PLEASE TEST snapshots

Darren Cole dcole at keysoftsys.com
Tue Apr 16 04:15:28 EST 2002


> > :A couple of questions about your patch.
> > :--- configure.ac.orig Fri Apr 12 20:57:56 2002
> > :+++ configure.ac Sat Apr 13 10:01:51 2002
> > :@@ -79,6 +79,23 @@
> > :
> > :+*-*-hpux10.26)
> > :[snip]
> > :+ AC_DEFINE(HAVE_SECUREWARE_PW)
> >
> > i'd prefer SecureWare here.

Yes, but I felt that since the original define was SCO_PROTECTED_PW, it made
sense to me to keep it similar.

> > :+ AC_DEFINE(BROKEN_LOGIN)
> >
> > i know i suggested this, but i think we need a better name for login that
> > can't handle "--".
>
> I'm sure whatever names you come up with will be fine.

Yeah, I didn't really like BROKEN_LOGIN either, but it was the best I could
think of.  Maybe instead NO_LOGIN_DOUBLEDASH?

> >
> > :+ AC_DEFINE(TRUSTED_HPUX)
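
Review bot: the new `*-*-hpux10.26)` branch only takes effect if it sits ahead of any broader HP-UX 10 pattern in the same case statement, because the shell takes the first matching pattern; the [snip] hides where the branch was placed, so confirm the ordering. The three AC_DEFINE calls in the branch (HAVE_SECUREWARE_PW, BROKEN_LOGIN, TRUSTED_HPUX) are also one-argument forms with no description, so each needs a matching header template, which is not among the files quoted here.
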
> >
> > was this in the new patch?
>
> Yes, i grabbed attachment 67 from bugzilla

New version of an existing patch (that was also in bugzilla).  In the future
would it be better to just post the patch to the list? Instead of just
bugzilla?

> >
> > :Are all 10.26 machines trusted HP/UX?
> >
> > they are the HP-UX CMW variant.  this patch also requires "uselogin=yes".
> > there is also something called VVOS which might be something like 10.24 or
> > 11.04 which is a hybrid multi-level/CMW thing.
>
> Just wanted to make sure we don't have any 10.26 machines out there that
> will choke on those AC_DEFINES

All 10.26 machines are CMW machines.

> >
> > :--- sshd.c.orig Tue Apr  9 20:19:04 2002
> > :+++ sshd.c Sat Apr 13 10:01:52 2002
> > :@@ -47,7 +47,10 @@
> > : #include <openssl/dh.h>
> > : #include <openssl/bn.h>
> > : #include <openssl/md5.h>
> > :-#include <openssl/rand.h>
> > :^^ was this intentional?

It was unintentional.  It looks like between 3.1p1 and current CVS this
include was added, when I moved my 3.1p1 to CVS current it must have removed
this line.

> > :+#ifdef HAVE_SECUREWARE_PW
> > :+#include <sys/security.h>
> > :+#include <prot.h>
> > :+#endif
> >
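
Review bot: the `-#include <openssl/rand.h>` line at the top of this hunk is unrelated to the HAVE_SECUREWARE_PW includes added below it and should be dropped from the patch, so that sshd.c keeps the header it has in the base tree. The guarded block that adds <sys/security.h> and <prot.h> is fine as a separate, self-contained change; regenerating the diff against the current tree would keep the two from being mixed.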

> The patch seems to work fine on the SCO side.
> I've attached a (slightly modified) diff -u version of attachment 67

I took a quick look and don't see any problems, but will take a better look
shortly.

>> :+ AC_DEFINE(TRUSTED_HPUX)
>> was this in the new patch?

Yes, I used it to ifdef out the lines in session.c to fix a hang on exit
problem.  This is the part from the diff.
*** 1727,1732 ****
--- 1732,1749 ----
    */
   if (c->ostate != CHAN_OUTPUT_CLOSED)
    chan_write_failed(c);
+ #ifdef TRUSTED_HPUX
+  /*
+   * Took two lines from a patch at:
+   * <http://www.math.ualberta.ca/imaging/snfs/>
+   * by John C. Bowman
+   * There is some speculation that you could possibly
+   * see data loss from this on usenet.  But without
+   * this sshd does not exit on logout.
+   */
+  if (s->ttyfd != -1 && c->istate == CHAN_INPUT_OPEN)
+   chan_read_failed(c);
+ #endif
   s->chanid = -1;
  }
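
Review bot: the block under `#ifdef TRUSTED_HPUX` calls chan_read_failed(c) for every session with `s->ttyfd != -1` and `c->istate == CHAN_INPUT_OPEN`, and its own comment admits possible data loss, yet nothing records why sshd fails to exit without it. Because the guard is the platform macro rather than the condition that causes the hang, every tty session on this platform takes the potentially lossy path. Suggest stating the cause of the hang in the comment and, once it is known, testing for that condition directly. The comment's "on usenet" also reads as if the data loss occurs on usenet; reword it to say the speculation was posted there.
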
If the lines of code are not included, exit always hangs.  Even without any
backgrounded processes it will hang.  Other solutions will be warmly
welcomed.

>> :Are all 10.26 machines trusted HP/UX?

>> they are the HP-UX CMW variant.  this patch also requires "uselogin=yes".
>> there is also something called VVOS which might be something like 10.24 or
>> 11.04 which is a hybrid multi-level/CMW thing.

This patch does not require "uselogin=yes" for users to be able to login.
It just requires it if you want all security setup done correctly (clearance
set, privileges set, administration specific to CMW, etc.).  Eventually I
will probably add all the code to do what login does, and add privilege
bracketing.  It is just that right now this is not a priority for what is
needed at work.


Darren Cole
dcole at keysoftsys.com





More information about the openssh-unix-dev mailing list