Patch Name: PHCO_28961

Patch Description: s700_800 11.04 (VVOS) PAM support for OpenSSH

Creation Date: 03/04/07

Post Date: 03/05/14

Hardware Platforms - OS Releases:
	s700: 11.04
	s800: 11.04

Products: N/A

Filesets:
	VirtualVaultOS.VVOS-SHLIBS,fr=B.11.04,fa=HP-UX_B.11.04_32/64,v=HP

Automatic Reboot?: Yes

Status: General Release

Critical: No

Category Tags:
	defect_repair enhancement general_release

Path Name: /hp-ux_patches/s700_800/11.X/PHCO_28961

Symptoms:
	PHCO_28961:
	1. PAM does not support OpenSSH on VVOS 11.04
	2. Non SYSTEM shell doesn't allow passwd changes
	3. Unexpected behaviour of passwd command with -as options

	PHCO_20884:
	1. The passwd command displays the same time when printing
	   the last successful and last unsuccessful password
	   change dates.
	2. Login and passwd do not display the date correctly when
	   a different timezone is used.
	3. The audit trail shows the terminal pathnames in the
	   format /dev/dev/pts...
	4. Su does not audit successful entries.

Defect Description:
	PHCO_28961:
	1. VVOS PAM currently does not recognize SSH daemon as a
	   valid service type. Hence OpenSSH cannot be configured
	   to use PAM on VVOS 11.04
	2. The user is not able to change the password from a
	   non SYSTEM shell because the passwd command can not
	   update the protected password database file which is at
	   "SYSTEM".
	3. passwd command is not behaving as expected.

	Resolution:
	1. Modified libpam_vvos to accept requests from SSH daemon.
	2. Raised the necessary privileges in the underlying PAM
	   module to support updating the protected password
	   database at any sensitivity level.
	3. Code changes in the underlying PAM module.

	PHCO_20884:
	1. The line printing each date for the successful and
	   unsuccessful change times was using ctime() twice
	   in a single printf() call.
	2. The TZ environment variable is not explicitly loaded
	   into the process's environment to be used when
	   displaying dates.
	3. reduce assumes that device names will not have the
	   leading /dev provided.  The PAM module provides the
	   full device path for some of its audit calls.
	4. PAM was not auditing successful su events, only
	   calling syslog.

	Resolution:
	1. Changed ctime() calls to ctime_r() with different
	   buffers.
	2. If the TZ environment variable is not set, read the
	   timezone from /etc/TIMEZONE.
	3. When generating audit records, do not use the full
	   pathname /dev/pts/ta.  Only use pts/ta.
	4. When we know the user has successfully su'ed to a
	   new account, generate a 'successful' audit record.

Enhancement:
	Yes
	PHCO_28961:
	  PAM support for OpenSSH.

SR:
	8606125843 8606125844 8606125846 8606125849 8606304599
	8606308242 8606308245

Patch Files:
	
	VirtualVaultOS.VVOS-SHLIBS,fr=B.11.04,
		fa=HP-UX_B.11.04_32/64,v=HP:
	/usr/lib/security/libpam_vvos.1

what(1) Output:
	
	VirtualVaultOS.VVOS-SHLIBS,fr=B.11.04,
		fa=HP-UX_B.11.04_32/64,v=HP:
	/usr/lib/security/libpam_vvos.1:
		$Revision: Hewlett-Packard ISSL Level vvos_rose42 $ 
			$Header: Hewlett-Packard ISSL Release vvos_r
			ose $ $Date: Mon May  5 14:31:36 EDT 2003 $
		$Source: seccmd/pam_vvos/vvos_util.c, cmdsmisc, vvos
			_rose, rose0303 $ $Date: 03/04/22 03:26:39 $
			 $Revision: 1.18 PATCH_11.04 (PHCO_28961) $

cksum(1) Output:
	
	VirtualVaultOS.VVOS-SHLIBS,fr=B.11.04,
		fa=HP-UX_B.11.04_32/64,v=HP:
	4003406746 90112 /usr/lib/security/libpam_vvos.1

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
	PHCO_20884 

Equivalent Patches: None

Patch Package Size: 60 KBytes

Installation Instructions:
	Please review all instructions and the Hewlett-Packard
	SupportLine User Guide or your Hewlett-Packard support terms
	and conditions for precautions, scope of license,
	restrictions, and, limitation of liability and warranties,
	before installing this patch.
	------------------------------------------------------------
	1. Back up your system before installing a patch.

	2. Login as root.

	3. Copy the patch to the /tmp directory.

	4. Move to the /tmp directory and unshar the patch:

		cd /tmp
		sh PHCO_28961

	5. Run swinstall to install the patch:

		swinstall -x autoreboot=true -x patch_match_target=true \
			  -s /tmp/PHCO_28961.depot

	By default swinstall will archive the original software in 
	/var/adm/sw/save/PHCO_28961.  If you do not wish to retain a
	copy of the original software, include the patch_save_files
	option in the swinstall command above:

		-x patch_save_files=false

	WARNING: If patch_save_files is false when a patch is installed,
		 the patch cannot be deinstalled.  Please be careful
		 when using this feature.

	For future reference, the contents of the PHCO_28961.text file is 
	available in the product readme:

		swlist -l product -a readme -d @ /tmp/PHCO_28961.depot

	To put this patch on a magnetic tape and install from the
	tape drive, use the command:

		dd if=/tmp/PHCO_28961.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions: None