question on assorted patches
Darren Tucker
dtucker at zip.com.au
Thu Oct 30 09:10:09 EST 2003
The Alchemist wrote:
> I'm trying to put togther a starting list of patches required to get
> 3.7.1p2 working in our enviroment. I'm pretty sure I need the following
> at minimum but would like guidance about a couple of them and direction
> on a couple unanswered questions. I've spent most of the morning
> trolling the archives, but I feel that I've still got gaps in my
> understanding. I would greatly appreciate additional clarification.
>
> My questions are linked as footnotes with numbers in brackets
>
> Our environment:
> - Solaris (2.6, 8) with:
> PAM [1]
> password forced change (both for new accounts and inactivity) [2]
http://www.zip.com.au/~dtucker/openssh/openssh-3.7.1p2-pwexp24.patch
The only issue is currently you won't get warnings (eg "your password will
expire in x days") but the expiry should work OK.
> BSM for some hosts [3]
http://bugzilla.mindrot.org/show_bug.cgi?id=125
> Some sparcv9 (64-bit) [4]
> - HP-UX (mostly 11.x)
> PAM
> both trusted and untrusted [5]
http://www.zip.com.au/~dtucker/openssh/openssh-3.7.1p2-hpux.patch
> password forces change like Solaris [6]
Same expiry patch as Solaris above.
> - We're also working on some Linux, but its probably too early to worry
> about it now
>
> So here are my questions/observations:
> - [1] Should work fine w/ --use-pam & UsePam=yes except for [2]
> - [2] I found a patch from Darren, but according to a later post it
> doesn't apply against stock 3.7.1p2.
There's an updated patch now, link see above.
.
> - [5/6] I've found disturbing comments about issues with trusted. Are
> there any good or trial patches to resolve this? Can anyone fully
> elaborate what the limitations are?
a) sshd didn't correctly handle password authentication for Trusted
systems. We changed it so HP-UX used the normal shadow interface, which
caused:
b) sshd thinks the accounts are locked when they're not
c) sshd thinks the passwords expire 1 day after they're changed
Those are fixed in the current development versions and the HP-UX patch
above.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list