PSARC 2012/335 OpenSSH migration
PSARC 2013/115 Shared configuration for SunSSH & OpenSSH
PSARC 2014/078 OpenSSH 6.5
PSARC 2014/342 pam_unix_session lastlog support
15769261 SUNBT7135649 Deliver OpenSSH 6.0P1 in the userland gate
18205826 upgrade OpenSSH to 6.5p1
19579776 OpenSSH doesn't need to reference lastlog anymore now that PAM session mgmt does
18267729 Delegating credentials in OpenSSH
18828925 migrate the disablebanner feature from SunSSH to OpenSSH
18890096 migrate PAM enhancements from SunSSH to OpenSSH
19629847 OpenSSH does not support Solaris Audit for login/logout.
17997193 misc. problems in Makefile and openssh.p5m
18268681 openssh has non-existent /usr/local/lib in its runpath
18528305 /var/empty should be delivered readonly
19034156 PAM coversation function for passwd auth method has an incorrect assumption
19906401 should set AUTHTOK to NULL after pam_authenticate in sshpam_auth_passwd()
19517432 OpenSSH does not update utmpx on login
19570656 GSSAPIAuthentication option should default to yes
19591379 X11Forwarding and ForwardX11Trusted should default to yes
19465507 Deprecate SunSSH-only server options (e.g. iMaxAuthTriesLog) in OpenSSH
18898794 ssh connections fail with openssh, same config works with sunssh
20549448 OpenSSH X86 server core dump at audit_event
20656125 OpenSSH ed25519 algorithm signature verification failure
18435439 problem in UTILITY/OPENSSH
18491957 problem in UTILITY/OPENSSH
#
# Add Solaris Auditing configuration (--with-audit=solaris) to openssh-6.5p1.
#
# Add phase 1 Solaris Auditing of sshd login/logout to openssh-6.5p1.
#
# Additional Solaris Auditing should include audit of password
# change.
# Presuming it is appropriate, this patch should/will be updated
# with additional files and updates to sources/audit-solaris.c
#
# Code is developed by the Solaris Audit team.
# It should/will likely be contributed up stream when done.
# This patch relies on sources/audit-solaris.c being copied into
# the openssh source directory by the Makefile that configures
# using --with-audit=solaris.
#
# The up stream community has been contacted about the plans.
# No reply has yet been received.
#
# An additional patch relying on the --with-audit=solaris configuration
# should/will be created for sftp Solaris Audit and password change.
#
--- orig/config.h.in 2014-11-05 13:11:59.968745838 -0800
+++ new/config.h.in 2014-10-13 14:00:31.117475979 -0700
@@ -1628,6 +1628,9 @@
/* Use Linux audit module */
#undef USE_LINUX_AUDIT
+/* Use Solaris audit module */
+#undef USE_SOLARIS_AUDIT
+
/* Enable OpenSSL engine support */
#undef USE_OPENSSL_ENGINE
--- orig/configure 2014-11-05 13:11:59.971959419 -0800
+++ new/configure 2014-12-04 08:43:59.945675841 -0800
@@ -1420,7 +1420,7 @@
--with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
--with-ldns[=PATH] Use ldns for DNSSEC support (optionally in PATH)
--with-libedit[=PATH] Enable libedit support for sftp
- --with-audit=module Enable audit support (modules=debug,bsm,linux)
+ --with-audit=module Enable audit support (modules=debug,bsm,linux,solaris)
--with-pie Build Position Independent Executables if possible
--with-ssl-dir=PATH Specify path to OpenSSL installation
--without-openssl-header-check Disable OpenSSL version consistency check
@@ -10185,6 +10185,27 @@
$as_echo "#define USE_LINUX_AUDIT 1" >>confdefs.h
;;
+ solaris)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: solaris" >&5
+$as_echo "solaris" >&6; }
+ AUDIT_MODULE=solaris
+ for ac_header in bsm/adt.h
+do :
+ ac_fn_c_check_header_compile "$LINENO" "bsm/adt.h" "ac_cv_header_bsm_adt_h" ""
+if test "x$ac_cv_header_bsm_adt_h" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_ADT_H 1
+_ACEOF
+
+else
+ as_fn_error $? "Solaris Audit enabled and bsm/adt.h not found" "$LINENO" 5
+fi
+
+done
+
+ SSHDLIBS="$SSHDLIBS -lbsm"
+$as_echo "#define USE_SOLARIS_AUDIT 1" >>confdefs.h
+ ;;
debug)
AUDIT_MODULE=debug
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: debug" >&5
--- orig/defines.h 2014-01-17 05:12:38.000000000 -0800
+++ new/defines.h 2014-09-12 10:09:27.000000000 -0700
@@ -622,6 +622,11 @@
# define CUSTOM_SSH_AUDIT_EVENTS
#endif
+#ifdef USE_SOLARIS_AUDIT
+# define SSH_AUDIT_EVENTS
+# define CUSTOM_SSH_AUDIT_EVENTS
+#endif
+
#if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
# define __func__ __FUNCTION__
#elif !defined(HAVE___func__)
--- orig/INSTALL 2013-03-06 17:33:35.000000000 -0800
+++ new/INSTALL 2014-12-04 08:41:24.369920230 -0800
@@ -97,9 +97,13 @@
Basic Security Module (BSM):
-Native BSM support is know to exist in Solaris from at least 2.5.1,
-FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
-implementation (http://www.openbsm.org).
