question on assorted patches

Darren Tucker dtucker at zip.com.au
Thu Oct 30 09:10:09 EST 2003


The Alchemist wrote:
> I'm trying to put together a starting list of patches required to get
> 3.7.1p2 working in our environment.  I'm pretty sure I need the following
> at minimum but would like guidance about a couple of them and direction
> on a couple unanswered questions.  I've spent most of the morning
> trolling the archives, but I feel that I've still got gaps in my
> understanding.  I would greatly appreciate additional clarification.
> 
> My questions are linked as footnotes with numbers in brackets
> 
> Our environment:
> - Solaris (2.6, 8) with:
>      PAM  [1]
>      password forced change (both for new accounts and inactivity)  [2]

http://www.zip.com.au/~dtucker/openssh/openssh-3.7.1p2-pwexp24.patch

The only issue is that currently you won't get warnings (e.g. "your password
will expire in x days") but the expiry should work OK.

>      BSM for some hosts [3]

http://bugzilla.mindrot.org/show_bug.cgi?id=125

>      Some sparcv9 (64-bit)  [4]
> - HP-UX (mostly 11.x)
>     PAM
>     both trusted and untrusted [5]

http://www.zip.com.au/~dtucker/openssh/openssh-3.7.1p2-hpux.patch

>     password forces change like Solaris [6]

Same expiry patch as Solaris above.

> - We're also working on some Linux, but it's probably too early to worry
> about it now
> 
> So here are my questions/observations:
>  - [1]  Should work fine w/ --use-pam & UsePam=yes except for [2]
>  - [2]  I found a patch from  Darren, but according to a later post it
> doesn't apply against stock 3.7.1p2.

There's an updated patch now; see the link above.
>  - [5/6]  I've found disturbing comments about issues with trusted.  Are
> there any good or trial patches to resolve this?  Can anyone fully
> elaborate what the limitations are?

a) sshd didn't correctly handle password authentication for Trusted
systems.  We changed it so HP-UX used the normal shadow interface, which
caused:
b) sshd thinks the accounts are locked when they're not
c) sshd thinks the passwords expire 1 day after they're changed

Those are fixed in the current development versions and the HP-UX patch
above.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.




More information about the openssh-unix-dev mailing list