From stevesk at pobox.com Mon Jan 1 11:27:25 2001 From: stevesk at pobox.com (Kevin Steves) Date: Mon, 1 Jan 2001 01:27:25 +0100 (CET) Subject: OpenSSH 2.4.0 patch call.. In-Reply-To: <20001229195707.A13319@folly> Message-ID: On Fri, 29 Dec 2000, Markus Friedl wrote: : mysignal can fallback to signal if sigaction is not available. : with mysignal() we don't need to reinstall signalhandlers. : : comments? i'm rather far away from my stevens apue. with the patch below hp-ux 11.11 is working with protocol 2 (i did not include the patch for signal() -> mysignal()). why is scp using sigaction() with SA_RESTART flags in the portable version? it seems EINTR is handled in atomicio() without that. Index: ssh.h =================================================================== RCS file: /var/cvs/openssh/ssh.h,v retrieving revision 1.49 diff -u -r1.49 ssh.h --- ssh.h 2000/12/22 01:44:00 1.49 +++ ssh.h 2001/01/01 00:03:02 @@ -500,6 +500,10 @@ /* set filedescriptor to non-blocking */ void set_nonblock(int fd); +/* wrapper for signal interface */ +typedef void (*mysig_t)(int); +mysig_t mysignal(int sig, mysig_t act); + /* * Performs the interactive session. This handles data transmission between * the client and the program. Note that the notion of stdin, stdout, and Index: util.c =================================================================== RCS file: /var/cvs/openssh/util.c,v retrieving revision 1.4 diff -u -r1.4 util.c --- util.c 2000/10/28 03:19:58 1.4 +++ util.c 2001/01/01 00:03:03 @@ -94,3 +94,25 @@ return (old); } + +mysig_t +mysignal(int sig, mysig_t act) +{ +#ifdef HAVE_SIGACTION + struct sigaction sa, osa; + + if (sigaction(sig, 0, &osa) == -1) + return (mysig_t) -1; + if (osa.sa_handler != act) { + memset(&sa, 0, sizeof sa); + sigemptyset(&sa.sa_mask); + sa.sa_flags = 0; + sa.sa_handler = act; + if (sigaction(sig, &sa, 0) == -1) + return (mysig_t) -1; + } + return (osa.sa_handler); +#else + return (signal(sig, act)); +#endif +} From mouring at etoh.eviladmin.org Mon Jan 1 12:43:19 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sun, 31 Dec 2000 19:43:19 -0600 (CST) Subject: OpenSSH 2.4.0 patch call.. In-Reply-To: Message-ID: On Mon, 1 Jan 2001, Kevin Steves wrote: > On Fri, 29 Dec 2000, Markus Friedl wrote: > : mysignal can fallback to signal if sigaction is not available. > : with mysignal() we don't need to reinstall signalhandlers. > : > : comments? > > i'm rather far away from my stevens apue. > > with the patch below hp-ux 11.11 is working with protocol 2 (i did not > include the patch for signal() -> mysignal()). > > why is scp using sigaction() with SA_RESTART flags in the portable > version? it seems EINTR is handled in atomicio() without that. > Kinda wondering that myself, but I've been too busy to dig up in the portable tree when that change occured. BTW. For the portable version sigaction will almost always be accessable. Either via standard sigaction() interface or via sigvec() (Thanks to the fact NeXT lacks sigaction()). - Ben From djm at mindrot.org Mon Jan 1 21:37:16 2001 From: djm at mindrot.org (Damien Miller) Date: Mon, 1 Jan 2001 21:37:16 +1100 (EST) Subject: OpenSSH 2.4.0 patch call.. In-Reply-To: Message-ID: On Sun, 31 Dec 2000 mouring at etoh.eviladmin.org wrote: > > why is scp using sigaction() with SA_RESTART flags in the portable > > version? it seems EINTR is handled in atomicio() without that. > > > Kinda wondering that myself, but I've been too busy to dig up in the > portable tree when that change occured. IIRC that predates the appearance of atomicio in the source tree. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From Chiaki.Ishikawa at personal-media.co.jp Tue Jan 2 00:02:50 2001 From: Chiaki.Ishikawa at personal-media.co.jp (Chiaki Ishikawa) Date: Mon, 1 Jan 2001 22:02:50 +0900 (JST) Subject: OpenSSH 2.4.0 patch call.. In-Reply-To: <20001230133503.B9008@folly> (markus.friedl@informatik.uni-erlangen.de) Message-ID: <200101011302.WAA10366@sparc18.personal-media.co.jp> X-PMC-CI-e-mail-id: 14375 Sorry to respond so late: |> Please add handling for |> SA_INTERRUPT and SA_RESTART and many will be greatful |> for that. | |why? what is the rationale? |even stevens APUE has 2 versions. on with SA_RESTART and |one without. I could be more specific if I can access APUE at the office. But a quick glance at Unix Network Programming and my lame try to refresh my memory led to the following observation. - System calls can be interrupted by signals. - Under certain conditions, the system calls are automatically restarted after the interruption. SA_RESTART (when it is available, and set ) makes a system call interrupted by this signal automatically restarted by the kernel. Old systems such as SunOS 4.x (and old BSD, too?) automatically restart an interrupted system call by default. (SA_INTERRUPT is defined to be the complement of SA_RESTART(?). [I am hazy on this. Need to read APUE to be sure.]). - Special handling of SIGALRM is due to the following reason: we are quite likely to want to interrupt a blocked system call since SIGALRM is used often to place a timeout value on read/write. (And for this purpose, I think we don't want automatic restart for system calls interrupted by SIGALRM.) So short summary is that for SIGALRM, we want to make sure that the interrupted system call is NOT automatically restarted. For other signals (other than SIGALRM), we want the interrupted system calls to be restarted automatically. That is the gist of the change I put in and it is essentially based on the code from Steven's Unix Network Programming. (Only variable name changes, etc..) APUE, which I can't access for another few days, may have a clear explanation if there are two different versions for signal(). -- Ishikawa, Chiaki ishikawa at personal-media.co.jp.NoSpam or (family name, given name) Chiaki.Ishikawa at personal-media.co.jp.NoSpam Personal Media Corp. ** Remove .NoSpam at the end before use ** Shinagawa, Tokyo, Japan 142-0051 From pekkas at netcore.fi Tue Jan 2 00:54:16 2001 From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 1 Jan 2001 15:54:16 +0200 (EET) Subject: pty.c problem (was: OpenSSH 2.4.0 patch call..) Message-ID: Another minor but difficult-to-fix-properly(?) issue: pty.c: In function `pty_allocate': pty.c:55: warning: implicit declaration of function `openpty' this happens if you have HAVE_PTY_H. To allow building out of the main directory, there is '-I. -I$(srcdir)' in the Makefile. Now, because there is 'pty.h', /usr/include/pty.h in '#include ' is never getting included (rather, ./pty.h is), causing implicit declaration. Some ways to fix this(?): - rename pty.h to something else, would cause trouble with OpenBSD CVS syncs - disable -I. -I$(srcdir) --> no building out of the main directory - there's got to be some other ways.. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From pekkas at netcore.fi Tue Jan 2 01:43:11 2001 From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 1 Jan 2001 16:43:11 +0200 (EET) Subject: Port forwarding control patch Message-ID: Hi, I'd like to bring this up again as there has been discussion about 2.4.0 patches. Getting something this big in would probably delay the release too much, but something similar should be considered for 2.5 then. A lot of people would like some control over port forwarding. Florian Weimer's patches (http://cert.uni-stuttgart.de/files/openssh/) are one, rather "big" approach at the problem. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From markus.friedl at informatik.uni-erlangen.de Tue Jan 2 07:52:43 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 1 Jan 2001 21:52:43 +0100 Subject: Port forwarding control patch In-Reply-To: ; from pekkas@netcore.fi on Mon, Jan 01, 2001 at 04:43:11PM +0200 References: Message-ID: <20010101215243.A12832@folly> while i think this patch is useful, i also think that 'keynote' support would be more powerful. -markus On Mon, Jan 01, 2001 at 04:43:11PM +0200, Pekka Savola wrote: > Hi, > > I'd like to bring this up again as there has been discussion about 2.4.0 > patches. Getting something this big in would probably delay the release > too much, but something similar should be considered for 2.5 then. > > A lot of people would like some control over port forwarding. Florian > Weimer's patches (http://cert.uni-stuttgart.de/files/openssh/) are one, > rather "big" approach at the problem. > > -- > Pekka Savola "Tell me of difficulties surmounted, > Netcore Oy not those you stumble over and fall" > Systems. Networks. Security. -- Robert Jordan: A Crown of Swords > > From stevesk at sweden.hp.com Wed Jan 3 04:21:23 2001 From: stevesk at sweden.hp.com (Kevin Steves) Date: Tue, 2 Jan 2001 18:21:23 +0100 (CET) Subject: OpenSSH 2.4.0 patch call.. In-Reply-To: Message-ID: On Mon, 1 Jan 2001, Damien Miller wrote: : On Sun, 31 Dec 2000 mouring at etoh.eviladmin.org wrote: : > > why is scp using sigaction() with SA_RESTART flags in the portable : > > version? it seems EINTR is handled in atomicio() without that. : > > : > Kinda wondering that myself, but I've been too busy to dig up in the : > portable tree when that change occured. : : IIRC that predates the appearance of atomicio in the source tree. should we revert back to signal there? we could also remove bsd-sigaction. From kdo at cosmos.phy.tufts.edu Wed Jan 3 04:34:14 2001 From: kdo at cosmos.phy.tufts.edu (Ken Olum) Date: Tue, 2 Jan 2001 12:34:14 -0500 Subject: [kdo@cosmos.phy.tufts.edu: protocol incompatibility between OpenSSH and SSH secure shell?] In-Reply-To: <20001229232201.B30844@folly> (message from Markus Friedl on Fri, 29 Dec 2000 23:22:01 +0100) Message-ID: <200101021734.f02HYEi27714@cosmos.phy.tufts.edu> From: Markus Friedl Date: Fri, 29 Dec 2000 23:22:01 +0100 openssh does not support rekeying (yet). perhaps openssh-2.5 will, openssh-2.4 will not. What is the connection between rekeying and forwarding of user-specified ports? upgrading the windows client to ssh.com-2.4.0 should help. It did not. On Fri, Dec 29, 2000 at 04:13:53PM -0500, Michael H. Warfield wrote: > Hello all! > > I didn't see anyone else reply to this, but I also didn't see > anything show up on the OpenSSH development list (Cc'ed here). There > is a patch call out right now for the pending release of 2.4.0. I'm > wondering if anyone is aware of this and if it's already been covered > in 2.4.0? > > Please reply to list and original poster... > > ----- Forwarded message from Ken Olum ----- > > Date: Wed, 27 Dec 2000 16:19:20 -0500 > From: Ken Olum > To: ssh at clinet.fi > Subject: protocol incompatibility between OpenSSH and SSH secure shell? > Precedence: bulk > > I am using SSH secure shell version 2.3 under Windows 95 as the > client and OpenSSH_2.3.0p1 under Red Hat 7.0 as the server. When I > tell the client to forward a random incoming port the server gives the > error "error: Hm, dispatch protocol error: type 80 plen 33" instead of > listening on my port. > > Sorry if this is the wrong place to report this, or if I should have > looked in some list of known problems. > > Ken Olum > > ----- End forwarded message ----- > > Mike > -- > Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com > (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ > NIC whois: MHW9 | An optimist believes we live in the best of all > PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! > > From mouring at etoh.eviladmin.org Wed Jan 3 06:55:32 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 2 Jan 2001 13:55:32 -0600 (CST) Subject: OpenSSH 2.4.0 patch call.. In-Reply-To: Message-ID: On Tue, 2 Jan 2001, Kevin Steves wrote: > On Mon, 1 Jan 2001, Damien Miller wrote: > : On Sun, 31 Dec 2000 mouring at etoh.eviladmin.org wrote: > : > > why is scp using sigaction() with SA_RESTART flags in the portable > : > > version? it seems EINTR is handled in atomicio() without that. > : > > > : > Kinda wondering that myself, but I've been too busy to dig up in the > : > portable tree when that change occured. > : > : IIRC that predates the appearance of atomicio in the source tree. > > should we revert back to signal there? we could also remove > bsd-sigaction. > Nope.. cli.c uses sigaction() so even removing it from scp.c NeXT still needs sigaction() to handle cli.c correctly. - Ben From horape at tinuviel.compendium.net.ar Wed Jan 3 06:17:01 2001 From: horape at tinuviel.compendium.net.ar (horape at tinuviel.compendium.net.ar) Date: Tue, 2 Jan 2001 16:17:01 -0300 Subject: Why add ListenAddress to sshd_conf Message-ID: <20010102161700.A8589@tinuviel.compendium.net.ar> ?Hola! [Please keep me in the Cc: list, i amn't subscribed to the list] (From ftp://ftp.plig.org/pub/OpenBSD/OpenSSH/portable/openssh-2.2.0p1-vs-openbsd.diff.gz) --- ssh-openbsd-2000090200/sshd_config Tue Aug 8 16:55:05 2000 +++ openssh-2.2.0p1/sshd_config Wed Aug 30 09:40:09 2000 @@ -2,7 +2,7 @@ Port 22 #Protocol 2,1 -#ListenAddress 0.0.0.0 +ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh_host_key ServerKeyBits 768 ---- Why? If there's no ListenAddress ssh listens on all addresses: --- ListenAddress Specifies what local address sshd should listen on. The default is to listen to all local addresses. Multiple options of this type are permitted. Additionally, the Ports options must precede this option. --- (from sshd(8) ) and the ListenAddress 0.0.0.0 directive breaks IPv6 support (in january/2000 the openbsd branch changed that so it works. Why reverting the change and breaking again IPv6 support?) Thanks, HoraPe --- Horacio J. Pe?a horape at compendium.com.ar horape at uninet.edu bofh at puntoar.net.ar horape at hcdn.gov.ar From res at des.jhy.us.ml.com Wed Jan 3 06:21:43 2001 From: res at des.jhy.us.ml.com (Richard E. Silverman) Date: Tue, 2 Jan 2001 14:21:43 -0500 (EST) Subject: [kdo@cosmos.phy.tufts.edu: protocol incompatibility between OpenSSH and SSH secure shell?] In-Reply-To: <200101021734.f02HYEi27714@cosmos.phy.tufts.edu> Message-ID: > openssh does not support rekeying (yet). perhaps openssh-2.5 will, > openssh-2.4 will not. > > What is the connection between rekeying and forwarding of > user-specified ports? Markus made a mistake. That message, with "type 20", indicates the rekeying problem. Type 80 is an SSH2 "global request" message. This suggests to me that you are doing a remote forwarding, rather than a local one. OpenSSH does not yet support remote forwarding in protocol 2. -- Richard Silverman slade at shore.net From markus.friedl at informatik.uni-erlangen.de Wed Jan 3 07:37:08 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 2 Jan 2001 21:37:08 +0100 Subject: [kdo@cosmos.phy.tufts.edu: protocol incompatibility between OpenSSH and SSH secure shell?] In-Reply-To: <200101021734.f02HYEi27714@cosmos.phy.tufts.edu>; from kdo@cosmos.phy.tufts.edu on Tue, Jan 02, 2001 at 12:34:14PM -0500 References: <20001229232201.B30844@folly> <200101021734.f02HYEi27714@cosmos.phy.tufts.edu> Message-ID: <20010102213708.A14844@folly> oops, sent reply to wrong mail. are you using local (client doing the listen) or remote (server listening) port forwarding? -markus On Tue, Jan 02, 2001 at 12:34:14PM -0500, Ken Olum wrote: > From: Markus Friedl > Date: Fri, 29 Dec 2000 23:22:01 +0100 > > openssh does not support rekeying (yet). perhaps openssh-2.5 will, > openssh-2.4 will not. > > What is the connection between rekeying and forwarding of > user-specified ports? > > upgrading the windows client to ssh.com-2.4.0 should help. > > It did not. > > On Fri, Dec 29, 2000 at 04:13:53PM -0500, Michael H. Warfield wrote: > > Hello all! > > > > I didn't see anyone else reply to this, but I also didn't see > > anything show up on the OpenSSH development list (Cc'ed here). There > > is a patch call out right now for the pending release of 2.4.0. I'm > > wondering if anyone is aware of this and if it's already been covered > > in 2.4.0? > > > > Please reply to list and original poster... > > > > ----- Forwarded message from Ken Olum ----- > > > > Date: Wed, 27 Dec 2000 16:19:20 -0500 > > From: Ken Olum > > To: ssh at clinet.fi > > Subject: protocol incompatibility between OpenSSH and SSH secure shell? > > Precedence: bulk > > > > I am using SSH secure shell version 2.3 under Windows 95 as the > > client and OpenSSH_2.3.0p1 under Red Hat 7.0 as the server. When I > > tell the client to forward a random incoming port the server gives the > > error "error: Hm, dispatch protocol error: type 80 plen 33" instead of > > listening on my port. > > > > Sorry if this is the wrong place to report this, or if I should have > > looked in some list of known problems. > > > > Ken Olum > > > > ----- End forwarded message ----- > > > > Mike > > -- > > Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com > > (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ > > NIC whois: MHW9 | An optimist believes we live in the best of all > > PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! > > > > > From kdo at cosmos.phy.tufts.edu Wed Jan 3 08:40:01 2001 From: kdo at cosmos.phy.tufts.edu (Ken Olum) Date: Tue, 2 Jan 2001 16:40:01 -0500 Subject: [kdo@cosmos.phy.tufts.edu: protocol incompatibility between OpenSSH and SSH secure shell?] In-Reply-To: <20010102213708.A14844@folly> (message from Markus Friedl on Tue, 2 Jan 2001 21:37:08 +0100) Message-ID: <200101022140.f02Le1c28486@cosmos.phy.tufts.edu> It's remote port forwarding. I'm expecting the server to listen on the port. Ken From mouring at etoh.eviladmin.org Wed Jan 3 18:04:16 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 3 Jan 2001 01:04:16 -0600 (CST) Subject: SCO OpenServer 5.0.5 port In-Reply-To: Message-ID: > Here is a patch to skip building sftp-server if there are no 64bit > data types. > A version of this was applied. There was a few minor things that needed to be cleaned up (if sftp-server was not going to be installed then sftp-server.8 is kinda worthless to install =). Plus I added a warning at the end to notify the person that sftp-server will not be installed. > It also has some UnixWare 2.x fixes. > Applied - Ben From mouring at etoh.eviladmin.org Wed Jan 3 18:11:00 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 3 Jan 2001 01:11:00 -0600 (CST) Subject: patch to support hurd-i386 In-Reply-To: Message-ID: On Sat, 30 Dec 2000, Damien Miller wrote: > On Fri, 29 Dec 2000 mouring at etoh.eviladmin.org wrote: > > I assume that MAXHOSTNAMELEN should be the same on every platform. I just > > submitted a patch to define it at 64 characters if it's not found. > > I feel very uneasy about this, can we define it per host (in configure.in) > only after we have verified it against each implementation? > > I would much rather have a few platforms where compilation fails than > one where we get a buffer overrun. > After looking around the source again I think it may be best. Since MAXHOSTNAMELEN is used as the default size of utmp_len in sshd.c. Which does change per platform. So if Hurd group and any other platform that needs a MAXHOSTNAMELEN submit a patch to add it to your configure.in section based on your utmp structure. - Ben From mike at hyperreal.org Wed Jan 3 18:43:58 2001 From: mike at hyperreal.org (mike at hyperreal.org) Date: Tue, 2 Jan 2001 23:43:58 -0800 (PST) Subject: openssh 2.2, fbsd 4.2: incoming data hangs sshd on tty In-Reply-To: <20001226203548.21082.qmail@hyperreal.org> from "mike@hyperreal.org" at "Dec 26, 2000 12:35:48 pm" Message-ID: <20010103074358.23225.qmail@hyperreal.org> Using the Jan 02 snapshot, and after adding the contents of contrib/sshd.pam.freebsd to /etc/pam.conf, an out-of-the-box compile of OpenSSH seems, upon quickly testing, to have resolved the problems I was experiencing with sshd locking up on me. The litmus test was always a copy/paste into an ssh client on a windows box. Didn't matter if I was connected on the LAN or over a relatively slow DSL link. The new daemon seems to be throttling quite a bit. The paste takes a while to paint on the screen, whereas before it was lightning-quick, at least until it locked up. Should I be concerned? A zmodem file transfer on a link that tests with bing to get ~50 Mbps only got about 800 kbps. Seems a little slow.. I'm not complaining, though. No more crashes is good. > mouring at etoh.eviladmin.org wrote: > > > > Can you verify this against the latest snapshot at: > > http://bass.directhit.com/openssh_snap/ > > > > 2.2.0 is very old release. Since we are on the verge (from the sounds of > > it from Markus) of 2.4.0 release. > > > > - Ben > > > > On Mon, 25 Dec 2000 mike at hyperreal.org wrote: > > > > > I wrote: > > > > sshd, specifically the forked sshd process that is attached to a terminal > > > > when a connection is made, tends to freeze when receiving data over the link. > > > > The only way out is to kill -9 this process. It is easily reproducible by > > > > pasting text into an editor. > > > > > > With the help of someone who advised me to run ktrace on the sshd process > > > that freezes, I have narrowed down the circumstances under which the problem > > > is reproducible, and I discovered that sshd does receive a little bit more > > > data from the paste than I get to see coming back from the editor. [rest snipped] - Mike ________________________________________________________________________ Mike Brown / Hyperreal | Hyperreal http://music.hyperreal.org/ PO Box 61334 | XML & XSL http://skew.org/xml/ Denver CO 80206-8334 USA | personal http://www.hyperreal.org/~mike/ From rmoore at qualcomm.com Wed Jan 3 19:19:20 2001 From: rmoore at qualcomm.com (Ryan Moore) Date: Wed, 3 Jan 2001 00:19:20 -0800 (PST) Subject: PORT BUG: openssh 2.3.0p1 in Linux Slackware 7 Message-ID: I'm running a Slackware 7-based Linux distribution. I had a problem using openssh 2.3.0p1. Slackware 7 uses shadow passwords. Openssh picks up the shadow password information correctly but doesn't encrypt the incoming password properly so all password authentication fails. The problem is that sshd *must* be compiled with the link flag '-lcrypt' which includes libcrypt with the proper password crypt() function. Without '-lcrypt', a different crypt() function (from the C library, I guess) is used which isn't compatible with the shadow password suite distributed with Slackware. In Slackware 7, libcrypt is in /lib so no '-L' flags are needed. I believe the solution is to have the configure script check for libcrypt and link against it if it exists. The ssh-1.2.27 distribution configure script checks for this library and properly links against it, so it works correctly. Sorry, I can't provide any patches, but I'm not an autoconf expert. I can produce debug output I added to auth-passwd.c showing the differences in the behavior of the crypt() function if necessary. Contact me directly if you have any questions. I'm using the openssh server with SecureCRT 3.1 under Windows. So far, everything looks compatible in both ssh1 and ssh2. Great server! Thanks for the support.... Ryan From jhuuskon at messi.uku.fi Wed Jan 3 19:31:13 2001 From: jhuuskon at messi.uku.fi (Jarno Huuskonen) Date: Wed, 3 Jan 2001 10:31:13 +0200 Subject: AIX loginsuccess and aixloginmsg ? Message-ID: <20010103103112.A4921@laivuri63.uku.fi> Hi, I noticed that the AIX specific loginsuccess call uses char *aixloginmsg to retrieve login information. Later this message is printed in session.c (around line 753). Loginsuccess mallocs space for this message and according to the aix docs it's the responsibility of the calling program to free this message. I didn't notice any code in openssh that would free the aixloginmsg. Can somebody confirm/test if aixloginmsg should be freed ? If so this little patch might work (I didn't test this !!!!!): ^^^^^^^^^^^^^^^^^^^^^^^^^ --- session.c-orig Wed Jan 3 10:19:31 2001 +++ session.c Wed Jan 3 10:20:48 2001 @@ -750,8 +750,10 @@ print_pam_messages(); #endif /* USE_PAM */ #ifdef WITH_AIXAUTHENTICATE - if (aixloginmsg && *aixloginmsg) + if (aixloginmsg && *aixloginmsg) { printf("%s\n", aixloginmsg); + free(aixloginmsg); + } #endif /* WITH_AIXAUTHENTICATE */ if (last_login_time != 0) { Also what about the loginrestrictions call ? Should openssh free the loginmsg from loginrestrictions call ? The aix docs are not clear about this. -Jarno -- Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi University of Kuopio - Computer Centre | Work: +358 17 162822 PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169 From stuge at cdy.org Wed Jan 3 20:56:07 2001 From: stuge at cdy.org (Peter Stuge) Date: Wed, 3 Jan 2001 10:56:07 +0100 Subject: PORT BUG: openssh 2.3.0p1 in Linux Slackware 7 In-Reply-To: ; from rmoore@qualcomm.com on Wed, Jan 03, 2001 at 12:19:20AM -0800 References: Message-ID: <20010103105607.A20149@foo.birdnet.se> On Wed, Jan 03, 2001 at 12:19:20AM -0800, Ryan Moore wrote: > I'm running a Slackware 7-based Linux distribution. I had a problem using > openssh 2.3.0p1. Slackware 7 uses shadow passwords. Openssh picks up the > shadow password information correctly but doesn't encrypt the incoming > password properly so all password authentication fails. > > The problem is that sshd *must* be compiled with the link flag > '-lcrypt' which includes libcrypt with the proper password crypt() > function. Without '-lcrypt', a different crypt() function (from the C > library, I guess) is used which isn't compatible with the shadow password > suite distributed with Slackware. In Slackware 7, libcrypt is in /lib so > no '-L' flags are needed. > > I believe the solution is to have the configure script check for libcrypt > and link against it if it exists. The ssh-1.2.27 distribution configure > script checks for this library and properly links against it, so it works > correctly. I had problems with this too. The "problem" is actually that Slackware 7 is using an encryption other than the regular 2 char salt + 11 char key; the "$1$" + 8 char salt + "$" + 23 char key. The solutions is to throw --with-md5-passwords at ./configure, then all works fine. The reason -lcrypt also solves the problem is because the crypt() in OpenSSL gets overridden by the crypt() in libcrypt if you explicitly include it. > Sorry, I can't provide any patches, but I'm not an autoconf expert. I've given this issue some thought but I'm still very unsure of what a good solution would be. There isn't really any reason to assume that all entries in the passwd/shadow file use the same or even the desired encryption method so there's no real way to know what to do. Although I guess the --with-md5-passwords could be enabled automagically if configure sees $1$ in the beginning of the password field of any entry in passwd/shadow. This would however require configure to be run with root priviledges, which I don't think is very good. The autodetection could of course be skipped if a user is running configure but then there's not very much use for it in the first place. Or? //Peter -- irc: CareBear\ tel: +46-40-914420 irl: Peter Stuge gsm: +46-705-783805 From provos at citi.umich.edu Wed Jan 3 23:35:43 2001 From: provos at citi.umich.edu (Niels Provos) Date: Wed, 03 Jan 2001 07:35:43 -0500 Subject: patch to support hurd-i386 In-Reply-To: Christian Kurz, Wed, 27 Dec 2000 23:47:58 +0100 Message-ID: <20010103123543.92125207C1@citi.umich.edu> In message <20001227234758.N12722 at seteuid.getuid.de>, Christian Kurz writes: > * Hurd has no MAXHOSTNAME. Two instances replaced by fixed limit, where > only the first N bytes were used, anyway. Two more instances replaced > by a grow-until-fits loop. A better fix would be to just define MAXHOSTNAMELEN. Why make things more complicated than they need to be. Niels. From mouring at etoh.eviladmin.org Thu Jan 4 02:09:14 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 3 Jan 2001 09:09:14 -0600 (CST) Subject: openssh 2.2, fbsd 4.2: incoming data hangs sshd on tty In-Reply-To: <20010103074358.23225.qmail@hyperreal.org> Message-ID: On Tue, 2 Jan 2001 mike at hyperreal.org wrote: > Using the Jan 02 snapshot, and after adding the contents of > contrib/sshd.pam.freebsd to /etc/pam.conf, an out-of-the-box compile of > OpenSSH seems, upon quickly testing, to have resolved the problems I was > experiencing with sshd locking up on me. > > The litmus test was always a copy/paste into an ssh client on a windows box. > Didn't matter if I was connected on the LAN or over a relatively slow DSL > link. > > The new daemon seems to be throttling quite a bit. The paste takes a while to > paint on the screen, whereas before it was lightning-quick, at least until it > locked up. > How much text are you refering to? 100 lines? 