Created attachment 1417
Adds BSM support.
Attached is a patch for building OpenSSH 4.7p1 on Mac OS X. This patch adds part of the BSM support for Mac OS X.
Comment on attachment 1417 [details] Adds BSM support. >+#if defined(__APPLE__) >+ /* don't have a aug_get_machine */ >+ tid->at_addr[0] = inet_addr(host); >+ tid->at_type = 0; >+ snprintf(buf, sizeof(buf), "%08x", tid->at_addr[0]); >+ debug3("BSM audit: machine ID %s", buf); A cleaner way to do this is implement aug_get_machine as a static function in this file, and activate it based on the presence (or not) of aug_get_machine. I believe FreeBSD would also benefit from this. I will post an alternative patch. >- AC_CHECK_FUNCS(getaudit_addr) >+ AC_CHECK_FUNCS(getaudit_addr, >+ [ >+ case "$host" in >+ *-*-darwin7* | *-*-darwin8*) >+ AC_MSG_CHECKING(for getaudit_addr usability) >+ AC_MSG_RESULT(no) >+ ;; >+ *) AC_DEFINE(HAVE_GETAUDIT_ADDR, Could you please explain why this is needed? darwin7 and darwin8 have a getaudit_addr but it doesn't work?
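Review bot: the `*-*-darwin7* | *-*-darwin8*` branch hard-codes AC_MSG_RESULT(no) from the host triplet alone, with nothing in the hunk that tests getaudit_addr or records why it is unusable there. Add a comment naming the defect, and prefer a real compile or run check so the result follows the function's behaviour rather than the OS version string.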
Comment on attachment 1417 [details] Adds BSM support. >+#if defined(__APPLE__) >+ /* don't have a aug_get_machine */ >+ tid->at_addr[0] = inet_addr(host); >+ tid->at_type = 0; >+ snprintf(buf, sizeof(buf), "%08x", tid->at_addr[0]); >+ debug3("BSM audit: machine ID %s", buf); >+#else How does this cope with connections from IPv6 addresses?
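Review bot: the return value of inet_addr(host) is written straight into tid->at_addr[0] with no failure check, so any host string that is not an IPv4 dotted quad ends up in the audit record as ffffffff, which is also indistinguishable from 255.255.255.255. Check for INADDR_NONE (or use a parser that reports errors) before filling the terminal ID, and replace the bare 0 in `tid->at_type = 0` with a named constant so the record format is explicit.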
Created attachment 1422
Implement aug_get_machine for BSM audit support
This should work on OS X (modulo the query I have about handling IPv6 connections) and FreeBSD/OpenBSM (untested).
(In reply to comment #2) > (From update of attachment 1417 [details]) > >+#if defined(__APPLE__) > >+ /* don't have a aug_get_machine */ > >+ tid->at_addr[0] = inet_addr(host); > >+ tid->at_type = 0; > >+ snprintf(buf, sizeof(buf), "%08x", tid->at_addr[0]); > >+ debug3("BSM audit: machine ID %s", buf); > >+#else > > How does this cope with connections from IPv6 addresses? This, unfortunately, does not cope with IPv6 addresses. I have filed a bug in our system to have this addressed.
(In reply to comment #4)
> This, unfortunately, does not cope with IPv6 addresses. I have filed a
> bug in our system to have this addressed.
The code I posted (attachment #1422) does cope with IPv6 addresses, but since the original patch doesn't I'm not sure that it will write a record of the correct format.
On Solaris, AU_IPv6 = 16 and AU_IPv4 = 4. (There's also a comment in the header about them being the sizes of the addresses which might cause trouble down the track if code assumes that's always the case and another address type happens to be 16 bytes...)
From patch 1417, it appears that Apple have made record type 0 to be IPv4, the question is what's IPv6? My patch assumes 1.
(In reply to comment #5)
> (In reply to comment #4)
> > This, unfortunately, does not cope with IPv6 addresses. I have filed a
> > bug in our system to have this addressed.
>
> The code I posted (attachment #1422) does cope with IPv6 addresses, but
> since the original patch doesn't I'm not sure that it will write a
> record of the correct format.
>
> On Solaris, AU_IPv6 = 16 and AU_IPv4 = 4. (There's also a comment in
> the header about them being the sizes of the addresses which might
> cause trouble down the track if code assumes that's always the case and
> another address type happens to be 16 bytes...)
>
> From patch 1417, it appears that Apple have made record type 0 to be
> IPv4, the question is what's IPv6? My patch assumes 1.
When this patch was created, we only supported IPv4 so the type was just set to 0 (and not used). I expect that we will adopt the types that are used in OpenBSM (AU_IPv6 = 16 and AU_IPv4 = 4) when IPv6 support is added.
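The IPv4/IPv6 terminal-ID handling discussed in the comments above, as an added example that is not taken from any attachment in this bug: it contrasts the unchecked IPv4-only assignment quoted from attachment 1417 with a checked variant that sets the type to 4 or 16 as the thread describes. `struct demo_tid`, the `DEMO_` constants and both function names are assumptions made for illustration, and the checked variant accepts numeric addresses only.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type values quoted in the thread for Solaris/OpenBSM; DEMO_ names are local. */
#define DEMO_AU_IPV4 4
#define DEMO_AU_IPV6 16

/* Hypothetical stand-in for the terminal ID: only the fields the patch touches. */
struct demo_tid { uint32_t at_type; uint32_t at_addr[4]; };

/* Steps of the quoted attachment 1417 lines (plus zeroing): IPv4 only, unchecked. */
static void legacy_fill(const char *host, struct demo_tid *tid)
{
    memset(tid, 0, sizeof(*tid));
    tid->at_addr[0] = inet_addr(host); /* INADDR_NONE if host does not parse */
    tid->at_type = 0;
}

/* Checked variant: 0 on success, -1 if host is not a numeric IPv4/IPv6 address. */
static int fill_tid(const char *host, struct demo_tid *tid)
{
    unsigned char raw[16];
    memset(tid, 0, sizeof(*tid));
    if (inet_pton(AF_INET, host, raw) == 1) {
        tid->at_type = DEMO_AU_IPV4;
        memcpy(tid->at_addr, raw, 4);
    } else if (inet_pton(AF_INET6, host, raw) == 1) {
        tid->at_type = DEMO_AU_IPV6;
        memcpy(tid->at_addr, raw, 16);
    } else {
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample inputs (documentation address ranges). */
    const char *hosts[] = { "192.0.2.10", "2001:db8::1", "not-an-address" };
    struct demo_tid t;
    for (int i = 0; i < 3; i++) {
        legacy_fill(hosts[i], &t);
        printf("%-15s legacy addr[0]=%08x ", hosts[i], (unsigned)t.at_addr[0]);
        int rc = fill_tid(hosts[i], &t);
        printf("checked rc=%d type=%u\n", rc, (unsigned)t.at_type);
    }
    return 0;
}
```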
Created attachment 1433
Add aug_get_machine, make AU_IPv6 optional
In that case I think this is the way to do it. The patch should have equivalent behaviour to your original patch on current platforms, and should also work when AU_IPv6 is added. Could you please confirm?
Also: if there are any users of OpenBSM and/or FreeBSD out there that could also test that would be appreciated. Thanks.
(In reply to comment #7)
> In that case I think this is the way to do it. The patch should have
> equivalent behaviour to your original patch on current platforms, and
> should also work when AU_IPv6 is added. Could you please confirm?
This looks good. Thank you, sir.
(In reply to comment #8)
> This looks good.
By "looks good" do you mean that it behaves correctly when tested? If it has been tested then I'm ok with putting it in 4.8.
> Thank you, sir.
You're welcome.
Comment on attachment 1433
Add aug_get_machine, make AU_IPv6 optional
ok
(In reply to comment #9)
> (In reply to comment #8)
> > This looks good.
>
> By "looks good" do you mean that it behaves correctly when tested? If
> it has been tested then I'm ok with putting it in 4.8.
Yes. Our normal build process doesn't run autoconf, so I did have to run that manually and augment the patch (with hunks for configure and config.h.in). After that it worked as expected.
patch #1433 has been applied (with a couple of extra headers spotted by csjp at FreeBSD org) and will be in 4.8. Thanks.
Fix shipped in 4.9/4.9p1 release.