PSARC/2015/395 OpenSSH 7.1p1
PSARC 2014/390 OpenSSH GSSKEY
21696247 upgrade OpenSSH to 7.1p1
22031540 problem in UTILITY/OPENSSH
22022180 problem in UTILITY/OPENSSH
22048638 problem in UTILITY/OPENSSH
19775805 OpenSSH contains a redundant call to do_pam_setcred()
21379157 OpenSSH shouldn't call setproject(3PROJECT) when configured to use PAM
20919294 upgrade OpenSSH to 6.8p1
19130869 migrate the Xforwarding bug fix (15350344) from SunSSH to OpenSSH
21861322 OpenSSH client hangs on broken pipe
22018764 remove cast128-cbc from OpenSSH
21919790 add GSSKeyEx as an alias to GSSAPIKeyExchange in OpenSSH
19941148 GSS-API Key Exchange for OpenSSH
21643415 OpenSSH should use AI_ADDRCONFIG per bug 19827438
20370803 OpenSSH patch number collision
20711463 OpenSSH wants to be able to login to a role too
22389801 OpenSSH: remove cast from ssh(1), sshd(8), ssh_config(5) and sshd_config(5)
22582153 openssh system/linker should be added to core REQ
#
# Add Solaris Auditing configuration (--with-audit=solaris) to openssh-6.5p1.
#
# Add phase 1 Solaris Auditing of sshd login/logout to openssh-6.5p1.
#
# Additional Solaris Auditing should include audit of password
# change.
# Presuming it is appropriate, this patch should/will be updated
# with additional files and updates to sources/audit-solaris.c
#
# Code is developed by the Solaris Audit team.
# It should/will likely be contributed upstream when done.
# This patch relies on sources/audit-solaris.c being copied into
# the openssh source directory by the Makefile that configures
# using --with-audit=solaris.
#
# The upstream community has been contacted about the plans.
# No reply has yet been received.
#
# An additional patch relying on the --with-audit=solaris configuration
# should/will be created for sftp Solaris Audit and password change.
#
diff -pur old/INSTALL new/INSTALL
--- old/INSTALL 2015-03-16 22:49:20.000000000 -0700
+++ new/INSTALL 2015-05-21 03:54:29.120932630 -0700
@@ -92,9 +92,13 @@ http://www.gnu.org/software/autoconf/
Basic Security Module (BSM):
-Native BSM support is know to exist in Solaris from at least 2.5.1,
-FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
-implementation (http://www.openbsm.org).
+Native BSM support is known to exist in Solaris from at least 2.5.1
+to Solaris 10. From Solaris 11 the previously documented BSM (libbsm)
+interfaces are no longer public and are unsupported. While not public
+interfaces, audit-solaris.c implements Solaris Audit from Solaris 11.
+Native BSM support is known to exist in FreeBSD 6.1 and OS X.
+Alternatively, you may use the OpenBSM implementation
+(http://www.openbsm.org).
2. Building / Installation
@@ -147,8 +151,9 @@ name).
There are a few other options to the configure script:
--with-audit=[module] enable additional auditing via the specified module.
-Currently, drivers for "debug" (additional info via syslog) and "bsm"
-(Sun's Basic Security Module) are supported.
+Currently, drivers for "debug" (additional info via syslog), and "bsm"
+(Sun's Legacy Basic Security Module prior to Solaris 11), and "solaris"
+(Sun's Audit infrastructure from Solaris 11) are supported.
--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).
diff -pur old/Makefile.in new/Makefile.in
--- old/Makefile.in 2015-12-07 15:43:45.335711670 -0800
+++ new/Makefile.in 2015-12-07 15:51:37.440455000 -0800
@@ -98,7 +98,7 @@ SSHOBJS= ssh.o readconf.o clientloop.o s
roaming_common.o roaming_client.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
- audit.o audit-bsm.o audit-linux.o platform.o \
+ audit.o audit-bsm.o audit-linux.o audit-solaris.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
auth.o auth1.o auth2.o auth-options.o session.o \
auth-chall.o auth2-chall.o groupaccess.o \
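Review bot: audit-solaris.o is added to SSHDOBJS unconditionally, next to audit-bsm.o and audit-linux.o, so every sshd build — not only one configured with --with-audit=solaris — now needs audit-solaris.c present in the source tree. The patch description says the file is copied in by the Makefile that configures with --with-audit=solaris; if that copy does not happen for the other audit modules, the link step fails on the missing object. Either make sure the file is always present (with its body guarded by USE_SOLARIS_AUDIT like the other modules, which I assume is the case but cannot see here) or have configure add it to SSHDOBJS only for the solaris module. The SSHDOBJS list continues outside the hunk.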
diff -pur old/README.platform new/README.platform
--- old/README.platform 2015-03-16 22:49:20.000000000 -0700
+++ new/README.platform 2015-05-21 03:54:29.121331205 -0700
@@ -68,8 +68,8 @@ zlib-devel and pam-devel, on Debian base
libssl-dev, libz-dev and libpam-dev.
-Solaris
--------
+Prior to Solaris 11
+-------------------
If you enable BSM auditing on Solaris, you need to update audit_event(4)
for praudit(1m) to give sensible output. The following line needs to be
added to /etc/security/audit_event:
@@ -82,6 +82,9 @@ There is no official registry of 3rd par
number is already in use on your system, you may change it at build time
by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
+From Solaris 11
+---------------
+Solaris Audit is supported by configuring --with-audit=solaris.
Platforms using PAM
-------------------
diff -pur old/config.h.in new/config.h.in
--- old/config.h.in 2015-05-21 03:54:29.047656051 -0700
+++ new/config.h.in 2015-05-21 03:54:29.121686621 -0700
@@ -1635,6 +1635,9 @@
/* Use Linux audit module */
#undef USE_LINUX_AUDIT
+/* Use Solaris audit module */
+#undef USE_SOLARIS_AUDIT
+
/* Enable OpenSSL engine support */
#undef USE_OPENSSL_ENGINE
diff -pur old/configure new/configure
--- old/configure 2015-05-21 03:54:29.053171257 -0700
+++ new/configure 2015-05-21 06:53:04.579282150 -0700
@@ -1336,7 +1336,7 @@ Optional Packages:
--with-skey[=PATH] Enable S/Key support (optionally in PATH)
--with-ldns[=PATH] Use ldns for DNSSEC support (optionally in PATH)
--with-libedit[=PATH] Enable libedit support for sftp
- --with-audit=module Enable audit support (modules=debug,bsm,linux)
+ --with-audit=module Enable audit support (modules=debug,bsm,linux,solaris)
--with-pie Build Position Independent Executables if possible
--with-ssl-dir=PATH Specify path to OpenSSL installation
--without-openssl-header-check Disable OpenSSL version consistency check
@@ -16106,6 +16106,160 @@ cat >>confdefs.h <<\_ACEOF
_ACEOF
;;
+ solaris)
+ { echo "$as_me:$LINENO: result: solaris" >&5
+echo "${ECHO_T}solaris" >&6; }
+ AUDIT_MODULE=solaris
+
+for ac_header in bsm/adt.h
+do
+as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ { echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+else
+ # Is the header compilable?
+{ echo "$as_me:$LINENO: checking $ac_header usability" >&5
+echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+$ac_includes_default
+#include <$ac_header>
+_ACEOF
+rm -f conftest.$ac_objext
+if { (ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_compile") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then
+ ac_header_compiler=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_compiler=no
+fi
+
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_compiler" >&5
+echo "${ECHO_T}$ac_header_compiler" >&6; }
+
+# Is the header present?
+{ echo "$as_me:$LINENO: checking $ac_header presence" >&5
+echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6; }
+cat >conftest.$ac_ext <<_ACEOF
+/* confdefs.h. */
+_ACEOF
+cat confdefs.h >>conftest.$ac_ext
+cat >>conftest.$ac_ext <<_ACEOF
+/* end confdefs.h. */
+#include <$ac_header>
+_ACEOF
+if { (ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.er1
+ ac_status=$?
+ grep -v '^ *+' conftest.er1 >conftest.err
+ rm -f conftest.er1
+ cat conftest.err >&5
+ echo "$as_me:$LINENO: \$? = $ac_status" >&5
+ (exit $ac_status); } >/dev/null && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then
+ ac_header_preproc=yes
+else
+ echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_header_preproc=no
+fi
+
+rm -f conftest.err conftest.$ac_ext
+{ echo "$as_me:$LINENO: result: $ac_header_preproc" >&5
+echo "${ECHO_T}$ac_header_preproc" >&6; }
+
+# So? What about this header?
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in
+ yes:no: )
+ { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5
+echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;}
+ ac_header_preproc=yes
+ ;;
+ no:yes:* )
+ { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5
+echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5
+echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5
+echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5
+echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5
+echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;}
+ { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5
+echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;}
+ ( cat <<\_ASBOX
+## ------------------------------------------- ##
+## Report this to [email protected] ##
+## ------------------------------------------- ##
+_ASBOX
+ ) | sed "s/^/$as_me: WARNING: /" >&2
+ ;;
+esac
+{ echo "$as_me:$LINENO: checking for $ac_header" >&5
+echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6; }
+if { as_var=$as_ac_Header; eval "test \"\${$as_var+set}\" = set"; }; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+ eval "$as_ac_Header=\$ac_header_preproc"
+fi
+ac_res=`eval echo '${'$as_ac_Header'}'`
+ { echo "$as_me:$LINENO: result: $ac_res" >&5
+echo "${ECHO_T}$ac_res" >&6; }
+
+fi
+if test `eval echo '${'$as_ac_Header'}'` = yes; then
+ cat >>confdefs.h <<_ACEOF
+#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+
+done
+
+ SSHDLIBS="$SSHDLIBS -lbsm"
+cat >>confdefs.h <<\_ACEOF
+#define USE_SOLARIS_AUDIT 1
+_ACEOF
+ ;;
debug)
AUDIT_MODULE=debug
{ echo "$as_me:$LINENO: result: debug" >&5
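Review bot: The result of the bsm/adt.h header check is never acted on: after the `for ac_header in bsm/adt.h` loop, `SSHDLIBS="$SSHDLIBS -lbsm"` and `#define USE_SOLARIS_AUDIT 1` are emitted whether or not the header was found, so a missing header surfaces only later as a compile error in audit-solaris.c rather than at configure time, which I believe is what the existing bsm branch does for bsm/audit.h. An else branch on the `if test ... = yes` test that closes the loop, reporting that Solaris audit was requested but bsm/adt.h was not found and exiting, would match that behaviour. Note also that this branch is inserted directly into the generated configure script and no corresponding configure.ac change is visible in this patch; if configure.ac is not patched elsewhere, regenerating configure will drop the solaris module.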
diff -pur old/defines.h new/defines.h
--- old/defines.h 2015-03-16 22:49:20.000000000 -0700
+++ new/defines.h 2015-05-21 03:54:29.127386034 -0700
@@ -635,6 +635,11 @@ struct winsize {
# define CUSTOM_SSH_AUDIT_EVENTS
#endif
+#ifdef USE_SOLARIS_AUDIT
+# define SSH_AUDIT_EVENTS
+# define CUSTOM_SSH_AUDIT_EVENTS
+#endif
+
#if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
# define __func__ __FUNCTION__
#elif !defined(HAVE___func__)
diff -pur old/sshd.c new/sshd.c
--- old/sshd.c 2015-05-21 03:54:29.070139157 -0700
+++ new/sshd.c 2015-05-21 03:54:29.127803176 -0700
@@ -2215,7 +2215,9 @@ main(int ac, char **av)
}
#ifdef SSH_AUDIT_EVENTS
+#ifndef USE_SOLARIS_AUDIT
audit_event(SSH_AUTH_SUCCESS);
+#endif /* !USE_SOLARIS_AUDIT */
#endif
#ifdef GSSAPI
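Review bot: Under USE_SOLARIS_AUDIT the SSH_AUTH_SUCCESS record is now emitted only after the use_pam block (second sshd.c hunk, after do_pam_session()), so a successful authentication leaves no SSH_AUTH_SUCCESS record if anything between the old and new call sites exits the process; if do_pam_session() fails through fatal(), as I believe it does, the audit trail for that login holds only whatever cleanup_exit() emits. Confirm that the fatal path still produces a record for an authenticated-but-unsessioned login, or emit the event before the PAM session calls and audit the PAM outcome separately. The added comment is vaguer than it needs to be; I would write `/* USE_SOLARIS_AUDIT: the login audit record is deliberately emitted here, after the PAM session setup above, not at authentication time */`. Both hunks lie inside main(), which starts and ends outside them.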
@@ -2245,6 +2247,10 @@ main(int ac, char **av)
do_pam_session();
}
#endif
+#ifdef USE_SOLARIS_AUDIT
+ /* Audit should take place after all successful pam */
+ audit_event(SSH_AUTH_SUCCESS);
+#endif /* USE_SOLARIS_AUDIT */
/*
* In privilege separation, we fork another child and prepare