Trusted HP-UX Patch from Re: PLEASE TEST snapshots

Kevin Steves kevin at atomicgears.com
Wed Apr 24 08:03:06 EST 2002


On Tue, 23 Apr 2002, Darren Cole wrote:
:I checked the patch Tim Rice originally attached.  It works fine for me
:against the current cvs (maybe twenty minutes old or so).  I would really
:like to see trusted hp-ux working out of the box, so if there is anything I can
:do to help testing please let me know.

i have a problem with the following.  why is it needed?

+#ifdef TRUSTED_HPUX
+	/*
+	 * Took two lines from a patch at:
+	 *	<http://www.math.ualberta.ca/imaging/snfs/>
+	 * by John C. Bowman
+	 * There is some speculation that you could possibly
+	 * see data loss from this on usenet.  But without
+	 * this sshd does not exit on logout.
+	 */
+	if (s->ttyfd != -1 && c->istate == CHAN_INPUT_OPEN)
+		chan_read_failed(c);
+#endif

other than that the only other question is why did you add
disable_ptmx_check?

for now i have this, which is everything but the above against
-current (the uselogin fix applied to HP-UX in general and has
already been applied):

Index: acconfig.h
===================================================================
RCS file: /var/cvs/openssh/acconfig.h,v
retrieving revision 1.134
diff -u -r1.134 acconfig.h
--- acconfig.h	23 Apr 2002 20:45:56 -0000	1.134
+++ acconfig.h	23 Apr 2002 21:53:09 -0000
@@ -15,8 +15,8 @@
 /* SCO workaround */
 #undef BROKEN_SYS_TERMIO_H

-/* Define if you have SCO protected password database */
-#undef HAVE_SCO_PROTECTED_PW
+/* Define if you have SecureWare-based protected password database */
+#undef HAVE_SECUREWARE

 /* If your header files don't define LOGIN_PROGRAM, then use this (detected) */
 /* from environment and PATH */
Index: auth-passwd.c
===================================================================
RCS file: /var/cvs/openssh/auth-passwd.c,v
retrieving revision 1.40
diff -u -r1.40 auth-passwd.c
--- auth-passwd.c	4 Apr 2002 19:02:28 -0000	1.40
+++ auth-passwd.c	23 Apr 2002 21:53:11 -0000
@@ -55,11 +55,11 @@
 #  include <hpsecurity.h>
 #  include <prot.h>
 # endif
-# ifdef HAVE_SCO_PROTECTED_PW
+# ifdef HAVE_SECUREWARE
 #  include <sys/security.h>
 #  include <sys/audit.h>
 #  include <prot.h>
-# endif /* HAVE_SCO_PROTECTED_PW */
+# endif /* HAVE_SECUREWARE */
 # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
 #  include <shadow.h>
 # endif
@@ -102,12 +102,9 @@
 	char *encrypted_password;
 	char *pw_password;
 	char *salt;
-#ifdef __hpux
+#if defined(__hpux) || defined(HAVE_SECUREWARE)
 	struct pr_passwd *spw;
-#endif
-#ifdef HAVE_SCO_PROTECTED_PW
-	struct pr_passwd *spw;
-#endif /* HAVE_SCO_PROTECTED_PW */
+#endif /* __hpux || HAVE_SECUREWARE */
 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
 	struct spwd *spw;
 #endif
@@ -183,21 +180,20 @@
 		pw_password = spw->sp_pwdp;
 #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */

-#ifdef HAVE_SCO_PROTECTED_PW
-	spw = getprpwnam(pw->pw_name);
-	if (spw != NULL)
-		pw_password = spw->ufld.fd_encrypt;
-#endif /* HAVE_SCO_PROTECTED_PW */
-
 #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
 	if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
 		pw_password = spw->pwa_passwd;
 #endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */

-#if defined(__hpux)
+#ifdef HAVE_SECUREWARE
+	if ((spw = getprpwnam(pw->pw_name)) != NULL)
+		pw_password = spw->ufld.fd_encrypt;
+#endif /* HAVE_SECUREWARE */
+
+#if defined(__hpux) && !defined(HAVE_SECUREWARE)
 	if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL)
 		pw_password = spw->ufld.fd_encrypt;
-#endif /* defined(__hpux) */
+#endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */

 	/* Check for users with no password. */
 	if ((password[0] == '\0') && (pw_password[0] == '\0'))
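Review bot: In the new `HAVE_SECUREWARE` block, a NULL return from `getprpwnam()` leaves `pw_password` at whatever was assigned before this hunk (presumably `pw->pw_passwd`), so a failed protected-database lookup is handled exactly like a successful one. That probably fails closed, because the passwd field is normally a placeholder on such systems, but the code does not say so. I would add a comment such as `/* getprpwnam() failed: keep the passwd entry's field, expected to be a placeholder here */`, or log the failure. The block reads only `ufld.fd_encrypt`; whether the lock and expiry state of the protected entry is enforced is not visible here and should be confirmed in the rest of the function, which starts and ends outside the hunk.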
@@ -214,18 +210,18 @@
 	else
 		encrypted_password = crypt(password, salt);
 #else /* HAVE_MD5_PASSWORDS */
-# ifdef __hpux
+# if defined(__hpux) && !defined(HAVE_SECUREWARE)
 	if (iscomsec())
 		encrypted_password = bigcrypt(password, salt);
 	else
 		encrypted_password = crypt(password, salt);
 # else
-#  ifdef HAVE_SCO_PROTECTED_PW
+#  ifdef HAVE_SECUREWARE
 	encrypted_password = bigcrypt(password, salt);
 #  else
 	encrypted_password = crypt(password, salt);
-#  endif /* HAVE_SCO_PROTECTED_PW */
-# endif /* __hpux */
+#  endif /* HAVE_SECUREWARE */
+# endif /* __hpux && !defined(HAVE_SECUREWARE) */
 #endif /* HAVE_MD5_PASSWORDS */

 	/* Authentication is accepted if the encrypted passwords are identical. */
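Review bot: Neither branch checks the result of `bigcrypt()` or `crypt()` before it is used. `crypt()` may return a null pointer on failure, and the comparison announced by the comment on the last line would then dereference it. The comparison itself lies outside the hunk, so this is inferred. A guard such as `if (encrypted_password == NULL) return 0;` after `#endif /* HAVE_MD5_PASSWORDS */` would make the rejection explicit, assuming 0 is this function's reject value. Separately, the closing comment `/* __hpux && !defined(HAVE_SECUREWARE) */` should mirror its `#if` as `/* defined(__hpux) && !defined(HAVE_SECUREWARE) */`, as the previous hunk does.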
Index: configure.ac
===================================================================
RCS file: /var/cvs/openssh/configure.ac,v
retrieving revision 1.52
diff -u -r1.52 configure.ac
--- configure.ac	23 Apr 2002 20:45:56 -0000	1.52
+++ configure.ac	23 Apr 2002 21:53:25 -0000
@@ -91,6 +91,22 @@
 *-*-darwin*)
 	AC_DEFINE(BROKEN_GETADDRINFO)
 	;;
+*-*-hpux10.26)
+	if test -z "$GCC"; then
+		CFLAGS="$CFLAGS -Ae"
+	fi
+	CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
+	IPADDR_IN_DISPLAY=yes
+	AC_DEFINE(HAVE_SECUREWARE)
+	AC_DEFINE(USE_PIPES)
+	AC_DEFINE(LOGIN_NO_ENDOPT)
+	AC_DEFINE(LOGIN_NEEDS_UTMPX)
+	AC_DEFINE(DISABLE_SHADOW)
+	AC_DEFINE(DISABLE_UTMP)
+	AC_DEFINE(SPT_TYPE,SPT_PSTAT)
+	LIBS="$LIBS -lxnet -lsec -lsecpw"
+	disable_ptmx_check=yes
+	;;
 *-*-hpux10*)
 	if test -z "$GCC"; then
 		CFLAGS="$CFLAGS -Ae"
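Review bot: The `*-*-hpux10.26)` arm only takes effect because it sits above `*-*-hpux10*)`, and nothing in the file records that dependency. `case` takes the first matching pattern, so a later reordering would silently drop `HAVE_SECUREWARE` on this target and build sshd with the non-SecureWare password path. A comment above the arm, for example `# Trusted HP-UX: must precede the generic hpux10* pattern`, would protect the ordering. The generic arm continues past the end of the hunk, so which of the defines actually differ between the two arms is not visible here.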
@@ -235,7 +251,7 @@
 	no_dev_ptmx=1
 	AC_DEFINE(BROKEN_SYS_TERMIO_H)
 	AC_DEFINE(USE_PIPES)
-	AC_DEFINE(HAVE_SCO_PROTECTED_PW)
+	AC_DEFINE(HAVE_SECUREWARE)
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_DEFINE(BROKEN_SAVED_UIDS)
 	AC_CHECK_FUNCS(getluid setluid)
@@ -249,7 +265,7 @@
 	no_dev_ptmx=1
 	rsh_path="/usr/bin/rcmd"
 	AC_DEFINE(USE_PIPES)
-	AC_DEFINE(HAVE_SCO_PROTECTED_PW)
+	AC_DEFINE(HAVE_SECUREWARE)
 	AC_DEFINE(DISABLE_SHADOW)
 	AC_CHECK_FUNCS(getluid setluid)
 	MANTYPE=man
@@ -1926,12 +1942,14 @@
 fi

 if test -z "$no_dev_ptmx" ; then
-	AC_CHECK_FILE("/dev/ptmx",
-		[
-			AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX)
-			have_dev_ptmx=1
-		]
-	)
+	if test "x$disable_ptmx_check" != "xyes" ; then
+		AC_CHECK_FILE("/dev/ptmx",
+			[
+				AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX)
+				have_dev_ptmx=1
+			]
+		)
+	fi
 fi
 AC_CHECK_FILE("/dev/ptc",
 	[
Index: sshd.c
===================================================================
RCS file: /var/cvs/openssh/sshd.c,v
retrieving revision 1.200
diff -u -r1.200 sshd.c
--- sshd.c	2 Apr 2002 20:48:20 -0000	1.200
+++ sshd.c	23 Apr 2002 21:53:35 -0000
@@ -48,6 +48,10 @@
 #include <openssl/bn.h>
 #include <openssl/md5.h>
 #include <openssl/rand.h>
+#ifdef HAVE_SECUREWARE
+#include <sys/security.h>
+#include <prot.h>
+#endif

 #include "ssh.h"
 #include "ssh1.h"
@@ -785,6 +789,9 @@
 	Key *key;
 	int ret, key_used = 0;

+#ifdef HAVE_SECUREWARE
+	(void)set_auth_parameters(ac, av);
+#endif
 	__progname = get_progname(av[0]);
 	init_rng();

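Review bot: The `set_auth_parameters(ac, av)` call now sits ahead of `get_progname(av[0])` with no comment explaining the ordering. The ordering looks deliberate: as far as I know, the SecureWare interfaces expect this call before anything else in `main` uses the arguments. A one-line comment such as `/* SecureWare: must run before argv is read or modified */` would keep a later cleanup from moving it back down to where the last sshd.c hunk removes it. The enclosing function begins and ends outside the hunk.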
@@ -996,10 +1003,6 @@
 	/* Configuration looks good, so exit if in test mode. */
 	if (test_flag)
 		exit(0);
-
-#ifdef HAVE_SCO_PROTECTED_PW
-	(void) set_auth_parameters(ac, av);
-#endif

 	/* Initialize the log (it is reinitialized below in case we forked). */
 	if (debug_flag && !inetd_flag)



