Thanks for your note!  I knew this had to have been discussed; I don't
know why dejanews didn't give me any results.  Your commentary that
sshd should behave like other login programs seems unarguable.

P.S.
   The ssh facility should not expect every user to be listed in
   /etc/project.  For instance, we have about 300 Sun systems and
   about four SGIs at this location.  We're simply not interested in
   the project facility.  (But it would have been useful for an SGI
   compute server we had years ago.  Unfortunately projects weren't
   available in IRIX 6.0 and 6.1, so I had to use a somewhat "unpretty"
   approach of using groups and a slightly customized accounting setup.)

--- Forwarded mail from "Randolph J. Herber" <[EMAIL PROTECTED]>

Date: Sat, 4 Mar 2000 15:05:46 -0600 (CST)
From: "Randolph J. Herber" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], Michael Mondy <[EMAIL PROTECTED]>
Subject: Re:  SSH1: IRIX 6.2 login failure -- fixed
Cc: [EMAIL PROTECTED]
Reply-To: "Randolph J. Herber" <[EMAIL PROTECTED]>

The following header lines retained to affect attribution:
|From: Michael Mondy <[EMAIL PROTECTED]>
|Subject: SSH1: IRIX 6.2 login failure -- fixed
|Date: Fri, 03 Mar 2000 15:09:10 -0600
|To: [EMAIL PROTECTED]

|I had a problem with ssh 1.2.26 not allowing logins to IRIX 6.2 machines
|due to a failed getprojuser() call.  A Deja search only picked up another
|report of the same problem with no fix.  Our systems have no projects set
|up, and I didn't want to spend a lot of time on this, so my fix is rather
|simplistic -- ignore the failure if it doesn't matter anyway, e.g., if the
|system has no projects defined.

        [SNIP]

|Mike Mondy

1. This was discussed extensively in both SGI and SSH news groups about
   a year ago, much more in the SSH group than in the SGI news groups.

2. I posted my fix for the project several times.

3. I opine that the correct fix is to do it exactly the same way
   that the login program does it.  The SSH people seem to feel that
   one should provide some default value that is explicitly stated
   in the code.  I am willing to accept the system's implicit default.

4. You should convert to 1.2.27 if you are going to stay in the SSH1
   family at all.

5. I quote myself:

>From herber Sun Apr 18 14:01:11 1999
To: Andreas Werner <[EMAIL PROTECTED]>
Subject: Re: SSH for IRIX 6.3 please help
Reply-To: Randolph J. Herber <[EMAIL PROTECTED]>
Status: O

Why not just do it correctly?

This is the third time that this discussion has come up in the last
several months.  Unfortunately, I can not seem to get the ssh ``support
group'' (I regret that I do not know the proper name for the group) to
listen to me---they seem to have the idea that the code has to reconstruct
the system default project even in the face of an sshd that the system
administrator started in a non system standard (whatever that may be)
project group.  Did they not consider that may be what the system
administration wanted to have happen---users who do not have entries
in the /etc/project file to have a project code different from the
system default project code?

The SGI code places a login which does not have an entry in /etc/project
into the same system project code as the project code that the sshd is
running under which would be the system default project unless the
system administration went to some effort to cause it to be different.

That fix is quite simple:

        1) Remove that entire subroutine.
        2) Replace the call to the subroutine with:

                newarraysess();
                setprid(getdfltprojuser(u_name));

           I assure you that is the way the SGI login programs
           do this operation.  This works because of how setprid
           handles the error code returned by getdfltprojuser
           when the user is not found in the /etc/project file.

The second choice is to properly administer the system and assure that
_all_ users have entries in the /etc/project file.  This method was
posted very recently by Ryan Davis <[EMAIL PROTECTED]>.
===== End of quotation =====

And:

This has been a much discussed topic.  Unfortunately, there are people
in this discussion group who believe that it is the responsibility
of ssh to determine what the system default project is even in the
face of a system administration error which makes that impossible
and the program managing the login process not being in the default
system project.

There are a number of better and almost as simple solutions.

One is to remove the subroutine entirely and replace the code at
the location where it is called with the code from the SGI login
program, which happens to work correctly because of how the error
return of getdfltprojuser is handled by setprid, and that the
program managing the login should be set already to the system
default project:

        newarraysess();
        setprid(getdfltprojuser(u_name));

The code fragment above is fully equivalent to the code which does
the same function within the SGI Irix 6.2 login program; ssh does not
need to do any better.

Randolph J. Herber, [EMAIL PROTECTED], +1 630 840 2966, CD/CDFTF PK-149F,
Mail Stop 318, Fermilab, Kirk & Pine Rds., PO Box 500, Batavia, IL 60510-0500,
USA.  (Speaking for myself and not for US, US DOE, FNAL nor URA.)  (Product,
trade, or service marks herein belong to their respective owners.)


--- End of forwarded mail from "Randolph J. Herber" <[EMAIL PROTECTED]>


-- 
Mike Mondy      +1 281 287-5272
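
Added example, not part of either message and not sshd or IRIX code: a portable C model of the two policies discussed in the thread, refusing the login when the project lookup fails versus the login-style call that lets the session keep the project sshd runs under. The model_* functions, the sample database and the project ids are constructed, and that a rejected set leaves the current project unchanged is an assumption taken from the description in the forwarded mail.

```c
#include <stdio.h>
#include <string.h>
/* Model only: the model_* names are hypothetical stand-ins for the IRIX
 * calls named in the thread, so this compiles on any system. */
typedef long model_prid_t;
struct proj_entry { const char *user; model_prid_t prid; };
/* Constructed sample project database: only "alice" is listed. */
static const struct proj_entry project_db[] = { { "alice", 42 } };
static model_prid_t current_prid; /* project of the current process */

/* Returns the user's default project, or -1 when the user is not listed. */
static model_prid_t model_getdfltprojuser(const char *user) {
    for (size_t i = 0; i < sizeof project_db / sizeof project_db[0]; i++)
        if (strcmp(project_db[i].user, user) == 0)
            return project_db[i].prid;
    return -1;
}

/* Assumption: an invalid id is rejected and the current project is kept. */
static int model_setprid(model_prid_t prid) {
    if (prid < 0) return -1;
    current_prid = prid;
    return 0;
}

/* Strict policy: a failed project lookup refuses the login. */
int login_strict(const char *user, model_prid_t sshd_prid, model_prid_t *out) {
    model_prid_t p = model_getdfltprojuser(user);
    current_prid = sshd_prid;          /* session starts in sshd's project */
    if (p < 0 || model_setprid(p) < 0)
        return -1;
    *out = current_prid;
    return 0;
}

/* login-style policy: ignore the failure, keep the inherited project. */
int login_inherit(const char *user, model_prid_t sshd_prid, model_prid_t *out) {
    current_prid = sshd_prid;
    (void)model_setprid(model_getdfltprojuser(user));
    *out = current_prid;
    return 0;
}

int main(void) {
    model_prid_t p = -1;
    int rc = login_inherit("bob", 7, &p); /* "bob" is not in project_db */
    printf("inherit, bob: rc=%d project=%ld\n", rc, p);
    return 0;
}
```

Under the login-style policy an unlisted user is accounted to whatever project the daemon was started in, so where sshd is launched from decides the accounting for those users.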
