From hume at Den.BOFH.Halifax.NS.Ca Thu Jun 1 00:25:23 2000
From: hume at Den.BOFH.Halifax.NS.Ca (Brandon Hume)
Date: Wed, 31 May 2000 11:25:23 -0300 (ADT)
Subject: Solaris utmp problems
In-Reply-To: from Damien Miller at "May 31, 2000 2: 6:59 pm"
Message-ID: <200005311425.LAA23888@Den.BOFH.Halifax.NS.Ca>

> The login code is heaps cleaner now.

The prototype for login() in bsd-login.h and the actual declaration don't appear to agree:

.h contains:

# if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
# include
void login(struct utmp *utp, struct utmpx *utx);
# else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
void login(struct utmp *utp);
# endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */

While .c has:

#if defined(HAVE_UTMPX_H) && defined(USE_UTMPX)
void login(struct utmpx *utx)
#else /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */
void login(struct utmp *utp)
#endif /* defined(HAVE_UTMPX_H) && defined(USE_UTMPX) */

And... just as a note... the code for dealing with utmpx and utmp in bsd-login seems almost like two separate functions interleaved with #ifdefs. Might it be useful to separate them out as two functions chosen with fewer #ifs?

--
Brandon Hume - hume -> BOFH.Halifax.NS.Ca, http://WWW.BOFH.Halifax.NS.Ca/
-> Solaris Snob and general NOCMonkey

From eli7 at horizonlive.com Thu Jun 1 02:45:29 2000
From: eli7 at horizonlive.com (Elisheva Alexander)
Date: Wed, 31 May 2000 12:45:29 -0400 (EDT)
Subject: X11 forwarding again
Message-ID:

I am using the openssh-2.1.0p3-1 RPM, but I seem to have a similar problem. The debug doesn't say anything about "X11 connection uses different authentication protocol." It just kicks me out. I can't figure it out. Very strange.

Please CC me, because I am not subscribed.

Thanks,

e:~> echo $XAUTHORITY
XAUTHORITY: Undefined variable.
e:~> xauth list
e.slim.horizonlive.com:0  MIT-MAGIC-COOKIE-1  465b795e7662322c632d3c3b50320f72
e.slim.horizonlive.com/unix:0  MIT-MAGIC-COOKIE-1  465b795e7662322c632d3c3b50320f72
localhost.localdomain:0  MIT-MAGIC-COOKIE-1  300d124b7c171f2364335b2478161970
e:~> ssh -v f1
SSH Version OpenSSH-2.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 50124 geteuid 0 anon 0
debug: Connecting to f1.slim.horizonlive.com [10.23.0.3] port 22.
debug: Seeding random number generator
debug: Allocated local port 707.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH-2.1
debug: Local version string SSH-1.5-OpenSSH-2.1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'f1.slim.horizonlive.com' is known and matches the RSA host key.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication via agent with 'eli7 at e.horizonlive.com'
debug: Received RSA challenge from server.
debug: Sending response to RSA challenge.
debug: Remote: RSA authentication accepted.
debug: RSA authentication accepted by server.
debug: Requesting pty.
debug: Requesting X11 forwarding with authentication spoofing.
debug: Requesting shell.
debug: Entering interactive session.
Last login: Wed May 31 12:25:30 2000 from e.slim.horizonlive.com
f1:~> echo $XAUTHORITY
/tmp/ssh-xFeD1762/cookies
f1:~> xauth list
f1.slim.horizonlive.com:11  MIT-MAGIC-COOKIE-1  1d8deced6f3430e253b39313c8d3afef
f1.slim.horizonlive.com/unix:11  MIT-MAGIC-COOKIE-1  1d8deced6f3430e253b39313c8d3afef
f1:~> xterm
Connection to f1.slim.horizonlive.com closed by remote host.
Connection to f1.slim.horizonlive.com closed.
debug: Transferred: stdin 28, stdout 1176, stderr 109 bytes in 15.3 seconds
debug: Bytes per second: stdin 1.8, stdout 77.0, stderr 7.1
debug: Exit status -1
e:~>

From h at kondara.org Thu Jun 1 04:07:24 2000
From: h at kondara.org (Hidetomo Hosono)
Date: Thu, 01 Jun 2000 03:07:24 +0900
Subject: gnome-ssh-askpass patch
Message-ID: <20000601030724I.h@kondara.org>

Hello, everyone.

I am Hidetomo Hosono, a member of Kondara Project.
## Kondara Project is an RPM-based Linux distribution development
## project from Japan.
## See if you want to know about us: http://www.kondara.org/

Thank you for your OpenSSH. I am enjoying using it.

But I couldn't use it with gnome-ssh-askpass on Kondara MNU/Linux 1.1 (includes linux-2.2.15 + our extensions, XFree86-3.3.6 and gnome-libs-1.0.61). When I executed gnome-ssh-askpass, it stops before the buttons are shown. So I read the source and I have found how to fix it. Then I send it.

Thank you for reading.

----
Kondara Project, GNOME Guys A-team: Hidetomo -Hakondara- Hosono
[GnuPG] F263 A53C 1E2D FF0A A08B B913 0CA7 EAA1 7ECE CEDB
http://www.kondara.org/

-------------- next part --------------
--- contrib/gnome-ssh-askpass.c.original Wed Mar 15 10:13:03 2000
+++ contrib/gnome-ssh-askpass.c Mon May 29 00:46:59 2000
@@ -79,7 +79,7 @@ gtk_widget_show_all(dialog); /* Grab focus */ - XGrabServer(GDK_DISPLAY()); + /* XGrabServer(GDK_DISPLAY()); */ gdk_pointer_grab(dialog->window, TRUE, 0, NULL, NULL, GDK_CURRENT_TIME); gdk_keyboard_grab(dialog->window, FALSE, GDK_CURRENT_TIME); @@ -90,7 +90,7 @@ result = gnome_dialog_run(GNOME_DIALOG(dialog)); /* Ungrab */ - XUngrabServer(GDK_DISPLAY()); + /* XUngrabServer(GDK_DISPLAY()); */ gdk_pointer_ungrab(GDK_CURRENT_TIME); gdk_keyboard_ungrab(GDK_CURRENT_TIME); gdk_flush(); @@ -119,9 +119,9 @@ gnome_init("GNOME ssh-askpass", "0.1", argc, argv); - if (argc == 2) + /* if (argc == 2) message = argv[1]; - else + else */ message = "Enter your OpenSSH passphrase:"; if (passphrase_dialog(&passphrase, message)) From tbert at abac.com Thu Jun 1 04:37:45 2000 From: tbert at abac.com (Tom Bertelson) Date: Wed, 31 May 2000 14:37:45 -0400 Subject: Solaris utmp problems References: Message-ID: <39355BF9.E81855AD@abac.com> Damien Miller wrote: > > Could all those who were having problems with utmp logging on Solaris > please try the test release at: > > http://violet.ibs.com.au/openssh/files/test/openssh-TEST-2000053100.tar.gz > > Users on other platforms, particularly HP/UX, AIX and SCO are invited > as well, to test compatibility. On AIX, utmp is updated correctly, but not wtmp. If config.h contains #define HAVE_PUTUTXLINE #undef HAVE_UPDWTMPX or #define HAVE_PUTUTLINE #undef HAVE_UPDWTMP no code is created in bsd-login.c to update wtmp. If anyone knows the correct way to update wtmp using putut{,x}line I'll be happy to patch and test it. In the meantime I'll do a little experimenting... Oh, and line 128 of bsd-login.c should probably read "# if defined(HAVE_UPDWTMP)" -- Tom Bertelson "Any sufficiently advanced technology RHI Consulting is indistinguishable from magic." tbert at abac.com -- Arthur C. Clarke From nalin at redhat.com Thu Jun 1 05:06:37 2000 
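Review bot: in the third hunk (@@ -119) of the gnome-ssh-askpass.c patch above, commenting out the `if (argc == 2) message = argv[1];` branch discards the prompt text the caller passes in, so every invocation now shows the fixed "Enter your OpenSSH passphrase:" string; that is unrelated to the hang described in the cover note and should be dropped from the fix. In the first two hunks, commenting out `XGrabServer(GDK_DISPLAY())` and `XUngrabServer(GDK_DISPLAY())` removes the server grab that keeps other X clients from interacting with the display while the passphrase is typed, leaving only the pointer and keyboard grabs; if the server grab is what stalls on this GTK/GNOME combination, a comment saying so (or a build-time or run-time switch) is preferable to silently weakening the dialog for every platform.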
From: nalin at redhat.com (Nalin Dahyabhai) Date: Wed, 31 May 2000 15:06:37 -0400 Subject: openssh 2.1.0p3 w/ rsaref Message-ID: <20000531150637.C19182@devserv.devel.redhat.com> Looks like the fixes to use OpenSSL with RSAnull break it for rsaref. I've attached a patch that fixes it for me. Cheers, Nalin -------------- next part -------------- --- openssh-2.1.0p3/configure.in Wed May 31 08:56:52 2000 +++ openssh-2.1.0p3/configure.in Wed May 31 09:03:49 2000 @@ -231,7 +231,27 @@ [ found_crypto=1 break; - ], [] + ], + [ + LIBS="$saved_LIBS -lcrypto -lRSAglue -lrsaref" + AC_TRY_RUN( + [ + #include + #include + int main(void) + { + char a[2048]; + memset(a, 0, sizeof(a)); + RAND_add(a, sizeof(a), sizeof(a)); + return(RAND_status() <= 0); + } + ], + [ + found_crypto=1 + break; + ] + ) + ] ) if test ! -z "$found_crypto" ; then From chip at princetonecom.com Thu Jun 1 06:45:12 2000 From: chip at princetonecom.com (Chip Christian) Date: Wed, 31 May 2000 16:45:12 -0400 Subject: grace logins on solaris In-Reply-To: Message from Damien Miller of "Wed, 31 May 2000 09:56:06 +1000." Message-ID: <20000531204512.4B2F7B47B@fleck.princetonecom.com> Now that do_pam_account() returns 1 when pam_acct_mgmt() returns PAM_NEW_AUTH_TOK_REQD, the message *is* properly displayed. So sorry to make you add the NEW_AUTHTOK_MSG crud. The patch does work fine, of course. djm at mindrot.org said: > That's a step in the right direction, sure. I'll test, but I assume > when > grace logins are exhausted, pam_acct_mgmt returns something else. > > Can this string (found from a -d invocation) also be displayed in this > case? > > debug: Adding PAM message: \ > Your password has expired and you have 4 grace login(s). > > At some point I might find the free time to craft up the code for the > other case... > Hmmm, that message should have been displayed. > Can you try this patch: From markus.friedl at informatik.uni-erlangen.de Thu Jun 1 06:52:34 2000 
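Review bot: in the configure.in hunk at @@ -231 of the patch above, the new fallback branch repeats the entire RAND_add()/RAND_status() test program from the branch before it; factoring the program text into a shell variable or a macro would stop the two checks drifting apart. The branch also sets `LIBS="$saved_LIBS -lcrypto -lRSAglue -lrsaref"` without first checking that libRSAglue and librsaref exist, so on a system without them the user sees the generic "found_crypto unset" failure rather than a message naming the missing libraries; an AC_CHECK_LIB on rsaref ahead of the AC_TRY_RUN would give a clearer diagnostic.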
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 31 May 2000 22:52:34 +0200
Subject: Solaris utmp problems
In-Reply-To: <200005311215.VAA00623@aohakobe.ipc.chiba-u.ac.jp>; from yozo@ipc.chiba-u.ac.jp on Wed, May 31, 2000 at 09:15:51PM +0900
References: <200005311215.VAA00623@aohakobe.ipc.chiba-u.ac.jp>
Message-ID: <20000531225234.A8264@folly.informatik.uni-erlangen.de>

On Wed, May 31, 2000 at 09:15:51PM +0900, Yozo TODA wrote:
> (3)
> when connecting to openssh hosts from ssh-2.0.12 hosts,
> publickey authentication doesn't work.
> openssh sshd writes the following message to syslog;
>
> May 31 18:21:52 host sshd[525]: [ID 800047 auth.info] bug compatibility with ssh-2.0.13 pubkey not implemented
>
> I suppose this part is not yet implemented...

these bugs from ssh-2.0.12 have been fixed in ssh.com's latest release.

From chip at princetonecom.com Thu Jun 1 07:56:05 2000
From: chip at princetonecom.com (Chip Christian)
Date: Wed, 31 May 2000 17:56:05 -0400
Subject: pam_chauthtok placement
Message-ID: <20000531215605.A6903B47B@fleck.princetonecom.com>

Can I ask for some advice as to where in the code would be the logical place to add code to ask a user to change his password? Presumably do_pam_account is the *wrong* place. Guess I should build a do_pam_password function, but who should be calling it?

From yozo at ipc.chiba-u.ac.jp Thu Jun 1 14:50:37 2000
From: yozo at ipc.chiba-u.ac.jp (Yozo TODA)
Date: Thu, 01 Jun 2000 13:50:37 +0900
Subject: Solaris utmp problems
In-Reply-To: Your message of "Wed, 31 May 2000 22:48:20 JST."
Message-ID: <200006010450.NAA09471@aohakobe.ipc.chiba-u.ac.jp>

> Can you send me the output of a ./configure run?

I used the script command to record the installation procedure. Please pick it up by ftp:

ftp://aohakobe.ipc.chiba-u.ac.jp/misc/docs/SECURITY/SecureShell/openssh/portable/log-openssh-TEST-2000053100-solaris8-sparc.tar.gz

Sorry for the long long URL. Well, the file log-openssh-TEST-2000053100-solaris8-sparc.tar.gz from the ftp server aohakobe.ipc.chiba-u.ac.jp, the directory /misc/docs/SECURITY/SecureShell/openssh/portable/.

-- yozo.

From jhuuskon at messi.uku.fi Thu Jun 1 16:56:40 2000
From: jhuuskon at messi.uku.fi (Jarno Huuskonen)
Date: Thu, 1 Jun 2000 09:56:40 +0300
Subject: pam_chauthtok placement
In-Reply-To: <20000531215605.A6903B47B@fleck.princetonecom.com>; from chip@princetonecom.com on Wed, May 31, 2000 at 05:56:05PM -0400
References: <20000531215605.A6903B47B@fleck.princetonecom.com>
Message-ID: <20000601095640.A36504@messi.uku.fi>

On Wed, May 31, Chip Christian wrote:
> Can I ask for some advice, as to where in the code would be the logical
> place to add code to ask a user to change his password? Presumably
> do_pam_account is the *wrong* place. Guess I should build a
> do_pam_password function, but who should be calling it?

I think it would be nice to have the ability to prompt for a new password even if you don't use PAM. So maybe it could be a more general function?

-Jarno

From douglas.manton at uk.ibm.com Sat Jun 3 00:48:11 2000
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com)
Date: Fri, 2 Jun 2000 15:48:11 +0100
Subject: scp creating root files
Message-ID: <802568F2.00516755.00@d06mta05.portsmouth.uk.ibm.com>

Folks,

I noticed that whenever I scp'ed a file to my test server (running OpenSSH 2.1.0p2, and then tested with p3) it was created owned by root.

/home/me $ ls -al .profile
-rwx------   1 me       group       1056 Jan 18  1999 .profile
/home/me $ scp .profile me at server:test
me at server's password:
.profile             100% |*********************************************************************************|   508       00:00
/home/me $ ls -al test
-rwx------   1 root     system      1056 Jun  2 15:37 test

This is the same whether I force protocol version 1.5 or 2. The same also occurs using DSA authentication. Can someone check to see if they can reproduce this?

The following appears in verbose output:

Sending file modes: C0700 508 .profile

The file mode is always correct but the user is always wrong (I don't allow direct root access to servers).

Any ideas?

--------------------------------------------------------
Doug Manton, AT&T EMEA Firewall and Security Solutions
douglas.manton at uk.ibm.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"

From pekkas at netcore.fi Sat Jun 3 01:07:43 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Fri, 2 Jun 2000 18:07:43 +0300 (EEST)
Subject: scp creating root files
In-Reply-To: <802568F2.00516755.00@d06mta05.portsmouth.uk.ibm.com>
Message-ID:

> Sending file modes: C0700 508 .profile
>
> The file mode is always correct but the user is always wrong (I don't
> allow direct root access to servers).

Is your UID the same on both

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi       not those you stumble over and fall"

From douglas.manton at uk.ibm.com Sat Jun 3 01:17:57 2000
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com)
Date: Fri, 2 Jun 2000 16:17:57 +0100
Subject: scp creating root files
Message-ID: <802568F2.00540C6F.00@d06mta05.portsmouth.uk.ibm.com>

> Is your UID the same on both

Yes and no. I repeated the test locally:

scp .profile me at lcoalhost:test

and get the same result.

--------------------------------------------------------
Doug Manton, AT&T EMEA Firewall and Security Solutions
douglas.manton at uk.ibm.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"

From lhecking at nmrc.ucc.ie Sat Jun 3 02:04:51 2000
From: lhecking at nmrc.ucc.ie (Lars Hecking)
Date: Fri, 2 Jun 2000 17:04:51 +0100
Subject: Solaris utmpx
Message-ID: <20000602170451.A26183@nmrc.ie>

Some people have reported utmpx corruption on Solaris. Is that fixed in p3?

| 20000530
|  - Fix buffer overrun in login.c for systems which use syslen in utmpx.
|    patch from YOSHIFUJI Hideaki

From naz at warkworth.net Sat Jun 3 02:07:04 2000
From: naz at warkworth.net (naz)
Date: Fri, 2 Jun 2000 17:07:04 +0100 (BST)
Subject: scp creating root files
In-Reply-To: <802568F2.00516755.00@d06mta05.portsmouth.uk.ibm.com>
Message-ID:

Is your scp, ssh, or sshd SUID root?

naz

From douglas.manton at uk.ibm.com Sat Jun 3 03:00:32 2000
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com)
Date: Fri, 2 Jun 2000 18:00:32 +0100
Subject: scp creating root files
Message-ID: <802568F2.005D70C6.00@d06mta05.portsmouth.uk.ibm.com>

> Is your scp, ssh, or sshd SUID root?

Nope. All mode 755.

I have noticed that all commands executed via ssh run as root.

ssh -l me localhost touch test
/home/me $ ls -l test
-rw-r--r--   1 root     system          0 Jun  2 17:18 test

I have also discovered that the problem goes away when UseLogin is set to "no"!

Changing line 834 in session.c to:

if (command != NULL || !options.use_login) {

solves the problem for me.

--------------------------------------------------------
Doug Manton, AT&T EMEA Firewall and Security Solutions
douglas.manton at uk.ibm.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"

From robert.a.wakehouse at intel.com Sat Jun 3 07:53:25 2000
From: robert.a.wakehouse at intel.com (Wakehouse, Robert A)
Date: Fri, 2 Jun 2000 14:53:25 -0700
Subject: scp creating root files
Message-ID:

I am attempting to build OpenSSH on AIX in an AFS environment. I've succeeded in building Zlib and OpenSSL, but OpenSSH insists that it needs krb.h, kafs.h, and perhaps libkrb. I have not found any of these on this AIX machine (nor on others I've checked). The INSTALL document seems to insist that the --with-kerberos4 option is required for AFS (as is --with-AFS, of course).

If someone can explain exactly what is necessary, and where to find it or how to obtain it, I would be most grateful.

Thanks!

Bob Wakehouse
Robert.A.Wakehouse at intel.com
503-696-6325
Beaverton, OR

From robert.a.wakehouse at intel.com Sat Jun 3 07:58:58 2000
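The invariant behind the UseLogin finding Doug reports above, as an added illustration that is not OpenSSH's session.c: a remote command must never execute with sshd's root credentials, whatever UseLogin says, and the privilege drop must be verified before exec. The function names, and the use of /bin/sh where sshd would run login(1), are my own.

```c
/*
 * Added illustration, not OpenSSH code. With UseLogin on, sshd hands an
 * interactive session to login(1), which switches uid itself. A remote
 * command never goes through login(1), so the session code has to drop
 * privileges itself on that path, or the command runs as root (the bug
 * reported above).
 */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Only an interactive session (no command) with UseLogin enabled is
 * handed to login(1). This is the condition from the posted fix with
 * its sense inverted.
 */
int uses_login_program(const char *command, int use_login)
{
	return command == NULL && use_login;
}

/* Return 1 iff every credential of this process is the expected one. */
int privileges_dropped(uid_t uid, gid_t gid)
{
	return getuid() == uid && geteuid() == uid &&
	    getgid() == gid && getegid() == gid;
}

/*
 * Permanently switch to the target user: supplementary groups and gid
 * first (they need root), uid last. Returns 0 on success, -1 with errno
 * set on failure; the caller must not exec after a failure.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
	if (geteuid() == 0 && setgroups(1, &gid) == -1)
		return -1;
	if (setgid(gid) == -1 || setuid(uid) == -1)
		return -1;
	/* Re-read the credentials rather than trusting the return values. */
	if (!privileges_dropped(uid, gid)) {
		errno = EPERM;
		return -1;
	}
	return 0;
}

/*
 * Run the session as the authenticated user. The privilege drop is
 * unconditional on every path that does not go through login(1); on
 * failure nothing is exec'd and -1 is returned.
 */
int exec_as_user(const char *command, int use_login, uid_t uid, gid_t gid)
{
	if (uses_login_program(command, use_login)) {
		/* Real sshd would exec login(1) here and let it switch uid. */
		execl("/bin/sh", "sh", "-l", (char *)NULL);
	} else {
		if (drop_privileges(uid, gid) == -1) {
			perror("drop_privileges");
			return -1;
		}
		if (command != NULL)
			execl("/bin/sh", "sh", "-c", command, (char *)NULL);
		else
			execl("/bin/sh", "sh", "-l", (char *)NULL);
	}
	perror("execl");
	return -1;
}
```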
From: robert.a.wakehouse at intel.com (Wakehouse, Robert A)
Date: Fri, 2 Jun 2000 14:58:58 -0700
Subject: Info on building OpenSSH on AIX in AFS?
Message-ID:

Please pardon the repeat posting here, but I hope to get a better response with a proper subject line.

I am attempting to build OpenSSH on AIX in an AFS environment. I've succeeded in building Zlib and OpenSSL, but OpenSSH insists that it needs krb.h, kafs.h, and perhaps libkrb. I have not found any of these on this AIX machine (nor on others I've checked). The INSTALL document seems to insist that the --with-kerberos4 option is required for AFS (as is --with-AFS, of course).

If someone can explain exactly what is necessary, and where to find it or how to obtain it, I would be most grateful.

Thanks!

Bob Wakehouse
Robert.A.Wakehouse at intel.com
503-696-6325
Beaverton, OR

From dugsong at monkey.org Sat Jun 3 07:58:48 2000
From: dugsong at monkey.org (Dug Song)
Date: Fri, 2 Jun 2000 17:58:48 -0400 (EDT)
Subject: scp creating root files
In-Reply-To:
Message-ID:

On Fri, 2 Jun 2000, Wakehouse, Robert A wrote:

> I've succeeded in building Zlib and OpenSSL, but OpenSSH
> insists that it needs krb.h, kafs.h, and perhaps libkrb. I have
> not found any of these on this AIX machine (nor on others I've
> checked).

you need the KTH krb4 distribution.

ftp://ftp.pdc.kth.se/pub/krb/src/

-d.

---
http://www.monkey.org/~dugsong/

From djm at mindrot.org Sat Jun 3 09:47:29 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 3 Jun 2000 09:47:29 +1000 (EST)
Subject: Solaris utmpx
In-Reply-To: <20000602170451.A26183@nmrc.ie>
Message-ID:

On Fri, 2 Jun 2000, Lars Hecking wrote:

>
> Some people have reported utmpx corruption on Solaris. Is that
> fixed in p3?

Not quite. Andre Lucas has provided a much cleaner replacement for the login.c code which I will be looking at this weekend. There will be another test release soon.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From carl at bl.echidna.id.au Tue Jun 6 11:01:58 2000
From: carl at bl.echidna.id.au (carl at bl.echidna.id.au)
Date: Tue, 6 Jun 2000 11:01:58 +1000 (EST)
Subject: FreeBSD 4.0 and openssh 2.1.0p3
Message-ID: <200006060101.e5611wI21885@rollcage.bl.echidna.id.au>

I just got OpenSSH 2.1.0p3 compiled on a FreeBSD 4.0 (generic off the CD), but I had to comment out the fake socket stuff in ssh.h and openbsd-compat.h, and sshd doesn't seem to like /dev/random.

My configure option was just:

./configure --with-random=/dev/random

Is the above what I'd expect to have to do, or have I got a bodgey install/path? :)

Carl

From mouring at pconline.com Tue Jun 6 12:10:13 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Mon, 5 Jun 2000 21:10:13 -0500 (CDT)
Subject: 2.1.0p3 and next.
In-Reply-To: <200006060101.e5611wI21885@rollcage.bl.echidna.id.au>
Message-ID:

I finally have had time to port up to 2.1.0p3 and hope to have another rough patch. However, I'm having problems getting enough randomness to run sshd. The problem lies in the fact this NeXT box will never really ever be very busy. I may end up having to move back to egd.pl, which I don't want to.

Any advice?

From vectro at pipeline.com Tue Jun 6 12:50:57 2000
From: vectro at pipeline.com (vectro at pipeline.com)
Date: Mon, 5 Jun 2000 19:50:57 -0700 (PDT)
Subject: connection timeout
Message-ID:

Attached is a patch which adds a ConnectionTimeout option, and corrects the ConnectionAttempts documentation.

Previously, ssh would try to make a connection ConnectionAttempts times, sleeping 1 second between tries. But each connection attempt could take a very long time to fail if the packets die before they get to the host. So if ssh is being run in a script or what-have-you, it might be desirable to wait a shorter period of time. So this limits the time per connection attempt to the lesser of ConnectionTimeout and the kernel timeout for a socket in SYN_SENT state.

The patch is against the portable ssh, because I run Linux, but it applies to the current version of ssh as well, albeit with some fuzz and offsets. I have also not patched ssh.0 because it appears to be a generated file, and my troff must work differently from whoever generated it.

I'm thinking I might add a command line option to parse another config file after the defaults, maybe even instead of the user's home directory. Any thoughts?

Ian Turner

-------------- next part --------------
diff -Naur openssh-2.1.0p3/readconf.c openssh-2.1.0p3-new/readconf.c
--- openssh-2.1.0p3/readconf.c Mon May 29 20:44:53 2000
+++ openssh-2.1.0p3-new/readconf.c Mon Jun 5 19:06:58 2000
@@ -102,9 +102,10 @@ oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, - oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, - oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, oTISAuthentication, - oUsePrivilegedPort, oLogLevel, oCiphers, oProtocol, oIdentityFile2, + oConnectionTimeout, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, + oCompression, oCompressionLevel, oKeepAlives, + oNumberOfPasswordPrompts, oTISAuthentication, oUsePrivilegedPort, + oLogLevel, oCiphers, oProtocol, oIdentityFile2, oGlobalKnownHostsFile2, oUserKnownHostsFile2, oDSAAuthentication } OpCodes; @@ -151,6 +152,7 @@ { "globalknownhostsfile2", oGlobalKnownHostsFile2 }, { "userknownhostsfile2", oUserKnownHostsFile2 }, { "connectionattempts", oConnectionAttempts }, + { "connectiontimeout", oConnectionTimeout }, { "batchmode", oBatchMode }, { "checkhostip", oCheckHostIP }, { "stricthostkeychecking", oStrictHostKeyChecking }, @@ -460,6 +462,10 @@ case oConnectionAttempts: intptr = &options->connection_attempts; goto parse_int; + + case oConnectionTimeout: + intptr = &options->connection_timeout; + goto parse_int; case oCipher: intptr = &options->cipher; @@ -669,6 +675,7 @@ options->compression_level = -1; options->port = -1; options->connection_attempts = -1; + options->connection_timeout = -1; options->number_of_password_prompts = -1; options->cipher = -1; options->ciphers = NULL; 
@@ -746,6 +753,8 @@ options->port = 0; /* Filled in ssh_connect. */ if (options->connection_attempts == -1) options->connection_attempts = 4; + if (options->connection_timeout == -1) + options->connection_timeout = 120; if (options->number_of_password_prompts == -1) options->number_of_password_prompts = 3; /* Selected in ssh_login(). */ diff -Naur openssh-2.1.0p3/readconf.h openssh-2.1.0p3-new/readconf.h --- openssh-2.1.0p3/readconf.h Mon May 8 18:03:01 2000 +++ openssh-2.1.0p3-new/readconf.h Mon Jun 5 19:39:31 2000 @@ -60,8 +60,9 @@ LogLevel log_level; /* Level for logging. */ int port; /* Port to connect. */ - int connection_attempts; /* Max attempts (seconds) before + int connection_attempts; /* Max attempts before * giving up */ + int connection_timeout; /* Max time to wait per attempt */ int number_of_password_prompts; /* Max number of password * prompts. */ int cipher; /* Cipher to use. */ diff -Naur openssh-2.1.0p3/ssh.1 openssh-2.1.0p3-new/ssh.1 --- openssh-2.1.0p3/ssh.1 Mon May 29 20:44:54 2000 +++ openssh-2.1.0p3-new/ssh.1 Mon Jun 5 19:12:24 2000 @@ -628,10 +628,13 @@ The meaning of the values is the same as in .Xr gzip 1 . .It Cm ConnectionAttempts -Specifies the number of tries (one per second) to make before falling +Specifies the maximum number of tries to make before falling back to rsh or exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. +.It Cm ConnectionTimeout +Specifies the maximum amount of time, in seconds, to wait, for every +connection attempt. The argument must be an integer. .It Cm DSAAuthentication Specifies whether to try DSA authentication. The argument to this keyword must be diff -Naur openssh-2.1.0p3/ssh.c openssh-2.1.0p3-new/ssh.c --- openssh-2.1.0p3/ssh.c Mon May 29 20:44:54 2000 +++ openssh-2.1.0p3-new/ssh.c Mon Jun 5 19:12:59 2000 
@@ -578,6 +578,7 @@ ok = ssh_connect(host, &hostaddr, options.port, options.connection_attempts, + options.connection_timeout, !options.rhosts_authentication && !options.rhosts_rsa_authentication, original_real_uid, diff -Naur openssh-2.1.0p3/ssh.h openssh-2.1.0p3-new/ssh.h --- openssh-2.1.0p3/ssh.h Wed May 17 05:34:24 2000 +++ openssh-2.1.0p3-new/ssh.h Mon Jun 5 19:13:55 2000 @@ -323,13 +323,14 @@ * is 0, the default port will be used. If anonymous is zero, a privileged * port will be allocated to make the connection. This requires super-user * privileges if anonymous is false. Connection_attempts specifies the - * maximum number of tries, one per second. This returns true on success, + * maximum number of tries; Connection_timeout specifies the maximum number + * of time to wait for each try. This returns true on success, * and zero on failure. If the connection is successful, this calls * packet_set_connection for the connection. */ int ssh_connect(const char *host, struct sockaddr_storage * hostaddr, - u_short port, int connection_attempts, + u_short port, int connection_attempts, int connection_timeout, int anonymous, uid_t original_real_uid, const char *proxy_command); diff -Naur openssh-2.1.0p3/sshconnect.c openssh-2.1.0p3-new/sshconnect.c --- openssh-2.1.0p3/sshconnect.c Thu May 18 07:03:23 2000 +++ openssh-2.1.0p3-new/sshconnect.c Mon Jun 5 19:32:56 2000 
@@ -175,14 +175,16 @@ * If port is 0, the default port will be used. If anonymous is zero, * a privileged port will be allocated to make the connection. * This requires super-user privileges if anonymous is false. - * Connection_attempts specifies the maximum number of tries (one per - * second). If proxy_command is non-NULL, it specifies the command (with %h + * Connection_attempts specifies the maximum number of tries and + * connection_timeout specifies the time to wait on each try. + * If proxy_command is non-NULL, it specifies the command (with %h * and %p substituted for host and port, respectively) to use to contact * the daemon. */ int ssh_connect(const char *host, struct sockaddr_storage * hostaddr, u_short port, int connection_attempts, + int connection_timeout, int anonymous, uid_t original_real_uid, const char *proxy_command) { @@ -230,6 +232,9 @@ /* Loop through addresses for this host, and try each one in sequence until the connection succeeds. */ for (ai = aitop; ai; ai = ai->ai_next) { + fd_set ourset; + struct timeval timeout; + if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) continue; if (getnameinfo(ai->ai_addr, ai->ai_addrlen, @@ -253,7 +258,15 @@ * the remote uid as root. */ temporarily_use_uid(original_real_uid); - if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) { + fcntl(sock, F_SETFL, O_NONBLOCK); + FD_ZERO(&ourset); + FD_SET(sock, &ourset); + timeout.tv_sec = connection_timeout; + timeout.tv_usec = 0; + connect(sock, ai->ai_addr, ai->ai_addrlen); + select(sock + 1, &ourset, &ourset, &ourset, &timeout); + connect(sock, ai->ai_addr, ai->ai_addrlen); + if (errno == EISCONN) { /* Successful connection. */ memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); restore_uid(); From root at theporch.com Tue Jun 6 13:14:27 2000 
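Review bot: in the readconf.c hunk at @@ -460 of the patch above, `oConnectionTimeout` reuses `parse_int` with no range check, so `ConnectionTimeout 0` or a negative value is accepted and later copied into `timeout.tv_sec`; a zero makes select() return at once and a negative tv_sec gives EINVAL, either of which fails every attempt. Reject values below 1 at parse time so the misconfiguration is reported as such rather than surfacing as a connection failure.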
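Review bot: in the ssh.1 hunk at @@ -628 of the patch above, the new ConnectionTimeout entry has a stray comma ("to wait, for every connection attempt") and does not state the default; readconf.c fills in 120 when the option is unset, and the manual page should say so. A sentence that the effective wait is the smaller of this value and the system's own connect timeout, the point made in the cover note, would also belong here.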
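Review bot: in the ssh.h hunk at @@ -323 of the patch above, "the maximum number of time to wait for each try" should read "the maximum time, in seconds, to wait for each try"; as written the unit is only implied by the readconf.h comment.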
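Review bot: in the sshconnect.c hunk at @@ -253 of the patch above, the outcome of the attempt is read from `errno == EISCONN` after a second `connect()` call, which relies on unspecified behaviour and is wrong whenever that call returns 0, since errno is then stale. The first `connect()` return value is never examined, so an immediate failure such as ECONNREFUSED is not distinguished from a pending EINPROGRESS, and the return value of `select()` is ignored, so a timeout (select returning 0) falls through to the same second `connect()` instead of being reported. The portable sequence is: check the first connect() for 0 or EINPROGRESS, treat select() == 0 as the timeout, and read the real result with getsockopt(SO_ERROR). Two smaller points: the same `ourset` is passed as the read, write and exception set, and `fcntl(sock, F_SETFL, O_NONBLOCK)` is never undone (nor its return value checked), so the rest of the client now receives a non-blocking descriptor where it previously had a blocking one; restore the original flags once the connect has completed, or document the change.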
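The per-attempt bound Ian describes in his cover note, written with the portable non-blocking connect idiom, as an added example that is not part of the patch: check connect() for EINPROGRESS, treat select() returning 0 as the timeout, read the outcome from SO_ERROR, and hand back a blocking descriptor. The function names and the loopback listener used to exercise it are my own.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Connect sock to addr, waiting at most timeout_sec seconds (added
 * helper, not from the patch). Returns 0 on success, -1 with errno set
 * on failure; errno is ETIMEDOUT when the wait expired. Blocking mode
 * is restored before returning.
 */
int connect_with_timeout(int sock, const struct sockaddr *addr,
    socklen_t addrlen, int timeout_sec)
{
	int flags, err, rc, saved;
	socklen_t errlen = sizeof(err);
	fd_set wset;
	struct timeval tv;

	if (timeout_sec <= 0) {		/* a bare parse_int would let this through */
		errno = EINVAL;
		return -1;
	}
	if ((flags = fcntl(sock, F_GETFL, 0)) == -1 ||
	    fcntl(sock, F_SETFL, flags | O_NONBLOCK) == -1)
		return -1;

	rc = connect(sock, addr, addrlen);	/* 0, or -1 with errno set */
	if (rc == -1 && errno == EINPROGRESS) {
		FD_ZERO(&wset);
		FD_SET(sock, &wset);
		tv.tv_sec = timeout_sec;
		tv.tv_usec = 0;
		/* Writability means the attempt finished, one way or the other. */
		rc = select(sock + 1, NULL, &wset, NULL, &tv);
		if (rc == 0) {			/* nothing happened in time */
			errno = ETIMEDOUT;
			rc = -1;
		} else if (rc > 0) {		/* ask the kernel how it ended */
			if (getsockopt(sock, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1)
				rc = -1;
			else if (err != 0) {
				errno = err;
				rc = -1;
			} else
				rc = 0;
		}
		/* rc < 0 from select(): errno already describes it */
	}
	saved = errno;				/* fcntl must not clobber it */
	(void)fcntl(sock, F_SETFL, flags);
	errno = saved;
	return rc;
}

/* Listener on an ephemeral loopback port, constructed to exercise the helper. */
int open_listener(unsigned short *port)
{
	struct sockaddr_in sin;
	socklen_t len = sizeof(sin);
	int fd = socket(AF_INET, SOCK_STREAM, 0);

	if (fd == -1)
		return -1;
	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);	/* port 0: kernel picks */
	if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1 ||
	    listen(fd, 1) == -1 ||
	    getsockname(fd, (struct sockaddr *)&sin, &len) == -1) {
		close(fd);
		return -1;
	}
	*port = ntohs(sin.sin_port);
	return fd;
}

/* One loopback attempt: 0 on success, otherwise -errno from the helper. */
int try_loopback(unsigned short port, int timeout_sec)
{
	struct sockaddr_in sin;
	int sock = socket(AF_INET, SOCK_STREAM, 0), rc;

	if (sock == -1)
		return -errno;
	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_port = htons(port);
	sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	rc = connect_with_timeout(sock, (struct sockaddr *)&sin, sizeof(sin),
	    timeout_sec);
	if (rc != 0)
		rc = -errno;
	close(sock);
	return rc;
}
```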
From: root at theporch.com (Phillip Porch)
Date: Mon, 5 Jun 2000 22:14:27 -0500 (CDT)
Subject: SCO Openserver 5.0.5 ssh2 problem.
Message-ID:

I just finished compiling openssh-2.1.0p3 on a SCO OpenServer system. I generated the keys fine and generated the host keys, both rsa and dsa, without problems. ssh (version 1) works great. I tried to use ssh (version 2) and after being prompted to login, it quits. I am attaching a script file of...

ssh -v -2 root at sco

to see if you can find the problem. Let me know how I can help.

[root at sco ~] ssh -v -2 root at sco
SSH Version OpenSSH-2.1, protocol versions 1.5/2.0.
Compiled with SSL (0x00905820).
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to sco [207.234.31.38] port 22.
debug: loaded 21 entropy commands from /usr/local/etc/ssh_prng_cmds
debug: Seeding random number generator.
debug: OpenSSL random status is now 0
debug: 3 bytes from system calls
debug: Time elapsed: 20 msec
debug: Got 0.06 bytes of entropy from 'ls -alni /var/log'
debug: Time elapsed: 30 msec
debug: Got 0.77 bytes of entropy from 'ls -alni /var/adm'
debug: Time elapsed: 10 msec
debug: Got 0.02 bytes of entropy from 'ls -alni /var/spool/mail'
debug: Time elapsed: 40 msec
debug: Got 1.49 bytes of entropy from 'ls -alni /tmp'
debug: Time elapsed: 30 msec
debug: Got 2.00 bytes of entropy from 'netstat -an'
debug: Time elapsed: 70 msec
debug: Got 0.61 bytes of entropy from 'netstat -in'
debug: Time elapsed: 40 msec
debug: Got 0.20 bytes of entropy from 'netstat -rn'
debug: Time elapsed: 30 msec
debug: Got 0.70 bytes of entropy from 'netstat -s'
debug: Time elapsed: 10 msec
debug: Got 0.06 bytes of entropy from 'arp -a -n'
debug: Time elapsed: 30 msec
debug: Got 0.17 bytes of entropy from 'ifconfig -a'
debug: Time elapsed: 60 msec
debug: Got 0.23 bytes of entropy from 'ps -al'
debug: Time elapsed: 100 msec
debug: Command 'ps -efl' timed out
debug: Got 2.00 bytes of entropy from 'ps -efl'
debug: Time elapsed: 60 msec
debug: Got 0.15 bytes of entropy from 'w'
debug: Time elapsed: 30 msec
debug: Got 0.31 bytes of entropy from 'last'
debug: Time elapsed: 50 msec
debug: Got 0.20 bytes of entropy from 'df'
debug: Time elapsed: 20 msec
debug: Got 0.28 bytes of entropy from 'df -i'
debug: Time elapsed: 60 msec
debug: Got 0.26 bytes of entropy from 'vmstat'
debug: Time elapsed: 20 msec
debug: Got 0.01 bytes of entropy from 'uptime'
debug: Time elapsed: 10 msec
debug: Command 'ipcs -a' timed out
debug: Got 0.00 bytes of entropy from 'ipcs -a'
debug: Time elapsed: 20 msec
debug: Got 1.73 bytes of entropy from 'tail -200 /var/adm/messages'
debug: Time elapsed: 0 msec
debug: Got 0.00 bytes of entropy from 'tail -200 /var/adm/syslog'
debug: Time elapsed: 20 msec
debug: Got 0.03 bytes of entropy from 'ls -alni /var/log'
debug: Time elapsed: 20 msec
debug: Got 0.39 bytes of entropy from 'ls -alni /var/adm'
debug: Time elapsed: 10 msec
debug: Got 0.01 bytes of entropy from 'ls -alni /var/spool/mail'
debug: Time elapsed: 40 msec
debug: Got 0.74 bytes of entropy from 'ls -alni /tmp'
debug: Time elapsed: 30 msec
debug: Got 1.00 bytes of entropy from 'netstat -an'
debug: Time elapsed: 70 msec
debug: Got 0.30 bytes of entropy from 'netstat -in'
debug: Time elapsed: 40 msec
debug: Got 0.10 bytes of entropy from 'netstat -rn'
debug: Time elapsed: 30 msec
debug: Got 0.35 bytes of entropy from 'netstat -s'
debug: Time elapsed: 10 msec
debug: Got 0.03 bytes of entropy from 'arp -a -n'
debug: Time elapsed: 30 msec
debug: Got 0.08 bytes of entropy from 'ifconfig -a'
debug: Time elapsed: 60 msec
debug: Got 0.11 bytes of entropy from 'ps -al'
debug: Command 'ps -efl' disabled (badness 2)
debug: Time elapsed: 0 msec
debug: Command 'w' timed out
debug: Got 0.00 bytes of entropy from 'w'
debug: Time elapsed: 30 msec
debug: Got 0.15 bytes of entropy from 'last'
debug: Time elapsed: 50 msec
debug: Got 0.10 bytes of entropy from 'df'
debug: Time elapsed: 20 msec
debug: Got 0.14 bytes of entropy from 'df -i'
debug: Time elapsed: 50 msec
debug: Got 0.13 bytes of entropy from 'vmstat'
debug: Time elapsed: 10 msec
debug: Got 0.00 bytes of entropy from 'uptime'
debug: Command 'ipcs -a' disabled (badness 2)
debug: Time elapsed: 20 msec
debug: Got 0.87 bytes of entropy from 'tail -200 /var/adm/messages'
debug: Time elapsed: 0 msec
debug: Got 0.00 bytes of entropy from 'tail -200 /var/adm/syslog'
debug: 27 bytes from programs
debug: OpenSSL random status is now 1
debug: loading PRNG seed from file /root/.ssh/prng_seed
debug: Allocated local port 784.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH-2.1
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH-2.1
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: zlib,none
debug: got kexinit: zlib,none
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEXDH_INIT.
debug: bits set: 513/1024
debug: Wait SSH2_MSG_KEXDH_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: keytype ssh-dss
debug: keytype ssh-dss
debug: keytype ssh-dss
debug: Host 'sco' is known and matches the DSA host key.
debug: bits set: 493/1024
debug: len 55 datafellows 0
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,password
debug: try pubkey: /root/.ssh/id_dsa
debug: PEM_read_bio_DSAPrivateKey failed
debug: read DSA private key done
Enter passphrase for DSA key '/root/.ssh/id_dsa':
debug: read DSA private key done
debug: sig size 20 20
debug: authentications that can continue: publickey,password
root at sco's password:
debug: ssh-userauth2 successfull
debug: fd 6 setting O_NONBLOCK
debug: channel 0: new [client-session]
debug: send channel open 0
debug: Entering interactive session.
debug: callback start
debug: client_init id 0 arg 0
debug: channel request 0: shell
debug: client_set_session_ident: id 0
debug: callback done
debug: channel 0: open confirm rwindow 0 rmax 32768
debug: channel 0: rcvd adjust 16384
debug: channel 0: rcvd eof
debug: channel 0: output open -> drain
debug: callback start
debug: client_input_channel_req: rtype exit-status reply 0
debug: callback done
debug: channel 0: rcvd close
debug: channel 0: input open -> closed
debug: channel 0: close_read
debug: channel 0: obuf empty
debug: channel 0: output drain -> closed
debug: channel 0: close_write
debug: channel 0: send close
debug: channel 0: full closed2
debug: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
debug: !channel_still_open.
Connection to sco closed.
debug: Transferred: stdin 0, stdout 0, stderr 27 bytes in 0.1 seconds
debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 270.0
debug: Exit status 0
debug: writing PRNG seed to file /root/.ssh/prng_seed

--
Phillip P. Porch          NIC:PP1573                   finger for
http://www.theporch.com   UTM - 16 514546E 3994565N    PGP key

From markus.friedl at informatik.uni-erlangen.de Tue Jun 6 17:27:40 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 6 Jun 2000 09:27:40 +0200 Subject: scp creating root files In-Reply-To: <802568F2.005D70C6.00@d06mta05.portsmouth.uk.ibm.com>; from douglas.manton@uk.ibm.com on Fri, Jun 02, 2000 at 06:00:32PM +0100 References: <802568F2.005D70C6.00@d06mta05.portsmouth.uk.ibm.com> Message-ID: <20000606092740.A23197@folly.informatik.uni-erlangen.de> On Fri, Jun 02, 2000 at 06:00:32PM +0100, douglas.manton at uk.ibm.com wrote: > I have also discovered that the problem goes away when UseLogin is set to > "no"! Changing line 834 in session.c to: thanks! UseLogin is not tested and very broken, please use this patch. otherwise users can login with uid==0 if they use: $ ssh host /bin/sh -markus Index: session.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/session.c,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- session.c 2000/05/31 06:36:40 1.16 +++ session.c 2000/06/05 19:53:40 1.17 @@ -746,6 +746,10 @@ extern char **environ; struct stat st; char *argv[10]; + + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; f = fopen("/etc/nologin", "r"); if (f) { From tibbs at math.uh.edu Wed Jun 7 09:07:04 2000 
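Review bot: the new guard `if (options.use_login && command != NULL) options.use_login = 0;` is silent, so an administrator who switched UseLogin on gets no log line showing that `ssh host /bin/sh` was handled by sshd's own uid switch rather than by login(1); add a `debug()` (or `log()`) call next to it saying that UseLogin was disabled for command execution. That also records in the log why an interactive login and a remote command are treated differently on a UseLogin host.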
From: tibbs at math.uh.edu (Jason L Tibbitts III)
Date: 06 Jun 2000 18:07:04 -0500
Subject: RPMS falling back to /usr/kerberos/bin/rsh
Message-ID:

The 2.1.0p2 and 2.1.0p3 RPMS try to fall back to the r* commands in /usr/kerberos/bin. I'm not sure under which distribution that path is valid, but it just gives an error on my machines (RedHat 6.1 and 6.2).

It's no big deal to tweak the SRPM and build my own packages, but it does make me wonder if the fallback path should be configurable.

--
Jason L Tibbitts III - tibbs at uh.edu - 713/743-3486 - 660PGH - 94 PC800
System Manager: University of Houston Department of Mathematics
Born alone beneath pale sardonic skies. One love, one life, one sorrow.

From vinschen at cygnus.com Wed Jun 7 11:00:22 2000
From: vinschen at cygnus.com (Corinna Vinschen)
Date: Wed, 07 Jun 2000 03:00:22 +0200
Subject: [PATCH]: Port of openssh-2.1.0p3 to Cygwin environment
Message-ID: <393D9EA6.D065FC8A@cygnus.com>

Hi all,

I have just successfully ported openssh-2.1.0p3 to Cygwin. As you may know, Cygwin is a GPLed POSIX layer for Windows OSes.

To be serious: I don't _like_ Windows systems and sometimes I really hate those STUPID concessions which are necessary when trying to get U*X software working on Windoze, but for some reason that's exactly the reason why I love to work on Cygwin!

Porting to Cygwin has two major goals:

- Care for all file access to differ `text mode' (files may have \n or \r\n line endings) from `binary mode' (files are always read as they are, like in U*X).
- Care for the Windows NT password authentication method.

Another problem is the usage of the filename `aux.c'. Windows has some special files (devices) called NUL, AUX, PRN, LPT, CON and as a holdover from `those good ol' DOS days' :-( it's not possible to name a regular file e.g. "aux", "aux.foo", "foo.aux". To get rid of that problem, I have renamed the file `aux.c' to `aux_funcs.c'. You can't see this file name change in my patch, only in `Makefile.in', unfortunately.

With that port, you can use sshd either as a service, which enables NT password authentication for each user, or as a user-bound daemon, which allows RSA/DSA authentication only for exactly that user due to the NT/W2K authentication restrictions. No such restriction exists when running sshd under (geez) W95/W98. Which works.

I would be very glad if it's possible to integrate the patch and to add Cygwin to the development targets of the portable OpenSSH. The gzip'd patch file related to 2.1.0p3 is attached.

Please reply to my personal mail address, because I'm not subscribed to the mailing list.

Thanks in advance,
Corinna

ChangeLog:
20000607
- Change name of `aux.c' to `aux_funcs.c'.
- [auth-password.c auth1.c auth2.c session.c] Include Windows NT password authentication.
- [auth1.c auth2.c] Disable empty password authentication for Cygwin.
- [Various files] Care for binary versus text mode in file open calls.
- Disable some file permission checks for Cygwin to allow working on FAT file systems.
- [bsd-daemon.c] When working in daemon mode, let the parent process sleep a second to avoid a race condition in Cygwin.
- [defines.h] typedef the types `n_short', `n_long' and `n_time' instead of including netinet/in_systm.h for Cygwin.
- [includes.h] include getopt.h for Cygwin. Define O_BINARY as far as it's not already defined.
- [login.c] Cast -1 to uid_t to avoid compiler warnings.
- [packet.c] IPTOS_LOWDELAY and IPTOS_THROUGHPUT are defined in Cygwin but result in an error on W2K.
- [pty.c] pushing streams modules isn't functional on Windows.
- [rsa.c] Don't call seed_rng() in Cygwin to avoid a race condition in daemon mode.
- [scp.c] Call `tcgetpgrp()' instead of `ioctl(, TIOCGPGRP,)' in Cygwin.
- [session.c] Rearrange environment handling for working under Windows. Close xauthfile immediately to avoid permission problems under Windows. Don't send the `$DISPLAY/unix' stuff to the Cygwin xauth program.
- [ssh.c] Try more variations of the own name in Cygwin.
- [ssh.h] Disable declaration of auth_password for Cygwin here.

--
Corinna Vinschen
Cygwin Developer
Cygnus Solutions, a Red Hat company

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-2.1.0p3.diff.gz
Type: application/x-gzip
Size: 8982 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000607/b63f3176/attachment.bin

From djm at mindrot.org Wed Jun 7 19:25:51 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 7 Jun 2000 19:25:51 +1000 (EST)
Subject: FreeBSD 4.0 and openssh 2.1.0p3
In-Reply-To: <200006060101.e5611wI21885@rollcage.bl.echidna.id.au>
Message-ID:

On Tue, 6 Jun 2000 carl at bl.echidna.id.au wrote:

>
> I just got OpenSSH 2.1.0p3 compiled on a FreeBSD 4.0 (generic off
> the CD), but I had to comment out the fake socket stuff in ssh.h and
> openbsd-compat.h, and sshd doesn't seem to like /dev/random.

What was the exact problem here?

> Is the above what I'd expect to have to do, or have I got a bodgey
> install/path? :)

FreeBSD maintain their own port of OpenSSH which is likely to be better tested. As such we don't get a whole lot of FreeBSD reports.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Jun 7 19:26:55 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 7 Jun 2000 19:26:55 +1000 (EST)
Subject: 2.1.0p3 and next.
In-Reply-To:
Message-ID:

On Mon, 5 Jun 2000, Ben Lindstrom wrote:

>
> I finally have had time to port up to 2.1.0p3 and hope to have another
> rough patch.
>
> However, I'm having problems getting enough randomness to run sshd. The
> problem lies in the fact this NeXT box will never really ever be very
> busy. I may end up having to move back to egd.pl. Which I don't want
> to.
>
> Any advice?

Increase the entropy estimates in ssh_prng_cmds (the third column). They are guesses anyway.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Wed Jun 7 19:54:50 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 7 Jun 2000 19:54:50 +1000 (EST)
Subject: RPMS falling back to /usr/kerberos/bin/rsh
In-Reply-To:
Message-ID:

On 6 Jun 2000, Jason L Tibbitts III wrote:

> The 2.1.0p2 and 2.1.0p3 RPMS try to fall back to the r* commands in
> /usr/kerberos/bin. I'm not sure under which distribution that path
> is valid, but it just gives an error on my machines (RedHat 6.1 and
> 6.2).
>
> It's no big deal to tweak the SRPM and build my own packages, but it
> does make me wonder if the fallback path should be configurable.

Thanks, fixed.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From marc.fournier at acadiau.ca Wed Jun 7 22:48:03 2000
From: marc.fournier at acadiau.ca (Marc G. Fournier)
Date: Wed, 7 Jun 2000 09:48:03 -0300 (ADT)
Subject: Solaris8/Sparc20: builtin random number generator
Message-ID:

just compiled and installed p3 on my server, and just trying to start up sshd, I'm getting this ... god, how I hate Solaris *sigh*

/usr/slocal/sbin/sshd
fatal: Couldn't initialise builtin random number generator -- exiting.

Marc G. Fournier marc.fournier at acadiau.ca
Senior Systems Administrator Acadia University
"These are my opinions, which are not necessarily shared by my employer"

From mouring at pconline.com Thu Jun 8 00:22:22 2000
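Marc's "Couldn't initialise builtin random number generator" failure and the per-command entropy lines in the SCO report earlier in this archive come from the same collector, whose estimates Damien suggests raising. As an added example, not code from OpenSSH or from anyone in this thread, the C program below tallies that `-v` output per command so that the commands which time out, get disabled or credit nothing can be seen before any estimate in ssh_prng_cmds is raised. The message formats it parses are the ones quoted in this thread; the sample log embedded in it is constructed.

```c
/* Added example, not OpenSSH code: tally the entropy-gathering lines that
 * portable OpenSSH 2.1.x prints under `ssh -v` / `sshd -d`, so commands that
 * time out, get disabled or contribute nothing stand out before any estimate
 * in ssh_prng_cmds is raised. SAMPLE_LOG is a constructed log in that format. */
#include <stdio.h>
#include <string.h>

#define MAX_CMDS 64

struct cmd_stat {
    char   name[128];
    double bytes;              /* entropy credited, summed over all runs */
    int    timeouts, disabled; /* "timed out" count; "disabled (badness N)" */
};

struct entropy_report {
    struct cmd_stat cmds[MAX_CMDS];   /* in order of first appearance */
    int ncmds;
    double total_bytes;
};

static struct cmd_stat *find_or_add(struct entropy_report *r, const char *name)
{
    int i;
    struct cmd_stat *c;

    for (i = 0; i < r->ncmds; i++)
        if (strcmp(r->cmds[i].name, name) == 0)
            return &r->cmds[i];
    if (r->ncmds == MAX_CMDS)
        return NULL;
    c = &r->cmds[r->ncmds++];
    memset(c, 0, sizeof(*c));
    strncpy(c->name, name, sizeof(c->name) - 1);
    return c;
}

/* Classify one line; lines that are not entropy messages are ignored. */
static void parse_line(struct entropy_report *r, const char *line)
{
    char name[128];
    double bytes;
    int end = 0;
    struct cmd_stat *c;

    if (sscanf(line, "debug: Got %lf bytes of entropy from '%127[^']'",
               &bytes, name) == 2) {
        if ((c = find_or_add(r, name)) != NULL)
            c->bytes += bytes;
        r->total_bytes += bytes;
        return;
    }
    /* %n marks the end of the quoted name; the suffix is matched with strstr,
     * since a "... timed out" format would also accept the "disabled" lines. */
    if (sscanf(line, "debug: Command '%127[^']'%n", name, &end) == 1 &&
        end > 0 && (c = find_or_add(r, name)) != NULL) {
        if (strstr(line + end, "timed out") != NULL)
            c->timeouts++;
        else if (strstr(line + end, "disabled") != NULL)
            c->disabled = 1;
    }
}

/* Parse newline-separated log text (first 4 KB) into r. */
void summarise_entropy_log(struct entropy_report *r, const char *log)
{
    char buf[4096], *line;

    memset(r, 0, sizeof(*r));
    strncpy(buf, log, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    for (line = strtok(buf, "\n"); line != NULL; line = strtok(NULL, "\n"))
        parse_line(r, line);
}

static const char SAMPLE_LOG[] =   /* constructed sample */
    "debug: Got 0.06 bytes of entropy from 'ls -alni /var/log'\n"
    "debug: Got 2.00 bytes of entropy from 'netstat -an'\n"
    "debug: Command 'ps -efl' timed out\n"
    "debug: Got 2.00 bytes of entropy from 'ps -efl'\n"
    "debug: Got 1.00 bytes of entropy from 'netstat -an'\n"
    "debug: Command 'ipcs -a' disabled (badness 2)\n"
    "debug: 27 bytes from programs\n";

const struct entropy_report *sample_report(void)
{
    static struct entropy_report r;
    summarise_entropy_log(&r, SAMPLE_LOG);
    return &r;
}

int main(void)
{
    const struct entropy_report *r = sample_report();
    int i;

    for (i = 0; i < r->ncmds; i++)
        printf("%-20s %5.2f bytes, %d timeout(s)%s\n", r->cmds[i].name,
               r->cmds[i].bytes, r->cmds[i].timeouts,
               r->cmds[i].disabled ? ", disabled" : "");
    printf("total %.2f bytes credited\n", r->total_bytes);
    return 0;
}
```

Run it on real output by replacing SAMPLE_LOG with the captured text of `ssh -v` (or `sshd -d`); a command that keeps timing out, or that is credited far more than its output could plausibly contain, is the one whose line in ssh_prng_cmds deserves attention first, rather than raising every estimate.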
From: mouring at pconline.com (Ben Lindstrom)
Date: Wed, 7 Jun 2000 09:22:22 -0500 (CDT)
Subject: 2.1.0p3 and next.
In-Reply-To:
Message-ID:

No luck. I played with it for a good hour and a half. I even dug into the NeXT OS and started looking for strange and unique platform commands that gave random output. Oh well.

BTW. OpenSSH 2.1.0p3 is running on 4.2 OpenStep Black hardware. The 'make install' works (yippee, thanks whoever submitted those patches), but we pretty much have the same issues as with the 1.2.x series.

1) utmp is still broken as of this moment.
2) "setsockopt IPTOS_LOWDELAY: Invalid argument" error still occurs on connection - It seems harmless, but I suspect that NeXT lacks the whole IPTOS_LOWDELAY concept.
3) scp won't compile and I don't remember the reason right off hand.

But Protocol 2 seems to work from OpenSSH to OpenSSH on NeXT =) That's at least good.

Matt Weigel and I should hopefully have OpenSSL and OpenSSH patches for at least NIH rough support in the next few days.

For those running NeXT and you want to try the current version I'm working on:

ftp://ftp.pconline.com/users/mouring/openssh-next210p3.tar.gz

The 'configure' script works correctly now.

Damien,

How do you want me to attempt to package the routines required to give NeXT enough posix routines to run? At this moment 95% of all my code is in next-fixup.[ch], with only a few minor patches to other files.

-Ben

On Wed, 7 Jun 2000, Damien Miller wrote:

> On Mon, 5 Jun 2000, Ben Lindstrom wrote:
>
> >
> > I finally have had time to port up to 2.1.0p3 and hope to have another
> > rough patch.
> >
> > However, I'm having problems getting enough randomness to run sshd. The
> > problem lies in the fact this NeXT box will never really ever be very
> > busy. I may end up having to move back to egd.pl. Which I don't want
> > to.
> >
> > Any advice?
>
> Increase the entropy estimates in ssh_prng_cmds (the third column).
> They are guesses anyway.
> > -d > > -- > | "Bombay is 250ms from New York in the new world order" - Alan Cox > | Damien Miller - http://www.mindrot.org/ > | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) > > > From kenji at miyake.org Thu Jun 8 02:50:16 2000 From: kenji at miyake.org (Kenji Miyake) Date: Thu, 08 Jun 2000 01:50:16 +0900 Subject: patch for utmpx corruption for openssh-2.1.0p3.tar.gz Message-ID: <20000608015016H.kenji@miyake.org> if openssh-2.1.0p3 exec in USE_UTMPX enabled environment (ie. solaris 8) then utmpx file update to utmp format. --- ./bsd-login.c.org Sat May 20 14:03:00 2000 +++ ./bsd-login.c Thu Jun 8 01:33:43 2000 @@ -148,10 +148,11 @@ if (utp->ut_type == USER_PROCESS) { #ifdef USE_UTMPX if ((fd = open(_PATH_UTMPX, O_WRONLY|O_APPEND, 0)) >= 0) { + (void)write(fd, utx, sizeof(struct utmpx)); #else /* USE_UTMPX */ if ((fd = open(_PATH_UTMP, O_WRONLY|O_APPEND, 0)) >= 0) { -#endif /* USE_UTMPX */ (void)write(fd, utp, sizeof(struct utmp)); +#endif /* USE_UTMPX */ (void)close(fd); } } else { From kaspar at lifosa.com Thu Jun 8 06:36:50 2000 From: kaspar at lifosa.com (Aidas Kasparas) Date: Wed, 07 Jun 2000 22:36:50 +0200 Subject: port forwarding as root Message-ID: <393EB262.40DAB87B@lifosa.com> Hi, I'm little unhappy that OpenSSH server forwards connections while running as root. Services what checks out using ident protocol complains about me working as root [and for a good reason]. To change situation I see following ways: 1) for every port forwarding fork();setuid();forward|exec(netcat) 2) after authentication grab one pty;setuid();forward connections as requested [is there client which opens more than one interactive/forwarded connection?] 3) fool somehow ident server [how?] I need your oppinions. -- Aidas Kasparas Network Manager AB Lifosa From djm at mindrot.org Thu Jun 8 14:42:39 2000 
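Review bot: the USE_UTMPX branch now writes `utx` with `sizeof(struct utmpx)`, which is the right record for _PATH_UTMPX and accounts for the "utmpx file update to utmp format" corruption, but both branches still discard the result with `(void)write(fd, ..., sizeof(...))`; a short write leaves a truncated record, the same kind of corruption this patch removes, with nothing logged. Compare the return value against the record size and log a warning on mismatch in both the `#ifdef USE_UTMPX` and `#else` branches, before the shared `(void)close(fd);`.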
From: djm at mindrot.org (Damien Miller)
Date: Thu, 8 Jun 2000 14:42:39 +1000 (EST)
Subject: patch for utmpx corruption for openssh-2.1.0p3.tar.gz
In-Reply-To: <20000608015016H.kenji@miyake.org>
Message-ID:

On Thu, 8 Jun 2000, Kenji Miyake wrote:

> if openssh-2.1.0p3 exec in USE_UTMPX enabled environment (ie. solaris
> 8) then utmpx file update to utmp format.

Can you give this release a try:

http://www.mindrot.org/misc/junk/openssh-2.1.1p1-TEST-2000060700.tar.gz

It contains substantially improved login code.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From rmk at toad.rmkhome.com Fri Jun 9 03:31:10 2000
From: rmk at toad.rmkhome.com (Rick Kelly)
Date: Thu, 8 Jun 2000 11:31:10 -0600 (MDT)
Subject: openssh-2.1.0p3 & NetBSD 1.4.2
Message-ID: <200006081731.e58HVAX23674@toad.rmkhome.com>

I have a need to set up an ssh login server that groks both ssh1 and ssh2. I'm trying to build openssh-2.1.0p3 on NetBSD 1.4.2. Configure fails when it tries to build the test program conftest. It's not obvious from config.log exactly what is going wrong. Has anyone built the latest openssh under NetBSD 1.4.2?

Thanks in advance.

--
Rick Kelly rmk at rmkhome.com www.rmkhome.com

From kenji at miyake.org Fri Jun 9 11:32:54 2000
From: kenji at miyake.org (Kenji Miyake)
Date: Fri, 09 Jun 2000 10:32:54 +0900
Subject: patch for utmpx corruption for openssh-2.1.0p3.tar.gz
In-Reply-To: Your message of "Thu, 8 Jun 2000 14:42:39 +1000 (EST)"
References:
Message-ID: <20000609103254W.kenji@miyake.org>
From: Damien Miller Subject: Re: patch for utmpx corruption for openssh-2.1.0p3.tar.gz Date: Thu, 8 Jun 2000 14:42:39 +1000 (EST) > On Thu, 8 Jun 2000, Kenji Miyake wrote: > > > if openssh-2.1.0p3 exec in USE_UTMPX enabled environment (ie. solaris > > 8) then utmpx file update to utmp format. > > Can you give this release a try: > > http://www.mindrot.org/misc/junk/openssh-2.1.1p1-TEST-2000060700.tar.gz > > It contains substantially improved login code. Your revised code is very clear and basically no problem, but some little problem for solaris8 environment. Solaris8 don't have utmp and wtmp file but configure script detect and use it(access utmpx and wtmpx file twice for each.). --- ./configure.in.org Wed Jun 7 21:20:23 2000 +++ ./configure.in Fri Jun 9 08:32:14 2000 @@ -106,6 +106,15 @@ need_dash_r=1 # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" + AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x) + sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'` + if test "$sol2ver" -ge 8; then + AC_MSG_RESULT(yes) + AC_DEFINE(DISABLE_UTMP) + AC_DEFINE(DISABLE_WTMP) + else + AC_MSG_RESULT(no) + fi ;; *-*-sunos4*) CFLAGS="$CFLAGS -DSUNOS4" From djm at mindrot.org Fri Jun 9 11:59:43 2000 
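Review bot: `sol2ver=\`echo "$host"| sed -e 's/.*[[0-9]]\.//'\`` assumes a host triple of the form `sparc-sun-solaris2.8`; a triple without a minor version, or one with trailing text after it, leaves a non-numeric string and `test "$sol2ver" -ge 8` then aborts configure with a shell error instead of falling back to the utmp/wtmp defaults. A case pattern inside this `*-*-solaris2*` branch, such as `solaris2.[[89]]* | solaris2.[[1-9][0-9]]*`, avoids the numeric test entirely; the `AC_MSG_CHECKING` text should also say "Solaris 8 or later" so that the `AC_DEFINE(DISABLE_UTMP)` and `AC_DEFINE(DISABLE_WTMP)` lines are traceable to the version they apply to.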
From: djm at mindrot.org (Damien Miller)
Date: Fri, 9 Jun 2000 11:59:43 +1000 (EST)
Subject: patch for utmpx corruption for openssh-2.1.0p3.tar.gz
In-Reply-To: <20000609103254W.kenji@miyake.org>
Message-ID:

On Fri, 9 Jun 2000, Kenji Miyake wrote:

> Your revised code is very clear and basically no problem,

The new code is actually by Andre Lucas, but yes - it is a great improvement.

> but some
> little problem for solaris8 environment. Solaris8 don't have utmp and
> wtmp file but configure script detect and use it(access utmpx and
> wtmpx file twice for each.).

Thanks for this - I have applied the patch. Expect a real 2.1.1p1 very soon.

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From douglas.manton at uk.ibm.com Fri Jun 9 19:59:54 2000
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com)
Date: Fri, 9 Jun 2000 10:59:54 +0100
Subject: ssh-agent support of ssh2
Message-ID: <802568F9.0036E112.00@d06mta05.portsmouth.uk.ibm.com>

Folks,

Any idea of when ssh2 support will be available within ssh-agent and ssh-add?

Many thanks,

--------------------------------------------------------
Doug Manton, AT&T EMEA Firewall and Security Solutions
douglas.manton at uk.ibm.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"

From djm at mindrot.org Fri Jun 9 21:52:57 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 9 Jun 2000 21:52:57 +1000 (EST)
Subject: [PATCH]: Port of openssh-2.1.0p3 to Cygwin environment
In-Reply-To: <393D9EA6.D065FC8A@cygnus.com>
Message-ID:

On Wed, 7 Jun 2000, Corinna Vinschen wrote:

> Hi all,
>
> I have just successfully ported openssh-2.1.0p3 to Cygwin. As you
> may know, Cygwin is a GPLed POSIX layer for Windows OSes.
> To be serious: I don't _like_ Windows systems and sometimes I
> really hate that STUPID concessions which are necessary when
> trying to get U*X software working on Windoze but for some
> reason that's exactly the reason, why I love to work on Cygwin!

Thanks for the patch! Cygwin does make working with nt a little more endurable :)

> Porting to Cygwin has two major goals:
>
> - Care for all file access to differ `text mode' (files may have
> \n or \r\n line endings) from `binary mode' (files are always
> read as they are like in U*X).

This is the main problem with integrating the patch - it touched just about every open and fopen in the source. This makes it more difficult to stay synched with the OpenBSD CVS tree (i.e. lots more manual patching).

Is there any way to decrease the volume of these changes or isolate them to a one-off #define?

I will give the diff a try over the weekend on our poor NT machine :)

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Fri Jun 9 21:53:39 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 9 Jun 2000 21:53:39 +1000 (EST)
Subject: openssh-2.1.0p3 & NetBSD 1.4.2
In-Reply-To: <200006081731.e58HVAX23674@toad.rmkhome.com>
Message-ID:

On Thu, 8 Jun 2000, Rick Kelly wrote:

>
> I have a need to set up an ssh login server that groks both ssh1 and
> ssh2. I'm trying to build openssh-2.1.0p3 on NetBSD 1.4.2. Configure
> fails when it tries to build the test program conftest. It's not
> obvious fron config.log exactly what is going wrong.

What is the output from configure?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Fri Jun 9 21:59:55 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 9 Jun 2000 21:59:55 +1000 (EST)
Subject: SIA support patches for Tru64 UNIX
In-Reply-To: <20000505141552.B103289@isc.upenn.edu>
Message-ID:

On Fri, 5 May 2000, John P Speno wrote:

> On Wed, May 03, 2000 at 09:59:23AM -0400, John P Speno wrote:
>
> > I think I'm ready with the SIA (Security Integration Architecture)
> > patches for Tru64 UNIX. All of the code was written by Tom
> > Woodburn, an engineer
>
> The patches are available here:
>
>
>
> There's a README file in that tarball which gives instructions on
> what to hack after running configure to use SIA support.

Do you have a diff against any of the 2.x.x OpenSSH versions?

I had a look on your homepage, but all I could find was a picture of a very cute puppy :)

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From speno at isc.upenn.edu Fri Jun 9 22:05:37 2000
From: speno at isc.upenn.edu (John P Speno)
Date: Fri, 9 Jun 2000 08:05:37 -0400
Subject: SIA support patches for Tru64 UNIX
In-Reply-To: ; from djm@mindrot.org on Fri, Jun 09, 2000 at 09:59:55PM +1000
References: <20000505141552.B103289@isc.upenn.edu>
Message-ID: <20000609080537.B24179@isc.upenn.edu>

On Fri, Jun 09, 2000 at 09:59:55PM +1000, Damien Miller wrote:
> On Fri, 5 May 2000, John P Speno wrote:
>
> > On Wed, May 03, 2000 at 09:59:23AM -0400, John P Speno wrote:
> >
> > > I think I'm ready with the SIA (Security Integration Architecture)
> > > patches for Tru64 UNIX. All of the code was written by Tom
> > > Woodburn, an engineer
> >
> > The patches are available here:
> >
> >
> >
> > There's a README file in that tarball which gives instructions on
> > what to hack after running configure to use SIA support.
>
> Do you have a diff against any of the 2.x.x OpenSSH versions?
>
> I had a look on you homepage, but all I could find was a picture of
> a very cute puppy :)

And she's still cute... but no, my diffs are vs 1.2.3. I can work up 2.x diffs if that's what it'll take to get it into the tree. What 2.x version should I use? (url please).

Thanks.

From drankin at bohemians.lexington.ky.us Sat Jun 10 00:08:24 2000
From: drankin at bohemians.lexington.ky.us (David Rankin)
Date: Fri, 9 Jun 2000 10:08:24 -0400
Subject: openssh-2.1.0p3 & NetBSD 1.4.2
In-Reply-To: <200006081731.e58HVAX23674@toad.rmkhome.com>; from Rick Kelly on Thu, Jun 08, 2000 at 11:31:10AM -0600
References: <200006081731.e58HVAX23674@toad.rmkhome.com>
Message-ID: <20000609100824.A5452@rumpole.bohemians.lexington.ky.us>

On Thu, Jun 08, 2000 at 11:31:10AM -0600, Rick Kelly wrote:
> I have a need to set up an ssh login server that groks both ssh1 and
> ssh2. I'm trying to build openssh-2.1.0p3 on NetBSD 1.4.2. Configure
> fails when it tries to build the test program conftest. It's not
> obvious fron config.log exactly what is going wrong.

I'd strongly suggest using the Packages collection for NetBSD (not only for openssh but also for everything else). While I wasn't involved in the 2.1.0p3 package creation, I have tested it on one of my newly built machines, and it appears to work just fine.

Feel free to give me a yell if you can't get it working through package, and I'll see if I can figure out what's wrong.

Thanks,
David

--
David W. Rankin, Jr. Husband, Father, and UNIX Sysadmin.
Email: drankin at bohemians.lexington.ky.us
Address/Phone Number: Ask me.

From markus.friedl at informatik.uni-erlangen.de Sat Jun 10 01:06:30 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 9 Jun 2000 17:06:30 +0200 Subject: OpenSSH's UseLogin option allows remote access with root privilege. Message-ID: <20000609170629.A4933@folly.informatik.uni-erlangen.de> OpenSSH's UseLogin option allows remote access with root privilege. 1. Systems affected: The default installation of OpenSSH is not vulnerable, since UseLogin defaults to 'no'. However, if UseLogin is enabled, all versions of OpenSSH prior to 2.1.1 are affected. 2. Description: If the UseLogin option is enabled the OpenSSH server (sshd) does not switch to the uid of the user logging in. Instead, sshd relies on login(1) to do the job. However, if the user specifies a command for remote execution login(1) cannot be used and sshd fails to set the correct user id. The command is run with the same privilege as sshd (usually with root privilege). 3. Impact: If the administrator enables UseLogin users can get privileged access to the server running sshd. 4. Short Term Solution: Do not enable UseLogin on your machines or disable UseLogin again in /etc/sshd_config: UseLogin no 5. Solution: Upgrade to OpenSSH-2.1.1 or apply the attached patch. OpenSSH-2.1.1 is available from www.openssh.com. Appendix: 1. OpenSSH-1.2.2 --- sshd.c.orig Thu Jan 20 18:58:39 2000 +++ sshd.c Tue Jun 6 10:12:00 2000 @@ -2231,6 +2231,10 @@ struct stat st; char *argv[10]; + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ 2. OpenSSH-1.2.3 --- sshd.c.orig Mon Mar 6 22:11:17 2000 +++ sshd.c Tue Jun 6 10:14:07 2000 
@@ -2250,6 +2250,10 @@ struct stat st; char *argv[10]; + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ 3. OpenSSH-2.1.0 --- session.c.orig Wed May 3 20:03:07 2000 +++ session.c Tue Jun 6 10:10:50 2000 @@ -744,6 +744,10 @@ struct stat st; char *argv[10]; + /* login(1) is only called if we execute the login shell */ + if (options.use_login && command != NULL) + options.use_login = 0; + f = fopen("/etc/nologin", "r"); if (f) { /* /etc/nologin exists. Print its contents and exit. */ EOF From heinlein at cse.ogi.edu Sat Jun 10 01:08:12 2000 
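Review bot: the OpenSSH-1.2.2 sshd.c hunk fixes the symptom by turning UseLogin off whenever `command != NULL`, but it leaves the underlying assumption in place, namely that code further down will drop privileges; since the impact described in section 3 is a command running with sshd's uid, a second line of defence that costs nothing is an explicit check just before the exec that the effective uid equals the authenticated user's uid, with `fatal()` otherwise, so a later change to the UseLogin path fails closed instead of failing as root.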
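Review bot: the OpenSSH-1.2.3 sshd.c hunk is identical to the 1.2.2 one apart from the offset (`@@ -2250,6` versus `@@ -2231,6`), and the comment `/* login(1) is only called if we execute the login shell */` states the mechanism but not the reason; since this is applied by hand to three releases, extend the comment to say that with UseLogin and a command the session would otherwise run with sshd's privileges, so nobody later removes the three lines as a no-op.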
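Review bot: in the OpenSSH-2.1.0 session.c hunk the guard sits before the `/etc/nologin` check at the top of the function, which is fine, but it only covers the `command != NULL` case; the interactive path still hands the session to login(1), which the OpenBSD plus.html entry quoted later in this thread says "does not work right in OpenBSD". Independent of this hunk, a `log()` warning at startup whenever UseLogin is enabled would tell administrators they are on the untested path the message at the start of this thread describes.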
From: heinlein at cse.ogi.edu (Paul Heinlein)
Date: Fri, 9 Jun 2000 08:08:12 -0700 (PDT)
Subject: pine/openssh
In-Reply-To:
Message-ID:

Forgive me for asking an implementation question on the developers' list...

Until yesterday, I was using ssh-1.2.2x on my Linux boxes here at work. I ssh-enabled pine (4.21) by pointing it at our imap server and adding the following directives to ~/.pinerc:

ssh-open-timeout=30
ssh-path=/usr/local/bin/ssh
ssh-command="%s %s -l %s exec /usr/etc/local/%sd"

Everything worked great. I'd wrap my local X sessions in ssh-agent, load my rsa key and voila! Password-less imap. On those rare occasions when pine prompted me for a password, I'd know that my ssh connection hadn't "taken" and that something was amiss.

Upon installation of openssh-2.1.0p3, the connection no longer "takes" -- ever. I've fiddled and fiddled, to no avail.

Before I start running some serious tcpdump sessions, I thought I'd ask if anyone's encountered this problem and/or devised a solution.

. Paul Heinlein . . . . . . . . . . . Webmaster, Systems Administrator .
. Department of Computer Science and Engineering .
. Oregon Graduate Institute of Science and Technology .
. Beaverton, Oregon, USA . . . . 503-748-1199 http://www.cse.ogi.edu/~heinlein/ .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

From chip at princetonecom.com Sat Jun 10 01:10:58 2000
From: chip at princetonecom.com (Chip Christian)
Date: Fri, 09 Jun 2000 11:10:58 -0400
Subject: patch for utmpx corruption for openssh-2.1.0p3.tar.gz
In-Reply-To: Message from Damien Miller of "Thu, 08 Jun 2000 14:42:39 +1000."
Message-ID: <20000609151058.1116BB47B@fleck.princetonecom.com>

No problems so far on a handful of 2.6 boxen. I take it this should also fix the utmp corruption reported by Lukas Karrer?

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=95959541620508&w=2

> On Thu, 8 Jun 2000, Kenji Miyake wrote:
>
> > if openssh-2.1.0p3 exec in USE_UTMPX enabled environment (ie. solaris
> > 8) then utmpx file update to utmp format.
>
> Can you give this release a try:
>
> http://www.mindrot.org/misc/junk/openssh-2.1.1p1-TEST-2000060700.tar.gz
>
> It contains substantially improved login code.
>
> -d
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)
>
>
>
>

From greg at nest.cx Sat Jun 10 01:30:05 2000
From: greg at nest.cx (Gregory Steuck)
Date: 09 Jun 2000 08:30:05 -0700
Subject: OpenSSH's UseLogin option allows remote access with root privilege.
In-Reply-To: Markus Friedl's message of "Fri, 9 Jun 2000 17:06:30 +0200"
References: <20000609170629.A4933@folly.informatik.uni-erlangen.de>
Message-ID: <86aegu98jm.fsf@home.nest.cx>

>>>>> "Markus" == Markus Friedl writes:

Markus> OpenSSH's UseLogin option allows remote access with root
Markus> privilege. 1. Systems affected:

Markus> The default installation of OpenSSH is not vulnerable,
Markus> since UseLogin defaults to 'no'. However, if UseLogin is
Markus> enabled, all versions of OpenSSH prior to 2.1.1 are
Markus> affected.

Could you clarify if the following lines from http://www.openbsd.org/plus.html are true then?

"Do not use the (non-default) UseLogin option in OpenSSH 2.1.*, it has a hole on other operating systems and does not work right in OpenBSD."
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Is OpenBSD with "UseLogin yes" vulnerable or not (even though it's not default)?

Bye
Greg

From markus.friedl at informatik.uni-erlangen.de Sat Jun 10 01:56:18 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 9 Jun 2000 17:56:18 +0200
Subject: OpenSSH's UseLogin option allows remote access with root privilege.
In-Reply-To: ; from chris@dqc.org on Fri, Jun 09, 2000 at 08:25:11AM -0700
References: <20000609170629.A4933@folly.informatik.uni-erlangen.de> <86aegu98jm.fsf@home.nest.cx> <20000609170629.A4933@folly.informatik.uni-erlangen.de>
Message-ID: <20000609175617.A15613@folly.informatik.uni-erlangen.de>

> Is OpenBSD with "UseLogin yes" vulnerable or not (even though it's not
> default)?

all systems running OpenSSH with UseLogin=yes are vulnerable.

however, it was not possible for me to make this

$ ssh openbsdhost id

work on OpenBSD+OpenSSH+UseLogin.

From corinna at vinschen.de Sat Jun 10 05:46:09 2000
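The advisory and the exchange above turn on a single setting: UseLogin, off by default, and exploitable with `ssh host id` wherever it is on. As an added example, not code from the advisory, from OpenSSH or from anyone in this thread, the C program below answers the Short Term Solution's question for a given sshd_config, reporting whether the file enables UseLogin. It assumes the parsing rules sshd applied at the time ('#' starts a comment, keywords are matched case-insensitively, both "Keyword value" and "Keyword=value" are accepted, and the first occurrence of a keyword wins) and defaults to /etc/sshd_config, the file the advisory names; the two configurations embedded in it are constructed.

```c
/* Added example, not from the advisory or from OpenSSH: report whether an
 * sshd_config enables UseLogin, the precondition for the root-privilege
 * problem. Assumed parsing rules: '#' starts a comment, keywords match
 * case-insensitively, "Keyword value" and "Keyword=value" are both accepted,
 * and the first occurrence wins. WEAK_CONFIG/FIXED_CONFIG are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum uselogin_state { USELOGIN_UNSET = -1, USELOGIN_NO = 0, USELOGIN_YES = 1 };

static int ci_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* One line: USELOGIN_YES/NO if it sets UseLogin, otherwise USELOGIN_UNSET
 * (comment, blank, other keyword, or a value sshd would reject). */
static int uselogin_from_line(const char *line)
{
    char buf[512], keyword[64], value[64], *p;

    strncpy(buf, line, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    if ((p = strchr(buf, '#')) != NULL)
        *p = '\0';
    for (p = buf; *p != '\0'; p++)
        if (*p == '=')
            *p = ' ';
    if (sscanf(buf, " %63s %63s", keyword, value) != 2)
        return USELOGIN_UNSET;
    if (!ci_equal(keyword, "UseLogin"))
        return USELOGIN_UNSET;
    if (ci_equal(value, "yes"))
        return USELOGIN_YES;
    return ci_equal(value, "no") ? USELOGIN_NO : USELOGIN_UNSET;
}

/* Whole config text (first 8 KB): the first UseLogin line decides. */
int uselogin_state(const char *config_text)
{
    char buf[8192], *line;
    int s;

    strncpy(buf, config_text, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    for (line = strtok(buf, "\n"); line != NULL; line = strtok(NULL, "\n"))
        if ((s = uselogin_from_line(line)) != USELOGIN_UNSET)
            return s;
    return USELOGIN_UNSET;            /* default: UseLogin no */
}

/* 1 if the configuration exposes the UseLogin problem, else 0. */
int uselogin_exposed(const char *config_text)
{
    return uselogin_state(config_text) == USELOGIN_YES;
}

/* Same check on a file; -1 if it cannot be read. */
int uselogin_exposed_file(const char *path)
{
    char buf[8192];
    size_t n;
    FILE *f = fopen(path, "r");

    if (f == NULL)
        return -1;
    n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return uselogin_exposed(buf);
}

const char WEAK_CONFIG[] =             /* constructed */
    "Port 22\n"
    "# hand sessions to login(1)\n"
    "  uselogin = YES  # case and '=' as sshd accepts them\n"
    "UseLogin no       # ignored: the first occurrence wins\n";

const char FIXED_CONFIG[] =            /* constructed: the advisory's remedy */
    "Port 22\n"
    "#UseLogin yes\n"
    "UseLogin no\n";

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/sshd_config";
    int r = uselogin_exposed_file(path);

    if (r < 0)
        printf("%s: cannot read\n", path);
    else
        printf("%s: UseLogin %s\n", path,
               r ? "enabled: set UseLogin no or upgrade to 2.1.1" : "not enabled");
    return r != 0;
}
```

The check deliberately follows sshd's first-occurrence rule rather than the last line in the file, because a hardening edit appended at the end (`UseLogin no`) does nothing if an earlier `UseLogin yes` survives; the WEAK_CONFIG sample shows exactly that trap.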
From: corinna at vinschen.de (Corinna Vinschen)
Date: Fri, 09 Jun 2000 21:46:09 +0200
Subject: [PATCH]: Port of openssh-2.1.0p3 to Cygwin environment
References:
Message-ID: <39414981.2DD0FE1D@vinschen.de>

Damien Miller wrote:
> > - Care for all file access to differ `text mode' (files may have
> >   \n or \r\n line endings) from `binary mode' (files are always
> >   read as they are like in U*X).
>
> This is the main problem with integrating the patch - it touched
> just about every open and fopen in the source. This make it more
> difficult to stay synched with the OpenBSD CVS tree (i.e lots more
> manual patching).
>
> Is there any way to decrease the volume of these changes or isolate
> them to a one-off #define?

The problem is that some files have to be opened as `text files' (motd, sshd_config, etc.) and some files have to be opened as `binary files' (utmp, identity, etc.), so there's no chance to generalize the open mode.

You may have seen that there's a difference in the implementation: open(2) calls in OpenSSH are in general with mode O_BINARY, so this is in fact a generalization which should be easy to handle in the ported version. For all OSes which haven't defined O_BINARY, O_BINARY is set to 0 (includes.h).

The difficulty is given in the fopen(3) calls. I don't have a generalization yet instantly. Has somebody else an idea?

> I will give the diff a try over the weekend on our poor NT machine :)

Fine.

Corinna

--
Corinna Vinschen
Cygwin Developer
Cygnus Solutions, a Red Hat company

From pekkas at netcore.fi Sat Jun 10 07:57:35 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Sat, 10 Jun 2000 00:57:35 +0300 (EEST)
Subject: openssh-2.1.1p1 RH62 compile failure

Hello all,

Compiling 2.1.1p1 on my RedHat Linux 6.2 w/ 2.2.16 kernel seems to cause errors from the start..

----
gcc -O2 -m486 -fno-strength-reduce -Wall -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c -o bsd-base64.o bsd-base64.c
In file included from defines.h:261,
                 from config.h:455,
                 from bsd-base64.c:45:
/usr/include/utmp.h:109: redefinition of `struct lastlog'
/usr/include/utmp.h:119: redefinition of `struct exit_status'
/usr/include/utmp.h:127: redefinition of `struct utmp'
make: *** [bsd-base64.o] Error 1
----

Regards,

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi       not those you stumble over and fall"

From djm at mindrot.org Sat Jun 10 08:54:44 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 10 Jun 2000 08:54:44 +1000 (EST)
Subject: openssh-2.1.1p1 RH62 compile failure

On Sat, 10 Jun 2000, Pekka Savola wrote:

> Hello all,
>
> Compiling 2.1.1p1 on my RedHat Linux 6.2 w/ 2.2.16 kernel seems to cause
> errors from the start..

No idea what is happening here - I compile OpenSSH on RH6.2 every other day.

Have you changed any of the includes or libraries?

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Sat Jun 10 09:08:03 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 10 Jun 2000 09:08:03 +1000 (EST)
Subject: Portable OpenSSH 2.1.1p1

Announcing the availability of portable OpenSSH 2.1.1p1.

This release contains the fix for the "UseLogin yes" vulnerability identified in Markus' release and several other enhancements and bugfixes. Including:

 - Better login code. Andre Lucas has rewritten the login code to be
   much more modular and extensible. In the process he has fixed the
   problems with Solaris utmp[x].
 - Revised the entropy collection code to be faster and more reliable.
 - Fix for RSA host restrictions ("from=" in authorized_keys)

It is recommended that all users upgrade to this version.

Portable OpenSSH 2.1.1p1 is available from one of the many mirrors listed at:

http://www.openssh.com/portable.html

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From pekkas at netcore.fi Sat Jun 10 14:34:26 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Sat, 10 Jun 2000 07:34:26 +0300 (EEST)
Subject: openssh-2.1.1p1 RH62 compile failure

> > Compiling 2.1.1p1 on my RedHat Linux 6.2 w/ 2.2.16 kernel seems to cause
> > errors from the start..
>
> No idea what is happening here - I compile OpenSSH on RH6.2 every
> other day.
>
> Have you changed any of the includes or libraries?

Ah, my bad, sorry. I had edited /usr/include/utmp.h when creating a fix for broken configure w/ bash2 but forgot to change the file back.

It seems configure is still broken with bash2 :(

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi       not those you stumble over and fall"

From rmk at toad.rmkhome.com Sat Jun 10 15:41:43 2000
From: rmk at toad.rmkhome.com (Rick Kelly)
Date: Fri, 9 Jun 2000 23:41:43 -0600 (MDT)
Subject: openssh-2.1.0p3 & NetBSD 1.4.2
In-Reply-To: <20000609100824.A5452@rumpole.bohemians.lexington.ky.us> from David Rankin at "Jun 9, 2000 10:08:24 am"
Message-ID: <200006100541.e5A5fhR26557@toad.rmkhome.com>

David Rankin said:
>
>I'd strongly suggest using the Packages collection for NetBSD (not
>only for openssh but also for everything else). While I wasn't involved
>in the 2.1.0p3 package creation, I have tested it on one of my newly built
>machines, and it appears to work just fine.

I wasn't aware that 2.1.0p3 had made it into pkgsrc yet. I downloaded the latest pkgsrc from NetBSD-current and it built easily out of the box. Works as advertised!

Thanks for the tip!

--
Rick Kelly  rmk at rmkhome.com  www.rmkhome.com

From ckarney at sarnoff.com Sun Jun 11 10:03:04 2000
From: ckarney at sarnoff.com (Charles Karney)
Date: Sat, 10 Jun 2000 20:03:04 -0400 (EDT)
Subject: Some missing features?
Message-ID: <14658.55096.165046.471200@shearwater.sarnoff.com>

openssh 2.1.1p1
Linux 2.2.16

(1) ssh(1) says there's a -k flag. Trying to use it prints out the usage message. openssh should support the "-k" flag for interoperability with ssh 1.2.27. (And the flag should be accepted whether or not kerberos support is actually present.)

(2) DSA files seem to be poorly supported:

    ssh-keygen -l [-d] -f .ssh/id_dsa
    .ssh/id_dsa is not a valid key file.

    ssh-add [-d] .ssh/id_dsa
    Bad key file .ssh/id_dsa: Success

--
Charles Karney                Email: ckarney at sarnoff.com
Sarnoff Corporation           Phone: +1 609 734 2312
Princeton, NJ 08543-5300      Fax:   +1 609 734 2586

From corinna at vinschen.de Mon Jun 12 01:54:24 2000
From: corinna at vinschen.de (Corinna Vinschen)
Date: Sun, 11 Jun 2000 17:54:24 +0200
Subject: [PATCH]: Port of openssh-2.1.0p3 to Cygwin environment
References:
Message-ID: <3943B630.3B843693@vinschen.de>

Damien Miller wrote:
> > Porting to Cygwin has two major goals:
> >
> > - Care for all file access to differ `text mode' (files may have
> >   \n or \r\n line endings) from `binary mode' (files are always
> >   read as they are like in U*X).
>
> This is the main problem with integrating the patch - it touched
> just about every open and fopen in the source. This make it more
> difficult to stay synched with the OpenBSD CVS tree (i.e lots more
> manual patching).
>
> Is there any way to decrease the volume of these changes or isolate
> them to a one-off #define?

What do you think of something like

    #ifdef __CYGWIN__
    #define FOPEN_READ_TEXT   "rt"
    #define FOPEN_READ_BINARY "rb"
    #else
    #define FOPEN_READ_TEXT   "r"
    #define FOPEN_READ_BINARY "r"
    #endif

and use FOPEN_READ_* throughout. That still touches every single fopen but it reduces the number of lines.

Corinna

>
> I will give the diff a try over the weekend on our poor NT machine :)
>
> Regards,
> Damien Miller
>
> --
> | "Bombay is 250ms from New York in the new world order" - Alan Cox
> | Damien Miller - http://www.mindrot.org/
> | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

--
Corinna Vinschen
Cygwin Developer
Cygnus Solutions, a Red Hat company

From jeff at cyte.com Mon Jun 12 05:02:50 2000
From: jeff at cyte.com (Jeff Wiegley)
Date: Sun, 11 Jun 2000 12:02:50 -0700
Subject: ssh-agent2?
Message-ID: <3943E25A.B17677A6@cyte.com>

I noticed Mr. Manton queried about the availability status of ssh-{agent,add}2 for OpenSSH.

I would also like to know when this feature will be added and available? I can help code it or document it, but my understanding of the inner workings of the SSH protocols is pretty much nil, and the RSA authentication agent routines seem pretty involved and complex, which sort of discouraged me right off the bat from trying to forge ahead and implement it for DSA.

Any news about other people's attempts/progress to get ssh-agent2 implemented?

Thanks,
Jeff Wiegley

From stend+openssh at sten.org Mon Jun 12 05:56:37 2000
From: stend+openssh at sten.org (Sten)
Date: 11 Jun 2000 14:56:37 -0500
Subject: Additions to UPGRADING?

In upgrading from ssh-1.1.25 to openssh-2.1.1p1, I've come across a pair of incompatibilities not mentioned in the UPGRADING list. The first involves the authorized_keys file:

n. No un-quoted spaces are permitted in the options field of the
   authorized_keys file. While this was documented as a restriction in
   F-Secure SSH, in practice this was not enforced. OpenSSH does enforce
   this restriction.

The second involves both the sshd_config and authorized_keys files. I encountered it with the authorized_keys file (as it made a key unusable), and I haven't tested how the OpenSSH sshd reacts to having the unavailable flags in sshd_config:

m. Options unavailable in sshd_options and authorized_keys. The
   AccountExpireWarningDays, AllowForwardingPort, AllowForwardingTo,
   AllowHosts, AllowSHosts, AllowTcpForwarding, DenyForwardingPort,
   DenyForwardingTo, DenyHosts, DenySHosts, DenyTcpForwarding,
   ForcedEmptyPasswdChange, ForcedPasswdChange, IdleTimeout,
   IgnoreRootRhosts, PasswordExpireWarningDays, SilentDeny,
   TISAuthentication, and Umask options are not available in
   sshd_options. Similarly, the allowforwardingport, allowforwardingto,
   denyforwardingport, and denyforwardingto options are not available in
   authorized_keys.

--
#include                /* Sten Drescher */
"This is the *NIX version of the 'ILOVEYOU' worm. It runs on the honor system. Forward this to everyone in your address book, and randomly delete some of your files." - Unknown

From amc at cs.berkeley.edu Mon Jun 12 06:04:53 2000
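The two rules in Sten's message (no unquoted whitespace inside the options field, and a fixed set of option names that sshd accepts) can be checked with a small tokenizer. The code below is an added example for this archive, not code from OpenSSH and not something Sten posted: split_key_options() and option_known() are names chosen here, the quote handling follows sshd's documented behaviour in spirit rather than line by line, the list of known options is assumed to match the sshd(8) page of this release (check it against the version you run), and KEYOPT_MAX/KEYOPT_LEN are arbitrary limits for the example. The authorized_keys lines fed to it are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define KEYOPT_MAX 8		/* options accepted per line (example limit) */
#define KEYOPT_LEN 128		/* longest single option incl. a quoted value */

/* Split the options field at the start of an authorized_keys line.
 *  - options are separated by commas with no whitespace around them;
 *  - a value in double quotes may contain commas and spaces, and \" inside
 *    the quotes stands for a literal quote (quotes are stripped on output);
 *  - the first unquoted whitespace ends the field; the key follows it.
 * Returns a pointer to the key text, or NULL if the field is malformed:
 * unterminated quote, empty option, or whitespace where an option name
 * should start, as in 'from="a", no-pty'.  *count gets the option count. */
const char *
split_key_options(const char *line, char opts[][KEYOPT_LEN], int max, int *count)
{
	int n = 0, len = 0, quoted = 0;
	const char *p;

	for (p = line; ; p++) {
		char c = *p;
		if (quoted) {
			if (c == '\0')
				return NULL;		/* unterminated quote */
			if (c == '\\' && p[1] == '"')
				c = *++p;		/* escaped quote, keep it */
			else if (c == '"') {
				quoted = 0;
				continue;
			}
		} else if (c == '"') {
			quoted = 1;
			continue;
		} else if (c == ',') {
			if (len == 0)
				return NULL;		/* ",," or leading comma */
			opts[n][len] = '\0';
			n++; len = 0;
			if (n == max)
				return NULL;		/* another option follows, no room */
			continue;
		} else if (c == '\0' || isspace((unsigned char)c)) {
			if (len == 0)
				return NULL;		/* e.g. space right after a comma */
			opts[n][len] = '\0';
			*count = n + 1;
			while (isspace((unsigned char)*p))
				p++;
			return p;
		}
		if (len + 1 >= KEYOPT_LEN)
			return NULL;
		opts[n][len++] = c;
	}
}

/* Option names assumed to be the ones sshd(8) documents for this release. */
static const char *known_options[] = {
	"from=", "command=", "environment=",
	"no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding", "no-pty",
	NULL
};

static int
prefix_nocase(const char *s, const char *pfx)
{
	for (; *pfx != '\0'; s++, pfx++)
		if (tolower((unsigned char)*s) != tolower((unsigned char)*pfx))
			return 0;
	return 1;
}

/* 1 if opt is a documented option (name compared case-insensitively, as sshd
 * does), 0 otherwise; F-Secure-only names such as allowforwardingto fail. */
int
option_known(const char *opt)
{
	const char **k;
	for (k = known_options; *k != NULL; k++) {
		size_t kl = strlen(*k);
		if (prefix_nocase(opt, *k) && ((*k)[kl - 1] == '=' || opt[kl] == '\0'))
			return 1;
	}
	return 0;
}

char g_opts[KEYOPT_MAX][KEYOPT_LEN];	/* scratch storage for callers */
int g_count;

int
main(void)
{
	/* constructed sample line */
	const char *key = split_key_options("from=\"*.example.com\",no-pty ssh-rsa AAAA user@host",
	    g_opts, KEYOPT_MAX, &g_count);
	int i;
	if (key == NULL) { puts("bad options field"); return 1; }
	for (i = 0; i < g_count; i++)
		printf("%s option: %s\n", option_known(g_opts[i]) ? "known" : "unknown", g_opts[i]);
	printf("key: %s\n", key);
	return 0;
}
```

A line such as `from="a", no-pty ssh-rsa ...` is rejected at the space after the comma, which is the case Sten hit; a quoted command containing spaces and commas passes unchanged.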
From: amc at cs.berkeley.edu (Adam M. Costello)
Date: Sun, 11 Jun 2000 20:04:53 +0000
Subject: [PATCH]: Port of openssh-2.1.0p3 to Cygwin environment
In-Reply-To: <3943B630.3B843693@vinschen.de>; from corinna@vinschen.de on Sun, Jun 11, 2000 at 05:54:24PM +0200
References: <3943B630.3B843693@vinschen.de>
Message-ID: <20000611200452.F6536@arwen.cs.berkeley.edu>

> #ifdef __CYGWIN__
> #define FOPEN_READ_TEXT "rt"
> #define FOPEN_READ_BINARY "rb"
> #else
> #define FOPEN_READ_TEXT "r"
> #define FOPEN_READ_BINARY "r"
> #endif

I know nothing about Cygwin, but is it ANSI C conformant? K&R2 does not mention the option of including "t" in the mode. It says you can either have a "b" or not have one.

It should be perfectly safe to use "b" for binary files on all platforms, so I see no need to use the preprocessor.

AMC

From jmknoble at pint-stowp.cx Mon Jun 12 06:15:32 2000
From: jmknoble at pint-stowp.cx (Jim Knoble)
Date: Sun, 11 Jun 2000 16:15:32 -0400
Subject: [PATCH]: Port of openssh-2.1.0p3 to Cygwin environment
In-Reply-To: <20000611200452.F6536@arwen.cs.berkeley.edu>; from Adam M. Costello on Sun, Jun 11, 2000 at 08:04:53PM +0000
References: <3943B630.3B843693@vinschen.de> <20000611200452.F6536@arwen.cs.berkeley.edu>
Message-ID: <20000611161532.C16752@ntrnet.net>

Circa 2000-Jun-11 20:04:53 +0000 schrieb Adam M. Costello:

: I know nothing about Cygwin, but is it ANSI C conformant? K&R2 does not
: mention the option of including "t" in the mode. It says you can either
: have a "b" or not have one.

Plauger ("The Standard C Library") confirms this: fopen(... "r" ...) means text mode, while fopen(... "rb" ...) means binary.

: It should be perfectly safe to use "b" for binary files on all
: platforms, so I see no need to use the preprocessor.

Agreed. Use of "b" with fopen() ought to get folded back into OpenBSD's OpenSSH code.

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From rachit at ensim.com Mon Jun 12 15:00:42 2000
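Corinna's earlier message makes the case that motd and sshd_config are text while keys and utmp are binary, and Adam and Jim point out that "b" in the fopen mode is standard C and a no-op on POSIX. One way to get both without a mode macro at every fopen is to open every file with "b" and let the line splitter accept "\r\n" as well as "\n". The following is an added example for this archive, not OpenSSH code and not a proposal from the thread: cfg_split_lines(), cfg_split_str() and cfg_binary_roundtrip_selftest() are names chosen here, CFG_LINE_MAX/CFG_MAX_LINES are example limits, and the sshd_config directives used as input are constructed.

```c
#include <stdio.h>
#include <string.h>

#define CFG_LINE_MAX 256
#define CFG_MAX_LINES 32

/* Split configuration text that was read in binary mode ("rb") into lines,
 * accepting both "\n" and "\r\n" terminators and dropping the terminator.
 * A final line without "\n" is still returned.  Returns the number of lines
 * stored, or -1 if a line is too long or there are more lines than fit. */
int
cfg_split_lines(const char *data, size_t len, char lines[][CFG_LINE_MAX], int max)
{
	int n = 0;
	size_t i, start = 0;

	for (i = 0; i <= len; i++) {
		size_t end;
		if (i < len && data[i] != '\n')
			continue;
		if (i == len && start == len)
			break;			/* input ended with "\n": no partial line */
		end = i;
		if (end > start && data[end - 1] == '\r')
			end--;			/* "\r\n": strip the CR as well */
		if (n == max || end - start >= CFG_LINE_MAX)
			return -1;
		memcpy(lines[n], data + start, end - start);
		lines[n][end - start] = '\0';
		n++;
		start = i + 1;
	}
	return n;
}

/* Convenience wrapper for NUL-terminated text. */
int
cfg_split_str(const char *s, char lines[][CFG_LINE_MAX], int max)
{
	return cfg_split_lines(s, strlen(s), lines, max);
}

/* Round trip through a real stdio stream in binary mode: write a constructed
 * CRLF-terminated config to a tmpfile() (which is opened "w+b"), read it back
 * with fread(), confirm the bytes came back untranslated (the CRs are still
 * there), and confirm the splitter still yields clean directives.
 * Returns 1 on success, 0 on any failure. */
int
cfg_binary_roundtrip_selftest(void)
{
	static const char text[] = "Port 22\r\nUseLogin no\r\n";	/* constructed sample */
	char buf[64];
	char lines[CFG_MAX_LINES][CFG_LINE_MAX];
	size_t got;
	FILE *fp = tmpfile();

	if (fp == NULL)
		return 0;
	if (fwrite(text, 1, sizeof(text) - 1, fp) != sizeof(text) - 1) {
		fclose(fp);
		return 0;
	}
	rewind(fp);
	got = fread(buf, 1, sizeof buf, fp);
	fclose(fp);
	if (got != sizeof(text) - 1 || memcmp(buf, text, got) != 0)
		return 0;			/* a binary read must not translate */
	if (cfg_split_lines(buf, got, lines, CFG_MAX_LINES) != 2)
		return 0;
	return strcmp(lines[0], "Port 22") == 0 && strcmp(lines[1], "UseLogin no") == 0;
}

char g_lines[CFG_MAX_LINES][CFG_LINE_MAX];	/* scratch storage for callers */
```

With this approach the only platform-specific thing left is the "b" itself, which is harmless everywhere, so the OpenBSD tree and the portable tree can share the same fopen calls.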
From: rachit at ensim.com (Rachit Siamwalla)
Date: Sun, 11 Jun 2000 22:00:42 -0700
Subject: problems with scp
Message-ID: <39446E7A.30512992@ensim.com>

I have an openssh server running on solaris 7 and the client running on a clean RH linux 6.1 box. I am using the latest release (2.1.1p1 -- i had the known solaris utmp problem and the read_key problem when using 2.1.0p2 so i upgraded).

scp from the linux machine to solaris machine gives a "lost connection" message

[root at dog /root]# scp foo.bar solmachine:/tmp/
lost connection

the file foo.bar does not even have to exist for this to happen. The -v and the -d flags don't seem to give more information (i compared the output with a linux-linux scp). strace / truss information can be made available, although it doesn't seem like any system call failed to cause this to happen.

Looking from the source code, it looks like the client scp does a read (using the atomicio call), expects the message to be a certain length, but it isn't. So it assumes the server disconnected (which seems to be a valid assumption), and prints "lost connection" then disconnects. However looking at the server side, it thought the client disconnected.

Anyways, did anyone else ever encounter this problem (so i can confirm that it isn't my hallucination)? (i'll probably go back to using datafellows ssh).

BTW, i am not a member of this list, so please cc any responses to me.

thanx.
-rchit

From rachit at ensim.com Mon Jun 12 16:43:12 2000
From: rachit at ensim.com (Rachit Siamwalla)
Date: Sun, 11 Jun 2000 23:43:12 -0700
Subject: problems with scp
References: <39446E7A.30512992@ensim.com>
Message-ID: <39448680.9553794C@ensim.com>

Theo de Raadt requested my scp -v output, so i'm posting it to the list. Also, the lost connection message was from line 917 in scp.c (the first couple lines of int response()). (note i used a non-default port 19635).

output of scp -v -P 19635 foo.bar 10.1.1.239:/tmp 2>&1

Executing: host 10.1.1.239, user (unspecified), command scp -v -t /tmp
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to 10.1.1.239 [10.1.1.239] port 19635.
debug: Connection established.
debug: Remote protocol version 2.0, remote software version OpenSSH_2.1.1
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.1.1
debug: Seeding random number generator
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: zlib,none
debug: got kexinit: zlib,none
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEXDH_INIT.
debug: bits set: 514/1024
debug: Wait SSH2_MSG_KEXDH_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: keytype ssh-dss
debug: keytype ssh-dss
debug: Host '10.1.1.239' is known and matches the DSA host key.
debug: bits set: 496/1024
debug: len 55 datafellows 0
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,password
debug: try pubkey: /root/.ssh/id_dsa
debug: read DSA private key done
debug: sig size 20 20
debug: ssh-userauth2 successfull
debug: fd 5 setting O_NONBLOCK
debug: fd 6 setting O_NONBLOCK
debug: fd 7 setting O_NONBLOCK
debug: channel 0: new [client-session]
debug: send channel open 0
debug: Entering interactive session.
debug: callback start
debug: client_init id 0 arg 0
debug: Sending command: scp -v -t /tmp
debug: client_set_session_ident: id 0
debug: callback done
debug: channel 0: open confirm rwindow 0 rmax 32768
debug: channel 0: rcvd adjust 16384
debug: callback start
debug: client_input_channel_req: rtype exit-status reply 0
debug: callback done
debug: channel 0: rcvd eof
debug: channel 0: output open -> drain
debug: channel 0: rcvd close
debug: channel 0: input open -> closed
debug: channel 0: close_read
debug: channel 0: obuf empty
debug: channel 0: output drain -> closed
debug: channel 0: close_write
debug: channel 0: send close
debug: channel 0: full closed2
debug: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
debug: !channel_still_open.
debug: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.0 seconds
debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug: Exit status 1
lost connection

From bakerkj at umich.edu Tue Jun 13 01:58:28 2000
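The path Rachit traced, a short read of the status byte at the top of response() and then "lost connection", follows from the scp status protocol: for every request the remote scp answers with one status byte, and for status 1 (error) or 2 (fatal) a message line terminated by "\n". The -v output above shows the remote command finishing with exit status 1 after zero bytes on stdout, so the client's first read sees EOF where a status byte should be. The following is an added example for this archive, not scp.c itself: it models that parsing over an in-memory buffer instead of a descriptor, scp_response() and the SCP_* names are this example's own, and the sample messages are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of parsing one scp status message (modelled on response() in scp.c). */
enum scp_status { SCP_LOST = -1, SCP_OK = 0, SCP_ERROR = 1, SCP_FATAL = 2 };

/* Parse one status message from buf[0..len).  For SCP_ERROR and SCP_FATAL
 * the message text, without its newline, is copied to msg.  SCP_LOST means
 * the data ended before a complete message was seen: no status byte at all
 * (the case in the -v output above, remote exited without writing one) or a
 * message line cut off before "\n".  *consumed, if non-NULL, receives the
 * number of bytes used so a caller can parse the next message. */
int
scp_response(const unsigned char *buf, size_t len, size_t *consumed,
    char *msg, size_t msgcap)
{
	size_t i = 0, m = 0;
	unsigned char resp;
	int rc;

	if (msgcap > 0)
		msg[0] = '\0';
	if (len == 0)
		return SCP_LOST;		/* EOF instead of a status byte */

	resp = buf[i++];
	if (resp == 0) {
		if (consumed != NULL)
			*consumed = i;
		return SCP_OK;
	}
	rc = (resp == 1) ? SCP_ERROR : SCP_FATAL;
	if (resp > 2 && m + 1 < msgcap)
		msg[m++] = (char)resp;		/* scp treats any other byte as message text */

	for (;;) {
		unsigned char ch;
		if (i >= len) {
			if (msgcap > 0)
				msg[0] = '\0';
			return SCP_LOST;	/* line cut off before "\n" */
		}
		ch = buf[i++];
		if (ch == '\n')
			break;
		if (m + 1 < msgcap)
			msg[m++] = (char)ch;
	}
	if (msgcap > 0)
		msg[m] = '\0';
	if (consumed != NULL)
		*consumed = i;
	return rc;
}

char g_msg[256];	/* scratch storage for callers */

int
main(void)
{
	/* constructed samples: ok, error with text, and the empty stream */
	static const unsigned char ok[] = { 0 };
	static const unsigned char err[] = "\001scp: /tmp/foo: Permission denied\n";
	const char *names[] = { "lost", "ok", "error", "fatal" };
	int rc;

	rc = scp_response(ok, sizeof ok, NULL, g_msg, sizeof g_msg);
	printf("%s\n", names[rc + 1]);
	rc = scp_response(err, sizeof err - 1, NULL, g_msg, sizeof g_msg);
	printf("%s: %s\n", names[rc + 1], g_msg);
	rc = scp_response(err, 0, NULL, g_msg, sizeof g_msg);
	printf("%s\n", names[rc + 1]);		/* what scp reports as "lost connection" */
	return 0;
}
```

The practical consequence is that "lost connection" on the client says nothing about why the remote scp exited; the remote side's exit status and stderr (here "Exit status 1") are the place to look.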
From: bakerkj at umich.edu (Kenneth J Baker)
Date: Mon, 12 Jun 2000 11:58:28 -0400 (EDT)
Subject: ssh -R option

Dear list,

I'm relatively new to using ssh. I'm trying to use the -R option to set up a forwarded port between two machines. Specifically I'd like to be able to ssh to machineB from machineA and then have a port on machineB that I can connect to machineA with. If my understanding is correct I'd need a command like:

machineA> ssh -R 10000:machineA:23 machineB

This should open port 10000 on machineB to be forwarded to machineA:23, right? Assuming I have telnet open on machineA I should be able to then:

machineB> telnet machineB 10000

For some reason this doesn't work. Is what i'm trying to do possible? Any suggestions?

Thanks,
Ken

(below is the debug output when I run the above command with the -v option)

[root at machineA /root]# ssh -v -R 10000:machineA:23 machineB
SSH Version OpenSSH-2.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to machineB [192.168.1.20] port 22.
debug: Seeding random number generator
debug: Allocated local port 824.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH-2.1
debug: Local version string SSH-1.5-OpenSSH-2.1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'machineB' is known and matches the RSA host key.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication with key 'root at machineA'
debug: Received RSA challenge from server.
debug: Sending response to host key RSA challenge.
debug: Remote: RSA authentication accepted.
debug: RSA authentication accepted by server.
debug: Requesting pty.
debug: Connections to remote port 10000 forwarded to local address machineA:23
debug: Requesting shell.
debug: Entering interactive session.
[root at machineB /root]# ........
[root at machineB /root]# telnet machineB 10000
Trying 192.168.1.20...
telnet: Unable to connect to remote host: Connection refused

From gem at rellim.com Tue Jun 13 02:33:58 2000
From: gem at rellim.com (Gary E. Miller)
Date: Mon, 12 Jun 2000 09:33:58 -0700 (PDT)
Subject: Openssh on SCO Openserver Release 5
In-Reply-To: <001a01bfd471$e605dc80$27dc25c4@datrix.co.za>

Yo Andrew!

What version of Openssh are you trying?

RGDS
GARY

On Mon, 12 Jun 2000, Andrew McGill wrote:

> Date: Mon, 12 Jun 2000 15:26:53 +0200
> From: Andrew McGill
> To: djm at ibs.com.au
> Cc: gem at rellim.com
> Subject: Openssh on SCO Openserver Release 5
>
> Hi there
>
> Your e-mail address appears in the README for openssh, which is why I am
> sending this to you. (I hope you are somewhere close to the maintainers of
> openssh)
>
> I have managed to compile and run openssh on SCO Openserver (another
> version from the original port). There were a few funnies which you may
> want to incorporate into the distribution:
>
> 0. System information:
>
> $ uname -X
> System = SCO_SV
> Node = scosysv
> Release = 3.2v5.0.4
> KernelID = 97/05/07
> Machine = Pentium
> BusType = ISA
> Serial = 4FC006928
> Users = 16-user
> OEM# = 0
> Origin# = 1
> NumCPU = 1
>
>
> 1. /dev/ptmx
>
> config.h
> My SCO does support the device /dev/ptmx after a fashion, but does not
> enable them as true tty's. This causes problems with sshd. The man page
> says:
> >>>
> Limitations
> ===========
>
> Although /dev/ptmx is referred to as a pseudo-tty, the master device does
> not have tty characteristics and therefore cannot become the controlling
> tty of a process group. The slave side of the connection does have the
> characteristics of a real tty and can become the controlling tty of a
> process group.
> <<<
>
> I changed the config.h line
>   #define HAVE_DEV_PTMX 1
> to contain the following
>   /* #define HAVE_DEV_PTMX 1 */
> fixes this. I think the correct approach is to fix configure.in to include
> a line for SCO similar to the line for linux --but installing autoconf on
> this box doesn't seem like fun at the moment, especially since I am
> changing jobs within the month:
>
>   *-*-sco3*)
>           no_dev_ptmx=1
>           ;;
>
> 2. MAXPATHLEN
>
> include.h
> My SCO header files do not define the MAXPATHLEN macro, which is required
> by openssh. To rectify this, I added the following lines before the final
> endif:
>   #ifndef MAXPATHLEN
>   #define MAXPATHLEN 64
>   #endif
> According to usr/include/limits.h, the correct SCO value appears to be
> PATH_MAX -- except it is not defined either :(
>
> host system type:
>   i586-pc-sco3.2v5.0.4
>
>
> ---
> This entire communication can be represented as a binary integer. As a
> result it is entirely rational.
>
>

---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

From speno at isc.upenn.edu Tue Jun 13 04:37:32 2000
From: speno at isc.upenn.edu (John P Speno)
Date: Mon, 12 Jun 2000 14:37:32 -0400
Subject: SIA support patches for Tru64 UNIX
In-Reply-To: ; from djm@mindrot.org on Fri, Jun 09, 2000 at 09:59:55PM +1000
References: <20000505141552.B103289@isc.upenn.edu>
Message-ID: <20000612143732.A44992@isc.upenn.edu>

On Fri, Jun 09, 2000 at 09:59:55PM +1000, Damien Miller wrote:
>
> Do you have a diff against any of the 2.x.x OpenSSH versions?

I do now. SIA support patches for 2.x are here:

From pausmith at nortelnetworks.com Tue Jun 13 05:50:25 2000
From: pausmith at nortelnetworks.com (Paul D. Smith) Date: Mon, 12 Jun 2000 15:50:25 -0400 (EDT) Subject: getrusage() privileged on Solaris 2.5.1 Message-ID: <14661.16129.850891.40910@nortelnetworks.com> The builtin entropy gathering code in OpenSSH 2.1.1p1 tries to use getrusage() if it's available. This function is available on Solaris 2.5.1, but you must have root permissions to run it. However, configure.in uses only AC_CHECK_FUNCS() to look for getrusage, and this only tests for a successful link. For this function you need to do a more thorough check and actually try to run a test program with getrusage() to see if the user has permissions to run it. In the meantime I've had to hardwire config.h to disable HAVE_GETRUSAGE. Thanks. -- ------------------------------------------------------------------------------- Paul D. Smith Network Management Development "Please remain calm...I may be mad, but I am a professional." --Mad Scientist ------------------------------------------------------------------------------- These are my opinions---Nortel Networks takes no responsibility for them. From tbert at abac.com Tue Jun 13 07:45:33 2000 From: tbert at abac.com (Tom Bertelson) Date: Mon, 12 Jun 2000 17:45:33 -0400 Subject: AIX and 2.1.1p1 Message-ID: <394559FD.DC62E116@abac.com> The new login code works fine with AIX 4.3. Two nits, though. If --disable-lastlog is defined, the code still tries to slog through wtmp to determine the last login time. Is this a bug or a feature? If a feature, change the DISABLE_LASTLOG test below to WITH_AIXAUTHENTICATE. Also, a small typo in configure.in, plus an AIX tweak. --- configure.in.orig Thu Jun 8 21:58:35 2000 +++ configure.in Mon Jun 12 16:27:54 2000 @@ -38,6 +38,8 @@ AC_DEFINE(BROKEN_GETADDRINFO) dnl AIX handles lastlog as part of its login message AC_DEFINE(DISABLE_LASTLOG) + MANTYPE='$(CATMAN)' + mansubdir=cat ;; *-*-hpux10*) if test -z "$GCC"; then 
@@ -994,7 +996,7 @@ [ char *lastlog = _PATH_LASTLOG; ], [ AC_MSG_RESULT(yes) ], [ - AC_MSG_RESULT(no), + AC_MSG_RESULT(no) system_lastlog_path=no ]) ] --- session.c.orig Mon Jun 12 16:52:59 2000 +++ session.c Mon Jun 12 16:54:24 2000 @@ -524,6 +524,9 @@ /* Get remote host name. */ hostname = get_canonical_hostname(); +#if defined(DISABLE_LASTLOG) + last_login_time = 0; +#else /* * Get the time when the user last logged in. Buf will be set to * contain the hostname the last login was from. @@ -532,6 +535,7 @@ last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name, buf, sizeof(buf)); } +#endif #ifdef USE_PAM do_pam_session(pw->pw_name, s->tty); -- Tom Bertelson "Any sufficiently advanced technology RHI Consulting is indistinguishable from magic." tbert at abac.com -- Arthur C. Clarke From andre.lucas at dial.pipex.com Tue Jun 13 09:45:06 2000 
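Review bot: the two lines added to the AIX case of configure.in, `MANTYPE='$(CATMAN)'` and `mansubdir=cat`, carry no explanation, unlike the `dnl AIX handles lastlog as part of its login message` line just above them; add a dnl comment saying why AIX needs preformatted cat pages so that the next person touching that case does not drop them, and check that nothing later in configure (or a user-supplied setting, if one exists for the man page type) is silently overridden by these hard-coded values.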
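Review bot: the `#if defined(DISABLE_LASTLOG)` guard around the get_last_login_time() call in session.c fixes the symptom at one call site rather than at the source; every other caller of the last-login lookup would need the same guard, and session.c picks up a portable-only #ifdef in a file that is otherwise kept in step with OpenBSD. Returning 0 from get_last_login_time() in loginrec.c when DISABLE_LASTLOG is set needs no change here at all. If the guard stays, also clear the buffer in the DISABLE_LASTLOG branch (`buf[0] = '\0';` next to `last_login_time = 0;`): the comment on the #else path says buf is expected to hold the hostname of the last login, and in the new branch it is left uninitialised.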
From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Tue, 13 Jun 2000 00:45:06 +0100 Subject: AIX and 2.1.1p1 References: <394559FD.DC62E116@abac.com> Message-ID: <39457602.949F875E@dial.pipex.com> Tom Bertelson wrote: > > The new login code works fine with AIX 4.3. Two nits, though. If > --disable-lastlog is defined, the code still tries to slog through wtmp > to determine the last login time. Is this a bug or a feature? If a > feature, change the DISABLE_LASTLOG test below to WITH_AIXAUTHENTICATE. > Also, a small typo in configure.in, plus an AIX tweak. > 8< 8< Glad to hear it's working on AIX :) The DISABLE_LASTLOG issue you mention is a bug, I've made some changes to loginrec.c that I hope will fix it. If you have time please could you test the attached patch? All it does is immediately return 0 if DISABLE_LASTLOG is defined. USE_LASTLOG isn't the opposite of DISABLE_LASTLOG. A bit confusing, I know. USE_LASTLOG means 'this system has some form of lastlog recording of its own so use it', whereas DISABLE_LASTLOG should mean 'don't even *try* to retrieve lastlog information from any source.' USE_SYSTEM_LASTLOG might be a better symbol name than USE_LASTLOG. Since the problem should be fixed in loginrec.c, no change is required in session.c. I've applied your changes to configure.in, thanks. -Andre' > > -- > Tom Bertelson "Any sufficiently advanced technology > RHI Consulting is indistinguishable from magic." > tbert at abac.com -- Arthur C. Clarke -------------- next part -------------- Index: loginrec.c =================================================================== RCS file: /var/cvs/openssh/loginrec.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- loginrec.c 2000/06/07 11:32:13 1.4 +++ loginrec.c 2000/06/12 22:21:44 1.5 
@@ -170,7 +170,7 @@ #include "xmalloc.h" #include "loginrec.h" -RCSID("$Id: loginrec.c,v 1.4 2000/06/07 11:32:13 djm Exp $"); +RCSID("$Id: loginrec.c,v 1.5 2000/06/12 22:21:44 andre Exp $"); /** ** prototypes for helper functions in this file @@ -372,29 +372,40 @@ #else /* !USE_LASTLOG */ +# ifdef DISABLE_LASTLOG + /* On some systems we shouldn't even try to obtain last login + * time, e.g. AIX */ + return 0; + +# else /* Try to retrieve the last login time from wtmp */ -# if defined(USE_WTMP) && (defined(HAVE_TIME_IN_UTMP) || defined(HAVE_TV_IN_UTMP)) +# if defined(USE_WTMP) && (defined(HAVE_TIME_IN_UTMP) || defined(HAVE_TV_IN_UTMP)) /* retrieve last login time from utmp */ if (wtmp_get_entry(li)) return 1; else return 0; -# else +# else /* If wtmp isn't available, try wtmpx */ -# if defined(USE_WTMPX) && (defined(HAVE_TIME_IN_UTMPX) || defined(HAVE_TV_IN_UTMPX)) +# if defined(USE_WTMPX) && (defined(HAVE_TIME_IN_UTMPX) || defined(HAVE_TV_IN_UTMPX)) /* retrieve last login time from utmpx */ if (wtmpx_get_entry(li)) return 1; else return 0; -# else +# else /* Give up: No means of retrieving last login time */ return 0; +# endif + /* USE_WTMPX && (HAVE_TIME_IN_UTMPX || HAVE_TV_IN_UTMPX) */ + # endif + /* USE_WTMP && (HAVE_TIME_IN_UTMP || HAVE_TV_IN_UTMP) */ # endif + /* DISABLE_LASTLOG */ #endif /* USE_LASTLOG */ } From Matthew_Clarke at mindlink.bc.ca Tue Jun 13 10:28:40 2000 
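Review bot: the new `# ifdef DISABLE_LASTLOG ... return 0;` block is nested inside `#else /* !USE_LASTLOG */`, so it only takes effect when USE_LASTLOG is undefined; a build in which configure defines both USE_LASTLOG and DISABLE_LASTLOG still reads the system lastlog, which is the opposite of what --disable-lastlog promises. Test DISABLE_LASTLOG first, ahead of the USE_LASTLOG branch, so it wins regardless of what else is defined. Minor and pre-existing: the comment `/* retrieve last login time from utmp */` above `wtmp_get_entry(li)` should say wtmp.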
From: Matthew_Clarke at mindlink.bc.ca (Matthew Clarke)
Date: Mon, 12 Jun 2000 17:28:40 -0700
Subject: 2.2.1p1 / AIX 4.2.1.0.06 login nits
Message-ID: <20000612172840.B16182@ds0.van.maves.ca>

Hi.

New (2.1.1p1) login code is nicer on AIX (4.2.1.0.06). Thanks.

A couple of issues, though, which I haven't really dug into yet. I'm wondering if anyone else has seen them? If not, I'll investigate & report.

1. If I set "UseLogin" to "yes", everything seems fine except that the authentication agent forwarding doesn't work. The "SSH" environment variables don't get propagated through to the user's shell.

2. If I set "UseLogin" to "no", the above problem disappears, but the user's resource limits are not set from /etc/security/limits. In my case, the server inherits the hard limit on stack size (16384) from the parent process (init), and that's not enough stack space to load the C compiler, among other things. :(

Thoughts?

Matt.

--
Any research done on how to efficiently use computers has been long lost in the mad rush to upgrade systems to do things that aren't needed by people who don't understand what they are really supposed to do with them.
  -- Graham Reed, in a.s.r.

From bens at saber.net Wed Jun 14 02:32:22 2000
From: bens at saber.net (Benjamin Smith)
Date: Tue, 13 Jun 2000 09:32:22 -0700
Subject: scp -r blues
Message-ID: <39466216.90300BB8@saber.net>

Hi there,

I'm using the latest stable release of open-ssh, and scp, and am having a problem...

I want to use scp to backup some important files on a publically visible server.

Everything seems fine, except for two details:

1) scp will not copy a core file. This server is used for devel, and the occasional core file is created. scp almost always coughs on such files, and stops.

2) scp -r will recurse sub-directories, but no option is available for "don't copy sym-links" or similar. It's not uncommon to hit a loop, copying recursively forever until you are out of disk space locally. In other words, if /home/user/bin/scripts/perl/tcommand is a symlink to /home/user/bin/tcommand then scp will copy the ./scripts/perl/tcommand over and over as sub-directories over and over... endlessly.

Is there a way around these two problems?

-Ben

--
"Life is short. Live it!"

From karn at ka9q.ampr.org Tue Jun 13 11:53:09 2000
From: karn at ka9q.ampr.org (Phil Karn)
Date: Mon, 12 Jun 2000 18:53:09 -0700
Subject: scp -r blues
In-Reply-To: <39466216.90300BB8@saber.net> (message from Benjamin Smith on Tue, 13 Jun 2000 09:32:22 -0700)
References: <39466216.90300BB8@saber.net>
Message-ID: <200006130153.SAA22548@homer.ka9q.ampr.org>

One workaround is to run rsync on top of ssh. In general, it is a much better copy utility, with clever performance enhancements for making minor file updates across slow links, and I now use it for just about everything from automatic mirroring of my home directory on a backup machine to downloading email to my laptop.

Phil

From djm at mindrot.org Tue Jun 13 12:08:14 2000
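Ben's second problem, a recursive copy that follows a symlink back into a directory it is already copying, is avoided by examining every entry with lstat() and refusing to descend through a link, with a (dev, ino) record of the directories on the current path as a second guard against cycles. The C below is an added example for this archive, not scp's code and not a patch to it (Phil's rsync suggestion is the answer the thread gives): walk_dir() and walk_selftest() are names chosen here, and the self-test builds the layout from Ben's message (plus a directory link pointing back at bin) under a directory it creates with mkdtemp() in /tmp, which it assumes to be writable.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_DEPTH 64

/* State for one walk: (dev, ino) of every directory currently being
 * descended, so a directory reached twice on one path is reported as a cycle. */
struct walk {
	dev_t dev[MAX_DEPTH];
	ino_t ino[MAX_DEPTH];
	int depth;
	int files, dirs, skipped_links, cycles;
};

static int
on_current_path(const struct walk *w, const struct stat *st)
{
	int i;
	for (i = 0; i < w->depth; i++)
		if (w->dev[i] == st->st_dev && w->ino[i] == st->st_ino)
			return 1;
	return 0;
}

/* Recursive walk.  Entries are examined with lstat(), so a symlink is seen
 * as a symlink and never followed, whatever it points at.  A directory that
 * is already on the current path is counted as a cycle and not re-entered. */
static void
walk_dir(struct walk *w, const char *path)
{
	DIR *d;
	struct dirent *de;
	struct stat st;
	char child[4096];

	if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
		return;
	if (on_current_path(w, &st) || w->depth == MAX_DEPTH) {
		w->cycles++;
		return;
	}
	w->dev[w->depth] = st.st_dev;
	w->ino[w->depth] = st.st_ino;
	w->depth++;
	w->dirs++;
	if ((d = opendir(path)) != NULL) {
		while ((de = readdir(d)) != NULL) {
			if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
				continue;
			snprintf(child, sizeof child, "%s/%s", path, de->d_name);
			if (lstat(child, &st) != 0)
				continue;
			if (S_ISLNK(st.st_mode))
				w->skipped_links++;	/* never descend through a link */
			else if (S_ISDIR(st.st_mode))
				walk_dir(w, child);
			else if (S_ISREG(st.st_mode))
				w->files++;
		}
		closedir(d);
	}
	w->depth--;
}

/* Constructed fixture: bin/tcommand, bin/scripts/perl/tcommand -> ../../tcommand
 * (the layout in the post) and bin/scripts/loop -> .. so that following links
 * would recurse forever.  Walks it, removes it, and returns the number of
 * symlinks skipped (2 for this layout), or -1 if the fixture could not be
 * built or the walk did not see exactly 1 file, 4 directories and 0 cycles. */
int
walk_selftest(void)
{
	static const char *dirs[] = { "bin", "bin/scripts", "bin/scripts/perl" };
	char base[] = "/tmp/scpwalkXXXXXX";
	char p[4200];
	struct walk w;
	FILE *f;
	int i, result;

	if (mkdtemp(base) == NULL)
		return -1;
	for (i = 0; i < 3; i++) {
		snprintf(p, sizeof p, "%s/%s", base, dirs[i]);
		if (mkdir(p, 0700) != 0)
			return -1;
	}
	snprintf(p, sizeof p, "%s/bin/tcommand", base);
	if ((f = fopen(p, "w")) == NULL)
		return -1;
	fputs("#!/bin/sh\necho tcommand\n", f);
	fclose(f);
	snprintf(p, sizeof p, "%s/bin/scripts/perl/tcommand", base);
	if (symlink("../../tcommand", p) != 0)
		return -1;
	snprintf(p, sizeof p, "%s/bin/scripts/loop", base);
	if (symlink("..", p) != 0)
		return -1;

	memset(&w, 0, sizeof w);
	walk_dir(&w, base);
	result = (w.files == 1 && w.dirs == 4 && w.cycles == 0) ? w.skipped_links : -1;

	/* remove the fixture, deepest entries first */
	unlink(p);
	snprintf(p, sizeof p, "%s/bin/scripts/perl/tcommand", base); unlink(p);
	snprintf(p, sizeof p, "%s/bin/tcommand", base); unlink(p);
	for (i = 2; i >= 0; i--) {
		snprintf(p, sizeof p, "%s/%s", base, dirs[i]);
		rmdir(p);
	}
	rmdir(base);
	return result;
}
```

A copier built on this walk would transfer bin/tcommand once and report the two links rather than spinning until the local disk fills; whether to recreate links on the far side is then a separate, explicit decision.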
From: djm at mindrot.org (Damien Miller)
Date: Tue, 13 Jun 2000 12:08:14 +1000 (EST)
Subject: scp -r blues
In-Reply-To: <39466216.90300BB8@saber.net>
Message-ID:

On Tue, 13 Jun 2000, Benjamin Smith wrote:

> I'm using the latest stable release of open-ssh, and scp, and am having
> a problem...
>
> I want to use scp to backup some important files on a publicly visible
> server.
>
> Everything seems fine, except for two details:
>
> 1) scp will not copy a core file. This server is used for devel, and the
> occasional core file is created. scp almost always coughs on such files,
> and stops.

I can't replicate this behaviour. What platforms are the client and server end? Any error messages when the copy stops? Can you try turning up the LogLevel to DEBUG and see what is produced?

-d
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From andrewm at datrix.co.za Tue Jun 13 17:10:35 2000
From: andrewm at datrix.co.za (Andrew McGill)
Date: Tue, 13 Jun 2000 09:10:35 +0200
Subject: Openssh on SCO Openserver Release 5
References:
Message-ID: <000601bfd506$788d27e0$27dc25c4@datrix.co.za>

Hi! - I guess I should have said. The versions are:

openssh-2.1.1p1
openssl-0.9.5a
zlib-1.1.3
perl-5.6.0

&:-)

----- Original Message -----
From:
To: Andrew McGill
Cc:
Sent: Monday 12 June 2000 18:33
Subject: Re: Openssh on SCO Openserver Release 5

Yo Andrew!

What version of Openssh are you trying?

RGDS
GARY

On Mon, 12 Jun 2000, Andrew McGill wrote:

> Date: Mon, 12 Jun 2000 15:26:53 +0200
> From: Andrew McGill
> To: djm at ibs.com.au
> Cc: gem at rellim.com
> Subject: Openssh on SCO Openserver Release 5
>
> Hi there
>
> Your e-mail address appears in the README for openssh, which is why I am
> sending this to you. (I hope you are somewhere close to the maintainers of
> openssh)
>
> I have managed to compile and run openssh on SCO Openserver (another
> version from the original port). There were a few funnies which you may
> want to incorporate into the distribution:
>
> 0. System information:
>
> $ uname -X
> System = SCO_SV
> Node = scosysv
> Release = 3.2v5.0.4
> KernelID = 97/05/07
> Machine = Pentium
> BusType = ISA
> Serial = 4FC006928
> Users = 16-user
> OEM# = 0
> Origin# = 1
> NumCPU = 1
>
>
> 1. /dev/ptmx
>
> config.h
> My SCO does support the device /dev/ptmx after a fashion, but does not
> enable them as true tty's. This causes problems with sshd. The man page
> says:
> >>>
> Limitations
> ===========
>
> Although /dev/ptmx is referred to as a pseudo-tty, the master device does
> not have tty characteristics and therefore cannot become the controlling
> tty of a process group. The slave side of the connection does have the
> characteristics of a real tty and can become the controlling tty of a
> process group.
> <<<
>
> I changed the config.h line
> #define HAVE_DEV_PTMX 1
> to contain the following
> /* #define HAVE_DEV_PTMX 1 */
> fixes this. I think the correct approach is to fix configure.in to include
> a line for SCO similar to the line for linux --but installing autoconf on
> this box doesn't seem like fun at the moment, especially since I am
> changing jobs within the month:
>
> *-*-sco3*)
>         no_dev_ptmx=1
>         ;;
>
> 2. MAXPATHLEN
>
> include.h
> My SCO header files do not define the MAXPATHLEN macro, which is required
> by openssh.
> To rectify this, I added the following lines before the final
> endif:
> #ifndef MAXPATHLEN
> #define MAXPATHLEN 64
> #endif
> According to usr/include/limits.h, the correct SCO value appears to be
> PATH_MAX -- except it is not defined either :(
>
> host system type:
> i586-pc-sco3.2v5.0.4
>
>
> ---
> This entire communication can be represented as a binary integer. As a
> result it is entirely rational.
>

---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From douglas.manton at uk.ibm.com Tue Jun 13 18:28:49 2000
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com)
Date: Tue, 13 Jun 2000 09:28:49 +0100
Subject: 2.2.1p1 / AIX 4.2.1.0.06 login nits
Message-ID: <802568FD.002EA580.00@d06mta05.portsmouth.uk.ibm.com>

Matt,

When login is called in session.c the environment variables are not passed to it. AIX login expects environment variables to be passed on the command line in the form:

/usr/bin/login -h -p -f -- DISPLAY=host:10.0 TZ=GMT0BST ...

There are restrictions, for example you cannot set PATH.

When login is called in session.c the variables are not passed.

/* Launch login(1). */
execl("/usr/bin/login", "login", "-h", get_remote_ipaddr(),
      "-p", "-f", "--", pw->pw_name, NULL);

The NULL needs to be replaced with a string containing the variables. Unfortunately using execve (instead of execl) and using the environment pointer does not have any effect -- login does not inherit the variables passed in that way.

Could whoever has been working on the revamped login code (Andre?) take a look into this? It effectively breaks X11 forwarding :-(

Many thanks,
--------------------------------------------------------
Doug Manton, AT&T EMEA Firewall and Security Solutions
douglas.manton at uk.ibm.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"

From J.Horne at plymouth.ac.uk Tue Jun 13 21:52:35 2000
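The form Doug describes, with the session variables appended to the login command line instead of being inherited, is easy to get wrong by hand, so here is an added example (not OpenSSH's session.c) that builds such an argv and drops the names the command line must not carry. The blocked-name list beyond PATH, the MAX_LOGIN_ARGS cap and the sample environment are assumptions of this example, not anything AIX or OpenSSH defines.

```c
/* Added example (not OpenSSH code): build an argv for AIX login(1) that
 * carries session environment variables as trailing "NAME=value" arguments,
 * following the command-line form described in the post. Names that must
 * not be set this way are filtered out: PATH comes from the post, the
 * others are a defensive assumption made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LOGIN_ARGS 64   /* assumed cap, including the terminating NULL */

/* Variables never forwarded on the login command line. */
static const char *const blocked_names[] = {
    "PATH", "LD_LIBRARY_PATH", "LIBPATH", "IFS", "ENV", NULL
};

/* Return 1 if "NAME=value" has a non-empty name and is not blocked. */
static int env_entry_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t namelen;
    int i;

    if (eq == NULL || eq == entry)
        return 0;                       /* no '=' or empty name */
    namelen = (size_t)(eq - entry);
    for (i = 0; blocked_names[i] != NULL; i++)
        if (strlen(blocked_names[i]) == namelen &&
            strncmp(blocked_names[i], entry, namelen) == 0)
            return 0;
    return 1;
}

/* Fill argv (capacity MAX_LOGIN_ARGS) with
 *   login -h <remote_ip> -p -f -- <user> NAME=value ...
 * mirroring the execl() call quoted in the post, with the environment
 * appended where that call has NULL. env is a NULL-terminated list of
 * "NAME=value" strings. Returns the argument count (excluding the
 * terminating NULL), or -1 if argv would overflow. */
int build_login_argv(const char *argv[], const char *remote_ip,
                     const char *user, const char *const env[])
{
    int n = 0, i;

    argv[n++] = "login";
    argv[n++] = "-h";
    argv[n++] = remote_ip;
    argv[n++] = "-p";
    argv[n++] = "-f";
    argv[n++] = "--";
    argv[n++] = user;
    for (i = 0; env[i] != NULL; i++) {
        if (!env_entry_allowed(env[i]))
            continue;                   /* skip PATH and friends */
        if (n >= MAX_LOGIN_ARGS - 1)
            return -1;                  /* keep room for the NULL */
        argv[n++] = env[i];
    }
    argv[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed sample environment, as an sshd child might carry it. */
    static const char *const sample_env[] = {
        "DISPLAY=host:10.0", "PATH=/usr/bin:/bin", "TZ=GMT0BST",
        "SSH_CLIENT=10.0.0.1 1022 22", "SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.1",
        NULL
    };
    const char *argv[MAX_LOGIN_ARGS];
    int n = build_login_argv(argv, "10.0.0.1", "matt", sample_env), i;

    for (i = 0; i < n; i++)
        printf("argv[%d] = %s\n", i, argv[i]);
    /* A server would now execv("/usr/bin/login", (char *const *)argv). */
    return 0;
}
```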
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Tue, 13 Jun 2000 12:52:35 +0100 (BST)
Subject: Openssh-2.1.1p1 and solaris 7/8
Message-ID:

Hello,

I just installed the above openssh onto a Sun Solaris 7 and Solaris 8 system. No problem with that. However, I now seem to get some rubbish processed when I log in with slogin. An example:

Last login: Tue Jun 13 12:31:27 2000 from jhorne.csd.plymo:tJ`
^[[?1;2c

Telnet logs in okay, but just shows 'Last login...jhorne.csd.plymo'.

This seems to get passed to the shell, which it of course errors on. I do, however, actually log in okay. This is seen on both systems. As a test I purged the /var/adm/lastlog file - logged out, logged in - this was okay. Logged out and logged in again, and got the same problem.

I upgraded from 2.1.0p3 to fix the utmpx problem; that version did not exhibit this problem. So far the utmpx problem hasn't recurred though :-)

I configured both systems using:
./configure --with-egd-pool=/tmp/entropy --with-catman=man --with-tcp-wrappers --with-default-path=/usr/bin:/usr/local/bin

Using the '--disable-lastlog' got around the problem. Something doesn't seem right though.

John.
--------------------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: jhorne at plymouth.ac.uk
PGP key available from public key servers

From tbert at abac.com Wed Jun 14 00:18:45 2000
From: tbert at abac.com (Tom Bertelson) Date: Tue, 13 Jun 2000 10:18:45 -0400 Subject: AIX and 2.1.1p1 References: <394559FD.DC62E116@abac.com> <39457602.949F875E@dial.pipex.com> Message-ID: <394642C5.599C770E@abac.com> Andre Lucas wrote: > USE_LASTLOG isn't the opposite of DISABLE_LASTLOG. A bit confusing, I > know. USE_LASTLOG means 'this system has some form of lastlog recording > of its own so use it', whereas DISABLE_LASTLOG should mean 'don't even > *try* to retrieve lastlog information from any source.' > USE_SYSTEM_LASTLOG might be a better symbol name than USE_LASTLOG. Your patch works fine with AIX - thanks! The reason I wondered about the symbol names is because if configure can't find a lastlog file anywhere, it sets DISABLE_LASTLOG. It may be nice in this default case to search wtmp, since presumably the OS doesn't have a real lastlog facility. --disable-lastlog could still be used to override this. Perhaps something like this? (untested): --- configure.in.orig Thu Jun 8 21:58:35 2000 +++ configure.in Tue Jun 13 10:15:25 2000 @@ -1008,8 +1010,7 @@ fi done if test -z "$conf_lastlog_location"; then - AC_MSG_WARN([** Cannot find lastlog - disabling feature **]) - AC_DEFINE(DISABLE_LASTLOG) + AC_MSG_WARN([** Cannot find lastlog - resorting to wtmp search **]) fi fi fi -- Tom Bertelson "Any sufficiently advanced technology RHI Consulting is indistinguishable from magic." tbert at abac.com -- Arthur C. Clarke From P.S.S.Camp at ukc.ac.uk Wed Jun 14 00:44:32 2000 
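Review bot: Removing AC_DEFINE(DISABLE_LASTLOG) in the `if test -z "$conf_lastlog_location"` branch makes the new warning promise a wtmp search that this hunk does not itself provide; the lastlog code path has to cope with an empty location while DISABLE_LASTLOG is undefined, and the --disable-lastlog override the text mentions must still define DISABLE_LASTLOG elsewhere, since the AC_DEFINE deleted here is the only one in the hunk. The header (-1008,8 +1010,7) also shows the diff was taken against an already-modified configure.in, so it may not apply cleanly to a pristine 2.1.1p1 tree.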
From: P.S.S.Camp at ukc.ac.uk (P.S.S.Camp) Date: Tue, 13 Jun 2000 15:44:32 +0100 (BST) Subject: Openssh-2.1.1p1 and solaris 7/8 In-Reply-To: Message-ID: On Tue, 13 Jun 2000, John Horne wrote: > Hello, > > I just installed the above openssh onto a Sun Solaris 7 and Solaris 8 system. > No problem with that. However, I now seem to get some rubbish processed when > I login with slogin. An example: > > Last login: Tue Jun 13 12:31:27 2000 from jhorne.csd.plymo:tJ` > ^[[?1;2c > > Telnet logs in okay, but just shows 'Last login...jhorne.csd.plymo'. > > This seems to get passed to the shell, which it of course errors on. I do, > however, actually login okay. This is seen on both systems. As a test I > purged the /var/adm/lastlog file - logged out, logged in - this was okay. > Logged out and logged in again, and got the same problem. > > I upgraded from 2.1.0p3 to fix the utmpx problem; that version did not > exhibit this problem. So far the utmpx problem hasn't recurred though :-) > > I configured both systems using: > ./configure --with-egd-pool=/tmp/entropy --with-catman=man > --with-tcp-wrappers --with-default-path=/usr/bin:/usr/local/bin > > Using the '--disable-lastlog' got around the problem. Something doesn't seem > right though. > Right to further my patch yesterday this superseeds it --- loginrec.c.old Wed Jun 7 12:32:13 2000 +++ loginrec.c Tue Jun 13 15:29:19 2000 @@ -1087,7 +1087,7 @@ #endif line_fullname(li->line, utx.ut_line, sizeof(utx.ut_line)); #ifdef HAVE_HOST_IN_UTMPX - strlcpy(li->hostname, utx.ut_host, sizeof(utx.ut_line)); + strlcpy(li->hostname, utx.ut_host, sizeof(utx.ut_host)); #endif } if (lseek(fd, (off_t)(0-2*sizeof(struct utmpx)), SEEK_CUR) == -1) { 
@@ -1289,7 +1289,10 @@ lastlog_populate_entry(struct logininfo *li, struct lastlog *last) { line_fullname(li->line, last->ll_line, sizeof(li->line)); - strlcpy(li->hostname, last->ll_host, sizeof(li->hostname)); + /* limit at length of the smallest structre as some entries as not + * all are null terminated. */ + strlcpy(li->hostname, last->ll_host, + ( sizeof(last->ll_host) < sizeof(li->hostname) ) ? sizeof(last->ll_host) : sizeof(li->hostname) ); li->tv_sec = last->ll_time; } ---- This fixes corrupt lastlogin lines with --disable-lastlog and without The first chunk fixes a str chop at ut_line(32) instead of ut_host(256) The second that no all entries in lastlog file have zero terminated strings ie those of max length, so this path modifies the strlcpy to a limit of the smallest structutre involved in the copy, which should all be resolved a comple time as it is costant, then the strlcpy correctly termintes the copy. Phill. Camp -- Computer Science Computing Officer University Of Kent At Canterbury From J.Horne at plymouth.ac.uk Wed Jun 14 01:00:40 2000 
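Review bot: In the @@ -1087 hunk the change to sizeof(utx.ut_host) is correct, but the length passed to strlcpy should bound the destination, so sizeof(li->hostname) is the safer argument; the unchanged line_fullname(li->line, utx.ut_line, sizeof(utx.ut_line)) call just above it has the same source-size-as-limit pattern and deserves the same look.

Review bot: In the @@ -1289 hunk the min() expression only bounds what strlcpy writes; strlcpy still scans last->ll_host until it finds a NUL to compute its return value, so an unterminated ll_host, exactly the case the new comment describes, is still read past its end. A copy that never depends on source termination avoids that, e.g. n = MIN(sizeof(last->ll_host), sizeof(li->hostname) - 1); memcpy(li->hostname, last->ll_host, n); li->hostname[n] = '\0'; and the unchanged line_fullname(li->line, last->ll_line, sizeof(li->line)) above it has the same exposure, ll_line being a fixed-width field too. The added comment also has typos ("structre", "as some entries as not all are null terminated") and the conditional runs well past 80 columns; a MIN macro would tidy both.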
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Tue, 13 Jun 2000 16:00:40 +0100 (BST)
Subject: Remote -> remote scp not working
Message-ID:

Hello,

Using openssh 2.1.1p1 I have tried to use scp to copy a file from one remote system directly to another remote system - e.g. 'scp -i ./ecp eros:jhf alice:jhf', so the file jhf is copied from the remote system eros to the remote system alice via an intermediate system (the one where the command is issued from). The key is in the file ecp. Using protocol 1 it doesn't seem to work. I can issue:

scp -i ./ecp eros:jhf .
scp -i ./ecp jhf alice:jhf

and these work fine. However, combining the two just gives me 'permission denied'. Using -v doesn't seem to show much more:

Executing: exec /usr/local/bin/ssh -v -x -o'FallBackToRsh no' -n eros scp -v jhf 'alice:jhf'
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /export/home/jhorne/.ssh/config
debug: Applying options for *
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 100 geteuid 0 anon 1
debug: Connecting to eros.csd.plymouth.ac.uk [141.163.2.9] port 22.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.1.1
debug: Local version string SSH-1.5-OpenSSH_2.1.1
debug: Waiting for server public key.
debug: Received server public key (1152 bits) and host key (1024 bits).
debug: Host 'eros.csd.plymouth.ac.uk' is known and matches the RSA host key.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
Permission denied.
debug: Calling cleanup 0x3d358(0x0)

The 'config' file mentioned above simply states:

Host *
Protocol 1

I have gotten around this by copying the file directly from one system to the other, but according to the man page a remote-remote copy should work.

Thanks,

John.
--------------------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: jhorne at plymouth.ac.uk
PGP key available from public key servers

From J.Horne at plymouth.ac.uk Wed Jun 14 01:29:40 2000
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Tue, 13 Jun 2000 16:29:40 +0100 (BST)
Subject: Openssh-2.1.1p1 and solaris 7/8
In-Reply-To:
Message-ID:

On 13-Jun-00 at 14:44:32 P.S.S.Camp wrote:
>> Telnet logs in okay, but just shows 'Last login...jhorne.csd.plymo'.
>>
> Right to further my patch yesterday this superseeds it
> --- loginrec.c.old Wed Jun 7 12:32:13 2000
> +++ loginrec.c Tue Jun 13 15:29:19 2000
> @@ -1087,7 +1087,7 @@
> #endif
[rest snipped]

Yup, this seems to work fine :-) Only thing I noticed was that, as above, telnet showed 'plymo' (a truncated plymouth.ac.uk), whilst slogin after your patch shows 'plym'. I have no idea if that is significant :-)

Many thanks,

John.
--------------------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914
E-mail: jhorne at plymouth.ac.uk
PGP key available from public key servers

From ted at mtv.se Wed Jun 14 06:53:28 2000
From: ted at mtv.se (Ted Parnefors)
Date: Tue, 13 Jun 2000 22:53:28 +0200 (CEST)
Subject: SCP Problems.
Message-ID:

Just added myself to the list, and I saw that somebody else had the same problem that I have, namely that I can't get "scp" to work. The similarities I could see was that we both use linux as the platform for issuing the command "scp", however I also use linux on the destination. The other similarity is that we both are using strictly version 2 of the ssh protocol. I've included the output of a "scp -v". Or am I simply doing something wrong? (hostname has been replaced by "my_host.com" & ip by x.x.x.x)

scp -v ./profile.php ted at my_host.com:.
Executing: host my_host.com, user ted, command scp -v -t .
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x00905100).
debug: Reading configuration data /usr/local/etc/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 502 geteuid 0 anon 1
debug: Connecting to my_host.com [x.x.x.x] port 22.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.1.1
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.1.1
debug: Seeding random number generator
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: zlib,none
debug: got kexinit: zlib,none
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: server->client 3des-cbc hmac-sha1 zlib
debug: kex: client->server 3des-cbc hmac-sha1 zlib
debug: Sending SSH2_MSG_KEXDH_INIT.
debug: bits set: 491/1024
debug: Wait SSH2_MSG_KEXDH_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: keytype ssh-dss
debug: keytype ssh-dss
debug: keytype ssh-dss
debug: Host 'my_host.com' is known and matches the DSA host key.
debug: bits set: 518/1024
debug: len 55 datafellows 0
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: Enabling compression at level 6.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,password
debug: try pubkey: /home/ted/.ssh/id_dsa
debug: PEM_read_bio_DSAPrivateKey failed
debug: read DSA private key done
Enter passphrase for DSA key '/home/ted/.ssh/id_dsa':
debug: read DSA private key done
debug: sig size 20 20
debug: ssh-userauth2 successfull
debug: fd 5 setting O_NONBLOCK
debug: fd 6 setting O_NONBLOCK
debug: fd 7 setting O_NONBLOCK
debug: channel 0: new [client-session]
debug: send channel open 0
debug: Entering interactive session.
debug: callback start
debug: client_init id 0 arg 0
debug: Sending command: scp -v -t .
debug: client_set_session_ident: id 0
debug: callback done
debug: channel 0: open confirm rwindow 0 rmax 32768
debug: channel 0: rcvd adjust 16384
debug: callback start
debug: client_input_channel_req: rtype exit-status reply 0
debug: callback done
debug: channel 0: rcvd eof
debug: channel 0: output open -> drain
debug: channel 0: rcvd close
debug: channel 0: input open -> closed
debug: channel 0: close_read
debug: channel 0: obuf empty
debug: channel 0: output drain -> closed
debug: channel 0: close_write
debug: channel 0: send close
debug: channel 0: full closed2
debug: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
debug: !channel_still_open.
debug: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.8 seconds
debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug: Exit status 127
debug: compress outgoing: raw data 656, compressed 615, factor 0.94
debug: compress incoming: raw data 103, compressed 96, factor 0.93
lost connection

--
Ted Parnefors , KeyID 0x6627DEE4
PGP Fingerprint 1C39FA94703EB54A011CF18932018E256627DEE4

From rachit at ensim.com Wed Jun 14 07:12:01 2000
From: rachit at ensim.com (Rachit Siamwalla)
Date: Tue, 13 Jun 2000 14:12:01 -0700
Subject: SCP Problems.
References:
Message-ID: <3946A3A1.192F5930@ensim.com>

That's weird, I could do linux-linux scps without a problem. I did the same thing as you, use strictly ssh version 2 (with the -2 option). Perhaps this problem is related to certain keys (like the other key_read problem). Too bad I blew away the machines I used to test this problem (and I can't get them back). Try storing the server key somewhere and regenerating the key and see if it still happens (probably a stupid idea, but easy to try out, anyway).

> Just added myself to the list, and I saw that somebody else had the same
> problem that I have, namely that I can't get "scp" to work. The similarities I
> could see was that we both use linux as the platform for issuing the command
> "scp", however I also use linux on the destination. The other similarity is that
> we both are using strictly version 2 of the ssh protocol. I've included the
> output of a "scp -v". Or am I simply doing something wrong?

From andre.lucas at dial.pipex.com Wed Jun 14 11:07:52 2000
From: andre.lucas at dial.pipex.com (Andre Lucas)
Date: Wed, 14 Jun 2000 02:07:52 +0100
Subject: AIX and 2.1.1p1
References: <394559FD.DC62E116@abac.com> <39457602.949F875E@dial.pipex.com> <394642C5.599C770E@abac.com>
Message-ID: <3946DAE8.B3AEC8D6@dial.pipex.com>

Tom Bertelson wrote:
> 8<
> Your patch works fine with AIX - thanks!

Good news. Thanks for testing it.

> The reason I wondered about the symbol names is because if configure
> can't find a lastlog file anywhere, it sets DISABLE_LASTLOG. It may be
> nice in this default case to search wtmp, since presumably the OS
> doesn't have a real lastlog facility. --disable-lastlog could still be
> used to override this.

I agree, I made almost exactly the same change in the CVS yesterday :)

Ta,
-Andre'

From karn at ka9q.ampr.org Wed Jun 14 11:17:06 2000
From: karn at ka9q.ampr.org (Phil Karn)
Date: Tue, 13 Jun 2000 18:17:06 -0700
Subject: TCP connection forwarding troubles
Message-ID: <200006140117.SAA27240@homer.ka9q.ampr.org>

For some time I have routinely websurfed across a forwarded TCP connection using SSH. The other end of the TCP tunnel connects to a Squid proxy cache on the same machine.

This usually works. But I see lots of error messages on each end of the form

Jun 13 13:22:02 tunnel sshd[32378]: error: channel 0: chan_shutdown_read: shutdown() failed for fd5 [i1 o128]: Transport endpoint is not connected
Jun 13 13:22:11 tunnel sshd[32378]: error: channel 2: chan_shutdown_read: shutdown() failed for fd10 [i1 o128]: Transport endpoint is not connected
Jun 13 13:24:50 tunnel sshd[32378]: error: channel 0: chan_shutdown_read: shutdown() failed for fd5 [i1 o128]: Transport endpoint is not connected
Jun 13 13:25:03 tunnel sshd[32378]: error: channel 1: chan_shutdown_read: shutdown() failed for fd8 [i1 o128]: Transport endpoint is not connected
Jun 13 13:25:03 tunnel sshd[32378]: error: channel 3: chan_shutdown_read: shutdown() failed for fd11 [i1 o128]: Transport endpoint is not connected
Jun 13 13:25:03 tunnel sshd[32378]: error: channel 2: chan_shutdown_read: shutdown() failed for fd10 [i1 o128]: Transport endpoint is not connected
Jun 13 13:25:14 tunnel sshd[32378]: error: channel 5: chan_shutdown_read: shutdown() failed for fd13 [i1 o128]: Transport endpoint is not connected
Jun 13 13:46:02 tunnel sshd[32378]: error: channel 3: chan_shutdown_read: shutdown() failed for fd11 [i1 o128]: Transport endpoint is not connected

This is from the remote end of the tunnel, the machine with the squid proxy. I see similar messages on the client side.

And occasionally things often just hang. When I kill and restart the local ssh client that's providing the tunnel, it starts working again.

Both ends are running OpenSSH 2.1.1, Debian Linux 2.1 and the 2.2.15 kernel.

--Phil

From P.S.S.Camp at ukc.ac.uk Wed Jun 14 18:33:16 2000
From: P.S.S.Camp at ukc.ac.uk (P.S.S.Camp)
Date: Wed, 14 Jun 2000 09:33:16 +0100 (BST)
Subject: TCP connection forwarding troubles
In-Reply-To: <200006140117.SAA27240@homer.ka9q.ampr.org>
Message-ID:

On Tue, 13 Jun 2000, Phil Karn wrote:

> For some time I have routinely websurfed across a forwarded TCP
> connection using SSH. The other end of the TCP tunnel connects to a
> Squid proxy cache on the same machine.
>
> This usually works. But I see lots of error messages on each end of
> the form
>
> Jun 13 13:22:02 tunnel sshd[32378]: error: channel 0: chan_shutdown_read: shutdown() failed for fd5 [i1 o128]: Transport endpoint is not connected
> Jun 13 13:22:11 tunnel sshd[32378]: error: channel 2: chan_shutdown_read: shutdown() failed for fd10 [i1 o128]: Transport endpoint is not connected
> Jun 13 13:24:50 tunnel sshd[32378]: error: channel 0: chan_shutdown_read: shutdown() failed for fd5 [i1 o128]: Transport endpoint is not connected
> Jun 13 13:25:03 tunnel sshd[32378]: error: channel 1: chan_shutdown_read: shutdown() failed for fd8 [i1 o128]: Transport endpoint is not connected
> Jun 13 13:25:03 tunnel sshd[32378]: error: channel 3: chan_shutdown_read: shutdown() failed for fd11 [i1 o128]: Transport endpoint is not connected
> Jun 13 13:25:03 tunnel sshd[32378]: error: channel 2: chan_shutdown_read: shutdown() failed for fd10 [i1 o128]: Transport endpoint is not connected
> Jun 13 13:25:14 tunnel sshd[32378]: error: channel 5: chan_shutdown_read: shutdown() failed for fd13 [i1 o128]: Transport endpoint is not connected
> Jun 13 13:46:02 tunnel sshd[32378]: error: channel 3: chan_shutdown_read: shutdown() failed for fd11 [i1 o128]: Transport endpoint is not connected
>
> This is from the remote end of the tunnel, the machine with the squid
> proxy. I see similar messages on the client side.
>
> And occasionally things often just hang. When I kill and restart the
> local ssh client that's providing the tunnel, it starts working again.
>

get this when killing any proxied connection (inc X) under solaris too.

Phill.
--
Computer Science Computing Officer

From P.S.S.Camp at ukc.ac.uk Wed Jun 14 19:26:17 2000
From: P.S.S.Camp at ukc.ac.uk (P.S.S.Camp)
Date: Wed, 14 Jun 2000 10:26:17 +0100 (BST)
Subject: Openssh-2.1.1p1 and solaris 7/8
Message-ID:

On Tue, 13 Jun 2000, John Horne wrote:

> On 13-Jun-00 at 14:44:32 P.S.S.Camp wrote:
> >> Telnet logs in okay, but just shows 'Last login...jhorne.csd.plymo'.
> >>
> > Right to further my patch yesterday this superseeds it
> > --- loginrec.c.old Wed Jun 7 12:32:13 2000
> > +++ loginrec.c Tue Jun 13 15:29:19 2000
> > @@ -1087,7 +1087,7 @@
> > #endif
> [rest snipped]
>
> Yup, this seems to work fine :-) Only thing I noticed was that, as above,
> telnet showed 'plymo' (a truncated plymouth.ac.uk), whilst slogin after your
> patch shows 'plym'. I have no idea if that is significant :-)
>
> Many thanks,
>

What is written into lastlog on solaris is a lastlog entry not a utmpx, therefore hostnames are truncated to 15 char + terminator see /usr/include/lastlog.h

Phill.
--
Computer Science Computing Officer

From pamirian at primustel.ca Wed Jun 14 23:19:06 2000
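Both the strlcpy bound that the loginrec.c patch earlier in the thread adjusts and the 'plymo' versus 'plym' difference John noticed come from one property: a fixed-width lastlog field is NUL-terminated only when the hostname is shorter than the field. The added example below (not OpenSSH code) copies such a field without ever reading past it; the record layout (ll_line[8], ll_host[16]) and the sample entries are assumptions constructed for illustration, and jhorne.csd.plymouth.ac.uk is used because its first 16 characters are exactly the 'jhorne.csd.plymo' telnet printed.

```c
/* Added example (not OpenSSH code): read a fixed-width, possibly
 * unterminated record field into a NUL-terminated buffer. The lastlog
 * layout below is an assumption modelled on what the thread describes
 * (a 16-byte ll_host); it is constructed here for illustration only. */
#include <stdio.h>
#include <string.h>
#include <time.h>

#define LL_LINE 8
#define LL_HOST 16

struct lastlog_rec {            /* assumed layout, not the system header */
    time_t ll_time;
    char   ll_line[LL_LINE];
    char   ll_host[LL_HOST];
};

/* Copy at most srclen bytes of src into dst (capacity dstsize), stopping
 * at the first NUL if there is one, and always NUL-terminate dst. Never
 * touches src[srclen] or beyond, so an unterminated field is safe, unlike
 * strlcpy(), which scans the source for a NUL to compute its return value.
 * Returns the number of characters stored (excluding the terminator). */
size_t copy_fixed_field(char *dst, size_t dstsize,
                        const char *src, size_t srclen)
{
    size_t n = 0;

    if (dstsize == 0)
        return 0;
    while (n < srclen && n < dstsize - 1 && src[n] != '\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Store s into a field of width w the way a login record writer does:
 * truncated to w bytes and left unterminated when it fills the field. */
static void put_fixed_field(char *field, size_t w, const char *s)
{
    size_t n = strlen(s);

    if (n > w)
        n = w;
    memset(field, 0, w);
    memcpy(field, s, n);
}

/* Build a record from a tty line and a hostname (constructed data). */
void fill_record(struct lastlog_rec *rec, const char *line, const char *host)
{
    memset(rec, 0, sizeof(*rec));
    put_fixed_field(rec->ll_line, LL_LINE, line);
    put_fixed_field(rec->ll_host, LL_HOST, host);
}

/* Extract the hostname from a record into a caller buffer; the full,
 * unterminated case is handled by copy_fixed_field in one place. */
size_t lastlog_hostname(const struct lastlog_rec *rec,
                        char *out, size_t outsize)
{
    return copy_fixed_field(out, outsize, rec->ll_host, sizeof(rec->ll_host));
}

int main(void)
{
    struct lastlog_rec rec;
    char host[256];

    /* Constructed: a hostname longer than the field, as in the thread. */
    fill_record(&rec, "pts/3", "jhorne.csd.plymouth.ac.uk");
    lastlog_hostname(&rec, host, sizeof(host));
    printf("%d-byte ll_host read back as '%s'\n", LL_HOST, host);
    return 0;
}
```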
From: pamirian at primustel.ca (Patrick Amirian)
Date: Wed, 14 Jun 2000 09:19:06 -0400
Subject: need help with compiling openssh
Message-ID: <002f01bfd603$205a54a0$530ba7d1@zerocode>

hi,
I'm trying to compile OpenSSH, latest version on my Linux box. I know that it requires openssl and I've installed the 0.9.5a and it's working just fine.

Now when I'm trying to ./configure the openssh with the options

./configure --prefix=/usr/local/bin/openssh/ --without-pam --without-shadow --with-tcp-wrappers

It's giving me

checking for openssl directory... configure: error: could not find working SSLeay / OpenSSL libraries, please install

but I've already installed it. I've also tried with the option... humm... ssl-dir or something like that to give it the path to my ssl libraries myself but I'm getting the same thing... any ideas ?

Thanks.

From djm at mindrot.org Wed Jun 14 23:30:18 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 14 Jun 2000 23:30:18 +1000 (EST)
Subject: need help with compiling openssh
In-Reply-To: <002f01bfd603$205a54a0$530ba7d1@zerocode>
Message-ID:

On Wed, 14 Jun 2000, Patrick Amirian wrote:

> It's giving me
>
> checking for openssl directory... configure: error: could not find
> working SSLeay / OpenSSL libraries, please install
>
> but I've already installed it. I've also tried with the option...
> humm... ssl-dir or something like that to give it the path to my ssl
> libraries myself but I'm getting the same thing... any ideas ?

Can you send the last 100 or so lines of the config.log that gets generated?

Thanks,
Damien Miller
--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From preed at sigkill.com Wed Jun 14 23:39:04 2000
From: preed at sigkill.com (J. Paul Reed)
Date: Wed, 14 Jun 2000 06:39:04 -0700 (PDT)
Subject: need help with compiling openssh
In-Reply-To: <002f01bfd603$205a54a0$530ba7d1@zerocode>
Message-ID:

On Wed, 14 Jun 2000, Patrick Amirian wrote:

> checking for openssl directory... configure: error: could not find working
> SSLeay / OpenSSL libraries, please install
>
> but I've already installed it.
> I've also tried with the option... humm... ssl-dir or something like that to
> give it the path to my ssl libraries myself but I'm getting the same
> thing...
> any ideas ?

This is a bug in the configure script...or something like it. If you look at config.log, you should see that it fails to link libcrypto.a to the test binary it makes...for some reason, it doesn't apply the correct include/library directives to the compile, which would cause OpenSSH to fail to compile too.

Anyway, the fix should be a simple:

cd /usr/local/lib; ln -s /usr/local/ssl/lib/libcrypto.a .

Of course, modify where libcrypto.a is for your system.

Later,
Paul
-------------------------------------------------------------------
J. Paul Reed preed at sigkill.com || web.sigkill.com/preed
Look, I'm not going to say Limp Bizkit sucks. You know it... I know it... I'm not going to say it. -- Trent Reznor

From Leakin at dfw.Nostrum.com Thu Jun 15 01:00:26 2000
From: Leakin at dfw.Nostrum.com (Lee Eakin)
Date: Wed, 14 Jun 2000 10:00:26 -0500
Subject: need help with compiling openssh
In-Reply-To: <002f01bfd603$205a54a0$530ba7d1@zerocode>; from pamirian@primustel.ca on Wed, Jun 14, 2000 at 09:19:06AM -0400
References: <002f01bfd603$205a54a0$530ba7d1@zerocode>
Message-ID: <20000614100026.A18118@japh.itg.ti.com>

I think openssl has recently changed where the libs are stored. Several programs that use SSL have the same problem. To get around this, I symlinked libcrypto.a and libssl.a into the top of the ssl directory:

/usr/local/ssl/libcrypto.a -> lib/libcrypto.a
/usr/local/ssl/libssl.a -> lib/libssl.a

After that all the apps built properly.

-Lee

---begin quoted text---
> Delivered-To: openssh-unix-dev-list at mindrot.org
> From: "Patrick Amirian"
> To:
> Subject: need help with compiling openssh
> Date: Wed, 14 Jun 2000 09:19:06 -0400
> X-Mailer: Microsoft Outlook Express 5.00.2314.1300
>
> hi,
> I'm trying to compile OpenSSH, latest version on my Linux box.
> I know that it requires openssl and I've installed the 0.9.5a and it's
> working just fine.
>
> Now when I'm trying to ./configure the openssh with the options
>
> ./configure --prefix=/usr/local/bin/openssh/ --without-pam --without-shadow
> --with-tcp-wrappers
> It's giving me
>
> checking for openssl directory... configure: error: could not find working
> SSLeay / OpenSSL libraries, please install
>
> but I've already installed it.
> I've also tried with the option... humm... ssl-dir or something like that to
> give it the path to my ssl libraries myself but I'm getting the same
> thing...
> any ideas ?
>
> Thanks.
>
---end quoted text---
--
Lee Eakin - leakin at ti.com - Naming Services, Texas Instruments   -o)
[ permanent e-mail: Lee at Eakin.Org ]                              /\\
"Hit any key to continue" does _not_ mean you should hit the power switch. _\_v

From ted at mtv.se Thu Jun 15 03:58:43 2000
From: ted at mtv.se (Ted Parnefors)
Date: Wed, 14 Jun 2000 19:58:43 +0200 (CEST)
Subject: need help with compiling openssh
In-Reply-To: <002f01bfd603$205a54a0$530ba7d1@zerocode>
Message-ID:

On Wed, 14 Jun 2000, Patrick Amirian wrote:

> hi,
> I'm trying to compile OpenSSH, latest version on my Linux box.
> I know that it requires openssl and I've installed the 0.9.5a and it's
> working just fine.
>
> Now when I'm trying to ./configure the openssh with the options
>
> ./configure --prefix=/usr/local/bin/openssh/ --without-pam --without-shadow
> --with-tcp-wrappers
> It's giving me

The default installation directory for OpenSSL is /usr/local/ssl as far as I know so if you add "--with-ssl=/usr/local/ssl" to your configure line it should work just fine, otherwise check where it was installed and use that path instead.

--
Ted Parnefors , KeyID 0x6627DEE4
PGP Fingerprint 1C39FA94703EB54A011CF18932018E256627DEE4

From ted at mtv.se Thu Jun 15 04:01:39 2000
From: ted at mtv.se (Ted Parnefors)
Date: Wed, 14 Jun 2000 20:01:39 +0200 (CEST)
Subject: need help with compiling openssh
In-Reply-To:
Message-ID:

On Wed, 14 Jun 2000, Ted Parnefors wrote:

> On Wed, 14 Jun 2000, Patrick Amirian wrote:
>
> > hi,
> > I'm trying to compile OpenSSH, latest version on my Linux box.
> > I know that it requires openssl and I've installed the 0.9.5a and it's
> > working just fine.
> >
> > Now when I'm trying to ./configure the openssh with the options
> >
> > ./configure --prefix=/usr/local/bin/openssh/ --without-pam --without-shadow
> > --with-tcp-wrappers
> > It's giving me
>
> The default installation directory for OpenSSL is /usr/local/ssl as far as I
> know so if you add "--with-ssl=/usr/local/ssl" to your configure line it should
> work just fine, otherwise check where it was installed and use that path
> instead.
>

Oooops! Typo! :) Of course that should be "--with-ssl-dir" and not "--with-ssl".

--
Ted Parnefors , KeyID 0x6627DEE4
PGP Fingerprint 1C39FA94703EB54A011CF18932018E256627DEE4

From gem at rellim.com Thu Jun 15 05:11:31 2000
From: gem at rellim.com (Gary E. Miller)
Date: Wed, 14 Jun 2000 12:11:31 -0700 (PDT)
Subject: OpenSSH 2.1.1p1 on SCO Unixware 7.1.0
Message-ID:

Yo All!

I was just trying out OpenSSH 2.1.1p1 on SCO Unixware 7.1.0. The "configure"
dies. See below.

This seems to be the problem:

	if test -d "$f" -o -e "$f" ; then
		conf_lastlog_location=$f
	fi

test is expecting a "shell option" after the "-o". If I run
"/bin/sh ./configure" it fails. If I run "/bin/bash ./configure" it passes.

Maybe you can break the test up into 2 parts?

After that it seems to build, install and run fine.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
	gem at rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

loading cache ./config.cache
checking for gcc... no
checking for cc... cc
checking whether the C compiler (cc ) works... yes
checking whether the C compiler (cc ) is a cross-compiler... no
checking whether we are using GNU C... no
checking whether cc accepts -g... yes
checking host system type... i586-sco-sysv5uw7.1.0
checking how to run the C preprocessor... cc -E
checking for ranlib... :
checking for a BSD compatible install... ./install-sh -c
checking for ar... ar
checking for perl... /usr/local/bin/perl
checking for ent... no
checking for inline... no
checking for deflate in -lz... yes
checking for login in -lutil... no
checking for yp_match in -lnsl... yes
checking for main in -lsocket... yes
checking for bstring.h... no
checking for endian.h... no
checking for lastlog.h... yes
checking for login.h... no
checking for maillock.h... yes
checking for netdb.h... yes
checking for netgroup.h... no
checking for netinet/in_systm.h... yes
checking for paths.h... yes
checking for poll.h... yes
checking for pty.h... no
checking for shadow.h... yes
checking for security/pam_appl.h... no
checking for sys/bitypes.h... yes
checking for sys/bsdtty.h... no
checking for sys/cdefs.h... yes
checking for sys/poll.h... yes
checking for sys/select.h... yes
checking for sys/stropts.h... yes
checking for sys/sysmacros.h... yes
checking for sys/time.h... yes
checking for sys/ttcompat.h... no
checking for stddef.h... yes
checking for time.h... yes
checking for util.h... no
checking for utmp.h... yes
checking for utmpx.h... yes
checking for arc4random... no
checking for atexit... yes
checking for b64_ntop... no
checking for bcopy... yes
checking for bindresvport_af... no
checking for clock... yes
checking for freeaddrinfo... yes
checking for gai_strerror... yes
checking for getaddrinfo... yes
checking for getnameinfo... yes
checking for getrusage... yes
checking for innetgr... yes
checking for md5_crypt... no
checking for memmove... yes
checking for mkdtemp... no
checking for on_exit... no
checking for openpty... no
checking for rresvport_af... no
checking for setenv... no
checking for seteuid... yes
checking for setlogin... no
checking for setproctitle... no
checking for setreuid... yes
checking for snprintf... yes
checking for strlcat... no
checking for strlcpy... no
checking for vsnprintf... yes
checking for vhangup... no
checking for _getpty... no
checking for __b64_ntop... no
checking for gettimeofday... yes
checking for time... yes
checking for login... no
checking for logout... no
checking for updwtmp... yes
checking for logwtmp... no
checking for entutent... no
checking for getutent... yes
checking for getutid... yes
checking for getutline... yes
checking for pututline... yes
checking for setutent... yes
checking for utmpname... yes
checking for entutxent... no
checking for getutxent... yes
checking for getutxid... yes
checking for getutxline... yes
checking for pututxline... yes
checking for setutxent... yes
checking for utmpxname... yes
checking for login... (cached) no
checking for login in -lbsd... no
checking for daemon... no
checking for daemon in -lbsd... no
checking for getpagesize... yes
checking for OpenSSL directory... /usr/local/ssl
checking for RSA support... yes
checking size of char... 1
checking size of short int... 2
checking size of int... 4
checking size of long int... 4
checking size of long long int... 8
checking for intXX_t types... yes
checking for u_intXX_t types... no
checking for intXX_t and u_intXX_t types in sys/bitypes.h... yes
checking for uintXX_t types... yes
checking for socklen_t... no
checking for size_t... yes
checking for ssize_t... yes
checking for struct sockaddr_storage... no
checking for struct sockaddr_in6... yes
checking for struct in6_addr... yes
checking for struct addrinfo... yes
checking for ut_host field in utmp.h... no
checking for ut_host field in utmpx.h... yes
checking for syslen field in utmpx.h... yes
checking for ut_pid field in utmp.h... yes
checking for ut_type field in utmp.h... yes
checking for ut_type field in utmpx.h... yes
checking for ut_tv field in utmp.h... no
checking for ut_id field in utmp.h... yes
checking for ut_addr field in utmp.h... no
checking for ut_addr field in utmpx.h... no
checking for ut_addr_v6 field in utmp.h... no
checking for ut_addr_v6 field in utmpx.h... no
checking for ut_exit field in utmp.h... yes
checking for ut_time field in utmp.h... yes
checking for ut_time field in utmpx.h... yes
checking for ut_tv field in utmpx.h... yes
checking for ss_family field in struct sockaddr_storage... no
checking for __ss_family field in struct sockaddr_storage... no
checking if libc defines __progname... no
checking for rsh... /usr/bin/rsh
checking for xauth... no
checking for /dev/ptmx... yes
checking for /dev/ptc... no
checking for /dev/urandom... no
checking for ls... /usr/bin/ls
checking for netstat... /usr/bin/netstat
checking for arp... /usr/sbin/arp
checking for ifconfig... /usr/sbin/ifconfig
checking for ps... /sbin/ps
checking for w... /usr/bin/w
checking for who... /sbin/who
checking for last... /usr/bin/last
checking for lastlog... no
checking for df... /sbin/df
checking for vmstat... no
checking for uptime... /usr/bin/uptime
checking for ipcs... /usr/bin/ipcs
checking for tail... /usr/bin/tail
checking for ls... (cached) /usr/bin/ls
checking if we need to convert IPv4 in IPv6-mapped addresses... no (default)
checking if your system defines LASTLOG_FILE... no
checking if your system defines _PATH_LASTLOG... no
UX:test (./configure): ERROR: Argument expected

From pamirian at primustel.ca Thu Jun 15 05:12:05 2000
From: pamirian at primustel.ca (Patrick Amirian)
Date: Wed, 14 Jun 2000 15:12:05 -0400
Subject: oh non!! grrr.... :)
Message-ID: <000f01bfd634$6e1e82c0$0c0ca7d1@zerocode>

new problem!

I managed to have my openssh find the openssl libraries, I had to create 2
symlinks in the ../openssl directory pointing to the 2 ??.a files in
/openssl/lib/

now when I'm trying to do a make I'm getting this:

In file included from ssh.h:30
                 from bsd-misc.c:46:
cipher.h:22: openssl/cast.h: No such file or directory
make: *** [bsd-misc.o] Error 1

is this just happening to me or what? by the way I'm on a Linux machine but I
doubt that it has something to do with it.

Thanks and guys don't forget to fix the ./configure file, it should point to
/openssl/lib/ or you can just leave it the way it is :)

one more thing it does not work even if I do
--with-ssl-dir=/usr/local/bin/openssl/lib/
I absolutely have to create the 2 symlinks in /usr/local/bin/openssl/ directory

thanks again.

From djm at mindrot.org Thu Jun 15 07:51:01 2000
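The portable form of the lastlog probe Gary quotes, as an added example that is not OpenSSH's configure script; the function name and the candidate paths are invented for illustration.

```shell
# Added example: a portable version of the lastlog-location probe that
# fails under the UnixWare /bin/sh in the report above. Not OpenSSH's own
# configure script; the function name and the candidate paths are invented
# for illustration.

# The original one-liner
#     if test -d "$f" -o -e "$f" ; then
# hands test a single expression with "-o" in the middle, and the report
# shows a Bourne shell whose test reads that "-o" as a shell option and
# aborts with "ERROR: Argument expected". Running two separate test
# commands and combining their exit statuses with the shell's own "||"
# never passes "-o" to test, so every sh parses it the same way.
first_existing_path() {
    for f in "$@"; do
        if test -d "$f" || test -e "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Same shape as the configure probe: take the first candidate that exists,
# otherwise leave the location empty for a later default to fill in.
conf_lastlog_location=$(first_existing_path /var/log/lastlog /var/adm/lastlog /etc/lastlog) \
    || conf_lastlog_location=""
echo "lastlog location: ${conf_lastlog_location:-(none found)}"
```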
From: djm at mindrot.org (Damien Miller)
Date: Thu, 15 Jun 2000 07:51:01 +1000 (EST)
Subject: oh non!! grrr.... :)
In-Reply-To: <000f01bfd634$6e1e82c0$0c0ca7d1@zerocode>
Message-ID:

On Wed, 14 Jun 2000, Patrick Amirian wrote:

> new problem!
> I managed to have my openssh find the openssl libraries, I had to create 2
> symlinks in the ../openssl directory pointing to the 2 ??.a files in
> /openssl/lib/

You can do something like:

CFLAGS=-I../openssl/include LDFLAGS=-L../openssl/lib ./configure

to tell configure where to find the headers and libraries.

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From ted at mtv.se Thu Jun 15 08:14:14 2000
From: ted at mtv.se (Ted Parnefors)
Date: Thu, 15 Jun 2000 00:14:14 +0200 (CEST)
Subject: SCP Problems.
In-Reply-To: <3946A3A1.192F5930@ensim.com>
Message-ID:

I've been trying a whole lot of different keys now, but the problem is
persistent, it won't go away. I can do "ssh" to the other machine without
problems but "scp" just doesn't work. What kernel version are you using on your
linux machine? I'm using 2.2.14 on one of them and 2.2.15 on the other one. I'm
using different "glibc" on them too (2.1.1 and 2.1.3) but that probably
shouldn't make any difference either. sigh...

On Tue, 13 Jun 2000, Rachit Siamwalla wrote:

>
> That's weird, I could do linux-linux scps without a problem. I did the
> same thing as you, use strictly ssh version 2 (with the -2) option.
>
> Perhaps this problem is related to certain keys (like the other key_read
> problem). Too bad I blew away the machines I used to test this problem
> (and I can't get them back). Try storing the server key somewhere and
> regenerating the key and see if it still happens (probably a stupid
> idea, but easy to try out, anyway).
>
> > Just added myself to the list, and I saw that somebody else had the same
> > problem that I have, namely that I can't get "scp" to work. The similarities I
> > could see was that we both use linux as the platform for issuing the command
> > "scp", however I also use linux on the destination. The other similarity is that
> > we both are using strictly version 2 of the ssh protocol. I've included the
> > output of a "scp -v". Or am I simply doing something wrong?
> >

--
Ted Parnefors , KeyID 0x6627DEE4
PGP Fingerprint 1C39FA94703EB54A011CF18932018E256627DEE4

From rachit at ensim.com Thu Jun 15 08:55:28 2000
From: rachit at ensim.com (Rachit Siamwalla) Date: Wed, 14 Jun 2000 15:55:28 -0700 Subject: SCP Problems. References: Message-ID: <39480D60.77CC98BA@ensim.com> kernel version doesn't seem to matter. I'm using a pretty default RH 6.1 machine, 2.2.12-20 and glibc 2.1.2. Before running I did a clean format of the machine. I have a couple of non-standard kernel modules installed, but that shouldn't matter. The other solaris machine that was the server was also a recently formatted fairly stock solaris 7 machine. -rchit Ted Parnefors wrote: > > I've been trying a whole lot of different keys now, but the problem is > persistent, it won't go away. I can do "ssh" to the other machine without > problems but "scp" just doesn't work. What kernel version are you using on your > linux machine? I'm using 2.2.14 on one of them and 2.2.15 on the other one. I'm > using different "glibc" on them too (2.1.1 and 2.1.3) but that probably should > make any difference either. sigh... From itojun at iijlab.net Thu Jun 15 14:44:43 2000 From: itojun at iijlab.net (Jun-ichiro itojun Hagino) Date: Thu, 15 Jun 2000 13:44:43 +0900 Subject: configure.in portability: need other headers for sockaddr_in6 Message-ID: <4168.961044283@lychee.itojun.org> I think I have sent this before, but since it is not in 2.1.1p1 I would like to resend. the following patch improves portability of configure.in script. netbsd build will choke without this. itojun $NetBSD: patch-aa,v 1.7 2000/05/31 15:32:44 itojun Exp $ --- configure.in Tue May 30 11:57:47 2000 +++ configure.in Wed May 31 18:31:52 2000 @@ -447,3 +447,5 @@ [ +#include #include +#include ], @@ -461,2 +463,3 @@ [ +#include #include From Norbert.Bladt at adi.ch Thu Jun 15 23:51:59 2000 
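Review bot: the header names in both hunks did not survive extraction (each "+#include" is shown without its angle-bracket argument), so which headers are being added ahead of the existing include at configure.in lines 447 and 461 cannot be checked from the visible lines, and the second hunk ("@@ -461,2 +463,3 @@") is cut off right after its added line with no trailing context. Before this can be reviewed against the NetBSD sockaddr_in6 build failure it describes, the patch needs resending with the include names intact, or the message should state which headers are being added and why the existing include alone is not enough on NetBSD.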
From: Norbert.Bladt at adi.ch (Bladt Norbert)
Date: Thu, 15 Jun 2000 15:51:59 +0200
Subject: AW: oh non!! grrr.... :)
Message-ID: <0912C8BC2132D411BBB80001020BA94702D6FA@naizk10.adi.ch>

Damien Miller wrote:
>> On Wed, 14 Jun 2000, Patrick Amirian wrote:
>
>> new problem!
>> I managed to have my openssh find the openssl libraries, I had to
> create 2
>> symlinks in the ../openssl directory pointing to the 2 ??.a files in
>> /openssl/lib/
>
> You can do something like:
> CFLAGS=-I../openssl/include LDFLAGS=-L../openssl/lib ./configure
> to tell configure where to find the headers and libraries.

What I had to do was something like this to get it configured.
First to set the location of the zlib include and library files and
second the location of the openssl include files and libraries.

CFLAGS="-I/usr/local/include -I/usr/local/ssl/include" LDFLAGS="-L/usr/local/lib -L/usr/local/ssl/lib"
./configure --with-ssl-dir=/usr/local/openssl

it took me hours (on a very slow system) to figure this one out.
The above two lines are in fact just one command line.

L8R,
Norbert.

--
Norbert Bladt
ATAG debis Informatik, TZ1 - Z302
Industriestrasse 1, CH 3052-Zollikofen
E-Mail: norbert.bladt at adi.ch
Tel.: +41 31 915 3964
Fax: +41 31 915 3640

From acox at cv.telegroup.com Fri Jun 16 02:26:27 2000
From: acox at cv.telegroup.com (Aran Cox)
Date: Thu, 15 Jun 2000 18:26:27 +0200
Subject: SCO OpenServer 5.0.5, issues with MAXPATHLEN and tty devices
Message-ID: <394903B3.C5CF2E2@cv.telegroup.com>

These issues affected previous 2.x versions of openssh and still affect
openssh-2.1.1p1. The environment is SCO OS 5.0.5 with the SCO development
environment (not gcc, gmake, etc.) There are two issues, the first is a
compilation problem, and the second is a run-time problem.

The first problem is simply that MAXPATHLEN is not defined. I found it to be
defined in /usr/include/sys/fs/dtfilsys.h but I am not sure if including this
file is the correct thing to do or not. I got around this by simply defining
it as 1024 in defines.h.

The second problem is related to the tty devices chosen by the sshd when
initiating a new connection: If HAVE_DEV_PTMX is defined, code in pty.c
(function pty_alloc) is used that seems to be designed for Solaris 2.X. The
header above the code is

/*
 * This code is used e.g. on Solaris 2.x. (Note that Solaris 2.3
 * also has bsd-style ptys, but they simply do not work.)
 */

It tries to use device names like /dev/pts000 and causes the code in
pty_make_controlling_tty to fail. Specifically this code fails:

	/* Verify that we now have a controlling tty. */
	fd = open("/dev/tty", O_WRONLY);
	if (fd < 0)
		error("open /dev/tty failed - could not set controlling tty: %.100s",
		      strerror(errno));
	else {
		close(fd);
	}

Causing this message to be generated by the sshd when run with the -d option:

error: open /dev/tty failed - could not set controlling tty: No such device or address

If I alter the config.h line that defines HAVE_DEV_PTMX to:

#undef HAVE_DEV_PTMX

then it compiles with code that seems to work exactly as expected, choosing
tty device names like /dev/ttyp8.

The above error message does indicate a real problem, not just a potential
one. At the very least it prevents me from running resize which makes using
the terminal very tricky.

Both of these issues seem really to be problems with the configure script.
(configure should find MAXPATHLEN for you, and should know that using
/dev/ptsX on SCO OS doesn't work) I'm no autoconf wizard but I will try to fix
these issues and submit a patch, unless someone else who is more familiar with
the code could do it quicker ;)

From pausmith at nortelnetworks.com Fri Jun 16 02:37:08 2000
From: pausmith at nortelnetworks.com (Paul D. Smith)
Date: Thu, 15 Jun 2000 12:37:08 -0400 (EDT)
Subject: ssh 2.1.1p1 can't connect; ssh 1.2.3 can
Message-ID: <14665.1588.781410.640729@nortelnetworks.com>

My ISP supports connections via ssh. I was using OpenSSH 1.2.3 (portable) on
Solaris 2.5.1 (with EGD), and I could connect to my ISP just fine. They're
using the proprietary sshd version 1.2.26 as far as I can tell. A connect
session looks like:

  $ ssh-1.2.3 -v -l foobar xx.xx.xx.xx
  SSH Version OpenSSH-1.2.3, protocol version 1.5.
  Compiled with SSL.
  debug: ssh_connect: getuid 390 geteuid 390 anon 1
  debug: Connecting to xx.xx.xx.xx [xx.xx.xx.xx] port 22.
  debug: Connection established.
  debug: Remote protocol version 1.5, remote software version 1.2.26
  debug: Waiting for server public key.
  debug: Received server public key (768 bits) and host key (1024 bits).
  debug: Host 'xx.xx.xx.xx' is known and matches the host key.
  debug: Encryption type: 3des
  debug: Sent encrypted session key.
  debug: Installing crc compensation attack detector.
  debug: Received encrypted confirmation.
  debug: Trying RSA authentication via agent with 'psmith at lemming'
  debug: Received RSA challenge from server.
  debug: Sending response to RSA challenge.
  debug: Remote: RSA authentication accepted.
  debug: RSA authentication accepted by server.
  debug: Requesting pty.
  debug: Requesting authentication agent forwarding.
  debug: Requesting shell.
  debug: Entering interactive session.
  ...
  $ exit
  Connection to xx.xx.xx.xx closed.
  debug: Transferred: stdin 5, stdout 709, stderr 36 bytes in 25.4 seconds
  debug: Bytes per second: stdin 0.2, stdout 27.9, stderr 1.4
  debug: Exit status 0

Now I've compiled OpenSSH 2.1.1p1 (same system, Solaris 2.5.1, but this time
using PRNG instead of EGD). This version works to _some_ systems (for example,
I can connect to my home system which is running Debian GNU/Linux 2.2--running
sshd from OpenSSH 1.2.3). But, I can't connect to my ISP; I just time out.

Here's a session:

  $ ssh-2.1.1p1 -v -l foobar xx.xx.xx.xx
  SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
  Compiled with SSL (0x0090581f).
  debug: loaded 21 entropy commands from /usr/global/etc/ssh_prng_cmds
  debug: Seeding random number generator.
  debug: OpenSSL random status is now 0
  debug: 1 bytes from system calls
  debug: Command 'arp -a -n' timed out
  debug: Command 'last' timed out
  debug: Command 'df' timed out
  debug: 28 bytes from programs
  debug: OpenSSL random status is now 1
  debug: loading PRNG seed from file /export/home/psmith/.ssh/prng_seed
  debug: ssh_connect: getuid 390 geteuid 0 anon 0
  debug: Connecting to xx.xx.xx.xx [xx.xx.xx.xx] port 22.
  debug: Seeding random number generator.
  debug: OpenSSL random status is now 1
  debug: 1 bytes from system calls
  debug: 26 bytes from programs
  debug: OpenSSL random status is now 1
  debug: Allocated local port 827.
  debug: connect: Connection timed out
  debug: Trying again...
  debug: Connecting to xx.xx.xx.xx [xx.xx.xx.xx] port 22.
  debug: Allocated local port 850.
  debug: connect: Connection timed out
  debug: Trying again...
  debug: Connecting to xx.xx.xx.xx [xx.xx.xx.xx] port 22.
  debug: Allocated local port 892.
  debug: connect: Connection timed out
  debug: Trying again...
  debug: Connecting to xx.xx.xx.xx [xx.xx.xx.xx] port 22.
  debug: Allocated local port 755.
  debug: connect: No route to host
  Secure connection to xx.xx.xx.xx refused; reverting to insecure method.
  Using rsh.  WARNING: Connection will not be encrypted.
  /usr/bin/rsh xx.xx.xx.xx -l foobar
  xx.xx.xx.xx: No route to host

I tried reading the FAQ and skimming the list archives, but nothing jumped
out at me. Anyone have any thoughts?

--
-------------------------------------------------------------------------------
Paul D. Smith  Network Management Development
"Please remain calm...I may be mad, but I am a professional."
--Mad Scientist ------------------------------------------------------------------------------- These are my opinions---Nortel Networks takes no responsibility for them. From mstone at cs.loyola.edu Fri Jun 16 04:01:37 2000 From: mstone at cs.loyola.edu (Michael Stone) Date: Thu, 15 Jun 2000 14:01:37 -0400 Subject: problem in entropy.c if no getrusage Message-ID: <20000615140137.G23299@justice.loyola.edu> entropy.c assumes RUSAGE_SELF and RUSAGE_CHILDREN *** entropy.c.orig Thu Jun 15 13:57:28 2000 --- entropy.c Thu Jun 15 13:58:25 2000 *************** *** 201,207 **** --- 201,209 ---- total_entropy_estimate += stir_gettimeofday(1.0); total_entropy_estimate += stir_clock(0.2); + #ifdef HAVE_GETRUSAGE total_entropy_estimate += stir_rusage(RUSAGE_SELF, 2.0); + #endif return(total_entropy_estimate); } *************** *** 247,254 **** --- 249,258 ---- /* Execution times should be a little unpredictable */ total_entropy_estimate += stir_gettimeofday(0.05); total_entropy_estimate += stir_clock(0.05); + #ifdef HAVE_GETRUSAGE total_entropy_estimate += stir_rusage(RUSAGE_SELF, 0.1); total_entropy_estimate += stir_rusage(RUSAGE_CHILDREN, 0.1); + #endif } else { #ifdef DEBUG_ENTROPY debug("Command '%s' disabled (badness %d)", -- Mike Stone From markus.friedl at informatik.uni-erlangen.de Thu Jun 15 23:59:28 2000 
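Review bot: guarding only the call sites with "#ifdef HAVE_GETRUSAGE" is not enough if stir_rusage() itself, defined elsewhere in entropy.c and outside these two hunks, still calls getrusage() and names struct rusage; that definition needs the same guard or a stub returning 0, otherwise the file still fails to compile on the hosts this patch is for. The commit message should also say what the change costs: in both hunks the rusage terms drop out of total_entropy_estimate on such hosts, so the seeding has to reach its target from gettimeofday, clock and the command outputs alone, and a one-line note of which platform lacks getrusage would help the next reader, since the message currently says only that RUSAGE_SELF and RUSAGE_CHILDREN are assumed.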
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 15 Jun 2000 15:59:28 +0200
Subject: TCP connection forwarding troubles
In-Reply-To: <200006140117.SAA27240@homer.ka9q.ampr.org>; from karn@ka9q.ampr.org on Tue, Jun 13, 2000 at 06:17:06PM -0700
References: <200006140117.SAA27240@homer.ka9q.ampr.org>
Message-ID: <20000615155928.C26857@folly.informatik.uni-erlangen.de>

Does this happen for protocol 1 or 2?
Could you please send a 'ssh -v' trace?

On Tue, Jun 13, 2000 at 06:17:06PM -0700, Phil Karn wrote:
> For some time I have routinely websurfed across a forwarded TCP
> connection using SSH. The other end of the TCP tunnel connects to a
> Squid proxy cache on the same machine.
>
> This usually works. But I see lots of error messages on each end of
> the form
>
> Jun 13 13:22:02 tunnel sshd[32378]: error: channel 0: chan_shutdown_read: shutdown() failed for fd5 [i1 o128]: Transport endpoint is not connected
> Jun 13 13:22:11 tunnel sshd[32378]: error: channel 2: chan_shutdown_read: shutdown() failed for fd10 [i1 o128]: Transport endpoint is not connected
> Jun 13 13:24:50 tunnel sshd[32378]: error: channel 0: chan_shutdown_read: shutdown() failed for fd5 [i1 o128]: Transport endpoint is not connected
> Jun 13 13:25:03 tunnel sshd[32378]: error: channel 1: chan_shutdown_read: shutdown() failed for fd8 [i1 o128]: Transport endpoint is not connected
> Jun 13 13:25:03 tunnel sshd[32378]: error: channel 3: chan_shutdown_read: shutdown() failed for fd11 [i1 o128]: Transport endpoint is not connected
> Jun 13 13:25:03 tunnel sshd[32378]: error: channel 2: chan_shutdown_read: shutdown() failed for fd10 [i1 o128]: Transport endpoint is not connected
> Jun 13 13:25:14 tunnel sshd[32378]: error: channel 5: chan_shutdown_read: shutdown() failed for fd13 [i1 o128]: Transport endpoint is not connected
> Jun 13 13:46:02 tunnel sshd[32378]: error: channel 3: chan_shutdown_read: shutdown() failed for fd11 [i1 o128]: Transport endpoint is not connected
>
> This is from the remote end of the tunnel, the machine with the squid
> proxy. I see similar messages on the client side.
>
> And occasionally things often just hang. When I kill and restart the
> local ssh client that's providing the tunnel, it starts working again.
>
> Both ends are running OpenSSH 2.1.1, Debian Linux 2.1 and the 2.2.15 kernel.
>
> --Phil
>

From markus.friedl at informatik.uni-erlangen.de Fri Jun 16 00:02:17 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 15 Jun 2000 16:02:17 +0200
Subject: SCP Problems.
In-Reply-To: ; from ted@mtv.se on Tue, Jun 13, 2000 at 10:53:28PM +0200
References:
Message-ID: <20000615160217.D26857@folly.informatik.uni-erlangen.de>

On Tue, Jun 13, 2000 at 10:53:28PM +0200, Ted Parnefors wrote:
> debug: Sending command: scp -v -t .

is scp in your default path on the remote host?

From markus.friedl at informatik.uni-erlangen.de Thu Jun 15 23:47:33 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 15 Jun 2000 15:47:33 +0200
Subject: ssh -R option
In-Reply-To: ; from bakerkj@umich.edu on Mon, Jun 12, 2000 at 11:58:28AM -0400
References:
Message-ID: <20000615154733.A26857@folly.informatik.uni-erlangen.de>

On Mon, Jun 12, 2000 at 11:58:28AM -0400, Kenneth J Baker wrote:
>
> Dear list,
>
> I'm relatively new to using ssh. I'm trying to use the -R option to set
> up a forwarded port between two machines. Specifically I'd like to be
> able to ssh to machineB from machineA and then have a port on machineB
> that I can connect to machineA with. If my understanding is correct I'd
> need a command like:
> machineA> ssh -R 10000:machineA:23 machineB

this is correct. the following line does the same:

	machineA> ssh -R 10000:localhost:23 machineB

> This should open port 10000 on machineB to be forwarded to machineA:23,
> right? Assuming I have telnet open on machineA I should be able to then:
> machineB> telnet machineB 10000
>
> For some reason this doesn't work. Is what I'm trying to do possible?
> Any suggestions?

does

	machineB> telnet localhost 10000

work?

if you want to make sshd listen to port 10000 on _all_ interfaces
(default is loopback only) you have to use the GatewayPorts option
for sshd, see sshd(8).

-m

From markus.friedl at informatik.uni-erlangen.de Thu Jun 15 23:57:05 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 15 Jun 2000 15:57:05 +0200
Subject: Remote -> remote scp not working
In-Reply-To: ; from J.Horne@plymouth.ac.uk on Tue, Jun 13, 2000 at 04:00:40PM +0100
References:
Message-ID: <20000615155705.B26857@folly.informatik.uni-erlangen.de>

On Tue, Jun 13, 2000 at 04:00:40PM +0100, John Horne wrote:
> Using openssh 2.1.1p1 I have tried to use scp to copy a file from one remote
> system directly to another remote system - e.g. 'scp -i ./ecp eros:jhf
> alice:jhf', so the file jhf is copied from the remote system eros to the
> remote system alice via an intermediate system (the one where the command is
> issued from). The key is in the file ecp.
>
> Using protocol 1 it doesn't seem to work. I can issue:
>    scp -i ./ecp eros:jhf .
>    scp -i ./ecp jhf alice:jhf
>
> and these work fine. However, combining the two just gives me 'permission
> denied'. Using -v doesn't seem to show much more:

	% scp bela:/bsd nohow:/tmp

actually executes:

	% ssh bela 'scp /bsd nohow:/tmp'

so authentication from host 'bela' to 'nohow' has to work without user
interaction. the localhost does not authenticate you to both remote hosts
(only to bela). note that the name 'nohow' is interpreted on host 'bela'.

-markus

From herrold at owlriver.com Fri Jun 16 05:20:02 2000
From: herrold at owlriver.com (R P Herrold)
Date: Thu, 15 Jun 2000 15:20:02 -0400 (EDT)
Subject: SCP Problems.
In-Reply-To: <20000615160217.D26857@folly.informatik.uni-erlangen.de>
Message-ID:

On Thu, 15 Jun 2000, Markus Friedl wrote:

> On Tue, Jun 13, 2000 at 10:53:28PM +0200, Ted Parnefors wrote:
> > debug: Sending command: scp -v -t .
>
> is scp in your default path on the remote host?

... I also can create this problem at will --- yes --- /usr/bin, in each
instance --- note that running the command thus:

	/usr/bin/ssh hostname /usr/bin/scp -t -f filespec

will similarly hang, and yield no error messages, nor messages at either
host.

It is acting like a non-passive, non-proxied FTP connection --- like each
side is waiting for a signal from the other to proceed -- and not receiving
it -- and so stalling and timing out in a 'deadly embrace'

Markus: If you wish temporary user accounts on a pair of affected hosts,
please contact me off list.

-- Russ Herrold

From ted at mtv.se Fri Jun 16 06:02:11 2000
From: ted at mtv.se (Ted Parnefors)
Date: Thu, 15 Jun 2000 22:02:11 +0200 (CEST)
Subject: SCP Problems.
In-Reply-To: <20000615160217.D26857@folly.informatik.uni-erlangen.de>
Message-ID:

Damn Markus! You're the man! That was it! Thanks a lot, works beautifully.

On Thu, 15 Jun 2000, Markus Friedl wrote:

> On Tue, Jun 13, 2000 at 10:53:28PM +0200, Ted Parnefors wrote:
> > debug: Sending command: scp -v -t .
>
> is scp in your default path on the remote host?

--
Ted Parnefors , KeyID 0x6627DEE4
PGP Fingerprint 1C39FA94703EB54A011CF18932018E256627DEE4

From karn at ka9q.ampr.org Fri Jun 16 06:05:53 2000
From: karn at ka9q.ampr.org (Phil Karn)
Date: Thu, 15 Jun 2000 13:05:53 -0700
Subject: Openssh-2.1.1p1 and solaris 7/8
In-Reply-To: (P.S.S.Camp@ukc.ac.uk)
References:
Message-ID: <200006152005.NAA06839@homer.ka9q.ampr.org>

A quick workaround is to create .hushlogin in the home directory of the
Solaris machine you're logging into with slogin. This suppresses the motd
and lastlogin displays.

Until I did this, my xterm windows into my remote Solaris machine were
useless because binary garbage sent by sshd after the truncated lastlog
message screwed up the state of the local xterm emulator, which began
printing graphics characters in place of normal text.

This problem suddenly appeared when I upgraded the local client to Debian
2.2 (frozen) from 2.1 (slink). Not sure why, since both ends were already
running openssh-2.1.1p1.

Phil

From borrmann at uni-freiburg.de Fri Jun 16 21:46:03 2000
From: borrmann at uni-freiburg.de (H.G.Borrmann)
Date: Fri, 16 Jun 2000 13:46:03 +0200
Subject: OpenSSH 2.1.1 has a completely insecure libpath if compiled with gcc under AIX
Message-ID: <394A137B.4A4F4103@uni-freiburg.de>

The subject says it. Openssh 2.1.1p1 still has the same insecure LIBPATH if
compiled under AIX with gcc, e.g.

dump -H ssh

ssh:

                        ***Loader Section***
                      Loader Header Information
VERSION#         #SYMtableENT     #RELOCent        LENidSTR
0x00000001       0x000000aa       0x00001a28       0x0000008e

#IMPfilID        OFFidSTR         LENstrTBL        OFFstrTBL
0x00000004       0x000149f0       0x0000026d       0x00014a7e

                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER
0      .:/usr/local/lib:/client/lib:/usr/local/lib/gcc-lib/powerpc-ibm-aix4.3.1.0/2.95.2:/usr/lib:/lib
1                                    libc.a              shr.o
2                                    libnsl.a            shr.o
3                                    libz.a              shr.o

As I wrote earlier as a circumvention it is possible to edit the Makefile
and add an appropriate -Xlinker option, e.g. "-Xlinker
-blibpath:/usr/ruf/lib:/usr/lib:/lib" to the LDFLAGS.

I had hoped that this problem is resolved in the new OpenSSH 2.1.1p port.

H.G.Borrmann

._________________________________________________________________________.
|H.G.Borrmann                           |Tel.: (0761) 203-4652           |
|Rechenzentrum der Universitaet Freiburg|Fax:  (0761) 203-4643           |
|Hermann-Herder-Str. 10                 |email:                          |
|D79104 FREIBURG                        |borrmann at ruf.uni-freiburg.de |
|_________________________________________________________________________|

From garrick at james.net Sat Jun 17 04:39:21 2000
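A check for the libpath problem reported above, added here as an example and not part of OpenSSH or of the original message: it pulls the import-file search path (entry 0) out of "dump -H" output, here a constructed sample in the shape quoted above, and reports every entry that is not an absolute path, such as the leading "." that makes the loader search the caller's current directory first.

```shell
# Added example: flag relative entries in an AIX loader search path.
# Not part of OpenSSH or of the original report; the sample dump output
# below is constructed to match the shape of "dump -H ssh" quoted above.

SAMPLE_DUMP='ssh:

                        ***Loader Section***
                      Loader Header Information
VERSION#         #SYMtableENT     #RELOCent        LENidSTR
0x00000001       0x000000aa       0x00001a28       0x0000008e

                        ***Import File Strings***
INDEX  PATH                          BASE                MEMBER
0      .:/usr/local/lib:/client/lib:/usr/local/lib/gcc-lib/powerpc-ibm-aix4.3.1.0/2.95.2:/usr/lib:/lib
1                                    libc.a              shr.o
2                                    libnsl.a            shr.o
3                                    libz.a              shr.o'

# Search path expected from the sample above (used by the self-check).
SAMPLE_LIBPATH='.:/usr/local/lib:/client/lib:/usr/local/lib/gcc-lib/powerpc-ibm-aix4.3.1.0/2.95.2:/usr/lib:/lib'

# Read "dump -H" output on stdin and print the PATH column of import-file
# entry 0, which is the colon-separated directory list the loader searches.
# Returns 1 if no entry 0 is present.
libpath_from_dump() {
    while read -r idx path rest; do
        if [ "$idx" = "0" ]; then
            printf '%s\n' "$path"
            return 0
        fi
    done
    return 1
}

# Print every entry of a colon-separated libpath that is not an absolute
# path ("." or any relative name). Such entries are resolved against the
# current working directory of whoever runs the binary, so any directory
# that user can write to becomes a library search location for ssh.
# Returns 0 when the path is clean, 1 when at least one entry was flagged.
# The body runs in a subshell so the IFS and -f changes stay local.
insecure_libpath_entries() (
    IFS=:
    set -f                      # no globbing while splitting on ":"
    found=0
    for entry in $1; do
        case $entry in
            /*) ;;              # absolute: not flagged by this check
            *)  printf '%s\n' "$entry"; found=1 ;;
        esac
    done
    return $found
)

# Demonstration on the constructed sample.
libpath=$(printf '%s\n' "$SAMPLE_DUMP" | libpath_from_dump)
if insecure_libpath_entries "$libpath"; then
    echo "libpath OK: $libpath"
else
    echo "relative entries found in libpath: $libpath"
fi
```

On a real system the same two functions apply to "dump -H /path/to/ssh | libpath_from_dump"; the -blibpath option quoted above is the build-time fix, this check only confirms whether a given binary needs it.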
From: garrick at james.net (Garrick James)
Date: Fri, 16 Jun 2000 11:39:21 -0700 (PDT)
Subject: login reporting (utmp?) problem on Linux
Message-ID:

I have recently compiled and installed openssh-2.1.1p1 on a linux box.
The login reporting does not seem to work properly.

When logging into the box via ssh (protocol 1) utmp shows the user logged
in and the tty properly, but the field for the login date/time and the
field for originating host contain all NULLs.

Is anyone else seeing this same behavior, or have I just done something
really stupid? I will not be able to use openssh if it doesn't log to utmp
properly. :-(

Thanks,
Garrick James

From emily at ubermachine.com Sat Jun 17 04:57:19 2000
From: emily at ubermachine.com (Emily Slocombe)
Date: Fri, 16 Jun 2000 14:57:19 -0400
Subject: login reporting (utmp?) problem on Linux
In-Reply-To: ; from garrick@james.net on Fri, Jun 16, 2000 at 11:39:21AM -0700
References:
Message-ID: <20000616145719.A8363@ubermachine.com>

* Garrick James [000616 14:43]:
|I have recently compiled and installed openssh-2.1.1p1 on a linux box.
|The login reporting does not seem to work properly.

I have recently compiled and installed it on 4 machines, 3 of which are
Slackware7, and one is Slackware-current.

|When logging into the box via ssh (protocol 1) utmp shows the user logged
|in and the tty properly, but the field for the login date/time and the
|field for originating host contain all NULLs.

For me, I have the same behavior -- 0xffffff. opensshd seems to have a
utmp problem, but I can't be sure. All of the ttyp*'s are ssh logins:

[emily at dumont:~]$ w
  2:50pm  up 2 days, 21:07,  7 users,  load average: 2.00, 2.00, 2.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
emily    tty1     -                Tue 5pm 16:21m  1.21s  1.17s  ssh damon
emily    tty2     -                Tue 5pm  2days  2days 42.25s  dnetc
emily    tty3     -                Thu11am 19:54   0.03s  0.03s  -bash
emily    tty4     -                12:47am 30:31   0.06s  0.06s  -bash
emily    ttyp6    -                31Dec69  0.00s  0.02s  0.01s  w
emily    ttyp4    -                31Dec69 13.00s  0.20s  0.10s  mutt
emily    ttyp5    -                31Dec69  7:59   0.06s  0.04s  ssh otn

Thanks,
Emily

From wooac at hotmail.com Sat Jun 17 12:05:42 2000
From: wooac at hotmail.com (Alex Woo)
Date: Fri, 16 Jun 2000 19:05:42 PDT
Subject: Winsock2 port
Message-ID: <20000617020542.33116.qmail@hotmail.com>

Is anyone working on a Winsock2 port of openssh?

________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com

From garrick at james.net Sat Jun 17 18:15:57 2000
From: garrick at james.net (Garrick James) Date: Sat, 17 Jun 2000 01:15:57 -0700 (PDT) Subject: PATCH: login reporting (utmp?) problem on Linux In-Reply-To: <20000616145719.A8363@ubermachine.com> Message-ID: After quite a while trying to track down what was going wrong, I discovered that the configure script is what is causing the problem. The tests that configure runs for checking for various struct members in utmp.h do not work properly:
checking for struct sockaddr_in6... no
checking for struct in6_addr... no
checking for struct addrinfo... yes
checking for ut_host field in utmp.h... ossh_cv_utmp_h_has_ut_host
checking for ut_host field in utmpx.h... ossh_cv_utmpx_h_has_ut_host
checking for syslen field in utmpx.h... ossh_cv_utmpx_h_has_syslen
checking for ut_pid field in utmp.h... ossh_cv_utmp_h_has_ut_pid
checking for ut_type field in utmp.h... ossh_cv_utmp_h_has_ut_type
checking for ut_type field in utmpx.h... ossh_cv_utmpx_h_has_ut_type
checking for ut_tv field in utmp.h... ossh_cv_utmp_h_has_ut_tv
checking for ut_id field in utmp.h... ossh_cv_utmp_h_has_ut_id
checking for ut_addr field in utmp.h... ossh_cv_utmp_h_has_ut_addr
checking for ut_addr field in utmpx.h... ossh_cv_utmpx_h_has_ut_addr
checking for ut_addr_v6 field in utmp.h... ossh_cv_utmp_h_has_ut_addr_v6
checking for ut_addr_v6 field in utmpx.h... ossh_cv_utmpx_h_has_ut_addr_v6
checking for ut_exit field in utmp.h... ossh_cv_utmp_h_has_ut_exit
checking for ut_time field in utmp.h... ossh_cv_utmp_h_has_ut_time
checking for ut_time field in utmpx.h... ossh_cv_utmpx_h_has_ut_time
checking for ut_tv field in utmpx.h... ossh_cv_utmpx_h_has_ut_tv
checking for ss_family field in struct sockaddr_storage... no
checking for __ss_family field in struct sockaddr_storage... no
checking if libc defines __progname... yes
All those ossh_cv_SOMETHING-OR-OTHERs should all be simple "yes"es or "no"s. As a result, a number of #defines never get set in config.h.
Anyway, to fix the problem apply the following patch and run autoreconf before running configure. I hope this doesn't break configure for other platforms, though... :-) Thanks, Emily, for responding and letting me know I wasn't the only one with the problem! -Garrick James --------- cut here ----------- *** aclocal.m4.orig Sat Jun 17 00:11:58 2000 --- aclocal.m4 Sat Jun 17 00:34:33 2000 *************** *** 22,28 **** eval "$ossh_varname=no" dnl ]) dnl ]) ! ossh_result=`eval "echo "$"$ossh_varname"` if test -n "`echo $ossh_varname`"; then AC_MSG_RESULT($ossh_result) if test "x$ossh_result" = "xyes"; then --- 22,28 ---- eval "$ossh_varname=no" dnl ]) dnl ]) ! ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then AC_MSG_RESULT($ossh_result) if test "x$ossh_result" = "xyes"; then From djm at mindrot.org Sat Jun 17 18:36:53 2000 From: djm at mindrot.org (Damien Miller) Date: Sat, 17 Jun 2000 18:36:53 +1000 (EST) Subject: OpenSSH 2.1.1 has a completely insecure libpath if compiled with gcc under AIX In-Reply-To: <394A137B.4A4F4103@uni-freiburg.de> Message-ID: On Fri, 16 Jun 2000, H.G.Borrmann wrote: > As I wrote earlier as a circumvention it is possible to edit the > makefiler and add an appropriate -Xlinker option, e.g. "-Xlinker > -blibpath:/usr/ruf/lib:/usr/lib:/lib" to the LDFLAGS. > > I had hoped that this problem is resolved in the new OpenSSH 2.1.1p > port. The portable OpenSSH has configure logic to set the blibpath if the xld linker is being used. Are you saying that this option is needed for other linkers? -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sun Jun 18 11:22:28 2000 
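Review bot: in the aclocal.m4 hunk quoted in Garrick James's message above, the original line ossh_result=`eval "echo "$"$ossh_varname"` misquotes the indirection: bash treats $"..." as a locale-translated string, so eval is handed the text echo ossh_cv_utmp_h_has_ut_host and prints the variable's name, which is exactly the configure output shown in the preceding message. The replacement 'echo $'"$ossh_varname" is correct; eval "ossh_result=\$$ossh_varname" would do the same without the echo and the backtick subshell. The unchanged context line if test -n "`echo $ossh_varname`" has a related problem: it tests the variable's name rather than its value, so it is always true and presumably was meant to be test -n "$ossh_result".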
From: djm at mindrot.org (Damien Miller) Date: Sun, 18 Jun 2000 11:22:28 +1000 (EST) Subject: OpenSSH 2.1.1p1 on SCO Unixware 7.1.0 In-Reply-To: Message-ID: On Wed, 14 Jun 2000, Gary E. Miller wrote: > Yo All! > > I was just trying out OpenSSH 2.1.1p1 on SCO Unixware 7.1.0. > > The "configure" dies. See below. > > This seems to be the problem: > > if test -d "$f" -o -e "$f" ; then > conf_lastlog_location=$f > fi > > test is expecting a "shell option" after the "-o". Ouch. These are used in quite a few places throughout configure and IIRC are in the POSIX standard. The -e is wrong though. You should change that to a '-f' Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sun Jun 18 12:43:29 2000 From: djm at mindrot.org (Damien Miller) Date: Sun, 18 Jun 2000 12:43:29 +1000 (EST) Subject: SCO OpenServer 5.0.5, issues with MAXPATHLEN and tty devices In-Reply-To: <394903B3.C5CF2E2@cv.telegroup.com> Message-ID: On Thu, 15 Jun 2000, Aran Cox wrote: > These issues affected previous 2. versions of openssh and still > affects openssh-2.1.1p1. The environment is SCO OS 5.0.5 with > the SCO development environment (not gcc, gmake, etc.) Thanks for these. They are already fixed in my tree. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sun Jun 18 12:45:59 2000 
From: djm at mindrot.org (Damien Miller) Date: Sun, 18 Jun 2000 12:45:59 +1000 (EST) Subject: ssh 2.1.1p1 can't connect; ssh 1.2.3 can In-Reply-To: <14665.1588.781410.640729@nortelnetworks.com> Message-ID: On Thu, 15 Jun 2000, Paul D. Smith wrote: > My ISP supports connections via ssh. I was using OpenSSH 1.2.3 > (portable) on Solaris 2.5.1 (with EGD), and I could connect to my ISP > just fine. They're using the proprietary sshd version 1.2.26 as far as I > can tell. A connect session looks like: [snip] > Now I've compiled OpenSSH 2.1.1p1 (same system, Solaris 2.5.1, but this > time using PRNG instead of EGD). This version works to _some_ systems > (for example, I can connect to my home system which is running Debian > GNU/Linux 2.2--running sshd from OpenSSH 1.2.3. > > But, I can't connect to my ISP; I just time out. Here's a session: [snip] > debug: Allocated local port 827. > debug: connect: Connection timed out > debug: Trying again... I haven't seen this one before. Can you telnet to port 22 on the target machine? An strace of the client and a tcpdump of a failed connection would help. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sun Jun 18 12:53:26 2000 From: djm at mindrot.org (Damien Miller) Date: Sun, 18 Jun 2000 12:53:26 +1000 (EST) Subject: problem in entropy.c if no getrusage In-Reply-To: <20000615140137.G23299@justice.loyola.edu> Message-ID: On Thu, 15 Jun 2000, Michael Stone wrote: > entropy.c assumes RUSAGE_SELF and RUSAGE_CHILDREN Thanks. This patch also fixes the problem of getrusage being a privileged operation on some Unices: Index: entropy.c =================================================================== RCS file: /var/cvs/openssh/entropy.c,v retrieving revision 1.13 diff -u -r1.13 entropy.c --- entropy.c 2000/06/07 12:20:23 1.13 +++ entropy.c 2000/06/18 02:52:12 
@@ -55,6 +55,13 @@ #define WHITESPACE " \t\n" +#ifndef RUSAGE_SELF +# define RUSAGE_SELF 0 +#endif +#ifndef RUSAGE_CHILDREN +# define RUSAGE_CHILDREN 0 +#endif + #if defined(EGD_SOCKET) || defined(RANDOM_POOL) #ifdef EGD_SOCKET @@ -301,9 +308,9 @@ struct rusage ru; if (getrusage(who, &ru) == -1) - fatal("Couldn't getrusage: %s", strerror(errno)); + return(0); - RAND_add(&ru, sizeof(ru), 0.1); + RAND_add(&ru, sizeof(ru), entropy_estimate); return(entropy_estimate); #else /* _HAVE_GETRUSAGE */ -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sun Jun 18 14:05:32 2000 From: djm at mindrot.org (Damien Miller) Date: Sun, 18 Jun 2000 14:05:32 +1000 (EST) Subject: configure.in portability: need other headers for sockaddr_in6 In-Reply-To: <4168.961044283@lychee.itojun.org> Message-ID: On Thu, 15 Jun 2000, Jun-ichiro itojun Hagino wrote: > > I think I have sent this before, but since it is not in 2.1.1p1 > I would like to resend. > the following patch improves portability of configure.in script. > netbsd build will choke without this. Thanks for this, it has been applied. My apologies for missing it last time. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sun Jun 18 14:11:27 2000 
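Review bot: in the first entropy.c hunk, defining both RUSAGE_SELF and RUSAGE_CHILDREN to 0 makes the two names interchangeable, so on a platform that lacks them the two getrusage() calls return identical data and the children source is credited with entropy that duplicates the self source. Since the second hunk now tolerates a failing getrusage(), it would be safer to define only RUSAGE_SELF here and compile the children call out under #ifdef RUSAGE_CHILDREN rather than double-count.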
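Review bot: in the second entropy.c hunk, return(0) on a failing getrusage() is right for the unprivileged case, but the failure is now invisible: the estimate configured for this source is promised and never delivered, with nothing in the debug log to show it. Add a debug("getrusage: %s", strerror(errno)) before the return. Also, the third argument to RAND_add() changes from the hard-coded 0.1 to entropy_estimate; OpenSSL reads that argument as bytes of entropy in the buffer, so whoever supplies entropy_estimate must now be passing bytes and not a fraction like the old constant.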
From: djm at mindrot.org (Damien Miller) Date: Sun, 18 Jun 2000 14:11:27 +1000 (EST) Subject: pine/openssh In-Reply-To: Message-ID: On Fri, 9 Jun 2000, Paul Heinlein wrote: > Forgive me for asking an implementation question on the developers' > list... Forgive my slow reply :) > Until yesterday, I was using ssh-1.2.2x on my Linux boxes here at work. I > ssh-enabled pine (4.21) by pointing it at our imap server and adding the > following directives to ~/.pinerc: > > ssh-open-timeout=30 > ssh-path=/usr/local/bin/ssh > ssh-command="%s %s -l %s exec /usr/etc/local/%sd" > > Everything worked great. I'd wrap my local X sessions in ssh-agent, load > my rsa key and voila! Password-less imap. On those rare occasions when > pine prompted me for a password, I'd know that my ssh connection hadn't > "taken" and that something was amiss. > > Upon installation of openssh-2.1.0p3, the connection no longer "takes" -- > ever. I've fiddled and fiddled, to no avail. Have you tried the 2.1.1p1 release? There were quite a few fixes included. The output of ssh in verbose mode would be preferable to tcpdumps. To capture this you might need to create a wrapper script that runs "ssh -v" and directs stderr to a log file. Use the wrapper instead of ssh in your pinerc. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Sun Jun 18 14:58:10 2000 
From: djm at mindrot.org (Damien Miller) Date: Sun, 18 Jun 2000 14:58:10 +1000 (EST) Subject: SIA support patches for Tru64 UNIX In-Reply-To: <20000612143732.A44992@isc.upenn.edu> Message-ID: On Mon, 12 Jun 2000, John P Speno wrote: > On Fri, Jun 09, 2000 at 09:59:55PM +1000, Damien Miller wrote: > > > > Do you have a diff against any of the 2.x.x OpenSSH versions? > > I do know. SIA support patches for 2.x are here: I am going through these right now, but this is concerning: > > auth-sia.c > > Author: Tom Woodburn > > Helper functions for using the SIA (Security Integration Architecture) > functions of Tru64 UNIX. > > Copyright (c) 1999 SSH Communications Security Oy, Espoo, Finland > and Compaq Computer Corporation What license is this code under? If it is to be integrated, it needs to be under a BSD licence (cf. the start of atomicio.c). Why the copyright for SSH Communications Security? If sections of this code are based on commercial SSH code, they cannot be integrated. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From lef at st.rim.or.jp Mon Jun 19 04:56:39 2000 
From: lef at st.rim.or.jp (HAYASHI, 'Lef' Tatsuya) Date: Mon, 19 Jun 2000 03:56:39 +0900 Subject: Winsock2 port Message-ID: <394D1B67124.5575LEF@mail.lefs.org> (I don't know the original "Message-Id:" from the web interface. I tried the "index" and "get" commands for Majordomo, but the returned mail body said "invalid file". Perhaps this mail breaks the message thread chain. Sorry.) At Mon, 16 Jun 2000 19:05:42 "Alex Woo" wrote: >Is anyone working on a Winsock2 port of openssh? Sorry, I'm weak at English. I'm working on "OpenSSH 2.x for Win32". I don't use VC++; I use Mingw32 (gcc for Win32). http://mingw.sourceforge.net/ I emphasize that its environment should be free/open. I don't use cygwin. That already exists. I want a native code version (for scp and CVS). But I am going ahead with the project slowly, because I don't have the time and skill, and I'm sick now... I'm unsure of completion. Don't expect too much of me, please. I will do my best.
Now status:
- /dev/random replaced by the Crypto API: implemented.
- "C>ssh -l user host ls -al" is running, but imperfectly.
- Now working on interactive mode.
- "tty" changed to the "Win32 Console API".
- "select" changed to "WaitForMultipleObjects" for "STDIN STDOUT STDERR".
- Perhaps password/RSA/DSA authentication runs. I'm testing on FreeBSD and Cygwin.
- Perhaps ssh-keygen runs. I'm testing keys on FreeBSD and Cygwin.
- ssh-add, ssh-agent, scp, sshd: not touched.
- I'm working on OpenSSH 2.1.0p2. I will change to 2.1.1p1 as soon as possible.
Screenshots: http://hp.vector.co.jp/authors/VA001791/openssh/screenshot1.png
log: "ssh -l UserName host.name ls -al" http://hp.vector.co.jp/authors/VA001791/openssh/debuglog1.txt "ssh -l UserName host.name" http://hp.vector.co.jp/authors/VA001791/openssh/debuglog2.txt
web page: http://hp.vector.co.jp/authors/VA001791/openssh/
Sorry, this web page is written in Japanese... I will make it in English as soon as possible...
----- HAYASHI, "Lef" Tatsuya / mailto:lef at st.rim.or.jp From andre.lucas at dial.pipex.com Mon Jun 19 07:35:31 2000 
From: andre.lucas at dial.pipex.com (Andre Lucas) Date: Sun, 18 Jun 2000 22:35:31 +0100 Subject: Openssh-2.1.1p1 and solaris 7/8 References: Message-ID: <394D40A3.69F92333@dial.pipex.com> Hi, Thanks for the patch, and well spotted :) I took a long hard look and found a few other instances where parts of struct [uw]tmpx? could get clobbered, so I stuck in a macro that expands to just what you've sent, and does the same in other affected parts of the code. As another list member observed, this does result in some names getting truncated in the resulting entries. I'm not really too concerned about that as long as it's for things like hostnames - if it truncates the username that's a different matter, things will probably break when that happens. Ta, -Andre' "P.S.S.Camp" wrote: > > On Tue, 13 Jun 2000, John Horne wrote: > > > Hello, > > > > I just installed the above openssh onto a Sun Solaris 7 and Solaris 8 system. > > No problem with that. However, I now seem to get some rubbish processed when > > I login with slogin. An example: > > > > Last login: Tue Jun 13 12:31:27 2000 from jhorne.csd.plymo:tJ` > > ^[[?1;2c > > > > Telnet logs in okay, but just shows 'Last login...jhorne.csd.plymo'. > > > > This seems to get passed to the shell, which it of course errors on. I do, > > however, actually login okay. This is seen on both systems. As a test I > > purged the /var/adm/lastlog file - logged out, logged in - this was okay. > > Logged out and logged in again, and got the same problem. > > > > I upgraded from 2.1.0p3 to fix the utmpx problem; that version did not > > exhibit this problem. So far the utmpx problem hasn't recurred though :-) > > > > I configured both systems using: > > ./configure --with-egd-pool=/tmp/entropy --with-catman=man > > --with-tcp-wrappers --with-default-path=/usr/bin:/usr/local/bin > > > > Using the '--disable-lastlog' got around the problem. Something doesn't seem > > right though. 
> > > Right, to further my patch yesterday, this supersedes it
> --- loginrec.c.old Wed Jun 7 12:32:13 2000
> +++ loginrec.c Tue Jun 13 15:29:19 2000
> @@ -1087,7 +1087,7 @@
> #endif
> line_fullname(li->line, utx.ut_line, sizeof(utx.ut_line));
> #ifdef HAVE_HOST_IN_UTMPX
> - strlcpy(li->hostname, utx.ut_host, sizeof(utx.ut_line));
> + strlcpy(li->hostname, utx.ut_host, sizeof(utx.ut_host));
> #endif
> }
> if (lseek(fd, (off_t)(0-2*sizeof(struct utmpx)),
> SEEK_CUR) == -1) {
> @@ -1289,7 +1289,10 @@
> lastlog_populate_entry(struct logininfo *li, struct lastlog *last)
> {
> line_fullname(li->line, last->ll_line, sizeof(li->line));
> - strlcpy(li->hostname, last->ll_host, sizeof(li->hostname));
> + /* limit at length of the smallest structre as some entries as not
> + * all are null terminated. */
> + strlcpy(li->hostname, last->ll_host,
> + ( sizeof(last->ll_host) < sizeof(li->hostname) ) ? sizeof(last->ll_host) : sizeof(li->hostname) );
> li->tv_sec = last->ll_time;
> }
>
> ----
>
> This fixes corrupt lastlogin lines with --disable-lastlog and without.
> The first chunk fixes a string chop at ut_line (32) instead of ut_host (256).
> The second fixes that not all entries in the lastlog file have zero-terminated
> strings, i.e. those of max length, so this patch modifies the strlcpy to
> a limit of the smallest structure involved in the copy, which should all
> be resolved at compile time as it is constant; then the strlcpy correctly
> terminates the copy.
>
> Phill. Camp
>
> --
> Computer Science Computing Officer
> University Of Kent At Canterbury
From gotoh at taiyo.co.jp Mon Jun 19 12:00:21 2000
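Review bot: in the first loginrec.c hunk, the size argument to strlcpy() is the size of the destination, so bounding the copy by sizeof(utx.ut_host) is only safe while ut_host is no larger than li->hostname; if ut_host is the larger of the two, this replaces an under-copy with an overflow of li->hostname. Use the smaller of the two sizes, as the second hunk does. Note also that strlcpy() walks src to its terminator to compute its return value regardless of the size argument, so a ut_host that fills its field with no NUL is still read past its end; a memchr()/memcpy() copy bounded by sizeof(utx.ut_host) avoids both problems.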
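Review bot: in the second loginrec.c hunk, bounding the copy by sizeof(last->ll_host) has an off-by-one for a full-length ll_host: strlcpy() stores at most size-1 characters, so the last character of a maximum-length hostname is dropped. Use sizeof(last->ll_host) + 1 when li->hostname is large enough (the lastlog patch from Tom Bertelson later in this thread does exactly that), or copy with memchr()/memcpy() so that the source is never scanned beyond the field at all; the size bound here does not stop strlcpy() from scanning an unterminated ll_host for its return value. Typos in the added comment: "structre", "as not".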
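The fix Andre and Phill are converging on above, a copy out of a fixed-width utmpx/lastlog field that is not guaranteed to be NUL-terminated, is easy to get subtly wrong with strlcpy(). The following is an added example, not OpenSSH code; the struct, field names and the 8-byte field size are constructed so the full-field edge case is visible. It copies at most the field width, stops at the first NUL if there is one, never scans past the field, and always terminates the destination.

```c
/* Added example (not OpenSSH code): copying a fixed-width, possibly
 * unterminated utmp/lastlog field into a NUL-terminated buffer.
 * struct demo_lastlog and its sizes are constructed for the demo. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LL_HOST_SIZE   8    /* small on purpose so a full field is easy to build */
#define LI_HOST_SIZE  32    /* stand-in for the logininfo hostname buffer */

struct demo_lastlog {
    char ll_line[8];
    char ll_host[LL_HOST_SIZE];   /* NOT guaranteed NUL-terminated */
};

/* Copy the data of a srcsz-byte field into dst (dstsz bytes), stopping at
 * the first NUL inside the field if any, truncating to fit, and always
 * NUL-terminating dst. Returns the number of characters stored.
 * Unlike strlcpy(dst, src, n), this never reads past src + srcsz:
 * strlcpy() walks src to its terminator for its return value no matter
 * what n is, which is an over-read on an unterminated field. */
size_t copy_field(char *dst, size_t dstsz, const char *src, size_t srcsz)
{
    const char *nul;
    size_t n;

    if (dstsz == 0)
        return 0;
    nul = memchr(src, '\0', srcsz);              /* bounded search */
    n = nul != NULL ? (size_t)(nul - src) : srcsz;
    if (n > dstsz - 1)
        n = dstsz - 1;                           /* leave room for the NUL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Fill hostname from a lastlog record without trusting ll_host's terminator. */
size_t lastlog_hostname(char *hostname, size_t hostsz, const struct demo_lastlog *ll)
{
    return copy_field(hostname, hostsz, ll->ll_host, sizeof(ll->ll_host));
}

/* Constructed record whose ll_host is exactly full and has no NUL at all;
 * strlcpy(out, ll.ll_host, sizeof(ll.ll_host)) would drop the 'h' and
 * keep reading into ll_host's neighbour looking for a terminator. */
int demo_full_field(char *out, size_t outsz)
{
    struct demo_lastlog ll;

    memset(&ll, 0, sizeof(ll));
    memcpy(ll.ll_host, "abcdefgh", LL_HOST_SIZE);   /* 8 bytes, no NUL */
    return (int)lastlog_hostname(out, outsz, &ll);
}

int main(void)
{
    char host[LI_HOST_SIZE];
    int n = demo_full_field(host, sizeof(host));

    printf("copied %d bytes: \"%s\"\n", n, host);
    return 0;
}
```

The same helper serves the utmpx ut_host case in the first hunk: pass sizeof(utx.ut_host) as srcsz and sizeof(li->hostname) as dstsz and the relative sizes of the two fields stop mattering.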
From: gotoh at taiyo.co.jp (Shun-ichi GOTO) Date: Mon, 19 Jun 2000 11:00:21 +0900 (JST) Subject: Winsock2 port In-Reply-To: <394D1B67124.5575LEF@mail.lefs.org> References: <394D1B67124.5575LEF@mail.lefs.org> Message-ID: <20000619110021X.gotoh@taiyo.co.jp> >>>>> at Mon, 19 Jun 2000 03:56:39 +0900 >>>>> lef == "HAYASHI, 'Lef' Tatsuya" said, >Is anyone working on a Winsock2 port of openssh? lef> I'm working "OpenSSH 2.x for Win32". lef> Don't use VC++. lef> Using Mingw32(gcc for Win32). http://mingw.sourceforge.net/ lef> I emphasize that its environment should be free/open. We are also working on OpenSSH 2.x for Win32, with **VC++** and BC++. Currently the programs are almost good (I'm using them every day), except that some features are not yet ported. lef> Don't use cygwin. It already existent. lef> I want native code version. (for scp and CVS.) I think both code bases may be merged. ## Please contact me. lef> Now status: lef> - /dev/random replace Crypto API implemented. lef> - "C>ssh -l user host ls -al" is running. But, imperfectly. lef> - Now working interactive mode. lef> - "tty" changing "Win32 Console API". lef> - "select" changing "WaitForMultipleObjects" for "STDIN STDOUT STDERR". lef> - Perhaps password/RSA/DSA authentication runs. lef> I'm testing in FreeBSD and Cygwin. lef> - Perhaps ssh-keygen runs. lef> I'm testing key in FreeBSD and Cygwin. lef> - ssh-add, ssh-agent, scp, sshd, is not touch. lef> - I'm working OpenSSH 2.1.0p2. lef> I will change it in 2.1.1p1, as soon as possible. Almost the same, but ssh-agent and ssh-add are working in our port. sshd is not. ssh-agent is specialized for the Win32 environment, using a named pipe (for WinNT) or a socket (for Win95/98), and with a passphrase input dialog. We use Winseed as the entropy generator and the Win32 CryptoAPI as a backup. We chose standard Winsock 1.1 to support most Win32 systems and because it is familiar to us. Is there some merit to using Winsock2? I wonder; tell me.
lef> Screenshots: lef> http://hp.vector.co.jp/authors/VA001791/openssh/screenshot1.png Sorry, our code is not yet public, so as not to distribute an insecure version. But I think we should do so now. Please contact me to work together! --- Regards, Shun-ichi Goto R&D Group, TAIYO Corp., Tokyo, JAPAN From kengelha at advance-bank.de Mon Jun 19 20:25:28 2000 From: kengelha at advance-bank.de (kengelha at advance-bank.de) Date: Mon, 19 Jun 2000 11:25:28 +0100 Subject: sshd does not exit after scp (hpux 11.00 / ssh 2.1.1p1) Message-ID: <41256903.00390964.00@mailint.dmz.advance-bank.de> Hello, I have encountered a problem using ssh-2.1.1p1 on HP-UX 11.00: Everything else seems to work, but running scp results in processes staying open: on the server there are 2 processes still running after copying a file, "scp -v -t /tmp" and one sshd. On the client an ssh process also stays running until one of the processes is killed manually... The copying works fine, however. I've seen this or similar problems reported earlier, but I could not find a solution. If I can provide additional info please tell me... Thanks, Klaus From oetiker at ee.ethz.ch Mon Jun 19 20:11:53 2000
From: oetiker at ee.ethz.ch (Tobias Oetiker) Date: Mon, 19 Jun 2000 12:11:53 +0200 (MET DST) Subject: connection dies when X11 forwarded app exits In-Reply-To: <41256903.00390964.00@mailint.dmz.advance-bank.de> Message-ID: I have encountered a problem using Openssh-2.1.1p1 on Solaris 2.6. I connect to a remote box with
localbox> ssh -X remotebox
remotebox> nedit&
nedit shows up fine. I quit nedit ... And now the connection to remotehost dies as well ... running ssh with -v shows the following:
[...]
debug: Requesting pty.
debug: Requesting X11 forwarding with authentication spoofing.
debug: Requesting shell.
debug: Entering interactive session.
[...]
debug: Received X11 open request.
debug: fd 7 setting O_NONBLOCK
debug: channel 0: new [X11 connection from remotehost port 50931]
[...]
debug: channel 0: send data len 32
debug: channel 0: send data len 32
debug: channel 0: send data len 32
debug: channel 0: send data len 512
debug: channel 0: send data len 512
[...]
debug: channel 0: rcvd ieof
debug: channel 0: output open -> drain
debug: channel 0: obuf empty
debug: channel 0: output drain -> closed
debug: channel 0: send oclose
debug: channel 0: close_write
debug: channel 0: send data len 384
debug: channel 0: send data len 96
debug: channel 0: read<=0 rfd 7 len 0
debug: channel 0: read failed
debug: channel 0: input open -> drain
debug: channel 0: close_read
debug: channel 0: input: no drain shortcut
debug: channel 0: ibuf empty
debug: channel 0: input drain -> wait_oclose
debug: channel 0: send ieof
Connection to tardis closed by remote host.
Connection to tardis closed.
debug: Transferred: stdin 20, stdout 1224, stderr 75 bytes in 17.0 seconds
debug: Bytes per second: stdin 1.2, stdout 72.2, stderr 4.4
debug: Exit status -1
debug: writing PRNG seed to file /home/oetiker/.ssh/prng_seed
[...]
I found that the problem seems to be restricted to Motif apps ...
it does not happen with Xt, Qt or GTK apps cheers tobi -- ______ __ _ /_ __/_ / / (_) Oetiker, Timelord & SysMgr @ EE-Dept ETH-Zurich / // _ \/ _ \/ / TEL: +41(0)1-6325286 FAX:...1517 ICQ: 10419518 /_/ \.__/_.__/_/ oetiker at ee.ethz.ch http://ee-staff.ethz.ch/~oetiker From tbert at abac.com Mon Jun 19 23:03:06 2000 From: tbert at abac.com (Tom Bertelson) Date: Mon, 19 Jun 2000 09:03:06 -0400 Subject: 2.2.1p1 / AIX 4.2.1.0.06 login nits, and Solaris utmp (again) References: <20000612172840.B16182@ds0.van.maves.ca> Message-ID: <394E1A0A.8E144026@abac.com> Here's a patch to support AIX's additional user information (various hard and soft rlimits, default umask). Special thanks to Matthew Clarke for suggestions and help in testing. I've also included a buffer overrun fix I ran into with Solaris 2.7 (loginrec.c). I haven't gone over the rest of this file too carefully, but maybe this will help some other people. -- Tom Bertelson "Any sufficiently advanced technology RHI Consulting is indistinguishable from magic." tbert at abac.com -- Arthur C. Clarke -------------- next part -------------- --- configure.in~ Thu Jun 8 21:58:35 2000 +++ configure.in Fri Jun 16 11:21:23 2000 @@ -38,6 +38,8 @@ AC_DEFINE(BROKEN_GETADDRINFO) dnl AIX handles lastlog as part of its login message AC_DEFINE(DISABLE_LASTLOG) + MANTYPE='$(CATMAN)' + mansubdir=cat ;; *-*-hpux10*) if test -z "$GCC"; then 
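Review bot: in the configure.in hunk that adds MANTYPE='$(CATMAN)' and mansubdir=cat to the AIX case, the assignment is unconditional, so it either silently overrides or is silently overridden by the existing --with-catman option (which another message on this page uses as --with-catman=man), depending on which runs later. Guard it with test -z "$MANTYPE" so it acts only as the AIX default and the user's choice still wins.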
@@ -168,7 +170,7 @@ fi # Checks for header files. -AC_CHECK_HEADERS(bstring.h endian.h lastlog.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h util.h utmp.h utmpx.h) +AC_CHECK_HEADERS(bstring.h endian.h lastlog.h login.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/select.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h stddef.h time.h usersec.h util.h utmp.h utmpx.h) # Checks for library functions. AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage innetgr md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid snprintf strlcat strlcpy vsnprintf vhangup _getpty __b64_ntop) @@ -183,6 +185,11 @@ AC_CHECK_FUNCS(entutxent getutxent getutxid getutxline pututxline ) AC_CHECK_FUNCS(setutxent utmpxname) +AC_CHECK_FUNC(getuserattr, + [AC_DEFINE(HAVE_GETUSERATTR)], + [AC_CHECK_LIB(s, getuserattr, [LIBS="$LIBS -ls"; AC_DEFINE(HAVE_GETUSERATTR)])] +) + AC_CHECK_FUNC(login, [AC_DEFINE(HAVE_LOGIN)], [AC_CHECK_LIB(bsd, login, [LIBS="$LIBS -lbsd"; AC_DEFINE(HAVE_LOGIN)])] @@ -994,7 +1001,7 @@ [ char *lastlog = _PATH_LASTLOG; ], [ AC_MSG_RESULT(yes) ], [ - AC_MSG_RESULT(no), + AC_MSG_RESULT(no) system_lastlog_path=no ]) ] --- config.h.in~ Fri Jun 9 06:56:25 2000 +++ config.h.in Fri Jun 16 11:21:24 2000 @@ -242,6 +242,9 @@ /* Define if you have the gettimeofday function. */ #undef HAVE_GETTIMEOFDAY +/* Define if you have the getuserattr function. */ +#undef HAVE_GETUSERATTR + /* Define if you have the getutent function. */ #undef HAVE_GETUTENT 
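Review bot: the one-character hunk that drops the comma after AC_MSG_RESULT(no) in the lastlog path check is a real fix unrelated to AIX: in m4 that comma splits the failure action into two arguments, so system_lastlog_path=no was never executed when the test failed. It deserves to be separated from the AIX additions and applied on its own, since it affects every platform that runs this check.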
@@ -421,6 +424,9 @@ /* Define if you have the header file. */ #undef HAVE_TIME_H + +/* Define if you have the header file. */ +#undef HAVE_USERSEC_H /* Define if you have the header file. */ #undef HAVE_UTIL_H --- loginrec.c~ Wed Jun 7 07:32:13 2000 +++ loginrec.c Fri Jun 16 11:57:42 2000 @@ -1289,7 +1300,9 @@ lastlog_populate_entry(struct logininfo *li, struct lastlog *last) { line_fullname(li->line, last->ll_line, sizeof(li->line)); - strlcpy(li->hostname, last->ll_host, sizeof(li->hostname)); + strlcpy(li->hostname, last->ll_host, + sizeof(li->hostname) < sizeof(last->ll_host) + 1 ? + sizeof(li->hostname) : sizeof(last->ll_host) + 1); li->tv_sec = last->ll_time; } --- session.c~ Wed Jun 7 07:22:38 2000 +++ session.c Fri Jun 16 11:21:24 2000 @@ -9,6 +9,9 @@ #include "includes.h" RCSID("$OpenBSD: session.c,v 1.17 2000/06/05 19:53:40 markus Exp $"); +#if defined(HAVE_USERSEC_H) +#include +#endif #include "xmalloc.h" #include "ssh.h" 
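Review bot: in the loginrec.c hunk, the header @@ -1289,7 +1300,9 @@ places the new text 11 lines further down than the old, but no earlier hunk for this file is included; either part of the diff was dropped or it was made against a tree with other local changes, so check that it applies to a clean 2.1.1p1. The bound itself, sizeof(last->ll_host) + 1 when li->hostname is large enough, correctly keeps the last character of a full, unterminated ll_host, which is the same case Phill Camp's lastlog hunk earlier in this thread handles without the + 1; the two should be reconciled into one change.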
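Review bot: in the first session.c hunk, the #include guarded by HAVE_USERSEC_H has no header name in the archived text, so as posted it will not compile; the intended header is the one the new AC_CHECK_HEADERS entry detects, usersec.h.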
@@ -836,6 +839,41 @@ switch, so we let login(1) to this for us. */ if (!options.use_login) { if (getuid() == 0 || geteuid() == 0) { +#if defined(HAVE_GETUSERATTR) + struct rlimit rlim; + rlim_t tlim; + int mask; + +#define set_limit(SOFT, HARD, RLIMIT, MULTIPLIER) \ + getrlimit(RLIMIT, &rlim); \ + tlim = (rlim_t) 0; \ + if (getuserattr(pw->pw_name, SOFT, &tlim, SEC_INT) != -1 && tlim) \ + rlim.rlim_cur = tlim * MULTIPLIER; \ + tlim = (rlim_t) 0; \ + if (getuserattr(pw->pw_name, HARD, &tlim, SEC_INT) != -1 && tlim) \ + rlim.rlim_max = tlim * MULTIPLIER; \ + if (rlim.rlim_cur > rlim.rlim_max) \ + rlim.rlim_max = rlim.rlim_cur; \ + if (setrlimit(RLIMIT, &rlim) != 0) \ + error("setrlimit(%.10s) failed: %.100s", SOFT, strerror(errno)) + + set_limit(S_UFSIZE, S_UFSIZE_HARD, RLIMIT_FSIZE, 512); + set_limit(S_UCPU, S_UCPU_HARD, RLIMIT_CPU, 1); + set_limit(S_UDATA, S_UDATA_HARD, RLIMIT_DATA, 512); + set_limit(S_USTACK, S_USTACK_HARD, RLIMIT_STACK, 512); + set_limit(S_URSS, S_URSS_HARD, RLIMIT_RSS, 512); + set_limit(S_UCORE, S_UCORE_HARD, RLIMIT_CORE, 512); +#if defined(S_UNOFILE) + set_limit(S_UNOFILE, S_UNOFILE_HARD, RLIMIT_NOFILE, 1); +#endif + + if (getuserattr(pw->pw_name, S_UMASK, &mask, SEC_INT) != -1) { + /* Convert decimal to octal */ + (void) snprintf(buf, sizeof buf, "%d", mask); + (void) sscanf(buf, "%o", &mask); + (void) umask(mask); + } +#endif if (setgid(pw->pw_gid) < 0) { perror("setgid"); exit(1); From djm at mindrot.org Tue Jun 20 00:03:19 2000 
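Review bot: in the set_limit macro, getrlimit()'s return value is ignored, so on failure rlim is uninitialized and is then handed to setrlimit(). getuserattr() with SEC_INT stores an int, but tlim is an rlim_t; where rlim_t is wider than int only part of tlim is written, and a stanza value of -1 (the usual "unlimited" in AIX's limits file) passes the && tlim test and is multiplied by 512. Read into an int, map negative values to RLIM_INFINITY, then convert. Raising rlim_max to match a larger rlim_cur quietly lifts the hard limit; clamping rlim_cur down to rlim_max is the conservative choice, and setrlimit() failures should probably also report the value that was rejected. Finally, buf is used for the umask conversion but is not declared in this hunk; confirm it exists in this scope, and a direct base-8 reinterpretation of the digits would avoid the snprintf/sscanf round trip.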
From: djm at mindrot.org (Damien Miller) Date: Tue, 20 Jun 2000 00:03:19 +1000 (EST) Subject: sshd does not exit after scp (hpux 11.00 / ssh 2.1.1p1) In-Reply-To: <41256903.00390964.00@mailint.dmz.advance-bank.de> Message-ID: On Mon, 19 Jun 2000 kengelha at advance-bank.de wrote: > > > Hello, > > I have encountered a problem using ssh-2.1.1p1 on HP-UX 11.00: > > Everything else seems to work but running scp results in processes > staying open: On the server there are 2 processes still running > after copying a file: "scp -v -t /tmp" and one sshd. On the client > also a ssh-process stays running until killing one of the processes > manually... Can you turn on debugging at the server end (LogLevel DEBUG) and send along the output? Thanks, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From Markus.Ridinger at IWR.Uni-Heidelberg.De Tue Jun 20 00:45:31 2000 
From: Markus.Ridinger at IWR.Uni-Heidelberg.De (Markus Ridinger) Date: Mon, 19 Jun 2000 16:45:31 +0200 Subject: Problem with yppasswd and openssh on Irix Message-ID: Hi, I compiled openssh 2.1.1p1 on Irix 6.2 with the MIPS 7.2.1.2m compiler. Everything works fine except the yppasswd command from Irix (it's not a NIS problem; the same thing works with rlogin): Logged in with 'ssh machine -l user1'
# who
user1 ttyq0 Jun 19 15:17 (xxxxx.iwr.uni-heidelberg.de)
# ypcat passwd |grep user1
user1:xxxxxxxxxxxxx:1535:1500:User1:/usr/people/user1:/bin/tcsh
# ypcat passwd |grep user2
user2:xxxxxxxxxxxxx:2108:2100:User2:/usr/people/user2:/bin/tcsh
# yppasswd
Changing NIS password for user2 on nis_server.iwr.uni-heidelberg.de.
Permission denied
User2 changes between sessions, but is the same for every 'yppasswd' in the same session. 'yppasswd user1' works fine, so it seems to be a problem of getting the correct UID. Do you know about that problem? Is there any patch available? Regards, Markus Ridinger ===================================================================== Markus Ridinger Tel (+49)06221/548241 IWR, Uni Heidelberg Fax (+49)06221/545224 Im Neuenheimer Feld 368 eMail 69120 Heidelberg Markus.Ridinger at iwr.uni-heidelberg.de ===================================================================== From kengelha at advance-bank.de Tue Jun 20 02:10:13 2000
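A first check for a report like the one above is whether the identity a utility derives from the login record (getlogin(), which answers from the utmp entry for the controlling tty) agrees with the identity the kernel reports (getuid()). The following is an added diagnostic, not OpenSSH or IRIX code, and does not claim to know what IRIX yppasswd does internally; the user names and uids in the test (user1/1535, user2/2108) are taken from the ypcat output above, and the classification function is kept free of system calls so it can be exercised without a tty.

```c
/* Added diagnostic (not OpenSSH or IRIX code): compare the account named
 * by the utmp-derived login name with the account owning the real uid.
 * getlogin() is only as trustworthy as the utmp record behind it;
 * getuid() cannot be fooled by a stale or wrong utmp entry. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum identity_status {
    ID_CONSISTENT,      /* utmp name resolves to the real uid */
    ID_NO_UTMP_NAME,    /* getlogin() gave nothing: no usable utmp record */
    ID_UNKNOWN_NAME,    /* utmp name is not in the passwd database */
    ID_MISMATCH         /* utmp name belongs to a different uid */
};

/* pw_real: passwd entry for getuid(); pw_utmp: passwd entry looked up by
 * the utmp-derived name, or NULL if that name is missing or unknown. */
enum identity_status classify_identity(const char *utmp_name,
                                       const struct passwd *pw_real,
                                       const struct passwd *pw_utmp)
{
    if (utmp_name == NULL || *utmp_name == '\0')
        return ID_NO_UTMP_NAME;
    if (pw_utmp == NULL)
        return ID_UNKNOWN_NAME;
    if (pw_real != NULL && pw_utmp->pw_uid == pw_real->pw_uid)
        return ID_CONSISTENT;
    return ID_MISMATCH;
}

/* The account a privileged tool should act on: the owner of the real uid,
 * never the utmp name. NULL when the uid has no passwd entry. */
const char *account_for_real_uid(const struct passwd *pw_real)
{
    return pw_real != NULL ? pw_real->pw_name : NULL;
}

static const char *status_name(enum identity_status s)
{
    switch (s) {
    case ID_CONSISTENT:   return "consistent";
    case ID_NO_UTMP_NAME: return "no utmp login name";
    case ID_UNKNOWN_NAME: return "utmp name not in passwd";
    default:              return "MISMATCH: utmp name is another uid";
    }
}

int main(void)
{
    const char *utmp_name = getlogin();        /* utmp-derived, may be NULL */
    struct passwd *pw = getpwuid(getuid());    /* kernel-derived */
    struct passwd pw_real;
    char real_name[64] = "?";
    struct passwd *pw_utmp;

    /* getpwnam() may reuse getpwuid()'s static storage, so copy first. */
    memset(&pw_real, 0, sizeof(pw_real));
    if (pw != NULL) {
        pw_real = *pw;
        snprintf(real_name, sizeof(real_name), "%s", pw->pw_name);
        pw_real.pw_name = real_name;
    }
    pw_utmp = utmp_name != NULL ? getpwnam(utmp_name) : NULL;

    printf("getuid()=%ld (%s)  getlogin()=%s  -> %s\n",
           (long)getuid(), real_name,
           utmp_name != NULL ? utmp_name : "(null)",
           status_name(classify_identity(utmp_name,
                                         pw != NULL ? &pw_real : NULL,
                                         pw_utmp)));
    return 0;
}
```

Run it inside the ssh session and inside an rlogin session to the same host; if the two disagree only under sshd, the login record written for the ssh session is the place to look.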
From: kengelha at advance-bank.de (kengelha at advance-bank.de) Date: Mon, 19 Jun 2000 17:10:13 +0100 Subject: sshd does not exit after scp (hpux 11.00 / ssh 2.1.1p1) Message-ID: <41256903.0058D3E4.00@mailint.dmz.advance-bank.de> Hello, Damien Miller wrote: > Can you turn on debugging at the server end (LogLevel DEBUG) and send > along the output? Yes, here it comes: Jun 19 17:02:33 uxdev05 sshd[3944]: Connection from 185.10.101.174 port 806 Jun 19 17:02:33 uxdev05 sshd[3862]: debug: Forked child 3944. Jun 19 17:01:02 uxdev05 sshd[3925]: debug: tvp!=NULL kid 0 mili 10 Jun 19 17:02:33 uxdev05 above message repeats 2 times Jun 19 17:02:33 uxdev05 sshd[3862]: debug: Seeding random number generator. Jun 19 17:02:33 uxdev05 sshd[3862]: debug: OpenSSL random status is now 1 Jun 19 17:02:33 uxdev05 sshd[3862]: debug: 3 bytes from system calls Jun 19 17:02:33 uxdev05 sshd[3944]: debug: Client protocol version 1.5; client software version OpenSSH-1.2.2 Jun 19 17:02:33 uxdev05 sshd[3944]: debug: Local version string SSH-1.5-OpenSSH_2.1.1 Jun 19 17:02:33 uxdev05 sshd[3944]: debug: Sent 768 bit public key and 1024 bit host key. Jun 19 17:02:33 uxdev05 sshd[3944]: debug: Encryption type: 3des Jun 19 17:02:33 uxdev05 sshd[3944]: debug: Received session key; encryption turned on. Jun 19 17:02:33 uxdev05 sshd[3944]: debug: Installing crc compensation attack detector. Jun 19 17:02:33 uxdev05 sshd[3944]: debug: Starting up PAM with username "root" Jun 19 17:02:33 uxdev05 sshd[3944]: debug: Attempting authentication for root. 
Jun 19 17:02:34 uxdev05 sshd[3862]: debug: 22 bytes from programs Jun 19 17:02:34 uxdev05 sshd[3862]: debug: OpenSSL random status is now 1 Jun 19 17:02:36 uxdev05 sshd[3944]: debug: PAM Password authentication accepted for user "root" Jun 19 17:02:36 uxdev05 sshd[3944]: Accepted password for ROOT from 185.10.101.174 port 806 Jun 19 17:02:36 uxdev05 sshd[3944]: debug: PAM setting rhost to "n4wm1780" Jun 19 17:02:36 uxdev05 sshd[3944]: debug: session_new: init Jun 19 17:02:36 uxdev05 sshd[3944]: debug: session_new: session 0 Jun 19 17:02:36 uxdev05 sshd[3944]: debug: Exec command 'scp -t /tmp' Jun 19 17:02:36 uxdev05 sshd[3944]: debug: PAM establishing creds Jun 19 17:02:36 uxdev05 sshd[3944]: debug: Entering interactive session. Jun 19 17:02:36 uxdev05 sshd[3944]: debug: fd 10 setting O_NONBLOCK Jun 19 17:02:36 uxdev05 sshd[3944]: debug: fd 12 setting O_NONBLOCK Jun 19 17:02:36 uxdev05 sshd[3944]: debug: server_init_dispatch_13 Jun 19 17:02:36 uxdev05 sshd[3944]: debug: server_init_dispatch_15 Jun 19 17:02:36 uxdev05 sshd[3944]: debug: tvp!=NULL kid 0 mili 10 Jun 19 17:02:36 uxdev05 sshd[3944]: debug: EOF received for stdin. When killing the remaining process on the client, following is added to the servers logfile: Jun 19 17:03:55 uxdev05 sshd[3944]: Connection closed by remote host. Jun 19 17:03:55 uxdev05 sshd[3944]: debug: Calling cleanup 0x40015232(0x0) Jun 19 17:02:36 uxdev05 sshd[3944]: debug: tvp!=NULL kid 0 mili 10 Jun 19 17:03:55 uxdev05 above message repeats 2 times Jun 19 17:03:55 uxdev05 sshd[3944]: pam_setcred: error Permission denied Jun 19 17:03:55 uxdev05 sshd[3944]: Cannot delete credentials: Permission denied Jun 19 17:03:55 uxdev05 sshd[3944]: debug: Calling cleanup 0x400153d2(0x0) Jun 19 17:03:55 uxdev05 sshd[3944]: debug: Calling cleanup 0x400153e2(0x0) Jun 19 17:03:55 uxdev05 sshd[3944]: debug: writing PRNG seed to file /root/.ssh/prng_seed Thanks, Klaus From gem at rellim.com Tue Jun 20 04:44:17 2000 
From: gem at rellim.com (Gary E. Miller)
Date: Mon, 19 Jun 2000 11:44:17 -0700 (PDT)
Subject: OpenSSH 2.1.1p1 on SCO Unixware 7.1.0
In-Reply-To:
Message-ID:

Yo Damien!

I looked it up, -o as you use it is part of the POSIX spec. OTOH, SCO does not conform to POSIX.

So the choice is once again "correctness" or "portable".

RGDS
GARY

On Sun, 18 Jun 2000, Damien Miller wrote:

> On Wed, 14 Jun 2000, Gary E. Miller wrote:
>
> > Yo All!
> >
> > I was just trying out OpenSSH 2.1.1p1 on SCO Unixware 7.1.0.
> >
> > The "configure" dies. See below.
> >
> > This seems to be the problem:
> >
> > if test -d "$f" -o -e "$f" ; then
> > conf_lastlog_location=$f
> > fi
> >
> > test is expecting a "shell option" after the "-o".
>
> Ouch. These are used in quite a few places throughout configure and
> IIRC are in the POSIX standard.
>
> The -e is wrong though. You should change that to a '-f'

---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From jmknoble at pint-stowp.cx Tue Jun 20 05:32:30 2000
From: jmknoble at pint-stowp.cx (Jim Knoble)
Date: Mon, 19 Jun 2000 15:32:30 -0400
Subject: OpenSSH 2.1.1p1 on SCO Unixware 7.1.0
In-Reply-To: ; from Gary E. Miller on Mon, Jun 19, 2000 at 11:44:17AM -0700
References:
Message-ID: <20000619153230.C8444@ntrnet.net>

Circa 2000-Jun-19 11:44:17 -0700 Gary E. Miller wrote:

: I looked it up, -o as you use it is part of the POSIX spec..
: OTOH, SCO does not conform to POSIX.
:
: So the choice is once again "correctness" or "portable".

See below for a portable alternative.

: On Sun, 18 Jun 2000, Damien Miller wrote:
:
: > On Wed, 14 Jun 2000, Gary E. Miller wrote:
: > > This seems to be the problem:
: > >
: > > if test -d "$f" -o -e "$f" ; then

This can also be written:

  if (test -d "$f" || test -f "$f"); then

: > > conf_lastlog_location=$f
: > > fi
: > >
: > > test is expecting a "shell option" after the "-o".
: >
: > Ouch. These are used in quite a few places throughout configure and
: > IIRC are in the POSIX standard.

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From Thanh.Ma at casi-rusco.com Tue Jun 20 05:57:06 2000
From: Thanh.Ma at casi-rusco.com (Thanh Ma) Date: Mon, 19 Jun 2000 15:57:06 -0400 Subject: configure problem on UnixWare 7.1.1 Message-ID: <9B6977074BA8D311B3B30090279C703B766C54@bctexc10.casi-rusco.com> Anyone can locate what was wrong with the below problem on UnixWare 7.1.1 ? The file rand.h was finally found in one of the tests but configure still failed with ... checking for getpagesize... yes checking for OpenSSL directory... configure: error: Could not find working SSLeay / OpenSSL libraries, please install Thanh configure:2302: gcc -o conftest -g -O2 -Wall -I/usr/local/include -L/usr/local/lib conftest.c -lsocket -lnsl -lz -lgen -lsocket 1>&5 configure:2543: checking for OpenSSL directory configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include -L/usr/local/lib conftest.c -lsocket -lnsl -lz -lgen -lsocket -lcrypto 1>&5 configure:2571: openssl/rand.h: No such file or directory configure: failed program was: #line 2568 "configure" #include "confdefs.h" #include #include int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); } configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include -I/usr/local/openssl/include -L/usr/local/lib -L/usr/local/openssl/lib -L/usr/local/openssl conftest.c -lsocket -lnsl -lz -lgen -lsocket -lcrypto 1>&5 configure:2571: openssl/rand.h: No such file or directory configure: failed program was: #line 2568 "configure" #include "confdefs.h" #include #include int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); } configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include -I/usr/lib/openssl/include -L/usr/local/lib -L/usr/lib/openssl/lib -L/usr/lib/openssl conftest.c -lsocket -lnsl -lz -lgen -lsocket -lcrypto 1>&5 configure:2571: openssl/rand.h: No such file or directory configure: failed program was: #line 2568 "configure" #include "confdefs.h" #include #include int main(void) { char 
a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); } configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include -I/usr/local/ssl/include -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/ssl conftest.c -lsocket -lnsl -lz -lgen -lsocket -lcrypto 1>&5 configure: failed program was: #line 2568 "configure" #include "confdefs.h" #include #include int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); } configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include -I/usr/lib/ssl/include -L/usr/local/lib -L/usr/lib/ssl/lib -L/usr/lib/ssl conftest.c -lsocket -lnsl -lz -lgen -lsocket -lcrypto 1>&5 configure:2571: openssl/rand.h: No such file or directory configure: failed program was: #line 2568 "configure" #include "confdefs.h" #include #include int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); } configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include -I/usr/local/include -L/usr/local/lib -L/usr/local/lib -L/usr/local conftest.c -lsocket -lnsl -lz -lgen -lsocket -lcrypto 1>&5 configure:2571: openssl/rand.h: No such file or directory configure: failed program was: #line 2568 "configure" #include "confdefs.h" #include #include int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); } configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include -I/usr/pkg/include -L/usr/local/lib -L/usr/pkg/lib -L/usr/pkg conftest.c -lsocket -lnsl -lz -lgen -lsocket -lcrypto 1>&5 configure:2571: openssl/rand.h: No such file or directory configure: failed program was: #line 2568 "configure" #include "confdefs.h" #include #include int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); } configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include -I/opt/include 
-L/usr/local/lib -L/opt/lib -L/opt conftest.c -lsocket -lnsl -lz -lgen -lsocket -lcrypto 1>&5 configure:2571: openssl/rand.h: No such file or directory configure: failed program was: #line 2568 "configure" #include "confdefs.h" #include #include int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); } configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include -I/opt/openssl/include -L/usr/local/lib -L/opt/openssl/lib -L/opt/openssl conftest.c -lsocket -lnsl -lz -lgen -lsocket -lcrypto 1>&5 configure:2571: openssl/rand.h: No such file or directory configure: failed program was: #line 2568 "configure" #include "confdefs.h" #include #include int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); } From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Jun 21 00:03:52 2000 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 20 Jun 2000 16:03:52 +0200
Subject: Critical EGD handling in 2.1.1p1
Message-ID: <20000620160352.A10742@ws01.aet.tu-cottbus.de>

Hi,

when running OpenSSH with EGD as entropy source, the sshd server connects to the EGD socket and leaves it open to re-seed on the fly. Unfortunately the connection is not checked when re-seeding, so that a failure or restart of EGD will lead to a "fatal()" abort of the sshd server process.

Since a dying server process cannot be accepted, I would recommend not having sshd call "fatal()" if EGD cannot be queried and there is already enough seed available. Something like:

    if (error_condition) {
        close(egd_socket);
        egd_socket = -1;                    /* Try to reopen next time */
        if (RAND_status() == 0)
            fatal("Could not get entropy"); /* not enough seed -> fatal */
    }

Best regards,
Lutz

-- 
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

From pausmith at nortelnetworks.com Wed Jun 21 01:34:06 2000
From: pausmith at nortelnetworks.com (Paul D. Smith)
Date: 20 Jun 2000 11:34:06 -0400
Subject: ssh 2.1.1p1 can't connect; ssh 1.2.3 can
In-Reply-To: Damien Miller's message of "Sun, 18 Jun 2000 12:45:59 +1000 (EST)"
References:
Message-ID:

%% Damien Miller writes:

  dm> On Thu, 15 Jun 2000, Paul D. Smith wrote:

  >> My ISP supports connections via ssh. I was using OpenSSH 1.2.3
  >> (portable) on Solaris 2.5.1 (with EGD), and I could connect to my ISP
  >> just fine. They're using the proprietary sshd version 1.2.26 as far as I
  >> can tell. A connect session looks like:

  dm> [snip]

  >> Now I've compiled OpenSSH 2.1.1p1 (same system, Solaris 2.5.1, but this
  >> time using PRNG instead of EGD). This version works to _some_ systems
  >> (for example, I can connect to my home system which is running Debian
  >> GNU/Linux 2.2--running sshd from OpenSSH 1.2.3).
  >>
  >> But, I can't connect to my ISP; I just time out. Here's a session:

  dm> [snip]

  >> debug: Allocated local port 827.
  >> debug: connect: Connection timed out
  >> debug: Trying again...

  dm> I haven't seen this one before.

  dm> Can you telnet to port 22 on the target machine?

Yes:

  $ telnet xx.xx.xx.xx 22
  Trying xx.xx.xx.xx...
  Connected to xx.xx.xx.xx.
  Escape character is '^]'.
  SSH-1.5-1.2.26
  Connection closed by foreign host.

(I hit RET and it closed the connection)

  dm> An strace of the client and a tcpdump of a failed connection would
  dm> help.

Ugh. OK, I'm a bit confused. I couldn't truss it because ssh was setuid root, so I made a copy that wasn't. That copy worked!

It's apparently something about the privileged ports?, because if I run the setuid version with -P, then that works as well.

_But_, I don't see how it can be a firewall issue, at least not on my side, since I can use a privileged port to access my home system (I don't need -P for that). That's what threw me :-/.

Maybe my ISP has some kind of firewall on his side which is blocking it?

Oh well, I figured out how to get it working, that's the important thing :). Sorry for the false alarm.

PS. It might be worthwhile to help the user by printing a message if "privileged" is set and the connection times out, suggesting they try -P and see if that works...

-- 
-------------------------------------------------------------------------------
Paul D. Smith  Network Management Development
"Please remain calm...I may be mad, but I am a professional." --Mad Scientist
-------------------------------------------------------------------------------
These are my opinions---Nortel Networks takes no responsibility for them.

From gert at greenie.muc.de Wed Jun 21 04:23:19 2000
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 20 Jun 2000 20:23:19 +0200
Subject: ssh 2.1.1p1 can't connect; ssh 1.2.3 can
In-Reply-To: ; from Paul D. Smith on Tue, Jun 20, 2000 at 11:34:06AM -0400
References:
Message-ID: <20000620202319.A14558@greenie.muc.de>

Hi,

On Tue, Jun 20, 2000 at 11:34:06AM -0400, Paul D. Smith wrote:
> dm> An strace of the client and a tcpdump of a failed connection would
> dm> help.
>
> Ugh. OK, I'm a bit confused. I couldn't truss it because ssh was
> setuid root, so I made a copy that wasn't. That copy worked!
>
> It's apparently something about the privileged ports?, because if I run
> the setuid version with -P, then that works as well.
>
> _But_, I don't see how it can be a firewall issue, at least not on my
> side, since I can use a privileged port to access my home system (I
> don't need -P for that). That's what threw me :-/.

Sounds *very* much like a firewall issue - somewhere on the way in between. Something of "privileged ports are evil, forbid, forbid!" without actually understanding things like ssh...

gert

-- 
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From djm at mindrot.org Wed Jun 21 09:07:18 2000
From: djm at mindrot.org (Damien Miller) Date: Wed, 21 Jun 2000 09:07:18 +1000 (EST) Subject: Critical EGD handling in 2.1.1p1 In-Reply-To: <20000620160352.A10742@ws01.aet.tu-cottbus.de> Message-ID: On Tue, 20 Jun 2000, Lutz Jaenicke wrote: > Hi, > > when running OpenSSH with EGD as entropy source, the sshd server connects > to the EGD socket and leaves it open to re-seed on the fly. > Unfortunately the connection is not checked when re-seeding, so that > a failure or restart of EGD will lead to a "fatal()" abort of the sshd > server process. > > Since a dying server process can not be accepted, I would recommend to > not have sshd call it "fatal()" if EGD cannot be queried and there is > already enough seed available. Thanks for the report. How does the attached patch look? Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -------------- next part -------------- ? scp.0 ? ssh-add.0 ? ssh-agent.0 ? ssh-keygen.0 ? ssh.0 ? sshd.0 ? configure ? config.h.in ? config.log ? config.h ? config.cache ? config.status ? Makefile ? ssh_prng_cmds Index: entropy.c =================================================================== RCS file: /var/cvs/openssh/entropy.c,v retrieving revision 1.14 diff -u -r1.14 entropy.c --- entropy.c 2000/06/18 04:07:04 1.14 +++ entropy.c 2000/06/20 23:06:14 
@@ -70,21 +70,25 @@ { static int egd_socket = -1; int c; + int egd_error; char egd_message[2] = { 0x02, 0x00 }; struct sockaddr_un addr; int addr_len; + egd_error = 0; + +retry: + memset(&addr, '\0', sizeof(addr)); addr.sun_family = AF_UNIX; - - /* FIXME: compile time check? */ + if (sizeof(EGD_SOCKET) > sizeof(addr.sun_path)) fatal("Random pool path is too long"); - + strlcpy(addr.sun_path, EGD_SOCKET, sizeof(addr.sun_path)); - + addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(EGD_SOCKET); - + if (egd_socket == -1) { egd_socket = socket(AF_UNIX, SOCK_STREAM, 0); if (egd_socket == -1) @@ -95,17 +99,37 @@ if (len > 255) fatal("Too many bytes to read from EGD"); - + /* Send blocking read request to EGD */ egd_message[1] = len; c = atomicio(write, egd_socket, egd_message, sizeof(egd_message)); - if (c == -1) - fatal("Couldn't write to EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); + if (c == -1) { + if (egd_error) { + fatal("Couldn't write to EGD socket \"%s\": %s", + EGD_SOCKET, strerror(errno)); + } else { + egd_error = 1; + error("Couldn't write to EGD socket \"%s\": %s", + EGD_SOCKET, strerror(errno)); + goto retry; + } + } c = atomicio(read, egd_socket, buf, len); if (c <= 0) - fatal("Couldn't read from EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); + if (c == -1) { + if (egd_error) { + fatal("Couldn't read from EGD socket \"%s\": %s", + EGD_SOCKET, strerror(errno)); + } else { + egd_error = 1; + egd_socket = -1; + error("Couldn't read from EGD socket \"%s\": %s", + EGD_SOCKET, strerror(errno)); + goto retry; + } + } } #else /* !EGD_SOCKET */ #ifdef RANDOM_POOL From ard at waikato.ac.nz Wed Jun 21 14:55:44 2000 
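Review bot: in the first entropy.c hunk (@@ -70,21 +70,25 @@) the new `retry:` label sits above the `memset`, the path-length `fatal()` check and the `strlcpy`, so every retry re-validates and re-copies the socket address before it reaches the `if (egd_socket == -1)` reconnect test; that is harmless but obscures the intent, and placing the label directly before `if (egd_socket == -1) {` would make the reconnect path read as one unit. The added `egd_error` flag also deserves a one-line comment saying it limits the reconnect to a single attempt per call.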
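Review bot: in the second entropy.c hunk (@@ -95,17 +99,37 @@) the write-failure branch sets `egd_error = 1` and jumps to `retry` without closing the socket or resetting `egd_socket` to -1, so the retry skips the `if (egd_socket == -1)` block, reuses the same dead descriptor, fails again and then hits `fatal()`; the reconnect never happens on that path. Add `close(egd_socket); egd_socket = -1;` before the `goto retry;`, and do the same in the read branch, which sets `egd_socket = -1` without a `close()` and so leaks the descriptor on every reconnect. Separately, the replacement `if (c == -1) {` is nested under the kept `if (c <= 0)`, so a read returning 0 (EGD closed the connection) now falls through silently with `buf` unfilled, where the old code treated it as fatal; route `c == 0` through the same error path.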
From: ard at waikato.ac.nz (Andrew Donkin)
Date: 21 Jun 2000 16:55:44 +1200
Subject: Linux sshd dumps core unless client is insecure.
Message-ID:

pausmith at nortelnetworks.com (Paul D. Smith) had a problem where his 2.1.1p1 wouldn't connect if it was running set-UID root, unless "-P" was given. Gert Doering suggested a firewall problem. Damien Miller tried to help too.

Now I've got the same problem: my 2.1.1p1, 1.2.2, and 1.2.3 clients won't connect to *some* ssh 1.2.2 and 1.2.3 servers, if the following is true:

- I am not root, and
- the client is set-UID root. Hence I cannot strace it.
- "-P" is not given
- I have no "~/.[rs]hosts" entry on the server (i.e. I supply a password)
- the server sshd is running on a privileged port

If I "sshd -d -p222" it only dumps core if I supply the correct password. If I "strace sshd -d -p222" it dumps core if I give any non-null password. Weird, eh?

  [...]
  send(3, "<38>Jun 21 16:22:17 sshd[6979]: Failed rsa for ard from x.x.x.x port 866\0", 79, 0) = 79
  sigaction(SIGPIPE, {SIG_DFL}, NULL) = 0
  close(3) = 0
  write(4, "[...12 unprintable bytes...", 12) = 12
  select(5, [4], NULL, NULL, NULL [...waits while I type my password...] ) = 1 (in [4])
  read(4, "[...a bunch of binary...]", 8192) = 28
  --- SIGSEGV (Segmentation fault) ---
  +++ killed by SIGSEGV +++

So, sshd SEGVs when rhosts and RSA authentications fail and it tries password authentication. Everything is sweet if rhosts or RSA succeeds or if it never attempts them.

An aside: why doesn't the SSH protocol attempt host-based auth when insecure ports are used?

In summary:

About the only thing that has happened since this *used* to work is an upgrade to 2.2.16, ssh 2.2.1, and ssl 0.9.5a.

It's not a firewall problem; all these hosts are on the same segment.

It's not a build problem; the same client binary works on another machine.

It doesn't seem like a 2.2.16 problem (which was my first idea, since 2.2.16 has messed with UID-swapping), because the same binary works on another 2.2.16 machine.

It's not a Slackware problem, since two of the problematic servers are Debian binaries on Debian servers.

In fact I have run out of ideas, which is why I'm turning to you clever folks.

The workaround is to use Rhosts or RhostsRSA authentication so that I don't have to enter my password. But that's a bit nasty and I'd rather get this figured out for good.

Clients:
========
Kernel 2.2.16, Slackware.
SSH Version OpenSSH-1.2.3, protocol version 1.5. Compiled with SSL.
...and:
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f).

Servers:
========
Kernel 2.2.16 on a Slackware installation running sshd 1.2.2.
Kernels 2.0.33 and 2.0.35 on Debian installations running sshd 1.2.2.

-- 
_________________________________________________________________________
Andrew Donkin ITS.G.40, x4414

From karn at ka9q.ampr.org Wed Jun 21 15:55:49 2000
From: karn at ka9q.ampr.org (Phil Karn)
Date: Tue, 20 Jun 2000 22:55:49 -0700
Subject: PATCH: login reporting (utmp?) problem on Linux
In-Reply-To: (message from Garrick James on Sat, 17 Jun 2000 01:15:57 -0700 (PDT))
References:
Message-ID: <200006210555.WAA18792@homer.ka9q.ampr.org>

FYI, I also encountered this problem, but only after I updated my Linux machines from Debian 2.1 (slink) to the Debian "frozen" (2.2-potato) release. All my utmp entries are now Wed Dec 31.

Phil

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Jun 21 20:03:46 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Wed, 21 Jun 2000 12:03:46 +0200
Subject: Critical EGD handling in 2.1.1p1
In-Reply-To: ; from djm@mindrot.org on Wed, Jun 21, 2000 at 09:07:18AM +1000
References: <20000620160352.A10742@ws01.aet.tu-cottbus.de>
Message-ID: <20000621120346.A13164@ws01.aet.tu-cottbus.de>

On Wed, Jun 21, 2000 at 09:07:18AM +1000, Damien Miller wrote:
> On Tue, 20 Jun 2000, Lutz Jaenicke wrote:
>
> > Hi,
> >
> > when running OpenSSH with EGD as entropy source, the sshd server connects
> > to the EGD socket and leaves it open to re-seed on the fly.
> > Unfortunately the connection is not checked when re-seeding, so that
> > a failure or restart of EGD will lead to a "fatal()" abort of the sshd
> > server process.
> >
> > Since a dying server process can not be accepted, I would recommend to
> > not have sshd call it "fatal()" if EGD cannot be queried and there is
> > already enough seed available.
>
> Thanks for the report. How does the attached patch look?

Hmm, I am not completely happy with it. If it finds that the EGD connection has been dropped, it tries to reconnect, which is a good thing, but:

- If EGD is down at this point for any reason whatsoever, the sshd server will die, even though enough entropy might have been collected over time.

  * This is especially bad, as without EGD you cannot even fire off an "emergency" sshd on another port from inetd. Hence you cannot recover from this problem remotely (without using the root password over telnet).

Hence, I have "reworked" your patch a bit :-)

Best regards,
Lutz

PS. I have sshd dying very often by now, it just services the first request and once the connection is closed, the server process dies, too.... [No time to look into it now.] Where in hell are the "fatal()" and "error()" messages logged on HP-UX 10.20??

-- 
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Jun 21 20:05:02 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Wed, 21 Jun 2000 12:05:02 +0200 Subject: Critical EGD handling in 2.1.1p1 In-Reply-To: ; from djm@mindrot.org on Wed, Jun 21, 2000 at 09:07:18AM +1000 References: <20000620160352.A10742@ws01.aet.tu-cottbus.de> Message-ID: <20000621120501.B13164@ws01.aet.tu-cottbus.de> And this time the patch attached :-) Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 -------------- next part -------------- *** entropy.c.orig Wed Jun 7 14:20:23 2000 --- entropy.c Wed Jun 21 11:41:50 2000 *************** *** 63,104 **** { static int egd_socket = -1; int c; char egd_message[2] = { 0x02, 0x00 }; struct sockaddr_un addr; int addr_len; memset(&addr, '\0', sizeof(addr)); addr.sun_family = AF_UNIX; ! ! /* FIXME: compile time check? */ if (sizeof(EGD_SOCKET) > sizeof(addr.sun_path)) fatal("Random pool path is too long"); ! strlcpy(addr.sun_path, EGD_SOCKET, sizeof(addr.sun_path)); ! addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(EGD_SOCKET); ! if (egd_socket == -1) { egd_socket = socket(AF_UNIX, SOCK_STREAM, 0); ! if (egd_socket == -1) fatal("Couldn't create AF_UNIX socket: %s", strerror(errno)); ! if (connect(egd_socket, (struct sockaddr*)&addr, addr_len) == -1) fatal("Couldn't connect to EGD socket \"%s\": %s", addr.sun_path, strerror(errno)); } if (len > 255) fatal("Too many bytes to read from EGD"); ! /* Send blocking read request to EGD */ egd_message[1] = len; c = atomicio(write, egd_socket, egd_message, sizeof(egd_message)); ! if (c == -1) ! fatal("Couldn't write to EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); c = atomicio(read, egd_socket, buf, len); if (c <= 0) ! 
fatal("Couldn't read from EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); } #else /* !EGD_SOCKET */ #ifdef RANDOM_POOL --- 63,150 ---- { static int egd_socket = -1; int c; + int egd_error; + int enough_entropy; char egd_message[2] = { 0x02, 0x00 }; struct sockaddr_un addr; int addr_len; + egd_error = 0; + + enough_entropy = RAND_status(); + + retry: + memset(&addr, '\0', sizeof(addr)); addr.sun_family = AF_UNIX; ! if (sizeof(EGD_SOCKET) > sizeof(addr.sun_path)) fatal("Random pool path is too long"); ! strlcpy(addr.sun_path, EGD_SOCKET, sizeof(addr.sun_path)); ! addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(EGD_SOCKET); ! if (egd_socket == -1) { egd_socket = socket(AF_UNIX, SOCK_STREAM, 0); ! if (egd_socket == -1) { ! if (!enough_entropy) fatal("Couldn't create AF_UNIX socket: %s", strerror(errno)); ! else ! error("Couldn't create AF_UNIX socket: %s", strerror(errno)); ! } ! if (connect(egd_socket, (struct sockaddr*)&addr, addr_len) == -1) { ! if (!enough_entropy) fatal("Couldn't connect to EGD socket \"%s\": %s", addr.sun_path, strerror(errno)); + else + error("Couldn't connect to EGD socket \"%s\": %s", addr.sun_path, strerror(errno)); + } } if (len > 255) fatal("Too many bytes to read from EGD"); ! /* Send blocking read request to EGD */ egd_message[1] = len; c = atomicio(write, egd_socket, egd_message, sizeof(egd_message)); ! if (c == -1) { ! if (egd_error) { ! if (!enough_entropy) ! fatal("Couldn't write to EGD socket \"%s\": %s", ! EGD_SOCKET, strerror(errno)); ! else ! error("Couldn't write to EGD socket \"%s\": %s", ! EGD_SOCKET, strerror(errno)); ! } else { ! egd_error = 1; ! close(egd_socket); ! egd_socket = -1; ! error("Couldn't write to EGD socket \"%s\": %s", ! EGD_SOCKET, strerror(errno)); ! goto retry; ! } ! } c = atomicio(read, egd_socket, buf, len); if (c <= 0) ! if (c == -1) { ! if (egd_error) { ! if (!enough_entropy) ! fatal("Couldn't read from EGD socket \"%s\": %s", ! EGD_SOCKET, strerror(errno)); ! else ! 
error("Couldn't read from EGD socket \"%s\": %s", ! EGD_SOCKET, strerror(errno)); ! } else { ! egd_error = 1; ! close(egd_socket); ! egd_socket = -1; ! error("Couldn't read from EGD socket \"%s\": %s", ! EGD_SOCKET, strerror(errno)); ! goto retry; ! } ! } } #else /* !EGD_SOCKET */ #ifdef RANDOM_POOL From djm at mindrot.org Wed Jun 21 20:54:47 2000 From: djm at mindrot.org (Damien Miller) Date: Wed, 21 Jun 2000 20:54:47 +1000 (EST) Subject: Linux sshd dumps core unless client is insecure. In-Reply-To: Message-ID: On 21 Jun 2000, Andrew Donkin wrote: > If I "sshd -d -p222" it only dumps core if I supply the correct password. > If I "strace sshd -d -p222" it dumps core if I give any non-null > password. Weird, eh? The sshd in this case being 2.1.1p1? Can you get a backtrace from the core? Compile sshd with debugging (-g in CFLAGS), run and break it. Then fire up gdb: echo bt | gdb ./sshd core and send the result. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Wed Jun 21 20:56:52 2000 From: djm at mindrot.org (Damien Miller) Date: Wed, 21 Jun 2000 20:56:52 +1000 (EST) Subject: ssh 2.1.1p1 can't connect; ssh 1.2.3 can In-Reply-To: Message-ID: On 20 Jun 2000, Paul D. Smith wrote: > dm> An strace of the client and a tcpdump of a failed connection would > dm> help. > > Ugh. OK, I'm a bit confused. I couldn't truss it because ssh was > setuid root, so I made a copy that wasn't. That copy worked! Can you try again, running the non-setuid binary as root? It will be able to use a low numbered port and you will be able to truss it. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From root at rjimlad.org.uk Wed Jun 21 23:49:18 2000 
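Review bot: in Lutz's entropy.c hunk (*** 63,104 **** / --- 63,150 ----) the `socket()` and `connect()` failures now only log `error()` when `enough_entropy` is set, but execution then continues with `egd_socket == -1` (or an unconnected socket): the `atomicio(write, ...)` on it fails, which trips the `goto retry`, and the whole socket/connect/write/read sequence runs a second time, logging four more errors, before the function finally returns with `buf` untouched and no way for the caller to tell that nothing was read. Return from the function right after those `error()` calls, or give it a return value the caller can check, so an unfilled buffer is never passed on as fresh entropy. The `if (c <= 0) ! if (c == -1) {` nesting is carried over from Damien's version, so a read returning 0 (EGD closed the connection) is still silently treated as success; handle `c == 0` on the same close-and-retry path.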
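Lutz's original report and the reworked patch above both describe the same policy for sshd's EGD client: a broken EGD connection should be closed and forgotten, reconnected once, and treated as fatal only when the PRNG pool has not yet been seeded (RAND_status() == 0). The block below is an added example written for this page, not OpenSSH's entropy.c and not Lutz's or Damien's code. It implements that policy as a small EGD client and exercises it against a constructed in-process stand-in for the EGD daemon: the daemon is started, "restarted" and finally removed, and egd_demo() returns 0 only if each stage behaves as the thread argues it should. Assumptions are marked in the comments: the EGD "blocking read" request is the two bytes 0x02 <count>, the pool_seeded flag replaces RAND_status(), and the socket path under /tmp and the 0xA5 reply pattern are constructed for the demonstration.

```c
/* Added example, not OpenSSH code: an EGD client with the policy argued for in this thread
 * (keep one connection; on failure close it and reconnect once; fatal only while unseeded). */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

#define EGD_MAX_REQUEST 255   /* EGD's length field is a single byte */
/* pool_seeded (below) stands in for OpenSSL's RAND_status(): it decides UNAVAILABLE vs FATAL. */
enum egd_result { EGD_OK = 0, EGD_UNAVAILABLE = 1 /* no EGD, pool seeded: carry on */,
                  EGD_FATAL = -1 /* no EGD, pool unseeded: the one case for fatal() */ };
/* Move exactly n bytes; error, EOF and short transfers all come back as -1. */
static ssize_t xfer(int fd, unsigned char *p, size_t n, int writing)
{
    size_t done = 0;
    while (done < n) {
        ssize_t r = writing ? write(fd, p + done, n - done) : read(fd, p + done, n - done);
        if (r == -1 && errno == EINTR) continue;
        if (r <= 0) return -1;             /* includes a peer that closed or died */
        done += (size_t)r;
    }
    return (ssize_t)done;
}
/* Fill a sockaddr_un; -1 if the path does not fit (entropy.c's "path is too long" case). */
static int unix_addr(struct sockaddr_un *a, const char *path)
{
    memset(a, 0, sizeof(*a));
    a->sun_family = AF_UNIX;
    if (strlen(path) >= sizeof(a->sun_path)) { errno = ENAMETOOLONG; return -1; }
    memcpy(a->sun_path, path, strlen(path));
    return 0;
}
/* *sock persists between calls, like the static egd_socket in entropy.c.  A daemon calling
 * this should ignore SIGPIPE so that a dead peer shows up as EPIPE rather than a signal. */
enum egd_result egd_get_bytes(int *sock, const char *path, unsigned char *buf, size_t len, int pool_seeded)
{
    unsigned char req[2] = { 0x02, (unsigned char)len };   /* EGD "blocking read" request (assumed) */
    struct sockaddr_un addr; int attempt;
    if (len == 0 || len > EGD_MAX_REQUEST || unix_addr(&addr, path) == -1)
        return EGD_FATAL;                  /* caller bug, not an EGD outage */
    for (attempt = 0; attempt < 2; attempt++) {
        if (*sock == -1 && ((*sock = socket(AF_UNIX, SOCK_STREAM, 0)) == -1 ||
                            connect(*sock, (struct sockaddr *)&addr, sizeof(addr)) == -1)) {
            if (*sock != -1) close(*sock);
            *sock = -1;                    /* nobody listening; try once more */
            continue;
        }
        if (xfer(*sock, req, 2, 1) == 2 && xfer(*sock, buf, len, 0) == (ssize_t)len)
            return EGD_OK;                 /* request sent, exactly len bytes received */
        close(*sock);                      /* dead connection: drop it and reconnect */
        *sock = -1;
    }
    return pool_seeded ? EGD_UNAVAILABLE : EGD_FATAL;
}
/* Constructed stand-in for the EGD daemon: serves any number of 0x02 requests per
 * connection with a fixed 0xA5 pattern (a test double, deliberately not random). */
static void fake_egd_serve(int lfd)
{
    unsigned char req[2], reply[EGD_MAX_REQUEST];
    memset(reply, 0xA5, sizeof(reply));
    alarm(10);                             /* safety net: never outlive the demo */
    for (;;) {
        int c = accept(lfd, NULL, NULL);
        if (c == -1) _exit(1);
        while (xfer(c, req, 2, 0) == 2 && req[0] == 0x02 && xfer(c, reply, req[1], 1) == req[1]) { }
        close(c);
    }
}
static pid_t start_fake_egd(const char *path)
{
    struct sockaddr_un addr; int lfd; pid_t pid;
    unlink(path);
    if (unix_addr(&addr, path) == -1 || (lfd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) return -1;
    if (bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) == -1 || listen(lfd, 4) == -1) return -1;
    if ((pid = fork()) == 0) fake_egd_serve(lfd);   /* child never returns */
    close(lfd);   /* the parent must not keep the listener, or later connects would queue forever */
    return pid;
}
/* The three situations from the thread: EGD answering, EGD restarted, EGD gone for good.
 * Returns 0 when each behaves as intended, otherwise the number of the failing step. */
int egd_demo(void)
{
    char path[64]; unsigned char buf[16]; int sock = -1; pid_t pid;
    snprintf(path, sizeof(path), "/tmp/egd-demo-%ld.sock", (long)getpid());  /* /tmp assumed writable */
    signal(SIGPIPE, SIG_IGN);
    if ((pid = start_fake_egd(path)) <= 0) return 1;
    if (egd_get_bytes(&sock, path, buf, 16, 0) != EGD_OK || buf[15] != 0xA5) return 2;
    kill(pid, SIGKILL); waitpid(pid, NULL, 0);       /* EGD restarted: sock is now stale */
    if ((pid = start_fake_egd(path)) <= 0) return 3;
    if (egd_get_bytes(&sock, path, buf, 16, 0) != EGD_OK) return 4;           /* reconnected once */
    kill(pid, SIGKILL); waitpid(pid, NULL, 0);       /* EGD gone for good */
    if (egd_get_bytes(&sock, path, buf, 16, 1) != EGD_UNAVAILABLE) return 5;  /* seeded: degrade */
    if (egd_get_bytes(&sock, path, buf, 16, 0) != EGD_FATAL) return 6;        /* unseeded: fatal */
    unlink(path); return 0;
}
```

One difference from both patches in the thread is deliberate: a read that returns 0 (EGD closed the connection) or a short read counts as a failed exchange and goes through the same close-and-reconnect path, so the caller never receives an unfilled buffer reported as success. The return code, rather than a call to fatal() inside the helper, leaves the "die or carry on" decision where the pool state is known.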
From: root at rjimlad.org.uk (Jim)
Date: Wed, 21 Jun 2000 14:49:18 +0100 (BST)
Subject: ssh 2.1.1p1 can't connect; ssh 1.2.3 can
In-Reply-To: <20000620202319.A14558@greenie.muc.de>
Message-ID:

On Tue, 20 Jun 2000, Gert Doering wrote:

> > It's apparently something about the privileged ports?, because if I run
> > the setuid version with -P, then that works as well.
> >
> > _But_, I don't see how it can be a firewall issue, at least not on my
> > side, since I can use a privileged port to access my home system (I
> > don't need -P for that). That's what threw me :-/.
>
> Sounds *very* much like a firewall issue - somewhere on the way in
> between. Something of "privileged ports are evil, forbid, forbid!"
> without actually understanding things like ssh...
>

I was having a similar issue myself - no local firewall, though, although I can't be entirely sure my ISP doesn't have some kind of firewall setup. However, I can connect to sshd on my own box from the remote box in question, so I'm guessing my privileged ports are fine.

I did have a commercial version of SSH on this box (whichever one comes with SuSE linux 6.4 :) ), which worked fine for connecting to the remote server (which runs a commercial sshd running SSH2 on linux). I had an earlier version of OpenSSH, but obviously it couldn't negotiate an SSH2 connection :)

Incidentally, in my case it just hangs but specifying -P sorts it out nicely. Maybe it might be a good idea to set this as the default?

Jim

From garrick at james.net Thu Jun 22 02:01:39 2000
From: garrick at james.net (Garrick James)
Date: Wed, 21 Jun 2000 09:01:39 -0700 (PDT)
Subject: PATCH: login reporting (utmp?) problem on Linux
In-Reply-To: <200006210555.WAA18792@homer.ka9q.ampr.org>
Message-ID:

I have two Debian based machines. One is stock 2.1r5. The other is somewhere between 2.1 and 2.2. ;-) Both machines had the utmp problem.

So far, I have seen this problem on or received reports for the problem on Debian (2.1 and 2.2), Slackware (version?), RedHat (version?), Suse (6.4), and Mandrake (7.0 and 7.1), though. The patch I posted fixed the problem in each case.

Damien, is there any way I can get my patch tested on other non-Linux systems and rolled into the official distribution?

-Garrick

On Tue, 20 Jun 2000, Phil Karn wrote:

> FYI, I also encountered this problem, but only after I updated my
> Linux machines from Debian 2.1 (slink) to the Debian "frozen"
> (2.2-potato) release. All my utmp entries are now Wed Dec 31.
>
> Phil
>

From nstevens at arm.com Thu Jun 22 02:13:30 2000
From: nstevens at arm.com (Nick Stevenson)
Date: Wed, 21 Jun 2000 18:13:30 +0200
Subject: configure: error: Could not find working SSLeay / OpenSSL libraries
Message-ID: <200006211713.SAA13722@cam-mail2.cambridge.arm.com>

Hi,

I've built and installed the openssl-0.9.1c package but openssh-2.1.1p1 configure can't apparently 'see' the package. I've tried adding the install directory to LD_LIBRARY_PATH, using CFLAGS, LDFLAGS, LIBS etc. The 'missing' rand.h is present in the included path shown in the config.log output below.

What am I missing? Any help would be very much appreciated. The platform is Solaris v2.5.1, gcc 2.7.2.3 - please send replies to me, I'm not subscribed.

TIA,

-- 
Nick

------------8<------------
configure:2582: gcc -o conftest -I/home/nstevens/unix/PACKAGES/openssl-0.9.1c/include -Wall -I/usr/local/include -I/opt/openssl/include -L/home/nstevens/unix/PACKAGES/openssl-0.9.1c/lib -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib -L/opt/openssl/lib -L/opt/openssl -R/opt/openssl/lib -R/opt/openssl conftest.c -lsocket -lnsl -lz -lcrypto -lcrypto 1>&5
configure:2571: openssl/rand.h: No such file or directory
configure: failed program was:
#line 2568 "configure"
#include "confdefs.h"
#include
#include
int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); }
-------------8<-------------

From gem at rellim.com Thu Jun 22 04:26:30 2000
From: gem at rellim.com (Gary E. Miller)
Date: Wed, 21 Jun 2000 11:26:30 -0700 (PDT)
Subject: configure: error: Could not find working SSLeay / OpenSSL libraries
In-Reply-To: <200006211713.SAA13722@cam-mail2.cambridge.arm.com>
Message-ID:

Yo Nick!

You should be using openssl-0.9.5a. It works much better.

RGDS
GARY

On Wed, 21 Jun 2000, Nick Stevenson wrote:

> I've built and installed the openssl-0.9.1c package but openssh-2.1.1p1
> configure can't apparently 'see' the package. I've tried adding the install
> directory to LD_LIBRARY_PATH, using CFLAGS, LDFLAGS, LIBS etc. The 'missing'
> rand.h is present in the included path shown in the config.log output below.
>
> What am I missing? Any help would be very much appreciated. The platform is
> Solaris v2.5.1, gcc 2.7.2.3 - please send replies to me, I'm not subscribed.

---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From mstone at cs.loyola.edu Thu Jun 22 05:39:03 2000
From: mstone at cs.loyola.edu (Michael Stone) Date: Wed, 21 Jun 2000 15:39:03 -0400 Subject: IRIX patches Message-ID: <20000621153903.P23299@justice.loyola.edu> The attached patch adds support for array sessions, project id's, and system audit trail id. Arrays are available at least on UNICOS in addition to IRIX. The project id & audit stuff is IRIX specific. Otherwise, the IRIX support in the current OpenSSHp looks good. (There were some utmp/wtmp oddities, but I think they've gone away in the latest release.) -- Mike Stone -------------- next part -------------- *** openssh-2.1.1p1.orig/configure.in Thu Jun 08 21:58:35 EDT 2000 --- openssh-2.1.1p1/configure.in Wed Jun 21 14:16:26 EDT 2000 *************** *** 89,94 **** --- 89,97 ---- LDFLAGS="$LDFLAGS" MANTYPE='$(CATMAN)' AC_MSG_WARN([*** Irix 6.x is not tested, please report you experiences *** ]) + AC_DEFINE(WITH_ARRAY) + AC_DEFINE(WITH_IRIX_PROJECT) + AC_DEFINE(WITH_IRIX_AUDIT) no_libsocket=1 no_libnsl=1 ;; *** openssh-2.1.1p1.orig/config.h.in Fri Jun 09 06:56:25 EDT 2000 --- openssh-2.1.1p1/config.h.in Wed Jun 21 14:17:02 EDT 2000 *************** *** 15,20 **** --- 15,29 ---- /* Define if you want to enable AIX4's authenticate function */ #undef WITH_AIXAUTHENTICATE + /* Define if you have/want arrays (cluster-wide session managment, not C arrays) */ + #undef WITH_ARRAY + + /* Define if you want IRIX project management */ + #undef WITH_IRIX_PROJECT + + /* Define if you want IRIX audit trails */ + #undef WITH_IRIX_AUDIT + /* Location of random number pool */ #undef RANDOM_POOL *** openssh-2.1.1p1.orig/session.c Wed Jun 07 07:22:38 EDT 2000 --- openssh-2.1.1p1/session.c Wed Jun 21 15:05:37 EDT 2000 *************** *** 27,32 **** --- 27,36 ---- #include "ssh2.h" #include "auth.h" + #ifdef WITH_IRIX_PROJECT + #include + #endif /* WITH_IRIX_PROJECT */ + /* types */ #define TTYSZ 64 *************** *** 810,815 **** --- 814,822 ---- extern char **environ; struct stat st; char *argv[10]; + #ifdef WITH_IRIX_PROJECT + 
prid_t projid; + #endif /* WITH_IRIX_PROJECT */ /* login(1) is only called if we execute the login shell */ if (options.use_login && command != NULL) *************** *** 846,851 **** --- 853,877 ---- exit(1); } endgrent(); + + #ifdef WITH_ARRAY + /* initialize array session */ + if (newarraysess() != 0) + fatal("Failed to set up new array session: %.100s", + strerror(errno)); + #endif /* WITH_ARRAY */ + + #ifdef WITH_IRIX_PROJECT + /* initialize irix project info */ + if ((projid = getdfltprojuser(pw->pw_name)) == -1) { + debug("Failed to get project id, using projid 0"); + projid = 0; + } + + if (setprid(projid)) + fatal("Failed to initialize project %d for %s: %.100s", + (int)projid, pw->pw_name, strerror(errno)); + #endif /* WITH_IRIX_PROJECT */ /* Permanently switch to the desired uid. */ permanently_set_uid(pw->pw_uid); *** openssh-2.1.1p1.orig/uidswap.c Sat Apr 15 21:18:49 EDT 2000 --- openssh-2.1.1p1/uidswap.c Wed Jun 21 15:14:07 EDT 2000 *************** *** 11,16 **** --- 11,19 ---- #include "ssh.h" #include "uidswap.h" + #ifdef WITH_IRIX_AUDIT + #include + #endif /* WITH_IRIX_AUDIT */ /* * Note: all these functions must work in all of the following cases: *************** *** 83,88 **** --- 86,99 ---- void permanently_set_uid(uid_t uid) { + #ifdef WITH_IRIX_AUDIT + if (sysconf(_SC_AUDIT)) { + debug("Setting sat id to %d", (int) uid); + if (satsetid(uid)) + fatal("error setting satid: %.100s", strerror(errno)); + } + #endif /* WITH_IRIX_AUDIT */ + if (setuid(uid) < 0) debug("setuid %d: %.100s", (int) uid, strerror(errno)); } From gem at rellim.com Thu Jun 22 07:27:14 2000 
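Review bot: In the session.c hunk that initializes the IRIX project (the block after endgrent()), a failed getdfltprojuser() is only debug()-logged and the session silently continues as project 0, so a lookup error ends up accounted to the default project; since the neighbouring newarraysess() and setprid() failures are fatal(), treat this one the same way, or at least log it with error() so an operator can see the misattribution. The ordering itself is right: the array, project and audit calls all run before permanently_set_uid(pw->pw_uid), while the privilege they need is still held.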
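Review bot: In the uidswap.c permanently_set_uid() hunk, a satsetid() failure is fatal() but the existing `if (setuid(uid) < 0) debug(...)` two lines below only logs, so a process whose uid switch fails keeps running with the audit id of the target user already set; making the setuid() failure fatal as well would keep the two consistent and stop the process from continuing with the wrong credentials. Also sysconf(_SC_AUDIT) returns -1 on error, which the bare `if (sysconf(_SC_AUDIT))` test treats as "audit enabled"; test for `> 0` so satsetid() is not attempted when the query itself failed.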
From: gem at rellim.com (Gary E. Miller)
Date: Wed, 21 Jun 2000 14:27:14 -0700 (PDT)
Subject: make install
Message-ID:

Yo All!

I was just looking at the "other" SSH for ideas. There is one thing in their install that would be nice. When they do a 'make install' they check to see if a host key already exists and if it does not they create one and install it. This sure makes life simple and should be simple to code in the Makefile.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From heinlein at cse.ogi.edu Thu Jun 22 08:04:01 2000
From: heinlein at cse.ogi.edu (Paul Heinlein)
Date: Wed, 21 Jun 2000 15:04:01 -0700 (PDT)
Subject: make install
In-Reply-To:
Message-ID:

On Wed, 21 Jun 2000, Gary E. Miller wrote:

> I was just looking at the "other" SSH for ideas. There is
> one thing in their install that would be nice. When they do a
> 'make install' they check to see if a host key already exists and
> if it does not they create one and install it. This sure makes life
> simple and should be simple to code in the Makefile.

Along those lines, I think it's worth noting that Damien's contrib/redhat/openssh.spec file does a very nice job with that:

%files clients
...
%attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config

%files server
...
%attr(0600,root,root) %config(noreplace) /etc/ssh/sshd_config
%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd

Bravo!

Paul Heinlein
heinlein at cse.ogi.edu

From heinlein at cse.ogi.edu Thu Jun 22 08:11:36 2000
From: heinlein at cse.ogi.edu (Paul Heinlein)
Date: Wed, 21 Jun 2000 15:11:36 -0700 (PDT)
Subject: make install
In-Reply-To:
Message-ID:

On Wed, 21 Jun 2000, Paul Heinlein wrote:

> Along those lines, I think it's worth noting that Damien's
> contrib/redhat/openssh.spec file does a very nice job with that:
>
> %files clients
> ...

Oops. I was thinking in a parallel universe and included Damien's stuff with the config files. His spec file does the right thing with host keys, too:

if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]
then
	/usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2
fi
if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]
then
	/usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2
fi

Sorry for the mailbloat.

Paul Heinlein
heinlein at cse.ogi.edu

From gem at rellim.com Thu Jun 22 08:21:23 2000
From: gem at rellim.com (Gary E. Miller)
Date: Wed, 21 Jun 2000 15:21:23 -0700 (PDT)
Subject: SSH 2.2.0
Message-ID:

Yo All!

I have been playing with SSH 2.2.0 from www.ssh.com. I can not connect to openssh 2.2.1p1 using Ver 2 protocol from ssh Ver 2.2.0. Ver 1 works fine.

See below for the debug output from both ends.

If I force hmac-md5 (-m hmac-md5) from the sender it works! The other 3 choices fail: hmac-sha1; hmac-md5-96; and none.

I have no problem connecting to this openssh host (hobbes) from SecureCRT Ver 3.1b2 or SSH V 2.0.13.

I also have no problem connecting from SecureCRT 3.1b2 to ssh 2.2.0 (after I select "Standard Server" on the client end).

Any ideas?

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

[root at a ~]# ssh -V
ssh: SSH Secure Shell 2.2.0 (non-commercial version) on i686-pc-linux-gnu
[root at a ~]# ssh -v -l gem -p 4040 hobbes.rellim.com
debug: hostname is 'hobbes.rellim.com'.
debug: Unable to open /root/.ssh2/ssh2_config
debug: connecting to hobbes.rellim.com...
debug: entering event loop
debug: ssh_client_wrap: creating transport protocol
debug: SshAuthMethodClient/sshauthmethodc.c:99/ssh_client_authentication_initialize: Added "publickey" to usable methods.
debug: SshAuthMethodClient/sshauthmethodc.c:99/ssh_client_authentication_initialize: Added "password" to usable methods.
debug: Ssh2Client/sshclient.c:1097/ssh_client_wrap: creating userauth protocol
debug: Ssh2Common/sshcommon.c:350/ssh_common_wrap: local ip = 192.168.254.148, local port = 1034
debug: Ssh2Common/sshcommon.c:352/ssh_common_wrap: remote ip = 204.17.205.2, remote port = 4040
debug: SshConnection/sshconn.c:1853/ssh_conn_wrap: Wrapping...
debug: Ssh2Transport/trcommon.c:593/ssh_tr_input_version: Remote version: SSH-1.99-OpenSSH_2.1.1
debug: Remote version: SSH-1.99-OpenSSH_2.1.1
debug: SshUnixUserFiles/sshunixuserfiles.c:200/ssh_blob_read: file /root/.ssh2/hostkeys/key_4040_hobbes.rellim.com.pub does not exist.
debug: SshUnixUserFiles/sshunixuserfiles.c:200/ssh_blob_read: file /etc/ssh2/hostkeys/key_4040_hobbes.rellim.com.pub does not exist.
Host key not found from database.
Key fingerprint:
xodat-besid-vulot-nimet-hygyv-dovak-ryraf-cugiz-dazyl-tireg-bixox
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Are you sure you want to continue connecting (yes/no)? yes
Host key saved to /root/.ssh2/hostkeys/key_4040_hobbes.rellim.com.pub
host key for hobbes.rellim.com, accepted by root Wed Jun 21 2000 15:07:20 -0700
debug: Ssh2Common/sshcommon.c:132/ssh_common_disconnect: DISCONNECT received: Message authentication check fails.
warning: Authentication failed.
debug: Ssh2/ssh2.c:76/client_disconnect: locally_generated = TRUE
Disconnected; MAC error (Message authentication check fails.).
debug: uninitializing event loop

On the other end:

hobbes:/usr/adm# sshd -p 4040 -d
debug: sshd version OpenSSH_2.1.1
debug: Seeding random number generator
debug: read DSA private key done
debug: Seeding random number generator
debug: Bind to port 4040 on 0.0.0.0.
Server listening on 0.0.0.0 port 4040.
Generating 768 bit RSA key.
debug: Seeding random number generator
debug: Seeding random number generator
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from 216.200.191.195 port 1034
debug: Client protocol version 1.99; client software version 2.2.0 SSH Secure Shell (non-commercial)
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-1.99-OpenSSH_2.1.1
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour
debug: got kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour
debug: got kexinit: hmac-sha1,hmac-md5,hmac-md5-96,none
debug: got kexinit: hmac-sha1,hmac-md5,hmac-md5-96,none
debug: got kexinit: none,zlib
debug: got kexinit: none,zlib
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 1
debug: reserved: 0
debug: done
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: Wait SSH2_MSG_KEXDH_INIT.
debug: bits set: 523/1024
debug: bits set: 505/1024
debug: sig size 20 20
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: done: KEX2.
Disconnecting: Corrupted HMAC on input.
debug: Calling cleanup 0x805f650(0x0)

From djm at mindrot.org Thu Jun 22 08:23:49 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 22 Jun 2000 08:23:49 +1000 (EST)
Subject: make install
In-Reply-To:
Message-ID:

On Wed, 21 Jun 2000, Gary E. Miller wrote:

> Yo All!
>
> I was just looking at the "other" SSH for ideas. There is
> one thing in their install that would be nice. When they do a
> 'make install' they check to see if a host key already exists and
> if it does not they create one and install it. This sure makes life
> simple and should be simple to code in the Makefile.

There is a "make host-key" target in there already - it shouldn't be too much work to hook it up to the install process.

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From gem at rellim.com Thu Jun 22 08:24:05 2000
From: gem at rellim.com (Gary E. Miller)
Date: Wed, 21 Jun 2000 15:24:05 -0700 (PDT)
Subject: make install
In-Reply-To:
Message-ID:

Yo Paul!

The config yes, the keys, no. I still have to manually generate and install the keys.

RGDS
GARY

On Wed, 21 Jun 2000, Paul Heinlein wrote:

> On Wed, 21 Jun 2000, Gary E. Miller wrote:
>
> > I was just looking at the "other" SSH for ideas. There is
> > one thing in their install that would be nice. When they do a
> > 'make install' they check to see if a host key already exists and
> > if it does not they create one and install it. This sure makes life
> > simple and should be simple to code in the Makefile.
>
> Along those lines, I think it's worth noting that Damien's
> contrib/redhat/openssh.spec file does a very nice job with that:
>
> %files clients
> ...
> %attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config
>
>
> %files server
> ...
> %attr(0600,root,root) %config(noreplace) /etc/ssh/sshd_config
> %attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
>
> Bravo!
>
> Paul Heinlein
> heinlein at cse.ogi.edu
>
>

---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From gem at rellim.com Thu Jun 22 08:37:33 2000
From: gem at rellim.com (Gary E. Miller)
Date: Wed, 21 Jun 2000 15:37:33 -0700 (PDT)
Subject: make install
In-Reply-To:
Message-ID:

Yo Damien!

I could do it if you do not mind US content....

RGDS
GARY

On Thu, 22 Jun 2000, Damien Miller wrote:

> On Wed, 21 Jun 2000, Gary E. Miller wrote:
>
> > Yo All!
> >
> > I was just looking at the "other" SSH for ideas. There is
> > one thing in their install that would be nice. When they do a
> > 'make install' they check to see if a host key already exists and
> > if it does not they create one and install it. This sure makes life
> > simple and should be simple to code in the Makefile.
>
> There is a "make host-key" target in there already - it shouldn't be
> too much work to hook it up to the install process.

---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From gem at rellim.com Thu Jun 22 08:36:20 2000
From: gem at rellim.com (Gary E. Miller)
Date: Wed, 21 Jun 2000 15:36:20 -0700 (PDT)
Subject: make install
In-Reply-To:
Message-ID:

Yo Paul!

I just installed 2.1.1p1 on a clean host and I do not see these in the Makefile. I do see a "make host-key" that I missed before but it is not called by default from "make install" and does not check before clobbering any existing keys.

I see the lines that you are talking about in the redhat and suse stuff but I do not use those. Having it in the makefile would be preferred.

RGDS
GARY

On Wed, 21 Jun 2000, Paul Heinlein wrote:

> On Wed, 21 Jun 2000, Paul Heinlein wrote:
>
> > Along those lines, I think it's worth noting that Damien's
> > contrib/redhat/openssh.spec file does a very nice job with that:
> >
> > %files clients
> > ...
>
> Oops. I was thinking in a parallel universe and included Damien's
> stuff with the config files. His spec file does the right thing with
> host keys, too:
>
> if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]
> then
> /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2
> fi
> if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key]
> then
> /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2
> fi
>
> Sorry for the mailbloat.
>
> Paul Heinlein
> heinlein at cse.ogi.edu
>
>

---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From mouring at pconline.com Thu Jun 22 10:05:17 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Wed, 21 Jun 2000 19:05:17 -0500 (CDT)
Subject: make install
In-Reply-To:
Message-ID:

Would something like this be more to your liking?

It will check to see if the DSA and RSA key exists.. If not it creates them. If they are it puts out a nice message saying you can use 'make host-key-rsa' or 'make host-key-dsa' to recreate them.

Ben Lindstrom

On Wed, 21 Jun 2000, Gary E. Miller wrote:

> Yo Paul!
>
> I just installed 2.1.1p1 on a clean host and I do not see these
> in the Makefile. I do see a "make host-key" that I missed before but it
> is not called by default from "make install" and does not check before
> clobbering any existing keys.
>
> I see the lines that you are talking about in the redhat and suse
> stuff but I do not use those. Having it in the makefile would be
> preferred.
>
> RGDS
> GARY
>
> On Wed, 21 Jun 2000, Paul Heinlein wrote:
>
> > On Wed, 21 Jun 2000, Paul Heinlein wrote:
> >
> > > Along those lines, I think it's worth noting that Damien's
> > > contrib/redhat/openssh.spec file does a very nice job with that:
> > >
> > > %files clients
> > > ...
> >
> > Oops. I was thinking in a parallel universe and included Damien's
> > stuff with the config files. His spec file does the right thing with
> > host keys, too:
> >
> > if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]
> > then
> > /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2
> > fi
> > if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key]
> > then
> > /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2
> > fi
> >
> > Sorry for the mailbloat.
> >
> > Paul Heinlein
> > heinlein at cse.ogi.edu
> >
> >
>
> ---------------------------------------------------------------------------
> Gary E.
Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 > gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 > > -------------- next part -------------- --- Makefile.in.orig Wed Jun 21 12:54:46 2000 +++ Makefile.in Wed Jun 21 13:15:03 2000 @@ -144,10 +144,24 @@ $(PERL) fixprogs ssh_prng_cmds $(ENT); \ $(INSTALL) -m 644 ssh_prng_cmds.out $(DESTDIR)$(sysconfdir)/ssh_prng_cmds; \ fi + if [ ! -f $(sysconfdir)/ssh_host_key ]; then \ + ./ssh-keygen -b 1024 -f $(sysconfdir)/ssh_host_key -N ""; \ + else \ + echo "To recreate RSA key use 'make host-key-rsa'"; \ + fi + if [ ! -f $(sysconfdir)/ssh_host_dsa_key ]; then \ + ./ssh-keygen -d -f $(sysconfdir)/ssh_host_dsa_key -N ""; \ + else \ + echo "To regnerate DSA key use 'make host-key-dsa'"; \ + fi -host-key: ssh-keygen +host-key-rsa:ssh-keygen ./ssh-keygen -b 1024 -f $(sysconfdir)/ssh_host_key -N "" + +host-key-dsa:ssh-keygen ./ssh-keygen -d -f $(sysconfdir)/ssh_host_dsa_key -N "" + +host-key: host-key-rsa host-key-dsa uninstallall: uninstall -rm -f $(DESTDIR)$(sysconfdir)/ssh_config From offby1 at blarg.net Thu Jun 22 10:06:03 2000 
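Review bot: In the install hunk of Makefile.in, the new host-key tests and ssh-keygen invocations use $(sysconfdir)/ssh_host_key and $(sysconfdir)/ssh_host_dsa_key, while the ssh_prng_cmds line just above installs into $(DESTDIR)$(sysconfdir); a staged install (DESTDIR set) therefore checks for and writes keys in the live configuration directory rather than the staging tree, so either prefix both the `[ ! -f ... ]` tests and the `-f` paths with $(DESTDIR) or state explicitly that keys are always generated in place. The existence test is also weaker than the spec snippet quoted further up, which uses `! -f ... -o ! -s ...` so that an empty key file is regenerated too; and the DSA branch's message reads "regnerate".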
From: offby1 at blarg.net (Eric Hanchrow)
Date: 21 Jun 2000 17:06:03 -0700
Subject: X clients die after a while
Message-ID: <87og4ur34k.fsf@potato.hanchrow.org>

The following message is a courtesy copy of an article that has been posted to comp.security.ssh as well.

I have sshd (from openssh 1.2.3) running on my home machine (Debian GNU/Linux 2.2), and when I'm at work I like to start an Emacs like this:

    ssh -f -l offby1 my.home.machine.net emacs

(At work I use ssh 1.2.27 from http://www.cs.hut.fi/ssh on RedHat 6.2.)

This works fine, except: often, after iconifying Emacs and then not using it for a while (an hour or two), I will restore it, and it will then vanish. At the shell prompt from which I started the ssh client, I will see a message that says `read from my.home.machine.net: connection reset by peer'. There will be no log message on the server machine to indicate what went wrong.

I've tried restarting the daemon with the line `KeepAlive no' in /etc/ssh/sshd_config, but that made no difference.

I haven't yet tried running the daemon with debugging turned on. Until I do that, though, can anyone suggest why this might be happening?

Thanks
--
PGP Fingerprint: 3E7B A3F3 96CA 8958 ACC5 C8BD 6337 0041 C01C 5276

From gem at rellim.com Thu Jun 22 10:08:46 2000
From: gem at rellim.com (Gary E. Miller)
Date: Wed, 21 Jun 2000 17:08:46 -0700 (PDT)
Subject: make install
In-Reply-To:
Message-ID:

Yo Ben!

That sounds good. I just did something similar.

OTOH, if the openssh project is as careful as the FreeS/Wan project then neither of us can contribute code because that may violate US Export rules. I have not heard a clear statement on this from Damien yet.

RGDS
GARY

On Wed, 21 Jun 2000, Ben Lindstrom wrote:

> Would something like this be more to your like?
>
> It will check to see if the DSA and RSA key exists.. If not it creates
> them. If they are it puts out a nice message saying you can use
> 'make host-key-rsa' or 'make host-key-dsa' to recreate them.
>
> Ben Lindstrom
>
> On Wed, 21 Jun 2000, Gary E. Miller wrote:
>
> > Yo Paul!
> >
> > I just installed 2.1.1p1 on a clean host and I do not see these
> > in the Makefile. I do see a "make host-key" that I missed before but it
> > is not called by default from "make install" and does not check before
> > clobbering any existing keys.
> >
> > I see the lines that you are talking about in the redhat and suse
> > stuff but I do not use those. Having it in the makefile would be
> > preferred.
> >
> > RGDS
> > GARY
> >
> > On Wed, 21 Jun 2000, Paul Heinlein wrote:
> >
> > > On Wed, 21 Jun 2000, Paul Heinlein wrote:
> > >
> > > > Along those lines, I think it's worth noting that Damien's
> > > > contrib/redhat/openssh.spec file does a very nice job with that:
> > > >
> > > > %files clients
> > > > ...
> > >
> > > Oops. I was thinking in a parallel universe and included Damien's
> > > stuff with the config files. His spec file does the right thing with
> > > host keys, too:
> > >
> > > if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]
> > > then
> > > /usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2
> > > fi
> > > if [ ! -f /etc/ssh/ssh_host_dsa_key -o !
-s /etc/ssh/ssh_host_dsa_key]
> > > then
> > > /usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2
> > > fi
> > >
> > > Sorry for the mailbloat.
> > >
> > > Paul Heinlein
> > > heinlein at cse.ogi.edu
> > >
> > >
> >
> > ---------------------------------------------------------------------------
> > Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
> > gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
> >
>

---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From loomisg at cist.saic.com Thu Jun 22 13:45:39 2000
From: loomisg at cist.saic.com (Rip Loomis)
Date: Wed, 21 Jun 2000 20:45:39 -0700
Subject: PATCH: login reporting (utmp?) problem on Linux
In-Reply-To:
Message-ID: <000301bfdbfc$5599fd60$275346d1@rloomis.cist.saic.com>

For validation: I just built 2.1.1p1 in two separate source trees on a SPARC 20 (Solaris 7, gcc 2.95.2). One was the "vanilla" 2.1.1p1, and the other had Garrick's one-line patch to aclocal.m4 applied (after which I had to autoreconf as stated in his original message). After stripping both sets of binaries, they're 100% identical--so at least on Solaris, Garrick's patch doesn't break anything. I would recommend including it into the mainline portable code.

--Rip

Rip Loomis
--------------------------------------------------------
Security Engineer
Center for Information Security Technology
Science Applications International Corporation
http://www.cist.saic.com

-----Original Message-----
From: owner-openssh-unix-dev at mindrot.org [mailto:owner-openssh-unix-dev at mindrot.org]On Behalf Of Garrick James
Sent: Wednesday, June 21, 2000 9:02 AM
To: Phil Karn
Cc: openssh-unix-dev at mindrot.org
Subject: Re: PATCH: login reporting (utmp?) problem on Linux

I have two Debian based machines. One is stock 2.1r5. The other is somewhere between 2.1 and 2.2. ;-) Both machines had the utmp problem.

So far, I have seen this problem on or received reports for the problem on Debian (2.1 and 2.2), Slackware (version?), RedHat (version?), Suse (6.4), and Mandrake (7.0 and 7.1), though. The patch I posted fixed the problem in each case.

Damien, is there any way I can get my patch tested on other non-Linux systems and rolled into the official distribution?

-Garrick

On Tue, 20 Jun 2000, Phil Karn wrote:

> FYI, I also encountered this problem, but only after I updated my
> Linux machines from Debian 2.1 (slink) to the Debian "frozen"
> (2.2-potato) release. All my utmp entries are now Wed Dec 31.
>
> Phil
>

From davo at chunga.apana.org.au Thu Jun 22 10:46:03 2000
From: davo at chunga.apana.org.au (Dave Edwards)
Date: Thu, 22 Jun 2000 10:16:03 +0930 (CST)
Subject: Probs with Solaris 2.6
Message-ID: <200006220046.KAA11656@chunga.apana.org.au>

Hi,

I use OpenSSH (thanks folks) to administer a mix of boxes at work and have seen some quite scary problems.

I set up an ssh connection from the host to a central admin machine from a perl script running on the host. The script brings up an ssh connection to the central admin machine and sets up some reverse port redirection for administration (telnet for instance) and some forward redirection for offsite real time logging.

This is working fine except a Solaris 2.6 box (Ultra2) has started spontaneously rebooting. I put this down to hardware until today, when I was working on the machine through the redirected telnet port and accidentally closed the ssh session from the host machine. This dropped my session of course, big deal I thought, but the host dropped to single user mode and stopped accepting connections. This leads me to suspect that events on a redirected session inside an ssh session can affect the health of the box the client is run on..

Another problem I've seen is that we also redirect a localhost port on the hosts through the ssh session, to syslog-ng on the central host. Whenever we HUP syslog on the central host, it drops the ssh session. I figure this is a problem with the way syslog-ng closes TCP connections but it may also be a pointer to the rebooting problem.

Anyone got any ideas?

The box is running Solaris 2.6 and OpenSSH client version 1.2.2 protocol version 1.5. I'll upgrade it today to 2.1.1 from the portable source to see if that reduces problems.

ciao
dave
--
Dave Edwards davo at chunga.apana.org.au || davo at sa.apana.org.au
Adelaide, South Australia
----

From markus.friedl at informatik.uni-erlangen.de Thu Jun 22 10:48:08 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 22 Jun 2000 02:48:08 +0200 Subject: SSH 2.2.0 In-Reply-To: ; from gem@rellim.com on Wed, Jun 21, 2000 at 03:21:23PM -0700 References: Message-ID: <20000622024807.A21180@folly.conference.usenix.org> On Wed, Jun 21, 2000 at 03:21:23PM -0700, Gary E. Miller wrote: > Yo All! > > I have been playing with SSH 2.2.0 from www.ssh.com. I can not > connect to openssh 2.2.1p1 using Ver 2 protocol from ssh Ver 2.2.0. > Ver 1 works fine. > > See below for the debug output from both ends > > If I force hmac-md5 (-m hmac-md5) from the sender it works! > The other 3 choices fail: hmac-sha1; hmac-md5-96; and none. > > I have no problem connecting to this openssh host (hobbes) from > SeccureCRT Ver 3.1b2 or SSH V 2.0.13. > > I also have no problem connecting from SecureCRT 3.1b2 to ssh 2.2.0 > (after I select "Standard Server" on the client end). > > Any ideas? i don't agree with what ssh.com uses as authkey size for hmac-sha1. hmac-md5-96 is not implemented by openssh. try the attached patches. -markus -------------- next part -------------- Index: compat.c =================================================================== RCS file: /home/markus/cvs/ssh/compat.c,v retrieving revision 1.14 retrieving revision 1.17 diff -IRCSID -u -r1.14 -r1.17 --- compat.c 2000/05/22 18:42:01 1.14 +++ compat.c 2000/06/20 01:39:40 1.17 @@ -61,6 +61,7 @@ char *version; int bugs; } check[] = { + {"2.2.0", SSH_BUG_HMAC|SSH_COMPAT_SESSIONID_ENCODING}, {"2.1.0", SSH_BUG_SIGBLOB|SSH_BUG_HMAC}, {"2.0.1", SSH_BUG_SIGBLOB|SSH_BUG_HMAC|SSH_BUG_PUBKEYAUTH|SSH_BUG_X11FWD}, {NULL, 0} Index: compat.h =================================================================== RCS file: /home/markus/cvs/ssh/compat.h,v retrieving revision 1.7 retrieving revision 1.9 diff -IRCSID -u -r1.7 -r1.9 --- compat.h 2000/05/08 17:42:24 1.7 +++ compat.h 2000/06/20 01:39:40 1.9 
@@ -40,6 +40,7 @@ #define SSH_BUG_PUBKEYAUTH 0x02 #define SSH_BUG_HMAC 0x04 #define SSH_BUG_X11FWD 0x08 +#define SSH_COMPAT_SESSIONID_ENCODING 0x10 void enable_compat13(void); void enable_compat20(void); Index: sshconnect2.c =================================================================== RCS file: /home/markus/cvs/ssh/sshconnect2.c,v retrieving revision 1.13 retrieving revision 1.14 diff -IRCSID -u -r1.13 -r1.14 --- sshconnect2.c 2000/06/02 02:00:19 1.13 +++ sshconnect2.c 2000/06/19 00:50:11 1.14 @@ -295,6 +295,7 @@ unsigned char *blob, *signature; int bloblen, slen; struct stat st; + int skip = 0; if (stat(filename, &st) != 0) { debug("key does not exist: %s", filename); @@ -321,7 +322,13 @@ /* data to be signed */ buffer_init(&b); - buffer_append(&b, session_id2, session_id2_len); + if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) { + buffer_put_string(&b, session_id2, session_id2_len); + skip = buffer_len(&b); + } else { + buffer_append(&b, session_id2, session_id2_len); + skip = session_id2_len; + } buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); buffer_put_cstring(&b, server_user); buffer_put_cstring(&b, @@ -357,9 +364,9 @@ xfree(signature); /* skip session id and packet type */ - if (buffer_len(&b) < session_id2_len + 1) + if (buffer_len(&b) < skip + 1) fatal("ssh2_try_pubkey: internal error"); - buffer_consume(&b, session_id2_len + 1); + buffer_consume(&b, skip + 1); /* put remaining data from buffer into packet */ packet_start(SSH2_MSG_USERAUTH_REQUEST); -------------- next part -------------- Index: kex.c =================================================================== RCS file: /home/markus/cvs/ssh/kex.c,v retrieving revision 1.8 diff -u -r1.8 kex.c --- kex.c 2000/06/20 01:39:41 1.8 +++ kex.c 2000/06/22 00:47:37 
@@ -360,11 +360,17 @@ mac->md = EVP_sha1(); } else if (strcmp(name, "hmac-ripemd160 at openssh.com") == 0) { mac->md = EVP_ripemd160(); + } else if (strcmp(name, "hmac-md5-96") == 0) { + mac->md = EVP_md5(); + } else if (strcmp(name, "hmac-sha-96") == 0) { + mac->md = EVP_sha1(); } else { fatal("unsupported mac %s", name); } mac->name = name; mac->mac_len = mac->md->md_size; + if (strstr(name, "-96") == 0 && mac->mac_len > 96) + mac->mac_len = 96/8; mac->key_len = (datafellows & SSH_BUG_HMAC) ? 16 : mac->mac_len; mac->key = NULL; mac->enabled = 0; From gem at rellim.com Thu Jun 22 11:37:43 2000 
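Review bot: In the kex.c hunk, the truncation test `if (strstr(name, "-96") == 0 && mac->mac_len > 96)` is both inverted and dead: strstr() returns NULL (== 0) when "-96" is absent, so the condition selects hmac-sha1/hmac-md5 rather than the -96 variants, and mac_len is md_size in bytes (16 or 20), which is never greater than 96, so the branch never fires and hmac-md5-96 and the new "hmac-sha-96" entry (the draft names it hmac-sha1-96) still emit full-length tags. The intended test is `strstr(name, "-96") != NULL && mac->mac_len > 96/8`. Once it does fire, the following line `mac->key_len = (datafellows & SSH_BUG_HMAC) ? 16 : mac->mac_len;` would derive a 12-byte integrity key from the truncated tag length, whereas the -96 variants keep the full digest-size key; set key_len from mac->md->md_size before truncating mac_len.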
From: gem at rellim.com (Gary E. Miller)
Date: Wed, 21 Jun 2000 18:37:43 -0700 (PDT)
Subject: SSH 2.2.0
In-Reply-To: <20000622024807.A21180@folly.conference.usenix.org>
Message-ID:

Yo Markus!

A quick check shows that it looks OK. I tried all four possible MAC types. hmac-md5 and hmac-sha1 both now work fine.

Nice work, thanks!

RGDS
GARY

On Thu, 22 Jun 2000, Markus Friedl wrote:

> On Wed, Jun 21, 2000 at 03:21:23PM -0700, Gary E. Miller wrote:
> > Yo All!
> >
> > I have been playing with SSH 2.2.0 from www.ssh.com. I can not
> > connect to openssh 2.2.1p1 using Ver 2 protocol from ssh Ver 2.2.0.
> > Ver 1 works fine.
> >
> > See below for the debug output from both ends
> >
> > If I force hmac-md5 (-m hmac-md5) from the sender it works!
> > The other 3 choices fail: hmac-sha1; hmac-md5-96; and none.
> >
> > I have no problem connecting to this openssh host (hobbes) from
> > SecureCRT Ver 3.1b2 or SSH V 2.0.13.
> >
> > I also have no problem connecting from SecureCRT 3.1b2 to ssh 2.2.0
> > (after I select "Standard Server" on the client end).
> >
> > Any ideas?
>
> i don't agree with what ssh.com uses as authkey size for hmac-sha1.
> hmac-md5-96 is not implemented by openssh.
>
> try the attached patches.
>
> -markus
>

---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From jmknoble at pint-stowp.cx Thu Jun 22 13:13:08 2000
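The key-size disagreement Markus describes, and the "Corrupted HMAC on input" / "Message authentication check fails" disconnects in Gary's logs, modelled as an added example that is not part of this thread and not OpenSSH or ssh.com code: it computes the SSH2 packet MAC over seqno || packet and shows that a peer using a 16-byte integrity key for hmac-sha1 cannot interoperate with one using the 20-byte key, while hmac-md5 (16-byte key either way) still verifies. The key expansion is a simplified stand-in for the real derivation, and every secret, session id and packet is a constructed sample value.

```python
import hashlib
import hmac
import struct

# Constructed model, not OpenSSH or ssh.com code. The SSH2 transport MAC is
# HMAC(key, uint32 sequence_number || unencrypted_packet); the "-96" variants
# truncate the tag to 96 bits but keep the full-size key.

# name -> (digest, tag length in bytes, integrity key length in bytes)
MAC_ALGS = {
    "hmac-sha1":    ("sha1", 20, 20),
    "hmac-sha1-96": ("sha1", 12, 20),
    "hmac-md5":     ("md5", 16, 16),
    "hmac-md5-96":  ("md5", 12, 16),
}


def integrity_key_len(name, bug_hmac=False):
    """Key length a peer derives. bug_hmac models an implementation that
    always uses a 16-byte integrity key regardless of digest (the behaviour
    OpenSSH's SSH_BUG_HMAC compat flag exists for)."""
    return 16 if bug_hmac else MAC_ALGS[name][2]


def derive_integrity_key(shared_secret, session_id, key_len):
    """Simplified stand-in (assumption, not the draft's exact formula) for the
    K || H || 'E' || session_id expansion: hash, extend, take key_len bytes.
    Peers that agree on everything except key_len get keys whose tails differ."""
    material = b""
    block = hashlib.sha1(shared_secret + b"E" + session_id).digest()
    while len(material) < key_len:
        material += block
        block = hashlib.sha1(shared_secret + block).digest()
    return material[:key_len]


def compute_mac(name, key, seqno, packet):
    """MAC over the 32-bit sequence number followed by the packet."""
    digest, tag_len, _ = MAC_ALGS[name]
    data = struct.pack(">I", seqno) + packet
    return hmac.new(key, data, digest).digest()[:tag_len]


def verify_mac(name, key, seqno, packet, tag):
    """Constant-time comparison; a wrong key or sequence number fails."""
    return hmac.compare_digest(compute_mac(name, key, seqno, packet), tag)


def interop(name, sender_bug_hmac, receiver_bug_hmac):
    """True if a packet MACed by the sender verifies at the receiver when each
    side derives its integrity key with its own idea of the key length."""
    secret = b"constructed-shared-secret-K"       # constructed sample value
    session_id = b"constructed-session-id-H"      # constructed sample value
    packet = b"\x00\x00\x00\x0c\x05hello\x00\x00\x00\x00\x00"  # constructed
    seqno = 3
    k_send = derive_integrity_key(
        secret, session_id, integrity_key_len(name, sender_bug_hmac))
    k_recv = derive_integrity_key(
        secret, session_id, integrity_key_len(name, receiver_bug_hmac))
    tag = compute_mac(name, k_send, seqno, packet)
    return verify_mac(name, k_recv, seqno, packet, tag)


if __name__ == "__main__":
    # A 16-byte-key sender against a draft-conformant receiver: only the md5
    # variants, whose key is 16 bytes anyway, still verify.
    for alg in MAC_ALGS:
        ok = interop(alg, sender_bug_hmac=True, receiver_bug_hmac=False)
        print(f"{alg:13s} {'ok' if ok else 'MAC failure'}")
```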
From: jmknoble at pint-stowp.cx (Jim Knoble)
Date: Wed, 21 Jun 2000 23:13:08 -0400
Subject: X clients die after a while
In-Reply-To: <87og4ur34k.fsf@potato.hanchrow.org>
References: <87og4ur34k.fsf@potato.hanchrow.org>
Message-ID: <20000621231308.B11773@quipu.half.pint-stowp.cx>

Is the home machine on a dialup connection? Is the connection going down and then back up?

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

Circa 2000-Jun-21 17:06:03 -0700 Eric Hanchrow wrote:

: The following message is a courtesy copy of an article
: that has been posted to comp.security.ssh as well.
:
: I have sshd (from openssh 1.2.3) running on my home machine (Debian
: GNU/Linux 2.2), and when I'm at work I like to start an Emacs like
: this:
:
: ssh -f -l offby1 my.home.machine.net emacs
:
: (At work I use ssh 1.2.27 from http://www.cs.hut.fi/ssh on RedHat
: 6.2.)
:
: This works fine, except: often, after iconifying Emacs and then not
: using it for a while (an hour or two), I will restore it, and it will
: then vanish. At the shell prompt from which I started the ssh client,
: I will see a message that says `read from my.home.machine.net:
: connection reset by peer'. There will be no log message on the server
: machine to indicate what went wrong.
:
: I've tried restarting the daemon with the line `KeepAlive no' in
: /etc/ssh/sshd_config, but that made no difference.
:
: I haven't yet tried running the daemon with debugging turned on.
: Until I do that, though, can anyone suggest why this might be
: happening?

From Chiaki.Ishikawa at personal-media.co.jp Thu Jun 22 19:34:43 2000
From: Chiaki.Ishikawa at personal-media.co.jp (Chiaki Ishikawa)
Date: Thu, 22 Jun 2000 18:34:43 +0900 (JST)
Subject: Probs with Solaris 2.6
In-Reply-To: <200006220046.KAA11656@chunga.apana.org.au> (davo@chunga.apana.org.au)
Message-ID: <200006220934.SAA07150@sparc18.personal-media.co.jp>
X-PMC-CI-e-mail-id: 13125

>This dropped my session of course, big deal I thought, but the
>host dropped to single user mode and stopped accepting
>connections. This leads me to suspect that events on a
>redirected session inside an ssh session, can effect the health
>of the box the client is run on..

This sounds to me like a

	kill (-1, whatever)

is executed by mistake on the host. (Yeah, this sounds like a bug.)

Maybe the first argument to kill was supposed to be a process ID, but the process id was somehow -1 (because the value was returned by a failed system call since such process was not found, etc..).

From man kill:

> If pid is -1 and the effective user ID of the sender is
> super-user, the signal is sent to all processes except sys-
> tem processes, process 1, and the process sending the sig-
> nal.

process 1 is usually init.

Hence I suspect that the sshd running with effective ID of superuser was invoking kill() for process ID, -1, by mistake.

--
Ishikawa, Chiaki ishikawa at personal-media.co.jp.NoSpam or
(family name, given name) Chiaki.Ishikawa at personal-media.co.jp.NoSpam
Personal Media Corp. ** Remove .NoSpam at the end before use **
Shinagawa, Tokyo, Japan 142-0051

From djm at mindrot.org Thu Jun 22 20:40:26 2000
From: djm at mindrot.org (Damien Miller) Date: Thu, 22 Jun 2000 20:40:26 +1000 (EST) Subject: Probs with Solaris 2.6 In-Reply-To: <200006220934.SAA07150@sparc18.personal-media.co.jp> Message-ID: On Thu, 22 Jun 2000, Chiaki Ishikawa wrote: > X-PMC-CI-e-mail-id: 13125 > > >This dropped my session of course, big deal I thought, but the > >host dropped to single user mode and stopped accepting > >connections. This leads me to suspect that events on a > >redirected session inside an ssh session, can effect the health > >of the box the client is run on.. > > This sounds to me a > > kill (-1, whatever) > > is executed by mistake on the host. > (Yeah, this sounds like a bug.) Can you try this patch and keep an eye out for errors of the form "session_close_by_channel: Unsafe s->pid = XXX" in your logs? Regards, Damien Miller diff -u -r1.18 session.c --- session.c 2000/06/18 04:50:44 1.18 +++ session.c 2000/06/22 10:33:08 @@ -1608,7 +1608,9 @@ session_close(s); } else { /* notify child, delay session cleanup */ - if (kill(s->pid, (s->ttyfd == -1) ? SIGTERM : SIGHUP) < 0) + if (s->pid <= 1) + error("session_close_by_channel: Unsafe s->pid = %d", s->pid); + else if (kill(s->pid, (s->ttyfd == -1) ? SIGTERM : SIGHUP) < 0) error("session_close_by_channel: kill %d: %s", s->pid, strerror(errno)); } -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Thu Jun 22 20:43:02 2000 
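Review bot: in the new `s->pid <= 1` branch the session is logged but never cleaned up: the sibling path calls session_close(s) and the old path at least signalled the child, so a session that reaches this error() is simply leaked. Consider calling session_close(s) after the error() (there is no child to notify in that case). The guard itself is sound: -1 is what a failed fork() returns, and from a superuser sshd kill(-1, ...) signals every process on the box; 0 would hit sshd's own process group and 1 is init, which fits the report of the host dropping to single-user mode.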
From: djm at mindrot.org (Damien Miller)
Date: Thu, 22 Jun 2000 20:43:02 +1000 (EST)
Subject: X clients die after a while
In-Reply-To: <87og4ur34k.fsf@potato.hanchrow.org>
References: <87og4ur34k.fsf@potato.hanchrow.org>
Message-ID:

On 21 Jun 2000, Eric Hanchrow wrote:

> The following message is a courtesy copy of an article
> that has been posted to comp.security.ssh as well.
>
> I have sshd (from openssh 1.2.3) running on my home machine (Debian
> GNU/Linux 2.2), and when I'm at work I like to start an Emacs like
> this:
>
>     ssh -f -l offby1 my.home.machine.net emacs
>
> (At work I use ssh 1.2.27 from http://www.cs.hut.fi/ssh on RedHat
> 6.2.)
>
> This works fine, except: often, after iconifying Emacs and then not
> using it for a while (an hour or two), I will restore it, and it will
> then vanish. At the shell prompt from which I started the ssh client,
> I will see a message that says `read from my.home.machine.net:
> connection reset by peer'. There will be no log message on the server
> machine to indicate what went wrong.

Are you behind a masquerading or otherwise stateful firewall? There are often implicit timeouts which can clobber long-running but quiescent TCP connections.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Thu Jun 22 20:55:34 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 22 Jun 2000 20:55:34 +1000 (EST)
Subject: make install
In-Reply-To:
Message-ID:

On Wed, 21 Jun 2000, Gary E. Miller wrote:

> Yo Paul!
>
> The config yes, the keys, no. I still have to manually generate
> and install the keys.

Done. Try the below patch:

===================================================================
RCS file: /var/cvs/openssh/Makefile.in,v
retrieving revision 1.87
diff -u -r1.87 Makefile.in
--- Makefile.in	2000/06/18 05:43:25	1.87
+++ Makefile.in	2000/06/22 10:55:24
@@ -112,7 +112,9 @@ >$${f%%.[18]}.0 ; \ done -install: manpages $(TARGETS) +install: manpages $(TARGETS) install-files host-key + +install-files: ./mkinstalldirs $(DESTDIR)$(bindir) ./mkinstalldirs $(DESTDIR)$(sbindir) ./mkinstalldirs $(DESTDIR)$(mandir) @@ -134,7 +136,6 @@ ln -s ssh $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 - if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config -a ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \ ./mkinstalldirs $(DESTDIR)$(sysconfdir); \ $(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \ @@ -146,6 +147,18 @@ fi host-key: ssh-keygen + if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \ + echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \ + else \ + ./ssh-keygen -b 1024 -f $(sysconfdir)/ssh_host_key -N "" ; \ + fi ; \ + if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \ + echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \ + else \ + ./ssh-keygen -d -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \ + fi ; + +host-key-force: ssh-keygen ./ssh-keygen -b 1024 -f $(sysconfdir)/ssh_host_key -N "" ./ssh-keygen -d -f $(sysconfdir)/ssh_host_dsa_key -N "" -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From djm at mindrot.org Thu Jun 22 21:03:06 2000 
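Review bot: the host-key recipe tests and writes `$(sysconfdir)/ssh_host_key` and `$(sysconfdir)/ssh_host_dsa_key`, while the install-files hunk uses `$(DESTDIR)$(sysconfdir)` for ssh_config and sshd_config; since `install` now depends on `host-key`, a staged build (`make DESTDIR=... install`) will generate, or skip because of, keys in the live $(sysconfdir) rather than in the staging tree. Use the same `$(DESTDIR)$(sysconfdir)` prefix in both `-f` tests and both key paths, or keep host-key out of `install` when DESTDIR is set. Minor: the first `-f` test is quoted (`"$(sysconfdir)/ssh_host_key"`) and the second is not; quote both.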
From: djm at mindrot.org (Damien Miller)
Date: Thu, 22 Jun 2000 21:03:06 +1000 (EST)
Subject: PATCH: login reporting (utmp?) problem on Linux
In-Reply-To:
Message-ID:

On Wed, 21 Jun 2000, Garrick James wrote:

> Damien, is there any way I can get my patch tested on other non-Linux
> systems and rolled into the official distribution?

This is already in my tree. Can you try the tarball at:

http://www.mindrot.org/misc/junk/openssh-SNAP-2000062200.tar.gz

Regards,
Damien Miller

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From Steve.Marquess at DET.AMEDD.ARMY.MIL Thu Jun 22 21:57:03 2000
From: Steve.Marquess at DET.AMEDD.ARMY.MIL (Marquess, Steve Mr JMLFDC) Date: Thu, 22 Jun 2000 07:57:03 -0400 Subject: Timing bug patch and x509 question. Message-ID: First the bug: I've found a timing problem in 2.1.1p1 at the point where the client version string is read, a core dump with a "Did not receive ident string..." error. This problem does not appear to have been mentioned yet in the list archive. This bug was noted on HP-UX 11.0 but could be a problem on other Unices as well. My Q&D fix (patch below) was to spin on EWOULDBLOCK (the BSDism seen on HP-UX) or EAGAIN. In testing I see from 2 to 4 iterations before the first byte arrives. Now the question: Does anyone know of any plans to add a x.509 certificate capability to openssh? For political reasons only x.509 based crypto will be usable in my environment. We have used ssh heavily for some time and I'm thinking that adapting ssh for x.509 might be easier than switching the whole enterprise to another product. The commercial ssh now has a "x.509 toolkit", whatever that is, and openssh already references openssl. The patch: *** sshd.c Mon May 29 23:44:54 2000 --- /tmp/sshd.c Wed Jun 21 15:08:54 2000 *************** *** 297,302 **** --- 297,307 ---- /* Read other side\'s version identification. */ for (i = 0; i < sizeof(buf) - 1; i++) { if (read(sock_in, &buf[i], 1) != 1) { + debug("version id %.100s, %d", strerror(errno), i); + if ((errno == EWOULDBLOCK) || (errno == EAGAIN)) { + i--; + continue; + } log("Did not receive ident string from %s.", get_remote_ipaddr()); fatal_cleanup(); } ---------------------------------------------------------------------------- -------- Steve Marquess 301-663-1770 x238 / 301-619-3933 voice DMLSS Technical Manager DSN 343-3933 JMLFDC 301-663-6788 / 301-619-7831 fax 623 Porter Street steve.marquess at amedd.army.mil Ft. Detrick, MD 21702-5018 From davo at chunga.apana.org.au Thu Jun 22 22:14:20 2000 
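Review bot: spinning on EWOULDBLOCK/EAGAIN with `i--; continue;` turns a non-blocking descriptor into a busy-wait with no delay and no bound, so a peer that connects and then sends nothing keeps this sshd child at 100% CPU for as long as it stays connected, and the debug() on every failed read will flood the log at that level. Prefer waiting in select()/poll() on sock_in (with a timeout) before each read, or clear O_NONBLOCK on sock_in before the loop and find out where the non-blocking flag is being inherited from. The `i--` also relies on `i` being signed: if `i` ever becomes a size_t, the decrement at i == 0 wraps.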
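A bounded alternative to spinning on EAGAIN for the byte-at-a-time ident-string read, as an added example (my code, not the patch above and not OpenSSH's): wait in poll() for readability under an overall deadline, so a peer that sends nothing costs neither CPU time nor an unbounded wait. read_ident_line(), demo_read() and the socketpair harness are my own constructions.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

enum { IDENT_OK = 0, IDENT_TIMEOUT = -1, IDENT_EOF = -2,
       IDENT_ERROR = -3, IDENT_TOOLONG = -4 };

static long
millis_now(void)
{
	struct timeval tv;
	gettimeofday(&tv, NULL);
	return tv.tv_sec * 1000L + tv.tv_usec / 1000;
}

/*
 * Read one line (through '\n', at most buflen-1 bytes) from fd one byte
 * at a time, as sshd does for the version identification.  When a
 * non-blocking descriptor has nothing yet, wait in poll() instead of
 * retrying in a tight loop, and give up once timeout_ms has elapsed in
 * total, so a peer that connects and sends nothing costs neither CPU
 * time nor an unbounded wait.  NUL-terminates buf on success.
 */
int
read_ident_line(int fd, char *buf, size_t buflen, int timeout_ms)
{
	struct pollfd pfd = { .fd = fd, .events = POLLIN };
	long deadline = millis_now() + timeout_ms;
	size_t i = 0;

	if (buflen < 2)
		return IDENT_ERROR;
	while (i < buflen - 1) {
		long remaining = deadline - millis_now();
		if (remaining <= 0)
			return IDENT_TIMEOUT;
		int ready = poll(&pfd, 1, (int)remaining);
		if (ready == 0)
			return IDENT_TIMEOUT;
		if (ready == -1) {
			if (errno == EINTR)
				continue;
			return IDENT_ERROR;
		}
		ssize_t n = read(fd, &buf[i], 1);
		if (n == 1) {
			if (buf[i++] == '\n')
				break;
		} else if (n == 0) {
			return IDENT_EOF;	/* peer closed the connection */
		} else if (errno != EAGAIN && errno != EWOULDBLOCK &&
		    errno != EINTR) {	/* EAGAIN/EINTR: just re-poll */
			return IDENT_ERROR;
		}
	}
	if (i == buflen - 1 && buf[i - 1] != '\n')
		return IDENT_TOOLONG;
	buf[i] = '\0';
	return IDENT_OK;
}

/*
 * Constructed harness: pushes `input` into a socketpair whose reading end
 * is non-blocking, optionally closes the writer, runs read_ident_line()
 * and keeps the line for demo_last_line().
 */
static char demo_line[256];

int
demo_read(const char *input, int close_writer, size_t buflen, int timeout_ms)
{
	int sv[2], rc;

	if (buflen > sizeof(demo_line) ||
	    socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
		return IDENT_ERROR;
	fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);
	if (*input) {
		ssize_t w = write(sv[1], input, strlen(input));
		(void)w;
	}
	if (close_writer)
		close(sv[1]);
	memset(demo_line, 0, sizeof(demo_line));
	rc = read_ident_line(sv[0], demo_line, buflen, timeout_ms);
	close(sv[0]);
	if (!close_writer)
		close(sv[1]);
	return rc;
}

const char *demo_last_line(void) { return demo_line; }
```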
From: davo at chunga.apana.org.au (Dave Edwards)
Date: Thu, 22 Jun 2000 21:44:20 +0930 (CST)
Subject: Probs with Solaris 2.6
In-Reply-To: <200006220934.SAA07150@sparc18.personal-media.co.jp> from Chiaki Ishikawa at "Jun 22, 2000 06:34:43 pm"
Message-ID: <200006221214.VAA30625@chunga.apana.org.au>

'Chiaki Ishikawa scribbled..'
> >This dropped my session of course, big deal I thought, but the
> >host dropped to single user mode and stopped accepting
> >connections. This leads me to suspect that events on a
> >redirected session inside an ssh session, can affect the health
> >of the box the client is run on..
>
> This sounds to me like a
>
>     kill (-1, whatever)

You got it in one! Sorry folks, I'm wiping egg off my face here.

There was another script running (perl) as root that depended on the port redirection and it was doing a kill -HUP $pid when it lost its TCP connection. Unfortunately, $pid was gotten from a wait() and I wasn't checking the return value..

We still have a problem with the same host rebooting at random, but I can't recreate this on the test bench though, so it's probably just coincident with a hardware problem.

Thanks for the help.

ciao
dave
--
Dave Edwards davo at chunga.apana.org.au || davo at sa.apana.org.au
Adelaide, South Australia
----

From Thanh.Ma at casi-rusco.com Fri Jun 23 07:07:41 2000
From: Thanh.Ma at casi-rusco.com (Thanh Ma)
Date: Thu, 22 Jun 2000 17:07:41 -0400
Subject: configure problem on UnixWare 7.1.1
Message-ID: <9B6977074BA8D311B3B30090279C703B766C6A@bctexc10.casi-rusco.com>

I tried again on another 7.1.0 and 7.1.1 and it compiled fine. Still not sure what was wrong with the original 7.1.1 machine.

Thanh

> -----Original Message-----
> From: Thanh Ma [mailto:Thanh.Ma at casi-rusco.com] > Sent: Monday, June 19, 2000 3:57 PM > To: 'openssh-unix-dev at mindrot.org' > Subject: configure problem on UnixWare 7.1.1 > > > Anyone can locate what was wrong with the below problem on > UnixWare 7.1.1 ? > The file rand.h was finally found in one of the tests but > configure still > failed with > > ... > checking for getpagesize... yes > checking for OpenSSL directory... configure: error: Could not > find working > SSLeay / OpenSSL libraries, please install > > Thanh > > configure:2302: gcc -o conftest -g -O2 -Wall -I/usr/local/include > -L/usr/local/lib conftest.c -lsocket -lnsl -lz -lgen -lsocket 1>&5 > configure:2543: checking for OpenSSL directory > configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include > -L/usr/local/lib conftest.c -lsocket -lnsl -lz -lgen > -lsocket -lcrypto 1>&5 > configure:2571: openssl/rand.h: No such file or directory > configure: failed program was: > #line 2568 "configure" > #include "confdefs.h" > > #include > #include > int main(void) > { > char a[2048]; > memset(a, 0, sizeof(a)); > RAND_add(a, sizeof(a), sizeof(a)); > return(RAND_status() <= 0); > } > > configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include > -I/usr/local/openssl/include -L/usr/local/lib > -L/usr/local/openssl/lib > -L/usr/local/openssl conftest.c -lsocket -lnsl -lz -lgen > -lsocket -lcrypto > 1>&5 > configure:2571: openssl/rand.h: No such file or directory > configure: failed program was: > #line 2568 "configure" > #include "confdefs.h" > > #include > #include > int main(void) > { > char a[2048]; > memset(a, 0, sizeof(a)); > RAND_add(a, sizeof(a), sizeof(a)); > return(RAND_status() <= 0); > } > > configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include > -I/usr/lib/openssl/include -L/usr/local/lib -L/usr/lib/openssl/lib > -L/usr/lib/openssl conftest.c -lsocket -lnsl -lz -lgen > -lsocket -lcrypto > 1>&5 > configure:2571: openssl/rand.h: No such file or directory > configure: 
failed program was: > #line 2568 "configure" > #include "confdefs.h" > > #include > #include > int main(void) > { > char a[2048]; > memset(a, 0, sizeof(a)); > RAND_add(a, sizeof(a), sizeof(a)); > return(RAND_status() <= 0); > } > > configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include > -I/usr/local/ssl/include -L/usr/local/lib -L/usr/local/ssl/lib > -L/usr/local/ssl conftest.c -lsocket -lnsl -lz -lgen > -lsocket -lcrypto 1>&5 > configure: failed program was: > #line 2568 "configure" > #include "confdefs.h" > > #include > #include > int main(void) > { > char a[2048]; > memset(a, 0, sizeof(a)); > RAND_add(a, sizeof(a), sizeof(a)); > return(RAND_status() <= 0); > } > > configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include > -I/usr/lib/ssl/include -L/usr/local/lib -L/usr/lib/ssl/lib > -L/usr/lib/ssl > conftest.c -lsocket -lnsl -lz -lgen -lsocket -lcrypto 1>&5 > configure:2571: openssl/rand.h: No such file or directory > configure: failed program was: > #line 2568 "configure" > #include "confdefs.h" > > #include > #include > int main(void) > { > char a[2048]; > memset(a, 0, sizeof(a)); > RAND_add(a, sizeof(a), sizeof(a)); > return(RAND_status() <= 0); > } > > configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include > -I/usr/local/include -L/usr/local/lib -L/usr/local/lib -L/usr/local > conftest.c -lsocket -lnsl -lz -lgen -lsocket -lcrypto 1>&5 > configure:2571: openssl/rand.h: No such file or directory > configure: failed program was: > #line 2568 "configure" > #include "confdefs.h" > > #include > #include > int main(void) > { > char a[2048]; > memset(a, 0, sizeof(a)); > RAND_add(a, sizeof(a), sizeof(a)); > return(RAND_status() <= 0); > } > > configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include > -I/usr/pkg/include -L/usr/local/lib -L/usr/pkg/lib > -L/usr/pkg conftest.c > -lsocket -lnsl -lz -lgen -lsocket -lcrypto 1>&5 > configure:2571: openssl/rand.h: No such file or directory > configure: failed program was: > #line 2568 
"configure" > #include "confdefs.h" > > #include > #include > int main(void) > { > char a[2048]; > memset(a, 0, sizeof(a)); > RAND_add(a, sizeof(a), sizeof(a)); > return(RAND_status() <= 0); > } > > configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include > -I/opt/include -L/usr/local/lib -L/opt/lib -L/opt > conftest.c -lsocket > -lnsl -lz -lgen -lsocket -lcrypto 1>&5 > configure:2571: openssl/rand.h: No such file or directory > configure: failed program was: > #line 2568 "configure" > #include "confdefs.h" > > #include > #include > int main(void) > { > char a[2048]; > memset(a, 0, sizeof(a)); > RAND_add(a, sizeof(a), sizeof(a)); > return(RAND_status() <= 0); > } > > configure:2582: gcc -o conftest -g -O2 -Wall -I/usr/local/include > -I/opt/openssl/include -L/usr/local/lib -L/opt/openssl/lib > -L/opt/openssl > conftest.c -lsocket -lnsl -lz -lgen -lsocket -lcrypto 1>&5 > configure:2571: openssl/rand.h: No such file or directory > configure: failed program was: > #line 2568 "configure" > #include "confdefs.h" > > #include > #include > int main(void) > { > char a[2048]; > memset(a, 0, sizeof(a)); > RAND_add(a, sizeof(a), sizeof(a)); > return(RAND_status() <= 0); > } > > > > > From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Jun 23 19:15:15 2000 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Fri, 23 Jun 2000 11:15:15 +0200
Subject: Critical EGD handling in 2.1.1p1
In-Reply-To: <20000621120346.A13164@ws01.aet.tu-cottbus.de>; from jaenicke@ws01.aet.tu-cottbus.de on Wed, Jun 21, 2000 at 12:03:46PM +0200
References: <20000620160352.A10742@ws01.aet.tu-cottbus.de> <20000621120346.A13164@ws01.aet.tu-cottbus.de>
Message-ID: <20000623111515.A13502@serv01.aet.tu-cottbus.de>

On Wed, Jun 21, 2000 at 12:03:46PM +0200, Lutz Jaenicke wrote:
> I am not completely happy with it. If it finds that the EGD connection
> has been dropped, it tries to reconnect, that is a good one, but:
> - If EGD is down at this point for any reason whatsoever, the sshd server
>   will die, even though enough entropy might have been collected over time.
>   * This is especially bad, as without EGD you cannot even fire off an
>     "emergency" sshd on another port from inetd. Hence you cannot recover
>     this problem from remote (without using the root password over telnet).
>
> Hence, I have "reworked" your patch a bit :-)
>
> Best regards,
> Lutz
> PS. I have sshd dying very often by now, it just services the first request
> and once the connection is closed, the server process dies, too....

Following up to my own posting...

By now I have tracked down my problems a bit more, and I have found another problem: when the connection is closed from the EGD side, the read()/write() operations may fail with SIGPIPE, which kills sshd without even having the possibility to check the return values :-(

I have hence now added a sigaction sequence around the EGD communication to prevent this from happening. I have left in my other change to not consider EGD problems fatal when enough entropy to seed the PRNG has already been collected.

With respect to the "EGD-down problem": entropy.c by now is structured to only include one of the alternative PRNG-seeding methods: EGD _or_ /dev/urandom _or_ builtin. I would consider it better to have builtin always available (/dev/urandom should be reliable anyway), so that when EGD fails, the builtin seeder is called automatically. Otherwise an EGD failure will prevent even the start of an emergency sshd from inetd...

[Background: I am playing around with my own "prngd" which replaces EGD and rather emulates an "urandom" device (non-blocking, never drained) by having an internal openssl-PRNG that is continuously reseeded and can save seed on close and initialize itself from the seed-file on restart. Hence I have slightly different behaviour of my daemon and a lot of restarts...]

Best regards,
Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
-------------- next part --------------
--- entropy.c.orig	Wed Jun  7 14:20:23 2000
+++ entropy.c	Fri Jun 23 10:59:50 2000
@@ -63,42 +63,101 @@ { static int egd_socket = -1; int c; + int egd_error; + int enough_entropy; char egd_message[2] = { 0x02, 0x00 }; struct sockaddr_un addr; + struct sigaction sa, osa; int addr_len; + egd_error = 0; + + enough_entropy = RAND_status(); + + /* + * When we are losing the connection to EGD, we might receive a + * SIGPIPE when trying to write to or read from the socket. This + * SIGPIPE should be ignored and the respective error code returned + * by read()/write(), so we change the SIGPIPE handling during + * EGD connections. + */ + memset(&sa, 0, sizeof(sa)); + sa.sa_handler = SIG_IGN; + (void) sigaction(SIGPIPE, &sa, &osa); + +retry: + memset(&addr, '\0', sizeof(addr)); addr.sun_family = AF_UNIX; - - /* FIXME: compile time check? */ + if (sizeof(EGD_SOCKET) > sizeof(addr.sun_path)) fatal("Random pool path is too long"); - + strlcpy(addr.sun_path, EGD_SOCKET, sizeof(addr.sun_path)); - + addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(EGD_SOCKET); - + if (egd_socket == -1) { egd_socket = socket(AF_UNIX, SOCK_STREAM, 0); - if (egd_socket == -1) - fatal("Couldn't create AF_UNIX socket: %s", strerror(errno)); - if (connect(egd_socket, (struct sockaddr*)&addr, addr_len) == -1) - fatal("Couldn't connect to EGD socket \"%s\": %s", addr.sun_path, strerror(errno)); + if (egd_socket == -1) { + if (!enough_entropy) + fatal("Couldn't create AF_UNIX socket: %s", strerror(errno)); + else + error("Couldn't create AF_UNIX socket: %s", strerror(errno)); + } + if (connect(egd_socket, (struct sockaddr*)&addr, addr_len) == -1) { + if (!enough_entropy) + fatal("Couldn't connect to EGD socket \"%s\": %s", addr.sun_path, strerror(errno)); + else + error("Couldn't connect to EGD socket \"%s\": %s", addr.sun_path, strerror(errno)); + } } if (len > 255) fatal("Too many bytes to read from EGD"); - + /* Send blocking read request to EGD */ egd_message[1] = len; c = atomicio(write, egd_socket, egd_message, sizeof(egd_message)); - if (c == -1) - fatal("Couldn't write 
to EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); + if (c == -1) { + if (egd_error) { + if (!enough_entropy) + fatal("Couldn't write to EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); + else + error("Couldn't write to EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); + } else { + egd_error = 1; + close(egd_socket); + egd_socket = -1; + error("Couldn't write to EGD socket \"%s\": %s", + EGD_SOCKET, strerror(errno)); + goto retry; + } + } c = atomicio(read, egd_socket, buf, len); - if (c <= 0) - fatal("Couldn't read from EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); + if (c == -1) { + if (egd_error) { + if (!enough_entropy) + fatal("Couldn't read from EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); + else + error("Couldn't read from EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); + } else { + egd_error = 1; + close(egd_socket); + egd_socket = -1; + error("Couldn't read from EGD socket \"%s\": %s", + EGD_SOCKET, strerror(errno)); + goto retry; + } + } + + /* + * Restore the original signal response + */ + (void) sigaction(SIGPIPE, &osa, NULL); + } #else /* !EGD_SOCKET */ #ifdef RANDOM_POOL From phil at bolthole.com Sat Jun 24 05:44:15 2000 
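Review bot: the non-fatal paths return with `buf` unfilled and give the caller no way to tell. When `enough_entropy` is set, a failed socket() or connect() only logs error() and falls through, the following write and read on an `egd_socket` of -1 fail the same way (the second time round, after `goto retry`, also non-fatally), and the function returns void, so the caller goes on to RAND_add() uninitialised stack bytes with full entropy credit. Return a success flag, or the number of bytes actually obtained, so the caller can skip RAND_add(). Also, changing the read check from `c <= 0` to `c == -1` means an EOF from a closing EGD (c == 0) is treated as a successful read of `len` bytes; keep `c <= 0` there. The sigaction() around the exchange is the right fix for the SIGPIPE crash; the restore is skipped on the fatal() paths, which is fine since fatal() does not return.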
From: phil at bolthole.com (Philip Brown)
Date: Fri, 23 Jun 2000 12:44:15 -0700 (PDT)
Subject: problem with scp, and suggestion for fix
Message-ID: <200006231944.MAA02419@shell3.ba.best.com>

I recently built openssh 2.1.1p1, under Solaris.

I noticed that I had problems running scp. It seems that it could not find the executable on the remote end.

This was odd, because it existed in /usr/local/bin, publicly executable, and /usr/local/bin was in the users' normal PATH (exported, even).

So finally, I twiddled the source to make it call /usr/local/bin/scp, instead of just "scp".

When I ran a strings on scp, it seems you have done a semi-similar hardcode of the path to ssh. /usr/local/bin/ssh turns up as a string in scp. So please do the same thing for the full path to scp, as well.

From speno at isc.upenn.edu Sat Jun 24 08:10:39 2000
From: speno at isc.upenn.edu (John P Speno)
Date: Fri, 23 Jun 2000 18:10:39 -0400
Subject: problem with scp, and suggestion for fix
In-Reply-To: <200006231944.MAA02419@shell3.ba.best.com>; from phil@bolthole.com on Fri, Jun 23, 2000 at 12:44:15PM -0700
References: <200006231944.MAA02419@shell3.ba.best.com>
Message-ID: <20000623181039.M152429@isc.upenn.edu>

On Fri, Jun 23, 2000 at 12:44:15PM -0700, Philip Brown wrote:
> I recently built openssh 2.1.1p1, under Solaris.
>
> I noticed that I had problems running scp. It seems that it could not find
> the executable on the remote end.
>
> This was odd, because it existed in /usr/local/bin, publicly executable,
> and /usr/local/bin was in the users' normal PATH (exported, even).
>
> So finally, I twiddled the source to make it call /usr/local/bin/scp,
> instead of just "scp".

When you run configure, you can set the default path using:

./configure --with-default-path=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin

This is what I use, and it works fine for me. YMMV.

From djm at mindrot.org Sat Jun 24 09:47:29 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 24 Jun 2000 09:47:29 +1000 (EST)
Subject: problem with scp, and suggestion for fix
In-Reply-To: <200006231944.MAA02419@shell3.ba.best.com>
Message-ID:

On Fri, 23 Jun 2000, Philip Brown wrote:

> When I ran a strings on scp, it seems you have done a semi-similar
> hardcode of the path to ssh. /usr/local/bin/ssh turns up as a string
> in scp. So please do the same thing for the full path to scp, as
> well.

This is a FAQ. The paths to scp may be different on the client and the server, so hardcoding them on the client won't help. The solution is to use --with-default-path to include a path to scp on the server.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From emily at ubermachine.com Sat Jun 24 14:59:07 2000
From: emily at ubermachine.com (Emily Slocombe)
Date: Sat, 24 Jun 2000 00:59:07 -0400
Subject: problem with scp, and suggestion for fix
In-Reply-To: <200006231944.MAA02419@shell3.ba.best.com>; from phil@bolthole.com on Fri, Jun 23, 2000 at 12:44:15PM -0700
References: <200006231944.MAA02419@shell3.ba.best.com>
Message-ID: <20000624005907.A17059@ubermachine.com>

* Philip Brown [000623 15:57]:
|
|So finally, I twiddled the source to make it call /usr/local/bin/scp,
|instead of just "scp".

I was lazy and took care of the scp path by symlinking /usr/local/bin/scp to /bin/scp.

I did try to build it specifying the path first, but it did not seem to fix it. (portable open-ssh under slack 7+.)

-Emily

From rachit at ensim.com Sat Jun 24 15:22:54 2000
From: rachit at ensim.com (Rachit Siamwalla)
Date: Fri, 23 Jun 2000 22:22:54 -0700
Subject: problem with scp, and suggestion for fix
References: <200006231944.MAA02419@shell3.ba.best.com> <20000624005907.A17059@ubermachine.com>
Message-ID: <395445AE.57F2C6F8@ensim.com>

I had a similar problem with the /usr/bin vs. /usr/local/bin thing on my Solaris box a month ago -- I don't remember the configuration, etc. truss found the problem right away, so I did the lazy symlink thing as well and ignored the problem (although I should have reported it). I don't have access to a Solaris box right now, so I can't reproduce it.

-rchit

Emily Slocombe wrote:
>
> * Philip Brown [000623 15:57]:
> |
> |So finally, I twiddled the source to make it call /usr/local/bin/scp,
> |instead of just "scp".
>
> I was lazy and took care of the scp path by symlinking /usr/local/bin/scp to
> /bin/scp.
>
> I did try to build it specifying the path first, but it did not seem to fix
> it. (portable open-ssh under slack 7+.)
>
> -Emily

From djm at mindrot.org Mon Jun 26 11:33:10 2000
From: djm at mindrot.org (Damien Miller)
Date: Mon, 26 Jun 2000 11:33:10 +1000 (EST)
Subject: Critical EGD handling in 2.1.1p1
In-Reply-To: <20000623111515.A13502@serv01.aet.tu-cottbus.de>
Message-ID:

> [Background: I am playing around with my own "prngd" which replaces EGD
> and rather emulates an "urandom" device (non-blocking, never drained)
> by having an internal openssl-PRNG that is continuously reseeded and
> can save seed on close and initialize itself from the seed-file on restart.
> Hence I have slightly different behaviour of my daemon and a lot of restarts...]

You might be interested in Peter Gutmann's paper on entropy collection:

http://www.cs.auckland.ac.nz/~pgut001/pubs/random2.pdf

He analyses a few homegrown random collectors and presents a design for an improved one.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From djm at mindrot.org Mon Jun 26 13:46:26 2000
From: djm at mindrot.org (Damien Miller) Date: Mon, 26 Jun 2000 13:46:26 +1000 (EST) Subject: Critical EGD handling in 2.1.1p1 In-Reply-To: <20000623111515.A13502@serv01.aet.tu-cottbus.de> Message-ID: Attached is a diff against 2.1.1p1 which reworks the EGD handling code a bit. The new code no longer tries to keep an FD open to EGD, which avoids the problems caused by dying/restarting EGDs. It also handles EGD errors in the manner that you suggested, i.e EGD errors are only fatal if there is not enough entropy in OpenSSL's random pool. Comments? -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -------------- next part -------------- Index: entropy.c =================================================================== RCS file: /var/cvs/openssh/entropy.c,v retrieving revision 1.13 retrieving revision 1.15 diff -u -r1.13 -r1.15 --- entropy.c 2000/06/07 12:20:23 1.13 +++ entropy.c 2000/06/26 03:01:33 1.15 @@ -35,7 +35,7 @@ #include #include -RCSID("$Id: entropy.c,v 1.13 2000/06/07 12:20:23 djm Exp $"); +RCSID("$Id: entropy.c,v 1.15 2000/06/26 03:01:33 djm Exp $"); #ifndef offsetof # define offsetof(type, member) ((size_t) &((type *)0)->member) 
@@ -55,68 +55,94 @@ #define WHITESPACE " \t\n" +#ifndef RUSAGE_SELF +# define RUSAGE_SELF 0 +#endif +#ifndef RUSAGE_CHILDREN +# define RUSAGE_CHILDREN 0 +#endif + #if defined(EGD_SOCKET) || defined(RANDOM_POOL) #ifdef EGD_SOCKET /* Collect entropy from EGD */ -void get_random_bytes(unsigned char *buf, int len) +int get_random_bytes(unsigned char *buf, int len) { - static int egd_socket = -1; - int c; - char egd_message[2] = { 0x02, 0x00 }; + int fd; + char msg[2]; struct sockaddr_un addr; int addr_len; - memset(&addr, '\0', sizeof(addr)); - addr.sun_family = AF_UNIX; - - /* FIXME: compile time check? */ + /* Sanity checks */ if (sizeof(EGD_SOCKET) > sizeof(addr.sun_path)) fatal("Random pool path is too long"); - + if (len > 255) + fatal("Too many bytes to read from EGD"); + + memset(&addr, '\0', sizeof(addr)); + addr.sun_family = AF_UNIX; strlcpy(addr.sun_path, EGD_SOCKET, sizeof(addr.sun_path)); - addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(EGD_SOCKET); - if (egd_socket == -1) { - egd_socket = socket(AF_UNIX, SOCK_STREAM, 0); - if (egd_socket == -1) - fatal("Couldn't create AF_UNIX socket: %s", strerror(errno)); - if (connect(egd_socket, (struct sockaddr*)&addr, addr_len) == -1) - fatal("Couldn't connect to EGD socket \"%s\": %s", addr.sun_path, strerror(errno)); - } + fd = socket(AF_UNIX, SOCK_STREAM, 0); + if (fd == -1) { + error("Couldn't create AF_UNIX socket: %s", strerror(errno)); + return(0); + } - if (len > 255) - fatal("Too many bytes to read from EGD"); - + if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) { + error("Couldn't connect to EGD socket \"%s\": %s", + addr.sun_path, strerror(errno)); + close(fd); + return(0); + } + /* Send blocking read request to EGD */ - egd_message[1] = len; + msg[0] = 0x02; + msg[1] = len; - c = atomicio(write, egd_socket, egd_message, sizeof(egd_message)); - if (c == -1) - fatal("Couldn't write to EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); - - c = atomicio(read, egd_socket, buf, len); - 
if (c <= 0) - fatal("Couldn't read from EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); + if (atomicio(write, fd, msg, sizeof(msg)) != sizeof(msg)) { + error("Couldn't write to EGD socket \"%s\": %s", + EGD_SOCKET, strerror(errno)); + close(fd); + return(0); + } + + if (atomicio(read, fd, buf, len) != len) { + error("Couldn't read from EGD socket \"%s\": %s", + EGD_SOCKET, strerror(errno)); + close(fd); + return(0); + } + + close(fd); + + return(1); } #else /* !EGD_SOCKET */ #ifdef RANDOM_POOL /* Collect entropy from /dev/urandom or pipe */ -void get_random_bytes(unsigned char *buf, int len) +int get_random_bytes(unsigned char *buf, int len) { - static int random_pool = -1; - int c; + int random_pool; + random_pool = open(RANDOM_POOL, O_RDONLY); if (random_pool == -1) { - random_pool = open(RANDOM_POOL, O_RDONLY); - if (random_pool == -1) - fatal("Couldn't open random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); + error("Couldn't open random pool \"%s\": %s", + RANDOM_POOL, strerror(errno)); + return(0); + } + + if (atomicio(read, random_pool, buf, len) != len) { + error("Couldn't read from random pool \"%s\": %s", + RANDOM_POOL, strerror(errno)); + close(random_pool); + return(0); } - c = atomicio(read, random_pool, buf, len); - if (c <= 0) - fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); + close(random_pool); + + return(1); } #endif /* RANDOM_POOL */ #endif /* EGD_SOCKET */ @@ -131,8 +157,12 @@ char buf[32]; debug("Seeding random number generator"); - get_random_bytes(buf, sizeof(buf)); + + if (!get_random_bytes(buf, sizeof(buf)) && !RAND_status()) + fatal("Entropy collection failed and entropy exhausted"); + RAND_add(buf, sizeof(buf), sizeof(buf)); + memset(buf, '\0', sizeof(buf)); } 
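Review bot: `if (!get_random_bytes(buf, sizeof(buf)) && !RAND_status()) fatal(...)` aborts only when the pool is still empty; when get_random_bytes() fails but RAND_status() is non-zero, control falls through to `RAND_add(buf, sizeof(buf), sizeof(buf))` on a buffer nothing has written, crediting 32 bytes of entropy for stack garbage. Guard the RAND_add() with the return value (the memset() can stay unconditional). The new get_random_bytes() itself is an improvement: a fresh connection per request and `error()` plus `return(0)` on every failure path, with the descriptor closed on each of them.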
@@ -301,9 +331,9 @@ struct rusage ru; if (getrusage(who, &ru) == -1) - fatal("Couldn't getrusage: %s", strerror(errno)); + return(0); - RAND_add(&ru, sizeof(ru), 0.1); + RAND_add(&ru, sizeof(ru), entropy_estimate); return(entropy_estimate); #else /* _HAVE_GETRUSAGE */ From djm at mindrot.org Mon Jun 26 13:58:32 2000 From: djm at mindrot.org (Damien Miller) Date: Mon, 26 Jun 2000 13:58:32 +1000 (EST) Subject: Critical EGD handling in 2.1.1p1 In-Reply-To: Message-ID: On Mon, 26 Jun 2000, Damien Miller wrote: > > Attached is a diff against 2.1.1p1 which reworks the EGD handling > code a bit. In the grand tradition of replying to one's own post - here is a better (i.e not broken) patch. The previous patch didn't handle error conditions correctly - it would erroneously increase the entropy estimate in OpenSSL's pool by RAND_add()ing an non-populated buffer. -d -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) -------------- next part -------------- Index: entropy.c =================================================================== RCS file: /var/cvs/openssh/entropy.c,v retrieving revision 1.13 retrieving revision 1.16 diff -u -r1.13 -r1.16 --- entropy.c 2000/06/07 12:20:23 1.13 +++ entropy.c 2000/06/26 03:55:31 1.16 @@ -35,7 +35,7 @@ #include #include -RCSID("$Id: entropy.c,v 1.13 2000/06/07 12:20:23 djm Exp $"); +RCSID("$Id: entropy.c,v 1.16 2000/06/26 03:55:31 djm Exp $"); #ifndef offsetof # define offsetof(type, member) ((size_t) &((type *)0)->member) 
@@ -55,68 +55,94 @@ #define WHITESPACE " \t\n" +#ifndef RUSAGE_SELF +# define RUSAGE_SELF 0 +#endif +#ifndef RUSAGE_CHILDREN +# define RUSAGE_CHILDREN 0 +#endif + #if defined(EGD_SOCKET) || defined(RANDOM_POOL) #ifdef EGD_SOCKET /* Collect entropy from EGD */ -void get_random_bytes(unsigned char *buf, int len) +int get_random_bytes(unsigned char *buf, int len) { - static int egd_socket = -1; - int c; - char egd_message[2] = { 0x02, 0x00 }; + int fd; + char msg[2]; struct sockaddr_un addr; int addr_len; - memset(&addr, '\0', sizeof(addr)); - addr.sun_family = AF_UNIX; - - /* FIXME: compile time check? */ + /* Sanity checks */ if (sizeof(EGD_SOCKET) > sizeof(addr.sun_path)) fatal("Random pool path is too long"); - + if (len > 255) + fatal("Too many bytes to read from EGD"); + + memset(&addr, '\0', sizeof(addr)); + addr.sun_family = AF_UNIX; strlcpy(addr.sun_path, EGD_SOCKET, sizeof(addr.sun_path)); - addr_len = offsetof(struct sockaddr_un, sun_path) + sizeof(EGD_SOCKET); - if (egd_socket == -1) { - egd_socket = socket(AF_UNIX, SOCK_STREAM, 0); - if (egd_socket == -1) - fatal("Couldn't create AF_UNIX socket: %s", strerror(errno)); - if (connect(egd_socket, (struct sockaddr*)&addr, addr_len) == -1) - fatal("Couldn't connect to EGD socket \"%s\": %s", addr.sun_path, strerror(errno)); - } + fd = socket(AF_UNIX, SOCK_STREAM, 0); + if (fd == -1) { + error("Couldn't create AF_UNIX socket: %s", strerror(errno)); + return(0); + } - if (len > 255) - fatal("Too many bytes to read from EGD"); - + if (connect(fd, (struct sockaddr*)&addr, addr_len) == -1) { + error("Couldn't connect to EGD socket \"%s\": %s", + addr.sun_path, strerror(errno)); + close(fd); + return(0); + } + /* Send blocking read request to EGD */ - egd_message[1] = len; + msg[0] = 0x02; + msg[1] = len; - c = atomicio(write, egd_socket, egd_message, sizeof(egd_message)); - if (c == -1) - fatal("Couldn't write to EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); - - c = atomicio(read, egd_socket, buf, len); - 
if (c <= 0) - fatal("Couldn't read from EGD socket \"%s\": %s", EGD_SOCKET, strerror(errno)); + if (atomicio(write, fd, msg, sizeof(msg)) != sizeof(msg)) { + error("Couldn't write to EGD socket \"%s\": %s", + EGD_SOCKET, strerror(errno)); + close(fd); + return(0); + } + + if (atomicio(read, fd, buf, len) != len) { + error("Couldn't read from EGD socket \"%s\": %s", + EGD_SOCKET, strerror(errno)); + close(fd); + return(0); + } + + close(fd); + + return(1); } #else /* !EGD_SOCKET */ #ifdef RANDOM_POOL /* Collect entropy from /dev/urandom or pipe */ -void get_random_bytes(unsigned char *buf, int len) +int get_random_bytes(unsigned char *buf, int len) { - static int random_pool = -1; - int c; + int random_pool; + random_pool = open(RANDOM_POOL, O_RDONLY); if (random_pool == -1) { - random_pool = open(RANDOM_POOL, O_RDONLY); - if (random_pool == -1) - fatal("Couldn't open random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); + error("Couldn't open random pool \"%s\": %s", + RANDOM_POOL, strerror(errno)); + return(0); + } + + if (atomicio(read, random_pool, buf, len) != len) { + error("Couldn't read from random pool \"%s\": %s", + RANDOM_POOL, strerror(errno)); + close(random_pool); + return(0); } - c = atomicio(read, random_pool, buf, len); - if (c <= 0) - fatal("Couldn't read from random pool \"%s\": %s", RANDOM_POOL, strerror(errno)); + close(random_pool); + + return(1); } #endif /* RANDOM_POOL */ #endif /* EGD_SOCKET */ @@ -131,8 +157,14 @@ char buf[32]; debug("Seeding random number generator"); - get_random_bytes(buf, sizeof(buf)); - RAND_add(buf, sizeof(buf), sizeof(buf)); + + if (!get_random_bytes(buf, sizeof(buf))) { + if (!RAND_status()) + fatal("Entropy collection failed and entropy exhausted"); + } else { + RAND_add(buf, sizeof(buf), sizeof(buf)); + } + memset(buf, '\0', sizeof(buf)); } 
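Review bot: the seed_rng() hunk (@@ -131,8 +157,14 @@) now correctly skips RAND_add() when collection fails, but it still credits every collected byte as a full byte of entropy via `RAND_add(buf, sizeof(buf), sizeof(buf))` regardless of where the bytes came from. For the EGD path that is defensible, since the 0x02 request is a blocking read that only returns harvested entropy, but the RANDOM_POOL path is commented as "/dev/urandom or pipe", and /dev/urandom keeps producing PRNG output after the kernel pool is drained; either use a lower estimate for RANDOM_POOL or document that RANDOM_POOL must be a blocking source. Separately, in the EGD hunk the sanity check `if (len > 255)` does not reject a negative len before it is stored in `msg[1] = len`; checking `len < 0 || len > 255` closes that gap.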
@@ -301,9 +333,9 @@ struct rusage ru; if (getrusage(who, &ru) == -1) - fatal("Couldn't getrusage: %s", strerror(errno)); + return(0); - RAND_add(&ru, sizeof(ru), 0.1); + RAND_add(&ru, sizeof(ru), entropy_estimate); return(entropy_estimate); #else /* _HAVE_GETRUSAGE */ From Lutz.Jaenicke at aet.TU-Cottbus.DE Mon Jun 26 19:22:51 2000 From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Mon, 26 Jun 2000 11:22:51 +0200 Subject: Critical EGD handling in 2.1.1p1 In-Reply-To: ; from djm@mindrot.org on Mon, Jun 26, 2000 at 11:33:10AM +1000 References: <20000623111515.A13502@serv01.aet.tu-cottbus.de> Message-ID: <20000626112251.A22883@serv01.aet.tu-cottbus.de> On Mon, Jun 26, 2000 at 11:33:10AM +1000, Damien Miller wrote: > > [Background: I am playing around with my own "prngd" which replaces EGD > > and rather emulates an "urandom" device (non-blocking, never drained) > > by having an internal openssl-PRNG that is continously reseeded and > > can save seed on close and initialize itself from the seed-file on restart. > > Hence I have slightly other behaviour of my daemon and a lot of restarts...] > > You might be interested in Peter Gutmann's paper on entropy collection: > http://www.cs.auckland.ac.nz/~pgut001/pubs/random2.pdf > > He analyses a few homegrown random collectors and presents a design > for an improved one. Very interesting reading, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From lists at fips.de Mon Jun 26 19:34:01 2000 
From: lists at fips.de (Philipp Buehler) Date: Mon, 26 Jun 2000 11:34:01 +0200 Subject: source IP|interface Message-ID: <20000626113401.A4481@pohl.fips.de> Hello, I stumbled across that it seems not to be possible to define the source-IP|interface which the sshclient uses. [like ping -I eth1 on linux or similar] .. Any workaround? I have some weird ipsec setup and need to define source addresses.. ciao -- Philipp Buehler, aka fIpS | sysfive.com GmbH i.G. | BOfH | NUCH | %SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time. Artificial Intelligence stands no chance against Natural Stupidity. From djm at mindrot.org Mon Jun 26 19:50:22 2000 From: djm at mindrot.org (Damien Miller) Date: Mon, 26 Jun 2000 19:50:22 +1000 (EST) Subject: source IP|interface In-Reply-To: <20000626113401.A4481@pohl.fips.de> Message-ID: On Mon, 26 Jun 2000, Philipp Buehler wrote: > Hello, > > I stumbled across that it seems not to be possible to > define the source-IP|interface which the sshclient uses. > [like ping -I eth1 on linux or similar] .. Not as yet, though you are not the first to ask. > Any workaround? I have some weird ipsec setup and need to define > source addresses.. A quick workaround may be to use a ProxyCommand (see ssh manpage) which does a bind() to a specified IP address before connecting. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From Richard.West at divatv.com Tue Jun 27 01:33:41 2000 
From: Richard.West at divatv.com (Richard West) Date: Mon, 26 Jun 2000 11:33:41 -0400 Subject: 2.1.1p1 Timestamp problem? Message-ID: <395777D5.89D4C1BF@divatv.com> I've been running OpenSSH for quite some time now, and I have been acting more as the point man in making the builds for LinuxPPC as well as distributing it to the Linux for the PowerPC community. Things have worked rather well, making it a straight rebuild of the package. However, a new problem was introduced with 2.1.1p1. It's not critical, but a little more than a simple annoyance. For some reason, now, running 2.1.1p1, the timestamp in wtmp is always Dec 31 19:00. So, for example, if you type "who" or "last", those users who have logged in via ssh are listed as logging into the system on Dec 31 as well as having been logged in for a heck of a long time. :) Backing down to the previous port, 2.1.0p2, restored the system back to a fully functioning state. I went through this on two separate boxes with the same results... Not knowing just how to solve this, I thought I would send it into the list in the hopes that either (1) it was a known issue and being addressed or (2) it was not a known issue and will be addressed. :) Either way, thanks! -Rich -- Richard West mailto:richard.west at divatv.com Sr. Systems Administrator DivaTV Systems - Princeton, NJ http://www.divatv.com From markus.friedl at informatik.uni-erlangen.de Mon Jun 26 12:47:18 2000 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 26 Jun 2000 04:47:18 +0200 Subject: problem with scp, and suggestion for fix In-Reply-To: <200006231944.MAA02419@shell3.ba.best.com>; from phil@bolthole.com on Fri, Jun 23, 2000 at 12:44:15PM -0700 References: <200006231944.MAA02419@shell3.ba.best.com> Message-ID: <20000626044718.B6542@folly.conference.usenix.org> no, this will not work, since the local ssh has no idea what the pathname for the remote 'scp' binary is. On Fri, Jun 23, 2000 at 12:44:15PM -0700, Philip Brown wrote: > When I ran a strings on scp, it seems you have done a semi-similar hardcode > of the path to ssh. /usr/local/bin/ssh turns up as a string in scp. > So please do the same thing for the full path to scp, as well. From markus.friedl at informatik.uni-erlangen.de Mon Jun 26 12:45:21 2000 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 26 Jun 2000 04:45:21 +0200 Subject: problems with scp In-Reply-To: <39446E7A.30512992@ensim.com>; from rachit@ensim.com on Sun, Jun 11, 2000 at 10:00:42PM -0700 References: <39446E7A.30512992@ensim.com> Message-ID: <20000626044521.A6542@folly.conference.usenix.org> On Sun, Jun 11, 2000 at 10:00:42PM -0700, Rachit Siamwalla wrote: > [root at dog /root]# scp foo.bar solmachine:/tmp/ > lost connection scp is probably not in the path on the remote machine. From garrick at james.net Tue Jun 27 02:26:57 2000 
From: garrick at james.net (Garrick James) Date: Mon, 26 Jun 2000 09:26:57 -0700 (PDT) Subject: 2.1.1p1 Timestamp problem? In-Reply-To: <395777D5.89D4C1BF@divatv.com> Message-ID: The problem you are seeing can be solved by applying the patch which I submitted a week or so ago regarding the utmp login reporting on linux. You can get it from the list archives or let me know and I'll send it to you directly. Regards, Garrick P.S. Damien released a test bundle with the patch included, but I do not remember where to find it. On Mon, 26 Jun 2000, Richard West wrote: > I've been running OpenSSH for quite some time now, and I have been > acting more as the point man in making the builds for LinuxPPC as well > as distributing it to the Linux for the PowerPC community. > > Things have worked rather well, making it a straight rebuild of the > package. However, a new problem was introduced with 2.1.1p1. It's not > critical, but a little more than a simple annoyance. > > For some reason, now, running 2.1.1p1, the timestamp in wtmp is always > Dec 31 19:00. So, for example, if you type "who" or "last", those users > who have logged in via ssh are listed as logging into the system on Dec > 31 as well as having been logged in for a heck of a long time. :) > > Backing down to the previous port, 2.1.0p2, restored the system back to > a fully functioning state. I went through this on two separate boxes > with the same results... > > Not knowing just how to solve this, I thought I would send it into the > list in the hopes that either (1) it was a known issue and being > addressed or (2) it was not a known issue and will be addressed. :) > > Either way, thanks! > > -Rich > > > -- > Richard West mailto:richard.west at divatv.com > Sr. Systems Administrator > DivaTV Systems - Princeton, NJ http://www.divatv.com > > > > > From Ronald.Wahl at Informatik.TU-Chemnitz.DE Tue Jun 27 03:34:03 2000 
From: Ronald.Wahl at Informatik.TU-Chemnitz.DE (Ronald Wahl) Date: Mon, 26 Jun 2000 19:34:03 +0200 (CEST) Subject: Strange behavior with -N + parsing bug Message-ID: Hi, I have noticed a strange behavior of openssh-2.1.1p1 under Linux if the -N switch is used. If the last forwarded connection is closed the server instance dies instead of waiting for new connections to forward. I hope someone could fix this. Additionally I found a bug in parsing the option "Protocol". The lines with the options are split up via strtok. The function that parses the "Protocol" option-values (proto_spec) uses strtok too but with another string and so interferes with the strtok that is used for splitting the whole option line. The problem occurs where we check for garbage after the option-value. Please fix! thanx, ron -- /\/\ Ronald Wahl /\/\ C S N /\/\ \/\/ ronald.wahl at informatik.tu-chemnitz.de \/\/ ------------------ \/\/ /\/\ http://www.tu-chemnitz.de/~row/ /\/\ network and system /\/\ \/\/ GnuPG/PGP key available \/\/ administration \/\/ From rachit at ensim.com Tue Jun 27 05:41:07 2000 
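The nested-strtok() problem Ron describes, shown as an added example that is not OpenSSH code: an outer strtok() loop splits a "Protocol <spec>" line, the value parser tokenises "2,1" with strtok() as well, and the final "garbage after the value" check then resumes in the wrong buffer. The names proto_spec_broken(), proto_spec_fixed() and parse_protocol_line() are hypothetical stand-ins for the real readconf/proto_spec code; the fix is the re-entrant strtok_r() with a local save pointer.

```c
#define _POSIX_C_SOURCE 200809L   /* for strtok_r() */
#include <stdio.h>
#include <string.h>

#define WHITESPACE " \t\n"
#define SSH_PROTO_1 1
#define SSH_PROTO_2 2

/* Bounded copy with guaranteed NUL termination. */
static void copy_bounded(char *dst, const char *src, size_t n)
{
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
}

/* Map one token of a Protocol spec to its bit, or -1 if unknown. */
static int proto_bit(const char *tok)
{
    if (strcmp(tok, "1") == 0)
        return SSH_PROTO_1;
    if (strcmp(tok, "2") == 0)
        return SSH_PROTO_2;
    return -1;
}

/* BROKEN (hypothetical stand-in): tokenises "2,1" with strtok(), which
 * overwrites the single static cursor the caller's own strtok() loop is still
 * relying on. A static buffer stands in for the heap copy a real implementation
 * would make, so the demo has no dangling-pointer undefined behaviour. */
static int proto_spec_broken(const char *spec)
{
    static char buf[64];
    int mask = 0, bit;
    char *p;

    copy_bounded(buf, spec, sizeof(buf));
    for (p = strtok(buf, ","); p != NULL; p = strtok(NULL, ",")) {
        if ((bit = proto_bit(p)) < 0)
            return -1;
        mask |= bit;
    }
    return mask;
}

/* FIXED: strtok_r() keeps its cursor in a local, so the caller's state survives. */
static int proto_spec_fixed(const char *spec)
{
    char buf[64], *save = NULL, *p;
    int mask = 0, bit;

    copy_bounded(buf, spec, sizeof(buf));
    for (p = strtok_r(buf, ",", &save); p != NULL; p = strtok_r(NULL, ",", &save)) {
        if ((bit = proto_bit(p)) < 0)
            return -1;
        mask |= bit;
    }
    return mask;
}

/* Parse one "Protocol <spec>" line the way a strtok()-based config reader does:
 * keyword, value, then a final strtok(NULL) that must return NULL or the line
 * has trailing garbage. Returns 0 on success (*mask filled in), 1 if trailing
 * garbage was detected, -1 if the line is malformed. */
static int parse_protocol_line(const char *line, int (*spec_fn)(const char *), int *mask)
{
    char buf[128], *kw, *val;

    copy_bounded(buf, line, sizeof(buf));
    kw = strtok(buf, WHITESPACE);
    val = (kw != NULL) ? strtok(NULL, WHITESPACE) : NULL;
    if (kw == NULL || val == NULL || strcmp(kw, "Protocol") != 0)
        return -1;
    *mask = spec_fn(val);
    if (*mask < 0)
        return -1;
    /* With proto_spec_broken this strtok(NULL) resumes in the callee's
     * exhausted buffer, not in ours, so "junk" after the value is never seen. */
    return strtok(NULL, WHITESPACE) != NULL ? 1 : 0;
}

int main(void)
{
    const char *line = "Protocol 2,1 junk";   /* constructed: has trailing garbage */
    int mask;

    printf("broken: garbage %s\n",
           parse_protocol_line(line, proto_spec_broken, &mask) == 1 ? "detected" : "MISSED");
    printf("fixed:  garbage %s\n",
           parse_protocol_line(line, proto_spec_fixed, &mask) == 1 ? "detected" : "MISSED");
    return 0;
}
```

The broken variant parses the value correctly, which is why the bug is easy to miss: only the garbage check, the last strtok(NULL) in the caller, silently returns NULL because the callee's loop already exhausted the shared cursor. Any helper that calls strtok() while a caller's strtok() loop is in progress has the same problem; strtok_r() (or a cursor-passing splitter) is the general cure.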
From: rachit at ensim.com (Rachit Siamwalla) Date: Mon, 26 Jun 2000 12:41:07 -0700 Subject: problems with scp References: <39446E7A.30512992@ensim.com> <20000626044521.A6542@folly.conference.usenix.org> Message-ID: <3957B1D3.8D8FC0D8@ensim.com> Again, this is a half a month ago and I don't have my testbed anymore, but here goes for old information. I remember checking that, (linking /usr/local/bin/scp to /usr/bin/scp, etc.) *and* doing a truss / strace on the client and server + added debug output. Nowhere I saw a check for scp failing. I remember that the scp location was my first problem on linux-linux transfer and I was able to figure out from strace/truss and learned my lesson :) I know it sucks that I can't reproduce the environment, sorry... -rchit > On Sun, Jun 11, 2000 at 10:00:42PM -0700, Rachit Siamwalla wrote: > > [root at dog /root]# scp foo.bar solmachine:/tmp/ > > lost connection > > scp is probably not in the path on the remote machine. From djm at mindrot.org Tue Jun 27 07:45:37 2000 From: djm at mindrot.org (Damien Miller) Date: Tue, 27 Jun 2000 07:45:37 +1000 (EST) Subject: 2.1.1p1 Timestamp problem? In-Reply-To: <395777D5.89D4C1BF@divatv.com> Message-ID: On Mon, 26 Jun 2000, Richard West wrote: > I've been running OpenSSH for quite some time now, and I have been > acting more as the point man in making the builds for LinuxPPC as well > as distributing it to the Linux for the PowerPC community. There is a problem with the current configure script when run under bash2. You might want to try: http://www.mindrot.org/misc/junk/openssh-SNAP-2000062600.tar.gz There is still one other problem with Slackware that I am tracking down. Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From jladwig at nts.umn.edu Tue Jun 27 10:12:41 2000 
From: jladwig at nts.umn.edu (John Ladwig) Date: Mon, 26 Jun 2000 19:12:41 -0500 (CDT) Subject: openssh-2.1.1p1 on Irix6.2 report Message-ID: <20000627001241.B51E35C90AF@arrow.nts.umn.edu> I've had fairly good success with the portable OpenSSH 2.1.1p1 on Irix 6.2. There's one major nit, and a few things that configure got wrong. I'm kinda deep in real work at the moment, so I don't have time to delve heavily, but since configure specifically asked for feedback on this port, I'm obliging. The biggest problem I've run into so far is in the builtin PRNG command timeout parameter. Frequently, when the value's set to 200 ms, I'll fail to get *any* results added to the entropy pool, and the outgoing ssh connection fails as a result. Upping ENTROPY_TIMEOUT_MSEC to 500 seems to have cleared this problem nicely on my old crufty 144MHz Indy. The builtin PRNG seeding is *much* preferable to the prior perl-based EGD. Many thanks, -jml A few high/easy portability points: ** There seems to be a pointer problem in vsnprintf: cc -n32 -I/usr/local/include -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c bsd-snprintf.c "bsd-snprintf.c", line 149: warning(1164): argument of type "va_list *" is incompatible with parameter of type "char *" ret = vsprintf(p, fmt, ap); ^ "bsd-snprintf.c", line 176: warning(1177): argument is incompatible with formal parameter return (vsnprintf(str, n, fmt, ap)); ^ From my read of the headers and manpages, there's a superfluous "*" in line 129, declaring va_list *ap, when it should be va_list ap. Removing the spurious pointer declaration removes the above complaints. 
** Carelessness in prototyping versus use: cc -n32 -I/usr/local/include -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c authfile.c "authfile.c", line 166: warning(1164): argument of type "char *" is incompatible with parameter of type "unsigned char *" (char *)passphrase, strlen(passphrase), NULL, NULL)) ^ s/b "(unsigned char *)" to match prototype in ** Bad socket structure types cc -n32 -I/usr/local/include -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c canohost.c "canohost.c", line 41: warning(1164): argument of type "socklen_t *" is incompatible with parameter of type "int *" if (getpeername(socket, (struct sockaddr *) & from, &fromlen) < 0) { ^ "canohost.c", line 153: warning(1164): argument of type "socklen_t *" is incompatible with parameter of type "int *" &option_size) >= 0 && option_size != 0) { ^ "canohost.c", line 221: warning(1164): argument of type "socklen_t *" is incompatible with parameter of type "int *" if (getpeername(socket, (struct sockaddr *) & from, &fromlen) < 0) { ^ "canohost.c", line 249: warning(1164): argument of type "socklen_t *" is incompatible with parameter of type "int *" if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0) { ^ "canohost.c", line 254: warning(1164): argument of type "socklen_t *" is incompatible with parameter of type "int *" if (getpeername(sock, (struct sockaddr *) & from, &fromlen) < 0) { ^ ** and channels.c: cc -n32 -I/usr/local/include -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c channels.c "channels.c", line 516: warning(1164): argument of type "socklen_t *" is incompatible with parameter of type "int *" newsock = accept(c->sock, 
&addr, &addrlen); ^ "channels.c", line 572: warning(1164): argument of type "socklen_t *" is incompatible with parameter of type "int *" newsock = accept(c->sock, &addr, &addrlen); ^ "channels.c", line 628: warning(1164): argument of type "socklen_t *" is incompatible with parameter of type "int *" newsock = accept(c->sock, &addr, &addrlen); ^ There's more, but I'm out of time at the moment. -jml From Richard.West at DivaTV.com Tue Jun 27 16:07:06 2000 From: Richard.West at DivaTV.com (Richard West) Date: Tue, 27 Jun 2000 02:07:06 -0400 Subject: 2.1.1p1 Timestamp problem? References: Message-ID: <3958448A.8DDBB655@DivaTV.com> I've taken the patch, which was supplied to me by another on the list, and incorporated it into an SRPM. I built it, with the patch and autoreconf, and everything seems to be functioning perfectly! My thanks to all! -Rich Damien Miller wrote: > On Mon, 26 Jun 2000, Richard West wrote: > > > I've been running OpenSSH for quite some time now, and I have been > > acting more as the point man in making the builds for LinuxPPC as well > > as distributing it to the Linux for the PowerPC community. > > There is a problem with the current configure script when run under > bash2. You might want to try: > http://www.mindrot.org/misc/junk/openssh-SNAP-2000062600.tar.gz > > There is still one other problem with Slackware that I am tracking > down. > > Regards, > Damien Miller -- Richard West mailto:richard.west at divatv.com Sr. Systems Administrator DivaTV Systems - Princeton, NJ http://www.divatv.com From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Jun 27 18:16:04 2000 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Tue, 27 Jun 2000 10:16:04 +0200 Subject: Critical EGD handling in 2.1.1p1 In-Reply-To: ; from djm@mindrot.org on Mon, Jun 26, 2000 at 01:58:32PM +1000 References: Message-ID: <20000627101604.A23111@ws01.aet.tu-cottbus.de> On Mon, Jun 26, 2000 at 01:58:32PM +1000, Damien Miller wrote: > On Mon, 26 Jun 2000, Damien Miller wrote: > > > > > Attached is a diff against 2.1.1p1 which reworks the EGD handling > > code a bit. > > In the grand tradition of replying to one's own post - here is a > better (i.e. not broken) patch. > > The previous patch didn't handle error conditions correctly - it > would erroneously increase the entropy estimate in OpenSSL's pool by > RAND_add()ing a non-populated buffer. Thanks, this increased the reliability of openssh (with EGD support) quite a bit :-) Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From Nigel.Metheringham at VData.co.uk Wed Jun 28 00:51:58 2000 
From: Nigel.Metheringham at VData.co.uk (Nigel Metheringham) Date: Tue, 27 Jun 2000 15:51:58 +0100 Subject: DSA Auth Key Support Message-ID: This appears to be rather poorly supported compared to the rsa key equivalent... The man page implies that ~/.ssh/authorized_keys & ~/.ssh/authorized_keys2 are similar format. In fact the code will only read DSA keys from the ~/.ssh/authorized_keys2 file - the options entries are not supported, and putting options in causes key recognition to fail. I guess ideally the key reader needs to strip off the pre-key material, and then pass it to a common options parser shared with the rsa key handler (why duplicate the code). An alternative is that the options could be added to the end of the key line... I don't like that much, but in either case the options ought to be supported. Nigel. -- [ - Opinions expressed are personal and may not be shared by VData - ] [ Nigel Metheringham Nigel.Metheringham at VData.co.uk ] [ Phone: +44 1423 850000 Fax +44 1423 858866 ] From mascheck at faw.uni-ulm.de Wed Jun 28 01:16:48 2000 
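Nigel's suggestion, stripping the pre-key material off an authorized_keys2 line and handing it to an options tokenizer that the RSA and DSA readers could share, as an added example that is not OpenSSH code. It assumes the documented authorized_keys option syntax (comma-separated options, values may be double-quoted and then contain commas and spaces) and that key material begins either with a digit (RSA1 bit count) or with "ssh-dss"; split_key_line() and split_options() are hypothetical names, and the sample line is constructed with a placeholder key blob.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_OPTS 16

/* Key material starts with a bit count (RSA1) or the "ssh-dss" type name. */
static int looks_like_key(const char *p)
{
    return isdigit((unsigned char)*p) || strncmp(p, "ssh-dss", 7) == 0;
}

/* Split one authorized_keys line in place into its options prefix and the
 * key material that follows. Quoted option values may contain spaces and
 * commas, so the scan tracks quotes instead of stopping at the first blank.
 * Returns 0 on success (*options is "" when there are none), -1 on an
 * unterminated quote or on options with no key after them. */
static int split_key_line(char *line, char **options, char **key)
{
    char *p = line;

    while (*p == ' ' || *p == '\t')
        p++;
    if (looks_like_key(p)) {
        *options = p + strlen(p);   /* empty string */
        *key = p;
        return 0;
    }
    *options = p;
    while (*p != '\0' && *p != ' ' && *p != '\t') {
        if (*p == '"') {
            p++;
            while (*p != '\0' && *p != '"') {
                if (*p == '\\' && p[1] != '\0')
                    p++;            /* skip the escaped character */
                p++;
            }
            if (*p != '"')
                return -1;          /* unterminated quote */
        }
        p++;
    }
    if (*p == '\0')
        return -1;                  /* options but nothing after them */
    *p++ = '\0';
    while (*p == ' ' || *p == '\t')
        p++;
    *key = p;
    return 0;
}

/* Tokenise the options prefix on commas outside double quotes; this is the
 * part both key readers could share. Fills opts[] with pointers into the
 * buffer and returns the count, or -1 if more than max options are present. */
static int split_options(char *options, char **opts, int max)
{
    int n = 0, inq = 0;
    char *p;

    if (*options == '\0')
        return 0;
    opts[n++] = options;
    for (p = options; *p != '\0'; p++) {
        if (inq && *p == '\\' && p[1] != '\0') {
            p++;                    /* escaped character inside quotes */
        } else if (*p == '"') {
            inq = !inq;
        } else if (*p == ',' && !inq) {
            if (n >= max)
                return -1;
            *p = '\0';
            opts[n++] = p + 1;
        }
    }
    return n;
}

int main(void)
{
    /* Constructed sample line; the key blob is a placeholder, not a real key. */
    char line[] = "from=\"*.example.org,!bad.example.org\",no-pty ssh-dss AAAAB3NzaC1kc3MA placeholder";
    char *options, *key, *opts[MAX_OPTS];
    int i, n;

    if (split_key_line(line, &options, &key) != 0) {
        fprintf(stderr, "malformed line\n");
        return 1;
    }
    n = split_options(options, opts, MAX_OPTS);
    for (i = 0; i < n; i++)
        printf("option %d: %s\n", i, opts[i]);
    printf("key: %s\n", key);
    return 0;
}
```

Because the splitter honours quotes, a from="host1,host2" pattern is not cut in two by either stage, which is exactly the case a naive "skip to the first space, then split on commas" reader gets wrong; an unterminated quote is rejected rather than silently swallowing the key.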
From: mascheck at faw.uni-ulm.de (Sven Mascheck) Date: Tue, 27 Jun 2000 17:16:48 +0200 Subject: bsd-snprintf [was: openssh-2.1.1p1 on Irix6.2 report] In-Reply-To: <20000627001241.B51E35C90AF@arrow.nts.umn.edu>; from jladwig@nts.umn.edu on Mon, Jun 26, 2000 at 07:12:41PM -0500 References: <20000627001241.B51E35C90AF@arrow.nts.umn.edu> Message-ID: <20000627171648.B24524@sun31.faw.uni-ulm.de> Hi, > ** There seems to be a pointer problem in vsnprintf: > > cc -[...] -DHAVE_CONFIG_H -c bsd-snprintf.c > "bsd-snprintf.c", line 149: warning(1164): argument of type "va_list *" is > incompatible with parameter of type "char *" > ret = vsprintf(p, fmt, ap); > ^ Yes, such a problem might occur on all platforms that don't come with [v]snprintf(). Whether it does compile depends on the compiler and the actual type of va_list. It's a struct on some platforms and just a void* (or char* resp.) on others. It doesn't compile on OSF1/V4.0 (gcc-2.7.2.1) but does so on Solaris 2.5 (gcc-2.7.2.3 / -2.95.2). I haven't tried on other dialects, that don't come with [v]snprintf(). Thus I also was wondering, why the 'argument list' (both in the declaration and implementation) contains a "va_list*", not just "va_list". All other Unix dialects that come with snprintf() (including old ones) - and particularly C99 - declare vsnprintf() with just "va_list". Again, on Solaris2.5, this doesn't harm too much, as there's much implicit casting with void* pointers. This might be another reason, why it was not that important yet. On Irix6.x it might be Is there a reason, why bsd-snprintf.c/h is different then? Sven -- From mouring at pconline.com Wed Jun 28 02:13:49 2000 
From: mouring at pconline.com (Ben Lindstrom) Date: Tue, 27 Jun 2000 11:13:49 -0500 (CDT) Subject: bsd-snprintf [was: openssh-2.1.1p1 on Irix6.2 report] In-Reply-To: <20000627171648.B24524@sun31.faw.uni-ulm.de> Message-ID: On Tue, 27 Jun 2000, Sven Mascheck wrote: > Hi, > > > ** There seems to be a pointer problem in vsnprintf: > > > > cc -[...] -DHAVE_CONFIG_H -c bsd-snprintf.c > > "bsd-snprintf.c", line 149: warning(1164): argument of type "va_list *" is > > incompatible with parameter of type "char *" > > ret = vsprintf(p, fmt, ap); > > ^ > > Yes, such a problem might occur on all platforms that don't come with > [v]snprintf(). Whether it does compile depends on the compiler and the > actual type of va_list. It's a struct on some platforms and just a > void* (or char* resp.) on others. > It doesn't compile on OSF1/V4.0 (gcc-2.7.2.1) but does so on Solaris 2.5 > (gcc-2.7.2.3 / -2.95.2). I haven't tried on other dialects, that don't > come with [v]snprintf(). > NeXT 3.3 and OpenStep 4.2 dislike the bsd-snprintf.c ..I have two throw togethers that work. But they are not portable. I've not looked at the LPRNG snprintf.c Which supposedly is highly portable. The current version depends on setjmp() which is not part of the NeXT OS. (And looks like would be a mess to implement.) From djm at mindrot.org Wed Jun 28 08:32:49 2000 
From: djm at mindrot.org (Damien Miller) Date: Wed, 28 Jun 2000 08:32:49 +1000 (EST) Subject: DSA Auth Key Support In-Reply-To: Message-ID: On Tue, 27 Jun 2000, Nigel Metheringham wrote: > This appears to be rather poorly supported compared to the rsa key > equivalent... > > The man page implies that ~/.ssh/authorized_keys & > ~/.ssh/authorized_keys2 are similar format. In fact the code will only > read DSA keys from the ~/.ssh/authorized_keys2 file - the options > entries are not supported, and putting options in causes key > recognition to fail. This has been improved in the snapshots. Take a look at http://www.mindrot.org/misc/junk/openssh-SNAP-20000628.tar.gz Regards, Damien Miller -- | "Bombay is 250ms from New York in the new world order" - Alan Cox | Damien Miller - http://www.mindrot.org/ | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) From simmonsjw-openssh at sws6.cind.ornl.gov Thu Jun 29 00:04:50 2000 
From: simmonsjw-openssh at sws6.cind.ornl.gov (Jim Simmons) Date: Wed, 28 Jun 2000 10:04:50 -0400 Subject: connection dies when X11 forwarded app exits In-Reply-To: ; from oetiker@ee.ethz.ch on Mon, Jun 19, 2000 at 12:11:53PM +0200 References: <41256903.00390964.00@mailint.dmz.advance-bank.de> Message-ID: <20000628100450.D17025@sws6.cind.ornl.gov> I'm seeing something similar using Openssh-2.1.1p1 with Solaris 2.6. Except when I connect using ssh -v it doesn't always kill the session. A sample: ssh -X remotehost xmgrace # On remote host # Exit xmgrace and I get: channel 0: chan_shutdown_read: shutdown() failed for fd6 [i1 o128]: Invalid argument However: ssh -X -v remotehost xmgrace # Exit xmgrace and I get: debug: channel 0: send oclose debug: channel 0: close_write debug: channel 0: send data len 512 debug: channel 0: read<=0 rfd 6 len 0 debug: channel 0: read failed debug: channel 0: input open -> drain debug: channel 0: close_read channel 0: chan_shutdown_read: shutdown() failed for fd6 [i1 o128]: Invalid argument debug: channel 0: send data len 512 debug: channel 0: send data len 576 Connection to remotehost closed by remote host. Connection to remotehost closed. debug: Transferred: stdin 20, stdout 2916, stderr 71 bytes in 27.8 seconds debug: Bytes per second: stdin 0.7, stdout 104.9, stderr 2.6 debug: Exit status -1 In this case it killed the connection. I tried again and this time it didn't kill it, saying: debug: channel 0: input: no drain shortcut debug: channel 0: ibuf empty debug: channel 0: input drain -> wait_oclose debug: channel 0: send ieof debug: channel 0: rcvd oclose debug: channel 0: input wait_oclose -> closed debug: channel 0: full closed debug: channel_free: channel 0: status: The following connections are open: #0 X11 connection from remotehost port 34006 (t4 r1 i8/0 o128/0 fd 6/6) Any idea what is going on? Jim From mfisk at lanl.gov Thu Jun 29 01:02:13 2000 
From: mfisk at lanl.gov (Mike Fisk) Date: Wed, 28 Jun 2000 15:02:13 +0000 (GMT) Subject: F-secure -> Openssh Compatibility (fwd) Message-ID: Date: Tue, 27 Jun 2000 16:09:43 -0600 (MDT) From: "W. Scott Wilburn" To: ssh at clinet.fi Subject: F-secure -> Openssh Compatibility We have Macintoshes running Fsecure SSH client 1.0.1 which are unable to connect to a server running Openssh 2.1.1 on Red Hat 6.2. I believe that the problem is a bug with Fsecure, since a 30-day trial version of 1.0.2 works fine. I'm a bit reluctant to tell all the Mac users they have to spend money to upgrade, though, since everything was fine until I switched my machines to OpenSSH from commercial SSH. Does anyone have any info on this? Is there a workaround? Symptoms -------- Client side (Mac w/ Fsecure): After initiating connection, nothing happens until eventual timeout or manual quit. Server side (Linux w/ Openssh) Log file reads Connection from port 49153 After client-side quit, log file reads Did not receive ident string from . Best regards, Scott Wilburn -- *--------------------------------*-------------------------* | W. Scott Wilburn | Email: wilburn at lanl.gov | | Los Alamos National Laboratory | Phone: (505) 667-2107 | | MS H803 | Fax: (505) 665-4121 | | Los Alamos, NM 87545 | | *--------------------------------*-------------------------* -- Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab See http://home.lanl.gov/mfisk/ for contact information From mascheck at faw.uni-ulm.de Thu Jun 29 02:08:03 2000 
From: mascheck at faw.uni-ulm.de (Sven Mascheck) Date: Wed, 28 Jun 2000 18:08:03 +0200 Subject: bsd-snprintf [was: openssh-2.1.1p1 on Irix6.2 report] In-Reply-To: ; from mouring@pconline.com on Tue, Jun 27, 2000 at 11:13:49AM -0500 References: <20000627171648.B24524@sun31.faw.uni-ulm.de> Message-ID: <20000628180803.A25417@sun31.faw.uni-ulm.de> Ben Lindstrom wrote: > NeXT 3.3 and OpenStep 4.2 dislike the bsd-snprintf.c ..I have two throw > togethers that work. But they are not portable. I've not looked at the > LPRNG snprintf.c Which supposedly is highly portable. The current > version depends on setjmp() which is not part of the NeXT OS. (And looks > like would be a mess to implement.) Yes, the bsd-snprintf uses signal handling for buffer overrun in vsnprintf(). Damien Miller once mentioned the snprintf.c from XFree86. This derives from an original by Patrick Powell. This original lacks floating point support, btw. You may be interested in another modified version of this original, too. It's from the mutt package: Improved floating point support, I think the XFree one lacks this. It deals with systems having only one of the two functions. It comes with a selftest (switched on via define). There is neither signal handling nor mprotect required. No changes have been necessary for a long time now. It compiled "out of the box" on Solaris2.5 and OSF1/V4.0b. But I have no NeXT. It may at least inspire you, like the XFree one. Have a glance at However, I have no clue if there are even better versions available. Sven -- From mouring at pconline.com Thu Jun 29 02:17:43 2000 
From: mouring at pconline.com (Ben Lindstrom) Date: Wed, 28 Jun 2000 11:17:43 -0500 (CDT) Subject: bsd-snprintf [was: openssh-2.1.1p1 on Irix6.2 report] In-Reply-To: <20000628180803.A25417@sun31.faw.uni-ulm.de> Message-ID: On Wed, 28 Jun 2000, Sven Mascheck wrote: > Ben Lindstrom wrote: > > > NeXT 3.3 and OpenStep 4.2 dislike the bsd-snprintf.c ..I have two throw > > togethers that work. But they are not portable. I've not looked at the > > LPRNG snprintf.c Which supposedly is highly portable. The current > > version depends on setjmp() which is not part of the NeXT OS. (And looks > > like would be a mess to implement.) > > Yes, the bsd-snprintf uses signal handling for buffer overrun > in vsnprintf(). > > Damien Miller once mentioned the snprintf.c from XFree86. > This derives from an original by Patrick Powell. > This original lacks floating point support, btw. > > You may be interested in another modified version of this > original, too. It's from the mutt package: > > Improved floating point support, I think the XFree one lacks this. > It deals with systems having only one of the two functions. > It comes with a selftest (switched on via define). > There is neither signal handling nor mprotect required. > No changes have been necessary for a long time now. > mprotect() is a minor issue on NeXT. Mach/4.3BSD supports it, but in NeXT they never brought it out to the libc. So a carefully crafted system call was all that was needed. > It compiled "out of the box" on Solaris2.5 and OSF1/V4.0b. > But I have no NeXT. > > It may at least inspire you, like the XFree one. > Have a glance at > I'll take a look at it tonight or tomorrow.. Along with whatever the latest snapshot is. If that works right on most platforms it would save me from writing two very nasty POSIX functions which would require assembly code for four different NeXT hardware flavors (sparc, hppa, intel, m68k). > However, I have no clue if there are even better versions available. 
>

The version I'm currently using is like the one in the OpenBSD source tree.
So anything more portable would make a few people on this list tolerating
my hacks happy in regards to NeXT compatibility.

Ben Lindstrom

From nikhil at mailsafe.org Thu Jun 29 02:43:27 2000
From: nikhil at mailsafe.org (nikhil at mailsafe.org)
Date: Wed, 28 Jun 2000 12:43:27 -0400
Subject: openssh-2.1.1p1 on Debian slink and potato
Message-ID: <2000062812.nikhil.WNNBSAGHVMWM@mailsafe.org>

Just today I compiled openssh-2.1.1p1 on Debian Slink and Potato, both to come out with the same problem.

I am compiling them with openssl-0.9.5a.. The configure line I use for openssh is below:

./configure --sysconfdir=/etc/ssh --prefix=/usr --with-ssl-dir=../openssl-0.9.5a

So I compile, do a make install, restart the sshd daemon and everything seems fine.
Then when I do a w at the prompt look what I get:

a# w
 12:41pm  up 13:58,  1 user,  load average: 0.09, 0.06, 0.06
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
root     pts/0    -                 31Dec69  0.00s  0.13s  0.05s  w
#

So I'm a bit puzzled. I'm not logging in from console, I'm sshing from a remote host; I wonder how come the remote host is not being displayed under FROM.

Same thing happens under who:

# who
root     pts/0    Dec 31 19:00
#

Is there something that I did wrong that I'm overlooking? Not only is the FROM missing but the date is also missing. This was an upgrade from an old version of openssh and that version worked fine.

Can someone please shed some light on what I might've done wrong and how to fix this problem. Please let me know and thanks again

From pekkas at netcore.fi Thu Jun 29 02:50:40 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 28 Jun 2000 19:50:40 +0300 (EEST)
Subject: openssh-2.1.1p1 on Debian slink and potato
In-Reply-To: <2000062812.nikhil.WNNBSAGHVMWM@mailsafe.org>
Message-ID:

> Just today I compiled openssh-2.1.1p1 on Debian Slink and Potato both to come out with the same problem.
>
> I am compiling them with openssl-0.9.5a.. The configure line I use for openssh is below:
> ./configure --sysconfdir=/etc/ssh --prefix=/usr --with-ssl-dir=../openssl-0.9.5a
>
> Then when I do a w at the prompt look what I get:
> a# w
>  12:41pm  up 13:58,  1 user,  load average: 0.09, 0.06, 0.06
> USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU  WHAT
> root     pts/0    -                 31Dec69  0.00s  0.13s  0.05s  w
> #

This is a known issue -- bash2 doesn't like how utmp/utmpx stuff was done in 'configure' in 2.x.x, and required UTMP/UTMPX #define's were left out of config.h.

You could try the latest snapshot,
http://www.mindrot.org/misc/junk/openssh-SNAP-20000628.tar.gz
to try to get around the issue.

--
Pekka Savola                  "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"

From loomisg at cist.saic.com Thu Jun 29 06:04:11 2000
From: loomisg at cist.saic.com (Rip Loomis)
Date: Wed, 28 Jun 2000 13:04:11 -0700
Subject: openssh-2.1.1p1 on Debian slink and potato
In-Reply-To: <2000062812.nikhil.WNNBSAGHVMWM@mailsafe.org>
Message-ID: <001f01bfe13c$073d04b0$275346d1@rloomis.cist.saic.com>

Nikhil--
(If you used to volunteer for ml.org, hello again, otherwise hello...)

This is a known issue with the released 2.1.1p1 on Linux derivatives; Damien already has included the patch in his tree. I would recommend getting the latest "snapshot" tarball from
http://www.mindrot.org/misc/junk/openssh-SNAP-20000628.tar.gz
and using that. (The issue is the way that the configure script decides what utmp/utmpx/wtmp/wtmpx format to use).

Hey Damien--would it be reasonable to release a 2.1.1p2 sometime soon to stop this FAQ? I have functional-but-ugly scripts to build a Solaris installable package that I wasn't rushing to clean up (since I thought another release would be out soon), but is there a plan for the next release? If it's going to be another two weeks then maybe I can get them cleaned up enough to go into contrib/ ....

--Rip

-----Original Message-----
From: owner-openssh-unix-dev at mindrot.org [mailto:owner-openssh-unix-dev at mindrot.org]On Behalf Of nikhil at mailsafe.org Sent: Wednesday, June 28, 2000 9:43 AM To: openssh-unix-dev at mindrot.org Subject: openssh-2.1.1p1 on Debian slink and potato Just today I compilied openssh-2.1.1p1 on Debian Slink and Potato both to come out with the same problem. I am compiling them with openssl-0.9.5a.. The configure line I use for openssh is below: ./configure --sysconfdir=/etc/ssh --prefix=/usr --with-ssl-dir=../openssl-0 .9.5a So I compile, do a make install restart the sshd daemon and everything seems fine. Then when I do a w at the prompt look what I get: a# w 12:41pm up 13:58, 1 user, load average: 0.09, 0.06, 0.06 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root pts/0 - 31Dec69 0.00s 0.13s 0.05s w # So i'm a bit puzzled I'm not logging in from console, I'm sshing from a remote host, I wonder how come the remote host is not being displaed under FROM. Same thing happens under who: # who root pts/0 Dec 31 19:00 # Is there something that I did wrong that I'm over looking? Not only is the FROM missing but the date is also missing. This was an upgrade from a old version of openssh and that version worked fine. Can someone please shed some light on what I might've done wrong and how to fix this problem. Please let me know and thanks again From maf at appgate.com Thu Jun 29 05:17:30 2000 
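The "-" under FROM and the 31Dec69 login time in the report above are what a login record looks like when its origin-host and time fields are never filled in. As an added example, not OpenSSH's own login code, here is a record built the way a login(3)-style routine should fill it for an ssh session, beside the incomplete record the thread describes, and an audit check that flags such entries; struct utmpx field names are assumed to be those of glibc, and all sample values are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <utmpx.h>

/* Problems that audit_login_record() can flag, OR-ed together. */
enum {
    REC_OK            = 0,
    REC_NO_HOST       = 1 << 0,  /* ut_host empty: w(1) prints "-" under FROM      */
    REC_NO_TIME       = 1 << 1,  /* ut_tv zero: w(1)/who(1) print the epoch, 31Dec69 */
    REC_NOT_USER_PROC = 1 << 2,  /* ut_type is not USER_PROCESS                    */
    REC_NO_LINE       = 1 << 3   /* ut_line empty: no pts/N to attribute the login */
};

/* Fill a utmpx record the way a correct login routine should for an
 * interactive ssh session: type, pid, tty line, id, user, origin host, time. */
struct utmpx make_login_record(const char *user, const char *line,
                               const char *host, pid_t pid, time_t when)
{
    struct utmpx ut;
    memset(&ut, 0, sizeof ut);
    ut.ut_type = USER_PROCESS;
    ut.ut_pid  = pid;
    strncpy(ut.ut_line, line, sizeof ut.ut_line - 1);
    /* ut_id is conventionally the tail of the line name, e.g. "ts/0" for pts/0 */
    size_t len = strlen(line);
    const char *id = len > sizeof ut.ut_id ? line + len - sizeof ut.ut_id : line;
    strncpy(ut.ut_id, id, sizeof ut.ut_id);
    strncpy(ut.ut_user, user, sizeof ut.ut_user - 1);
    strncpy(ut.ut_host, host, sizeof ut.ut_host - 1);
    ut.ut_tv.tv_sec  = when;
    ut.ut_tv.tv_usec = 0;
    return ut;
}

/* The record the thread reports: user, line and pid are set but the host
 * and time fields are left untouched (the thread attributes this to utmp
 * #defines missing from config.h). Constructed for illustration. */
struct utmpx make_incomplete_record(const char *user, const char *line, pid_t pid)
{
    struct utmpx ut;
    memset(&ut, 0, sizeof ut);
    ut.ut_type = USER_PROCESS;
    ut.ut_pid  = pid;
    strncpy(ut.ut_line, line, sizeof ut.ut_line - 1);
    strncpy(ut.ut_user, user, sizeof ut.ut_user - 1);
    return ut;
}

/* Report which fields a live record is missing. An entry that passes this
 * check shows its origin and login time in w(1) and who(1), so a login that
 * fails it cannot be attributed to a source host from the accounting files. */
int audit_login_record(const struct utmpx *ut)
{
    int problems = REC_OK;
    if (ut->ut_type != USER_PROCESS)
        problems |= REC_NOT_USER_PROC;
    if (ut->ut_line[0] == '\0')
        problems |= REC_NO_LINE;
    if (ut->ut_host[0] == '\0')
        problems |= REC_NO_HOST;
    if (ut->ut_tv.tv_sec == 0)
        problems |= REC_NO_TIME;
    return problems;
}

/* Render the login time the way w(1) does, so the epoch shows as 31Dec69. */
static void format_login_time(const struct utmpx *ut, char *out, size_t n)
{
    time_t t = ut->ut_tv.tv_sec;
    strftime(out, n, "%d%b%y", gmtime(&t));
}

int main(void)
{
    /* constructed sample values, not read from a real utmp file */
    struct utmpx good = make_login_record("root", "pts/0", "10.0.0.5", 1234, 962210460);
    struct utmpx bad  = make_incomplete_record("root", "pts/0", 1234);
    char when[32];

    format_login_time(&good, when, sizeof when);
    printf("complete:   problems=%d FROM=%s LOGIN@=%s\n",
           audit_login_record(&good), good.ut_host, when);
    format_login_time(&bad, when, sizeof when);
    printf("incomplete: problems=%d FROM=%s LOGIN@=%s\n",
           audit_login_record(&bad), bad.ut_host[0] ? bad.ut_host : "-", when);
    return 0;
}
```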
From: maf at appgate.com (Martin Forssen)
Date: Wed, 28 Jun 2000 21:17:30 +0200 (MET DST)
Subject: F-secure -> Openssh Compatibility
In-Reply-To:
Message-ID:

On Tue, 27 Jun 2000, W. Scott Wilburn wrote:

> We have Macintoshes running Fsecure SSH client 1.0.1 which are unable to
> connect to a server running Openssh 2.1.1 on Red Hat 6.2.
>
> I believe that the problem is a bug with Fsecure, since a 30-day trial
> version of 1.0.2 works fine. I'm a bit reluctant to tell all the Mac users
> they have to spend money to upgrade, though, since everything was fine
> until I switched my machines to OpenSSH from commercial SSH.
>
> Does anyone have any info on this? Is there a workaround?

I think the version you are using is unable to connect to a server supporting the 2.0-protocol, even if the server handles version-1.5. There is some problem in the initial handshake where the client gets confused by the version number it initially receives.

The solution is to run the server in ssh-1.5 only mode. Or if you need 2.0-capability, run a 1.5-server on another port.

/MaF

From wilburn at lanl.gov Thu Jun 29 06:20:16 2000
From: wilburn at lanl.gov (W. Scott Wilburn) Date: Wed, 28 Jun 2000 14:20:16 -0600 (MDT) Subject: F-secure -> Openssh Compatibility In-Reply-To: Message-ID: Martin, Thanks. That is exactly what is happening. I found the readme for the latest Fsecure client and it says that bug is fixed. Unfortunately, simply telling the openssh server to only use ssh1 doesn't help with the old client. Scott On Wed, 28 Jun 2000, Martin Forssen wrote: > On Tue, 27 Jun 2000, W. Scott Wilburn wrote: > > We have Macintoshes running Fsecure SSH client 1.0.1 which are unable to > > connect to a server running Openssh 2.1.1 on Red Hat 6.2. > > > > I believe that the problem is a bug with Fsecure, since a 30-day trial > > version of 1.0.2 works fine. I'm a bit reluctant to tell all the Mac users > > they have to spend money to upgrade, though, since everything was fine > > until I switched my machines to OpenSSH from commercial SSH. > > > > Does anyone have any info on this? Is there a workaround? > > I think the version you are using is unable to connect to a server > supporting the 2.0-protocol. Even if the server handles version-1.5. There > is some problem in the initial handshake where the client gets confused by > the version number it initially receives. > > The solution is to run the server in ssh-1.5 only mode. Or if you need > 2.0-capability run a 1.5-server on another port. > > /MaF > -- *--------------------------------*-------------------------* | W. Scott Wilburn | Email: wilburn at lanl.gov | | Los Alamos National Laboratory | Phone: (505) 667-2107 | | MS H803 | Fax: (505) 665-4121 | | Los Alamos, NM 87545 | | *--------------------------------*-------------------------* From djm at mindrot.org Thu Jun 29 07:02:05 2000 
From: djm at mindrot.org (Damien Miller)
Date: Thu, 29 Jun 2000 07:02:05 +1000 (EST)
Subject: Please test this snapshot
In-Reply-To: <001f01bfe13c$073d04b0$275346d1@rloomis.cist.saic.com>
Message-ID:

On Wed, 28 Jun 2000, Rip Loomis wrote:

> Hey Damien--would it be reasonable to release a
> 2.1.1p2 sometime soon to stop this FAQ?

Yes, it has been a lack of time which has prevented me so far.

It would be great if I could get some feedback on how
http://www.mindrot.org/misc/junk/openssh-SNAP-20000629.tar.gz
works on Solaris, Irix 6.x, HPUX, AIX, Tru64 and SCO.

BTW this snapshot contains DEC OSF/Tru64 SIA support, enable it using "USE_SIA=1 ./configure [options]". I would like some feedback from DEC users as to the correctness of this code (as I know nothing about SIA).

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From Thanh.Ma at casi-rusco.com Thu Jun 29 07:58:29 2000
From: Thanh.Ma at casi-rusco.com (Thanh Ma)
Date: Wed, 28 Jun 2000 17:58:29 -0400
Subject: Please test this snapshot
Message-ID: <9B6977074BA8D311B3B30090279C703B766C7D@bctexc10.casi-rusco.com>

It compiled with no problems on both UnixWare 7.1.1 and AIX 4.3.3 by running './configure'

Thanh

> -----Original Message-----
> From: Damien Miller [mailto:djm at mindrot.org] > Sent: Wednesday, June 28, 2000 5:02 PM > To: Gilbert.R.Loomis at saic.com > Cc: nikhil at mailsafe.org; openssh-unix-dev at mindrot.org > Subject: Please test this snapshot > > > On Wed, 28 Jun 2000, Rip Loomis wrote: > > > Hey Damien--would it be reasonable to release a > > 2.1.1p2 sometime soon to stop this FAQ? > > Yes, it has been a lack of time which has prevented me so far. > > It would be great if I could get some feedback on how > http://www.mindrot.org/misc/junk/openssh-SNAP-20000629.tar.gz > works on Solaris, Irix 6.x, HPUX, AIX, Tru64 and SCO. > > BTW this snapshot contains DEC OSF/Tru64 SIA support, enable it > using "USE_SIA=1 ./configure [options]". I would like some feedback > from DEC users as to the correctness of this code (as I know nothing > about SIA). > > -d > > -- > | "Bombay is 250ms from New York in the new world order" - Alan Cox > | Damien Miller - http://www.mindrot.org/ > | Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work) > > > > > From gem at rellim.com Thu Jun 29 08:14:20 2000 
From: gem at rellim.com (Gary E. Miller) Date: Wed, 28 Jun 2000 15:14:20 -0700 (PDT) Subject: Please test this snapshot In-Reply-To: Message-ID: Yo Damien! On Thu, 29 Jun 2000, Damien Miller wrote: > It would be great if I could get some feedback on how > http://www.mindrot.org/misc/junk/openssh-SNAP-20000629.tar.gz > works on Solaris, Irix 6.x, HPUX, AIX, Tru64 and SCO. A quick check shows that: ./configure && make && make install compiles fine on SCO UnixWare 7.1.0 Outbound ssh worked fine. I connected to the server from SecureCRT 3.1b2 and SSH in version 1 and 2 modes. Version 1 protocol worked OK. No luck with V2. This seemed odd so I went to 2.1.1p1 and found the same result on this host. In both cases it hung just after the password was accepted. I tried w and w/o compression, different encryption and MACs, X is off, See below for the logs. RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 >From SecureCRT 3.1b2 logs: [SSH LOCAL ONLY] : SEND : SERVICE_REQUEST [userauth] [SSH LOCAL ONLY] : RECV : SERVICE_ACCEPT [SSH LOCAL ONLY] : SENT : USERAUTH_REQUEST [password] [SSH LOCAL ONLY] : RECV : AUTH_SUCCESS [SSH LOCAL ONLY] : State Change: SSH_STATE_USERAUTH->SSH_STATE_CONNECTION Environment: USER=gem LOGNAME=gem HOME=/home/gem PATH=/usr/bin:/bin:/usr/sbin:/sbin MAIL=/var/mail//gem SHELL=/bin/bash TZ=:US/Pacific SSH_CLIENT=204.17.205.3 1909 3389 >From the Openssh SNAP logs: bash-2.03# ./sshd -p 3389 -d debug: sshd version OpenSSH_2.1.1 debug: loaded 20 entropy commands from /usr/local/etc/ssh_prng_cmds debug: Seeding random number generator. debug: OpenSSL random status is now 0 debug: 3 bytes from system calls debug: 33 bytes from programs debug: OpenSSL random status is now 1 debug: loading PRNG seed from file /root/.ssh/prng_seed debug: read DSA private key done debug: Seeding random number generator. 
debug: OpenSSL random status is now 1 debug: 3 bytes from system calls debug: 33 bytes from programs debug: OpenSSL random status is now 1 debug: Bind to port 3389 on 0.0.0.0. Server listening on 0.0.0.0 port 3389. Generating 768 bit RSA key. debug: Seeding random number generator. debug: OpenSSL random status is now 1 debug: 3 bytes from system calls debug: 33 bytes from programs debug: OpenSSL random status is now 1 debug: Seeding random number generator. debug: OpenSSL random status is now 1 debug: 3 bytes from system calls debug: 33 bytes from programs debug: OpenSSL random status is now 1 RSA key generation complete. debug: Server will not fork when running in debugging mode. Connection from 204.17.205.3 port 1909 debug: Client protocol version 2.0; client software version 3.0 SecureCRT (tm), a product of Van Dyke Technologies, Inc. Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-1.99-OpenSSH_2.1.1 debug: send KEXINIT debug: done debug: wait KEXINIT debug: got kexinit: diffie-hellman-group1-sha1 debug: got kexinit: ssh-dss debug: got kexinit: 3des-cbc debug: got kexinit: 3des-cbc debug: got kexinit: hmac-md5 debug: got kexinit: hmac-md5 debug: got kexinit: none debug: got kexinit: none debug: got kexinit: debug: got kexinit: debug: first kex follow: 0 debug: reserved: 0 debug: done debug: kex: client->server 3des-cbc hmac-md5 none debug: kex: server->client 3des-cbc hmac-md5 none debug: Wait SSH2_MSG_KEXDH_INIT. debug: bits set: 512/1024 debug: bits set: 527/1024 debug: sig size 20 20 debug: send SSH2_MSG_NEWKEYS. debug: done: send SSH2_MSG_NEWKEYS. debug: Wait SSH2_MSG_NEWKEYS. debug: GOT SSH2_MSG_NEWKEYS. debug: done: KEX2. debug: userauth-request for user gem service ssh-connection method password Accepted password for gem from 204.17.205.3 port 1909 ssh2 debug: Entering interactive session for SSH2. 
debug: server_init_dispatch_20 debug: channel_input_open: ctype session rchan 0 win 8192 max 8192 debug: open session debug: channel 0: new [server-session] debug: session_new: init debug: session_new: session 0 debug: session_open: channel 0 debug: session_open: session 0: link with channel 0 debug: confirm session debug: callback start debug: session_by_channel: session 0 channel 0 debug: session_input_channel_req: session 0 channel 0 request pty-req reply 0 debug: Received SIGCHLD. error: grantpt: Interrupted system call error: session_pty_req: session 0 alloc failed debug: callback done debug: callback start debug: session_by_channel: session 0 channel 0 debug: session_input_channel_req: session 0 channel 0 request shell reply 0 debug: fd 9 setting O_NONBLOCK debug: fd 11 setting O_NONBLOCK debug: callback done debug: tvp!=NULL kid 1 mili 100 debug: session_by_pid: pid 18642 error: session_by_pid: unknown pid 18642 debug: dump: used 1 session 0 80ecc4c channel 0 pid 18643 debug: dump: used 0 session 1 80eccd8 channel 0 pid 0 debug: dump: used 0 session 2 80ecd64 channel 0 pid 0 debug: dump: used 0 session 3 80ecdf0 channel 0 pid 0 debug: dump: used 0 session 4 80ece7c channel 0 pid 0 debug: dump: used 0 session 5 80ecf08 channel 0 pid 0 debug: dump: used 0 session 6 80ecf94 channel 0 pid 0 debug: dump: used 0 session 7 80ed020 channel 0 pid 0 debug: dump: used 0 session 8 80ed0ac channel 0 pid 0 debug: dump: used 0 session 9 80ed138 channel 0 pid 0 debug: session_close_by_pid: no session for pid 0 debug: channel 0: read 13 from efd 11 debug: channel 0: read 11 from efd 11 debug: channel 0: read 14 from efd 11 debug: channel 0: read 17 from efd 11 debug: channel 0: read 37 from efd 11 debug: channel 0: read 22 from efd 11 debug: channel 0: read 18 from efd 11 debug: channel 0: read 17 from efd 11 debug: channel 0: read 36 from efd 11 From JPhillips at matrasystems.com Thu Jun 29 09:24:13 2000 
From: JPhillips at matrasystems.com (Jim Phillips) Date: Wed, 28 Jun 2000 19:24:13 -0400 Subject: SSH-2.2.0 (for Windows) and OpenSSH-2.1.1p1 Message-ID: I just upgraded my Windows SSH client from the 2.1.x version (whatever it was) to 2.2.0 and am now experiencing difficulties connecting to my OpenSSH-2.1.1p1 Linux servers. I'm not as up-to-speed as I should be on the inner workings of the handshakes that go on, but from the debug logs and from trying different connection methods, it seems to be isolated to using publickeys. This wouldn't surprise me. I had to re-generate new keys after upgrading because 2.2.0 couldn't read my old 2.1.x public or private keys (that seems to have been that 2.2.x now uses Unix linefeeds instead of DOS linefeeds - it's the only difference between the two files that I can see). So I re-generated the keypair, uploaded the public to my OpenSSH server via FTP.. Logged into the OpenSSH server from another Linux box with OpenSSH, ran ssh-keygen -x -f mynewkey.pub, appended the output to authorized_keys2, and tried to log in. No such luck. Below is the closest thing I could get to debug output out of the Windows client (unless someone knows a command line switch to get a debug log), followed by the log from my server.. Note that even though the reported client hostname is linux2.matrasystems.com, it's not really.. Just an IPmasqueraded connection. Also, I get the same results no matter what cypher or algorithm I select from the client. It does work using password authentication if I set the server to allow that.. This did work with SSH 2.1.x. Anybody have any suggestions? 
Client Troubleshooting Report ========================================================================= SSH Windows Secure Shell Troubleshooting Report Generated on Wed Jun 28 2000 22:27:39 SSH Client version: 2.2.0 (Build 123) License: Name: Jim Phillips Company: Email: jphillips at ergonet-ent.com License Type: academic Number of Licenses: 1 License Issued on: 2000-05-01 License Expires on: License Signature: C0CC 9864 9798 ABD6 CB38 Operating system: Microsoft Windows 2000 version 5.0 (Build 2195) Remote host version: SSH-1.99-OpenSSH_2.1.1 Negotiated Algorithms: Connection Settings: Encryption Algorithm: MAC Algorithm: Compression: zlib Port Number: 4040 Connect Through Firewall: No Firewall: (Empty) Firewall Port: 1080 Last 5 Messages displayed: Message 1: Server responded "too many failed userauth_requests". A protocol error was detected. This usually indicates a bug in the SSH application (either client or server). If you can repeatedly reproduce this problem, please send a detailed bug report (including version number and instructions for reproducing the problem) to ssh-bugs at ssh.fi. Message 2: Authentication failed. Most likely the password you supplied was incorrect. The user name might also be wrong, or the account might be disabled. Please check your password and try again a few times. If this does not help, please contact the system administrator of the remote machine. ======================================================== Server Debug Log ======================================================== debug: sshd version OpenSSH_2.1.1 debug: Seeding random number generator debug: read DSA private key done debug: Seeding random number generator debug: Bind to port 4040 on 0.0.0.0. Server listening on 0.0.0.0 port 4040. Generating 768 bit RSA key. debug: Seeding random number generator debug: Seeding random number generator RSA key generation complete. debug: Server will not fork when running in debugging mode. 
Connection from 209.186.189.140 port 63337 debug: Client protocol version 1.99; client software version 2.2.0 SSH Secure Shell for Windows datafellows: 2.2.0 SSH Secure Shell for Windows Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-1.99-OpenSSH_2.1.1 debug: send KEXINIT debug: done debug: wait KEXINIT debug: got kexinit: diffie-hellman-group1-sha1 debug: got kexinit: ssh-dss debug: got kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour debug: got kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour debug: got kexinit: hmac-md5,hmac-sha1 debug: got kexinit: hmac-md5,hmac-sha1 debug: got kexinit: zlib debug: got kexinit: zlib debug: got kexinit: debug: got kexinit: debug: first kex follow: 1 debug: reserved: 0 debug: done debug: kex: client->server 3des-cbc hmac-md5 zlib debug: kex: server->client 3des-cbc hmac-md5 zlib debug: Wait SSH2_MSG_KEXDH_INIT. debug: bits set: 518/1024 debug: bits set: 495/1024 debug: sig size 20 20 debug: send SSH2_MSG_NEWKEYS. debug: Enabling compression at level 6. debug: done: send SSH2_MSG_NEWKEYS. debug: Wait SSH2_MSG_NEWKEYS. debug: GOT SSH2_MSG_NEWKEYS. debug: done: KEX2. debug: userauth-request for user jphillips service ssh-connection method none debug: Starting up PAM with username "jphillips" Failed none for jphillips from 209.186.189.140 port 63337 ssh2 debug: userauth-request for user jphillips service ssh-connection method publickey debug: keytype ssh-dss debug: test key... 
debug: keytype ssh-dss debug: keytype ssh-dss debug: matching key found: file /home/jphillips/.ssh/authorized_keys2, line 2 debug: PAM setting rhost to "linux2.matrasystems.com" Postponed publickey for jphillips from 209.186.189.140 port 63337 ssh2 debug: userauth-request for user jphillips service ssh-connection method publickey debug: keytype ssh-dss debug: keytype ssh-dss debug: keytype ssh-dss debug: matching key found: file /home/jphillips/.ssh/authorized_keys2, line 2 debug: len 55 datafellows 20 debug: dsa_verify: signature incorrect Failed publickey for jphillips from 209.186.189.140 port 63337 ssh2 debug: userauth-request for user jphillips service ssh-connection method password Failed password for jphillips from 209.186.189.140 port 63337 ssh2 debug: userauth-request for user jphillips service ssh-connection method publickey debug: keytype ssh-dss debug: test key... debug: keytype ssh-dss debug: keytype ssh-dss debug: matching key found: file /home/jphillips/.ssh/authorized_keys2, line 2 debug: PAM setting rhost to "linux2.matrasystems.com" Postponed publickey for jphillips from 209.186.189.140 port 63337 ssh2 debug: compress outgoing: raw data 1033, compressed 559, factor 0.54 debug: compress incoming: raw data 2200, compressed 665, factor 0.30 Disconnecting: too many failed userauth_requests debug: Calling cleanup 0x804f260(0x0) debug: Calling cleanup 0x805f340(0x0) Jim Phillips - Facilities Manager MATRA Systems, Inc. Phone: +1 (770) 931-0038 FAX: +1 (770) 931-3444 URL: http://www.matrasystems.com/ E-Mail: jphillips at matrasystems.com We can fix this, but you're gonna need a butter knife, a roll of duct tape, and a car battery... From damien at galexia.com.au Thu Jun 29 09:33:22 2000 
From: damien at galexia.com.au (Damien Mascord) Date: Thu, 29 Jun 2000 09:33:22 +1000 Subject: Solaris 8 build and test of snapshot Message-ID: <4.3.2.7.2.20000629092127.00d138c0@mail.galexia.com.au> Hi Damien (Miller), And compiles fine... (options below) on running, this seemed to be the only issue... debug: Command 'ipcs -a' timed out last and who both report correctly, including the full hostname for who... and probably nothing: debug: tvp!=NULL kid 0 mili 10 bout 50 times while using ssh... and on exit, this error message came up (this has been an issue with solaris for a while, though ssh doesn't seem to care) Cannot delete credentials: Permission denied sshd seems to function correctly otherwise though, and ssh works like a charm as per usual. Thanx for you fine efforts (wish I had the time to go through some of the code myself and fix some issues), Damien --- OpenSSH configured has been configured with the following options. User binaries: /usr/local/bin System binaries: /usr/local/sbin Configuration files: /usr/local/etc Askpass program: /usr/local/libexec/ssh/ssh-askpass Manual pages: /usr/local/man/manX PID file: /var/run Random number collection: Builtin (timeout 200) Manpage format: man PAM support: yes KerberosIV support: no AFS support: no S/KEY support: no TCP Wrappers support: no MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: no Compiler flags: -g -O2 -Wall -I/usr/local/include -I/usr/local/ssl/include Linker flags: -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib -L/usr/local/ssl/lib -L/usr/local/ssl -R/usr/local/ssl/lib -R/usr/local/ssl Libraries: -ldl -lsocket -lnsl -lz -lpam -lcrypto _____________________________________________________________ Damien Mascord Email: damien at galexia.com.au Network and System Administrator http://www.galexia.com.au Galexia Mobile: +61 414 448 272 Level 1, 3 Montague Street Tel: +61 2 9555 5913 Balmain, NSW 2041 Australia Fax: +61 2 
9555 5688

From karn at ka9q.ampr.org Thu Jun 29 09:42:34 2000
From: karn at ka9q.ampr.org (Phil Karn)
Date: Wed, 28 Jun 2000 16:42:34 -0700
Subject: connection forwarding troubles
Message-ID: <200006282342.QAA21445@homer.ka9q.ampr.org>

I'm still seeing problems when I use TCP connection forwarding across SSH to surf the web. I see lots of error messages of the form

channel 1: chan_shutdown_read: shutdown() failed for fd7 [i1 o128]: Transport endpoint is not connected

And I see occasional connection lockups. Both ends are running openssh-2.1.1p1.

Phil

From mfisk at lanl.gov Thu Jun 29 09:50:06 2000
From: mfisk at lanl.gov (Mike Fisk)
Date: Wed, 28 Jun 2000 23:50:06 +0000 (GMT)
Subject: F-secure -> Openssh Compatibility
In-Reply-To:
Message-ID:

It does appear that F-Secure 1.0.1 on Mac does not like protocol versions greater than 1.5. However, why does OpenSSH 2.1.1 (with ssh2 disabled) advertise that it supports protocol version 1.99?

SSH-1.99-OpenSSH_2.1.1

On Wed, 28 Jun 2000, Martin Forssen wrote:
> On Tue, 27 Jun 2000, W. Scott Wilburn wrote:
> > We have Macintoshes running Fsecure SSH client 1.0.1 which are unable to
> > connect to a server running Openssh 2.1.1 on Red Hat 6.2.
> >
> > I believe that the problem is a bug with Fsecure, since a 30-day trial
> > version of 1.0.2 works fine. I'm a bit reluctant to tell all the Mac users
> > they have to spend money to upgrade, though, since everything was fine
> > until I switched my machines to OpenSSH from commercial SSH.
> >
> > Does anyone have any info on this? Is there a workaround?
>
> I think the version you are using is unable to connect to a server
> supporting the 2.0-protocol. Even if the server handles version-1.5. There
> is some problem in the initial handshake where the client gets confused by
> the version number it initially receives.
>
> The solution is to run the server in ssh-1.5 only mode. Or if you need
> 2.0-capability run a 1.5-server on another port.
>
> /MaF
>

--
Mike Fisk, RADIANT Team, Network Engineering Group, Los Alamos National Lab
See http://home.lanl.gov/mfisk/ for contact information

From janfrode at parallab.uib.no Thu Jun 29 17:31:45 2000
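The 1.99 banner Mike asks about is the SSH identification string's compatibility signal: a server able to speak both protocols identifies as 1.99, and a client is expected to read 1.99 as "1.x or 2.0, whichever you support" (RFC 4253 section 5.1). As an added example that is neither OpenSSH's nor F-Secure's code, here is a banner parser with the decision a conforming client makes, beside the decision of a client that simply rejects any version above 1.5, which is the behaviour Mike reports; the banner strings are the ones quoted in this thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct ssh_version {
    int  major;
    int  minor;
    char software[64];   /* e.g. "OpenSSH_2.1.1" */
};

/* Parse an identification line such as "SSH-1.99-OpenSSH_2.1.1\r\n".
 * Returns 0 on success, -1 if the line is not an SSH identification. */
int parse_ssh_banner(const char *line, struct ssh_version *v)
{
    if (strncmp(line, "SSH-", 4) != 0)
        return -1;
    const char *p = line + 4;
    char *end;
    long major = strtol(p, &end, 10);
    if (end == p || *end != '.')
        return -1;
    p = end + 1;
    long minor = strtol(p, &end, 10);
    if (end == p || *end != '-')
        return -1;
    v->major = (int)major;
    v->minor = (int)minor;
    /* the software version runs up to the first space or CR/LF */
    size_t n = strcspn(end + 1, " \r\n");
    if (n >= sizeof v->software)
        n = sizeof v->software - 1;
    memcpy(v->software, end + 1, n);
    v->software[n] = '\0';
    return 0;
}

enum { TALK_NONE = 0, TALK_V1 = 1, TALK_V2 = 2 };

/* Decision of a conforming client (RFC 4253 section 5.1): "1.99" means the
 * server accepts both protocols, so the client takes the newest it supports. */
int client_choose_protocol(const struct ssh_version *server,
                           int client_has_v1, int client_has_v2)
{
    int compat = (server->major == 1 && server->minor == 99);
    if (client_has_v2 && (server->major == 2 || compat))
        return TALK_V2;
    if (client_has_v1 && server->major == 1)   /* 1.x, including 1.99 */
        return TALK_V1;
    return TALK_NONE;
}

/* Decision of a protocol-1-only client that compares the minor version
 * literally and refuses anything newer than 1.5, never special-casing 1.99.
 * Against a 1.99 server this client gives up before authentication. */
int strict_v1_client_choose(const struct ssh_version *server)
{
    if (server->major == 1 && server->minor <= 5)
        return TALK_V1;
    return TALK_NONE;
}

int main(void)
{
    const char *banners[] = { "SSH-1.99-OpenSSH_2.1.1\r\n", "SSH-1.5-OpenSSH-2.1" };
    for (size_t i = 0; i < sizeof banners / sizeof banners[0]; i++) {
        struct ssh_version v;
        if (parse_ssh_banner(banners[i], &v) != 0) {
            printf("%s: not an SSH banner\n", banners[i]);
            continue;
        }
        printf("%s (%d.%d): conforming v1-only client -> %d, "
               "v1+v2 client -> %d, strict <=1.5 client -> %d\n",
               v.software, v.major, v.minor,
               client_choose_protocol(&v, 1, 0),
               client_choose_protocol(&v, 1, 1),
               strict_v1_client_choose(&v));
    }
    return 0;
}
```

Running the server in ssh-1.5 only mode, as suggested upthread, makes it identify as 1.5, which is the only banner the strict client accepts.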
From: janfrode at parallab.uib.no (Jan-Frode Myklebust) Date: Thu, 29 Jun 2000 09:31:45 +0200 Subject: Please test this snapshot In-Reply-To: ; from djm@mindrot.org on Thu, Jun 29, 2000 at 07:02:05AM +1000 References: <001f01bfe13c$073d04b0$275346d1@rloomis.cist.saic.com> Message-ID: <20000629093145.A20712@ii.uib.no> On Thu, Jun 29, 2000 at 07:02:05AM +1000, Damien Miller wrote: > > It would be great if I could get some feedback on how > http://www.mindrot.org/misc/junk/openssh-SNAP-20000629.tar.gz > works on Solaris, Irix 6.x, HPUX, AIX, Tru64 and SCO. > Seems to be working just fine here on IRIX64 6.5.8m. No mangled utmp/wtmps. There are a few warnings during the build, and I've attached the whole log to this email. ------------------------------------------------------------------ setenv CC cc ./configure --prefix=/usr/local/openssh-2.1.1p1 --with-ssl-dir=/usr/local/ssl OpenSSH configured has been configured with the following options. User binaries: /usr/local/openssh-2.1.1p1-SNAP/bin System binaries: /usr/local/openssh-2.1.1p1-SNAP/sbin Configuration files: /usr/local/openssh-2.1.1p1-SNAP/etc Askpass program: /usr/local/openssh-2.1.1p1-SNAP/libexec/ssh/ssh-askpass Manual pages: /usr/local/openssh-2.1.1p1-SNAP/man/X PID file: /var/run Random number collection: Builtin (timeout 200) Manpage format: cat PAM support: no KerberosIV support: no AFS support: no S/KEY support: no TCP Wrappers support: no MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: no Compiler flags: -g -I/usr/local/include -I/usr/local/ssl//include Linker flags: -L/usr/local/ssl//lib -L/usr/local/ssl/ Libraries: -lz -lcrypto ------------------------------------------------------------------ -jf -- Jan-Frode Myklebust, Para//ab, High Performance Computing Center -------------- next part -------------- A non-text attachment was scrubbed... 
Name: openssh-build-log.gz Type: application/x-gunzip Size: 2873 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000629/cb95e83d/attachment.bin From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Jun 29 18:07:08 2000 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Thu, 29 Jun 2000 10:07:08 +0200
Subject: Please test this snapshot
In-Reply-To: ; from djm@mindrot.org on Thu, Jun 29, 2000 at 07:02:05AM +1000
References: <001f01bfe13c$073d04b0$275346d1@rloomis.cist.saic.com>
Message-ID: <20000629100708.A1075@ws01.aet.tu-cottbus.de>

On Thu, Jun 29, 2000 at 07:02:05AM +1000, Damien Miller wrote:
> On Wed, 28 Jun 2000, Rip Loomis wrote:
>
> > Hey Damien--would it be reasonable to release a
> > 2.1.1p2 sometime soon to stop this FAQ?
>
> Yes, it has been a lack of time which has prevented me so far.
>
> It would be great if I could get some feedback on how
> http://www.mindrot.org/misc/junk/openssh-SNAP-20000629.tar.gz
> works on Solaris, Irix 6.x, HPUX, AIX, Tru64 and SCO.

The snapshot compiles and runs fine on HP-UX 10.20:
There are a small number of warnings (that tend to be typical when porting software to HP-UX), so I have appended the configuration and build information.

X11 forwarding does not work, though:
debug: X11 forwarding disabled in user configuration file.

There is a new check used in session_x11_req:

        if (!no_port_forwarding_flag) {
                debug("X11 forwarding disabled in user configuration file.");
                return 0;
        }

1. I would think that the logic is inverted. If no_port_forwarding==1 we don't want forwarding.
2. You probably meant the no_x11_forwarding_flag, as used and parsed in auth-options.c

I have attached my proposed patch.

Best regards,
        Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
-------------- next part --------------
--- session.c.orig Thu Jun 29 10:01:02 2000
+++ session.c Thu Jun 29 10:01:24 2000
@@ -1371,7 +1371,7 @@ int session_x11_req(Session *s) { - if (!no_port_forwarding_flag) { + if (no_x11_forwarding_flag) { debug("X11 forwarding disabled in user configuration file."); return 0; } -------------- next part -------------- creating cache ./config.cache checking for gcc... cc checking whether the C compiler (cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -L/usr/local/lib -L/usr/lib/X11R6) works... yes checking whether the C compiler (cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -L/usr/local/lib -L/usr/lib/X11R6) is a cross-compiler... no checking whether we are using GNU C... no checking whether cc accepts -g... yes checking host system type... hppa2.0-hp-hpux10.20 checking how to run the C preprocessor... cc -E checking for ranlib... ranlib checking for a BSD compatible install... /opt/imake/bin/install -c checking for ar... ar checking for perl... /usr/contrib/bin/perl checking for ent... no checking for inline... no checking for HPUX trusted system password database... no checking for deflate in -lz... yes checking for login in -lutil... no checking for yp_match in -lnsl... no checking for main in -lsocket... no checking for bstring.h... no checking for endian.h... no checking for lastlog.h... no checking for limits.h... yes checking for login.h... no checking for maillock.h... no checking for netdb.h... yes checking for netgroup.h... no checking for netinet/in_systm.h... yes checking for paths.h... no checking for poll.h... yes checking for pty.h... no checking for shadow.h... no checking for security/pam_appl.h... no checking for sys/bitypes.h... no checking for sys/bsdtty.h... yes checking for sys/cdefs.h... no checking for sys/poll.h... yes checking for sys/select.h... no checking for sys/stat.h... yes checking for sys/stropts.h... yes checking for sys/sysmacros.h... yes checking for sys/time.h... yes checking for sys/ttcompat.h... no checking for stddef.h... yes checking for time.h... 
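Review bot: the new condition `if (no_x11_forwarding_flag)` in session_x11_req corrects both defects named in the message, since the old `if (!no_port_forwarding_flag)` returned early exactly when forwarding was allowed and tested the port-forwarding option rather than the X11 one; the remaining question is whether session.c has no_x11_forwarding_flag in scope at all, given that the message says it is parsed in auth-options.c, so the hunk should be checked (or extended) with the extern declaration that lets this file see it, alongside wherever no_port_forwarding_flag is already declared, or the build fails on the renamed symbol.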
yes
checking for util.h... no
checking for utmp.h... yes
checking for utmpx.h... yes
checking for arc4random... no
checking for atexit... yes
checking for b64_ntop... no
checking for bcopy... yes
checking for bindresvport_af... no
checking for clock... yes
checking for freeaddrinfo... no
checking for gai_strerror... no
checking for getaddrinfo... no
checking for getnameinfo... no
checking for getrusage... yes
checking for innetgr... yes
checking for md5_crypt... no
checking for memmove... yes
checking for mkdtemp... no
checking for on_exit... no
checking for openpty... no
checking for rresvport_af... no
checking for setenv... no
checking for seteuid... no
checking for setlogin... no
checking for setproctitle... no
checking for setreuid... yes
checking for snprintf... yes
checking for strlcat... no
checking for strlcpy... no
checking for vsnprintf... yes
checking for vhangup... yes
checking for _getpty... no
checking for __b64_ntop... no
checking for gettimeofday... yes
checking for time... yes
checking for login... no
checking for logout... no
checking for updwtmp... no
checking for logwtmp... no
checking for entutent... no
checking for getutent... yes
checking for getutid... yes
checking for getutline... yes
checking for pututline... yes
checking for setutent... yes
checking for utmpname... yes
checking for entutxent... no
checking for getutxent... yes
checking for getutxid... yes
checking for getutxline... yes
checking for pututxline... yes
checking for setutxent... yes
checking for utmpxname... no
checking for login... (cached) no
checking for login in -lbsd... no
checking for daemon... no
checking for daemon in -lbsd... no
checking for getpagesize... yes
checking for OpenSSL directory... /usr/local/ssl
checking for RSA support... yes
checking size of char... 1
checking size of short int... 2
checking size of int... 4
checking size of long int... 4
checking size of long long int... 8
checking for intXX_t types... yes
checking for u_intXX_t types...
no
checking for uintXX_t types... yes
checking for socklen_t... no
checking for size_t... yes
checking for ssize_t... yes
checking for sa_family_t... no
checking for pid_t... yes
checking for mode_t... yes
checking for struct sockaddr_storage... no
checking for struct sockaddr_in6... no
checking for struct in6_addr... no
checking for struct addrinfo... no
checking for ut_host field in utmp.h... yes
checking for ut_host field in utmpx.h... yes
checking for syslen field in utmpx.h... no
checking for ut_pid field in utmp.h... yes
checking for ut_type field in utmp.h... yes
checking for ut_type field in utmpx.h... yes
checking for ut_tv field in utmp.h... no
checking for ut_id field in utmp.h... yes
checking for ut_addr field in utmp.h... yes
checking for ut_addr field in utmpx.h... yes
checking for ut_addr_v6 field in utmp.h... no
checking for ut_addr_v6 field in utmpx.h... no
checking for ut_exit field in utmp.h... yes
checking for ut_time field in utmp.h... yes
checking for ut_time field in utmpx.h... no
checking for ut_tv field in utmpx.h... yes
checking for ss_family field in struct sockaddr_storage... no
checking for __ss_family field in struct sockaddr_storage... no
checking if libc defines __progname... no
checking for /dev/ptmx... yes
checking for /dev/ptc... no
checking for /dev/urandom... no
checking for libwrap... yes
checking if the systems has expire shadow information... yes
checking if we need to convert IPv4 in IPv6-mapped addresses... no (default)
checking if your system defines LASTLOG_FILE... no
checking if your system defines _PATH_LASTLOG... no
configure: warning: ** Cannot find lastlog **
checking if your system defines UTMP_FILE... yes
checking if your system defines WTMP_FILE... yes
checking if your system defines UTMPX_FILE... yes
checking if your system defines WTMPX_FILE...
no
updating cache ./config.cache
creating ./config.status
creating Makefile
creating ssh_prng_cmds
creating config.h

OpenSSH configured has been configured with the following options.
                 User binaries: /usr/local/openssh/bin
               System binaries: /usr/local/openssh/sbin
           Configuration files: /etc/ssh
               Askpass program: /usr/local/openssh/libexec/ssh/ssh-askpass
                  Manual pages: /usr/local/openssh/man/catX
                      PID file: /var/run1
      Random number collection: EGD (/var/run/egd-pool)
                Manpage format: cat
                   PAM support: no
            KerberosIV support: no
                   AFS support: no
                 S/KEY support: no
          TCP Wrappers support: yes
          MD5 password support: no
   IP address in $DISPLAY hack: no
      Use IPv4 by default hack: no
       Translate v4 in v6 hack: no

                Compiler flags: -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include
                  Linker flags: -L/usr/local/lib -L/usr/lib/X11R6 -L/usr/local/ssl/lib -L/usr/local/ssl
                     Libraries: -lz -lcrypto -lwrap
-------------- next part --------------
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c bsd-base64.c
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c bsd-bindresvport.c
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c bsd-daemon.c
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\"
-DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c bsd-misc.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c bsd-mktemp.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c bsd-rresvport.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c bsd-setenv.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c bsd-snprintf.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c bsd-strlcat.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c bsd-strlcpy.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" 
-DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c fake-getaddrinfo.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c fake-getnameinfo.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c next-posix.c ar rv libopenbsd-compat.a bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-misc.o bsd-mktemp.o bsd-rresvport.o bsd-setenv.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o fake-getaddrinfo.o fake-getnameinfo.o next-posix.o ar: creating libopenbsd-compat.a a - bsd-base64.o a - bsd-bindresvport.o a - bsd-daemon.o a - bsd-misc.o a - bsd-mktemp.o a - bsd-rresvport.o a - bsd-setenv.o a - bsd-snprintf.o a - bsd-strlcat.o a - bsd-strlcpy.o a - fake-getaddrinfo.o a - fake-getnameinfo.o a - next-posix.o ranlib libopenbsd-compat.a cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c atomicio.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c authfd.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H 
-c authfile.c cc: "authfile.c", line 165: warning 604: Pointers are not assignment-compatible. cc: "authfile.c", line 165: warning 563: Argument #4 is not the correct type. cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c aux.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c bufaux.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c buffer.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c canohost.c cc: "canohost.c", line 41: warning 604: Pointers are not assignment-compatible. cc: "canohost.c", line 41: warning 563: Argument #3 is not the correct type. cc: "canohost.c", line 152: warning 604: Pointers are not assignment-compatible. cc: "canohost.c", line 152: warning 563: Argument #5 is not the correct type. cc: "canohost.c", line 221: warning 604: Pointers are not assignment-compatible. cc: "canohost.c", line 221: warning 563: Argument #3 is not the correct type. cc: "canohost.c", line 249: warning 604: Pointers are not assignment-compatible. cc: "canohost.c", line 249: warning 563: Argument #3 is not the correct type. cc: "canohost.c", line 254: warning 604: Pointers are not assignment-compatible. 
cc: "canohost.c", line 254: warning 563: Argument #3 is not the correct type. cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c channels.c cc: "channels.c", line 516: warning 604: Pointers are not assignment-compatible. cc: "channels.c", line 516: warning 563: Argument #3 is not the correct type. cc: "channels.c", line 572: warning 604: Pointers are not assignment-compatible. cc: "channels.c", line 572: warning 563: Argument #3 is not the correct type. cc: "channels.c", line 628: warning 604: Pointers are not assignment-compatible. cc: "channels.c", line 628: warning 563: Argument #3 is not the correct type. cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c cipher.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c compat.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c compress.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c crc32.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae 
-D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c deattack.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c dispatch.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c dsa.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c fingerprint.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c hmac.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c hostfile.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c key.c cc: "key.c", line 148: warning 604: Pointers are not assignment-compatible. cc: "key.c", line 148: warning 563: Argument #3 is not the correct type. 
cc: "key.c", line 269: warning 604: Pointers are not assignment-compatible. cc: "key.c", line 269: warning 563: Argument #1 is not the correct type. cc: "key.c", line 313: warning 604: Pointers are not assignment-compatible. cc: "key.c", line 313: warning 563: Argument #3 is not the correct type. cc: "key.c", line 315: warning 604: Pointers are not assignment-compatible. cc: "key.c", line 315: warning 563: Argument #3 is not the correct type. cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c kex.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c log.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c match.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c mpaux.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c nchan.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" 
-DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c packet.c cc: "packet.c", line 173: warning 604: Pointers are not assignment-compatible. cc: "packet.c", line 173: warning 563: Argument #3 is not the correct type. cc: "packet.c", line 177: warning 604: Pointers are not assignment-compatible. cc: "packet.c", line 177: warning 563: Argument #3 is not the correct type. cc: "packet.c", line 195: warning 604: Pointers are not assignment-compatible. cc: "packet.c", line 195: warning 563: Argument #3 is not the correct type. cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c radix.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c entropy.c cc: "entropy.c", line 161: warning 604: Pointers are not assignment-compatible. cc: "entropy.c", line 161: warning 563: Argument #1 is not the correct type. 
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c readpass.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c rsa.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c tildexpand.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c ttymodes.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c uidswap.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c uuencode.c cc: "uuencode.c", line 41: warning 604: Pointers are not assignment-compatible. cc: "uuencode.c", line 41: warning 563: Argument #3 is not the correct type. 
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c xmalloc.c ar rv libssh.a atomicio.o authfd.o authfile.o aux.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o dispatch.o dsa.o fingerprint.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o ar: creating libssh.a a - atomicio.o a - authfd.o a - authfile.o a - aux.o a - bufaux.o a - buffer.o a - canohost.o a - channels.o a - cipher.o a - compat.o a - compress.o a - crc32.o a - deattack.o a - dispatch.o a - dsa.o a - fingerprint.o a - hmac.o a - hostfile.o a - key.o a - kex.o a - log.o a - match.o a - mpaux.o a - nchan.o a - packet.o a - radix.o a - entropy.o a - readpass.o a - rsa.o a - tildexpand.o a - ttymodes.o a - uidswap.o a - uuencode.o a - xmalloc.o ranlib libssh.a cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c ssh.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c sshconnect.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c sshconnect1.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae 
-D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c sshconnect2.c cc: "sshconnect2.c", line 323: warning 604: Pointers are not assignment-compatible. cc: "sshconnect2.c", line 323: warning 563: Argument #3 is not the correct type. cc: "sshconnect2.c", line 331: warning 604: Pointers are not assignment-compatible. cc: "sshconnect2.c", line 331: warning 563: Argument #2 is not the correct type. cc: "sshconnect2.c", line 346: warning 604: Pointers are not assignment-compatible. cc: "sshconnect2.c", line 346: warning 563: Argument #4 is not the correct type. cc: "sshconnect2.c", line 353: warning 604: Pointers are not assignment-compatible. cc: "sshconnect2.c", line 353: warning 563: Argument #2 is not the correct type. cc: "sshconnect2.c", line 406: warning 604: Pointers are not assignment-compatible. cc: "sshconnect2.c", line 406: warning 563: Argument #1 is not the correct type. cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c log-client.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c readconf.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c clientloop.c cc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o -L. 
-L/usr/local/lib -L/usr/lib/X11R6 -L/usr/local/ssl/lib -L/usr/local/ssl -lssh -lopenbsd-compat -lz -lcrypto -lwrap cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c sshd.c cc: "auth.h", line 10: warning 558: Empty declaration. cc: "sshd.c", line 781: warning 604: Pointers are not assignment-compatible. cc: "sshd.c", line 781: warning 563: Argument #3 is not the correct type. cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c auth.c cc: "auth.h", line 10: warning 558: Empty declaration. cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c auth1.c cc: "auth.h", line 10: warning 558: Empty declaration. cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c auth2.c cc: "auth.h", line 10: warning 558: Empty declaration. cc: "auth2.c", line 331: warning 604: Pointers are not assignment-compatible. cc: "auth2.c", line 331: warning 563: Argument #2 is not the correct type. cc: "auth2.c", line 349: warning 604: Pointers are not assignment-compatible. cc: "auth2.c", line 349: warning 563: Argument #2 is not the correct type. cc: "auth2.c", line 349: warning 604: Pointers are not assignment-compatible. 
cc: "auth2.c", line 349: warning 563: Argument #4 is not the correct type. cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c auth-rhosts.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c auth-options.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c auth-krb4.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c auth-pam.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c auth-passwd.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c auth-rsa.c cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c 
auth-rh-rsa.c
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c pty.c
cc: "pty.c", line 239: warning 604: Pointers are not assignment-compatible.
cc: "pty.c", line 241: warning 604: Pointers are not assignment-compatible.
cc: "pty.c", line 241: warning 563: Argument #2 is not the correct type.
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c log-server.c
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c login.c
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c loginrec.c
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c servconf.c
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c serverloop.c
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c md5crypt.c
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c session.c
cc: "auth.h", line 10: warning 558: Empty declaration.
cc: "session.c", line 412: warning 611: Qualifiers are not assignment-compatible.
cc: "session.c", line 412: warning 563: Argument #1 is not the correct type.
cc: "session.c", line 545: warning 611: Qualifiers are not assignment-compatible.
cc: "session.c", line 545: warning 563: Argument #1 is not the correct type.
cc: "session.c", line 577: warning 604: Pointers are not assignment-compatible.
cc: "session.c", line 577: warning 563: Argument #3 is not the correct type.
cc -o sshd sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o -L. -L/usr/local/lib -L/usr/lib/X11R6 -L/usr/local/ssl/lib -L/usr/local/ssl -lssh -lopenbsd-compat -lz -lcrypto -lwrap
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c ssh-add.c
cc -o ssh-add ssh-add.o log-client.o -L. -L/usr/local/lib -L/usr/lib/X11R6 -L/usr/local/ssl/lib -L/usr/local/ssl -lssh -lopenbsd-compat -lz -lcrypto -lwrap
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c ssh-keygen.c
cc: "ssh-keygen.c", line 129: warning 604: Pointers are not assignment-compatible.
cc: "ssh-keygen.c", line 129: warning 563: Argument #3 is not the correct type.
cc: "ssh-keygen.c", line 219: warning 604: Pointers are not assignment-compatible.
cc: "ssh-keygen.c", line 219: warning 563: Argument #3 is not the correct type.
cc -o ssh-keygen ssh-keygen.o log-client.o -L. -L/usr/local/lib -L/usr/lib/X11R6 -L/usr/local/ssl/lib -L/usr/local/ssl -lssh -lopenbsd-compat -lz -lcrypto -lwrap
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c ssh-agent.c
cc: "ssh-agent.c", line 426: warning 604: Pointers are not assignment-compatible.
cc: "ssh-agent.c", line 426: warning 563: Argument #3 is not the correct type.
cc -o ssh-agent ssh-agent.o log-client.o -L. -L/usr/local/lib -L/usr/lib/X11R6 -L/usr/local/ssl/lib -L/usr/local/ssl -lssh -lopenbsd-compat -lz -lcrypto -lwrap
cc -Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6 -Ae -D_HPUX_SOURCE -I/usr/local/ssl/include -DETCDIR=\"/etc/ssh\" -DSSH_PROGRAM=\"/usr/local/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/openssh/libexec/ssh/ssh-askpass\" -DHAVE_CONFIG_H -c scp.c
cc -o scp scp.o -L. -L/usr/local/lib -L/usr/lib/X11R6 -L/usr/local/ssl/lib -L/usr/local/ssl -lssh -lopenbsd-compat -lz -lcrypto -lwrap
/usr/contrib/bin/perl ./fixpaths -D/etc/ssh_config=/etc/ssh/ssh_config -D/etc/known_hosts=/etc/ssh/ssh_known_hosts -D/etc/sshd_config=/etc/ssh/sshd_config -D/etc/shosts.equiv=/etc/ssh/shosts.equiv -D/etc/ssh_host_key=/etc/ssh/ssh_host_key -D/var/run/sshd.pid=/var/run1/sshd.pid ./sshd_config
/usr/contrib/bin/perl ./fixpaths -D/etc/ssh_config=/etc/ssh/ssh_config -D/etc/known_hosts=/etc/ssh/ssh_known_hosts -D/etc/sshd_config=/etc/ssh/sshd_config -D/etc/shosts.equiv=/etc/ssh/shosts.equiv -D/etc/ssh_host_key=/etc/ssh/ssh_host_key -D/var/run/sshd.pid=/var/run1/sshd.pid ./ssh_config
-------------- next part --------------
CC=cc CFLAGS="-Ae +O2 +DAportable -I/usr/local/include -I/usr/include/X11R6" LDFLAGS="-L/usr/local/lib -L/usr/lib/X11R6" ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-rsh=/usr/local/lib/rsh/remsh --with-tcp-wrappers --with-pid-dir=/var/run1 --with-xauth=/usr/bin/X11/xauth --with-ssl-dir=/usr/local/ssl --with-egd-pool=/var/run/egd-pool

From vinschen at cygnus.com Thu Jun 29 23:07:10 2000
From: vinschen at cygnus.com (Corinna Vinschen)
Date: Thu, 29 Jun 2000 15:07:10 +0200
Subject: _PATH_BSHELL versus /bin/sh
Message-ID: <395B49FE.68EA3967@cygnus.com>

Hi all,

while _PATH_BSHELL is defined in "defines.h", there are two sources which use /bin/sh _hardcoded_. Shouldn't that be changed to _PATH_BSHELL, too?

session.c:1065:     f = popen("/bin/sh " SSH_USER_RC, "w");
session.c:1076:     f = popen("/bin/sh " SSH_SYSTEM_RC, "w");
sshconnect.c:111:   argv[0] = "/bin/sh";
sshconnect.c:118:   execv("/bin/sh", argv);
sshconnect.c:119:   perror("/bin/sh");

The problem is that this hardcoded path refuses simple recompiling for special environments with other default shells.

Corinna

--
Corinna Vinschen
Cygwin Developer
Cygnus Solutions, a Red Hat company

From dprevett at cs.unm.edu Fri Jun 30 02:01:56 2000
From: dprevett at cs.unm.edu (Daniel Prevett)
Date: Thu, 29 Jun 2000 10:01:56 -0600 (MDT)
Subject: SSH-2.2.0 (for Windows) and OpenSSH-2.1.1p1
In-Reply-To:
Message-ID:

Hi Jim,

The IETF documents that describe SSH2 have changed in regard to Public Key Authentication. I believe that they also made minor modifications to disconnect messages but I am not sure.

SSH Communications 2.2.0 servers & clients are using the new specifications for PKA. I believe that they have a backwards compatibility mode for their own older servers, but it doesn't surprise me that it doesn't work with OpenSSH.

The relevant documents (for anyone who's interested) are at:
http://www.ietf.org/html.charters/secsh-charter.html
The internet drafts are available from that page.

-Daniel

On Wed, 28 Jun 2000, Jim Phillips wrote:

> I just upgraded my Windows SSH client from the 2.1.x version (whatever it
> was) to 2.2.0 and am now experiencing difficulties connecting to my
> OpenSSH-2.1.1p1 Linux servers.
>
> I'm not as up-to-speed as I should be on the inner workings of the
> handshakes that go on, but from the debug logs and from trying different
> connection methods, it seems to be isolated to using publickeys. This
> wouldn't surprise me. I had to re-generate new keys after upgrading because
> 2.2.0 couldn't read my old 2.1.x public or private keys (that seems to have
> been that 2.2.x now uses Unix linefeeds instead of DOS linefeeds - it's the
> only difference between the two files that I can see).
>
> So I re-generated the keypair, uploaded the public to my OpenSSH server via
> FTP.. Logged into the OpenSSH server from another Linux box with OpenSSH,
> ran ssh-keygen -x -f mynewkey.pub, appended the output to authorized_keys2,
> and tried to log in. No such luck.
>
> Below is the closest thing I could get to debug output out of the Windows
> client (unless someone knows a command line switch to get a debug log),
> followed by the log from my server..
> Note that even though the reported
> client hostname is linux2.matrasystems.com, it's not really.. Just an
> IP-masqueraded connection. Also, I get the same results no matter what
> cypher or algorithm I select from the client. It does work using password
> authentication if I set the server to allow that..
>
> This did work with SSH 2.1.x. Anybody have any suggestions?
>
> Client Troubleshooting Report
> =========================================================================
> SSH Windows Secure Shell Troubleshooting Report
> Generated on Wed Jun 28 2000 22:27:39
>
> SSH Client version:
> 2.2.0 (Build 123)
>
> License:
> Name: Jim Phillips
> Company:
> Email: jphillips at ergonet-ent.com
> License Type: academic
> Number of Licenses: 1
> License Issued on: 2000-05-01
> License Expires on:
> License Signature: C0CC 9864 9798 ABD6 CB38
>
> Operating system:
> Microsoft Windows 2000 version 5.0 (Build 2195)
>
> Remote host version:
> SSH-1.99-OpenSSH_2.1.1
>
> Negotiated Algorithms:
>
>
> Connection Settings:
> Encryption Algorithm:
> MAC Algorithm:
> Compression: zlib
> Port Number: 4040
> Connect Through Firewall: No
> Firewall: (Empty)
> Firewall Port: 1080
>
> Last 5 Messages displayed:
> Message 1:
> Server responded "too many failed userauth_requests".
>
> A protocol error was detected. This usually indicates a bug in the SSH
> application (either client or server).
> If you can repeatedly reproduce this problem, please send a detailed bug
> report (including version number and instructions for reproducing the
> problem) to ssh-bugs at ssh.fi.
>
> Message 2:
> Authentication failed. Most likely the password you supplied was incorrect.
> The user name might also be wrong, or the account might be disabled.
> Please check your password and try again a few times.
> If this does not help, please contact the system administrator of the remote
> machine.
>
> ========================================================
> Server Debug Log
> ========================================================
> debug: sshd version OpenSSH_2.1.1
> debug: Seeding random number generator
> debug: read DSA private key done
> debug: Seeding random number generator
> debug: Bind to port 4040 on 0.0.0.0.
> Server listening on 0.0.0.0 port 4040.
> Generating 768 bit RSA key.
> debug: Seeding random number generator
> debug: Seeding random number generator
> RSA key generation complete.
> debug: Server will not fork when running in debugging mode.
> Connection from 209.186.189.140 port 63337
> debug: Client protocol version 1.99; client software version 2.2.0 SSH
> Secure Shell for Windows
> datafellows: 2.2.0 SSH Secure Shell for Windows
> Enabling compatibility mode for protocol 2.0
> debug: Local version string SSH-1.99-OpenSSH_2.1.1
> debug: send KEXINIT
> debug: done
> debug: wait KEXINIT
> debug: got kexinit: diffie-hellman-group1-sha1
> debug: got kexinit: ssh-dss
> debug: got kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour
> debug: got kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour
> debug: got kexinit: hmac-md5,hmac-sha1
> debug: got kexinit: hmac-md5,hmac-sha1
> debug: got kexinit: zlib
> debug: got kexinit: zlib
> debug: got kexinit:
> debug: got kexinit:
> debug: first kex follow: 1
> debug: reserved: 0
> debug: done
> debug: kex: client->server 3des-cbc hmac-md5 zlib
> debug: kex: server->client 3des-cbc hmac-md5 zlib
> debug: Wait SSH2_MSG_KEXDH_INIT.
> debug: bits set: 518/1024
> debug: bits set: 495/1024
> debug: sig size 20 20
> debug: send SSH2_MSG_NEWKEYS.
> debug: Enabling compression at level 6.
> debug: done: send SSH2_MSG_NEWKEYS.
> debug: Wait SSH2_MSG_NEWKEYS.
> debug: GOT SSH2_MSG_NEWKEYS.
> debug: done: KEX2.
> debug: userauth-request for user jphillips service ssh-connection method
> none
> debug: Starting up PAM with username "jphillips"
> Failed none for jphillips from 209.186.189.140 port 63337 ssh2
> debug: userauth-request for user jphillips service ssh-connection method
> publickey
> debug: keytype ssh-dss
> debug: test key...
> debug: keytype ssh-dss
> debug: keytype ssh-dss
> debug: matching key found: file /home/jphillips/.ssh/authorized_keys2, line
> 2
> debug: PAM setting rhost to "linux2.matrasystems.com"
> Postponed publickey for jphillips from 209.186.189.140 port 63337 ssh2
> debug: userauth-request for user jphillips service ssh-connection method
> publickey
> debug: keytype ssh-dss
> debug: keytype ssh-dss
> debug: keytype ssh-dss
> debug: matching key found: file /home/jphillips/.ssh/authorized_keys2, line
> 2
> debug: len 55 datafellows 20
> debug: dsa_verify: signature incorrect
> Failed publickey for jphillips from 209.186.189.140 port 63337 ssh2
> debug: userauth-request for user jphillips service ssh-connection method
> password
> Failed password for jphillips from 209.186.189.140 port 63337 ssh2
> debug: userauth-request for user jphillips service ssh-connection method
> publickey
> debug: keytype ssh-dss
> debug: test key...
> debug: keytype ssh-dss
> debug: keytype ssh-dss
> debug: matching key found: file /home/jphillips/.ssh/authorized_keys2, line
> 2
> debug: PAM setting rhost to "linux2.matrasystems.com"
> Postponed publickey for jphillips from 209.186.189.140 port 63337 ssh2
> debug: compress outgoing: raw data 1033, compressed 559, factor 0.54
> debug: compress incoming: raw data 2200, compressed 665, factor 0.30
> Disconnecting: too many failed userauth_requests
> debug: Calling cleanup 0x804f260(0x0)
> debug: Calling cleanup 0x805f340(0x0)
>
>
>
>
>
> Jim Phillips - Facilities Manager
> MATRA Systems, Inc.
> Phone: +1 (770) 931-0038 FAX: +1 (770) 931-3444
> URL: http://www.matrasystems.com/ E-Mail: jphillips at matrasystems.com
> We can fix this, but you're gonna need a butter knife, a roll of duct tape,
> and a car battery...

From mouring at pconline.com Fri Jun 30 02:19:24 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Thu, 29 Jun 2000 11:19:24 -0500 (CDT)
Subject: snprintf & sigaction [was: Re: bsd-snprintf]
In-Reply-To: <20000628180803.A25417@sun31.faw.uni-ulm.de>
Message-ID:

On Wed, 28 Jun 2000, Sven Mascheck wrote:

[..]
> It compiled "out of the box" on Solaris2.5 and OSF1/V4.0b.
> But i have no NeXT.
>
> It may at least inspire you, like the XFree one.
> Have a glance at
>

This version works perfectly fine as a dropin replacement to our current bsd-snprintf.c .. NeXT is MUCH happier with this version of snprintf.

Damien, can we look at using this snprintf.c instead of the current one?

BTW.. I found (out of the OpenBSD tree) a replacement sigaction() for platforms that lack it (like NeXT) and I'm in the process of integrating it into my tree. If you want to look at it.. You'll need:

src/lib/libcurses/base/sigaction.c and src/lib/libcurses/SigAction.h

It looks like it was GNU in nature. And the only two things we need to add to the ./configure script is to detect the existence of sigaction() (define: HAVE_SIGACTION) and detect if we have sigvec() (define: HAVE_SIGVEC) and if the latter is found and the former is not the code is activated.

The current issue that needs to be resolved is "struct sigaction" vs "struct sigaction_t" and NeXT's gcc complaining about a lack of sizeof() working correctly using "typedef struct sigvec sigaction" (Besides the fact it's *.sa_[..] vs *.sv_[..])

Ben Lindstrom

From tbert at abac.com Fri Jun 30 04:17:54 2000
From: tbert at abac.com (Tom Bertelson)
Date: Thu, 29 Jun 2000 14:17:54 -0400
Subject: Please test this snapshot
References:
Message-ID: <395B92D2.40A5BB80@abac.com>

Damien Miller wrote:
>
> On Wed, 28 Jun 2000, Rip Loomis wrote:
>
> > Hey Damien--would it be reasonable to release a
> > 2.1.1p2 sometime soon to stop this FAQ?
>
> Yes, it has been a lack of time which has prevented me so far.
>
> It would be great if I could get some feedback on how
> http://www.mindrot.org/misc/junk/openssh-SNAP-20000629.tar.gz
> works on Solaris, Irix 6.x, HPUX, AIX, Tru64 and SCO.

Sorry, but there's problems with AIX.

Some old thing - utmp entries. This fixes a buffer underrun, a reversed test, and the assumption size_t == int. I suspect any architecture that uses pututline(3) and doesn't have utmpx may have the same problems.

To test for this:
host1$ ssh host2
host2$ tty          # note the number
host2$ who          # you should be there
host2$ ssh localhost
host2$ tty          # a different number
host2$ who          # Oops! First entry replaced with this new one
host2$ exit
host2$ tty          # still there
host2$ who          # Oops! First entry gone

I'm looking at logintest.c and trying to figure out a good test for this without trashing utmp (too much), but no luck so far.

Also, I noticed incomplete support for HAVE_ID_IN_UTMPX. I've tested this with Solaris, and it seems to work fine with or without this patch.

--
Tom Bertelson           "Any sufficiently advanced technology
RHI Consulting           is indistinguishable from magic."
tbert at abac.com           -- Arthur C. Clarke
-------------- next part --------------
--- configure.in.orig Thu Jun 29 13:18:02 2000 +++ configure.in Thu Jun 29 13:18:12 2000
@@ -636,6 +636,7 @@ OSSH_CHECK_HEADER_FOR_FIELD(ut_type, utmpx.h, HAVE_TYPE_IN_UTMPX) OSSH_CHECK_HEADER_FOR_FIELD(ut_tv, utmp.h, HAVE_TV_IN_UTMP) OSSH_CHECK_HEADER_FOR_FIELD(ut_id, utmp.h, HAVE_ID_IN_UTMP) +OSSH_CHECK_HEADER_FOR_FIELD(ut_id, utmpx.h, HAVE_ID_IN_UTMPX) OSSH_CHECK_HEADER_FOR_FIELD(ut_addr, utmp.h, HAVE_ADDR_IN_UTMP) OSSH_CHECK_HEADER_FOR_FIELD(ut_addr, utmpx.h, HAVE_ADDR_IN_UTMPX) OSSH_CHECK_HEADER_FOR_FIELD(ut_addr_v6, utmp.h, HAVE_ADDR_V6_IN_UTMP) --- config.h.in.orig Thu Jun 29 13:48:26 2000 +++ config.h.in Thu Jun 29 13:48:31 2000 @@ -53,6 +53,7 @@ #undef HAVE_TV_IN_UTMP #undef HAVE_TV_IN_UTMPX #undef HAVE_ID_IN_UTMP +#undef HAVE_ID_IN_UTMPX #undef HAVE_EXIT_IN_UTMP #undef HAVE_TIME_IN_UTMP #undef HAVE_TIME_IN_UTMPX --- loginrec.c.orig Thu Jun 29 13:13:12 2000 +++ loginrec.c Thu Jun 29 14:01:50 2000 @@ -535,11 +535,13 @@ memset(dst, '\0', dstsize); + if (strncmp(src, "/dev/", 5) == 0) + src += 5; len = strlen(src); - if (len <= 0) { - src += (len - dstsize); - strncpy(dst, src, dstsize); /* note: _don't_ change this to strlcpy */ + if (len > 0) { + src += (int) len - dstsize > 0 ? (int) len - dstsize : 0; + strncpy(dst, src, (size_t) dstsize); /* note: _don't_ change this to strlcpy */ } return dst; @@ -647,7 +649,9 @@ construct_utmpx(struct logininfo *li, struct utmpx *utx) { memset(utx, '\0', sizeof(struct utmpx)); +# ifdef HAVE_ID_IN_UTMPX line_abbrevname(utx->ut_id, li->line, sizeof(utx->ut_id)); +# endif /* this is done here to keep utmp constants out of loginrec.h */ switch (li->type) { --- configure.orig Thu Jun 29 13:20:40 2000 +++ configure Thu Jun 29 13:20:09 2000 
@@ -3827,6 +3827,46 @@ fi +# look for field 'ut_id' in header 'utmpx.h' + ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` + ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id + echo $ac_n "checking for ut_id field in utmpx.h""... $ac_c" 1>&6 +echo "configure:3795: checking for ut_id field in utmpx.h" >&5 + if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + + cat > conftest.$ac_ext < +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "ut_id" >/dev/null 2>&1; then + rm -rf conftest* + eval "$ossh_varname=yes" +else + rm -rf conftest* + eval "$ossh_varname=no" +fi +rm -f conftest* + +fi + + ossh_result=`eval 'echo $'"$ossh_varname"` + if test -n "`echo $ossh_varname`"; then + echo "$ac_t""$ossh_result" 1>&6 + if test "x$ossh_result" = "xyes"; then + cat >> confdefs.h <<\EOF +#define HAVE_ID_IN_UTMPX 1 +EOF + + fi + else + echo "$ac_t""no" 1>&6 + fi + + # look for field 'ut_addr' in header 'utmp.h' ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr From djm at mindrot.org Fri Jun 30 08:04:12 2000 
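Review bot: in the loginrec.c line_abbrevname hunk, the new `src += (int) len - dstsize > 0 ? (int) len - dstsize : 0;` only stays non-negative while dstsize is a signed int; if dstsize were ever a size_t the subtraction would be done unsigned, `> 0` would hold whenever len < dstsize, and src would again be moved before the start of the string, which is exactly the underrun being fixed. The same intent reads more safely as `if (len > (size_t) dstsize) src += len - dstsize;`, which also stops relying on `-` binding tighter than `>` inside the ternary. The `if (len > 0)` replacing the reversed `if (len <= 0)` and the `/dev/` strip are correct: with the old test any non-empty line left dst all-NUL, which fits the `who` symptoms described in the message. The strncpy with exactly dstsize bytes deliberately leaves no terminating NUL when the tail fills the field, as fixed-width utmp fields expect, so the existing "_don't_ change this to strlcpy" comment should stay.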
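Review bot: the `# ifdef HAVE_ID_IN_UTMPX` guard in the construct_utmpx hunk of loginrec.c is only effective if a configure run can define the macro, so this hunk, the configure.in OSSH_CHECK_HEADER_FOR_FIELD(ut_id, utmpx.h, HAVE_ID_IN_UTMPX) line and the config.h.in `#undef HAVE_ID_IN_UTMPX` have to land together; if any one of the three is dropped, ut_id is silently never filled on utmpx systems and pututxline has nothing to match on. Worth confirming that the struct utmp path in construct_utmp carries the equivalent HAVE_ID_IN_UTMP test (config.h.in shows that macro already exists) so the two paths behave the same.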
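Review bot: the generated-configure hunk at `@@ -3827,6 +3827,46 @@` should be dropped from the patch and produced by re-running autoconf on configure.in instead. Its progress message `echo "configure:3795: checking for ut_id field in utmpx.h" >&5` carries a line number that does not match where the block sits, so it was hand-placed rather than regenerated, and as posted the conftest heredoc reads `cat > conftest.$ac_ext < +EOF` with no header include between it and `EOF`, so the `egrep "ut_id"` test cannot be verified from the patch as shown (this may be archive mangling, but it is what a reviewer would have to apply). Shipping a diff against the generated file also guarantees conflicts for anyone whose configure was regenerated with a different autoconf.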
From: djm at mindrot.org (Damien Miller)
Date: Fri, 30 Jun 2000 08:04:12 +1000 (EST)
Subject: connection forwarding troubles
In-Reply-To: <200006282342.QAA21445@homer.ka9q.ampr.org>
Message-ID:

On Wed, 28 Jun 2000, Phil Karn wrote:

> I'm still seeing problems when I use TCP connection forwarding across
> SSH to surf the web. I see lots of error messages of the form

I have set up my home machine to replicate the setup you are using "ssh -L 8080:localhost:8080 proxy" IIRC

> channel 1: chan_shutdown_read: shutdown() failed for fd7 [i1
> o128]: Transport endpoint is not connected

Seeing quite a few of these.

> And I see occasional connection lockups.

None of these yet.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From dprevett at cs.unm.edu Fri Jun 30 08:08:12 2000
From: dprevett at cs.unm.edu (Daniel Prevett)
Date: Thu, 29 Jun 2000 16:08:12 -0600 (MDT)
Subject: Protocol 2 disabled by default?
Message-ID:

Hi,

I noticed while installing OpenSSH 2.1.1p1 that in the file sshd_config the line

Protocol 2,1

is commented out by default, disabling SSH2 support. Is this deliberate?

Thanks,

-Daniel

From celinn at mtu.edu Fri Jun 30 15:08:36 2000
From: celinn at mtu.edu (Christopher Linn)
Date: Fri, 30 Jun 2000 01:08:36 -0400
Subject: req: list mirrors on http://www.openssh.com/install.html
Message-ID: <20000630010836.F29371@mtu.edu>

hello all,

it might be handy to have a list of any mirror sites for the required libs, Zlib and OpenSSL, on http://www.OpenSSH.com/install.html... or am i missing something like this on the website?

chris

--
Christopher Linn
Staff System Administrator
Center for Experimental Computation
Michigan Technological University
All opinions are my own, and do not represent the opinions of my employer.
==============================================================================
"...and then i read the directions, where it said ``don't do that''." -- JRH

From djm at mindrot.org Fri Jun 30 15:26:27 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 30 Jun 2000 15:26:27 +1000 (EST)
Subject: req: list mirrors on http://www.openssh.com/install.html
In-Reply-To: <20000630010836.F29371@mtu.edu>
Message-ID:

On Fri, 30 Jun 2000, Christopher Linn wrote:

> hello all,
>
> it might be handy to have a list of any mirror sites for the required
> libs, Zlib and OpenSSL, on http://www.OpenSSH.com/install.html...
> or am i missing something like this on the website?

There are links to the homepages for Zlib and OpenSSL in install.html, there may be mirror lists there.

-d

--
| "Bombay is 250ms from New York in the new world order" - Alan Cox
| Damien Miller - http://www.mindrot.org/
| Email: djm at mindrot.org (home) -or- djm at ibs.com.au (work)

From Matthew_Clarke at mindlink.bc.ca Fri Jun 30 15:38:12 2000
From: Matthew_Clarke at mindlink.bc.ca (Matthew Clarke)
Date: Thu, 29 Jun 2000 22:38:12 -0700
Subject: Please test this snapshot
In-Reply-To: <395B92D2.40A5BB80@abac.com>; from tbert@abac.com on Thu, Jun 29, 2000 at 02:17:54PM -0400
References: <395B92D2.40A5BB80@abac.com>
Message-ID: <20000629223812.A16690@ds0.van.maves.ca>

Hi.

I'm noticing some funnies with utmp on AIX (4.2.1.0.06) too, but haven't finished testing yet, which is why the e-mail describing it is only half-written. Setting "Uselogin yes" seems to avoid the trouble, though the utmp file as shown by "who -a" still doesn't look quite right. I'll try your patch & see what kind of difference it makes.

see ya...
Matt.

--
"Perfection [in design] is achieved not when there is nothing left to add, but rather when there is nothing left to take away." -- Antoine de Saint-Exupery

On Thursday, June 29, 2000, Tom Bertelson told us this:
> Damien Miller wrote:
> >
> > On Wed, 28 Jun 2000, Rip Loomis wrote:
> >
> > > Hey Damien--would it be reasonable to release a
> > > 2.1.1p2 sometime soon to stop this FAQ?
> >
> > Yes, it has been a lack of time which has prevented me so far.
> >
> > It would be great if I could get some feedback on how
> > http://www.mindrot.org/misc/junk/openssh-SNAP-20000629.tar.gz
> > works on Solaris, Irix 6.x, HPUX, AIX, Tru64 and SCO.
>
> Sorry, but there's problems with AIX.
>
> Some old thing - utmp entries. This fixes a buffer underrun, a reversed
> test, and the assumption size_t == int. I suspect any architecture that
> uses pututline(3) and doesn't have utmpx may have the same problems.
>
> To test for this:
> host1$ ssh host2
> host2$ tty          # note the number
> host2$ who          # you should be there
> host2$ ssh localhost
> host2$ tty          # a different number
> host2$ who          # Oops! First entry replaced with this new one
> host2$ exit
> host2$ tty          # still there
> host2$ who          # Oops! First entry gone
>
> I'm looking at logintest.c and trying to figure out a good test for this
> without trashing utmp (too much), but no luck so far.
>
> Also, I noticed incomplete support for HAVE_ID_IN_UTMPX. I've tested
> this with Solaris, and it seems to work fine with or without this patch.
> --
> Tom Bertelson           "Any sufficiently advanced technology
> RHI Consulting           is indistinguishable from magic."
> tbert at abac.com           -- Arthur C. Clarke

[ patch snipped ]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 240 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000629/61de2650/attachment.bin

From celinn at mtu.edu Fri Jun 30 15:49:40 2000
From: celinn at mtu.edu (Christopher Linn)
Date: Fri, 30 Jun 2000 01:49:40 -0400
Subject: req: list mirrors on http://www.openssh.com/install.html
In-Reply-To: ; from Damien Miller on Fri, Jun 30, 2000 at 03:26:27PM +1000
References: <20000630010836.F29371@mtu.edu>
Message-ID: <20000630014940.G29371@mtu.edu>

On Fri, Jun 30, 2000 at 03:26:27PM +1000, Damien Miller wrote:
> On Fri, 30 Jun 2000, Christopher Linn wrote:
>
> > hello all,
> >
> > it might be handy to have a list of any mirror sites for the required
> > libs, Zlib and OpenSSL, on http://www.OpenSSH.com/install.html...
> > or am i missing something like this on the website?
>
> There are links to the homepages for Zlib and OpenSSL in install.html,
> there may be mirror lists there.
>
> -d

yes, however to myself ftp.freesoftware.com is currently down. if http://www.OpenSSH.com/ had a list of zlib mirrors, then i could track it down... i really don't want to be complicated, just a thought ;*)

chris

--
Christopher Linn
Staff System Administrator
Center for Experimental Computation
Michigan Technological University
All opinions are my own, and do not represent the opinions of my employer.
==============================================================================
"...and then i read the directions, where it said ``don't do that''." -- JRH

From terrence.vergauwen at coo.vlaanderen.be Fri Jun 30 23:20:46 2000
From: terrence.vergauwen at coo.vlaanderen.be (Vergauwen Terrence)
Date: Fri, 30 Jun 2000 15:20:46 +0200
Subject: SINIX-N openssh ???
Message-ID: <395C9EAD.23131261@coo.vlaanderen.be>

Hello,

We have been trying to compile openssh on some SINIX (ReliantUNIX 5.42) machines without any success, not even using GCC. Could anyone who has succeeded in compiling openssh on this platform be so kind as to mail me a copy of the binaries ssh, scp, ssh-keygen, ssh-add, ssh-agent and sshd please ??? Or if anyone knows a place where i could download these...

--
Greetings,
Terrence Vergauwen
------------------------------------------------------
Siemens Business Services
Ministerie van de Vlaamse Gemeenschap, Service 3
Unix Systems Engineer, Helpdesk LIN
Ferrarisgebouw 1G02
Koning Albert II-laan 20
B-1000 Brussel
Tel. ++ 32 (0)2 553 74 14
------------------------------------------------------