Patch Name: PHCO_28961

Patch Description: s700_800 11.04 (VVOS) PAM support for OpenSSH

Creation Date: 03/04/07

Post Date: 03/05/14

Hardware Platforms - OS Releases:
    s700: 11.04
    s800: 11.04

Products: N/A

Filesets:
    VirtualVaultOS.VVOS-SHLIBS,fr=B.11.04,fa=HP-UX_B.11.04_32/64,v=HP

Automatic Reboot?: Yes

Status: General Release

Critical: No

Category Tags:
    defect_repair enhancement general_release

Path Name: /hp-ux_patches/s700_800/11.X/PHCO_28961

Symptoms:
    PHCO_28961:
    1. PAM does not support OpenSSH on VVOS 11.04
    2. Non SYSTEM shell doesn't allow passwd changes
    3. Unexpected behaviour of passwd command with -as options

    PHCO_20884:
    1. The passwd command displays the same time when printing
       the last successful and last unsuccessful password
       change dates.
    2. Login and passwd do not display the date correctly when
       a different timezone is used.
    3. The audit trail shows the terminal pathnames in the
       format /dev/dev/pts...
    4. Su does not audit successful entries.

Defect Description:
    PHCO_28961:
    1. VVOS PAM currently does not recognize SSH daemon as a
       valid service type. Hence OpenSSH cannot be configured
       to use PAM on VVOS 11.04
    2. The user is not able to change the password from a non
       SYSTEM shell because the passwd command can not update
       the protected password database file which is at
       "SYSTEM".
    3. passwd command is not behaving as expected.

    Resolution:
    1. Modified libpam_vvos to accept requests from SSH daemon.
    2. Raised the necessary privileges in the underlying PAM
       module to support updating the protected password
       database at any sensitivity level.
    3. Code changes in the underlying PAM module.

    PHCO_20884:
    1. The line printing each date for the successful and
       unsuccessful change times was using ctime() twice in a
       single printf() call.
    2. The TZ environment variable is not explicitly loaded
       into the process's environment to be used when
       displaying dates.
    3. reduce assumes that device names will not have the
       leading /dev provided. The PAM module provides the full
       device path for some of its audit calls.
    4. PAM was not auditing successful su events, only calling
       syslog.

    Resolution:
    1. Changed ctime() calls to ctime_r() with different
       buffers.
    2. If the TZ environment variable is not set, read the
       timezone from /etc/TIMEZONE.
    3. When generating audit records, do not use the full
       pathname /dev/pts/ta. Only use pts/ta.
    4. When we know the user has successfully su'ed to a new
       account, generate a 'successful' audit record.

Enhancement: Yes
    PHCO_28961:
    PAM support for OpenSSH.

SR:
    8606125843 8606125844 8606125846 8606125849 8606304599
    8606308242 8606308245

Patch Files:
    VirtualVaultOS.VVOS-SHLIBS,fr=B.11.04,
        fa=HP-UX_B.11.04_32/64,v=HP:
    /usr/lib/security/libpam_vvos.1

what(1) Output:
    VirtualVaultOS.VVOS-SHLIBS,fr=B.11.04,
        fa=HP-UX_B.11.04_32/64,v=HP:
    /usr/lib/security/libpam_vvos.1:
        $Revision: Hewlett-Packard ISSL Level vvos_rose42 $
        $Header: Hewlett-Packard ISSL Release vvos_r
            ose $
        $Date: Mon May 5 14:31:36 EDT 2003 $
        $Source: seccmd/pam_vvos/vvos_util.c, cmdsmisc, vvos
            _rose, rose0303 $
        $Date: 03/04/22 03:26:39 $
        $Revision: 1.18 PATCH_11.04 (PHCO_28961) $

cksum(1) Output:
    VirtualVaultOS.VVOS-SHLIBS,fr=B.11.04,
        fa=HP-UX_B.11.04_32/64,v=HP:
    4003406746 90112 /usr/lib/security/libpam_vvos.1

Patch Conflicts: None

Patch Dependencies: None

Hardware Dependencies: None

Other Dependencies: None

Supersedes:
    PHCO_20884

Equivalent Patches: None

Patch Package Size: 60 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and, limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHCO_28961

    5. Run swinstall to install the patch:

        swinstall -x autoreboot=true -x patch_match_target=true \
            -s /tmp/PHCO_28961.depot

    By default swinstall will archive the original software in
    /var/adm/sw/save/PHCO_28961. If you do not wish to retain a
    copy of the original software, include the patch_save_files
    option in the swinstall command above:

        -x patch_save_files=false

    WARNING: If patch_save_files is false when a patch is installed,
             the patch cannot be deinstalled. Please be careful
             when using this feature.

    For future reference, the contents of the PHCO_28961.text file is
    available in the product readme:

        swlist -l product -a readme -d @ /tmp/PHCO_28961.depot

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHCO_28961.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions: None
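
The PHCO_20884 defect 1 described above (ctime() used twice in a single printf() call) and its ctime_r() resolution, reproduced as an added example; this is not code from libpam_vvos. The function names and the two timestamps are hypothetical, and the two-argument POSIX form of ctime_r() is assumed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L  /* for ctime_r() */
#endif
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed sample timestamps, one day apart (not taken from the patch). */
#define LAST_OK   ((time_t)1051800000)
#define LAST_FAIL ((time_t)1051886400)

/* Defective pattern: both ctime() calls return a pointer to the same static
 * buffer, so whichever call runs last supplies the text for both %s fields. */
int format_buggy(time_t ok, time_t fail, char *out, size_t n)
{
    return snprintf(out, n, "%s%s", ctime(&ok), ctime(&fail));
}

/* Fixed pattern: ctime_r() writes into separate caller-supplied buffers
 * (POSIX requires at least 26 bytes for each). */
int format_fixed(time_t ok, time_t fail, char *out, size_t n)
{
    char okbuf[26], failbuf[26];
    if (ctime_r(&ok, okbuf) == NULL || ctime_r(&fail, failbuf) == NULL)
        return -1;
    return snprintf(out, n, "%s%s", okbuf, failbuf);
}

/* Returns 1 when the first two newline-terminated lines of s are identical. */
int lines_identical(const char *s)
{
    const char *nl = strchr(s, '\n');
    size_t len;
    if (nl == NULL)
        return 0;
    len = (size_t)(nl - s) + 1;
    return strncmp(s, s + len, len) == 0;
}

int main(void)
{
    char out[64];
    format_buggy(LAST_OK, LAST_FAIL, out, sizeof out);
    printf("ctime() twice:\n%ssame date shown twice: %d\n", out, lines_identical(out));
    format_fixed(LAST_OK, LAST_FAIL, out, sizeof out);
    printf("ctime_r():\n%ssame date shown twice: %d\n", out, lines_identical(out));
    return 0;
}
```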