500 lines? I've not noticed too much (but I tend to only paste at a max of 80 lines myself). > Should I be concerned? A zmodem file transfer on a link that tests with bing > to get ~50 Mbps only got about 800 kbps. Seems a little slow.. > zmodem over ssh? If so remember there is encryption going on. So the speed of your connection is limited by the speed the machines you are using for your client and server. - Ben From Markus.Friedl at informatik.uni-erlangen.de Thu Jan 4 03:08:35 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 3 Jan 2001 17:08:35 +0100 Subject: SCO OpenServer 5.0.5 port In-Reply-To: ; from mouring@etoh.eviladmin.org on Wed, Jan 03, 2001 at 01:04:16AM -0600 References: Message-ID: <20010103170834.A21578@faui02.informatik.uni-erlangen.de> why skip building sftp-server? just use 32 bit instead and check wether this is enough. On Wed, Jan 03, 2001 at 01:04:16AM -0600, mouring at etoh.eviladmin.org wrote: > > > Here is a patch to skip building sftp-server if there are no 64bit > > data types. > > > A version of this was applied. There was a few minor things that needed > to be cleaned up (if sftp-server was not going to be installed then > sftp-server.8 is kinda worthless to install =). Plus I added a warning at > the end to notify the person that sftp-server will not be installed. > > > It also has some UnixWare 2.x fixes. > > > Applied > > - Ben > > From tim at multitalents.net Thu Jan 4 03:26:05 2001 From: tim at multitalents.net (Tim Rice) Date: Wed, 3 Jan 2001 08:26:05 -0800 (PST) Subject: SCO OpenServer 5.0.5 port In-Reply-To: Message-ID: On Wed, 3 Jan 2001 mouring at etoh.eviladmin.org wrote: > > > Here is a patch to skip building sftp-server if there are no 64bit > > data types. > > > A version of this was applied. There was a few minor things that needed > to be cleaned up (if sftp-server was not going to be installed then > sftp-server.8 is kinda worthless to install =). Plus I added a warning at That was just one of my quirks. I like man pages even if the software is not installed. > the end to notify the person that sftp-server will not be installed. Good idea. > > > It also has some UnixWare 2.x fixes. > > > Applied > > - Ben > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From mouring at etoh.eviladmin.org Thu Jan 4 05:02:26 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 3 Jan 2001 12:02:26 -0600 (CST) Subject: SCO OpenServer 5.0.5 port In-Reply-To: <20010103170834.A21578@faui02.informatik.uni-erlangen.de> Message-ID: On Wed, 3 Jan 2001, Markus Friedl wrote: > why skip building sftp-server? > just use 32 bit instead and check wether this is enough. > Mainly because I was not keen on going through the sftp-server.c code and adding in a bunch of #ifdef to ensure the right thing happen on compilers that lack 64bit int. (Since I don't have access to such a machine to verify the patch) I look at this as a stop gap until either someone from the SCO community writes such a patch or I break down and do it some evening (which won't be for a while). But I'll add it to the TODO list incase someone is looking for a project. =) - Ben From tim at multitalents.net Thu Jan 4 05:17:25 2001 From: tim at multitalents.net (Tim Rice) Date: Wed, 3 Jan 2001 10:17:25 -0800 (PST) Subject: SCO OpenServer 5.0.5 port In-Reply-To: Message-ID: On Wed, 3 Jan 2001 mouring at etoh.eviladmin.org wrote: > On Wed, 3 Jan 2001, Markus Friedl wrote: > > > why skip building sftp-server? > > just use 32 bit instead and check wether this is enough. > > > > Mainly because I was not keen on going through the sftp-server.c code and > adding in a bunch of #ifdef to ensure the right thing happen on compilers > that lack 64bit int. (Since I don't have access to such a machine to > verify the patch) I look at this as a stop gap until either someone > from the SCO community writes such a patch or I break down and do it some > evening (which won't be for a while). Is a 32bit int an acceptable option for sftp-server? If so I'll write a patch. > > But I'll add it to the TODO list incase someone is looking for a > project. =) > > - Ben > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From rmcc at novis.pt Thu Jan 4 06:32:57 2001 From: rmcc at novis.pt (Ricardo Cerqueira) Date: Wed, 3 Jan 2001 19:32:57 +0000 Subject: chroot.diff In-Reply-To: <001b01c075b9$74617f00$0100a8c0@S003>; from SCondorovici@derivion.com on Wed, Jan 03, 2001 at 02:14:53PM -0500 References: <001b01c075b9$74617f00$0100a8c0@S003> Message-ID: <20010103193257.I20896@isp.novis.pt> Hi there, everyone; I've had a few requests for an updated version of my chroot patch. (the version found in contrib is outdated) So, here it goes, updated to 2.3.0p1; "chroot.diff" is a plain diff for session.c (apply, compile and go). "chroot+configure.diff" is the same patch, plus an option to "configure" for enabling/disabling chroot support (./configure --with-chroot). If you use this one, please run autoconf after applying the patch to generate a fresh "configure" script. RC -- +------------------- | Ricardo Cerqueira | PGP Key fingerprint - B7 05 13 CE 48 0A BF 1E 87 21 83 DB 28 DE 03 42 | Novis Telecom - Engenharia ISP / Rede T?cnica | P?. Duque Saldanha, 1, 7? E / 1050-094 Lisboa / Portugal | Tel: +351 2 1010 0000 - Fax: +351 2 1010 4459 -------------- next part -------------- --- openssh-2.3.0p1/session.c Sat Oct 28 04:19:58 2000 +++ openssh-2.3.0p1-chroot/session.c Wed Jan 3 19:29:11 2001 @@ -159,6 +159,8 @@ static login_cap_t *lc; #endif +#define CHROOT + /* * Remove local Xauthority file. */ @@ -1011,6 +1013,10 @@ extern char **environ; struct stat st; char *argv[10]; +#ifdef CHROOT + char *user_dir; + char *new_root; +#endif /* CHROOT */ #ifdef WITH_IRIX_PROJECT prid_t projid; #endif /* WITH_IRIX_PROJECT */ @@ -1076,6 +1082,26 @@ # else /* HAVE_LOGIN_CAP */ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); +# ifdef CHROOT + user_dir = xstrdup(pw->pw_dir); + new_root = user_dir + 1; + + while((new_root = strchr(new_root, '.')) != NULL) { + new_root--; + if(strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + + if(chroot(user_dir) != 0) + fatal("Couldn't chroot to user directory %s", user_dir); + + pw->pw_dir = new_root; + break; + } + new_root += 2; + } +# endif /* CHROOT */ + if (setgid(pw->pw_gid) < 0) { perror("setgid"); exit(1); @@ -1122,7 +1148,6 @@ #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); #endif - #ifdef AFS /* Try to get AFS tokens for the local cell. */ if (k_hasafs()) { -------------- next part -------------- diff -u openssh-2.3.0p1/acconfig.h openssh-2.3.0p1-chroot/acconfig.h --- openssh-2.3.0p1/acconfig.h Wed Oct 18 14:11:44 2000 +++ openssh-2.3.0p1-chroot/acconfig.h Wed Jan 3 19:23:48 2001 @@ -199,6 +199,9 @@ /* Define if you want to allow MD5 passwords */ #undef HAVE_MD5_PASSWORDS +/* Define if you want to use chrooting when a magic token is found */ +#undef CHROOT + /* Define if you want to disable shadow passwords */ #undef DISABLE_SHADOW Only in openssh-2.3.0p1-chroot/: acconfig.h~ diff -u openssh-2.3.0p1/config.h.in openssh-2.3.0p1-chroot/config.h.in --- openssh-2.3.0p1/config.h.in Mon Nov 6 03:25:18 2000 +++ openssh-2.3.0p1-chroot/config.h.in Wed Jan 3 19:23:48 2001 @@ -198,6 +198,9 @@ /* Define if you want to allow MD5 passwords */ #undef HAVE_MD5_PASSWORDS +/* Define if you want to use chrooting when a magic token is found */ +#undef CHROOT + /* Define if you want to disable shadow passwords */ #undef DISABLE_SHADOW Only in openssh-2.3.0p1-chroot/: config.h.in~ diff -u openssh-2.3.0p1/configure openssh-2.3.0p1-chroot/configure --- openssh-2.3.0p1/configure Mon Nov 6 03:25:18 2000 +++ openssh-2.3.0p1-chroot/configure Wed Jan 3 19:23:50 2001 @@ -42,6 +42,8 @@ ac_help="$ac_help --with-md5-passwords Enable use of MD5 passwords" ac_help="$ac_help + --with-chroot Enable user chrooting through magic token" +ac_help="$ac_help --without-shadow Disable shadow password support" ac_help="$ac_help --with-ipaddr-display Use ip address instead of hostname in \$DISPLAY" @@ -3065,7 +3067,7 @@ echo $ac_n "(cached) $ac_c" 1>&6 else cat > conftest.$ac_ext <&5; (eval $ac_compile) 2>&5; }; then +if { (eval echo configure:3700: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then rm -rf conftest* ac_cv_have_u_int64_t="yes" else @@ -6396,6 +6398,24 @@ fi +# Check whether to enable chrooting +CHROOT_MSG="no" +# Check whether --with-chroot or --without-chroot was given. +if test "${with_chroot+set}" = set; then + withval="$with_chroot" + + if test "x$withval" != "xno" ; then + cat >> confdefs.h <<\EOF +#define CHROOT 1 +EOF + + CHROOT_MSG="yes" + fi + + +fi + + # Whether to disable shadow password support # Check whether --with-shadow or --without-shadow was given. if test "${with_shadow+set}" = set; then @@ -7521,6 +7541,7 @@ echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" +echo " Magic token chroot support: $CHROOT_MSG" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Use IPv4 by default hack: $IPV4_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" diff -u openssh-2.3.0p1/configure.in openssh-2.3.0p1-chroot/configure.in --- openssh-2.3.0p1/configure.in Sun Nov 5 09:08:45 2000 +++ openssh-2.3.0p1-chroot/configure.in Wed Jan 3 19:23:50 2001 @@ -1156,6 +1156,18 @@ ] ) +# Check whether to enable chrooting +CHROOT_MSG="no" +AC_ARG_WITH(chroot, + [ --with-chroot Enable user chrooting through magic token], + [ + if test "x$withval" != "xno" ; then + AC_DEFINE(CHROOT) + CHROOT_MSG="yes" + fi + ] +) + # Whether to disable shadow password support AC_ARG_WITH(shadow, [ --without-shadow Disable shadow password support], @@ -1568,6 +1580,7 @@ echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" +echo " Magic token chroot support: $CHROOT_MSG" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Use IPv4 by default hack: $IPV4_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" Only in openssh-2.3.0p1-chroot/: configure.in~ Only in openssh-2.3.0p1-chroot/: configure~ Common subdirectories: openssh-2.3.0p1/contrib and openssh-2.3.0p1-chroot/contrib diff -u openssh-2.3.0p1/session.c openssh-2.3.0p1-chroot/session.c --- openssh-2.3.0p1/session.c Sat Oct 28 04:19:58 2000 +++ openssh-2.3.0p1-chroot/session.c Wed Jan 3 19:23:50 2001 @@ -1011,6 +1011,10 @@ extern char **environ; struct stat st; char *argv[10]; +#ifdef CHROOT + char *user_dir; + char *new_root; +#endif /* CHROOT */ #ifdef WITH_IRIX_PROJECT prid_t projid; #endif /* WITH_IRIX_PROJECT */ @@ -1076,6 +1080,26 @@ # else /* HAVE_LOGIN_CAP */ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); +# ifdef CHROOT + user_dir = xstrdup(pw->pw_dir); + new_root = user_dir + 1; + + while((new_root = strchr(new_root, '.')) != NULL) { + new_root--; + if(strncmp(new_root, "/./", 3) == 0) { + *new_root = '\0'; + new_root += 2; + + if(chroot(user_dir) != 0) + fatal("Couldn't chroot to user directory %s", user_dir); + + pw->pw_dir = new_root; + break; + } + new_root += 2; + } +# endif /* CHROOT */ + if (setgid(pw->pw_gid) < 0) { perror("setgid"); exit(1); @@ -1122,7 +1146,6 @@ #ifdef HAVE_LOGIN_CAP shell = login_getcapstr(lc, "shell", (char *)shell, (char *)shell); #endif - #ifdef AFS /* Try to get AFS tokens for the local cell. */ if (k_hasafs()) { -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 524 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010103/6eeed9e6/attachment.bin From markus.friedl at informatik.uni-erlangen.de Thu Jan 4 07:44:09 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 3 Jan 2001 21:44:09 +0100 Subject: chroot.diff In-Reply-To: <20010103193257.I20896@isp.novis.pt>; from rmcc@novis.pt on Wed, Jan 03, 2001 at 07:32:57PM +0000 References: <001b01c075b9$74617f00$0100a8c0@S003> <20010103193257.I20896@isp.novis.pt> Message-ID: <20010103214409.A13138@folly> hi, what is the rationale for the while() loop? why multiple chroot's? -markus > +# ifdef CHROOT > + user_dir = xstrdup(pw->pw_dir); > + new_root = user_dir + 1; > + > + while((new_root = strchr(new_root, '.')) != NULL) { > + new_root--; > + if(strncmp(new_root, "/./", 3) == 0) { > + *new_root = '\0'; > + new_root += 2; > + > + if(chroot(user_dir) != 0) > + fatal("Couldn't chroot to user directory %s", user_dir); > + > + pw->pw_dir = new_root; > + break; > + } > + new_root += 2; > + } > +# endif /* CHROOT */ From rmcc at novis.pt Thu Jan 4 07:54:31 2001 From: rmcc at novis.pt (Ricardo Cerqueira) Date: Wed, 3 Jan 2001 20:54:31 +0000 Subject: chroot.diff In-Reply-To: <20010103214409.A13138@folly>; from markus.friedl@informatik.uni-erlangen.de on Wed, Jan 03, 2001 at 09:44:09PM +0100 References: <001b01c075b9$74617f00$0100a8c0@S003> <20010103193257.I20896@isp.novis.pt> <20010103214409.A13138@folly> Message-ID: <20010103205431.J20896@isp.novis.pt> On Wed, Jan 03, 2001 at 09:44:09PM +0100, Markus Friedl wrote: > hi, what is the rationale for the while() loop? why multiple chroot's? > There aren't multiple chroots. Just one, when it finds the "magic token" in the userdir. The while cycle runs the full homedir string and chops the first char away in each loop, until the magic token is found (i.e., the first 3 chars of the string are "/./"). When that happens, the magic token gets replaced by a NULL, which in effect transforms the full userdir into the new root. Only then it tries to chroot. RC -- +------------------- | Ricardo Cerqueira | PGP Key fingerprint - B7 05 13 CE 48 0A BF 1E 87 21 83 DB 28 DE 03 42 | Novis Telecom - Engenharia ISP / Rede T?cnica | P?. Duque Saldanha, 1, 7? E / 1050-094 Lisboa / Portugal | Tel: +351 2 1010 0000 - Fax: +351 2 1010 4459 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 524 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010103/206f0822/attachment.bin From markus.friedl at informatik.uni-erlangen.de Thu Jan 4 08:15:13 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 3 Jan 2001 22:15:13 +0100 Subject: [kdo@cosmos.phy.tufts.edu: protocol incompatibility between OpenSSH and SSH secure shell?] In-Reply-To: <200101022140.f02Le1c28486@cosmos.phy.tufts.edu>; from kdo@cosmos.phy.tufts.edu on Tue, Jan 02, 2001 at 04:40:01PM -0500 References: <20010102213708.A14844@folly> <200101022140.f02Le1c28486@cosmos.phy.tufts.edu> Message-ID: <20010103221512.B10649@folly> On Tue, Jan 02, 2001 at 04:40:01PM -0500, Ken Olum wrote: > It's remote port forwarding. I'm expecting the server to listen on > the port. you need to try a recent snapshot for remote port fwding: http://bass.directhit.com/openssh_snap/ From tobias.burnus at physik.fu-berlin.de Thu Jan 4 09:47:43 2001 From: tobias.burnus at physik.fu-berlin.de (Tobias Burnus) Date: Wed, 3 Jan 2001 23:47:43 +0100 (CET) Subject: OpenSSH 2.3 on Tru Unix: Problems Message-ID: Hi, I try to get OpenSSH working on Compaq's Tru64 Unix (alias Digital Unix) Version 5.1. It compiles smootly with OpenSSL-0.9.6, but I observer some odd things. (A) AS SERVER The authenification via .ssh/known_host doesn't work. I have the same sshd_config as on FreeBSD (OpenSSH 2.2.0), where it works. sshd -d -d: ----------- debug1: sshd version OpenSSH_2.3.0p1 ... RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from XXX.XX.XX.XXX port 1019 debug1: Client protocol version 1.5; client software version 1.2.27 debug1: no match: 1.2.27 debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1 debug1: Sent 768 bit public key and 1024 bit host key. debug1: Encryption type: 3des debug1: Received session key; encryption turned on. debug1: Installing crc compensation attack detector. debug1: Attempting authentication for tburnus. This is nice, but I have a .ssh/known_hosts which isn't used. If I connect with SSH Version OpenSSH_2.2.0, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f) from FreeBSD I get the very same result. (B) AS A CLIENT Using OpenSSH as a client (default settings, except Authforward and X11forwarding) I get: Warning: Permanently added the RSA host key for IP address 'XXX.XX.XX.XXX' to the list of known hosts. I don't see this with OpenSSH 2.2 on FreeBSD or with SSH 1.2 on FreeBSD and OSF1. Thanks for you help, Tobias From djm at mindrot.org Thu Jan 4 13:40:36 2001 From: djm at mindrot.org (Damien Miller) Date: Thu, 4 Jan 2001 13:40:36 +1100 (EST) Subject: OpenSSH 2.3 on Tru Unix: Problems In-Reply-To: Message-ID: On Wed, 3 Jan 2001, Tobias Burnus wrote: > Hi, > > I try to get OpenSSH working on Compaq's Tru64 Unix (alias Digital Unix) > Version 5.1. > > It compiles smootly with OpenSSL-0.9.6, but I observer some odd things. > > (A) AS SERVER > The authenification via .ssh/known_host doesn't work. > I have the same sshd_config as on FreeBSD (OpenSSH 2.2.0), where it works. ~/.ssh/known_hosts isn't for user authentication. You want ~/.ssh/authorized_keys and ~/.ssh/authorized_keys for that. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From ruf at tik.ee.ethz.ch Fri Jan 5 00:34:20 2001 From: ruf at tik.ee.ethz.ch (Lukas Ruf) Date: Thu, 4 Jan 2001 14:34:20 +0100 Subject: Installing OpenSSH 2.3.0p1 on Solaris 7 Message-ID: <20010104143420.C13094@ee.ethz.ch> Dear all, trying to install OpenSSH 2.3.0p1 on SunOS 5.7 Generic_106541-12 sun4u sparc SUNW,Ultra-30 always leads to the result ./configure [...] checking for deflate in -lz... no configure: error: *** zlib missing - please install first *** I installed zlib-1.1.3 with its default directories and I also installed openSSL without problems. Strange to me that on Linux 2.2.18 I installed OpenSSH 2.3.0p1 several times already without any problem. Probably, I do need to update the library cache, don't I ? But how ? Any help is greatfully appreaciated -- thanks in advance. Lukas From ruf at tik.ee.ethz.ch Fri Jan 5 00:37:40 2001 From: ruf at tik.ee.ethz.ch (Lukas Ruf) Date: Thu, 4 Jan 2001 14:37:40 +0100 Subject: Problem in openSSL "fixed" Message-ID: <20010104143740.D13094@ee.ethz.ch> Dear all, while installing openssl on SunOS 5.7 Generic_106541-12 sun4u sparc SUNW,Ultra-30 I had to add manually to the generated Makefile the two libraries for EX_LIBS= -lnsl -lsocket for successfully installing openssl. Either I made a mistake with the Configure-call or something other is missing. Who knows ? Kind regards, Lukas From burnus at gmx.de Fri Jan 5 01:27:25 2001 From: burnus at gmx.de (Tobias Burnus) Date: Thu, 04 Jan 2001 15:27:25 +0100 Subject: OpenSSH 2.3 on Tru Unix: Problems References: Message-ID: <3A54884D.6B6CC960@gmx.de> Hi Damien, > > (A) AS SERVER > > The authenification via .ssh/known_host doesn't work. > > I have the same sshd_config as on FreeBSD (OpenSSH 2.2.0), where it works. > ~/.ssh/known_hosts isn't for user authentication. You want > ~/.ssh/authorized_keys and ~/.ssh/authorized_keys for that. Which I actually have (I mixed the file names), but still: It doesn't work to this True Unix computer whereas it works with OpenSSH on FreeBSD and with SSH on FreeBSD and True Unix. Tobias -- This above all: To thine own self be true / And it must follow as the night the day / Thou canst not then be false to any man. From Markus.Friedl at informatik.uni-erlangen.de Fri Jan 5 02:08:40 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 4 Jan 2001 16:08:40 +0100 Subject: ssh-keygen (2.3.0p1) + bus error on solaris? Message-ID: <20010104160839.A24898@faui02.informatik.uni-erlangen.de> hi, i am told that ssh-keygen gets bus errors on solaris 2.6? has anyone heard about this before? thanks -markus From a.d.stribblehill at durham.ac.uk Fri Jan 5 02:24:10 2001 From: a.d.stribblehill at durham.ac.uk (Andrew Stribblehill) Date: Thu, 4 Jan 2001 15:24:10 +0000 Subject: ssh-keygen (2.3.0p1) + bus error on solaris? In-Reply-To: <20010104160839.A24898@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Thu, Jan 04, 2001 at 04:08:40PM +0100 References: <20010104160839.A24898@faui02.informatik.uni-erlangen.de> Message-ID: <20010104152410.I31008@womble.dur.ac.uk> Quoting Markus Friedl : > hi, > > i am told that ssh-keygen gets bus errors on solaris 2.6? > has anyone heard about this before? Our E450 running Solaris 2.6 creates .ssh/{identity,id_dsa}{,.pub} with no problems, using 2.3.0p1. Get in touch if you want us to run any more tests. Cheerio, Andrew Stribblehill Systems Programmer, IT Service, University of Durham, England From mouring at etoh.eviladmin.org Fri Jan 5 04:06:33 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 4 Jan 2001 11:06:33 -0600 (CST) Subject: OpenSSH 2.3 on Tru Unix: Problems In-Reply-To: <3A54884D.6B6CC960@gmx.de> Message-ID: On Thu, 4 Jan 2001, Tobias Burnus wrote: > Hi Damien, > > > > (A) AS SERVER > > > The authenification via .ssh/known_host doesn't work. > > > I have the same sshd_config as on FreeBSD (OpenSSH 2.2.0), where it works. > > ~/.ssh/known_hosts isn't for user authentication. You want > > ~/.ssh/authorized_keys and ~/.ssh/authorized_keys for that. > Which I actually have (I mixed the file names), but still: It doesn't > work to this True Unix computer whereas it works with OpenSSH on FreeBSD > and with SSH on FreeBSD and True Unix. > Check the permissions of authorized_keys and authorized_keys2 They *MUST* not be read/write/excutable by group or other. Otherwise it will fail. I almost wonder (since I've make this mistake before) if we should not product some sort of warning that the authorized_key* have the wrong permission. From tim at multitalents.net Fri Jan 5 03:27:09 2001 From: tim at multitalents.net (Tim Rice) Date: Thu, 4 Jan 2001 08:27:09 -0800 (PST) Subject: Problem in openSSL "fixed" In-Reply-To: <20010104143740.D13094@ee.ethz.ch> Message-ID: It works here. SunOS sun1 5.7 Generic_106541-08 sun4m sparc SUNW,SPARCstation-5 Are you using gcc or the sun compiler? On Thu, 4 Jan 2001, Lukas Ruf wrote: > Dear all, > > while installing openssl on > SunOS 5.7 Generic_106541-12 sun4u sparc SUNW,Ultra-30 > I had to add manually to the generated Makefile the two libraries for > EX_LIBS= -lnsl -lsocket > for successfully installing openssl. > > Either I made a mistake with the Configure-call or something other is > missing. > > Who knows ? > > Kind regards, > > Lukas > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From jesus at omniti.com Fri Jan 5 05:36:42 2001 From: jesus at omniti.com (Theo E. Schlossnagle) Date: Thu, 04 Jan 2001 13:36:42 -0500 Subject: SecurID patch. References: Message-ID: <3A54C2D0.E8DD47CB@omniti.com> Damien Miller wrote: > > What are the chances of getting the SecurID patch integrated into > > OpenSSH? I think I asked before and was told that it could be done > > with PAM, but I (and others) are not satisfied with the PAM support. > > What is wrong with the PAM support? Have you tried the > KbdInteractive support in the snapshots? The PAM supports for SecurID is okay. I have no direct complaints about that... I am having all sorts of trouble getting this work right. It sort