OpenSSH 3.5p1, Solaris 8, BSM, cron issue

Darren J Moffat Darren.Moffat at Sun.COM
Sat Oct 19 00:12:25 EST 2002


On Fri, 18 Oct 2002, Ben Lindstrom wrote:

> On Thu, 17 Oct 2002, Jeff Koenig wrote:
>
> > We have started using BSM and have hit the BSM issue where cron is messed up if you SSH into a Solaris 8 box and try to issue a cron job.
> >
> > I noticed the bug here:
> > http://bugzilla.mindrot.org/show_bug.cgi?id=125
> >
> > Is this patch applied to the OpenSSH 3.5p1 release?
> >
>
> No, this patch has not.  There was talk that it conflicted with privsep.
> And that someone was going to look at it and see how to solve the
> conflict.

BSM and privsep is pretty much in the same category as PAM and privsep.
The BSM patch does two things, only one of which impacts the cron job
problem.  The first and most important thing it does is set up the user's
audit mask.  The second is to write login/logout audit records to the BSM
audit log.  Both of these things need uid 0 to work on Solaris.

I believe that if you aren't running privsep and you apply the patch it
should work - but I haven't had time to test this theory.  The patch probably
also needs some rework for 3.5p1 anyway (again haven't had time).

A co-worker in Sun is working on an alternate solution for the audit mask
issue.  What he is trying to do is have it set in a PAM module.  This
should work fine for OpenSSH even in the case of the authentication not
being via PAM since it will be done in pam_setcred().  At this time I'm
not sure if this will be available as a patch for Solaris 8 or not.  However,
if you take the current BSM audit patch for OpenSSH and look for the
bits that do the audit mask setup you could make that PAM module yourself.

-- 
Darren J Moffat



