Mailing List Archive

[Bug 125] add BSM audit support
http://bugzilla.mindrot.org/show_bug.cgi?id=125


alex.bell@bt.com changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |alex.bell@bt.com






------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125


dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #755 is|0 |1
obsolete| |




------- Additional Comments From dtucker@zip.com.au 2005-01-30 00:46 -------
Created an attachment (id=793)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=793&action=view)
Add audit hooks to sshd

.fixes the problem of lack of privilege in the nologin and save_command events.
The nologin handling is ugly though.



[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125


dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #793 is|0 |1
obsolete| |




------- Additional Comments From dtucker@zip.com.au 2005-01-30 16:24 -------
Created an attachment (id=794)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=794&action=view)
Add audit hooks to sshd

OK, I think this one is ready. (Don't get excited yet folks, it's just the
hooks at this stage.)

I dropped the /etc/nologin handling because it was ugly. With a little
restructuring to do_nologin it can be done cleanly, but it can wait.

Things that ought to be looked at in this patch:

- the audit hooks in the monitor are enabled unconditionally post-auth.
audit_event() is pretty harmless, but audit_run_command takes a string.

- should audit_run_command and/or the monitor do sanity checking (strnvis?
enforce a max length?)




[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125


dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #794 is|0 |1
obsolete| |




------- Additional Comments From dtucker@zip.com.au 2005-01-30 21:33 -------
Created an attachment (id=795)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=795&action=view)
Add audit hooks to sshd.

Now separates authentication and session events, since one SSH2 connection may
carry multiple sessions. (eg "ssh -N" will record a successful authentication
but zero sessions.)

Adds some more auth types (hostbased, gssapi). Adds comments (so it must be
done!)



[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125


dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #795 is|0 |1
obsolete| |




------- Additional Comments From dtucker@zip.com.au 2005-01-31 11:48 -------
Created an attachment (id=796)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=796&action=view)
Add audit hooks to sshd

audit_cleanup() has been replaced with the CONNECTION_CLOSE and
CONNECTION_ABANDON events. Other minor cleanups.

Note that the hooks are (well, should be) now all privsep-aware, so once it's
ported the BSM audit module ought to work fine with privsep.

Now, some questions for the BSM cognoscenti:

- is there a limit on the size of the command that can be written to the audit
log and if so, what?

- why does the original patch save the tty in sav_tty and then not use it?

- how does BSM differentiate between authentication events and session events?
eg the SSH2 protocol allows zero, one or many sessions (ie shells or commands)
to be associated with a single authentication (ie SSH connection). At the
moment, the audit hooks differentiate between a session (ie pty allocated) and
a command (no pty allocated). The original patch seemed to mix these two (it
will write a single login event after authentication but a logout event at
every session close).

- is there a reference on the format of the audit records? the au_* man pages
seem to cover *how* to write them but not *what* to write.



[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125





------- Additional Comments From djm@mindrot.org 2005-02-02 15:46 -------
(From update of attachment 796)
>+/* helper to return supplied username */
>+static const char *
>+audit_username(void)
>+{
>+ static const char unknownuser[] = "(unknown user)";
>+
>+ if (the_authctxt == NULL || the_authctxt->user == NULL)
>+ return (unknownuser);
>+ return (the_authctxt->user);
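
Review bot: the final "return (the_authctxt->user);" hands back the supplied name unmodified, so every caller that writes it to an audit record or a log inherits whatever bytes were sent. Suggest saying in the helper comment that the result is untrusted, and having callers escape control characters and bound the length before writing it.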

What about when !authctxt->valid, shouldn't it return "Invalid User" or
something to prevent leakage of mistyped passwords into logs?

>+void
>+audit_connection_from(const char *host, int port)
>+{
>+ debug("%s: euid %d connection from %s port %d", __func__, geteuid(),
>+ host, port);
>+}
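
Review bot: in the debug() call, geteuid() returns uid_t but is formatted with %d, and uid_t is not guaranteed to be a signed int. Suggest an explicit cast that matches the format, for example (int)geteuid() with %d or (long)geteuid() with %ld.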

Remember: __func__ is verboten :)

>+/*
>+ * Called when various events occur (see audit.h for a list of possible
>+ * events and what they mean).
>+ */
>+void
>+audit_event(ssh_audit_event_t event)
>+{
>+ char *eventstr[] = {
>+ "LOGIN_EXCEED_MAXTRIES",
>+ "LOGIN_ROOT_DENIED",
>+ "AUTH_SUCCESS",
>+ "AUTH_FAIL_NONE",
>+ "AUTH_FAIL_PASSWD",
>+ "AUTH_FAIL_KBDINT",
>+ "AUTH_FAIL_PUBKEY",
>+ "AUTH_FAIL_HOSTBASED",
>+ "AUTH_FAIL_GSSAPI",
>+ "INVALID_USER",
>+ "NOLOGIN",
>+ "CONNECTION_CLOSE",
>+ "CONNECTION_ABANDON",
>+ "AUDIT_UNKNOWN"
>+ };
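
Review bot: eventstr is declared as a plain "char *eventstr[]" local to audit_event(), so the table is not const and the string literals are reachable through writable pointers. Suggest "static const char * const eventstr[]", and since the strings have to be kept in step with the list in audit.h by hand, check the index against the array size before using it.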

Rather than maintaining this list and the mapping for auth method names earlier
in this file, would it be nicer to whack them all into an array-of-struct (int,
char*, char*) and provide lookup functions?

Looks OK otherwise
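
The two logging concerns raised in this thread, the supplied username reaching the logs and the unchecked command string handed to audit_run_command, sketched as an added example that is not code from the OpenSSH patch. The struct, the demo_* function names and the 255-byte cap (taken from the text-token limit discussed in the thread) are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed cap: the 255-byte text-token limit discussed in the thread. */
#define AUDIT_TEXT_MAX ((size_t)255)

/* Hypothetical stand-in for sshd's Authctxt; only the fields used here. */
struct demo_authctxt {
    int valid;          /* non-zero once the name matched a real account */
    const char *user;   /* name supplied by the client, untrusted */
};

/*
 * Name to place in an audit record. Names that did not match an account
 * are masked, since a password typed at the wrong prompt arrives here.
 */
static const char *
demo_audit_username(const struct demo_authctxt *ctx)
{
    if (ctx == NULL || ctx->user == NULL)
        return "(unknown user)";
    if (!ctx->valid)
        return "(invalid user)";
    return ctx->user;
}

/*
 * Copy src into dst for logging. Printable ASCII is kept, a backslash is
 * doubled, and every other byte becomes a 3-digit octal escape. Output is
 * limited to min(dstlen - 1, AUDIT_TEXT_MAX) bytes and an escape is never
 * cut in half. Returns 1 if truncated, 0 if it fit, -1 on bad arguments.
 */
static int
demo_audit_sanitize(const char *src, char *dst, size_t dstlen)
{
    const unsigned char *p;
    size_t cap, need, o = 0;

    if (src == NULL || dst == NULL || dstlen == 0)
        return -1;
    cap = dstlen - 1 < AUDIT_TEXT_MAX ? dstlen - 1 : AUDIT_TEXT_MAX;

    for (p = (const unsigned char *)src; *p != '\0'; p++) {
        if (*p == '\\')
            need = 2;
        else if (*p >= 0x20 && *p < 0x7f)
            need = 1;
        else
            need = 4;
        if (o + need > cap) {           /* would overflow: stop cleanly */
            dst[o] = '\0';
            return 1;
        }
        if (need == 1) {
            dst[o++] = (char)*p;
        } else if (need == 2) {
            dst[o++] = '\\';
            dst[o++] = '\\';
        } else {
            dst[o++] = '\\';
            dst[o++] = (char)('0' + ((*p >> 6) & 7));
            dst[o++] = (char)('0' + ((*p >> 3) & 7));
            dst[o++] = (char)('0' + (*p & 7));
        }
    }
    dst[o] = '\0';
    return 0;
}

int
main(void)
{
    /* Constructed sample input: a command carrying an embedded newline. */
    const char *cmd = "id\nforged: record";
    struct demo_authctxt ctx = { 0, "hunter2" };
    char buf[64];

    demo_audit_sanitize(cmd, buf, sizeof(buf));
    printf("user=%s command=%s\n", demo_audit_username(&ctx), buf);
    return 0;
}
```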




[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125





------- Additional Comments From dtucker@zip.com.au 2005-02-03 00:25 -------
Patch #796 has been committed so the hooks are in. Will attach my current
working patch for the BSM part shortly.



[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125


dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #756 is|0 |1
obsolete| |
Attachment #796 is|0 |1
obsolete| |




------- Additional Comments From dtucker@zip.com.au 2005-02-03 00:43 -------
Created an attachment (id=800)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=800&action=view)
Use audit hooks for BSM auditing (still work in progress)




[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125


dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #800 is|0 |1
obsolete| |




------- Additional Comments From dtucker@zip.com.au 2005-02-06 12:40 -------
Created an attachment (id=804)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=804&action=view)
Use audit hooks for BSM auditing

I think this is ready to start testing. I have put up a snapshot with the
patch applied at:
http://www.zip.com.au/~dtucker/tmp/openssh-audit-bsm.tar.gz

There's some code in the patch #if'ed out. I think the code in question should
be removed but it's left there for discussion.

Remaining issues:

- what is the correct way to construct the device identifier part of Terminal
ID? The telnet events seem to use something other than a source port.

- what is the value of logging the command supplied to sshd? It seems to be an
attempt to mimic AUE_rshd but it's not equivalent since there may be zero, one
or many command sessions supplied in a given sshd session.

Would this not be better handled by using the built-in "ex" class? Appending
it as text token to the logout event seems wrong for a couple of reasons:
- it'll only ever record the last command supplied
- by my read the text tokens are limited to 255 bytes in length (or 127 if
the "length" field is unsigned, the docs don't say).

If it's really required then should it not be a separate event number?

- why does the patch call GetAuditFunc(&now, sizeof (now))? AFAICT the "now"
struct is never used after being populated.

- why does the original patch save the tty name? AFAICT it's never used.

- should all of the au_* functions have their return codes checked, or is
checking au_close() adequate?

- what values should be specified with the return token? praudit seems to
interpret the "process error" as an errno. Are these just picked arbitrarily
by the application, with zero as success? I noticed that later patches try to
use error numbers from 240 - 255, outside of the errno range, is this
advisable? And are these expected to be stable for a given application (ie
sshd)?



[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125





------- Additional Comments From phil@usc.edu 2005-02-06 13:33 -------
For what it's worth, the security team at USC will begin testing this as a
replacement for our inferior in-house auditd patch around the last week in
February - we've been pushed back a bit.

-Phil



[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125


dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #804 is|0 |1
obsolete| |




------- Additional Comments From dtucker@zip.com.au 2005-02-11 17:30 -------
Created an attachment (id=820)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=820&action=view)
Use audit hooks for BSM auditing

Update to match recent changes in the audit interface in sshd.

Note that the argument to enable it has changed, use
$ ./configure --with-audit=bsm [other flags]

A patched snapshot tarball is also available at:
http://www.zip.com.au/~dtucker/tmp/openssh-audit-bsm.tar.gz

Anyone interested in seeing this in the next release really should test this...




[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125





------- Additional Comments From djm@mindrot.org 2005-02-14 12:10 -------
(From update of attachment 820)
>Index: audit-bsm.c
...
>+/*
>+ * Copyright 1988-2002 Sun Microsystems, Inc. All rights reserved.
>+ * Use is subject to license terms.

If you have made substantial changes to this file, you should assert copyright
too.

>+#ifndef HAVE_GETTEXT
>+# define gettext(a) (a)
>+#endif

Is this necessary for auditing? Can we just scrub out the couple of gettext
references? We don't internationalise any other messages from sshd...

>Index: audit-bsm.h
...
>+#include "includes.h"
>+#ifdef USE_BSM_AUDIT
>+
>+#ifndef AUE_openssh
>+# define AUE_openssh 32800
>+#endif
>+#include <bsm/audit.h>
>+#include <bsm/libbsm.h>
>+#include <bsm/audit_uevents.h>
>+#include <bsm/audit_record.h>
>+#include <locale.h>
>+
>+#if defined(HAVE_GETAUDIT_ADDR)
>+#define AuditInfoStruct auditinfo_addr
>+#define AuditInfoTermID au_tid_addr_t
>+#define GetAuditFunc(a,b) getaudit_addr((a),(b))
>+#define GetAuditFuncText "getaudit_addr"
>+#define SetAuditFunc(a,b) setaudit_addr((a),(b))
>+#define SetAuditFuncText "setaudit_addr"
>+#define AUToSubjectFunc au_to_subject_ex
>+#define AUToReturnFunc(a,b) au_to_return32((a), (int32_t)(b))
>+#else
>+#define AuditInfoStruct auditinfo
>+#define AuditInfoTermID au_tid_t
>+#define GetAuditFunc(a,b) getaudit(a)
>+#define GetAuditFuncText "getaudit"
>+#define SetAuditFunc(a,b) setaudit(a)
>+#define SetAuditFuncText "setaudit"
>+#define AUToSubjectFunc au_to_subject
>+#define AUToReturnFunc(a,b) au_to_return((a), (u_int)(b))
>+#endif
>+
>+extern int cannot_audit(int);
>+extern void aug_init(void);
>+extern dev_t aug_get_port(void);
>+extern int aug_get_machine(char *, u_int32_t *, u_int32_t *);
>+extern void aug_save_auid(au_id_t);
>+extern void aug_save_uid(uid_t);
>+extern void aug_save_euid(uid_t);
>+extern void aug_save_gid(gid_t);
>+extern void aug_save_egid(gid_t);
>+extern void aug_save_pid(pid_t);
>+extern void aug_save_asid(au_asid_t);
>+extern void aug_save_tid(dev_t, unsigned int);
>+extern void aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t);
>+extern int aug_save_me(void);
>+extern int aug_save_namask(void);
>+extern void aug_save_event(au_event_t);
>+extern void aug_save_sorf(int);
>+extern void aug_save_text(char *);
>+extern void aug_save_text1(char *);
>+extern void aug_save_text2(char *);
>+extern void aug_save_na(int);
>+extern void aug_save_user(char *);
>+extern void aug_save_path(char *);
>+extern int aug_save_policy(void);
>+extern void aug_save_afunc(int (*)(int));
>+extern int aug_audit(void);
>+extern int aug_na_selected(void);
>+extern int aug_selected(void);
>+extern int aug_daemon_session(void);
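
Review bot: the two AUToReturnFunc definitions cast the value differently, (int32_t)(b) in the HAVE_GETAUDIT_ADDR branch and (u_int)(b) in the fallback, so a negative value would be recorded with different signedness depending on which branch is compiled. Suggest a comment next to the macros stating the range of values callers may pass, and noting that GetAuditFunc(a,b) and SetAuditFunc(a,b) drop b in the fallback branch.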

Wouldn't most of this stuff be better off living in audit-bsm.c? It isn't used
elsewhere in the tree.

>Index: configure.ac
...
>+ # These are optional
>+ AC_CHECK_FUNCS(getaudit_addr gettext)
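
Review bot: AC_CHECK_FUNCS(getaudit_addr gettext) only defines HAVE_GETAUDIT_ADDR and HAVE_GETTEXT and adds nothing to LIBS. If gettext stays, a build where it lives in a separate library needs something like AC_SEARCH_LIBS([gettext], [intl]) so that the link step picks the library up.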

Ditto comment about gettext above.




[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125





------- Additional Comments From dtucker@zip.com.au 2005-02-15 19:32 -------
(In reply to comment #41)
> If you have made substantial changes to this file, you should assert copyright
> too.

My main contribution appears to be repeated use of the "d" key :-)

> Is this necessary for auditing? Can we just scrub out the couple of gettext
> references? We don't internationalise any other messages from sshd...

I don't know if it's required but it was in the original patches. I just made
it optional.

> >Index: audit-bsm.h
[...]
> Wouldn't most of this stuff be better off living in audit-bsm.c? It isn't used
> elsewhere in the tree.

The original idea was to move the OS interface out of the way so I could
concentrate on the code. It can go back into audit-bsm.c.



[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125


dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #820 is|0 |1
obsolete| |




------- Additional Comments From dtucker@zip.com.au 2005-02-15 19:47 -------
Created an attachment (id=826)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=826&action=view)
Use audit hooks for BSM auditing

Update with djm's feedback. Also removed all of the #ifdef'ed out code.



[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125


djm@mindrot.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Attachment #826| |ok+
Flag| |




------- Additional Comments From djm@mindrot.org 2005-02-15 20:22 -------
(From update of attachment 826)
>Index: LICENCE
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/LICENCE,v
>retrieving revision 1.17
>diff -u -p -r1.17 LICENCE
>--- LICENCE 5 Nov 2004 09:00:03 -0000 1.17
>+++ LICENCE 30 Jan 2005 12:15:38 -0000
>@@ -203,6 +203,7 @@ OpenSSH contains no GPL code.
> Wayne Schroeder
> William Jones
> Darren Tucker
>+ Sun Microsystems
>
> * Redistribution and use in source and binary forms, with or without
> * modification, are permitted provided that the following conditions
>Index: Makefile.in
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/Makefile.in,v
>retrieving revision 1.268
>diff -u -p -r1.268 Makefile.in
>--- Makefile.in 2 Feb 2005 13:20:53 -0000 1.268
>+++ Makefile.in 2 Feb 2005 13:27:40 -0000
>@@ -85,7 +85,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passw
> monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o \
> auth-krb5.o \
> auth2-gss.o gss-serv.o gss-serv-krb5.o \
>- loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o audit.o
>+ loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
>+ audit.o audit-bsm.o
>
> MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out sshd_config.5.out ssh_config.5.out
> MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 sshd_config.5 ssh_config.5
>Index: README.platform
>===================================================================
>RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/README.platform,v
>retrieving revision 1.2
>diff -u -p -r1.2 README.platform
>--- README.platform 23 Apr 2004 08:57:13 -0000 1.2
>+++ README.platform 30 Jan 2005 12:15:38 -0000
>@@ -23,8 +23,20 @@ openssl-devel, zlib, minres, minires-dev
>
> Solaris
> -------
>-Currently, sshd does not support BSM auditting. This can show up as errors
>-when editting cron entries via crontab. See.
>-http://bugzilla.mindrot.org/show_bug.cgi?id=125
>+If you enable BSM auditing on Solaris, you need to update audit_event(4)
>+for praudit(1m) to give sensible output. The following line needs to be
>+added to /etc/security/audit_event:
>+
>+ 32800:AUE_openssh:OpenSSH login:lo
>+
>+If the contrib/buildpkg.sh script is used, the included postinstall
>+script will add the line for you.
>+
>+The BSM audit event range available for third party TCB applications is
>+32768 - 65535. Event number 32800 has been choosen for AUE_openssh.
>+There is no official registry of 3rd party event numbers, so if this
>+number is already in use on your system, you may change it at build time
>+by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
>+
>
> $Id: README.platform,v 1.2 2004/04/23 08:57:13 dtucker Exp $
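
Review bot: the added paragraph on changing the event number says to configure with --with-cflags=-DAUE_openssh=32801 but does not say that the audit_event line shown a few lines earlier has to carry the same number, otherwise praudit will not name the event. Suggest adding that sentence. Nit in the same paragraph: "choosen" should be "chosen".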
>Index: audit-bsm.c
>===================================================================
>RCS file: audit-bsm.c
>diff -N audit-bsm.c
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ audit-bsm.c 15 Feb 2005 08:41:13 -0000
>@@ -0,0 +1,329 @@
>+/* $Id$ */
>+
>+/*
>+ * TODO
>+ *
>+ * - deal with overlap between this and sys_auth_allowed_user
>+ * sys_auth_record_login and record_failed_login.
>+ */
>+
>+/*
>+ * Copyright 1988-2002 Sun Microsystems, Inc. All rights reserved.
>+ * Use is subject to license terms.
>+ *
>+ * Redistribution and use in source and binary forms, with or without
>+ * modification, are permitted provided that the following conditions
>+ * are met:
>+ * 1. Redistributions of source code must retain the above copyright
>+ * notice, this list of conditions and the following disclaimer.
>+ * 2. Redistributions in binary form must reproduce the above copyright
>+ * notice, this list of conditions and the following disclaimer in the
>+ * documentation and/or other materials provided with the distribution.
>+ *
>+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
>+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
>+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
>+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
>+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
>+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
>+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
>+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
>+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
>+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
>+ *
>+ */
>+/* #pragma ident "@(#)bsmaudit.c 1.1 01/09/17 SMI" */
>+
>+#include "includes.h"
>+#if defined(USE_BSM_AUDIT)
>+
>+#include "ssh.h"
>+#include "log.h"
>+#include "auth.h"
>+#include "xmalloc.h"
>+
>+#ifndef AUE_openssh
>+# define AUE_openssh 32800
>+#endif
>+#include <bsm/audit.h>
>+#include <bsm/libbsm.h>
>+#include <bsm/audit_uevents.h>
>+#include <bsm/audit_record.h>
>+#include <locale.h>
>+
>+#if defined(HAVE_GETAUDIT_ADDR)
>+#define AuditInfoStruct auditinfo_addr
>+#define AuditInfoTermID au_tid_addr_t
>+#define GetAuditFunc(a,b) getaudit_addr((a),(b))
>+#define GetAuditFuncText "getaudit_addr"
>+#define SetAuditFunc(a,b) setaudit_addr((a),(b))
>+#define SetAuditFuncText "setaudit_addr"
>+#define AUToSubjectFunc au_to_subject_ex
>+#define AUToReturnFunc(a,b) au_to_return32((a), (int32_t)(b))
>+#else
>+#define AuditInfoStruct auditinfo
>+#define AuditInfoTermID au_tid_t
>+#define GetAuditFunc(a,b) getaudit(a)
>+#define GetAuditFuncText "getaudit"
>+#define SetAuditFunc(a,b) setaudit(a)
>+#define SetAuditFuncText "setaudit"
>+#define AUToSubjectFunc au_to_subject
>+#define AUToReturnFunc(a,b) au_to_return((a), (u_int)(b))
>+#endif
>+
>+extern int cannot_audit(int);
>+extern void aug_init(void);
>+extern dev_t aug_get_port(void);
>+extern int aug_get_machine(char *, u_int32_t *, u_int32_t *);
>+extern void aug_save_auid(au_id_t);
>+extern void aug_save_uid(uid_t);
>+extern void aug_save_euid(uid_t);
>+extern void aug_save_gid(gid_t);
>+extern void aug_save_egid(gid_t);
>+extern void aug_save_pid(pid_t);
>+extern void aug_save_asid(au_asid_t);
>+extern void aug_save_tid(dev_t, unsigned int);
>+extern void aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t);
>+extern int aug_save_me(void);
>+extern int aug_save_namask(void);
>+extern void aug_save_event(au_event_t);
>+extern void aug_save_sorf(int);
>+extern void aug_save_text(char *);
>+extern void aug_save_text1(char *);
>+extern void aug_save_text2(char *);
>+extern void aug_save_na(int);
>+extern void aug_save_user(char *);
>+extern void aug_save_path(char *);
>+extern int aug_save_policy(void);
>+extern void aug_save_afunc(int (*)(int));
>+extern int aug_audit(void);
>+extern int aug_na_selected(void);
>+extern int aug_selected(void);
>+extern int aug_daemon_session(void);
>+
>+#ifndef HAVE_GETTEXT
>+# define gettext(a) (a)
>+#endif
>+
>+extern Authctxt *the_authctxt;
>+static AuditInfoTermID ssh_bsm_tid;
>+
>+/* Below is the low-level BSM interface code */
>+
>+/*
>+ * Check if the specified event is selected (enabled) for auditting.
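
Review bot: the aug_* prototypes are declared extern inside audit-bsm.c itself; if those helpers are defined further down in this file and used nowhere else, declare them static so they are not exported from sshd. The "extern Authctxt *the_authctxt;" line would also be better coming from a header than being redeclared here.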

s/auditting/auditing/

I think configure should print a "read the README.bsm" or something if BSM is
enabled.

Otherwise OK.




[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125





------- Additional Comments From dtucker@zip.com.au 2005-02-23 21:58 -------
Thanks, this has now been applied and it's in the snaps:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/

The package stuff needs to be re-done.



[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125





------- Additional Comments From phil@usc.edu 2005-02-25 13:09 -------
So we've done some internal testing with the latest snapshot over the last two
days, and things look good. It's not a thorough test, but the logging is as we
would expect, and everything else looks as expected.

A huge thanks to all the people who helped with this.



[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125





------- Additional Comments From dtucker@zip.com.au 2005-03-05 10:12 -------
Created an attachment (id=845)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=845&action=view)
allow audit events earlier

Remaining issues:
1) Unpermitted monitor requests under some conditions. Believed fixed by the
attached patch, awaiting confirmation. (reported by Phil Dibowitz):
fatal: monitor_read: unpermitted request 56
fatal: mm_request_send: write

2) Another error reported by Matt Goebel: on disconnect without successful
authentication. Similar to above but does not have the "unpermitted request".
Not fixed by attached patch, so is either a different issue to above, or is and
the above does not fix it:
fatal: mm_request_send: write

3) If GNU libintl is found by configure then the library must be added by hand
to the LIBS list. Also reported by Matt Goebel.
(either fix configure or remove gettext() from the BSM code).



[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125





------- Additional Comments From phil@usc.edu 2005-03-05 10:41 -------
I was in the midst of a campus-wide upgrade to 3.9 from 3.8. I'm recompiling the
test version with the patch now, and I'll report back shortly.

- Phil



[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125





------- Additional Comments From dtucker@zip.com.au 2005-03-05 11:35 -------
Created an attachment (id=846)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=846&action=view)
send audit close event earlier

I think this will fix item 2 from comment #47.



[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125





------- Additional Comments From phil@usc.edu 2005-03-05 13:02 -------
Yup, the patch does solve my issue (issue #1). Thanks.

- Phil



[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125





------- Additional Comments From dtucker@zip.com.au 2005-03-06 23:06 -------
I've committed patches #845 and #846, they'll be in tomorrow's snaps.



[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125


dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |FIXED




------- Additional Comments From dtucker@zip.com.au 2005-03-07 16:16 -------
This will be in the 4.0p1 release. Thanks to all who participated.

The GNU libintl gettext() thing still needs to be sorted (we'll probably remove
the gettext calls unless someone can tell us why it's required for BSM).



[Bug 125] add BSM audit support [ In reply to ]
http://bugzilla.mindrot.org/show_bug.cgi?id=125


dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED




------- Additional Comments From dtucker@zip.com.au 2005-03-10 09:06 -------
With the release of OpenSSH 4.0, these bugs are now closed. For details, see:
http://www.openssh.com/txt/release-4.0