of works with openssh->openssh, but all of the clients that I have to support are legacy ssh1 clients -- Windows clients and unix ssh.com ssh1.2.27 clients. Is this explicitly not supported under protocol 1? -- Theo Schlossnagle 1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E 2DC2 72C2 AD05 A8EB CF8F 2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7 From tim at multitalents.net Fri Jan 5 07:04:51 2001 From: tim at multitalents.net (Tim Rice) Date: Thu, 4 Jan 2001 12:04:51 -0800 (PST) Subject: compiler warnings In-Reply-To: Message-ID: (Jan 3 CVS version) Several of my platforms are generating warnings. Most of these warnings seem like some mixing of char and u_char in the usage of key_from_blob() and buffer_get_string() cc -g -I/usr/local/include -I/usr/local/ssl/include -I. -Isrc -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c src/authfd.c UX:acomp: WARNING: "src/authfd.c", line 300: assignment type mismatch UX:acomp: WARNING: "src/authfd.c", line 302: argument is incompatible with prototype: arg #1 UX:acomp: WARNING: "src/authfd.c", line 410: argument is incompatible with prototype: arg #2 UX:acomp: WARNING: "src/authfd.c", line 410: assignment type mismatch cc -g -I/usr/local/include -I/usr/local/ssl/include -I. -Isrc -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c src/authfile.c UX:acomp: WARNING: "src/authfile.c", line 190: argument is incompatible with prototype: arg #4 UX:acomp: WARNING: "src/authfile.c", line 194: argument is incompatible with prototype: arg #4 cc -g -I/usr/local/include -I/usr/local/ssl/include -I. -Isrc -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c src/key.c UX:acomp: WARNING: "src/key.c", line 182: argument is incompatible with prototype: arg #3 UX:acomp: WARNING: "src/key.c", line 331: argument is incompatible with prototype: arg #1 UX:acomp: WARNING: "src/key.c", line 399: argument is incompatible with prototype: arg #3 UX:acomp: WARNING: "src/key.c", line 401: argument is incompatible with prototype: arg #3 cc -g -I/usr/local/include -I/usr/local/ssl/include -I. -Isrc -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c src/entropy.c UX:acomp: WARNING: "src/entropy.c", line 464: argument is incompatible with prototype: arg #1 UX:acomp: WARNING: "src/entropy.c", line 569: argument is incompatible with prototype: arg #1 UX:acomp: WARNING: "src/entropy.c", line 785: assignment type mismatch UX:acomp: WARNING: "src/entropy.c", line 793: argument is incompatible with prototype: arg #2 cc -g -I/usr/local/include -I/usr/local/ssl/include -I. -Isrc -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c src/uuencode.c UX:acomp: WARNING: "src/uuencode.c", line 64: argument is incompatible with prototype: arg #3 cc -g -I/usr/local/include -I/usr/local/ssl/include -I. -Isrc -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c src/sshconnect2.c UX:acomp: WARNING: "src/sshconnect2.c", line 519: argument is incompatible with prototype: arg #1 UX:acomp: WARNING: "src/sshconnect2.c", line 654: argument is incompatible with prototype: arg #3 UX:acomp: WARNING: "src/sshconnect2.c", line 662: argument is incompatible with prototype: arg #2 UX:acomp: WARNING: "src/sshconnect2.c", line 684: argument is incompatible with prototype: arg #5 UX:acomp: WARNING: "src/sshconnect2.c", line 695: argument is incompatible with prototype: arg #2 cc -g -I/usr/local/include -I/usr/local/ssl/include -I. -Isrc -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c src/auth2.c UX:acomp: WARNING: "src/auth2.c", line 462: argument is incompatible with prototype: arg #2 UX:acomp: WARNING: "src/auth2.c", line 486: argument is incompatible with prototype: arg #2 UX:acomp: WARNING: "src/auth2.c", line 486: argument is incompatible with prototype: arg #4 cc -g -I/usr/local/include -I/usr/local/ssl/include -I. -Isrc -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c src/auth-rhosts.c UX:acomp: WARNING: "src/auth-rhosts.c", line 110: argument is incompatible with prototype: arg #2 UX:acomp: WARNING: "src/auth-rhosts.c", line 111: argument is incompatible with prototype: arg #2 UX:acomp: WARNING: "src/auth-rhosts.c", line 118: argument is incompatible with prototype: arg #3 cc -g -I/usr/local/include -I/usr/local/ssl/include -I. -Isrc -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c src/ssh-keygen.c UX:acomp: WARNING: "src/ssh-keygen.c", line 154: argument is incompatible with prototype: arg #3 cc -g -I/usr/local/include -I/usr/local/ssl/include -I. -Isrc -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c src/ssh-agent.c UX:acomp: WARNING: "src/ssh-agent.c", line 246: assignment type mismatch UX:acomp: WARNING: "src/ssh-agent.c", line 247: assignment type mismatch UX:acomp: WARNING: "src/ssh-agent.c", line 253: argument is incompatible with prototype: arg #1 UX:acomp: WARNING: "src/ssh-agent.c", line 257: argument is incompatible with prototype: arg #3 UX:acomp: WARNING: "src/ssh-agent.c", line 299: assignment type mismatch UX:acomp: WARNING: "src/ssh-agent.c", line 300: argument is incompatible with prototype: arg #1 -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From tim at multitalents.net Fri Jan 5 07:06:03 2001 From: tim at multitalents.net (Tim Rice) Date: Thu, 4 Jan 2001 12:06:03 -0800 (PST) Subject: caldera rpm pieces Message-ID: Here are some contrib files to build rpms on Caldera eDesktpop 2.4 -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net -------------- next part -------------- A non-text attachment was scrubbed... Name: caldera.tgz Type: application/octet-stream Size: 4129 bytes Desc: Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010104/61336b5e/attachment.obj From tim at multitalents.net Fri Jan 5 07:13:36 2001 From: tim at multitalents.net (Tim Rice) Date: Thu, 4 Jan 2001 12:13:36 -0800 (PST) Subject: UnixWare 2.03 patch Message-ID: Here is a patch to help UnixWare 2.03 along. No if we could only change utimes() back to utime() in scp.c & sftp-server.c we would have a working versin for Unixware 2.03 and SCO 3.2v4.2 -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net -------------- next part -------------- --- defines.h.old Wed Jan 3 17:33:52 2001 +++ defines.h Wed Jan 3 17:41:28 2001 @@ -360,6 +360,10 @@ # define memmove(s1, s2, n) bcopy((s2), (s1), (n)) #endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */ +#if defined(HAVE_MEMMOVE) && !defined(HAVE_BCOPY) +#define bcopy(b1,b2,length) (void) memmove ((b2), (b1), (length)) +#endif /* defined(HAVE_MEMMOVE) && !defined(HAVE_BCOPY) */ + #if !defined(HAVE_ATEXIT) && defined(HAVE_ON_EXIT) # define atexit(a) on_exit(a) #else From plange at uol.com.br Fri Jan 5 04:29:50 2001 From: plange at uol.com.br (Paulo Ricardo Lange) Date: Thu, 04 Jan 2001 15:29:50 -0200 Subject: Problem... Message-ID: <3A54B30E.34A8B531@uol.com.br> Hi, i have a problem when i try to connect a machine by SSH. The message is: /dev/pts/0: 3004-004 You must "exec" login from the lowest login shell. Closed connection to X.X.X.X Help me, please! Tks Paulo Lange From mouring at etoh.eviladmin.org Fri Jan 5 09:14:15 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 4 Jan 2001 16:14:15 -0600 (CST) Subject: UnixWare 2.03 patch In-Reply-To: Message-ID: On Thu, 4 Jan 2001, Tim Rice wrote: > > Here is a patch to help UnixWare 2.03 along. > > No if we could only change utimes() back to utime() in scp.c & sftp-server.c > we would have a working versin for Unixware 2.03 and SCO 3.2v4.2 > One could always write a utime() emulation via utimes(). From Jeff.Snipes at walgreens.com Thu Jan 4 11:20:08 2001 From: Jeff.Snipes at walgreens.com (Jeff.Snipes at walgreens.com) Date: Wed, 3 Jan 2001 18:20:08 -0600 Subject: 'make' fails on SCO OpenServer 5.0.5 Message-ID: Hi folks, I'm trying to install OpenSSH 2.3.0 on a SCO OpenServer Release 3.2 v.5.0.5 box. I downloaded the tarball from the 'portable' directory and uncompressed. ./configure --with-egd-pool=/dev/random <-- works with no errors. Output attached here: (See attached file: output.txt) make displays: root:/tmp/OpenSSH/openssh-2.3.0p1 # make cc -g -I. -I. -I/usr/local/include -I/usr/local/ssl/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT =\"/usr/local/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c bsd-arc4random.c "./defines.h", line 174: #error: "64 bit int type not found." *** Error code 1 (bu21) I'm doing all this per the instructions in Sysadmin Magazine October 2000 in the article "Installing and Configuring OpenSSH". Also from reading the appropriate INSTALL and README files. I previously downloaded and installed OpenSSL, Zlib, and egd with no problems. Thanks for any help. Jeff Snipes SCO/Linux Administration The Frozen North aka Chicago Area -------------- next part -------------- A non-text attachment was scrubbed... Name: output.txt Type: application/octet-stream Size: 9614 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010103/5e0e08f8/attachment.obj From gert at greenie.muc.de Fri Jan 5 10:20:34 2001 From: gert at greenie.muc.de (Gert Doering) Date: Fri, 5 Jan 2001 00:20:34 +0100 Subject: UnixWare 2.03 patch In-Reply-To: ; from mouring@etoh.eviladmin.org on Thu, Jan 04, 2001 at 04:14:15PM -0600 References: Message-ID: <20010105002034.U1394@greenie.muc.de> Hi, On Thu, Jan 04, 2001 at 04:14:15PM -0600, mouring at etoh.eviladmin.org wrote: > On Thu, 4 Jan 2001, Tim Rice wrote: > > Here is a patch to help UnixWare 2.03 along. > > > > No if we could only change utimes() back to utime() in scp.c & sftp-server.c > > we would have a working versin for Unixware 2.03 and SCO 3.2v4.2 > > > One could always write a utime() emulation via utimes(). Yes, but this leaves my previous question unanswered: why bother with emulating utimes() via utime(), instead of using the more portable utime() directly? The only benefit of utimes() is the millisecond resolution, which OpenSSH doesn't use (at least not last time I checked, tv_usec was explicitely set to 0). gert -- Gert Doering Mobile communications ... right now writing from *Aichach* ... mobile phone: +49 177 2160221 ... or mail me: gert at greenie.muc.de From djm at mindrot.org Fri Jan 5 09:31:18 2001 From: djm at mindrot.org (Damien Miller) Date: Fri, 5 Jan 2001 09:31:18 +1100 (EST) Subject: OpenSSH 2.3 on Tru Unix: Problems In-Reply-To: <3A54884D.6B6CC960@gmx.de> Message-ID: On Thu, 4 Jan 2001, Tobias Burnus wrote: > Which I actually have (I mixed the file names), but still: It doesn't > work to this True Unix computer whereas it works with OpenSSH on FreeBSD > and with SSH on FreeBSD and True Unix. What are the permissions on the .ssh/authorized_keys{,2} files? -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From mouring at etoh.eviladmin.org Fri Jan 5 10:31:05 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 4 Jan 2001 17:31:05 -0600 (CST) Subject: UnixWare 2.03 patch In-Reply-To: <20010105002034.U1394@greenie.muc.de> Message-ID: On Fri, 5 Jan 2001, Gert Doering wrote: > Hi, > > On Thu, Jan 04, 2001 at 04:14:15PM -0600, mouring at etoh.eviladmin.org wrote: > > On Thu, 4 Jan 2001, Tim Rice wrote: > > > Here is a patch to help UnixWare 2.03 along. > > > > > > No if we could only change utimes() back to utime() in scp.c & sftp-server.c > > > we would have a working versin for Unixware 2.03 and SCO 3.2v4.2 > > > > > One could always write a utime() emulation via utimes(). > > Yes, but this leaves my previous question unanswered: why bother with > emulating utimes() via utime(), instead of using the more portable utime() > directly? > > The only benefit of utimes() is the millisecond resolution, which > OpenSSH doesn't use (at least not last time I checked, tv_usec was > explicitely set to 0). > Either way... We will need to emulate one or the other. Personally I could careless which one we use. Again, the only reason why it's utimes() is because sftp-server.c used it and I asked if we could be consistant. And a lot more platforms support it due to it's BSD history. It's just oddballs like SCO that don't tend to implement complete BSD API alongside SysV. - Ben From djm at mindrot.org Fri Jan 5 09:32:40 2001 From: djm at mindrot.org (Damien Miller) Date: Fri, 5 Jan 2001 09:32:40 +1100 (EST) Subject: SecurID patch. In-Reply-To: <3A54C2D0.E8DD47CB@omniti.com> Message-ID: On Thu, 4 Jan 2001, Theo E. Schlossnagle wrote: > Damien Miller wrote: > > > What are the chances of getting the SecurID patch integrated into > > > OpenSSH? I think I asked before and was told that it could be done > > > with PAM, but I (and others) are not satisfied with the PAM support. > > > > What is wrong with the PAM support? Have you tried the > > KbdInteractive support in the snapshots? > > The PAM supports for SecurID is okay. I have no direct complaints about > that... > > I am having all sorts of trouble getting this work right. It sort of works > with openssh->openssh, but all of the clients that I have to support are > legacy ssh1 clients -- Windows clients and unix ssh.com ssh1.2.27 clients. Is > this explicitly not supported under protocol 1? There is no clean way of doing it in protocol 1, unless you do it in login.8 -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From peter at ifm.liu.se Fri Jan 5 09:40:32 2001 From: peter at ifm.liu.se (Peter Eriksson) Date: Thu, 4 Jan 2001 23:40:32 +0100 (MET) Subject: Patch to allow openssh-2.2.0-p1 to be started from /etc/inittab Message-ID: <200101042240.XAA10134@homer.ifm.liu.se> The following patch allows OpenSSH 2.2.0-p1 to be started (and managed) from /etc/inittab (by "init") on systems which support that. This is useful when you *really* want SSHD to always run since it will be automatically restarted by "init" if it dies (and if "init" dies the the systems dies :-). I use a line (in /etc/inittab) like this on Solaris systems: ss:234:respawn:/usr/local/sbin/sshd What the patch does is that it checks if it was started from process #1, and then avoids the fork() to put itself into the background. It also avoids writing to stderr and ignores errors from the setsid() call (which will fail, atleast on Solaris 7 and 8). - Peter Eriksson diff -c -r openssh-2.2.0p1/bsd-daemon.c openssh-2.2.0p1-pen1/bsd-daemon.c *** openssh-2.2.0p1/bsd-daemon.c Wed Aug 30 00:21:22 2000 --- openssh-2.2.0p1-pen1/bsd-daemon.c Thu Jan 4 23:32:52 2001 *************** *** 70,74 **** return (0); } ! #endif /* !HAVE_DAEMON */ --- 70,111 ---- return (0); } ! #endif ! ! int ! sshd_daemon(nochdir, noclose) ! int nochdir, noclose; ! { ! int fd; ! ! if (getppid() != 1) ! { ! switch (fork()) { ! case -1: ! return (-1); ! case 0: ! break; ! default: ! _exit(0); ! } ! } ! ! signal(SIGTTOU, SIG_IGN); ! signal(SIGTTIN, SIG_IGN); ! ! if (setsid() == -1 && getppid() != 1) ! return (-1); ! ! if (!nochdir) ! (void)chdir("/"); ! ! if (!noclose && (fd = open(_PATH_DEVNULL, O_RDWR, 0)) != -1) { ! (void)dup2(fd, STDIN_FILENO); ! (void)dup2(fd, STDOUT_FILENO); ! (void)dup2(fd, STDERR_FILENO); ! if (fd > 2) ! (void)close (fd); ! } ! return (0); ! } diff -c -r openssh-2.2.0p1/bsd-daemon.h openssh-2.2.0p1-pen1/bsd-daemon.h *** openssh-2.2.0p1/bsd-daemon.h Fri Nov 19 05:32:34 1999 --- openssh-2.2.0p1-pen1/bsd-daemon.h Thu Jan 4 23:31:35 2001 *************** *** 6,9 **** --- 6,11 ---- int daemon(int nochdir, int noclose); #endif /* !HAVE_DAEMON */ + int sshd_daemon(int nochdir, int noclose); + #endif /* _BSD_DAEMON_H */ diff -c -r openssh-2.2.0p1/sshd.c openssh-2.2.0p1-pen1/sshd.c *** openssh-2.2.0p1/sshd.c Tue Aug 29 02:05:50 2000 --- openssh-2.2.0p1-pen1/sshd.c Thu Jan 4 23:30:46 2001 *************** *** 552,558 **** log_init(av0, options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility, ! !silent && !inetd_flag); /* Read server configuration options from the configuration file. */ read_server_config(&options, config_file_name); --- 552,558 ---- log_init(av0, options.log_level == -1 ? SYSLOG_LEVEL_INFO : options.log_level, options.log_facility == -1 ? SYSLOG_FACILITY_AUTH : options.log_facility, ! !silent && !inetd_flag && getppid() != 1); /* Read server configuration options from the configuration file. */ read_server_config(&options, config_file_name); *************** *** 633,639 **** } /* Initialize the log (it is reinitialized below in case we forked). */ ! if (debug_flag && !inetd_flag) log_stderr = 1; log_init(av0, options.log_level, options.log_facility, log_stderr); --- 633,639 ---- } /* Initialize the log (it is reinitialized below in case we forked). */ ! if (debug_flag && !inetd_flag && getppid() != 1) log_stderr = 1; log_init(av0, options.log_level, options.log_facility, log_stderr); *************** *** 646,652 **** #ifdef TIOCNOTTY int fd; #endif /* TIOCNOTTY */ ! if (daemon(0, 0) < 0) fatal("daemon() failed: %.200s", strerror(errno)); /* Disconnect from the controlling tty. */ --- 646,652 ---- #ifdef TIOCNOTTY int fd; #endif /* TIOCNOTTY */ ! if (sshd_daemon(0, 0) < 0) fatal("daemon() failed: %.200s", strerror(errno)); /* Disconnect from the controlling tty. */ From djm at mindrot.org Fri Jan 5 09:41:09 2001 From: djm at mindrot.org (Damien Miller) Date: Fri, 5 Jan 2001 09:41:09 +1100 (EST) Subject: Installing OpenSSH 2.3.0p1 on Solaris 7 In-Reply-To: <20010104143420.C13094@ee.ethz.ch> Message-ID: On Thu, 4 Jan 2001, Lukas Ruf wrote: > Dear all, > > trying to install OpenSSH 2.3.0p1 on > SunOS 5.7 Generic_106541-12 sun4u sparc SUNW,Ultra-30 > always leads to the result > ./configure > [...] > checking for deflate in -lz... no > configure: error: *** zlib missing - please install first *** Have a look in config.log, it should have a more detailed error message. You may need to specify LDFLAGS=-L/path/to/zlib ./configure [options] -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From tim at multitalents.net Fri Jan 5 09:41:34 2001 From: tim at multitalents.net (Tim Rice) Date: Thu, 4 Jan 2001 14:41:34 -0800 (PST) Subject: UnixWare 2.03 patch In-Reply-To: Message-ID: On Thu, 4 Jan 2001 mouring at etoh.eviladmin.org wrote: > > > On Thu, 4 Jan 2001, Tim Rice wrote: > > > > > Here is a patch to help UnixWare 2.03 along. > > > > No if we could only change utimes() back to utime() in scp.c & sftp-server.c > > we would have a working versin for Unixware 2.03 and SCO 3.2v4.2 > > > One could always write a utime() emulation via utimes(). Don't you mean a utimes() emulation via utime()? All the systems I have encountered with utimes, also have utime. But not all systems have utimes. Some have utime only. > > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From djm at mindrot.org Fri Jan 5 09:43:10 2001 From: djm at mindrot.org (Damien Miller) Date: Fri, 5 Jan 2001 09:43:10 +1100 (EST) Subject: ssh-keygen (2.3.0p1) + bus error on solaris? In-Reply-To: <20010104160839.A24898@faui02.informatik.uni-erlangen.de> Message-ID: On Thu, 4 Jan 2001, Markus Friedl wrote: > hi, > > i am told that ssh-keygen gets bus errors on solaris 2.6? > has anyone heard about this before? Most segfaults and bus errors have been caused by binary openssh with a different version of openssl. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From mouring at etoh.eviladmin.org Fri Jan 5 10:42:50 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 4 Jan 2001 17:42:50 -0600 (CST) Subject: caldera rpm pieces In-Reply-To: Message-ID: On Thu, 4 Jan 2001, Tim Rice wrote: > > Here are some contrib files to build rpms on Caldera eDesktpop 2.4 > > Applied. From Markus.Friedl at informatik.uni-erlangen.de Fri Jan 5 09:44:36 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 4 Jan 2001 23:44:36 +0100 Subject: Patch to allow openssh-2.2.0-p1 to be started from /etc/inittab In-Reply-To: <200101042240.XAA10134@homer.ifm.liu.se>; from peter@ifm.liu.se on Thu, Jan 04, 2001 at 11:40:32PM +0100 References: <200101042240.XAA10134@homer.ifm.liu.se> Message-ID: <20010104234436.B12597@faui02.informatik.uni-erlangen.de> On Thu, Jan 04, 2001 at 11:40:32PM +0100, Peter Eriksson wrote: > ss:234:respawn:/usr/local/sbin/sshd a recent snapshot from http://bass.directhit.com/openssh_snap/ supports the -D option, e.g.: ss:234:respawn:/usr/local/sbin/sshd -D -markus From Donald.Smith at qwest.com Fri Jan 5 08:19:21 2001 From: Donald.Smith at qwest.com (Smith, Donald ) Date: Thu, 4 Jan 2001 14:19:21 -0700 Subject: SecurID patch. Message-ID: <2D00AD0E4D36D411BD300008C786E424012582BC@Denntex021.qwest.net> Theo can you be more specfic? I have been working on the ssh1.2.30 with securid patch for a while now and it works fine. I am in the process of loading your patch on a openssh2.3 right now and if your haveing problems it would be helpful to know what errors your getting. Donald.Smith at qwest.com IP Engineering Security 303-226-9939/0688 Office/Fax 720-320-1537 cell > -----Original Message----- > From: Theo E. Schlossnagle [mailto:jesus at omniti.com] > Sent: Thursday, January 04, 2001 11:37 AM > To: Damien Miller > Cc: openssh-unix-dev at mindrot.org > Subject: Re: SecurID patch. > > > Damien Miller wrote: > > > What are the chances of getting the SecurID patch integrated into > > > OpenSSH? I think I asked before and was told that it > could be done > > > with PAM, but I (and others) are not satisfied with the > PAM support. > > > > What is wrong with the PAM support? Have you tried the > > KbdInteractive support in the snapshots? > > The PAM supports for SecurID is okay. I have no direct > complaints about > that... > > I am having all sorts of trouble getting this work right. It > sort of works > with openssh->openssh, but all of the clients that I have to > support are > legacy ssh1 clients -- Windows clients and unix ssh.com > ssh1.2.27 clients. Is > this explicitly not supported under protocol 1? > > -- > Theo Schlossnagle > 1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E 2DC2 72C2 AD05 A8EB CF8F > 2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7 > From djm at mindrot.org Fri Jan 5 09:50:08 2001 From: djm at mindrot.org (Damien Miller) Date: Fri, 5 Jan 2001 09:50:08 +1100 (EST) Subject: Patch to allow openssh-2.2.0-p1 to be started from /etc/inittab In-Reply-To: <200101042240.XAA10134@homer.ifm.liu.se> Message-ID: On Thu, 4 Jan 2001, Peter Eriksson wrote: > The following patch allows OpenSSH 2.2.0-p1 to be started (and managed) > from /etc/inittab (by "init") on systems which support that. This is > useful when you *really* want SSHD to always run since it will be > automatically restarted by "init" if it dies (and if "init" dies the > the systems dies :-). Support for this is already in the snapshot releases (the -D option). Thanks, Damien Miller -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From tim at multitalents.net Fri Jan 5 09:52:25 2001 From: tim at multitalents.net (Tim Rice) Date: Thu, 4 Jan 2001 14:52:25 -0800 (PST) Subject: UnixWare 2.03 patch In-Reply-To: Message-ID: On Thu, 4 Jan 2001 mouring at etoh.eviladmin.org wrote: > On Fri, 5 Jan 2001, Gert Doering wrote: > > > Hi, > > > > On Thu, Jan 04, 2001 at 04:14:15PM -0600, mouring at etoh.eviladmin.org wrote: > > > On Thu, 4 Jan 2001, Tim Rice wrote: > > > > Here is a patch to help UnixWare 2.03 along. > > > > > > > > No if we could only change utimes() back to utime() in scp.c & sftp-server.c > > > > we would have a working versin for Unixware 2.03 and SCO 3.2v4.2 > > > > > > > One could always write a utime() emulation via utimes(). > > > > Yes, but this leaves my previous question unanswered: why bother with > > emulating utimes() via utime(), instead of using the more portable utime() > > directly? > > > > The only benefit of utimes() is the millisecond resolution, which > > OpenSSH doesn't use (at least not last time I checked, tv_usec was > > explicitely set to 0). > > > Either way... We will need to emulate one or the other. Personally I All the systems I have encountered with utimes, also have utime. But not all systems have utimes. Some have utime only. Are there any system that have utimes but not utime? > could careless which one we use. Again, the only reason why it's > utimes() is because sftp-server.c used it and I asked if we could be > consistant. And a lot more platforms support it due to it's BSD > history. It's just oddballs like SCO that don't tend to implement > complete BSD API alongside SysV. > > - Ben > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From mouring at etoh.eviladmin.org Fri Jan 5 10:52:48 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 4 Jan 2001 17:52:48 -0600 (CST) Subject: UnixWare 2.03 patch In-Reply-To: Message-ID: On Thu, 4 Jan 2001, Tim Rice wrote: > On Thu, 4 Jan 2001 mouring at etoh.eviladmin.org wrote: > > > On Fri, 5 Jan 2001, Gert Doering wrote: > > > > > Hi, > > > > > > On Thu, Jan 04, 2001 at 04:14:15PM -0600, mouring at etoh.eviladmin.org wrote: > > > > On Thu, 4 Jan 2001, Tim Rice wrote: > > > > > Here is a patch to help UnixWare 2.03 along. > > > > > > > > > > No if we could only change utimes() back to utime() in scp.c & sftp-server.c > > > > > we would have a working versin for Unixware 2.03 and SCO 3.2v4.2 > > > > > > > > > One could always write a utime() emulation via utimes(). > > > > > > Yes, but this leaves my previous question unanswered: why bother with > > > emulating utimes() via utime(), instead of using the more portable utime() > > > directly? > > > > > > The only benefit of utimes() is the millisecond resolution, which > > > OpenSSH doesn't use (at least not last time I checked, tv_usec was > > > explicitely set to 0). > > > > > Either way... We will need to emulate one or the other. Personally I > > All the systems I have encountered with utimes, also have utime. > But not all systems have utimes. Some have utime only. > Are there any system that have utimes but not utime? > NeXTStep for one