Wandering Thoughts archives

2006-08-24

More on the Solaris ssh stuff (part 3)

As an update on the Solaris ssh stuff and to sort of answer a question left in comments on here:

I brought another Solaris machine up to the current patchlevels today, which let me see what the current state of affairs is. The best answer is that it's confusing and not fixed yet.

  • Patches 112908-24 and 112908-25, the apparently bad versions of the 'krb5 shared obj' patch, have been very thoroughly removed.
  • 112908-23 remains available on the patches.sun.com website, but it is not mentioned in patchdiag.xref. In fact, according to patchdiag.xref there is no currently valid version of 112908 (and -24 and -25 are not explicitly in there marked as bad and withdrawn, either; instead they've just been Stalinized).
  • 113273-11 (sshd) and 114356-08 (ssh) remain in patchdiag.xref as the only live versions. They are recommended patches, and 113273-11 is marked as a security patch as well.
  • However, both 113273-11 and 114356-08 specifically require 112908-24, the unavailable krb5 patch; they will fail to install on a system with 112908-23.

Thus, Sun has quietly removed 112908-24 and 112908-25 as buggy but failed to withdraw or fix patches that depend on it. The result is that you cannot install a recommended Sun security patch, and of course the situation is not fixed in the least. (The only true fix for the situation is for Sun to release new, non-buggy versions of the patches. For some reason they haven't yet gotten around to this.)

The best workaround for now is to manually install the last good versions of the bad patches; you want 113273-10 and 114356-06. Pca will handily do this for you.

MoreSolarisSshIII written at 17:51:40

2006-08-23

An update on impending changes to access to Solaris patches

To update my earlier reporting, here's the current state, again as reported on the pca news page.

The new Sun access restrictions only apply to Solaris 10 (and anything Sun releases later). For Solaris 9 and earlier, Sun isn't making any changes for patch access; anonymous access via pca continues to work. (I was wondering about that, since I have been too busy to get around to getting a Sun Online Account, yet my patch access was still fine.)

Since all of my machines are Solaris 9 (or earlier) and I have no plans of upgrading to Solaris 10, this is ideal for me.

(While Solaris 10 has a fair amount of nice goodies, I have never done a Solaris OS upgrade, I have no idea how hassle-free it is, and the machines are old enough that we need to think about their future in general.)

PatchAccessChangesII written at 12:19:59

2006-08-03

How to irritate your successor (on Solaris)

How to really irritate your successor sysadmin on a Solaris machine:

Set the machine's hostname not by changing /etc/nodename, but by hand-editing a 'hostname foobar' into the /etc/init.d/network startup script.

Of course, you won't want to keep the machine current on patches either; otherwise, your successor might take a much longer time to find this, and have a much less exciting day.

Important caution: for the safest results, ensure that you are a long way away from your successor.

I must thank Solaris's patchadd and associated infrastructure for saving a copy of the old 'modified out from underneath it' init.d scripts; without that I might never have figured out how this machine had once worked.

(The modification was made right after the network script normally prints the hostname on the console, and it's relatively easy to find where that message is generated, so I can contort my mind to see how a sufficiently brute force sysadmin might set the hostname this way.)

IrritateSuccessor written at 17:37:35

