AIX patch for openssh-3.7.1p2

Matt Richards matter at sover.net
Wed Nov 5 06:48:34 EST 2003


>> I misspoke. The problem actually is privilege separation and setauthdb.
>> setauthdb requires root, sshd is not running as root during privilege
>> separation, so the authentication fails.
>
> When running with Privilege Separation, there are 2 sshd's[1], one running
> as root and one not.  aix_setauthdb() should always be called from the
> privileged sshd process.
>
> If it's not, can you please post a debug (sshd -ddd) where it's failing?


After looking at it some more, it seems to be the setpcred call and
set_authdb. For local users it seems to work okay; however, for AFS/DFS
users, the setpcred fails. I believe it may have something to do with DCE,
but I will investigate further.



debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 24
debug3: mm_request_receive entering
debug3: mm_newkeys_from_blob: 2013cf08(118)
debug2: mac_init: found hmac-md5
debug3: mm_get_keystate: Waiting for second key
debug3: mm_newkeys_from_blob: 2013cf08(118)
debug2: mac_init: found hmac-md5
debug3: mm_get_keystate: Getting compression state
debug3: mm_get_keystate: Getting Network I/O buffers
debug3: mm_share_sync: Share sync
debug3: mm_share_sync: Share sync end
Failed to set process credentials
debug1: Calling cleanup 0x20035490(0x0)
debug2: User child is on pid 20572
debug3: mm_request_receive entering

"Failed to set process credentials" comes from setpcred in
do_setusercontext in session.c.


> (Also, which AIX version, maintenance level and compiler are you using?)

AIX 4.3.3 ML 01 VisualAge C 5.0.2
AIX 5.1.0 ML 00 VisualAge C 5.1.0
AIX 5.2.0 ML 00 VisualAge C 5.2.0

>
>>> I can't follow the changes to configure (which is a machine-generated
>>> file).  What is the issue with the loginfailed test?  Could you post a
>>> patch against configure.ac, which is what autoconf uses to generate
>>> configure?  (preferably "diff -u").
>>
>> The problem here is the configure test of:
>>
>> #ifndef loginfailed
>>    char *p = (char *) loginfailed;
>> #endif
>>
>> loginfailed is not defined by the compiler and is picked up during the
>> linking phase. The patch that I put in tests the linking phase rather
>> than the compiling phase. The code above will always fail on AIX.
>
> That's the output of AC_CHECK_FUNC and it's an #ifndef and not #ifdef.
> Can you please post the fragment of config.log where it's failing?

configure:3281: checking whether loginfailed is declared
configure:3303: /usr/vacpp/bin/cc -c -g  -I/usr/local/include conftest.c >&5
"configure", line 3294.22: 1506-045 (S) Undeclared identifier loginfailed.
configure:3306: $? = 1
configure: failed program was:
#line 3287 "configure"
#include "confdefs.h"
#include <usersec.h>

int
main ()
{
#ifndef loginfailed
  char *p = (char *) loginfailed;
#endif

  ;
  return 0;
}
configure:3322: result: no

>
>> AIX has an odd setup for wtmp. I originally patched the 1.2.27 version of
>> ssh to use AIX's loginsuccess and loginfailed which will take care of
>> wtmp and lastlog. It seems that openssh-3.7.1 changed it and put it under
>> CUSTOM_FAILED_LOGIN define. Defining CUSTOM_FAILED_LOGIN works for this
>> version.
>
> CUSTOM_FAILED_LOGIN should be defined automatically by configure. Again,
> if it's not please post the fragment from config.log where it fails.


CUSTOM_FAILED_LOGIN is not detected/tested by configure. It used to be
part of the AIX build. It is not now. Perhaps it should be an AIX
define instead of CUSTOM_FAILED_LOGIN.

% grep CUSTOM configure
%