So which ever we pick we will have to provide some form of emulation. - Ben From jesus at omniti.com Fri Jan 5 10:07:45 2001 From: jesus at omniti.com (Theo E. Schlossnagle) Date: Thu, 04 Jan 2001 18:07:45 -0500 Subject: SecurID patch. References: <2D00AD0E4D36D411BD300008C786E424012582BC@Denntex021.qwest.net> Message-ID: <3A550257.9B305A3@omniti.com> Actually, what I am talking about is integrating the SecurID patches into OpenSSH. The question was posed "what is wrong with PAM+kbdinteractive" So, my answer is that it doesn't support protocol 1, which is necessary for me. Using login is not an option because it screws with things like scp and cvs and rsync. My SecurID patches work fine AFAIK. I have no problems with them and I haven't received any bug reports. I just want to know if the patches I wrote for SecurID could be integrated into the OpenSSH distribution so that I don't have to port them to each new release and can just fix things in a more developmental manner. I *do not* want to tell the maintainer what to do -- I am the maintainer of more an one project and I know that is not my place. I *do* think they are worthwhile having in the OpenSSH dist because the PAM support doesn't cut it. Frankly, we all know it is easier to maintain something inside a project than it is to maintain a patchset -- ecspecially one that requires autoconf to be run. I run openssh-2.3.0p1 and 2.2.0p1 with SecurID patch on over 50 machines and I have not once had a problem. But, I cannot, for the life of me, get any acceptable operation from a ssh-1.2.xx or Windows protocol 1 client to OpenSSH using a PAM SecurID module. As a side note, I have trouble with the kbdinteractive mode using protocol 2 from OpenSSH client -> OpenSSH server. "Smith, Donald" wrote: > Theo can you be more specfic? > I have been working on the ssh1.2.30 with securid patch for a while now and > it works fine. > I am in the process of loading your patch on a openssh2.3 right now and if > your haveing > problems it would be helpful to know what errors your getting. -- Theo Schlossnagle 1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E 2DC2 72C2 AD05 A8EB CF8F 2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7 From tim at multitalents.net Fri Jan 5 10:13:35 2001 From: tim at multitalents.net (Tim Rice) Date: Thu, 4 Jan 2001 15:13:35 -0800 (PST) Subject: UnixWare 2.03 patch In-Reply-To: Message-ID: On Thu, 4 Jan 2001 mouring at etoh.eviladmin.org wrote: > On Thu, 4 Jan 2001, Tim Rice wrote: > [snip] > > > Either way... We will need to emulate one or the other. Personally I > > > > All the systems I have encountered with utimes, also have utime. > > But not all systems have utimes. Some have utime only. > > Are there any system that have utimes but not utime? > > > NeXTStep for one > > So which ever we pick we will have to provide some form of > emulation. openbsd's utime.c is ~20 lines (not counting copyright notice) that ends with "return (utimes(path, tvp));" Perhaps openbsd's utime.c would work for NeXTStep. > > - Ben > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From stevesk at pobox.com Fri Jan 5 10:38:56 2001 From: stevesk at pobox.com (Kevin Steves) Date: Fri, 5 Jan 2001 00:38:56 +0100 (CET) Subject: OpenSSH 2.4.0 patch call.. In-Reply-To: Message-ID: On Tue, 2 Jan 2001 mouring at etoh.eviladmin.org wrote: : > should we revert back to signal there? we could also remove : > bsd-sigaction. : : Nope.. cli.c uses sigaction() so even removing it from scp.c NeXT still : needs sigaction() to handle cli.c correctly. ok, i missed that one. is it feasable to move entirely to sigaction() and emulate with sigvec() if needed? From johnnyb at wolfram.com Fri Jan 5 10:39:28 2001 From: johnnyb at wolfram.com (Jonathan Bartlett) Date: Thu, 4 Jan 2001 17:39:28 -0600 (CST) Subject: patch for the HURD Message-ID: This is a small/trivial patch to get HURD to _compile_ (I haven't gotten PRNG to work yet) openssh. All it does is define MAXHOSTNAMELEN in defines.h if it isn't already defined (there may need to be a library loaded first, or you may want to incorporate that patch into canohost.c instead of defines.h). Anyway, small patch for canohost.c and defines.h because HURD doesn't use MAXHOSTNAMELEN Jonathan Bartlett -- PGP information is available at http://members.wri.com/johnnyb/about/ -------------- next part -------------- --- canohost.c Fri Oct 27 22:19:58 2000 +++ canohost-new.c Thu Jan 4 11:24:26 2001 @@ -11,6 +11,7 @@ * called by a name other than "ssh" or "Secure Shell". */ +#include "config.h" #include "includes.h" RCSID("$OpenBSD: canohost.c,v 1.16 2000/10/21 17:04:22 markus Exp $"); -------------- next part -------------- --- defines.h Thu Oct 19 17:14:05 2000 +++ defines-new.h Thu Jan 4 11:21:58 2001 @@ -6,6 +6,7 @@ # define _REENTRANT 1 #endif + /* Necessary headers */ #include /* For [u]intxx_t */ @@ -71,6 +72,12 @@ #endif /* IPTOS_LOWDELAY */ #ifndef MAXPATHLEN +/* HURD needs this - no maximum limits */ +#ifndef MAXHOSTNAMELEN +#define MAXHOSTNAMELEN 4095 +#endif + + # ifdef PATH_MAX # define MAXPATHLEN PATH_MAX # else /* PATH_MAX */ From mouring at etoh.eviladmin.org Fri Jan 5 11:57:55 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 4 Jan 2001 18:57:55 -0600 (CST) Subject: OpenSSH 2.4.0 patch call.. In-Reply-To: Message-ID: On Fri, 5 Jan 2001, Kevin Steves wrote: > On Tue, 2 Jan 2001 mouring at etoh.eviladmin.org wrote: > : > should we revert back to signal there? we could also remove > : > bsd-sigaction. > : > : Nope.. cli.c uses sigaction() so even removing it from scp.c NeXT still > : needs sigaction() to handle cli.c correctly. > > ok, i missed that one. is it feasable to move entirely to sigaction() > and emulate with sigvec() if needed? > Don't see a problem with that. I believe that is what Markus was suggesting with his 'mysignal()'. - Ben From fauxpas at trellisinc.com Fri Jan 5 03:16:34 2001 From: fauxpas at trellisinc.com (Faux Pas III) Date: Thu, 4 Jan 2001 11:16:34 -0500 Subject: Possible bug in X11 forwarding code. Message-ID: <20010104111634.A21648@trellisinc.com> I'm running into a repeatable bug with OpenSSH versions 2.2.0p1 and the most recent 2.3.0 on Linux/x86. For some servers (I can't exactly pin down the relationship among those that exhibit the bug, but it seems to be those that run X locally), if you ssh in from a shell where the DISPLAY environment variable is set, and both ends have X11 forwarding enabled, the session will immediately exit. Unsetting the DISPLAY environment reliably fixes this problem, and for servers where the problem exists, it seems to exist for all OpenSSH clients. -- Josh Litherland (fauxpas at trellisinc.com) It is by caffeine alone that I set my mind in motion. It is by the juice of Mtn Dew that thoughts acquire speed. From mouring at etoh.eviladmin.org Fri Jan 5 17:51:06 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 5 Jan 2001 00:51:06 -0600 (CST) Subject: UnixWare 2.03 patch In-Reply-To: Message-ID: On Thu, 4 Jan 2001, Tim Rice wrote: > > Here is a patch to help UnixWare 2.03 along. > > No if we could only change utimes() back to utime() in scp.c & sftp-server.c > we would have a working versin for Unixware 2.03 and SCO 3.2v4.2 > > >--- defines.h.old Wed Jan 3 17:33:52 2001 >+++ defines.h Wed Jan 3 17:41:28 2001 >@@ -360,6 +360,10 @@ > # define memmove(s1, s2, n) bcopy((s2), (s1), (n)) > #endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */ > >+#if defined(HAVE_MEMMOVE) && !defined(HAVE_BCOPY) >+#define bcopy(b1,b2,length) (void) memmove ((b2), (b1), (length)) >+#endif /* defined(HAVE_MEMMOVE) && !defined(HAVE_BCOPY) */ >+ Hmm.. bsd-getcwd.c and bsd-setenv.c (both I believe I added or requested originally due to NeXT issuses) use bcopy(). Would you have any objection to just changing them to memmove() (like how the rest of the OpenSSH code) instead of doing this patch? - Ben From djm at mindrot.org Fri Jan 5 17:00:38 2001 From: djm at mindrot.org (Damien Miller) Date: Fri, 5 Jan 2001 17:00:38 +1100 (EST) Subject: UnixWare 2.03 patch In-Reply-To: Message-ID: On Fri, 5 Jan 2001 mouring at etoh.eviladmin.org wrote: > Hmm.. bsd-getcwd.c and bsd-setenv.c (both I believe I added or requested > originally due to NeXT issuses) use bcopy(). Would you have any objection > to just changing them to memmove() (like how the rest of the OpenSSH > code) instead of doing this patch? Since bcopy is only used in our replacement code, please go ahead! -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From burnus at gmx.de Fri Jan 5 20:05:12 2001 From: burnus at gmx.de (Tobias Burnus) Date: Fri, 05 Jan 2001 10:05:12 +0100 Subject: OpenSSH 2.3 on Tru Unix: Problems References: Message-ID: <3A558E48.857A163E@gmx.de> Hi, > > Which I actually have (I mixed the file names), but still: It doesn't > > work to this True Unix computer whereas it works with OpenSSH on FreeBSD > > and with SSH on FreeBSD and True Unix. > What are the permissions on the .ssh/authorized_keys{,2} files? Now they are -rw------, but it still doesn't work. At home I have (had): -rw-r--r-- 1 tob users 680 M?r 30 2000 authorized_keys i.e. I shouldn't affect the client. And on a FreeBSD I have OpenSSH 2.2 and I had no problems at all as client and as server. Tobias -- This above all: To thine own self be true / And it must follow as the night the day / Thou canst not then be false to any man. From yuliy at mobiltel.bg Sat Jan 6 00:52:30 2001 From: yuliy at mobiltel.bg (Yuliy Minchev) Date: Fri, 5 Jan 2001 15:52:30 +0200 (EET) Subject: Is RhostAuthentication working? Message-ID: Hi! I've got a few machines (Red Hat Linux, IBM AIX, HP-UX) with OpenSSH 2.3.0p1. But it's that RhostAuthentication doesn't work :( Is it true or not? yuliy From ishikawa at yk.rim.or.jp Sat Jan 6 03:52:06 2001 From: ishikawa at yk.rim.or.jp (Ishikawa) Date: Sat, 06 Jan 2001 01:52:06 +0900 Subject: subject: ssh non-intuitive logging setting. (priority names) Message-ID: <3A55FBB5.8B20E0F2@yk.rim.or.jp> subject: ssh non-intuitive logging setting (priority names). I installed openssh 2.3.0p1 on Solaris 7 for x86 box and sshd worked fine. However, somehow the logging of connection and disconnection to sshd was not recorded as I wished. Time to investigate. On a host where sshd from data-fellows once ran, the log was recorded with auth.info level. After trying to modify sshd_config, I found that the setting of log-level may not be quite intuitive to seasoned UNIX admins. I mean the names of priorities are not quite in line with the common UNIX priority names and its usage. The following is a snippet from /usr/include/syslog.h: The priorities are used for filtering within syslog.conf and used as the first argument of syslog() function. /* * Priorities (these are ordered) */ #define LOG_EMERG 0 /* system is unusable */ #define LOG_ALERT 1 /* action must be taken immediately */ #define LOG_CRIT 2 /* critical conditions */ #define LOG_ERR 3 /* error conditions */ #define LOG_WARNING 4 /* warning conditions */ #define LOG_NOTICE 5 /* normal but signification condition */ #define LOG_INFO 6 /* informational */ #define LOG_DEBUG 7 /* debug-level messages */ Whereas the sshd_config seems to accept only the following names for priority in the configuration file(s): QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG, DEBUG1, DEBU2, DEBUG3 (case will be ignored in matching.) The mapping of these names to the UNIX priorities are done by an array in log.c via macro names defined in ssh.h. (You can see from the snippet from log.c that DEBUG and DEBUG1 have the same effect by the way.) log.c: static struct { const char *name; LogLevel val; } log_levels[] = { { "QUIET", SYSLOG_LEVEL_QUIET }, { "FATAL", SYSLOG_LEVEL_FATAL }, { "ERROR", SYSLOG_LEVEL_ERROR }, { "INFO", SYSLOG_LEVEL_INFO }, { "VERBOSE", SYSLOG_LEVEL_VERBOSE }, { "DEBUG", SYSLOG_LEVEL_DEBUG1 }, { "DEBUG1", SYSLOG_LEVEL_DEBUG1 }, { "DEBUG2", SYSLOG_LEVEL_DEBUG2 }, { "DEBUG3", SYSLOG_LEVEL_DEBUG3 }, { NULL, 0 } The priorities specified, say, in sshd_config will use the SYSLOG_LEVEL_* values defined in ssh.h. typedef enum { SYSLOG_LEVEL_QUIET, SYSLOG_LEVEL_FATAL, SYSLOG_LEVEL_ERROR, SYSLOG_LEVEL_INFO, SYSLOG_LEVEL_VERBOSE, SYSLOG_LEVEL_DEBUG1, SYSLOG_LEVEL_DEBUG2, SYSLOG_LEVEL_DEBUG3 } LogLevel; So I see the mapping thusly. QUIET <-> priority 0 FATAL <-> priority 1 ERROR <-> priority 2 INFO <-> priority 3 VERBOSE <-> 4 DEBUG1 <-> 5 DEBUG2 <-> 6 DEBUG3 <-> 7 For my initial purpose, after experimenting with syslog.conf and the setting in sshd_config, I put the following in sshd_config. SyslogFacility AUTH LogLevel DEBUG2 I also used the following in /etc/syslog.conf. auth.info loggin-file-pathname Now I obtain the kind of log I want in the logging file: Jan 6 01:17:53 www sshd[15304]: Connection from 192.9.200.18 port 602 Jan 6 01:17:57 www sshd[15304]: Accepted password for gnu from 192.9.200.18 port 602 However, I think the admissible priority names are not quite intuitive to long-time UNIX sysadmins because they are not quite in line with the common accepted priority names. (Please don't misunderstand: I am not saying the common accepted priority names are better. They are often memorized by the long-time sysadmins and anything different are hard to use initially. And frankly, the deviation here is a source of conufsion.) I am not advocating the throw-away of the current names since it would disturb large installed base of openssh sshd. But I would rather see the common priority names accepted in the config files, also. So doesn't anyone care to patch log.c to allow us to use the common accepted UNIX priority names as in the following? I put the extra names(common UNIX priority names) at each priority level following the currently used openssh priority name. (The mods clearly shows rather inappropriate choice for SYSLOG_LEVEL_* macro names IMHO.) log.c: static struct { const char *name; LogLevel val; } log_levels[] = { /* 0 : EMERG */ { "QUIET", SYSLOG_LEVEL_QUIET }, { "EMERG", SYSLOG_LEVEL_QUIET }, { "PANIC", SYSLOG_LEVEL_QUIET }, /* 1 : ALERT */ { "FATAL", SYSLOG_LEVEL_FATAL }, { "ALERT", SYSLOG_LEVEL_FATAL }, /* 2 : CRIT */ { "ERROR", SYSLOG_LEVEL_ERROR }, { "CRIT", SYSLOG_LEVEL_ERROR }, /* 3 : ERR. */ { "INFO", SYSLOG_LEVEL_INFO }, { "ERR", SYSLOG_LEVEL_INFO }, { "ERROR", SYSLOG_LEVEL_INFO }, /* 4 : WARNING */ { "VERBOSE", SYSLOG_LEVEL_VERBOSE }, { "WARN", SYSLOG_LEVEL_VERBOSE }, { "WARNING", SYSLOG_LEVEL_VERBOSE }, /* 5 : NOTICE */ { "DEBUG", SYSLOG_LEVEL_DEBUG1 }, { "DEBUG1", SYSLOG_LEVEL_DEBUG1 }, { "NOTICE", SYSLOG_LEVEL_DEBUG1 }, /* 6 : INFO */ { "DEBUG2", SYSLOG_LEVEL_DEBUG2 }, /* Here I can't put "INFO" because this would clash with the openssh 2.3.0p1's use of INFO at priority # 3. Ugh... */ /* { "DEBUG2", SYSLOG_LEVEL_DEBUG2 }, */ /* 7 : DEBUG */ { "DEBUG3", SYSLOG_LEVEL_DEBUG3 }, /* AGAIN, I can't put DEBUG here because DEBUG is used at priority # 5. */ { NULL, 0 } PS: Is it possible someone broke log.c and ssh.h to the point that the original intent of keeping sync with UNIX priority names no longer works? The mis-use (in my eyes) of macronames uncovered during this investigation suggested something like this happened. Actually, if there are not many objections, I would rather see the cleanup of the SYSLOG_LEVEL_* macro definitions and usage to keep them in line with the UNIX priorities so that the names like "INFO" or "DEBUG" would have similar meaning (that is at the same priority level) as in the usage of syslog.conf. Currently, they don't seem to. Or am I missing something? What do people think? From a.d.stribblehill at durham.ac.uk Sat Jan 6 04:12:55 2001 From: a.d.stribblehill at durham.ac.uk (Andrew Stribblehill) Date: Fri, 5 Jan 2001 17:12:55 +0000 Subject: subject: ssh non-intuitive logging setting. (priority names) In-Reply-To: <3A55FBB5.8B20E0F2@yk.rim.or.jp>; from ishikawa@yk.rim.or.jp on Sat, Jan 06, 2001 at 01:52:06AM +0900 References: <3A55FBB5.8B20E0F2@yk.rim.or.jp> Message-ID: <20010105171255.K31008@womble.dur.ac.uk> Quoting Ishikawa : > subject: ssh non-intuitive logging setting (priority names). > > What do people think? I think your suggestion would be very useful, especially in my situation whereby I have to tell the TCP wrappers one thing and SSHD another, to get a "connection succeeded" message to appear on the right level. Cheerio, Andrew Stribblehill Systems programmer, IT Service, University of Durham, England From tim at multitalents.net Sat Jan 6 05:14:01 2001 From: tim at multitalents.net (Tim Rice) Date: Fri, 5 Jan 2001 10:14:01 -0800 (PST) Subject: UnixWare 2.03 patch In-Reply-To: Message-ID: On Fri, 5 Jan 2001 mouring at etoh.eviladmin.org wrote: > On Thu, 4 Jan 2001, Tim Rice wrote: > [snip] > >+#if defined(HAVE_MEMMOVE) && !defined(HAVE_BCOPY) > >+#define bcopy(b1,b2,length) (void) memmove ((b2), (b1), (length)) > >+#endif /* defined(HAVE_MEMMOVE) && !defined(HAVE_BCOPY) */ > >+ > > Hmm.. bsd-getcwd.c and bsd-setenv.c (both I believe I added or requested > originally due to NeXT issuses) use bcopy(). Would you have any objection > to just changing them to memmove() (like how the rest of the OpenSSH > code) instead of doing this patch? That works for me. > > - Ben > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From paul-anderson at paul-anderson.com Sat Jan 6 08:15:49 2001 From: paul-anderson at paul-anderson.com (Paul Anderson) Date: Fri, 5 Jan 2001 21:15:49 -0000 Subject: PORTING to IBM OS/390: select() always returning 0 in entropy.c Message-ID: <000c01c0775c$af8aa710$01000100@bigpc> Hello, I'm attempting to port OpenSSH to IBM's S/390 mainframe. Things have gone well but I have come a little unstuck with the internal PRNG. Although the commands in ssh_prng_cmds are being executed the select() seems to be returning 0 and therefore the cose is assuming that the forked process has timed out. This could be a difference in the way that select is implemented on OS/390. The Unix environment provided by OS/390 has many compatability levels from including several POSIX and XPG variants. I am not a C expert and the debugegr is not very good, has anyone come across smiliar behavior before. A description of the select() on OS/390 can be found at: http://www.s390.ibm.com/bookmgr-cgi/bookmgr.cmd/BOOKS/EDCLB031/4%2e1%2e131?SHELF=CBCBS031 Thanks, Paul Anderson -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010105/cf07978b/attachment.html From pekkas at netcore.fi Sat Jan 6 08:52:42 2001 From: pekkas at netcore.fi (Pekka Savola) Date: Fri, 5 Jan 2001 23:52:42 +0200 (EET) Subject: Is RhostAuthentication working? In-Reply-To: Message-ID: On Fri, 5 Jan 2001, Yuliy Minchev wrote: > I've got a few machines (Red Hat Linux, IBM AIX, HP-UX) with > OpenSSH 2.3.0p1. But it's that RhostAuthentication doesn't work :( > > Is it true or not? Did you try it in a non-privileged port? That doesn't (didn't) work. Try running it <1024 somewhere. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From markus.friedl at informatik.uni-erlangen.de Sat Jan 6 10:08:55 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 6 Jan 2001 00:08:55 +0100 Subject: subject: ssh non-intuitive logging setting. (priority names) In-Reply-To: <3A55FBB5.8B20E0F2@yk.rim.or.jp>; from ishikawa@yk.rim.or.jp on Sat, Jan 06, 2001 at 01:52:06AM +0900 References: <3A55FBB5.8B20E0F2@yk.rim.or.jp> Message-ID: <20010106000855.A5714@folly> On Sat, Jan 06, 2001 at 01:52:06AM +0900, Ishikawa wrote: > QUIET <-> priority 0 > FATAL <-> priority 1 > ERROR <-> priority 2 > INFO <-> priority 3 > VERBOSE <-> 4 > DEBUG1 <-> 5 > DEBUG2 <-> 6 > DEBUG3 <-> 7 this mapping order is due to the history of openssh. ssh-1.2.12 used debug(), log(), error() and fatal() calls (in order of importance) with the following options QuietMode (only fatal() is logged, not sure about error()) FascistLogging (debug,log,error and fatal) and standard mode: log,error and fatal. in fact, you had only 3 different levels and we tried to change that. additionaly, log() was far to chatty so i split all the calls: openssh now uses log() and for less important messages verbose(). so now we have: QUIET nothing FATAL fatal ERROR fatal+error INFO fatal+error+log (since Loglevel=LOG sounds strange) VERBOSE fatal+error+log+verbose DEBUG fatal+error+log+verbose+debug later we added some more debug levels. this is the reason for the current log levels. i don't say that's perfect. > For my initial purpose, after experimenting with syslog.conf and > the setting in sshd_config, > I put the following in sshd_config. > > SyslogFacility AUTH > LogLevel DEBUG2 you probably want LogLevel VERBOSE > /* 3 : ERR. */ > { "INFO", SYSLOG_LEVEL_INFO }, > { "ERR", SYSLOG_LEVEL_INFO }, > { "ERROR", SYSLOG_LEVEL_INFO }, so this would mean with LogLevel=ERROR you would see fatal+error+log in syslog(). i think this mapping is more appropriate ALERT nothing CRIT fatal ERR fatal+error NOTICE fatal+error+log (since Loglevel=LOG sounds strange) INFO fatal+error+log+verbose DEBUG fatal+error+log+verbose+debug > PS: Is it possible someone > broke log.c and ssh.h to the point that the original > intent of keeping sync with UNIX priority names > no longer works? > The mis-use (in my eyes) of macronames uncovered during > this investigation suggested something like this happened. where? what do you mean. > Actually, if there are not many objections, I would rather > see the cleanup of the SYSLOG_LEVEL_* macro definitions and usage > to keep them in line with the UNIX priorities so that > the names like "INFO" or "DEBUG" would have > similar meaning (that is at the same priority level) > as in the usage of syslog.conf. > Currently, they don't seem to. Or am I missing something? the macros don't need the cleanup. probably all the loging should be replace and _then_ we could cleanup the macro names. perhaps move from fatal(), error() log(), verbose(), debug1(), debug2(), debug3() to sshlog(CRIT, ...); sshlog(ERR, ...); sshlog(NOTICE, ...); sshlog(INFO, ...); sshlog(DEBUG1, ...); sshlog(DEBUG2, ...); sshlog(DEBUG3, ...); or even more levels, similar to syslog. comments? -markus From djm at mindrot.org Sat Jan 6 10:43:47 2001 From: djm at mindrot.org (Damien Miller) Date: Sat, 6 Jan 2001 10:43:47 +1100 (EST) Subject: OpenSSH 2.3 on Tru Unix: Problems In-Reply-To: <3A558E48.857A163E@gmx.de> Message-ID: On Fri, 5 Jan 2001, Tobias Burnus wrote: > Now they are -rw------, but it still doesn't work. > > At home I have (had): > -rw-r--r-- 1 tob users 680 M?r 30 2000 authorized_keys > > i.e. I shouldn't affect the client. And on a FreeBSD I have OpenSSH 2.2 > and I had no problems at all as client and as server. What does ssh -v say when you are connecting? -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From anandbhatt at hotmail.com Fri Jan 5 16:49:46 2001 From: anandbhatt at hotmail.com (anand bhatt) Date: Fri, 05 Jan 2001 16:49:46 Subject: No subject Message-ID: Hi, I am trying to install openssh-2.3.0p1 on solaris 2.7 (sparc).Though i have all requirements for installing, it gives me error while running make install.The error is , "make : Fatal error : command failed for target 'installed-Files'. It stops the installation after that.Kindly help me in this regard. Regards, Anand. _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. From ishikawa at yk.rim.or.jp Sat Jan 6 11:08:50 2001 From: ishikawa at yk.rim.or.jp (Ishikawa) Date: Sat, 06 Jan 2001 09:08:50 +0900 Subject: subject: ssh non-intuitive logging setting. (priority names) References: <3A55FBB5.8B20E0F2@yk.rim.or.jp> <20010106000855.A5714@folly> Message-ID: <3A566212.E564D76B@yk.rim.or.jp> Hi, thank you for the clarification. Markus Friedl wrote: > On Sat, Jan 06, 2001 at 01:52:06AM +0900, Ishikawa wrote: > > QUIET <-> priority 0 > > FATAL <-> priority 1 > > ERROR <-> priority 2 > > INFO <-> priority 3 > > VERBOSE <-> 4 > > DEBUG1 <-> 5 > > DEBUG2 <-> 6 > > DEBUG3 <-> 7 > > this mapping order is due to the history of openssh. > ssh-1.2.12 used > debug(), log(), error() and fatal() > calls (in order of importance) with the following options > QuietMode (only fatal() is logged, not sure about error()) > FascistLogging (debug,log,error and fatal) > and standard mode: log,error and fatal. > > in fact, you had only 3 different levels and we tried to change > that. additionaly, log() was far to chatty so i split all the calls: > openssh now uses log() and for less important messages verbose(). > Great work. > > so now we have: > QUIET nothing > FATAL fatal > ERROR fatal+error > INFO fatal+error+log (since Loglevel=LOG sounds strange) > VERBOSE fatal+error+log+verbose > DEBUG fatal+error+log+verbose+debug > > later we added some more debug levels. > this is the reason for the current log levels. Thank you for the clarification. The above mapping of QUIET <-> nothing, etc. is the kind of info that would be useful in the documentation. > > For my initial purpose, after experimenting with syslog.conf and > > the setting in sshd_config, > > I put the following in sshd_config. > > > > SyslogFacility AUTH > > LogLevel DEBUG2 > > you probably want LogLevel VERBOSE Strange thing is that the DEBUG2 setting doesn't seem too chatty and I left the setting as is for now. I will investigate a little more. Come to think of it, only when the login fails or other error conditions such as key doesn't match the expected value, the output would be different. But under normal conditions, it is acceptable. I will tune it to my needs. > > > PS: Is it possible someone > > broke log.c and ssh.h to the point that the original > > intent of keeping sync with UNIX priority names > > no longer works? > > The mis-use (in my eyes) of macronames uncovered during > > this investigation