Potential Patch
Phil Dibowitz
phil at usc.edu
Fri Jul 23 12:13:36 EST 2004
On Thu, Jul 22, 2004 at 07:56:58PM -0500, Ben Lindstrom wrote:
> > Changes:
> > 1. Solaris BSM/Auditd support
> > This is properly ifdef'd out, and I added support in the autoconf stuff to
> [..]
>
> Compare it to http://bugzilla.mindrot.org/show_bug.cgi?id=125 and add to
> that bugzilla report.
I think that looks to be a lot more complete than my patch. My patch only
really enables the auditd handle -- this patch seems to add in all sorts of
other wonderful goodness. Is this expected for inclusion in the next version?
It appears it's been "pending" since about 3.4.
> > 2. We add a logit() call for people doing "ssh host command" to log the user
> > and command (2 places in session.c). Requested by our security staff.
> > Currently my patch does not make this a configuration or compile time option,
> > but I could probably do that without too much work.
> >
>
> Either they should exist.. or not exist.. We don't care for odd compile
> time options.
Fair enough. The question is, do the developers believe these two lines should
exist? I will always have to add them in, so if they could be added, that
would be stellar. I don't think they clutter logs, though it's something some
people may not expect to see in their logs.
--- session.c.orig Sat Feb 28 21:19:25 2004
+++ session.c Sat Feb 28 21:21:59 2004
@@ -340,6 +340,8 @@
if (type == SSH_CMSG_EXEC_CMD) {
command = packet_get_string(&dlen);
debug("Exec command '%.500s'", command);
+ /* USC CHANGE: We log this */
+ logit("User %.100s attempting to executed comand '%.5
00s' on command line", s->pw->pw_name, command);
do_exec(s, command);
xfree(command);
} else {
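Review bot: the message string in the added logit() line misspells both its verb and its object ("attempting to executed comand"); since this line exists so that security staff can grep for it, fix the text before it ships, e.g. `logit("User %.100s attempting to execute command '%.500s'", s->pw->pw_name, command);`. Two further points on the same line: the command text is client-supplied, so confirm that logit() escapes newlines and other control characters before the string reaches syslog, otherwise a command containing a newline would appear as what looks like a second log record; and the new call sits directly after the existing `debug("Exec command '%.500s'", command);`, so at debug verbosity the same command is now recorded twice, which may be acceptable but should be a deliberate choice rather than an accident.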
@@ -1804,6 +1806,8 @@
u_int len;
char *command = packet_get_string(&len);
packet_check_eom();
+ /* USC CHANGE: We log this */
+ logit("User %.100s attempting to executed comand '%.500s' on command line",
s
->pw->pw_name, command);
do_exec(s, command);
xfree(command);
return 1;
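Review bot: this hunk repeats the first hunk's format string verbatim, typo included, so any correction must be made in both places; a small static helper (e.g. `log_exec_request(s->pw->pw_name, command)`, name assumed) would keep the two exec paths from drifting apart and guarantee that log parsers need only one pattern. The `%.100s` and `%.500s` precisions are worth keeping, since they bound the line length for an arbitrarily long client-supplied command. Note also that in both hunks the line is written before do_exec() runs, so "attempting" is the accurate word, but a failed exec is not distinguishable from a successful one from this line alone; if that matters to the security staff, a second message on the failure path would be needed.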
> > 3. Makefile.in change to break up install a bit more. Currently it has an
> > "install" and "install-nokeys". I further broke it into "install"
> > "install-nokeys" and "install-nosysconf" which doesn't try to write anything
> > to the configuration directory (this could be useful when the person
> > installing doesn't have access to that dir, or doesn't want to write to it, or
> > its read-only, or...).
> >
>
> Makes sense in some cases. I'd like to see the patch first.
Sure! I've attached that portion of the patch -- sans cleaning up comments and
such -- just so you can see the Makefile.in changes I made. If you like it, and
depending on whether you like the above or not, I'll make a nicer patch of the
both of them and send it in.
--
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 174 - 213-821-5427
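As an added, defender-side illustration of the logging discussed in this thread (example code written here, not part of the patch, of OpenSSH, or of anything from USC): the block below builds the line the patch's logit() call would emit, applying the same `%.100s` / `%.500s` width limits, escapes control characters in the client-supplied command with a strvis(3)-style octal escaper (an assumed helper; it does not claim to reproduce what sshd's logit() does internally), and then parses a few constructed syslog lines back into (user, command) records. The message text is copied from the patch as posted, spelling included, so the parser matches what that sshd build would actually write.

```python
"""Build and parse the sshd exec-command log line from the posted patch.

Added example; the escaper and the sample syslog lines are constructed here
and are not taken from OpenSSH or from the patch.
"""
import re

# Width limits copied from the patch's printf format: %.100s and %.500s.
USER_MAX = 100
CMD_MAX = 500

# Message text exactly as in the patch as posted (spelling included).
PREFIX = "User "
MIDDLE = " attempting to executed comand '"
SUFFIX = "' on command line"


def vis_safe(data: bytes) -> str:
    """Escape backslash, control bytes, DEL and non-ASCII bytes as \\ooo
    octal, in the spirit of strvis(3) with VIS_OCTAL (assumed helper).
    The result is guaranteed to contain no newline, so one log record
    stays on one physical line."""
    out = []
    for b in data:
        if b == 0x5C:  # backslash itself must be escaped to stay unambiguous
            out.append("\\\\")
        elif b < 0x20 or b >= 0x7F:
            out.append("\\%03o" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def format_exec_log(user: str, command: str) -> str:
    """Produce the patch's log line: truncate like %.100s / %.500s (byte
    counts, as C printf does), then escape the untrusted text."""
    u = vis_safe(user.encode("utf-8")[:USER_MAX])
    c = vis_safe(command.encode("utf-8")[:CMD_MAX])
    return f"{PREFIX}{u}{MIDDLE}{c}{SUFFIX}"


# Optional syslog prefix ("Jul 23 12:13:36 host sshd[1234]: "), then the
# patch's message. The user field is matched non-greedily up to the fixed
# middle text; the command field is everything up to the fixed suffix.
LINE_RE = re.compile(
    r"^(?:.*?sshd\[\d+\]: )?"
    + re.escape(PREFIX) + r"(?P<user>.+?)"
    + re.escape(MIDDLE) + r"(?P<command>.*)"
    + re.escape(SUFFIX) + r"$"
)


def parse_exec_log(line: str):
    """Return {'user': ..., 'command': ...} for one patch-style line,
    or None for any other sshd line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"user": m.group("user"), "command": m.group("command")}


def parse_exec_logs(text: str):
    """One record per physical line; non-matching lines are skipped."""
    return [r for r in (parse_exec_log(l) for l in text.splitlines()) if r]


# Constructed sample syslog excerpt: one unrelated sshd line, one plain
# exec, and one whose command contains a newline. With escaping applied the
# third entry stays a single record instead of spilling onto a second line.
SAMPLE_SYSLOG = "\n".join([
    "Jul 23 12:13:36 host sshd[1234]: Accepted publickey for alice "
    "from 10.0.0.5 port 51234 ssh2",
    "Jul 23 12:13:36 host sshd[1234]: " + format_exec_log("alice", "uptime"),
    "Jul 23 12:14:02 host sshd[1301]: "
    + format_exec_log("bob", "cat /etc/motd\nid"),
])


if __name__ == "__main__":
    for rec in parse_exec_logs(SAMPLE_SYSLOG):
        print(rec)
```

The escaper operates on bytes rather than characters because the C format specifiers truncate by byte count, and because a per-byte octal escape never has to decide whether a partial UTF-8 sequence is "printable". Whatever sshd's own logging does with control characters, a consumer of these lines should still treat one physical line as one record and not attempt to reassemble wrapped text.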