From morgan at transmeta.com Wed Dec 1 08:06:54 1999 
From: morgan at transmeta.com (Andrew Morgan)
Date: Tue, 30 Nov 1999 13:06:54 -0800
Subject: Food for thought regarding PAM
References:
Message-ID: <38443C6E.7578670F@transmeta.com>

I'd like to claim that the patch below is no worse than any other patch out there. It's actually a great deal cleaner than others that I've seen. It also adds support (off by default) for a new PAM-only authentication mode that activates if the client and server have PAM support compiled in.

I actually have a PAM setup that enables me to use ssh with a fingerprint reader, something that's exclusive to this PAM-only authentication mode. There should be no reason why someone (in the free world) couldn't implement modules that do RSA and other forms of authentication with respect to the PAM-only mode provided in this patch. Let's face it, if I can do fingerprint authentication, RSA should be trivial.

I believe the original post on this thread was concerned with the idea that it might be better to add full PAM support as a way to address the problem of adding more and more authentication modes to openssh. I agree with that sentiment - but then I would, wouldn't I :)

If you have a biomouse fingerprint reader, feel free to download the module/agent combo here:

http://www.kernel.org/pub/linux/libs/pam/pre/modules/pam_biomouseplus-0.50.tar.gz

The ssh patch (which may be a little tricky to apply over the existing PAM patch in openssh) is here:

http://www.kernel.org/pub/linux/libs/pam/pre/applications/ssh-patch-0.90.tar.gz

And the open source implementation of PAM is here:

http://www.kernel.org/pub/linux/libs/pam/pre/library/

Mike Fisk wrote:
> Even if we can't find a nice way to do credential-based authentication,
> On Mon, 29 Nov 1999, Tor-Ake Fransson wrote:
> > But... what happens in the special case where you have to pass some strange
> > data, like a login context?

This should be covered.

Cheers

Andrew

From morgan at transmeta.com Wed Dec 1 08:12:06 1999
From: morgan at transmeta.com (Andrew Morgan)
Date: Tue, 30 Nov 1999 13:12:06 -0800
Subject: Food for thought regarding PAM
References: <19991130001238.A2942@folly.informatik.uni-erlangen.de>
Message-ID: <38443DA6.5C63A55C@transmeta.com>

Markus Friedl wrote:
> fyi, there are different opinions on PAM.
> this is from the lsh-distribution:
> -------------------------------------------------------------------------
>
> NO PAM SUPPORT
>
> I spent a day reading the PAM documentation. My conclusion was that
> PAM is not at all suited for handling ssh user authentication. There
> are three main problems, the first two of which would be show-stoppers
> for any SSH server, while the last is a problem that affects servers
> like lshd which doesn't fork() for each connection.
>
> (i) The design of PAM is to hide all details about the actual
> authentication methods used, and that the application should never
> know anything about that. However, ssh user authentication is about
> particular authentication methods. When the client asks which

This sort of thing can be addressed by adding a single additional PAM-only authentication mode. Something that only gets invoked if the server and client support it.

> (ii) PAM wants to talk directly to the user, to ask for passwords,
> request password changes, etc. These messages are not abstracted *at*
> *all*, PAM gives the application a string and some display hints, and
> expects a string back as the user's response. This mode of operation
> doesn't fit with the ssh user-authentication protocol.

This is the same point as the one above.

> (iii) The PAM conversation function expects the server to ask the user
> some question, block until a response is received, and then return the
> result to PAM. That is very unfriendly to a server using a select()

This is no longer the case. We added support for 'event loop' oriented servers. It's also a problem that is specific to lsh's design and does not actually apply to openssh.
Cheers

Andrew

From mfisk at lanl.gov Wed Dec 1 08:16:52 1999
From: mfisk at lanl.gov (Mike Fisk)
Date: Tue, 30 Nov 1999 21:16:52 +0000 (GMT)
Subject: Food for thought regarding PAM
In-Reply-To: <38443C6E.7578670F@transmeta.com>
Message-ID:

On Tue, 30 Nov 1999, Andrew Morgan wrote:
> I'd like to claim that the patch below is no worse than any other patch
> out there. It's actually a great deal cleaner than others that I've seen.
> It also adds support (off by default) for a new PAM-only authentication
> mode that activates if the client and server have PAM support compiled
> in.

I agree that it's a great design, but I'm very preoccupied by compatibility with existing SSH clients and servers. What would be nice is a way to use PAM within the server for RSA, Kerberos, etc. without having to use a PAM protocol option.

BTW, I haven't fully grokked the BINARY conversation thingy, but how does it compare to/work with GSS-API? There are a growing number of daemons that support GSS-API.

> Mike Fisk wrote:
> > Even if we can't find a nice way to do credential-based authentication,
> > > On Mon, 29 Nov 1999, Tor-Ake Fransson wrote:
> > > But... what happens in the special case where you have to pass some strange
> > > data, like a login context?
> This should be covered.
> Cheers
> Andrew

-- 
=====================================================================
Mike Fisk                   | (505)667-5119 | MS B255
Network Engineering (CIC-5) |               | Los Alamos National Lab
mfisk at lanl.gov            | FAX: 665-7793 | Los Alamos, NM 87545

From morgan at transmeta.com Wed Dec 1 08:27:55 1999
From: morgan at transmeta.com (Andrew Morgan)
Date: Tue, 30 Nov 1999 13:27:55 -0800
Subject: Food for thought regarding PAM
References:
Message-ID: <3844415B.FAF3AB56@transmeta.com>

Mike Fisk wrote:
> I agree that it's a great design, but I'm very preoccupied by
> compatibility with existing SSH clients and servers. What would be nice
> is a way to use PAM within the server for RSA, Kerberos, etc. without
> having to use a PAM protocol option.

Believe me, I've thought about this long and hard. I think there is a small chance that one might be able to subvert the binary message stream within the server to transform such prompts into something that a PAM unaware client might grok, but without a working module/agent pair for something like RSA, it's hard to determine if the details work out.

> BTW, I haven't fully grokked the BINARY conversation thingy, but how does
> it compare to/work with GSS-API? There are a growing number of daemons
> that support GSS-API.

I looked at the GSS-API stuff a few years ago, and decided that it was too immature and somewhat baroque. To be frank, I've ignored it since - in the meantime it has evidently matured... If you want to email me some documentation pointers (privately), I'll take a look and make some attempt to write up a summary.

Cheers

Andrew

From David.DelPiero at qed.qld.gov.au Wed Dec 1 18:02:30 1999
From: David.DelPiero at qed.qld.gov.au (David Del Piero) Date: Wed, 01 Dec 1999 17:02:30 +1000 Subject: Compile bugs in openssh-1.2pre15 on Solaris (2.6) Message-ID: <3844C806.7259EFB6@qed.qld.gov.au> Hi, I didn't know if this was the correct spot to send openSSH bugs/problems so I thought I'd try... Anyway, I have encountered the following compile time problems for openssh-1.2pre15 / Solaris 2.6 / gcc 2.8.1 - * daemon code (bsd-daemon.[ch]) exists but is not linked in. Also, header is not included. Same might apply to bsd-login. * rsa.h needs __P() define to work (I think this has already been reported). Diffs are - *** Makefile.in.ORIG Thu Nov 25 12:40:22 1999 --- Makefile.in Wed Dec 1 12:09:37 1999 *************** *** 34,40 **** all: $(OBJS) $(TARGETS) ! libssh.a: authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o hostfile.o match.o mpaux.o nchan.o packet.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o xmalloc.o helper.o rc4.o bsd-mktemp.o bsd-strlcpy.o bsd-strlcat.o log.o fingerprint.o $(AR) rv $@ $^ $(RANLIB) $@ --- 34,40 ---- all: $(OBJS) $(TARGETS) ! libssh.a: authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o hostfile.o match.o mpaux.o nchan.o packet.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o xmalloc.o helper.o rc4.o bsd-mktemp.o bsd-strlcpy.o bsd-strlcat.o bsd-daemon.o bsd-login.o log.o fingerprint.o $(AR) rv $@ $^ $(RANLIB) $@ *** includes.h.ORIG Thu Nov 25 10:54:59 1999 --- includes.h Wed Dec 1 12:13:59 1999 *************** *** 76,81 **** --- 76,83 ---- #include "bsd-strlcpy.h" #include "bsd-strlcat.h" #include "bsd-mktemp.h" + #include "bsd-login.h" + #include "bsd-daemon.h" /* Define this to be the path of the xauth program. 
*/ #ifndef XAUTH_PATH *** rsa.h.ORIG Thu Nov 25 10:54:59 1999 --- rsa.h Wed Dec 1 13:10:55 1999 *************** *** 14,19 **** --- 14,26 ---- */ /* RCSID("$Id: rsa.h,v 1.4 1999/11/24 19:53:50 markus Exp $"); */ + #ifndef __P + #ifdef __STDC__ + #define __P(x) x + #else + #define __P(x) () + #endif + #endif #ifndef RSA_H #define RSA_H ______________________________________________________________________________ David Del Piero, Email : David.DelPiero at qed.qld.gov.au Education Queensland, Floor 11, Education House, 30 Mary Street, Brisbane. 4000. Phone : +61 7 32370509 Queensland. Australia. Fax : +61 7 32379695 From bent at clark.net Wed Dec 1 19:40:19 1999 
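Review bot: in the Makefile.in hunk, bsd-daemon.o and bsd-login.o are added to libssh.a unconditionally, so on a platform whose libc already provides daemon(3) or login(3) the link picks up duplicate definitions unless bsd-daemon.c and bsd-login.c compile to nothing when the corresponding HAVE_ macro is set. Confirm the two files carry the same configure-driven guard as the other replacements already in this list (bsd-strlcpy.o, bsd-strlcat.o, bsd-mktemp.o), or make the addition conditional in the Makefile.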
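Review bot: the rsa.h hunk places the fallback `#ifndef __P ... #endif` block in one header, but every other header in the tree that uses __P() needs the same definition, so it belongs in includes.h next to the bsd-*.h includes, defined once for the whole build rather than per header. The non-__STDC__ branch, `#define __P(x) ()`, silently drops every prototype's parameter list; that is the intended K&R fallback but deserves a one-line comment so nobody later "fixes" it.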
From: bent at clark.net (Ben Taylor)
Date: Wed, 1 Dec 1999 03:40:19 -0500 (EST)
Subject: Pam errors in Solaris
In-Reply-To: <3844C806.7259EFB6@qed.qld.gov.au>
Message-ID:

Thanks to a friend, I was able to gather a little more data about the problem with PAM authentication and Solaris.

Apparently the pam_open_session module doesn't like it if PAM_RHOST or PAM_TTY is not set, and segfaults if it hasn't been set. Figured I'd work around this, but to no avail.

I cut out a bit of do_pam_account_and_session, and made a do_pam_account and do_pam_session. Basically the do_pam_session was a pam_set_attr for PAM_TTY, and the original pam_open_session for the original function (which was removed from the new pam_do_account). I tried in several places to set the information for do_pam_session but always got the same result. That being a non-controlled terminal, and no instance in wtmpx/utmpx (this is solaris). There are indications that data is being propagated to the utmp file, but it's kind of a wash since Solaris ignores it now.

The other problem is that the resulting terminal has horrible properties, probably due to the lack of a controlling terminal and the ability to set its properties.

Well, maybe Sun will fix this pam problem. However, now I'm concerned that the logging for Sun should be going to wtmpx/utmpx. I'll look at this in a day or two.

Funny thing. If I remove the pam_open_session, I get a nice working session.

back to the drawing board.

Ben

From damien at ibs.com.au Thu Dec 2 10:33:42 1999
From: damien at ibs.com.au (Damien Miller)
Date: Thu, 02 Dec 1999 10:33:42 +1100
Subject: [Fwd: Serious Bug Report: OpenSSH]
Message-ID: <3845B056.99608C1F@ibs.com.au>

Can anyone using PAM and rsa-rhosts authentication replicate this?

Damien

-------------- next part --------------
An embedded message was scrubbed...
From: Adrian Baugh Subject: Serious Bug Report: OpenSSH Date: Wed, 1 Dec 1999 02:38:56 +0000 (GMT) Size: 3926 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991202/f994f86a/attachment.mht From damien at ibs.com.au Thu Dec 2 11:18:46 1999 From: damien at ibs.com.au (Damien Miller) Date: Thu, 02 Dec 1999 11:18:46 +1100 Subject: [Fwd: [Fwd: OpenSSH for UNIX]] Message-ID: <3845BAE6.716AAAF4@ibs.com.au> This is a resend, the first try got bounced because of the message size limit on the list. -------------- next part -------------- An embedded message was scrubbed... From: Damien Miller Subject: [Fwd: OpenSSH for UNIX] Date: Thu, 02 Dec 1999 10:52:38 +1100 Size: 73561 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991202/e81e7166/attachment.mht From csaia at wtower.com Thu Dec 2 12:00:44 1999 
From: csaia at wtower.com (Chris Saia) Date: 01 Dec 1999 20:00:44 -0500 Subject: [Fwd: Serious Bug Report: OpenSSH] In-Reply-To: Damien Miller's message of "Thu, 02 Dec 1999 10:33:42 +1100" References: <3845B056.99608C1F@ibs.com.au> Message-ID: Damien Miller writes: (actually, Adrian Baugh wrote, via Damien's forward) > I'm using a RH6.1 system and have tried both the default sshd PAM file and > adding md5 to the password required line. (By the way, should the module > for this line be pam_pwdb rather than pam_unix, as in the PAM files for > login and passwd?) I'm not qualified to answer the previous questions about debugging showing user passwords, but since I was responsible for having the sshd.pam file changed to reflect pam_unix rather than pam_pwdb, I'll answer this part. I believe this (using pam_unix.so vs. pam_pwdb.so) makes OpenSSH more uniform across various PAM implementations. RedHat Linux and Mandrake include both in their PAM package; SuSE Linux only includes pam_unix.so in its default setup(*); and Solaris (looking at Sol7/x86) only has pam_unix.so -- no pam_pwdb.so at all. I don't have access to any other PAM implementations, but I would reckon they also have pam_unix.so and may or may not have the former. (*) pam_pwdb is included with SuSE, but it's packaged separately, is not kept up-to-date with the pam package itself, and contains the following package description: The pwdb package contains libpwdb, the password database library. Libpwdb is a library which implements a generic user information database. Libpwdb doesn't use NSS from glibc. So it is not possible to use services like NIS+ or LDAP with pwdb. -- =============================================================================== csaia at wtower.com, WTnet IRC Administrator - http://www.wtower.com/~csaia/ GNU Privacy Guard Public Key information is available at the above URL. 
=============================================================================== From dugsong at monkey.org Thu Dec 2 16:22:41 1999 From: dugsong at monkey.org (Dug Song) Date: Thu, 2 Dec 1999 00:22:41 -0500 (EST) Subject: krb5 support In-Reply-To: <3845BAE6.716AAAF4@ibs.com.au> Message-ID: On Thu, 2 Dec 1999, Damien Miller wrote: > This patch seems to use the same CMSG type as the KRBIV support > currently in OpenSSH. Would it be better to recommend to the author > that he defines a new CMSG for KRBV instead? actually, in the mainline ssh-1.2.27 code, the KERBEROS protocol messages are for Kerberos v5 - my original Kerberos v4 patches weren't integrated (they originally had dependencies on AFS, etc.). it would be nice if we could do some magic to determine the version of Kerberos being used automatically, based on ticket contents. i'm sure this is possible (perhaps just using pvno in AP_REQ messages), i haven't looked too deeply into it yet. i'll try to take a look at this soon. > Around this issue: what is the policy for defining new message types > in the future? imo, i don't think we should be extending the protocol at all. the only exception i could see to that would be GSS-API support, which would (theoretically, anyhow) be the last security flavor we'd ever have to add (too bad it's so unwieldy and relatively unused). -d. --- http://www.monkey.org/~dugsong/ From morgan at transmeta.com Thu Dec 2 17:15:26 1999 
From: morgan at transmeta.com (Andrew Morgan)
Date: Wed, 01 Dec 1999 22:15:26 -0800
Subject: [Fwd: Serious Bug Report: OpenSSH]
References: <3845B056.99608C1F@ibs.com.au>
Message-ID: <38460E7E.178D3A7F@transmeta.com>

Chris Saia wrote:
> (*) pam_pwdb is included with SuSE, but it's packaged separately, is
> not kept up-to-date with the pam package itself, and contains the
> following package description:

I think it's pretty well determined that libpwdb is no longer alive and will go away, I'm recommending that folk use pam_unix these days. Glibc's NSS support is better supported, widely deployed and does almost what libpwdb was intended to do.

[BTW. regarding this bug, is it the case that their client and server are from the same openssh package (1.2-pre15)? Forgive my ignorance, but is P$ some sort of shorthand for something? Or is this actually something that the log generates? If I were to guess wildly, I'd say that this looks a lot like the daemon's conversation-function getting royally confused.]

Cheers

Andrew

From mfisk at lanl.gov Fri Dec 3 03:14:35 1999
From: mfisk at lanl.gov (Mike Fisk) Date: Thu, 2 Dec 1999 16:14:35 +0000 (GMT) Subject: krb5 support In-Reply-To: Message-ID: On Thu, 2 Dec 1999, Dug Song wrote: > imo, i don't think we should be extending the protocol at all. the only > exception i could see to that would be GSS-API support, which would > (theoretically, anyhow) be the last security flavor we'd ever have to add > (too bad it's so unwieldy and relatively unused). As far as I can tell, GSS-API has no mechanism for negotiating supported authentication types. It is purely a way for clients and servers to interface with authentication libraries and pass credentials across the wire. It seems to be mainly used as a way to include Kerberos support. ===================================================================== Mike Fisk | (505)667-5119 | MS B255 Network Engineering (CIC-5) | | Los Alamos National Lab mfisk at lanl.gov | FAX: 665-7793 | Los Alamos, NM 87545 From dugsong at monkey.org Fri Dec 3 04:06:51 1999 
From: dugsong at monkey.org (Dug Song) Date: Thu, 2 Dec 1999 12:06:51 -0500 (EST) Subject: krb5 support In-Reply-To: Message-ID: On Thu, 2 Dec 1999, Mike Fisk wrote: > As far as I can tell, GSS-API has no mechanism for negotiating supported > authentication types. It is purely a way for clients and servers to > interface with authentication libraries and pass credentials across the > wire. GSS-API doesn't have one per se, but there has been at least one proposed negotiation mechanism on top of it - see RFC 2478 for details. > It seems to be mainly used as a way to include Kerberos support. this is probably because only Kerberos people have implemented it (MIT krb5, KTH heimdal). but again, there have been proposals to use public key GSS-API mechanisms - see RFC 2025 (SPKM). i think GSS-API has been slow to catch on for the following reasons: 1. unwieldy interface, somewhat over-engineered 2. lack of freely available independent implementations (MIT and KTH's are both tied to their Kerberos distributions) 3. SSL (SSLeay/OpenSSL in particular) is so much easier for people to understand and code to - no middleware, just some initialization and then read()/write() API replacements still, with important protocols like NFSv4 relying on the deployment of GSS-API (e.g. RPCSEC_GSS), i'm sure it will mature and gain acceptance over time. -d. --- http://www.monkey.org/~dugsong/ From phil at hands.com Fri Dec 3 04:39:59 1999 
From: phil at hands.com (Philip Hands)
Date: 02 Dec 1999 17:39:59 +0000
Subject: [Fwd: Serious Bug Report: OpenSSH]
In-Reply-To: (Chris Saia's message of "01 Dec 1999 20:00:44 -0500")
References: <3845B056.99608C1F@ibs.com.au>
Message-ID: <87wvqxkzrk.fsf@sheikh.hands.com>

Chris Saia writes:
> RedHat Linux and Mandrake include both in their PAM package; SuSE
> Linux only includes pam_unix.so in its default setup(*); and Solaris
> (looking at Sol7/x86) only has pam_unix.so -- no pam_pwdb.so at all.
> I don't have access to any other PAM implementations, but I would
> reckon they also have pam_unix.so and may or may not have the former.

On Debian, pam_unix.so is in libpam-modules, which is going to be installed on almost all Debian systems because things that use pam (like login, passwd, and ssh as it happens) depend upon it.

pam_pwdb.so is in a separate package (libpam-pwdb), so is not necessarily present, although it does seem to be maintained as part of the main pam group of packages, so is not rotting like the SuSE package.

Cheers, Phil.

From csaia at wtower.com Sun Dec 5 07:52:57 1999
From: csaia at wtower.com (Chris Saia) Date: 04 Dec 1999 15:52:57 -0500 Subject: updated SuSE spec file Message-ID: Howdy, The following patch should be applied if you're building a SuSE-style RPM with the spec file included in the pre15 tarfile. I've made some changes since the copy that went out with pre15, and I've been a little lax in sending the updates up. Namely, one of the fixes includes not making symlinks part of the package itself. They are now done with a postinstall script and are removed (if found) by a postuninstall script. Some of the messages output by these scripts are now more user-oriented. (Why bother saying that we're creating a new host key if one already exists and we aren't going to make one?) I've also marked manual pages as %doc. Damien, I'll be sending you up the whole spec file intact as well. -- =============================================================================== csaia at wtower.com, WTnet IRC Administrator - http://www.wtower.com/~csaia/ GNU Privacy Guard Public Key information is available at the above URL. =============================================================================== -------------- next part -------------- A non-text attachment was scrubbed... Name: file Type: application/octet-stream Size: 6310 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991204/734ab250/attachment.obj From csaia at wtower.com Sun Dec 5 08:16:24 1999 
From: csaia at wtower.com (Chris Saia) Date: 04 Dec 1999 16:16:24 -0500 Subject: confusion over RSAref vul w/OpenSS[HL] Message-ID: Howdy, The string of notices on BugTraq about RSAref being vulnerable to overflows has me concerned. After trying to sort through all the messages, I can't figure out whether I need to update OpenSSL (a check of their website indicates no new patches), OpenSSH, both, or neither. I am aware there is no known exploit for it yet. I could be a bad boy and just run all the code without RSAref, given that my software builds will probably outlast the (ridiculous) software patent, which expires in 10 months. However, I figure I best pursue a legitimate [legal] solution first. What's the deal? Best, "Burned in Boston" -- =============================================================================== csaia at wtower.com, WTnet IRC Administrator - http://www.wtower.com/~csaia/ GNU Privacy Guard Public Key information is available at the above URL. =============================================================================== From provos at citi.umich.edu Sun Dec 5 09:51:26 1999 From: provos at citi.umich.edu (Niels Provos) Date: Sat, 04 Dec 1999 17:51:26 -0500 Subject: confusion over RSAref vul w/OpenSS[HL] In-Reply-To: Chris Saia, 04 Dec 1999 16:16:24 EST Message-ID: <19991204225305.A796C26EF0@toad.mindrot.org> In message , Chris Saia writes: > messages, I can't figure out whether I need to update OpenSSL (a > check of their website indicates no new patches), OpenSSH, both, or You need to update OpenSSL if you use it with RSAREF2. I just sent the following email to Bugtraq: Subject: Re: Security Advisory: Buffer overflow in RSAREF2 
From: Niels Provos
In-Reply-To: Gerardo Richarte, Thu, 02 Dec 1999 16:50:46 -0300
To: Gerardo Richarte
Cc: BUGTRAQ at SECURITYFOCUS.COM
Date: Sat, 04 Dec 1999 17:45:20 -0500
Sender: provos at citi.umich.edu

In message <3846CC26.513CE96F at core-sdi.com>, Gerardo Richarte writes:
> To make this clear: in combination with the buffer overflow in rsaglue.c
> this makes possible to get a remote shell on a machine running sshd AND it
> also makes possible to use a reverse exploit to gain access on clients'
> machines, using malicious sshd.

I fear that this posting should have been even clearer. To sum the problem up more clearly:

ssh-1.2.27 (if compiled with RSAREF2) is vulnerable. Attackers can obtain a shell on the machine running sshd. The exploit uses buffer overflows in the RSAREF2 implementation AND in the rsaglue.c file in ssh-1.2.27. I am surprised that there wasn't a bigger outrage on the mailing list about this, it is quite serious!!!

On the other hand, OpenSSH is not vulnerable to this remote exploit. Since rsaglue.c was rewritten, OpenSSH does stricter parameter checking than ssh-1.2.27 and these recent problems in ssh-1.2.27 did NOT affect OpenSSH.

Nonetheless, OpenSSH users in the USA that use OpenSSL compiled with RSAREF2 should update their ssl library (since isakmpd or httpd may be affected), see previous postings on Bugtraq, and

http://www.openbsd.org/errata.html#sslUSA

Another thing is worth mentioning, RSA could use the buffer overflow in RSAREF2 to scan machines in the USA for RSA license violation. For example, sshds that do not use RSAREF2 will behave differently than those that do.

Information on OpenSSH can be found at http://www.openssh.com/
Information on OpenSSL can be found at http://www.openssl.org/

From csaia at wtower.com Sun Dec 5 11:53:23 1999
From: csaia at wtower.com (Chris Saia) Date: 04 Dec 1999 19:53:23 -0500 Subject: confusion over RSAref vul w/OpenSS[HL] References: <19991204225305.A796C26EF0@toad.mindrot.org> Message-ID: Niels Provos writes: > You need to update OpenSSL if you use it with RSAREF2. I just sent > the following email to Bugtraq: **wonderful message snipped** That message is nice and detailed, except it lacks an actual patch. The link points to OpenBSD library fixes, but they're not terribly useful if you don't run OpenBSD. :) -- =============================================================================== csaia at wtower.com, WTnet IRC Administrator - http://www.wtower.com/~csaia/ GNU Privacy Guard Public Key information is available at the above URL. =============================================================================== From jmknoble at pobox.com Mon Dec 6 15:28:17 1999 From: jmknoble at pobox.com (Jim Knoble) Date: Sun, 5 Dec 1999 23:28:17 -0500 Subject: OpenSSH-1.12pre15: PATCH: packages/redhat/sshd.init Message-ID: <19991205232817.F12383@quipu.earth> The ChangeLog indicates: 19991113 [...] - Revised Redhat initscript to fix bug: sshd (re)start would fail if executed from inside a ssh login. Unfortunately, the changes made to the init script make it no longer work on a Red Hat Linux 4.x or 5.x system, which doesn't use the `success' or `failure' functions available in Red Hat Linux 6.x. The attached patch enables the script to work in either environment by checking for the existence of the `success' shell function. -- jim knoble jmknoble at pobox.com -------------- next part -------------- --- ./packages/redhat/sshd.init.orig-init Mon Nov 22 18:11:29 1999 +++ ./packages/redhat/sshd.init Sun Dec 5 02:06:27 1999 
@@ -21,8 +21,16 @@ start) echo -n "Starting sshd: " if [ ! -f /var/run/sshd.pid ] ; then - /usr/sbin/sshd && success "sshd startup" || failure "sshd startup" - RETVAL=$? + case "`type -type success`" in + function) + /usr/sbin/sshd && success "sshd startup" || failure "sshd startup" + RETVAL=$? + ;; + *) + /usr/sbin/sshd && echo -n "sshd " + RETVAL=$? + ;; + esac fi echo ;; From jmknoble at pobox.com Mon Dec 6 15:34:15 1999 From: jmknoble at pobox.com (Jim Knoble) Date: Sun, 5 Dec 1999 23:34:15 -0500 Subject: New x11-ssh-askpass release available Message-ID: <19991205233415.G12383@quipu.earth> http://www.pobox.com/~jmknoble/jmk/x11-ssh-askpass-1999.12.04.tar.gz Changes: 1999-12-05 04:21 jmknoble * Imakefile: Added patch from Markus Friedl to change use of awk (with GNU-specific extensions?) to sed, more likely to be available on various platforms. X11-ssh-askpass is drop-in passphrase dialog for OpenSSH, based solely on the regular X11 libraries (libX11, libXt), with a default look and feel similar to the passphrase dialog present in recent releases of the not-so-open SSH-1.2.x. -- jim knoble jmknoble at pobox.com From jmknoble at pobox.com Mon Dec 6 15:43:37 1999 
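Review bot: the `case "`type -type success`"` block in the start) branch repeats the `/usr/sbin/sshd` invocation in both arms, and any other branch of the script that calls success/failure (stop, restart) will need the same guard copied in; evaluate the check once near the top of the script into a variable and branch on that, so the sshd line stays single and the fallback is applied consistently. Note also that `type -type` is bash's long spelling of `type -t` (it prints "function" for a shell function), which is fine for a Red Hat init script run by bash but has no equivalent in a plain sh, so the `#!` line must stay `/bin/bash`.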
From: jmknoble at pobox.com (Jim Knoble) Date: Sun, 5 Dec 1999 23:43:37 -0500 Subject: OpenSSH-1.12pre15: fun with ulimit Message-ID: <19991205234337.H12383@quipu.earth> Since upgrading from pre11 (aack, that was old!) to pre15, i get the following message when logging in via ssh to a box with the OpenSSH server running: ulimit: cannot raise limit: Operation not permitted I've traced this to the following command in /etc/profile: ulimit -c 1000000 It seems as if sshd is turning off core dumps for the shell session it spawns. Any idea what change caused this, and whether this particular effect is reversible without compromising security? A cursory examination of the ChangeLog wasn't particularly revealing to me. Red Hat Linux/x86 5.2, glibc-2.0.7, OpenSSL-0.9.4 OpenSSH built with egcs-1.1.2 (egcs -pipe -O2 -mpentium -fno-strength-reduce) ./configure --prefix=/usr --sysconfdir=/etc --with-tcp-wrappers -- jim knoble jmknoble at pobox.com From dfs at roaringpenguin.com Tue Dec 7 02:53:56 1999 
From: dfs at roaringpenguin.com (David F. Skoll) Date: Mon, 6 Dec 1999 10:53:56 -0500 (EST) Subject: Ugly patch to openssh-1.2pre15 Message-ID: Hi, I am behind a firewall which does not permit connections to port 22, so I run my ssh server on port 23. :-) Unfortunately, the stupid firewall prints a few lines of junk when you make a connection to port 23 before actually starting the connection. This confuses ssh. Attached is an (ugly) patch against openssh-1.2pre15 which makes it ignore a configurable number of lines while looking for the SSH-%d-%d identification string. If you think it's worth including this hack in the official version, feel free. :-) Please reply to me as I'm not on this list. Regards, David F. Skoll http://www.roaringpenguin.com diff -b -c --recursive openssh-1.2pre15/sshconnect.c openssh-1.2pre15-patched/sshconnect.c *** openssh-1.2pre15/sshconnect.c Wed Nov 24 19:54:59 1999 --- openssh-1.2pre15-patched/sshconnect.c Mon Dec 6 10:35:51 1999 *************** *** 31,36 **** --- 31,42 ---- #include "readconf.h" #include "fingerprint.h" + /* I am behind a firewall which forces me to run my SSH server on port 23. + The stupid firewall emits several lines of chatter before making + the real connection, so we have to swallow some lines before getting + the SSH-%d.%d identification string */ + #define FIREWALL_CHATTER_LINES 10 + /* Session id for the current session. */ unsigned char session_id[16]; *************** *** 896,902 **** --- 902,910 ---- int connection_in = packet_get_connection_in(); int connection_out = packet_get_connection_out(); extern Options options; + int chatter; + for (chatter = 0; chatter < FIREWALL_CHATTER_LINES; chatter++) { /* Read other side\'s version identification. */ for (i = 0; i < sizeof(buf) - 1; i++) { if (read(connection_in, &buf[i], 1) != 1) *************** *** 917,927 **** * Check that the versions match. In future this might accept * several versions and set appropriate flags to handle them. 
*/ if (sscanf(buf, "SSH-%d.%d-%[^\n]\n", &remote_major, &remote_minor, ! remote_version) != 3) fatal("Bad remote protocol version identification: '%.100s'", buf); debug("Remote protocol version %d.%d, remote software version %.100s", remote_major, remote_minor, remote_version); /* Check if the remote protocol version is too old. */ if (remote_major == 1 && remote_minor < 3) --- 925,943 ---- * Check that the versions match. In future this might accept * several versions and set appropriate flags to handle them. */ + debug("chatter = %d, buf = %s", chatter, buf); if (sscanf(buf, "SSH-%d.%d-%[^\n]\n", &remote_major, &remote_minor, ! remote_version) != 3) { ! if (chatter >= FIREWALL_CHATTER_LINES-1) { fatal("Bad remote protocol version identification: '%.100s'", buf); + } else { + continue; + } + } debug("Remote protocol version %d.%d, remote software version %.100s", remote_major, remote_minor, remote_version); + break; + } /* Check if the remote protocol version is too old. */ if (remote_major == 1 && remote_minor < 3) From Markus.Friedl at informatik.uni-erlangen.de Tue Dec 7 03:20:04 1999 
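Review bot: the first hunk hardcodes FIREWALL_CHATTER_LINES to 10 although the cover note calls the count configurable, and because the `for (chatter ...)` loop added in the second hunk runs for every client, the default now silently discards up to nine non-banner lines from any server, where the current behaviour (fail on the first bad line) should remain the default and skipping be opt-in. Make it an Options field read from ssh_config (options is already in scope here via `extern Options options;`), default it to 1, and size the loop from that.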
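Review bot: in the last hunk, `debug("chatter = %d, buf = %s", chatter, buf);` prints the remote-supplied buffer with an unbounded `%s`, while the existing fatal() two lines below deliberately uses `'%.100s'`; use the same bounded format, and bear in mind this line now fires on every attempt, so the firewall's raw chatter (including any telnet control bytes) lands in the debug output. When all attempts are exhausted, the fatal() reports only the last line read; include the number of lines skipped so the failure is diagnosable from the message alone.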
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 6 Dec 1999 17:20:04 +0100
Subject: Ugly patch to openssh-1.2pre15
In-Reply-To: ; from dfs@roaringpenguin.com on Mon, Dec 06, 1999 at 10:53:56AM -0500
References:
Message-ID: <19991206172004.A19736@faui01.informatik.uni-erlangen.de>

On Mon, Dec 06, 1999 at 10:53:56AM -0500, David F. Skoll wrote:
> I am behind a firewall which does not permit connections to port 22, so I
> run my ssh server on port 23. :-) Unfortunately, the stupid firewall
> prints a few lines of junk when you make a connection to port 23 before
> actually starting the connection. This confuses ssh.
>
> Attached is an (ugly) patch against openssh-1.2pre15 which makes it ignore
> a configurable number of lines while looking for the SSH-%d-%d
> identification string. If you think it's worth including this hack in the
> official version, feel free. :-)

i think, the right way to fix this is by using a proxy-command that
eats the bogus greeting. you don't want to touch ssh for this.

a friend of mine lived behind a firewall that injected telnet
commands like for port 23. we used this perl-script and ProxyCommand

% cat .ssh/config
Host bla
ProxyCommand /blabla/bin/tunnel.pl %h %p

% cat /blabla/bin/tunnel.pl
#!/usr/bin/perl -w
# Usage: ProxyCommand /path/bin/tunnel.pl %h %p
$debug=0;
$debug=1;

# open a TCP connection to "host:port" on the filehandle SOCK
sub dial{
    require 'sys/socket.ph'; # perl4
    # don't touch!
    local($thathost, $port, $name, $aliases, $proto, $type, $len);
    local($thataddr, $sockaddr, $that);
    ($thathost, $port)=split(/:/,"@_");
    print STDERR "tunnel: trying $thathost port $port...\n" if $debug;
    $sockaddr = 'S n a4 x8';
    ($name, $aliases, $proto) = getprotobyname('tcp');
    ($name, $aliases, $type, $len, $thataddr) = gethostbyname($thathost);
    $that = pack($sockaddr, &AF_INET, $port, $thataddr);
    socket(SOCK, &PF_INET, &SOCK_STREAM, $proto) || die "socket: $!";
    connect(SOCK, $that) || die "connect: $!";
    print STDERR "connected\n" if $debug;
}

if($#ARGV !=1){
    print STDERR "usage: $0 destination port\n";
    exit(1);
}
$host=shift;
$port=shift;

&dial("$host:$port");

select(SOCK); $| = 1;
select(STDOUT); $| = 1;

$read=0;
$magic="";
# wait for banner: SSH-
# read one byte at a time so nothing past the banner is consumed;
# everything before "SSH-" is the firewall's junk and is dropped
while(sysread(SOCK,$buf,1)){
    $read++;
    $magic .= $buf;
    if($buf eq "S"){
        sysread(SOCK,$buf,3);
        $read+=3;
        $magic .= $buf;
        if($buf eq "SH-"){
            print STDERR "tunnel: MAGIC $read bytes\n" if $debug;
            print STDERR "tunnel: pre-MAGIC: $magic\n" if $debug;
            while($magic =~ /(.)/g){
                printf STDERR "%x ",ord($1) if $debug;
            }
            print STDERR "\n" if $debug;
            # hand the banner prefix we swallowed on to the ssh client
            print STDOUT ("SSH-");
            last;
        }
    }
}

# parent: ssh client (stdin) -> server; child: server -> ssh client (stdout)
if($child = fork){
    while(sysread(STDIN,$buf,4096)){
        print SOCK ($buf);
    }
    sleep 2;
    kill(15,$child) if $child;
}else{
    while(sysread(SOCK,$buf,4096)){
        print STDOUT ($buf);
    }
}

% ssh -v -p 23 bla
From jas at ops.sgp.arm.gov Tue Dec 7 07:28:13 1999
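A Python stand-in for Markus Friedl's tunnel.pl above, added here as an example; it is not part of his post or of OpenSSH. It does the same job (scan the connection byte by byte for the "SSH-" identification prefix, discard what the firewall printed before it, then relay both directions), but caps how much junk it will swallow and does not lose a banner that follows a stray "S", which the perl script's four-byte read would. Python 3 on a POSIX host, the MAX_JUNK limit and the script path are assumptions of the example.

```python
"""tunnel.py: ProxyCommand that eats a firewall greeting before the SSH banner.
Added example; not the original tunnel.pl and not OpenSSH code."""

import io
import os
import selectors
import socket
import sys

MARKER = b"SSH-"      # start of the SSH identification string
MAX_JUNK = 4096       # assumption: most junk a firewall may print before the banner


def skip_to_banner(stream, max_junk=MAX_JUNK):
    """Read `stream` (anything with .read(n)) one byte at a time until the
    marker "SSH-" has been seen.  Returns (junk, marker): the bytes dropped
    before the marker, and the marker itself.  Reading one byte at a time
    matters: nothing after the marker may be consumed, because it belongs
    to the ssh client that the connection is handed to.
    Raises ValueError if the stream ends, or more than max_junk bytes of
    junk go by, before the marker shows up."""
    buf = bytearray()
    while True:
        b = stream.read(1)
        if not b:
            raise ValueError("stream ended before the SSH- banner")
        buf += b
        idx = buf.find(MARKER)
        if idx >= 0:
            # the byte just read completed the marker, so buf ends with it
            return bytes(buf[:idx]), bytes(buf[idx:])
        # without a marker, at most the last 3 bytes can be a marker prefix;
        # everything else is junk, so this bound never fires early
        if len(buf) - (len(MARKER) - 1) > max_junk:
            raise ValueError("no SSH- banner within %d bytes" % max_junk)


def skip_bytes(data, max_junk=MAX_JUNK):
    """Run skip_to_banner over an in-memory capture (constructed test input)."""
    return skip_to_banner(io.BytesIO(data), max_junk)


def relay(sock):
    """Copy stdin -> sock and sock -> stdout until the server side closes."""
    sel = selectors.DefaultSelector()
    stdin = sys.stdin.buffer
    stdout = sys.stdout.buffer
    sel.register(sock, selectors.EVENT_READ, "sock")
    sel.register(stdin, selectors.EVENT_READ, "stdin")
    while True:
        for key, _ in sel.select():
            if key.data == "sock":
                data = sock.recv(4096)
                if not data:
                    return
                stdout.write(data)
                stdout.flush()
            else:
                data = os.read(stdin.fileno(), 4096)
                if not data:
                    # client finished sending; let the server drain and close
                    sel.unregister(stdin)
                    sock.shutdown(socket.SHUT_WR)
                else:
                    sock.sendall(data)


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: %s host port\n" % argv[0])
        return 2
    sock = socket.create_connection((argv[1], int(argv[2])))
    junk, marker = skip_to_banner(sock.makefile("rb", buffering=0))
    if junk:
        # make the swallowed greeting visible instead of silently eating it
        sys.stderr.write("tunnel: dropped %d bytes before banner: %r\n"
                         % (len(junk), junk))
    out = sys.stdout.buffer
    out.write(marker)      # re-emit the prefix we consumed while scanning
    out.flush()
    relay(sock)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wire it in exactly like tunnel.pl, with `ProxyCommand python3 /path/to/tunnel.py %h %p` in `.ssh/config`. The dropped bytes are written to stderr on every connection, so a greeting that differs from the firewall's usual text (or a banner that never arrives within MAX_JUNK) is noticed by the user rather than absorbed.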
From: jas at ops.sgp.arm.gov (Jeff Sapp)
Date: Mon, 06 Dec 1999 20:28:13 +0000
Subject: PAM authentication
Message-ID: <384C1C5D.4E4D4B58@ops.sgp.arm.gov>

Hey all, I'm having some trouble it seems with PAM. I'm running Redhat 6.0 with a 2.2.13
kernel. I installed OpenSSL 0.9.4 and OpenSSH 1.2pre15. It compiled and (Open)ssh
seems to work just fine when I connect to other computers running sshd. Yet
when I start (Open)sshd on my local computer and try and connect, it
won't let me login. When I run sshd -d it says that PAM rejected my account. Here is what it
says. I did copy the generic ssh pam file into /etc/pam.d/sshd

debug: PAM setting rhost to "redhawk.sgp.arm.gov"
PAM rejected by account configuration: Module is unknown
Faking authloop for illegal user jasapp from 198.124.97.210 port 3830
fatal: Connection closed by 198.124.97.210
debug: Calling cleanup 0x804a940(0x0)
Cannot close PAM session: Module is unknown
debug: Calling cleanup 0x8055320(0x0)

Any great help or advice? Thanks in advance.

Jeff
-- 
Failure is not an option, it's integrated into all Microsoft products.
From dagraz at jahoopa.com Tue Dec 7 09:11:28 1999
From: dagraz at jahoopa.com (David Agraz)
Date: Mon, 6 Dec 1999 16:11:28 CST
Subject: Pam errors in Solaris
Message-ID: <19991206215900.09D644002@bb.vitnet.com.sg>

regarding the segfault that shows up when calling
pam_open_session in sshd under solaris--

In the dec 1 Solaris 7 patch report update, there is one mention
of pam:

Patch-ID# 107285-01
Synopsis: SunOS 5.7: passwd & pam_unix.so.1 patch
BugId's fixed with this patch: 4172457
Changes incorporated in this version:
Date: Aug/17/99

but it doesn't seem to be freely available -- when looking
for the file to download, sun tells us:

The document or patch you are attempting to access is available to
contract customers only. You can obtain the patch from your local
Solution Center. North American customers can call 1-800-USA-4SUN.

I also didn't have much luck finding out just what bugid 4172457
is, so I'm afraid I can't even tell if it's relevant. Has anyone
access to this patch, and if so how has running sshd gone?

thanks,

David Agraz

_____________________________________________________
Sent by Jahoopa Free Email!
Find us on the web at http://www.jahoopa.com
Join today!

From brett at lariat.org Tue Dec 7 09:29:53 1999
From: brett at lariat.org (Brett Glass)
Date: Mon, 06 Dec 1999 15:29:53 -0700
Subject: Has anyone tried to compile under FreeBSD 2.2.x?
Message-ID: <4.2.0.58.19991206152657.03e3fba0@localhost>

I support several machines which are running FreeBSD 2.2.x. Currently, the
FreeBSD Ports Collection only includes ports for newer versions. Has anyone
tried compiling the generic UNIX/Linux port for FreeBSD 2.2.x? Any tips
and/or suggestions for flags and #defines (for example, we need to set SSH
up to use MD5 passwords), etc. would be most appreciated.

Please respond to me as well as to this list, as I am currently subscribed
to more mailing lists than I can *possibly* read.

--Brett
From djm at mindrot.org Tue Dec 7 09:50:04 1999
From: djm at mindrot.org (Damien Miller)
Date: Tue, 7 Dec 1999 09:50:04 +1100 (EST)
Subject: PAM authentication
In-Reply-To: <384C1C5D.4E4D4B58@ops.sgp.arm.gov>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 6 Dec 1999, Jeff Sapp wrote:

> Hey all, I'm having some trouble it seems with PAM. I'm running Redhat
> 6.0 with a 2.2.13
> kernel. I installed OpenSSL 0.9.4 and OpenSSH 1.2pre15. It compiled and
> (Open)ssh
> seems to work just fine when I connect to other computers running sshd.

Any reason why you are not using the RPM package of OpenSSH? If you
need to rebuild from source, there is also a source RPM. Both of these
customise OpenSSH to Redhat's environment.

> Yet
> when I start (Open)sshd on my local computer and try and connect, it
> won't let me login.
> When I run sshd -d it says that PAM rejected my account. Here is what it
> says.
> I did copy the generic ssh pam file into /etc/pam.d/sshd

You should probably use the PAM config in packages/redhat/ as it is
specific to Redhat (tested too).

Regards,
Damien Miller

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4TD2formJ9RG1dI8RAjz4AJ0XO/Be3+RZ+PkjXqRVWmf4BQQxEgCgiqx/
Bw5bbi5wdkj4mcHJCxNz7Ec=
=qYps
-----END PGP SIGNATURE-----

From provos at outguess.org Tue Dec 7 09:54:36 1999
From: provos at outguess.org (Niels Provos)
Date: Mon, 6 Dec 1999 17:54:36 -0500 (EST)
Subject: Fwd: Re: openssh on a non-PAM system?
Message-ID: <199912062254.RAA17292@india.citi.umich.edu>

FYI. Maybe ppl with access to Solaris can look at this.

Niels.
From: mark at salfrd.ac.uk (Mark Powell)
Newsgroups: comp.security.ssh
Subject: Re: openssh on a non-PAM system?
Date: 6 Dec 1999 14:10:21 -0000
Message-ID: <82gg4d$15ta$1 at plato.salford.ac.uk>

In article , Dan Lowe wrote:
>mark at salfrd.ac.uk (Mark Powell) writes:
>This is what I did:
>
> 1. Install OpenSSL and EGD as recommended by the Install docs at
> http://violet.ibs.com.au/openssh/files/INSTALL
> and started up "/usr/local/bin/egd.pl /etc/egd.pool"
> (Don't forget to drop this in a startup script that runs prior
> to sshd being started).
>
> 2. Grabbed the tar.gz noted above, untarred etc.
>
> 3. Ran ./configure --with-egd-pool=/etc/egd.pool --prefix=/usr/local
>
> 4. Edited Makefile, removing "-lpam" from the "LIBS=" line.
>
> 5. Edited config.h, commenting out the "#define HAVELIBPAM 1" line.

I tried the same, although, I think the --without-pam switch would remove
the need for steps 4 and 5? Although, it doesn't :)

> 6. Ran "make"

Using gmake, it falls over straight away on 2.5.1 (gcc-2.95.1) and 2.7
(gcc-2.95), with:

gcc -O2 -fomit-frame-pointer -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DHAVE_CONFIG_H -c authfd.c -o authfd.o
In file included from ssh.h:25,
                 from authfd.c:19:
rsa.h:40: parse error before `__P'
rsa.h:42: parse error before `__P'
rsa.h:44: parse error before `__P'
rsa.h:45: parse error before `__P'

a quick:

#define __P(p) p

in rsa.h fixes that. Then falls over linking ssh, with:

gcc -o ssh ssh.o sshconnect.o log-client.o readconf.o clientloop.o libssh.a -lpam -ldl -lsocket -lnsl -lz -lcrypto -L/usr/local/ssl/lib -lssl -lcrypto
Undefined                       first referenced
 symbol                             in file
daemon                              ssh.o
ld: fatal: Symbol referencing errors. No output written to ssh
collect2: ld returned 1 exit status
make: *** [ssh] Error 1

a manual link adding bsd_daemon.o on 2.7 fixes this. 2.5.1 additionally
complains of missing:

snprintf                            ssh.o
vsnprintf                           log-client.o

which it doesn't have .

I continued on the 2.7 machine...

> 7. I found that "make install" was broken so I manually copied all the
> files into place. You can do this easily by hand by reading the
> steps for the install target in Makefile and doing them yourself.
> Or if you figure out what I should have done to fix my Makefile let
> me know. :)

Simply s/m644/m 644/ made it work, but as you note it doesn't make the
host_key for you.

> 8. /usr/local/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N ''

I thought the whole idea of '--prefix=/usr/local' was to have everything
under /usr/local? Why it still wants to find it there

> 9. /usr/local/sbin/sshd
>
>SunOS bombadil 5.6 Generic_105181-15 sun4u sparc SUNW,UltraSPARC-IIi-Engine

After much fiddling, I find it still won't process /etc/default/login at
login, leaving the environment different from a standard login. I'm going
back to ssh-1.2.27.

-- 
Mark Powell - UNIX System Administrator - Clifford Whitworth Building
A.I.S., University of Salford, Salford, Manchester, UK.
Tel: +44 161 295 5936 Fax: +44 161 295 5888 www.pgp.com for PGP key
M.S.Powell at ais.salfrd.ac.uk (spell salford correctly to reply to me)
From oetiker at ee.ethz.ch Tue Dec 7 10:41:29 1999
From: oetiker at ee.ethz.ch (Tobias Oetiker)
Date: Tue, 7 Dec 1999 00:41:29 +0100 (MET)
Subject: [openssh] Re: Pam errors in Solaris
In-Reply-To: <19991206215900.09D644002@bb.vitnet.com.sg>
Message-ID:

Yesterday you sent me mail regarding [openssh] Re: Pam errors in Solaris:

*>
*> regarding the segfault that shows up when calling
*> pam_open_session in sshd under solaris--
*>
*> In the dec 1 Solaris 7 patch report update, there is one mention
*> of pam:
*>
*> Patch-ID# 107285-01
*> Synopsis: SunOS 5.7: passwd & pam_unix.so.1 patch
*> BugId's fixed with this patch: 4172457
*> Changes incorporated in this version:
*> Date: Aug/17/99

this is from the bug report:

Customer who is running in 2.6 and is attempting to change login
shell to tcsh without /etc/shells. ( used "passwd -e")
Then, they could change login shell.
In 2.5, they couldn't change login shell without /etc/shells.

I don't think it is the same ... issue ...

have you seen any working PAM code for solaris ?

cheers
tobi

-- 
 ______    __   _
/_  __/_  / /  (_) Oetiker, Timelord & SysMgr @ EE-Dept ETH-Zurich
 / // _ \/ _ \/ /  TEL: +41(0)1-6325286  FAX:...1517  ICQ: 10419518
/_/ \.__/_.__/_/  oetiker at ee.ethz.ch http://ee-staff.ethz.ch/~oetiker
From bent at CLARK.net Tue Dec 7 10:44:07 1999
From: bent at CLARK.net (Ben Taylor)
Date: Mon, 6 Dec 1999 18:44:07 -0500 (EST)
Subject: Pam errors in Solaris
In-Reply-To: <19991206215900.09D644002@bb.vitnet.com.sg>
Message-ID:

On Mon, 6 Dec 1999, David Agraz wrote:

>
> regarding the segfault that shows up when calling
> pam_open_session in sshd under solaris--

The segfault is related to the fact that PAM_TTY was not set by
pam_set_attr, which for some reason, Solaris expects to be set.

I have a patch which causes the segfault to go away, but have had
worse success getting a working shell. There is a controlling terminal
issue, which I haven't gotten my hands around.

Ben

>
> In the dec 1 Solaris 7 patch report update, there is one mention
> of pam:
>
> Patch-ID# 107285-01
> Synopsis: SunOS 5.7: passwd & pam_unix.so.1 patch
> BugId's fixed with this patch: 4172457
> Changes incorporated in this version:
> Date: Aug/17/99
>
> but it doesn't seem to be freely available -- when looking
> for the file to download, sun tells us:
>
> The document or patch you are attempting to access is available to
> contract customers only. You can obtain the patch from your local
> Solution Center. North American customers can call 1-800-USA-4SUN.
>
> I also didn't have much luck finding out just what bugid 4172457
> is, so I'm afraid I can't even tell if it's relevant. Has anyone
> access to this patch, and if so how has running sshd gone?
>
> thanks,
>
> David Agraz
>
>
> _____________________________________________________
> Sent by Jahoopa Free Email!
> Find us on the web at http://www.jahoopa.com
> Join today!
>
>
From lists at anomie.dhis.net Tue Dec 7 11:04:14 1999
From: lists at anomie.dhis.net (Brad)
Date: Mon, 6 Dec 1999 18:04:14 -0600
Subject: ssh/openssh and X authentication
Message-ID: <19991206180413.B19907@anomie.dhis.net>

On 1999-11-29 at 15:29:37, Nigel Metheringham wrote:
> I've currently got a couple of boxes which obtain their IP address via
> DHCP, and as a consequence do not have a mapping in /etc/hosts for
> their own IP/name... but helpfully (!) they have their name mapping to
> 127.0.0.1

i have a similar setup here, except with names mapping to 0.0.0.0; i
forget why, but mapping to 127.0.0.1 didn't work well for me for some
reason. Probably i did something wrong.

> This breaks X authentication... - openssh (and also ssh) makes an
> apparently valid xauth entry, but all attempts to start clients gives
> "X11 connection rejected because of wrong authentication." Hacking the
> DISPLAY & xauth entries to use the real IP address of the box, or even
> 127.0.0.2 works fine, so it appears that something (maybe outside ssh)
> is special casing 127.0.0.1

I think it's X itself, using unix domain sockets to connect to the
localhost. opensshd only puts an internet domain entry in the xauth
file. I managed to solve it on my system by having sshd do a second
xauth with "/unix" inserted just before the ':' in the display variable
in sshd.c. I've filed more information in the Debian GNU/Linux bug
tracking database, at .

I'm not subscribed to openssh-unix-dev, so CCs of replies would be
welcome.

-- 
finger for GPG public key.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991206/b5ebc680/attachment.bin
From djm at mindrot.org Tue Dec 7 14:34:20 1999
From: djm at mindrot.org (Damien Miller)
Date: Tue, 7 Dec 1999 14:34:20 +1100 (EST)
Subject: OpenSSH-1.12pre15: PATCH: packages/redhat/sshd.init
In-Reply-To: <19991205232817.F12383@quipu.earth>
Message-ID:

On Sun, 5 Dec 1999, Jim Knoble wrote:

> The ChangeLog indicates:
>
> 19991113
> [...]
> - Revised Redhat initscript to fix bug: sshd (re)start would fail
> if executed from inside a ssh login.
>
> Unfortunately, the changes made to the init script make it no longer
> work on a Red Hat Linux 4.x or 5.x system, which doesn't use the
> `success' or `failure' functions available in Red Hat Linux 6.x.
>
> The attached patch enables the script to work in either environment by
> checking for the existence of the `success' shell function.

Applied.

Thanks,
Damien Miller

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
From djm at mindrot.org Tue Dec 7 14:37:09 1999
From: djm at mindrot.org (Damien Miller)
Date: Tue, 7 Dec 1999 14:37:09 +1100 (EST)
Subject: OpenSSH-1.12pre15: fun with ulimit
In-Reply-To: <19991205234337.H12383@quipu.earth>
Message-ID:

On Sun, 5 Dec 1999, Jim Knoble wrote:

> Since upgrading from pre11 (aack, that was old!) to pre15, i get the
> following message when logging in via ssh to a box with the OpenSSH
> server running:
>
> ulimit: cannot raise limit: Operation not permitted
>
> I've traced this to the following command in /etc/profile:
>
> ulimit -c 1000000
>
> It seems as if sshd is turning off core dumps for the shell session it
> spawns. Any idea what change caused this, and whether this particular
> effect is reversible without compromising security? A cursory
> examination of the ChangeLog wasn't particularly revealing to me.

Are you sure that it is not PAM which is setting the limit? A quick
grepping through the code shows that ssh will set the limit, but sshd
does not.

Damien

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
From damien at ibs.com.au Tue Dec 7 14:55:43 1999
From: damien at ibs.com.au (Damien Miller)
Date: Tue, 07 Dec 1999 14:55:43 +1100
Subject: Serious Bug Report: OpenSSH
References:
Message-ID: <384C853F.36613E38@ibs.com.au>

Adrian Baugh wrote:
>
> Hi,
> I'm using the Linux port of OpenSSH 1.2-pre15.
> One of my users complained of not being able to log in using password
> authentication but being able to log in okay using RSA authentication.
> I set up the server in debug mode and got the following for RSA
> authentication (usernames, machine names and IPs obfuscated):

I think I have found the problem here. Does this patch help?

Damien
-------------- next part --------------
Index: sshd.c =================================================================== RCS file: /var/cvs/openssh/sshd.c,v retrieving revision 1.33 diff -u -r1.33 sshd.c --- sshd.c 1999/12/04 09:24:48 1.33 +++ sshd.c 1999/12/07 03:55:18
@@ -1551,24 +1551,41 @@ get_remote_port(), user); -#ifdef HAVE_LIBPAM - do_pam_account_and_session(pw->pw_name, client_user); +#ifndef HAVE_LIBPAM + if (authenticated) + return; - /* Clean up */ - if (client_user != NULL) - xfree(client_user); + if (attempt > AUTH_FAIL_MAX) + packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); +#else /* HAVE_LIBPAM */ + if (authenticated) { + do_pam_account_and_session(pw->pw_name, client_user); - if (password != NULL) { - memset(password, 0, strlen(password)); - xfree(password); - } -#endif /* HAVE_LIBPAM */ + /* Clean up */ + if (client_user != NULL) + xfree(client_user); - if (authenticated) + if (password != NULL) { + memset(password, 0, strlen(password)); + xfree(password); + } + return; + } - if (attempt > AUTH_FAIL_MAX) + if (attempt > AUTH_FAIL_MAX) { + /* Clean up */ + if (client_user != NULL) + xfree(client_user); + + if (password != NULL) { + memset(password, 0, strlen(password)); + xfree(password); + } + packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); + } +#endif /* HAVE_LIBPAM */ /* Send a message indicating that the authentication attempt failed. */ packet_start(SSH_SMSG_FAILURE); From jmknoble at pobox.com Tue Dec 7 14:59:45 1999 
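Review bot: in the HAVE_LIBPAM branch of this hunk the cleanup block (xfree of client_user, memset and xfree of password) is now copied verbatim into both the `if (authenticated)` return and the `attempt > AUTH_FAIL_MAX` disconnect, while the `#ifndef HAVE_LIBPAM` branch never zeroes or frees password at all before its return or packet_disconnect(). Hoist the cleanup above the `#ifdef` so both builds run it once on either exit and the two copies can go. Calling do_pam_account_and_session() only once authenticated is true is the right fix for the repeated-call problem in Adrian's report.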
From: jmknoble at pobox.com (Jim Knoble)
Date: Mon, 6 Dec 1999 22:59:45 -0500
Subject: OpenSSH-1.12pre15: fun with ulimit
In-Reply-To: ; from Damien Miller on Tue, Dec 07, 1999 at 02:37:09PM +1100
References: <19991205234337.H12383@quipu.earth>
Message-ID: <19991206225944.A698@quipu.earth>

[Smacks head.] Of course. Adding an appropriate entry in
/etc/security/limits.conf made the message go away.

[Crawls back in hole.]

-- 
jim knoble
jmknoble at pobox.com

På 1999-Dec-07 klokka 14:37:09 +1100 skrivet Damien Miller:

: > It seems as if sshd is turning off core dumps for the shell session it
: > spawns. Any idea what change caused this, and whether this particular
: > effect is reversible without compromising security? A cursory
: > examination of the ChangeLog wasn't particularly revealing to me.
:
: Are you sure that it is not PAM which is setting the limit? A quick
: grepping through the code shows that ssh will set the limit, but sshd
: does not.
From djm at mindrot.org Tue Dec 7 17:15:26 1999
From: djm at mindrot.org (Damien Miller)
Date: Tue, 7 Dec 1999 17:15:26 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2pre16
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just uploaded openssh-1.2pre16 to:

http://violet.ibs.com.au/openssh

This is mainly a bugfix release, it should fix some of the recurrent
compile problems that have been reported to the mailing list and to me
(the __P() stuff on Solaris for example).

Full changelog:

19991207
 - sshd Redhat init script patch from Jim Knoble fixes compatibility
   with 4.x and 5.x
 - Fixed default SSH_ASKPASS
 - Fix PAM account and session being called multiple times. Problem
   reported by Adrian Baugh
 - Merged more OpenBSD changes:
   - [atomicio.c authfd.c scp.c serverloop.c ssh.h sshconnect.c sshd.c]
     move atomicio into its own file. wrap all socket write()s which
     were doing write(sock, buf, len) != len, with atomicio() calls.
   - [auth-skey.c]
     fd leak
   - [authfile.c]
     properly name fd variable
   - [channels.c]
     display great hatred towards strcpy
   - [pty.c pty.h sshd.c]
     use openpty() if it exists (it does on BSD4_4)
   - [tildexpand.c]
     check for ~ expansion past MAXPATHLEN
 - Modified helper.c to use new atomicio function.
 - Reformat Makefile a little
 - Moved RC4 routines from rc4.[ch] into helper.c
 - Added autoconf code to detect /dev/ptmx (Solaris) and /dev/ptc (AIX)
 - Updated SuSE spec from Chris Saia
 - Tweaked Redhat spec
 - Clean up bad imports of a few files (forgot -kb)
 - Released 1.2pre16

19991204
 - Small cleanup of PAM code in sshd.c
 - Merged OpenBSD CVS changes:
   - [auth-krb4.c auth-passwd.c auth-skey.c ssh.h]
     move skey-auth from auth-passwd.c to auth-skey.c, same for krb4
   - [auth-rsa.c]
     warn only about mismatch if key is _used_
     warn about keysize-mismatch with log() not error()
     channels.c readconf.c readconf.h ssh.c ssh.h sshconnect.c
     ports are u_short
   - [hostfile.c]
     indent, shorter warning
   - [nchan.c]
     use error() for internal errors
   - [packet.c]
     set loglevel for SSH_MSG_DISCONNECT to log(), not fatal()
     serverloop.c indent
   - [ssh-add.1 ssh-add.c ssh.h]
     document $SSH_ASKPASS, reasonable default
   - [ssh.1]
     CheckHostIP is not available for connects via proxy command
   - [sshconnect.c]
     typo
     easier to read client code for passwd and skey auth
     turn off checkhostip for proxy connects, since we don't know the remote ip

19991126
 - Add definition for __P()
 - Added [v]snprintf() replacement for systems that lack it

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4TKYDormJ9RG1dI8RAqoDAKDdw827US1rdDJU5+vCXYzveP/3ZQCg0YBD
3CbGkXzaSlw1ptPYmlJPETg=
=KlmZ
-----END PGP SIGNATURE-----
From bent at shell.clark.net Wed Dec 8 02:25:54 1999
From: bent at shell.clark.net (Ben Taylor)
Date: Tue, 7 Dec 1999 10:25:54 -0500 (EST)
Subject: Serious Bug Report: OpenSSH
In-Reply-To: <384C853F.36613E38@ibs.com.au>
Message-ID:

On Tue, 7 Dec 1999, Damien Miller wrote:

Actually, while debugging another problem, I realized that the
do_pam_accounting_and_session was getting called multiple times
until the authorization finally succeeded. Since I'm in the middle
of a work around for the PAM bug in Solaris, and have split functionality
for do_pam_account and do_pam_session, I was able to move the code
to call do_pam_account into the segment [ if (authenticated) { return; } ]
around line 1277 in sshd.c. The effect is that do_pam_account is called
only after the user has been authenticated.

Does this make sense? I didn't think that calling do_pam_account_and_session
several times until the authentication had taken place made sense.

I've got patches for Solaris in the works to use PTMX, utmpx instead of
utmp, and a fix to the PAM library to prevent the segfault. It all
works and I'm in the middle of cleaning up the patch. Solaris for
some reason ends up printing MOTD twice, but I think I can just
turn off MOTD in the config file.

Ben

From helm at fionn.es.net Wed Dec 8 04:26:38 1999
From: helm at fionn.es.net (Michael Helm)
Date: Tue, 07 Dec 1999 09:26:38 -0800
Subject: Serious Bug Report: OpenSSH
In-Reply-To: Your message of "Tue, 07 Dec 1999 10:25:54 EST."
Message-ID: <199912071726.JAA02312@fionn.es.net>

Ben Taylor writes:
> works and I'm in the middle of cleaning up the patch. Solaris for
> some reason ends up printing MOTD twice, but I think I can just
> turn off MOTD in the config file.

That's what we've done in ssh-1.2.x on solaris; in sshd_config:

PrintMotd no

/bin/login executes /etc/profile or /etc/.login, depending on your
default shell, before your account's own shell startup files. By
default those scripts cat /etc/motd.
From djm at mindrot.org Wed Dec 8 08:42:54 1999
From: djm at mindrot.org (Damien Miller)
Date: Wed, 8 Dec 1999 08:42:54 +1100 (EST)
Subject: Serious Bug Report: OpenSSH
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 7 Dec 1999, Ben Taylor wrote:

> On Tue, 7 Dec 1999, Damien Miller wrote:
>
> Actually, while debugging another problem, I realized that the
> do_pam_accounting_and_session was getting called multiple times
> until the authorization finally succeeded. Since I'm in the middle
> of a work around for the PAM bug in Solaris, and have split functionality
> for do_pam_account and do_pam_session, I was able to move the code
> to call do_pam_account into the segment [ if (authenticated) { return; } ]
> around line 1277 in sshd.c. The effect is that do_pam_account is called
> only after the user has been authenticated.

Yes, this is exactly what I did in 1.2pre16.

> I've got patches for Solaris in the works to use PTMX, utmpx instead of
> utmp, and a fix to the PAM library to prevent the segfault. It all
> works and I'm in the middle of cleaning up the patch. Solaris for
> some reason ends up printing MOTD twice, but I think I can just
> turn off MOTD in the config file.

1.2pre16 detects and uses PTMX, can you test this? utmpx support would
be nice.

Thanks,
Damien

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4TX9kormJ9RG1dI8RAt5FAJ9CynT0xrvzdIt22+MEqm2Wvo7ofwCgtJll
TUBgjmuq9mtLTgPtQ6vfXrA=
=iLg7
-----END PGP SIGNATURE-----
From damien at ibs.com.au Wed Dec 8 08:52:20 1999
From: damien at ibs.com.au (Damien Miller)
Date: Wed, 08 Dec 1999 08:52:20 +1100
Subject: [Fwd: openssh-1.2pre16 on solaris 7 (pty.c)]
Message-ID: <384D8194.D3D0964A@ibs.com.au>

This should fix a compile problem in 1.2pre16 for Solaris.
-------------- next part --------------
An embedded message was scrubbed...
From: "David Agraz"
Subject: openssh-1.2pre16 on solaris 7 (pty.c)
Date: Tue, 7 Dec 1999 13:30:42 CST
Size: 1616
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991208/d0fb110b/attachment.mht

From provos at citi.umich.edu Wed Dec 8 09:03:35 1999
From: provos at citi.umich.edu (Niels Provos)
Date: Tue, 07 Dec 1999 17:03:35 -0500
Subject: confusion over RSAref vul w/OpenSS[HL]
In-Reply-To: Chris Saia, 04 Dec 1999 19:53:23 EST
Message-ID: <19991207220518.4035126EF0@toad.mindrot.org>

In message , Chris Saia writes:
>That message is nice and detailed, except it lacks an actual patch.
>The link points to OpenBSD library fixes, but they're not terribly
>useful if you don't run OpenBSD. :)

The Bugtraq posting contained the relevant patches, have a look at
http://www.securityfocus.com/templates/advisory.html?id=1892.
The patches are only against RSAREF2, nothing else needs fixing.

Niels.
From djm at mindrot.org Wed Dec 8 10:17:02 1999
From: djm at mindrot.org (Damien Miller)
Date: Wed, 8 Dec 1999 10:17:02 +1100 (EST)
Subject: Bug in logout
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

sshd will not return until after all backgrounded jobs are completed.

To replicate:

[damien at neon damien]$ ssh damien at localhost
Last login: Tue Dec 7 16:40:40 1999 from localhost.localdomain
 10:14am up 17:36, 7 users, load average: 0.00, 0.04, 0.06
[damien at neon damien]$ sleep 20 &
[damien at neon damien]$ logout

ssh will stall for ~20 seconds.

Should sshd send a HUP signal to its child process on logout?

Regards,
Damien

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4TZV4ormJ9RG1dI8RAqOrAJ9oLcE4PIGS9iY8CW86TNDBv5W+NQCfXx2J
BKlONhMmJ13JXZL9NzTxkd4=
=23bx
-----END PGP SIGNATURE-----
From marclee at mgmt.utoronto.ca Wed Dec 8 16:53:44 1999
From: marclee at mgmt.utoronto.ca (Marcus Lee)
Date: Wed, 8 Dec 1999 00:53:44 -0500
Subject: apparent fix for Solaris 7 compilation problems
Message-ID: <19991208005344.A31021@mgmt.utoronto.ca>

Hi everyone, I'm new to the list...

I was just assigned an Ultra60 with Solaris 7 to setup and tried to
compile openssh-1.2pre16 with...

"./configure --with-tcp-wrappers --with-egd-pool=/dev/entropy; make;"

And here's where the compilation process failed...

---------------------------------------------------------------------
gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c pty.c -o pty.o
pty.c: In function `pty_allocate':
pty.c:115: `I_PUSH' undeclared (first use in this function)
pty.c:115: (Each undeclared identifier is reported only once
pty.c:115: for each function it appears in.)
make: *** [pty.o] Error 1
---------------------------------------------------------------------

And here's the fix...

In "includes.h", I added the following line:

#include

After doing this, 'make' works (except for a few warning messages)...
and openssh seems to be working (I'm using it now).

I hope this helps.

marc

-- 
Marcus Lee marclee at mgmt.utoronto.ca
Rotman School of Management, University of Toronto
[check http://mgmt.utoronto.ca/~marclee/ for my PGP Public Key]

From drankin at bohemians.lexington.ky.us Thu Dec 9 05:38:02 1999
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Wed, 8 Dec 1999 13:38:02 -0500
Subject: Patches to help pre16 run on NetBSD
Message-ID: <19991208133801.A6483@rumpole.bohemians.lexington.ky.us>

-lwrap on NetBSD doesn't like not having some of its global variables
defined, so linking it to anything but sshd is bad. This patch fixes
Makefile.in and configure/configure.in to make this work.

Thanks,
David

--- configure.orig Tue Dec 7 01:10:51 1999 +++ configure Wed Dec 8 12:46:12 1999
@@ -2242,7 +2242,7 @@ #define LIBWRAP 1 EOF - LIBS="$LIBS -lwrap" + LIBWRAP="-lwrap" fi @@ -2377,6 +2377,7 @@ s%@DEFS@%$DEFS%g s%@LDFLAGS@%$LDFLAGS%g s%@LIBS@%$LIBS%g +s%@LIBWRAP@%$LIBWRAP%g s%@exec_prefix@%$exec_prefix%g s%@prefix@%$prefix%g s%@program_transform_name@%$program_transform_name%g --- Makefile.in.orig Wed Dec 8 12:34:45 1999 +++ Makefile.in Wed Dec 8 12:35:16 1999 @@ -15,6 +15,7 @@ EXTRA_TARGETS=@GNOME_ASKPASS@ TARGETS=libssh.a ssh sshd ssh-add ssh-keygen ssh-agent scp $(EXTRA_TARGETS) LIBS=@LIBS@ +LIBWRAP=@LIBWRAP@ AR=@AR@ RANLIB=@RANLIB@ INSTALL=@INSTALL@ @@ -48,7 +49,7 @@ sshd: sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \ pty.o log-server.o login.o servconf.o serverloop.o bsd-login.o \ md5crypt.o libssh.a - $(CC) -o $@ $^ $(LFLAGS) $(LIBS) + $(CC) -o $@ $^ $(LFLAGS) $(LIBS) $(LIBWRAP) scp: scp.o libssh.a $(CC) -o $@ $^ $(LFLAGS) $(LIBS) --- configure.in.orig Wed Dec 8 12:53:00 1999 +++ configure.in Wed Dec 8 13:34:51 1999 @@ -269,9 +269,10 @@ [ --with-tcp-wrappers Enable tcpwrappers support], [ AC_DEFINE(LIBWRAP) - LIBS="$LIBS -lwrap" + LIBWRAP="-lwrap" ] ) +AC_SUBST(LIBWRAP) dnl Check whether to enable MD5 passwords AC_ARG_WITH(md5-passwords, From Peter.Losher at iengines.com Thu Dec 9 10:55:01 1999 From: Peter.Losher at iengines.com (Peter Losher) Date: Wed, 8 Dec 1999 15:55:01 -0800 (PST) Subject: OpenSSH and Kerberos V support... In-Reply-To: <3845BAE6.716AAAF4@ibs.com.au> Message-ID: > I have received a patch (attached) which adds Kerberos V support to > OpenSSH. I recall some discussion about KRBV support on the list > previously; it was mentioned that there was a problem in providing it > in a manner compatible with the current KRBIV support. Any status of these patches being implemented in the source tree yet? Thanks - Peter From damien at ibs.com.au Thu Dec 9 11:08:45 1999 
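Review bot: on David Rankin's libwrap patch above, the `configure` hunk (the `-2242,7` and `-2377,6` regions) edits a generated file and will be thrown away the next time autoconf is run from configure.in, so the configure.in and Makefile.in hunks are the real change; either drop the configure hunk and regenerate, or say in the submission which autoconf version produced it so the maintainer can reproduce the same output. The `AC_SUBST(LIBWRAP)` placed after the `AC_ARG_WITH` closing paren is right: it runs whether or not --with-tcp-wrappers is given, so `@LIBWRAP@` expands to empty on builds without wrappers and the `$(LIBS) $(LIBWRAP)` link line for sshd stays correct in both cases.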
From: damien at ibs.com.au (Damien Miller)
Date: Thu, 09 Dec 1999 11:08:45 +1100
Subject: OpenSSH and Kerberos V support...
References:
Message-ID: <384EF30D.F7E08AEB@ibs.com.au>

Peter Losher wrote:
>
> > I have received a patch (attached) which adds Kerberos V support to
> > OpenSSH. I recall some discussion about KRBV support on the list
> > previously; it was mentioned that there was a problem in providing it
> > in a manner compatible with the current KRBIV support.
>
> Any status of these patches being implemented in the source tree yet?

Unfortunately no. There were questions regarding the exportability of
the patches (they were written in the USA) and the author eventually
withdrew them.

Regards,
Damien Miller
From djm at mindrot.org Thu Dec 9 11:07:33 1999
From: djm at mindrot.org (Damien Miller)
Date: Thu, 9 Dec 1999 11:07:33 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2pre17
Message-ID: 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just uploaded 1.2pre17 to:

http://violet.ibs.com.au/openssh

This release mainly consists of improved Solaris and PAM support
(thanks to Ben Taylor). It should fix the PAM problems that have been
reported on Solaris. It would be appreciated if Solaris users bang on
this to test it as much as possible.

Changelog:

19991209
 - Import of patch from Ben Taylor:
   - Improved PAM support
   - "uninstall" rule for Makefile
   - utmpx support
   - Should fix PAM problems on Solaris
 - OpenBSD CVS updates:
   - [readpass.c]
     avoid stdio; based on work by markus, millert, and I
   - [sshd.c]
     make sure the client selects a supported cipher
   - [sshd.c]
     fix sighup handling. accept would just restart and daemon handled
     sighup only after the next connection was accepted. use poll on
     listen sock now.
   - [sshd.c]
     make that a fatal
 - Applied patch from David Rankin to fix libwrap support on NetBSD
 - Released 1.2pre17

19991208
 - Compile fix for Solaris with /dev/ptmx from David Agraz

- -- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4TvLQormJ9RG1dI8RAmK5AJ9LLZs/h+fHwNewtaj5bMkph2Fz4wCfah1S
/hE3z4XTQseF6ocud2viHzI=
=SdGh
-----END PGP SIGNATURE-----

From dugsong at monkey.org Thu Dec 9 11:18:05 1999
From: dugsong at monkey.org (Dug Song) Date: Wed, 8 Dec 1999 19:18:05 -0500 (EST) Subject: OpenSSH and Kerberos V support... In-Reply-To: <384EF30D.F7E08AEB@ibs.com.au> Message-ID: On Thu, 9 Dec 1999, Damien Miller wrote: > There were questions regarding the exportability of the patches (they > were written in the USA) and the author eventually withdrew them. that's funny - Tatu Ylonen managed to merge, and then redistribute Glenn Machin's patch just fine for ssh-1.2.2x... an earlier, license-unencumbered patch was already posted to this list, in case a non-US programmer wants to give it a stab. Bjoern Groenvall expressed some interest in doing this some time ago (for ossh, which was the basis for OpenSSH)... -d. --- http://www.monkey.org/~dugsong/ From nkbj at image.dk Thu Dec 9 16:57:08 1999 From: nkbj at image.dk (Niels Kristian Bech Jensen) Date: Thu, 9 Dec 1999 06:57:08 +0100 (CET) Subject: [PATCH] Fixing a couple of small problems in Makefile.in (1.2pre17). Message-ID: Hi, This patch fixes a couple of small ``problems'' in 1.2pre17 Makefile.in: 1. Avoid making an empty $(libexecdir)/ssh directory. 2. Don't try to uninstall $(mandir)/man1/slogin.1 twice. --- openssh-1.2pre17/Makefile.in~ Thu Dec 9 00:48:58 1999 +++ openssh-1.2pre17/Makefile.in Thu Dec 9 06:51:41 1999 @@ -92,9 +92,9 @@ -rm -f $(mandir)/man1/slogin.1 ln -s ssh.1 $(mandir)/man1/slogin.1 - $(INSTALL) -d $(libexecdir) ; - $(INSTALL) -d $(libexecdir)/ssh ; if [ ! -z "@GNOME_ASKPASS@" ] ; then \ + $(INSTALL) -d $(libexecdir) ; \ + $(INSTALL) -d $(libexecdir)/ssh ; \ $(INSTALL) -s @GNOME_ASKPASS@ ${ASKPASS_PROGRAM} ; \ fi 
@@ -129,7 +129,6 @@ -rm -f $(mandir)/man1/ssh-keygen.1 -rm -f $(mandir)/man8/sshd.8 -rm -f $(bindir)/slogin - -rm -f $(mandir)/man1/slogin.1 -rm -f $(mandir)/man1/slogin.1 -rm -f ${ASKPASS_PROGRAM} -rmdir $(libexecdir)/ssh ; -- Niels Kristian Bech Jensen -- nkbj at image.dk -- http://www.image.dk/~nkbj/ ----------->> Stop software piracy --- use free software! <<----------- From gordonr at gormand.com.au Thu Dec 9 17:41:37 1999 From: gordonr at gormand.com.au (Gordon Rowell) Date: Thu, 9 Dec 1999 17:41:37 +1100 (EST) Subject: Minor patches to openssh-1.2pre17 for Solaris Message-ID: Almost worked first time (Solaris 2.7, gcc-2.95.2). Well done. perl -i -p -e 's/-m644/-m 644/' Makefile.in Also, it would be nice to be able to set up LFLAGS somehow, to provide the following: LFLAGS=-R/usr/local/lib YMMV with the path. That way the executables will run without setting LD_LIBRARY_PATH. I can't see where to tweak this in the configure setup at the moment - I'll keep looking. Gordon -- Gordon Rowell Email: Gordon.Rowell at gormand.com.au Gormand Pty Ltd (ACN 067 684 548) http://www.gormand.com.au P.O. Box 239 St Pauls NSW 2031 Mobile: +61 (0418) 467 366 /* What a pile of australian legislature. */ - Alan Cox From jmknoble at pobox.com Thu Dec 9 19:59:48 1999 
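Review bot: in the install hunk, moving both `$(INSTALL) -d` lines inside the `if [ ! -z "@GNOME_ASKPASS@" ]` block means $(libexecdir) and $(libexecdir)/ssh are no longer created at all on a build without the GNOME askpass, so any later rule that installs something under $(libexecdir)/ssh has to create the directory itself; that is fine for the tree as it stands, but a one-line comment in Makefile.in explaining why the mkdir is conditional would stop the next person from moving it back out. The uninstall hunk just drops the duplicated `-rm -f $(mandir)/man1/slogin.1`, which is correct; note that `-rmdir $(libexecdir)/ssh` in the same rule still runs unconditionally, which is harmless only because of the leading `-`.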
From: jmknoble at pobox.com (Jim Knoble) Date: Thu, 9 Dec 1999 03:59:48 -0500 Subject: OpenSSH-1.12pre17: PATCH: Red Hat PAM limits Message-ID: <19991209035948.A5862@quipu.earth> With the sshd in recent releases of OpenSSH, some Red Hat Linux systems complain about ulimit trying to raise a limit when logging in via ssh. The problem is that packages/redhat/sshd.pam doesn't do limit checking for an sshd session. The attached patch adds the pam_limits module to the sshd session, which checks for limits set in /etc/security/limits.conf. This works on Red Hat Linux 5.2 (pam-0.64-4) in the following scenarios: - pam_limits included in /etc/pam.d/sshd, but /etc/security/limits.conf does not exist. Sshd allows login with default limits (core limit ends up being 0). No difference from not having pam_limits at all. - pam_limits included, with default /etc/security/limits.conf. The default limits.conf is populated entirely by comments and blank lines. Same as limits.conf not existing, above. - pam_limits included, and /etc/security/limits.conf contains uncommented items similar to the following: user hard core 1000000 @group hard core 1000000 Works on Red Hat Linux 5.2, *and* the ulimit command from /etc/profile executes successfully and without complaint. NOTE: Red Hat Linux 6.x's PAM configuration is liable to be anywhere from slightly to radically different. Anyone who knows or discovers that this patch works under 6.x should please speak up. Likewise if it breaks. -- jim knoble jmknoble at pobox.com -------------- next part -------------- --- ./packages/redhat/sshd.pam.orig-limits Mon Nov 22 18:11:29 1999 +++ ./packages/redhat/sshd.pam Wed Dec 8 23:17:34 1999 @@ -5,3 +5,4 @@ password required /lib/security/pam_cracklib.so password required /lib/security/pam_pwdb.so shadow nullok use_authtok session required /lib/security/pam_pwdb.so +session required /lib/security/pam_limits.so From loki at ltnx.com Thu Dec 9 20:31:25 1999 
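Review bot: the new `session required /lib/security/pam_limits.so` line is placed after pam_pwdb's session entry, which is the right phase (limits can only be applied once the user is known and the session is being opened), but like the other entries in this file it hard-codes the /lib/security module path, so the patch is tied to the Red Hat 5.2 layout the message says it was tested on. The commit message should record the PAM version (pam-0.64-4 per the message) and the three limits.conf scenarios that were exercised, and a `#` comment above the line pointing at /etc/security/limits.conf would help an admin who suddenly sees different ulimit behaviour over ssh than at the console.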
From: loki at ltnx.com (ET)
Date: Thu, 9 Dec 1999 10:31:25 +0100
Subject: solaris 2.5.1 still no good
Message-ID: <000501bf4228$2be5aaa0$d23d020a@tardieu-e.clients.cpr.fr>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi folks,

Here's what I get under solaris 2.5.1 (sparc) with gcc-2.95.2 and
gnumake 3.78-something :

bsd-snprintf.c: In function `msetup':
bsd-snprintf.c:67: warning: implicit declaration of function `getpagesize'
bsd-snprintf.c:72: `x' undeclared (first use in this function)
bsd-snprintf.c:72: (Each undeclared identifier is reported only once
bsd-snprintf.c:72: for each function it appears in.)
bsd-snprintf.c:72: `y' undeclared (first use in this function)
bsd-snprintf.c:72: warning: left-hand operand of comma expression has no effect
bsd-snprintf.c: In function `snprintf':
bsd-snprintf.c:123: warning: implicit declaration of function `vsnprintf'
bsd-snprintf.c: In function `vsnprintf':
bsd-snprintf.c:138: warning: variable `ret' might be clobbered by `longjmp' or `vfork'
bsd-snprintf.c: At top level:
bsd-snprintf.c:52: warning: `caught' defined but not used
gmake: *** [bsd-snprintf.o] Error 1

I can't find getpagesize() in /usr/include, nor can I find vsnprintf()
or snprintf()

Sorry for using such an old OS ;-)

E.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use

iQA/AwUBOE9o3VJaPnfBnbH/EQLghwCgtpZ/jqRz6nBOfy4q0ZKlntZS9jQAn0Bs
OqmxmtsgU17QHgU/e/x7Rni7
=Xq6G
-----END PGP SIGNATURE-----

From the_h1ghlander at yahoo.com Thu Dec 9 23:49:39 1999
From: the_h1ghlander at yahoo.com (Ben Taylor)
Date: Thu, 9 Dec 1999 04:49:39 -0800 (PST)
Subject: Minor patches to openssh-1.2pre17 for Solaris
Message-ID: <19991209124939.8703.qmail@web216.mail.yahoo.com>

--- Gordon Rowell wrote:
> Almost worked first time (Solaris 2.7, gcc-2.95.2).
> Well done.
> 
> perl -i -p -e 's/-m644/-m 644/' Makefile.in
> 
> Also, it would be nice to be able to set up LFLAGS
> somehow, to provide the
> following:
> 
> LFLAGS=-R/usr/local/lib

typically what I do is an

"env LFLAGS="-R/usr/local/lib -R/usr/local/ssl/lib -L/usr/local/lib" CFLAGS="-I/usr/local/ssl/include" ./configure ..."

and it sets up fine without any intervention. However, I agree that it
should automatically setup the path for the libraries. It drove me
crazy trying to find that whole setup line the last time I had to
build.

> YMMV with the path. That way the executables will run without setting
> LD_LIBRARY_PATH. I can't see where to tweak this in
> the configure setup at the moment - I'll keep looking.
> 
> Gordon

Ben
bent at clark.net

__________________________________________________
Do You Yahoo!?
Thousands of Stores. Millions of Products. All in one place.
Yahoo! Shopping: http://shopping.yahoo.com

From mfisk at lanl.gov Fri Dec 10 03:19:57 1999
From: mfisk at lanl.gov (Mike Fisk)
Date: Thu, 9 Dec 1999 16:19:57 +0000 (GMT)
Subject: OpenSSH and Kerberos V support...
In-Reply-To: 
Message-ID: 

On Wed, 8 Dec 1999, Dug Song wrote:

> On Thu, 9 Dec 1999, Damien Miller wrote:
> 
> > There were questions regarding the exportability of the patches (they
> > were written in the USA) and the author eventually withdrew them.
> 
> that's funny - Tatu Ylonen managed to merge, and then redistribute Glenn
> Machin's patch just fine for ssh-1.2.2x...

We're consulting with our lawyers about the legality of exporting a
U.S. patch to add K5 support. Given that, I don't expect an answer
right away.

=====================================================================
Mike Fisk                   | (505)667-5119 | MS B255
Network Engineering (CIC-5) |               | Los Alamos National Lab
mfisk at lanl.gov            | FAX: 665-7793 | Los Alamos, NM 87545

From mark.baushke at solipsa.com Fri Dec 10 04:35:27 1999
From: mark.baushke at solipsa.com (Mark D. Baushke) Date: Thu, 09 Dec 1999 09:35:27 -0800 Subject: openssh-1.2pre16 patch to pty.c for Solaris 2.6 Message-ID: <199912091735.JAA08021@mozart.solipsa.com> Greetings, While attempting to build openssh for Solaris 2.6, I ran into a minor problem that should probably be corrected in the next release of openssh. The file pty.c does not #include to define I_PUSH even though I_PUSH is used when HAVE_DEV_PTMX is defined. Platform: SunOS test01 5.6 Generic_105181-16 sun4u sparc SUNW,Ultra-60 Using: zlib 1.1.3 http://www.cdrom.com/pub/infozip/zlib/zlib-1.1.3.tar.gz rsaref2.0 (plus patch from bugtraq digest 30-Nov-1999) ftp://ftp.funet.fi/pub/unix/security/login/ssh/rsaref2.tar.gz openssl 0.9.4 ftp://ftp.openssl.org/source/openssl-0.9.4.tar.gz egd 0.6 ftp://ftp.lothar.com/linux/egd-0.6.tar.gz openssh 1.2pre16 http://violet.ibs.com.au/openssh/files/openssh-1.2pre16.tar.gz Configured with: ./configure --prefix=/usr/local \ --sysconfdir=/etc/ssh \ --with-tcp-wrapers \ --with-egd-pool=/var/random/entropy Problem: # using $Id: pty.c,v 1.9 1999/12/06 12:10:12 deraadt Exp $ gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" \ -DSSH_PROGRAM=\"/usr/local/bin/ssh\" \ -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" \ -DHAVE_CONFIG_H -c pty.c -o pty.o pty.c: In function `pty_allocate': pty.c:115: `I_PUSH' undeclared (first use in this function) pty.c:115: (Each undeclared identifier is reported only once pty.c:115: for each function it appears in.) make: *** [pty.o] Error 1 Possible Patch: Index: pty.c --- pty.c~ 1999/12/09 09:31:41 +++ pty.c 1999/12/09 16:41:46 @@ -27,6 +27,12 @@ #if defined(HAVE__GETPTY) || defined(HAVE_OPENPTY) #undef HAVE_DEV_PTMX #endif + +#ifdef HAVE_DEV_PTMX +#ifndef I_PUSH +#include +#endif /* I_PUSH */ +#endif /* HAVE_DEV_PTMX */ #ifndef O_NOCTTY #define O_NOCTTY 0 Enjoy! -- Mark From dagraz at jahoopa.com Fri Dec 10 06:52:42 1999 
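Review bot: the file name after the added `#include` has been lost in the archived copy (the covering text likewise reads "does not #include to define I_PUSH"), so the hunk cannot be applied as shown and the missing header name has to be restored from the original mail before it is committed. Separately, guarding the include with `#ifndef I_PUSH` tests for the very symbol the include is meant to provide; that compiles, but it hides a missing or misnamed header behind exactly the `I_PUSH' undeclared` error reported above. The conventional fix is an AC_CHECK_HEADERS test in configure.in and a guard on the resulting HAVE_*_H macro, next to the existing HAVE_DEV_PTMX logic at the top of pty.c, so a wrong header shows up at configure time instead of at compile time.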
From: dagraz at jahoopa.com (David Agraz) Date: Thu, 9 Dec 1999 13:52:42 CST Subject: xauth location in openssh-1.2pre17 Message-ID: <19991209194000.8FF044004@bb.vitnet.com.sg> The current configuration only works if xauth can be found at /usr/X11R6/bin/xauth, which creates some problems when running sshd on an openwin system. Contained below are patches to find the path of xauth in configure, and set the path in config.h. (also contained is a patch for configure for those without autoconf) Also-- added #include "bsd-daemon" to includes.h, which quiets a compiler warning in sshd.c. hope this helps, -dagraz --- configure.in.orig Thu Dec 9 14:16:45 1999 +++ configure.in Thu Dec 9 14:14:42 1999 @@ -287,4 +287,8 @@ [AC_DEFINE(HAVE_MD5_PASSWORDS)] ) +dnl Check for the path to xauth +AC_PATH_PROG(xauth_path, xauth) +AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path") + AC_OUTPUT(Makefile) --- includes.h.orig Thu Dec 9 14:16:16 1999 +++ includes.h Thu Dec 9 14:15:50 1999 @@ -77,11 +77,7 @@ #include "bsd-strlcat.h" #include "bsd-mktemp.h" #include "bsd-snprintf.h" - -/* Define this to be the path of the xauth program. */ -#ifndef XAUTH_PATH -#define XAUTH_PATH "/usr/X11R6/bin/xauth" -#endif /* XAUTH_PATH */ +#include "bsd-daemon.h" /* Define this to be the path of the rsh program. */ #ifndef _PATH_RSH --- config.h.in.orig Thu Dec 9 14:17:04 1999 +++ config.h.in Thu Dec 9 13:11:24 1999 @@ -175,6 +175,9 @@ /* Define if you have the z library (-lz). */ #undef HAVE_LIBZ +/* Path to xauth */ +#undef XAUTH_PATH + /* ******************* Shouldn't need to edit below this line ************** */ #include /* For u_intXX_t */ --- acconfig.h.orig Thu Dec 9 14:17:11 1999 +++ acconfig.h Thu Dec 9 12:46:14 1999 
@@ -73,6 +73,9 @@ /* Define if you have /dev/ptc */ #undef HAVE_DEV_PTS_AND_PTC +/* Path to xauth */ +#undef XAUTH_PATH + @BOTTOM@ /* ******************* Shouldn't need to edit below this line ************** */ --- configure.orig Thu Dec 9 14:16:54 1999 +++ configure Thu Dec 9 14:14:49 1999 @@ -2282,6 +2282,46 @@ fi +# Extract the first word of "xauth", so it can be a program name with args. +set dummy xauth; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:2289: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_xauth_path'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$xauth_path" in + /*) + ac_cv_path_xauth_path="$xauth_path" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_xauth_path="$xauth_path" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_xauth_path="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + ;; +esac +fi +xauth_path="$ac_cv_path_xauth_path" +if test -n "$xauth_path"; then + echo "$ac_t""$xauth_path" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +cat >> confdefs.h < confcache <<\EOF # This file is a shell script that caches the results of configure @@ -2426,6 +2466,7 @@ s%@GNOME_ASKPASS@%$GNOME_ASKPASS%g s%@RANDOM_POOL@%$RANDOM_POOL%g s%@LIBWRAP@%$LIBWRAP%g +s%@xauth_path@%$xauth_path%g CEOF EOF _____________________________________________________ Sent by Jahoopa Free Email! Find us on the web at http://www.jahoopa.com Join today! From dagraz at jahoopa.com Fri Dec 10 07:12:23 1999 
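Review bot: the configure.in hunk, `AC_PATH_PROG(xauth_path, xauth)` followed by `AC_DEFINE_UNQUOTED(XAUTH_PATH, "$xauth_path")`, bakes whatever xauth happens to be first in the build user's PATH into sshd, and if none is found `$xauth_path` is empty and XAUTH_PATH becomes "" while the includes.h hunk removes the old `#ifndef XAUTH_PATH` fallback to /usr/X11R6/bin/xauth at the same time; such a build compiles but X11 forwarding will try to run an empty path. Suggest giving AC_PATH_PROG its value-if-not-found argument (the old default), or adding an AC_ARG_WITH override so a packager can name the binary explicitly, and only defining XAUTH_PATH when a value was actually found. An explicit option also keeps a stray, user-writable directory early in the configure-time PATH from deciding which program the server execs for every X11 session.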
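Review bot: the includes.h hunk bundles two unrelated changes, dropping the XAUTH_PATH fallback block and adding `#include "bsd-daemon.h"` to quiet the daemon() warning in sshd.c; they should be separate hunks (or separate patches) so the fallback removal can be reverted on its own if the configure detection misbehaves. The `#undef XAUTH_PATH` is added to both acconfig.h and config.h.in, which is the same duplication as the hand-edited configure (the message says it is for people without autoconf); that is acceptable, but the commit should say so, and the generated-configure hunk as archived here is truncated around the `cat >> confdefs.h` heredoc, so it should be regenerated rather than taken from this mail.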
From: dagraz at jahoopa.com (David Agraz) Date: Thu, 9 Dec 1999 14:12:23 CST Subject: bsd-login.c in pre17 Message-ID: <19991209200029.88F7826EE5@toad.mindrot.org> Just a small fix: if #ifdef is given multiple arguments, it only evaluates the first and ignores the rest of the line... Also added #include to prevent compiler warning about strncmp in login. enjoy, -dagraz --- bsd-login.c.orig Thu Dec 9 14:52:27 1999 +++ bsd-login.c Thu Dec 9 14:58:42 1999 @@ -52,6 +52,7 @@ # include #endif #include +#include void login(utp) @@ -78,7 +79,7 @@ tty = ttyslot(); if (tty > 0 && (fd = open(_PATH_UTMP, O_RDWR|O_CREAT, 0644)) >= 0) { -#ifdef HAVE_HOST_IN_UTMP || HAVE_HOST_IN_UTMPX +#if defined(HAVE_HOST_IN_UTMP) || defined(HAVE_HOST_IN_UTMPX) (void)lseek(fd, (off_t)(tty * sizeof(struct UTMP_STR)), SEEK_SET); /* * Prevent luser from zero'ing out ut_host. _____________________________________________________ Sent by Jahoopa Free Email! Find us on the web at http://www.jahoopa.com Join today! From karn at ka9q.ampr.org Fri Dec 10 09:07:42 1999 
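Review bot: the `#if defined(HAVE_HOST_IN_UTMP) || defined(HAVE_HOST_IN_UTMPX)` change is the substantive part of this hunk and deserves a sentence in the commit message: with the old `#ifdef HAVE_HOST_IN_UTMP || HAVE_HOST_IN_UTMPX` the preprocessor, as the message says, only looked at the first macro, so on a utmpx-only system the whole block, including the lseek and the "Prevent luser from zero'ing out ut_host" logic that follows it, was compiled out and that protection of the login record simply did not run. That is a behaviour change, not just a warning fix. As with the pty.c patch on this list, the header name after the added `#include` has been lost in the archived copy and must be restored before applying.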
From: karn at ka9q.ampr.org (Phil Karn)
Date: Thu, 9 Dec 1999 14:07:42 -0800
Subject: ssh-keygen key length mismatch?
Message-ID: <199912092207.OAA10053@homer.ka9q.ampr.org>

Scenario:

Use the ssh-keygen utility in openssh-1.2pre17 to generate a host key
Kill and restart sshd
Remove the old host key from ~/.ssh/known_hosts
Connect to the host using ssh.

I get this:

homer.ka9q.ampr.org$ ssh 199.106.106.3 who
The authenticity of host '199.106.106.3' can't be established.
Key fingerprint is 1024 a0:8d:17:f0:fa:a9:9f:6f:b5:d0:1c:d6:02:92:bd:5e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '199.106.106.3' to the list of known hosts.
Warning: keysize mismatch: actual 1023, announced 1024     <------

I have generated new host keys about a half dozen times now and I get
the same keysize mismatch message every time. Is this a bug in
ssh-keygen inherited from the original Ylonen code?

Simply changing the keysize field in /etc/ssh/ssh_host_key.pub and
restarting the server doesn't fix the problem. I guess the server gets
the size from the private key file, which I can't edit.

Phil

From djm at mindrot.org Fri Dec 10 09:33:10 1999
From: djm at mindrot.org (Damien Miller)
Date: Fri, 10 Dec 1999 09:33:10 +1100 (EST)
Subject: ssh-keygen key length mismatch?
In-Reply-To: <199912092207.OAA10053@homer.ka9q.ampr.org>
Message-ID: 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 9 Dec 1999, Phil Karn wrote:

> Scenario:
> 
> Use the ssh-keygen utility in openssh-1.2pre17 to generate a host key
> Kill and restart sshd
> Remove the old host key from ~/.ssh/known_hosts
> Connect to the host using ssh.
> 
> I get this:
> 
> homer.ka9q.ampr.org$ ssh 199.106.106.3 who
> The authenticity of host '199.106.106.3' can't be established.
> Key fingerprint is 1024 a0:8d:17:f0:fa:a9:9f:6f:b5:d0:1c:d6:02:92:bd:5e.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added '199.106.106.3' to the list of known hosts.
> Warning: keysize mismatch: actual 1023, announced 1024     <------
> 
> I have generated new host keys about a half dozen times now and I get
> the same keysize mismatch message every time. Is this a bug in
> ssh-keygen inherited from the original Ylonen code?

I haven't been able to replicate this. What platform and configure
options are you using?

Regards,
Damien

- -- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4UC4qormJ9RG1dI8RAr/XAJ4yKfJBGR/8+UAkFuBCgMycqgQCugCeM0WT
tZdbvW9TmqmW2rEL0Q2SQoI=
=nL9d
-----END PGP SIGNATURE-----

From csaia at wtower.com Fri Dec 10 09:41:16 1999
From: csaia at wtower.com (Chris Saia)
Date: 09 Dec 1999 17:41:16 -0500
Subject: OpenSSH-1.12pre17: PATCH: Red Hat PAM limits
In-Reply-To: Jim Knoble's message of "Thu, 9 Dec 1999 03:59:48 -0500"
References: <19991209035948.A5862@quipu.earth>
Message-ID: 

Jim Knoble writes:

> This works on Red Hat Linux 5.2 (pam-0.64-4) in the following scenarios:

Likewise, the added session line also seems to work with SuSE 6.2's PAM
configuration.

Best,

=C=

-- 
===============================================================================
csaia at wtower.com, WTnet IRC Administrator - http://www.wtower.com/~csaia/
GNU Privacy Guard Public Key information is available at the above URL.
===============================================================================

From markus.friedl at informatik.uni-erlangen.de Fri Dec 10 10:27:23 1999
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 10 Dec 1999 00:27:23 +0100
Subject: ssh-keygen key length mismatch?
In-Reply-To: <199912092207.OAA10053@homer.ka9q.ampr.org>
References: <199912092207.OAA10053@homer.ka9q.ampr.org>
Message-ID: <19991210002723.A13522@folly.informatik.uni-erlangen.de>

Hello,

could you please provide the output from 'ssh -v'.

the warning is _not_ about the server keys (it would say so), but about
your identity-key I suppose.

Try
	ssh-keygen -l -f ~/.ssh/identity.pub
and it will print 1023 while the identity.pub file says 1024.

And no, the bug is only in the original Ylonen RSA-code which is not
reused by OpenSSH. OpenSSH uses OpenSSL for RSA.

I will make the warning more verbose.

Markus

On Thu, Dec 09, 1999 at 02:07:42PM -0800, Phil Karn wrote:
> Scenario:
> 
> Use the ssh-keygen utility in openssh-1.2pre17 to generate a host key
> Kill and restart sshd
> Remove the old host key from ~/.ssh/known_hosts
> Connect to the host using ssh.
> 
> I get this:
> 
> homer.ka9q.ampr.org$ ssh 199.106.106.3 who
> The authenticity of host '199.106.106.3' can't be established.
> Key fingerprint is 1024 a0:8d:17:f0:fa:a9:9f:6f:b5:d0:1c:d6:02:92:bd:5e.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added '199.106.106.3' to the list of known hosts.
> Warning: keysize mismatch: actual 1023, announced 1024     <------
> 
> I have generated new host keys about a half dozen times now and I get
> the same keysize mismatch message every time. Is this a bug in
> ssh-keygen inherited from the original Ylonen code?
> 
> Simply changing the keysize field in /etc/ssh/ssh_host_key.pub and
> restarting the server doesn't fix the problem. I guess the server gets
> the size from the private key file, which I can't edit.
> 
> Phil

From karn at ka9q.ampr.org Fri Dec 10 10:45:40 1999
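Markus's advice above is to compare what `ssh-keygen -l -f ~/.ssh/identity.pub` reports with the first field of the file. The following is an added example for this thread, not code from OpenSSH or ssh-keygen: it performs that same comparison on a public key line, reading the announced `bits` field and computing the real bit length of the decimal modulus, which is what the `keysize mismatch: actual 1023, announced 1024` warning is reporting. It assumes the SSH1 `bits exponent modulus [comment]` layout with the numbers in decimal; the sample lines in `main()` are constructed with a toy modulus.

```c
/*
 * Compare the announced "bits" field of an SSH1 public key line with the
 * real bit length of its modulus, the comparison behind the warning
 *   keysize mismatch: actual 1023, announced 1024
 * Added example for this thread, not OpenSSH or ssh-keygen code. It
 * assumes the SSH1 "bits exponent modulus [comment]" layout with the
 * numbers in decimal, as in identity.pub and ssh_host_key.pub.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Bit length of a non-negative decimal integer held as a string, found by
 * halving the digit array until it reaches zero, so no bignum library is
 * needed. Returns -1 for an empty string or a non-digit character.
 */
long decimal_bit_length(const char *dec)
{
	size_t n = strlen(dec), i;
	unsigned char *d;
	long bits = 0;

	if (n == 0 || (d = malloc(n)) == NULL)
		return -1;
	for (i = 0; i < n; i++) {
		if (!isdigit((unsigned char)dec[i])) {
			free(d);
			return -1;
		}
		d[i] = (unsigned char)(dec[i] - '0');
	}
	for (;;) {
		int carry = 0, nonzero = 0;
		for (i = 0; i < n && !nonzero; i++)
			nonzero = d[i] != 0;
		if (!nonzero)
			break;
		/* long division by two, most significant digit first */
		for (i = 0; i < n; i++) {
			int v = carry * 10 + d[i];
			d[i] = (unsigned char)(v / 2);
			carry = v % 2;
		}
		bits++;
	}
	free(d);
	return bits;
}

/*
 * Split one key line into its first three fields and report the announced
 * size and the actual modulus size. Returns 0 on success, -1 if the line
 * does not carry three fields or the first and third are not numbers.
 */
int ssh1_pubkey_sizes(const char *line, long *announced, long *actual)
{
	const char *p = line, *tok[3];
	size_t len[3];
	char *modulus;
	int i;

	for (i = 0; i < 3; i++) {
		p += strspn(p, " \t");
		tok[i] = p;
		len[i] = strcspn(p, " \t\r\n");
		if (len[i] == 0)
			return -1;
		p += len[i];
	}
	if ((modulus = malloc(len[2] + 1)) == NULL)
		return -1;
	memcpy(modulus, tok[2], len[2]);
	modulus[len[2]] = '\0';
	*announced = strtol(tok[0], NULL, 10);	/* stops at the first blank */
	*actual = decimal_bit_length(modulus);
	free(modulus);
	return (*announced > 0 && *actual >= 0) ? 0 : -1;
}

/* 1 if announced and actual size agree, 0 if they differ, -1 if unparsable. */
int ssh1_pubkey_size_ok(const char *line)
{
	long announced, actual;

	if (ssh1_pubkey_sizes(line, &announced, &actual) != 0)
		return -1;
	return announced == actual;
}

int main(void)
{
	/* constructed sample lines with a toy modulus; real keys are ~1024 bits */
	const char *lines[] = { "17 35 65537 good@example", "16 35 65537 bad@example" };
	long a, b;
	int i;

	for (i = 0; i < 2; i++) {
		if (ssh1_pubkey_sizes(lines[i], &a, &b) != 0)
			continue;
		printf("%s: %s (actual %ld, announced %ld)\n", lines[i],
		    a == b ? "ok" : "keysize mismatch", b, a);
	}
	return 0;
}
```

Run against a real identity.pub the second number printed is the value Markus says `ssh-keygen -l` will show; the first is the one in the file, and as Phil found, editing that field is all the fix there is, since the modulus itself is what the peer verifies.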
From: karn at ka9q.ampr.org (Phil Karn) Date: Thu, 9 Dec 1999 15:45:40 -0800 Subject: ssh-keygen key length mismatch? In-Reply-To: <19991210002723.A13522@folly.informatik.uni-erlangen.de> (message from Markus Friedl on Fri, 10 Dec 1999 00:27:23 +0100) Message-ID: <199912092345.PAA10830@homer.ka9q.ampr.org> >could you please provide the output from 'ssh -v'. >the warning is _not_ about the server keys (it would say so), Ah so. Sure enough, you're right. Editing my identity.pub file solved the problem. Sorry about the false alarm. >I will make the warning more verbose. That seems like a very good idea. The original SSH could also be very confusing about the source of its error messages. I remember once having great difficulty figuring out from an ambiguous error message just what directory on what machine had an objectionable set of permissions. Phil From mark.baushke at solipsa.com Fri Dec 10 13:07:47 1999 From: mark.baushke at solipsa.com (Mark D. Baushke) Date: Thu, 09 Dec 1999 18:07:47 -0800 Subject: documentation nit Message-ID: <199912100207.SAA11999@mozart.solipsa.com> Greetings, A minor documentation nit (patch follows my .signature) replace the missing 'f' letter... Both openssh-1.2pre16 and the openbsd cvs repository need the change. -- Mark Index: ssh.1 =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh.1,v retrieving revision 1.29 diff -u -r1.29 ssh.1 --- ssh.1 1999/12/02 17:23:54 1.29 +++ ssh.1 1999/12/09 22:26:07 @@ -351,7 +351,7 @@ Use a non-privileged port for outgoing connections. This can be used if your firewall does not permit connections from privileged ports. -Note that this option turns of +Note that this option turns off .Cm RhostsAuthentication and .Cm RhostsRSAAuthentication . From djm at mindrot.org Fri Dec 10 19:17:57 1999 
From: djm at mindrot.org (Damien Miller)
Date: Fri, 10 Dec 1999 19:17:57 +1100 (EST)
Subject: [PATCH] Fixing a couple of small problems in Makefile.in (1.2pre17).
In-Reply-To: 
Message-ID: 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 9 Dec 1999, Niels Kristian Bech Jensen wrote:

> Hi,
> This patch fixes a couple of small ``problems'' in 1.2pre17 Makefile.in:
> 
> 1. Avoid making an empty $(libexecdir)/ssh directory.
> 2. Don't try to uninstall $(mandir)/man1/slogin.1 twice.

Thanks, applied.

Damien

- -- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4ULc4ormJ9RG1dI8RAoUeAKCX/pmgl0vZZYgwRzLPxOJF1nx9TQCdH7oX
9RWyixygbPmj1shzjSiwq0Q=
=x7qU
-----END PGP SIGNATURE-----

From djm at mindrot.org Fri Dec 10 19:19:08 1999
From: djm at mindrot.org (Damien Miller)
Date: Fri, 10 Dec 1999 19:19:08 +1100 (EST)
Subject: Minor patches to openssh-1.2pre17 for Solaris
In-Reply-To: 
Message-ID: 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 9 Dec 1999, Gordon Rowell wrote:

> Almost worked first time (Solaris 2.7, gcc-2.95.2). Well done.
> 
> perl -i -p -e 's/-m644/-m 644/' Makefile.in

Done, thanks.

> Also, it would be nice to be able to set up LFLAGS somehow, to
> provide the following:
> 
> LFLAGS=-R/usr/local/lib

You can do this with configure:

LDFLAGS=-R/usr/local/lib ./configure [options]

They should get propagated thru to the Makefile.

Regards,
Damien Miller

- -- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4ULd/ormJ9RG1dI8RArPzAKCUsTu47pnLR9nkRUiTNQ8FYjfJGACgkqWD
hIyY+Zok5XbS30ur2RJMwUY=
=bFFH
-----END PGP SIGNATURE-----

From djm at mindrot.org Fri Dec 10 19:23:11 1999
From: djm at mindrot.org (Damien Miller)
Date: Fri, 10 Dec 1999 19:23:11 +1100 (EST)
Subject: OpenSSH-1.12pre17: PATCH: Red Hat PAM limits
In-Reply-To: <19991209035948.A5862@quipu.earth>
Message-ID: 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 9 Dec 1999, Jim Knoble wrote:

> With the sshd in recent releases of OpenSSH, some Red Hat Linux
> systems complain about ulimit trying to raise a limit when logging
> in via ssh. The problem is that packages/redhat/sshd.pam doesn't do
> limit checking for an sshd session.

Applied. Thanks.

Damien

- -- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4ULhyormJ9RG1dI8RAo8fAKCX53cZiwlx9H68ZXiSDU5FreowuwCbBKpF
xzoeFIyXhHuqgaKKBm5G6pM=
=4IW7
-----END PGP SIGNATURE-----

From djm at mindrot.org Fri Dec 10 19:34:59 1999
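The pam_limits line applied above only tells PAM to consult /etc/security/limits.conf; which value a given user actually ends up with depends on how the `user`, `@group` and `*` domains in that file are matched against the session's user. The following is an added example for this thread, not pam_limits or OpenSSH code: it resolves one limit from a constructed limits.conf the way Linux-PAM's pam_limits is assumed to (a line naming the user beats an `@group` line, which beats the `*` default, and within one class the last line in the file wins; `-` as the type sets both hard and soft). The sample file, the users and their group memberships in `sample_limit()` are all constructed.

```c
/*
 * Resolve the limit a pam_limits style /etc/security/limits.conf yields
 * for one user, to show how lines such as "user hard core 1000000" and
 * "@group hard core 1000000" from the patch above are matched.
 * Added example for this thread, not pam_limits or OpenSSH code.
 * Precedence is assumed to follow Linux-PAM's pam_limits: an entry naming
 * the user beats an @group entry, which beats the '*' default, and among
 * entries of the same class the last one in the file wins.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_GROUPS 8

struct limits_user {
	const char *name;
	const char *groups[MAX_GROUPS];
	int ngroups;
};

/* Constructed sample limits.conf, not a real site's file. */
static const char *SAMPLE_CONF =
    "# /etc/security/limits.conf - constructed sample\n"
    "*       soft  core   0\n"
    "@wheel  hard  core   1000000\n"
    "alice   hard  core   2000000\n"
    "bob     -     nproc  50\n"
    "*       hard  core   100\n";

/* 3 = names the user, 2 = one of the user's groups, 1 = '*', 0 = no match */
static int domain_rank(const char *domain, const struct limits_user *u)
{
	int i;

	if (strcmp(domain, "*") == 0)
		return 1;
	if (domain[0] == '@') {
		for (i = 0; i < u->ngroups; i++)
			if (strcmp(domain + 1, u->groups[i]) == 0)
				return 2;
		return 0;
	}
	return strcmp(domain, u->name) == 0 ? 3 : 0;
}

/*
 * conf is the whole limits.conf text; type is "hard" or "soft"; item is a
 * resource name such as "core". Returns 1 and stores the winning value in
 * *value, or 0 if no line applies to this user.
 */
int resolve_limit(const char *conf, const struct limits_user *u,
    const char *type, const char *item, long *value)
{
	char *copy = strdup(conf), *line, *save;
	int best = 0, found = 0;

	if (copy == NULL)
		return 0;
	for (line = strtok_r(copy, "\n", &save); line != NULL;
	    line = strtok_r(NULL, "\n", &save)) {
		char domain[64], ltype[16], litem[32], lvalue[32];
		int rank;

		line += strspn(line, " \t");
		if (*line == '#' || *line == '\0')
			continue;	/* comment or blank line */
		if (sscanf(line, "%63s %15s %31s %31s",
		    domain, ltype, litem, lvalue) != 4)
			continue;	/* malformed line: skipped here */
		if (strcmp(litem, item) != 0)
			continue;
		/* '-' means the line sets both the hard and the soft limit */
		if (strcmp(ltype, "-") != 0 && strcmp(ltype, type) != 0)
			continue;
		rank = domain_rank(domain, u);
		if (rank == 0 || rank < best)
			continue;	/* no match, or a weaker class than one already seen */
		best = rank;
		*value = strtol(lvalue, NULL, 10);
		found = 1;
	}
	free(copy);
	return found;
}

/*
 * Wrapper over the constructed sample: alice and carol are in wheel, bob
 * and dave are not. Returns 1 with *value set, or 0 if no line applies.
 */
int sample_limit(const char *user, const char *type, const char *item,
    long *value)
{
	struct limits_user u = { user, { "users" }, 1 };

	if (strcmp(user, "alice") == 0 || strcmp(user, "carol") == 0) {
		u.groups[1] = "wheel";
		u.ngroups = 2;
	}
	return resolve_limit(SAMPLE_CONF, &u, type, item, value);
}
```

With the sample file, alice gets the 2000000 hard core limit from her own line even though the later `*` line says 100, carol gets 1000000 through wheel, and dave, who matches only `*`, gets 100; that ordering is why a shared `*` default at the bottom of the file cannot silently override a per-user entry.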
From: djm at mindrot.org (Damien Miller)
Date: Fri, 10 Dec 1999 19:34:59 +1100 (EST)
Subject: solaris 2.5.1 still no good
In-Reply-To: <000501bf4228$2be5aaa0$d23d020a@tardieu-e.clients.cpr.fr>
Message-ID: 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 9 Dec 1999, ET wrote:

> Hi folks,
> 
> Here's what I get under solaris 2.5.1 (sparc) with gcc-2.95.2 and
> gnumake 3.78-something :
> 
> bsd-snprintf.c: In function `msetup':
> bsd-snprintf.c:67: warning: implicit declaration of function
> `getpagesize'

Can anyone offer a replacement for this?

> bsd-snprintf.c:72: `x' undeclared (first use in this function)
> bsd-snprintf.c:72: (Each undeclared identifier is reported only once
> bsd-snprintf.c:72: for each function it appears in.)
> bsd-snprintf.c:72: `y' undeclared (first use in this function)
> bsd-snprintf.c:72: warning: left-hand operand of comma expression has
> no effect

This is weird - it looks like your C compiler is breaking while trying
to expand the roundup() macro.

> bsd-snprintf.c: In function `snprintf':
> bsd-snprintf.c:123: warning: implicit declaration of function
> `vsnprintf'

At least this warning was easily fixed.

> I can't find getpagesize() in /usr/include, nor can I find
> vsnprintf() or snprintf()

Are there not #defines which contain the same information?

Regards,
Damien

- -- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4ULs2ormJ9RG1dI8RAuCnAJ4vFHXo517wc5W+Kq7naZ3KLYoy8wCfTrHW
ClefFOgUKN2lIypIpqK+20A=
=9LxV
-----END PGP SIGNATURE-----

From djm at mindrot.org Fri Dec 10 19:35:47 1999
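Damien asks above for a replacement for getpagesize(). The following is an added example, not OpenSSH code, of the portable fallback a practitioner would drop into the msetup() of bsd-snprintf.c: it prefers getpagesize() where configure has found it (HAVE_GETPAGESIZE is assumed to come from config.h), falls back to sysconf(_SC_PAGESIZE), and otherwise uses an assumed 4096. The rounding macro gets its own name so it cannot collide with a roundup() that some <sys/param.h> headers already define.

```c
/*
 * Page-size lookup for a bsd-snprintf.c style msetup() on systems without
 * getpagesize(), plus the rounding helper that code needs. Added example
 * for this thread, not OpenSSH code. HAVE_GETPAGESIZE is assumed to be
 * defined by configure (config.h) where the function exists; the 4096
 * fallback is an assumption for hosts with neither getpagesize() nor a
 * usable sysconf().
 */
#include <stddef.h>
#include <unistd.h>

/*
 * Own name on purpose: some <sys/param.h> headers ship a roundup() macro
 * of their own, and two definitions of the same macro name are a classic
 * source of confusing expansion errors.
 */
#define SSH_ROUNDUP(x, y) ((((x) + ((y) - 1)) / (y)) * (y))

long ssh_getpagesize(void)
{
	long sz = -1;

#if defined(HAVE_GETPAGESIZE)
	sz = (long)getpagesize();
#elif defined(_SC_PAGESIZE)
	sz = sysconf(_SC_PAGESIZE);
#elif defined(_SC_PAGE_SIZE)
	sz = sysconf(_SC_PAGE_SIZE);
#endif
	if (sz <= 0)
		sz = 4096;	/* assumed fallback, see above */
	return sz;
}

/* Every real page size is a power of two; use this as a sanity check. */
int is_power_of_two(long v)
{
	return v > 0 && (v & (v - 1)) == 0;
}

/*
 * Number of bytes to map for a buffer of n bytes: rounded up to whole
 * pages, and never zero so that a zero-length request still gets a page.
 */
size_t page_bytes_for(size_t n)
{
	size_t page = (size_t)ssh_getpagesize();
	size_t r = SSH_ROUNDUP(n, page);

	return r ? r : page;
}
```

On a system that really has neither symbol the 4096 guess is only safe because msetup() uses the value for mapping granularity rather than for anything security relevant; if the real page size is larger, mmap simply rounds up again.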
From: djm at mindrot.org (Damien Miller)
Date: Fri, 10 Dec 1999 19:35:47 +1100 (EST)
Subject: openssh-1.2pre16 patch to pty.c for Solaris 2.6
In-Reply-To: <199912091735.JAA08021@mozart.solipsa.com>
Message-ID: 

On Thu, 9 Dec 1999, Mark D. Baushke wrote:

> Greetings,
> 
> While attempting to build openssh for Solaris 2.6, I ran into a minor
> problem that should probably be corrected in the next release of
> openssh. The file pty.c does not #include to define I_PUSH
> even though I_PUSH is used when HAVE_DEV_PTMX is defined.

Should be fixed in 1.2pre17

Thanks,
Damien Miller

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Fri Dec 10 19:39:08 1999
From: djm at mindrot.org (Damien Miller)
Date: Fri, 10 Dec 1999 19:39:08 +1100 (EST)
Subject: bsd-login.c in pre17
In-Reply-To: <19991209200029.88F7826EE5@toad.mindrot.org>
Message-ID: 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 9 Dec 1999, David Agraz wrote:

> 
> Just a small fix:
> 
> if #ifdef is given multiple arguments, it only evaluates the first
> and ignores the rest of the line...
> 
> Also added #include to prevent compiler warning about
> strncmp in login.

Applied, thanks.

Damien

- -- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4ULwvormJ9RG1dI8RAsV2AJ9VaB/cuQuiGR7cYZtTICTdYJVHFwCcDryR
GpzMawfSE9Uv3DqgeKP1l1Q=
=Zt+w
-----END PGP SIGNATURE-----

From edgy at us.ibm.com Fri Dec 10 20:18:13 1999
From: edgy at us.ibm.com (edgy at us.ibm.com)
Date: Fri, 10 Dec 1999 04:18:13 -0500
Subject: openssh on AIX v4.3.3 with native compiler
Message-ID: <85256843.00333877.00@D51MTA05.pok.ibm.com>

Hello,

Was looking in the archives... and haven't seen this one listed.

When I compile openssh-1.2pre17 on AIX v4.3.3 with the native compiler
I get the following errors. I haven't seen this __attribute__ code..
What compiler/libraries are needed to compile this? I have seen that
people have compiled openssh on AIX.. Just wondering what you have used.

# make
cc -g -I/usr/local/include -DETCDIR=\"//etc\" -DSSH_PROGRAM=\"//bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"//libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c atomicio.c
"ssh.h", line 494.36: 1506-276 (S) Syntax error: possible missing '{'?
make: 1254-004 The error code from the last command is 1.

The code is below...

/* Output a message to syslog or stderr */
void fatal(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void error(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void log(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void verbose(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));

Any suggestions? Any help would be greatly appreciated!

EdGy

From markus.friedl at informatik.uni-erlangen.de Fri Dec 10 20:33:53 1999
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 10 Dec 1999 10:33:53 +0100 Subject: openssh on AIX v4.3.3 with native compiler In-Reply-To: <85256843.00333877.00@D51MTA05.pok.ibm.com> References: <85256843.00333877.00@D51MTA05.pok.ibm.com> Message-ID: <19991210103353.A9870@folly.informatik.uni-erlangen.de> > void fatal(const char *fmt,...) __attribute__((format(printf, 1, 2))); try this: Index: cipher.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/cipher.c,v retrieving revision 1.18 diff -u -r1.18 cipher.c --- cipher.c 1999/11/24 19:53:45 1.18 +++ cipher.c 1999/12/07 13:30:41 @@ -106,7 +106,7 @@ void (*cipher_attack_detected) (const char *fmt,...) = fatal; -static inline void +static INLINE void detect_cbc_attack(const unsigned char *src, unsigned int len) { Index: includes.h =================================================================== RCS file: /cvs/src/usr.bin/ssh/includes.h,v retrieving revision 1.11 diff -u -r1.11 includes.h --- includes.h 1999/11/24 19:53:47 1.11 +++ includes.h 1999/12/07 13:30:41 @@ -57,6 +57,18 @@ #include "version.h" +#ifdef __GNUC__ +# if __GNUC__ < 2 +# define INLINE inline +# define __attribute__(x) +# else +# define INLINE __inline__ +# endif /* __GNUC__ < 2 */ +#else +# define __attribute__(x) +# define INLINE +#endif /* __GNUC__ */ + /* Define this to be the path of the xauth program. */ #define XAUTH_PATH "/usr/X11R6/bin/xauth" From edgy at us.ibm.com Fri Dec 10 21:04:14 1999 
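Review bot: the diff is against the OpenBSD tree (RCS file /cvs/src/usr.bin/ssh/includes.h, with an unconditional `#define XAUTH_PATH "/usr/X11R6/bin/xauth"` as context), not against the openssh-1.2pre17 includes.h the reporter is building, so the includes.h hunk will need its context adjusted before it applies to the portable tree. On the content: defining `__attribute__(x)` away when __GNUC__ is unset or below 2 is the usual way to keep the `format(printf, ...)` annotations for gcc while letting the AIX native cc through, and it is correct. The INLINE macro, however, is only applied to detect_cbc_attack in cipher.c; the tree should be grepped for any other `static inline` before this goes in, since each one will fail on the same compiler in exactly the same way.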
From: edgy at us.ibm.com (edgy at us.ibm.com)
Date: Fri, 10 Dec 1999 05:04:14 -0500
Subject: openssh on AIX v4.3.3 with native compiler
Message-ID: <85256843.00375A01.00@D51MTA05.pok.ibm.com>

Thanks for your help,

That patch fixed the first error I encountered.. Here is another perhaps you
might have a suggestion. It is having problems with two extern declarations
with different types and same name. Sorry to keep posting but I just started
looking at this source tree and I am not comfortable making changes.. There
are much better people to decide what to change than I :)

cc -g -I/usr/local/include -DETCDIR=\"//etc\" -DSSH_PROGRAM=\"//bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"//libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c channels.c
"channels.c", line 390.67: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
"channels.c", line 418.67: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
"channels.c", line 448.67: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
"channels.c", line 1014.34: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed.
"channels.c", line 1021.55: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed.
"channels.c", line 1121.30: 1506-343 (S) Redeclaration of options differs from previous declaration on line 884 of "channels.c".
"channels.c", line 1121.30: 1506-382 (I) The type "struct {...}" of identifier options differs from previous type "struct {...}".
"channels.c", line 1230.49: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed.
make: 1254-004 The error code from the last command is 1.

void
channel_request_local_forwarding(u_short port, const char *host, u_short host_port)
{
    int ch, sock, on = 1;
    struct sockaddr_in sin;
    extern Options options;

and the other is

char *
x11_create_display_inet(int screen_number)
{
    extern ServerOptions options;
    int display_number, sock;

Just wondering if the warnings could be fixed...

"channels.c", line 390.67: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.

newsock = accept(ch->sock, &addr, &addrlen);

addrlen is declared as int but my docs say...

#include
#include
int accept (Socket, Address, AddressLength)
int Socket;
struct sockaddr *Address;
size_t *AddressLength;

EdGy

From scrappy at hub.org Sat Dec 11 02:25:41 1999
From: scrappy at hub.org (Marc G. Fournier)
Date: Fri, 10 Dec 1999 10:25:41 -0500 (EST)
Subject: snprintf from postgresql
Message-ID: <199912101525.KAA70679@hub.org>

/*
 * Copyright (c) 1983, 1995, 1996 Eric P. Allman
 * Copyright (c) 1988, 1993
 *      The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *      This product includes software developed by the University of
 *      California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifdef NOT_USED
#include "sendmail.h"
#include "pathnames.h"
#endif

#include "postgres.h"
#include "regex/cdefs.h"

/* standard headers this file uses (va_list, iscntrl, strlen, sprintf);
 * the angle-bracketed names were lost in the archived copy of the post */
#include <stdarg.h>
#include <ctype.h>
#include <string.h>
#include <stdio.h>

/*
 * We do all internal arithmetic in the widest available integer type,
 * here called long_long (or ulong_long for unsigned).
 */
#ifdef HAVE_LONG_LONG_INT_64
typedef long long long_long;
typedef unsigned long long ulong_long;
#else
typedef long long_long;
typedef unsigned long ulong_long;
#endif

/*
** SNPRINTF, VSNPRINT -- counted versions of printf
**
** These versions have been grabbed off the net.  They have been
** cleaned up to compile properly and support for .precision and
** %lx has been added.
*/

/**************************************************************
 * Original:
 * Patrick Powell Tue Apr 11 09:48:21 PDT 1995
 * A bombproof version of doprnt (dopr) included.
 * Sigh.  This sort of thing is always nasty to deal with.  Note that
 * the version here does not include floating point. (now it does ... tgl)
 *
 * snprintf() is used instead of sprintf() as it does limit checks
 * for string length.  This covers a nasty loophole.
 *
 * The other functions are there to prevent NULL pointers from
 * causing nasty effects.
 **************************************************************/
/*static char _id[] = "$Id: snprintf.c,v 1.22 1999/05/25 16:10:28 momjian Exp $";*/

/* end: last byte of the caller's buffer that may be written (the NUL goes there) */
static char *end;
/* SnprfOverflow: number of characters that did not fit in the buffer */
static int SnprfOverflow;

int snprintf(char *str, size_t count, const char *fmt,...);
int vsnprintf(char *str, size_t count, const char *fmt, va_list args);
static void dopr(char *buffer, const char *format, va_list args);

int
snprintf(char *str, size_t count, const char *fmt,...)
{
    int len;
    va_list args;

    va_start(args, fmt);
    len = vsnprintf(str, count, fmt, args);
    va_end(args);
    return len;
}

int
vsnprintf(char *str, size_t count, const char *fmt, va_list args)
{
    if (count == 0)             /* no room even for the terminating NUL */
        return 0;
    str[0] = 0;
    end = str + count - 1;
    SnprfOverflow = 0;
    dopr(str, fmt, args);
    end[0] = 0;                 /* always NUL-terminate, even on overflow */
    if (SnprfOverflow)
        elog(NOTICE, "vsnprintf overflow, len = %d, str = %s", (int) count, str);
    return strlen(str);
}

/*
 * dopr(): poor man's version of doprintf
 */

static void fmtstr(char *value, int ljust, int len, int zpad, int maxwidth);
static void fmtnum(long_long value, int base, int dosign, int ljust, int len, int zpad);
static void fmtfloat(double value, char type, int ljust, int len, int precision, int pointflag);
static void dostr(char *str, int cut);
static void dopr_outch(int c);

/* output: next byte to write in the caller's buffer */
static char *output;

static void
dopr(char *buffer, const char *format, va_list args)
{
    int ch;
    long_long value;
    double fvalue;
    int longlongflag = 0;
    int longflag = 0;
    int pointflag = 0;
    int maxwidth = 0;
    char *strvalue;
    int ljust;
    int len;
    int zpad;

    output = buffer;
    while ((ch = *format++)) {
        switch (ch) {
            case '%':
                ljust = len = zpad = maxwidth = 0;
                longflag = longlongflag = pointflag = 0;
        nextch:
                ch = *format++;
                switch (ch) {
                    case 0:
                        dostr("**end of format**", 0);
                        return;
                    case '-':
                        ljust = 1;
                        goto nextch;
                    case '0':   /* set zero padding if len not set */
                        if (len == 0 && !pointflag)
                            zpad = '0';
                        /* FALLTHROUGH: a leading 0 is also a digit */
                    case '1':
                    case '2':
                    case '3':
                    case '4':
                    case '5':
                    case '6':
                    case '7':
                    case '8':
                    case '9':
                        if (pointflag)
                            maxwidth = maxwidth * 10 + ch - '0';
                        else
                            len = len * 10 + ch - '0';
                        goto nextch;
                    case '*':
                        if (pointflag)
                            maxwidth = va_arg(args, int);
                        else
                            len = va_arg(args, int);
                        goto nextch;
                    case '.':
                        pointflag = 1;
                        goto nextch;
                    case 'l':
                        if (longflag)
                            longlongflag = 1;
                        else
                            longflag = 1;
                        goto nextch;
                    case 'u':
                    case 'U':
                        /* fmtnum(value,base,dosign,ljust,len,zpad);
                         * unsigned conversions read unsigned arguments so
                         * a high-bit int is not sign-extended into long_long */
                        if (longflag) {
                            if (longlongflag)
                                value = va_arg(args, ulong_long);
                            else
                                value = va_arg(args, unsigned long);
                        } else
                            value = va_arg(args, unsigned int);
                        fmtnum(value, 10, 0, ljust, len, zpad);
                        break;
                    case 'o':
                    case 'O':
                        if (longflag) {
                            if (longlongflag)
                                value = va_arg(args, ulong_long);
                            else
                                value = va_arg(args, unsigned long);
                        } else
                            value = va_arg(args, unsigned int);
                        fmtnum(value, 8, 0, ljust, len, zpad);
                        break;
                    case 'd':
                    case 'D':
                        if (longflag) {
                            if (longlongflag)
                                value = va_arg(args, long_long);
                            else
                                value = va_arg(args, long);
                        } else
                            value = va_arg(args, int);
                        fmtnum(value, 10, 1, ljust, len, zpad);
                        break;
                    case 'x':
                        if (longflag) {
                            if (longlongflag)
                                value = va_arg(args, ulong_long);
                            else
                                value = va_arg(args, unsigned long);
                        } else
                            value = va_arg(args, unsigned int);
                        fmtnum(value, 16, 0, ljust, len, zpad);
                        break;
                    case 'X':
                        if (longflag) {
                            if (longlongflag)
                                value = va_arg(args, ulong_long);
                            else
                                value = va_arg(args, unsigned long);
                        } else
                            value = va_arg(args, unsigned int);
                        fmtnum(value, -16, 0, ljust, len, zpad);    /* negative base: upper case */
                        break;
                    case 's':
                        strvalue = va_arg(args, char *);
                        /* "%.0s" prints nothing; otherwise fmtstr truncates to
                         * maxwidth and pads to the full field width len */
                        if (maxwidth > 0 || !pointflag)
                            fmtstr(strvalue, ljust, len, zpad, maxwidth);
                        break;
                    case 'c':
                        ch = va_arg(args, int);
                        dopr_outch(ch);
                        break;
                    case 'e':
                    case 'E':
                    case 'f':
                    case 'g':
                    case 'G':
                        fvalue = va_arg(args, double);
                        fmtfloat(fvalue, ch, ljust, len, maxwidth, pointflag);
                        break;
                    case '%':
                        dopr_outch(ch);
                        continue;
                    default:
                        dostr("???????", 0);
                }
                break;
            default:
                dopr_outch(ch);
                break;
        }
    }
    *output = 0;
}

static void
fmtstr(char *value, int ljust, int len, int zpad, int maxwidth)
{
    int padlen, vlen;   /* amount to pad, length of value */

    if (value == 0)
        value = "";
    for (vlen = 0; value[vlen]; ++vlen);    /* strlen */
    if (vlen > maxwidth && maxwidth)
        vlen = maxwidth;
    padlen = len - vlen;
    if (padlen < 0)
        padlen = 0;
    if (ljust)
        padlen = -padlen;
    while (padlen > 0) {
        dopr_outch(' ');
        --padlen;
    }
    dostr(value, maxwidth);
    while (padlen < 0) {
        dopr_outch(' ');
        ++padlen;
    }
}

static void
fmtnum(long_long value, int base, int dosign, int ljust, int len, int zpad)
{
    int signvalue = 0;
    ulong_long uvalue;
    char convert[64];
    int place = 0;
    int padlen = 0;     /* amount to pad */
    int caps = 0;

    /*
     * DEBUGP(("value 0x%x, base %d, dosign %d, ljust %d, len %d, zpad %d\n",
     *         value, base, dosign, ljust, len, zpad ));
     */
    uvalue = value;
    if (dosign) {
        if (value < 0) {
            signvalue = '-';
            /* negate in unsigned arithmetic so the most negative value is defined */
            uvalue = -(ulong_long) value;
        }
    }
    if (base < 0) {
        caps = 1;
        base = -base;
    }
    do {
        convert[place++] =
            (caps ? "0123456789ABCDEF" : "0123456789abcdef")
            [uvalue % (unsigned) base];
        uvalue = (uvalue / (unsigned) base);
    } while (uvalue);
    convert[place] = 0;

    if (len < 0) {
        /* this could happen with a "*" width spec */
        ljust = 1;
        len = -len;
    }
    /* the sign character occupies one column of the field width */
    padlen = len - place - (signvalue ? 1 : 0);
    if (padlen < 0)
        padlen = 0;
    if (ljust)
        padlen = -padlen;
    /*
     * DEBUGP(( "str '%s', place %d, sign %c, padlen %d\n",
     *         convert,place,signvalue,padlen));
     */
    if (zpad && padlen > 0) {
        if (signvalue) {
            dopr_outch(signvalue);  /* sign goes before the zero padding */
            signvalue = 0;
        }
        while (padlen > 0) {
            dopr_outch(zpad);
            --padlen;
        }
    }
    while (padlen > 0) {
        dopr_outch(' ');
        --padlen;
    }
    if (signvalue)
        dopr_outch(signvalue);
    while (place > 0)
        dopr_outch(convert[--place]);
    while (padlen < 0) {
        dopr_outch(' ');
        ++padlen;
    }
}

static void
fmtfloat(double value, char type, int ljust, int len, int precision, int pointflag)
{
    char fmt[32];
    char convert[512];
    int padlen = 0;     /* amount to pad */

    /* we rely on regular C library's sprintf to do the basic conversion;
     * the precision is clamped so that even "%f" of the largest double
     * (309 digits) cannot outgrow convert[] */
    if (precision < 0)
        precision = 0;
    if (precision > 100)
        precision = 100;
    if (pointflag)
        sprintf(fmt, "%%.%d%c", precision, type);
    else
        sprintf(fmt, "%%%c", type);
    sprintf(convert, fmt, value);

    if (len < 0) {
        /* this could happen with a "*" width spec */
        ljust = 1;
        len = -len;
    }
    padlen = len - strlen(convert);
    if (padlen < 0)
        padlen = 0;
    if (ljust)
        padlen = -padlen;
    while (padlen > 0) {
        dopr_outch(' ');
        --padlen;
    }
    dostr(convert, 0);
    while (padlen < 0) {
        dopr_outch(' ');
        ++padlen;
    }
}

static void
dostr(char *str, int cut)
{
    if (cut) {
        while (*str && cut-- > 0)
            dopr_outch(*str++);
    } else {
        while (*str)
            dopr_outch(*str++);
    }
}

static void
dopr_outch(int c)
{
#ifdef NOT_USED
    if (iscntrl(c) && c != '\n' && c != '\t') {
        c = '@' + (c & 0x1F);
        if (end == 0 || output < end)
            *output++ = '^';
    }
#endif
    if (end == 0 || output < end)
        *output++ = c;
    else
        SnprfOverflow++;    /* character dropped: buffer is full */
}

From marc.fournier at acadiau.ca Sat Dec 11 02:28:04 1999
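The snprintf.c above is offered as a drop-in for bsd-snprintf.c, so before shipping it a practitioner would want to confirm the bounds it claims to enforce. The harness below is an added example, not part of Marc Fournier's post or of PostgreSQL: it fills a buffer with canary bytes, calls a vsnprintf-style function with a deliberately small count, and checks that nothing past the limit was touched, that the result is NUL-terminated and correctly truncated, and that a zero count writes nothing at all (the case a hand-rolled vsnprintf most often gets wrong). The function names and test cases are this example's own; it runs here against the C library's vsnprintf, and pointing `run_vetting` at a replacement's vsnprintf vets that one instead.

```c
/*
 * Added example: canary-based vetting of a vsnprintf candidate.
 * Not part of the snprintf.c posted above or of PostgreSQL; the names
 * below are this example's own.
 */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*vsnprintf_fn)(char *, size_t, const char *, va_list);

/* Failure bits returned by vet_one() and run_vetting(). */
#define VET_OVERRUN 1   /* a byte at or past buf[count] was modified */
#define VET_NO_NUL  2   /* no terminating NUL within the first count bytes */
#define VET_WRONG   4   /* visible result differs from the expected text */

#define CANARY 0xAA
#define BUFSZ  64

/*
 * Format into a BUFSZ buffer while telling the candidate it is only
 * `count` bytes long, then inspect the canary bytes beyond that limit.
 * `expect` is the (possibly truncated) string a correct implementation
 * leaves behind. Constructed inputs only; count must not exceed BUFSZ.
 */
static int vet_one(vsnprintf_fn fn, size_t count, const char *expect,
                   const char *fmt, ...)
{
    unsigned char buf[BUFSZ];
    va_list ap;
    size_t i;
    int fails = 0;

    memset(buf, CANARY, sizeof buf);
    va_start(ap, fmt);
    fn((char *) buf, count, fmt, ap);
    va_end(ap);

    /* 1. nothing at or beyond buf[count] may have been written */
    for (i = count; i < sizeof buf; i++)
        if (buf[i] != CANARY) {
            fails |= VET_OVERRUN;
            break;
        }
    /* 2. a non-empty buffer must hold a NUL, and 3. the right text */
    if (count > 0) {
        if (memchr(buf, '\0', count) == NULL)
            fails |= VET_NO_NUL;
        else if (strcmp((const char *) buf, expect) != 0)
            fails |= VET_WRONG;
    }
    return fails;
}

/* Constructed test cases; returns 0 when the candidate passes all of them. */
int run_vetting(vsnprintf_fn fn)
{
    int fails = 0;

    /* fits: whole string plus NUL */
    fails |= vet_one(fn, 8, "abc 42", "%s %d", "abc", 42);
    /* truncation: only count-1 characters may appear */
    fails |= vet_one(fn, 4, "abc", "%s %d", "abc", 42);
    /* field width must include the sign column */
    fails |= vet_one(fn, 8, "  -17", "%5ld", -17L);
    /* hex of a high-bit value must stay 32 bits wide, not sign-extend */
    fails |= vet_one(fn, 16, "ffffffff", "%x", 0xffffffffU);
    /* zero count: nothing at all may be written, not even a NUL */
    fails |= vet_one(fn, 0, "", "%s", "must not be written");
    return fails;
}

int main(void)
{
    int fails = run_vetting(vsnprintf);

    printf("libc vsnprintf: %s (failure bits 0x%x)\n",
           fails ? "FAIL" : "ok", fails);
    return fails != 0;
}
```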
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Fri, 10 Dec 1999 11:28:04 -0400 (AST)
Subject: solaris 2.5.1 still no good
In-Reply-To:
Message-ID:

I just email'd, from my other account, the snprintf.c that we distribute in
PostgreSQL...it's been thoroughly tested on all the platforms that we
support, with Solaris 2.5.1 being one of them...the bsd-snprintf.c that we
included in OpenSSH, I believe, was the stock FreeBSD one, whereas this one
is meant to be generic ... I *believe* that we pulled/borrowed this from
sendmail originally...

On Fri, 10 Dec 1999, Damien Miller wrote:

> On Thu, 9 Dec 1999, ET wrote:
>
> > Hi folks,
> >
> > Here's what I get under solaris 2.5.1 (sparc) with gcc-2.95.2 and
> > gnumake 3.78-something :
> >
> > bsd-snprintf.c: In function `msetup':
> > bsd-snprintf.c:67: warning: implicit declaration of function
> > `getpagesize'
>
> Can anyone offer a replacement for this?
>
> > bsd-snprintf.c:72: `x' undeclared (first use in this function)
> > bsd-snprintf.c:72: (Each undeclared identifier is reported only once
> > bsd-snprintf.c:72: for each function it appears in.)
> > bsd-snprintf.c:72: `y' undeclared (first use in this function)
> > bsd-snprintf.c:72: warning: left-hand operand of comma expression has
> > no effect
>
> This is weird - it looks like your C compiler is breaking while
> trying to expand the roundup() macro.
>
> > bsd-snprintf.c: In function `snprintf':
> > bsd-snprintf.c:123: warning: implicit declaration of function
> > `vsnprintf'
>
> At least this warning was easily fixed.
>
> > I can't find getpagesize() in /usr/include, nor can I find
> > vsnprintf() or snprintf()
>
> There are not #defines which contain the same information?
>
> Regards,
> Damien
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

Marc G. Fournier                          marc.fournier at acadiau.ca
Senior Systems Administrator              Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From Marc.Haber-lists at gmx.de Sat Dec 11 03:32:28 1999
From: Marc.Haber-lists at gmx.de (Marc Haber)
Date: Fri, 10 Dec 1999 16:32:28 GMT
Subject: scp with openssh on the server side and $PATH.
Message-ID:

Hi!

When I try to use scp from or to a machine that runs openssh-1.2pre16 on
Debian Linux, I keep getting the error message "scp: command not found".
Executing "ssh this-host echo \$PATH" yields "/usr/bin:/bin:/usr/sbin:/sbin:"
which might be set in config.h.

sshd is installed to /usr/local/stow/openssh-1.2pre16/sbin, scp to
/usr/local/stow/openssh-1.2pre16/bin; both programs are then symlinked so
that they can be found in /usr/local/[s]bin.

I changed config.h to say

|#ifndef _PATH_STDPATH
|# define _PATH_STDPATH "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:"
|#endif

recompiled and reinstalled, but I still keep getting the same, incorrect
$PATH.

What am I doing wrong?

btw, it would be easier to verify the correct sshd being executed if

|mh at torres[6/504]:~/devel/userspace/openssh-1.2pre12$ ./sshd -v
|./sshd: invalid option -- v
|sshd version OpenSSH-1.2
|Usage: sshd [options]
Usage message snipped
|mh at torres[7/505]:~/devel/userspace/openssh-1.2pre12$

would show the pre-version stamp as well.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mail address in header
Karlsruhe, Germany |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29

From phil at hands.com Sat Dec 11 04:09:39 1999
From: phil at hands.com (Philip Hands)
Date: 10 Dec 1999 17:09:39 +0000
Subject: New x11-ssh-askpass release available
In-Reply-To: <19991205233415.G12383@quipu.earth> (Jim Knoble's message of "Sun, 5 Dec 1999 23:34:15 -0500")
References: <19991205233415.G12383@quipu.earth>
Message-ID: <87bt7yafjg.fsf@sheikh.hands.com>

Jim Knoble writes:

> http://www.pobox.com/~jmknoble/jmk/x11-ssh-askpass-1999.12.04.tar.gz
...
> X11-ssh-askpass is a drop-in passphrase dialog for OpenSSH, based solely
> on the regular X11 libraries (libX11, libXt), with a default look and
> feel similar to the passphrase dialog present in recent releases of the
> not-so-open SSH-1.2.x.

Given that this requires the least (in terms of library dependencies) of
all the Free ssh-askpass implementations available to us, is it going to
be adopted as the default?

It seems to make sense to put this in the main source tree (as
ssh-askpass) and to get rid of the other two, to remove clutter, but
perhaps I'm missing some reason that people might prefer the gnome or
perl-tk versions.

Cheers, Phil.

From phil at hands.com Sat Dec 11 04:13:20 1999
From: phil at hands.com (Philip Hands)
Date: 10 Dec 1999 17:13:20 +0000
Subject: [David Huggins-Daines ] Bug#52414: ssh-add uses ssh-askpass, but ssh doesn't
Message-ID: <87vh6690sv.fsf@sheikh.hands.com>

Damien,

Here's a forwarded bug for you.

Cheers, Phil.

--[[message/rfc822]]
Subject: Bug#52414: ssh-add uses ssh-askpass, but ssh doesn't
Reply-To: David Huggins-Daines , 52414 at bugs.debian.org
Resent-From: David Huggins-Daines
Resent-To: debian-bugs-dist at lists.debian.org
Resent-CC: Philip Hands
Resent-Date: Fri, 10 Dec 1999 04:18:07 GMT
Resent-Message-ID:
Resent-Sender: owner at bugs.debian.org
Date: Thu, 9 Dec 1999 23:10:16 -0500
From: David Huggins-Daines
To: submit at bugs.debian.org
Message-ID: <19991209231016.A9982 at elgin.plcom.on.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Package: ssh
Version: 1.2pre16-1
Severity: normal

Hi,

OpenSSH's 'ssh' program doesn't seem to mimic the non-free SSH's behaviour
of calling ssh-askpass when it's not possible to read the pass{phrase,word}
from a terminal. This is rather inconvenient for things like pcl-cvs in
Emacs.

Here's a patch that makes OpenSSH act more like the non-free one:

diff -ur openssh-1.2pre16/readpass.c openssh-1.2pre16.patched/readpass.c
--- openssh-1.2pre16/readpass.c Wed Nov 24 19:54:59 1999
+++ openssh-1.2pre16.patched/readpass.c Thu Dec 9 22:34:23 1999
@@ -38,6 +38,47 @@ kill(getpid(), sig); } +/* Calls the external program specified to read a passphrase (usually + used to invoke ssh-askpass when running with $DISPLAY but no TTY) */ + +char * +ssh_askpass(const char *askpass, const char *msg) +{ + pid_t pid; + size_t len; + char *nl, *pass; + int p[2], status; + char buf[1024]; + + if (askpass == NULL) + fatal("internal error: askpass undefined"); + if (pipe(p) < 0) + fatal("ssh_askpass: pipe: %s", strerror(errno)); + if ((pid = fork()) < 0) + fatal("ssh_askpass: fork: %s", strerror(errno)); + if (pid == 0) { + close(p[0]); + if (dup2(p[1], STDOUT_FILENO) < 0) + fatal("ssh_askpass: dup2: %s", strerror(errno)); + execlp(askpass, askpass, msg, (char *) 0); + fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno)); + } + close(p[1]); + len = read(p[0], buf, sizeof buf); + close(p[0]); + while (waitpid(pid, &status, 0) < 0) + if (errno != EINTR) + break; + if (len <= 1) + return xstrdup(""); + nl = strchr(buf, '\n'); + if (nl) + *nl = '\0'; + pass = xstrdup(buf); + memset(buf, 0, sizeof(buf)); + return pass; +} + /* * Reads a passphrase from /dev/tty with echo turned off. Returns the * passphrase (allocated with xmalloc). Exits if EOF is encountered. The diff -ur openssh-1.2pre16/ssh-add.c openssh-1.2pre16.patched/ssh-add.c --- openssh-1.2pre16/ssh-add.c Sun Dec 5 19:47:29 1999 +++ openssh-1.2pre16.patched/ssh-add.c Thu Dec 9 22:11:03 1999 
@@ -50,44 +50,6 @@ fprintf(stderr, "Failed to remove all identitities.\n"); } -char * -ssh_askpass(char *askpass, char *msg) -{ - pid_t pid; - size_t len; - char *nl, *pass; - int p[2], status; - char buf[1024]; - - if (askpass == NULL) - fatal("internal error: askpass undefined"); - if (pipe(p) < 0) - fatal("ssh_askpass: pipe: %s", strerror(errno)); - if ((pid = fork()) < 0) - fatal("ssh_askpass: fork: %s", strerror(errno)); - if (pid == 0) { - close(p[0]); - if (dup2(p[1], STDOUT_FILENO) < 0) - fatal("ssh_askpass: dup2: %s", strerror(errno)); - execlp(askpass, askpass, msg, (char *) 0); - fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno)); - } - close(p[1]); - len = read(p[0], buf, sizeof buf); - close(p[0]); - while (waitpid(pid, &status, 0) < 0) - if (errno != EINTR) - break; - if (len <= 1) - return xstrdup(""); - nl = strchr(buf, '\n'); - if (nl) - *nl = '\0'; - pass = xstrdup(buf); - memset(buf, 0, sizeof(buf)); - return pass; -} - void add_file(AuthenticationConnection *ac, const char *filename) { diff -ur openssh-1.2pre16/ssh.c openssh-1.2pre16.patched/ssh.c --- openssh-1.2pre16/ssh.c Thu Dec 9 22:29:24 1999 +++ openssh-1.2pre16.patched/ssh.c Thu Dec 9 23:03:19 1999 @@ -81,6 +81,9 @@ /* Original real UID. */ uid_t original_real_uid; +/* Flag indicating whether we should try to use ssh-askpass or not */ +int use_askpass = 0; + /* Prints a help message to the user. This function never returns. */ void 
@@ -430,10 +433,20 @@ /* Do not allocate a tty if stdin is not a tty. */ if (!isatty(fileno(stdin))) { + FILE *dummy; if (tty_flag) fprintf(stderr, "Pseudo-terminal will not be allocated because stdin is not a terminal.\n"); tty_flag = 0; + + /* Now to check if we should be using askpass */ + if ((dummy = fopen("/dev/tty", "r"))) { + fclose(dummy); + } else { + if (getenv("DISPLAY")) + use_askpass = 1; + } } + /* Get user data. */ pw = getpwuid(original_real_uid); if (!pw) { diff -ur openssh-1.2pre16/ssh.h openssh-1.2pre16.patched/ssh.h --- openssh-1.2pre16/ssh.h Thu Dec 9 22:29:24 1999 +++ openssh-1.2pre16.patched/ssh.h Thu Dec 9 22:14:30 1999 @@ -429,6 +429,12 @@ char *read_passphrase(const char *prompt, int from_stdin); /* + * Attempts to call the ssh-askpass program to read a passphrase when + * there is no tty and $DISPLAY is set. + */ +char *ssh_askpass(const char *askpass, const char *msg); + +/* * Saves the authentication (private) key in a file, encrypting it with * passphrase. The identification of the file (lowest 64 bits of n) will * precede the key to provide identification of the key without needing a diff -ur openssh-1.2pre16/sshconnect.c openssh-1.2pre16.patched/sshconnect.c --- openssh-1.2pre16/sshconnect.c Mon Dec 6 23:38:32 1999 +++ openssh-1.2pre16.patched/sshconnect.c Thu Dec 9 23:00:54 1999 @@ -36,6 +36,9 @@ extern Options options; +/* Needed to determine whether to use ssh-askpass or not */ +extern int use_askpass; + /* * Connect to the given ssh server using a proxy command. */ 
@@ -538,9 +541,16 @@ char buf[300]; snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ", comment); - if (!options.batch_mode) - passphrase = read_passphrase(buf, 0); - else { + if (!options.batch_mode) { + if (use_askpass) { + const char * askpass; + if ((askpass = getenv(SSH_ASKPASS_ENV))) + passphrase = ssh_askpass(askpass, buf); + else + passphrase = ssh_askpass(SSH_ASKPASS_DEFAULT, buf); + } else + passphrase = read_passphrase(buf, 0); + } else { debug("Will not query passphrase for %.100s in batch mode.", comment); passphrase = xstrdup(""); @@ -921,7 +931,14 @@ for (i = 0; i < options.number_of_password_prompts; i++) { if (i != 0) error("Permission denied, please try again."); - response = read_passphrase("Response: ", 0); + if (use_askpass) { + const char * askpass; + if ((askpass = getenv(SSH_ASKPASS_ENV))) + response = ssh_askpass(askpass, "Response: "); + else + response = ssh_askpass(SSH_ASKPASS_DEFAULT, "Response: "); + } else + response = read_passphrase("Response: ", 0); packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); packet_put_string(response, strlen(response)); memset(response, 0, strlen(response)); @@ -954,7 +971,14 @@ for (i = 0; i < options.number_of_password_prompts; i++) { if (i != 0) error("Permission denied, please try again."); - password = read_passphrase(prompt, 0); + if (use_askpass) { + const char * askpass; + if ((askpass = getenv(SSH_ASKPASS_ENV))) + password = ssh_askpass(askpass, prompt); + else + password = ssh_askpass(SSH_ASKPASS_DEFAULT, prompt); + } else + password = read_passphrase(prompt, 0); packet_start(SSH_CMSG_AUTH_PASSWORD); packet_put_string(password, strlen(password)); memset(password, 0, strlen(password)); Cheers --[[text/plain]] From jmknoble at pobox.com Sat Dec 11 06:11:41 1999 
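Review bot: in the readpass.c hunk, `len` is declared `size_t` but `read()` returns `ssize_t`, so a failed read (-1) becomes a huge unsigned value, slips past `if (len <= 1)`, and `strchr(buf, '\n')` then scans an uninitialised `buf`; a reply that fills all 1024 bytes likewise leaves no room for the NUL that strchr and xstrdup rely on. Since the function is being moved out of ssh-add.c anyway, this is the moment to make it `ssize_t len = read(p[0], buf, sizeof buf - 1);`, keep the `len <= 1` early return, and add `buf[len] = '\0';` before the strchr. The `status` filled in by waitpid is also never examined, so an askpass program that exits non-zero is indistinguishable from one that returned an empty passphrase.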
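Review bot: in the ssh.c hunk, `if (getenv("DISPLAY"))` is also true when DISPLAY is set to the empty string, which would select the askpass path with no display to show the dialog on; test the value as well, e.g. `(d = getenv("DISPLAY")) != NULL && *d != '\0'`. A debug() line recording the outcome of the /dev/tty probe would help users work out why no prompt appeared.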
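Review bot: the three sshconnect.c hunks repeat the same five-line `getenv(SSH_ASKPASS_ENV)` / `SSH_ASKPASS_DEFAULT` selection verbatim; fold it, together with the `use_askpass` test, into one helper (read_passphrase itself is the natural place, since all three call sites already go through it) so that a future prompt site cannot miss the askpass path. Because the selected program comes straight from the environment and is handed to execlp in ssh_askpass, and ssh keeps an `original_real_uid` because it may run setuid, the helper should also be documented as safe to call only after privileges have been dropped.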
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 10 Dec 1999 14:11:41 -0500
Subject: New x11-ssh-askpass release available
In-Reply-To: <87bt7yafjg.fsf@sheikh.hands.com>; from Philip Hands on Fri, Dec 10, 1999 at 05:09:39PM +0000
References: <19991205233415.G12383@quipu.earth> <87bt7yafjg.fsf@sheikh.hands.com>
Message-ID: <19991210141141.A25168@ntrnet.net>

I've just heard this week from Markus Friedl that x11-ssh-askpass is in
OpenBSD's CVS tree in the X11 section. I need to make absolutely sure that
what they have and what i have are in sync before it goes anywhere else,
and i haven't had time to do that yet. (I'm leaving Sunday for a Linux
Standard Base meeting and then The Bazaar in New York, and i won't be back
until the following Sunday, so it might take a bit.)

Once that's done, it's up to Damien whether it should be in the OpenSSH
port or not; i'd really like to autoconf-ify it, but i don't have so much
experience doing that. Perhaps one or two folks here could help once it
does (or doesn't) get in the OpenSSH package.

I don't particularly see any reason to exclude the other ssh-askpass
implementations other than that it's more difficult to maintain two or
three implementations than one. It seems good to let folks choose which
one they prefer.

--
jim knoble
jmknoble at pobox.com

On 1999-Dec-10 at 17:09:39 +0000, Philip Hands wrote:

: Given that this requires the least (in terms of library dependencies) of
: all the Free ssh-askpass implementations available to us, is it going
: to be adopted as the default?
:
: It seems to make sense to put this in the main source tree (as
: ssh-askpass) and to get rid of the other two, to remove clutter, but
: perhaps I'm missing some reason that people might prefer the gnome or
: perl-tk versions.

From karn at ka9q.ampr.org Sat Dec 11 06:35:01 1999
From: karn at ka9q.ampr.org (Phil Karn)
Date: Fri, 10 Dec 1999 11:35:01 -0800
Subject: scp with openssh on the server side and $PATH.
In-Reply-To: (Marc.Haber-lists@gmx.de)
Message-ID: <199912101935.LAA13990@homer.ka9q.ampr.org>

>When I try to use scp from or to a machine that runs openssh-1.2pre16
>on Debian Linux, I keep getting the error message "scp: command not
>found". Executing "ssh this-host echo \$PATH" yields

I worked around this problem by doing

ln -s /usr/local/bin/scp /usr/bin

Perhaps not the most elegant fix, since most people probably expect that
when they do an ssh remote execution, they'll get the same PATH they'd get
if they logged in. Dunno how to do that without rereading the user's
profile each time, though.

--Phil

From mark.baushke at solipsa.com Sat Dec 11 07:48:07 1999
From: mark.baushke at solipsa.com (Mark D. Baushke)
Date: Fri, 10 Dec 1999 12:48:07 -0800
Subject: problems with 1.2pre17 on solaris2.6
Message-ID: <199912102048.MAA18311@mozart.solipsa.com>

On Solaris2.6, I have just run into some problems when using the 1.2pre17
scp to another box with either 1.2pre16 or 1.2pre17 on it. The scp dies
with an "Alarm Clock" problem on larger files (the failure case file is a
1297920 byte solaris package.). It does not always die in the same place.

openssh-1.2pre17-spa 51% |************** | qd 00:00 ETAAlarm Clock
Write failed flushing stdout buffer.
write stdout: Broken pipe

I have not yet tracked down the problem. Hints welcome.

This does not appear to be a problem with the i386 version of 1.2pre17.

Copying the same file using scp from ssh-1.2.27 (with RSAREF) had no
problems.

-- Mark

% ./scp -v /tmp/openssh-1.2pre17-sparc-sol26-local mdb01.solipsa.com:/tmp/junk
Executing: host mdb01.solipsa.com, user (unspecified), command scp -v -t /tmp/junk
SSH Version 1.2.27 [sparc-sun-solaris2.6], protocol version 1.5.
Compiled with RSAREF.
weblblend01: ssh_connect: getuid 1005 geteuid 0 anon 0
weblblend01: Connecting to mdb01.solipsa.com [216.132.90.209] port 22.
weblblend01: Allocated local port 1023.
weblblend01: Connection established.
weblblend01: Remote protocol version 1.5, remote software version OpenSSH-1.2
weblblend01: Waiting for server public key.
weblblend01: Received server public key (768 bits) and host key (1024 bits).
weblblend01: Host 'mdb01.solipsa.com' is known and matches the host key.
weblblend01: Initializing random; seed file /export/home/mdb/.ssh/random_seed
weblblend01: IDEA not supported, using 3des instead.
weblblend01: Encryption type: 3des
weblblend01: Sent encrypted session key.
weblblend01: Installing crc compensation attack detector.
weblblend01: Received encrypted confirmation.
weblblend01: No agent.
weblblend01: Doing password authentication.
mdb at mdb01.solipsa.com's password:
weblblend01: Sending command: scp -v -t /tmp/junk
weblblend01: Entering interactive session.
Sending file modes: C0644 1297920 openssh-1.2pre17-sparc-sol26-local
openssh-1.2pre17-spa 42% |************ | qd 00:01 ETAAlarm Clock
%
Write failed flushing stdout buffer.
write stdout: Broken pipe
weblblend01: Transferred: stdin 935985, stdout 27, stderr 27 bytes in 2.4 seconds
weblblend01: Bytes per second: stdin 384021.6, stdout 11.1, stderr 11.1
weblblend01: Exit status -1

From phil at hands.com Sat Dec 11 04:50:13 1999
From: phil at hands.com (Philip Hands)
Date: 10 Dec 1999 17:50:13 +0000
Subject: scp with openssh on the server side and $PATH.
In-Reply-To: (Marc Haber's message of "Fri, 10 Dec 1999 16:32:28 GMT")
References:
Message-ID: <87n1ri8z3e.fsf@sheikh.hands.com>

Marc.Haber-lists at gmx.de (Marc Haber) writes:

> Hi!
>
> When I try to use scp from or to a machine that runs openssh-1.2pre16
> on Debian Linux, I keep getting the error message "scp: command not
> found". Executing "ssh this-host echo \$PATH" yields
> "/usr/bin:/bin:/usr/sbin:/sbin:" which might be set in config.h.
>
> sshd is installed to /usr/local/stow/openssh-1.2pre16/sbin, scp to
> /usr/local/stow/openssh-1.2pre16/bin; both programs are then symlinked
> so that they can be found in /usr/local/[s]bin.

I suggest you install the debian package, rather than build it yourself.
You can grab it thus:

apt-get install ssh

Then it'll just work (or you get to report a bug to me ;-)

It shouldn't be too long before 1.2pre17 gets into the non-us.debian.org
archive, but if you're desperate, look here:

http://www.hands.com/~phil/debian/openssh/ssh_1.2pre17-1_i386.deb

Cheers, Phil.

From damien at ibs.com.au Sat Dec 11 10:21:29 1999
From: damien at ibs.com.au (Damien Miller)
Date: Sat, 11 Dec 1999 10:21:29 +1100
Subject: [David Huggins-Daines ] Bug#52414: ssh-add uses ssh-askpass, but ssh doesn't
References: <87vh6690sv.fsf@sheikh.hands.com>
Message-ID: <38518AF9.F20188CD@ibs.com.au>

Philip Hands wrote:
>
> Damien,
>
> Here's a forwarded bug for you.
>
> Cheers, Phil.
> --[[message/rfc822]]
> Subject: Bug#52414: ssh-add uses ssh-askpass, but ssh doesn't
> Reply-To: David Huggins-Daines , 52414 at bugs.debian.org
> Resent-From: David Huggins-Daines
> Resent-To: debian-bugs-dist at lists.debian.org
> Resent-CC: Philip Hands
> Resent-Date: Fri, 10 Dec 1999 04:18:07 GMT
> Resent-Message-ID:
> Resent-Sender: owner at bugs.debian.org
> Date: Thu, 9 Dec 1999 23:10:16 -0500
> From: David Huggins-Daines
> To: submit at bugs.debian.org
> Message-ID: <19991209231016.A9982 at elgin.plcom.on.ca>
> Mime-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
>
> Package: ssh
> Version: 1.2pre16-1
> Severity: normal
>
> Hi,
>
> OpenSSH's 'ssh' program doesn't seem to mimic the non-free SSH's behaviour
> of calling ssh-askpass when it's not possible to read the pass{phrase,word}
> from a terminal.

Isn't that what ssh-agent is for?

Damien

From djm at mindrot.org Sat Dec 11 10:33:32 1999
From: djm at mindrot.org (Damien Miller)
Date: Sat, 11 Dec 1999 10:33:32 +1100 (EST)
Subject: New x11-ssh-askpass release available
In-Reply-To: <87bt7yafjg.fsf@sheikh.hands.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10 Dec 1999, Philip Hands wrote:

> Jim Knoble writes:
>
> > http://www.pobox.com/~jmknoble/jmk/x11-ssh-askpass-1999.12.04.tar.gz
> ...
> > X11-ssh-askpass is a drop-in passphrase dialog for OpenSSH, based solely
> > on the regular X11 libraries (libX11, libXt), with a default look and
> > feel similar to the passphrase dialog present in recent releases of the
> > not-so-open SSH-1.2.x.
>
> Given that this requires least (in terms of library dependencies) of
> all the Free ssh-askpass implementations available to us, is it going
> to be adopted as the default?
>
> It seems to make sense to put this in the main source tree (as
> ssh-askpass) and to get rid of the other two, to remove clutter, but
> perhaps I'm missing some reason that people might prefer the gnome or
> perl-tk versions.

I am considering separating the gnome and the perl-tk askpasses out of the tree that I distribute.

Since Markus added the ability to choose which particular askpass program is used at runtime it makes sense to offer a few different packages.

If Jim has no objection, I might start RPM packaging his askpass program and distributing it with the other RPMs I build.

The perl-tk askpass concerns me a bit. Perl is a big interpreted language with plenty of opportunities for a user's passphrase to end up in VM and no way to ensure its erasure.

Regards,
Damien

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4UY3PormJ9RG1dI8RArbSAJ4zG4T20Cvgh+y2DIquaLVnJkf28ACcCW3X
+v7D2JKq49OVEOBGw5LswLQ=
=wrdx
-----END PGP SIGNATURE-----

From djm at mindrot.org Sat Dec 11 10:39:27 1999
From: djm at mindrot.org (Damien Miller)
Date: Sat, 11 Dec 1999 10:39:27 +1100 (EST)
Subject: New x11-ssh-askpass release available
In-Reply-To: <19991210141141.A25168@ntrnet.net>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 10 Dec 1999, Jim Knoble wrote:

> I've just heard this week from Markus Friedl that x11-ssh-askpass is
> in OpenBSD's CVS tree in the X11 section. I need to make absolutely
> sure that what they have and what i have are in sync before it goes
> anywhere else, and i haven't had time to do that yet. (I'm leaving
> Sunday for a Linux Standard Base meeting and then The Bazaar in New
> York, and i won't be back until the following Sunday, so it might
> take a bit.)

I am _very_ jealous :)

> Once that's done, it's up to Damien whether it should be in the
> OpenSSH port or not; i'd really like to autoconf-ify it, but i don't
> have so much experience doing that. Perhaps one or two folks here
> could help once it does (or doesn't) get in the OpenSSH package.

The next lot of packages I am building will have separate tarballs for the askpass programs, so integration with autoconf is less of an issue. xmkmf should work for any X11 system.

> I don't particularly see any reason to exclude the other ssh-askpass
> implementations other than that it's more difficult to maintain
> two or three implementations than one. It seems good to let folks
> choose which one they prefer.

That's the plan - users can select at runtime using the SSH_ASKPASS env variable.

Regards,
Damien

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4UY8zormJ9RG1dI8RAoQQAKDd+11EPIzuI/8htAJXiairkW/HoACfessK
5lshAzExCruVCaL8funNldc=
=Luh5
-----END PGP SIGNATURE-----

From Marc.Haber-lists at gmx.de Sun Dec 12 01:04:34 1999
From: Marc.Haber-lists at gmx.de (Marc Haber)
Date: Sat, 11 Dec 1999 14:04:34 GMT
Subject: scp with openssh on the server side and $PATH.
In-Reply-To: <87n1ri8z3e.fsf@sheikh.hands.com>
References: <87n1ri8z3e.fsf@sheikh.hands.com>
Message-ID:

On 10 Dec 1999 17:50:13 +0000, you wrote:
>I suggest you install the debian package, rather than build it
>yourself. You can grab it thus:
>
> apt-get install ssh
>
>Then it'll just work (or you get to report a bug to me ;-)

Nope. slink here. The binary package depends on libc6.1, the source package doesn't build because stropts.h is in libc6-dev from potato, but not in slink's.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         | " Questions are the           | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom "         | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29

From Marc.Haber-lists at gmx.de Sun Dec 12 01:04:34 1999
From: Marc.Haber-lists at gmx.de (Marc Haber)
Date: Sat, 11 Dec 1999 14:04:34 GMT
Subject: scp with openssh on the server side and $PATH.
In-Reply-To: <199912101935.LAA13990@homer.ka9q.ampr.org>
References: <199912101935.LAA13990@homer.ka9q.ampr.org>
Message-ID:

On Fri, 10 Dec 1999 11:35:01 -0800, you wrote:
>I worked around this problem by doing
>
>ln -s /usr/local/bin/scp /usr/bin
>
>Perhaps not the most elegant fix,

Clumsy and ugly, yes ;-) I'd only do that if no other solution comes up.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         | " Questions are the           | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom "         | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29

From kern at sibbald.com Sun Dec 12 03:43:05 1999
From: kern at sibbald.com (Kern Sibbald)
Date: Sat, 11 Dec 1999 17:43:05 +0100
Subject: Hello
Message-ID: <01BF43FF.2E365F60.kern@sibbald.com>

Hello,

I have just joined your mailing list, and I thought I would introduce myself. My name is Kern Sibbald, I live in Switzerland, and I am not a US citizen or employed by any company (no license problems). I've been programming for about 35 years now and would like to possibly make a few contributions to OpenSSH.

I had previously installed ssh 1.x? then ssh2, which is rather nice, but when I read the license, I was horrified about the changes between 1.x and 2 so I removed it from my system. Then a month later I stumbled on OpenSSH. Neat and thanks.

I now have it running on my system, but it wasn't easy and there are a lot of things that I don't yet understand, like why it always uses 3des when I am me (kern) and uses blowfish (as configured) when I am root, and why I cannot seem to make it do RSAHost authorization and RSA user authorization. It does RSAHost authorization if I connect as root and RSA user authorization if I connect as kern. At least that is how I interpret the debug output.

I thought I might contribute in the following ways:

1. Correct/enhance the manual where I found errors and deficiencies (for example, it wasn't immediately clear the distinction between RSA authentication and RSH host authentication. If one substitutes RSA user authentication for the former, things become a bit easier to understand.)

2. Provide a step by step installation for dummies like myself. There are a zillion files to be setup to get it working after the "make install" and there are a number of traps such as /etc/shosts is not used for root access -hmm.

3. I don't like the idea that the identity files and authorized_keys are kept in the user's home directory. That is certainly a valid option, but on my system, I want everything kept in /etc/ssh, and subdirectories, and only readable by root.
ssh2 permitted this with the UserConfigDirectory configuration statement. I'd like to add the code to do this in OpenSSH.

By the way, for the next 6 or 7 months I don't have a lot of time to devote to this (max 20%).

Does this interest you?

Best regards,
Kern

From dhd at plcom.on.ca Mon Dec 13 08:55:06 1999
From: dhd at plcom.on.ca (David Huggins-Daines)
Date: Sun, 12 Dec 1999 16:55:06 -0500
Subject: [David Huggins-Daines ] Bug#52414: ssh-add uses ssh-askpass, but ssh doesn't
In-Reply-To: <38518AF9.F20188CD@ibs.com.au>; from damien@ibs.com.au on Sat, Dec 11, 1999 at 10:21:29AM +1100
References: <87vh6690sv.fsf@sheikh.hands.com> <38518AF9.F20188CD@ibs.com.au>
Message-ID: <19991212165506.A817@plcom.on.ca>

On Sat, Dec 11, 1999 at 10:21:29AM +1100, Damien Miller wrote:
> > OpenSSH's 'ssh' program doesn't seem to mimic the non-free SSH's behaviour
> > of calling ssh-askpass when it's not possible to read the pass{phrase,word}
> > from a terminal.
>
> Isn't that what ssh-agent is for?

Unless you're not using RSA authentication. Granted, you *should* be using RSA authentication, but that isn't always the case.

From markus.friedl at informatik.uni-erlangen.de Mon Dec 13 09:27:42 1999
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 12 Dec 1999 23:27:42 +0100
Subject: [David Huggins-Daines ] Bug#52414: ssh-add uses ssh-askpass, but ssh doesn't
In-Reply-To: <87vh6690sv.fsf@sheikh.hands.com>
References: <87vh6690sv.fsf@sheikh.hands.com>
Message-ID: <19991212232742.A14015@folly.informatik.uni-erlangen.de>

On Fri, Dec 10, 1999 at 05:13:20PM +0000, Philip Hands wrote:
> OpenSSH's 'ssh' program doesn't seem to mimic the non-free SSH's behaviour
> of calling ssh-askpass when it's not possible to read the pass{phrase,word}
> from a terminal.

hm, this is not a bug in openssh. i don't want ssh (setuid root) exec a X11 program.

-markus

From gordonr at gormand.com.au Mon Dec 13 15:40:45 1999
From: gordonr at gormand.com.au (Gordon Rowell)
Date: Mon, 13 Dec 1999 15:40:45 +1100 (EST)
Subject: Minor patches to openssh-1.2pre17 for Solaris
In-Reply-To:
Message-ID:

On Fri, 10 Dec 1999, Damien Miller wrote:

> On Thu, 9 Dec 1999, Gordon Rowell wrote:
> [...]
> > Also, it would be nice to be able to set up LFLAGS somehow, to
> > provide the following:
> >
> > LFLAGS=-R/usr/local/lib
>
> You can do this with configure:
>
> LDFLAGS=-R/usr/local/lib ./configure[options]
>
> They should get propagated thru to the Makefile.

Sure, but how about this so that people don't need extra magic environment variables? It might be applicable to more than SunOS/Solaris, but I have guarded it for SunOS/Solaris for now.

*** configure.orig Mon Dec 13 15:33:55 1999 --- configure Mon Dec 13 15:39:28 1999 *************** *** 1017,1022 **** --- 1017,1026 ---- if test "$ssldir" != "/usr"; then CFLAGS="$CFLAGS -I$ssldir/include" LIBS="$LIBS -L$ssldir/lib" + case "`uname -s`" in + "SunOS") LDFLAGS="$LDFLAGS -R$ssldir/lib" + ;; + esac fi LIBS="$LIBS -lssl -lcrypto" echo "$ac_t""$ssldir" 1>&6

Gordon
--
Gordon Rowell                        Email: Gordon.Rowell at gormand.com.au
Gormand Pty Ltd (ACN 067 684 548)    http://www.gormand.com.au
P.O. Box 239 St Pauls NSW 2031       Mobile: +61 (0418) 467 366
/* What a pile of australian legislature. */ - Alan Cox

From phil at hands.com Tue Dec 14 03:34:28 1999
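Review bot: the guard in the added `case` block keys on `uname -s` of the machine running configure, and the patch is against the generated configure rather than configure.in, so it is lost the next time autoconf regenerates the script and it picks the wrong branch when the build machine is not the target. Put the change in configure.in and test the autoconf host type there (AC_CANONICAL_HOST, then `case "$host" in *-*-solaris*)`) instead of shelling out to uname. The `-R` goes into LDFLAGS while the matching `-L$ssldir/lib` goes into LIBS, which is consistent with the surrounding lines, but anyone who already follows the quoted advice of passing `LDFLAGS=-R/usr/local/lib` to configure will end up with the run-path listed twice; harmless, but worth a comment.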
From: phil at hands.com (Philip Hands)
Date: 13 Dec 1999 16:34:28 +0000
Subject: [David Huggins-Daines ] Bug#52414: ssh-add uses ssh-askpass, but ssh doesn't
In-Reply-To: <19991212232742.A14015@folly.informatik.uni-erlangen.de> (Markus Friedl's message of "Sun, 12 Dec 1999 23:27:42 +0100")
References: <87vh6690sv.fsf@sheikh.hands.com> <19991212232742.A14015@folly.informatik.uni-erlangen.de>
Message-ID: <87u2lmby0b.fsf@sheikh.hands.com>

Markus Friedl writes:

> On Fri, Dec 10, 1999 at 05:13:20PM +0000, Philip Hands wrote:
> > OpenSSH's 'ssh' program doesn't seem to mimic the non-free SSH's behaviour
> > of calling ssh-askpass when it's not possible to read the pass{phrase,word}
> > from a terminal.
>
> hm, this is not a bug in openssh. i don't want ssh (setuid root)
> exec a X11 program.

That's a very good point.

David, perhaps you should just use ssh-agent.

I'm closing this bug --- Feel free to persuade me otherwise.

Cheers, Phil.

From phil at hands.com Tue Dec 14 03:55:45 1999
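Markus's objection in this thread, that a set-user-id root ssh should not exec an X11 program, is a least-privilege argument: whatever the helper does, it would do with root's effective uid and with whatever environment the invoking user chose. As an added illustration (my own example, not code from OpenSSH or from anyone on this thread), here is the defensive shape a program that launches a display helper can take: refuse to launch while any set-uid privilege is in effect, and give the helper only an explicitly built environment. The helper path, the allow-listed variable names and the fixed PATH are assumptions for the example; the demo runs /bin/sh in place of a real askpass program so it can check what the child actually sees.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* True while the effective uid differs from the real uid, i.e. the process
 * still carries set-user-id privilege on behalf of another user. */
int running_with_elevated_uid(void)
{
    return geteuid() != getuid();
}

/* Build the helper's environment from an explicit allow-list instead of
 * passing the caller's whole environment through.  Only DISPLAY and
 * XAUTHORITY (what an X11 dialog needs) and a fixed PATH are handed over;
 * everything else the invoking user set is dropped.  envp must have room
 * for at least 4 entries; returns the number of entries written. */
size_t build_helper_env(char **envp, size_t max,
                        const char *display, const char *xauthority)
{
    static char display_var[256];        /* storage must outlive the call */
    static char xauth_var[1024];
    size_t n = 0;

    if (display && n + 1 < max) {
        snprintf(display_var, sizeof display_var, "DISPLAY=%s", display);
        envp[n++] = display_var;
    }
    if (xauthority && n + 1 < max) {
        snprintf(xauth_var, sizeof xauth_var, "XAUTHORITY=%s", xauthority);
        envp[n++] = xauth_var;
    }
    if (n + 1 < max)
        envp[n++] = "PATH=/usr/bin:/bin";   /* assumed system PATH */
    envp[n] = NULL;
    return n;
}

/* Run an external helper only when no set-uid privilege is in effect, with
 * the scrubbed environment.  Returns the helper's exit status (0..255), or
 * -1 when refused, when fork() fails, or when the helper could not be run. */
int run_helper_unprivileged(const char *path, char *const argv[],
                            const char *display, const char *xauthority)
{
    char *envp[4];
    int status;

    if (running_with_elevated_uid())
        return -1;                       /* refuse rather than exec as root */

    build_helper_env(envp, 4, display, xauthority);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127);                      /* exec failed in the child */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status);
}

/* Demo 1: ask /bin/sh to prove it only sees the allow-listed variables
 * (no HOME, the fixed PATH) and then to exit with a recognisable code. */
int demo_scrubbed_helper(void)
{
    char *const argv[] = { "sh", "-c",
        "test -z \"$HOME\" && test \"$PATH\" = /usr/bin:/bin && exit 3", NULL };
    return run_helper_unprivileged("/bin/sh", argv, ":0", NULL);
}

/* Demo 2: a helper that does not exist is reported as -1, not as the
 * shell-style 127 that a caller might mistake for a real exit code.
 * The path is a placeholder that is assumed not to exist. */
int demo_missing_helper(void)
{
    char *const argv[] = { "askpass", NULL };
    return run_helper_unprivileged("/nonexistent/askpass-helper", argv, ":0", NULL);
}

int main(void)
{
    printf("scrubbed helper exit status: %d (3 = only allow-listed env seen)\n",
           demo_scrubbed_helper());
    printf("missing helper: %d\n", demo_missing_helper());
    return 0;
}
```

The refusal check is the important line: the same `geteuid() != getuid()` test is what tells a set-uid binary that it is still holding privilege it has not given up, and launching anything large and user-facing in that state is what Markus declined to do.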
From: phil at hands.com (Philip Hands)
Date: 13 Dec 1999 16:55:45 +0000
Subject: New x11-ssh-askpass release available
In-Reply-To: (Damien Miller's message of "Sat, 11 Dec 1999 10:33:32 +1100 (EST)")
References: <87bt7yafjg.fsf@sheikh.hands.com>
Message-ID: <87k8mibx0u.fsf@sheikh.hands.com>

Damien Miller writes:

> I am considering separating the gnome and the perl-tk askpasses out
> of the tree that I distribute.
>
> Since Markus added the ability to choose which particular askpass
> program is used at runtime it makes sense to offer a few different
> packages.
>
> If Jim has no objection, I might start RPM packaging his askpass
> program and distributing it with the other RPMs I build.

Can we call it ssh-askpass-x11 in that case, because it makes it easier to find in file listings.

I would like to package it for debian, regardless of whether it gets put in the main source tree.

Is there really any need for us to have more than one of these?

> The perl-tk askpass concerns me a bit. Perl is a big interpreted
> language with plenty of opportunities for a users passphrase to
> end up in VM and no way to ensure its erasure.

I think dropping this is probably the right thing to do. It was good to have a fix for when there was nothing else available, but I cannot see anyone choosing the perl-tk option over one of the other two.

I'm going to stop packaging ssh-askpass-ptk as soon as the ssh-askpass-x11 package gets done. I'm only holding back on that because I was wondering what version numbers we'd end up using for it (1999... or 1.2pre...)

I think the right thing to do is to make Jim's implementation the default ssh-askpass and include that in the OpenSSH source tree.

A separate package of ssh-askpass-gnome is fair enough if you think that some people will opt for it over ssh-askpass, but otherwise just gives people a choice they don't need.

I'll probably make the packages conflict anyway, so that it's a systemwide decision.

Cheers, Phil.
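Damien's concern about the perl-tk askpass, which Phil agrees with above, is a memory-hygiene point: an interpreter copies strings freely and offers no way to erase them, so a passphrase can outlive its use. A compiled helper can bound that lifetime. The following is an added example written for this archive, not code from any of the askpass programs discussed: it reads a passphrase into one fixed buffer and erases it through a volatile pointer, the idiom a C optimiser will not remove as a dead store. The buffer size and the pipe used to stand in for ssh-add's input are assumptions of the example.

```c
#define _XOPEN_SOURCE 700
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PASS_MAX 256   /* assumed upper bound for the example */

/* Overwrite a buffer in a way the optimizer must honour.  A plain memset()
 * on memory that is never read again is a dead store and may be removed;
 * writing through a volatile pointer forces every byte to be written. */
void secure_wipe(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Read one line from fd into a fixed, caller-owned buffer: no malloc, so
 * the secret has exactly one home that we know how to erase.  Strips the
 * trailing newline.  Returns the length, or -1 on a read error (the
 * buffer is wiped on that path too). */
ssize_t read_passphrase(int fd, char *buf, size_t bufsz)
{
    size_t n = 0;
    char c;

    while (n + 1 < bufsz) {
        ssize_t r = read(fd, &c, 1);
        if (r < 0) {
            secure_wipe(buf, bufsz);
            return -1;
        }
        if (r == 0 || c == '\n')
            break;
        buf[n++] = c;
    }
    buf[n] = '\0';
    return (ssize_t)n;
}

/* The askpass pattern: obtain the passphrase, hand it to the consumer,
 * and wipe it before this frame goes away.  Here the "consumer" only
 * measures it; a real helper would write it to ssh's pipe at that point. */
ssize_t askpass_once(int fd)
{
    char pass[PASS_MAX];
    ssize_t len = read_passphrase(fd, pass, sizeof pass);
    /* ... use pass here ... */
    secure_wipe(pass, sizeof pass);
    return len;
}

/* True when every byte in buf is zero. */
int is_wiped(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* Demo 1: feed a constructed passphrase through a pipe, standing in for
 * the terminal or helper ssh-add would read from; returns the length read. */
ssize_t demo_pipe_roundtrip(const char *line)
{
    int fds[2];
    ssize_t len;

    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], line, strlen(line)) < 0)
        return -1;
    close(fds[1]);
    len = askpass_once(fds[0]);
    close(fds[0]);
    return len;
}

/* Demo 2: fill a buffer with a secret, wipe it, and report whether any
 * byte survived. */
int demo_wipe_leaves_nothing(void)
{
    unsigned char secret[32];
    memset(secret, 'S', sizeof secret);
    secure_wipe(secret, sizeof secret);
    return is_wiped(secret, sizeof secret);
}

int main(void)
{
    printf("passphrase length: %zd\n", demo_pipe_roundtrip("correct horse\n"));
    printf("wiped cleanly: %d\n", demo_wipe_leaves_nothing());
    return 0;
}
```

The contrast with the perl-tk version is the whole point: here there is exactly one copy of the secret, on the stack of `askpass_once`, and it is gone before the function returns. An interpreter gives you neither guarantee.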
From phil at hands.com Tue Dec 14 04:06:52 1999
From: phil at hands.com (Philip Hands)
Date: 13 Dec 1999 17:06:52 +0000
Subject: scp with openssh on the server side and $PATH.
In-Reply-To: (Marc Haber's message of "Sat, 11 Dec 1999 14:04:34 GMT")
References: <87n1ri8z3e.fsf@sheikh.hands.com>
Message-ID: <87bt7ubwib.fsf@sheikh.hands.com>

Marc.Haber-lists at gmx.de (Marc Haber) writes:

> On 10 Dec 1999 17:50:13 +0000, you wrote:
> >I suggest you install the debian package, rather than build it
> >yourself. You can grab it thus:
> >
> > apt-get install ssh
> >
> >Then it'll just work (or you get to report a bug to me ;-)
>
> Nope. slink here. The binary package depends on libc6.1, the source
> package doesn't build because stropts.h is in libc6-dev from potato,
> but not in slink's.

So how are you building it yourself?

The Debian diff doesn't contain any references to stropts.h, so I've not introduced that dependency.

If you're having to tweak something to make it build, I'd appreciate it if you'd apply the same tweak to the debian source and tell me what needs to be done, because I'd like the debian source to build on slink too.

Cheers, Phil.

From dhall at apk.net Tue Dec 14 17:02:19 1999
From: dhall at apk.net (d. hall)
Date: Tue, 14 Dec 1999 01:02:19 -0500
Sub ject: openssh on AIX v4.3.3 with native compiler
Message-ID: <000101bf45f8$e963c8e0$fe9436cf@grahf>

edgy at us.ibm.com wrote:
> That patch fixed the first error I encountered.. Here is another perhaps
> you might have a suggestion. It is having problems with two extern declarations
> with different types and same name. Sorry to keep posting but I just started
> looking at this source tree and I am not comfortable making changes.. There
> are much better people to decide what to change than I :)

Excuse the bad parsing of this message, Outlook at fixed width may or may not butcher this message badly (please send any replies and/or CC: to my work address, Darren_Hall at progressive.com I can't seem to get Outlook to add Reply-to headers either =( )

Btw: I have a patch for configure.in to incorporate looking for GNU C compiler and #ifndef the "attribute(x)", as well as check against a native inline.

I've been attempting to port over openssh to AIX 4.2.1 (and correspondingly to 4.3.2 / 4.3.3)

The problem is "Options options" and "ServerOptions options", defined within ssh.c and sshd.c respectively. I believe channels.c attempt to locally define them within individual functions, unfortunately AIX's native compiler produces a more global scope.

What side effects would occur if the ServerOptions options variable was changed to soptions?

I just downloaded the source last night, and have been tinkering with it during the day. I've gotten it _very_ close to compiling (linker complained about an undefined options somewhere), before the end of the day. I also have done a lot of type casting to remove the frivolous warnings regarding (int *) != (unsigned int *). Let me know if I'm repeating any work done.

From Markus.Friedl at informatik.uni-erlangen.de Tue Dec 14 18:41:01 1999
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 14 Dec 1999 08:41:01 +0100
Subject: openssh on AIX v4.3.3 with native compiler
In-Reply-To: <000101bf45f8$e963c8e0$fe9436cf@grahf>; from dhall@apk.net on Tue, Dec 14, 1999 at 01:02:19AM -0500
References: <000101bf45f8$e963c8e0$fe9436cf@grahf>
Message-ID: <19991214084101.A29323@faui01.informatik.uni-erlangen.de>

On Tue, Dec 14, 1999 at 01:02:19AM -0500, d. hall wrote:
> What side effects would occur if the ServerOptions options variable was
> changed to soptions?

channels.c has been fixed in OpenSSH-current

> I also have done a lot of type casting to remove the frivolous warnings
> regarding (int *) != (unsigned int *). Let me know if I'm repeating any
> work done.

i'll look into these if time permits, could you please mail the warnings to markus at openssh.com. it's .com not .org, alas.

-markus

From bds at ucs.co.za Tue Dec 14 21:08:33 1999
From: bds at ucs.co.za (Berend De Schouwer)
Date: Tue, 14 Dec 1999 12:08:33 +0200 (SAST)
Subject: 1.2pre17 scp Input/Output error
Message-ID: <199912141016.MAA31048@jhb.ucs.co.za>

Under OpenSSH 1.2pre17 I can duplicate an Input/Output error for scp:

Conditions:
pc36 is a RH6.0/i386 box.
abc.co.za is a RH5.2/i386 box. (private network)
openssh 1.2 pre 17 on both boxes.
Line between them is a 128k leased line. It works between two 10baseT machines.
If the scrollbar is active, the scp fails, if it isn't active, scp works. Note that without the scrollbar, the file gets there and is valid.

I can try for an strace, but I'd rather not flood the mailing list. Also, server or client?

I've attached scp -v info because it's rather small, but useless.

---cut-here---
[bds at pc36 ssh-rh5]$ ls -la openssl-0.9.4-3.i386.rpm
-rwxr-xr-x 1 root root 653323 Dec 14 11:07 openssl-0.9.4-3.i386.rpm
[bds at pc36 ssh-rh5]$ scp openssl-0.9.4-3.i386.rpm root at abc.co.za:/tmp
root at abc.co.za's password:
openssl-0.9.4-3.i386 30% |******** | 196 KB - stalled -
openssl-0.9.4-3.i386.rpm: Input/output error
[bds at pc36 ssh-rh5]$ Killed by signal 2.
---cut-here---

Note: I had to press Ctrl-C (signal 2).

---cut-here---
[bds at pc36 ssh-rh5]$ scp openssl-0.9.4-3.i386.rpm root at abc.co.za:/tmp -q
root at abc.co.za's password:
[bds at pc36 ssh-rh5]$
---cut-here---

---cut-here---
[bds at pc36 ssh-rh5]$ scp openssl-0.9.4-3.i386.rpm root at abc.co.za:/tmp -q -v
Executing: host abc.co.za, user root, command scp -v -t /tmp
SSH Version OpenSSH-1.2, protocol version 1.5.
Compiled with SSL.
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 513 geteuid 0 anon 0
debug: Connecting to abc.co.za [10.128.1.1] port 22.
debug: Allocated local port 1023.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version OpenSSH-1.2
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'abc.co.za' is known and matches the host key.
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Doing password authentication.
root at abc.co.za's password:
debug: Sending command: scp -v -t /tmp
debug: Entering interactive session.
Sending file modes: C0755 653323 openssl-0.9.4-3.i386.rpm
debug: Transferred: stdin 653362, stdout 3, stderr 0 bytes in 66.0 seconds
debug: Bytes per second: stdin 9899.5, stdout 0.0, stderr 0.0
debug: Exit status 0
---cut-here---

The failed verbose looks the same, except the last few lines:

---cut-here---
Sending file modes: C0755 653323 openssl-0.9.4-3.i386.rpm
openssl-0.9.4-3.i386 30% |******** | 196 KB - stalled -
openssl-0.9.4-3.i386.rpm: Input/output error
[bds at pc36 ssh-rh5]$ Killed by signal 2.
debug: Calling cleanup 0x80558f0(0x0)
---cut-here---

--
Kind regards,
Berend
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS

From baz at sqf.hp.com Tue Dec 14 21:52:43 1999
From: baz at sqf.hp.com (Barrie Spence)
Date: Tue, 14 Dec 1999 10:52:43 +0000
Subject: 1.2pre17 scp Input/Output error
References: <199912141016.MAA31048@jhb.ucs.co.za>
Message-ID: <3856217B.60F6EDDA@sqf.hp.com>

Berend De Schouwer wrote:
>
> Under OpenSSH 1.2pre17 I can duplicate an Input/Output error for scp:
>
> Conditions:
> pc36 is a RH6.0/i386 box.
> abc.co.za is a RH5.2/i386 box. (private network)
> openssh 1.2 pre 17 on both boxes.
> Line between them is a 128k leased line. It works between two 10baseT
> machines.
> If the scrollbar is active, the scp fails, if it isn't active, scp
> works. Note that without the scrollbar, the file gets there and is
> valid.

I can confirm this problem - in our case, both ends are RH6.1 with a 2.2.13 kernel. I'm actually using it via a SOCKS5 firewall with the runsocks command - I don't know the spec of the intervening pipework.

I also noticed that small files transfer without problem (anything larger than ~500k breaks).

I rebuilt the supplied SRC rpm locally.

Barrie
--
Barrie Spence (313-2465)           Agilent Technologies UK Ltd
E-Mail: baz at sqf.hp.com           South Queensferry, UK
Play: barrie at calvin.demon.co.uk
#include

From bds at ucs.co.za Tue Dec 14 22:13:30 1999
From: bds at ucs.co.za (Berend De Schouwer)
Date: Tue, 14 Dec 1999 13:13:30 +0200 (SAST)
Subject: 1.2pre17 scp Input/Output error
In-Reply-To: <3856217B.60F6EDDA@sqf.hp.com>
Message-ID: <199912141121.NAA16804@jhb.ucs.co.za>

On 14 Dec, Barrie Spence wrote:
> Berend De Schouwer wrote:
>>
>> Under OpenSSH 1.2pre17 I can duplicate an Input/Output error for scp:
>>
>> Conditions:
>> pc36 is a RH6.0/i386 box.
>> abc.co.za is a RH5.2/i386 box. (private network)
>> openssh 1.2 pre 17 on both boxes.
>> Line between them is a 128k leased line. It works between two 10baseT
>> machines.
>> If the scrollbar is active, the scp fails, if it isn't active, scp
>> works. Note that without the scrollbar, the file gets there and is
>> valid.
>
> I can confirm this problem - in our case, both ends are RH6.1 with
> a 2.2.13 kernel. I'm actually using it via a SOCKS5 firewall with
> the runsocks command - I don't know the spec of the intervening
> pipework.
> I also noticed that small files transfer without problem (anything
> larger than ~500k breaks).

More investigation indicates that this happens if the scrollbar needs updating. ie, if the entire file gets sent in one go (immediate 100%) it works. On slow links and large files the scrollbar has to wait at x%, and update. It breaks at the very first (visual) update.

Happens with a 1.2pre15 client as well.

> I rebuilt the supplied SRC rpm locally.

Me too - one per RedHat release (4, 5 and 6). Gnome support compiled out. Built to .rpm from the .tar.gz

> Barrie

--
Kind regards,
Berend
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS

From Marc.Haber-lists at gmx.de Wed Dec 15 00:29:27 1999
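The pattern Berend narrows it down to above, failure at exactly the first visual update of the progress meter, points at interrupted I/O rather than the network: scp redraws its meter from an alarm (the "Alarm Clock" in the scp -v output earlier in this archive is the shell reporting that same signal), and a read(2) or write(2) interrupted by a signal returns -1 with EINTR or a short count, which a caller that compares the result against the requested size will misreport as an I/O error. The following is an added example, written for this note and not OpenSSH's own code: an atomicio-style loop that retries across EINTR, plus a constructed reproduction that blocks a reader on a pipe, fires a timer at it, and compares a bare read() with the loop. The payload size, the timer interval and the pipe handshake are inventions of the demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

typedef ssize_t (*io_fn)(int, void *, size_t);

/* Call f until all n bytes are moved, resuming after EINTR (e.g. the alarm
 * behind a progress meter) and EAGAIN.  Returns n on success, a short count
 * at EOF, or -1 with errno set on a hard error. */
ssize_t atomicio(io_fn f, int fd, void *buf, size_t n)
{
    unsigned char *p = buf;
    size_t pos = 0;

    while (pos < n) {
        ssize_t r = f(fd, p + pos, n - pos);
        if (r < 0) {
            if (errno == EINTR || errno == EAGAIN)
                continue;               /* interrupted or not ready: retry */
            return -1;
        }
        if (r == 0)
            break;                      /* EOF: hand back what arrived */
        pos += (size_t)r;
    }
    return (ssize_t)pos;
}

/* write(2) takes a const buffer; adapt it so atomicio() can drive it too. */
ssize_t vwrite(int fd, void *buf, size_t n)
{
    return write(fd, buf, n);
}

/* ---- constructed reproduction of the stalled-transfer symptom ---- */

#define PAYLOAD 64
static int go_fd = -1;

/* SIGALRM handler: release the sender (write(2) is async-signal-safe). */
static void on_alarm(int sig)
{
    (void)sig;
    (void)write(go_fd, "g", 1);
}

/* The receiver blocks on an empty pipe; a one-shot timer fires, as scp's
 * meter timer does; only then does the sender deliver PAYLOAD bytes in two
 * halves.  use_atomicio == 0: a single read() comes back -1/EINTR or short,
 * which scp's "result != amt" check reported as EIO.  use_atomicio == 1:
 * the loop rides through the signal and the gap and returns all PAYLOAD. */
ssize_t demo_interrupted_read(int use_atomicio)
{
    int data[2], go[2];
    unsigned char buf[PAYLOAD];
    struct sigaction sa;
    struct itimerval timer;
    ssize_t r;

    if (pipe(data) != 0 || pipe(go) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                             /* child: the sender */
        unsigned char half[PAYLOAD / 2];
        struct timespec gap = { 0, 50L * 1000 * 1000 };  /* 50 ms pause */
        char g;
        close(data[0]); close(go[1]);
        (void)read(go[0], &g, 1);               /* wait for the alarm */
        memset(half, 'A', sizeof half);
        (void)atomicio(vwrite, data[1], half, sizeof half);
        nanosleep(&gap, NULL);                  /* makes a bare read short */
        (void)atomicio(vwrite, data[1], half, sizeof half);
        _exit(0);
    }
    close(data[1]); close(go[0]);
    go_fd = go[1];

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;                            /* no SA_RESTART: EINTR shows */
    sigaction(SIGALRM, &sa, NULL);
    memset(&timer, 0, sizeof timer);
    timer.it_value.tv_usec = 250 * 1000;        /* one-shot alarm in 250 ms */
    setitimer(ITIMER_REAL, &timer, NULL);

    r = use_atomicio ? atomicio(read, data[0], buf, sizeof buf)
                     : read(data[0], buf, sizeof buf);
    int saved = errno;

    memset(&timer, 0, sizeof timer);
    setitimer(ITIMER_REAL, &timer, NULL);       /* disarm */
    signal(SIGALRM, SIG_DFL);
    close(data[0]); close(go[1]);
    waitpid(pid, NULL, 0);
    errno = saved;
    return r;
}

int main(void)
{
    ssize_t plain = demo_interrupted_read(0);
    printf("bare read(): %zd%s\n", plain, plain < 0 ? " (EINTR)" : " (short)");
    printf("atomicio():  %zd\n", demo_interrupted_read(1));
    return 0;
}
```

The handler is installed without SA_RESTART on purpose: that is the situation a progress meter creates, and it is why a bare read() or write() cannot be trusted to move the whole buffer. Wrapping every transfer in the retry loop is the fix; checking `result != amt` on a bare call is the bug.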
From: Marc.Haber-lists at gmx.de (Marc Haber)
Date: Tue, 14 Dec 1999 13:29:27 GMT
Subject: scp with openssh on the server side and $PATH.
In-Reply-To: <87bt7ubwib.fsf@sheikh.hands.com>
References: <87n1ri8z3e.fsf@sheikh.hands.com> <87bt7ubwib.fsf@sheikh.hands.com>
Message-ID:

On 13 Dec 1999 17:06:52 +0000, you wrote:
>Marc.Haber-lists at gmx.de (Marc Haber) writes:
>> On 10 Dec 1999 17:50:13 +0000, you wrote:
>> >I suggest you install the debian package, rather than build it
>> >yourself. You can grab it thus:
>> >
>> > apt-get install ssh
>> >
>> >Then it'll just work (or you get to report a bug to me ;-)
>>
>> Nope. slink here. The binary package depends on libc6.1, the source
>> package doesn't build because stropts.h is in libc6-dev from potato,
>> but not in slink's.
>
>So how are you building it yourself?

Looks like that stropts.h reference was included in pre17 and I have built pre16. The pre17 patch does seem to apply to pre16 as well, with the exception of some hunks failing in Makefile.in. Unfortunately, the old patches are not archived on the openssh ftp server.

However, it looks like the debian patched build process needs some gnome files:

|gcc -g -O2 -Wall -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/lib/ssh/ssh-askpass\" -DHAVE_CONFIG_H `gnome-config --cflags gnome gnomeui` -o gnome-ssh-askpass gnome-ssh-askpass.c `gnome-config --libs gnome gnomeui`
|/bin/sh: gnome-config: command not found
|/bin/sh: gnome-config: command not found
|gnome-ssh-askpass.c:39: gnome.h: No such file or directory
|gnome-ssh-askpass.c:40: X11/Xlib.h: No such file or directory
|gnome-ssh-askpass.c:41: gdk/gdkx.h: No such file or directory
|make[1]: *** [gnome-ssh-askpass] Error 1
|make[1]: Leaving directory `/mnt/main8/home/mh/devel/userspace/openssh-1.2pre17/openssh-1.2pre16'
|make: *** [build-stamp] Error 2
|mh at torres[40/538]:~/devel/userspace/openssh-1.2pre17/openssh-1.2pre16$

Is this imperative?
My server system doesn't even have a GUI installed, so I feel that the compile should go through on minimal systems as well.

I don't have a clue about libc issues, but I'd really like to see openssh compiling on systems with older libc versions as well. Is it very hard to have configure detect older libc versions as well and to disable features that need 6.1 in that case?

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         | " Questions are the           | Mailadresse im Header
Karlsruhe, Germany | Beginning of Wisdom "         | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29

From bds at ucs.co.za Wed Dec 15 01:02:18 1999
From: bds at ucs.co.za (Berend De Schouwer)
Date: Tue, 14 Dec 1999 16:02:18 +0200 (SAST)
Subject: 1.2pre17 fails to compile on RedHat 4.2/i386 (libc5)
Message-ID: <199912141409.QAA30242@jhb.ucs.co.za>

Here goes:

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-tcp-wrappers

Compiles just about everything until:

gcc -O2 -m486 -fno-strength-reduce -Wall -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c ssh.c -o ssh.o
ssh.c: In function `main':
ssh.c:751: warning: implicit declaration of function `daemon'
gcc -o ssh ssh.o sshconnect.o log-client.o readconf.o clientloop.o libssh.a -lpam -ldl -lz -lcrypto -lssl -lcrypto -lbsd
gcc -O2 -m486 -fno-strength-reduce -Wall -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c sshd.c -o sshd.o
sshd.c:16: poll.h: No such file or directory
make: *** [sshd.o] Error 1
Bad exit status from /var/tmp/rpm-tmp.67018 (%build)

The following is me rambling on and trying quick fixes:

In later versions (glibc), daemon is defined in unistd.h as:

unistd.h:extern int daemon __P ((int __nochdir, int __noclose));

Notes, configure DOES check for daemon:

checking for daemon... yes

If I create this manually, it seems to compile.
And poll.h just includes sys/poll.h which defines struct pollfd, and the functions:

extern int __poll __P ((struct pollfd *__fds, unsigned long int __nfds, int __timeout));
extern int poll __P ((struct pollfd *__fds, unsigned long int __nfds, int __timeout));

If I copy in a poll.h, I get (obviously):

gcc -g -O2 -Wall -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c sshd.c -o sshd.o
sshd.c: In function `do_fake_authloop':
sshd.c:1647: warning: unused variable `type'
sshd.c: In function `do_child':
sshd.c:2490: warning: initialization from incompatible pointer type
gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o servconf.o serverloop.o bsd-login.o md5crypt.o libssh.a -lpam -ldl -lz -lcrypto -lssl -lcrypto -lbsd -lwrap
sshd.o: In function `main':
/usr/local/src/openssh-1.2pre17/sshd.c:700: undefined reference to `poll'
make: *** [sshd] Error 1

--
Kind regards,
Berend
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Berend De Schouwer, +27-11-712-1435, UCS

From phil at hands.com Wed Dec 15 03:54:43 1999
From: phil at hands.com (Philip Hands)
Date: 14 Dec 1999 16:54:43 +0000
Subject: scp with openssh on the server side and $PATH.
In-Reply-To: (Marc Haber's message of "Tue, 14 Dec 1999 13:29:27 GMT")
References: <87n1ri8z3e.fsf@sheikh.hands.com> <87bt7ubwib.fsf@sheikh.hands.com>
Message-ID: <874sdla2ek.fsf@sheikh.hands.com>

Marc.Haber-lists at gmx.de (Marc Haber) writes:

> However, it looks like the debian patched build process needs some
> gnome files:

Just edit the ``--with-gnome-askpass'' out of the ./configure line in debian/rules

> Is this imperative? My server system doesn't even have a GUI
> installed, so I feel that the compile should go through on minimal
> systems as well.

I have to make it build everything that's available, because it's best to have it fail with an error than for me to generate an empty package (if I happen to have removed a required library, say).

Most of what happens during a debian build is equivalent to:

  make -f debian/rules build

If it fails on something you don't care about, you can normally get round it by editing debian/rules

> I don't have a clue about libc issues, but I'd really like to see
> openssh compiling on systems with older libc versions as well. Is it
> very hard to have configure detect older libc versions as well and to
> disable features that need 6.1 in that case?

Try deleting the three lines:

#ifdef HAVE_DEV_PTMX
#include
#endif /* HAVE_DEV_PTMX */

in pty.c

They're surplus to requirements anyway, since stropts.h is included again (this time checking if you have it) about 10 lines below.

Cheers, Phil.
--
Boycott Amazon! --- http://linuxtoday.com/stories/13652.html

From Darren_Hall at progressive.com Wed Dec 15 06:12:14 1999
From: Darren_Hall at progressive.com (Darren_Hall at progressive.com)
Date: Tue, 14 Dec 1999 14:12:14 -0500
Subject: openssh on AIX v4.3.3 with native compiler
Message-ID: <85256847.0066A42C.00@s65a0384.prci.com>

The inline patch for configure.in

*** configure.in Tue Dec 14 13:41:19 1999 --- configure.in~ Wed Dec 8 18:48:58 1999 *************** *** 55,63 **** AC_CHECK_LIB(dl, dlopen, , ) AC_CHECK_LIB(pam, pam_authenticate, , ) - dnl Checks for compiler characteristics - AC_C_INLINE - dnl Checks for header files. AC_CHECK_HEADERS(endian.h lastlog.h login.h maillock.h netgroup.h paths.h pty. h shadow.h util.h utmp.h utmpx.h sys/select.h sys/stropts.h sys/time.h) --- 55,60 ----

(autoheader should fixup the config.h.in)

Someone already sent a nice #ifndef __GNUC__ to fix the __attribute__ issue to the list.

>> I also have done a lot of type casting to remove the frivolous
>> warnings regarding (int *) != (unsigned int *). Let me know if
>> I'm repeating any work done.
> i'll look into these if time permits, could you please mail
> the warnings to markus at openssh.com. it's .com not .org, alas.

"canohost.c", line 39.61: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
"canohost.c", line 128.32: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
"canohost.c", line 194.61: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
"canohost.c", line 216.59: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
"channels.c", line 390.67: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
"channels.c", line 418.67: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed.
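Review bot: the configure.in context diff above runs in the wrong direction: configure.in (the edited file, dated Dec 14) is on the `***` old side and the configure.in~ backup on the `---` new side, so `dnl Checks for compiler characteristics` and `AC_C_INLINE` appear as `-` removals, and feeding this to patch would delete the check rather than add it, which is the opposite of the "check against a native inline" described earlier in the thread. Regenerate it with the backup first (`diff -c configure.in~ configure.in`). Note also that AC_C_INLINE works by #defining `inline` in config.h when the compiler lacks the keyword, so it only helps the AIX native-compiler build if every source file that uses `inline` includes config.h before the first use.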
"channels.c", line 448.67: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed. "channels.c", line 1014.34: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed. "channels.c", line 1021.55: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed. "channels.c", line 1230.49: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed. "sshconnect.c", line 915.39: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed. "sshd.c", line 707.82: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed. "sshd.c", line 1144.42: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed. "sshd.c", line 1427.57: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed. "sshd.c", line 1450.57: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed. "sshd.c", line 1498.54: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed. "sshd.c", line 1786.50: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed. "sshd.c", line 1831.59: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed. "sshd.c", line 1832.58: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed. "sshd.c", line 1909.61: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed. "sshd.c", line 2167.58: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed. "ssh-keygen.c", line 104.52: 1506-280 (W) Function argument assignment between types "unsigned int*" and "int*" is not allowed. 
"ssh-agent.c", line 430.93: 1506-280 (W) Function argument assignment between types "unsigned long*" and "int*" is not allowed. "scp.c", line 1187.33: 1506-280 (W) Function argument assignment between types "void(*)(int)" and "void*" is not allowed. From djm at mindrot.org Wed Dec 15 09:31:45 1999 From: djm at mindrot.org (Damien Miller) Date: Wed, 15 Dec 1999 09:31:45 +1100 (EST) Subject: 1.2pre17 scp Input/Output error In-Reply-To: <199912141016.MAA31048@jhb.ucs.co.za> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 14 Dec 1999, Berend De Schouwer wrote: > Under OpenSSH 1.2pre17 I can duplicate and Input/Output error for scp: Does the attached patch sole your problems? Thanks for the report. Damien - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4VsVVormJ9RG1dI8RAsl6AKCmc/67Z9s5vGxpRxakfoxc7mDulwCghByS xcT+G0f9yFT7JjtjPyzNI4M= =uYXx -----END PGP SIGNATURE----- -------------- next part -------------- Index: scp.c =================================================================== RCS file: /var/cvs/openssh/scp.c,v retrieving revision 1.12 diff -u -r1.12 scp.c --- scp.c 1999/12/07 04:38:32 1.12 +++ scp.c 1999/12/14 22:27:10 @@ -541,14 +541,14 @@ if (i + amt > stb.st_size) amt = stb.st_size - i; if (!haderr) { - result = read(fd, bp->buf, amt); + result = atomicio(read, fd, bp->buf, amt); if (result != amt) haderr = result >= 0 ? EIO : errno; } if (haderr) - (void) write(remout, bp->buf, amt); + (void) atomicio(write, remout, bp->buf, amt); else { - result = write(remout, bp->buf, amt); + result = atomicio(write, remout, bp->buf, amt); if (result != amt) haderr = result >= 0 ? EIO : errno; statbytes += result; 
@@ -1145,9 +1145,8 @@ i++; abbrevsize >>= 10; } - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5qd %c%c ", - (quad_t) abbrevsize, prefixes[i], prefixes[i] == ' ' ? ' ' : - 'B'); + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5d %c%c ", + (int) abbrevsize, prefixes[i], prefixes[i] == ' ' ? ' ' : 'B'); timersub(&now, &lastupdate, &wait); if (cursize > lastsize) {

From dhall at virage.org Wed Dec 15 16:02:36 1999
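Review bot: in the first hunk (the @@ -541 block) the `if (haderr)` branch still throws away the result of `atomicio(write, remout, bp->buf, amt)` behind a `(void)` cast, so once a read error has been recorded a failed or short write to the remote side is never noticed and the loop keeps sending from a buffer the read did not fill; the change to atomicio makes a short count meaningful here, so either check for `< 0` and stop, or add a comment stating that this padding write is deliberately best-effort to keep the two sides' byte counts aligned. The second hunk's `(int)` cast is safe only because the `>>= 10` loop directly above has already reduced abbrevsize; a comment saying so would save the next reader from wondering about the lost quad_t range.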
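What atomicio() buys scp in the hunk above is a loop that retries partial and interrupted transfers, so that a short count only ever means EOF or a hard error and the `result != amt` test becomes reliable. The following is an added example written for this page, not OpenSSH's own atomicio.c; the names atomicio_example, short_read, write_adapter and the constructed 33-byte payload are assumptions of mine.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Loop a read(2)- or write(2)-shaped call until every byte of buf has been
 * transferred. Returns n on success, a count smaller than n when the peer
 * closed the descriptor (EOF), or -1 with errno set on a hard error. EINTR
 * and EAGAIN are retried, so a caller that tests "result != amt", as the
 * scp.c hunk above does, sees a short count only for EOF or failure.
 */
ssize_t
atomicio_example(ssize_t (*f)(int, void *, size_t), int fd, void *buf, size_t n)
{
	char *p = buf;
	size_t done = 0;
	ssize_t r;

	while (done < n) {
		r = f(fd, p + done, n - done);
		if (r < 0) {
			if (errno == EINTR || errno == EAGAIN)
				continue;	/* transient: retry the same slice */
			return -1;
		}
		if (r == 0)
			break;		/* EOF: report the partial count */
		done += (size_t)r;
	}
	return (ssize_t)done;
}

/* write(2) takes a const buffer; adapt it to the non-const callback type. */
static ssize_t
write_adapter(int fd, void *buf, size_t n)
{
	return write(fd, buf, n);
}

/*
 * Constructed "short read" source: hands back at most 5 bytes per call,
 * the behaviour of a pipe or socket that delivers data in small pieces and
 * that made a bare read() return less than amt in the scp bug report.
 */
static ssize_t
short_read(int fd, void *buf, size_t n)
{
	return read(fd, buf, n < 5 ? n : 5);
}

/*
 * Push a constructed 33-byte payload (32 characters plus NUL) through a pipe,
 * close the writer, then ask atomicio_example() for `request` bytes using the
 * short-read source. Returns the byte count it assembled: 33 for request 33
 * (reassembled from seven partial reads), and still 33 when request is
 * larger, because EOF yields a short count rather than an error; -1 on
 * setup failure or if the data came back corrupted.
 */
ssize_t
atomicio_demo(size_t request)
{
	static const char msg[] = "0123456789abcdef0123456789abcdef";
	char out[128];
	int p[2];
	ssize_t got;
	size_t cmp;

	if (request > sizeof(out) || pipe(p) != 0)
		return -1;
	if (atomicio_example(write_adapter, p[1], (void *)msg, sizeof(msg))
	    != (ssize_t)sizeof(msg)) {
		close(p[0]); close(p[1]);
		return -1;
	}
	close(p[1]);	/* writer gone: the reader hits EOF after 33 bytes */
	got = atomicio_example(short_read, p[0], out, request);
	close(p[0]);
	if (got < 0)
		return -1;
	cmp = (size_t)got < sizeof(msg) ? (size_t)got : sizeof(msg);
	if (memcmp(out, msg, cmp) != 0)
		return -1;
	return got;
}
```

With a bare read() the first call on the short-read source would have returned 5, scp would have compared it against amt and set haderr to EIO, which is the symptom in the report this patch answers. Asking for more than is available (request 64) shows the other half of the contract: the caller gets 33 back and must decide whether EOF at that point is an error.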
From: dhall at virage.org (d. hall)
Date: 15 Dec 1999 00:02:36 -0500
Subject: openssh on AIX v4.3.3 with native compiler
Message-ID:

Had a little more time to think about this, instead of just reacting to the compiler warnings.

canohost.c
 line 39 getpeername, changed fromlen to size_t
 line 128 getsockopt, changed option_size to size_t
 line 194 getpeername, changed fromlen to size_t
 line 216 getpeername, changed fromlen to size_t

A majority of these problems arise from AIX's compiler being fussy. I noticed on my current dist of Linux, getpeername's 3rd arg is defined as (int *) in the man page, and (socklen_t *) within the include file (which isn't defined within aix).

channels.c
 line 390 accept, changed addrlen to size_t
 line 418 accept, changed addrlen to size_t
 line 448 accept, changed len to size_t
 line 1014 packet_get_string, host_len as size_t
 line 1021 packet_get_string, originator_len as size_t
 line 1230 packet_get_string, remote_len as size_t

sshconnect.c
 line 915 packet_get_string, payload_len as size_t

After digging around my dist to find exactly what typedef size_t was set to, I'll have to guess it's an unsigned long. It was far easier setting these variables to size_t than going through and typecasting (size_t *) for each declaration of that function.

>>>> Markus Friedl wrote:
> channels.c has been fixed in OpenSSH-current

Is this the CVS version? I'm relatively new to openssh, so I haven't looked carefully at the relationship between the CVS/BSD version, as it compares to the ported version.

Also with a little coaxing, the Makefile is understood by non-gnu make; any consideration towards a more generic Makefile format?

From karn at ka9q.ampr.org Wed Dec 15 19:24:56 1999
From: karn at ka9q.ampr.org (Phil Karn)
Date: Wed, 15 Dec 1999 00:24:56 -0800
Subject: scp gotcha on NFS
Message-ID: <199912150824.AAA08384@homer.ka9q.ampr.org>

I ran into a nasty gotcha today with scp from openssh-1.2pre17. If you use scp to copy a file between machines when the local and remote file args correspond to the same physical file (e.g., exported by a NFS mount) the file is trashed. E.g., if your home directories on "homer" and "bart" share the same NFS-mounted volume and you do

homer$ scp foo bart:foo

file "foo" will be trashed. It'll be the same length as before, but overwritten with something that looks like

scp -t foo

which repeats for the length of the file.

--Phil

From matt at arcticmail.com Thu Dec 16 01:30:50 1999
From: matt at arcticmail.com (Matt Petteys)
Date: Wed, 15 Dec 1999 09:30:50 -0500
Subject: rh 6.0 pam patch..
Message-ID: <000001bf4708$fc411f60$c801a8c0@mpetteys.colybrand.com>

Redhat 6.0 must have changed module names for pam_unix. I believe that this should provide the desired results. Might want to make a separate file for redhat pam..

[root at gordon pam.d]# uname -a
Linux gordon.scully.liquidcool.com 2.2.5-15 #1 Mon Apr 19 21:39:28 EDT 1999 i486 unknown
[root at gordon pam.d]# cat /etc/redhat-release
Red Hat Linux release 6.0 (Hedwig)
[root at gordon pam.d]# diff sshd /usr/local/src/openssh-1.2pre17/sshd.pam.generic
2c2
< auth required /lib/security/pam_unix_auth.so shadow
---
> auth required /lib/security/pam_unix.so shadow
4c4
< account required /lib/security/pam_unix_acct.so
---
> account required /lib/security/pam_unix.so
6,7c6,7
< password required /lib/security/pam_unix_password.so shadow nullok use_a uthtok
< session required /lib/security/pam_unix_session.so
---
> password required /lib/security/pam_unix.so shadow nullok use_authtok
> session required /lib/security/pam_unix.so

From djm at mindrot.org Thu Dec 16 10:58:33 1999
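The NFS report from Phil Karn above is a case of a copy whose source and destination alias the same file, which cp(1) refuses by comparing device and inode numbers before it truncates anything; scp cannot make that comparison, because the client and the server each see only one of the two paths. The check itself, written out as an added example that is not OpenSSH code: same_file, same_file_demo, the temporary-file fixture under /tmp and the bit-mask result are my assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * 1 if both paths resolve to the same inode on the same device, 0 if they
 * are distinct files, -1 if either cannot be stat'ed. A destination that
 * does not exist yet is the normal case for a copy, so the caller treats
 * -1 as "no collision", and only a 1 must abort before the destination is
 * opened with O_TRUNC. This is exactly the aliasing the NFS report shows:
 * two path spellings, one physical file.
 */
int
same_file(const char *a, const char *b)
{
	struct stat sa, sb;

	if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
		return -1;
	return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

/*
 * Constructed fixture: two distinct temporary files, plus a second spelling
 * of the first one ("/tmp/./name"), which is the same inode reached by a
 * different path. Returns a bit mask, 7 when every case classifies as
 * expected: bit 0 = alias detected, bit 1 = distinct files differ,
 * bit 2 = missing destination reported as -1. -1 if the fixture fails.
 */
int
same_file_demo(void)
{
	char orig[] = "/tmp/scpguard-orig-XXXXXX";
	char other[] = "/tmp/scpguard-other-XXXXXX";
	char alias[64];
	int fd1, fd2, r = 0;

	if ((fd1 = mkstemp(orig)) < 0)
		return -1;
	if ((fd2 = mkstemp(other)) < 0) {
		close(fd1);
		unlink(orig);
		return -1;
	}
	/* same file, different path: "/tmp/./scpguard-orig-..." */
	snprintf(alias, sizeof alias, "/tmp/./%s", orig + strlen("/tmp/"));

	if (same_file(orig, alias) == 1)
		r |= 1;
	if (same_file(orig, other) == 0)
		r |= 2;
	if (same_file(orig, "/tmp/scpguard-does-not-exist") == -1)
		r |= 4;

	close(fd1);
	close(fd2);
	unlink(orig);
	unlink(other);
	return r;
}
```

The (dev, ino) pair is the only identity a Unix file has that survives renames, hard links and bind mounts, which is why cp compares it rather than the path strings; a tool that has both ends on one host, as the local side of an NFS-backed copy does, can run this before it opens the destination for writing.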
From: djm at mindrot.org (Damien Miller)
Date: Thu, 16 Dec 1999 10:58:33 +1100 (EST)
Subject: rh 6.0 pam patch..
In-Reply-To: <000001bf4708$fc411f60$c801a8c0@mpetteys.colybrand.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 15 Dec 1999, Matt Petteys wrote:

>
> Redhat 6.0 must have changed module names for pam_unix. I believe that this
> should provide the desired results. Might want to make a separate file for
> redhat pam..

That is why there is a Redhat specific file in packages/redhat/sshd.pam

Damien

- -- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4WCssormJ9RG1dI8RAn9JAJ9YsD8lLmrKYCdidEhz7Rlj098yrgCcDI+m
pl+AsyCVm8bzbwH2f8lkESk=
=djwU
-----END PGP SIGNATURE-----

From djm at mindrot.org Thu Dec 16 14:22:23 1999
From: djm at mindrot.org (Damien Miller)
Date: Thu, 16 Dec 1999 14:22:23 +1100 (EST)
Subject: Progress meter for ssh-keygen
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Attached is a patch to add a progress meter for ssh-keygen similar to the one in the commercial ssh1.

Was this left out of the OpenBSD version because of security concerns?

Regards,
Damien Miller

- -- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4WFr1ormJ9RG1dI8RAjYoAJ99bJwtjL7dKwrZhat9FAUj4nEUlwCgqvZ/
tFU5SXFtgbOsFx8gFlEdd8s=
=20cA
-----END PGP SIGNATURE-----

-------------- next part --------------
Index: rsa.c
===================================================================
RCS file: /var/cvs/openssh/rsa.c,v
retrieving revision 1.5
diff -u -r1.5 rsa.c
--- rsa.c 1999/11/25 00:54:59 1.5
+++ rsa.c 1999/12/16 03:19:38
@@ -56,6 +56,21 @@ } /* + * Key generation progress meter callback + */ +void +keygen_progress(int p, int n, void *arg) +{ + const char progress_chars[] = ".o+O?"; + + if ((p < 0) || (p > (sizeof(progress_chars) - 2))) + p = 4; + + printf("%c", progress_chars[p]); + fflush(stdout); +} + +/* * Generates RSA public and private keys. This initializes the data * structures; they should be freed with rsa_clear_private_key and * rsa_clear_public_key.
@@ -69,8 +84,11 @@ if (rsa_verbose) { printf("Generating RSA keys: "); fflush(stdout); + key = RSA_generate_key(bits, 35, keygen_progress, NULL); + printf("\n"); + } else { + key = RSA_generate_key(bits, 35, NULL, NULL); } - key = RSA_generate_key(bits, 35, NULL, NULL); if (key == NULL) fatal("rsa_generate_key: key generation failed.");

From provos at citi.umich.edu Thu Dec 16 15:41:34 1999
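Review bot: in the first hunk, keygen_progress's bound test `p > (sizeof(progress_chars) - 2)` compares a signed int with a size_t and is only safe because `p < 0` is tested first; the `- 2` and the fallback `p = 4` both encode the length of ".o+O?" by hand, so a single named constant for the last index would state the intent and survive a change to the string. The `n` and `arg` parameters are unused because RSA_generate_key dictates the callback signature; a one-line comment saying so would stop compilers and readers flagging them. In the second hunk, moving the RSA_generate_key call inside the `if (rsa_verbose)` branches duplicates it; passing `rsa_verbose ? keygen_progress : NULL` as the callback would keep one call site.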
From: provos at citi.umich.edu (Niels Provos)
Date: Wed, 15 Dec 1999 23:41:34 -0500
Subject: Progress meter for ssh-keygen
In-Reply-To: Damien Miller, Thu, 16 Dec 1999 14:22:23 +1100
Message-ID: <19991216044308.3D85B26F02@toad.mindrot.org>

In message , Damien Miller writes:
>Was this left out of the OpenBSD version because of security
>concerns?

No, not for security concerns. I did not have the time to put the function hooks in. And it did not seem particularly important.

Niels.

From mark.baushke at solipsa.com Thu Dec 16 18:34:11 1999
From: mark.baushke at solipsa.com (Mark D. Baushke)
Date: Wed, 15 Dec 1999 23:34:11 -0800
Subject: Progress meter for ssh-keygen
In-Reply-To: Mail from Damien Miller dated Thu, 16 Dec 1999 14:22:23 +1100
Message-ID: <199912160734.XAA09593@mozart.solipsa.com>

Reading this (progress meter) patch reminds me of something I meant to bring up previously about scp...

I know folks that favor building the old ssh1.2.27 distribution using the 'configure --without-scp-stats' option so that scp more closely behaves like rcp (only generate output on errors).

Yes, this behavior can be obtained if you remember to add the -q switch to the scp command, but it might be useful to borrow this kind of configuration functionality from the ssh1.2.27 configure script. I believe they use a macro something like WITH_SCP_STATS to control if the code to generate the progress stats should be compiled into the program or not.

Enjoy!
-- Mark

From djm at mindrot.org Thu Dec 16 21:35:27 1999
From: djm at mindrot.org (Damien Miller)
Date: Thu, 16 Dec 1999 21:35:27 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.1pre18
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just uploaded 1.2.1pre18.

This is mainly merges from the OpenBSD tree, bugfixes for Solaris and libc5 Linux systems. It should fix all reported bugs except the snprintf problems on some older Solaris versions.

Please test thoroughly, my hope is to have a stable version released before Jan 1. At this point the main holdup is Solaris.

I have had to disable direct downloads from violet.ibs.com.au, demand for OpenSSH is saturating our little ISDN connection. I notice that:

ftp://ftp.localhost.ca/pub/openssh/files/ (Canada)
ftp://ftp.firedrake.org/openssh/files/ (UK)
ftp://thermo.stat.ncsu.edu/pub/openssh/files/ (USA *only*)

have already updated.

Regards,
Damien

Changelog:

19991216
 - Makefile changes for Solaris from Peter Kocks
 - Minor updates to docs
 - Merged OpenBSD CVS changes:
   - [authfd.c ssh-agent.c] keysize warnings talk about identity files
   - [packet.c] "Connection closed by x.x.x.x": fatal() -> log()
 - Correctly handle empty passwords in shadow file. Patch from: "Chris, the Young One"
 - Released 1.2.1pre18

19991215
 - Integrated patches from Juergen Keil
   - Avoid void* pointer arithmetic
   - Use LDFLAGS correctly
   - Fix SIGIO error in scp
   - Simplify status line printing in scp
 - Added better test for inline functions compiler support from Darren_Hall at progressive.com

19991214
 - OpenBSD CVS Changes
   - [canohost.c] fix get_remote_port() and friends for sshd -i; Holger.Trapp at Informatik.TU-Chemnitz.DE
   - [mpaux.c] make code simpler. no need for memcpy. niels@ ok
   - [pty.c] namebuflen not sizeof namebuflen; bnd at ep-ag.com via djm at mindrot.org fix proto; markus
   - [ssh.1] typo; mark.baushke at solipsa.com
   - [channels.c ssh.c ssh.h sshd.c] type conflict for 'extern Type *options' in channels.c; dot at dotat.at
   - [sshconnect.c] move checking of hostkey into own function.
   - [version.h] OpenSSH-1.2.1
 - Clean up broken includes in pty.c
 - Some older systems don't have poll.h, they use sys/poll.h instead
 - Doc updates

19991211
 - Fix compilation on systems with AFS. Reported by aloomis at glue.umd.edu
 - Fix installation on Solaris. Reported by Gordon Rowell
 - Fix gccisms (__attribute__ and inline). Report by edgy at us.ibm.com, patch from Markus Friedl
 - Auto-locate xauth. Patch from David Agraz
 - Compile fix from David Agraz
 - Avoid compiler warning in bsd-snprintf.c
 - Added pam_limits.so to default PAM config. Suggested by Jim Knoble

- -- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4WMBzormJ9RG1dI8RAgl/AJ9Np2Coj/di+ijmZ3uDoY/4ZR/+hgCeJrap
9mpaUL2o7DCCGJ+MWzKAukY=
=PQve
-----END PGP SIGNATURE-----

From marc.fournier at acadiau.ca Fri Dec 17 00:23:41 1999
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 16 Dec 1999 09:23:41 -0400 (AST)
Subject: ANNOUNCE: openssh-1.2.1pre18
In-Reply-To:
Message-ID:

Solaris 7/x86:

gcc -g -O2 -Wall -I/usr/slocal/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/slocal/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/slocal/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c canohost.c -o canohost.o
canohost.c: In function `get_remote_hostname':
canohost.c:62: warning: subscript has type `char'
canohost.c: In function `peer_connection_is_on_socket':
canohost.c:163: `AF_INET6' undeclared (first use in this function)
canohost.c:163: (Each undeclared identifier is reported only once
canohost.c:163: for each function it appears in.)
make: *** [canohost.o] Error 1

On Thu, 16 Dec 1999, Damien Miller wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have just uploaded 1.2.1pre18.
>
> This is mainly merges from the OpenBSD tree, bugfixes for Solaris
> and libc5 Linux systems. It should fix all reported bugs except the
> snprintf problems on some older Solaris versions.
>
> Please test thoroughly, my hope is to have a stable version
> released before Jan 1. At this point the main holdup is Solaris.
>
> I have had to disable direct downloads from violet.ibs.com.au,
> demand for OpenSSH is saturating our little ISDN connection.
> I notice that:
>
> ftp://ftp.localhost.ca/pub/openssh/files/ (Canada)
> ftp://ftp.firedrake.org/openssh/files/ (UK)
> ftp://thermo.stat.ncsu.edu/pub/openssh/files/ (USA *only*)
>
> have already updated.
>
> Regards,
> Damien
>
> Changelog:
>
> 19991216
>  - Makefile changes for Solaris from Peter Kocks
>  - Minor updates to docs
>  - Merged OpenBSD CVS changes:
>    - [authfd.c ssh-agent.c] keysize warnings talk about identity files
>    - [packet.c] "Connection closed by x.x.x.x": fatal() -> log()
>  - Correctly handle empty passwords in shadow file. Patch from: "Chris, the Young One"
>  - Released 1.2.1pre18
>
> 19991215
>  - Integrated patches from Juergen Keil
>    - Avoid void* pointer arithmetic
>    - Use LDFLAGS correctly
>    - Fix SIGIO error in scp
>    - Simplify status line printing in scp
>  - Added better test for inline functions compiler support from Darren_Hall at progressive.com
>
> 19991214
>  - OpenBSD CVS Changes
>    - [canohost.c] fix get_remote_port() and friends for sshd -i; Holger.Trapp at Informatik.TU-Chemnitz.DE
>    - [mpaux.c] make code simpler. no need for memcpy. niels@ ok
>    - [pty.c] namebuflen not sizeof namebuflen; bnd at ep-ag.com via djm at mindrot.org fix proto; markus
>    - [ssh.1] typo; mark.baushke at solipsa.com
>    - [channels.c ssh.c ssh.h sshd.c] type conflict for 'extern Type *options' in channels.c; dot at dotat.at
>    - [sshconnect.c] move checking of hostkey into own function.
>    - [version.h] OpenSSH-1.2.1
>  - Clean up broken includes in pty.c
>  - Some older systems don't have poll.h, they use sys/poll.h instead
>  - Doc updates
>
> 19991211
>  - Fix compilation on systems with AFS. Reported by aloomis at glue.umd.edu
>  - Fix installation on Solaris. Reported by Gordon Rowell
>  - Fix gccisms (__attribute__ and inline). Report by edgy at us.ibm.com, patch from Markus Friedl
>  - Auto-locate xauth. Patch from David Agraz
>  - Compile fix from David Agraz
>  - Avoid compiler warning in bsd-snprintf.c
>  - Added pam_limits.so to default PAM config. Suggested by Jim Knoble
>
>
> - --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.0 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE4WMBzormJ9RG1dI8RAgl/AJ9Np2Coj/di+ijmZ3uDoY/4ZR/+hgCeJrap
> 9mpaUL2o7DCCGJ+MWzKAukY=
> =PQve
> -----END PGP SIGNATURE-----
>
>

Marc G. Fournier marc.fournier at acadiau.ca
Senior Systems Administrator
Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From marc.fournier at acadiau.ca Fri Dec 17 00:28:18 1999
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 16 Dec 1999 09:28:18 -0400 (AST)
Subject: ANNOUNCE: openssh-1.2.1pre18
In-Reply-To:
Message-ID:

Solaris 7/x86:

============================================
> ssh new-relay
marc at new-relay's password:
Last login: Thu Dec 16 09:27:06 1999 from atelier.acadiau.
Sun Microsystems Inc. SunOS 5.7 Generic October 1998
login: scrappy
Password:
Login incorrect
login: marc
Password:
No utmpx entry. You must exec "login" from the lowest level "shell".
Connection to new-relay closed.
>
===========================================

Marc G. Fournier marc.fournier at acadiau.ca
Senior Systems Administrator
Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From djm at mindrot.org Fri Dec 17 01:01:54 1999
From: djm at mindrot.org (Damien Miller)
Date: Fri, 17 Dec 1999 01:01:54 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.1pre18
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 16 Dec 1999, Marc G. Fournier wrote:

>
> Solaris 7/x86:
>
> canohost.c:163: `AF_INET6' undeclared (first use in this function)

Could you try the attached patch.

The IPv6 support in the OpenBSD tree must be landing sooner than I expected.

Damien

- -- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4WPDWormJ9RG1dI8RAusbAJ4gFv2WOyCRv4mPsZiAGOtfeE6GfgCffLhV
6OxEsXItr9gc4tRLdWFuBW8=
=JRev
-----END PGP SIGNATURE-----

-------------- next part --------------
Index: canohost.c
===================================================================
RCS file: /var/cvs/openssh/canohost.c,v
retrieving revision 1.5
diff -u -r1.5 canohost.c
--- canohost.c 1999/12/13 23:47:15 1.5
+++ canohost.c 1999/12/16 14:01:37
@@ -160,8 +160,9 @@ memset(&from, 0, sizeof(from)); if (getpeername(in, (struct sockaddr *) & from, &fromlen) < 0) return 0; - if (from.sin_family != AF_INET && from.sin_family != AF_INET6) + if (from.sin_family != AF_INET) return 0; + return 1; }

From djm at mindrot.org Fri Dec 17 01:03:41 1999
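Review bot: dropping the `from.sin_family != AF_INET6` clause makes peer_connection_is_on_socket reject an IPv6 peer on every platform, including those whose headers do define AF_INET6, in order to fix the build on one that does not; wrapping the second test in `#ifdef AF_INET6` keeps the check where the symbol exists and still compiles everywhere. The added empty `+` line before `return 1;` is whitespace-only and should be dropped from the hunk.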
From: djm at mindrot.org (Damien Miller)
Date: Fri, 17 Dec 1999 01:03:41 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.1pre18
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 16 Dec 1999, Marc G. Fournier wrote:

>
> Solaris 7/x86:
>
> ============================================
>
> > ssh new-relay
> marc at new-relay's password:
> Last login: Thu Dec 16 09:27:06 1999 from atelier.acadiau.
> Sun Microsystems Inc. SunOS 5.7 Generic October 1998

[snip]

> No utmpx entry. You must exec "login" from the lowest level "shell".
> Connection to new-relay closed.

Are you using "UseLogin yes" in your sshd_config? It looks like the utmpx support has broken your installation.

Damien

- -- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4WPFBormJ9RG1dI8RApImAJkBTkjiowJSz5GN5Db5XvRvcCxlJACcDhhO
zpNfIbCRsKH8FcuV2dqUzHs=
=5TCW
-----END PGP SIGNATURE-----

From Markus.Friedl at informatik.uni-erlangen.de Fri Dec 17 01:55:08 1999
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 16 Dec 1999 15:55:08 +0100
Subject: ANNOUNCE: openssh-1.2.1pre18
In-Reply-To: ; from marc.fournier@acadiau.ca on Thu, Dec 16, 1999 at 09:23:41AM -0400
References:
Message-ID: <19991216155508.A21810@faui01.informatik.uni-erlangen.de>

On Thu, Dec 16, 1999 at 09:23:41AM -0400, Marc G. Fournier wrote:
> canohost.c:163: `AF_INET6' undeclared (first use in this function)
> canohost.c:163: (Each undeclared identifier is reported only once
> canohost.c:163: for each function it appears in.)
> make: *** [canohost.o] Error 1

you can try

#define AF_INET6 24 /* IPv6 */

From the_h1ghlander at yahoo.com Fri Dec 17 02:17:21 1999
From: the_h1ghlander at yahoo.com (Ben Taylor)
Date: Thu, 16 Dec 1999 07:17:21 -0800 (PST)
Subject: ANNOUNCE: openssh-1.2.1pre18
Message-ID: <19991216151721.2483.qmail@web214.mail.yahoo.com>

I think a better solution would be to check if AF_INET6 exists and do the first if it does and do the second if it doesn't. sorry I don't have the patch as I'm not at home.

Regards,
Ben

--- Damien Miller wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thu, 16 Dec 1999, Marc G. Fournier wrote:
>
> >
> > Solaris 7/x86:
> >
> > canohost.c:163: `AF_INET6' undeclared (first use
> in this function)
>
> Could you try the attached patch.
>
> The IPv6 support in the OpenBSD tree must be landing
> sooner than
> I expected.
>
> Damien
>
> - --
> | "Bombay is 250ms from New York in the new world
> order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au
> (work)
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.0 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE4WPDWormJ9RG1dI8RAusbAJ4gFv2WOyCRv4mPsZiAGOtfeE6GfgCffLhV
> 6OxEsXItr9gc4tRLdWFuBW8=
> =JRev
> -----END PGP SIGNATURE-----
>
> Index: canohost.c
> ===================================================================
> RCS file: /var/cvs/openssh/canohost.c,v
> retrieving revision 1.5
> diff -u -r1.5 canohost.c
> --- canohost.c 1999/12/13 23:47:15 1.5
> +++ canohost.c 1999/12/16 14:01:37
> @@ -160,8 +160,9 @@
> memset(&from, 0, sizeof(from));
> if (getpeername(in, (struct sockaddr *) & from,
> &fromlen) < 0)
> return 0;
> - if (from.sin_family != AF_INET && from.sin_family
> != AF_INET6)
> + if (from.sin_family != AF_INET)
> return 0;
> +
> return 1;
> }
>

__________________________________________________
Do You Yahoo!?
Thousands of Stores. Millions of Products. All in one place.
Yahoo! Shopping: http://shopping.yahoo.com

From marc.fournier at acadiau.ca Fri Dec 17 02:22:24 1999
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 16 Dec 1999 11:22:24 -0400 (AST)
Subject: ANNOUNCE: openssh-1.2.1pre18
In-Reply-To:
Message-ID:

that's what I did to get around the problem, but still have the utmpx problem ;(

On Fri, 17 Dec 1999, Damien Miller wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thu, 16 Dec 1999, Marc G. Fournier wrote:
>
> >
> > Solaris 7/x86:
> >
> > canohost.c:163: `AF_INET6' undeclared (first use in this function)
>
> Could you try the attached patch.
>
> The IPv6 support in the OpenBSD tree must be landing sooner than
> I expected.
>
> Damien
>
> - --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.0 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE4WPDWormJ9RG1dI8RAusbAJ4gFv2WOyCRv4mPsZiAGOtfeE6GfgCffLhV
> 6OxEsXItr9gc4tRLdWFuBW8=
> =JRev
> -----END PGP SIGNATURE-----
>

Marc G. Fournier marc.fournier at acadiau.ca
Senior Systems Administrator
Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From the_h1ghlander at yahoo.com Fri Dec 17 02:34:38 1999
From: the_h1ghlander at yahoo.com (Ben Taylor)
Date: Thu, 16 Dec 1999 07:34:38 -0800 (PST)
Subject: ANNOUNCE: openssh-1.2.1pre18
Message-ID: <19991216153438.8215.qmail@web219.mail.yahoo.com>

Hmmm. Guess I better go check Solaris 8 again, cause I could have sworn it was 26. Not only that, it shows up twice... I still think the better solution is to not define it if you don't have it.

Ben

--- Markus Friedl wrote:
> On Thu, Dec 16, 1999 at 09:23:41AM -0400, Marc G.
> Fournier wrote:
> > canohost.c:163: `AF_INET6' undeclared (first use
> in this function)
> > canohost.c:163: (Each undeclared identifier is
> reported only once
> > canohost.c:163: for each function it appears in.)
> > make: *** [canohost.o] Error 1
>
> you can try
> #define AF_INET6 24 /* IPv6
> */
>
>

__________________________________________________
Do You Yahoo!?
Thousands of Stores. Millions of Products. All in one place.
Yahoo! Shopping: http://shopping.yahoo.com

From Markus.Friedl at informatik.uni-erlangen.de Fri Dec 17 02:39:32 1999
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 16 Dec 1999 16:39:32 +0100
Subject: ANNOUNCE: openssh-1.2.1pre18
In-Reply-To: <19991216151721.2483.qmail@web214.mail.yahoo.com>; from the_h1ghlander@yahoo.com on Thu, Dec 16, 1999 at 07:17:21AM -0800
References: <19991216151721.2483.qmail@web214.mail.yahoo.com>
Message-ID: <19991216163932.A24033@faui01.informatik.uni-erlangen.de>

On Thu, Dec 16, 1999 at 07:17:21AM -0800, Ben Taylor wrote:
> I think a better solution would be to check if
> AF_INET6
> exists and do the first if it does and do the second
> if it doesn't. sorry I don't have the patch as I'm
> not at home.

for now it's better to remove the AF_INET6 definition, things will change anyway if complete IPv6 support will be added in a few weeks.

From djm at mindrot.org Fri Dec 17 13:46:48 1999
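The preprocessor guard Ben Taylor proposes in the AF_INET6 thread above, written out as an added example that is not OpenSSH's canohost.c: it accepts AF_INET always and AF_INET6 only where the platform headers define it, so the same source builds on Solaris 7 without IPv6 headers and still recognises an IPv6 peer elsewhere. The code uses sockaddr_storage and socklen_t, which the 1999 platforms in this thread lacked, so treat those as assumptions about a current libc; peer_is_inet_socket, peer_check_demo and the constructed pipe, socketpair and loopback fixtures are mine.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * 1 when fd is a connected Internet socket, 0 otherwise. sockaddr_storage
 * is large enough for any address family, and the AF_INET6 comparison is
 * compiled only where the headers define the symbol, so a platform without
 * IPv6 builds unchanged and one with it keeps accepting IPv6 peers.
 */
int
peer_is_inet_socket(int fd)
{
	struct sockaddr_storage ss;
	socklen_t len = sizeof(ss);

	memset(&ss, 0, sizeof(ss));
	if (getpeername(fd, (struct sockaddr *)&ss, &len) < 0)
		return 0;	/* ENOTSOCK, ENOTCONN, ...: not a connected socket */
	if (ss.ss_family == AF_INET)
		return 1;
#ifdef AF_INET6
	if (ss.ss_family == AF_INET6)
		return 1;
#endif
	return 0;
}

/*
 * Exercise the three cases a daemon meets: a pipe (no socket at all), an
 * AF_UNIX socketpair (a socket of the wrong family) and a loopback TCP
 * connection. Returns a bit mask, 7 when all three classify as expected,
 * -1 if a fixture could not be set up.
 */
int
peer_check_demo(void)
{
	int pp[2], sp[2], lst, cli, srv = -1, r = 0;
	struct sockaddr_in sin;
	socklen_t slen = sizeof(sin);

	if (pipe(pp) != 0)
		return -1;
	if (peer_is_inet_socket(pp[0]) == 0)
		r |= 1;
	close(pp[0]); close(pp[1]);

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) != 0)
		return -1;
	if (peer_is_inet_socket(sp[0]) == 0)
		r |= 2;
	close(sp[0]); close(sp[1]);

	if ((lst = socket(AF_INET, SOCK_STREAM, 0)) < 0)
		return -1;
	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	sin.sin_port = 0;	/* kernel picks an ephemeral port */
	if (bind(lst, (struct sockaddr *)&sin, sizeof(sin)) != 0 ||
	    listen(lst, 1) != 0 ||
	    getsockname(lst, (struct sockaddr *)&sin, &slen) != 0) {
		close(lst);
		return -1;
	}
	if ((cli = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		close(lst);
		return -1;
	}
	if (connect(cli, (struct sockaddr *)&sin, sizeof(sin)) != 0 ||
	    (srv = accept(lst, NULL, NULL)) < 0) {
		close(cli); close(lst);
		return -1;
	}
	/* both ends of the loopback connection are Internet sockets */
	if (peer_is_inet_socket(cli) == 1 && peer_is_inet_socket(srv) == 1)
		r |= 4;
	close(srv); close(cli); close(lst);
	return r;
}
```

Markus Friedl's hard-coded `#define AF_INET6 24` is the other way out of the build error, but as Ben notes the value is platform-specific, and a wrong constant silently turns the IPv6 branch into a comparison that never matches; the `#ifdef` form cannot be wrong in that way because it never invents a value.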
From: djm at mindrot.org (Damien Miller)
Date: Fri, 17 Dec 1999 13:46:48 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.1pre18
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 16 Dec 1999, Marc G. Fournier wrote:

> that's what I did to get around the problem, but still have the utmpx
> problem ;(

The attached patch makes utmpx support optional (disabled by default). Does it help?

Note that the attached patch does not include the autoconf magic to actually enable utmpx support.

Regards,
Damien

- -- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4WaQcormJ9RG1dI8RAjnBAJ0WQTr1sZdzBNB8jVZ1vXJDYRaUgwCfZFdQ
CblBWPDYpOuV3GimPkgXK6c=
=nO0
-----END PGP SIGNATURE-----

-------------- next part --------------
? openssh-keygen-progress.patch
Index: acconfig.h
===================================================================
RCS file: /var/cvs/openssh/acconfig.h,v
retrieving revision 1.24
diff -u -r1.24 acconfig.h
--- config.h.in 1999/12/15 05:33:33 1.24
+++ config.h.in 1999/12/17 02:44:22
@@ -91,7 +91,7 @@ # include /* For _PATH_XXX */ #endif -#ifdef HAVE_UTMPX_H +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) # include /* For _PATH_XXX */ #endif
@@ -183,7 +183,7 @@ #endif /* Use utmpx if supported */ -#ifdef HAVE_UTMPX_H +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) # define UTMP_STR utmpx #else # ifdef HAVE_UTMP_H
@@ -192,7 +192,7 @@ #endif #ifndef _PATH_UTMP -# ifdef UTMPX_FILE +# if defined(UTMPX_FILE) && defined(USE_UTMPX) # define _PATH_UTMP UTMPX_FILE # else # ifdef UTMP_FILE
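Review bot: the first file header says `Index: acconfig.h` but the `---` and `+++` lines name config.h.in, so `patch` will apply these four hunks to the generated config.h.in rather than to the autoconf source, and the next autoheader run will throw the change away; regenerate the diff against acconfig.h. Also, as the message itself says, nothing defines USE_UTMPX yet, so every new `#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)` is false until the configure check lands, which is fine for "disabled by default" but means the utmpx path is now dead code that no build exercises.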
@@ -204,7 +204,7 @@ #endif #ifndef _PATH_WTMP -# ifdef WTMPX_FILE +# if defined(WTMPX_FILE) && defined(USE_UTMPX) # define _PATH_WTMP WTMPX_FILE # else # ifdef WTMP_FILE
Index: bsd-login.c
===================================================================
RCS file: /var/cvs/openssh/bsd-login.c,v
retrieving revision 1.6
diff -u -r1.6 bsd-login.c
--- bsd-login.c 1999/12/12 21:27:33 1.6
+++ bsd-login.c 1999/12/17 02:44:22
@@ -45,7 +45,7 @@ #include #include #include -#ifdef HAVE_UTMPX_H +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) # include #endif #ifdef HAVE_UTMP_H
@@ -64,7 +64,7 @@ #ifndef UT_LINESIZE # define UT_LINESIZE (sizeof(old_ut.ut_line)) -# ifdef HAVE_UTMPX_H +# if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) # define UT_NAMESIZE (sizeof(old_ut.ut_user)) # else # define UT_NAMESIZE (sizeof(old_ut.ut_name))
@@ -72,7 +72,7 @@ # ifdef HAVE_HOST_IN_UTMP # define UT_HOSTSIZE (sizeof(old_ut.ut_host)) # endif -# ifdef HAVE_HOST_IN_UTMPX +# if defined(HAVE_HOST_IN_UTMPX) && defined(USE_UTMPX) # define UT_HOSTSIZE (sizeof(old_ut.ut_host)) # endif #endif
Index: login.c
===================================================================
RCS file: /var/cvs/openssh/login.c,v
retrieving revision 1.6
diff -u -r1.6 login.c
--- login.c 1999/12/08 23:16:55 1.6
+++ login.c 1999/12/17 02:44:22
@@ -20,7 +20,7 @@ #include "includes.h" RCSID("$Id: login.c,v 1.10 1999/11/24 19:53:47 markus Exp $"); -#ifdef HAVE_UTMPX_H +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) # include #endif #ifdef HAVE_UTMP_H
@@ -94,7 +94,7 @@ /* Construct an utmp/wtmp entry. */ memset(&u, 0, sizeof(u)); strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line)); -#ifdef HAVE_UTMPX_H +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) u.ut_tv.tv_sec = time(NULL); strncpy(u.ut_user, user, sizeof(u.ut_name)); #else

From djm at mindrot.org Fri Dec 17 14:01:54 1999
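Review bot: in the login.c hunk at line 94 the utmpx branch copies into `u.ut_user` but sizes the copy with `sizeof(u.ut_name)`; the bsd-login.c hunk above distinguishes ut_user from ut_name precisely because they are different members on utmpx systems, so the bound should be `sizeof(u.ut_user)`. The line is unchanged context here, but since this patch is what gates the branch on USE_UTMPX it is the right moment to correct the length before anyone enables it.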
From: djm at mindrot.org (Damien Miller)
Date: Fri, 17 Dec 1999 14:01:54 +1100 (EST)
Subject: Progress meter for ssh-keygen
In-Reply-To: <199912160734.XAA09593@mozart.solipsa.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 15 Dec 1999, Mark D. Baushke wrote:

> Yes, this behavior can be obtained if you remember to add the -q
> switch to the scp command, but it might be useful to borrow this kind
> of configuration functionality from the ssh1.2.27 configure script. I
> believe they use a macro something like WITH_SCP_STATS to control if
> the code to generate the progress stats should be compiled into the
> program or not.

How about:

alias scp="scp -q"

In your profile?

Regards,
Damien Miller

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4WaemormJ9RG1dI8RAo4qAJ9U8KNg3Ffvgdr68IY+hJI1r+btrQCaAxwI
ZWjF66PP5iaP3FRnAeuocqM=
=/Ct5
-----END PGP SIGNATURE-----

From andre.lucas at dial.pipex.com Sat Dec 18 03:25:27 1999
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Fri, 17 Dec 1999 16:25:27 +0000
Subject: ANNOUNCE: preliminary HPUX10.20 port
Message-ID: <385A63F7.6398E4DF@dial.pipex.com>

Hi all,

I've done a basic port of OpenSSH 1.2.1pre18 to HPUX10.20. It looks like everything's in there except utmp/wtmp/wtmpx support, which seems to be a problem in general... In particular, X11 forwarding works (Oh yes!) even though HP seem determined to break it. It's working well enough to do continuing development work on, if that tells you anything about the state of the port.

The patchfile (hint: use GNU patch 2.5!) is attached; it's made against the virgin openssh-1.2.1pre18.tar.gz file. It's tested with gcc; I'm interested to hear if it works with HP's compiler. I haven't tested with a trusted system yet but the detection code is in there.

AFAIK the changes are all autoconf friendly. It adds the platform detection stuff (config.sub, config.guess) which may annoy some people - let me know what you think. I don't see the harm myself.

Even if you don't have HPUX, I'd be grateful if you'd try applying the patch so I can see what breaks.

BTW don't hate me for some of the apparently weird autoconf changes, HPUX is a strange place to work. If there's anyone out there who can explain what the *hell* they are playing at with utmp and wtmp, I'd love to hear it.

Enjoy!
-Andre Lucas
Instinet Global Services

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-1.2.1pre18-hpux1020.patch.gz
Type: application/x-gzip
Size: 26446 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991217/022a7aff/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2471 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991217/022a7aff/attachment-0001.bin

From sen_ml at eccosys.com Sat Dec 18 13:45:59 1999
From: sen_ml at eccosys.com (sen_ml at eccosys.com)
Date: Sat, 18 Dec 1999 11:45:59 +0900
Subject: limiting port forwarding? (do better than just 'on' or 'off'?)
Message-ID: <19991218114559I.1000@eccosys.com>

hello-

i would like to be able to have users access a specific set of ports (and no others) on a machine running an ssh daemon via ssh's port-forwarding.

i was thinking of doing this by not providing shell access (so using an appropriate command="command" option in each user's authorized_keys file), but i did not find an appropriate keyword for the sshd configuration file to control which ports should be permitted to be forwarded. i know about the AllowTcpForwarding keyword, but it does not appear to allow the granularity of control i would like, to put it mildly ;-)

is there currently a way to accomplish what is described above? if not, how hard would it be to implement the ability to limit port-forwarding of server (the one that is running the sshd being connected to) ports to certain specific ports? further, would it be difficult to do this on a per rsa key basis and/or per user basis?

thanks for your time.

From andre.lucas at dial.pipex.com Tue Dec 21 05:07:05 1999
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Mon, 20 Dec 1999 18:07:05 +0000
Subject: Portability hacks + alpha HPUX1020 port
Message-ID: <385E7049.B5C7EE12@dial.pipex.com>

Hi,

Attached is a patch to 1.2.1pre18 that includes a number of portability changes, and more a more complete HPUX10.20 implementation. Thanks to Ben Taylor's utmpx patch, utmpx and wtmpx support are now in for HP, with a few caveats. It compiles cleanly on HPUX10.20 with gcc, cleanly on Linux, and with a few minor warnings on Solaris 2.6.

Most compat changes are made via autoconf which should help further portability a little. However, with OpenBSD, Linux, Solaris and HPUX running I'm out of other platforms to try right now.

The patch needs to be applied against raw 1.2.1pre18, as it includes both Ben's patch and the simplest IPV6 change. Changes and TODOs follow. I look forward to your bitter criticism, or even some constructive feedback...

Ta,
-Andre Lucas
Instinet Global Services

Changes (mostly HPSUX workarounds :-) )
- Ben Taylor's utmpx patch, with a few hacks for HPUX compat
- Filled out utmp struct as well for above (HP commands still use utmp...)
- innetgr() protos if required
- #ifdef blocks for innetgr lib function
- *snprintf proto definitions if not present (HP)
- utmpx compatibility hacks
- search for xauth
- check for updwtmpx lib func (HP)
- check for ttcompat.h (HP)
- check environment for mail directory if no maillock.h
- variable for custom rsh path (HP uses remsh)
- include bsd-login.h for systems w/o login lib func
- X11 port forwarding on HPUX
- macro to use setreuid() instead of seteuid(), which HP lacks
  *** Someone shout if this has any security implications ! ***
- autoconf config.sub and config.guess (AC_CANONICAL_HOST) added
- various compiler warnings squashed. I hate warnings. Grr.

TODO:
- HP utmp/utmpx support is still broken, ttyslot() seems to return garbage for ptys... anyone? :-)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-1.2.1pre18-hpux1020-a4.patch.gz
Type: application/x-gzip
Size: 29217 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991220/84bce5d9/attachment.bin

From andre.lucas at dial.pipex.com Tue Dec 21 05:21:58 1999
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Mon, 20 Dec 1999 18:21:58 +0000
Subject: Portability hacks + alpha HPUX1020 port
References: <385E7049.B5C7EE12@dial.pipex.com>
Message-ID: <385E73C6.A13965E8@dial.pipex.com>

Er, that's ' a more complete HPUX10.20 implementation'. Oops.

Andre Lucas wrote:
>
> Hi,
>
> Attached is a patch to 1.2.1pre18 that includes a number of portability
> changes, and more a more complete HPUX10.20 implementation. Thanks to
> Ben Taylor's utmpx patch, utmpx and wtmpx support are now in for HP,
> with a few caveats. It compiles cleanly on HPUX10.20 with gcc, cleanly
> on Linux, and with a few minor warnings on Solaris 2.6.
>
> Most compat changes are made via autoconf which should help further
> portability a little. However, with OpenBSD, Linux, Solaris and HPUX
> running I'm out of other platforms to try right now.
>
> The patch needs to be applied against raw 1.2.1pre18, as it includes
> both Ben's patch and the simplest IPV6 change. Changes and TODOs follow.
> I look forward to your bitter criticism, or even some constructive
> feedback...
>
> Ta,
> -Andre Lucas
> Instinet Global Services
>
> Changes (mostly HPSUX workarounds :-) )
> - Ben Taylor's utmpx patch, with a few hacks for HPUX compat
> - Filled out utmp struct as well for above (HP commands still use
> utmp...)
> - innetgr() protos if required
> - #ifdef blocks for innetgr lib function
> - *snprintf proto definitions if not present (HP)
> - utmpx compatibility hacks
> - search for xauth
> - check for updwtmpx lib func (HP)
> - check for ttcompat.h (HP)
> - check environment for mail directory if no maillock.h
> - variable for custom rsh path (HP uses remsh)
> - include bsd-login.h for systems w/o login lib func
> - X11 port forwarding on HPUX
> - macro to use setreuid() instead of seteuid(), which HP lacks ***
> Someone shout if this has any security implications ! ***
> - autoconf config.sub and config.guess (AC_CANONICAL_HOST) added
> - various compiler warnings squashed. I hate warnings. Grr.
>
> TODO:
> - HP utmp/utmpx support is still broken, ttyslot() seems to return
> garbage for ptys... anyone? :-)
>
>    ------------------------------------------------------------------------
>                     Name: openssh-1.2.1pre18-hpux1020-a4.patch.gz
>    openssh-1.2.1pre18-hpux1020-a4.patch.gz    Type: application/x-gzip
>                 Encoding: base64

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2471 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991220/057e39cb/attachment.bin

From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Dec 21 06:23:20 1999
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Mon, 20 Dec 1999 20:23:20 +0100
Subject: Portability hacks + alpha HPUX1020 port
In-Reply-To: <385E73C6.A13965E8@dial.pipex.com>; from andre.lucas@dial.pipex.com on Mon, Dec 20, 1999 at 06:21:58PM +0000
References: <385E7049.B5C7EE12@dial.pipex.com> <385E73C6.A13965E8@dial.pipex.com>
Message-ID: <19991220202320.A15293@serv01.aet.tu-cottbus.de>

On Mon, Dec 20, 1999 at 06:21:58PM +0000, Andre Lucas wrote:
> Er, that's ' a more complete HPUX10.20 implementation'. Oops.

Hi,

maybe you just forgot the attachment with the patch itself (like I do
with approx half of the attachments I want to send :-)?

Best regards,
	Lutz

> >    ------------------------------------------------------------------------
> >                     Name: openssh-1.2.1pre18-hpux1020-a4.patch.gz
> >    openssh-1.2.1pre18-hpux1020-a4.patch.gz    Type: application/x-gzip
> >                 Encoding: base64
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From andre.lucas at dial.pipex.com Tue Dec 21 07:11:50 1999
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Mon, 20 Dec 1999 20:11:50 +0000
Subject: Portability hacks + alpha HPUX1020 port
References: <385E7049.B5C7EE12@dial.pipex.com> <385E73C6.A13965E8@dial.pipex.com> <19991220202320.A15293@serv01.aet.tu-cottbus.de>
Message-ID: <385E8D86.D56A5D67@dial.pipex.com>

Nope. You had me shouting "doh" at myself for a few seconds, but it's definitely there in the post. It wouldn't be the first time I'd forgotten the attachment, though.

Is anyone else having trouble with the .gz file? Normally I would post patches as regular text pasted into the mail, but this one is 140KB as it has some new files and quite a few changes. I don't want to get flames for sending another huge post today!

-Andre

Lutz Jaenicke wrote:
>
> On Mon, Dec 20, 1999 at 06:21:58PM +0000, Andre Lucas wrote:
> > Er, that's ' a more complete HPUX10.20 implementation'. Oops.
>
> Hi,
>
> maybe you just forgot the attachment with the patch itself (like I do
> with approx half of the attachments I want to send :-)?
>
> Best regards,
> 	Lutz
>
> > >    ------------------------------------------------------------------------
> > >                     Name: openssh-1.2.1pre18-hpux1020-a4.patch.gz
> > >    openssh-1.2.1pre18-hpux1020-a4.patch.gz    Type: application/x-gzip
> > >                 Encoding: base64
> --
> Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
> BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From djm at mindrot.org Tue Dec 21 21:05:51 1999
From: djm at mindrot.org (Damien Miller)
Date: Tue, 21 Dec 1999 21:05:51 +1100 (EST)
Subject: Portability hacks + alpha HPUX1020 port
In-Reply-To: <385E7049.B5C7EE12@dial.pipex.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 20 Dec 1999, Andre Lucas wrote:

> Hi,
>
> Attached is a patch to 1.2.1pre18 that includes a number
> of portability changes, and more a more complete HPUX10.20
> implementation. Thanks to Ben Taylor's utmpx patch, utmpx and wtmpx
> support are now in for HP, with a few caveats. It compiles cleanly
> on HPUX10.20 with gcc, cleanly on Linux, and with a few minor
> warnings on Solaris 2.6.

Excellent! Unfortunately I have already merged your preliminary patch :(

1.2.1pre19 should be released very soon. It includes a somewhat modified version of your original patch.

I have brought some of the changes you made out to ./configure directives because they are useful on other platforms. No doubt I have broken your patch in the process.

Since I am on holidays as of tomorrow afternoon I will have a bit more time to work on OpenSSH over the coming week (modulo xmas).

Thanks,
Damien Miller

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4X1EDormJ9RG1dI8RAgrbAKDKrbuWxpmhE2EWLTXySvglUZ+Y3ACdH/45
4Z+EyrZ9dB5DRNZmlIjlzXs=
=C7d8
-----END PGP SIGNATURE-----

From djm at mindrot.org Tue Dec 21 21:37:48 1999
From: djm at mindrot.org (Damien Miller)
Date: Tue, 21 Dec 1999 21:37:48 +1100 (EST)
Subject: limiting port forwarding? (do better than just 'on' or 'off'?)
In-Reply-To: <19991218114559I.1000@eccosys.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 18 Dec 1999 sen_ml at eccosys.com wrote:

> hello-
>
> i would like to be able to have users access a specific set of
> ports (and no others) on a machine running an ssh daemon via ssh's
> port-forwarding.
>
> i was thinking of doing this by not providing shell access (so
> using an appropriate command="command" option in each user's
> authorized_keys file), but i did not find an appropriate keyword
> for the sshd configuration file to control which ports should be
> permitted to be forwarded. i know about the AllowTcpForwarding
> keyword, but it does not appear to allow the granularity of control
> i would like, to put it mildly ;-)

I was thinking of doing something along these lines. The mechanism I had in mind was a /etc/ssh/portforward file (suggestions for a better name welcomed) containing the following fields:

username group remote_addr remote_port

username could be a name, uid or an asterisk meaning "any"
group could be a name, gid or an asterisk meaning "any"
remote_addr could be a hostname, ip address or network in CIDR format
remote_port could be a service name, port, port range (numbers with a hyphen between them) or an asterisk.

That which is not implicitly allowed would be denied. We could ship a default file of "* * * *" for backwards compatibility.

Thoughts?

Regards,
Damien Miller

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4X1iDormJ9RG1dI8RAku1AJ9oWM0Vtxs193dQ0z5AstEpgQWOkACdEbcF
S8vwv+jrZOupHEun8Psfatw=
=Q1GP
-----END PGP SIGNATURE-----

From andre.lucas at dial.pipex.com Tue Dec 21 22:54:49 1999
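The proposal in Damien's message above (answering sen_ml's question earlier in the thread) names the four fields of a /etc/ssh/portforward file but not how a forwarding request is matched against them. The following Python is an added example, not OpenSSH code and not anything Damien posted; it assumes first-match-wins evaluation, `#` comments in the file, a constructed service table in place of /etc/services, and that the daemon has already resolved the client into (name, uid, group, gid) and the requested destination into an IP address plus, optionally, a hostname it trusts. The policy lines, users and addresses are all constructed for the example.

```python
"""Matcher for the proposed /etc/ssh/portforward format (added example).

Each non-comment line carries "username group remote_addr remote_port".
Rules are tried top to bottom; the first rule whose four fields all match
permits the forward, and anything unmatched is denied, so the single line
"* * * *" is the "allow everything" compatibility policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed service table; a real daemon would consult getservbyname(3).
SERVICES = {"ssh": 22, "smtp": 25, "http": 80, "imap": 143, "https": 443}

# Constructed sample policy (hypothetical users, groups and addresses).
POLICY = """\
# username  group   remote_addr        remote_port
*           wheel   *                  *           # admins: anywhere
alice       *       10.1.0.0/16        8000-8100   # lab subnet, dev ports only
*           mail    mailhost.example   imap        # mail group: IMAP on one host
1001        *       192.0.2.7          ssh         # uid 1001: ssh to one host
"""


@dataclass(frozen=True)
class Rule:
    user: str
    group: str
    addr: str
    port: str


def parse_rules(text: str) -> List[Rule]:
    """Parse the policy text; '#' starts a comment (an assumption here)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        rules.append(Rule(*fields))
    return rules


def _match_principal(spec: str, name: str, numeric_id: int) -> bool:
    """username/group field: a name, a numeric uid/gid, or '*'."""
    if spec == "*":
        return True
    if spec.isdigit():
        return int(spec) == numeric_id
    return spec == name


def _match_addr(spec: str, addr: str, hostname: Optional[str]) -> bool:
    """remote_addr field: hostname, IP address, or CIDR network.

    No DNS lookups happen here: the caller passes the destination address
    and, only if it trusts it, a hostname for that address.
    """
    if spec == "*":
        return True
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        # not an address or network, so the field is a hostname
        return hostname is not None and spec.lower() == hostname.lower()
    try:
        return ipaddress.ip_address(addr) in net  # False across v4/v6
    except ValueError:
        return False


def _port_range(spec: str) -> Tuple[int, int]:
    """Service name, single port, or 'lo-hi' range -> inclusive bounds."""
    if spec in SERVICES:
        return SERVICES[spec], SERVICES[spec]
    lo, _, hi = spec.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not (0 < lo_i <= hi_i <= 65535):
        raise ValueError(f"bad port spec {spec!r}")
    return lo_i, hi_i


def _match_port(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    try:
        lo, hi = _port_range(spec)
    except ValueError:
        return False  # unknown service or malformed spec never matches
    return lo <= port <= hi


def forward_allowed(rules: List[Rule], user: str, uid: int, group: str, gid: int,
                    addr: str, port: int, hostname: Optional[str] = None) -> bool:
    """First matching rule wins; no match means the forward is denied."""
    for r in rules:
        if (_match_principal(r.user, user, uid)
                and _match_principal(r.group, group, gid)
                and _match_addr(r.addr, addr, hostname)
                and _match_port(r.port, port)):
            return True
    return False
```

Two design choices are deliberate. Unknown service names and malformed port specs fail closed rather than matching, so a typo in the file removes access instead of granting it. The matcher also does no name resolution of its own: a hostname rule only fires when the caller supplies a hostname, which keeps the decision independent of whatever reverse DNS says at connection time.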
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Tue, 21 Dec 1999 11:54:49 +0000
Subject: Portability hacks + alpha HPUX1020 port
References:
Message-ID: <385F6A89.E1B7F136@dial.pipex.com>

Ok, I look forward to seeing what you've added.

A lot of people are seeing multiple copies of my first post in this thread. It's a little hard for me to know why it happens - a thousand people use that mail gateway at Instinet and send attachments all day long, no one else gets this - but I'll apologise anyway as it's a large attachment.

Is there any way the list administrator can investigate this please? It's not just my mail that people are getting more than once (I have two copies of your response, for example) but mine is the one pissing most people off, because of its size.

Here's hoping this one doesn't loop. Please, guys: The looping isn't my fault, don't killfile me just yet...

Ta,
-André

Damien Miller wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Mon, 20 Dec 1999, Andre Lucas wrote:
>
> > Hi,
> >
> > Attached is a patch to 1.2.1pre18 that includes a number
> > of portability changes, and more a more complete HPUX10.20
> > implementation. Thanks to Ben Taylor's utmpx patch, utmpx and wtmpx
> > support are now in for HP, with a few caveats. It compiles cleanly
> > on HPUX10.20 with gcc, cleanly on Linux, and with a few minor
> > warnings on Solaris 2.6.
>
> Excellent! Unfortunately I have already merged your preliminary
> patch :(
>
> 1.2.1pre19 should be released very soon. It includes a somewhat
> modified version of your original patch.
>
> I have brought some of the changes you made out to ./configure
> directives because they are useful on other platforms. No doubt
> I have broken your patch in the process.
>
> Since I am on holidays as of tomorrow afternoon I will have a bit
> more time to work on OpenSSH over the coming week (modulo xmas).
>
> Thanks,
> Damien Miller
>
> - --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.0 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE4X1EDormJ9RG1dI8RAgrbAKDKrbuWxpmhE2EWLTXySvglUZ+Y3ACdH/45
> 4Z+EyrZ9dB5DRNZmlIjlzXs=
> =C7d8
> -----END PGP SIGNATURE-----

From djm at mindrot.org Tue Dec 21 23:54:21 1999
From: djm at mindrot.org (Damien Miller)
Date: Tue, 21 Dec 1999 23:54:21 +1100 (EST)
Subject: Portability hacks + alpha HPUX1020 port
In-Reply-To: <385F6A89.E1B7F136@dial.pipex.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, 21 Dec 1999, Andre Lucas wrote:

> Ok, I look forward to seeing what you've added.

I will be uploading it in a moment. You can grab it from:

http://violet.ibs.com.au/openssh/files/openssh-1.2.1pre19.tar.gz

Please don't publicise this URL. Despite it being easy to figure out, I would prefer that general users use a mirror.

> A lot of people are seeing multiple copies of my first post in
> this thread. It's a little hard for me to know why it happens
> - a thousand people use that mail gateway at Instinet and send
> attachments all day long, no one else gets this - but I'll apologise
> anyway as it's a large attachment.
>
> Is there any way the list administrator can investigate this please?
> It's not just my mail that people are getting more than once (I have two
> copies of your response, for example) but mine is the one pissing most
> people off, because of its size.
>
> Here's hoping this one doesn't loop. Please, guys: The looping isn't
> my fault, don't killfile me just yet...

I host the list from one of my home machines. Can you send a few examples of the looped email with full headers and I will track it down.

Anyone have problems?

Thanks,
Damien

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4X3iBormJ9RG1dI8RAgaFAJ95SHx6EqbsLMtiSw1X8MvhlS2FtwCggi/z
yLmtUqxpEaS9Ff3gKlddQH0=
=2A9i
-----END PGP SIGNATURE-----

From pasteka at kabsi.at Wed Dec 22 00:04:58 1999
From: pasteka at kabsi.at (Othmar Pasteka)
Date: Tue, 21 Dec 1999 14:04:58 +0100
Subject: Authentication using Kerberos V
Message-ID: <19991221140458.B4112@tron.priv.at>

Hi,

i just looked at the openssh program and found out that it just supports Kerberos IV. are there any plans that Kerberos V will be supported? i just looked at the non-free ssh version 1.2.27 and saw that it supports Kerberos V. so is there any chance to get Kerberos V support in the near future or not?

regards
Othmar

From bole at falcon.etf.bg.ac.yu Wed Dec 22 05:59:19 1999
From: bole at falcon.etf.bg.ac.yu (Bosko Radivojevic)
Date: Tue, 21 Dec 1999 19:59:19 +0100 (CET)
Subject: Problem with UTMP recording
Message-ID:

Hello to all!

I have a problem with OpenSSH 1.2.1pre18 on Linux (kernel 2.2.13, distribution Slackware 4.0). When someone logs in using ssh, there is no way to see his presence with some 'standard' tools (finger, who, w, users...). Of course, his processes are in ps, and so on. I've tried to see /etc/utmp using vi, and there is some entry, but maybe invalid, or something.

When I enable the option 'UseLogin', login correctly records logins and logouts, but the user has to enter the password twice.

Attached is config.h (created after configure --sysconfdir=/etc/ssh). If you need any additional information, please tell me.

Sincerely,
Bole

-------------- next part --------------
/* config.h.  Generated automatically by configure.  */
/* config.h.in.  Generated automatically from configure.in by autoheader.  */

/* Define as __inline if that's what the C compiler calls it.  */
/* #undef inline */

/* SSL directory.  */
#define ssldir "/usr/local/ssl"

/* Location of lastlog file */
#define LASTLOG_LOCATION "/var/log/lastlog"

/* If lastlog is a directory */
/* #undef LASTLOG_IS_DIR */

/* Location of random number pool */
#define RANDOM_POOL "/dev/urandom"

/* Are we using the Entropy gathering daemon */
/* #undef HAVE_EGD */

/* Define if your ssl headers are included with #include */
/* #undef HAVE_SSL */

/* Define if your ssl headers are included with #include */
#define HAVE_OPENSSL 1

/* Define if utmp.h has a ut_host field */
#define HAVE_HOST_IN_UTMP 1

/* Define if utmpx.h has a ut_host field */
/* #undef HAVE_HOST_IN_UTMPX */

/* Define if libutil has login() function */
/* #undef HAVE_LIBUTIL_LOGIN */

/* Define if libc defines __progname */
#define HAVE___PROGNAME 1

/* Define if you want Kerberos 4 support */
/* #undef KRB4 */

/* Define if you want AFS support */
/* #undef AFS */

/* Define if you want S/Key support */
/* #undef SKEY */

/* Define if you want TCP Wrappers support */
/* #undef LIBWRAP */

/* Define if your libraries define login() */
#define HAVE_LOGIN 1

/* Define if your libraries define daemon() */
#define HAVE_DAEMON 1

/* Define if you want to allow MD5 passwords */
/* #undef HAVE_MD5_PASSWORDS */

/* Define if you have an old version of PAM which takes only one argument */
/* to pam_strerror */
#define HAVE_OLD_PAM 1

/* Data types */
/* #undef HAVE_QUAD_T */
#define HAVE_INTXX_T 1
#define HAVE_U_INTXX_T 1
#define HAVE_UINTXX_T 1

/* Define if you have /dev/ptmx */
/* #undef HAVE_DEV_PTMX */

/* Define if you have /dev/ptc */
/* #undef HAVE_DEV_PTS_AND_PTC */

/* Path to xauth binary */
#define XAUTH_PATH "/usr/X11R6/bin/xauth"

/* The number of bytes in a int.  */
#define SIZEOF_INT 4

/* The number of bytes in a long int.  */
#define SIZEOF_LONG_INT 4

/* The number of bytes in a long long int.  */
#define SIZEOF_LONG_LONG_INT 8

/* The number of bytes in a short int.  */
#define SIZEOF_SHORT_INT 2

/* Define if you have the _getpty function.  */
/* #undef HAVE__GETPTY */

/* Define if you have the arc4random function.  */
/* #undef HAVE_ARC4RANDOM */

/* Define if you have the mkdtemp function.  */
/* #undef HAVE_MKDTEMP */

/* Define if you have the openpty function.  */
/* #undef HAVE_OPENPTY */

/* Define if you have the setenv function.  */
#define HAVE_SETENV 1

/* Define if you have the setlogin function.  */
/* #undef HAVE_SETLOGIN */

/* Define if you have the setproctitle function.  */
/* #undef HAVE_SETPROCTITLE */

/* Define if you have the snprintf function.  */
#define HAVE_SNPRINTF 1

/* Define if you have the strlcat function.  */
/* #undef HAVE_STRLCAT */

/* Define if you have the strlcpy function.  */
/* #undef HAVE_STRLCPY */

/* Define if you have the vsnprintf function.  */
#define HAVE_VSNPRINTF 1

/* Define if you have the header file.  */
#define HAVE_ENDIAN_H 1

/* Define if you have the header file.  */
#define HAVE_LASTLOG_H 1

/* Define if you have the header file.  */
/* #undef HAVE_LOGIN_H */

/* Define if you have the header file.  */
/* #undef HAVE_MAILLOCK_H */

/* Define if you have the header file.  */
/* #undef HAVE_NETGROUP_H */

/* Define if you have the header file.  */
#define HAVE_PATHS_H 1

/* Define if you have the header file.  */
/* #undef HAVE_POLL_H */

/* Define if you have the header file.  */
/* #undef HAVE_PTY_H */

/* Define if you have the header file.  */
#define HAVE_SHADOW_H 1

/* Define if you have the header file.  */
#define HAVE_SYS_POLL_H 1

/* Define if you have the header file.  */
/* #undef HAVE_SYS_SELECT_H */

/* Define if you have the header file.  */
/* #undef HAVE_SYS_STROPTS_H */

/* Define if you have the header file.  */
#define HAVE_SYS_TIME_H 1

/* Define if you have the header file.  */
/* #undef HAVE_UTIL_H */

/* Define if you have the header file.  */
#define HAVE_UTMP_H 1

/* Define if you have the header file.  */
/* #undef HAVE_UTMPX_H */

/* Define if you have the crypto library (-lcrypto).  */
#define HAVE_LIBCRYPTO 1

/* Define if you have the dl library (-ldl).  */
#define HAVE_LIBDL 1

/* Define if you have the nsl library (-lnsl).  */
/* #undef HAVE_LIBNSL */

/* Define if you have the pam library (-lpam).  */
/* #undef HAVE_LIBPAM */

/* Define if you have the socket library (-lsocket).  */
/* #undef HAVE_LIBSOCKET */

/* Define if you have the z library (-lz).  */
#define HAVE_LIBZ 1

/* ******************* Shouldn't need to edit below this line ************** */

#include /* For u_intXX_t */
#include /* For SHUT_XXXX */

#ifdef HAVE_PATHS_H
# include /* For _PATH_XXX */
#endif

#ifdef HAVE_UTMP_H
# include /* For _PATH_XXX */
#endif

#ifdef HAVE_UTMPX_H
# include /* For _PATH_XXX */
#endif

#ifdef HAVE_SYS_TIME_H
# include /* For timersub */
#endif

#ifdef HAVE_MAILLOCK_H
#include
#endif

#ifndef SHUT_RDWR
enum
{
  SHUT_RD = 0,		/* No more receptions.  */
  SHUT_WR,		/* No more transmissions.  */
  SHUT_RDWR		/* No more receptions or transmissions.  */
};
# define SHUT_RD   SHUT_RD
# define SHUT_WR   SHUT_WR
# define SHUT_RDWR SHUT_RDWR
#endif

/* If sys/types.h does not supply intXX_t, supply them ourselves */
/* (or die trying) */
#ifndef HAVE_INTXX_T
# if (SIZEOF_SHORT_INT == 2)
#  define int16_t short int
# else
#  error "16 bit int type not found."
# endif
# if (SIZEOF_INT == 4)
#  define int32_t int
# else
#  error "32 bit int type not found."
# endif
# if (SIZEOF_LONG_INT == 8)
#  define int64_t long int
# else
#  if (SIZEOF_LONG_LONG_INT == 8)
#   define int64_t long long int
#  else
#   error "64 bit int type not found."
#  endif
# endif
#endif

/* If sys/types.h does not supply u_intXX_t, supply them ourselves */
#ifndef HAVE_U_INTXX_T
# ifdef HAVE_UINTXX_T
#  define u_int16_t uint16_t
#  define u_int32_t uint32_t
#  define u_int64_t uint64_t
# else
#  if (SIZEOF_SHORT_INT == 2)
#   define u_int16_t unsigned short int
#  else
#   error "16 bit int type not found."
#  endif
#  if (SIZEOF_INT == 4)
#   define u_int32_t unsigned int
#  else
#   error "32 bit int type not found."
#  endif
#  if (SIZEOF_LONG_INT == 8)
#   define u_int64_t unsigned long int
#  else
#   if (SIZEOF_LONG_LONG_INT == 8)
#    define u_int64_t unsigned long long int
#   else
#    error "64 bit int type not found."
#   endif
#  endif
# endif
#endif

/* If quad_t is not supplied, then supply it now. We can rely on int64_t */
/* being defined by the above */
#ifndef HAVE_QUAD_T
# define quad_t int64_t
#endif

/* If _PATH_LASTLOG is not defined by system headers, set it to the */
/* lastlog file detected by autoconf */
#ifndef _PATH_LASTLOG
# ifdef LASTLOG_LOCATION
#  define _PATH_LASTLOG LASTLOG_LOCATION
# endif
#endif

/* Use utmpx if supported */
#ifdef HAVE_UTMPX_H
# define UTMP_STR utmpx
#else
# ifdef HAVE_UTMP_H
#  define UTMP_STR utmp
# endif
#endif

#ifndef _PATH_UTMP
# ifdef UTMPX_FILE
#  define _PATH_UTMP UTMPX_FILE
# else
#  ifdef UTMP_FILE
#   define _PATH_UTMP UTMP_FILE
#  else
#   define _PATH_UTMP "/var/adm/utmp"
#  endif
# endif
#endif

#ifndef _PATH_WTMP
# ifdef WTMPX_FILE
#  define _PATH_WTMP WTMPX_FILE
# else
#  ifdef WTMP_FILE
#   define _PATH_WTMP WTMP_FILE
#  else
#   define _PATH_WTMP "/var/adm/wtmp"
#  endif
# endif
#endif

#ifndef _PATH_BSHELL
# define _PATH_BSHELL "/bin/sh"
#endif

#ifndef _PATH_STDPATH
# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin:"
#endif

#ifndef _PATH_DEVNULL
# define _PATH_DEVNULL "/dev/null"
#endif

#ifndef _PATH_MAILDIR
# ifdef MAILDIR
#  define _PATH_MAILDIR MAILDIR
# endif
#endif

#ifndef MAX
# define MAX(a,b) (((a)>(b))?(a):(b))
# define MIN(a,b) (((a)<(b))?(a):(b))
#endif

#ifndef timersub
#define timersub(a, b, result)					\
   do {								\
      (result)->tv_sec = (a)->tv_sec - (b)->tv_sec;		\
      (result)->tv_usec = (a)->tv_usec - (b)->tv_usec;		\
      if ((result)->tv_usec < 0) {				\
	 --(result)->tv_sec;					\
	 (result)->tv_usec += 1000000;				\
      }								\
   } while (0)
#endif

/* In older versions of libpam, pam_strerror takes a single argument */
#ifdef HAVE_OLD_PAM
# define PAM_STRERROR(a,b) pam_strerror((b))
#else
# define PAM_STRERROR(a,b) pam_strerror((a),(b))
#endif

#ifndef __P
# define __P(x) x
#endif

#if !defined(__GNUC__) || (__GNUC__ < 2)
# define __attribute__(x)
#endif /* !defined(__GNUC__) || (__GNUC__ < 2) */

From djm at mindrot.org Wed Dec 22 12:18:17 1999
From: djm at mindrot.org (Damien Miller)
Date: Wed, 22 Dec 1999 12:18:17 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.1pre19
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSH-1.2.1pre19 has been released.

http://violet.ibs.com.au/openssh/files/MIRRORS.html

The major change in this version is the integration of Andre Lucas' HPUX support. This adds a few other options which may be useful on other systems.

Changelog:

19991221
 - Integration of large HPUX patch from Andre Lucas. Integrating it had a few other benefits:
   - Ability to disable shadow passwords at configure time
   - Ability to disable lastlog support at configure time
   - Support for IP address in $DISPLAY
 - OpenBSD CVS update:
   - [sshconnect.c]
     say "REMOTE HOST IDENTIFICATION HAS CHANGED"
 - Fix DISABLE_SHADOW support
 - Allow MD5 passwords even if shadow passwords are disabled
 - Release 1.2.1pre19

19991218
 - Redhat init script patch from Chun-Chung Chen
 - Avoid breakage on systems without IPv6 headers

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4YCbdormJ9RG1dI8RAmsGAJ9NK4FDhvrAJrqYdzYK5IHFo39aZACgkiVe
DYKmn9MmTA6a0D6U10DUFPo=
=FxGd
-----END PGP SIGNATURE-----

From willard.dawson at sbs.siemens.com Wed Dec 22 12:54:29 1999
From: willard.dawson at sbs.siemens.com (Willard Dawson)
Date: Tue, 21 Dec 1999 20:54:29 -0500
Subject: ANNOUNCE: openssh-1.2.1pre19
In-Reply-To: ; from djm@mindrot.org on Wed, Dec 22, 1999 at 12:18:17PM +1100
References:
Message-ID: <19991221205429.A25576@wdawson-sun.sbs.siemens.com>

On Wed, Dec 22, 1999 at 12:18:17PM +1100, Damien Miller wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> OpenSSH-1.2.1pre19 has been released.
>
> http://violet.ibs.com.au/openssh/files/MIRRORS.html

And here's a bug report:

./configure --with-egd-pool=/export/home/wdawson-u60/wdawson/.gnupg/entropy

< grind, grind, grind, compile, compile, compile >

gcc -g -O2 -Wall -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c bsd-login.c
bsd-login.c: In function `login':
bsd-login.c:90: structure has no member named `ut_host'
bsd-login.c:91: structure has no member named `ut_host'
bsd-login.c:94: structure has no member named `ut_host'
bsd-login.c:94: structure has no member named `ut_host'
bsd-login.c:94: `UT_HOSTSIZE' undeclared (first use in this function)
bsd-login.c:94: (Each undeclared identifier is reported only once
bsd-login.c:94: for each function it appears in.)
*** Error code 1
make: Fatal error: Command failed for target `bsd-login.o'

Oh, well.

--
Willard Francis Otto Dawson          +1 770 814 5099 / +1 770 814 5202 FAX
Siemens Business Services, ENS       mailto:willard.dawson at sbs.siemens.com
4570 River Green Pkwy, Ste 140       http://www.sbs.siemens.com/
Duluth, GA 30096-2564                Standard disclaimer applies.

From willard.dawson at sbs.siemens.com Wed Dec 22 13:00:29 1999
From: willard.dawson at sbs.siemens.com (Willard Dawson)
Date: Tue, 21 Dec 1999 21:00:29 -0500
Subject: ANNOUNCE: openssh-1.2.1pre19
In-Reply-To: <19991221205429.A25576@wdawson-sun.sbs.siemens.com>; from willard.dawson@sbs.siemens.com on Tue, Dec 21, 1999 at 08:54:29PM -0500
References: <19991221205429.A25576@wdawson-sun.sbs.siemens.com>
Message-ID: <19991221210028.A25591@wdawson-sun.sbs.siemens.com>

On Tue, Dec 21, 1999 at 08:54:29PM -0500, Willard Dawson wrote:
> On Wed, Dec 22, 1999 at 12:18:17PM +1100, Damien Miller wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > OpenSSH-1.2.1pre19 has been released.
> >
> > http://violet.ibs.com.au/openssh/files/MIRRORS.html
>
> And here's a bug report:
>
> ./configure --with-egd-pool=/export/home/wdawson-u60/wdawson/.gnupg/entropy
>
> < grind, grind, grind, compile, compile, compile >

Oops, forgot to say which system this was for. My apologies!

(wdawson-u60) $ gcc -v
Reading specs from /usr/local/lib/gcc-lib/sparc-sun-solaris2.7/2.95.2/specs
gcc version 2.95.2 19991024 (release)
(wdawson-u60) $ uname -a
SunOS wdawson-u60 5.7 Generic_106541-08 sun4u sparc SUNW,Ultra-60

--
Willard Francis Otto Dawson          +1 770 814 5099 / +1 770 814 5202 FAX
Siemens Business Services, ENS       mailto:willard.dawson at sbs.siemens.com
4570 River Green Pkwy, Ste 140       http://www.sbs.siemens.com/
Duluth, GA 30096-2564                Standard disclaimer applies.

From djm at mindrot.org Wed Dec 22 13:13:19 1999
From: djm at mindrot.org (Damien Miller) Date: Wed, 22 Dec 1999 13:13:19 +1100 (EST) Subject: ANNOUNCE: openssh-1.2.1pre19 In-Reply-To: <19991221205429.A25576@wdawson-sun.sbs.siemens.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tue, 21 Dec 1999, Willard Dawson wrote: > And here's a bug report: ... and here's a fix (hopefully) Could you send me a copy of the config.h that autoconf generates for you? Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4YDPOormJ9RG1dI8RAirSAKC9B3GXeE43nwkgREvFMeR0Oq1GDQCfThZn iyjtuRPKhAbQMSokmvHrc6s= =bzeK -----END PGP SIGNATURE----- -------------- next part -------------- Index: login.c =================================================================== RCS file: /var/cvs/openssh/login.c,v retrieving revision 1.9 diff -u -r1.9 login.c --- login.c 1999/12/21 10:30:56 1.9 +++ login.c 1999/12/22 02:11:51 @@ -101,10 +101,14 @@ if ( wt.ut_type == USER_PROCESS) { if ( !strncmp(logname, wt.ut_user, 8) ) { t = (unsigned long) wt.ut_time; +#ifdef HAVE_HOST_IN_UTMP if (bufsize > sizeof(wt.ut_host) + 1) bufsize = sizeof(wt.ut_host) + 1; strncpy(buf, wt.ut_host, bufsize - 1); buf[bufsize - 1] = 0; +#endif /* HAVE_HOST_IN_UTMP */ + buf[0] = 0; +#endif /* HAVE_HOST_IN_UTMP */ } } From djm at mindrot.org Wed Dec 22 13:24:41 1999 
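Review bot: the hunk at @@ -101 does not preprocess as written. The first added `#endif /* HAVE_HOST_IN_UTMP */` already closes the `#ifdef HAVE_HOST_IN_UTMP`, so the second `#endif` after `buf[0] = 0;` has no matching conditional, and even if it did, `buf[0] = 0;` would run unconditionally and erase the host name just copied on systems that do have ut_host. The first added directive should read `#else /* HAVE_HOST_IN_UTMP */`, with the single `#endif` kept after `buf[0] = 0;`, so the empty-string fallback applies only where ut_host is absent.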
From: djm at mindrot.org (Damien Miller) Date: Wed, 22 Dec 1999 13:24:41 +1100 (EST) Subject: Better login.c patch Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Apply this patch to login.c if you are having difficulty compiling. This replaces the previous patch I sent. Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4YDZsormJ9RG1dI8RAhvkAJwJOUteyZBqQTkMOFeRg/wZh8HjbACdFgsE +WAB91OJF+TLuG8uOcNhrt8= =Rj1b -----END PGP SIGNATURE----- -------------- next part -------------- Index: login.c =================================================================== RCS file: /var/cvs/openssh/login.c,v retrieving revision 1.9 diff -u -r1.9 login.c --- login.c 1999/12/21 10:30:56 1.9 +++ login.c 1999/12/22 02:22:38 @@ -53,7 +53,7 @@ get_last_login_time(uid_t uid, const char *logname, char *buf, unsigned int bufsize) { -#if defined(HAVE_LASTLOG_H) && !defined(DISABLE_LASTLOG) +#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) struct lastlog ll; char *lastlog; int fd; @@ -76,7 +76,7 @@ buf[bufsize - 1] = 0; return ll.ll_time; -#else /* defined(HAVE_LASTLOG_H) && !defined(DISABLE_LASTLOG) */ +#else /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ /* Look in wtmp for the last login */ struct utmp wt; char *wt_file = _PATH_WTMP; @@ -101,10 +101,14 @@ if ( wt.ut_type == USER_PROCESS) { if ( !strncmp(logname, wt.ut_user, 8) ) { t = (unsigned long) wt.ut_time; +#ifdef HAVE_HOST_IN_UTMP if (bufsize > sizeof(wt.ut_host) + 1) bufsize = sizeof(wt.ut_host) + 1; strncpy(buf, wt.ut_host, bufsize - 1); buf[bufsize - 1] = 0; +#endif /* HAVE_HOST_IN_UTMP */ + buf[0] = 0; +#endif /* HAVE_HOST_IN_UTMP */ } } 
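Review bot: the @@ -101 hunk carries the same fault as the patch it replaces: `#ifdef HAVE_HOST_IN_UTMP` is closed by the first new `#endif`, leaving the second `#endif` after `buf[0] = 0;` unmatched and `buf[0] = 0;` unconditional, which both breaks preprocessing and would discard the copied host where ut_host exists. Change the first new `#endif /* HAVE_HOST_IN_UTMP */` to `#else /* HAVE_HOST_IN_UTMP */`. The @@ -53 and @@ -76 hunks, which switch the lastlog guard from the header test to `defined(_PATH_LASTLOG)`, are consistent with each other and with the remaining hunks of this file.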
@@ -113,7 +117,7 @@ } while (t == 0); return t; -#endif /* defined(HAVE_LASTLOG_H) && !defined(DISABLE_LASTLOG) */ +#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ } /* @@ -125,10 +129,10 @@ record_login(int pid, const char *ttyname, const char *user, uid_t uid, const char *host, struct sockaddr_in * addr) { -#if defined(HAVE_LASTLOG_H) && !defined(DISABLE_LASTLOG) +#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) struct lastlog ll; char *lastlog; -#endif /* defined(HAVE_LASTLOG_H) && !defined(DISABLE_LASTLOG) */ +#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ struct UTMP_STR u; const char *utmp, *wtmp; @@ -152,7 +156,7 @@ login(&u); -#if defined(HAVE_LASTLOG_H) && !defined(DISABLE_LASTLOG) +#if defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) lastlog = _PATH_LASTLOG; /* Update lastlog unless actually recording a logout. */ @@ -176,7 +180,7 @@ close(fd); } } -#endif /* defined(HAVE_LASTLOG_H) && !defined(DISABLE_LASTLOG) */ +#endif /* defined(_PATH_LASTLOG) && !defined(DISABLE_LASTLOG) */ } /* Records that the user has logged out. */ From drankin at bohemians.lexington.ky.us Fri Dec 24 06:26:20 1999 From: drankin at bohemians.lexington.ky.us (David Rankin) Date: Thu, 23 Dec 1999 14:26:20 -0500 Subject: Patch to make pre19 work with NetBSD Message-ID: <19991223142620.A12251@hilda.bohemians.lexington.ky.us> The pre19 code assumes that struct lastlog either exists in lastlog.h or isn't there. On NetBSD, struct lastlog is defined in utmp.h. Even worse, the non-lastlog code in login.h is terrible on NetBSD (since NetBSD doesn't have a ut_type struct member). With the patch below, openssh will compile and run on NetBSD again. Thanks, David --- configure.orig Tue Dec 21 06:51:22 1999 +++ configure Thu Dec 23 14:15:16 1999 
@@ -2073,12 +2073,43 @@ fi rm -f conftest* -echo $ac_n "checking whether pam_strerror takes only one argument""... $ac_c" 1>&6 -echo "configure:2078: checking whether pam_strerror takes only one argument" >&5 +echo $ac_n "checking For struct lastlog in utmp.h""... $ac_c" 1>&6 +echo "configure:2078: checking For struct lastlog in utmp.h" >&5 cat > conftest.$ac_ext < + #include + +int main() { +struct lastlog c; c.ll_time = 0; +; return 0; } +EOF +if { (eval echo configure:2090: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + + cat >> confdefs.h <<\EOF +#define HAVE_LASTLOG 1 +EOF + + echo "$ac_t""yes" 1>&6 + +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + echo "$ac_t""no" 1>&6 + +fi +rm -f conftest* + +echo $ac_n "checking whether pam_strerror takes only one argument""... $ac_c" 1>&6 +echo "configure:2109: checking whether pam_strerror takes only one argument" >&5 +cat > conftest.$ac_ext < #include --- config.h.in.orig Thu Dec 23 13:50:18 1999 +++ config.h.in Thu Dec 23 13:59:23 1999 @@ -148,6 +148,9 @@ /* Define if you have the header file. */ #undef HAVE_LASTLOG_H +/* Define if you don't have the header file but have lastlog. */ +#undef HAVE_LASTLOG + /* Define if you have the header file. */ #undef HAVE_LOGIN_H @@ -405,3 +408,7 @@ #if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) # define seteuid(a) setreuid(-1,a) #endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ + +#if defined(HAVE_LASTLOG_H) && !defined(HAVE_LASTLOG) +# define HAVE_LASTLOG +#endif /* defined (HAVE_LASTLOG_H) && !defined(HAVE_LASTLOG) */ --- login.c.orig Thu Dec 23 13:34:04 1999 +++ login.c Thu Dec 23 13:40:37 1999 
@@ -53,7 +53,7 @@ get_last_login_time(uid_t uid, const char *logname, char *buf, unsigned int bufsize) { -#if defined(HAVE_LASTLOG_H) && !defined(DISABLE_LASTLOG) +#if defined(HAVE_LASTLOG) && !defined(DISABLE_LASTLOG) struct lastlog ll; char *lastlog; int fd; --- configure.in.orig Thu Dec 23 13:41:02 1999 +++ configure.in Thu Dec 23 13:48:33 1999 @@ -151,6 +151,18 @@ [AC_MSG_RESULT(no)] ) +dnl On NetBSD (at least), lastlog is in utmp.h +AC_MSG_CHECKING([For struct lastlog in utmp.h]) +AC_TRY_COMPILE( + [#include ], + [struct lastlog c; c.ll_time = 0;], + [ + AC_DEFINE(HAVE_LASTLOG) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + dnl Check PAM strerror arguments AC_MSG_CHECKING([whether pam_strerror takes only one argument]) AC_TRY_COMPILE( From drankin at bohemians.lexington.ky.us Fri Dec 24 08:05:27 1999 
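Review bot: the login.c hunk at @@ -53 changes only the guard in get_last_login_time. The `#else`/`#endif` comments at lines 76 and 113 and the matching `defined(HAVE_LASTLOG_H) && !defined(DISABLE_LASTLOG)` guards in record_login (visible in Damien Miller's diff of the same login.c revision earlier in this thread) still test HAVE_LASTLOG_H. On NetBSD, where this patch sets HAVE_LASTLOG without HAVE_LASTLOG_H, sshd would therefore read the last login from lastlog but record_login would never write it, so sshd's own logins are missing from the record it reports. Every guard in login.c should test the same macro; switching them all to HAVE_LASTLOG is safe because the config.h.in hunk defines HAVE_LASTLOG whenever HAVE_LASTLOG_H is set, so existing platforms are unchanged.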
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Thu, 23 Dec 1999 16:05:27 -0500
Subject: Releasing a code version that stays for a while
Message-ID: <19991223160526.A13967@rumpole.bohemians.lexington.ky.us>

I've been working on a package for openssh to include in the NetBSD package system (similar to the FreeBSD ports system). I'm being hindered in this by the fact that updates to these packages can be extremely slow (2-3 days minimum, more like 2 weeks including testing), too slow to compensate for the fact that the tarfiles for back-level versions of openssh-1.2pre* are going away.

Given that Linux and NetBSD (among others) are stable, might it be possible to either have the next release stick around until 1.2.1 goes gold, or (even better) a bug-patch-only 1.2.1 branch be forked off before more enhancements start entering the tree?

Thanks,
David

--
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
Email: drankin at bohemians.lexington.ky.us Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be humble when you are praised is a great and rare accomplishment." St. Bernard

From jamest at math.ksu.edu Fri Dec 24 08:48:26 1999
From: jamest at math.ksu.edu (James Thompson)
Date: Thu, 23 Dec 1999 15:48:26 -0600 (CST)
Subject: Better Login.c Patch
In-Reply-To: <19991223160526.A13967@rumpole.bohemians.lexington.ky.us>
Message-ID:

Seems there might be a bug in the patch. I believe the first #endif below should actually be an #else

+#ifdef HAVE_HOST_IN_UTMP if (bufsize > sizeof(wt.ut_host) + 1) bufsize = sizeof(wt.ut_host) + 1; strncpy(buf, wt.ut_host, bufsize - 1); buf[bufsize - 1] = 0; +#endif /* HAVE_HOST_IN_UTMP */ + buf[0] = 0; +#endif /* HAVE_HOST_IN_UTMP */

Also, on Solaris 2.6 it seems you must specify --with-utmpx on your ./configure command or the program will fail to compile in bsd-login.c due to ut_host not being defined. I don't know if this is a bug or an oversight on my part.

->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<
James Thompson                    138 Cardwell Hall
Manhattan, Ks 66506               785-532-0561
Kansas State University           Department of Mathematics
->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<

From djm at mindrot.org Fri Dec 24 09:51:46 1999
From: djm at mindrot.org (Damien Miller)
Date: Fri, 24 Dec 1999 09:51:46 +1100 (EST)
Subject: Releasing a code version that stays for a while
In-Reply-To: <19991223160526.A13967@rumpole.bohemians.lexington.ky.us>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 23 Dec 1999, David Rankin wrote:

> I've been working on a package for openssh to include in the NetBSD
> package system (similar to the FreeBSD ports system). I'm being
> hindered in this by the fact that updates to these packages can
> be extremely slow (2-3 days minimum, more like 2 weeks including
> testing), too slow to compensate for the fact that the tarfiles for
> back-level versions of openssh-1.2pre* are going away.

What do you mean? All the old tar files are still around, you should be able to get them from:

http://violet.ibs.com.au/openssh/files/old/

or a mirror.

> Given that Linux and NetBSD (among others) are stable, might it be
> possible to either have the next release stick around until 1.2.1
> goes gold, or (even better) a bug-patch-only 1.2.1 branch be forked
> off before more enhancements start entering the tree?

I hope to have a stable release before the end of the year for NetBSD, Linux, Solaris and hopefully HPUX. Since I am on holidays now, I have a bit more time to work on OpenSSH (modulo xmas and new years).

Regards,
Damien Miller

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4YqeGormJ9RG1dI8RAsDTAKDc1ULJTF2lr5rkfgEJXSu3bAzR+wCglLd0
aSYG/TNKeHYIdtu9BmQahJU=
=BkHA
-----END PGP SIGNATURE-----

From djm at mindrot.org Fri Dec 24 09:52:49 1999
From: djm at mindrot.org (Damien Miller)
Date: Fri, 24 Dec 1999 09:52:49 +1100 (EST)
Subject: Better Login.c Patch
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 23 Dec 1999, James Thompson wrote:

> Also, on Solaris 2.6 it seems you must specify --with-utmpx on
> your ./configure command or the program will fail to compile in
> bsd-login.c due to ut_host not being defined. I don't know if this
> is a bug or an oversight on my part.

Probably my fault. I am going to release pre20 today which includes Ben Taylor's cleanup of the utmp/utmpx stuff.

Damien

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4YqfGormJ9RG1dI8RArL/AKCP+DHg2VwW8Z1FUlV9vg/3XHpfxQCcDy6h
v/RURrDivwI9B59Xr7XgBuQ=
=ZzWL
-----END PGP SIGNATURE-----

From bole at falcon.etf.bg.ac.yu Fri Dec 24 12:09:07 1999
From: bole at falcon.etf.bg.ac.yu (Bosko Radivojevic)
Date: Fri, 24 Dec 1999 02:09:07 +0100 (CET)
Subject: Problem with 1.2.1pre19
In-Reply-To:
Message-ID:

Hello to all

There is some very strange problem in 1.2.1pre19. I can not even log in, I'm always getting message "Permission denied, please try again." Seems like problem in auth-passwd.c or something. I tried to mix pre18 & pre19, but... ;)

Bye

From bole at falcon.etf.bg.ac.yu Fri Dec 24 12:45:51 1999
From: bole at falcon.etf.bg.ac.yu (Bosko Radivojevic)
Date: Fri, 24 Dec 1999 02:45:51 +0100 (CET)
Subject: Problem with 1.2.1pre19
In-Reply-To:
Message-ID:

[Me, again :)]

On Fri, 24 Dec 1999, Bosko Radivojevic wrote:

> There is some very strange problem in 1.2.1pre19. I can not even log in,
> I'm always getting message "Permission denied, please try again." Seems
> like problem in auth-passwd.c or something. I tried to mix pre18 & pre19,
> but... ;)

I forgot, this is on the server side; as a client, I have no complaints about 1.2.1pre19. :)

Bye

From jmknoble at pobox.com Fri Dec 24 18:06:19 1999
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 24 Dec 1999 02:06:19 -0500
Subject: ANNOUNCE: x11-ssh-askpass 0.99 available
Message-ID: <19991224020619.A12616@quipu.earth>

I've merged changes from the OpenBSD folks into x11-ssh-askpass (including a fix for a potential memory leak). The only reason it's not 1.0 yet is that it doesn't include a spec file for building RPMs. It's available here:

http://www.pobox.com/~jmknoble/jmk/x11-ssh-askpass-0.99.tar.gz

[Damien, remind me again what you were wanting to do with this as far as RPM packaging, bundling with openssh, etc. I seem to have lost your recent messages about that. Private mail is fine.]

--
jim knoble
jmknoble at pobox.com

From Marc.Haber-lists at gmx.de Fri Dec 24 20:28:08 1999
From: Marc.Haber-lists at gmx.de (Marc Haber)
Date: Fri, 24 Dec 1999 09:28:08 GMT
Subject: scp with openssh on the server side and $PATH.
In-Reply-To:
References:
Message-ID:

On Fri, 10 Dec 1999 16:32:28 GMT, you wrote:
>When I try to use scp from or to a machine that runs openssh-1.2pre16
>on Debian Linux, I keep getting the error message "scp: command not
>found". Executing "ssh this-host echo \$PATH" yields
>"/usr/bin:/bin:/usr/sbin:/sbin:" which might be set in config.h.

This issue still hasn't been addressed. I don't have a clue where to search.

Greetings
Marc

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         | " Questions are the           | Mail address in header
Karlsruhe, Germany | Beginning of Wisdom "         | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29

From andre.lucas at dial.pipex.com Sat Dec 25 00:43:46 1999
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Fri, 24 Dec 1999 13:43:46 +0000
Subject: ANNOUNCE: openssh-1.2.1pre19
References:
Message-ID: <38637892.E3635810@dial.pipex.com>

First chance I've had to compile 1.2.1pre19. The _PATH_MAILDIR stuff is broken on HPUX. A patch follows, mercifully short this time. It probably broke because the old way I did it was nasty, I think this is a little cleaner.

A lot of (IMHO) good portability stuff was in the 'a4' patch against 1.2.1pre18. I'll wait for 1.2.1pre20 before attempting to reapply any of it, though.

Ta,
-André

*** start of patch *** --- openssh-1.2.1pre19.orig/config.h.in Tue Dec 21 11:51:21 1999 +++ openssh-1.2.1pre19.new/config.h.in Fri Dec 24 13:33:00 1999 @@ -154,6 +154,9 @@ /* Define if you have the header file. */ #undef HAVE_MAILLOCK_H +/* Set this to your mail directory if you don't have maillock.h */ +#undef MAIL_DIRECTORY + /* Define if you have the header file. */ #undef HAVE_NETGROUP_H
@@ -236,6 +239,13 @@ #include #endif +/* MAIL_DIRECTORY is defined by configure from $MAIL environment + * variable in case we can't find the mail path from the headers */ +#ifndef MAILDIR +# define MAILDIR MAIL_DIRECTORY +#endif + #ifndef SHUT_RDWR enum { @@ -363,10 +373,6 @@ #ifndef _PATH_MAILDIR # ifdef MAILDIR # define _PATH_MAILDIR MAILDIR -# else -# ifdef MAIL_DIRECTORY -# define _PATH_MAILDIR MAIL_DIRECTORY -# endif # endif #endif *** end of patch *** Damien Miller wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > OpenSSH-1.2.1pre19 has been released. > 8< snip 8< From djm at mindrot.org Sat Dec 25 08:58:33 1999 
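Review bot: in the @@ -236 hunk, `#ifndef MAILDIR` / `# define MAILDIR MAIL_DIRECTORY` is taken even when configure has left MAIL_DIRECTORY as `#undef` (the situation the @@ -154 hunk documents), so on a host with neither maillock.h nor a configured mail directory, MAILDIR and in turn _PATH_MAILDIR expand to the bare identifier MAIL_DIRECTORY and the first use fails with an undeclared identifier, instead of _PATH_MAILDIR simply staying undefined as it did before the @@ -363 hunk removed the old fallback. Guard the new definition as `#if !defined(MAILDIR) && defined(MAIL_DIRECTORY)`; with that, removing the old `MAIL_DIRECTORY` branch in @@ -363 is correct.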
From: djm at mindrot.org (Damien Miller)
Date: Sat, 25 Dec 1999 08:58:33 +1100 (EST)
Subject: scp with openssh on the server side and $PATH.
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 24 Dec 1999, Marc Haber wrote:

> On Fri, 10 Dec 1999 16:32:28 GMT, you wrote:
> >When I try to use scp from or to a machine that runs
> >openssh-1.2pre16 on Debian Linux, I keep getting the error message
> >"scp: command not found". Executing "ssh this-host echo \$PATH"
> >yields "/usr/bin:/bin:/usr/sbin:/sbin:" which might be set in
> >config.h.
>
> This issue still hasn't been addressed. I don't have a clue what
> where to search.

This is a little tricky. When you execute scp, your local copy of scp executes another instance of scp on the server end.

The remote copy of scp could have been installed anywhere, and there is little the client could do to the path (it could be anywhere).

A possible solution would be to hardcode an explicit path at configure time, but this would only work if the client and the server were configured the same. I am not keen to include this kludge. (a more elegant solution would be welcomed, though).

Have you tried editing your /etc/profile (or similar) and simply including the path to scp in there?

Regards,
Damien Miller

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4Y+yNormJ9RG1dI8RArBRAJ4211JL8JUlBtZttn6AVQXvumH4GgCgznRk
A4UO3TyMJyRu+5XV/yOZhT4=
=8cf/
-----END PGP SIGNATURE-----

From djm at mindrot.org Sat Dec 25 10:30:31 1999
From: djm at mindrot.org (Damien Miller)
Date: Sat, 25 Dec 1999 10:30:31 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.1pre20
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

openssh-1.2.1pre20 has been released at:

http://violet.ibs.com.au/openssh/files/

This release integrates more of Andre Lucas' portability patch, Ben Taylor's utmpx patch and some cleanups and bugfixes of my own. The auth-passwd failures should be fixed, as should lastlog support on NetBSD.

Since Andre Lucas' patch included platform detection, we should use it to set appropriate compiler flags. I recall some discussion about solaris needing special flags to get openssh to compile. These can now be set by autoconf (if you tell me what they are).

The PAM support has been slightly cleaned up and I have fixed a small bug in the authentication (auth_password was not being tried with an empty password for PAM first). This has necessitated a small change to the PAM config file.

I am very interested to hear how this release compiles on Solaris, HPUX and AIX.

ChangeLog:

19991225
 - More fixes from Andre Lucas
 - Cleanup of auth-passwd.c for shadow and MD5 passwords
 - Cleanup and bugfix of PAM authentication code
19991223
 - Merged later HPUX patch from Andre Lucas
 - Above patch included better utmpx support from Ben Taylor
19991222
 - Fix undefined fd_set type in ssh.h from Povl H. Pedersen
 - Fix login.c breakage on systems which lack ut_host in struct utmp. Reported by Willard Dawson

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4ZAIbormJ9RG1dI8RAmp2AJ962AAA5qwWCEqgwFGB/YbdM65o3ACgyW0g
k+92eziI5oqXySFkuhCNCqY=
=t4uu
-----END PGP SIGNATURE-----

From karn at ka9q.ampr.org Sat Dec 25 11:08:38 1999
From: karn at ka9q.ampr.org (Phil Karn)
Date: Fri, 24 Dec 1999 16:08:38 -0800
Subject: ANNOUNCE: openssh-1.2.1pre20
In-Reply-To: (message from Damien Miller on Sat, 25 Dec 1999 10:30:31 +1100 (EST))
References:
Message-ID: <199912250008.QAA08486@homer.ka9q.ampr.org>

As far as I can tell, user password authentication is still broken in 1.2.1pre20. This is with Debian 2.1 Linux on both ends, 2.2.13 kernels:

marge.ka9q.ampr.org$ slogin homer
Enter passphrase for RSA key 'karn at ka9q.ampr.org': [deliberately hit return here]
Bad passphrase.
karn at homer.ka9q.ampr.org's password: [enter correct password here]
Permission denied, please try again.
karn at homer.ka9q.ampr.org's password: [enter correct password here]
Permission denied, please try again.
karn at homer.ka9q.ampr.org's password: [enter correct password here]
Permission denied.

--Phil

From karn at ka9q.ampr.org Sat Dec 25 12:37:20 1999
From: karn at ka9q.ampr.org (Phil Karn)
Date: Fri, 24 Dec 1999 17:37:20 -0800
Subject: ANNOUNCE: openssh-1.2.1pre20
In-Reply-To: <199912250008.QAA08486@homer.ka9q.ampr.org> (message from Phil Karn on Fri, 24 Dec 1999 16:08:38 -0800)
References: <199912250008.QAA08486@homer.ka9q.ampr.org>
Message-ID: <199912250137.RAA11136@homer.ka9q.ampr.org>

A followup observation: the problem I was having with password authentication goes away if I enable shadow passwords. Perhaps the sshd password checking routine assumes that shadow passwords are always on?

Phil

From jmknoble at pobox.com Sat Dec 25 12:44:11 1999
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 24 Dec 1999 20:44:11 -0500
Subject: scp with openssh on the server side and $PATH.
In-Reply-To: ; from Damien Miller on Sat, Dec 25, 1999 at 08:58:33AM +1100
References:
Message-ID: <19991224204411.A16311@quipu.earth>

Hmm ... two solutions come to mind:

(1) Allow a configuration item in /etc/ssh/sshd_config to specify the default PATH for connecting ssh sessions. I'm not so familiar with the protocol, but it might even be possible to specify different PATHs for interactive/noninteractive ssh sessions.

(2) Allow a configuration item in ~/.ssh/config to specify a PATH to pass to the remote shell. The local scp would pass a command like `env PATH=x:y:z; scp ...' to execute the remote scp. This is a bit trickier than [1], but does give control to the client.

I'll leave judgments on their elegance to someone besides me. Perhaps some combination of them would be practical....

--
jim knoble
jmknoble at pobox.com

On 1999-Dec-25 at 08:58:33 +1100, Damien Miller wrote:

: This is a little tricky. When you execute scp, your local copy of
: scp executes another instance of scp on the server end.
:
: The remote copy of scp could have been installed anywhere, and
: there is little the client could do to the path (it could be
: anywhere).
:
: A possible solution would be to hardcode an explicit path at
: configure time, but this would only work if the client and the
: server were configured the same. I am not keen to include this
: kludge. (a more elegant solution would be welcomed, though).
:
: Have you tried editing your /etc/profile (or similar) and simply
: including the path to scp in there?

From bent at clark.net Sat Dec 25 13:48:55 1999
From: bent at clark.net (Ben Taylor) Date: Fri, 24 Dec 1999 21:48:55 -0500 (EST) Subject: ANNOUNCE: openssh-1.2.1pre20 In-Reply-To: Message-ID: Here are my patches against pre20 which make utmpx support work correctly for Solaris. Fixes: login.c: fix typo, add code, clean ups for utmpx bsd-login.c: cleanup case with old_ut is only used when HAVE_HOST_IN_UTMP is used, as well as move defines used in only that case config.h.in: fix for utmpx Ben -------------- next part -------------- --- Makefile.in.ORIG Fri Dec 24 21:23:54 1999 +++ Makefile.in Fri Dec 24 21:24:26 1999 @@ -48,6 +48,8 @@ $(AR) rv $@ $(LIBOBJS) $(RANLIB) $@ +$(OBJS): config.h + ssh: ssh.o sshconnect.o log-client.o readconf.o clientloop.o libssh.a $(CC) -o $@ ssh.o sshconnect.o log-client.o readconf.o \ clientloop.o $(LDFLAGS) -lssh $(LIBS) --- bsd-login.c.ORIG Fri Dec 24 21:20:53 1999 +++ bsd-login.c Fri Dec 24 21:38:38 1999 @@ -65,13 +65,19 @@ struct utmp *utp; #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ { +#if defined(HAVE_HOST_IN_UTMP) struct utmp old_ut; +#endif #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) struct utmpx *old_utx; #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ register int fd; int tty; + tty = ttyslot(); + if (tty > 0 && (fd = open(_PATH_UTMP, O_RDWR|O_CREAT, 0644)) >= 0) { +#if defined(HAVE_HOST_IN_UTMP) + #ifndef UT_LINESIZE # define UT_LINESIZE (sizeof(old_ut.ut_line)) # define UT_NAMESIZE (sizeof(old_ut.ut_name)) @@ -79,10 +85,6 @@ # define UT_HOSTSIZE (sizeof(old_ut.ut_host)) # endif #endif - - tty = ttyslot(); - if (tty > 0 && (fd = open(_PATH_UTMP, O_RDWR|O_CREAT, 0644)) >= 0) { -#if defined(HAVE_HOST_IN_UTMP) (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); /* * Prevent luser from zero'ing out ut_host. --- config.h.in.ORIG Fri Dec 24 21:05:57 1999 +++ config.h.in Fri Dec 24 21:10:06 1999 
@@ -349,6 +349,23 @@ # endif #endif +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) +# ifndef _PATH_UTMPX +# ifdef UTMPX_FILE +# define _PATH_UTMPX UTMPX_FILE +# else +# define _PATH_UTMPX "/var/adm/utmpx" +# endif +# endif +# ifndef _PATH_WTMPX +# ifdef WTMPX_FILE +# define _PATH_WTMPX WTMPX_FILE +# else +# define _PATH_WTMPX "/var/adm/wtmp" +# endif +# endif +#endif + #ifndef _PATH_BSHELL # define _PATH_BSHELL "/bin/sh" #endif --- login.c.ORIG Fri Dec 24 21:15:34 1999 +++ login.c Fri Dec 24 21:20:04 1999 @@ -152,10 +152,11 @@ #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) memset(&utx, 0, sizeof(utx)); strncpy(utx.ut_user, user, sizeof(utx.ut_name)); + strcpy(utx.ut_id, "sshd"); strncpy(utx.ut_line, ttyname + 5, sizeof(utx.ut_line)); utx.ut_pid = (pid_t)pid; utx.ut_tv.tv_sec = time(NULL); - u.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS; + utx.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS; #ifdef HAVE_HOST_IN_UTMPX #ifdef HAVE_SYSLEN_IN_UTMPX utx.ut_syslen = strlen(host); @@ -166,7 +167,8 @@ #endif #endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ -#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) && !defined(HAVE_LOGIN) +/*#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) && !defined(HAVE_LOGIN)*/ +#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) login(&u, &utx); #else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */ login(&u); From Markus.Friedl at informatik.uni-erlangen.de Sat Dec 25 19:37:20 1999 
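Review bot: in the config.h.in hunk at @@ -349 the `_PATH_WTMPX` fallback is `"/var/adm/wtmp"`, the utmp-format file, while the `_PATH_UTMPX` fallback next to it correctly names the x variant. Wherever the headers do not supply WTMPX_FILE, sshd would append utmpx-sized records to wtmp and corrupt it for every reader of that file, including the wtmp fallback in login.c's get_last_login_time. It should be `"/var/adm/wtmpx"`.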
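Review bot: in the login.c hunk at @@ -152, `strcpy(utx.ut_id, "sshd");` writes five bytes (four characters plus the terminator) into ut_id, which in the SVR4 utmpx layout is a four-byte array, so the NUL lands in the next field. utmp string fields are not required to be NUL-terminated and should be filled with a length-bounded copy, `strncpy(utx.ut_id, "sshd", sizeof(utx.ut_id))`. The adjacent context line `strncpy(utx.ut_user, user, sizeof(utx.ut_name));` has the related weakness of bounding one field by another's size and deserves `sizeof(utx.ut_user)` while this area is being touched. The `u.ut_type` to `utx.ut_type` correction in the same hunk is right and is the fix the Solaris build needs.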
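Review bot: the login.c hunk at @@ -166 keeps the old `#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) && !defined(HAVE_LOGIN)` as a commented-out line above its replacement rather than deleting it; a disabled directive is dead text the next reader has to reason about, and the hunk gives no hint why the HAVE_LOGIN test was dropped. Remove the comment and, if calling the two-argument login() from bsd-login.c is now always intended under USE_UTMPX regardless of a system login(), record that reason in a short comment instead.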
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 25 Dec 1999 09:37:20 +0100
Subject: scp with openssh on the server side and $PATH.
In-Reply-To: <19991224204411.A16311@quipu.earth>; from jmknoble@pobox.com on Fri, Dec 24, 1999 at 08:44:11PM -0500
References: <19991224204411.A16311@quipu.earth>
Message-ID: <19991225093720.A25090@faui01.informatik.uni-erlangen.de>

On Fri, Dec 24, 1999 at 08:44:11PM -0500, Jim Knoble wrote:
> Hmm ... two solutions come to mind:
> [...]

ssh(1) says:

Additionally, ssh reads $HOME/.ssh/environment, and adds lines of the format ``VARNAME=value'' to the environment.

-markus

From djm at mindrot.org Sat Dec 25 22:42:52 1999
From: djm at mindrot.org (Damien Miller)
Date: Sat, 25 Dec 1999 22:42:52 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.1pre20
In-Reply-To:
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 24 Dec 1999, Ben Taylor wrote:

>
> Here are my patches against pre20 which make utmpx support
> work correctly for Solaris.

Applied. A question before I commit it:

=================================================================== RCS file: /var/cvs/openssh/login.c,v retrieving revision 1.11 diff -u -r1.11 login.c - --- login.c 1999/12/24 23:11:29 1.11 +++ login.c 1999/12/25 11:34:14
@@ -152,10 +152,11 @@ #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) memset(&utx, 0, sizeof(utx)); strncpy(utx.ut_user, user, sizeof(utx.ut_name)); + strcpy(utx.ut_id, "sshd");

My docs (utmp.h) indicates that the ut_id field is used to indicate the id of the process from the inittab. Is it used for something different on Solaris?

Regards,
Damien

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4ZK3BormJ9RG1dI8RAhSlAJ48eed0lvf5L0//RLOPo5xKSHzsWwCdGsz3
57+k6rAL2JYXZzDI5RoS6Qc=
=RnzM
-----END PGP SIGNATURE-----

From bent at clark.net Sun Dec 26 00:00:15 1999
From: bent at clark.net (Ben Taylor)
Date: Sat, 25 Dec 1999 08:00:15 -0500 (EST)
Subject: ANNOUNCE: openssh-1.2.1pre20
In-Reply-To:
Message-ID:

On Sat, 25 Dec 1999, Damien Miller wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 24 Dec 1999, Ben Taylor wrote:
>
> >
> > Here are my patches against pre20 which make utmpx support
> > work correctly for Solaris.
>
> Applied. A question before I commit it:
>
> =================================================================== > RCS file: /var/cvs/openssh/login.c,v > retrieving revision 1.11 > diff -u -r1.11 login.c > - --- login.c 1999/12/24 23:11:29 1.11 > +++ login.c 1999/12/25 11:34:14
> @@ -152,10 +152,11 @@ > #if defined(HAVE_UTMPX_H) && defined(USE_UTMPX) > memset(&utx, 0, sizeof(utx)); > strncpy(utx.ut_user, user, sizeof(utx.ut_name)); > + strcpy(utx.ut_id, "sshd");
>
> My docs (utmp.h) indicates that the ut_id field is used to
> indicate the id of the process from the inittab. Is it used for
> something different on Solaris?

Probably best not to commit it. I think I might have been a bit over zealous to fill out all the fields in the utmpx structure.

Ben

>
> Regards,
> Damien
>
> - --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.0 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE4ZK3BormJ9RG1dI8RAhSlAJ48eed0lvf5L0//RLOPo5xKSHzsWwCdGsz3
> 57+k6rAL2JYXZzDI5RoS6Qc=
> =RnzM
> -----END PGP SIGNATURE-----
>

From Marc.Haber-lists at gmx.de Sun Dec 26 01:43:58 1999
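The three utmp problems raised in this thread (the missing #else around the ut_host copy in get_last_login_time, the ut_user copy bounded by sizeof(ut_name), and strcpy into ut_id) share one cause: utmp string fields are fixed-width and need not be NUL-terminated, so neither strcpy into them nor strlen/strcpy out of them is safe. The following is an added example, not OpenSSH code. `struct demo_utmp` and its field widths are constructed for the demonstration (the real layout comes from the system's utmp.h or utmpx.h), and the `have_host` flag stands in for the HAVE_HOST_IN_UTMP result configure produces.

```c
/* Added example, not OpenSSH code. struct demo_utmp is constructed for
 * this demonstration; real field widths come from the system headers. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct demo_utmp {
    char ut_id[4];      /* e.g. inittab id; may legally lack a NUL */
    char ut_user[8];    /* login name; may legally lack a NUL */
    char ut_host[16];   /* remote host; may legally lack a NUL */
};

/* Store a C string in a fixed-width field: NUL-pad short values, and
 * store a value that fills the field exactly with no terminator, as
 * utmp allows. Returns 1 if the value fitted, 0 if it was truncated.
 * Unlike strcpy(), this never writes past the field. */
static int field_set(char *field, size_t fieldsize, const char *value)
{
    size_t len = strlen(value);

    memset(field, 0, fieldsize);
    memcpy(field, value, len < fieldsize ? len : fieldsize);
    return len <= fieldsize;
}

/* Extract a fixed-width field as a proper C string: never read past
 * fieldsize (there may be no NUL), truncate to the caller's buffer and
 * always terminate it. Returns the number of bytes stored. */
static size_t field_get(const char *field, size_t fieldsize,
                        char *buf, size_t bufsize)
{
    size_t n = 0;

    if (bufsize == 0)
        return 0;
    while (n < fieldsize && field[n] != '\0')
        n++;                      /* bounded strlen over the field */
    if (n > bufsize - 1)
        n = bufsize - 1;
    memcpy(buf, field, n);
    buf[n] = '\0';
    return n;
}

/* The shape get_last_login_time() needs: when the platform's utmp has
 * no ut_host (have_host == 0, the #else branch of HAVE_HOST_IN_UTMP) the
 * caller must still get an empty string, not stale buffer contents. */
static size_t last_login_host(const struct demo_utmp *wt, int have_host,
                              char *buf, size_t bufsize)
{
    if (have_host)
        return field_get(wt->ut_host, sizeof(wt->ut_host), buf, bufsize);
    if (bufsize > 0)
        buf[0] = '\0';
    return 0;
}

/* Exercise the helpers on constructed values. Returns 0 when every
 * check passes, otherwise the number of the first failing check. */
int demo_utmp_checks(void)
{
    struct demo_utmp u;
    char small[8], big[32];

    memset(&u, 0, sizeof(u));
    /* "sshd" fills ut_id exactly: fine for utmp, but strcpy() would
     * have put a fifth byte (the NUL) into ut_user. */
    if (!field_set(u.ut_id, sizeof(u.ut_id), "sshd")) return 1;
    if (memcmp(u.ut_id, "sshd", 4) != 0 || u.ut_user[0] != '\0') return 2;
    /* a five-character id is truncated and reported as such */
    if (field_set(u.ut_id, sizeof(u.ut_id), "sshd1")) return 3;

    /* a 16-character host fills ut_host with no terminator */
    if (!field_set(u.ut_host, sizeof(u.ut_host), "0123456789abcdef")) return 4;
    /* read-out into a small buffer: truncated but terminated */
    if (field_get(u.ut_host, sizeof(u.ut_host), small, sizeof(small)) != 7) return 5;
    if (strcmp(small, "0123456") != 0) return 6;
    /* read-out into a large buffer: all 16 bytes plus our NUL */
    if (last_login_host(&u, 1, big, sizeof(big)) != 16) return 7;
    if (strcmp(big, "0123456789abcdef") != 0) return 8;
    /* platform without ut_host: caller gets an empty string back */
    if (last_login_host(&u, 0, big, sizeof(big)) != 0 || big[0] != '\0') return 9;
    return 0;
}

int main(void)
{
    int rc = demo_utmp_checks();

    if (rc == 0)
        printf("all utmp field checks passed\n");
    else
        printf("utmp field check %d failed\n", rc);
    return rc;
}
```

The same two helpers cover every field in the thread: `field_set` is what the ut_id and ut_user assignments want, and `field_get` with the explicit `have_host` fallback is the get_last_login_time copy with the #else branch in place.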
From: Marc.Haber-lists at gmx.de (Marc Haber) Date: Sat, 25 Dec 1999 14:43:58 GMT Subject: scp with openssh on the server side and $PATH. In-Reply-To: References: Message-ID: On Sat, 25 Dec 1999 08:58:33 +1100 (EST), you wrote: >A possible solution would be to hardcode an explicit path at >configure time, but this would only work if the client and the >server were configured the same. I am not keen to include this >kludge. (a more elegant solution would be welcomed, though). > >Have you tried editing your /etc/profile (or similar) and simply >including the path to scp in there? scp is in /usr/local/bin/scp and openssh has been configured with --prefix=/usr/local/bin/. _PATH_STDPATH is set to "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:", but executing "ssh this-host echo \$PATH" yields "/usr/bin:/bin:/usr/sbin:/sbin:". I don't have the slightest idea where that PATH is pulled from. It neither is the PATH set in the server config nor the one set by /etc/profile on the server side. Is that path generated at the client side? In that case, I might have a problem since the client is a windows box with a pre-compiled ssh/scp binary. Using the non-free ssh on the server side works. Greetings Marc -- -------------------------------------- !! No courtesy copies, please !! ----- Marc Haber | " Questions are the | Mailadresse im Header Karlsruhe, Germany | Beginning of Wisdom " | Fon: *49 721 966 32 15 Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29 From Marc.Haber-lists at gmx.de Sun Dec 26 01:44:07 1999 
From: Marc.Haber-lists at gmx.de (Marc Haber) Date: Sat, 25 Dec 1999 14:44:07 GMT Subject: scp with openssh on the server side and $PATH. In-Reply-To: <19991224204411.A16311@quipu.earth> References: <19991224204411.A16311@quipu.earth> Message-ID: On Fri, 24 Dec 1999 20:44:11 -0500, you wrote: > (2) Allow a configuration item in ~/.ssh/config to specify a PATH to > pass to the remote shell. The local scp would pass a command > like `env PATH=x:y:z; scp ...' to execute the remote scp. This > is a bit trickier than [1], but does give control to the client. In quite some cases, the client system isn't under the user's control and / or runs a ssh version different from openssh. I feel that this needs to be solved on the server side. Greetings Marc -- -------------------------------------- !! No courtesy copies, please !! ----- Marc Haber | " Questions are the | Mailadresse im Header Karlsruhe, Germany | Beginning of Wisdom " | Fon: *49 721 966 32 15 Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29 From persoenlich at marc-haber.de Sun Dec 26 08:15:38 1999 
From: persoenlich at marc-haber.de (Marc Haber) Date: Sat, 25 Dec 1999 21:15:38 GMT Subject: scp with openssh on the server side and $PATH. In-Reply-To: <874sdla2ek.fsf@sheikh.hands.com> References: <87n1ri8z3e.fsf@sheikh.hands.com> <87bt7ubwib.fsf@sheikh.hands.com> <874sdla2ek.fsf@sheikh.hands.com> Message-ID: On 14 Dec 1999 16:54:43 +0000, you wrote: >If it fails on something you don't care about, you can normally get >round it by editing debian/rules Normally, yes. However, if I configure without gnome-ssh-askpass, it fails later when it tries to move the compiled file into the subdirectory structure. I comment that out, and build fails during dh_movefiles (which doesn't even have a man page). RTFS, delete the askpass subdirectories in debian, and have build fail even later because it _needs_ the askpass subdirectories. Hence, not yet a building debian openssh on my system :-( Greetings Marc -- -------------------------------------- !! No courtesy copies, please !! ----- Marc Haber | " Questions are the | Mailadresse im Header Karlsruhe, Germany | Beginning of Wisdom " | Fon: *49 721 966 32 15 Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29 From rlm at pricegrabber.com Sun Dec 26 11:52:10 1999 From: rlm at pricegrabber.com (Rob McMillin) Date: Sat, 25 Dec 1999 16:52:10 -0800 Subject: Looking for an appropriate forum Message-ID: <386566BA.823AF43F@pricegrabber.com> Sorry to bust in, folks, but I'm having some trouble integrating the OpenSSH RPMs in my Red Hat 6.1 system and was hoping somebody could point me at an appropriate place to ask my newbie questions. (I've been over the docs and they don't seem to apply to the problems I'm having.) -- http://www.pricegrabber.com | The best deals, all the time. From djm at mindrot.org Sun Dec 26 13:50:53 1999 
From: djm at mindrot.org (Damien Miller) Date: Sun, 26 Dec 1999 13:50:53 +1100 (EST) Subject: Disabling logging during pam_authenticate Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Is there any way to disable logging of failures during pam_authenticate? I ask because OpenSSH is currently generating an extra "authentication failure..." message at each login. The problem is that OpenSSH likes to try a blank password attempting any other authentication. This is a shortcut for anonymous SSH servers (e.g. OpenBSD's CVS repositories). I expect that this test will fail in the vast majority of cases, but it speeds things up significantly when it succeeds. A way to disable authentication failure delays on a per-function call basis would be great as well. Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD4DBQE4ZYKRormJ9RG1dI8RAt65AKDQnVI8AClZFOcz1qVhxyPbGHNjXwCY8cNS oLQgydP3KgSJVNZRsQ8e0w== =5qe6 -----END PGP SIGNATURE----- From djm at mindrot.org Sun Dec 26 14:49:14 1999 
From: djm at mindrot.org (Damien Miller) Date: Sun, 26 Dec 1999 14:49:14 +1100 (EST) Subject: ANNOUNCE: openssh-1.2.1pre21 Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 openssh-1.2.1pre21 has just been uploaded. This incorporates yet more fixes from Andre Lucas and Ben Taylor, Solaris and HPUX should be working properly now. This version also fixes up the PAM support a little more, though there is still a spurious authentication failure message at each log-in. Read the UPGRADING file for the gory details. The PAM configuration file has changed slightly. If you do not update your local copy you may experience delays during authentication. The Redhat RPM packages now include Jim Knoble's X11 ssh-askpass and use it by default. The old GNOME ssh-askpass is bundled as a separate package. For those of you not using Redhat and who missed Jim's announcement, this is available at: http://www.pobox.com/~jmknoble/jmk/ Changes: 19991226 - Enabled utmpx support by default for Solaris - Cleanup sshd.c PAM a little more - Revised RPM package to include Jim Knoble's X11 ssh-askpass program. - Disable logging of PAM success and failures, PAM is verbose enough. Unfortunately there is currently no way to disable auth failure messages. Mention this in UPGRADING file and sent message to PAM developers - OpenBSD CVS update: - [ssh-keygen.1 ssh.1] remove ref to .ssh/random_seed, mention .ssh/environment in .Sh FILES, too 19991225 - Merged fixes from Ben Taylor - Fixed configure support for PAM. Reported by Naz <96na at eng.cam.ac.uk> - Disabled logging of PAM password authentication failures when password is empty. (e.g start of authentication loop). 
Reported by Naz <96na at eng.cam.ac.uk>) Regards, Damien Miller - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4ZZA+ormJ9RG1dI8RAig2AKDA/XxDL/oTGqUOr/zbhQUHF6+6UgCeJwM8 fHx+Ndr8lQVcNV5jTeM70CI= =ZTbu -----END PGP SIGNATURE----- From bent at clark.net Sun Dec 26 14:55:16 1999 From: bent at clark.net (Ben Taylor) Date: Sat, 25 Dec 1999 22:55:16 -0500 (EST) Subject: scp with openssh on the server side and $PATH. In-Reply-To: Message-ID: On Sat, 25 Dec 1999, Marc Haber wrote: > _PATH_STDPATH is set to > "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:", but > executing "ssh this-host echo \$PATH" yields > "/usr/bin:/bin:/usr/sbin:/sbin:". I don't have the slightest idea > where that PATH is pulled from. It neither is the PATH set in the > server config nor the one set by /etc/profile on the server side. This path is generated out of the std path from config.h. Perhaps we should add in something into config.h.in for _STD_PATH to include the $(bindir) from configure. I just don't have a clue how this might happen, as I'm not that good at autoconf. Ben From jmknoble at pobox.com Sun Dec 26 17:25:51 1999 
From: jmknoble at pobox.com (Jim Knoble) Date: Sun, 26 Dec 1999 01:25:51 -0500 Subject: Disabling logging during pam_authenticate In-Reply-To: ; from Damien Miller on Sun, Dec 26, 1999 at 01:50:53PM +1100 References: Message-ID: <19991226012551.G698@quipu.earth> On 1999-Dec-26 at 13:50:53 +1100, Damien Miller wrote: : A way to disable authentication failure delays on a per-function call : basis would be great as well. Look at: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl-3.html and search for `pam_fail_delay' and see if that isn't what you need for this. -- jim knoble jmknoble at pobox.com From jmknoble at pobox.com Sun Dec 26 18:59:52 1999 
From: jmknoble at pobox.com (Jim Knoble) Date: Sun, 26 Dec 1999 02:59:52 -0500 Subject: ALERT: potential for `.' in _PATH_STDPATH [OpenSSH-1.2.1pre21] Message-ID: <19991226025952.H698@quipu.earth> After the recent discussion here about some OpenSSH sshd's having difficulty locating scp in /usr/local/bin/, i took a look at openssh-1.2.1pre17's config.h.in and found what i believe is a potential minor security problem: the _PATH_STDPATH defined there ends in `:', effectively putting a `.' (current directory) at the end of the path and thus opening ssh sessions that use that default PATH to the possibility of trojan attacks. This is *only* a problem if _PATH_STDPATH is not defined in your system includes (usually in /usr/include/). If your system includes do define _PATH_STDPATH (for example, in ), this problem does not affect you. (That is no guarantee, however, that your _PATH_STDPATH is completely secure---check it to make sure it is.) Since the `current directory' element is preceded by `/usr/bin:/bin:/usr/sbin:/sbin', the possibility for such an attack succeeding is less than if the current directory were at the beginning of the PATH, but it's still Not A Good Thing(tm). The attached patch fixes the potential problem. It's necessary to re-./configure and recompile openssh after patching. -- jim knoble jmknoble at pobox.com -------------- next part -------------- --- ./config.h.in.orig-pathdot Sat Dec 25 22:25:22 1999 +++ ./config.h.in Sun Dec 26 02:06:52 1999 @@ -371,7 +371,7 @@ #endif #ifndef _PATH_STDPATH -# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin:" +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" #endif #ifndef _PATH_DEVNULL From Marc.Haber-lists at gmx.de Mon Dec 27 00:58:40 1999 
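Review bot: dropping the trailing ':' is the right fix, because an empty PATH element, whether produced by a leading, trailing or doubled colon, is searched as the current directory, and the replacement string contains no empty element. The commit message should state that the change only takes effect where the system headers do not already define _PATH_STDPATH, since the `#ifndef` guard leaves a header-supplied value untouched, and that a value supplied by hand needs the same check: the `/usr/local/bin:...:/sbin:` string quoted earlier in this thread ends in the same trailing colon.

Jim's point is that the element between the final ':' and the end of the string is empty, and an empty element is searched as the current directory. The following C program is an added example, not code from the thread or from OpenSSH: it counts the elements of a PATH string that resolve relative to the working directory (empty elements, "." and any entry not starting with '/') and produces a cleaned copy, so a compiled-in default or an inherited PATH can be checked the same way. The two sample strings are the before and after values from Jim's patch; the others are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two values from the config.h.in patch: the first has an empty
 * trailing element (implicit "."), the second does not. */
static const char *SAMPLE_BAD  = "/usr/bin:/bin:/usr/sbin:/sbin:";
static const char *SAMPLE_GOOD = "/usr/bin:/bin:/usr/sbin:/sbin";

/* Non-zero if a PATH element is resolved relative to the working
 * directory: an empty element (leading, trailing or doubled ':'),
 * ".", or any element that does not start with '/'. */
static int element_is_relative(const char *elem, size_t len)
{
    return len == 0 || (len == 1 && elem[0] == '.') || elem[0] != '/';
}

/* Count the elements of PATH that would let a command be picked up
 * from whatever directory the process happens to be in.  An empty
 * string counts as one empty element. */
int count_relative_path_elements(const char *path)
{
    int count = 0;
    const char *p = path;
    const char *colon;
    size_t len;

    for (;;) {
        colon = strchr(p, ':');
        len = colon ? (size_t)(colon - p) : strlen(p);
        if (element_is_relative(p, len))
            count++;
        if (colon == NULL)
            break;
        p = colon + 1;
    }
    return count;
}

/* Return a newly allocated copy of PATH with every relative element
 * removed (the caller frees it), or NULL if allocation fails.  The
 * output is never longer than the input, so one buffer suffices. */
char *sanitize_path(const char *path)
{
    char *out = malloc(strlen(path) + 1);
    size_t outlen = 0;
    const char *p = path;
    const char *colon;
    size_t len;

    if (out == NULL)
        return NULL;
    out[0] = '\0';
    for (;;) {
        colon = strchr(p, ':');
        len = colon ? (size_t)(colon - p) : strlen(p);
        if (!element_is_relative(p, len)) {
            if (outlen > 0)
                out[outlen++] = ':';
            memcpy(out + outlen, p, len);
            outlen += len;
            out[outlen] = '\0';
        }
        if (colon == NULL)
            break;
        p = colon + 1;
    }
    return out;
}

int main(void)
{
    /* Constructed inputs alongside the two strings from the patch. */
    const char *samples[] = { SAMPLE_BAD, SAMPLE_GOOD, "::/bin:.:/usr/bin", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *clean = sanitize_path(samples[i]);
        printf("%-36s relative elements: %d  cleaned: \"%s\"\n",
               samples[i], count_relative_path_elements(samples[i]),
               clean ? clean : "(allocation failed)");
        free(clean);
    }
    return 0;
}
```

The check is deliberately string-level so it can run against a value from config.h at build time; a runtime audit of an inherited PATH would additionally stat() each remaining directory and reject any that is not root-owned or is group- or world-writable.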
From: Marc.Haber-lists at gmx.de (Marc Haber) Date: Sun, 26 Dec 1999 13:58:40 GMT Subject: scp with openssh on the server side and $PATH. In-Reply-To: References: Message-ID: On Sat, 25 Dec 1999 22:55:16 -0500 (EST), you wrote: >On Sat, 25 Dec 1999, Marc Haber wrote: >> _PATH_STDPATH is set to >> "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:", but >> executing "ssh this-host echo \$PATH" yields >> "/usr/bin:/bin:/usr/sbin:/sbin:". I don't have the slightest idea >> where that PATH is pulled from. It neither is the PATH set in the >> server config nor the one set by /etc/profile on the server side. > >This path is generated out of the std path from config.h. This is obviously wrong or I am missing something very basic. See above. I have hacked config.h so that _PATH_STDPATH _includes_ /usr/local/bin, but this doesn't seem to work. Greetings Marc -- -------------------------------------- !! No courtesy copies, please !! ----- Marc Haber | " Questions are the | Mailadresse im Header Karlsruhe, Germany | Beginning of Wisdom " | Fon: *49 721 966 32 15 Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29 From Marc.Haber-lists at gmx.de Mon Dec 27 00:59:08 1999 
From: Marc.Haber-lists at gmx.de (Marc Haber) Date: Sun, 26 Dec 1999 13:59:08 GMT Subject: scp with openssh on the server side and $PATH. In-Reply-To: References: Message-ID: On Sat, 25 Dec 1999 14:43:58 GMT, you wrote: >_PATH_STDPATH is set to >"/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:", but >executing "ssh this-host echo \$PATH" yields >"/usr/bin:/bin:/usr/sbin:/sbin:". I don't have the slightest idea >where that PATH is pulled from. It neither is the PATH set in the >server config nor the one set by /etc/profile on the server side. In the meantime, I found out that this path comes from /usr/include/paths.h which is included from config.h (thanks to Jim Knoble for pointing that out in his Alert article). I will try later today if preventing that include from happening will solve the problem. Greetings Marc -- -------------------------------------- !! No courtesy copies, please !! ----- Marc Haber | " Questions are the | Mailadresse im Header Karlsruhe, Germany | Beginning of Wisdom " | Fon: *49 721 966 32 15 Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29 From vorlon at netexpress.net Mon Dec 27 04:37:09 1999 
From: vorlon at netexpress.net (Steve Langasek) Date: Sun, 26 Dec 1999 11:37:09 -0600 (CST) Subject: Disabling logging during pam_authenticate In-Reply-To: Message-ID: On Sun, 26 Dec 1999, Damien Miller wrote: > Is there any way to disable logging of failures during > pam_authenticate? PAM does not have control over the logging process during pam_authenticate, that's left up to the individual modules. You may be able to turn logging off for individual modules; however-- > The problem is that OpenSSH likes to try a blank password attempting > any other authentication. This is a shortcut for anonymous SSH servers > (e.g. OpenBSD's CVS repositories). I expect that this test will fail > in the vast majority of cases, but it speeds things up significantly > when it succeeds. wouldn't it be more reasonable to ask ssh to not try null passwords? There could be any number of modules that would be used in the PAM auth section, and all of them may have an opinion on what should be logged. Some of them may be well-behaved and let you disable logging, but then you've also disabled logging for any genuine attacks against you using that service. Perhaps, as with Samba's client utils, a commandline option could be added to openssh's client to specify the use of a null password? That way, you don't have to worry about prompts when the connection is scripted, and you get around the logging issue as well. -Steve Langasek postmodern programmer From jmknoble at pobox.com Mon Dec 27 06:36:53 1999 
From: jmknoble at pobox.com (Jim Knoble) Date: Sun, 26 Dec 1999 14:36:53 -0500 Subject: scp with openssh on the server side and $PATH. In-Reply-To: ; from Marc Haber on Sun, Dec 26, 1999 at 01:59:08PM +0000 References: Message-ID: <19991226143653.A14381@quipu.earth> That probably won't work the way you intend. Try the attached patch to sshd.c instead (against 1.2.1pre21). -- jim knoble jmknoble at pobox.com On 1999-Dec-26 at 13:59:08 +0000, Marc Haber wrote: : In the mean time, I found out that this path comes from : /usr/include/paths.h which is included from config.h (thanks to Jim : Knoble for pointing that out in his Alert article. : : I will try later today if preventing that include from happening will : solve the problem. -------------- next part -------------- --- ./sshd.c.orig-stdpath Sat Dec 25 22:04:33 1999 +++ ./sshd.c Sun Dec 26 03:04:07 1999 @@ -44,6 +44,9 @@ #define O_NOCTTY 0 #endif +#undef _PATH_STDPATH +#define _PATH_STDPATH "/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin" + /* Local Xauthority file. */ static char *xauthfile = NULL; From andre.lucas at dial.pipex.com Mon Dec 27 07:08:02 1999 
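Review bot: the `#undef`/`#define` of _PATH_STDPATH inside sshd.c unconditionally overrides whatever the system headers or config.h supplied, so it wins silently over any configure-time value and can only be changed by editing source; a config.h definition that the existing `#ifndef` guard respects, or a configure option, would be the maintainable form. The value is also site-specific: putting /usr/local/bin and /usr/local/sbin ahead of the system directories is only sound where those directories are root-owned and not writable by unprivileged users, which deserves a comment above the define.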
From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Sun, 26 Dec 1999 20:08:02 +0000 Subject: ANNOUNCE: openssh-1.2.1pre20 References: Message-ID: <386675A2.2E98D285@dial.pipex.com> 8< 8< > > > > My docs (utmp.h) indicates that the ut_id field is used to > > indicate the id of the process from the inittab. Is it used for > > something different on Solaris? > > Probably best not to commit it. I think I might have been a bit > over zealous to fill out all the fields in the utmpx structure. > I don't think you were! pututxline() uses the ut_id field as a key into the utmpx file, so if it's not set I don't see how the system can know where to put the entry. Maybe some OSs look at the ut_line entry. With the current code, HPUX puts all the pty entries in the same place... This is from Linux's utmp manpage: char ut_id[4]; /* init id or abbrev. ttyname */ I think it only matters about inittab stuff when the ut_type field is something other than USER_PROCESS or DEAD_PROCESS, the only ones ssh uses. AFAIK. -Andre From djm at mindrot.org Mon Dec 27 10:05:47 1999 
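Andre's point that pututxline() uses ut_id as its key, together with the utmp(5) description he quotes ("init id or abbrev. ttyname"), raises the question of how the id should be derived from the device path. The following C function is an added example, not code from the thread or from OpenSSH: it derives both ut_line and a four-character ut_id from a tty path with explicit length checks instead of a fixed offset into the string. The abbreviation rule it applies (drop "/dev/", then strip a leading "tty" or everything up to the last '/', then keep the last four characters) is an assumption modelled on that man-page description, not a documented convention, and the 32/4 field widths are defined locally so the example builds without <utmp.h>.

```c
#include <stdio.h>
#include <string.h>

/* Field widths used here; they mirror the common 32/4 layout but are
 * defined locally so this builds without <utmp.h>. */
#define LINE_SIZE 32
#define ID_SIZE   4

/* Derive ut_line and ut_id values from a tty device path.
 *
 * line: receives the path with any leading "/dev/" removed,
 *       NUL-terminated (buffer of LINE_SIZE + 1 bytes).
 * id:   receives at most ID_SIZE characters, NUL-terminated (buffer of
 *       ID_SIZE + 1 bytes).  Assumed rule: strip a leading "tty",
 *       otherwise strip everything up to the last '/', then keep the
 *       last ID_SIZE characters of what remains.
 *
 * Returns 0 on success and -1 if the path is NULL or empty, too long
 * for the line field, or leaves nothing to use as an id; nothing is
 * written on failure, so no caller ever copies from a bad pointer.
 */
int tty_to_utmp_fields(const char *ttypath, char line[LINE_SIZE + 1],
                       char id[ID_SIZE + 1])
{
    const char *name;
    const char *abbrev;
    const char *slash;
    size_t namelen, alen;

    if (ttypath == NULL || *ttypath == '\0')
        return -1;

    name = ttypath;
    if (strncmp(name, "/dev/", 5) == 0)
        name += 5;

    namelen = strlen(name);
    if (namelen == 0 || namelen > LINE_SIZE)
        return -1;

    /* Abbreviate: "ttyp0" -> "p0", "pts/0" -> "0", "console" -> "console". */
    abbrev = name;
    if (strncmp(name, "tty", 3) == 0) {
        abbrev = name + 3;
    } else {
        slash = strrchr(name, '/');
        if (slash != NULL)
            abbrev = slash + 1;
    }

    alen = strlen(abbrev);
    if (alen == 0)
        return -1;              /* e.g. "tty" or "pts/": no usable id */
    if (alen > ID_SIZE)
        abbrev += alen - ID_SIZE;   /* keep only the last ID_SIZE chars */

    memcpy(line, name, namelen);
    line[namelen] = '\0';
    strcpy(id, abbrev);         /* at most ID_SIZE characters plus NUL */
    return 0;
}

int main(void)
{
    /* Constructed sample device paths. */
    const char *samples[] = { "/dev/ttyp0", "/dev/pts/0", "/dev/pts/12345",
                              "/dev/console", "tty" };
    char line[LINE_SIZE + 1], id[ID_SIZE + 1];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (tty_to_utmp_fields(samples[i], line, id) == 0)
            printf("%-16s ut_line=%-8s ut_id=%s\n", samples[i], line, id);
        else
            printf("%-16s rejected\n", samples[i]);
    }
    return 0;
}
```

When the values are copied into a real struct utmp or utmpx they should go in with `strncpy(u.ut_id, id, sizeof(u.ut_id))`, since the kernel-side fields are not required to be NUL-terminated and a four-character id exactly fills the field.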
From: djm at mindrot.org (Damien Miller) Date: Mon, 27 Dec 1999 10:05:47 +1100 (EST) Subject: scp with openssh on the server side and $PATH. In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sun, 26 Dec 1999, Marc Haber wrote: > In the mean time, I found out that this path comes from > /usr/include/paths.h which is included from config.h (thanks to Jim > Knoble for pointing that out in his Alert article. > > I will try later today if preventing that include from happening > will solve the problem. 1.2.1pre22 will have a --with-default-path option with which you can override this. Damien - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4Zp9QormJ9RG1dI8RAoMBAJ0X5bqx62+keicwlsZRFRuaBlHx4gCeNNTQ jrufo/ElsPWNChrUYeUyaHw= =ETle -----END PGP SIGNATURE----- From djm at mindrot.org Mon Dec 27 11:55:52 1999 From: djm at mindrot.org (Damien Miller) Date: Mon, 27 Dec 1999 11:55:52 +1100 (EST) Subject: ANNOUNCE: openssh-1.2.1pre20 In-Reply-To: <386675A2.2E98D285@dial.pipex.com> Message-ID: On Sun, 26 Dec 1999, Andre Lucas wrote: > I don't think you were! pututxline() uses the ut_id field as a key > into the utmpx file, so if it's not set I don't see how the system > can know where to put the entry. Maybe some OSs look at the ut_line > entry. With the current code, HPUX puts all the pty entries in the > same place... Ok, I am now copying the last couple of characters of the tty path. This is what Linux's /bin/login does. Index: login.c =================================================================== RCS file: /var/cvs/openssh/login.c,v retrieving revision 1.12 retrieving revision 1.13 diff -u -r1.12 -r1.13 --- login.c 1999/12/25 23:21:48 1.12 +++ login.c 1999/12/27 00:33:56 1.13 
@@ -141,6 +141,7 @@ /* Construct an utmp/wtmp entry. */ memset(&u, 0, sizeof(u)); strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line)); + strncpy(u.ut_id, ttyname + 8, sizeof(u.ut_id)); u.ut_pid = (pid_t)pid; u.ut_time = time(NULL); strncpy(u.ut_name, user, sizeof(u.ut_name)); @@ -153,6 +154,7 @@ memset(&utx, 0, sizeof(utx)); strncpy(utx.ut_user, user, sizeof(utx.ut_name)); strncpy(utx.ut_line, ttyname + 5, sizeof(utx.ut_line)); + strncpy(utx.ut_id, ttyname + 8, sizeof(utx.ut_id)); utx.ut_pid = (pid_t)pid; utx.ut_tv.tv_sec = time(NULL); utx.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS; Regards, Damien -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From drankin at bohemians.lexington.ky.us Tue Dec 28 03:30:42 1999 From: drankin at bohemians.lexington.ky.us (David Rankin) Date: Mon, 27 Dec 1999 11:30:42 -0500 Subject: More patches to fix NetBSD compiling Message-ID: <19991227113041.A21493@rumpole.bohemians.lexington.ky.us> Unfortunately, the login.c changes after pre-19 have exposed some more NetBSD-centric problems concerning the lack of several fields in struct utmp. Here's another set of patches to fix NetBSD compiling (although they may also help some other UNIXes as well). Thanks, David --- configure.in.orig Mon Dec 27 09:09:05 1999 +++ configure.in Mon Dec 27 09:13:39 1999 @@ -264,6 +264,16 @@ [AC_DEFINE(HAVE_SYSLEN_IN_UTMPX) AC_MSG_RESULT(yes); ], [AC_MSG_RESULT(no)] ) +AC_MSG_CHECKING([whether utmp.h has ut_pid field]) +AC_EGREP_HEADER(ut_pid, utmp.h, + [AC_DEFINE(HAVE_PID_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) +AC_MSG_CHECKING([whether utmp.h has ut_type field]) +AC_EGREP_HEADER(ut_type, utmp.h, + [AC_DEFINE(HAVE_TYPE_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) dnl Look for lastlog location AC_ARG_WITH(lastlog, --- configure.orig Mon Dec 27 09:15:10 1999 +++ configure Mon Dec 27 09:15:17 1999 
@@ -2348,6 +2348,48 @@ fi rm -f conftest* +echo $ac_n "checking whether utmp.h has ut_pid field""... $ac_c" 1>&6 +echo "configure:2353: checking whether utmp.h has ut_pid field" >&5 +cat > conftest.$ac_ext < +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "ut_pid" >/dev/null 2>&1; then + rm -rf conftest* + cat >> confdefs.h <<\EOF +#define HAVE_PID_IN_UTMP 1 +EOF + echo "$ac_t""yes" 1>&6; +else + rm -rf conftest* + echo "$ac_t""no" 1>&6 + +fi +rm -f conftest* + +echo $ac_n "checking whether utmp.h has ut_type field""... $ac_c" 1>&6 +echo "configure:2374: checking whether utmp.h has ut_type field" >&5 +cat > conftest.$ac_ext < +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "ut_type" >/dev/null 2>&1; then + rm -rf conftest* + cat >> confdefs.h <<\EOF +#define HAVE_TYPE_IN_UTMP 1 +EOF + echo "$ac_t""yes" 1>&6; +else + rm -rf conftest* + echo "$ac_t""no" 1>&6 + +fi +rm -f conftest* + # Check whether --with-lastlog or --without-lastlog was given. if test "${with_lastlog+set}" = set; then --- acconfig.h.orig Mon Dec 27 09:17:11 1999 +++ acconfig.h Mon Dec 27 09:18:09 1999 @@ -33,6 +33,12 @@ /* Define is utmpx.h has a syslen field */ #undef HAVE_SYSLEN_IN_UTMPX +/* Define is utmp.h has a ut_pid field */ +#undef HAVE_PID_IN_UTMP + +/* Define is utmp.h has a ut_type field */ +#undef HAVE_TYPE_IN_UTMP + /* Define if you want to use utmpx */ #undef USE_UTMPX --- config.h.in.orig Mon Dec 27 09:16:31 1999 +++ config.h.in Mon Dec 27 09:18:28 1999 @@ -36,6 +36,12 @@ /* Define is utmpx.h has a syslen field */ #undef HAVE_SYSLEN_IN_UTMPX +/* Define is utmp.h has a ut_pid field */ +#undef HAVE_PID_IN_UTMP + +/* Define is utmp.h has a ut_type field */ +#undef HAVE_TYPE_IN_UTMP + /* Define if you want to use utmpx */ #undef USE_UTMPX --- login.c.orig Mon Dec 27 09:22:55 1999 +++ login.c Mon Dec 27 09:23:00 1999 
@@ -141,10 +141,14 @@ /* Construct an utmp/wtmp entry. */ memset(&u, 0, sizeof(u)); strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line)); +#if defined(HAVE_PID_IN_UTMP) u.ut_pid = (pid_t)pid; +#endif /* HAVE_PID_IN_UTMP */ u.ut_time = time(NULL); strncpy(u.ut_name, user, sizeof(u.ut_name)); +#if defined(HAVE_TYPE_IN_UTMP) u.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS; +#endif /* HAVE_TYPE_IN_UTMP */ #if defined(HAVE_HOST_IN_UTMP) strncpy(u.ut_host, host, sizeof(u.ut_host)); #endif From andre.lucas at dial.pipex.com Tue Dec 28 04:51:03 1999 
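Review bot: in the two login.c hunks of Damien Miller's ut_id patch above, `strncpy(u.ut_id, ttyname + 8, sizeof(u.ut_id));` assumes the tty path is at least eight characters long; for a shorter path the source pointer starts beyond the terminating NUL and strncpy reads from past the end of the string. The offset also does not agree with the `ttyname + 5` used for ut_line two lines earlier, so the four characters copied depend on the device naming scheme ("/dev/ttyp0" gives "p0" but "/dev/pts/0" gives "/0"). Suggest deriving the id from the ut_line value after checking `strlen(ttyname)` against the offset, rather than from a fixed offset into the path.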
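Review bot: in the login.c hunk, guarding `u.ut_type = (uid == -1)?DEAD_PROCESS:USER_PROCESS;` with HAVE_TYPE_IN_UTMP means that on a utmp without ut_type nothing in this function distinguishes the `uid == -1` (logout) record from a login, because `strncpy(u.ut_name, user, sizeof(u.ut_name));` stays unconditional; the uid == -1 path on those systems needs an `#else` branch that records the logout in whatever way that utmp format expects, or the caller should pass an empty user there. The configure.in hunk's `AC_EGREP_HEADER(ut_pid, utmp.h, ...)` and `AC_EGREP_HEADER(ut_type, utmp.h, ...)` match the tokens anywhere in the header, comments included, so a header that mentions ut_type in a comment without declaring the member would still define HAVE_TYPE_IN_UTMP; a compile test against `struct utmp` would be more reliable.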
From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Mon, 27 Dec 1999 17:51:03 +0000 Subject: Suggestion: login.c->record_login() Message-ID: <3867A707.40DEAA26@dial.pipex.com> Hi, A lot of the problems with openssh portability so far appear to be with the login record functionality, i.e. lastlog support, and variations on handling utmp vs. utmpx etc. Looking at for-profit SSH 1.2.27, login.c is rather embarrassing spaghetti code, so laden with '#ifdef's it's almost impossible to read. OpenSSH's code isn't anything like that, but then it doesn't support as many platforms yet. Even with the best of intentions, there's every prospect that the code will mutate into the same kind of thing as in SSH. It's a tricky problem to solve, because the code varies so much and is so important. I wonder if this is a suitable moment to suggest that record_login() gets a major rewrite. We could abstract it more, so we pass a superstructure containing all the information we have to functions that handle exactly one of utmp, utmpx, wtmp, wtmpx, lastlog, or whatever else comes along. *Then* we could use #ifdef to call the right code. One way might be: #ifdef LINUX /* Linux: Do the business with PAM */ set_pam_entry (struct logindata l); /* ... whatever else Linux needs ... */ #endif /* LINUX */ #ifdef HPUX /* HPUX: Do things the hard way * no lastlog, utmp *and* utmpx, wtmp */ set_utmp_entry (struct logindata l); set_utmpx_entry (struct logindata l); set_wtmp_entry (struct logindata l); #endif /* HPUX */ etc... It's still not exactly pretty, but it's a lot more readily understood IMO. (I've left error propagation out for clarity at this point.) There would still be #ifdef blocks in the individual routines, to cover for platform differences in the individual structures, but even that's clearer; it's far simpler to see why a change is being made for a particular platform if you don't have to wonder what kind of structure will eventually be set for which platform! 
I have two reasons for suggesting this approach over another potential method, that of having a platform-specific file or block for each supported OS. First, that complicates the Makefile (IMO) unnecessarily with different files (or makes one huge conditionally compiled file with one file), and secondly it doesn't stand a chance of working on a platform without specific support. The second is the killer for me. I'm aware that there are issues for Damien here in keeping track of OpenBSD changes to the OpenSSH codebase. I still think that this would be tidier and easier in the long run. I look forward to your comments. Ta, -Andre Lucas Instinet Global Services From henrik.nordstrom at edt.ericsson.se Tue Dec 28 06:18:57 1999 From: henrik.nordstrom at edt.ericsson.se (Henrik Nordstrom) Date: Mon, 27 Dec 1999 20:18:57 +0100 Subject: 1.2pre17: -C option to scp Message-ID: <3867BBA1.8B422EC2@edt.ericsson.se> Simple patch adding the -C option to scp: Disable the use of privileged ports (-P option to ssh). The patch does not include manpage documentation of the command option. -- Henrik Nordstrom -------------- next part -------------- --- scp.cscp-L Tue Dec 7 05:38:32 1999 +++ scp.c Mon Dec 27 19:29:26 1999 @@ -87,6 +87,10 @@ and passphrase queries are not allowed). */ int batchmode = 0; +/* This is set to non-zero if the use of low ports (for rhost-RSA) + * should be disabled */ +int nolowports; + /* This is set to the cipher type string if given on the command line. */ char *cipher = NULL; @@ -167,6 +171,8 @@ args[i++] = "-l"; args[i++] = remuser; } + if (nolowports) + args[i++] = "-P"; args[i++] = host; args[i++] = cmd; args[i++] = NULL; @@ -242,7 +248,7 @@ extern int optind; fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q")) != EOF) + while ((ch = getopt(argc, argv, "dfprtvLBCc:i:P:q")) != EOF) switch (ch) { /* User-visible flags. */ case 'p': 
@@ -253,6 +259,9 @@ break; case 'r': iamrecursive = 1; + break; + case 'L': + nolowports = 1; break; /* Server options. */ case 'd': From djm at mindrot.org Tue Dec 28 10:57:42 1999 
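Review bot: the option actually added by the getopt change (`"dfprtvBCc:i:P:q"` to `"dfprtvLBCc:i:P:q"`) and by the new `case 'L':` is `-L`, whereas the subject and the description say `-C`; `C` is already in the option string, so the description should be corrected to `-L` before this is committed, and the manpage entry the author mentions is missing should name the same letter.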
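Review bot: in the `@@ -167,6 +171,8 @@` hunk, `args[i++] = "-P";` adds one more entry to the argument vector passed to ssh; the declaration of `args` is not visible in the patch, so confirm it has room for the extra element before the terminating NULL. In the first hunk, `int nolowports;` relies on zero initialisation of file-scope storage, which is correct but inconsistent with the neighbouring `int batchmode = 0;`; an explicit `= 0` would keep the style uniform.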
From: djm at mindrot.org (Damien Miller) Date: Tue, 28 Dec 1999 10:57:42 +1100 (EST) Subject: Suggestion: login.c->record_login() In-Reply-To: <3867A707.40DEAA26@dial.pipex.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Mon, 27 Dec 1999, Andre Lucas wrote: > Hi, > > A lot of the problems with openssh portability so far appear to > be with the login record functionality, i.e. lastlog support, and > variations on handling utmp vs. utmpx etc. Looking at for-profit SSH > 1.2.27, login.c is rather embarassing spaghetti code, so laden with > '#ifdef's it's almost impossible to read. No kidding :) The login portions of OpenSSH have, so far, proved to be the most platform dependent. Apart from the PAM code, most other changes have been minor or drop-in replacements for missing functions. > OpenSSH's code isn't anything like that, but then it doesn't support > as many platforms yet. Even with the best of intentions, there's > every prospect that the code will mutate into the same kind of thing > as in SSH. It's a tricky problem to solve, because the code varies > so much and is so important. > > I wonder if this is a suitable moment to suggest that record_login() > gets a major rewrite. We could abstract it more, so we pass a > superstructure containing all the information we have to functions > that handle exactly one of utmp, utmpx, wtmp, wtmpx, lastlog, or > whatever else comes along. > > *Then* we could use #ifdef to call the right code. One way might be: [pseudocode snipped] > It's still not exactly pretty, but it's a lot more readily understood > IMO. (I've left error propogation out for clarity at this point.) I think this is an excellent idea. If it works well, then it could also serve as the basis for solving this problem for other projects. The specific recording modules: > set_utmp_entry (struct logindata l); > set_utmpx_entry (struct logindata l); > set_wtmp_entry (struct logindata l); would probably still be fairly heavily preprocessed. 
Most of the #ifdef mess in login.c is to work around differences in struct utmp. > I have two reasons for suggesting this approach over another > potential method, that of having a platform-specific file or block > for each supported OS. First, that complicates the Makefile (IMO) > unnecessarily with different files (or makes one huge conditionally > compiled file with one file), and secondly it doesn't stand a chance > of working on a platform without specific support. The second is the > killer for me. Don't underestimate the first either - I find C code much easier to understand than complex autoconf/makefile interactions. > I'm aware that there are issues for Damien here in keeping track of > OpenBSD changes to the OpenSSH codebase. I still think that this > would be tidier and easier in the long run. I would be happier sacrificing easy 'diffability' on one source file in return for better code. login.c is hardly ever touched by the OpenBSD people, the last real change to it was in August. Keeping track of this pace of change will not be a problem :) My goal is to have a 1.2.1.0 release before, or shortly after the new year. I think that major surgery to the login code should wait until after then. Regards, Damien - -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.0 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE4Z/z5ormJ9RG1dI8RAkdKAKCO2XzYtXq2yUuj9ob9p5Msvz+WZwCeL7g+ BeXnqHdlDlFtd1GOzPRYyhA= =dXL1 -----END PGP SIGNATURE----- From andre.lucas at dial.pipex.com Tue Dec 28 11:16:10 1999 
From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Tue, 28 Dec 1999 00:16:10 +0000 Subject: Suggestion: login.c->record_login() References: Message-ID: <3868014A.16243762@dial.pipex.com> Damien Miller wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Mon, 27 Dec 1999, Andre Lucas wrote: > > > Hi, > > > > A lot of the problems with openssh portability so far appear to > > be with the login record functionality, i.e. lastlog support, and > > variations on handling utmp vs. utmpx etc. Looking at for-profit SSH > > 1.2.27, login.c is rather embarassing spaghetti code, so laden with > > '#ifdef's it's almost impossible to read. > > No kidding :) The login portions of OpenSSH have, so far, proved to > be the most platform dependant. Ok, it was stating the obvious somewhat :-) > > > It's still not exactly pretty, but it's a lot more readily understood > > IMO. (I've left error propogation out for clarity at this point.) > > I think this is an excellent idea. If it works well, then it could > also serve as the basis for solving this problem for other projects. I thought that too. It's real hassleware, but some poor soul has to do it! > > > > > I'm aware that there are issues for Damien here in keeping track of > > OpenBSD changes to the OpenSSH codebase. I still think that this > > would be tidier and easier in the long run. > > I would be happier sacrificing easy 'diffability' on one source file > in return for better code. Ah, if only people at my work thought that way... Ta, -Andre > > login.c is hardly ever touched by the OpenBSD people, the last real > change to it was in August. Keeping track of this pace of change > will not be a problem :) > > My goal is to have a 1.2.1.0 release before, or shortly after the > new year. I think that major surgery to the login code should wait > until after then. 
> > Regards, > Damien > > - -- > | "Bombay is 250ms from New York in the new world order" - Alan Cox > | Damien Miller - http://www.mindrot.org/ > | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.0 (GNU/Linux) > Comment: For info see http://www.gnupg.org > > iD8DBQE4Z/z5ormJ9RG1dI8RAkdKAKCO2XzYtXq2yUuj9ob9p5Msvz+WZwCeL7g+ > BeXnqHdlDlFtd1GOzPRYyhA= > =dXL1 > -----END PGP SIGNATURE----- From djm at mindrot.org Tue Dec 28 15:35:29 1999 From: djm at mindrot.org (Damien Miller) Date: Tue, 28 Dec 1999 15:35:29 +1100 (EST) Subject: More patches to fix NetBSD compiling In-Reply-To: <19991227113041.A21493@rumpole.bohemians.lexington.ky.us> Message-ID: On Mon, 27 Dec 1999, David Rankin wrote: > Unfortunately, the login.c changes after pre-19 have exposed some > more NetBSD-centric problems concerning the lack of several fields > in struct utmp. Here's another set of patches to fix NetBSD > compiling (although they may also help some other UNIXes as well). Thanks, applied. Damien -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Tue Dec 28 15:51:39 1999 
From: djm at mindrot.org (Damien Miller) Date: Tue, 28 Dec 1999 15:51:39 +1100 (EST) Subject: ANNOUNCE: openssh-1.2.1pre22 Message-ID:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have just uploaded 1.2.1pre22 to: http://violet.ibs.com.au/openssh/files/

This release consists of portability fixes and cleanups. It also resolves two issues which may have caused security problems:
- If your OS header files did not define PATH_STDPATH, then an unsafe path was used by default (it contained an implicit '.'). Thanks to Jim Knoble for pointing this out and supplying a fix.
- PermitEmptyPassword was being ignored for PAM systems.
An upgrade is therefore recommended.

This release also includes Andre Lucas' fixpaths perl script which will substitute the correct paths into the manpages at install time. Also included is preliminary Irix support. I have managed to compile it under Irix 5.2, but was not able to run it (my perl install is too broken to run EGD). lastlog support is disabled under Irix because it uses a strange directory based lastlog which I cannot find documentation on.

I am interested in hearing success or failure stories from users of Solaris, HPUX, AIX, Irix, NetBSD and older Linux variants.

ChangeLog:
19991228
- Replacement for getpagesize() for systems which lack it
- NetBSD login.c compile fix from David Rankin
- Fully set ut_tv if present in utmp or utmpx
- Portability fixes for Irix 5.3 (now compiles OK!)
- autoconf and other misc cleanups
19991227
- Automatically correct paths in manpages and configuration files. Patch and script from Andre Lucas
- Removed credits from README to CREDITS file, updated.
- Added --with-default-path to specify custom path for server
- Removed #ifdef trickery from acconfig.h into defines.h
- PAM bugfix. PermitEmptyPassword was being ignored.
- Fixed PAM config files to allow empty passwords if server does.
- Explained spurious PAM auth warning workaround in UPGRADING
- Use last few chars of tty line as ut_id
- New SuSE RPM spec file from Chris Saia
- OpenBSD CVS updates:
  - [packet.h auth-rhosts.c] check format string for packet_disconnect and packet_send_debug, too
  - [channels.c] use packet_get_maxsize for channels. consistence.
19991226
- Fixed implicit '.' in default path, report from Jim Knoble
- Redhat RPM spec fixes from Jim Knoble

Regards,
Damien Miller

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4aEHformJ9RG1dI8RAsy6AJ9mRwol+KxAymF6eE2m/PouqUWqkwCgxh8K
vHZbW8K4chmupbT9p6s7D7o=
=suuE
-----END PGP SIGNATURE-----
From drankin at bohemians.lexington.ky.us Tue Dec 28 16:39:46 1999 
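Added example, my own code and not OpenSSH's or anyone's on this list: a checker for the class of default-path bug the 19991226 entry fixes. It treats an empty component (from "a::b", a leading or trailing ':', or an empty string), "." and any relative component as "searches the current directory", reports the first offender, and builds a stripped copy. The function names and the sample paths in main() are mine; the trailing-colon sample is only one way an implicit '.' creeps in, not a claim about what the pre21 default looked like.

```c
/*
 * Added example (not OpenSSH code): audit a PATH string for components that
 * make a shell search the current directory. Rules: an empty component and
 * "." both mean the current directory; any other non-absolute component is
 * resolved relative to the current directory and is flagged too.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Non-zero if the component p[0..len) is unsafe; *why gets a static reason. */
static int path_component_unsafe(const char *p, size_t len, const char **why)
{
    const char *reason = NULL;

    if (len == 0)
        reason = "empty component searches the current directory";
    else if (len == 1 && p[0] == '.')
        reason = "'.' searches the current directory";
    else if (p[0] != '/')
        reason = "relative component is resolved against the current directory";
    if (why != NULL)
        *why = reason;
    return reason != NULL;
}

/* 0-based index of the first unsafe component, or -1 if every component is
 * an absolute directory. A NULL or empty PATH is one empty component. */
int path_first_unsafe(const char *path, const char **why)
{
    const char *p = path != NULL ? path : "";
    int idx = 0;

    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon != NULL ? (size_t)(colon - p) : strlen(p);

        if (path_component_unsafe(p, len, why))
            return idx;
        if (colon == NULL)
            break;
        p = colon + 1;
        idx++;
    }
    if (why != NULL)
        *why = NULL;
    return -1;
}

/* Copy path into out (outlen bytes) with the unsafe components removed.
 * Returns the number of components dropped, or -1 if out is too small. */
int path_strip_unsafe(const char *path, char *out, size_t outlen)
{
    const char *p = path != NULL ? path : "";
    size_t used = 0;
    int dropped = 0;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon != NULL ? (size_t)(colon - p) : strlen(p);

        if (path_component_unsafe(p, len, NULL)) {
            dropped++;
        } else {
            size_t sep = used > 0 ? 1 : 0;   /* ':' before all but the first */

            if (used + sep + len + 1 > outlen)
                return -1;
            if (sep)
                out[used++] = ':';
            memcpy(out + used, p, len);
            used += len;
            out[used] = '\0';
        }
        if (colon == NULL)
            break;
        p = colon + 1;
    }
    return dropped;
}

int main(void)
{
    /* Constructed sample paths; the second has a trailing ':' (implicit '.'). */
    const char *samples[] = { "/usr/bin:/bin", "/usr/local/bin:/usr/bin:/bin:", ".:/usr/bin", NULL };
    char safe[256];
    int i;

    for (i = 0; samples[i] != NULL; i++) {
        const char *why;
        int idx = path_first_unsafe(samples[i], &why);
        int dropped = path_strip_unsafe(samples[i], safe, sizeof safe);

        printf("%-32s first unsafe: %d (%s); stripped: \"%s\" (%d dropped)\n",
               samples[i], idx, why != NULL ? why : "none", safe, dropped);
    }
    return 0;
}
```

Stripping is the lenient policy; a server that wants to be strict can refuse to start when path_first_unsafe() returns anything but -1 for its compiled-in default, which is the check that would have caught the pre21 problem at build time.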
From: drankin at bohemians.lexington.ky.us (David Rankin) Date: Tue, 28 Dec 1999 00:39:46 -0500 Subject: Suggestion: login.c->record_login() In-Reply-To: <3867A707.40DEAA26@dial.pipex.com>; from Andre Lucas on Mon, Dec 27, 1999 at 05:51:03PM +0000 References: <3867A707.40DEAA26@dial.pipex.com> Message-ID: <19991228003945.A21583@rumpole.bohemians.lexington.ky.us>
The problem with an "OS-based" ifdef system is that it makes porting to a new OS problematic. Also, what happens if FooNix or BarBSD decide to add/subtract/change the way they use struct utmp/utmpx/et al.? Under an OS-based ifdef, configure "figures out" the messy details for you (hopefully the right way), while this setup would require manual intervention to go to either older supported OSes or newer versions.

For the record, I think this "configure soup" stinks. But I also think that this would make things less portable, not more.

Thanks,
David

On Mon, Dec 27, 1999 at 05:51:03PM +0000, Andre Lucas wrote:
> Hi,
> A lot of the problems with openssh portability so far appear to be with the login record functionality, i.e. lastlog support, and variations on handling utmp vs. utmpx etc. Looking at for-profit SSH 1.2.27, login.c is rather embarrassing spaghetti code, so laden with '#ifdef's it's almost impossible to read.
> OpenSSH's code isn't anything like that, but then it doesn't support as many platforms yet. Even with the best of intentions, there's every prospect that the code will mutate into the same kind of thing as in SSH. It's a tricky problem to solve, because the code varies so much and is so important.
> I wonder if this is a suitable moment to suggest that record_login() gets a major rewrite. We could abstract it more, so we pass a superstructure containing all the information we have to functions that handle exactly one of utmp, utmpx, wtmp, wtmpx, lastlog, or whatever else comes along.
>
> *Then* we could use #ifdef to call the right code. One way might be:
> #ifdef LINUX
> /* Linux: Do the business with PAM */
> set_pam_entry (struct logindata l);
> /* ... whatever else Linux needs ... */
> #endif /* LINUX */
>
> #ifdef HPUX
> /* HPUX: Do things the hard way
>  * no lastlog, utmp *and* utmpx, wtmp */
> set_utmp_entry (struct logindata l);
> set_utmpx_entry (struct logindata l);
> set_wtmp_entry (struct logindata l);
> #endif /* HPUX */
> etc...
>
> It's still not exactly pretty, but it's a lot more readily understood IMO. (I've left error propagation out for clarity at this point.)
>
> There would still be #ifdef blocks in the individual routines, to cover for platform differences in the individual structures, but even that's clearer; it's far simpler to see why a change is being made for a particular platform if you don't have to wonder what kind of structure will eventually be set for which platform!
>
> I have two reasons for suggesting this approach over another potential method, that of having a platform-specific file or block for each supported OS. First, that complicates the Makefile (IMO) unnecessarily with different files (or makes one huge conditionally compiled file with one file), and secondly it doesn't stand a chance of working on a platform without specific support. The second is the killer for me.
>
> I'm aware that there are issues for Damien here in keeping track of OpenBSD changes to the OpenSSH codebase. I still think that this would be tidier and easier in the long run.
>
> I look forward to your comments.
>
> Ta,
> -Andre Lucas
> Instinet Global Services
--
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin. Email: drankin at bohemians.lexington.ky.us Address/Phone Number: Ask me. "It is no great thing to be humble when you are brought low; but to be humble when you are praised is a great and rare accomplishment." St. Bernard
From dhall at virage.org Tue Dec 28 17:55:08 1999 
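Added example, my own code rather than anything from the thread or from OpenSSH, of the shape Andre proposes: one logindata superstructure, one function per record type, and the bounded fixed-width field handling every such backend needs. struct utmp_bsd copies the NetBSD layout David Rankin posts later in this thread; struct utmp_sysv, UT_IDSIZE and all the function names are my assumptions, and the ut_id rule (last few bytes of the line) follows the pre22 ChangeLog wording rather than any particular platform's convention.

```c
/*
 * Added example (not OpenSSH code): one login record, several fixed-width
 * backends. utmp_bsd is the NetBSD layout quoted in this thread; utmp_sysv
 * and UT_IDSIZE are an assumed SysV-style layout with a ut_id field.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define UT_NAMESIZE 8
#define UT_LINESIZE 8
#define UT_HOSTSIZE 16
#define UT_IDSIZE   4   /* assumed */

struct utmp_bsd {   /* NetBSD, as posted in the thread */
    char ut_line[UT_LINESIZE]; char ut_name[UT_NAMESIZE];
    char ut_host[UT_HOSTSIZE]; time_t ut_time;
};
struct utmp_sysv {  /* assumed layout with a ut_id field */
    char ut_id[UT_IDSIZE]; char ut_line[UT_LINESIZE]; char ut_user[UT_NAMESIZE];
    char ut_host[UT_HOSTSIZE]; time_t ut_time;
};

/* Everything sshd knows about the login, as ordinary NUL-terminated strings;
 * each backend takes the fields it has room for. */
struct logindata {
    const char *user;
    const char *ttyname;   /* device path, e.g. "/dev/ttyp0" */
    const char *host;      /* may be NULL */
    time_t when;
};

/* utmp fields are fixed width and not NUL-terminated when full: copy at most
 * n bytes, zero-fill the rest, and report truncation instead of hiding it. */
static int ut_field_set(char *dst, size_t n, const char *src)
{
    size_t len = strlen(src);

    memset(dst, 0, n);
    memcpy(dst, src, len < n ? len : n);
    return len > n;
}

/* Compare a fixed-width field with a C string without reading past n bytes;
 * strlen()/strcmp() on such a field is the classic over-read. */
int ut_field_eq(const char *field, size_t n, const char *s)
{
    size_t len = strlen(s);

    if (len > n || memcmp(field, s, len) != 0)
        return 0;
    return len == n || field[len] == '\0';
}

/* "/dev/ttyp0" -> "ttyp0": strip the prefix only when it is really there,
 * instead of skipping a fixed number of bytes of the name. */
const char *ut_line_from_tty(const char *ttyname)
{
    return strncmp(ttyname, "/dev/", 5) == 0 ? ttyname + 5 : ttyname;
}

/* ut_id: the last UT_IDSIZE bytes of the line; shorter lines are used whole. */
static const char *ut_id_from_line(const char *line)
{
    size_t len = strlen(line);

    return len > UT_IDSIZE ? line + (len - UT_IDSIZE) : line;
}

/* One backend per record type; each returns non-zero if anything was truncated. */
int logindata_to_utmp_bsd(const struct logindata *l, struct utmp_bsd *u)
{
    int trunc = 0;

    memset(u, 0, sizeof *u);
    trunc |= ut_field_set(u->ut_line, sizeof u->ut_line, ut_line_from_tty(l->ttyname));
    trunc |= ut_field_set(u->ut_name, sizeof u->ut_name, l->user);
    trunc |= ut_field_set(u->ut_host, sizeof u->ut_host, l->host != NULL ? l->host : "");
    u->ut_time = l->when;
    return trunc;
}

int logindata_to_utmp_sysv(const struct logindata *l, struct utmp_sysv *u)
{
    const char *line = ut_line_from_tty(l->ttyname);
    int trunc = 0;

    memset(u, 0, sizeof *u);
    trunc |= ut_field_set(u->ut_id, sizeof u->ut_id, ut_id_from_line(line));
    trunc |= ut_field_set(u->ut_line, sizeof u->ut_line, line);
    trunc |= ut_field_set(u->ut_user, sizeof u->ut_user, l->user);
    trunc |= ut_field_set(u->ut_host, sizeof u->ut_host, l->host != NULL ? l->host : "");
    u->ut_time = l->when;
    return trunc;
}

/* The dispatcher stays readable: a NULL target stands in for a platform that
 * lacks that record type (where the real code would use #ifdef). */
int record_login_example(const struct logindata *l, struct utmp_bsd *b, struct utmp_sysv *s)
{
    int trunc = 0;

    if (b != NULL) trunc |= logindata_to_utmp_bsd(l, b);
    if (s != NULL) trunc |= logindata_to_utmp_sysv(l, s);
    return trunc;
}

int main(void)
{
    /* Constructed input: a user name longer than UT_NAMESIZE. */
    struct logindata l = { "averylongusername", "/dev/ttyp0", "10.0.0.5", 946339200 };
    struct utmp_bsd b;
    struct utmp_sysv s;
    int trunc = record_login_example(&l, &b, &s);

    printf("line=%.*s id=%.*s user=%.*s truncated=%d\n", (int)sizeof b.ut_line, b.ut_line,
           (int)sizeof s.ut_id, s.ut_id, (int)sizeof b.ut_name, b.ut_name, trunc);
    return 0;
}
```

The truncation return is the point a real record_login() should not drop: silently cutting a 17-byte user name to 8 bytes writes an entry for a user who may not exist, and every later reader of that entry (last, who, the lastlog code) has to use bounded compares like ut_field_eq() because nothing guarantees a NUL inside the field.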
From: dhall at virage.org (Darren Hall) Date: 28 Dec 1999 01:55:08 -0500 Subject: autoconf check for socklen_t Message-ID:
Here's a configure check to see if socklen_t is defined. Even though my man pages on linux say accept(2) takes (int *) as its 3rd arg, the sys/socket.h file begs to differ. If not defined (which it doesn't seem to be on AIX 4.2.1), it can be explicitly typedef'ed to (unsigned int). Now do mainstream code changes get submitted back to the openbsd group, or would it be better to submit to this list?

After defining all those variables to socklen_t, this should clean up the spurious errors spewed forth from AIX's native compiler, about the uncast connect, accept and bind calls.

context diff on 1.2.1pre21
*** configure.in~ Sat Dec 25 18:21:48 1999 --- configure.in Mon Dec 27 00:55:17 1999 *************** *** 180,185 **** --- 180,197 ---- [AC_MSG_RESULT(no)] ) + AC_MSG_CHECKING([For socklen_t]) + AC_TRY_COMPILE( + [#include ], + [#include ], + [socklen_t foo; foo = 1235;], + [ + AC_DEFINE(HAVE_SOCKLEN_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] + ) + dnl Check PAM strerror arguments AC_MSG_CHECKING([whether pam_strerror takes only one argument]) AC_TRY_COMPILE(
From djm at mindrot.org Tue Dec 28 19:18:16 1999 
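Review bot: the added AC_TRY_COMPILE call passes five bracketed arguments, so the macro's slots are shifted: the second `#include` becomes the test body, `socklen_t foo; foo = 1235;` becomes the action-if-found (and would be run as shell), and `AC_DEFINE(HAVE_SOCKLEN_T) AC_MSG_RESULT(yes)` lands in the action-if-not-found slot, which defines HAVE_SOCKLEN_T exactly when the test fails to compile. Put both `#include` lines in the first argument and the `socklen_t foo; foo = 1235;` statement in the second, leaving the yes/no actions in the third and fourth. As shown here the two `#include` lines carry no header name at all, so whoever applies the patch should check that the names survived. The `typedef unsigned int socklen_t` fallback the message proposes belongs under `#ifndef HAVE_SOCKLEN_T` in a header included before any socket call, or it will collide on the systems that do define the type.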
From: djm at mindrot.org (Damien Miller) Date: Tue, 28 Dec 1999 19:18:16 +1100 (EST) Subject: autoconf check for socklen_t In-Reply-To: Message-ID:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 28 Dec 1999, Darren Hall wrote:
> Here's a configure check to see if socklen_t is defined. Even though my man pages on linux say accept(2) takes (int *) as its 3rd arg, the sys/socket.h file begs to differ.

Thanks, applied. I am now typedefing (unsigned int) to socklen_t if the definition is missing.

> If not defined (which it doesn't seem to be on AIX 4.2.1), it can be explicitly typedef'ed to (unsigned int). Now do mainstream code changes get submitted back to the openbsd group, or would it be better to submit to this list?

For portability changes, it is best to send them via this list. Feel free to send any other patches as well, I feed them back to the OpenBSD people if I think they are relevant.

> After defining all those variables to socklen_t, this should clean up the spurious errors spewed forth from AIX's native compiler, about the uncast connect, accept and bind calls.

Does 1.2.1pre22 (with your patch) work correctly on AIX?

Thanks,
Damien

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4aHJMormJ9RG1dI8RApuXAJ9dXuOUVfPYgyxZLRPvcl+pRKD7bACgzmAd
icirF/nHMgVFwGmvekaXU/c=
=kioU
-----END PGP SIGNATURE-----
From andre.lucas at dial.pipex.com Tue Dec 28 22:57:38 1999 
From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Tue, 28 Dec 1999 11:57:38 +0000 Subject: Suggestion: login.c->record_login() References: <3867A707.40DEAA26@dial.pipex.com> <19991228003945.A21583@rumpole.bohemians.lexington.ky.us> Message-ID: <3868A5B2.EED418DF@dial.pipex.com> How on Earth does breaking out stuff OpenSSH already does into smaller, more manageable chunks inhibit portability? I would suggest that the opposite applies. You have OS specific stuff because, well, this stuff is OS specific. Then you have autoconf make a best guess if you don't know the OS. That's the same as it is now, BTW, except that because it's trying to be general it doesn't always get it right, even on the platforms it directly supports. Having autoconf guess at OSs that you really care about supporting well, and can therefore program special cases for, is pointless IMO. I know I care a great deal about having logins registered properly on a telnet, rlogin and rcp replacement program, more than I care about philosophical arguments regarding autoconf that mean it doesn't work correctly. Look at configure.in for any large package, I guarantee it will be full of special cases. That's why it's there. Likewise, any package that gets 'down to the metal' has chunks of highly OS specific code. tcpdump (actually libpcap) springs to mind here, where it interfaces with different OS' Berkeley Packet Filter equivalents. Even with the platform hacks, tcpdump is a great program that people use even if their OS has an equivalent utility, e.g. snoop. That's the kind of pragmatic approach that I think OpenSSH has to take to win hearts and minds over for-profit SSH in The Real World(tm), and if that means putting in specific code for Linux, Solaris, AIX, HPUX, Digital, NetBSD and whatever else, well, so what? In any case, I'm not talking about removing autoconf's wonderful 'best guess' functionality. I'm talking about a code cleanup that will enhance it. 
Regards,
-Andre

David Rankin wrote:
> The problem with an "OS-based" ifdef system is that it makes porting to a new OS problematic. Also, what happens if FooNix or BarBSD decide to add/subtract/change the way they use struct utmp/utmpx/et al.? Under an OS-based ifdef, configure "figures out" the messy details for you (hopefully the right way), while this setup would require manual intervention to go to either older supported OSes or newer versions.
>
> For the record, I think this "configure soup" stinks. But I also think that this would make things less portable, not more.
>
> Thanks,
> David
>
> On Mon, Dec 27, 1999 at 05:51:03PM +0000, Andre Lucas wrote:
> > Hi,
> > A lot of the problems with openssh portability so far appear to be with the login record functionality, i.e. lastlog support, and variations on handling utmp vs. utmpx etc. Looking at for-profit SSH 1.2.27, login.c is rather embarrassing spaghetti code, so laden with '#ifdef's it's almost impossible to read.
> > OpenSSH's code isn't anything like that, but then it doesn't support as many platforms yet. Even with the best of intentions, there's every prospect that the code will mutate into the same kind of thing as in SSH. It's a tricky problem to solve, because the code varies so much and is so important.
> > I wonder if this is a suitable moment to suggest that record_login() gets a major rewrite. We could abstract it more, so we pass a superstructure containing all the information we have to functions that handle exactly one of utmp, utmpx, wtmp, wtmpx, lastlog, or whatever else comes along.
> >
> > *Then* we could use #ifdef to call the right code. One way might be:
> > #ifdef LINUX
> > /* Linux: Do the business with PAM */
> > set_pam_entry (struct logindata l);
> > /* ... whatever else Linux needs ... */
> > #endif /* LINUX */
> >
> > #ifdef HPUX
> > /* HPUX: Do things the hard way
> >  * no lastlog, utmp *and* utmpx, wtmp */
> > set_utmp_entry (struct logindata l);
> > set_utmpx_entry (struct logindata l);
> > set_wtmp_entry (struct logindata l);
> > #endif /* HPUX */
> > etc...
> >
> > It's still not exactly pretty, but it's a lot more readily understood IMO. (I've left error propagation out for clarity at this point.)
> >
> > There would still be #ifdef blocks in the individual routines, to cover for platform differences in the individual structures, but even that's clearer; it's far simpler to see why a change is being made for a particular platform if you don't have to wonder what kind of structure will eventually be set for which platform!
> >
> > I have two reasons for suggesting this approach over another potential method, that of having a platform-specific file or block for each supported OS. First, that complicates the Makefile (IMO) unnecessarily with different files (or makes one huge conditionally compiled file with one file), and secondly it doesn't stand a chance of working on a platform without specific support. The second is the killer for me.
> >
> > I'm aware that there are issues for Damien here in keeping track of OpenBSD changes to the OpenSSH codebase. I still think that this would be tidier and easier in the long run.
> >
> > I look forward to your comments.
> >
> > Ta,
> > -Andre Lucas
> > Instinet Global Services
> --
> David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
> Email: drankin at bohemians.lexington.ky.us Address/Phone Number: Ask me.
> "It is no great thing to be humble when you are brought low; but to be humble when you are praised is a great and rare accomplishment." St. Bernard
From usenet-9947 at marc-haber.de Tue Dec 28 23:11:24 1999 
From: usenet-9947 at marc-haber.de (Marc Haber) Date: Tue, 28 Dec 1999 12:11:24 GMT Subject: scp with openssh on the server side and $PATH. In-Reply-To: References: Message-ID: On Mon, 27 Dec 1999 10:05:47 +1100 (EST), you wrote: >On Sun, 26 Dec 1999, Marc Haber wrote: >> In the mean time, I found out that this path comes from >> /usr/include/paths.h which is included from config.h (thanks to Jim >> Knoble for pointing that out in his Alert article. >> >> I will try later today if preventing that include from happening >> will solve the problem. > >1.2.1pre22 will have a --with-default-path option with which you can >override this. Is it possible that this option is not currently honored by the configure script? It shows up in the help, is accepted by configure |./configure --with-default-path="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin/:/usr/sbin:/sbin", but the stdpath set in config.h still shows the normal path without /local and grepping for "/local" over the sources doesn't give hits - and the compiled sshd still sets the path to what is default. I feel rather stupid here. Greetings Marc -- -------------------------------------- !! No courtesy copies, please !! ----- Marc Haber | " Questions are the | Mailadresse im Header Karlsruhe, Germany | Beginning of Wisdom " | Fon: *49 721 966 32 15 Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29 From drankin at bohemians.lexington.ky.us Wed Dec 29 01:42:34 1999 
From: drankin at bohemians.lexington.ky.us (David Rankin) Date: Tue, 28 Dec 1999 09:42:34 -0500 Subject: ANNOUNCE: openssh-1.2.1pre22 In-Reply-To: ; from Damien Miller on Tue, Dec 28, 1999 at 03:51:39PM +1100 References: Message-ID: <19991228094233.A5071@rumpole.bohemians.lexington.ky.us>
On Tue, Dec 28, 1999 at 03:51:39PM +1100, Damien Miller wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I have just uploaded 1.2.1pre22 to:
...
> I am interested in hearing success or failure stories from users of Solaris, HPUX, AIX, Irix, NetBSD and older Linux variants.

Wouldn't you know it, another NetBSD-caused utmp patch, this time for ut_id. In case it will help in the future, here's what utmp.h basically looks like on NetBSD:

    #define UT_NAMESIZE 8
    #define UT_LINESIZE 8
    #define UT_HOSTSIZE 16

    struct lastlog {
        time_t ll_time;
        char ll_line[UT_LINESIZE];
        char ll_host[UT_HOSTSIZE];
    };

    struct utmp {
        char ut_line[UT_LINESIZE];
        char ut_name[UT_NAMESIZE];
        char ut_host[UT_HOSTSIZE];
        time_t ut_time;
    };

Anyway, another unified diff to fix things.

Thanks,
David

--- configure.in.orig Tue Dec 28 09:15:51 1999 +++ configure.in Tue Dec 28 09:16:43 1999 @@ -290,6 +290,11 @@ [AC_DEFINE(HAVE_TV_IN_UTMP) AC_MSG_RESULT(yes); ], [AC_MSG_RESULT(no)] ) +AC_MSG_CHECKING([whether utmp.h has ut_id field]) +AC_EGREP_HEADER(ut_id, utmp.h, + [AC_DEFINE(HAVE_ID_IN_UTMP) AC_MSG_RESULT(yes); ], + [AC_MSG_RESULT(no)] +) dnl Look for lastlog location AC_ARG_WITH(lastlog, --- login.c.orig Tue Dec 28 09:13:45 1999 +++ login.c Tue Dec 28 09:15:30 1999 @@ -141,7 +141,9 @@ /* Construct an utmp/wtmp entry. */ memset(&u, 0, sizeof(u)); strncpy(u.ut_line, ttyname + 5, sizeof(u.ut_line)); +#if defined(HAVE_ID_IN_UTMP) strncpy(u.ut_id, ttyname + 8, sizeof(u.ut_id)); +#endif /* defined(HAVE_ID_IN_UTMP) */ strncpy(u.ut_name, user, sizeof(u.ut_name)); #if defined(HAVE_TV_IN_UTMP) (void)gettimeofday(&u.ut_tv, NULL); --- acconfig.h.orig Tue Dec 28 09:17:10 1999 +++ acconfig.h Tue Dec 28 09:17:38 1999 
@@ -48,6 +48,9 @@ /* Define is utmp.h has a ut_tv field */ #undef HAVE_TV_IN_UTMP +/* Define is utmp.h has a ut_id field */ +#undef HAVE_ID_IN_UTMP + /* Define if you want to use utmpx */ #undef USE_UTMPX From drankin at bohemians.lexington.ky.us Wed Dec 29 02:49:26 1999 From: drankin at bohemians.lexington.ky.us (David Rankin) Date: Tue, 28 Dec 1999 10:49:26 -0500 Subject: Patch to detect perl using autoconf Message-ID: <19991228104926.C21583@rumpole.bohemians.lexington.ky.us> For systems that don't have perl at /usr/bin/perl, fixpaths doesn't run. I've added a check in configure.in to find where perl is and use it to run fixpaths. Here's the patch: --- configure.in.orig Mon Dec 27 23:09:36 1999 +++ configure.in Tue Dec 28 10:16:05 1999 @@ -9,6 +9,7 @@ AC_PROG_RANLIB AC_PROG_INSTALL AC_CHECK_PROG(AR, ar, ar) +AC_CHECK_PROG(PERL, perl, perl) AC_PATH_PROG(xauth_path, xauth) dnl Use ip address instead of hostname in $DISPLAY --- Makefile.in.orig Tue Dec 28 10:22:27 1999 +++ Makefile.in Tue Dec 28 10:23:54 1999 @@ -25,6 +25,7 @@ AR=@AR@ RANLIB=@RANLIB@ INSTALL=@INSTALL@ +PERL=@PERL@ LDFLAGS=-L. @LDFLAGS@ GNOME_CFLAGS=`gnome-config --cflags gnome gnomeui` @@ -89,7 +90,7 @@ *.1 *.8 sshd_config ssh_config manpages: - $(FIXPATHS) -Dsysconfdir=${sysconfdir} $(srcdir)/*.1.in $(srcdir)/*.8.in \ + $(PERL) $(FIXPATHS) -Dsysconfdir=${sysconfdir} $(srcdir)/*.1.in $(srcdir)/*.8.in \ $(srcdir)/ssh_config.in $(srcdir)/sshd_config.in install: all From nalin at thermo.stat.ncsu.edu Wed Dec 29 03:10:55 1999 
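Review bot: in the login.c hunk the `#if defined(HAVE_ID_IN_UTMP)` guard fixes the NetBSD compile, but the line it wraps, `strncpy(u.ut_id, ttyname + 8, sizeof(u.ut_id));`, still takes a fixed offset with no check that ttyname is at least 8 bytes long, and for a `/dev/pts/N` name that offset lands on `/N`; the pre22 ChangeLog describes ut_id as the last few characters of the tty line, so derive it from strlen(ttyname) rather than a constant. In the configure.in hunk, `AC_EGREP_HEADER(ut_id, utmp.h, ...)` matches the token anywhere in the header, a comment included, and looks only at utmp.h although USE_UTMPX builds read utmpx.h; an AC_TRY_COMPILE that touches `u.ut_id` in a `struct utmp` is the more reliable test. The new acconfig.h comment copies the `Define is` typo from the ut_tv line above it; make it `Define if`.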
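Review bot: `AC_CHECK_PROG(PERL, perl, perl)` sets PERL to the bare word `perl`, not a path, so the `$(PERL) $(FIXPATHS)` rule in Makefile.in still depends on whatever PATH is in effect when make runs; AC_PATH_PROG gives the absolute path. The rule also has no fallback when perl is not found: with PERL empty, make runs `$(FIXPATHS)` directly and falls back to the script's own `#!/usr/bin/perl`, which is the failure this patch sets out to fix, so either supply a default or stop configure with AC_MSG_ERROR.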
From: nalin at thermo.stat.ncsu.edu (Nalin Dahyabhai) Date: Tue, 28 Dec 1999 11:10:55 -0500 Subject: Patches to report rsaref build and to call pam_setcred Message-ID: <19991228111055.A8907@thermo.stat.ncsu.edu> I've attached two patches. The first just changes the output of "ssh -V" to print that it was built against rsaref if libRSAglue (which is built as part of openssl only when it is built against rsaref) is present at build-time. The second adds appropriate calls to pam_setcred() in sshd. Without them, our systems can't access AFS because the PAM modules only get tokens at a pam_setcred() or pam_open_session() call. Cheers, Nalin -------------- next part -------------- diff -uNr acconfig.h acconfig.h --- acconfig.h Sat Dec 25 18:21:48 1999 +++ acconfig.h Mon Dec 27 10:46:05 1999 @@ -24,6 +24,10 @@ /* Define if your ssl headers are included with #include */ #undef HAVE_OPENSSL +/* Define if you are linking against RSAref. Used only to print the right + * message at run-time. */ +#undef RSAREF + /* Define is utmp.h has a ut_host field */ #undef HAVE_HOST_IN_UTMP diff -uNr config.h.in config.h.in --- config.h.in Sat Dec 25 22:25:22 1999 +++ config.h.in Mon Dec 27 10:51:13 1999 @@ -27,6 +27,10 @@ /* Define if your ssl headers are included with #include */ #undef HAVE_OPENSSL +/* Define if you are linking against RSAref. Used only to print the right + * message at run-time. */ +#undef RSAREF + /* Define is utmp.h has a ut_host field */ #undef HAVE_HOST_IN_UTMP diff -uNr configure.in configure.in --- configure.in Sat Dec 25 18:21:48 1999 +++ configure.in Mon Dec 27 10:45:09 1999 @@ -89,7 +89,8 @@ saved_LIBS="$LIBS" LIBS="$saved_LIBS -lRSAglue -lrsaref" AC_TRY_LINK([], [], -[AC_MSG_RESULT(yes); ], +[AC_MSG_RESULT(yes); + AC_DEFINE(RSAREF)], [AC_MSG_RESULT(no)]; LIBS="$saved_LIBS") dnl Checks for libraries. diff -uNr ssh.c ssh.c --- ssh.c Mon Dec 13 18:47:16 1999 +++ ssh.c Mon Dec 27 10:48:43 1999 
@@ -305,7 +305,11 @@ case 'V': fprintf(stderr, "SSH Version %s, protocol version %d.%d.\n", SSH_VERSION, PROTOCOL_MAJOR, PROTOCOL_MINOR); +#ifndef RSAREF fprintf(stderr, "Compiled with SSL.\n"); +#else + fprintf(stderr, "Compiled with SSL (RSAref version).\n"); +#endif if (opt == 'V') exit(0); debug_flag = 1; -------------- next part -------------- --- sshd.c Mon Dec 27 23:09:36 1999 +++ sshd.c Tue Dec 28 10:57:00 1999 @@ -149,6 +149,7 @@ int do_pam_auth(const char *user, const char *password); void do_pam_account(char *username, char *remote_user); void do_pam_session(char *username, char *ttyname); +void do_pam_setcred(); void pam_cleanup_proc(void *context); static struct pam_conv conv = { @@ -230,6 +231,12 @@ PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } + pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED); + if (pam_retval != PAM_SUCCESS) { + log("Cannot delete credentials: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + } + pam_retval = pam_end((pam_handle_t *)pamh, pam_retval); if (pam_retval != PAM_SUCCESS) { log("Cannot release PAM authentication: %.200s", @@ -301,6 +308,16 @@ if (pam_retval != PAM_SUCCESS) fatal("PAM session setup failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); } + +void do_pam_setcred() +{ + int pam_retval; + + debug("PAM establishing creds"); + pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_ESTABLISH_CRED); + if (pam_retval != PAM_SUCCESS) + fatal("PAM setcred failed: %.200s", PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); +} #endif /* USE_PAM */ /* @@ -1903,6 +1920,9 @@ packet_set_interactive(have_pty || display != NULL, options.keepalives); +#ifdef USE_PAM + do_pam_setcred(); +#endif if (forced_command != NULL) goto do_forced_command; debug("Forking shell."); 
@@ -1918,6 +1938,9 @@ packet_set_interactive(have_pty || display != NULL, options.keepalives); +#ifdef USE_PAM + do_pam_setcred(); +#endif if (forced_command != NULL) goto do_forced_command; /* Get command from the packet. */ From Darren_Hall at progressive.com Wed Dec 29 04:13:57 1999 From: Darren_Hall at progressive.com (Darren_Hall at progressive.com) Date: Tue, 28 Dec 1999 12:13:57 -0500 Subject: FYI: lastlog on AIX Message-ID: <85256855.005DD703.00@s65a0384.prci.com> As a general FYI for AIX. On a vanilla AIX install, you'll need to run ./configure as root in order to find the lastlog. The lastlog file is found within /etc/security, with permissions to allow root and the security group. From Darren_Hall at progressive.com Wed Dec 29 03:58:18 1999 From: Darren_Hall at progressive.com (Darren_Hall at progressive.com) Date: Tue, 28 Dec 1999 11:58:18 -0500 Subject: autoconf check for socklen_t Message-ID: <85256855.005B76E8.00@s65a0384.prci.com> > For portability changes, it is best to send the via this list. Feel > free to send any other patches as well, I feed them back to the > OpenBSD people if I think they are relevant. I'll have all the socklen_t patches sent back to the list soon. > Does 1.2.1pre22 (with your patch) work correctly on AIX? I've got it to compile via native compiler and working on AIX 4.2.1. I will see if I can check out 4.3.2 as well. The utmp support works, I've confirmed X forwarding, and both types of cipher. I had problems with scp, and had to explicitly setup a .ssh/environment file to include the /usr/local/bin. I'll have to download the latest version and check to see if _PATH_STDPATH (which isn't defined on AIX) includes $bindir if not already there at compile time. From drankin at bohemians.lexington.ky.us Wed Dec 29 04:47:07 1999 
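Review bot: this is the second verbatim copy of the `#ifdef USE_PAM / do_pam_setcred(); / #endif` block, placed at the same point (right after packet_set_interactive, before the forced_command check) in the other branch; hoist one call into the code both branches share so a third path cannot forget it. Placing it before the forced_command test also means a setcred failure (fatal() in do_pam_setcred) refuses forced commands as well as shells, which is worth stating in the commit message if intended.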
From: drankin at bohemians.lexington.ky.us (David Rankin) Date: Tue, 28 Dec 1999 12:47:07 -0500 Subject: Patch to detect perl using autoconf In-Reply-To: <19991228104926.C21583@rumpole.bohemians.lexington.ky.us>; from David Rankin on Tue, Dec 28, 1999 at 10:49:26AM -0500 References: <19991228104926.C21583@rumpole.bohemians.lexington.ky.us> Message-ID: <19991228124707.D21583@rumpole.bohemians.lexington.ky.us> On Tue, Dec 28, 1999 at 10:49:26AM -0500, David Rankin wrote: > For systems that don't have perl at /usr/bin/perl, fixpaths doesn't run. > I've added a check in configure.in to find where perl is and use it to > run fixpaths. Here's the patch: OK, I managed to screw this patch up. It looks like the AC_CHECK_PROG wasn't doing an AC_SUBST automatically for me, so I forced it. Here's try two. --- configure.in.orig Mon Dec 27 23:09:36 1999 +++ configure.in Tue Dec 28 12:31:31 1999 @@ -9,6 +9,8 @@ AC_PROG_RANLIB AC_PROG_INSTALL AC_CHECK_PROG(AR, ar, ar) +AC_PATH_PROG(PERL, perl) +AC_SUBST(PERL) AC_PATH_PROG(xauth_path, xauth) dnl Use ip address instead of hostname in $DISPLAY --- Makefile.in.orig Tue Dec 28 10:22:27 1999 +++ Makefile.in Tue Dec 28 10:23:54 1999 @@ -25,6 +25,7 @@ AR=@AR@ RANLIB=@RANLIB@ INSTALL=@INSTALL@ +PERL=@PERL@ LDFLAGS=-L. @LDFLAGS@ GNOME_CFLAGS=`gnome-config --cflags gnome gnomeui` @@ -89,7 +90,7 @@ *.1 *.8 sshd_config ssh_config manpages: - $(FIXPATHS) -Dsysconfdir=${sysconfdir} $(srcdir)/*.1.in $(srcdir)/*.8.in \ + $(PERL) $(FIXPATHS) -Dsysconfdir=${sysconfdir} $(srcdir)/*.1.in $(srcdir)/*.8.in \ $(srcdir)/ssh_config.in $(srcdir)/sshd_config.in install: all From js1 at digitalfurnace.com Wed Dec 29 05:02:06 1999 
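Review bot: `AC_PATH_PROG(PERL, perl)` has no value-if-not-found, so on a system without perl PERL is empty and the manpages rule runs `$(FIXPATHS) ...` bare, relying on the script's own `#!/usr/bin/perl`, which is the failure this patch is meant to fix; either give AC_PATH_PROG a default or stop configure with AC_MSG_ERROR when perl is missing, since fixpaths has to run at install time. The explicit `AC_SUBST(PERL)` is harmless, but AC_PATH_PROG already substitutes the variable it sets.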
From: js1 at digitalfurnace.com (Jiann-Ming Su) Date: Tue, 28 Dec 1999 13:02:06 -0500 Subject: denied X11 forwarding Message-ID: <3868FB1E.60286090@digitalfurnace.com> This has to be a FAQ, but I can't find anything on it at the web site. I've installed openssh on several computers now and have yet to get X11 forwarding to work. I get the following when I log into a computer with ssh: Warning: Remote host denied X11 forwarding, perhaps xauth program could not be run on the server side. However: $ which xauth /usr/X11R6/bin/xauth Please reply by email as I'm not on the developer's list. Thanks for any help. From bent at clark.net Wed Dec 29 05:43:10 1999 
From: bent at clark.net (Ben Taylor) Date: Tue, 28 Dec 1999 13:43:10 -0500 (EST) Subject: scp with openssh on the server side and $PATH. In-Reply-To: Message-ID: On Tue, 28 Dec 1999, Marc Haber wrote: > Is it possible that this option is not currently honored by the > configure script? It shows up in the help, is accepted by configure > |./configure --with-default-path="/usr/local/bin:/usr/bin:/bin:/usr/local/sbin/:/usr/sbin:/sbin", > but the stdpath set in config.h still shows the normal path without > /local and grepping for "/local" over the sources doesn't give hits - > and the compiled sshd still sets the path to what is default. > > I feel rather stupid here. Don't feel stupid. The configure script accepts the --with-default-path option, but doesn't do anything with it. Since there is now a defines.h that got broken away from config.h, I suspect that what should happen is a rule in configure should write something like this to config.h. This will allow us to override the _PATH_STDPATH if we want to, and not have it redefined in defines.h if we have defined it. #if HAVE_DEFAULT_PATH # if defined (_PATH_STDPATH) # undef _PATH_STDPATH # endif # define _PATH_STDPATH "" #endif I haven't figured out autoconf that well yet, so maybe someone who knows it can hack this into configure.in. Ben From Darren_Hall at progressive.com Wed Dec 29 08:02:54 1999 
From: Darren_Hall at progressive.com (Darren_Hall at progressive.com) Date: Tue, 28 Dec 1999 16:02:54 -0500 Subject: patch for AIX native compiler warnings Message-ID: <85256855.007370B3.00@s65a0384.prci.com>
Combined with the socklen_t, this patch cleans up all the spurious warnings from the native compiler. (See attached file: openssh-1.2.1pre22-aix.patch)
-------------- next part --------------
A non-text attachment was scrubbed... Name: openssh-1.2.1pre22-aix.patch Type: application/octet-stream Size: 8605 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991228/265535b5/attachment.obj
From drankin at bohemians.lexington.ky.us Thu Dec 30 03:32:40 1999
From: drankin at bohemians.lexington.ky.us (David Rankin) Date: Wed, 29 Dec 1999 11:32:40 -0500 Subject: Patch to use Dante socks library Message-ID: <19991229113239.A19471@rumpole.bohemians.lexington.ky.us>
Since I use the Dante SOCKS library (instead of the NEC libraries), I decided to hack support for them into OpenSSH. Here are the results.

Thanks,
David

$NetBSD$ --- configure.in.orig Wed Dec 29 08:37:01 1999 +++ configure.in Wed Dec 29 08:37:25 1999 @@ -334,6 +341,20 @@ AC_MSG_WARN([*** Disabling lastlog support *** ]) AC_DEFINE(DISABLE_LASTLOG) fi + +dnl Compile with dante SOCKS library +AC_ARG_WITH(dante, + [ --with-dante=DIR Use Dante SOCKS lib (default is system library path)], + [ + AC_DEFINE(HAVE_DANTE) + if test "x$withval" != "xno" ; then + if test -n $withval ; then + LIBS="$LIBS -L$withval" + fi + LIBS="$LIBS -lsocks" + fi + ] +) AC_CHECK_FILE("/dev/ptmx", AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX)) AC_CHECK_FILE("/dev/ptc", AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC)) $NetBSD$ --- acconfig.h.orig Mon Dec 27 23:09:36 1999 +++ acconfig.h Wed Dec 29 08:57:46 1999 
@@ -24,6 +24,9 @@ /* Are we using the Entropy gathering daemon */ #undef HAVE_EGD +/* Define if using the Dante SOCKS library. */ +#undef HAVE_DANTE + /* Define if your ssl headers are included with #include */ #undef HAVE_SSL --- ssh.h.orig Tue Dec 21 08:12:39 1999 +++ ssh.h Wed Dec 29 10:12:31 1999 
@@ -267,6 +267,53 @@ #define SSH_CMSG_HAVE_KERBEROS_TGT 44 /* credentials (s) */ #define SSH_CMSG_HAVE_AFS_TOKEN 65 /* token (s) */ +/* + * The following defines map the normal socket operations to SOCKSified + * versions coming from the Dante package. + */ + +#ifdef HAVE_DANTE +#define accept Raccept +#define bind Rbind +#define bindresvport Rbindresvport +#define connect Rconnect +#define gethostbyname Rgethostbyname +#define gethostbyname2 Rgethostbyname2 +#define getpeername Rgetpeername +#define getsockname Rgetsockname +#define read Rread +#define readv Rreadv +#define recv Rrecv +#define recvmsg Rrecvmsg +#define recvfrom Rrecvfrom +#define rresvport Rrresvport +#define send Rsend +#define sendmsg Rsendmsg +#define sendto Rsendto +#define write Rwrite +#define writev Rwritev +int Raccept (int, struct sockaddr *, socklen_t *); +int Rbind (int, const struct sockaddr *, socklen_t); +int Rbindresvport(int , struct sockaddr_in *); +int Rconnect (int, const struct sockaddr *, socklen_t); +struct hostent *Rgethostbyname(const char *); +struct hostent *Rgethostbyname2(const char *, int); +int Rgetpeername (int, struct sockaddr *, socklen_t *); +int Rgetsockname (int, struct sockaddr *, socklen_t *); +ssize_t Rread(int , void *, size_t ); +ssize_t Rreadv(int d, const struct iovec *iov, int iovcnt); +ssize_t Rrecv (int, void *, size_t, int); +ssize_t Rrecvfrom (int, void *, size_t, int, struct sockaddr *, + socklen_t *); +ssize_t Rsend (int, const void *, size_t, int); +ssize_t Rsendmsg (int, const struct msghdr *, int); +ssize_t Rsendto (int, const void *, + size_t, int, const struct sockaddr *, socklen_t); +ssize_t Rwrite(int , const void *, size_t ); +ssize_t Rwritev(int , const struct iovec *, int ); +iovcnt +#endif /* HAVE_DANTE */ + /*------------ definitions for login.c -------------*/ /* --- INSTALL.orig Wed Dec 29 10:38:23 1999 +++ INSTALL Wed Dec 29 10:53:51 1999 
@@ -15,6 +15,12 @@ PAM: http://www.kernel.org/pub/linux/libs/pam/ +Dante: +http://www.inet.no/dante + +OpenSSH can also use the Dante SOCKS libraries, version 1.1.1pre1 or higher, +if you have them installed on your system. + If you wish to build the GNOME passphrase requester, you will need the GNOME libraries and headers. @@ -104,6 +110,10 @@ --with-md5-passwords will enable the use of MD5 passwords. Enable this if your operating system uses MD5 passwords without using PAM. + +--with-dante[=DIR] will enable Dante SOCKS library support. If the Dante +libsocks library isn't installed in a library searched by the compiler, +add the directory name as the option. If you need to pass special options to the compiler or linker, you can specify these as enviornment variables before running ./configure. --- README.orig Wed Dec 29 10:33:29 1999 +++ README Wed Dec 29 10:56:27 1999 @@ -14,7 +14,9 @@ for OpenBSD library functions that are (regrettably) absent from other unices. This port has been best tested on Linux, Solaris and HPUX, though support for AIX and Irix is underway. This version -actively tracks changes in the OpenBSD CVS repository. +actively tracks changes in the OpenBSD CVS repository. This port +also has optional support for using the Dante SOCKS library[6], +version 1.1.1pre1 or later. The PAM support is now more functional than the popular packages of commercial ssh-1.2.x. It checks "account" and "session" modules for 
@@ -25,11 +27,11 @@ bsd-*.[ch] is from the OpenBSD project and has its own license (again, see the source files for details). -OpenSSH depends on Zlib[2], OpenSSL[3] and optionally PAM[4]. To build -the GNOME[5] pass-phrase requester (--with-gnome-askpass), you will -need the GNOME libraries installed. If you are building OpenSSH on a -Unix which lacks a kernel random number pool (/dev/random), you will -need to install EGD[1]. +OpenSSH depends on Zlib[2], OpenSSL[3] and optionally PAM[4] and +Dante[6]. To build the GNOME[5] pass-phrase requester +(--with-gnome-askpass), you will need the GNOME libraries installed. +If you are building OpenSSH on a Unix which lacks a kernel random +number pool (/dev/random), you will need to install EGD[1]. There is now a mailing list for this port of OpenSSH. To subscribe, send a message consisting of the word 'SUBSCRIBE' to @@ -71,4 +73,5 @@ [3] http://www.openssl.org/ [4] http://www.kernel.org/pub/linux/libs/pam/ (PAM is standard on Solaris) [5] http://www.gnome.org/ +[6] http://www.inet.no/dante
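Review bot: In the configure.in hunk, `if test -n $withval` is unquoted and the bare `--with-dante` case is not handled: autoconf sets withval to "yes" there, so the branch appends `-Lyes` to LIBS. Test `"x$withval" != "xyes"` before adding the -L flag, quote `"$withval"`, and move `AC_DEFINE(HAVE_DANTE)` inside the `!= "xno"` test so that `--with-dante=no` does not define it.

Review bot: In the ssh.h hunk, `#define read Rread` and `#define write Rwrite` (likewise readv/writev) rewrite every read() and write() in any file that includes ssh.h, not only socket I/O, while files that do not include ssh.h keep the plain calls, so the SOCKSification is both broader and less consistent than intended; a header included by every source file, limited to the socket calls, would be the safer place. As shown, a stray `iovcnt` token follows the `Rwritev` prototype and will not compile.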
From: Marc.Haber-lists at gmx.de (Marc Haber)
Date: Wed, 29 Dec 1999 23:02:18 GMT
Subject: scp with openssh on the server side and $PATH.

On Tue, 28 Dec 1999 13:43:10 -0500 (EST), you wrote:

>Don't feel stupid. The configure script accepts the --with-default-path
>option, but doesn't do anything with it.

I see. This needs to be documented or other people will fall into that trap.

>I haven't figured out autoconf that well yet, so maybe someone who knows
>it can hack this into configure.in.

Just to solve it _now_, can I safely put

    #if HAVE_DEFAULT_PATH
    # if defined (_PATH_STDPATH)
    #  undef _PATH_STDPATH
    # endif
    # define _PATH_STDPATH "_my_path_"
    #endif

in config.h without breaking anything? Installing a broken sshd on the machine
in question will result in a 300 km drive :-(

btw, since this list is intended for developers, I believe that slowly we need
an openssh-unix-user mailing list.

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         | " Questions are the           | E-mail address in the header
Karlsruhe, Germany | Beginning of Wisdom "         | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
From: djm at mindrot.org (Damien Miller)
Date: Thu, 30 Dec 1999 17:01:39 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.1pre23

openssh-1.2.1pre23 is available on:

http://violet.ibs.com.au/openssh/files/

Highlights of this release:

- A cleanup of the PAM code (it now lives in auth-pam.[ch]). This also fixes
  a bug where sshd was ignoring a "PermitRootLogin without-password"
  directive.
- David Rankin's SOCKS support using the Dante libraries. I have not tested
  this because I don't have Dante. Instructions and links to Dante are in
  the INSTALL document.
- Automatically detect path to perl installation
- Fixed broken --wth-default-path option
- Much tidying up of source files, etc.
- Portability fixes

19991230
 - OpenBSD CVS updates:
   - [auth-passwd.c]
     check for NULL 1st
 - Removed most of the pam code into its own file auth-pam.[ch]. This
   cleaned up sshd.c significantly.
 - Several other cleanups
 - Merged Dante SOCKS support patch from David Rankin
 - Updated documentation with ./configure options

19991229
 - Applied another NetBSD portability patch from David Rankin
 - Fix --with-default-path option.
 - Autodetect perl, patch from David Rankin
 - Print whether OpenSSH was compiled with RSARef, patch from Nalin Dahyabhai
 - Calls to pam_setcred, patch from Nalin Dahyabhai
 - Detect missing size_t and typedef it.
 - Rename helper.[ch] to (more appropriate) bsd-misc.[ch]
 - Minor Makefile cleaning

Regards,
Damien Miller

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
From: Marc.Haber-lists at gmx.de (Marc Haber)
Date: Thu, 30 Dec 1999 09:31:32 GMT
Subject: ANNOUNCE: openssh-1.2.1pre23

On Thu, 30 Dec 1999 17:01:39 +1100 (EST), you wrote:

>- Fixed broken --wth-default-path option

Nope, any path given to --with-default-path still doesn't find its way into
any header files.

Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         | " Questions are the           | E-mail address in the header
Karlsruhe, Germany | Beginning of Wisdom "         | Fon: *49 721 966 32 15
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29

From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 30 Dec 1999 04:48:53 -0500
Subject: ANNOUNCE: openssh-1.2.1pre23
Message-ID: <19991230044853.J21519@quipu.earth>

Oops ... meant to send this to the list for maximum usefulness.

-- 
jim knoble
jmknoble at pobox.com

-------------- next part --------------
An embedded message was scrubbed...
From: Jim Knoble
Subject: Re: ANNOUNCE: openssh-1.2.1pre23
Date: Thu, 30 Dec 1999 04:47:39 -0500
Size: 2238
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991230/22e7791c/attachment.mht
From: karn at ka9q.ampr.org (Phil Karn)
Date: Thu, 30 Dec 1999 02:22:09 -0800
Subject: TCP port forwarding troubles?
Message-ID: <199912301022.CAA10614@homer.ka9q.ampr.org>

Has anyone heavily exercised the TCP connection forwarding features in
openssh? I use this feature quite extensively for secure web surfing. I run
an ssh command like this:

    ssh -c blowfish -L3128:127.0.0.1:3128 squidmachine

Then I set up Netscape on my local machine to use 127.0.0.1:3128 as a proxy
server. Needless to say, this exercises the TCP connection forwarding feature
quite heavily.

This worked quite reliably with ssh 1.2.26, but it seems to hang a lot when I
use OpenSSH. Before I dig into the problem, has anyone else out there heavily
exercised TCP port forwarding in openssh?

Phil
From: phil at hands.com (Philip Hands)
Date: 30 Dec 1999 11:24:18 +0000
Subject: scp with openssh on the server side and $PATH.
In-Reply-To: (Marc Haber's message of "Wed, 29 Dec 1999 23:02:18 GMT")
Message-ID: <87ln6coen1.fsf@sheikh.hands.com>

Marc.Haber-lists at gmx.de (Marc Haber) writes:

> On Tue, 28 Dec 1999 13:43:10 -0500 (EST), you wrote:
> >Don't feel stupid. The configure script accepts the --with-default-path
> >option, but doesn't do anything with it.
>
> I see. This needs to be documented or other people will fall into that
> trap.
>
> >I haven't figured out autoconf that well yet, so maybe someone who knows
> >it can hack this into configure.in.
>
> Just to solve it _now_, can I safely put
>
>     #if HAVE_DEFAULT_PATH
>     # if defined (_PATH_STDPATH)
>     #  undef _PATH_STDPATH
>     # endif
>     # define _PATH_STDPATH "_my_path_"
>     #endif
>
> in config.h without breaking anything? Installing a broken sshd on the
> machine in question will result in a 300 km drive :-(

If you kill only the server process, you should be left with the ssh
session(s) on which you have already logged in (this is how the Debian ssh
packages ensure that you can do an upgrade via an ssh session without
cutting your own throat).

The server process should have written its PID into a pid file, the name of
which will probably be revealed by:

    strings /usr/sbin/sshd | grep '\.pid'

Once you've done that, you can run a new server, and try logging in again
before you log out on the original session. If that fails, you can back out
by running the old server.

Once you've proved it's all working, you can move the sshd into place in
/usr/sbin (or whatever).

If you're paranoid, you can always schedule a reboot in ten minutes' time
before you start, so that if you kill your own session at least things will
recover. You'll need to remember to cancel the reboot if things go well,
though.

Cheers, Phil.
-- 
Boycott Amazon!
--- http://linuxtoday.com/stories/13652.html

From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Thu, 30 Dec 1999 09:03:59 -0500
Subject: ANNOUNCE: openssh-1.2.1pre23
In-Reply-To: ; from Damien Miller on Thu, Dec 30, 1999 at 05:01:39PM +1100
Message-ID: <19991230090359.A19709@rumpole.bohemians.lexington.ky.us>

On Thu, Dec 30, 1999 at 05:01:39PM +1100, Damien Miller wrote:

> openssh-1.2.1pre23 is available on:
> http://violet.ibs.com.au/openssh/files/

configure.in has a problem with the way it checks for socklen_t and size_t.
Without this patch, the program never checks correctly, so it always comes
back undefined.

Thanks,
David

--- configure.in.orig Thu Dec 30 08:56:52 1999 +++ configure.in Thu Dec 30 08:58:17 1999 @@ -184,8 +184,10 @@ AC_MSG_CHECKING([For socklen_t]) AC_TRY_COMPILE( - [#include ], - [#include ], + [ + #include + #include + ], [socklen_t foo; foo = 1235;], [ AC_DEFINE(HAVE_SOCKLEN_T) @@ -196,8 +198,10 @@ AC_MSG_CHECKING([For size_t]) AC_TRY_COMPILE( - [#include ], - [#include ], + [ + #include + #include + ], [size_t foo; foo = 1235;], [ AC_DEFINE(HAVE_SIZE_T)
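Review bot: Both hunks correctly collapse the two `#include` lines into AC_TRY_COMPILE's single INCLUDES argument; in the original, the second `[#include ]` occupied the FUNCTION-BODY slot and pushed `socklen_t foo; foo = 1235;` into the ACTION-IF-FOUND position, which is exactly why ./configure printed `socklen_t: not found` as a shell error in the Solaris 7 report that follows. Since the release tarball ships a pre-generated configure, the fix needs the script regenerated with autoconf as well, or tarball users see no change.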
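Philip Hands's listener-only replacement procedure above, together with the --with-default-path trap Ben Taylor and Marc Haber describe earlier in the thread, as an added shell example (not from the list or from OpenSSH): it recovers the pid-file path with the strings trick, checks that a freshly built sshd really embeds the intended default PATH before it is installed, and swaps only the master process with a rollback. The binary paths, the pid-file default and the ssh/sshd invocations are assumptions.

```shell
#!/bin/sh
# Added example, not from the openssh-unix-dev thread or the OpenSSH sources.
# Assumed: sshd writes its listener PID to a pid file, ssh/sshd take the
# options used below, and the paths given on the command line are yours.

# Printable strings in a file, one per line: a strings(1) substitute that only
# needs tr and grep (LC_ALL=C so [:print:] means plain ASCII).
printable_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -v '^$'
}

# Pid-file path compiled into an sshd binary (Philip's strings | grep '\.pid').
sshd_pidfile_from_binary() {
    printable_strings "$1" | grep '\.pid$' | head -n 1
}

# Default PATH compiled into an sshd binary: heuristically, the first string
# that is a colon-separated list of two or more absolute directories.
sshd_default_path_from_binary() {
    printable_strings "$1" | grep -E '^(/[^:[:space:]]+:)+/[^:[:space:]]+$' | head -n 1
}

# Refuse to install a build whose embedded PATH is not the one configure was
# asked for (the trap in this thread) or that has a relative/empty component.
check_default_path() {
    wanted=$1
    got=$(sshd_default_path_from_binary "$2")
    if [ "$got" != "$wanted" ]; then
        echo "embedded default PATH is '$got', expected '$wanted'" >&2
        return 1
    fi
    if printf '%s\n' "$got" | tr ':' '\n' | grep -q -v '^/'; then
        echo "default PATH has a relative or empty component" >&2
        return 1
    fi
    return 0
}

# Listener PID from a pid file; fail unless it is a plain positive integer.
read_listener_pid() {
    pid=$(head -n 1 "$1" 2>/dev/null | tr -d '[:space:]')
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# Kill only the master sshd (per-connection children, including the current
# login, keep running), start the new binary, and prove a fresh login works
# before trusting it; otherwise restart the old one. RUN=echo gives a dry run.
swap_sshd() {
    old=$1 new=$2 pidfile=$3
    pid=$(read_listener_pid "$pidfile") || { echo "no usable pid in $pidfile" >&2; return 1; }
    $RUN kill "$pid"
    $RUN "$new"
    if $RUN ssh -o BatchMode=yes -o ConnectTimeout=10 localhost true; then
        echo "new sshd accepts logins; safe to install $new over $old" >&2
        return 0
    fi
    echo "new sshd rejected a login; rolling back to $old" >&2
    newpid=$(read_listener_pid "$pidfile") && $RUN kill "$newpid"
    $RUN "$old"
    return 1
}

# Stand-alone use (dry run shown):
#   RUN=echo sh swap.sh /usr/sbin/sshd /usr/local/sbin/sshd.new /usr/local/bin:/usr/bin:/bin
# /var/run/sshd.pid is an assumed fallback if the path cannot be read from the binary.
if [ "$#" -eq 3 ]; then
    check_default_path "$3" "$2" || exit 1
    pidfile=$(sshd_pidfile_from_binary "$1")
    swap_sshd "$1" "$2" "${pidfile:-/var/run/sshd.pid}"
fi
```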
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 30 Dec 1999 10:58:37 -0400 (AST)
Subject: Configure problems under Solaris 7 ...

    checking For uintXX_t types... yes
    checking For socklen_t... ./configure: socklen_t: not found
    ./configure: foo: not found
    checking For size_t... ./configure: size_t: not found
    ./configure: foo: not found
    checking for dlopen in -ldl... yes

The problem is:

    AC_MSG_CHECKING([For size_t])
    AC_TRY_COMPILE(
        [#include ],
        [#include ],
        [size_t foo; foo = 1235;],
        [
            AC_DEFINE(HAVE_SIZE_T)
            AC_MSG_RESULT(yes)
        ],
        [AC_MSG_RESULT(no)]
    )

The syntax should be:

    AC_TRY_COMPILE([],[],[],[])

But the configure.in has each include in a separate [] ...

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 30 Dec 1999 11:14:21 -0400 (AST)
Subject: more problems with solaris 7?

configure appears to be setting things right:

    dragon:/var/src/openssh-1.2.1pre23> grep INTXX config.h
    #define HAVE_INTXX_T 1
    /* #undef HAVE_U_INTXX_T */
    #define HAVE_UINTXX_T 1

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"

---------- Forwarded message ----------
Date: Thu, 30 Dec 1999 11:10:42 -0400 (AST)
From: Super User
To: marc at acadiau.ca
Subject: openssh

gcc -g -O2 -Wall -I/usr/slocal/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/slocal/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/slocal/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c atomicio.c -o atomicio.o
In file included from config.h:289,
                 from includes.h:22,
                 from atomicio.c:26:
defines.h:102: conflicting types for `quad_t'
/usr/include/sys/types.h:531: previous declaration of `quad_t'
In file included from config.h:289,
                 from bsd-misc.h:39,
                 from includes.h:91,
                 from atomicio.c:26:
defines.h:73: redefinition of `u_int16_t'
defines.h:73: `u_int16_t' previously declared here
defines.h:74: redefinition of `u_int32_t'
defines.h:74: `u_int32_t' previously declared here
defines.h:75: redefinition of `u_int64_t'
defines.h:75: `u_int64_t' previously declared here
defines.h:102: redefinition of `quad_t'
defines.h:102: `quad_t' previously declared here
In file included from config.h:289,
                 from bsd-strlcpy.h:4,
                 from includes.h:92,
                 from atomicio.c:26:
defines.h:73: redefinition of `u_int16_t'
defines.h:73: `u_int16_t' previously declared here
defines.h:74: redefinition of `u_int32_t'
defines.h:74: `u_int32_t' previously declared here
defines.h:75: redefinition of `u_int64_t'
defines.h:75: `u_int64_t' previously declared here
defines.h:102: redefinition of `quad_t'
defines.h:102: `quad_t' previously declared here
In file included from config.h:289,
                 from bsd-strlcat.h:4,
                 from includes.h:93,
                 from atomicio.c:26:
defines.h:73: redefinition of `u_int16_t'
defines.h:73: `u_int16_t' previously declared here
defines.h:74: redefinition of `u_int32_t'
defines.h:74: `u_int32_t' previously declared here
defines.h:75: redefinition of `u_int64_t'
defines.h:75: `u_int64_t' previously declared here
defines.h:102: redefinition of `quad_t'
defines.h:102: `quad_t' previously declared here
In file included from config.h:289,
                 from bsd-mktemp.h:4,
                 from includes.h:94,
                 from atomicio.c:26:
defines.h:73: redefinition of `u_int16_t'
defines.h:73: `u_int16_t' previously declared here
defines.h:74: redefinition of `u_int32_t'
defines.h:74: `u_int32_t' previously declared here
defines.h:75: redefinition of `u_int64_t'
defines.h:75: `u_int64_t' previously declared here
defines.h:102: redefinition of `quad_t'
defines.h:102: `quad_t' previously declared here
In file included from config.h:289,
                 from bsd-snprintf.h:4,
                 from includes.h:95,
                 from atomicio.c:26:
defines.h:73: redefinition of `u_int16_t'
defines.h:73: `u_int16_t' previously declared here
defines.h:74: redefinition of `u_int32_t'
defines.h:74: `u_int32_t' previously declared here
defines.h:75: redefinition of `u_int64_t'
defines.h:75: `u_int64_t' previously declared here
defines.h:102: redefinition of `quad_t'
defines.h:102: `quad_t' previously declared here
In file included from config.h:289,
                 from bsd-daemon.h:4,
                 from includes.h:96,
                 from atomicio.c:26:
defines.h:73: redefinition of `u_int16_t'
defines.h:73: `u_int16_t' previously declared here
defines.h:74: redefinition of `u_int32_t'
defines.h:74: `u_int32_t' previously declared here
defines.h:75: redefinition of `u_int64_t'
defines.h:75: `u_int64_t' previously declared here
defines.h:102: redefinition of `quad_t'
defines.h:102: `quad_t' previously declared here
In file included from config.h:289,
                 from bsd-login.h:4,
                 from includes.h:97,
                 from atomicio.c:26:
defines.h:73: redefinition of `u_int16_t'
defines.h:73: `u_int16_t' previously declared here
defines.h:74: redefinition of `u_int32_t'
defines.h:74: `u_int32_t' previously declared here
defines.h:75: redefinition of `u_int64_t'
defines.h:75: `u_int64_t' previously declared here
defines.h:102: redefinition of `quad_t'
defines.h:102: `quad_t' previously declared here
In file included from config.h:289,
                 from rsa.h:21,
                 from ssh.h:27,
                 from atomicio.c:30:
defines.h:73: redefinition of `u_int16_t'
defines.h:73: `u_int16_t' previously declared here
defines.h:74: redefinition of `u_int32_t'
defines.h:74: `u_int32_t' previously declared here
defines.h:75: redefinition of `u_int64_t'
defines.h:75: `u_int64_t' previously declared here
defines.h:102: redefinition of `quad_t'
defines.h:102: `quad_t' previously declared here
In file included from config.h:289,
                 from cipher.h:19,
                 from ssh.h:28,
                 from atomicio.c:30:
defines.h:73: redefinition of `u_int16_t'
defines.h:73: `u_int16_t' previously declared here
defines.h:74: redefinition of `u_int32_t'
defines.h:74: `u_int32_t' previously declared here
defines.h:75: redefinition of `u_int64_t'
defines.h:75: `u_int64_t' previously declared here
defines.h:102: redefinition of `quad_t'
defines.h:102: `quad_t' previously declared here
make: *** [atomicio.o] Error 1

From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 30 Dec 1999 11:24:10 -0400 (AST)
Subject: quad_t: incompatible types in config.log:

configure:2050: checking for quad_t
configure:2059: gcc -c -g -O2 -Wall -I/usr/slocal/include conftest.c 1>&5
configure: In function `main':
configure:2055: incompatible types in assignment
configure: failed program was:
#line 2052 "configure"
#include "confdefs.h"
#include 
int main() {
quad_t a; a = 1235;
; return 0; }

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Thu, 30 Dec 1999 10:35:00 -0500
Subject: quad_t: incompatible types in config.log:
In-Reply-To: ; from Marc G. Fournier on Thu, Dec 30, 1999 at 11:24:10AM -0400
Message-ID: <19991230103500.B19709@rumpole.bohemians.lexington.ky.us>

On Thu, Dec 30, 1999 at 11:24:10AM -0400, Marc G. Fournier wrote:

> configure:2050: checking for quad_t
> configure:2059: gcc -c -g -O2 -Wall -I/usr/slocal/include conftest.c 1>&5
> configure: In function `main':
> configure:2055: incompatible types in assignment
> configure: failed program was:
> #line 2052 "configure"
> #include "confdefs.h"
> #include 
> int main() {
> quad_t a; a = 1235;
> ; return 0; }

Does this help anything? (I'd recommend using autoconf if at all possible,
but if you can't, try the configure patch.)

David

--- configure.in.orig Thu Dec 30 10:29:52 1999 +++ configure.in Thu Dec 30 10:30:29 1999 @@ -141,7 +141,7 @@ AC_MSG_CHECKING([for quad_t]) AC_TRY_COMPILE( [#include ], - [quad_t a; a = 1235;], + [quad_t a; a = (quad_t) 1235;], [ AC_DEFINE(HAVE_QUAD_T) AC_MSG_RESULT(yes) --- configure.orig Thu Dec 30 10:32:55 1999 +++ configure Thu Dec 30 09:20:47 1999 @@ -2052,7 +2052,7 @@ #include "confdefs.h" #include int main() { -quad_t a; a = 1235; +quad_t a; a = (quad_t) 1235; ; return 0; } EOF if { (eval echo configure:2059: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then
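Review bot: The `(quad_t) 1235` cast in the configure.in hunk does not make the probe more robust: if quad_t is an integer type the plain assignment already compiles, and if it is not an arithmetic type (Solaris 7's quad_t turns out to be a struct later in this thread) the cast is rejected with "conversion to non-scalar type requested", so the check still reports no. A probe that tells the two cases apart, or dropping the check if quad_t is unused, would be the real fix.

Review bot: The second hunk edits the generated `configure` directly, so it is lost on the next autoconf run; keep the change in configure.in and regenerate, treating the hand edit as a stop-gap for people who cannot run autoconf, as the message itself says.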
From: Darren_Hall at progressive.com (Darren_Hall at progressive.com)
Date: Thu, 30 Dec 1999 10:57:55 -0500
Subject: ANNOUNCE: openssh-1.2.1pre23
Message-ID: <85256857.005776E0.00@s65a0384.prci.com>

    AC_MSG_CHECKING([For socklen_t])
    AC_TRY_COMPILE(
        [#include ],
        [#include ],
        [socklen_t foo; foo = 1235;],
        [
            AC_DEFINE(HAVE_SOCKLEN_T)
            AC_MSG_RESULT(yes)
        ],
        [AC_MSG_RESULT(no)]
    )

This'll need to be changed to

    [
    #include 
    #include 
    ]

My mistake on wrong number of args for the AC_TRY_COMPILE function. The same
for the size_t.

openssh-1.2.1pre23 is available on:
http://violet.ibs.com.au/openssh/files/

From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 30 Dec 1999 13:20:28 -0400 (AST)
Subject: quad_t: incompatible types in config.log:
In-Reply-To: <19991230103500.B19709@rumpole.bohemians.lexington.ky.us>

Nope, produces the following instead:

configure:2050: checking for quad_t
configure:2059: gcc -c -g -O2 -Wall -I/usr/slocal/include conftest.c 1>&5
configure: In function `main':
configure:2055: conversion to non-scalar type requested
configure: failed program was:
#line 2052 "configure"
#include "confdefs.h"
#include 
int main() {
quad_t a; a = (quad_t) 1235;
; return 0; }

On Thu, 30 Dec 1999, David Rankin wrote:

> On Thu, Dec 30, 1999 at 11:24:10AM -0400, Marc G. Fournier wrote:
>
> > configure:2050: checking for quad_t
> > configure:2059: gcc -c -g -O2 -Wall -I/usr/slocal/include conftest.c 1>&5
> > configure: In function `main':
> > configure:2055: incompatible types in assignment
> > configure: failed program was:
> > #line 2052 "configure"
> > #include "confdefs.h"
> > #include 
> > int main() {
> > quad_t a; a = 1235;
> > ; return 0; }
>
> Does this help anything? (I'd recommend using autoconf if at all possible,
> but if you can't, try the configure patch.)
>
> David
>
> --- configure.in.orig Thu Dec 30 10:29:52 1999 > +++ configure.in Thu Dec 30 10:30:29 1999 > @@ -141,7 +141,7 @@ > AC_MSG_CHECKING([for quad_t]) > AC_TRY_COMPILE( > [#include ], > - [quad_t a; a = 1235;], > + [quad_t a; a = (quad_t) 1235;], > [ > AC_DEFINE(HAVE_QUAD_T) > AC_MSG_RESULT(yes) > --- configure.orig Thu Dec 30 10:32:55 1999 > +++ configure Thu Dec 30 09:20:47 1999 > @@ -2052,7 +2052,7 @@ > #include "confdefs.h" > #include > int main() { > -quad_t a; a = 1235; > +quad_t a; a = (quad_t) 1235; > ; return 0; } > EOF > if { (eval echo configure:2059: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then >

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Thu, 30 Dec 1999 13:23:01 -0500
Subject: quad_t: incompatible types in config.log:
In-Reply-To: ; from Marc G. Fournier on Thu, Dec 30, 1999 at 01:20:28PM -0400
References: <19991230103500.B19709@rumpole.bohemians.lexington.ky.us>
Message-ID: <19991230132300.A21656@rumpole.bohemians.lexington.ky.us>

On Thu, Dec 30, 1999 at 01:20:28PM -0400, Marc G. Fournier wrote:

> Nope, produces the following instead:
>
> configure:2050: checking for quad_t
> configure:2059: gcc -c -g -O2 -Wall -I/usr/slocal/include conftest.c 1>&5
> configure: In function `main':
> configure:2055: conversion to non-scalar type requested
> configure: failed program was:
> #line 2052 "configure"
> #include "confdefs.h"
> #include 
> int main() {
> quad_t a; a = (quad_t) 1235;
> ; return 0; }
>

Why don't you send out the line in /usr/include/sys/types that defines
quad_t? I'm beginning to suspect that Solaris 7 (I can only access 2.6) is
using quad_t as something != int64_t or long long int.

Thanks,
David

-- 
David W. Rankin, Jr.      Husband, Father, and UNIX Sysadmin.
Email: drankin at bohemians.lexington.ky.us    Address/Phone Number: Ask me.
"It is no great thing to be humble when you are brought low; but to be humble
when you are praised is a great and rare accomplishment." St. Bernard
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Thu, 30 Dec 1999 15:12:18 -0400 (AST)
Subject: quad_t: incompatible types in config.log:
In-Reply-To: <19991230132300.A21656@rumpole.bohemians.lexington.ky.us>

dragon:/var/patches/OpenWindows_3.6.1_x86> grep quad_t /usr/include/sys/types.h
typedef struct _quad { int val[2]; } quad_t; /* used by UFS */
typedef quad_t quad; /* used by UFS */

On Thu, 30 Dec 1999, David Rankin wrote:

> On Thu, Dec 30, 1999 at 01:20:28PM -0400, Marc G. Fournier wrote:
>
> > Nope, produces the following instead:
> >
> > configure:2050: checking for quad_t
> > configure:2059: gcc -c -g -O2 -Wall -I/usr/slocal/include conftest.c 1>&5
> > configure: In function `main':
> > configure:2055: conversion to non-scalar type requested
> > configure: failed program was:
> > #line 2052 "configure"
> > #include "confdefs.h"
> > #include 
> > int main() {
> > quad_t a; a = (quad_t) 1235;
> > ; return 0; }
> >
>
> Why don't you send out the line in /usr/include/sys/types that defines
> quad_t? I'm beginning to suspect that Solaris 7 (I can only access 2.6)
> is using quad_t as something != int64_t or long long int.
>
> Thanks,
> David
>
> -- 
> David W. Rankin, Jr.      Husband, Father, and UNIX Sysadmin.
> Email: drankin at bohemians.lexington.ky.us    Address/Phone Number: Ask me.
> "It is no great thing to be humble when you are brought low; but to be humble
> when you are praised is a great and rare accomplishment." St. Bernard
>

Marc G. Fournier                   marc.fournier at acadiau.ca
Senior Systems Administrator       Acadia University
"These are my opinions, which are not necessarily shared by my employer"
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Thu, 30 Dec 1999 14:58:34 -0500
Subject: quad_t: incompatible types in config.log:
In-Reply-To: ; from Marc G. Fournier on Thu, Dec 30, 1999 at 03:12:18PM -0400
References: <19991230132300.A21656@rumpole.bohemians.lexington.ky.us>
Message-ID: <19991230145833.A22120@rumpole.bohemians.lexington.ky.us>

On Thu, Dec 30, 1999 at 03:12:18PM -0400, Marc G. Fournier wrote:

> dragon:/var/patches/OpenWindows_3.6.1_x86> grep quad_t /usr/include/sys/types.h
> typedef struct _quad { int val[2]; } quad_t; /* used by UFS */
> typedef quad_t quad; /* used by UFS */

I was afraid of something like this. I did a grep of the entire source code,
and I didn't notice a single place quad_t was used within OpenSSH itself. Is
there a reason why it's being checked? If not, then perhaps the best "fix" is
to just comment this out.

If a quad_t check is necessary, this configure.in patch might help. If we
eventually need to tell the difference between Solaris' quad_t and the int64_t
equivalent, do it here.

Thanks,
David

--- configure.in.orig Thu Dec 30 14:50:11 1999 +++ configure.in Thu Dec 30 14:52:08 1999 @@ -149,6 +149,18 @@ [AC_MSG_RESULT(no)] ) +dnl XXX on Solaris 7 at least, quad_t is actually a struct. +AC_MSG_CHECKING([for quad_t Solaris 7 style]) +AC_TRY_COMPILE( + [#include ], + [quad_t a; a.val[0] = 1235;], + [ + AC_DEFINE(HAVE_QUAD_T) + AC_MSG_RESULT(yes) + ], + [AC_MSG_RESULT(no)] +) + AC_MSG_CHECKING([for intXX_t types]) AC_TRY_COMPILE( [#include ],
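Review bot: Defining HAVE_QUAD_T when `a.val[0] = 1235` compiles hides the problem rather than solving it: the struct quad_t from the system header then satisfies the `#ifndef HAVE_QUAD_T` guard in defines.h, so any code expecting quad_t to be a 64-bit integer would get a two-int struct with no arithmetic. Given that the grep in the message found no use of quad_t in OpenSSH, removing the check and the typedef is the cleaner fix; if a probe must stay, give this one a distinct macro (say a placeholder such as HAVE_STRUCT_QUAD_T) so the two outcomes remain distinguishable.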
From: damien at ibs.com.au (Damien Miller)
Date: Fri, 31 Dec 1999 09:18:37 +1100
Subject: more problems with solaris 7?
Message-ID: <386BDA3D.81113F84@ibs.com.au>

"Marc G. Fournier" wrote:
>
> configure appears to be setting things right:
>
> dragon:/var/src/openssh-1.2.1pre23> grep INTXX config.h
> #define HAVE_INTXX_T 1
> /* #undef HAVE_U_INTXX_T */
> #define HAVE_UINTXX_T 1

I have found one bug, patch attached. This is curious though:

> defines.h:102: conflicting types for `quad_t'
> /usr/include/sys/types.h:531: previous declaration of `quad_t'
> In file included from config.h:289,
>                  from bsd-misc.h:39,
>                  from includes.h:91,
>                  from atomicio.c:26:

Does ./configure detect whether you have quad_t? It seems to be attempting to
define it even though your system headers already have it.

Regards,
Damien

-------------- next part --------------
Index: defines.h =================================================================== RCS file: /var/cvs/openssh/defines.h,v retrieving revision 1.5 diff -u -r1.5 defines.h --- defines.h 1999/12/30 04:08:44 1.5 +++ defines.h 1999/12/30 22:11:34 @@ -61,6 +61,7 @@ # else # if (SIZEOF_LONG_LONG_INT == 8) typedef long long int int64_t; +# define HAVE_INTXX_T # else # error "64 bit int type not found." # endif @@ -89,6 +90,7 @@ # else # if (SIZEOF_LONG_LONG_INT == 8) typedef unsigned long long int u_int64_t; +# define HAVE_U_INTXX_T # else # error "64 bit int type not found." # endif @@ -100,14 +102,17 @@ /* being defined by the above */ #ifndef HAVE_QUAD_T typedef int64_t quad_t; +# define HAVE_QUAD_T #endif #ifndef HAVE_SOCKLEN_T typedef unsigned int socklen_t; +# define HAVE_SOCKLEN_T #endif /* HAVE_SOCKLEN_T */ #ifndef HAVE_SIZE_T typedef unsigned int size_t; +# define HAVE_SIZE_T #endif /* HAVE_SIZE_T */ /* Paths */
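Review bot: All three hunks work around defines.h being pulled in from config.h (config.h:289 in the build log) once per header by turning each HAVE_* macro into a per-typedef include guard. A single guard around the whole of defines.h (`#ifndef DEFINES_H_` / `#define DEFINES_H_` at the top, `#endif` at the bottom) fixes the redefinition for every typedef at once, including ones added later, and avoids leaving a HAVE_* macro defined with a meaning configure never established.

Review bot: In the third hunk, `# define HAVE_QUAD_T` after `typedef int64_t quad_t;` does nothing for the Solaris 7 case in this thread: sys/types.h already declares quad_t as a struct, so the very first inclusion of defines.h still conflicts; that needs the configure probe fixed or the quad_t typedef dropped. The neighbouring fallback `typedef unsigned int size_t;` is also only correct where size_t is 32 bits wide, so a sizeof-based check would be safer than assuming int.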
From: damien at ibs.com.au (Damien Miller)
Date: Fri, 31 Dec 1999 09:20:31 +1100
Subject: quad_t: incompatible types in config.log:
Message-ID: <386BDAAF.D0DDDBB4@ibs.com.au>

"Marc G. Fournier" wrote:
>
> configure:2050: checking for quad_t
> configure:2059: gcc -c -g -O2 -Wall -I/usr/slocal/include conftest.c 1>&5
> configure: In function `main':
> configure:2055: incompatible types in assignment
> configure: failed program was:
> #line 2052 "configure"
> #include "confdefs.h"
> #include 
> int main() {
> quad_t a; a = 1235;
> ; return 0; }

How is quad_t defined in sys/types.h?

Regards,
Damien

From: djm at mindrot.org (Damien Miller)
Date: Fri, 31 Dec 1999 09:39:56 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.1pre23

On Thu, 30 Dec 1999, Marc Haber wrote:

> On Thu, 30 Dec 1999 17:01:39 +1100 (EST), you wrote:
> >- Fixed broken --wth-default-path option
>
> Nope, any path given to --with-default-path still doesn't find its way
> into any header files.

My stupid. Jim Knoble has sent me a fix which will make it into the release
later today.

Regards,
Damien Miller

-- 
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
From: djm at mindrot.org (Damien Miller)
Date: Fri, 31 Dec 1999 09:42:24 +1100 (EST)
Subject: TCP port forwarding troubles?
In-Reply-To: <199912301022.CAA10614@homer.ka9q.ampr.org>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 30 Dec 1999, Phil Karn wrote:

> Has anyone heavily exercised the TCP connection forwarding features
> in openssh?

No. I have performed casual testing with telnet and forwards to SMTP and pop ports, but nothing high traffic.

> I use this feature quite extensively for secure web surfing. I run
> a ssh command like this:
>
> ssh -c blowfish -L3128:127.0.0.1:3128 squidmachine

I might give this a go myself.

Thanks,
Damien Miller

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4a9/TormJ9RG1dI8RAt8CAJ9fQUpxTutpbyp+agUAykbNXNsBnQCfbIPQ
u46ip9uH08I3M4ZkCPygEns=
=CyuO
-----END PGP SIGNATURE-----

From djm at mindrot.org Fri Dec 31 09:45:51 1999
From: djm at mindrot.org (Damien Miller)
Date: Fri, 31 Dec 1999 09:45:51 +1100 (EST)
Subject: quad_t: incompatible types in config.log:
In-Reply-To: <19991230145833.A22120@rumpole.bohemians.lexington.ky.us>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 30 Dec 1999, David Rankin wrote:

> I was afraid of something like this. I did a grep of the entire source
> code, and I didn't notice a single place quad_t was used within OpenSSH
> itself. Is there a reason why it's being checked? If not, then perhaps
> the best "fix" is to just comment this out.

You are correct. quad_t was used in the past for something in scp (don't remember what), but is no longer. I have removed the test and the typedef.

Regards,
Damien

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4a+CiormJ9RG1dI8RApewAKDQMv4Kie6GDXMkOe6sFA3EHHtKkACfY9In
dM9yd4ih2IdjJ9nD6Y6VoyM=
=R5vL
-----END PGP SIGNATURE-----

From djm at mindrot.org Fri Dec 31 10:46:34 1999
From: djm at mindrot.org (Damien Miller)
Date: Fri, 31 Dec 1999 10:46:34 +1100 (EST)
Subject: ANNOUNCE: openssh-1.2.1pre24
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

openssh-1.2.1pre24 is being uploaded to:

http://violet.ibs.com.au/openssh/files/

This release fixes the silly bugs (almost all autoconf related) that crept into yesterday's release.

19991231
 - Fix password support on systems with a mixture of shadowed and non-shadowed passwords (e.g. NIS). Report and fix from HARUYAMA Seigo
 - Fix broken autoconf typedef detection. Report from Marc G. Fournier
 - Fix occasional crash on LinuxPPC. Patch from Franz Sirl
 - Prevent typedefs from being compiled more than once. Report from Marc G. Fournier
 - Fill in ut_utaddr utmp field. Report from Benjamin Charron
 - Really fix broken default path. Fix from Jim Knoble
 - Remove test for quad_t. No longer needed.

Regards,
Damien

- --
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE4a+7dormJ9RG1dI8RAtPVAJ9eei2hVKSrLRhk5tDNjI6sIn/ybQCeNhBr
INmewdyMfjU0SV6xlVqb34M=
=6Bj8
-----END PGP SIGNATURE-----

From damien at ibs.com.au Fri Dec 31 14:15:06 1999
From: damien at ibs.com.au (Damien Miller)
Date: Fri, 31 Dec 1999 14:15:06 +1100
Subject: [Fwd: ssh build on Solaris]
Message-ID: <386C1FBA.3A8FF21F@ibs.com.au>

Can anyone replicate this?

-------------- next part --------------
An embedded message was scrubbed...
From: Greg Steuck
Subject: ssh build on Solaris
Date: Wed, 29 Dec 1999 14:56:39 -0800 (PST)
Size: 2552
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/19991231/40007e2d/attachment.mht

From bent at clark.net Fri Dec 31 15:08:24 1999
From: bent at clark.net (Ben Taylor)
Date: Thu, 30 Dec 1999 23:08:24 -0500 (EST)
Subject: ANNOUNCE: openssh-1.2.1pre24
In-Reply-To:
Message-ID:

This is a patch to avoid the redefinition of the uintxx_t structures.

Ben

--- defines.h.ORIG	Thu Dec 30 23:05:41 1999
+++ defines.h	Thu Dec 30 23:06:35 1999
@@ -61,7 +61,7 @@
 # else
 # if (SIZEOF_LONG_LONG_INT == 8)
 typedef long long int int64_t;
-# define HAVE_INTXX_T
+# define HAVE_INTXX_T 1
 # else
 # error "64 bit int type not found."
 # endif
@@ -74,6 +74,7 @@
 typedef uint16_t u_int16_t;
 typedef uint32_t u_int32_t;
 typedef uint64_t u_int64_t;
+# define HAVE_U_INTXX_T 1
 # else
 # if (SIZEOF_SHORT_INT == 2)
 typedef unsigned short int u_int16_t;

From bent at clark.net Fri Dec 31 15:18:03 1999
From: bent at clark.net (Ben Taylor)
Date: Thu, 30 Dec 1999 23:18:03 -0500 (EST)
Subject: [Fwd: ssh build on Solaris]
In-Reply-To: <386C1FBA.3A8FF21F@ibs.com.au>
Message-ID:

On Fri, 31 Dec 1999, Damien Miller wrote:

> Can anyone replicate this?

Try the pre24, it works correctly.

Ben
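Review bot: on Ben Taylor's defines.h patch above, the second hunk adds `# define HAVE_U_INTXX_T 1` only in the branch that typedefs u_intXX_t from the system uintXX_t types; the parallel fallback branch that typedefs `u_int64_t` from `unsigned long long int` (where Damien's earlier patch in this thread added a valueless `# define HAVE_U_INTXX_T`) is not touched, so that path still defines the macro without the `1` that the first hunk gives HAVE_INTXX_T. Apply the same `1` there so both macros test the same way with `#if`. Giving the macros the value `1` in the first hunk is the right call, since it matches the `#define HAVE_INTXX_T 1` that configure writes into config.h, as quoted earlier in the thread.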