suggested something like this happened. > > where? what do you mean. I didn't know the history of log message mechanism very well and after looking at the source code I was confused by the log priority level name mappings. I thought by mistake that the mapping with the usual UNIX priority names were lost by accident. (Like for examples, an unexpected shuffle of lines in the enum definition in ssh.h.) Your description of history convinced me it is not the case. > > the macros don't need the cleanup. probably > all the loging should be replace and _then_ we > could cleanup the macro names. > > perhaps move from > fatal(), error() log(), verbose(), debug1(), debug2(), debug3() > to > sshlog(CRIT, ...); > sshlog(ERR, ...); > sshlog(NOTICE, ...); > sshlog(INFO, ...); > sshlog(DEBUG1, ...); > sshlog(DEBUG2, ...); > sshlog(DEBUG3, ...); > > or even more levels, similar to syslog. > > comments? In principle, I would go with the more levels to make the priority levels match the use in syslog, and hopefully the same priority names. A common interoperability to use UNIX priority names is a good thing to avoid the type of confusion Andrew Stribblehill mentioned in the case of priority level usage in TCP wrapper and sshd. Frankly, when you mention "You probably want LogLevel VERBOSE" I had to go back and forth in the message and think hard about which priority level I would need to use in syslog.conf. A common usage will cut down the extra mental power. Oh well. Am I getting old or what ;-) (We could possibly simply rename fatal() -> crit() error() -> err() log() -> notice() ... provided no naming conflicts occur. Or as you suggest use ssh logging function directly. I take that syslog() was not directly used since there were portability issues.) From markus.friedl at informatik.uni-erlangen.de Sat Jan 6 22:23:38 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 6 Jan 2001 12:23:38 +0100 Subject: subject: ssh non-intuitive logging setting. (priority names) In-Reply-To: <3A566212.E564D76B@yk.rim.or.jp>; from ishikawa@yk.rim.or.jp on Sat, Jan 06, 2001 at 09:08:50AM +0900 References: <3A55FBB5.8B20E0F2@yk.rim.or.jp> <20010106000855.A5714@folly> <3A566212.E564D76B@yk.rim.or.jp> Message-ID: <20010106122338.A9846@folly> On Sat, Jan 06, 2001 at 09:08:50AM +0900, Ishikawa wrote: > I take that syslog() was not directly used since there > were portability issues.) some code is shared between client and server and the client should not call syslog. -markus From Clay.McClure at bellsouth.com Sat Jan 6 17:14:44 2001 From: Clay.McClure at bellsouth.com (McClure, Clay) Date: Sat, 6 Jan 2001 01:14:44 -0500 Subject: ssh_prng_cmds in Solaris port Message-ID: <9E34B2F2B1C8D411B1A400508BE3353601C16D49@BLSMSGPRV02> Hello, I'm not sure if this is the correct place to send this, but perhaps you can forward it to the proper folks if not... The Solaris port of OpenSSH includes an ssh_prng_cmds file used for collecting entropy, however many of the commands listed in the file are incompatible with Solaris command syntax. Not knowing much about entropy or random numbers, I've modified the file a bit to produce less errors and included a few commands that I thought might produce some pseudo-random output. Perhaps it could be included in the Solaris port. <> Overall I'm very pleased with the software. Keep up the good work! -- Clay McClure Technical Architect 770-414-6140 eIOC / BTSI cmcclure at bellsouthips.com -------------- next part -------------- A non-text attachment was scrubbed... Name: ssh_prng_cmds Type: application/octet-stream Size: 1387 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010106/bfdcf1b4/attachment.obj From markus.friedl at informatik.uni-erlangen.de Sat Jan 6 23:03:07 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 6 Jan 2001 13:03:07 +0100 Subject: subject: ssh non-intuitive logging setting. (priority names) In-Reply-To: <3A566212.E564D76B@yk.rim.or.jp>; from ishikawa@yk.rim.or.jp on Sat, Jan 06, 2001 at 09:08:50AM +0900 References: <3A55FBB5.8B20E0F2@yk.rim.or.jp> <20010106000855.A5714@folly> <3A566212.E564D76B@yk.rim.or.jp> Message-ID: <20010106130307.A21832@folly> On Sat, Jan 06, 2001 at 09:08:50AM +0900, Ishikawa wrote: > Hi, thank you for the clarification. i think this patch would help. additionaly we should rename SYSLOG_LEVEL_INFO to SYSLOG_LEVEL_NOTICE this would be more appropriate? comments? commit? cheers, -markus Index: log-server.c =================================================================== RCS file: /home/markus/cvs/ssh/log-server.c,v retrieving revision 1.17 diff -u -r1.17 log-server.c --- log-server.c 2000/09/12 20:53:10 1.17 +++ log-server.c 2001/01/06 11:59:53 @@ -128,15 +128,17 @@ if (level > log_level) return; switch (level) { - case SYSLOG_LEVEL_ERROR: - txt = "error"; - pri = LOG_ERR; - break; case SYSLOG_LEVEL_FATAL: txt = "fatal"; + pri = LOG_CRIT; + break; + case SYSLOG_LEVEL_ERROR: + txt = "error"; pri = LOG_ERR; break; case SYSLOG_LEVEL_INFO: + pri = LOG_NOTICE; + break; case SYSLOG_LEVEL_VERBOSE: pri = LOG_INFO; break; From ishikawa at yk.rim.or.jp Sun Jan 7 00:39:27 2001 From: ishikawa at yk.rim.or.jp (Ishikawa) Date: Sat, 06 Jan 2001 22:39:27 +0900 Subject: subject: ssh non-intuitive logging setting. (priority names) References: <3A55FBB5.8B20E0F2@yk.rim.or.jp> <20010106000855.A5714@folly> <3A566212.E564D76B@yk.rim.or.jp> <20010106130307.A21832@folly> Message-ID: <3A57200E.7B866D9C@yk.rim.or.jp> Markus Friedl wrote: > On Sat, Jan 06, 2001 at 09:08:50AM +0900, Ishikawa wrote: > > Hi, thank you for the clarification. > > i think this patch would help. > additionaly we should rename > SYSLOG_LEVEL_INFO to SYSLOG_LEVEL_NOTICE > > this would be more appropriate? > > comments? > commit? > Thank you for the patch. Too bad, Monday is a Japanese national holiday and so my own check will have to wait until next week. On visual inspection, though, the patch at least seems to lessen the confusion somewhat. I missed realizing the log-server.c code mentioned in the patch and this part certainly seems to be the core of the problem some experienced. Also, the renaming of SYSLOG_LEVEL_INFO to SYSLOG_LEVEL_NOTICE should lessen the mental barrier in understanding the code by someone who are familiar with the UNIX-style syslog priority scheme. (Less confusion, that is.) But, in the meantime, I am also interested in learning what others think about these syslog message issues myself. One thing I noticed after obtaining the log messages from openssh is that data-fellows ssh 1.x daemon put the priority level in the log message like "log:" or "fatail:" (after the hostname [pid], and before the main text) whereas openssh didn't. (Is it possible that the patch proposed put such info into the log? Well, maybe we need txt="notice", etc..) This subtle difference caused me to rewrite an awk script to produce log sumary, but it is again a minor issue since nobody seems to have raised the issue before. Thank you again for your contribution. Cheers. ishikawa From timgallagher at telocity.com Fri Jan 5 14:56:29 2001 From: timgallagher at telocity.com (Timothy S. Gallagher) Date: Thu, 4 Jan 2001 22:56:29 -0500 Subject: Problems on RedHat Sparc Linux In-Reply-To: <20001230133328.A9008@folly> Message-ID: I tried setting rhost and rhostrsa authentication to no in /etc/ssh/ssh_config. That didn't work. When I added "UsePrivilegedPorts no" to /etc/ssh/ssh_config, it gave me a syntax error. I tried using ssh -P hostname, which locked up on authenticating to host. Someone I know who uses openssh on an Alpha Linux host has the same problem, but the ports are different even for him (1024-65535). To get openssh to work on a Sparc Linux box, I set the firewall open from ports 512-1023. Thanks for your help, Tim Gallagher mailto:timgallagher at telocity.com -----Original Message----- From: Markus Friedl [mailto:markus.friedl at informatik.uni-erlangen.de] Sent: Saturday, December 30, 2000 7:33 AM To: Timothy S. Gallagher Cc: openssh at openssh.com Subject: Re: Problems on RedHat Sparc Linux turn off rhost and rhostrsa authentication in the client. or set UsePrivilegedPorts=no in {/etc/ssh_config,.ssh/config} cu, -markus On Fri, Dec 29, 2000 at 11:08:16PM -0500, Timothy S. Gallagher wrote: > I am using the .i386.rpm of the 2.2 version on my Intel system. Recently, I > got a Sparc box, and loaded RedHat 6.2. I compiled matching versions of > openssl and openssh from the .src.rpm's (2.2, 2.3 had issues, I'm not sure > why) . The server I'm going to is a firewall, with port 22 open to specific > IP addresses, which responds on private channels >1024. This works fine on > my Intel PC, which picks ports >1024 for private channels, but the Sparc > version does not, using ports in the 600's and 700's. Do you have any idea > why? > > Thanks for any help, > > Tim Gallagher > mailto:timgallagher at telocity.com > From anandbhatt at hotmail.com Fri Jan 5 16:49:46 2001 From: anandbhatt at hotmail.com (anand bhatt) Date: Fri, 05 Jan 2001 16:49:46 Subject: No subject Message-ID: Hi, I am trying to install openssh-2.3.0p1 on solaris 2.7 (sparc).Though i have all requirements for installing, it gives me error while running make install.The error is , "make : Fatal error : command failed for target 'installed-Files'. It stops the installation after that.Kindly help me in this regard. Regards, Anand. _________________________________________________________________________ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. From burnus at gmx.de Sun Jan 7 04:01:26 2001 From: burnus at gmx.de (Tobias Burnus) Date: Sat, 06 Jan 2001 18:01:26 +0100 Subject: OpenSSH 2.3 on Tru Unix: Problems References: Message-ID: <3A574F66.76F64550@gmx.de> Hi, > > -rw------ 1 tob users 680 M?r 30 2000 authorized_keys > What does ssh -v say when you are connecting? It says (from SuSE Linux 7.1b3): me at home: ~> ssh that.tru64.computer.with.the.same.OpenSSH SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0. Compiled with SSL (0x0090600f). debug: Reading configuration data /home/me/.ssh/config debug: Applying options for * debug: Reading configuration data /etc/ssh/ssh_config debug: Seeding random number generator debug: ssh_connect: getuid 500 geteuid 0 anon 0 debug: Connecting to tru64 [zzz.zzz.zzz.zzz] port 22. debug: Allocated local port 1023. debug: Connection established. debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1 debug: no match: OpenSSH_2.3.0p1 debug: Local version string SSH-1.5-OpenSSH_2.3.0p1 debug: Waiting for server public key. debug: Received server public key (768 bits) and host key (1024 bits). debug: Host 'tru64' is known and matches the RSA host key. debug: Seeding random number generator debug: Encryption type: 3des debug: Sent encrypted session key. debug: Installing crc compensation attack detector. debug: Received encrypted confirmation. debug: Doing password authentication. me at tru64's password: And to the FreeBSD 4.2 computer: .... debug: Connecting to freebsd [zzz.zzz.zzz.zzz] port 22. debug: Allocated local port 1022. debug: Connection established. debug: Remote protocol version 1.99, remote software version OpenSSH_2.2.0 debug: match: OpenSSH_2.2.0 pat ^OpenSSH[-_]2\.[012] debug: Local version string SSH-1.5-OpenSSH_2.3.0p1 ... [see above] debug: Received encrypted confirmation. debug: Trying RSA authentication via agent with 'me at home' debug: Received RSA challenge from server. debug: Sending response to RSA challenge. debug: Remote: RSA authentication accepted. debug: RSA authentication accepted by server. ... and login! The version string cannot be the reason since I get at home -> localhost: ... debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1 debug: no match: OpenSSH_2.3.0p1 debug: Local version string SSH-1.5-OpenSSH_2.3.0p1 ... Tobias -- This above all: To thine own self be true / And it must follow as the night the day / Thou canst not then be false to any man. From mouring at etoh.eviladmin.org Sun Jan 7 06:59:50 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sat, 6 Jan 2001 13:59:50 -0600 (CST) Subject: PORTING to IBM OS/390: select() always returning 0 in entropy.c In-Reply-To: <000c01c0775c$af8aa710$01000100@bigpc> Message-ID: On Fri, 5 Jan 2001, Paul Anderson wrote: > Hello, > I'm attempting to port OpenSSH to IBM's S/390 mainframe. Things >have gone well but I have come a little unstuck with the internal >PRNG. Although the commands in ssh_prng_cmds are being executed the >select() seems to be returning 0 and therefore the cose is assuming that >the forked process has timed out. This could be a difference in the way If select() returns 0 it means that the select() timed out. Look at your ssh_prng_cmds and consider increasing the number on the left handside by very small amounts until you hit the magical number that allows you get to get enough entropy. And I suggest you hound IBM to put in a /dev/urandom. that select is implemented on OS/390. The Unix environment provided by OS/390 has many compatability levels from including several POSIX and XPG variants. I am not a C expert and the debugegr is not very good, has anyone come across smiliar behavior before. A description of the select() on OS/390 can be found at: http://www.s390.ibm.com/bookmgr-cgi/bookmgr.cmd/BOOKS/EDCLB031/4%2e1%2e131?SHELF=CBCBS031 > > Thanks, Paul Anderson > From paul-anderson at paul-anderson.com Sun Jan 7 10:31:14 2001 From: paul-anderson at paul-anderson.com (Paul Anderson) Date: Sat, 6 Jan 2001 23:31:14 -0000 Subject: PORTING to IBM OS/390: select() always returning 0 in entropy.c References: Message-ID: <000d01c07838$c6040db0$012020c0@bigpc> Hi, Thanks for you reply, I hear what your saying about /dev/urandom, I work for IBM and I'll sugget it to the development team. I ended up using prngd by Lutz.Jaenicke which worked fine. OpenSHH now works on my S/390 but it's a bit flakey due to the the EBCDIC 390 talking to ASCII clients, SCP works but will put even binary files throught the ASCII-EBCDIC conversion. Paul Anderson. ----- Original Message ----- From: To: "Paul Anderson" Cc: Sent: Saturday, January 06, 2001 7:59 PM Subject: Re: PORTING to IBM OS/390: select() always returning 0 in entropy.c > On Fri, 5 Jan 2001, Paul Anderson wrote: > > > Hello, > > I'm attempting to port OpenSSH to IBM's S/390 mainframe. Things > >have gone well but I have come a little unstuck with the internal > >PRNG. Although the commands in ssh_prng_cmds are being executed the > >select() seems to be returning 0 and therefore the cose is assuming that > >the forked process has timed out. This could be a difference in the way > > If select() returns 0 it means that the select() timed out. Look at your > ssh_prng_cmds and consider increasing the number on the left handside by > very small amounts until you hit the magical number that allows you get to > get enough entropy. > > And I suggest you hound IBM to put in a /dev/urandom. > > that select is implemented on OS/390. The Unix environment provided by OS/390 has many compatability levels from including several POSIX and XPG variants. I am not a C expert and the debugegr is not very good, has anyone come across smiliar behavior before. A description of the select() on OS/390 can be found at: http://www.s390.ibm.com/bookmgr-cgi/bookmgr.cmd/BOOKS/EDCLB031/4%2e1%2e131?S HELF=CBCBS031 > > > > Thanks, Paul Anderson > > > > From Lutz.Jaenicke at aet.TU-Cottbus.DE Sun Jan 7 19:51:56 2001 From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Sun, 7 Jan 2001 09:51:56 +0100 Subject: PORTING to IBM OS/390: select() always returning 0 in entropy.c In-Reply-To: <000d01c07838$c6040db0$012020c0@bigpc>; from paul-anderson@paul-anderson.com on Sat, Jan 06, 2001 at 11:31:14PM -0000 References: <000d01c07838$c6040db0$012020c0@bigpc> Message-ID: <20010107095156.A13722@serv01.aet.tu-cottbus.de> On Sat, Jan 06, 2001 at 11:31:14PM -0000, Paul Anderson wrote: > Hi, > Thanks for you reply, I hear what your saying about /dev/urandom, I work > for IBM and I'll sugget it to the development team. I ended up using prngd > by Lutz.Jaenicke which worked fine. OpenSHH now works on my S/390 but it's a > bit flakey due to the the EBCDIC 390 talking to ASCII clients, SCP works but > will put even binary files throught the ASCII-EBCDIC conversion. Would you kindly consider send me the compiler flags, entropy collection commands and maybe other changes made for inclusion into the prngd-release? Thanks, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From john at chattanooga.net Sun Jan 7 08:45:28 2001 From: john at chattanooga.net (John Aldrich) Date: Sat, 6 Jan 2001 16:45:28 -0500 Subject: Bug Report OpenSSH 2.3.0-p1-1.src.rpm for linux Message-ID: <01010616491601.14116@slave1> Gentlemen: I'm running RedHat 6.2 here (out of the box, virtually no upgrades...) and while OpenSSH 2.2.0p1-2 will compile and run just fine, for some reason OpenSSH2.3.0p1 (Portable for Linux) will not. It configures just fine, but dies in the "make" as follows: ranlib libssh.a gcc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o -L. -L/usr/lib -L/usr -lssh -lopenbsd-compat -ldl -lnsl -lz -lutil -lpam -lcrypto gcc -o sshd sshd.o auth.o auth1.o auth2.o auth-skey.o auth2-skey.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o dh.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o -L. -L/usr/lib -L/usr -lssh -lopenbsd-compat -ldl -lnsl -lz -lutil -lpam -lcrypto sshd.o: In function `main': sshd.o(.text+0x16f0): undefined reference to `request_init' sshd.o(.text+0x16f9): undefined reference to `sock_host' sshd.o(.text+0x16ff): undefined reference to `hosts_access' sshd.o(.text+0x171e): undefined reference to `refuse' collect2: ld returned 1 exit status make: *** [sshd] Error 1 Please feel free to contact me for any information about my system you may need. Generic info as follows: Dual-PPro 200 192 MB RAM 40 GIGS of drive space, plenty of FREE drive space, especially under the /usr directory tree -- /dev/sda1 8657308 1361896 6855636 17% /usr As I said, I don't know what info you need, so please feel free to ask me... I would've emailed the "portability" team directly, except I couldn't find any info. Thanks... John From stevesk at pobox.com Sun Jan 7 22:27:41 2001 From: stevesk at pobox.com (Kevin Steves) Date: Sun, 7 Jan 2001 12:27:41 +0100 (CET) Subject: OpenSSH 2.4.0 patch call.. In-Reply-To: Message-ID: On Thu, 4 Jan 2001 mouring at etoh.eviladmin.org wrote: : On Fri, 5 Jan 2001, Kevin Steves wrote: : > ok, i missed that one. is it feasable to move entirely to sigaction() : > and emulate with sigvec() if needed? : > : Don't see a problem with that. I believe that is what Markus was : suggesting with his 'mysignal()'. mysignal() was a wrapper for sigaction()/signal(). signal was used if there was no sigaction. i was thinking of using sigaction directly, then use sigaction/sigvec emulation if needed. will that work? From kenng at kpmg.com Sat Jan 6 10:18:02 2001 From: kenng at kpmg.com (Ng, Kenneth (US)) Date: Fri, 5 Jan 2001 18:18:02 -0500 Subject: broadcast from a central server using open-ssh Message-ID: Hello, I am interested in using open-ssh to be able to start a command on one server and broadcast it out to a lot of servers ( > 100). I'm getting errors about being out of entropy, and they seem to be coming from the client side. Is there anything that I can do to increase the entropy beforehand? I'm not currently using the entropy gathering daemon, am using the internal entropy. The starting machine is Sol 2.7. The receiver sides will be Solaris and Linux. ***************************************************************************** The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter. ***************************************************************************** From marekm at linux.org.pl Mon Jan 8 06:06:07 2001 From: marekm at linux.org.pl (Marek Michalkiewicz) Date: Sun, 7 Jan 2001 20:06:07 +0100 (CET) Subject: Linux glibc 2.1 openpty() and /dev/ptmx Message-ID: <200101071906.UAA09230@marekm.home> Hello, looking at the pty handling in OpenSSH 2.3.0p1 (hasn't changed much in CVS, as far as I can tell after a quick look at it), I can see that if the system provides both /dev/ptmx and openpty() types of pty interface, the latter is preferred. This is the case on Linux with glibc 2.1.3 and most likely later versions too. However, openpty() is documented to be dangerous - quote from the glibc manual: *Warning:* Using the `openpty' function with NAME not set to `NULL' is *very dangerous* because it provides no protection against overflowing the string NAME. You should use the `ttyname' function on the file descriptor returned in *SLAVE to find out the file name of the slave pseudo-terminal device instead. Now, OpenSSH uses a 64-byte buffer for the tty name. I don't know if this is really exploitable, but the warning sounds serious. Perhaps openpty() in OpenBSD is guaranteed to never overflow such a buffer, but that assumption might not hold for glibc? But, glibc 2.1 also supports the standard Unix98 pty interface (/dev/ptmx), which avoids the issue completely, and the modified OpenSSH (using exactly the same pty code as for Solaris) appears to work fine in my tests, done on a Debian "potato" system. Are there any known problems with using /dev/ptmx instead of openpty() if both interfaces are available? Currently the former is completely disabled for Linux by configure, and even if it isn't, if HAVE_OPENPTY is defined, this causes HAVE_DEV_PTMX to be undefined. Why? (There is a comment saying that pty allocated with _getpty gets broken, but that is no problem in this case, as the pty is allocated by opening /dev/ptmx and not _getpty.) One more (minor) thing I noticed: the tests for no_libsocket and no_libnsl in configure.in are swapped. Systems that define one define the other too so everything still worked right... if test -z "$no_libsocket" ; then AC_CHECK_LIB(nsl, yp_match, , ) fi if test -z "$no_libnsl" ; then AC_CHECK_LIB(socket, main, , ) fi Thanks, and keep up the good work! Marek From mouring at etoh.eviladmin.org Mon Jan 8 07:19:46 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sun, 7 Jan 2001 14:19:46 -0600 (CST) Subject: OpenSSH 2.4.0 patch call.. In-Reply-To: Message-ID: On Sun, 7 Jan 2001, Kevin Steves wrote: > On Thu, 4 Jan 2001 mouring at etoh.eviladmin.org wrote: > : On Fri, 5 Jan 2001, Kevin Steves wrote: > : > ok, i missed that one. is it feasable to move entirely to sigaction() > : > and emulate with sigvec() if needed? > : > > : Don't see a problem with that. I believe that is what Markus was > : suggesting with his 'mysignal()'. > > mysignal() was a wrapper for sigaction()/signal(). signal was used if > there was no sigaction. i was thinking of using sigaction directly, > then use sigaction/sigvec emulation if needed. will that work? > As far as I know it should work fine. Don't know how many platforms lack sigaction() and would require sigvec(). I know NeXT lacks it. I threw together a quick patch that replaced all signal() w/ mysignal(), and I did not see any ill effects under Linux. However, I did not push it very hard either (due to time, and lack of any indepth knowledge of signal() vs sigaction()). - Ben From dwmw2 at infradead.org Mon Jan 8 09:03:58 2001 From: dwmw2 at infradead.org (David Woodhouse) Date: Sun, 7 Jan 2001 22:03:58 +0000 (GMT) Subject: [PATCH] Caching passphrase in ssh-add. Message-ID: The patch below does two things. 