Trusted HP-UX Patch from Re: PLEASE TEST snapshots

Darren Cole dcole at keysoftsys.com
Wed Apr 24 08:27:17 EST 2002


----- Original Message -----
From: "Kevin Steves" <kevin at atomicgears.com>
To: "Darren Cole" <dcole at keysoftsys.com>
Cc: <openssh-unix-dev at mindrot.org>
Sent: Tuesday, April 23, 2002 3:03 PM
Subject: Re: Trusted HP-UX Patch from Re: PLEASE TEST snapshots


> On Tue, 23 Apr 2002, Darren Cole wrote:
> :I checked the patch Tim Rice originally attached.  It works fine for me
> :against the current cvs (maybe twenty minutes old or so).  I would really
> :like to trusted hp-ux working out of the box, so if there is anything I
can
> :do to help testing please let me know.
>
> i have a problem with the following.  why is it needed?
>
> +#ifdef TRUSTED_HPUX
> + /*
> + * Took two lines from a patch at:
> + * <http://www.math.ualberta.ca/imaging/snfs/>
> + * by John C. Bowman
> + * There is some speculation that you could possibly
> + * see data loss from this on usenet.  But without
> + * this sshd does not exit on logout.
> + */
> + if (s->ttyfd != -1 && c->istate == CHAN_INPUT_OPEN)
> + chan_read_failed(c);
> +#endif

The problem is that you always hang on logout if I don't have this code.
If someone has a better fix I would love to have it; I haven't found one yet.
If I log in and immediately type exit without any other commands, ssh hangs.
This is really annoying, and since most people haven't liked this change, I
enabled it only for TRUSTED_HPUX.

> other than that the only other question is why did you add
> disable_ptmx_check?

Login won't work correctly if ptmx is used.  From what I have found, it
appears to be one of the little weird things in trusted HP-UX.

> for now i have this, which is everything but the above against
> -current (the uselogin fix applied to HP-UX in general and has
> already been applied):

Thanks a lot.  If there is anyway to make the above better, or more
acceptable for inclusion let me know.

Darren Cole
dcole at keysoftsys.com

> Index: acconfig.h
> ===================================================================
> RCS file: /var/cvs/openssh/acconfig.h,v
> retrieving revision 1.134
> diff -u -r1.134 acconfig.h
> --- acconfig.h 23 Apr 2002 20:45:56 -0000 1.134
> +++ acconfig.h 23 Apr 2002 21:53:09 -0000
> @@ -15,8 +15,8 @@
>  /* SCO workaround */
>  #undef BROKEN_SYS_TERMIO_H
>
> -/* Define if you have SCO protected password database */
> -#undef HAVE_SCO_PROTECTED_PW
> +/* Define if you have SecureWare-based protected password database */
> +#undef HAVE_SECUREWARE
>
>  /* If your header files don't define LOGIN_PROGRAM, then use this
(detected) */
>  /* from environment and PATH */
> Index: auth-passwd.c
> ===================================================================
> RCS file: /var/cvs/openssh/auth-passwd.c,v
> retrieving revision 1.40
> diff -u -r1.40 auth-passwd.c
> --- auth-passwd.c 4 Apr 2002 19:02:28 -0000 1.40
> +++ auth-passwd.c 23 Apr 2002 21:53:11 -0000
> @@ -55,11 +55,11 @@
>  #  include <hpsecurity.h>
>  #  include <prot.h>
>  # endif
> -# ifdef HAVE_SCO_PROTECTED_PW
> +# ifdef HAVE_SECUREWARE
>  #  include <sys/security.h>
>  #  include <sys/audit.h>
>  #  include <prot.h>
> -# endif /* HAVE_SCO_PROTECTED_PW */
> +# endif /* HAVE_SECUREWARE */
>  # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
>  #  include <shadow.h>
>  # endif
> @@ -102,12 +102,9 @@
>   char *encrypted_password;
>   char *pw_password;
>   char *salt;
> -#ifdef __hpux
> +#if defined(__hpux) || defined(HAVE_SECUREWARE)
>   struct pr_passwd *spw;
> -#endif
> -#ifdef HAVE_SCO_PROTECTED_PW
> - struct pr_passwd *spw;
> -#endif /* HAVE_SCO_PROTECTED_PW */
> +#endif /* __hpux || HAVE_SECUREWARE */
>  #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
>   struct spwd *spw;
>  #endif
> @@ -183,21 +180,20 @@
>   pw_password = spw->sp_pwdp;
>  #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
>
> -#ifdef HAVE_SCO_PROTECTED_PW
> - spw = getprpwnam(pw->pw_name);
> - if (spw != NULL)
> - pw_password = spw->ufld.fd_encrypt;
> -#endif /* HAVE_SCO_PROTECTED_PW */
> -
>  #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
>   if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
>   pw_password = spw->pwa_passwd;
>  #endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */
>
> -#if defined(__hpux)
> +#ifdef HAVE_SECUREWARE
> + if ((spw = getprpwnam(pw->pw_name)) != NULL)
> + pw_password = spw->ufld.fd_encrypt;
> +#endif /* HAVE_SECUREWARE */
> +
> +#if defined(__hpux) && !defined(HAVE_SECUREWARE)
>   if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL)
>   pw_password = spw->ufld.fd_encrypt;
> -#endif /* defined(__hpux) */
> +#endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */
>
>   /* Check for users with no password. */
>   if ((password[0] == '\0') && (pw_password[0] == '\0'))
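Review bot: In the new `HAVE_SECUREWARE` block a failed `getprpwnam()` lookup is ignored, so `pw_password` keeps whatever was assigned earlier in the function, and the empty-password test on the last line of this hunk then runs against that value rather than the protected database entry. Where the protected database is the authority for passwords, it would be safer to reject the login when the lookup returns NULL, for example `else return 0; /* no protected-password entry: fail closed */`, assuming the enclosing function returns 0 for a rejected password (its signature and return statements are outside the hunk). At minimum a comment should state which value `pw_password` holds on that path. The `__hpux` branch directly below has the same fallthrough.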
> @@ -214,18 +210,18 @@
>   else
>   encrypted_password = crypt(password, salt);
>  #else /* HAVE_MD5_PASSWORDS */
> -# ifdef __hpux
> +# if defined(__hpux) && !defined(HAVE_SECUREWARE)
>   if (iscomsec())
>   encrypted_password = bigcrypt(password, salt);
>   else
>   encrypted_password = crypt(password, salt);
>  # else
> -#  ifdef HAVE_SCO_PROTECTED_PW
> +#  ifdef HAVE_SECUREWARE
>   encrypted_password = bigcrypt(password, salt);
>  #  else
>   encrypted_password = crypt(password, salt);
> -#  endif /* HAVE_SCO_PROTECTED_PW */
> -# endif /* __hpux */
> +#  endif /* HAVE_SECUREWARE */
> +# endif /* __hpux && !defined(HAVE_SECUREWARE) */
>  #endif /* HAVE_MD5_PASSWORDS */
>
>   /* Authentication is accepted if the encrypted passwords are identical.
*/
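Review bot: The `HAVE_SECUREWARE` branch calls `bigcrypt()` unconditionally while the `__hpux` branch just above it checks `iscomsec()` first, and nothing in the hunk records why the runtime check is unnecessary here. If the assumption is that a SecureWare build always uses the protected password database, say so next to the call, e.g. `/* SecureWare: protected database is always in use, no iscomsec() check needed */`. The whole block also sits in the `#else` of `HAVE_MD5_PASSWORDS`, so a build with MD5 passwords enabled never reaches `bigcrypt()`; whether that combination can occur on these platforms deserves a comment or a configure-time check. The enclosing function starts and ends outside the hunk.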
> Index: configure.ac
> ===================================================================
> RCS file: /var/cvs/openssh/configure.ac,v
> retrieving revision 1.52
> diff -u -r1.52 configure.ac
> --- configure.ac 23 Apr 2002 20:45:56 -0000 1.52
> +++ configure.ac 23 Apr 2002 21:53:25 -0000
> @@ -91,6 +91,22 @@
>  *-*-darwin*)
>   AC_DEFINE(BROKEN_GETADDRINFO)
>   ;;
> +*-*-hpux10.26)
> + if test -z "$GCC"; then
> + CFLAGS="$CFLAGS -Ae"
> + fi
> +
CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=
1"
> + IPADDR_IN_DISPLAY=yes
> + AC_DEFINE(HAVE_SECUREWARE)
> + AC_DEFINE(USE_PIPES)
> + AC_DEFINE(LOGIN_NO_ENDOPT)
> + AC_DEFINE(LOGIN_NEEDS_UTMPX)
> + AC_DEFINE(DISABLE_SHADOW)
> + AC_DEFINE(DISABLE_UTMP)
> + AC_DEFINE(SPT_TYPE,SPT_PSTAT)
> + LIBS="$LIBS -lxnet -lsec -lsecpw"
> + disable_ptmx_check=yes
> + ;;
>  *-*-hpux10*)
>   if test -z "$GCC"; then
>   CFLAGS="$CFLAGS -Ae"
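Review bot: Nothing in the new `hpux10.26` case says why this release needs its own branch or how its settings differ from the generic `hpux10*` case that follows. Because it selects the password database used for authentication (`HAVE_SECUREWARE`, `-lsec -lsecpw`), that should be recorded. A leading comment such as `# Trusted HP-UX 10.26: SecureWare protected password database, see auth-passwd.c` would do, with a word on `LOGIN_NO_ENDOPT` and `DISABLE_UTMP`, whose purpose is not evident from the hunk. The case also has to stay ahead of `*-*-hpux10*)` because the first matching pattern wins; that ordering dependency is worth a comment too. The `hpux10*` case continues outside the hunk.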
> @@ -235,7 +251,7 @@
>   no_dev_ptmx=1
>   AC_DEFINE(BROKEN_SYS_TERMIO_H)
>   AC_DEFINE(USE_PIPES)
> - AC_DEFINE(HAVE_SCO_PROTECTED_PW)
> + AC_DEFINE(HAVE_SECUREWARE)
>   AC_DEFINE(DISABLE_SHADOW)
>   AC_DEFINE(BROKEN_SAVED_UIDS)
>   AC_CHECK_FUNCS(getluid setluid)
> @@ -249,7 +265,7 @@
>   no_dev_ptmx=1
>   rsh_path="/usr/bin/rcmd"
>   AC_DEFINE(USE_PIPES)
> - AC_DEFINE(HAVE_SCO_PROTECTED_PW)
> + AC_DEFINE(HAVE_SECUREWARE)
>   AC_DEFINE(DISABLE_SHADOW)
>   AC_CHECK_FUNCS(getluid setluid)
>   MANTYPE=man
> @@ -1926,12 +1942,14 @@
>  fi
>
>  if test -z "$no_dev_ptmx" ; then
> - AC_CHECK_FILE("/dev/ptmx",
> - [
> - AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX)
> - have_dev_ptmx=1
> - ]
> - )
> + if test "x$disable_ptmx_check" != "xyes" ; then
> + AC_CHECK_FILE("/dev/ptmx",
> + [
> + AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX)
> + have_dev_ptmx=1
> + ]
> + )
> + fi
>  fi
>  AC_CHECK_FILE("/dev/ptc",
>   [
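Review bot: The added `disable_ptmx_check` test duplicates what `no_dev_ptmx` already does. The outer `if test -z "$no_dev_ptmx"` guards the same `AC_CHECK_FILE`, and other platform cases in this patch set `no_dev_ptmx=1`. Unless `no_dev_ptmx` has further effects outside this hunk that the new platform must avoid, setting `no_dev_ptmx=1` in the platform case would remove the second variable and the nested `if`. If the two must stay separate, fold them into one condition, `if test -z "$no_dev_ptmx" && test "x$disable_ptmx_check" != "xyes" ; then`, and add a comment saying how they differ.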
> Index: sshd.c
> ===================================================================
> RCS file: /var/cvs/openssh/sshd.c,v
> retrieving revision 1.200
> diff -u -r1.200 sshd.c
> --- sshd.c 2 Apr 2002 20:48:20 -0000 1.200
> +++ sshd.c 23 Apr 2002 21:53:35 -0000
> @@ -48,6 +48,10 @@
>  #include <openssl/bn.h>
>  #include <openssl/md5.h>
>  #include <openssl/rand.h>
> +#ifdef HAVE_SECUREWARE
> +#include <sys/security.h>
> +#include <prot.h>
> +#endif
>
>  #include "ssh.h"
>  #include "ssh1.h"
> @@ -785,6 +789,9 @@
>   Key *key;
>   int ret, key_used = 0;
>
> +#ifdef HAVE_SECUREWARE
> + (void)set_auth_parameters(ac, av);
> +#endif
>   __progname = get_progname(av[0]);
>   init_rng();
>
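Review bot: `set_auth_parameters(ac, av)` now runs ahead of `get_progname()` and `init_rng()`, but no comment explains why it has to come first. The call this patch removes sat much later in the function, so the move is presumably deliberate, with the SecureWare routine expected to see the original argument vector before anything else touches it. A comment such as `/* SecureWare: must be called before ac/av are used or modified */` would keep a later cleanup from moving it back. The start of the function is outside the hunk, so whether anything else precedes the call cannot be checked here.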
> @@ -996,10 +1003,6 @@
>   /* Configuration looks good, so exit if in test mode. */
>   if (test_flag)
>   exit(0);
> -
> -#ifdef HAVE_SCO_PROTECTED_PW
> - (void) set_auth_parameters(ac, av);
> -#endif
>
>   /* Initialize the log (it is reinitialized below in case we forked). */
>   if (debug_flag && !inetd_flag)
>
>



