From vinschen at cygnus.com Sun Oct 1 00:34:33 2000 
From: vinschen at cygnus.com (Corinna Vinschen)
Date: Sat, 30 Sep 2000 15:34:33 +0200
Subject: Snapshot
References: 
Message-ID: <39D5EBE9.2424DEE@cygnus.com>

Damien Miller wrote:
> 
> There is now a new snapshot available at:
> 
> http://www.mindrot.org/misc/openssh/
> 
> Please give this snapshot a good run on your platform of choice. When
> sending success/failure reports, please include the 'host system type'
> as reported by ./configure. It is hoped that this snapshot will become
> 2.2.0p2 in due course.

Tried on Cygwin:

  ./configure --prefix=/usr --sysconfdir=/etc --libexecprefix=/usr/sbin

Reported host system type: i686-pc-cygwin

- Compile time error: Too few arguments to binary_open.

  Creating cygwin_util.h is a good idea, however, open is typically
  called with two or three arguments, so binary_open() should be
  declared as

    int binary_open(const char*, int, ...);

- Compile time error: ssh.c: unknown struct rlimit.

  I think the `#ifdef' isn't correct:

    #if !defined(HAVE_SETRLIMIT) || !defined(HAVE_CYGWIN)

  Since Cygwin doesn't have setrlimit, the second rule may be dropped
  and the first rule should be inverted, isn't it?

    #ifdef HAVE_SETRLIMIT

- Runtime error when trying to connect to sshd:

    /usr/X11R6/bin/xauth: (stdin):2: bad display name "CVAIO/unix:10.0" in "add" command

  The "/unix" method isn't supported by the Cygwin port of X11R6.
  Therefore I had #ifndef'ed the lines in session.c which try to add
  the "host/unix:display.screen" string to xauth. For some reason these
  #ifndef lines disappeared between SNAP-20000916 and 20000930.

After patching the above three points, everything went fine.
The needed patch is attached.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                  mailto:cygwin at sources.redhat.com
Red Hat, Inc.
                                  mailto:vinschen at cygnus.com

-------------- next part --------------
Index: cygwin_util.h
===================================================================
RCS file: /src/cvsroot/openssh-20000930/cygwin_util.h,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 cygwin_util.h
--- cygwin_util.h	2000/09/30 11:15:36	1.1.1.1
+++ cygwin_util.h	2000/09/30 11:52:48
@@ -17,7 +17,7 @@
 
 #ifdef HAVE_CYGWIN
 
-int binary_open(const char *filename, int flags, mode_t mode);
+int binary_open(const char *filename, int flags, ...);
 int binary_pipe(int fd[2]);
 int check_nt_auth(int pwd_authenticated, uid_t uid);
 int check_ntsec(const char *filename);
Index: session.c
===================================================================
RCS file: /src/cvsroot/openssh-20000930/session.c,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 session.c
--- session.c	2000/09/30 11:15:37	1.1.1.1
+++ session.c	2000/09/30 12:16:42
@@ -1327,11 +1327,13 @@ do_child(const char *command, struct pas
 			    "Running %.100s add %.100s %.100s %.100s\n",
 			    options.xauth_location, display,
 			    auth_proto, auth_data);
+#ifndef HAVE_CYGWIN
 			if (screen != NULL)
 				fprintf(stderr,
 				    "Adding %.*s/unix%s %s %s\n",
 				    (int)(screen-display), display,
 				    screen, auth_proto, auth_data);
+#endif
 		}
 		snprintf(cmd, sizeof cmd, "%s -q -",
 		    options.xauth_location);
@@ -1339,10 +1341,12 @@ do_child(const char *command, struct pas
 		if (f) {
 			fprintf(f, "add %s %s %s\n", display,
 			    auth_proto, auth_data);
+#ifndef HAVE_CYGWIN
 			if (screen != NULL)
 				fprintf(f, "add %.*s/unix%s %s %s\n",
 				    (int)(screen-display), display,
 				    screen, auth_proto, auth_data);
+#endif
 			pclose(f);
 		} else {
 			fprintf(stderr, "Could not run %s\n",
Index: ssh.c
===================================================================
RCS file: /src/cvsroot/openssh-20000930/ssh.c,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 ssh.c
--- ssh.c	2000/09/30 11:15:37	1.1.1.1
+++ ssh.c	2000/09/30 11:58:09
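Review bot: the cygwin_util.h hunk changes only the declaration, `int binary_open(const char *filename, int flags, ...);`, so the definition in cygwin_util.c must change with it: fetch the mode with va_start/va_arg and only when `flags & O_CREAT` is set, because a variadic callee that reads a third argument the caller never passed is undefined behaviour, and open() is called with two arguments far more often than three. A one-line comment at the prototype saying the optional argument is a mode_t consulted only with O_CREAT would document the contract the way open(2) does.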
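Review bot: in the two session.c hunks the `#ifndef HAVE_CYGWIN` guards carry no comment saying why the `host/unix:display.screen` xauth entry is omitted on Cygwin; the covering message says these same guards were already dropped once between SNAP-20000916 and 20000930, which is what an unexplained platform ifdef invites. Put the reason (Cygwin's X11R6 xauth rejects the `/unix` display form) at the first `#ifndef HAVE_CYGWIN`, and keep the two guards in step: the second hunk is the one that changes what is fed to `xauth -q -`, the first only silences the matching debug line.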
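Review bot: in the ssh.c hunk, `+#if defined(HAVE_SETRLIMIT)` fixes the inverted condition, but it also means that on any platform without setrlimit() a setuid-root ssh silently skips the block commented "If we are installed setuid root be careful to not drop core", and a core file from a setuid binary can expose whatever privileged data it has read. An `#else` branch with a `#warning` (or a message from configure when setrlimit is missing) would make that loss of protection visible instead of silent.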
@@ -244,7 +244,7 @@ main(int ac, char **av)
 	original_real_uid = getuid();
 	original_effective_uid = geteuid();
 
-#if !defined(HAVE_SETRLIMIT) || !defined(HAVE_CYGWIN)
+#if defined(HAVE_SETRLIMIT)
 	/* If we are installed setuid root be careful to not drop core. */
 	if (original_real_uid != original_effective_uid) {
 		struct rlimit rlim;

From djm at mindrot.org Sun Oct 1 00:44:33 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 1 Oct 2000 00:44:33 +1100 (EST)
Subject: Snapshot
In-Reply-To: <39D5EBE9.2424DEE@cygnus.com>
Message-ID: 

On Sat, 30 Sep 2000, Corinna Vinschen wrote:

> Reported host system type: i686-pc-cygwin

> The needed patch is attached.

Applied - thanks!

-d

-- 
| ``The power of accurate observation is | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From mouring at pconline.com Sun Oct 1 11:20:51 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Sat, 30 Sep 2000 19:20:51 -0500 (CDT)
Subject: [PATCH] realpath fix for NeXT (Re: Snapshot)
In-Reply-To: 
Message-ID: 

Stupid NeXT platform!  I swear somedays I want to slap the original
programmers around... (realpath does not exist, yet somewhere in NeXT's
libc there is a lightly bound realpath() function that has nothing to do
with what we want.)

So here is the realpath() implementation for those that lack it. (I
assume NeXT only since no one else has yelled. =)

I used the realpath() from OpenBSD.. since NeXT lacks fchdir() I worked
around it.

This brings NeXT inline with everyone else.

- Ben

diff -ruN openssh/Makefile.in openssh-mine/Makefile.in
--- openssh/Makefile.in	Fri Sep 29 07:01:36 2000
+++ openssh-mine/Makefile.in	Sat Sep 30 18:42:53 2000
@@ -37,7 +37,7 @@
 
 LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o cygwin_util.o deattack.o dispatch.o dsa.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o entropy.o readp ass.o rsa.o tildexpand.o ttymodes.o uidswap.o util.o uuencode.o xmalloc.o
 
-LIBOPENBSD_COMPAT_OBJS=bsd-arc4random.o bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-inet_aton.o bsd-inet_ntoa.o bsd-misc.o bsd-mktemp.o bsd-rresvport.o bsd-setenv.o bsd-sigaction.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bsd-strsep.o bsd-strtok.o fake-getaddrinfo.o fake-getnameinfo.o next-posix.o
+LIBOPENBSD_COMPAT_OBJS=bsd-arc4random.o bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-inet_aton.o bsd-inet_ntoa.o bsd-misc.o bsd-mktemp.o bsd-realpath.o bsd-rresvport.o bsd-setenv.o bsd-sigaction.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bsd-strsep .o bsd-strtok.o fake-getaddrinfo.o fake-getnameinfo.o next-posix.o
 
 SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o
 
diff -ruN openssh/bsd-realpath.c openssh-mine/bsd-realpath.c
--- openssh/bsd-realpath.c	Wed Dec 31 18:00:00 1969
+++ openssh-mine/bsd-realpath.c	Sat Sep 30 18:54:30 2000
@@ -0,0 +1,178 @@
+/*
+ * Copyright (c) 1994
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Jan-Simon Pendry.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "config.h"
+
+#if !defined(HAVE_REALPATH)
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char *rcsid = "$OpenBSD: realpath..c,v 1.4 1998/05/18 09:55:19 deraadt Exp $";
+#endif /* LIBC_SCCS and not lint */
+
+#include 
+#include 
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+/*
+ * Mimic getcwd() by using getwd() for those OS that don't support
+ * getcwd().
+ */
+#ifndef HAVE_GETCWD
+#define getcwd(buf,size)	getwd(buf)
+#endif
+
+/*
+ * S_ISLNK compatibility
+ */
+#ifndef S_ISLNK
+#define S_ISLNK(m)	((m & 0170000) == 0120000)
+#endif
+
+/*
+ * char *realpath(const char *path, char resolved_path[MAXPATHLEN]);
+ *
+ * Find the real name of path, by removing all ".", ".." and symlink
+ * components.  Returns (resolved) on success, or (NULL) on failure,
+ * in which case the path which caused trouble is left in (resolved).
+ */
+char *
+realpath(const char *path, char *resolved)
+{
+	struct stat sb;
+	int fd, n, rootd, serrno = 0;
+	char *p, *q, wbuf[MAXPATHLEN], start[MAXPATHLEN];
+	int symlinks = 0;
+
+	/* Save the starting point. */
+	getcwd(start,MAXPATHLEN);
+	if ((fd = open(".", O_RDONLY)) < 0) {
+		(void)strcpy(resolved, ".");
+		return (NULL);
+	}
+	close(fd);
+
+	/*
+	 * Find the dirname and basename from the path to be resolved.
+	 * Change directory to the dirname component.
+	 * lstat the basename part.
+	 *     if it is a symlink, read in the value and loop.
+	 *     if it is a directory, then change to that directory.
+	 * get the current directory name and append the basename.
+	 */
+	(void)strncpy(resolved, path, MAXPATHLEN - 1);
+	resolved[MAXPATHLEN - 1] = '\0';
+loop:
+	q = strrchr(resolved, '/');
+	if (q != NULL) {
+		p = q + 1;
+		if (q == resolved)
+			q = "/";
+		else {
+			do {
+				--q;
+			} while (q > resolved && *q == '/');
+			q[1] = '\0';
+			q = resolved;
+		}
+		if (chdir(q) < 0)
+			goto err1;
+	} else
+		p = resolved;
+
+	/* Deal with the last component.
+	 */
+	if (lstat(p, &sb) == 0) {
+		if (S_ISLNK(sb.st_mode)) {
+			if (++symlinks > MAXSYMLINKS) {
+				serrno = ELOOP;
+				goto err1;
+			}
+			n = readlink(p, resolved, MAXPATHLEN-1);
+			if (n < 0)
+				goto err1;
+			resolved[n] = '\0';
+			goto loop;
+		}
+		if (S_ISDIR(sb.st_mode)) {
+			if (chdir(p) < 0)
+				goto err1;
+			p = "";
+		}
+	}
+
+	/*
+	 * Save the last component name and get the full pathname of
+	 * the current directory.
+	 */
+	(void)strcpy(wbuf, p);
+	if (getcwd(resolved, MAXPATHLEN) == 0)
+		goto err1;
+
+	/*
+	 * Join the two strings together, ensuring that the right thing
+	 * happens if the last component is empty, or the dirname is root.
+	 */
+	if (resolved[0] == '/' && resolved[1] == '\0')
+		rootd = 1;
+	else
+		rootd = 0;
+
+	if (*wbuf) {
+		if (strlen(resolved) + strlen(wbuf) + rootd + 1 > MAXPATHLEN) {
+			serrno = ENAMETOOLONG;
+			goto err1;
+		}
+		if (rootd == 0)
+			(void)strcat(resolved, "/");
+		(void)strcat(resolved, wbuf);
+	}
+
+	/* Go back to where we came from. */
+	if (chdir(start) < 0) {
+		serrno = errno;
+		goto err2;
+	}
+	return (resolved);
+
+err1:	chdir(start);
+err2:	errno = serrno;
+	return (NULL);
+}
+#endif
diff -ruN openssh/config.h.in openssh-mine/config.h.in
--- openssh/config.h.in	Fri Sep 29 22:30:02 2000
+++ openssh-mine/config.h.in	Sat Sep 30 18:56:24 2000
@@ -5,6 +5,11 @@
 /* Generated automatically from acconfig.h by autoheader. */
 /* Please make your changes there */
 
+/* Define if you have realpath() */
+#undef HAVE_REALPATH
+
+/* Define if you have getcwd() */
+#undef HAVE_GETCWD
 
 /* Define if the `getpgrp' function takes no argument.  */
 #undef GETPGRP_VOID
diff -ruN openssh/configure.in openssh-mine/configure.in
--- openssh/configure.in	Fri Sep 29 17:43:20 2000
+++ openssh-mine/configure.in	Sat Sep 30 18:41:12 2000
@@ -268,7 +268,7 @@
 AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/s elect.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h)
 
 dnl Checks for library functions.
-AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock fchmod freeaddrinfo futimes gai_strerror getaddrinfo getnameinfo getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid setrlimit sigaction sigvec snprintf strerror strlcat strlcpy strsep strtok_r vsnprintf vhangup _getpty __b64_ntop)
+AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock fchmod freeaddrinfo futimes gai_strerror getaddrinfo getcwd getnameinfo getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realp ath rresvport_af setenv seteuid setlogin setproctitle setreuid setrlimit sigaction sigvec snprintf strerror strlcat strlcpy strsep strtok_r vsnprintf vhangup _getpty __b64_ntop)
 dnl Checks for time functions
 AC_CHECK_FUNCS(gettimeofday time)
 dnl Checks for libutil functions
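Review bot: in the bsd-realpath.c hunk the error paths lose errno: with `int fd, n, rootd, serrno = 0;` and the tail `err1: chdir(start);` / `err2: errno = serrno;`, every `goto err1` taken after a failed chdir(), lstat(), readlink() or getcwd() returns NULL with errno forced to 0, because only the ELOOP and ENAMETOOLONG branches set serrno first. Save the real error at the label (`serrno = errno;` before `chdir(start)`, which can itself clobber errno) and have the two explicit branches assign errno instead of serrno. Two more points in the same hunk: the result of `getcwd(start,MAXPATHLEN);` is never checked, so if it fails `start` is uninitialized and the process, already moved by the chdir() calls, is "restored" to a garbage path; and the `#define getcwd(buf,size) getwd(buf)` fallback discards the size, so on a getwd()-only system the MAXPATHLEN buffers are filled with no bound, which is the reason getwd() is deprecated.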
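Review bot: the config.h.in hunk edits a generated file against the advice in its own context lines, "Generated automatically from acconfig.h by autoheader. Please make your changes there"; autoheader emits a `HAVE_*` entry for every name passed to AC_CHECK_FUNCS, so once the configure.in change is in, regenerating config.h.in yields `#undef HAVE_REALPATH` and `#undef HAVE_GETCWD` without a hand edit, and the hand-added lines will be lost the next time someone regenerates.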
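Review bot: in the configure.in hunk the added line reads `openpty realp ath rresvport_af` as archived; if that space is real rather than a wrap introduced in transit, configure tests for functions named `realp` and `ath`, HAVE_REALPATH is never defined, and the replacement realpath() is compiled in on every platform, shadowing the system one. The same wrap appears in the Makefile.in hunk (`bsd-strsep .o`) and in the AC_CHECK_HEADERS context line (`sys/s elect.h`), so the tokens should be checked against the file before applying.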
From: djm at mindrot.org (Damien Miller)
Date: Sun, 1 Oct 2000 12:16:18 +1100 (EST)
Subject: [PATCH] realpath fix for NeXT (Re: Snapshot)
In-Reply-To: 
Message-ID: 

On Sat, 30 Sep 2000, Ben Lindstrom wrote:

> This brings NeXT inline with everyone else.

Cool - before I apply: does NeXT have getcwd()? I _really_ don't like
this bit of the diff:

> +#ifndef HAVE_GETCWD
> +#define getcwd(buf,size)	getwd(buf)
> +#endif

-d

-- 
| ``The power of accurate observation is | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From Nathaniel.Couper-Noles at tigris.com Sun Oct 1 06:26:13 2000
From: Nathaniel.Couper-Noles at tigris.com (Nathaniel Couper-Noles)
Date: Sat, 30 Sep 2000 15:26:13 -0400
Subject: Openssh 2.2.0p1 portable Makefile
Message-ID: <9AE7A33537DAD21194AE009027289AA638A637@tigrisweb.tigris.com>

Hi, I'm not subbed, but I was just building OpenSSH 2.2.0p1 on Solaris 8 and
I noticed that the compile failed because $(AR) was not defined in Makefile.
Setting

  AR=/usr/xpg4/bin/ar

in Makefile made it compile without a hitch. My configure flags were
--with-ipv4-default.

Thanks for an otherwise excellent program.

Nathaniel Couper-Noles

From Lutz.Jaenicke at aet.TU-Cottbus.DE Sun Oct 1 02:49:32 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Sat, 30 Sep 2000 17:49:32 +0200
Subject: Snapshot
In-Reply-To: ; from djm@mindrot.org on Sat, Sep 30, 2000 at 02:52:36PM +1100
References: 
Message-ID: <20000930174932.A19034@ws01.aet.tu-cottbus.de>

On Sat, Sep 30, 2000 at 02:52:36PM +1100, Damien Miller wrote:
> There is now a new snapshot available at:
> 
> http://www.mindrot.org/misc/openssh/
> 
> Please give this snapshot a good run on your platform of choice. When
> sending success/failure reports, please include the 'host system type'
> as reported by ./configure. It is hoped that this snapshot will become
> 2.2.0p2 in due course.

hppa2.0-hp-hpux10.20 build and some test runs OK.
Environment: OpenSSL 0.9.6, entropy collection via EGD-socket (PRNGD)

i686-pc-linux-gnu build and some test runs OK.
Environment: SuSE 6.4, Linux 2.2.16, OpenSSL 0.9.6, /dev/urandom

I don't have any sftp-client, so no check of this part.

Best regards,
	Lutz

PS. Could you please add the 'host system type' to the list of items
printed at the end of the configure run? It tends to run out of the
scroll limit and so I have to collect it from config.status :-)

-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus               Fax. +49 355 69-4153

From pekkas at netcore.fi Sun Oct 1 06:59:27 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Sat, 30 Sep 2000 22:59:27 +0300 (EEST)
Subject: RHL OpenSSH upgrade: _new_ sshd is not started
Message-ID: 

Hello all,

A few days ago I noticed that the following seems to happen when upgrading
OpenSSH on Linux-based (/etc/rc.d/init.d/sshd) based systems:

- sshd is restarted with 'sshd restart'; however sshd serving in port 22
is not replaced.

- you have to kill the old one (netstat -ltp | grep :ssh ; kill ...)
first, then restart sshd.

- This might happen only when performing the upgrade while connected on
the system w/ ssh; not sure.

However, I'm not sure which would be the best way to get around this.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi       not those you stumble over and fall"

From chenda at cs.unc.edu Sun Oct 1 03:10:06 2000
From: chenda at cs.unc.edu (Daniel T. Chen)
Date: Sat, 30 Sep 2000 12:10:06 -0400 (EDT)
Subject: Snapshot
In-Reply-To: 
Message-ID: 

checking host system type... i686-pc-linux-gnu (SuSE 6.4 x86, non-RPM)

Works fine with OpenSSL-0.9.5a and -0.9.6

dtc

---
Daniel T. Chen | chenda at cs.unc.edu

From djm at mindrot.org Sun Oct 1 12:37:22 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 1 Oct 2000 12:37:22 +1100 (EST)
Subject: Openssh 2.2.0p1 portable Makefile
In-Reply-To: <9AE7A33537DAD21194AE009027289AA638A637@tigrisweb.tigris.com>
Message-ID: 

On Sat, 30 Sep 2000, Nathaniel Couper-Noles wrote:

> Hi, I'm not subbed, but I was just building OpenSSH 2.2.0p1 on Solaris 8 and
> I noticed that the compile failed because $(AR) was not defined in Makefile.
> Setting
> 
> AR=/usr/xpg4/bin/ar

Was this directory in your path? configure tries to search for ar.

-d

-- 
| ``The power of accurate observation is | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From djm at mindrot.org Sun Oct 1 12:40:20 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 1 Oct 2000 12:40:20 +1100 (EST)
Subject: RHL OpenSSH upgrade: _new_ sshd is not started
In-Reply-To: 
Message-ID: 

On Sat, 30 Sep 2000, Pekka Savola wrote:

> Hello all,
> 
> A few days ago I noticed that the following seems to happen when upgrading
> OpenSSH on Linux-based (/etc/rc.d/init.d/sshd) based systems:

Are you sure - it works for me:

[djm at mothra djm]$ ssh root at toad
Warning: Remote host denied X11 forwarding.
Last login: Sun Oct  1 12:06:59 2000 from mothra.mindrot.org
[root at toad /root]# telnet localhost 22
Trying 127.0.0.1...
Connected to toad.mindrot.org.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.1.1
^]
telnet> close
Connection closed.
[root at toad /root]# rpm -Uvh /mnt/archive/rpms/local/openssh/openssh-[2cs]*i386*
openssh                     ##################################################
openssh-clients             ##################################################
openssh-server              ##################################################
Shutting down sshd:                                        [  OK  ]
Starting sshd:                                             [  OK  ]
[root at toad /root]# telnet localhost 22
Trying 127.0.0.1...
Connected to toad.mindrot.org.
Escape character is '^]'.
SSH-1.99-OpenSSH_2.2.0p1
^]
telnet> close
Connection closed.
[root at toad /root]#

-d

-- 
| ``The power of accurate observation is | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From mouring at pconline.com Sun Oct 1 13:06:05 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Sat, 30 Sep 2000 21:06:05 -0500 (CDT)
Subject: [PATCH] realpath fix for NeXT (Re: Snapshot)
In-Reply-To: 
Message-ID: 

On Sun, 1 Oct 2000, Damien Miller wrote:

> On Sat, 30 Sep 2000, Ben Lindstrom wrote:
> 
> > This brings NeXT inline with everyone else.
> 
> Cool - before I apply: does NeXT have getcwd()? I _really_ don't like
> this bit of the diff:
> 

Sadly it's another 'feature' wrapped up in the libposix.a

I'd be happy to dig around to find a better solution than getwd(). I
know Linux complains that it's a bad thing. I may be able to use
OpenBSD's getcwd().. I don't see anything that looks too much like a
show stopper. Just I'd have to test it to ensure it works. Which I can
do either later tonight or tomorrow.

I really should email apple and beg for libposix source. =)

- Ben

From phma at oltronics.net Sun Oct 1 13:59:22 2000
From: phma at oltronics.net (Pierre Abbat)
Date: Sat, 30 Sep 2000 22:59:22 -0400
Subject: RHL OpenSSH upgrade: _new_ sshd is not started
In-Reply-To: 
References: 
Message-ID: <0009302305071D.10552@neofelis>

On Sat, 30 Sep 2000, Pekka Savola wrote:
>Hello all,
>
>A few days ago I noticed that the following seems to happen when upgrading
>OpenSSH on Linux-based (/etc/rc.d/init.d/sshd) based systems:
>
>- sshd is restarted with 'sshd restart'; however sshd serving in port 22
>is not replaced.
>
>- you have to kill the old one (netstat -ltp | grep :ssh ; kill
>...) first, then restart sshd.
>
>- This might happen only when performing the upgrade while connected on
>the system w/ ssh; not sure.
>
>However, I'm not sure which would be the best way to get around this.

Any sshd's that are serving the port, if you kill them, will disconnect
someone. Let them keep running and just restart the parent process.

Me, when I work on the ssh configuration of a remote machine, log in with
telnet; and conversely, when I'm working on the srp config, I log in with
ssh. (Telnet is set up to require srp.)

phma

From mouring at pconline.com Sun Oct 1 15:34:57 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Sat, 30 Sep 2000 23:34:57 -0500 (CDT)
Subject: [PATCH] realpath fix for NeXT (Re: Snapshot)
In-Reply-To: 
Message-ID: 

Ok.. With a few tweaks the OpenBSD getcwd.c works under NeXT. I only
have one concern, noted in the code. Jump down to the area where I
marked a "RACE".. Just not sure if there is a better thing to replace
fstat(dirfd(..), ..) with. Mainly because NeXT has no dirfd() support,
and I'm guessing that any OS using the bsd-getcwd.c will be old enough
that dirfd() won't exist.

- Ben

-------------- next part --------------
/*
 * Copyright (c) 1989, 1991, 1993
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.
 * IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include "config.h"

#ifndef HAVE_GETCWD

#if defined(LIBC_SCCS) && !defined(lint)
static char rcsid[] = "$OpenBSD: getcwd.c,v 1.6 2000/07/19 15:25:13 deraadt Exp $";
#endif /* LIBC_SCCS and not lint */

/*
 * The header names were lost when this file went through the list
 * archive; these are the ones the OpenBSD getcwd.c this is based on
 * includes.
 */
#include <sys/param.h>
#include <sys/stat.h>
#include <errno.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#include "includes.h"

/* True for the "." and ".." entries, which are skipped when scanning a parent. */
#define	ISDOT(dp) \
	(dp->d_name[0] == '.' && (dp->d_name[1] == '\0' || \
	    (dp->d_name[1] == '.' && dp->d_name[2] == '\0')))

char *
getcwd(char *pt, size_t size)
{
	struct dirent *dp;
	DIR *dir = NULL;
	dev_t dev;
	ino_t ino;
	int first;
	char *bpt, *bup;
	struct stat s;
	dev_t root_dev;
	ino_t root_ino;
	size_t ptsize, upsize;
	int save_errno;
	char *ept, *eup, *up = NULL;

	/*
	 * If no buffer specified by the user, allocate one as necessary.
	 * If a buffer is specified, the size has to be non-zero.  The path
	 * is built from the end of the buffer backwards.
	 */
	if (pt) {
		ptsize = 0;
		if (!size) {
			errno = EINVAL;
			return (NULL);
		}
		ept = pt + size;
	} else {
		if ((pt = malloc(ptsize = 1024 - 4)) == NULL)
			return (NULL);
		ept = pt + ptsize;
	}
	bpt = ept - 1;
	*bpt = '\0';

	/*
	 * Allocate bytes (1024 - malloc space) for the string of "../"'s.
	 * Should always be enough (it's 340 levels).  If it's not, allocate
	 * as necessary.  Special case the first stat, it's ".", not "..".
	 */
	if ((up = malloc(upsize = 1024 - 4)) == NULL)
		goto err;
	eup = up + upsize;	/* end of what was actually allocated, not up + MAXPATHLEN */
	bup = up;
	up[0] = '.';
	up[1] = '\0';

	/* Save root values, so know when to stop.
	 */
	if (stat("/", &s))
		goto err;
	root_dev = s.st_dev;
	root_ino = s.st_ino;

	errno = 0;		/* XXX readdir has no error return. */

	for (first = 1;; first = 0) {
		/* Stat the current level. */
		if (lstat(up, &s))
			goto err;

		/* Save current node values. */
		ino = s.st_ino;
		dev = s.st_dev;

		/* Check for reaching root. */
		if (root_dev == dev && root_ino == ino) {
			*--bpt = '/';
			/*
			 * It's unclear that it's a requirement to copy the
			 * path to the beginning of the buffer, but it's always
			 * been that way and stuff would probably break.
			 */
			bcopy(bpt, pt, ept - bpt);
			free(up);
			return (pt);
		}

		/*
		 * Build pointer to the parent directory, allocating memory
		 * as necessary.  Max length is 3 for "../", the largest
		 * possible component name, plus a trailing NULL.
		 */
		if (bup + 3 + MAXNAMLEN + 1 >= eup) {
			char *nup;

			if ((nup = realloc(up, upsize *= 2)) == NULL)
				goto err;
			/*
			 * Keep bup at the same offset in the new block;
			 * resetting it to the start would throw away the
			 * "../../" prefix built so far.
			 */
			bup = nup + (bup - up);
			up = nup;
			eup = up + upsize;
		}
		*bup++ = '.';
		*bup++ = '.';
		*bup = '\0';

		/* Open and stat parent directory.
		 * RACE?? - replaced fstat(dirfd(dir), &s) w/ lstat(up,&s) */
		if (!(dir = opendir(up)) || lstat(up,&s))
			goto err;

		/* Add trailing slash for next directory. */
		*bup++ = '/';

		/*
		 * If it's a mount point, have to stat each element because
		 * the inode number in the directory is for the entry in the
		 * parent directory, not the inode number of the mounted file.
		 */
		save_errno = 0;
		if (s.st_dev == dev) {
			for (;;) {
				if (!(dp = readdir(dir)))
					goto notfound;
				if (dp->d_fileno == ino)
					break;
			}
		} else
			for (;;) {
				if (!(dp = readdir(dir)))
					goto notfound;
				if (ISDOT(dp))
					continue;
				bcopy(dp->d_name, bup, dp->d_namlen + 1);

				/* Save the first error for later. */
				if (lstat(up, &s)) {
					if (!save_errno)
						save_errno = errno;
					errno = 0;
					continue;
				}
				if (s.st_dev == dev && s.st_ino == ino)
					break;
			}

		/*
		 * Check for length of the current name, preceding slash,
		 * leading slash.
		 */
		if (bpt - pt < dp->d_namlen + (first ?
		    1 : 2)) {
			size_t len, off;
			char *npt;

			if (!ptsize) {
				errno = ERANGE;
				goto err;
			}
			off = bpt - pt;
			len = ept - bpt;
			if ((npt = realloc(pt, ptsize *= 2)) == NULL)
				goto err;
			pt = npt;
			bpt = pt + off;
			ept = pt + ptsize;
			bcopy(bpt, ept - len, len);
			bpt = ept - len;
		}
		if (!first)
			*--bpt = '/';
		bpt -= dp->d_namlen;
		bcopy(dp->d_name, bpt, dp->d_namlen);
		(void)closedir(dir);
		dir = NULL;	/* so a later goto err does not close it twice */

		/* Truncate any file name. */
		*bup = '\0';
	}

notfound:
	/*
	 * If readdir set errno, use it, not any saved error; otherwise,
	 * didn't find the current directory in its parent directory, set
	 * errno to ENOENT.
	 */
	if (!errno)
		errno = save_errno ? save_errno : ENOENT;
	/* FALLTHROUGH */
err:
	if (ptsize)
		free(pt);
	if (up)
		free(up);
	if (dir)
		(void)closedir(dir);
	return (NULL);
}
#endif

From kamath at geekoids.com Sun Oct 1 17:32:13 2000
From: kamath at geekoids.com (Sean Kamath)
Date: Sat, 30 Sep 2000 23:32:13 -0700
Subject: OpenSSH-2.2.0p1 cores in openssl-0.9.6's bn_print.c
Message-ID: <200010010632.e916WDq23416@sink.geekoids.com>

The bug is pretty simple: bn_print.c in openssl-0.9.6's crypto lib says you
must use OPENSSL_free on the return value from BN_bn2dec, yet key.c simply
calls free on the buffer. I changed it, but it didn't fix the problem I'm
seeing.

I don't know if what I'm seeing is a known bug (didn't see it anywhere on
the web site). I get a core dump when trying to connect to another machine.
It cores in BN_bn2dec in CRYPTO_malloc, all in openssl's cryptolib, but I
think it's because openssh is not initializing the openssl malloc machine
(there is a comment in the openssl source about calling CRYPTO_malloc_init,
but it's in the SSLEAY CHANGES...).

Just FYI: It's a sparc running Solaris 8. Will provide further details upon
request, but the actual bug is not calling OPENSSL_free on the returned
buffer from BN_bn2dec, which may or may not be exacerbating my
coredumps... :-)

Sean Kamath

From pekkas at netcore.fi Sun Oct 1 18:03:15 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Sun, 1 Oct 2000 10:03:15 +0300 (EEST)
Subject: RHL OpenSSH upgrade: _new_ sshd is not started
In-Reply-To: 
Message-ID: 

On Sun, 1 Oct 2000, Damien Miller wrote:
> On Sat, 30 Sep 2000, Pekka Savola wrote:
> 
> > Hello all,
> > 
> > A few days ago I noticed that the following seems to happen when upgrading
> > OpenSSH on Linux-based (/etc/rc.d/init.d/sshd) based systems:
> 
> Are you sure - it works for me:

[proof snipped]

You're right -- I can't reproduce it now, at least in a Joe System like
that.

However, I'm sure there was something fishy there -- When I had to add the
patch for old Macintosh systems, no amount of /etc/rc.d/init.d/sshd restart
after the RPM upgrade would get the clients to be able to log in. After I
did some process killing and sshd start, it worked just fine (and nobody
was disconnected in the process).

I'll try if I can reproduce this in similar circumstances (busy day, 30-40
clients connected).

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi       not those you stumble over and fall"

From pekkas at netcore.fi Mon Oct 2 07:15:47 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Sun, 1 Oct 2000 23:15:47 +0300 (EEST)
Subject: Snapshot
In-Reply-To: 
Message-ID: 

On Sat, 30 Sep 2000, Damien Miller wrote:
> There is now a new snapshot available at:

> 20000929
>  - (djm) Fix SSH2 not terminating until all background tasks done problem.

This is a bit buggy; scp w/ SSH2 will now cause abrupt ending of scp
transfers:

---
pekkas at netcore.fi's password: 
log.c                100% |*********************************************************|  5194       00:00
Connection to netcore.fi closed by remote host.
---

When server is 2.2.0p1 or SSH1 is being used for scp everything works
fine.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi       not those you stumble over and fall"

From jmknoble at jmknoble.cx Mon Oct 2 10:52:18 2000
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Sun, 1 Oct 2000 19:52:18 -0400
Subject: PATCH: OpenSSH RPM spec file problems
In-Reply-To: ; from pekkas@netcore.fi on Wed, Sep 27, 2000 at 06:25:24PM +0300
References: 
Message-ID: <20001001195218.B22228@quipu.half.pint-stowp.cx>

Circa 2000-Sep-27 18:25:24 +0300 dixit Pekka Savola:

: There are two issues in OpenSSH RPM Red Hat spec file (against 2.2.0p1):
: 
: 1. /etc/rc.d/init.d/sshd uses 'success' and 'failure'. These don't work
: in Red Hat 5.2; else the spec file is fine. Initscripts requirement (for
: the one in RH60) added.

Hmmm. I haven't looked at this for some time, but I recall patching the
initscript back before OpenSSH-1.2.3 to do this sort of thing:

  #!/bin/bash
  # ...
  case "$1" in
    start)
      # ...
      case "`type -type success`" in
        function)
          ## For Red Hat Linux 6.0 and later
          /usr/sbin/sshd && success "sshd startup" || failure "sshd startup"
          RETVAL=$?
          ;;
        *)
          ## For Red Hat Linux 4.x and 5.x
          /usr/sbin/sshd && echo -n "sshd "
          ;;
      esac
      # ...
      ;;
  esac

Did that construct go away in the meantime?

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From djm at mindrot.org Mon Oct 2 22:29:36 2000
From: djm at mindrot.org (Damien Miller) Date: Mon, 2 Oct 2000 22:29:36 +1100 (EST) Subject: Snapshot In-Reply-To: Message-ID: On Sun, 1 Oct 2000, Pekka Savola wrote: > On Sat, 30 Sep 2000, Damien Miller wrote: > > > There is now a new snapshot available at: > > 20000929 > > - (djm) Fix SSH2 not terminating until all background tasks done > > problem. > > This is a bit buggy; scp w/ SSH2 will now cause abrupt ending of scp > transfers: > > pekkas at netcore.fi's password: > log.c 100% > |*********************************************************| 5194 00:00 > Connection to netcore.fi closed by remote host. Most frustrating. Markus, what do you recommend? On Linux (and other systems) background processes will hold their fd 0,1,2 open and sshd will get stuck in serverloop{2}. There is a hack in the portable version for SSH1 which breaks out of serverloop after a SIGCHLD and one pass through the wait_until_can_do_something() select. I have tried a hack for SSH2 which breaks out of serverloop2 if a SIGCHLD has been received and there are no active sessions left, but this causes the above problem with scp over ssh2. Can you recommend a better approach? -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From pekkas at netcore.fi Mon Oct 2 22:33:24 2000 
From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 2 Oct 2000 14:33:24 +0300 (EEST) Subject: Snapshot In-Reply-To: Message-ID: On Mon, 2 Oct 2000, Damien Miller wrote: > > This is a bit buggy; scp w/ SSH2 will now cause abrupt ending of scp > > transfers: > > > > pekkas at netcore.fi's password: > > log.c 100% > > |*********************************************************| 5194 00:00 > > Connection to netcore.fi closed by remote host. > > Most frustrating. > > Markus, what do you recommend? On Linux (and other systems) background > processes will hold their fd 0,1,2 open and sshd will get get stuck in > serverloop{2}. > > There is a hack in the portable version for SSH1 which breaks out of > serverloop after a SIGCHLD and one pass through the > wait_until_can_do_something() select. I have tried a hack for SSH2 > which breaks out of serverloop2 if a SIGCHLD has been received and > there are no active sessions left, but this causes the above problem > with scp over ssh2. As a matter of fact, it'd seem that all SSH2 sessions get the same 'closed by remote host' message, not just scp. -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" From Lutz.Jaenicke at aet.TU-Cottbus.DE Mon Oct 2 22:47:02 2000 
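Added demonstration (editor's script, not sshd or OpenSSH code) of the mechanism Damien describes in this thread: a command that backgrounds a job and exits delivers SIGCHLD, but the job still holds the session's stdout and stderr, so the read side never reaches EOF and a server loop that waits for EOF hangs. The script runs two constructed commands under sh with a pipe standing in for the session channel and reports whether EOF arrives within a short timeout; the second command detaches the job's descriptors first, which is the user-side way to avoid the hang.

```python
import os
import select
import subprocess
import time


def run_and_wait_for_eof(command, timeout):
    """Run `command` under sh with stdout and stderr joined on one pipe (as a
    session channel is), wait for the shell to exit, then report whether the
    read side of that pipe reaches EOF within `timeout` seconds.
    Returns (got_eof, output_bytes)."""
    proc = subprocess.Popen(["sh", "-c", command],
                            stdin=subprocess.DEVNULL,
                            stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT)
    proc.wait()          # the shell is gone: this is when SIGCHLD arrives
    fd = proc.stdout.fileno()
    deadline = time.monotonic() + timeout
    output = b""
    got_eof = False
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break        # timed out: some descendant still holds the write end
        readable, _, _ = select.select([fd], [], [], remaining)
        if not readable:
            break        # nothing to read and no EOF either
        chunk = os.read(fd, 4096)
        if not chunk:    # zero-length read: every writer has closed the pipe
            got_eof = True
            break
        output += chunk
    proc.stdout.close()
    return got_eof, output


# Constructed commands. The first backgrounds a job that inherits the shell's
# descriptors, so the pipe stays open for two seconds after the shell exits.
HOLDS_PIPE = "sleep 2 & echo started"
# The second detaches the job from the session's descriptors before
# backgrounding it, so the pipe reaches EOF as soon as the shell exits.
DETACHED = "sleep 2 >/dev/null 2>&1 </dev/null & echo started"


if __name__ == "__main__":
    for label, cmd in (("inherits fds", HOLDS_PIPE), ("detached fds", DETACHED)):
        got_eof, out = run_and_wait_for_eof(cmd, timeout=0.5)
        print("%-13s eof=%-5s output=%r" % (label, got_eof, out))
```

With the first command the shell's exit (SIGCHLD) arrives long before EOF does, which is exactly the window the serverloop hack has to decide in: leave on SIGCHLD and a still-running foreground transfer is cut off, wait for EOF and a backgrounded daemon keeps the session open until it exits.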
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Mon, 2 Oct 2000 13:47:02 +0200 Subject: Open connections when using agent-forwarding Message-ID: <20001002134702.A7050@serv01.aet.tu-cottbus.de> Hi! I have problems with connections being left open with both 2.2.0p1 and the latest snapshot when using agent-forwarding. (I didn't use this with older versions, so I don't know whether this problem is older.) Scenario: I have a secret key that I run with ssh-agent on host "host-A". I then connect to "host-B" using 'slogin -A host-B'. When executing a command on "host-C" (for which the secret key is needed), the command is executed fine, but after finishing I cannot exit the slogin command: host-A> slogin -A host-B ... host-B> ssh host-C "ls -al" ... [output from ls -al command] host-B> exit logout Waiting for forwarded connections to terminate... The following connections are open: #2 accepted auth socket (t4 r0 i8/0 o16/0 fd 9/9) #3 accepted auth socket (t4 r1 i8/0 o16/0 fd 10/10) I have to kill the "slogin -A host-B" process on "host-A" to terminate the session. When connecting from host-B to host-D, for which RSA host authentication is allowed (and hence my personal key not needed), only one connection stays open. I am not quite sure at which places to look for the problem, so I rather send this bug report instead of providing a patch :-) Best regards, Lutz PS. Platform is HP-UX 10.20/OpenSSL 0.9.6 but it should not matter. I have two keys (one RSA, one DSA) in ssh-agent; experiments carried out with SSH-1 protocol only. -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From pekkas at netcore.fi Mon Oct 2 23:33:42 2000 
From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 2 Oct 2000 15:33:42 +0300 (EEST) Subject: still sftp-server problems with Irix? Message-ID: Hello all, Using 20000930 snapshot on Irix 6.5.9m. SFTP connections with SSH 2.3.0 (Windows) die right out. Similar configuration and the same version works fine in Red Hat Linux 6.2. This is probably related to 'sftp' thread 7-10 days ago. The error messages captured in debug mode: --- debug1: server_input_channel_open: ctype session rchan 1 win 100000 max 8192 debug1: open session debug1: channel 2: new [server-session] debug1: session_new: session 1 (2 used) debug1: session_open: channel 2 debug1: session_open: session 1: link with channel 2 debug1: confirm session debug2: callback start debug1: session_by_channel: session 1 channel 2 debug1: session_input_channel_req: session 1 channel 2 request subsystem reply 1 subsystem request for sftp debug1: subsystem: exec() /v/irix65_mips64/comm/openssh/2.2.0p2_SNAP/libexec/sftp-server debug1: fd 13 setting O_NONBLOCK debug2: callback done debug1: Received SIGCHLD. debug1: session_by_pid: pid 31997225 debug1: session_exit_message: session 1 channel 2 pid 31997225 debug1: session_exit_message: release channel 2 debug1: channel 2: write failed debug1: channel 2: output open -> closed debug1: channel 2: close_write debug1: channel 2: chan_shutdown_write: shutdown() failed for fd13: Transport endpoint is not connected debug1: session_free: session 1 pid 31997225 debug1: channel 2: read<=0 rfd 13 len 0 debug1: channel 2: read failed debug1: channel 2: input open -> drain debug1: channel 2: close_read debug1: channel 2: input: no drain shortcut debug1: channel 2: ibuf empty debug1: channel 2: input drain -> closed debug1: channel 2: send eof debug1: channel 2: send close ----- The error message in SSH 2.3.0 sftp program: ----- File transfer server could not be started or it exited unexpectedly Exit value 1 was returned. 
----- Anyone with non-Linux/BSD systems experiencing sftp-server problems? Ideas? -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" From Chiaki.Ishikawa at personal-media.co.jp Mon Oct 2 23:35:36 2000 From: Chiaki.Ishikawa at personal-media.co.jp (Chiaki Ishikawa) Date: Mon, 2 Oct 2000 21:35:36 +0900 (JST) Subject: (from BugTraq) openssh2.2.p1 - Re: scp file transfer hole Message-ID: <200010021235.VAA14020@sparc18.personal-media.co.jp> X-PMC-CI-e-mail-id: 13726 Hi, I have been a successful user of Openssh for some time. I am attaching two articles from BugTraq. Hopefully, they show exactly the security problems reported in the BugTraq mailing list. [Pity that no one seemed to have bothered to contact the mailing list(s) for openssh development.] I am not sure what the right fixes would be. But at least, people need to be made aware of the problem first. Interested readers are encouraged to look at BugTraq mailing list archives found in the web across the world. (1) (Before this post there was a post from Zalewski, which is quoted in this e-mail post.) Date: Sun, 1 Oct 2000 12:19:46 +0200 Reply-To: Martin MaD Douda Sender: Bugtraq List 
From: Martin MaD Douda Subject: openssh2.2.p1 - Re: scp file transfer hole To: BUGTRAQ at SECURITYFOCUS.COM In-Reply-To:

Openssh2.2.0p1 IS vulnerable, but some change is needed in fake scp to exploit it. Using your scripts I could make suid scpuser's file in /tmp, but probably due to some protocol change in scp, the file was empty and scp has died with "lost connection". Since openssh 2.2.0p1 is the latest existing version, this vulnerability probably exists in every single scp version in the world.

Martin

On Sat, 30 Sep 2000, Michal Zalewski wrote:

> This issue appears quite often - tar suffers from problem of this kind as
> well (using cute symlink tricks, you can create an archive, which, when
> unpacked, can overwrite or create specific files anywhere in your
> filesystem). This time, similar scp vulnerability has been found and
> acknowledged in sshd 1.2.xx releases (no information on 2.0.xx).
>
> When you are scp'ing files from remote machine to your local computer,
> modified scp service on the second endpoint can spoof legitimate scp data,
> overwriting arbitrary files.
>
> As a proof of concept, I created trivial scp replacement (put it on remote
> machine in the place of original scp binary - usually in /usr/local/bin).
> It will try to exploit any file transfer, creating setuid /tmp/ScpIsBuggy
> file on client system:
>
> --
> #!/bin/bash
>
> echo "D0755 0 ../../../../../../tmp/nope"
> echo "D0755 0 ../../../../../../tmp"
> echo "C4755 200 ScpIsBuggy"
> dd if=/dev/urandom of=/dev/stdout bs=200 count=1 2>/dev/null
> dd if=/dev/zero of=/dev/stdout bs=1 count=2 2>/dev/null
> --
>
> This isn't really nice :P After SSH become popular, people started to
> transfer files using scp (both user files and backups, logs etc).
> Successful exploitation of single server (or even single account) might
> cause further intrusions on client machines.
>
> Another thing I can imagine - automated scp worm, which will, after
> intrusion, intercept further scp sessions (eg. using ptrace) to send itself
> to remote system (and, probably, doing other operations as well). This
> doesn't actually require it to operate on privileged level :>
>
> What's probably the most alarming, there is no simple way to detect such
> attack - path is stripped before displaying filenames on client side -
> in above example, you'll see successful transfer of ScpIsBuggy file,
> suggesting it has been downloaded in current directory. Also, file modes
> are not verified, so suid files can be placed in remote system (but that's
> not the point, even without it, remote attack eg. on .ssh/authorized_keys
> is possible).
>
> _______________________________________________________
> Michal Zalewski [lcamtuf at tpi.pl] [tp.internet/security]
> [http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
> =-----=> God is real, unless declared integer. <=-----=
>
>

--------------------------------------------------------------------------------
Martin "MaD" Douda WEB: http://martin.douda.net/ PHONE:+420603752779 ICQ# 86467013 EMAIL: , (160 characters only) PGP:ID=0x6FE43023 Fingerprint:E495 11DA EF6E 0DD6 965A 54F3 888E CC9E 6FE4 3023
--------------------------------------------------------------------------------
[1]+ Done rm -rf /

(2) Date: Sun, 1 Oct 2000 00:43:39 -0400 Reply-To: stanislav shalunov Sender: Bugtraq List 
From: stanislav shalunov Subject: Re: scp file transfer hole To: BUGTRAQ at SECURITYFOCUS.COM In-Reply-To: Michal Zalewski writes: > When you are scp'ing files from remote machine to your local computer, > modified scp service on the second endpoint can spoof legitimate scp data, > overwriting arbitrary files. OpenSSH-1.2.1 appears to create the file wherever you tell it to, but refuses to set setuid bit on it. That's not quite as bad as SSH 1.2 (which will even conveniently allow setting arbitrary file mode), but you can still overwrite ~/.ssh/authorized_keys or similar files to the same effect, as you point out. Very disturbing--this is supposed to be security software. -- Stanislav Shalunov Internet Engineer, Internet2 A language that doesn't have everything is actually easier to program in than some that do. -- Dennis M. Ritchie From mouring at pconline.com Mon Oct 2 23:49:31 2000 
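Added example (editor's code, not OpenSSH's scp.c) of the two checks the forwarded BugTraq posts say the scp sink lacked: every name in a `D` or `C` record must be treated as a single path component under the destination directory, and setuid/setgid bits must never survive into the mode the sink applies. The record format (`C<mode> <size> <name>`, `D<mode> 0 <name>`, `E`, file bytes followed by one status byte) is the scp wire protocol; the malicious sample is constructed from the lines Zalewski's script echoes, and the function names, the benign sample and the destination paths are this example's own.

```python
import posixpath
import stat

# Constructed sample of what the fake scp in Zalewski's post sends to the
# client's sink: two directory records that climb out of the destination,
# then a setuid file. scp follows each file's bytes with one status byte.
MALICIOUS_STREAM = (
    b"D0755 0 ../../../../../../tmp/nope\n"
    b"D0755 0 ../../../../../../tmp\n"
    b"C4755 200 ScpIsBuggy\n" + b"A" * 200 + b"\0"
)

# Constructed benign stream: a single regular file.
BENIGN_STREAM = b"C0644 5 log.c\nhello\0"


def parse_scp_stream(data):
    """Split a raw scp source stream into (kind, mode, size, name, payload)
    records. Kinds are C (file), D (enter directory), E (leave directory)
    and T (timestamps, passed through)."""
    records = []
    pos = 0
    while pos < len(data):
        newline = data.index(b"\n", pos)
        line = data[pos:newline].decode("ascii")
        pos = newline + 1
        kind = line[0]
        if kind == "E":
            records.append(("E", None, 0, None, b""))
            continue
        if kind == "T":
            records.append(("T", None, 0, line[1:], b""))
            continue
        mode_text, size_text, name = line[1:].split(" ", 2)
        mode, size = int(mode_text, 8), int(size_text)
        payload = b""
        if kind == "C":
            payload = data[pos:pos + size]
            pos += size + 1          # the data is followed by one status byte
        records.append((kind, mode, size, name, payload))
    return records


def check_scp_records(records, dest_dir, recursive=False):
    """Validate records the way a hardened sink should and return the list of
    (path, mode, payload) it may create, or raise ValueError. Names must be
    single path components, directories may not climb above dest_dir, and
    setuid/setgid/sticky bits never survive into the created mode."""
    dest_dir = posixpath.abspath(dest_dir)
    stack = [dest_dir]               # directory the sink is currently writing into
    accepted = []
    for kind, mode, size, name, payload in records:
        if kind in ("C", "D"):
            if "/" in name or name in (".", "..") or "\0" in name:
                raise ValueError("refusing unsafe filename %r" % name)
            path = posixpath.join(stack[-1], name)
            # Belt and braces: the joined path must still sit under dest_dir.
            if posixpath.commonpath([dest_dir, path]) != dest_dir:
                raise ValueError("path %r escapes %r" % (path, dest_dir))
        if kind == "D":
            if not recursive:
                raise ValueError("directory record %r in a non-recursive copy" % name)
            stack.append(path)
        elif kind == "E":
            if len(stack) == 1:
                raise ValueError("E record would leave the destination directory")
            stack.pop()
        elif kind == "C":
            if len(payload) != size:
                raise ValueError("short data for %r" % name)
            safe_mode = mode & ~(stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX)
            accepted.append((path, safe_mode, payload))
    return accepted


def scp_sink_decision(stream, dest_dir, recursive=False):
    """(True, accepted files) if the stream may be written, else (False, reason)."""
    try:
        return True, check_scp_records(parse_scp_stream(stream), dest_dir, recursive)
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    print(scp_sink_decision(MALICIOUS_STREAM, "/home/user", recursive=True))
    print(scp_sink_decision(BENIGN_STREAM, "/home/user"))
```

The malicious stream is refused at its first record, before any bytes are written, and a `C4755` record for an otherwise acceptable name comes out as mode 0755. Rejecting `D` records in a non-recursive copy also matters: the fake server can send them whether or not the client asked for `-r`.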
From: mouring at pconline.com (Ben Lindstrom) Date: Mon, 2 Oct 2000 07:49:31 -0500 (CDT) Subject: still sftp-server problems with Irix? In-Reply-To: Message-ID: Yes.. Under NeXT "realpath" is not implemented, but there is a weakly bound "realpath" function within its C libraries. I have a patch submitted to add in realpath for those missing it. When you compile sftp-server, does it give you any warnings? - Ben On Mon, 2 Oct 2000, Pekka Savola wrote: > Hello all, > > Using 20000930 snapshot on Irix 6.5.9m. > > SFTP connections with SSH 2.3.0 (Windows) die right out. Similar > configuration and the same version works fine in Red Hat Linux 6.2. > > This is probably related to 'sftp' thread 7-10 days ago. > > The error messages captured in debug mode: > --- > debug1: server_input_channel_open: ctype session rchan 1 win 100000 max 8192 > debug1: open session > debug1: channel 2: new [server-session] > debug1: session_new: session 1 (2 used) > debug1: session_open: channel 2 > debug1: session_open: session 1: link with channel 2 > debug1: confirm session > debug2: callback start > debug1: session_by_channel: session 1 channel 2 > debug1: session_input_channel_req: session 1 channel 2 request subsystem > reply 1 > subsystem request for sftp > debug1: subsystem: exec() > /v/irix65_mips64/comm/openssh/2.2.0p2_SNAP/libexec/sftp-server > debug1: fd 13 setting O_NONBLOCK > debug2: callback done > debug1: Received SIGCHLD. 
> debug1: session_by_pid: pid 31997225 > debug1: session_exit_message: session 1 channel 2 pid 31997225 > debug1: session_exit_message: release channel 2 > debug1: channel 2: write failed > debug1: channel 2: output open -> closed > debug1: channel 2: close_write > debug1: channel 2: chan_shutdown_write: shutdown() failed for fd13: > Transport endpoint is not connected > debug1: session_free: session 1 pid 31997225 > debug1: channel 2: read<=0 rfd 13 len 0 > debug1: channel 2: read failed > debug1: channel 2: input open -> drain > debug1: channel 2: close_read > debug1: channel 2: input: no drain shortcut > debug1: channel 2: ibuf empty > debug1: channel 2: input drain -> closed > debug1: channel 2: send eof > debug1: channel 2: send close > ----- > > The error message in SSH 2.3.0 sftp program: > ----- > File transfer server could not be started or it exited unexpectedly > Exit value 1 was returned. > ----- > > Anyone with non-Linux/BSD systems experiencing sftp-server problems? > Ideas? > > -- > Pekka Savola "Tell me of difficulties surmounted, > Pekka.Savola at netcore.fi not those you stumble over and fall" > > From pekkas at netcore.fi Mon Oct 2 23:57:47 2000 
From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 2 Oct 2000 15:57:47 +0300 (EEST) Subject: still sftp-server problems with Irix? In-Reply-To: Message-ID: On Mon, 2 Oct 2000, Ben Lindstrom wrote: > > Yes.. Under NeXT "realpath" is not implemented, but there is a weakly > bound "realpath" function within it's C libraries. I have a patch > submitted to add in realpath for those missing it. > > When you compile sftp-server. Does it give you any warnings? No, none for sftp-server. Most prominent other warnings, on the other hand (if they help any/want to fix them), are: ----- serverloop.c: In function `sigchld_handler': serverloop.c:98: warning: int format, pid_t arg (arg 2) serverloop.c:98: warning: int format, pid_t arg (arg 3) serverloop.c: In function `server_loop': serverloop.c:602: warning: int format, pid_t arg (arg 2) serverloop.c:602: warning: int format, pid_t arg (arg 3) gcc -g -O2 -Wall -I. -I. -I/usr/local/include -I/usr/local/lib/openssl/include -DETCDIR=\"/usr/alt/hostdep/etc/openssh/\" -DSSH_PROGRAM=\"/v/irix65_mips64/comm/openssh/2.2.0p2_SNAP/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/v/irix65_mips64/comm/openssh/2.2.0p2_SNAP/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c md5crypt.c gcc -g -O2 -Wall -I. -I. 
-I/usr/local/include -I/usr/local/lib/openssl/include -DETCDIR=\"/usr/alt/hostdep/etc/openssh/\" -DSSH_PROGRAM=\"/v/irix65_mips64/comm/openssh/2.2.0p2_SNAP/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/v/irix65_mips64/comm/openssh/2.2.0p2_SNAP/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c session.c session.c: In function `do_exec_no_pty': session.c:491: warning: passing arg 1 of `log_init' discards `const' from pointer target type session.c: In function `do_exec_pty': session.c:604: warning: passing arg 1 of `log_init' discards `const' from pointer target type session.c: In function `session_dump': session.c:1475: warning: int format, pid_t arg (arg 6) session.c: In function `session_by_pid': session.c:1516: warning: int format, pid_t arg (arg 2) session.c:1522: warning: int format, pid_t arg (arg 2) session.c: In function `session_exit_message': session.c:1811: warning: int format, pid_t arg (arg 4) session.c: In function `session_free': session.c:1852: warning: int format, pid_t arg (arg 3) session.c: In function `session_close_by_pid': session.c:1878: warning: int format, pid_t arg (arg 2) session.c: In function `session_close_by_channel': session.c:1902: warning: int format, pid_t arg (arg 3) session.c:1909: warning: int format, pid_t arg (arg 2) session.c:1912: warning: int format, pid_t arg (arg 2) ----- (and a few other ones; I think uid_t and gid_t vs. int "mismatches" were these too) -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" From mstone at cs.loyola.edu Tue Oct 3 00:10:44 2000 
From: mstone at cs.loyola.edu (Michael Stone) Date: Mon, 2 Oct 2000 09:10:44 -0400 Subject: still sftp-server problems with Irix? In-Reply-To: ; from pekkas@netcore.fi on Mon, Oct 02, 2000 at 03:33:42PM +0300 References: Message-ID: <20001002091044.P15994@justice.loyola.edu> On Mon, Oct 02, 2000 at 03:33:42PM +0300, Pekka Savola wrote: > Anyone with non-Linux/BSD systems experiencing sftp-server problems? > Ideas? Try checking the SYSLOG file for messages from sftp-server, and look for core files. -- Mike Stone From Markus.Friedl at informatik.uni-erlangen.de Tue Oct 3 01:58:35 2000 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 2 Oct 2000 16:58:35 +0200 Subject: still sftp-server problems with Irix? In-Reply-To: <20001002091044.P15994@justice.loyola.edu>; from mstone@cs.loyola.edu on Mon, Oct 02, 2000 at 09:10:44AM -0400 References: <20001002091044.P15994@justice.loyola.edu> Message-ID: <20001002165835.A27719@faui02.informatik.uni-erlangen.de> sftp-server should not dump core. please send a backtrace if it does... On Mon, Oct 02, 2000 at 09:10:44AM -0400, Michael Stone wrote: > On Mon, Oct 02, 2000 at 03:33:42PM +0300, Pekka Savola wrote: > > Anyone with non-Linux/BSD systems experiencing sftp-server problems? > > Ideas? > > Try checking the SYSLOG file for messages from sftp-server, and look for > core files. > > -- > Mike Stone From chip at princetonecom.com Tue Oct 3 04:23:42 2000 
From: chip at princetonecom.com (Chip Christian) Date: Mon, 02 Oct 2000 13:23:42 -0400 Subject: Snapshot In-Reply-To: Message from Damien Miller of "Sat, 30 Sep 2000 14:52:36 +1100." Message-ID: <20001002172342.2E2D3B47B@fleck.princetonecom.com> sparc-sun-solaris2.6 works great, configure as follows: ./configure --with-default-path=/usr/local/bin:/usr/bin --with-tcp-wrappers --with-random=/dev/random --with-pid-dir=/usr/local/etc with OpenSSL-0.9.6, SUNWski PAM issues: I run this package on a sparc-sun-solaris[67], with Novell NDS Corporate Edition for authentication. Set my password to expire this am, login appears to hang after accepting my password, before printing anything. trussing the sshd reveals the following over and over: write(2, " D o y o u w a n t ".., 54) = 54 read(0, 0x00110E54, 8192) = 0 It does consume one of my grace logins. djm at mindrot.org said: > Please give this snapshot a good run on your platform of choice. When > sending success/failure reports, please include the 'host system type' > as reported by ./configure. It is hoped that this snapshot will become > 2.2.0p2 in due course. From chip at princetonecom.com Tue Oct 3 04:28:52 2000 
From: chip at princetonecom.com (Chip Christian) Date: Mon, 02 Oct 2000 13:28:52 -0400 Subject: Snapshot In-Reply-To: Message from Chip Christian of "Mon, 02 Oct 2000 13:23:42 EDT." <20001002172342.2E2D3B47B@fleck.princetonecom.com> Message-ID: <20001002172852.7B89CB47B@fleck.princetonecom.com> Further, here's what I see when I run sshd -d; std{in,out,err} are still connected to my original pty, so I get to answer the question: debug1: Starting up PAM with username "chip" debug1: Attempting authentication for chip. Failed rsa for chip from 192.168.12.2 port 860 Do you want to change your password now ([y]es/[n]o): n debug1: PAM Password authentication accepted for user "chip" Accepted password for chip from 192.168.12.2 port 860 debug1: PAM setting rhost to "fleck.princetonecom.com" debug1: session_new: init debug1: session_new: session 0 debug1: Allocating pty. From chip at princetonecom.com Tue Oct 3 05:35:22 2000 
From: chip at princetonecom.com (Chip Christian) Date: Mon, 02 Oct 2000 14:35:22 -0400 Subject: Snapshot In-Reply-To: Message from Damien Miller of "Sat, 30 Sep 2000 14:52:36 +1100." Message-ID: <20001002183523.04050B47B@fleck.princetonecom.com> Actually, scp doesn't work in my config either. Somewhere between 2.2p1 and now --with-default-path= must've broken; user_path is set in configure, but never used. Previously the value was written into config.h via confdefs.h. configure: *************** *** 6001,6010 **** withval="$with_default_path" if test "x$withval" != "xno" ; then ! cat >> confdefs.h < Message-ID: On Mon, 2 Oct 2000, Michael Stone wrote: > On Mon, Oct 02, 2000 at 03:33:42PM +0300, Pekka Savola wrote: > > Anyone with non-Linux/BSD systems experiencing sftp-server problems? > > Ideas? > > Try checking the SYSLOG file for messages from sftp-server, and look for > core files. This was the only message in SYSLOG: ---- error: channel 2: chan_shutdown_read: shutdown() failed for fd11 [i1 o16]: Transport endpoint is not connected ---- However, it seems sftp-server works just fine w/ sftp from SSH 2.3.0 Unix version -- Windows version doesn't. This looks rather weird but it could be a windows ssh bug too. I'm running this on port 2022 if it'd make any difference. -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" From kai at pac-rim.net Tue Oct 3 09:30:03 2000 
From: kai at pac-rim.net (Kai Schlichting) Date: Mon, 02 Oct 2000 18:30:03 -0400 Subject: OpenSSH 2.2.0p1 on Solaris 2.7 fails to compile Message-ID: <4.3.2.7.2.20001002182031.00ae3540@mail.conti.nu> Greetings. I am a non-sub, but I read/searched the archive: I just can't for the life of it get OpenSSH to even *configure* on a Solaris 2.7 machine (UltraSparc-2). While minor difficulties (such as the --with-ssl-dir option somehow not fully working, as includes fail to see , easily overridden with a well-placed link from /opt/openssl -> /usr/local/ssl) have been overcome (and I have built the package on Linux and BSDI a few dozen times since 1.2), some compilation problem goes over my head: Why are RAND_ symbols failing? config.log says: configure:2862: gcc -o conftest -g -O2 -Wall -I/usr/local/include -I/opt/openssl/include -L/usr/loc al/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib -L/opt/openssl/lib -L/opt/openssl -R/opt/openssl/ lib -R/opt/openssl conftest.c -ldl -lsocket -lnsl -lz -lpam -lcrypto 1>&5 configure: In function `main': configure:2856: warning: implicit declaration of function `RAND_add' configure:2857: warning: implicit declaration of function `RAND_status' Undefined first referenced symbol in file RAND_add /var/tmp/ccHZaWXy1.o RAND_status /var/tmp/ccHZaWXy1.o ld: fatal: Symbol referencing errors. No output written to conftest configure: failed program was: #line 2848 "configure" #include "confdefs.h" #include #include int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); } This is with GNU Make version 3.77 and gcc version 2.8.1. I am suspecting that something is still wrong with the linking of the crypto lib here (if Kerberos really supplied one, as one of the articles mentioned, why can't I find it?). Thanks for any hints, bye,Kai From mouring at pconline.com Tue Oct 3 09:58:12 2000 
From: mouring at pconline.com (Ben Lindstrom) Date: Mon, 2 Oct 2000 17:58:12 -0500 (CDT) Subject: OpenSSH 2.2.0p1 on Solaris 2.7 fails to compile In-Reply-To: <4.3.2.7.2.20001002182031.00ae3540@mail.conti.nu> Message-ID: On Mon, 2 Oct 2000, Kai Schlichting wrote: > Greetings. I am a non-sub, but I read/searched the archive: I just can't > for the life of it get OpenSSH to even *configure* on a Solaris 2.7 > machine (UltraSparc-2). > > While minor difficulties (such as the --with-ssl-dir option somehow > not fully working, as includes fail to see , easily > overridden with a well-placed link from /opt/openssl -> /usr/local/ssl) > have been overcome (and I have built the package on Linux and BSDI > a few dozen times since 1.2), some compilation problem goes over my head: > > Why are RAND_ symbols failing? > You need at least 0.9.5a or greater OpenSSL for OpenSSH 2.2.0p1 to work. From gsstark at mit.edu Tue Oct 3 13:57:53 2000 
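Added check (editor's script, not part of OpenSSH's configure) for the failure Kai reports and the requirement Ben states. The conftest program in the config.log excerpt links against `RAND_add` and `RAND_status`, and whichever libcrypto the linker meets first on its -L path is the one it resolves `-lcrypto` against, whatever --with-ssl-dir said. The script walks a list of library directories in that order, reports every libcrypto it finds together with the OpenSSL version text compiled into it, and lists which of the two symbols are absent. It searches for the NUL-terminated symbol names as bytes instead of running nm, which is crude but works on any ELF or ar file without extra tools; the `.sl` suffix is for HP-UX, and the directories and file contents in the test are constructed.

```python
import os
import re

# The two symbols configure's test program calls (from the config.log
# excerpt in Kai's message).
REQUIRED_SYMBOLS = (b"RAND_add", b"RAND_status")
# Every OpenSSL libcrypto carries its version text (what SSLeay_version() returns).
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")


def inspect_libcrypto(path):
    """Return (version_or_None, [missing symbol names]) for one library file.
    Symbol names in ELF string tables and ar symbol indexes are NUL-terminated,
    so searching for NAME followed by a NUL byte is a cheap stand-in for nm."""
    with open(path, "rb") as handle:
        blob = handle.read()
    match = VERSION_RE.search(blob)
    version = match.group(1).decode("ascii") if match else None
    missing = [sym.decode("ascii") for sym in REQUIRED_SYMBOLS
               if sym + b"\0" not in blob]
    return version, missing


def is_libcrypto(filename):
    """Static archive or shared object name used for OpenSSL's libcrypto."""
    return filename == "libcrypto.a" or filename.startswith(("libcrypto.so", "libcrypto.sl"))


def scan_for_libcrypto(dirs):
    """Walk dirs in the order the linker would (the -L list from config.log)
    and return [(path, version, missing)] for every libcrypto found. The
    first directory that contains one is where -lcrypto gets resolved."""
    report = []
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in sorted(os.listdir(directory)):
            if is_libcrypto(name):
                path = os.path.join(directory, name)
                version, missing = inspect_libcrypto(path)
                report.append((path, version, missing))
    return report


if __name__ == "__main__":
    # Directory order copied from the gcc line in the config.log excerpt.
    for path, version, missing in scan_for_libcrypto(
            ["/usr/local/lib", "/usr/ucblib", "/opt/openssl/lib", "/opt/openssl"]):
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print("%s: OpenSSL %s, %s" % (path, version or "<no version string>", status))
```

A libcrypto that reports a version older than 0.9.5a, or no OpenSSL version text at all, sitting in a directory ahead of --with-ssl-dir is the usual explanation for "library found, RAND_ symbols undefined".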
From: gsstark at mit.edu (Gregory Stark) Date: 02 Oct 2000 22:57:53 -0400 Subject: find canonic host name [SECURITY VULNERABILITY] Message-ID: <87ya064oni.fsf@HSE-MTL-ppp64190.qc.sympatico.ca> I reported a bug recently to the debian bug tracking system but I just checked this mailing list and it seems it was already mentioned here. However the thread seemed to have died. This is worrisome because it's rather a severe security vulnerability. OpenSSH seems to have changed behaviour to canonicalize host names _before_ looking up keys in known_hosts. This is BAD. AWFUL. TERRIBLE. This sounds like someone applied a blanket security rule-of-thumb without understanding the rationale behind the rule. (What's worse is that canonicalizing host names doesn't really buy any security in the general case but that's another battle.) Canonicalizing names provided by untrusted sources is reasonable because it prevents untrusted sources from being able to provide aliases that might escape treatment by some security provision. Canonicalizing names provided by the user before checking the known_hosts file means you're opening the user up to additional attacks where he might not even be connecting to the host he requested! Incidentally, my original debian bug report was that SSH should use the hostname/port pair as the key for known_hosts, not merely the hostname. Since each port could run an sshd with a different key. I would actually like an option in .ssh/config to specify the known_hosts key explicitly rather than use the hostname and ip address. -- greg From nico at sonycom.com Tue Oct 3 16:52:01 2000 
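Added example (editor's simulation, not ssh's hostfile code) of the two points in Gregory's message: which name the client uses to look up known_hosts, and whether the port is part of that key. The resolver's canonical-name answer is untrusted input, so a policy that canonicalizes first lets whoever controls DNS choose which stored key the presented key is compared against; looking up under the name the user typed keeps the comparison anchored to what the user asked for. Hosts, keys, resolver tables and the `[host]:port` entry form are all this example's own constructions.

```python
DEFAULT_PORT = 22


def hostkey_id(host, port, key_by_port):
    """known_hosts lookup key. With key_by_port the entry is "[host]:port" for
    non-default ports (this example's convention); without it, sshds on
    different ports of one host share a single entry."""
    if key_by_port and port != DEFAULT_PORT:
        return "[%s]:%d" % (host, port)
    return host


def canonical_name(typed, dns):
    """The canonical name the resolver returns for what the user typed. The
    resolver is untrusted: an attacker who controls DNS picks this value."""
    return dns.get(typed, typed)


def check_host_key(lookup_name, port, known_hosts, presented, key_by_port=True):
    """Compare the key the server presented with the entry stored under
    lookup_name: "ok", "unknown" (first contact) or "MISMATCH" (the loud
    warning a user must not ignore)."""
    stored = known_hosts.get(hostkey_id(lookup_name, port, key_by_port))
    if stored is None:
        return "unknown"
    return "ok" if stored == presented else "MISMATCH"


def connect(typed, port, dns, server_keys, known_hosts,
            canonicalize_first, key_by_port=True):
    """Simulate one connection. DNS decides which box the packets reach and
    therefore which key is presented; the policy flags decide which
    known_hosts entry that key is compared against."""
    reached = canonical_name(typed, dns)
    presented = server_keys[(reached, port)]
    lookup_name = reached if canonicalize_first else typed
    return check_host_key(lookup_name, port, known_hosts, presented, key_by_port)


# Constructed world. "bank" runs two sshds with different keys on ports 22
# and 2022; shared.example.org is a box the user has also accepted before
# and to which the attacker has access.
SERVER_KEYS = {
    ("bank", 22): "KEY-BANK",
    ("bank", 2022): "KEY-BANK-ALT",
    ("shared.example.org", 22): "KEY-SHARED",
}
KNOWN_HOSTS = {
    "bank": "KEY-BANK",
    "[bank]:2022": "KEY-BANK-ALT",
    "shared.example.org": "KEY-SHARED",
}
HONEST_DNS = {}                                 # every name is its own canonical name
SPOOFED_DNS = {"bank": "shared.example.org"}    # attacker's canonical-name answer for "bank"


if __name__ == "__main__":
    for policy in (True, False):
        print("canonicalize first" if policy else "use typed name",
              "honest:", connect("bank", 22, HONEST_DNS, SERVER_KEYS, KNOWN_HOSTS, policy),
              "spoofed:", connect("bank", 22, SPOOFED_DNS, SERVER_KEYS, KNOWN_HOSTS, policy))
    print("port 2022, name-only entries:",
          connect("bank", 2022, HONEST_DNS, SERVER_KEYS, KNOWN_HOSTS, False, key_by_port=False))
    print("port 2022, [host]:port entries:",
          connect("bank", 2022, HONEST_DNS, SERVER_KEYS, KNOWN_HOSTS, False))
```

The "ok" that the canonicalize-first policy returns under spoofed DNS is the silent redirection Gregory warns about: the presented key is genuine for the box reached, the client is just checking it against the wrong entry. The port case shows the other half of his report: with name-only entries a legitimate second sshd on port 2022 produces a MISMATCH warning, which trains users to click through the one warning that matters.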
From: nico at sonycom.com (Nico De Ranter) Date: Tue, 3 Oct 2000 07:52:01 +0200 Subject: OpenSSH 2.2.0p1 on Solaris 2.7 fails to compile In-Reply-To: ; from mouring@pconline.com on Mon, Oct 02, 2000 at 05:58:12PM -0500 References: <4.3.2.7.2.20001002182031.00ae3540@mail.conti.nu> Message-ID: <20001003075201.A838@immortelle.sonytel.be> I have the same problem here on Solaris 8 using openssl 0.9.6. Solaris 2.6 was apparently not a problem :-( Nico On Mon, Oct 02, 2000 at 05:58:12PM -0500, Ben Lindstrom wrote: > > > On Mon, 2 Oct 2000, Kai Schlichting wrote: > > > Greetings. I am a non-sub, but I read/searched the archive: I just can't > > for the life of it get OpenSSH to even *configure* on a Solaris 2.7 > > machine (UltraSparc-2). > > > > While minor difficulties (such as the --with-ssl-dir option somehow > > not fully working, as includes fail to see , easily > > overridden with a well-placed link from /opt/openssl -> /usr/local/ssl) > > have been overcome (and I have built the package on Linux and BSDI > > a few dozen times since 1.2), some compilation problem goes over my head: > > > > Why are RAND_ symbols failing? > > > You need at least 0.9.5a or greater OpenSSL for OpenSSH 2.2.0p1 > to work. > > > -------------------------------------------------------- "It has been said that there are only two businesses refer to customers as users: illegal drug trade and the computer industry." -------------------------------------------------------- Nico De Ranter Sony Service Center (SDCE/DME-B) Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne) 1130 Brussel (Bruxelles), Belgium, Europe, Earth Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86 e-mail: nico.deranter at sonycom.com From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Oct 3 18:01:43 2000 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Tue, 3 Oct 2000 09:01:43 +0200 Subject: OpenSSH 2.2.0p1 on Solaris 2.7 fails to compile In-Reply-To: <20001003075201.A838@immortelle.sonytel.be>; from nico@sonycom.com on Tue, Oct 03, 2000 at 07:52:01AM +0200 References: <4.3.2.7.2.20001002182031.00ae3540@mail.conti.nu> <20001003075201.A838@immortelle.sonytel.be> Message-ID: <20001003090143.A14723@serv01.aet.tu-cottbus.de> On Tue, Oct 03, 2000 at 07:52:01AM +0200, Nico De Ranter wrote: > I have the same problem here on Solaris 8 using openssl 0.9.6. Solaris 2.6 > was apparently not a problem :-( I have HP-UX, so I only can guess on what is going on. First, there was a problem in openssh-2.2.0p1 in that it did not honor the --with-ssl-dir flag if there was an openssl installed in the system's standard location for libraries and includes (like /usr/lib). This was changed for the latest snapshot. Second, as already pointed out in this thread, at least OpenSSL 0.9.5a is needed. We don't know whether this applies for the original poster. Third, the snippet posted (and you say that you have the same problem) implies that a libcrypto.* was found (otherwise the error message would have stated that libcrypto could not be found), but it did not contain the RAND_* functions. For this very reason, you should look out whether you ran into another incompatible libcrypto being part of some other package. There is another point in configure that probably cannot be solved. The configuration test tries to compile, link and run the test file. As configure is testing several locations for openssl, it is probably not the last entry in config.log that shows up the real error message. Hope this helps in narrowing down the problem, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. 
+49 355 69-4153 From gem at rellim.com Tue Oct 3 19:16:32 2000 From: gem at rellim.com (Gary E. Miller) Date: Tue, 3 Oct 2000 01:16:32 -0700 (PDT) Subject: Snapshot In-Reply-To: Message-ID: Yo Damien! It seems to compile and run fine on : Slackware 7.0 (i686-pc-linux-gnu) I will put some time on it to see if anything shakes out. RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 On Sat, 30 Sep 2000, Damien Miller wrote: > Please give this snapshot a good run on your platform of choice. When > sending success/failure reports, please include the 'host system type' > as reported by ./configure. It is hoped that this snapshot will become > 2.2.0p2 in due course. From janfrode at parallab.uib.no Tue Oct 3 22:24:21 2000 
From: janfrode at parallab.uib.no (Jan-Frode Myklebust) Date: Tue, 3 Oct 2000 13:24:21 +0200 Subject: Snapshot In-Reply-To: ; from pekkas@netcore.fi on Mon, Oct 02, 2000 at 02:33:24PM +0300 References: Message-ID: <20001003132421.A23395@ii.uib.no> On Mon, Oct 02, 2000 at 02:33:24PM +0300, Pekka Savola wrote: > On Mon, 2 Oct 2000, Damien Miller wrote: > > > This is a bit buggy; scp w/ SSH2 will now cause abrupt ending of scp > > > transfers: > > > > > > pekkas at netcore.fi's password: > > > log.c 100% > > > |*********************************************************| 5194 00:00 > > > Connection to netcore.fi closed by remote host. > > mips-sgi-irix6.5 here, and I'm also getting this one with ssh2's scp: % scp krypvier:/etc/passwd /tmp/ jfm at krypvier's password: passwd | 1.3kB | 1.3 kB/s | TOC: 00:00:01 | 100% % Disconnected; connection lost (Connection closed.). > > As a matter of fact, it'd seem that all SSH2 sessions get the same > 'closed by remote host' message, not just scp. > Not here. Normal ssh2 session works fine: % ssh -V ssh: SSH Secure Shell 2.3.0 (non-commercial version) on sparc-sun-solaris2.7 % ssh krypvier jfm's password: Authentication successful. Last login: Tue Oct 3 13:19:03 2000 from eik-20.ii.uib.no % -jf From janfrode at parallab.uib.no Tue Oct 3 22:28:20 2000 
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Tue, 3 Oct 2000 13:28:20 +0200
Subject: Snapshot
In-Reply-To: <20001003132421.A23395@ii.uib.no>; from janfrode@parallab.uib.no on Tue, Oct 03, 2000 at 01:24:21PM +0200
References: <20001003132421.A23395@ii.uib.no>
Message-ID: <20001003132820.B23395@ii.uib.no>

On Tue, Oct 03, 2000 at 01:24:21PM +0200, Jan-Frode Myklebust wrote:
>
> Not here. Normal ssh2 session works fine:
>
> % ssh -V
> ssh: SSH Secure Shell 2.3.0 (non-commercial version) on sparc-sun-solaris2.7
> % ssh krypvier
> jfm's password:
> Authentication successful.
> Last login: Tue Oct 3 13:19:03 2000 from eik-20.ii.uib.no
> %
>

Ooops, you're right. I'm getting "Disconnected; connection lost (Connection closed.)." when I exit a normal ssh2 session. Same thing happens when I exit an sftp session.

The server is openssh-SNAP-20000930
Client is ssh: SSH Secure Shell 2.3.0 (non-commercial version) on sparc-sun-solaris2.7

-jf

From jpk28 at hermes.cam.ac.uk Wed Oct 4 03:25:08 2000
From: jpk28 at hermes.cam.ac.uk (J.P. King)
Date: Tue, 3 Oct 2000 17:25:08 +0100 (BST)
Subject: Various platforms
Message-ID:

Hello,

I've been compiling OpenSSH up on just about every platform that I can get my hands on. I am not certain of the best way of building my 'fixes' into the source tree, not least of all since I didn't worry about #ifdef's or the configure scripts. However hopefully this will be of use to you.

This is all for openssh-2.2.0p1 compiled alongside openssl-0.9.5a and zlib-1.1.3.

Under HP-UX
===========

uname -smr
HP-UX A.09.03 9000/735

There is no seteuid or setreuid, but there is a setresuid, so using your model in bsd-misc.c, I did:

-----------
#if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID)
int seteuid(uid_t euid)
{
	return(setreuid(-1,euid));
}
#endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */

/* JPK */
int seteuid(uid_t euid)
{
	return(setresuid(-1,euid,-1));
}
-----------

This appears to be correct based on the documentation, and appears to work.

Also under the same version of HP-UX, you use RLIMIT_CORE, however this isn't defined in the include files except in , and even then only for _KERNEL. My kludge was to copy the correct entry from that header file into ssh.c.

The resultant statically linked binary appears to work for HP-UX 9 and HP-UX 10. I have not tested the compile except on HP-UX 9.

Under SunOS
===========

This compiles with lots of warnings, but I just realised that my patches were to OpenSSL, so I'll generate a report for them. Again it appears to work with

uname -smr
SunOS 4.1.3_U1 sun4c

Under Tru64
===========

This wouldn't compile under Compaq's compiler, although according to someone from the comp.security.ssh newsgroup:

: We had a similar problem at 5.0A, and solved by installing the latest
: compiler version, available at http://tru64unix.compaq.com/tools.html
:
: I believe I also saw the claim that the most recent patchkit
: solved the problem.
: http://www.support.compaq.com/patches/index.html
: for that.

I haven't had a chance to test this yet.

It compiled fine with gcc 2.7.2.3 - I would have used 2.95.x, but that doesn't compile cleanly on the machine, and I didn't bother compiling 2.95.x with gcc 2.7.2.3, since I wanted OpenSSH, not gcc. :-)

Others
======

In case you are interested, I've also compiled it up under Irix, Solaris, Linux, and will be compiling it up for various *BSDs and MacOS X, the latter being the only one that might cause grief.

If I have managed to miss out some salient point then I'm sorry, just prod me and I'll tell you whatever I can.

Cheers,

Julian
--
Julian King
Computer Officer, University of Cambridge, Unix Support

From andrew at pimlott.ne.mediaone.net Wed Oct 4 04:30:42 2000
From: andrew at pimlott.ne.mediaone.net (Andrew Pimlott)
Date: Tue, 3 Oct 2000 13:30:42 -0400
Subject: find canonic host name [SECURITY VULNERABILITY]
In-Reply-To: <87ya064oni.fsf@HSE-MTL-ppp64190.qc.sympatico.ca>; from gsstark@mit.edu on Mon, Oct 02, 2000 at 10:57:53PM -0400
References: <87ya064oni.fsf@HSE-MTL-ppp64190.qc.sympatico.ca>
Message-ID: <20001003133042.A4374@pimlott.ne.mediaone.net>

On Mon, Oct 02, 2000 at 10:57:53PM -0400, Gregory Stark wrote:
> OpenSSH seems to have changed behaviour to canonicalize host names _before_
> looking up keys in known_hosts. This is BAD. AWFUL. TERRIBLE.

Thank you for bringing this up again. I'm disappointed that this wasn't addressed last time. Is there another forum for security issues with openssh? Should I contact OpenBSD?

One of the strong points of ssh (emphasized since the earliest versions I ever used) is resistance to DNS spoofing. This principle seems to have been disregarded in this case. Since nobody identified any purpose for host name canonicalization, I suggest simply deleting the code I referred to.

> Incidentally, my original debian bug report was that SSH should use the
> hostname/port pair as the key for known_hosts, not merely the hostname. Since
> each port could run an sshd with a different key. I would actually like an
> option in .ssh/config to specify the known_hosts key explicitly rather than
> use the hostname and ip address.

You must like typing ;)

Andrew

From dwp at rice.edu Wed Oct 4 07:42:24 2000
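The lookup discipline Andrew and Gregory argue for above, as an added example for this archive page (it is not OpenSSH code and not code posted in the thread): the string matched against known_hosts is exactly what the user typed, optionally combined with a non-default port, and no resolver answer ever enters the lookup. If the client canonicalized the name first, the lookup key would be whatever DNS returned, so a spoofed answer could steer the lookup to a different record (or to no record, producing a "new host" prompt instead of a key-mismatch warning), which is the resistance to DNS spoofing the message describes. The `[host]:port` entry form and the sample known_hosts content are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEY 512

/* Constructed sample known_hosts content (not a real file from the thread).
 * Assumed format: "name1,name2 keytype key" per line; an entry for a
 * non-default port uses the "[name]:port" form (an assumption here). */
static const char *sample_known_hosts =
    "krypvier,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-KEY-KRYPVIER\n"
    "# comment lines and blank lines are ignored\n"
    "\n"
    "[netcore.fi]:2222 ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-KEY-NETCORE-2222\n"
    "netcore.fi ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-KEY-NETCORE\n";

/* The lookup string is built only from what the user typed: the bare name
 * for port 22, "[name]:port" otherwise. No DNS query happens anywhere here. */
static void make_lookup_name(const char *host, int port, char *out, size_t outlen)
{
    if (port == 22)
        snprintf(out, outlen, "%s", host);
    else
        snprintf(out, outlen, "[%s]:%d", host, port);
}

/* Case-insensitive comparison of n bytes (host names are case-insensitive). */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Exact (whole-token) match of name against one comma-separated host field. */
static int host_field_matches(const char *field, size_t fieldlen, const char *name)
{
    size_t namelen = strlen(name);
    const char *p = field, *end = field + fieldlen;

    while (p < end) {
        const char *comma = memchr(p, ',', (size_t)(end - p));
        size_t len = comma ? (size_t)(comma - p) : (size_t)(end - p);
        if (len == namelen && eq_nocase(p, name, len))
            return 1;
        p = comma ? comma + 1 : end;
    }
    return 0;
}

/* Find the key recorded for (host, port) in db. Returns 1 and copies
 * "keytype key" into keyout on a hit, 0 when no entry matches. */
int lookup_known_host(const char *db, const char *host, int port,
                      char *keyout, size_t keylen)
{
    char name[256];
    const char *line = db;

    make_lookup_name(host, port, name, sizeof name);
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t linelen = nl ? (size_t)(nl - line) : strlen(line);

        if (linelen > 0 && line[0] != '#') {
            const char *sp = memchr(line, ' ', linelen);
            if (sp && host_field_matches(line, (size_t)(sp - line), name)) {
                size_t rest = linelen - (size_t)(sp + 1 - line);
                if (rest >= keylen)
                    rest = keylen - 1;
                memcpy(keyout, sp + 1, rest);
                keyout[rest] = '\0';
                return 1;
            }
        }
        line = nl ? nl + 1 : line + linelen;
    }
    return 0;
}

/* Truth-valued helpers so the outcome of a lookup can be checked directly. */
int known_host_key_is(const char *db, const char *host, int port, const char *expected)
{
    char key[MAX_KEY];
    return lookup_known_host(db, host, port, key, sizeof key) && strcmp(key, expected) == 0;
}

int known_host_is_unknown(const char *db, const char *host, int port)
{
    char key[MAX_KEY];
    return !lookup_known_host(db, host, port, key, sizeof key);
}

int main(void)
{
    char key[MAX_KEY];

    /* The typed name is the key; whatever a resolver would say is irrelevant. */
    if (lookup_known_host(sample_known_hosts, "krypvier", 22, key, sizeof key))
        printf("krypvier: stored key %s\n", key);
    else
        printf("krypvier: no entry, the user must confirm any key before it is trusted\n");

    /* The same host name on another port is a separate entry with its own key. */
    if (lookup_known_host(sample_known_hosts, "netcore.fi", 2222, key, sizeof key))
        printf("[netcore.fi]:2222: stored key %s\n", key);
    return 0;
}
```

The matching is whole-token and case-insensitive, so `krypvie` does not match `krypvier`, and an IP literal listed in the same field matches only when the user typed that literal; in both directions the decision depends on nothing an attacker can influence from the network before the key comparison.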
From: dwp at rice.edu (David Wray Price)
Date: Tue, 3 Oct 2000 15:42:24 -0500
Subject: X forwarding fails, Linux 2.4.0-test[8,9]
Message-ID: <20001003154224.A405@rice.edu>

X forwarding doesn't work for me under Linux kernels 2.4.0-test8 or test9, using OpenSSH 2.2.0p1 (as packaged in Debian woody.) When I try to ssh to my machine, the client spits out the following pieces of information:

Warning: Remote host denied X11 forwarding.
Last login: Tue Oct 3 15:26:19 2000 from localhost on pts/2
Linux mallard 2.4.0-test9 #3 Tue Oct 3 14:20:59 CDT 2000 i686 unknown
No mail.
Last login: Tue Oct 3 15:26:30 2000 from localhost
Received disconnect: Command terminated on signal 11.

sshd logs the following when I connect:

sshd[547]: Connection from 127.0.0.1 port 1186
sshd[547]: Accepted rsa for dwp from 127.0.0.1 port 1186
sshd[547]: error: socket: Address family not supported by protocol
PAM_unix[547]: (ssh) session opened for user dwp by (uid=0)
sshd[547]: Disconnecting: Command terminated on signal 11.
PAM_unix[547]: (ssh) session closed for user dwp

The error also occurs if I don't use RSAAuthentication, come in from a remote machine, or use SSH protocol version 2 (although with v2 the sig11s do not occur); in any of these cases, I get the same socket: Address family not supported by protocol error in my log and the connection drops, unless I turn off X forwarding.

All this worked with no problem in Linux 2.4.0-test7 and earlier. Does anyone know what broke? Is this a Linux kernel bug?

--
David Wray Price  | #!/usr/bin/perl
Jones '03         | $_=1;while($_<=4){print(chr(int(2*exp(log(
Rice University   | $_)*3)-15*exp(log($_)*2)+30*($_++)+57.5)))}

From vsync at quadium.net Wed Oct 4 10:48:17 2000
From: vsync at quadium.net (vsync)
Date: 03 Oct 2000 16:48:17 -0700
Subject: X forwarding fails, Linux 2.4.0-test[8,9]
In-Reply-To: David Wray Price's message of "Tue, 3 Oct 2000 15:42:24 -0500"
References: <20001003154224.A405@rice.edu>
Message-ID: <87pulh4hby.fsf@piro.quadium.net>

David Wray Price writes:

> X forwarding doesn't work for me under Linux kernels 2.4.0-test8 or test9,
> using OpenSSH 2.2.0p1 (as packaged in Debian woody.) When I try to ssh to my
> machine, the client spits out the following pieces of information:

I have this same situation. Upgrading to the very most recent test release didn't change anything either, but I'm planning to put FreeBSD on that box anyway. =)

--
vsync
http://quadium.net/ - last updated Mon Oct 2 17:39:49 PDT 2000
(cons (cons (car (cons 'c 'r)) (cdr (cons 'a 'o))) ; Orjner
      (cons (cons (car (cons 'n 'c)) (cdr (cons nil 's))) nil))

From nico at sonycom.com Wed Oct 4 18:56:03 2000
From: nico at sonycom.com (Nico De Ranter)
Date: Wed, 4 Oct 2000 09:56:03 +0200
Subject: OpenSSH 2.2.0p1 on Solaris 2.7 fails to compile
In-Reply-To: <20001003090143.A14723@serv01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Tue, Oct 03, 2000 at 09:01:43AM +0200
References: <4.3.2.7.2.20001002182031.00ae3540@mail.conti.nu> <20001003075201.A838@immortelle.sonytel.be> <20001003090143.A14723@serv01.aet.tu-cottbus.de>
Message-ID: <20001004095603.Q838@immortelle.sonytel.be>

Howdy,

I've tried a few things more but still got the same results :-(:

1. tried openssl-0.9.5a instead of 0.9.6 but that didn't make a difference

2. check filesystem for other libcrypto.*, couldn't find any (if I remove the libcrypto.a from openssl the compilation doesn't work at all anymore so I figure he is trying to use the correct library)

faro[nico]$ ls -l /usr/local.host/lib
total 4
lrwxrwxrwx   1 root     other         26 Oct  4 09:34 libcrypto.a -> ../app/ssl/lib/libcrypto.a
lrwxrwxrwx   1 root     other         23 Oct  4 09:34 libssl.a -> ../app/ssl/lib/libssl.a
You have new mail in /net/primus/mail/spool/nico
faro[nico]$ ld -L/usr/local.host/lib -R/usr/local.host/lib -L/usr/ucblib -R/usr/ucblib -ldl -lsocket -lnsl -lz -lpam -lcrypto conftest.o
Undefined                       first referenced
 symbol                             in file
RAND_add                            conftest.o
RAND_status                         conftest.o
memset                              conftest.o  (symbol belongs to implicit dependency /usr/lib/libc.so.1)
ld: fatal: Symbol referencing errors. No output written to a.out

I checked config.log and all compilations with the ssl libs give exactly the same error messages

3. I also tried putting the openssl libraries and stuff in the default locations (/usr/local/...) but that gave the same errors.

4. Also tried compiling shared libraries for openssl (but I prefer statically linked libs for security reasons) but that doesn't help either. If I do a "strings" of the libcrypto.a library, RAND_add and RAND_status are indeed there.

Snif... what am I doing wrong.
Nico

On Tue, Oct 03, 2000 at 09:01:43AM +0200, Lutz Jaenicke wrote:
> On Tue, Oct 03, 2000 at 07:52:01AM +0200, Nico De Ranter wrote:
> > I have the same problem here on Solaris 8 using openssl 0.9.6. Solaris 2.6
> > was apparently not a problem :-(
>
> I have HP-UX, so I only can guess on what is going on.
>
> First, there was a problem in openssh-2.2.0p1 in that it did not honor
> the --with-ssl-dir flag if there was an openssl installed in the systems
> standard location for libraries and includes (like /usr/lib). This was
> changed for the latest snapshot.
> Second, as already pointed out in this thread, at least OpenSSL 0.9.5a is
> needed. We don't know, whether this applies for the original poster.
> Third, the snippet posted (and you say that you have the same problem)
> implies, that a libcrypto.* was found (otherwise the error message would
> have stated that libcrypto could not be found), but it did not contain the
> RAND_* functions. For this very reason, you should look out whether you ran
> into another incompatible libcrypto being part of some other package.
>
> There is another point in configure, that probably cannot be solved. The
> configuration test tries to compile, link and run the test file. As
> configure is testing several locations for openssl, it is probably not the
> last entry in config.log that shows up the real error message.
>
> Hope this helps in narrowing down the problem,
> Lutz
> --
> Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
> BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
>

--------------------------------------------------------
"It has been said that there are only two businesses refer to customers as users: illegal drug trade and the computer industry."
--------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/DME-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
e-mail: nico.deranter at sonycom.com

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Oct 4 19:56:35 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Wed, 4 Oct 2000 10:56:35 +0200
Subject: Snapshot
In-Reply-To: ; from djm@mindrot.org on Sat, Sep 30, 2000 at 02:52:36PM +1100
References:
Message-ID: <20001004105635.A22572@ws01.aet.tu-cottbus.de>

On Sat, Sep 30, 2000 at 02:52:36PM +1100, Damien Miller wrote:
> There is now a new snapshot available at:
>
> http://www.mindrot.org/misc/openssh/
>
> Please give this snapshot a good run on your platform of choice. When
> sending success/failure reports, please include the 'host system type'
> as reported by ./configure. It is hoped that this snapshot will become
> 2.2.0p2 in due course.

Obviously the default path for ssh-askpass has changed. In Makefile.in it now is located in
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass

(instead of $(libexecdir)/ssh/ssh-askpass)

This change is not documented.

Even more, at the end of configure, the old location is printed!!!
E=`eval echo ${libexecdir}/ssh/ssh-askpass` ; E=`eval echo ${E}`

Best regards,
Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Oct 4 21:44:21 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Wed, 4 Oct 2000 12:44:21 +0200
Subject: Snapshot
In-Reply-To: <20001004105635.A22572@ws01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Wed, Oct 04, 2000 at 10:56:35AM +0200
References: <20001004105635.A22572@ws01.aet.tu-cottbus.de>
Message-ID: <20001004124421.A16264@ws01.aet.tu-cottbus.de>

On Wed, Oct 04, 2000 at 10:56:35AM +0200, Lutz Jaenicke wrote:
> On Sat, Sep 30, 2000 at 02:52:36PM +1100, Damien Miller wrote:
> > There is now a new snapshot available at:
> >
> > http://www.mindrot.org/misc/openssh/
> >
> > Please give this snapshot a good run on your platform of choice. When
> > sending success/failure reports, please include the 'host system type'
> > as reported by ./configure. It is hoped that this snapshot will become
> > 2.2.0p2 in due course.
>
> Obviously the default path for ssh-askpass has changed. In Makefile.in
> it now is located in
> ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
>
> (instead of $(libexecdir)/ssh/ssh-askpass)
>
> This change is not documented.
>
> Even more, at the end of configure, the old location is printed!!!
> E=`eval echo ${libexecdir}/ssh/ssh-askpass` ; E=`eval echo ${E}`

BTW. Is there a specific reason to not make ASKPASS_PROGRAM an option of configure (like xauth)? I actually have installed (x11-)ssh-askpass in the default PATH. It is not distributed with openssh and since I have openssh in a special location (/usr/local/openssh) I don't like to have extra software inside /usr/local/openssh...

Best regards,
Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From rmcc at novis.pt Wed Oct 4 23:04:59 2000
From: rmcc at novis.pt (Ricardo Cerqueira)
Date: Wed, 4 Oct 2000 13:04:59 +0100
Subject: 2.2.0p1 chroot patch
Message-ID: <20001004130459.A4176@isp.novis.pt>

Hi there, everyone;

Attached to this mail is the 2.2.0p1 version of my chroot patch.

For those of you interested, my usual warning: This is NOT plug&pray. You'll have to build a whole binaries/libs/conf files tree within the new root. (it's just like the "classic" anonymous ftp behaviour)

Configure with "configure --with-chroot" to use.

Regards;
RC

--
+-------------------
| Ricardo Cerqueira
| PGP Key fingerprint - B7 05 13 CE 48 0A BF 1E 87 21 83 DB 28 DE 03 42
| Novis - Engenharia ISP / Rede Técnica
| Pç. Duque Saldanha, 1, 7º E / 1050-094 Lisboa / Portugal
| Tel: +351 2 1010 0000 - Fax: +351 2 1010 4459

-------------- next part --------------
diff -u --new-file openssh-2.2.0p1/acconfig.h openssh-2.2.0p1-chroot/acconfig.h --- openssh-2.2.0p1/acconfig.h Tue Aug 29 01:33:50 2000 +++ openssh-2.2.0p1-chroot/acconfig.h Tue Oct 3 19:44:43 2000 @@ -177,6 +177,9 @@ /* Define if you want to allow MD5 passwords */ #undef HAVE_MD5_PASSWORDS +/* Define if you want to use chrooting when a magic token is found */ +#undef CHROOT + /* Define if you want to disable shadow passwords */ #undef DISABLE_SHADOW diff -u --new-file openssh-2.2.0p1/config.h.in openssh-2.2.0p1-chroot/config.h.in --- openssh-2.2.0p1/config.h.in Sat Sep 2 00:08:44 2000 +++ openssh-2.2.0p1-chroot/config.h.in Tue Oct 3 19:44:43 2000 @@ -170,6 +170,9 @@ /* Define if you want to allow MD5 passwords */ #undef HAVE_MD5_PASSWORDS +/* Define if you want to use chrooting when a magic token is found */ +#undef CHROOT + /* Define if you want to disable shadow passwords */ #undef DISABLE_SHADOW diff -u --new-file openssh-2.2.0p1/configure openssh-2.2.0p1-chroot/configure --- openssh-2.2.0p1/configure Sat Sep 2 00:08:44 2000 +++ openssh-2.2.0p1-chroot/configure Tue Oct 3 19:44:48 2000
@@ -42,6 +42,8 @@ ac_help="$ac_help --with-md5-passwords Enable use of MD5 passwords" ac_help="$ac_help + --with-chroot Enable user chrooting through magic token" +ac_help="$ac_help --without-shadow Disable shadow password support" ac_help="$ac_help --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY" @@ -588,7 +590,7 @@ # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:592: checking for $ac_word" >&5 +echo "configure:594: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -618,7 +620,7 @@ # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:622: checking for $ac_word" >&5 +echo "configure:624: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -669,7 +671,7 @@ # Extract the first word of "cl", so it can be a program name with args. set dummy cl; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:673: checking for $ac_word" >&5 +echo "configure:675: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -701,7 +703,7 @@ fi echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6 -echo "configure:705: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 +echo "configure:707: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 ac_ext=c # CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. 
@@ -712,12 +714,12 @@ cat > conftest.$ac_ext << EOF -#line 716 "configure" +#line 718 "configure" #include "confdefs.h" main(){return(0);} EOF -if { (eval echo configure:721: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:723: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then ac_cv_prog_cc_works=yes # If we can't run a trivial program, we are probably using a cross compiler. if (./conftest; exit) 2>/dev/null; then @@ -743,12 +745,12 @@ { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; } fi echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6 -echo "configure:747: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 +echo "configure:749: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6 cross_compiling=$ac_cv_prog_cc_cross echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6 -echo "configure:752: checking whether we are using GNU C" >&5 +echo "configure:754: checking whether we are using GNU C" >&5 if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -757,7 +759,7 @@ yes; #endif EOF -if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:761: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then +if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:763: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then ac_cv_prog_gcc=yes else ac_cv_prog_gcc=no 
@@ -776,7 +778,7 @@ ac_save_CFLAGS="$CFLAGS" CFLAGS= echo $ac_n "checking whether ${CC-cc} accepts -g""... $ac_c" 1>&6 -echo "configure:780: checking whether ${CC-cc} accepts -g" >&5 +echo "configure:782: checking whether ${CC-cc} accepts -g" >&5 if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -833,7 +835,7 @@ fi echo $ac_n "checking host system type""... $ac_c" 1>&6 -echo "configure:837: checking host system type" >&5 +echo "configure:839: checking host system type" >&5 host_alias=$host case "$host_alias" in @@ -856,7 +858,7 @@ # Checks for programs. echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 -echo "configure:860: checking how to run the C preprocessor" >&5 +echo "configure:862: checking how to run the C preprocessor" >&5 # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= @@ -871,13 +873,13 @@ # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:881: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:883: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -888,13 +890,13 @@ rm -rf conftest* CPP="${CC-cc} -E -traditional-cpp" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:898: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:900: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : 
@@ -905,13 +907,13 @@ rm -rf conftest* CPP="${CC-cc} -nologo -E" cat > conftest.$ac_ext < Syntax Error EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:915: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:917: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then : @@ -938,7 +940,7 @@ # Extract the first word of "ranlib", so it can be a program name with args. set dummy ranlib; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:942: checking for $ac_word" >&5 +echo "configure:944: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -977,7 +979,7 @@ # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # ./install, which can be erroneously created by make from ./install.sh. echo $ac_n "checking for a BSD compatible install""... $ac_c" 1>&6 -echo "configure:981: checking for a BSD compatible install" >&5 +echo "configure:983: checking for a BSD compatible install" >&5 if test -z "$INSTALL"; then if eval "test \"`echo '$''{'ac_cv_path_install'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1032,7 +1034,7 @@ # Extract the first word of "ar", so it can be a program name with args. set dummy ar; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1036: checking for $ac_word" >&5 +echo "configure:1038: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_prog_AR'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -1061,7 +1063,7 @@ # Extract the first word of "perl", so it can be a program name with args. set dummy perl; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1065: checking for $ac_word" >&5 +echo "configure:1067: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PERL'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1097,7 +1099,7 @@ # Extract the first word of "ent", so it can be a program name with args. set dummy ent; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1101: checking for $ac_word" >&5 +echo "configure:1103: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_ENT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1142,7 +1144,7 @@ # Extract the first word of "login", so it can be a program name with args. set dummy login; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:1146: checking for $ac_word" >&5 +echo "configure:1148: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_LOGIN_PROGRAM_FALLBACK'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -1189,21 +1191,21 @@ # C Compiler features echo $ac_n "checking for inline""... $ac_c" 1>&6 -echo "configure:1193: checking for inline" >&5 +echo "configure:1195: checking for inline" >&5 if eval "test \"`echo '$''{'ac_cv_c_inline'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else ac_cv_c_inline=no for ac_kw in inline __inline__ __inline; do cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:1209: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_c_inline=$ac_kw; break else 
@@ -1242,12 +1244,12 @@ blibpath="/usr/lib:/lib:/usr/local/lib" fi echo $ac_n "checking for authenticate""... $ac_c" 1>&6 -echo "configure:1246: checking for authenticate" >&5 +echo "configure:1248: checking for authenticate" >&5 if eval "test \"`echo '$''{'ac_cv_func_authenticate'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1276: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_authenticate=yes" else @@ -1316,7 +1318,7 @@ EOF echo $ac_n "checking for HPUX trusted system password database""... $ac_c" 1>&6 -echo "configure:1320: checking for HPUX trusted system password database" >&5 +echo "configure:1322: checking for HPUX trusted system password database" >&5 if test -f /tcb/files/auth/system/default; then echo "$ac_t""yes" 1>&6 cat >> confdefs.h <<\EOF @@ -1343,7 +1345,7 @@ EOF echo $ac_n "checking for HPUX trusted system password database""... $ac_c" 1>&6 -echo "configure:1347: checking for HPUX trusted system password database" >&5 +echo "configure:1349: checking for HPUX trusted system password database" >&5 if test -f /tcb/files/auth/system/default; then echo "$ac_t""yes" 1>&6 cat >> confdefs.h <<\EOF @@ -1429,7 +1431,7 @@ # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" echo $ac_n "checking for obsolete utmp and wtmp in solaris2.x""... $ac_c" 1>&6 -echo "configure:1433: checking for obsolete utmp and wtmp in solaris2.x" >&5 +echo "configure:1435: checking for obsolete utmp and wtmp in solaris2.x" >&5 sol2ver=`echo "$host"| sed -e 's/.*[0-9]\.//'` if test "$sol2ver" -ge 8; then echo "$ac_t""yes" 1>&6 
@@ -1450,12 +1452,12 @@ for ac_func in getpwanam do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1454: checking for $ac_func" >&5 +echo "configure:1456: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1484: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -1546,7 +1548,7 @@ # This is untested if test ! -z "USE_SIA" ; then echo $ac_n "checking for Digital Unix Security Integration Architecture""... $ac_c" 1>&6 -echo "configure:1550: checking for Digital Unix Security Integration Architecture" >&5 +echo "configure:1552: checking for Digital Unix Security Integration Architecture" >&5 if test -f /etc/sia/matrix.conf; then echo "$ac_t""yes" 1>&6 cat >> confdefs.h <<\EOF @@ -1603,7 +1605,7 @@ # Checks for libraries. echo $ac_n "checking for deflate in -lz""... $ac_c" 1>&6 -echo "configure:1607: checking for deflate in -lz" >&5 +echo "configure:1609: checking for deflate in -lz" >&5 ac_lib_var=`echo z'_'deflate | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1611,7 +1613,7 @@ ac_save_LIBS="$LIBS" LIBS="-lz $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1628: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -1651,7 +1653,7 @@ fi echo $ac_n "checking for login in -lutil""... $ac_c" 1>&6 -echo "configure:1655: checking for login in -lutil" >&5 +echo "configure:1657: checking for login in -lutil" >&5 ac_lib_var=`echo util'_'login | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1659,7 +1661,7 @@ ac_save_LIBS="$LIBS" LIBS="-lutil $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1676: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -1696,7 +1698,7 @@ if test -z "$no_libsocket" ; then echo $ac_n "checking for yp_match in -lnsl""... $ac_c" 1>&6 -echo "configure:1700: checking for yp_match in -lnsl" >&5 +echo "configure:1702: checking for yp_match in -lnsl" >&5 ac_lib_var=`echo nsl'_'yp_match | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -1704,7 +1706,7 @@ ac_save_LIBS="$LIBS" LIBS="-lnsl $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1721: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -1745,7 +1747,7 @@ fi if test -z "$no_libnsl" ; then echo $ac_n "checking for main in -lsocket""... $ac_c" 1>&6 -echo "configure:1749: checking for main in -lsocket" >&5 +echo "configure:1751: checking for main in -lsocket" >&5 ac_lib_var=`echo socket'_'main | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 
@@ -1753,14 +1755,14 @@ ac_save_LIBS="$LIBS" LIBS="-lsocket $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1766: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -1794,17 +1796,17 @@ do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:1798: checking for $ac_hdr" >&5 +echo "configure:1800: checking for $ac_hdr" >&5 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:1808: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:1810: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* @@ -1834,12 +1836,12 @@ for ac_func in arc4random atexit b64_ntop bcopy bindresvport_af clock freeaddrinfo gai_strerror getaddrinfo getnameinfo getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty rresvport_af setenv seteuid setlogin setproctitle setreuid sigaction sigvec snprintf strerror strlcat strlcpy strsep vsnprintf vhangup _getpty __b64_ntop do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1838: checking for $ac_func" >&5 +echo "configure:1840: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1868: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -1889,12 +1891,12 @@ for ac_func in gettimeofday time do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1893: checking for $ac_func" >&5 +echo "configure:1895: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1923: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -1944,12 +1946,12 @@ for ac_func in login logout updwtmp logwtmp do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:1948: checking for $ac_func" >&5 +echo "configure:1950: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:1978: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -1999,12 +2001,12 @@ for ac_func in entutent getutent getutid getutline pututline setutent do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2003: checking for $ac_func" >&5 +echo "configure:2005: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2033: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -2054,12 +2056,12 @@ for ac_func in utmpname do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2058: checking for $ac_func" >&5 +echo "configure:2060: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2088: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -2109,12 +2111,12 @@ for ac_func in entutxent getutxent getutxid getutxline pututxline do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2113: checking for $ac_func" >&5 +echo "configure:2115: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2143: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -2164,12 +2166,12 @@ for ac_func in setutxent utmpxname do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2168: checking for $ac_func" >&5 +echo "configure:2170: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2198: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else 
@@ -2218,12 +2220,12 @@ echo $ac_n "checking for getuserattr""... $ac_c" 1>&6 -echo "configure:2222: checking for getuserattr" >&5 +echo "configure:2224: checking for getuserattr" >&5 if eval "test \"`echo '$''{'ac_cv_func_getuserattr'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2252: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_getuserattr=yes" else @@ -2267,7 +2269,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for getuserattr in -ls""... $ac_c" 1>&6 -echo "configure:2271: checking for getuserattr in -ls" >&5 +echo "configure:2273: checking for getuserattr in -ls" >&5 ac_lib_var=`echo s'_'getuserattr | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2275,7 +2277,7 @@ ac_save_LIBS="$LIBS" LIBS="-ls $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2292: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2314,12 +2316,12 @@ echo $ac_n "checking for login""... $ac_c" 1>&6 -echo "configure:2318: checking for login" >&5 +echo "configure:2320: checking for login" >&5 if eval "test \"`echo '$''{'ac_cv_func_login'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2348: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_login=yes" else 
@@ -2363,7 +2365,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for login in -lbsd""... $ac_c" 1>&6 -echo "configure:2367: checking for login in -lbsd" >&5 +echo "configure:2369: checking for login in -lbsd" >&5 ac_lib_var=`echo bsd'_'login | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2371,7 +2373,7 @@ ac_save_LIBS="$LIBS" LIBS="-lbsd $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2388: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -2410,12 +2412,12 @@ echo $ac_n "checking for daemon""... $ac_c" 1>&6 -echo "configure:2414: checking for daemon" >&5 +echo "configure:2416: checking for daemon" >&5 if eval "test \"`echo '$''{'ac_cv_func_daemon'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2444: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_daemon=yes" else @@ -2459,7 +2461,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for daemon in -lbsd""... $ac_c" 1>&6 -echo "configure:2463: checking for daemon in -lbsd" >&5 +echo "configure:2465: checking for daemon in -lbsd" >&5 ac_lib_var=`echo bsd'_'daemon | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2467,7 +2469,7 @@ ac_save_LIBS="$LIBS" LIBS="-lbsd $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2484: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -2506,12 +2508,12 @@ echo $ac_n "checking for getpagesize""... $ac_c" 1>&6 -echo "configure:2510: checking for getpagesize" >&5 +echo "configure:2512: checking for getpagesize" >&5 if eval "test \"`echo '$''{'ac_cv_func_getpagesize'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2540: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_getpagesize=yes" else @@ -2555,7 +2557,7 @@ else echo "$ac_t""no" 1>&6 echo $ac_n "checking for getpagesize in -lucb""... $ac_c" 1>&6 -echo "configure:2559: checking for getpagesize in -lucb" >&5 +echo "configure:2561: checking for getpagesize in -lucb" >&5 ac_lib_var=`echo ucb'_'getpagesize | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2563,7 +2565,7 @@ ac_save_LIBS="$LIBS" LIBS="-lucb $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2580: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -2604,19 +2606,19 @@ # Check for broken snprintf if test "x$ac_cv_func_snprintf" = "xyes" ; then echo $ac_n "checking whether snprintf correctly terminates long strings""... $ac_c" 1>&6 -echo "configure:2608: checking whether snprintf correctly terminates long strings" >&5 +echo "configure:2610: checking whether snprintf correctly terminates long strings" >&5 if test "$cross_compiling" = yes; then { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < int main(void){char b[5];snprintf(b,5,"123456789");return(b[4]!='\0');} EOF -if { (eval echo configure:2620: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:2622: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then echo "$ac_t""yes" 1>&6 else @@ -2657,7 +2659,7 @@ if (test -z "$no_pam" && test "x$ac_cv_header_security_pam_appl_h" = "xyes") ; then echo $ac_n "checking for dlopen in -ldl""... $ac_c" 1>&6 -echo "configure:2661: checking for dlopen in -ldl" >&5 +echo "configure:2663: checking for dlopen in -ldl" >&5 ac_lib_var=`echo dl'_'dlopen | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -2665,7 +2667,7 @@ ac_save_LIBS="$LIBS" LIBS="-ldl $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2682: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else 
@@ -2708,12 +2710,12 @@ for ac_func in pam_getenvlist do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 -echo "configure:2712: checking for $ac_func" >&5 +echo "configure:2714: checking for $ac_func" >&5 if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:2742: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_func_$ac_func=yes" else @@ -2767,9 +2769,9 @@ # Check PAM strerror arguments (old PAM) echo $ac_n "checking whether pam_strerror takes only one argument""... $ac_c" 1>&6 -echo "configure:2771: checking whether pam_strerror takes only one argument" >&5 +echo "configure:2773: checking whether pam_strerror takes only one argument" >&5 cat > conftest.$ac_ext < @@ -2779,7 +2781,7 @@ (void)pam_strerror((pam_handle_t *)NULL, -1); ; return 0; } EOF -if { (eval echo configure:2783: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:2785: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""no" 1>&6 else @@ -2819,7 +2821,7 @@ tryssldir="$tryssldir $prefix" fi echo $ac_n "checking for OpenSSL directory""... $ac_c" 1>&6 -echo "configure:2823: checking for OpenSSL directory" >&5 +echo "configure:2825: checking for OpenSSL directory" >&5 if eval "test \"`echo '$''{'ac_cv_openssldir'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -2844,7 +2846,7 @@ { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < 
@@ -2858,7 +2860,7 @@ } EOF -if { (eval echo configure:2862: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:2864: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then found_crypto=1 @@ -2913,7 +2915,7 @@ # Now test RSA support saved_LIBS="$LIBS" echo $ac_n "checking for RSA support""... $ac_c" 1>&6 -echo "configure:2917: checking for RSA support" >&5 +echo "configure:2919: checking for RSA support" >&5 for WANTS_RSAREF in "" 1 ; do if test -z "$WANTS_RSAREF" ; then LIBS="$saved_LIBS" @@ -2924,7 +2926,7 @@ { echo "configure: error: can not run test program while cross compiling" 1>&2; exit 1; } else cat > conftest.$ac_ext < @@ -2943,7 +2945,7 @@ } EOF -if { (eval echo configure:2947: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:2949: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then rsa_works=1 @@ -2979,7 +2981,7 @@ # Checks for data types echo $ac_n "checking size of char""... $ac_c" 1>&6 -echo "configure:2983: checking size of char" >&5 +echo "configure:2985: checking size of char" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_char'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -2987,7 +2989,7 @@ ac_cv_sizeof_char=1 else cat > conftest.$ac_ext < main() @@ -2998,7 +3000,7 @@ exit(0); } EOF -if { (eval echo configure:3002: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:3004: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_char=`cat conftestval` else 
@@ -3018,7 +3020,7 @@ echo $ac_n "checking size of short int""... $ac_c" 1>&6 -echo "configure:3022: checking size of short int" >&5 +echo "configure:3024: checking size of short int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_short_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3026,7 +3028,7 @@ ac_cv_sizeof_short_int=2 else cat > conftest.$ac_ext < main() @@ -3037,7 +3039,7 @@ exit(0); } EOF -if { (eval echo configure:3041: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:3043: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_short_int=`cat conftestval` else @@ -3057,7 +3059,7 @@ echo $ac_n "checking size of int""... $ac_c" 1>&6 -echo "configure:3061: checking size of int" >&5 +echo "configure:3063: checking size of int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3065,7 +3067,7 @@ ac_cv_sizeof_int=4 else cat > conftest.$ac_ext < main() @@ -3076,7 +3078,7 @@ exit(0); } EOF -if { (eval echo configure:3080: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:3082: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_int=`cat conftestval` else @@ -3096,7 +3098,7 @@ echo $ac_n "checking size of long int""... $ac_c" 1>&6 -echo "configure:3100: checking size of long int" >&5 +echo "configure:3102: checking size of long int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_long_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3104,7 +3106,7 @@ ac_cv_sizeof_long_int=4 else cat > conftest.$ac_ext < main() 
@@ -3115,7 +3117,7 @@ exit(0); } EOF -if { (eval echo configure:3119: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:3121: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_long_int=`cat conftestval` else @@ -3135,7 +3137,7 @@ echo $ac_n "checking size of long long int""... $ac_c" 1>&6 -echo "configure:3139: checking size of long long int" >&5 +echo "configure:3141: checking size of long long int" >&5 if eval "test \"`echo '$''{'ac_cv_sizeof_long_long_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -3143,7 +3145,7 @@ ac_cv_sizeof_long_long_int=8 else cat > conftest.$ac_ext < main() @@ -3154,7 +3156,7 @@ exit(0); } EOF -if { (eval echo configure:3158: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +if { (eval echo configure:3160: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null then ac_cv_sizeof_long_long_int=`cat conftestval` else @@ -3176,20 +3178,20 @@ # More checks for data types echo $ac_n "checking for u_int type""... $ac_c" 1>&6 -echo "configure:3180: checking for u_int type" >&5 +echo "configure:3182: checking for u_int type" >&5 if eval "test \"`echo '$''{'ac_cv_have_u_int'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { u_int a; a = 1; ; return 0; } EOF -if { (eval echo configure:3193: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3195: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_u_int="yes" else 
@@ -3213,20 +3215,20 @@ fi echo $ac_n "checking for intXX_t types""... $ac_c" 1>&6 -echo "configure:3217: checking for intXX_t types" >&5 +echo "configure:3219: checking for intXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_intxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { int8_t a; int16_t b; int32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:3230: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3232: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_intxx_t="yes" else @@ -3250,20 +3252,20 @@ fi echo $ac_n "checking for u_intXX_t types""... $ac_c" 1>&6 -echo "configure:3254: checking for u_intXX_t types" >&5 +echo "configure:3256: checking for u_intXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_u_intxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < int main() { u_int8_t a; u_int16_t b; u_int32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:3267: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3269: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_u_intxx_t="yes" else @@ -3290,9 +3292,9 @@ test "x$ac_cv_header_sys_bitypes_h" = "xyes") then echo $ac_n "checking for intXX_t and u_intXX_t types in sys/bitypes.h""... $ac_c" 1>&6 -echo "configure:3294: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5 +echo "configure:3296: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5 cat > conftest.$ac_ext < @@ -3305,7 +3307,7 @@ ; return 0; } EOF -if { (eval echo configure:3309: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3311: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* cat >> confdefs.h <<\EOF 
@@ -3330,13 +3332,13 @@ if test -z "$have_u_intxx_t" ; then echo $ac_n "checking for uintXX_t types""... $ac_c" 1>&6 -echo "configure:3334: checking for uintXX_t types" >&5 +echo "configure:3336: checking for uintXX_t types" >&5 if eval "test \"`echo '$''{'ac_cv_have_uintxx_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3345,7 +3347,7 @@ uint8_t a; uint16_t b; uint32_t c; a = b = c = 1; ; return 0; } EOF -if { (eval echo configure:3349: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3351: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_uintxx_t="yes" else @@ -3369,13 +3371,13 @@ fi echo $ac_n "checking for socklen_t""... $ac_c" 1>&6 -echo "configure:3373: checking for socklen_t" >&5 +echo "configure:3375: checking for socklen_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_socklen_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3385,7 +3387,7 @@ socklen_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3389: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3391: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_socklen_t="yes" else @@ -3408,13 +3410,13 @@ fi echo $ac_n "checking for size_t""... $ac_c" 1>&6 -echo "configure:3412: checking for size_t" >&5 +echo "configure:3414: checking for size_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_size_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3423,7 +3425,7 @@ size_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3427: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3429: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_size_t="yes" else 
@@ -3446,13 +3448,13 @@ fi echo $ac_n "checking for ssize_t""... $ac_c" 1>&6 -echo "configure:3450: checking for ssize_t" >&5 +echo "configure:3452: checking for ssize_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_ssize_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3461,7 +3463,7 @@ ssize_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3465: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3467: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_ssize_t="yes" else @@ -3484,13 +3486,13 @@ fi echo $ac_n "checking for sa_family_t""... $ac_c" 1>&6 -echo "configure:3488: checking for sa_family_t" >&5 +echo "configure:3490: checking for sa_family_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_sa_family_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3500,7 +3502,7 @@ sa_family_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3504: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3506: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_sa_family_t="yes" else @@ -3523,13 +3525,13 @@ fi echo $ac_n "checking for pid_t""... $ac_c" 1>&6 -echo "configure:3527: checking for pid_t" >&5 +echo "configure:3529: checking for pid_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_pid_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3538,7 +3540,7 @@ pid_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3542: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3544: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_pid_t="yes" else 
@@ -3561,13 +3563,13 @@ fi echo $ac_n "checking for mode_t""... $ac_c" 1>&6 -echo "configure:3565: checking for mode_t" >&5 +echo "configure:3567: checking for mode_t" >&5 if eval "test \"`echo '$''{'ac_cv_have_mode_t'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3576,7 +3578,7 @@ mode_t foo; foo = 1235; ; return 0; } EOF -if { (eval echo configure:3580: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3582: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_mode_t="yes" else @@ -3600,13 +3602,13 @@ echo $ac_n "checking for struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:3604: checking for struct sockaddr_storage" >&5 +echo "configure:3606: checking for struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_sockaddr_storage'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3616,7 +3618,7 @@ struct sockaddr_storage s; ; return 0; } EOF -if { (eval echo configure:3620: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3622: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_sockaddr_storage="yes" else @@ -3639,13 +3641,13 @@ fi echo $ac_n "checking for struct sockaddr_in6""... $ac_c" 1>&6 -echo "configure:3643: checking for struct sockaddr_in6" >&5 +echo "configure:3645: checking for struct sockaddr_in6" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_sockaddr_in6'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3655,7 +3657,7 @@ struct sockaddr_in6 s; s.sin6_family = 0; ; return 0; } EOF -if { (eval echo configure:3659: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3661: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_sockaddr_in6="yes" else 
@@ -3678,13 +3680,13 @@ fi echo $ac_n "checking for struct in6_addr""... $ac_c" 1>&6 -echo "configure:3682: checking for struct in6_addr" >&5 +echo "configure:3684: checking for struct in6_addr" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_in6_addr'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3694,7 +3696,7 @@ struct in6_addr s; s.s6_addr[0] = 0; ; return 0; } EOF -if { (eval echo configure:3698: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3700: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_in6_addr="yes" else @@ -3717,13 +3719,13 @@ fi echo $ac_n "checking for struct addrinfo""... $ac_c" 1>&6 -echo "configure:3721: checking for struct addrinfo" >&5 +echo "configure:3723: checking for struct addrinfo" >&5 if eval "test \"`echo '$''{'ac_cv_have_struct_addrinfo'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -3734,7 +3736,7 @@ struct addrinfo s; s.ai_flags = AI_PASSIVE; ; return 0; } EOF -if { (eval echo configure:3738: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3740: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_struct_addrinfo="yes" else @@ -3764,13 +3766,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host echo $ac_n "checking for ut_host field in utmp.h""... $ac_c" 1>&6 -echo "configure:3768: checking for ut_host field in utmp.h" >&5 +echo "configure:3770: checking for ut_host field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -3804,13 +3806,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host echo $ac_n "checking for ut_host field in utmpx.h""... $ac_c" 1>&6 -echo "configure:3808: checking for ut_host field in utmpx.h" >&5 +echo "configure:3810: checking for ut_host field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -3844,13 +3846,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"syslen echo $ac_n "checking for syslen field in utmpx.h""... $ac_c" 1>&6 -echo "configure:3848: checking for syslen field in utmpx.h" >&5 +echo "configure:3850: checking for syslen field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -3884,13 +3886,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_pid echo $ac_n "checking for ut_pid field in utmp.h""... $ac_c" 1>&6 -echo "configure:3888: checking for ut_pid field in utmp.h" >&5 +echo "configure:3890: checking for ut_pid field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -3924,13 +3926,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type echo $ac_n "checking for ut_type field in utmp.h""... $ac_c" 1>&6 -echo "configure:3928: checking for ut_type field in utmp.h" >&5 +echo "configure:3930: checking for ut_type field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -3964,13 +3966,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type echo $ac_n "checking for ut_type field in utmpx.h""... $ac_c" 1>&6 -echo "configure:3968: checking for ut_type field in utmpx.h" >&5 +echo "configure:3970: checking for ut_type field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4004,13 +4006,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv echo $ac_n "checking for ut_tv field in utmp.h""... $ac_c" 1>&6 -echo "configure:4008: checking for ut_tv field in utmp.h" >&5 +echo "configure:4010: checking for ut_tv field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4044,13 +4046,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id echo $ac_n "checking for ut_id field in utmp.h""... $ac_c" 1>&6 -echo "configure:4048: checking for ut_id field in utmp.h" >&5 +echo "configure:4050: checking for ut_id field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4084,13 +4086,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id echo $ac_n "checking for ut_id field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4088: checking for ut_id field in utmpx.h" >&5 +echo "configure:4090: checking for ut_id field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -4124,13 +4126,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr echo $ac_n "checking for ut_addr field in utmp.h""... $ac_c" 1>&6 -echo "configure:4128: checking for ut_addr field in utmp.h" >&5 +echo "configure:4130: checking for ut_addr field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4164,13 +4166,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr echo $ac_n "checking for ut_addr field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4168: checking for ut_addr field in utmpx.h" >&5 +echo "configure:4170: checking for ut_addr field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4204,13 +4206,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6 echo $ac_n "checking for ut_addr_v6 field in utmp.h""... $ac_c" 1>&6 -echo "configure:4208: checking for ut_addr_v6 field in utmp.h" >&5 +echo "configure:4210: checking for ut_addr_v6 field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4244,13 +4246,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6 echo $ac_n "checking for ut_addr_v6 field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4248: checking for ut_addr_v6 field in utmpx.h" >&5 +echo "configure:4250: checking for ut_addr_v6 field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -4284,13 +4286,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_exit echo $ac_n "checking for ut_exit field in utmp.h""... $ac_c" 1>&6 -echo "configure:4288: checking for ut_exit field in utmp.h" >&5 +echo "configure:4290: checking for ut_exit field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4324,13 +4326,13 @@ ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time echo $ac_n "checking for ut_time field in utmp.h""... $ac_c" 1>&6 -echo "configure:4328: checking for ut_time field in utmp.h" >&5 +echo "configure:4330: checking for ut_time field in utmp.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4364,13 +4366,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time echo $ac_n "checking for ut_time field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4368: checking for ut_time field in utmpx.h" >&5 +echo "configure:4370: checking for ut_time field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF @@ -4404,13 +4406,13 @@ ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv echo $ac_n "checking for ut_tv field in utmpx.h""... $ac_c" 1>&6 -echo "configure:4408: checking for ut_tv field in utmpx.h" >&5 +echo "configure:4410: checking for ut_tv field in utmpx.h" >&5 if eval "test \"`echo '$''{'$ossh_varname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF 
@@ -4441,13 +4443,13 @@ echo $ac_n "checking for sun_len field in struct sockaddr_un""... $ac_c" 1>&6 -echo "configure:4445: checking for sun_len field in struct sockaddr_un" >&5 +echo "configure:4447: checking for sun_len field in struct sockaddr_un" >&5 if eval "test \"`echo '$''{'ac_cv_have_sun_len_in_struct_sockaddr_un'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -4457,7 +4459,7 @@ struct sockaddr_un s; s.sun_len = 1; ; return 0; } EOF -if { (eval echo configure:4461: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4463: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_sun_len_in_struct_sockaddr_un="yes" else @@ -4479,13 +4481,13 @@ fi echo $ac_n "checking for ss_family field in struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:4483: checking for ss_family field in struct sockaddr_storage" >&5 +echo "configure:4485: checking for ss_family field in struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have_ss_family_in_struct_ss'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -4495,7 +4497,7 @@ struct sockaddr_storage s; s.ss_family = 1; ; return 0; } EOF -if { (eval echo configure:4499: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4501: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_ss_family_in_struct_ss="yes" else @@ -4517,13 +4519,13 @@ fi echo $ac_n "checking for __ss_family field in struct sockaddr_storage""... $ac_c" 1>&6 -echo "configure:4521: checking for __ss_family field in struct sockaddr_storage" >&5 +echo "configure:4523: checking for __ss_family field in struct sockaddr_storage" >&5 if eval "test \"`echo '$''{'ac_cv_have___ss_family_in_struct_ss'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < 
@@ -4533,7 +4535,7 @@ struct sockaddr_storage s; s.__ss_family = 1; ; return 0; } EOF -if { (eval echo configure:4537: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4539: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have___ss_family_in_struct_ss="yes" else @@ -4556,13 +4558,13 @@ fi echo $ac_n "checking for pw_class field in struct passwd""... $ac_c" 1>&6 -echo "configure:4560: checking for pw_class field in struct passwd" >&5 +echo "configure:4562: checking for pw_class field in struct passwd" >&5 if eval "test \"`echo '$''{'ac_cv_have_pw_class_in_struct_passwd'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < @@ -4572,7 +4574,7 @@ struct passwd p s; p.pw_class = NULL; ; return 0; } EOF -if { (eval echo configure:4576: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:4578: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_pw_class_in_struct_passwd="yes" else @@ -4596,20 +4598,20 @@ echo $ac_n "checking if libc defines __progname""... $ac_c" 1>&6 -echo "configure:4600: checking if libc defines __progname" >&5 +echo "configure:4602: checking if libc defines __progname" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines___progname'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4615: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines___progname="yes" else 
@@ -4633,20 +4635,20 @@ echo $ac_n "checking if libc defines sys_errlist""... $ac_c" 1>&6 -echo "configure:4637: checking if libc defines sys_errlist" >&5 +echo "configure:4639: checking if libc defines sys_errlist" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines_sys_errlist'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4652: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines_sys_errlist="yes" else @@ -4670,20 +4672,20 @@ echo $ac_n "checking if libc defines sys_nerr""... $ac_c" 1>&6 -echo "configure:4674: checking if libc defines sys_nerr" >&5 +echo "configure:4676: checking if libc defines sys_nerr" >&5 if eval "test \"`echo '$''{'ac_cv_libc_defines_sys_nerr'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:4689: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* ac_cv_libc_defines_sys_nerr="yes" else @@ -4720,7 +4722,7 @@ # Extract the first word of "rsh", so it can be a program name with args. set dummy rsh; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:4724: checking for $ac_word" >&5 +echo "configure:4726: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_rsh_path'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4770,7 +4772,7 @@ # Extract the first word of "xauth", so it can be a program name with args. set dummy xauth; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:4774: checking for $ac_word" >&5 +echo "configure:4776: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_xauth_path'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -4836,7 +4838,7 @@ ac_safe=`echo ""/dev/ptmx"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/ptmx"""... $ac_c" 1>&6 -echo "configure:4840: checking for "/dev/ptmx"" >&5 +echo "configure:4842: checking for "/dev/ptmx"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4869,7 +4871,7 @@ ac_safe=`echo ""/dev/ptc"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/ptc"""... $ac_c" 1>&6 -echo "configure:4873: checking for "/dev/ptc"" >&5 +echo "configure:4875: checking for "/dev/ptc"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4920,7 +4922,7 @@ ac_safe=`echo ""/dev/urandom"" | sed 'y%./+-%__p_%'` echo $ac_n "checking for "/dev/urandom"""... $ac_c" 1>&6 -echo "configure:4924: checking for "/dev/urandom"" >&5 +echo "configure:4926: checking for "/dev/urandom"" >&5 if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -4981,7 +4983,7 @@ # Extract the first word of "ls", so it can be a program name with args. set dummy ls; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:4985: checking for $ac_word" >&5 +echo "configure:4987: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5022,7 +5024,7 @@ # Extract the first word of "netstat", so it can be a program name with args. set dummy netstat; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5026: checking for $ac_word" >&5 +echo "configure:5028: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_NETSTAT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -5063,7 +5065,7 @@ # Extract the first word of "arp", so it can be a program name with args. set dummy arp; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5067: checking for $ac_word" >&5 +echo "configure:5069: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_ARP'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5104,7 +5106,7 @@ # Extract the first word of "ifconfig", so it can be a program name with args. set dummy ifconfig; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5108: checking for $ac_word" >&5 +echo "configure:5110: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_IFCONFIG'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5145,7 +5147,7 @@ # Extract the first word of "ps", so it can be a program name with args. set dummy ps; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5149: checking for $ac_word" >&5 +echo "configure:5151: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_PS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5186,7 +5188,7 @@ # Extract the first word of "w", so it can be a program name with args. set dummy w; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5190: checking for $ac_word" >&5 +echo "configure:5192: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_W'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5227,7 +5229,7 @@ # Extract the first word of "who", so it can be a program name with args. set dummy who; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5231: checking for $ac_word" >&5 +echo "configure:5233: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_WHO'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -5268,7 +5270,7 @@ # Extract the first word of "last", so it can be a program name with args. set dummy last; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5272: checking for $ac_word" >&5 +echo "configure:5274: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LAST'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5309,7 +5311,7 @@ # Extract the first word of "lastlog", so it can be a program name with args. set dummy lastlog; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5313: checking for $ac_word" >&5 +echo "configure:5315: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LASTLOG'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5350,7 +5352,7 @@ # Extract the first word of "df", so it can be a program name with args. set dummy df; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5354: checking for $ac_word" >&5 +echo "configure:5356: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_DF'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5391,7 +5393,7 @@ # Extract the first word of "vmstat", so it can be a program name with args. set dummy vmstat; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5395: checking for $ac_word" >&5 +echo "configure:5397: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_VMSTAT'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5432,7 +5434,7 @@ # Extract the first word of "uptime", so it can be a program name with args. set dummy uptime; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5436: checking for $ac_word" >&5 +echo "configure:5438: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_UPTIME'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else 
@@ -5473,7 +5475,7 @@ # Extract the first word of "ipcs", so it can be a program name with args. set dummy ipcs; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5477: checking for $ac_word" >&5 +echo "configure:5479: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_IPCS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5514,7 +5516,7 @@ # Extract the first word of "tail", so it can be a program name with args. set dummy tail; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5518: checking for $ac_word" >&5 +echo "configure:5520: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_TAIL'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5555,7 +5557,7 @@ # Extract the first word of "ls", so it can be a program name with args. set dummy ls; ac_word=$2 echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 -echo "configure:5559: checking for $ac_word" >&5 +echo "configure:5561: checking for $ac_word" >&5 if eval "test \"`echo '$''{'ac_cv_path_PROG_LS'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else @@ -5649,17 +5651,17 @@ do ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` echo $ac_n "checking for $ac_hdr""... $ac_c" 1>&6 -echo "configure:5653: checking for $ac_hdr" >&5 +echo "configure:5655: checking for $ac_hdr" >&5 if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext < EOF ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" -{ (eval echo configure:5663: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +{ (eval echo configure:5665: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` if test -z "$ac_err"; then rm -rf conftest* 
@@ -5686,7 +5688,7 @@ done echo $ac_n "checking for main in -lkrb""... $ac_c" 1>&6 -echo "configure:5690: checking for main in -lkrb" >&5 +echo "configure:5692: checking for main in -lkrb" >&5 ac_lib_var=`echo krb'_'main | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -5694,14 +5696,14 @@ ac_save_LIBS="$LIBS" LIBS="-lkrb $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:5707: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -5737,7 +5739,7 @@ KLIBS="-lkrb -ldes" echo $ac_n "checking for dn_expand in -lresolv""... $ac_c" 1>&6 -echo "configure:5741: checking for dn_expand in -lresolv" >&5 +echo "configure:5743: checking for dn_expand in -lresolv" >&5 ac_lib_var=`echo resolv'_'dn_expand | sed 'y%./+-%__p_%'` if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then echo $ac_n "(cached) $ac_c" 1>&6 @@ -5745,7 +5747,7 @@ ac_save_LIBS="$LIBS" LIBS="-lresolv $LIBS" cat > conftest.$ac_ext <&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:5762: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* eval "ac_cv_lib_$ac_lib_var=yes" else @@ -5857,9 +5859,9 @@ saved_LIBS="$LIBS" LIBS="$LIBS -lwrap" echo $ac_n "checking for libwrap""... $ac_c" 1>&6 -echo "configure:5861: checking for libwrap" >&5 +echo "configure:5863: checking for libwrap" >&5 cat > conftest.$ac_ext < @@ -5869,7 +5871,7 @@ hosts_access(0); ; return 0; } EOF -if { (eval echo configure:5873: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then +if { (eval echo configure:5875: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then rm -rf conftest* echo "$ac_t""yes" 1>&6 
@@ -5913,6 +5915,24 @@ fi +# Check whether to enable chrooting +CHROOT_MSG="no" +# Check whether --with-chroot or --without-chroot was given. +if test "${with_chroot+set}" = set; then + withval="$with_chroot" + + if test "x$withval" != "xno" ; then + cat >> confdefs.h <<\EOF +#define CHROOT 1 +EOF + + CHROOT_MSG="yes" + fi + + +fi + + # Whether to disable shadow password support # Check whether --with-shadow or --without-shadow was given. if test "${with_shadow+set}" = set; then @@ -5932,9 +5952,9 @@ if test -z "$disable_shadow" ; then echo $ac_n "checking if the systems has expire shadow information""... $ac_c" 1>&6 -echo "configure:5936: checking if the systems has expire shadow information" >&5 +echo "configure:5956: checking if the systems has expire shadow information" >&5 cat > conftest.$ac_ext < @@ -5945,7 +5965,7 @@ sp.sp_expire = sp.sp_lstchg = sp.sp_inact = 0; ; return 0; } EOF -if { (eval echo configure:5949: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:5969: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* sp_expire_available=yes else @@ -6031,7 +6051,7 @@ echo $ac_n "checking if we need to convert IPv4 in IPv6-mapped addresses""... $ac_c" 1>&6 -echo "configure:6035: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5 +echo "configure:6055: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5 IPV4_IN6_HACK_MSG="no" # Check whether --with-4in6 or --without-4in6 was given. if test "${with_4in6+set}" = set; then @@ -6174,9 +6194,9 @@ echo $ac_n "checking if your system defines LASTLOG_FILE""... $ac_c" 1>&6 -echo "configure:6178: checking if your system defines LASTLOG_FILE" >&5 +echo "configure:6198: checking if your system defines LASTLOG_FILE" >&5 cat > conftest.$ac_ext < 
@@ -6192,7 +6212,7 @@ char *lastlog = LASTLOG_FILE; ; return 0; } EOF -if { (eval echo configure:6196: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6216: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6202,9 +6222,9 @@ echo "$ac_t""no" 1>&6 echo $ac_n "checking if your system defines _PATH_LASTLOG""... $ac_c" 1>&6 -echo "configure:6206: checking if your system defines _PATH_LASTLOG" >&5 +echo "configure:6226: checking if your system defines _PATH_LASTLOG" >&5 cat > conftest.$ac_ext < @@ -6220,7 +6240,7 @@ char *lastlog = _PATH_LASTLOG; ; return 0; } EOF -if { (eval echo configure:6224: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6244: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6259,9 +6279,9 @@ fi echo $ac_n "checking if your system defines UTMP_FILE""... $ac_c" 1>&6 -echo "configure:6263: checking if your system defines UTMP_FILE" >&5 +echo "configure:6283: checking if your system defines UTMP_FILE" >&5 cat > conftest.$ac_ext < @@ -6274,7 +6294,7 @@ char *utmp = UTMP_FILE; ; return 0; } EOF -if { (eval echo configure:6278: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6298: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6309,9 +6329,9 @@ fi echo $ac_n "checking if your system defines WTMP_FILE""... $ac_c" 1>&6 -echo "configure:6313: checking if your system defines WTMP_FILE" >&5 +echo "configure:6333: checking if your system defines WTMP_FILE" >&5 cat > conftest.$ac_ext < @@ -6324,7 +6344,7 @@ char *wtmp = WTMP_FILE; ; return 0; } EOF -if { (eval echo configure:6328: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6348: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else 
@@ -6360,9 +6380,9 @@ echo $ac_n "checking if your system defines UTMPX_FILE""... $ac_c" 1>&6 -echo "configure:6364: checking if your system defines UTMPX_FILE" >&5 +echo "configure:6384: checking if your system defines UTMPX_FILE" >&5 cat > conftest.$ac_ext < @@ -6378,7 +6398,7 @@ char *utmpx = UTMPX_FILE; ; return 0; } EOF -if { (eval echo configure:6382: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6402: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6405,9 +6425,9 @@ fi echo $ac_n "checking if your system defines WTMPX_FILE""... $ac_c" 1>&6 -echo "configure:6409: checking if your system defines WTMPX_FILE" >&5 +echo "configure:6429: checking if your system defines WTMPX_FILE" >&5 cat > conftest.$ac_ext < @@ -6423,7 +6443,7 @@ char *wtmpx = WTMPX_FILE; ; return 0; } EOF -if { (eval echo configure:6427: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:6447: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* echo "$ac_t""yes" 1>&6 else @@ -6906,6 +6926,7 @@ echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" +echo " Magic token chroot support: $CHROOT_MSG" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Use IPv4 by default hack: $IPV4_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" diff -u --new-file openssh-2.2.0p1/configure.in openssh-2.2.0p1-chroot/configure.in --- openssh-2.2.0p1/configure.in Wed Aug 30 23:20:05 2000 +++ openssh-2.2.0p1-chroot/configure.in Tue Oct 3 19:44:43 2000 
@@ -1063,6 +1063,18 @@ ] ) +# Check whether to enable chrooting +CHROOT_MSG="no" +AC_ARG_WITH(chroot, + [ --with-chroot Enable user chrooting through magic token], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(CHROOT) + CHROOT_MSG="yes" + fi + ] +) + # Whether to disable shadow password support AC_ARG_WITH(shadow, [ --without-shadow Disable shadow password support], @@ -1444,6 +1456,7 @@ echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" +echo " Magic token chroot support: $CHROOT_MSG" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Use IPv4 by default hack: $IPV4_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" diff -u --new-file openssh-2.2.0p1/session.c openssh-2.2.0p1-chroot/session.c --- openssh-2.2.0p1/session.c Tue Aug 29 23:21:22 2000 +++ openssh-2.2.0p1-chroot/session.c Tue Oct 3 19:44:43 2000 @@ -920,6 +920,10 @@ extern char **environ; struct stat st; char *argv[10]; +#ifdef CHROOT + char *user_dir; + char *new_root; +#endif /* CHROOT */ #ifdef WITH_IRIX_PROJECT prid_t projid; #endif /* WITH_IRIX_PROJECT */ @@ -981,6 +985,26 @@ # else /* HAVE_LOGIN_CAP */ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); +# ifdef CHROOT + user_dir = xstrdup(pw->pw_dir); + new_root = user_dir + 1; + + while((new_root = strchr(new_root, '.')) != NULL) { + new_root--; + if(strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + + if(chroot(user_dir) != 0) + fatal("Couldn't chroot to user directory %s", user_dir); + + pw->pw_dir = new_root; + break; + } + new_root += 2; + } +# endif /* CHROOT */ + if (setgid(pw->pw_gid) < 0) { perror("setgid"); exit(1); 
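Review bot: the `--with-chroot` help string in the configure.in hunk ("Enable user chrooting through magic token") never says what the token is or where it goes; the session.c change keys on a `/./` component in the passwd home directory (`strncmp(new_root, "/./", 3)`), so the help text, and a README/INSTALL paragraph, should state that a home directory of the form `/home/./user` chroots the session to `/home` and leaves `/user` as the home inside the jail. Also, the regenerated `configure` (the long run of `configure:NNNN` renumbering hunks preceding the configure.in diff) should be left out of the submitted patch; it buries the two real changes and the maintainer regenerates it from configure.in.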
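Review bot: in the session.c hunk the `# ifdef CHROOT` block is placed inside the `# else /* HAVE_LOGIN_CAP */` branch (right after the `setlogin()` call), so on platforms built with login_cap the `--with-chroot` option compiles to nothing; either repeat the block in the HAVE_LOGIN_CAP branch or hoist it above that `#ifdef` so both uid-setup paths chroot. Second, the hunk calls `chroot(user_dir)` but never `chdir()`: unless the code further down changes directory into the new root and fails closed when that fails, the child keeps a working directory outside the jail, so either add `chdir("/")` (or `chdir(new_root)`) directly after the successful `chroot()` or make the later chdir fatal. The `fatal()` on chroot failure is the right fail-closed choice, and doing this before `setgid()`/uid drop is correct since chroot needs privilege. Minor: `pw->pw_dir = new_root` now points into the `xstrdup()`'d buffer while the original `pw_dir` string is simply abandoned; harmless in the child, but worth a comment.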
@@ -1024,7 +1048,6 @@ #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); #endif - #ifdef AFS /* Try to get AFS tokens for the local cell. */ if (k_hasafs()) {
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 524 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20001004/0a0ea6b3/attachment.bin

From nico at sonycom.com Thu Oct 5 01:52:12 2000
From: nico at sonycom.com (Nico De Ranter)
Date: Wed, 4 Oct 2000 16:52:12 +0200
Subject: openssh 2.2.0p1 and F-secure SSH ftp
Message-ID: <20001004165212.E19225@immortelle.sonytel.be>

Howdy,

I'm sorry if this is a FAQ but I couldn't reach the openssh.com website so I can't check.

Is it possible to use F-Secure SSH FTP 4.1 (client) with the openssh2.2.0p1 server? In the documentation I read that sftp is still on the todo list but "SecureFX (secure ftp)" is supported. Apparently this means there are different ways to do ftp with ssh? In that case which one does F-Secure SSH FTP use and is it supported?

Thanks in advance,

Nico

--------------------------------------------------------
"It has been said that there are only two businesses refer to customers as users: illegal drug trade and the computer industry."
--------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/DME-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
e-mail: nico.deranter at sonycom.com

From mouring at pconline.com Thu Oct 5 01:59:26 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Wed, 4 Oct 2000 09:59:26 -0500 (CDT)
Subject: openssh 2.2.0p1 and F-secure SSH ftp
In-Reply-To: <20001004165212.E19225@immortelle.sonytel.be>
Message-ID:

sftp-server exists in the current snapshot at:

http://www.mindrot.org/misc/openssh/

It works on most systems (and if not in this snapshot, then in upcoming ones it should work with NeXT).

On Wed, 4 Oct 2000, Nico De Ranter wrote:

> Howdy,
>
> I'm sorry if this is a FAQ but I couldn't reach the openssh.com
> website so I can't check.
>
> Is it possible to use F-Secure SSH FTP 4.1 (client) with
> the openssh2.2.0p1 server? In the documentation I read that
> sftp is still on the todo list but "SecureFX (secure ftp)" is
> supported. Apparently this means there are different ways to
> do ftp with ssh? In that case which one does F-Secure SSH FTP
> use and is it supported?
>
> Thanks in advance,
>
> Nico
>
>
> --------------------------------------------------------
> "It has been said that there are only two businesses
> refer to customers as users: illegal drug trade and
> the computer industry."
> --------------------------------------------------------
> Nico De Ranter
> Sony Service Center (SDCE/DME-B)
> Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> e-mail: nico.deranter at sonycom.com
>

From kamahara at cc.kshosen.ac.jp Fri Oct 6 14:34:53 2000
From: kamahara at cc.kshosen.ac.jp (KAMAHARA Junzou)
Date: Fri, 6 Oct 2000 12:34:53 +0900 (JST)
Subject: Openssh 2.2.0p1 configure files has a problem for pw_class
Message-ID:

Hi,

I compiled Openssh 2.2.0p1 on NetBSD/i386 1.5ALPHA2, but I got a configuration error, which is that HAVE_LOGIN_CAP_H was defined though HAVE_PW_CLASS_IN_PASSWD was not defined. So login_getclass() always used the default class (of course, I need /etc/login.conf[.db] and a default entry). The cause of the unavailability was a problem in configure.in. I show the patch below.

diff -u --new-file configure.in.ORG configure.in
--- configure.in.ORG Thu Aug 31 07:20:05 2000
+++ configure.in Thu Oct 5 21:24:25 2000
@@ -759,10 +759,9 @@ ac_cv_have_pw_class_in_struct_passwd, [ AC_TRY_COMPILE( [ -#include #include ], - [ struct passwd p s; p.pw_class = NULL; ], + [ struct passwd p; p.pw_class = 0; ], [ ac_cv_have_pw_class_in_struct_passwd="yes" ], [ ac_cv_have_pw_class_in_struct_passwd="no" ] )

Regards;
JK
--
KAMAHARA Junzo(kamahara at cc.kshosen.ac.jp)
Kobe University of Mercantile Marine, Information Processing Center

From nakaji at tutrp.tut.ac.jp Fri Oct 6 15:03:37 2000
From: nakaji at tutrp.tut.ac.jp (NAKAJI Hiroyuki)
Date: 06 Oct 2000 13:03:37 +0900
Subject: [Need help] sshd cannot work on mips-sony-bsd
In-Reply-To: <871yz6jabk.fsf@nakaji.tutrp.tut.ac.jp> (NAKAJI Hiroyuki's message of "31 Aug 2000 13:58:39 +0900")
References: <87hf82jk5s.fsf@nakaji.tutrp.tut.ac.jp>
Message-ID: <871yxumx9i.fsf@nakaji.tutrp.tut.ac.jp>

I made it!

Ben> Ermm.. I wonder if vhangup is either broken or returning an error that is
Ben> not being caught. Or we are trying to move to a tty device that does
Ben> not exist (but it looks like the wrong section of code for that)

Another person who tried informed me of a little addition to pty.c

--- openssh-2.1.1p4/pty.c Thu Jun 22 20:32:31 2000
+++ openssh-news4/pty.c Tue Sep 26 13:01:07 2000
@@ -235,6 +235,8 @@ */ ioctl(*ttyfd, TIOCSCTTY, NULL); #endif /* TIOCSCTTY */ + if (setpgrp(0,0) < 0) + error("SETPGRP %s",strerror(errno)) ; #ifdef HAVE_VHANGUP old = signal(SIGHUP, SIG_IGN); vhangup();

This makes ssh work on NEWS-OS 4.x.

The full diff from openssh-2.1.1p4 is available at

ftp://ftp.tutrp.tut.ac.jp/pub/sony-news/openssh.diff

and its md5sum is

1582fab8ab563fcd9293452327441697 openssh.diff

Please check, thanks.
--
NAKAJI Hiroyuki

From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Oct 6 21:34:48 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Fri, 6 Oct 2000 12:34:48 +0200
Subject: Open connections when using agent-forwarding
In-Reply-To: <20001002134702.A7050@serv01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Mon, Oct 02, 2000 at 01:47:02PM +0200
References: <20001002134702.A7050@serv01.aet.tu-cottbus.de>
Message-ID: <20001006123448.A14625@serv01.aet.tu-cottbus.de>

On Mon, Oct 02, 2000 at 01:47:02PM +0200, Lutz Jaenicke wrote:
> host-A> slogin -A host-B
> ...
> host-B> ssh host-C "ls -al"
> ... [output from ls -al command]
> host-B> exit
> logout
> Waiting for forwarded connections to terminate...
> The following connections are open:
> #2 accepted auth socket (t4 r0 i8/0 o16/0 fd 9/9)
> #3 accepted auth socket (t4 r1 i8/0 o16/0 fd 10/10)
> I have to kill the "slogin -A host-B" process on "host-A" to terminate the
> session.
>
> When connecting from host-B to host-D, for which RSA host authentication
> is allowed (and hence my personal key not needed), only one connection
> stays open.
In the meantime I have strolled around through the code a little bit, even though I must state that I am not completely sure that I understand everything :-)

For me it seems that when using forwarded agent connections, the authentication channels are opened on the host-B sshd and then closed again, but only for reading:

debug1: channel 3: new [accepted auth socket]
debug1: channel 3: istate=1, ostate=16
debug1: channel 3: read<=0 rfd 12 len 0
debug1: channel 3: read failed
debug1: channel 3: input open -> drain
debug1: channel 3: close_read
debug1: channel 3: input: no drain shortcut
debug1: channel 3: ibuf empty
debug1: channel 3: input drain -> wait_oclose
debug1: channel 3: send ieof
debug1: channel 3: istate=4, ostate=16
debug1: channel 3: istate=4, ostate=16
debug1: channel 3: istate=4, ostate=16
debug1: channel 3: istate=4, ostate=16
debug1: channel 3: istate=4, ostate=16
debug1: channel 3: rcvd oclose
debug1: channel 3: input wait_oclose -> closed
debug1: channel 3: istate=8, ostate=16

(the istate=, ostate= I have added to chan_delete_if_full_closed1()).

From there it seems that the ostate is always left at

#define CHAN_OUTPUT_OPEN 0x10

so that the channel will never see channel_free(c->self).

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

From stevesk at sweden.hp.com Sun Oct 8 01:27:15 2000
From: stevesk at sweden.hp.com (Kevin Steves) Date: Sat, 7 Oct 2000 16:27:15 +0200 (CEST) Subject: Various platforms In-Reply-To: Message-ID: <200010071419.QAA23472@b0fh.sweden.hp.com> On Tue, 3 Oct 2000, J.P. King wrote: : Under HP-UX : =========== : : uname -smr : HP-UX A.09.03 9000/735 Can you upgrade that to 10.20? Is 9.03 supported at all (that's from 1993 or so if I recall)? : There is no seteuid or setreuid, but there is a setresuid, so : using your model in bsd-misc.c, I did: : : ----------- : #if !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) : int seteuid(uid_t euid) : { : return(setreuid(-1,euid)); : } : #endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ : /* JPK */ : int seteuid(uid_t euid) : { : return(setresuid(-1,euid,-1)); : } : ----------- : : This appears to be correct based on the documentation, and appears to : work. That should work. : Also under the same version of HP-UX, you use RLIMIT_CORE, however : this isn't defined in the include files except in , : and even then only for _KERNEL. My kludge was to copy the correct : entry from that header file into ssh.c. I believe if you define _HPUX_SOURCE you should pull in this symbol from the resource.h header file (which is in defined.h). From stevesk at sweden.hp.com Sun Oct 8 01:34:24 2000 From: stevesk at sweden.hp.com (Kevin Steves) Date: Sat, 7 Oct 2000 16:34:24 +0200 (CEST) Subject: Snapshot In-Reply-To: <200009202032.WAA25915@b0fh.sweden.hp.com> Message-ID: <200010071426.QAA23717@b0fh.sweden.hp.com> On Wed, 20 Sep 2000, Kevin Steves wrote: : This is what I had in mind (untested); though I'd prefer to wait a bit : and see when the fix might be available before inserting workarounds : like these in the code. And I don't know when PAM_AUTHTOK_EXPIRED : should be returned and what security issues may result from this. : : --- auth-pam.c~ Sat Sep 16 07:09:27 2000 : +++ auth-pam.c Wed Sep 20 22:24:43 2000 : 
@@ -206,6 +206,13 @@ : case PAM_SUCCESS: : /* This is what we want */ : break; : +#ifdef __hpux : + /* : + * This is a workaround to an HP-UX PAM defect; : + * refer to JAGad29724 for patch availability. : + */ : + case PAM_AUTHTOK_EXPIRED: : +#endif : case PAM_NEW_AUTHTOK_REQD: : pam_msg_cat(NEW_AUTHTOK_MSG); : /* flag that password change is necessary */ This doesn't work. We end up looping in pam_chauthtok() and it's related to the same defect referred to above but there's no way to work around this one. We need a PAM patch which I'm trying to push for. From polk at BSDI.COM Sun Oct 8 03:39:40 2000 
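Review bot: mapping PAM_AUTHTOK_EXPIRED onto the PAM_NEW_AUTHTOK_REQD path in this hunk (the added `case PAM_AUTHTOK_EXPIRED:` falls through to `pam_msg_cat(NEW_AUTHTOK_MSG)`) turns an expired-token result into "authenticated, password change required", and the follow-up reports that the later pam_chauthtok() then loops on the same defect. Until the HP-UX PAM fix (JAGad29724, already cited in the hunk comment) is available, the safer workaround is to leave PAM_AUTHTOK_EXPIRED on the existing non-success handling and only add a log message naming the defect, so an expired token never advances authentication; if the fallthrough is kept, the `#ifdef __hpux` block needs a comment stating that pam_chauthtok() is known to loop.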
From: polk at BSDI.COM (Jeff Polk) Date: Sat, 07 Oct 2000 10:39:40 -0600 Subject: OpenSSH changes for BSD/OS Message-ID: <200010071639.e97Gdjr27760@demiurge.BSDI.COM> The following are patches against openssh 2.1.1p4 to add support for the BSD_AUTH authentication mechanisms. It allows the use of non-challenge/response style mechanisms (which styles are allowed may be limited by appropriate auth-ssh entries in login.conf). The patches also add support for calling setusercontext for the appropriate class when called with a command (so that the PATH, limits, etc. are set appropriately for the class the user is part of). login -h takes care of this when ssh is called for a regular login. To have access to the class when setting up the session, I had to add preserving it in ssh.c, and both version 1 and version 2 auth routines. I made that conditional on the last CSRG release BSD/OS is based on (all of the other BSD's should also have it). Please let me know if you have different suggestions. It looks like the s/key challenge/response code is really a hack using the debugging messages for the challenge on the first login attempt. It looked pretty painful, so I didn't bother making generic challenge/response for BSD_AUTH work using that mechanism. Is there something I'm missing that would make challenge/response more reasonable? Jeff Index: auth1.c =================================================================== RCS file: /master/contrib/openssh/auth1.c,v retrieving revision 1.1.1.1 diff -c -r1.1.1.1 auth1.c *** auth1.c 2000/08/17 16:17:52 1.1.1.1 --- auth1.c 2000/10/06 20:45:57 *************** *** 23,28 **** --- 23,34 ---- # include #endif + #ifdef HAVE_BSD_AUTH + # include + # include + static char *bsduser=NULL; /* XXX -- ugly, but we need the original */ + #endif + /* import */ extern ServerOptions options; extern char *forced_command; *************** *** 315,321 **** NULL, password) == SIASUCCESS) { authenticated = 1; } ! 
#else /* !USE_PAM && !HAVE_OSF_SIA */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); #endif /* USE_PAM */ --- 321,330 ---- NULL, password) == SIASUCCESS) { authenticated = 1; } ! #elif defined(HAVE_BSD_AUTH) ! authenticated = auth_userokay(bsduser, NULL, ! "auth-ssh", password); ! #else /* !USE_PAM && !HAVE_OSF_SIA && !HAVE_BSD_AUTH */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); #endif /* USE_PAM */ *************** *** 469,474 **** --- 478,492 ---- #endif /* AFS */ /* Verify that the user is a valid user. */ + #ifdef HAVE_BSD_AUTH + /* we may have an auth type in the user name we need to strip */ + { + char *p; + bsduser = xstrdup(user); + if ((p = strchr(user, ':')) != NULL) + *p = '\0'; + } + #endif pw = getpwnam(user); if (!pw || !allowed_user(pw)) do_fake_authloop1(user); *************** *** 482,487 **** --- 500,508 ---- pwcopy.pw_gid = pw->pw_gid; pwcopy.pw_dir = xstrdup(pw->pw_dir); pwcopy.pw_shell = xstrdup(pw->pw_shell); + #if defined(BSD) && BSD >= 199506 + pwcopy.pw_class = xstrdup(pw->pw_class); + #endif pw = &pwcopy; #ifdef USE_PAM *************** *** 508,514 **** (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, "") == SIASUCCESS)) { ! #else /* !HAVE_OSF_SIA && !USE_PAM */ auth_password(pw, "")) { #endif /* USE_PAM */ /* Authentication with empty password succeeded. */ --- 529,537 ---- (sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, "") == SIASUCCESS)) { ! #elif defined(HAVE_BSD_AUTH) ! auth_userokay(bsduser, NULL, "auth-ssh", "" )) { ! #else /* !HAVE_OSF_SIA && !USE_PAM && !HAVE_BSD_AUTH */ auth_password(pw, "")) { #endif /* USE_PAM */ /* Authentication with empty password succeeded. 
*/ *************** *** 520,525 **** --- 543,555 ---- authentication is successfull */ do_authloop(pw); } + + #ifdef HAVE_BSD_AUTH + if (bsduser != NULL) { + xfree(bsduser); + bsduser = NULL; + } + #endif /* The user has been authenticated and accepted. */ #ifdef WITH_AIXAUTHENTICATE Index: auth2.c =================================================================== RCS file: /master/contrib/openssh/auth2.c,v retrieving revision 1.1.1.1 diff -c -r1.1.1.1 auth2.c *** auth2.c 2000/08/17 16:17:52 1.1.1.1 --- auth2.c 2000/10/06 20:49:19 *************** *** 61,66 **** --- 61,71 ---- # include #endif + #ifdef HAVE_BSD_AUTH + # include + # include + #endif + /* import */ extern ServerOptions options; extern unsigned char *session_id2; *************** *** 262,268 **** return(sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, "") == SIASUCCESS); ! #else /* !HAVE_OSF_SIA && !USE_PAM */ return auth_password(pw, ""); #endif /* USE_PAM */ } --- 267,275 ---- return(sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, "") == SIASUCCESS); ! #elif defined(HAVE_BSD_AUTH) ! return auth_userokay(authctxt->user, NULL, "auth-ssh", ""); ! #else /* !HAVE_OSF_SIA && !USE_PAM && !HAVE_BSD_AUTH */ return auth_password(pw, ""); #endif /* USE_PAM */ } *************** *** 289,295 **** sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, password) == SIASUCCESS) ! #else /* !USE_PAM && !HAVE_OSF_SIA */ auth_password(pw, password) == 1) #endif /* USE_PAM */ authenticated = 1; --- 296,304 ---- sia_validate_user(NULL, saved_argc, saved_argv, get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, password) == SIASUCCESS) ! #elif defined(HAVE_BSD_AUTH) ! auth_userokay(authctxt->user, NULL, "auth-ssh", password) != 0) ! 
#else /* !USE_PAM && !HAVE_OSF_SIA && !HAVE_BSD_AUTH */ auth_password(pw, password) == 1) #endif /* USE_PAM */ authenticated = 1; *************** *** 397,403 **** --- 406,424 ---- authctxt->user = xstrdup(u); authctxt->service = xstrdup(s); setproctitle("%s", u); + #ifdef HAVE_BSD_AUTH + { + /* user may contain requested auth type */ + char *p; + if ((p = strchr(u, ':')) != NULL) + *p = '\0'; + pw = getpwnam(u); + if (p != NULL) + *p = ':'; + } + #else pw = getpwnam(u); + #endif if (!pw || !allowed_user(pw)) { log("auth_set_user: illegal user %s", u); return NULL; *************** *** 413,418 **** --- 434,442 ---- copy->pw_gid = pw->pw_gid; copy->pw_dir = xstrdup(pw->pw_dir); copy->pw_shell = xstrdup(pw->pw_shell); + #if defined(BSD) && BSD >= 199506 + copy->pw_class = xstrdup(pw->pw_class); + #endif authctxt->valid = 1; } else { if (strcmp(u, authctxt->user) != 0 || Index: session.c =================================================================== RCS file: /master/contrib/openssh/session.c,v retrieving revision 1.1.1.1 diff -c -r1.1.1.1 session.c *** session.c 2000/08/17 16:17:59 1.1.1.1 --- session.c 2000/10/06 21:03:25 *************** *** 32,37 **** --- 32,41 ---- #include #endif /* WITH_IRIX_PROJECT */ + #ifdef HAVE_SETUSERCONTEXT + #include + #endif + #if defined(HAVE_USERSEC_H) #include #endif *************** *** 900,905 **** --- 904,912 ---- #ifdef WITH_IRIX_PROJECT prid_t projid; #endif /* WITH_IRIX_PROJECT */ + #ifdef HAVE_SETUSERCONTEXT + login_cap_t *lc; + #endif /* HAVE_SETUSERCONTEXT */ /* login(1) is only called if we execute the login shell */ if (options.use_login && command != NULL) *************** *** 927,932 **** --- 934,940 ---- /* Login(1) does this as well, and it needs uid 0 for the "-h" switch, so we let login(1) to this for us. 
*/ if (!options.use_login) { + #ifndef HAVE_SETUSERCONTEXT #ifdef HAVE_OSF_SIA extern char **saved_argv; extern int saved_argc; *************** *** 984,989 **** --- 992,1002 ---- if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %d.", (int) pw->pw_uid); #endif /* HAVE_OSF_SIA */ + #else /* HAVE_SETUSERCONTEXT*/ + lc = login_getclass(pw->pw_class); + if (setusercontext(lc, pw, pw->pw_uid, LOGIN_SETALL) < 0) + fatal("setusercontext failed."); + #endif /* HAVE_SETUSERCONTEXT */ } /* * Get the shell from the password data. An empty shell field is *************** *** 1013,1019 **** --- 1026,1038 ---- child_set_env(&env, &envsize, "USER", pw->pw_name); child_set_env(&env, &envsize, "LOGNAME", pw->pw_name); child_set_env(&env, &envsize, "HOME", pw->pw_dir); + #ifdef HAVE_SETUSERCONTEXT + /* update the path to the one setusercontext set for us */ + if (getenv("PATH")) + child_set_env(&env, &envsize, "PATH", getenv("PATH")); + #else child_set_env(&env, &envsize, "PATH", _PATH_STDPATH); + #endif snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name); Index: ssh.c =================================================================== RCS file: /master/contrib/openssh/ssh.c,v retrieving revision 1.1.1.1 diff -c -r1.1.1.1 ssh.c *** ssh.c 2000/08/17 16:18:00 1.1.1.1 --- ssh.c 2000/10/06 20:44:07 *************** *** 492,497 **** --- 492,500 ---- pwcopy.pw_gid = pw->pw_gid; pwcopy.pw_dir = xstrdup(pw->pw_dir); pwcopy.pw_shell = xstrdup(pw->pw_shell); + #if defined(BSD) && BSD >= 199506 + pwcopy.pw_class = xstrdup(pw->pw_class); + #endif pw = &pwcopy; /* Initialize "log" output. Since we are the client all output From jpk28 at hermes.cam.ac.uk Sun Oct 8 05:40:13 2000 
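Review bot: the `#else /* HAVE_SETUSERCONTEXT*/` branch in the session.c hunk at lines 984-989 drops the existing post-condition `if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal(...)` together with the manual uid-setting code it replaces; keep that check after `setusercontext(lc, pw, pw->pw_uid, LOGIN_SETALL)` so the shell is never exec'd with credentials other than the user's, and log when `login_getclass(pw->pw_class)` returns NULL, since setusercontext() then silently falls back to the default class. The `#ifndef HAVE_SETUSERCONTEXT` opened in the 927,932 hunk spans the whole OSF_SIA block, which deserves a comment at the `#ifndef` itself.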
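Review bot: in the session.c hunk at lines 1013-1019, the `#ifdef HAVE_SETUSERCONTEXT` arm sets PATH only `if (getenv("PATH"))`, so when setusercontext() did not set one (no path capability for the class) the child gets no PATH at all, where it previously got `_PATH_STDPATH`; add an `else` arm that falls back to `child_set_env(&env, &envsize, "PATH", _PATH_STDPATH)`.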
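Review bot: in the auth1.c hunk at lines 469-474 the client-supplied user string selects the BSD auth style (everything after the first ':'), which `bsduser` preserves for `auth_userokay(bsduser, NULL, "auth-ssh", ...)` while `user` is truncated in place before getpwnam() and do_fake_authloop1(). That makes the `auth-ssh` entry in login.conf the only thing limiting which styles a remote client may request (as the cover note says), so document that requirement wherever HAVE_BSD_AUTH is described, and log the requested style on failure, because the truncated `user` is what reaches the log in do_fake_authloop1(). The auth2.c hunk at 397-403 restores the ':' after getpwnam(); auth1.c does not, which is worth a comment so the two paths are not mistaken for each other.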
From: jpk28 at hermes.cam.ac.uk (J.P. King) Date: Sat, 7 Oct 2000 19:40:13 +0100 (BST) Subject: Various platforms In-Reply-To: <200010071419.QAA23472@b0fh.sweden.hp.com> from Kevin Steves at "Oct 7, 2000 04:27:15 pm" Message-ID: > : uname -smr > : HP-UX A.09.03 9000/735 > Can you upgrade that to 10.20? Is 9.03 supported at all (that's from > 1993 or so if I recall)? Not my machines, and it avoids the purpose of what I am doing. I am compiling a CD of clients for every platform that I can - we are upgrading from using ssh1.2.27 to OpenSSH, not least because of the SSH1 and SSH2 support. I am compiling on the oldest variants of platforms I can, and testing on more recent versions to make sure that they still work. I am compiling them statically, at least where the OS doesn't fight me hard enough to prevent this. So you can understand what I am up to if you have a look at: http://www-uxsup.csx.cam.ac.uk/CD/ and http://www-uxsup.csx.cam.ac.uk/CD/UCAM_SSH_CD_05/ It would probably be best if this wasn't documented anywhere official, since it is meant to be an internal service. Note that this is merely the upcoming variation of the SSH CD we produce, and it is still beta, so some versions are still to do, like IRIX. > : This appears to be correct based on the documentation, and appears to > : work. > That should work. Good. > : Also under the same version of HP-UX, you use RLIMIT_CORE, however > : this isn't defined in the include files except in , > : and even then only for _KERNEL. My kludge was to copy the correct > : entry from that header file into ssh.c. > I believe if you define _HPUX_SOURCE you should pull in this symbol from > the resource.h header file (which is in defined.h). Sounds good, I will try to use that if I need to recompile. I am somewhat wary about pulling in more things than I need, in case one of the other things upsets the applecart so to speak. 
I was hoping that OpenSSH could be made aware of these aspects in some fashion, such that when I compile a future version this problem doesn't arise. Thanks for your help, and thanks to the OpenSSH people in general for writing it. :-) Julian -- Julian King Computer Officer, University of Cambridge, Unix Support From xercist at lammah.com Sun Oct 8 05:48:12 2000 From: xercist at lammah.com (xercist) Date: Sat, 7 Oct 2000 12:48:12 -0600 Subject: specifying ip when forwarding? Message-ID: <20001007124812.A8426@lammah.com> With openssh, i can use -L x:y:z to forward a local port x to the remote host y's port z. If the sshd server has more than one IP, is there a way to specify which it binds to when forwarding the connection? If not, this may be a feature you should consider adding? -- -*% % % % % % % % % % % % % % % % *- -* xercist *- -* xercist at mindless.com *- -* % % % % % % % % % % % % % % % %*- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20001007/492c4b7b/attachment.bin From mdb at juniper.net Sun Oct 8 06:48:11 2000 
From: mdb at juniper.net (Mark D. Baushke) Date: Sat, 07 Oct 2000 12:48:11 -0700 Subject: specifying ip when forwarding? In-Reply-To: Mail from xercist dated Sat, 07 Oct 2000 12:48:12 MDT <20001007124812.A8426@lammah.com> Message-ID: <200010071948.MAA98898@garnet.juniper.net>

Hi xercist, On Sat, 7 Oct 2000 12:48:12 -0600, xercist wrote: >With openssh, i can use -L x:y:z to forward a local port x to the remote host >y's port z. If the sshd server has more than one IP, is there a way to specify >which it binds to when forwarding the connection? > >If not, this may be a feature you should consider adding?

Sure, if you want to have a particular IP address used, specify the IP address for y. It does not have to be the same as the name on the ssh connection, just bear in mind that host y will be contacted by the sshd on the remote end of your connection.

Example: If www.somedomain.com has IP addresses 172.1.1.2 and 172.1.2.2 as its IP addresses and the host gate.somehost.com on 10.1.1.1 can reach the 172.1.1.2 host, then you should be able to use ssh -L 8080:172.1.1.2:80 gate.somehost.com command to get to port 80 on the 172.1.1.2 interface of the www.somedomain.com host. The above command will bind 127.0.0.1:8080 on your local machine and the sshd running on gate.somehost.com will try to open 172.1.1.2:80 for you as if it were coming from gate.somehost.com. If you used ssh -L 8080:www.somedomain.com:80 gate.somehost.com command then the sshd on gate.somehost.com will try all of the IP addresses for www.somedomain.com in turn until it finds one that lets it accept a connection to port 80. 127.0.0.1:8080 on your local box is still the port that will be available on your local machine. If this is not what you want, then you probably need to be more specific as to what feature you believe needs to be added. Enjoy! -- Mark

From vinschen at cygnus.com Sun Oct 8 08:40:39 2000
From: vinschen at cygnus.com (Corinna Vinschen) Date: Sat, 07 Oct 2000 23:40:39 +0200 Subject: [PATCH]: Add tcp_wrappers protection to port forwarding Message-ID: <39DF9857.F3455BD@cygnus.com>

Hi, attached is a patch by Chris Faylor relative to 2.2.0p1.

Description: OpenSSH does not allow port gatewaying by default. This means that only the local host can access forwarded ports. Adding "GatewayPorts yes" to .ssh/config usually does this job. Unfortunately, OpenSSH does not recognize the same hosts.allow/ hosts.deny options as ssh.com's sshd client, i.e., it doesn't recognize the sshfwd settings in hosts.allow. So adding "GatewayPorts" opens up all forwarded ports to outside inspection not considering using a firewall. The patch uses basically the same method as ssh.com. A lookup is made in hosts.allow/hosts.deny on sshfwd- (not port name -- this is different from ssh.com) and if the tcp_wrappers don't allow the lookup then the connection is closed immediately.

ChangeLog: 20001007 - Add tcp_wrappers protection to port forwarding. From cgf at cygnus.com.

Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin at sources.redhat.com Red Hat, Inc. mailto:vinschen at cygnus.com

-------------- next part -------------- --- channels.c.orig Tue Aug 22 20:46:24 2000 +++ channels.c Mon Oct 2 22:49:22 2000 @@ -38,6 +38,11 @@ RCSID("$OpenBSD: channels.c,v 1.66 2000/ #include "key.h" #include "authfd.h" +#ifdef LIBWRAP +#include +#include +#endif /* LIBWRAP */ + /* Maximum number of fake X11 displays to try. */ #define MAX_DISPLAYS 1000 
@@ -581,6 +586,30 @@ channel_post_port_listener(Channel *c, f } remote_hostname = get_remote_hostname(newsock); remote_port = get_peer_port(newsock); +#ifdef LIBWRAP + { + char fwd[80]; + void (*sigch) (int); + int res; + struct request_info req; + + snprintf(fwd, sizeof(fwd), "sshdfwd-%d", c->host_port); + request_init(&req, RQ_DAEMON, fwd, RQ_FILE, newsock, NULL); + fromhost(&req); + sigch = signal(SIGCHLD, SIG_DFL); + res = hosts_access(&req); + signal(SIGCHLD, sigch); + if (!res) { + packet_send_debug("refused forwarded connection from %.500s to local port %d.", + eval_client(&req), c->host_port); + error("forwarded connection from %.500s to local port %d refused.", + eval_client(&req), c->host_port); + shutdown(newsock, SHUT_RDWR); + close(newsock); + return; + } + } +#endif /* LIBWRAP */ snprintf(buf, sizeof buf, "listen port %d for %.100s port %d, " "connect from %.200s port %d", --- ssh.c.orig Mon Aug 28 20:33:51 2000 +++ ssh.c Mon Oct 2 22:50:29 2000 @@ -30,6 +30,11 @@ RCSID("$OpenBSD: ssh.c,v 1.63 2000/08/28 #include "key.h" #include "authfd.h" #include "authfile.h" +#ifdef LIBWRAP +#include +int allow_severity = LOG_INFO; +int deny_severity = LOG_WARNING; +#endif /* LIBWRAP */ #ifdef HAVE___PROGNAME extern char *__progname; From i.palsenberg at jdimedia.nl Sun Oct 8 23:37:44 2000 
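Review bot: the refusal path in the channels.c hunk returns right after `close(newsock)`, but `remote_hostname = get_remote_hostname(newsock)` just above the `#ifdef LIBWRAP` block has already been evaluated; if that function hands back an allocated string (the normal path below must release it), the early `return` leaks it on every refused connection, so free it first. The cover note also documents the daemon name as `sshfwd-` while the code builds `"sshdfwd-%d"`; align the two (the `sshdfwd-<port>` form in the code is the one an administrator must write in hosts.allow/hosts.deny) and add it, with an example entry, to the sshd man page.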
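Review bot: the ssh.c hunk defines `allow_severity`/`deny_severity` so the client links against libwrap, which means a listener that ssh itself opens for a -R forwarding consults the client host's /etc/hosts.allow and /etc/hosts.deny, files the user running ssh usually cannot edit and will not expect to matter (Markus raises this point in the thread). Make the lookup opt-in on the client side, or at least tie it to GatewayPorts (per the cover note the only case in which the listener is reachable from other hosts), and document which daemon name is checked for -L versus -R listeners.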
From: i.palsenberg at jdimedia.nl (Igmar Palsenberg) Date: Sun, 8 Oct 2000 14:37:44 +0200 (CEST) Subject: Incompatability between 1.2.27 NO-RSA and openssh-latest Message-ID: Hi, Some info : Client side : SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5. Standard version. Does not use RSAREF. Linux 2.2.16 Server side : OpenSSH 2.2.0 without RSA OpenBSD devel 2.7 JDI#1 i386 Connection gives : Local: Bad packet length 1349676916. The connection goes fine with OpenSSH 2.1.0 on a Linux machine. The OpenSSH on the server is the non-portable version. Regards, Igmar -- -- Igmar Palsenberg JDI Media Solutions Jansplaats 11 6811 GB Arnhem The Netherlands mailto: i.palsenberg at jdimedia.nl PGP/GPG key : http://www.jdimedia.nl/formulier/pgp/igmar From markus.friedl at informatik.uni-erlangen.de Mon Oct 9 01:16:17 2000 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 8 Oct 2000 16:16:17 +0200 Subject: Incompatability between 1.2.27 NO-RSA and openssh-latest In-Reply-To: ; from i.palsenberg@jdimedia.nl on Sun, Oct 08, 2000 at 02:37:44PM +0200 References: Message-ID: <20001008161617.A30167@folly> On Sun, Oct 08, 2000 at 02:37:44PM +0200, Igmar Palsenberg wrote: > Client side : > SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5. > Standard version. Does not use RSAREF. > > Linux 2.2.16 > > Server side : > OpenSSH 2.2.0 without RSA ssh version 1.2.x can never talk to a openssh version without RSA. From markus.friedl at informatik.uni-erlangen.de Mon Oct 9 01:19:13 2000 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 8 Oct 2000 16:19:13 +0200 Subject: [PATCH]: Add tcp_wrappers protection to port forwarding In-Reply-To: <39DF9857.F3455BD@cygnus.com>; from vinschen@cygnus.com on Sat, Oct 07, 2000 at 11:40:39PM +0200 References: <39DF9857.F3455BD@cygnus.com> Message-ID: <20001008161913.B30167@folly> On Sat, Oct 07, 2000 at 11:40:39PM +0200, Corinna Vinschen wrote: > + snprintf(fwd, sizeof(fwd), "sshdfwd-%d", c->host_port); i don't like this feature. should it be for -R or -L style forwarding? why should a client program read /etc/hosts.allow? at least it should not be the default, even if you use tcp-wrappers in sshd. -markus From i.palsenberg at jdimedia.nl Mon Oct 9 01:37:23 2000 From: i.palsenberg at jdimedia.nl (Igmar Palsenberg) Date: Sun, 8 Oct 2000 16:37:23 +0200 (CEST) Subject: Incompatability between 1.2.27 NO-RSA and openssh-latest In-Reply-To: <20001008161617.A30167@folly> Message-ID: > On Sun, Oct 08, 2000 at 02:37:44PM +0200, Igmar Palsenberg wrote: > > Client side : > > SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5. > > Standard version. Does not use RSAREF. > > > > Linux 2.2.16 > > > > Server side : > > OpenSSH 2.2.0 without RSA > > ssh version 1.2.x can never talk to a openssh version without RSA. I doubt that.. This Linux machine is running OpenSSH 2.1.0 and is able to talk to 1.2.27 just fine. The linux machine is compiled without RSA support, so that would mean it would give the same problems. Regards, Igmar -- -- Igmar Palsenberg JDI Media Solutions Jansplaats 11 6811 GB Arnhem The Netherlands mailto: i.palsenberg at jdimedia.nl PGP/GPG key : http://www.jdimedia.nl/formulier/pgp/igmar From cgf at cygnus.com Mon Oct 9 02:29:45 2000 
From: cgf at cygnus.com (Chris Faylor) Date: Sun, 8 Oct 2000 11:29:45 -0400 Subject: [PATCH]: Add tcp_wrappers protection to port forwarding In-Reply-To: <20001008161913.B30167@folly>; from markus.friedl@informatik.uni-erlangen.de on Sun, Oct 08, 2000 at 04:19:13PM +0200 References: <39DF9857.F3455BD@cygnus.com> <20001008161913.B30167@folly> Message-ID: <20001008112945.A2620@cygnus.com> On Sun, Oct 08, 2000 at 04:19:13PM +0200, Markus Friedl wrote: >On Sat, Oct 07, 2000 at 11:40:39PM +0200, Corinna Vinschen wrote: >> + snprintf(fwd, sizeof(fwd), "sshdfwd-%d", c->host_port); > >i don't like this feature. > >should it be for -R or -L style forwarding? Why does it matter? It should manage connections to host ports whether they were set up with -R or -L. In my case, I use it for -R ports. >why should a client program read /etc/hosts.allow? Probably it shouldn't. I didn't know of any way to avoid this, however. >at least it should not be the default, even if you use tcp-wrappers in sshd. I'm not sure why. Without something like this, you have the potential for exposing your ports to the outside world. That's why ssh.com's version added this protection, I assume. cgf From pekkas at netcore.fi Mon Oct 9 03:01:13 2000 
From: pekkas at netcore.fi (Pekka Savola) Date: Sun, 8 Oct 2000 19:01:13 +0300 (EEST) Subject: [PATCH]: Add tcp_wrappers protection to port forwarding In-Reply-To: <39DF9857.F3455BD@cygnus.com> Message-ID: On Sat, 7 Oct 2000, Corinna Vinschen wrote: > The patch uses basically the same method as ssh.com. A lookup is made > in hosts.allow/hosts.deny on sshfwd- (not port name -- > this is different from ssh.com) and if the tcp_wrappers don't allow > the lookup then the connection is closed immediately. Speaking of tcp_wrappers, I think this might be of interest to some of you even though it isn't exactly an _OpenSSH_ patch. Before, I was griping why OpenSSH didn't include AllowHosts capabilities. One of the best sides of these was that you could use *? -wildcards when matching IP addresses and hostnames. I've adapted the attached patch from SSH-1.2.12 (no changes to the code since then) to tcp_wrappers to make it possible to match *? wildcards with certain exceptions. Combined with the feature in e.g. FreeBSD to import hostnames / IP addresses from separate files (patch available), tcp_wrappers becomes even more powerful than before :-). Perhaps someone else will find this useful too :-). Comments welcome. -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" -------------- next part -------------- diff -uNr tcp_wrappers_7.6/hosts_access.5 tcp_wrappers_7.6.new/hosts_access.5 --- tcp_wrappers_7.6/hosts_access.5 Fri Sep 22 21:29:24 2000 +++ tcp_wrappers_7.6.new/hosts_access.5 Fri Sep 22 21:28:44 2000 
@@ -96,6 +96,10 @@ zero or more lines with zero or more host name or address patterns separated by whitespace. A file name pattern can be used anywhere a host name or address pattern can be used. +.IP \(bu +Wildcards `*\' and `?\' can be used to match hostnames or IP addresses. This +method of matching cannot be used in conjunction with `net/mask\' matching, +hostname matching beginning with `.\' or IP address matching ending with `.\'. .SH WILDCARDS The access control language supports explicit wildcards: .IP ALL diff -uNr tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.new/hosts_access.c --- tcp_wrappers_7.6/hosts_access.c Fri Sep 22 21:29:24 2000 +++ tcp_wrappers_7.6.new/hosts_access.c Fri Sep 22 21:18:09 2000 @@ -311,6 +311,11 @@ { int n; +#ifndef DISABLE_WILDCARD_MATCHING + if (strchr(tok, '*') || strchr(tok,'?')) { /* contains '*' or '?' */ + return (match_pattern_ylo(string,tok)); + } else +#endif if (tok[0] == '.') { /* suffix */ n = strlen(string) - strlen(tok); return (n > 0 && STR_EQ(tok, string + n)); 
@@ -351,3 +356,71 @@ } return ((addr & mask) == net); } + +#ifndef DISABLE_WILDCARD_MATCHING +/* Note: this feature has been adapted in a pretty straightforward way + from Tatu Ylonen's last SSH version under a free license by + Pekka Savola . + + Copyright (c) 1995 Tatu Ylonen , Espoo, Finland +*/ + +/* Returns true if the given string matches the pattern (which may contain + ? and * as wildcards), and zero if it does not match. */ + +int match_pattern_ylo(const char *s, const char *pattern) +{ + while (1) + { + /* If at end of pattern, accept if also at end of string. */ + if (!*pattern) + return !*s; + + /* Process '*'. */ + if (*pattern == '*') + { + /* Skip the asterisk. */ + pattern++; + + /* If at end of pattern, accept immediately. */ + if (!*pattern) + return 1; + + /* If next character in pattern is known, optimize. */ + if (*pattern != '?' && *pattern != '*') + { + /* Look instances of the next character in pattern, and try + to match starting from those. */ + for (; *s; s++) + if (*s == *pattern && + match_pattern_ylo(s + 1, pattern + 1)) + return 1; + /* Failed. */ + return 0; + } + + /* Move ahead one character at a time and try to match at each + position. */ + for (; *s; s++) + if (match_pattern_ylo(s, pattern)) + return 1; + /* Failed. */ + return 0; + } + + /* There must be at least one more character in the string. If we are + at the end, fail. */ + if (!*s) + return 0; + + /* Check if the next character of the string is acceptable. */ + if (*pattern != '?' && *pattern != *s) + return 0; + + /* Move to the next character, both in string and in pattern. */ + s++; + pattern++; + } + /*NOTREACHED*/ +} +#endif /* DISABLE_WILDCARD_MATCHING */ From res at shore.net Mon Oct 9 03:20:35 2000 
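Review bot: the hosts_access.c hunk at line 311 calls `match_pattern_ylo(string,tok)` before its definition, which the next hunk appends at the end of the file, and there is no prototype, so the compiler falls back to an implicit declaration; add a forward declaration under the same `#ifndef DISABLE_WILDCARD_MATCHING` guard near the top of hosts_access.c. The closing `#endif /* DISABLE_WILDCARD_MATCHING */` comment also reads as if the block were under `#ifdef`; make it `/* !DISABLE_WILDCARD_MATCHING */`.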
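Review bot: `match_pattern_ylo()` backtracks recursively (the `for (; *s; s++) if (match_pattern_ylo(s, pattern))` loop re-enters the function at every position), and here `s` is the connecting client's hostname or address while the pattern comes from hosts.allow; a token with several `*` therefore costs time that grows quickly with the hostname length on every accepted connection, and the hostname is whatever the PTR record says. Bound the recursion depth (or allow at most one `*` per token), and note in the hosts_access.5 hunk that hostname wildcards are only as trustworthy as reverse DNS, so they belong with tcp_wrappers' PARANOID check.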
From: res at shore.net (Richard E. Silverman) Date: Sun, 8 Oct 2000 12:20:35 -0400 (EDT) Subject: Incompatability between 1.2.27 NO-RSA and openssh-latest In-Reply-To: Message-ID: On Sun, 8 Oct 2000, Igmar Palsenberg wrote: > > On Sun, Oct 08, 2000 at 02:37:44PM +0200, Igmar Palsenberg wrote: > > > Client side : > > > SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5. > > > Standard version. Does not use RSAREF. > > > > > > Linux 2.2.16 > > > > > > Server side : > > > OpenSSH 2.2.0 without RSA > > > > ssh version 1.2.x can never talk to a openssh version without RSA. > > I doubt that.. This Linux machine is running OpenSSH 2.1.0 and is able to > talk to 1.2.27 just fine. > > The linux machine is compiled without RSA support, so that would mean it > would give the same problems. No, Markus is correct. The SSH-1 protocol explicitly uses the RSA algorithm. There is no option to use it without RSA, nor is there any option to compile ssh-1.2.x "without RSA;" such a thing would have no meaning. One possible source of confusion: when you say "1.2.27 NO-RSA," are you inferring that from the "Does not use RSAREF" in the version announcement? All that means is that it is using its internal RSA implementation, as opposed to the RSAREF library from RSADSI (now defunct and pointless, due to the patent expiration). Anyway, if you compile OpenSSH against an OpenSSL built without RSA, OpenSSH will only be able to do protocol 2. -- Richard Silverman slade at shore.net From res at shore.net Mon Oct 9 03:46:59 2000 
From: res at shore.net (Richard E. Silverman) Date: Sun, 8 Oct 2000 12:46:59 -0400 (EDT) Subject: Agent forwarding with DSA keys? Message-ID: peter> Also, would anyone know anything about a utility that is able to peter> convert ssh.com private DSA keys into PEM OpenSSL private DSA keys? markus> ssh.com's format is not documented. True. However, ssh.com-2.3.0 has added a ssh-keygen -i feature, which prints out all the parameters for a DSA public or private key. So I wrote the following quick hack to take the output of that and write out an OpenSSH private key. I should probably roll a fancier version of this into the OpenSSH ssh-keygen as -z. http://www.snailbook.com/tools/dsa-convert.c -- Richard Silverman slade at shore.net From res at shore.net Mon Oct 9 08:51:38 2000 
From: res at shore.net (Richard E. Silverman) Date: Sun, 8 Oct 2000 17:51:38 -0400 Subject: OpenSSH-2.2.0 problem with ssh.com ssh-agent2 Message-ID: <200010082151.RAA04219@syrinx.oankali.net> The OpenSSH and ssh.com agents use a completely different set of messages for dealing with DSA keys, so I don't expect the OpenSSH client to be able to get DSA keys from ssh-agent2. However, if I'm running "ssh-agent2 -1", I expect OpenSSH to be able to use RSA keys stored in ssh-agent2's agent1 compatibility box. And it does. However, there's a problem. If I'm running "ssh-agent2 -1", and try to use the OpenSSH client, protocol 2, with DSA authentication enabled, I get this: Bad authentication reply message type: 102 ...and the client exits. Again, I wasn't expecting it to get any DSA keys from the agent, but it should use the keys on disk, or fall through to password authentication. But it just dies. What happens is that OpenSSH issues one of its own set of DSA-related agent messages, which ssh-agent2 doesn't understand, so the agent sends back an "agent failure" message. This should be fine; the OpenSSH code looks for that. However, there are two "agent failure" messages in the ssh.com world: #define SSH1_AGENT_FAILURE 5 #define SSH_AGENT_FAILURE 102 OpenSSH only checks for the first one, but the agent returns the second one. OpenSSH doesn't recognize it, and dies. Below is a proposed fix, as diffs to authfd.c and authfd.h. 
-- Richard Silverman slade at shore.net ================================================================================ *** authfd.h Sun Oct 8 17:45:16 2000 --- authfd.h.orig Tue Aug 22 20:46:24 2000 *************** *** 39,50 **** #define SSH2_AGENTC_REMOVE_IDENTITY 18 #define SSH2_AGENTC_REMOVE_ALL_IDENTITIES 19 - /* messages used by the ssh.com ssh-agent2 */ - #define SSH_COM_AGENT_FAILURE 102 - - /* macro to check for "agent failure" message */ - #define agent_failed(x) ((x == SSH_AGENT_FAILURE) || (x == SSH_COM_AGENT_FAILURE)) - typedef struct { int fd; Buffer identities; --- 39,44 ---- *** authfd.c Sun Oct 8 17:45:28 2000 --- authfd.c.orig Tue Aug 22 20:46:24 2000 *************** *** 223,229 **** /* Get message type, and verify that we got a proper answer. */ type = buffer_get_char(&auth->identities); ! if (agent_failed(type)) { return NULL; } else if (type != code2) { fatal("Bad authentication reply message type: %d", type); --- 223,229 ---- /* Get message type, and verify that we got a proper answer. */ type = buffer_get_char(&auth->identities); ! if (type == SSH_AGENT_FAILURE) { return NULL; } else if (type != code2) { fatal("Bad authentication reply message type: %d", type); *************** *** 322,328 **** } type = buffer_get_char(&buffer); ! if (agent_failed(type)) { log("Agent admitted failure to authenticate using the key."); } else if (type != SSH_AGENT_RSA_RESPONSE) { fatal("Bad authentication response: %d", type); --- 322,328 ---- } type = buffer_get_char(&buffer); ! if (type == SSH_AGENT_FAILURE) { log("Agent admitted failure to authenticate using the key."); } else if (type != SSH_AGENT_RSA_RESPONSE) { fatal("Bad authentication response: %d", type); *************** *** 366,372 **** return -1; } type = buffer_get_char(&msg); ! 
if (agent_failed(type)) { log("Agent admitted failure to sign using the key."); } else if (type != SSH2_AGENT_SIGN_RESPONSE) { fatal("Bad authentication response: %d", type); --- 366,372 ---- return -1; } type = buffer_get_char(&msg); ! if (type == SSH_AGENT_FAILURE) { log("Agent admitted failure to sign using the key."); } else if (type != SSH2_AGENT_SIGN_RESPONSE) { fatal("Bad authentication response: %d", type); *************** *** 513,519 **** { switch (type) { case SSH_AGENT_FAILURE: - case SSH_COM_AGENT_FAILURE: log("SSH_AGENT_FAILURE"); return 0; case SSH_AGENT_SUCCESS: --- 513,518 ---- From chris at ex-parrot.com Mon Oct 9 10:02:41 2000 From: chris at ex-parrot.com (Chris Lightfoot) Date: Mon, 9 Oct 2000 00:02:41 +0100 (GMT) Subject: No subject Message-ID: Chris Lightfoot -- http://www.ex-parrot.com/~chris/ In view of the fact that God limited man's intelligence, it is a pity that He did not also limit his stupidity (Adenauer) From chris at ex-parrot.com Mon Oct 9 10:14:30 2000 
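Review bot: In the authfd.h hunk, `agent_failed(x)` substitutes its argument unparenthesised (`(x == SSH_AGENT_FAILURE) || (x == SSH_COM_AGENT_FAILURE)`), so any call with an argument more complex than a plain identifier mis-associates; write it as `((x) == SSH_AGENT_FAILURE || (x) == SSH_COM_AGENT_FAILURE)` or make it a static inline function. The diff is also the wrong way round: the `***` side is the edited file and the `---` side is `authfd.h.orig` / `authfd.c.orig`, so the `-` lines are the additions and `patch` would need `-R`; regenerate it with the original as the first argument before it is committed. The four authfd.c call sites (identity listing, the RSA challenge reply, the SSH2 sign reply and the `decode_reply` switch) are consistent with each other.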
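The two-failure-code check discussed above, as an added example (not OpenSSH's authfd.c and not part of Richard Silverman's patch): it reads one length-prefixed agent reply, treats either failure code as an ordinary refusal so the client can fall back to on-disk keys instead of dying on an unknown type, and rejects malformed frames. The constant values match those in the thread and in OpenSSH's authfd.h; `classify_agent_reply`, the `agent_reply` enum and the sample frames are assumptions constructed for the example.

```c
/* Added example, not OpenSSH code: read one length-prefixed ssh-agent reply
 * and classify it, treating both the classic failure code (5) and the one
 * ssh.com's ssh-agent2 sends (102) as "the agent refused", so the caller can
 * fall back to on-disk keys instead of dying on an unknown type. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SSH_AGENT_FAILURE          5    /* OpenSSH authfd.h */
#define SSH_AGENT_SUCCESS          6
#define SSH2_AGENT_SIGN_RESPONSE   14
#define SSH_COM_AGENT_FAILURE      102  /* ssh.com ssh-agent2 */

enum agent_reply {
    AGENT_REPLY_MALFORMED  = -1,  /* short frame, or length field disagrees with the data */
    AGENT_REPLY_FAILED     =  0,  /* either failure code: not fatal, just "no" */
    AGENT_REPLY_EXPECTED   =  1,  /* the type the caller asked for */
    AGENT_REPLY_UNEXPECTED =  2   /* some other type: protocol error, caller should bail */
};

/* Both failure codes count as an ordinary refusal. A function, so the
 * argument is evaluated once and needs no macro parentheses. */
static int agent_failed(int type)
{
    return type == SSH_AGENT_FAILURE || type == SSH_COM_AGENT_FAILURE;
}

/* Agent frames are: uint32 big-endian length, then one type byte, then the
 * payload. Returns the classification and, when asked, the payload length. */
int classify_agent_reply(const unsigned char *buf, size_t buflen,
                         int expected_type, size_t *payload_len)
{
    uint32_t len;

    if (buflen < 5)                      /* need the length field and the type byte */
        return AGENT_REPLY_MALFORMED;
    len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
          ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if (len < 1 || len > buflen - 4)     /* empty, or claims more than we have */
        return AGENT_REPLY_MALFORMED;
    if (payload_len != NULL)
        *payload_len = len - 1;
    if (agent_failed(buf[4]))
        return AGENT_REPLY_FAILED;
    return buf[4] == expected_type ? AGENT_REPLY_EXPECTED : AGENT_REPLY_UNEXPECTED;
}

int main(void)
{
    /* Constructed sample: what ssh-agent2 sends back for an SSH2 request it does not know. */
    const unsigned char from_agent2[] = { 0, 0, 0, 1, SSH_COM_AGENT_FAILURE };
    /* Constructed sample: a sign response carrying a 2-byte payload. */
    const unsigned char signed_ok[]   = { 0, 0, 0, 3, SSH2_AGENT_SIGN_RESPONSE, 'a', 'b' };
    size_t n = 0;

    printf("agent2 failure -> %d\n",
           classify_agent_reply(from_agent2, sizeof from_agent2, SSH2_AGENT_SIGN_RESPONSE, NULL));
    printf("sign response  -> %d (payload %lu bytes)\n",
           classify_agent_reply(signed_ok, sizeof signed_ok, SSH2_AGENT_SIGN_RESPONSE, &n),
           (unsigned long)n);
    return 0;
}
```

A caller that gets `AGENT_REPLY_FAILED` logs and moves on to the next key source; only `AGENT_REPLY_UNEXPECTED` and `AGENT_REPLY_MALFORMED` justify the `fatal()` the thread describes.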
From: chris at ex-parrot.com (Chris Lightfoot)
Date: Mon, 9 Oct 2000 00:14:30 +0100 (GMT)
Subject: binding to privileged ports
Message-ID:

Apologies if this is a FAQ; I couldn't find an answer on openssh.com or the mailing list archive....

Commercial SSH (I looked at 1.2.30) allocates privileged ports by counting /downwards/ from 1023, so that it will obtain a socket with (roughly speaking) the highest available privileged port number. This also appears to be the behaviour of rsh et al: (from sshconnect.c; whitespace elided)

    for (p = 1023; p > 512; p--) {
        sock = socket(AF_INET, SOCK_STREAM, 0);
        if (sock < 0)
            fatal("socket: %.100s", strerror(errno));
        /* Initialize the desired sockaddr_in structure. */
        memset(&sin, 0, sizeof(sin));
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = INADDR_ANY;
        sin.sin_port = htons(p);
        /* Try to bind the socket to the privileged port. */
    #if defined(SOCKS)
        if (Rbind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
            break; /* Success. */
    #else /* SOCKS */
        if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) >= 0)
            break; /* Success. */
    #endif /* SOCKS */
        if (errno == EADDRINUSE) {
            close(sock);
            continue;
        }
        fatal("bind: %.100s", strerror(errno));
    }

The portable OpenSSH distribution appears to count /upwards/ from 600: (from bsd-bindresvport.c; whitespace elided)

    for(i = 0; i < NPORTS; i++) {
        *portp = htons(port);
        error = bind(sd, sa, salen);
        /* Terminate on success */
        if (error == 0)
            break;
        /* Terminate on errors, except "address already in use" */
        if ((error < 0) && !((errno == EADDRINUSE) || (errno == EINVAL)))
            break;
        port++;
        if (port > ENDPORT)
            port = STARTPORT;
    }

This creates problems in environments where a range of privileged ports (those which correspond to well-known services) are firewalled out, leaving the range from ~850 to 1023 available. From this point of view, it would seem desirable to count downwards as stock ssh does, rather than upwards.

What is the reasoning behind this decision?
Chris Lightfoot -- http://www.ex-parrot.com/~chris/
The meek may inherit the earth - but not its mineral rights (Getty)

From markus.friedl at informatik.uni-erlangen.de Mon Oct 9 17:06:33 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 9 Oct 2000 08:06:33 +0200
Subject: Incompatibility between 1.2.27 NO-RSA and openssh-latest
In-Reply-To: ; from i.palsenberg@jdimedia.nl on Sun, Oct 08, 2000 at 04:37:23PM +0200
References: <20001008161617.A30167@folly>
Message-ID: <20001009080633.A12251@folly>

On Sun, Oct 08, 2000 at 04:37:23PM +0200, Igmar Palsenberg wrote:
> > On Sun, Oct 08, 2000 at 02:37:44PM +0200, Igmar Palsenberg wrote:
> > > Client side :
> > > SSH Version 1.2.27 [i586-unknown-linux], protocol version 1.5.
> > > Standard version. Does not use RSAREF.
> > >
> > > Linux 2.2.16
> > >
> > > Server side :
> > > OpenSSH 2.2.0 without RSA
> >
> > ssh version 1.2.x can never talk to an openssh version without RSA.
>
> I doubt that.. This Linux machine is running OpenSSH 2.1.0 and is able to
> talk to 1.2.27 just fine.
>
> The linux machine is compiled without RSA support, so that would mean it
> would give the same problems.

protocol version 1 does not work without RSA support.

From Jose.Rodriguez at ac.upc.es Mon Oct 9 23:19:02 2000
From: Jose.Rodriguez at ac.upc.es (Jose A. Rodriguez)
Date: Mon, 9 Oct 2000 14:19:02 +0200 (MET DST)
Subject: Remote port forwarding
Message-ID: <200010091219.OAA01823@pons.ac.upc.es>

I have the following line in the sshd_config file:

    GatewayPorts no

If I launch the ssh client as this:

    ssh -l user host -R 9000:otherHost:25

the port forwarding is successful! :-( As you can see, the 'netstat -na' command shows the Secure Shell daemon listening to the port 9000.

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN

I've checked the code and the only use of the "gateway_ports" variable is when calling the getaddrinfo function (inside channel_request_local_forwarding). The right behaviour should be to deny the port forwarding request, shouldn't it? Any help?

BTW, I'm using openssh-2.2.0p1 on Linux (RedHat).

Thanks in advance,
Jose

_______________________________________________________________________________
Jose A. Rodriguez OOO Universitat Politecnica de Catalunya (UPC)
josear at ac.upc.es OOO Departament d'Arquitectura de Computadors
Tel. 6990 OOO -*- LCAC -*- UPC

From res at shore.net Tue Oct 10 04:04:08 2000
From: res at shore.net (Richard E. Silverman)
Date: Mon, 9 Oct 2000 13:04:08 -0400 (EDT)
Subject: Remote port forwarding
In-Reply-To: <200010091219.OAA01823@pons.ac.upc.es>
Message-ID:

> The right behaviour should be to deny the port forwarding request,
> shouldn't it?

No. From the sshd man page:

    GatewayPorts
        Specifies whether remote hosts are allowed to connect to ports
        forwarded for the client. The argument must be ``yes'' or ``no''.
        The default is ``no''.

GatewayPorts does not control whether port-forwarding requests are accepted or not; it controls which addresses are bound for listening. If it is "yes," SSH listens on all interfaces; if "no," only the loopback.

-- Richard Silverman slade at shore.net

From markus.friedl at informatik.uni-erlangen.de Tue Oct 10 04:49:23 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 9 Oct 2000 19:49:23 +0200
Subject: binding to privileged ports
In-Reply-To: ; from chris@ex-parrot.com on Mon, Oct 09, 2000 at 12:14:30AM +0100
References:
Message-ID: <20001009194923.B20699@folly>

On Mon, Oct 09, 2000 at 12:14:30AM +0100, Chris Lightfoot wrote:
> This creates problems in environments where a range of privileged ports
> (those which correspond to well-known services) are firewalled out,
> leaving the range from ~850 to 1023 available. From this point of view, it
> would seem desirable to count downwards as stock ssh does, rather than
> upwards.
>
> What is the reasoning behind this decision?

i did not know that it causes problems. however, you can use 'echo useprivilegedports no' > ~/.ssh/config if you don't want to allocate ports < 1024.

-markus

From markus.friedl at informatik.uni-erlangen.de Tue Oct 10 04:45:20 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 9 Oct 2000 19:45:20 +0200 Subject: Remote port forwarding In-Reply-To: <200010091219.OAA01823@pons.ac.upc.es>; from Jose.Rodriguez@ac.upc.es on Mon, Oct 09, 2000 at 02:19:02PM +0200 References: <200010091219.OAA01823@pons.ac.upc.es> Message-ID: <20001009194519.A20699@folly> On Mon, Oct 09, 2000 at 02:19:02PM +0200, Jose A. Rodriguez wrote: > Active Internet connections (servers and established) > Proto Recv-Q Send-Q Local Address Foreign Address State > tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN > > I've checked the code and the only use of the "gateway_ports" variable > is when calling the getaddrinfo function (inside > channel_request_local_forwarding). in ssh1 channel_request_local_forwarding() is re-used by sshd. > > The right behaviour should be to deny the port fordwarding request, > shouldn't it? you can see above that sshd only listens on 127.0.0.1:9000, and this is what 'GatewayPorts no' means. right now there is no option for turning off -R/-L style forwarding in the server config. -markus From chris at ex-parrot.com Tue Oct 10 06:25:35 2000 
From: chris at ex-parrot.com (Chris Lightfoot) Date: Mon, 9 Oct 2000 20:25:35 +0100 (GMT) Subject: binding to privileged ports In-Reply-To: <20001009194923.B20699@folly> Message-ID: On Mon, 9 Oct 2000, Markus Friedl wrote: > On Mon, Oct 09, 2000 at 12:14:30AM +0100, Chris Lightfoot wrote: > > This creates problems in environments where a range of privileged ports > > (those which correspond to well-known services) are firewalled out, > > leaving the range from ~850 to 1023 available. From this point of view, it > > would seem desirable to count downwards as stock ssh does, rather than > > upwards. > > > > What is the reasoning behind this decision? > > i did not know that i causes problems. It's a bit of a special case, but I think quite a few firewalls are constructed in this way. > however, you can use 'echo useprivilegedports no' > ~/.ssh/config > if you don't want to allocate ports < 1024. Certainly. But this wasn't my point -- what if I want RSARhosts etc. to still work? Chris Lightfoot -- http://www.ex-parrot.com/~chris/ "I have a demonstration... but we'll leave it to the end because I can't really carry on after it, as you will see." (Physics lecture, on nuclear weapons) From stevesk at sweden.hp.com Tue Oct 10 07:39:15 2000 
From: stevesk at sweden.hp.com (Kevin Steves) Date: Mon, 9 Oct 2000 22:39:15 +0200 (MEST) Subject: binding to privileged ports In-Reply-To: Message-ID: On Mon, 9 Oct 2000, Chris Lightfoot wrote: : On Mon, 9 Oct 2000, Markus Friedl wrote: : > On Mon, Oct 09, 2000 at 12:14:30AM +0100, Chris Lightfoot wrote: : > > This creates problems in environments where a range of privileged ports : > > (those which correspond to well-known services) are firewalled out, I'm not sure what you mean by firewalled out. : > > leaving the range from ~850 to 1023 available. From this point of view, it : > > would seem desirable to count downwards as stock ssh does, rather than : > > upwards. : > > : > > What is the reasoning behind this decision? : > : > i did not know that i causes problems. : : It's a bit of a special case, but I think quite a few firewalls are : constructed in this way. Are you filtering connections via source port? If so, how does that increase the security of your firewall? The use of source port <1024 as a security mechanism is flawed. From chris at ex-parrot.com Tue Oct 10 07:46:05 2000 
From: chris at ex-parrot.com (Chris Lightfoot) Date: Mon, 9 Oct 2000 21:46:05 +0100 (GMT) Subject: binding to privileged ports In-Reply-To: Message-ID: On Mon, 9 Oct 2000, Kevin Steves wrote: > On Mon, 9 Oct 2000, Chris Lightfoot wrote: > : On Mon, 9 Oct 2000, Markus Friedl wrote: > : > On Mon, Oct 09, 2000 at 12:14:30AM +0100, Chris Lightfoot wrote: > : > > This creates problems in environments where a range of privileged ports > : > > (those which correspond to well-known services) are firewalled out, > > I'm not sure what you mean by firewalled out. As in, that there exists a firewall between the two hosts on which I am using ssh/sshd which filters out all privileged ports other than a few which correspond to services which are actually in use, and a small set of ports at the top of the range. > : > > leaving the range from ~850 to 1023 available. From this point of > : > > view, it would seem desirable to count downwards as stock ssh > : > > does, rather than upwards. > : > > > : > > What is the reasoning behind this decision? > : > > : > i did not know that i causes problems. > : > : It's a bit of a special case, but I think quite a few firewalls are > : constructed in this way. > > Are you filtering connections via source port? If so, how does that > increase the security of your firewall? The use of source port <1024 as > a security mechanism is flawed. 1. Not my firewall. 2. Certainly, relying on port filtering of this sort alone is a flawed strategy. However, there are valid reasons to do it and IMO probably does have a tangible security benefit even in conjunction with a more sophisticated firewall (which is also deployed in this instance). 3. Every other piece of software I have looked at which runs suid root to allocate a privileged port does so by allocating the highest available one. I presume that openssh is designed differently for some reason other than bloody-mindedness; I would be interested to find out what that reason is. 
Chris Lightfoot -- http://www.ex-parrot.com/~chris/ People who make no mistakes do not usually make anything From stevesk at sweden.hp.com Tue Oct 10 07:57:03 2000 From: stevesk at sweden.hp.com (Kevin Steves) Date: Mon, 9 Oct 2000 22:57:03 +0200 (MEST) Subject: Various platforms In-Reply-To: Message-ID: On Sat, 7 Oct 2000, J.P. King wrote: : Not my machines, and it avoids the purpose of what I am doing. I am : compiling a CD of clients for every platform that I can - we are : upgrading from using ssh1.2.27 to OpenSSH, not least because of the : SSH1 and SSH2 support. But isn't one of your goals security? You can build an ssh that works on 9.X if needed, but I'd recommend shipping a more modern build as well. : I am compiling on the oldest variants of platforms I can, and testing : on more recent versions to make sure that they still work. I am : compiling them statically, at least where the OS doesn't fight me : hard enough to prevent this. 9.03 libc is ancient and I wouldn't want to use it in a security application. : Sounds good, I will try to use that if I need to recompile. I am somewhat : wary about pulling in more things than I need, in case one of the other : things upsets the applecart so to speak. : : I was hoping that OpenSSH could be made aware of these aspects in some : fashion, such that when I compile a future version this problem doesn't : arise. setresuid() is an HP-only thing and I don't really want to add detection for it. From markus.friedl at informatik.uni-erlangen.de Tue Oct 10 08:51:53 2000 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 9 Oct 2000 23:51:53 +0200 Subject: OpenSSH-2.2.0 problem with ssh.com ssh-agent2 In-Reply-To: <200010082151.RAA04219@syrinx.oankali.net>; from res@shore.net on Sun, Oct 08, 2000 at 05:51:38PM -0400 References: <200010082151.RAA04219@syrinx.oankali.net> Message-ID: <20001009235153.A3793@folly> thanks, i added this patch to the openbsd cvs tree. On Sun, Oct 08, 2000 at 05:51:38PM -0400, Richard E. Silverman wrote: > #define SSH1_AGENT_FAILURE 5 > #define SSH_AGENT_FAILURE 102 From markus.friedl at informatik.uni-erlangen.de Tue Oct 10 08:53:42 2000 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 9 Oct 2000 23:53:42 +0200 Subject: Agent forwarding with DSA keys? In-Reply-To: ; from res@shore.net on Sun, Oct 08, 2000 at 12:46:59PM -0400 References: Message-ID: <20001009235342.B3793@folly> On Sun, Oct 08, 2000 at 12:46:59PM -0400, Richard E. Silverman wrote: > markus> ssh.com's format is not documented. > > True. However, ssh.com-2.3.0 has added a ssh-keygen -i feature, which > prints out all the parameters for a DSA public or private key. So I wrote i added support for private ssh.com keys to openssh's keygen. just check out from cvs or wait for a new snapshot. From jpk28 at hermes.cam.ac.uk Tue Oct 10 14:34:59 2000 
From: jpk28 at hermes.cam.ac.uk (J.P. King)
Date: Tue, 10 Oct 2000 04:34:59 +0100 (BST)
Subject: Various platforms
In-Reply-To: from Kevin Steves at "Oct 9, 2000 10:57:03 pm"
Message-ID:

> But isn't one of your goals security? You can build an ssh that works
> on 9.X if needed, but I'd recommend shipping a more modern build as
> well.

One of my goals is _improved_ security, however only of the communication with our machines by people connecting from the outside world. Whilst I would like security in the world to be improved, it is hard for me to do this from the outside (projects like OpenSSH notwithstanding).

Unless there is some security hole introduced into OpenSSH by building it on an older platform, then I don't see how I have lost. In the meantime I have gained because the people connecting from an old HP-UX box, and those connecting from a more modern one, can all use a secure channel to talk to their machines back in Cambridge.

If I have failed to take account of something then I would like to know, but based on the last year this program has had not trivial amounts of success in reducing passwords being sniffed by Cambridge 'scholars' visiting other institutions.

> : I am compiling on the oldest variants of platforms I can, and testing
> : on more recent versions to make sure that they still work. I am
> : compiling them statically, at least where the OS doesn't fight me
> : hard enough to prevent this.
>
> 9.03 libc is ancient and I wouldn't want to use it in a security
> application.

I certainly don't claim to be a security expert, so I am prepared to admit that I may have forgotten something, but I cannot think of a way to use an 'insecure' statically compiled libc on a non-privileged binary on a CDrom to even allow a hacker to intercept data being sent by a user to one of our machines? The only way I can see this possible requires the attacker to have root privileges already, and circumventing the binary is much easier than compromising it.
One thing I should perhaps make clear, which may not have been obvious: the only applications being shipped on the CDrom are ssh and scp - sshd is NOT shipped, and if you thought that was the case then I can see your concerns. This is not meant to be a means of distributing precompiled sshd binaries, just the clients.

> : Sounds good, I will try to use that if I need to recompile. I am somewhat
> : wary about pulling in more things than I need, in case one of the other
> : things upsets the applecart so to speak.
> :
> : I was hoping that OpenSSH could be made aware of these aspects in some
> : fashion, such that when I compile a future version this problem doesn't
> : arise.
>
> setresuid() is an HP-only thing and I don't really want to add detection
> for it.

FreeBSD supports it too; I have not checked anywhere else. I was more thinking of detecting the lack of setreuid as well as the lack of seteuid. I am not sure what not detecting it gains you, especially since the wrapper replacement for seteuid is so simple? However if you don't then I will keep working around it, it just seems strange to me. *shrug*

Julian

P.S. It occurs to me that as I am about to send this the set[r]e[s]uid() call will only be used by the sshd, won't it - I guess I could have got around it by doing make ssh - I just don't like not compiling the whole suite, because that involves checking the Makefile out ludicrously carefully to confirm that it is written with a valid dependency list.

From Tomi.Ollila at sonera.com Tue Oct 10 16:52:30 2000
From: Tomi.Ollila at sonera.com (Tomi Ollila)
Date: Tue, 10 Oct 2000 08:52:30 +0300 (EET DST)
Subject: binding to privileged ports
In-Reply-To:
References:
Message-ID: <14818.44702.658672.560196@chardonnay.ajk.tele.fi>

Monday Oct 9 22:39:15 +0200 2000 Kevin Steves wrote:
> :
> : It's a bit of a special case, but I think quite a few firewalls are
> : constructed in this way.
>
> Are you filtering connections via source port? If so, how does that
> increase the security of your firewall? The use of source port <1024 as
> a security mechanism is flawed.

The source port becomes the destination port when the other end sends packets to it, and in stateless packet filtering that then also blocks the returning packets of outgoing connections. I had this problem when I had a FW that was only meant to forward packets and not to allow incoming connections -- all connections to ports below 1024 were disallowed. I remember asking how to solve that problem last spring and remember Markus Friedl kindly replying with the solution of not using a privileged port.

Now that I read about this having only ports < ~850 disallowed I can see an idea behind it (hey, might even myself use it!), and would like to see a solution for it: either provide a configuration option that tells what is the lowest port to bind, or start scanning from 1023 downwards...

The lucky thing is that one can always compile a self-patched version of the ssh suite to fulfill one's (possibly) marginal needs.

Tomi Ollila

From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Oct 10 19:29:48 2000
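As an added example (not OpenSSH's bsd-bindresvport.c and not ssh-1.2.30's sshconnect.c): one reserved-port scanner that can run either way, downward from 1023 as Chris Lightfoot's ssh-1.2.30 excerpt does, or upward from a floor as portable OpenSSH does, with the floor and ceiling as parameters so that Tomi Ollila's "lowest port to bind" option falls out of it. `pick_reserved_port`, its callback interface and the `fake_bind` stand-in are assumptions made for the example; `bind_ipv4` is the real callback and needs root for ports below 1024.

```c
/* Added example, not OpenSSH code: pick a free reserved port by scanning
 * either upward from a floor (portable OpenSSH's bsd-bindresvport.c starts
 * at 600) or downward from 1023 (ssh-1.2.30 and the r* commands). The bind
 * call is passed in as a callback so the scan order can be exercised
 * without root; bind_ipv4() below is the real one. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

enum scan_dir { SCAN_UP, SCAN_DOWN };

/* Like bind(2): 0 on success, -1 with errno set on failure. */
typedef int (*try_bind_fn)(int port, void *ctx);

/* Returns the port that bound, or -1 with errno from the last failure.
 * Only EADDRINUSE (and EINVAL, which some stacks use for the same thing)
 * moves on to the next port; anything else (EACCES without root, say) stops. */
int pick_reserved_port(int lo, int hi, enum scan_dir dir,
                       try_bind_fn try_bind, void *ctx)
{
    int step = (dir == SCAN_DOWN) ? -1 : 1;
    int port = (dir == SCAN_DOWN) ? hi : lo;
    int n;

    if (lo < 1 || hi > 1023 || lo > hi) {   /* reserved range only */
        errno = EINVAL;
        return -1;
    }
    for (n = hi - lo + 1; n > 0; n--, port += step) {
        if (try_bind(port, ctx) == 0)
            return port;
        if (errno != EADDRINUSE && errno != EINVAL)
            return -1;
    }
    errno = EADDRINUSE;                     /* whole range busy */
    return -1;
}

/* Real callback: ctx points at an AF_INET socket; needs root for ports < 1024. */
int bind_ipv4(int port, void *ctx)
{
    struct sockaddr_in sin;

    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons((unsigned short)port);
    return bind(*(int *)ctx, (struct sockaddr *)&sin, sizeof sin);
}

/* Constructed stand-in for the demo: ports listed in busy[] fail with fail_errno. */
struct fake_bind_ctx { const int *busy; size_t nbusy; int fail_errno; };

int fake_bind(int port, void *ctx)
{
    const struct fake_bind_ctx *f = ctx;
    size_t i;

    for (i = 0; i < f->nbusy; i++) {
        if (f->busy[i] == port) {
            errno = f->fail_errno;
            return -1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed scenario: the top three ports already taken by other
     * sessions. The upward scan lands on 600, which the filter described in
     * the thread would drop; the downward scan lands on 1020. */
    const int busy[] = { 1023, 1022, 1021 };
    struct fake_bind_ctx ctx = { busy, 3, EADDRINUSE };

    printf("scan up from 600:    %d\n", pick_reserved_port(600, 1023, SCAN_UP, fake_bind, &ctx));
    printf("scan down from 1023: %d\n", pick_reserved_port(512, 1023, SCAN_DOWN, fake_bind, &ctx));
    return 0;
}
```

With `lo` exposed as a configuration value, a site whose filter passes only ~850-1023 can set the floor to 850 and keep the upward scan; the downward scan gives the same effect without configuration but, as the thread notes, lands more often on ports another privileged client just released.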
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 10 Oct 2000 10:29:48 +0200
Subject: Various platforms
In-Reply-To: ; from jpk28@hermes.cam.ac.uk on Tue, Oct 10, 2000 at 04:34:59AM +0100
References:
Message-ID: <20001010102948.A11246@ws01.aet.tu-cottbus.de>

On Tue, Oct 10, 2000 at 04:34:59AM +0100, J.P. King wrote:
> > But isn't one of your goals security? You can build an ssh that works
> > on 9.X if needed, but I'd recommend shipping a more modern build as
> > well.
> One of my goals is _improved_ security, however only of the
> communication with our machines by people connecting from the
> outside world. Whilst I would like security in the world to
> be improved, it is hard for me to do this from the outside
> (projects like OpenSSH notwithstanding).
>
> Unless there is some security hole introduced into OpenSSH
> by building it on an older platform, then I don't see how
> I have lost. In the meantime I have gained because the
> people connecting from an old HP-UX box, and those connecting
> from a more modern one can all use a secure channel to talk
> to their machines back in Cambridge.

Support for HP-UX 9.03 ran out long ago; there even was a free upgrade to HP-UX 10.20 (the first version of HP-UX being Y2K conformant when using the necessary patches, and yes there is some 9.X for Motorola based machines). I don't know whether there are security issues with respect to libc et al for HP-UX 9.02; probably nobody knows, as nobody cares any longer.

Given your situation, you have to support 9.03 because some people did not upgrade when they should have upgraded. So you must provide a 9.03 binary. That's fine. As 10.20 is the minimum you should run by now, I however second Kevin's recommendation to include the 10.20 binary as default and only offer 9.03 for those poor guys. At least the directory hierarchy for 10.X has changed, so that the PRNG commands might have changed considerably.
9.X is dead and gone, 10.x is the minimum to go, 11.x is a close relative to 10.x (at least with respect to directory hierarchy and API). > If I have failed to take account of something then I would > like to know, but based on the last year this program has > had not trivial amounts of success in reducing passwords > being sniffed by Cambridge 'scholars' visiting other > institutions. That's a really good thing to have :-) Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From fatbob at acc.umu.se Wed Oct 11 08:53:34 2000 From: fatbob at acc.umu.se (Martin Johansson) Date: Tue, 10 Oct 2000 23:53:34 +0200 (MET_DST) Subject: [PATCH] X11 forwarding failure on later Linux dev kernels fix Message-ID: Hi! The return values from socket() changed from EINVAL to EAFNOTSUPPORT for not supported address family in Linux 2.4.0-test8. This small patch fixes the 'error: socket: Address family not supported by protocol' and 'Disconnecting: Command terminated on signal 11.' when enabling X11 forwarding. Cheers /Martin Johansson --- channels.c.orig Wed Aug 23 00:46:24 2000 +++ channels.c Tue Oct 10 21:22:14 2000 @@ -1740,7 +1740,7 @@ continue; sock = socket(ai->ai_family, SOCK_STREAM, 0); if (sock < 0) { - if (errno != EINVAL) { + if (errno != EINVAL && errno != EAFNOSUPPORT) { error("socket: %.100s", strerror(errno)); return NULL; } else { From nakaji at tutrp.tut.ac.jp Wed Oct 11 14:38:48 2000 
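Review bot: The errno the hunk tests, `EAFNOSUPPORT`, is the correct name (the description spells it `EAFNOTSUPPORT`); with it the loop skips an unsupported address family the same way it already skipped `EINVAL`. The other symptom in the report, `Command terminated on signal 11`, means the caller of this function went on to dereference the `NULL` that the `error(...); return NULL;` branch produced, and this hunk only removes one trigger for that; the caller should be made to handle a `NULL` return as well.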
From: nakaji at tutrp.tut.ac.jp (NAKAJI Hiroyuki)
Date: 11 Oct 2000 12:38:48 +0900
Subject: [port] OpenSSH-SNAP-20000930 for mips-sony-bsd
Message-ID: <87r95o6o8n.fsf@nakaji.tutrp.tut.ac.jp>

Hi, I successfully ported openssh-SNAP-20000930 to my Sony NEWS-OS 4.2.1R, which is a 4.3BSD based system and is detected as mips-sony-bsd by config.guess. A patch is attached below.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-SNAP-20000930-news4.diff
Type: application/octet-stream
Size: 5750 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20001011/6620779e/attachment.obj
-------------- next part --------------
-- NAKAJI Hiroyuki

From Martin.Luig at telekom.de Thu Oct 12 01:00:40 2000
From: Martin.Luig at telekom.de (Martin.Luig at telekom.de)
Date: Wed, 11 Oct 2000 16:00:40 +0200
Subject: Bug in OpenSSH 2.2.0p1
Message-ID:

In line 542 of entropy.c the owner of the PRNG seedfile is checked. Root is also a valid owner of this file. So the line must be:

    if (((st.st_mode & 0177) != 0) || !( (st.st_uid == original_uid) || (st.st_uid == 0) ) )

Regards, Martin
--- Martin Luig email: email at Martin-Luig.de

From brianlmoon at iname.com Thu Oct 12 01:34:01 2000
From: brianlmoon at iname.com (Brian Moon)
Date: Wed, 11 Oct 2000 09:34:01 -0500
Subject: OpenSSH doesn't see keys.
Message-ID: <007501c03390$552a0be0$d367aad0@dealnews.com>

Ok, I have OpenSSH installed on two servers.

I SSH to server 1.

On server 1 I ssh-keygen. I give it an empty passphrase. scp identity.pub to server 2.

On server 2 I cat ident > authorized_keys

On server 1 I ssh -l user server

It asks for the password. If I give it the login it works.

Now, I have SecureCRT on my windows machine and it connects to server 2 using a key just fine.

Any clues? Does it have to do with me being SSH'd in to server to start with?

Brian.
------------------------------ http://brian.threadnet.com

From hvisage at is.co.za Thu Oct 12 01:42:18 2000
From: hvisage at is.co.za (Hendrik Visage)
Date: Wed, 11 Oct 2000 16:42:18 +0200
Subject: scp -L option
Message-ID: <20001011164218.S6946@hermwas.is.co.za>

Hi there, I have a need to have scp pass the -P option to ssh to "bypass" the packetfilters that don't allow connections to return to arbitrary "privileged" ports, ie. ports <1024. See attached context sensitive diffs against 2.2.0p1 to please integrate.

Thanx
Hendrik Visage

-------------- next part -------------- *** 1.1 2000/10/11 13:31:45 --- scp.c 2000/10/11 14:26:25 *************** *** 117,122 **** --- 117,125 ---- /* This is the program to execute for the secured connection. ("ssh" or -S) */ char *ssh_program = SSH_PROGRAM; + /* Using an anonymous port ? */ + int highport=0; + /* * This function executes the given command as the specified user on the * given host. This returns < 0 if execution fails, and >= 0 otherwise. This *************** *** 165,170 **** --- 168,175 ---- args[i++] = ssh_program; args[i++] = "-x"; args[i++] = "-oFallBackToRsh no"; + if (highport) + args[i++] = "-P"; if (IPv4) args[i++] = "-4"; if (IPv6) *************** *** 262,268 **** extern int optind; fflag = tflag = 0; ! while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S")) != EOF) switch (ch) { /* User-visible flags. */ case '4': --- 267,273 ---- extern int optind; fflag = tflag = 0; ! while ((ch = getopt(argc, argv, "LdfprtvBCc:i:P:q46S")) != EOF) switch (ch) { /* User-visible flags. */ case '4': *************** *** 283,288 **** --- 288,296 ---- case 'S': ssh_program = optarg; break; + case 'L': + highport=1; + break; /* Server options. */ case 'd': *************** *** 420,435 **** else if (!okname(suser)) continue; (void) sprintf(bp, ! "%s%s -x -o'FallBackToRsh no' -n -l %s %s %s %s '%s%s%s:%s'", ssh_program, verbose_mode ? " -v" : "", suser, host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); } else { host = cleanhostname(argv[i]); (void) sprintf(bp, ! 
"exec %s%s -x -o'FallBackToRsh no' -n %s %s %s '%s%s%s:%s'", ssh_program, verbose_mode ? " -v" : "", host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); --- 428,445 ---- else if (!okname(suser)) continue; (void) sprintf(bp, ! "%s%s%s -x -o'FallBackToRsh no' -n -l %s %s %s %s '%s%s%s:%s'", ssh_program, verbose_mode ? " -v" : "", + highport ? "" : " -P", suser, host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); } else { host = cleanhostname(argv[i]); (void) sprintf(bp, ! "exec %s%s%s -x -o'FallBackToRsh no' -n %s %s %s '%s%s%s:%s'", ssh_program, verbose_mode ? " -v" : "", + highport ? "" : " -P" , host, cmd, src, tuser ? tuser : "", tuser ? "@" : "", thost, targ); *************** *** 961,967 **** usage() { (void) fprintf(stderr, "usage: scp " ! "[-pqrvC46] [-S ssh] [-P port] [-c cipher] [-i identity] f1 f2; or:\n" " scp [options] f1 ... fn directory\n"); exit(1); } --- 971,977 ---- usage() { (void) fprintf(stderr, "usage: scp " ! "[-LpqrvC46] [-S ssh] [-P port] [-c cipher] [-i identity] f1 f2; or:\n" " scp [options] f1 ... fn directory\n"); exit(1); } -------------- next part -------------- *** 1.1 2000/10/11 14:27:17 --- scp.1 2000/10/11 14:32:31 *************** *** 9,15 **** .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" ! .\" $Id: scp.1,v 1.1 2000/10/11 14:27:17 hvisage Exp $ .\" .Dd September 25, 1999 .Dt SCP 1 --- 9,15 ---- .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" ! .\" $Id: scp.1,v 1.2 2000/10/11 14:32:24 hvisage Exp $ .\" .Dd September 25, 1999 .Dt SCP 1 *************** *** 19,25 **** .Nd secure copy (remote file copy program) .Sh SYNOPSIS .Nm scp ! .Op Fl pqrvC46 .Op Fl P Ar port .Op Fl c Ar cipher .Op Fl i Ar identity_file --- 19,25 ---- .Nd secure copy (remote file copy program) .Sh SYNOPSIS .Nm scp ! .Op Fl LpqrvC46 .Op Fl P Ar port .Op Fl c Ar cipher .Op Fl i Ar identity_file *************** *** 103,108 **** --- 103,115 ---- .Fl p is already reserved for preserving the times and modes of the file in .Xr rcp 1 . 
+ .It Fl L + Used to add the + .Fl P flag to + .Xr ssh 1 + to prevent it from using a priviledge port, but rather an anonymous port. This is + useful in getting out of a packet filtered environment that doesn't allow packets to + return to priviledged ports, ie. ports <1024. .It Fl S Name of program to use for the encrypted connection. The program must understand From brianlmoon at iname.com Thu Oct 12 01:53:45 2000 From: brianlmoon at iname.com (Brian Moon) Date: Wed, 11 Oct 2000 09:53:45 -0500 Subject: OpenSSH doesn't see keys. References: <007501c03390$552a0be0$d367aad0@dealnews.com> Message-ID: <008701c03393$0e3160a0$d367aad0@dealnews.com> never mind. I was not generating ssh2 keys. Brian. ------------------------------ http://brian.threadnet.com ----- Original Message ----- From: "Brian Moon" To: "openssh-dev" Sent: Wednesday, October 11, 2000 9:34 AM Subject: OpenSSH doesn't see keys. > Ok, I have OpenSSH installed on two servers. > > I SSH to server 1. > > On server 1 I ssh-keygen. > I give it an empty passphrase. > scp identity.pub to server 2. > > On server 2 I > cat ident > authorized_keys > > on server 1 > I ssh -l user server > > I asks for the password. > If I give it the login it works. > > Now, I have SecureCRT on my windows machine and it connects to server 2 > using a key just fine. > > Any clues? Does it have to do with me being SSH'd in to server to start > with? > > Brian. > ------------------------------ > http://brian.threadnet.com > > > > > From pekkas at netcore.fi Thu Oct 12 01:57:18 2000 
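Review bot: In the scp.c hunk at lines 420-445 the condition is inverted: `highport ? "" : " -P"` appends `-P` to the remote-to-remote ssh command when `-L` was *not* given, the opposite of the `args[]` path earlier in the same patch, which adds `"-P"` only `if (highport)`. Both `sprintf` calls should read `highport ? " -P" : ""`. A one-line comment next to `int highport=0;` saying that it maps scp's new `-L` onto ssh's `-P` would also help, since `-P` in scp itself already means the port.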
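Review bot: In the scp.1 hunk, "priviledge port" and "priviledged ports" should read "privileged port" and "privileged ports", and "anonymous port" is clearer as "non-privileged port", the wording ssh(1) uses for its own `-P`. It is also worth stating in the same paragraph that `UsePrivilegedPort no` in ssh_config, mentioned in the follow-up in this thread, has the same effect without a new scp flag, so a reader can choose between the two.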
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 11 Oct 2000 17:57:18 +0300 (EEST)
Subject: scp -L option
In-Reply-To: <20001011164218.S6946@hermwas.is.co.za>

On Wed, 11 Oct 2000, Hendrik Visage wrote:
> I have a need to have scp pass the -P option to ssh
> to "bypass" the packetfilters that don't allow connections
> to return to arbitrary "privileged" ports, i.e. ports <1024.
>
> See attached context sensitive diffs against 2.2.0p1
> to please integrate.

-P is already 'port' setting in scp (-p in ssh).

Rather, use "UsePrivilegedPort no" in ssh_config instead, or remove the
setuid bit from ssh binary.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"

From markus.friedl at informatik.uni-erlangen.de Thu Oct 12 01:58:55 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 11 Oct 2000 16:58:55 +0200
Subject: OpenSSH doesn't see keys.
In-Reply-To: <007501c03390$552a0be0$d367aad0@dealnews.com>; from brianlmoon@iname.com on Wed, Oct 11, 2000 at 09:34:01AM -0500
References: <007501c03390$552a0be0$d367aad0@dealnews.com>
Message-ID: <20001011165855.A20404@folly>

sorry, without sshd -d and ssh -v output this report is not very useful.

On Wed, Oct 11, 2000 at 09:34:01AM -0500, Brian Moon wrote:
> Ok, I have OpenSSH installed on two servers.
>
> I SSH to server 1.
>
> On server 1 I ssh-keygen.
> I give it an empty passphrase.
> scp identity.pub to server 2.
>
> On server 2 I
> cat ident > authorized_keys
>
> on server 1
> I ssh -l user server
>
> It asks for the password.
> If I give it the login it works.
>
> Now, I have SecureCRT on my windows machine and it connects to server 2
> using a key just fine.
>
> Any clues? Does it have to do with me being SSH'd in to server to start
> with?
>
> Brian.
> ------------------------------
> http://brian.threadnet.com
>

From hvisage at is.co.za Thu Oct 12 02:08:26 2000
From: hvisage at is.co.za (Hendrik Visage)
Date: Wed, 11 Oct 2000 17:08:26 +0200
Subject: scp -L option
In-Reply-To: ; from pekkas@netcore.fi on Wed, Oct 11, 2000 at 05:57:18PM +0300
References: <20001011164218.S6946@hermwas.is.co.za>
Message-ID: <20001011170826.V6946@hermwas.is.co.za>

On Wed, Oct 11, 2000 at 05:57:18PM +0300, Pekka Savola wrote:
> On Wed, 11 Oct 2000, Hendrik Visage wrote:
> > I have a need to have scp pass the -P option to ssh
> > to "bypass" the packetfilters that don't allow connections
> > to return to arbitrary "privileged" ports, i.e. ports <1024.
> >
> > See attached context sensitive diffs against 2.2.0p1
> > to please integrate.
>
> -P is already 'port' setting in scp (-p in ssh).

ssh -P is for anonymous port usage.

scp -L would then pass the -P option to ssh (ala commercial ssh)

> Rather, use "UsePrivilegedPort no" in ssh_config instead, or remove the
> setuid bit from ssh binary.

Thanx

Will follow up on the "UsePrivilegedPort no"

Comes the "trick" question: Why the "need" for a setuid ssh??

Greetz
Hendrik

From pekkas at netcore.fi Thu Oct 12 02:15:25 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 11 Oct 2000 18:15:25 +0300 (EEST)
Subject: scp -L option
In-Reply-To: <20001011170826.V6946@hermwas.is.co.za>

On Wed, 11 Oct 2000, Hendrik Visage wrote:
> Comes the "trick" question: Why the "need" for a setuid ssh??

If you're using [DR]SA Rhosts authentication, ssh binary has to be able to
read the system's private key which is root-only.

Also, in order for Rhosts Authentication to succeed (in r* protocol
compatibility mode) the connection probably has to come from the specified
low-end ports..

I think there is one more reason in the vein of RhostsAuthentication.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"

From altic at lysator.liu.se Thu Oct 12 03:06:00 2000
From: altic at lysator.liu.se (Peter Astrand)
Date: Wed, 11 Oct 2000 18:06:00 +0200 (CEST)
Subject: Expired passwords & PAM

Currently, OpenSSH prints the message:

"Warning: You password has expired, please change it now"

if the password has expired. It would be nice if the user could/had to
change password before continuing, like with Linux console login.

I've tried to make a patch, but it doesn't work. Ideas?

--- auth-pam.c.org Wed Oct 11 18:03:43 2000 +++ auth-pam.c Wed Oct 11 18:03:44 2000 @@ -36,9 +36,6 @@ RCSID("$Id: auth-pam.c,v 1.12 2000/08/29 22:57:50 djm Exp $"); -#define NEW_AUTHTOK_MSG \ - "Warning: You password has expired, please change it now" - /* Callbacks */ static int pamconv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr); @@ -175,11 +172,17 @@ pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0); switch (pam_retval) { - case PAM_SUCCESS: + case PAM_SUCCESS: /* This is what we want */ break; - case PAM_NEW_AUTHTOK_REQD: - pam_msg_cat(NEW_AUTHTOK_MSG); + case PAM_AUTHTOK_EXPIRED: + case PAM_NEW_AUTHTOK_REQD: + pam_retval = pam_chauthtok((pam_handle_t *)pamh, PAM_CHANGE_EXPIRED_ AUTHTOK); + if (pam_retval != PAM_SUCCESS) { + log("PAM change authtoken failed: %.200s", + PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + return(0); + } break; default: log("PAM rejected by account configuration: %.200s",

-- 
/Peter Åstrand

From william at hpcf.upr.edu Thu Oct 12 05:43:38 2000
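Review bot: three things in the auth-pam.c hunk above explain why it "doesn't work". First, `PAM_CHANGE_EXPIRED_ AUTHTOK` is split by a space (mail wrapping, most likely), so the patch as posted does not compile; it should read `PAM_CHANGE_EXPIRED_AUTHTOK`. Second, `PAM_AUTHTOK_EXPIRED` is a result code of pam_chauthtok(), not of pam_acct_mgmt(), so that new case label is dead; `PAM_NEW_AUTHTOK_REQD` is the value pam_acct_mgmt() actually returns for an expired password. Third, pam_chauthtok() drives the old/new password prompts through the conversation function (pamconv, declared just above the hunk), but the removed `pam_msg_cat(NEW_AUTHTOK_MSG)` line shows that at this point messages are only being collected for later display, so the prompts cannot be answered here; forcing the change needs a conversation that can talk to the user at that stage. Returning 0 on a failed change, which refuses the login, and the added log message are fine.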
From: william at hpcf.upr.edu (William Caban)
Date: Wed, 11 Oct 2000 14:43:38 -0400
Subject: OpenSSH 2.2.0p1 doesn't detect OpenSSL
Message-ID: <39E4B4D9.4A3615D2@hpcf.upr.edu>

Hi all:

I'm trying to compile OpenSSH 2.2.0p1 on an Origin 2000 running Irix
6.5.9 and when I run ./configure it didn't detect the OpenSSL libraries.

I compiled/installed OpenSSL 0.9.6. The installation was done using prefix
/usr/local/ssl. I tested the binaries and they are working fine. Then,
when I try to configure the Openssh

./configure --prefix=/usr/local/ssh --with-ssl-dir=/usr/local/ssl
or
./configure --prefix=/usr/local/ssl --with-ssl-dir=/usr/local/ssl

or other options, I just get the message:

configure: error: Could not find working SSLeay / OpenSSL libraries,
please install

I added some "echo" on the configure script to see the different paths it
is testing and it is testing the correct ones at some point but it
doesn't detect it.

Any help will be welcome.

--William Caban

From fatbob at acc.umu.se Thu Oct 12 05:41:06 2000
From: fatbob at acc.umu.se (Martin Johansson)
Date: Wed, 11 Oct 2000 20:41:06 +0200 (MET_DST)
Subject: [PATCH] X11 forwarding failure on later Linux dev kernels fix

I resend the patch since I noticed that the first one was corrupted by my
mail prog. I also forgot to mention that the version of OpenSSH in
question is 2.2.0p1.

Regards
/Martin

On Tue, 10 Oct 2000, Martin Johansson wrote:

> Hi!
>
> The return values from socket() changed from EINVAL to EAFNOTSUPPORT for
> not supported address family in Linux 2.4.0-test8. This small patch fixes
> the 'error: socket: Address family not supported by protocol' and
> 'Disconnecting: Command terminated on signal 11.' when enabling X11
> forwarding.
>
> Cheers
> /Martin Johansson
>

--- openssh-2.2.0p1-orig/channels.c Wed Aug 23 00:46:24 2000 +++ openssh-2.2.0p1/channels.c Tue Oct 10 21:22:14 2000
@@ -1740,7 +1740,7 @@ continue; sock = socket(ai->ai_family, SOCK_STREAM, 0); if (sock < 0) { - if (errno != EINVAL) { + if (errno != EINVAL && errno != EAFNOSUPPORT) { error("socket: %.100s", strerror(errno)); return NULL; } else {

From pekkas at netcore.fi Thu Oct 12 05:57:36 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 11 Oct 2000 21:57:36 +0300 (EEST)
Subject: OpenSSH 2.2.0p1 doesn't detect OpenSSL
In-Reply-To: <39E4B4D9.4A3615D2@hpcf.upr.edu>

On Wed, 11 Oct 2000, William Caban wrote:
> I compile/install OpenSSL 0.9.6. The installation was done using prefix
> /usr/local/ssl. I test the binaries and they are working fine. Then,
> when I try to configure the Openssh
>
> ./configure --prefix=/usr/local/ssl --with-ssl-dir=/usr/local/ssl
>
> or other options, I just get the message:
>
> configure: error: Could not find working SSLeay / OpenSSL libraries,
> please install

I assume the old version of OpenSSL you had installed is pre-0.9.5a.

When you use --with-ssl-dir in OpenSSL, it'll first look at the standard
directories, not the one specified. This has hit me a couple of times
when you have an older version of OpenSSL in e.g. /usr/local/lib etc. --
you _can't_ override that easily..

AFAIR the order was changed in post-2.2.0p1 snapshots.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"

From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Oct 12 06:33:53 2000
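Review bot: the channels.c hunk above tests `EAFNOSUPPORT`, which is the correct errno constant, while the subject and the description of the patch say "EAFNOTSUPPORT"; please fix the description so that a later grep for the symbol finds this change. The logic itself is sound: an address family the kernel rejects outright is now handled the same way as the old EINVAL case, so the listener set-up presumably moves on to the next getaddrinfo() result in the `else` branch instead of returning NULL and taking the whole X11 forwarding down.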
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Wed, 11 Oct 2000 21:33:53 +0200
Subject: OpenSSH 2.2.0p1 doesn't detect OpenSSL
In-Reply-To: <39E4B4D9.4A3615D2@hpcf.upr.edu>; from william@hpcf.upr.edu on Wed, Oct 11, 2000 at 02:43:38PM -0400
References: <39E4B4D9.4A3615D2@hpcf.upr.edu>
Message-ID: <20001011213353.B6801@serv01.aet.tu-cottbus.de>

On Wed, Oct 11, 2000 at 02:43:38PM -0400, William Caban wrote:
> Hi all:
>
> I'm trying to compile OpenSSH 2.2.0p1 on an Origin 2000 running Irix
> 6.5.9 and when I run ./configure it didn't detect the OpenSSL libraries.
>
> I compile/install OpenSSL 0.9.6. The installation was done using prefix
> /usr/local/ssl. I test the binaries and they are working fine. Then,
> when I try to configure the Openssh
>
> ./configure --prefix=/usr/local/ssh --with-ssl-dir=/usr/local/ssl
> or
> ./configure --prefix=/usr/local/ssl --with-ssl-dir=/usr/local/ssl
>
> or other options, I just get the message:
>
> configure: error: Could not find working SSLeay / OpenSSL libraries,
> please install
>
> I add some "echo" on the configure script to see the differents paths it
> is testing and it is testing the correct ones at some point but it
> doesn't detect it.

Pekka Savola already commented on the possibility of an old SSL
installation in the standard path. This however should not apply here.
If there is a not-working OpenSSL, configure will go on to the next
location, which would be the specified one.

Anyway, configure logs everything it does (especially the failures) to
config.log. Please check for the error message when examining
/usr/local/ssl.

Best regards,
	Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel.    +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax.    +49 355 69-4153

From william at hpcf.upr.edu Thu Oct 12 06:42:29 2000
From: william at hpcf.upr.edu (William Caban)
Date: Wed, 11 Oct 2000 15:42:29 -0400
Subject: OpenSSH 2.2.0p1 doesn't detect OpenSSL
Message-ID: <39E4C2A5.9B1CF1C9@hpcf.upr.edu>

Pekka Savola wrote:

> On Wed, 11 Oct 2000, William Caban wrote:
> > I compile/install OpenSSL 0.9.6. The installation was done using prefix
> > /usr/local/ssl. I test the binaries and they are working fine. Then,
> > when I try to configure the Openssh
> >
> > ./configure --prefix=/usr/local/ssl --with-ssl-dir=/usr/local/ssl
> >
> > or other options, I just get the message:
> >
> > configure: error: Could not find working SSLeay / OpenSSL libraries,
> > please install
>
> I assume the old version of OpenSSL you had installed is pre-0.9.5a.

No. I downloaded it yesterday and it is openssl 0.9.6. The problem is not
compiling openssl but with OpenSSH.

Also, I want to add that I also tried with:

CFLAGS="-L/usr/local/lib -L/usr/local/ssl/lib" ./configure \
--prefix=/usr/local --with-ssl-dir=/usr/local/ssl

that someone just recommended but it didn't work, I just get the same error
message.

--William Caban

From stevev at darkwing.uoregon.edu Thu Oct 12 06:42:06 2000
From: stevev at darkwing.uoregon.edu (Steve VanDevender)
Date: Wed, 11 Oct 2000 12:42:06 -0700
Subject: OpenSSH 2.2.0p1 doesn't detect OpenSSL
In-Reply-To: <39E4C2A5.9B1CF1C9@hpcf.upr.edu>
References: <39E4C2A5.9B1CF1C9@hpcf.upr.edu>
Message-ID: <14820.49806.125413.384673@darkwing.uoregon.edu>

William Caban writes:
> Also, I want to add that I also try with:
>
> CFLAGS="-L/usr/local/lib -L/usr/local/ssl/lib" ./configure \
> --prefix=/usr/local --with-ssl-dir=/usr/local/ssl
>
> that someone just recomend but it didn't work, I just get the same error
> message.

When I recommended that to you, I expected that you would apply some
critical thought, particularly taking a look at where your OpenSSL
libraries were actually installed on your system, and adjust it
accordingly.

From william at hpcf.upr.edu Thu Oct 12 06:58:20 2000
From: william at hpcf.upr.edu (William Caban)
Date: Wed, 11 Oct 2000 15:58:20 -0400
Subject: OpenSSH 2.2.0p1 doesn't detect OpenSSL
References: <39E4C2A5.9B1CF1C9@hpcf.upr.edu> <14820.49806.125413.384673@darkwing.uoregon.edu>
Message-ID: <39E4C65C.54AE7747@hpcf.upr.edu>

Steve VanDevender wrote:

> William Caban writes:
> > Also, I want to add that I also try with:
> >
> > CFLAGS="-L/usr/local/lib -L/usr/local/ssl/lib" ./configure \
> > --prefix=/usr/local --with-ssl-dir=/usr/local/ssl
> >
> > that someone just recomend but it didn't work, I just get the same error
> > message.
>
> When I recommended that to you, I expected that you would apply some
> critical thought, particularly taking a look at where your OpenSSL
> libraries were actually installed on your system, and adjust it
> accordingly.

Actually I did it. The real path that I want to use is
/usr/local/sshdist/ssl and it is there where I have everything installed.
This is the full command I'm running. Also, I have no other version on my
system. I just want to create a directory, in this case /usr/local/sshdist/
with all the libraries and binaries needed to make this work in that way I
can keep upgrading it without disturbing the rest of the system that is
being heavily used by researchers.

CFLAGS="-L/usr/local/sshdist/lib -L/usr/local/sshdist/ssl/lib -I/usr/local/sshdist -I/usr/local/sshdist/ssl -I/usr/local/sshdist/include -I/usr/local/sshdist/ssl/include" \
-I/usr/local/sshdist/ssl/include/openssl" \
./configure --prefix=/usr/local/sshdist \
--with-egd-pool=/tmp/random_pool \
--with-random=/tmp/random_pool \
--with-ssl-dir=/usr/local/sshdist/ssl

-------------- next part --------------
A non-text attachment was scrubbed...
Name: william.vcf
Type: text/x-vcard
Size: 572 bytes
Desc: Card for William Caban
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20001011/659c0296/attachment.vcf

From william at hpcf.upr.edu Thu Oct 12 07:07:41 2000
From: william at hpcf.upr.edu (William Caban)
Date: Wed, 11 Oct 2000 16:07:41 -0400
Subject: OpenSSH 2.2.0p1 doesn't detect OpenSSL
References: <39E4B4D9.4A3615D2@hpcf.upr.edu> <14820.47322.293181.623801@darkwing.uoregon.edu> <39E4C4EA.EF9A5394@hpcf.upr.edu> <14820.50498.628311.338580@darkwing.uoregon.edu>
Message-ID: <39E4C88D.430A21DC@hpcf.upr.edu>

Steve VanDevender wrote:

> William Caban writes:
> > > You shouldn't be using --prefix in that way. --prefix does not tell
> > > configure where to find libraries; it tells configure where OpenSSH
> > > will eventually be installed.
> >
> > Yes, I know. But when I look at the 'configure' script it also test for
> > possible libraries on that directory and anyway, I was doing it to minimize
> > any possible ($prefix)/lib mismatch, I just want to install it under
> > /usr/local/ssh.
> >
> > > You may also need to add library path flags to your CFLAGS to tell your
> > > C compiler where to find libraries; i.e.
> > >
> > > CFLAGS="-L/usr/local/lib -L/usr/local/ssl/lib" ./configure \
> > > --prefix=/usr/local --with-ssl-dir=/usr/local/ssl
> >
> > I try this but it is doing the same. Thanks anyway.
>
> In the general case, you need to determine where the OpenSSL includes
> live, and if they are not in the default include path for your compiler,
> add something like "-I/usr/local/ssl/include" to your CFLAGS.
> Similarly, if the OpenSSL libraries are not in the default link path for
> your compiler, you need to add something like "-L/usr/local/ssl/lib" to
> your LDFLAGS.
>
> On some systems (i.e. Digital UNIX with the DEC C compiler) I have the
> best luck with something like this:
>
> CC="cc -I/usr/local/include -L/usr/local/lib" CFLAGS="-O2" ./configure ...
>
> This is because not all configure tests actually pull in CFLAGS, but
> they do pull in your definition of CC.
>
> If you dig around in config.log you might be able to determine which
> configure test is failing and why, and adjust your invocation of
> configure to match.

Actually, thanks for that suggestion, I just looked at the config.log and
discovered the real error:

....
configure:2862: gcc -o conftest -L/usr/local/sshdist/lib -L/usr/local/sshdist/ssl/lib -I/usr/local/sshdist -I/usr/local/sshdist/ssl -I/usr/local/sshdist/incl
1219
ld: FATAL 12: Expecting 32-bit objects: /usr/local/sshdist/lib/libcrypto.a is 64-bit.
configure: failed program was:
...

This is happening for all the ssl tests so I have 32-bit binaries fighting
with 64-bit binaries.... Nice jungle! Probably I could do it.

Thanks!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: william.vcf
Type: text/x-vcard
Size: 572 bytes
Desc: Card for William Caban
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20001011/7629192e/attachment.vcf

From gombasg at inf.elte.hu Thu Oct 12 08:29:49 2000
From: gombasg at inf.elte.hu (GOMBAS Gabor)
Date: Wed, 11 Oct 2000 23:29:49 +0200
Subject: Install bug in Makefile.in
Message-ID: <20001011232949.G26159@valerie.inf.elte.hu>

Hello,

There is a bug in the Makefile.in distributed with OpenSSH-2.2.0p1: it
refers to mkinstalldirs as "./mkinstalldirs" whereas it should use
"$(top_srcdir)/mkinstalldirs". This bug prevents "make install" from working
if the build directory is not the same as the source directory.

Gabor

-- 
Gabor Gombas                                       Eotvos Lorand University
E-mail: gombasg at inf.elte.hu                        Hungary

From pekkas at netcore.fi Thu Oct 12 08:47:01 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 12 Oct 2000 00:47:01 +0300 (EEST)
Subject: Install bug in Makefile.in
In-Reply-To: <20001011232949.G26159@valerie.inf.elte.hu>

On Wed, 11 Oct 2000, GOMBAS Gabor wrote:
> There is a bug in the Makefile.in distributed with OpenSSH-2.2.0p1: it
> refers to mkinstalldirs as "./mkinstalldirs" whereas it should use
> "$(top_srcdir)/mkinstalldirs". This bug prevents "make install" to work
> if the build directory is not the same as the source directory.

This has been fixed in the latest snapshots (0930 at least).

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"

From Marc.Neitzner at nbg.net Fri Oct 13 00:52:16 2000
From: Marc.Neitzner at nbg.net (Marc.Neitzner at nbg.net)
Date: Thu, 12 Oct 2000 14:52:16 +0100
Subject: openssh on solaris x86

Hi,

we're using SSH-1.5-OpenSSH-1.2.2 and SSH-1.5-OpenSSH-2.2.0p1
on solaris for x86 (Solaris 2.8). Both Versions seem to have a problem
in forwarding ports that may concern htonl/ntohl:

SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
debug: Seeding random number generator
debug: ssh_connect: getuid 0 geteuid 0 anon 1
debug: Connecting to 6.0.1.1 [6.0.1.1] port 22.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version 1.3.6 F-SECURE SSH
debug: Local version string SSH-1.5-OpenSSH_2.2.0p1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host '6.0.1.1' is known and matches the RSA host key.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Doing password authentication.
a116017 at 6.0.1.1's password:
debug: Requesting pty.
debug: Connections to local port 8888 forwarded to remote address localhost:389
debug: Local forwarding listening on 1.0.0.127 port 8888.
bind: Cannot assign requested address
Disconnecting: cannot listen port: 8888
debug: Calling cleanup 0x8077c9c(0x0)

Using truss you can see that the local bind fails:

bind(5, 0x081104C0, 16, 3) Err#126 EADDRNOTAVAIL

Thanks for your help
Marc

From bolsen at pixxures.com Fri Oct 13 05:20:25 2000
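The htonl/ntohl suspicion in the report above, worked through as an added example that is not OpenSSH code: it shows how storing the host-order constant INADDR_LOOPBACK into sin_addr without htonl() yields exactly the "1.0.0.127" seen in the debug output on a little-endian host such as Solaris x86 (and why bind() then fails with EADDRNOTAVAIL), plus a check that can be run on a sockaddr_in before bind() to catch a reversed loopback address. Function names are my own; where the real defect sits in the Solaris x86 build is not established in the thread.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Render a value the way inet_ntop() will: it assumes the bytes are already
 * in network order, which is exactly why a missing htonl() shows up as a
 * reversed dotted quad in the debug message. */
static const char *quad(uint32_t stored_s_addr)
{
	static char buf[INET_ADDRSTRLEN];
	struct in_addr a;
	a.s_addr = stored_s_addr;
	return inet_ntop(AF_INET, &a, buf, sizeof buf);
}

int host_is_little_endian(void)
{
	uint16_t probe = 1;
	unsigned char first;
	memcpy(&first, &probe, 1);
	return first == 1;
}

/* Correct construction: INADDR_LOOPBACK (0x7f000001) is a host-order
 * constant and must be converted before it is stored in the sockaddr. */
const char *loopback_with_htonl(void)
{
	struct sockaddr_in sin;
	memset(&sin, 0, sizeof sin);
	sin.sin_family = AF_INET;
	sin.sin_port = htons(8888);
	sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	return quad(sin.sin_addr.s_addr);           /* "127.0.0.1" */
}

/* Defective construction: the constant is stored as-is. On a big-endian
 * host this happens to work; on x86 the octets come out reversed, the
 * kernel sees address 1.0.0.127, which is not local, and bind() fails
 * with EADDRNOTAVAIL as in the truss output. */
const char *loopback_without_htonl(void)
{
	struct sockaddr_in sin;
	memset(&sin, 0, sizeof sin);
	sin.sin_family = AF_INET;
	sin.sin_port = htons(8888);
	sin.sin_addr.s_addr = (uint32_t)INADDR_LOOPBACK;   /* bug: no htonl() */
	return quad(sin.sin_addr.s_addr);           /* "1.0.0.127" on x86 */
}

/* Pre-bind sanity check on the stored (network-order) address:
 *   0  -> genuine loopback
 *   1  -> the octets of loopback stored reversed ("1.0.0.127")
 *  -1  -> something else (not examined here) */
int classify_listen_addr(uint32_t stored_s_addr)
{
	uint32_t host_order = ntohl(stored_s_addr);
	if (host_order == INADDR_LOOPBACK)
		return 0;
	if (host_order == 0x0100007fUL)     /* 1.0.0.127 read back as host order */
		return 1;
	return -1;
}

int main(void)
{
	printf("with htonl:    %s\n", loopback_with_htonl());
	printf("without htonl: %s\n", loopback_without_htonl());
	printf("1.0.0.127 classifies as %d\n",
	    classify_listen_addr(inet_addr("1.0.0.127")));
	return 0;
}
```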
From: bolsen at pixxures.com (Brian Olsen)
Date: Thu, 12 Oct 2000 12:20:25 -0600
Subject: Remote port forwarding problems
Message-ID: <39E600E9.25337F14@pixxures.com>

I've been trying to get remote port forwarding to work between redhat 6.2 boxes
using openssh 2.2.0p1. One box is running the stock kernel, the other is running
2.4.0-test9 currently.

The command I type is:

ssh -v -R 8080:localhost:8080

I've also used the machine name and ip address for the local machine.

The -v shows these curious messages:

debug: read DSA private key done
debug: sig size 20 20
debug: ssh-userauth2 successfull
debug: no set_nonblock for tty fd 4
debug: no set_nonblock for tty fd 5
debug: no set_nonblock for tty fd 6
debug: channel 0: new [client-session]
debug: send channel open 0
debug: Entering interactive session.

The no set_nonblock, is that an indication?

here's the output with

ssh -v -R 8080:localhost:8080 -L 8081:localhost:8081

debug: ssh-userauth2 successfull
debug: Connections to local port 8081 forwarded to remote address localhost:8081
socket: Invalid argument
debug: Local forwarding listening on 127.0.0.1 port 8081.
debug: fd 7 setting O_NONBLOCK
debug: channel 0: new [port listener]
debug: no set_nonblock for tty fd 4
debug: no set_nonblock for tty fd 5
debug: no set_nonblock for tty fd 6
debug: channel 1: new [client-session]

The local port forwarding seems to work even with the complaint.

Thanks,
Brian

bolsen at pixxures.com

From greg at linuxpower.cx Fri Oct 13 09:25:15 2000
From: greg at linuxpower.cx (Gregory Maxwell)
Date: Thu, 12 Oct 2000 18:25:15 -0400
Subject: SSH2 slow.
Message-ID: <20001012182515.A7945@xi.linuxpower.cx>

I just upgraded a Linux system to OpenSSH-2.2.0p1 from a prior non-SSH2
able version. After connecting from another system with 2.2.0 over a slow
(28.8kbit) link, I found the system to be much slower and more latent than
before.

I disabled protocol 2 on the server and restarted sshd, reconnected, and
the problem was resolved.

I briefly searched the webpage and list archives to no avail. Is this a
known issue, am I in need of a good larting with the find manual, or is
this an unknown bug and I need to make a better report?

I haven't found myself in need of any SSH2 features, so this isn't yet a
big problem for me... Just curious.

Thanks for any advice.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 233 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20001012/bc1e9a06/attachment.bin

From vtmue at uni-freiburg.de Fri Oct 13 12:57:44 2000
From: vtmue at uni-freiburg.de (V. T. Mueller)
Date: Fri, 13 Oct 2000 03:57:44 +0200 (MET DST)
Subject: 2.2.0p1 configure problems

hp-pa2.0W
HP-UX 11.0 pl6/00
/opt/zlib (1.1.3)
/opt/openssl (0.9.6)
(tried sh and ksh)

CFLAGS="-O -Ae" LIBS="-L/opt/zlib/lib" ./configure --prefix=/opt \
--with-pid-dir=/var/run --with-ipv4-default --with-ssl-dir=/opt/openssl

States it is unable to find openssl. Anyone worked around this
already? I would think it has problems compiling the piece of
test-code, but I have no idea how to track this down... any
suggestions?

And well, there is a mini bug in line 1612:

LIBS="-lz $LIBS"
should imho read
LIBS="$LIBS -lz"

Greetings,
vt

-- 
V. T. Mueller                                   UCC Freiburg, Germany
vtmue (at) uni-freiburg.de
"Windows: Written by Morons for Morons"

From markus.friedl at informatik.uni-erlangen.de Fri Oct 13 20:12:15 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 13 Oct 2000 11:12:15 +0200
Subject: Remote port forwarding problems
In-Reply-To: <39E600E9.25337F14@pixxures.com>; from bolsen@pixxures.com on Thu, Oct 12, 2000 at 12:20:25PM -0600
References: <39E600E9.25337F14@pixxures.com>
Message-ID: <20001013111214.A8966@folly>

-R is not yet supported for SSH-2 (but will be soon).

On Thu, Oct 12, 2000 at 12:20:25PM -0600, Brian Olsen wrote:
> I've been trying to get remote port forwarding to work between redhat
> 6.2 boxes
> using openssh 2.2.0p1. One box is running the stock kernel, the other
> is running
> 2.4.0-test9 currently.
>
> The command I type is:
>
> ssh -v -R 8080:localhost:8080
>
> I've also used the machine name and ip address for the local machine.
>
> The -v shows these curious messages:
>
> debug: read DSA private key done
> debug: sig size 20 20
> debug: ssh-userauth2 successfull
> debug: no set_nonblock for tty fd 4
> debug: no set_nonblock for tty fd 5
> debug: no set_nonblock for tty fd 6
> debug: channel 0: new [client-session]
> debug: send channel open 0
> debug: Entering interactive session.
>
> The no set_nonblock, is that an indication?
>
> here's the output with
>
> ssh -v -R 8080:localhost:8080 -L 8081:localhost:8081
>
> debug: ssh-userauth2 successfull
> debug: Connections to local port 8081 forwarded to remote address
> localhost:8081
> socket: Invalid argument
> debug: Local forwarding listening on 127.0.0.1 port 8081.
> debug: fd 7 setting O_NONBLOCK
> debug: channel 0: new [port listener]
> debug: no set_nonblock for tty fd 4
> debug: no set_nonblock for tty fd 5
> debug: no set_nonblock for tty fd 6
> debug: channel 1: new [client-session]
>
> The local port forwarding seems to work even with the complaint.
>
> Thanks,
> Brian
>
> bolsen at pixxures.com
>

From epa98 at doc.ic.ac.uk Fri Oct 13 23:35:27 2000
From: epa98 at doc.ic.ac.uk (Edward Avis)
Date: Fri, 13 Oct 2000 13:35:27 +0100 (BST)
Subject: Cipher 'none'

By making a one-line change it is possible to enable the cipher 'none' in
openssh. But you still have to ask for it explicitly, either by adding it
to /etc/ssh/ssh_config or by giving the '-c none' option to ssh.

I think that this 'feature' should be turned back on, because for slow
machines or large file transfers, using encryption slows things down a
lot. This means that you have to resort to rcp or ftp to get things
working at a reasonable speed, which is a bad habit for the users to get
into.

It's understandable to disable weak ciphers like DES - and even weaker
ones like 'none' :-) - to improve security. But it doesn't improve
security if it pushes people back into the arms of telnet and rsh.

For many networks, eavesdropping is not a serious problem - think of a
home network or even a small office. In an ideal world you'd have strong
encryption even across these links, but in practice not every machine is
fast enough to do this and still get work done.

(My situation is a 386SX-16 as an X terminal over a small Ethernet. I've
set things up so that no encryption is used for the four or five hosts on
this closed network, but if ssh is used over the Internet (via a modem
link) it uses Blowfish or triple-DES. Then the users just remember one
command, and it's secure when it needs to be and fast when it can be.)

Protecting the users from themselves can only go so far. If somebody has
deliberately enabled none in the configuration file or on the command
line, and has chosen to ignore the warning messages printed by ssh, they
probably know what they want.

Compare 'no encryption' with the FallBackToRsh option in the configuration
file. Using rsh is insecure and so it is disabled by default, and rightly
so. But if the user is prepared to sacrifice some security for
convenience, the option is there - but it must be turned on deliberately.
If you feel that support for the cipher 'none' should not be included in
the ssh libraries, shouldn't falling back to rsh also be disabled?

-- 
Ed Avis
epa98 at doc.ic.ac.uk

From res at shore.net Fri Oct 13 23:51:22 2000
From: res at shore.net (Richard E. Silverman)
Date: Fri, 13 Oct 2000 08:51:22 -0400 (EDT)
Subject: Cipher 'none'

For the SSH-2 protocol, I agree with your comments. I think the "none"
cipher should be available in the standard build, and the client should
print a prominent warning message on connection (and password
authentication should be disabled, of course). A security concern you
didn't mention is that an attacker might surreptitiously add "cipher none"
to a config file, invisibly rendering connections readable unless someone
uses debug mode and notices the cipher; printing a warning helps alleviate
this concern.

However, for SSH-1, I believe "none" should remain disabled, since without
encryption you effectively lose server authentication and integrity as
well. This is just too weak to tolerate. SSH-2 does not suffer from this
problem.

-- 
Richard Silverman
slade at shore.net

From epa98 at doc.ic.ac.uk Sat Oct 14 02:11:12 2000
From: epa98 at doc.ic.ac.uk (Edward Avis)
Date: Fri, 13 Oct 2000 16:11:12 +0100 (BST)
Subject: Cipher 'none'

On Fri, 13 Oct 2000, Richard E. Silverman wrote:

[should the user be allowed to select cipher 'none'?]

>For the SSH-2 protocol, I agree with your comments. I think the "none"
>cipher should be available in the standard build, and the client should
>print a prominent warning message on connection

Yep.

>(and password authentication should be disabled, of course).

Not necessarily - if you trust the network there's no problem with sending
the password over it. But such blatant insecurity might be too much for
ssh developers to swallow. Authentication happens only once for each
connection, so it doesn't really matter how slow it is. There's no
problem with requiring key + passphrase authentication, except maybe that
it requires users to manage another password.

>A security concern you
>didn't mention is that an attacker might surreptitiously add "cipher none"
>to a config file,

He'd have to add it on both the client and server (I'm imagining that sshd
in the default configuration would not accept 'none'). That would require
root access on the server at least. If you have root access you could do
what you wanted anyway. And if you have access to a user's account to
edit ~/.ssh/ssh_config you could probably put a trojan 'ssh' binary in the
user's PATH. So I don't think it raises any new concerns.

>However, for SSH-1, I believe "none" should remain disabled, since without
>encryption you effectively lose server authentication and integrity as
>well. This is just too weak to tolerate.

Depends. You pick what level of security you need depending on your
environment. OTOH, you do have a point - it would get just too clumsy to
print several warnings about cleartext passwords, suspect servers and so
on.

>SSH-2 does not suffer from this problem.
It looks as if SSH-2 with DSA authentication and no encryption is the best
compromise between security and speed for slowish machines on a fast,
trusted network. Provided the user deliberately chooses to enable it, of
course.

-- 
Ed Avis
epa98 at doc.ic.ac.uk

From rachit at ensim.com Sat Oct 14 10:31:49 2000
From: rachit at ensim.com (Rachit Siamwalla)
Date: Fri, 13 Oct 2000 16:31:49 -0700
Subject: question about ssh / security
Message-ID: <39E79B65.EDFACEF@ensim.com>

I've been using ssh for a while now (both fsecure and openssh), but am not
an expert on security. I was wondering whether the following is secure:

I create a key pair, trusted & trusted.pub

I run sshd on a server (no telnet, rsh or other services). I create a user
"guest", and put "trusted.pub" in my authorized file.

I give away "trusted" (the private key) to people I trust, but let's
assume for a moment that it is public (it's hard to enforce that "trusted"
will not be distributed indiscriminately).

For the user guest, I set the shell in /etc/passwd to be my own server
program that I make as bullet-proof as possible.

For the people I give the key away to, I give them a client program to
access this server program which uses the "trusted" key.

My question is, is it possible for a smart, evil man given the trusted key
and the source of the client program to circumvent the /etc/passwd shell
and bypass my server program (assuming that the server program has no bugs
in it)?

-rchit

From djm at mindrot.org Sat Oct 14 12:37:37 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 14 Oct 2000 12:37:37 +1100 (EST)
Subject: [PATCH] X11 forwarding failure on later Linux dev kernels fix
In-Reply-To:
Message-ID:

On Tue, 10 Oct 2000, Martin Johansson wrote:

> Hi!
>
> The return values from socket() changed from EINVAL to EAFNOTSUPPORT
> for not supported address family in Linux 2.4.0-test8. This small
> patch fixes the 'error: socket: Address family not supported by
> protocol' and 'Disconnecting: Command terminated on signal 11.' when
> enabling X11 forwarding.

Thanks, applied.

-d

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From djm at mindrot.org Sat Oct 14 12:46:39 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 14 Oct 2000 12:46:39 +1100 (EST)
Subject: Bug in OpenSSH 2.2.0p1
In-Reply-To:
Message-ID:

On Wed, 11 Oct 2000 Martin.Luig at telekom.de wrote:

> In line 542 of entropy.c is the owner of the PRNG seedfile checked. Root is
> also a valid owner of this file.
> So the line must be:
> if (((st.st_mode & 0177) != 0) || !( (st.st_uid == original_uid) || (st.st_uid == 0) ) )

Under what conditions was the original test failing?

-d

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From djm at mindrot.org Sat Oct 14 13:05:48 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 14 Oct 2000 13:05:48 +1100 (EST)
Subject: openssh on solaris x86
In-Reply-To:
Message-ID:

On Thu, 12 Oct 2000 Marc.Neitzner at nbg.net wrote:

> Hi,
>
> we're using SSH-1.5-OpenSSH-1.2.2 and SSH-1.5-OpenSSH-2.2.0p1
> on solaris for x86 (Solaris 2.8). Both Versions seem to have a problem
> in forwarding ports that may concern htonl/ntohl:
>
> debug: Local forwarding listening on 1.0.0.127 port 8888.

Very strange. Can anyone else with Solaris x86 replicate?

-d

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From djm at mindrot.org Sat Oct 14 13:08:44 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 14 Oct 2000 13:08:44 +1100 (EST)
Subject: 2.2.0p1 configure problems
In-Reply-To:
Message-ID:

On Fri, 13 Oct 2000, V. T. Mueller wrote:

>
> hp-pa2.0W
> HP-UX 11.0 pl6/00
> /opt/zlib (1.1.3)
> /opt/openssl (0.9.6)
> (tried sh and ksh)
>
> CFLAGS="-O -Ae" LIBS="-L/opt/zlib/lib" ./configure --prefix=/opt \
>     --with-pid-dir=/var/run --with-ipv4-default --with-ssl-dir=/opt/openssl
>
> States it is unable to find openssl. Anyone worked around this
> already? I would think it has problems compiling the piece of
> test-code, but I have no idea how to track this down... any
> suggestions?

Check the last few lines of config.log, they usually contain a clue as to
why things fail.

> And well, there is a mini bug in line 1612:
>
> LIBS="-lz $LIBS"
> should imho read
> LIBS="$LIBS -lz"

(I presume you refer to configure)

This is automatically generated by autoconf. What problem does the above
cause?

-d

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From djm at mindrot.org Sat Oct 14 13:38:06 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 14 Oct 2000 13:38:06 +1100 (EST)
Subject: Cipher 'none'
In-Reply-To:
Message-ID:

On Fri, 13 Oct 2000, Edward Avis wrote:

> By making a one-line change it is possible to enable the cipher 'none'
> in openssh. But you still have to ask for it explicitly, either by
> adding it to /etc/ssh/ssh_config or by giving the '-c none' option to
> ssh.
>
> I think that this 'feature' should be turned back on, because for slow
> machines or large file transfers, using encryption slows things down a
> lot. This means that you have to resort to rcp or ftp to get
> things working at a reasonable speed, which is a bad habit for the users
> to get into.

It is a bad habit to have unencrypted data on your network full stop :)

Seriously, some of the ciphers offered by SSH2 are pretty fast. These are
the times it took to scp a 100Mb file to /dev/null via ssh2 over
localhost:

P166
  3des-cbc:      232 sec   431kbps
  blowfish-cbc:   90 sec   1.1Mbps
  arcfour:        71 sec   1.4Mbps

P3/700
  3des-cbc:       47 sec   2.1Mbps
  blowfish-cbc:   18 sec   5.5Mbps
  cast128-cbc:    18 sec   5.5Mbps
  arcfour:        12 sec   8.3Mbps

-d

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From djm at mindrot.org Sat Oct 14 13:45:11 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 14 Oct 2000 13:45:11 +1100 (EST)
Subject: question about ssh / security
In-Reply-To: <39E79B65.EDFACEF@ensim.com>
Message-ID:

On Fri, 13 Oct 2000, Rachit Siamwalla wrote:

>
> I've been using ssh for a while now (both fsecure and openssh), but am
> not an expert on security. I was wondering whether the following is
> secure:
>
> I create a key pair, trusted & trusted.pub
>
> I run sshd on a server (no telnet, rsh or other services). I create a
> user "guest", and put "trusted.pub" in my authorized file. I give away
> "trusted" (the private key) to people I trust, but let's assume for a
> moment that it is public (it's hard to enforce that "trusted" will not be
> distributed indiscriminately).

You are better off making multiple keypairs, one for each person that you
wish to give access to. This will make it easy to revoke access to a
single person.

> For the user guest, I set the shell in /etc/passwd to be my own server
> program that I make as bullet-proof as possible.

You are better off using key options in your authorized_keys file. The
syntax is:

command="your command",[options] [keydata]

e.g:

command="cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3NzaC1C15907A13182AEC4CF198C0B34104A146541578F5A3EB1C65776438616511AF7SRQyzSMF1gyUkEnT+O3BMmKiwnFYu/fy+eiUOYSf9AAAAFQDCkuOkBpR1XFM52lFVxEo+dfTwnQAAAIBYq/1hbl8WYMP8Cnfx8ajGnNBpd5twHwoV3V6J/owCUxSCNkXk1iv2zIOkGaWNdqDY24HXKd759bmx/0bAoKAd1GzzN8aYXgKvj9Xgyl00A7YD0JdkjJykcPn/hAhz9bL+QiN5HDXOns0Q5rXMC15907A13182AEC4CF198C0B34104A146541578F5A3EB1C65776438616511AFpvKM3ffs1SbysZczo+A7OgxTZ8qGnlCyT3GsrbT1KXF39353Y2zMI= user at example.com

This will limit the user of the key to the specified program and also
prevent them from setting up port-forwards. Have a look at the sshd
manpage for details.

> For the people I give the key away to, I give them a client program to
> access this server program which uses the "trusted" key.
>
> My question is, is it possible for a smart, evil man given the
> trusted key and the source of the client program to circumvent the
> /etc/passwd shell and bypass my server program (assuming that the
> server program has no bugs in it)?

Not to our knowledge. If they could, it would be a serious bug in OpenSSH.

-d

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From rob at hagopian.net Sat Oct 14 16:14:03 2000
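To make the authorized_keys advice in the reply above concrete, here is an added example (not OpenSSH's own code and not part of the thread) that parses key lines the way sshd's option parser does, including quoted command= values containing escaped quotes, and reports every key that has no forced command or lacks one of the no-*-forwarding options. The sample file, its key blobs and all function names are constructed for this example.

```python
"""Audit authorized_keys entries for forced commands and forwarding limits.

Added example, not OpenSSH code. Options end at the first unquoted space;
inside a double-quoted value a backslash escapes the next character.
"""
import re

KEY_TYPES = ("ssh-dss", "ssh-rsa")          # SSH2 key types of the period
WANTED = ("no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding")
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|$)')


def split_options(line):
    """Return (options_text, rest_of_line), honouring quotes and escapes."""
    in_quote = False
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and in_quote:
            i += 2                           # skip the escaped character
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""                          # options but no key data


def parse_options(text):
    """Turn 'a,b="x,y",c' into {'a': True, 'b': 'x,y', 'c': True}."""
    opts = {}
    for m in OPTION_RE.finditer(text):
        name, value = m.group(1), m.group(2)
        opts[name] = True if value is None else value.replace('\\"', '"')
    return opts


def parse_line(line):
    """None for blank/comment lines, else dict(options, type, comment)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if first in KEY_TYPES or first.isdigit():
        opts_text, rest = "", line           # no options prefix
    else:
        opts_text, rest = split_options(line)
    if not rest:
        raise ValueError("malformed key line: " + line)
    if rest.split(None, 1)[0].isdigit():
        parts = rest.split(None, 3)          # SSH1: bits exponent modulus [comment]
        if len(parts) < 3:
            raise ValueError("malformed SSH1 key line: " + line)
        ktype, comment = "rsa1", (parts[3] if len(parts) > 3 else "")
    else:
        parts = rest.split(None, 2)          # SSH2: type base64 [comment]
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            raise ValueError("malformed SSH2 key line: " + line)
        ktype, comment = parts[0], (parts[2] if len(parts) > 2 else "")
    return {"options": parse_options(opts_text), "type": ktype, "comment": comment}


def audit(text):
    """Return [(label, [problems]), ...], one entry per key in the file."""
    findings = []
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        opts = entry["options"]
        problems = [] if "command" in opts else ["no forced command"]
        problems += [opt + " missing" for opt in WANTED if opt not in opts]
        findings.append((entry["comment"] or entry["type"], problems))
    return findings


# Constructed sample: a fully restricted key, a partly restricted key, the
# shared 'trusted' key from the question with no options at all, and an
# SSH1-format line. The key blobs are placeholders, not real keys.
SAMPLE = """\
# authorized_keys for the guest account (constructed sample)
command="cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3NzaPLACEHOLDER== alice at example.com
command="/usr/local/bin/guest-server \\"-v\\"",no-port-forwarding ssh-dss AAAAB3NzaPLACEHOLDER== bob at example.com
ssh-dss AAAAB3NzaPLACEHOLDER== shared-trusted-key
1024 35 1234567890123456789012345 carol at example.com
"""

if __name__ == "__main__":
    for label, problems in audit(SAMPLE):
        print("%-22s %s" % (label, "; ".join(problems) or "ok"))
```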
From: rob at hagopian.net (Rob Hagopian)
Date: Sat, 14 Oct 2000 01:14:03 -0400 (EDT)
Subject: Cipher 'none'
In-Reply-To:
Message-ID:

8.3MB/s isn't that good when you need to transfer 100GBs of data around on
gigabit ethernet... Secure authentication without session encryption will
always have a legitimate niche amongst some people.

Would this be enough to deter use?
a) a configure option, and
b) a config file option for sshd, and
c) has to be specified on the command line for ssh, and
d) client prints out a warning whenever no cipher is found (unless a
   specific suppression flag is given [so it would show up even with -q])

The downside to these protections is it's more code in more places for
such a simple change. I think just a configure option should be enough...

If session encryption is so important why isn't everyone using ssl for
http for the web?
						-Rob

On Sat, 14 Oct 2000, Damien Miller wrote:

> On Fri, 13 Oct 2000, Edward Avis wrote:
>
> > By making a one-line change it is possible to enable the cipher 'none'
> > in openssh. But you still have to ask for it explicitly, either by
> > adding it to /etc/ssh/ssh_config or by giving the '-c none' option to
> > ssh.
> >
> > I think that this 'feature' should be turned back on, because for slow
> > machines or large file transfers, using encryption slows things down a
> > lot. This means that you have to resort to rcp or ftp to get
> > things working at a reasonable speed, which is a bad habit for the users
> > to get into.
>
> It is a bad habit to have unencrypted data on your network full stop :)
>
> Seriously, some of the ciphers offered by SSH2 are pretty fast. These
> are the times it took to scp a 100Mb file to /dev/null via ssh2 over
> localhost:
>
> P166
>
> 3des-cbc: 232 sec 431kbps
> blowfish-cbc: 90 sec 1.1Mbps
> arcfour: 71 sec 1.4Mbps
>
> P3/700
>
> 3des-cbc: 47 sec 2.1Mbps
> blowfish-cbc: 18 sec, 5.5Mbps
> cast128-cbc: 18 sec, 5.5Mbps
> arcfour: 12 sec 8.3Mbps
>
> -d
>
>

From djm at mindrot.org Sat Oct 14 16:49:31 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 14 Oct 2000 16:49:31 +1100 (EST)
Subject: Cipher 'none'
In-Reply-To:
Message-ID:

On Sat, 14 Oct 2000, Rob Hagopian wrote:

> If session encryption is so important why isn't everyone using ssl
> for http for the web?

The high costs of RSA key generation for each new client that needs to
connect - not a characteristic shared with ssh.

I am still not convinced of the need for 'Ciphers none'. I just don't like
the idea of ssh having a mode without any crypto. Markus?

BTW Rijndael (in the new snapshot) is very quick. 3.2Mbps for 256bit keys,
4Mbps for 128bit keys. I am sure that this will improve as people put
effort into optimising it further.

-d

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From Andrew.Ruthven at MCS.VUW.AC.NZ Sat Oct 14 16:58:20 2000
From: Andrew.Ruthven at MCS.VUW.AC.NZ (Andrew Ruthven)
Date: Sat, 14 Oct 2000 18:58:20 +1300 (NZDT)
Subject: Installation globbers ssh_prng_cmds
Message-ID:

Gidday,

I've just tried installing openssh-2.2.0p1 and found that it globbers my
ssh_prng_cmds file which has been customised from the normally installed
one. On BSDi 4.0.1 it doesn't detect enough commands for ssh-keygen to be
happy. Most of the commands do actually exist, but I have to specify where
they are.

Could someone please modify the installation scripts to either backup this
file, or not globber it on installation.

For reference the commands which are set to undef and their actual
locations follow (anyone willing to setup config details for BSDi?):

  ls        /bin/ls
  netstat   /usr/sbin/netstat
  arp       /usr/sbin/arp
  ifconfig  /sbin/ifconfig
  who       /usr/bin/who

On another note, could someone please add a better error to entropy.c,
line 816, "PRNG initialisation failed -- exiting." isn't very helpful to
tracking down the problem. It's only from reading the source that I was
able to track it down and fix it. (I had 14 working entries in
ssh_prng_cmds when I needed 16.)

Otherwise, it's a great piece of software!

Cheers!

--
Andrew Ruthven
Victoria University of Wellington, New Zealand
At Home: andrew at etc.gen.nz
At Uni:  puck at mcs.vuw.ac.nz
At Work: andrew.ruthven at chelmer.co.nz

From djm at mindrot.org Sat Oct 14 17:47:31 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 14 Oct 2000 17:47:31 +1100 (EST)
Subject: Snapshot
Message-ID:

Another snapshot for your enjoyment and testing.

There is one known problem: SSH2 sessions do not exit if there are
backgrounded processes with open std{in,out,err} fds.

This release includes several large changes from the OpenBSD team:

 - ssh-keygen -X now reads private ssh.com DSA keys (Markus Friedl)
 - Interop with ssh.com ssh-agent2 (res at shore.net)
 - Initial implementation of DH group exchange
   draft-provos-secsh-dh-group-exchange-00.txt (Niels Provos, Uni. Windsor)
 - Support "scp -o ssh-opt" (Markus Friedl and Ben Lindstrom)
 - Add SKEY support to SSH2 using kbd-interactive auth method
   (mkiernan at avantgo.com and Markus Friedl)
 - Allow single-DES for SSH1 clients (used to connect to Cisco routers)
   (Markus Friedl)
 - rijndael/aes support (Markus Friedl)

Enjoy.

-d

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From djm at mindrot.org Sat Oct 14 17:47:37 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 14 Oct 2000 17:47:37 +1100 (EST)
Subject: Installation globbers ssh_prng_cmds
In-Reply-To:
Message-ID:

On Sat, 14 Oct 2000, Andrew Ruthven wrote:

> Gidday,
>
> I've just tried installing openssh-2.2.0p1 and found that it
> globbers my ssh_prng_cmds file which has been customised from the
> normally installed one. On BSDi 4.0.1 it doesn't detect enough
> commands for ssh-keygen to be happy. Most of the commands do
> actually exist, but I have to specify where they are.

Thanks for the report. The new snapshot should fix this.

http://www.mindrot.org/misc/openssh/

-d

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From mouring at pconline.com Sat Oct 14 18:48:39 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Sat, 14 Oct 2000 02:48:39 -0500 (CDT)
Subject: Cipher 'none'
In-Reply-To:
Message-ID:

Can I suggest a middle ground here.. If there is such an overwhelming
demand for Cipher 'none' then maybe someone should create a patch and
submit it to be included in the contrib/ section. It keeps people from
using -c none without thought, and lets those who wish to accept the risk
have an easy way of doing so.

- Ben

On Sat, 14 Oct 2000, Rob Hagopian wrote:

> 8.3MB/s isn't that good when you need to transfer 100GBs of data around on
> gigabit ethernet... Secure authentication without session encryption will
> always have a legitimate niche amongst some people.
>
> Would this be enough to deter use?
> a) a configure option, and
> b) a config file option for sshd, and
> c) has to be specified on the command line for ssh, and
> d) client prints out a warning whenever no cipher is found (unless a
>    specific suppression flag is given [so it would show up even with -q])
>
> The downside to these protections is it's more code in more places for
> such a simple change. I think just a configure option should be enough...
>
> If session encryption is so important why isn't everyone using ssl for
> http for the web?
> 						-Rob
>
> On Sat, 14 Oct 2000, Damien Miller wrote:
>
> > On Fri, 13 Oct 2000, Edward Avis wrote:
> >
> > > By making a one-line change it is possible to enable the cipher 'none'
> > > in openssh. But you still have to ask for it explicitly, either by
> > > adding it to /etc/ssh/ssh_config or by giving the '-c none' option to
> > > ssh.
> > >
> > > I think that this 'feature' should be turned back on, because for slow
> > > machines or large file transfers, using encryption slows things down a
> > > lot. This means that you have to resort to rcp or ftp to get
> > > things working at a reasonable speed, which is a bad habit for the users
> > > to get into.
> >
> > It is a bad habit to have unencrypted data on your network full stop :)
> >
> > Seriously, some of the ciphers offered by SSH2 are pretty fast. These
> > are the times it took to scp a 100Mb file to /dev/null via ssh2 over
> > localhost:
> >
> > P166
> >
> > 3des-cbc: 232 sec 431kbps
> > blowfish-cbc: 90 sec 1.1Mbps
> > arcfour: 71 sec 1.4Mbps
> >
> > P3/700
> >
> > 3des-cbc: 47 sec 2.1Mbps
> > blowfish-cbc: 18 sec, 5.5Mbps
> > cast128-cbc: 18 sec, 5.5Mbps
> > arcfour: 12 sec 8.3Mbps
> >
> > -d
> >
> >

From pekkas at netcore.fi Sat Oct 14 19:33:49 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Sat, 14 Oct 2000 11:33:49 +0300 (EEST)
Subject: Key exchange/selection badly broken in SNAP1014?
Message-ID:

Hello all,

It seems the overhaul on key exchange/selection broke it badly. I haven't
managed to use any other encryption method than 3des and blowfish when
connecting to SNAP -> SNAP. SNAP -> 2.2.0p1 will use arcfour etc. quite
cleanly.

What SNAP -> SNAP looks like:

---
debug: Local version string SSH-2.0-OpenSSH_2.2.0p2
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: none,zlib
debug: got kexinit: none,zlib
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
---

Anyone else see this?

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"

From djm at mindrot.org Sat Oct 14 19:51:50 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 14 Oct 2000 19:51:50 +1100 (EST)
Subject: Key exchange/selection badly broken in SNAP1014?
In-Reply-To:
Message-ID:

On Sat, 14 Oct 2000, Pekka Savola wrote:

> Hello all,
>
> It seems the overhaul on key exchange/selection broke it badly. I
> haven't managed to use any other encryption method than 3des and
> blowfish when connecting to SNAP -> SNAP. SNAP -> 2.2.0p1 will use
> arcfour etc. quite cleanly.

Snap->snap works fine for me:

[djm at mothra openssh]$ ssh -v -2 -o "Ciphers rijndael128-cbc,arcfour" mothra
SSH Version OpenSSH_2.2.0p2, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /home/djm/.ssh/config
debug: cipher ok: rijndael128-cbc [rijndael128-cbc,blowfish-cbc]
debug: cipher ok: blowfish-cbc [rijndael128-cbc,blowfish-cbc]
debug: ciphers ok: [rijndael128-cbc,blowfish-cbc]
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 500 geteuid 0 anon 0
debug: Connecting to mothra [203.44.118.225] port 22.
debug: Seeding random number generator
debug: Allocated local port 973.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.2.0p2
debug: no match: OpenSSH_2.2.0p2
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.2.0p2
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: none,zlib
debug: got kexinit: none,zlib
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: server->client rijndael128-cbc hmac-sha1 zlib
debug: kex: client->server rijndael128-cbc hmac-sha1 zlib

-d

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From pekkas at netcore.fi Sat Oct 14 21:06:55 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Sat, 14 Oct 2000 13:06:55 +0300 (EEST)
Subject: Key exchange/selection badly broken in SNAP1014? [works]
In-Reply-To:
Message-ID:

On Sat, 14 Oct 2000, Damien Miller wrote:

> On Sat, 14 Oct 2000, Pekka Savola wrote:
>
> > Hello all,
> >
> > It seems the overhaul on key exchange/selection broke it badly. I
> > haven't managed to use any other encryption method than 3des and
> > blowfish when connecting to SNAP -> SNAP. SNAP -> 2.2.0p1 will use
> > arcfour etc. quite cleanly.
>
> Snap->snap works fine for me:

Oh. I see that 'Cipher' only supports 3des/blowfish, while Ciphers is
meant for SSH2 operation. Should there be a note, like, 'This is meant to
be used with SSH1 protocol' on the man page?

There are a few other issues:

1) if you connect using 'ssh otherhost' rather than 'ssh
otherhost.yourdomain', now OpenSSH will add second host key 'otherhost' to
known_hosts2. Before, it wouldn't do that. Is this intentional?

2) 'ssh -h' prints out:

  -c cipher   Select encryption algorithm: ``3des'', ``blowfish''

I'm not sure if it's better to say check the man page for algorithms or
make a bigger list here. Also, the man page doesn't mention aes or
rijndael.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"

From pekkas at netcore.fi Sat Oct 14 21:10:15 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Sat, 14 Oct 2000 13:10:15 +0300 (EEST)
Subject: Cipher 'none'
In-Reply-To:
Message-ID:

On Sat, 14 Oct 2000, Damien Miller wrote:

> Seriously, some of the ciphers offered by SSH2 are pretty fast. These
> are the times it took to scp a 100Mb file to /dev/null via ssh2 over
> localhost:
>
> P166
>
> 3des-cbc: 232 sec 431kbps
> blowfish-cbc: 90 sec 1.1Mbps
> arcfour: 71 sec 1.4Mbps
>
> P3/700
>
> 3des-cbc: 47 sec 2.1Mbps
> blowfish-cbc: 18 sec, 5.5Mbps
> cast128-cbc: 18 sec, 5.5Mbps
> arcfour: 12 sec 8.3Mbps

I did similar tests on my P2/266 system to see how fast aes128-cbc and
rijndael128-cbc were. These were conducted with a 10 MB data off
/dev/urandom:

  arcfour          3.1 MB/s
  blowfish-cbc     2.2 MB/s
  cast128-cbc      2.1 MB/s
  aes128-cbc       1.6 MB/s
  rijndael128-cbc  1.6 MB/s
  3des-cbc         0.8 MB/s

(I timed scp to localhost using an empty file to get the authentication
overhead, then timed with the real file)

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"

From markus.friedl at informatik.uni-erlangen.de Sat Oct 14 21:19:01 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 14 Oct 2000 12:19:01 +0200
Subject: Key exchange/selection badly broken in SNAP1014? [works]
In-Reply-To: ; from pekkas@netcore.fi on Sat, Oct 14, 2000 at 01:06:55PM +0300
References:
Message-ID: <20001014121901.B18195@folly>

On Sat, Oct 14, 2000 at 01:06:55PM +0300, Pekka Savola wrote:
> On Sat, 14 Oct 2000, Damien Miller wrote:
>
> > On Sat, 14 Oct 2000, Pekka Savola wrote:
> >
> > > Hello all,
> > >
> > > It seems the overhaul on key exchange/selection broke it badly. I
> > > haven't managed to use any other encryption method than 3des and
> > > blowfish when connecting to SNAP -> SNAP. SNAP -> 2.2.0p1 will use
> > > arcfour etc. quite cleanly.
> >
> > Snap->snap works fine for me:
>
>
> Oh. I see that 'Cipher' only supports 3des/blowfish, while Ciphers is
> meant for SSH2 operation. Should there be a note, like, 'This is meant to
> be used with SSH1 protocol' on the man page?

i'll fix this, too.

> There are a few other issues:
>
> 1) if you connect using 'ssh otherhost' rather than 'ssh
> otherhost.yourdomain', now OpenSSH will add second host key 'otherhost' to
> known_hosts2. Before, it wouldn't do that. Is this intentional?

i removed the canonicalization of the given hostname due to popular
demand. perhaps this should be noted in the snapshot changelog.

> 2) 'ssh -h' prints out:
>
> -c cipher Select encryption algorithm: ``3des'', ``blowfish''
>
> I'm not sure if it's better to say check the man page for algorithms or
> make a bigger list here. Also, the man page doesn't mention aes or
> rijndael.

yes, this needs to be fixed.

From epa98 at doc.ic.ac.uk Sat Oct 14 22:15:51 2000
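The debug output in the two "Key exchange/selection" messages above shows the server's KEXINIT name-lists and the algorithms that were finally chosen. Here is an added example (not OpenSSH code and not part of the thread) that parses those "got kexinit:" lines and applies the SSH2 negotiation rule, first entry of the client's list that the server also offers, per name-list; the client preference lists are assumed to mirror the "Ciphers rijndael128-cbc,blowfish-cbc" configuration visible in Damien's log, and the debug lines are constructed copies of the ones in the thread. It also shows why the SSH1-only 'Cipher' keyword and a client that insists on 'none' have no effect on, or cannot complete, an SSH2 negotiation.

```python
"""SSH2 algorithm negotiation from 'got kexinit:' debug lines.

Added example, not OpenSSH code. The ten name-lists in a KEXINIT packet
arrive in this fixed order (RFC 4253 section 7.1); for each one the chosen
algorithm is the first entry of the client's list that also appears in
the server's list.
"""
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

# The SSH1-only 'Cipher' keyword accepts just these and never enters the
# SSH2 lists below, which is the confusion resolved in the thread.
SSH1_CIPHERS = ("3des", "blowfish")


def parse_kexinit(debug_lines):
    """Collect the ten 'got kexinit:' name-lists into {field: [names]}."""
    lists = [ln.split("got kexinit:", 1)[1].strip()
             for ln in debug_lines if "got kexinit:" in ln]
    if len(lists) != len(FIELDS):
        raise ValueError("expected %d name-lists, got %d"
                         % (len(FIELDS), len(lists)))
    return {f: [a for a in v.split(",") if a] for f, v in zip(FIELDS, lists)}


def choose(client_list, server_list):
    """First client preference the server also offers, else None."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def negotiate(client_prefs, server_lists):
    """Chosen algorithm per field; ValueError when a list has no match,
    which is the 'no matching cipher' failure a client with only 'none'
    would hit against the server above."""
    chosen = {}
    for field in FIELDS:
        if field.startswith("lang"):
            continue                  # empty language lists are normal
        alg = choose(client_prefs[field], server_lists[field])
        if alg is None:
            raise ValueError("no matching %s: client %s, server %s"
                             % (field, client_prefs[field], server_lists[field]))
        chosen[field] = alg
    return chosen


# Constructed copy of the server's KEXINIT as logged in the thread.
SERVER_DEBUG = """\
debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160@openssh.com
debug: got kexinit: none,zlib
debug: got kexinit: none,zlib
debug: got kexinit:
debug: got kexinit:
""".splitlines()

# Assumed client proposal: 'Ciphers rijndael128-cbc,blowfish-cbc' plus
# defaults for the rest, as in Damien's log. Compression first so that
# zlib wins, matching the logged result.
CLIENT_PREFS = {
    "kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-dss"],
    "enc_c2s": ["rijndael128-cbc", "blowfish-cbc"],
    "enc_s2c": ["rijndael128-cbc", "blowfish-cbc"],
    "mac_c2s": ["hmac-sha1", "hmac-md5"],
    "mac_s2c": ["hmac-sha1", "hmac-md5"],
    "comp_c2s": ["zlib", "none"],
    "comp_s2c": ["zlib", "none"],
}


def example():
    """Negotiation for the thread's log: rijndael128-cbc hmac-sha1 zlib."""
    return negotiate(CLIENT_PREFS, parse_kexinit(SERVER_DEBUG))


if __name__ == "__main__":
    for field, alg in example().items():
        print("%-9s %s" % (field, alg))
```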
From: epa98 at doc.ic.ac.uk (Edward Avis)
Date: Sat, 14 Oct 2000 12:15:51 +0100 (BST)
Subject: Cipher 'none'
In-Reply-To:
Message-ID:

On Sat, 14 Oct 2000, Rob Hagopian wrote:

>Secure authentication without session encryption will always have a
>legitimate niche amongst some people.
>
>Would this be enough to deter use?
>a) a configure option, and
>b) a config file option for sshd, and
>c) has to be specified on the command line for ssh, and
>d) client prints out a warning whenever no cipher is found (unless a
>   specific suppression flag is given [so it would show up even with -q])

I think a configure option is probably not necessary. The whole point is
to let the user choose whether or not to use unencrypted connections
without having to recompile. I think that two config files on two
different machines plus a warning when ssh is run would suffice.

The ultra-paranoid might want a configure option to disable any
possibility of unencrypted connections... but is there a configure option
to permanently disable FallBackToRsh?

>The downside to these protections is it's more code in more places for
>such a simple change. I think just a configure option should be enough...

At the moment I've made a one-line change to the source, and edited
ssh_config. The warning message is already in there.

One thing that does seem to be missing from sshd_config is a way to
specify what ciphers are allowed for protocol version 1.

--
Ed Avis
epa98 at doc.ic.ac.uk

From markus.friedl at informatik.uni-erlangen.de Sat Oct 14 22:38:36 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 14 Oct 2000 13:38:36 +0200
Subject: Cipher 'none'
In-Reply-To: ; from pekkas@netcore.fi on Sat, Oct 14, 2000 at 01:10:15PM +0300
References:
Message-ID: <20001014133836.A25640@folly>

> aes128-cbc 1.6 MB/s
> rijndael128-cbc 1.6 MB/s

just a note: these two ciphers are identical. it's just not clear now what
the name for the cipher in the standard will be, so we support both for
now, but it seems they will go 'aesXXX-cbc' and we will drop
'rijndaelXXX-cbc' in the future.

From Lasse.Holmqvist at uab.ericsson.se Sat Oct 14 23:12:41 2000
From: Lasse.Holmqvist at uab.ericsson.se (Lasse Holmqvist)
Date: Sat, 14 Oct 2000 14:12:41 +0200
Subject: Compile error rijndael on Solaris 2.6 (and fix)
Message-ID: <39E84DB9.85282C4E@uab.ericsson.se>

When compiling openssh-SNAP-20001014 on Solaris 2.6 with gcc 2.95.2 I get:

In file included from rijndael.c:42:
rijndael.h:6: parse error before `u1byte'
and a lot more warnings and errors...

Solved by adding
#include "config.h"
in rijndael.c

Lasse Holmqvist

From djm at mindrot.org Sat Oct 14 23:26:20 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 14 Oct 2000 23:26:20 +1100 (EST)
Subject: Compile error rijndael on Solaris 2.6 (and fix)
In-Reply-To: <39E84DB9.85282C4E@uab.ericsson.se>
Message-ID:

On Sat, 14 Oct 2000, Lasse Holmqvist wrote:

>
> When compiling openssh-SNAP-20001014 on Solaris 2.6 with
> gcc 2.95.2 I get:
>
> In file included from rijndael.c:42:
> rijndael.h:6: parse error before `u1byte'
> and a lot more warnings and errors...
>
> Solved by adding
> #include "config.h"
> in rijndael.c

Thanks - fixed:

Index: rijndael.c
===================================================================
RCS file: /var/cvs/openssh/rijndael.c,v
retrieving revision 1.1
diff -u -r1.1 rijndael.c
--- rijndael.c	2000/10/14 05:23:12	1.1
+++ rijndael.c	2000/10/14 12:25:58
@@ -38,7 +38,7 @@
  */
 
-#include
+#include "includes.h"
 #include "rijndael.h"
 
 void gen_tabs __P((void));
Index: rijndael.h
===================================================================
RCS file: /var/cvs/openssh/rijndael.h,v
retrieving revision 1.1
diff -u -r1.1 rijndael.h
--- rijndael.h	2000/10/14 05:23:12	1.1
+++ rijndael.h	2000/10/14 12:25:58
@@ -1,6 +1,8 @@
 #ifndef _RIJNDAEL_H_
 #define _RIJNDAEL_H_
 
+#include "includes.h"
+
 /* 1. Standard types for AES cryptography source code */
 
 typedef u_int8_t u1byte; /* an 8 bit unsigned character type */

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From djm at mindrot.org Sat Oct 14 23:30:08 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 14 Oct 2000 23:30:08 +1100 (EST)
Subject: Cipher 'none'
In-Reply-To:
Message-ID:

On Sat, 14 Oct 2000, Pekka Savola wrote:

> I did similar tests on my P2/266 system to see how fast aes128-cbc and
> rijndael128-cbc were. These were conducted with a 10 MB data off
> /dev/urandom:

You are probably better off using a 10Mb hole, so disk IO and buffer
caches don't affect the results. This is what I use:

/* The header names were lost from the archived copy of this program;
 * these are the ones the calls below need. */
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>

int main(void)
{
	int f;
	char c = 0;

	/* O_CREAT requires a mode argument (missing in the archived copy). */
	f = open("hole", O_RDWR|O_CREAT|O_TRUNC, 0644);
	if (f < 0)
		exit(1);
	/* Seek to the last byte of a 10Mb range and write a single byte:
	 * the bytes before it are never written, so they read back as
	 * zeros without ever touching the disk. */
	lseek(f, (10*1024*1024) - 1, SEEK_CUR);
	write(f, &c, 1);
	close(f);
	exit(0);
}

> (I timed scp to localhost using an empty file to get the authentication
> overhead, then timed with the real file)

I just used the number of seconds reported by scp, so your methodology is
probably a bit better here :)

-d

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From stevesk at sweden.hp.com Sun Oct 15 01:20:14 2000
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Sat, 14 Oct 2000 16:20:14 +0200 (CEST)
Subject: Expired passwords & PAM
In-Reply-To:
Message-ID: <200010141410.QAA21378@b0fh.sweden.hp.com>

On Wed, 11 Oct 2000, Peter Astrand wrote:
: Currently, OpenSSH prints the message:
:
: "Warning: You password has expired, please change it now"
:
: if the password has expired. It would be nice if the user could/had to
: change password before continuing, like with Linux console login. I've
: tried to make an patch, but it doesn't work. Ideas?

Can you try the latest snapshot? There was a patch that went in
post-2.2.0p1 to add support for this.

btw, what messages do other PAM implementations add when a password
expires? Below is HP-UX 11.0 (with an unreleased libpam patch to get it
working). As you see PAM adds "Your password has expired.", which makes
the message ssh adds somewhat redundant. What about "Please change your
password now." for NEW_AUTHTOK_MSG?

[stevesk at jenny stevesk]$ ssh -p24 robinson
Last successful login for stevesk: Sat Oct 14 14:11:52 MET-1METDST 2000 on pts/4
Last unsuccessful login for stevesk: Sat Oct 14 13:15:33 MET-1METDST 2000 on pts/ta
Your password has expired.
Warning: Your password has expired, please change it now
Changing password for stevesk
Old password:
Last successful password change for stevesk: NEVER
Last unsuccessful password change for stevesk: Sat Oct 14 13:14:34 2000

Do you want (choose one letter only):
        pronounceable passwords generated for you (g)
        a string of letters generated (l) ?
        to pick your passwords (p) ?

Enter choice here: p
New password:
Re-enter new password:
Passwd successfully changed
Last login: Sat Oct 14 14:11:52 2000 from jenny.foo

From stevesk at sweden.hp.com Sun Oct 15 01:23:51 2000
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Sat, 14 Oct 2000 16:23:51 +0200 (CEST)
Subject: scp -L option
In-Reply-To:
Message-ID: <200010141414.QAA21411@b0fh.sweden.hp.com>

On Wed, 11 Oct 2000, Pekka Savola wrote:
: Rather, use "UsePrivilegedPort no" in ssh_config instead, or remove the
: setuid bit from ssh binary.

Note that recent snapshots also have a --disable-suid-ssh configure
option.

From Lutz.Jaenicke at aet.TU-Cottbus.DE Sun Oct 15 01:47:59 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Sat, 14 Oct 2000 16:47:59 +0200
Subject: snapshot-20001014: HP-UX 10.20 success and some remarks
Message-ID: <20001014164759.A3665@serv01.aet.tu-cottbus.de>

Hi!

after applying the rijndael patch ("includes.h") snap-20001014 compiles
on HP-UX 10.20, some login/logout/scp connections with other OpenSSH
hosts seem to work.

There is a minor correction for Configure:
- At the summary, the location for ask-pass is still
  .../libexec/ssh/ssh-askpass
  while it is compiled in as .../libexec/ssh-askpass

I also just noted (I never cared to look onto that in detail), that the
date of last login printed just on top does not show the last login but
the actual one. This is already true for 2.2.0p1, don't know about older
versions.

Platform: hppa2.0-hp-hpux10.20

Best regards,
	Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From markus.friedl at informatik.uni-erlangen.de Sun Oct 15 03:47:27 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 14 Oct 2000 18:47:27 +0200
Subject: scp -L option
In-Reply-To: <200010141414.QAA21411@b0fh.sweden.hp.com>; from stevesk@sweden.hp.com on Sat, Oct 14, 2000 at 04:23:51PM +0200
References: <200010141414.QAA21411@b0fh.sweden.hp.com>
Message-ID: <20001014184727.B11974@folly>

On Sat, Oct 14, 2000 at 04:23:51PM +0200, Kevin Steves wrote:
> On Wed, 11 Oct 2000, Pekka Savola wrote:
> : Rather, use "UsePrivilegedPort no" in ssh_config instead, or remove the
> : setuid bit from ssh binary.
> 
> Note that recent snapshots also have a --disable-suid-ssh configure
> option.

or you can use 'scp -o UsePrivilegedPort=no'

From stevesk at sweden.hp.com Sun Oct 15 04:42:03 2000
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Sat, 14 Oct 2000 19:42:03 +0200 (MEST)
Subject: snapshot-20001014: HP-UX 10.20 success and some remarks
In-Reply-To: <20001014164759.A3665@serv01.aet.tu-cottbus.de>
Message-ID: 

On Sat, 14 Oct 2000, Lutz Jaenicke wrote:
: There is a minor correction for Configure:
: - At the summary, the location for ask-pass is still
:   .../libexec/ssh/ssh-askpass
:   while it is compiled in as .../libexec/ssh-askpass

Thanks, fixed now.

: I also just noted (I never cared to look at that in detail), that the
: date of last login printed just on top does not show the last login
: but the actual one. This is already true for 2.2.0p1, don't know about
: older versions.

Hmm, works fine on 11.0. I glanced at the code and didn't see anything that would cause this, so more investigation is needed. My OpenBSD system with 2.2.0 seems to be doing this as well, so I may be missing something obvious. Can you try to debug on your end?

From stuge at cdy.org Sun Oct 15 05:17:30 2000
From: stuge at cdy.org (Peter Stuge)
Date: Sat, 14 Oct 2000 20:17:30 +0200
Subject: last login time, was: snapshot-20001014: HP-UX 10.20 success and some remarks
In-Reply-To: ; from stevesk@sweden.hp.com on Sat, Oct 14, 2000 at 07:42:03PM +0200
References: <20001014164759.A3665@serv01.aet.tu-cottbus.de>
Message-ID: <20001014201730.F14062@foo.birdnet.se>

On Sat, Oct 14, 2000 at 07:42:03PM +0200, Kevin Steves wrote:
> : I also just noted (I never cared to look at that in detail), that the
> : date of last login printed just on top does not show the last login
> : but the actual one. This is already true for 2.2.0p1, don't know about
> : older versions.
> 
> Hmm, works fine on 11.0. I glanced at the code and didn't see anything
> that would cause this, so more investigation is needed. My OpenBSD
> system with 2.2.0 seems to be doing this as well, so I may be missing
> something obvious. Can you try to debug on your end?

When checking out the code this behaviour is what you'd expect, it's not what we want, however.

The problem (in 2.2.0p1) was in session.c:662; record_login(), which calls login_login() which calls login_write() which stores the current login in lastlog/utmp/whatever, is called before get_last_login_time(), which does its job and tells us the last recorded login time.

I just downloaded SNAP-20001014 and this has been fixed there. Twice. (?) Patch cleans this up.

--- session.c.old Sat Oct 14 20:12:38 2000 +++ session.c Sat Oct 14 20:12:09 2000 @@ -708,10 +708,6 @@ } /* Get the time and hostname when the user last logged in. */ - last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name, - hostname, sizeof(hostname)); - - /* Get the time and hostname when the user last logged in. */ hostname[0] = '\0'; last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name, hostname, sizeof(hostname));

//Peter
-- 
irc: CareBear\  tel: +46-40-914420
irl: Peter Stuge  gsm: +46-705-783805

From stevesk at sweden.hp.com Sun Oct 15 05:33:57 2000
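Review bot: the session.c hunk removes the duplicated get_last_login_time() call but carries none of the context that matters for the bug described in the message, so it does not by itself establish the ordering fix; the surviving call (the one after hostname[0] = '\0') must still run before record_login(), since record_login() writes the current session into lastlog via login_login()/login_write() and a call made after it returns the current login rather than the previous one. Worth confirming that ordering in the SNAP-20001014 tree before committing only the de-duplication.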
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Sat, 14 Oct 2000 20:33:57 +0200 (MEST)
Subject: last login time, was: snapshot-20001014: HP-UX 10.20 success and some remarks
In-Reply-To: <20001014201730.F14062@foo.birdnet.se>
Message-ID: 

On Sat, 14 Oct 2000, Peter Stuge wrote:
: When checking out the code this behaviour is what you'd expect, it's not
: what we want, however. The problem (in 2.2.0p1) was in session.c:662;
: record_login(), which calls login_login() which calls login_write() which
: stores the current login in lastlog/utmp/whatever, is called before
: get_last_login_time(), which does its job and tells us the last recorded
: login time.
:
: I just downloaded SNAP-20001014 and this has been fixed there. Twice. (?)
: Patch cleans this up.

Thanks, I had spotted the duplicate call and fixed it while looking into this. Lutz, are you really seeing this with SNAP-20001014?

From chenda at cs.unc.edu Sun Oct 15 05:32:07 2000
From: chenda at cs.unc.edu (Daniel T. Chen)
Date: Sat, 14 Oct 2000 14:32:07 -0400 (EDT)
Subject: Snapshot
In-Reply-To: 
Message-ID: 

openssh-SNAP-20001014.tar.gz configures, compiles, and installs fine from tarball on this x86 SuSE 6.4 GNU/Linux system:

Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -I. -I. -I/usr/local/ssl/include
Linker flags: -L/usr/local/ssl/lib -L/usr/local/ssl
Libraries: -ldl -lnsl -lz -lutil -lpam -lcrypto -lwrap

dtc
---
Daniel T. Chen | chenda at cs.unc.edu

On Sat, 14 Oct 2000, Damien Miller wrote:
> Another snapshot for your enjoyment and testing.
> 
> There is one known problem: SSH2 sessions do not exit if there are
> backgrounded processes with open std{in,out,err} fds.
> 
> This release includes several large changes from the OpenBSD team:
> 
> - ssh-keygen -X now reads private ssh.com DSA keys (Markus Friedl)
> - Interop with ssh.com ssh-agent2 (res at shore.net)
> - Initial implementation of DH group exchange
>   draft-provos-secsh-dh-group-exchange-00.txt (Niels Provos,
>   Uni. Windsor)
> - Support "scp -o ssh-opt" (Markus Friedl and Ben Lindstrom)
> - Add SKEY support to SSH2 using kbd-interactive auth method
>   (mkiernan at avantgo.com and Markus Friedl)
> - Allow single-DES for SSH1 clients (used to connect to Cisco
>   routers) (Markus Friedl)
> - rijndael/aes support (Markus Friedl)
> 
> Enjoy.
> 
> -d

From mouring at pconline.com Sun Oct 15 05:41:28 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Sat, 14 Oct 2000 13:41:28 -0500 (CDT)
Subject: regex libraries and NeXT.
In-Reply-To: 
Message-ID: 

compat.c just moved to regular expressions, and NeXT lacks any real implementation (yes we have regex.h, but it's very pre-posix =).

Outside of rx-1.5.tar.gz from FSF, does anyone have any suggestion of a better library to detect and use if the base OS lacks any real regex implementation?

- Ben

From maf at appgate.com Sun Oct 15 06:26:28 2000
From: maf at appgate.com (Martin Forssen)
Date: Sat, 14 Oct 2000 21:26:28 +0200 (MEST)
Subject: Cipher 'none'
In-Reply-To: 
Message-ID: 

On Sat, 14 Oct 2000, Damien Miller wrote:
> On Sat, 14 Oct 2000, Pekka Savola wrote:
> > I did similar tests on my P2/266 system to see how fast aes128-cbc and
> > rijndael128-cbc were. These were conducted with a 10 MB data off
> > /dev/urandom:
> 
> You are probably better off using 10Mb hole, so disk IO and buffer
> caches don't affect the results. This is what I use:

One has to be very careful when comparing results like this. There are many factors which affect the results a great deal. For example the OS is very important in this case.

I did some performance measurements between different versions of ssh and one setup I tried initially was to run the following on one machine (linux with 2.2.12 kernel):

ttcp -t --> ssh -L --> sshd -> ttcp -r

(i.e. a test of portforward performance on one machine). This test got a really awful result, a couple of magnitudes worse than I expected. I then tried the same thing on a SunOS 5.6 machine and got the expected result, i.e. two orders of magnitude faster than the linux one.

The lesson I learned here was that the client OS can really affect things (in this case I suspect the scheduling code in linux sucks).

What I am trying to say here is that in order to be able to compare performance results one must have identical environments (hardware and software) in which the measurements are taken.

/MaF

PS The one thing I did find out about ssh2 performance is that the window sizes for the channel flow control are really important and openssh had a bug which really hurt performance (this bug was fixed some time ago).

From pekkas at netcore.fi Sun Oct 15 06:48:53 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Sat, 14 Oct 2000 22:48:53 +0300 (EEST)
Subject: Snapshot
In-Reply-To: 
Message-ID: 

On Sat, 14 Oct 2000, Damien Miller wrote:
> Another snapshot for your enjoyment and testing.

A few more comments:

1) It seems the (non-working) fix for 'sleep 60 & ; exit' bug was reverted. Good. A new solution to the original problem has to be found -- IMO it's not a show-stopper though.

2) I've added condrestart for Red Hat spec file; because in RHL7 all daemons do that. In the spec file, sshd restart could be changed to use condrestart too, if preferred.

-- 
Pekka Savola  "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi  not those you stumble over and fall"

-------------- next part --------------
--- sshd.orig Sat Oct 14 10:43:10 2000 +++ sshd Sat Oct 14 15:58:01 2000 @@ -81,12 +81,19 @@ $0 start RETVAL=$? ;; + condrestart) + if [ -f /var/lock/subsys/sshd ] ; then + $0 stop + $0 start + RETVAL=$? + fi + ;; status) status sshd RETVAL=$? ;; *) - echo "Usage: sshd {start|stop|restart|status}" + echo "Usage: sshd {start|stop|restart|condrestart|status}" exit 1 ;; esac

From Lutz.Jaenicke at aet.TU-Cottbus.DE Sun Oct 15 07:23:41 2000
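Review bot: in the condrestart branch RETVAL is assigned only inside the if, so when /var/lock/subsys/sshd is absent the script falls through with whatever RETVAL held before, and nothing in this hunk shows it being initialised; add RETVAL=0 ahead of the test (or an else branch) so a no-op condrestart, which is exactly what an rpm upgrade of a stopped sshd will run, exits 0. Also, as in the existing restart branch whose tail is visible above it, a failing `$0 stop` is ignored and `$0 start` runs anyway; acceptable for parity, but worth noting since condrestart is the path packaging scripts rely on.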
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Sat, 14 Oct 2000 22:23:41 +0200
Subject: last login time, was: snapshot-20001014: HP-UX 10.20 success and some remarks
In-Reply-To: ; from stevesk@sweden.hp.com on Sat, Oct 14, 2000 at 08:33:57PM +0200
References: <20001014201730.F14062@foo.birdnet.se>
Message-ID: <20001014222341.A5716@serv01.aet.tu-cottbus.de>

On Sat, Oct 14, 2000 at 08:33:57PM +0200, Kevin Steves wrote:
> Thanks, I had spotted the duplicate call and fixed it while looking into
> this. Lutz, are you really seeing this with SNAP-20001014?

Rechecked. It is gone with SNAP-20001014.

Thanks,
Lutz
-- 
Lutz Jaenicke  Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus  http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153

From howarth at bromo.med.uc.edu Sun Oct 15 11:23:49 2000
From: howarth at bromo.med.uc.edu (Jack Howarth)
Date: Sat, 14 Oct 2000 17:23:49 -0700 (PDT)
Subject: RedHat 7.0 openssh-2.2.0p1-5 vs ssh 2.3.0
Message-ID: <200010150023.RAA76974@bromo.med.uc.edu>

Hello,
I am using RedHat's most recent openssh-2.2.0p1-5 srpm recompiled on Linuxppc under glibc 2.1.95/Linux 2.4-test10pre2/gcc 2.95.3(cvs). I have noticed an oddity when connecting to machines running ssh 2.3.0's sshd2 server. While the connections occur with no problem after awhile the connection fails when idle with the following error message...

Hm, dispatch protocol error: type 20 plen 136

Any idea why this is happening? Please e-mail responses to howarth at bromo.med.uc.edu since I don't read this list much.

Jack

ps Oh, is the problem with ssh 2.3.0 ssh2 clients connecting to openssh going to be fixed soon or do we have to wait for a fix in ssh v2.3.x?

From rachit at ensim.com Sun Oct 15 11:42:39 2000
From: rachit at ensim.com (Rachit Siamwalla)
Date: Sat, 14 Oct 2000 17:42:39 -0700
Subject: Cipher 'none'
References: 
Message-ID: <39E8FD7F.BF2B1A@ensim.com>

I agree with people who want the option to allow cipher "none". I use ssh primarily for its secure authentication capabilities, not necessarily for its encryption of data. I use it to do secure RPC's within a network. I don't particularly care if some evil guy breaks into my network and sees what RPC's I'm doing, I just want to make sure the evil guy cannot make those RPC's to my machines themselves. Also, some of these RPCs are data intensive, moving gigabytes of data back and forth.

Also, having the capability to allow "FallbackToRSH" is probably much worse than allowing "Cipher none" in the first place. If you guys think that ssh should not have the "Cipher none" on the grounds of being afraid of the user shooting themselves in the foot, then we definitely don't want the other option either.

-rchit

From djm at mindrot.org Sun Oct 15 11:47:02 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 15 Oct 2000 11:47:02 +1100 (EST)
Subject: regex libraries and NeXT.
In-Reply-To: 
Message-ID: 

On Sat, 14 Oct 2000, Ben Lindstrom wrote:
> compat.c just moved to regular expressions, and NeXT lacks any real
> implementation (yes we have regex.h, but it's very pre-posix =).
> 
> Outside of rx-1.5.tar.gz from FSF, does anyone have any suggestion of
> a better library to detect and use if the base OS lacks any real regex
> implementation?

PCRE[1] is an excellent library, but it may be overkill for what you need. Then again, you will probably be needing regex code for other things as well.

You will need to add some configure glue to only detect and use pcreposix.h and libpcreposix.a if a system regex library is not present.

-d

[1] ftp://ftp.cus.cam.ac.uk/pub/software/programs/pcre/

-- 
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From djm at mindrot.org Sun Oct 15 11:51:52 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 15 Oct 2000 11:51:52 +1100 (EST)
Subject: RedHat 7.0 openssh-2.2.0p1-5 vs ssh 2.3.0
In-Reply-To: <200010150023.RAA76974@bromo.med.uc.edu>
Message-ID: 

On Sat, 14 Oct 2000, Jack Howarth wrote:
> Hello,
> I am using RedHat's most recent openssh-2.2.0p1-5 srpm recompiled
> on Linuxppc under glibc 2.1.95/Linux 2.4-test10pre2/gcc 2.95.3(cvs).
> I have noticed an oddity when connecting to machines running ssh
> 2.3.0's sshd2 server. While the connections occur with no problem
> after awhile the connection fails when idle with the following
> error message...
> 
> Hm, dispatch protocol error: type 20 plen 136
> 
> Any idea why this is happening? Please e-mail responses to
> howarth at bromo.med.uc.edu since I don't read this list much.

Is there a masquerading firewall or other NAT device between the two hosts? You may be a victim of NAT timeouts.

> ps Oh, is the problem with ssh 2.3.0 ssh2 clients connecting
> to openssh going to be fixed soon or do we have to wait for
> a fix in ssh v2.3.x?

Have you tried the snapshot at http://www.mindrot.org/misc/openssh

-d

-- 
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From res at shore.net Sun Oct 15 15:18:51 2000
From: res at shore.net (Richard E. Silverman)
Date: Sun, 15 Oct 2000 00:18:51 -0400 (EDT)
Subject: RedHat 7.0 openssh-2.2.0p1-5 vs ssh 2.3.0
In-Reply-To: <200010150023.RAA76974@bromo.med.uc.edu>
Message-ID: 

On Sat, 14 Oct 2000, Jack Howarth wrote:
> Hello,
> I am using RedHat's most recent openssh-2.2.0p1-5 srpm recompiled
> on Linuxppc under glibc 2.1.95/Linux 2.4-test10pre2/gcc 2.95.3(cvs).
> I have noticed an oddity when connecting to machines running ssh
> 2.3.0's sshd2 server. While the connections occur with no problem
> after awhile the connection fails when idle with the following
> error message...
> 
> Hm, dispatch protocol error: type 20 plen 136
> 
> Any idea why this is happening?

The "awhile" will be exactly an hour from the start of the session, regardless of whether it's idle. The problem is that ssh-2.3.0 implements session re-keying, and OpenSSH does not. The default rekey interval is 1 hour, and the OpenSSH client dies when it gets the rekey request. The rekey is not optional (the client can't refuse to do it), so until OpenSSH does rekeying, the only way to avoid this is to turn off rekeying in the server: set RekeyIntervalSeconds to 0.

-- 
Richard Silverman
slade at shore.net

From res at shore.net Sun Oct 15 15:27:16 2000
From: res at shore.net (Richard E. Silverman)
Date: Sun, 15 Oct 2000 00:27:16 -0400 (EDT)
Subject: Cipher 'none'
In-Reply-To: <39E8FD7F.BF2B1A@ensim.com>
Message-ID: 

On Sat, 14 Oct 2000, Rachit Siamwalla wrote:
> I agree with people who want the option to allow cipher "none"...
> I just want to make sure the evil guy cannot make those RPC's to my
> machines themselves ...
> Also, having the capability to allow "FallbackToRSH" is probably much
> worse than allowing "Cipher none" in the first place.

FallBackToRsh is only an option with SSH-1. As I mentioned earlier in this thread, without encryption, both server authentication and integrity checking are ineffective in the SSH-1 protocol, so there's not much point in using SSH at all at that point. With SSH-2, it is at least a viable option, if you truly don't care about confidentiality.

-- 
Richard Silverman
slade at shore.net

From rob at hagopian.net Sun Oct 15 18:44:50 2000
From: rob at hagopian.net (Rob Hagopian)
Date: Sun, 15 Oct 2000 03:44:50 -0400 (EDT)
Subject: Cipher 'none'
In-Reply-To: 
Message-ID: 

Exactly. I care about security, not confidentiality. And getting home in time for season premieres... I think ssh is the best, and easiest, way to do this... :-)

-Rob

On Sun, 15 Oct 2000, Richard E. Silverman wrote:
> With SSH-2, it is at least a viable option, if you truly don't care about
> confidentiality.

From markus.friedl at informatik.uni-erlangen.de Mon Oct 16 02:28:04 2000
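Richard's distinction above (SSH-1 integrity is an unkeyed CRC, so with no cipher anyone on the wire can rewrite a packet and recompute it; SSH-2 integrity is a MAC keyed from the key exchange, which an attacker without the key cannot recompute) can be shown in a few lines. The Python below is an added example for this archive, not OpenSSH code. Its framing is a simplification: zlib's CRC-32 stands in for SSH-1's own CRC-32 variant (the argument is the same for any unkeyed checksum), HMAC-SHA1 over a sequence number plus payload stands in for the SSH-2 MAC, and the command string, MAC key and sequence number are constructed for the demonstration.

```python
"""Unkeyed CRC versus keyed MAC under cipher "none".

Added example, not OpenSSH code.  SSH-1 appends an unkeyed CRC-32 to each
packet (zlib's CRC-32 stands in for SSH-1's own variant); SSH-2 appends a MAC
keyed from the key exchange (HMAC-SHA1 over seq || payload stands in for it).
The key, command string and sequence number below are constructed.
"""
import hashlib
import hmac
import struct
import zlib

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for hmac-sha1
CRC_LEN = 4


def ssh1_pack(payload: bytes) -> bytes:
    """SSH-1-style framing: payload || CRC-32(payload).  No secret involved."""
    return payload + struct.pack(">I", zlib.crc32(payload) & 0xFFFFFFFF)


def ssh1_verify(packet: bytes):
    """Receiver-side check for the SSH-1-style frame.  Returns (ok, payload)."""
    payload, (crc,) = packet[:-CRC_LEN], struct.unpack(">I", packet[-CRC_LEN:])
    return (zlib.crc32(payload) & 0xFFFFFFFF) == crc, payload


def _mac(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    return hmac.new(mac_key, struct.pack(">I", seq) + payload, hashlib.sha1).digest()


def ssh2_pack(payload: bytes, mac_key: bytes, seq: int) -> bytes:
    """SSH-2-style framing: payload || HMAC(key, seq || payload)."""
    return payload + _mac(mac_key, seq, payload)


def ssh2_verify(packet: bytes, mac_key: bytes, seq: int):
    """Receiver-side check for the SSH-2-style frame.  Returns (ok, payload)."""
    payload, tag = packet[:-MAC_LEN], packet[-MAC_LEN:]
    return hmac.compare_digest(tag, _mac(mac_key, seq, payload)), payload


def attacker_rewrite(packet: bytes, trailer_len: int, old: bytes, new: bytes) -> bytes:
    """Active attacker on an unencrypted link rewrites part of the payload.

    Everything on the wire is readable and writable, so an unkeyed trailer is
    simply recomputed.  A keyed trailer cannot be recomputed without the key;
    leaving the stale tag in place is the best this attacker can do.
    """
    payload, trailer = packet[:-trailer_len], packet[-trailer_len:]
    if old not in payload:
        raise ValueError("constructed example expects the target string in the payload")
    payload = payload.replace(old, new, 1)
    if trailer_len == CRC_LEN:
        return ssh1_pack(payload)      # recompute the CRC exactly as a sender would
    return payload + trailer           # keyed MAC: stale tag, no key to fix it


def demo():
    """Push the same rewrite through both framings; return what each receiver accepts."""
    # Constructed sample: a command carried inside the session, as an RPC over ssh might send.
    command = b"rsync --server --sender /export/data"
    old, new = b"/export/data", b"/etc/shadow"

    # SSH-1 with cipher "none": the rewritten command passes the integrity check.
    ok1, got1 = ssh1_verify(attacker_rewrite(ssh1_pack(command), CRC_LEN, old, new))

    # SSH-2 with cipher "none" but a MAC key the attacker never saw.
    key = hashlib.sha256(b"constructed shared secret from the key exchange").digest()
    ok2, _ = ssh2_verify(attacker_rewrite(ssh2_pack(command, key, 7), MAC_LEN, old, new), key, 7)

    # Sanity check: the untouched SSH-2 frame still verifies.
    ok_clean, _ = ssh2_verify(ssh2_pack(command, key, 7), key, 7)
    return {
        "ssh1_accepts_tampered": ok1,
        "ssh1_payload_seen_by_server": got1,
        "ssh2_accepts_tampered": ok2,
        "ssh2_accepts_clean": ok_clean,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The SSH-1 receiver accepts the rewritten command because the CRC it checks is a function of the bytes it just received and nothing else; the SSH-2 receiver rejects the same rewrite because the tag depends on a key negotiated during the key exchange, independently of whether a cipher was chosen. That is the property Richard is relying on when he calls "none" viable for SSH-2 and pointless for SSH-1.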
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 15 Oct 2000 17:28:04 +0200
Subject: [PATCH]: Add tcp_wrappers protection to port forwarding
In-Reply-To: <20001008112945.A2620@cygnus.com>; from cgf@cygnus.com on Sun, Oct 08, 2000 at 11:29:45AM -0400
References: <39DF9857.F3455BD@cygnus.com> <20001008161913.B30167@folly> <20001008112945.A2620@cygnus.com>
Message-ID: <20001015172804.B6000@folly>

On Sun, Oct 08, 2000 at 11:29:45AM -0400, Chris Faylor wrote:
> >why should a client program read /etc/hosts.allow?
> 
> Probably it shouldn't. I didn't know of any way to avoid this, however.

the problem is that if you want to use -L in your client, you cannot, because of /etc/hosts.allow which is under control of the sysadmin.

-m

From markus.friedl at informatik.uni-erlangen.de Mon Oct 16 02:28:52 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 15 Oct 2000 17:28:52 +0200
Subject: Incompatibility between 1.2.27 NO-RSA and openssh-latest
In-Reply-To: ; from i.palsenberg@jdimedia.nl on Sun, Oct 08, 2000 at 04:37:23PM +0200
References: <20001008161617.A30167@folly>
Message-ID: <20001015172852.C6000@folly>

hello, could you please provide 'ssh -v' and 'sshd -d' output? this makes debugging much easier for us.

-m

From i.palsenberg at jdimedia.nl Mon Oct 16 03:35:45 2000
From: i.palsenberg at jdimedia.nl (Igmar Palsenberg)
Date: Sun, 15 Oct 2000 18:35:45 +0200 (CEST)
Subject: Incompatibility between 1.2.27 NO-RSA and openssh-latest
In-Reply-To: <20001015172852.C6000@folly>
Message-ID: 

Hi,

> hello, could you please provide 'ssh -v' and 'sshd -d' output? this
> makes debugging much easier for us. -m

Problem is solved. It was reading the keys from a different location than where I expected.

Regards,

Igmar

-- 
Igmar Palsenberg
JDI Media Solutions
Jansplaats 11
6811 GB Arnhem
The Netherlands
mailto: i.palsenberg at jdimedia.nl
PGP/GPG key : http://www.jdimedia.nl/formulier/pgp/igmar

From masaaki at westvillage.org Mon Oct 16 11:39:29 2000
From: masaaki at westvillage.org (Masaaki Nishimura)
Date: Mon, 16 Oct 2000 09:39:29 +0900
Subject: openssh on solaris x86
In-Reply-To: 
References: 
Message-ID: <200010160045.e9G0jGJ07569@labokeeper.netird.ad.jp>

Damien Miller -san said:
> > debug: Local forwarding listening on 1.0.0.127 port 8888.
> 
> Very strange. Can anyone else with Solaris x86 replicate?

My Solaris7/x86 box (with OpenSSH_2.2.0p1) works fine for me.

|debug: Doing password authentication.
|masaaki at targethost's password:
|debug: Requesting compression at level 6.
|debug: Enabling compression at level 6.
|debug: Requesting pty.
|debug: Connections to local port 20025 forwarded to remote address 192.168.0.254:25
|debug: Local forwarding listening on 127.0.0.1 port 20025.
|debug: fd 7 setting O_NONBLOCK
:

But on my Solaris8/x86 box (with OpenSSH_2.2.0p1)

:
|masaaki at targethost's password:
|debug: Requesting compression at level 6.
|debug: Enabling compression at level 6.
|debug: Requesting pty.
|debug: Connections to local port 20025 forwarded to remote address 192.168.0.254:25
|debug: Local forwarding listening on 1.0.0.127 port 20025.
                                      ^^^^^^^^^
|bind: Cannot assign requested address
:

-- 
masaaki

From cmadams at hiwaay.net Mon Oct 16 08:30:04 2000
From: cmadams at hiwaay.net (Chris Adams) Date: Sun, 15 Oct 2000 16:30:04 -0500 Subject: Patch for Digital Unix SIA authentication In-Reply-To: <20000626143119.A25977@HiWAAY.net>; from cmadams@hiwaay.net on Mon, Jun 26, 2000 at 02:31:19PM -0500 References: <20000626143119.A25977@HiWAAY.net> Message-ID: <20001015163004.B10425@HiWAAY.net> A while back, I sent in a patch that added Digital Unix SIA authentication to OpenSSH. Well, I just figured out that it didn't handle everything correctly (locked accounts could still log in). I thought I had checked that, but I guess I missed it. Anyway, here is a patch against OpenSSH 2.2.0p1 that fixes this. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. -------------- next part -------------- diff -urN openssh-2.2.0p1-dist/Makefile.in openssh-2.2.0p1/Makefile.in --- openssh-2.2.0p1-dist/Makefile.in Tue Aug 22 19:46:23 2000 +++ openssh-2.2.0p1/Makefile.in Sat Oct 14 19:34:08 2000 @@ -40,7 +40,7 @@ SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o -SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o +SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8 CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh.0 sshd.0 diff -urN openssh-2.2.0p1-dist/auth-sia.c openssh-2.2.0p1/auth-sia.c --- openssh-2.2.0p1-dist/auth-sia.c Wed Dec 31 18:00:00 1969 +++ openssh-2.2.0p1/auth-sia.c Sat Oct 14 21:24:19 2000 
@@ -0,0 +1,34 @@ +#include "includes.h" + +#ifdef HAVE_OSF_SIA +#include "ssh.h" + +#include +#include + +extern int saved_argc; +extern char **saved_argv; + +int +auth_sia_password (user, pass) + char *user; + char *pass; +{ + SIAENTITY *ent = NULL; + int ret; + + if (sia_ses_init (&ent, saved_argc, saved_argv, + get_canonical_hostname(), user, NULL, 0, NULL) != SIASUCCESS) + return 0; + if ((ret = sia_ses_authent (NULL, pass, ent)) != SIASUCCESS) { + if (ret & SIASTOP) + sia_ses_release (&ent); + return 0; + } + if (sia_ses_estab (NULL, ent) != SIASUCCESS) + return 0; + sia_ses_release (&ent); + return 1; +} + +#endif /* HAVE_OSF_SIA */ diff -urN openssh-2.2.0p1-dist/auth1.c openssh-2.2.0p1/auth1.c --- openssh-2.2.0p1-dist/auth1.c Tue Aug 22 19:46:23 2000 +++ openssh-2.2.0p1/auth1.c Sat Oct 14 19:31:56 2000 @@ -18,18 +18,9 @@ #include "auth.h" #include "session.h" -#ifdef HAVE_OSF_SIA -# include -# include -#endif - /* import */ extern ServerOptions options; extern char *forced_command; -#ifdef HAVE_OSF_SIA -extern int saved_argc; -extern char **saved_argv; -#endif /* HAVE_OSF_SIA */ /* * convert ssh auth msg type into description @@ -310,11 +301,7 @@ authenticated = auth_pam_password(pw, password); #elif defined(HAVE_OSF_SIA) /* Do SIA auth with password */ - if (sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), pw->pw_name, NULL, 0, - NULL, password) == SIASUCCESS) { - authenticated = 1; - } + authenticated = auth_sia_password(pw->pw_name, password); #else /* !USE_PAM && !HAVE_OSF_SIA */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); 
@@ -508,9 +495,7 @@ #ifdef USE_PAM auth_pam_password(pw, "")) { #elif defined(HAVE_OSF_SIA) - (sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, - "") == SIASUCCESS)) { + auth_sia_password(pw->pw_name, "")) { #else /* !HAVE_OSF_SIA && !USE_PAM */ auth_password(pw, "")) { #endif /* USE_PAM */ diff -urN openssh-2.2.0p1-dist/auth2.c openssh-2.2.0p1/auth2.c --- openssh-2.2.0p1-dist/auth2.c Tue Aug 22 19:46:24 2000 +++ openssh-2.2.0p1/auth2.c Sat Oct 14 19:32:47 2000 @@ -56,11 +56,6 @@ #include "uidswap.h" #include "auth-options.h" -#ifdef HAVE_OSF_SIA -# include -# include -#endif - /* import */ extern ServerOptions options; extern unsigned char *session_id2; @@ -249,19 +244,12 @@ int ssh2_auth_none(struct passwd *pw) { -#ifdef HAVE_OSF_SIA - extern int saved_argc; - extern char **saved_argv; -#endif - packet_done(); #ifdef USE_PAM return auth_pam_password(pw, ""); #elif defined(HAVE_OSF_SIA) - return(sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, - "") == SIASUCCESS); + return auth_sia_password(pw->pw_name, ""); #else /* !HAVE_OSF_SIA && !USE_PAM */ return auth_password(pw, ""); #endif /* USE_PAM */ @@ -273,10 +261,6 @@ int authenticated = 0; int change; unsigned int len; -#ifdef HAVE_OSF_SIA - extern int saved_argc; - extern char **saved_argv; -#endif change = packet_get_char(); if (change) log("password change not supported"); 
@@ -286,9 +270,7 @@ #ifdef USE_PAM auth_pam_password(pw, password) == 1) #elif defined(HAVE_OSF_SIA) - sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), pw->pw_name, NULL, 0, - NULL, password) == SIASUCCESS) + auth_sia_password(pw->pw_name, password) == 1) #else /* !USE_PAM && !HAVE_OSF_SIA */ auth_password(pw, password) == 1) #endif /* USE_PAM */ diff -urN openssh-2.2.0p1-dist/ssh.h openssh-2.2.0p1/ssh.h --- openssh-2.2.0p1-dist/ssh.h Tue Aug 22 19:46:25 2000 +++ openssh-2.2.0p1/ssh.h Sat Oct 14 19:31:56 2000 @@ -561,4 +561,8 @@ #include "auth-pam.h" #endif /* USE_PAM */ +#ifdef HAVE_OSF_SIA +int auth_sia_password(char *user, char *pass); +#endif + #endif /* SSH_H */ From djm at mindrot.org Mon Oct 16 14:35:12 2000 
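Review bot: in the auth-sia.c hunk of Chris's patch above, the SIAENTITY obtained from sia_ses_init() is released on only one of the three failure paths: when sia_ses_authent() fails without SIASTOP set, and when sia_ses_estab() fails, auth_sia_password() returns 0 without calling sia_ses_release(&ent). Unless SIA frees the entity itself on those paths (which the SIASTOP-only release suggests it does not), every failed password attempt leaks one entity in the sshd child; route all failures after a successful sia_ses_init() through a single `sia_ses_release (&ent); return 0;` tail. The sia_ses_estab() call is the part that actually fixes the locked-account problem the message describes, so a one-line comment saying that it is there for account-status checks rather than session setup would save the next reader from removing it.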
From: djm at mindrot.org (Damien Miller)
Date: Mon, 16 Oct 2000 14:35:12 +1100 (EST)
Subject: Snapshot
Message-ID: 

This fixes a few problems since the last one and incorporates some more work from the OpenBSD team.

http://www.mindrot.org/misc/openssh/openssh-SNAP-20001016.tar.gz

Most notable are the bug fix for hanging ssh2 sessions with background processes and the new AllowTcpForwarding option.

-d

Changelog:

20001016
 - (djm) Sync with OpenBSD:
   - markus at cvs.openbsd.org 2000/10/14 04:01:15
     [cipher.c]
     debug3
   - markus at cvs.openbsd.org 2000/10/14 04:07:23
     [scp.c]
     remove spaces from arguments; from djm at mindrot.org
   - markus at cvs.openbsd.org 2000/10/14 06:09:46
     [ssh.1]
     Cipher is for SSH-1 only
   - markus at cvs.openbsd.org 2000/10/14 06:12:09
     [servconf.c servconf.h serverloop.c session.c sshd.8]
     AllowTcpForwarding; from naddy@
   - markus at cvs.openbsd.org 2000/10/14 06:16:56
     [auth2.c compat.c compat.h sshconnect2.c version.h]
     OpenSSH_2.3; note that it is not complete, but the version number
     needs to be changed for interoperability reasons
   - markus at cvs.openbsd.org 2000/10/14 06:19:45
     [auth-rsa.c]
     do not send RSA challenge if key is not allowed by key-options;
     from eivind at ThinkSec.com
   - markus at cvs.openbsd.org 2000/10/15 08:14:01
     [rijndael.c session.c]
     typos; from stevesk at sweden.hp.com
   - markus at cvs.openbsd.org 2000/10/15 08:18:31
     [rijndael.c]
     typo
 - (djm) Copy manpages back over from OpenBSD - too tedious to wade through diffs
 - (djm) Added condrestart to Redhat init script. Patch from Pekka Savola
 - (djm) Update version in Redhat spec file
 - (djm) Merge some of Nalin Dahyabhai's changes from the Redhat 7.0 spec file
20001015
 - (djm) Fix ssh2 hang on background processes at logout.
20001014
 - (stevesk) Include config.h in rijndael.c so we define intXX_t and u_intXX_t types on all platforms.
 - (stevesk) rijndael.c: cleanup missing declaration warnings.
 - (stevesk) ~/.hushlogin shouldn't cause required password change to be bypassed.
 - (stevesk) Display correct path to ssh-askpass in configure output. Report from Lutz Jaenicke.
 - (bal) Add support for realpath and getcwd for platforms with broken or missing realpath implementations for sftp-server.
 - (bal) Corrected mistake in INSTALL in regards to GNU rx library
 - (bal) Add support for GNU rx library for those lacking regexp support

-- 
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From chenda at cs.unc.edu Mon Oct 16 18:33:13 2000
From: chenda at cs.unc.edu (Daniel T. Chen)
Date: Mon, 16 Oct 2000 03:33:13 -0400 (EDT)
Subject: Snapshot
In-Reply-To: 
Message-ID: 

openssh-SNAP-20001016.tar.gz configures, compiles, installs, and runs cleanly on this x86 SuSE 6.4 GNU/Linux system. Hanging ssh2 sessions appear to have been fixed.

Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -I. -I. -I/usr/local/ssl/include
Linker flags: -L/usr/local/ssl/lib -L/usr/local/ssl
Libraries: -ldl -lnsl -lz -lutil -lpam -lcrypto -lwrap

dtc
---
Daniel T. Chen | chenda at cs.unc.edu

On Mon, 16 Oct 2000, Damien Miller wrote:
> 
> 
> This fixes a few problems since the last one and incorporates some
> more work from the OpenBSD team.
> 
> http://www.mindrot.org/misc/openssh/openssh-SNAP-20001016.tar.gz
> 
> Most notable are the bug fix for hanging ssh2 sessions with background
> processes and the new AllowTcpForwarding option.
> 
> -d

From Lutz.Jaenicke at aet.TU-Cottbus.DE Mon Oct 16 20:59:03 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Mon, 16 Oct 2000 11:59:03 +0200
Subject: Snapshot
In-Reply-To: ; from djm@mindrot.org on Mon, Oct 16, 2000 at 02:35:12PM +1100
References: 
Message-ID: <20001016115903.A3414@serv01.aet.tu-cottbus.de>

On Mon, Oct 16, 2000 at 02:35:12PM +1100, Damien Miller wrote:
> 
> 
> This fixes a few problems since the last one and incorporates some
> more work from the OpenBSD team.
> 
> http://www.mindrot.org/misc/openssh/openssh-SNAP-20001016.tar.gz
> 
> Most notable are the bug fix for hanging ssh2 sessions with background
> processes and the new AllowTcpForwarding option.

Host: hppa2.0-hp-hpux10.20
Compiler: cc
Compiler flags: -O -I. -I. -Ae -D_HPUX_SOURCE +DAportable -I/usr/local/include -I/usr/local/ssl/include
Linker flags: -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/ssl
Libraries: -lz -lsec -lcrypto -lwrap

looks fine :-)

Best regards,
Lutz
-- 
Lutz Jaenicke  Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus  http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153

From janfrode at parallab.uib.no Mon Oct 16 21:04:38 2000
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Mon, 16 Oct 2000 12:04:38 +0200
Subject: Snapshot
In-Reply-To: ; from djm@mindrot.org on Mon, Oct 16, 2000 at 02:35:12PM +1100
References: 
Message-ID: <20001016120438.A9450@ii.uib.no>

On Mon, Oct 16, 2000 at 02:35:12PM +1100, Damien Miller wrote:
> 
> http://www.mindrot.org/misc/openssh/openssh-SNAP-20001016.tar.gz
> 
> Most notable are the bug fix for hanging ssh2 sessions with background
> processes and the new AllowTcpForwarding option.
> 

Seems to be working fine:

Host: mips-sgi-irix6.5
Compiler: cc
Compiler flags: -g -I. -I. -I/usr/local/include -I/usr/local/ssl/include
Linker flags: -L/usr/local/ssl/lib -L/usr/local/ssl
Libraries: -lz -lcrypto -lwrap

Good to see the hanging ssh2 sessions are gone..

-jf
-- 
Donate spare cpucycles to GRISK

From chip at princetonecom.com Tue Oct 17 01:56:03 2000
From: chip at princetonecom.com (Chip Christian)
Date: Mon, 16 Oct 2000 10:56:03 -0400
Subject: Snapshot
In-Reply-To: Message from Damien Miller of "Mon, 16 Oct 2000 14:35:12 +1100."
Message-ID: <20001016145603.B4200B47B@fleck.princetonecom.com>

Works like a charm on sparc-sun-solaris2.6. The default-path bug I reported is fixed. The pam_chauthtok() stuff works as well, however:

Using the same modules, in.telnetd does this when I have an expired login:

Your password has expired and you have 6 grace login(s).
Do you want to change your password now ([y]es/[n]o):

while sshd forces me to change my password:

Your password has expired and you have 5 grace login(s).
Warning: Your password has expired, please change it now
New password:

From pekkas at netcore.fi Tue Oct 17 02:43:22 2000
From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 16 Oct 2000 18:43:22 +0300 (EEST) Subject: Snapshot In-Reply-To: Message-ID: On Mon, 16 Oct 2000, Damien Miller wrote: > This fixes a few problems since the last one and incorporates some > more work from the OpenBSD team. Looks pretty good. --- Host: i386-redhat-linux-gnu Compiler: gcc Compiler flags: -O2 -m486 -fno-strength-reduce -Wall -I. -I. -I/usr/include Linker flags: -L/usr/lib -L/usr Libraries: -ldl -lnsl -lz -lutil -lpam -lcrypto -lwrap --- A few minor issues (patches). The latter two apply to the non-portable version too, I think. 1) redhat .spec file has gnome-libs-devel reqqed twice, can't be compiled without gnome-askpass 2) two minor ssh.1 typos that caught my eye 3) I think DES is supported when connecting with SSH1 (routers..), so a minor adjustment is required -- this might not be an optimal wording though. Also, there was a 4-5-line patch by Andy Polyakov on the list on Sun, 16 Jul 2000 12:18:55 -0400 which added the support for old Macintosh clients. That would probably be a good addition to contrib/. -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" -------------- next part -------------- --- openssh.spec.orig Mon Oct 16 05:35:19 2000 +++ openssh.spec Mon Oct 16 18:25:33 2000 @@ -24,7 +24,7 @@ Obsoletes: ssh PreReq: openssl >= 0.9.5a Requires: openssl >= 0.9.5a -BuildPreReq: perl, openssl-devel, tcp_wrappers, gnome-libs-devel +BuildPreReq: perl, openssl-devel, tcp_wrappers BuildPreReq: /bin/login, /usr/bin/rsh, /usr/include/security/pam_appl.h %if ! %{no_gnome_askpass} BuildPreReq: gnome-libs-devel -------------- next part -------------- --- ssh.1.orig Mon Oct 16 04:14:43 2000 +++ ssh.1 Mon Oct 16 18:29:03 2000 
@@ -367,7 +367,7 @@ (triple-des) is an encrypt-decrypt-encrypt triple with three different keys. It is presumably more secure than the .Ar des -cipher which is no longer supported in +cipher which is no longer fully supported in .Nm ssh . .Ar blowfish is a fast block cipher, it appears very secure and is much faster than @@ -628,9 +628,9 @@ the check will not be executed. .It Cm Cipher Specifies the cipher to use for encrypting the session -in protocol version 1 +in protocol version 1. Currently, -.Dq blowfish , +.Dq blowfish and .Dq 3des are supported. From jhuuskon at messi.uku.fi Tue Oct 17 02:49:32 2000 From: jhuuskon at messi.uku.fi (Jarno Huuskonen) Date: Mon, 16 Oct 2000 18:49:32 +0300 Subject: openssh vs. commercial ssh1 port forwarding In-Reply-To: ; from djm@mindrot.org on Sun, Oct 15, 2000 at 11:51:52AM +1100 References: <200010150023.RAA76974@bromo.med.uc.edu> Message-ID: <20001016184932.A20036@laivuri63.uku.fi> Hi, I have already mentioned this a few times before but here I go again: Commercial ssh1 can send SSH_SMSG_FAILURE when client tries to do remote portforwarding. Openssh only handles SSH_SMSG_SUCCESS and ends in protocol error if server sends FAILURE. To 'correctly' handle FAILURE the code in channels.c (around line 1566) needs minor modifications (instead of packet_read_expect use packet_read etc.). This modification is in the (protocol2 -R support) patches I've sent to the list. -Jarno -- Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi University of Kuopio - Computer Centre | Work: +358 17 162822 PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169 From Nigel.Metheringham at VData.co.uk Tue Oct 17 03:14:14 2000 
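Review bot: in the openssh.spec hunk, dropping gnome-libs-devel from the unconditional BuildPreReq line is the right fix, because the same dependency is still required inside the `%if ! %{no_gnome_askpass}` block two lines below, so the first line was blocking the no_gnome_askpass build for no reason; worth a quick grep that no other unconditional gnome-libs-devel reference remains elsewhere in the spec (not visible in this hunk).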
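Review bot: in the ssh.1 hunk at -367, `no longer fully supported` is vaguer than the text it replaces and, as the cover mail itself says, not optimal wording; state what is actually supported, for example `cipher which is only retained for protocol version 1 connections to legacy implementations`, so a reader knows when des still applies.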
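Review bot: the ssh.1 hunk at -628 still says that only `blowfish` and `3des` are supported in protocol version 1, which contradicts the -367 hunk's claim that des is still partly supported; either list des here with its caveat or leave the -367 wording at `no longer supported`, so the two places agree.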
From: Nigel.Metheringham at VData.co.uk (Nigel Metheringham) Date: Mon, 16 Oct 2000 17:14:14 +0100 Subject: ssh2 authentication and ip forwarding Message-ID: I'd been hoping to move all of our site to ssh protocol 2 whilst we are still small enough to do this without serious pain, however the lack of authentication and connection forwarding is making that difficult at present. I see the current (2.2.0p1) code base does not have the code on either client or server side for ssh2 to handle tunneled connections or authentication agent. Is this being worked on, scheduled for work, worth me putting time into, or is there good reason to hold off at present? [Actually I guess its more a openssh issue rather than portable openssh issue... but I'm not on that list and don't use openbsd.] Nigel. -- [ - Opinions expressed are personal and may not be shared by VData - ] [ Nigel Metheringham Nigel.Metheringham at VData.co.uk ] [ Phone: +44 1423 850000 Fax +44 1423 858866 ] From jhuuskon at messi.uku.fi Tue Oct 17 03:13:45 2000 
From: jhuuskon at messi.uku.fi (Jarno Huuskonen) Date: Mon, 16 Oct 2000 19:13:45 +0300 Subject: openssh vs. commercial ssh1 port forwarding In-Reply-To: <20001016184932.A20036@laivuri63.uku.fi>; from jhuuskon@messi.uku.fi on Mon, Oct 16, 2000 at 06:49:32PM +0300 References: <200010150023.RAA76974@bromo.med.uc.edu> <20001016184932.A20036@laivuri63.uku.fi> Message-ID: <20001016191345.A23982@laivuri63.uku.fi> > I have already mentioned this a few times before but here I go again: > Commercial ssh1 can send SSH_SMSG_FAILURE when client tries to do remote > portforwarding. Openssh only handles SSH_SMSG_SUCCESS and ends in > protocol error if server sends FAILURE. The latest snapshot with the AllowTcpForwarding patch also sends SSH_SMSG_FAILURE if port forwarding is disabled -> protocol error: expecting 14 got 15 (or something like that). IMO handling the FAILURE message should go to openssh or at least print a more informational error message. > To 'correctly' handle FAILURE the code in channels.c (around line 1566) needs > minor modifications (instead of packet_read_expect use packet_read etc.). This > modification is in the (protocol2 -R support) patches I've sent to the list. -- Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi University of Kuopio - Computer Centre | Work: +358 17 162822 PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169 From Nigel.Metheringham at VData.co.uk Tue Oct 17 04:10:06 2000 
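Jarno's point in the two messages above, accepting SSH_SMSG_FAILURE instead of aborting with "expecting 14 got 15", as an added example that is not OpenSSH code: a strict handler mirroring packet_read_expect() beside a tolerant one, driven by a constructed in-memory packet queue standing in for the real packet layer. The SSH1 type values (14 and 15) are real; the queue, the result enum and the port number are assumptions made for the illustration.

```c
/*
 * Added example (not OpenSSH code). In SSH protocol 1 the server answers a
 * remote port-forwarding request with SSH_SMSG_SUCCESS (14) or
 * SSH_SMSG_FAILURE (15). A client that uses packet_read_expect(SUCCESS)
 * dies with a protocol error on FAILURE; reading the type with packet_read()
 * and switching on it lets the session continue with a clear warning.
 */
#include <stdio.h>
#include <stdlib.h>

#define SSH_SMSG_SUCCESS 14
#define SSH_SMSG_FAILURE 15

/* Constructed stand-in for the packet layer: a queue of packet types. */
static const int *queue;
static size_t queue_len, queue_pos;

static void
mock_packets(const int *types, size_t n)
{
	queue = types;
	queue_len = n;
	queue_pos = 0;
}

/* Like packet_read(): returns the next packet type, -1 when none is left. */
static int
packet_read(void)
{
	if (queue_pos >= queue_len)
		return -1;
	return queue[queue_pos++];
}

/* Outcome codes so a caller (or test) can see what happened. */
enum fwd_result { FWD_OK = 0, FWD_REFUSED = 1, FWD_PROTO_ERROR = 2 };

/*
 * Strict variant, mirroring packet_read_expect(): anything other than
 * SUCCESS is a protocol error, which is what the snapshot client did.
 */
enum fwd_result
forward_reply_strict(void)
{
	int type = packet_read();

	if (type != SSH_SMSG_SUCCESS) {
		fprintf(stderr, "Protocol error: expecting %d got %d\n",
		    SSH_SMSG_SUCCESS, type);
		return FWD_PROTO_ERROR;
	}
	return FWD_OK;
}

/*
 * Tolerant variant: FAILURE (sent by commercial ssh1, and by sshd when
 * AllowTcpForwarding is off) is reported as a refused forwarding and the
 * session goes on; any other type is still a protocol error.
 */
enum fwd_result
forward_reply_tolerant(int port)
{
	int type = packet_read();

	switch (type) {
	case SSH_SMSG_SUCCESS:
		return FWD_OK;
	case SSH_SMSG_FAILURE:
		fprintf(stderr, "Warning: remote port forwarding for port %d "
		    "refused by server\n", port);
		return FWD_REFUSED;
	default:
		fprintf(stderr, "Protocol error: expecting %d or %d got %d\n",
		    SSH_SMSG_SUCCESS, SSH_SMSG_FAILURE, type);
		return FWD_PROTO_ERROR;
	}
}

/* Feed one server reply of the given type to either handler. */
enum fwd_result
run_reply(int reply_type, int tolerant)
{
	int q[1] = { reply_type };

	mock_packets(q, 1);
	return tolerant ? forward_reply_tolerant(8080) : forward_reply_strict();
}
```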
From: Nigel.Metheringham at VData.co.uk (Nigel Metheringham) Date: Mon, 16 Oct 2000 18:10:06 +0100 Subject: ssh2 authentication and ip forwarding In-Reply-To: Message from Nigel Metheringham of "Mon, 16 Oct 2000 17:14:14 BST." Message-ID: [following up to myself...] Embarrassingly I then noticed the current set of posts from Jarno Huuskonen on port forwarding support... I was concentrating on authentication agent forwarding and then rolled port forwarding because I saw from the code it was also missing.... without having picked it up in the posts, Nigel. -- [ - Opinions expressed are personal and may not be shared by VData - ] [ Nigel Metheringham Nigel.Metheringham at VData.co.uk ] [ Phone: +44 1423 850000 Fax +44 1423 858866 ] From markus.friedl at informatik.uni-erlangen.de Tue Oct 17 08:42:00 2000 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 16 Oct 2000 23:42:00 +0200 Subject: ssh2 authentication and ip forwarding In-Reply-To: ; from Nigel.Metheringham@VData.co.uk on Mon, Oct 16, 2000 at 05:14:14PM +0100 References: Message-ID: <20001016234200.A29915@folly>

agent forwarding is not in ssh2 since we don't do the official agent protocol (there is no spec) and since we would have to do our own proprietary protocol for this. but if someone sends 'clean' patches, we can add this to openssh, of course.

On Mon, Oct 16, 2000 at 05:14:14PM +0100, Nigel Metheringham wrote:
> I'd been hoping to move all of our site to ssh protocol 2 whilst we are
> still small enough to do this without serious pain, however the lack of
> authentication and connection forwarding is making that difficult at
> present.
>
> I see the current (2.2.0p1) code base does not have the code on either
> client or server side for ssh2 to handle tunneled connections or
> authentication agent. Is this being worked on, scheduled for work,
> worth me putting time into, or is there good reason to hold off at
> present?
>
> [Actually I guess its more a openssh issue rather than portable openssh
> issue... but I'm not on that list and don't use openbsd.]
>
> Nigel.
> --
> [ - Opinions expressed are personal and may not be shared by VData - ]
> [ Nigel Metheringham Nigel.Metheringham at VData.co.uk ]
> [ Phone: +44 1423 850000 Fax +44 1423 858866 ]
>
>
>
From gem at rellim.com Tue Oct 17 11:09:15 2000
From: gem at rellim.com (Gary E. Miller) Date: Mon, 16 Oct 2000 17:09:15 -0700 (PDT) Subject: openssh-SNAP-2001016 Message-ID: Yo All! This snap seems to compile and tune fine on: Host: i586-sco-sysv5uw7.1.0 Compiler: cc Compiler flags: -g -I. -I. -I/usr/local/include -I/usr/local/ssl/include Linker flags: -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/ssl Libraries: -lsocket -lnsl -lz -lgen -lsocket -lcrypto All I have to do is: ./configure && make && make install I will beat on it some and see if anything shakes out... RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Oct 17 19:39:32 2000 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Tue, 17 Oct 2000 10:39:32 +0200 Subject: ssh-add broken for latest snapshots Message-ID: <20001017103932.A15640@ws01.aet.tu-cottbus.de>

Hi!

I had some fight with ssh-add this morning that I have now tracked down to a change recently made. I run "ssh-add < /dev/null" to launch (x11-)ssh-askpass from the CDE startup. Unfortunately, no keys are added to ssh-agent!

Reason: Between 2.2.0p1 (ssh-add.c 1.20) and now (ssh-add 1.22) the input reading from ssh-askpass was changed from read() to atomicio().

91c120
< len = read(p[0], buf, sizeof buf);
---
> len = atomicio(read, p[0], buf, sizeof buf);

After having entered the passphrase, atomicio will first read the correct number of characters (like read()), but then will try to read another hunk, which is not there anymore, because everything has been read. read() will hence return "0", so that atomicio will also return "0", even though "buf" contains the correct passphrase...

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
From vinschen at cygnus.com Tue Oct 17 22:25:41 2000
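The atomicio() behaviour Lutz describes above, as an added example that is not OpenSSH's own code: a minimal reconstruction of atomicio()'s loop-until-full contract, a reader that keeps the byte count when the writer closes the pipe, and a constructed pipe standing in for the ssh-askpass child. The atomicio() copy and simulate_askpass() are assumptions made for this illustration.

```c
/*
 * Added example (not OpenSSH code). atomicio() keeps calling read() until
 * the whole buffer is full; when the askpass child closes the pipe after
 * writing the passphrase, the next read() returns 0 and atomicio() returns
 * 0 too, throwing away the count even though buf holds the passphrase.
 * read_until_eof() returns what was read instead.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Reconstruction of the atomicio() contract: n bytes, or error/EOF. */
static ssize_t
atomicio(ssize_t (*f)(int, void *, size_t), int fd, void *_s, size_t n)
{
	char *s = _s;
	ssize_t res, pos = 0;

	while (n > (size_t)pos) {
		res = (f)(fd, s + pos, n - pos);
		switch (res) {
		case -1:
			if (errno == EINTR || errno == EAGAIN)
				continue;
			/* FALLTHROUGH */
		case 0:
			return res;	/* EOF before buffer full: pos is lost */
		default:
			pos += res;
		}
	}
	return pos;
}

/* Reader suited to a pipe from a child: EOF ends the read, count is kept. */
static ssize_t
read_until_eof(int fd, char *buf, size_t n)
{
	ssize_t res, pos = 0;

	while ((size_t)pos < n) {
		res = read(fd, buf + pos, n - pos);
		if (res == -1) {
			if (errno == EINTR || errno == EAGAIN)
				continue;
			return -1;
		}
		if (res == 0)
			break;		/* EOF: return what we have */
		pos += res;
	}
	return pos;
}

/*
 * Constructed stand-in for ssh-askpass: a pipe whose write end is closed
 * right after the passphrase is written, just as the child exiting would.
 * *atomicio_len receives atomicio()'s answer, *fixed_len read_until_eof()'s.
 * Returns 0 on success, -1 if the pipe could not be set up.
 */
int
simulate_askpass(const char *passphrase, ssize_t *atomicio_len,
    ssize_t *fixed_len)
{
	char buf[1024];
	int p[2];

	for (int i = 0; i < 2; i++) {
		if (pipe(p) == -1)
			return -1;
		if (write(p[1], passphrase, strlen(passphrase)) < 0)
			return -1;
		close(p[1]);		/* child "exits": EOF on p[0] */
		memset(buf, 0, sizeof buf);
		if (i == 0)
			*atomicio_len = atomicio(read, p[0], buf, sizeof buf);
		else
			*fixed_len = read_until_eof(p[0], buf, sizeof buf - 1);
		close(p[0]);
	}
	return 0;
}
```

With the constructed input "secret", atomicio() reports 0 while read_until_eof() reports 6, which is exactly the empty-passphrase symptom Lutz saw.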
From: vinschen at cygnus.com (Corinna Vinschen) Date: Tue, 17 Oct 2000 13:25:41 +0200 Subject: Snapshot-20001016 References: Message-ID: <39EC3735.3F5A9CA1@cygnus.com> OpenSSH configured has been configured with the following options. User binaries: /usr/bin User binaries: /usr/bin System binaries: /usr/sbin Configuration files: /etc Askpass program: /usr/sbin/ssh-askpass Manual pages: /usr/man/manX PID file: /var/run Random number collection: Device (/dev/urandom) Manpage format: man PAM support: no KerberosIV support: no AFS support: no S/KEY support: no TCP Wrappers support: no MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: no Host: i686-pc-cygwin Compiler: gcc Compiler flags: -g -O2 -Wall -I. -I. -I/usr/include Linker flags: -L/usr/lib -L/usr Libraries: -lz -lregex /usr/lib/textmode.o -lcrypto Looks good but I had to change configure.in since Cygwin has a V8 regex so we have to provide POSIX regex as a separate library which we will do as soon as we release the new OpenSSH-2.3.0: Index: configure =================================================================== RCS file: /src/cvsroot/openssh-20001016/configure,v retrieving revision 1.1.1.1 diff -u -p -r1.1.1.1 configure --- configure 2000/10/16 16:16:21 1.1.1.1 +++ configure 2000/10/17 10:33:46 @@ -1352,7 +1352,7 @@ EOF mansubdir=cat ;; *-*-cygwin*) - LIBS="$LIBS /usr/lib/textmode.o" + LIBS="$LIBS -lregex /usr/lib/textmode.o" cat >> confdefs.h <<\EOF #define HAVE_CYGWIN 1 EOF Index: configure.in =================================================================== RCS file: /src/cvsroot/openssh-20001016/configure.in,v retrieving revision 1.1.1.1 diff -u -p -r1.1.1.1 configure.in --- configure.in 2000/10/16 16:16:21 1.1.1.1 +++ configure.in 2000/10/17 10:32:48 
@@ -58,7 +58,7 @@ case "$host" in mansubdir=cat ;; *-*-cygwin*) - LIBS="$LIBS /usr/lib/textmode.o" + LIBS="$LIBS -lregex /usr/lib/textmode.o" AC_DEFINE(HAVE_CYGWIN) AC_DEFINE(DISABLE_PAM) AC_DEFINE(DISABLE_SHADOW) Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin at sources.redhat.com Red Hat, Inc. mailto:vinschen at cygnus.com From djm at mindrot.org Tue Oct 17 23:12:04 2000 From: djm at mindrot.org (Damien Miller) Date: Tue, 17 Oct 2000 23:12:04 +1100 (EST) Subject: ssh-add broken for latest snapshots In-Reply-To: <20001017103932.A15640@ws01.aet.tu-cottbus.de> Message-ID: On Tue, 17 Oct 2000, Lutz Jaenicke wrote: > Hi! > > I had some fight with ssh-add this morning that I have now tracked > down to a change recently made. I run "ssh-add < /dev/null" to > launch (x11-)ssh-askpass from the CDE startup. Unfortunately, no > keys are added to ssh-agent! Thanks again. Does this help: diff -u -r1.25 ssh-add.c --- ssh-add.c 2000/09/30 10:36:54 1.25 +++ ssh-add.c 2000/10/17 12:11:17 @@ -117,7 +117,9 @@ fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno)); } close(p[1]); - len = atomicio(read, p[0], buf, sizeof buf); + buf[0] = '\0'; + atomicio(read, p[0], buf, sizeof buf); + len = strlen(buf); close(p[0]); while (waitpid(pid, &status, 0) < 0) if (errno != EINTR) -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From djm at mindrot.org Tue Oct 17 23:14:35 2000 
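Review bot: the configure hunk is the same one-line change as the configure.in hunk; since configure is generated from configure.in by autoconf, only the configure.in change needs to be committed and configure regenerated, otherwise the next autoconf run silently drops the hand-patched line. The change itself is fine, adding -lregex ahead of /usr/lib/textmode.o for the Cygwin case.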
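Review bot: in the ssh-add.c hunk, `atomicio(read, p[0], buf, sizeof buf)` followed by `len = strlen(buf)` relies on buf being NUL-terminated, but only `buf[0] = '\0'` is cleared beforehand, so an askpass program that writes sizeof buf bytes leaves no terminator and strlen runs past the end of buf; reading at most sizeof buf - 1 bytes into a buffer cleared with memset(buf, 0, sizeof buf) (or setting buf[sizeof buf - 1] = '\0' after the read) closes that. Discarding atomicio()'s return value also makes a read error indistinguishable from an empty passphrase, so a check for -1 before the strlen is worthwhile.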
From: djm at mindrot.org (Damien Miller) Date: Tue, 17 Oct 2000 23:14:35 +1100 (EST) Subject: Snapshot-20001016 In-Reply-To: <39EC3735.3F5A9CA1@cygnus.com> Message-ID: On Tue, 17 Oct 2000, Corinna Vinschen wrote: > Looks good but I had to change configure.in since Cygwin has a V8 > regex so we have to provide POSIX regex as a separate library > which we will do as soon as we release the new OpenSSH-2.3.0: Thanks, applied -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Oct 17 23:16:43 2000 From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Tue, 17 Oct 2000 14:16:43 +0200 Subject: ssh-add broken for latest snapshots In-Reply-To: ; from djm@mindrot.org on Tue, Oct 17, 2000 at 11:12:04PM +1100 References: <20001017103932.A15640@ws01.aet.tu-cottbus.de> Message-ID: <20001017141643.A25280@ws01.aet.tu-cottbus.de> On Tue, Oct 17, 2000 at 11:12:04PM +1100, Damien Miller wrote: > On Tue, 17 Oct 2000, Lutz Jaenicke wrote: > > I had some fight with ssh-add this morning that I have now tracked > > down to a change recently made. I run "ssh-add < /dev/null" to > > launch (x11-)ssh-askpass from the CDE startup. Unfortunately, no > > keys are added to ssh-agent! > > Thanks again. Does this help: > > diff -u -r1.25 ssh-add.c > --- ssh-add.c 2000/09/30 10:36:54 1.25 > +++ ssh-add.c 2000/10/17 12:11:17 
> @@ -117,7 +117,9 @@ > fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno)); > } > close(p[1]); > - len = atomicio(read, p[0], buf, sizeof buf); > + buf[0] = '\0'; > + atomicio(read, p[0], buf, sizeof buf); > + len = strlen(buf); > close(p[0]); > while (waitpid(pid, &status, 0) < 0) > if (errno != EINTR) Yes, this helps, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From t.cucinotta at sssup.it Wed Oct 18 05:26:39 2000 From: t.cucinotta at sssup.it (Tommaso Cucinotta) Date: Tue, 17 Oct 2000 20:26:39 +0200 Subject: Smartcards & SSH Message-ID: <39EC99DF.CB9E4B6A@sssup.it> Hi all, I'm new to this mailing list, so I apologize if my question is "obsolete" for you. I'd like to know if anybody has a clear idea about how to connect smartcards to the SSH framework. I yet got a modified ssh-agent (by Stephen Pellicer) that uses SSP-Lite (CyberflexAccess driver by me) in order to use the smartcard instead of the HD files. Instead, I'd like to INTEGRATE that with the original, file-based, ssh environment. I'd like to know what do you think about this, and HOW the work should be accomplished, to maintain your kind of architecture (ssh-agent, ssh-add, ...). I'd like to know what PAM is used for, in the ssh framework, too (sorry if I missed some/many docs from your site). Many thanks in advance to everybody, bye, Tommaso Cucinotta. -- /------------------------------------------------\ | Dr. Tommaso Cucinotta | +------------------------------------------------+ | Scuola Superiore di Studi Universitari | | e Perfezionamento S.Anna | | Pisa Italy | \------------------------------------------------/ From carl at bl.echidna.id.au Wed Oct 18 07:43:18 2000 
From: carl at bl.echidna.id.au (carl at bl.echidna.id.au) Date: Wed, 18 Oct 2000 07:43:18 +1100 (EST) Subject: Smartcards & SSH Message-ID: <200010172043.e9HKhIn19269@rollcage.bl.echidna.id.au>

> From: Tommaso Cucinotta
> To: openssh-unix-dev at mindrot.org
> Subject: Smartcards & SSH
>
> Hi all,
>
> I'm new to this mailing list, so I apologize if my question
> is "obsolete" for you.
>
> I'd like to know if anybody has a clear idea about
> how to connect smartcards to the SSH framework.

We use SecurID tokens via PAM and radius with OpenSSH on Solaris and Loonucks. Nothing fancy required to do this, just a PAM radius agent.

Carl
From WHarms at bfs.de Wed Oct 18 03:55:01 2000
From: WHarms at bfs.de (WHarms at bfs.de) Date: Tue, 17 Oct 2000 17:55:01 +0100 Subject: AIX and openssh Message-ID:

I got a patch from the mailing list and it seems to work fine (aging now works). But I still add WITH_AIXAUTHENTICATE manually, and there are some other minor problems. Is there someone working on the AIX port?

walter
From djm at mindrot.org Wed Oct 18 10:03:35 2000
From: djm at mindrot.org (Damien Miller) Date: Wed, 18 Oct 2000 10:03:35 +1100 (EST) Subject: Smartcards & SSH In-Reply-To: <39EC99DF.CB9E4B6A@sssup.it> Message-ID:

On Tue, 17 Oct 2000, Tommaso Cucinotta wrote:
> Hi all,
>
> I'm new to this mailing list, so I apologize if my question
> is "obsolete" for you.
>
> I'd like to know if anybody has a clear idea about
> how to connect smartcards to the SSH framework.
>
> I yet got a modified ssh-agent (by Stephen Pellicer)
> that uses SSP-Lite (CyberflexAccess driver by me)
> in order to use the smartcard instead of the HD files.
>
> Instead, I'd like to INTEGRATE that with the
> original, file-based, ssh environment.

What do you mean by this? Surely you would prefer to keep the keys (and preferably the action of signing) on the cards themselves?

> I'd like to know what do you think about this, and
> HOW the work should be accomplished, to maintain
> your kind of architecture (ssh-agent, ssh-add, ...).

Smartcard integration would best be done at the ssh-agent level. Since it already does the signing of challenges internally, it wouldn't be too much effort to hand this over to the card via pkcs#11 or whatever. You might need a ssh-keygen-smartcard, which would probably also pass the operations off to the card.

If the cards that you are using don't do crypto, then you would probably best modify ssh-add to read the keys and hand them to ssh-agent. ssh-keygen would need to be modified to store its keys in the cards (or you could use a transfer utility).

> I'd like to know what PAM is used for, in the ssh
> framework, too (sorry if I missed some/many docs
> from your site).

PAM support is used for password authentication and enforcing account restrictions. Some work is underway for more complete PAM support using SSH2's kbd-interactive authentication mode.

-d
--
| ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare.
Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org
From markus.friedl at informatik.uni-erlangen.de Wed Oct 18 07:30:41 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 17 Oct 2000 22:30:41 +0200 Subject: Smartcards & SSH In-Reply-To: <39EC99DF.CB9E4B6A@sssup.it>; from t.cucinotta@sssup.it on Tue, Oct 17, 2000 at 08:26:39PM +0200 References: <39EC99DF.CB9E4B6A@sssup.it> Message-ID: <20001017223041.A25177@folly>

On Tue, Oct 17, 2000 at 08:26:39PM +0200, Tommaso Cucinotta wrote:
> I'd like to know if anybody has a clear idea about
> how to connect smartcards to the SSH framework.
>
> I yet got a modified ssh-agent (by Stephen Pellicer)
> that uses SSP-Lite (CyberflexAccess driver by me)
> in order to use the smartcard instead of the HD files.

this is what i'm going to do and i think this is the best way to integrate smartcard support. do you have pointers to these modifications or any other info?

> Instead, I'd like to INTEGRATE that with the
> original, file-based, ssh environment.

how?

> I'd like to know what do you think about this, and
> HOW the work should be accomplished, to maintain
> your kind of architecture (ssh-agent, ssh-add, ...).

i don't understand what you exactly want...

-markus
From harald at iki.fi Wed Oct 18 18:30:40 2000
From: harald at iki.fi (Harald Hannelius) Date: Wed, 18 Oct 2000 10:30:40 +0300 (EEST) Subject: Smartcards & SSH In-Reply-To: <39EC99DF.CB9E4B6A@sssup.it> Message-ID:

On Tue, 17 Oct 2000, Tommaso Cucinotta wrote:
> Hi all,
>
> I'd like to know if anybody has a clear idea about
> how to connect smartcards to the SSH framework.

There's a guy here at CSC.fi that has implemented a system which allows users to use their 'social-security card' that is now starting to get out to people here in Finland. The card has some keys on it, and they are then used to authenticate the user. The patches you can get from there are against ssh-1.2.25, but you'll get the general idea from there... Have fun :)

Here's the URL: http://www.csc.fi/~jmaki/fineid/

Harald H Hannelius | Harald at iki.fi | GSM +358405470870
From t.cucinotta at sssup.it Thu Oct 19 04:35:14 2000
From: t.cucinotta at sssup.it (Tommaso Cucinotta) Date: Wed, 18 Oct 2000 19:35:14 +0200 Subject: Smartcards & SSH References: <39EC99DF.CB9E4B6A@sssup.it> <20001017223041.A25177@folly> Message-ID: <39EDDF52.81888387@sssup.it>

Markus Friedl wrote:
>
> this is what i'm going to do and i think this is the
> best way to integrate smartcard support. do you have
> pointers to these modifications or any other info?

How are you going to achieve such integration, i.e. what kind of smartcard-related software are you going to use? I have those ssh-agent modified files, and I'm going to review them, then post on the smartsign website: http://smartsign.sourceforge.net

> > Instead, I'd like to INTEGRATE that with the
> > original, file-based, ssh environment.
>
> how?
>
> > I'd like to know what do you think about this, and
> > HOW the work should be accomplished, to maintain
> > your kind of architecture (ssh-agent, ssh-add, ...).
>
> i don't understand what you exactly want...

What I was meaning is that I'd like not to have separate applications to start for smartcard-aware SSH and "normal" file-based SSH.

I would prefer a solution that allows a user to launch his ssh-agent, then ssh-add a smartcard's key (just tell the agent HOW to use the key with the SC, not giving the key to the agent itself), and use ssh in the usual way, except that I should enter smartcard's PIN instead of the private key's passphrase.

So the problem is: is out there anybody who can give me hints/suggestions about

1. how to incorporate a sort of "modularity" in SSH Agent, in such a way that it uses "cryptographic modules" to make authentication, independently of the way such modules operate (it seems that the separation between ssh and ssh-agent wants to achieve just this, but now I have this problem of the "agent modularity"). Maybe that PKCS#11 is a (Netscape-like) reasonable solution?

2. how could PAM be used to achieve the task. Does ssh-agent, by now, use PAM at all?
Is there a way to use PAM to achieve the agent's modularity ? 3. What is a PAM radius agent and a SecurID token (I refer to "carl at bl.echidna.id.au"'s message) ? 4. What documents could I read about these issues ? 5. I developed an (OpenSource) smartcard-aware PAM module for LOCAL authentications on a PC (i.e. at the login, for example). Could I integrate such a tool into the ssh-agent ?? I apologize if I missed some evident documents which I could easily get from OpenSSH's site or the Internet, and pray anyone to email me URLs to such docs, if any. Many thanks in advance, bye, Tommaso Cucinotta. -- /------------------------------------------------\ | Dr. Tommaso Cucinotta | +------------------------------------------------+ | Scuola Superiore di Studi Universitari | | e Perfezionamento S.Anna | | Pisa Italy | \------------------------------------------------/ From djm at mindrot.org Thu Oct 19 10:09:58 2000 
From: djm at mindrot.org (Damien Miller) Date: Thu, 19 Oct 2000 10:09:58 +1100 (EST) Subject: Smartcards & SSH In-Reply-To: <39EDDF52.81888387@sssup.it> Message-ID: On Wed, 18 Oct 2000, Tommaso Cucinotta wrote: > > i don't understand what you exactly want... > > What I was meaning is that I'd like not to have separate > applications to start for smartcard-aware SSH and "normal" > file-based SSH. > > I would prefer a solution that allows a user to launch > his ssh-agent, then ssh-add a smartcard's key (just tell > the agent HOW to use the key with the SC, not giving > the key to the agent itself), and use ssh in the usual > way, except that I should enter smartcard's PIN instead > of the private key's passphrase. > > So the problem is: is out there anybody who can give me > hints/suggestions about > > 1. how to incorporate a sort of "modularity" in SSH Agent, in > such a way that it uses "cryptographic modules" to make > authentication, indipendently of the way such modules > operate (it seems that the separation between ssh and > ssh-agent wants to achieve just this, but know I have > this problem of the "agent modularity"). Maybe that > PKCS#11 is a (Netscape-like) reasonable solution ? PKCS11 is how you would talk to the smartcards, you also need to modify ssh-agent so it knows which keys are in memory and which keys can be accessed through pkcs11. Do you want to use the card as a keystore, or do you want to sign challenges on the card? > 2. how could PAM be used to achieve the task. Does ssh-agent, > by now, use PAM at all ? Is there a way to use PAM to > achieve the agent's modularity ? No - PAM deals with system authentication and knows nothing about crypto keys. There has been talk of a PAM module that does RSA authentication, but I haven't seen it yet. > 3. What is a PAM radius agent and a SecurID token (I refer > to "carl at bl.echidna.id.au"'s message) ? SecurID is a token based one-time-password system. 
The PAM radius module is used to talk to the proprietary SecurID server. BTW where can I find this PAM radius module? The docs on the one I have say that it only does RADIUS accounting. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From vtmue at uni-freiburg.de Thu Oct 19 10:10:38 2000 From: vtmue at uni-freiburg.de (V. T. Mueller) Date: Thu, 19 Oct 2000 01:10:38 +0200 (MET DST) Subject: hp-ux 64 bit [was] 2.2.0p1 configure problems In-Reply-To: Message-ID: Hi, Thanks for the pointer to config.log... now I made it compile and have a running ssh client (please see appended mail). Any ideas how to fix sshd? sshd exits and logs the following to syslog: sshd[201]: Accepted password for ROOT from 0.0.0.0 port 0 vmunix: System call 76 (vhangup) was called in a kernel where the type of at least one of its arguments is currently unspecified. This is a problem that must be fixed by the owner of the system call before the kernel can be released. The process was pid 220 (sshd). sshd[201]: Disconnecting: Command terminated on signal 12. - From vtmue at sun2.ruf.uni-freiburg.de Thu Oct 19 09:59:02 2000 
From: vtmue at sun2.ruf.uni-freiburg.de (V. T. Mueller) Date: Thu, 19 Oct 2000 00:59:02 +0200 (MET DST) Subject: [SUMMARY] openssh: ld: mismatched ABI Message-ID:

Original question:
-----------------
[..] What I am attempting to do is compiling openssh-2.2.0p1 on a C200 running 11.0 64bit. During configure, ld exits from building a test program stating:

/usr/ccs/bin/ld: /opt/openssl/lib/libcrypto.a: Not a valid library (invalid magic number). Possibly a 64-bit PA archive library (Mismatched ABI).
[..]

Solution:
--------
Many thanks to Albert C. Smith who pointed me in the right direction. After he told me to have an eye on cc rather than on ld I made my way to a working openssh. The following suggestion may be extremely quick n' dirty since I'm new to both openssh as well as 64bit HP-UX. Anyways, it works for me ;) Most of all, only ssh is running, sshd has *serious* problems for which I'll contact its authors.

o get the latest openssh *portable* source from www.openssh.org
o have recent zlib and openssl libraries already installed
o in configure, lines 1612 and 1646 (as of 2.2.0p1) change LIBS="-lz $LIBS" to LIBS="$LIBS -lz" and in lines 1705 and 1739 change LIBS="-lnsl $LIBS" to LIBS="$LIBS -lnsl"
o run

  CC="cc +DA2.0W" CFLAGS=-I/opt/zlib/include CPPFLAGS="-L/usr/lib/pa20_64\
  -L/usr/lib -L/opt/zlib/lib -L/opt/openssl/lib" LIBS=$CPPFLAGS \
  ./configure --without-pam --prefix=/opt/openssh --with-pid-dir=/var/run \
  --with-ipv4-default --with-ssl-dir=/opt/openssl/lib && make && make \
  install

Kind regards,
Volker
--
V. T. Mueller UCC Freiburg, Germany vtmue (at) uni-freiburg.de "It is salutary to train oneself to be no more affected by censure than by praise." W. Somerset Maugham
From mkiernan at avantgo.com Thu Oct 19 10:14:16 2000
From: mkiernan at avantgo.com (Michael Kiernan) Date: Wed, 18 Oct 2000 16:14:16 -0700 Subject: keyboard-interactive and PAM under protocol v2 Message-ID: <20001018231417.F0AA7F842@nayarit.avantgo.com> Hi all, Support for the keyboard-interactive authentication method has recently been added to OpenSSH. This looks like a nice way to take advantage of more of the capabilities provided by PAM, at least under version 2 of the SSH protocol. Is anybody currently looking into this or otherwise working in this direction? Thanks, Mike -- Michael Kiernan mkiernan at avantgo.com +1-650-638-7581 From carl at bl.echidna.id.au Thu Oct 19 10:53:53 2000 From: carl at bl.echidna.id.au (carl at bl.echidna.id.au) Date: Thu, 19 Oct 2000 10:53:53 +1100 (EST) Subject: Smartcards & SSH Message-ID: <200010182353.e9INrrl25309@rollcage.bl.echidna.id.au> 
> From: Damien Miller > To: Tommaso Cucinotta > Cc: Markus Friedl , > openssh-unix-dev at mindrot.org, carl at bl.echidna.id.au > Subject: Re: Smartcards & SSH > X-Paranoia: just because you're paranoid doesn't mean they aren't out to get you > MIME-Version: 1.0 > Status: RO > > On Wed, 18 Oct 2000, Tommaso Cucinotta wrote: > > > > i don't understand what you exactly want... > > > > What I was meaning is that I'd like not to have separate > > applications to start for smartcard-aware SSH and "normal" > > file-based SSH. > > > > I would prefer a solution that allows a user to launch > > his ssh-agent, then ssh-add a smartcard's key (just tell > > the agent HOW to use the key with the SC, not giving > > the key to the agent itself), and use ssh in the usual > > way, except that I should enter smartcard's PIN instead > > of the private key's passphrase. > > > > So the problem is: is out there anybody who can give me > > hints/suggestions about > > > > 1. how to incorporate a sort of "modularity" in SSH Agent, in > > such a way that it uses "cryptographic modules" to make > > authentication, indipendently of the way such modules > > operate (it seems that the separation between ssh and > > ssh-agent wants to achieve just this, but know I have > > this problem of the "agent modularity"). Maybe that > > PKCS#11 is a (Netscape-like) reasonable solution ? > > PKCS11 is how you would talk to the smartcards, you also need > to modify ssh-agent so it knows which keys are in memory and > which keys can be accessed through pkcs11. > > Do you want to use the card as a keystore, or do you want > to sign challenges on the card? > > > 2. how could PAM be used to achieve the task. Does ssh-agent, > > by now, use PAM at all ? Is there a way to use PAM to > > achieve the agent's modularity ? > > No - PAM deals with system authentication and knows nothing about > crypto keys. There has been talk of a PAM module that does RSA > authentication, but I haven't seen it yet. > > > 3. 
> > What is a PAM radius agent and a SecurID token (I refer
> > to "carl at bl.echidna.id.au"'s message) ?
>
> SecurID is a token based one-time-password system. The PAM radius
> module is used to talk to the proprietary SecurID server.
>
> BTW where can I find this PAM radius module? The docs on the one I
> have say that it only does RADIUS accounting.

http://www.freeradius.org/pam_radius_auth/

If you're using it with (for example) SecurID, you need to hack it to put the radius packet session sequence number into a file (and lock it, and atomically update it etc.) - the original just makes up a sequence number 'at random', but as the range is only 0..255, collisions (and therefore failed logins) are quite possible.

Carl

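Carl's point about the one-octet identifier space, as an added example that is not pam_radius_auth's code: radius_id_collision_prob() gives the exact chance that n requests in flight draw the same identifier from 0..255, radius_id_collision_sim() checks it by drawing identifiers 'at random' the way he says the original module does, and radius_next_id() is the file-backed, locked, atomically updated counter he describes. The file path, the fcntl(2) lock and the one-byte on-disk format are my assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Exact probability that at least two of n concurrent requests share an
 * identifier when each is drawn uniformly from the 256 possible values
 * (the birthday bound for an 8-bit space). */
double radius_id_collision_prob(int n)
{
    double all_distinct = 1.0;
    for (int i = 0; i < n; i++)
        all_distinct *= (256.0 - i) / 256.0;
    return 1.0 - all_distinct;
}

/* Monte Carlo estimate of the same quantity: draw n identifiers "at random"
 * per trial, as the unmodified module does, and count trials with a repeat.
 * A fixed seed keeps the result reproducible. */
double radius_id_collision_sim(int n, int trials, unsigned seed)
{
    int hits = 0;
    srand(seed);
    for (int t = 0; t < trials; t++) {
        unsigned char seen[256] = {0};
        for (int i = 0; i < n; i++) {
            int id = rand() / (RAND_MAX / 256 + 1);   /* uniform 0..255 */
            if (seen[id]++) {
                hits++;
                break;
            }
        }
    }
    return (double)hits / trials;
}

/* Hand out the next identifier from a one-byte counter kept in a file.
 * An exclusive fcntl(2) write lock is held across the read-modify-write,
 * so separate processes (each PAM session is one) never get the same
 * value; close() releases the lock. Returns 0..255, or -1 on error.
 * The path is whatever the caller chooses (placeholder in main below). */
int radius_next_id(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    struct flock lk = { .l_type = F_WRLCK, .l_whence = SEEK_SET,
                        .l_start = 0, .l_len = 0 };
    if (fcntl(fd, F_SETLKW, &lk) < 0) {
        close(fd);
        return -1;
    }
    unsigned char cur = 0;                 /* an empty file starts at 0 */
    if (pread(fd, &cur, 1, 0) < 0) {
        close(fd);
        return -1;
    }
    unsigned char next = (unsigned char)(cur + 1);   /* wraps 255 -> 0 */
    if (pwrite(fd, &next, 1, 0) != 1) {
        close(fd);
        return -1;
    }
    close(fd);                             /* drops the lock */
    return cur;
}

int main(void)
{
    printf("exact P(collision), 20 in flight: %.3f\n",
           radius_id_collision_prob(20));
    printf("simulated (20000 trials):         %.3f\n",
           radius_id_collision_sim(20, 20000, 1));
    const char *ctr = "/tmp/radius_id.ctr";   /* placeholder path */
    unlink(ctr);
    int a = radius_next_id(ctr);
    int b = radius_next_id(ctr);
    int c = radius_next_id(ctr);
    printf("ids from counter: %d %d %d\n", a, b, c);
    return 0;
}
```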
From: i.palsenberg at jdimedia.nl (Igmar Palsenberg)
Date: Thu, 19 Oct 2000 12:45:57 +0200 (CEST)
Subject: Smartcard & SSH
Message-ID:

Some reactions on the thread :

Integrating SmartCard in PAM is no problem. Problem I'm facing with for example CryptoCard and SecureID tokens is that those manufacturers refuse to give out any form of information about the internal operation of those tokens. That prevents me from implementing event synchronous mode.

The best way to handle this with SSH is probably the way for example Apache and PAM handle those : Using DSO's that can be loaded from the config. Saves tons of #ifdefs and recompiles, but has some security related drawbacks, so I'm not sure if the OpenSSH core team is willing to integrate patches which implement those.

I'm currently beta-testing the OpenBSD port of the ANSI X9.9 extension, so that Challenge - Response is possible with OpenSSH protocol v1. Someone else is taking care of the v2 protocol.

If there are serious thoughts on implementing SmartCard support in OpenSSH I'm more than willing to help.

Regards,

Igmar

-- 
Igmar Palsenberg
JDI Media Solutions
Jansplaats 11
6811 GB Arnhem
The Netherlands
mailto: i.palsenberg at jdimedia.nl
PGP/GPG key : http://www.jdimedia.nl/formulier/pgp/igmar

From: djm at mindrot.org (Damien Miller)
Date: Fri, 20 Oct 2000 09:09:46 +1100 (EST)
Subject: [Fwd: OpenSSH - scp - transfer rate patch] (fwd)
Message-ID:

-- 
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the |
| works of Shakespeare. Now, thanks to the Internet,  /
| we know this is not true.'' - Robert Wilensky UCB   / http://www.mindrot.org

---------- Forwarded message ----------
Date: Thu, 17 Aug 2000 14:27:31 +1000
From: Damien Miller
To: djm at mindrot.org
Subject: [Fwd: OpenSSH - scp - transfer rate patch]

-- 
** Damien Miller
** Senior Development Engineer
** Internet Business Solutions
** Phone: +61-3-9696-9655 / Fax: +61-3-9697-4444

-------------- next part --------------
An embedded message was scrubbed...
From: "Artur Nowak"
Subject: OpenSSH - scp - transfer rate patch
Date: Wed, 12 Jul 2000 19:48:28 +0200 (CEST)
Size: 8482
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20001020/29f7076a/attachment.mht

From: djm at mindrot.org (Damien Miller)
Date: Fri, 20 Oct 2000 09:14:59 +1100 (EST)
Subject: Snapshot
In-Reply-To: <20001002172342.2E2D3B47B@fleck.princetonecom.com>
Message-ID:

On Mon, 2 Oct 2000, Chip Christian wrote:

> PAM issues:
> I run this package on a sparc-sun-solaris[67], with Novell NDS Corporate
> Edition for authentication. Set my password to expire this am, login
> appears to hang after accepting my password, before printing anything.
> trussing the sshd reveals the following over and over:
>
> write(2, " D o y o u w a n t ".., 54) = 54
> read(0, 0x00110E54, 8192) = 0
>
> It does consume one of my grace logins.

Can you try again with the latest snapshot? I think I have squashed this :)

-d

-- 
| ``We've all heard that a million monkeys banging on | Damien Miller -
| a million typewriters will eventually reproduce the |
| works of Shakespeare. Now, thanks to the Internet,  /
| we know this is not true.'' - Robert Wilensky UCB   / http://www.mindrot.org

From: cgf at cygnus.com (Chris Faylor)
Date: Thu, 19 Oct 2000 23:05:01 -0400
Subject: [PATCH]: Add tcp_wrappers protection to port forwarding
In-Reply-To: <20001015172804.B6000@folly>; from markus.friedl@informatik.uni-erlangen.de on Sun, Oct 15, 2000 at 05:28:04PM +0200
References: <39DF9857.F3455BD@cygnus.com> <20001008161913.B30167@folly> <20001008112945.A2620@cygnus.com> <20001015172804.B6000@folly>
Message-ID: <20001019230501.B6533@cygnus.com>

On Sun, Oct 15, 2000 at 05:28:04PM +0200, Markus Friedl wrote:
>On Sun, Oct 08, 2000 at 11:29:45AM -0400, Chris Faylor wrote:
>> >why should a client program read /etc/hosts.allow?
>>
>> Probably it shouldn't. I didn't know of any way to avoid this, however.
>
>the problem is that if you want to use -L in your client, you
>cannot, because of /etc/hosts.allow which is under control of
>the sysadmin.

AFAICT, this would only be a problem if the sysadmin specifically set up a rule to disallow the use of the port. I just tried this with a port that I hadn't put under hosts.allow control and there was no problem.

I don't see any harm in letting a sysadmin specify port policy like this.

cgf

From: pekkas at netcore.fi (Pekka Savola)
Date: Fri, 20 Oct 2000 09:07:12 +0300 (EEST)
Subject: [Fwd: OpenSSH - scp - transfer rate patch] (fwd)
In-Reply-To:
Message-ID:

On Fri, 20 Oct 2000, Damien Miller wrote:

Speaking of scp and ETA, it'd appear to be calculating ETA a bit off. This can be seen when scp'ing over a slower link. After the counter hits 100%, scp still transfers for like 4-5 seconds. Anyone else note this?

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"

From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Fri, 20 Oct 2000 03:45:51 -0400
Subject: [Fwd: OpenSSH - scp - transfer rate patch] (fwd)
In-Reply-To: ; from pekkas@netcore.fi on Fri, Oct 20, 2000 at 09:07:12AM +0300
References:
Message-ID: <20001020034551.A25800@quipu.half.pint-stowp.cx>

Circa 2000-Oct-20 09:07:12 +0300 dixit Pekka Savola:

: Speaking of scp and ETA, it'd appear to be calculating ETA a bit
: off. This can be seen when scp'ing over a slower link. After the counter
: hits 100%, scp still transfers for like 4-5 seconds. Anyone else note
: this?

Me Too(tm). I suspect this may be due to operating system buffering and hence beyond the control of OpenSSH.

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From: stevesk at sweden.hp.com (Kevin Steves)
Date: Fri, 20 Oct 2000 14:59:53 +0200 (MEST)
Subject: hp-ux 64 bit [was] 2.2.0p1 configure problems
In-Reply-To:
Message-ID:

On Thu, 19 Oct 2000, V. T. Mueller wrote:
: Thanks for the pointer to config.log... now I made it compile and have a
: running ssh client (please see appended mail). Any ideas how to fix sshd?
:
: sshd exits and logs the following to syslog:
:
: sshd[201]:
: Accepted password for ROOT from 0.0.0.0 port 0
: vmunix:
: System call 76 (vhangup) was called in a kernel where the
: type of at least one of its arguments is currently
: unspecified. This is a problem that must be fixed by
: the owner of the system call before the kernel can be
: released. The process was pid 220 (sshd).
: sshd[201]:
: Disconnecting: Command terminated on signal 12.

I'm not sure what the problem is but I'll look into it. Note that there is not currently a 64-bit libpam, which is one reason to stick with 32-bit right now.

From: chip at princetonecom.com (Chip Christian)
Date: Fri, 20 Oct 2000 09:06:40 -0400
Subject: Snapshot
In-Reply-To: Message from Damien Miller of "Fri, 20 Oct 2000 09:14:59 +1100."
Message-ID: <20001020130640.BF1C2B47B@fleck.princetonecom.com>

You have. Thanks. I replied to the message about the recent snapshot, but I guess I didn't clearly state that this now works...

> On Mon, 2 Oct 2000, Chip Christian wrote:
> > PAM issues:
> > I run this package on a sparc-sun-solaris[67], with Novell NDS Corporate
> > Edition for authentication. Set my password to expire this am, login
> > appears to hang after accepting my password, before printing anything.
> > trussing the sshd reveals the following over and over:
> >
> > write(2, " D o y o u w a n t ".., 54) = 54
> > read(0, 0x00110E54, 8192) = 0
> >
> > It does consume one of my grace logins.
>
> Can you try again with the latest snapshot? I think I have squashed this
> :)
>
> -d
>
> --
> | ``We've all heard that a million monkeys banging on | Damien Miller -
> | a million typewriters will eventually reproduce the |
> | works of Shakespeare. Now, thanks to the Internet,  /
> | we know this is not true.'' - Robert Wilensky UCB   / http://www.mindrot.org
>
>

From: vtmue at uni-freiburg.de (V. T. Mueller)
Date: Fri, 20 Oct 2000 16:07:52 +0200 (MET DST)
Subject: hp-ux 64 bit [was] 2.2.0p1 configure problems
In-Reply-To:
Message-ID:

Howdy Kevin,

Well, I chose to define to not use pam, so that should not be the problem. If anyone, preferably you ;), would be willing to take a look into it I could also send a log of my compile run. While thinking about it, I remember ugly warnings that could explain the zero IP/port below.

For I don't speak C I am sorry I can't solve the problem on my own. Although I'm willing to support you with any needed information - just ask :)

Kind regards,
Volker

On Fri, 20 Oct 2000, Kevin Steves wrote:

> On Thu, 19 Oct 2000, V. T. Mueller wrote:
> : Thanks for the pointer to config.log... now I made it compile and have a
> : running ssh client (please see appended mail). Any ideas how to fix sshd?
> :
> : sshd exits and logs the following to syslog:
> :
> : sshd[201]:
> : Accepted password for ROOT from 0.0.0.0 port 0
> : vmunix:
> : System call 76 (vhangup) was called in a kernel where the
> : type of at least one of its arguments is currently
> : unspecified. This is a problem that must be fixed by
> : the owner of the system call before the kernel can be
> : released. The process was pid 220 (sshd).
> : sshd[201]:
> : Disconnecting: Command terminated on signal 12.
>
> I'm not sure what the problem is but I'll look into it. Note that there
> is not currently a 64-bit libpam, which is one reason to stick with
> 32-bit right now.
>

-- 
V. T. Mueller
UCC Freiburg, Germany
vtmue (at) uni-freiburg.de

"It is salutary to train oneself to be no more affected by censure than by praise." W. Somerset Maugham

From: pekkas at netcore.fi (Pekka Savola)
Date: Fri, 20 Oct 2000 19:03:12 +0300 (EEST)
Subject: [Fwd: OpenSSH - scp - transfer rate patch] (fwd)
In-Reply-To: <20001020034551.A25800@quipu.half.pint-stowp.cx>
Message-ID:

On Fri, 20 Oct 2000, Jim Knoble wrote:

> Circa 2000-Oct-20 09:07:12 +0300 dixit Pekka Savola:
>
> : Speaking of scp and ETA, it'd appear to be calculating ETA a bit
> : off. This can be seen when scp'ing over a slower link. After the counter
> : hits 100%, scp still transfers for like 4-5 seconds. Anyone else note
> : this?
>
> Me Too(tm). I suspect this may be due to operating system buffering
> and hence beyond the control of OpenSSH.

Well. When I was talking about slow, I mean slow compared to 100Mbit/s FE :-). Here, a 256kbit/s link is used. A transfer of a 750 KB file. Scp counters _begin_ at 29%, keep in 100% for like 3-4 seconds. During that time, the last 135 _kilobytes_ are transferred. Large buffers, if that's it. I wager the counter is about that 29% off in this case.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"

From: misiek at pld.org.pl (Arkadiusz Miskiewicz)
Date: Sat, 21 Oct 2000 08:14:47 +0200
Subject: scp and restarting transfer
Message-ID: <20001021081447.A20371@pld.org.pl>

Hi,

I have one question. Is someone working on restarting transfers ability in scp ? This will be nice feature especially when you want to download huge file and you will lose connection (at 90%, 600MB file as I had) :-(

-- 
Arkadiusz Miśkiewicz http://www.misiek.eu.org/ipv6/
PLD GNU/Linux [IPv6 enabled] http://www.pld.org.pl/

From: bbiswas at email.unc.edu (Brian Biswas)
Date: Fri, 20 Oct 2000 16:15:17 -0400
Subject: openssh problem on SGI 6.5 platform
Message-ID: <10288995.3181047317@obie.oit.unc.edu>

We are in the process of converting over to openssh at UNC. I've built openssh 2.20p1 for all supported platforms at UNC:

AIX 4.3
AIX 4.2
Linux 2.2
Solaris 2.7
Solaris 2.6
SGI 6.5

We've been running for about a month now and have only one reported problem--which came up today:

When running ssh on a machine running SGI 6.5 you get the following error:

%ssh overlord
rsa_public_encrypt() exponent too small or not odd

I see that this error message is coming from procedure rsa_public_encrypt() in file rsa.c, but I can't figure out what is wrong. Any idea what might be causing this problem? The problem occurs if you are running an old sshd or an openssh sshd. I can run ssh 1.2.26 fine on this platform.

Here is the output of openssh's ssh -v:

====================================
SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh_config
debug: Seeded RNG with 31 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: ssh_connect: getuid 52057 geteuid 58732 anon 1
debug: Connecting to overlord [152.2.1.127] port 22.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version 1.2.26
debug: Local version string SSH-1.5-OpenSSH_2.2.0p1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'overlord' is known and matches the RSA host key.
debug: Seeded RNG with 31 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
rsa_public_encrypt() exponent too small or not odd
debug: Calling cleanup 0x1003cb88(0x0)
debug: Calling cleanup 0x1003bd78(0x0)
debug: writing PRNG seed to file /afs/isis.unc.edu/home/b/b/bbiswas/.ssh/prng_seed
============================================

We can't completely convert to openssh at UNC until this problem is solved (obviously!). Thanks for any help you can give.

--Brian Biswas
Academic technology & Networks

From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 21 Oct 2000 11:16:46 +0200
Subject: scp and restarting transfer
In-Reply-To: <20001021081447.A20371@pld.org.pl>; from misiek@pld.org.pl on Sat, Oct 21, 2000 at 08:14:47AM +0200
References: <20001021081447.A20371@pld.org.pl>
Message-ID: <20001021111646.A10805@folly>

i'd recommend rsync over ssh for these problems.

On Sat, Oct 21, 2000 at 08:14:47AM +0200, Arkadiusz Miskiewicz wrote:
>
> Hi,
>
> I have one question. Is someone working on restarting transfers ability in scp ?
> This will be nice feature especially when you want to download huge file and
> you will lose connection (at 90%, 600MB file as I had) :-(
>
> --
> Arkadiusz Miśkiewicz http://www.misiek.eu.org/ipv6/
> PLD GNU/Linux [IPv6 enabled] http://www.pld.org.pl/
>

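The error Brian reports above, as an added example that is not OpenSSH's rsa.c: a parser for the protocol 1 mp-int the client receives ("Waiting for server public key" in his trace; 16-bit bit count, then the magnitude bytes, big-endian) feeding the sanity check the message names. The condition itself (a public exponent of fewer than 2 bits, or an even one, is refused) is reconstructed from the error text and should be read as an assumption; the sample exponents are constructed, not captured from overlord.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes of the exponent check. */
enum { EXP_OK = 0, EXP_TRUNCATED = -1, EXP_TOO_SMALL = -2, EXP_EVEN = -3 };

/* Number of significant bits in a big-endian magnitude (0 if all zero). */
static size_t be_num_bits(const uint8_t *mag, size_t len)
{
    size_t i = 0;
    while (i < len && mag[i] == 0)
        i++;
    if (i == len)
        return 0;
    size_t bits = (len - i - 1) * 8;
    for (uint8_t b = mag[i]; b != 0; b >>= 1)
        bits++;
    return bits;
}

/* Parse one protocol-1 mp-int at buf: 2-byte bit count, then
 * ceil(bits/8) magnitude bytes. On success *mag/*maglen point into buf
 * and the bytes consumed are returned; 0 means the buffer ended before
 * the announced length. */
size_t ssh1_mpint_parse(const uint8_t *buf, size_t buflen,
                        const uint8_t **mag, size_t *maglen)
{
    if (buflen < 2)
        return 0;
    size_t bits = ((size_t)buf[0] << 8) | buf[1];
    size_t bytes = (bits + 7) / 8;
    if (buflen - 2 < bytes)
        return 0;
    *mag = buf + 2;
    *maglen = bytes;
    return 2 + bytes;
}

/* The sanity check behind "exponent too small or not odd" (reconstructed
 * from the message text, an assumption): refuse e < 2 and refuse even e. */
int rsa_exponent_check(const uint8_t *mag, size_t len)
{
    if (be_num_bits(mag, len) < 2)
        return EXP_TOO_SMALL;      /* e is 0 or 1 */
    if ((mag[len - 1] & 1) == 0)
        return EXP_EVEN;           /* low bit clear */
    return EXP_OK;
}

/* Parse the exponent from its wire form and check it in one step. */
int ssh1_check_exponent_wire(const uint8_t *buf, size_t buflen)
{
    const uint8_t *mag;
    size_t maglen;
    if (ssh1_mpint_parse(buf, buflen, &mag, &maglen) == 0)
        return EXP_TRUNCATED;
    return rsa_exponent_check(mag, maglen);
}

/* Constructed wire-form exponents (not captured from a real server). */
const uint8_t E_65537[] = { 0x00, 0x11, 0x01, 0x00, 0x01 }; /* 17 bits */
const uint8_t E_3[]     = { 0x00, 0x02, 0x03 };             /* 2 bits  */
const uint8_t E_2[]     = { 0x00, 0x02, 0x02 };             /* even    */
const uint8_t E_1[]     = { 0x00, 0x01, 0x01 };             /* 1 bit   */
const uint8_t E_0[]     = { 0x00, 0x00 };                   /* 0 bits  */
const uint8_t E_SHORT[] = { 0x00, 0x11, 0x01, 0x00 };       /* cut off */

int main(void)
{
    printf("65537: %d, 3: %d, 2: %d, 1: %d, 0: %d, short: %d\n",
           ssh1_check_exponent_wire(E_65537, sizeof E_65537),
           ssh1_check_exponent_wire(E_3, sizeof E_3),
           ssh1_check_exponent_wire(E_2, sizeof E_2),
           ssh1_check_exponent_wire(E_1, sizeof E_1),
           ssh1_check_exponent_wire(E_0, sizeof E_0),
           ssh1_check_exponent_wire(E_SHORT, sizeof E_SHORT));
    return 0;
}
```

Any odd exponent of two or more bits passes, so the message means the value that reached the check was 0, 1 or even.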
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Sat, 21 Oct 2000 20:01:30 +0200 (MEST)
Subject: hp-ux 64 bit [was] 2.2.0p1 configure problems
In-Reply-To:
Message-ID:

On Fri, 20 Oct 2000, V. T. Mueller wrote:
: Well, I chose to define to not use pam, so that should not be the
: problem. If anyone, preferably you ;), would be willing to take a look
: into it I could also send a log of my compile run. While thinking about
: it, I remember ugly warnings that could explain the zero IP/port below.
:
: For I don't speak C I am sorry I can't solve the problem on my own.
: Although I'm willing to support you with any needed information - just ask
: :)

I've duplicated it here, so I think I have what I need. I think there are two different issues here: one for the vhangup syscall and another for some prototypes that have int * but get passed a pointer to a socklen_t which is a long for LP64. I'm not sure where the fix is for either problem right now.

From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 22 Oct 2000 17:21:40 +0200
Subject: scp and restarting transfer
In-Reply-To: <20001022121518.A18832@pld.org.pl>; from misiek@pld.org.pl on Sun, Oct 22, 2000 at 12:15:18PM +0200
References: <20001021081447.A20371@pld.org.pl> <20001022121518.A18832@pld.org.pl>
Message-ID: <20001022172140.A12711@folly>

> > ... why bother? -- use rsync with ssh, and it will already do
> > so for you.
> nice idea :-)
>
> but such feature will be still useful on host where is no rsync...

use split if you really want this. even if all rsync features are useful, they won't make it into scp.

From: czar at acm.org (Gene C.)
Date: Sun, 22 Oct 2000 18:41:10 -0400
Subject: ssh-keygen -l does not work for dsa keys
Message-ID: <00102218411001.01122@chaos.home>

I am running 2.2.0p1-2 under RedHat Linux 7.

While ssh-keygen -l -f .ssh/identity.pub works fine by printing the fingerprint and id, it does not work for dsa keys. Running ssh-keygen -d -l -f .ssh/id_dsa.pub produces the message ".ssh/id_dsa.pub is not a valid key file".

Gene Czarcinski

From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl)
Date: Mon, 23 Oct 2000 13:15:39 +0200
Subject: HP-UX and trusted system
Message-ID:

Hi,

is it possible to have only _one_ openssh binary distribution (it means compiled by myself) which recognizes itself whether there is a trusted system or not? With the commercial stuff I have to build two variants depending on the security mode - but this is quite not friendly for admins.

Regards
Stephan

-- 
LDS Brandenburg
Dr. Stephan Hendl
fon: +49-(0)331-39 471
fax: +49-(0)331-27548 1187
EMail: stephan.hendl at lds.brandenburg.de

From: simmonsjw-openssh at sws6.cind.ornl.gov (Jim Simmons)
Date: Mon, 23 Oct 2000 09:51:22 -0400
Subject: HP-UX and trusted system
In-Reply-To: ; from Stephan.Hendl@lds.brandenburg.de on Mon, Oct 23, 2000 at 01:15:39PM +0200
References:
Message-ID: <20001023095122.A27205@sws6.cind.ornl.gov>

Unless I'm mistaken, the only thing having HAVE_HPUX_TRUSTED_SYSTEM_PW defined during the compile does is to call bigcrypt instead of crypt in auth-passwd.c. If you're not using passwords longer than 8 characters, I'd expect a binary built on a non-trusted system would work on a trusted one (and it has in my limited testing).

A better solution for HPUX would probably be to have the routine call iscomsec to see if trusted is on or off and then call the appropriate crypt routine.

Note that I take the defaults and let it build using PAM on my systems -- if you don't there might possibly be other problems to be taken care of.

Jim

On Mon, Oct 23, 2000 at 01:15:39PM +0200, Stephan Hendl wrote:
> Hi,
>
> is it possible to have only _one_ openssh binary distribution (it means compiled by myself) which recognizes itself whether there is a trusted system or not? With the commercial stuff I have to build two variants depending on the security mode - but this is quite not friendly for admins.
>
> Regards
> Stephan

From: stevesk at sweden.hp.com (Kevin Steves)
Date: Mon, 23 Oct 2000 17:21:52 +0200 (MEST)
Subject: HP-UX and trusted system
In-Reply-To: <20001023095122.A27205@sws6.cind.ornl.gov>
Message-ID:

On Mon, 23 Oct 2000, Jim Simmons wrote:
: Unless I'm mistaken, the only thing having HAVE_HPUX_TRUSTED_SYSTEM_PW
: defined during the compile does is to call bigcrypt instead of crypt in
: auth-passwd.c. If you're not using passwords longer than 8 characters, I'd
: expect a binary built on a non-trusted system would work on a trusted one
: (and it has in my limited testing).
:
: A better solution for HPUX would probably be to have the routine call
: iscomsec to see if trusted is on or off and then call the appropriate crypt
: routine.

Yes, that change was added a while back, though after 2.2.0p1's release. This works on 10.20 and 11.0. You can grab the latest snapshot if you need it now.

: Note that I take the defaults and let it build using PAM on my systems -- if
: you don't there might possibly be other problems to be taken care of.

If you're using 11.0 I recommend PAM, which is presently the most fully functional login mechanism for HP-UX. A future libpam patch will support changing expired passwords. I'm working on a password access interface with the goal of cleaning things up for all the different platforms.

From: birger at takatukaland.de (Birger Toedtmann) Date: Tue, 24 Oct 2000 10:48:30 +0200 Subject: feature request & patch submit: chroot(2) in sshd Message-ID: <20001024104830.A4476@spock.takatukaland.de> Hello, whereas most people take passwd/shadow/ldap/ as the place where decision on a chrooted environment / sandbox for certain users is met (just set the given usershell appropriateley), I needed a somewhat different approach. Below is a tiny patch to 2.2.0p1 which enhances the sshd-config by two options and, when set, places all users / users of a certain group immediately in their sandbox. Makes configuration and logging/tracking much more fun than the usershell thing mentioned above, me thinks. TODO: - parse gid in config as well, not only gidnumber - negation of chrootgroup in config desireable, e.g. place alle users !0 in a chroot envir. - more than one chrootgroup in config desireable - combinations of all above should be possible TODO-MAKE: - as accustomed only to linux,freebsd,sunos/solaris and hpux, I do not quite know wether chroot(2) is working on all unices. Maybe #ifdefs and ./configure-guessings have to be included. Regards, -- Birger T?dtmann Network/Security Engineer Marcant Internet Services GmbH, Bielefeld, Germany. 00 83 E2 57 EC 60 0B 1C D3 18 AE 2A 40 55 81 22 -------------- next part -------------- Only in openssh-2.2.0p1chroot: auth1.c.orig Common subdirectories: openssh-2.2.0p1/contrib and openssh-2.2.0p1chroot/contrib Only in openssh-2.2.0p1chroot: enssh-2.2.0p1chroot2.patch diff --ignore-space-change -u openssh-2.2.0p1/servconf.c openssh-2.2.0p1chroot/servconf.c --- openssh-2.2.0p1/servconf.c Fri Aug 18 05:59:06 2000 +++ openssh-2.2.0p1chroot/servconf.c Sun Oct 22 18:59:49 2000 @@ -68,6 +68,8 @@ #endif options->permit_empty_passwd = -1; options->use_login = -1; + options->use_chroot = -1; + options->chroot_group = -1; options->num_allow_users = 0; options->num_deny_users = 0; options->num_allow_groups = 0; 
@@ -158,6 +160,10 @@ options->permit_empty_passwd = 0; if (options->use_login == -1) options->use_login = 0; + if (options->use_chroot == -1) + options->use_chroot = 0; + if (options->chroot_group == -1) + options->chroot_group = 0; if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_1|SSH_PROTO_2; if (options->gateway_ports == -1) @@ -189,6 +195,7 @@ sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, + sUseChroot, sChrootGroup, sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile, sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups } ServerOpCodes; @@ -236,6 +243,8 @@ { "strictmodes", sStrictModes }, { "permitemptypasswords", sEmptyPasswd }, { "uselogin", sUseLogin }, + { "usechroot", sUseChroot }, + { "chrootgroup", sChrootGroup }, { "randomseed", sRandomSeedFile }, { "keepalive", sKeepAlives }, { "allowusers", sAllowUsers }, @@ -540,6 +549,14 @@ case sUseLogin: intptr = &options->use_login; goto parse_flag; + + case sUseChroot: + intptr = &options->use_chroot; + goto parse_flag; + + case sChrootGroup: + intptr = &options->chroot_group; + goto parse_int; case sGatewayPorts: intptr = &options->gateway_ports; diff --ignore-space-change -u openssh-2.2.0p1/servconf.h openssh-2.2.0p1chroot/servconf.h --- openssh-2.2.0p1/servconf.h Fri Aug 18 05:59:06 2000 +++ openssh-2.2.0p1chroot/servconf.h Sun Oct 22 18:59:49 2000 
@@ -87,6 +87,9 @@ int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int use_login; /* If true, login(1) is used */ + int use_chroot; /* If true, do a chroot to homedir */ + int chroot_group; /* If nonzero, chroot only when equal + to gid */ unsigned int num_allow_users; char *allow_users[MAX_ALLOW_USERS]; unsigned int num_deny_users; diff --ignore-space-change -u openssh-2.2.0p1/session.c openssh-2.2.0p1chroot/session.c --- openssh-2.2.0p1/session.c Wed Aug 30 00:21:22 2000 +++ openssh-2.2.0p1chroot/session.c Sun Oct 22 20:20:57 2000 @@ -947,6 +947,20 @@ } } #endif /* USE_PAM */ + + /* Do a chroot, if configured. */ + if (options.use_chroot) { + if ((!options.chroot_group) + || (options.chroot_group == pw->pw_gid)) { + debug("Doing chroot to %s.",pw->pw_dir); + if (chroot(pw->pw_dir)) { + log("Requested chroot failed: [%d] %s\n", + errno,strerror(errno)); + exit(1); + } + pw->pw_dir = "/"; + } + } /* Set login name, uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h" Only in openssh-2.2.0p1chroot: session.c~ diff --ignore-space-change -u openssh-2.2.0p1/sshd.8 openssh-2.2.0p1chroot/sshd.8 --- openssh-2.2.0p1/sshd.8 Tue Aug 29 02:33:51 2000 +++ openssh-2.2.0p1chroot/sshd.8 Sun Oct 22 18:59:49 2000 @@ -290,6 +290,15 @@ Only user names are valid; a numerical user ID isn't recognized. By default login is allowed regardless of the user name. .Pp +.It Cm ChrootGroup +Only useful when +.Cm UseChroot +is set to +.Dq yes . +Specifies which group of users +.Nm sshd +should drop into a chrooted homedir (a.k.a. sandbox) upon login. +Only numerical gid's are allowed. .It Cm Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. 
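Review bot: the session.c hunk calls chroot(pw->pw_dir) while sshd still has uid 0, without first checking that the target directory is owned by root and not writable by the user or anyone else; a chroot into a directory the user owns and can modify is not a sandbox, so the hunk should stat() pw->pw_dir and refuse (log and exit(1), as it already does when chroot fails) unless root owns it and the group/other write bits are clear. A second point in the same hunk: chroot_group is compared only against pw->pw_gid, so users who belong to the group only through supplementary group membership are never matched, and the ChrootGroup text added to sshd.8 ("which group of users") should say that only the primary gid counts.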
@@ -597,6 +606,12 @@ The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. +.It Cm UseChroot +Do a chroot(2) into the users homedirectory after successful login. +If option +.Cm ChrootGroup +is not set, this applies for all users. The default is +.Dq no . .It Cm UseLogin Specifies whether .Xr login 1 From cmadams at hiwaay.net Tue Oct 24 03:33:32 2000 From: cmadams at hiwaay.net (Chris Adams) Date: Mon, 23 Oct 2000 11:33:32 -0500 Subject: Patch for Digital Unix SIA authentication In-Reply-To: <20001015163004.B10425@HiWAAY.net>; from cmadams@hiwaay.net on Sun, Oct 15, 2000 at 04:30:04PM -0500 References: <20000626143119.A25977@HiWAAY.net> <20001015163004.B10425@HiWAAY.net> Message-ID: <20001023113332.H1249@HiWAAY.net> Once upon a time, Chris Adams said: > A while back, I sent in a patch that added Digital Unix SIA > authentication to OpenSSH. Well, I just figured out that it didn't > handle everything correctly (locked accounts could still log in). I > thought I had checked that, but I guess I missed it. > > Anyway, here is a patch against OpenSSH 2.2.0p1 that fixes this. Well, that patch still didn't fix everything. With the help of John P Speno, I've got a new patch that _really_ fixes things. Since I don't know if my previous patch has been applied to any tree, I'm including two patches here: openssh-2.2.0p1-osfsia-sec.patch: applies against 2.2.0p1 + my previous patch openssh-2.2.0p1-osfsia-full.patch: applies against clean 2.2.0p1 Sorry for the confusion; this should be "the one". -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. -------------- next part -------------- diff -urN openssh-2.2.0p1-dist/auth-sia.c openssh-2.2.0p1/auth-sia.c --- openssh-2.2.0p1-dist/auth-sia.c Mon Oct 16 16:00:45 2000 +++ openssh-2.2.0p1/auth-sia.c Mon Oct 16 15:50:09 2000 
@@ -5,29 +5,91 @@ #include #include +#include +#include +#include +#include +#include +#include extern int saved_argc; extern char **saved_argv; +extern int errno; + int auth_sia_password (user, pass) char *user; char *pass; { - SIAENTITY *ent = NULL; int ret; + SIAENTITY *ent = NULL; + char *host = get_canonical_hostname(); - if (sia_ses_init (&ent, saved_argc, saved_argv, - get_canonical_hostname(), user, NULL, 0, NULL) != SIASUCCESS) + if (sia_ses_init (&ent, saved_argc, saved_argv, host, user, NULL, 0, + NULL) != SIASUCCESS) return 0; + if ((ret = sia_ses_authent (NULL, pass, ent)) != SIASUCCESS) { + error ("couldn't authenticate %s from %s", user, host); if (ret & SIASTOP) sia_ses_release (&ent); return 0; } - if (sia_ses_estab (NULL, ent) != SIASUCCESS) + + sia_ses_release (&ent); + + return 1; +} + +int +session_setup_sia (user, tty) + char *user; + char *tty; +{ + int ret; + struct passwd *pw; + SIAENTITY *ent = NULL; + char *host = get_canonical_hostname(); + + if (sia_ses_init (&ent, saved_argc, saved_argv, host, user, tty, 0, + NULL) != SIASUCCESS) + return 0; + + if ((pw = getpwnam (user)) == NULL) { + error ("getpwnam(%s) failed", user); + sia_ses_release (&ent); + return 0; + } + if (sia_make_entity_pwd (pw, ent) != SIASUCCESS) { + sia_ses_release (&ent); + return 0; + } + + ent->authtype = SIA_A_NONE; + if (sia_ses_estab (sia_collect_trm, ent) != SIASUCCESS) { + error ("couldn't establish session for %s from %s", user, + host); + return 0; + } + + if (setpriority (PRIO_PROCESS, 0, 0) == -1) { + error ("setpriority failed: %s", strerror (errno)); + sia_ses_release (&ent); + return 0; + } + + if (sia_ses_launch (sia_collect_trm, ent) != SIASUCCESS) { + error ("couldn't launch session for %s from %s", user, host); return 0; + } sia_ses_release (&ent); + + if (setreuid(geteuid(), geteuid()) < 0) { + error ("setreuid failed: %s", strerror (errno)); + return 0; + } + return 1; } diff -urN openssh-2.2.0p1-dist/auth1.c openssh-2.2.0p1/auth1.c --- 
openssh-2.2.0p1-dist/auth1.c Mon Oct 16 16:00:45 2000 +++ openssh-2.2.0p1/auth1.c Mon Oct 16 14:32:28 2000 @@ -495,7 +495,7 @@ #ifdef USE_PAM auth_pam_password(pw, "")) { #elif defined(HAVE_OSF_SIA) - auth_sia_password(pw->pw_name, "")) { + 0) { #else /* !HAVE_OSF_SIA && !USE_PAM */ auth_password(pw, "")) { #endif /* USE_PAM */ diff -urN openssh-2.2.0p1-dist/auth2.c openssh-2.2.0p1/auth2.c --- openssh-2.2.0p1-dist/auth2.c Mon Oct 16 16:00:45 2000 +++ openssh-2.2.0p1/auth2.c Mon Oct 16 15:11:34 2000 @@ -249,7 +249,7 @@ #ifdef USE_PAM return auth_pam_password(pw, ""); #elif defined(HAVE_OSF_SIA) - return auth_sia_password(pw->pw_name, ""); + return 0; #else /* !HAVE_OSF_SIA && !USE_PAM */ return auth_password(pw, ""); #endif /* USE_PAM */ diff -urN openssh-2.2.0p1-dist/session.c openssh-2.2.0p1/session.c --- openssh-2.2.0p1-dist/session.c Tue Aug 29 17:21:22 2000 +++ openssh-2.2.0p1/session.c Mon Oct 16 15:19:47 2000 @@ -36,11 +36,6 @@ #include #endif -#ifdef HAVE_OSF_SIA -# include -# include -#endif - /* AIX limits */ #if defined(HAVE_GETUSERATTR) && !defined(S_UFSIZE_HARD) && defined(S_UFSIZE) # define S_UFSIZE_HARD S_UFSIZE "_hard" @@ -953,20 +948,8 @@ switch, so we let login(1) to this for us. */ if (!options.use_login) { #ifdef HAVE_OSF_SIA - extern char **saved_argv; - extern int saved_argc; - char *host = get_canonical_hostname (); - - if (sia_become_user(NULL, saved_argc, saved_argv, host, - pw->pw_name, ttyname, 0, NULL, NULL, SIA_BEU_SETLUID) != - SIASUCCESS) { - perror("sia_become_user"); + if (session_setup_sia(pw->pw_name, ttyname) != 1) exit(1); - } - if (setreuid(geteuid(), geteuid()) < 0) { - perror("setreuid"); - exit(1); - } #else /* HAVE_OSF_SIA */ if (getuid() == 0 || geteuid() == 0) { # ifdef HAVE_GETUSERATTR diff -urN openssh-2.2.0p1-dist/ssh.h openssh-2.2.0p1/ssh.h --- openssh-2.2.0p1-dist/ssh.h Mon Oct 16 16:00:45 2000 +++ openssh-2.2.0p1/ssh.h Mon Oct 16 15:03:02 2000 
@@ -563,6 +563,7 @@ #ifdef HAVE_OSF_SIA int auth_sia_password(char *user, char *pass); +int session_setup_sia(char *user, char *tty); #endif #endif /* SSH_H */ -------------- next part -------------- diff -urN openssh-2.2.0p1-dist/Makefile.in openssh-2.2.0p1/Makefile.in --- openssh-2.2.0p1-dist/Makefile.in Tue Aug 22 19:46:23 2000 +++ openssh-2.2.0p1/Makefile.in Sat Oct 14 19:34:08 2000 @@ -40,7 +40,7 @@ SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o -SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o +SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8 CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh.0 sshd.0 diff -urN openssh-2.2.0p1-dist/auth-sia.c openssh-2.2.0p1/auth-sia.c --- openssh-2.2.0p1-dist/auth-sia.c Wed Dec 31 18:00:00 1969 +++ openssh-2.2.0p1/auth-sia.c Mon Oct 16 15:50:09 2000 
@@ -0,0 +1,96 @@ +#include "includes.h" + +#ifdef HAVE_OSF_SIA +#include "ssh.h" + +#include +#include +#include +#include +#include +#include +#include +#include + +extern int saved_argc; +extern char **saved_argv; + +extern int errno; + +int +auth_sia_password (user, pass) + char *user; + char *pass; +{ + int ret; + SIAENTITY *ent = NULL; + char *host = get_canonical_hostname(); + + if (sia_ses_init (&ent, saved_argc, saved_argv, host, user, NULL, 0, + NULL) != SIASUCCESS) + return 0; + + if ((ret = sia_ses_authent (NULL, pass, ent)) != SIASUCCESS) { + error ("couldn't authenticate %s from %s", user, host); + if (ret & SIASTOP) + sia_ses_release (&ent); + return 0; + } + + sia_ses_release (&ent); + + return 1; +} + +int +session_setup_sia (user, tty) + char *user; + char *tty; +{ + int ret; + struct passwd *pw; + SIAENTITY *ent = NULL; + char *host = get_canonical_hostname(); + + if (sia_ses_init (&ent, saved_argc, saved_argv, host, user, tty, 0, + NULL) != SIASUCCESS) + return 0; + + if ((pw = getpwnam (user)) == NULL) { + error ("getpwnam(%s) failed", user); + sia_ses_release (&ent); + return 0; + } + if (sia_make_entity_pwd (pw, ent) != SIASUCCESS) { + sia_ses_release (&ent); + return 0; + } + + ent->authtype = SIA_A_NONE; + if (sia_ses_estab (sia_collect_trm, ent) != SIASUCCESS) { + error ("couldn't establish session for %s from %s", user, + host); + return 0; + } + + if (setpriority (PRIO_PROCESS, 0, 0) == -1) { + error ("setpriority failed: %s", strerror (errno)); + sia_ses_release (&ent); + return 0; + } + + if (sia_ses_launch (sia_collect_trm, ent) != SIASUCCESS) { + error ("couldn't launch session for %s from %s", user, host); + return 0; + } + sia_ses_release (&ent); + + if (setreuid(geteuid(), geteuid()) < 0) { + error ("setreuid failed: %s", strerror (errno)); + return 0; + } + + return 1; +} + +#endif /* HAVE_OSF_SIA */ diff -urN openssh-2.2.0p1-dist/auth1.c openssh-2.2.0p1/auth1.c --- openssh-2.2.0p1-dist/auth1.c Tue Aug 22 19:46:23 2000 +++ 
openssh-2.2.0p1/auth1.c Mon Oct 16 14:32:28 2000 @@ -18,18 +18,9 @@ #include "auth.h" #include "session.h" -#ifdef HAVE_OSF_SIA -# include -# include -#endif - /* import */ extern ServerOptions options; extern char *forced_command; -#ifdef HAVE_OSF_SIA -extern int saved_argc; -extern char **saved_argv; -#endif /* HAVE_OSF_SIA */ /* * convert ssh auth msg type into description @@ -310,11 +301,7 @@ authenticated = auth_pam_password(pw, password); #elif defined(HAVE_OSF_SIA) /* Do SIA auth with password */ - if (sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), pw->pw_name, NULL, 0, - NULL, password) == SIASUCCESS) { - authenticated = 1; - } + authenticated = auth_sia_password(pw->pw_name, password); #else /* !USE_PAM && !HAVE_OSF_SIA */ /* Try authentication with the password. */ authenticated = auth_password(pw, password); @@ -508,9 +495,7 @@ #ifdef USE_PAM auth_pam_password(pw, "")) { #elif defined(HAVE_OSF_SIA) - (sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, - "") == SIASUCCESS)) { + 0) { #else /* !HAVE_OSF_SIA && !USE_PAM */ auth_password(pw, "")) { #endif /* USE_PAM */ diff -urN openssh-2.2.0p1-dist/auth2.c openssh-2.2.0p1/auth2.c --- openssh-2.2.0p1-dist/auth2.c Tue Aug 22 19:46:24 2000 +++ openssh-2.2.0p1/auth2.c Mon Oct 16 15:11:34 2000 @@ -56,11 +56,6 @@ #include "uidswap.h" #include "auth-options.h" -#ifdef HAVE_OSF_SIA -# include -# include -#endif - /* import */ extern ServerOptions options; extern unsigned char *session_id2; 
@@ -249,19 +244,12 @@ int ssh2_auth_none(struct passwd *pw) { -#ifdef HAVE_OSF_SIA - extern int saved_argc; - extern char **saved_argv; -#endif - packet_done(); #ifdef USE_PAM return auth_pam_password(pw, ""); #elif defined(HAVE_OSF_SIA) - return(sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, - "") == SIASUCCESS); + return 0; #else /* !HAVE_OSF_SIA && !USE_PAM */ return auth_password(pw, ""); #endif /* USE_PAM */ @@ -273,10 +261,6 @@ int authenticated = 0; int change; unsigned int len; -#ifdef HAVE_OSF_SIA - extern int saved_argc; - extern char **saved_argv; -#endif change = packet_get_char(); if (change) log("password change not supported"); @@ -286,9 +270,7 @@ #ifdef USE_PAM auth_pam_password(pw, password) == 1) #elif defined(HAVE_OSF_SIA) - sia_validate_user(NULL, saved_argc, saved_argv, - get_canonical_hostname(), pw->pw_name, NULL, 0, - NULL, password) == SIASUCCESS) + auth_sia_password(pw->pw_name, password) == 1) #else /* !USE_PAM && !HAVE_OSF_SIA */ auth_password(pw, password) == 1) #endif /* USE_PAM */ diff -urN openssh-2.2.0p1-dist/session.c openssh-2.2.0p1/session.c --- openssh-2.2.0p1-dist/session.c Tue Aug 29 17:21:22 2000 +++ openssh-2.2.0p1/session.c Mon Oct 16 15:19:47 2000 @@ -36,11 +36,6 @@ #include #endif -#ifdef HAVE_OSF_SIA -# include -# include -#endif - /* AIX limits */ #if defined(HAVE_GETUSERATTR) && !defined(S_UFSIZE_HARD) && defined(S_UFSIZE) # define S_UFSIZE_HARD S_UFSIZE "_hard" 
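Review bot: session_setup_sia in the auth-sia.c hunk leaks the SIA entity on two error paths: when `sia_ses_estab (sia_collect_trm, ent) != SIASUCCESS` and when `sia_ses_launch (sia_collect_trm, ent) != SIASUCCESS` it returns 0 without `sia_ses_release (&ent);`, while the getpwnam, sia_make_entity_pwd and setpriority failures right beside them do release. Add the release before both returns. In the same function the sia_ses_init and sia_make_entity_pwd failures return 0 silently, and the caller in session.c only does exit(1), so a broken SIA setup would leave nothing in the log where the old code at least printed perror("sia_become_user"); give those paths an error() like the others. Likewise auth_sia_password releases the entity only when `ret & SIASTOP`, yet it returns 0 either way and never retries, so unless the SIA documentation requires keeping the entity after a non-SIASTOP failure it should release unconditionally. Minor: `int ret;` in session_setup_sia is unused, and `extern int errno;` should give way to the errno.h declaration, since errno may be a macro on builds with thread support.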
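Review bot: the auth1.c hunk at -508 and the auth2.c hunk at -249 replace the SIA empty-password probe with a bare `0)` / `return 0;`, so authentication method "none" always fails when HAVE_OSF_SIA is defined while the USE_PAM and plain branches next to it still try auth_*_password(pw, ""). Refusing empty-password logins is the safer choice, but as written it looks like an unfinished branch: add a comment at both sites saying that SIA is deliberately not consulted for an empty password, and mention the behaviour change in the commit message so OSF/1 administrators know why empty passwords stopped working.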
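Review bot: the session.c hunk at -953 removes sia_become_user together with its SIA_BEU_SETLUID flag, and nothing in the replacement session_setup_sia visibly sets the login UID; confirm that sia_ses_launch does this on Tru64 (or call setluid() explicitly) before merging, since audit attribution keys on the login UID. Stylistically, `session_setup_sia(pw->pw_name, ttyname) != 1` reads better as `!session_setup_sia(...)` given the function only ever returns 0 or 1, and the new function re-resolves the user with getpwnam() when the caller already holds `pw`; passing the struct passwd * through avoids a second NSS lookup between authentication and session setup.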
@@ -953,20 +948,8 @@ switch, so we let login(1) to this for us. */ if (!options.use_login) { #ifdef HAVE_OSF_SIA - extern char **saved_argv; - extern int saved_argc; - char *host = get_canonical_hostname (); - - if (sia_become_user(NULL, saved_argc, saved_argv, host, - pw->pw_name, ttyname, 0, NULL, NULL, SIA_BEU_SETLUID) != - SIASUCCESS) { - perror("sia_become_user"); + if (session_setup_sia(pw->pw_name, ttyname) != 1) exit(1); - } - if (setreuid(geteuid(), geteuid()) < 0) { - perror("setreuid"); - exit(1); - } #else /* HAVE_OSF_SIA */ if (getuid() == 0 || geteuid() == 0) { # ifdef HAVE_GETUSERATTR diff -urN openssh-2.2.0p1-dist/ssh.h openssh-2.2.0p1/ssh.h --- openssh-2.2.0p1-dist/ssh.h Tue Aug 22 19:46:25 2000 +++ openssh-2.2.0p1/ssh.h Mon Oct 16 15:03:02 2000 @@ -561,4 +561,9 @@ #include "auth-pam.h" #endif /* USE_PAM */ +#ifdef HAVE_OSF_SIA +int auth_sia_password(char *user, char *pass); +int session_setup_sia(char *user, char *tty); +#endif + #endif /* SSH_H */ From cjw at cwible.com Tue Oct 24 07:56:02 2000 
From: cjw at cwible.com (Cullin Wible)
Date: Mon, 23 Oct 2000 16:56:02 -0400
Subject: Compiler Problems Bug
Message-ID:

I was recently trying to compile the SSH client in my home directory (since I didn't have root access to the machine). I compiled and installed zlib and OpenSSL, but when I went to compile OpenSSH, it complained that it couldn't find zlib. I tried using the --prefix, --includedir, and --includelib directories, but nothing worked.

After messing with the configure script, it became apparent that for the purposes of the configuration tests, --includedir and --includelib were not being passed to gcc. The easiest fix is simply to alias gcc and put in the correct options - but I thought you might want to know anyway. This was using the latest source tarball as of a few days ago.

Thanks,
Cullin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20001023/4c5863dc/attachment.html

From Philippe.WILLEM at urssaf.fr Tue Oct 24 22:06:20 2000
From: Philippe.WILLEM at urssaf.fr (Philippe WILLEM)
Date: Tue, 24 Oct 2000 12:06:20 +0100
Subject: success on SCO5
Message-ID: <41256982.00429045.00@contact31.cirso.fr>

Hi all,

I'm not on the list but I thought it might interest some of you to know that openssh 2.2.0p1 compiles quite well under SCO5, although not right out of the box. I'm not using gcc on those platforms, so I had to change the call to gettimeofday() because the SCO cc wants only one of the two arguments (SCO doesn't care about the timezone). So I had to modify these files to get it to work: clientloop.c, entropy.c, loginrec.c, scp.c.

After that the SCO machine was able to ssh to a linux box (protocol v2, with the public key method only, but that's my config).

Regards,

Philippe.

PS: Sorry if the format of this message annoys you; it annoys me too, but here we are using Notes (R) and there is no way for me to bypass this.

From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Oct 24 22:15:48 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 24 Oct 2000 13:15:48 +0200
Subject: success on SCO5
In-Reply-To: <41256982.00429045.00@contact31.cirso.fr>; from Philippe.WILLEM@urssaf.fr on Tue, Oct 24, 2000 at 12:06:20PM +0100
References: <41256982.00429045.00@contact31.cirso.fr>
Message-ID: <20001024131548.A15494@serv01.aet.tu-cottbus.de>

On Tue, Oct 24, 2000 at 12:06:20PM +0100, Philippe WILLEM wrote:
> I'm not on the list but I thought it might interest some of you to know that
> openssh 2.2.0p1 compiles quite well under sco5. Although not right out of the
> box. I'm not using gcc on those platforms, so I had to change the call to
> gettimeofday() because the sco cc want only one of the two arguments (SCO
> doesn't care with timezone). So I had to modify those files to get it work:
> clientloop.c, entropy.c, loginrec.c, scp.c.
>
> After that the sco was able to ssh to a linux box (protocol v2, with public key
> method only but that's my config).
>
> Regards,
>
> Philippe.
>
> PS: Sorry if the format of this message annoy you, it does annoy me too, but
> here where are using Notes (R) and there is no way for me to bypass this.

I had a discussion on comp.security.ssh about "hanging around" sshd processes after scp. It turned out that -DUSE_PIPES=1 was necessary for SCO 5. Can you support this?

Best regards,
Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From papier at sdv.fr Wed Oct 25 02:53:57 2000
From: papier at sdv.fr (Laurent Papier)
Date: Tue, 24 Oct 2000 17:53:57 +0200
Subject: Skey with OpenSSH 2.2.0
Message-ID: <39F5B095.A8998750@sdv.fr>

Hi,

I need to set up OpenSSH on an AIX host with skey support. I have searched this mailing list archive and tried every incarnation of the skey lib, but couldn't get openssh to compile with skey support on a non-OpenBSD system without PAM support. Even on my Linux box, I can't get it to compile.

Could someone give me the URL of a ready-to-compile skey lib that will work for me? Or tell me how to compile the OpenBSD skey lib on a non-OpenBSD host?

Thanks for your help, and for OpenSSH.
-- 
Laurent Papier - Admin. systeme
Sdv Plurimedia -

From rob at hagopian.net Wed Oct 25 04:37:42 2000
From: rob at hagopian.net (Rob Hagopian)
Date: Tue, 24 Oct 2000 13:37:42 -0400 (EDT)
Subject: openssh-SNAP-20001016
Message-ID:

Using openssh-SNAP-20001016 all of our problems with hanging connections have gone away (woohoo!), and it seems to be working flawlessly, but I am seeing messages like this in syslog:

Oct 24 16:57:48 dhumb301 sshd[17752]: error: channel 0: internal error: we do not read, but chan_read_failed for istate 8
Oct 24 16:57:59 dhumb301 sshd[17771]: error: select: Bad file descriptor
Oct 24 16:58:30 dhumb301 sshd[17876]: error: channel 0: internal error: we do not read, but chan_read_failed for istate 8

This is FreeBSD 3.4... Any ideas?

Also, FYI, I had a problem connecting from the latest SNAP to 2.2.0p1 using DSA keys; on most machines (18 of 20) it wouldn't use key verification. Debug printed out:

debug: len 55 datafellows 0
debug: dsa_verify: signature incorrect

while the working machines would print:

debug: len 55 datafellows 0
debug: dsa_verify: signature correct

Upgrading both ends to the latest SNAP solved the problem with no key changes on either end.

-Rob

From pekkas at netcore.fi Wed Oct 25 08:06:32 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 25 Oct 2000 00:06:32 +0300 (EEST)
Subject: openssh-SNAP-20001016
In-Reply-To:
Message-ID:

On Tue, 24 Oct 2000, Rob Hagopian wrote:
> Using openssh-SNAP-20001016 all of our problems with hanging connections
> have gone away (woohoo!), and it seems to be working flawlessly, but I am
> seeing messages like this in syslog:
>
> Oct 24 16:57:48 dhumb301 sshd[17752]: error: channel 0: internal error: we
> do not read, but chan_read_failed for istate 8
> Oct 24 16:57:59 dhumb301 sshd[17771]: error: select: Bad file descriptor
> Oct 24 16:58:30 dhumb301 sshd[17876]: error: channel 0: internal error: we
> do not read, but chan_read_failed for istate 8
>
> This is FreeBSD 3.4... Any ideas?

I'm getting similar messages on my Red Hat Linux 6.2 w/ the same snapshot:

Oct 24 17:02:36 otso sshd[31975]: error: channel 0: internal error: we do not read, but chan_read_failed for istate 8

And also:

Oct 24 16:18:28 otso sshd[31644]: WARNING: /etc/ssh/primes does not exist, using old prime

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi     not those you stumble over and fall"

From markus.friedl at informatik.uni-erlangen.de Wed Oct 25 08:14:42 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 24 Oct 2000 23:14:42 +0200
Subject: openssh-SNAP-20001016
In-Reply-To: ; from rob@hagopian.net on Tue, Oct 24, 2000 at 01:37:42PM -0400
References:
Message-ID: <20001024231442.B19923@folly>

On Tue, Oct 24, 2000 at 01:37:42PM -0400, Rob Hagopian wrote:
> Using openssh-SNAP-20001016 all of our problems with hanging connections
> have gone away (woohoo!), and it seems to be working flawlessly, but I am
> seeing messages like this in syslog:
>
> Oct 24 16:57:48 dhumb301 sshd[17752]: error: channel 0: internal error: we
> do not read, but chan_read_failed for istate 8
> Oct 24 16:57:59 dhumb301 sshd[17771]: error: select: Bad file descriptor
> Oct 24 16:58:30 dhumb301 sshd[17876]: error: channel 0: internal error: we
> do not read, but chan_read_failed for istate 8
>
> This is FreeBSD 3.4... Any ideas?

I need a full trace for this. Please start 'sshd -d -p 1234' and connect with 'ssh -v -p 1234 host'.

From pekkas at netcore.fi Wed Oct 25 08:42:21 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 25 Oct 2000 00:42:21 +0300 (EEST)
Subject: openssh-SNAP-20001016
In-Reply-To: <20001024231442.B19923@folly>
Message-ID:

On Tue, 24 Oct 2000, Markus Friedl wrote:
> On Tue, Oct 24, 2000 at 01:37:42PM -0400, Rob Hagopian wrote:
> > Using openssh-SNAP-20001016 all of our problems with hanging connections
> > have gone away (woohoo!), and it seems to be working flawlessly, but I am
> > seeing messages like this in syslog:
> >
> > Oct 24 16:57:48 dhumb301 sshd[17752]: error: channel 0: internal error: we
> > do not read, but chan_read_failed for istate 8
> > Oct 24 16:57:59 dhumb301 sshd[17771]: error: select: Bad file descriptor
> > Oct 24 16:58:30 dhumb301 sshd[17876]: error: channel 0: internal error: we
> > do not read, but chan_read_failed for istate 8
> >
> > This is FreeBSD 3.4... Any ideas?
>
> i need a full trace for this. please start 'sshd -d -p 1234' and
> connect with 'ssh -v -p 1234 host'.

This (internal errors; I haven't seen Bad file descriptor errors) only seems to happen with scp2. Traces:

--- sshd [there's also syslogd logging some events to the same trace] ---
root: /home/pekkas$ sshd -d -p 2022
debug1: sshd version OpenSSH_2.3.0p1
debug1: Seeding random number generator
debug1: read DSA private key done
debug1: Seeding random number generator
debug1: Bind to port 2022 on 0.0.0.0.
Server listening on 0.0.0.0 port 2022.
Generating 768 bit RSA key.
debug1: Seeding random number generator
debug1: Seeding random number generator
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from x.y.z.w port 1336
debug1: Client protocol version 2.0; client software version OpenSSH-2.1
debug1: match: OpenSSH-2.1 pat ^OpenSSH-2\.[01]
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group1-sha1
debug1: got kexinit: ssh-dss
debug1: got kexinit: blowfish-cbc
debug1: got kexinit: blowfish-cbc
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug1: got kexinit: none
debug1: got kexinit: none
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug1: kex: client->server blowfish-cbc hmac-sha1 none
debug1: kex: server->client blowfish-cbc hmac-sha1 none
debug1: Wait SSH2_MSG_KEXDH_INIT.
debug1: bits set: 516/1024
debug1: bits set: 511/1024
debug1: sig size 20 20
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: Wait SSH2_MSG_NEWKEYS.
debug1: GOT SSH2_MSG_NEWKEYS.
debug1: done: KEX2.
debug1: userauth-request for user pekkas service ssh-connection method none
debug1: attempt #1
debug1: Starting up PAM with username "pekkas"
Failed none for pekkas from x.y.z.w port 1336 ssh2
debug1: userauth-request for user pekkas service ssh-connection method password
debug1: attempt #2
debug1: PAM Password authentication accepted for user "pekkas"
debug1: PAM setting rhost to "xx.yy.zz.ww"
Accepted password for pekkas from x.y.z.w port 1336 ssh2
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 32768
debug1: open session
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: confirm session
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request exec reply 0
debug1: PAM establishing creds
debug1: fd 7 setting O_NONBLOCK
debug1: fd 9 setting O_NONBLOCK
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: output drain -> closed
debug1: channel 0: close_write
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 2145
debug1: session_exit_message: session 0 channel 0 pid 2145
debug1: session_exit_message: release channel 0
debug1: channel 0: read failed
debug1: channel 0: input open -> drain
debug1: channel 0: close_read
debug1: channel 0: input: no drain shortcut
debug1: channel 0: ibuf empty
debug1: channel 0: input drain -> closed
debug1: channel 0: send eof
debug1: session_free: session 0 pid 2145
debug1: channel 0: read<=0 rfd 7 len 0
debug1: channel 0: read failed
error: channel 0: internal error: we do not read, but chan_read_failed for istate 8
debug1: channel 0: closing efd 9
debug1: channel 0: send close
debug1: channel 0: rcvd close
debug1: channel 0: full closed2
debug1: channel_free: channel 0: status: The following connections are open:
  #0 server-session (t4 r0 i8/0 o128/0 fd 7/7)

Connection closed by remote host.
debug1: Calling cleanup 0x805b700(0x0)
debug1: Calling cleanup 0x80509d0(0x0)
debug1: Calling cleanup 0x8061690(0x0)
-----

----- scp -----
# scp -P 2022 -v empty.file pekkas at netcore.fi:~/
Executing: host netcore.fi, user pekkas, command scp -v -t ~/
SSH Version OpenSSH-2.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh/ssh_config
debug: ssh_connect: getuid 0 geteuid 0 anon 0
debug: Connecting to netcore.fi [193.94.160.1] port 2022.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH-2.1
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug: got kexinit: none,zlib
debug: got kexinit: none,zlib
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: server->client blowfish-cbc hmac-sha1 none
debug: kex: client->server blowfish-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEXDH_INIT.
debug: bits set: 511/1024
debug: Wait SSH2_MSG_KEXDH_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: keytype ssh-dss
debug: keytype ssh-dss
debug: Host 'netcore.fi' is known and matches the DSA host key.
debug: bits set: 516/1024
debug: len 55 datafellows 0
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: service_accept: ssh-userauth
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,password
debug: key does not exist: /root/.ssh/id_dsa
pekkas at netcore.fi's password:
debug: ssh-userauth2 successfull
debug: fd 4 setting O_NONBLOCK
debug: fd 5 setting O_NONBLOCK
debug: fd 6 setting O_NONBLOCK
debug: channel 0: new [client-session]
debug: send channel open 0
debug: Entering interactive session.
debug: callback start
debug: client_init id 0 arg 0
debug: Sending command: scp -v -t ~/
debug: client_set_session_ident: id 0
debug: callback done
debug: channel 0: open confirm rwindow 0 rmax 16384
debug: channel 0: rcvd adjust 32768
debug: channel 0: rcvd ext data 201
Sending file modes: C0644 0 empty.file
Environment:
  USER=pekkas
  LOGNAME=pekkas
  HOME=/home/pekkas
  PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin
  MAIL=/var/spool/mail/pekkas
  SHELL=/bin/bash
  SSH_CLIENT=x.y.z.w 1336 2022
debug: channel 0: written 201 to efd 6
debug: channel 0: send data len 19
empty.file           100% |**************************************|     0 --:-- ETA
debug: channel 0: send data len 1
debug: channel 0: read<=0 rfd 4 len 0[root at gap /share/redhat-6.2/extra] #
debug: channel 0: read failed
debug: channel 0: input open -> drain
debug: channel 0: close_read
debug: channel 0: input: no drain shortcut
debug: channel 0: ibuf empty
debug: channel 0: input drain -> closed
debug: channel 0: send eof
debug: callback start
debug: client_input_channel_req: rtype exit-status reply 0
debug: callback done
debug: channel 0: rcvd eof
debug: channel 0: output open -> drain
debug: channel 0: rcvd close
debug: channel 0: obuf empty
debug: channel 0: output drain -> closed
debug: channel 0: close_write
debug: channel 0: send close
debug: channel 0: full closed2
debug: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)

debug: !channel_still_open.
debug: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.3 seconds
debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug: Exit status 0
-----

HTH,
-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi     not those you stumble over and fall"

From jamesb-lists at alongtheway.com Wed Oct 25 12:08:09 2000
From: jamesb-lists at alongtheway.com (Jim Breton)
Date: Wed, 25 Oct 2000 01:08:09 +0000
Subject: having some trouble using another user's RSA/DSA keys
Message-ID: <20001025010809.J27161@conflict.net>

Debian GNU/Linux 2.2 (potato), openssh-2.2.0p1
Configured with: --prefix=/usr/local/openssh --enable-gnome-askpass --with-tcp-wrappers --with-ipv4-default --with-ipaddr-display

My goal here is to, as root, forward a local privileged port over an ssh tunnel to another host using a normal user's login, i.e.:

root:# ssh -2 -l jamesb -i ~jamesb/.ssh/id_dsa -L 26:localhost:25 remotehost

So far, I am finding it impossible or impractical to do this. Am I doing something wrong? Here's a description of my experiences:

1) First I tried it as shown above, specifying the unprivileged user's key on the command line with the -i switch. But for some reason I was still prompted for the password. So, then I try it with the -v option and observe this:

# ssh -v -2 -l jamesb -i ~jamesb/.ssh/id_dsa
::snip::
debug: key does not exist: /root/.ssh/id_dsa

Note that it is _still_ trying to use root's id_dsa key (root does not actually have one) despite my -i argument on the command line.

2) Next I tried specifying jamesb's dsa key in ~root/.ssh/config:

IdentityFile2 ~jamesb/.ssh/id_dsa

Then I got the following output:

debug: try pubkey: /home/jamesb/.ssh/id_dsa
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Bad ownership or mode(0600) for '/home/jamesb/.ssh/id_dsa'.
It is recommended that your private key files are NOT accessible by others.
Enter passphrase for DSA key '/home/jamesb/.ssh/id_dsa':

I believe those warnings about invalid permissions on the key file to be in error, considering I can read everything as root anyway. Also, I was forced to supply the passphrase for the key. The passphrase in this case is blank, and after hitting Enter, I was told that this is invalid and then was prompted for the login password (which succeeded).

3) The last thing I have tried is to make a copy of jamesb's dsa key and put it in ~root/.ssh/id_dsa. This works, but it is not reasonable to have to do this for my needs.

I should also note that on a friend's machine, using the Debian package of OpenSSH version/build 1.2.3-9, I do not have this problem. I can connect to that same remote host as root, using another user's key login, without all this hassle.

Thanks for any help!

From Nigel.Metheringham at VData.co.uk Wed Oct 25 19:45:36 2000
From: Nigel.Metheringham at VData.co.uk (Nigel Metheringham)
Date: Wed, 25 Oct 2000 09:45:36 +0100
Subject: having some trouble using another user's RSA/DSA keys
In-Reply-To: Message from Jim Breton of "Wed, 25 Oct 2000 01:08:09 -0000." <20001025010809.J27161@conflict.net>
Message-ID:

jamesb-lists at alongtheway.com said:
> root:# ssh -2 -l jamesb -i ~jamesb/.ssh/id_dsa -L 26:localhost:25
> remotehost

Port forwarding is not implemented in the mainstream release for the ssh2 protocol.

jamesb-lists at alongtheway.com said:
> I should also note that on a friend's machine, using the Debian
> package of OpenSSH version/build 1.2.3-9, I do not have this problem.
> I can connect to that same remote host as root, using another user's
> key login, without all this hassle.

That's ssh protocol 1 - use that for now and it will all work. There seems to be some work needed on both key handling and functionality for ssh2.

Nigel.
-- 
[ - Opinions expressed are personal and may not be shared by VData - ]
[ Nigel Metheringham                  Nigel.Metheringham at VData.co.uk ]
[ Phone: +44 1423 850000                         Fax +44 1423 858866 ]

From Philippe.WILLEM at urssaf.fr Thu Oct 26 00:22:49 2000
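Jim's trace reports "Bad ownership or mode(0600)", so with the mode already at 0600 it is the ownership test, not the mode test, that root trips. The following is an added example, not OpenSSH's code and not anything from this thread; the function names, the root_may_read_others knob and the uid/mode values fed to it are assumptions for illustration. It separates a private-key file policy of the same shape into a pure function so that both the strict rule that produces the warning and a root-exempt variant can be exercised with constructed values:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of the private-key file policy check (hypothetical helper). */
enum key_perm_result { KEY_OK = 0, KEY_BAD_MODE = 1, KEY_BAD_OWNER = 2 };

/*
 * Policy check on a private key file, kept apart from stat() so it can be
 * driven with constructed values. A key is acceptable when no group or
 * other permission bit is set and the file belongs to the invoking user.
 * root_may_read_others is the policy knob the poster is asking for: when
 * non-zero, uid 0 may use a key owned by someone else. This is an example
 * of the check's shape, not OpenSSH's implementation.
 */
int key_perm_check(uid_t file_uid, mode_t file_mode, uid_t caller_uid,
                   int root_may_read_others)
{
    if ((file_mode & (S_IRWXG | S_IRWXO)) != 0)
        return KEY_BAD_MODE;        /* group or other can read/write the key */
    if (file_uid != caller_uid) {
        if (root_may_read_others && caller_uid == 0)
            return KEY_OK;          /* root deliberately borrowing a key */
        return KEY_BAD_OWNER;       /* someone else's key: refuse */
    }
    return KEY_OK;
}

/* stat() the real file, apply the policy, and warn the way ssh does.
 * Returns -1 if the file cannot be stat()ed, otherwise a key_perm_result. */
int check_key_file(const char *path, int root_may_read_others)
{
    struct stat st;
    int r;

    if (stat(path, &st) != 0)
        return -1;
    r = key_perm_check(st.st_uid, st.st_mode, getuid(), root_may_read_others);
    if (r != KEY_OK)
        fprintf(stderr, "Bad ownership or mode(0%o) for '%s'\n",
                (unsigned)(st.st_mode & 0777), path);
    return r;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "id_dsa";
    int relaxed = argc > 2 && strcmp(argv[2], "--root-ok") == 0;

    return check_key_file(path, relaxed) == KEY_OK ? 0 : 1;
}
```

Run as `./keycheck ~jamesb/.ssh/id_dsa` for the strict result Jim saw, or add `--root-ok` to accept another user's 0600 key when invoked as uid 0. Whichever ownership policy is chosen, the mode test has to stay: a key readable by group or other is compromised regardless of who runs ssh.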
From: Philippe.WILLEM at urssaf.fr (Philippe WILLEM)
Date: Wed, 25 Oct 2000 14:22:49 +0100
Subject: Patch for SCO 5 cc
Message-ID: <41256983.004FC3F3.00@contact31.cirso.fr>

Hi all,

As John Hardin suggested, here are the context diffs of my changes to get openssh to compile under SCO 5 with the SCO cc compiler. These modifications were made on the 2.2.0p1 version of portable openssh.

Regards,

(See attached file: diff-sco5cc-2.2.0p1.tar.gz)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff-sco5cc-2.2.0p1.tar.gz
Type: application/octet-stream
Size: 1364 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20001025/6b102347/attachment.obj

From jamesb-lists at alongtheway.com Thu Oct 26 01:22:28 2000
From: jamesb-lists at alongtheway.com (Jim Breton)
Date: Wed, 25 Oct 2000 14:22:28 +0000
Subject: having some trouble using another user's RSA/DSA keys
In-Reply-To: ; from Nigel.Metheringham@VData.co.uk on Wed, Oct 25, 2000 at 09:45:36AM +0100
References:
Message-ID: <20001025142228.N27161@alongtheway.com>

Hi Nigel, thanks for responding.

On Wed, Oct 25, 2000 at 09:45:36AM +0100, Nigel Metheringham wrote:
> Port forwarding is not implemented in the mainstream release for ssh2
> protocol.

OK, thanks.

> Thats ssh protocol 1 - use that for now and it will all work. There
> seems to be some work needed on both key handling and functionality for
> ssh2

OK. However, using ssh1 with OpenSSH-2.2.0p1, I have two remaining issues:

1) I am still warned about bad permissions on the key file even though I am root (I guess this would be a "wishlist" item since I can suppress these warnings with the -q option);

2) I am unable to log in using that key. The passphrase is blank, but key authentication fails and I am forced to enter a login password.

# ssh -v -l jamesb -i ~jamesb/.ssh/identity
SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /root/.ssh/config
debug: Reading configuration data /usr/local/openssh/etc/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 0 geteuid 0 anon 1
debug: Connecting to port 22.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version 2.0.13 (non-commercial)
datafellows: 2.0.13 (non-commercial)
debug: Local version string SSH-1.5-OpenSSH_2.2.0p1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host '' is known and matches the RSA host key.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication with key 'jamesb at tarkin'
debug: Received RSA challenge from server.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Bad ownership or mode(0600) for '/home/jamesb/.ssh/identity'.
It is recommended that your private key files are NOT accessible by others.
Enter passphrase for RSA key 'jamesb at tarkin':
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Bad ownership or mode(0600) for '/home/jamesb/.ssh/identity'.
It is recommended that your private key files are NOT accessible by others.
Bad passphrase.
debug: Remote: Wrong response to RSA authentication challenge.
debug: Doing password authentication.
jamesb@'s password:

Thank you.

From Donald.Smith at qwest.com Thu Oct 26 02:26:10 2000
From: Donald.Smith at qwest.com (Smith, Donald )
Date: Wed, 25 Oct 2000 09:26:10 -0600
Subject: having some trouble using another user's RSA/DSA keys
Message-ID: <2D00AD0E4D36D411BD300008C786E424229963@Denntex021.qwest.net>

Do you use the from="hostname" clause in your keys? I have seen this error between different versions of ssh where the public key had the from clause.

-----Original Message-----
From: Jim Breton [mailto:jamesb-lists at alongtheway.com] Sent: Wednesday, October 25, 2000 8:22 AM To: openssh-unix-dev at mindrot.org Subject: Re: having some trouble using another user's RSA/DSA keys Hi Nigel, thanks for responding. On Wed, Oct 25, 2000 at 09:45:36AM +0100, Nigel Metheringham wrote: > Port forwarding is not implemented in the mainstream release for ssh2 > protocol. OK, thanks. > Thats ssh protocol 1 - use that for now and it will all work. There > seems to be some work needed on both key handling and functionality for > ssh2 OK. However, using ssh1 with OpenSSH-2.2.0p1, I have two remaining issues: 1) I am still warned about bad permissions on the key file even though I am root (I guess this would be a "wishlist" item since I can suppress these warnings with the -q option); 2) I am unable to log in using that key. The passphrase is blank, but key authentication fails and I am forced to enter a login password. # ssh -v -l jamesb -i ~jamesb/.ssh/identity SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f). debug: Reading configuration data /root/.ssh/config debug: Reading configuration data /usr/local/openssh/etc/ssh_config debug: Applying options for * debug: Seeding random number generator debug: ssh_connect: getuid 0 geteuid 0 anon 1 debug: Connecting to port 22. debug: Connection established. debug: Remote protocol version 1.99, remote software version 2.0.13 (non-commercial) datafellows: 2.0.13 (non-commercial) debug: Local version string SSH-1.5-OpenSSH_2.2.0p1 debug: Waiting for server public key. debug: Received server public key (768 bits) and host key (1024 bits). debug: Host '' is known and matches the RSA host key. debug: Seeding random number generator debug: Encryption type: 3des debug: Sent encrypted session key. debug: Installing crc compensation attack detector. debug: Received encrypted confirmation. 
debug: Trying RSA authentication with key 'jamesb at tarkin' debug: Received RSA challenge from server. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Bad ownership or mode(0600) for '/home/jamesb/.ssh/identity'. It is recommended that your private key files are NOT accessible by others. Enter passphrase for RSA key 'jamesb at tarkin': @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Bad ownership or mode(0600) for '/home/jamesb/.ssh/identity'. It is recommended that your private key files are NOT accessible by others. Bad passphrase. debug: Remote: Wrong response to RSA authentication challenge. debug: Doing password authentication. jamesb@'s password: Thank you. From proski at gnu.org Thu Oct 26 03:20:53 2000 From: proski at gnu.org (Pavel Roskin) Date: Wed, 25 Oct 2000 12:20:53 -0400 (EDT) Subject: Typo in configure.in Message-ID: Hello! In configure.in from openssh-2.2.0p1 you are using $xno and $xyes several times. However, those variables are not defined. I guess you mean literals "xno" and "xyes" in all those cases. If that's correct please apply the patch at the end of this message. Regards, Pavel Roskin _____________________ --- configure.in Wed Aug 30 18:20:05 2000 +++ configure.in Wed Oct 25 12:17:19 2000 @@ -326,7 +326,7 @@ AC_ARG_WITH(ssl-dir, [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], [ - if test "x$withval" != "$xno" ; then + if test "x$withval" != "xno" ; then tryssldir=$withval fi ] @@ -824,7 +824,7 @@ AC_ARG_WITH(xauth, [ --with-xauth=PATH Specify path to xauth program ], [ - if test "x$withval" != "$xno" ; then + if test "x$withval" != "xno" ; then xauth_path=$withval fi ], 
@@ -950,7 +950,7 @@ [ if test "x$withval" != "xno" ; then - if test "x$withval" != "$xyes" ; then + if test "x$withval" != "xyes" ; then CFLAGS="$CFLAGS -I${withval}/include" LDFLAGS="$LDFLAGS -L${withval}/lib" if test ! -z "$need_dash_r" ; then @@ -990,7 +990,7 @@ [ if test "x$withval" != "xno" ; then - if test "x$withval" != "$xyes" ; then + if test "x$withval" != "xyes" ; then CFLAGS="$CFLAGS -I${withval}/include" LFLAGS="$LFLAGS -L${withval}/lib" fi _____________________ From mouring at pconline.com Thu Oct 26 03:55:04 2000 From: mouring at pconline.com (Ben Lindstrom) Date: Wed, 25 Oct 2000 11:55:04 -0500 (CDT) Subject: Typo in configure.in In-Reply-To: Message-ID: Applied, thanks, some of this was already done. - Ben On Wed, 25 Oct 2000, Pavel Roskin wrote: > Hello! > > In configure.in from openssh-2.2.0p1 you are using $xno and $xyes several > times. However, those variables are not defined. I guess you mean literals > "xno" and "xyes" in all those cases. > > If that's correct please apply the patch at the end of this message. > > Regards, > Pavel Roskin > > _____________________ > --- configure.in Wed Aug 30 18:20:05 2000 > +++ configure.in Wed Oct 25 12:17:19 2000 > @@ -326,7 +326,7 @@ > AC_ARG_WITH(ssl-dir, > [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], > [ > - if test "x$withval" != "$xno" ; then > + if test "x$withval" != "xno" ; then > tryssldir=$withval > fi > ] > @@ -824,7 +824,7 @@ > AC_ARG_WITH(xauth, > [ --with-xauth=PATH Specify path to xauth program ], > [ > - if test "x$withval" != "$xno" ; then > + if test "x$withval" != "xno" ; then > xauth_path=$withval > fi > ], > @@ -950,7 +950,7 @@ > [ > if test "x$withval" != "xno" ; then > > - if test "x$withval" != "$xyes" ; then > + if test "x$withval" != "xyes" ; then > CFLAGS="$CFLAGS -I${withval}/include" > LDFLAGS="$LDFLAGS -L${withval}/lib" > if test ! -z "$need_dash_r" ; then 
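Review bot: the @@ -950 hunk's context line appends the include/lib paths to `LDFLAGS`, but the parallel @@ -990 hunk appends the same `-L${withval}/lib` to `LFLAGS`, which is the conventional lex-flags variable and is never consumed by the link step, so the library directory given there silently has no effect; suggest the patch also change that line to `LDFLAGS="$LDFLAGS -L${withval}/lib"`. The `"$xno"`/`"$xyes"` to `"xno"`/`"xyes"` replacements themselves are right: with those variables unset the tests compared against the empty string, which `"x$withval"` can never equal, so `--with-...=no` and `--with-...=yes` were never recognised.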
> @@ -990,7 +990,7 @@ > [ > if test "x$withval" != "xno" ; then > > - if test "x$withval" != "$xyes" ; then > + if test "x$withval" != "xyes" ; then > CFLAGS="$CFLAGS -I${withval}/include" > LFLAGS="$LFLAGS -L${withval}/lib" > fi > _____________________ > > From jamesb-lists at alongtheway.com Thu Oct 26 08:46:50 2000 From: jamesb-lists at alongtheway.com (Jim Breton) Date: Wed, 25 Oct 2000 21:46:50 +0000 Subject: having some trouble using another user's RSA/DSA keys In-Reply-To: <2D00AD0E4D36D411BD300008C786E424229963@Denntex021.qwest.net>; from Donald.Smith@qwest.com on Wed, Oct 25, 2000 at 09:26:10AM -0600 References: <2D00AD0E4D36D411BD300008C786E424229963@Denntex021.qwest.net> Message-ID: <20001025214650.T27161@alongtheway.com> On Wed, Oct 25, 2000 at 09:26:10AM -0600, Smith, Donald wrote: > Do you use the from="hostname" clause in your keys? > I have seen this error between different versions of ssh where the public > key had the from clause. Hi -- I'm not familiar with this, and do not see it in my public key. Would anyone be able to confirm that my scheme _does_ work with OpenSSH-2.2.0p1 (i.e., make sure it's not a bug)? It should be easy enough for someone to test. FYI I just tried the same thing against an OpenSSH-1.2.3 server on another one of my boxen and achieved the same result, so it doesn't appear to be an interoperability problem with the commercial SSH (which is what was running on the first remote host I tried). From djm at mindrot.org Fri Oct 27 09:02:13 2000 
From: djm at mindrot.org (Damien Miller) Date: Fri, 27 Oct 2000 09:02:13 +1100 (EST) Subject: Happy Birthday portable OpenSSH! Message-ID: It was one year ago today that I released a patch to get OpenSSH compiling on Linux. I had no idea just how much trouble releasing that patch would get me into :) Within days I was inundated with patches, improvements and portability enhancements - contributions which have made portable OpenSSH the success it is today. So allow me to thank the current developers and all of you who have contributed code, time and encouragement to the portable OpenSSH project. Special thanks are reserved for the OpenBSD team and, in particular, Markus Friedl for their excellent work on a critical piece of software. What sort of present does one give a thriving free software project on its first birthday? :) Regards, Damien Miller -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From heinlein at cse.ogi.edu Fri Oct 27 09:09:21 2000 From: heinlein at cse.ogi.edu (Paul Heinlein) Date: Thu, 26 Oct 2000 15:09:21 -0700 (PDT) Subject: Happy Birthday portable OpenSSH! In-Reply-To: Message-ID: On Fri, 27 Oct 2000, Damien Miller wrote: > What sort of present does one give a thriving free software project on > its first birthday? :) A colorful little toy would be nice. How about Windows(tm)? Paul Heinlein heinlein at cse.ogi.edu From eric at youngblut.dhs.org Fri Oct 27 10:43:16 2000 
From: eric at youngblut.dhs.org (Eric Youngblut) Date: Thu, 26 Oct 2000 16:43:16 -0700 Subject: bug with -i Message-ID: <14840.49556.909031.600611@ernie.private.foo> The code that handles identity files listed on the command line only adds the files to the options.identity_files array, which is for RSA keys. If you use the SSH2 protocol and have a DSA identity, you cannot specify it with -i on the command line. From mouring at pconline.com Fri Oct 27 11:41:44 2000 From: mouring at pconline.com (Ben Lindstrom) Date: Thu, 26 Oct 2000 19:41:44 -0500 (CDT) Subject: Happy Birthday portable OpenSSH! In-Reply-To: Message-ID: Hmm.. How about a round of beers, and one Long Island Ice Tea. (The Ice Tea for me since I can't tolerate beer.) On Thu, 26 Oct 2000, Paul Heinlein wrote: > On Fri, 27 Oct 2000, Damien Miller wrote: > > > What sort of present does one give a thriving free software project on > > its first birthday? :) > > A colorful little toy would be nice. How about Windows(tm)? > > Paul Heinlein > heinlein at cse.ogi.edu > > From mhw at wittsend.com Fri Oct 27 12:18:09 2000 
From: mhw at wittsend.com (Michael H. Warfield) Date: Thu, 26 Oct 2000 21:18:09 -0400 Subject: Happy Birthday portable OpenSSH! In-Reply-To: ; from heinlein@cse.ogi.edu on Thu, Oct 26, 2000 at 03:09:21PM -0700 References: Message-ID: <20001026211809.B22922@alcove.wittsend.com> On Thu, Oct 26, 2000 at 03:09:21PM -0700, Paul Heinlein wrote: > On Fri, 27 Oct 2000, Damien Miller wrote: > > What sort of present does one give a thriving free software project on > > its first birthday? :) > A colorful little toy would be nice. How about Windows(tm)? Sounds good! Roll up them sleeves and join in! > Paul Heinlein > heinlein at cse.ogi.edu Mike -- Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From djm at mindrot.org Fri Oct 27 12:32:08 2000 From: djm at mindrot.org (Damien Miller) Date: Fri, 27 Oct 2000 12:32:08 +1100 (EST) Subject: Happy Birthday portable OpenSSH! In-Reply-To: Message-ID: On Thu, 26 Oct 2000, Ben Lindstrom wrote: > Hmm.. How about a round of beers, and one Long Island Ice Tea. (The Ice > Tea for me since I can't tolerate beer.) I feel your pain. Red wine or Sake for me :) -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From jwbaker at acm.org Fri Oct 27 13:47:12 2000 
From: jwbaker at acm.org (Jeffrey W. Baker) Date: Thu, 26 Oct 2000 19:47:12 -0700 (PDT) Subject: Segfault in 2.2.0p1 due to connect() changes in Linux 2.4 Message-ID: Hello, I upgraded (?) one of my machines to Linux kernel 2.4.0-test9, and sshd started failing. Specifically, the sshd child processes would segfault if a user requested X11 forwarding. I tracked the problem down to these bits of code: channels.c, x11_create_display_inet, line 1738: sock = socket(ai->ai_family, SOCK_STREAM, 0); if (sock < 0) { if (errno != EINVAL) { error("socket: %.100s", strerror(errno)); return NULL; } else { debug("Socket family %d not supported [X11 disp create]", ai->ai_family); continue; } } session.c, do_child, line 1219: } else if (options.xauth_location != NULL) { /* Add authority data to .Xauthority if appropriate. */ if (auth_proto != NULL && auth_data != NULL) { char *screen = strchr(display, ':'); The problem seems to be that the socket() function is not returning EINVAL (as the man page suggests), but is instead returning EAFNOSUPPORT. This change was made recently... http://www.uwsg.iu.edu/hypermail/linux/kernel/0008.3/0342.html ...in order to conform to Single Unix v2: http://www.opennc.org/onlinepubs/007908799/xns/connect.html Anyway, the caller is unable to handle a NULL return from x11_create_display_inet(), and the eventual deref of s->display in do_child is fatal. Two workarounds exist. The first is to disable X11 connection forwarding. The second is to rebuild with --with-ipv4-default, which avoids the problem. The correct solution is for OpenSSH to handle NULL returns from x11_create_display_inet(). Sadly, I have not made a patch. OpenSSH developers might also want to investigate the semantics of the connect() return codes EAFNOSUPPORT and EINVAL, with regards to Posix1.g and Single Unix v2 (and Stevens TCPv2). Cheers etc., Jeffrey Baker From vinschen at redhat.com Fri Oct 27 19:44:23 2000 
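As an added example (not OpenSSH's code) of the fix Jeffrey asks for: the per-family socket() loop treating EAFNOSUPPORT the same way as EINVAL, and a caller that copes with "no family worked" instead of dereferencing a NULL display. The socket_fn indirection, the fake_* constructors and the fd number 42 are constructed for this example.

```c
/* Added example (not OpenSSH code): the socket()-per-address-family loop
 * from x11_create_display_inet() rewritten so that EAFNOSUPPORT is treated
 * like EINVAL, plus a caller that handles "no family worked" instead of
 * dereferencing a NULL display.  The socket_fn indirection and the fake_*
 * constructors below are constructed for this example. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* socket(2) with type/protocol fixed to a TCP listener, made pluggable so
 * the selection logic can be exercised without a real network. */
typedef int (*socket_fn)(int family);

/* Linux before 2.4 answered EINVAL for a family the kernel does not speak;
 * 2.4 (following Single Unix v2) answers EAFNOSUPPORT.  Both mean "skip
 * this family"; everything else is a genuine failure. */
static int family_unsupported(int err)
{
    return err == EINVAL || err == EAFNOSUPPORT;
}

/* Try each family in order.  Returns the first fd obtained, or -1 with
 * errno set to the last error.  *tried receives how many families were
 * attempted (useful for the debug message). */
int open_first_supported(const int *families, size_t n, socket_fn mk,
                         size_t *tried)
{
    size_t i = 0;
    int last_err = EAFNOSUPPORT;   /* the answer for an empty list */

    while (i < n) {
        int fd = mk(families[i]);
        i++;
        if (fd >= 0) {
            if (tried) *tried = i;
            return fd;
        }
        last_err = errno;
        if (!family_unsupported(last_err))
            break;   /* real failure (EMFILE, ENOBUFS, ...): stop here */
        /* unsupported family: fall through to the next candidate */
    }
    if (tried) *tried = i;
    errno = last_err;
    return -1;
}

/* Caller side: the session continues with X11 forwarding disabled rather
 * than assuming a display was created.  Returns 1 if a listener exists,
 * 0 if forwarding was disabled; *listen_fd is -1 in the latter case. */
int setup_x11_listener(socket_fn mk, int *listen_fd)
{
    static const int families[] = { AF_INET6, AF_INET };
    size_t tried = 0;
    int fd = open_first_supported(families, 2, mk, &tried);

    if (fd < 0) {
        fprintf(stderr, "x11: no usable socket family after %zu tries (%s); "
                "X11 forwarding disabled\n", tried, strerror(errno));
        *listen_fd = -1;
        return 0;
    }
    *listen_fd = fd;
    return 1;
}

/* Real constructor for stand-alone runs. */
int real_stream_socket(int family)
{
    return socket(family, SOCK_STREAM, 0);
}

/* Constructed stand-ins modelling the kernels discussed on the list. */
int fake_kernel_without_ipv6(int family)   /* Linux 2.4 answer for v6 */
{
    if (family == AF_INET6) { errno = EAFNOSUPPORT; return -1; }
    return 42;                             /* constructed fd number */
}
int fake_kernel_no_families(int family)
{
    (void)family; errno = EAFNOSUPPORT; return -1;
}
int fake_out_of_descriptors(int family)
{
    (void)family; errno = EMFILE; return -1;
}

int main(void)
{
    int fd;
    if (setup_x11_listener(real_stream_socket, &fd)) {
        printf("got listener socket fd %d\n", fd);
        close(fd);
    }
    return 0;
}
```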
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 27 Oct 2000 10:44:23 +0200 Subject: Happy Birthday portable OpenSSH! References: Message-ID: <39F94067.3F7F7905@redhat.com> Paul Heinlein wrote: > > On Fri, 27 Oct 2000, Damien Miller wrote: > > > What sort of present does one give a thriving free software project on > > its first birthday? :) > > A colorful little toy would be nice. How about Windows(tm)? We all know OpenSSH is collecting operating systems. Unfortunately, OpenSSH already has a Windows(tm). What about BeOS? Would look nice on the chimney... Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin at sources.redhat.com Red Hat, Inc. mailto:vinschen at redhat.com From J.Horne at plymouth.ac.uk Fri Oct 27 20:52:22 2000 From: J.Horne at plymouth.ac.uk (John Horne) Date: Fri, 27 Oct 2000 10:52:22 +0100 (BST) Subject: bug with -i In-Reply-To: <14840.49556.909031.600611@ernie.private.foo> Message-ID: On 26-Oct-00 at 23:43:16 Eric Youngblut wrote: > The code that handles identity files listed on the command line only > adds the files to the options.identity_files array, which is for RSA > keys. If you use the SSH2 protocol and have a DSA identity, you > cannot specify it with -i on the command line. > To avoid this I used the ssh '-o' option and instead of using '-i' used: '-o "IdentityFile2 ~/.ssh/backups"' (this was from our backups script). HTH John. ------------------------------------------------------------------------ John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914 E-mail: jhorne at plymouth.ac.uk PGP key available from public key servers From J.Horne at plymouth.ac.uk Fri Oct 27 20:55:39 2000 
From: J.Horne at plymouth.ac.uk (John Horne) Date: Fri, 27 Oct 2000 10:55:39 +0100 (BST) Subject: Happy Birthday portable OpenSSH! In-Reply-To: Message-ID: On 27-Oct-00 at 01:32:08 Damien Miller wrote: > On Thu, 26 Oct 2000, Ben Lindstrom wrote: >> Hmm.. How about a round of beers, and one Long Island Ice Tea. (The Ice >> Tea for me since I can't tolerate beer.) > > I feel your pain. Red wine or Sake for me :) > Red wine...eech! No wonder the site's 'mindrot' :-) From the UK I'll go for a Kentish ale (called "The Bishop's finger" :-) I have no idea why!) :-) Happy Birthday and many thanks, life has certainly been easier with openssh :-) John. ------------------------------------------------------------------------ John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914 E-mail: jhorne at plymouth.ac.uk PGP key available from public key servers From Philippe.WILLEM at urssaf.fr Fri Oct 27 21:32:04 2000 From: Philippe.WILLEM at urssaf.fr (Philippe WILLEM) Date: Fri, 27 Oct 2000 11:32:04 +0100 Subject: Typo in 2.2.0p1 ?? Message-ID: <41256985.003F54F1.00@contact31.cirso.fr> I haven't yet figured out what the real impact of this is, but I think there is a typo in function sigchld_handler() in serverloop.c (l 75). It is written if (WIFEXITED(child_wait_status) || WIFSIGNALED(child_wait_status)) child_terminated = 1; child_has_selected = 0; But I think one actually means: if (WIFEXITED(child_wait_status) || WIFSIGNALED(child_wait_status)) { child_terminated = 1; child_has_selected = 0; } Regards, Philippe From rmcc at novis.pt Fri Oct 27 23:50:53 2000 
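As an added example (not serverloop.c itself): Philippe's two statements with and without the braces, run against constructed wait statuses so the behavioural difference is visible without forking a child. The child_flags struct, the flags_after() harness and the STATUS_* macros are constructed here and assume the Linux/glibc and BSD status-word layout.

```c
/* Added example (not OpenSSH's serverloop.c): the two flag updates quoted
 * from sigchld_handler(), once as written and once with the braces the
 * poster proposes, driven by constructed wait statuses.  child_flags and
 * the STATUS_* encodings are constructed for this example. */
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>

struct child_flags {
    volatile sig_atomic_t terminated;   /* set once the child is gone     */
    volatile sig_atomic_t has_selected; /* child fds still part of select */
};

/* As in 2.2.0p1: without braces only the first statement belongs to the
 * if, so has_selected is cleared on every status the handler sees. */
void update_flags_as_written(int status, struct child_flags *f)
{
    if (WIFEXITED(status) || WIFSIGNALED(status))
        f->terminated = 1;
    f->has_selected = 0;
}

/* With the braces: both flags change only when the child really ended. */
void update_flags_braced(int status, struct child_flags *f)
{
    if (WIFEXITED(status) || WIFSIGNALED(status)) {
        f->terminated = 1;
        f->has_selected = 0;
    }
}

/* Constructed wait(2) status words (same layout on Linux/glibc and BSD). */
#define STATUS_EXITED(code)   ((code) << 8)          /* normal exit   */
#define STATUS_SIGNALED(sig)  ((sig) & 0x7f)         /* killed by sig */
#define STATUS_STOPPED(sig)   (0x7f | ((sig) << 8))  /* stop report   */

/* Run one variant on a fresh "alive and selected" state and return the
 * resulting flags packed as (terminated << 1) | has_selected. */
int flags_after(void (*update)(int, struct child_flags *), int status)
{
    struct child_flags f = { 0, 1 };
    update(status, &f);
    return (f.terminated << 1) | f.has_selected;
}

int main(void)
{
    /* A stop report (what a waitpid(..., WUNTRACED) caller would see) is
     * neither exited nor signaled: the braced form leaves the child
     * selected (result 1), the unbraced form deselects it (result 0). */
    printf("stopped: as written=%d braced=%d\n",
           flags_after(update_flags_as_written, STATUS_STOPPED(SIGSTOP)),
           flags_after(update_flags_braced, STATUS_STOPPED(SIGSTOP)));
    /* On a real exit both forms agree: terminated and deselected (2). */
    printf("exited:  as written=%d braced=%d\n",
           flags_after(update_flags_as_written, STATUS_EXITED(0)),
           flags_after(update_flags_braced, STATUS_EXITED(0)));
    return 0;
}
```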
From: rmcc at novis.pt (Ricardo Cerqueira) Date: Fri, 27 Oct 2000 13:50:53 +0100 Subject: Happy Birthday portable OpenSSH! In-Reply-To: <39F94067.3F7F7905@redhat.com>; from vinschen@redhat.com on Fri, Oct 27, 2000 at 10:44:23AM +0200 References: <39F94067.3F7F7905@redhat.com> Message-ID: <20001027135053.B4324@isp.novis.pt> On Fri, Oct 27, 2000 at 10:44:23AM +0200, Corinna Vinschen wrote: > Paul Heinlein wrote: > > > > On Fri, 27 Oct 2000, Damien Miller wrote: > > > > > What sort of present does one give a thriving free software project on > > > its first birthday? :) > > > > A colorful little toy would be nice. How about Windows(tm)? > > We all know OpenSSH is collecting operating systems. Unfortunately, > OpenSSH has already a Windows(tm). What's about BeOS? Would look > nice on the chimney... GNU Hurd would be cute. And now there's a distro of it :-) RC -- +------------------- | Ricardo Cerqueira | PGP Key fingerprint - B7 05 13 CE 48 0A BF 1E 87 21 83 DB 28 DE 03 42 | Novis - Engenharia ISP / Rede Técnica | Pç. Duque Saldanha, 1, 7º E / 1050-094 Lisboa / Portugal | Tel: +351 2 1010 0000 - Fax: +351 2 1010 4459 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 524 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20001027/bf85f0e7/attachment.bin From mouring at pconline.com Sat Oct 28 00:17:33 2000 
From: mouring at pconline.com (Ben Lindstrom) Date: Fri, 27 Oct 2000 08:17:33 -0500 (CDT) Subject: Happy Birthday portable OpenSSH! In-Reply-To: <20001027135053.B4324@isp.novis.pt> Message-ID: On Fri, 27 Oct 2000, Ricardo Cerqueira wrote: > On Fri, Oct 27, 2000 at 10:44:23AM +0200, Corinna Vinschen wrote: > > Paul Heinlein wrote: > > > > > > On Fri, 27 Oct 2000, Damien Miller wrote: > > > > > > > What sort of present does one give a thriving free software project on > > > > its first birthday? :) > > > > > > A colorful little toy would be nice. How about Windows(tm)? > > > > We all know OpenSSH is collecting operating systems. Unfortunately, > > OpenSSH has already a Windows(tm). What's about BeOS? Would look > > nice on the chimney... > > GNU Hurd would be cute. And now there's a distro of it :-) > Chatter from the GNU hurd list is that it may be officially part of Debian with the next release. If the Hurd folks get their act together and get some basic stuff done (like a 100% working installer =). - Ben From chip at princetonecom.com Sat Oct 28 00:27:51 2000 From: chip at princetonecom.com (Chip Christian) Date: Fri, 27 Oct 2000 09:27:51 -0400 Subject: Happy Birthday portable OpenSSH! In-Reply-To: Message from Damien Miller of "Fri, 27 Oct 2000 12:32:08 +1100." Message-ID: <20001027132752.0B244B47B@fleck.princetonecom.com> Then you guys haven't tried the right beers. Seriously, thanks ever so much for all the hard work. > On Thu, 26 Oct 2000, Ben Lindstrom wrote: > > > Hmm.. How about a round of beers, and one Long Island Ice Tea. (The Ice > > Tea for me since I can't tolerate beer.) > > I feel your pain. Red wine or Sake for me :) From chip at princetonecom.com Sat Oct 28 00:29:47 2000 
From: chip at princetonecom.com (Chip Christian) Date: Fri, 27 Oct 2000 09:29:47 -0400 Subject: Happy Birthday portable OpenSSH! In-Reply-To: Message from Corinna Vinschen of "Fri, 27 Oct 2000 10:44:23 +0200." <39F94067.3F7F7905@redhat.com> Message-ID: <20001027132947.E6B71B47B@fleck.princetonecom.com> It does indeed run quite well on Windows. But I won't be able to get that rolled out, unless... Is there a way to get cygwin to do cut&paste? > Paul Heinlein wrote: > > > > On Fri, 27 Oct 2000, Damien Miller wrote: > > > > > What sort of present does one give a thriving free software project on > > > its first birthday? :) > > > > A colorful little toy would be nice. How about Windows(tm)? > > We all know OpenSSH is collecting operating systems. Unfortunately, > OpenSSH has already a Windows(tm). What's about BeOS? Would look > nice on the chimney... > > Corinna > > -- > Corinna Vinschen Please, send mails regarding Cygwin to > Cygwin Developer mailto:cygwin at sources.redhat.com > Red Hat, Inc. > mailto:vinschen at redhat.com > > From gert at greenie.muc.de Sat Oct 28 00:48:13 2000 
From: gert at greenie.muc.de (Gert Doering) Date: Fri, 27 Oct 2000 15:48:13 +0200 Subject: openssh-SNAP-20001016 In-Reply-To: ; from Rob Hagopian on Tue, Oct 24, 2000 at 01:37:42PM -0400 References: Message-ID: <20001027154813.A7086@greenie.muc.de> Hi, I finally found time today to start hacking SNAP-20001016 on AIX 4.3.3 today, and my findings are mixed. configure works fine (finds zlib, openssl 0.9.5a) and is happy: OpenSSH configured has been configured with the following options. User binaries: /gnu/bin User binaries: /gnu/bin System binaries: /gnu/sbin Configuration files: /etc Askpass program: /gnu/libexec/ssh-askpass Manual pages: /gnu/man/catX PID file: /etc Random number collection: EGD (/dtmp/egd.entropy) Manpage format: cat PAM support: no KerberosIV support: no AFS support: no S/KEY support: no TCP Wrappers support: no MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: no Host: rs6000-ibm-aix4.3.3.0 Compiler: gcc Compiler flags: -g -O2 -Wall -I. -I. 
-I/usr/local/include -I/gnu/include Linker flags: -L/usr/local/lib -L/gnu/lib -L/gnu Libraries: -lnsl -lz -lcrypto Unfortunately, compilation then fails in auth2.c, because "user" is not defined here: userauth_reply(Authctxt *authctxt, int authenticated) { /* XXX todo: check if multiple auth methods are needed */ if (authenticated == 1) { #ifdef WITH_AIXAUTHENTICATE /* We don't have a pty yet, so just label the line as "ssh" */ if (loginsuccess(user, get_canonical_hostname(), "ssh", &aixloginmsg) < 0) aixloginmsg = NULL; #endif /* WITH_AIXAUTHENTICATE */ Looking at what "user" should be here, I find worse things in the other place related to AIXAUTHENTICATE: input_userauth_request(int type, int plen, void *ctxt) { Authctxt *authctxt = ctxt; Authmethod *m = NULL; char *user, *service, *method; int authenticated = 0; if (authctxt == NULL) fatal("input_userauth_request: no authctxt"); if (authctxt->attempt++ >= AUTH_FAIL_MAX) { #ifdef WITH_AIXAUTHENTICATE loginfailed(user,get_canonical_hostname(),"ssh"); #endif /* WITH_AIXAUTHENTICATE */ packet_disconnect("too many failed userauth_requests"); } user = packet_get_string(NULL); service = packet_get_string(NULL); method = packet_get_string(NULL); Without really knowing what the "packet_get_string" function does, I can definitely say that the code is wrong here - loginfailed() expects the current user name to update lastlog accordingly, and "user" is just a dangling pointer :-( So someone (who understands these functions) should really look into this. I will, for the time being, try without WITH_AIXAUTHENTICATE, and then report again... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From rmcc at novis.pt Sat Oct 28 01:25:52 2000 
From: rmcc at novis.pt (Ricardo Cerqueira) Date: Fri, 27 Oct 2000 15:25:52 +0100 Subject: Happy Birthday portable OpenSSH! In-Reply-To: ; from mouring@pconline.com on Fri, Oct 27, 2000 at 08:17:33AM -0500 References: <20001027135053.B4324@isp.novis.pt> Message-ID: <20001027152552.C4324@isp.novis.pt> On Fri, Oct 27, 2000 at 08:17:33AM -0500, Ben Lindstrom wrote: > > > On Fri, 27 Oct 2000, Ricardo Cerqueira wrote: > > > On Fri, Oct 27, 2000 at 10:44:23AM +0200, Corinna Vinschen wrote: > > > Paul Heinlein wrote: > > > > > > > > On Fri, 27 Oct 2000, Damien Miller wrote: > > > > > > > > > What sort of present does one give a thriving free software project on > > > > > its first birthday? :) > > > > > > > > A colorful little toy would be nice. How about Windows(tm)? > > > > > > We all know OpenSSH is collecting operating systems. Unfortunately, > > > OpenSSH has already a Windows(tm). What's about BeOS? Would look > > > nice on the chimney... > > > > GNU Hurd would be cute. And now there's a distro of it :-) > > > Chatter from the GNU hurd list is that it may be offically part of Debian > with the next release. If the Hurd folks get there act together and get > some basic stuff done (like a 100% working installer =). This is getting off-topic, but... They're planning to merge Linux and Hurd in the same distribution? Heh... Here comes the big "confused lusers flooding mlists" event again ... :) RC -- +------------------- | Ricardo Cerqueira | PGP Key fingerprint - B7 05 13 CE 48 0A BF 1E 87 21 83 DB 28 DE 03 42 | Novis - Engenharia ISP / Rede Técnica | Pç. Duque Saldanha, 1, 7º E / 1050-094 Lisboa / Portugal | Tel: +351 2 1010 0000 - Fax: +351 2 1010 4459 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 524 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20001027/694207ed/attachment.bin From mouring at pconline.com Sat Oct 28 01:33:29 2000 
From: mouring at pconline.com (Ben Lindstrom) Date: Fri, 27 Oct 2000 09:33:29 -0500 (CDT) Subject: Happy Birthday portable OpenSSH! In-Reply-To: <20001027152552.C4324@isp.novis.pt> Message-ID: On Fri, 27 Oct 2000, Ricardo Cerqueira wrote: > On Fri, Oct 27, 2000 at 08:17:33AM -0500, Ben Lindstrom wrote: > > On Fri, 27 Oct 2000, Ricardo Cerqueira wrote: > > Chatter from the GNU hurd list is that it may be offically part of Debian > > with the next release. If the Hurd folks get there act together and get > > some basic stuff done (like a 100% working installer =). > > This is getting off-topic, but... They're planning to merge Linux and Hurd > in the same distribution? Heh... Here comes the big "confused lusers > flooding mlists" event again ... :) > No more confusing than.. 'What do I get? The one that says PPC? x86? Sparc?' .. I've seen that question a few times on efnet's #unixhelp. Anyways. I'm sure it will say "Debian HURD x86" or "Debian HURD ppc" =) OpenSSH on Playstation 2 anyone? -Ben From gert at greenie.muc.de Sat Oct 28 02:20:35 2000 
From: gert at greenie.muc.de (Gert Doering) Date: Fri, 27 Oct 2000 17:20:35 +0200 Subject: openssh-SNAP-20001016 In-Reply-To: <20001027154813.A7086@greenie.muc.de>; from Gert Doering on Fri, Oct 27, 2000 at 03:48:13PM +0200 References: <20001027154813.A7086@greenie.muc.de> Message-ID: <20001027172035.H4300@greenie.muc.de> Hi, On Fri, Oct 27, 2000 at 03:48:13PM +0200, Gert Doering wrote: > I finally found time today to start hacking SNAP-20001016 on AIX 4.3.3 > today, and my findings are mixed. OK, News on this. If compiling without WITH_AIXAUTHENTICATE, things "seem to work" pretty well (tested protocol 1 only, and only a few things), especially utmp/wtmp handling doesn't break anything. I have one problem remaining that puzzles me - we use /etc/hosts.equiv extensively, and with sshd from OpenSSH 1.2.3 I can login just fine: [..] debug: Sent encrypted session key. debug: Installing crc compensation attack detector. debug: Received encrypted confirmation. debug: Trying rhosts authentication. debug: Remote: Accepted for X.Y.Z [172.30.7.7] by /etc/hosts.equiv. [..] with the sshd from OpenSSH SNAP-20001016, this doesn't work - both sshds use the same /etc/sshd_config, just different ports, and the relevant options are set to "IgnoreRhosts no" and "RhostsRSAAuthentication yes". I just get the following in my client log: [..] debug: Sent encrypted session key. debug: Installing crc compensation attack detector. debug: Received encrypted confirmation. debug: Trying RSA authentication with key 'gd at Y.Z' debug: Server refused our key. debug: Doing password authentication. -> so it seems sshd SNAP-20001016 doesn't even offer rhosts authentication, no? (same client machine, same call to ssh, except the second one has "ssh -p 6022 ...") Any tips what could cause this, and how to find out why it isn't doing rhosts + /etc/hosts.equiv? 
Maybe this would be a nice addition for a future release: make the client print out the authentications that the server does and does not support, like: debug: Server refuses rhosts authentication <<<<< debug: Trying RSA authentication with key ... so you know that it's not a client issue but server side. (After all, there has to be some if() in the client somewhere that decides whether to print "Trying rhosts authentication"...) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From markus.friedl at informatik.uni-erlangen.de Sat Oct 28 04:02:55 2000 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 27 Oct 2000 19:02:55 +0200 Subject: openssh-SNAP-20001016 In-Reply-To: <20001027172035.H4300@greenie.muc.de>; from gert@greenie.muc.de on Fri, Oct 27, 2000 at 05:20:35PM +0200 References: <20001027154813.A7086@greenie.muc.de> <20001027172035.H4300@greenie.muc.de> Message-ID: <20001027190255.B6900@folly> On Fri, Oct 27, 2000 at 05:20:35PM +0200, Gert Doering wrote: > -> so it seems sshd SNAP-20001016 doesn't even offer rhosts > authentication, no? (same client machine, same call to ssh, except > the second one has "ssh -p 6022 ...") for rhosts+rsa server port has to be <1024. -m From markus.friedl at informatik.uni-erlangen.de Sat Oct 28 04:01:40 2000 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 27 Oct 2000 19:01:40 +0200 Subject: openssh-SNAP-20001016 In-Reply-To: <20001027154813.A7086@greenie.muc.de>; from gert@greenie.muc.de on Fri, Oct 27, 2000 at 03:48:13PM +0200 References: <20001027154813.A7086@greenie.muc.de> Message-ID: <20001027190140.A6900@folly> On Fri, Oct 27, 2000 at 03:48:13PM +0200, Gert Doering wrote: > userauth_reply(Authctxt *authctxt, int authenticated) > { > /* XXX todo: check if multiple auth methods are needed */ > if (authenticated == 1) { > #ifdef WITH_AIXAUTHENTICATE > /* We don't have a pty yet, so just label the line as "ssh" */ > if (loginsuccess(user, get_canonical_hostname(), "ssh", s/user/authctxt->pw->pw_name/ > &aixloginmsg) < 0) > aixloginmsg = NULL; > #endif /* WITH_AIXAUTHENTICATE */ > > > looking what "user" should be here, I find worse things in the other > place related to AIXAUTHENTICATE: > > > input_userauth_request(int type, int plen, void *ctxt) > { > Authctxt *authctxt = ctxt; > Authmethod *m = NULL; > char *user, *service, *method; > int authenticated = 0; > > if (authctxt == NULL) > fatal("input_userauth_request: no authctxt"); > if (authctxt->attempt++ >= AUTH_FAIL_MAX) { > #ifdef WITH_AIXAUTHENTICATE > loginfailed(user,get_canonical_hostname(),"ssh"); s/user/authctxt->user ? authctxt->user : ""/ > #endif /* WITH_AIXAUTHENTICATE */ > packet_disconnect("too many failed userauth_requests"); > } > > user = packet_get_string(NULL); > service = packet_get_string(NULL); > method = packet_get_string(NULL); -m From gert at greenie.muc.de Sat Oct 28 11:21:06 2000 
From: gert at greenie.muc.de (Gert Doering) Date: Sat, 28 Oct 2000 02:21:06 +0200 Subject: openssh-SNAP-20001016 In-Reply-To: <20001027190255.B6900@folly>; from Markus Friedl on Fri, Oct 27, 2000 at 07:02:55PM +0200 References: <20001027154813.A7086@greenie.muc.de> <20001027172035.H4300@greenie.muc.de> <20001027190255.B6900@folly> Message-ID: <20001028022106.J4300@greenie.muc.de> Hi, On Fri, Oct 27, 2000 at 07:02:55PM +0200, Markus Friedl wrote: > On Fri, Oct 27, 2000 at 05:20:35PM +0200, Gert Doering wrote: > > -> so it seems sshd SNAP-20001016 doesn't even offer rhosts > > authentication, no? (same client machine, same call to ssh, except > > the second one has "ssh -p 6022 ...") > > for rhosts+rsa server port has to be <1024. Why? I might see some reasoning (caution against rogue servers), but I'd see "password authentication" as a worse risk than proving that you have a certain private key. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From djm at mindrot.org Sat Oct 28 13:29:55 2000 
From: djm at mindrot.org (Damien Miller) Date: Sat, 28 Oct 2000 13:29:55 +1100 (EST) Subject: Typo in 2.2.0p1 ?? In-Reply-To: <41256985.003F54F1.00@contact31.cirso.fr> Message-ID: On Fri, 27 Oct 2000, Philippe WILLEM wrote: > I don't already figure out what is the real impact of this but I > think there is a typo in function sigchld_handler() in serverloop.c > (l 75). > > It is written > > if (WIFEXITED(child_wait_status) || > WIFSIGNALED(child_wait_status)) > child_terminated = 1; > child_has_selected = 0; > > But I think one actually means: > > if (WIFEXITED(child_wait_status) || > WIFSIGNALED(child_wait_status)) { > child_terminated = 1; > child_has_selected = 0; > } Quite so. Applied. Thanks, Damien Miller -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From djm at mindrot.org Sat Oct 28 13:36:40 2000 From: djm at mindrot.org (Damien Miller) Date: Sat, 28 Oct 2000 13:36:40 +1100 (EST) Subject: openssh-SNAP-20001016 In-Reply-To: <20001027154813.A7086@greenie.muc.de> Message-ID: On Fri, 27 Oct 2000, Gert Doering wrote: > Unfortunately, compilation then fails in auth2.c, because "user" is > not defined here: Sorry about this, the AIX stuff was mangled by the recent auth cleanup. Does this help? Index: auth2.c =================================================================== RCS file: /var/cvs/openssh/auth2.c,v retrieving revision 1.18 diff -u -r1.18 auth2.c --- auth2.c 2000/10/16 01:14:42 1.18 +++ auth2.c 2000/10/28 02:34:37 
@@ -193,7 +193,7 @@ fatal("input_userauth_request: no authctxt"); if (authctxt->attempt++ >= AUTH_FAIL_MAX) { #ifdef WITH_AIXAUTHENTICATE - loginfailed(user,get_canonical_hostname(),"ssh"); + loginfailed(authctxt->pw->pw_name, get_canonical_hostname(), "ssh"); #endif /* WITH_AIXAUTHENTICATE */ packet_disconnect("too many failed userauth_requests"); } @@ -306,8 +306,8 @@ if (authenticated == 1) { #ifdef WITH_AIXAUTHENTICATE /* We don't have a pty yet, so just label the line as "ssh" */ - if (loginsuccess(user, get_canonical_hostname(), "ssh", - &aixloginmsg) < 0) + if (loginsuccess(authctxt->pw->pw_name, get_canonical_hostname(), + "ssh", &aixloginmsg) < 0) aixloginmsg = NULL; #endif /* WITH_AIXAUTHENTICATE */ /* turn off userauth */ -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From dbt at meat.net Sat Oct 28 14:06:24 2000 From: dbt at meat.net (David Terrell) Date: Fri, 27 Oct 2000 20:06:24 -0700 Subject: Happy Birthday portable OpenSSH! In-Reply-To: ; from djm@mindrot.org on Fri, Oct 27, 2000 at 09:02:13AM +1100 References: Message-ID: <20001027200624.A19218@pianosa.catch22.org> On Fri, Oct 27, 2000 at 09:02:13AM +1100, Damien Miller wrote: > What sort of present does one give a thriving free software project on > its first birthday? :) Pizza? -- David Terrell | "Anyone want to start a fund for students Nebcorp Prime Minister | that vow not to work at MS?" dbt at meat.net | - Libor Michalek http://wwn.nebcorp.com/ From djm at mindrot.org Sat Oct 28 23:53:10 2000 
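Review bot: in the first hunk (`@@ -193,7`), `authctxt->pw->pw_name` is dereferenced on the too-many-failures path, but that path runs before this request's user name has been parsed (`user = packet_get_string(NULL)` follows the block, as quoted earlier in the thread), so `authctxt->pw` can still be NULL when no earlier attempt named a valid account. Use the NULL-safe form Markus suggested, `authctxt->user ? authctxt->user : ""`, or guard the dereference before calling `loginfailed`.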
From: djm at mindrot.org (Damien Miller) Date: Sat, 28 Oct 2000 23:53:10 +1100 (EST) Subject: Another shapshot Message-ID: I have just uploaded another snapshot to: http://www.mindrot.org/misc/openssh/openssh-SNAP-20001028.tar.gz Please test this one extra hard, it is likely to become 2.3.0p1 early next week. Regards, Damien Miller -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From pekkas at netcore.fi Sun Oct 29 01:17:49 2000 
From: pekkas at netcore.fi (Pekka Savola) Date: Sat, 28 Oct 2000 17:17:49 +0300 (EEST) Subject: Another shapshot In-Reply-To: Message-ID: On Sat, 28 Oct 2000, Damien Miller wrote: > http://www.mindrot.org/misc/openssh/openssh-SNAP-20001028.tar.gz > > Please test this one extra hard, it is likely to become 2.3.0p1 early > next week. --- Host: mips-sgi-irix6.5 Compiler: gcc Compiler flags: -g -O2 -Wall -I. -I. -I/usr/local/include -I/usr/local/lib/openssl/include Linker flags: -L/usr/local/lib/openssl/lib -L/usr/local/lib/openssl Libraries: -lz -lcrypto --- Preliminary (minor) tests show ok. However, there's an issue with a couple of bsd-*.c. They seem to use bcopy, which appears to want in Irix. Adding that is one warning less. Also, --- Host: i386-redhat-linux-gnu Compiler: gcc Compiler flags: -O2 -m486 -fno-strength-reduce -Wall -I. -I. -I/usr/include Linker flags: -L/usr/lib -L/usr Libraries: -ldl -lnsl -lz -lutil -lpam -lcrypto -lwrap --- Seems to work ok so far. There are two issues with .spec file: 1) apparently my earlier patch fell through cracks; gnome-libs-devel should not be required twice. 2) You need x11-askpass to build (ie. you can't just copy the spec and .tar.gz to the right place). It could be conditional. This is a little controversial, as .src.rpm's would omit x11-askpass source package but well.. who'd be building this on after redefining the defaults for distribution on a system which wouldn't have all the components required anyway. For consideration. -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" -------------- next part -------------- --- openssh.spec.orig Mon Oct 16 05:35:19 2000 +++ openssh.spec Sat Oct 28 17:14:45 2000 
@@ -17,14 +17,16 @@ Packager: Damien Miller URL: http://www.openssh.com/ Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{oversion}.tar.gz +%if ! %{no_x11_askpass} Source1: http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz +%endif Copyright: BSD Group: Applications/Internet BuildRoot: /tmp/openssh-%{version}-buildroot Obsoletes: ssh PreReq: openssl >= 0.9.5a Requires: openssl >= 0.9.5a -BuildPreReq: perl, openssl-devel, tcp_wrappers, gnome-libs-devel +BuildPreReq: perl, openssl-devel, tcp_wrappers BuildPreReq: /bin/login, /usr/bin/rsh, /usr/include/security/pam_appl.h %if ! %{no_gnome_askpass} BuildPreReq: gnome-libs-devel @@ -128,7 +130,11 @@ %prep +%if ! %{no_x11_askpass} %setup -q -a 1 +%else +%setup -q +%endif %build From chenda at cs.unc.edu Sun Oct 29 08:07:39 2000 From: chenda at cs.unc.edu (Daniel T. Chen) Date: Sat, 28 Oct 2000 17:07:39 -0400 (EDT) Subject: Another shapshot In-Reply-To: Message-ID: config/make/make install fine on SuSE 6.4 and SuSE 7.0 (x86, 2.2.18pre17aa1) GNU/Linux machines. Host: i686-pc-linux-gnu Compiler: gcc Compiler flags: -g -O2 -Wall -I. -I. -I/usr/local/ssl/include Linker flags: -L/usr/local/ssl/lib -L/usr/local/ssl Libraries: -ldl -lnsl -lz -lutil -lpam -lcrypto -lwrap dtc --- Daniel T. Chen | chenda at cs.unc.edu On Sat, 28 Oct 2000, Damien Miller wrote: > I have just uploaded another snapshot to: > > http://www.mindrot.org/misc/openssh/openssh-SNAP-20001028.tar.gz > > Please test this one extra hard, it is likely to become 2.3.0p1 early > next week. > > Regards, > Damien Miller > > From openssh-unix-dev at progressive-comp.com Sun Oct 29 17:35:10 2000 
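Review bot: the new `%if ! %{no_x11_askpass}` guards in both hunks only work if `no_x11_askpass` is defined alongside the existing `no_gnome_askpass` define; an undefined macro makes rpm abort while parsing the spec, so the define should be part of the same patch. The hunks also guard only `Source1` and `%prep`: any `%build`, `%install` or `%files` lines that reference x11-ssh-askpass need the same guard, otherwise a build without the tarball fails later instead of at `%setup`.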
From: openssh-unix-dev at progressive-comp.com (Hank Leininger) Date: Sun, 29 Oct 2000 01:35:10 -0500 Subject: having some trouble using another user's RSA/DSA keys Message-ID: <200010290635.BAA26851@mailer.progressive-comp.com> On 2000-10-25, Jim Breton wrote: > 1) I am still warned about bad permissions on the key file even though > I am root (I guess this would be a "wishlist" item since I can suppress > these warnings with the -q option); Right. The warning is not because you're unable to access the file, but because OpenSSH thinks it is a bad thing to ever use a private key which is readable or (worse) writable by any user other than the one running ssh. This is a feature ;) And while you may have a legitimate case where this feature isn't desired, it's generally the Right Thing To Do--the key is essentially compromised, and root (or any user, in the generic case) should not trust it. The workaround would be to put this key in ~root/.ssh/jamesbiden or such, root.root mode 600. > 2) I am unable to log in using that key. The passphrase is blank, but > key authentication fails and I am forced to enter a login password. Right, because: > # ssh -v -l jamesb -i ~jamesb/.ssh/identity [snip] > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ > Bad ownership or mode(0600) for '/home/jamesb/.ssh/identity'. > It is recommended that your private key files are NOT accessible by > others. > Enter passphrase for RSA key 'jamesb at tarkin': > debug: Remote: Wrong response to RSA authentication challenge. > debug: Doing password authentication. > jamesb@'s password: [ Even though you've said this key has no passphrase. ] I assume things are happy if you su - jamesb on the local host and then ssh remotehost? In that case I suspect this is a mildly buggy way of expressing "Hey, I'm not willing to even try to use this key, since it's essentially been compromised." 
Similar to how RSA authentication won't be tried if the remote host's key has changed. Probably, the workaround above will make this problem disappear. -- Hank Leininger From openssh-unix-dev at progressive-comp.com Sun Oct 29 17:52:58 2000 From: openssh-unix-dev at progressive-comp.com (Hank Leininger) Date: Sun, 29 Oct 2000 01:52:58 -0500 Subject: feature request & patch submit: chroot(2) in sshd Message-ID: <200010290652.BAA27517@mailer.progressive-comp.com> On 2000-10-24, Birger Toedtmann wrote: > Below is a tiny patch to 2.2.0p1 which enhances the sshd-config > by two options and, when set, places all users / users of a certain group > immediately in their sandbox. Cool. Hm... > + /* Do a chroot, if configured. */ > + if (options.use_chroot) { > + if ((!options.chroot_group) > + || (options.chroot_group ==pw->pw_gid)) { > + debug("Doing chroot to %s.",pw->pw_dir); + > + if (chroot(pw->pw_dir)) { > + log("Requested chroot failed: [%d] %s\n", > + errno,strerror(errno)); > + exit(1); > + } > + pw->pw_dir = "/"; > + } > + } Aren't you missing a 'chdir("/")' in there? Else you leak '.' outside the chroot jail. (Unless a chdir is guaranteed to be done between here, and when user processes get control?) -- Hank Leininger From Lutz.Jaenicke at aet.TU-Cottbus.DE Sun Oct 29 21:03:52 2000 
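The ownership-and-mode rule Hank spells out in his reply to Jim Breton above (the key must belong to the user running ssh and carry no group or other permission bits, so a 0600 key owned by jamesb is still refused when root runs ssh) as an added C example. This is not OpenSSH's own code: `key_perms_ok` and `check_private_key` are hypothetical names, and the rule they encode is taken from the warning text quoted in Jim's log and Hank's explanation, not from authfile.c.

```c
/* Added example (not OpenSSH code): the ownership-and-mode rule for
 * private key files described in the thread, as a standalone checker. */
#define _GNU_SOURCE 1
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if a private key with owner `owner` and permission bits `mode`
 * may be used by the user with uid `uid`, 0 otherwise.
 * Rule (assumption, modelled on the warning quoted in the thread):
 *   - the file must be owned by the invoking user, so root using
 *     ~jamesb/.ssh/identity is refused even though root can read it;
 *   - no group or other bits may be set ((mode & 077) == 0). */
int key_perms_ok(uid_t owner, mode_t mode, uid_t uid)
{
    if (owner != uid)
        return 0;
    if ((mode & 077) != 0)
        return 0;
    return 1;
}

/* stat() `path` and apply key_perms_ok for the calling user.
 * Writes a one-line reason into `why`; returns 1 (usable) or 0 (refuse). */
int check_private_key(const char *path, char *why, size_t whylen)
{
    struct stat st;

    if (stat(path, &st) != 0) {
        snprintf(why, whylen, "cannot stat %s", path);
        return 0;
    }
    if (!S_ISREG(st.st_mode)) {
        snprintf(why, whylen, "%s is not a regular file", path);
        return 0;
    }
    if (!key_perms_ok(st.st_uid, st.st_mode, getuid())) {
        snprintf(why, whylen,
                 "bad ownership or mode(%04o) for '%s': owner uid %lu, my uid %lu",
                 (unsigned)(st.st_mode & 07777), path,
                 (unsigned long)st.st_uid, (unsigned long)getuid());
        return 0;
    }
    snprintf(why, whylen, "ok");
    return 1;
}

int main(int argc, char **argv)
{
    char why[256];
    /* /etc/passwd is world-readable, so it is refused; pass a key path to test one. */
    const char *path = argc > 1 ? argv[1] : "/etc/passwd";
    int ok = check_private_key(path, why, sizeof why);

    printf("%s: %s\n", path, why);
    return ok ? 0 : 1;
}
```

Run against a 0600 key owned by another account, the tool reports the same kind of "bad ownership or mode(0600)" result Jim saw: the mode was fine, the owner was not. Copying the key to ~root/.ssh and chowning it root, as Hank suggests, is exactly what makes the owner check pass.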
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Sun, 29 Oct 2000 11:03:52 +0100 Subject: Another shapshot In-Reply-To: ; from djm@mindrot.org on Sat, Oct 28, 2000 at 11:53:10PM +1100 References: Message-ID: <20001029110352.A11185@serv01.aet.tu-cottbus.de> On Sat, Oct 28, 2000 at 11:53:10PM +1100, Damien Miller wrote: > http://www.mindrot.org/misc/openssh/openssh-SNAP-20001028.tar.gz Host: hppa2.0-hp-hpux10.20 Compiler: cc Compiler flags: -O -I. -I. -Ae -D_HPUX_SOURCE +DAportable -I/usr/local/include -I/usr/local/ssl/include Linker flags: -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/ssl Libraries: -lz -lsec -lcrypto -lwrap Compilation and some short tests passed. > Please test this one extra hard, it is likely to become 2.3.0p1 early > next week. Please give us at least the Monday for hard testing, it is much more comfortable sitting in front of my workstation instead of doing it via the ISDN line :-) Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From vinschen at redhat.com Sun Oct 29 23:01:49 2000 
From: vinschen at redhat.com (Corinna Vinschen) Date: Sun, 29 Oct 2000 13:01:49 +0100 Subject: Another shapshot References: Message-ID: <39FC11AD.3BB38630@redhat.com> Damien Miller wrote: > > I have just uploaded another snapshot to: > > http://www.mindrot.org/misc/openssh/openssh-SNAP-20001028.tar.gz > > Please test this one extra hard, it is likely to become 2.3.0p1 early > next week. Host: i686-pc-cygwin Compiler: gcc Compiler flags: -g -O2 -Wall -I. -I. -I/usr/include Linker flags: -L/usr/lib -L/usr Libraries: -lz -lregex /usr/lib/textmode.o -lcrypto Compiles and works OOTB. I tested sftp-server now for the first time. Works as well. Nevertheless I had a problem with the interoperability between an i686-pc-linux-gnu OpenSSH 2.1.1 and this snapshot. I couldn't use protocol version 2. The debug output stated "dsa_verify: signature incorrect" I tried that with both, a key pair created by ssh-keygen from 2.1.1 and a key pair created by ssh-keygen from the snapshot. No luck in either way. If you need details feel free to ask. I built the snapshot on the following system: Host: i686-pc-linux-gnu Compiler: gcc Compiler flags: -g -O2 -Wall -I. -I. -I/home/corinna/usr/include Linker flags: -L/home/corinna/usr/lib -L/home/corinna/usr Libraries: -ldl -lnsl -lz -lutil -lpam -lcrypto No problem at all. Smooth interoperability with the Cygwin snapshot even with version 2 protocol. Additionally I have attached a diff, which adds a `cygwin' subdirectory to `contrib'. It contains the Cygwin specific README and a shell script called `ssh-config'. It's part of the Cygwin OpenSSH binary distribution and it's the only source which isn't part of the official sources yet. It would be nice if these files could be added to the source tree prior to release 2.3.0p1. Thanks, Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin at sources.redhat.com Red Hat, Inc. 
mailto:vinschen at redhat.com -------------- next part -------------- Index: openssh-20001028/contrib/cygwin/README diff -u /dev/null openssh-20001028/contrib/cygwin/README:1.2 --- /dev/null Sun Oct 29 12:38:35 2000 +++ openssh-20001028/contrib/cygwin/README Sun Oct 29 12:37:48 2000 
@@ -0,0 +1,137 @@ +This package is the actual port of OpenSSH to Cygwin 1.1. + +=========================================================================== +Important change since 2.3.0p1: + +When using `ntea' or `ntsec' you now have to care for the ownership +and permission bits of your host key files and your private key files. +The host key files have to be owned by the NT account which starts +sshd. The user key files have to be owned by the user. The permission +bits of the private key files (host and user) have to be at least +rw------- (0600)! + +Note that this is forced under `ntsec' only if the files are on a NTFS +filesystem (which is recommended) due to the lack of any basic security +features of the FAT/FAT32 filesystems. +=========================================================================== + +Since this package is part of the base distribution now, the location +of the files has changed from /usr/local to /usr. The global configuration +files are in /etc now. + +If you are installing OpenSSH the first time, you can generate +global config files, server keys and your own user keys by running + + /usr/bin/ssh-config + +If you are updating your installation you may run the above ssh-config +as well to move your configuration files to the new location and to +erase the files at the old location. + +Be sure to start the new ssh-config when updating! + +Note that this binary archive doesn't contain default config files in /etc. +That files are only created if ssh-config is started. + +Install sshd as daemon via SRVANY.EXE (recommended on NT/W2K), via inetd +(results in very slow deamon startup!) or from the command line (recommended +on 9X/ME). + +If starting via inetd, copy sshd to eg. 
/usr/sbin/in.sshd and add the +following line to your inetd.conf file: + +sshd stream tcp nowait root /usr/sbin/in.sshd sshd -i + +Moreover you'll have to add the following line to your +${SYSTEMROOT}/system32/drivers/etc/services file: + + sshd 22/tcp #SSH daemon + +Authentication to sshd is possible in one of two ways. +You'll have to decide before starting sshd! + +- If you want to authenticate via RSA and you want to login to that + machine to exactly one user account you can do so by running sshd + under that user account. You must change /etc/sshd_config + to contain the following: + + RSAAuthentication yes + + Moreover it's possible to use rhosts and/or rhosts with + RSA authentication by setting the following in sshd_config: + + RhostsAuthentication yes + RhostsRSAAuthentication yes + +- If you want to be able to login to different user accounts you'll + have to start sshd under system account or any other account that + is able to switch user context. Note that administrators are _not_ + able to do that by default! You'll have to give the following + special user rights to the user: + "Act as part of the operating system" + "Replace process level token" + "Increase quotas" + and if used via service manager + "Logon as a service". + + The system account does of course own that user rights by default. + + Unfortunately, if you choose that way, you can only logon with + NT password authentification and you should change + /etc/sshd_config to contain the following: + + PasswordAuthentication yes + RhostsAuthentication no + RhostsRSAAuthentication no + RSAAuthentication no + + However you can login to the user which has started sshd with + RSA authentication anyway. 
If you want that, change the RSA + authentication setting back to "yes": + + RSAAuthentication yes + +You may use all features of the CYGWIN=ntsec setting the same +way as they are used by the `login' port on sources.redhat.com: + + The pw_gecos field may contain an additional field, that begins + with (upper case!) "U-", followed by the domain and the username + separated by a backslash. + CAUTION: The SID _must_ remain the _last_ field in pw_gecos! + BTW: The field separator in pw_gecos is the comma. + The username in pw_name itself may be any nice name: + + domuser::1104:513:John Doe,U-domain\user,S-1-5-21-... + + Now you may use `domuser' as your login name with telnet! + This is possible additionally for local users, if you don't like + your NT login name ;-) You only have to leave out the domain: + + locuser::1104:513:John Doe,U-user,S-1-5-21-... + +V2 server and user keys are generated by `ssh-config'. If you want to +create DSA keys by yourself, call ssh-keygen with `-d' option. + +DSA authentication similar to RSA: + Add keys to ~/.ssh/authorized_keys2 +Interop. w/ ssh.com dsa-keys: + ssh-keygen -f /key/from/ssh.com -X >> ~/.ssh/authorized_keys2 +and vice versa: + ssh-keygen -f /privatekey/from/openssh -x > ~/.ssh2/mykey.pub + echo Key mykey.pub >> ~/.ssh2/authorization + +If you want to build from source, the following options to +configure are used for the Cygwin binary distribution: + +--prefix=/usr --sysconfdir=/etc --libexecdir='${exec_prefix}/sbin + +You must have installed the zlib, openssl and regex packages to +be able to build OpenSSH! + +Please send requests, error reports etc. to cygwin at sources.redhat.com. + +Have fun, + +Corinna Vinschen +Cygwin Developer +Red Hat Inc. Index: openssh-20001028/contrib/cygwin/ssh-config diff -u /dev/null openssh-20001028/contrib/cygwin/ssh-config:1.1 --- /dev/null Sun Oct 29 12:38:35 2000 +++ openssh-20001028/contrib/cygwin/ssh-config Sun Oct 29 12:26:04 2000 
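Review bot: the heading `Important change since 2.3.0p1:` reads as if 2.3.0p1 were already released, while this README is meant to go in before that release; `as of 2.3.0p1` says what is meant. The pw_gecos section ("Now you may use `domuser' as your login name with telnet!") is carried over from the login port and should say ssh. Consider also a sentence next to the `RhostsAuthentication yes` example saying that it trusts the client's claimed identity and stays `no` in the generated sshd_config.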
@@ -0,0 +1,324 @@ +#!/bin/sh +# +# ssh-config, Copyright 2000, Red Hat Inc. +# +# This file is part of the Cygwin port of OpenSSH. + +# set -x + +# Subdirectory where the new package is being installed +PREFIX=/usr + +# Directory where the config files are stored +SYSCONFDIR=/etc + +# Subdirectory where an old package might be installed +OLDPREFIX=/usr/local +OLDSYSCONFDIR=${OLDPREFIX}/etc + +request() +{ + answer="" + while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] + do + echo -n "$1 (yes/no) " + read answer + done + if [ "X${answer}" = "Xyes" ] + then + return 0 + else + return 1 + fi +} + +# Check for running ssh/sshd processes first. Refuse to do anything while +# some ssh processes are still running + +if ps -ef | grep -v grep | grep -q ssh +then + echo + echo "There are still ssh processes running. Please shut them down first." + echo + exit 1 +fi + +# Check for ${SYSCONFDIR} directory + +if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ] +then + echo + echo "${SYSCONFDIR} is existant but not a directory." + echo "Cannot create global configuration files." + echo + exit 1 +fi + +# Create it if necessary + +if [ ! -e "${SYSCONFDIR}" ] +then + mkdir "${SYSCONFDIR}" + if [ ! -e "${SYSCONFDIR}" ] + then + echo + echo "Creating ${SYSCONFDIR} directory failed" + echo + exit 1 + fi +fi + +# Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't +# the same as ${PREFIX} + +if [ "${OLDPREFIX}" != "${PREFIX}" ] +then + if [ -f "${OLDPREFIX}/sbin/sshd" ] + then + echo + echo "You seem to have an older installation in ${OLDPREFIX}." + echo + # Check if old global configuration files exist + if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ] + then + if request "Do you want to copy your config files to your new installation?" 
+ then + cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR} + cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR} + cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR} + cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR} + cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR} + cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR} + fi + fi + if request "Do you want to erase your old installation?" + then + rm -f ${OLDPREFIX}/bin/ssh.exe + rm -f ${OLDPREFIX}/bin/ssh-config + rm -f ${OLDPREFIX}/bin/scp.exe + rm -f ${OLDPREFIX}/bin/ssh-add.exe + rm -f ${OLDPREFIX}/bin/ssh-agent.exe + rm -f ${OLDPREFIX}/bin/ssh-keygen.exe + rm -f ${OLDPREFIX}/bin/slogin + rm -f ${OLDSYSCONFDIR}/ssh_host_key + rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub + rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key + rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub + rm -f ${OLDSYSCONFDIR}/ssh_config + rm -f ${OLDSYSCONFDIR}/sshd_config + rm -f ${OLDPREFIX}/man/man1/ssh.1 + rm -f ${OLDPREFIX}/man/man1/scp.1 + rm -f ${OLDPREFIX}/man/man1/ssh-add.1 + rm -f ${OLDPREFIX}/man/man1/ssh-agent.1 + rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1 + rm -f ${OLDPREFIX}/man/man1/slogin.1 + rm -f ${OLDPREFIX}/man/man8/sshd.8 + rm -f ${OLDPREFIX}/sbin/sshd.exe + rm -f ${OLDPREFIX}/sbin/sftp-server.exe + fi + fi +fi + +# First generate host keys if not already existing + +if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] +then + echo "Generating ${SYSCONFDIR}/ssh_host_key" + ssh-keygen -f ${SYSCONFDIR}/ssh_host_key -N '' +fi + +if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] +then + echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key" + ssh-keygen -d -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' +fi + +# Check if ssh_config exists. If yes, ask for overwriting + +if [ -f "${SYSCONFDIR}/ssh_config" ] +then + if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?" + then + rm -f "${SYSCONFDIR}/ssh_config" + if [ -f "${SYSCONFDIR}/ssh_config" ] + then + echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected." 
+ fi + fi +fi + +# Create default ssh_config from here script + +if [ ! -f "${SYSCONFDIR}/ssh_config" ] +then + echo "Creating default ${SYSCONFDIR}/ssh_config file" + cat > ${SYSCONFDIR}/ssh_config << EOF +# This is ssh client systemwide configuration file. This file provides +# defaults for users, and the values can be changed in per-user configuration +# files or on the command line. + +# Configuration data is parsed as follows: +# 1. command line options +# 2. user-specific file +# 3. system-wide file +# Any configuration value is only changed the first time it is set. +# Thus, host-specific definitions should be at the beginning of the +# configuration file, and defaults at the end. + +# Site-wide defaults for various options + +# Host * +# ForwardAgent yes +# ForwardX11 yes +# RhostsAuthentication yes +# RhostsRSAAuthentication yes +# RSAAuthentication yes +# PasswordAuthentication yes +# FallBackToRsh no +# UseRsh no +# BatchMode no +# CheckHostIP yes +# StrictHostKeyChecking no +# IdentityFile ~/.ssh/identity +# Port 22 +# Protocol 2,1 +# Cipher 3des +# EscapeChar ~ + +# Be paranoid by default +Host * + ForwardAgent no + ForwardX11 no + FallBackToRsh no +EOF +fi + +# Check if sshd_config exists. If yes, ask for overwriting + +if [ -f "${SYSCONFDIR}/sshd_config" ] +then + if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?" + then + rm -f "${SYSCONFDIR}/sshd_config" + if [ -f "${SYSCONFDIR}/sshd_config" ] + then + echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected." + fi + fi +fi + +# Create default sshd_config from here script + +if [ ! -f "${SYSCONFDIR}/sshd_config" ] +then + echo "Creating default ${SYSCONFDIR}/sshd_config file" + cat > ${SYSCONFDIR}/sshd_config << EOF +# This is ssh server systemwide configuration file. 
+ +Port 22 +#Protocol 2,1 +ListenAddress 0.0.0.0 +#ListenAddress :: +#HostKey /etc/ssh_host_key +ServerKeyBits 768 +LoginGraceTime 600 +KeyRegenerationInterval 3600 +PermitRootLogin yes +# +# Don't read ~/.rhosts and ~/.shosts files +IgnoreRhosts yes +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes +StrictModes yes +X11Forwarding no +X11DisplayOffset 10 +PrintMotd yes +KeepAlive yes + +# Logging +SyslogFacility AUTH +LogLevel INFO +#obsoletes QuietMode and FascistLogging + +RhostsAuthentication no +# +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication no + +# To install for logon to different user accounts change to "no" here +RSAAuthentication yes + +# To install for logon to different user accounts change to "yes" here +PasswordAuthentication no + +PermitEmptyPasswords no + +CheckMail no +UseLogin no + +#Uncomment if you want to enable sftp +#Subsystem sftp /usr/sbin/sftp-server +#MaxStartups 10:30:60 +EOF +fi + +# Ask user if user identity should be generated + +if [ "X${HOME}" = "X" ] +then + echo '$HOME is nonexistant. Cannot create user identity files.' + exit 1 +fi + +if [ ! -d "${HOME}" ] +then + echo '$HOME is not a valid directory. Cannot create user identity files.' + exit 1 +fi + +# If HOME is the root dir, set HOME to empty string to avoid error messages +# in subsequent parts of that script. +if [ "X${HOME}" = "X/" ] +then + HOME='' +fi + +if [ -e "${HOME}/.ssh" -a ! -d "${HOME}/.ssh" ] +then + echo '$HOME/.ssh is existant but not a directory. Cannot create user identity files.' + exit 1 +fi + +if [ ! -e "${HOME}/.ssh" ] +then + mkdir "${HOME}/.ssh" + if [ ! -e "${HOME}/.ssh" ] + then + echo "Creating users ${HOME}/.ssh directory failed" + exit 1 + fi +fi + +if [ ! -f "${HOME}/.ssh/identity" ] +then + if request "Shall I create an RSA identity file for you?" 
+ then + echo "Generating ${HOME}/.ssh/identity" + ssh-keygen -f "${HOME}/.ssh/identity" + fi +fi + +if [ ! -f "${HOME}/.ssh/id_dsa" ] +then + if request "Shall I create an DSA identity file for you? (yes/no) " + then + echo "Generating ${HOME}/.ssh/id_dsa" + ssh-keygen -d -f "${HOME}/.ssh/id_dsa" + fi +fi + +echo +echo "Note: If you have used sshd as service or from inetd, don't forget to" +echo " change the path to sshd.exe in the service entry or in inetd.conf." +echo +echo "Configuration finished. Have fun!" From birger at takatukaland.de Sun Oct 29 23:28:05 2000 
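Review bot: the generated sshd_config sets `PermitRootLogin yes`, while the README recommends running sshd under the SYSTEM account with `PasswordAuthentication yes` for multi-user setups; default to `no` (or `without-password`) so the administrator account is not exposed to password guessing. Two smaller points: the process check `ps -ef | grep -v grep | grep -q ssh` matches any process whose name contains `ssh`, so anchor the pattern to the sshd/ssh executables; and the prompt `"Shall I create an DSA identity file for you? (yes/no) "` repeats the `(yes/no)` that `request()` already appends (and `an DSA` should read `a DSA`).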
From: birger at takatukaland.de (Birger Toedtmann) Date: Sun, 29 Oct 2000 13:28:05 +0100 Subject: feature request & patch submit: chroot(2) in sshd In-Reply-To: <200010290652.BAA27517@mailer.progressive-comp.com>; from openssh-unix-dev@progressive-comp.com on Sun, Oct 29, 2000 at 01:52:58AM -0500 References: <200010290652.BAA27517@mailer.progressive-comp.com> Message-ID: <20001029132805.A17473@spock.takatukaland.de> On Sun, Oct 29, 2000 at 01:52:58AM -0500, Hank Leininger wrote: > On 2000-10-24, Birger Toedtmann wrote: > > > Below is a tiny patch to 2.2.0p1 which enhances the sshd-config > > by two options and, when set, places all users / users of a certain group > > immediately in their sandbox. > > Cool. Hm... > > > + /* Do a chroot, if configured. */ > > + if (options.use_chroot) { > > + if ((!options.chroot_group) > > + || (options.chroot_group ==pw->pw_gid)) { > > + debug("Doing chroot to %s.",pw->pw_dir); + > > + if (chroot(pw->pw_dir)) { > > + log("Requested chroot failed: [%d] %s\n", > > + errno,strerror(errno)); > > + exit(1); > > + } > > + pw->pw_dir = "/"; > > + } > > + } > > Aren't you missing a 'chdir("/")' in there? Else you leak '.' outside the > chroot jail. (Unless a chdir is guaranteed to be done between here, and > when user processes get control?) Well, right beneath this code session.c switches uid/gid and then sets the environment. $HOME is set to pw->pw_dir (already set to "/") and $HOME/.ssh/environment gets its share. After this, the chdir() is made.... ...hmmm - do you think one might be able to fool .ssh/environment into leaking information about "."? 
If this could be done you are quite right about doing the chdir() right here, so maybe it should look like this: > > + if (chroot(pw->pw_dir)) { > > + log("Requested chroot failed: [%d] %s\n", > > + errno,strerror(errno)); > > + exit(1); > > + } > > + pw->pw_dir = "/"; * chdir(pw->pw_dir); > > + } > > + } Then chdir() is made twice, which I found somewhat irritating, but one should not place beautified code above security ;-) Alas: I did not manage to get $HOME/.ssh/environment into this kind of "."- intelligence-gathering, just got me curious. Any suggestions? Regards, Birger -- Birger Toedtmann, Bielefeld, Germany. 00 83 E2 57 EC 60 0B 1C D3 18 AE 2A 40 55 81 22 From gem at rellim.com Mon Oct 30 05:10:10 2000 
From: gem at rellim.com (Gary E. Miller) Date: Sun, 29 Oct 2000 10:10:10 -0800 (PST) Subject: Another shapshot In-Reply-To: Message-ID: Yo Damien! On Sat, 28 Oct 2000, Damien Miller wrote: > http://www.mindrot.org/misc/openssh/openssh-SNAP-20001028.tar.gz > > Please test this one extra hard, it is likely to become 2.3.0p1 early > next week. First pass, this seems to compile and work fine on Slackware 7.0: Host: i686-pc-linux-gnu Compiler: gcc Compiler flags: -g -O2 -Wall -I. -I. -I/usr/local/ssl/include Linker flags: -L/usr/local/ssl/lib -L/usr/local/ssl Libraries: -lnsl -lz -lutil -lcrypto -lwrap And on Unixware 7.1.0: Host: i586-sco-sysv5uw7.1.0 Compiler: cc Compiler flags: -g -I. -I. -I/usr/local/include -I/usr/local/ssl/include Linker flags: -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/ssl Libraries: -lsocket -lnsl -lz -lgen -lsocket -lcrypto Unixware does give a few warnings that I have not tracked down. I am also having trouble with logging in to an sshd on Unixware running Ver 2. Ver 1 works fine. I will try to make some time to track this down in the next few days. RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 From stevesk at sweden.hp.com Mon Oct 30 06:44:27 2000 
From: stevesk at sweden.hp.com (Kevin Steves) Date: Sun, 29 Oct 2000 20:44:27 +0100 (MET) Subject: Another shapshot In-Reply-To: <39FC11AD.3BB38630@redhat.com> Message-ID: On Sun, 29 Oct 2000, Corinna Vinschen wrote: : Nevertheless I had a problem with the interoperability between an : i686-pc-linux-gnu OpenSSH 2.1.1 and this snapshot. I couldn't use : protocol version 2. The debug output stated : : "dsa_verify: signature incorrect" I see that too using 2.1.1p4 as the client. Works fine with 2.2.0p1. : Additionally I have attached a diff, which adds a `cygwin' subdirectory : to `contrib'. It contains the Cygwin specific README and a shell script : called `ssh-config'. It's part of the Cygwin OpenSSH binary distribution : and it's the only source which isn't part of the official sources yet. : : It would be nice if these files could be added to the source tree prior : to release 2.3.0p1. I checked these in--thanks! From rob at hagopian.net Mon Oct 30 07:25:06 2000 From: rob at hagopian.net (Rob Hagopian) Date: Sun, 29 Oct 2000 15:25:06 -0500 (EST) Subject: Another shapshot In-Reply-To: <39FC11AD.3BB38630@redhat.com> Message-ID: I had this problem with the last snapshot too... upgrading both ends fixes the problem... -Rob On Sun, 29 Oct 2000, Corinna Vinschen wrote: > Nevertheless I had a problem with the interoperability between an > i686-pc-linux-gnu OpenSSH 2.1.1 and this snapshot. I couldn't use > protocol version 2. The debug output stated > > "dsa_verify: signature incorrect" > > I tried that with both, a key pair created by ssh-keygen from 2.1.1 > and a key pair created by ssh-keygen from the snapshot. No luck in > either way. If you need details feel free to ask. From openssh-unix-dev at progressive-comp.com Mon Oct 30 08:07:35 2000 
From: openssh-unix-dev at progressive-comp.com (Hank Leininger) Date: Sun, 29 Oct 2000 16:07:35 -0500 Subject: feature request & patch submit: chroot(2) in sshd Message-ID: <200010292107.QAA29853@mailer.progressive-comp.com> On 2000-10-29, Birger Toedtmann wrote: > On Sun, Oct 29, 2000 at 01:52:58AM -0500, Hank Leininger wrote: > > Aren't you missing a 'chdir("/")' in there? Else you leak '.' > > outside the chroot jail. (Unless a chdir is guaranteed to be done > > between here, and when user processes get control?) > Well, right beneath this code session.c switches uid/gid and then sets > the environment. $HOME is set to pw->pw_dir (already set to "/") and > $HOME/.ssh/environment gets its share. After this, the chdir() is > made.... Ah. OK, so there is a chdir() guaranteed. Although you raise a good point: > ...hmmm - do you think one might be able to fool .ssh/environment into > leaking information about "."? I'm really not sure. But for warm-and-fuzzy, obviously-correct behavior, I'd vote for an explicit chdir(pw->pw_dir) right after pw->pw_dir = "/" as you suggest. Consider the alternative -- we might audit the behavior of .ssh/environment usage now and deem it safe, only to have others decide later, for whatever seems like good reasons at the time, to break our assumptions wrt its safety in the face of things getting reordered, odd custom shells, forced commands from authorized_keys, scp's, and whatnot. Better IMHO to have the fact that it is Done Right localized and hard to break accidentally by other subtle means. Hm. For instance... $HOME/.ssh/environment processing, and then chdir, are done after dropping privs. Which the chroot() code itself obviously cannot be, as one needs to still be e?uid=0 to chroot(2). What if we are told to chroot to a directory for which the current user has no execute permission? 
The chroot will succeed, but the later chdir will fail--and it will not "know" that failure has security implications, it will only think that a boring error has occurred, and the admin is dumb. Yes, this is a wetware-bug if it is one at all (and a stretch in general; if one can't execute '/', not much will work beyond that point, including accessing $HOME/.ssh/environment =), but this kind of non-obvious consequence is not good.

> If this could be done you are quite
> right about doing the chdir() right here, so maybe it should look like
> this: [snip]
> Alas: I did not manage to get $HOME/.ssh/environment into this kind of
> "."- intelligence-gathering, just got me curious. Any suggestions?

Well, if I understand you correctly, a simple test:

$ head -c16 .ssh/authorized_keys ;echo
from="localhost,
$ echo 'HOME=.' >.ssh/environment
$ ssh localhost echo \$HOME

From vinschen at redhat.com Mon Oct 30 08:11:14 2000
From: vinschen at redhat.com (Corinna Vinschen) Date: Sun, 29 Oct 2000 22:11:14 +0100 Subject: Another shapshot References: Message-ID: <39FC9272.CD525DF3@redhat.com> Rob Hagopian wrote: > > I had this problem with the last snapshot too... upgrading both ends fixes > the problem... I just fear that many people will not be able to decide about the other side of the connection... Corinna > -Rob > > On Sun, 29 Oct 2000, Corinna Vinschen wrote: > > > Nevertheless I had a problem with the interoperability between an > > i686-pc-linux-gnu OpenSSH 2.1.1 and this snapshot. I couldn't use > > protocol version 2. The debug output stated > > > > "dsa_verify: signature incorrect" > > > > I tried that with both, a key pair created by ssh-keygen from 2.1.1 > > and a key pair created by ssh-keygen from the snapshot. No luck in > > either way. If you need details feel free to ask. -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin at sources.redhat.com Red Hat, Inc. mailto:vinschen at redhat.com From rob at hagopian.net Mon Oct 30 08:36:04 2000 
From: rob at hagopian.net (Rob Hagopian) Date: Sun, 29 Oct 2000 16:36:04 -0500 (EST) Subject: Another shapshot In-Reply-To: <39FC9272.CD525DF3@redhat.com> Message-ID:

I agree (I reported it as a bug in the last snapshot), I should have called it a workaround rather than a fix...

-Rob

On Sun, 29 Oct 2000, Corinna Vinschen wrote:
> Rob Hagopian wrote:
> >
> > I had this problem with the last snapshot too... upgrading both ends fixes
> > the problem...
>
> I just fear that many people will not be able to decide about
> the other side of the connection...
>
> Corinna
>
> > -Rob
> >
> > On Sun, 29 Oct 2000, Corinna Vinschen wrote:
> >
> > > Nevertheless I had a problem with the interoperability between an
> > > i686-pc-linux-gnu OpenSSH 2.1.1 and this snapshot. I couldn't use
> > > protocol version 2. The debug output stated
> > >
> > > "dsa_verify: signature incorrect"
> > >
> > > I tried that with both, a key pair created by ssh-keygen from 2.1.1
> > > and a key pair created by ssh-keygen from the snapshot. No luck in
> > > either way. If you need details feel free to ask.
> >

From mouring at pconline.com Mon Oct 30 09:42:29 2000
From: mouring at pconline.com (Ben Lindstrom) Date: Sun, 29 Oct 2000 16:42:29 -0600 (CST) Subject: Another shapshot In-Reply-To: <39FC9272.CD525DF3@redhat.com> Message-ID:

Host: m68k-next-openstep4
Compiler: cc
Compiler flags: -g -O2 -Wall -I. -I. -I/usr/local/include -I/usr/local/ssl/include
Linker flags: -L/usr/local/ssl/lib -L/usr/local/ssl
Libraries: -lz -lpcreposix -lpcre -lcrypto

Compiles and works under OpenStep 4.2.. And I assume the scp randomly hanging after you're finished has been fixed (had to add in USE_PIPE defined).

From gem at rellim.com Mon Oct 30 14:55:46 2000
From: gem at rellim.com (Gary E. Miller) Date: Sun, 29 Oct 2000 19:55:46 -0800 (PST) Subject: Another shapshot In-Reply-To: Message-ID: Yo All! I can not seem to get the openssh-SNAP-20001028.tar.gz to work with sshd v2 on Unixware. sshd v1 seems fine. See below my sig for a trace of both ends of a hung connect. I get the same error whether I connect from ssh on slackware or unixware. The same sshd code works fine for me on slackware. RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 bash-2.03# /usr/local/sbin/sshd -p 200 -d -d debug1: sshd version OpenSSH_2.3.0p1 debug1: Seeded RNG with 34 bytes from programs debug1: Seeded RNG with 3 bytes from system calls debug1: read DSA private key done debug1: Seeded RNG with 34 bytes from programs debug1: Seeded RNG with 3 bytes from system calls debug1: Bind to port 200 on 0.0.0.0. Server listening on 0.0.0.0 port 200. Generating 768 bit RSA key. debug1: Seeded RNG with 34 bytes from programs debug1: Seeded RNG with 3 bytes from system calls debug1: Seeded RNG with 34 bytes from programs debug1: Seeded RNG with 3 bytes from system calls RSA key generation complete. debug1: Server will not fork when running in debugging mode. 
Connection from 127.0.0.1 port 766 debug1: Client protocol version 2.0; client software version OpenSSH_2.3.0p1 debug1: no match: OpenSSH_2.3.0p1 Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1 debug1: send KEXINIT debug1: done debug1: wait KEXINIT debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug1: got kexinit: ssh-dss debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug1: got kexinit: none debug1: got kexinit: none debug1: got kexinit: debug1: got kexinit: debug1: first kex follow: 0 debug1: reserved: 0 debug1: done debug1: kex: client->server 3des-cbc hmac-sha1 none debug1: kex: server->client 3des-cbc hmac-sha1 none debug1: Wait SSH2_MSG_KEX_DH_GEX_REQUEST. /usr/local/etc/primes: No such file or directory WARNING: /usr/local/etc/primes does not exist, using old prime debug1: bits set: 524/1024 debug1: Sending SSH2_MSG_KEX_DH_GEX_GROUP. debug1: Wait SSH2_MSG_KEX_DH_GEX_INIT. debug1: bits set: 511/1024 debug1: sig size 20 20 debug1: send SSH2_MSG_NEWKEYS. debug1: done: send SSH2_MSG_NEWKEYS. debug1: Wait SSH2_MSG_NEWKEYS. debug1: GOT SSH2_MSG_NEWKEYS. debug1: done: KEX2. 
debug1: userauth-request for user gem service ssh-connection method none debug1: attempt #1 debug2: input_userauth_request: setting up authctxt for gem debug2: input_userauth_request: try method none Failed none for gem from 127.0.0.1 port 766 ssh2 debug1: userauth-request for user gem service ssh-connection method password debug1: attempt #2 debug2: input_userauth_request: try method password Accepted password for gem from 127.0.0.1 port 766 ssh2 debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 32768 max 16384 debug1: open session debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: confirm session debug2: callback start debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 channel 0 request pty-req reply 0 debug1: Received SIGCHLD. 
error: grantpt: Interrupted system call error: session_pty_req: session 0 alloc failed debug2: callback done debug2: callback start debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 channel 0 request shell reply 0 debug1: fd 11 setting O_NONBLOCK debug1: fd 13 setting O_NONBLOCK debug2: callback done debug1: tvp!=NULL kid 1 mili 100 debug1: session_by_pid: pid 24483 error: session_by_pid: unknown pid 24483 debug1: dump: used 1 session 0 80f423c channel 0 pid 24484 debug1: dump: used 0 session 1 80f42c8 channel 0 pid 0 debug1: dump: used 0 session 2 80f4354 channel 0 pid 0 debug1: dump: used 0 session 3 80f43e0 channel 0 pid 0 debug1: dump: used 0 session 4 80f446c channel 0 pid 0 debug1: dump: used 0 session 5 80f44f8 channel 0 pid 0 debug1: dump: used 0 session 6 80f4584 channel 0 pid 0 debug1: dump: used 0 session 7 80f4610 channel 0 pid 0 debug1: dump: used 0 session 8 80f469c channel 0 pid 0 debug1: dump: used 0 session 9 80f4728 channel 0 pid 0 debug1: session_close_by_pid: no session for pid 0 debug2: channel 0: read 13 from efd 13 debug2: channel 0: read 11 from efd 13 debug2: channel 0: read 14 from efd 13 debug2: channel 0: read 17 from efd 13 debug2: channel 0: read 37 from efd 13 debug2: channel 0: read 22 from efd 13 debug2: channel 0: read 18 from efd 13 debug2: channel 0: read 17 from efd 13 debug2: channel 0: read 31 from efd 13 [hang] bash-2.03# ssh -l gem -v -v -p 200 localhost SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f). debug: Reading configuration data /usr/local/etc/ssh_config debug: Applying options for * debug: Applying options for * debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: ssh_connect: getuid 0 geteuid 0 anon 0 debug: Connecting to localhost [127.0.0.1] port 200. debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Allocated local port 766. 
debug: Connection established. debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1 debug: no match: OpenSSH_2.3.0p1 Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-2.0-OpenSSH_2.3.0p1 debug: send KEXINIT debug: done debug: wait KEXINIT debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug: got kexinit: ssh-dss debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug: got kexinit: none,zlib debug: got kexinit: none,zlib debug: got kexinit: debug: got kexinit: debug: first kex follow: 0 debug: reserved: 0 debug: done debug: kex: server->client 3des-cbc hmac-sha1 none debug: kex: client->server 3des-cbc hmac-sha1 none debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST. debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP. H2_MSG_KEX_DH_GEX_INIT. debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY. debug: Got SSH2_MSG_KEXDH_REPLY. debug: Forcing accepting of host key for loopback/localhost. debug: bits set: 524/1024 debug: len 55 datafellows 0 debug: dsa_verify: signature correct debug: Wait SSH2_MSG_NEWKEYS. debug: GOT SSH2_MSG_NEWKEYS. debug: send SSH2_MSG_NEWKEYS. debug: done: send SSH2_MSG_NEWKEYS. debug: done: KEX2. 
debug: send SSH2_MSG_SERVICE_REQUEST debug: service_accept: ssh-userauth debug: got SSH2_MSG_SERVICE_ACCEPT debug: authentications that can continue: publickey,password debug: next auth method to try is publickey debug: key does not exist: /root/.ssh/id_dsa debug: we did not send a packet, disable method debug: next auth method to try is password gem at localhost's password: debug: we sent a password packet, wait for reply debug: ssh-userauth2 successfull: method password debug: no set_nonblock for tty fd 6 debug: no set_nonblock for tty fd 7 debug: no set_nonblock for tty fd 8 debug: channel 0: new [client-session] debug: send channel open 0 debug: Entering interactive session. debug: callback start debug: client_init id 0 arg 0 debug: channel request 0: shell debug: client_set_session_ident: id 0 debug: callback done debug: channel 0: open confirm rwindow 0 rmax 16384 debug: channel 0: rcvd adjust 32768 debug: channel 0: rcvd ext data 13 Environment: debug: channel 0: written 13 to efd 8 debug: channel 0: rcvd ext data 11 USER=gem debug: channel 0: written 11 to efd 8 debug: channel 0: rcvd ext data 14 LOGNAME=gem debug: channel 0: written 14 to efd 8 debug: channel 0: rcvd ext data 17 HOME=/home/gem debug: channel 0: written 17 to efd 8 debug: channel 0: rcvd ext data 37 PATH=/usr/bin:/bin:/usr/sbin:/sbin debug: channel 0: written 37 to efd 8 debug: channel 0: rcvd ext data 22 MAIL=/var/mail//gem debug: channel 0: written 22 to efd 8 debug: channel 0: rcvd ext data 18 SHELL=/bin/bash debug: channel 0: written 18 to efd 8 debug: channel 0: rcvd ext data 17 TZ=:US/Pacific debug: channel 0: written 17 to efd 8 debug: channel 0: rcvd ext data 31 SSH_CLIENT=127.0.0.1 766 200 debug: channel 0: written 31 to efd 8 [hang] From gert at greenie.muc.de Mon Oct 30 20:57:19 2000 
From: gert at greenie.muc.de (Gert Doering) Date: Mon, 30 Oct 2000 10:57:19 +0100 Subject: Feature disappeared? Message-ID: <20001030105719.A18000@greenie.muc.de>

Hi,

working on tightening our network (somewhat) today, I found that OpenSSH doesn't seem to have the "AllowSHosts" directive (in sshd_config) that Commercial SSH (at least 1.2.25 & up) has.

Now I wonder whether that hasn't been implemented yet, or has been dropped for a certain reason.

I find this very useful for what I want to achieve - inside the company network, .shosts is honoured, from outside the company, it isn't. No matter what people put in their .shosts, they can't login from home without a password (and S/Key in future), thus a break-in into their home machine won't immediately break the office network as well...

Or is this train of thought flawed somewhere? (As usual, I have to balance user convenience vs. security - if security is too inconvenient, people won't use it).

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From birger at takatukaland.de Mon Oct 30 21:30:28 2000
From: birger at takatukaland.de (Birger Toedtmann) Date: Mon, 30 Oct 2000 11:30:28 +0100 Subject: feature request & patch submit: chroot(2) in sshd In-Reply-To: <200010292107.QAA29853@mailer.progressive-comp.com>; from openssh-unix-dev@progressive-comp.com on Sun, Oct 29, 2000 at 04:07:35PM -0500 References: <200010292107.QAA29853@mailer.progressive-comp.com> Message-ID: <20001030113028.B18688@spock.takatukaland.de> On Sun, Oct 29, 2000 at 04:07:35PM -0500, Hank Leininger wrote: > On 2000-10-29, Birger Toedtmann wrote: > > > On Sun, Oct 29, 2000 at 01:52:58AM -0500, Hank Leininger wrote: > > > > Aren't you missing a 'chdir("/")' in there? Else you leak '.' > > > outside the chroot jail. (Unless a chdir is guaranteed to be done > > > between here, and when user processes get control?) > > > Well, right beneath this code session.c switches uid/gid and then sets > > the environment. $HOME is set to pw->pw_dir (already set to "/") and > > $HOME/.ssh/environment gets its share. After this, the chdir() is > > made.... > > Ah. OK, so there is a chdir() guaranteed. Although you raise a good > point: > > > ...hmmm - do you think one might be able to fool .ssh/environment into > > leaking information about "."? > > I'm really not sure. But for warm-and-fuzzy, obviously-correct behavior, > I'd vote for an explicit chdir(pw->pw_dir) right after pw->pw_dir = "/" as > you suggest. Consider the alternative -- we might audit the behavior of > ..ssh/environment usage now and deem it safe, only to have others decide > later, for whatever seems like good reasons at the time, to break our > assumptions wrt its safety in the face of things getting reordered, odd > custom shells, forced commands from authorized_keys, scp's, and whatnot. > Better IMHO to have the fact that it is Done Right localized and hard to > break accidentally by other subtle means. [...] Alright, this seems reasonable. So I tested around a bit with some weird outcome. 
The new patch includes a chdir() right after chroot(). I set the home of my prisoner to 644 just to have a closer look. Whoops - first chdir() succeeded, the second did not! I think with uid=0 chdir()ing to a 644 sounds quite ok, whereas uid!=0 makes some difference. Machine is a linux box.

BTW: I (stupendously) oversaw the chroot.diff within contrib/ which does something similar upon a "/./"-criterion regarding the homedir section of user credentials. Now I'm not quite sure about the usefulness of either patch but we use the UseChroot/ChrootGroup one quite successfully on a web application server maintained via ssh by its customers.

Regards,
--
Birger Tödtmann, Bielefeld, Germany. 00 83 E2 57 EC 60 0B 1C D3 18 AE 2A 40 55 81 22

-------------- next part -------------- Common subdirectories: openssh-2.2.0p1/contrib and openssh-2.2.0p1chroot/contrib diff -u openssh-2.2.0p1/servconf.c openssh-2.2.0p1chroot/servconf.c --- openssh-2.2.0p1/servconf.c Fri Aug 18 05:59:06 2000 +++ openssh-2.2.0p1chroot/servconf.c Mon Oct 30 12:03:49 2000 @@ -68,6 +68,8 @@ #endif options->permit_empty_passwd = -1; options->use_login = -1; + options->use_chroot = -1; + options->chroot_group = -1; options->num_allow_users = 0; options->num_deny_users = 0; options->num_allow_groups = 0; @@ -158,6 +160,10 @@ options->permit_empty_passwd = 0; if (options->use_login == -1) options->use_login = 0; + if (options->use_chroot == -1) + options->use_chroot = 0; + if (options->chroot_group == -1) + options->chroot_group = 0; if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_1|SSH_PROTO_2; if (options->gateway_ports == -1)
@@ -189,6 +195,7 @@ sPrintMotd, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sRandomSeedFile, sKeepAlives, sCheckMail, sUseLogin, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, + sUseChroot, sChrootGroup, sIgnoreUserKnownHosts, sHostDSAKeyFile, sCiphers, sProtocol, sPidFile, sGatewayPorts, sDSAAuthentication, sXAuthLocation, sSubsystem, sMaxStartups } ServerOpCodes; @@ -236,6 +243,8 @@ { "strictmodes", sStrictModes }, { "permitemptypasswords", sEmptyPasswd }, { "uselogin", sUseLogin }, + { "usechroot", sUseChroot }, + { "chrootgroup", sChrootGroup }, { "randomseed", sRandomSeedFile }, { "keepalive", sKeepAlives }, { "allowusers", sAllowUsers }, @@ -540,6 +549,14 @@ case sUseLogin: intptr = &options->use_login; goto parse_flag; + + case sUseChroot: + intptr = &options->use_chroot; + goto parse_flag; + + case sChrootGroup: + intptr = &options->chroot_group; + goto parse_int; case sGatewayPorts: intptr = &options->gateway_ports; diff -u openssh-2.2.0p1/servconf.h openssh-2.2.0p1chroot/servconf.h --- openssh-2.2.0p1/servconf.h Fri Aug 18 05:59:06 2000 +++ openssh-2.2.0p1chroot/servconf.h Mon Oct 30 12:03:49 2000 @@ -87,6 +87,9 @@ int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int use_login; /* If true, login(1) is used */ + int use_chroot; /* If true, do a chroot to homedir */ + int chroot_group; /* If nonzero, chroot only when equal + to gid */ unsigned int num_allow_users; char *allow_users[MAX_ALLOW_USERS]; unsigned int num_deny_users; diff -u openssh-2.2.0p1/session.c openssh-2.2.0p1chroot/session.c --- openssh-2.2.0p1/session.c Wed Aug 30 00:21:22 2000 +++ openssh-2.2.0p1chroot/session.c Mon Oct 30 12:06:58 2000 
@@ -948,6 +948,26 @@ } #endif /* USE_PAM */ + /* Do a chroot, if configured. */ + if (options.use_chroot) { + if ((!options.chroot_group) + || (options.chroot_group == pw->pw_gid)) { + debug("Doing chroot to %s.",pw->pw_dir); + if (chroot(pw->pw_dir) < 0) { + log("Requested chroot failed: [%d] %s\n", + errno,strerror(errno)); + exit(1); + } + debug("Doing chdir to / within chroot dir %s.",pw->pw_dir); + pw->pw_dir = "/"; + if (chdir(pw->pw_dir) < 0) { + log("Unable to chdir to home directory /: [%d] %s\n", + errno,strerror(errno)); + exit(1); + }; + } + } + /* Set login name, uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h" switch, so we let login(1) to this for us. */ diff -u openssh-2.2.0p1/sshd.8 openssh-2.2.0p1chroot/sshd.8 --- openssh-2.2.0p1/sshd.8 Tue Aug 29 02:33:51 2000 +++ openssh-2.2.0p1chroot/sshd.8 Mon Oct 30 12:03:50 2000 @@ -290,6 +290,15 @@ Only user names are valid; a numerical user ID isn't recognized. By default login is allowed regardless of the user name. .Pp +.It Cm ChrootGroup +Only useful when +.Cm UseChroot +is set to +.Dq yes . +Specifies which group of users +.Nm sshd +should drop into a chrooted homedir (a.k.a. sandbox) upon login. +Only numerical gid's are allowed. .It Cm Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. @@ -597,6 +606,12 @@ The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The default is AUTH. +.It Cm UseChroot +Do a chroot(2) into the users homedirectory after successful login. +If option +.Cm ChrootGroup +is not set, this applies for all users. The default is +.Dq no . .It Cm UseLogin Specifies whether .Xr login 1 From jmknoble at jmknoble.cx Mon Oct 30 21:53:09 2000 
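Review bot: in the servconf.c `case sChrootGroup:` hunk, `parse_int` stores the raw gid and the defaults hunk plus the `!options.chroot_group` test in session.c treat 0 as "not configured", so a ChrootGroup of 0 can never be selected and the option only accepts a number, not a group name. Keep a separate "configured" flag (or initialise to -1 and test for that) instead of overloading 0, and consider resolving names with getgrnam(3) so the sshd.8 text "Only numerical gid's are allowed" can become "group name or gid".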
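Review bot: in the session.c hunk, the `chdir(pw->pw_dir)` after `pw->pw_dir = "/"` runs while sshd is still uid 0, so it succeeds even when the user cannot search the jail (root bypasses the mode bits); that is exactly the 644 home case reported above, and the failure then surfaces only after the uid switch. Either check the directory's mode against pw->pw_uid/pw->pw_gid before chroot() and refuse with a clear log line, or repeat the chdir after the uid switch and treat failure as fatal. Separately, `chroot(pw->pw_dir)` jails into a directory the user owns and can write, and the comment immediately below notes that with UseLogin login(1) still runs with uid 0, which would then execute inside a user-controlled tree; refuse that combination or require a root-owned, non-user-writable jail. Minor: the `};` closing the inner `if` is a stray empty statement, and the `\n` at the end of the `log()` format strings is not needed by sshd's log().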
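The jail-entry sequence the thread converges on, as an added example that is not OpenSSH's code and not the patch above: a pre-check that the target user could actually search the jail (the point Hank raises and the 644-home experiment confirms, since root's chdir proves nothing), then chroot(), chdir("/"), and the privilege drop with a check that it stuck. The helper names `dir_traversable_by`, `enter_jail` and `make_test_dir` and the constructed uid/gid 424242 are this example's own assumptions.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Could a process running as (uid, gid) pass through 'path'?  Evaluated
 * from the mode bits the way the kernel does for an unprivileged process.
 * uid 0 bypasses mode bits, which is why a chdir() done before the uid
 * switch says nothing about what the user will be able to do.
 * Returns 1 if traversable, else 0 with errno set (EACCES when the
 * directory exists but its mode bits deny search permission). */
int dir_traversable_by(const char *path, uid_t uid, gid_t gid)
{
    struct stat st;
    int ok;

    if (stat(path, &st) < 0)
        return 0;
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return 0;
    }
    if (uid == 0)
        return 1;
    if (st.st_uid == uid)
        ok = (st.st_mode & S_IXUSR) != 0;
    else if (st.st_gid == gid)
        ok = (st.st_mode & S_IXGRP) != 0;
    else
        ok = (st.st_mode & S_IXOTH) != 0;
    if (!ok)
        errno = EACCES;
    return ok;
}

/* Enter the jail: 1. refuse a directory the target user could not search,
 * 2. chroot(dir), 3. chdir("/") so '.' cannot point outside the jail,
 * 4. drop supplementary groups, gid and uid, 5. verify the drop stuck.
 * Returns 0 on success, -1 with errno set.  Must be called as uid 0. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (!dir_traversable_by(dir, uid, gid))
        return -1;
    if (chroot(dir) < 0)
        return -1;
    if (chdir("/") < 0)
        return -1;
    if (setgroups(1, &gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    /* If setuid(0) still succeeds, the saved uid was not cleared and the
     * process could climb back out of the jail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Test fixture (constructed): a fresh temporary directory with the given
 * mode, standing in for the prisoner's home.  The previous fixture
 * directory is removed first. */
const char *make_test_dir(mode_t mode)
{
    static char path[] = "/tmp/jailXXXXXX";
    static int have_dir = 0;

    if (have_dir)
        rmdir(path);
    memcpy(path, "/tmp/jailXXXXXX", sizeof(path));
    if (mkdtemp(path) == NULL)
        return NULL;
    have_dir = 1;
    chmod(path, mode);
    return path;
}

int main(void)
{
    /* Constructed non-root identity that owns nothing under /tmp. */
    const uid_t u = 424242;
    const gid_t g = 424242;

    printf("0755 jail traversable by uid %u: %d\n", (unsigned)u,
           dir_traversable_by(make_test_dir(0755), u, g));
    printf("0644 jail traversable by uid %u: %d\n", (unsigned)u,
           dir_traversable_by(make_test_dir(0644), u, g));
    if (enter_jail(make_test_dir(0644), u, g) < 0)
        printf("enter_jail refused the 0644 jail: %s\n", strerror(errno));
    return 0;
}
```

The pre-check is deliberately computed from the mode bits rather than by calling access(2), because access() as root also answers "yes" for everything; doing the chdir a second time after the uid switch is the other way to get the same guarantee.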
From: jmknoble at jmknoble.cx (Jim Knoble) Date: Mon, 30 Oct 2000 05:53:09 -0500 Subject: ANNOUNCE: x11-ssh-askpass v1.0.3 Message-ID: <20001030055309.A18165@quipu.half.pint-stowp.cx>

x11-ssh-askpass version 1.0.3 is now available from the following locations:

http://www.jmknoble.cx/software/x11-ssh-askpass/
http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/

x11-ssh-askpass is a passphrase dialog for use with OpenSSH (www.openssh.com) under the X Window System.

The important changes since version 1.0.2 are as follows:

- Added a small amount of resolution-independence to the passphrase dialog. Now it doesn't look quite so minuscule when displaying on a high-resolution X server at 100 dpi.

[Damien, this is probably a good candidate for the 2.3.0p1 packages.]

--
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

From pekkas at netcore.fi Mon Oct 30 22:15:01 2000
From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 30 Oct 2000 13:15:01 +0200 (EET) Subject: Feature disappeared? In-Reply-To: <20001030105719.A18000@greenie.muc.de> Message-ID: On Mon, 30 Oct 2000, Gert Doering wrote: > working on tightening our network (somewhat) today, I found that OpenSSH > doesn't seem to have the "AllowSHosts" directive (in sshd_config) that > Commercial SSH (at least 1.2.25 & up) has. > > Now I wonder whether that hasn't been implemented yet, or has been dropped > for a certain reason. > > I find this very useful for what I want to achieve - inside the company > network, .shosts is honoured, from outside the company, it isn't. No > matter what people put in their .shosts, they can't login from home > without a password (and S/Key in future), thus a break-in into their home > machine won't immediately break the office network as well... > > Or is this train of thought flawed somewhere? (As usually, I have to > balance user convenience vs. security - if security is to inconvenient, > people won't use it). 'IgnoreRhosts yes' will ignore .shosts files too. However, people can log in without password otherwise too, if they're using RSAAuthentication. It'll ask for a passphrase, but the user can also make it empty. -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" From gert at greenie.muc.de Mon Oct 30 22:35:13 2000 
From: gert at greenie.muc.de (Gert Doering) Date: Mon, 30 Oct 2000 12:35:13 +0100 Subject: Feature disappeared? In-Reply-To: ; from Pekka Savola on Mon, Oct 30, 2000 at 01:15:01PM +0200 References: <20001030105719.A18000@greenie.muc.de> Message-ID: <20001030123513.A21764@greenie.muc.de> Hi, On Mon, Oct 30, 2000 at 01:15:01PM +0200, Pekka Savola wrote: > > working on tightening our network (somewhat) today, I found that OpenSSH > > doesn't seem to have the "AllowSHosts" directive (in sshd_config) that > > Commercial SSH (at least 1.2.25 & up) has. [..] > > Or is this train of thought flawed somewhere? (As usually, I have to > > balance user convenience vs. security - if security is to inconvenient, > > people won't use it). > > 'IgnoreRhosts yes' will ignore .shosts files too. Umm, yes, but that's something else. AllowSHosts permits .shosts files on a per-host basis, so I can say "for *.mydomain.de, .shosts is ok, for everybody else, it's not ok". IgnoreRhosts does this on a for-all-clients basis. > However, people can log in without password otherwise too, if they're > using RSAAuthentication. It'll ask for a passphrase, but the user can > also make it empty. Yes, but it's a bit harder to mess up :-) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From pekkas at netcore.fi Mon Oct 30 22:39:39 2000 
From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 30 Oct 2000 13:39:39 +0200 (EET) Subject: Feature disappeared? In-Reply-To: <20001030123513.A21764@greenie.muc.de> Message-ID: On Mon, 30 Oct 2000, Gert Doering wrote: > On Mon, Oct 30, 2000 at 01:15:01PM +0200, Pekka Savola wrote: > > > working on tightening our network (somewhat) today, I found that OpenSSH > > > doesn't seem to have the "AllowSHosts" directive (in sshd_config) that > > > Commercial SSH (at least 1.2.25 & up) has. > [..] > > > Or is this train of thought flawed somewhere? (As usually, I have to > > > balance user convenience vs. security - if security is to inconvenient, > > > people won't use it). > > > > 'IgnoreRhosts yes' will ignore .shosts files too. > > Umm, yes, but that's something else. AllowSHosts permits .shosts files on > a per-host basis, so I can say "for *.mydomain.de, .shosts is ok, for > everybody else, it's not ok". Well, I'd care to wager the feature disappeared to the same hole as AllowHosts did too. Certainly intentional. I nagged about AllowHosts _a lot_ but eventually patched TCP Wrappers so that it can take more complex host definitions too (like *isdn1*.isp.com). -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" From gert at greenie.muc.de Mon Oct 30 22:43:54 2000 
From: gert at greenie.muc.de (Gert Doering) Date: Mon, 30 Oct 2000 12:43:54 +0100 Subject: Feature disappeared? In-Reply-To: ; from Pekka Savola on Mon, Oct 30, 2000 at 01:39:39PM +0200 References: <20001030123513.A21764@greenie.muc.de> Message-ID: <20001030124354.B21764@greenie.muc.de> Hi, On Mon, Oct 30, 2000 at 01:39:39PM +0200, Pekka Savola wrote: > > > 'IgnoreRhosts yes' will ignore .shosts files too. > > > > Umm, yes, but that's something else. AllowSHosts permits .shosts files on > > a per-host basis, so I can say "for *.mydomain.de, .shosts is ok, for > > everybody else, it's not ok". > > Well, I'd care to wager the feature disappeared to the same hole as > AllowHosts did too. Certainly intentional. Well, dropping AllowHosts doesn't mean dropping functionality (because it can be done via TCP wrappers). Dropping AllowSHosts means "I can't do that anymore", which should have security reasons, which I don't see any right now... > I nagged about AllowHosts _a lot_ but eventually patched TCP Wrappers so > that it can take more complex host definitions too (like *isdn1*.isp.com). What's your gripe with AllowHosts? gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From J.Horne at plymouth.ac.uk Mon Oct 30 22:52:18 2000 
From: J.Horne at plymouth.ac.uk (John Horne) Date: Mon, 30 Oct 2000 11:52:18 -0000 (GMT) Subject: SSH-askpass - timeout possible? Message-ID:

Hello,

On my home PC, which runs openssh with Jim Knoble's x11-ssh-askpass, I have configured my Bash shell login script to prompt me for the passphrase. No problem, however it waits during the login process for me to 'do something' - i.e. enter a passphrase, cancel it or whatever. Is it possible to set a timeout so that if, say, nothing occurs within a minute then it assumes no passphrase and the login continues?

Thanks,

John.
------------------------------------------------------------------------
John Horne, University of Plymouth, UK Tel: +44 (0)1752 233914 E-mail: jhorne at plymouth.ac.uk PGP key available from public key servers

From pekkas at netcore.fi Mon Oct 30 22:55:29 2000
From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 30 Oct 2000 13:55:29 +0200 (EET) Subject: Feature disappeared? In-Reply-To: <20001030124354.B21764@greenie.muc.de> Message-ID: On Mon, 30 Oct 2000, Gert Doering wrote: > Well, dropping AllowHosts doesn't mean dropping functionality (because it > can be done via TCP wrappers). > > Dropping AllowSHosts means "I can't do that anymore", which should have > security reasons, which I don't see any right now... True. Now you just have to run these on separate boxes, or separate ports. > > I nagged about AllowHosts _a lot_ but eventually patched TCP Wrappers so > > that it can take more complex host definitions too (like *isdn1*.isp.com). > > What's your gripe with AllowHosts? That it was dropped in OpenSSH. As for the reasons of griping, regular TCP wrappers are rather inflexible. Here's an example. ISP might define its address pools like blahlah12311.newyork5.isp.com blahlah12311.newyork6.isp.com blahlah12311.newyork7.isp.com blahlah12311.newyork8.isp.com blahlah12311.newyork9.isp.com [ etc. the point is newyorkX ] With regular TCP Wrappers, the only chance you have to define these, really, are: .newyork5.isp.com .newyork6.isp.com [etc.] Or using IP addresses and netmasks, which unfortunately doesn't usually help a bit (if the addresses haven't been allocated nicely) and isn't as informational when you read it. Now, consider an AllowHosts/modified tcp-wrappers rule: blah*.newyork?.isp.com No pain. '*' and '?' wildcards _do_ come in handy sometimes.. -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" From gert at greenie.muc.de Mon Oct 30 22:58:00 2000 
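The per-client-host decision Gert wants (honour .shosts only for some hosts) and the two pattern forms Pekka compares, as an added example that is not OpenSSH or TCP Wrappers code: a tcpd-style leading-dot domain suffix (".newyork5.isp.com") and '*'/'?' wildcards ("blah*.newyork?.isp.com") evaluated with fnmatch(3). The functions `host_pattern_matches` and `shosts_allowed_from`, the allow-list syntax, and the sample host names are this example's own assumptions.

```c
#include <ctype.h>
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* DNS names are case-insensitive; fold to lower case into a fixed buffer.
 * Returns 0 if the name does not fit (callers treat that as no match). */
static int fold_name(const char *in, char *out, size_t outlen)
{
    size_t i;
    for (i = 0; in[i] != '\0'; i++) {
        if (i + 1 >= outlen)
            return 0;
        out[i] = (char)tolower((unsigned char)in[i]);
    }
    out[i] = '\0';
    return 1;
}

/* 1 if 'host' matches 'pattern', else 0. */
int host_pattern_matches(const char *pattern, const char *host)
{
    char p[256], h[256];
    size_t plen, hlen;

    if (!fold_name(pattern, p, sizeof p) || !fold_name(host, h, sizeof h))
        return 0;
    plen = strlen(p);
    hlen = strlen(h);
    if (plen == 0 || hlen == 0)
        return 0;
    if (p[0] == '.') {
        /* Suffix form: ".isp.com" matches "a.isp.com" but not "isp.com". */
        return hlen > plen && strcmp(h + hlen - plen, p) == 0;
    }
    /* Wildcard form.  Without FNM_PERIOD a '*' spans label boundaries, so
     * "*.isp.com" also matches "a.b.isp.com"; an address-pool rule such as
     * "*isdn1*.isp.com" relies on exactly that. */
    return fnmatch(p, h, 0) == 0;
}

/* 'list' is a space- or comma-separated allow list of patterns, e.g.
 * "*.mydomain.de .corp.example blah*.newyork?.isp.com".  Returns 1 if any
 * pattern matches 'host' (so .shosts may be consulted), else 0; an empty
 * list allows nothing. */
int shosts_allowed_from(const char *list, const char *host)
{
    const char *s = list;
    char tok[256];

    while (*s != '\0') {
        size_t n;
        s += strspn(s, " ,\t");
        n = strcspn(s, " ,\t");
        if (n == 0)
            break;
        if (n < sizeof tok) {          /* oversize pattern: skip it */
            memcpy(tok, s, n);
            tok[n] = '\0';
            if (host_pattern_matches(tok, host))
                return 1;
        }
        s += n;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: pool names from the thread plus one outsider. */
    const char *allow = "*.mydomain.de blah*.newyork?.isp.com";
    const char *hosts[] = { "pc7.mydomain.de",
                            "blahlah12311.newyork7.isp.com",
                            "blahlah12311.newyork10.isp.com",
                            "laptop.example.net" };
    size_t i;

    for (i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-32s .shosts honoured: %s\n", hosts[i],
               shosts_allowed_from(allow, hosts[i]) ? "yes" : "no");
    return 0;
}
```

The host string compared here is whatever the server resolved for the client address, so a rule of this kind is only as trustworthy as that reverse lookup confirmed by a forward lookup; that is the same limitation tcpd's hostname checking has to deal with, and it is the reason the password (or S/Key) fallback Gert keeps for outside hosts matters.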
From: gert at greenie.muc.de (Gert Doering) Date: Mon, 30 Oct 2000 12:58:00 +0100 Subject: Feature disappeared? In-Reply-To: ; from Pekka Savola on Mon, Oct 30, 2000 at 01:55:29PM +0200 References: <20001030124354.B21764@greenie.muc.de> Message-ID: <20001030125800.C21764@greenie.muc.de> Hi, On Mon, Oct 30, 2000 at 01:55:29PM +0200, Pekka Savola wrote: > > > I nagged about AllowHosts _a lot_ but eventually patched TCP Wrappers so > > > that it can take more complex host definitions too (like *isdn1*.isp.com). > > What's your gripe with AllowHosts? > That it was dropped in OpenSSH. Ah! Now I understand (I understood that you had been opposing AllowHosts, which is just to the contrary...). > As for the reasons of griping, regular TCP wrappers are rather inflexible. > Here's an example. ISP might define its address pools like > > blahlah12311.newyork5.isp.com > blahlah12311.newyork6.isp.com > blahlah12311.newyork7.isp.com > blahlah12311.newyork8.isp.com > blahlah12311.newyork9.isp.com > [ etc. the point is newyorkX ] > > With regular TCP Wrappers, the only chance you have to define these, > really, are: Yes. I fully understand :) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From Lutz.Jaenicke at aet.TU-Cottbus.DE Mon Oct 30 23:08:47 2000 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Mon, 30 Oct 2000 13:08:47 +0100
Subject: Another shapshot
In-Reply-To: <20001029110352.A11185@serv01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Sun, Oct 29, 2000 at 11:03:52AM +0100
References: <20001029110352.A11185@serv01.aet.tu-cottbus.de>
Message-ID: <20001030130847.A22045@serv01.aet.tu-cottbus.de>

On Sun, Oct 29, 2000 at 11:03:52AM +0100, Lutz Jaenicke wrote:
> Host: hppa2.0-hp-hpux10.20
> Compiler: cc
> Compiler flags: -O -I. -I. -Ae -D_HPUX_SOURCE +DAportable -I/usr/local/include -I/usr/local/ssl/include
> Linker flags: -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/ssl
> Libraries: -lz -lsec -lcrypto -lwrap
>
> Compilation and some short tests passed.
>
> > Please test this one extra hard, it is likely to become 2.3.0p1 early
> > next week.
> Please give us at least the Monday for hard testing, it is much more
> comfortable sitting in front of my workstation instead of doing it via
> the ISDN line :-)

Ok, I have spent quite some time torturing it, logged in and out, called scp, used ssh-agent. All of this between 2.2.0p1 and snapshot-20001028 machines and no problem so far. (Forwarded ssh-agent sockets are still not closed properly.)

Seems we can expect 2.3.0p1 soon :-)

Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From pekkas at netcore.fi Mon Oct 30 23:32:06 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 30 Oct 2000 14:32:06 +0200 (EET)
Subject: Another shapshot
In-Reply-To: <20001030130847.A22045@serv01.aet.tu-cottbus.de>
Message-ID:

On Mon, 30 Oct 2000, Lutz Jaenicke wrote:
> On Sun, Oct 29, 2000 at 11:03:52AM +0100, Lutz Jaenicke wrote:
> > Host: hppa2.0-hp-hpux10.20
> > Compiler: cc
> > Compiler flags: -O -I. -I. -Ae -D_HPUX_SOURCE +DAportable -I/usr/local/include -I/usr/local/ssl/include
> > Linker flags: -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/ssl
> > Libraries: -lz -lsec -lcrypto -lwrap
> >
> > Compilation and some short tests passed.
> >
> > > Please test this one extra hard, it is likely to become 2.3.0p1 early
> > > next week.
> > Please give us at least the Monday for hard testing, it is much more
> > comfortable sitting in front of my workstation instead of doing it via
> > the ISDN line :-)
>
> Ok, I have spent quite some time torturing it, logged in and out, called scp,
> used ssh-agent.
> All of this between 2.2.0p1 and snapshot-20001028 machines and no problem
> so far. (Forwarded ssh-agent sockets are still not closed properly.)
>
> Seems we can expect 2.3.0p1 soon :-)

Yes. I've had good experiences with this also.

There is, however, the issue with OpenSSH 2.1.1 when using SSHv2 and DSA Authentication (see posts from 2-3 days off; I also reproduced the problem here). I don't really use that myself, so I'm not hit by it, but OpenSSH 2.1 is used on really many systems (Like Stable FreeBSD, non-errata RH7, etc.) so it should work if at all possible.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi     not those you stumble over and fall"
From J.Horne at plymouth.ac.uk Mon Oct 30 23:48:06 2000
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Mon, 30 Oct 2000 12:48:06 -0000 (GMT)
Subject: Another shapshot
In-Reply-To:
Message-ID:

On 28-Oct-00 at 11:53:10 Damien Miller wrote:
> I have just uploaded another snapshot to:
>
> http://www.mindrot.org/misc/openssh/openssh-SNAP-20001028.tar.gz
>
Can't remember seeing Solaris (sparc) replies for this, but it seems to be okay with Solaris 7 and 8. One point, however, is the 'Manpage format' - it says 'cat', but I used the '--with-catman=man' configure option. (As far as I can tell using the '--with-catman=cat' option seems best in terms of how it looks though :-) )

For Solaris 7 sparc:

OpenSSH configured has been configured with the following options.
User binaries: /usr/local/bin
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /usr/local/etc
Random number collection: Device (/dev/random)
Manpage format: cat
PAM support: yes
KerberosIV support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no

Host: sparc-sun-solaris2.7
Compiler: gcc
Compiler flags: -g -O2 -Wall -I. -I. -I/usr/local/include -I/usr/local/ssl/include
Linker flags: -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib -L/usr/local/ssl/lib -L/usr/local/ssl -R/usr/local/ssl/lib -R/usr/local/ssl
Libraries: -ldl -lsocket -lnsl -lz -lpam -lcrypto -lwrap

For Solaris 8 sparc:

OpenSSH configured has been configured with the following options.
User binaries: /usr/local/bin
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /var/run
Random number collection: Device (/dev/random)
Manpage format: cat
PAM support: yes
KerberosIV support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: yes
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no

Host: sparc-sun-solaris2.8
Compiler: gcc
Compiler flags: -g -O2 -Wall -I. -I. -I/usr/local/include -I/usr/local/ssl/include
Linker flags: -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib -L/usr/local/ssl/lib -L/usr/local/ssl -R/usr/local/ssl/lib -R/usr/local/ssl
Libraries: -ldl -lsocket -lnsl -lz -lpam -lcrypto -lwrap

John.
------------------------------------------------------------------------
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 233914
E-mail: jhorne at plymouth.ac.uk       PGP key available from public key servers

From vinschen at redhat.com Mon Oct 30 23:54:05 2000
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 30 Oct 2000 13:54:05 +0100
Subject: Another shapshot
References:
Message-ID: <39FD6F6D.8119D1A1@redhat.com>

Pekka Savola wrote:
> There is, however the issue with OpenSSH 2.1.1 when using SSHv2 and DSA
> Authentication (see posts from 2-3 days off; I also reproduced the
> problem here). I don't really use that myself, so I'm not hit by it, but
> OpenSSH 2.1 is used on really many systems (Like Stable FreeBSD,
> non-errata RH7, etc.) so it should work if at all possible.

Agree. Especially the fact that 2.1.x is part of important Linux and BSD distros would result in loads of complaints.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin at sources.redhat.com
Red Hat, Inc.
mailto:vinschen at redhat.com

From vinschen at redhat.com Tue Oct 31 00:56:04 2000
From: vinschen at redhat.com (Corinna Vinschen) Date: Mon, 30 Oct 2000 14:56:04 +0100 Subject: Another shapshot References: Message-ID: <39FD7DF4.3870C550@redhat.com> Pekka Savola wrote: > There is, however the issue with OpenSSH 2.1.1 when using SSHv2 and DSA > Authentication (see posts from 2-3 days off; I also reproduced the > problem here). I don't really use that myself, so I'm not hit by it, but > OpenSSH 2.1 is used on really many systems (Like Stable FreeBSD, > non-errata RH7, etc.) so it should work if at all possible. Agree. Especially the fact that 2.1.x is part of important Linux and BSD distros would result in loads of complaints. Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin at sources.redhat.com Red Hat, Inc. mailto:vinschen at redhat.com From vinschen at redhat.com Tue Oct 31 00:58:09 2000 From: vinschen at redhat.com (Corinna Vinschen) Date: Mon, 30 Oct 2000 14:58:09 +0100 Subject: Another shapshot References: <39FC11AD.3BB38630@redhat.com> <20001030141432.A11888@folly> Message-ID: <39FD7E71.8D765391@redhat.com> Markus Friedl wrote: > > On Sun, Oct 29, 2000 at 01:01:49PM +0100, Corinna Vinschen wrote: > > "dsa_verify: signature incorrect" > > what version of OpenSSL are you using? It's the preinstalled version of the distro. ssh -V states: SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f). The package info contains the hint that it's version 2.1.1p1 with the following patches (besides unimportant others): --- login.c +++ login.c 2000/06/28 10:54:46 @@ -52,6 +52,7 @@ li = login_alloc_entry(pid, user, host, ttyname); login_set_addr(li, addr, sizeof(struct sockaddr)); + li->uid=uid; login_login(li); login_free_entry(li); } --- readconf.c +++ readconf.c 2000/06/27 17:34:40 
@@ -501,6 +501,7 @@ filename, linenum, cp ? cp : ""); if (*activep && *intptr == SSH_PROTO_UNKNOWN) *intptr = value; + strtok("",WHITESPACE); break; case oLogLevel:

Corinna

From darren at horseplay.demon.co.uk Tue Oct 31 01:41:02 2000
From: darren at horseplay.demon.co.uk (Darren Evans)
Date: Mon, 30 Oct 2000 14:41:02 +0000
Subject: ssh-agent and ssh-add with openssh-2.2.0p1 on Redhat 7
Message-ID: <5.0.0.25.1.20001030142016.02bcae50@pop3.demon.co.uk>

Hi all,

I'm trying to figure out if I'm being silly or if there is a genuine problem.

Running on the notorious Redhat 7, 2.2.16-22 #1, X86.

[user at host]$ ssh-agent -s
SSH_AUTH_SOCK=/tmp/ssh-XXYFcFR6/agent.2101; export SSH_AUTH_SOCK;
SSH_AGENT_PID=2102; export SSH_AGENT_PID;
echo Agent pid 2102;
[user at host]$ echo $SSH_AUTH_SOCK

[user at host]$ echo $SSH_AGENT_PID

[user at host]$ ssh-add
Could not open a connection to your authentication agent.
[user at host]$ ls -l /tmp/ssh-XXYFcFR6/
total 0
srwxrwxr-x    1 user     user            0 Oct 30 14:26 agent.2101

Is the next version due reasonably soon?

thanks

Darren

From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Oct 31 02:34:33 2000
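Review bot: in the login.c hunk, `li->uid=uid;` pokes a field into the entry returned by login_alloc_entry(pid, user, host, ttyname) and nothing in the hunk shows where `uid` comes from; confirm it is a parameter of this function (the context lines do not declare it) and consider passing it to login_alloc_entry() or a setter instead, so no other caller can end up with an entry whose uid was never set. Minor: spaces around `=` would match the surrounding code.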
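Review bot: the added `strtok("",WHITESPACE);` just before `break;` in the readconf.c hunk has a non-obvious side effect that deserves a comment: calling strtok() with an empty, non-NULL string resets its internal position to that empty string, so any later strtok(NULL, ...) call in this parser returns NULL and whatever remained of the line is silently dropped. If the intent is to let the Protocol option consume the rest of its line, say so where the call is made; if not, a trailing-garbage check further down the function would now be bypassed for this option only.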
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Mon, 30 Oct 2000 16:34:33 +0100 Subject: ssh-agent and ssh-add with openssh-2.2.0p1 on Redhat 7 In-Reply-To: <5.0.0.25.1.20001030142016.02bcae50@pop3.demon.co.uk>; from darren@horseplay.demon.co.uk on Mon, Oct 30, 2000 at 02:41:02PM +0000 References: <5.0.0.25.1.20001030142016.02bcae50@pop3.demon.co.uk> Message-ID: <20001030163433.A26621@serv01.aet.tu-cottbus.de> On Mon, Oct 30, 2000 at 02:41:02PM +0000, Darren Evans wrote: > > Hi all, > > i'm trying to figure out if i'm being silly or if there is a genuine problem. > > Running on the notorious Redhat 7, 2.2.16-22 #1, X86. > > [user at host]$ ssh-agent -s > SSH_AUTH_SOCK=/tmp/ssh-XXYFcFR6/agent.2101; export SSH_AUTH_SOCK; > SSH_AGENT_PID=2102; export SSH_AGENT_PID; > echo Agent pid 2102; Use eval `ssh-agent` to have the appropriate environment variables set. Then the "echo" and "ssh-add" commands will work properly. Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From J.Horne at plymouth.ac.uk Tue Oct 31 02:34:46 2000 
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Mon, 30 Oct 2000 15:34:46 -0000 (GMT)
Subject: ssh-agent and ssh-add with openssh-2.2.0p1 on Redhat 7
In-Reply-To: <5.0.0.25.1.20001030142016.02bcae50@pop3.demon.co.uk>
Message-ID:

On 30-Oct-00 at 14:41:02 Darren Evans wrote:
> i'm trying to figure out if i'm being silly or if there is a genuine
> problem.
>
> Running on the notorious Redhat 7, 2.2.16-22 #1, X86.
>
> [user at host]$ ssh-agent -s
> SSH_AUTH_SOCK=/tmp/ssh-XXYFcFR6/agent.2101; export SSH_AUTH_SOCK;
> SSH_AGENT_PID=2102; export SSH_AGENT_PID;
> echo Agent pid 2102;
> [user at host]$ echo $SSH_AUTH_SOCK
>
My understanding is that the '-s' option shows the shell commands to be executed (if it's not a C shell) - not that they *are* executed. For that reason in my .bash_profile file I have:

eval `ssh-agent` >/dev/null
SSH_ASKPASS=/usr/libexec/ssh/ssh-askpass
export SSH_ASKPASS
ssh-add $HOME/.ssh/id_dsa        (I use protocol 2)

(Using X (KDE) login) this sets up the correct variables. The 'eval' executes what 'ssh-agent' displays. The ssh-add runs Jim Knoble's x11-askpass program to store my passphrase once upon login (very handy :-) )

I have openssh (rpms) running fine under RH7 with the 2.2.16, 2.2.17 kernels and 2.4.0-pre6 at home.

John.
------------------------------------------------------------------------
John Horne, University of Plymouth, UK            Tel: +44 (0)1752 233914
E-mail: jhorne at plymouth.ac.uk       PGP key available from public key servers

From markus.friedl at informatik.uni-erlangen.de Tue Oct 31 00:14:32 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 30 Oct 2000 14:14:32 +0100 Subject: Another shapshot In-Reply-To: <39FC11AD.3BB38630@redhat.com>; from vinschen@redhat.com on Sun, Oct 29, 2000 at 01:01:49PM +0100 References: <39FC11AD.3BB38630@redhat.com> Message-ID: <20001030141432.A11888@folly> On Sun, Oct 29, 2000 at 01:01:49PM +0100, Corinna Vinschen wrote: > "dsa_verify: signature incorrect" what version of OpenSSL are you using? From darren at horseplay.demon.co.uk Tue Oct 31 03:27:33 2000 From: darren at horseplay.demon.co.uk (Darren Evans) Date: Mon, 30 Oct 2000 16:27:33 +0000 Subject: ssh-agent and ssh-add with openssh-2.2.0p1 on Redhat 7 In-Reply-To: <5.0.0.25.1.20001030142016.02bcae50@pop3.demon.co.uk> Message-ID: <5.0.0.25.1.20001030162156.02ba7cd0@pop3.demon.co.uk> Thank you for showing me how to use ssh-agent ;-) I'd like to suggest this information is added to the man page for this great program. >Use >eval `ssh-agent` >to have the appropriate environment variables set. Then the "echo" >and "ssh-add" commands will work properly. >[user at host]$ ssh-agent -s >SSH_AUTH_SOCK=/tmp/ssh-XXYFcFR6/agent.2101; export SSH_AUTH_SOCK; >SSH_AGENT_PID=2102; export SSH_AGENT_PID; >echo Agent pid 2102; >[user at host]$ echo $SSH_AUTH_SOCK > >[user at host]$ echo $SSH_AGENT_PID > >[user at host]$ ssh-add >Could not open a connection to your authentication agent. >[user at host]$ ls -l /tmp/ssh-XXYFcFR6/ >total 0 >srwxrwxr-x 1 user user 0 Oct 30 14:26 agent.2101 From lar at cs.yorkACuk Tue Oct 31 03:07:36 2000 
From: lar at cs.yorkACuk (Laramie Leavitt)
Date: Mon, 30 Oct 2000 16:07:36 +0000
Subject: SSH not responding.
Message-ID: <00103016151701.00816@pc078.cs.york.ac.uk>

SSH doesn't seem to be responding to me. The machine I am connecting to is running Linux, and I could connect to it fine from windows running the SSH client. But now I can no longer connect. From Linux, this is the output:

pc078:~$ ssh -v 208.240.199.51
SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).
debug: Reading configuration data /local/hda4/lar/etc/ssh_config
debug: Seeding random number generator
debug: ssh_connect: getuid 1555 geteuid 1555 anon 1
debug: Connecting to 208.240.199.51 [208.240.199.51] port 22.
debug: Connection established.

Any Ideas?

Thanks,
Laramie.
(Some of the finer points missing from my e-mail address.)

From pekkas at netcore.fi Tue Oct 31 03:40:13 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 30 Oct 2000 18:40:13 +0200 (EET)
Subject: SSH not responding.
In-Reply-To: <00103016151701.00816@pc078.cs.york.ac.uk>
Message-ID:

On Mon, 30 Oct 2000, Laramie Leavitt wrote:
> SSH doesn't seem to be responding to me.
> The machine I am connecting to is running Linux,
> and I could connect to it fine from windows
> running the SSH client. But now I can no longer
> connect. From Linux, this is the output:
>
>
> pc078:~$ ssh -v 208.240.199.51
> SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.
> Compiled with SSL (0x0090600f).
> debug: Reading configuration data /local/hda4/lar/etc/ssh_config
> debug: Seeding random number generator
> debug: ssh_connect: getuid 1555 geteuid 1555 anon 1
> debug: Connecting to 208.240.199.51 [208.240.199.51] port 22.
> debug: Connection established.

Your Linux system is probably failing in DNS lookups when checking /etc/hosts.allow.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi     not those you stumble over and fall"

From birger at takatukaland.de Tue Oct 31 03:49:07 2000
From: birger at takatukaland.de (Birger Toedtmann)
Date: Mon, 30 Oct 2000 17:49:07 +0100
Subject: SSH not responding.
In-Reply-To: <00103016151701.00816@pc078.cs.york.ac.uk>; from lar@cs.yorkACuk on Mon, Oct 30, 2000 at 04:07:36PM +0000
References: <00103016151701.00816@pc078.cs.york.ac.uk>
Message-ID: <20001030174907.C19237@spock.takatukaland.de>

On Mon, Oct 30, 2000 at 04:07:36PM +0000, Laramie Leavitt wrote:
> SSH doesn't seem to be responding to me.
> The machine I am connecting to is running Linux,
> and I could connect to it fine from windows
> running the SSH client. But now I can no longer
> connect. From Linux, this is the output:
>
>
> pc078:~$ ssh -v 208.240.199.51
> SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.
> Compiled with SSL (0x0090600f).
> debug: Reading configuration data /local/hda4/lar/etc/ssh_config
> debug: Seeding random number generator
> debug: ssh_connect: getuid 1555 geteuid 1555 anon 1
> debug: Connecting to 208.240.199.51 [208.240.199.51] port 22.
> debug: Connection established.

Are you sure it's entirely not responding or just for some period of time? Often the ssh-server box tries unsuccessful ns-lookups for the ssh-client box for minutes; after that, you may be allowed in (depends on config).

--
Birger Tödtmann, Bielefeld, Germany.
00 83 E2 57 EC 60 0B 1C D3 18 AE 2A 40 55 81 22

From Benjamin.Riefenstahl at ision.net Tue Oct 31 04:12:57 2000
From: Benjamin.Riefenstahl at ision.net (Benjamin Riefenstahl)
Date: Mon, 30 Oct 2000 18:12:57 +0100
Subject: Compatibility with 1.2.16 (commercial)?
Message-ID: <39FDAC19.1E9CAF2@ision.net>

Hi folks,

I'm currently trying to connect to version 1.2.16 of the commercial server. The server says it supports protocol version 1.4 and that that is incompatible with protocol version 1.5. Is that actually true?

The complete output from "ssh -v xxxxxxx" is:

$ ./ssh -v xxxxxxx
SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 1000 geteuid 1000 anon 0
debug: Connecting to xxxxxxx [xx.xx.xx.xx] port 22.
debug: Seeding random number generator
debug: Allocated local port 883.
debug: Connection established.
debug: Remote protocol version 1.4, remote software version 1.2.16
debug: no match: 1.2.16
debug: Local version string SSH-1.5-OpenSSH_2.3.0p1
debug: Waiting for server public key.
Received disconnect: This server does not support your new ssh version.
debug: Calling cleanup 0x414cf0(0x0)
$

If I patch the version string sent by ssh to SSH-1.4-xxx, it works. But there seems to be no configuration parameter to influence that string, it's basically hardcoded in the ssh executable. Should I just not try that, could I add such a configuration parameter or is there any other way to get a connection?

Another way of handling this would theoretically be to update the server, but as administration of the servers is not my domain here in the company, I would really prefer not to have to do that.

so long, benny

--
ISION Internet AG                 Benjamin Riefenstahl
Ruhrstrasse 61                    mailto:benjamin.riefenstahl at ision.net
D-22761 Hamburg                   http://www.ision.net

From openssh-unix-dev at progressive-comp.com Tue Oct 31 04:36:25 2000
From: openssh-unix-dev at progressive-comp.com (Hank Leininger) Date: Mon, 30 Oct 2000 12:36:25 -0500 Subject: Feature disappeared? Message-ID: <200010301736.MAA30749@mailer.progressive-comp.com> On 2000-10-30, Gert Doering wrote: > Well, dropping AllowHosts doesn't mean dropping functionality (because > it can be done via TCP wrappers). > Dropping AllowSHosts means "I can't do that anymore", which should have > security reasons, which I don't see any right now... Hm. Can you get the same effect by populating /etc/ssh_known_hosts (or its moral equivalent) with the public keys of hosts you wish to allow, and then setting IgnoreUserKnownHosts? This would prevent users from adding other hosts to .shosts, no? Though it might be deemed too much administrative overhead to maintain... -- Hank Leininger From gert at greenie.muc.de Tue Oct 31 05:17:37 2000 
From: gert at greenie.muc.de (Gert Doering) Date: Mon, 30 Oct 2000 19:17:37 +0100 Subject: Feature disappeared? In-Reply-To: <200010301736.MAA30749@mailer.progressive-comp.com>; from Hank Leininger on Mon, Oct 30, 2000 at 12:36:25PM -0500 References: <200010301736.MAA30749@mailer.progressive-comp.com> Message-ID: <20001030191737.A22791@greenie.muc.de> Hi, On Mon, Oct 30, 2000 at 12:36:25PM -0500, Hank Leininger wrote: > > Well, dropping AllowHosts doesn't mean dropping functionality (because > > it can be done via TCP wrappers). > > > Dropping AllowSHosts means "I can't do that anymore", which should have > > security reasons, which I don't see any right now... > > Hm. Can you get the same effect by populating /etc/ssh_known_hosts (or its > moral equivalent) with the public keys of hosts you wish to allow, and then > setting IgnoreUserKnownHosts? This would prevent users from adding other > hosts to .shosts, no? Though it might be deemed too much administrative > overhead to maintain... Well, yes. This would work. (Though I'm not sure about maintainability) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From pekkas at netcore.fi Tue Oct 31 06:17:28 2000 
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 30 Oct 2000 21:17:28 +0200 (EET)
Subject: RhostsAuthentication + nondefault port doesn't work?
Message-ID:

Hello all,

It seems that RhostsAuthentication does not work on a non-default port no matter what when connecting from OpenSSH (2.1.1, 2.2.0 tried) either with protocol 1 or protocol 2 (shouldn't work either..). _However_ when connecting with SSH.COM Ltd's ssh, RhostsAuthentication works just fine! Checking the port number of the ssh client you can see that OpenSSH doesn't assign a privileged port for this, but SSH Ltd's ssh does. Connecting to port 22 works with OpenSSH too.

Is this a feature? If so, I wonder why?

A little configuration and log:

--- sshd_config ---
IgnoreRhosts yes
#IgnoreUserKnownHosts yes
RhostsAuthentication yes
RhostsRSAAuthentication yes
RSAAuthentication yes
---

--- .ssh/config ---
Protocol 1
RhostsAuthentication yes
---

--- sshd log when connecting w/ OpenSSH ---
Connection from x.y.z.w port 4624        <---- NOTE PORT NUMBER!
debug1: Client protocol version 1.5; client software version OpenSSH_2.2.0p1
debug1: match: OpenSSH_2.2.0p1 pat ^OpenSSH_2\.2
debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1
debug1: Sent 768 bit public key and 1024 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Starting up PAM with username "pekkas"
debug1: Attempting authentication for pekkas.
[ trying password entries ... ]
---

---
connection from a.b.c.d port 1005
debug1: Client protocol version 1.5; client software version 1.2.25
debug1: no match: 1.2.25
debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1
debug1: Sent 768 bit public key and 1024 bit host key.
debug1: Encryption type: blowfish
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Starting up PAM with username "pekkas"
debug1: Attempting authentication for pekkas.
Failed rhosts for pekkas from a.b.c.d port 1005 ruser pjsavol3 debug1: Trying rhosts with RSA host authentication for client user pjsavol3 Failed rhosts-rsa for pekkas from a.b.c.d port 1005 ruser pjsavol3 --- -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" From mdb at juniper.net Tue Oct 31 06:23:17 2000 From: mdb at juniper.net (Mark D. Baushke) Date: Mon, 30 Oct 2000 11:23:17 -0800 Subject: Compatibility with 1.2.16 (commercial)? In-Reply-To: Mail from Benjamin Riefenstahl dated Mon, 30 Oct 2000 18:12:57 +0100 <39FDAC19.1E9CAF2@ision.net> Message-ID: <200010301923.LAA86810@garnet.juniper.net> Hi Benjamin, There is no good reason that an OpenSSH client should not be able to speak to a 1.4 protocol ssh server. Enjoy! -- Mark The following is a patch against openssh-SNAP-20001028 to use the appropriate minor version number for clients connecting to down-rev servers. Could the powers that be consider this one for inclusion in the next OpenSSH release? --- sshconnect.c~ Fri Sep 22 23:15:57 2000 +++ sshconnect.c Mon Oct 30 11:16:22 2000 @@ -321,6 +321,7 @@ int remote_major, remote_minor, i, mismatch; int connection_in = packet_get_connection_in(); int connection_out = packet_get_connection_out(); + int use_minor = PROTOCOL_MINOR_1; /* Read other side\'s version identification. */ for (;;) { @@ -377,10 +378,18 @@ } else if (remote_minor == 3) { /* We speak 1.3, too. */ enable_compat13(); + use_minor = 3; if (options.forward_agent) { log("Agent forwarding disabled for protocol 1.3"); options.forward_agent = 0; } + } else if (remote_minor == 4) { + /* We speak 1.4, too. */ + use_minor = 4; + if (options.forward_agent) { + log("Agent forwarding disabled for protocol 1.4"); + options.forward_agent = 0; + } } break; case 2: 
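Review bot: the new `remote_minor == 4` branch copies the 1.3 branch but, unlike it, calls no enable_compat*() function, so its only effects are `use_minor = 4` and switching off agent forwarding; the comment should say whether 1.4 differs from 1.5 on the wire at all, because if it does not, disabling agent forwarding is stricter than needed, and if it does, the compatibility handling is missing. The two branches now duplicate the log() call and `options.forward_agent = 0;` block and could be folded into one `else if (remote_minor == 3 || remote_minor == 4)` with the enable_compat13() call kept conditional on 3.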
@@ -402,7 +411,7 @@ /* Send our own protocol version identification. */ snprintf(buf, sizeof buf, "SSH-%d.%d-%.100s\n", compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1, - compat20 ? PROTOCOL_MINOR_2 : PROTOCOL_MINOR_1, + compat20 ? PROTOCOL_MINOR_2 : use_minor, SSH_VERSION); if (atomicio(write, connection_out, buf, strlen(buf)) != strlen(buf)) fatal("write: %.100s", strerror(errno)); From jmknoble at jmknoble.cx Tue Oct 31 06:42:51 2000 From: jmknoble at jmknoble.cx (Jim Knoble) Date: Mon, 30 Oct 2000 14:42:51 -0500 Subject: SSH-askpass - timeout possible? In-Reply-To: ; from J.Horne@plymouth.ac.uk on Mon, Oct 30, 2000 at 11:52:18AM -0000 References: Message-ID: <20001030144251.A30482@shell.ntrnet.net> Circa 2000-Oct-30 11:52:18 -0000 dixit John Horne: : On my home PC, whch runs openssh with Jim Knoble's x11-ssh-askpass, I have : configured my Bash shell login script to prompt me for the passphrase. No : problem, however it waits during the login process for me to 'do something' : - i.e. enter a passphrase, cancel it or whatever. Is it possible to set a : timeout so that if, say, nothing occurs within a minute then it assumes no : passphrase and the login continues? I'll look into that. Unfortunately, just made a new release last night and may not have time to do anything else on it for the next week or so. If i don't speak up about it in 7-10 days, send me a ping to remind me. -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ From roth at feep.net Tue Oct 31 08:16:15 2000 
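The minor-version choice that Mark D. Baushke's sshconnect.c patch above makes, redone in isolation as an added example (not OpenSSH's code and not Mark's patch): it parses the server's identification line and builds the reply the patched snprintf() would send, so the 1.2.16 case from Benjamin's log can be checked offline. The protocol constants follow OpenSSH's values; SSH_VERSION here is a stand-in define, the options.protocol checks of the real code are left out, and the sample banners are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Protocol constants as OpenSSH defines them: "SSH-1.5" and "SSH-2.0". */
#define PROTOCOL_MAJOR_1 1
#define PROTOCOL_MINOR_1 5
#define PROTOCOL_MAJOR_2 2
#define PROTOCOL_MINOR_2 0
/* Stand-in for OpenSSH's version.h define; the string is the one from the thread. */
#define SSH_VERSION "OpenSSH_2.3.0p1"

struct negotiated {
    int remote_major;   /* what the server announced */
    int remote_minor;
    int compat20;       /* 1: we answer with 2.0 */
    int use_minor;      /* minor we announce when speaking protocol 1 */
    int forward_agent;  /* agent forwarding still permitted after negotiation */
};

/*
 * Parse the server's identification line "SSH-major.minor-software" and
 * decide how to answer.  want_agent is the ForwardAgent setting.  Returns
 * 0 on success, -1 if the line is malformed and -2 if the remote version
 * is one this client cannot talk to (too old, or an unknown major).
 * Simplified: the Protocol option of the real client is not consulted.
 */
int negotiate_version(const char *line, int want_agent, struct negotiated *n)
{
    char software[128];

    memset(n, 0, sizeof(*n));
    n->forward_agent = want_agent;
    n->use_minor = PROTOCOL_MINOR_1;

    if (sscanf(line, "SSH-%d.%d-%127[^\r\n]",
               &n->remote_major, &n->remote_minor, software) != 3)
        return -1;

    switch (n->remote_major) {
    case 1:
        if (n->remote_minor == 99) {    /* "1.99": server speaks 2.0 as well */
            n->compat20 = 1;
            break;
        }
        if (n->remote_minor < 3)        /* 1.0 to 1.2 are not supported */
            return -2;
        if (n->remote_minor == 3 || n->remote_minor == 4) {
            /* Down-rev peer: announce its own minor so it does not reject
             * us, and give up agent forwarding as the patch does. */
            n->use_minor = n->remote_minor;
            n->forward_agent = 0;
        }
        break;                          /* 1.5 and later: announce 1.5 */
    case 2:
        n->compat20 = 1;
        break;
    default:
        return -2;
    }
    return 0;
}

/* Build the identification line we send back, as the patched snprintf()
 * in sshconnect.c does (newline included).  Returns buf. */
const char *our_version_string(const struct negotiated *n, char *buf, size_t len)
{
    snprintf(buf, len, "SSH-%d.%d-%.100s\n",
             n->compat20 ? PROTOCOL_MAJOR_2 : PROTOCOL_MAJOR_1,
             n->compat20 ? PROTOCOL_MINOR_2 : n->use_minor,
             SSH_VERSION);
    return buf;
}

int main(void)
{
    /* Constructed server banners; the first is the 1.2.16 case from the thread. */
    const char *banners[] = {
        "SSH-1.4-1.2.16", "SSH-1.5-OpenSSH_2.2.0p1",
        "SSH-1.99-OpenSSH_2.3.0p1", "SSH-1.2-ancient", "not a banner"
    };
    struct negotiated n;
    char buf[256];
    size_t i;

    for (i = 0; i < sizeof(banners) / sizeof(banners[0]); i++) {
        int rc = negotiate_version(banners[i], 1, &n);
        if (rc == 0)
            printf("%-26s -> we send %s", banners[i],
                   our_version_string(&n, buf, sizeof buf));
        else
            printf("%-26s -> rejected (%d)\n", banners[i], rc);
    }
    return 0;
}
```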
From: roth at feep.net (Mark D. Roth) Date: Mon, 30 Oct 2000 15:16:15 -0600 Subject: Minor fixes for openssh-SNAP-20001028 Message-ID: <20001030151615.A14498@enterprise.isdn.uiuc.edu> I've attached a patch for openssh-SNAP-20001028 which fixes the following two problems: 1) I fixed fixpaths to complain instead of failing silently if it can't write the output file. 2) I changed log-server.c to use av0 as the first argument to openlog(). I also made sure it called openlog() before the TCP wrapper stuff, because libwrap calls syslog() and winds up using the wrong program name. Please let me know if you have any questions or problems. Thanks! -- Mark D. Roth http://www.feep.net/~roth/ -------------- next part -------------- diff -urN openssh-snap20001028/fixpaths /projects/encap-src/common/wsg/openssh-snap20001028/fixpaths --- openssh-snap20001028/fixpaths Wed Apr 19 16:33:24 2000 +++ /projects/encap-src/common/wsg/openssh-snap20001028/fixpaths Mon Oct 30 14:41:31 2000 @@ -37,14 +37,13 @@ $of = $2.".$ext"; open(IN, "<$f") || die ("$0: input file $f missing!\n"); - if (open(OUT, ">$of")) { - while () { - for $s (keys(%def)) { - s#$s#$def{$s}#; - } # for $s - print OUT; - } # while - } # if (outfile open) + open(OUT, ">$of") || die ("$0: cannot create output file $of: $!\n"); + while () { + for $s (keys(%def)) { + s#$s#$def{$s}#; + } # for $s + print OUT; + } # while } # for $f exit 0; diff -urN openssh-snap20001028/log-server.c /projects/encap-src/common/wsg/openssh-snap20001028/log-server.c --- openssh-snap20001028/log-server.c Fri Sep 15 21:29:09 2000 +++ /projects/encap-src/common/wsg/openssh-snap20001028/log-server.c Mon Oct 30 14:42:31 2000 @@ -46,7 +46,7 @@ #ifdef HAVE___PROGNAME extern char *__progname; #else /* HAVE___PROGNAME */ -static const char *__progname = "sshd"; +static const char *__progname = NULL; #endif /* HAVE___PROGNAME */ static LogLevel log_level = SYSLOG_LEVEL_INFO; 
@@ -118,6 +118,10 @@ exit(1); } log_on_stderr = on_stderr; + if (__progname == NULL) + __progname = av0; + if (! log_on_stderr) + openlog(__progname, LOG_PID, log_facility); } #define MSGBUFSIZ 1024 From itoi at eecs.umich.edu Tue Oct 31 09:21:43 2000 
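Review bot: in the fixpaths hunk both the removed and the added loop header read `while () {` with no filehandle, which is almost certainly `<IN>` lost in mail transit rather than in the patch itself; check the actual file before applying. Replacing the silent skip with `die` is the right fix for the reported problem, but the new message reports `$!` while the existing input-file `die` two lines above does not; making both include `$!` keeps the error output consistent. The loop also never closes OUT before moving on to the next `$f` (visible in the unchanged `} # for $f` context), which is worth fixing while here.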
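Review bot: changing the fallback `__progname` from "sshd" to NULL in the first log-server.c hunk means that, on systems without HAVE___PROGNAME, any log call made before log_init() has supplied av0 now hands a NULL program name to the logging code where it used to get "sshd"; either document that log_init() is guaranteed to run first, or keep "sshd" as the default and let log_init() override it with av0.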
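Review bot: the openlog() call added to log_init() in the second log-server.c hunk runs on every invocation of log_init() and has no matching closelog(), so a second call (for example after a configuration reload) reopens the log without closing the first; openlog() tolerates that, but a comment saying so would save the next reader a question. It also passes `log_facility`, so that variable must already be assigned above this point; the hunk context only shows the `exit(1); }` of the preceding check, so please confirm the assignment precedes the new call.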
From: itoi at eecs.umich.edu (Naomaru Itoi)
Date: Mon, 30 Oct 2000 17:21:43 -0500
Subject: OpenSSH / Smartcard Integration Proposal
In-Reply-To: Your message of "Mon, 30 Oct 2000 15:34:46 GMT."
Message-ID: <200010302221.e9UMLhx17378@soso.eecs.umich.edu>

Hello,

Some OpenSSH folks asked us about how a smartcard can be integrated into OpenSSH, so we looked into the OpenSSH code and designed how the integration can be done. This document explains the design. If you think it benefits OpenSSH (which we think it does), we can start implementing it. Please send us questions, comments, etc. We know Tommaso Cucinotta is working on this topic, so please excuse us if there are duplicated efforts.

OpenSSH / Smartcard Integration Proposal
Naomaru Itoi (itoi at eecs.umich.edu)
Oct. 29, 2000

1. Objective

This document proposes a way to integrate a smartcard into OpenSSH. The objective of this work is to move a user's private key to the smartcard, and to carry out all the cryptographic operations (i.e., sign a challenge) on the smartcard. This enhances the security of OpenSSH because the private key stays in the smartcard, which is a more secure storage device than a workstation.

This proposal is applied only to the SSH Version 1 protocol because the smartcard we use, Schlumberger Cyberflex Access, has RSA but not DSA.

2. SSH Modification Proposal

This section proposes modifications on two SSH components: SSH agent and ssh-add.

2.1. SSH Agent Modification

In ssh-agent.c, process_authentication_challenge1() decrypts a challenge with a smartcard. The decryption function, rsa_private_decrypt(), will be replaced with a call to the RSA function of a smartcard. lookup_private_key() will be skipped because the smartcard has the private key in it.

process_add_identity() will not read a public / private key pair from a socket. Instead, this will read the public key from the smartcard and set it to the identity table entry.

2.2. ssh-add Modification

When ssh-add is invoked with the -s option (as in smartcard), it will tell the SSH agent to use the key in the smartcard. It will also tell the smartcard reader number. ssh_add_identity() will be modified to do this.

When ssh-add adds an identity, it sends the SSH_AGENTC_ADD_RSA_IDENTITY message. This message must be modified to tell the SSH agent to use the smartcard. We have two options here:

- One is to create another message type, e.g., SSH_AGENTC_ADD_RSA_IDENTITY_WITH_SMARTCARD. When ssh-add is invoked with a special option, it sends this message instead of the SSH_AGENTC_ADD_RSA_IDENTITY.

    SSH_AGENTC_ADD_RSA_IDENTITY_WITH_SMARTCARD
    32-bit int reader number

- The other is to use the SSH_AGENTC_ADD_RSA_IDENTITY. For example, we can set the lengths of all the RSA parameter fields to zero to indicate that we use the smartcard. This message has to contain the reader number. We can use one of the parameter fields, or the comment field, to transmit this information.

The former is a cleaner approach, but adds a new message type to the SSH Agent Protocol. In contrast, the other does not add a message type, but is not very clean. Please give us some feedback on this.

3. Smartcard Interface

There exist several ways of talking to a smartcard from a workstation. We suggest using our sc7816 library which runs on top of IFD handlers. The sc7816 library is a UNIX file system like API for smartcards, e.g., scopen(), scclose(), scread(), scwrite(). This library uses an IFD handler internally. The IFD handler is a smartcard reader communication interface, used in the PC/SC framework (http://www.pcscworkgroup.com/). The IFD interface is so well accepted that there exist drivers for more than 20 readers (http://www.linuxnet.com/drivers.html). The advantage of this approach over the PC/SC framework is that it is simpler, does not require a smartcard reader access daemon, and provides a convenient interface.
Thank you, -- /--------------------\ | | | ## | | ## Naomaru Itoi | | | \--------------------/ CITI Smartcard Group http://www-personal.engin.umich.edu/~itoi http://www.citi.umich.edu From fortezzo at directlink.net Tue Oct 31 18:24:35 2000 
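The two encodings weighed in section 2.2 of the proposal above, worked through on both sides of the agent socket as an added example; this is not code from the proposal, from the CITI group, or from OpenSSH. It assumes the SSH1 agent framing as OpenSSH's ssh-agent reads it: a uint32 length, a type byte, SSH_AGENTC_ADD_RSA_IDENTITY = 7 carrying a bit count, the six RSA bignums n, e, d, iqmp, q, p each as a 16-bit bit count followed by magnitude bytes, and a comment string. The message number 20 for the proposed new type and the "smartcard:" comment marker are placeholders chosen for this example; the proposal assigns neither, and the toy RSA message at the end is constructed.

```c
/* Added example: telling the two proposed "use the smartcard" encodings
 * apart on the agent side. Not the proposal's or OpenSSH's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH_AGENTC_ADD_RSA_IDENTITY 7   /* SSH1 agent protocol message number */
/* The proposal names this message but gives it no number; 20 is a placeholder
 * for this example only (ASSUMPTION). */
#define SSH_AGENTC_ADD_RSA_IDENTITY_WITH_SMARTCARD 20
#define N_RSA_FIELDS 6                  /* n, e, d, iqmp, q, p */
#define SC_MARKER "smartcard:"          /* comment-field marker (ASSUMPTION) */

struct cursor { const uint8_t *p; size_t len, pos; };

static int get_u32(struct cursor *c, uint32_t *v) {
    if (c->len - c->pos < 4) return -1;
    *v = ((uint32_t)c->p[c->pos] << 24) | ((uint32_t)c->p[c->pos + 1] << 16)
       | ((uint32_t)c->p[c->pos + 2] << 8) | c->p[c->pos + 3];
    c->pos += 4;
    return 0;
}

/* SSH1 bignum: uint16 bit count, then (bits+7)/8 magnitude bytes. Skips the
 * value and reports how many magnitude bytes it occupied. */
static int skip_mpint1(struct cursor *c, size_t *nbytes) {
    if (c->len - c->pos < 2) return -1;
    unsigned bits = ((unsigned)c->p[c->pos] << 8) | c->p[c->pos + 1];
    c->pos += 2;
    *nbytes = (bits + 7) / 8;
    if (c->len - c->pos < *nbytes) return -1;
    c->pos += *nbytes;
    return 0;
}

/* Agent side. Returns 1 for a smartcard identity (reader number in *reader),
 * 0 for an ordinary software RSA key, -1 for a malformed or unknown message. */
int classify_add_identity(const uint8_t *msg, size_t len, uint32_t *reader) {
    struct cursor c = { msg, len, 0 };
    uint32_t plen, bits, clen;
    if (get_u32(&c, &plen) < 0 || plen == 0 || plen != len - 4) return -1;
    uint8_t type = msg[c.pos++];
    if (type == SSH_AGENTC_ADD_RSA_IDENTITY_WITH_SMARTCARD)   /* option 1 */
        return (get_u32(&c, reader) == 0 && c.pos == len) ? 1 : -1;
    if (type != SSH_AGENTC_ADD_RSA_IDENTITY || get_u32(&c, &bits) < 0) return -1;
    size_t total = 0, n;
    for (int i = 0; i < N_RSA_FIELDS; i++) {
        if (skip_mpint1(&c, &n) < 0) return -1;
        total += n;
    }
    if (get_u32(&c, &clen) < 0 || c.len - c.pos != clen) return -1;
    const char *comment = (const char *)msg + c.pos;
    size_t mlen = strlen(SC_MARKER);
    /* Option 2 is recognisable only by convention: every bignum zero-length and
     * the reader number in the comment. A real key never has bits == 0. */
    if (bits == 0 && total == 0 && clen > mlen && memcmp(comment, SC_MARKER, mlen) == 0) {
        uint32_t v = 0;
        for (size_t i = mlen; i < clen; i++) {
            if (comment[i] < '0' || comment[i] > '9') return -1;
            v = v * 10 + (uint32_t)(comment[i] - '0');
        }
        *reader = v;
        return 1;
    }
    if (bits == 0 || total == 0) return -1;    /* keyless identity, no marker */
    return 0;
}

static size_t put_u32(uint8_t *o, uint32_t v) {
    o[0] = v >> 24; o[1] = v >> 16; o[2] = v >> 8; o[3] = v;
    return 4;
}

/* ssh-add side: emit either form into out (>= 64 bytes); returns the length. */
size_t build_smartcard_msg(uint8_t *out, int overloaded, uint32_t reader) {
    size_t n = 4;                                  /* room for the length prefix */
    if (!overloaded) {
        out[n++] = SSH_AGENTC_ADD_RSA_IDENTITY_WITH_SMARTCARD;
        n += put_u32(out + n, reader);
    } else {
        char comment[32];
        int clen = snprintf(comment, sizeof comment, SC_MARKER "%u", reader);
        out[n++] = SSH_AGENTC_ADD_RSA_IDENTITY;
        n += put_u32(out + n, 0);                  /* bits = 0 */
        for (int i = 0; i < N_RSA_FIELDS; i++) { out[n++] = 0; out[n++] = 0; }
        n += put_u32(out + n, (uint32_t)clen);
        memcpy(out + n, comment, (size_t)clen);
        n += (size_t)clen;
    }
    put_u32(out, (uint32_t)(n - 4));
    return n;
}

/* Constructed ordinary ADD_RSA_IDENTITY with toy one-byte numbers, for contrast. */
const uint8_t rsa_msg[] = {
    0, 0, 0, 30,                                 /* payload length */
    SSH_AGENTC_ADD_RSA_IDENTITY,
    0, 0, 0, 8,                                  /* bits */
    0, 8, 0xCD,  0, 5, 0x11,  0, 8, 0x99,        /* n, e, d */
    0, 1, 0x01,  0, 4, 0x0B,  0, 5, 0x11,        /* iqmp, q, p */
    0, 0, 0, 3, 'k', 'e', 'y'                    /* comment */
};
```

The agent-side classify_add_identity() makes the cost of the second option visible: it can only recognise a smartcard request by convention (all six bignums zero-length, marker in the comment), and it has to reject an empty key that lacks the marker so a broken client cannot slip a keyless identity into the table. The first option is one type check and one uint32, which is the "cleaner" the proposal is talking about.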
From: fortezzo at directlink.net (Jason Fortezzo) Date: Tue, 31 Oct 2000 01:24:35 -0600 Subject: Solaris 2.6 + Expired Password Annoyance Message-ID: <4.3.2.7.2.20001031012006.024336b8@mailhost.directlink.net> The latest snapshot works well for me, except for one minor annoyance. When logging into an account with an expired password, OpenSSH asks for the current login password twice and then it asks for the new password. Other than that, everything works swell. [fortezzo at entralla /root]$ ssh fortezzo at firrerre Warning: Permanently added 'firrerre,xx.xx.xx.xx' (DSA) to the list of known hosts. fortezzo at firrerre's password: Warning: Your password has expired, please change it now Enter login password: Enter login password: New password: Re-enter new password: sshd (SYSTEM): passwd successfully changed for fortezzo Last login: Mon Oct 30 22:52:24 2000 from entralla Sun Microsystems Inc. SunOS 5.6 Generic August 1997 [fortezzo at firrerre /export/home/fortezzo]$ ----------------------------------------------------------------- OpenSSH configured has been configured with the following options. User binaries: /opt/oss/openssh-2.3.0p1/bin User binaries: /opt/oss/openssh-2.3.0p1/bin System binaries: /opt/oss/openssh-2.3.0p1/sbin Configuration files: /etc/opt/openssh Askpass program: /opt/oss/openssh-2.3.0p1/libexec/ssh-askpass Manual pages: /opt/oss/openssh-2.3.0p1/man/catX PID file: /var/opt/openssh Random number collection: Device (/dev/urandom) Manpage format: cat PAM support: yes KerberosIV support: no AFS support: no S/KEY support: no TCP Wrappers support: yes MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: no Host: sparc-sun-solaris2.6 Compiler: gcc Compiler flags: -I/opt/oss/zlib-1.1.3/include -I/opt/oss/tcp_wrappers-7.6/include -Wall -I. -I. 
-I/usr/local/include -I/opt/oss/openssl-0.9.6/include Linker flags: -L/opt/oss/zlib-1.1.3/lib -R/opt/oss/zlib-1.1.3/lib -L/opt/oss/tcp_wrappers-7.6/lib -R/opt/oss/tcp_wrappers-7.6/lib -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib -L/opt/oss/openssl-0.9.6/lib -L/opt/oss/openssl-0.9.6 -R/opt/oss/openssl-0.9.6/lib -R/opt/oss/openssl-0.9.6 Libraries: -ldl -lsocket -lnsl -lz -lpam -lcrypto -lwrap Jason Fortezzo fortezzo at directlink.net http://mysite.directlink.net/fortezzo/pgpkey --- If you have any trouble sounding condescending, find a Unix user to show you how it's done. --Scott Adams From markus.friedl at informatik.uni-erlangen.de Tue Oct 31 09:18:17 2000 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 30 Oct 2000 23:18:17 +0100 Subject: Another shapshot In-Reply-To: <39FC11AD.3BB38630@redhat.com>; from vinschen@redhat.com on Sun, Oct 29, 2000 at 01:01:49PM +0100 References: <39FC11AD.3BB38630@redhat.com> Message-ID: <20001030231817.A23318@folly> On Sun, Oct 29, 2000 at 01:01:49PM +0100, Corinna Vinschen wrote: > Nevertheless I had a problem with the interoperability between an > i686-pc-linux-gnu OpenSSH 2.1.1 and this snapshot. I couldn't use > protocol version 2. The debug output stated > > "dsa_verify: signature incorrect" when is this message displayed? during host-key verification or user-authentication? what are the exact version numbers involved. -markus From markus.friedl at informatik.uni-erlangen.de Tue Oct 31 09:20:30 2000 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 30 Oct 2000 23:20:30 +0100 Subject: Another shapshot In-Reply-To: ; from stevesk@sweden.hp.com on Sun, Oct 29, 2000 at 08:44:27PM +0100 References: <39FC11AD.3BB38630@redhat.com> Message-ID: <20001030232030.B23318@folly> On Sun, Oct 29, 2000 at 08:44:27PM +0100, Kevin Steves wrote: > On Sun, 29 Oct 2000, Corinna Vinschen wrote: > : Nevertheless I had a problem with the interoperability between an > : i686-pc-linux-gnu OpenSSH 2.1.1 and this snapshot. I couldn't use > : protocol version 2. The debug output stated > : > : "dsa_verify: signature incorrect" in compat.c, could you please change the line { "^OpenSSH-2\\.[01]", SSH_OLD_SESSIONID }, to { "^OpenSSH[-_]2\\.[01]", SSH_OLD_SESSIONID }, and test again? -markus From markus.friedl at informatik.uni-erlangen.de Tue Oct 31 19:21:09 2000 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 31 Oct 2000 09:21:09 +0100 Subject: RhostsAuthentication + nondefault port doesn't work? In-Reply-To: ; from pekkas@netcore.fi on Mon, Oct 30, 2000 at 09:17:28PM +0200 References: Message-ID: <20001031092109.C32127@folly> On Mon, Oct 30, 2000 at 09:17:28PM +0200, Pekka Savola wrote: > Hello all, > > It seems that RhostsAuthentication does not work on non-default port no > matter what when connecting from OpenSSH (2.1.1, 2.2.0 tried) either with > protocol 1 or protocol 2 (shouldn't work either..). > > _However_ when connecting with SSH.COM Ltd's ssh, RhostsAuthentication > works just fine! > > Checking the port number of ssh client you can see that OpenSSH doesn't > assign privileged port for this, but SSH Ltd's ssh does. Connecting to > port 22 works with OpenSSH too. > > Is this a feature? If so, I wonder why? is the openssh client setuid root? From pekkas at netcore.fi Tue Oct 31 19:21:38 2000 
From: pekkas at netcore.fi (Pekka Savola) Date: Tue, 31 Oct 2000 10:21:38 +0200 (EET) Subject: RhostsAuthentication + nondefault port doesn't work? In-Reply-To: <20001031092109.C32127@folly> Message-ID: On Tue, 31 Oct 2000, Markus Friedl wrote: > On Mon, Oct 30, 2000 at 09:17:28PM +0200, Pekka Savola wrote: > > Hello all, > > > > It seems that RhostsAuthentication does not work on non-default port no > > matter what when connecting from OpenSSH (2.1.1, 2.2.0 tried) either with > > protocol 1 or protocol 2 (shouldn't work either..). > > > > _However_ when connecting with SSH.COM Ltd's ssh, RhostsAuthentication > > works just fine! > > > > Checking the port number of ssh client you can see that OpenSSH doesn't > > assign privileged port for this, but SSH Ltd's ssh does. Connecting to > > port 22 works with OpenSSH too. > > > > Is this a feature? If so, I wonder why? > > is the openssh client setuid root? Yes. -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" From vinschen at redhat.com Tue Oct 31 19:47:11 2000 
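Why the one-character change in compat.c that Markus asked Corinna to test matters, as an added example (not OpenSSH's compat.c). It assumes that the portable release announces itself with an underscore ("OpenSSH_2.1.1") while the OpenBSD release uses a dash ("OpenSSH-2.1"), which is what the `[-_]` in the new pattern caters for; SSH_OLD_SESSIONID is given a placeholder bit value here, and the identification lines fed to parse_ident() are constructed.

```c
/* Added example: the compat-table match that the pattern change affects.
 * Not OpenSSH's compat.c; flag value and version strings are constructed. */
#include <regex.h>
#include <stddef.h>
#include <string.h>

#define SSH_OLD_SESSIONID 0x01          /* placeholder bit (ASSUMPTION) */

struct compat_entry { const char *pattern; int flags; };

/* The pattern as it was, and as proposed in the thread. */
const struct compat_entry old_table[] = { { "^OpenSSH-2\\.[01]",    SSH_OLD_SESSIONID }, { NULL, 0 } };
const struct compat_entry new_table[] = { { "^OpenSSH[-_]2\\.[01]", SSH_OLD_SESSIONID }, { NULL, 0 } };

/* Pull "softwareversion" out of an identification line of the form
 * "SSH-protoversion-softwareversion[ comments]\r\n". Returns 0 on success. */
int parse_ident(const char *line, char *out, size_t outlen) {
    if (strncmp(line, "SSH-", 4) != 0) return -1;
    const char *p = strchr(line + 4, '-');          /* end of protoversion */
    if (p == NULL) return -1;
    p++;
    size_t n = strcspn(p, " \r\n");
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Same shape as the compat_datafellows loop: OR together the flags of every
 * entry whose anchored regex matches the peer's software version string.
 * Returns -1 if a pattern fails to compile. */
int datafellows_for(const struct compat_entry *table, const char *version) {
    int flags = 0;
    for (; table->pattern != NULL; table++) {
        regex_t re;
        if (regcomp(&re, table->pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
        int rc = regexec(&re, version, 0, NULL, 0);
        regfree(&re);
        if (rc == 0) flags |= table->flags;
    }
    return flags;
}
```

With the old pattern the portable 2.1.1 client on the Linux side collects no SSH_OLD_SESSIONID flag, so the snapshot treats it like a current peer and the two sides disagree on what the DSA signature covers, which is the "dsa_verify: signature incorrect" Corinna saw; with the new pattern it is flagged exactly like an "OpenSSH-2.1" peer, while a 2.2 version string still matches neither.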
From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 31 Oct 2000 09:47:11 +0100 Subject: Another shapshot References: <39FC11AD.3BB38630@redhat.com> <20001030232030.B23318@folly> Message-ID: <39FE870F.8FD7C0DF@redhat.com> Markus Friedl wrote: > > On Sun, Oct 29, 2000 at 08:44:27PM +0100, Kevin Steves wrote: > > On Sun, 29 Oct 2000, Corinna Vinschen wrote: > > : Nevertheless I had a problem with the interoperability between an > > : i686-pc-linux-gnu OpenSSH 2.1.1 and this snapshot. I couldn't use > > : protocol version 2. The debug output stated > > : > > : "dsa_verify: signature incorrect" > > in compat.c, could you please change the line > { "^OpenSSH-2\\.[01]", SSH_OLD_SESSIONID }, > to > { "^OpenSSH[-_]2\\.[01]", SSH_OLD_SESSIONID }, > > and test again? That works! Thanks, Corinna -- Corinna Vinschen Please, send mails regarding Cygwin to Cygwin Developer mailto:cygwin at sources.redhat.com Red Hat, Inc. mailto:vinschen at redhat.com From jason-openssh at dfmm.org Tue Oct 31 21:34:13 2000 From: jason-openssh at dfmm.org (Jason Stone) Date: Tue, 31 Oct 2000 02:34:13 -0800 (PST) Subject: Locking pages in core Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Is there any interest in using mlock to lock pages in core so that potentially sensitive data won't get swapped out to disk? (GnuPG, for example, does this). There was a thread on this a long time ago, and it degenerated into a discussion of crypto-swap, but the question was never answered. Is there a good reason not to do this? The only one I can think of is that we'll need to make ssh-agent setuid as mlock requires root privileges. -Jason -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.2 (GNU/Linux) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE5/qAwswXMWWtptckRAhCqAJ91Ei23/vxP1SHmI44dHmEPIPI3FACgkujG oODCsCvCCgYCYO7ZS71ThBc= =g0GJ -----END PGP SIGNATURE----- From Benjamin.Riefenstahl at ision.net Tue Oct 31 21:47:58 2000
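A minimal version of what Jason asks about, as an added example (not ssh-agent or GnuPG code): a page-aligned buffer pinned with mlock(2), wiped through a volatile pointer and unlocked before free(). The failure path is the interesting part: mlock() fails with EPERM or ENOMEM when the process is over its locked-memory allowance, and the code reports that instead of silently carrying on with a swappable key. On Linux since 2.6.9 an unprivileged process may lock up to the soft RLIMIT_MEMLOCK, which memlock_soft_limit() reports, so setuid root is not the only route on current systems; the key bytes copied in during use are constructed.

```c
/* Added example: pinning a key buffer in RAM with mlock() and wiping it
 * before release. Not OpenSSH code. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>

struct secret_buf { unsigned char *p; size_t len; int locked; };

/* Allocate len bytes rounded up to whole pages and try to lock them in core.
 * Returns 0 if locked, or -errno from mlock(2); in the failure case the memory
 * is still allocated and zeroed but swappable, and the caller decides whether
 * that is acceptable for the material it is about to store. */
int secret_alloc(struct secret_buf *sb, size_t len) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return -EINVAL;
    size_t rounded = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    void *mem = NULL;
    if (posix_memalign(&mem, (size_t)page, rounded) != 0) return -ENOMEM;
    memset(mem, 0, rounded);
    sb->p = mem; sb->len = rounded; sb->locked = 0;
    if (mlock(mem, rounded) != 0) return -errno;   /* EPERM/ENOMEM: over RLIMIT_MEMLOCK */
    sb->locked = 1;
    return 0;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the stores
 * as dead writes before free(); then unlock and release. Returns bytes wiped. */
size_t secret_free(struct secret_buf *sb) {
    if (sb->p == NULL) return 0;
    volatile unsigned char *vp = sb->p;
    for (size_t i = 0; i < sb->len; i++) vp[i] = 0;
    size_t wiped = sb->len;
    if (sb->locked) munlock(sb->p, sb->len);
    free(sb->p);
    sb->p = NULL; sb->len = 0; sb->locked = 0;
    return wiped;
}

/* Soft RLIMIT_MEMLOCK: how much this process may lock without privilege
 * (RLIM_INFINITY if unlimited), or (rlim_t)-1 if the query itself fails. */
rlim_t memlock_soft_limit(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_MEMLOCK, &rl) != 0) return (rlim_t)-1;
    return rl.rlim_cur;
}
```

Locking keeps the pages out of swap, nothing more: a core dump or a suspend-to-disk image still contains them, and the bytes are only gone once secret_free() has run, which is why the wipe is done unconditionally even when the lock failed.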
From: Benjamin.Riefenstahl at ision.net (Benjamin Riefenstahl) Date: Tue, 31 Oct 2000 11:47:58 +0100 Subject: Compatibility with 1.2.16 (commercial)? References: <200010301923.LAA86810@garnet.juniper.net> Message-ID: <39FEA35E.8A0E5803@ision.net> Hi Mark, Thanks for your help. I'll use your patch. so long, benny -- ISION Internet AG Benjamin Riefenstahl mailto:benjamin.riefenstahl at ision.net Ruhrstrasse 61 D-22761 Hamburg http://www.ision.net From "kiss000 " at mindrot.org Mon Oct 30 04:15:10 2000 From: "kiss000 " at mindrot.org ("kiss000 " at mindrot.org) Date: Mon, 30 Oct 2000 01:15:10 +0800 Subject: No subject Message-ID: <20001101010206.77AB31A48B@toad.mindrot.org> http://home.kimo.com.tw/china999/index.html -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20001030/bbf97b75/attachment.html -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: image/gif Size: 30486 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20001030/bbf97b75/attachment.gif From dcp at sgi.com Tue Oct 31 10:08:58 2000 
From: dcp at sgi.com (Dennis Parker) Date: Mon, 30 Oct 2000 17:08:58 -0600 (CST) Subject: new Irix feature Message-ID: <200010302308.RAA81963@yooper.americas.sgi.com> The Irix 6.5 operating system now supports job containers. Job containers are in some ways similar to process groups or sessions. Every process that stems from a user's initial entry to the system is assigned to the same job container. The Irix job initiation commands - login, telnet, rsh, rlogin, cron, su, etc all support job containers and I'd like to modify openssh so that it supports jobs as well. I've downloaded the 2.2.0p1 source and added job initiation support. There are a couple of lines of new code in session.c and some changes to the config files. How do I go about pursuing the changes? Thanks for any information you can send me. - Dennis Parker dcp at sgi.com