1. If invoked with no arguments, attempt to add both RSA and DSA keys. 2. Remember the last successful passphrase and attempt to use it on subsequent key files which are added. Note that the latter part of the patch extends the period of time during which the passphrase is held in clear text in the ssh-add process, but doesn't introduce any _new_ vulnerability. If you're paranoid about an attacker being able to cause your ssh-add process to core dump and/or reap your passphrase from it, then you probably shouldn't be using ssh-agent at all. Is the SSHv2 protocol fundamentally incapable of using RSA keys for authentication, or is that (RSA on v2) a missing feature of OpenSSH? Index: ssh-add.c =================================================================== RCS file: /cvs/openssh_cvs/ssh-add.c,v retrieving revision 1.28 diff -u -r1.28 ssh-add.c --- ssh-add.c 2000/11/17 03:47:21 1.28 +++ ssh-add.c 2001/01/07 21:52:10 @@ -54,6 +54,8 @@ char *__progname; #endif +static char *last_passphrase = NULL; + void delete_file(AuthenticationConnection *ac, const char *filename) { @@ -172,6 +174,10 @@ /* At first, try empty passphrase */ private = key_new(type); success = load_private_key(filename, "", private, &comment); + if (!success && last_passphrase) { + /* Have passphrase from last key loaded */ + success = load_private_key(filename, last_passphrase, private, &comment); + } if (!success) { printf("Need passphrase for %.200s\n", filename); if (!interactive && askpass == NULL) { @@ -193,13 +199,19 @@ return; } success = load_private_key(filename, pass, private, &comment); + if (success) { + if (last_passphrase) { + memset(last_passphrase, 0, strlen(last_passphrase)); + xfree(last_passphrase); + } + last_passphrase = pass; + break; + } memset(pass, 0, strlen(pass)); xfree(pass); - if (success) - break; strlcpy(msg, "Bad passphrase, try again", sizeof msg); } - } + } xfree(comment); if (ssh_add_identity(ac, private, saved_comment)) fprintf(stderr, "Identity added: %s (%s)\n", filename, saved_comment); @@ -296,6 +308,16 @@ delete_file(ac, buf); else add_file(ac, buf); + + snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir, SSH_CLIENT_ID_DSA); + if (deleting) + delete_file(ac, buf); + else + add_file(ac, buf); + } + if (last_passphrase) { + memset(last_passphrase, 0, strlen(last_passphrase)); + xfree(last_passphrase); } ssh_close_authentication_connection(ac); exit(0); -- dwmw2 From yuliy at mobiltel.bg Mon Jan 8 13:27:51 2001 From: yuliy at mobiltel.bg (Yuliy Minchev) Date: Mon, 8 Jan 2001 04:27:51 +0200 (EET) Subject: Is RhostAuthentication working? In-Reply-To: Message-ID: On Fri, 5 Jan 2001, Pekka Savola wrote: > On Fri, 5 Jan 2001, Yuliy Minchev wrote: > > I've got a few machines (Red Hat Linux, IBM AIX, HP-UX) with > > OpenSSH 2.3.0p1. But it's that RhostAuthentication doesn't work :( > > > > Is it true or not? > > Did you try it in a non-privileged port? That doesn't (didn't) work. Try > running it <1024 somewhere. yes the default behavior is to run in privileged mode, I check with netstat -a and connections were below 1024 but still doesn't work yuliy From jones at tacc.cc.utexas.edu Mon Jan 8 14:20:11 2001 From: jones at tacc.cc.utexas.edu (William L. Jones) Date: Sun, 07 Jan 2001 21:20:11 -0600 Subject: Is RhostAuthentication working? In-Reply-To: References: Message-ID: <4.2.0.58.20010107211038.01b86990@127.0.0.1> Make sure you using SSH protocol version 1 by default. The openssh sshd does not support RhostAuthentication when it doing SSH protocol version 2. At 04:27 AM 1/8/01 +0200, Yuliy Minchev wrote: >On Fri, 5 Jan 2001, Pekka Savola wrote: > > > On Fri, 5 Jan 2001, Yuliy Minchev wrote: > > > I've got a few machines (Red Hat Linux, IBM AIX, HP-UX) with > > > OpenSSH 2.3.0p1. But it's that RhostAuthentication doesn't work :( > > > > > > Is it true or not? > > > > Did you try it in a non-privileged port? That doesn't (didn't) work. Try > > running it <1024 somewhere. > >yes > >the default behavior is to run in privileged mode, I check with >netstat -a and connections were below 1024 > >but still doesn't work > >yuliy From Norbert.Bladt at adi.ch Mon Jan 8 18:13:18 2001 From: Norbert.Bladt at adi.ch (Bladt Norbert) Date: Mon, 8 Jan 2001 08:13:18 +0100 Subject: X11-Forwarding for Reliant UNIX (formerly SINIX) Message-ID: <0912C8BC2132D411BBB80001020BA94702D80E@naizk10.adi.ch> Hi ! To all: A Happy New Year ! During the last week I did some investigations why the X11 forwarding on Reliant UNIX Versions 5.44 and 5.45 does not work out of the box with OpenSSH-2.3.0p1. The result fo my investigation is: 1. The OpenSSH sshd opens a TCP/IP-port 6000 + display number and listens to it. This is fine and works with Solaris 7, DEC-OSF 4.0D, Linux and FreeBSD-4.2 but not with Reliant UNIX. 2. The local communication for X under Reliant UNIX is done via the named pipe /tmp/.X11-unix/Xn where n is the display number. Every other OS I have worked on uses a socket for this. 3. All standard X-applications try to determine whether they are running locally, i.e. if the DISPLAY on computer HOSTX is HOSTX:10.0 the X-applications detect that this is the local computer and try to open the named pipe mentioned above. If I change the DISPLAY to be "IP-Address-of-HOSTX":10.0 than X-forwarding works fine ! 4. The main reason I want to use X11-Forwarding is a special application. For this, the work-around with the IP-Address does not work. Regardless whether I specify the hostname, its IP-address, the name "localhost" or the address 127.0.0.1 this application somehow detects that it is running locally and therefore the X11-forwarding does not work. The real "fix" would be to open the named pipe for reading instead of the TCP port, I guess. I have found the location where the TCP port is opened for listening and the location where the local UNIX domain socket is opened. I think I can change these lines of code to open the named pipe on Reliant UNIX, instead. However, I don't know what the implications are if I do that, i.e. are there other parts of the source that imply the use of a socket ? For instance changing some socket options on a named-pipe will simply return an error code I expect. I would like to get some comments whether the "fix" mentioned above is the right way of doing it and whether changing the code in channels.c is sufficient to solve this problem. Or is my configuration wrong, i.e. should the sshd open a local UNIX domain socket instead of opening an IP-port ? The source code is there to do it in case the DISPLAY variable is containing the string "unix". I already have changed the code to open the named pipe in that case, but this is obviously never done. Somehow confused, Norbert. -- Norbert Bladt ATAG debis Informatik, ISM-TZ1 / Z302 Industriestrasse 1, CH 3052-Zollikofen E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640 From djm at mindrot.org Mon Jan 8 23:15:35 2001 From: djm at mindrot.org (Damien Miller) Date: Mon, 8 Jan 2001 23:15:35 +1100 (EST) Subject: X11-Forwarding for Reliant UNIX (formerly SINIX) In-Reply-To: <0912C8BC2132D411BBB80001020BA94702D80E@naizk10.adi.ch> Message-ID: On Mon, 8 Jan 2001, Bladt Norbert wrote: > Hi ! > > To all: A Happy New Year ! > > During the last week I did some investigations why the X11 forwarding > on Reliant UNIX Versions 5.44 and 5.45 does not work out of the box > with OpenSSH-2.3.0p1. > > The result fo my investigation is: > 3. All standard X-applications try to determine whether > they are running locally, i.e. if the DISPLAY on > computer HOSTX is HOSTX:10.0 the X-applications detect > that this is the local computer and try to open the > named pipe mentioned above. > If I change the DISPLAY to be "IP-Address-of-HOSTX":10.0 > than X-forwarding works fine ! Can you try setting the "--with-ipaddr-display" option to configure? Does this fix the problem? If so I will make it the default for Reliant Unix. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From Norbert.Bladt at adi.ch Tue Jan 9 00:53:56 2001 From: Norbert.Bladt at adi.ch (Bladt Norbert) Date: Mon, 8 Jan 2001 14:53:56 +0100 Subject: AW: X11-Forwarding for Reliant UNIX (formerly SINIX) Message-ID: <0912C8BC2132D411BBB80001020BA94702D815@naizk10.adi.ch> Damien Miller [SMTP:djm at mindrot.org] wrote: > On Mon, 8 Jan 2001, Bladt Norbert wrote: [...] >> The result fo my investigation is: >> 3. All standard X-applications try to determine whether >> they are running locally, i.e. if the DISPLAY on >> computer HOSTX is HOSTX:10.0 the X-applications detect >> that this is the local computer and try to open the >> named pipe mentioned above. >> If I change the DISPLAY to be "IP-Address-of-HOSTX":10.0 >> than X-forwarding works fine ! > Can you try setting the "--with-ipaddr-display" option to configure? OK. I'll try that. > Does this fix the problem? If so I will make it the default for Reliant > Unix. I'll report the result to the list. Later, Norbert. -- Norbert Bladt ATAG debis Informatik, ISM-TZ1 / Z302 Industriestrasse 1, CH 3052-Zollikofen E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640 From johnh at aproposretail.com Tue Jan 9 03:37:20 2001 From: johnh at aproposretail.com (John Hardin) Date: Mon, 08 Jan 2001 08:37:20 -0800 Subject: subject: ssh non-intuitive logging setting. (priority names) References: <3A55FBB5.8B20E0F2@yk.rim.or.jp> <20010106000855.A5714@folly> <3A566212.E564D76B@yk.rim.or.jp> <20010106130307.A21832@folly> <3A57200E.7B866D9C@yk.rim.or.jp> Message-ID: <3A59ECC0.961355C4@aproposretail.com> Ishikawa wrote: > > Monday is a Japanese national holiday and so my own > check will have to wait until next week. Every monday? What a *wonderful* idea! We should adopt the same policy. :) -- John Hardin Internal Systems Administrator Apropos Retail Management Systems, Inc. - (425) 672-1304 x265 From paskalis at di.uoa.gr Tue Jan 9 04:12:13 2001 From: paskalis at di.uoa.gr (Sarantis Paskalis) Date: Mon, 8 Jan 2001 19:12:13 +0200 (EET) Subject: openssh-2.3.0p1 fails to transport rsync Message-ID: Hi, I had previously noticed some peculiar log entries of the form error: error: channel 0: internal error: we do not read, but chan_read_failed for istate 8 in my logs. They were harmless as far as I was concerned. I checked the list archives, where the same logs have been reported and no solution was presented. Recently I tried to use rsync over ssh for backup purposes. The remote end runs Solaris 2.7 and the local machine RedHat Linux 7.0. It fails with the error message: unexpected EOF in read_timeout Simultaneously an error is logged in the Solaris machine error: channel 0: internal error: we do not read, but chan_read_failed for istate 8 The same command works a remote Linux machine. Note that the same log entry is printed in the remote linux logs. Is it a known problem? Thanks for any help. Sarantis -- Sarantis Paskalis From joe at hole-in-the.net Tue Jan 9 04:58:19 2001 From: joe at hole-in-the.net (Joe Warren-Meeks) Date: Mon, 8 Jan 2001 17:58:19 +0000 Subject: fatal: PRNG initialisation failed Message-ID: <20010108175819.E21197@hole-in-the.net> Heya, I have compiled and installed OpenSSH on a Solaris/Sparc machine and whenever I try to start any of the ssh programs I get "fatal: PRNG initialisation failed -- exiting" Now, I have looked through the mailing lists and have seen some mention that this indicates it can't open the ssh_prng_cmds file, which entropy.c also seems to indicate the problem is. However, this snippet from truss would indicate it opened it fine and started reading it: open("/usr/local/etc/ssh_prng_cmds", O_RDONLY) = 3 brk(0x000E6DB8) = 0 brk(0x000E8DB8) = 0 fstat64(3, 0xFFBEECD8) = 0 brk(0x000E8DB8) = 0 brk(0x000EADB8) = 0 ioctl(3, TCGETA, 0xFFBEEC64) Err#25 ENOTTY read(3, " # e n t r o p y g a".., 8192) = 1517 read(3, 0x000E79CC, 8192) = 0 fstat(-1, 0xFFBEEDE8) Err#9 EBADF fstat(-1, 0xFFBEE1B8) Err#9 EBADF Not sure that those last EBADF from fstat are referring to.. I'm not that good with truss.. Anyone know what the problem is? Or where I can start looking to solve it? Could you reply to me as I'm not on the list.. Cheers guys! -- joe. From jones at tacc.cc.utexas.edu Tue Jan 9 06:27:44 2001 From: jones at tacc.cc.utexas.edu (William L. Jones) Date: Mon, 08 Jan 2001 13:27:44 -0600 Subject: fatal: PRNG initialisation failed In-Reply-To: <20010108175819.E21197@hole-in-the.net> Message-ID: <4.2.0.58.20010108132013.01ba8ad0@127.0.0.1> How many good cmds are their in the ssh_prng_cmds. If you don't have at least 16 source you need at least 16. Look at /usr/local/etc/ssh_prng_cmds and count how many cmds are not undefined. You may have to add more sun specific commands to ssh_prng_cmds.in. At 05:58 PM 1/8/01 +0000, Joe Warren-Meeks wrote: >Heya, > >I have compiled and installed OpenSSH on a Solaris/Sparc machine and >whenever I try to start any of the ssh programs I get >"fatal: PRNG initialisation failed -- exiting" > >Now, I have looked through the mailing lists and have seen some mention >that this indicates it can't open the ssh_prng_cmds file, which >entropy.c also seems to indicate the problem is. However, this snippet >from truss would indicate it opened it fine and started reading it: > >open("/usr/local/etc/ssh_prng_cmds", O_RDONLY) = 3 >brk(0x000E6DB8) = 0 >brk(0x000E8DB8) = 0 >fstat64(3, 0xFFBEECD8) = 0 >brk(0x000E8DB8) = 0 >brk(0x000EADB8) = 0 >ioctl(3, TCGETA, 0xFFBEEC64) Err#25 ENOTTY >read(3, " # e n t r o p y g a".., 8192) = 1517 >read(3, 0x000E79CC, 8192) = 0 >fstat(-1, 0xFFBEEDE8) Err#9 EBADF >fstat(-1, 0xFFBEE1B8) Err#9 EBADF > >Not sure that those last EBADF from fstat are referring to.. I'm not >that good with truss.. > >Anyone know what the problem is? Or where I can start looking to solve >it? > >Could you reply to me as I'm not on the list.. > >Cheers guys! > > -- joe. From roumen.petrov at skalasoft.com Tue Jan 9 07:00:16 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Mon, 08 Jan 2001 22:00:16 +0200 Subject: ssh-agent, protocol 2, openssh-2.3.0p1 References: Message-ID: <3A5A1C50.3010502@skalasoft.com> What protocol version use ssh-agent from OpenSSH. local:'SSH Version OpenSSH_2.3.0p2, protocol versions 1.5/2.0.' ( SNAP-20010108 ) remote:'SSH Secure Shell 2.3.0 ....' I remove in files: - clientloop.c - session.c - ssh.c '@openssh.com' in lines about agent authentication. after this sshd2/1 ( from ssh.com ) on remote machine create unix domain socket, but work fine only if I connect to sshd1 ( protocol version 1.5 ). If connection is to sshd2 ( protocol version 2 ) command 'ssh-add2 -l' ( list auth keys ) from ssh.com report this: ssh_agent_received_packet: packet number 2 (version response from 1.x agent) and 'forwarding of the authentication agent connection' don`t work ! What can I do ? How to check packets response from OpenSSH agent to SSH server ? File 'authfd.h' has 'private OpenSSH extensions for SSH2' . Is this wrong ? From joe at hole-in-the.net Tue Jan 9 07:03:16 2001 From: joe at hole-in-the.net (Joe Warren-Meeks) Date: Mon, 8 Jan 2001 20:03:16 +0000 Subject: fatal: PRNG initialisation failed In-Reply-To: <4.2.0.58.20010108132013.01ba8ad0@127.0.0.1>; from jones@tacc.cc.utexas.edu on Mon, Jan 08, 2001 at 01:27:44PM -0600 References: <20010108175819.E21197@hole-in-the.net> <4.2.0.58.20010108132013.01ba8ad0@127.0.0.1> Message-ID: <20010108200315.F21197@hole-in-the.net> On Mon, Jan 08, 2001 at 01:27:44PM -0600, William L. Jones scribed: Heya, > How many good cmds are their in the ssh_prng_cmds. If you don't have at least > 16 source you need at least 16. Look at /usr/local/etc/ssh_prng_cmds and > count > how many cmds are not undefined. > > You may have to add more sun specific commands to ssh_prng_cmds.in. There are at least 19 valid ones in there.. is that enough? Cheers! -- joe. > > At 05:58 PM 1/8/01 +0000, Joe Warren-Meeks wrote: > >Heya, > > > >I have compiled and installed OpenSSH on a Solaris/Sparc machine and > >whenever I try to start any of the ssh programs I get > >"fatal: PRNG initialisation failed -- exiting" > > > >Now, I have looked through the mailing lists and have seen some mention > >that this indicates it can't open the ssh_prng_cmds file, which > >entropy.c also seems to indicate the problem is. However, this snippet > >from truss would indicate it opened it fine and started reading it: > > > >open("/usr/local/etc/ssh_prng_cmds", O_RDONLY) = 3 > >brk(0x000E6DB8) = 0 > >brk(0x000E8DB8) = 0 > >fstat64(3, 0xFFBEECD8) = 0 > >brk(0x000E8DB8) = 0 > >brk(0x000EADB8) = 0 > >ioctl(3, TCGETA, 0xFFBEEC64) Err#25 ENOTTY > >read(3, " # e n t r o p y g a".., 8192) = 1517 > >read(3, 0x000E79CC, 8192) = 0 > >fstat(-1, 0xFFBEEDE8) Err#9 EBADF > >fstat(-1, 0xFFBEE1B8) Err#9 EBADF > > > >Not sure that those last EBADF from fstat are referring to.. I'm not > >that good with truss.. > > > >Anyone know what the problem is? Or where I can start looking to solve > >it? > > > >Could you reply to me as I'm not on the list.. > > > >Cheers guys! > > > > -- joe. > From jones at tacc.cc.utexas.edu Tue Jan 9 07:22:47 2001 From: jones at tacc.cc.utexas.edu (William L. Jones) Date: Mon, 08 Jan 2001 14:22:47 -0600 Subject: fatal: PRNG initialisation failed In-Reply-To: <20010108200315.F21197@hole-in-the.net> References: <4.2.0.58.20010108132013.01ba8ad0@127.0.0.1> <20010108175819.E21197@hole-in-the.net> <4.2.0.58.20010108132013.01ba8ad0@127.0.0.1> Message-ID: <4.2.0.58.20010108141825.01b9fdb0@127.0.0.1> You would hope! Are you sure their not marked undef? You might have to add print statements to prng_read_commands to figure this one out. Bill Jones At 08:03 PM 1/8/01 +0000, Joe Warren-Meeks wrote: >On Mon, Jan 08, 2001 at 01:27:44PM -0600, William L. Jones scribed: > >Heya, > > > How many good cmds are their in the ssh_prng_cmds. If you don't have > at least > > 16 source you need at least 16. Look at /usr/local/etc/ssh_prng_cmds and > > count > > how many cmds are not undefined. > > > > You may have to add more sun specific commands to ssh_prng_cmds.in. > >There are at least 19 valid ones in there.. is that enough? > >Cheers! > > -- joe. > > > > > At 05:58 PM 1/8/01 +0000, Joe Warren-Meeks wrote: > > >Heya, > > > > > >I have compiled and installed OpenSSH on a Solaris/Sparc machine and > > >whenever I try to start any of the ssh programs I get > > >"fatal: PRNG initialisation failed -- exiting" > > > > > >Now, I have looked through the mailing lists and have seen some mention > > >that this indicates it can't open the ssh_prng_cmds file, which > > >entropy.c also seems to indicate the problem is. However, this snippet > > >from truss would indicate it opened it fine and started reading it: > > > > > >open("/usr/local/etc/ssh_prng_cmds", O_RDONLY) = 3 > > >brk(0x000E6DB8) = 0 > > >brk(0x000E8DB8) = 0 > > >fstat64(3, 0xFFBEECD8) = 0 > > >brk(0x000E8DB8) = 0 > > >brk(0x000EADB8) = 0 > > >ioctl(3, TCGETA, 0xFFBEEC64) Err#25 ENOTTY > > >read(3, " # e n t r o p y g a".., 8192) = 1517 > > >read(3, 0x000E79CC, 8192) = 0 > > >fstat(-1, 0xFFBEEDE8) Err#9 EBADF > > >fstat(-1, 0xFFBEE1B8) Err#9 EBADF > > > > > >Not sure that those last EBADF from fstat are referring to.. I'm not > > >that good with truss.. > > > > > >Anyone know what the problem is? Or where I can start looking to solve > > >it? > > > > > >Could you reply to me as I'm not on the list.. > > > > > >Cheers guys! > > > > > > -- joe. > > From joe at hole-in-the.net Tue Jan 9 08:29:25 2001 From: joe at hole-in-the.net (Joe Warren-Meeks) Date: Mon, 8 Jan 2001 21:29:25 +0000 Subject: fatal: PRNG initialisation failed In-Reply-To: <4.2.0.58.20010108141825.01b9fdb0@127.0.0.1>; from jones@tacc.cc.utexas.edu on Mon, Jan 08, 2001 at 02:22:47PM -0600 References: <4.2.0.58.20010108132013.01ba8ad0@127.0.0.1> <20010108175819.E21197@hole-in-the.net> <4.2.0.58.20010108132013.01ba8ad0@127.0.0.1> <20010108200315.F21197@hole-in-the.net> <4.2.0.58.20010108141825.01b9fdb0@127.0.0.1> Message-ID: <20010108212924.G21197@hole-in-the.net> On Mon, Jan 08, 2001 at 02:22:47PM -0600, William L. Jones scribed: Heya, > You would hope! Are you sure their not marked undef? > You might have to add print statements to prng_read_commands to figure this one > out. Oh, they are all marked as undef! Thats what happens when you do a make install in a minimal chrooted environment so that you can make a Solaris package without hosing /usr/local! Sorry for wasting your time 8( what should be there instead of undef? And is there any documentation for the file format? Cheers! -- joe. From jones at tacc.cc.utexas.edu Tue Jan 9 08:39:23 2001 From: jones at tacc.cc.utexas.edu (William L. Jones) Date: Mon, 08 Jan 2001 15:39:23 -0600 Subject: fatal: PRNG initialisation failed In-Reply-To: <20010108212924.G21197@hole-in-the.net> References: <4.2.0.58.20010108141825.01b9fdb0@127.0.0.1> <4.2.0.58.20010108132013.01ba8ad0@127.0.0.1> <20010108175819.E21197@hole-in-the.net> <4.2.0.58.20010108132013.01ba8ad0@127.0.0.1> <20010108200315.F21197@hole-in-the.net> <4.2.0.58.20010108141825.01b9fdb0@127.0.0.1> Message-ID: <4.2.0.58.20010108153856.01bb06d0@127.0.0.1> At 09:29 PM 1/8/01 +0000, Joe Warren-Meeks wrote: >On Mon, Jan 08, 2001 at 02:22:47PM -0600, William L. Jones scribed: > >Heya, > > > You would hope! Are you sure their not marked undef? > > You might have to add print statements to prng_read_commands to figure > this one > > out. > > >Oh, they are all marked as undef! Thats what happens when you do a make >install in a minimal chrooted environment so that you can make a Solaris >package without hosing /usr/local! > That why I know to look :) >Sorry for wasting your time 8( what should be there instead of undef? >And is there any documentation for the file format? > >Cheers! > > -- joe. From markus.friedl at informatik.uni-erlangen.de Tue Jan 9 09:40:36 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 8 Jan 2001 23:40:36 +0100 Subject: OpenSSH 2.4.0 patch call.. In-Reply-To: ; from mouring@etoh.eviladmin.org on Sun, Jan 07, 2001 at 02:19:46PM -0600 References: Message-ID: <20010108234036.H4811@folly> the reason for mysignal() is that it has a defined semantics and what Stevens calls 'reliable signals'. the handler are not deinstalled if a signal occurs. -m On Sun, Jan 07, 2001 at 02:19:46PM -0600, mouring at etoh.eviladmin.org wrote: > On Sun, 7 Jan 2001, Kevin Steves wrote: > > > On Thu, 4 Jan 2001 mouring at etoh.eviladmin.org wrote: > > : On Fri, 5 Jan 2001, Kevin Steves wrote: > > : > ok, i missed that one. is it feasable to move entirely to sigaction() > > : > and emulate with sigvec() if needed? > > : > > > : Don't see a problem with that. I believe that is what Markus was > > : suggesting with his 'mysignal()'. > > > > mysignal() was a wrapper for sigaction()/signal(). signal was used if > > there was no sigaction. i was thinking of using sigaction directly, > > then use sigaction/sigvec emulation if needed. will that work? > > > As far as I know it should work fine. Don't know how many platforms lack > sigaction() and would require sigvec(). I know NeXT lacks it. > > I threw together a quick patch that replaced all signal() w/ mysignal(), > and I did not see any ill effects under Linux. However, I did not push it > very hard either (due to time, and lack of any indepth knowledge of > signal() vs sigaction()). > > - Ben > > From markus.friedl at informatik.uni-erlangen.de Tue Jan 9 09:42:53 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 8 Jan 2001 23:42:53 +0100 Subject: [PATCH] Caching passphrase in ssh-add. In-Reply-To: ; from dwmw2@infradead.org on Sun, Jan 07, 2001 at 10:03:58PM +0000 References: Message-ID: <20010108234253.I4811@folly> On Sun, Jan 07, 2001 at 10:03:58PM +0000, David Woodhouse wrote: > 2. Remember the last successful passphrase and attempt to use it on > subsequent key files which are added. i don't like this feature. i don't want to encourage people to reuse the same passphrase for different keys. > Is the SSHv2 protocol fundamentally incapable of using RSA keys for > authentication, or is that (RSA on v2) a missing feature of OpenSSH? http://bass.directhit.com/openssh_snap supports RSA in V2 (but you need to generate a special RSA keys for v2). -m From markus.friedl at informatik.uni-erlangen.de Tue Jan 9 09:43:39 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 8 Jan 2001 23:43:39 +0100 Subject: openssh-2.3.0p1 fails to transport rsync In-Reply-To: ; from paskalis@di.uoa.gr on Mon, Jan 08, 2001 at 07:12:13PM +0200 References: Message-ID: <20010108234339.J4811@folly> hi, please try a recent snapshot from http://bass.directhit.com/openssh_snap does it fix this problem? On Mon, Jan 08, 2001 at 07:12:13PM +0200, Sarantis Paskalis wrote: > Hi, > > I had previously noticed some peculiar log entries of the form error: > > error: channel 0: internal error: we do not read, but chan_read_failed for > istate 8 > > in my logs. They were harmless as far as I was concerned. I checked the > list archives, where the same logs have been reported and no solution was > presented. > > Recently I tried to use rsync over ssh for backup purposes. The remote > end runs Solaris 2.7 and the local machine RedHat Linux 7.0. It fails > with the error message: > > unexpected EOF in read_timeout > > Simultaneously an error is logged in the Solaris machine > > error: channel 0: internal error: we do not read, but chan_read_failed for > istate 8 > > The same command works a remote Linux machine. Note that the same log > entry is printed in the remote linux logs. > > Is it a known problem? > Thanks for any help. > > Sarantis > > > -- > Sarantis Paskalis > > From markus.friedl at informatik.uni-erlangen.de Tue Jan 9 09:46:35 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 8 Jan 2001 23:46:35 +0100 Subject: ssh-agent, protocol 2, openssh-2.3.0p1 In-Reply-To: <3A5A1C50.3010502@skalasoft.com>; from roumen.petrov@skalasoft.com on Mon, Jan 08, 2001 at 10:00:16PM +0200 References: <3A5A1C50.3010502@skalasoft.com> Message-ID: <20010108234635.K4811@folly> On Mon, Jan 08, 2001 at 10:00:16PM +0200, Roumen Petrov wrote: > What protocol version use ssh-agent from OpenSSH. > > local:'SSH Version OpenSSH_2.3.0p2, protocol versions 1.5/2.0.' ( SNAP-20010108 ) > remote:'SSH Secure Shell 2.3.0 ....' > > I remove in files: > - clientloop.c > - session.c > - ssh.c > '@openssh.com' in lines about agent authentication. don't remove this line :) i don't have a spec for the agent protocol of SSH.COM's SSH2, so i extended the old agent protocol SSH2 in a openssh-private way. it won't interoperate with ssh.com's agent. From dwmw2 at infradead.org Tue Jan 9 09:55:33 2001 From: dwmw2 at infradead.org (David Woodhouse) Date: Mon, 8 Jan 2001 22:55:33 +0000 (GMT) Subject: [PATCH] Caching passphrase in ssh-add. In-Reply-To: <20010108234253.I4811@folly> Message-ID: On Mon, 8 Jan 2001, Markus Friedl wrote: > On Sun, Jan 07, 2001 at 10:03:58PM +0000, David Woodhouse wrote: > > 2. Remember the last successful passphrase and attempt to use it on > > subsequent key files which are added. > > i don't like this feature. i don't want to encourage people > to reuse the same passphrase for different keys. That's reasonable, I suppose, but in this case these keys are used for _identical_ purposes, and distributed as a pair, one RSA and one DSA, so that it doesn't matter whether today particular combination of client/server versions is using the V1 or V2 protocol. So I can revert to protocol 1 when I want agent forwarding to work, etc. And when the sysadmins of certain remote machines get round to upgrading, it'll suddenly start using the DSA key instead of the RSA key for those boxes, and I won't have to deal with it. I suspect there are quite a few people now using pairs of RSA and DSA keys in this manner. It's useful to be able to load them both at once without having to repeat the passphrase, IMO. We don't prohibit keys without passphrases. Surely it should be sufficent to support it, but warn in the documentation that it's not advised for maximal security? > > Is the SSHv2 protocol fundamentally incapable of using RSA keys for > > authentication, or is that (RSA on v2) a missing feature of OpenSSH? > > http://bass.directhit.com/openssh_snap supports RSA in V2 (but > you need to generate a special RSA keys for v2). Will those keys then be compatible with V1-only clients? Otherwise the point is sort of lost :) -- dwmw2 From djm at mindrot.org Tue Jan 9 09:58:37 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 9 Jan 2001 09:58:37 +1100 (EST) Subject: fatal: PRNG initialisation failed In-Reply-To: <20010108175819.E21197@hole-in-the.net> Message-ID: On Mon, 8 Jan 2001, Joe Warren-Meeks wrote: > Heya, > > I have compiled and installed OpenSSH on a Solaris/Sparc machine and > whenever I try to start any of the ssh programs I get > "fatal: PRNG initialisation failed -- exiting" > > Now, I have looked through the mailing lists and have seen some mention > that this indicates it can't open the ssh_prng_cmds file, which > entropy.c also seems to indicate the problem is. However, this snippet > from truss would indicate it opened it fine and started reading it: Doing a "ssh -v -v -v" is the best way to debug PRNG failures, it turns on a lot of additional debugging. