From speno at isc.upenn.edu Fri Sep 1 06:03:47 2000 From: speno at isc.upenn.edu (John P Speno) Date: Thu, 31 Aug 2000 15:03:47 -0400 Subject: Snapshot In-Reply-To: ; from djm@mindrot.org on Tue, Aug 29, 2000 at 12:03:39PM +1100 References: Message-ID: <20000831150347.A419159@isc.upenn.edu> > Pending success this will become 2.1.1p5 Success for host system type alphaev6-dec-osf5.0. From qralston+ml.openssh-unix-dev at andrew.cmu.edu Fri Sep 1 08:27:29 2000 
From: qralston+ml.openssh-unix-dev at andrew.cmu.edu (James Ralston) Date: Thu, 31 Aug 2000 17:27:29 -0400 (EDT) Subject: assorted issues with 2.1.1p4... In-Reply-To: Message-ID: On Thu, 31 Aug 2000, Pekka Savola wrote: > On Wed, 30 Aug 2000, James Ralston wrote: > > > > 4. If X11 forwarding is being used, and an X11 application is > > being forwarded across the secure channel, occasionally > > shutting down that application causes the sshd process to > > crash. > > > > I've made an attempt to look at issue #4, but so far, I've been > > unable to catch the sshd process in the act of crashing; it seems > > that the problem doesn't occur when the sshd process in question > > is being traced. I'm not even sure what signal sshd is dying on. > > I'll report back once I have more definite information, but until > > then, has anyone run into what they think might be the same > > problem? > > Do you mean that the main sshd process dies, or the one handling your > connection? The one that's handling my connection dies. > For what it's worth, when doing heavy X11Forwarding, the latter > happens to me almost daily. Connecting with SecureCRT 3.1 to > commercial SSH-1.2.25. I've only noticed this with SecureCRT (not > that I do much X11 forwarding from anywhere else). > > So this might be a little more generic problem ... Perhaps. But I've *never* had this problem with any of the ssh 1.2.x packages. And I didn't have this problem when I was using OpenSSH to connect to a ssh 1.2.27 server. I only saw this problem when I started using OpenSSH to connect to an OpenSSH server. Like I said, I haven't been able to figure out what's happening, because every time I trace the sshd and try to reproduce the problem, I never can. For all I know, this could be the SIGPIPE problem that others have already reported... James From gem at rellim.com Fri Sep 1 11:58:09 2000 
From: gem at rellim.com (Gary E. Miller) Date: Thu, 31 Aug 2000 17:58:09 -0700 (PDT) Subject: sftp Message-ID:

Yo All!

I understand why we do not have sftp in openssh, but it would be nice if we could make it so that when an SSH.COM scp2 client makes a connection to an OpenSSH V2 daemon that it does not hang....

Any ideas or do I need to dig a bit on this?

Here is what the sshd says when I connect to it from scp2:

debug: session_open: session 0: link with channel 0
debug: confirm session
debug: callback start
debug: session_by_channel: session 0 channel 0
debug: session_input_channel_req: session 0 channel 0 request subsystem reply 1
subsystem request for sftp
subsystem request for sftp failed, subsystem not found
debug: callback done
debug: channel 0: rcvd close

Then they both hang. If I ^C the sshd then the connection drops. It looks very close to working: it detects the error and tries to close, it just does not get there.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From gem at rellim.com Fri Sep 1 12:08:06 2000
From: gem at rellim.com (Gary E. Miller) Date: Thu, 31 Aug 2000 18:08:06 -0700 (PDT) Subject: sftp In-Reply-To: Message-ID: Yo All! On Thu, 31 Aug 2000, Gary E. Miller wrote: > I understand why we do not have sftp in openssh, but it would be nice > if we could make it so that when an SSH.COM scp2 client makes a connection > to an OpenSSH V2 daemon that it does not hang.... After a little checking I found in /usr/local/etc/sshd_config: #Subsystem sftp /usr/local/sbin/sftpd If I uncomment that line, and restart sshd then the scp2 connection will fail promptly as it should. Even though (because?) sftp is not on that host. Maybe this should be the default? RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 From mouring at pconline.com Fri Sep 1 12:19:13 2000 
From: mouring at pconline.com (Ben Lindstrom) Date: Thu, 31 Aug 2000 20:19:13 -0500 (CDT) Subject: sftp In-Reply-To: Message-ID:

I believe it was stated back a few months ago that if one needs the support they can use the sftp-server2 and sftp2 from the ssh commercial using what you show down below.

Unless someone feels in the mood to attempt to reverse engineer sftp, I doubt it will get into OpenSSH.

On Thu, 31 Aug 2000, Gary E. Miller wrote:
> Yo All!
>
> On Thu, 31 Aug 2000, Gary E. Miller wrote:
>
> > I understand why we do not have sftp in openssh, but it would be nice
> > if we could make it so that when an SSH.COM scp2 client makes a connection
> > to an OpenSSH V2 daemon that it does not hang....
>
> After a little checking I found in /usr/local/etc/sshd_config:
>
> #Subsystem sftp /usr/local/sbin/sftpd
>
> If I uncomment that line, and restart sshd then the scp2 connection
> will fail promptly as it should. Even though (because?) sftp is
> not on that host.
>
> Maybe this should be the default?
>
> RGDS
> GARY
> ---------------------------------------------------------------------------
> Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
> gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From Todd.Miller at courtesan.com Fri Sep 1 12:27:35 2000
From: Todd.Miller at courtesan.com (Todd C. Miller) Date: Thu, 31 Aug 2000 19:27:35 -0600 Subject: sftp In-Reply-To: Your message of "Thu, 31 Aug 2000 17:58:09 PDT." References: Message-ID: <200009010127.e811Ra721420@xerxes.courtesan.com>

Markus committed sftp support in the OpenBSD tree today. Once it has had some more testing I'm sure this will make its way into the portable release.

- todd

From gem at rellim.com Fri Sep 1 12:33:05 2000
From: gem at rellim.com (Gary E. Miller) Date: Thu, 31 Aug 2000 18:33:05 -0700 (PDT) Subject: sftp In-Reply-To: Message-ID: Yo Ben! I do not care about sftp support, I just do not want inbound scp2 connections to hang. If we can not do it we should error out cleanly and promptly. Then I can engage my brain and remember to type "scp1" instead of just "scp". I am getting tired of getting support calls on this one. RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 On Thu, 31 Aug 2000, Ben Lindstrom wrote: > Unless someone feels in the mood to attempt to reverse engineer sftp. I > doubt it will get into OpenSSH. From mouring at pconline.com Fri Sep 1 14:27:00 2000 From: mouring at pconline.com (Ben Lindstrom) Date: Thu, 31 Aug 2000 22:27:00 -0500 (CDT) Subject: sftp In-Reply-To: <200009010127.e811Ra721420@xerxes.courtesan.com> Message-ID: On Thu, 31 Aug 2000, Todd C. Miller wrote: > Markus committed sftp support in the OpenBSD tree today. Once it > has had some more testing I'm sure this will make its way into the > portable release. > Nice.. Outside a group of warnings.. and changing futimes(FD,..) to utimes(handle_to_name(handle),..) it compiles and seems to work with from what I've played with so far under Linux. From djm at mindrot.org Fri Sep 1 14:31:47 2000 
From: djm at mindrot.org (Damien Miller) Date: Fri, 1 Sep 2000 14:31:47 +1100 (EST) Subject: sftp In-Reply-To: Message-ID: On Thu, 31 Aug 2000, Ben Lindstrom wrote: > Nice.. Outside a group of warnings.. and changing futimes(FD,..) to > utimes(handle_to_name(handle),..) it compiles and seems to work > with from what I've played with so far under Linux. Good to hear :) It wont be in the release later today, but it will be followed with a snapshot pretty quickly with sftp, better PAM and a few other patches which have accrued in the last week. -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From stevesk at sweden.hp.com Fri Sep 1 20:29:14 2000 From: stevesk at sweden.hp.com (Kevin Steves) Date: Fri, 1 Sep 2000 11:29:14 +0200 (CEST) Subject: sshd.8 patch Message-ID: <200009010926.LAA14202@b0fh.sweden.hp.com> I see Protocol 1,2 is the default now: --- sshd.8~ Tue Aug 29 02:33:51 2000 +++ sshd.8 Fri Sep 1 11:03:04 2000 @@ -541,7 +541,7 @@ .Dq 2 . Multiple versions must be comma-separated. The default is -.Dq 1 . +.Dq 1,2 . .It Cm RandomSeed Obsolete. Random number generation uses other techniques. From stevesk at sweden.hp.com Fri Sep 1 22:51:50 2000 From: stevesk at sweden.hp.com (Kevin Steves) Date: Fri, 1 Sep 2000 13:51:50 +0200 (CEST) Subject: scp -S patch fix Message-ID: <200009011148.NAA08563@b0fh.sweden.hp.com> The scp -S patch didn't seem to go in cleanly; here are some fixes against the 0830 snapshot: --- scp.c~ Wed Aug 30 01:11:30 2000 +++ scp.c Fri Sep 1 12:54:14 2000 @@ -262,7 +262,7 @@ extern int optind; fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S")) != EOF) + while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:")) != EOF) switch (ch) { /* User-visible flags. */ case '4': --- scp.1~ Wed Aug 23 02:46:24 2000 +++ scp.1 Fri Sep 1 13:46:33 2000 
@@ -20,6 +20,7 @@ .Sh SYNOPSIS .Nm scp .Op Fl pqrvC46 +.Op Fl S Ar ssh .Op Fl P Ar port .Op Fl c Ar cipher .Op Fl i Ar identity_file @@ -68,11 +69,6 @@ .It Fl p Preserves modification times, access times, and modes from the original file. -.It Fl S -Name of program to use for the encrypted connection. -The program must understand -.Xr ssh 1 -options. .It Fl r Recursively copy entire directories. .It Fl v @@ -103,7 +99,7 @@ .Fl p is already reserved for preserving the times and modes of the file in .Xr rcp 1 . -.It Fl S +.It Fl S Ar ssh Name of program to use for the encrypted connection. The program must understand .Xr ssh 1 From mwolinski at mimecom.com Sat Sep 2 04:55:00 2000 
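Review bot: the one-character change from "S" to "S:" in the getopt string of the scp.c hunk is the whole fix and is correct: without the trailing colon getopt(3) treats -S as a flag that takes no argument, optarg is never set for it, and the program name given after -S stays in argv to be parsed as a file operand. Since this line is being touched anyway, the loop condition should compare against -1 rather than EOF; POSIX specifies -1 as getopt's end-of-options return and EOF only happens to equal it on common libcs.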
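Review bot: in the scp.1 hunks, deleting the first of the two -S descriptions (@@ -68) and keeping the one that follows the -P text (@@ -103) is the right way to resolve the duplicate, but the SYNOPSIS hunk inserts ".Op Fl S Ar ssh" ahead of ".Op Fl P Ar port" while the DESCRIPTION now lists -S after -P; order the option the same way in both places so a reader scanning the synopsis finds the entry where expected.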
From: mwolinski at mimecom.com (Matt Wolinski) Date: Fri, 01 Sep 2000 10:55:00 -0700 Subject: unable to install openssh 2.1.1.p4 Message-ID: <39AFED74.95C769A0@mimecom.com> Hello, I am having a problem running the configure for my openssh install (version 2.1.1p4). I have installed a new version of openssl (0.9.5a). This is the error I am receiving: checking for login in -lbsd... no checking for daemon... no checking for daemon in -lbsd... no checking for getpagesize... yes checking whether snprintf correctly terminates long strings... yes checking for dlopen in -ldl... yes checking for pam_getenvlist... yes checking whether pam_strerror takes only one argument... no checking for OpenSSL directory... configure: error: Could not find working SSLeay / OpenSSL libraries, please install I have read several archived messages about similar problems and found no solution. I tried installing symlinks in /usr/local/lib for both libcrypto.a and libssl.a pointing to my /usr/local/ssl/lib directory. I also tried installing symlinks in the /usr/local/ssl for both libraries. Here is the last 50 or so lines from my config.log. Thanks for the help, Matt configure:2795: gcc -o conftest -g -O2 -Wall -I/usr/local/include -I/opt/include -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib -L/opt/lib -L/opt -R/opt/lib -R/opt conftest.c -ldl -lsocket -lnsl -lz -lpam -lcrypto 1>&5 Undefined first referenced symbol in file RAND_add /var/tmp/ccpfsjNB.o RAND_status /var/tmp/ccpfsjNB.o ld: fatal: Symbol referencing errors. 
No output written to conftest collect2: ld returned 1 exit status configure: failed program was: #line 2781 "configure" #include "confdefs.h" #include #include int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); } configure:2795: gcc -o conftest -g -O2 -Wall -I/usr/local/include -I/opt/openssl/include -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib -R/usr/ucblib -L/opt/openssl/lib -L/opt/openssl -R/opt/openssl/lib -R/opt/openssl conftest.c -ldl -lsocket -lnsl -lz -lpam -lcrypto 1>&5 Undefined first referenced symbol in file RAND_add /var/tmp/cc4cZDdz.o RAND_status /var/tmp/cc4cZDdz.o ld: fatal: Symbol referencing errors. No output written to conftest collect2: ld returned 1 exit status configure: failed program was: #line 2781 "configure" #include "confdefs.h" #include #include int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); } From mwolinski at MimEcom.com Sat Sep 2 05:18:28 2000 From: mwolinski at MimEcom.com (Matt Wolinski) Date: Fri, 1 Sep 2000 11:18:28 -0700 Subject: FW: unable to install openssh 2.1.1.p4 Message-ID: <3A97CCB5D8F28949A0AE89287B1AFBFD14FE95@sfomail01.mimecom.com> My $LD_LIBRARY_PATH does include the "/usr/local/ssl/lib" directory and I have been passing the configure script my ssl directory. ./configure --with-ssl-dir=/usr/local/ssl Also, I am running Solaris 7 on a Sparc. Thank you very much for all of your suggestions, -Matt -----Original Message----- 
From: James Oden [mailto:joden at eworld.wox.org] Sent: Friday, September 01, 2000 11:03 AM To: Matt Wolinski Subject: Re: unable to install openssh 2.1.1.p4

> Hello,
>
> I am having a problem running the configure for my openssh install
> (version 2.1.1p4). I have installed a new version of openssl (0.9.5a).
> This is the error I am receiving:
>
> checking for login in -lbsd... no
> checking for daemon... no
> checking for daemon in -lbsd... no
> checking for getpagesize... yes
> checking whether snprintf correctly terminates long strings... yes
> checking for dlopen in -ldl... yes
> checking for pam_getenvlist... yes
> checking whether pam_strerror takes only one argument... no
> checking for OpenSSL directory... configure: error: Could not find
> working SSLeay / OpenSSL libraries, please install
>
> I have read several archived messages about similar problems and found
> no solution. I tried installing symlinks in /usr/local/lib for both
> libcrypto.a and libssl.a pointing to my /usr/local/ssl/lib directory. I
> also tried installing symlinks in the /usr/local/ssl for both
> libraries. Here is the last 50 or so lines from my config.log.

Matt,

Have you tried to set your LD_LIBRARY_PATH? For instance, if your ssl lived in /opt/ssl/lib, and you were running bash or ksh, you could type:

export LD_LIBRARY_PATH=/opt/ssl/lib

or, if it is already set to something:

export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/opt/ssl/lib

Conversely, the configure file has an option to say where ssl is installed:

./configure --with-ssl-dir=/opt/ssl

That is, of course, assuming that ssl is under /opt/ssl.

Cheers...james

From Lutz.Jaenicke at aet.TU-Cottbus.DE Sat Sep 2 06:29:43 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Fri, 1 Sep 2000 21:29:43 +0200 Subject: unable to install openssh 2.1.1.p4 In-Reply-To: <39AFED74.95C769A0@mimecom.com>; from mwolinski@mimecom.com on Fri, Sep 01, 2000 at 10:55:00AM -0700 References: <39AFED74.95C769A0@mimecom.com> Message-ID: <20000901212943.B28631@serv01.aet.tu-cottbus.de>

On Fri, Sep 01, 2000 at 10:55:00AM -0700, Matt Wolinski wrote:
> configure:2795: gcc -o conftest -g -O2 -Wall -I/usr/local/include
> -I/opt/openssl/include -L/usr/local/lib -R/usr/local/lib -L/usr/ucblib
> -R/usr/ucblib -L/opt/openssl/lib -L/opt/openssl -R/opt/openssl/lib
> -R/opt/openssl conftest.c -ldl -lsocket -lnsl -lz -lpam -lcrypto 1>&5
> Undefined first referenced
> symbol in file
> RAND_add /var/tmp/cc4cZDdz.o
> RAND_status /var/tmp/cc4cZDdz.o
> ld: fatal: Symbol referencing errors. No output written to conftest
> collect2: ld returned 1 exit status

Please check whether you have another "libcrypto" on your system. I had a discussion with Marc Crispin (UW-imap now has SSL-support) who explained to me that Kerberos(?) also has a libcrypto, so that he had to hardcode the path to the OpenSSL libcrypto library. (You already stated that you have 0.9.5a, so the version problem does not apply to your case.)

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

From markus.friedl at informatik.uni-erlangen.de Sat Sep 2 09:03:28 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 2 Sep 2000 00:03:28 +0200 Subject: sftp In-Reply-To: ; from gem@rellim.com on Thu, Aug 31, 2000 at 05:58:09PM -0700 References: Message-ID: <20000902000328.A1499@folly.informatik.uni-erlangen.de>

openssh's sshd behaviour is completely legal, it seems that scp2 ignores the SSH2_MSG_CHANNEL_FAILURE message.

On Thu, Aug 31, 2000 at 05:58:09PM -0700, Gary E. Miller wrote:
> Yo All!
>
> I understand why we do not have sftp in openssh, but it would be nice
> if we could make it so that when an SSH.COM scp2 client makes a connection
> to an OpenSSH V2 daemon that it does not hang....
>
> Any ideas or do I need to dig a bit on this?
>
> Here is what the sshd says when I conenct to it from scp2:
>
> debug: session_open: session 0: link with channel 0
> debug: confirm session
> debug: callback start
> debug: session_by_channel: session 0 channel 0
> debug: session_input_channel_req: session 0 channel 0 request subsystem reply 1
> subsystem request for sftp
> subsystem request for sftp failed, subsystem not found
> debug: callback done
> debug: channel 0: rcvd close
>
> Then they both hang. If I ^C the sshd then the connection drops.
> It looks very close to working, it detects the error and tries
> to close, it just not get there.
>
> RGDS
> GARY
> ---------------------------------------------------------------------------
> Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
> gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From mwolinski at MimEcom.com Sat Sep 2 09:25:44 2000
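The exchange behind Gary Miller's sshd log and Markus Friedl's explanation above, as an added example; this is not OpenSSH or SSH.COM code. It models both sides of one SSH2 "subsystem" channel request: the server looks the name up in a stand-in for the sshd_config Subsystem table and answers with SSH_MSG_CHANNEL_SUCCESS or SSH_MSG_CHANNEL_FAILURE (message numbers 99 and 100 from the SSH connection protocol; 97 is CHANNEL_CLOSE, 98 CHANNEL_REQUEST), and two client behaviours are compared: one that honours CHANNEL_FAILURE and one that only reacts to SUCCESS or CLOSE and therefore waits forever, which is the hang reported in the thread. The case "Subsystem configured but program missing" is modelled as SUCCESS followed by CLOSE to reproduce the prompt failure Gary saw after uncommenting the line; that is an assumption about the cause, not something traced in sshd. Both peers use channel number 0, as in the log, and the subsystem table and program set are constructed inputs.

```python
import struct

# SSH connection-protocol message numbers (RFC 4254).
SSH_MSG_CHANNEL_CLOSE = 97
SSH_MSG_CHANNEL_REQUEST = 98
SSH_MSG_CHANNEL_SUCCESS = 99
SSH_MSG_CHANNEL_FAILURE = 100


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def build_subsystem_request(channel: int, name: str, want_reply: bool = True) -> bytes:
    """SSH_MSG_CHANNEL_REQUEST of type "subsystem" on an already-open channel."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", channel)
            + ssh_string(b"subsystem") + bytes([int(want_reply)])
            + ssh_string(name.encode()))


def channel_reply(msg_type: int, channel: int) -> bytes:
    # Assumption for this example: both peers number the channel the same (0).
    return bytes([msg_type]) + struct.pack(">I", channel)


def server_handle(packet: bytes, subsystems: dict, present: set):
    """Model of the server side.  `subsystems` stands in for the Subsystem
    lines of sshd_config, `present` for the programs that exist on the host;
    both are constructed inputs.  Returns (replies, log_lines)."""
    assert packet[0] == SSH_MSG_CHANNEL_REQUEST
    (channel,) = struct.unpack_from(">I", packet, 1)
    rtype, off = read_string(packet, 5)
    want_reply = bool(packet[off])
    off += 1
    replies, log = [], []
    if rtype != b"subsystem":
        if want_reply:
            replies.append(channel_reply(SSH_MSG_CHANNEL_FAILURE, channel))
        return replies, log
    name = read_string(packet, off)[0].decode()
    log.append(f"subsystem request for {name}")
    prog = subsystems.get(name)
    if prog is None:
        # The legal answer: a FAILURE reply, and nothing else on this channel.
        log.append(f"subsystem request for {name} failed, subsystem not found")
        if want_reply:
            replies.append(channel_reply(SSH_MSG_CHANNEL_FAILURE, channel))
        return replies, log
    if want_reply:
        replies.append(channel_reply(SSH_MSG_CHANNEL_SUCCESS, channel))
    if prog not in present:
        # Configured but not installed: modelled as the program failing to
        # start, so the channel is torn down and the client sees CLOSE.
        log.append(f"subsystem {name}: cannot execute {prog}")
        replies.append(channel_reply(SSH_MSG_CHANNEL_CLOSE, channel))
    return replies, log


def client_strict(replies):
    """Honours every reply: FAILURE or CLOSE ends the attempt with an error."""
    for r in replies:
        if r[0] == SSH_MSG_CHANNEL_FAILURE:
            return "error: subsystem request refused"
        if r[0] == SSH_MSG_CHANNEL_CLOSE:
            return "error: channel closed by server"
    return "transfer"


def client_ignores_failure(replies):
    """Reacts to SUCCESS and CLOSE only.  After a FAILURE nothing more arrives,
    so this client blocks forever: the hang reported in the thread."""
    if any(r[0] == SSH_MSG_CHANNEL_CLOSE for r in replies):
        return "error: channel closed by server"
    if any(r[0] == SSH_MSG_CHANNEL_SUCCESS for r in replies):
        return "transfer"
    return "hang: waiting for data that never comes"


def run(subsystems: dict, present: set, client) -> tuple:
    """One exchange: the client asks for the sftp subsystem on channel 0."""
    replies, log = server_handle(build_subsystem_request(0, "sftp"), subsystems, present)
    return client(replies), log
```

With an empty subsystem table `run({}, set(), client_ignores_failure)` reproduces the hang while `client_strict` fails cleanly; with `{"sftp": "/usr/local/sbin/sftpd"}` configured and the program absent both clients see the channel close, which is the "fails promptly" outcome from Gary's follow-up.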
From: mwolinski at MimEcom.com (Matt Wolinski) Date: Fri, 1 Sep 2000 15:25:44 -0700 Subject: scp not found Message-ID: <3A97CCB5D8F28949A0AE89287B1AFBFD14FE97@sfomail01.mimecom.com>

Thank you to everybody who helped me successfully install ssh.

Now I'm having a problem with scp. I am getting the error:

ksh: scp: not found

I know this error has something to do with the default path. I tried to run the configure script again ("./configure --with-default-path=/usr/local/bin"). Then I ran the "make" and "make install". But I'm still having the problem. I stopped and started the "sshd" daemon also. Am I missing something? All the archived messages mentioned that specifying the default-path will solve the problem. Should I uninstall ssh before I re-run the installation procedures? If so, how?

One of the archived messages talked about the /usr/include/paths.h file. I don't have that file on my system, is that a problem? Where else is the default path set?

This is a sparc system running Solaris 7.

Thanks,
Matt
________________________________
Matt Wolinski
Application Developer - MimEcom Corp.
mwolinski at mimecom.com

From djm at mindrot.org Sat Sep 2 11:24:12 2000
From: djm at mindrot.org (Damien Miller) Date: Sat, 2 Sep 2000 11:24:12 +1100 (EST) Subject: ANNOUNCE: portable OpenSSH 2.2.0p1 Message-ID:

Version 2.2.0p1 of portable OpenSSH has just been uploaded to the master site and should be making its way to the mirrors in due course.

http://www.openssh.com/portable.html

This release contains several new features and bugfixes relative to the previous 2.1.1p4 release. In particular:

- DSA key support in ssh-agent. Please note that this will not interop with ssh.com's ssh-agent (Markus Friedl)
- sshd now implements Random Early Drop connection rate limiting, which can help mitigate DoS attacks against sshd. See the `MaxStartups' option in the sshd manpage for details (Markus Friedl)
- `-u' option to sshd allows logging of hostnames (rather than IP addresses) in wtmp when `UseLogin' is set to `yes'. (Markus Friedl)
- Escape character `~' support in SSH2 (Markus Friedl)
- Interop with SSH.COM ssh 2.3.0 (Markus Friedl)
- Fix problems when sshd is run from inetd
- Better SunOS 4.1.x support (Nate Itkin and Charles Levert)
- Solaris package support, see contrib/solaris (Rip Loomis)
- Work around connection freezes on HPUX and SunOS 4 (Lutz Jaenicke, Tamito KAJIYAMA)
- Fix ^C ignored issue on Solaris. (Gert Doering, John Horne and Garrick James)
- Further improved NeXT support. (Ben Lindstrom, Mark Miller)
- Lots of other minor fixes (see ChangeLog for details)

This release has been tested on HPUX (10.20, 11.00), Irix (5.3, 6.5), Linux (Debian, Redhat, Slackware, SuSE), NeXTstep 3 (HPPA, i386, m68k), OpenStep (i386, m68k, Sparc), SCO Unixware 7.1.0, SCO OpenServer 5.0.5, Solaris 2.7 (Sparc), Solaris 2.8 (i386, Sparc), SNI/Reliant Unix, DEC OSF/Tru64 5.0.

Many thanks to those who contributed bug reports, fixes and testing time.
Regards, Damien Miller -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From stevesk at sweden.hp.com Sat Sep 2 21:28:17 2000 From: stevesk at sweden.hp.com (Kevin Steves) Date: Sat, 2 Sep 2000 12:28:17 +0200 (METDST) Subject: scp not found In-Reply-To: <3A97CCB5D8F28949A0AE89287B1AFBFD14FE97@sfomail01.mimecom.com> Message-ID: On Fri, 1 Sep 2000, Matt Wolinski wrote: > Now I'm having a problem with scp. I am getting the error: > > ksh: scp: not found > > I know this error has something to do with the default path. I tried to run > the configure script again ("./configure > --with-default-path=/usr/local/bin"). Then I ran the "make" and "make > install". But I'm still having the problem. I stopped and started the > "sshd" daemon also. Am I missing something? All the archived messages > mentioned that specifying the default-path will solve the problem. Should I > uninstall ssh before I re-run the installation procedures? If so, how? grep USER_PATH config.h and make sure /usr/local/bin is there make clean;make;make install ls -l /usr/local/bin/scp to verify it's there and see if it works. From charles at comm.polymtl.ca Sun Sep 3 06:28:50 2000 From: charles at comm.polymtl.ca (Charles Levert) Date: Sat, 2 Sep 2000 15:28:50 -0400 Subject: [2.2.0p1] patch to get "scp -S prog" to work right + man page fix Message-ID: <200009021928.PAA23373@faucon.comm.polymtl.ca> Hi. This functionality was just added in 2.2.0p1. The patch is self-explanatory. Charles --- scp.c.orig-2.2.0p1 Tue Aug 29 19:11:30 2000 +++ scp.c Sat Sep 2 15:14:58 2000 @@ -262,7 +262,7 @@ extern int optind; fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S")) != EOF) + while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:")) != EOF) switch (ch) { /* User-visible flags. */ case '4': --- scp.1.orig-2.2.0p1 Tue Aug 22 20:46:24 2000 +++ scp.1 Sat Sep 2 15:18:00 2000 
@@ -20,6 +20,7 @@ .Sh SYNOPSIS .Nm scp .Op Fl pqrvC46 +.Op Fl S Ar ssh .Op Fl P Ar port .Op Fl c Ar cipher .Op Fl i Ar identity_file @@ -68,7 +69,7 @@ .It Fl p Preserves modification times, access times, and modes from the original file. -.It Fl S +.It Fl S Ar ssh Name of program to use for the encrypted connection. The program must understand .Xr ssh 1 From vinschen at cygnus.com Sun Sep 3 05:46:36 2000 
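Review bot: the scp.c hunk is identical to the one in Kevin Steves' "scp -S patch fix" earlier in this digest, so only one of the two should be committed. The scp.1 hunk is narrower than Kevin's: it rewrites the -S entry at @@ -68 to ".It Fl S Ar ssh" but removes neither copy of the description, so after this patch scp.1 would still document -S twice (once around line 71 and once around line 106, where Kevin's @@ -103 hunk edits it); either drop this scp.1 hunk in favour of Kevin's or add the removal here.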
From: vinschen at cygnus.com (Corinna Vinschen) Date: Sat, 02 Sep 2000 20:46:36 +0200 Subject: [PATCH]: Cygwin port of 2.2.0p1 Message-ID: <39B14B0C.435852B1@cygnus.com>

Attached is the patch for the Cygwin port of 2.2.0p1. As usual I didn't attach the patch to `configure' but only the patch to `configure.in'.

BTW: I have attached a gzip'd version of the patch since its size is > 20K and I thought that it might be too big. The gzip'd diff is < 8K. What are "Small attachments (such as diff files) within the bounds of common sense" as mentioned on the OpenSSH home page? Which max. size of diffs is accepted without compression?

The binaries and patched sources are accessible via ftp:

ftp://ftp.franken.de/pub/win32/develop/gnuwin32/cygwin/porters/Vinschen_Corinna/V1.1.4

Files:
openssh-2.2.0p1.README readme
openssh-2.2.0p1.tar.gz binaries
openssh-2.2.0p1-src.tar.gz sources

This version is finally compiled with OpenSSL-0.9.5a. Binaries and sources can also be found under the above path.

Files:
openssl-0.9.5a.README readme
openssl-0.9.5a.tar.gz binaries
openssl-0.9.5a-src.tar.gz sources

Regards,
Corinna

ChangeLog:
==========
- Makefile.in: Changed to support $EXEEXT transparently. Added `cygwin_util.o' to the dependencies of LIBSSH_OBJS.
- acconfig.h: Add defines for HAVE_CYGWIN and BROKEN_VHANGUP.
- auth-passwd.c: Support getting NT passwords via Cygwin special functions. Disable check for uid 0 when HAVE_CYGWIN is set.
- auth1.c: Reject changing user context if not authenticated via password under Windows NT. Disable check for uid 0 when HAVE_CYGWIN is set.
- authfile.c: Disable check for file modes when HAVE_CYGWIN is set.
- bsd-daemon.c: Avoid possible race condition under Cygwin.
- bsd-mktemp.c: Define `open' as `binary_open' when HAVE_CYGWIN is set.
- channels.c: Disable check for uid 0 when HAVE_CYGWIN is set.
- config.h.in: Add HAVE_CYGWIN.
- configure.in: Add *-*-cygwin as target. Call AC_EXEEXT now.
- cygwin_util.c: New file containing `binary_open' and `binary_pipe' function.
- defines.h: Check for BROKEN_VHANGUP to set USE_VHANGUP.
- includes.h: Use HAVE_CYGWIN to care for include files. Define `open' as `binary_open' and `pipe' as `binary_pipe' when HAVE_CYGWIN is set.
- loginrec.c: Disable check for uid 0 when HAVE_CYGWIN is set.
- pty.c: Check for USE_VHANGUP instead of HAVE_VHANGUP. Don't call I_PUSH ioctl's under Cygwin.
- readconf.c: Disable check for uid 0 when HAVE_CYGWIN is set.
- scp.c: Call tcgetpgrp() instead of ioctl(..., TIOCGPGRP) to get the controlling terminal when HAVE_CYGWIN is set.
- session.c: Close xauthfiles immediately to avoid implicit file lockings on Windows NT systems. Changes in environment setting. Disable check for uid 0 when HAVE_CYGWIN is set. Don't call xauth with `.../unix' syntax under Cygwin.
- ssh.c: Disable setrlimit call under Cygwin. Take care for `.exe' file extension. Disable check for uid 0 when HAVE_CYGWIN is set.
- sshconnect.c: Disable check for euid 0 when HAVE_CYGWIN is set.
- sshd.c: Open pid file explicitly binary.

--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin at sources.redhat.com
Red Hat, Inc. mailto:vinschen at cygnus.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-2.2.0p1.p0.gz
Type: application/x-gzip
Size: 7596 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000902/538d22b2/attachment.bin

From charles at comm.polymtl.ca Sun Sep 3 06:42:33 2000
From: charles at comm.polymtl.ca (Charles Levert) Date: Sat, 2 Sep 2000 15:42:33 -0400 Subject: [2.2.0p1] patch to get "scp -S prog" to work right + man page fix In-Reply-To: <200009021928.PAA23373@faucon.comm.polymtl.ca> References: <200009021928.PAA23373@faucon.comm.polymtl.ca> Message-ID: <200009021942.PAA23530@faucon.comm.polymtl.ca> Forget the scp.1 part of the last patch and use the following one instead. I just noticed that details for the -S option appeared twice. --- scp.1.orig-2.2.0p1 Tue Aug 22 20:46:24 2000 +++ scp.1 Sat Sep 2 15:37:17 2000 @@ -20,6 +20,7 @@ .Sh SYNOPSIS .Nm scp .Op Fl pqrvC46 +.Op Fl S Ar ssh .Op Fl P Ar port .Op Fl c Ar cipher .Op Fl i Ar identity_file @@ -68,11 +69,6 @@ .It Fl p Preserves modification times, access times, and modes from the original file. -.It Fl S -Name of program to use for the encrypted connection. -The program must understand -.Xr ssh 1 -options. .It Fl r Recursively copy entire directories. .It Fl v @@ -103,7 +99,7 @@ .Fl p is already reserved for preserving the times and modes of the file in .Xr rcp 1 . -.It Fl S +.It Fl S Ar ssh Name of program to use for the encrypted connection. The program must understand .Xr ssh 1 From rjmooney at atl.mediaone.net Sun Sep 3 08:04:13 2000 From: rjmooney at atl.mediaone.net (Robert Mooney) Date: Sat, 2 Sep 2000 16:04:13 -0500 Subject: [PATCH]: Cygwin port of 2.2.0p1 In-Reply-To: <39B14B0C.435852B1@cygnus.com> Message-ID: When will OpenSSH natively support Cygwin? I apologize in advance of this has already been discussed... -----Original Message----- 
From: owner-openssh-unix-dev at mindrot.org [mailto:owner-openssh-unix-dev at mindrot.org]On Behalf Of Corinna Vinschen Sent: Saturday, September 02, 2000 1:47 PM To: openssh Subject: [PATCH]: Cygwin port of 2.2.0p1

Attached is the patch for the Cygwin port of 2.2.0p1. As usual I didn't attach the patch to `configure' but only the patch to `configure.in'.

BTW: I have attached a gzip'd version of the patch since its size is > 20K and I thought that it might be too big. The gzip'd diff is < 8K. What are "Small attachments (such as diff files) within the bounds of common sense" as mentioned on the OpenSSH home page? Which max. size of diffs is accepted without compression?

The binaries and patched sources are accessible via ftp:

ftp://ftp.franken.de/pub/win32/develop/gnuwin32/cygwin/porters/Vinschen_Corinna/V1.1.4

Files:
openssh-2.2.0p1.README readme
openssh-2.2.0p1.tar.gz binaries
openssh-2.2.0p1-src.tar.gz sources

This version is finally compiled with OpenSSL-0.9.5a. Binaries and sources can also be found under the above path.

Files:
openssl-0.9.5a.README readme
openssl-0.9.5a.tar.gz binaries
openssl-0.9.5a-src.tar.gz sources

Regards,
Corinna

ChangeLog:
==========
- Makefile.in: Changed to support $EXEEXT transparently. Added `cygwin_util.o' to the dependencies of LIBSSH_OBJS.
- acconfig.h: Add defines for HAVE_CYGWIN and BROKEN_VHANGUP.
- auth-passwd.c: Support getting NT passwords via Cygwin special functions. Disable check for uid 0 when HAVE_CYGWIN is set.
- auth1.c: Reject changing user context if not authenticated via password under Windows NT. Disable check for uid 0 when HAVE_CYGWIN is set.
- authfile.c: Disable check for file modes when HAVE_CYGWIN is set.
- bsd-daemon.c: Avoid possible race condition under Cygwin.
- bsd-mktemp.c: Define `open' as `binary_open' when HAVE_CYGWIN is set.
- channels.c: Disable check for uid 0 when HAVE_CYGWIN is set.
- config.h.in: Add HAVE_CYGWIN.
- configure.in: Add *-*-cygwin as target. Call AC_EXEEXT now.
- cygwin_util.c: New file containing `binary_open' and `binary_pipe' function.
- defines.h: Check for BROKEN_VHANGUP to set USE_VHANGUP.
- includes.h: Use HAVE_CYGWIN to care for include files. Define `open' as `binary_open' and `pipe' as `binary_pipe' when HAVE_CYGWIN is set.
- loginrec.c: Disable check for uid 0 when HAVE_CYGWIN is set.
- pty.c: Check for USE_VHANGUP instead of HAVE_VHANGUP. Don't call I_PUSH ioctl's under Cygwin.
- readconf.c: Disable check for uid 0 when HAVE_CYGWIN is set.
- scp.c: Call tcgetpgrp() instead of ioctl(..., TIOCGPGRP) to get the controlling terminal when HAVE_CYGWIN is set.
- session.c: Close xauthfiles immediately to avoid implicit file lockings on Windows NT systems. Changes in environment setting. Disable check for uid 0 when HAVE_CYGWIN is set. Don't call xauth with `.../unix' syntax under Cygwin.
- ssh.c: Disable setrlimit call under Cygwin. Take care for `.exe' file extension. Disable check for uid 0 when HAVE_CYGWIN is set.
- sshconnect.c: Disable check for euid 0 when HAVE_CYGWIN is set.
- sshd.c: Open pid file explicitly binary.

--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Developer mailto:cygwin at sources.redhat.com
Red Hat, Inc. mailto:vinschen at cygnus.com

From mikesun at bigfoot.com Sun Sep 3 11:42:27 2000
From: mikesun at bigfoot.com (MICHAEL SUN) Date: Sat, 02 Sep 2000 17:42:27 -0700 Subject: [2.2.0p1] unable to restart sshd remotely Message-ID: <39B19E73.9727215C@bigfoot.com>

after I check sshd.init file, I found: you use 'daemon' function to start sshd. but 'daemon' will not start a daemon if the daemon process already exists, isn't it right?

From patrol at omni.sinus.cz Sun Sep 3 02:59:01 2000
From: patrol at omni.sinus.cz (Pavel Troller)
Date: Sat, 2 Sep 2000 17:59:01 +0200
Subject: A bug in openssh-2.2.0-p1
Message-ID: <20000902175901.A6346@omni.sinus.cz>

Hello!

Today I've found, downloaded and compiled openssh-2.2.0-p1. It basically worked, except that users other than root were not allowed to login. My system is a Linux-2.4.0-test7 with glibc-2.1.3. No PAM is installed/used. It uses MD5 passwords and shadow with the account expiration feature. In handling of the latter, a probable bug was found. In auth.c, allowed_user(), there is code at line 73, saying

...
	/* Check password expiry */
	if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) &&
	    (days > (spw->sp_lstchg + spw->sp_inact)))
		return 0;
}
...

In my opinion, this is wrong. sp_inact tells how long the account may remain inactive until it is locked, measured from the last login time. It is set to 30 days for all users on my system. To add the date of last password change to this value is meaningless and this test fails for all my users. On the other hand, there is a sp_max entry, stating the maximum number of days between password changes. This is the right value for us. So I changed the code to be as follows:

	/* Check password expiry */
	if ((spw->sp_lstchg > 0) && (spw->sp_max > 0) &&
	    (days > (spw->sp_lstchg + spw->sp_max)))
		return 0;
}

And from that, all works well and all users are correctly permitted to login. I'm not sending a patch because I think it's easier to edit the source by hand than to apply a patch on it, in that case.

With regards,
Pavel Troller

From faheem at email.unc.edu Sun Sep 3 16:27:02 2000
From: faheem at email.unc.edu (Faheem Mitha)
Date: Sun, 3 Sep 2000 01:27:02 -0400 (EDT)
Subject: installing OpenSSH rpm on SuSE 6.2
Message-ID:

I am taking the liberty of forwarding this message to the list. I am not subscribed to it. If you want to reply to me, please send email to faheem at email.unc.edu

Thanks,
Faheem Mitha.

---------- Forwarded message ----------
From: Faheem Mitha
Newsgroups: comp.security.ssh
Subject: installing OpenSSH rpm on SuSE 6.2

Dear people,

I tried to recompile the rpm of OpenSSH (openssh-2.2.0p1-1.src.rpm) on SuSE 6.2. I got the following errors.

faheem /usr/src/packages/SPECS>rpm -ba openssh.spec
line 25: Version not permitted: PreReq: openssl >= 0.9.5a

I enclose the openssh.spec below.

NOTE: OpenSSH seems to require another package called openssl. Ironically, the source rpm for this compiled flawlessly, and I installed the three binary rpms openssl, openssl-misc, openssl-devel.

I then had a shot at installing the binary rpm. I got the error.

root /home/faheem/rpm>rpm -Uvh openssh-2.2.0p1-1.i386.rpm
error: failed dependencies:
        rpmlib(VersionedDependencies) <= 3.0.3-1 is needed by openssh-2.2.0p1-1

I have rpm version 3.03. My gnome libraries are almost certainly incompatible with those of Redhat (this rpm was made for Redhat) so I disabled the building of the gnome feature (gnome_askpass) below. Also, the spec file talks about something else called tcp_wrappers. Never heard of this.

In any case, can you shed light on the problem above and whether anything can be done about it?

Sincerely, Faheem Mitha.

*******************************************************************

# Version of OpenSSH
%define oversion 2.2.0p1

# Version of ssh-askpass
%define aversion 1.0.1

# Do we want to disable building of x11-askpass? (1=yes 0=no)
%define no_x11_askpass 0

# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%define no_gnome_askpass 1

Summary: OpenSSH free Secure Shell (SSH) implementation
Name: openssh
Version: %{oversion}
Release: 1
Packager: Damien Miller
URL: http://www.openssh.com/
Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{oversion}.tar.gz
Source1: http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
Copyright: BSD
Group: Applications/Internet
BuildRoot: /tmp/openssh-%{version}-buildroot
Obsoletes: ssh

PreReq: openssl >= 0.9.5a
Requires: openssl >= 0.9.5a
BuildPreReq: perl
BuildPreReq: openssl-devel
BuildPreReq: tcp_wrappers
%if ! %{no_gnome_askpass}
BuildPreReq: gnome-libs-devel
%endif

%package clients
Summary: OpenSSH Secure Shell protocol clients
Requires: openssh
Group: Applications/Internet
Obsoletes: ssh-clients

%package server
Summary: OpenSSH Secure Shell protocol server (sshd)
Group: System Environment/Daemons
Obsoletes: ssh-server
PreReq: openssh chkconfig >= 0.9

%package askpass
Summary: OpenSSH X11 passphrase dialog
Group: Applications/Internet
Requires: openssh
Obsoletes: ssh-extras

%package askpass-gnome
Summary: OpenSSH GNOME passphrase dialog
Group: Applications/Internet
Requires: openssh
Obsoletes: ssh-extras

%description
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all
patented algorithms to separate libraries (OpenSSL).

This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.
%description clients
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all
patented algorithms to separate libraries (OpenSSL).

This package includes the clients necessary to make encrypted connections
to SSH servers.

%description server
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all
patented algorithms to separate libraries (OpenSSL).

This package contains the secure shell daemon. The sshd is the server
part of the secure shell protocol and allows ssh clients to connect to
your host.

%description askpass
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all
patented algorithms to separate libraries (OpenSSL).

This package contains Jim Knoble's X11 passphrase dialog.
%description askpass-gnome
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all
patented algorithms to separate libraries (OpenSSL).

This package contains the GNOME passphrase dialog.

%changelog
* Tue Aug 08 2000 Damien Miller
- Some surgery to sshd.init (generate keys at runtime)
- Cleanup of groups and removal of keygen calls
* Wed Jul 12 2000 Damien Miller
- Make building of X11-askpass and gnome-askpass optional
* Mon Jun 12 2000 Damien Miller
- Glob manpages to catch compressed files
* Wed Mar 15 2000 Damien Miller
- Updated for new location
- Updated for new gnome-ssh-askpass build
* Sun Dec 26 1999 Damien Miller
- Added Jim Knoble's askpass
* Mon Nov 15 1999 Damien Miller
- Split subpackages further based on patch from jim knoble
* Sat Nov 13 1999 Damien Miller
- Added 'Obsoletes' directives
* Tue Nov 09 1999 Damien Miller
- Use make install
- Subpackages
* Mon Nov 08 1999 Damien Miller
- Added links for slogin
- Fixed perms on manpages
* Sat Oct 30 1999 Damien Miller
- Renamed init script
* Fri Oct 29 1999 Damien Miller
- Back to old binary names
* Thu Oct 28 1999 Damien Miller
- Use autoconf
- New binary names
* Wed Oct 27 1999 Damien Miller
- Initial RPMification, based on Jan "Yenya" Kasprzak's spec.

%prep
%setup -a 1

%build
CFLAGS="$RPM_OPT_FLAGS" \
	./configure --prefix=/usr --sysconfdir=/etc/ssh \
	--with-tcp-wrappers --with-ipv4-default \
	--with-rsh=/usr/bin/rsh
make

%if ! %{no_x11_askpass}
cd x11-ssh-askpass-%{aversion}
xmkmf -a
make
cd ..
%endif

%if ! %{no_gnome_askpass}
cd contrib
gcc -O -g `gnome-config --cflags gnome gnomeui` \
	gnome-ssh-askpass.c -o gnome-ssh-askpass \
	`gnome-config --libs gnome gnomeui`
cd ..
%endif

%install
rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT/

install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
install -d $RPM_BUILD_ROOT/usr/libexec/ssh
install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd

%if ! %{no_x11_askpass}
install -s x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/x11-ssh-askpass
ln -s /usr/libexec/ssh/x11-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/ssh-askpass
%endif

%if ! %{no_gnome_askpass}
install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/libexec/ssh/gnome-ssh-askpass
%endif

%clean
rm -rf $RPM_BUILD_ROOT

%post server
/sbin/chkconfig --add sshd
if test -r /var/run/sshd.pid ; then
	/etc/rc.d/init.d/sshd restart >&2
fi

%preun server
if [ "$1" = 0 ] ; then
	/etc/rc.d/init.d/sshd stop >&2
	/sbin/chkconfig --del sshd
fi

%files
%defattr(-,root,root)
%doc ChangeLog OVERVIEW COPYING.Ylonen README* INSTALL
%doc CREDITS UPGRADING
%attr(0755,root,root) /usr/bin/ssh-keygen
%attr(0755,root,root) /usr/bin/scp
%attr(0644,root,root) /usr/man/man1/ssh-keygen.1*
%attr(0644,root,root) /usr/man/man1/scp.1*
%attr(0755,root,root) %dir /etc/ssh
%attr(0755,root,root) %dir /usr/libexec/ssh

%files clients
%defattr(-,root,root)
%attr(4755,root,root) /usr/bin/ssh
%attr(0755,root,root) /usr/bin/ssh-agent
%attr(0755,root,root) /usr/bin/ssh-add
%attr(0644,root,root) /usr/man/man1/ssh.1*
%attr(0644,root,root) /usr/man/man1/ssh-agent.1*
%attr(0644,root,root) /usr/man/man1/ssh-add.1*
%attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config
%attr(-,root,root) /usr/bin/slogin
%attr(-,root,root) /usr/man/man1/slogin.1*

%files server
%defattr(-,root,root)
%attr(0755,root,root) /usr/sbin/sshd
%attr(0644,root,root) /usr/man/man8/sshd.8*
%attr(0600,root,root) %config(noreplace) /etc/ssh/sshd_config
%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0755,root,root) %config /etc/rc.d/init.d/sshd

%if ! %{no_x11_askpass}
%files askpass
%defattr(-,root,root)
%doc x11-ssh-askpass-%{aversion}/README
%doc x11-ssh-askpass-%{aversion}/ChangeLog
%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
%attr(0755,root,root) /usr/libexec/ssh/ssh-askpass
%attr(0755,root,root) /usr/libexec/ssh/x11-ssh-askpass
%endif

%if ! %{no_gnome_askpass}
%files askpass-gnome
%defattr(-,root,root)
%attr(0755,root,root) /usr/libexec/ssh/gnome-ssh-askpass
%endif

From pekkas at netcore.fi Sun Sep 3 19:17:35 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Sun, 3 Sep 2000 11:17:35 +0300 (EEST)
Subject: [2.2.0p1] unable to restart sshd remotely
In-Reply-To: <39B19E73.9727215C@bigfoot.com>
Message-ID:

On Sat, 2 Sep 2000, MICHAEL SUN wrote:
> After I checked the sshd.init file, I found:
> you use the 'daemon' function to start sshd.
>
> But 'daemon' will not start a daemon if the daemon process already
> exists, isn't it right?

Yes. This has existed at least from OpenSSH 2.0 (as long as I have been using it).

Starting sshd fails because incoming ssh connections are registered as the same sshd daemon processes as the one being started. This happens in daemon() in /etc/rc.d/init.d/functions. The culprit is:

---
[ -n "$pid" ] && return
---

where $pid is the number of incoming sshd connections plus one if running sshd server at the moment.

The following is probably not the clean solution, but I don't think the daemon keyword _can_ be used with sshd. :-/

-----
--- sshd.orig	Sat Sep  2 12:56:47 2000
+++ sshd	Sun Sep  3 11:06:03 2000
@@ -57,9 +57,9 @@
 	echo -n "Starting sshd: "
 	if [ ! -f $PID_FILE ] ; then
-		daemon sshd
+		/usr/sbin/sshd
 		RETVAL=$?
-		touch /var/lock/subsys/sshd
+		[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd && echo_success
 	fi
 	echo
 	;;
-----

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi   not those you stumble over and fall"

From djm at mindrot.org Sun Sep 3 19:18:03 2000
From: djm at mindrot.org (Damien Miller)
Date: Sun, 3 Sep 2000 19:18:03 +1100 (EST)
Subject: [2.2.0p1] unable to restart sshd remotely
In-Reply-To: <39B19E73.9727215C@bigfoot.com>
Message-ID:

On Sat, 2 Sep 2000, MICHAEL SUN wrote:
> After I checked the sshd.init file, I found:
> you use the 'daemon' function to start sshd.
>
> But 'daemon' will not start a daemon if the daemon process already
> exists, isn't it right?

Yes. This patch should fix it, as will the updated RPMs that I am uploading now.

Thanks,
Damien Miller

diff -u -r1.2 -r1.3
--- contrib/redhat/sshd.init	2000/08/08 06:53:28	1.2
+++ contrib/redhat/sshd.init	2000/09/03 08:14:58	1.3
@@ -57,9 +57,14 @@
 	echo -n "Starting sshd: "
 	if [ ! -f $PID_FILE ] ; then
-		daemon sshd
+		sshd
 		RETVAL=$?
-		touch /var/lock/subsys/sshd
+		if [ "$RETVAL" = "0" ] ; then
+			success "sshd startup"
+			touch /var/lock/subsys/sshd
+		else
+			failure "sshd startup"
+		fi
 	fi
 	echo
 	;;

-d

-- 
| ``The power of accurate observation is      | Damien Miller
| commonly called cynicism by those who       | @Work
| have not got it'' - George Bernard Shaw     | http://www.mindrot.org

From pekkas at netcore.fi Sun Sep 3 19:27:48 2000
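Review bot: in the sshd.orig/sshd hunk, the replacement line `[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd && echo_success` prints nothing at all when sshd exits non-zero, so a failed start and a successful one differ only by a missing [ OK ] marker on the console; add an `|| echo_failure` alternative so the failure is visible at boot. The unchanged `if [ ! -f $PID_FILE ]` context around it still trusts whatever pidfile is on disk, so a stale /var/run/sshd.pid left by a crash or an unclean shutdown makes the script skip the start silently; checking the recorded pid with `kill -0` before giving up would close that gap.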
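Review bot: in the contrib/redhat/sshd.init r1.2 to r1.3 hunk, `+		sshd` starts the daemon by bare name and so depends on the PATH of the init environment; sshd reloads its configuration on SIGHUP by re-executing itself with the name it was started with, so a later `kill -HUP \`cat /var/run/sshd.pid\`` fails when that name is not an absolute path. Use `/usr/sbin/sshd` here, as the other patch in this thread does. The `if [ "$RETVAL" = "0" ]` branch with `success`/`failure` is the right shape for reporting, but the same stale-pidfile caveat applies to the unchanged `[ ! -f $PID_FILE ]` guard it sits inside.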
From: pekkas at netcore.fi (Pekka Savola)
Date: Sun, 3 Sep 2000 11:27:48 +0300 (EEST)
Subject: [2.2.0p1] unable to restart sshd remotely
In-Reply-To:
Message-ID:

On Sun, 3 Sep 2000, Damien Miller wrote:
> Yes. This patch should fix it, as will the updated RPMs that I am
> uploading now.
>
>  	if [ ! -f $PID_FILE ] ; then
> -		daemon sshd
> +		sshd

Please note, however, that 'kill -HUP `cat /var/run/sshd.pid`' ceases to work if sshd is run like this, without pathname. :-(

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi   not those you stumble over and fall"

From vinschen at cygnus.com Sun Sep 3 19:53:31 2000
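The start/reload logic that the three messages above argue over, as an added example that is not the contrib/redhat/sshd.init from either patch: it drops the Red Hat daemon() helper (which refuses to start sshd while pidof finds any process of that name, per-connection sshd children included) in favour of a pidfile test that also recognises a stale pidfile, starts the daemon by absolute path so that a later SIGHUP re-exec works, and reports failure explicitly. The binary and pidfile locations, the lock file and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the contrib/redhat/sshd.init from the list.
# Paths are assumptions; adjust SSHD and PID_FILE for the target system.

SSHD=${SSHD:-/usr/sbin/sshd}            # absolute path on purpose, see reload()
PID_FILE=${PID_FILE:-/var/run/sshd.pid}

# sshd_state PIDFILE: prints running, stale or absent and returns 0, 2 or 1.
# "stale" covers a pidfile left behind by a crash or an unclean shutdown,
# which a bare "[ ! -f $PID_FILE ]" test would report as "already running".
# kill -0 fails with EPERM on a live process owned by another user, so run
# this as root (as an init script does) for a reliable answer.
sshd_state() {
    _pidfile=$1
    if [ ! -f "$_pidfile" ]; then
        echo absent
        return 1
    fi
    _pid=$(head -n 1 "$_pidfile" 2>/dev/null)
    case $_pid in
        ''|*[!0-9]*) echo stale; return 2 ;;   # empty or non-numeric content
    esac
    if kill -0 "$_pid" 2>/dev/null; then
        echo running
        return 0
    fi
    echo stale
    return 2
}

start() {
    case $(sshd_state "$PID_FILE") in
        running) echo "sshd is already running"; return 0 ;;
        stale)   rm -f "$PID_FILE" ;;
    esac
    "$SSHD"
    _rv=$?
    if [ "$_rv" -eq 0 ]; then
        touch /var/lock/subsys/sshd 2>/dev/null
        echo "sshd started"
    else
        echo "sshd failed to start (exit $_rv)" >&2
    fi
    return "$_rv"
}

# On SIGHUP sshd re-executes itself with the name it was started with, so it
# must have been started as /usr/sbin/sshd, not as a bare "sshd" found via PATH.
reload() {
    if [ "$(sshd_state "$PID_FILE")" != running ]; then
        echo "sshd is not running" >&2
        return 1
    fi
    kill -HUP "$(head -n 1 "$PID_FILE")"
}

stop() {
    [ "$(sshd_state "$PID_FILE")" = running ] || return 0
    kill -TERM "$(head -n 1 "$PID_FILE")" && rm -f /var/lock/subsys/sshd
}

case ${1-} in
    start)  start ;;
    stop)   stop ;;
    reload) reload ;;
    status) sshd_state "$PID_FILE" ;;
esac
```

Save it as an init script and call it with start, stop, reload or status. sshd_state is the piece worth lifting into the real script, as a replacement for the `[ ! -f $PID_FILE ]` test; everything else is the same flow the patches implement, with the absolute path and the failure message that the thread found missing.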
From: vinschen at cygnus.com (Corinna Vinschen)
Date: Sun, 03 Sep 2000 10:53:31 +0200
Subject: [PATCH]: Cygwin port of 2.2.0p1
References: <39B14B0C.435852B1@cygnus.com>
Message-ID: <39B2118B.ACD5F68@cygnus.com>

I have to apologize. My previous patch missed a file :-(

Attached to this mail you will find the corrected patch _with_ the missing file.

Sorry,
Corinna

Corinna Vinschen wrote:
> 
> Attached is the patch for the Cygwin port of 2.2.0p1. As usual I didn't
> attach the patch to `configure' but only the patch to `configure.in'.
> 
> BTW: I have attached a gzip'd version of the patch since its size
> is > 20K and I thought that it might be too big. The gzip'd diff is
> < 8K.
> What are "Small attachments (such as diff files) within the bounds
> of common sense" as mentioned on the OpenSSH home page? Which max.
> size of diffs is accepted without compression?
> 
> The binaries and patched sources are accessible via ftp:
> 
> ftp://ftp.franken.de/pub/win32/develop/gnuwin32/cygwin/porters/Vinschen_Corinna/V1.1.4
> 
> Files:
> 
> openssh-2.2.0p1.README      readme
> openssh-2.2.0p1.tar.gz      binaries
> openssh-2.2.0p1-src.tar.gz  sources
> 
> This version is finally compiled with OpenSSL-0.9.5a. Binaries
> and sources can also be found under the above path.
> 
> Files:
> 
> openssl-0.9.5a.README      readme
> openssl-0.9.5a.tar.gz      binaries
> openssl-0.9.5a-src.tar.gz  sources
> 
> Regards,
> Corinna
> 
> ChangeLog:
> ==========
> - Makefile.in: Changed to support $EXEEXT transparently. Added
>   `cygwin_util.o' to the dependencies of LIBSSH_OBJS.
> - acconfig.h: Add defines for HAVE_CYGWIN and BROKEN_VHANGUP.
> - auth-passwd.c: Support getting NT passwords via Cygwin special
>   functions. Disable check for uid 0 when HAVE_CYGWIN is set.
> - auth1.c: Reject changing user context if not authenticated via
>   password under Windows NT. Disable check for uid 0 when HAVE_CYGWIN
>   is set.
> - authfile.c: Disable check for file modes when HA VE_CYGWIN is set.
> - bsd-daemon.c: Avoid possible race condition under Cygwin.
> - bsd-mktemp.c: Define `open' as `binary_open' when HAVE_CYGWIN is set.
> - channels.c: Disable check for uid 0 when HAVE_CYGWIN is set.
> - config.h.in: Add HAVE_CYGWIN.
> - configure.in: Add *-*-cygwin as target. Call AC_EXEEXT now.
> - cygwin_util.c: New file containing `binary_open' and `binary_pipe'
>   function.
> - defines.h: Check for BROKEN_VHANGUP to set USE_VHANGUP.
> - includes.h: Use HAVE_CYGWIN to care for include files. Define `open'
>   as `binary_open' and `pipe' as `binary_pipe' when HAVE_CYGWIN is set.
> - loginrec.c: Disable check for uid 0 when HAVE_CYGWIN is set.
> - pty.c: Check for USE_VHANGUP instead of HAVE_VHANGUP.
>   Don't call I_PUSH ioctl's under Cygwin.
> - readconf.c: Disable check for uid 0 when HAVE_CYGWIN is set.
> - scp.c: Call tcgetpgrp() instead of ioctl(..., TIOCGPGRP) to get the
>   controlling terminal when HAVE_CYGWIN is set.
> - session.c: Close xauthfiles immediately to avoid implicit file
>   lockings on Windows NT systems. Changes in environment setting.
>   Disable check for uid 0 when HAVE_CYGWIN is set. Don't call xauth
>   with `.../unix' syntax under Cygwin.
> - ssh.c: Disable setrlimit call under Cygwin. Take care for `.exe' file
>   extension. Disable check for uid 0 when HAVE_CYGWIN is set.
> - sshconnect.c: Disable check for euid 0 when HAVE_CYGWIN is set.
> - sshd.c: Open pid file explicitly in binary mode.

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                  mailto:cygwin at sources.redhat.com
Red Hat, Inc.                     mailto:vinschen at cygnus.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-2.2.0p1.p1.gz
Type: application/x-gzip
Size: 7534 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000903/957c6274/attachment.bin

From corinna at vinschen.de Sun Sep 3 23:12:56 2000
From: corinna at vinschen.de (Corinna Vinschen)
Date: Sun, 03 Sep 2000 14:12:56 +0200
Subject: [PATCH]: openssh.spec file for SuSE 6.4 & 7.0
Message-ID: <39B24048.C8FB12FF@vinschen.de>

Attached is a spec file for OpenSSH on SuSE 6.4 and 7.0 systems. It differs from the current spec file in the following details:

- Only one rpm file is created containing client and server files.
- PreReq `openssl-devel' is changed to `openssl'.
- Path '/usr/libexec/ssh' is changed to '/usr/lib/ssh' for ssh-askpass and gnome-ssh-askpass.

The resulting openssh-2.2.0p1-1.rpm file behaves similarly to the original installation.

Corinna
-------------- next part --------------
Summary: OpenSSH, a free Secure Shell (SSH) implementation
Name: openssh
Version: 2.2.0p1
URL: http://www.openssh.com/
Release: 1
Source0: openssh-%{version}.tar.gz
Copyright: BSD
Group: Applications/Internet
BuildRoot: /tmp/openssh-%{version}-buildroot
PreReq: openssl
Obsoletes: ssh
#
# (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
# building prerequisites -- stuff for
#   OpenSSL (openssl-devel),
#   TCP Wrappers (nkitb),
#   and Gnome (glibdev, gtkdev, and gnlibsd)
#
BuildPrereq: openssl
BuildPrereq: nkitb
BuildPrereq: glibdev
BuildPrereq: gtkdev
BuildPrereq: gnlibsd

%description
Ssh (Secure Shell) is a program for logging into a remote machine and for
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's rework of the last free version of SSH, bringing it
up to date in terms of security and features, as well as removing all
patented algorithms to separate libraries (OpenSSL).

This package includes all files necessary for both the OpenSSH client
and server. Additionally, this package contains the GNOME passphrase
dialog.
%changelog
* Mon Jun 12 2000 Damien Miller
- Glob manpages to catch compressed files
* Wed Mar 15 2000 Damien Miller
- Updated for new location
- Updated for new gnome-ssh-askpass build
* Sun Dec 26 1999 Chris Saia
- Made symlink to gnome-ssh-askpass called ssh-askpass
* Wed Nov 24 1999 Chris Saia
- Removed patches that included /etc/pam.d/sshd, /sbin/init.d/rc.sshd, and
  /var/adm/fillup-templates/rc.config.sshd, since Damien merged these into
  his released tarfile
- Changed permissions on ssh_config in the install procedure to 644 from 600
  even though it was correct in the %files section and thus right in the RPMs
- Postinstall script for the server now only prints "Generating SSH host
  key..." if we need to actually do this, in order to eliminate a confusing
  message if an SSH host key is already in place
- Marked all manual pages as %doc(umentation)
* Mon Nov 22 1999 Chris Saia
- Added flag to configure daemon with TCP Wrappers support
- Added building prerequisites (works in RPM 3.0 and newer)
* Thu Nov 18 1999 Chris Saia
- Made this package correct for SuSE.
- Changed instances of pam_pwdb.so to pam_unix.so, since it works more properly
  with SuSE, and lib_pwdb.so isn't installed by default.
* Mon Nov 15 1999 Damien Miller
- Split subpackages further based on patch from jim knoble
* Sat Nov 13 1999 Damien Miller
- Added 'Obsoletes' directives
* Tue Nov 09 1999 Damien Miller
- Use make install
- Subpackages
* Mon Nov 08 1999 Damien Miller
- Added links for slogin
- Fixed perms on manpages
* Sat Oct 30 1999 Damien Miller
- Renamed init script
* Fri Oct 29 1999 Damien Miller
- Back to old binary names
* Thu Oct 28 1999 Damien Miller
- Use autoconf
- New binary names
* Wed Oct 27 1999 Damien Miller
- Initial RPMification, based on Jan "Yenya" Kasprzak's spec.
%prep
%setup -q

%build
CFLAGS="$RPM_OPT_FLAGS" \
	./configure --prefix=/usr --sysconfdir=/etc/ssh --with-gnome-askpass \
	--with-tcp-wrappers --with-ipv4-default
make

cd contrib
gcc -O -g `gnome-config --cflags gnome gnomeui` \
	gnome-ssh-askpass.c -o gnome-ssh-askpass \
	`gnome-config --libs gnome gnomeui`
cd ..

%install
rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT/
install -d $RPM_BUILD_ROOT/etc/ssh/
install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/sbin/init.d/
install -d $RPM_BUILD_ROOT/var/adm/fillup-templates
install -d $RPM_BUILD_ROOT/usr/lib/ssh
install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m744 contrib/suse/rc.sshd $RPM_BUILD_ROOT/sbin/init.d/sshd
ln -s ../../sbin/init.d/sshd $RPM_BUILD_ROOT/usr/sbin/rcsshd
install -s contrib/gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/gnome-ssh-askpass
ln -s gnome-ssh-askpass $RPM_BUILD_ROOT/usr/lib/ssh/ssh-askpass
install -m744 contrib/suse/rc.config.sshd \
	$RPM_BUILD_ROOT/var/adm/fillup-templates

%clean
rm -rf $RPM_BUILD_ROOT

%post
if [ "$1" = 1 ]; then
  echo "Creating SSH stop/start scripts in the rc directories..."
  ln -s ../sshd /sbin/init.d/rc2.d/K20sshd
  ln -s ../sshd /sbin/init.d/rc2.d/S20sshd
  ln -s ../sshd /sbin/init.d/rc3.d/K20sshd
  ln -s ../sshd /sbin/init.d/rc3.d/S20sshd
fi
echo "Updating /etc/rc.config..."
if [ -x /bin/fillup ] ; then
  /bin/fillup -q -d = etc/rc.config var/adm/fillup-templates/rc.config.sshd
else
  echo "ERROR: fillup not found. This should NOT happen in SuSE Linux."
  echo "Update /etc/rc.config by hand from the following template file:"
  echo "        /var/adm/fillup-templates/rc.config.sshd"
fi
if [ ! -f /etc/ssh/ssh_host_key -o ! -s /etc/ssh/ssh_host_key ]; then
	echo "Generating SSH host key..."
	/usr/bin/ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N '' >&2
fi
if [ ! -f /etc/ssh/ssh_host_dsa_key -o ! -s /etc/ssh/ssh_host_dsa_key ]; then
	echo "Generating SSH DSA host key..."
	/usr/bin/ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N '' >&2
fi
if test -r /var/run/sshd.pid
then
	echo "Restarting the running SSH daemon..."
	/usr/sbin/rcsshd restart >&2
fi

%preun
if [ "$1" = 0 ]
then
	echo "Stopping the SSH daemon..."
	/usr/sbin/rcsshd stop >&2
	echo "Removing SSH stop/start scripts from the rc directories..."
	rm /sbin/init.d/rc2.d/K20sshd
	rm /sbin/init.d/rc2.d/S20sshd
	rm /sbin/init.d/rc3.d/K20sshd
	rm /sbin/init.d/rc3.d/S20sshd
fi

%files
%defattr(-,root,root)
%doc COPYING.Ylonen ChangeLog OVERVIEW README*
%doc RFC.nroff TODO UPGRADING CREDITS
%attr(0755,root,root) %dir /etc/ssh
%attr(0644,root,root) %config /etc/ssh/ssh_config
%attr(0600,root,root) %config /etc/ssh/sshd_config
%attr(0644,root,root) %config /etc/pam.d/sshd
%attr(0755,root,root) %config /sbin/init.d/sshd
%attr(0755,root,root) /usr/bin/ssh-keygen
%attr(0755,root,root) /usr/bin/scp
%attr(4755,root,root) /usr/bin/ssh
%attr(-,root,root) /usr/bin/slogin
%attr(0755,root,root) /usr/bin/ssh-agent
%attr(0755,root,root) /usr/bin/ssh-add
%attr(0755,root,root) /usr/sbin/sshd
%attr(-,root,root) /usr/sbin/rcsshd
%attr(0755,root,root) %dir /usr/lib/ssh
%attr(0755,root,root) /usr/lib/ssh/ssh-askpass
%attr(0755,root,root) /usr/lib/ssh/gnome-ssh-askpass
%attr(0644,root,root) %doc /usr/man/man1/scp.1*
%attr(0644,root,root) %doc /usr/man/man1/ssh.1*
%attr(-,root,root) %doc /usr/man/man1/slogin.1*
%attr(0644,root,root) %doc /usr/man/man1/ssh-agent.1*
%attr(0644,root,root) %doc /usr/man/man1/ssh-add.1*
%attr(0644,root,root) %doc /usr/man/man1/ssh-keygen.1*
%attr(0644,root,root) %doc /usr/man/man8/sshd.8*
%attr(0644,root,root) /var/adm/fillup-templates/rc.config.sshd

From GLeblanc at cu-portland.edu Mon Sep 4 04:03:20 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Sun, 3 Sep 2000 10:03:20 -0700
Subject: installing OpenSSH rpm on SuSE 6.2
Message-ID: <025836EFF856D411A6660090272811E61D06B0@EMAIL>

> ---------- Forwarded message ----------
> From: Faheem Mitha
> Newsgroups: comp.security.ssh
> Subject: installing OpenSSH rpm on SuSE 6.2
> 
> Dear people,
> 
> I tried to recompile the rpm of OpenSSH (openssh-2.2.0p1-1.src.rpm)
> on SuSE 6.2. I got the following errors.
> 
> faheem /usr/src/packages/SPECS>rpm -ba openssh.spec
> line 25: Version not permitted: PreReq: openssl >= 0.9.5a

I think you should get a newer version of RPM. I'd go with 3.0.5, as that's the newest in the 3.0 series, and it supports PreReqs properly.
	Greg

From faheem at email.unc.edu Mon Sep 4 04:13:56 2000
From: faheem at email.unc.edu (Faheem Mitha)
Date: Sun, 3 Sep 2000 13:13:56 -0400 (EDT)
Subject: installing OpenSSH rpm on SuSE 6.2
In-Reply-To: <025836EFF856D411A6660090272811E61D06B0@EMAIL>
Message-ID:

On Sun, 3 Sep 2000, Gregory Leblanc wrote:

> > ---------- Forwarded message ----------
> > From: Faheem Mitha
> > Newsgroups: comp.security.ssh
> > Subject: installing OpenSSH rpm on SuSE 6.2
> > 
> > Dear people,
> > 
> > I tried to recompile the rpm of OpenSSH (openssh-2.2.0p1-1.src.rpm)
> > on SuSE 6.2. I got the following errors.
> > 
> > faheem /usr/src/packages/SPECS>rpm -ba openssh.spec
> > line 25: Version not permitted: PreReq: openssl >= 0.9.5a
> 
> I think you should get a newer version of RPM. I'd go with 3.0.5, as that's
> the newest in the 3.0 series, and it supports PreReqs properly.
> 	Greg

Aargh, I was afraid someone would suggest that. I am seriously worried I will run into problems with rpm 3.05, and then I will not be able to reinstall my old version of rpm because rpm is not working. (How is that for a catch-22 nightmare?) Also, I might need to rebuild my database, which might cause further problems. Can't I tweak the spec file somehow?

Thanks, Faheem.

From djm at mindrot.org Mon Sep 4 11:25:47 2000
From: djm at mindrot.org (Damien Miller)
Date: Mon, 4 Sep 2000 11:25:47 +1100 (EST)
Subject: installing OpenSSH rpm on SuSE 6.2
In-Reply-To:
Message-ID:

On Sun, 3 Sep 2000, Faheem Mitha wrote:

> Aargh, I was afraid someone would suggest that. I am seriously worried
> I will run into problems with rpm 3.05, and then I will not be able to
> reinstall my old version of rpm because rpm is not working. (How is
> that for a catch-22 nightmare?) Also, I might need to rebuild my
> database, which might cause further problems. Can't I tweak the spec
> file somehow?

Alternately, you can just comment out the PreReqs. They are there to ensure that software is installed in the correct order, but are not essential.

-d

-- 
| ``The power of accurate observation is      | Damien Miller
| commonly called cynicism by those who       | @Work
| have not got it'' - George Bernard Shaw     | http://www.mindrot.org

From faheem at email.unc.edu Mon Sep 4 12:54:55 2000
From: faheem at email.unc.edu (Faheem Mitha)
Date: Sun, 3 Sep 2000 21:54:55 -0400 (EDT)
Subject: installing OpenSSH rpm on SuSE 6.2
In-Reply-To:
Message-ID:

On Mon, 4 Sep 2000, Damien Miller wrote:

> On Sun, 3 Sep 2000, Faheem Mitha wrote:
> Alternately, you can just comment out the PreReqs. They are there to
> ensure that software is installed in the correct order, but are
> not essential.

Hi, thanks for your reply. I got the rpms to build, though it still remains to be seen if they will work correctly.

I think there might be a minor error in your spec file. You say...

# Do we want to disable building of x11-askpass? (1=yes 0=no)
%define no_x11_askpass 0

# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%define no_gnome_askpass 0

However, my observation from building the rpms (and bearing in mind that I really know bugger-all about rpms) is that the reverse is true:

I.e. if, for example, both are kept as 0, then neither the x11 nor the gnome askpass rpm is built, contrary to what your comment says. If I am wrong about this, please let me know.

Let me take the opportunity to ask:

Does leaving out the x11 and gnome askpass rpms reduce any functionality in the system? I am still unclear as to their purpose. I will probably not worry about the gnome rpm anyway, since my gnome libraries are in a mess.

Best regards, Faheem Mitha.

From djm at mindrot.org Mon Sep 4 13:05:37 2000
From: djm at mindrot.org (Damien Miller)
Date: Mon, 4 Sep 2000 13:05:37 +1100 (EST)
Subject: installing OpenSSH rpm on SuSE 6.2
In-Reply-To:
Message-ID:

On Sun, 3 Sep 2000, Faheem Mitha wrote:

> However, my observation from building the rpms (and bearing in mind
> that I really know bugger-all about rpms) is that the reverse is true:
> 
> I.e. if, for example, both are kept as 0, then neither the x11 nor the
> gnome askpass rpm is built, contrary to what your comment says. If I
> am wrong about this, please let me know.

That is not my experience - I use the spec file unmodified to build the RPMs distributed from ftp.openbsd.org.

> Let me take the opportunity to ask:
> 
> Does leaving out the x11 and gnome askpass rpms reduce any
> functionality in the system? I am still unclear as to their purpose. I
> will probably not worry about the gnome rpm anyway, since my gnome
> libraries are in a mess.

It means that you have to enter your passphrase into a terminal (console, xterm, etc), rather than a pretty X11 dialog :)

-d

-- 
| ``The power of accurate observation is      | Damien Miller
| commonly called cynicism by those who       | @Work
| have not got it'' - George Bernard Shaw     | http://www.mindrot.org

From faheem at email.unc.edu Mon Sep 4 15:12:29 2000
From: faheem at email.unc.edu (Faheem Mitha)
Date: Mon, 4 Sep 2000 00:12:29 -0400 (EDT)
Subject: openssh installation success
In-Reply-To:
Message-ID:

Dear people,

Just thought I would say a quick thank-you. I managed to compile and install the openssh rpms for ssh on my system from the source rpm which was provided (at least the ssh and the ssh-clients rpms, which I think is all I need, since I do not want to ssh in from outside). ssh and scp seem to be working properly (I ran them with -v flag). Also, they run noticeably faster than the old versions I had installed (not openssh but ssh, wherever that came from).

People on this list have been very helpful considering that this is not really what this list is for. I will go away now, but before I do, let me just ask a couple of dumb questions.

1) I asked a long time ago on the ssh newsgroup whether there was any way to interactively turn on and off encryption while a ssh session is going on. The reason was that it might speed things up, and often in a ssh session one only cares about encrypting the password. The answer was apparently no, and I am wondering whether this is still true, and if so, why. I.e. the feature was not added because it was considered unnecessary, undesirable, or just impossible to implement within the current framework?

2) What is a good value of compression to use for ssh logins to remote sites, if using a modem?

Oh yes, and please recommend a good place on the web to learn about ssh. Your manual page assumes some expertise.

Best regards, Faheem Mitha.

From djm at mindrot.org Mon Sep 4 15:21:03 2000
From: djm at mindrot.org (Damien Miller)
Date: Mon, 4 Sep 2000 15:21:03 +1100 (EST)
Subject: openssh installation success
In-Reply-To:
Message-ID:

On Mon, 4 Sep 2000, Faheem Mitha wrote:

> 1) I asked a long time ago on the ssh newsgroup whether there was any
> way to interactively turn on and off encryption while a ssh session
> is going on. The reason was that it might speed things up, and
> often in a ssh session one only cares about encrypting the
> password. The answer was apparently no, and I am wondering whether
> this is still true, and if so, why. Ie. the feature was not added
> because it was considered unnecessary, undesirable, or just
> impossible to implement within the current framework

If you use a fast cipher (e.g. blowfish) then you are likely to be able to run at wire speeds anyway. On a Celery 400, Blowfish can push 13 megabytes per second:

[damien at neon damien]$ openssl speed bf
Doing blowfish cbc for 3s on 8 size blocks: 4433946 blowfish cbc's in 2.96s
Doing blowfish cbc for 3s on 64 size blocks: 631695 blowfish cbc's in 2.94s
Doing blowfish cbc for 3s on 256 size blocks: 159063 blowfish cbc's in 2.96s
Doing blowfish cbc for 3s on 1024 size blocks: 40825 blowfish cbc's in 2.98s
Doing blowfish cbc for 3s on 8192 size blocks: 4981 blowfish cbc's in 2.96s
OpenSSL 0.9.5a 1 Apr 2000
built on: Wed Aug 9 10:17:01 EST 2000
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
The 'numbers' are in 1000s of bytes per second processed.
type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
blowfish cbc     11983.64k    13751.18k    13756.80k    14028.46k    13785.25k

> 2) What is a good value of compression to use for ssh logins to remote
> sites, if using a modem?
I am told that zlib has diminishing returns after level 4, but some real numbers would be much better than anecdote :)

> Oh yes, and please recommend a good place on the web to learn about
> ssh. Your manual page assumes some expertise.

The ssh at clinet.fi mailing list is pretty general.

Regards,
Damien Miller

--
| ``The power of accurate observation is    | Damien Miller
| commonly called cynicism by those who     | @Work
| have not got it'' - George Bernard Shaw   | http://www.mindrot.org

From faheem at email.unc.edu Mon Sep 4 15:31:26 2000
From: faheem at email.unc.edu (Faheem Mitha)
Date: Mon, 4 Sep 2000 00:31:26 -0400 (EDT)
Subject: openssh installation success
In-Reply-To:
Message-ID:

On Mon, 4 Sep 2000, Damien Miller wrote:

> > Oh yes, and please recommend a good place on the web to learn about
> > ssh. Your manual page assumes some expertise.
>
> The ssh at clinet.fi mailing list is pretty general.

No, sorry, I meant documentation.

Faheem.

From faheem at email.unc.edu Mon Sep 4 15:37:36 2000
From: faheem at email.unc.edu (Faheem Mitha)
Date: Mon, 4 Sep 2000 00:37:36 -0400 (EDT)
Subject: openssh installation success
In-Reply-To:
Message-ID:

On Mon, 4 Sep 2000, Damien Miller wrote:

> On Mon, 4 Sep 2000, Faheem Mitha wrote:
>
> > 1) I asked a long time ago on the ssh newsgroup whether there was any
> > way to interactively turn on and off encryption while a ssh session
> > is going on. The reason was that it might speed things up, and
> > often in a ssh session one only cares about encrypting the
> > password. The answer was apparently no, and I am wondering whether
> > this is still true, and if so, why. Ie. the feature was not added
> > because it was considered unnecessary, undesirable, or just
> > impossible to implement within the current framework
>
> If you use a fast cipher (e.g blowfish) then you are likely to be able
> to run at wire speeds anyway. On a Celery 400, Blowfish can push 13
> megabytes per second:
>
> [damien at neon damien]$ openssl speed bf
> Doing blowfish cbc for 3s on 8 size blocks: 4433946 blowfish cbc's in 2.96s
> Doing blowfish cbc for 3s on 64 size blocks: 631695 blowfish cbc's in 2.94s
> Doing blowfish cbc for 3s on 256 size blocks: 159063 blowfish cbc's in 2.96s
> Doing blowfish cbc for 3s on 1024 size blocks: 40825 blowfish cbc's in 2.98s
> Doing blowfish cbc for 3s on 8192 size blocks: 4981 blowfish cbc's in 2.96s
> OpenSSL 0.9.5a 1 Apr 2000
> built on: Wed Aug 9 10:17:01 EST 2000
> options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
> compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
> The 'numbers' are in 1000s of bytes per second processed.
> type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
> blowfish cbc     11983.64k    13751.18k    13756.80k    14028.46k    13785.25k

The same command gives me

faheem ~>openssl speed bf
Doing blowfish cbc for 3s on 8 size blocks: 2639671 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 64 size blocks: 260730 blowfish cbc's in 2.20s
Doing blowfish cbc for 3s on 256 size blocks: 81753 blowfish cbc's in 2.57s
Doing blowfish cbc for 3s on 1024 size blocks: 24267 blowfish cbc's in 3.00s
Doing blowfish cbc for 3s on 8192 size blocks: 3039 blowfish cbc's in 3.00s
OpenSSL 0.9.5a 1 Apr 2000
built on: Sat Sep 2 23:50:30 EDT 2000
options:bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
The 'numbers' are in 1000s of bytes per second processed.
type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
blowfish cbc      7039.12k     8260.75k     8143.49k     8283.14k     8298.50k

But I am not sure what this is telling me. My modem is a little bit elderly and slow, by the way, which may explain why my numbers are smaller than yours.

Faheem.

From djm at mindrot.org Mon Sep 4 15:49:40 2000
From: djm at mindrot.org (Damien Miller)
Date: Mon, 4 Sep 2000 15:49:40 +1100 (EST)
Subject: openssh installation success
In-Reply-To:
Message-ID:

On Mon, 4 Sep 2000, Faheem Mitha wrote:

> blowfish cbc 7039.12k 8260.75k 8143.49k 8283.14k 8298.50k
>
> But I am not sure what this is telling me. My modem is a little bit
> elderly and slow, by the way, which may explain why my numbers are
> smaller than yours.

This is the speed of the encryption algorithm itself on your system; it does not include any of the other factors (getting the data to encrypt, speed of the network, etc).

I quoted those numbers to demonstrate that the overhead that a fast algorithm imposes is small enough that there is little point in not using it (in response to your question of whether it is possible to disable encryption in OpenSSH for performance).

-d

--
| ``The power of accurate observation is    | Damien Miller
| commonly called cynicism by those who     | @Work
| have not got it'' - George Bernard Shaw   | http://www.mindrot.org

From qralston+ml.openssh-unix-dev at andrew.cmu.edu Mon Sep 4 17:42:16 2000
From: qralston+ml.openssh-unix-dev at andrew.cmu.edu (James Ralston)
Date: Mon, 4 Sep 2000 02:42:16 -0400 (EDT)
Subject: installing OpenSSH rpm on SuSE 6.2
In-Reply-To:
Message-ID:

On Sun, 3 Sep 2000, Faheem Mitha wrote:

> Aargh, I was afraid someone would suggest that. I am seriously
> worried I will run into problems with rpm 3.05, and then I will not
> be able to reinstall my old version of rpm because rpm is not
> working.

You're going to run into *more* problems if you don't upgrade to rpm-3.0.5, because binary packages produced by it are frequently going to be incompatible with previous versions of RPM, due to rpmlib() dependencies that rpm-3.0.5 uses to track incompatible changes across different versions of RPM.

Note, however, that nested %if's are broken in both rpm-3.0.5 and rpm-4.0. See:

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=14463

> Also, I might need to rebuild my database, which might cause further
> problems.

You shouldn't need to, as rpm-3.0.5 uses the same db1-1.85 that rpm has always used.

> Can't I tweak the spec file somehow?

Well, there are two versioned PreReq's in contrib/redhat/openssh.spec. The first is in the main package, and is immediately followed by a versioned Requires:

PreReq: openssl >= 0.9.5a
Requires: openssl >= 0.9.5a

This PreReq is actually an error, and *should* be removed. Nothing in the installation process of openssh depends on openssl being installed first. The "Requires" line is sufficient.

The second PreReq is in the server subpackage:

PreReq: openssh chkconfig >= 0.9

This PreReq is completely correct; the openssh.spec %post script runs /sbin/chkconfig, so chkconfig *must* be installed on the system before openssh.

If you absolutely cannot or will not upgrade to rpm 3.0.5, then the safest thing to do would be to replace the above PreReq line with:

PreReq: openssh
Requires: chkconfig >= 0.9

IMO, it's very unlikely that chkconfig won't be installed on your system, as many things depend on it.
James

From jim.drake at ecrc.de Mon Sep 4 20:20:48 2000
From: jim.drake at ecrc.de (Jim Drake)
Date: Mon, 04 Sep 2000 09:20:48 +0000
Subject: Man pages
Message-ID: <39B36970.F08DA7F@ecrc.de>

I've noticed that the man pages provided in the tarball do not work on Solaris - the output is not formatted as expected. On a linux box it is possible to view the man pages using nroff -mdoc ./sshd.8, where prepended file is /usr/lib/groff/tmac/tmac.doc. There does not appear to be an equivalent macro file on Solaris 2.6. Does anybody know how I can get the man pages to display properly on Solaris?

Thanks

From janfrode at parallab.uib.no Tue Sep 5 00:50:58 2000
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Mon, 4 Sep 2000 15:50:58 +0200
Subject: Hm, dispatch protocol error
Message-ID: <20000904155058.A26853@ii.uib.no>

I've been getting a few locked sessions (unable to ctrl-c, ctrl-z it) with the message:

Hm, dispatch protocol error: type 20 plen 136

I've never seen this message before openssh-SNAP-2000082900, and it's only happened when connected to SSH 2.3.0, from openssh-SNAP-2000082900. Both machines are mips-sgi-irix6.5.

Anybody care to explain what it means? Is it a known bug?

-jf

From Markus.Friedl at informatik.uni-erlangen.de Tue Sep 5 01:29:08 2000
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 4 Sep 2000 16:29:08 +0200
Subject: Hm, dispatch protocol error
In-Reply-To: <20000904155058.A26853@ii.uib.no>; from janfrode@parallab.uib.no on Mon, Sep 04, 2000 at 03:50:58PM +0200
References: <20000904155058.A26853@ii.uib.no>
Message-ID: <20000904162908.A22678@faui02l.informatik.uni-erlangen.de>

On Mon, Sep 04, 2000 at 03:50:58PM +0200, Jan-Frode Myklebust wrote:

> I've been getting a few locked sessions (unable to ctrl-c, ctrl-z it) with
> the message:
>
> Hm, dispatch protocol error: type 20 plen 136
>
> I've never seen this message before openssh-SNAP-2000082900, and it's only
> happened when connected to SSH 2.3.0, from openssh-SNAP-2000082900. Both
> machines are mips-sgi-irix6.5.
>
> Anybody care to explain what it means? Is it a known bug?

ssh-2.3.0 does re-keying by default. openssh does not at all. you have to turn off re-keying in sshd_conf, see sshd_conf(5). (RekeyIntervalSeconds 0)

From Markus.Friedl at informatik.uni-erlangen.de Tue Sep 5 01:30:10 2000
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 4 Sep 2000 16:30:10 +0200
Subject: Man pages
In-Reply-To: <39B36970.F08DA7F@ecrc.de>; from jim.drake@ecrc.de on Mon, Sep 04, 2000 at 09:20:48AM +0000
References: <39B36970.F08DA7F@ecrc.de>
Message-ID: <20000904163010.B22678@faui02l.informatik.uni-erlangen.de>

On Mon, Sep 04, 2000 at 09:20:48AM +0000, Jim Drake wrote:

> I've noticed that the man pages provided in the tarball do not work on
> Solaris - the output is not formatted as expected. On a linux box it is
> possible to view the man pages using nroff -mdoc ./sshd.8, where
> prepended file is /usr/lib/groff/tmac/tmac.doc. There does not appear
> to be an equivelent macro file on Solaris 2.6. Does anybody know how I
> can get the man pages to display properly on Solaris. Thanks

you have to use the groff macros or the preformatted manpages from the portable openssh distribution.

From faheem at email.unc.edu Tue Sep 5 03:05:43 2000
From: faheem at email.unc.edu (Faheem Mitha)
Date: Mon, 4 Sep 2000 12:05:43 -0400 (EDT)
Subject: installing OpenSSH rpm on SuSE 6.2
In-Reply-To:
Message-ID:

On Mon, 4 Sep 2000, James Ralston wrote:

> On Sun, 3 Sep 2000, Faheem Mitha wrote:
>
> You're going to run into *more* problems if you don't upgrade to
> rpm-3.0.5, because binary packages produced by it are frequently going
> to be incompatible with previous versions of RPM, due to rpmlib()
> dependencies that rpm-3.0.5 uses to track incompatible changes across
> different versions of RPM.

Well, these days I increasingly recompile my rpms. I guess I'm just a Nervous Nellie when it comes to even the slight possibility of trashing my system.

> Note, however, that nested %if's are broken in both rpm-3.0.5 and
> rpm-4.0. See:
>
> http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=14463

Er, is this a serious problem (i.e. should I upgrade anyway)? And I didn't even know there was an rpm 4.0!

> > Also, I might need to rebuild my database, which might cause further
> > problems.
>
> You shouldn't need to, as rpm-3.0.5 uses the same db1-1.85 that rpm
> has always used.

Yes, I noted that on the rpm web site.

> > Can't I tweak the spec file somehow?
>
> Well, there are two versioned PreReq's in contrib/redhat/openssh.spec.
> The first is in the main package, and is immediately followed by a
> versioned Requires:
>
> PreReq: openssl >= 0.9.5a
> Requires: openssl >= 0.9.5a
>
> This PreReq is actually an error, and *should* be removed. Nothing in
> the installation process of openssh depends on openssl being installed
> first. The "Requires" line is sufficient.

rpm seemed to be having problems with the >= 0.9.5.a part (some (not very clear) documentation on www.rpm.org seemed to suggest this might be the case). I *know* the version of openssl is 0.9.5.a, so that's OK.
> The second PreReq is in the server subpackage:
>
> PreReq: openssh chkconfig >= 0.9
>
> This PreReq is completely correct; the openssh.spec %post script runs
> /sbin/chkconfig, so chkconfig *must* be installed on the system before
> openssh.
>
> If you absolutely cannot or will not upgrade to rpm 3.0.5, then the
> safest thing to do would be to replace the above PreReq line with:
>
> PreReq: openssh
> Requires: chkconfig >= 0.9
>
> IMO, it's very unlikely that chkconfig won't be installed on your
> system, as many things depend on it.

This may be unlikely, but appears to be the case. When I type

locate chkconfig

I get precisely two files as follows (SuSE 6.2):

/opt/kde/share/apps/klyx/chkconfig.ltx
/usr/share/lyx/chkconfig.ltx

Is it possible it might be called something else on my system? If not, should I install it? It didn't interfere with my compilation, since chkconfig appears only to be required for the server rpm, which I do not require since I will not be logging in from outside.

This is a *really* helpful mailing list! Thanks.

Faheem.

From bet at rahul.net Tue Sep 5 03:14:53 2000
From: bet at rahul.net (Bennett Todd) Date: Mon, 4 Sep 2000 12:14:53 -0400 Subject: trivial patch to post overridden command into env Message-ID: <20000904121453.I461@oven.com> I am not 100% positive of the security implications of this, but I really can't see any potential for harm. If this patch is applied (I coded it against the now-current openssh-2.2.0p1), then if (a) the authorized_keys entry has command="whatever" to force a specific command, and also (b) the invoker specified some command on their ssh cmdline, then the invoked command will be posted into the $command environment variable. This is really helpful for providing restricted-access versions of things like rsync-over-ssh and cvs-over-ssh, where the command may vary, but nonetheless needs to be restricted; the command="..." string in authorized_keys can specify a wrapper that checks the command environment variable, and if and only if it likes it, execs the real command with some (checked) args from the user. I used a new global [global to session.c, static for file scope] to pass the saved command from one place to another, which is almost certainly inappropriate. Hopefully, if the maintainers of OpenSSH deem this functionality worth including, they'll be able to bring their superior knowlege of openssh's data structures and flow to bear on the problem and pick a more apt place to stash it. -Bennett [ I'd be grateful if any comments on this patch were Cc-ed to me directly, as I'm not on the list ] -------------- next part -------------- diff -ruN openssh-2.2.0p1.orig/session.c openssh-2.2.0p1/session.c --- openssh-2.2.0p1.orig/session.c Tue Aug 29 18:21:22 2000 +++ openssh-2.2.0p1/session.c Mon Sep 4 11:47:10 2000 @@ -125,6 +125,8 @@ static login_cap_t *lc; #endif +static char *saved_command = 0; + /* * Remove local Xauthority file. */ 
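Review bot: `static char *saved_command = 0;` in the @@ -125,6 +125,8 @@ hunk initialises a pointer with a bare 0 where the surrounding code spells it NULL (compare `if (forced_command != NULL)` in the next hunk), and, as the cover note itself concedes, a file-scope static is the wrong home for per-session state; the value belongs on the session struct `s` that the next hunk already passes to do_exec_pty(), so it travels with the session instead of through a hidden global that every later caller of do_child() has to know about.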
@@ -377,8 +379,11 @@ packet_integrity_check(plen, 0, type); } if (forced_command != NULL) { + saved_command = command; command = forced_command; debug("Forced command '%.500s'", forced_command); + } else { + saved_command = NULL; } if (have_pty) do_exec_pty(s, command, pw); @@ -1042,6 +1047,9 @@ env = xmalloc(envsize * sizeof(char *)); env[0] = NULL; + if (saved_command) { + child_set_env(&env, &envsize, "command", saved_command); + } if (!options.use_login) { /* Set basic environment. */ child_set_env(&env, &envsize, "USER", pw->pw_name); -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000904/88d7031a/attachment.bin From faheem at email.unc.edu Tue Sep 5 03:25:29 2000 From: faheem at email.unc.edu (Faheem Mitha) Date: Mon, 4 Sep 2000 12:25:29 -0400 (EDT) Subject: installing OpenSSH rpm on SuSE 6.2 In-Reply-To: Message-ID: On Mon, 4 Sep 2000, James Ralston wrote: > IMO, it's very unlikely that chkconfig won't be installed on your > system, as many things depend on it. I just did a little investigating. It appears that the chkconfig package is a fundamental system utility on Redhat and its functionality is replaced on SuSE by completely different things (I'm not sure what). I don't think there is any easy fix for this. chkconfig *cannot* be installed on my system, since it would conflict with all kinds of things. Can someone confirm this? It looks as if the server rpm would have to be redesigned for SuSE. Fortunately, I don't need the server rpm. IMHO it is unfortunate that the different Linux distributions cannot attempt to maintain more of a standard. This kind of Balkanisation does nobody any good. Best regards, Faheem Mitha. From markus.friedl at informatik.uni-erlangen.de Tue Sep 5 05:24:36 2000 
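Review bot: the environment variable name `command` chosen in the @@ -1042,6 +1047,9 @@ hunk is too generic for a value that a wrapper script will base access decisions on; it can collide with a variable the user's shell or profile already sets, and the established name for this is SSH_ORIGINAL_COMMAND (ssh-1.2.27 uses it, as the reply in this thread notes), so use that. The value is the client's unvetted request string and any wrapper reading it must treat it as hostile input; also, the insertion sits before the `if (!options.use_login)` branch, so it is exported even when login(1) builds the environment, and the cover mail should say whether that is intended. In the @@ -377,8 +379,11 @@ hunk the `else { saved_command = NULL; }` reset is the right defensive choice given the global, and a one-line comment there stating that the saved value is the client's request, not the forced command, would spare the next reader a trip to the other hunk.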
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 4 Sep 2000 20:24:36 +0200 Subject: trivial patch to post overridden command into env In-Reply-To: <20000904121453.I461@oven.com>; from bet@rahul.net on Mon, Sep 04, 2000 at 12:14:53PM -0400 References: <20000904121453.I461@oven.com> Message-ID: <20000904202436.C20574@folly.informatik.uni-erlangen.de> On Mon, Sep 04, 2000 at 12:14:53PM -0400, Bennett Todd wrote: > command="whatever" to force a specific command, and also (b) the > invoker specified some command on their ssh cmdline, then the > invoked command will be posted into the $command environment > variable. thanks, i forgot about this. in ssh-1.2.27 and friends the command is stored in $SSH_ORIGINAL_COMMAND. this behaviour will be in the next release (2.3.0) -markus > diff -ruN openssh-2.2.0p1.orig/session.c openssh-2.2.0p1/session.c > --- openssh-2.2.0p1.orig/session.c Tue Aug 29 18:21:22 2000 > +++ openssh-2.2.0p1/session.c Mon Sep 4 11:47:10 2000 > @@ -125,6 +125,8 @@ > static login_cap_t *lc; > #endif > > +static char *saved_command = 0; > + > /* > * Remove local Xauthority file. > */ > @@ -377,8 +379,11 @@ > packet_integrity_check(plen, 0, type); > } > if (forced_command != NULL) { > + saved_command = command; > command = forced_command; > debug("Forced command '%.500s'", forced_command); > + } else { > + saved_command = NULL; > } > if (have_pty) > do_exec_pty(s, command, pw); > @@ -1042,6 +1047,9 @@ > env = xmalloc(envsize * sizeof(char *)); > env[0] = NULL; > > + if (saved_command) { > + child_set_env(&env, &envsize, "command", saved_command); > + } > if (!options.use_login) { > /* Set basic environment. */ > child_set_env(&env, &envsize, "USER", pw->pw_name); From dirkw at rentec.com Tue Sep 5 06:00:05 2000 
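The wrapper approach Bennett Todd describes (a command="..." entry that inspects the caller's requested command and execs the real program only if it passes), written against the SSH_ORIGINAL_COMMAND variable Markus Friedl says ssh-1.2.27 sets and OpenSSH 2.3.0 will set. This is an added example, not code from the thread or from OpenSSH; the install path /usr/local/libexec/ssh-wrapper, the /srv/export directory and the rsync/cvs allowlist are assumptions.

```sh
#!/bin/sh
# Forced-command wrapper for an authorized_keys entry of the form
#   command="/usr/local/libexec/ssh-wrapper" <key> user@host
# sshd runs this script instead of the client's request and leaves the
# request itself in $SSH_ORIGINAL_COMMAND.  Install path, EXPORT_DIR and
# the rsync/cvs allowlist below are assumptions made for this example.

PATH=/usr/bin:/bin
export PATH

# Read-only rsync transfers are confined to this tree (constructed value).
EXPORT_DIR=/srv/export

# check_command CMD: exit status 0 if CMD is on the allowlist, 1 otherwise.
# CMD is whatever the remote user typed, so every word of it is vetted.
check_command() {
    cmd=$1
    # First pass: refuse shell metacharacters, parent-directory components
    # and the empty string outright, whatever the shape of the request.
    case $cmd in
        *\;*|*\&*|*\|*|*\$*|*\`*|*\(*|*\)*|*\<*|*\>*|*\\*|*\"*|*\'*|*..*|'')
            return 1 ;;
    esac
    # Second pass: split into words (globbing off so a '*' stays literal).
    set -f
    set -- $cmd
    set +f
    case "$1 $2" in
        "rsync --server")
            # A client "rsync ... host:/path" makes the server side run
            #   rsync --server --sender -<short options> . /srv/export/
            # Exactly six words, pulling (--sender) only, path under EXPORT_DIR.
            [ $# -eq 6 ] || return 1
            [ "$3" = "--sender" ] || return 1
            case $4 in -[a-zA-Z.]*) ;; *) return 1 ;; esac
            [ "$5" = "." ] || return 1
            case $6 in "$EXPORT_DIR"/*) return 0 ;; esac
            return 1
            ;;
        "cvs server")
            # cvs-over-ssh: the client runs exactly "cvs server", nothing more.
            [ $# -eq 2 ] && return 0
            return 1
            ;;
    esac
    return 1
}

# run_wrapper: what sshd actually invokes.  Refuse a plain shell request,
# log and refuse anything off the allowlist, exec the rest without a shell.
run_wrapper() {
    if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
        logger -t ssh-wrapper "shell request refused from ${SSH_CLIENT:-unknown}"
        echo "interactive login not permitted" >&2
        exit 1
    fi
    if check_command "$SSH_ORIGINAL_COMMAND"; then
        set -f
        set -- $SSH_ORIGINAL_COMMAND
        set +f
        exec "$@"
    fi
    logger -t ssh-wrapper "rejected from ${SSH_CLIENT:-unknown}: $SSH_ORIGINAL_COMMAND"
    echo "command not permitted" >&2
    exit 1
}

# Dispatch only when run under the installed name, so the file can be
# sourced to exercise check_command() on its own.
case ${0##*/} in
    ssh-wrapper) run_wrapper ;;
esac
```

Because the vetted words are passed to exec directly, no shell ever re-parses the client's string; the metacharacter check is there so the wrapper stays safe if someone later routes the command through one.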
From: dirkw at rentec.com (Dirk Wetter)
Date: Mon, 04 Sep 2000 15:00:05 -0400
Subject: msg "X11 connection uses different authentication protocol" ?
Message-ID: <39B3F135.BC4AAE0@rentec.com>

Hi,

using OpenSSH_2.1.1 p4 I have problems with X11 forwarding. I used the same sources for Solaris and Linux. Tried nearly every combination, but it seems that the "opensshd" for Solaris has some problems.

Of course I tried to connect with "ssh -X", the server has in its /etc/sshd_config:

X11Forwarding yes
X11DisplayOffset 10
XAuthLocation /usr/openwin/bin/xauth

The client doesn't have any config file, neither for Linux nor for Solaris (same NFS homedir).

- it doesn't depend on the client, I checked with a non-free ssh client or use Linux instead. Both work.
- I checked the x11 fwd'ing with the openssh client on a non-free server on Solaris as well to an openssh server on Linux, both work too.

So, every time when I try to use x11 forwarding to the Solaris server using the openssh daemon, it fails. Attached you find an output from an openssh client to an openssh server, both on Solaris.

I know this is not the latest version. But since I couldn't find anything in the changelog for 2.2.0p1 which could have addressed this issue or in the archived mailing list, I dare to send this mail ;-)

Thanks for your help,

PS: please CC to me, I am not on this list.

-------------- next part --------------
server:~ # /usr/sbin/sshd -d
debug: sshd version OpenSSH_2.1.1
debug: Command 'ls -alni /var/mail' timed out
debug: Seeded RNG with 41 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: read DSA private key done
debug: Seeded RNG with 40 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
debug: Seeded RNG with 40 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Command 'ls -alni /var/mail' timed out
debug: Seeded RNG with 41 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from client-ip port 890
debug: Client protocol version 1.5; client software version OpenSSH_2.1.1
debug: Local version string SSH-1.99-OpenSSH_2.1.1
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "userid"
debug: Attempting authentication for userid.
debug: Trying rhosts with RSA host authentication for userid
debug: Rhosts RSA authentication: canonical host client
Rhosts with RSA host authentication accepted for userid, userid on client.
Accepted rhosts-rsa for userid from client-ip port 890 ruser userid
debug: PAM setting rhost to "client"
debug: PAM setting ruser to "userid"
debug: session_new: init
debug: session_new: session 0
debug: Allocating pty.
debug: Received request for X11 forwarding with auth spoofing.
debug: fd 14 setting O_NONBLOCK
debug: channel 0: new [X11 inet listener]
debug: PAM setting tty to "/dev/pts/9"
debug: PAM establishing creds
debug: Entering interactive session.
debug: fd 12 setting O_NONBLOCK
debug: server_init_dispatch_13
debug: server_init_dispatch_15
debug: tvp!=NULL kid 0 mili 10

on the client side was issued "ssh -v -X":

userid at client[~:512] ssh -X -v server
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /etc/ssh_config
debug: Command 'ls -alni /var/mail' timed out
debug: Seeded RNG with 39 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: ssh_connect: getuid 505 geteuid 0 anon 0
debug: Connecting to server [server-ip] port 22.
debug: Seeded RNG with 39 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Allocated local port 890.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.1.1
debug: Local version string SSH-1.5-OpenSSH_2.1.1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'server' is known and matches the RSA host key.
debug: Seeded RNG with 39 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying rhosts or /etc/hosts.equiv with RSA host authentication.
debug: Remote: Accepted for client [client-ip] by /etc/hosts.equiv.
debug: Received RSA challenge for host key from server.
debug: Sending response to host key RSA challenge.
debug: Remote: Rhosts with RSA host authentication accepted.
debug: Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server.
debug: Requesting pty.
debug: Requesting X11 forwarding with authentication spoofing.
debug: Requesting shell.
debug: Entering interactive session.
Environment:
  TZ=US/Eastern
  SSH_CLIENT=client-ip 890 22
  SSH_TTY=/dev/pts/9
  TERM=xterm
  DISPLAY=server:10.0
  XAUTHORITY=/tmp/ssh-zXXT5224/cookies
[...]
userid at server[~:512] echo $DISPLAY $TERM
xterm
userid at server[~:513] xterm -display server:10.0
debug: Received X11 open request.
debug: fd 9 setting O_NONBLOCK
debug: channel 0: new [X11 connection from server port 35530]
debug: X11 connection uses different authentication protocol.
debug: X11 rejected 0 i1/o16
debug: channel 0: read failed
debug: channel 0: input open -> drain
debug: channel 0: close_read
debug: channel 0: input: no drain shortcut
debug: channel 0: ibuf empty
debug: channel 0: input drain -> wait_oclose
debug: channel 0: send ieof
debug: channel 0: write failed
debug: channel 0: output open -> wait_ieof
debug: channel 0: send oclose
debug: channel 0: close_write
debug: X11 closed 0 i4/o64
debug: channel 0: rcvd ieof
debug: channel 0: non-open
channel 0: istate 4 != open
channel 0: ostate 64 != open
debug: channel 0: rcvd oclose
debug: channel 0: input wait_oclose -> closed
X connection to server:10.0 broken (explicit kill or server shutdown).
userid at server[~:516] netstat -a | grep '\.60'
      *.6000               *.*                0      0     0      0 LISTEN
      *.6010               *.*                0      0     0      0 LISTEN
server.6010          server.35530       32768      0 32768      0 TIME_WAIT

From djm at mindrot.org Tue Sep 5 16:33:11 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 5 Sep 2000 16:33:11 +1100 (EST)
Subject: [PATCH]: Cygwin port of 2.2.0p1
In-Reply-To: <39B2118B.ACD5F68@cygnus.com>
Message-ID:

On Sun, 3 Sep 2000, Corinna Vinschen wrote:

> I have to apologize. My previous patch missed a file :-(
> Attached to this mail you will find the corrected patch _with_
> the missing file.

Just going through your patch now. Some questions:

---

There are lots of cases where uid/euid == 0 checks are disabled. I assume because Win does not share Unix's root metaphor. Is this correct?

If so, there should be some replacement check to prevent non admin users from doing things like setting up port forwards for ports < 1024, etc.

---

In auth1.c you have:

/*
 * The only authentication which is able to change the user
 * context on NT systems is the password authentication. So
 * we deny all requsts for changing the user context if another
 * authentication method is used.
 * This may change in future when a special openssh
 * subauthentication package is available.
 */

Does this mean the only way to change Windows' equivalent of uid is with a valid password? The code adjacent to the above comment looks like it will disable authentication modes other than password, correct? I can't see anything similar done for protocol v2 though.

----

Also in auth1.c:

/*
 * check owner and modes.
 * This won't work on Windows under all circumstances so we drop
 * that check for now.
 */

How does it fail? I don't want to _remove_ security checks.

---

In session.c you copy the parent's whole environment to the child. Is there any way to limit this to specific variables, or (better still) initialise them from scratch?

I have made a snapshot with your changes merged + a couple of others picked up over the last few days.
http://www.mindrot.org/misc/openssh/openssh-SNAP-20000905.tar.gz -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From mouring at pconline.com Tue Sep 5 16:50:26 2000 From: mouring at pconline.com (Ben Lindstrom) Date: Tue, 5 Sep 2000 00:50:26 -0500 (CDT) Subject: scp.c proposed changed. In-Reply-To: <871yz6jabk.fsf@nakaji.tutrp.tut.ac.jp> Message-ID: I'm unsure at this point if I should split this patch in two and submit part of it to the keeper of the OpenBSD's OpenSSH tree (Which is...=). The following patch changes utime() to utimes() in scp. And also lets us support usec. The second half is to keep the NeXT port inline with this change. =) --- scp.c.orig Tue Aug 29 18:11:30 2000 +++ scp.c Mon Sep 4 23:47:40 2000 @@ -683,8 +683,7 @@ off_t size; int setimes, targisdir, wrerrno = 0; char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; - struct utimbuf ut; - int dummy_usec; + struct timeval tv[2]; #define SCREWUP(str) { why = str; goto screwup; } @@ -738,16 +737,16 @@ if (*cp == 'T') { setimes++; cp++; - getnum(ut.modtime); + getnum(tv[1].tv_sec); if (*cp++ != ' ') SCREWUP("mtime.sec not delimited"); - getnum(dummy_usec); + getnum(tv[1].tv_usec); if (*cp++ != ' ') SCREWUP("mtime.usec not delimited"); - getnum(ut.actime); + getnum(tv[0].tv_sec); if (*cp++ != ' ') SCREWUP("atime.sec not delimited"); - getnum(dummy_usec); + getnum(tv[0].tv_usec); if (*cp++ != '\0') SCREWUP("atime.usec not delimited"); (void) atomicio(write, remout, "", 1); @@ -815,7 +814,7 @@ sink(1, vect); if (setimes) { setimes = 0; - if (utime(np, &ut) < 0) + if (utimes(np, tv) < 0) run_err("%s: set times: %s", np, strerror(errno)); } 
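Review bot: in the @@ -738,16 +737,16 @@ hunk the microsecond fields parsed from the remote's T record now flow into tv[0].tv_usec and tv[1].tv_usec and on to utimes(), where before they were parsed into dummy_usec and dropped; utimes() rejects tv_usec outside 0..999999 with EINVAL on most systems, and this value comes from the peer, so range-check it (a SCREWUP("mtime.usec out of range") next to the existing delimiter checks fits the local style) or clamp it before use. `struct timeval` also needs <sys/time.h>, and the @@ -683,8 +682,7 @@ hunk changes the declaration without touching the includes, so confirm scp.c already pulls that header in or add it, otherwise the build depends on an incidental include order.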
@@ -902,7 +901,7 @@ (void) response(); if (setimes && wrerr == NO) { setimes = 0; - if (utime(np, &ut) < 0) { + if (utimes(np, tv) < 0) { run_err("%s: set times: %s", np, strerror(errno)); wrerr = DISPLAYED; --- next-posix.c.orig Thu Aug 31 22:14:37 2000 +++ next-posix.c Mon Sep 4 23:47:50 2000 @@ -18,20 +18,6 @@ return wait_pid; } - -int -posix_utime(char *filename,struct utimbuf *buf) -{ - time_t timep[2]; - - timep[0] = buf->actime; - timep[1] = buf->modtime; - - #undef utime /* Use NeXT's utime() function */ - return utime(filename,timep); -} - - int waitpid(int pid, int *stat_loc, int options) { --- next-posix.h.orig Tue Aug 29 18:11:30 2000 +++ next-posix.h Mon Sep 4 23:47:50 2000 @@ -36,9 +36,6 @@ #define WCOREDUMP(w) ((w) & WCOREFLAG) /* POSIX "wrapper" functions to replace to BSD functions */ -int posix_utime(char *filename, struct utimbuf *buf); /* new utime() */ -#define utime posix_utime - pid_t posix_wait(int *status); /* new wait() */ #define wait posix_wait
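Review bot: the `struct timeval tv[2];` introduced in the scp.c -683 hunk removes the last `struct utimbuf` use, yet nothing in the patch adds a configure test or a fallback for platforms that lack utimes(); since the second half also deletes the NeXT posix_utime() wrapper, either confirm every portable target has utimes() and `<sys/time.h>`, or add a HAVE_UTIMES check with a utime()-based fallback in the compat layer.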
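Review bot: in the scp.c -738 hunk, `getnum(tv[1].tv_usec)` and `getnum(tv[0].tv_usec)` now store a value taken straight from the peer's `T` line, where before it went into `dummy_usec` and was ignored. utimes() rejects a tv_usec outside 0..999999 (EINVAL on most systems), so add a range check alongside the existing delimiter checks, e.g. `if (tv[1].tv_usec < 0 || tv[1].tv_usec > 999999) SCREWUP("mtime.usec out of range");`, rather than letting a malformed T line surface later as a "set times" error.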
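Review bot: deleting posix_utime() in the next-posix.c -18 hunk only works if NeXT actually provides utimes() with the BSD signature; the wrapper existed because NeXT's utime() takes a `time_t` array rather than a `struct utimbuf`, and no replacement is shown. The next-posix.h hunk consistently drops the `#define utime posix_utime`, so the remaining question is purely whether utimes() links on NeXT; please confirm that before this goes in.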
From: jim.drake at ecrc.de (Jim Drake)
Date: Tue, 05 Sep 2000 08:10:09 +0000
Subject: Man pages
References: <39B36970.F08DA7F@ecrc.de> <20000904163010.B22678@faui02l.informatik.uni-erlangen.de>
Message-ID: <39B4AA61.AFF10BF1@ecrc.de>

Perhaps I'm missing something, but in the portable openssh distribution are what appear to be manpages:

[root at is31] openssh-2.2.0p1 [315] file * | grep roff
scp.1:          [nt]roff, tbl, or eqn input text
scp.1.out:      [nt]roff, tbl, or eqn input text
ssh-add.1:      [nt]roff, tbl, or eqn input text
ssh-add.1.out:  [nt]roff, tbl, or eqn input text
etc.........

These files begin with the following :

.Dd September 25, 1999
.Dt SCP 1
.Os
.Sh NAME

There are only minor differences between the '.1' and '.1.out' files. I can display these on redhat linux 6 because there is an appropriate macro to prepend to the file. I can find no such macro on Solaris 2.6. I can find no preformatted manpages in the portable openssh distribution - only the ones above which I can not use! Any help appreciated.

Markus Friedl wrote:

> On Mon, Sep 04, 2000 at 09:20:48AM +0000, Jim Drake wrote:
> > I've noticed that the man pages provided in the tarball do not work on
> > Solaris - the output is not formatted as expected. On a linux box it is
> > possible to view the man pages using nroff -mdoc ./sshd.8, where
> > prepended file is /usr/lib/groff/tmac/tmac.doc. There does not appear
> > to be an equivalent macro file on Solaris 2.6. Does anybody know how I
> > can get the man pages to display properly on Solaris. Thanks
>
> you have to use the groff macros or the preformatted manpages
> from the portable openssh distribution.

--
Jim Drake, Haus 3, G 2.OG       Cable & Wireless ECRC
tel: +49 89-9 26 99 224         Landsbergerstr. 155
fax: +49 89-9 26 99 170         D-80687 München
email: jdrake at ecrc.de        Deutschland
http://www.ecrc.de
From: djm at mindrot.org (Damien Miller)
Date: Tue, 5 Sep 2000 21:23:05 +1100 (EST)
Subject: Man pages
In-Reply-To: <39B4AA61.AFF10BF1@ecrc.de>
Message-ID:

On Tue, 5 Sep 2000, Jim Drake wrote:

> There are only minor differences between the '.1' and '.1.out' files.
>
> I can display these on redhat linux 6 because there is an appropriate macro
> to prepend to the file. I can find no such macro on Solaris 2.6. I can find
> no preformatted manpages in the portable openssh distribution - only the ones
> above which I can not use! Any help appreciated.

They are there:

[djm at mothra dist]$ tar ztvf openssh-2.2.0p1.tar.gz | grep '\.0$'
-rw-rw-r-- djm/djm    2591 2000-09-05 14:16:32 openssh-2.2.0p1/scp.0
-rw-rw-r-- djm/djm    3202 2000-09-05 14:16:32 openssh-2.2.0p1/ssh-add.0
-rw-rw-r-- djm/djm    4772 2000-09-05 14:16:32 openssh-2.2.0p1/ssh-agent.0
-rw-rw-r-- djm/djm    6828 2000-09-05 14:16:32 openssh-2.2.0p1/ssh-keygen.0
-rw-rw-r-- djm/djm   42238 2000-09-05 14:16:33 openssh-2.2.0p1/ssh.0
-rw-rw-r-- djm/djm   37293 2000-09-05 14:16:33 openssh-2.2.0p1/sshd.0

They can be installed by default using the "--with-catman=cat" configure option.

-d

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From: stevesk at sweden.hp.com (Kevin Steves)
Date: Tue, 5 Sep 2000 15:08:26 +0200 (CEST)
Subject: sftp-server and latest snapshot
Message-ID: <200009051304.PAA22478@b0fh.sweden.hp.com>

Needed to do the following to get sftp-server to compile on HP-UX 11. Not sure what the right "portable" fix might be.

Also, should sftp-server really be installed in prefix/libexec/ssh/ or just prefix/libexec/?

--- defines.h~ Tue Sep 5 07:13:07 2000 +++ defines.h Tue Sep 5 14:36:24 2000
@@ -143,9 +143,7 @@ typedef uint8_t u_int8_t; typedef uint16_t u_int16_t; typedef uint32_t u_int32_t; -/* typedef uint64_t u_int64_t; -*/ # define HAVE_U_INTXX_T 1 # else # if (SIZEOF_CHAR == 1)
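Review bot: as rendered, the -143 hunk drops the two comment-marker lines so that `typedef uint64_t u_int64_t;` becomes live for every platform that reaches the HAVE_UINTXX_T branch, not just HP-UX 11; the typedef was presumably commented out because some systems that provide uint8/16/32_t have no uint64_t, or already define u_int64_t themselves. The "portable" fix the author asks about is a configure probe for uint64_t (and for an existing u_int64_t) and a guard on this one line with the resulting HAVE_ macro, so HP-UX gets the typedef without reintroducing the conflict elsewhere.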
From: jim.drake at ecrc.de (Jim Drake)
Date: Tue, 05 Sep 2000 13:43:41 +0000
Subject: Man pages
References:
Message-ID: <39B4F88D.219F5867@ecrc.de>

These files ending with '.0' appear to be just ascii text files. When I use the "--catman=cat" configure option, these files are installed directly as ascii text files and are therefore not suitable as man pages.

Other applications I have recently installed always seem to have man pages with a format similar to below in the tarball :

.SH NAME
scp2 \- secure copy client
.SH SYNOPSIS
.na
.B scp2

Apologies if this is not the correct place to ask such questions and thanks for the help so far.

Damien Miller wrote:

> On Tue, 5 Sep 2000, Jim Drake wrote:
>
> > There are only minor differences between the '.1' and '.1.out' files.
> >
> > I can display these on redhat linux 6 because there is an appropriate macro
> > to prepend to the file. I can find no such macro on Solaris 2.6. I can find
> > no preformatted manpages in the portable openssh distribution - only the ones
> > above which I can not use! Any help appreciated.
>
> They are there:
>
> [djm at mothra dist]$ tar ztvf openssh-2.2.0p1.tar.gz | grep '\.0$'
> -rw-rw-r-- djm/djm    2591 2000-09-05 14:16:32 openssh-2.2.0p1/scp.0
> -rw-rw-r-- djm/djm    3202 2000-09-05 14:16:32 openssh-2.2.0p1/ssh-add.0
> -rw-rw-r-- djm/djm    4772 2000-09-05 14:16:32 openssh-2.2.0p1/ssh-agent.0
> -rw-rw-r-- djm/djm    6828 2000-09-05 14:16:32 openssh-2.2.0p1/ssh-keygen.0
> -rw-rw-r-- djm/djm   42238 2000-09-05 14:16:33 openssh-2.2.0p1/ssh.0
> -rw-rw-r-- djm/djm   37293 2000-09-05 14:16:33 openssh-2.2.0p1/sshd.0
>
> They can be installed by default using the "--with-catman=cat" configure
> option.
>
> -d
>
> --
> | ``The power of accurate observation is  | Damien Miller
> | commonly called cynicism by those who   | @Work
> | have not got it'' - George Bernard Shaw | http://www.mindrot.org

--
Jim Drake, Haus 3, G 2.OG       Cable & Wireless ECRC
tel: +49 89-9 26 99 224         Landsbergerstr. 155
fax: +49 89-9 26 99 170         D-80687 München
email: jdrake at ecrc.de        Deutschland
http://www.ecrc.de

From: stevesk at sweden.hp.com (Kevin Steves)
Date: Tue, 5 Sep 2000 16:17:37 +0200 (CEST)
Subject: HP-UX contrib files
Message-ID: <200009051413.QAA16477@b0fh.sweden.hp.com>

Attached is a small tar archive with a start of a contrib/hpux/ directory. Right now it has a startup/shutdown script.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: hpux.tar
Type: application/octet-stream
Size: 10240 bytes
Desc:
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000905/42c23a97/attachment.obj
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com)
Date: Tue, 5 Sep 2000 15:49:42 +0100
Subject: [PATCH] Added features for AIX authentication
Message-ID: <80256951.00517911.00@d06mta05.portsmouth.uk.ibm.com>

Please find attached a patch I put together to provide some useful extras using OpenSSH 2.2.0p1 under AIX. I have been forced to write these to allow OpenSSH to conform to our local security policy and to aid our user administration department.

Please note that in testing of this latest release we found "useLogin yes" to be broken again. Since login provides no extra functionality in this environment we have disabled it completely. This change was omitted from this patch.

- Prompts user to change expired password (regardless of authentication method used, but only for interactive sessions). This enforces the system's password policy. E.g.

  $ ssh remotehost
  testing's New password:
  Your new password must have:
    minimum of 1 alphabetic character
    minimum of 1 non-alphabetic character
    minimum of 3 characters not in old password
    maximum of 2 repeated characters
    minimum of 6 characters in length
  Your password failed to meet:
    minimum of 1 alphabetic character
    minimum of 1 non-alphabetic character
    minimum of 6 characters in length
  user at remotehost's password:
  3004-610 You are required to change your password.
  Please choose a new one.
  user's New password:
  Re-enter user's new password:
  $

- Reports why login is denied to users who have successfully authenticated but cannot log in due to security restriction (locked account, no rlogin, logintimes). E.g.

  $ ssh remotehost
  Enter passphrase for RSA key 'user at localhost':
  Received disconnect: There have been too many unsuccessful login attempts; please see the system administrator.

  $ scp test remotehost:test
  testing at localhost's password:
  Received disconnect: You are not allowed to login at this time.
  lost connection

- Increments the failed login count with each failed authentication attempt (to match AIX login's behaviour). Previous behaviour was to increment once after AUTH_FAIL_MAX attempts. Our policy is 5 strikes -- the previous behaviour gave 25.

I have tested these with the OpenSSH client and SecureCRT v3.1. They don't attempt to extend the SSH protocols -- they work within established sessions.

(See attached file: aix_changes.patch)

Best wishes,

--------------------------------------------------------
Doug Manton, AT&T EMEA Firewall and Security Solutions
demanton at att.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: aix_changes.patch
Type: application/octet-stream
Size: 6073 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000905/42015690/attachment.obj
From: vinschen at cygnus.com (Corinna Vinschen)
Date: Tue, 05 Sep 2000 18:35:19 +0200
Subject: [PATCH]: Cygwin port of 2.2.0p1
References:
Message-ID: <39B520C7.95A35857@cygnus.com>

Damien Miller wrote:

> --- There are lots of cases where uid/euid == 0 checks are disabled.
> I assume because Win does not share Unix's root metaphor. Is this
> correct?

This is correct. NT/W2K has lots of special "user rights". Those user rights can be given to any single user or group of users explicitly. So, to be a member of the special group "administrators" does only have a meaning after installation.

> If so, there should be some replacement check to prevent non admin users
> from doing things like setting up port forwards for ports < 1024, etc.

That's impossible. Windows doesn't check that you are some sort of special user which has the right to use ports < 1024. Everyone may use those ports. As mentioned above the membership in a user group doesn't mean much. To make things worse, think of W95/W98 which doesn't know of the concept of different users either.

> --- In auth1.c you have:
>
> /*
>  * The only authentication which is able to change the user
>  * context on NT systems is the password authentication. So
>  * we deny all requsts for changing the user context if another
>  * authentication method is used.
>  * This may change in future when a special openssh
>  * subauthentication package is available.
>  */
>
> Does this mean the only way to change Window's equivalent of uid is with
> a valid password?

Yes. Without special authentication packages you have no chance to change the user context without knowing the NT password of that user.

> The code adjacent to the above comment looks like it will disable
> authentication modes other than password, correct?

No. It doesn't disable other authentications at all. It only disables non-password authentication _if_ ssh is running in NT/W2K (not 9X/ME) and _if_ the user running the process is different from the user trying to login. So you can run sshd under your own account to login with non-password authentication, nevertheless. But _if_ you want to change user context (your uid != sshd uid) you are only able to do that with password auth in NT/W2K. That's what the check is for.

As I mentioned this may change in future. It's not easy to write authentication packages for NT/W2K since the documentation is, uhm, more or less nonexistent and you need special header files which aren't part of the standard MS development environment. However, I'm investigating.

> I can't see anything similar done for protocol v2 though.

You don't see that for v2? Wait, just looking through the code...

[time passes]

You're right. Patch related to openssh-SNAP-20000905 attached.

> ---- Also in auth1.c:
>
> /*
>  * check owner and modes.
>  * This won't work on Windows under all circumstances so we drop
>  * that check for now.
>  */
>
> How does it fail? I don't want to _remove_ security checks.

FAT filesystems don't support those modes. NTFS does support those modes but NTFS is very complex in that it doesn't support UNIX modes but access control lists. I have written a security module for Cygwin called "ntsec" which allows a mapping between POSIX and NTFS permissions but it's the user's choice to use it and it's inside of the Cygwin subsystem so I can't rely on that nor can I change the setting from inside a running application. I didn't want to flood the OpenSSH code with special Win32 code for checking file systems and getting/setting access control lists.

Hmmm, I _could_ check for the setting of "ntsec" and, if it's set, keep the aforementioned security check active....

[more time passes]

Ok. It's also in the attached patch. A bit more than I thought but it's well commented (cygwin_util.c function `check_ntsec').

> --- In session.c you copy the parent's whole environment to the child.
> Is there any way to limit this to specific variables, or (better still)
> initialise them from scratch?

Hmmmm. Windows uses dozens of special env vars. I _could_ figure out which one to use and which one to drop but it wouldn't make the code really nicer... However, I will note that for a later patch.

> I have made a snapshot with your changes merged + a couple of others
> picked up over the last few days.
>
> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000905.tar.gz
>
> -d

Thanks :)

Now to the attached patch. I have created a new function `check_nt_auth' in cygwin_util.c which is called from auth1.c and auth2.c. I would like to put the `packet_disconnect' call into cygwin_util.c as well but unfortunately this requires changing ssh-add.c so that `int IPv4orv6' is defined :-(

The new function `check_ntsec' checks if a later file security check makes sense.

In `binary_pipe' I forgot a `return' statement.

ChangeLog:
==========

- auth1.c: Change check for password authentication under Windows NT/W2K. Call `check_nt_auth' now.
- auth2.c: Add check for password authentication under Windows NT/W2K by calling `check_nt_auth'.
- authfile.c: Change checking file permissions for Cygwin by calling `check_ntsec' now.
- cygwin_util.c: New function check_nt_auth(). New function check_ntsec(). Add missing return statement in binary_pipe().

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                  mailto:cygwin at sources.redhat.com
Red Hat, Inc.                     mailto:vinschen at cygnus.com

-------------- next part --------------
Index: auth1.c =================================================================== RCS file: /src/cvsroot//openssh-20000905/auth1.c,v retrieving revision 1.1.1.1 diff -u -p -r1.1.1.1 auth1.c --- auth1.c 2000/09/05 11:23:12 1.1.1.1 +++ auth1.c 2000/09/05 12:45:59 @@ -23,11 +23,6 @@ RCSID("$OpenBSD: auth1.c,v 1.3 2000/08/2 # include #endif -#ifdef HAVE_CYGWIN -#include -#define is_winnt (GetVersion() < 0x80000000) -#endif - /* import */ extern ServerOptions options; extern char *forced_command;
@@ -377,16 +372,8 @@ do_authloop(struct passwd * pw) } #ifdef HAVE_CYGWIN - /* - * The only authentication which is able to change the user - * context on NT systems is the password authentication. So - * we deny all requsts for changing the user context if another - * authentication method is used. - * This may change in future when a special openssh - * subauthentication package is available. - */ - if (is_winnt && type != SSH_CMSG_AUTH_PASSWORD && - authenticated && geteuid() != pw->pw_uid) { + if (authenticated && + !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,pw->pw_uid)) { packet_disconnect("Authentication rejected for uid %d.", (int) pw->pw_uid); authenticated = 0; Index: auth2.c =================================================================== RCS file: /src/cvsroot//openssh-20000905/auth2.c,v retrieving revision 1.1.1.1 diff -u -p -r1.1.1.1 auth2.c --- auth2.c 2000/09/05 11:23:12 1.1.1.1 +++ auth2.c 2000/09/05 12:45:29 @@ -186,6 +186,15 @@ input_userauth_request(int type, int ple authenticated = ssh2_auth_pubkey(pw, service); } } + +#ifdef HAVE_CYGWIN + if (authenticated && !check_nt_auth(strcmp(method, "password") == 0, pw->pw_uid)) { + packet_disconnect("Authentication rejected for uid %d.", + (int) pw->pw_uid); + authenticated = 0; + } +#endif + if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) { authenticated = 0; log("ROOT LOGIN REFUSED FROM %.200s", @@ -193,8 +202,8 @@ input_userauth_request(int type, int ple } #ifdef USE_PAM - if (authenticated && !do_pam_account(pw->pw_name, NULL)) - authenticated = 0; + if (authenticated && !do_pam_account(pw->pw_name, NULL)) + authenticated = 0; #endif /* USE_PAM */ /* Raise logging level */ Index: authfile.c =================================================================== RCS file: /src/cvsroot//openssh-20000905/authfile.c,v retrieving revision 1.1.1.1 diff -u -p -r1.1.1.1 authfile.c --- authfile.c 2000/09/05 11:23:12 1.1.1.1 +++ authfile.c 2000/09/05 15:22:08 
@@ -457,12 +457,10 @@ load_private_key(const char *filename, c if (fd < 0) return 0; -#ifndef HAVE_CYGWIN - /* - * check owner and modes. - * This won't work on Windows under all circumstances so we drop - * that check for now. - */ + /* check owner and modes. */ +#ifdef HAVE_CYGWIN + if (check_ntsec(filename)) +#endif if (fstat(fd, &st) < 0 || (st.st_uid != 0 && st.st_uid != getuid()) || (st.st_mode & 077) != 0) { @@ -475,7 +473,6 @@ load_private_key(const char *filename, c error("It is recommended that your private key files are NOT accessible by others."); return 0; } -#endif switch (key->type) { case KEY_RSA: if (key->rsa->e != NULL) { Index: cygwin_util.c =================================================================== RCS file: /src/cvsroot//openssh-20000905/cygwin_util.c,v retrieving revision 1.1.1.1 diff -u -p -r1.1.1.1 cygwin_util.c --- cygwin_util.c 2000/09/05 11:23:14 1.1.1.1 +++ cygwin_util.c 2000/09/05 16:20:09 @@ -18,6 +18,10 @@ #ifdef HAVE_CYGWIN #include #include +#include +#include +#include +#define is_winnt (GetVersion() < 0x80000000) int binary_open(const char *filename, int flags, mode_t mode) { 
@@ -31,5 +35,67 @@ int binary_pipe(int fd[2]) setmode (fd[0], O_BINARY); setmode (fd[1], O_BINARY); } + return ret; +} + +int check_nt_auth (int pwd_authenticated, uid_t uid) +{ + /* + * The only authentication which is able to change the user + * context on NT systems is the password authentication. So + * we deny all requsts for changing the user context if another + * authentication method is used. + * This may change in future when a special openssh + * subauthentication package is available. + */ + if (is_winnt && !pwd_authenticated && geteuid() != uid) + return 0; + return 1; +} + +int check_ntsec (const char *filename) +{ + char *cygwin; + int allow_ntea = 0; + int allow_ntsec = 0; + struct statfs fsstat; + + /* Windows 95/98/ME don't support file system security at all. */ + if (!is_winnt) + return 0; + + /* Evaluate current CYGWIN settings. */ + if ((cygwin = getenv("CYGWIN")) != NULL) { + if (strstr(cygwin, "ntea") && !strstr(cygwin, "nontea")) + allow_ntea = 1; + if (strstr(cygwin, "ntsec") && !strstr(cygwin, "nontsec")) + allow_ntsec = 1; + } + + /* + * `ntea' is an emulation of POSIX attributes. It doesn't support + * real file level security as ntsec on NTFS file systems does + * but it supports FAT filesystems. `ntea' is minimum requirement + * for security checks. + */ + if (allow_ntea) + return 1; + + /* + * Retrieve file system flags. In Cygwin, file system flags are + * copied to f_type which has no meaning in Win32 itself. + */ + if (statfs(filename, &fsstat)) + return 1; + + /* + * Only file systems supporting ACLs are able to set permissions. + * `ntsec' is the setting in Cygwin which switches using of NTFS + * ACLs to support POSIX permissions on files. + */ + if (fsstat.f_type & FS_PERSISTENT_ACLS) + return allow_ntsec; + + return 0; } #endif From charles at comm.polymtl.ca Wed Sep 6 03:50:44 2000 
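Review bot: check_nt_auth() is called from auth1.c in the -377 hunk without any visible prototype once the -23 hunk removes this file's Cygwin `#include` and `is_winnt` block; with no declaration the call compiles as an implicit `int check_nt_auth()` with no argument checking (the second argument is a `uid_t`). Add a prototype, either in a small cygwin_util.h included under HAVE_CYGWIN or next to the other `extern` declarations at the top of auth1.c.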
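Review bot: in the auth1.c -377 hunk the `authenticated = 0;` after packet_disconnect() is unreachable, because packet_disconnect() sends the disconnect message and exits. Either drop the dead assignment, or, if the intent is to let the client fall back to password authentication within the same connection, replace the disconnect with a log() call plus `authenticated = 0` so do_authloop() continues. Also `SSH_CMSG_AUTH_PASSWORD,pw->pw_uid` wants a space after the comma to match the surrounding style.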
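Review bot: same dead-code point in the auth2.c -186 hunk: packet_disconnect() never returns, so the `authenticated = 0;` under it does nothing. The added `if` line also runs well past 80 columns; wrap it like the neighbouring code. Placing this block before the `permit_root_login` test is fine, since both refuse the login.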
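Review bot: the auth2.c -193 hunk is a whitespace-only change to the two USE_PAM lines and has nothing to do with the Cygwin work; drop it so the diff stays minimal and the PAM lines keep their existing indentation.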
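Review bot: the authfile.c -457 hunk leaves `if (check_ntsec(filename))` dangling inside `#ifdef HAVE_CYGWIN`, with the following `if (fstat(fd, &st) < 0 || ...) { ... }` as its body. That compiles, but the coupling is invisible in the non-Cygwin build, and anyone later inserting a statement between the two `if`s would silently change what is guarded. A local `int check_perms = 1;`, assigned from check_ntsec(filename) under HAVE_CYGWIN, and `if (check_perms && (fstat(fd, &st) < 0 || ...))` keeps one statement and makes the condition explicit. With the `#endif` at -475 gone as well, the error() block now runs on Cygwin, which is what was asked for.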
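Review bot: in check_ntsec() in the cygwin_util.c -31 hunk, every `return 0` means "skip the owner/mode check on this key file", and on NTFS that happens silently whenever `ntsec` is not set in CYGWIN. Log at debug level when the check is skipped so the downgrade is visible to the user, and add a comment that the `statfs()` failure path deliberately returns 1 (check performed, fail closed), so nobody "fixes" it later. The `strstr()` tests also match substrings anywhere in CYGWIN, so `nontsec` is only excluded by the second strstr; tokenising the space-separated options would be more robust than two substring searches per option.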
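The owner/mode rule this exchange is about (the fstat() block in load_private_key(), which the patch above makes conditional on check_ntsec()), pulled out as a stand-alone C function with a small self-test helper. This is an added example, not code from the OpenSSH tree or from the patch; the function names, the status enum and the /tmp scratch-file template are assumptions.

```c
/*
 * Added example (not from OpenSSH or from the Cygwin patch above): the
 * private-key owner/mode check as a stand-alone function, plus a helper
 * that creates a scratch file with a chosen mode and runs the check on it.
 * Names, the enum and the /tmp template are assumptions made here.
 */
#define _XOPEN_SOURCE 700
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum keyfile_status {
    KEYFILE_OK = 0,        /* owned by root or the caller, no group/other bits */
    KEYFILE_STAT_FAILED,   /* fstat() failed: refuse the key (fail closed) */
    KEYFILE_BAD_OWNER,     /* owned by some other user */
    KEYFILE_BAD_MODE       /* readable or writable by group or others */
};

/*
 * Same rule as the fstat() block in authfile.c: the file must be owned by
 * root (uid 0) or by `me`, and none of the group/other bits (077) may be set.
 * Checking the already-open descriptor, not the path, means the file that
 * is checked is the file that will be read.
 */
enum keyfile_status check_private_key_perms(int fd, uid_t me)
{
    struct stat st;

    if (fstat(fd, &st) < 0)
        return KEYFILE_STAT_FAILED;
    if (st.st_uid != 0 && st.st_uid != me)
        return KEYFILE_BAD_OWNER;
    if ((st.st_mode & 077) != 0)
        return KEYFILE_BAD_MODE;
    return KEYFILE_OK;
}

/*
 * Self-test helper: mkstemp() creates the scratch file 0600; force the
 * requested mode on it, run the check as the current user, then remove it.
 */
enum keyfile_status check_scratch_file_with_mode(mode_t mode)
{
    char path[] = "/tmp/keyperm-XXXXXX";  /* constructed scratch name */
    int fd = mkstemp(path);
    enum keyfile_status r;

    if (fd < 0)
        return KEYFILE_STAT_FAILED;
    if (fchmod(fd, mode) < 0) {
        close(fd);
        unlink(path);
        return KEYFILE_STAT_FAILED;
    }
    r = check_private_key_perms(fd, getuid());
    close(fd);
    unlink(path);
    return r;
}

/* A closed descriptor makes fstat() fail; that must refuse the key, not allow it. */
enum keyfile_status check_closed_descriptor(void)
{
    return check_private_key_perms(-1, getuid());
}
```

The Cygwin discussion above is about when this check is meaningful at all: on a filesystem with no ownership or mode semantics the result is not trustworthy, which is what check_ntsec() decides before the check runs.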
From: charles at comm.polymtl.ca (Charles Levert)
Date: Tue, 5 Sep 2000 12:50:44 -0400
Subject: [2.2.0p1] patch: generic detection of correct getpgrp() invocation
Message-ID: <200009051650.MAA01317@faucon.comm.polymtl.ca>

Hi.

Several OSes have a getpgrp() function that takes an argument, unlike what POSIX mandates. NeXT was covered, but SunOS wasn't. This provides a generic solution through autoconf.

Charles

======================================================================== --- configure.in.orig-2.2.0p1 Wed Aug 30 18:20:05 2000 +++ configure.in Tue Sep 5 10:48:20 2000 @@ -284,6 +284,8 @@ ) fi +AC_FUNC_GETPGRP + PAM_MSG="no" AC_ARG_WITH(pam, [ --without-pam Disable PAM support ], --- config.h.in.orig-2.2.0p1 Fri Sep 1 19:08:44 2000 +++ config.h.in Tue Sep 5 11:01:57 2000 @@ -46,6 +46,9 @@ /* Define if your snprintf is busted */ #undef BROKEN_SNPRINTF +/* Define if getpgrp takes no argument */ +#undef GETPGRP_VOID + /* Define if you are on NeXT */ #undef HAVE_NEXT --- defines.h.orig-2.2.0p1 Mon Aug 28 20:33:51 2000 +++ defines.h Tue Sep 5 11:31:36 2000 @@ -322,6 +322,10 @@ # define atexit(a) on_exit(a) #endif /* !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT) */ +#ifndef GETPGRP_VOID +# define getpgrp() getpgrp(0) +#endif + /** ** login recorder definitions **/ --- next-posix.h.orig-2.2.0p1 Tue Aug 29 19:11:30 2000 +++ next-posix.h Tue Sep 5 11:11:08 2000 @@ -44,7 +44,6 @@ /* MISC functions */ int waitpid(int pid,int *stat_loc,int options); -#define getpgrp() getpgrp(0) pid_t setsid(void); /* TC */ ========================================================================
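Review bot: the defines.h -322 hunk defines `getpgrp()` as a function-like macro expanding to `getpgrp(0)`, which is only safe if it is seen after every system header that declares getpgrp: if `<unistd.h>` is included later and declares `pid_t getpgrp(int);`, the preprocessor tries to expand `getpgrp(int)` with one argument against a zero-parameter macro and the build fails. Check the include order in defines.h (the next-posix.h define it replaces lived in a file included after the system headers), or move the macro into the compat source that needs it. It is also worth confirming what AC_FUNC_GETPGRP does when cross-compiling, since it relies on a run test rather than a compile test.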
From: mouring at pconline.com (Ben Lindstrom)
Date: Tue, 5 Sep 2000 12:49:31 -0500 (CDT)
Subject: [2.2.0p1] patch: generic detection of correct getpgrp() invocation
In-Reply-To: <200009051650.MAA01317@faucon.comm.polymtl.ca>
Message-ID:

Is there anything else from next-posix.[ch] that the SunOS folks need? I've pretty much decided that except for maybe waitpid() that the rest of it will pretty much stay in next-posix.[ch] until another platform needs it. (Like Sony NEWS.. I assume that it's still not working right. Wish I could help, but without a NEWS machine in front of me I'm not sure what else to look at)

Ben

On Tue, 5 Sep 2000, Charles Levert wrote:

> Hi.
>
> Several OSes have a getpgrp() function that takes an argument, unlike
> what POSIX mandates. NeXT was covered, but SunOS wasn't. This
> provides a generic solution through autoconf.
>
>
> Charles
>
>
> ======================================================================== > --- configure.in.orig-2.2.0p1 Wed Aug 30 18:20:05 2000 > +++ configure.in Tue Sep 5 10:48:20 2000 > @@ -284,6 +284,8 @@ > ) > fi > > +AC_FUNC_GETPGRP > + > PAM_MSG="no" > AC_ARG_WITH(pam, > [ --without-pam Disable PAM support ], > --- config.h.in.orig-2.2.0p1 Fri Sep 1 19:08:44 2000 > +++ config.h.in Tue Sep 5 11:01:57 2000 > @@ -46,6 +46,9 @@ > /* Define if your snprintf is busted */ > #undef BROKEN_SNPRINTF > > +/* Define if getpgrp takes no argument */ > +#undef GETPGRP_VOID > + > /* Define if you are on NeXT */ > #undef HAVE_NEXT > > --- defines.h.orig-2.2.0p1 Mon Aug 28 20:33:51 2000 > +++ defines.h Tue Sep 5 11:31:36 2000 > @@ -322,6 +322,10 @@ > # define atexit(a) on_exit(a) > #endif /* !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT) */ > > +#ifndef GETPGRP_VOID > +# define getpgrp() getpgrp(0) > +#endif > + > /** > ** login recorder definitions > **/ > --- next-posix.h.orig-2.2.0p1 Tue Aug 29 19:11:30 2000 > +++ next-posix.h Tue Sep 5 11:11:08 2000 > @@ -44,7 +44,6 @@ > > /* MISC functions */ > int waitpid(int pid,int *stat_loc,int options); > -#define getpgrp() getpgrp(0) > pid_t setsid(void); > > /* TC */ > ======================================================================== >

From: mwolinski at MimEcom.com (Matt Wolinski)
Date: Tue, 5 Sep 2000 10:55:28 -0700
Subject: No controlling tty. Cannot read passphrase
Message-ID: <3A97CCB5D8F28949A0AE89287B1AFBFD14FE99@sfomail01.mimecom.com>

Hello,

I have installed openssh (2.1.1p4) and openssl (0.9.5a) on a Solaris 7 sparc box. When I try to use scp this is the error I am getting:

You have no controlling tty. Cannot read passphrase.
lost connection.

I have read that this could be a permissions problem with /dev/tty. But my system looks different than any of the examples. Here is what I'm seeing:

$ ls -l /dev/tty
lrwxrwxrwx 1 root other 26 Aug 23 15:38 /dev/tty -> ../devices/pseudo/sy at 0:tty
$ ls -l /devices/pseudo/sy at 0:tty
crw-rw-rw 1 root tty 22, 0 Sep 5 10:43 /devices/pseudo/sy at 0:tty

In the examples I read about, they did not show /dev/tty as a symlink. Please let me know what you think.

Thanks,

Matt
________________________________
Matt Wolinski
Application Developer - MimEcom Corp.
mwolinski at mimecom.com
From: qralston+ml.openssh-unix-dev at andrew.cmu.edu (James Ralston)
Date: Tue, 5 Sep 2000 15:57:20 -0400 (EDT)
Subject: ssh-askpass and ssh/scp: is this behavior intentional?
Message-ID:

Okay, I'm asking this again.

As of 2.2.0p1, the *only* program that knows how to invoke ssh-askpass is ssh-add. Not ssh itself, nor scp understand how to invoke ssh-askpass. This is a direct contrast to ssh-1.2.27, in which all clients know how to invoke ssh-askpass.

My question: is the limitation that only ssh-add knows how to invoke ssh-askpass intentional (i.e., a deliberate design decision)? If so, why?

If it is *not* intentional, then I am going to patch ssh and scp to understand how to invoke ssh-askpass, as I routinely have to login to machines for which I *must* fall back to password authentication. (Meaning, they will refuse my RSA/DSA key no matter what I do.)

If the limitation *is* intentional, though, I'd like to obtain a better understanding as to why, before I decide whether I want to patch ssh and scp anyway.

Thanks,

James

From: djm at mindrot.org (Damien Miller)
Date: Wed, 6 Sep 2000 09:22:24 +1100 (EST)
Subject: Man pages
In-Reply-To: <39B4F88D.219F5867@ecrc.de>
Message-ID:

On Tue, 5 Sep 2000, Jim Drake wrote:

> These files ending with '.0' appear to be just ascii text files. When
> I use the "--catman=cat" configure option, these files are installed
> directly as ascii text files and are therefore not suitable as man
> pages.

What do you mean 'not suitable'? man seems to display preformatted pages OK for me.

-d

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org
From: charles at comm.polymtl.ca (Charles Levert)
Date: Tue, 5 Sep 2000 21:54:30 -0400
Subject: [2.2.0p1] patch: generic detection of correct getpgrp() invocation
Message-ID: <200009060154.VAA01566@faucon.comm.polymtl.ca>

> Is there anything else from next-posix.[ch] that the SunOS folks need?
> I've pretty much decided that except for maybe waitpid() that the rest
> of it will pretty much stay in next-posix.[ch] until another platform
> needs it. (Like Sony NEWS.. I assume that it's still not working
> right. Wish I could help, but without a NEWS machine infront of me
> I'm not sure what else to look at)

In the spare minutes I use to play with free software, I'll try to look at each of the items in next-posix.[ch] to see if they can be applied to SunOS or better yet, generalized through autoconf. So don't worry if I don't deliver right away or all at once...

Charles
From: bit at eltech.ru (Andrew Zabolotny)
Date: Wed, 06 Sep 2000 10:55:19 +0400 (MSD)
Subject: [PATCH]: Cygwin port of 2.2.0p1
In-Reply-To: <39B520C7.95A35857@cygnus.com>
Message-ID: <200009060651.KAA12412@post.eltech.ru>

On Tue, 05 Sep 2000 18:35:19 +0200, Corinna Vinschen wrote:

>> If so, there should be some replacement check to prevent non admin users
>> from doing things like setting up port forwards for ports < 1024, etc.
>That's impossible. Windows doesn't check that you are some sort
>of special user which has the right to use ports < 1024. Everyone
>may use that ports. As mentioned above the membership in a user
>group doesn't mean much. To get things worse, think of W95/W98
>which doesn't know of the concept of different users either.

This can be solved by defining a macro like this:

#ifndef USER_IS_ROOT
#define USER_IS_ROOT(name,uid) (uid == 0)
#endif

and in respective system-dependent header files to define something like this:

#define USER_IS_ROOT(name,uid) w32_user_is_root(name)
extern int w32_user_is_root(char *name);

This approach also has the plus that it does not need to be implemented immediately for win32, it is just an outlet to which you can later connect any code (for any other platform).

>> Does this mean the only way to change Window's equivalent of uid is with
>> a valid password?
>Yes. Without special authentication packages you have no chance
>to change the user context without knowing the NT password of that
>user.

Well, if you have administrator rights this should be possible, but maybe is not straightforward. Something like "change user's password to empty, login with empty password, change password back" should be definitely possible. But this is kinda clumsy and results in a race condition. There could be other ways to do that.

Greetings,
_\ndy at teamOS/2
From: vinschen at cygnus.com (Corinna Vinschen)
Date: Wed, 06 Sep 2000 12:48:07 +0200
Subject: [PATCH]: Cygwin port of 2.2.0p1
References: <200009060651.KAA12412@post.eltech.ru>
Message-ID: <39B620E7.79C8CE79@cygnus.com>

Andrew Zabolotny wrote:

> On Tue, 05 Sep 2000 18:35:19 +0200, Corinna Vinschen wrote:
> >That's impossible. Windows doesn't check that you are some sort
> >of special user which has the right to use ports < 1024. Everyone
> >may use that ports. As mentioned above the membership in a user
> >group doesn't mean much. To get things worse, think of W95/W98
> >which doesn't know of the concept of different users either.
>
> This can be solved by defining a macro like this:
>
> #ifndef USER_IS_ROOT
> #define USER_IS_ROOT(name,uid) (uid == 0)
> #endif
>
> and in respective system-dependent header files to define something like this:
>
> #define USER_IS_ROOT(name,uid) w32_user_is_root(name)
> extern int w32_user_is_root(char *name);
>
> This approach also have the plus that it does not need to be implemented
> immediately for win32, it is just a outlet to which you can later connect any
> code (for any other platform).

This would have the disadvantage that each request for uid 0 (25 source lines or so) has to be changed but it would be ok with me. The first implementation of w32_user_is_root() would always return TRUE (at least for 9X/ME).

> >Yes. Without special authentication packages you have no chance
> >to change the user context without knowing the NT password of that
> >user.
> Well, if you have administrator rights this should be possible, but maybe is
> not straightforward. Something like "change user's password to empty, login
> with empty password, change password back" should be definitely possible. But
> this is kinda clumsy and results in a race condition. There could be other ways
> to do that.

There have to be other ways to do that since the above isn't possible.

- Administrators (it's a group of users, not a user) is a local group. It has _no_ permissions to change the security database of the domain controller if they are not (by chance) member of the domain admins.

- Nobody has access to users' passwords, neither cleartext nor hashed, as long as it isn't a process running as LSA authentication package which is running in a very special environment in kernel context and which has to be a special shared library.

- The password you used for login is saved in your login credentials and they are used for your access to SMB shares. If you haven't used the correct user's password, you have no access to those shares.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                  mailto:cygwin at sources.redhat.com
Red Hat, Inc.                     mailto:vinschen at cygnus.com

From: djm at mindrot.org (Damien Miller)
Date: Wed, 6 Sep 2000 21:55:32 +1100 (EST)
Subject: List address
Message-ID:

I have noticed some people have been posting to "openssh-unix-dev-list at mindrot.org". The correct address is "openssh-unix-dev at mindrot.org".

Posting to the "-list" address is now disabled as it broke some of the mailing list checks.

-d

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org
From: vinschen at cygnus.com (Corinna Vinschen)
Date: Wed, 06 Sep 2000 13:24:41 +0200
Subject: [PATCH]: Cygwin port of 2.2.0p1
References: <200009060651.KAA12412@post.eltech.ru>
Message-ID: <39B62979.13405E54@cygnus.com>

Andrew Zabolotny wrote:
> On Tue, 05 Sep 2000 18:35:19 +0200, Corinna Vinschen wrote:
> >That's impossible. Windows doesn't check that you are some sort
> >of special user which has the right to use ports < 1024. Everyone
> >may use those ports. As mentioned above the membership in a user
> >group doesn't mean much. To make things worse, think of W95/W98
> >which doesn't know of the concept of different users either.
>
> This can be solved by defining a macro like this:
>
> #ifndef USER_IS_ROOT
> #define USER_IS_ROOT(name,uid) (uid == 0)
> #endif
>
> and in respective system-dependent header files to define something like this:
>
> #define USER_IS_ROOT(name,uid) w32_user_is_root(name)
> extern int w32_user_is_root(char *name);
>
> This approach also has the plus that it does not need to be implemented
> immediately for win32; it is just an outlet to which you can later connect any
> code (for any other platform).

This would have the disadvantage that each request for uid 0 (25 source
lines or so) has to be changed, but it would be ok with me. The first
implementation of w32_user_is_root() would always return TRUE (at least
for 9X/ME).

> >Yes. Without special authentication packages you have no chance
> >to change the user context without knowing the NT password of that
> >user.
> Well, if you have administrator rights this should be possible, but maybe it is
> not straightforward. Something like "change user's password to empty, login
> with empty password, change password back" should definitely be possible. But
> this is kinda clumsy and results in a race condition. There could be other ways
> to do that.

There have to be other ways to do that since the above isn't possible.

- Administrators (it's a group of users, not a user) is a local group.
  It has _no_ permissions to change the security database of the domain
  controller if they are not (by chance) members of the domain admins.

- Nobody has access to users' passwords, neither cleartext nor hashed,
  as long as it isn't a process running as LSA authentication package,
  which is running in a very special environment in kernel context and
  which has to be a special shared library.

- The password you used for login is saved in your login credentials and
  they are used for your access to SMB shares. If you haven't used the
  correct user's password, you have no access to those shares.

Corinna

--
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                  mailto:cygwin at sources.redhat.com
Red Hat, Inc.
mailto:vinschen at cygnus.com

From Stephan.Hendl at lds.brandenburg.de Thu Sep 7 01:34:54 2000
From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl)
Date: Wed, 06 Sep 2000 16:34:54 +0200
Subject: openssh 2.2.0p1 and finger
Message-ID:

Hi all,

I just installed OpenSSH 2.2.0p1 on a HPUX-11 machine and it works.
But when I connect to the machine and give the "finger -R" command,
then in the "Where" column I see the hostname of the openssh-server
instead of the hostname where I came from.

Does anybody have an idea?

Thanks
Stephan

--
LDS Brandenburg
Dr. Stephan Hendl
fon: +49-(0)331-39 471
fax: +49-(0)331-27548 1187
EMail: stephan.hendl at lds.brandenburg.de

From stevesk at sweden.hp.com Thu Sep 7 05:09:26 2000
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Wed, 6 Sep 2000 20:09:26 +0200 (CEST)
Subject: openssh 2.2.0p1 and finger
In-Reply-To:
Message-ID: <200009061804.UAA25307@b0fh.sweden.hp.com>

On Wed, 6 Sep 2000, Stephan Hendl wrote:
: I just installed OpenSSH 2.2.0p1 on a HPUX-11 machine and it works.
: But when I connect to the machine and give the "finger -R" command,
: then in the "Where" column I see the hostname of the openssh-server
: instead of the hostname where I came from.
:
: Does anybody have an idea?

This is my analysis, having not looked much at loginrec.c before:

finger -R is looking at ut_addr in the utmp struct for Where. HP-UX 11.0
has both utmp and utmpx and by default we use the library interface to
write utmp* entries. The problem is that both are used: first
pututline(), then pututxline(). We should use one *or* the other, because
pututxline() overwrites pututline() data:

pututline()
    Writes out the supplied utmp structure into the utmp file,
    translates the supplied utmp structure into a utmpx structure and
    writes it to a utmpx file.

pututxline()
    Writes out the supplied utmpx structure into the utmpx file,
    translates the supplied utmpx structure into a utmp structure and
    writes it to a utmp file.

What you see results from the fact that ut_addr isn't set for utmpx data:

# ifdef HAVE_ADDR_IN_UTMPX
    /* FIXME: (ATL) not supported yet */
# endif

If you build with

#define DISABLE_UTMPX

finger -R works as expected. However, I think we should use utmpx (longer
host names for one), and it's just a question of when everything is
supported. So the best fix I feel is to define DISABLE_UTMP for 11.0 (and
maybe 10.20, though I'm not using that myself) and finish up utmpx support
in loginrec.

Also, HAVE_ENDUTENT and HAVE_ENDUTXENT are not set in configure; should
they be?

From kromJx at crosswinds.net Thu Sep 7 00:31:20 2000
From: kromJx at crosswinds.net (kromJx)
Date: Wed, 6 Sep 2000 13:31:20 +0000
Subject: 2.1.1p4: sessions automatically closed, if sshd is run from inetd
Message-ID: <20000906181145.11085@evelyn.betatech.gr>

Hi all,

I have noticed a problem with the newly released version 2.1.1p4 (as well
as with 2.1.1p3): if sshd is run from inetd, all interactive sessions are
automatically closed right after (successful) login. The problem
disappears if sshd is run from the command line (i.e. no -i option) and
did not exist in 2.1.1p2. This was noticed on a linux x86 box.

I have appended a typescript of the session (which was started with
'ssh -v localhost'), as well as the respective logged messages.

Is this a known bug or am I just missing something? Are there any
workarounds? Any help is appreciated.

- J

PS. Keep up the good work all of you guys.

-------------- next part --------------
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /home/s/.ssh/config
debug: Applying options for *
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 101 geteuid 0 anon 1
debug: Connecting to localhost [127.0.0.1] port 22.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version OpenSSH_2.1.1
debug: Local version string SSH-1.5-OpenSSH_2.1.1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Forcing accepting of host key for loopback/localhost.
debug: Seeding random number generator
debug: Encryption type: blowfish
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying RSA authentication with key 'identity_1024'
debug: Received RSA challenge from server.
debug: Sending response to host key RSA challenge.
debug: Remote: RSA authentication accepted.
debug: RSA authentication accepted by server.
debug: Requesting pty.
debug: Requesting shell.
debug: Entering interactive session.
Last login: Wed Sep  6 16:08:18 2000 from localhost
Welcome to ThisCompanny, Inc. !

Environment:
  USER=a_user
  LOGNAME=a_user
  HOME=/home/a_user
  PATH=/usr/bin:/bin
  MAIL=/var/spool/mail/a_user
  SHELL=/bin/bash
  SSH_CLIENT=127.0.0.1 1157 22
  SSH_TTY=/dev/pts/0
  TERM=linux
Connection to localhost closed.
debug: Transferred: stdin 0, stdout 297, stderr 33 bytes in 0.1 seconds
debug: Bytes per second: stdin 0.0, stdout 4280.2, stderr 475.6
debug: Exit status 0
-------------- next part --------------
Sep  6 16:08:28 evelyn sshd[9571]: Generating 768 bit RSA key.
Sep  6 16:08:29 evelyn sshd[9571]: RSA key generation complete.
Sep  6 16:08:29 evelyn sshd[9571]: Connection from 127.0.0.1 port 1157
Sep  6 16:08:29 evelyn sshd[9571]: Accepted rsa for a_user from 127.0.0.1 port 1157
Sep  6 16:08:29 evelyn PAM_pwdb[9571]: (sshd) session opened for user a_user by (uid=0)
Sep  6 16:08:30 evelyn sshd[9571]: syslogin_perform_logout: logout() returned an error
Sep  6 16:08:30 evelyn sshd[9571]: Closing connection to 127.0.0.1
Sep  6 16:08:30 evelyn PAM_pwdb[9571]: (sshd) session closed for user a_user

From stevesk at sweden.hp.com Thu Sep 7 06:05:10 2000
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Wed, 6 Sep 2000 21:05:10 +0200 (CEST)
Subject: sftp
In-Reply-To:
Message-ID: <200009061900.VAA05289@b0fh.sweden.hp.com>

On Fri, 1 Sep 2000, Damien Miller wrote:
: It wont be in the release later today, but it will be followed with a
: snapshot pretty quickly with sftp, better PAM and a few other patches
: which have accrued in the last week.

I'm curious about the PAM changes coming. I'm taking a closer look at the
workings of PAM on HP-UX 11 and one thing that's missing is the ability
to change an expired password.

From wth at gt.pl Thu Sep 7 20:03:01 2000
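The sshd and PAM_pwdb syslog lines that kromJx posted in the 2.1.1p4 inetd report above are the kind of evidence a log monitor can correlate: a PAM session that is closed a second after it opened, together with a logout() error from the same sshd child, is exactly the symptom described. The detector below is an added example, not code from the thread or from OpenSSH; it embeds the posted log lines plus one constructed normal-length session as a control, and the function names, the 2-second threshold and the pid-based correlation are assumptions of the example.

```c
/* Added example (not from the post or from OpenSSH): correlate PAM session
 * open/close lines by sshd child pid and flag sessions that close almost
 * immediately after opening. Lines 1-6 of SAMPLE_LOG are taken from the
 * post; the "bob" session is constructed as a normal-length control. */
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 16
#define SHORT_SESSION_SECONDS 2   /* closed this soon after open: suspicious */

struct session {
    int pid;            /* sshd child pid from "prog[pid]:" */
    char user[32];
    long opened;        /* seconds since midnight (same day assumed) */
    long closed;        /* -1 while still open */
    int logout_error;   /* saw "logout() returned an error" for this pid */
};

static const char *const SAMPLE_LOG[] = {
    "Sep 6 16:08:28 evelyn sshd[9571]: Generating 768 bit RSA key.",
    "Sep 6 16:08:29 evelyn sshd[9571]: Accepted rsa for a_user from 127.0.0.1 port 1157",
    "Sep 6 16:08:29 evelyn PAM_pwdb[9571]: (sshd) session opened for user a_user by (uid=0)",
    "Sep 6 16:08:30 evelyn sshd[9571]: syslogin_perform_logout: logout() returned an error",
    "Sep 6 16:08:30 evelyn sshd[9571]: Closing connection to 127.0.0.1",
    "Sep 6 16:08:30 evelyn PAM_pwdb[9571]: (sshd) session closed for user a_user",
    /* constructed control session, 15 minutes long */
    "Sep 6 16:10:00 evelyn PAM_pwdb[9600]: (sshd) session opened for user bob by (uid=0)",
    "Sep 6 16:25:12 evelyn PAM_pwdb[9600]: (sshd) session closed for user bob",
};
#define SAMPLE_LOG_LINES ((int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]))

/* "Mon d HH:MM:SS" syslog prefix -> seconds of day, or -1 if unparsable. */
static long parse_time(const char *line)
{
    char mon[4];
    int day, h, m, s;
    if (sscanf(line, "%3s %d %d:%d:%d", mon, &day, &h, &m, &s) != 5)
        return -1;
    return (long)h * 3600 + m * 60 + s;
}

/* pid from the first "[pid]:" token, or -1 if there is none. */
static int parse_pid(const char *line)
{
    const char *lb = strchr(line, '[');
    int pid;
    if (lb == NULL || sscanf(lb, "[%d]:", &pid) != 1)
        return -1;
    return pid;
}

static struct session *find_session(struct session *tab, int n, int pid)
{
    int i;
    for (i = 0; i < n; i++)
        if (tab[i].pid == pid)
            return &tab[i];
    return NULL;
}

/* Walk the lines; returns the number of short sessions and fills tab. */
int count_short_sessions(const char *const *lines, int nlines,
                         struct session *tab, int *nsessions)
{
    static const char OPEN_MARK[] = "session opened for user ";
    int n = 0, i, flagged = 0;
    for (i = 0; i < nlines; i++) {
        const char *l = lines[i], *p;
        long t = parse_time(l);
        int pid = parse_pid(l);
        struct session *s;
        if (t < 0 || pid < 0)
            continue;                     /* not a line this detector reads */
        if ((p = strstr(l, OPEN_MARK)) != NULL && n < MAX_SESSIONS) {
            tab[n].pid = pid;
            tab[n].user[0] = '\0';
            sscanf(p + sizeof OPEN_MARK - 1, "%31s", tab[n].user);
            tab[n].opened = t;
            tab[n].closed = -1;
            tab[n].logout_error = 0;
            n++;
        } else if (strstr(l, "logout() returned an error") != NULL) {
            if ((s = find_session(tab, n, pid)) != NULL)
                s->logout_error = 1;
        } else if (strstr(l, "session closed for user ") != NULL) {
            if ((s = find_session(tab, n, pid)) != NULL && s->closed < 0) {
                s->closed = t;
                if (s->closed - s->opened <= SHORT_SESSION_SECONDS)
                    flagged++;
            }
        }
    }
    *nsessions = n;
    return flagged;
}

/* Accessors over the embedded sample so the results can be checked directly. */
static struct session g_tab[MAX_SESSIONS];
static int g_n;
int sample_short_sessions(void) { return count_short_sessions(SAMPLE_LOG, SAMPLE_LOG_LINES, g_tab, &g_n); }
int sample_session_count(void) { sample_short_sessions(); return g_n; }
long sample_session_length(int i) { sample_short_sessions(); return (i < g_n && g_tab[i].closed >= 0) ? g_tab[i].closed - g_tab[i].opened : -1; }
int sample_logout_error(int i) { sample_short_sessions(); return i < g_n ? g_tab[i].logout_error : 0; }

int main(void)
{
    int i, flagged = sample_short_sessions();
    for (i = 0; i < g_n; i++)
        printf("pid %d user %s: %ld s%s\n", g_tab[i].pid, g_tab[i].user,
               sample_session_length(i), g_tab[i].logout_error ? " (logout error)" : "");
    printf("%d short session(s)\n", flagged);
    return 0;
}
```

On the posted lines the a_user session is flagged (one second from open to close, with the logout() error attributed to the same pid 9571) while the constructed bob session is not. A burst of such short sessions after an sshd upgrade points at a server-side problem like the one reported, rather than at users simply logging out.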
From: wth at gt.pl (Waldemar Thiel)
Date: Thu, 7 Sep 2000 11:03:01 +0200
Subject: My implementation of PAM support for OpenSSH
Message-ID: <005401c018aa$6e0aea90$06c319d5@gt.pl>

Hello all

I've finished developing my own implementation of PAM support for OpenSSH.
I've done this because it was my master of science thesis. Everyone who is
interested in it can download it from:

http://valdi.gt.pl/OpenSSH/

What is interesting - I've implemented RSA authentication too :-)

More info in the short README which can be downloaded from the above page.

Ah - the available patch is for OpenSSH1.2.3 (it can be downloaded from the
above page too), but if any1 needs a patch for OpenSSH1.2.pre17 - I've got
it too, because it was my working implementation of OpenSSH.

--
Waldemar Thiel (wth at gt.pl)

From charles at comm.polymtl.ca Fri Sep 8 03:35:08 2000
From: charles at comm.polymtl.ca (Charles Levert)
Date: Thu, 7 Sep 2000 12:35:08 -0400
Subject: [2.2.0p1] patch: generic detection of correct getpgrp() invocation
In-Reply-To: <200009060154.VAA01566@faucon.comm.polymtl.ca>
References: <200009051650.MAA01317@faucon.comm.polymtl.ca> <200009060154.VAA01566@faucon.comm.polymtl.ca>
Message-ID: <200009071635.MAA04661@faucon.comm.polymtl.ca>

I have revised the whole content of next-posix.[ch] to see what could
apply to SunOS 4.1.4. The only relevant item is highlighted with "==>".

next-posix.h

    -- readdir does return struct dirent * in and it has the d_ino
       (through a #define) and d_name fields needed by scp.c
    -- struct utimbuf seems ok in
    -- O_NONBLOCK is defined by (and does not have the same value as on
       NeXT)
    -- WIFEXITED, WIFSTOPPED, WIFSIGNALED, WEXITSTATUS, and WTERMSIG are
       all defined in
==> -- WCOREFLAG and WCOREDUMP are not defined anywhere on SunOS and could
       use the exact same definitions as for NeXT (I believe, according
       to the wait(2) manpage)
    -- utime is declared in
    -- wait and waitpid are declared in
    -- setsid is declared in
    -- tc[gs]etattr, cf[gs]etospeed, and cf[gs]etispeed are declared in
    -- tcsetpgrp is declared in but not used in openssh

next-posix.c

    -- wait is available
    -- utime is available
    -- waitpid is available
    -- setsid is available
    -- tc[gs]etattr, cf[gs]etospeed, and cf[gs]etispeed are available
    -- tcsetpgrp is available but not used in openssh

For WCOREFLAG and WCOREDUMP, would a simple pair of #ifndef/#define/#endif
in defines.h suffice and be appropriate for all OSes: those that don't
define these natively and those that do, assuming they are always
#define's? Is the 0x80 pretty universal in those that don't?

It is worth mentioning that the combination of SunOS 4.1.4 and gcc 2.7.2.2
produces a conflict between definitions that SunOS puts in and that gcc
puts in its (which are derived from the SunOS ones anyway, so forget the
gcc part of the comment, really). Those definitions are for BS0, BS1, CR0,
CR1, CR2, CR3, ECHO, FF0, FF1, FLUSHO, NL0, NL1, NOFLSH, PENDIN, TAB0,
TAB1, TAB2, TOSTOP, and XTABS. They are incompatible, but I believe that
as long as is included before (see includes.h), the ones in have the final
say and this is the right thing (I think). These are used in clientloop.c,
readpass.c, and ttymodes.[ch]. The ideal would probably be to have that
specific code isolated to only see the definitions. Right now, this
produces a *lot* of warnings in the make output, but they are harmless
(again, I think).

Charles

From chip at princetonecom.com Fri Sep 8 05:11:50 2000
From: chip at princetonecom.com (Chip Christian)
Date: Thu, 07 Sep 2000 14:11:50 -0400
Subject: X11Forwarding through a firewall
Message-ID: <20000907181150.4D2B1B47C@fleck.princetonecom.com>

I am running 2.1.1p4 on RedHat Linux and several Solaris boxes. I have
X11Forwarding set to yes in .ssh/ssh_config, as well as all of the
sshd_config files. Works just fine between machines inside my firewall,
but I can't forward X11 clients from outside the firewall. We have a PIX
doing NAT. Any idea what I'm missing?

From stnor at sweden.hp.com Fri Sep 8 06:16:48 2000
From: stnor at sweden.hp.com (Stefan Norberg)
Date: Thu, 7 Sep 2000 21:16:48 +0200
Subject: scp -2 patch
Message-ID:

I can't see why there shouldn't be a '-2' flag for "scp" when there's one
for "ssh". Am I missing something here?

Attached is a very simple patch for scp.c and scp.1 that introduces a '-2'
for scp.

Stefan Norberg
stnor at sweden.hp.com

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: scp-forcev2.diff
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000907/dc562728/attachment.ksh

From mwolinski at mimecom.com Fri Sep 8 07:38:09 2000
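The WCOREFLAG/WCOREDUMP fallback Charles Levert asks about above (the #ifndef/#define/#endif pair in defines.h, with 0x80 as the core flag), shown as an added example rather than OpenSSH's own defines.h: the fallback only takes effect where <sys/wait.h> lacks the macros, and the decoder beneath it exercises the standard wait-status macros on constructed status words. The classify_status()/status_code() names, the child_outcome enum and the MAKE_*_STATUS constructors are assumptions of the example; the 0x80 value is the traditional BSD/System V encoding, which is what the question is about.

```c
/* Added example, not OpenSSH code: a portable fallback for WCOREFLAG and
 * WCOREDUMP in the style of defines.h, plus a wait-status decoder that
 * uses it. On systems whose <sys/wait.h> already defines the macros the
 * fallback is skipped, so native definitions always win. */
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>

#ifndef WCOREFLAG
#define WCOREFLAG 0x80                  /* traditional core-dump flag bit */
#endif
#ifndef WCOREDUMP
#define WCOREDUMP(status) ((status) & WCOREFLAG)
#endif

enum child_outcome {
    CHILD_EXITED,          /* normal exit; code is the exit status */
    CHILD_SIGNALED,        /* killed by a signal, no core */
    CHILD_SIGNALED_CORE,   /* killed by a signal, core dumped */
    CHILD_STOPPED,         /* stopped by a signal (WUNTRACED) */
    CHILD_UNKNOWN
};

/* Classify a raw wait() status word. */
enum child_outcome classify_status(int status)
{
    if (WIFEXITED(status))
        return CHILD_EXITED;
    if (WIFSIGNALED(status))
        return WCOREDUMP(status) ? CHILD_SIGNALED_CORE : CHILD_SIGNALED;
    if (WIFSTOPPED(status))
        return CHILD_STOPPED;
    return CHILD_UNKNOWN;
}

/* Exit code, terminating signal or stop signal, depending on outcome. */
int status_code(int status)
{
    switch (classify_status(status)) {
    case CHILD_EXITED:        return WEXITSTATUS(status);
    case CHILD_SIGNALED:
    case CHILD_SIGNALED_CORE: return WTERMSIG(status);
    case CHILD_STOPPED:       return WSTOPSIG(status);
    default:                  return -1;
    }
}

/* Constructed status words in the traditional layout: exit code in the
 * high byte, terminating signal in the low 7 bits, WCOREFLAG for a core. */
#define MAKE_EXIT_STATUS(code)        (((code) & 0xff) << 8)
#define MAKE_SIGNAL_STATUS(sig, core) (((sig) & 0x7f) | ((core) ? WCOREFLAG : 0))

int main(void)
{
    static const char *const names[] = {
        "exited", "signaled", "signaled (core dumped)", "stopped", "unknown"
    };
    int samples[] = { MAKE_EXIT_STATUS(3), MAKE_SIGNAL_STATUS(15, 0),
                      MAKE_SIGNAL_STATUS(11, 1) };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("status 0x%04x: %s, code %d\n", samples[i],
               names[classify_status(samples[i])], status_code(samples[i]));
    return 0;
}
```

The practical answer to the question is that the pair is harmless on systems that define the macros natively, because #ifndef leaves their definition alone, and that a runtime check like the one above makes any disagreement about the flag bit visible immediately on a new platform.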
From: mwolinski at mimecom.com (Matt Wolinski)
Date: Thu, 07 Sep 2000 13:38:09 -0700
Subject: SSH2
Message-ID: <39B7FCB1.96672D36@mimecom.com>

I've installed and configured openssh 2.1.1p4. It's working great;
however, I've been asked to implement SSH2 functionality. I have a
question with the README.openssh2 file. It says that all I need to do is:

howto:
1) generate server key:
        $ ssh-keygen -d -f /etc/ssh_host_dsa_key -N ''
2) enable ssh2:
        server: add 'Protocol 2,1' to /etc/sshd_config
        client: ssh -o 'Protocol 2,1', or add to .ssh/config
3) DSA authentication similar to RSA (add keys to ~/.ssh/authorized_keys

During my install I already created the server key. So I should only need
to update the /etc/sshd_config file on each of my servers.....correct?
Will I need to have each user update their ~/.ssh/config files also??? The
server/client part confused me. When I installed openssh on each server,
I did the same procedures. I assume that I'll need to restart the sshd
daemon on each system....correct?

As far as the DSA authentication file, can I put a
/etc/ssh_authorized_keys file which contains the keys for all servers????
Or does each user need to have their own ~/.ssh/authorized_keys file. I
would think that this should work the same way as the known_hosts
file........is that correct?

My last question has to do with the ssh command. I assume that after this
change the ssh command will start using protocol 2 rather than protocol
1.3 or 1.5. I know that some commercial distributions of SSH come with a
ssh2 command as well as an ssh command (that way you can choose which to
use). I don't care about that.....I just wanted to verify that after the
config file change.....it'll start using the ssh2 protocol when I run the
ssh command.

Thank you in advance for answering my questions.

Cheers,
Matt

From stnor at sweden.hp.com Fri Sep 8 09:51:50 2000
From: stnor at sweden.hp.com (Stefan Norberg)
Date: Fri, 8 Sep 2000 00:51:50 +0200
Subject: scp -2 patch
In-Reply-To: <200009072047.e87Klp719358@cvs.openbsd.org>
Message-ID:

Theo de Raadt [mailto:deraadt at cvs.openbsd.org]:
> I don't think there should be a scp -2 flag. The ssh -2 flag is mostly
> there for testing.
>
> Users don't need to tweak all this stuff.
>
> Options are bad. It just bloats the code!
>

I humbly suggest either adding it to scp or removing it from ssh for
consistency.

Stefan

From deraadt at cvs.openbsd.org Fri Sep 8 10:00:18 2000
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Thu, 07 Sep 2000 17:00:18 -0600
Subject: scp -2 patch
In-Reply-To: Your message of "Fri, 08 Sep 2000 00:51:50 +0200."
Message-ID: <200009072300.e87N0J700313@cvs.openbsd.org>

That doesn't make sense either.

ssh has a lot of options, because it needs them.

scp has few options, because it doesn't need them.

It's like comparing the sum of the options on rlogin, telnet, and
xterm, to the options on rcp.

There just is no need for consistency.

You didn't even give a justification for why you might want to scp -2.

It doesn't make sense.

> Theo de Raadt [mailto:deraadt at cvs.openbsd.org]:
> > I don't think there should be a scp -2 flag. The ssh -2 flag is mostly
> > there for testing.
> >
> > Users don't need to tweak all this stuff.
> >
> > Options are bad. It just bloats the code!
> >
>
> I humbly suggest either adding it to scp or removing it from ssh for
> consistency.
>
> Stefan
>
> 1

From willday at rom.oit.gatech.edu Fri Sep 8 10:26:36 2000
From: willday at rom.oit.gatech.edu (Will Day)
Date: Thu, 7 Sep 2000 19:26:36 -0400
Subject: scp -2 patch
In-Reply-To: ; from stnor@sweden.hp.com on Thu, Sep 07, 2000 at 09:16:48PM +0200
References:
Message-ID: <20000907192636.A25075@rom.oit.gatech.edu>

A short time ago, at a computer terminal far, far away, Stefan Norberg wrote:
>I can't see why there shouldn't be a '-2' flag for "scp" when there's one
>for "ssh". Am I missing something here?

Not that I can see. Of course, I think there should be "-1" and "-2"
options for both scp and ssh, and have modified mine to do this, and
submitted a patch a couple weeks back.

--
Will Day                          OIT / O&E / Technical Support
willday at rom.oit.gatech.edu        Georgia Tech, Atlanta 30332-0715
-> Opinions expressed are mine alone and do not reflect OIT policy <-

  Those who would give up essential Liberty, to purchase a little
  temporary Safety, deserve neither Liberty nor Safety.
    Benjamin Franklin, Pennsylvania Assembly, Nov. 11, 1755

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 360 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000907/60743426/attachment.bin

From scraig at eli.net Fri Sep 8 10:30:35 2000
From: scraig at eli.net (Stuart Craig)
Date: Thu, 07 Sep 2000 16:30:35 -0700
Subject: scp -2 patch
References: <200009072300.e87N0J700313@cvs.openbsd.org>
Message-ID: <39B8251B.8DF18251@eli.net>

I'm not all that concerned about consistency, but I would like to see a
-2 switch on both ssh and scp. I've got a network with around 150 *NIX
systems running a mix of OpenSSH, commercial ssh1 and commercial ssh2,
and I'd like to be able to force a protocol 2 connection when I need it.

- Stu

Theo de Raadt wrote:
>
> That doesn't make sense either.
>
> ssh has a lot of options, because it needs them.
>
> scp has few options, because it doesn't need them.
>
> It's like comparing the sum of the options on rlogin, telnet, and
> xterm, to the options on rcp.
>
> There just is no need for consistency.
>
> You didn't even give a justification for why you might want to scp -2.
>
> It doesn't make sense.
>
> > Theo de Raadt [mailto:deraadt at cvs.openbsd.org]:
> > > I don't think there should be a scp -2 flag. The ssh -2 flag is mostly
> > > there for testing.
> > >
> > > Users don't need to tweak all this stuff.
> > >
> > > Options are bad. It just bloats the code!
> > >
> >
> > I humbly suggest either adding it to scp or removing it from ssh for
> > consistency.
> >
> > Stefan
> >
> > 1

--
Stuart J. Craig
Senior UNIX Administrator
Electric Lightwave, Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2515 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000907/5ffaae8a/attachment.bin

From Markus.Friedl at informatik.uni-erlangen.de Fri Sep 8 19:26:18 2000
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 8 Sep 2000 10:26:18 +0200
Subject: scp -2 patch
In-Reply-To: <39B8251B.8DF18251@eli.net>; from scraig@eli.net on Thu, Sep 07, 2000 at 04:30:35PM -0700
References: <200009072300.e87N0J700313@cvs.openbsd.org> <39B8251B.8DF18251@eli.net>
Message-ID: <20000908102618.A4208@faui02.informatik.uni-erlangen.de>

all the scp needs is a -o flag. that's it.
who has a patch?

On Thu, Sep 07, 2000 at 04:30:35PM -0700, Stuart Craig wrote:
> I'm not all that concerned about consistency, but I would like to see a
> -2 switch on both ssh and scp. I've got a network with around 150 *NIX
> systems running a mix of OpenSSH, commercial ssh1 and commercial ssh2,
> and I'd like to be able to force a protocol 2 connection when I need it.
>
> - Stu
>
> Theo de Raadt wrote:
> >
> > That doesn't make sense either.
> >
> > ssh has a lot of options, because it needs them.
> >
> > scp has few options, because it doesn't need them.
> >
> > It's like comparing the sum of the options on rlogin, telnet, and
> > xterm, to the options on rcp.
> >
> > There just is no need for consistency.
> >
> > You didn't even give a justification for why you might want to scp -2.
> >
> > It doesn't make sense.
> >
> > > Theo de Raadt [mailto:deraadt at cvs.openbsd.org]:
> > > > I don't think there should be a scp -2 flag. The ssh -2 flag is mostly
> > > > there for testing.
> > > >
> > > > Users don't need to tweak all this stuff.
> > > >
> > > > Options are bad. It just bloats the code!
> > > >
> > >
> > > I humbly suggest either adding it to scp or removing it from ssh for
> > > consistency.
> > >
> > > Stefan
> > >
> > > 1
>
> --
> Stuart J. Craig
> Senior UNIX Administrator
> Electric Lightwave, Inc.

From djm at mindrot.org Fri Sep 8 19:32:49 2000
From: djm at mindrot.org (Damien Miller)
Date: Fri, 8 Sep 2000 19:32:49 +1100 (EST)
Subject: scp -2 patch
In-Reply-To: <39B8251B.8DF18251@eli.net>
Message-ID:

On Thu, 7 Sep 2000, Stuart Craig wrote:

> I'm not all that concerned about consistency, but I would like to see a
> -2 switch on both ssh and scp. I've got a network with around 150 *NIX
> systems running a mix of OpenSSH, commercial ssh1 and commercial ssh2,
> and I'd like to be able to force a protocol 2 connection when I need it.

Does OpenSSH's protocol fallback not work correctly?

Otherwise you can use ssh_config or ~/.ssh/config:

Host foo
	Protocol 1

Host bar
	Protocol 2

This takes care of both ssh and scp. Though I do agree with Markus that a
'-o' scp option is the way to go.

-d

--
| ``The power of accurate observation is   | Damien Miller
| commonly called cynicism by those who    | @Work
| have not got it'' - George Bernard Shaw  | http://www.mindrot.org

From Dirk.DeWachter at rug.ac.be Fri Sep 8 23:16:04 2000
From: Dirk.DeWachter at rug.ac.be (Dirk De Wachter)
Date: Fri, 8 Sep 2000 14:16:04 +0200
Subject: PATCH: HPUX trusted system password checking
Message-ID: <39B8F4A4.19213.42E3C36@localhost>

Dear developers,

The HPUX 10.20 trusted system hack doesn't work yet as intended.
I have adapted the auth-passwd.c file to make it work.

Please find a context diff file attached to this file. This diff is
against the latest OpenSSH 2.2.0p1 released Sept 2, 2000.

Also on HPUX 10.20, xauth is not found at the standard location.
Perhaps this standard location could be changed automagically to
/usr/bin/X11/auth once HPUX is detected.

Please remark that I'm not on this mailing list, so please reply
directly to my e-mail address.

Best regards,

Dirk De Wachter

*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*
Dirk De Wachter, MScEE, MScBME, PhD        mailto:Dirk.DeWachter at rug.ac.be
postdoctoral fellow, systems administrator        http://navier.rug.ac.be
Hydraulics Laboratory, Ibitech, University of Gent   voice:+32 9 264 3281
Sint-Pietersnieuwstraat 41, B-9000 Gent Belgium      faxto:+32 9 264 3595
~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~

-------------- next part --------------
A non-text attachment was scrubbed...
Name: auth-passwd.c.diff
Type: application/octet-stream
Size: 1056 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000908/89d68f3e/attachment.obj

From joden at eworld.wox.org Sat Sep 9 01:04:17 2000
From: joden at eworld.wox.org (James Oden)
Date: Fri, 8 Sep 2000 10:04:17 -0400 (EDT)
Subject: PATCH: HPUX trusted system password checking
In-Reply-To: <39B8F4A4.19213.42E3C36@localhost> from "Dirk De Wachter" at Sep 08, 2000 02:16:04 PM
Message-ID: <200009081404.KAA10870@eworld.wox.org>

> Content-description: Mail message body
>
> Dear developers,
>
> The HPUX 10.20 trusted system hack doesn't work yet as intended.
> I have adapted the auth-passwd.c file to make it work.
>
Is this an issue on HP/UX 11.0 also?

Thanks ...james

From stevesk at sweden.hp.com Sat Sep 9 01:38:50 2000
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Fri, 8 Sep 2000 16:38:50 +0200 (CEST)
Subject: PATCH: HPUX trusted system password checking
In-Reply-To: <39B8F4A4.19213.42E3C36@localhost>
Message-ID: <200009081433.QAA20011@b0fh.sweden.hp.com>

On Fri, 8 Sep 2000, Dirk De Wachter wrote:
: The HPUX 10.20 trusted system hack doesn't work yet as intended.
: I have adapted the auth-passwd.c file to make it work.
:
: Please find a context diff file attached to this file. This diff is
: against the latest OpenSSH 2.2.0p1 released Sept 2, 2000.

Using the getprpwent() interface may be a good direction, since
getspent() is deprecated, but from a look at the code, why didn't it
execute the code that uses getspnam()? Is HAVE_SHADOW_H defined and
DISABLE_SHADOW undefined in config.h?

Also, does PAM work with OpenSSH on 10.20? PAM is on 10.20, but was only
used by CDE. If PAM is sufficiently supported on 10.20, I wouldn't mind
getting rid of the HPUX_TRUSTED stuff and only supporting PAM on 10.20
and 11.0. Otherwise, I'd like to clean things up including always
linking with -lsec and using iscomsec(2) to differentiate between
trusted/not trusted at runtime.

: Also on HPUX 10.20, xauth is not found at the standard location.
: Perhaps this standard location could be changed automagically to
: /usr/bin/X11/auth once HPUX is detected.

It's detected on 11.0 and it's the same path so I don't immediately see
what's happening.

From stevesk at sweden.hp.com Sat Sep 9 01:42:46 2000
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Fri, 8 Sep 2000 16:42:46 +0200 (CEST)
Subject: PATCH: HPUX trusted system password checking
In-Reply-To: <200009081404.KAA10870@eworld.wox.org>
Message-ID: <200009081437.QAA21454@b0fh.sweden.hp.com>

On Fri, 8 Sep 2000, James Oden wrote:
: > The HPUX 10.20 trusted system hack doesn't work yet as intended.
: > I have adapted the auth-passwd.c file to make it work.
: >
: Is this an issue on HP/UX 11.0 also?

Not if you use PAM, which is detected and used by default.

From robert.steinfeldt at steeleye.com Sat Sep 9 04:58:45 2000
From: robert.steinfeldt at steeleye.com (Robert Steinfeldt)
Date: Fri, 08 Sep 2000 10:58:45 -0700
Subject: OpenSSH PPP tunneling issue
Message-ID: <39B928D5.F4AB7673@steeleye.com>

I am trying to set up a secure PPP tunnel between an OpenSSH client and
server, and am having problems establishing the tunnel.

-----------------------------------------------------------------------------

Server information:
  Stock Redhat 6.1 machine running a 2.2.12 kernel
  OpenSSH version 2.2.0p1 (downloaded as Redhat RPMs, revision 2)
  OpenSSL version 0.9.5a (downloaded as Redhat RPMs, revision 3)
  PPP version 2.3.10
  One exposed external IP address (for this list, assume to be
  100.100.100.100)

  /etc/ssh/sshd_config:
    Port 22
    Protocol 2,1
    ListenAddress 0.0.0.0
    HostKey /etc/ssh/ssh_host_key
    HostDSAKey /etc/ssh/ssh_host_dsa_key
    ServerKeyBits 768
    LoginGraceTime 600
    KeyRegenerationInterval 3600
    PermitRootLogin no
    IgnoreRhosts yes
    StrictModes yes
    X11Forwarding no
    X11DisplayOffset 10
    PrintMotd yes
    KeepAlive yes

  /etc/ppp/options:
    lock
    local
    noauth
    proxyarp

Client information:
  *Stock Redhat 6.2 machine running a 2.2.17pre20 kernel
  OpenSSH version 2.2.0p1 (downloaded as Redhat RPMs, revision 2)
  OpenSSL version 0.9.5a (downloaded as Redhat RPMs, revision 3)
  PPP version 2.3.11

  /etc/ssh/ssh_config:
    Empty (default)

  /etc/ppp/options:
    lock
    noauth

  * This has also failed on Redhat 6.1 (kernel 2.2.12) and Redhat 6.9.5
    (kernel 2.2.16) machines with the same results.

-----------------------------------------------------------------------------

What happens:
We attempt to connect to the OpenSSH server with the following command,
run in a terminal:

/usr/sbin/pppd -detach lcp-echo-failure 600 lcp-echo-interval 600 local
passive pty "ssh -t -l 100.100.100.100 /usr/sbin/pppd file
/etc/ppp/options-"

(The options-username file on the server simply contains an IP address,
such that the client machine is set up with a static IP to attach to the
server.)

When executed, OpenSSH asks for the password to gain entry to the
server, after which the connection appears to hang while negotiating a
PPP connection. PPPd on the client side eventually fails with 'LCP:
timeout sending Config-Requests'. This behavior remains constant whether
the '-e none' option is provided to ssh or not, on the client side.
However, the pppd command on the server IS executed, as shown by its
server logs, so we know the ssh session is being established. At this
point, we are led to suspect that either the virtual tty allocation or
emulation is not sending binary characters through properly, or that
some sort of character sequence is being interpreted by openssh despite
the '-e none' option specified.

The OpenSSH client seems to be suspect, because when the commercial SSH
RPM available at (ftp://ftp.ssh.com/pub/ssh/rpms/ssh-2.3.0-1.i386.rpm)
is called upon to perform the same command on the client side, the ppp
tunnel is successfully established with the OpenSSH server -- whether
run in a terminal or inside a script. I've tried compiling the OpenSSH
RPM from source on multiple client machines in case that was an issue;
it had no effect on the problem. I'll try to provide any debugging
information if needed; please advise.

Robert Steinfeldt -- robert.steinfeldt at steeleye.com

From gem at rellim.com Sat Sep 9 05:09:20 2000
From: gem at rellim.com (Gary E. Miller)
Date: Fri, 8 Sep 2000 11:09:20 -0700 (PDT)
Subject: OpenSSH PPP tunneling issue
In-Reply-To: <39B928D5.F4AB7673@steeleye.com>
Message-ID:

Yo Robert!

OpenSSH and SSH tunnel IP. PPP is a layer underneath IP used
for point to point connections. OpenSSH does not tunnel PPP or
any other protocol under IP.

If you need PPP then you need to find a way to tunnel it inside
IP and then tunnel that IP in SSH.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

On Fri, 8 Sep 2000, Robert Steinfeldt wrote:

> I am trying to set up a secure PPP tunnel between an OpenSSH client and
> server, and am having problems establishing the tunnel.

From robert.steinfeldt at steeleye.com Sat Sep 9 05:31:01 2000
From: robert.steinfeldt at steeleye.com (Robert Steinfeldt)
Date: Fri, 08 Sep 2000 11:31:01 -0700
Subject: OpenSSH PPP tunneling issue
References:
Message-ID: <39B93065.8A19B5E5@steeleye.com>

"Gary E. Miller" wrote:
>
> Yo Robert!
>
> OpenSSH and SSH tunnel IP. PPP is a layer underneath IP used
> for point to point connections. OpenSSH does not tunnel PPP or
> any other protocol under IP.
>
> If you need PPP then you need to find a way to tunnel it inside
> IP and then tunnel that IP in SSH.
>

Ack. Perhaps I should have been more precise with my terminology. :)

What I'm doing is using OpenSSH as a conduit, such that on both the
client and server machines, pppd is run through the tty that ssh can
create with the -t option. The result is that on the client side, pppd
sends PPP data through the SSH connection to the other side, where the
server is ALSO running pppd. They then exchange binary PPP information
through the ssh tty.

  Server        OpenSSH        Client
  ------        -------        ------
  pppd->        ->tty<-        <-pppd

Robert

From mouring at pconline.com Sat Sep 9 05:40:59 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Fri, 8 Sep 2000 13:40:59 -0500 (CDT)
Subject: OpenSSH PPP tunneling issue
In-Reply-To: <39B928D5.F4AB7673@steeleye.com>
Message-ID: 

Either you need to use userspace PPP software (which you may find on www.freshmeat.net) or I suggest checking out the following Linux howtos:

http://www.linux.org/docs/ldp/howto/VPN-HOWTO.html
http://www.linux.org/docs/ldp/howto/VPN-Masquerade-HOWTO.html

The first one explains SSH and PPP Theories in VPNing.

I believe the much more preferred method of connecting distant networks is really IPSec (Which requires a patch to the 2.{0,2,4} kernels).

On Fri, 8 Sep 2000, Robert Steinfeldt wrote:

> I am trying to set up a secure PPP tunnel between an OpenSSH client and
> server, and am having problems establishing the tunnel.
> 
> -----------------------------------------------------------------------------
> 
> Server information:
> Stock Redhat 6.1 machine running a 2.2.12 kernel
> OpenSSH version 2.2.0p1 (downloaded as Redhat RPMs, revision 2)
> OpenSSL version 0.9.5a (downloaded as Redhat RPMs, revision 3)
> PPP version 2.3.10
> One exposed external IP address (for this list, assume to be
> 100.100.100.100)
> 
> /etc/ssh/sshd_config:
> Port 22
> Protocol 2,1
> ListenAddress 0.0.0.0
> HostKey /etc/ssh/ssh_host_key
> HostDSAKey /etc/ssh/ssh_host_dsa_key
> ServerKeyBits 768
> LoginGraceTime 600
> KeyRegenerationInterval 3600
> PermitRootLogin no
> IgnoreRhosts yes
> StrictModes yes
> X11Forwarding no
> X11DisplayOffset 10
> PrintMotd yes
> KeepAlive yes
> 
> /etc/ppp/options:
> lock
> local
> noauth
> proxyarp
> 
> Client information:
> *Stock Redhat 6.2 machine running a 2.2.17pre20 kernel
> OpenSSH version 2.2.0p1 (downloaded as Redhat RPMs, revision 2)
> OpenSSL version 0.9.5a (downloaded as Redhat RPMs, revision 3)
> PPP version 2.3.11
> 
> /etc/ssh/ssh_config:
> Empty (default)
> 
> /etc/ppp/options:
> lock
> noauth
> 
> * This has also failed on Redhat 6.1 (kernel 2.2.12) and Redhat 
> 6.9.5 (kernel 2.2.16) machines with the same results.
> 
> -----------------------------------------------------------------------------------------
> 
> What happens:
> We attempt to connect to the OpenSSH server with the following command,
> run in a terminal:
> 
> /usr/sbin/pppd -detach lcp-echo-failure 600 lcp-echo-interval 600 local
> passive pty "ssh -t -l 100.100.100.100 /usr/sbin/pppd file
> /etc/ppp/options-"
> 
> (The options-username file on the server simply contains an IP address,
> such that the client machine is set up with a static IP to attach to the
> server.)
> 
> When executed, OpenSSH asks for the password to gain entry to the
> server, after which the connection appears to hang while negotiating a
> PPP connection. PPPd on the client side eventually fails with 'LCP:
> timeout sending Config-Requests'. This behavior remains constant whether
> the '-e none' option is provided to ssh or not, on the client side.
> However, the pppd command on the server IS executed, as shown by its
> server logs, so we know the ssh session is being established. At this
> point, we are led to suspect that either the virtual tty allocation or
> emulation is not sending binary characters through properly, or that
> some sort of character sequence is being interpreted by openssh despite
> the '-e none' option specified.
> 
> The OpenSSH client seems to be suspect, because when the commercial SSH
> RPM available at (ftp://ftp.ssh.com/pub/ssh/rpms/ssh-2.3.0-1.i386.rpm)
> is called upon to perform the same command on the client side, the ppp
> tunnel is successfully established with the OpenSSH server -- whether
> run in a terminal or inside a script. I've tried compiling the OpenSSH
> RPM from source on multiple client machines in case that was an issue;
> it had no effect on the problem. I'll try to provide any debugging
> information if needed; please advise.
> 
> Robert Steinfeldt -- robert.steinfeldt at steeleye.com
> 

From gem at rellim.com Sat Sep 9 05:56:32 2000
From: gem at rellim.com (Gary E. Miller)
Date: Fri, 8 Sep 2000 11:56:32 -0700 (PDT)
Subject: OpenSSH PPP tunneling issue
In-Reply-To: <39B93065.8A19B5E5@steeleye.com>
Message-ID: 

Yo Robert!

I doubt that will work either. pppd needs more of a "tty" than just stdin, stdout and stderr. It also needs access to the ioctl()s for setting baud rates, bit rates, etc....

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

On Fri, 8 Sep 2000, Robert Steinfeldt wrote:

> Date: Fri, 08 Sep 2000 11:31:01 -0700
> From: Robert Steinfeldt
> To: Gary E. Miller
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH PPP tunneling issue
> 
> "Gary E. Miller" wrote:
> > 
> > Yo Robert!
> > 
> > OpenSSH and SSH tunnel IP. PPP is a layer underneath IP used
> > for point to point connections. OpenSSH does not tunnel PPP or
> > any other protocol under IP.
> > 
> > If you need PPP then you need to find a way to tunnel it inside
> > IP and then tunnel that IP in SSH.
> > 
> 
> Ack. Perhaps I should have been more precise with my terminology. :)
> 
> What I'm doing is using OpenSSH as a conduit, such that on both the
> client and server machines, pppd is run through the tty that ssh can
> create with the -t option. The result is that on the client side, pppd
> sends PPP data through the SSH connection to the other side, where the
> server is ALSO running pppd. They then exchange binary PPP information
> through the ssh tty.
> 
> Server    OpenSSH    Client
> ------    -------    ------
> pppd->    ->tty<-    <-pppd
> 
> 
> Robert
> 

From gem at rellim.com Sat Sep 9 06:02:54 2000
From: gem at rellim.com (Gary E. Miller)
Date: Fri, 8 Sep 2000 12:02:54 -0700 (PDT)
Subject: OpenSSH PPP tunneling issue
In-Reply-To: 
Message-ID: 

Yo Ben!

I guess I have to take my foot out of my mouth. There it is in black and white.

On Fri, 8 Sep 2000, Ben Lindstrom wrote:

> Either you need to use userspace PPP software (which you may find on
> www.freshmeat.net) or I suggest checking out the
> following Linux howtos:
> 
> http://www.linux.org/docs/ldp/howto/VPN-HOWTO.html
> http://www.linux.org/docs/ldp/howto/VPN-Masquerade-HOWTO.html
> 
> The first one explains SSH and PPP Theories in VPNing.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From willday at rom.oit.gatech.edu Sat Sep 9 07:31:59 2000
From: willday at rom.oit.gatech.edu (Will Day)
Date: Fri, 8 Sep 2000 16:31:59 -0400
Subject: scp -2 patch
In-Reply-To: ; from djm@mindrot.org on Fri, Sep 08, 2000 at 07:32:49PM +1100
References: <39B8251B.8DF18251@eli.net>
Message-ID: <20000908163159.A19909@rom.oit.gatech.edu>

A short time ago, at a computer terminal far, far away, Damien Miller wrote:
>> I'm not all that concerned about consistency, but I would like to see a
>> -2 switch on both ssh and scp. I've got a network with around 150 *NIX
>> systems running a mix of OpenSSH, commercial ssh1 and commercial ssh2,
>> and I'd like to be able to force a protocol 2 connection when I need it.
>
>Does OpenSSH's protocol fallback not work correctly?

No, it works correctly, but there are times when you want to override the protocol order,

>Otherwise you can use ssh_config or ~/.ssh/config:
>
>Host foo
>    Protocol 1
>
>Host bar
>    Protocol 2

without going in and editing your .ssh/config only to edit it back again for a go or two.

>This takes care of both ssh and scp. Though I do agree with Markus that
>a '-o' scp option is the way to go.

A "-1" or "-2" is just so convenient - much more so than "-o Protocol 1", and trivial to implement, although a "-o" option for scp would be useful for other things as well. And it's not like we're probably going to be using the "1" or "2" option flags for anything else. :)

Ssh already has a "-2", so it personally seems reasonable to just do the "-1" and "-2" all around. As I said, that's what I've done here. It's a convenient, simple, trivial change, has no significant detriment, and if others would find it useful, it seems like it'd be a Good Thing to have.

-- 
Will Day OIT / O&E / Technical Support willday at rom.oit.gatech.edu
Georgia Tech, Atlanta 30332-0715
-> Opinions expressed are mine alone and do not reflect OIT policy <-
Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. 
Benjamin Franklin, Pennsylvania Assembly, Nov. 11, 1755

From gem at rellim.com Sat Sep 9 09:46:57 2000
From: gem at rellim.com (Gary E. Miller)
Date: Fri, 8 Sep 2000 15:46:57 -0700 (PDT)
Subject: -1 and friends
Message-ID: 

Yo All!

Well I work on a diverse number of OS's with a diverse number of clients. Some use F-Secure, SecureCRT, PuTTY, SSH.COM, OpenSSH, etc. with a wide variety of versions between each, some from source, some from rpms, etc... Basically a lot of legacy stuff that no one has the time to update. In fact I am working on a couple of OpenSSH config problems in the last few days.

Sometimes we want to use SSH2 for the better antispoofing and sometimes SSH1 for scp compatibility and sometimes we have to change between versions to use RSA and DSA keys and do it from scripts.

Having -1 and -2 would make life a lot easier, if only for testing purposes. Even a "-o [option]" with scp would be nice. A lot of these different products only interoperate in certain modes so I have to try a lot of things.

I would also like to argue for more orthogonality between scp, ssh and sshd. Why do you turn on verbosity and debugging with "-v" in scp and ssh, but use "-d" with sshd? Why do you select a port with scp and sshd with "-P port" but with "-p port" on sshd? My poor little brain has enough to remember without all these changes that make little difference? And having to muck with config files leaves a lot of mess behind.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From drosih at rpi.edu Sat Sep 9 11:19:57 2000
From: drosih at rpi.edu (Garance A Drosihn)
Date: Fri, 8 Sep 2000 20:19:57 -0400
Subject: -1 and friends
In-Reply-To: 
References: 
Message-ID: 

At 3:46 PM -0700 9/8/00, Gary E. Miller wrote:
>I would also like to argue for more orthogonality between scp,
>ssh and sshd.

I suspect you did not want to ask for "more orthogonality"...

>Why do you turn on verbosity and debugging with "-v" in scp
>and ssh, but use "-d" with sshd? Why do you select a port with
>scp and sshd with "-P port" but with "-p port" on sshd?

some of this is because of what the different commands do.

scp is patterned after cp, and thus it pretty much has to have -r as "recursive" and -p as "preserve". Thus, you would really irritate people if you decided to use '-p' to select a port number. It would be more consistent to use -P for port, because cp does not use -P for anything.

sshd is probably mimicking assorted other system daemons, which are much more likely to use -p to select a port instead of -P. (that's off the top of my head, I haven't actually checked all possible system daemons to see if that is strictly true). Thus, it probably IS more consistent for sshd to use -p.

ssh itself is trying to look like rsh. So, it is more important for its options to match rsh's options than for them to match scp's options.

---
Garance Alistair Drosehn = gad at eclipse.acs.rpi.edu
Senior Systems Programmer or drosih at rpi.edu
Rensselaer Polytechnic Institute

From gem at rellim.com Sat Sep 9 12:14:01 2000
From: gem at rellim.com (Gary E. Miller)
Date: Fri, 8 Sep 2000 18:14:01 -0700 (PDT)
Subject: -1 and friends
In-Reply-To: 
Message-ID: 

Yo Garance!

On Fri, 8 Sep 2000, Garance A Drosihn wrote:

> At 3:46 PM -0700 9/8/00, Gary E. Miller wrote:
> >I would also like to argue for more orthogonality between scp,
> >ssh and sshd.
> 
> I suspect you did not want to ask for "more orthogonality"...

Yes I did. This is the lingo CPU designers use when they mean that they want a class of instructions to look similar.

> >Why do you turn on verbosity and debugging with "-v" in scp
> >and ssh, but use "-d" with sshd? Why do you select a port with
> >scp and sshd with "-P port" but with "-p port" on sshd?
> 
> some of this is because of what the different commands do.

But we can do better than the old ways!

Well how about for all of scp, ssh and sshd:

-1 conflicts with nothing and looks like SSH.com
-2 conflicts with nothing and looks like SSH.com
-d conflicts with nothing and turns on debug stuff
-P [port] to set the port to use
-o [options] to set other options

All the other stuff could stay for back compatibility.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

From gert at greenie.muc.de Sat Sep 9 21:56:56 2000
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 9 Sep 2000 12:56:56 +0200
Subject: -1 and friends
In-Reply-To: ; from Gary E. Miller on Fri, Sep 08, 2000 at 06:14:01PM -0700
References: 
Message-ID: <20000909125656.E1911@greenie.muc.de>

Hi,

On Fri, Sep 08, 2000 at 06:14:01PM -0700, Gary E. Miller wrote:
> On Fri, 8 Sep 2000, Garance A Drosihn wrote:
> > At 3:46 PM -0700 9/8/00, Gary E. Miller wrote:
> > >I would also like to argue for more orthogonality between scp,
> > >ssh and sshd.
> > 
> > I suspect you did not want to ask for "more orthogonality"...
> Yes I did. This is the lingo CPU designers use when they mean that
> they want a class of instructions to look similar.

Actually, "orthogonal" in mathematics and physics means exactly the opposite: a set of vectors being orthogonal means all of them are at right angles to each other, the scalar product being zero...

gert

-- 
Gert Doering

From pekkas at netcore.fi Sat Sep 9 21:22:13 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Sat, 9 Sep 2000 13:22:13 +0300 (EEST)
Subject: -1 and friends
In-Reply-To: <20000909125656.E1911@greenie.muc.de>
Message-ID: 

On Sat, 9 Sep 2000, Gert Doering wrote:

> Hi,
> 
> On Fri, Sep 08, 2000 at 06:14:01PM -0700, Gary E. Miller wrote:
> > On Fri, 8 Sep 2000, Garance A Drosihn wrote:
> > > At 3:46 PM -0700 9/8/00, Gary E. Miller wrote:
> > > >I would also like to argue for more orthogonality between scp,
> > > >ssh and sshd.
> > > 
> > > I suspect you did not want to ask for "more orthogonality"...
> > Yes I did. This is the lingo CPU designers use when they mean that
> > they want a class of instructions to look similar.
> 
> Actually, "orthogonal" in mathematics and physics means exactly the
> opposite: a set of vectors being orthogonal means all of them are at
> right angles to each other, the scalar product being zero...
> 
> gert

Yes, but in computer sciences "orthogonal" means that all the software components are independent of each other and that they behave the same way in any circumstance (which was what the originating poster meant).

-- 
Pekka Savola "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi not those you stumble over and fall"

From markus.friedl at informatik.uni-erlangen.de Sat Sep 9 21:27:50 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 9 Sep 2000 12:27:50 +0200
Subject: -1 and friends
In-Reply-To: ; from gem@rellim.com on Fri, Sep 08, 2000 at 03:46:57PM -0700
References: 
Message-ID: <20000909122750.B29256@folly.informatik.uni-erlangen.de>

On Fri, Sep 08, 2000 at 03:46:57PM -0700, Gary E. Miller wrote:
> Having -1 and -2 would make life a lot easier, if only for testing
> purposes. Even a "-o [option]" with scp would be nice. A lot of
> these different products only interoperate in certain modes so I
> have to try a lot of things.

if you switch between protocols all the time, then editing .ssh/config is probably the 'right thing'. if you want to switch occasionally, then it's easy to type -o protocol=2

> I would also like to argue for more orthogonality between scp, ssh and
> sshd. Why do you turn on verbosity and debugging with "-v" in scp
> and ssh, but use "-d" with sshd? Why do you select a port with
> scp and sshd with "-P port" but with "-p port" on sshd?

history and compatibility with rcp.

but there are much more important things to do with openssh than adding millions of cmdline options.

imho, scp needs only -o and the options from rcp. everything else can be removed.

-markus

From mhwood at ameritech.net Sat Sep 9 22:07:14 2000
From: mhwood at ameritech.net (Mark H. Wood)
Date: Sat, 9 Sep 2000 06:07:14 -0500 (EST)
Subject: -1 and friends
In-Reply-To: <20000909125656.E1911@greenie.muc.de>
Message-ID: 

On Sat, 9 Sep 2000, Gert Doering wrote:

> On Fri, Sep 08, 2000 at 06:14:01PM -0700, Gary E. Miller wrote:
> > On Fri, 8 Sep 2000, Garance A Drosihn wrote:
> > > At 3:46 PM -0700 9/8/00, Gary E. Miller wrote:
> > > >I would also like to argue for more orthogonality between scp,
> > > >ssh and sshd.
> > > 
> > > I suspect you did not want to ask for "more orthogonality"...
> > Yes I did. This is the lingo CPU designers use when they mean that
> > they want a class of instructions to look similar.
> 
> Actually, "orthogonal" in mathematics and physics means exactly the
> opposite: a set of vectors being orthogonal means all of them are at
> right angles to each other, the scalar product being zero...

That's what it means in CPU design, too: it means that various attributes of the instructions are independent. Like the way most of the PDP-10 instruction set has all the same addressing modes, regardless of the operation performed, even when it "makes no sense" (SET and JUMP are both no-ops, and SETMM is another no-op except that it exercises the path to memory.)

I wouldn't have used the word the way he did, but it makes a kind of sense: the options are independent of the underlying operation -- the two semantic vectors are orthogonal. I tend to think this would not be a bad thing, but then the PDP-10 is still my favorite architecture because it's so consistent....

-- 
Mark H. Wood, radical centrist OpenPGP ID 876A8B75 mhwood at ameritech.net
01/01/00 00:00:00 -- Apocralypse Now

From mouring at pconline.com Sat Sep 9 23:55:14 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Sat, 9 Sep 2000 07:55:14 -0500 (CDT)
Subject: -1 and friends
In-Reply-To: <20000909122750.B29256@folly.informatik.uni-erlangen.de>
Message-ID: 

On Sat, 9 Sep 2000, Markus Friedl wrote:

> On Fri, Sep 08, 2000 at 03:46:57PM -0700, Gary E. Miller wrote:
> > Having -1 and -2 would make life a lot easier, if only for testing
> > purposes. Even a "-o [option]" with scp would be nice. A lot of
> > these different products only interoperate in certain modes so I
> > have to try a lot of things.
> 
> if you switch between protocols all the time, then editing .ssh/config
> is probably the 'right thing'. if you want to switch occasionally, then
> it's easy to type -o protocol=2
> 

Should this also be true about -2 on ssh? Since we have -o there should be no reason for it.

> > I would also like to argue for more orthogonality between scp, ssh and
> > sshd. Why do you turn on verbosity and debugging with "-v" in scp
> > and ssh, but use "-d" with sshd? Why do you select a port with
> > scp and sshd with "-P port" but with "-p port" on sshd?
> 
> history and compatibility with rcp.
> 
> but there are much more important things to do with openssh
> than adding millions of cmdline options.
> 

Do we have a master list of things that should be done to OpenSSH? I know a few of them (Like rekeying).

> imho, scp needs only -o and the options from rcp. everything
> else can be removed.
> 

Agreed.. I was actually looking for a -o option recently in scp. I would have thought scp -S 'ssh -o Protocol 2' would have worked, but of course it does not. =)

Ben Lindstrom

From qralston+ml.openssh-unix-dev at andrew.cmu.edu Sun Sep 10 08:31:51 2000
From: qralston+ml.openssh-unix-dev at andrew.cmu.edu (James Ralston) Date: Sat, 9 Sep 2000 17:31:51 -0400 (EDT) Subject: 2.2.0p1 PATCH: ssh/scp/slogin will invoke ssh-askpass Message-ID: Enclosed is a patch against 2.2.0p1 that teaches ssh (and therefore slogin and scp) how to invoke ssh-askpass to request a password, RSA/DSA key passphrase, or an skey challenge response. I've tested this on Linux (i386), for passwords and RSA/DSA key passphrases. I cannot easily test whether the Right Thing will happen for skey challenge responses; I would appreciate it if someone who uses skey would apply this patch and see if it works properly. In the process of making this patch, I fixed a bug in the ssh_askpass() function (it assumed the string read from the pipe to ssh-askpass would always contain a trailing newline, which is a false assumption). Also, the ssh2_try_passwd() function appears to be broken, in that it contains partial logic to prompt for the correct password multiple times, but the flow of execution through the function guarantees that it can never ask for the password more than once. I wasn't sure what was intended here, so my patched version of ssh2_try_passwd() keeps the same (broken?) logic. Regards, -- James Ralston, Information Technology Software Engineering Institute Carnegie Mellon University, Pittsburgh, PA, USA -------------- next part -------------- diff -U 3 -N -r ORIG/openssh-2.2.0p1/readpass.c openssh-2.2.0p1/readpass.c --- ORIG/openssh-2.2.0p1/readpass.c Thu Jun 22 07:32:32 2000 +++ openssh-2.2.0p1/readpass.c Sat Sep 9 01:10:07 2000 
@@ -117,3 +117,48 @@ memset(buf, 0, sizeof(buf)); return (p); } + +/* + * Reads a passphrase by calling ssh-askpass. Returns the passphrase + * (allocated with xmalloc), being very careful to ensure that no + * other userland buffer is storing the password. + */ +char * +ssh_askpass(char *askpass, char *msg) +{ + pid_t pid; + size_t len; + char *nl, *pass; + int p[2], status; + char buf[1024]; + + if (askpass == NULL) + fatal("internal error: askpass undefined"); + if (pipe(p) < 0) + fatal("ssh_askpass: pipe: %s", strerror(errno)); + if ((pid = fork()) < 0) + fatal("ssh_askpass: fork: %s", strerror(errno)); + if (pid == 0) { + close(p[0]); + if (dup2(p[1], STDOUT_FILENO) < 0) + fatal("ssh_askpass: dup2: %s", strerror(errno)); + execlp(askpass, askpass, msg, (char *) 0); + fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno)); + } + close(p[1]); + len = read(p[0], buf, sizeof buf); + close(p[0]); + while (waitpid(pid, &status, 0) < 0) + if (errno != EINTR) + break; + if (len <= 1) + return xstrdup(""); + if (! (len == sizeof buf)) + buf[len] = '\0'; + nl = strchr(buf, '\n'); + if (nl) + *nl = '\0'; + pass = xstrdup(buf); + memset(buf, 0, sizeof(buf)); + return pass; +} diff -U 3 -N -r ORIG/openssh-2.2.0p1/ssh-add.c openssh-2.2.0p1/ssh-add.c --- ORIG/openssh-2.2.0p1/ssh-add.c Mon Aug 28 20:33:51 2000 +++ openssh-2.2.0p1/ssh-add.c Sat Sep 9 01:10:07 2000 
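Review bot: in the readpass.c hunk above, `len` is declared `size_t` but receives the return value of read(), so a failed read (-1) becomes SIZE_MAX: `if (len <= 1)` is then false, `if (! (len == sizeof buf))` is true, and `buf[len] = '\0'` writes far outside the 1024-byte buffer. Declare it `ssize_t len` and return the empty string on `len <= 1`. The branch it guards has the mirror problem: when exactly `sizeof buf` bytes arrive the buffer is never NUL-terminated and `strchr(buf, '\n')` runs off its end, so read at most `sizeof buf - 1` bytes. A single read() on a pipe is also not guaranteed to return the whole line the helper wrote; a loop until EOF (or until the buffer is full) is the safe shape here.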
@@ -65,44 +65,6 @@ fprintf(stderr, "Failed to remove all identitities.\n"); } -char * -ssh_askpass(char *askpass, char *msg) -{ - pid_t pid; - size_t len; - char *nl, *pass; - int p[2], status; - char buf[1024]; - - if (askpass == NULL) - fatal("internal error: askpass undefined"); - if (pipe(p) < 0) - fatal("ssh_askpass: pipe: %s", strerror(errno)); - if ((pid = fork()) < 0) - fatal("ssh_askpass: fork: %s", strerror(errno)); - if (pid == 0) { - close(p[0]); - if (dup2(p[1], STDOUT_FILENO) < 0) - fatal("ssh_askpass: dup2: %s", strerror(errno)); - execlp(askpass, askpass, msg, (char *) 0); - fatal("ssh_askpass: exec(%s): %s", askpass, strerror(errno)); - } - close(p[1]); - len = read(p[0], buf, sizeof buf); - close(p[0]); - while (waitpid(pid, &status, 0) < 0) - if (errno != EINTR) - break; - if (len <= 1) - return xstrdup(""); - nl = strchr(buf, '\n'); - if (nl) - *nl = '\0'; - pass = xstrdup(buf); - memset(buf, 0, sizeof(buf)); - return pass; -} - void add_file(AuthenticationConnection *ac, const char *filename) { diff -U 3 -N -r ORIG/openssh-2.2.0p1/ssh.h openssh-2.2.0p1/ssh.h --- ORIG/openssh-2.2.0p1/ssh.h Tue Aug 22 20:46:25 2000 +++ openssh-2.2.0p1/ssh.h Sat Sep 9 01:10:07 2000 @@ -426,6 +426,12 @@ */ char *read_passphrase(const char *prompt, int from_stdin); +/* + * Reads a passphrase by calling ssh-askpass. Returns the passphrase + * (allocated with xmalloc), being very careful to ensure that no + * other userland buffer is storing the password. + */ +char *ssh_askpass(char *askpass, char *msg); /*------------ Definitions for logging. -----------------------*/ diff -U 3 -N -r ORIG/openssh-2.2.0p1/sshconnect1.c openssh-2.2.0p1/sshconnect1.c --- ORIG/openssh-2.2.0p1/sshconnect1.c Tue Aug 22 20:46:25 2000 +++ openssh-2.2.0p1/sshconnect1.c Sat Sep 9 01:13:35 2000 
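Review bot: the ssh.h prototype `char *ssh_askpass(char *askpass, char *msg)` takes non-const pointers, yet every caller in the following hunks passes either a string literal ("Permission denied, please try again:") or SSH_ASKPASS_DEFAULT, and the function only reads through both; `const char *askpass, const char *msg` would document that and keep the literals out of a mutable type. The four-line comment block is also a verbatim copy of the one in readpass.c; one of the two should go.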
@@ -191,6 +191,8 @@ char *passphrase, *comment; int type, i; int plen, clen; + int interactive = isatty(STDIN_FILENO); + char *askpass = NULL; /* Try to load identification for the authentication key. */ public = key_new(KEY_RSA); @@ -244,7 +246,15 @@ snprintf(buf, sizeof buf, "Enter passphrase for RSA key '%.100s': ", comment); if (!options.batch_mode) - passphrase = read_passphrase(buf, 0); + if (!interactive && getenv("DISPLAY")) { + if (getenv(SSH_ASKPASS_ENV)) + askpass = getenv(SSH_ASKPASS_ENV); + else + askpass = SSH_ASKPASS_DEFAULT; + passphrase = ssh_askpass(askpass, buf); + } else { + passphrase = read_passphrase(buf, 0); + } else { debug("Will not query passphrase for %.100s in batch mode.", comment); @@ -602,6 +612,9 @@ int payload_len; unsigned int clen; char *challenge, *response; + int interactive = isatty(STDIN_FILENO); + char *askpass = NULL; + char buf[300]; debug("Doing skey authentication."); 
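Review bot: in the hunk at -244, the body of `if (!options.batch_mode)` is now an unbraced nested if/else followed by the original `else { debug(...`. The C grammar binds the first `else` to the inner `if (!interactive && getenv("DISPLAY"))` and the second to the outer if, so it compiles and does the right thing, but only because the inner else is present; brace the outer body so a later edit cannot silently re-bind the batch-mode `else`. The SSH_ASKPASS_ENV / SSH_ASKPASS_DEFAULT lookup in the same hunk is repeated at every call site in this file and again in sshconnect2.c; a small helper that also takes the `interactive` and DISPLAY decision would remove the copies and leave one place to audit.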
@@ -625,13 +638,30 @@ if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! " "Reponse will be transmitted in clear text."); - fprintf(stderr, "%s\n", challenge); + if (!interactive && getenv("DISPLAY")) { + if (getenv(SSH_ASKPASS_ENV)) + askpass = getenv(SSH_ASKPASS_ENV); + else + askpass = SSH_ASKPASS_DEFAULT; + snprintf(buf, sizeof buf, + "Challenge: \"%s\"; enter response:", challenge); + } else { + fprintf(stderr, "%s\n", challenge); + } xfree(challenge); fflush(stderr); for (i = 0; i < options.number_of_password_prompts; i++) { - if (i != 0) - error("Permission denied, please try again."); - response = read_passphrase("Response: ", 0); + if (!interactive && getenv("DISPLAY")) { + if (i != 0) + response = ssh_askpass(askpass, + "Permission denied, please try again:"); + else + response = ssh_askpass(askpass, buf); + } else { + if (i != 0) + error("Permission denied, please try again."); + response = read_passphrase("Response: ", 0); + } packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); packet_put_string(response, strlen(response)); memset(response, 0, strlen(response)); 
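Review bot: in the retry path of the hunk at -625, the askpass dialog receives only "Permission denied, please try again:" and not the challenge, so from the second attempt on the user has nothing to compute a response from; build the retry prompt from `buf` (the same snprintf that includes the challenge) so every attempt shows it. `char buf[300]` also silently truncates a long challenge in `snprintf(buf, sizeof buf, "Challenge: \"%s\"; enter response:", challenge)`; either check the snprintf return value or size the buffer from `strlen(challenge)`.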
@@ -657,14 +687,31 @@ { int type, i, payload_len; char *password; + int interactive = isatty(STDIN_FILENO); + char *askpass = NULL; debug("Doing password authentication."); if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! Password will be transmitted in clear text."); + if (!interactive && getenv("DISPLAY")) { + if (getenv(SSH_ASKPASS_ENV)) { + askpass = getenv(SSH_ASKPASS_ENV); + } else { + askpass = SSH_ASKPASS_DEFAULT; + } + } for (i = 0; i < options.number_of_password_prompts; i++) { - if (i != 0) - error("Permission denied, please try again."); - password = read_passphrase(prompt, 0); + if (!interactive && getenv("DISPLAY")) { + if (i != 0) + password = ssh_askpass(askpass, + "Permission denied, please try again:"); + else + password = ssh_askpass(askpass, prompt); + } else { + if (i != 0) + error("Permission denied, please try again."); + password = read_passphrase(prompt, 0); + } packet_start(SSH_CMSG_AUTH_PASSWORD); packet_put_string(password, strlen(password)); memset(password, 0, strlen(password)); diff -U 3 -N -r ORIG/openssh-2.2.0p1/sshconnect2.c openssh-2.2.0p1/sshconnect2.c --- ORIG/openssh-2.2.0p1/sshconnect2.c Tue Aug 22 20:46:25 2000 +++ openssh-2.2.0p1/sshconnect2.c Sat Sep 9 01:10:30 2000 
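Review bot: in the hunk at -657, a cancelled or failed dialog makes ssh_askpass() return xstrdup("") (the `len <= 1` branch in readpass.c), and the loop still packages that empty string into SSH_CMSG_AUTH_PASSWORD, sends it, and reprompts up to number_of_password_prompts times. Treat an empty result from ssh_askpass() as "user cancelled" and break out of the loop (or fail the method) instead of transmitting an empty password, and the same applies to the skey loop in the previous hunk.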
@@ -264,16 +264,30 @@ static int attempt = 0; char prompt[80]; char *password; + int interactive = isatty(STDIN_FILENO); + char *askpass = NULL; if (attempt++ >= options.number_of_password_prompts) return 0; - - if(attempt != 1) - error("Permission denied, please try again."); - + if (!interactive && getenv("DISPLAY")) { + if (getenv(SSH_ASKPASS_ENV)) + askpass = getenv(SSH_ASKPASS_ENV); + else + askpass = SSH_ASKPASS_DEFAULT; + } snprintf(prompt, sizeof(prompt), "%.30s@%.40s's password: ", server_user, host); - password = read_passphrase(prompt, 0); + if (!interactive && getenv("DISPLAY")) { + if (attempt != 1) + password = ssh_askpass(askpass, + "Permission denied, please try again:"); + else + password = ssh_askpass(askpass, prompt); + } else { + if (attempt != 1) + error("Permission denied, please try again."); + password = read_passphrase(prompt, 0); + } packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(server_user); packet_put_cstring(service); @@ -374,6 +388,8 @@ Key *k; int ret = 0; struct stat st; + int interactive = isatty(STDIN_FILENO); + char *askpass = NULL; if (stat(filename, &st) != 0) { debug("key does not exist: %s", filename); @@ -389,7 +405,15 @@ snprintf(prompt, sizeof prompt, "Enter passphrase for DSA key '%.100s': ", filename); - passphrase = read_passphrase(prompt, 0); + if (!interactive && getenv("DISPLAY")) { + if (getenv(SSH_ASKPASS_ENV)) + askpass = getenv(SSH_ASKPASS_ENV); + else + askpass = SSH_ASKPASS_DEFAULT; + passphrase = ssh_askpass(askpass, prompt); + } else { + passphrase = read_passphrase(prompt, 0); + } success = load_private_key(filename, passphrase, k, NULL); memset(passphrase, 0, strlen(passphrase)); xfree(passphrase); From jbaitis at selway.umt.edu Sun Sep 10 19:04:57 2000 
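The askpass mechanism the patch above wires into ssh, as an added example that is not James's code and not OpenSSH's: the helper named by SSH_ASKPASS (or a compiled-in default) is run with the prompt as its only argument and prints the secret on stdout. Two details the patch and its discussion turn on are handled here: a helper that prints no trailing newline still yields the whole secret (the bug fixed in ssh_askpass), and a cancelled dialog is reported as "no answer" rather than returned as an empty password. The default helper path, the `choose_askpass` and `ask_via_helper` names, and the throwaway /bin/sh helpers are this example's own assumptions; the real value of SSH_ASKPASS_DEFAULT is build-specific and not shown in the thread.

```python
"""Added example: the client side of the ssh-askpass protocol."""
import os
import stat
import subprocess
import tempfile

# Assumed compiled-in default (stands in for SSH_ASKPASS_DEFAULT).
DEFAULT_ASKPASS = "/usr/libexec/ssh-askpass"
MAX_PASSPHRASE = 1024  # same size as the patch's 1024-byte buffer


def choose_askpass(env, stdin_is_tty):
    """The patch's selection rule: use a dialog only when stdin is not a
    terminal and DISPLAY is set; SSH_ASKPASS overrides the default."""
    if stdin_is_tty or not env.get("DISPLAY"):
        return None
    return env.get("SSH_ASKPASS") or DEFAULT_ASKPASS


def ask_via_helper(helper, prompt, timeout=30):
    """Run the helper with the prompt as its single argument and return the
    first line it prints, without the newline.  Returns None when the helper
    cannot be run, times out, or exits non-zero (how askpass helpers signal
    Cancel), so the caller can stop instead of sending an empty password."""
    try:
        proc = subprocess.run(
            [helper, prompt],
            stdin=subprocess.DEVNULL,
            stdout=subprocess.PIPE,
            timeout=timeout,
            check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    if proc.returncode != 0:
        return None
    # Bound the size, then cut at the first newline if there is one; a helper
    # that prints no newline at all still yields the complete secret.
    out = proc.stdout[:MAX_PASSPHRASE]
    return out.split(b"\n", 1)[0].decode("utf-8", "replace")


def make_fake_helper(shell_body):
    """Write a throwaway /bin/sh helper (constructed for the demo) and return its path."""
    fd, path = tempfile.mkstemp(prefix="askpass-demo-", suffix=".sh")
    with os.fdopen(fd, "w") as fh:
        fh.write("#!/bin/sh\n" + shell_body + "\n")
    os.chmod(path, stat.S_IRWXU)
    return path


if __name__ == "__main__":
    env = {"DISPLAY": ":0"}
    helper = make_fake_helper('printf "s3cret"')   # no trailing newline
    cancel = make_fake_helper('exit 1')             # user pressed Cancel
    try:
        print("helper :", choose_askpass(env, stdin_is_tty=False))
        print("secret :", ask_via_helper(helper, "Enter passphrase:"))
        print("cancel :", ask_via_helper(cancel, "Enter passphrase:"))
    finally:
        os.unlink(helper)
        os.unlink(cancel)
```

The prompt is passed as argv[1] and never through the environment or stdin, so a helper can display it but a bystander cannot read the answer from the process list; the answer travels only over the pipe, which is why the C version zeroes its buffer after copying the string out.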
From: jbaitis at selway.umt.edu (Jeff Baitis)
Date: Sun, 10 Sep 2000 02:04:57 -0600 (MDT)
Subject: X11 forwarding under Linux
Message-ID: 

Hello, I have been having issues with x11 forwarding using my linux-mandrake based servers. I checked my XAUTHORITY variable and it was set to ~/.Xauthority ... After reading the mail archives, I found the /tmp/ssh* directory created during my ssh session, and did this:

export XAUTHORITY="/tmp/ssh-hzuA1805/cookies"
xeyes

...and the X11 forwarding worked!

I'm using the openssh-2.2.0p1-2 openssh-askpass-2.2.0p1-2 openssh-clients-2.2.0p1-2 openssh-server-2.2.0p1-2 rpm packages.

I look forward to running a version of openSSH-linux to have x11 forwarding working !!!

Please see reference to:
http://marc.theaimsgroup.com/?l=secure-shell&m=96808107729963&w=2

If you respond, please cc your response to baitisj at cyberdude.com as I am not subscribed to the mailing list.

Thank you for your excellent software,
Jeff

> When you're sshed in, check the XAUTHORITY variable. It should be
> something like /tmp/ssh-efPeK778/cookies . /etc/profile.d/xhost.sh
> should be something like this:

From mouring at pconline.com Mon Sep 11 04:39:45 2000
From: mouring at pconline.com (Ben Lindstrom) Date: Sun, 10 Sep 2000 12:39:45 -0500 (CDT) Subject: [PATCH] -o option for scp (Re: -1 and friends) In-Reply-To: Message-ID: Since there was a lot of chatter about -o, -1, and -2 for scp. I figured I'll just go ahead and do this. The following patch includes is to add the -o option to scp. It supports a max of 40 -o options at the command line (I picked that number because there are around 43 current options that readconf.c supports. However as we know not all of them are valid on the command line. This could be lowered). I also bumped the char *args[100] in do_cmd() to char *args[140] as another safety measurement. I'm sure that MAX_SSH_OPTS could be lowered to around 10 - 20. But I just felt that 40 would be a good starting point. Markus. Feel free to let me know if I overlooked something. -------------- next part -------------- --- ../openssh/scp.c Tue Sep 5 00:13:07 2000 +++ scp.c Sun Sep 10 12:24:18 2000 @@ -117,6 +117,11 @@ /* This is the program to execute for the secured connection. ("ssh" or -S) */ char *ssh_program = SSH_PROGRAM; +/* This is the options (-o) to use when starting up ssh for the connection */ +#define MAX_SSH_OPTS 40 /* Rough number of max options in readconfig.c */ +char *ssh_opts[MAX_SSH_OPTS]; /* XXX Careful [but handled in main()] */ +int ssh_opts_cnt = 0; + /* * This function executes the given command as the specified user on the * given host. This returns < 0 if execution fails, and >= 0 otherwise. This @@ -150,16 +155,16 @@ /* For a child to execute the command on the remote host using ssh. */ if (fork() == 0) { - char *args[100]; /* XXX careful */ + char *args[140]; /* XXX careful */ unsigned int i; - /* Child. */ + /* Child. */ close(pin[1]); close(pout[0]); dup2(pin[0], 0); dup2(pout[1], 1); close(pin[0]); - close(pout[1]); + close(pout[1]); i = 0; args[i++] = ssh_program; 
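Review bot: the hunk at -150 grows `args` from 100 to 140 with only the existing `XXX careful` comment, while the hunk at -117 admits MAX_SSH_OPTS (40) options that each consume two slots ("-o" plus the value), so the two numbers must be kept in step by hand and nothing stops `i` from running past the end once the file arguments are appended later. Derive the size from the constant (e.g. `args[2 * MAX_SSH_OPTS + 60]`) or, better, check `i` before each `args[i++]`. Two nits in the same hunks: the `- /* Child. */` / `+ /* Child. */` and `close(pout[1]);` pairs change only whitespace and should be dropped from the patch, and the comment on MAX_SSH_OPTS says readconfig.c where the file (as the message itself says) is readconf.c.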
@@ -175,6 +180,13 @@ args[i++] = "-C"; if (batchmode) args[i++] = "-oBatchMode yes"; + if (ssh_opts_cnt > 0) { + int x; + for (x=0;x < ssh_opts_cnt;x++) { + args[i++] = "-o"; + args[i++] = ssh_opts[x]; + } + } if (cipher != NULL) { args[i++] = "-c"; args[i++] = cipher; @@ -262,7 +274,7 @@ extern int optind; fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46S:")) != EOF) + while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q46So:")) != EOF) switch (ch) { /* User-visible flags. */ case '4': @@ -283,6 +295,13 @@ case 'S': ssh_program = optarg; break; + case 'o': + if (ssh_opts_cnt != MAX_SSH_OPTS) + ssh_opts[ssh_opts_cnt++] = optarg; + else + fatal("Exceeded max -o options (%d)", + MAX_SSH_OPTS); + break; /* Server options. */ case 'd': From jmknoble at pint-stowp.cx Mon Sep 11 05:34:54 2000 
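Review bot: the getopt string in the @@ -262 hunk loses the colon after S: `"dfprtvBCc:i:P:q46So:"` should read `"dfprtvBCc:i:P:q46S:o:"`, otherwise -S no longer takes the ssh program path as its argument and the `case 'S': ssh_program = optarg;` branch below it is handed a NULL optarg (scp -S /path/to/ssh breaks). Worth a quick `scp -S /bin/true` test before this goes in.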
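Review bot: in the @@ -150 hunk, raising `args` from 100 to 140 does not cover the new entries: each -o pushes two pointers (`"-o"` plus the value) in the @@ -175 loop, so 40 options add 80 entries on top of whatever do_cmd() already fills, and `char *args[140]` on the child's stack can overflow with roughly 20 or more -o options. Size it from the limit, e.g. `char *args[100 + 2 * MAX_SSH_OPTS];`, or check `i + 2 < sizeof(args) / sizeof(args[0])` before each push; the surviving `/* XXX careful */` comment is the sign this should be a real bound rather than a guess.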
From: jmknoble at pint-stowp.cx (Jim Knoble)
Date: Sun, 10 Sep 2000 14:34:54 -0400
Subject: X11 forwarding under Linux
In-Reply-To: ; from jbaitis@selway.umt.edu on Sun, Sep 10, 2000 at 02:04:57AM -0600
References:
Message-ID: <20000910143454.A7314@quipu.half.pint-stowp.cx>

[Mailed and posted.]

There's some discussion about this exact problem here:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=95427721905704&w=2
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=95428316310940&w=2

The problem lies with the Linux distribution, not with OpenSSH. An actual fix would entail coercing the distributions that have this problem to fix it in their shell initialization scripts (possibly by filing bug reports).

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/

Circa 2000-Sep-10 02:04:57 -0600 dixit Jeff Baitis:

: Hello, I have been having issues with x11 forwarding using my
: linux-mandrake based servers. I checked my XAUTHORITY variable and it was
: set to ~/.Xauthority ... After reading the mail archives, I found the
: /tmp/ssh* directory created during my ssh session, and did this:
: 
: export XAUTHORITY="/tmp/ssh-hzuA1805/cookies"
: xeyes
: 
: ...and the X11 forwarding worked!
: 
: I'm using the openssh-2.2.0p1-2 openssh-askpass-2.2.0p1-2
: openssh-clients-2.2.0p1-2 openssh-server-2.2.0p1-2 rpm packages.
: 
: I look forward to running a version of openSSH-linux to have x11
: forwarding working !!!
: 
: Please see reference to:
: http://marc.theaimsgroup.com/?l=secure-shell&m=96808107729963&w=2
: 
: If you respond, please cc your response to baitisj at cyberdude.com as I am
: not subscribed to the mailing list.
: 
: Thank you for your excellent software,
: Jeff
: 
: > When you're sshed in, check the XAUTHORITY variable. It should be
: > something like /tmp/ssh-efPeK778/cookies . /etc/profile.d/xhost.sh
: > should be something like this:

From paul at engsoc.org Mon Sep 11 06:34:38 2000
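The distribution bug Jim describes is a login script that assigns XAUTHORITY unconditionally, throwing away the per-session cookie file sshd exported. The script below is an added example, not code from either message or from OpenSSH; it shows the guard a profile.d script should use instead, plus a check that reports the symptom Jeff saw. It assumes (the thread only gives the /tmp/ssh-XXXX/cookies path) that forwarded displays carry a display number of 10 or more, the default X11DisplayOffset.

```shell
#!/bin/sh
# Added example, not code from the list posting or from OpenSSH.
# What a login script should do with XAUTHORITY so it does not clobber the
# per-session cookie file sshd exported for a forwarded X11 connection.
#
# Assumptions (the page only gives the /tmp/ssh-XXXX/cookies path):
#   - sshd exports XAUTHORITY=/tmp/ssh-<random>/cookies for forwarded sessions
#   - a forwarded DISPLAY has a display number of 10 or more (the default
#     X11DisplayOffset), e.g. "myhost:10.0"; a local X server is ":0.0"

# xauthority_for CURRENT_VALUE HOME
# Prints what XAUTHORITY should be after the profile script has run: keep
# an existing value (sshd's cookie file), and only fall back to
# $HOME/.Xauthority when nothing is set.  The broken distribution script
# assigns ~/.Xauthority unconditionally, which is the bug reported above.
xauthority_for() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        printf '%s/.Xauthority\n' "$2"
    fi
}

# x11_forward_looks_broken DISPLAY XAUTHORITY
# Exit status 0 when DISPLAY is a forwarded display but XAUTHORITY does not
# point at an sshd cookie file, i.e. the symptom reported above; 1 otherwise.
x11_forward_looks_broken() {
    display=$1 xauth=$2
    num=${display#*:}            # "10.0"
    num=${num%%.*}               # "10"
    case $num in
        ''|*[!0-9]*) return 1 ;; # no numeric display number: nothing to check
    esac
    [ "$num" -ge 10 ] || return 1          # local display, not forwarded
    case $xauth in
        /tmp/ssh-*/cookies) return 1 ;;    # sshd's cookie file: fine
        *) return 0 ;;                     # clobbered, e.g. $HOME/.Xauthority
    esac
}

# Drop-in for an /etc/profile.d/xhost.sh style script:
#   XAUTHORITY=$(xauthority_for "$XAUTHORITY" "$HOME"); export XAUTHORITY
#   if x11_forward_looks_broken "$DISPLAY" "$XAUTHORITY"; then
#       echo "warning: XAUTHORITY does not match the forwarded DISPLAY" >&2
#   fi
```

The point of the guard is ordering: sshd sets XAUTHORITY before the login shell runs, so any script that assigns it without testing first will always win, and xauth will then look for the forwarded display's cookie in a file that does not contain it.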
From: paul at engsoc.org (Paul Nicholas Faure)
Date: Sun, 10 Sep 2000 15:34:38 -0400 (EDT)
Subject: OpenSSH and PAM
In-Reply-To: <20000910192158.63DDB1A4B9@toad.mindrot.org>
Message-ID:

Does OpenSSH support PAM fully? OpenSSH does not prompt the user for a new password if it has expired. It simply says "Warning: Your password has expired, please change it now".

My /etc/pam.d/sshd file is:

    auth       required     /lib/security/pam_securetty.so
    auth       required     /lib/security/pam_unix.so shadow nullok
    auth       required     /lib/security/pam_nologin.so
    account    required     /lib/security/pam_unix.so
    password   required     /lib/security/pam_cracklib.so retry=3
    password   required     /lib/security/pam_unix.so shadow nullok use_authtok nis
    session    required     /lib/security/pam_unix.so
    session    optional     /lib/security/pam_console.so

My /etc/pam.d/login file is the same as /etc/pam.d/sshd. And telnet properly prompts me for a password.

-- 
Paul Faure                                   paul at paulfaure.com
Carleton University Systems Engineer 3rd Year   paul at porkchop.org
Engsoc Admin/BOG Technical Director            paul at engsoc.org

From damien at galexia.com.au Mon Sep 11 10:03:34 2000
From: damien at galexia.com.au (Damien Mascord)
Date: Mon, 11 Sep 2000 10:03:34 +1100
Subject: -1 and friends
In-Reply-To:
References:
Message-ID: <4.3.2.7.2.20000911100122.00ba9830@mail.galexia.com.au>

Hi,

Doesn't scp -v continue running, and not quit after one session? As sshd -d quits after one session, and therefore consolidating these options would probably be more confusing than not. Unless of course you could have multiple sessions in sshd using the -v switch...

Anyway... probably not important.

Damien

>But we can do better than the old ways!
>
>Well how about for all of scp, ssh and sshd:
> -1 conflicts with nothing and looks like SSH.com
> -2 conflicts with nothing and looks like SSH.com
> -d conflicts with nothing and turns on debug stuff
> -P [port] to set the port to use
> -o [options] to set other options
>
>All the other stuff could stay for back compatibility.

_____________________________________________________________
Damien Mascord                     Email: damien at galexia.com.au
Network and System Administrator   http://www.galexia.com.au
Galexia                            Mobile: +61 414 448 272
Level 1, 3 Montague Street         Tel: +61 2 9555 5913
Balmain, NSW 2041 Australia        Fax: +61 2 9555 5688

From drosih at rpi.edu Mon Sep 11 11:41:07 2000
From: drosih at rpi.edu (Garance A Drosihn)
Date: Sun, 10 Sep 2000 20:41:07 -0400
Subject: -1 and friends
In-Reply-To: <20000909125656.E1911@greenie.muc.de>
References: <20000909125656.E1911@greenie.muc.de>
Message-ID:

At 12:56 PM +0200 9/9/00, Gert Doering wrote:
>Hi,
>
>On Fri, Sep 08, 2000 at 06:14:01PM -0700, Gary E. Miller wrote:
> > On Fri, 8 Sep 2000, Garance A Drosihn wrote:
> > > At 3:46 PM -0700 9/8/00, Gary E. Miller wrote:
> > > >I would also like to argue for more orthogonality between scp,
> > > >ssh and sshd.
> > >
> > > I suspect you did not want to ask for "more orthogonality"...
> >
> > Yes I did. This is the lingo CPU designers use when they mean that
> > they want a class of instructions to look similar.
>
>Actually, "orthogonal" in mathematics and physics means exactly the
>opposite: a set of vectors being orthogonal means all of them are at
>right angles to each other, the scalar product being zero...

And indeed, I come from a physics and math background... :-) (many years ago). I still tend to use it the same way in computer science contexts, although that might not be standard practice. If I were to say the options in a set of commands should be orthogonal, I would mean that the options for one command would be unrelated to the options for another command in that set.

If I want the options to be the same across a set of commands, I would much rather use the word "consistent", simply because everyone will have the same idea of what that means.

We now return you to the original topic, instead of this orthogonal digression... :-)

---
Garance Alistair Drosehn       =   gad at eclipse.acs.rpi.edu
Senior Systems Programmer          or  drosih at rpi.edu
Rensselaer Polytechnic Institute

From claus.fischer at werhats.at Mon Sep 11 12:20:17 2000
From: claus.fischer at werhats.at (Claus Fischer)
Date: Sun, 10 Sep 2000 18:20:17 -0700
Subject: Suggestion for config file enhancement
Message-ID: <20000910182017.B29456@boltzmann.strudlhofstiege>

In order to provide more control over the port forwarding feature, it would be nice to add these options to the per-key configuration on the server side:

    no-X11-forwarding
    no-agent-forwarding
    no-pty
    command="sleep 10"
    client-local-forward 25
    client-remote-forward 26

This would allow a remote client to establish port forwarding, but only sending to the server port 25 (SMTP) and only listening on server port 26. The client could connect server port 26 to his own mail server.

The purpose is that you can have multiple people with authority to port-forward, but each must use a specifically assigned server port (here 26). No one could `steal' another person's assigned port.

Claus

(please CC: me since I'm not subscribed; sorry)

-- 
Claus Fischer (claus.fischer at werhats.at)

From Dirk.DeWachter at rug.ac.be Mon Sep 11 18:40:15 2000
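To make the proposed semantics concrete, here is an added example of the check sshd would run when a client asks for a forward; it is not OpenSSH code and not part of Claus's message. The option syntax is an assumption: authorized_keys options are comma separated, so the proposal's `client-local-forward 25` is written `client-local-forward=25` here, and the option may be repeated to allow several ports. It goes one step past the message by also handling keys that carry no restriction for a direction (they keep today's unrestricted behaviour).

```shell
#!/bin/sh
# Added example, not OpenSSH code: a policy check implementing the per-key
# forwarding restriction proposed above, so the semantics can be tried out.
#
# Assumed syntax (authorized_keys options are comma separated, so the
# proposal's "client-local-forward 25" is written client-local-forward=25):
#   client-local-forward=N   -L forwards may only target server port N
#   client-remote-forward=N  -R forwards may only listen on server port N
# A key without the option for a direction keeps today's behaviour (any
# port); the option may be repeated to allow several ports.  Option values
# containing commas (e.g. inside command="...") are not handled here.

# forward_allowed OPTIONS DIRECTION PORT
#   OPTIONS    the option list in front of the key in authorized_keys
#   DIRECTION  local  (client -L: connecting to a port on the server side)
#              remote (client -R: listening on a port on the server side)
#   PORT       the server-side port the client asked for
# Returns 0 if the request is permitted, 1 if sshd should refuse it.
forward_allowed() {
    opts=$1 dir=$2 port=$3
    case $dir in local|remote) ;; *) return 1 ;; esac
    case $port in ''|*[!0-9]*) return 1 ;; esac
    restricted=0 matched=0
    old_ifs=$IFS
    IFS=,
    set -f                        # no globbing of option words
    for opt in $opts; do
        case $opt in
            "client-$dir-forward="*)
                restricted=1      # this key is pinned for this direction
                if [ "${opt#*=}" = "$port" ]; then
                    matched=1
                fi
                ;;
        esac
    done
    set +f
    IFS=$old_ifs
    # unrestricted keys pass; restricted keys pass only on an exact match
    [ "$restricted" -eq 0 ] || [ "$matched" -eq 1 ]
}
```

Wired into the channel-open path, a refused request should also be logged together with the key's comment, so the administrator can see who tried to bind someone else's assigned port.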
From: Dirk.DeWachter at rug.ac.be (Dirk De Wachter)
Date: Mon, 11 Sep 2000 09:40:15 +0200
Subject: PATCH: HPUX trusted system password checking
In-Reply-To: <200009081433.QAA20011@b0fh.sweden.hp.com>
References: <39B8F4A4.19213.42E3C36@localhost>
Message-ID: <39BCA87F.17507.28D6E0@localhost>

Thank you Kevin for your prompt reply. Given your input, I have reiterated through the configure process. I haven't mentioned it in my previous mail, but I ran a plain configure process, without forcing anything by options, except for the program and configuration locations.

First the password issue. As you already pointed out: HAVE_SHADOW_H is not set during the configure step. I gather that this is because my stupid HPUX system always gives a warning about the "Redefinition of macro MAXINT". E.g. the Samba (http://www.samba.org) configure process has a hack for this error, but most configure scripts choke on this and fail to set the #define. I have now manually set it in config.h and it is currently compiling. I guess this will clean things out and make it work almost 'out of the box'.

I don't like to use PAM since it was only introduced for DCE (which I don't use) and is greatly unsupported for HPUX 10.20. I have never tried to make it work for other programs. Moreover if PAM is not installed but the HPUX-trusted password change is, we will still need to support it, I guess. Others might have different views though.

I like your suggestion of using iscomsec to differentiate between a trusted/regular system, as this will allow to have the same binary shared over NFS by different systems.

The error of not finding xauth was caused by myself. I had restricted the PATH of the configure process, so it wasn't able to find its location. I apologize for the confusion.

Best regards,
Dirk

On 8 Sep 2000, at 16:38, Kevin Steves wrote about Re: PATCH: HPUX trusted system password checking:

> On Fri, 8 Sep 2000, Dirk De Wachter wrote:
> : The HPUX 10.20 trusted system hack doesn't work yet as intended.
> : I have adapted the auth-passwd.c file to make it work.
> :
> : Please find a context diff file attached to this file. This diff is
> : against the latest OpenSSH 2.2.0p1 released Sept 2, 2000.
>
> Using the getprpwent() interface may be a good direction, since
> getspent() is deprecated, but from a look at the code, why didn't it
> execute the code that uses getspnam()? Is HAVE_SHADOW_H defined and
> DISABLE_SHADOW undefined in config.h? Also, does PAM work with OpenSSH
> on 10.20? PAM is on 10.20, but was only used by CDE. If PAM is
> sufficiently supported on 10.20, I wouldn't mind getting rid of the
> HPUX_TRUSTED stuff and only supporting PAM on 10.20 and 11.0.
> Otherwise, I'd like to clean things up including always linking with
> -lsec and using iscomsec(2) to differentiate between trusted/not trusted
> at runtime.
>
> : Also on HPUX 10.20, xauth is not found at the standard location.
> : Perhaps this standard location could be changed automagically to
> : /usr/bin/X11/auth once HPUX is detected.
>
> It's detected on 11.0 and it's the same path so I don't immediately see
> what's happening.
>

*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*
Dirk De Wachter, MScEE, MScBME, PhD          mailto:Dirk.DeWachter at rug.ac.be
postdoctoral fellow, systems administrator   http://navier.rug.ac.be
Hydraulics Laboratory, Ibitech, University of Gent   voice:+32 9 264 3281
Sint-Pietersnieuwstraat 41, B-9000 Gent Belgium      faxto:+32 9 264 3595
~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~--~

From djm at mindrot.org Mon Sep 11 19:59:23 2000
From: djm at mindrot.org (Damien Miller)
Date: Mon, 11 Sep 2000 19:59:23 +1100 (EST)
Subject: sftp
In-Reply-To: <200009061900.VAA05289@b0fh.sweden.hp.com>
Message-ID:

On Wed, 6 Sep 2000, Kevin Steves wrote:

> On Fri, 1 Sep 2000, Damien Miller wrote:
> : It wont be in the release later today, but it will be followed with a
> : snapshot pretty quickly with sftp, better PAM and a few other patches
> : which have accrued in the last week.
>
> I'm curious about the PAM changes coming. I'm taking a closer look
> at the workings of PAM on HP-UX 11 and one thing that's missing is
> the ability to change an expired password.

There was a patch posted a few weeks ago which allowed challenge-response auth through PAM so things like the PAM SKEY and OPIE modules could be used. It also cleaned up the PAM conversation function a little bit.

-d

-- 
| ``The power of accurate observation is     | Damien Miller
| commonly called cynicism by those who      | @Work
| have not got it'' - George Bernard Shaw    | http://www.mindrot.org

From larry.jones at sdrc.com Tue Sep 12 08:21:15 2000
From: larry.jones at sdrc.com (Larry Jones)
Date: Mon, 11 Sep 2000 17:21:15 -0400 (EDT)
Subject: Problems/patches for BSD/OS 4.0.1
Message-ID: <200009112121.RAA06654@thor.sdrc.com>

Two small problems with 2.2.0p1 on BSD/OS 4.0.1, both involving the internal entropy collector:

1) The ``ls'' commands in ssh_prng_cmds.in all use -n, which isn't valid on BSD/OS and thus caused them all to fail when fixprogs checked them. BSD/OS does, however, have a -T flag which gives complete timestamp information (month, day, year, hour, minute, and second), which seems like a useful addition. I suspect the configure script should be enhanced to deal with this, but I don't know enough about configure to suggest a patch.

2) The fixprogs script doesn't reopen the child process's STDIN, STDOUT, and STDERR correctly. This caused all of the ``tail'' commands in ssh_prng_cmds to fail because they couldn't write to stdout. Here's a patch:

--- fixprogs.orig Thu May 18 09:12:50 2000 +++ fixprogs Mon Sep 11 16:57:42 2000 @@ -44,9 +44,9 @@ if (! ($pid = fork())) { # child close STDIN; close STDOUT; close STDERR; - open STDIN, "/dev/null"; - open STDERR, ">/dev/null"; + open (STDIN, "/tmp/foo"); + open (STDERR, ">/dev/null"); exec $path @args; exit 1; # shouldn't be here }

Neither of these would have been fatal alone, but together they reduced the number of available entropy sources to 15, one less than the required minimum of 16, which caused the PRNG initialization to fail.

-Larry Jones

In short, open revolt and exile is the only hope for change? -- Calvin

From tyoshida at gemini.rc.kyushu-u.ac.jp Tue Sep 12 22:21:54 2000
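Review bot: the added `open (STDIN, "/tmp/foo");` line in the @@ -44 hunk points the child's stdin at a scratch file that will not exist on other systems; it reads like a debugging leftover and should stay at /dev/null, opened read-only explicitly (`open (STDIN, "</dev/null");`). The hunk also closes STDOUT in its context line but neither the removed nor the added lines reopen it, even though the covering text says the ``tail'' commands failed because they could not write to stdout; if the parent is meant to read the command's output through a pipe, the dup onto STDOUT belongs here, otherwise STDOUT should be reopened to /dev/null as well so the entropy commands do not die on a closed descriptor.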
From: tyoshida at gemini.rc.kyushu-u.ac.jp (Takashi YOSHIDA)
Date: Tue, 12 Sep 2000 20:21:54 +0900
Subject: A very small bug report
Message-ID: <20000912202154W.tyoshida@gemini.rc.kyushu-u.ac.jp>

Dear mailing list of OpenSSH,

There is a very small bug in openssh-2.1.1p4. After extracting openssh-2.1.1p4.tar.gz, there is a file named "openssh.spec" for constructing an rpm file of SuSE Linux in "openssh-2.1.1p4/contrib/suse/". A small bug in the "openssh.spec" file brings about failure in constructing an rpm file.

Line 171 in "openssh.spec"

    install -m644 sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd

should be

    install -m644 contrib/sshd.pam.generic $RPM_BUILD_ROOT/etc/pam.d/sshd

Sincerely yours,

Takashi Yoshida
Kyushu Univ.
Ropponmatsu, Fukuoka 810-8560, JAPAN
E-mail: tyoshida at gemini.rc.kyushu-u.ac.jp

From Tomi.Ollila at sonera.com Tue Sep 12 22:49:15 2000
From: Tomi.Ollila at sonera.com (Tomi Ollila)
Date: Tue, 12 Sep 2000 14:49:15 +0300 (EET DST)
Subject: Cleartext pre-authentication before going to secure mode.
Message-ID: <14782.6203.450097.174606@chardonnay.ajk.tele.fi>

Hi

This is a feature request.

1) Make sshd ignore garbage that may appear before the ssh identification string is received. Such "garbage" may be for example telnet negotiation codes. This should be a pretty easy task.

2) Make ssh work in cleartext mode (and have minimum telnet negotiation handling) before it receives the ssh identification string. This requires somewhat complex work to do.

This way one could for example pass a firewall authentication sequence before the connection is passed to the ssh server on the other end -- firewalls obviously cannot intercept secure communication in order to do that.

For the time being, such a feature can be used with my tt4ssh "wrappers" I've just completed. The software (BSD licensed) is available at http://www.iki.fi/too/sw/releases/tt4ssh10.tar.gz and it has the following programs:

tt4sshd -- listens on a port (given at cmd line); when a connection arrives, waits 1/2 sec, reads any "garbage" received, and then execs sshd with option `-i' to handle the rest of the traffic. The 1/2 sec wait is just an arbitrary time... The port usually used is the telnet (23) port (???)

tt4ssh -- connects to remote host (default port 23, can be changed), handles minimum telnet negotiations (changes between line/character mode). When tt4ssh receives the beginning of the SSH ident string `SSH-', it launches ssh 127.0.0.1 -p [rest tt4ssh args] and relays data between the network and this local port.

This system works quite well for me -- I can pass a firewall which does authentication on the telnet port, and then use ssh for communication with my peer machine. The only problem is that when ssh connects to localhost, it cannot check whether the other end is already known...

A "textshot" of my logging sequence through FW-1 with SecurID authentication:

    home$ ./tt4ssh 192.168.16.6
    CLEARTEXT>
    CLEARTEXT>
    CLEARTEXT> Company Corporate Network
    CLEARTEXT>
    CLEARTEXT>
    CLEARTEXT> Check Point FireWall-1 authenticated Telnet server running on FW
    CLEARTEXT>
    CLEARTEXT> User: unski
    CLEARTEXT> PASSCODE: **********
    CLEARTEXT> User unski authenticated by SecurID
    CLEARTEXT>
    CLEARTEXT> Connected to 192.168.16.6
    *** Launching `ssh 127.0.0.1 -p 22222'
    unski at 127.0.0.1's password:
    Last login: Mon Sep 11 10:35:26 2000 from fw.company.com
    work$

Tomi Ollila

From stevesk at sweden.hp.com Wed Sep 13 00:23:56 2000
From: stevesk at sweden.hp.com (Kevin Steves) Date: Tue, 12 Sep 2000 15:23:56 +0200 (CEST) Subject: PATCH: HPUX trusted system password checking In-Reply-To: <39BCA87F.17507.28D6E0@localhost> Message-ID: <200009121324.PAA10384@b0fh.sweden.hp.com> On Mon, 11 Sep 2000, Dirk De Wachter wrote: : I don't like to use PAM since it was only introduced for DCE (which I : don't use) and is greatly unsupported for HPUX 10.20. I have never : tried to make it work for other programs. Moreover if PAM is not : installed but the HPUX-trusted password change is, we will still need : to support it, I guess. Others might have different views though. : I like your suggestion of using iscomsec to differentiate between a : trusted/regular system, as this will allow to have the same binary : shared over NFS by different systems. Attached is a patch which removes the HAVE_HPUX_TRUSTED_SYSTEM_PW define, and instead uses __hpux to determine if we're HP-UX and iscomsec(2) to determine if commercial security/trusted system is enabled. I have only tested this on HP-UX 11.0 (with --without-pam), but I think it should work on 10.20. Note that because I define DISABLE_SHADOW the password age check in auth.c that I *think* was getting executed on HP-UX is no longer included. There should probably be an || __hpux to keep that. The password aging support needs work for non-trusted, trusted/shadow and PAM. I'm not sure how best to handle that right now. -------------- next part -------------- --- openssh/configure.in Tue Sep 5 07:13:07 2000 +++ openssh-ks/configure.in Tue Sep 12 13:00:50 2000 
@@ -73,16 +73,8 @@ CFLAGS="$CFLAGS -D_HPUX_SOURCE" IPADDR_IN_DISPLAY=yes AC_DEFINE(USE_PIPES) - AC_MSG_CHECKING(for HPUX trusted system password database) - if test -f /tcb/files/auth/system/default; then - AC_MSG_RESULT(yes) - AC_DEFINE(HAVE_HPUX_TRUSTED_SYSTEM_PW) - LIBS="$LIBS -lsec" - AC_MSG_WARN([This configuration is untested]) - else - AC_MSG_RESULT(no) - AC_DEFINE(DISABLE_SHADOW) - fi + AC_DEFINE(DISABLE_SHADOW) + LIBS="$LIBS -lsec" MANTYPE='$(CATMAN)' mansubdir=cat ;; @@ -90,16 +82,8 @@ CFLAGS="$CFLAGS -D_HPUX_SOURCE" IPADDR_IN_DISPLAY=yes AC_DEFINE(USE_PIPES) - AC_MSG_CHECKING(for HPUX trusted system password database) - if test -f /tcb/files/auth/system/default; then - AC_MSG_RESULT(yes) - AC_DEFINE(HAVE_HPUX_TRUSTED_SYSTEM_PW) - LIBS="$LIBS -lsec" - AC_MSG_WARN([This configuration is untested]) - else - AC_MSG_RESULT(no) - AC_DEFINE(DISABLE_SHADOW) - fi + AC_DEFINE(DISABLE_SHADOW) + LIBS="$LIBS -lsec" MANTYPE='$(CATMAN)' mansubdir=cat ;; --- openssh/acconfig.h Tue Sep 5 07:13:07 2000 +++ openssh-ks/acconfig.h Tue Sep 12 13:43:14 2000 @@ -186,9 +186,6 @@ /* Define if you want to use shadow password expire field */ #undef HAS_SHADOW_EXPIRE -/* Define if you want have trusted HPUX */ -#undef HAVE_HPUX_TRUSTED_SYSTEM_PW - /* Define if you have Digital Unix Security Integration Architecture */ #undef HAVE_OSF_SIA --- openssh/auth-passwd.c Tue Sep 5 07:13:07 2000 +++ openssh-ks/auth-passwd.c Tue Sep 12 13:59:31 2000 @@ -21,14 +21,14 @@ #ifdef WITH_AIXAUTHENTICATE # include #endif -#ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW +#ifdef __hpux # include # include #endif -#ifdef HAVE_SHADOW_H +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) # include #endif -#ifdef HAVE_GETPWANAM +#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) # include # include # include 
@@ -55,10 +55,13 @@ char *encrypted_password; char *pw_password; char *salt; -#ifdef HAVE_SHADOW_H +#ifdef __hpux + struct pr_passwd *spw; +#endif +#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) struct spwd *spw; #endif -#ifdef HAVE_GETPWANAM +#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) struct passwd_adjunct *spw; #endif #ifdef WITH_AIXAUTHENTICATE @@ -117,34 +120,29 @@ } #endif - /* Check for users with no password. */ - if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) - return 1; - pw_password = pw->pw_passwd; + /* Various interfaces to shadow or protected password data */ #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) spw = getspnam(pw->pw_name); if (spw != NULL) - { - /* Check for users with no password. */ - if (strcmp(password, "") == 0 && strcmp(spw->sp_pwdp, "") == 0) - return 1; - pw_password = spw->sp_pwdp; - } #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ + #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) - { - /* Check for users with no password. */ - if (strcmp(password, "") == 0 && strcmp(spw->pwa_passwd, "") == 0) - return 1; - pw_password = spw->pwa_passwd; - } #endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */ +#ifdef __hpux + if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL) + pw_password = spw->ufld.fd_encrypt; +#endif + + /* Check for users with no password. */ + if (strcmp(password, "") == 0 && strcmp(pw_password, "") == 0) + return 1; + if (pw_password[0] != '\0') salt = pw_password; else 
@@ -156,11 +154,14 @@ else encrypted_password = crypt(password, salt); #else /* HAVE_MD5_PASSWORDS */ -# ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW - encrypted_password = bigcrypt(password, salt); +# ifdef __hpux + if (iscomsec()) + encrypted_password = bigcrypt(password, salt); + else + encrypted_password = crypt(password, salt); # else encrypted_password = crypt(password, salt); -# endif /* HAVE_HPUX_TRUSTED_SYSTEM_PW */ +# endif /* __hpux */ #endif /* HAVE_MD5_PASSWORDS */ /* Authentication is accepted if the encrypted passwords are identical. */ From joden at eworld.wox.org Wed Sep 13 00:46:31 2000 From: joden at eworld.wox.org (James Oden) Date: Tue, 12 Sep 2000 09:46:31 -0400 (EDT) Subject: PATCH: HPUX trusted system password checking In-Reply-To: <200009121324.PAA10384@b0fh.sweden.hp.com> from "Kevin Steves" at Sep 12, 2000 03:23:56 PM Message-ID: <200009121346.JAA19498@eworld.wox.org> Is there any work being done to create HP/UX (or rather SD/UX) packages of openssh? I would reall like to see a make target like: make depot that would build a package after you had done the regular make. I have been thinking about doing this myself, but I don't know if I have the time right now to do this. If I did try to do this, is there anything in particular I would need to be aware of? Thanks...james From markus at openbsd.org Wed Sep 13 00:54:52 2000 
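Review bot: in the auth-passwd.c @@ -117 hunk the brace blocks under `if (spw != NULL)` and `if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)` are removed, including the `pw_password = spw->sp_pwdp;` and `pw_password = spw->pwa_passwd;` assignments, and nothing re-adds them. As shown, each of those `if` statements is left without a body of its own, and on a Linux shadow system pw_password stays at pw->pw_passwd (the placeholder from /etc/passwd), so password authentication fails. Keep the assignment as the body of each `if`, mirroring the new `#ifdef __hpux` block that follows: `if (spw != NULL) pw_password = spw->sp_pwdp;`. Moving the empty-password test after all three lookups is a good change, since it now covers every source of the hash.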
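Review bot: the @@ -55 hunk declares `struct pr_passwd *spw;` under `#ifdef __hpux` and `struct spwd *spw;` under `HAVE_SHADOW_H && !DISABLE_SHADOW`; that only compiles because the configure.in hunks now define DISABLE_SHADOW unconditionally for HP-UX. Anyone who drops DISABLE_SHADOW to get back the password-ageing check the mail says is lost will hit a duplicate declaration. Give the HP-UX pointer its own name (`struct pr_passwd *prpw;`) and use it in the `iscomsec()` branch of the @@ -117 hunk, so the three lookup blocks stay independent of each other's config macros.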
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 12 Sep 2000 15:54:52 +0200
Subject: Cleartext pre-authentication before going to secure mode.
In-Reply-To: <14782.6203.450097.174606@chardonnay.ajk.tele.fi>; from Tomi.Ollila@sonera.com on Tue, Sep 12, 2000 at 02:49:15PM +0300
References: <14782.6203.450097.174606@chardonnay.ajk.tele.fi>
Message-ID: <20000912155452.A27208@faui02.informatik.uni-erlangen.de>

i don't understand completely what you want, but shouldn't this work with ssh's proxy option?

On Tue, Sep 12, 2000 at 02:49:15PM +0300, Tomi Ollila wrote:
> home$ ./tt4ssh 192.168.16.6
> CLEARTEXT>
> CLEARTEXT>
> CLEARTEXT> Company Corporate Network
> CLEARTEXT>
> CLEARTEXT>
> CLEARTEXT> Check Point FireWall-1 authenticated Telnet server running on FW
> CLEARTEXT>
> CLEARTEXT> User: unski
> CLEARTEXT> PASSCODE: **********
> CLEARTEXT> User unski authenticated by SecurID
> CLEARTEXT>
> CLEARTEXT> Connected to 192.168.16.6
> *** Launching `ssh 127.0.0.1 -p 22222'
> unski at 127.0.0.1's password:
> Last login: Mon Sep 11 10:35:26 2000 from fw.company.com
> work$
>
>
> Tomi Ollila

From andreas at ds3.etech.fh-hamburg.de Wed Sep 13 04:30:58 2000
From: andreas at ds3.etech.fh-hamburg.de (Andreas Schneider) Date: Tue, 12 Sep 2000 19:30:58 +0200 (MET DST) Subject: OpenSSH 2.2.0p1 port to QNX 4 Message-ID: <200009121730.TAA16864@ds3.etech.fh-hamburg.de> Dear OpenSSH porting developers, finally I succeded in porting OpenSSH to QNX 4. To get things going I had to take over some definitions from Linux' include files, since they are not available under QNX (e.g. the howmany makro, NFDBITS, the lastlog structure). With this email I send a patch with all my changes as well as the file "qnx-term.h" which I created because IXANY and ONLCR are not supported under QNX. Please include my changes into the OpenSSH portable distribution to allow others to install OpenSSH under QNX easily. Greetings Andreas -------------- next part -------------- /* Things the system doesn't provide under QNX */ #if defined(__QNX__) && !defined(__QNXNTO__) #ifndef QNX_TERM_H #define QNX_TERM_H #define IXANY 0 /* not supported on QNX; under Linux 0004000 */ #define ONLCR 0 /* not supported on QNX; under Linux 0000004 */ #endif /* !QNX_TERM_H */ #endif /* __QNX__ && !__QNXNTO__ */ -------------- next part -------------- diff -cr openssh-2.2.0p1.orig/clientloop.c openssh-2.2.0p1.qnx/clientloop.c *** openssh-2.2.0p1.orig/clientloop.c Wed Aug 23 02:46:24 2000 --- openssh-2.2.0p1.qnx/clientloop.c Tue Sep 12 10:23:58 2000 *************** *** 32,37 **** --- 32,41 ---- #include "buffer.h" #include "bufaux.h" + #if defined(__QNX__) && !defined(__QNXNTO__) + #include "qnx-term.h" + #endif /* __QNX__ && !__QNXNTO__ */ + /* Flag indicating that stdin should be redirected from /dev/null. 
*/ extern int stdin_null_flag; diff -cr openssh-2.2.0p1.orig/includes.h openssh-2.2.0p1.qnx/includes.h *** openssh-2.2.0p1.orig/includes.h Fri Aug 18 06:59:59 2000 --- openssh-2.2.0p1.qnx/includes.h Tue Sep 12 10:26:21 2000 *************** *** 27,33 **** --- 27,35 ---- #include #include #include + #if !defined(__QNX__) || defined(__QNXNTO__) #include + #endif /* !__QNX__ || __QNXNTO__ */ #include #include diff -cr openssh-2.2.0p1.orig/loginrec.c openssh-2.2.0p1.qnx/loginrec.c *** openssh-2.2.0p1.orig/loginrec.c Tue Aug 29 05:30:37 2000 --- openssh-2.2.0p1.qnx/loginrec.c Tue Sep 12 09:26:36 2000 *************** *** 744,755 **** --- 744,760 ---- } #else /* FIXME */ + #if defined(__QNX__) && !defined(__QNXNTO__) + tty = 1; + #else tty = ttyslot(); /* seems only to work for /dev/ttyp? style names */ + #endif /* __QNX__ && !__QNXNTO__ */ #endif /* HAVE_GETTTYENT */ if (tty > 0 && (fd = open(UTMP_FILE, O_RDWR|O_CREAT, 0644)) >= 0) { (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); + #ifdef HAVE_HOST_IN_UTMP /* * Prevent luser from zero'ing out ut_host. * If the new ut_line is empty but the old one is not *************** *** 761,766 **** --- 766,772 ---- (strncmp(old_ut.ut_name, ut->ut_name, sizeof(ut->ut_name)) == 0)) { (void)memcpy(ut->ut_host, old_ut.ut_host, sizeof(ut->ut_host)); } + #endif /* HAVE_HOST_IN_UTMP */ (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET); if (atomicio(write, fd, ut, sizeof(*ut)) != sizeof(*ut)) *************** *** 1319,1324 **** --- 1325,1349 ---- #define LL_FILE 1 #define LL_DIR 2 #define LL_OTHER 3 + + /* struct lastlog is not defined under QNX: define it */ + #if defined(__QNX__) && !defined(__QNXNTO__) + #define __time_t time_t + + /* from Linux's */ + #define UT_LINESIZE 32 + #define UT_NAMESIZE 32 + #define UT_HOSTSIZE 256 + + /* The structure describing an entry in the database of + previous logins. 
*/ + struct lastlog + { + __time_t ll_time; + char ll_line[UT_LINESIZE]; + char ll_host[UT_HOSTSIZE]; + }; + #endif /* __QNX__ && !__QNXNTO__ */ static void lastlog_construct(struct logininfo *li, struct lastlog *last) diff -cr openssh-2.2.0p1.orig/scp.c openssh-2.2.0p1.qnx/scp.c *** openssh-2.2.0p1.orig/scp.c Wed Aug 30 01:11:30 2000 --- openssh-2.2.0p1.qnx/scp.c Tue Sep 12 10:29:21 2000 *************** *** 650,656 **** --- 650,660 ---- return; } while ((dp = readdir(dirp))) { + #if defined(__QNX__) && !defined(__QNXNTO__) + if (dp->d_stat.st_ino == 0) + #else /* !__QNX__ || __QNXNTO__ */ if (dp->d_ino == 0) + #endif /* !__QNX__ || __QNXNTO__ */ continue; if (!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, "..")) continue; *************** *** 1050,1055 **** --- 1054,1064 ---- bad: fprintf(stderr, "%s: invalid user name\n", cp0); return (0); } + + + #if defined(__QNX__) && !defined(__QNXNTO__) + #define st_blksize st_size /* other naming under QNX */ + #endif /* __QNX__ && !__QNX_NTO__ */ BUF * allocbuf(bp, fd, blksize) diff -cr openssh-2.2.0p1.orig/session.c openssh-2.2.0p1.qnx/session.c *** openssh-2.2.0p1.orig/session.c Wed Aug 30 00:21:22 2000 --- openssh-2.2.0p1.qnx/session.c Tue Sep 12 09:27:19 2000 *************** *** 1861,1863 **** --- 1861,1874 ---- if (xauthfile) xauthfile_cleanup_proc(NULL); } + + + #if defined(__QNX__) && !defined(__QNXNTO__) + /* Thanks to liug at mama.indstate.edu */ + + int initgroups(char *name,gid_t id) + { + return(0); + } + + #endif /* __QNX__ && !__QNXNTO__ */ diff -cr openssh-2.2.0p1.orig/ssh.c openssh-2.2.0p1.qnx/ssh.c *** openssh-2.2.0p1.orig/ssh.c Tue Aug 29 02:33:51 2000 --- openssh-2.2.0p1.qnx/ssh.c Tue Sep 12 10:30:53 2000 *************** *** 215,220 **** --- 215,221 ---- original_real_uid = getuid(); original_effective_uid = geteuid(); + #if !defined(__QNX__) || defined(__QNXNTO__) /* If we are installed setuid root be careful to not drop core. 
*/ if (original_real_uid != original_effective_uid) { struct rlimit rlim; *************** *** 222,227 **** --- 223,229 ---- if (setrlimit(RLIMIT_CORE, &rlim) < 0) fatal("setrlimit failed: %.100s", strerror(errno)); } + #endif /* !__QNX__ || __QNXNTO__ */ /* * Use uid-swapping to give up root privileges for the duration of * option processing. We will re-instantiate the rights when we are diff -cr openssh-2.2.0p1.orig/sshd.c openssh-2.2.0p1.qnx/sshd.c *** openssh-2.2.0p1.orig/sshd.c Tue Aug 29 02:05:50 2000 --- openssh-2.2.0p1.qnx/sshd.c Tue Sep 12 12:21:29 2000 *************** *** 49,54 **** --- 49,76 ---- int deny_severity = LOG_WARNING; #endif /* LIBWRAP */ + #if defined(__QNX__) && !defined(__QNXNTO__) + /* Define some things not available under QNX */ + + /* from Linux's */ + #ifndef howmany + # define howmany(x, y) (((x)+((y)-1))/(y)) + #endif /* !howmany */ + /* from the Linux kernel */ + //#define __NFDBITS (8 * sizeof(unsigned long)) /* results in 32 under QNX and Linux (A.S.) */ + + /* from Linux's */ + /* One element in the file descriptor mask array. */ + typedef unsigned long int __fd_mask; + /* It's easier to assume 8-bit bytes than to get CHAR_BIT. */ + #define __NFDBITS (8 * sizeof (__fd_mask)) /* results in 32 under QNX and Linux (A.S.) */ + + /* from Linux's */ + /* Number of bits per word of `fd_set' (some code assumes this is 32). */ + #define NFDBITS __NFDBITS + typedef __fd_mask fd_mask; + #endif /* __QNX__ && !__QNXNTO__ */ + #ifndef O_NOCTTY #define O_NOCTTY 0 #endif diff -cr openssh-2.2.0p1.orig/ttymodes.h openssh-2.2.0p1.qnx/ttymodes.h *** openssh-2.2.0p1.orig/ttymodes.h Thu Jun 22 13:32:32 2000 --- openssh-2.2.0p1.qnx/ttymodes.h Tue Sep 12 10:32:13 2000 *************** *** 32,37 **** --- 32,41 ---- * is only intended for including from ttymodes.c. 
*/ + #if defined(__QNX__) && !defined(__QNXNTO__) + #include "qnx-term.h" + #endif /* __QNX__ && !__QNXNTO__ */ + /* termios macro */ /* sgtty macro */ /* name, op */ TTYCHAR(VINTR, 1) SGTTYCHAR(tiotc.t_intrc, 1) From hh at sidereal.kz Wed Sep 13 15:10:19 2000 From: hh at sidereal.kz (erich) Date: 13 Sep 2000 04:10:19 -0000 Subject: CryptoCard patch Message-ID: <20000913041019.32568.qmail@mailhost.sidereal.kz> Hi, I had a contractor write a patch to allow CryptoCard support in OpenSSH. It works with portable openssh-2.1.1p4, and it was posted to the SSH mailing lists, but I see that it hasn't been included in the openssh-2.2.0p1 release. Would it be possible to include this patch in the official release? The reason why I ask is because it will not be difficult to do that, it will support the CryptoCard users, and I don't want to have to hire a contractor again every time a new version of OpenSSH comes out. Btw, the patch is under the same license as OpenSSH itself, so there is no problem with licensing. Also, PuTTY, which is a free open-source SSH client for windows, and which works with OpenSSH, also now has CryptoCard support. I also hired the author of that program to include it. Here is the patch for openssh-2.1.1p4: http://www.sidereal.kz/~hh/openssh-cryptocard.patch.gz Please let me know if it will be possible to include this patch in future releases. If there are specific reasons why it can't be, please let me know, because maybe I can address them. Otherwise I will ask our contractor to update the patch for them. Thanks, e From Stephan.Hendl at lds.brandenburg.de Wed Sep 13 18:49:44 2000 
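Review bot: in the scp.c hunk that precedes allocbuf(), `#define st_blksize st_size` makes the copy buffer size follow the file's length rather than a preferred I/O block size, so a large file on QNX gets a buffer as big as itself; use a fixed block size under QNX instead of aliasing st_size, and avoid redefining a struct member name with the preprocessor after the system headers are already in. Minor: the closing comment reads `__QNX_NTO__` where every other guard in the patch spells it `__QNXNTO__`.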
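Review bot: the initgroups() stub in the session.c hunk returns 0 without setting anything, so the session child keeps sshd's own supplementary groups instead of the target user's; if non-Neutrino QNX has no supplementary groups, say so in the comment so nobody takes this as a general fallback, and give the stub the standard prototype `(const char *, gid_t)` rather than `(char *name,gid_t id)`.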
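Review bot: the `#if !defined(__QNX__) || defined(__QNXNTO__)` added around the RLIMIT_CORE block in ssh.c removes, for non-Neutrino QNX, the protection that keeps a setuid-root ssh from dumping core, so a crash could write whatever key material it has read into a core file; if setrlimit()/RLIMIT_CORE is what QNX lacks, record that in a comment and substitute whatever QNX offers rather than dropping the check silently.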
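Review bot: the sshd.c hunk introduces a `//` comment (`//#define __NFDBITS ...`), which is not C89 and is the only one in a file otherwise using `/* */`; drop that commented-out line entirely, since the live `#define __NFDBITS (8 * sizeof (__fd_mask))` a few lines below supersedes it, and consider `CHAR_BIT * sizeof (__fd_mask)` from <limits.h> instead of hard-coding 8.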
From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl) Date: Wed, 13 Sep 2000 09:49:44 +0200 Subject: CryptoCard patch Message-ID: Hi, I tried to find a note about CryptoCard support on the web page of PuTTY but I couldn't find it... How should I configure it? Stephan -- LDS Brandenburg Dr. Stephan Hendl fon: +49-(0)331-39 471 fax: +49-(0)331-27548 1187 EMail: stephan.hendl at lds.brandenburg.de >>> erich 13.09.2000 06:10:19 >>> Hi, I had a contractor write a patch to allow CryptoCard support in OpenSSH. It works with portable openssh-2.1.1p4, and it was posted to the SSH mailing lists, but I see that it hasn't been included in the openssh-2.2.0p1 release. Would it be possible to include this patch in the official release? The reason why I ask is because it will not be difficult to do that, it will support the CryptoCard users, and I don't want to have to hire a contractor again every time a new version of OpenSSH comes out. Btw, the patch is under the same license as OpenSSH itself, so there is no problem with licensing. Also, PuTTY, which is a free open-source SSH client for windows, and which works with OpenSSH, also now has CryptoCard support. I also hired the author of that program to include it. Here is the patch for openssh-2.1.1p4: http://www.sidereal.kz/~hh/openssh-cryptocard.patch.gz Please let me know if it will be possible to include this patch in future releases. If there are specific reasons why it can't be, please let me know, because maybe I can address them. Otherwise I will ask our contractor to update the patch for them. Thanks, e From Tomi.Ollila at sonera.com Wed Sep 13 19:17:11 2000 
From: Tomi.Ollila at sonera.com (Tomi Ollila)
Date: Wed, 13 Sep 2000 11:17:11 +0300 (EET DST)
Subject: Cleartext pre-authentication before going to secure mode.
In-Reply-To: <20000912155452.A27208@faui02.informatik.uni-erlangen.de>
References: <14782.6203.450097.174606@chardonnay.ajk.tele.fi> <20000912155452.A27208@faui02.informatik.uni-erlangen.de>
Message-ID: <14783.14343.937465.866456@chardonnay.ajk.tele.fi>

Tuesday Sep 12 15:54:52 +0200 2000 Markus Friedl wrote:
> i don't understand completely what you want, but shouldn't this work
> with ssh's proxy option?

Hmm, it took me a while to understand this ProxyCommand option... in my case I should write a program that works like a modem dialler script -- when it receives the `User:' and `PASSCODE' strings, it would automatically output that info. Progress information could be output to the terminal using fd 2? That would solve that `host key management' issue I wrote about before. I'll see what I can come up with for that (it probably won't be possible to pass terminal input to the proxy command?). The ProxyCommand is a program that has to stay between the network and ssh all the time (and prevents ssh from using `getpeername()' to verify the other end?).

I have one additional option to suggest here: add an option where ssh could use an already connected file descriptor for its communication socket. This means that ssh should still be launched by an external program, but that program would not need to transfer the data -- and ssh could use normal socket syscalls to manage the fd. That would also ease my work -- I already have that `tt4ssh' -- which is very easy to use -- it would require some simple changes to make it work with this option.

When passing through an FW-1 authenticated Telnet server, 2 things have to be handled:

1) That server requires that the client that connects to it answers the telnet negotiation commands that it sends -- otherwise, after the connection is made to the end host, no data is passed to it.
2) That telnet server always sends those telnet negotiation commands to the end host after the connection -- so if no pre-cleaning of the connection is done, when trying to send the ssh identification string, the end host receives the following stream (telnet negotiation codes "prettyprinted"):

IAC DO ECHO
IAC DO SUPPRESS GO AHEAD
SSH-1.5-OpenSSH_2.1.1

That's why I requested that I'd like to see sshd ignore some possible garbage until it looks like it is receiving an ssh identification string (in my programs I am checking that SSH- has arrived).

Is there any chance for these features -- I can manage with the current functionality, but there might be other people who have the same problem -- I'd like to make my program as good (and secure) as possible for public release -- if tt4ssh-like functionality is not going to be incorporated into the ssh programs.

Tomi

From Markus.Friedl at informatik.uni-erlangen.de Wed Sep 13 19:45:59 2000
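The pre-cleaning Tomi describes, as an added example that is not part of the thread or of OpenSSH (the function name, its interface and the sample bytes are assumptions): a C routine that consumes the Telnet negotiation a Telnet authentication proxy injects ahead of the SSH banner, generates the refusals a well-behaved client must send back (point 1), and reports where the `SSH-' identification string begins (point 2).

```c
#include <string.h>

/* Telnet command and option bytes (RFC 854, RFC 857, RFC 858) */
#define TN_IAC      255
#define TN_DONT     254
#define TN_DO       253
#define TN_WONT     252
#define TN_WILL     251
#define TN_SB       250
#define TN_SE       240
#define TN_OPT_ECHO 1
#define TN_OPT_SGA  3

/*
 * Hypothetical helper (not OpenSSH code): consume what precedes the SSH
 * identification string on a connection relayed through a Telnet proxy.
 * Each DO/WILL the proxy sent is refused (WONT/DONT) into 'reply', so the
 * proxy sees its negotiation answered (point 1), and the caller learns where
 * "SSH-" starts (point 2). Stray non-Telnet bytes are skipped; no option is
 * ever accepted. Returns the offset of "SSH-" in 'in', or -1 if it is absent,
 * the negotiation is truncated, or 'reply' is too small.
 */
int strip_telnet_negotiation(const unsigned char *in, size_t len,
                             unsigned char *reply, size_t reply_cap,
                             size_t *reply_len)
{
    size_t i = 0, j;
    unsigned char cmd;

    *reply_len = 0;
    while (i < len) {
        if (len - i >= 4 && memcmp(in + i, "SSH-", 4) == 0)
            return (int)i;                     /* banner found */
        if (in[i] != TN_IAC) {
            i++;                               /* stray non-Telnet byte */
            continue;
        }
        if (i + 1 >= len)
            return -1;                         /* truncated IAC */
        cmd = in[i + 1];
        if (cmd == TN_DO || cmd == TN_DONT || cmd == TN_WILL || cmd == TN_WONT) {
            if (i + 2 >= len)
                return -1;                     /* truncated option byte */
            if (cmd == TN_DO || cmd == TN_WILL) {
                if (*reply_len + 3 > reply_cap)
                    return -1;                 /* no room for the refusal */
                reply[(*reply_len)++] = TN_IAC;
                reply[(*reply_len)++] = (cmd == TN_DO) ? TN_WONT : TN_DONT;
                reply[(*reply_len)++] = in[i + 2];
            }
            i += 3;                            /* DONT/WONT need no answer */
        } else if (cmd == TN_SB) {
            /* subnegotiation: skip everything up to IAC SE */
            for (j = i + 2; j + 1 < len; j++)
                if (in[j] == TN_IAC && in[j + 1] == TN_SE)
                    break;
            if (j + 1 >= len)
                return -1;                     /* unterminated SB */
            i = j + 2;
        } else {
            i += 2;                            /* IAC NOP, GA, IAC IAC, ... */
        }
    }
    return -1;                                 /* no banner in this buffer */
}

/* Constructed sample of the stream quoted in the thread: two negotiation
 * commands from the FW-1 proxy followed by the OpenSSH 2.1.1 banner. */
static const unsigned char fw1_sample[] = {
    TN_IAC, TN_DO, TN_OPT_ECHO,                /* IAC DO ECHO */
    TN_IAC, TN_DO, TN_OPT_SGA,                 /* IAC DO SUPPRESS GO AHEAD */
    'S','S','H','-','1','.','5','-','O','p','e','n','S','S','H','_',
    '2','.','1','.','1','\r','\n'
};

/* Offset at which the banner starts in fw1_sample (6 bytes of negotiation). */
int demo_fw1_offset(void)
{
    unsigned char reply[16];
    size_t n;
    return strip_telnet_negotiation(fw1_sample, sizeof fw1_sample,
                                    reply, sizeof reply, &n);
}

/* 1 if the refusals generated for fw1_sample are exactly
 * IAC WONT ECHO, IAC WONT SUPPRESS-GO-AHEAD; 0 otherwise. */
int demo_fw1_reply_ok(void)
{
    static const unsigned char want[] = {
        TN_IAC, TN_WONT, TN_OPT_ECHO, TN_IAC, TN_WONT, TN_OPT_SGA };
    unsigned char reply[16];
    size_t n;
    if (strip_telnet_negotiation(fw1_sample, sizeof fw1_sample,
                                 reply, sizeof reply, &n) < 0)
        return 0;
    return n == sizeof want && memcmp(reply, want, n) == 0;
}
```

A client-side shim would write the refusals back to the proxy before forwarding the bytes from the returned offset on; an sshd-side variant would simply discard the prefix, which is the behaviour Tomi asks for.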
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 13 Sep 2000 10:45:59 +0200
Subject: Cleartext pre-authentication before going to secure mode.
In-Reply-To: <14783.14343.937465.866456@chardonnay.ajk.tele.fi>; from Tomi.Ollila@sonera.com on Wed, Sep 13, 2000 at 11:17:11AM +0300
References: <14782.6203.450097.174606@chardonnay.ajk.tele.fi> <20000912155452.A27208@faui02.informatik.uni-erlangen.de> <14783.14343.937465.866456@chardonnay.ajk.tele.fi>
Message-ID: <20000913104559.A23955@faui02.informatik.uni-erlangen.de>

On Wed, Sep 13, 2000 at 11:17:11AM +0300, Tomi Ollila wrote:
> Tuesday Sep 12 15:54:52 +0200 2000 Markus Friedl wrote:
>
> > i don't understand completely what you want, but shouldn't this work
> > with ssh's proxy option?
>
> Hmm, it took me a while to understand this ProxyCommand option... in my
> case I should write a program that works like a modem dialler script --
> when it receives the `User:' and `PASSCODE' strings, it would automatically
> output that info. Progress information could be output to the terminal using
> fd 2?

you can print out info to stderr and read the passcode from /dev/tty

> The ProxyCommand is a program that has to stay between the network and
> ssh all the time (and prevents ssh from using `getpeername()' to verify the
> other end?).

> When passing through an FW-1 authenticated Telnet server, 2 things have to be
> handled: 1) that server requires that the client that connects to it
> answers the telnet negotiation commands that it sends -- otherwise after
> the connection is made to the end host, no data is passed to it.
2) That telnet > server always sends those telnet negotiation commands to the end host after > connection -- so if no pre-cleaning of the connection is made, when trying > to send ssh identification string, the end host receives the following > stream (telnet negotiation codes "prettyprinted") > > IAC DO ECHO > IAC DO SUPPRESS GO AHEAD > SSH-1.5-OpenSSH_2.1.1 > > > That's why I requested that I'd like to see sshd ignore some possible > garbage until it looks like it is receiving an ssh identification string > (in my programs I am checking that SSH- has arrived). i think this is possible. From hein at acm.org Wed Sep 13 20:28:05 2000 From: hein at acm.org (Hein Roehrig) Date: Wed, 13 Sep 2000 11:28:05 +0200 Subject: CryptoCard patch In-Reply-To: Your message of "13 Sep 2000 04:10:19 -0000." <20000913041019.32568.qmail@mailhost.sidereal.kz> Message-ID: hh at sidereal.kz said: > I had a contractor write a patch to allow CryptoCard support in > OpenSSH. [...] Would it be possible to include this patch > in the official release? I think for platforms supporting PAM this patch is not necessary because you can just use the respective PAM module. Moreover, introducing new authentication types (instead of plugging into password or TIS authentication) always has the disadvantage of not interoperating with versions of ssh that have not been patched. -Hein From maf at appgate.com Wed Sep 13 20:34:00 2000 
From: maf at appgate.com (Martin Forssen)
Date: Wed, 13 Sep 2000 11:34:00 +0200 (MEST)
Subject: CryptoCard patch
In-Reply-To:
Message-ID: <20000913093403.E52E13B5DD@pelee.firedoor.se>

On 13 Sep, Hein Roehrig wrote:
> hh at sidereal.kz said:
>> I had a contractor write a patch to allow CryptoCard support in
>> OpenSSH. [...] Would it be possible to include this patch
>> in the official release?
>
> I think for platforms supporting PAM this patch is not necessary
> because you can just use the respective PAM module. Moreover,
> introducing new authentication types (instead of plugging into
> password or TIS authentication) always has the disadvantage of not
> interoperating with versions of ssh that have not been patched.

I agree 100%. This is also exactly why we wrote the keyboard-interactive authentication protocol for ssh2. This protocol adds generic support for all sorts of authentication methods which only need to interact with the user on the client side. The user may then act as an interface to whatever device one wishes to use.

/MaF

PS I will submit a new and updated draft (error corrections only) of keyboard-interactive as soon as I find the time.

From Pete.Chown at skygate.co.uk Wed Sep 13 21:59:05 2000
From: Pete.Chown at skygate.co.uk (Pete Chown) Date: Wed, 13 Sep 2000 11:59:05 +0100 Subject: CryptoCard patch In-Reply-To: <20000913093403.E52E13B5DD@pelee.firedoor.se>; from maf@appgate.com on Wed, Sep 13, 2000 at 11:34:00AM +0200 References: <20000913093403.E52E13B5DD@pelee.firedoor.se> Message-ID: <20000913115905.E934@hyena.skygate.co.uk> Hein Roehrig wrote: > I think for platforms supporting PAM this patch is not necessary > because you can just use the respective PAM module. Suppose I decided to have people log on to my systems using CRAM-MD5. How could I implement that as a PAM module? I could implement the server end using PAM, but I couldn't do the client end. The user would have to have some separate program to calculate the MAC, and then cut and paste the result into ssh. Martin Forssen wrote: > I agree 100%. This is also exactly why we wrote the > keyboard-interactive authentication protocol for ssh2. [ ... ] The > user may then act as an interface to whatever device one wishes to > use. Agreed, but this isn't very convenient. What would be nice is some kind of PAM-like system that works on the client. Then you have a CRAM-MD5 module on the server, and they authenticate the user by talking between themselves. The client module asks the user for the MAC secret, accepts a challenge from the server and sends back the response. The server PAM module then logs the user in (or not). Hopefully next weekend I will have time to get the OpenPGP stuff into a reasonably usable state... -- Pete From i.palsenberg at jdimedia.nl Thu Sep 14 00:30:03 2000 
From: i.palsenberg at jdimedia.nl (Igmar Palsenberg)
Date: Wed, 13 Sep 2000 15:30:03 +0200 (CEST)
Subject: CryptoCard patch
Message-ID:

Hi,

Since I'm not on this list I'll quote :)

-----------------------------------------------------------------------------

Hein Roehrig wrote:
>> I think for platforms supporting PAM this patch is not necessary
>> because you can just use the respective PAM module.

>Suppose I decided to have people log on to my systems using CRAM-MD5.
>How could I implement that as a PAM module? I could implement the
>server end using PAM, but I couldn't do the client end. The user
>would have to have some separate program to calculate the MAC, and
>then cut and paste the result into ssh.

PAM just writes text to the terminal, and asks for responses. What the module actually does with it is of no interest to PAM. I've programmed about everything with it you can think of.

You indeed would have to have a program that calculates the response, but that also applies to CryptoCard, bioscans, etc, etc.

>> I agree 100%. This is also exactly why we wrote the
>> keyboard-interactive authentication protocol for ssh2. [ ... ] The
>> user may then act as an interface to whatever device one wishes to
>> use.

>Agreed, but this isn't very convenient. What would be nice is some
>kind of PAM-like system that works on the client. Then you have a
>CRAM-MD5 module on the server, and they authenticate the user by
>talking between themselves. The client module asks the user for the
>MAC secret, accepts a challenge from the server and sends back the
>response. The server PAM module then logs the user in (or not).

The above scenario is no problem at all. Nothing prevents you from letting the client talk to the server in that case.

>Hopefully next weekend I will have time to get the OpenPGP stuff into
>a reasonably usable state...
Regards, Igmar Palsenberg JDI Media Solutions -- Igmar Palsenberg JDI Media Solutions Jansplaats 11 6811 GB Arnhem The Netherlands mailto: i.palsenberg at jdimedia.nl PGP/GPG key : http://www.jdimedia.nl/formulier/pgp/igmar From Pete.Chown at skygate.co.uk Thu Sep 14 01:45:06 2000 From: Pete.Chown at skygate.co.uk (Pete Chown) Date: Wed, 13 Sep 2000 15:45:06 +0100 Subject: CryptoCard patch In-Reply-To: ; from i.palsenberg@jdimedia.nl on Wed, Sep 13, 2000 at 03:30:03PM +0200 References: Message-ID: <20000913154506.B4052@hyena.skygate.co.uk> Igmar Palsenberg wrote: > PAM just writes text to the terminal, and ask for responses. What the > module actually does with it is of no interest to PAM. > I've programmed about everything with it you an think of. > > You indeed would have to have a program that calculates the response, but > that also applies to CryptoCard, bioscans, etc, etc. I'm probably not making myself clear. Of course, you can accept all these different things with a PAM module. The problem is that the user has to do everything manually. Using my CRAM-MD5 example, the server would say, "here is the challenge". The user would then have to paste that into another application. It would give the response, and then the user would then have to copy the result back. Of course, this works, but it is suboptimal. Also, as everyone knows, users don't implement security unless it is easy! > [ I wrote: ] > > What would be nice is some > > kind of PAM-like system that works on the client [ .... ] > Above scenario is no problem at all. Nothing prevents you from letting the > client talk to the server in that case. Not sure what you mean here, sorry. -- Pete From i.palsenberg at jdimedia.nl Thu Sep 14 01:58:13 2000 
From: i.palsenberg at jdimedia.nl (Igmar Palsenberg)
Date: Wed, 13 Sep 2000 16:58:13 +0200 (CEST)
Subject: CryptoCard patch
In-Reply-To: <20000913154506.B4052@hyena.skygate.co.uk>
Message-ID:

> I'm probably not making myself clear. Of course, you can accept all
> these different things with a PAM module. The problem is that the
> user has to do everything manually. Using my CRAM-MD5 example, the
> server would say, "here is the challenge". The user would then have
> to paste that into another application. It would give the response,
> and then the user would then have to copy the result back.
>
> Of course, this works, but it is suboptimal. Also, as everyone knows,
> users don't implement security unless it is easy!

Letting the client side do almost everything can be less secure, and requires a modified client.

> > > What would be nice is some
> > > kind of PAM-like system that works on the client [ .... ]
>
> > Above scenario is no problem at all. Nothing prevents you from letting the
> > client talk to the server in that case.
>
> Not sure what you mean here, sorry.

What I meant to say is that nothing prevents the PAM module from opening a TCP connection back to the client, and exchanging data that way.

Regards,

Igmar

-- Igmar Palsenberg JDI Media Solutions Jansplaats 11 6811 GB Arnhem The Netherlands mailto: i.palsenberg at jdimedia.nl PGP/GPG key : http://www.jdimedia.nl/formulier/pgp/igmar

From maf at appgate.com Thu Sep 14 02:07:52 2000
From: maf at appgate.com (Martin Forssen)
Date: Wed, 13 Sep 2000 17:07:52 +0200 (MEST)
Subject: CryptoCard patch
In-Reply-To: <20000913115905.E934@hyena.skygate.co.uk>
Message-ID: <20000913150755.237453B5DD@pelee.firedoor.se>

On 13 Sep, Pete Chown wrote:
> Martin Forssen wrote:
>> I agree 100%. This is also exactly why we wrote the
>> keyboard-interactive authentication protocol for ssh2. [ ... ] The
>> user may then act as an interface to whatever device one wishes to
>> use.
>
> Agreed, but this isn't very convenient. What would be nice is some
> kind of PAM-like system that works on the client. Then you have a
> CRAM-MD5 module on the server, and they authenticate the user by
> talking between themselves. The client module asks the user for the
> MAC secret, accepts a challenge from the server and sends back the
> response. The server PAM module then logs the user in (or not).

I would rather say that it is very convenient, for some authentication methods. Namely those methods which do not need any special code on the client. CRAM-MD5 needs extra code on the client and is thus not a good candidate for keyboard-interactive.

The point with keyboard-interactive is that once it is in place you do not need any additional code on the client to handle some new authentication methods (like for example CryptoCard, SecurID and other token-cards). This is a very nice property if you have lots of different clients, like Windows, Macs and N*Unix-versions. PAM might be an OK solution for certain Unix versions but gets trickier if one involves other platforms.

Keyboard-interactive is not the ultimate authentication method and it doesn't solve all problems. But it is IMHO a very good way of solving the problems with a certain class of authentication methods.

/MaF

From GLeblanc at cu-portland.edu Thu Sep 14 02:39:34 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc) Date: Wed, 13 Sep 2000 08:39:34 -0700 Subject: Can't connect to server using protocol v2? Message-ID: <025836EFF856D411A6660090272811E61D0701@EMAIL> Is this really caused by a buggy server, or is this an interoperability problem? It seems to work ok when I specify -o "protocol 1" on the command line. Thanks, Greg [gleblanc at grego1 gleblanc]$ ssh -v login.metalab.unc.edu SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f). debug: Reading configuration data /etc/ssh/ssh_config debug: Applying options for * debug: Seeding random number generator debug: ssh_connect: getuid 500 geteuid 0 anon 0 debug: Connecting to login.metalab.unc.edu [152.2.210.14] port 22. debug: Seeding random number generator debug: Allocated local port 762. debug: Connection established. debug: Remote protocol version 1.99, remote software version 2.0.13 (non-commercial) datafellows: 2.0.13 (non-commercial) Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-2.0-OpenSSH_2.2.0p1 debug: send KEXINIT debug: done debug: wait KEXINIT debug: got kexinit: diffie-hellman-group1-sha1 debug: got kexinit: ssh-dss debug: got kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour,none debug: got kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour,none debug: got kexinit: hmac-md5,md5-8,none debug: got kexinit: hmac-md5,md5-8,none debug: got kexinit: none,zlib debug: got kexinit: none,zlib debug: got kexinit: debug: got kexinit: debug: first kex follow: 0 debug: reserved: 0 debug: done debug: kex: server->client 3des-cbc hmac-md5 none debug: kex: client->server 3des-cbc hmac-md5 none debug: Sending SSH2_MSG_KEXDH_INIT. debug: bits set: 546/1024 debug: Wait SSH2_MSG_KEXDH_REPLY. debug: Got SSH2_MSG_KEXDH_REPLY. The authenticity of host 'login.metalab.unc.edu' can't be established. DSA key fingerprint is 29:49:6e:f2:b4:e8:e1:a3:91:2f:f9:99:d5:27:7b:7e. 
Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added 'login.metalab.unc.edu,152.2.210.14' (DSA) to the list of known hosts. debug: bits set: 504/1024 debug: len 40 datafellows 15 debug: dsa_verify: signature correct debug: Wait SSH2_MSG_NEWKEYS. debug: GOT SSH2_MSG_NEWKEYS. debug: send SSH2_MSG_NEWKEYS. debug: done: send SSH2_MSG_NEWKEYS. debug: done: KEX2. debug: send SSH2_MSG_SERVICE_REQUEST debug: buggy server: service_accept w/o service debug: got SSH2_MSG_SERVICE_ACCEPT debug: authentications that can continue: Permission denied (). debug: Calling cleanup 0x805ba68(0x0) [gleblanc at grego1 gleblanc]$ From Markus.Friedl at informatik.uni-erlangen.de Thu Sep 14 02:43:51 2000 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 13 Sep 2000 17:43:51 +0200 Subject: Can't connect to server using protocol v2? In-Reply-To: <025836EFF856D411A6660090272811E61D0701@EMAIL>; from GLeblanc@cu-portland.edu on Wed, Sep 13, 2000 at 08:39:34AM -0700 References: <025836EFF856D411A6660090272811E61D0701@EMAIL> Message-ID: <20000913174351.A17641@faui02.informatik.uni-erlangen.de> On Wed, Sep 13, 2000 at 08:39:34AM -0700, Gregory Leblanc wrote: > debug: got SSH2_MSG_SERVICE_ACCEPT > debug: authentications that can continue: > Permission denied (). > debug: Calling cleanup 0x805ba68(0x0) the server does not offer any authentication methods. can you login this server with the commercial ssh.com-2.3.0 client? -markus From GLeblanc at cu-portland.edu Thu Sep 14 03:27:42 2000 From: GLeblanc at cu-portland.edu (Gregory Leblanc) Date: Wed, 13 Sep 2000 09:27:42 -0700 Subject: Can't connect to server using protocol v2? Message-ID: <025836EFF856D411A6660090272811E61D0702@EMAIL> > -----Original Message----- 
> From: Markus Friedl [mailto:Markus.Friedl at informatik.uni-erlangen.de] > > On Wed, Sep 13, 2000 at 08:39:34AM -0700, Gregory Leblanc wrote: > > debug: got SSH2_MSG_SERVICE_ACCEPT > > debug: authentications that can continue: > > Permission denied (). > > debug: Calling cleanup 0x805ba68(0x0) > > the server does not offer any authentication methods. > can you login this server with the commercial ssh.com-2.3.0 client? Hmm, good question... download...compile...try... nope, it doesn't work. FYI, here's the output from ssh2. I'll contact the site admin and poke a few questions into them. Thanks, Greg [gleblanc at grego1 ssh-2.3.0]$ ssh2 -v login.metalab.unc.edu debug: hostname is 'login.metalab.unc.edu'. debug: Unable to open /home/gleblanc/.ssh2/ssh2_config debug: connecting to login.metalab.unc.edu... debug: entering event loop debug: ssh_client_wrap: creating transport protocol debug: SshAuthMethodClient/sshauthmethodc.c:105/ssh_client_authentication_initializ e: Added "publickey" to usable methods. debug: SshAuthMethodClient/sshauthmethodc.c:105/ssh_client_authentication_initializ e: Added "password" to usable methods. debug: Ssh2Client/sshclient.c:1104/ssh_client_wrap: creating userauth protocol debug: Ssh2Common/sshcommon.c:487/ssh_common_wrap: local ip = 207.149.58.197, local port = 2311 debug: Ssh2Common/sshcommon.c:489/ssh_common_wrap: remote ip = 152.2.210.14, remote port = 22 debug: SshConnection/sshconn.c:1853/ssh_conn_wrap: Wrapping... debug: Ssh2Transport/trcommon.c:593/ssh_tr_input_version: Remote version: SSH-1.99-2.0.13 (non-commercial) debug: Ssh2Transport/trcommon.c:688/ssh_tr_input_version: Remote version has service accept message draft incompatibility bug. debug: Ssh2Transport/trcommon.c:692/ssh_tr_input_version: Remote version has publickey service name draft incompatibility bug. debug: Ssh2Transport/trcommon.c:696/ssh_tr_input_version: Remote version has X11 channel open draft incompatibility bug. 
debug: Ssh2Transport/trcommon.c:701/ssh_tr_input_version: Remote version has SSH_MSG_CHANNEL_OPEN_FAILURE draft incompatibility bug. debug: Ssh2Transport/trcommon.c:706/ssh_tr_input_version: Remote version has SSH_MSG_USERAUTH_PK_OK draft incompatibility bug. debug: Ssh2Transport/trcommon.c:728/ssh_tr_input_version: Remote version has hostbased service name draft incompatibility bug. debug: Ssh2Transport/trcommon.c:732/ssh_tr_input_version: Remote version has publickey session_id encoding draft incompatibility bug. debug: Ssh2Transport/trcommon.c:736/ssh_tr_input_version: Remote version has malformed signatures draft incompatibility bug. debug: Ssh2Transport/trcommon.c:740/ssh_tr_input_version: Remote version uses deprecated disconnect codes debug: Ssh2Transport/trcommon.c:1068/ssh_tr_negotiate: c_to_s: cipher 3des-cbc, mac hmac-md5, compression none debug: Ssh2Transport/trcommon.c:1071/ssh_tr_negotiate: s_to_c: cipher 3des-cbc, mac hmac-md5, compression none debug: Ssh2Client/sshclient.c:399/keycheck_key_match: Host key found from database. debug: Ssh2Common/sshcommon.c:297/ssh_common_special: Received SSH_CROSS_STARTUP packet from connection protocol. debug: Ssh2Common/sshcommon.c:347/ssh_common_special: Received SSH_CROSS_ALGORITHMS packet from connection protocol. debug: Ssh2Common/sshcommon.c:132/ssh_common_disconnect: DISCONNECT received: No further authentication methods available. warning: Authentication failed. debug: Ssh2/ssh2.c:78/client_disconnect: locally_generated = TRUE Disconnected; no more authentication methods available (No further authentication methods available.). debug: uninitializing event loop [gleblanc at grego1 ssh-2.3.0]$ From faheem at email.unc.edu Thu Sep 14 04:50:13 2000 
From: faheem at email.unc.edu (Faheem Mitha)
Date: Wed, 13 Sep 2000 13:50:13 -0400 (EDT)
Subject: Kerberos/AFS options in ssh/sshd while disabling them in configure
Message-ID:

Dear OpenSSH developers,

Hello, I strongly support this suggestion, i.e. adding the sentence "This option has been disabled at compile time" as appropriate. It would be even more helpful if you said how to enable it (krb) at compile time. Remember, this is the only documentation available. I spent some time wondering about this before searching the archives.

Ok, while we are on the subject, I was wondering about the current state of Kerberos support. I have SSH Version OpenSSH_2.2.0p1 for Linux. Is there currently support for Krb4 or only for Krb5? Krb4 is only mentioned in passing, and I think this is something else you could usefully make clear in your man pages.

Thank you for your time. Please note that I am not currently subscribed to openssh-unix-dev.

Sincerely, Faheem Mitha.

***************************************************************************

Hello all,

If you don't compile in Kerberos, AFS etc. support, the ssh/sshd man page still mentions them as valid options, and ssh/sshd complains loudly and refuses to run if you set options about them in ssh_config or sshd_config. I'm not sure if this is the intended (or good?) behaviour.

Would it be better to modify the man pages when ./configuring too? Like, adding a small sentence about stuff disabled at compile time. An example:

KerberosTgtPassing
Specifies whether a Kerberos TGT will be forwarded to the server. This will only work if the Kerberos server is actually an AFS kaserver. The argument to this keyword must be ``yes'' or ``no''. This option has been disabled at compile time.

What do you think? :)

-- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall"

From stevev at darkwing.uoregon.edu Thu Sep 14 05:05:29 2000
From: stevev at darkwing.uoregon.edu (Steve VanDevender) Date: Wed, 13 Sep 2000 11:05:29 -0700 Subject: auth-pam.c support for pam_chauthtok() Message-ID: <14783.49641.930739.954333@darkwing.uoregon.edu> When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users noticed that it did not honor password expiration consistently with other Solaris login services. The patch below is against OpenSSH 2.2.0p1 and adds support for PAM password changes on expiration via pam_chauthtok(). A brief summary of changes: auth-pam.c: * change declaration of pamh to "static pam_handle_t *pamh", remove unnecessary casts "(pam_handle_t *)" * fix typo in NEW_AUTHTOK_MSG * extend pamconv() to support real interactive prompting and display, in addition to the kludge to feed the user's password into PAM during initial login * add function do_pam_chauthtok() to call pam_chauthtok() if needed, once interactive session has been established auth-pam.h: * add prototype for do_pam_chauthtok() session.c: * add call to do_pam_chauthtok() after print_pam_messages() I am subscribed to openssh-unix-dev, so you do not have to copy any list discussion to me personally. =================================================================== RCS file: RCS/auth-pam.c,v retrieving revision 1.1 diff -u -r1.1 auth-pam.c --- auth-pam.c 2000/09/06 22:29:58 1.1 +++ auth-pam.c 2000/09/12 19:30:24 @@ -37,7 +37,7 @@ RCSID("$Id: auth-pam.c,v 1.1 2000/09/06 22:29:58 stevev Exp stevev $"); #define NEW_AUTHTOK_MSG \ - "Warning: You password has expired, please change it now" + "Warning: Your password has expired, please change it now" /* Callbacks */ static int pamconv(int num_msg, const struct pam_message **msg, 
@@ -50,40 +50,72 @@ pamconv, NULL }; -static struct pam_handle_t *pamh = NULL; +static pam_handle_t *pamh = NULL; static const char *pampasswd = NULL; static char *pam_msg = NULL; -/* PAM conversation function. This is really a kludge to get the password */ -/* into PAM and to pick up any messages generated by PAM into pamconv_msg */ +/* states for pamconv() */ +typedef enum { INITIAL_LOGIN, OTHER } pamstates; +static pamstates pamstate = INITIAL_LOGIN; +/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */ +static int password_change_required = 0; + +/* + * PAM conversation function. + * There are two states this can run in. + * + * INITIAL_LOGIN mode simply feeds the password from the client into + * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output + * messages with pam_msg_cat(). This is used during initial + * authentication to bypass the normal PAM password prompt. + * + * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase(prompt, 1) + * and outputs messages to stderr. This mode is used if pam_chauthtok() + * is called to update expired passwords. 
+ */ static int pamconv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) { struct pam_response *reply; int count; + char buf[1024]; /* PAM will free this later */ reply = malloc(num_msg * sizeof(*reply)); if (reply == NULL) return PAM_CONV_ERR; - for(count = 0; count < num_msg; count++) { - switch (msg[count]->msg_style) { + for (count = 0; count < num_msg; count++) { + switch ((*msg)[count].msg_style) { + case PAM_PROMPT_ECHO_ON: + fputs((*msg)[count].msg, stderr); + fgets(buf, sizeof(buf), stdin); + reply[count].resp = xstrdup(buf); + reply[count].resp_retcode = PAM_SUCCESS; + break; case PAM_PROMPT_ECHO_OFF: - if (pampasswd == NULL) { - free(reply); - return PAM_CONV_ERR; - } + if (pamstate == INITIAL_LOGIN) { + if (pampasswd == NULL) { + free(reply); + return PAM_CONV_ERR; + } + reply[count].resp = xstrdup(pampasswd); + } else + reply[count].resp = xstrdup(read_passphrase((*msg)[count].msg, 1)); reply[count].resp_retcode = PAM_SUCCESS; - reply[count].resp = xstrdup(pampasswd); break; + case PAM_ERROR_MSG: case PAM_TEXT_INFO: - reply[count].resp_retcode = PAM_SUCCESS; + if ((*msg)[count].msg != NULL) { + if (pamstate == INITIAL_LOGIN) + pam_msg_cat((*msg)[count].msg); + else { + fputs((*msg)[count].msg, stderr); + fputs("\n", stderr); + } + } reply[count].resp = xstrdup(""); - - if (msg[count]->msg != NULL) - pam_msg_cat(msg[count]->msg); - + reply[count].resp_retcode = PAM_SUCCESS; break; default: free(reply); 
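Review bot: in the pamconv() hunk, the new PAM_PROMPT_ECHO_ON branch hands the fgets() buffer to xstrdup() without checking fgets()'s return value and without stripping the trailing newline, so the module receives "answer\n" (or an uninitialised buf on EOF); check the result and trim the newline before copying. The same hunk changes every message access from `msg[count]->` to `(*msg)[count].`, which is the Solaris layout (pointer to an array of pam_message); Linux-PAM passes an array of pointers, so this will break other platforms unless the indexing is selected by a configure test. Also `xstrdup(read_passphrase(...))` copies a string read_passphrase() already returns; if that string is heap-allocated the original leaks on every prompt.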
@@ -103,22 +135,22 @@ if (pamh != NULL) { - pam_retval = pam_close_session((pam_handle_t *)pamh, 0); + pam_retval = pam_close_session(pamh, 0); if (pam_retval != PAM_SUCCESS) { log("Cannot close PAM session: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } - pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED); + pam_retval = pam_setcred(pamh, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) { debug("Cannot delete credentials: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } - pam_retval = pam_end((pam_handle_t *)pamh, pam_retval); + pam_retval = pam_end(pamh, pam_retval); if (pam_retval != PAM_SUCCESS) { log("Cannot release PAM authentication: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } } } @@ -139,14 +171,15 @@ pampasswd = password; - pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); + pamstate = INITIAL_LOGIN; + pam_retval = pam_authenticate(pamh, 0); if (pam_retval == PAM_SUCCESS) { debug("PAM Password authentication accepted for user \"%.100s\"", pw->pw_name); return 1; } else { debug("PAM Password authentication for \"%.100s\" failed: %s", - pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + pw->pw_name, PAM_STRERROR(pamh, pam_retval)); return 0; } } 
@@ -157,33 +190,35 @@ int pam_retval; debug("PAM setting rhost to \"%.200s\"", get_canonical_hostname()); - pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, + pam_retval = pam_set_item(pamh, PAM_RHOST, get_canonical_hostname()); if (pam_retval != PAM_SUCCESS) { fatal("PAM set rhost failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } if (remote_user != NULL) { debug("PAM setting ruser to \"%.200s\"", remote_user); - pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user); + pam_retval = pam_set_item(pamh, PAM_RUSER, remote_user); if (pam_retval != PAM_SUCCESS) { fatal("PAM set ruser failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } } - pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0); + pam_retval = pam_acct_mgmt(pamh, 0); switch (pam_retval) { case PAM_SUCCESS: /* This is what we want */ break; case PAM_NEW_AUTHTOK_REQD: pam_msg_cat(NEW_AUTHTOK_MSG); + /* flag that password change is necessary */ + password_change_required = 1; break; default: log("PAM rejected by account configuration: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); return(0); } @@ -197,17 +232,17 @@ if (ttyname != NULL) { debug("PAM setting tty to \"%.200s\"", ttyname); - pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, ttyname); + pam_retval = pam_set_item(pamh, PAM_TTY, ttyname); if (pam_retval != PAM_SUCCESS) { fatal("PAM set tty failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } } - pam_retval = pam_open_session((pam_handle_t *)pamh, 0); + pam_retval = pam_open_session(pamh, 0); if (pam_retval != PAM_SUCCESS) { fatal("PAM session setup failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } } 
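Review bot: the block comment added earlier in this file says pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD, while the case label here is PAM_NEW_AUTHTOK_REQD; use the same spelling in both places so the comment matches the code. Also, `password_change_required = 1;` is set but never cleared, so a second call of this account check in the same process would inherit the flag from the first; reset it to 0 at the top of the function or in the PAM_SUCCESS case.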
@@ -217,10 +252,28 @@ int pam_retval; debug("PAM establishing creds"); - pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_ESTABLISH_CRED); + pam_retval = pam_setcred(pamh, PAM_ESTABLISH_CRED); if (pam_retval != PAM_SUCCESS) { fatal("PAM setcred failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); + } +} + +/* + * Have user change authentication token if pam_acct_mgmt() indicated + * it was expired. This needs to be called after an interactive + * session is established and the user's pty is connected to + * stdin/stout/stderr. + */ +void do_pam_chauthtok() +{ + int pam_retval; + + if (password_change_required) { + pamstate = OTHER; + do { + pam_retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + } while (pam_retval != PAM_SUCCESS); } } @@ -238,12 +291,11 @@ debug("Starting up PAM with username \"%.200s\"", pw->pw_name); - pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, - (pam_handle_t**)&pamh); + pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, &pamh); if (pam_retval != PAM_SUCCESS) { fatal("PAM initialisation failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } #ifdef PAM_TTY_KLUDGE @@ -254,10 +306,10 @@ * not even need one (for tty-less connections) * Kludge: Set a fake PAM_TTY */ - pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, "ssh"); + pam_retval = pam_set_item(pamh, PAM_TTY, "ssh"); if (pam_retval != PAM_SUCCESS) { fatal("PAM set tty failed: %.200s", - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); + PAM_STRERROR(pamh, pam_retval)); } #endif /* PAM_TTY_KLUDGE */ 
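Review bot: the loop `do { pam_retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); } while (pam_retval != PAM_SUCCESS);` in do_pam_chauthtok() has no bound, so any result the module keeps returning (a module error, a misconfigured stack, or EOF on the client's stdin once the conversation function starts reading it) spins the session's sshd forever and lets the user retry indefinitely. Cap the attempts, and after the last failure log PAM_STRERROR(pamh, pam_retval) and terminate the session rather than continuing; clearing password_change_required after the loop would also make it safe to call this more than once.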
@@ -268,7 +320,7 @@ char **fetch_pam_environment(void) { #ifdef HAVE_PAM_GETENVLIST - return(pam_getenvlist((pam_handle_t *)pamh)); + return(pam_getenvlist(pamh)); #else /* HAVE_PAM_GETENVLIST */ return(NULL); #endif /* HAVE_PAM_GETENVLIST */ =================================================================== RCS file: RCS/auth-pam.h,v retrieving revision 1.1 diff -u -r1.1 auth-pam.h --- auth-pam.h 2000/09/12 02:02:26 1.1 +++ auth-pam.h 2000/09/12 02:02:41 @@ -11,5 +11,6 @@ void do_pam_session(char *username, const char *ttyname); void do_pam_setcred(); void print_pam_messages(void); +void do_pam_chauthtok(); #endif /* USE_PAM */ =================================================================== RCS file: RCS/session.c,v retrieving revision 1.1 diff -u -r1.1 session.c --- session.c 2000/09/12 00:43:22 1.1 +++ session.c 2000/09/12 23:58:44 @@ -674,6 +674,8 @@ #ifdef USE_PAM print_pam_messages(); + /* If password change is needed, do it now. */ + do_pam_chauthtok(); #endif /* USE_PAM */ #ifdef WITH_AIXAUTHENTICATE if (aixloginmsg && *aixloginmsg) From stevev at darkwing.uoregon.edu Thu Sep 14 05:25:41 2000 
From: stevev at darkwing.uoregon.edu (Steve VanDevender) Date: Wed, 13 Sep 2000 11:25:41 -0700 Subject: Solaris wtmp/wtmpx handling Message-ID: <14783.50853.480980.869079@darkwing.uoregon.edu> It appears to be a pervasive assumption in the Portable OpenSSH code that wtmp and wtmpx records for the end of a session do not need to include the user name or hostname. Unfortunately Solaris appears not to go along with that assumption; the Solaris "last" command shows all login sessions initiated by OpenSSH as never terminating, or sometimes terminating with the user's next login, and examination of wtmp/wtmpx records for other kinds of logins show that those services do record the username and hostname in both session start and session end records. While it looks like it is possible to fix this, it's probably going to require some extensive code changes and some kind of conditionals to make this do the right thing in Solaris without changing the behavior on other OSes. From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Sep 14 06:48:22 2000 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Wed, 13 Sep 2000 21:48:22 +0200
Subject: Problem with --with-ssl-dir
Message-ID: <20000913214822.A23664@serv01.aet.tu-cottbus.de>

Hi!

When specifying --with-ssl-dir=/path/to/ssl, configure will always use an OpenSSL library in system locations if there, regardless of the setting. This is caused by line 343 of configure.in:

for ssldir in "" $tryssldir /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do

as "" precedes $tryssldir, so $tryssldir is never used if "" is already successful. I recommend changing the precedence to ' $tryssldir "" ', so that I can choose another OpenSSL library (version) besides the one in the system directory. (Currently, setting CFLAGS and LDFLAGS has even higher precedence, so as a workaround I could choose this way.)

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

From larry.jones at sdrc.com Thu Sep 14 08:35:14 2000
From: larry.jones at sdrc.com (Larry Jones)
Date: Wed, 13 Sep 2000 17:35:14 -0400 (EDT)
Subject: Problems/patches for BSD/OS 4.0.1
In-Reply-To: from "Larry Jones" at Sep 11, 0 05:21:15 pm
Message-ID: <200009132135.RAA18004@thor.sdrc.com>

I wrote:
>
> 2) The fixprogs script doesn't reopen the child process's STDIN, STDOUT,
> and STDERR correctly. This caused all of the ``tail'' commands in
> ssh_prng_cmds to fail because they couldn't write to stdout. Here's a
> patch:

But the patch was wrong (it redirected STDOUT to /tmp/foo instead of /dev/null, a leftover from trying to track down the problem). Here's the correct patch:

--- fixprogs.orig Thu May 18 09:12:50 2000 +++ fixprogs Wed Sep 13 17:20:43 2000
@@ -44,9 +44,9 @@ if (! ($pid = fork())) { # child close STDIN; close STDOUT; close STDERR; - open STDIN, "/dev/null"; - open STDERR, ">/dev/null"; + open (STDIN, "/dev/null"); + open (STDERR, ">/dev/null"); exec $path @args; exit 1; # shouldn't be here } There's also another problem -- the fake struct sockaddr_storage is not compatible with struct sockaddr on my system (sockaddr has a byte for the address family, sockaddr_storage has a short), which leads to all sorts of interesting, non-obvious failures later. The simplest solution is to have sockaddr_storage contain an actual sockaddr and use it. Here's the patch: --- fake-socket.h.orig Tue May 30 21:20:12 2000 +++ fake-socket.h Wed Sep 13 17:17:47 2000 @@ -6,17 +6,13 @@ #ifndef HAVE_STRUCT_SOCKADDR_STORAGE # define _SS_MAXSIZE 128 /* Implementation specific max size */ -# define _SS_ALIGNSIZE (sizeof(int)) -# define _SS_PAD1SIZE (_SS_ALIGNSIZE - sizeof(u_short)) -# define _SS_PAD2SIZE (_SS_MAXSIZE - (sizeof(u_short) + \ - _SS_PAD1SIZE + _SS_ALIGNSIZE)) +# define _SS_PADSIZE (_SS_MAXSIZE - sizeof (struct sockaddr)) struct sockaddr_storage { - u_short ss_family; - char __ss_pad1[_SS_PAD1SIZE]; - int __ss_align; - char __ss_pad2[_SS_PAD2SIZE]; + struct sockaddr ss_sa; + char __ss_pad2[_SS_PADSIZE]; }; +# define ss_family ss_sa.sa_family #endif /* !HAVE_STRUCT_SOCKADDR_STORAGE */ #ifndef IN6_IS_ADDR_LOOPBACK -Larry Jones Just when I thought this junk was beginning to make sense. -- Calvin From djm at mindrot.org Thu Sep 14 14:48:40 2000 
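Review bot: in the fixprogs hunk the two replaced lines differ from the originals only in the added parentheses, and STDOUT, closed three lines earlier, is still never reopened in the child, so a command that writes to stdout (the `tail` case the message describes) still has no usable descriptor 1; if the only fault of the earlier version was the /tmp/foo target, the line that seems to be needed is `open (STDOUT, ">/dev/null");` between the STDIN and STDERR opens. The order matters too: once all three handles are closed, each open takes the lowest free descriptor, so without a STDOUT open the STDERR handle may end up on descriptor 1 instead of 2 (worth checking with `fileno(STDERR)` in the child).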
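Review bot: in the fake-socket.h hunk, removing `int __ss_align;` drops the only member that forced the fake struct sockaddr_storage to int alignment; with `struct sockaddr ss_sa;` first, the structure now has only short/char alignment, so an object of this type cast to struct sockaddr_in or sockaddr_in6 can be misaligned for their 32-bit members on strict-alignment hosts. Keep an aligning member (for instance `int __ss_align;` after ss_sa, with _SS_PADSIZE reduced by sizeof(int), or place ss_sa in a union with a long). Also, `# define ss_family ss_sa.sa_family` renames that identifier in every file that includes this header, not just in this struct; a comment next to the define should say so.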
From: djm at mindrot.org (Damien Miller) Date: Thu, 14 Sep 2000 14:48:40 +1100 (EST) Subject: CryptoCard patch In-Reply-To: <20000913041019.32568.qmail@mailhost.sidereal.kz> Message-ID: On 13 Sep 2000, erich wrote: > Please let me know if it will be possible to include this patch in > future releases. If there are specific reasons why it can't be, > please let me know, because maybe I can address them. Otherwise I > will ask our contractor to update the patch for them. I am not particularly keen on putting code into OpenSSH to support proprietary authentication technologies. In any case, changes to the protocol (which this is) should be sent via the OpenBSD maintainers. I doubt they would accept the patch in its current form - it uses functions only present in the portable version. -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From hh at sidereal.kz Thu Sep 14 16:09:53 2000 
From: hh at sidereal.kz (erich) Date: 14 Sep 2000 05:09:53 -0000 Subject: CryptoCard patch In-Reply-To: (message from Damien Miller on Thu, 14 Sep 2000 14:48:40 +1100 (EST)) References: Message-ID: <20000914050953.1104.qmail@mailhost.sidereal.kz> > I am not particularly keen on putting code into OpenSSH to support > proprietary authentication technologies. CryptoCard is absolutely not in any way a proprietary authentication technology. It is a plain and simple DES ECB encryption of the input, using a key which is stored in the device. The first 4 bytes of the output are then displayed in hex. In fact, I have also hired someone to write a CryptoCard emulator for the Palm Pilot, and the resulting code will also be under GPL. Contrast this with RSA, which is in fact a proprietary authentication technology, and which OpenSSH supports by default. Including a hundred or so lines of code to support a more secure, non-proprietary authentication method makes sense. I had this code written under the OpenSSH license exactly for this purpose. If you want people like me to continue to pay people to contribute to open source projects, like OpenSSH, it would be a good idea to not disregard the stuff that gets done this way. I have some pretty specific security needs for what I'm doing, and I want to do it in an open source way, and contribute back as much as possible to the quality project that is OpenBSD. > In any case, changes to the protocol (which this is) should be sent > via the OpenBSD maintainers. I doubt they would accept the patch in its > current form - it uses functions only present in the portable version. Who can I talk to about this? Should I send it to the OpenBSD core team? Thanks, e From hin at stacken.kth.se Thu Sep 14 18:20:30 2000 
From: hin at stacken.kth.se (Hans Insulander)
Date: 14 Sep 2000 09:20:30 +0200
Subject: Kerberos/AFS options in ssh/sshd while disabling them in configure
In-Reply-To: Faheem Mitha's message of "Wed, 13 Sep 2000 13:50:13 -0400 (EDT)"
References:
Message-ID:

Faheem Mitha writes:

> Ok, while we are on the subject, I was wondering about the current state of
> Kerberos support. I have SSH Version OpenSSH_2.2.0p1 for Linux. Is there
> currently support for Krb4 or only for Krb5? Krb4 is only mentioned in
> passing, and I think this is something else you could usefully make clear
> in your man pages.

The Kerberos4 support works. At least on OpenBSD and Solaris 7.

No Kerberos5 support at the moment.

--
--- Hans Insulander , SM0UTY -----------------------
Gravity never loses. The best you can hope for is a draw.

From djm at mindrot.org Thu Sep 14 22:06:47 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 14 Sep 2000 22:06:47 +1100 (EST)
Subject: CryptoCard patch
In-Reply-To: <20000914050953.1104.qmail@mailhost.sidereal.kz>
Message-ID:

On 14 Sep 2000, erich wrote:

> > I am not particularly keen on putting code into OpenSSH to support
> > proprietary authentication technologies.
>
> CryptoCard is absolutely not in any way a proprietary authentication
> technology. It is a plain and simple DES ECB encryption of the input,
> using a key which is stored in the device. The first 4 bytes of the
> output are then displayed in hex. In fact, I have also hired someone
> to write a CryptoCard emulator for the Palm Pilot, and the resulting
> code will also be under GPL. Contrast this with RSA, which is in fact
> a proprietary authentication technology, and which OpenSSH supports by
> default.

I was mistaken about Cryptocard, my apologies. Calling RSA proprietary is drawing a bit of a long bow though.

> > In any case, changes to the protocol (which this is) should be sent
> > via the OpenBSD maintainers. I doubt they would accept the patch in its
> > current form - it uses functions only present in the portable version.
>
> Who can I talk to about this? Should I send it to the OpenBSD core
> team?

There are several on the list, otherwise you can contact them directly at openssh at openbsd.org.

Regards,
Damien Miller

--
| ``The power of accurate observation is | Damien Miller
| commonly called cynicism by those who | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From paul at engsoc.org Fri Sep 15 02:36:16 2000
From: paul at engsoc.org (Paul Nicholas Faure)
Date: Thu, 14 Sep 2000 11:36:16 -0400 (EDT)
Subject: ListenAddress option.
Message-ID:

How do I compile OpenSSH so that I can use:
ListenAddress 0.0.0.0
in my sshd_config file?

Currently I get:
[root at dark openssh-2.2.0p1]# sshd -d
debug: sshd version OpenSSH_2.2.0p1
debug: Seeding random number generator
debug: read DSA private key done
debug: Seeding random number generator
error: getnameinfo failed
fatal: Cannot bind any address.

if I try to use "ListenAddress 0.0.0.0". If I put in the full IP of the system that runs the OpenSSH server, then it works fine.

Thank you.
--
Paul Faure paul at paulfaure.com
Carleton University Systems Engineer 3rd Year paul at porkchop.org
Engsoc Admin/BOG Technical Director paul at engsoc.org

From GLeblanc at cu-portland.edu Fri Sep 15 02:59:42 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Thu, 14 Sep 2000 08:59:42 -0700
Subject: ListenAddress option.
Message-ID: <025836EFF856D411A6660090272811E61D0718@EMAIL>

> -----Original Message-----
> From: Paul Nicholas Faure [mailto:paul at engsoc.org]
>
> How do I compile OpenSSH so that I can use:
> ListenAddress 0.0.0.0
> in my sshd_config file ?
>
> Currently I get:
> [root at dark openssh-2.2.0p1]# sshd -d
> debug: sshd version OpenSSH_2.2.0p1
> debug: Seeding random number generator
> debug: read DSA private key done
> debug: Seeding random number generator
> error: getnameinfo failed
> fatal: Cannot bind any address.
>
> if I try to use "ListenAddress 0.0.0.0". If I put in the full
> ip of the
> system that runs OpenSSH server, then it works fine.

What version of *nix are you using? It works fine for me on Linux (RPM), OpenBSD and Solaris with the default options.

Greg

From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Sep 15 03:23:30 2000
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 14 Sep 2000 18:23:30 +0200 Subject: openssh 2.2.0p1 fails with openssl 0.9.6-beta1 In-Reply-To: ; from graham@webwayone.co.uk on Wed, Sep 13, 2000 at 09:13:26AM +0000 References: Message-ID: <20000914182330.A2671@serv01.aet.tu-cottbus.de> On Wed, Sep 13, 2000 at 09:13:26AM +0000, Graham Murray wrote: > On upgrading to openssl 0.9.6-beta1, I find that openssh 2.2.0p1 fails > to connect. I did some more experiments and also saw the problems. They occur when using a 0.9.6-beta client to connect to 0.9.5a and 0.9.6-beta servers. They also occur when using a 0.9.5a client connecting to a 0.9.6-beta server. Connections fail with "dsa_verify: signature incorrect". I have completely recompiled and re-linked the packages, so that binary compatibility of the OpenSSL library is not an issue. I have crossposted this message to openssh-unix-dev, as I don't know, whether this is caused by the new OpenSSL release or a problem with OpenSSH calling it. !! In any case it is a kind of show-stopper!! Unfortunately I don't know enough about the SSH protocol, so I cannot offer my help this time :-( Best regards, Lutz Rest of original message: > I get the following log > SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0. > Compiled with SSL (0x00906001). > debug: Reading configuration data /usr/local/etc/ssh_config > debug: Applying options for * > debug: Seeding random number generator > debug: ssh_connect: getuid 500 geteuid 0 anon 0 > debug: Connecting to gateway.webwayone.demon.co.uk [192.168.50.2] port 22. > debug: Allocated local port 1023. > debug: Connection established. 
> debug: Remote protocol version 2.0, remote software version OpenSSH_2.2.0p1 > Enabling compatibility mode for protocol 2.0 > debug: Local version string SSH-2.0-OpenSSH_2.2.0p1 > debug: Seeding random number generator > debug: send KEXINIT > debug: done > debug: wait KEXINIT > debug: got kexinit: diffie-hellman-group1-sha1 > debug: got kexinit: ssh-dss > debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc > debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc > debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com > debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com > debug: got kexinit: zlib,none > debug: got kexinit: zlib,none > debug: got kexinit: > debug: got kexinit: > debug: first kex follow: 0 > debug: reserved: 0 > debug: done > debug: kex: server->client 3des-cbc hmac-sha1 none > debug: kex: client->server 3des-cbc hmac-sha1 none > debug: Sending SSH2_MSG_KEXDH_INIT. > debug: bits set: 501/1024 > debug: Wait SSH2_MSG_KEXDH_REPLY. > debug: Got SSH2_MSG_KEXDH_REPLY. > debug: Host 'gateway.webwayone.demon.co.uk' is known and matches the DSA host key. > debug: bits set: 509/1024 > debug: len 55 datafellows 0 > debug: dsa_verify: signature incorrect > dsa_verify failed for server_host_key > debug: Calling cleanup 0x805e760(0x0) > > Using openssl 0.9.5a there are no problems (I have a log of a > connection using this, if this will help) > > The remote system is running openssh 2.2.0p1 with openssl 0.9.5a. > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users at openssl.org > Automated List Manager majordomo at openssl.org -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From preed at sigkill.com Fri Sep 15 03:36:10 2000 
From: preed at sigkill.com (J. Paul Reed)
Date: Thu, 14 Sep 2000 09:36:10 -0700 (PDT)
Subject: X forwarding
In-Reply-To: <20000914182330.A2671@serv01.aet.tu-cottbus.de>
Message-ID:

This is probably a commonly asked question... that, or I'm missing something significant here.

I'm using an OpenSSH 2.2.1p4 client, with OpenSSH 1.2.3 for the server; I'm trying to display a remote X app back to my desktop; every time I try it, I get:

remote.server$ xcalc
channel 0: istate 4 != open
channel 0: ostate 64 != open
X connection to remote.server:10.0 broken (explicit kill or server shutdown).

Is this an xauth thing, or an incompatibility thing, or?

TIA!

Later,
Paul
----------------------------------------------------------------------
J. Paul Reed preed at sigkill.com || web.sigkill.com/preed
If you put a gun to my head and said "Name ten great bands that have come out in the last 5 years," you'd be wiping my brains off the wall. -- Trent Reznor

From i.palsenberg at jdimedia.nl Fri Sep 15 04:32:53 2000
From: i.palsenberg at jdimedia.nl (Igmar Palsenberg)
Date: Thu, 14 Sep 2000 19:32:53 +0200 (CEST)
Subject: CryptoCard patch
Message-ID:

On 14 Sep 2000, erich wrote:

>> I am not particularly keen on putting code into OpenSSH to support
>> proprietary authentication technologies.
>
> CryptoCard is absolutely not in any way a proprietary authentication
> technology. It is a plain and simple DES ECB encryption of the input,
> using a key which is stored in the device. The first 4 bytes of the
> output are then displayed in hex.

The current implementation is an ANSI X9.9, and is a supported mode on almost all hardware tokens. Specific modes for tokens are not supported, and probably never will be, since all manufacturers refuse to give me any information.

>> In fact, I have also hired someone
>> to write a CryptoCard emulator for the Palm Pilot, and the resulting
>> code will also be under GPL. Contrast this with RSA, which is in fact
>> a proprietary authentication technology, and which OpenSSH supports by
>> default.

> I was mistaken about Cryptocard, my apologies. Calling RSA proprietary
> is a drawing a bit of a long bow though.

>> In any case, changes to the protocol (which this is) should be sent
>> via the OpenBSD maintainers. I doubt they would accept the patch in its
>> current form - it uses functions only present in the portable version.

Which one?? It isn't using anything weird as far as I can see.

>> Who can I talk to about this? Should I send it to the OpenBSD core
>> team?

> There are several on the list, otherwise you can contact them direct at
> openssh at openbsd.org.

I've contacted them, but no reply unfortunately.

> Regards,
> Damien Miller

Regards,

Igmar

--
Igmar Palsenberg
JDI Media Solutions
Jansplaats 11
6811 GB Arnhem
The Netherlands
mailto: i.palsenberg at jdimedia.nl
PGP/GPG key : http://www.jdimedia.nl/formulier/pgp/igmar

From levitte at stacken.kth.se Fri Sep 15 04:34:31 2000
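The token scheme erich describes (a single DES-ECB encryption of the challenge under the key held in the device, first 4 bytes of the output shown in hex) and Igmar's remark that the implementation is ANSI X9.9 style, as an added verifier-side example in Go; this is not code from the thread's patch or from OpenSSH. It assumes an 8-byte DES key per user, a challenge of up to 8 ASCII decimal digits zero-padded on the right to one DES block (the thread does not say how the challenge is padded), and an upper-case hex response.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"strings"
)

// tokenResponse is the computation erich describes: one DES-ECB encryption
// of an 8-byte challenge block under the device key, with the first 4 bytes
// of the ciphertext shown as 8 upper-case hex digits.
func tokenResponse(key, challenge []byte) (string, error) {
	if len(key) != 8 || len(challenge) != 8 {
		return "", errors.New("key and challenge must each be one DES block (8 bytes)")
	}
	block, err := des.NewCipher(key)
	if err != nil {
		return "", err
	}
	var out [8]byte
	block.Encrypt(out[:], challenge)
	return strings.ToUpper(hex.EncodeToString(out[:4])), nil
}

// padChallenge turns the decimal challenge shown to the user into a DES block.
// Assumption (the thread does not say): ASCII digits, zero-padded to 8 bytes.
func padChallenge(digits string) ([]byte, error) {
	if len(digits) == 0 || len(digits) > 8 {
		return nil, errors.New("challenge must be 1 to 8 digits")
	}
	for _, c := range digits {
		if c < '0' || c > '9' {
			return nil, errors.New("challenge must be decimal digits")
		}
	}
	blk := make([]byte, 8)
	copy(blk, digits)
	return blk, nil
}

// Verifier is the server side: per-user token keys, one outstanding
// challenge per user, and at most one response accepted per challenge.
type Verifier struct {
	keys    map[string][]byte
	pending map[string]string
}

func NewVerifier() *Verifier {
	return &Verifier{keys: map[string][]byte{}, pending: map[string]string{}}
}

func (v *Verifier) Enroll(user string, key []byte) error {
	if len(key) != 8 {
		return errors.New("token key must be 8 bytes")
	}
	v.keys[user] = append([]byte(nil), key...)
	return nil
}

// Challenge issues 8 uniformly random decimal digits (rejection sampling
// avoids the modulo bias of b%10) and records them as the only challenge
// currently valid for user.
func (v *Verifier) Challenge(user string) (string, error) {
	digits := make([]byte, 0, 8)
	var b [1]byte
	for len(digits) < 8 {
		if _, err := rand.Read(b[:]); err != nil {
			return "", err
		}
		if b[0] < 250 { // 250 is a multiple of 10, so b[0]%10 is unbiased
			digits = append(digits, '0'+b[0]%10)
		}
	}
	v.pending[user] = string(digits)
	return string(digits), nil
}

// Verify checks one response against the outstanding challenge. The challenge
// is consumed before comparing, so a wrong answer forces a new challenge and a
// correct answer cannot be replayed; the comparison is constant-time.
func (v *Verifier) Verify(user, response string) bool {
	challenge, issued := v.pending[user]
	delete(v.pending, user)
	key, enrolled := v.keys[user]
	if !issued || !enrolled {
		return false
	}
	blk, err := padChallenge(challenge)
	if err != nil {
		return false
	}
	want, err := tokenResponse(key, blk)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(strings.ToUpper(response))) == 1
}
```

Single DES gives a 56-bit key and a 32-bit response, so the one-attempt-per-challenge rule in Verify is what keeps online guessing from being cheap; the key strength itself is whatever the device offers.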
From: levitte at stacken.kth.se (Richard Levitte - VMS Whacker)
Date: Thu, 14 Sep 2000 19:34:31 +0200
Subject: openssh 2.2.0p1 fails with openssl 0.9.6-beta1
In-Reply-To: Your message of "Thu, 14 Sep 2000 18:23:30 +0200" <20000914182330.A2671@serv01.aet.tu-cottbus.de>
References: <20000914182330.A2671@serv01.aet.tu-cottbus.de>
Message-ID: <20000914193431R.levitte@pizza.stacken.kth.se>

From: Lutz Jaenicke

Lutz.Jaenicke> I did some more experiments and also saw the problems.
Lutz.Jaenicke>
Lutz.Jaenicke> They occur when using a 0.9.6-beta client to connect to
Lutz.Jaenicke> 0.9.5a and 0.9.6-beta servers.
Lutz.Jaenicke> They also occur when using a 0.9.5a client connecting
Lutz.Jaenicke> to a 0.9.6-beta server.

Hmm, that's no good. I'll see if I can generate something similar using just s_client and s_server or something like that...

--
Richard Levitte \ Spannvägen 38, II \ LeViMS at stacken.kth.se
Chairman at Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
Redakteur at Stacken \ SWEDEN \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis -- poei at bofh.se
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400. See for more info.

From faheem at email.unc.edu Fri Sep 15 07:37:04 2000
From: faheem at email.unc.edu (Faheem Mitha) Date: Thu, 14 Sep 2000 16:37:04 -0400 (EDT) Subject: modifying Openssh config script for KTH-KRB (fwd) Message-ID: Dear OpenSSH developers, Hi, taking the liberty of sending this to your mailing list in the hope someone will be able to help. The KTH version of Kerberos 4 was the only one I was able to find. In case you don't want to look at all the stuff below, the situation is briefly that I am trying to compile openssh with kerberos 4 support, which it apparently has. However, it can't find krb.h, which is right there. And it compiles OK, but gives "KerberosTgtPassing yes" as a bad option, which can't be good, and I don't get properly authenticated when I log in, which is obviously the whole point. If this ssh cannot be compiled with this krb4 version, can you suggest a version it *would* compile correctly with? It is possible the configure file could be tweaked to perform correctly, but how? I heard this compiles correctly on OpenSSH. Since OpenSSH is free, what version of krb4 are they using there? Best regards, Faheem Mitha. ---------- Forwarded message ---------- Date: Thu, 14 Sep 2000 00:36:57 -0400 (EDT) 
From: Faheem Mitha
To: ssh at clinet.fi
Subject: Re: modifying Openssh config script for KTH-KRB

Just after I sent this message, I decided to see whether Kerberos4 support would work anyway, even without the krb.h. I get:

ssh -v sun gives...

*******************************************
debug: Trying Kerberos authentication.
debug: Kerberos V4 authentication accepted.
debug: Kerberos V4 challenge successful.
*******************************************

This is encouraging (sort of). However, it still does not appear to be working properly, as I cannot read my files (don't have the appropriate permissions). This happens when I have not been properly authenticated.

Oh, yes, "KerberosTgtPassing yes" is still a "Bad configuration option", though "KerberosAuthentication yes" is now apparently OK.

Can anyone suggest what to try now? Is the missing krb.h part of the problem?

Best regards, Faheem Mitha.

On Thu, 14 Sep 2000, Faheem Mitha wrote:

>
> Dear people,
>
> Openssh appears to have the option to compile with krb4 support, judging
> by the config script. There is a line that says
>
> ac_help="$ac_help
> --with-kerberos4=PATH Enable Kerberos 4 support"
>
> I assume this means add the flag
>
> --with-kerberos4=PATH
>
> to ./configure.
>
> However, I have the KTH version of Kerberos, which has files in
> idiosyncratic places. All the stuff is in /usr/athena, with subdirectories
> like lib and include. krb.h is in /usr/athena/include, but the script
> complains it cannot find it when I set PATH=/usr/athena. I get the
> following output from configure which seems relevant. I have no idea what
> "checking for main in -lkrb... yes" means.
>
> ******************************************************************
> checking for krb.h... no
> checking for main in -lkrb... yes
> configure: warning: Cannot find krb.h, build may fail
> ******************************************************************
>
> I don't understand these scripts well enough to understand what is going
> on.
Can someone tell me what I need to do. The relevant area of configure > appears below. I hope drastic changes will not be necessary. > > By the way, I have no idea what the KRB4_MSG="no" means. My impression is > that it has no functional part, but I could be wrong. > > ******************************************************************** > # Check whether user wants Kerberos support > KRB4_MSG="no" > # Check whether --with-kerberos4 or --without-kerberos4 was given. > if test "${with_kerberos4+set}" = set; then > withval="$with_kerberos4" > > if test "x$withval" != "xno" ; then > > if test "x$withval" != "$xyes" ; then > CFLAGS="$CFLAGS -I${withval}/include" > LDFLAGS="$LDFLAGS -L${withval}/lib" > if test ! -z "$need_dash_r" ; then > LDFLAGS="$LDFLAGS > -R${withval}/lib" > fi > if test ! -z "$blibpath" ; then > > blibpath="$blibpath:${withval}/lib" > fi > else > if test -d /usr/include/kerberosIV ; then > CFLAGS="$CFLAGS > -I/usr/include/kerberosI > fi > fi > > for ac_hdr in krb.h > *************************************************************************** > > I'd appreciate any help. > > Faheem. > > From phma at oltronics.net Fri Sep 15 07:30:23 2000 
From: phma at oltronics.net (Pierre Abbat) Date: Thu, 14 Sep 2000 16:30:23 -0400 Subject: X forwarding In-Reply-To: References: Message-ID: <00091416403119.00919@neofelis> On Thu, 14 Sep 2000, J. Paul Reed wrote: >This is probably a commonly asked question...that, or I'm missing >something significant, here. > >I'm using an OpenSSH 2.2.1p4 client, with OpenSSH 1.2.3 for the server; >I'm trying to display a remote X app back to my desktop; everytime I try >it, I get: > >remote.server$ xcalc >channel 0: istate 4 != open >channel 0: ostate 64 != open >X connection to remote.server:10.0 broken (explicit kill or server >shutdown). > >Is this an xauth thing, or an incompatibility thing, or? Check your XAUTHORITY environment variable. It should be /tmp/ssh-*/cookies. If it's ~/.Xauthority, try changing it. Also try running sshd in debug mode on a different port and see whether it is forwarding X. phma From preed at sigkill.com Fri Sep 15 08:10:53 2000 
From: preed at sigkill.com (J. Paul Reed)
Date: Thu, 14 Sep 2000 14:10:53 -0700 (PDT)
Subject: X forwarding
In-Reply-To: <00091416403119.00919@neofelis>

On Thu, 14 Sep 2000, Pierre Abbat wrote:

> Check your XAUTHORITY environment variable. It should be
> /tmp/ssh-*/cookies. If it's ~/.Xauthority, try changing it. Also try
> running sshd in debug mode on a different port and see whether it is
> forwarding X.

It was set correctly; I included debug output from both the client and the server, attached above.

However, I did notice this on the client end:

debug: channel 0: new [X11 connection from remote port 3459]
debug: X11 connection uses different authentication protocol.
debug: X11 rejected 0 i1/o16

Could that be the issue?

I changed all the names to remote and remote.server, and local and local.server, if you're looking at the debug output.

Later,
Paul

----------------------------------------------------------------------
J. Paul Reed                    preed at sigkill.com || web.sigkill.com/preed
If you put a gun to my head and said "Name ten great bands that have
come out in the last 5 years," you'd be wiping my brains off the wall.
                                                        -- Trent Reznor

-------------- next part --------------
[preed at lira preed]$ ssh -v -C -p 2200 remote.server
SSH Version OpenSSH_2.1.1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /home/preed/.ssh/config
debug: Applying options for *
debug: Seeding random number generator
debug: ssh_connect: getuid 1000 geteuid 0 anon 0
debug: Connecting to remote.server [x.x.x.x] port 2200.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version OpenSSH-1.2.3
debug: Local version string SSH-1.5-OpenSSH_2.1.1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'remote.server' is known and matches the RSA host key.
debug: Seeding random number generator
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Doing password authentication.
preed at remote.server's password:
debug: Requesting compression at level 6.
debug: Enabling compression at level 6.
debug: Requesting pty.
debug: Requesting X11 forwarding with authentication spoofing.
debug: Requesting shell.
debug: Entering interactive session.
Last login: Thu Sep 14 14:01:00 2000 from local.box
Environment:
  USER=preed
  LOGNAME=preed
  HOME=/home/preed
  PATH=/usr/local/java:/bin:/usr/bin:/etc:/usr/sbin:$HOME/bin:/sbin:/usr/local/bin:/usr/X11R6/bin:/usr/bin/X11:$HOME:.
  MAIL=/var/spool/mail/preed
  SHELL=/bin/bash
  SSH_CLIENT=remote.server 63941 2200
  SSH_TTY=/dev/pts/9
  TERM=xterm
  DISPLAY=remote.server:12.0
  XAUTHORITY=/tmp/ssh-FAE14707/cookies
Running /usr/X11R6/bin/xauth add remote.server:12.0 MIT-MAGIC-COOKIE-1 13e8a2bcfba9ac74a996d449d6837388
Some circumstantial evidence is very strong, as when you find a trout in the milk.
                -- Thoreau
remote.server$ xcalc
debug: Received X11 open request.
debug: fd 4 setting O_NONBLOCK
debug: channel 0: new [X11 connection from remote port 3459]
debug: X11 connection uses different authentication protocol.
debug: X11 rejected 0 i1/o16
debug: channel 0: read failed
debug: channel 0: input open -> drain
debug: channel 0: close_read
debug: channel 0: input: no drain shortcut
debug: channel 0: ibuf empty
debug: channel 0: input drain -> wait_oclose
debug: channel 0: send ieof
debug: channel 0: write failed
debug: channel 0: output open -> wait_ieof
debug: channel 0: send oclose
debug: channel 0: close_write
debug: X11 closed 0 i4/o64
debug: channel 0: rcvd ieof
debug: channel 0: non-open
channel 0: istate 4 != open
channel 0: ostate 64 != open
debug: channel 0: rcvd oclose
debug: channel 0: input wait_oclose -> closed
X connection to remote.server:12.0 broken (explicit kill or server shutdown).
Connection to remote.server closed.
debug: Transferred: stdin 12, stdout 880, stderr 45 bytes in 48.0 seconds
debug: Bytes per second: stdin 0.2, stdout 18.3, stderr 0.9
debug: Exit status 1
debug: compress outgoing: raw data 291, compressed 275, factor 0.95
debug: compress incoming: raw data 1066, compressed 747, factor 0.70
-------------- next part --------------
debug: sshd version OpenSSH-1.2.3
debug: Bind to port 2200 on 0.0.0.0.
Server listening on 0.0.0.0 port 2200.
Generating 768 bit RSA key.
RSA key generation complete.
debug: Server will not fork when running in debugging mode.
Connection from local.server port 63941
debug: Client protocol version 1.5; client software version OpenSSH_2.1.1
debug: Sent 768 bit public key and 1024 bit host key.
debug: Encryption type: 3des
debug: Received session key; encryption turned on.
debug: Installing crc compensation attack detector.
debug: Starting up PAM with username "preed"
debug: Attempting authentication for preed.
debug: PAM Password authentication accepted for user "preed"
Accepted password for preed from local.server port 63941
debug: PAM setting rhost to "local.server"
debug: Enabling compression at level 6.
debug: Allocating pty.
debug: Received request for X11 forwarding with auth spoofing.
debug: Socket family 10 not supported [X11 disp create]
debug: bind port 6010: Address already in use
debug: Socket family 10 not supported [X11 disp create]
debug: bind port 6011: Address already in use
debug: Socket family 10 not supported [X11 disp create]
debug: channel 0: new [X11 inet listener]
debug: Forking shell.
debug: PAM setting tty to "/dev/pts/9"
debug: PAM establishing creds
debug: Entering interactive session.
debug: Setting controlling tty using TIOCSCTTY.
debug: X11 connection requested.
debug: channel 1: new [X11 connection from remote.server port 3459]
debug: Received channel open confirmation.
debug: Received channel close.
debug: channel 1: OUTPUT_OPEN -> OUTPUT_WAIT_DRAIN [rvcd IEOF]
debug: Received channel close confirmation.
debug: channel 1: INPUT_OPEN -> INPUT_CLOSED [rvcd OCLOSE, send IEOF]
debug: channel 1: shutdown_read
debug: channel 1: OUTPUT_WAIT_DRAIN -> OUTPUT_CLOSED [obuf empty, send OCLOSE]
debug: channel 1: shutdown_write
debug: channel 1: full closed
debug: Received SIGCHLD.
debug: End of interactive session; stdin 12, stdout (read 880, sent 880), stderr 0 bytes.
debug: Command exited with status 1.
debug: Received exit confirmation.
debug: xauthfile_cleanup_proc called
Closing connection to x.x.x.x
debug: compress outgoing: raw data 1066, compressed 747, factor 0.70
debug: compress incoming: raw data 291, compressed 275, factor 0.95

From Edward.Livengood at CommerceBank.com Fri Sep 15 08:40:42 2000
From: Edward.Livengood at CommerceBank.com (Livengood, Edward)
Date: Thu, 14 Sep 2000 16:40:42 -0500
Subject: SSH using the login binary
Message-ID: <5D4224BA9743D311BB6E00A0C9F4854F063228AB@KCEXC>

This may not be the place to pose this question so forgive me if I should send this somewhere else.

I have noticed that SSH2 appears to check user's password against the password file without executing login. We are using a security application that replaces the login binary to perform its own security checks on login, i.e. it suspends user ids that have failed to use a successful password. Since SSH2 doesn't use the login binary that was replaced it bypasses our security product. I was wondering if this would be difficult to change, and if not where in the source code I would have to go to make such a change?

Ed
Information Security

From paul at engsoc.carleton.ca Fri Sep 15 09:00:58 2000
From: paul at engsoc.carleton.ca (Paul Nicholas Faure)
Date: Thu, 14 Sep 2000 18:00:58 -0400 (EDT)
Subject: ListenAddress option.
In-Reply-To: <025836EFF856D411A6660090272811E61D0718@EMAIL>

Yeah, that's just it. The RPM works, but I want to compile it, so I need the options that people use to make the RPMs.

On Thu, 14 Sep 2000, Gregory Leblanc wrote:

> > -----Original Message-----
> > From: Paul Nicholas Faure [mailto:paul at engsoc.org]
> >
> > How do I compile OpenSSH so that I can use:
> > ListenAddress 0.0.0.0
> > in my sshd_config file ?
> >
> > Currently I get:
> > [root at dark openssh-2.2.0p1]# sshd -d
> > debug: sshd version OpenSSH_2.2.0p1
> > debug: Seeding random number generator
> > debug: read DSA private key done
> > debug: Seeding random number generator
> > error: getnameinfo failed
> > fatal: Cannot bind any address.
> >
> > if I try to use "ListenAddress 0.0.0.0". If I put in the full
> > ip of the
> > system that runs OpenSSH server, then it works fine.
>
> What version of *nix are you using? It works fine for me on Linux (RPM),
> OpenBSD and Solaris with the default options.
> Greg
>

-- 
Paul Faure                                    paul at paulfaure.com
Carleton University Systems Engineer 3rd Year paul at porkchop.org
Engsoc Admin/BOG Technical Director           paul at engsoc.org

From GLeblanc at cu-portland.edu Fri Sep 15 09:05:46 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Thu, 14 Sep 2000 15:05:46 -0700
Subject: ListenAddress option.
Message-ID: <025836EFF856D411A6660090272811E61D071C@EMAIL>

> -----Original Message-----
> From: Paul Nicholas Faure [mailto:paul at engsoc.carleton.ca]
>
> Yeah, that's just it. The RPM works, but I want to compile it,
> so I need the
> options that people use to make the RPMs.

These are the configure options from the RPM for 2.2.0p1-2.

CFLAGS="$RPM_OPT_FLAGS" \
./configure --prefix=/usr --sysconfdir=/etc/ssh \
        --with-tcp-wrappers --with-ipv4-default \
        --with-rsh=/usr/bin/rsh

Greg

From GLeblanc at cu-portland.edu Fri Sep 15 09:07:35 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Thu, 14 Sep 2000 15:07:35 -0700
Subject: SSH using the login binary
Message-ID: <025836EFF856D411A6660090272811E61D071D@EMAIL>

> -----Original Message-----
> From: Livengood, Edward [mailto:Edward.Livengood at CommerceBank.com]
>
> This may not be the place to pose this question so forgive me
> if I should
> send this somewhere else.
>
> I have noticed that SSH2 appears to check user's password against the
> password file without executing login. We are using a
> security application
> that replaces the login binary to perform its own security
> checks on login,
> i.e. it suspends user ids that have failed to use a
> successful password.
> Since SSH2 doesn't use the login binary that was replaced it
> bypasses our
> security product. I was wondering if this would be difficult
> to change, and
> if not where in the source code I would have to go to make
> such a change?

Now I'm not an expert, but isn't this what the "UseLogin" parameter in sshd_config is supposed to do? The man page for sshd has more information.

Greg

From Tomi.Ollila at sonera.com Fri Sep 15 18:36:59 2000
From: Tomi.Ollila at sonera.com (Tomi Ollila)
Date: Fri, 15 Sep 2000 10:36:59 +0300 (EET DST)
Subject: An alternative to `ProxyCommand'
In-Reply-To: <20000913104559.A23955@faui02.informatik.uni-erlangen.de>
References: <14782.6203.450097.174606@chardonnay.ajk.tele.fi> <20000912155452.A27208@faui02.informatik.uni-erlangen.de> <14783.14343.937465.866456@chardonnay.ajk.tele.fi> <20000913104559.A23955@faui02.informatik.uni-erlangen.de>
Message-ID: <14785.53659.372570.15829@chardonnay.ajk.tele.fi>

Hi

In my last 2 mails I've been discussing options for how to best create a feature I need, doing some special pre-handling of a communication link until ssh will take over. Now I probably understand the directions in which ssh is not wanted to evolve, and have been thinking how the features I'd like to see ssh support (either directly or indirectly) could be implemented.

So, this is the latest and (IMHO) neatest. An alternative to the ssh option ProxyCommand that would work like the following:

1) ssh creates the network socket and connects to the peer.

2) If this option (for which I don't know a good name ... yet) is used, ssh will launch the program associated with it. The first argument to this program will be the file descriptor of the network socket that is used for communication.

3) ssh will go to wait(), and when this launched program exits, will continue normally with the ssh identification procedure and so on.

While ssh is wait()ing for the process to exit, this process can read/write to stdin/stdout normally (if it wants to do so).

This way ssh can do all the same security checks that it could do when working in "normal" mode, since it has access to the network socket. Also, the launched program has access to that socket and therefore may query it if it wants to know something -- passing the hostname with %h might still be useful...

This option could be used in the configuration file like the ProxyCommand option, allowing ssh/scp/... to work as with it. Only a bit more effective since there will be no process context switching and relaying the data.

ProxyCommand can add the `SSH-...' string to the stream going to the ssh process if necessary (it has read such data from the network connection). W/ this new system this cannot be done. This is no problem, however -- the launched process can utilize recv(sd, buf, buflen, MSG_PEEK) when reading the network socket, and adjust the receive buffer to first contain SSH-... when it exits (just as tt4ssh does).

Any opinions on this proposal -- c/sh/would this be done? I'll redesign my tt4ssh to work with it if this is going to be implemented (and will think of a new name for it)... I could even implement this in ssh if it is going to stay there in future releases also.

Tomi

Now that I possibly understand the model

From Markus.Friedl at informatik.uni-erlangen.de Sat Sep 16 00:39:23 2000
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 15 Sep 2000 15:39:23 +0200
Subject: openssh 2.2.0p1 fails with openssl 0.9.6-beta1
In-Reply-To: <20000914193431R.levitte@pizza.stacken.kth.se>; from levitte@stacken.kth.se on Thu, Sep 14, 2000 at 07:34:31PM +0200
References: <20000914182330.A2671@serv01.aet.tu-cottbus.de> <20000914193431R.levitte@pizza.stacken.kth.se>
Message-ID: <20000915153923.A850@faui02.informatik.uni-erlangen.de>

On Thu, Sep 14, 2000 at 07:34:31PM +0200, Richard Levitte - VMS Whacker wrote:
> From: Lutz Jaenicke
>
> Lutz.Jaenicke> I did some more experiments and also saw the problems.
> Lutz.Jaenicke>
> Lutz.Jaenicke> They occur when using a 0.9.6-beta client to connect to
> Lutz.Jaenicke> 0.9.5a and 0.9.6-beta servers.
> Lutz.Jaenicke> They also occur when using a 0.9.5a client connecting
> Lutz.Jaenicke> to a 0.9.6-beta server.
>
> Hmm, that's no good. I'll see if I can generate something similar
> using just s_client and s_server or something like that...

i tried to trace this and it seems that DSA is not the problem.

the shared DH secret differs for both machines. this secret is included in the data that the server has to sign. this is why ssh prints: dsa_verify failed.

From levitte at stacken.kth.se Sat Sep 16 00:54:40 2000
From: levitte at stacken.kth.se (Richard Levitte - VMS Whacker)
Date: Fri, 15 Sep 2000 15:54:40 +0200
Subject: openssh 2.2.0p1 fails with openssl 0.9.6-beta1
In-Reply-To: Your message of "Fri, 15 Sep 2000 15:39:23 +0200" <20000915153923.A850@faui02.informatik.uni-erlangen.de>
References: <20000915153923.A850@faui02.informatik.uni-erlangen.de>
Message-ID: <20000915155440T.levitte@pizza.stacken.kth.se>

From: Markus Friedl

Markus.Friedl> i tried to trace this and it seems that DSA is not the problem.
Markus.Friedl>
Markus.Friedl> the shared DH secret differs for both machines. this
Markus.Friedl> secret is included in the data that the server has to
Markus.Friedl> sign. this is why ssh prints: dsa_verify failed.

I'm not sure if that means that OpenSSL still has a bug or not...

-- 
Richard Levitte   \ Spannvägen 38, II \ LeViMS at stacken.kth.se
Chairman at Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur at Stacken \ SWEDEN           \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis                -- poei at bofh.se
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/
Unsolicited commercial email is subject to an archival fee of $400.
See for more info.

From Edward.Livengood at CommerceBank.com Sat Sep 16 02:11:34 2000
From: Edward.Livengood at CommerceBank.com (Livengood, Edward)
Date: Fri, 15 Sep 2000 10:11:34 -0500
Subject: SSH using the login binary
Message-ID: <5D4224BA9743D311BB6E00A0C9F4854F063228AD@KCEXC>

Thank you. That led me to what I was looking for.

Ed
Information Security

-----Original Message-----
From: Gregory Leblanc [mailto:GLeblanc at cu-portland.edu]
Sent: Thursday, September 14, 2000 5:08 PM
To: 'Livengood, Edward'; 'openssh-unix-dev at mindrot.org'
Subject: RE: SSH using the login binary

> -----Original Message-----
> From: Livengood, Edward [mailto:Edward.Livengood at CommerceBank.com]
>
> This may not be the place to pose this question so forgive me
> if I should
> send this somewhere else.
>
> I have noticed that SSH2 appears to check user's password against the
> password file without executing login. We are using a
> security application
> that replaces the login binary to perform its own security
> checks on login,
> i.e. it suspends user ids that have failed to use a
> successful password.
> Since SSH2 doesn't use the login binary that was replaced it
> bypasses our
> security product. I was wondering if this would be difficult
> to change, and
> if not where in the source code I would have to go to make
> such a change?

Now I'm not an expert, but isn't this what the "UseLogin" parameter in sshd_config is supposed to do? The man page for sshd has more information.

Greg

From shane at collab.net Sat Sep 16 11:53:33 2000
From: shane at collab.net (Shane Owenby)
Date: Fri, 15 Sep 2000 17:53:33 -0700
Subject: openssh-2.2.0p1-2 issue
Message-ID: <20000915175333.A3068@collab.net>

I have checked the FAQ and the mailing list archives, but I haven't been able to RTFM to solve my problem. Thus turning to the dev list.

2.2.0p1 Changelog includes:
20000207
 - Removed SOCKS code. Will support through a ProxyCommand.

Relevant Mailing list archives:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=95803710921359&w=2
and
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=94681757108109&w=2
show that SOCKS support has been an issue for the past few months.

Here are my questions:

1. Has the ProxyCommand been implemented, and if so where are instructions on how to use it? If not, is anyone working on it?

2. Why was the inferior method of 'socksify' chosen over proper -lsocks support? (ie why was the Dante patch removed. It was useful)

Think of deploying OpenSSH to a group of 300 people. If a person can be given one set of binaries which works with SOCKS out of the box that is much better than making them download and configure Dante as well as OpenSSH. (assume a working socks config file is already on the box)

I will be happy to provide a patch to the FAQ once I understand the issues and solution.

Thanks in advance for your time,
Shane Owenby
Shane at collab.net

From djm at mindrot.org Sat Sep 16 13:32:31 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 16 Sep 2000 13:32:31 +1100 (EST)
Subject: A bug in openssh-2.2.0-p1
In-Reply-To: <20000902175901.A6346@omni.sinus.cz>

On Sat, 2 Sep 2000, Pavel Troller wrote:

> Hello!
> Today I've found, downloaded and compiled openssh-2.2.0-p1. It
> basically worked, except that users other than root were not allowed
> to login. My system is a Linux-2.4.0-test7 with glibc-2.1.3. No PAM
> is installed/used. It uses MD5 passwords and shadow with account
> expiration feature. In handling of the latter, a probable bug was
> found. In auth.c, allowed_user(), there is a
> code at the line 73, saying

[snip]

> On the other hand, there is a sp_max entry, stating maximum number
> of days between password changes. This is the right value for us. So
> I changed the code to be as follows:

[snip]

Thanks - this has been applied.

Regards,
Damien Miller

-- 
| ``The power of accurate observation is      | Damien Miller
| commonly called cynicism by those who       | @Work
| have not got it'' - George Bernard Shaw     | http://www.mindrot.org

From djm at mindrot.org Sat Sep 16 13:42:28 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 16 Sep 2000 13:42:28 +1100 (EST)
Subject: sftp-server and latest snapshot
In-Reply-To: <200009051304.PAA22478@b0fh.sweden.hp.com>

On Tue, 5 Sep 2000, Kevin Steves wrote:

> Needed to do the following to get sftp-server to compile on HP-UX 11.
> Not sure what the right "portable" fix might be. Also, should
> sftp-server really be installed in prefix/libexec/ssh/ or just
> prefix/libexec/?

The fix is correct. You are right about libexec. The new makefile uses whatever you specify as libexecdir, i.e. $(prefix)/libexec by default.

-d

> --- defines.h~ Tue Sep 5 07:13:07 2000
> +++ defines.h Tue Sep 5 14:36:24 2000
> @@ -143,9 +143,7 @@
> typedef uint8_t u_int8_t;
> typedef uint16_t u_int16_t;
> typedef uint32_t u_int32_t;
> -/*
> typedef uint64_t u_int64_t;
> -*/
> # define HAVE_U_INTXX_T 1
> # else
> # if (SIZEOF_CHAR == 1)
>
>

-- 
| ``The power of accurate observation is      | Damien Miller
| commonly called cynicism by those who       | @Work
| have not got it'' - George Bernard Shaw     | http://www.mindrot.org

From djm at mindrot.org Sat Sep 16 13:44:15 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 16 Sep 2000 13:44:15 +1100 (EST)
Subject: HP-UX contrib files
In-Reply-To: <200009051413.QAA16477@b0fh.sweden.hp.com>

On Tue, 5 Sep 2000, Kevin Steves wrote:

> Attached is a small tar archive with a start of a contrib/hpux/
> directory. Right now it has a startup/shutdown script.

Thanks, I have added this.

-d

-- 
| ``The power of accurate observation is      | Damien Miller
| commonly called cynicism by those who       | @Work
| have not got it'' - George Bernard Shaw     | http://www.mindrot.org

From djm at mindrot.org Sat Sep 16 13:49:19 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 16 Sep 2000 13:49:19 +1100 (EST)
Subject: [2.2.0p1] patch: generic detection of correct getpgrp() invocation
In-Reply-To: <200009051650.MAA01317@faucon.comm.polymtl.ca>

On Tue, 5 Sep 2000, Charles Levert wrote:

> Hi.
>
> Several OSes have a getpgrp() function that takes an argument, unlike
> what POSIX mandates. NeXT was covered, but SunOS wasn't. This
> provides a generic solution through autoconf.

Thanks - applied.

-d

-- 
| ``The power of accurate observation is      | Damien Miller
| commonly called cynicism by those who       | @Work
| have not got it'' - George Bernard Shaw     | http://www.mindrot.org

From paul at engsoc.carleton.ca Sat Sep 16 14:03:21 2000
From: paul at engsoc.carleton.ca (Paul Nicholas Faure) Date: Fri, 15 Sep 2000 23:03:21 -0400 (EDT) Subject: auth-pam.c support for pam_chauthtok() In-Reply-To: <14783.49641.930739.954333@darkwing.uoregon.edu> Message-ID: Has this patch been added to the main tree of OpenSSH ? It works very very nicely for me. Thank you. On Wed, 13 Sep 2000, Steve VanDevender wrote: > When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users > noticed that it did not honor password expiration consistently with > other Solaris login services. > > The patch below is against OpenSSH 2.2.0p1 and adds support for PAM > password changes on expiration via pam_chauthtok(). A brief summary of > changes: > > auth-pam.c: > * change declaration of pamh to "static pam_handle_t *pamh", remove > unnecessary casts "(pam_handle_t *)" > * fix typo in NEW_AUTHTOK_MSG > * extend pamconv() to support real interactive prompting and display, in > addition to the kludge to feed the user's password into PAM during > initial login > * add function do_pam_chauthtok() to call pam_chauthtok() if needed, > once interactive session has been established > > auth-pam.h: > * add prototype for do_pam_chauthtok() > > session.c: > * add call to do_pam_chauthtok() after print_pam_messages() > > I am subscribed to openssh-unix-dev, so you do not have to copy any list > discussion to me personally. > > =================================================================== > RCS file: RCS/auth-pam.c,v > retrieving revision 1.1 > diff -u -r1.1 auth-pam.c > --- auth-pam.c 2000/09/06 22:29:58 1.1 > +++ auth-pam.c 2000/09/12 19:30:24 > @@ -37,7 +37,7 @@ > RCSID("$Id: auth-pam.c,v 1.1 2000/09/06 22:29:58 stevev Exp stevev $"); > > #define NEW_AUTHTOK_MSG \ > - "Warning: You password has expired, please change it now" > + "Warning: Your password has expired, please change it now" > > /* Callbacks */ > static int pamconv(int num_msg, const struct pam_message **msg, 
> @@ -50,40 +50,72 @@ > pamconv, > NULL > }; > -static struct pam_handle_t *pamh = NULL; > +static pam_handle_t *pamh = NULL; > static const char *pampasswd = NULL; > static char *pam_msg = NULL; > > -/* PAM conversation function. This is really a kludge to get the password */ > -/* into PAM and to pick up any messages generated by PAM into pamconv_msg */ > +/* states for pamconv() */ > +typedef enum { INITIAL_LOGIN, OTHER } pamstates; > +static pamstates pamstate = INITIAL_LOGIN; > +/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */ > +static int password_change_required = 0; > + > +/* > + * PAM conversation function. > + * There are two states this can run in. > + * > + * INITIAL_LOGIN mode simply feeds the password from the client into > + * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output > + * messages with pam_msg_cat(). This is used during initial > + * authentication to bypass the normal PAM password prompt. > + * > + * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase(prompt, 1) > + * and outputs messages to stderr. This mode is used if pam_chauthtok() > + * is called to update expired passwords. 
> + */ > static int pamconv(int num_msg, const struct pam_message **msg, > struct pam_response **resp, void *appdata_ptr) > { > struct pam_response *reply; > int count; > + char buf[1024]; > > /* PAM will free this later */ > reply = malloc(num_msg * sizeof(*reply)); > if (reply == NULL) > return PAM_CONV_ERR; > > - for(count = 0; count < num_msg; count++) { > - switch (msg[count]->msg_style) { > + for (count = 0; count < num_msg; count++) { > + switch ((*msg)[count].msg_style) { > + case PAM_PROMPT_ECHO_ON: > + fputs((*msg)[count].msg, stderr); > + fgets(buf, sizeof(buf), stdin); > + reply[count].resp = xstrdup(buf); > + reply[count].resp_retcode = PAM_SUCCESS; > + break; > case PAM_PROMPT_ECHO_OFF: > - if (pampasswd == NULL) { > - free(reply); > - return PAM_CONV_ERR; > - } > + if (pamstate == INITIAL_LOGIN) { > + if (pampasswd == NULL) { > + free(reply); > + return PAM_CONV_ERR; > + } > + reply[count].resp = xstrdup(pampasswd); > + } else > + reply[count].resp = xstrdup(read_passphrase((*msg)[count].msg, 1)); > reply[count].resp_retcode = PAM_SUCCESS; > - reply[count].resp = xstrdup(pampasswd); > break; > + case PAM_ERROR_MSG: > case PAM_TEXT_INFO: > - reply[count].resp_retcode = PAM_SUCCESS; > + if ((*msg)[count].msg != NULL) { > + if (pamstate == INITIAL_LOGIN) > + pam_msg_cat((*msg)[count].msg); > + else { > + fputs((*msg)[count].msg, stderr); > + fputs("\n", stderr); > + } > + } > reply[count].resp = xstrdup(""); > - > - if (msg[count]->msg != NULL) > - pam_msg_cat(msg[count]->msg); > - > + reply[count].resp_retcode = PAM_SUCCESS; > break; > default: > free(reply); 
> @@ -103,22 +135,22 @@ > > if (pamh != NULL) > { > - pam_retval = pam_close_session((pam_handle_t *)pamh, 0); > + pam_retval = pam_close_session(pamh, 0); > if (pam_retval != PAM_SUCCESS) { > log("Cannot close PAM session: %.200s", > - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); > + PAM_STRERROR(pamh, pam_retval)); > } > > - pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED); > + pam_retval = pam_setcred(pamh, PAM_DELETE_CRED); > if (pam_retval != PAM_SUCCESS) { > debug("Cannot delete credentials: %.200s", > - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); > + PAM_STRERROR(pamh, pam_retval)); > } > > - pam_retval = pam_end((pam_handle_t *)pamh, pam_retval); > + pam_retval = pam_end(pamh, pam_retval); > if (pam_retval != PAM_SUCCESS) { > log("Cannot release PAM authentication: %.200s", > - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); > + PAM_STRERROR(pamh, pam_retval)); > } > } > } > @@ -139,14 +171,15 @@ > > pampasswd = password; > > - pam_retval = pam_authenticate((pam_handle_t *)pamh, 0); > + pamstate = INITIAL_LOGIN; > + pam_retval = pam_authenticate(pamh, 0); > if (pam_retval == PAM_SUCCESS) { > debug("PAM Password authentication accepted for user \"%.100s\"", > pw->pw_name); > return 1; > } else { > debug("PAM Password authentication for \"%.100s\" failed: %s", > - pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); > + pw->pw_name, PAM_STRERROR(pamh, pam_retval)); > return 0; > } > } 
> @@ -157,33 +190,35 @@ > int pam_retval; > > debug("PAM setting rhost to \"%.200s\"", get_canonical_hostname()); > - pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, > + pam_retval = pam_set_item(pamh, PAM_RHOST, > get_canonical_hostname()); > if (pam_retval != PAM_SUCCESS) { > fatal("PAM set rhost failed: %.200s", > - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); > + PAM_STRERROR(pamh, pam_retval)); > } > > if (remote_user != NULL) { > debug("PAM setting ruser to \"%.200s\"", remote_user); > - pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user); > + pam_retval = pam_set_item(pamh, PAM_RUSER, remote_user); > if (pam_retval != PAM_SUCCESS) { > fatal("PAM set ruser failed: %.200s", > - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); > + PAM_STRERROR(pamh, pam_retval)); > } > } > > - pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0); > + pam_retval = pam_acct_mgmt(pamh, 0); > switch (pam_retval) { > case PAM_SUCCESS: > /* This is what we want */ > break; > case PAM_NEW_AUTHTOK_REQD: > pam_msg_cat(NEW_AUTHTOK_MSG); > + /* flag that password change is necessary */ > + password_change_required = 1; > break; > default: > log("PAM rejected by account configuration: %.200s", > - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); > + PAM_STRERROR(pamh, pam_retval)); > return(0); > } 
> > @@ -197,17 +232,17 @@ > > if (ttyname != NULL) { > debug("PAM setting tty to \"%.200s\"", ttyname); > - pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, ttyname); > + pam_retval = pam_set_item(pamh, PAM_TTY, ttyname); > if (pam_retval != PAM_SUCCESS) { > fatal("PAM set tty failed: %.200s", > - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); > + PAM_STRERROR(pamh, pam_retval)); > } > } > > - pam_retval = pam_open_session((pam_handle_t *)pamh, 0); > + pam_retval = pam_open_session(pamh, 0); > if (pam_retval != PAM_SUCCESS) { > fatal("PAM session setup failed: %.200s", > - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); > + PAM_STRERROR(pamh, pam_retval)); > } > } > > @@ -217,10 +252,28 @@ > int pam_retval; > > debug("PAM establishing creds"); > - pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_ESTABLISH_CRED); > + pam_retval = pam_setcred(pamh, PAM_ESTABLISH_CRED); > if (pam_retval != PAM_SUCCESS) { > fatal("PAM setcred failed: %.200s", > - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); > + PAM_STRERROR(pamh, pam_retval)); > + } > +} > + > +/* > + * Have user change authentication token if pam_acct_mgmt() indicated > + * it was expired. This needs to be called after an interactive > + * session is established and the user's pty is connected to > + * stdin/stout/stderr. > + */ > +void do_pam_chauthtok() > +{ > + int pam_retval; > + > + if (password_change_required) { > + pamstate = OTHER; > + do { > + pam_retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); > + } while (pam_retval != PAM_SUCCESS); > } > } 
> > @@ -238,12 +291,11 @@ > > debug("Starting up PAM with username \"%.200s\"", pw->pw_name); > > - pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, > - (pam_handle_t**)&pamh); > + pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, &pamh); > > if (pam_retval != PAM_SUCCESS) { > fatal("PAM initialisation failed: %.200s", > - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); > + PAM_STRERROR(pamh, pam_retval)); > } > > #ifdef PAM_TTY_KLUDGE > @@ -254,10 +306,10 @@ > * not even need one (for tty-less connections) > * Kludge: Set a fake PAM_TTY > */ > - pam_retval = pam_set_item((pam_handle_t *)pamh, PAM_TTY, "ssh"); > + pam_retval = pam_set_item(pamh, PAM_TTY, "ssh"); > if (pam_retval != PAM_SUCCESS) { > fatal("PAM set tty failed: %.200s", > - PAM_STRERROR((pam_handle_t *)pamh, pam_retval)); > + PAM_STRERROR(pamh, pam_retval)); > } > #endif /* PAM_TTY_KLUDGE */ > > @@ -268,7 +320,7 @@ > char **fetch_pam_environment(void) > { > #ifdef HAVE_PAM_GETENVLIST > - return(pam_getenvlist((pam_handle_t *)pamh)); > + return(pam_getenvlist(pamh)); > #else /* HAVE_PAM_GETENVLIST */ > return(NULL); > #endif /* HAVE_PAM_GETENVLIST */ > =================================================================== > RCS file: RCS/auth-pam.h,v > retrieving revision 1.1 > diff -u -r1.1 auth-pam.h > --- auth-pam.h 2000/09/12 02:02:26 1.1 > +++ auth-pam.h 2000/09/12 02:02:41 > @@ -11,5 +11,6 @@ > void do_pam_session(char *username, const char *ttyname); > void do_pam_setcred(); > void print_pam_messages(void); > +void do_pam_chauthtok(); > > #endif /* USE_PAM */ > =================================================================== > RCS file: RCS/session.c,v > retrieving revision 1.1 > diff -u -r1.1 session.c > --- session.c 2000/09/12 00:43:22 1.1 > +++ session.c 2000/09/12 23:58:44 
> @@ -674,6 +674,8 @@ > > #ifdef USE_PAM > print_pam_messages(); > + /* If password change is needed, do it now. */ > + do_pam_chauthtok(); > #endif /* USE_PAM */ > #ifdef WITH_AIXAUTHENTICATE > if (aixloginmsg && *aixloginmsg) > -- Paul Faure paul at paulfaure.com Carleton University Systems Engineer 3rd Year paul at porkchop.org Engsoc Admin/BOG Technical Director paul at engsoc.org From djm at mindrot.org Sat Sep 16 15:31:28 2000 From: djm at mindrot.org (Damien Miller) Date: Sat, 16 Sep 2000 15:31:28 +1100 (EST) Subject: PATCH: HPUX trusted system password checking In-Reply-To: <39B8F4A4.19213.42E3C36@localhost> Message-ID: On Fri, 8 Sep 2000, Dirk De Wachter wrote: > Dear developers, > > The HPUX 10.20 trusted system hack doesn't work yet as intended. > I have adapted the auth-passwd.c file to make it work. > > Please find a context diff file attached to this file. This diff is > against the latest OpenSSH 2.2.0p1 released Sept 2, 2000. Thanks - applied. -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From djm at mindrot.org Sat Sep 16 15:36:49 2000 
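Review bot: in the auth-pam.c patch above, the pamconv() hunk (`@@ -50,40 +50,72 @@`) rewrites every `msg[count]->` as `(*msg)[count].`; the two spellings address different memory once `num_msg > 1` (Solaris-style PAM passes a pointer to an array of structs, Linux-PAM an array of pointers), so the new form works on the Solaris systems the patch targets but reads the wrong `pam_message` under Linux-PAM. Keep the original indexing or make it conditional on the PAM flavour. In the same hunk the new `PAM_PROMPT_ECHO_ON` branch ignores the result of `fgets(buf, sizeof(buf), stdin)` and copies the trailing newline into the reply; on EOF or error free `reply` and return `PAM_CONV_ERR`, and strip the newline before `xstrdup(buf)`.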
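Review bot: the `@@ -217,10 +252,28 @@` hunk's `do { pam_retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); } while (pam_retval != PAM_SUCCESS);` never terminates on a persistent failure: a module that keeps returning `PAM_AUTHTOK_ERR` or `PAM_MAXTRIES`, or `PAM_CONV_ERR` after the client has disconnected and the conversation hits EOF, leaves the sshd child spinning. Bound the number of attempts and `fatal()` when they are exhausted, so a failed change ends the session rather than looping or leaving the expired password in place.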
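Review bot: the session.c hunk (`@@ -674,6 +674,8 @@`) calls `do_pam_chauthtok()` unconditionally after `print_pam_messages()`, while the function's own comment in auth-pam.c says it must only run once an interactive session is established and the pty is attached to stdin/stdout/stderr, because the OTHER conversation state prompts on stdin and writes to stderr. The visible context shows no check for a pty or for a non-interactive command, so an scp or forced-command session whose password has expired would either block on a prompt nobody can answer or see prompt text mixed into the remote program's stream. Gate the call on the interactive case and refuse non-interactive logins outright while `password_change_required` is set, since `do_pam_account()` already admits the account when `pam_acct_mgmt()` returns `PAM_NEW_AUTHTOK_REQD`.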
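Review bot: the auth-pam.h hunk (`@@ -11,5 +11,6 @@`) adds `void do_pam_chauthtok();` as an unprototyped declaration; write it `void do_pam_chauthtok(void);` (and the same in the definition) to match the neighbouring `print_pam_messages(void)` and let the compiler check call sites.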
From: djm at mindrot.org (Damien Miller) Date: Sat, 16 Sep 2000 15:36:49 +1100 (EST) Subject: Problems/patches for BSD/OS 4.0.1 In-Reply-To: <200009112121.RAA06654@thor.sdrc.com> Message-ID: On Mon, 11 Sep 2000, Larry Jones wrote: > Two small problems with 2.2.0p1 on BSD/OS 4.0.1, both involving the > internal entropy collector: > > 1) The ``ls'' commands in ssh_prng_cmds.in all use -n, which isn't valid > on BSD/OS and thus caused them all to fail when fixprogs checked them. > BSD/OS does, however, have a -T flag which gives complete timestamp > information (month, day, year, hour, minute, and second), which seems > like a useful addition. I suspect the configure script should be > enhanced to deal with this, but I don't know enough about configure to > suggest a patch. I have just added commands similar to "ls -alTi /var/log" @PROG_LS@ 0.02 to the prng commands list. > 2) The fixprogs script doesn't reopen the child process's STDIN, STDOUT, > and STDERR correctly. This caused all of the ``tail'' commands in > ssh_prng_cmds to fail because they couldn't write to stdout. Here's a > patch: Applied. How does this help, the patch only adds parentheses? -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From djm at mindrot.org Sat Sep 16 15:39:16 2000
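The entry quoted above, `"ls -alTi /var/log" @PROG_LS@ 0.02`, is in the ssh_prng_cmds format of the internal entropy collector: a quoted command, the program's path (a `@PROG_X@` placeholder in ssh_prng_cmds.in that fixprogs resolves, dropping the line when the program cannot be found, as happened with the `-n` ls lines on BSD/OS), and the estimated bits of usable entropy per byte of output. The parser below is an added example written for this page, not the project's fixprogs or entropy.c; the sample lines and the program map are constructed, and the range check on the rate is my addition.

```python
"""Parser for the ssh_prng_cmds format used by OpenSSH's internal entropy
collector. Each non-comment line is:  "command args" path rate
where `path` is where the program lives (in ssh_prng_cmds.in a @PROG_X@
placeholder that fixprogs fills in, dropping the line when the program is
missing) and `rate` is the estimated bits of usable entropy per byte of
output. Added example with constructed sample data; not the project's own
fixprogs or entropy.c."""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

PLACEHOLDER = re.compile(r"^@PROG_([A-Z0-9_]+)@$")


@dataclass
class PrngCommand:
    path: str         # resolved program path, what execv() would be given
    argv: List[str]   # command line as written; argv[0] stays the bare name
    rate: float       # estimated entropy, bits per byte of output

    def estimated_bits(self, output_len: int) -> float:
        """Entropy credited for `output_len` bytes of this command's output."""
        return self.rate * output_len


def resolve_path(field: str, prog_paths: Dict[str, str]) -> Optional[str]:
    """Map @PROG_LS@ to the configured path for LS; a literal path is kept.
    Returns None when the placeholder names a program we don't have."""
    m = PLACEHOLDER.match(field)
    if m is None:
        return field
    return prog_paths.get(m.group(1))


def parse_prng_cmds(text: str, prog_paths: Dict[str, str]) -> List[PrngCommand]:
    cmds: List[PrngCommand] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        cmd, path_field, rate_str = fields
        rate = float(rate_str)
        # a byte holds at most 8 bits; anything above is a typo, not an estimate
        if not 0.0 <= rate <= 8.0:
            raise ValueError(f"line {lineno}: rate {rate} outside 0..8 bits/byte")
        path = resolve_path(path_field, prog_paths)
        if path is None:
            continue  # program not present on this host: skip, as fixprogs does
        cmds.append(PrngCommand(path, shlex.split(cmd), rate))
    return cmds


# Constructed sample in ssh_prng_cmds.in form; the ls line is the one quoted
# in the thread, the other two are made up for the demonstration.
SAMPLE_PRNG_CMDS = """\
# entropy gathering commands: "program args" path rate
"ls -alTi /var/log"            @PROG_LS@        0.02
"tail -200 /var/log/messages"  @PROG_TAIL@      0.01
"netstat -an"                  @PROG_NETSTAT@   0.05
"""

# Constructed program map, as fixprogs would have found them; NETSTAT is
# deliberately absent so its line is dropped.
SAMPLE_PROGS = {"LS": "/bin/ls", "TAIL": "/usr/bin/tail"}


if __name__ == "__main__":
    for c in parse_prng_cmds(SAMPLE_PRNG_CMDS, SAMPLE_PROGS):
        print(f"{c.path:16s} {' '.join(c.argv):32s} {c.rate:.2f} bits/byte, "
              f"{c.estimated_bits(1000):.1f} bits per 1000 bytes")
```

The conservative rates (hundredths of a bit per byte) are the point: a command whose output is mostly static contributes almost nothing, and a missing program contributes nothing at all rather than an error, which is why the collector needs several commands to fill its pool.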
From: djm at mindrot.org (Damien Miller) Date: Sat, 16 Sep 2000 15:39:16 +1100 (EST) Subject: A very small bug report In-Reply-To: <20000912202154W.tyoshida@gemini.rc.kyushu-u.ac.jp> Message-ID: On Tue, 12 Sep 2000, Takashi YOSHIDA wrote: > Dear mailing list of OpenSSH > > There is a very small bug in openssh-2.1.1p4. > After extracting openssh-2.1.1p4.tar.gz, there is > a file named "openssh.spec" for constructing an > rpm file for SuSE Linux in "openssh-2.1.1p4/contrib/suse/". > A small bug in the "openssh.spec" file brings > about failure in constructing an rpm file. Thanks - the fix shall be included in the next version. Regards, Damien Miller -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From djm at mindrot.org Sat Sep 16 15:49:42 2000 From: djm at mindrot.org (Damien Miller) Date: Sat, 16 Sep 2000 15:49:42 +1100 (EST) Subject: PATCH: HPUX trusted system password checking In-Reply-To: <200009121324.PAA10384@b0fh.sweden.hp.com> Message-ID: On Tue, 12 Sep 2000, Kevin Steves wrote: > Attached is a patch which removes the HAVE_HPUX_TRUSTED_SYSTEM_PW > define, and instead uses __hpux to determine if we're HP-UX and > iscomsec(2) to determine if commercial security/trusted system is > enabled. I have only tested this on HP-UX 11.0 (with --without-pam), > but I think it should work on 10.20. Applied - thanks. -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From djm at mindrot.org Sat Sep 16 16:10:15 2000
From: djm at mindrot.org (Damien Miller) Date: Sat, 16 Sep 2000 16:10:15 +1100 (EST) Subject: auth-pam.c support for pam_chauthtok() In-Reply-To: <14783.49641.930739.954333@darkwing.uoregon.edu> Message-ID: On Wed, 13 Sep 2000, Steve VanDevender wrote: > When we installed OpenSSH 2.1.1p4 on our Solaris systems, our users > noticed that it did not honor password expiration consistently with > other Solaris login services. > > The patch below is against OpenSSH 2.2.0p1 and adds support for PAM > password changes on expiration via pam_chauthtok(). A brief summary of > changes: Thanks - applied. -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From djm at mindrot.org Sat Sep 16 16:16:02 2000 From: djm at mindrot.org (Damien Miller) Date: Sat, 16 Sep 2000 16:16:02 +1100 (EST) Subject: Problems/patches for BSD/OS 4.0.1 In-Reply-To: <200009132135.RAA18004@thor.sdrc.com> Message-ID: On Wed, 13 Sep 2000, Larry Jones wrote: > There's also another problem -- the fake struct sockaddr_storage is not > compatible with struct sockaddr on my system (sockaddr has a byte for > the address family, sockaddr_storage has a short), which leads to all > sorts of interesting, non-obvious failures later. The simplest solution > is to have sockaddr_storage contain an actual sockaddr and use it. Yes - that is much nicer. Applied -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From djm at mindrot.org Sat Sep 16 16:16:37 2000 
From: djm at mindrot.org (Damien Miller) Date: Sat, 16 Sep 2000 16:16:37 +1100 (EST) Subject: Kerberos/AFS options in ssh/sshd while disabling them in configure In-Reply-To: Message-ID: On 14 Sep 2000, Hans Insulander wrote: > The Kerberos4 support works. At least on OpenBSD and Solaris 7. > No Kerberos5 support at the moment. You can use the PAM krb5 module if your system supports it. -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From djm at mindrot.org Sat Sep 16 16:17:30 2000 From: djm at mindrot.org (Damien Miller) Date: Sat, 16 Sep 2000 16:17:30 +1100 (EST) Subject: ListenAddress option. In-Reply-To: Message-ID: On Thu, 14 Sep 2000, Paul Nicholas Faure wrote: > How do I compile OpenSSH so that I can use: > ListenAddress 0.0.0.0 > in my sshd_config file ? > > Currently I get: > [root at dark openssh-2.2.0p1]# sshd -d > debug: sshd version OpenSSH_2.2.0p1 > debug: Seeding random number generator > debug: read DSA private key done > debug: Seeding random number generator > error: getnameinfo failed > fatal: Cannot bind any address. > > if I try to use "ListenAddress 0.0.0.0". If I put in the full ip of the > system that runs OpenSSH server, then it works fine. What platform are you using? -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From djm at mindrot.org Sat Sep 16 16:19:13 2000
From: djm at mindrot.org (Damien Miller) Date: Sat, 16 Sep 2000 16:19:13 +1100 (EST) Subject: SSH using the login binary In-Reply-To: <5D4224BA9743D311BB6E00A0C9F4854F063228AB@KCEXC> Message-ID: On Thu, 14 Sep 2000, Livengood, Edward wrote: > This may not be the place to pose this question so forgive me if I > should send this somewhere else. > > I have noticed that SSH2 appears to check user's password against > the password file without executing login. We are using a security > application that replaces the login binary to perform its own > security checks on login, i.e., it suspends user ids that have failed > to use a successful password. Since SSH2 doesn't use the login > binary that was replaced it bypasses our security product. I was > wondering if this would be difficult to change, and if not where in > the source code I would have to go to make such a change? No need - just put a "UseLogin yes" in the server config file. -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From djm at mindrot.org Sat Sep 16 16:34:19 2000
From: djm at mindrot.org (Damien Miller) Date: Sat, 16 Sep 2000 16:34:19 +1100 (EST) Subject: sftp-server and latest snapshot In-Reply-To: <200009051304.PAA22478@b0fh.sweden.hp.com> Message-ID: On Tue, 5 Sep 2000, Kevin Steves wrote: > Needed to do the following to get sftp-server to compile on HP-UX 11. > Not sure what the right "portable" fix might be. Also, should > sftp-server really be installed in prefix/libexec/ssh/ or just > prefix/libexec/? Quite right. I have changed the behaviour of the makefile so that it properly honours the $(libexec) path rather than appending junk to it. To get the old behaviour back, use --libexecdir=/usr/lib/libexec/ssh or similar. -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From djm at mindrot.org Sat Sep 16 16:37:48 2000
From: djm at mindrot.org (Damien Miller) Date: Sat, 16 Sep 2000 16:37:48 +1100 (EST) Subject: Snapshot Message-ID: Quite a few changes here, please test. http://www.mindrot.org/misc/openssh/openssh-SNAP-20000916.tar.gz -d 20000916 - (djm) New SuSE spec from Corinna Vinschen - (djm) Update CygWin support from Corinna Vinschen - (djm) Use a real struct sockaddr inside the fake struct sockaddr_storage. Patch from Larry Jones - (djm) Add Steve VanDevender's PAM password change patch. - (djm) Bring licenses on my stuff in line with OpenBSD's - (djm) Cleanup auth-passwd.c and unify HP/UX authentication. Patch from Kevin Steves - (djm) Shadow expiry check fix from Pavel Troller - (djm) Re-enable int64_t types - we need them for sftp - (djm) Use libexecdir from configure, rather than libexecdir/ssh - (djm) Update Redhat SPEC file accordingly - (djm) Add Kevin Steves HP/UX contrib files - (djm) Add Charles Levert getpgrp patch - (djm) Fix password auth on HP/UX 10.20. Patch from Dirk De Wachter - (djm) Fixprogs and entropy list fixes from Larry Jones - (djm) Fix for SuSE spec file from Takashi YOSHIDA - (djm) Merge OpenBSD changes: - markus at cvs.openbsd.org 2000/09/05 02:59:57 [session.c] print hostname (not hushlogin) - markus at cvs.openbsd.org 2000/09/05 13:18:48 [authfile.c ssh-add.c] enable ssh-add -d for DSA keys - markus at cvs.openbsd.org 2000/09/05 13:20:49 [sftp-server.c] cleanup - markus at cvs.openbsd.org 2000/09/06 03:46:41 [authfile.h] prototype - deraadt at cvs.openbsd.org 2000/09/07 14:27:56 [ALL] cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate.
- markus at cvs.openbsd.org 2000/09/07 14:40:30 [channels.c channels.h clientloop.c serverloop.c ssh.c] cleanup window and packet sizes for ssh2 flow control; ok niels - markus at cvs.openbsd.org 2000/09/07 14:53:00 [scp.c] typo - markus at cvs.openbsd.org 2000/09/07 15:13:37 [auth-options.c auth-options.h auth-rh-rsa.c auth-rsa.c auth.c] [authfile.h canohost.c channels.h compat.c hostfile.h log.c match.h] [pty.c readconf.c] some more Copyright fixes - markus at cvs.openbsd.org 2000/09/08 03:02:51 [README.openssh2] bye bye - deraadt at cvs.openbsd.org 2000/09/11 18:38:33 [LICENCE cipher.c] a few more comments about it being ARC4 not RC4 - markus at cvs.openbsd.org 2000/09/12 14:53:11 [log-client.c log-server.c log.c ssh.1 ssh.c ssh.h sshd.8 sshd.c] multiple debug levels - markus at cvs.openbsd.org 2000/09/14 14:25:15 [clientloop.c] typo - deraadt at cvs.openbsd.org 2000/09/15 01:13:51 [ssh-agent.c] check return value for setenv(3) for failure, and deal appropriately 20000913 - (djm) Fix server not exiting with jobs in background. 20000905 - (djm) Import OpenBSD CVS changes - markus at cvs.openbsd.org 2000/08/31 15:52:24 [Makefile sshd.8 sshd_config sftp-server.8 sftp-server.c] implement a SFTP server. interops with sftp2, scp2 and the windows client from ssh.com - markus at cvs.openbsd.org 2000/08/31 15:56:03 [README.openssh2] sync - markus at cvs.openbsd.org 2000/08/31 16:05:42 [session.c] Wall - markus at cvs.openbsd.org 2000/08/31 16:09:34 [authfd.c ssh-agent.c] add a flag to SSH2_AGENTC_SIGN_REQUEST for future extensions - deraadt at cvs.openbsd.org 2000/09/01 09:25:13 [scp.1 scp.c] cleanup and fix -S support; stevesk at sweden.hp.com - markus at cvs.openbsd.org 2000/09/01 16:29:32 [sftp-server.c] portability fixes - markus at cvs.openbsd.org 2000/09/01 16:32:41 [sftp-server.c] fix cast; mouring at pconline.com - itojun at cvs.openbsd.org 2000/09/03 09:23:28 [ssh-add.1 ssh.1] add missing .El against .Bl. 
- markus at cvs.openbsd.org 2000/09/04 13:03:41 [session.c] missing close; ok theo - markus at cvs.openbsd.org 2000/09/04 13:07:21 [session.c] fix get_last_login_time order; from andre at van-veen.de - markus at cvs.openbsd.org 2000/09/04 13:10:09 [sftp-server.c] more cast fixes; from mouring at pconline.com - markus at cvs.openbsd.org 2000/09/04 13:06:04 [session.c] set SSH_ORIGINAL_COMMAND; from Leakin at dfw.nostrum.com, bet at rahul.net - (djm) Cleanup after import. Fix sftp-server compilation, Makefile - (djm) Merge cygwin support from Corinna Vinschen 20000903 - (djm) Fix Redhat init script -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From chenda at cs.unc.edu Sat Sep 16 19:34:23 2000 From: chenda at cs.unc.edu (Daniel T. Chen) Date: Sat, 16 Sep 2000 04:34:23 -0400 (EDT) Subject: Snapshot In-Reply-To: Message-ID: openssh-SNAP-20000916.tar.gz compiled and tested okay on x86 SuSE 6.4 w/ OpenSSL-0.9.6-beta1 and the following options: OpenSSH configured has been configured with the following options. User binaries: /usr/local/bin System binaries: /usr/local/sbin Configuration files: /usr/local/etc Askpass program: /usr/local/libexec/ssh/ssh-askpass Manual pages: /usr/local/man/manX PID file: /var/run Random number collection: Device (/dev/urandom) Manpage format: man PAM support: yes KerberosIV support: no AFS support: no S/KEY support: no TCP Wrappers support: yes MD5 password support: yes IP address in $DISPLAY hack: no Use IPv4 by default hack: yes Translate v4 in v6 hack: yes Compiler flags: -g -O2 -Wall -I/usr/local/ssl/include Linker flags: -L/usr/local/ssl/lib -L/usr/local/ssl Libraries: -ldl -lnsl -lz -lutil -lpam -lcrypto -lwrap --- Daniel T. Chen | chenda at cs.unc.edu From stevesk at sweden.hp.com Sat Sep 16 19:42:41 2000 
From: stevesk at sweden.hp.com (Kevin Steves) Date: Sat, 16 Sep 2000 10:42:41 +0200 (METDST) Subject: PATCH: HPUX trusted system password checking In-Reply-To: Message-ID: On Sat, 16 Sep 2000, Damien Miller wrote: > On Fri, 8 Sep 2000, Dirk De Wachter wrote: > > The HPUX 10.20 trusted system hack doesn't work yet as intended. > > I have adapted the auth-passwd.c file to make it work. > > > > Please find a context diff file attached to this file. This diff is > > against the latest OpenSSH 2.2.0p1 released Sept 2, 2000. > > Thanks - applied. My patch was a superset of Dirk's; here's some small cleanup against the 0916 snapshot: --- auth-passwd.c~ Sat Sep 16 06:55:52 2000 +++ auth-passwd.c Sat Sep 16 10:31:00 2000 @@ -114,9 +114,6 @@ #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) struct passwd_adjunct *spw; #endif -# ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW - struct pr_passwd *prpw; -#endif #ifdef WITH_AIXAUTHENTICATE char *authmsg; char *loginmsg; From Lutz.Jaenicke at aet.TU-Cottbus.DE Sat Sep 16 20:01:58 2000 From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Sat, 16 Sep 2000 11:01:58 +0200 Subject: Snapshot In-Reply-To: ; from chenda@cs.unc.edu on Sat, Sep 16, 2000 at 04:34:23AM -0400 References: Message-ID: <20000916110157.A20526@serv01.aet.tu-cottbus.de> On Sat, Sep 16, 2000 at 04:34:23AM -0400, Daniel T. Chen wrote: > openssh-SNAP-20000916.tar.gz compiled and tested okay on x86 SuSE 6.4 w/ > OpenSSL-0.9.6-beta1 and the following options: Did you test with the SSH-2 protocol? It should fail because of a problem that is actually being investigated. This does not affect the "stable" OpenSSL-0.9.5a release. Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From chenda at cs.unc.edu Sat Sep 16 20:08:25 2000 
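Review bot: dropping the `struct pr_passwd *prpw;` declaration in the `HAVE_HPUX_TRUSTED_SYSTEM_PW` block is the right cleanup now that the define is gone, but this hunk covers auth-passwd.c only; check configure.in and acconfig.h for leftover AC_DEFINE/#undef lines for HAVE_HPUX_TRUSTED_SYSTEM_PW and remove them in the same change, otherwise the dead symbol keeps turning up in config.h and invites someone to #ifdef on it again.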
From: chenda at cs.unc.edu (Daniel T. Chen) Date: Sat, 16 Sep 2000 05:08:25 -0400 (EDT) Subject: Snapshot In-Reply-To: <20000916110157.A20526@serv01.aet.tu-cottbus.de> Message-ID: Lutz, Yes, it failed for SSH-2 with "dsa_verify failed for server_host_key". Thanks for the heads up. dtc --- Daniel T. Chen | chenda at cs.unc.edu On Sat, 16 Sep 2000, Lutz Jaenicke wrote: > On Sat, Sep 16, 2000 at 04:34:23AM -0400, Daniel T. Chen wrote: > > openssh-SNAP-20000916.tar.gz compiled and tested okay on x86 SuSE 6.4 w/ > > OpenSSL-0.9.6-beta1 and the following options: > > Did you test with the SSH-2 protocol? It should fail because of a problem > that is actually being investigated. > This does not affect the "stable" OpenSSL-0.9.5a release. > > Best regards, > Lutz > From stevesk at sweden.hp.com Sat Sep 16 20:10:11 2000 
From: stevesk at sweden.hp.com (Kevin Steves) Date: Sat, 16 Sep 2000 11:10:11 +0200 (METDST) Subject: DISABLE_UTMP on HP-UX In-Reply-To: <200009061804.UAA25307@b0fh.sweden.hp.com> Message-ID: On Wed, 6 Sep 2000, Kevin Steves wrote: > This is my analysis having not looked much at loginrec.c before: > > finger -R is looking at ut_addr in the utmp struct for Where. HP-UX > 11.0 has both utmp and utmpx and by default we use the library interface > to write utmp* entries. The problem is that both are used: first > pututline(), then pututxline(). We should use one *or* the other > because pututxline() overwrites pututline() data: > > pututline() Writes out the supplied utmp structure into the > utmp file, translates the supplied utmp structure > into a utmpx structure and writes it to a utmpx > file. > > pututxline() Writes out the supplied utmpx structure into the > utmpx file, translates the supplied utmpx > structure into a utmp structure and writes it to a > utmp file. > > What you see results from the fact that ut_addr isn't set for utmpx > data: > > # ifdef HAVE_ADDR_IN_UTMPX > /* FIXME: (ATL) not supported yet */ > # endif > > If you build with #define DISABLE_UTMPX finger -R works as expected. > However, I think we should use utmpx (longer host names for one), and > it's just a question of when everything is supported. So the best fix I > feel is to define DISABLE_UTMP for 11.0 (and maybe 10.20 though I'm not > using that myself) and finish up utmpx support in loginrec. > > Also, HAVE_ENDUTENT and HAVE_ENDUTXENT are not set in configure; should > they be? Here's a configure fix for what I suggested above, as well as adding addr in utmpx support, which I hope is a "portable" fix (configure checks for the struct member). Also, loginrec works quite well on HP-UX 11. --- configure.in~ Sat Sep 16 06:55:52 2000 +++ configure.in Sat Sep 16 10:52:52 2000
@@ -74,6 +74,7 @@ IPADDR_IN_DISPLAY=yes AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_SHADOW) + AC_DEFINE(DISABLE_UTMP) LIBS="$LIBS -lsec" MANTYPE='$(CATMAN)' mansubdir=cat @@ -83,6 +84,7 @@ IPADDR_IN_DISPLAY=yes AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_SHADOW) + AC_DEFINE(DISABLE_UTMP) LIBS="$LIBS -lsec" MANTYPE='$(CATMAN)' mansubdir=cat --- loginrec.c~ Tue Sep 5 07:13:07 2000 +++ loginrec.c Sat Sep 16 10:57:24 2000 @@ -678,7 +678,9 @@ strncpy(utx->ut_host, li->hostname, MIN_SIZEOF(utx->ut_host, li->hostname)); # endif # ifdef HAVE_ADDR_IN_UTMPX - /* FIXME: (ATL) not supported yet */ + /* this is just a 32-bit IP address */ + if (li->hostaddr.sa.sa_family == AF_INET) + utx->ut_addr = li->hostaddr.sa_in.sin_addr.s_addr; # endif # ifdef HAVE_SYSLEN_IN_UTMPX /* ut_syslen is the length of the utx_host string */ From pekkas at netcore.fi Sat Sep 16 21:20:37 2000 
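Review bot: the two configure.in hunks are byte-identical (`+ AC_DEFINE(DISABLE_UTMP)` beneath `AC_DEFINE(DISABLE_SHADOW)`, then `LIBS="$LIBS -lsec"`), so nothing in the diff shows which HP-UX release each case arm belongs to, and the covering message only argues the change for 11.0 and says "maybe" for 10.20; include the case labels as context, or add a comment in each arm stating why utmp is disabled (pututxline() already rewrites the utmp file, so writing both clobbers ut_addr), so the next person does not re-enable it.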
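Review bot: in the loginrec.c hunk `utx->ut_addr` is assigned only when `li->hostaddr.sa.sa_family == AF_INET` and is otherwise left as is, so an IPv6 or unknown-family client records whatever was in the struct before; add an else branch that zeroes `utx->ut_addr`, or say in the comment that `utx` is memset earlier. The comment "this is just a 32-bit IP address" could also state that the value stays in network byte order, which is what `sin_addr.s_addr` already is.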
From: pekkas at netcore.fi (Pekka Savola) Date: Sat, 16 Sep 2000 13:20:37 +0300 (EEST) Subject: Snapshot In-Reply-To: Message-ID: On Sat, 16 Sep 2000, Damien Miller wrote: > > Quite a few changes here, please test. I noticed a few packaging issues. With Red Hat (and probably SuSE too) spec file, sftp-server is not being installed. Also, if you compile OpenSSH w/ mandir /usr/share/man (RH 7.0 beta and up), the paths will go wrong because %configure will tell it to use /usr/share/man but %files uses /usr/man. These have been replaced by %{_mandir} macro. Both changes done in my patch. More "portability" patches like these could probably go in too, but I think the rest, like %{_bindir} for /usr/bin, are pretty theoretical. Also, sftp-server.8 seems to use an undefined (OpenBSD only?) definition Ox: --- .Sh HISTORY .Nm first appeared in .Ox 2.8 . --- Believe this is trying to hint at OpenBSD 2.8. It shows as: --- HISTORY sftp-server first appeared in --- I couldn't find any other references to .Ox in OpenSSH (cvs or not). Some kind of patch attached. -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" -------------- next part -------------- --- openssh.spec.orig Sat Sep 16 07:39:57 2000 +++ openssh.spec Sat Sep 16 12:59:30 2000 @@ -227,8 +227,8 @@ %doc CREDITS UPGRADING %attr(0755,root,root) /usr/bin/ssh-keygen %attr(0755,root,root) /usr/bin/scp -%attr(0644,root,root) /usr/man/man1/ssh-keygen.1* -%attr(0644,root,root) /usr/man/man1/scp.1* +%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1* +%attr(0644,root,root) %{_mandir}/man1/scp.1* %attr(0755,root,root) %dir /etc/ssh %attr(0755,root,root) %dir /usr/libexec/openssh
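Review bot: this hunk moves only the two man pages to `%{_mandir}` while `/usr/bin/ssh-keygen`, `/usr/bin/scp`, `%dir /etc/ssh` and `%dir /usr/libexec/openssh` in the same %files section stay literal; the message calls `%{_bindir}` theoretical, fine, but note that `%dir /usr/libexec/openssh` is owned here, in the base package's section, while the next hunk installs sftp-server into that directory from `%files server`, so the server subpackage must Require the base package or a server-only install leaves the directory unowned.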
@@ -237,17 +237,19 @@ %attr(4755,root,root) /usr/bin/ssh %attr(0755,root,root) /usr/bin/ssh-agent %attr(0755,root,root) /usr/bin/ssh-add -%attr(0644,root,root) /usr/man/man1/ssh.1* -%attr(0644,root,root) /usr/man/man1/ssh-agent.1* -%attr(0644,root,root) /usr/man/man1/ssh-add.1* +%attr(0644,root,root) %{_mandir}/man1/ssh.1* +%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1* +%attr(0644,root,root) %{_mandir}/man1/ssh-add.1* %attr(0644,root,root) %config(noreplace) /etc/ssh/ssh_config %attr(-,root,root) /usr/bin/slogin -%attr(-,root,root) /usr/man/man1/slogin.1* +%attr(-,root,root) %{_mandir}/man1/slogin.1* %files server %defattr(-,root,root) %attr(0755,root,root) /usr/sbin/sshd -%attr(0644,root,root) /usr/man/man8/sshd.8* +%attr(0755,root,root) /usr/libexec/openssh/sftp-server +%attr(0644,root,root) %{_mandir}/man8/sshd.8* +%attr(0644,root,root) %{_mandir}/man8/sftp-server.8* %attr(0600,root,root) %config(noreplace) /etc/ssh/sshd_config %attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd %attr(0755,root,root) %config /etc/rc.d/init.d/sshd -------------- next part -------------- --- sftp-server.8.orig Sat Sep 16 05:29:10 2000 +++ sftp-server.8 Sat Sep 16 13:03:56 2000 @@ -45,8 +45,7 @@ for more information. .Sh HISTORY .Nm -first appeared in -.Ox 2.8 . +first appeared in OpenBSD 2.8. .Sh AUTHOR Markus Friedl .Sh SEE ALSO From paul at engsoc.carleton.ca Sun Sep 17 02:45:07 2000 
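Review bot: adding `/usr/libexec/openssh/sftp-server` and `%{_mandir}/man8/sftp-server.8*` to `%files server` is the right package, but the binary is only reached through a `Subsystem sftp` line in sshd_config, and that file is `%config(noreplace)` two lines below, so an upgraded host keeps its old config and gets no working sftp; a %post notice or changelog line telling admins to add the Subsystem entry is worth adding. Unrelated to the change but visible in the context: `%attr(4755,root,root) /usr/bin/ssh` ships the client setuid root, which is needed only for rhosts and rhosts-RSA host authentication; if the packaged configuration does not rely on those, 0755 removes a setuid-root binary from every install.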
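Review bot: replacing `.Ox 2.8 .` with the literal "first appeared in OpenBSD 2.8." fixes the rendering on hosts whose mdoc macros lack `.Ox`, but sftp-server.8 is synced from OpenBSD CVS, so this edit is undone on the next merge; the portable tree already has a build-time man page step (the MANTYPE/catman handling in configure.in), and a `.Ox` substitution belongs there so the synced source stays untouched.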
From: paul at engsoc.carleton.ca (Paul Nicholas Faure) Date: Sat, 16 Sep 2000 11:45:07 -0400 (EDT) Subject: ListenAddress option. In-Reply-To: Message-ID: On Sat, 16 Sep 2000, Damien Miller wrote: > On Thu, 14 Sep 2000, Paul Nicholas Faure wrote: > > > How do I compile OpenSSH so that I can use: > > ListenAddress 0.0.0.0 > > in my sshd_config file ? > > > > Currently I get: > > [root at dark openssh-2.2.0p1]# sshd -d > > debug: sshd version OpenSSH_2.2.0p1 > > debug: Seeding random number generator > > debug: read DSA private key done > > debug: Seeding random number generator > > error: getnameinfo failed > > fatal: Cannot bind any address. > > > > if I try to use "ListenAddress 0.0.0.0". If I put in the full ip of the > > system that runs OpenSSH server, then it works fine. > > What platform are you using? RedHat 6.2 The RPMs that I got seem to support "ListenAddress 0.0.0.0" but not if I compile from scratch. Thanks > > -d > > -- Paul Faure paul at paulfaure.com Carleton University Systems Engineer 3rd Year paul at porkchop.org Engsoc Admin/BOG Technical Director paul at engsoc.org From gert at greenie.muc.de Sun Sep 17 03:39:14 2000 
From: gert at greenie.muc.de (Gert Doering) Date: Sat, 16 Sep 2000 18:39:14 +0200 Subject: Problem with --with-ssl-dir In-Reply-To: <20000913214822.A23664@serv01.aet.tu-cottbus.de>; from Lutz Jaenicke on Wed, Sep 13, 2000 at 09:48:22PM +0200 References: <20000913214822.A23664@serv01.aet.tu-cottbus.de> Message-ID: <20000916183914.E1375@greenie.muc.de> Hi, On Wed, Sep 13, 2000 at 09:48:22PM +0200, Lutz Jaenicke wrote: > When specifying --with-ssl-dir=/path/to/ssl, configure will always use > an openssl-library in system locations if there, regardless of the setting. Yes! (I have been bitten by that as well, but hadn't really been able to figure out what was going on in configure). [..] > I recommend to change the precedence to ' $tryssldir "" ', so that I can choose > another OpenSSL library (version) besides the one in the system directory. Strongly seconded - especially for testing this is very useful. gert -- Gert Doering Mobile communications ... right now writing from *Ijmuiden* :-)) From larry.jones at sdrc.com Sun Sep 17 14:42:20 2000 
From: larry.jones at sdrc.com (Larry Jones) Date: Sat, 16 Sep 2000 23:42:20 -0400 (EDT) Subject: Problems/patches for BSD/OS 4.0.1 In-Reply-To: from "Damien Miller" at Sep 16, 0 03:36:49 pm Message-ID: <200009170342.XAA02225@thor.sdrc.com> Damien Miller writes [quoting me]: > > > 2) The fixprogs script doesn't reopen the child process's STDIN, STDOUT, > > and STDERR correctly. This caused all of the ``tail'' commands in > > ssh_prng_cmds to fail because they couldn't write to stdout. Here's a > > patch: > > Applied. How does this help, the patch only adds parentheses? I'm not a perl expert, but it seems that open STDOUT, ">/dev/null"; is parsed as open (STDOUT), ">/dev/null"; rather than open (STDOUT, ">/dev/null"); which seems to be contrary to what the perl manual says, but without the parens, the tail commands all failed with EBADF; with them, it works. -Larry Jones I'm crying because out there he's gone, but he's not gone inside me. -- Calvin From hugh at mail.island.net.au Sun Sep 17 23:46:10 2000 From: hugh at mail.island.net.au (Hugh Blandford) Date: Sun, 17 Sep 2000 23:46:10 +1100 (EST) Subject: configure prob with 2.2.0p1 and FBSD4.1R Message-ID: Hi, I'm getting the: checking for OpenSSL directory... configure: error: Could not find working SSLeay / OpenSSL libraries, please install despite FreeBSD coming with openssl in the base system. I have tried various settings using --with-ssl-dir and still haven't had any luck. Any suggestions would be greatly appreciated. Locate finds the following relevant looking files: /etc/ssl/openssl.cnf /usr/bin/openssl /usr/include/openssl (this is a directory that includes rand.h etc) Therefore any suggestions on what I should be using in my configure command would be appreciated. Thanks, Hugh From stevesk at sweden.hp.com Mon Sep 18 07:08:47 2000
From: stevesk at sweden.hp.com (Kevin Steves) Date: Sun, 17 Sep 2000 22:08:47 +0200 (CEST) Subject: PATCH: HPUX trusted system password checking In-Reply-To: Message-ID: <200009172007.WAA27053@b0fh.sweden.hp.com> On Sat, 16 Sep 2000, Damien Miller wrote: : On Tue, 12 Sep 2000, Kevin Steves wrote: : > Attached is a patch which removes the HAVE_HPUX_TRUSTED_SYSTEM_PW : > define, and instead uses __hpux to determine if we're HP-UX and : > iscomsec(2) to determine if commercial security/trusted system is : > enabled. I have only tested this on HP-UX 11.0 (with --without-pam), : > but I think it should work on 10.20. : : Applied - thanks. Thanks, but there's also the caveat I added: Note that because I define DISABLE_SHADOW the password age check in auth.c that I *think* was getting executed on HP-UX is no longer included. There should probably be an || __hpux to keep that. The password aging support needs work for non-trusted, trusted/shadow and PAM. I'm not sure how best to handle that right now. I'll look at the aging checks again tomorrow or early next week. One challenge for HP-UX is in supporting several configuration combinations: PAM (HP-UX 11.0 only) PAM should deal with trusted/not trusted issues no PAM trusted (10.20 and 11.0) [though code is the same] no PAM not trusted (10.20 and 11.0) [though code is the same] and then UseLogin yes. And there are overlapping checks if I recall; for example I think the existing aging checks in auth.c get executed even if we use PAM though PAM should also verify password aging and locked account criteria. From djm at mindrot.org Mon Sep 18 09:44:53 2000
From: djm at mindrot.org (Damien Miller) Date: Mon, 18 Sep 2000 09:44:53 +1100 (EST) Subject: configure prob with 2.2.0p1 and FBSD4.1R In-Reply-To: Message-ID: On Sun, 17 Sep 2000, Hugh Blandford wrote: > Hi, > > I'm getting the: > > checking for OpenSSL directory... configure: error: Could not find working > SSLeay / OpenSSL libraries, please install You are probably better off going with FreeBSD's official port of OpenSSH. If you really want to use the portable version, have a look at the end of config.log - there should be a more descriptive error message. Regards, Damien Miller -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From pbates at lto.nsw.gov.au Mon Sep 18 17:44:23 2000 
From: pbates at lto.nsw.gov.au (Peter Bates) Date: Mon, 18 Sep 2000 16:44:23 +1000 Subject: OpenSSH 2.2.0p1 + Redhat 6.2 - Problem with scp Message-ID: <9D5F7A73F86BD3119D2200508B4437675E5CAB@svr-mail.syd.lto.gov.aus> Hi, Chances are this is me stuffing something up, but in case it's not, this is my problem. I've just installed the latest port of OpenSSH on a few Redhat 6.2 machines. That is version 2.2.0p1. Everything compiles ok, and using the supplied init and pam files I got openssh working without too much difficulty. In fact it was easier than the commercial versions. I can use ssh to login to remote machines fine, and it all behaves as expected. However, when I try to use scp between the same hosts, I get the following error on the client side: -------------------- [pbates at shaman pbates] >scp ftp.csv pbates at quicksilver: Enter passphrase for DSA key '/home/pbates/.ssh/id_dsa': pbates at 128.1.3.92's password: select: Bad file descriptor lost connection -------------------- Why does this happen? Both the server and client are configured to only run the version 2 protocol, is this a problem? The only info I could find on the wider web / news groups only mentioned this briefly, and offered no solution. Everything seems to be authenticating properly, as I can ssh between the same machines, and syslogd reflects a successful login via pam. The config I am running is default with the only change being to remove support for protocol 1, as we don't use it at our site. I also don't have any .rhosts / shosts files, nor hosts.equiv etc. I tried adding these and configuring openssh to look at them, but that made no difference. Included below are the debug dumps from the client, and the server, trying to transfer a single file, without rhosts type files. Thanks for your time, Peter CLIENT ------------------------------- Executing: host quicksilver, user pbates, command scp -v -t . SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f). debug: Reading configuration data /etc/ssh/ssh_config debug: Applying options for * debug: ssh_connect: getuid 500 geteuid 0 anon 0 debug: Connecting to 128.1.3.92 [128.1.3.92] port 22. debug: Seeding random number generator debug: Allocated local port 950. debug: Connection established. debug: Remote protocol version 2.0, remote software version OpenSSH_2.2.0p1 Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-2.0-OpenSSH_2.2.0p1 debug: send KEXINIT debug: done debug: wait KEXINIT debug: got kexinit: diffie-hellman-group1-sha1 debug: got kexinit: ssh-dss debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug: got kexinit: zlib,none debug: got kexinit: zlib,none debug: got kexinit: debug: got kexinit: debug: first kex follow: 0 debug: reserved: 0 debug: done debug: kex: server->client 3des-cbc hmac-sha1 none debug: kex: client->server 3des-cbc hmac-sha1 none debug: Sending SSH2_MSG_KEXDH_INIT. debug: bits set: 494/1024 debug: Wait SSH2_MSG_KEXDH_REPLY. debug: Got SSH2_MSG_KEXDH_REPLY. debug: Host '128.1.3.92' is known and matches the DSA host key. debug: bits set: 505/1024 debug: len 55 datafellows 0 debug: dsa_verify: signature correct debug: Wait SSH2_MSG_NEWKEYS. debug: GOT SSH2_MSG_NEWKEYS. debug: send SSH2_MSG_NEWKEYS. debug: done: send SSH2_MSG_NEWKEYS. debug: done: KEX2. 
debug: send SSH2_MSG_SERVICE_REQUEST debug: service_accept: ssh-userauth debug: got SSH2_MSG_SERVICE_ACCEPT debug: authentications that can continue: publickey,password debug: try pubkey: /home/pbates/.ssh/id_dsa debug: PEM_read_bio_DSAPrivateKey failed debug: read DSA private key done debug: read DSA private key done debug: sig size 20 20 debug: authentications that can continue: publickey,password debug: ssh-userauth2 successfull debug: fd 4 setting O_NONBLOCK debug: fd 5 setting O_NONBLOCK debug: fd 6 setting O_NONBLOCK debug: channel 0: new [client-session] debug: send channel open 0 debug: Entering interactive session. debug: callback start debug: client_init id 0 arg 0 debug: Sending command: scp -v -t . debug: client_set_session_ident: id 0 debug: callback done debug: channel 0: open confirm rwindow 0 rmax 32768 debug: channel 0: rcvd adjust 16384 debug: channel 0: rcvd ext data 44 debug: channel 0: rcvd ext data 137 debug: channel 0: rcvd ext data 29 debug: callback start debug: client_input_channel_req: rtype exit-status reply 0 debug: callback done debug: channel 0: rcvd eof debug: channel 0: output open -> drain debug: channel 0: rcvd close debug: channel 0: input open -> closed debug: channel 0: close_read debug: channel 0: obuf empty debug: channel 0: output drain -> closed debug: channel 0: close_write debug: channel 0: send close debug: channel 0: full closed2 debug: channel_free: channel 0: status: The following connections are open: #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1) select: Bad file descriptor debug: Transferred: stdin 0, stdout 0, stderr 29 bytes in 0.0 seconds debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 1989.4 debug: Exit status 127 lost connection -------------- SERVER --------------------------- debug: sshd version OpenSSH_2.2.0p1 debug: read DSA private key done debug: Seeding random number generator debug: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. 
debug: Server will not fork when running in debugging mode. Connection from 128.1.16.62 port 950 debug: Client protocol version 2.0; client software version OpenSSH_2.2.0p1 Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-2.0-OpenSSH_2.2.0p1 debug: send KEXINIT debug: done debug: wait KEXINIT debug: got kexinit: diffie-hellman-group1-sha1 debug: got kexinit: ssh-dss debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc debug: got kexinit: 3des-cbc,blowfish-cbc,arcfour,cast128-cbc debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug: got kexinit: none debug: got kexinit: none debug: got kexinit: debug: got kexinit: debug: first kex follow: 0 debug: reserved: 0 debug: done debug: kex: client->server 3des-cbc hmac-sha1 none debug: kex: server->client 3des-cbc hmac-sha1 none debug: Wait SSH2_MSG_KEXDH_INIT. debug: bits set: 505/1024 debug: bits set: 494/1024 debug: sig size 20 20 debug: send SSH2_MSG_NEWKEYS. debug: done: send SSH2_MSG_NEWKEYS. debug: Wait SSH2_MSG_NEWKEYS. debug: GOT SSH2_MSG_NEWKEYS. debug: done: KEX2. debug: userauth-request for user pbates service ssh-connection method none debug: Starting up PAM with username "pbates" Failed none for pbates from 128.1.16.62 port 950 ssh2 debug: userauth-request for user pbates service ssh-connection method publickey DSA authentication refused for pbates: bad ownership or modes for '/home/pbates/.ssh/authorized_keys2'. Failed publickey for pbates from 128.1.16.62 port 950 ssh2 debug: userauth-request for user pbates service ssh-connection method password debug: PAM Password authentication accepted for user "pbates" Could not reverse map address 128.1.16.62. debug: PAM setting rhost to "128.1.16.62" Accepted password for pbates from 128.1.16.62 port 950 ssh2 debug: Entering interactive session for SSH2. 
debug: server_init_dispatch_20 debug: channel_input_open: ctype session rchan 0 win 65536 max 32768 debug: open session debug: channel 0: new [server-session] debug: session_new: init debug: session_new: session 0 debug: session_open: channel 0 debug: session_open: session 0: link with channel 0 debug: confirm session debug: callback start debug: session_by_channel: session 0 channel 0 debug: session_input_channel_req: session 0 channel 0 request exec reply 0 debug: PAM establishing creds debug: fd 7 setting O_NONBLOCK debug: fd 9 setting O_NONBLOCK debug: callback done debug: channel 0: read 44 from efd 9 debug: channel 0: read 137 from efd 9 debug: channel 0: read 29 from efd 9 debug: Received SIGCHLD. debug: session_by_pid: pid 7647 debug: session_exit_message: session 0 channel 0 pid 7647 debug: session_exit_message: release channel 0 debug: channel 0: write failed debug: channel 0: output open -> closed debug: channel 0: close_write debug: session_free: session 0 pid 7647 debug: channel 0: read<=0 rfd 7 len 0 debug: channel 0: read failed debug: channel 0: input open -> drain debug: channel 0: close_read debug: channel 0: input: no drain shortcut debug: channel 0: ibuf empty debug: channel 0: input drain -> closed debug: channel 0: send eof debug: channel 0: read 0 from efd 9 debug: channel 0: closing efd 9 debug: channel 0: send close Connection closed by remote host. debug: Calling cleanup 0x805826c(0x0) debug: Calling cleanup 0x804e78c(0x0) debug: Calling cleanup 0x805d704(0x0) Peter Bates Unix Systems Administrator Department of Information Technology and Management pbates at lto.nsw.gov.au From ust at cert.siemens.de Mon Sep 18 16:45:41 2000 
From: ust at cert.siemens.de (Udo Schweigert)
Date: Mon, 18 Sep 2000 07:45:41 +0200
Subject: configure prob with 2.2.0p1 and FBSD4.1R
In-Reply-To: ; from djm@mindrot.org on Mon, Sep 18, 2000 at 09:44:53AM +1100
References:
Message-ID: <20000918074541.A73976@alaska.cert.siemens.de>

On Mon, Sep 18, 2000 at 09:44:53 +1100, Damien Miller wrote:
> On Sun, 17 Sep 2000, Hugh Blandford wrote:
>
> > Hi,
> >
> > I'm getting the:
> >
> > checking for OpenSSL directory... configure: error: Could not find working
> > SSLeay / OpenSSL libraries, please install
>
> You are probably better off going with FreeBSD's official port of
> OpenSSH.
>
> If you really want to use the portable version, have a look at the end of
> config.log - there should be a more descriptive error message.
>

FreeBSD 4.1 has openssl 0.9.4 which lacks RAND_add and RAND_status. So you have to install the openssl port (version 0.9.5a) first. The OpenSSH port of FreeBSD is (at the moment) not up to date, so I also thought about using the portable version, but have not had the time to do so.

Best regards.
--
Udo Schweigert, Siemens AG | Voice : +49 89 636 42170
ZT IK 3, Siemens CERT | Fax : +49 89 636 41166
D-81730 Muenchen / Germany | email : ust at cert.siemens.de
PGP-2/5 fingerprint | D8 A5 DF 34 EC 87 E8 C6 E2 26 C4 D0 EE 80 36 B2

From a.d.stribblehill at durham.ac.uk Mon Sep 18 19:40:09 2000
From: a.d.stribblehill at durham.ac.uk (Andrew Stribblehill) Date: Mon, 18 Sep 2000 09:40:09 +0100 Subject: scp.1 Message-ID: <20000918094009.A6550@womble.dur.ac.uk> A few people have commented that the synopsis in 'man 1 scp' is a bit difficult for humans to parse. I attach a diff between the distributed version and mine: (I suppose this should really go to the OpenBSD maintainers, but I wanted a little feedback about whether this was better or not.) Thanks, Andrew Stribblehill Systems Programmer, IT Service, University of Durham -------------- next part -------------- --- scp.1- Mon Sep 18 09:29:19 2000 +++ scp.1 Thu Sep 14 17:23:45 2000 @@ -23,22 +23,26 @@ .Op Fl P Ar port .Op Fl c Ar cipher .Op Fl i Ar identity_file -.Sm off +.Ar src1 .Oo -.Op Ar user@ -.Ar host1 No : -.Oc Ns Ar file1 -.Sm on -.Op Ar ... +.Ar ... +.Ar srcN +.Oc +.Ar dest +.Sh DESCRIPTION +.Nm +copies files between hosts on a network. Each +.Ar src +or +.Ar dest +argument is of the form .Sm off .Oo .Op Ar user@ -.Ar host2 No : -.Oc Ar file2 -.Sm on -.Sh DESCRIPTION -.Nm -copies files between hosts on a network. It uses +.Ar host No : +.Oc Ar file +.Sm on . +It uses .Xr ssh 1 for data transfer, and uses the same authentication and provides the same security as @@ -101,6 +105,41 @@ Forces .Nm to use IPv6 addresses only. +.Sh EXAMPLES +Copy file +.Ar src +from the current directory to become file +.Ar dest +on host +.Ar remotehost +.Ns : +.Dl % scp src remotehost:dest +.Pp +Copy files +.Ar src1 +and +.Ar src2 +from hosts +.Ar alpha +and +.Ar beta +(respectively), using your own username, into directory +.Ar dir +on +.Ar omega +.Ns : +.Dl % scp alpha:src1 beta:src2 omega:dir +.Pp +Copy +.Ar src +from account +.Ar ken +on machine +.Ar gamma +into +.Ar dest +in the current working directory: +.Dl % scp ken at gamma:src dest .Sh AUTHORS Timo Rinne and Tatu Ylonen .Sh HISTORY From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Sep 19 01:51:44 2000 
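Review bot: in the DESCRIPTION part of the first hunk the sentence-ending period is emitted as a line containing only `.` after `.Sm on`; in roff a line consisting of just the control character is ignored, so that period will never be printed. Put it on the preceding macro line instead (`.Oc Ar file .`, mdoc recognises trailing punctuation arguments) and keep `.Sm on` on its own line. In the EXAMPLES hunk the last example reads `.Dl % scp ken at gamma:src dest`; that is the list archive's munging of `ken@gamma:src`, so check the `@` is intact in the file that actually gets committed, otherwise the example documents a three-source copy (`ken`, `at`, `gamma:src`) rather than a user@host one.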
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Mon, 18 Sep 2000 16:51:44 +0200
Subject: Snapshot
In-Reply-To: ; from djm@mindrot.org on Sat, Sep 16, 2000 at 04:37:48PM +1100
References:
Message-ID: <20000918165144.A16018@serv01.aet.tu-cottbus.de>

On Sat, Sep 16, 2000 at 04:37:48PM +1100, Damien Miller wrote:
>
> Quite a few changes here, please test.
>
> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000916.tar.gz

HP-UX 10.20 ok (OpenSSL 0.9.5a).

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153

From mdorman at debian.org Tue Sep 19 08:38:04 2000
From: mdorman at debian.org (Michael Alan Dorman)
Date: 18 Sep 2000 17:38:04 -0400
Subject: ssh-agent and ssh2 servers...
Message-ID: <87zol5nzyb.fsf@kate.mallet-assembly.org>

I'm not on the mailing list, so I'd appreciate it if you could cc: me, though I will keep an eye on the archives.

I am running openssh 2.2.0p1 on Debian GNU/Linux. I was pleased to see that 2.2.0p1 had support for DSA keys in the agent, and I have successfully used the v2 protocol to another openssh server with the agent providing authentication.

I am also able to successfully connect to an ssh.com-2.1.0 server using DSA authentication, but the ssh-agent doesn't seem to provide authentication in this instance.

Trying to figure out if this was just my issue or a genuine bug, I found the following comment in the cvs log of ssh-agent.c:

  add SSH2/DSA support to the agent and some other DSA related cleanups.
  (note that we cannot talk to ssh.com's ssh2 agents)

It is not clear to me if this comment is intended to mean that openssh can't talk to the ssh-agent from ssh2 (which wouldn't surprise me a bit), or if it should really read "(note that we cannot talk to ssh.com's ssh2 servers)".

My question may be a result of me misunderstanding how the agent works, but at first glance it would seem that if ssh-agent is able to handle authenticating to another openssh server using the v2 protocol, then it ought to work with an ssh.com server using the v2 protocol.

Could someone clarify whether this is an issue with the openssh agent, or perhaps a bug in what _is_ an older version of ssh.com's ssh? And if it's an issue with the openssh agent, is there any possibility of it being resolved, or does ssh.com's server use some sort of proprietary protocol that makes interoperability impossible?

I appreciate any information anyone can provide.

Mike

From pbates at lto.nsw.gov.au Tue Sep 19 12:26:24 2000
From: pbates at lto.nsw.gov.au (Peter Bates)
Date: Tue, 19 Sep 2000 11:26:24 +1000
Subject: OpenSSH 2.2.0p1 + Redhat 6.2 - Problem with scp
Message-ID: <9D5F7A73F86BD3119D2200508B4437675E5CAD@svr-mail.syd.lto.gov.aus>

After a night's sleep to think about it some more, I've conducted the following extra tests with OpenSSH.

I have a test OpenBSD 2.7 machine that I recently built. The only change from defaults I made was to uncomment the config lines in the server and client files to allow protocols 2 and 1. After transferring my keys I was able to use ssh to login between the OpenBSD and Redhat boxes. This worked in both directions.

When trying scp, I could not connect from OpenBSD to Redhat, but scp from the Redhat machine to OpenBSD works!! To check the sanity of my configs I then copied the OpenBSD config files to Redhat and used those, but this made no difference.

Summary as follows:

SSH:
  Redhat  -> OpenBSD : yes
  OpenBSD -> Redhat  : yes
  Redhat  -> Redhat  : yes

SCP:
  Redhat  -> OpenBSD : yes
  OpenBSD -> Redhat  : no
  Redhat  -> Redhat  : no

This seems to point to a problem in my build of the server side of the OpenSSH port in Linux. The build machines are stock Redhat 6.2 with most of the errata updates applied. No fatal errors, or any noticeable warnings, occurred during the building of openssl or openssh.

Peter Bates
Unix Systems Administrator
Department of Information Technology and Management
pbates at lto.nsw.gov.au

From pbates at lto.nsw.gov.au Tue Sep 19 16:34:03 2000
From: pbates at lto.nsw.gov.au (Peter Bates)
Date: Tue, 19 Sep 2000 15:34:03 +1000
Subject: OpenSSH 2.2.0p1 + Redhat 6.2 - Problem with scp
Message-ID: <9D5F7A73F86BD3119D2200508B4437675E5CB2@svr-mail.syd.lto.gov.aus>

I've kind of fixed the problem. I removed the installed files from the src build I did, and installed the rpm versions of openssl and openssh. Scp now works between all machines. This is with exactly the same config as before.

The src build didn't seem to fail, and indeed everything but the scp functions worked fine. So if anybody knows what I have to do to manually build the packages I would be grateful.

Thanks

Peter Bates
Unix Systems Administrator
Department of Information Technology and Management
pbates at lto.nsw.gov.au

From Markus.Friedl at informatik.uni-erlangen.de Tue Sep 19 20:56:57 2000
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 19 Sep 2000 11:56:57 +0200
Subject: ssh-agent and ssh2 servers...
In-Reply-To: <87zol5nzyb.fsf@kate.mallet-assembly.org>; from mdorman@debian.org on Mon, Sep 18, 2000 at 05:38:04PM -0400
References: <87zol5nzyb.fsf@kate.mallet-assembly.org>
Message-ID: <20000919115657.A19218@faui02.informatik.uni-erlangen.de>

On Mon, Sep 18, 2000 at 05:38:04PM -0400, Michael Alan Dorman wrote:
> I am running openssh 2.2.0p1 on Debian GNU/Linux. I was pleased to
> see that 2.2.0p1 had support for DSA keys in the agent, and I have
> successfully used the v2 protocol to another openssh server with the
> agent providing authentication.

nice.

> I am also able to successfully connect to an ssh.com-2.1.0 server
> using DSA authentication, but the ssh-agent doesn't seem to provide
> authentication in this instance.

the agent currently works only against ssh.com-2.2.0 and 2.3.0, bug compatibility for 2.1.0 and 2.0.13 will come soon, see patch below.

> It is not clear to me if this comment is intended to mean that openssh
> can't talk to the ssh-agent from ssh2 (which wouldn't surprise me a
> bit),

yes, this is true.

> or if it should really read "(note that we cannot talk to
> ssh.com's ssh2 servers)"

nope. see above.

> My question may be a result of me misunderstanding how the agent
> works, but at first glance it would seem that if ssh-agent is able to
> handle authenticating to another openssh server using the v2 protocol,
> then it ought to work with an ssh.com server using the v2 protocol.
>
> Could someone clarify whether this is an issue with the openssh agent,

yes and no.

> or perhaps a bug in what _is_ an older version of ssh.com's ssh?

yes!

> And
> if it's an issue with the openssh agent, is there any possibility of
> it being resolved,

yes.

> or does ssh.com's server use some sort of
> proprietary protocol that makes interoperability impossible?

nope. it's just a bug.
> I appreciate any information anyone can provide. you could try this patch, perhaps you need to hand-edit the results. Index: authfd.c =================================================================== RCS file: /home/markus/cvs/ssh/authfd.c,v retrieving revision 1.27 diff -u -r1.27 authfd.c --- authfd.c 2000/09/07 20:27:49 1.27 +++ authfd.c 2000/09/17 13:31:35 @@ -51,6 +51,7 @@ #include "authfd.h" #include "kex.h" #include "dsa.h" +#include "compat.h" /* helper */ int decode_reply(int type); @@ -360,20 +361,24 @@ unsigned char **sigp, int *lenp, unsigned char *data, int datalen) { + extern int datafellows; Buffer msg; unsigned char *blob; unsigned int blen; - int type; + int type, flags = 0; int ret = -1; if (dsa_make_key_blob(key, &blob, &blen) == 0) return -1; + if (datafellows & SSH_BUG_SIGBLOB) + flags = SSH_AGENT_OLD_SIGNATURE; + buffer_init(&msg); buffer_put_char(&msg, SSH2_AGENTC_SIGN_REQUEST); buffer_put_string(&msg, blob, blen); buffer_put_string(&msg, data, datalen); - buffer_put_int(&msg, 0); /* flags, unused */ + buffer_put_int(&msg, flags); xfree(blob); if (ssh_request_reply(auth, &msg, &msg) == 0) { Index: authfd.h =================================================================== RCS file: /home/markus/cvs/ssh/authfd.h,v retrieving revision 1.11 diff -u -r1.11 authfd.h --- authfd.h 2000/09/07 20:27:49 1.11 +++ authfd.h 2000/09/17 13:31:35 @@ -37,6 +37,9 @@ #define SSH2_AGENTC_REMOVE_IDENTITY 18 #define SSH2_AGENTC_REMOVE_ALL_IDENTITIES 19 +#define SSH_AGENT_OLD_SIGNATURE 0x01 + + typedef struct { int fd; Buffer identities; Index: ssh-agent.c =================================================================== RCS file: /home/markus/cvs/ssh/ssh-agent.c,v retrieving revision 1.35 diff -u -r1.35 ssh-agent.c --- ssh-agent.c 2000/09/07 20:27:54 1.35 +++ ssh-agent.c 2000/09/17 13:31:36 @@ -56,6 +56,7 @@ #include "authfd.h" #include "dsa.h" #include "kex.h" +#include "compat.h" typedef struct { int fd; 
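Review bot: in the authfd.c hunk `extern int datafellows;` is declared inside the signing function's body; since the same hunk adds `#include "compat.h"` at file scope, declare the extern there as well so every function in the file sees one declaration. In the authfd.h hunk `#define SSH_AGENT_OLD_SIGNATURE 0x01` is a wire-protocol flag bit in the flags word of SSH2_AGENTC_SIGN_REQUEST, but with two blank lines after it and no comment it reads like a local constant; a one-line comment saying which message field it belongs to would help the next reader.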
@@ -233,6 +234,7 @@ Key *key, *private; unsigned char *blob, *data, *signature = NULL; unsigned int blen, dlen, slen = 0; + int flags; Buffer msg; int ok = -1; @@ -240,7 +242,10 @@ blob = buffer_get_string(&e->input, &blen); data = buffer_get_string(&e->input, &dlen); - buffer_get_int(&e->input); /* flags, unused */ + + flags = buffer_get_int(&e->input); + if (flags & SSH_AGENT_OLD_SIGNATURE) + datafellows = SSH_BUG_SIGBLOB; key = dsa_key_from_blob(blob, blen); if (key != NULL) {

From mdorman at mallet-assembly.org Wed Sep 20 00:03:52 2000
From: mdorman at mallet-assembly.org (Michael Alan Dorman)
Date: 19 Sep 2000 09:03:52 -0400
Subject: ssh-agent and ssh2 servers...
In-Reply-To: Markus Friedl's message of "Tue, 19 Sep 2000 11:56:57 +0200"
References: <87zol5nzyb.fsf@kate.mallet-assembly.org> <20000919115657.A19218@faui02.informatik.uni-erlangen.de>
Message-ID: <8766nszg7b.fsf@kate.mallet-assembly.org>

Markus Friedl writes:
> the agent currently works only against ssh.com-2.2.0 and 2.3.0, bug
> compatibility for 2.1.0 and 2.0.13 will come soon, see patch below.

Ah. This is wonderful to hear. I'll try the patch, but I'll also try to get the entity currently using the non-free version to change to OpenSSH. :-)

Many thanks, Markus, for a clear explanation and the patch.

Mike.

From mdorman at mallet-assembly.org Wed Sep 20 00:20:14 2000
From: mdorman at mallet-assembly.org (Michael Alan Dorman)
Date: 19 Sep 2000 09:20:14 -0400
Subject: ssh-agent and ssh2 servers...
In-Reply-To: Markus Friedl's message of "Tue, 19 Sep 2000 11:56:57 +0200"
References: <87zol5nzyb.fsf@kate.mallet-assembly.org> <20000919115657.A19218@faui02.informatik.uni-erlangen.de>
Message-ID: <87pum01ptd.fsf@kate.mallet-assembly.org>

Markus Friedl writes:
> you could try this patch, perhaps you need to hand-edit the
> results.

I did have to tweak it a bit, but it works beautifully.

Thanks,
Mike.

From ying.jin.li at ontariopowergeneration.com Wed Sep 20 01:08:50 2000
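Review bot: in the `@@ -240,7 +242,10 @@` hunk of ssh-agent.c, `datafellows = SSH_BUG_SIGBLOB;` is only ever set and never cleared, so once a single client sends SSH_AGENT_OLD_SIGNATURE the long-lived agent keeps producing old-style signature blobs for every later sign request from any client, whether or not that request carries the flag. Derive it per request instead, e.g. `datafellows = (flags & SSH_AGENT_OLD_SIGNATURE) ? SSH_BUG_SIGBLOB : 0;`, and add a comment that `flags` is untrusted input from whoever can reach the agent socket and must only ever select the signature encoding.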
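To make the sign-request exchange from Markus' patch concrete, here is a small Python model of it. This is an added example, not OpenSSH code. It frames agent messages as a uint32 length, one type byte and a payload of SSH strings (uint32 length plus bytes), the way the ssh-agent protocol does; the message numbers 13 and 14 are the standard SSH2_AGENTC_SIGN_REQUEST and SSH2_AGENT_SIGN_RESPONSE values, and SSH_AGENT_OLD_SIGNATURE is the 0x01 from the patch's authfd.h. The toy agent decides per request whether to return the legacy raw 40-byte r||s signature or the "ssh-dss"-plus-blob wrapping that SSH_BUG_SIGBLOB switches off in OpenSSH, instead of latching a process-wide flag. The signature itself is a deterministic HMAC stand-in, labelled as such, because the point is the framing and the flag handling, not DSA.

```python
"""Model of the SSH2 agent sign request (added example, not OpenSSH code).

Framing: uint32 length + one type byte + payload; strings are uint32
length + bytes.  Message numbers 13/14 are the standard agent protocol
values; SSH_AGENT_OLD_SIGNATURE (0x01) comes from the patch's authfd.h.
The signature is an HMAC stand-in (assumption: not a real DSA signature).
"""
import hashlib
import hmac
import struct

SSH2_AGENTC_SIGN_REQUEST = 13
SSH2_AGENT_SIGN_RESPONSE = 14
SSH_AGENT_OLD_SIGNATURE = 0x01


def put_string(b):
    return struct.pack(">I", len(b)) + b


def get_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def frame(msg_type, payload):
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body


def unframe(msg):
    (n,) = struct.unpack_from(">I", msg, 0)
    body = msg[4:4 + n]
    return body[0], body[1:]


def build_sign_request(key_blob, data, flags):
    """Client side: key blob, data to sign, then the uint32 flags word."""
    payload = put_string(key_blob) + put_string(data) + struct.pack(">I", flags)
    return frame(SSH2_AGENTC_SIGN_REQUEST, payload)


class ToyAgent:
    def __init__(self, secret):
        self._secret = secret

    def _raw_signature(self, data):
        # 40 bytes standing in for the DSA r||s pair (not a real signature)
        return hmac.new(self._secret, data, hashlib.sha1).digest() * 2

    def handle(self, msg):
        msg_type, payload = unframe(msg)
        if msg_type != SSH2_AGENTC_SIGN_REQUEST:
            raise ValueError("unexpected agent message %d" % msg_type)
        key_blob, off = get_string(payload, 0)   # a real agent selects the key by this
        data, off = get_string(payload, off)
        (flags,) = struct.unpack_from(">I", payload, off)
        sig = self._raw_signature(data)
        # The encoding is chosen from this request's flags only; nothing is
        # stored on the agent, so the next request starts from a clean slate.
        if flags & SSH_AGENT_OLD_SIGNATURE:
            sigblob = sig                                   # legacy: bare r||s
        else:
            sigblob = put_string(b"ssh-dss") + put_string(sig)  # wrapped form
        return frame(SSH2_AGENT_SIGN_RESPONSE, put_string(sigblob))


def parse_sign_response(msg):
    msg_type, payload = unframe(msg)
    if msg_type != SSH2_AGENT_SIGN_RESPONSE:
        raise ValueError("unexpected agent message %d" % msg_type)
    sigblob, _ = get_string(payload, 0)
    return sigblob


def sign_legacy_then_normal(agent, key_blob, data):
    """Two consecutive requests, legacy flag first; returns both blobs so
    the caller can see the second one is not affected by the first."""
    legacy = parse_sign_response(
        agent.handle(build_sign_request(key_blob, data, SSH_AGENT_OLD_SIGNATURE)))
    normal = parse_sign_response(
        agent.handle(build_sign_request(key_blob, data, 0)))
    return legacy, normal


if __name__ == "__main__":
    a = ToyAgent(b"constructed-secret")
    old, new = sign_legacy_then_normal(a, b"constructed-key-blob", b"constructed-data")
    print(len(old), len(new), new[:11])
```

The second signature is 55 bytes (4+7 for the "ssh-dss" string, 4+40 for the blob) and the first is the bare 40 bytes, even though the legacy request came first; that is the behaviour the review note above asks the real agent to preserve.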
From: ying.jin.li at ontariopowergeneration.com (LI Ying Jin -NUCLEAR)
Date: Tue, 19 Sep 2000 10:08:50 -0400
Subject: OpenSSH 2.2.0p1 + Redhat 6.2 - Problem with scp
Message-ID: <7F0197B71966D31180360008C7CF28C540693F@TORJ>

Peter,

I have quoted the following paragraph from the FAQ of OpenSSH at the website http://www.openssh.com .

  scp must be in the default PATH on both the client and the server. You may need to use the --with-default-path option to specify a custom path to search on the server. This option replaces the default path, so you need to specify all the current directories on your path as well as where you have installed scp. For example:

  ./configure --with-default-path=/bin:/usr/bin:/usr/local/bin:/path/to/scp

I hope that this will help.

Michael Li
Nuclear Analysis Department, Ontario Power Generation Inc.
700 University Avenue, Toronto, Ontario M5G 1X6, CANADA

----------
From: Peter Bates [SMTP:pbates at lto.nsw.gov.au]
Sent: Monday, September 18, 2000 9:26 PM
To: Openssh-Unix-Dev (E-mail)
Subject: Re: OpenSSH 2.2.0p1 + Redhat 6.2 - Problem with scp

After a night's sleep to think about it some more, I've conducted the following extra tests with OpenSSH.

I have a test OpenBSD 2.7 machine that I recently built. The only change from defaults I made was to uncomment the config lines in the server and client files to allow protocols 2 and 1. After transferring my keys I was able to use ssh to login between the OpenBSD and Redhat boxes. This worked in both directions.

When trying scp, I could not connect from OpenBSD to Redhat, but scp from the Redhat machine to OpenBSD works!! To check the sanity of my configs I then copied the OpenBSD config files to Redhat and used those, but this made no difference.

Summary as follows:

SSH:
  Redhat  -> OpenBSD : yes
  OpenBSD -> Redhat  : yes
  Redhat  -> Redhat  : yes

SCP:
  Redhat  -> OpenBSD : yes
  OpenBSD -> Redhat  : no
  Redhat  -> Redhat  : no

This seems to point to a problem in my build of the server side of the OpenSSH port in Linux. The build machines are stock Redhat 6.2 with most of the errata updates applied. No fatal errors, or any noticeable warnings, occurred during the building of openssl or openssh.

Peter Bates
Unix Systems Administrator
Department of Information Technology and Management
pbates at lto.nsw.gov.au

From janfrode at parallab.uib.no Wed Sep 20 01:31:53 2000
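Peter's client dump ends with `debug: Exit status 127`, which is the shell's "command not found" status and is exactly what a server whose default PATH lacks scp returns for `scp -v -t .`; the FAQ paragraph Michael quotes is the fix for that. His server dump also shows a second, unrelated problem, the `bad ownership or modes` refusal of authorized_keys2, which is sshd's StrictModes check. The following Python triage is an added example, not from the thread and not OpenSSH code: it scans constructed copies of those log lines for the two markers, and reproduces the permission check in simplified form (assumption: owner must match and neither the key file nor its directory may be group- or world-writable).

```python
"""Triage for the scp failure pattern in this thread (added example, not
OpenSSH code).

  1. scan client "ssh -v" and server "sshd -d" output for the tell-tale
     lines; exit status 127 means the remote shell could not find scp;
  2. reproduce the "bad ownership or modes" refusal with a simplified
     StrictModes-style check (assumption: owner match, no group/world
     write on the key file and its parent directory).
The log lines are constructed from the dumps in the thread.
"""
import os
import re
import stat
import tempfile

CLIENT_LOG = """\
debug: Sending command: scp -v -t .
debug: channel 0: rcvd ext data 29
select: Bad file descriptor
debug: Exit status 127
lost connection
"""

SERVER_LOG = """\
DSA authentication refused for pbates: bad ownership or modes for '/home/pbates/.ssh/authorized_keys2'.
Failed publickey for pbates from 128.1.16.62 port 950 ssh2
Accepted password for pbates from 128.1.16.62 port 950 ssh2
debug: Received SIGCHLD.
"""

EXIT_RE = re.compile(r"^debug: Exit status (\d+)$")
REFUSED_RE = re.compile(
    r"authentication refused for (\S+): bad ownership or modes for '([^']+)'")


def triage(client_log, server_log):
    """Return human-readable findings derived from the two debug dumps."""
    findings = []
    for line in client_log.splitlines():
        m = EXIT_RE.match(line)
        if m and int(m.group(1)) == 127:
            findings.append(
                "remote command exited 127 (command not found): "
                "scp is not on the server's default PATH")
    for line in server_log.splitlines():
        m = REFUSED_RE.search(line)
        if m:
            findings.append(
                "publickey refused for %s: fix owner/mode of %s"
                % (m.group(1), m.group(2)))
    return findings


def strict_modes_ok(path, uid):
    """Simplified StrictModes check on a key file and its directory."""
    for p in (path, os.path.dirname(path)):
        st = os.stat(p)
        if st.st_uid != uid:
            return False
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return False
    return True


def demo_strict_modes():
    """Build a throwaway ~/.ssh with a world-writable authorized_keys2,
    check it, fix the mode, check again; returns (before, after)."""
    with tempfile.TemporaryDirectory() as home:
        sshdir = os.path.join(home, ".ssh")
        os.mkdir(sshdir, 0o700)
        keyfile = os.path.join(sshdir, "authorized_keys2")
        with open(keyfile, "w") as f:
            f.write("ssh-dss AAAA-constructed-placeholder-key\n")
        os.chmod(keyfile, 0o666)            # the misconfiguration sshd rejects
        before = strict_modes_ok(keyfile, os.getuid())
        os.chmod(keyfile, 0o600)            # the fix
        after = strict_modes_ok(keyfile, os.getuid())
    return before, after


if __name__ == "__main__":
    for finding in triage(CLIENT_LOG, SERVER_LOG):
        print("-", finding)
    print("strict modes before/after fix:", demo_strict_modes())
```

Run against the two dumps the triage reports both findings; the exit-status check is the one that explains the `lost connection`, since with protocol 2 scp the client only ever sees the remote command's exit status, not its stderr reason.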
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Tue, 19 Sep 2000 16:31:53 +0200
Subject: Snapshot
In-Reply-To: ; from djm@mindrot.org on Sat, Sep 16, 2000 at 04:37:48PM +1100
References:
Message-ID: <20000919163153.A13187@ii.uib.no>

On Sat, Sep 16, 2000 at 04:37:48PM +1100, Damien Miller wrote:
>
> Quite a few changes here, please test.
>
> http://www.mindrot.org/misc/openssh/openssh-SNAP-20000916.tar.gz
>

Failed because sftp-server.c didn't define u_int64_t.

cc -g -I/usr/local/include -I/usr/local/ssl/include -I. -I. -DETCDIR=\"/usr/openssh/etc\" -DSSH_PROGRAM=\"/usr/openssh/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/openssh/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c sftp-server.c -o sftp-server.o
"sftp-server.c", line 108: error(1020): identifier "u_int64_t" is undefined
          u_int64_t size;
          ^

9 times this error in sftp-server.c. This was on mips-sgi-irix6.5 with MIPSPro, not gcc.

-jf

From jhuuskon at messi.uku.fi Wed Sep 20 05:20:29 2000
From: jhuuskon at messi.uku.fi (Jarno Huuskonen)
Date: Tue, 19 Sep 2000 21:20:29 +0300
Subject: Protocol 2 remote forwarding patch (again)
In-Reply-To: <20000911204307.A243@folly.informatik.uni-erlangen.de>; from markus.friedl@informatik.uni-erlangen.de on Mon, Sep 11, 2000 at 08:43:07PM +0200
References: <20000823104837.A661@laivuri63.uku.fi> <20000823212936.A20637@folly.informatik.uni-erlangen.de> <20000830144321.B26339@laivuri63.uku.fi> <20000830140610.A29287@faui02.informatik.uni-erlangen.de> <20000902132353.A13112@laivuri63.uku.fi> <20000911204307.A243@folly.informatik.uni-erlangen.de>
Message-ID: <20000919212029.A16040@laivuri63.uku.fi>

Hi,

I'm sending you the little bit of code that I've made to get remote port forwarding working (protocol 2). Unfortunately at the moment I have no time to make any improvements to it. I'll try to explain the changes I've made so hopefully it'll be easier for someone to finish this.

ssh2 CLIENT changes:

ssh.c:
- added init_remote_fwd(void)
- call init_remote_fwd from ssh_session2
- changed channel_request_local_forwarding calls (added one extra parameter) (see below)

channels.c:
- changed channel_request_remote_forwarding:
  - if compat20 send SSH2_MSG_GLOBAL_REQUEST/tcpip-forward (doesn't want a reply from the server because correctly handling all possible cases might be tricky (rekey msgs))
  - protocol1 handle SSH_MSG_FAILURE, because commercial server sends it if portforwarding is not allowed
- added client_forwarded_tcpip_request. It's called when the server sends SSH2_MSG_GLOBAL_REQUEST/forwarded-tcpip (someone connects to the remote socket). This just tries to validate the request and creates a new channel.
channels.h:
- client_forwarded_tcpip_request prototype

clientloop.c:
- modified client_input_channel_open to handle forwarded-tcpip message (just calls client_forwarded_tcpip_request)

ssh2 SERVER changes:

auth2.c:
- modified input_userauth_request: if the user is authenticated as root then user_authenticated_as_root flag is set to true.

channels.c:
- user_authenticated_as_root flag. Server checks this when remote forwarding is requested to see if a reserved port can be forwarded.
- channel_post_port_listener: If the channel type is SSH2_CHANNEL_PORT_LISTENER then sends forwarded-tcpip message (instead of direct-tcpip).
- Added pre/post handlers for the new SSH2_CHANNEL_PORT_LISTENER channel type
- channel_server_global_request: This function handles tcpip-forward/cancel-tcpip-forward messages. (NOTE: handling cancel-tcpip-forward message is untested).
- channel_request_local_forwarding: added ssh2_remote_fwd parameter which is set to true when the server creates remote forward listener. (This is needed so channel_post_port_listener knows to send forwarded-tcpip msg).

channels.h:
- added the new SSH2_CHANNEL_PORT_LISTENER define
- channel_server_global_request prototype
- modified channel_request_local_forwarding prototype: ssh2_remote_fwd param.

serverloop.c:
- added handling of SSH2_MSG_GLOBAL_REQUEST messages (channel_server_global_request)

Stuff that needs more work:
- Test "cancel-tcpip-forward" handling.
- Make logging consistent
- Also some kind of access control for port forwarding might be nice (Is this of any use when users have shell access?)

Cheers,
- Jarno
--
Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi
University of Kuopio - Computer Center | Work: +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169

-------------- next part --------------
diff -u -r openssh-2.2.0p1/auth2.c openssh-2.2.0p1-jh/auth2.c
--- openssh-2.2.0p1/auth2.c Wed Aug 23 03:46:24 2000
+++ openssh-2.2.0p1-jh/auth2.c Tue Sep 19 18:41:43 2000
@@ -65,6 +65,7 @@ extern ServerOptions options; extern unsigned char *session_id2; extern int session_id2_len; +extern int user_authenticated_as_root; /* Jarno: From channels.c */ /* protocol */ @@ -239,6 +240,14 @@ packet_put_char(0); /* XXX partial success, unused */ packet_send(); packet_write_wait(); + } + + /* Jarno: Set the user_authenticated_as_root flag */ + if ( authenticated && pw && pw->pw_uid == (uid_t)0 ) { + user_authenticated_as_root = 1; + } + else { + user_authenticated_as_root = 0; } xfree(service); diff -u -r openssh-2.2.0p1/channels.c openssh-2.2.0p1-jh/channels.c --- openssh-2.2.0p1/channels.c Wed Aug 23 03:46:24 2000 +++ openssh-2.2.0p1-jh/channels.c Tue Sep 19 18:41:43 2000 @@ -56,6 +56,10 @@ */ static Channel *channels = NULL; +int user_authenticated_as_root; /* Set to true if user is root. Checked + * if the user can forward privileged ports + */ + /* * Size of the channel array. All slots of the array must always be * initialized (at least the type field); unused slots are marked with type @@ -586,13 +590,20 @@ "connect from %.200s port %d", c->listening_port, c->path, c->host_port, remote_hostname, remote_port); - newch = channel_new("direct-tcpip", + /* Jarno: If the channel is SSH2 port listener (server) then send + * forwarded-tcpip message. + */ + newch = channel_new( (c->type == SSH2_CHANNEL_PORT_LISTENER) ? + "forwarded-tcpip" : "direct-tcpip", SSH_CHANNEL_OPENING, newsock, newsock, -1, c->local_window_max, c->local_maxpacket, 0, xstrdup(buf)); if (compat20) { packet_start(SSH2_MSG_CHANNEL_OPEN); - packet_put_cstring("direct-tcpip"); + if (c->type == SSH2_CHANNEL_PORT_LISTENER) + packet_put_cstring("forwarded-tcpip"); + else + packet_put_cstring("direct-tcpip"); packet_put_int(newch); packet_put_int(c->local_window_max); packet_put_int(c->local_maxpacket); 
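Review bot: in the auth2.c hunk the root decision is carried by a bare global owned by channels.c (`extern int user_authenticated_as_root; /* Jarno: From channels.c */`) that input_userauth_request rewrites on every request, including failed ones via `else { user_authenticated_as_root = 0; }`; that couples the authentication layer to the channel layer through hidden state that is easy to leave stale. Since the value is only consumed when a tcpip-forward request arrives, pass the authenticated user's uid (or the `pw` itself) to the channels code and let channel_server_global_request check `pw_uid == 0` there, which also removes the else branch.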
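Review bot: in the `@@ -586,13 +590,20 @@` hunk only the channel type string is switched to "forwarded-tcpip"; the CHANNEL_OPEN body that follows it (`packet_put_int(newch)`, window, maxpacket and the type-specific fields after them) is left as it was for direct-tcpip. The two types carry different type-specific data: direct-tcpip sends the host and port to connect to, forwarded-tcpip sends the address and port that were connected to, each followed by the originator address and port. Make sure the continuation of this function emits the listener's bound address and `c->listening_port` for the SSH2_CHANNEL_PORT_LISTENER case, otherwise a conforming client will reject or misroute the open.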
@@ -798,10 +809,12 @@ channel_pre[SSH_CHANNEL_OPEN] = &channel_pre_open_20; channel_pre[SSH_CHANNEL_X11_OPEN] = &channel_pre_x11_open; channel_pre[SSH_CHANNEL_PORT_LISTENER] = &channel_pre_listener; + channel_pre[SSH2_CHANNEL_PORT_LISTENER] = &channel_pre_listener; channel_pre[SSH_CHANNEL_X11_LISTENER] = &channel_pre_listener; channel_post[SSH_CHANNEL_OPEN] = &channel_post_open_2; channel_post[SSH_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; + channel_post[SSH2_CHANNEL_PORT_LISTENER] = &channel_post_port_listener; channel_post[SSH_CHANNEL_X11_LISTENER] = &channel_post_x11_listener; } 
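Review bot: the two new lines index `channel_pre[]` and `channel_post[]` with `SSH2_CHANNEL_PORT_LISTENER`; both are fixed-size tables indexed by channel type, so the value of the new define (added in channels.h, not visible in this hunk) must lie below their bound or these assignments become out-of-bounds writes at init time. Worth a comment next to the define, or a compile-time check, so the next person adding a channel type sees the constraint.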
@@ -1287,6 +1300,97 @@ c->remote_window += adjust; } +/* Jarno Huuskonen: This is called when server receives + * SSH2_MSG_GLOBAL_REQUEST. Handles both "tcpip-forward" and + * "cancel-tcpip-forward" requests. + */ +void +channel_server_global_request(int type, int plen) +{ + char *rtype; + char want_reply; + int success = 0; + + rtype = packet_get_string(NULL); + want_reply = packet_get_char(); + + if ( strcmp(rtype, "tcpip-forward") == 0 ) { + char *address_to_bind; + int port_to_bind; + + address_to_bind = packet_get_string(NULL); + port_to_bind = packet_get_int(); + + /* Check if the client is allowed to forward (this port) */ + if ( port_to_bind < IPPORT_RESERVED && !user_authenticated_as_root ) { + log("User tries to forward privileged port %d", port_to_bind); + packet_send_debug("Requested forwarding of port %d but user is not root.", port_to_bind); + success = 0; + } + else { + /* Start listening on the port */ + channel_request_local_forwarding( port_to_bind, address_to_bind, + port_to_bind, 1, + 1 /* ssh2_remote_fwd*/); + /* NOT REACHED if error (disconnects). + * Note: if error xfree not called + * for address_to_bind + */ + success = 1; + } + + xfree( address_to_bind ); + } + + /* TODO: This is untested !!! create some test code !!!*/ + if ( strcmp(rtype, "cancel-tcpip-forward") == 0 ) { + char *address_to_bind; + int port_to_bind; + int chan; + + address_to_bind = packet_get_string(NULL); + port_to_bind = packet_get_int(); + + /* Lookup the channel listening for this port: + First see if the channel type is SSH2_CHANNEL_PORT_LISTENER and then + compare port/addr. + TODO: Is it safe to use strcmp on address_to_bind ? 
+ */ + for (chan = 0; chan < channels_alloc; chan++) { + if ( channels[chan].type == SSH2_CHANNEL_PORT_LISTENER ) { + if ( channels[chan].listening_port == port_to_bind && + (strcmp(address_to_bind, channels[chan].path) == 0) ) + break; + } + } + + if ( chan < channels_alloc ) { + /* We have a winner --> close the channel*/ + channel_free( channels[chan].self ); + success = 1; + } + else { + debug("Invalid cancel-tcpip-forward request: Couldn't find channel."); + } + xfree( address_to_bind ); + } + + /* Client requested a reply */ + if ( want_reply ) { + if ( success ) { + packet_start(SSH2_MSG_REQUEST_SUCCESS); + } + else { + packet_start(SSH2_MSG_REQUEST_FAILURE); + } + /* Now send the SUCCESS/FAILURE */ + packet_send(); + packet_write_wait(); + } + xfree(rtype); +} + + /* * Stops listening for channels, and removes any unix domain sockets that we * might have. @@ -1304,6 +1408,7 @@ channel_free(i); break; case SSH_CHANNEL_PORT_LISTENER: + case SSH2_CHANNEL_PORT_LISTENER: /* Jarno */ case SSH_CHANNEL_X11_LISTENER: close(channels[i].sock); channel_free(i); @@ -1347,6 +1452,7 @@ case SSH_CHANNEL_FREE: case SSH_CHANNEL_X11_LISTENER: case SSH_CHANNEL_PORT_LISTENER: + case SSH2_CHANNEL_PORT_LISTENER: /* Jarno */ case SSH_CHANNEL_CLOSED: case SSH_CHANNEL_AUTH_SOCKET: continue; @@ -1392,6 +1498,7 @@ case SSH_CHANNEL_FREE: case SSH_CHANNEL_X11_LISTENER: case SSH_CHANNEL_PORT_LISTENER: + case SSH2_CHANNEL_PORT_LISTENER: /* Jarno */ case SSH_CHANNEL_CLOSED: case SSH_CHANNEL_AUTH_SOCKET: continue; @@ -1424,10 +1531,9 @@ * Initiate forwarding of connections to local port "port" through the secure * channel to host:port from remote side. */ - void channel_request_local_forwarding(u_short port, const char *host, - u_short host_port, int gateway_ports) + u_short host_port, int gateway_ports, int ssh2_remote_fwd) { int success, ch, sock, on = 1; struct addrinfo hints, *ai, *aitop; 
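Review bot: in the tcpip-forward branch of channel_server_global_request the call `channel_request_local_forwarding(port_to_bind, address_to_bind, port_to_bind, 1, 1)` stores the client's requested bind address as the channel's path (which the forwarded-tcpip open and the cancel lookup then rely on) but never binds to it: `gateway_ports` is hard-coded to 1, so the listener is opened on all interfaces regardless of what the client asked for and regardless of sshd's GatewayPorts setting. Bind to the requested address, or to loopback unless GatewayPorts permits more, instead. Three smaller points in the same hunk: `port_to_bind` comes straight from `packet_get_int()` and is handed to a `u_short` parameter with only the `< IPPORT_RESERVED` check, so reject values outside 1..65535 first; as the comment admits, a bind failure inside channel_request_local_forwarding is fatal and drops the whole session (and skips the `xfree(address_to_bind)`), where replying SSH2_MSG_REQUEST_FAILURE is the right outcome; and the cancel-tcpip-forward branch calls `channel_free(channels[chan].self)` without `close(channels[chan].sock)`, unlike channel_stop_listening in the `@@ -1304` hunk below which closes before freeing, so every cancelled listener leaks its socket and keeps accepting connections.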
@@ -1494,7 +1600,8 @@ } /* Allocate a channel number for the socket. */ ch = channel_new( - "port listener", SSH_CHANNEL_PORT_LISTENER, + "port listener", + ssh2_remote_fwd ? SSH2_CHANNEL_PORT_LISTENER : SSH_CHANNEL_PORT_LISTENER, sock, sock, -1, CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0, xstrdup("port listener")); 
@@ -1518,38 +1625,149 @@ u_short port_to_connect) { int payload_len; + int type; + int success = 0; + /* Record locally that connection to this host/port is permitted. */ if (num_permitted_opens >= SSH_MAX_FORWARDS_PER_DIRECTION) fatal("channel_request_remote_forwarding: too many forwards"); - permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); - permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; - permitted_opens[num_permitted_opens].listen_port = listen_port; - num_permitted_opens++; - /* Send the forward request to the remote side. */ if (compat20) { const char *address_to_bind = "0.0.0.0"; packet_start(SSH2_MSG_GLOBAL_REQUEST); packet_put_cstring("tcpip-forward"); - packet_put_char(0); /* boolean: want reply */ + + /* Don't ask for a reply because: while waiting for a reply server can + send rekey-msg and handling that correctly might be messy. + Not requesting a reply is not the best solution: We have no way of + know if the server doesn't allow port forwarding. + */ + packet_put_char(0); /* Boolean 1 asks for reply */ packet_put_cstring(address_to_bind); packet_put_int(listen_port); - } else { + packet_send(); + packet_write_wait(); + success = 1; /* Assume that server accepts the request and put the + forward request to permitted_opens */ + + /* + type = packet_read(&payload_len); + switch (type) { + case SSH2_MSG_REQUEST_SUCCESS: + success = 1; + break; + case SSH2_MSG_REQUEST_FAILURE: + log("Warning: Server doesn't do port forwarding."); + break; + default: + packet_disconnect("Protocol error for port forward request: received packet type %d.", type); + } + */ + } + else { + /* Protocol 1 */ packet_start(SSH_CMSG_PORT_FORWARD_REQUEST); packet_put_int(listen_port); packet_put_cstring(host_to_connect); packet_put_int(port_to_connect); packet_send(); packet_write_wait(); - /* - * Wait for response from the remote side. It will send a disconnect - * message on failure, and we will never see it here. 
+ + /* Jarno: Server can send SSH_SMSG_FAILURE if it won't do port + * forwardings. Read the server reply. */ - packet_read_expect(&payload_len, SSH_SMSG_SUCCESS); + type = packet_read(&payload_len); /* Expect reply from server */ + switch (type) { + case SSH_SMSG_SUCCESS: + success = 1; + break; + case SSH_SMSG_FAILURE: + log("Warning: Server doesn't do port forwarding."); + break; + default: + /* Unknown packet */ + packet_disconnect("Protocol error for port forward request: received packet type %d.", type); + } + } + + if ( success ) { + permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host_to_connect); + permitted_opens[num_permitted_opens].port_to_connect = port_to_connect; + permitted_opens[num_permitted_opens].listen_port = listen_port; + num_permitted_opens++; } } +/* Jarno Huuskonen: + * This gets called after ssh client has received + * SSH2_MSG_GLOBAL_REQUEST type "forwarded-tcpip". + * + * returns new channel if OK or NULL for failure. + */ +Channel* +client_forwarded_tcpip_request(const char *request_type, int rchan, + int rwindow, int rmaxpack) +{ + Channel* c = NULL; + int sock; + char *listen_address; /* Remote (server) address that is listening + for the connection */ + int listen_port; + char* originator_address; /* Address of the client connecting to + listen_address */ + int originator_port; /* Client port */ + + unsigned int client_len, connected_len; + + int newch; + int i; + + debug("ssh2 server tries to open forwarded-tcpip channel."); + + /* Get rest of the packet */ + listen_address = packet_get_string(&connected_len); + listen_port = packet_get_int(); + originator_address = packet_get_string(&client_len); + originator_port = packet_get_int(); + packet_done(); + + /* Check if we have requested this remote forwarding + * Note: this is not fool proof, because we don't ask the server to + * acknowledge our remote forward request. 
+ */ + for (i = 0; i= num_permitted_opens ) { + log("Received request to open remote forwarded channel (%d) but the request was denied", rchan); + return NULL; + } + + /* TODO: Somekind of access control ?? + * Maybe tcp_wrappers/username/group based access control ?? + */ + + /* Open socket and allocate a channel for it */ + sock = channel_connect_to(permitted_opens[i].host_to_connect, + permitted_opens[i].port_to_connect); + + if ( sock >= 0 ) { + newch = channel_new("forwarded-tcpip", SSH_CHANNEL_OPEN, + sock, sock, -1, 4*1024, 32*1024, 0, + xstrdup(originator_address)); + c = channel_lookup( newch ); + } + /* client_input_channel_open calls xfree(request_type) Don't call it here */ + xfree(originator_address); + xfree(listen_address); + return c; +} + /* * This is called after receiving CHANNEL_FORWARDING_REQUEST. This initates * listening for the port, and sends back a success reply (or disconnect @@ -1577,7 +1795,10 @@ /* * Initiate forwarding, */ - channel_request_local_forwarding(port, hostname, host_port, gateway_ports); + /* Jarno: The last parameter is used to signal if this is protocol 2 + server listening for remote forward --> false */ + channel_request_local_forwarding(port, hostname, host_port, + gateway_ports, 0); /* Free the argument string. */ xfree(hostname); @@ -1633,12 +1854,12 @@ return sock; } + /* * This is called after receiving PORT_OPEN message. This attempts to * connect to the given host:port, and sends back CHANNEL_OPEN_CONFIRMATION * or CHANNEL_OPEN_FAILURE. */ - void channel_input_port_open(int type, int plen) { @@ -1649,7 +1870,7 @@ /* Get remote channel number. */ remote_channel = packet_get_int(); - + /* Get host name to connect to. */ host = packet_get_string(&host_len); diff -u -r openssh-2.2.0p1/channels.h openssh-2.2.0p1-jh/channels.h --- openssh-2.2.0p1/channels.h Wed Aug 23 03:46:24 2000 +++ openssh-2.2.0p1-jh/channels.h Tue Sep 19 21:12:37 2000 
@@ -15,7 +15,13 @@ #define SSH_CHANNEL_INPUT_DRAINING 8 /* sending remaining data to conn */ #define SSH_CHANNEL_OUTPUT_DRAINING 9 /* sending remaining data to app */ #define SSH_CHANNEL_LARVAL 10 /* larval session */ -#define SSH_CHANNEL_MAX_TYPE 11 +#define SSH2_CHANNEL_PORT_LISTENER 11 /* Jarno: protocol 2 remote port + * listener. (needs different type + * because with protocol 2 remote + * forward the server sends + * forwarded-tcpip (not direct-tcpip) + */ +#define SSH_CHANNEL_MAX_TYPE 12 /* * Data structure for channel data. This is iniailized in channel_allocate @@ -99,8 +105,12 @@ void channel_input_open_failure(int type, int plen); void channel_input_port_open(int type, int plen); void channel_input_window_adjust(int type, int plen); + void channel_input_open(int type, int plen); +/* Jarno Huuskonen: */ +void channel_server_global_request(int type, int plen); + /* Sets specific protocol options. */ void channel_set_options(int hostname_in_open); @@ -157,9 +167,12 @@ * channel to host:port from remote side. This never returns if there was an * error. */ +/* Jarno: Added ssh2_remote_fwd flag. Used when protocol2 server gets + * tcpip-forward request + */ void channel_request_local_forwarding(u_short port, const char *host, - u_short remote_port, int gateway_ports); + u_short remote_port, int gateway_ports, int ssh2_remote_fwd); /* * Initiate forwarding of connections to port "port" on remote host through @@ -170,6 +183,12 @@ void channel_request_remote_forwarding(u_short port, const char *host, u_short remote_port); + +/* Jarno Huuskonen: + */ +Channel * +client_forwarded_tcpip_request(const char *request_type, int rchan, + int rwindow, int rmaxpack); /* * Permits opening to any host/port in SSH_MSG_PORT_OPEN. This is usually diff -u -r openssh-2.2.0p1/clientloop.c openssh-2.2.0p1-jh/clientloop.c --- openssh-2.2.0p1/clientloop.c Wed Aug 23 03:46:24 2000 +++ openssh-2.2.0p1-jh/clientloop.c Tue Sep 19 18:41:43 2000 
@@ -993,6 +993,12 @@ debug("client_input_channel_open: ctype %s rchan %d win %d max %d", ctype, rchan, rwindow, rmaxpack); + /* Jarno: Check if ssh2 server tries to open remote forward channel + */ + if (strcmp(ctype, "forwarded-tcpip") == 0) { + c = client_forwarded_tcpip_request( ctype, rchan, rwindow, rmaxpack ); + } + if (strcmp(ctype, "x11") == 0) { int sock; char *originator; @@ -1035,7 +1041,8 @@ packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); packet_put_int(rchan); packet_put_int(SSH2_OPEN_ADMINISTRATIVELY_PROHIBITED); - packet_put_cstring("bla bla"); + packet_put_cstring("bla bla"); /* TODO: Perhaps a little better + explanation */ packet_put_cstring(""); packet_send(); } diff -u -r openssh-2.2.0p1/serverloop.c openssh-2.2.0p1-jh/serverloop.c --- openssh-2.2.0p1/serverloop.c Tue Jul 11 10:31:38 2000 +++ openssh-2.2.0p1-jh/serverloop.c Tue Sep 19 18:41:43 2000 @@ -723,10 +723,13 @@ /* XXX check permission */ if (no_port_forwarding_flag) { + packet_send_debug("Server configuration rejects port forwardings."); + debug("Port forwarding disabled in server configuration."); xfree(target); xfree(originator); return -1; } + sock = channel_connect_to(target, target_port); xfree(target); xfree(originator); @@ -819,6 +822,7 @@ dispatch_set(SSH2_MSG_CHANNEL_OPEN_FAILURE, &channel_input_open_failure); dispatch_set(SSH2_MSG_CHANNEL_REQUEST, &channel_input_channel_request); dispatch_set(SSH2_MSG_CHANNEL_WINDOW_ADJUST, &channel_input_window_adjust); + dispatch_set(SSH2_MSG_GLOBAL_REQUEST, &channel_server_global_request); } void server_init_dispatch_13() diff -u -r openssh-2.2.0p1/ssh.c openssh-2.2.0p1-jh/ssh.c --- openssh-2.2.0p1/ssh.c Tue Aug 29 03:33:51 2000 +++ openssh-2.2.0p1-jh/ssh.c Tue Sep 19 18:41:43 2000 @@ -834,7 +834,7 @@ channel_request_local_forwarding(options.local_forwards[i].port, options.local_forwards[i].host, options.local_forwards[i].host_port, - options.gateway_ports); + options.gateway_ports, 0); } /* Initiate remote TCP/IP port forwardings. */ 
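Review bot: channel_server_global_request() accepts "tcpip-forward" without consulting no_port_forwarding_flag, although the direct-tcpip path in the serverloop.c hunk of this same patch rejects opens when that flag is set; a client whose key options or sshd configuration forbid forwarding can still make the server bind a listening port. Test the flag before the privileged-port check and answer with SSH2_MSG_REQUEST_FAILURE when it is set. Also, user_authenticated_as_root is neither declared nor assigned in any hunk here; say where it comes from, or pass the root flag into the handler explicitly.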
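Review bot: in the tcpip-forward branch the client's address_to_bind is handed to channel_request_local_forwarding() as its host argument and gateway_ports is hard-coded to 1, so the requested bind address is never used for binding and the listener ends up on all interfaces even when the client asked for a loopback bind (the client half of this patch always sends "0.0.0.0", but other clients send "localhost" or "127.0.0.1"). Bind according to address_to_bind, or at least refuse wildcard binds unless the server permits them. Separately, channels.h still documents channel_request_local_forwarding() as "This never returns if there was an error", which the "NOT REACHED if error (disconnects)" comment relies on: a port that is already in use would drop the whole session instead of producing SSH2_MSG_REQUEST_FAILURE, and leaks address_to_bind as the comment admits. Let the ssh2_remote_fwd case return a status and reply with failure.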
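Review bot: the cancel-tcpip-forward branch frees the matched listener with channel_free(channels[chan].self) but never close()s channels[chan].sock, whereas the SSH2_CHANNEL_PORT_LISTENER case added to channel_stop_listening() in the following hunk closes the socket before channel_free(); unless channel_free() closes descriptors itself, a cancelled forward leaves the port bound. Call close(channels[chan].sock) first, or move the close into channel_free(). The branch is also marked "untested" in the code and needs at least one run against a client that sends the request; the strcmp() against channels[chan].path only matches if path holds the bind address exactly as the client sent it in the original tcpip-forward, which the TODO already questions.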
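Review bot: with want_reply set to 0 and success = 1 assumed, channel_request_remote_forwarding() records the forward in permitted_opens even when the server refused it, and the user never learns that the forward is dead; the commented-out SSH2_MSG_REQUEST_SUCCESS/FAILURE switch is the handling the code wants. Rather than a blocking packet_read() (the rekeying concern in the comment is real), ask for a reply and handle SSH2_MSG_REQUEST_SUCCESS and SSH2_MSG_REQUEST_FAILURE through dispatch_set(), the same mechanism the serverloop.c hunk uses for SSH2_MSG_GLOBAL_REQUEST; the protocol 1 branch already reacts to SSH_SMSG_FAILURE, so both protocols should end up behaving the same. As it stands, type and payload_len are unused in the protocol 2 branch.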
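Review bot: in client_forwarded_tcpip_request() the loop that matches the server's listen_address/listen_port against permitted_opens is mangled in this copy ("for (i = 0; i= num_permitted_opens ) {", with the '<' and the loop body eaten), so the matching condition cannot be reviewed; please repost that part. In the visible code the connect target is taken from permitted_opens[i] rather than from the packet, which is right (the server can only reach targets the user configured), but the window and packet sizes are hard-coded as 4*1024 and 32*1024 where channel_request_local_forwarding() in the same patch uses CHAN_TCP_WINDOW_DEFAULT and CHAN_TCP_PACKET_DEFAULT; use the constants. request_type, rwindow and rmaxpack are unused parameters.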
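Review bot: the clientloop.c hunk adds the forwarded-tcpip case but leaves "bla bla" as the description in the SSH2_MSG_CHANNEL_OPEN_FAILURE that follows (your own TODO); put a real reason there, such as "connect failed", since that string is what shows up on the server side when the client refuses an open. The new strcmp() on "forwarded-tcpip" and the existing one on "x11" are independent ifs; an else if would make it clear that at most one of them assigns c.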
@@ -890,7 +890,25 @@ channel_request_local_forwarding(options.local_forwards[i].port, options.local_forwards[i].host, options.local_forwards[i].host_port, - options.gateway_ports); + options.gateway_ports, 0); + } +} + +/* Jarno Huuskonen: ssh2 client calls this to initiate remote port forwarding + * requests. + */ +void +init_remote_fwd(void) +{ + int i; + for (i = 0; i < options.num_remote_forwards; i++) { + debug("Connections to remote port %d forwarded to local address %.200s:%d", + options.remote_forwards[i].port, + options.remote_forwards[i].host, + options.remote_forwards[i].host_port); + channel_request_remote_forwarding(options.remote_forwards[i].port, + options.remote_forwards[i].host, + options.remote_forwards[i].host_port); } } @@ -972,7 +990,8 @@ /* should be pre-session */ init_local_fwd(); - + init_remote_fwd(); + /* If requested, let ssh continue in the background. */ if (fork_after_authentication_flag) if (daemon(1, 1) < 0) From hh at sidereal.kz Wed Sep 20 10:50:02 2000 
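Review bot: init_remote_fwd() duplicates the per-forward loop that the protocol 1 path in ssh_session() runs under its "Initiate remote TCP/IP port forwardings." comment (the context line closing the previous hunk); have ssh_session() call init_remote_fwd() as well so the debug message and the channel_request_remote_forwarding() call exist once. Note also that channel_request_remote_forwarding() calls fatal("too many forwards") past SSH_MAX_FORWARDS_PER_DIRECTION, so a long -R list now aborts the ssh2 client before the session channel is opened; logging a warning and skipping the excess would be kinder.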
From: hh at sidereal.kz (erich) Date: 19 Sep 2000 23:50:02 -0000 Subject: CryptoCard patch In-Reply-To: (message from Damien Miller on Thu, 14 Sep 2000 22:06:47 +1100 (EST)) References: Message-ID: <20000919235002.9916.qmail@mailhost.sidereal.kz> > > CryptoCard is absolutely not in any way a proprietary authentication > > technology. It is a plain and simple DES ECB encryption of the input, > > using a key which is stored in the device. The first 4 bytes of the > > output are then displayed in hex. In fact, I have also hired someone > > to write a CryptoCard emulator for the Palm Pilot, and the resulting > > code will also be under GPL. Contrast this with RSA, which is in fact > > a proprietary authentication technology, and which OpenSSH supports by > > default. > > I was mistaken about Cryptocard, my apologies. Calling RSA proprietary > is a drawing a bit of a long bow though. Ok, you're right, although it is patented in the US for another 24 hours, I believe... There will probably be some good parties tomorrow. > > Who can I talk to about this? Should I send it to the OpenBSD core > > team? > > There are several on the list, otherwise you can contact them direct at > openssh at openbsd.org. I sent email to that list. I'm not on this mailing list, so I couldn't participate in any discussion. I'm willing to have this thing modified in any way necessary to have it included in the official distribution. I'm going to be doing a lot of hiring contractors to do open source work, although it will be very frustrating if I can't get stuff put back into the distributions. I could have bought the commercial F-secure server, which already has CryptoCard support built in, but instead I thought I would spend the money on hiring someone to put it into the superior open source product. You can imagine that I am a little frustrated that my contribution was rejected. Thanks, e From bfriday at LaSierra.edu Wed Sep 20 11:15:04 2000 
From: bfriday at LaSierra.edu (Brian Friday) Date: Tue, 19 Sep 2000 17:15:04 -0700 (PDT) Subject: CryptoCard patch In-Reply-To: <20000919235002.9916.qmail@mailhost.sidereal.kz> Message-ID: On 19 Sep 2000, erich wrote: > > I was mistaken about Cryptocard, my apologies. Calling RSA proprietary > > is a drawing a bit of a long bow though. > > Ok, you're right, although it is patented in the US for another 24 > hours, I believe... There will probably be some good parties > tomorrow. Actually RSA dropped its patent rights (or maybe released is a better name for it) for RSA encryption as of September 6th... So the parties were held a bit early this year ^_^ Sincerely, Brian Friday Systems Administrator La Sierra University (909) 785-2554 x2 From djm at mindrot.org Wed Sep 20 11:18:57 2000 From: djm at mindrot.org (Damien Miller) Date: Wed, 20 Sep 2000 11:18:57 +1100 (EST) Subject: CryptoCard patch In-Reply-To: Message-ID: On Tue, 19 Sep 2000, Brian Friday wrote: > > > I was mistaken about Cryptocard, my apologies. Calling RSA proprietary > > > is a drawing a bit of a long bow though. > > > > Ok, you're right, although it is patented in the US for another 24 > > hours, I believe... There will probably be some good parties > > tomorrow. > > Actually RSA dropped its patent rights (or maybe released is a better name > for it) for RSA encryption as of September 6th... RSA was never patented in Australia at all :) -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From djm at mindrot.org Wed Sep 20 12:14:58 2000 
From: djm at mindrot.org (Damien Miller) Date: Wed, 20 Sep 2000 12:14:58 +1100 (EST) Subject: CryptoCard patch In-Reply-To: <20000919235002.9916.qmail@mailhost.sidereal.kz> Message-ID: On 19 Sep 2000, erich wrote: > > There are several on the list, otherwise you can contact them direct at > > openssh at openbsd.org. > > I sent email to that list. I'm not on this mailing list, so I > couldn't participate in any discussion. I'm willing to have this > thing modified in any way necessary to have it included in the > official distribution. > > I'm going to be doing a lot of hiring contractors to do open source > work, although it will be very frustrating if I can't get stuff put > back into the distributions. I could have bought the commercial > F-secure server, which already has CryptoCard support built in, but > instead I thought I would spend the money on hiring someone to put it > into the superior open source product. You can imagine that I am a > little frustrated that my contribution was rejected. I can understand why you feel that way, but appreciate our position: The portable version is just that - a port of OpenSSH as released by the OpenBSD team to other operating systems. The only new features relate to correct operation on the target systems: entropy collection, native authentication, etc. Unless we want multiple, incompatible versions (which we don't), it makes more sense for the changes to happen at the upstream end. A further complicating factor is the fact that SSH2 is currently in the standardisation process (though I think interactive auth is already covered by the drafts). If you want to sponsor further work on OpenSSH (and we certainly hope that you do!), you would be well advised to contact Markus Friedl before you start to determine the best way to work together. He may even be willing to do the development himself - Markus has done more work on OpenSSH than anyone else. 
-d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From hh at sidereal.kz Wed Sep 20 12:27:12 2000 
From: hh at sidereal.kz (erich) Date: 20 Sep 2000 01:27:12 -0000 Subject: CryptoCard patch In-Reply-To: (message from Damien Miller on Wed, 20 Sep 2000 12:14:58 +1100 (EST)) References: Message-ID: <20000920012712.13347.qmail@mailhost.sidereal.kz> > I can understand why you feel that way, but appreciate our position: > The portable version is just that - a port of OpenSSH as released by > the OpenBSD team to other operating systems. The only new features > relate to correct operation on the target systems: entropy collection, > native authentication, etc. Yes, I understand that, and when our system launches, it will be running under OpenBSD, so I'll want to have CryptoCard support in the "native" OpenSSH anyway. > Unless we want multiple, incompatible versions (which we don't), it Yes, multiple incompatible versions would be very bad. It will also be bad if there are branches in the tree, particularly silly branches like a CryptoCard branch. > If you want to sponsor further work on OpenSSH (and we certainly > hope that you do!), you would be well advised to contact Markus > Friedl before you start > to determine the best way to work together. He may even be willing > to do the development himself - Markus has done more work on OpenSSH > than anyone else. I very much want to sponsor further work on OpenSSH (and also OpenBSD), and I have a few more features that I need for myself, which will also be beneficial to others. The #1 of these projects would be CryptoCard support in the SSH2 protocol. I would also like to sponsor someone to write a free Windows implementation of SSH2, perhaps based on PuTTY (which seems like quite a good program). I will contact Markus. I would be very very happy to tell my contractor, and Markus, "I want CryptoCard support in OpenSSH, protocols SSH1 and SSH2. Markus, please tell Igmar what needs to be done. Igmar, please send me the bill. Markus, please put Igmar's code into your release." I have CC:'ed this to Markus and Igmar. 
Thanks, e From randolf at skerka.de Wed Sep 20 23:07:58 2000 From: randolf at skerka.de (Randolf Skerka) Date: Wed, 20 Sep 2000 14:07:58 +0200 Subject: Problems with UseLogin yes on Solaris Message-ID: <39C8A89E.1948F356@skerka.de> Hi all! I've searched all the maillists but can't find a solution. I have problems using the "UseLogin yes" parameter of sshd. When I enable the feature I got: <> I need the local login binary, because of enhanced login policies, sshd is not able to handle. - OpenSSH-2.2.0p1 - Solaris 2.6/2.7 Randolf -- +---------------------------------------------------------------------+ | Randolf Skerka +49-172-5440058 http://www.randolf.org | +---------------------------------------------------------------------+ From i.palsenberg at jdimedia.nl Thu Sep 21 00:39:48 2000 
From: i.palsenberg at jdimedia.nl (Igmar Palsenberg) Date: Wed, 20 Sep 2000 15:39:48 +0200 (CEST) Subject: CryptoCard patch In-Reply-To: <20000920012712.13347.qmail@mailhost.sidereal.kz> Message-ID: On 20 Sep 2000, erich wrote: > > I can understand why you feel that way, but appreciate our position: > > The portable version is just that - a port of OpenSSH as released by > > the OpenBSD team to other operating systems. The only new features > > relate to correct operation on the target systems: entropy collection, > > native authentication, etc. > > Yes, I understand that, and when our system launches, it will be > running under OpenBSD, so I'll want to have CryptoCard support in the > "native" OpenSSH anyway. > > > Unless we want multiple, incompatible versions (which we don't), it > > Yes, multiple incompatible versions would be very bad. It will also > be bad if there are branches in the tree, particularly silly branches > like a CryptoCard branch. I don't see what the problem is in this case. The CryptoCard (X9.9) case isn't any different than for example S/Key. It's just another method, that is widely supported. > > If you want to sponsor further work on OpenSSH (and we certainly > > hope that you do!), you would be well advised to contact Markus > > Friedl before you start > > to determine the best way to work together. He may even be willing > > to do the development himself - Markus has done more work on OpenSSH > > than anyone else. > > I very much want to sponsor further work on OpenSSH (and also > OpenBSD), and I have a few more features that I need for myself, which > will also be beneficial to others. The #1 of these projects would be > CryptoCard support in the SSH2 protocol. I would also like to sponsor > someone to write a free Windows implementation of SSH2, perhaps based > on PuTTY (which seems like quite a good program). > > I will contact Markus. 
I would be very very happy to tell my > contractor, and Markus, "I want CryptoCard support in OpenSSH, > protocols SSH1 and SSH2. Markus, please tell Igmar what needs to be > done. Igmar, please send me the bill. Markus, please put Igmar's > code into your release." I agree on that one. I would be happy to do the work, and work with Markus to integrate it in the OpenSSH port. Regards, Igmar -- -- Igmar Palsenberg JDI Media Solutions Jansplaats 11 6811 GB Arnhem The Netherlands mailto: i.palsenberg at jdimedia.nl PGP/GPG key : http://www.jdimedia.nl/formulier/pgp/igmar From Mark.Wallace at osd.mil Thu Sep 21 01:04:21 2000 
From: Mark.Wallace at osd.mil (Wallace, Mark, CTR, OSD/ATL) Date: Wed, 20 Sep 2000 10:04:21 -0400 Subject: Performance hits from seeding the random number generator Message-ID: <378C49974B36D411A585009027E59E6F09C6D8@osdn1.osd.mil> What kind of connection delays are people seeing with Ossh 2.2.0p1?? One of the programmers here is seeing delays of up to 25s, which is clearly unacceptable. He's localized the problem to seeding the random number generator - it appears that the _minimum_ number of commands needed to seed the random number generator is 16. On his hosts (for a variety of reasons), many of those commands time out. We're reconfiguring OSSH to avoid the commands that time out, but we've also considered alternate methods of seeding the random number generator. One of our other folks has written a function that produces random output for another program. It has been subjected to some informal statistical analysis, and we're considering using it to seed the random number generator, rather than the current method - if it works, I'll see about releasing the code. Since it will be compiled code vice 16+ fork/exec calls, it should be much faster. However, I'd like to know if the current seed method has been subjected to any formal analysis (if so, I'd like to submit our function to the same analysis). Mark Wallace From Pete.Chown at skygate.co.uk Thu Sep 21 02:47:23 2000 
From: Pete.Chown at skygate.co.uk (Pete Chown) Date: Wed, 20 Sep 2000 16:47:23 +0100 Subject: Performance hits from seeding the random number generator In-Reply-To: <378C49974B36D411A585009027E59E6F09C6D8@osdn1.osd.mil>; from Mark.Wallace@osd.mil on Wed, Sep 20, 2000 at 10:04:21AM -0400 References: <378C49974B36D411A585009027E59E6F09C6D8@osdn1.osd.mil> Message-ID: <20000920164723.B3456@hyena.skygate.co.uk> Wallace, Mark, CTR, OSD/ATL wrote: > One of our other folks has written a function that produces random output > for another program. It has been subjected to some informal statistical > analysis ... Statistical randomness is only one requirement for cryptographic systems. You also don't want output from the random number generator to be predictable, given old data and the state of the system. For example, the typical C library rand() function passes statistical tests up to a point, but is also completely predictable. If your random function satisfies this then it could be worth using. Otherwise using it would probably compromise your security. -- Pete From stevesk at sweden.hp.com Thu Sep 21 03:05:29 2000 
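The distinction Pete draws above, as an added example (this is not code from OpenSSH or from anyone on this thread): a generator whose output passes a simple frequency test but whose state an observer can recover from a few outputs and then predict exactly. The generator is the classic ANSI C reference rand(), a 32-bit linear congruential generator that exposes 15 bits of state per call; the constants, the 16-bit brute force, and the names toy_rand, ones_fraction, predict_next and attack_succeeds are this example's own assumptions, not a description of any particular libc.

```c
/*
 * Added example: "statistically random" is not "unpredictable".
 * toy_rand() is the ANSI C reference rand() LCG (assumption: your libc may
 * differ). ones_fraction() is the kind of crude statistical check a homemade
 * generator is often judged by; predict_next() is what an attacker does.
 */
#include <stdint.h>
#include <stdio.h>

#define LCG_A 1103515245u
#define LCG_C 12345u
#define OUT_BITS 15            /* toy_rand() exposes 15 of the 32 state bits */

/* One step of the 32-bit LCG; wraps modulo 2^32. */
static uint32_t lcg_step(uint32_t s)
{
    return s * LCG_A + LCG_C;
}

/* Advances *state and returns the next 15-bit output, like rand(). */
uint32_t toy_rand(uint32_t *state)
{
    *state = lcg_step(*state);
    return (*state >> 16) & 0x7fffu;
}

/* Frequency test: fraction of 1 bits over n outputs. Close to 0.5 here,
 * i.e. the generator "looks random" to a test of this kind. */
double ones_fraction(uint32_t seed, int n)
{
    uint32_t s = seed;
    long ones = 0;
    for (int i = 0; i < n; i++) {
        uint32_t r = toy_rand(&s);
        for (int b = 0; b < OUT_BITS; b++)
            ones += (r >> b) & 1u;
    }
    return (double)ones / ((double)n * OUT_BITS);
}

/*
 * Prediction attack. seen[0..n-1] are n consecutive outputs (n >= 2) the
 * attacker observed. seen[0] fixes bits 16..30 of the state; the 16 low bits
 * are brute-forced and each candidate is checked against seen[1..n-1].
 * Bit 31 is not enumerated: it is unobservable and, because carries in
 * s*A+C mod 2^32 only move upward, it never influences any later output.
 * Returns the predicted next output, or -1 if no or several candidates fit.
 */
long predict_next(const uint32_t *seen, int n)
{
    long prediction = -1;
    if (n < 2)
        return -1;
    for (uint32_t lo = 0; lo < 0x10000u; lo++) {
        uint32_t s = (seen[0] << 16) | lo;
        int ok = 1;
        for (int i = 1; i < n && ok; i++)
            ok = (toy_rand(&s) == seen[i]);
        if (!ok)
            continue;
        long next = (long)toy_rand(&s);
        if (prediction == -1)
            prediction = next;
        else if (prediction != next)
            return -1;             /* ambiguous: observe more outputs */
    }
    return prediction;
}

/* End-to-end check: let the attacker see `observed` outputs from a fresh
 * generator and return 1 if the prediction equals the real next output. */
int attack_succeeds(uint32_t seed, int observed)
{
    uint32_t seen[16];
    uint32_t s = seed;
    if (observed < 2 || observed > 16)
        return 0;
    for (int i = 0; i < observed; i++)
        seen[i] = toy_rand(&s);
    return predict_next(seen, observed) == (long)toy_rand(&s);
}

int main(void)
{
    printf("fraction of 1 bits over 20000 outputs: %.4f\n",
           ones_fraction(1u, 20000));
    printf("prediction from 4 observed outputs: %s\n",
           attack_succeeds(0xdeadbeefu, 4) ? "correct" : "wrong");
    return 0;
}
```

The brute force is 65536 candidates, i.e. instantaneous; a real seed source has to be judged on how much of its state an observer can reconstruct, not on how uniform its output looks.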
From: stevesk at sweden.hp.com (Kevin Steves) Date: Wed, 20 Sep 2000 18:05:29 +0200 (CEST) Subject: password aging and account lock checks Message-ID: <200009201603.SAA08752@b0fh.sweden.hp.com> I'm looking at the password aging and account lock checks in auth.c:allowed_user(), and specifically their behaviour on HP-UX. First, should this code be ifdef'd away if we're using PAM? Next: /* Check account expiry */ if ((spw->sp_expire > 0) && (days > spw->sp_expire)) return 0; If I lock an account by entering too many incorrect passwords, sp_expire does not change (it stays at -1). From the comment in the man page, I would expect it to be set to 0, but even then the code above would not catch it. long sp_expire; /* # of days from 1/1/70 when account is locked */ If I lock an account with passwd -l sp_expire is still -1. I tried this on Solaris as well and it seems sp_expire is only for account expiration. The solution on HP-UX 10.20 and 11.0 is to use the getprpw(3) interface. And: /* Check password expiry */ if ((spw->sp_lstchg > 0) && (spw->sp_max > 0) && (days > (spw->sp_lstchg + spw->sp_max))) return 0; If I expire a password with passwd -f: -f Force user to change password upon next login by expiring the current password. sp_lastchg is set to 0. The above code does not catch that. So it seems we want something like this (untested): /* Check password expiry */ if (spw->sp_lstchg == 0 || (spw->sp_max > 0 && days > spw->sp_lstchg + spw->sp_max)) { debug("Password for user \"%.200s\" expired", pw->pw_name); return 0; } And there are no aging checks if you're not shadow/trusted. On HP-UX at least, you can also age passwords without being configured as a trusted system. And we need to provide a way to change an expired password. I'd like to look at building a password abstraction layer where all the platform dependent password code resides. 
This includes various interfaces to shadow and protected password information, password aging, and password formats (crypt(), bigcrypt(), MD5). This will serve to clean up auth-passwd.c and auth.c and probably some other stuff. Is this a good direction? From stevesk at sweden.hp.com Thu Sep 21 03:13:43 2000 From: stevesk at sweden.hp.com (Kevin Steves) Date: Wed, 20 Sep 2000 18:13:43 +0200 (CEST) Subject: Snapshot In-Reply-To: Message-ID: <200009201611.SAA10319@b0fh.sweden.hp.com> On Sat, 16 Sep 2000, Damien Miller wrote: : - (djm) Add Steve VanDevender's PAM : password change patch. On HP-UX 11.0, pam_acct_mgmt() returns PAM_AUTHTOK_EXPIRED when I expire a password with passwd -f: #define PAM_AUTHTOK_EXPIRED 18 /* Password expired and no longer */ /* usable */ The code wants PAM_NEW_AUTHTOK_REQD. Is this a bug in HP-UX? Also, I submitted a patch a while back to auth-pam.c that added the pam_retval to the error/debugging messages like so: log("PAM rejected by account configuration [%d]: %.200s", pam_retval, PAM_STRERROR(pamh, pam_retval)); This makes debugging PAM a bit easier; any chance we could get that in? I can create a new patch against the latest auth-pam.c. From mouring at pconline.com Thu Sep 21 04:05:52 2000 From: mouring at pconline.com (Ben Lindstrom) Date: Wed, 20 Sep 2000 12:05:52 -0500 (CDT) Subject: [PATCH] NextStep (Re: Snapshot) In-Reply-To: <200009201611.SAA10319@b0fh.sweden.hp.com> Message-ID: With the change in GETPGRP_VOID a few tweaks have to occur. They are attached. For those using NeXT port.. sftp-server is broken. I'm attempting to track down what I think is sftp-server core dumping. It compiles however.=) Ben Lindstrom -------------- next part -------------- --- defines.h.orig Wed Sep 20 11:46:33 2000 +++ defines.h Wed Sep 20 11:45:39 2000 
@@ -34,6 +34,9 @@ #ifdef HAVE_SYS_STAT_H # include /* For S_* constants and macros */ #endif +#ifdef HAVE_NEXT +# include +#endif #include /* For STDIN_FILENO, etc */ --- next-posix.h.orig Wed Sep 20 11:46:47 2000 +++ next-posix.h Wed Sep 20 11:45:39 2000 @@ -7,7 +7,6 @@ #ifdef HAVE_NEXT -#include #include /* readdir() returns struct direct (BSD) not struct dirent (POSIX) */ From mstone at cs.loyola.edu Thu Sep 21 04:20:20 2000 From: mstone at cs.loyola.edu (Michael Stone) Date: Wed, 20 Sep 2000 13:20:20 -0400 Subject: sftp In-Reply-To: ; from djm@mindrot.org on Sat, Sep 16, 2000 at 04:37:48PM +1100 References: Message-ID: <20000920132020.A8493@justice.loyola.edu> Does anyone have sftp-server working? I've got it compiled on IRIX, but the sftp client (3 & 4 for NT) reports the connection as dead immediately after it's been made. Is there a way to enable some debugging for this? -- Mike Stone From mouring at pconline.com Thu Sep 21 04:29:40 2000 
From: mouring at pconline.com (Ben Lindstrom) Date: Wed, 20 Sep 2000 12:29:40 -0500 (CDT) Subject: sftp In-Reply-To: <20000920132020.A8493@justice.loyola.edu> Message-ID: sftp-server should dump out messages in your /var/adm/messages (or the correct location for IRIX). sftp-server has passed every test I've thrown at it for Linux/Redhat and Linux/Suse. (It would be nice to have a recursive remove, but I don't believe that is part of ssh.com's defines yet) What you're describing is what I'm seeing on the NeXT platform at this moment. It connects, passes ssh2 security checks, spawns off sftp-server, and dies while pulling up a directory listing (or so it looks from the client side, I've not verified this.) Ben On Wed, 20 Sep 2000, Michael Stone wrote: > Does anyone have sftp-server working? I've got it compiled on IRIX, but > the sftp client (3 & 4 for NT) reports the connection as dead > immediately after it's been made. Is there a way to enable some > debugging for this? > > -- > Mike Stone > From mstone at cs.loyola.edu Thu Sep 21 04:36:58 2000 
From: mstone at cs.loyola.edu (Michael Stone) Date: Wed, 20 Sep 2000 13:36:58 -0400 Subject: sftp In-Reply-To: ; from mouring@pconline.com on Wed, Sep 20, 2000 at 12:29:40PM -0500 References: <20000920132020.A8493@justice.loyola.edu> Message-ID: <20000920133658.B8493@justice.loyola.edu> On Wed, Sep 20, 2000 at 12:29:40PM -0500, Ben Lindstrom wrote: > sftp-server should dump out messages in your /var/adm/messages (or > the correct location for IRIX). sftp-server has passed every test I've Well, yeah, I've got that. But it's not real illuminating: Sep 19 07:59:08 6E:hostname sshd[92992]: subsystem request for sftp Sep 19 07:59:08 6E:hostname sshd[92587]: client version 0 Sep 19 07:59:08 6E:hostname sshd[92587]: realpath id 0 path . Sep 19 07:59:08 6E:hostname sshd[92587]: sent names id 0 count 1 Sep 19 07:59:08 6E:hostname sshd[92587]: opendir id 1 path [mumble] Sep 19 07:59:08 6E:hostname sshd[92587]: sent handle id 1 handle 0 Sep 19 07:59:09 6E:hostname sshd[92587]: readdir id 2 handle 0 -- Mike Stone From mouring at pconline.com Thu Sep 21 04:47:20 2000 
From: mouring at pconline.com (Ben Lindstrom) Date: Wed, 20 Sep 2000 12:47:20 -0500 (CDT) Subject: sftp In-Reply-To: <20000920133658.B8493@justice.loyola.edu> Message-ID: Note since Markus did the code.. I may be a bit off.. but =) On Wed, 20 Sep 2000, Michael Stone wrote: > On Wed, Sep 20, 2000 at 12:29:40PM -0500, Ben Lindstrom wrote: > > sftp-server should dump out messages in your /var/adm/messages (or > > the correct location for IRIX). sftp-server has passed every test I've > > Well, yeah, I've got that. But it's not real illuminating: > Sep 19 07:59:08 6E:hostname sshd[92992]: subsystem request for sftp > Sep 19 07:59:08 6E:hostname sshd[92587]: client version 0 > Sep 19 07:59:08 6E:hostname sshd[92587]: realpath id 0 path . In process_realpath() > Sep 19 07:59:08 6E:hostname sshd[92587]: sent names id 0 count 1 > Sep 19 07:59:08 6E:hostname sshd[92587]: opendir id 1 path [mumble] In process_opendir() > Sep 19 07:59:08 6E:hostname sshd[92587]: sent handle id 1 handle 0 > Sep 19 07:59:09 6E:hostname sshd[92587]: readdir id 2 handle 0 In process_readdir() So that is where I would assume would be best to start. From mouring at pconline.com Thu Sep 21 06:05:32 2000 From: mouring at pconline.com (Ben Lindstrom) Date: Wed, 20 Sep 2000 14:05:32 -0500 (CDT) Subject: sftp In-Reply-To: Message-ID: On Wed, 20 Sep 2000, Ben Lindstrom wrote: [..] > > Sep 19 07:59:08 6E:hostname sshd[92587]: sent handle id 1 handle 0 > > Sep 19 07:59:09 6E:hostname sshd[92587]: readdir id 2 handle 0 > In process_readdir() > > So that is where I would assume would be best to start. > > Found where it's crashing within process_readdir(). /* XXX OVERFLOW ? */ snprintf(pathname, sizeof pathname, "%s/%s", path, dp->d_name); if (lstat(pathname, &st) < 0) continue; The crash seems to be occurring at lstat(). Either command alone works (well, does not crash =), but something with their interaction is causing the crash. Any ideas? From stevesk at sweden.hp.com Thu Sep 21 06:18:16 2000 
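On the "XXX OVERFLOW ?" question in the snippet Ben quotes: snprintf() bounded by sizeof pathname cannot overflow the buffer, but it can silently truncate, and lstat() is then called on a name other than the one intended. The following is an added example, not sftp-server code: join_path() reports truncation instead of handing back a partial path, and list_dir() shows the readdir()/lstat() loop built on it. The function names and the deliberately small PATH_BUF are this example's own assumptions.

```c
/*
 * Added example (not from sftp-server): building "dir/name" with snprintf()
 * and treating truncation as an error rather than passing a cut-off path to
 * lstat(). PATH_BUF is kept small on purpose so truncation is easy to provoke.
 */
#include <dirent.h>
#include <stdio.h>
#include <sys/stat.h>

#define PATH_BUF 64

/* Writes "dir/name" into out. Returns 0, or -1 (with out emptied) if the
 * result would not fit in outlen bytes including the terminating NUL. */
int join_path(char *out, size_t outlen, const char *dir, const char *name)
{
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';      /* never hand back a partial path */
        return -1;
    }
    return 0;
}

/* 1 if "dir/name" fits a PATH_BUF-sized buffer, 0 if it would be truncated. */
int path_fits(const char *dir, const char *name)
{
    char buf[PATH_BUF];
    return join_path(buf, sizeof buf, dir, name) == 0;
}

/*
 * Directory listing loop. Entries whose full path would be truncated are
 * counted in *skipped and never passed to lstat(); entries lstat() rejects
 * are ignored, as in the quoted code. Returns the number of entries
 * successfully stat'ed, or -1 if the directory cannot be opened.
 */
long list_dir(const char *dir, long *skipped)
{
    char pathname[PATH_BUF];
    struct stat st;
    struct dirent *dp;
    long done = 0;
    DIR *d = opendir(dir);

    *skipped = 0;
    if (d == NULL)
        return -1;
    while ((dp = readdir(d)) != NULL) {
        if (join_path(pathname, sizeof pathname, dir, dp->d_name) < 0) {
            (*skipped)++;
            continue;
        }
        if (lstat(pathname, &st) < 0)
            continue;
        done++;
    }
    closedir(d);
    return done;
}

int main(void)
{
    long skipped;
    long n = list_dir(".", &skipped);
    printf("%ld entries stat'ed, %ld skipped as too long for %d bytes\n",
           n, skipped, PATH_BUF);
    return 0;
}
```

A crash inside lstat() with a correctly terminated buffer points at something other than this snprintf(), so the value of the check here is ruling the path construction out; in a real server PATH_BUF would be MAXPATHLEN and a truncated entry would be reported to the client rather than silently dropped.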
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Wed, 20 Sep 2000 21:18:16 +0200 (CEST)
Subject: Snapshot
In-Reply-To: <200009201611.SAA10319@b0fh.sweden.hp.com>
Message-ID: <200009201916.VAA13138@b0fh.sweden.hp.com>

On Wed, 20 Sep 2000, Kevin Steves wrote:
: On HP-UX 11.0, pam_acct_mgmt() returns PAM_AUTHTOK_EXPIRED when I expire
: a password with passwd -f:
:
: #define PAM_AUTHTOK_EXPIRED 18 /* Password expired and no longer */
:                                /* usable */
:
: The code wants PAM_NEW_AUTHTOK_REQD. Is this a bug in HP-UX?

This is indeed a defect, and I have logged a defect report. There will
be a PAM patch produced, though I have no idea when. I'm not sure if it
makes sense to work around this until then.

From rob at hagopian.net Thu Sep 21 07:07:10 2000
From: rob at hagopian.net (Rob Hagopian)
Date: Wed, 20 Sep 2000 16:07:10 -0400 (EDT)
Subject: Snapshot
In-Reply-To: <200009201916.VAA13138@b0fh.sweden.hp.com>

People will always have this version of HP-UX somewhere...

#ifndef PAM_AUTHTOK_EXPIRED
#ifdef PAM_NEW_AUTHTOK_REQD
#define PAM_AUTHTOK_EXPIRED PAM_NEW_AUTHTOK_REQD
#warning "HP-UX pam defect worked around"
#else
#error "PAM_AUTHTOK_EXPIRED is required by the PAM spec"
#endif
#endif

Or in the configure script...
								-Rob

On Wed, 20 Sep 2000, Kevin Steves wrote:

> On Wed, 20 Sep 2000, Kevin Steves wrote:
> : On HP-UX 11.0, pam_acct_mgmt() returns PAM_AUTHTOK_EXPIRED when I expire
> : a password with passwd -f:
> :
> : #define PAM_AUTHTOK_EXPIRED 18 /* Password expired and no longer */
> :                                /* usable */
> :
> : The code wants PAM_NEW_AUTHTOK_REQD. Is this a bug in HP-UX?
>
> This is indeed a defect, and I have logged a defect report. There will
> be a PAM patch produced, though I have no idea when. I'm not sure if it
> makes sense to work around this until then.
>

From stevesk at sweden.hp.com Thu Sep 21 07:34:48 2000
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Wed, 20 Sep 2000 22:34:48 +0200 (CEST)
Subject: Snapshot
Message-ID: <200009202032.WAA25915@b0fh.sweden.hp.com>

On Wed, 20 Sep 2000, Rob Hagopian wrote:
: People will always have this version of HP-UX somewhere...

And when the patch is available we tell them to install the patch.

: #ifndef PAM_AUTHTOK_EXPIRED
: #ifdef PAM_NEW_AUTHTOK_REQD
: #define PAM_AUTHTOK_EXPIRED PAM_NEW_AUTHTOK_REQD
: #warning "HP-UX pam defect worked around"
: #else
: #error "PAM_AUTHTOK_EXPIRED is required by the PAM spec"
: #endif
: #endif

This doesn't work because PAM_AUTHTOK_EXPIRED is defined.

This is what I had in mind (untested); though I'd prefer to wait a bit
and see when the fix might be available before inserting workarounds
like these in the code. And I don't know when PAM_AUTHTOK_EXPIRED
should be returned and what security issues may result from this.

--- auth-pam.c~	Sat Sep 16 07:09:27 2000
+++ auth-pam.c	Wed Sep 20 22:24:43 2000
@@ -206,6 +206,13 @@
 	case PAM_SUCCESS:
 		/* This is what we want */
 		break;
+#ifdef __hpux
+	/*
+	 * This is a workaround to an HP-UX PAM defect;
+	 * refer to JAGad29724 for patch availability.
+	 */
+	case PAM_AUTHTOK_EXPIRED:
+#endif
 	case PAM_NEW_AUTHTOK_REQD:
 		pam_msg_cat(NEW_AUTHTOK_MSG);
 		/* flag that password change is necessary */

From rob at hagopian.net Thu Sep 21 07:38:20 2000
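Review bot: the added `case PAM_AUTHTOK_EXPIRED:` label falls straight through into the `case PAM_NEW_AUTHTOK_REQD:` branch, so on HP-UX an expired password gets exactly the "new authtok required" treatment (`pam_msg_cat(NEW_AUTHTOK_MSG)` and the flag that a change is necessary), while HP-UX's own header describes PAM_AUTHTOK_EXPIRED as "Password expired and no longer usable". That mapping is only safe if the flagged change is actually enforced before a session is granted; the author's own remark about not knowing "what security issues may result" points at the same question, so it is worth confirming on an HP-UX box rather than assuming the two codes are equivalent. Two smaller points: put a `/* FALLTHROUGH */` comment above `case PAM_NEW_AUTHTOK_REQD:` so the intent is explicit, and guarding on `__hpux` alone keeps the workaround compiled in after the JAGad29724 patch is installed; a configure-time check for the defect would let it drop out once the fixed PAM is present.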
From: rob at hagopian.net (Rob Hagopian)
Date: Wed, 20 Sep 2000 16:38:20 -0400 (EDT)
Subject: Snapshot
In-Reply-To: <200009202032.WAA25915@b0fh.sweden.hp.com>

Oops, I got them reversed... but has anyone confirmed that all versions of
HP-UX have PAM_AUTHTOK_EXPIRED defined?

+#ifdef PAM_AUTHTOK_EXPIRED
+	/*
+	 * This is a workaround to an HP-UX PAM defect;
+	 * refer to JAGad29724 for patch availability.
+	 */
+	case PAM_AUTHTOK_EXPIRED:
+#endif

would be safer...
								-Rob

On Wed, 20 Sep 2000, Kevin Steves wrote:

> On Wed, 20 Sep 2000, Rob Hagopian wrote:
> : People will always have this version of HP-UX somewhere...
>
> And when the patch is available we tell them to install the patch.
>
> : #ifndef PAM_AUTHTOK_EXPIRED
> : #ifdef PAM_NEW_AUTHTOK_REQD
> : #define PAM_AUTHTOK_EXPIRED PAM_NEW_AUTHTOK_REQD
> : #warn "HP-UX pam defect worked around"
> : #else
> : #error "PAM_AUTHTOK_EXPIRED is required by the PAM spec"
> : #endif
>
> This doesn't work because PAM_AUTHTOK_EXPIRED is defined.
>
> This is what I had in mind (untested); though I'd prefer to wait a bit
> and see when the fix might be available before inserting workarounds
> like these in the code. And I don't know when PAM_AUTHTOK_EXPIRED
> should be returned and what security issues may result from this.
>
> --- auth-pam.c~	Sat Sep 16 07:09:27 2000
> +++ auth-pam.c	Wed Sep 20 22:24:43 2000
> @@ -206,6 +206,13 @@
>  	case PAM_SUCCESS:
>  		/* This is what we want */
>  		break;
> +#ifdef __hpux
> +	/*
> +	 * This is a workaround to an HP-UX PAM defect;
> +	 * refer to JAGad29724 for patch availability.
> +	 */
> +	case PAM_AUTHTOK_EXPIRED:
> +#endif
>  	case PAM_NEW_AUTHTOK_REQD:
>  		pam_msg_cat(NEW_AUTHTOK_MSG);
>  		/* flag that password change is necessary */
>

From stevesk at sweden.hp.com Thu Sep 21 07:56:29 2000
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Wed, 20 Sep 2000 22:56:29 +0200 (CEST)
Subject: Snapshot
Message-ID: <200009202054.WAA29176@b0fh.sweden.hp.com>

On Wed, 20 Sep 2000, Rob Hagopian wrote:
: Oops, I got them reversed... but has anyone confirmed that all versions of
: HP-UX have PAM_AUTHTOK_EXPIRED defined?

The only version we're concerned with is 11.0. I don't believe PAM on
10.20 is supported for anything other than CDE, so USE_PAM should not be
used on 10.20. So yes, PAM_AUTHTOK_EXPIRED is defined for all versions
where USE_PAM should be defined on HP-UX.

But again, I don't want this patch integrated right now.

: +#ifdef PAM_AUTHTOK_EXPIRED
: +	/*
: +	 * This is a workaround to an HP-UX PAM defect;
: +	 * refer to JAGad29724 for patch availability.
: +	 */
: +	case PAM_AUTHTOK_EXPIRED:
: +#endif
:
: would be safer...

It will also cause the code to be inserted for Linux (Redhat at least)
and Solaris.

From xercist at lammah.com Thu Sep 21 09:25:54 2000
From: xercist at lammah.com (xercist)
Date: Wed, 20 Sep 2000 16:25:54 -0600
Subject: Binding to specific IPs/ports
Message-ID: <20000920162554.A5886@lammah.com>

Sorry if this is the wrong place to post, I'm not a developer.

OpenSSH seems to be capable of binding to any given list of IP
addresses, on any given list of ports. What it can't seem to
do, however, is be given any combination of these.

Let's say I want to bind to 1.1.1.1:22 as well as 2.2.2.2:80.
(I choose 80 knowing it is the http port, just for that purpose,
because some people are behind firewalls and cannot get out
on ports other than 80.)

The only way to do this would require also listening on 1.1.1.1:80,
and if I'm running something else there (like a web server :),
it doesn't work.

It seems to me this is just an issue regarding how openssh loads
its conf file, and would not be too hard to implement in future
versions, for one of you developers :)

Please let me know.
--

-*% % % % % % % % % % % % % % % % *-
-*            xercist              *-
-*    xercist at mindless.com        *-
-* % % % % % % % % % % % % % % % %*-

From wpilorz at bdk.pl Thu Sep 21 17:58:52 2000
From: wpilorz at bdk.pl (Wojtek Pilorz)
Date: Thu, 21 Sep 2000 08:58:52 +0200 (CEST)
Subject: Binding to specific IPs/ports
In-Reply-To: <20000920162554.A5886@lammah.com>

On Wed, 20 Sep 2000, xercist wrote:

> Date: Wed, 20 Sep 2000 16:25:54 -0600
> From: xercist
> To: openssh-unix-dev at mindrot.org
> Subject: Binding to specific IPs/ports
>
> Sorry if this is the wrong place to post, I'm not a developer.
>
> OpenSSH seems to be capable of binding to any given list of IP
> addresses, on any given list of ports. What it can't seem to
> do, however, is be given any combination of these.
>
> Let's say I want to bind to 1.1.1.1:22 as well as 2.2.2.2:80.
> (I choose 80 knowing it is the http port, just for that purpose,
> because some people are behind firewalls and cannot get out
> on ports other than 80.)
>
> The only way to do this would require also listening on 1.1.1.1:80,
> and if I'm running something else there (like a web server :),
> it doesn't work.
>

Couldn't you just start two instances of OpenSSH, e.g. using two
separate configuration files? Or am I missing something?

> It seems to me this is just an issue regarding how openssh loads
> its conf file, and would not be too hard to implement in future
> versions, for one of you developers :)
>
> Please let me know.
> --
>
> -*% % % % % % % % % % % % % % % % *-
> -*            xercist              *-
> -*    xercist at mindless.com        *-
> -* % % % % % % % % % % % % % % % %*-
>

Best regards,

Wojtek

From randolf at skerka.de Thu Sep 21 20:29:34 2000
From: randolf at skerka.de (Randolf Skerka)
Date: Thu, 21 Sep 2000 11:29:34 +0200
Subject: Problem using Java based applications throug OpenSSH?
Message-ID: <39C9D4FE.A095F064@skerka.de>

Hi all!

I've experienced a problem with Java-based application GUIs (here I use
Veritas Volume Manager). The usage of the right mouse button does not
result in an action. Does anybody else have the same problems?

Client: WinNT, F-Secure SSH 4.0 Client, Exceed
Server: Solaris 2.6, OpenSSH 2.2.0p1

Randolf

-- 
+---------------------------------------------------------------------+
| Randolf Skerka        +49-172-5440058        http://www.randolf.org |
+---------------------------------------------------------------------+

From mstone at cs.loyola.edu Fri Sep 22 05:30:47 2000
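The combination asked for in the "Binding to specific IPs/ports" thread above (one address on port 22, another on port 80, and no 1.1.1.1:80) comes down to how a ListenAddress value is parsed and then expanded against the Port directives. What follows is an added example, not OpenSSH code: a parser for a ListenAddress value that may carry its own port, in the addr:port and [v6addr]:port forms (that syntax is an assumption here, modelled on what later sshd_config versions accept), plus the expansion step that produces the address-times-port cross product only for entries given without a port. The struct and function names are the example's own.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define ADDR_MAX 64

/* One ListenAddress value; port -1 means "combine with every Port line". */
struct listen_spec {
	char addr[ADDR_MAX];
	int port;
};

/* Parse "1.1.1.1", "1.1.1.1:22", "[2001:db8::1]" or "[2001:db8::1]:22".
 * An unbracketed IPv6 address is taken whole, since its own colons make a
 * trailing port ambiguous. Returns 0 on success, -1 if malformed. */
int parse_listen_address(const char *spec, struct listen_spec *out)
{
	const char *p = spec, *end, *portstr = NULL;
	size_t n;

	out->addr[0] = '\0';
	out->port = -1;
	if (*p == '[') {
		if ((end = strchr(p + 1, ']')) == NULL)
			return -1;
		p++;
		n = (size_t)(end - p);
		if (end[1] == ':')
			portstr = end + 2;
		else if (end[1] != '\0')
			return -1;
	} else {
		end = strchr(p, ':');
		if (end != NULL && strchr(end + 1, ':') != NULL)
			end = NULL;	/* unbracketed IPv6: no port part */
		n = end ? (size_t)(end - p) : strlen(p);
		if (end != NULL)
			portstr = end + 1;
	}
	if (n == 0 || n >= ADDR_MAX)
		return -1;
	memcpy(out->addr, p, n);
	out->addr[n] = '\0';
	if (portstr != NULL) {
		char *q;
		long port;

		/* Reject "", "+22", " 22": strtol alone would accept them. */
		if (!isdigit((unsigned char)*portstr))
			return -1;
		port = strtol(portstr, &q, 10);
		if (*q != '\0' || port < 1 || port > 65535)
			return -1;
		out->port = (int)port;
	}
	return 0;
}

/* Expand parsed entries against the Port directives: an entry with its own
 * port becomes one socket, an entry without one becomes one socket per
 * Port. Returns the socket count, or -1 if out cannot hold them. */
int expand_listen_list(const struct listen_spec *specs, int nspecs,
    const int *ports, int nports, struct listen_spec *out, int max)
{
	int i, j, count = 0;

	for (i = 0; i < nspecs; i++) {
		int copies = specs[i].port != -1 ? 1 : nports;
		for (j = 0; j < copies; j++) {
			if (count >= max)
				return -1;
			out[count] = specs[i];
			if (specs[i].port == -1)
				out[count].port = ports[j];
			count++;
		}
	}
	return count;
}

/* The thread's scenario: 1.1.1.1:22 and 2.2.2.2:80 under "Port 22" must
 * yield exactly those two sockets and no 1.1.1.1:80. Returns 2, or -1. */
int thread_scenario_socket_count(void)
{
	struct listen_spec specs[2], sockets[8];
	int ports[1] = { 22 }, n;

	if (parse_listen_address("1.1.1.1:22", &specs[0]) != 0 ||
	    parse_listen_address("2.2.2.2:80", &specs[1]) != 0)
		return -1;
	n = expand_listen_list(specs, 2, ports, 1, sockets, 8);
	if (n != 2 || sockets[0].port != 22 || sockets[1].port != 80 ||
	    strcmp(sockets[1].addr, "2.2.2.2") != 0)
		return -1;
	return n;
}

/* Value-returning wrappers: the port (-2 on parse failure) and the address. */
int parsed_port(const char *spec)
{
	struct listen_spec s;
	return parse_listen_address(spec, &s) == 0 ? s.port : -2;
}

const char *parsed_addr(const char *spec)
{
	static struct listen_spec s;
	return parse_listen_address(spec, &s) == 0 ? s.addr : "";
}
```

Two-instance sshd setups, as Wojtek suggests, reach the same end state; the parser version keeps a single daemon and a single config, at the cost of having to refuse ambiguous input such as an unbracketed IPv6 address with a port, which the code above does by never reading a port from such an entry.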
From: mstone at cs.loyola.edu (Michael Stone)
Date: Thu, 21 Sep 2000 14:30:47 -0400
Subject: sftp
In-Reply-To: <20000920132020.A8493@justice.loyola.edu>; from mstone@cs.loyola.edu on Wed, Sep 20, 2000 at 01:20:20PM -0400
References: <20000920132020.A8493@justice.loyola.edu>
Message-ID: <20000921143047.H8493@justice.loyola.edu>

On Wed, Sep 20, 2000 at 01:20:20PM -0400, Michael Stone wrote:
> Does anyone have sftp-server working? I've got it compiled on IRIX, but
> the sftp client (3 & 4 for NT) reports the connection as dead
> immediately after it's been made. Is there a way to enable some
> debugging for this?

What do you know--it does dump core. Anyway, the fix was to change a %qd
to a %lld in sftp-server.c. Linux apparently understands the bsdism, but
not all systems do.

-- 
Mike Stone

From mouring at pconline.com Fri Sep 22 05:43:11 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Thu, 21 Sep 2000 13:43:11 -0500 (CDT)
Subject: sftp
In-Reply-To: <20000921143047.H8493@justice.loyola.edu>

Hmm..This may fix some systems.. but is not the magical fix for NeXT.
However bsd-snprintf.c itself does not support %qd nor %lld if I remember
right... (One of the documented downfalls of that version of
snprintf/vsnprintf.)

Does IRIX have its own vsnprintf/snprintf?

On Thu, 21 Sep 2000, Michael Stone wrote:

> On Wed, Sep 20, 2000 at 01:20:20PM -0400, Michael Stone wrote:
> > Does anyone have sftp-server working? I've got it compiled on IRIX, but
> > the sftp client (3 & 4 for NT) reports the connection as dead
> > immediately after it's been made. Is there a way to enable some
> > debugging for this?
>
> What do you know--it does dump core. Anyway, the fix was to change a %qd
> to a %lld in sftp-server.c. Linux apparently understands the bsdism, but
> not all systems do.
>
> --
> Mike Stone
>

From mstone at cs.loyola.edu Fri Sep 22 05:54:09 2000
From: mstone at cs.loyola.edu (Michael Stone)
Date: Thu, 21 Sep 2000 14:54:09 -0400
Subject: sftp
In-Reply-To: ; from mouring@pconline.com on Thu, Sep 21, 2000 at 01:43:11PM -0500
References: <20000921143047.H8493@justice.loyola.edu>
Message-ID: <20000921145409.I8493@justice.loyola.edu>

On Thu, Sep 21, 2000 at 01:43:11PM -0500, Ben Lindstrom wrote:
> Does IRIX have its own vsnprintf/snprintf?

yes

-- 
Mike Stone

From jeremy at xxedgexx.com Fri Sep 22 06:29:36 2000
From: jeremy at xxedgexx.com (Jeremy Hansen)
Date: Thu, 21 Sep 2000 15:29:36 -0400 (EDT)
Subject: corrupt files localhost

We recently ran into an issue with scp'ing files onto themselves which
results in a corrupt file. I understand that this seems logical for files
to be corrupt when cp'ing them onto themselves, but for some reason fsecure
scp does not do this. For reasons outside of my control, we need this to
work for staging purposes.

Example:

scp /home/file localhost:/home/file

leaves file completely corrupt. Using rsync to do the same thing, even with
openssh, makes everything fine.

Any ideas on this? Any help is appreciated. I didn't want to say it was a
bug cause for all I know, what openssh is doing could be the right thing
and fsecure is wrong.

Thanks
-jeremy

eholes.org * jeremy at eholes.org
-----------------------------------------
eholes have feelings too...

From chenda at cs.unc.edu Fri Sep 22 06:32:34 2000
From: chenda at cs.unc.edu (Daniel T. Chen)
Date: Thu, 21 Sep 2000 15:32:34 -0400 (EDT)
Subject: OpenSSL-0.9.6-beta3 and SSH2

Hello folks, just rebuilt the latest snapshot of OpenSSH from Damien's
page using the latest beta of OpenSSL-0.9.6-beta3 and have good news: SSH2
works again! Any fellow bleeding-edgers want to confirm this? Btw, I
tested this on i686/Linux.

dtc

---
Daniel T. Chen | chenda at cs.unc.edu

From chip at princetonecom.com Fri Sep 22 06:55:43 2000
From: chip at princetonecom.com (Chip Christian)
Date: Thu, 21 Sep 2000 15:55:43 -0400
Subject: OpenSSL-0.9.6-beta3 and SSH2
In-Reply-To: Message from "Daniel T. Chen" of "Thu, 21 Sep 2000 15:32:34 EDT."
Message-ID: <20000921195543.DDDEAB47B@fleck.princetonecom.com>

Ditto. Solaris 2.6/7 on SPARC.

> Hello folks, just rebuilt the latest snapshot of OpenSSH from Damien's
> page using the latest beta of OpenSSL-0.9.6-beta3 and have good news: SSH2
> works again! Any fellow bleeding-edgers want to confirm this? Btw, I
> tested this on i686/Linux.
>
> dtc
>
> ---
> Daniel T. Chen | chenda at cs.unc.edu
>

From jeremy at xxedgexx.com Fri Sep 22 07:31:24 2000
From: jeremy at xxedgexx.com (Jeremy Hansen)
Date: Thu, 21 Sep 2000 16:31:24 -0400 (EDT)
Subject: remote execution

On a related note to my corrupt files issue, it seems that something is
also different with openssh and fsecure ssh that breaks one of our scripts
that does an apache restart on a remote machine. It just does a restart
using the red hat package init script and sometimes completely fails to
execute. The problem is that it's only *sometimes*. Fsecure ssh works
reliably. Any ideas on this?

Thanks
-jeremy

eholes.org * jeremy at eholes.org
-----------------------------------------
eholes have feelings too...

From theos at cnds.jhu.edu Fri Sep 22 10:52:24 2000
From: theos at cnds.jhu.edu (Theo E. Schlossnagle)
Date: Thu, 21 Sep 2000 19:52:24 -0400
Subject: OpenSSH-2.2.0p1 + SecurID.
Message-ID: <39CA9F38.38758C59@cnds.jhu.edu>

Hello all,

I looked long and hard for SecurID support for OpenSSH and I have not found
it. So, I spent a few hours today and added SecurID authentication support
into OpenSSH. Specifically the 2.2.0p1 portability release. I have beat on
it for several hours and it seems to work just fine.

I don't know if anyone would find these patches useful or not... I also
don't know if the maintainers would like to integrate them into the source
tree as they depend directly on a closed source library from RSA. (though
only if you enable support for it :)

I would like to hear the opinions of the maintainers/authors and the public
before I pollute the list with this patch.

I patched up the source tree so that if the SecurID headers are in your
include path already and you copy the sdiclient.a file into the openssh
base directory, all you have to do then is add --with-securid and it should
compile right in.

It works similarly to the Skey code (except less complicated) and it hooks
in the beginning of the PAM and passwd authentication methods. It checks to
see if a user's shell ends with "sdhell" and if it does it attempts to do
SecurID authentication.

There is absolutely no documentation yet, but it can handle the "Please
enter next token" exception using the send_debug_packet on the server side.
So if your login attempts are failing, you can run ssh -v [args] and it
will tell you "failed" or "please enter next token". Cute and required no
modification on the client side :)

For those who don't know, SecurID can ask you to enter the next code on
your token if you have several failed login attempts (so you'll have to
enter two passwords to log in). It does this to handle drift and prevent
guessing (I think).
Without integrated SecurID support, tools like scp and rsync (and anything
else over ssh) can be excruciatingly painful if not impossible.

What do you think?

-- 
Theo Schlossnagle
1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E  2DC2 72C2 AD05 A8EB CF8F
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D  90 B9 9F BE 27 24 E7

From carl at bl.echidna.id.au Fri Sep 22 11:05:21 2000
From: carl at bl.echidna.id.au (carl at bl.echidna.id.au)
Date: Fri, 22 Sep 2000 11:05:21 +1100 (EST)
Subject: OpenSSH-2.2.0p1 + SecurID.
Message-ID: <200009220005.e8M05LA10989@rollcage.bl.echidna.id.au>

> From: "Theo E. Schlossnagle"
>
> Hello all,
>
> I looked long and hard for SecurID support for OpenSSH and I have not found
> it. So, I spent a few hours today and added SecurID authentication support
> into OpenSSH. Specifically the 2.2.0p1 portability release. I have beat on
> it for several hours and it seems to work just fine.

If you're running RMS/Loonicks or Solaris, you can use SecurID with
PAM (which is the whole point of PAM). It'd be really nice to get PAM
support in some of the other UNIX's.

Carl

From theos at cnds.jhu.edu Fri Sep 22 15:34:25 2000
From: theos at cnds.jhu.edu (Theo E. Schlossnagle)
Date: Fri, 22 Sep 2000 00:34:25 -0400
Subject: OpenSSH-2.2.0p1 + SecurID.
References: <200009220005.e8M05LA10989@rollcage.bl.echidna.id.au>
Message-ID: <39CAE151.BCF5A647@cnds.jhu.edu>

carl at bl.echidna.id.au wrote:
> If you're running RMS/Loonicks or Solaris, you can use SecurID with
> PAM (which is the whole point of PAM). It'd be really nice to get PAM
> support in some of the other UNIX's.

Actually, I had a lot of trouble with SecurID and PAM. It worked great on
the console and for anything with freeform tty-style logins, but for
SecurID it didn't work the way I needed.

The problem is that after the user enters the correct PIN, sometimes the
ACE/Server will request that the user enter the next token code. The hooks
in PAM are there to do this (and much more), but I didn't see that ssh
could utilize this.

The patch I wrote will account for this most common case. As ssh/sshd
(OpenSSH) gives you three chances to type in the right password by default,
I can actually do the assigning of a PIN as well. The first pass is the
token code, the second is the PIN and the third is the confirmation of the
PIN. I think I will work on that next.

It was of vital importance to NOT change the client as we have a lot of
people here that use Windows clients and Java clients.

Did I miss something in the auth-pam that would allow for this complicated
interaction?

-- 
Theo Schlossnagle
1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E  2DC2 72C2 AD05 A8EB CF8F
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D  90 B9 9F BE 27 24 E7

From paul.l.allen at boeing.com Fri Sep 22 16:15:43 2000
From: paul.l.allen at boeing.com (Paul Allen)
Date: Thu, 21 Sep 2000 22:15:43 -0700
Subject: Agent forwarding with DSA keys?
Message-ID: <39CAEAFF.8C1B11B9@boeing.com>

Does agent forwarding work with DSA keys?

I'm using 2.2.0p1 on RedHat Linux 6.2 (Alpha) and Solaris 2.6 (SPARC).

If I ssh-add my RSA key into the local agent and ssh to another machine,
the agent connection is forwarded properly. (I can say "ssh-add -l" and
see my keys.)

If I ssh-add my DSA key into the local agent and "ssh -2" to another
machine, the agent connection does not forward. (Ssh-add -l can't find
the agent, there is no SSH_AUTH_SOCK environment variable.)

I've been rummaging in the code, and I see two sections in ssh.c where X
forwarding is handled. One of the sections also handles agent forwarding.
I tagged one of the debug() calls about "Requesting X11 forwarding" in
order to distinguish between them at runtime. The section that does not
appear to do agent forwarding is the one that gets executed when a DSA key
is being used.

Hmmm... I don't see other complaints like this on the list, so probably
I'm doing something wrong. On the other hand, perhaps everybody but me
already knows that agent forwarding doesn't quite work yet in protocol 2.
:-)

Can anybody point me to the path of sanity here?

Thanks!

Paul Allen
-- 
Paul L. Allen           | voice: (425) 865-3297  fax: (425) 865-2964
Unix Technical Support  | paul.l.allen at boeing.com
Boeing Phantom Works Math & Computing Technology Site Operations,
POB 3707 M/S 7L-68, Seattle, WA 98124-2207

From Mark.Wallace at osd.mil Fri Sep 22 22:33:55 2000
From: Mark.Wallace at osd.mil (Wallace, Mark, CTR, OSD/ATL)
Date: Fri, 22 Sep 2000 07:33:55 -0400
Subject: Agent forwarding with DSA keys?
Message-ID: <378C49974B36D411A585009027E59E6F09C6E6@osdn1.osd.mil>

How do you manage to ssh-add your dsa key?
When I try that, I'm informed that it is a bad key file...

-----Original Message-----
From: Paul Allen [mailto:paul.l.allen at boeing.com]
Sent: Friday, September 22, 2000 1:20 AM
To: openssh-unix-dev at mindrot.org
Subject: Agent forwarding with DSA keys?

Does agent forwarding work with DSA keys?

I'm using 2.2.0p1 on RedHat Linux 6.2 (Alpha) and Solaris 2.6 (SPARC).

If I ssh-add my RSA key into the local agent and ssh to another machine,
the agent connection is forwarded properly. (I can say "ssh-add -l" and
see my keys.)

If I ssh-add my DSA key into the local agent and "ssh -2" to another
machine, the agent connection does not forward. (Ssh-add -l can't find
the agent, there is no SSH_AUTH_SOCK environment variable.)

I've been rummaging in the code, and I see two sections in ssh.c where X
forwarding is handled. One of the sections also handles agent forwarding.
I tagged one of the debug() calls about "Requesting X11 forwarding" in
order to distinguish between them at runtime. The section that does not
appear to do agent forwarding is the one that gets executed when a DSA key
is being used.

Hmmm... I don't see other complaints like this on the list, so probably
I'm doing something wrong. On the other hand, perhaps everybody but me
already knows that agent forwarding doesn't quite work yet in protocol 2.
:-)

Can anybody point me to the path of sanity here?

Thanks!

Paul Allen
-- 
Paul L. Allen           | voice: (425) 865-3297  fax: (425) 865-2964
Unix Technical Support  | paul.l.allen at boeing.com
Boeing Phantom Works Math & Computing Technology Site Operations,
POB 3707 M/S 7L-68, Seattle, WA 98124-2207

From J.Horne at plymouth.ac.uk Fri Sep 22 22:53:42 2000
From: J.Horne at plymouth.ac.uk (John Horne)
Date: Fri, 22 Sep 2000 12:53:42 +0100 (BST)
Subject: Agent forwarding with DSA keys?
In-Reply-To: <378C49974B36D411A585009027E59E6F09C6E6@osdn1.osd.mil>

On 22-Sep-00 at 11:33:55 Wallace, Mark, CTR, OSD/ATL wrote:
> How do you manage to ssh-add your dsa key?
> When I try that, I'm informed that it is a bad key file...
>
Missed the thread on this, but in my .bash_profile file I have:

	eval `ssh-agent` >/dev/null
	SSH_ASKPASS=/usr/libexec/ssh/ssh-askpass
	export SSH_ASKPASS
	ssh-add $HOME/.ssh/id_dsa

Works fine - using redhat 6.1.

John.

------------------------------------------------------------------------
John Horne, University of Plymouth, UK           Tel: +44 (0)1752 233914
E-mail: jhorne at plymouth.ac.uk
PGP key available from public key servers

From dberk at lump.org Sat Sep 23 01:52:26 2000
From: dberk at lump.org (David Berk)
Date: Fri, 22 Sep 2000 10:52:26 -0400
Subject: i think this is great
Message-ID: <000501c024a4$b9ae0580$293814aa@cbs.com>

I have tried ( to no avail ) to get SecurID and ssh work together.
The biggest sticking points have been either new pin / next token
mode OR scp. I would be interested in looking at your patch. I
have been banging on auth-pam.c to work in the pam stuff for
the last couple days, but it seems auth-pam is an incomplete
implementation of pam. The patch from Steve VanDevender looked
promising.

Thanks
Dave

From djm at mindrot.org Sat Sep 23 13:48:32 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 23 Sep 2000 13:48:32 +1100 (EST)
Subject: Agent forwarding with DSA keys?
In-Reply-To: <378C49974B36D411A585009027E59E6F09C6E6@osdn1.osd.mil>

On Fri, 22 Sep 2000, Wallace, Mark, CTR, OSD/ATL wrote:

> How do you manage to ssh-add your dsa key?
> When I try that, I'm informed that it is a bad key file...

Are you using 2.2.0p1? It supports DSA keys in the agent.

-d

-- 
| ``The power of accurate observation is      | Damien Miller
| commonly called cynicism by those who       | @Work
| have not got it'' - George Bernard Shaw     | http://www.mindrot.org

From djm at mindrot.org Sat Sep 23 13:50:57 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 23 Sep 2000 13:50:57 +1100 (EST)
Subject: i think this is great
In-Reply-To: <000501c024a4$b9ae0580$293814aa@cbs.com>

On Fri, 22 Sep 2000, David Berk wrote:

> I have tried ( to no avail ) to get SecurID and ssh work tegether.
> The biggest sticking points have been either new pin / next token
> mode OR scp. I would be interested in looking at your patch. I
> have been banging on auth-pam.c to work in the pam stuff for
> the last couple days, but it seems auth-pam is an incomplete
> implementation of pam. The patch from Steve VanDevender looked
> promising.

Have you tried the snapshot? Steve's patch is integrated.

-d

-- 
| ``The power of accurate observation is      | Damien Miller
| commonly called cynicism by those who       | @Work
| have not got it'' - George Bernard Shaw     | http://www.mindrot.org

From djm at mindrot.org Sat Sep 23 14:00:28 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 23 Sep 2000 14:00:28 +1100 (EST)
Subject: DISABLE_UTMP on HP-UX

On Sat, 16 Sep 2000, Kevin Steves wrote:

> Here's a configure fix for what I suggested above, as well as adding addr
> in utmpx support, which I hope is a "portable" fix (configure checks for
> the struct member).
>
> Also, loginrec works quite well on HP-UX 11.

Thanks - applied.

-d

-- 
| ``The power of accurate observation is      | Damien Miller
| commonly called cynicism by those who       | @Work
| have not got it'' - George Bernard Shaw     | http://www.mindrot.org

From djm at mindrot.org Sat Sep 23 14:01:03 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 23 Sep 2000 14:01:03 +1100 (EST)
Subject: Snapshot

On Sat, 16 Sep 2000, Pekka Savola wrote:

> On Sat, 16 Sep 2000, Damien Miller wrote:
>
> >
> > Quite a few changes here, please test.
>
> I noticed a few packaging issues.

[snip]

> Also, sftp-server.8 seems to use an undefined (OpenBSD only?) definition
> Ox:

[snip]

> I couldn't find any other references to .Ox in OpenSSH (cvs or not).
> Some kind of patch attached.

Thanks - applied.

-d

-- 
| ``The power of accurate observation is      | Damien Miller
| commonly called cynicism by those who       | @Work
| have not got it'' - George Bernard Shaw     | http://www.mindrot.org

From djm at mindrot.org Sat Sep 23 14:01:41 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 23 Sep 2000 14:01:41 +1100 (EST)
Subject: ListenAddress option.

On Sat, 16 Sep 2000, Paul Nicholas Faure wrote:

> > > if I try to use "ListenAddress 0.0.0.0". If I put in the full ip
> > > of the system that runs OpenSSH server, then it works fine.
> >
> > What platform are you using?
> RedHat 6.2
>
> The RPMs that I got seem to support "ListenAddress 0.0.0.0" but not if I
> compile from scratch.

Have you tried compiling with the same options that the RPM spec file
uses?

-d

-- 
| ``The power of accurate observation is      | Damien Miller
| commonly called cynicism by those who       | @Work
| have not got it'' - George Bernard Shaw     | http://www.mindrot.org

From djm at mindrot.org Sat Sep 23 14:01:58 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 23 Sep 2000 14:01:58 +1100 (EST)
Subject: Problem with --with-ssl-dir
In-Reply-To: <20000916183914.E1375@greenie.muc.de>

On Sat, 16 Sep 2000, Gert Doering wrote:

> > I recommend to change the precedence to ' $tryssldir "" ', so that
> > I can choose another OpenSSL library (version) besides the one in
> > the system directory.
>
> Strongly seconded - especially for testing this is very useful.

Done.

-d

-- 
| ``The power of accurate observation is      | Damien Miller
| commonly called cynicism by those who       | @Work
| have not got it'' - George Bernard Shaw     | http://www.mindrot.org

From djm at mindrot.org Sat Sep 23 14:02:43 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 23 Sep 2000 14:02:43 +1100 (EST)
Subject: configure prob with 2.2.0p1 and FBSD4.1R

On Sun, 17 Sep 2000, Hugh Blandford wrote:

> Hi,
>
> I'm getting the:
>
> checking for OpenSSL directory... configure: error: Could not find working
> SSLeay / OpenSSL libraries, please install

Have a look at the end of config.log - there may be some more descriptive
error messages.

-d

-- 
| ``The power of accurate observation is      | Damien Miller
| commonly called cynicism by those who       | @Work
| have not got it'' - George Bernard Shaw     | http://www.mindrot.org

From djm at mindrot.org Sat Sep 23 14:13:48 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 23 Sep 2000 14:13:48 +1100 (EST)
Subject: Snapshot
In-Reply-To: <20000919163153.A13187@ii.uib.no>

On Tue, 19 Sep 2000, Jan-Frode Myklebust wrote:

> On Sat, Sep 16, 2000 at 04:37:48PM +1100, Damien Miller wrote:
> >
> > Quite a few changes here, please test.
> >
> > http://www.mindrot.org/misc/openssh/openssh-SNAP-20000916.tar.gz
> >
>
> Failed because sftpserver.c didn't define u_int64_t.

Strange - I have refined the tests for the 64 bit types some more, can
you try today's snapshot? (will probably be released in about 1/2 hour)

-d

-- 
| ``The power of accurate observation is      | Damien Miller
| commonly called cynicism by those who       | @Work
| have not got it'' - George Bernard Shaw     | http://www.mindrot.org

From djm at mindrot.org Sat Sep 23 14:25:35 2000
From: djm at mindrot.org (Damien Miller)
Date: Sat, 23 Sep 2000 14:25:35 +1100 (EST)
Subject: password aging and account lock checks
In-Reply-To: <200009201603.SAA08752@b0fh.sweden.hp.com>

On Wed, 20 Sep 2000, Kevin Steves wrote:

> I'm looking at the password aging and account lock checks in
> auth.c:allowed_user(), and specifically their behaviour on
> HP-UX.
>
> First, should this code be ifdef'd away if we're using PAM?

You are correct - done.

> Next:
>
> 	/* Check account expiry */
> 	if ((spw->sp_expire > 0) && (days > spw->sp_expire))
> 		return 0;

I have changed it to "spw->sp_expire >= 0".

> sp_lastchg is set to 0. The above code does not catch that. So
> it seems we want something like this (untested):
>
> 	/* Check password expiry */
> 	if (spw->sp_lstchg == 0 || (spw->sp_max > 0 &&
> 	    days > spw->sp_lstchg + spw->sp_max)) {
> 		debug("Password for user \"%.200s\" expired",
> 		    pw->pw_name);
> 		return 0;
> 	}

How about:

	if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) &&
	    (days > (spw->sp_lstchg + spw->sp_max)))
		return 0;

> I'd like to look at building a password abstraction layer where all the
> platform dependent password code resides. This includes various
> interfaces to shadow and protected password information, password aging,
> and password formats (crypt(), bigcrypt(), MD5). This will serve to
> clean up auth-passwd.c and auth.c and probably some other stuff.
>
> Is this a good direction?

I think so, this sort of abstraction (in the form of loginrec.c) has
already made life much simpler. It may be of use for other projects as
well.

-d

-- 
| ``The power of accurate observation is      | Damien Miller
| commonly called cynicism by those who       | @Work
| have not got it'' - George Bernard Shaw     | http://www.mindrot.org

From djm at mindrot.org Sat Sep 23 14:58:44 2000
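The two shadow checks debated above differ in exactly the edge cases that matter (a forced change shows up as sp_lstchg == 0, "no aging" as sp_max of -1, and an unset expiry as -1), so here is an added example, not the auth.c code: the tests in the form Damien settles on (sp_expire >= 0, sp_lstchg and sp_max both >= 0) with Kevin's sp_lstchg == 0 case reported separately, returning a status rather than a bare 0/1 so the caller can log which test failed before denying the login. The struct and enum are the example's own stand-ins for the struct spwd fields, so the code needs no shadow.h; all values are days since the epoch.

```c
#include <time.h>

/* Constructed stand-in for the struct spwd aging fields. */
struct shadow_aging {
	long lstchg;	/* sp_lstchg: day of last change; 0 = change forced (passwd -f) */
	long max;	/* sp_max: days a password stays valid; -1 = no aging */
	long expire;	/* sp_expire: day the account expires; -1 = never */
};

enum aging_status {
	AGING_OK = 0,
	AGING_ACCOUNT_EXPIRED,		/* sp_expire has passed */
	AGING_CHANGE_FORCED,		/* sp_lstchg == 0, the case a ">0" test misses */
	AGING_PASSWORD_EXPIRED		/* sp_lstchg + sp_max has passed */
};

/* Evaluate the aging fields against "days", today's day number. Account
 * expiry uses ">= 0" as in Damien's change, so a literal 0 counts as an
 * expiry day rather than as "unset"; -1 is the unset value throughout. */
enum aging_status check_shadow_aging(const struct shadow_aging *sp, long days)
{
	if (sp->expire >= 0 && days > sp->expire)
		return AGING_ACCOUNT_EXPIRED;
	if (sp->lstchg == 0)
		return AGING_CHANGE_FORCED;
	if (sp->lstchg > 0 && sp->max >= 0 && days > sp->lstchg + sp->max)
		return AGING_PASSWORD_EXPIRED;
	return AGING_OK;
}

/* Today's day number, the "days" value the checks are compared against. */
long days_since_epoch(void)
{
	return (long)(time(NULL) / 86400);
}

/* Entry point taking plain values, convenient for checking cases by hand. */
int aging_status(long lstchg, long max, long expire, long days)
{
	struct shadow_aging sp;

	sp.lstchg = lstchg;
	sp.max = max;
	sp.expire = expire;
	return (int)check_shadow_aging(&sp, days);
}
```

Whether AGING_CHANGE_FORCED should deny the login (Kevin's `return 0`) or route the user into a password change is the policy question the thread leaves open; keeping it a distinct status lets either caller make that call without re-deriving the arithmetic.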
From: djm at mindrot.org (Damien Miller) Date: Sat, 23 Sep 2000 14:58:44 +1100 (EST) Subject: sftp In-Reply-To: <20000921143047.H8493@justice.loyola.edu> Message-ID: On Thu, 21 Sep 2000, Michael Stone wrote: > What do you know--it does dump core. Anyway, the fix was to change > a %qd to a %lld in sftp-server.c. Linux apparently understands the > bsdism, but not all systems do. Thanks - applied. -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From paul at engsoc.carleton.ca Sat Sep 23 17:40:56 2000 From: paul at engsoc.carleton.ca (Paul Nicholas Faure) Date: Sat, 23 Sep 2000 02:40:56 -0400 (EDT) Subject: ListenAddress option. In-Reply-To: Message-ID: On Sat, 23 Sep 2000, Damien Miller wrote: > On Sat, 16 Sep 2000, Paul Nicholas Faure wrote: > > > > > if I try to use "ListenAddress 0.0.0.0". If I put in the full ip > > > > of the system that runs OpenSSH server, then it works fine. > > > > > > What platform are you using? > > RedHat 6.2 > > > > The RPMs that I got seem to support "ListenAddress 0.0.0.0" but not if I > > compile from scratch. > > Have you tried compiling with the same options that the RPM spec file > uses? Yes I have, but no luck. > -d > > -- Paul Faure paul at paulfaure.com Carleton University Systems Engineer 3rd Year paul at porkchop.org Engsoc Admin/BOG Technical Director paul at engsoc.org From jmknoble at jmknoble.cx Sun Sep 24 16:56:38 2000 
From: jmknoble at jmknoble.cx (Jim Knoble) Date: Sun, 24 Sep 2000 01:56:38 -0400 Subject: ANNOUNCE: x11-ssh-askpass v1.0.2 In-Reply-To: <20000828040826.A19242@quipu.half.pint-stowp.cx>; from jmknoble@pint-stowp.cx on Mon, Aug 28, 2000 at 04:08:26AM -0400 References: <20000828040826.A19242@quipu.half.pint-stowp.cx> Message-ID: <20000924015638.H18952@quipu.half.pint-stowp.cx> x11-ssh-askpass version 1.0.2 is now available from the following locations: http://www.jmknoble.cx/software/x11-ssh-askpass/ http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/ x11-ssh-askpass is a passphrase dialog for use with OpenSSH (www.openssh.com) under the X Window System. The important changes since version 1.0.2 are as follows: - Fixed a problem grabbing the keyboard that seems to happen more on faster machines. More information about this problem is available at: http://www.jmknoble.cx/software/x11-ssh-askpass/keyboard-grabbing.html -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ From sgr at rotzorg.org Sun Sep 24 23:47:36 2000 
From: sgr at rotzorg.org (Sendy) Date: Sun, 24 Sep 2000 14:47:36 +0200 Subject: SSH_CLIENT _not_ set when doing a command Message-ID: <20000924144736.B23003@stereo.rotzorg.org> Hi, I'm trying to create a dynamic dns system by using the nsupdate (or Net::DNS) through a non-passphrase protected ssh session. I've keygen'ed an extra key, with no passphrase and using it, I execute a little script on the server, which updates the DNS records. (something like this: ssh pickup /usr/local/bin/updatedns 10.1.2.3) This all works fine and dandy. I would like to protect this scheme more by using the command="" feature, the only problem is that I can't use an ip-number in authorized_keys (because I do not know it). In an interactive shell, the env variable 'SSH_CLIENT' is set, and this variable can easily be parsed for the connecting ipnumber. The real problem is that this variable is _not_ set when just executing a remote command. Is it possible to retrieve the ipnumber of the connecting client while executing a remote command? Simply turning on the environment variables should suffice. I'm using OpenSSH version 2.2.0p1 on Debian GNU. gr, Sendy De Graaf sendy at dds.nl From stevesk at sweden.hp.com Mon Sep 25 02:07:09 2000 
From: stevesk at sweden.hp.com (Kevin Steves) Date: Sun, 24 Sep 2000 17:07:09 +0200 (MEST) Subject: password aging and account lock checks In-Reply-To: Message-ID: On Sat, 23 Sep 2000, Damien Miller wrote: : > sp_lastchg is set to 0. The above code does not catch that. So : > it seems we want something like this (untested): : > : > /* Check password expiry */ : > if (spw->sp_lstchg == 0 || (spw->sp_max > 0 && : > days > spw->sp_lstchg + spw->sp_max)) { : > debug("Password for user \"%.200s\" expired", : > pw->pw_name); : > return 0; : > } : : How about: : : if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) && : (days > (spw->sp_lstchg + spw->sp_max))) : return 0; I wrote it as an or because I thought it might be possible for sp_max to be "undefined" or -1, and I still wanted lst_chg==0 to match for password expired. The HP-UX manpage claims getspent() is conformant to SVID3 so it seems we'll have to examine that to answer some of these questions. : > I'd like to look at building a password abstraction layer where all the : > platform dependent password code resides. This includes various : > interfaces to shadow and protected password information, password aging, : > and password formats (crypt(), bigcrypt(), MD5). This will serve to : > clean up auth-passwd.c and auth.c and probably some other stuff. : > : > Is this a good direction? : : I think so, this sort of abstraction (in the form of loginrec.c) has : already made life much simpler. It may be of use for other projects : as well. I plan to work on this. From stevesk at sweden.hp.com Mon Sep 25 02:50:45 2000 
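The three expiry checks discussed in this thread side by side, as an added example that is not OpenSSH's auth.c: the account-expiry test as first posted (sp_expire > 0), Damien's revised and-chain, and Kevin's or-form. The struct is a constructed subset of struct spwd, the day numbers in main() are made up, and "days" is the current day number (days since the epoch) as in auth.c. The point of interest is the case both replies are arguing about: sp_lstchg == 0 (password force-expired) while sp_max is unset (-1).

```c
/*
 * Added example (not OpenSSH code): shadow password/account expiry checks
 * from the auth.c:allowed_user() discussion, as stand-alone functions so
 * the variants can be compared on edge cases.
 */
#include <stdio.h>
#include <time.h>

/* Constructed subset of struct spwd; every field is a day number. */
struct shadow_info {
    long sp_lstchg;   /* day of last password change; 0 = must change, -1 = unset */
    long sp_max;      /* max days a password stays valid; -1 = unset */
    long sp_expire;   /* day the account expires; -1 = unset */
};

enum login_check { ALLOW = 0, ACCOUNT_EXPIRED = 1, PASSWORD_EXPIRED = 2 };

/* Account expiry as first posted: "sp_expire > 0", so an expiry day of 0 is ignored. */
int check_original(const struct shadow_info *spw, long days)
{
    if (spw->sp_expire > 0 && days > spw->sp_expire)
        return ACCOUNT_EXPIRED;
    return ALLOW;
}

/* Damien's revised form: "sp_expire >= 0", plus an and-chain for password age,
 * which silently allows a forced-expired password when sp_max is unset. */
int check_revised(const struct shadow_info *spw, long days)
{
    if (spw->sp_expire >= 0 && days > spw->sp_expire)
        return ACCOUNT_EXPIRED;
    if (spw->sp_lstchg >= 0 && spw->sp_max >= 0 &&
        days > spw->sp_lstchg + spw->sp_max)
        return PASSWORD_EXPIRED;
    return ALLOW;
}

/* Kevin's or-form: sp_lstchg == 0 means "expired" even if sp_max is unset.
 * Note it treats an unset sp_lstchg (-1) as day -1 and can expire it too. */
int check_kevin(const struct shadow_info *spw, long days)
{
    if (spw->sp_expire >= 0 && days > spw->sp_expire)
        return ACCOUNT_EXPIRED;
    if (spw->sp_lstchg == 0 ||
        (spw->sp_max > 0 && days > spw->sp_lstchg + spw->sp_max))
        return PASSWORD_EXPIRED;
    return ALLOW;
}

/* Current day number, the value auth.c compares against. */
long today(void)
{
    return (long)(time(NULL) / 86400);
}

int main(void)
{
    /* Constructed sample: password force-expired (sp_lstchg = 0) but sp_max
     * never set, the case on which the two replies disagree. */
    struct shadow_info forced = { 0, -1, -1 };
    long days = today();

    printf("revised: %d  kevin: %d\n",
           check_revised(&forced, days), check_kevin(&forced, days));
    return 0;
}
```

The two disagreements worth noticing: the revised and-chain lets a force-expired password through whenever sp_max is -1, and the or-form denies a user whose sp_lstchg is -1 but whose sp_max is set, because -1 + sp_max is a small day number. Whichever form is adopted, the unset sentinel for each field has to be handled explicitly rather than by arithmetic.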
From: stevesk at sweden.hp.com (Kevin Steves) Date: Sun, 24 Sep 2000 17:50:45 +0200 (MEST) Subject: strtok_r() HP-UX Message-ID: Until I can determine what the issue and background is, you'll need to define _REENTRANT in the latest snapshot so the strtok_r() function prototype is pulled in from . This is for HP-UX 11.0; I'm not sure about 10.20. From markus.friedl at informatik.uni-erlangen.de Mon Sep 25 04:31:04 2000 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 24 Sep 2000 19:31:04 +0200 Subject: SSH_CLIENT _not_ set when doing a command In-Reply-To: <20000924144736.B23003@stereo.rotzorg.org>; from sgr@rotzorg.org on Sun, Sep 24, 2000 at 02:47:36PM +0200 References: <20000924144736.B23003@stereo.rotzorg.org> Message-ID: <20000924193104.A610@folly> hi, i cannot reproduce this: folly% cat bin/echoclient #!/bin/sh env|grep SSH folly% grep bin/echoclient .ssh/authorized_keys2 command="/home/markus/bin/echoclient",from="::1" ssh-dss [key data omitted] markus at folly folly% ssh ::1 SSH_CLIENT=::1 43697 22 SSH_TTY=/dev/ttyp9 Connection to ::1 closed. folly% so it works fine. On Sun, Sep 24, 2000 at 02:47:36PM +0200, Sendy wrote: > Hi, > > I'm trying to create a dynamic dns system by using the nsupdate (or Net::DNS) through a non-passphrase protected ssh session. I've keygen'ed an extra key, with no passphrase and using it, I execute a little script on the server, which updates the DNS records. (something like this: ssh pickup /usr/local/bin/updatedns 10.1.2.3) > > This all works fine and dandy. I would like to protect this scheme more by using the command="" feature, the only problem is that I can't use an ip-number in authorized_keys (because I do not know it). > > In an interactive shell, the env variable 'SSH_CLIENT' is set, and this variable can easily be parsed for the connecting ipnumber. The real problem is that this variable is _not_ set when just executing a remote command. > > Is it possible to retrieve the ipnumber of the connecting client while executing a remote command? Simply turning on the environment variables should suffice. > > I'm using OpenSSH version 2.2.0p1 on Debian GNU. > > gr, > Sendy De Graaf > sendy at dds.nl > From janfrode at parallab.uib.no Mon Sep 25 18:02:38 2000 
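What a forced command such as the updatedns script above can do with SSH_CLIENT once it is set, as an added example that is not OpenSSH code and not Sendy's script: the variable's value is "client-ip client-port server-port" (the transcript shows "::1 43697 22"), and a wrapper that is going to feed that address into a DNS update should parse and validate it rather than pass the raw string through. The struct and function names are this example's own.

```c
/*
 * Added example (not OpenSSH code): recover and validate the connecting
 * client's address from SSH_CLIENT before a forced command acts on it.
 * Accepts IPv4 and IPv6; refuses a missing, malformed or over-long value.
 */
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

#define SSH_CLIENT_MAXADDR 45   /* INET6_ADDRSTRLEN - 1; must match the %45s width below */

struct ssh_client_info {
    char addr[SSH_CLIENT_MAXADDR + 1];
    int family;                  /* AF_INET or AF_INET6 */
    int client_port;
    int server_port;
};

static int valid_port(int p)
{
    return p >= 1 && p <= 65535;
}

/* Returns 1 and fills *out on success, 0 on any problem with value. */
int parse_ssh_client(const char *value, struct ssh_client_info *out)
{
    char addr[SSH_CLIENT_MAXADDR + 1];
    unsigned char raw[16];       /* inet_pton scratch; big enough for IPv6 */
    int cport, sport;
    char trailing;

    if (value == NULL)
        return 0;
    /* Exactly three fields: a fourth token means this is not the format we expect. */
    if (sscanf(value, "%45s %d %d %c", addr, &cport, &sport, &trailing) != 3)
        return 0;
    if (!valid_port(cport) || !valid_port(sport))
        return 0;
    /* Only a textual address the kernel itself would accept gets through. */
    if (inet_pton(AF_INET, addr, raw) == 1)
        out->family = AF_INET;
    else if (inet_pton(AF_INET6, addr, raw) == 1)
        out->family = AF_INET6;
    else
        return 0;
    strcpy(out->addr, addr);
    out->client_port = cport;
    out->server_port = sport;
    return 1;
}

/* Convenience wrapper over the real environment, for use in a forced command. */
int ssh_client_from_env(struct ssh_client_info *out)
{
    return parse_ssh_client(getenv("SSH_CLIENT"), out);
}

int main(void)
{
    struct ssh_client_info ci;

    if (!ssh_client_from_env(&ci)) {
        fprintf(stderr, "SSH_CLIENT missing or malformed; refusing to update DNS\n");
        return 1;
    }
    /* A real updatedns wrapper would hand ci.addr to nsupdate here; this only shows it. */
    printf("client %s (port %d) reached server port %d\n",
           ci.addr, ci.client_port, ci.server_port);
    return 0;
}
```

Pairing this with a command="..." entry in authorized_keys means the key can only ever run the wrapper, and the wrapper only ever updates the record for the address sshd itself observed, which is the property Sendy was after without knowing the client's IP in advance.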
From: janfrode at parallab.uib.no (Jan-Frode Myklebust) Date: Mon, 25 Sep 2000 09:02:38 +0200 Subject: Snapshot In-Reply-To: ; from djm@mindrot.org on Sat, Sep 23, 2000 at 02:13:48PM +1100 References: <20000919163153.A13187@ii.uib.no> Message-ID: <20000925090238.A16551@ii.uib.no> On Sat, Sep 23, 2000 at 02:13:48PM +1100, Damien Miller wrote: > > > http://www.mindrot.org/misc/openssh/openssh-SNAP-20000916.tar.gz > > > > Failed because sftpserver.c didn't define u_int64_t. > > Strange - I have refined the tests for the 64 bit types some more, > can you try todays snapshot? (will probably be released in about 1/2 > hour) OK, this one compiles and runs fine, but the sftp-server doesn't seem to work. It dies just after I connect to it: % sftp -D full krypvier debug: hostname is 'krypvier'. debug: Unable to open /Home/eik/jfm/.ssh2/ssh2_config debug: connecting to krypvier... debug: entering event loop debug: ssh_client_wrap: creating transport protocol debug: SshAuthMethodClient/sshauthmethodc.c:105: Added "publickey" to usable methods. debug: SshAuthMethodClient/sshauthmethodc.c:105: Added "password" to usable methods. debug: Ssh2Client/sshclient.c:1104: creating userauth protocol debug: Ssh2Common/sshcommon.c:487: local ip = 129.177.20.3, local port = 41631 debug: Ssh2Common/sshcommon.c:489: remote ip = 129.177.20.36, remote port = 22 debug: SshConnection/sshconn.c:1853: Wrapping... debug: Ssh2Transport/trcommon.c:593: Remote version: SSH-1.99-OpenSSH_2.2.0p1 debug: Ssh2Transport/trcommon.c:1068: c_to_s: cipher 3des-cbc, mac hmac-sha1, compression none debug: Ssh2Transport/trcommon.c:1071: s_to_c: cipher 3des-cbc, mac hmac-sha1, compression none debug: Ssh2Client/sshclient.c:399: Host key found from database. debug: Ssh2Common/sshcommon.c:297: Received SSH_CROSS_STARTUP packet from connection protocol. debug: Ssh2Common/sshcommon.c:347: Received SSH_CROSS_ALGORITHMS packet from connection protocol. 
debug: Unable to open /Home/eik/jfm/.ssh2/identification debug: Ssh2AuthClient/sshauthc.c:309: Method 'publickey' disabled. debug: Ssh2AuthPasswdClient/authc-passwd.c:82: Starting password query... jfm at krypvier's password: debug: Ssh2Common/sshcommon.c:263: Received SSH_CROSS_AUTHENTICATED packet from connection protocol. debug: Ssh2Common/sshcommon.c:686: num_channels now 1 sftp> debug: SshTtyFlags/sshttyflags.c:294: Not a tty. (fd = 0) debug: Ssh2ChannelSession/sshchsession.c:1306: received exit status : 254 debug: Ssh2Common/sshcommon.c:660: num_channels now 0 debug: Got session close with exit_status=254 debug: destroying client struct... debug: uninitializing event loop ssh_sigchld_real_callback ssh_sigchld_process_pid: calling handler pid 10954 code 254 Warning: child process (ssh2) exited with code 254. -jf From Markus.Friedl at informatik.uni-erlangen.de Mon Sep 25 18:29:48 2000 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 25 Sep 2000 09:29:48 +0200 Subject: Snapshot In-Reply-To: <20000925090238.A16551@ii.uib.no>; from janfrode@parallab.uib.no on Mon, Sep 25, 2000 at 09:02:38AM +0200 References: <20000919163153.A13187@ii.uib.no> <20000925090238.A16551@ii.uib.no> Message-ID: <20000925092948.A11405@faui02.informatik.uni-erlangen.de> the debug output from the sftp-server (via syslog) would be more useful. On Mon, Sep 25, 2000 at 09:02:38AM +0200, Jan-Frode Myklebust wrote: > On Sat, Sep 23, 2000 at 02:13:48PM +1100, Damien Miller wrote: > > > > http://www.mindrot.org/misc/openssh/openssh-SNAP-20000916.tar.gz > > > > > > Failed because sftpserver.c didn't define u_int64_t. > > > > Strange - I have refined the tests for the 64 bit types some more, > > can you try todays snapshot? (will probably be released in about 1/2 > > hour) > > OK, this one compiles and runs fine, but the sftp-server doesn't seem to > work. It dies just after I connect to it: > > % sftp -D full krypvier > debug: hostname is 'krypvier'. > debug: Unable to open /Home/eik/jfm/.ssh2/ssh2_config > debug: connecting to krypvier... > debug: entering event loop > debug: ssh_client_wrap: creating transport protocol > debug: SshAuthMethodClient/sshauthmethodc.c:105: Added "publickey" to > usable methods. > debug: SshAuthMethodClient/sshauthmethodc.c:105: Added "password" to usable > methods. > debug: Ssh2Client/sshclient.c:1104: creating userauth protocol > debug: Ssh2Common/sshcommon.c:487: local ip = 129.177.20.3, local port = > 41631 > debug: Ssh2Common/sshcommon.c:489: remote ip = 129.177.20.36, remote port = > 22 > debug: SshConnection/sshconn.c:1853: Wrapping... 
> debug: Ssh2Transport/trcommon.c:593: Remote version: > SSH-1.99-OpenSSH_2.2.0p1 > debug: Ssh2Transport/trcommon.c:1068: c_to_s: cipher 3des-cbc, mac > hmac-sha1, compression none > debug: Ssh2Transport/trcommon.c:1071: s_to_c: cipher 3des-cbc, mac > hmac-sha1, compression none > debug: Ssh2Client/sshclient.c:399: Host key found from database. > debug: Ssh2Common/sshcommon.c:297: Received SSH_CROSS_STARTUP packet from > connection protocol. > debug: Ssh2Common/sshcommon.c:347: Received SSH_CROSS_ALGORITHMS packet > from connection protocol. > debug: Unable to open /Home/eik/jfm/.ssh2/identification > debug: Ssh2AuthClient/sshauthc.c:309: Method 'publickey' disabled. > debug: Ssh2AuthPasswdClient/authc-passwd.c:82: Starting password query... > jfm at krypvier's password: > debug: Ssh2Common/sshcommon.c:263: Received SSH_CROSS_AUTHENTICATED packet > from connection protocol. > debug: Ssh2Common/sshcommon.c:686: num_channels now 1 > sftp> debug: SshTtyFlags/sshttyflags.c:294: Not a tty. (fd = 0) > debug: Ssh2ChannelSession/sshchsession.c:1306: received exit status : 254 > debug: Ssh2Common/sshcommon.c:660: num_channels now 0 > debug: Got session close with exit_status=254 > debug: destroying client struct... > debug: uninitializing event loop > ssh_sigchld_real_callback > ssh_sigchld_process_pid: calling handler pid 10954 code 254 > Warning: child process (ssh2) exited with code 254. > > > > -jf From janfrode at parallab.uib.no Mon Sep 25 19:19:25 2000 
From: janfrode at parallab.uib.no (Jan-Frode Myklebust) Date: Mon, 25 Sep 2000 10:19:25 +0200 Subject: Snapshot In-Reply-To: <20000925092948.A11405@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Mon, Sep 25, 2000 at 09:29:48AM +0200 References: <20000919163153.A13187@ii.uib.no> <20000925090238.A16551@ii.uib.no> <20000925092948.A11405@faui02.informatik.uni-erlangen.de> Message-ID: <20000925101924.A16595@ii.uib.no> > the debug output from the sftp-server (via syslog) would be more useful. OK, I put it in loglevel VERBOSE, but all I got was: Sep 25 10:13:03 6E:krypvier sshd[70226]: Server listening on 0.0.0.0 port 22. Sep 25 10:13:03 6E:krypvier sshd[70226]: Generating 768 bit RSA key. Sep 25 10:13:06 6E:krypvier sshd[70226]: RSA key generation complete. Sep 25 10:13:12 6E:krypvier sshd[72487]: Connection from 129.177.20.3 port 45149 Sep 25 10:13:12 6E:krypvier sshd[72487]: datafellows: 2.3.0 SSH Secure Shell (non-commercial) Sep 25 10:13:12 6E:krypvier sshd[72487]: Enabling compatibility mode for protocol 2.0 Sep 25 10:13:13 6E:krypvier sshd[72487]: Failed none for jfm from 129.177.20.3 port 45149 ssh2 Sep 25 10:13:13 6E:krypvier sshd[72487]: Failed none for jfm from 129.177.20.3 port 45149 ssh2 Sep 25 10:13:17 6E:krypvier sshd[72487]: Accepted password for jfm from 129.177.20.3 port 45149 ssh2 Sep 25 10:13:17 6E:krypvier sshd[72487]: subsystem request for sftp Sep 25 10:13:18 6E:krypvier sshd[72487]: Connection closed by remote host. Sep 25 10:13:29 6E:krypvier sshd[70226]: Received signal 15; terminating. And just to convince you that the binary is in place, and the config file points to it :) krypvier 58# grep sftp-server sshd_config Subsystem sftp /usr/openssh/libexec/sftp-server krypvier 59# ls -l /usr/openssh/libexec/sftp-server -rwxr-xr-x 1 root sys 106720 Sep 25 08:45 /usr/openssh/libexec/sftp-server -jf From Markus.Friedl at informatik.uni-erlangen.de Mon Sep 25 19:24:47 2000 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 25 Sep 2000 10:24:47 +0200 Subject: Snapshot In-Reply-To: <20000925101924.A16595@ii.uib.no>; from janfrode@parallab.uib.no on Mon, Sep 25, 2000 at 10:19:25AM +0200 References: <20000919163153.A13187@ii.uib.no> <20000925090238.A16551@ii.uib.no> <20000925092948.A11405@faui02.informatik.uni-erlangen.de> <20000925101924.A16595@ii.uib.no> Message-ID: <20000925102447.A13945@faui02.informatik.uni-erlangen.de> there should be messages from sftp-server. if not you have to edit sftp-server.c On Mon, Sep 25, 2000 at 10:19:25AM +0200, Jan-Frode Myklebust wrote: > > the debug output from the sftp-server (via syslog) would be more useful. > > OK, I put it in loglevel VERBOSE, but all I got was: > > Sep 25 10:13:03 6E:krypvier sshd[70226]: Server listening on 0.0.0.0 port 22. > Sep 25 10:13:03 6E:krypvier sshd[70226]: Generating 768 bit RSA key. > Sep 25 10:13:06 6E:krypvier sshd[70226]: RSA key generation complete. > Sep 25 10:13:12 6E:krypvier sshd[72487]: Connection from 129.177.20.3 port 45149 > Sep 25 10:13:12 6E:krypvier sshd[72487]: datafellows: 2.3.0 SSH Secure Shell (non-commercial) > Sep 25 10:13:12 6E:krypvier sshd[72487]: Enabling compatibility mode for protocol 2.0 > Sep 25 10:13:13 6E:krypvier sshd[72487]: Failed none for jfm from 129.177.20.3 port 45149 ssh2 > Sep 25 10:13:13 6E:krypvier sshd[72487]: Failed none for jfm from 129.177.20.3 port 45149 ssh2 > Sep 25 10:13:17 6E:krypvier sshd[72487]: Accepted password for jfm from 129.177.20.3 port 45149 ssh2 > Sep 25 10:13:17 6E:krypvier sshd[72487]: subsystem request for sftp > Sep 25 10:13:18 6E:krypvier sshd[72487]: Connection closed by remote host. > Sep 25 10:13:29 6E:krypvier sshd[70226]: Received signal 15; terminating. 
> > > And just to convince you that the binary is in place, and the config file > points to it :) > > krypvier 58# grep sftp-server sshd_config > Subsystem sftp /usr/openssh/libexec/sftp-server > krypvier 59# ls -l /usr/openssh/libexec/sftp-server > -rwxr-xr-x 1 root sys 106720 Sep 25 08:45 /usr/openssh/libexec/sftp-server > > > -jf From janfrode at parallab.uib.no Mon Sep 25 19:31:56 2000 From: janfrode at parallab.uib.no (Jan-Frode Myklebust) Date: Mon, 25 Sep 2000 10:31:56 +0200 Subject: Snapshot In-Reply-To: <20000925102447.A13945@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Mon, Sep 25, 2000 at 10:24:47AM +0200 References: <20000919163153.A13187@ii.uib.no> <20000925090238.A16551@ii.uib.no> <20000925092948.A11405@faui02.informatik.uni-erlangen.de> <20000925101924.A16595@ii.uib.no> <20000925102447.A13945@faui02.informatik.uni-erlangen.de> Message-ID: <20000925103155.A16618@ii.uib.no> On Mon, Sep 25, 2000 at 10:24:47AM +0200, Markus Friedl wrote: > there should be messages from sftp-server. if not you have to edit > sftp-server.c > Ohh.., my mistake.. (but sftpserver probably should have pointed it out to me). I had a /etc/nologin in place, and openssh doesn't understand /etc/nologin.allow yet. Guess I'll have to recreate a patch for it. Anyway, sftp-server works! -jf From janfrode at parallab.uib.no Mon Sep 25 19:59:09 2000 
From: janfrode at parallab.uib.no (Jan-Frode Myklebust) Date: Mon, 25 Sep 2000 10:59:09 +0200 Subject: Snapshot In-Reply-To: <20000925103155.A16618@ii.uib.no>; from janfrode@parallab.uib.no on Mon, Sep 25, 2000 at 10:31:56AM +0200 References: <20000919163153.A13187@ii.uib.no> <20000925090238.A16551@ii.uib.no> <20000925092948.A11405@faui02.informatik.uni-erlangen.de> <20000925101924.A16595@ii.uib.no> <20000925102447.A13945@faui02.informatik.uni-erlangen.de> <20000925103155.A16618@ii.uib.no> Message-ID: <20000925105909.A16632@ii.uib.no> On Mon, Sep 25, 2000 at 10:31:56AM +0200, Jan-Frode Myklebust wrote: > On Mon, Sep 25, 2000 at 10:24:47AM +0200, Markus Friedl wrote: > > there should be messages from sftp-server. if not you have to edit > > sftp-server.c > > Ohh.., my mistake.. (but sftpserver probably should have pointed it out to > me). I had a /etc/nologin in place, and openssh doesn't understand > /etc/nologin.allow yet. Guess I'll have to recreate a patch for it. > Any chance of getting this patch into openssh? It implements a function for letting users listed in /etc/nologin.allow in when /etc/nologin is in place. -jf -------------- next part -------------- --- openssh-SNAP-2000092401/session.c Sat Sep 16 07:09:28 2000 +++ openssh/session.c Mon Sep 25 10:42:28 2000 @@ -953,6 +953,29 @@ #endif /* defined(HAVE_GETUSERATTR) */ /* + * Let users in if they're listed in /etc/nologin.allow + */ +int +nologin_allow(char *username) +{ + char buf[256]; + FILE *f = NULL; + + f = fopen("/etc/nologin.allow", "r"); + if (f) { + while (fgets(buf, sizeof(buf), f)) + buf[strlen(buf) -1] = '\0'; /* remove trailing \n */ + if (strcmp(buf, username) == 0) { + fputs("WARNING: Let in by /etc/nologin.allow\n", stderr); + fclose(f); + return(1); + } + fclose(f); + } + return(0); +} + +/* * Performs common processing for the child, such as setting up the * environment, closing extra file descriptors, setting the user and group * ids, and executing the command or shell. 
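Review bot: the `while (fgets(buf, sizeof(buf), f))` loop in `nologin_allow()` has no braces, so its body is only `buf[strlen(buf) -1] = '\0';` and the `strcmp(buf, username)` that follows runs once, after the loop, against whatever the last line of /etc/nologin.allow was; every user listed before the final line is never matched. Wrap the newline strip and the compare in one braced block inside the loop. Separately, `buf[strlen(buf) -1] = '\0'` drops the last character unconditionally, so a final line without a trailing newline loses its last letter and never matches, and a line longer than the 256-byte buffer is split across two fgets() calls and compared in pieces; `buf[strcspn(buf, "\n")] = '\0'` strips only a newline that is actually there, and lines that did not end in a newline should be skipped rather than matched.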
@@ -994,6 +1017,9 @@ while (fgets(buf, sizeof(buf), f)) fputs(buf, stderr); fclose(f); +#ifdef NOLOGINALLOW + if (nologin_allow(pw->pw_name) != 1) +#endif /* NOLOGINALLOW */ exit(254); } } From hjames at stevens-tech.edu Mon Sep 25 22:46:21 2000 From: hjames at stevens-tech.edu (Hayden James) Date: Mon, 25 Sep 2000 07:46:21 -0400 Subject: socks proxy support Message-ID: is openssh going to ever contain socks4/5 proxy support (http://www.socks.nec.com/) the same way ssh (nonfree version) does? Without this support, openssh is completely unusable behind a firewall. Hayden A. James From Markus.Friedl at informatik.uni-erlangen.de Mon Sep 25 23:17:12 2000 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 25 Sep 2000 14:17:12 +0200 Subject: socks proxy support In-Reply-To: ; from hjames@stevens-tech.edu on Mon, Sep 25, 2000 at 07:46:21AM -0400 References: Message-ID: <20000925141712.A26181@faui02.informatik.uni-erlangen.de> On Mon, Sep 25, 2000 at 07:46:21AM -0400, Hayden James wrote: > is openssh going to ever contain socks4/5 proxy support > (http://www.socks.nec.com/) the same way ssh (nonfree version) does? > Without this support, openssh is completely unusable behind a firewall. you can always write a proxy for 'ProxyCommand' or use runsocks. From douglas.manton at uk.ibm.com Mon Sep 25 23:26:54 2000 
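Review bot: in the second session.c hunk, `if (nologin_allow(pw->pw_name) != 1)` guards only the `exit(254)`, after the preceding `while (fgets(buf, sizeof(buf), f)) fputs(buf, stderr);` loop has already echoed the /etc/nologin text to the user, so an allowed user's session opens with the "logins disabled" message followed by the "WARNING: Let in by /etc/nologin.allow" line; check nologin_allow() before the file is printed so the allowed user sees only the warning. Also, NOLOGINALLOW is a compile-time symbol that nothing in this patch defines, so the feature is dead code unless the builder passes -DNOLOGINALLOW by hand; either add it to configure or make it an sshd_config option so that which accounts bypass /etc/nologin is visible at runtime rather than baked into the binary. Finally, an `#ifdef`-wrapped `if` with no braces whose body is the unwrapped `exit(254)` reads poorly; put braces around the exit so the two builds are obviously equivalent.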
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com) Date: Mon, 25 Sep 2000 13:26:54 +0100 Subject: socks proxy support Message-ID: <80256965.004464E7.00@d06mta05.portsmouth.uk.ibm.com> I have successfully followed the instructions at the NEC socks site to socksify openssh. I did it as follows: - Compile and install libsocks - Configure openssh as normal - Edit Makefile and change CFLAGS to include -DSOCKS, change LIBS to include -lsocks5 - Edit config.h and add #include Each compilation unit will complain that certain functions are being redefined, but the end result will work through socks using the file /etc/libsocks5.conf as reference. Since runsocks does not exist for AIX I have found this the easiest and quickest way to get socks support. Best wishes, -------------------------------------------------------- Doug Manton, AT&T EMEA Firewall and Security Solutions demanton at att.com -------------------------------------------------------- "If privacy is outlawed, only outlaws will have privacy" From gotoh at taiyo.co.jp Mon Sep 25 23:35:55 2000 
From: gotoh at taiyo.co.jp (Shun-ichi GOTO) Date: Mon, 25 Sep 2000 21:35:55 +0900 (JST) Subject: socks proxy support In-Reply-To: References: Message-ID: <20000925.213555.42939054.gotoh@taiyo.co.jp> >>>>> at Mon, 25 Sep 2000 07:46:21 -0400 >>>>> Hayden James said,> > is openssh going to ever contain socks4/5 proxy support > (http://www.socks.nec.com/) the same way ssh (nonfree version) does? > Without this support, openssh is completely unusable behind a firewall. I have one proxy command which uses SOCKS5 or HTTP-proxy (CONNECT). I'm using it every day via SOCKS to login to outside hosts from UNIX (BSD/OS) and Windows (CygWin) environments. If you wanna try, get source "connect.c" from http://www.imasy.or.jp/~gotoh/connect.c and compile it. [for UNIX] gcc -o connect connect.c [for Win32 (Visual C)] cl connect.c wsock32.lib You should add an entry to use it in ~/.ssh/config, like: [for SOCKS5] Host xxxx ProxyCommand connect -S socks-server %h %p [for HTTP proxy] Host xxxx ProxyCommand connect -H http-server %h %p NOTE: "socks-server" and "http-server" are the proxy hostnames on your site. It's very simple. First it makes a connection via SOCKS5 or HTTP-proxy, then relays socket I/O in each direction. But it is written only for my use. So some functions are lacking. For example SOCKS4 support and USER/PASS authentication support. These are easy to implement, but not yet... I welcome your suggestions. --- Regards, Shun-ichi Goto R&D Group, TAIYO Corp., Tokyo, JAPAN From mkurtz at dsdlabs.com Tue Sep 26 00:39:35 2000 
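What a ProxyCommand helper like connect.c has to say to a SOCKS5 proxy before the "relay socket I/O in each direction" step can begin, as an added example that is not connect.c, not OpenSSH code and not the NEC library Doug used: the message encoders and decoders for the unauthenticated handshake from RFC 1928 (greeting, method selection, CONNECT request, reply). Socket I/O is left to the caller so the functions can be exercised on constructed buffers; the function and constant names are this example's own.

```c
/*
 * Added example (not connect.c, not OpenSSH code): SOCKS5 handshake messages
 * per RFC 1928, "no authentication" method only, which is the subset a
 * ProxyCommand relay needs before it starts copying bytes both ways.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum {
    SOCKS5_VER = 0x05, SOCKS5_CMD_CONNECT = 0x01,
    SOCKS5_ATYP_IPV4 = 0x01, SOCKS5_ATYP_DOMAIN = 0x03, SOCKS5_ATYP_IPV6 = 0x04,
    SOCKS5_NOAUTH = 0x00, SOCKS5_NO_ACCEPTABLE = 0xFF
};

/* Step 1: client greeting offering only "no authentication". Returns bytes written. */
size_t socks5_greeting(uint8_t *buf, size_t len)
{
    if (len < 3)
        return 0;
    buf[0] = SOCKS5_VER;
    buf[1] = 1;                  /* NMETHODS */
    buf[2] = SOCKS5_NOAUTH;
    return 3;
}

/* Step 2: proxy's method selection. 1 = proceed unauthenticated,
 * 0 = proxy rejected every offered method, -1 = malformed or unexpected. */
int socks5_check_method(const uint8_t *buf, size_t len)
{
    if (len < 2 || buf[0] != SOCKS5_VER)
        return -1;
    if (buf[1] == SOCKS5_NOAUTH)
        return 1;
    if (buf[1] == SOCKS5_NO_ACCEPTABLE)
        return 0;
    return -1;                   /* a method we never offered */
}

/* Step 3: CONNECT to host:port, sending the hostname (ATYP=3) so the proxy
 * resolves it; the client behind the firewall never needs external DNS. */
size_t socks5_connect_request(uint8_t *buf, size_t len, const char *host, uint16_t port)
{
    size_t hl = strlen(host);

    if (hl == 0 || hl > 255 || len < 7 + hl)
        return 0;
    buf[0] = SOCKS5_VER;
    buf[1] = SOCKS5_CMD_CONNECT;
    buf[2] = 0;                  /* RSV */
    buf[3] = SOCKS5_ATYP_DOMAIN;
    buf[4] = (uint8_t)hl;
    memcpy(buf + 5, host, hl);
    buf[5 + hl] = (uint8_t)(port >> 8);     /* DST.PORT, network byte order */
    buf[6 + hl] = (uint8_t)(port & 0xff);
    return 7 + hl;
}

/* Step 4: parse the CONNECT reply. Returns the REP field (0 = succeeded,
 * 1..8 = RFC 1928 error codes) or -1 if the buffer is malformed or short.
 * *consumed receives the reply length, so the relay loop knows where any
 * application bytes that arrived in the same read begin. */
int socks5_parse_reply(const uint8_t *buf, size_t len, size_t *consumed)
{
    size_t addrlen;

    if (len < 4 || buf[0] != SOCKS5_VER || buf[2] != 0)
        return -1;
    switch (buf[3]) {
    case SOCKS5_ATYP_IPV4:   addrlen = 4;  break;
    case SOCKS5_ATYP_IPV6:   addrlen = 16; break;
    case SOCKS5_ATYP_DOMAIN:
        if (len < 5)
            return -1;
        addrlen = 1 + buf[4];    /* length octet plus the name */
        break;
    default:
        return -1;
    }
    if (len < 4 + addrlen + 2)
        return -1;
    if (consumed != NULL)
        *consumed = 4 + addrlen + 2;
    return buf[1];
}

/* Human-readable REP values, for the error a helper prints when the relay never starts. */
const char *socks5_rep_string(int rep)
{
    static const char *names[] = {
        "succeeded", "general SOCKS server failure", "connection not allowed by ruleset",
        "network unreachable", "host unreachable", "connection refused",
        "TTL expired", "command not supported", "address type not supported"
    };
    return (rep >= 0 && rep <= 8) ? names[rep] : "unknown";
}
```

The order of operations is the whole protocol: write the greeting, read two bytes and check the method, write the CONNECT request, read and parse the reply, and only on REP 0 start copying stdin to the socket and the socket to stdout, which is what ssh expects from anything named in ProxyCommand.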
From: mkurtz at dsdlabs.com (MARC KURTZ) Date: Mon, 25 Sep 2000 09:39:35 -0400 Subject: How do I get the username in channel_input_port_open Message-ID: <003f01c026f6$0de9f2a0$4a35e518@s30603> Hello, Does anyone know how to get the username of the user (already authenticated and logged in) who is sending data to a forwarded tunnel from the channel_input_port_open function in channels.c?? I've tried numerous things, and all I can get is the IP address that is sending the data and where it is going to be sent to. All I want is the username or the UID Here is the chain of events that are happening: User logs on to SSHServer and authenticates Sets up local listening port on 2323 to forward to RemoteClient:23 User telnets to localhost:2323 and the ssh client forwards this data to SSHServer At this point the channel_input_port_open function gets called in the ssh server loop. In this procedure it knows that data is coming from the client's IP and is getting forwarded to RemoteClient to Port 23... Is there a way to determine the connection's user name? I'm trying to write a solution to the old "how do I limit user's forwarded connections" problem, so if one already exists then let me know. Please e-mail mkurtz at backbonesecurity.com because I am not subscribed to this list... Thank you, Marc Kurtz Security Engineer Backbone Security 570-422-3493 From Markus.Friedl at informatik.uni-erlangen.de Tue Sep 26 01:31:28 2000 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 25 Sep 2000 16:31:28 +0200 Subject: How do I get the username in channel_input_port_open In-Reply-To: <003f01c026f6$0de9f2a0$4a35e518@s30603>; from mkurtz@dsdlabs.com on Mon, Sep 25, 2000 at 09:39:35AM -0400 References: <003f01c026f6$0de9f2a0$4a35e518@s30603> Message-ID: <20000925163128.A3896@faui02.informatik.uni-erlangen.de> no, there is no way for the client to tell the server about the username in protocol 1. protocol 2 could be abused to include the username in request message, but this would violate the protocol spec. On Mon, Sep 25, 2000 at 09:39:35AM -0400, MARC KURTZ wrote: > Hello, > Does anyone know how to get the username of the user (already authenticated > and logged in) who is sending data to a forwarded tunnel from the > channel_input_port_open function in channels.c?? > > I've tried numerous things, and all I can get is the IP address that is > sending the data and where it is going to be sent to. All I want is the > username or the UID > > Here is the chain of events that are happening: > User logs on to SSHServer and authenticates > Sets up local listening port on 2323 to forward to RemoteClient:23 > User telnets to localhost:2323 and the ssh client forwards this data to > SSHServer > > At this point the channel_input_port_open function gets called in the ssh > server loop. In this procedure it knows that data is coming from the > client's IP and is getting forwarded to RemoteClient to Port 23... Is there > a way to determine the connection's user name? > > I'm trying to write a solution to the old "how do I limit user's forwarded > connections" problem, so if one already exists then let me know. > > Please e-mail mkurtz at backbonesecurity.com because I am not subscribed to > this list... > > Thank you, > Marc Kurtz > Security Engineer > Backbone Security > 570-422-3493 > > > > From mkurtz at dsdlabs.com Tue Sep 26 01:37:31 2000 
From: mkurtz at dsdlabs.com (MARC KURTZ) Date: Mon, 25 Sep 2000 10:37:31 -0400 Subject: How do I get the username in channel_input_port_open References: <003f01c026f6$0de9f2a0$4a35e518@s30603> <20000925163128.A3896@faui02.informatik.uni-erlangen.de> Message-ID: <006401c026fe$23156fd0$4a35e518@s30603> Doesn't SSHD keep track of this sort of thing? Isn't there a data structure somewhere that stores the user name of that instance of sshd? -M. Kurtz ----- Original Message ----- 
From: "Markus Friedl" To: "MARC KURTZ" Cc: Sent: Monday, September 25, 2000 10:31 AM Subject: Re: How do I get the username in channel_input_port_open > no, there is no way for the client to tell the server about > the username in protocol 1. protocol 2 could be abused to > include the username in request message, but this would > violate the protocol spec. > > On Mon, Sep 25, 2000 at 09:39:35AM -0400, MARC KURTZ wrote: > > Hello, > > Does anyone know how to get the username of the user (already authenticated > > and logged in) who is sending data to a forwarded tunnel from the > > channel_input_port_open function in channels.c?? > > > > I've tried numerous things, and all I can get is the IP address that is > > sending the data and where it is going to be sent to. All I want is the > > username or the UID > > > > Here is the chain of events that are happening: > > User logs on to SSHServer and authenticates > > Sets up local listening port on 2323 to forward to RemoteClient:23 > > User telnets to localhost:2323 and the ssh client forwards this data to > > SSHServer > > > > At this point the channel_input_port_open function gets called in the ssh > > server loop. In this procedure it knows that data is coming from the > > client's IP and is getting forwarded to RemoteClient to Port 23... Is there > > a way to determine the connection's user name? > > > > I'm trying to write a solution to the old "how do I limit user's forwarded > > connections" problem, so if one already exists then let me know. > > > > Please e-mail mkurtz at backbonesecurity.com because I am not subscribed to > > this list... > > > > Thank you, > > Marc Kurtz > > Security Engineer > > Backbone Security > > 570-422-3493 > > > > > > > > > From paul.l.allen at boeing.com Tue Sep 26 05:07:09 2000 
From: paul.l.allen at boeing.com (Paul Allen) Date: Mon, 25 Sep 2000 11:07:09 -0700 Subject: Agent forwarding with DSA keys? References: <378C49974B36D411A585009027E59E6F09C6E6@osdn1.osd.mil> Message-ID: <39CF944D.60D6D1EB@boeing.com> "Wallace, Mark, CTR, OSD/ATL" wrote: > > How do you manage to ssh-add your dsa key? > When I try that, I'm informed that it is a bad key file... Well, per the man page, I give ssh-add the name of the key file. Ssh-add likes it fine. This is openssh 2.2.0p1 with openssl 0.9.5a. Note that my problem is not with ssh-add. The agent knows about my DSA key and ssh uses the stashed key to log me in on another machine without asking for my pass-phrase. The problem is that the connection to the agent is not forwarded if I use my DSA key, while it is forwarded if I use my RSA key. So, I come back to the question, "Does agent forwarding work with DSA keys?" If it doesn't work yet, that's fine. But if someone has it working, I'd sure like to hear about it. Thanks! Paul Allen > -----Original Message----- 
> From: Paul Allen [mailto:paul.l.allen at boeing.com] > Sent: Friday, September 22, 2000 1:20 AM > To: openssh-unix-dev at mindrot.org > Subject: Agent forwarding with DSA keys? > > Does agent forwarding work with DSA keys? > > I'm using 2.2.0p1 on RedHat Linux 6.2 (Alpha) and Solaris 2.6 (SPARC). > If I ssh-add my RSA key into the local agent and ssh to another > machine, the agent connection is forwarded properly. (I can say > "ssh-add -l" and see my keys.) If I ssh-add my DSA key into the > local agent and "ssh -2" to another machine, the agent connection > does not forward. (Ssh-add -l can't find the agent, there is no > SSH_AUTH_SOCK environment variable.) > > I've been rummaging in the code, and I see two sections in ssh.c > where X forwarding is handled. One of the sections also handles > agent forwarding. I tagged one of the debug() calls about > "Requesting X11 forwarding" in order to distinguish between them > at runtime. The section that does not appear to do agent > forwarding is the one that gets executed when a DSA key is being > used. Hmmm... > > I don't see other complaints like this on the list, so probably I'm > doing something wrong. On the other hand, perhaps everybody but me > already knows that agent forwarding doesn't quite work yet in > protocol 2. :-) > > Can anybody point me to the path of sanity here? > > Thanks! > > Paul Allen > -- > Paul L. Allen | voice: (425) 865-3297 fax: (425) 865-2964 > Unix Technical Support | paul.l.allen at boeing.com > Boeing Phantom Works Math & Computing Technology Site Operations, > POB 3707 M/S 7L-68, Seattle, WA 98124-2207 -- Paul L. Allen | voice: (425) 865-3297 fax: (425) 865-2964 Unix Technical Support | paul.l.allen at boeing.com Boeing Phantom Works Math & Computing Technology Site Operations, POB 3707 M/S 7L-68, Seattle, WA 98124-2207 From markus.friedl at informatik.uni-erlangen.de Tue Sep 26 06:43:39 2000 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 25 Sep 2000 21:43:39 +0200 Subject: How do I get the username in channel_input_port_open In-Reply-To: <006401c026fe$23156fd0$4a35e518@s30603>; from mkurtz@dsdlabs.com on Mon, Sep 25, 2000 at 10:37:31AM -0400 References: <003f01c026f6$0de9f2a0$4a35e518@s30603> <20000925163128.A3896@faui02.informatik.uni-erlangen.de> <006401c026fe$23156fd0$4a35e518@s30603> Message-ID: <20000925214338.C27294@folly> On Mon, Sep 25, 2000 at 10:37:31AM -0400, MARC KURTZ wrote: > Doesn't SSHD keep track of this sort of thing? Isn't there a data structure > somewhere that stores the user name of that instance of sshd? of course, sshd knows the uid of the authenticated user, but not the uid of the process connecting to a forwarded socket. From markus.friedl at informatik.uni-erlangen.de Tue Sep 26 06:45:36 2000 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 25 Sep 2000 21:45:36 +0200
Subject: Agent forwarding with DSA keys?
In-Reply-To: <39CF944D.60D6D1EB@boeing.com>; from paul.l.allen@boeing.com on Mon, Sep 25, 2000 at 11:07:09AM -0700
References: <378C49974B36D411A585009027E59E6F09C6E6@osdn1.osd.mil> <39CF944D.60D6D1EB@boeing.com>
Message-ID: <20000925214536.D27294@folly>

On Mon, Sep 25, 2000 at 11:07:09AM -0700, Paul Allen wrote:
> Note that my problem is not with ssh-add. The agent knows about
> my DSA key and ssh uses the stashed key to log me in on another
> machine without asking for my pass-phrase. The problem is that
> the connection to the agent is not forwarded if I use my DSA key,
> while it is forwarded if I use my RSA key.
>
> So, I come back to the question, "Does agent forwarding work
> with DSA keys?" If it doesn't work yet, that's fine. But if
> someone has it working, I'd sure like to hear about it.

agent forwarding does work with DSA and RSA,
but it does not work if you use protocol version 2,
since it's not implemented.

just ssh to localhost with protocol 1 and execute 'ssh-add -l'

From stevev at darkwing.uoregon.edu Tue Sep 26 07:06:18 2000
From: stevev at darkwing.uoregon.edu (Steve VanDevender) Date: Mon, 25 Sep 2000 13:06:18 -0700 Subject: i think this is great In-Reply-To: References: <000501c024a4$b9ae0580$293814aa@cbs.com> Message-ID: <14799.45114.208361.681155@darkwing.uoregon.edu> Damien Miller writes: > On Fri, 22 Sep 2000, David Berk wrote: > > > I have tried ( to no avail ) to get SecurID and ssh work tegether. > > The biggest sticking points have been either new pin / next token > > mode OR scp. I would be interested in looking at your patch. I > > have been banging on auth-pam.c to work in the pam stuff for > > the last couple days, but it seems auth-pam is an incomplete > > implementation of pam. The patch from Steve VanDevender looked > > promising. > > Have you tried the snapshot? Steve's patch is integrated. I know that my patch was intended to address only the situation where pam_acct_mgmt() returns PAM_NEW_AUTHTOK_REQD, indicating that pam_chauthtok() should be called to change an expired password. I don't know for sure how that would address SecurID or other one-time password systems handled in PAM. I don't think it will actually help one-time password challenge-response authentication. The situation I encountered in trying to get pam_chauthtok() to work is that much of the PAM authentication is done before the user's pty is set up, and therefore the usual approach of calling pam_chauthtok() immediately after pam_acct_mgmt() didn't work; PAM is assuming it can conduct a conversation on the user's terminal at that point. The original PAM conversation function just stuffed the user's password into PAM when pam_authenticate() was called, and failed for other PAM functions that wanted to converse with the user. I simply deferred calling pam_chauthtok() until the user's pty is set up for an interactive session, and extended the conversation function to support user interaction on a pty. 
Unfortunately this means that a noninteractive session still doesn't result in a required password change. It also means that any authentication method that requires displaying a challenge to a user and obtaining an interactive response during pam_authenticate() is still likely to be broken. While looking for information on PAM problems or patches relating to Portable OpenSSH, I came across this previous posting to openssh-unix-dev: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=96831742624299&w=2 The patch is against OpenSSH 1.2.3, but looks like a much more thorough implementation of PAM support. I haven't tried integrating this into OpenSSH 2.2.0, however. The interesting thing about this patch is that it appears to try to support user dialogue by exchanging messages between the server and client via the SSH protocol, so it could work for noninteractive sessions and engage in user interaction before a session pty has been set up. From mkurtz at dsdlabs.com Tue Sep 26 07:18:49 2000 From: mkurtz at dsdlabs.com (MARC KURTZ) Date: Mon, 25 Sep 2000 16:18:49 -0400 Subject: How do I get the username in channel_input_port_open References: <003f01c026f6$0de9f2a0$4a35e518@s30603> <20000925163128.A3896@faui02.informatik.uni-erlangen.de> <006401c026fe$23156fd0$4a35e518@s30603> <20000925214338.C27294@folly> Message-ID: <005f01c0272d$d1f415e0$4a35e518@s30603> hmm... I think that is what I need. Is there a universal get_username() type of function to get that user's authenticated login name? ----- Original Message ----- 
From: "Markus Friedl"
To: "MARC KURTZ"
Cc:
Sent: Monday, September 25, 2000 3:43 PM
Subject: Re: How do I get the username in channel_input_port_open

> On Mon, Sep 25, 2000 at 10:37:31AM -0400, MARC KURTZ wrote:
> > Doesn't SSHD keep track of this sort of thing? Isn't there a data structure
> > somewhere that stores the user name of that instance of sshd?
>
> of course, sshd knows the uid of the authenticated user, but not
> the uid of the process connecting to a forwarded socket.
>

From peak at argo.troja.mff.cuni.cz Tue Sep 26 09:27:27 2000
From: peak at argo.troja.mff.cuni.cz (Pavel Kankovsky)
Date: Tue, 26 Sep 2000 00:27:27 +0200 (MET DST)
Subject: off-by-one errors in getnameinfo()
Message-ID: <20000926001326.6B4.0@argo.troja.mff.cuni.cz>

Description:

getnameinfo() (confirmed for CVS version 1.14.2.1) does this sort of
buffer size checks (these are just two of many cases):

	if (strlen(sp->s_name) > servlen)
		return ENI_MEMORY;
	strcpy(serv, sp->s_name);
	...
	if (strlen(hp->h_name) > hostlen) {
		return ENI_MEMORY;
	}
	strcpy(host, hp->h_name);

i.e. it can write up to servlen / hostlen bytes PLUS a terminating zero.
This contradicts the manpage (and RFC 2533) as well as the way your own
programs appear to use it (at least OpenSSH and in.ftpd use sizeof() of a
buffer as servlen / hostlen).

Proposed fix:

Replace >'s with >='s.

Related problems:

The simpleminded implementation of getnameinfo() included in "portable
OpenSSH" is affected too.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

From itojun at iijlab.net Tue Sep 26 09:53:37 2000
From: itojun at iijlab.net (itojun at iijlab.net) Date: Tue, 26 Sep 2000 07:53:37 +0900 Subject: off-by-one errors in getnameinfo() In-Reply-To: peak's message of Tue, 26 Sep 2000 00:27:27 +0200. <20000926001326.6B4.0@argo.troja.mff.cuni.cz> Message-ID: <3364.969922417@coconut.itojun.org> >getnameinfo() (confirmed for CVS version 1.14.2.1) does this sort of >buffer size checks (these is just two of many cases): thanks, openbsd-current is corrected. will ask for update to 2.7-STABLE. itojun From paul.l.allen at boeing.com Tue Sep 26 09:57:26 2000 
From: paul.l.allen at boeing.com (Paul Allen) Date: Mon, 25 Sep 2000 15:57:26 -0700 Subject: Agent forwarding with DSA keys? References: <378C49974B36D411A585009027E59E6F09C6E6@osdn1.osd.mil> <39CF944D.60D6D1EB@boeing.com> <20000925214536.D27294@folly> Message-ID: <39CFD856.86C32332@boeing.com> Markus Friedl wrote: > > On Mon, Sep 25, 2000 at 11:07:09AM -0700, Paul Allen wrote: > > Note that my problem is not with ssh-add. The agent knows about > > my DSA key and ssh uses the stashed key to log me in on another > > machine without asking for my pass-phrase. The problem is that > > the connection to the agent is not forwarded if I use my DSA key, > > while it is forwarded if I use my RSA key. > > > > So, I come back to the question, "Does agent forwarding work > > with DSA keys?" If it doesn't work yet, that's fine. But if > > someone has it working, I'd sure like to hear about it. > > agent forwaring does work with DSA and RSA, > but it does not work if you use protocol version 2, > since it's not implemented. > > just ssh to localhost with protocol 1 and execute 'ssh-add -l' That's the way it looked to me. I can ssh-add my DSA key, use protocol 1 (RSA) to ssh somewhere, and the agent connection is forwarded. I just can't use my DSA key without losing the agent connection. I'll just set my users up to use protocol 1 by default and be happy. They can use "ssh -2" if some site requires it. Thanks! OpenSSH rocks, by the way! Paul Allen -- Paul L. Allen | voice: (425) 865-3297 fax: (425) 865-2964 Unix Technical Support | paul.l.allen at boeing.com Boeing Phantom Works Math & Computing Technology Site Operations, POB 3707 M/S 7L-68, Seattle, WA 98124-2207 From stuge at cdy.org Tue Sep 26 10:26:57 2000 
From: stuge at cdy.org (Peter Stuge) Date: Tue, 26 Sep 2000 01:26:57 +0200 Subject: Agent forwarding with DSA keys? In-Reply-To: <39CFD856.86C32332@boeing.com>; from paul.l.allen@boeing.com on Mon, Sep 25, 2000 at 03:57:26PM -0700 References: <378C49974B36D411A585009027E59E6F09C6E6@osdn1.osd.mil> <39CF944D.60D6D1EB@boeing.com> <20000925214536.D27294@folly> <39CFD856.86C32332@boeing.com> Message-ID: <20000926012657.H9187@foo.birdnet.se> On Mon, Sep 25, 2000 at 03:57:26PM -0700, Paul Allen wrote: > Markus Friedl wrote: > > > > On Mon, Sep 25, 2000 at 11:07:09AM -0700, Paul Allen wrote: > > > Note that my problem is not with ssh-add. The agent knows about > > > my DSA key and ssh uses the stashed key to log me in on another > > > machine without asking for my pass-phrase. The problem is that > > > the connection to the agent is not forwarded if I use my DSA key, > > > while it is forwarded if I use my RSA key. > > > > > > So, I come back to the question, "Does agent forwarding work > > > with DSA keys?" If it doesn't work yet, that's fine. But if > > > someone has it working, I'd sure like to hear about it. > > > > agent forwaring does work with DSA and RSA, > > but it does not work if you use protocol version 2, > > since it's not implemented. > > > > just ssh to localhost with protocol 1 and execute 'ssh-add -l' > > That's the way it looked to me. I can ssh-add my DSA key, use > protocol 1 (RSA) to ssh somewhere, and the agent connection is > forwarded. I just can't use my DSA key without losing the agent > connection. I'll just set my users up to use protocol 1 by default > and be happy. They can use "ssh -2" if some site requires it. Ehm, exactly how do I use my DSA key with version 1 of the protocol? > Thanks! OpenSSH rocks, by the way! What rocks most, IMHO, is that it implements SSH-2, which is the only thing I really want to use because last thing I heard/read was that SSH-1 could be hijacked, with some effort. 
I generally don't want to risk that so I stick to SSH-2 per default. This
might of course be wrong, but I did some research and ended up preferring
SSH-2.

Also, would anyone know anything about a utility that is able to convert
ssh.com private DSA keys into PEM OpenSSL private DSA keys?

//Peter

--
irc: CareBear\  tel: +46-40-914420
irl: Peter Stuge  gsm: +46-705-783805

From djm at mindrot.org Tue Sep 26 12:14:26 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 26 Sep 2000 12:14:26 +1100 (EST)
Subject: SSH_CLIENT _not_ set when doing a command
In-Reply-To: <20000924144736.B23003@stereo.rotzorg.org>
Message-ID:

On Sun, 24 Sep 2000, Sendy wrote:

> In an interactive shell, the env variable 'SSH_CLIENT' is set, and
> this variable can easily be parsed for the connecting ipnumber. The
> real problem is that this variable is _not_ set when just executing a
> remote command.

Are you sure this doesn't happen?

[damien at neon openssh]$ ssh localhost 'env|grep SSH_CLIENT'
SSH_CLIENT=127.0.0.1 728 22

-d

--
| ``The power of accurate observation is | Damien Miller
| commonly called cynicism by those who  | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From djm at mindrot.org Tue Sep 26 12:16:48 2000
From: djm at mindrot.org (Damien Miller)
Date: Tue, 26 Sep 2000 12:16:48 +1100 (EST)
Subject: strtok_r() HP-UX,
In-Reply-To:
Message-ID:

On Sun, 24 Sep 2000, Kevin Steves wrote:

> Until I can determine what the issue and background is, you'll need to
> define _REENTRANT in the latest snapshot so the strtok_r() function
> prototype is pulled in from . This is for HP-UX 11.0; I'm not
> sure about 10.20.

Any objections to setting this unconditionally? IIRC there was some other
platform (Irix?) where you needed to do the same.

-d

--
| ``The power of accurate observation is | Damien Miller
| commonly called cynicism by those who  | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From djm at mindrot.org Tue Sep 26 13:04:42 2000
From: djm at mindrot.org (Damien Miller) Date: Tue, 26 Sep 2000 13:04:42 +1100 (EST) Subject: i think this is great In-Reply-To: <14799.45114.208361.681155@darkwing.uoregon.edu> Message-ID: On Mon, 25 Sep 2000, Steve VanDevender wrote: > While looking for information on PAM problems or patches relating to > Portable OpenSSH, I came across this previous posting to > openssh-unix-dev: > > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=96831742624299&w=2 > > The patch is against OpenSSH 1.2.3, but looks like a much more thorough > implementation of PAM support. I haven't tried integrating this into > OpenSSH 2.2.0, however. The interesting thing about this patch is that > it appears to try to support user dialogue by exchanging messages > between the server and client via the SSH protocol, so it could work for > noninteractive sessions and engage in user interaction before a session > pty has been set up. What puts me off about this patch is that it changes the protocol to suit PAM. I would rather shoehorn PAM into the SSH way of doing things. -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From djm at mindrot.org Tue Sep 26 13:13:39 2000 
From: djm at mindrot.org (Damien Miller) Date: Tue, 26 Sep 2000 13:13:39 +1100 (EST) Subject: off-by-one errors in getnameinfo() In-Reply-To: <20000926001326.6B4.0@argo.troja.mff.cuni.cz> Message-ID: On Tue, 26 Sep 2000, Pavel Kankovsky wrote: > Description: > > getnameinfo() (confirmed for CVS version 1.14.2.1) does this sort of > buffer size checks (these is just two of many cases): [snip] > i.e. it can write up to servlen / hostlen bytes PLUS a terminating zero. > This contradicts the manpage (and RFC 2533) as well as the way your own > programs appear to use it (at least OpenSSH and in.ftpd use sizeof() of a > buffer as servlen / hostlen). > > > Proposed fix: > > Replace >'s with >='s. Thanks for the report. This has now been fixed in the portable version. I'll try to get a release out ASAP. Until then: diff -u -r1.3 fake-getnameinfo.c --- fake-getnameinfo.c 2000/05/31 01:20:12 1.3 +++ fake-getnameinfo.c 2000/09/26 02:12:50 @@ -30,7 +30,7 @@ if (host) { if (flags & NI_NUMERICHOST) { - if (strlen(inet_ntoa(sin->sin_addr)) > hostlen) + if (strlen(inet_ntoa(sin->sin_addr)) >= hostlen) return EAI_MEMORY; strcpy(host, inet_ntoa(sin->sin_addr)); @@ -41,7 +41,7 @@ if (hp == NULL) return EAI_NODATA; - if (strlen(hp->h_name) > hostlen) + if (strlen(hp->h_name) >= hostlen) return EAI_MEMORY; strcpy(host, hp->h_name); -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From stevesk at sweden.hp.com Tue Sep 26 19:14:56 2000 
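Review bot: in the first hunk (the NI_NUMERICHOST branch at line 30), inet_ntoa() is called twice, once in the length check and again inside strcpy(); it returns a pointer to a static buffer, so store the result once and use it for both, e.g. `const char *a = inet_ntoa(sin->sin_addr); if (strlen(a) >= hostlen) return EAI_MEMORY; strcpy(host, a);`. That keeps the check and the copy on the same string and makes the `>=` reasoning (length plus the terminating NUL must fit in hostlen) visible at the call site.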
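Review bot: the second hunk (hp->h_name at line 41) fixes only the host side, while the original report also names the service branch (sp->s_name copied into serv against servlen) and says these are two of many cases; no serv hunk appears here. Please confirm every strlen()/strcpy() pair in fake-getnameinfo.c received the same `>` to `>=` change, so that a caller passing sizeof(buf) as hostlen or servlen can never have the terminating NUL written one byte past the end.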
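The off-by-one Pavel reported and the `>` to `>=` fix in Damien's diff, as an added example that is not code from the thread or from OpenSSH: the check as reported beside the corrected one, a helper that shows exactly when strcpy() would write one byte past the buffer, and a bounded copy written the way a getnameinfo() caller passing sizeof(buf) expects. NAME_TOO_LONG, copy_name() and copy_name_demo() are names constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed status code for this example; the reported OpenBSD code
 * returns ENI_MEMORY and portable fake-getnameinfo.c returns EAI_MEMORY. */
#define NAME_TOO_LONG 1

/* The check as reported: a name of exactly buflen characters passes, and
 * the strcpy() that follows then writes buflen + 1 bytes (the NUL lands
 * one past the end of the caller's buffer). Returns 1 = accepted. */
int check_as_reported(const char *name, size_t buflen)
{
    if (strlen(name) > buflen)
        return 0;
    return 1;
}

/* The corrected check (the proposed ">" to ">=" change): the name plus
 * its terminating NUL must fit in buflen bytes. Returns 1 = accepted. */
int check_fixed(const char *name, size_t buflen)
{
    if (strlen(name) >= buflen)
        return 0;
    return 1;
}

/* Number of bytes strcpy() writes for this name, NUL included. */
size_t strcpy_bytes(const char *name)
{
    return strlen(name) + 1;
}

/* Returns 1 if the reported check would let strcpy() overflow a buflen-byte
 * buffer: the check accepts the name but the copy is larger than buflen. */
int reported_check_overflows(const char *name, size_t buflen)
{
    return check_as_reported(name, buflen) && strcpy_bytes(name) > buflen;
}

/* Hardened copy into a caller-sized buffer, as a getnameinfo() caller that
 * passes sizeof(buf) as hostlen/servlen expects: check first, copy only when
 * the NUL fits, never touch the buffer otherwise. Returns 0 on success. */
int copy_name(char *dst, size_t dstlen, const char *name)
{
    size_t len = strlen(name);

    if (dstlen == 0 || len >= dstlen)
        return NAME_TOO_LONG;
    memcpy(dst, name, len + 1);   /* len + 1 <= dstlen, so the NUL fits */
    return 0;
}

/* Exercises copy_name() with a buffer of the requested size (capped at 64):
 * returns 1 if the copy succeeded and round-trips, 0 if it was rejected. */
int copy_name_demo(const char *name, size_t buflen)
{
    char buf[64];

    if (buflen > sizeof(buf))
        buflen = sizeof(buf);
    memset(buf, 'X', sizeof(buf));   /* no NUL anywhere unless copy_name() writes one */
    if (copy_name(buf, buflen, name) != 0)
        return 0;
    return strcmp(buf, name) == 0;
}

int main(void)
{
    const char *host = "localhost";   /* 9 characters, 10 bytes with the NUL */
    size_t n;

    /* hostlen 9 is the interesting case: the reported check accepts the
     * name, yet strcpy() needs 10 bytes. The fixed check rejects it. */
    for (n = 8; n <= 10; n++)
        printf("hostlen=%zu: reported check %s, fixed check %s, overflow %s\n",
               n,
               check_as_reported(host, n) ? "accepts" : "rejects",
               check_fixed(host, n) ? "accepts" : "rejects",
               reported_check_overflows(host, n) ? "YES" : "no");
    return 0;
}
```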
From: stevesk at sweden.hp.com (Kevin Steves)
Date: Tue, 26 Sep 2000 10:14:56 +0200 (MEST)
Subject: strtok_r() HP-UX,
In-Reply-To:
Message-ID:

On Tue, 26 Sep 2000, Damien Miller wrote:
: > Until I can determine what the issue and background is, you'll need to
: > define _REENTRANT in the latest snapshot so the strtok_r() function
: > prototype is pulled in from . This is for HP-UX 11.0; I'm not
: > sure about 10.20.
:
: Any objections to setting this unconditionally? IIRC there was some other
: platform (Irix?) where you needed to do the same.

For HP-UX, this is what I found in pthread(3):

     Note: When explicitly specifying ANSI compilation (via "-Aa"),
     defining the POSIX revision level restricts the program to using
     interfaces within the POSIX namespaces. If interfaces in the larger
     X/Open namespace are to be called, either of the compiler options,
     -D_XOPEN_SOURCE_EXTENDED or -D_HPUX_SOURCE, must be specified in
     addition to -D_POSIX_C_SOURCE=199506L. Alternatively, compiling with
     -Ae (or not specifying "-A") will implicitly specify -D_HPUX_SOURCE.

     Note: Some documentation will recommend the use of -D_REENTRANT for
     compilation. While this also functions properly, it is considered an
     obsolescent form.

There's also this in string(3):

     Users of strtok_r() should also note that the prototype of this
     function will change in the next release for conformance with the new
     POSIX Threads standard.

Though it's been there for years (at least since 10.20).

Looking at Solaris 2.7 string.h:

#if defined(__EXTENSIONS__) || defined(_REENTRANT) || \
	(_POSIX_C_SOURCE - 0 >= 199506L)
extern char *strtok_r(char *, const char *, char **);
#endif	/* defined(__EXTENSIONS__) || defined(_REENTRANT) .. */

So if it's needed on a bunch of platforms, perhaps defining either
_REENTRANT or _POSIX_C_SOURCE=199506L unconditionally is the way to go.
This is what I did for HP-UX: *** openssh/configure.in Sat Sep 23 05:12:25 2000 --- openssh-ks/configure.in Mon Sep 25 16:46:25 2000 *************** *** 68,74 **** ;; *-*-hpux10*) if test -z "$GCC"; then ! CFLAGS="$CFLAGS -Ae" fi CFLAGS="$CFLAGS -D_HPUX_SOURCE" IPADDR_IN_DISPLAY=yes --- 68,74 ---- ;; *-*-hpux10*) if test -z "$GCC"; then ! CFLAGS="$CFLAGS -Ae -D_REENTRANT" fi CFLAGS="$CFLAGS -D_HPUX_SOURCE" IPADDR_IN_DISPLAY=yes *************** *** 80,86 **** mansubdir=cat ;; *-*-hpux11*) ! CFLAGS="$CFLAGS -D_HPUX_SOURCE" IPADDR_IN_DISPLAY=yes AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_SHADOW) --- 80,86 ---- mansubdir=cat ;; *-*-hpux11*) ! CFLAGS="$CFLAGS -D_HPUX_SOURCE -D_REENTRANT" IPADDR_IN_DISPLAY=yes AC_DEFINE(USE_PIPES) AC_DEFINE(DISABLE_SHADOW) From sgr at rotzorg.org Tue Sep 26 19:33:24 2000 
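Review bot: in the hpux10 hunk (lines 68-74), -D_REENTRANT lands on the `CFLAGS="$CFLAGS -Ae -D_REENTRANT"` line inside `if test -z "$GCC"`, so it is only added for the HP compiler; a gcc build on HP-UX 10 still compiles without the strtok_r() prototype. The define is about what string.h exposes, not about the compiler, so put it on the unconditional line, `CFLAGS="$CFLAGS -D_HPUX_SOURCE -D_REENTRANT"`, as the hpux11 hunk already does.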
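Review bot: the hpux11 hunk (lines 80-86) adds -D_REENTRANT with no comment, while the pthread(3) text quoted earlier in the thread calls that form obsolescent and names -D_POSIX_C_SOURCE=199506L as the current spelling; a one-line comment in configure.in saying the define is there to pull in the strtok_r() prototype, and why _REENTRANT was chosen over _POSIX_C_SOURCE, will keep the next person from reverting it as cruft.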
From: sgr at rotzorg.org (Sendy)
Date: Tue, 26 Sep 2000 10:33:24 +0200
Subject: SSH_CLIENT _not_ set when doing a command
In-Reply-To: ; from Damien Miller on Tue, Sep 26, 2000 at 12:14:26PM +1100
References: <20000924144736.B23003@stereo.rotzorg.org>
Message-ID: <20000926103324.A32207@stereo.rotzorg.org>

Well, fairly certain i think....

If i do this on a Debian GNU system with

$ sshd -?
SSH Version 1.2.26 [i586-unknown-linux]

(a Debian 2.1 system) i do get the SSH_CLIENT string back:

$ ssh localhost 'env|grep SSH_CLIENT'
SSH_CLIENT=127.0.0.1 1023 22
$

If i run 'env|grep SSH_CLIENT' on a Debian 2.2 system with

sgr at PCB25:~$ sshd -?
SSH Version OpenSSH-1.2.3

i do not get the string back:

sgr at PCB25:~$ ssh localhost 'env|grep SSH_CLIENT'
sgr at PCB25:~$

And if i run this on another Debian 2.2 system with ssh upgraded to

sgr at pickup:~$ sshd -?
SSH Version OpenSSH_2.2.0p1

i also do not get the envvar back:

sgr at pickup:~$ ssh localhost 'env|grep SSH_CLIENT'
sgr at pickup:~$

I've tried to build the source myself, but can't get the openssl libs
properly installed... i have given up on this.

Maybe it's related to the debian patch from
http://non-us.debian.org/debian-non-US/dists/unstable/non-US/main/source/openssh_2.2.0p1-1.diff.gz
or some config option?

TIA
Sendy
sendy at dds.nl

On Tue, Sep 26, 2000 at 12:14:26PM +1100, Damien Miller wrote:
> On Sun, 24 Sep 2000, Sendy wrote:
>
> > In an interactive shell, the env variable 'SSH_CLIENT' is set, and
> > this variable can easily be parsed for the connecting ipnumber. The
> > real problem is that this variable is _not_ set when just executing a
> > remote command.
>
> Are you sure this doesn't happen?
> > [damien at neon openssh]$ ssh localhost 'env|grep SSH_CLIENT' > SSH_CLIENT=127.0.0.1 728 22 > > -d > > -- > | ``The power of accurate observation is | Damien Miller > | commonly called cynicism by those who | @Work > | have not got it'' - George Bernard Shaw | http://www.mindrot.org From Markus.Friedl at informatik.uni-erlangen.de Tue Sep 26 19:37:38 2000 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 26 Sep 2000 10:37:38 +0200 Subject: Agent forwarding with DSA keys? In-Reply-To: <20000926012657.H9187@foo.birdnet.se>; from stuge@cdy.org on Tue, Sep 26, 2000 at 01:26:57AM +0200 References: <378C49974B36D411A585009027E59E6F09C6E6@osdn1.osd.mil> <39CF944D.60D6D1EB@boeing.com> <20000925214536.D27294@folly> <39CFD856.86C32332@boeing.com> <20000926012657.H9187@foo.birdnet.se> Message-ID: <20000926103738.B21040@faui02.informatik.uni-erlangen.de> On Tue, Sep 26, 2000 at 01:26:57AM +0200, Peter Stuge wrote: > Ehm, exactly how do I use my DSA key with version 1 of the protocol? you cannot. > > Thanks! OpenSSH rocks, by the way! > > What rocks most, IMHO, is that it implements SSH-2, which is the only thing > I really want to use because last thing I heard/read was that SSH-1 could be > hijacked, with some effort. do you have some _real_ information on this? or is it just FUD? > I generally don't want to risk that so I stick > to SSH-2 per default. This might of course be wrong, but I did some > research and ended up preferring SSH-2. > > > Also, would anyone know anything about a utility that is able to convert > ssh.com private DSA keys into PEM OpenSSL private DSA keys? ssh.com's format is not documented. From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Sep 26 19:43:00 2000 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 26 Sep 2000 10:43:00 +0200
Subject: strtok_r() HP-UX,
In-Reply-To: ; from stevesk@sweden.hp.com on Tue, Sep 26, 2000 at 10:14:56AM +0200
References:
Message-ID: <20000926104300.A1806@ws01.aet.tu-cottbus.de>

On Tue, Sep 26, 2000 at 10:14:56AM +0200, Kevin Steves wrote:
> On Tue, 26 Sep 2000, Damien Miller wrote:
> : > Until I can determine what the issue and background is, you'll need to
> : > define _REENTRANT in the latest snapshot so the strtok_r() function
> : > prototype is pulled in from . This is for HP-UX 11.0; I'm not
> : > sure about 10.20.
> :
> : Any objections to setting this unconditionally? IIRC there was some other
> : platform (Irix?) where you needed to do the same.
>
> For HP-UX, this is what I found in pthread(3):
>
>      Note: When explicitly specifying ANSI compilation (via "-Aa"),
>      defining the POSIX revision level restricts the program to using
>      interfaces within the POSIX namespaces. If interfaces in the larger
>      X/Open namespace are to be called, either of the compiler options,
>      -D_XOPEN_SOURCE_EXTENDED or -D_HPUX_SOURCE, must be specified in
>      addition to -D_POSIX_C_SOURCE=199506L. Alternatively, compiling with
>      -Ae (or not specifying "-A") will implicitly specify -D_HPUX_SOURCE.
>
>      Note: Some documentation will recommend the use of -D_REENTRANT for
>      compilation. While this also functions properly, it is considered an
>      obsolescent form.
>
> There's also this in string(3):
>
>      Users of strtok_r() should also note that the prototype of this
>      function will change in the next release for conformance with the new
>      POSIX Threads standard.
>
> Though it's been there for years (at least since 10.20).

On 10.20, there is no pthread(3), but the note in string(3) is the same.
It is however necessary to define -D_REENTRANT additionally to using
-Ae or -D_HPUX_SOURCE. I have checked string.h and sys/stdsyms.h: on 10.20
-D_REENTRANT is not automatically set!!
Kevin's change to configure solves the problem. Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From jhuuskon at messi.uku.fi Tue Sep 26 20:49:08 2000 From: jhuuskon at messi.uku.fi (Jarno Huuskonen) Date: Tue, 26 Sep 2000 12:49:08 +0300 Subject: Agent forwarding with DSA keys? In-Reply-To: <20000926103738.B21040@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Tue, Sep 26, 2000 at 10:37:38AM +0200 References: <378C49974B36D411A585009027E59E6F09C6E6@osdn1.osd.mil> <39CF944D.60D6D1EB@boeing.com> <20000925214536.D27294@folly> <39CFD856.86C32332@boeing.com> <20000926012657.H9187@foo.birdnet.se> <20000926103738.B21040@faui02.informatik.uni-erlangen.de> Message-ID: <20000926124907.A28607@laivuri63.uku.fi> On Tue, Sep 26, Markus Friedl wrote: > On Tue, Sep 26, 2000 at 01:26:57AM +0200, Peter Stuge wrote: > > What rocks most, IMHO, is that it implements SSH-2, which is the only thing > > I really want to use because last thing I heard/read was that SSH-1 could be > > hijacked, with some effort. > > do you have some _real_ information on this? or is it just FUD? A while back I found this: http://www.core-sdi.com/advisories/ssh-advisory.htm And this: http://www.core-sdi.com/soft/ssh/attack.txt -Jarno -- Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi University of Kuopio - Computer Centre | Work: +358 17 162822 PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169 From mstone at cs.loyola.edu Tue Sep 26 22:07:47 2000 
From: mstone at cs.loyola.edu (Michael Stone)
Date: Tue, 26 Sep 2000 07:07:47 -0400
Subject: i think this is great
In-Reply-To: ; from djm@mindrot.org on Tue, Sep 26, 2000 at 01:04:42PM +1100
References: <14799.45114.208361.681155@darkwing.uoregon.edu>
Message-ID: <20000926070747.R8493@justice.loyola.edu>

On Tue, Sep 26, 2000 at 01:04:42PM +1100, Damien Miller wrote:
> suit PAM. I would rather shoehorn PAM into the SSH way of doing things.

If the SSH way of doing things didn't have limitations, people wouldn't
have to shoehorn anything.

--
Mike Stone

From mstone at cs.loyola.edu Tue Sep 26 22:20:34 2000
From: mstone at cs.loyola.edu (Michael Stone)
Date: Tue, 26 Sep 2000 07:20:34 -0400
Subject: SSH_CLIENT _not_ set when doing a command
In-Reply-To: <20000926103324.A32207@stereo.rotzorg.org>; from sgr@rotzorg.org on Tue, Sep 26, 2000 at 10:33:24AM +0200
References: <20000924144736.B23003@stereo.rotzorg.org> <20000926103324.A32207@stereo.rotzorg.org>
Message-ID: <20000926072034.S8493@justice.loyola.edu>

On Tue, Sep 26, 2000 at 10:33:24AM +0200, Sendy wrote:
> If i run 'env|grep SSH_CLIENT' on a Debian 2.2 system with
> SSH Version OpenSSH-1.2.3

~> cat /etc/debian_version
2.2
~> ssh -V
SSH Version OpenSSH-1.2.3, protocol version 1.5. Compiled with SSL.
~> ssh localhost 'env|grep SSH'
mstone at localhost's password:
SSH_CLIENT=127.0.0.1 746 22

> And if i run this on another Debian 2.2 system with ssh upgraded to
> SSH Version OpenSSH_2.2.0p1

~> ssh -V
SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f).
~> ssh localhost 'env | grep SSH_CLIENT'
mstone at localhost's password:
SSH_CLIENT=127.0.0.1 1888 22

--
Mike Stone

From radtkens at rupert.informatik.uni-stuttgart.de Tue Sep 26 22:36:10 2000
From: radtkens at rupert.informatik.uni-stuttgart.de (Nils Radtke)
Date: Tue, 26 Sep 2000 13:36:10 +0200 (METDST)
Subject: ./configure stops: openssl prob
Message-ID:

Hello everyone,

meantime I reached in the following line-worm to get openssh-2.2.0p1
compiled with pam.

CFLAGS="-I/usr/local/ssl/include" LDFLAGS="-static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib" ./configure --prefix=/usr/local/ --bindir=/bin/ --sbindir=/sbin/ --sysconfdir=/etc/ssh/ --with-ssl-dir=/usr/local/ssl --with-xauth=/usr/X11R6/bin/xauth --with-random=/dev/urandom --with-ipaddr-display --with-ipv4-default --with-pid-dir=/var/run/ --with-lastlog=/var/log/lastlog --with-pam --with-ldflags="-L/lib/security -L/lib -L/usr/local/ssl -L/lib"

There may be little overhead now..

The problem occurs during compilation with both openssl-0.9.6beta3 and
openssl-0.9.6. I attached config.log for debugging..

Error msg printed to STDERR is:

checking for dlopen in -ldl... yes
checking for pam_getenvlist... no
checking whether pam_strerror takes only one argument... no
checking for OpenSSL directory... configure: error: Could not find working SSLeay / OpenSSL libraries, please install

Surely, I simply overlooked or misunderstood something, but I can't
figure out what.. Hopefully waiting for hints taking me to a compiled
version of openssh.. ;)

BTW, the mailing list archives and faq's and other docs didn't get me
out of trouble, unfortunately..

openssl gets installed under /usr/local/ssl, links from
/usr/local/lib/lib[crypt|ssl].a to /usr/local/ssl/lib/lib[crypt|ssl].a
exist.

/lib includes the lib*pam* files:

find /lib/ -name "lib*pam*":
/lib/libpam.so.0.72
/lib/libpam_misc.a
/lib/libpam_misc.so.0.72
/lib/libpam_misc.so.0
/lib/libpam.so.0
/lib/libpam.so
/lib/libpam_misc.so

no broken links in there.. /lib/security is allr8, too

So what could be the prob, or more helpful, what's the solution to it?
Any question? Did I miss to provide any information?
thx ia
Nils

Nils Radtke * de.AIESEC.org * Student @ the * nils.radtke@ * * Nat. Trainer Pool * University Stuttgart * think-future.de * * Brave GNU World. * icq/lc#:9336272/92045 PGP/GCB: c at hp :wq

-------------- next part --------------
This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake.
configure:1798: checking for sys/time.h configure:1808: gcc -E conftest.c >/dev/null 2>conftest.out configure:1798: checking for sys/ttcompat.h configure:1808: gcc -E conftest.c >/dev/null 2>conftest.out configure:1804: sys/ttcompat.h: No such file or directory configure: failed program was: #line 1803 "configure" #include "confdefs.h" #include configure:1798: checking for stddef.h configure:1808: gcc -E conftest.c >/dev/null 2>conftest.out configure:1798: checking for time.h configure:1808: gcc -E conftest.c >/dev/null 2>conftest.out configure:1798: checking for ttyent.h configure:1808: gcc -E conftest.c >/dev/null 2>conftest.out configure:1798: checking for usersec.h configure:1808: gcc -E conftest.c >/dev/null 2>conftest.out configure:1804: usersec.h: No such file or directory configure: failed program was: #line 1803 "configure" #include "confdefs.h" #include configure:1798: checking for util.h configure:1808: gcc -E conftest.c >/dev/null 2>conftest.out configure:1804: util.h: No such file or directory configure: failed program was: #line 1803 "configure" #include "confdefs.h" #include configure:1798: checking for utmp.h configure:1808: gcc -E conftest.c >/dev/null 2>conftest.out configure:1798: checking for utmpx.h configure:1808: gcc -E conftest.c >/dev/null 2>conftest.out configure:1838: checking for arc4random configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 /tmp/cc5x6azE.o: In function `main': /tmp/cc5x6azE.o(.text+0x4): undefined reference to `arc4random' collect2: ld returned 1 exit status configure: failed program was: #line 1843 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char arc4random(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. 
*/ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char arc4random(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined (__stub_arc4random) || defined (__stub___arc4random) choke me #else arc4random(); #endif ; return 0; } configure:1838: checking for atexit configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for b64_ntop configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 /tmp/cc6T0UuB.o: In function `main': /tmp/cc6T0UuB.o(.text+0x4): undefined reference to `b64_ntop' collect2: ld returned 1 exit status configure: failed program was: #line 1843 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char b64_ntop(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char b64_ntop(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub_b64_ntop) || defined (__stub___b64_ntop) choke me #else b64_ntop(); #endif ; return 0; } configure:1838: checking for bcopy configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for bindresvport_af configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccsMvHG2.o: In function `main': /tmp/ccsMvHG2.o(.text+0x4): undefined reference to `bindresvport_af' collect2: ld returned 1 exit status configure: failed program was: #line 1843 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char bindresvport_af(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char bindresvport_af(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub_bindresvport_af) || defined (__stub___bindresvport_af) choke me #else bindresvport_af(); #endif ; return 0; } configure:1838: checking for clock configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for freeaddrinfo configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for gai_strerror configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for getaddrinfo configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for getnameinfo configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for getrusage configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for getttyent configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for inet_aton configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib 
-L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for inet_ntoa configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for innetgr configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for login_getcapbool configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccZVjktX.o: In function `main': /tmp/ccZVjktX.o(.text+0x4): undefined reference to `login_getcapbool' collect2: ld returned 1 exit status configure: failed program was: #line 1843 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char login_getcapbool(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char login_getcapbool(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub_login_getcapbool) || defined (__stub___login_getcapbool) choke me #else login_getcapbool(); #endif ; return 0; } configure:1838: checking for md5_crypt configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccNq36JQ.o: In function `main': /tmp/ccNq36JQ.o(.text+0x4): undefined reference to `md5_crypt' collect2: ld returned 1 exit status configure: failed program was: #line 1843 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char md5_crypt(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char md5_crypt(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub_md5_crypt) || defined (__stub___md5_crypt) choke me #else md5_crypt(); #endif ; return 0; } configure:1838: checking for memmove configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for mkdtemp configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 /tmp/cclaYYqf.o: In function `main': /tmp/cclaYYqf.o(.text+0x4): undefined reference to `mkdtemp' collect2: ld returned 1 exit status configure: failed program was: #line 1843 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char mkdtemp(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char mkdtemp(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub_mkdtemp) || defined (__stub___mkdtemp) choke me #else mkdtemp(); #endif ; return 0; } configure:1838: checking for on_exit configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for openpty configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for rresvport_af configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 /tmp/cc0PR1hY.o: In function `main': /tmp/cc0PR1hY.o(.text+0x4): undefined reference to `rresvport_af' collect2: ld returned 1 exit status configure: failed program was: #line 1843 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char rresvport_af(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char rresvport_af(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub_rresvport_af) || defined (__stub___rresvport_af) choke me #else rresvport_af(); #endif ; return 0; } configure:1838: checking for setenv configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for seteuid configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for setlogin configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure: In function `main': configure:1858: `choke' undeclared (first use in this function) configure:1858: (Each undeclared identifier is reported only once configure:1858: for each function it appears in.) configure:1858: parse error before `me' configure: failed program was: #line 1843 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char setlogin(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char setlogin(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub_setlogin) || defined (__stub___setlogin) choke me #else setlogin(); #endif ; return 0; } configure:1838: checking for setproctitle configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccA79CYu.o: In function `main': /tmp/ccA79CYu.o(.text+0x4): undefined reference to `setproctitle' collect2: ld returned 1 exit status configure: failed program was: #line 1843 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char setproctitle(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char setproctitle(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub_setproctitle) || defined (__stub___setproctitle) choke me #else setproctitle(); #endif ; return 0; } configure:1838: checking for setreuid configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for sigaction configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for sigvec configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for snprintf configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for strerror configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for strlcat configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccuh64VL.o: In function `main': /tmp/ccuh64VL.o(.text+0x4): undefined reference to `strlcat' collect2: ld returned 1 exit status configure: failed program was: #line 1843 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char strlcat(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. 
*/ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char strlcat(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined (__stub_strlcat) || defined (__stub___strlcat) choke me #else strlcat(); #endif ; return 0; } configure:1838: checking for strlcpy configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccvVRxaf.o: In function `main': /tmp/ccvVRxaf.o(.text+0x4): undefined reference to `strlcpy' collect2: ld returned 1 exit status configure: failed program was: #line 1843 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char strlcpy(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char strlcpy(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub_strlcpy) || defined (__stub___strlcpy) choke me #else strlcpy(); #endif ; return 0; } configure:1838: checking for strsep configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for vsnprintf configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for vhangup configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1838: checking for _getpty configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccLi5JRK.o: In function `main': /tmp/ccLi5JRK.o(.text+0x4): undefined reference to `_getpty' collect2: ld returned 1 exit status configure: failed program was: #line 1843 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char _getpty(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char _getpty(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub__getpty) || defined (__stub____getpty) choke me #else _getpty(); #endif ; return 0; } configure:1838: checking for __b64_ntop configure:1866: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccVKSUQP.o: In function `main': /tmp/ccVKSUQP.o(.text+0x4): undefined reference to `__b64_ntop' collect2: ld returned 1 exit status configure: failed program was: #line 1843 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char __b64_ntop(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char __b64_ntop(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub___b64_ntop) || defined (__stub_____b64_ntop) choke me #else __b64_ntop(); #endif ; return 0; } configure:1893: checking for gettimeofday configure:1921: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1893: checking for time configure:1921: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1948: checking for login configure:1976: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1948: checking for logout configure:1976: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1948: checking for updwtmp configure:1976: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:1948: checking for logwtmp configure:1976: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:2003: checking for entutent configure:2031: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 /tmp/ccTMh9BA.o: In function `main': /tmp/ccTMh9BA.o(.text+0x4): undefined reference to `entutent' collect2: ld returned 1 exit status configure: failed program was: #line 2008 "configure" #include 
"confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char entutent(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char entutent(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined (__stub_entutent) || defined (__stub___entutent) choke me #else entutent(); #endif ; return 0; } configure:2003: checking for getutent configure:2031: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:2003: checking for getutid configure:2031: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:2003: checking for getutline configure:2031: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:2003: checking for pututline configure:2031: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:2003: checking for setutent configure:2031: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:2058: checking for utmpname configure:2086: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib 
-L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 configure:2113: checking for entutxent configure:2141: gcc -o conftest -I/usr/local/ssl/include -Wall -static -L/lib/security -L/lib -L/usr/local/ssl/lib -L/lib -L/lib/security -L/lib -L/usr/local/ssl -L/lib conftest.c -lnsl -lz -lutil 1>&5 /tmp/cchGdzKM.o: In function `main': /tmp/cchGdzKM.o(.text+0x4): undefined reference to `entutxent' collect2: ld returned 1 exit status configure: failed program was: #line 2118 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char entutxent(); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char entutxent(); int main() { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
From Markus.Friedl at informatik.uni-erlangen.de Tue Sep 26 22:51:44 2000
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 26 Sep 2000 13:51:44 +0200
Subject: i think this is great
In-Reply-To: <20000926070747.R8493@justice.loyola.edu>; from mstone@cs.loyola.edu on Tue, Sep 26, 2000 at 07:07:47AM -0400
References: <14799.45114.208361.681155@darkwing.uoregon.edu> <20000926070747.R8493@justice.loyola.edu>
Message-ID: <20000926135144.A1060@faui02.informatik.uni-erlangen.de>

On Tue, Sep 26, 2000 at 07:07:47AM -0400, Michael Stone wrote:
> On Tue, Sep 26, 2000 at 01:04:42PM +1100, Damien Miller wrote:
> > suit PAM. I would rather shoehorn PAM into the SSH way of doing things.
>
> If the SSH way of doing things didn't have limitations, people wouldn't
> have to shoehorn anything.

feel free to submit a draft to the ietf secsh working group.

or perhaps it's PAM that has limitations? or perhaps PAM is used for a job it was not designed for?

From sgr at rotzorg.org Wed Sep 27 00:06:43 2000
From: sgr at rotzorg.org (Sendy)
Date: Tue, 26 Sep 2000 15:06:43 +0200
Subject: SSH_CLIENT _not_ set when doing a command
In-Reply-To: <20000926103324.A32207@stereo.rotzorg.org>; from Sendy on Tue, Sep 26, 2000 at 10:33:24AM +0200
References: <20000924144736.B23003@stereo.rotzorg.org> <20000926103324.A32207@stereo.rotzorg.org>
Message-ID: <20000926150643.A32685@stereo.rotzorg.org>

Erhm.... I must be nuts... I have done nothing strange with the OpenSSH installs on my Debian boxes. Even on boxes of friends of mine I don't get the string. Maybe I can give one of you a login account on my box, so you can check it out yourself? I don't believe myself anymore.

I'll copy and paste one more test:

sgr at PCB25:~$ ssh -V
SSH Version OpenSSH-1.2.3, protocol version 1.5.
Compiled with SSL.
sgr at PCB25:~$ ssh localhost 'env | grep SSH_CLIENT'
sgr at localhost's password:
sgr at PCB25:~$

gr,
Sendy
sendy at dds.nl

From theos at cnds.jhu.edu Wed Sep 27 00:19:00 2000
From: theos at cnds.jhu.edu (Theo E. Schlossnagle)
Date: Tue, 26 Sep 2000 09:19:00 -0400
Subject: i think this is great
References: <14799.45114.208361.681155@darkwing.uoregon.edu> <20000926070747.R8493@justice.loyola.edu>
Message-ID: <39D0A244.AFDA22DB@cnds.jhu.edu>

Michael Stone wrote:
> If the SSH way of doing things didn't have limitations, people wouldn't
> have to shoehorn anything.

I don't think that is the right way of looking at things. I think that SSH's "way of doing things" lacks some robustness, but there are also real problems with many PAM implementations (the module side).

The real problem that I faced with SecurID integration using PAM was not that PAM had to be retrofitted to SSH. The PAM module worked great, but like many other PAM modules, for

 o complicated challenge response
 o next token required
 o new pin activation dialogue
 o change pin required dialogue

the PAM module assumed that it can carry on this dialogue via terminal. SSH has not yet assigned a terminal at this stage (and frankly shouldn't). You *could* assign a terminal for this dialogue (which most people with SecurID do), but that fundamentally breaks things that expect a successful log in once the password was accepted (e.g. scp, cvs, rsync, tar, cpio, etc.).

-- 
Theo Schlossnagle
1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E 2DC2 72C2 AD05 A8EB CF8F
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7

From dberk at lump.org Wed Sep 27 01:09:30 2000
From: dberk at lump.org (David Berk)
Date: Tue, 26 Sep 2000 10:09:30 -0400
Subject: i think this is great
In-Reply-To:
Message-ID: <000001c027c3$63ea9d80$293814aa@cbs.com>

That sorta defeats the whole purpose of PAM, doesn't it? I mean one could just patch SecurID into sshd, but we want to auth other services off SecurID as well and don't really want to maintain a ton of source trees.

Dave

-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org]
Sent: Monday, September 25, 2000 10:05 PM
To: Steve VanDevender
Cc: David Berk; 'Theo E. Schlossnagle'; openssh-unix-dev at mindrot.org
Subject: Re: i think this is great

On Mon, 25 Sep 2000, Steve VanDevender wrote:
> While looking for information on PAM problems or patches relating to
> Portable OpenSSH, I came across this previous posting to
> openssh-unix-dev:
>
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=96831742624299&w=2
>
> The patch is against OpenSSH 1.2.3, but looks like a much more thorough
> implementation of PAM support. I haven't tried integrating this into
> OpenSSH 2.2.0, however. The interesting thing about this patch is that
> it appears to try to support user dialogue by exchanging messages
> between the server and client via the SSH protocol, so it could work for
> noninteractive sessions and engage in user interaction before a session
> pty has been set up.

What puts me off about this patch is that it changes the protocol to suit PAM. I would rather shoehorn PAM into the SSH way of doing things.

-d

-- 
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From mstone at cs.loyola.edu Wed Sep 27 01:24:56 2000
From: mstone at cs.loyola.edu (Michael Stone)
Date: Tue, 26 Sep 2000 10:24:56 -0400
Subject: i think this is great
In-Reply-To: <39D0A244.AFDA22DB@cnds.jhu.edu>; from theos@cnds.jhu.edu on Tue, Sep 26, 2000 at 09:19:00AM -0400
References: <14799.45114.208361.681155@darkwing.uoregon.edu> <20000926070747.R8493@justice.loyola.edu> <39D0A244.AFDA22DB@cnds.jhu.edu>
Message-ID: <20000926102456.T8493@justice.loyola.edu>

On Tue, Sep 26, 2000 at 09:19:00AM -0400, Theo E. Schlossnagle wrote:
> I don't think that is the right way of looking at things. I think that SSH's "way
> of doing things" lacks some robustness, but there are also real problems with
> many PAM implementations (the module side).

Ok. Maybe I'm misunderstanding. What is "the ssh way" for challenge-response authentication mechanisms, password expiration, etc., that doesn't require some sort of modifications to clients?

-- 
Mike Stone

From stuge at cdy.org Wed Sep 27 01:43:39 2000
From: stuge at cdy.org (Peter Stuge)
Date: Tue, 26 Sep 2000 16:43:39 +0200
Subject: Agent forwarding with DSA keys?
In-Reply-To: <20000926103738.B21040@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Tue, Sep 26, 2000 at 10:37:38AM +0200
References: <378C49974B36D411A585009027E59E6F09C6E6@osdn1.osd.mil> <39CF944D.60D6D1EB@boeing.com> <20000925214536.D27294@folly> <39CFD856.86C32332@boeing.com> <20000926012657.H9187@foo.birdnet.se> <20000926103738.B21040@faui02.informatik.uni-erlangen.de>
Message-ID: <20000926164339.A11001@foo.birdnet.se>

On Tue, Sep 26, 2000 at 10:37:38AM +0200, Markus Friedl wrote:
> On Tue, Sep 26, 2000 at 01:26:57AM +0200, Peter Stuge wrote:
> > Ehm, exactly how do I use my DSA key with version 1 of the protocol?
>
> you cannot.

Ok, that's what I thought.

> > Thanks! OpenSSH rocks, by the way!
> >
> > What rocks most, IMHO, is that it implements SSH-2, which is the only thing
> > I really want to use because last thing I heard/read was that SSH-1 could be
> > hijacked, with some effort.
>
> do you have some _real_ information on this? or is it just FUD?

No real info I'm sure of, no. My suspicion comes from a number of posts to BUGTRAQ which, if I'm not mistaken, boiled down to that it is possible to hijack SSH-1 sessions. Anyway, I just generally assume worst case and prefer SSH-2 when/where at all possible.

> > I generally don't want to risk that so I stick
> > to SSH-2 per default. This might of course be wrong, but I did some
> > research and ended up preferring SSH-2.
> >
> > Also, would anyone know anything about a utility that is able to convert
> > ssh.com private DSA keys into PEM OpenSSL private DSA keys?
>
> ssh.com's format is not documented.

Ok, thx. (To Paul too for his comment.)

//Peter

-- 
irc: CareBear\      tel: +46-40-914420
irl: Peter Stuge    gsm: +46-705-783805

From nico at sonycom.com Wed Sep 27 02:23:02 2000
From: nico at sonycom.com (Nico De Ranter)
Date: Tue, 26 Sep 2000 17:23:02 +0200
Subject: anoying debug info + can't login automaticaly
Message-ID: <20000926172302.A864@immortelle.sonytel.be>

Howdy,

I'm installing openssh 2.2.0p1 on a number of SUNs running Solaris 2.6 but ran into a few problems:

1. Whenever I run a remote X11 application and f.i. change the window size I get annoying debug messages like

   debug: client_check_window_change: changed

   This is a problem since I want to use openssh in a production environment. Is there any way to turn these messages off?

2. I used to be able to log on automatically from one machine to another (using ssh 1.2.x) but now openssh always asks for a password. (Note: I'm using the same host keys and ssh_known_hosts file as before.)

Any help would be appreciated.

Nico

--------------------------------------------------------
"It has been said that there are only two businesses that
refer to customers as users: illegal drug trade and
the computer industry."
--------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/DME-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41   Telefax: +32 2 726 26 86
e-mail: nico.deranter at sonycom.com

From Markus.Friedl at informatik.uni-erlangen.de Wed Sep 27 02:37:49 2000
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 26 Sep 2000 17:37:49 +0200
Subject: i think this is great
In-Reply-To: <20000926102456.T8493@justice.loyola.edu>; from mstone@cs.loyola.edu on Tue, Sep 26, 2000 at 10:24:56AM -0400
References: <14799.45114.208361.681155@darkwing.uoregon.edu> <20000926070747.R8493@justice.loyola.edu> <39D0A244.AFDA22DB@cnds.jhu.edu> <20000926102456.T8493@justice.loyola.edu>
Message-ID: <20000926173749.A21401@faui02.informatik.uni-erlangen.de>

On Tue, Sep 26, 2000 at 10:24:56AM -0400, Michael Stone wrote:
> On Tue, Sep 26, 2000 at 09:19:00AM -0400, Theo E. Schlossnagle wrote:
> > I don't think that is the right way of looking at things. I think that SSH's "way
> > of doing things" lacks some robustness, but there are also real problems with
> > many PAM implementations (the module side).
>
> Ok. Maybe I'm misunderstanding. What is "the ssh way" for
> challenge-response authentication mechanisms, password expiration, etc.,
> that doesn't require some sort of modifications to clients?

http://www.openssh.com/txt/draft-ietf-secsh-auth-kbdinteract-00.txt

From Markus.Friedl at informatik.uni-erlangen.de Wed Sep 27 02:41:18 2000
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 26 Sep 2000 17:41:18 +0200
Subject: anoying debug info + can't login automaticaly
In-Reply-To: <20000926172302.A864@immortelle.sonytel.be>; from nico@sonycom.com on Tue, Sep 26, 2000 at 05:23:02PM +0200
References: <20000926172302.A864@immortelle.sonytel.be>
Message-ID: <20000926174118.A21585@faui02.informatik.uni-erlangen.de>

On Tue, Sep 26, 2000 at 05:23:02PM +0200, Nico De Ranter wrote:
> Howdy,
>
> I'm installing openssh 2.2.0p1 on a number of SUNs running Solaris
> 2.6 but ran into a few problems:
>
> 1. whenever I run a remote X11 application and f.i. change the window size
> I get annoying debug messages like
>
> debug: client_check_window_change: changed
>
> This is a problem since I want to use openssh in a production environment.
> Is there any way to turn these messages off?

no, this is only printed if you turn on debugging, but i'll move it to debug level 2.

> 2. I used to be able to log on automatically from one machine to another
> (using ssh 1.2.x) but now openssh always asks for a password. (Note:
> I'm using the same host keys and ssh_known_hosts file as before.)
>
> Any help would be appreciated.
>
> Nico
>
> --------------------------------------------------------
> "It has been said that there are only two businesses that
> refer to customers as users: illegal drug trade and
> the computer industry."
> --------------------------------------------------------
> Nico De Ranter
> Sony Service Center (SDCE/DME-B)
> Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> Telephone: +32 2 724 86 41   Telefax: +32 2 726 26 86
> e-mail: nico.deranter at sonycom.com

From jamest at math.ksu.edu Wed Sep 27 02:45:28 2000
From: jamest at math.ksu.edu (James Thompson)
Date: Tue, 26 Sep 2000 10:45:28 -0500 (CDT)
Subject: anoying debug info + can't login automaticaly
In-Reply-To: <20000926172302.A864@immortelle.sonytel.be>
Message-ID:

> 2. I used to be able to log on automatically from one machine to another
> (using ssh 1.2.x) but now openssh always asks for a password. (Note:
> I'm using the same host keys and ssh_known_hosts file as before.)

I'm having a similar problem with sshd on a Solaris 8 machine. I have the following in my sshd_config:

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication yes
RSAAuthentication no

Trying to access this machine from any other machine (various ssh clients) requires a password each time, regardless of what's in /etc/shosts.equiv and /etc/ssh_known_hosts.

Install steps:

./configure --prefix=/usr/local/encap/openssh-2.2.0p1 --with-tcp-wrappers
make
make install
epkg openssh   (makes sym links into /usr/local space)

I've tried putting the shosts.equiv and ssh_known_hosts files in

/etc/
/usr/local/etc
/usr/local/encap/openssh-2.2.0p1/etc

to see if it's pulling from somewhere different due to the --prefix I added, since I couldn't get that info from sshd even with -d -d -d added.

Any ideas on where I've screwed up?

Thanks

James

->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<
James Thompson                         138 Cardwell Hall
Manhattan, Ks 66506                    785-532-0561
Kansas State University                Department of Mathematics
->->->->->->->->->->->->->->->->->->---<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<-<

From nico at sonycom.com Wed Sep 27 02:53:38 2000
From: nico at sonycom.com (Nico De Ranter)
Date: Tue, 26 Sep 2000 17:53:38 +0200
Subject: anoying debug info + can't login automaticaly
In-Reply-To: <20000926174118.A21585@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Tue, Sep 26, 2000 at 05:41:18PM +0200
References: <20000926172302.A864@immortelle.sonytel.be> <20000926174118.A21585@faui02.informatik.uni-erlangen.de>
Message-ID: <20000926175338.B862@immortelle.sonytel.be>

On Tue, Sep 26, 2000 at 05:41:18PM +0200, Markus Friedl wrote:
> On Tue, Sep 26, 2000 at 05:23:02PM +0200, Nico De Ranter wrote:
> > Howdy,
> >
> > I'm installing openssh 2.2.0p1 on a number of SUNs running Solaris
> > 2.6 but ran into a few problems:
> >
> > 1. whenever I run a remote X11 application and f.i. change the window size
> > I get annoying debug messages like
> >
> > debug: client_check_window_change: changed
> >
> > This is a problem since I want to use openssh in a production environment.
> > Is there any way to turn these messages off?
>
> no, this is only printed if you turn on debugging, but i'll move it
> to debug level 2.

I expected something like that, but how do you turn on/off debugging? There is no switch mentioned in configure and I couldn't find anything in the makefile either.

Nico

> > 2. I used to be able to log on automatically from one machine to another
> > (using ssh 1.2.x) but now openssh always asks for a password. (Note:
> > I'm using the same host keys and ssh_known_hosts file as before.)
> >
> > Any help would be appreciated.
> >
> > Nico
> >
> > --------------------------------------------------------
> > "It has been said that there are only two businesses that
> > refer to customers as users: illegal drug trade and
> > the computer industry."
> > --------------------------------------------------------
> > Nico De Ranter
> > Sony Service Center (SDCE/DME-B)
> > Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> > 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> > Telephone: +32 2 724 86 41   Telefax: +32 2 726 26 86
> > e-mail: nico.deranter at sonycom.com

--------------------------------------------------------
"It has been said that there are only two businesses that
refer to customers as users: illegal drug trade and
the computer industry."
--------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/DME-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41   Telefax: +32 2 726 26 86
e-mail: nico.deranter at sonycom.com

From nico at sonycom.com Wed Sep 27 02:56:13 2000
From: nico at sonycom.com (Nico De Ranter)
Date: Tue, 26 Sep 2000 17:56:13 +0200
Subject: Agent forwarding with DSA keys?
In-Reply-To: <20000926164339.A11001@foo.birdnet.se>; from stuge@cdy.org on Tue, Sep 26, 2000 at 04:43:39PM +0200
References: <378C49974B36D411A585009027E59E6F09C6E6@osdn1.osd.mil> <39CF944D.60D6D1EB@boeing.com> <20000925214536.D27294@folly> <39CFD856.86C32332@boeing.com> <20000926012657.H9187@foo.birdnet.se> <20000926103738.B21040@faui02.informatik.uni-erlangen.de> <20000926164339.A11001@foo.birdnet.se>
Message-ID: <20000926175613.C862@immortelle.sonytel.be>

On Tue, Sep 26, 2000 at 04:43:39PM +0200, Peter Stuge wrote:
> > > What rocks most, IMHO, is that it implements SSH-2, which is the only thing
> > > I really want to use because last thing I heard/read was that SSH-1 could be
> > > hijacked, with some effort.
> >
> > do you have some _real_ information on this? or is it just FUD?
>
> No real info I'm sure of, no. My suspicion comes from a number of posts to
> BUGTRAQ which, if I'm not mistaken, boiled down to that it is possible to
> hijack SSH-1 sessions. Anyway, I just generally assume worst case and
> prefer SSH-2 when/where at all possible.

I followed the discussion on BUGTRAQ with half an eye and I believe it was only related to one specific method of encryption that is only used in the US (for obvious reasons :-).

Nico

--------------------------------------------------------
"It has been said that there are only two businesses that
refer to customers as users: illegal drug trade and
the computer industry."
--------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/DME-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41   Telefax: +32 2 726 26 86
e-mail: nico.deranter at sonycom.com

From pekkas at netcore.fi Wed Sep 27 03:12:40 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Tue, 26 Sep 2000 19:12:40 +0300 (EEST)
Subject: anoying debug info + can't login automaticaly
In-Reply-To:
Message-ID:

On Tue, 26 Sep 2000, James Thompson wrote:
> RhostsAuthentication no
> #
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication yes
> RSAAuthentication no
>
> Trying to access this machine from any other machine (various ssh
> clients) requires a password each time. Regardless of what's in
> /etc/shosts.equiv and /etc/ssh_known_hosts

If you're connecting w/ Protocol 2, DSA keys will be used which are not in your old known hosts database.

-- 
Pekka Savola                  "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi    not those you stumble over and fall"

From markus.friedl at informatik.uni-erlangen.de Wed Sep 27 07:00:05 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 26 Sep 2000 22:00:05 +0200
Subject: anoying debug info + can't login automaticaly
In-Reply-To: <20000926175338.B862@immortelle.sonytel.be>; from nico@sonycom.com on Tue, Sep 26, 2000 at 05:53:38PM +0200
References: <20000926172302.A864@immortelle.sonytel.be> <20000926174118.A21585@faui02.informatik.uni-erlangen.de> <20000926175338.B862@immortelle.sonytel.be>
Message-ID: <20000926220005.A32565@folly>

don't use ssh -v if you don't want debug output.

On Tue, Sep 26, 2000 at 05:53:38PM +0200, Nico De Ranter wrote:
> On Tue, Sep 26, 2000 at 05:41:18PM +0200, Markus Friedl wrote:
> > On Tue, Sep 26, 2000 at 05:23:02PM +0200, Nico De Ranter wrote:
> > > Howdy,
> > >
> > > I'm installing openssh 2.2.0p1 on a number of SUNs running Solaris
> > > 2.6 but ran into a few problems:
> > >
> > > 1. whenever I run a remote X11 application and f.i. change the window size
> > > I get annoying debug messages like
> > >
> > > debug: client_check_window_change: changed
> > >
> > > This is a problem since I want to use openssh in a production environment.
> > > Is there any way to turn these messages off?
> >
> > no, this is only printed if you turn on debugging, but i'll move it
> > to debug level 2.
>
> I expected something like that, but how do you turn on/off debugging? There
> is no switch mentioned in configure and I couldn't find anything in the makefile
> either.
>
> Nico
>
> > > 2. I used to be able to log on automatically from one machine to another
> > > (using ssh 1.2.x) but now openssh always asks for a password. (Note:
> > > I'm using the same host keys and ssh_known_hosts file as before.)
> > >
> > > Any help would be appreciated.
> > >
> > > Nico
> > >
> > > --------------------------------------------------------
> > > "It has been said that there are only two businesses that
> > > refer to customers as users: illegal drug trade and
> > > the computer industry."
> > > --------------------------------------------------------
> > > Nico De Ranter
> > > Sony Service Center (SDCE/DME-B)
> > > Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> > > 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> > > Telephone: +32 2 724 86 41   Telefax: +32 2 726 26 86
> > > e-mail: nico.deranter at sonycom.com
> --------------------------------------------------------
> "It has been said that there are only two businesses that
> refer to customers as users: illegal drug trade and
> the computer industry."
> --------------------------------------------------------
> Nico De Ranter
> Sony Service Center (SDCE/DME-B)
> Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> Telephone: +32 2 724 86 41   Telefax: +32 2 726 26 86
> e-mail: nico.deranter at sonycom.com

From rwilson at gnp.com Wed Sep 27 10:08:03 2000
From: rwilson at gnp.com (C. Regis Wilson)
Date: Tue, 26 Sep 2000 16:08:03 -0700
Subject: SSH proxy or gateway?
Message-ID:

I'm wondering if there is a proxy version for SSH, but not in the usual way that some people have attempted. I was thinking of:

user <-via clear-> telnet/SSH proxy <-via SSH-> server

This requires no changes to the client, except that the client needs to know to telnet to the SSH proxy and open a connection outward from there, similar to the FWTK telnet proxy (which is a great proxy!)

The other alternative, which I'm using now, is:

user <-via SSH-> dumb plug/filter <-via SSH-> server

Not nice. Any thoughts, comments?

One way to do this (which I saw in the archives, and may be more widely applicable):

user <-via SSH-> Server Proxy Client Proxy <-via SSH-> server

I don't need this because connections on the inside don't need to be authenticated. But, even this option is not ready yet (I believe)?

Any help? Thanks!

From djm at mindrot.org Wed Sep 27 12:44:21 2000
From: djm at mindrot.org (Damien Miller)
Date: Wed, 27 Sep 2000 12:44:21 +1100 (EST)
Subject: SSH proxy or gateway?
In-Reply-To:
Message-ID:

On Tue, 26 Sep 2000, C. Regis Wilson wrote:
> I'm wondering if there is a proxy version for SSH, but not
> in the usual way that some people have attempted. I was
> thinking of:
>
> user <-via clear-> telnet/SSH proxy <-via SSH-> server

You could accomplish this by putting users in your password file with a custom shell. The custom shell would automatically open an SSH connection to the server.

-d

-- 
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From nico at sonycom.com Wed Sep 27 17:09:54 2000
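The custom-shell approach Damien describes, written out as an added example (not code from the list or from OpenSSH): a login shell for the proxy host that maps the account to one allowlisted target and execs ssh to it, so the user never gets a prompt on the proxy itself. The allowlist path /etc/ssh-gateway/targets, the GATEWAY_ALLOWLIST variable and the target names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the list or from OpenSSH: a login shell for the
# proxy host in Damien Miller's "custom shell" suggestion. Installed as the
# account's shell in /etc/passwd, it never hands the user a prompt on the proxy:
# it maps the account to one allowed target and replaces itself with ssh.
#
# The allowlist path, the environment variable name and the target/host values
# used below are constructed for this example.

# "name host" lines; one target per proxy account (constructed default path).
GATEWAY_ALLOWLIST="${GATEWAY_ALLOWLIST:-/etc/ssh-gateway/targets}"

# gateway_target NAME [FILE]
# Print the host configured for NAME, or fail if NAME is not an exact allowlist
# entry. The name is checked before the file is read, so nothing that looks like
# an ssh option (leading '-') or a second argument (whitespace) gets through.
gateway_target() {
    gt_name=$1
    gt_file=${2:-$GATEWAY_ALLOWLIST}
    case "$gt_name" in
        '' | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ -r "$gt_file" ] || return 1
    # Exact match on the first field only; awk prints nothing for unknown names.
    gt_host=$(awk -v n="$gt_name" '$1 == n { print $2; exit }' "$gt_file")
    [ -n "$gt_host" ] || return 1
    printf '%s\n' "$gt_host"
}

# gateway_main: the login-shell entry point. Arguments from login(1) or a
# "-c command" are deliberately ignored: the only thing this account may do on
# the proxy is reach its configured target.
gateway_main() {
    gt_account=${LOGNAME:-$(id -un)}
    gt_target=$(gateway_target "$gt_account") || {
        echo "ssh-gateway: no target configured for $gt_account" >&2
        exit 1
    }
    # exec replaces the shell, so when ssh exits the session on the proxy ends
    # with it. StrictHostKeyChecking=yes: the proxy must already hold the
    # server's host key, because the user cannot verify it over the telnet leg.
    exec ssh -o StrictHostKeyChecking=yes -- "$gt_target"
}

# Act as a shell only when invoked under the installed name (login(1) prefixes
# a '-' for login shells). Sourcing or running the file under another name just
# defines the functions, which is what the tests do.
case "${0##*/}" in
    ssh-gateway-shell | -ssh-gateway-shell) gateway_main "$@" ;;
esac
```

Install it as /usr/local/bin/ssh-gateway-shell, list it in /etc/shells and set it as the proxy account's shell; the cleartext telnet leg still exposes whatever the user types to the proxy network, which is the cost built into this design.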
From: nico at sonycom.com (Nico De Ranter)
Date: Wed, 27 Sep 2000 08:09:54 +0200
Subject: anoying debug info + can't login automaticaly
In-Reply-To: <20000926220005.A32565@folly>; from markus.friedl@informatik.uni-erlangen.de on Tue, Sep 26, 2000 at 10:00:05PM +0200
References: <20000926172302.A864@immortelle.sonytel.be> <20000926174118.A21585@faui02.informatik.uni-erlangen.de> <20000926175338.B862@immortelle.sonytel.be> <20000926220005.A32565@folly>
Message-ID: <20000927080954.F862@immortelle.sonytel.be>

That would really be too easy, don't you think :-)

immortelle[nico]$ ssh clover
SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x00905100).
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Command 'df' timed out
debug: Seeded RNG with 39 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: ssh_connect: getuid 10043 geteuid 0 anon 0
debug: Connecting to clover [xxx.xxx.xxx.xxx] port 22.
debug: Seeded RNG with 38 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Allocated local port 834.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version OpenSSH_2.2.0p1
debug: Local version string SSH-1.5-OpenSSH_2.2.0p1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'clover' is known and matches the RSA host key.
debug: Seeded RNG with 38 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying rhosts authentication.
debug: Remote: Accepted for immortelle.sonytel.be [xxx.xxx.xxx.xxx] by /etc/hosts.equiv.
debug: Requesting compression at level 6.
debug: Enabling compression at level 6.
debug: Requesting pty.
debug: Requesting X11 forwarding with authentication spoofing.
debug: Requesting shell.
debug: Entering interactive session.
clover[nico]$ debug: client_check_window_change: changed
clover[nico]$ debug: client_check_window_change: changed
debug: client_check_window_change: changed
clover[nico]$ debug: client_check_window_change: changed
clover[nico]$ debug: client_check_window_change: changed
clover[nico]$ debug: client_check_window_change: changed
clover[nico]$ debug: client_check_window_change: changed
clover[nico]$ debug: client_check_window_change: changed
clover[nico]$

Nico

On Tue, Sep 26, 2000 at 10:00:05PM +0200, Markus Friedl wrote:
> don't use ssh -v if you don't want debug output.
>
> On Tue, Sep 26, 2000 at 05:53:38PM +0200, Nico De Ranter wrote:
> > On Tue, Sep 26, 2000 at 05:41:18PM +0200, Markus Friedl wrote:
> > > On Tue, Sep 26, 2000 at 05:23:02PM +0200, Nico De Ranter wrote:
> > > > Howdy,
> > > >
> > > > I'm installing openssh 2.2.0p1 on a number of SUNs running Solaris
> > > > 2.6 but ran into a few problems:
> > > >
> > > > 1. whenever I run a remote X11 application and f.i. change the windowsize
> > > > I get annoying debug messages like
> > > >
> > > > debug: client_check_window_change: changed
> > > >
> > > > This is a problem since I want to use openssh in a production environment.
> > > > Is there any way to turn these messages off?
> > >
> > > no, this is only printed if you turn on debugging, but i'll move it
> > > to debug level 2.
> >
> > I expected something like that, but how do you turn on/off debugging? There
> > is no switch mentioned in configure and I couldn't find anything in the makefile
> > either.
> >
> > Nico
> >
> > > > 2. I used to be able to logon automatically from one machine to another
> > > > (using ssh 1.2.x) but now openssh always asks for a password. (Note:
> > > > I'm using the same host keys and ssh_known_hosts file as before.
> > > >
> > > > Any help would be appreciated.
> > > >
> > > > Nico
> > > >
> > > > --------------------------------------------------------
> > > > "It has been said that there are only two businesses
> > > > refer to customers as users: illegal drug trade and
> > > > the computer industry."
> > > > --------------------------------------------------------
> > > > Nico De Ranter
> > > > Sony Service Center (SDCE/DME-B)
> > > > Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> > > > 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> > > > Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> > > > e-mail: nico.deranter at sonycom.com
> > --------------------------------------------------------
> > "It has been said that there are only two businesses
> > refer to customers as users: illegal drug trade and
> > the computer industry."
> > --------------------------------------------------------
> > Nico De Ranter
> > Sony Service Center (SDCE/DME-B)
> > Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
> > 1130 Brussel (Bruxelles), Belgium, Europe, Earth
> > Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
> > e-mail: nico.deranter at sonycom.com
>

--------------------------------------------------------
"It has been said that there are only two businesses
refer to customers as users: illegal drug trade and
the computer industry."
--------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/DME-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
e-mail: nico.deranter at sonycom.com

From GLeblanc at cu-portland.edu Thu Sep 28 00:37:56 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Wed, 27 Sep 2000 06:37:56 -0700
Subject: anoying debug info + can't login automaticaly
Message-ID: <025836EFF856D411A6660090272811E61D0794@EMAIL>

> -----Original Message-----
> From: Nico De Ranter [mailto:nico at sonycom.com]
>
> That would really be too easy don't you think :-)

RTFM (read the fine man page) dude. The below IS the output from a verbose session of ssh client. Somewhere you've got a setting in ssh_config that says
LogLevel DEBUG
or perhaps
LogLevel VERBOSE

I suppose you might have compiled it with debug logging on, but I don't know if that's possible. Whichever it is, either change or add a line to read
LogLevel QUIET
or
LogLevel INFO

Greg

From nico at sonycom.com Thu Sep 28 01:03:29 2000
From: nico at sonycom.com (Nico De Ranter)
Date: Wed, 27 Sep 2000 16:03:29 +0200
Subject: anoying debug info + can't login automaticaly
In-Reply-To: <025836EFF856D411A6660090272811E61D0794@EMAIL>; from GLeblanc@cu-portland.edu on Wed, Sep 27, 2000 at 06:37:56AM -0700
References: <025836EFF856D411A6660090272811E61D0794@EMAIL>
Message-ID: <20000927160329.R862@immortelle.sonytel.be>

Ah well, reading the manpages would indeed be a nice idea if the installation process would be so kind to install any. There is a manpage, but reading it with man, nroff or groff only creates a single flat file that is really unreadable.

Unfortunately, adding LogLevel QUIET or INFO to /etc/ssh/ssh_config doesn't change a thing, and in sshd_config LogLevel is already set to INFO.

immortelle[nico]$ cat /etc/ssh/ssh_config
Host *
  ForwardAgent yes
  ForwardX11 yes
  FallBackToRsh no
  UseRsh no
  Port 22
  Protocol 2,1
  LogLevel QUIET

immortelle[nico]$ ssh clover
SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x00905100).
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: Command 'df' timed out
debug: Seeded RNG with 39 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: ssh_connect: getuid 10043 geteuid 0 anon 0
debug: Connecting to clover [xxx.xxx.xxx.xxx] port 22.
debug: Seeded RNG with 38 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Allocated local port 838.
debug: Connection established.
debug: Remote protocol version 1.5, remote software version OpenSSH_2.2.0p1
debug: Local version string SSH-1.5-OpenSSH_2.2.0p1
debug: Waiting for server public key.
debug: Received server public key (768 bits) and host key (1024 bits).
debug: Host 'clover' is known and matches the RSA host key.
debug: Seeded RNG with 38 bytes from programs
debug: Seeded RNG with 3 bytes from system calls
debug: Encryption type: 3des
debug: Sent encrypted session key.
debug: Installing crc compensation attack detector.
debug: Received encrypted confirmation.
debug: Trying rhosts authentication.
debug: Remote: Accepted for immortelle.sonytel.be [xxx.xxx.xxx.xxx] by /etc/hosts.equiv.
debug: Requesting compression at level 6.
debug: Enabling compression at level 6.
debug: Requesting pty.
debug: Requesting X11 forwarding with authentication spoofing.
debug: Requesting shell.
debug: Entering interactive session.
clover[nico]$ debug: client_check_window_change: changed
clover[nico]$ debug: client_check_window_change: changed
clover[nico]$ debug: client_check_window_change: changed
clover[nico]$ cat /etc/ssh/sshd_config
# This is ssh server systemwide configuration file.

Port 22
#Protocol 2,1
Protocol 1
ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes

# Logging
SyslogFacility LOCAL1
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication yes
#
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords yes

# Uncomment to disable s/key passwords
#SkeyAuthentication no

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

CheckMail no
#UseLogin no

#Subsystem sftp /usr/local/sbin/sftpd
#MaxStartups 10:30:60

Snif.

On Wed, Sep 27, 2000 at 06:37:56AM -0700, Gregory Leblanc wrote:
> > -----Original Message-----
> > From: Nico De Ranter [mailto:nico at sonycom.com]
> >
> > That would really be too easy don't you think :-)
>
> RTFM (read the fine man page) dude. The below IS the output from a verbose
> session of ssh client. Somewhere you've got a setting in ssh_config that
> says
> LogLevel DEBUG
> or perhaps
> LogLevel VERBOSE
>
> I suppose you might have compiled it with debug logging on, but I don't know
> if that's possible. Whichever it is, either change or add a line to read
> LogLevel QUIET
> or
> LogLevel INFO
>
> Greg
>

--------------------------------------------------------
"It has been said that there are only two businesses
refer to customers as users: illegal drug trade and
the computer industry."
--------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/DME-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
e-mail: nico.deranter at sonycom.com

From nico at sonycom.com Thu Sep 28 01:43:49 2000
From: nico at sonycom.com (Nico De Ranter)
Date: Wed, 27 Sep 2000 16:43:49 +0200
Subject: anoying debug info -- solved
In-Reply-To: <025836EFF856D411A6660090272811E61D0794@EMAIL>; from GLeblanc@cu-portland.edu on Wed, Sep 27, 2000 at 06:37:56AM -0700
References: <025836EFF856D411A6660090272811E61D0794@EMAIL>
Message-ID: <20000927164349.T862@immortelle.sonytel.be>

Please accept my very humble apologies. I copied my colleague's .bashrc some time ago and it turned out the @#%$#@$ idiot created a @!#$#$% alias for ssh which includes the '-v' parameter.

I am very small now... shrinking all the time. Now I will have to commit harikiri. Damn I hate working for a Japanese company. :-)

Anyway, many thanks to all who tried to fix my stupid self-induced problems.

Nico

--------------------------------------------------------
"It has been said that there are only two businesses
refer to customers as users: illegal drug trade and
the computer industry."
--------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/DME-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
e-mail: nico.deranter at sonycom.com

From pekkas at netcore.fi Thu Sep 28 02:25:24 2000
From: pekkas at netcore.fi (Pekka Savola) Date: Wed, 27 Sep 2000 18:25:24 +0300 (EEST) Subject: PATCH: OpenSSH RPM spec file problems Message-ID: Hello all, There are two issues in OpenSSH RPM Red Hat spec file (against 2.2.0p1): 1. /etc/rc.d/init.d/sshd uses 'success' and 'failure'. These don't work in Red Hat 5.2; else the spec file is fine. Initscripts requirement (for the one in RH60) added. 2. If you're upgrading over SSH ltd's ssh-server, the server will be stopped and sshd removed from chkconfig --list. Obsoleletion doesn't seem to qualify as "clean" operation, so the %preun will be run regardless. H.J. Lu supplied the patch. Tested. Similar issues (at least the second) surely apply for the SuSE SPEC file too. -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" -------------- next part -------------- --- openssh.spec.orig Wed Sep 27 18:17:32 2000 +++ openssh.spec Wed Sep 27 18:16:57 2000 @@ -25,6 +25,8 @@ Obsoletes: ssh PreReq: openssl >= 0.9.5a Requires: openssl >= 0.9.5a +### Post-RH52 initscripts is required for 'success'/'failure' in init.d/sshd +Requires: initscripts >= 4.16 BuildPreReq: perl BuildPreReq: openssl-devel BuildPreReq: tcp_wrappers @@ -221,6 +223,25 @@ /etc/rc.d/init.d/sshd stop >&2 /sbin/chkconfig --del sshd fi + +# Deal with the original ssh-server rpm. +%triggerun server -- ssh-server +if [ "$1" != 0 -a -r /var/run/sshd.pid ] +then + touch /var/run/sshd.restart +fi + +%triggerpostun server -- ssh-server +if [ "$1" != 0 ] +then + /sbin/chkconfig --add sshd + if test -f /var/run/sshd.restart + then + rm -f /var/run/sshd.restart + /etc/rc.d/init.d/sshd start >&2 + fi +fi + %files %defattr(-,root,root) From jbw at cee.hw.ac.uk Thu Sep 28 04:33:21 2000 
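Review bot: the new `Requires: initscripts >= 4.16` in the `@@ -25,6 +25,8 @@` hunk lands in the main package preamble (next to `Obsoletes: ssh` and `PreReq: openssl`), but the thing that needs it is /etc/rc.d/init.d/sshd, which the second hunk's `%triggerun server` / `%triggerpostun server` scriptlets show belongs to the server subpackage; move the Requires under the server subpackage so client-only installs are not forced to pull in a newer initscripts. The `###` comment also says "Post-RH52" while the mail says the requirement is the one from RH60; stating the version the init script actually needs, once, in that comment would remove the ambiguity.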
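Review bot: in the `@@ -221,6 +223,25 @@` hunk the restart marker /var/run/sshd.restart is created in `%triggerun server -- ssh-server` whenever /var/run/sshd.pid is readable, but it is only removed inside the `if [ "$1" != 0 ]` branch of `%triggerpostun`; if the postun trigger is not reached (the transaction aborts between the two scriptlets) the marker survives and a later trigger starts sshd unexpectedly. Move `rm -f /var/run/sshd.restart` outside the `if` so it always runs, and consider testing that the pid in /var/run/sshd.pid is alive (`kill -0`) rather than only that the file is readable, since a stale pid file also schedules a restart. Separately, `/sbin/chkconfig --add sshd` runs on every triggerpostun with `$1 != 0`, which re-enables the service on hosts where the administrator had deliberately removed it with `chkconfig --del`.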
From: jbw at cee.hw.ac.uk (Joe Wells)
Date: Wed, 27 Sep 2000 18:33:21 +0100
Subject: intermittent failure with "Authentication response too long"
Message-ID: <200009271733.SAA04639@localhost.localdomain>

Dear OpenSSH gurus,

I have recently (yesterday) upgraded my machine running Red Hat Linux 6.1 with all of the binary rpms generated from the source rpms openssh-2.2.0p1-2.src.rpm and openssl-0.9.5a-3.src.rpm.

Since the upgrade, I have been experiencing intermittent failures. The failures are always accompanied by this error message:

response: Authentication response too long: 1433299822 1024 2b:28:82:7b:56:88:41:40:df:96:d4:36:ae:3f:a9:04 jbw at lcfairouz

The numbers in the error message are always the same.

These failures are intermittent in the sense that sometimes connection attempts fail and later identical connection attempts (exact same invocation of ssh to same target machine) succeed.

I would like to include the debugging output obtained with the "-v" option, but I have been unable to reproduce the problem yet that way. As I wrote above, the problem is intermittent.

This has happened when connecting to two different kinds of remote servers. One kind of remote server is identified by the "-v" output as:

debug: Remote protocol version 1.99, remote software version 2.0.13 (non-commercial)
datafellows: 2.0.13 (non-commercial)

The other kind of remote server is identified by the "-v" output as:

debug: Remote protocol version 1.5, remote software version 1.2.26

Any suggestions as to what might be causing these intermittent failures?

--
Joe Wells
http://www.cee.hw.ac.uk/~jbw/

From jbw at cee.hw.ac.uk Thu Sep 28 04:51:15 2000
From: jbw at cee.hw.ac.uk (Joe Wells)
Date: Wed, 27 Sep 2000 18:51:15 +0100
Subject: trouble logging out when using protocol version 2
Message-ID: <200009271751.SAA04800@localhost.localdomain>

Dear OpenSSH gurus,

My machine is running Red Hat Linux 6.1 and has installed all of the 6.binary rpms generated from the source rpms openssh-2.2.0p1-2.src.rpm 6.and openssl-0.9.5a-3.src.rpm.

When I use protocol version 2 (by specifying "Protocol 2,1" in ~/.ssh/config), I can establish connections properly, but they do not shut down properly. When I run a remote command by "ssh REMOTE-HOST REMOTE-COMMAND", I see the output from REMOTE-COMMAND and then ssh hangs and does nothing forever. I can interrupt it by pressing Control-C (the "intr" character). I have enclosed a script of running "ssh -v REMOTE-HOST REMOTE-COMMAND" below to illustrate this. The last 5 lines of this script happen only after I press Control-C. When I create a remote login session with "ssh REMOTE-HOST", ssh hangs after I try to log out. For about thirty seconds, Control-C and Control-\ (the "quit" character) only cause "^C" and "^\" to be echoed. Then pressing either will successfully interrupt ssh.

Any suggestions?

--
Joe Wells
http://www.cee.hw.ac.uk/~jbw/

----------------------------------------------------------------------

(jbw at moon) 6:41:35pm [~] > ssh -v csb.bu.edu id
SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.
Compiled with SSL (0x0090581f).
debug: Reading configuration data /home/jbw/.ssh/config
debug: Applying options for csb.bu.edu
debug: Reading configuration data /etc/ssh/ssh_config
debug: Seeding random number generator
debug: ssh_connect: getuid 500 geteuid 0 anon 1
YPBINDPROC_DOMAIN: Domain not bound
debug: Connecting to csb.bu.edu [128.197.10.4] port 22.
debug: Connection established.
debug: Remote protocol version 1.99, remote software version 2.0.13 (non-commercial)
datafellows: 2.0.13 (non-commercial)
Enabling compatibility mode for protocol 2.0
debug: Local version string SSH-2.0-OpenSSH_2.2.0p1
debug: Seeding random number generator
debug: send KEXINIT
debug: done
debug: wait KEXINIT
debug: got kexinit: diffie-hellman-group1-sha1
debug: got kexinit: ssh-dss
debug: got kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour,none
debug: got kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour,none
debug: got kexinit: hmac-md5,md5-8,none
debug: got kexinit: hmac-md5,md5-8,none
debug: got kexinit: none,zlib
debug: got kexinit: none,zlib
debug: got kexinit:
debug: got kexinit:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: server->client 3des-cbc hmac-md5 zlib
debug: kex: client->server 3des-cbc hmac-md5 zlib
debug: Sending SSH2_MSG_KEXDH_INIT.
debug: bits set: 515/1024
debug: Wait SSH2_MSG_KEXDH_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: Host 'csb.bu.edu' is known and matches the DSA host key.
debug: bits set: 499/1024
debug: len 40 datafellows 15
debug: dsa_verify: signature correct
debug: Wait SSH2_MSG_NEWKEYS.
debug: Enabling compression at level 6.
debug: GOT SSH2_MSG_NEWKEYS.
debug: send SSH2_MSG_NEWKEYS.
debug: done: send SSH2_MSG_NEWKEYS.
debug: done: KEX2.
debug: send SSH2_MSG_SERVICE_REQUEST
debug: buggy server: service_accept w/o service
debug: got SSH2_MSG_SERVICE_ACCEPT
debug: authentications that can continue: publickey,password
debug: try pubkey: /home/jbw/.ssh/id_dsa
debug: read DSA private key done
debug: sig size 20 20
debug: datafellows
debug: ssh-userauth2 successfull
debug: no set_nonblock for tty fd 4
debug: no set_nonblock for tty fd 5
debug: no set_nonblock for tty fd 6
debug: channel 0: new [client-session]
debug: send channel open 0
debug: Entering interactive session.
debug: callback start
debug: client_init id 0 arg 0
debug: Sending command: id
debug: client_set_session_ident: id 0
debug: callback done
debug: channel 0: open confirm rwindow 10000 rmax 32768
uid=3040(jbw) gid=1012(grad3) groups=1012(grad3),895(techreports),3467(kfoury),43743(intersectuals),2015(jbwfdk),3056(church-admin),43742(church)
debug: compress outgoing: raw data 627, compressed 597, factor 0.95
debug: compress incoming: raw data 198, compressed 171, factor 0.86
Killed by signal 2.
debug: Calling cleanup 0x8056630(0x0)
debug: Calling cleanup 0x805c0d0(0x0)

From pekkas at netcore.fi Thu Sep 28 05:03:18 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 27 Sep 2000 21:03:18 +0300 (EEST)
Subject: trouble logging out when using protocol version 2
In-Reply-To: <200009271751.SAA04800@localhost.localdomain>
Message-ID:

On Wed, 27 Sep 2000, Joe Wells wrote:

> Dear OpenSSH gurus,
>
> My machine is running Red Hat Linux 6.1 and has installed all of the
> 6.binary rpms generated from the source rpms openssh-2.2.0p1-2.src.rpm
> 6.and openssl-0.9.5a-3.src.rpm.
>
> When I use protocol version 2 (by specifying "Protocol 2,1" in
> ~/.ssh/config), I can establish connections properly, but they do not
> shut down properly. When I run a remote command by "ssh REMOTE-HOST
> REMOTE-COMMAND", I see the output from REMOTE-COMMAND and then ssh
> hangs and does nothing forever. I can interrupt it by pressing
> Control-C (the "intr" character). I have enclosed a script of running
> "ssh -v REMOTE-HOST REMOTE-COMMAND" below to illustrate this. The
> last 5 lines of this script happen only after I press Control-C. When
> I create a remote login session with "ssh REMOTE-HOST", ssh hangs
> after I try to log out. For about thirty seconds, Control-C and
> Control-\ (the "quit" character) only cause "^C" and "^\" to be
> echoed. Then pressing either will successfully interrupt ssh.

This is probably related to the following:

Conditions:
1) SSH2 is being used, and
2) a command is left to run in background when exiting

then 'logout' will freeze.

For example,

1) ssh other.host
2) tail -f /var/log/messages &
3) exit

[ freeze if Protocol 2 is being used ]

The server here is 2.2.0p1 (latest snapshot) - RHL62, clients 2.1.1p4 (RHL and FreeBSD).

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi   not those you stumble over and fall"

From jbw at cee.hw.ac.uk Thu Sep 28 05:27:05 2000
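The mechanism behind the freeze Pekka describes, reproduced locally as an added example (not code from the thread or from OpenSSH): sshd reads the session's output through a pipe and only sees end-of-file once every process holding the write end has closed it, so a job left in the background with the inherited descriptors keeps the session open until that job exits. Here `cat` stands in for sshd reading the pipe, and the 3-second job length is a constructed value.

```shell
#!/bin/sh
# Added example, not from the thread: a pipe reader (cat, standing in for
# sshd) does not get EOF until every writer has closed the pipe. A background
# job that inherits the session's stdout therefore pins the session open
# until it exits; redirecting its descriptors first releases the pipe.

HOLD_SECONDS=3   # how long the background job lives (constructed value)

# Run a background job inside a subshell whose stdout is a pipe, wait for the
# pipe reader to see EOF, and print how many seconds that took.
#   $1 = "inherit": the job keeps the inherited pipe (the freeze case)
#   $1 = "detach":  the job's descriptors are pointed at /dev/null first
pipe_drain_seconds() {
    start=$(date +%s)
    case "$1" in
        inherit) ( sleep "$HOLD_SECONDS" & ) | cat >/dev/null ;;
        detach)  ( sleep "$HOLD_SECONDS" </dev/null >/dev/null 2>&1 & ) | cat >/dev/null ;;
        *) echo "usage: pipe_drain_seconds inherit|detach" >&2; return 2 ;;
    esac
    end=$(date +%s)
    echo $((end - start))
}

# True when the reader got EOF promptly, i.e. the job did not pin the session open.
session_closes_promptly() {
    [ "$(pipe_drain_seconds "$1")" -lt 2 ]
}

# Stand-alone demo: ./pipe-drain.sh demo
if [ "${1:-}" = demo ]; then
    echo "inherit: $(pipe_drain_seconds inherit)s until EOF"
    echo "detach:  $(pipe_drain_seconds detach)s until EOF"
fi
```

The same holds for a shell started by sshd: `tail -f /var/log/messages &` keeps the session's stdout and stderr, so the channel cannot reach EOF; `nohup tail -f /var/log/messages >/dev/null 2>&1 &` (or any redirection of all three descriptors) lets the session close while the job keeps running.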
From: jbw at cee.hw.ac.uk (Joe Wells)
Date: Wed, 27 Sep 2000 19:27:05 +0100
Subject: trouble logging out when using protocol version 2
In-Reply-To: (message from Pekka Savola on Wed, 27 Sep 2000 21:03:18 +0300 (EEST))
References:
Message-ID: <200009271827.TAA05217@localhost.localdomain>

> When I use protocol version 2 (by specifying "Protocol 2,1" in
> ~/.ssh/config), I can establish connections properly, but they do
> not shut down properly. When I run a remote command by "ssh
> REMOTE-HOST REMOTE-COMMAND", I see the output from REMOTE-COMMAND
> and then ssh hangs and does nothing forever. I can interrupt it
> by pressing Control-C (the "intr" character). I have enclosed a
> script of running "ssh -v REMOTE-HOST REMOTE-COMMAND" below to
> illustrate this. The last 5 lines of this script happen only
> after I press Control-C. When I create a remote login session
> with "ssh REMOTE-HOST", ssh hangs after I try to log out. For
> about thirty seconds, Control-C and Control-\ (the "quit"
> character) only cause "^C" and "^\" to be echoed. Then pressing
> either will successfully interrupt ssh.

This is probably related to the following:

Conditions:
1) SSH2 is being used, and
2) a command is left to run in background when exiting

then 'logout' will freeze.

Thanks very much for the suggestion. I checked this out carefully, and I am reasonably confident that the situation you describe is not what is happening for me. I tried again after having disabled my configuration files on the target machine (i.e., I temporarily renamed .cshrc, .login, and .logout) and encountered the same problem. Systemwide /etc/.cshrc and /etc/.login files exist, but their contents are not anything that will leave a process running in the background.

Any other suggestions?

--
Joe Wells
http://www.cee.hw.ac.uk/~jbw/

From willday at rom.oit.gatech.edu Thu Sep 28 07:40:31 2000
From: willday at rom.oit.gatech.edu (Will Day)
Date: Wed, 27 Sep 2000 16:40:31 -0400
Subject: -i doesn't work for v2 DSA keys
Message-ID: <20000927164031.A1840@rom.oit.gatech.edu>

I just found that trying to specify a DSA identity file with '-i' doesn't work. Although the man page doesn't indicate that this is supported for DSA keys, it also doesn't indicate very clearly that it's _not_.

Indeed, in ssh.c:main(), the "-i" only increments and sets:
    options.options.num_identity_files
    options.identity_files
where it would need to modify:
    options.options.num_identity_files2
    options.identity_files2
for DSA keys.

I don't know whether "-i" is supposed to support only RSA keys, but it should probably support passing DSA key file names in some fashion (either with "-i", or a different argument letter).

I'd submit a patch, but I don't know which way the developers would want to go.

--
Will Day                          OIT / O&E / Technical Support
willday at rom.oit.gatech.edu    Georgia Tech, Atlanta 30332-0715
-> Opinions expressed are mine alone and do not reflect OIT policy <-
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    Benjamin Franklin, Pennsylvania Assembly, Nov. 11, 1755

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 360 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000927/f4afc075/attachment.bin

From pekkas at netcore.fi Thu Sep 28 08:46:53 2000
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 28 Sep 2000 00:46:53 +0300 (EEST)
Subject: Irix: PRNG initialization failed
Message-ID:

Hello all,

I tried OpenSSH versions 2.1.1p4, 2.2.0p1 and the latest snapshot briefly on 64-bit Irix 6.5.7f and 6.5.9m.

Both times, no matter what I do, I'll get 'PRNG initialization failed -- exiting'. This happens with ssh-keygen (the keys aren't even generated yet, ssh binary etc.)

It's clear that Irix etc. don't have a proper entropy pool like *BSD and Linux do, but shouldn't this be at least usable?

FWIW, configure shows for entropy source: Builtin (timeout 200).

I read a mention or two about entropy daemons and such, but I'm not sure if those should be a must to get this to run..

Any ideas what might be wrong here?

--
Pekka Savola                 "Tell me of difficulties surmounted,
Pekka.Savola at netcore.fi   not those you stumble over and fall"

From markus.friedl at informatik.uni-erlangen.de Thu Sep 28 08:59:53 2000
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Wed, 27 Sep 2000 23:59:53 +0200
Subject: -i doesn't work for v2 DSA keys
In-Reply-To: <20000927164031.A1840@rom.oit.gatech.edu>; from willday@rom.oit.gatech.edu on Wed, Sep 27, 2000 at 04:40:31PM -0400
References: <20000927164031.A1840@rom.oit.gatech.edu>
Message-ID: <20000927235953.A21243@folly>

On Wed, Sep 27, 2000 at 04:40:31PM -0400, Will Day wrote:
> I just found that trying to specify a DSA identity file with '-i' doesn't
> work. Although the man page doesn't indicate that this is supported for
> DSA keys, it also doesn't indicate very clearly that its _not_.
>
> Indeed, in ssh.c:main(), the "-i" only increments and sets:
> options.options.num_identity_files
> options.identity_files
> where it would need to modify:
> options.options.num_identity_files2
> options.identity_files2
> for DSA keys.
>
> I don't know whether "-i" is supposed to support only RSA keys, but it
> should probably support passing DSA key file names in some fashion (either
> with "-i", or a different argument letter).
>
> I'd submit a patch, but I don't know which way the developers would want to
> go.

i'd like to use -i ssh2key, if there is a simple way.

From mouring at pconline.com Thu Sep 28 09:33:22 2000
From: mouring at pconline.com (Ben Lindstrom)
Date: Wed, 27 Sep 2000 17:33:22 -0500 (CDT)
Subject: Irix: PRNG initialization failed
In-Reply-To:
Message-ID:

Play with your ${BASEDIR}/etc/ssh_prng_cmds file. On NeXT I had to change most of the numbers almost up to 0.8 in order to get enough PRNG. Granted.. You want those numbers as low as possible.

If you do a:
ssh -v site.com
it will show you how much PRNG is generated (you need at least 16 bytes).

- Ben

On Thu, 28 Sep 2000, Pekka Savola wrote:

> Hello all,
>
> I tried OpenSSH versions 2.1.1p4, 2.2.0p1 and the latest snapshot briefly
> on 64-bit Irix 6.5.7f an 6.5.9m.
>
> Both times, no matter what I do, I'll get 'PRNG initialization failed
> -- exiting'. This happens with ssh-keygen (the keys aren't even generated
> yet, ssh binary etc.)
>
> It's clear that Irix etc. don't have a proper entropy pool like *BSD and
> Linux do, but shouldn't this be at least usable?
>
> FWIW, consigure shows for entropy source: Builtin (timeout 200).
>
> I read a mention or two about entropy daemons and such, but I'm not sure
> if those should be a must to get this to run..
>
> Any ideas what might be wrong here?
>
> --
> Pekka Savola                 "Tell me of difficulties surmounted,
> Pekka.Savola at netcore.fi   not those you stumble over and fall"
>
>

From GLeblanc at cu-portland.edu Thu Sep 28 09:57:13 2000
From: GLeblanc at cu-portland.edu (Gregory Leblanc)
Date: Wed, 27 Sep 2000 15:57:13 -0700
Subject: Irix: PRNG initialization failed
Message-ID: <025836EFF856D411A6660090272811E61D079F@EMAIL>

> -----Original Message-----
> From: Ben Lindstrom [mailto:mouring at pconline.com]
>
> Play with your ${BASEDIR}/etc/ssh_prng_cmds file. On NeXT I had to
> change most of the numbers almost up to 0.8 in order to get enough
> PRNG. Granted.. You want those numbers as low as possible.
> If you do a:
> ssh -v site.com it will show you how much PRNG is generated
> (you need at
> least 16bytes).

I'm assuming that I just don't know how to read, but what does that line look like? This would be my guess, but I'm not real sure, as it isn't clear what this is talking about (to me).

debug: len 55 datafellows 0

Greg

From djm at mindrot.org Thu Sep 28 10:03:27 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 28 Sep 2000 10:03:27 +1100 (EST)
Subject: trouble logging out when using protocol version 2
In-Reply-To: <200009271751.SAA04800@localhost.localdomain>
Message-ID:

On Wed, 27 Sep 2000, Joe Wells wrote:

> Dear OpenSSH gurus,
>
> My machine is running Red Hat Linux 6.1 and has installed all of the
> 6.binary rpms generated from the source rpms openssh-2.2.0p1-2.src.rpm
> 6.and openssl-0.9.5a-3.src.rpm.
>
> When I use protocol version 2 (by specifying "Protocol 2,1" in
> ~/.ssh/config), I can establish connections properly, but they do not
> shut down properly.

Try the latest snapshot at http://www.mindrot.org/misc/openssh/

-d

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From djm at mindrot.org Thu Sep 28 10:12:37 2000
From: djm at mindrot.org (Damien Miller)
Date: Thu, 28 Sep 2000 10:12:37 +1100 (EST)
Subject: Irix: PRNG initialization failed
In-Reply-To:
Message-ID:

On Thu, 28 Sep 2000, Pekka Savola wrote:

> Hello all,
>
> I tried OpenSSH versions 2.1.1p4, 2.2.0p1 and the latest snapshot briefly
> on 64-bit Irix 6.5.7f an 6.5.9m.
>
> Both times, no matter what I do, I'll get 'PRNG initialization failed
> -- exiting'. This happens with ssh-keygen (the keys aren't even generated
> yet, ssh binary etc.)
>
> It's clear that Irix etc. don't have a proper entropy pool like *BSD and
> Linux do, but shouldn't this be at least usable?
>
> FWIW, consigure shows for entropy source: Builtin (timeout 200).
>
> I read a mention or two about entropy daemons and such, but I'm not sure
> if those should be a must to get this to run..

Portable OpenSSH tries to collect randomness by running commands and stirring their output into OpenSSL's random pool. If enough commands fail, or no data is read from said commands, then you will fail with the above error message.

You may want to adjust the commands in the ssh_prng_cmds to suit your system. If you have any favourites, please send them to me for inclusion.

Alternately you can debug the execution of the commands by defining the DEBUG_ENTROPY flag in entropy.c

-d

--
| ``The power of accurate observation is  | Damien Miller
| commonly called cynicism by those who   | @Work
| have not got it'' - George Bernard Shaw | http://www.mindrot.org

From janfrode at parallab.uib.no Thu Sep 28 17:54:43 2000
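The collection step Damien describes, and the "at least 16 bytes" figure Ben gives earlier in the thread, modelled in portable shell as an added example (this is not OpenSSH's entropy.c). Each source is run with a timeout, its output is counted, the byte count is scaled by the per-source rate, and the sum is the entropy estimate that decides between success and "PRNG initialization failed". The three sources, their rates and the 5-second timeout are constructed, and the rate is treated here simply as "entropy bytes credited per output byte", an assumption since the thread does not state the real file's units.

```shell
#!/bin/sh
# Added example, not OpenSSH's entropy.c: a shell model of seeding from the
# output of commands. A source that is missing or exceeds its timeout
# contributes nothing, which is what the "Command 'df' timed out" debug line
# in the thread reports; too little credited output means failure.

# Constructed list in the ssh_prng_cmds layout: "command" executable rate
PRNG_CMDS='"ls -l /" /bin/ls 0.5
"date" /bin/date 0.1
"/nonexistent/entropy-source" /nonexistent/entropy-source 1.0'
PRNG_TIMEOUT=5           # seconds a source may run before it is abandoned (constructed)
PRNG_NEEDED=16           # bytes of estimated entropy required (the figure from the thread)

# Run one source and print how many bytes of output it produced. A missing
# executable or a timeout counts as 0.
#   $1 command string, $2 executable path, $3 timeout in seconds
prng_bytes_from() {
    [ -x "$2" ] || { echo 0; return 0; }
    out=$(mktemp) || return 1
    sh -c "$1" >"$out" 2>/dev/null </dev/null &
    pid=$!
    waited=0
    while kill -0 "$pid" 2>/dev/null && [ "$waited" -lt "$3" ]; do
        sleep 1
        waited=$((waited + 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
        kill "$pid" 2>/dev/null || true      # still running: abandon it, credit nothing
        wait "$pid" 2>/dev/null || true
        rm -f "$out"
        echo 0
        return 0
    fi
    wait "$pid" 2>/dev/null || true
    wc -c <"$out" | tr -d ' '
    rm -f "$out"
}

# Run every source in the list (default: PRNG_CMDS) and print the total
# estimate, i.e. the sum of bytes x rate over all sources.
prng_collect() {
    printf '%s\n' "${1:-$PRNG_CMDS}" | while IFS= read -r line; do
        cmd=$(printf '%s\n' "$line" | sed 's/^"\([^"]*\)".*/\1/')
        rest=$(printf '%s\n' "$line" | sed 's/^"[^"]*" *//')
        set -- $rest                          # $1 = executable, $2 = rate
        bytes=$(prng_bytes_from "$cmd" "$1" "$PRNG_TIMEOUT")
        printf '%s %s\n' "$bytes" "$2"
    done | awk '{ est += $1 * $2 } END { printf "%.2f\n", est }'
}

# True when the estimate reaches PRNG_NEEDED; false is the model's
# "PRNG initialization failed".
prng_enough() {
    awk -v est="$1" -v need="$PRNG_NEEDED" 'BEGIN { exit !(est >= need) }'
}

# Stand-alone demo: ./prng-collect.sh demo
if [ "${1:-}" = demo ]; then
    est=$(prng_collect)
    if prng_enough "$est"; then
        echo "collected an estimated $est bytes of entropy"
    else
        echo "PRNG initialization failed -- estimated only $est bytes" >&2
    fi
fi
```

Raising a rate, as Ben did on NeXT, only raises the credit given to the same output; it does not make the output less predictable, which is why he adds that the numbers should stay as low as possible and why fixing a source that times out (as Jan-Frode did with netstat) is the better cure.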
From: janfrode at parallab.uib.no (Jan-Frode Myklebust) Date: Thu, 28 Sep 2000 08:54:43 +0200 Subject: trouble logging out when using protocol version 2 In-Reply-To: ; from djm@mindrot.org on Thu, Sep 28, 2000 at 10:03:27AM +1100 References: <200009271751.SAA04800@localhost.localdomain> Message-ID: <20000928085443.B19067@ii.uib.no> On Thu, Sep 28, 2000 at 10:03:27AM +1100, Damien Miller wrote: > > > > When I use protocol version 2 (by specifying "Protocol 2,1" in > > ~/.ssh/config), I can establish connections properly, but they do not > > shut down properly. > > Try the latest snapshot at http://www.mindrot.org/misc/openssh/ > I'm seeing this with the latest snapshot also. The client is a Solaris 8 with Secure Shell 2.3.0, and the server is IRIX64 6.5.9m with openssh-SNAP-2000092401. If I do a: client% ssh -v openssh-server openssh-server% sleep 90 & openssh-server% exit debug: Ssh2ChannelSession/sshchsession.c:1306: received exit status : 0 Then the connection will hang until the sleep dies. And then it will continue outputting this debugging: debug: Ssh2Common/sshcommon.c:660: num_channels now 0 debug: Got session close with exit_status=0 debug: destroying client struct... debug: uninitializing event loop then it's finished. Putting the server in verbose logging mode doesn't seem to give any useful information: Connection from 129.177.192.45 port 34063 datafellows: 2.3.0 SSH Secure Shell (non-commercial) Enabling compatibility mode for protocol 2.0 Failed none for janfrode from 129.177.192.45 port 34063 ssh2 Failed none for janfrode from 129.177.192.45 port 34063 ssh2 Accepted password for janfrode from 129.177.192.45 port 34063 ssh2 [here's the 90 second hang] Connection closed by remote host. The same problem occurs if the client is openssh in -2 mode (on irix). 
The debugging output I get here is: openssh-server% sleep 90 & openssh-server% exit logout debug: callback start debug: client_input_channel_req: rtype exit-status reply 0 debug: callback done [90 second hang] debug: channel 0: rcvd eof debug: channel 0: output open -> drain debug: channel 0: rcvd close debug: channel 0: input open -> closed debug: channel 0: close_read debug: channel 0: obuf empty debug: channel 0: output drain -> closed debug: channel 0: close_write debug: channel 0: send close debug: channel 0: full closed2 debug: channel_free: channel 0: status: The following connections are open: #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1) debug: !channel_still_open. Connection to dontask closed. debug: Transferred: stdin 0, stdout 0, stderr 31 bytes in 34.3 seconds debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.9 debug: Exit status 0 debug: writing PRNG seed to file /usr/people/jfm/.ssh/prng_seed -jf From janfrode at parallab.uib.no Thu Sep 28 17:58:53 2000 From: janfrode at parallab.uib.no (Jan-Frode Myklebust) Date: Thu, 28 Sep 2000 08:58:53 +0200 Subject: Irix: PRNG initialization failed In-Reply-To: ; from pekkas@netcore.fi on Thu, Sep 28, 2000 at 12:46:53AM +0300 References: Message-ID: <20000928085853.C19067@ii.uib.no> On Thu, Sep 28, 2000 at 12:46:53AM +0300, Pekka Savola wrote: > Hello all, > > I tried OpenSSH versions 2.1.1p4, 2.2.0p1 and the latest snapshot briefly > on 64-bit Irix 6.5.7f an 6.5.9m. > > Both times, no matter what I do, I'll get 'PRNG initialization failed > -- exiting'. This happens with ssh-keygen (the keys aren't even generated > yet, ssh binary etc.) > I've had some minor problems with netstat timing out when used for PRNG on IRIX, so I just commented the netstat lines out from etc/ssh_prng_cmds. Works much better now. -jf From sgr at rotzorg.org Thu Sep 28 18:08:03 2000 
From: sgr at rotzorg.org (Sendy) Date: Thu, 28 Sep 2000 09:08:03 +0200 Subject: SSH_CLIENT _not_ set when doing a command In-Reply-To: ; from Damien Miller on Tue, Sep 26, 2000 at 12:14:26PM +1100 References: <20000924144736.B23003@stereo.rotzorg.org> Message-ID: <20000928090803.D9365@stereo.rotzorg.org> Hi, a friend of mine did some debugging and found that the envvar _is_ set when using a /bin/csh as loginshell, but _not_ set using /bin/bash. Look at this: sgr at PCB25:~$ cat /etc/passwd | egrep "sgr|patrick" sgr:x:1000:1000:Sander,,,:/home/sgr:/bin/bash patrick:x:1001:1001:Patrick,,,:/home/patrick:/bin/csh sgr at PCB25:~$ ssh -l sgr localhost 'env|grep SSH' sgr at localhost's password: SSH_AUTH_SOCK=/tmp/ssh-zSIp1721/agent.1721 sgr at PCB25:~$ ssh -l patrick localhost 'env|grep SSH' patrick at localhost's password: SSH_CLIENT=127.0.0.1 1583 22 SSH_AUTH_SOCK=/tmp/ssh-spvt1729/agent.1729 sgr at PCB25:~$ So, maybe it's a problem with my bash? Thanks for your help, Sendy sendy at dds.nl From pekkas at netcore.fi Thu Sep 28 20:39:08 2000
From: pekkas at netcore.fi (Pekka Savola) Date: Thu, 28 Sep 2000 12:39:08 +0300 (EEST) Subject: Irix: PRNG initialization failed In-Reply-To: Message-ID: Hello all, In response to this and other suggestions; Uncommenting DEBUG_ENTROPY #define in entropy.c didn't help at all; no extra messages were shown. I also tweaked ssh_prng file in /etc, and upped the values by changing 0.0X to 0.X. No effect. I also tried uncommenting netstat lines, also no effect. The PRNG initialization error happens right in the beginning of 'ssh -v', 'ssh-keygen' etc. -- no other output is generated. Any other suggestions? I guess I must debug entropy.c by hand next. Regards, Pekka On Thu, 28 Sep 2000, Damien Miller wrote: > On Thu, 28 Sep 2000, Pekka Savola wrote: > > > Hello all, > > > > I tried OpenSSH versions 2.1.1p4, 2.2.0p1 and the latest snapshot briefly > > on 64-bit Irix 6.5.7f and 6.5.9m. > > > > Both times, no matter what I do, I'll get 'PRNG initialization failed > > -- exiting'. This happens with ssh-keygen (the keys aren't even generated > > yet, ssh binary etc.) > > > > It's clear that Irix etc. don't have a proper entropy pool like *BSD and > > Linux do, but shouldn't this be at least usable? > > > > FWIW, configure shows for entropy source: Builtin (timeout 200). > > > > I read a mention or two about entropy daemons and such, but I'm not sure > > if those should be a must to get this to run.. > > Portable OpenSSH tries to collect randomness by running commands and > stirring their output into OpenSSL's random pool. If enough commands > fail, or no data is read from said commands, then you will fail with > the above error message. > > You may want to adjust the commands in the ssh_prng_cmds to suit your > system. If you have any favourites, please send them to me for > inclusion. 
> > Alternately you can debug the execution of the commands by defining > the DEBUG_ENTROPY flag in entropy.c > > -d > > > -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" From daniels at dds.nl Fri Sep 29 00:50:28 2000 From: daniels at dds.nl (Daniel Saakes) Date: Thu, 28 Sep 2000 15:50:28 +0200 Subject: SSH_CLIENT _not_ set when doing a command Message-ID: <20000928155028.A13408@kroket.net> Hi, we (sendy & me) think it is a bash problem. I'm testing on a debian woody i386 system. bash-2.04$ ssh localhost 'env | grep SSH' daniel at localhost's password: SSH_AUTH_SOCK=/tmp/ssh-IcJ10349/agent.10349 so I made a small test program: --- code ---
#include <stdio.h>      /* perror() */
#include <unistd.h>     /* execve() */

int main(void)
{
    char *argv[3];
    char *env[3];       /* two variables plus the terminating NULL */

    env[0] = "SSH_WHATEVER=OK";
    env[1] = "SSH_CLIENT=127.0.0.1 929 22";
    env[2] = NULL;
    argv[0] = "-bash";  /* leading '-' makes bash start as a login shell */
    argv[1] = NULL;
    execve("/bin/bash", argv, env);
    perror("execve");   /* only reached if the shell could not be started */
    return 1;
}
--- end code --- in this program the SSH_CLIENT doesn't show up either: bash-2.04$ ./test daniel at this:/usr/local/src/test-execve$ env | grep SSH SSH_WHATEVER=OK if I change the shell in the program to "/bin/ash" (or "/bin/csh") everything is ok: bash-2.04$ ./test $ env | grep SSH SSH_CLIENT=127.0.0.1 929 22 SSH_WHATEVER=OK In the bash source the SSH_CLIENT is treated as a 'special variable' and if we remove this treatment the patched bash version works ok with sshd. So I have mailed the debian bash maintainer about it; in the meantime we use the ash shell for our dynamic dns system, which works all right. regards, Daniel Saakes From pekkas at netcore.fi Fri Sep 29 04:29:14 2000
From: pekkas at netcore.fi (Pekka Savola) Date: Thu, 28 Sep 2000 20:29:14 +0300 (EEST) Subject: Irix: PRNG initialization failed In-Reply-To: Message-ID: On Thu, 28 Sep 2000, Pekka Savola wrote: > The PRNG initialization error happens right in the beginning of 'ssh -v', > 'ssh-keygen' etc. -- no other output is generated. > > I guess I must debug entropy.c by hand next. The problem was that by default, only 14 sources of entropy were being used, the minimum value being 16. The good sources like 'netstat', 'ifconfig', 'arp', etc. are missing. This is caused by Irix putting certain system utils in /usr/etc which is not in default user's path. Also, 'ls -alTi' doesn't work w/ Irix (T not implemented). I'm not sure if this is 100% best way to deal with this, but it seemed to help. Patch attached. I also noticed that 'ssh -v' etc. don't show debug() messages in entropy.c. This makes me wonder if this is intentional as they're shown in e.g. sshconnect.c. -- Pekka Savola "Tell me of difficulties surmounted, Pekka.Savola at netcore.fi not those you stumble over and fall" -------------- next part -------------- --- configure.in.orig Sun Sep 24 03:21:31 2000 +++ configure.in Thu Sep 28 20:12:49 2000 @@ -92,6 +92,7 @@ *-*-irix5*) CFLAGS="$CFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS" + PATH="$PATH:/usr/etc" MANTYPE='$(CATMAN)' no_libsocket=1 no_libnsl=1 @@ -100,6 +101,7 @@ *-*-irix6*) CFLAGS="$CFLAGS -I/usr/local/include" LDFLAGS="$LDFLAGS" + PATH="$PATH:/usr/etc" MANTYPE='$(CATMAN)' AC_DEFINE(WITH_IRIX_ARRAY) AC_DEFINE(WITH_IRIX_PROJECT) From mouring at pconline.com Fri Sep 29 08:36:52 2000
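Review bot: the `+ PATH="$PATH:/usr/etc"` line in both the irix5 and irix6 hunks carries no comment saying why it is there; since this PATH only affects the configure run, add a one-line comment that it lets the entropy commands (netstat, ifconfig, arp) be located in /usr/etc when ssh_prng_cmds is generated, otherwise the next reader has to find this mail. The `ls -alTi` failure mentioned in the message is not covered by these hunks and needs a separate change to that ssh_prng_cmds entry.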
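An added example, not OpenSSH's entropy.c and not code from this thread, that walks an ssh_prng_cmds-style list the way Damien describes and Pekka's diagnosis needs: it runs each command whose path actually exists, counts the output bytes and applies the per-command rate, so a list whose /usr/etc tools cannot be found lands below the 16-byte figure Ben quoted. The `"command args" path rate` line format and the reading of rate as entropy bits per output byte are assumptions, and the sample list is constructed.

```c
/* Added example (not OpenSSH's entropy.c): estimate what an ssh_prng_cmds file
 * yields.  Assumed format: "command args" /path rate, rate = entropy bits/byte. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define CMD_MAX 256
#define NEEDED_BITS (16 * 8)   /* "at least 16 bytes", as quoted in the thread */

struct prng_cmd {
    char cmd[CMD_MAX];   /* text between the quotes */
    char path[CMD_MAX];  /* executable named by the second field */
    double rate;         /* estimated entropy bits per output byte */
};
struct entropy_report {
    double bits;    /* estimated entropy gathered, in bits */
    int parsed;     /* well-formed entries */
    int malformed;  /* entries rejected by the parser */
    int used;       /* entries whose command ran and produced output */
};

/* Parse one line: 1 = entry, 0 = blank/comment, -1 = malformed. */
int parse_prng_line(const char *line, struct prng_cmd *out)
{
    const char *p = line, *end;
    size_t len;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p == '\0' || *p == '\n' || *p == '#')
        return 0;
    if (*p != '"' || (end = strchr(p + 1, '"')) == NULL)
        return -1;
    len = (size_t)(end - (p + 1));
    if (len == 0 || len >= sizeof(out->cmd))
        return -1;
    memcpy(out->cmd, p + 1, len);
    out->cmd[len] = '\0';
    /* second field: path; third: rate, which must be a positive number */
    if (sscanf(end + 1, "%255s %lf", out->path, &out->rate) != 2 || out->rate <= 0.0)
        return -1;
    return 1;
}

/* Run one entry and count the bytes it writes to stdout.  A missing or
 * non-executable path contributes nothing (the Irix /usr/etc problem).
 * A real collector also needs a timeout; the netstat hangs show why. */
size_t run_and_count(const struct prng_cmd *c)
{
    char full[2 * CMD_MAX + 16], buf[1024];
    const char *args = strchr(c->cmd, ' ');  /* arguments after the program name */
    size_t n, total = 0;
    FILE *fp;
    if (access(c->path, X_OK) != 0)
        return 0;
    snprintf(full, sizeof(full), "%s%s 2>/dev/null", c->path, args ? args : "");
    if ((fp = popen(full, "r")) == NULL)
        return 0;
    while ((n = fread(buf, 1, sizeof(buf), fp)) > 0)
        total += n;
    pclose(fp);
    return total;
}

/* Walk a whole ssh_prng_cmds text and total up the estimate. */
struct entropy_report estimate_entropy(const char *text)
{
    struct entropy_report r = { 0.0, 0, 0, 0 };
    char *copy = strdup(text), *line, *save;
    for (line = strtok_r(copy, "\n", &save); line; line = strtok_r(NULL, "\n", &save)) {
        struct prng_cmd c;
        int rc = parse_prng_line(line, &c);
        size_t n;
        if (rc < 0)
            r.malformed++;
        if (rc <= 0)
            continue;
        r.parsed++;
        if ((n = run_and_count(&c)) > 0) {
            r.used++;
            r.bits += (double)n * c.rate;
        }
    }
    free(copy);
    return r;
}

/* Constructed sample: a command present on any system, the Irix-only
 * /usr/etc location that was off the PATH, and one malformed line. */
const char *SAMPLE_PRNG_CMDS =
    "# constructed sample, not a real ssh_prng_cmds\n"
    "\"echo 0123456789abcdef\"  /bin/echo  8.0\n"
    "\"netstat -an\"  /usr/etc/netstat  0.05\n"
    "ls -alTi /  /bin/ls  0.02\n";

int main(void)
{
    struct entropy_report r = estimate_entropy(SAMPLE_PRNG_CMDS);
    printf("%d parsed, %d malformed, %d produced output, ~%.1f bits: %s\n",
           r.parsed, r.malformed, r.used, r.bits,
           r.bits >= NEEDED_BITS ? "enough for a 16-byte seed" : "PRNG init would fail");
    return r.bits >= NEEDED_BITS ? 0 : 1;
}
```

Point estimate_entropy() at the text of a real ssh_prng_cmds to see which entries fail the path check before sshd does.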
From: mouring at pconline.com (Ben Lindstrom) Date: Thu, 28 Sep 2000 16:36:52 -0500 (CDT) Subject: [PATCH] Next cleanup part 4 or 5 by now.=) Message-ID: Changes: * Removed utimes() posix hack since scp.c moved to utimes() * Fixed waitpid() to be more proper. It was driving me nuts. * Made setsid() a #define in next-posix.h * Removed WCOREDUMP() from next-posix.h since we really don't support it and now #ifdef .. #else .. #endif around the single place it was used. * Fixed typecasting issue in sshd.c with sizeof() returning "long int" on next when we expect "int". Current known issues: * sftp-server still is broken under NeXT, and I'm still unsure why. It manifests itself in readdir() in the form of a lstat() issue which is bogus. * None of the syslog stuff is working under NeXT (found that out recently while debugging sftp-server =). Either syslogd is quietly dropping them or it's not making it to syslogd. Unsure which at the moment since I was undergoing a domain change recently. -------------- next part -------------- diff -ru openssh/next-posix.c onext/next-posix.c --- openssh/next-posix.c Thu Aug 31 22:14:37 2000 +++ onext/next-posix.c Thu Sep 28 16:19:39 2000 
@@ -1,3 +1,25 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + #include "includes.h" #ifdef HAVE_NEXT 
@@ -8,46 +30,32 @@ pid_t posix_wait(int *status) { - #undef wait /* Use NeXT's wait() function */ union wait statusp; pid_t wait_pid; + #undef wait /* Use NeXT's wait() function */ wait_pid = wait(&statusp); status = (int *) statusp.w_status; return wait_pid; } - -int -posix_utime(char *filename,struct utimbuf *buf) -{ - time_t timep[2]; - - timep[0] = buf->actime; - timep[1] = buf->modtime; - - #undef utime /* Use NeXT's utime() function */ - return utime(filename,timep); -} - - -int -waitpid(int pid, int *stat_loc, int options) +pid_t +waitpid(int pid, int *stat_loc, int options) { + union wait statusp; + pid_t wait_pid; + if (pid <= 0) { if (pid != -1) { errno = EINVAL; return -1; } - pid = 0; /* wait4() expects pid=0 for indiscriminate wait. */ + pid = 0; /* wait4() wants pid=0 for indiscriminate wait. */ } - return wait4(pid, (union wait *)stat_loc, options, NULL); -} - -pid_t setsid(void) -{ - return setpgrp(0, getpid()); + wait_pid = wait4(pid, &statusp, options, NULL); + stat_loc = (int *)statusp.w_status; + return wait_pid; } int @@ -81,10 +89,7 @@ int tcsetpgrp(int fd, pid_t pgrp) { - int s; - - s = pgrp; - return (ioctl(fd, TIOCSPGRP, &s)); + return (ioctl(fd, TIOCSPGRP, &pgrp)); } speed_t cfgetospeed(const struct termios *t) diff -ru openssh/next-posix.h onext/next-posix.h --- openssh/next-posix.h Sat Sep 23 19:10:13 2000 +++ onext/next-posix.h Thu Sep 28 16:11:21 2000 
@@ -1,5 +1,24 @@ /* - * Defines and prototypes specific to NeXT system + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * */ #ifndef _NEXT_POSIX_H @@ -9,15 +28,9 @@ #include -/* readdir() returns struct direct (BSD) not struct dirent (POSIX) */ +/* NeXT's Readdir() is BSD (struct direct) not POSIX (struct dirent) */ #define dirent direct -/* POSIX utime() struct */ -struct utimbuf { - time_t actime; - time_t modtime; -}; - /* FILE */ #define O_NONBLOCK 00004 /* non-blocking open */ 
@@ -31,19 +44,14 @@ #define WIFSIGNALED(w) (!WIFEXITED(w) && !WIFSTOPPED(w)) #define WEXITSTATUS(w) (int)(WIFEXITED(w) ? (((w) >> 8) & 0377) : -1) #define WTERMSIG(w) (int)(WIFSIGNALED(w) ? ((w) & 0177) : -1) -#define WCOREFLAG 0x80 -#define WCOREDUMP(w) ((w) & WCOREFLAG) - -/* POSIX "wrapper" functions to replace to BSD functions */ -int posix_utime(char *filename, struct utimbuf *buf); /* new utime() */ -#define utime posix_utime -pid_t posix_wait(int *status); /* new wait() */ -#define wait posix_wait +/* Swap out the next 'BSDish' wait() for a more POSIX complient one */ +pid_t posix_wait(int *status); +#define wait(a) posix_wait(a) /* MISC functions */ -int waitpid(int pid, int *stat_loc, int options); -pid_t setsid(void); +#define setsid() setpgrp(0, getpid()) +pid_t waitpid(int pid, int *stat_loc, int options); /* TERMCAP */ int tcgetattr(int fd, struct termios *t); @@ -54,5 +62,4 @@ int cfsetospeed(struct termios *t, int speed); #endif /* HAVE_NEXT */ - #endif /* _NEXT_POSIX_H */ Only in onext: ssh_prng_cmds diff -ru openssh/sshd.c onext/sshd.c --- openssh/sshd.c Sat Sep 23 01:15:57 2000 +++ onext/sshd.c Thu Sep 28 15:38:39 2000 @@ -1259,7 +1259,7 @@ if (len < 0 || len > sizeof(session_key)) fatal("do_connection: bad len from %s: session_key_int %d > sizeof(session_key) %d", get_remote_ipaddr(), - len, sizeof(session_key)); + len, (int) sizeof(session_key)); memset(session_key, 0, sizeof(session_key)); BN_bn2bin(session_key_int, session_key + sizeof(session_key) - len); From djm at mindrot.org Fri Sep 29 11:34:28 2000 
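Review bot: the new license block in the first hunk of next-posix.c (and the matching first hunk of next-posix.h) says redistributions "must retain the above copyright notice", but neither hunk adds a copyright line, so the clause has nothing to refer to; add `* Copyright (c) 2000 Ben Lindstrom.  All rights reserved.` above the conditions. The next-posix.h hunk also replaces the only descriptive comment ("Defines and prototypes specific to NeXT system") with the license text; keep that line after it.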
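Review bot: in the `@@ -8,46 +30,32 @@` hunk of next-posix.c the exit status never reaches the caller: `status = (int *) statusp.w_status;` in posix_wait() and the new `stat_loc = (int *)statusp.w_status;` in waitpid() overwrite the local pointer parameter instead of storing through it, so a caller that tests WIFEXITED()/WEXITSTATUS() on its own variable reads an uninitialised int. Use `if (status != NULL) *status = statusp.w_status;` and the same for stat_loc. The new definition also returns pid_t while keeping `int pid` as the first parameter; make it `pid_t pid` here and in the next-posix.h declaration.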
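Review bot: in the tcsetpgrp hunk (`@@ -81,10 +89,7 @@`) of next-posix.c, passing `&pgrp` straight to `ioctl(fd, TIOCSPGRP, ...)` assumes pid_t has the same size as the int the ioctl reads through the pointer; the removed `int s = pgrp;` temporary was the portable form, so either keep it or add a comment stating that pid_t is int on NeXT.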
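Review bot: in the `@@ -31,19 +44,14 @@` hunk of next-posix.h the reason for the function-like `#define wait(a) posix_wait(a)` is not stated; it deserves a comment that the old object-like form would also rewrite `union wait` in next-posix.c, so nobody simplifies it back. "complient" should read "compliant", and the `setsid()` macro expands to `setpgrp(0, getpid())`, whose int return type differs from setsid's pid_t; note that next to the macro.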
From: djm at mindrot.org (Damien Miller) Date: Fri, 29 Sep 2000 11:34:28 +1100 (EST) Subject: SSH_CLIENT _not_ set when doing a command In-Reply-To: <20000928155028.A13408@kroket.net> Message-ID: On Thu, 28 Sep 2000, Daniel Saakes wrote: > Hi, > we (sendy & me) think it is a bash problem. Are you sure you don't have something in /etc/profile, ~/.bash_profile etc which is clearing the environment? -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From mouring at pconline.com Fri Sep 29 14:56:09 2000 From: mouring at pconline.com (Ben Lindstrom) Date: Thu, 28 Sep 2000 22:56:09 -0500 (CDT) Subject: [PATCH] snprintf %lld and %qd support. In-Reply-To: Message-ID: Added support for most Long Long options. Even if I suspect most of them will never be used (if they are even valid.. I've never seen %llx, %llo, %qx, and %qo before in my life). Does not resolve the NeXT sftp-server issue, but should help those that had to suffer when we switched snprintf() to get NeXT support integrated into the portable tree. =) - Ben -------------- next part -------------- --- ../onext/bsd-snprintf.c Tue Aug 29 17:21:22 2000 +++ bsd-snprintf.c Thu Sep 28 18:30:05 2000 @@ -38,6 +38,10 @@ * missing. Some systems only have snprintf() but not vsnprintf(), so * the code is now broken down under HAVE_SNPRINTF and HAVE_VSNPRINTF. * + * Ben Lindstrom 09/27/00 for OpenSSH + * Welcome to the world of %lld and %qd support. With other + * long long support. This is needed for sftp-server to work + * right. **************************************************************/ #include "config.h" @@ -111,9 +115,10 @@ #define DP_F_UNSIGNED (1 << 6) /* Conversion Flags */ -#define DP_C_SHORT 1 -#define DP_C_LONG 2 -#define DP_C_LDOUBLE 3 +#define DP_C_SHORT 1 +#define DP_C_LONG 2 +#define DP_C_LDOUBLE 3 +#define DP_C_LONG_LONG 4 #define char_to_int(p) (p - '0') #ifndef MAX 
@@ -222,7 +227,6 @@ state = DP_S_MOD; break; case DP_S_MOD: - /* Currently, we don't support Long Long, bummer */ switch (ch) { case 'h': @@ -232,7 +236,15 @@ case 'l': cflags = DP_C_LONG; ch = *format++; + if (ch == 'l') { + cflags = DP_C_LONG_LONG; + ch = *format++; + } break; + case 'q': + cflags = DP_C_LONG_LONG; + ch = *format++; + break; case 'L': cflags = DP_C_LDOUBLE; ch = *format++; @@ -251,6 +263,8 @@ value = va_arg (args, short int); else if (cflags == DP_C_LONG) value = va_arg (args, long int); + else if (cflags == DP_C_LONG_LONG) + value = va_arg (args, long long); else value = va_arg (args, int); fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags); @@ -261,6 +275,8 @@ value = va_arg (args, unsigned short int); else if (cflags == DP_C_LONG) value = va_arg (args, unsigned long int); + else if (cflags == DP_C_LONG_LONG) + value = va_arg (args, unsigned long long); else value = va_arg (args, unsigned int); fmtint (buffer, &currlen, maxlen, value, 8, min, max, flags); @@ -271,6 +287,8 @@ value = va_arg (args, unsigned short int); else if (cflags == DP_C_LONG) value = va_arg (args, unsigned long int); + else if (cflags == DP_C_LONG_LONG) + value = va_arg (args, unsigned long long); else value = va_arg (args, unsigned int); fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags); @@ -283,6 +301,8 @@ value = va_arg (args, unsigned short int); else if (cflags == DP_C_LONG) value = va_arg (args, unsigned long int); + else if (cflags == DP_C_LONG_LONG) + value = va_arg (args, unsigned long long); else value = va_arg (args, unsigned int); fmtint (buffer, &currlen, maxlen, value, 16, min, max, flags); @@ -337,6 +357,12 @@ num = va_arg (args, long int *); *num = currlen; } + else if (cflags == DP_C_LONG_LONG) + { + long long *num; + num = va_arg (args, long long *); + *num = currlen; + } else { int *num; 
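Review bot: in the `@@ -251`, `@@ -261`, `@@ -271` and `@@ -283` hunks of bsd-snprintf.c the new `value = va_arg (args, long long)` branches store into the existing `value` and hand it to fmtint() unchanged; unless `value` and fmtint()'s parameter are widened to `long long` as well (no hunk in this patch touches them), the upper half is truncated wherever long is 32 bits and `%lld` prints the wrong number for exactly the sftp-server sizes the header comment says this is for. Either include the fmtint() change or state why it is not needed.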
@@ -747,9 +773,11 @@ "%+22.33d", "%01.3d", "%4d", + "%lld", + "%qd", NULL }; - long int_nums[] = { -1, 134, 91340, 341, 0203, 0}; + long long int_nums[] = { -1, 134, 91340, 341, 0203, 0, 9999999 }; int x, y; int fail = 0; int num = 0; From mstone at cs.loyola.edu Fri Sep 29 22:25:30 2000 From: mstone at cs.loyola.edu (Michael Stone) Date: Fri, 29 Sep 2000 07:25:30 -0400 Subject: SSH_CLIENT _not_ set when doing a command In-Reply-To: ; from djm@mindrot.org on Fri, Sep 29, 2000 at 11:34:28AM +1100 References: <20000928155028.A13408@kroket.net> Message-ID: <20000929072530.E15994@justice.loyola.edu> On Fri, Sep 29, 2000 at 11:34:28AM +1100, Damien Miller wrote: > On Thu, 28 Sep 2000, Daniel Saakes wrote: > > we (sendy & me) think it is a bash problem. > > Are you sure you don't have something in /etc/profile, ~/.bash_profile > etc which is clearing the environment? Check the source. (It's a new feature of bash 2.04.) bash actually does unexport SSH_CLIENT. It's still there if you look at `set`, but it's not there if you look at `env`. You'd have to ask the bash people why that was a good idea. -- Mike Stone From mdb at juniper.net Sat Sep 30 02:25:25 2000 
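Review bot: in the `@@ -747,9 +773,11 @@` hunk of bsd-snprintf.c, changing `int_nums[]` to `long long` while the format list still contains plain `%d` conversions (`"%01.3d"`, `"%4d"`, ...) means the self-test now passes a long long where those formats read an int, which is undefined for varargs and prints junk on hosts where the two sizes differ; keep an int array for the `%d` formats and use the long long array only with `%lld` and `%qd`.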
From: mdb at juniper.net (Mark D. Baushke) Date: Fri, 29 Sep 2000 08:25:25 -0700 Subject: SSH_CLIENT _not_ set when doing a command In-Reply-To: Mail from Michael Stone dated Fri, 29 Sep 2000 07:25:30 EDT <20000929072530.E15994@justice.loyola.edu> Message-ID: <200009291525.IAA56058@garnet.juniper.net> Hi Daniel, Mike Stone is correct in his message to openssh-unix-dev. Newer versions of bash do not auto-export the SSH_CLIENT variable. Looking at past sources, it appears that bash introduced the idea of unexporting the SSH_CLIENT variable in version 2.02 (not a new feature of version 2.04 as Mike suggested) and has been in each subsequent release of bash. The diffs between 2.01 and 2.02 give the CHANGES entry between bash-2.02, bash-2.02-alpha1 and bash-2.01.1-release: + bb. Bash now attempts to detect when it is being run by sshd, and treats + that case identically to being run by rshd. If bash thinks it is being run by rshd (or sshd), then it processes the user's ~/.bashrc file. That being the case, adding the following code to your ~/.bashrc should bring the variable back for users that need/want it. if [ -z "$SSH_CLIENT" ]; then export SSH_CLIENT; fi This should let you work around your problem and still let you use bash instead of csh or ash as your shell. Enjoy! -- Mark >Date: Fri, 29 Sep 2000 07:25:30 -0400 
>From: Michael Stone >To: openssh-unix-dev at mindrot.org >Subject: Re: SSH_CLIENT _not_ set when doing a command >Message-ID: <20000929072530.E15994 at justice.loyola.edu> > >On Fri, Sep 29, 2000 at 11:34:28AM +1100, Damien Miller wrote: >> On Thu, 28 Sep 2000, Daniel Saakes wrote: >> > we (sendy & me) think it is a bash problem. >> >> Are you sure you don't have something in /etc/profile, ~/.bash_profile >> etc which is clearing the environment? > >Check the source. (It's a new feature of bash 2.04.) bash actually >does unexport SSH_CLIENT. It's still there if you look at `set`, but >it's not there if you look at `env`. You'd have to ask the bash people >why that was a good idea. > >-- >Mike Stone From mstone at cs.loyola.edu Sat Sep 30 02:41:05 2000 From: mstone at cs.loyola.edu (Michael Stone) Date: Fri, 29 Sep 2000 11:41:05 -0400 Subject: SSH_CLIENT _not_ set when doing a command In-Reply-To: <200009291525.IAA56058@garnet.juniper.net>; from mdb@juniper.net on Fri, Sep 29, 2000 at 08:25:25AM -0700 References: <200009291525.IAA56058@garnet.juniper.net> Message-ID: <20000929114104.G15994@justice.loyola.edu> On Fri, Sep 29, 2000 at 08:25:25AM -0700, Mark D. Baushke wrote: > Looking at past sources, it appears that bash introduced the idea of > unexporting the SSH_CLIENT variable in version 2.02 (not a new feature > of version 2.04 as Mike suggested) and has been in each subsequent > release of bash. Did you actually check this? Yes, bash has tried to do stuff with ssh since 2.02. But the entry for changes between bash-2.04-devel and bash-2.03-release contains: t. The SSH_CLIENT environment variable is no longer auto-exported. And certainly in my testing it affects 2.04 but *not* 2.03. -- Mike Stone From mdb at juniper.net Sat Sep 30 03:31:45 2000 
From: mdb at juniper.net (Mark D. Baushke) Date: Fri, 29 Sep 2000 09:31:45 -0700 Subject: SSH_CLIENT _not_ set when doing a command In-Reply-To: Mail from Michael Stone dated Fri, 29 Sep 2000 11:41:05 EDT <20000929114104.G15994@justice.loyola.edu> Message-ID: <200009291631.JAA16393@red.juniper.net> On Fri, 29 Sep 2000 11:41:05 -0400, Michael Stone wrote: > >On Fri, Sep 29, 2000 at 08:25:25AM -0700, Mark D. Baushke wrote: >> Looking at past sources, it appears that bash introduced the idea of >> unexporting the SSH_CLIENT variable in version 2.02 (not a new feature >> of version 2.04 as Mike suggested) and has been in each subsequent >> release of bash. > >Did you actually check this? Yes, bash has tried to do stuff with ssh >since 2.02. But the entry for changes between bash-2.04-devel and >bash-2.03-release contains: >t. The SSH_CLIENT environment variable is no longer auto-exported. I *thought* I had checked it. However, it helps if you recompile the test program with the path to the older version of bash instead of leaving it pointing at a new version. Clearly, I should not have posted until after I was more fully awake. Mike is absolutely correct. Neither 2.02 nor 2.03 exhibits the problems with SSH_CLIENT at all. However, adding an export SSH_CLIENT when appropriate should allow Daniel to work around his problem. if [ "z$SSH_CLIENT" != "z" ]; then export SSH_CLIENT fi >And certainly in my testing it affects 2.04 but *not* 2.03. Yes, now that I have recompiled the test program, I get the same results. -- Mark From djm at mindrot.org Sat Sep 30 14:28:19 2000
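An added example, not code from this thread, that generalises Daniel's execve test into a check that can be pointed at any shell and any variable: it runs `shell -c env` with a fixed environment, the way sshd runs a remote command, and reports whether the variable is still exported. `var_survives_shell`, `check_shell` and the constructed environment (including the SSH_CLIENT value from Daniel's program) are this example's own.

```c
/* Added example, not from the thread: generalises Daniel Saakes' execve test.
 * It starts SHELL -c env with a fixed environment, the way sshd runs a remote
 * command, and reports whether a given variable is still in env's output. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Returns 1 if NAME=... appears in the output of `shell -c env` run with
 * exactly envp, 0 if not, -1 if the shell could not be run. */
int var_survives_shell(const char *shell, char *const envp[], const char *name)
{
    int pfd[2], status, found = 0;
    size_t nlen = strlen(name);
    char line[4096];
    pid_t pid;
    FILE *fp;

    if (pipe(pfd) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {                      /* child: plumb stdout into the pipe */
        char *argv[] = { (char *)shell, "-c", "env", NULL };
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[0]);
        close(pfd[1]);
        execve(shell, argv, envp);
        _exit(127);
    }
    close(pfd[1]);
    if ((fp = fdopen(pfd[0], "r")) == NULL)
        return -1;
    while (fgets(line, sizeof(line), fp) != NULL)
        if (strncmp(line, name, nlen) == 0 && line[nlen] == '=')
            found = 1;                   /* exported: the shell passed it on */
    fclose(fp);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return found;
}

/* Constructed environment: PATH so the shell can find env, a variable no
 * shell treats specially, and an SSH_CLIENT value as sshd would set it. */
int check_shell(const char *shell, const char *name)
{
    char *envp[] = {
        "PATH=/usr/bin:/bin",
        "SSH_WHATEVER=OK",
        "SSH_CLIENT=127.0.0.1 929 22",   /* constructed, as in the test program */
        NULL
    };
    return var_survives_shell(shell, envp, name);
}

int main(int argc, char **argv)
{
    const char *shell = argc > 1 ? argv[1] : "/bin/sh";
    const char *vars[] = { "SSH_WHATEVER", "SSH_CLIENT" };
    size_t i;
    for (i = 0; i < 2; i++) {
        int r = check_shell(shell, vars[i]);
        printf("%s: %s %s\n", shell, vars[i],
               r < 0 ? "could not run shell" : r ? "exported" : "NOT exported");
    }
    return 0;
}
```

Run it as `./a.out /bin/bash` to see whether the installed bash drops SSH_CLIENT; the assertions below only cover SSH_WHATEVER, which no shell treats specially.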
From: djm at mindrot.org (Damien Miller) Date: Sat, 30 Sep 2000 14:28:19 +1100 (EST) Subject: PATCH: OpenSSH RPM spec file problems In-Reply-To: Message-ID: On Wed, 27 Sep 2000, Pekka Savola wrote: > 2. If you're upgrading over SSH ltd's ssh-server, the server will > be stopped and sshd removed from chkconfig --list. Obsoletion > doesn't seem to qualify as "clean" operation, so the %preun will > be run regardless. H.J. Lu supplied the patch. > Tested. I am not sure about this - there are a few differences between ssh.com ssh and openssh (LogLevel, etc). Enough IMO to warrant that admins manually restart the service. -d -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org From djm at mindrot.org Sat Sep 30 14:52:36 2000
From: djm at mindrot.org (Damien Miller) Date: Sat, 30 Sep 2000 14:52:36 +1100 (EST) Subject: Snapshot Message-ID: There is now a new snapshot available at: http://www.mindrot.org/misc/openssh/ Please give this snapshot a good run on your platform of choice. When sending success/failure reports, please include the 'host system type' as reported by ./configure. It is hoped that this snapshot will become 2.2.0p2 in due course. Here are the major changes: - sftp-server support from Markus Friedl. This is reported to interop with SSH.COM ssh2 and several windows clients. - Cygwin support from Corinna Vinschen - When using forced commands, set SSH_ORIGINAL_COMMAND environment variable from Leakin at dfw.nostrum.com, bet at rahul.net - Support for changing expired passwords on PAM systems from Steve VanDevender - OpenSSH now has an explicit LICENSE file, which documents the licenses under which the contributors to OpenSSH have placed their code. - More bug compatibility with SSH.COM ssh software; Markus Friedl - Fixes and enhancements for NeXT, HP/UX and SCO. Thanks to Kevin Steves, Charles Levert, Dirk De Wachter, Ben Lindstrom - Many other small fixes and improvements. Full Changelog: 20000930 - (djm) Irix ssh_prng_cmds path fix from Pekka Savola - (djm) Support in bsd-snprintf.c for long long conversions from Ben Lindstrom - (djm) Cleanup NeXT support from Ben Lindstrom - (djm) Ignore SIGPIPEs from serverloop to child. Fixes crashes with very short lived X connections. Bug report from Tobias Oetiker. 
Fix from Markus Friedl - (djm) Add recent InitScripts as an RPM dependency for openssh-server patch from Pekka Savola - (djm) CVS OpenBSD sync: - markus at cvs.openbsd.org 2000/09/26 13:59:59 [clientloop.c] use debug2 - markus at cvs.openbsd.org 2000/09/27 15:41:34 [auth2.c sshconnect2.c] use key_type() - markus at cvs.openbsd.org 2000/09/28 12:03:18 [channels.c] debug -> debug2 cleanup 20000929 - (djm) Fix SSH2 not terminating until all background tasks done problem. - (djm) Another off-by-one fix from Pavel Kankovsky - (djm) Clean up. Strip some unnecessary differences with OpenBSD's code, tidy necessary differences. Use Markus' new debugN() in entropy.c - (djm) Merged big SCO portability patch from Tim Rice 20000926 - (djm) Update X11-askpass to 1.0.2 in RPM spec file - (djm) Define _REENTRANT to pickup strtok_r() on HP/UX - (djm) Security: fix off-by-one buffer overrun in fake-getnameinfo.c. Report and fix from Pavel Kankovsky 20000924 - (djm) Merged cleanup patch from Mark Miller - (djm) A bit more cleanup - created cygwin_util.h - (djm) Include strtok_r() from OpenBSD libc. Fixes report from Mark Miller 20000923 - (djm) Fix address logging in utmp from Kevin Steves - (djm) Redhat spec and manpage fixes from Pekka Savola - (djm) Separate tests for int64_t and u_int64_t types - (djm) Tweak password expiry checking at suggestion of Kevin Steves - (djm) NeXT patch from Ben Lindstrom - (djm) Use printf %lld instead of %qd in sftp-server.c. 
Fix from Michael Stone - (djm) OpenBSD CVS sync: - markus at cvs.openbsd.org 2000/09/17 09:38:59 [sshconnect2.c sshd.c] fix DEBUG_KEXDH - markus at cvs.openbsd.org 2000/09/17 09:52:51 [sshconnect.c] yes no; ok niels@ - markus at cvs.openbsd.org 2000/09/21 04:55:11 [sshd.8] typo - markus at cvs.openbsd.org 2000/09/21 05:03:54 [serverloop.c] typo - markus at cvs.openbsd.org 2000/09/21 05:11:42 scp.c utime() to utimes(); mouring at pconline.com - markus at cvs.openbsd.org 2000/09/21 05:25:08 sshconnect2.c change login logic in ssh2, allows plugin of other auth methods - markus at cvs.openbsd.org 2000/09/21 05:25:35 [auth2.c channels.c channels.h clientloop.c dispatch.c dispatch.h] [serverloop.c] add context to dispatch_run - markus at cvs.openbsd.org 2000/09/21 05:07:52 authfd.c authfd.h ssh-agent.c bug compat for old ssh.com software 20000920 - (djm) Fix bad path substitution. Report from Andrew Miner 20000916 - (djm) Fix SSL search order from Lutz Jaenicke - (djm) New SuSE spec from Corinna Vinschen - (djm) Update CygWin support from Corinna Vinschen - (djm) Use a real struct sockaddr inside the fake struct sockaddr_storage. Patch from Larry Jones - (djm) Add Steve VanDevender's PAM password change patch. - (djm) Bring licenses on my stuff in line with OpenBSD's - (djm) Cleanup auth-passwd.c and unify HP/UX authentication. Patch from Kevin Steves - (djm) Shadow expiry check fix from Pavel Troller - (djm) Re-enable int64_t types - we need them for sftp - (djm) Use libexecdir from configure , rather than libexecdir/ssh - (djm) Update Redhat SPEC file accordingly - (djm) Add Kevin Steves HP/UX contrib files - (djm) Add Charles Levert getpgrp patch - (djm) Fix password auth on HP/UX 10.20. 
Patch from Dirk De Wachter - (djm) Fixprogs and entropy list fixes from Larry Jones - (djm) Fix for SuSE spec file from Takashi YOSHIDA - (djm) Merge OpenBSD changes: - markus at cvs.openbsd.org 2000/09/05 02:59:57 [session.c] print hostname (not hushlogin) - markus at cvs.openbsd.org 2000/09/05 13:18:48 [authfile.c ssh-add.c] enable ssh-add -d for DSA keys - markus at cvs.openbsd.org 2000/09/05 13:20:49 [sftp-server.c] cleanup - markus at cvs.openbsd.org 2000/09/06 03:46:41 [authfile.h] prototype - deraadt at cvs.openbsd.org 2000/09/07 14:27:56 [ALL] cleanup copyright notices on all files. I have attempted to be accurate with the details. everything is now under Tatu's licence (which I copied from his readme), and/or the core-sdi bsd-ish thing for deattack, or various openbsd developers under a 2-term bsd licence. We're not changing any rules, just being accurate. - markus at cvs.openbsd.org 2000/09/07 14:40:30 [channels.c channels.h clientloop.c serverloop.c ssh.c] cleanup window and packet sizes for ssh2 flow control; ok niels - markus at cvs.openbsd.org 2000/09/07 14:53:00 [scp.c] typo - markus at cvs.openbsd.org 2000/09/07 15:13:37 [auth-options.c auth-options.h auth-rh-rsa.c auth-rsa.c auth.c] [authfile.h canohost.c channels.h compat.c hostfile.h log.c match.h] [pty.c readconf.c] some more Copyright fixes - markus at cvs.openbsd.org 2000/09/08 03:02:51 [README.openssh2] bye bye - deraadt at cvs.openbsd.org 2000/09/11 18:38:33 [LICENCE cipher.c] a few more comments about it being ARC4 not RC4 - markus at cvs.openbsd.org 2000/09/12 14:53:11 [log-client.c log-server.c log.c ssh.1 ssh.c ssh.h sshd.8 sshd.c] multiple debug levels - markus at cvs.openbsd.org 2000/09/14 14:25:15 [clientloop.c] typo - deraadt at cvs.openbsd.org 2000/09/15 01:13:51 [ssh-agent.c] check return value for setenv(3) for failure, and deal appropriately 20000913 - (djm) Fix server not exiting with jobs in background. 
20000905 - (djm) Import OpenBSD CVS changes - markus at cvs.openbsd.org 2000/08/31 15:52:24 [Makefile sshd.8 sshd_config sftp-server.8 sftp-server.c] implement a SFTP server. interops with sftp2, scp2 and the windows client from ssh.com - markus at cvs.openbsd.org 2000/08/31 15:56:03 [README.openssh2] sync - markus at cvs.openbsd.org 2000/08/31 16:05:42 [session.c] Wall - markus at cvs.openbsd.org 2000/08/31 16:09:34 [authfd.c ssh-agent.c] add a flag to SSH2_AGENTC_SIGN_REQUEST for future extensions - deraadt at cvs.openbsd.org 2000/09/01 09:25:13 [scp.1 scp.c] cleanup and fix -S support; stevesk at sweden.hp.com - markus at cvs.openbsd.org 2000/09/01 16:29:32 [sftp-server.c] portability fixes - markus at cvs.openbsd.org 2000/09/01 16:32:41 [sftp-server.c] fix cast; mouring at pconline.com - itojun at cvs.openbsd.org 2000/09/03 09:23:28 [ssh-add.1 ssh.1] add missing .El against .Bl. - markus at cvs.openbsd.org 2000/09/04 13:03:41 [session.c] missing close; ok theo - markus at cvs.openbsd.org 2000/09/04 13:07:21 [session.c] fix get_last_login_time order; from andre at van-veen.de - markus at cvs.openbsd.org 2000/09/04 13:10:09 [sftp-server.c] more cast fixes; from mouring at pconline.com - markus at cvs.openbsd.org 2000/09/04 13:06:04 [session.c] set SSH_ORIGINAL_COMMAND; from Leakin at dfw.nostrum.com, bet at rahul.net - (djm) Cleanup after import. Fix sftp-server compilation, Makefile - (djm) Merge cygwin support from Corinna Vinschen 20000903 - (djm) Fix Redhat init script Now back to the Olympics :) Regards, Damien Miller -- | ``The power of accurate observation is | Damien Miller | commonly called cynicism by those who | @Work | have not got it'' - George Bernard Shaw | http://www.mindrot.org