+Native BSM support is known to exist in Solaris from at least 2.5.1
+to Solaris 10. From Solaris 11 the previously documented BSM (libbsm)
+interfaces are no longer public and are unsupported. While not public
+interfaces, audit-solaris.c implements Solaris Audit from Solaris 11.
+Native BSM support is known to exist in FreeBSD 6.1 and OS X.
+Alternatively, you may use the OpenBSM implementation
+(http://www.openbsm.org).
2. Building / Installation
@@ -152,8 +156,9 @@
There are a few other options to the configure script:
--with-audit=[module] enable additional auditing via the specified module.
-Currently, drivers for "debug" (additional info via syslog) and "bsm"
-(Sun's Basic Security Module) are supported.
+Currently, drivers for "debug" (additional info via syslog), and "bsm"
+(Sun's Legacy Basic Security Module prior to Solaris 11), and "solaris"
+(Sun's Audit infrastructure from Solaris 11) are supported.
--with-pam enables PAM support. If PAM support is compiled in, it must
also be enabled in sshd_config (refer to the UsePAM directive).
--- orig/Makefile.in 2014-11-12 15:18:05.366726810 -0800
+++ new/Makefile.in 2014-11-12 15:22:36.825227512 -0800
@@ -84,7 +84,7 @@
roaming_common.o roaming_client.o
SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
- audit.o audit-bsm.o audit-linux.o platform.o \
+ audit.o audit-bsm.o audit-linux.o audit-solaris.o platform.o \
sshpty.o sshlogin.o servconf.o serverloop.o \
auth.o auth1.o auth2.o auth-options.o session.o \
auth-chall.o auth2-chall.o groupaccess.o \
--- orig/README.platform 2009-08-28 16:14:48.000000000 -0700
+++ new/README.platform 2014-09-12 09:45:50.000000000 -0700
@@ -68,8 +68,8 @@
libssl-dev, libz-dev and libpam-dev.
-Solaris
--------
+Prior to Solaris 11
+-------------------
If you enable BSM auditing on Solaris, you need to update audit_event(4)
for praudit(1m) to give sensible output. The following line needs to be
added to /etc/security/audit_event:
@@ -82,6 +82,9 @@
number is already in use on your system, you may change it at build time
by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
+From Solaris 11
+---------------
+Solaris Audit is supported by configuring --with-audit=solaris.
Platforms using PAM
-------------------
--- orig/sshd.c 2014-11-05 13:11:59.974945893 -0800
+++ new/sshd.c 2014-11-10 13:33:12.279354856 -0800
@@ -2139,7 +2139,9 @@
#endif
#ifdef SSH_AUDIT_EVENTS
+#ifndef USE_SOLARIS_AUDIT
audit_event(SSH_AUTH_SUCCESS);
+#endif /* !USE_SOLARIS_AUDIT */
#endif
#ifdef GSSAPI
@@ -2169,6 +2171,10 @@
do_pam_session();
}
#endif
+#ifdef USE_SOLARIS_AUDIT
+ /* Audit should take place after all successful pam */
+ audit_event(SSH_AUTH_SUCCESS);
+#endif /* USE_SOLARIS_AUDIT */
/*
* In privilege separation, we fork another child and prepare