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From sunil at redback.com Tue Jan 9 10:02:00 2001 From: sunil at redback.com (Sunil K. Vallamkonda) Date: Mon, 8 Jan 2001 15:02:00 -0800 (PST) Subject: openSSH: configure ciphers. Message-ID: I see that: SSH uses the following ciphers for encryption: Cipher SSH1 SSH2 DES yes no 3DES yes yes IDEA yes no Blowfish yes yes Twofish no yes Arcfour no yes Cast128-cbc no yes Two ques re: sshd: 1) Using openssh, how do I configure which set of ciphers to use from above set for SSH1 and SSH2 ? Does "yes" above mean must or an option (configurable)? 2) Does SSH2 use DES and 3DES or it is DES or 3DES ? If latter, can I specify SSH2 with DES ? Thank you. From pekkas at netcore.fi Tue Jan 9 10:12:27 2001 From: pekkas at netcore.fi (Pekka Savola) Date: Tue, 9 Jan 2001 01:12:27 +0200 (EET) Subject: openSSH: configure ciphers. In-Reply-To: Message-ID: On Mon, 8 Jan 2001, Sunil K. Vallamkonda wrote: > I see that: > SSH uses the following ciphers for encryption: > Cipher SSH1 SSH2 > DES yes no > 3DES yes yes > IDEA yes no > Blowfish yes yes > Twofish no yes > Arcfour no yes > Cast128-cbc no yes Your list is a based on ssh by ssh communications, I assume. There has never been Idea in OpenSSH due to patents. Recent versions of SSHv2 also support AES aka Rijndael for SSHv2. DES is just there for SSHv1 compability with certain SSH-enabled routers. Because of it's insufficient length, it has been disabled elsewhere. There are no compile-time configuration options to toggle these on and off. You can specify which to use at run time or in configuration using 'Cipher' and 'Ciphers'. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From sunil at redback.com Tue Jan 9 10:32:23 2001 From: sunil at redback.com (Sunil K. Vallamkonda) Date: Mon, 8 Jan 2001 15:32:23 -0800 (PST) Subject: openSSH: configure ciphers. In-Reply-To: Message-ID: <..clipped..> On Tue, 9 Jan 2001, Pekka Savola wrote: > > IDEA yes no > > Blowfish yes yes > > Twofish no yes > > Arcfour no yes > > Cast128-cbc no yes > > Your list is a based on ssh by ssh communications, I assume. > ^^^^^^^ thank you for your email. Yes, I got this list from ssh communications. Question is: Is there a similar list for openSSH ? > There has never been Idea in OpenSSH due to patents. Recent versions of > SSHv2 also support AES aka Rijndael for SSHv2. > > DES is just there for SSHv1 compability with certain SSH-enabled routers. > Because of it's insufficient length, it has been disabled elsewhere. > > There are no compile-time configuration options to toggle these on and > off. You can specify which to use at run time or in configuration using > 'Cipher' and 'Ciphers'. > ^^^^^^^^^^^ Does it mean at server side there is no compile-time/run-time option to specify list of ciphers to accept from a client ? I find that in SSH Transport Layer Protocol doc: http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-08.txt: 3des-cbc REQUIRED three-key 3DES in CBC mode blowfish-cbc RECOMMENDED Blowfish in CBC mode twofish-cbc RECOMMENDED Twofish in CBC mode aes256-cbc RECOMMENDED AES (Rijndael) in CBC mode, with 256-bit key aes192-cbc OPTIONAL AES with 192-bit key <..clipped..> Is this for SSH1 and SSH2 ? Does RECOMMENDED mean "MUST" ? Thank you. > -- > Pekka Savola "Tell me of difficulties surmounted, > Netcore Oy not those you stumble over and fall" > Systems. Networks. Security. -- Robert Jordan: A Crown of Swords > > > From djm at mindrot.org Tue Jan 9 11:14:28 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 9 Jan 2001 11:14:28 +1100 (EST) Subject: openSSH: configure ciphers. In-Reply-To: Message-ID: On Mon, 8 Jan 2001, Sunil K. Vallamkonda wrote: > thank you for your email. > Yes, I got this list from ssh communications. > Question is: Is there a similar list for openSSH ? The manpage lists a few - recent snapshots include a more complete list. > > There are no compile-time configuration options to toggle these on and > > off. You can specify which to use at run time or in configuration using > > 'Cipher' and 'Ciphers'. > > > Does it mean at server side there is no compile-time/run-time > option to specify list of ciphers to accept from a client ? Read the above paragraph again - you can use the 'Cipher' (for SSH1) and 'Ciphers' (for SSH2) to select which cipher will be used by the client. You can also use 'Ciphers' to specify which ciphers the server will accept. > I find that in SSH Transport Layer Protocol doc: > http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-08.txt: > > 3des-cbc REQUIRED three-key 3DES in CBC mode > blowfish-cbc RECOMMENDED Blowfish in CBC mode > twofish-cbc RECOMMENDED Twofish in CBC mode > aes256-cbc RECOMMENDED AES (Rijndael) in CBC mode, > with 256-bit key > aes192-cbc OPTIONAL AES with 192-bit key > <..clipped..> > > > Is this for SSH1 and SSH2 ? SSH2. > Does RECOMMENDED mean "MUST" ? No, REQUIRED = MUST. This is a list of the ciphers that OpenSSH implements: SSH1 ---- 3DES (default) Blowfish DES (client only, must be explicitly selected) SSH2 ---- 3des-cbc blowfish-cbc cast128-cbc arcfour aes128-cbc (a.k.a rijndael128-cbc) aes192-cbc (a.k.a rijndael192-cbc) aes256-cbc (a.k.a rijndael256-cbc) -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From tim at multitalents.net Tue Jan 9 12:24:24 2001 From: tim at multitalents.net (Tim Rice) Date: Mon, 8 Jan 2001 17:24:24 -0800 (PST) Subject: AUTHPRIV In-Reply-To: Message-ID: Jan 7 CVS # uname -a SunOS sun1 5.7 Generic_106541-08 sun4m sparc SUNW,SPARCstation-5 # /usr/local/sbin/sshd -d fatal: /usr/local/etc/sshd_config line 26: unsupported log facility 'AUTHPRIV' debug1: Calling cleanup 0x3aedc(0x0) debug1: writing PRNG seed to file //.ssh/prng_seed # Why is AUTHPRIV the default in sshd_config if -------< log.c >--------- #ifdef LOG_AUTHPRIV { "AUTHPRIV", SYSLOG_FACILITY_AUTHPRIV }, #endif ------------------------- -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From sunil at redback.com Tue Jan 9 13:13:12 2001 From: sunil at redback.com (Sunil K. Vallamkonda) Date: Mon, 8 Jan 2001 18:13:12 -0800 (PST) Subject: sshd: DES in SSH1 ? Message-ID: I see that commercial SSH version it is possible to run sshd in SSH1 using DES (i.e, accepting SSH-DES clients). I understand from Damien Miller that Cisco routers also run in only SSH1 DES mode. Is it possible in openSSH to configure sshd (compile-time/runtime) to run sshd in SSH1 or SSH2 mode and accept SSH1 or SSH2 DES clients ? [I would like to be able to run sshd in SSH1/DES mode ] Is there a patch or another version that I can use (to be able to run openSSH sshd to accept SSH-DES clients in SSH1 ? If not any pointers/ suggestions to code changes that I should be make to achieve above ? Thank you. From Norbert.Bladt at adi.ch Tue Jan 9 17:56:02 2001 From: Norbert.Bladt at adi.ch (Bladt Norbert) Date: Tue, 9 Jan 2001 07:56:02 +0100 Subject: AW: fatal: PRNG initialisation failed Message-ID: <0912C8BC2132D411BBB80001020BA94702D817@naizk10.adi.ch> Joe Warren-Meeks [SMTP:joe at hole-in-the.net] wrote: > open("/usr/local/etc/ssh_prng_cmds", O_RDONLY) = 3 open of the command file succeeded. > brk(0x000E6DB8) = 0 "malloc" in user land, i.e. sshd > brk(0x000E8DB8) = 0 "malloc" in user land, i.e. sshd > fstat64(3, 0xFFBEECD8) = 0 > brk(0x000E8DB8) = 0 another malloc > brk(0x000EADB8) = 0 and another malloc > ioctl(3, TCGETA, 0xFFBEEC64) Err#25 ENOTTY This looks suspicious to me. Why does the code do an ioctl intended for a terminal on the file listing the commands ? This system call will return a "-1". Perhaps this is what is used later for the fstat ? > read(3, " # e n t r o p y g a".., 8192) = 1517 This read reads the whole file with the entropy commands of size 1517. Mine, on Solaris 7 is smaller and it works for me. > read(3, 0x000E79CC, 8192) = 0 The next reads returns zero as there is nothing left to read. > fstat(-1, 0xFFBEEDE8) Err#9 EBADF > fstat(-1, 0xFFBEE1B8) Err#9 EBADF > Not sure that those last EBADF from fstat are referring to.. I'm not > that good with truss.. Me too. Looking at the sources shows that the error message you see is indeed shown if the number of commands in the command file is too small. >From the truss I see that at least two mallocs are done. Now, the problem is that I don't know anything about the Solaris malloc, i.e. if it is intelligent enough to not map application mallocs to brk system calls or not. If it does a 1:1 mapping, there is something wrong in the command file or you run out of memory. Because there should be much more "malloc"s done by sshd than just these four. Sorry, that I can't help much more than analyzing the truss output. Hope it helps, anyway, Norbert. -- Norbert Bladt ATAG debis Informatik, ISM-TZ1 / Z302 Industriestrasse 1, CH 3052-Zollikofen E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640 From Norbert.Bladt at adi.ch Tue Jan 9 18:40:33 2001 From: Norbert.Bladt at adi.ch (Bladt Norbert) Date: Tue, 9 Jan 2001 08:40:33 +0100 Subject: Result: X11-Forwarding for Reliant UNIX (formerly SINIX) Message-ID: <0912C8BC2132D411BBB80001020BA94702D818@naizk10.adi.ch> Hi ! I promised to report the result to the list. Here it is: Damien Miller [SMTP:djm at mindrot.org] wrote yesterday on his keyboard: > On Mon, 8 Jan 2001, Bladt Norbert wrote: [...] >> During the last week I did some investigations why the X11 forwarding >> on Reliant UNIX Versions 5.44 and 5.45 does not work out of the box >> with OpenSSH-2.3.0p1. >> >> The result fo my investigation is: >> 3. All standard X-applications try to determine whether >> they are running locally, i.e. if the DISPLAY on >> computer HOSTX is HOSTX:10.0 the X-applications detect >> that this is the local computer and try to open the >> named pipe mentioned above. >> If I change the DISPLAY to be "IP-Address-of-HOSTX":10.0 >> than X-forwarding works fine ! > Can you try setting the "--with-ipaddr-display" option to configure? > Does this fix the problem? If so I will make it the default for Reliant > Unix. It does not fix the problem really but it is a reasonable work-around which is sufficient for the standard X11-applications like xterm, xeyes, etc. So I think it is a good idea to turn that on for Reliant UNIX. The host has been detected as "mips-sni-sysv4" It still can't work with the System Management tool TransView. This application tries hard to figure out whether it is running on the local host and opens the communication to the local name piped /tmp/.X11-unix/Xn (n being the DISPLAY number) instead of the TCP-port 6000+n. I am still thinking that opening and creating the named pipe in /tmp/.X11unix is the real and final fix. Norbert. -- Norbert Bladt ATAG debis Informatik, ISM-TZ1 / Z302 Industriestrasse 1, CH 3052-Zollikofen E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640 From Norbert.Bladt at adi.ch Tue Jan 9 18:48:45 2001 From: Norbert.Bladt at adi.ch (Bladt Norbert) Date: Tue, 9 Jan 2001 08:48:45 +0100 Subject: Difference 2.1.1 and 2.3.0p1 on Reliant UNIX Message-ID: <0912C8BC2132D411BBB80001020BA94702D819@naizk10.adi.ch> Hi ! I upgraded one of our Reliant UNIX systems from 2.1.1 to 2.3.0p1. Now, I suddenly can't login any more. The error message is: Attempting authentication for illegal user ... The reason is: Password expiration Although I don't use my password to login, at all. I login via RSAAuthentication and this did work with version 2.1.1. Version 2.3.0p1, obviously, checks the password expiration and sets the "illegal user flag" before it tries the RSAAuthentication. These kind of problems are not easy to determine without looking at the source and adding calls to debug(...) to it. Is that change intended or is this the result of the "added" support for Reliant UNIX ? Norbert. -- Norbert Bladt ATAG debis Informatik, ISM-TZ1 / Z302 Industriestrasse 1, CH 3052-Zollikofen E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640 From Chiaki.Ishikawa at personal-media.co.jp Tue Jan 9 21:31:00 2001 From: Chiaki.Ishikawa at personal-media.co.jp (Chiaki Ishikawa) Date: Tue, 9 Jan 2001 19:31:00 +0900 (JST) Subject: subject: ssh non-intuitive logging setting. (priority names) In-Reply-To: <3A59ECC0.961355C4@aproposretail.com> (johnh@aproposretail.com) Message-ID: <200101091031.TAA26028@sparc18.personal-media.co.jp> X-PMC-CI-e-mail-id: 14407 >> Monday is a Japanese national holiday and so my own >> check will have to wait until next week. > >Every monday? What a *wonderful* idea! We should adopt the same policy. > >:) Yeah, I wish I lived in that kind of Uthopia. Seriously, I meant the upcoming Monday, which was yesterday, was a Japanese holiday. (The second Monday of January, that is. It used to be the fixed date when I was a kid: January 15th.) Anyway, I will try the sshd log thing and report my findings. -- Ishikawa, Chiaki ishikawa at personal-media.co.jp.NoSpam or (family name, given name) Chiaki.Ishikawa at personal-media.co.jp.NoSpam Personal Media Corp. ** Remove .NoSpam at the end before use ** Shinagawa, Tokyo, Japan 142-0051 From Markus.Friedl at informatik.uni-erlangen.de Tue Jan 9 21:47:45 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 9 Jan 2001 11:47:45 +0100 Subject: openSSH: configure ciphers. In-Reply-To: ; from sunil@redback.com on Mon, Jan 08, 2001 at 03:02:00PM -0800 References: Message-ID: <20010109114745.C3647@faui02.informatik.uni-erlangen.de> On Mon, Jan 08, 2001 at 03:02:00PM -0800, Sunil K. Vallamkonda wrote: > > I see that: > SSH uses the following ciphers for encryption: replace 'SSH uses' by 'the SSH protocol defines' > Cipher SSH1 SSH2 > DES yes no > 3DES yes yes > IDEA yes no > Blowfish yes yes > Twofish no yes > Arcfour no yes > Cast128-cbc no yes OpenSSH supports in protocol SSH-1: 3des, blowfish (the client additionally supports DES) SSH-2: 3des, blowfish, AES, cast, arcfour > 1) Using openssh, how do I configure which > set of ciphers to use from above set for SSH1 and SSH2 ? > Does "yes" above mean must or an option (configurable)? 3des and blowfish are always enabled in SSH-1 servers. SSH-1 clients can select the cipher with ssh -c cipher or 'Cipher cipher' in .ssh/config or ssh_config SSH-2 clients and servers can use Ciphers 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc in sshd_config or .ssh/config or ssh_config or ssh -c cipher but this is all in the manpages. > 2) Does SSH2 use DES and 3DES or it is DES or 3DES ? > If latter, can I specify SSH2 with DES ? no, DES is not defined for SSH2. -markus From Markus.Friedl at informatik.uni-erlangen.de Tue Jan 9 21:41:09 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 9 Jan 2001 11:41:09 +0100 Subject: [PATCH] Caching passphrase in ssh-add. In-Reply-To: ; from dwmw2@infradead.org on Mon, Jan 08, 2001 at 10:55:33PM +0000 References: <20010108234253.I4811@folly> Message-ID: <20010109114109.B3647@faui02.informatik.uni-erlangen.de> On Mon, Jan 08, 2001 at 10:55:33PM +0000, David Woodhouse wrote: > > http://bass.directhit.com/openssh_snap supports RSA in V2 (but > > you need to generate a special RSA keys for v2). > > Will those keys then be compatible with V1-only clients? Otherwise the > point is sort of lost :) why. V1-only clients speak V1 only. so what should be compatible? RSA keys in SSH2 are different in openssh, since they are used for different purposes. you might prefer to use RSA instead of DSA in ssh2 since RSA is simpler and does not consume as much random ness as the DSA sign process. -markus From Markus.Friedl at informatik.uni-erlangen.de Tue Jan 9 21:50:09 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 9 Jan 2001 11:50:09 +0100 Subject: sshd: DES in SSH1 ? In-Reply-To: ; from sunil@redback.com on Mon, Jan 08, 2001 at 06:13:12PM -0800 References: Message-ID: <20010109115009.D3647@faui02.informatik.uni-erlangen.de> change the definition of cipher_mask_ssh1(), but it's not recommended. On Mon, Jan 08, 2001 at 06:13:12PM -0800, Sunil K. Vallamkonda wrote: > > I see that commercial SSH version it is possible to > run sshd in SSH1 using DES (i.e, accepting SSH-DES clients). > I understand from Damien Miller that > Cisco routers also run in only SSH1 DES mode. > > Is it possible in openSSH to configure sshd (compile-time/runtime) > to run sshd in SSH1 or SSH2 mode and accept SSH1 or SSH2 DES clients ? > [I would like to be able to run sshd in SSH1/DES mode ] > > > Is there a patch or another version that I can use (to be able to > run openSSH sshd to accept SSH-DES clients in SSH1 ? If not any pointers/ > suggestions to code changes that I should be make to achieve above ? > > Thank you. > > > > From dwmw2 at infradead.org Tue Jan 9 22:12:21 2001 From: dwmw2 at infradead.org (David Woodhouse) Date: Tue, 09 Jan 2001 11:12:21 +0000 Subject: [PATCH] Caching passphrase in ssh-add. In-Reply-To: <20010109114109.B3647@faui02.informatik.uni-erlangen.de> References: <20010109114109.B3647@faui02.informatik.uni-erlangen.de> <20010108234253.I4811@folly> Message-ID: <18981.979038741@redhat.com> Markus.Friedl at informatik.uni-erlangen.de said: > why. V1-only clients speak V1 only. so what should be compatible? RSA > keys in SSH2 are different in openssh, since they are used for > different purposes. Internally, perhaps. As far as the na?ve user (me) is concerned, though, they're used for exactly the same purpose - the presence of a private key on the client, and the corresponding public key on the server, serves to provide authentication to the server. Slowly but surely, systems are upgrading to versions of SSH which are capable of the V2 protocol, and as soon as both ends have done so, the existing RSA key pairs suddenly stop working. Hence the use of matched pairs of keypairs, one RSAv1 and one DSA, to ensure that it doesn't matter which protocol is used. And the desire to load both keys into ssh-agent at the same time with the same passphrase, because conceptually, they're identical - the have exactly the same level of trust, and protocol version mismatches aside, they provide access to exactly the same systems. -- dwmw2 From Markus.Friedl at informatik.uni-erlangen.de Tue Jan 9 22:21:01 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 9 Jan 2001 12:21:01 +0100 Subject: [PATCH] Caching passphrase in ssh-add. In-Reply-To: <18981.979038741@redhat.com>; from dwmw2@infradead.org on Tue, Jan 09, 2001 at 11:12:21AM +0000 References: <20010109114109.B3647@faui02.informatik.uni-erlangen.de> <20010108234253.I4811@folly> <20010109114109.B3647@faui02.informatik.uni-erlangen.de> <18981.979038741@redhat.com> Message-ID: <20010109122100.A10444@faui02.informatik.uni-erlangen.de> i don't understand your point? what do you want? you want to share passphrases, this is no problem for me. you want to cache passphases? i think this is a bad idea but i might be wrong. but how is this related to SSH-2 RSA keys? right now, RSA keys for SSH-2 are different from RSA keys in SSH-1, since there might be some problems/attacks if a key used for encryption is now reused for signing. -markus On Tue, Jan 09, 2001 at 11:12:21AM +0000, David Woodhouse wrote: > Markus.Friedl at informatik.uni-erlangen.de said: > > why. V1-only clients speak V1 only. so what should be compatible? RSA > > keys in SSH2 are different in openssh, since they are used for > > different purposes. > > Internally, perhaps. As far as the na?ve user (me) is concerned, though, > they're used for exactly the same purpose - the presence of a private key > on the client, and the corresponding public key on the server, serves to > provide authentication to the server. > > Slowly but surely, systems are upgrading to versions of SSH which are > capable of the V2 protocol, and as soon as both ends have done so, the > existing RSA key pairs suddenly stop working. > > Hence the use of matched pairs of keypairs, one RSAv1 and one DSA, to ensure > that it doesn't matter which protocol is used. And the desire to load both > keys into ssh-agent at the same time with the same passphrase, because > conceptually, they're identical - the have exactly the same level of trust, > and protocol version mismatches aside, they provide access to exactly the > same systems. > > -- > dwmw2 > From dwmw2 at infradead.org Tue Jan 9 22:43:40 2001 From: dwmw2 at infradead.org (David Woodhouse) Date: Tue, 09 Jan 2001 11:43:40 +0000 Subject: [PATCH] Caching passphrase in ssh-add. In-Reply-To: <20010109122100.A10444@faui02.informatik.uni-erlangen.de> References: <20010109122100.A10444@faui02.informatik.uni-erlangen.de> <20010109114109.B3647@faui02.informatik.uni-erlangen.de> <20010108234253.I4811@folly> <20010109114109.B3647@faui02.informatik.uni-erlangen.de> <18981.979038741@redhat.com> Message-ID: <22529.979040620@redhat.com> Markus.Friedl at informatik.uni-erlangen.de said: > i don't understand your point? what do you want? Sorry, I wasn't very clear. > you want to share passphrases, this is no problem for me. you want to > cache passphases? i think this is a bad idea but i might be wrong. Caching passphrases for any length of time would be bad, I agree. I'm suggesting that they're kept for a very short period of time in a process which had them already, so that if the same passphrase is used on multiple keys, it only needs to be entered once per invocation of ssh-add. This reduces the number of times that the user has to physically enter their passphrase, and hence could even be argued to be _increasing_ the security. > but how is this related to SSH-2 RSA keys? Not at all. My problem is that I have to type the passphrase twice, and I'm lazy. If SSHv2 were capable of using SSH-1 RSA keys, then I wouldn't need the extra DSA key - I could use only a single RSA1 key and still not have to type the passphrase twice. The alternative fix is for ssh-add, when asked to add both keys simultaneously, to attempt to re-use the passphrase entered for the first key on the second, rather than asking me a second time. This is what the patch I provided does. -- dwmw2 From paskalis at di.uoa.gr Tue Jan 9 23:04:38 2001 From: paskalis at di.uoa.gr (Sarantis Paskalis) Date: Tue, 9 Jan 2001 14:04:38 +0200 (EET) Subject: openssh-2.3.0p1 fails to transport rsync In-Reply-To: <20010108234339.J4811@folly> Message-ID: On Mon, 8 Jan 2001, Markus Friedl wrote: > hi, please try a recent snapshot from > http://bass.directhit.com/openssh_snap > does it fix this problem? Hi, Unfortunately no. I installed openssh-20010108 on both remote solaris and local linux and it stills fails with the same error. Rsync with local solaris and remote linux succeeds though. It could be an rsync bug. Btw, the in the default sshd_config the LoglevelFacility is defined as AUTHPRIV, which does not exist in Solaris. Regards, Sarantis -- Sarantis Paskalis From Norbert.Bladt at adi.ch Tue Jan 9 23:27:34 2001 From: Norbert.Bladt at adi.ch (Bladt Norbert) Date: Tue, 9 Jan 2001 13:27:34 +0100 Subject: OpenSSH on Reliant UNIX Message-ID: <0912C8BC2132D411BBB80001020BA94702D81A@naizk10.adi.ch> Hello, it's me again ! I tried to compile / install OpenSSH on our Reliant UNIX system, OS version 5.45 (and 5.44). The following problems did appear: 1. OpenSSL-0.9.5a will not compile out of the box. The problem on RU 5.45 is, that the compiler does support "long long" but NOT "unsigned long long". The latter just provokes the error message "superfluous long" (or so). I think this is a bug in the - commercial and expensive - compiler. I didn't try gcc on that platform, yet. No, I didn't try 0.9.6, yet. 2. scp will hang after the file transfer(s) The "fix" is to change the line 495 in serverloop.c from shutdown(fdin, SHUT_WR); to shutdown(fdin, SHUT_RDWR); The same which I did in 2.1.1. 