1 --- hpn-ssh-hpn-18.4.2/INSTALL.orig
2 +++ hpn-ssh-hpn-18.4.2/INSTALL
3 @@ -103,9 +103,13 @@
5 Basic Security Module (BSM):
7 -Native BSM support is known to exist in Solaris from at least 2.5.1,
8 -FreeBSD 6.1 and OS X. Alternatively, you may use the OpenBSM
9 -implementation (http://www.openbsm.org).
10 +Native BSM support is known to exist in Solaris from at least 2.5.1
11 +to Solaris 10. From Solaris 11 the previously documented BSM (libbsm)
12 +interfaces are no longer public and are unsupported. While not public
13 +interfaces, audit-solaris.c implements Solaris Audit from Solaris 11.
14 +Native BSM support is known to exist in FreeBSD 6.1 and OS X.
15 +Alternatively, you may use the OpenBSM implementation
16 +(http://www.openbsm.org).
18 makedepend:
20 @@ -171,8 +175,9 @@
21 There are a few other options to the configure script:
23 --with-audit=[module] enable additional auditing via the specified module.
24 -Currently, drivers for "debug" (additional info via syslog) and "bsm"
25 -(Sun's Basic Security Module) are supported.
26 +Currently, drivers for "debug" (additional info via syslog), and "bsm"
27 +(Sun's Legacy Basic Security Module prior to Solaris 11), and "solaris"
28 +(Sun's Audit infrastructure from Solaris 11) are supported.
30 --with-pam enables PAM support. If PAM support is compiled in, it must
31 also be enabled in sshd_config (refer to the UsePAM directive).
32 --- hpn-ssh-hpn-18.4.2/Makefile.in.orig
33 +++ hpn-ssh-hpn-18.4.2/Makefile.in
34 @@ -122,7 +122,7 @@
35 sshconnect.o sshconnect2.o mux.o cipher-switch.o $(SKOBJS)
37 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o \
38 - audit.o audit-bsm.o audit-linux.o platform.o \
39 + audit.o audit-bsm.o audit-linux.o audit-solaris.o platform.o \
40 sshpty.o sshlogin.o servconf.o serverloop.o \
41 auth.o auth2.o auth-options.o session.o \
42 auth2-chall.o groupaccess.o \
43 --- hpn-ssh-hpn-18.4.2/README.platform.orig
44 +++ hpn-ssh-hpn-18.4.2/README.platform
45 @@ -72,10 +72,10 @@
46 libssl-dev, libz-dev and libpam-dev.
49 -Solaris
50 --------
51 -If you enable BSM auditing on Solaris, you need to update audit_event(4)
52 -for praudit(1m) to give sensible output. The following line needs to be
53 +Prior to Solaris 11
54 +-------------------
55 +If you enable BSM auditing on Solaris, you need to update audit_event(5)
56 +for praudit(8) to give sensible output. The following line needs to be
57 added to /etc/security/audit_event:
59 32800:AUE_openssh:OpenSSH login:lo
60 @@ -86,6 +86,9 @@
61 number is already in use on your system, you may change it at build time
62 by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
64 +From Solaris 11
65 +---------------
66 +Solaris Audit is supported by configuring --with-audit=solaris.
68 Platforms using PAM
69 -------------------
70 --- hpn-ssh-hpn-18.4.2/audit-bsm.c.orig
71 +++ hpn-ssh-hpn-18.4.2/audit-bsm.c
72 @@ -348,7 +348,7 @@
73 /* Below is the sshd audit API code */
75 void
76 -audit_connection_from(const char *host, int port)
77 +audit_connection_from(struct ssh *ssh, const char *host, int port)
79 AuditInfoTermID *tid = &ssh_bsm_tid;
80 char buf[1024];
81 --- hpn-ssh-hpn-18.4.2/audit-linux.c.orig
82 +++ hpn-ssh-hpn-18.4.2/audit-linux.c
83 @@ -71,7 +71,7 @@
84 /* Below is the sshd audit API code */
86 void
87 -audit_connection_from(const char *host, int port)
88 +audit_connection_from(struct ssh *ssh, const char *host, int port)
90 /* not implemented */
92 --- /dev/null
93 +++ hpn-ssh-hpn-18.4.2/audit-solaris.c
94 @@ -0,0 +1,574 @@
95 +/*
96 + * CDDL HEADER START
97 + *
98 + * The contents of this file are subject to the terms of the
99 + * Common Development and Distribution License (the "License").
100 + * You may not use this file except in compliance with the License.
102 + * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
103 + * or http://www.opensolaris.org/os/licensing.
104 + * See the License for the specific language governing permissions
105 + * and limitations under the License.
107 + * When distributing Covered Code, include this CDDL HEADER in each
108 + * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
109 + * If applicable, add the following below this CDDL HEADER, with the
110 + * fields enclosed by brackets "[]" replaced with your own identifying
111 + * information: Portions Copyright [yyyy] [name of copyright owner]
113 + * CDDL HEADER END
114 + */
117 + * Copyright (c) 2014, 2015, Oracle and/or its affiliates. All rights reserved.
118 + */
120 +#include "includes.h"
121 +#if defined(USE_SOLARIS_AUDIT)
123 +#include "audit.h"
124 +#include "sshbuf.h"
125 +#include "sshkey.h"
126 +#include "hostfile.h"
127 +#include "auth.h"
128 +#include "log.h"
129 +#include "packet.h"
131 +#include <errno.h>
132 +#include <pwd.h>
133 +#include <string.h>
135 +#include <bsm/adt.h>
136 +#include <bsm/adt_event.h>
138 +#ifdef ADT_DEBUG
139 +#include <bsm/audit.h>
140 +#include <arpa/inet.h>
141 +#include <netinet/in.h>
142 +#include <values.h>
143 +#include <errno.h>
144 +#include <pwd.h>
145 +#include <stdio.h>
146 +#include <unistd.h>
147 +#include <stdarg.h>
148 +#include <string.h>
149 +#include <ucred.h>
150 +#include <values.h>
152 +#include <bsm/adt.h>
153 +#include <bsm/audit.h>
155 +#include <sys/types.h>
156 +#include <sys/stat.h>
158 +/* semi private adt functions to extract information */
160 +extern void adt_get_asid(const adt_session_data_t *, au_asid_t *);
161 +extern void adt_get_auid(const adt_session_data_t *, au_id_t *);
162 +extern void adt_get_mask(const adt_session_data_t *, au_mask_t *);
163 +extern void adt_get_termid(const adt_session_data_t *, au_tid_addr_t *);
165 +extern void __auditd_debug(char *, ...);
167 +void
168 +__audit_pidinfo(void)
170 + adt_session_data_t *ah = NULL;
171 + au_id_t auid;
172 + char *auid_name = "badname";
173 + struct passwd *pwd;
174 + au_asid_t asid;
175 + au_mask_t mask;
176 + char flags[512];
177 + au_tid_addr_t tid;
178 + char pbuf[INET6_ADDRSTRLEN];
179 + int af = AF_INET;
180 + int remote;
181 + int local;
183 + if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
184 + __auditd_debug("cannot start session %s\n", strerror(errno));
185 + return;
187 + if (ah == NULL) {
188 + __auditd_debug("ah is NULL\n");
189 + return;
191 + adt_get_auid(ah, &auid);
192 + if ((pwd = getpwuid((uid_t)auid)) != NULL) {
193 + auid_name = pwd->pw_name;
195 + __auditd_debug("audit id = %s(%d)\n", auid_name, auid);
197 + adt_get_mask(ah, &mask);
198 + if (getauditflagschar(flags, &mask, NULL) < 0) {
199 + (void) strlcpy(flags, "badflags", sizeof (flags));
201 +#ifdef _LP64
202 + __auditd_debug("preselection mask = %s(0x%lx,0x%lx)\n", flags,
203 + mask.am_success, mask.am_failure);
204 +#else /* _ILP32 */
205 + __auditd_debug("preselection mask = %s(0x%llx,0x%llx)\n", flags,
206 + mask.am_success, mask.am_failure);
207 +#endif /* _LP64 */
209 + adt_get_termid(ah, &tid);
210 + __auditd_debug("tid type=%d, maj=%u, min=%u, addr=%x:%x:%x:%x\n",
211 + tid.at_type,
212 + (uint16_t)((tid.at_port) >> BITS(uint16_t)),
213 + (uint16_t)(tid.at_port & UINT16_MAX),
214 + tid.at_addr[0],
215 + tid.at_addr[1],
216 + tid.at_addr[2],
217 + tid.at_addr[3]);
218 + if (tid.at_type == AU_IPv6) {
219 + af = AF_INET6;
221 + (void) inet_ntop(af, (void *)(tid.at_addr), pbuf,
222 + sizeof (pbuf));
223 + remote = (tid.at_port >> BITS(uint16_t));
224 + local = (tid.at_port & UINT16_MAX);
225 + __auditd_debug("tid type-%d (remote,local,host)= %u,%u,%s\n",
226 + tid.at_type, remote, local, pbuf);
227 + adt_get_asid(ah, &asid);
228 + __auditd_debug("audit session id = %u\n", asid);
229 + (void) adt_end_session(ah);
231 +#else /* !ADT_DEBUG */
232 +/*ARGSUSED*/
233 +/*PRINTFLIKE1*/
234 +static void
235 +__auditd_debug(char *fmt, ...)
238 +static void
239 +__audit_pidinfo()
242 +#endif /* ADT_DEBUG */
244 +#include <security/pam_appl.h>
246 +#include <sys/types.h>
248 +extern Authctxt *the_authctxt;
250 +extern const char *audit_username(void);
251 +extern const char *audit_event_lookup(ssh_audit_event_t);
253 +static adt_session_data_t *ah = NULL; /* audit session handle */
254 +static adt_termid_t *tid = NULL; /* peer terminal id */
256 +static void audit_login(void);
257 +static void audit_logout(void);
258 +static void audit_fail(int);
260 +/* Below is the sshd audit API Solaris adt interpretation */
263 + * Called after a connection has been accepted but before any authentication
264 + * has been attempted.
265 + */
266 +/* ARGSUSED */
267 +void
268 +audit_connection_from(struct ssh *ssh, const char *host, int port)
270 + int peer = ssh_packet_get_connection_in(ssh);
271 + adt_session_data_t *ah = NULL;
273 + if (adt_load_termid(peer, &tid) != 0) {
274 + error("adt audit_connection_from: unable to load tid for %d:%s",
275 + peer, strerror(errno));
276 + goto err;
278 + if (adt_start_session(&ah, NULL, 0) != 0) {
279 + error("adt audit_connection_from: unable to start session "
280 + "for %s:%d:%s", host, port, strerror(errno));
281 + goto err;
283 + if (adt_set_user(ah, ADT_NO_AUDIT, ADT_NO_AUDIT, 0,
284 + ADT_NO_AUDIT, tid, ADT_SETTID) != 0) {
285 + error("adt audit_connection_from: unable to set user "
286 + "for %s:%d:%s", host, port, strerror(errno));
287 + goto err;
289 + if (adt_set_proc(ah) != 0) {
290 + error("adt audit_connection_from: unable to set proc "
291 + "for %s:%d:%s", host, port, strerror(errno));
292 + goto err;
294 + (void) adt_end_session(ah);
295 + debug("adt audit_connection_from(%s, %d): peerfd=%d", host, port,
296 + peer);
297 + __auditd_debug("%d/%d:%d-adt audit_connection_from(%s, %d)ctxt=%p: "
298 + "peerfd=%d\n", getpid(), getuid(), geteuid(), host, port,
299 + (void *)the_authctxt, peer);
300 + __audit_pidinfo();
301 + return;
303 +err:
304 + free(tid);
305 + tid = NULL;
306 + if (ah != NULL) {
307 + (void) adt_end_session(ah);
312 + * Called when various events occur (see audit.h for a list of possible
313 + * events and what they mean).
315 + * Entry the_authcntxt
316 + */
317 +void
318 +audit_event(struct ssh *ssh, ssh_audit_event_t event)
320 + static boolean_t logged_in = B_FALSE; /* if user did login */
321 + int fail = PAM_IGNORE; /* default unset */
322 + static boolean_t did_maxtries = B_FALSE; /* if interactive and abort */
324 + debug("adt audit_event(%s)", audit_event_lookup(event));
325 + __auditd_debug("%d/%d:%d-adt audit_event(%s/%s)ctxt=%p\n",
326 + getpid(), getuid(), geteuid(), audit_event_lookup(event),
327 + audit_username(), (void *)the_authctxt);
328 + __audit_pidinfo();
330 + switch (event) {
331 + case SSH_AUTH_SUCCESS: /* authentication success */
332 + logged_in = B_TRUE;
333 + audit_login(); /* ADT_ssh; */
334 + return;
336 + case SSH_CONNECTION_CLOSE: /* connection closed, all done */
337 + if (logged_in) {
338 + audit_logout(); /* ADT_logout; */
339 + logged_in = B_FALSE;
340 + } else {
341 + error("adt audit_event logout without login");
343 + free(tid);
344 + tid = NULL;
345 + return;
347 + /* Translate fail events to Solaris PAM errors */
349 + /* auth2.c: userauth_finish as audit_event(SSH_LOGIN_EXCEED_MAXTRIES) */
350 + /* auth1.c:do_authloop audit_event(SSH_LOGIN_EXCEED_MAXTRIES) */
351 + case SSH_LOGIN_EXCEED_MAXTRIES:
352 + fail = PAM_MAXTRIES;
353 + did_maxtries = B_TRUE;
354 + break;
356 + /* auth2.c: userauth_finish as audit_event(SSH_LOGIN_ROOT_DENIED) */
357 + /* auth1.c:do_authloop audit_event(SSH_LOGIN_ROOT_DENIED) */
358 + case SSH_LOGIN_ROOT_DENIED:
359 + fail = PAM_PERM_DENIED;
360 + break;
362 + /* auth2.c: input_userauth_request as audit_event(SSH_INVALID_USER) */
363 + /* auth.c: getpwnamallow as audit_event(SSH_INVALID_USER) */
364 + case SSH_INVALID_USER:
365 + fail = PAM_USER_UNKNOWN;
366 + break;
368 + /* seems unused, but translate to the Solaris PAM error */
369 + case SSH_NOLOGIN:
370 + fail = PAM_ACCT_EXPIRED;
371 + break;
373 + /*
374 + * auth.c in auth_log as it's walking through methods calls
375 + * audit_classify_method(method) which maps
377 + * none -> SSH_AUTH_FAIL_NONE
378 + * password -> SSH_AUTH_FAIL_PASSWD
380 + * publickey -> SSH_AUTH_FAIL_PUBKEY
381 + * rsa -> SSH_AUTH_FAIL_PUBKEY
383 + * keyboard-interactive -> SSH_AUTH_FAIL_KBDINT
384 + * challenge-response -> SSH_AUTH_FAIL_KBDINT
386 + * hostbased -> SSH_AUTH_FAIL_HOSTBASED
387 + * rhosts-rsa -> SSH_AUTH_FAIL_HOSTBASED
389 + * gssapi-with-mic -> SSH_AUTH_FAIL_GSSAPI
391 + * unknown method -> SSH_AUDIT_UNKNOWN
392 + */
393 + /*
394 + * see mon_table mon_dispatch_proto20[], mon_dispatch_postauth20[],
395 + * mon_dispatch_proto15[], mon_dispatch_postauth15[]:
396 + * MONITOR_REQ_AUDIT_EVENT
397 + * called from monitor.c:mm_answer_audit_event()
398 + * SSH_AUTH_FAIL_PUBKEY, SSH_AUTH_FAIL_HOSTBASED,
399 + * SSH_AUTH_FAIL_GSSAPI, SSH_LOGIN_EXCEED_MAXTRIES,
400 + * SSH_LOGIN_ROOT_DENIED, SSH_CONNECTION_CLOSE SSH_INVALID_USER
401 + * monitor_wrap.c: mm_audit_event()
402 + */
403 + case SSH_AUTH_FAIL_NONE: /* auth type none */
404 + case SSH_AUTH_FAIL_PUBKEY: /* authtype publickey */
405 + break;
407 + case SSH_AUTH_FAIL_PASSWD: /* auth type password */
408 + case SSH_AUTH_FAIL_KBDINT: /* authtype keyboard-interactive */
409 + case SSH_AUTH_FAIL_HOSTBASED: /* auth type hostbased */
410 + case SSH_AUTH_FAIL_GSSAPI: /* auth type gssapi-with-mic */
411 + case SSH_AUDIT_UNKNOWN: /* auth type unknown */
412 + fail = PAM_AUTH_ERR;
413 + break;
415 + /* sshd.c: cleanup_exit: server specific fatal cleanup */
416 + case SSH_CONNECTION_ABANDON: /* bailing with fatal error */
417 + /*
418 + * This seems to occur with OpenSSH client when
419 + * the user login shell exits.
420 + */
421 + if (logged_in) {
422 + audit_logout(); /* ADT_logout; */
423 + logged_in = B_FALSE;
424 + return;
425 + } else if (!did_maxtries) {
426 + fail = PAM_AUTHINFO_UNAVAIL;
427 + } else {
428 + /* reset saw max tries */
429 + did_maxtries = FALSE;
431 + free(tid);
432 + tid = NULL;
433 + break;
435 + default:
436 + error("adt audit_event: unknown event %d", event);
437 + __auditd_debug("%d/%d:%d-unknown event %d",
438 + getpid(), getuid(), geteuid(), event);
439 + __audit_pidinfo();
440 + break;
442 + audit_fail(fail);
446 + * Called when a user session is started. Argument is the tty allocated to
447 + * the session, or NULL if no tty was allocated.
449 + * Note that this may be called multiple times if multiple sessions are used
450 + * within a single connection.
451 + */
452 +/* ARGSUSED */
453 +void
454 +audit_session_open(struct logininfo *li)
456 + const char *t = li->line ? li->line : "(no tty)";
458 + debug("adt audit_session_open: user=%s:tty=%s", audit_username(),
459 + t);
460 + __auditd_debug("%d/%d:%d-adt audit_session_open:ctxt=%p "
461 + "user=%s:tty=%s\n", getpid(), getuid(), geteuid(),
462 + (void *)the_authctxt, audit_username(), t);
463 + __audit_pidinfo();
467 + * Called when a user session is closed. Argument is the tty allocated to
468 + * the session, or NULL if no tty was allocated.
470 + * Note that this may be called multiple times if multiple sessions are used
471 + * within a single connection.
472 + */
473 +/* ARGSUSED */
474 +void
475 +audit_session_close(struct logininfo *li)
477 + const char *t = li->line ? li->line : "(no tty)";
479 + debug("adt audit_session_close: user=%s:tty=%s", audit_username(),
480 + t);
481 + __auditd_debug("%d/%d:%d-adt audit_session_close:ctxt=%p "
482 + "user=%s:tty=%s\n", getpid(), getuid(), geteuid(),
483 + (void *)the_authctxt, audit_username(), t);
484 + __audit_pidinfo();
488 + * This will be called when a user runs a non-interactive command. Note that
489 + * it may be called multiple times for a single connection since SSH2 allows
490 + * multiple sessions within a single connection.
491 + */
492 +/* ARGSUSED */
493 +void
494 +audit_run_command(const char *command)
496 + debug("adt audit_run_command: \"%s\"", command);
497 + __auditd_debug("%d/%d:%d-adt audit_run_command:ctxt=%p \"%s\"\n",
498 + getpid(), getuid(), geteuid(), (void *)the_authctxt, command);
499 + __audit_pidinfo();
503 + * audit_login - audit successful login
505 + * Entry the_authctxt should be valid ;-)
506 + * and pam_setcred called.
507 + * adt_info & ADT_INFO_PW_SUCCESS if successful
508 + * password change.
510 + * Exit ah = audit session established for audit_logout();
511 + */
512 +static void
513 +audit_login(void)
515 + adt_event_data_t *event;
516 + uid_t uid = ADT_NO_ATTRIB;
517 + gid_t gid = (gid_t)ADT_NO_ATTRIB;
518 + au_id_t auid;
520 + if ((the_authctxt != NULL) && (the_authctxt->valid != 0)) {
521 + uid = the_authctxt->pw->pw_uid;
522 + gid = the_authctxt->pw->pw_gid;
525 + if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
526 + error("adt_start_session: %s", strerror(errno));
527 + return;
530 + adt_get_auid(ah, &auid);
532 + if (adt_set_user(ah, uid, gid, uid, gid, NULL,
533 + auid == AU_NOAUDITID ? ADT_NEW : ADT_USER)) {
534 + error("adt_set_user auid=%d, uid=%d", auid, uid);
535 + (void) adt_end_session(ah);
536 + ah = NULL;
537 + free(tid);
538 + tid = NULL;
539 + return;
541 + if ((event = adt_alloc_event(ah, ADT_ssh)) == NULL) {
542 + error("adt_alloc_event(ADT_ssh): %s", strerror(errno));
543 + return;
545 + if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
546 + error("adt_put_event(ADT_ssh, ADT_SUCCESS): %s",
547 + strerror(errno));
549 + /* should audit successful password change here */
550 + adt_free_event(event);
554 + * audit_logout - audit the logout
556 + * Entry ah = audit session.
557 + */
558 +static void
559 +audit_logout(void)
561 + adt_event_data_t *event;
563 + if ((event = adt_alloc_event(ah, ADT_logout)) == NULL) {
564 + error("adt_alloc_event(ADT_logout): %s", strerror(errno));
565 + return;
567 + if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
568 + error("adt_put_event(ADT_logout, ADT_SUCCESS): %s",
569 + strerror(errno));
571 + adt_free_event(event);
572 + (void) adt_end_session(ah);
573 + ah = NULL;
577 + * audit_fail - audit login failure.
579 + * Entry the_authctxt assumed to have some info.
580 + * user = user who asked to be authenticated.
581 + * tid = connection audit TID set by audit_connect_from();
583 + * N.B. pam_strerror() prototype takes a pam handle and error number.
584 + * At least on Solaris, pam_strerror never uses the pam handle.
585 + * Since there doesn't seem to be a pam handle available, this
586 + * code just uses NULL.
587 + */
588 +static void
589 +audit_fail(int pamerr)
591 + adt_session_data_t *ah = NULL;
592 + adt_event_data_t *event;
593 + uid_t uid = ADT_NO_ATTRIB;
594 + gid_t gid = (gid_t)ADT_NO_ATTRIB;
596 + __auditd_debug("%d/%d:%d-audit_fail(%s) ctxt=%p\n",
597 + getpid(), getuid(), geteuid(), pam_strerror(NULL, pamerr),
598 + (void *)the_authctxt);
599 + if (the_authctxt != NULL) {
600 + uid_t pwuid = ADT_NO_ATTRIB;
602 + if (the_authctxt->pw != NULL) {
603 + pwuid = the_authctxt->pw->pw_uid;
605 + __auditd_debug("valid=%d, user=%s, uid=%d\n",
606 + the_authctxt->valid, audit_username(), pwuid);
607 + } else {
608 + __auditd_debug("\tNo autxctxt\n");
610 + __audit_pidinfo();
611 + if (pamerr == PAM_IGNORE) {
612 + return;
614 + if ((the_authctxt != NULL) && (the_authctxt->valid != 0)) {
615 + uid = the_authctxt->pw->pw_uid;
616 + gid = the_authctxt->pw->pw_gid;
617 + } else if ((the_authctxt != NULL) && (the_authctxt->user != NULL)) {
618 + struct passwd *pw;
620 + if ((pw = getpwnam(the_authctxt->user)) != NULL) {
621 + uid = pw->pw_uid;
622 + gid = pw->pw_gid;
625 + if (adt_start_session(&ah, NULL, 0) != 0) {
626 + error("adt_start_session(ADT_ssh, 0, fail=%s):"
627 + " %s", pam_strerror(NULL, pamerr), strerror(errno));
628 + __auditd_debug("%d/%d:%d-adt_start_session(ADT_ssh, "
629 + "PROC_DATA, fail=%s): %s", getpid(), getuid(),
630 + geteuid(), pam_strerror(NULL, pamerr),
631 + strerror(errno));
632 + return;
634 + __auditd_debug("%d/%d:%d-audit_fail+start_session() ah=%p\n",
635 + getpid(), getuid(), geteuid(), (void *)ah);
636 + if (adt_set_user(ah, uid, gid, uid, gid, tid, ADT_NEW) != 0) {
637 + error("adt_set_user(ADT_ssh, PROC_DATA, fail=%s): %s",
638 + pam_strerror(NULL, pamerr), strerror(errno));
639 + __auditd_debug("%d/%d:%d-adt_set_user(ADT_ssh, "
640 + "PROC_DATA, fail=%s): %s", getpid(), getuid(),
641 + geteuid(), pam_strerror(NULL, pamerr),
642 + strerror(errno));
643 + goto done;
645 + __auditd_debug("%d/%d:%d-audit_fail+set_user() ah=%p\n", getpid(),
646 + getuid(), geteuid(), (void *)ah);
647 + if ((event = adt_alloc_event(ah, ADT_ssh)) == NULL) {
648 + error("adt_alloc_event(ADT_ssh, fail=%s): %s",
649 + pam_strerror(NULL, pamerr), strerror(errno));
650 + __auditd_debug("%d/%d:%d-adt_set_user(ADT_ssh, 0, "
651 + "fail=%s): %s", getpid(), getuid(), geteuid(),
652 + pam_strerror(NULL, pamerr), strerror(errno));
653 + } else if (adt_put_event(event, ADT_FAILURE,
654 + ADT_FAIL_PAM + pamerr) != 0) {
655 + error("adt_put_event(ADT_ssh, fail=%s): %s",
656 + pam_strerror(NULL, pamerr), strerror(errno));
657 + __auditd_debug("%d/%d:%d-adt_put_event(ADT_ssh, fail=%s): %s",
658 + getpid(), getuid(), geteuid(), pam_strerror(NULL, pamerr),
659 + strerror(errno));
661 + __auditd_debug("%d/%d:%d-audit_fail+put_event() ah=%p\n", getpid(),
662 + getuid(), geteuid(), (void *)ah);
663 + /* should audit authentication with failed password change here. */
664 + adt_free_event(event);
665 +done:
666 + (void) adt_end_session(ah);
668 +#endif /* USE_SOLARIS_AUDIT */
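Review bot: `audit_logout` hands the file-scope `ah` to adt_alloc_event without checking that `audit_login` actually established it, yet `audit_event` sets `logged_in = B_TRUE` before calling `audit_login`, which returns early and leaves `ah` NULL when adt_start_session or adt_set_user fails; whether libbsm tolerates a NULL session handle is not visible here. A guard at the top of `audit_logout`, `if (ah == NULL) { error("adt audit_logout: no audit session"); return; }`, or clearing `logged_in` when login auditing fails, would make that path explicit instead of relying on the library. Two smaller points in the same hunk: `did_maxtries = FALSE;` in the SSH_CONNECTION_ABANDON case uses `FALSE` where every other assignment to these `boolean_t` flags uses `B_FALSE`/`B_TRUE`, and the locals `adt_session_data_t *ah = NULL;` in `audit_connection_from` and `audit_fail` shadow the static `ah` that `audit_login`/`audit_logout` depend on, which is easy to misread (a distinct name such as `lah` would help). The names `__auditd_debug` and `__audit_pidinfo` also begin with a double underscore, which C reserves for the implementation.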
669 --- hpn-ssh-hpn-18.4.2/audit.c.orig
670 +++ hpn-ssh-hpn-18.4.2/audit.c
671 @@ -120,7 +120,7 @@
672 * has been attempted.
674 void
675 -audit_connection_from(const char *host, int port)
676 +audit_connection_from(struct ssh *, const char *host, int port)
678 debug("audit connection from %s port %d euid %d", host, port,
679 (int)geteuid());
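Review bot: The definition `audit_connection_from(struct ssh *, const char *host, int port)` omits the identifier of its first parameter; that is legal in the prototype in audit.h, but in a function definition C11 requires every parameter to be named, and gcc in its default C mode rejects it with "parameter name omitted" (only C23 relaxes this). Because audit.c is the `debug` audit module, the break appears only when building with --with-audit=debug. Name it `struct ssh *ssh` and, since it is unused here, add `/* ARGSUSED */` above the definition as audit-solaris.c does, or `(void)ssh;` in the body. The function body continues outside the hunk.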
680 --- hpn-ssh-hpn-18.4.2/audit.h.orig
681 +++ hpn-ssh-hpn-18.4.2/audit.h
682 @@ -47,7 +47,7 @@
684 typedef enum ssh_audit_event_type ssh_audit_event_t;
686 -void audit_connection_from(const char *, int);
687 +void audit_connection_from(struct ssh *, const char *, int);
688 void audit_event(struct ssh *, ssh_audit_event_t);
689 void audit_session_open(struct logininfo *);
690 void audit_session_close(struct logininfo *);
691 --- hpn-ssh-hpn-18.4.2/configure.ac.orig
692 +++ hpn-ssh-hpn-18.4.2/configure.ac
693 @@ -1769,7 +1769,7 @@
695 AUDIT_MODULE=none
696 AC_ARG_WITH([audit],
697 - [ --with-audit=module Enable audit support (modules=debug,bsm,linux)],
698 + [ --with-audit=module Enable audit support (modules=debug,bsm,linux,solaris)],
700 AC_MSG_CHECKING([for supported audit module])
701 case "$withval" in
702 @@ -1806,6 +1806,13 @@
703 SSHDLIBS="$SSHDLIBS -laudit"
704 AC_DEFINE([USE_LINUX_AUDIT], [1], [Use Linux audit module])
706 + solaris)
707 + AC_MSG_RESULT([solaris])
708 + AUDIT_MODULE=solaris
709 + AC_CHECK_HEADERS([bsm/adt.h])
710 + SSHDLIBS="$SSHDLIBS -lbsm"
711 + AC_DEFINE([USE_SOLARIS_AUDIT], [1], [Use Solaris audit module])
712 + ;;
713 debug)
714 AUDIT_MODULE=debug
715 AC_MSG_RESULT([debug])
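Review bot: `AC_CHECK_HEADERS([bsm/adt.h])` in the new `solaris)` case records its result but nothing acts on it: AUDIT_MODULE, `-lbsm` and USE_SOLARIS_AUDIT are set unconditionally, so on a host without the header the failure surfaces at compile time rather than at configure time. Consider `AC_CHECK_HEADERS([bsm/adt.h], [], [AC_MSG_ERROR([bsm/adt.h not found, required for --with-audit=solaris])])`. Whether the `linux)` case above checks its header the same way is outside the hunk.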
716 --- hpn-ssh-hpn-18.4.2/defines.h.orig
717 +++ hpn-ssh-hpn-18.4.2/defines.h
718 @@ -715,6 +715,11 @@
719 # define CUSTOM_SSH_AUDIT_EVENTS
720 #endif
722 +#ifdef USE_SOLARIS_AUDIT
723 +# define SSH_AUDIT_EVENTS
724 +# define CUSTOM_SSH_AUDIT_EVENTS
725 +#endif
727 #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
728 # define __func__ __FUNCTION__
729 #elif !defined(HAVE___func__)
730 --- hpn-ssh-hpn-18.4.2/sshd.c.orig
731 +++ hpn-ssh-hpn-18.4.2/sshd.c
732 @@ -2216,7 +2216,7 @@
733 remote_ip = ssh_remote_ipaddr(ssh);
735 #ifdef SSH_AUDIT_EVENTS
736 - audit_connection_from(remote_ip, remote_port);
737 + audit_connection_from(ssh, remote_ip, remote_port);
738 #endif
740 rdomain = ssh_packet_rdomain_in(ssh);
741 @@ -2308,8 +2308,10 @@
744 #ifdef SSH_AUDIT_EVENTS
745 +#ifndef USE_SOLARIS_AUDIT
746 audit_event(ssh, SSH_AUTH_SUCCESS);
747 #endif
748 +#endif
750 #ifdef GSSAPI
751 if (options.gss_authentication) {
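Review bot: The two bare `#endif` lines closing the new `#ifndef USE_SOLARIS_AUDIT` and the enclosing `#ifdef SSH_AUDIT_EVENTS` carry no trailing comments, while the companion hunk below closes with `#endif /* USE_SOLARIS_AUDIT */`; with nested conditionals the reader has to count. Suggest `#endif /* !USE_SOLARIS_AUDIT */` and `#endif /* SSH_AUDIT_EVENTS */`. The later hunk's `/* Audit should take place after all successful pam */` could also state the consequence: on the Solaris path a fatal exit between the original call site and the new one after do_pam_session is presumably reported through cleanup_exit's SSH_CONNECTION_ABANDON rather than as a login success, which is worth making explicit if intended. The enclosing function starts before this hunk and ends after the next one.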
752 @@ -2338,6 +2340,10 @@
753 do_pam_session(ssh);
755 #endif
756 +#ifdef USE_SOLARIS_AUDIT
757 + /* Audit should take place after all successful pam */
758 + audit_event(ssh, SSH_AUTH_SUCCESS);
759 +#endif /* USE_SOLARIS_AUDIT */
762 * In privilege separation, we fork another child and prepare