On Wed, Mar 15, 2006 at 03:36:16PM -0500, Bob Jones wrote:
> Hello all. For various reasons, we use a version of openssh (currently
> v 4.2) that is built on a system running HP-UX 11iv1 that has not been
> converted to TCB, but we wish to run it on a system that has been
> converted to TCB. We have noticed that when run this way sshd is not
> updating the last login (u_suclog) field in the TCB and that it doesn't
> honor administrative locks on accounts (lets you log in anyway).

You mean Trusted Mode aka Commercial Security? I am assuming so for the
responses below.

> We can get around this by using pam (UsePAM=yes) but this is not the way
> we would prefer to get around this problem.
> I've done a number of searches trying to find solutions to this issue,
> and the only one I have really come across is to use pam.
> So, here are some questions that hopefully some of you can help us out
> on with answers.
> 1. If you compile Openssh on a HP-UX 11iv1 system that has been
> converted to use TCB, does Openssh properly update things like last
> login in the TCB and honor locks set in the TCB?

No. The only thing that is currently supported is password expiry.
That said, it would probabbly not be hard to add if there's a need for it.

> 2. Is there a compile time and/or config option we can set to force
> Openssh to honor the TCB on a system that has not been converted?

I'm not sure I understand this question. You want sshd to use it
even though the system doesn't? Or you want to build it on a system
that doesn't have it for deployment on one that does (or vice versa)?

> 3. Is it possible to compile openssh in such a way so that the single
> sshd binary will honor both TCB and non-TCB systems?

Yes. You can detect Trusted Mode at run time with the iscomsec() function
(and indeed that's what sshd does for what it checks now).

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.