PSARC/2017/022 OpenSSH 7.4
25295722 upgrade OpenSSH to 7.4p1
25295787 problem in UTILITY/OPENSSH
25295804 problem in UTILITY/OPENSSH
25295822 problem in UTILITY/OPENSSH
25295840 problem in UTILITY/OPENSSH
25809379 Openssh 7.4p1 has 3 regressions, fixed in 7.5
25795760 openssh drops connection when GSSAPIAuthentication set to no
#
# Add Solaris Auditing configuration (--with-audit=solaris) to openssh-6.5p1.
#
# Add phase 1 Solaris Auditing of sshd login/logout to openssh-6.5p1.
#
# Additional Solaris Auditing should include audit of password
# change.
# Presuming it is appropriate, this patch should/will be updated
# with additional files and updates to sources/audit-solaris.c
#
# Code is developed by the Solaris Audit team.
# It should/will likely be contributed up stream when done.
# This patch relies on sources/audit-solaris.c being copied into
# the openssh source directory by the Makefile that configures
# using --with-audit=solaris.
#
# The up stream community has been contacted about the plans.
# No reply has yet been received.
#
# An additional patch relying on the --with-audit=solaris configuration
# should/will be created for sftp Solaris Audit and password change.
#
diff -pur old/INSTALL new/INSTALL
--- old/INSTALL
+++ new/INSTALL
@@ -98,9 +98,13 @@ http://www.gnu.org/software/autoconf/
Basic Security Module (BSM):
-Native BSM support is know to exist in Solaris from at least 2.5.1,
-FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
-implementation (http://www.openbsm.org).
+Native BSM support is known to exist in Solaris from at least 2.5.1
+to Solaris 10. From Solaris 11 the previously documented BSM (libbsm)
+interfaces are no longer public and are unsupported. While not public
+interfaces, audit-solaris.c implements Solaris Audit from Solaris 11.
+Native BSM support is known to exist in FreeBSD 6.1 and OS X.
+Alternatively, you may use the OpenBSM implementation
+(http://www.openbsm.org).
2. Building / Installation
@@ -153,8 +157,9 @@ name).
There are a few other options to the configure script:
--with-audit=[module] enable additional auditing via the specified module.
-Currently, drivers for "debug" (additional info via syslog) and "bsm"
-(Sun's Basic Security Module) are supported.
+Currently, drivers for "debug" (additional info via syslog), and "bsm"
+(Sun's Legacy Basic Security Module prior to Solaris 11), and "solaris"
+(Sun's Audit infrastructure from Solaris 11) are supported.
--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).
diff -pur old/Makefile.in new/Makefile.in
--- old/Makefile.in
+++ new/Makefile.in
@@ -100,7 +100,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o s
sshconnect.o sshconnect1.o sshconnect2.o mux.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
- audit.o audit-bsm.o audit-linux.o platform.o \
+ audit.o audit-bsm.o audit-linux.o audit-solaris.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
auth.o auth2.o auth-options.o session.o \
auth2-chall.o groupaccess.o \
diff -pur old/README.platform new/README.platform
--- old/README.platform
+++ new/README.platform
@@ -71,8 +71,8 @@ zlib-devel and pam-devel, on Debian base
libssl-dev, libz-dev and libpam-dev.
-Solaris
--------
+Prior to Solaris 11
+-------------------
If you enable BSM auditing on Solaris, you need to update audit_event(4)
for praudit(1m) to give sensible output. The following line needs to be
added to /etc/security/audit_event:
@@ -85,6 +85,9 @@ There is no official registry of 3rd par
number is already in use on your system, you may change it at build time
by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
+From Solaris 11
+---------------
+Solaris Audit is supported by configuring --with-audit=solaris.
Platforms using PAM
-------------------
diff -pur old/config.h.in new/config.h.in
--- old/config.h.in
+++ new/config.h.in
@@ -1679,6 +1679,9 @@
/* Use Linux audit module */
#undef USE_LINUX_AUDIT
+/* Use Solaris audit module */
+#undef USE_SOLARIS_AUDIT
+
/* Enable OpenSSL engine support */
#undef USE_OPENSSL_ENGINE
diff -pur old/configure.ac new/configure.ac
--- old/configure.ac
+++ new/configure.ac
@@ -1560,10 +1560,21 @@ AC_ARG_WITH([libedit],
AUDIT_MODULE=none
AC_ARG_WITH([audit],
- [ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
+ [ --with-audit=module Enable audit support (modules=debug,bsm,linux,solaris)],
[
AC_MSG_CHECKING([for supported audit module])
case "$withval" in
+ solaris)
+ AC_MSG_RESULT([solaris])
+ AUDIT_MODULE=solaris
+ dnl Checks for headers, libs and functions
+ AC_CHECK_HEADERS([bsm/adt.h], [],
+ [AC_MSG_ERROR([Solaris Audit enabled and bsm/adt.h not found])],
+ []
+ )
+ SSHDLIBS="$SSHDLIBS -lbsm"
+ AC_DEFINE([USE_SOLARIS_AUDIT], [1], [Use Solaris audit module])
+ ;;
bsm)
AC_MSG_RESULT([bsm])
AUDIT_MODULE=bsm
diff -pur old/defines.h new/defines.h
--- old/defines.h
+++ new/defines.h
@@ -645,6 +645,11 @@ struct winsize {
# define CUSTOM_SSH_AUDIT_EVENTS
#endif
+#ifdef USE_SOLARIS_AUDIT
+# define SSH_AUDIT_EVENTS
+# define CUSTOM_SSH_AUDIT_EVENTS
+#endif
+
#if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
# define __func__ __FUNCTION__
#elif !defined(HAVE___func__)
diff -pur old/sshd.c new/sshd.c
--- old/sshd.c
+++ new/sshd.c
@@ -2043,7 +2043,9 @@ main(int ac, char **av)
}
#ifdef SSH_AUDIT_EVENTS
+#ifndef USE_SOLARIS_AUDIT
audit_event(SSH_AUTH_SUCCESS);
+#endif /* !USE_SOLARIS_AUDIT */
#endif
#ifdef GSSAPI
@@ -2073,6 +2075,10 @@ main(int ac, char **av)
do_pam_session();
}
#endif
+#ifdef USE_SOLARIS_AUDIT
+ /* Audit should take place after all successful pam */
+ audit_event(SSH_AUTH_SUCCESS);
+#endif /* USE_SOLARIS_AUDIT */
/*
* In privilege separation, we fork another child and prepare