Trusted HP-UX 10.26
Darren Cole
dcole at keysoftsys.com
Wed Mar 27 06:51:16 EST 2002
----- Original Message -----
From: "Kevin Steves" <kevin at atomicgears.com>
To: "Darren Cole" <dcole at keysoftsys.com>
Cc: <openssh-unix-dev at mindrot.org>
Sent: Monday, March 25, 2002 6:04 PM
Subject: Re: Trusted HP-UX 10.26
> On Mon, 25 Mar 2002, Darren Cole wrote:
> :Note: This patch does not do privilege bracketing, nor does it make sshd
> :multilevel aware (if you don't know what this means, don't worry about it)
>
> ah, ok. you can also upgrade to 10.20--why are you using 10.26 then?
The product I am working on requires CMW functionality. Basically, openssh
running on our development systems is a convenience. Initially we just want
openssh working. Later, if needed, we (probably me) will add multilevel
awareness and privilege bracketing.
> :Some asked for separate patches when they are large, but to keep them
> :together if they are all for one fix. At only 184 lines, I figured
> :keeping the patch together was better than 4 or 5 different patches.
> :
> :___patch follows___
> :***************
> :*** 183,190 ****
> :--- 187,209 ----
> :
> : if (authctxt->attempt++ == 0) {
> : /* setup auth context */
> :+ #ifdef TRUSTED_HPUX
> :+ struct pr_passwd *pr_pw = NULL;
> :+ #endif
> : struct passwd *pw = NULL;
> : pw = getpwnam(user);
> :+
> :+ #ifdef TRUSTED_HPUX
> :+ file://Trusted HP-UX passwords are stored differently
> :+ file://you need to call getprpwnam to get the password for
> :+ file://a user.
> :+ pr_pw = getprpwnam(pw->pw_name);
> :+ file://This dies with a bus error, but isn't
> :+ file://this a pointer that should be freed
> :+ file://before we reassign?
> :+ file://free(pw->pw_passwd);
> :+ pw->pw_passwd=pr_pw->ufld.fd_encrypt;
> :+ #endif
> : if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) {
> : authctxt->pw = pwcopy(pw);
> : authctxt->valid = 1;
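Review bot: pw is dereferenced in `pr_pw = getprpwnam(pw->pw_name);` before the `if (pw && allowed_user(pw) ...)` test, so an unknown user name (getpwnam() returning NULL) crashes sshd instead of failing the authentication; pr_pw is likewise never checked before `pw->pw_passwd=pr_pw->ufld.fd_encrypt;`. Move the TRUSTED_HPUX block inside the `if (pw && ...)` branch and return without setting authctxt->valid when getprpwnam() returns NULL. The commented-out `free(pw->pw_passwd);` should be removed rather than left as an open question: getpwnam() hands back a pointer into static storage, which is why freeing it died with a bus error. Replace the munged `file://` comment lines with the `/* */` comments the rest of auth2.c uses.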
>
> i don't understand this. why do you need the hashed password here?
> openssh works today with hp-ux commercial security--why is CMW different?
> see auth-passwd.c. also, why did you change only auth2.c and not auth1.c?
I need the password here because I found that sshd would fail otherwise.
The normal getpwnam does not get the password. Further down (not shown in
the patch) there is a line: authenticated = m->userauth(authctxt);
authctxt now has the password information. Without the getprpwnam call,
authctxt won't get the encrypted password.
Hmm... Now that I know a bit more about autoconf, I see how I could make
HAVE_SCO_PROTECTED_PW be defined on trusted hp-ux. Then I could move this
functionality to auth-passwd.c. Thanks, I will try that before I post my
next try at the patch.
I didn't look at auth1.c because it didn't fail in my testing. (Though it
probably would have if I had tested using the ssh1 protocol.)
> :diff -cr openssh-3.1p1.orig/session.c openssh-3.1p1/session.c
> :*** openssh-3.1p1.orig/session.c Mon Feb 25 15:48:03 2002
> :--- openssh-3.1p1/session.c Fri Mar 22 22:56:30 2002
> :***************
> :*** 1285,1291 ****
> :--- 1285,1297 ----
> : #ifdef LOGIN_NEEDS_TERM
> : (s->term ? s->term : "unknown"),
> : #endif /* LOGIN_NEEDS_TERM */
> :+ #ifdef TRUSTED_HPUX
> :+ // the "--" makes login hang on Trusted HP-UX
> :+ // 10.26
> :+ "-p", "-f", pw->pw_name, (char *)NULL);
> :+ #else
> : "-p", "-f", "--", pw->pw_name, (char *)NULL);
> :+ #endif
> :
> : /* Login couldn't be executed, die. */
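Review bot: dropping the `--` in the TRUSTED_HPUX branch means a user name beginning with `-` is passed to login as an option rather than as the account to log in, which is exactly what the `--` guards against; if login on Trusted HP-UX 10.26 cannot accept `--`, the comment should say so explicitly and the branch should refuse names that start with `-` instead of handing them to login. The two `//` comments should use the `/* */` style session.c uses elsewhere. Duplicating the whole argument line under #ifdef/#else also invites the two copies to drift; wrapping only the `"--",` argument in `#ifndef TRUSTED_HPUX` keeps a single line for the rest.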
>
> do you require UseLogin yes?
Yes. It seems much easier to let login take care of checking and setting
all that needs to be done on a CMW, instead of duplicating all of that work
and code.
> : if (c->ostate != CHAN_OUTPUT_CLOSED)
> : chan_write_failed(c);
> :+ #ifdef TRUSTED_HPUX
> :+ file://Took two lines from a patch at:
> :+ // <http://www.math.ualberta.ca/imaging/snfs/>
> :+ file://by John C. Bowman
> :+ file://There is some speculation that you could possibly
> :+ file://see data loss from this on usenet. But without
> :+ file://this sshd does not exit on logout.
> :+ if (s->ttyfd != -1 && c->istate == CHAN_INPUT_OPEN)
> :+ chan_read_failed(c);
> :+ #endif
> : s->chanid = -1;
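Review bot: calling chan_read_failed() here stops sshd reading from the pty while the input side is still open, so any output the session wrote that sshd has not yet read is lost, which the comment itself concedes ("some speculation that you could possibly see data loss"). The condition `s->ttyfd != -1 && c->istate == CHAN_INPUT_OPEN` is true for every pty session, not only the stuck-logout case, so this changes close behaviour for all sessions. A hang on logout means something is still holding the pty open, and that is what needs diagnosing; as already pointed out in review, this hunk should be dropped from the patch. The `file://` comment lines also need to become a proper `/* */` comment.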
>
> this has been discussed and is wrong.
Okay. How can I fix the problem? I can log in, then immediately log out, and
it will hang every time. That it happens every time without any background
process is a problem. If there is a better solution, please let me know.
> i don't understand the file:// stuff.
Yeah, it got munched. I will attach the patch next time.
As many pointed out, comments like this should not be used. I have fixed
this, so the stupid file:// stuff shouldn't happen again.
Darren Cole
dcole at keysoftsys.com