I'm one of the OpenSSH developers, and occasionally I put up patches that are for testing or haven't been integrated yet. They can be downloaded here. Old patches (ones that have either been integrated or abandoned) are archived. OpenSSH is a BSD-licensed SSH implementation, originally based on the last free SSH release.
The stuff I intend doing is listed on the To Do List.
Starting from the existing Solaris buildpkg scripts and with some help from Ben Lindstrom and others, I wrote buildbff.sh which allows the creation of AIX native SMIT/installp installable packages from compiled code. It has been included in contrib/aix in the OpenSSH distribution since 3.1p1.
Currently there are no updates to the package builder shipped with 3.7x or 3.8p1.
Note: a subset of the functionality in these patches is included in OpenSSH 3.8 and 3.8p1 and up. In most cases, users requiring handling of expired passwords will no longer need these patches. The differences are documented in this post to openssh-unix-dev.
This is a series of patches against 3.6.1p2 and 3.7.1p2 that add password expiry support to OpenSSH. Currently the patch (#26) supports AIX, platforms using /etc/shadow (which includes Solaris and Linux when OpenSSH is configured without PAM, and SCO UnixWare), and PAM platforms (including Solaris, Linux and HP-UX).
Note that the recent .bff packages supplied by IBM Developerworks also contain this functionality (based on pwexp22).
It works by executing /bin/passwd at the start of the session and includes "your password will expire on.." warnings.
The following people have made contributions to this patch (if I've missed someone please let me know):
The current patch supports AIX and /etc/shadow platforms (Solaris, UnixWare and possibly others). The series supported, at various times, ssh2's USERAUTH_PASSWD_CHANGEREQ and HP-UX's expiry, however the current patch does not, in a (possibly vain) attempt to keep the diff size down. If there is sufficient interest, these can be re-added later (these older patches can be found in the archive).
The basic procedure is (assuming you have both the tarball and patch in the current directory):
$ gzip -dc openssh-3.5p1.tar.gz | tar xf -
$ cd openssh-3.5p1
$ patch -p1 < ../openssh-3.5p1-passexpire17.patch
$ ./configure
$ make
Note: These patches are in unified diff format and some vendors' patch programs can't deal with them. If you are so afflicted, try GNU patch. Because configure.ac is patched, you must run autoreconf to re-build configure for the CVS patches. The patches against releases have already had configure rebuilt.
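The procedure above, as an added shell script that is not part of the page's patches or of the OpenSSH distribution: it verifies the detached gpg signature before applying the patch, refuses files that are not unified diffs, runs a GNU patch --dry-run so a failing hunk leaves the unpacked tree untouched, and regenerates configure with autoreconf only when the patch actually modifies configure.ac (the case the note above describes). The tarball, patch and signature file names are arguments; gpg, GNU patch and autoreconf are assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not from the OpenSSH project or the patches on this page):
# unpack a release, verify and apply a password-expiry patch, and rebuild
# configure only when the patch actually modifies configure.ac.
# Assumes GNU patch (for --dry-run), gpg and autoreconf are on the PATH.

# patch_is_unified FILE: succeed if FILE contains unified-diff hunk headers.
patch_is_unified() {
    grep -E '^@@ -[0-9]+(,[0-9]+)? [+][0-9]+(,[0-9]+)? @@' "$1" >/dev/null 2>&1
}

# patch_touches_configure_ac FILE: succeed if a "+++" file header names
# configure.ac (with or without a leading directory, with or without a
# trailing timestamp), in which case configure must be regenerated.
patch_touches_configure_ac() {
    grep -E '^[+][+][+] ([^[:space:]/]*/)*configure\.ac([[:space:]]|$)' "$1" >/dev/null 2>&1
}

# apply_pwexp_patch TARBALL PATCH [SIGNATURE]: the manual steps from the text,
# with the checks a cautious administrator would add in front of them.
apply_pwexp_patch() {
    tarball=$1; patchfile=$2; sig=$3
    if [ -n "$sig" ]; then
        gpg --verify "$sig" "$patchfile" || { echo "bad or missing signature on $patchfile" >&2; return 1; }
    fi
    patch_is_unified "$patchfile" || { echo "$patchfile is not a unified diff" >&2; return 1; }
    srcdir=$(basename "$tarball" .tar.gz)
    gzip -dc "$tarball" | tar xf - || return 1
    # absolute path, because the patch is applied from inside the source tree
    patchpath=$(cd "$(dirname "$patchfile")" && pwd)/$(basename "$patchfile")
    (
        cd "$srcdir" || exit 1
        patch -p1 --dry-run < "$patchpath" >/dev/null || { echo "patch does not apply cleanly" >&2; exit 1; }
        patch -p1 < "$patchpath" || exit 1
        if patch_touches_configure_ac "$patchpath"; then
            echo "configure.ac changed; regenerating configure" >&2
            autoreconf || exit 1
        fi
        ./configure && make
    )
}

# Run only when invoked with arguments, so the file can also be sourced
# to use the two grep helpers on their own.
if [ $# -ge 2 ]; then
    apply_pwexp_patch "$@"
fi
```

Invoke it as, for instance, `sh apply-pwexp.sh openssh-3.7.1p2.tar.gz openssh-3.7.1p2-pwexp26.patch openssh-3.7.1p2-pwexp26.patch.asc` (the script and .asc names are assumptions here; use whatever the signature file is actually called). Sourcing the file with no arguments gives you `patch_touches_configure_ac` to inspect a patch before unpacking anything.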
openssh-3.7.1p2-pwexp26.patch (gpg sig). Fixes compile errors and correctly (I hope!) detects root-forced password changes when password aging is disabled on HP-UX.
If you have been running OpenSSH on AIX for a while without this patch, some of your user accounts may have exceeded the "Weeks between password EXPIRATION and LOCKOUT" setting, and when sshd starts enforcing the password expiration rules, you may find many accounts are now locked out. To help in the transition, you can use this migration patch (which will apply to 3.6.1p2 with fuzz). This patch will reset the user's password then set the ADMCHG flag, then the user can change their password normally. The patch is not intended to be merged into the main tree, it is intended only as a transition aid.
My OpenSSH AIX binary packages are available for download here. Before you download them, please consider making your own. Everything you need is in the OpenSSH source distribution. If it's not possible for you to compile your own (or you're lazy and trusting :-) then you can download the packages below.
Any problems with these packages are likely to be my fault and should be reported directly to me.
The packages are built with the following commands (both compiler flags must be passed in a single --with-cflags option, since configure keeps only the last one given):
./configure --with-tcp-wrappers=/usr/local \
    --with-cflags="-fno-builtin-memset -DBROKEN_GETADDRINFO"
AIX_SRC=yes contrib/aix/buildbff.sh
They use internal pseudo-random seeding (so have no prereqs) but will use egd or prngd (preferred) if either is available and has its socket in one of the standard locations.
All packages contain bffs for AIX 4 and AIX 5. The V4 packages are built on AIX 4.2.1 and should also work on any newer version including 4.3.3. (In March 2004, they were also reported to work on AIX 3.2!). The V5 packages are built on AIX 5.1 and should work on 5.1 and 5.2 (and, presumably, 5.3 although I've not tested it). As of version 4.5p1, by request there is also a PAM-enabled package for AIX 5.x.
The tarballs contain the .bff installable packages, a gpg signature (made with this key) and MD5 or SHA1 checksums. The checksums only detect download corruption; verify the gpg signature if you want to confirm the packages are authentic.
| AIX Package | Description |
|---|---|
| openssh-4.5p1 | New: sftp libedit support and a PAM-enabled package for AIX 5.x has been added. Built with gcc-4.1.1, zlib-1.2.3, openssl-0.9.7l, tcpwrappers-7.6 and libedit-20060829-2.9. |
| openssh-4.6p1 | Has sftp libedit support and a PAM-enabled package for AIX 5.x. Built with gcc-4.1.1, zlib-1.2.3, openssl-0.9.7l, tcpwrappers-7.6 and libedit-20060829-2.9. |
| openssh-4.7p1 | Has sftp libedit support and a PAM-enabled package for AIX 5.x. Built with gcc-4.1.1, zlib-1.2.3, openssl-0.9.7m, tcpwrappers-7.6 and libedit-20060829-2.9. |
| openssh-5.0p1 | Has sftp libedit support and a PAM-enabled package for AIX 5.x. Built with gcc-4.1.1, zlib-1.2.3, openssl-0.9.7m, tcpwrappers-7.6 and libedit-20060829-2.9. |
| openssh-5.2p1 | Has sftp libedit support and a PAM-enabled package for AIX 5.x. Built with gcc-4.1.1, zlib-1.2.3, openssl-0.9.7m, tcpwrappers-7.6 and libedit-20060829-2.9. |
Versions 3.6.1p1-1 and 3.6.1p2 have been removed due to a security risk (error in buffer handling). Users of packages previous to 3.7.1p1 should upgrade immediately.
Version 3.9p1 may have been affected by an error in zlib and has been removed.
Version 4.0p1 may have been affected by an error in zlib (CAN-2005-2096) and has been removed.
Version 4.1p1 may have been affected by an error in zlib and has been removed.
All versions prior to 4.4p1 were affected by an incorrect signal handler in sshd (CVE-2006-5051) and versions prior to 4.5p1 contained a bug in the sshd privsep monitor code (CVE-2006-5794). Neither is believed to be exploitable in the configuration supplied here, but the affected packages have been removed as a precaution.
IBM have made packages available for AIX5L on the Bonus Pack CD. The original images are based on 2.9.9p2 (with fixes), while the current ones available from the link below are based on 4.3p1. The images are available for download from Sourceforge: openssh-aix (formerly IBM DeveloperWorks).
Bull Freeware are publishing OpenSSH packages again. These are dynamically linked against openssl and libz (unlike the ones here) so will use somewhat less memory, but are sensitive to changes in the libraries. They require egd (Entropy Gathering Daemon), so may start sessions a little quicker than the packages here when used without prngd. Unlike the packages here, they have several prerequisites. (openssl, zlib, egd, perl).
The configure error "Your OpenSSL headers do not match your library" is generally caused by OpenSSH's configure picking up an older version of the OpenSSL headers or libraries. You can use the following procedure to help identify the cause.
Apply this patch if it hasn't been incorporated into your version of OpenSSH (it's included in 3.5p1 and above). Run make -f Makefile.in distprep && ./configure.
The output of configure will tell you the versions of the OpenSSL headers and libraries that were picked up:
checking OpenSSL header version... 90604f (OpenSSL 0.9.6d 9 May 2002)
checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
checking whether OpenSSL's headers match the library... no
configure: error: Your OpenSSL headers do not match your library
Now run findssl.sh. This should identify the headers and libraries present and their versions. You should be able to identify the libraries and headers used and adjust your CFLAGS or remove incorrect versions. The output will show OpenSSL's internal version identifier and should look something like:
$ ./findssl.sh
Searching for OpenSSL header files.
0x0090604fL /usr/include/openssl/opensslv.h
0x0090604fL /usr/local/ssl/include/openssl/opensslv.h
Searching for OpenSSL shared library files.
0x0090602fL /lib/libcrypto.so.0.9.6b
0x0090602fL /lib/libcrypto.so.2
0x0090581fL /usr/lib/libcrypto.so.0
0x0090602fL /usr/lib/libcrypto.so
0x0090581fL /usr/lib/libcrypto.so.0.9.5a
0x0090600fL /usr/lib/libcrypto.so.0.9.6
0x0090600fL /usr/lib/libcrypto.so.1
Searching for OpenSSL static library files.
0x0090602fL /usr/lib/libcrypto.a
0x0090604fL /usr/local/ssl/lib/libcrypto.a
In this example, I gave configure no extra flags, so it's picking up the OpenSSL header from /usr/include/openssl (90604f) and the library from /usr/lib/ (90602f).
lbx.sh Sets up SSH and LBX to play nicely together. To use, adjust to local conditions then ". ./lbx.sh".
Diffs between portable releases
A table showing the percent_expand tokens supported by OpenSSH's ssh(1) and sshd(8).
IETF Secure Shell Working Group (includes draft RFCs) ietf-ssh mailing list archive.
OpenSSH Portable Tinderbox. Shows current build and test status of the current code.
OpenSSH Bugzilla bug tracking system.
OpenSSH CVSWeb
openssh-unix-dev mailing list archive.
Daniel J. Barrett and Richard E. Silverman wrote SSH: The Definitive Guide, known as "The Snail book". Particularly useful is the online FAQ
comp.security.ssh newsgroup
Shun-ichi Goto's connect ProxyCommand. Supports connections via SOCKS4/4a/5 and HTTP CONNECT protocols.
Pluggable Authentication Modules original RFC
XOpen Single Sign On (XSSO) Specification HTML PDF
Linux PAM Documentation SourceForge page
Solaris PAM documentation
Writing Solaris PAM modules
FreeBSD PAM documentation. (OpenPAM)
Some PAM gotchas, and why PAM and SSH don't play nice together
GNU Autoconf Manual (PDF). OpenSSH uses autoconf for its build-time configuration.
PortaWiki documenting portability issues. Run by Stuart Smith of MySQL with contributions from others, including yours truly.
Single Unix Specification SUSv2 SUSv3 (obnoxious registration required)
Page last modified: 2009/06/06 04:25:35