AIX patch for openssh-3.7.1p2

Matt Richards matter at sover.net
Fri Oct 31 00:15:48 EST 2003



> I take it your issue is that your failed logins aren't being recorded
> for AFS/DFS?
> 
> The call to setauthdb is needed for correct recording of successful and
> failed logins for some authentication types (eg LDAP).
>
> I can see two possibilities:
> 1) Call loginfailed (and loginsuccess) twice when the authentication DB
> isn't FILES, once with setauthdb(FILES) and once with
> setauthdb(whatever).

I misspoke. The problem actually is privilege separation and setauthdb.
setauthdb requires root, sshd is not running as root during privilege
separation, so the authentication fails.

> I can't follow the changes to configure (which is a machine-generated
> file).  What is the issue with the loginfailed test?  Could you post a
> patch against configure.ac, which is what autoconf uses to generate
> configure?  (preferably "diff -u").

The problem here is the configure test of:

#ifndef loginfailed
   char *p = (char *) loginfailed;
#endif

loginfailed is not defined by the compiler and is picked up during the 
linking phase. The patch that I put in tests the linking phase rather
than the compiling phase. The code above will always fail on AIX.

> Any particular reason you added wtmp?

AIX has an odd setup for wtmp. I originally patched the 1.2.27 version of
ssh to use AIX's loginsuccess and loginfailed which will take care of 
wtmp and lastlog. It seems that openssh-3.7.1 changed it and put it under
CUSTOM_FAILED_LOGIN define. Defining CUSTOM_FAILED_LOGIN works for this
version.



