OpenSSH, Solaris 8, and BSM works with BSM patch, but must disable privilege separation

Jeff Koenig Jeff.Koenig at experian.com
Sat Jan 4 10:30:08 EST 2003 

To get BSM working on Solaris 8 with OpenSSH, I did this:

Download John R. Jackson's OpenSSH 3.5p1 BSM patch here, and save as "patch.tar.gz":
http://bugzilla.mindrot.org/show_bug.cgi?id=125
(NOTE TO OpenSSH DEVELOPERS, can you incorporate this patch into the next version of OpenSSH?)

Installing the OpenSSH 3.5p1 BSM patch:
―--------------------------------------
Turning on Sun BSM auditing requires you to:
Apply the OpenSSH 3.5p1 BSM patch
Disable privilege separation in OpenSSH /usr/local/etc/sshd_config file

You need these applications installed prior to the patch install (you can get the packages from sunfreeware.com):
autoconf 2.53 (SMCautoc)
m4 1.4 (SMCm4)
patch 2.5.4 (SMCpatch)
Perl 5.00503 or higher (SMCperl)

cp openssh-3.5p1.tar.gz /tmp
cp patch.tar.gz /tmp
cd /tmp
gunzip patch.tar.gz
tar xvf patch.tar
gunzip openssh-3.5p1.tar.gz
tar xvf openssh-3.5p1.tar
cd openssh-3.5p1
/usr/local/bin/patch -p0 < ../openssh-vs-bsm/patch-bs-3.5p1
rm -f configure
autoheader
autoconf
./configure --with-pam
make
make install

# Set privilege separation to "no" in /usr/local/etc/sshd_config
# Example:
UsePrivilegeSeparation no

# restart sshd

NOTE:
The following output is "normal" during the patching process:
patching file INSTALL
patching file Makefile.in
patching file auth1.c
patching file auth2-kbdint.c
patching file auth2-passwd.c
patching file auth2-pubkey.c
patching file auth2.c
patching file bsmaudit.c
patching file bsmaudit.h
patching file configure.ac
patching file contrib/solaris/buildpkg.sh
patching file contrib/solaris/postinstall
patching file includes.h
patching file servconf.c
patching file session.c
patching file sshd.c
patching file sshlogin.c
WARNING: Using auxiliary files such as `acconfig.h', `config.h.bot'
WARNING: and `config.h.top', to define templates for `config.h.in'
WARNING: is deprecated and discouraged.

WARNING: Using the third argument of `AC_DEFINE' and
WARNING: `AC_DEFINE_UNQUOTED' allows to define a template without
WARNING: `acconfig.h':

WARNING:   AC_DEFINE([NEED_MAIN], 1,
WARNING:             [Define if a function `main' is needed.])

WARNING: More sophisticated templates can also be produced, see the
WARNING: documentation.
autoheader: `config.h.in' is updated

NOTE:
This is "normal" during compile:
bsmaudit.h:30: warning: ignoring pragma: "@(#)bsmaudit.h        1.1     01/09/17 SMI

More information about the openssh-unix-dev mailing list