AIX patch for openssh-3.7.1p2

Darren Tucker dtucker at
Fri Oct 31 08:13:56 EST 2003

Matt Richards wrote:
> I mispoke. The problem actually is privledge separation and setauthdb.
> setauthdb requires root, sshd is not running as root during privledge
> separation, so the authentication fails.

When running with Privilege Separation, there are 2 sshd's[1], one running
as root and one not.  aix_setauthdb() should always be called from the
privileged sshd process.

If it's not, can you please post a debug (sshd -ddd) where it's failing?

(Also, which AIX version, maintenance level and compiler are you using?)

> > I can't follow the changes to configure (which is a machine-generated
> > file).  What is the issue with the loginfailed test?  Could you post a
> > patch against, which is what autoconf uses to generate
> > configure?  (preferably "diff -u").
> The problem here is the configure test of:
> #ifndef loginfailed
>    char *p = (char *) loginfailed;
> #endif
> loginfailed is not defined by the compiler and is picked up during the
> linking phase. The patch that I put in tests the linking phase rather
> than the compiling phase. The code above will always fail on AIX.

That's the output of AC_CHECK_FUNC and it's an #ifndef and not #ifdef. 
Can you please post the fragment of config.log where it's failing?

> AIX has an odd setup for wtmp. I originally patched the 1.2.27 version of
> ssh to use AIX's loginsuccess and loginfailed which will take care of
> wtmp and lastlog. It seems that openssh-3.7.1 changed it and put it under
> CUSTOM_FAILED_LOGIN define. Defining CUSTOM_FAILED_LOGIN, works for this
> version.

CUSTOM_FAILED_LOGIN should be defined automatically be configure.  Again,
if it's not please post the the fragment from config.log where it fails.

[1] Actually for privesep, there are 4 sshds handling a given connections
at various times (not counting the master daemon), but there's normally
only 2 at any given time.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list