question on assorted patches
The Alchemist
nospam at magestower.net
Thu Oct 30 05:35:15 EST 2003
I'm trying to put together a starting list of patches required to get
3.7.1p2 working in our environment. I'm pretty sure I need the following
at minimum but would like guidance about a couple of them and direction
on a couple unanswered questions. I've spent most of the morning
trolling the archives, but I feel that I've still got gaps in my
understanding. I would greatly appreciate additional clarification.
My questions are linked as footnotes with numbers in brackets.
Our environment:
- Solaris (2.6, 8) with:
    PAM [1]
    password forced change (both for new accounts and inactivity) [2]
    BSM for some hosts [3]
    Some sparcv9 (64-bit) [4]
- HP-UX (mostly 11.x)
    PAM
    both trusted and untrusted [5]
    password forced change like Solaris [6]
- We're also working on some Linux, but it's probably too early to worry
about it now
So here are my questions/observations:
- [1] Should work fine w/ --use-pam & UsePam=yes except for [2]
- [2] I found a patch from Darren, but according to a later post it
doesn't apply against stock 3.7.1p2. Does anyone have a version that
does? Use of -current disturbs me since I'm trying to write up a
standards doc that will be normative until a new vulnerability arises or
enough other changes take place to warrant upgrade on several hundred
servers.
- [3] We are currently using 3.4p1 with the BSM patch along with
UseLogin=yes for hosts that are BSM enabled. According to one email
with no reply, that patch is MIA for 3.7.1p2. Does anyone have a
replacement?
- [4] I found a patch for this that I plan on using. No worries here.
- [5/6] I've found disturbing comments about issues with trusted. Are
there any good or trial patches to resolve this? Can anyone fully
elaborate what the limitations are?
- General concerns: I understand we'll want to use
keyboard-interactive & publickey for our only auth types. Is this
correct? Anyone have really strong recommendations on openssl/zlib
versions?
Thanks all for a great product,
--Jason
More information about the openssh-unix-dev mailing list