o audit-solaris.o platform.o \ |
64 sshpty.o sshlogin.o servconf.o serverloop.o \ |
64 sshpty.o sshlogin.o servconf.o serverloop.o \ |
65 auth.o auth1.o auth2.o auth-options.o session.o \ |
65 auth.o auth2.o auth-options.o session.o \ |
66 auth-chall.o auth2-chall.o groupaccess.o \ |
66 auth2-chall.o groupaccess.o \ |
67 diff -pur old/README.platform new/README.platform |
67 diff -pur old/README.platform new/README.platform |
68 --- old/README.platform |
68 --- old/README.platform |
69 +++ new/README.platform |
69 +++ new/README.platform |
70 @@ -68,8 +68,8 @@ zlib-devel and pam-devel, on Debian base |
70 @@ -71,8 +71,8 @@ zlib-devel and pam-devel, on Debian base |
71 libssl-dev, libz-dev and libpam-dev. |
71 libssl-dev, libz-dev and libpam-dev. |
72 |
72 |
73 |
73 |
74 -Solaris |
74 -Solaris |
75 -------- |
75 -------- |
76 +Prior to Solaris 11 |
76 +Prior to Solaris 11 |
77 +------------------- |
77 +------------------- |
78 If you enable BSM auditing on Solaris, you need to update audit_event(4) |
78 If you enable BSM auditing on Solaris, you need to update audit_event(4) |
79 for praudit(1m) to give sensible output. The following line needs to be |
79 for praudit(1m) to give sensible output. The following line needs to be |
80 added to /etc/security/audit_event: |
80 added to /etc/security/audit_event: |
81 @@ -82,6 +82,9 @@ There is no official registry of 3rd par |
81 @@ -85,6 +85,9 @@ There is no official registry of 3rd par |
82 number is already in use on your system, you may change it at build time |
82 number is already in use on your system, you may change it at build time |
83 by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding. |
83 by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding. |
84 |
84 |
85 +From Solaris 11 |
85 +From Solaris 11 |
86 +--------------- |
86 +--------------- |
102 #undef USE_OPENSSL_ENGINE |
102 #undef USE_OPENSSL_ENGINE |
103 |
103 |
104 diff -pur old/configure.ac new/configure.ac |
104 diff -pur old/configure.ac new/configure.ac |
105 --- old/configure.ac |
105 --- old/configure.ac |
106 +++ new/configure.ac |
106 +++ new/configure.ac |
107 @@ -1517,10 +1517,21 @@ AC_ARG_WITH([libedit], |
107 @@ -1560,10 +1560,21 @@ AC_ARG_WITH([libedit], |
108 |
108 |
109 AUDIT_MODULE=none |
109 AUDIT_MODULE=none |
110 AC_ARG_WITH([audit], |
110 AC_ARG_WITH([audit], |
111 - [ --with-audit=module Enable audit support (modules=debug,bsm,linux)], |
111 - [ --with-audit=module Enable audit support (modules=debug,bsm,linux)], |
112 + [ --with-audit=module Enable audit support (modules=debug,bsm,linux,solaris)], |
112 + [ --with-audit=module Enable audit support (modules=debug,bsm,linux,solaris)], |
128 AC_MSG_RESULT([bsm]) |
128 AC_MSG_RESULT([bsm]) |
129 AUDIT_MODULE=bsm |
129 AUDIT_MODULE=bsm |
130 diff -pur old/defines.h new/defines.h |
130 diff -pur old/defines.h new/defines.h |
131 --- old/defines.h |
131 --- old/defines.h |
132 +++ new/defines.h |
132 +++ new/defines.h |
133 @@ -635,6 +635,11 @@ struct winsize { |
133 @@ -645,6 +645,11 @@ struct winsize { |
134 # define CUSTOM_SSH_AUDIT_EVENTS |
134 # define CUSTOM_SSH_AUDIT_EVENTS |
135 #endif |
135 #endif |
136 |
136 |
137 +#ifdef USE_SOLARIS_AUDIT |
137 +#ifdef USE_SOLARIS_AUDIT |
138 +# define SSH_AUDIT_EVENTS |
138 +# define SSH_AUDIT_EVENTS |
143 # define __func__ __FUNCTION__ |
143 # define __func__ __FUNCTION__ |
144 #elif !defined(HAVE___func__) |
144 #elif !defined(HAVE___func__) |
145 diff -pur old/sshd.c new/sshd.c |
145 diff -pur old/sshd.c new/sshd.c |
146 --- old/sshd.c |
146 --- old/sshd.c |
147 +++ new/sshd.c |
147 +++ new/sshd.c |
148 @@ -2234,7 +2234,9 @@ main(int ac, char **av) |
148 @@ -2043,7 +2043,9 @@ main(int ac, char **av) |
149 } |
149 } |
150 |
150 |
151 #ifdef SSH_AUDIT_EVENTS |
151 #ifdef SSH_AUDIT_EVENTS |
152 +#ifndef USE_SOLARIS_AUDIT |
152 +#ifndef USE_SOLARIS_AUDIT |
153 audit_event(SSH_AUTH_SUCCESS); |
153 audit_event(SSH_AUTH_SUCCESS); |
154 +#endif /* !USE_SOLARIS_AUDIT */ |
154 +#endif /* !USE_SOLARIS_AUDIT */ |
155 #endif |
155 #endif |
156 |
156 |
157 #ifdef GSSAPI |
157 #ifdef GSSAPI |
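Review bot: The nested `#ifndef USE_SOLARIS_AUDIT` around `audit_event(SSH_AUTH_SUCCESS);` in sshd.c main() has no comment explaining why the success event is skipped for Solaris Audit builds, even though the defines.h section turns on `SSH_AUDIT_EVENTS` for them. A comment above the `#ifndef`, such as `/* Solaris Audit reports success later, after PAM session setup */`, would stop a later reader from mistaking this for a lost audit record. The replacement call appears to sit in the following hunk after `do_pam_session()`, which is cut off in this view. It should be confirmed that a failure between this point and that later call still produces an audit record rather than ending the connection unaudited. main() starts and ends outside the hunk.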
158 @@ -2264,6 +2266,10 @@ main(int ac, char **av) |
158 @@ -2073,6 +2075,10 @@ main(int ac, char **av) |
159 do_pam_session(); |
159 do_pam_session(); |
160 } |
160 } |
161 #endif |
161 #endif |
162 +#ifdef USE_SOLARIS_AUDIT |
162 +#ifdef USE_SOLARIS_AUDIT |
163 + /* Audit should take place after all successful pam */ |
163 + /* Audit should take place after all successful pam */ |