3. X11 forwarding does just work for standard X clients - if you configure it with --with-ipaddr-display - but not for all X applications. The reason is that Siemens is using a named pipe in /tmp/.X11-unix for X communication where every other OS uses a socket, there and some applications try hard to figure out whether they are really running locally. I think to avoid the TCP/IP and the UNIX domain socket protocol stack to gain a few percent of performance. Nevertheless I got Openssh-2.3.0p1 to compile and install on Reliant UNIX. I even managed to create a package, based on the one contributed for Solaris but I was not able to test it, yet. This mail is intended as an indication that the sentence "port to Reliant UNIX has been added" which appears in some documentation and announcements is not completely true. Norbert. -- Norbert Bladt ATAG debis Informatik, ISM-TZ1 / Z302 Industriestrasse 1, CH 3052-Zollikofen E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640 From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Jan 9 23:41:20 2001 From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Tue, 9 Jan 2001 13:41:20 +0100 Subject: OpenSSH on Reliant UNIX In-Reply-To: <0912C8BC2132D411BBB80001020BA94702D81A@naizk10.adi.ch>; from Norbert.Bladt@adi.ch on Tue, Jan 09, 2001 at 01:27:34PM +0100 References: <0912C8BC2132D411BBB80001020BA94702D81A@naizk10.adi.ch> Message-ID: <20010109134120.A24475@ws01.aet.tu-cottbus.de> On Tue, Jan 09, 2001 at 01:27:34PM +0100, Bladt Norbert wrote: > 2. scp will hang after the file transfer(s) > The "fix" is to change the line 495 in serverloop.c from > shutdown(fdin, SHUT_WR); > to > shutdown(fdin, SHUT_RDWR); > The same which I did in 2.1.1. A lot of platforms have problems with shutdown(). For those platforms the USE_PIPES flag is needed. Would you recompile with -DUSE_PIPES Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From Norbert.Bladt at adi.ch Wed Jan 10 00:17:11 2001 From: Norbert.Bladt at adi.ch (Bladt Norbert) Date: Tue, 9 Jan 2001 14:17:11 +0100 Subject: OpenSSH on Reliant UNIX Message-ID: <0912C8BC2132D411BBB80001020BA94702D81C@naizk10.adi.ch> Lutz Jaenicke [SMTP:Lutz.Jaenicke at aet.TU-Cottbus.DE] wrote today: > A lot of platforms have problems with shutdown(). For those platforms > the USE_PIPES flag is needed. Would you recompile with -DUSE_PIPES OK. This did fix this problem with the hanging sshd while executing scp. Thanks for the hint, Norbert. -- Norbert Bladt ATAG debis Informatik, ISM-TZ1 / Z302 Industriestrasse 1, CH 3052-Zollikofen E-Mail: norbert.bladt at adi.ch Tel.: +41 31 915 3964 Fax: +41 31 915 3640 From stevesk at sweden.hp.com Wed Jan 10 01:41:39 2001 From: stevesk at sweden.hp.com (Kevin Steves) Date: Tue, 9 Jan 2001 15:41:39 +0100 (MET) Subject: OpenSSH on Reliant UNIX In-Reply-To: <0912C8BC2132D411BBB80001020BA94702D81A@naizk10.adi.ch> Message-ID: On Tue, 9 Jan 2001, Bladt Norbert wrote: : 3. X11 forwarding does just work for standard X clients : - if you configure it with --with-ipaddr-display - : but not for all X applications. The reason is that : Siemens is using a named pipe in /tmp/.X11-unix : for X communication where every other OS uses : a socket, there and some applications try hard to figure out : whether they are really running locally. I think to : avoid the TCP/IP and the UNIX domain socket protocol : stack to gain a few percent of performance. if they don't provide a way to force the use of TCP for the X11 transport, i don't know what we can do. HP-UX for example has XFORCE_INTERNET=1 to disable the shared memory transport in clients, or using an IP address in DISPLAY. From stevesk at sweden.hp.com Wed Jan 10 02:32:59 2001 From: stevesk at sweden.hp.com (Kevin Steves) Date: Tue, 9 Jan 2001 16:32:59 +0100 (MET) Subject: AUTHPRIV In-Reply-To: Message-ID: On Mon, 8 Jan 2001, Tim Rice wrote: : Why is AUTHPRIV the default in sshd_config if : -------< log.c >--------- : #ifdef LOG_AUTHPRIV : { "AUTHPRIV", SYSLOG_FACILITY_AUTHPRIV }, : #endif : ------------------------- it shouldn't be, i'll sync it and it'll go back to AUTH. also, there was a concern there was a platform that broke without an explicit ``ListenAddress 0.0.0.0'', so holler if that's the case. From sunil at redback.com Wed Jan 10 06:12:51 2001 From: sunil at redback.com (Sunil K. Vallamkonda) Date: Tue, 9 Jan 2001 11:12:51 -0800 (PST) Subject: sshd: DES in SSH1 ? In-Reply-To: <20010109115009.D3647@faui02.informatik.uni-erlangen.de> Message-ID: I figure you were referring to: cipher_mask1() in cipher.c . I find that more functions need to be changed to add DES/sshd/SSH1 support. Please let me know if below looks okay and if I missed any others. 1) I see that cipher_set_key(..) may need to be changed to have case for DES as: -------- case SSH_CIPHER_DES: case SSH_CIPHER_3DES: /* * Note: the least significant bit of each byte of key is * parity, and must be ignored by the implementation. 16 * bytes of key are used (first and last keys are the same). */ if (keylen < 16) error("Key length %d is insufficient for 3DES.", keylen) ; des_set_key((void *) padded, context->u.des3.key1); ------- Is above okay - same key len etc. for DES as 3DES ? 2) In cipher_set_key_iv(..) - cipher.c: -------- case SSH_CIPHER_DES: case SSH_CIPHER_3DES: case SSH_CIPHER_BLOWFISH: fatal("cipher_set_key_iv: illegal cipher: %s", cipher_name(ciphe r)); break; ------- 3) In cipher_encrypt(..) and cipher_decrypt(..) - cipher.c: what is the routine/macros to encrypt/decrypt using DES ? 4) In SSH_3CBC_DECRYPT(..) in cipher.c: If I modify as: -- SSH_3CBC_ENCRYPT(...) function definition and SSH_3CBC_DECRYPT(des_key_schedule ks1, des_key_schedule ks2, des_cblock * iv2, des_key_schedule ks3, des_cblock * iv3, unsigned char *dest, unsigned char *src, unsigned int len) { des_cblock iv1; memcpy(&iv1, iv2, 8); // for decrypt des_cbc_encrypt(src, dest, len, ks3, iv3, DES_DECRYPT); // OR - for encrypt des_cbc_encrypt(src, dest, len, ks3, iv3, DES_ENCRYPT); memcpy(iv3, src + len - 8, 8); } -- Would this suffice for DES encrypt and decrypt - sshd/SSH1 ? Does openSSH archive have an older version of cipher.c which has DES support for SSH1 - that I could retrieve and use as example ? Thank you. On Tue, 9 Jan 2001, Markus Friedl wrote: > change the definition of cipher_mask_ssh1(), but it's not > recommended. > > On Mon, Jan 08, 2001 at 06:13:12PM -0800, Sunil K. Vallamkonda wrote: > > > > I see that commercial SSH version it is possible to > > run sshd in SSH1 using DES (i.e, accepting SSH-DES clients). > > I understand from Damien Miller that > > Cisco routers also run in only SSH1 DES mode. > > > > Is it possible in openSSH to configure sshd (compile-time/runtime) > > to run sshd in SSH1 or SSH2 mode and accept SSH1 or SSH2 DES clients ? > > [I would like to be able to run sshd in SSH1/DES mode ] > > > > > > Is there a patch or another version that I can use (to be able to > > run openSSH sshd to accept SSH-DES clients in SSH1 ? If not any pointers/ > > suggestions to code changes that I should be make to achieve above ? > > > > Thank you. > > > > > > > > > From devon at admin2.gisnetworks.com Wed Jan 10 06:32:15 2001 From: devon at admin2.gisnetworks.com (Devon Bleak) Date: Tue, 9 Jan 2001 11:32:15 -0800 Subject: openssh 2.3.0p1 closing connection before command output comes through? Message-ID: <007101c07a72$e160c5d0$1900a8c0@devn> i'm getting some very strange behavior with openssh 2.3.0p1 that i don't recall seeing with 2.2.0p1. here's some short output that will probably sum up what's going on better than i can explain it: admin2:~$ ssh downtown1 df Filesystem 1k-blocks Used Available Use% Mounted on /dev/sda3 8457624 2881868 5139192 36% / /dev/sda1 15522 1662 13059 11% /boot /dev/sdb1 8605584 5633920 2527472 69% /content /dev/sdc1 8605584 3261568 4899824 40% /logs admin2:~$ ssh downtown1 df admin2:~$ ssh downtown1 df admin2:~$ ssh -t downtown1 df Filesystem 1k-blocks Used Available Use% Mounted on /dev/sda3 8457624 2881904 5139156 36% / Connection to downtown1 closed. admin2:~$ ssh -t downtown1 df Connection to downtown1 closed. admin2:~$ ssh -t downtown1 df Filesystem 1k-blocks Used Available Use% Mounted on Connection to downtown1 closed. admin2:~$ ssh -t downtown1 df Connection to downtown1 closed. admin2:~$ ssh -t downtown1 df Filesystem 1k-blocks Used Available Use% Mounted on Connection to downtown1 closed. admin2:~$ ssh -t downtown1 df Connection to downtown1 closed. admin2:~$ ssh -t downtown1 df Connection to downtown1 closed. admin2:~$ ssh -t downtown1 df Filesystem 1k-blocks Used Available Use% Mounted on /dev/sda3 8457624 2881908 5139152 36% / /dev/sda1 15522 1662 13059 11% /boot /dev/sdb1 8605584 5633920 2527472 69% /content /dev/sdc1 8605584 3261664 4899728 40% /logs Connection to downtown1 closed. there's plenty of memory free (512MB total, 220MB free) and cpu load is low (0.05 up to around 0.10). system is slackware 7.1.0. using openssl 0.9.5a. using openssh 2.3.0p1 on both ends of the connection with publickey authentication. using openssh 2.1.1 (openssl 0.9.5a) with password authentication to the same server, everything works normally. devon From devon at admin2.gisnetworks.com Wed Jan 10 06:35:19 2001 From: devon at admin2.gisnetworks.com (Devon Bleak) Date: Tue, 9 Jan 2001 11:35:19 -0800 Subject: openssh 2.3.0p1 closing connection before command output comes through? References: <007101c07a72$e160c5d0$1900a8c0@devn> Message-ID: <007f01c07a73$4d2f5830$1900a8c0@devn> one more piece of information: the only difference in the sshd_config files is some comments. devon ----- Original Message ----- From: "Devon Bleak" To: Sent: Tuesday, January 09, 2001 11:32 AM Subject: openssh 2.3.0p1 closing connection before command output comes through? > i'm getting some very strange behavior with openssh 2.3.0p1 that i don't > recall seeing with 2.2.0p1. here's some short output that will probably sum > up what's going on better than i can explain it: > > admin2:~$ ssh downtown1 df > Filesystem 1k-blocks Used Available Use% Mounted on > /dev/sda3 8457624 2881868 5139192 36% / > /dev/sda1 15522 1662 13059 11% /boot > /dev/sdb1 8605584 5633920 2527472 69% /content > /dev/sdc1 8605584 3261568 4899824 40% /logs > admin2:~$ ssh downtown1 df > admin2:~$ ssh downtown1 df > admin2:~$ ssh -t downtown1 df > Filesystem 1k-blocks Used Available Use% Mounted on > /dev/sda3 8457624 2881904 5139156 36% / > Connection to downtown1 closed. > admin2:~$ ssh -t downtown1 df > Connection to downtown1 closed. > admin2:~$ ssh -t downtown1 df > Filesystem 1k-blocks Used Available Use% Mounted on > Connection to downtown1 closed. > admin2:~$ ssh -t downtown1 df > Connection to downtown1 closed. > admin2:~$ ssh -t downtown1 df > Filesystem 1k-blocks Used Available Use% Mounted on > Connection to downtown1 closed. > admin2:~$ ssh -t downtown1 df > Connection to downtown1 closed. > admin2:~$ ssh -t downtown1 df > Connection to downtown1 closed. > admin2:~$ ssh -t downtown1 df > Filesystem 1k-blocks Used Available Use% Mounted on > /dev/sda3 8457624 2881908 5139152 36% / > /dev/sda1 15522 1662 13059 11% /boot > /dev/sdb1 8605584 5633920 2527472 69% /content > /dev/sdc1 8605584 3261664 4899728 40% /logs > Connection to downtown1 closed. > > there's plenty of memory free (512MB total, 220MB free) and cpu load is low > (0.05 up to around 0.10). > system is slackware 7.1.0. using openssl 0.9.5a. using openssh 2.3.0p1 on > both ends of the connection with publickey authentication. > > using openssh 2.1.1 (openssl 0.9.5a) with password authentication to the > same server, everything works normally. > > devon > > > From bole at falcon.etf.bg.ac.yu Wed Jan 10 06:53:57 2001 From: bole at falcon.etf.bg.ac.yu (Bosko Radivojevic) Date: Tue, 9 Jan 2001 20:53:57 +0100 (CET) Subject: Problems with 2.4.0 SSH Secure Shell (non-commercial) In-Reply-To: <007101c07a72$e160c5d0$1900a8c0@devn> Message-ID: Hello to all I have OpenSSH 2.2.0p1 (openssl 0.9.6, Slackware, glibc 2.1.3) and there are some problems connecting machines that use SSH-2.0-2.4.0 SSH Secure Shell (non-commercial). Here is the output: OpenSSH Machine> ssh problematic Disconnecting: Corrupted HMAC on input. Problematic> ssh OpenSSH warning: Authentication failed. Disconnected; MAC error (Message authentication check fails.). $ telnet problematic 22 Trying 123.45.67.89.. Connected to problematic. Escape character is '^]'. SSH-2.0-2.4.0 SSH Secure Shell (non-commercial) .... With OpenSSH 2.1.1 everything looks OK. Greetings From roumen.petrov at skalasoft.com Wed Jan 10 07:16:02 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Tue, 09 Jan 2001 22:16:02 +0200 Subject: Problems with 2.4.0 SSH Secure Shell (non-commercial) References: Message-ID: <3A5B7182.8080909@skalasoft.com> hmm. Test with version 2.3.xx. I don't have this problem with SSH-2.3/4.x ( exactly openssh-SNAP-20010108.tar.gz ). I use slackware openssh.build script ( get it from slack ftp site ) and openssl-0.9.5a . Bosko Radivojevic wrote: > Hello to all > > I have OpenSSH 2.2.0p1 (openssl 0.9.6, Slackware, glibc 2.1.3) and there > are some problems connecting machines that use SSH-2.0-2.4.0 SSH Secure > Shell (non-commercial). > > Here is the output: > > OpenSSH Machine> ssh problematic > Disconnecting: Corrupted HMAC on input. > > Problematic> ssh OpenSSH > warning: Authentication failed. > Disconnected; MAC error (Message authentication check fails.). > > $ telnet problematic 22 > Trying 123.45.67.89.. > Connected to problematic. > Escape character is '^]'. > SSH-2.0-2.4.0 SSH Secure Shell (non-commercial) > ..... > > With OpenSSH 2.1.1 everything looks OK. > > Greetings From mouring at etoh.eviladmin.org Wed Jan 10 07:15:23 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 9 Jan 2001 14:15:23 -0600 (CST) Subject: Problems with 2.4.0 SSH Secure Shell (non-commercial) In-Reply-To: Message-ID: Please upgrade to 2.3.0p1 or one of the latest snapshots. 2.2.0p1 is pretty old. On Tue, 9 Jan 2001, Bosko Radivojevic wrote: > Hello to all > > I have OpenSSH 2.2.0p1 (openssl 0.9.6, Slackware, glibc 2.1.3) and there > are some problems connecting machines that use SSH-2.0-2.4.0 SSH Secure > Shell (non-commercial). > > Here is the output: > > OpenSSH Machine> ssh problematic > Disconnecting: Corrupted HMAC on input. > > Problematic> ssh OpenSSH > warning: Authentication failed. > Disconnected; MAC error (Message authentication check fails.). > > $ telnet problematic 22 > Trying 123.45.67.89.. > Connected to problematic. > Escape character is '^]'. > SSH-2.0-2.4.0 SSH Secure Shell (non-commercial) > .... > > With OpenSSH 2.1.1 everything looks OK. > > Greetings > > > From roumen.petrov at skalasoft.com Wed Jan 10 03:20:37 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Tue, 09 Jan 2001 18:20:37 +0200 Subject: Makefile.in and ssh-agent References: Message-ID: <3A5B3A55.8060602@skalasoft.com> Look in Makefile: ssh-agent is linked with log-client ( bad idea ) . Must be log-server From markus.friedl at informatik.uni-erlangen.de Wed Jan 10 07:43:18 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 9 Jan 2001 21:43:18 +0100 Subject: sshd: DES in SSH1 ? In-Reply-To: ; from sunil@redback.com on Tue, Jan 09, 2001 at 11:12:51AM -0800 References: <20010109115009.D3647@faui02.informatik.uni-erlangen.de> Message-ID: <20010109214318.C12293@folly> your cipher.c is out of date. get a snapshot from http://bass.directhit.com/openssh_snap/ On Tue, Jan 09, 2001 at 11:12:51AM -0800, Sunil K. Vallamkonda wrote: > Does openSSH archive have an older version of cipher.c which has > DES support for SSH1 - that I could retrieve and use as example ? From shorty at getuid.de Wed Jan 10 06:04:41 2001 From: shorty at getuid.de (Christian Kurz) Date: Tue, 9 Jan 2001 20:04:41 +0100 Subject: Path to config files in manpages Message-ID: <20010109200441.F13250@seteuid.getuid.de> Hi, I just noticed that the path to some config files in the manpages get's replaced during the build of the debian package with the pathes which are used during the build. This is not good, since the path will not be the same for the enduser, who installs the deb. Is it intented that the pathes in the manpage get generated during compilation and should I know generate a script for debian to fix them? Ciao Christian -- While the year 2000 (y2k) problem is not an issue for us, all Linux implementations will impacted by the year 2038 (y2.038k) issue. The Debian Project is committed to working with the industry on this issue and we will have our full plans and strategy posted by the first quarter of 2020. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 242 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010109/96f0d2d7/attachment.bin From bole at falcon.etf.bg.ac.yu Wed Jan 10 07:45:54 2001 From: bole at falcon.etf.bg.ac.yu (Bosko Radivojevic) Date: Tue, 9 Jan 2001 21:45:54 +0100 (CET) Subject: Problems with 2.4.0 SSH Secure Shell (non-commercial) In-Reply-To: Message-ID: On Tue, 9 Jan 2001 mouring at etoh.eviladmin.org wrote: > Please upgrade to 2.3.0p1 or one of the latest snapshots. 2.2.0p1 is > pretty old. OK. It works with 2.3.0p1. Thanks to all. Greetings From mouring at etoh.eviladmin.org Wed Jan 10 07:57:14 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 9 Jan 2001 14:57:14 -0600 (CST) Subject: Path to config files in manpages In-Reply-To: <20010109200441.F13250@seteuid.getuid.de> Message-ID: On Tue, 9 Jan 2001, Christian Kurz wrote: > Hi, > > I just noticed that the path to some config files in the manpages get's > replaced during the build of the debian package with the pathes which > are used during the build. This is not good, since the path will not be > the same for the enduser, who installs the deb. Is it intented that the > pathes in the manpage get generated during compilation and should I know > generate a script for debian to fix them? > My suggestion is you pull the 'fixpaths' call out of Makefile.in and embed the script into your install script. That way it should be correctly modified per each .deb install. - Ben From shorty at getuid.de Wed Jan 10 07:59:54 2001 From: shorty at getuid.de (Christian Kurz) Date: Tue, 9 Jan 2001 21:59:54 +0100 Subject: Path to config files in manpages In-Reply-To: References: <20010109200441.F13250@seteuid.getuid.de> Message-ID: <20010109215954.A3784@bofh.de> On 01-01-09 mouring at etoh.eviladmin.org wrote: > On Tue, 9 Jan 2001, Christian Kurz wrote: > > I just noticed that the path to some config files in the manpages get's > > replaced during the build of the debian package with the pathes which > > are used during the build. This is not good, since the path will not be > > the same for the enduser, who installs the deb. Is it intented that the > > pathes in the manpage get generated during compilation and should I know > > generate a script for debian to fix them? > My suggestion is you pull the 'fixpaths' call out of Makefile.in and embed > the script into your install script. That way it should be correctly > modified per each .deb install. Thanks, but I found an other better fix to generate correct pathes, but now I have the following problem: I said --sysconfdir=/etc/ssh and it uses this path in the compile process. But if I start sshd it tries to read /etc/sshd_config. Do you have any idea what I missed? Ciao Christian -- Hell is empty and all the devils are here. -- Wm. Shakespeare, "The Tempest" From pekkas at netcore.fi Wed Jan 10 08:07:33 2001 From: pekkas at netcore.fi (Pekka Savola) Date: Tue, 9 Jan 2001 23:07:33 +0200 (EET) Subject: Path to config files in manpages In-Reply-To: <20010109215954.A3784@bofh.de> Message-ID: On Tue, 9 Jan 2001, Christian Kurz wrote: > On 01-01-09 mouring at etoh.eviladmin.org wrote: > > On Tue, 9 Jan 2001, Christian Kurz wrote: > > > I just noticed that the path to some config files in the manpages get's > > > replaced during the build of the debian package with the pathes which > > > are used during the build. This is not good, since the path will not be > > > the same for the enduser, who installs the deb. Is it intented that the > > > pathes in the manpage get generated during compilation and should I know > > > generate a script for debian to fix them? > > > My suggestion is you pull the 'fixpaths' call out of Makefile.in and embed > > the script into your install script. That way it should be correctly > > modified per each .deb install. > > Thanks, but I found an other better fix to generate correct pathes, but > now I have the following problem: I said --sysconfdir=/etc/ssh and it > uses this path in the compile process. But if I start sshd it tries to > read /etc/sshd_config. Do you have any idea what I missed? You'll be easiest off if you do something like RPM specfile after building and installing under $RPM_BUILD_ROOT: perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/* -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From shorty at getuid.de Wed Jan 10 08:11:48 2001 From: shorty at getuid.de (Christian Kurz) Date: Tue, 9 Jan 2001 22:11:48 +0100 Subject: Path to config files in manpages In-Reply-To: References: <20010109215954.A3784@bofh.de> Message-ID: <20010109221148.C3784@bofh.de> On 01-01-09 Pekka Savola wrote: > On Tue, 9 Jan 2001, Christian Kurz wrote: > > On 01-01-09 mouring at etoh.eviladmin.org wrote: > > > On Tue, 9 Jan 2001, Christian Kurz wrote: > > > > I just noticed that the path to some config files in the manpages get's > > > > replaced during the build of the debian package with the pathes which > > > > are used during the build. This is not good, since the path will not be > > > > the same for the enduser, who installs the deb. Is it intented that the > > > > pathes in the manpage get generated during compilation and should I know > > > > generate a script for debian to fix them? > > > > > My suggestion is you pull the 'fixpaths' call out of Makefile.in and embed > > > the script into your install script. That way it should be correctly > > > modified per each .deb install. > > > > Thanks, but I found an other better fix to generate correct pathes, but > > now I have the following problem: I said --sysconfdir=/etc/ssh and it > > uses this path in the compile process. But if I start sshd it tries to > > read /etc/sshd_config. Do you have any idea what I missed? > You'll be easiest off if you do something like RPM specfile after > building and installing under $RPM_BUILD_ROOT: > perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/* Well, I just wonder why the configure switch is not recognized by sshd. I wonder why it still tries to search in a dir that I didn't specify. This should happen and for my local openssh that I build from cvs it works as expected. Ciao Christian -- Hell is empty and all the devils are here. -- Wm. Shakespeare, "The Tempest" From djm at mindrot.org Wed Jan 10 08:18:22 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 10 Jan 2001 08:18:22 +1100 (EST) Subject: openssh 2.3.0p1 closing connection before command output comes through? In-Reply-To: <007101c07a72$e160c5d0$1900a8c0@devn> Message-ID: On Tue, 9 Jan 2001, Devon Bleak wrote: > i'm getting some very strange behavior with openssh 2.3.0p1 that i don't > recall seeing with 2.2.0p1. here's some short output that will probably sum > up what's going on better than i can explain it: 'Fixed' in the snapshots. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From djm at mindrot.org Wed Jan 10 08:22:16 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 10 Jan 2001 08:22:16 +1100 (EST) Subject: Path to config files in manpages In-Reply-To: <20010109200441.F13250@seteuid.getuid.de> Message-ID: On Tue, 9 Jan 2001, Christian Kurz wrote: > Hi, > > I just noticed that the path to some config files in the manpages get's > replaced during the build of the debian package with the pathes which > are used during the build. This is not good, since the path will not be > the same for the enduser, who installs the deb. Is it intented that the > pathes in the manpage get generated during compilation and should I know > generate a script for debian to fix them? The paths for the manpages are fixed up at build time based on the options given to configure. If you are installing under a fake root for the purposes of packaging (rpm, deb, etc) then configure and build with the final filesystem paths, but override them when you install under the fake root. Have a look at the Redhat spec file for how I do it. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From sunil at redback.com Wed Jan 10 08:33:20 2001 From: sunil at redback.com (Sunil K. Vallamkonda) Date: Tue, 9 Jan 2001 13:33:20 -0800 (PST) Subject: rel.2.4.0 ? Message-ID: Is there an official release of 2.4.0 ? I have an earlier release. Is there a patch script that I can apply to upgrade ? The versions under: http://c1hvd.directhit.com/openssh_snap/ I see the version: OpenSSH_2.3.0p2 Is this the latest openSSH available ? From gert at greenie.muc.de Wed Jan 10 09:07:02 2001 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 9 Jan 2001 23:07:02 +0100 Subject: sshd: DES in SSH1 ? In-Reply-To: ; from Sunil K. Vallamkonda on Tue, Jan 09, 2001 at 11:12:51AM -0800 References: <20010109115009.D3647@faui02.informatik.uni-erlangen.de> Message-ID: <20010109230702.D5815@greenie.muc.de> Hi, On Tue, Jan 09, 2001 at 11:12:51AM -0800, Sunil K. Vallamkonda wrote: > I find that more functions need to > be changed to add DES/sshd/SSH1 support. > Please let me know if > below looks okay and if I missed any others. Actually - why would you do this? It's faster than 3DES, but so is blowfish - and that's about the only reason why someone would want to use DES... Being curious, gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From mouring at etoh.eviladmin.org Wed Jan 10 09:21:44 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 9 Jan 2001 16:21:44 -0600 (CST) Subject: rel.2.4.0 ? In-Reply-To: Message-ID: On Tue, 9 Jan 2001, Sunil K. Vallamkonda wrote: > > Is there an official release of 2.4.0 ? > Markus back off from an 2.4.0 release for the moment (unsure why, but it does not matter to much to me). In the next few days we should have a 2.3.1p1 release out. We are just attempting to finish up a few things first. - Ben From rob at hagopian.net Wed Jan 10 10:28:10 2001 From: rob at hagopian.net (Rob Hagopian) Date: Tue, 9 Jan 2001 18:28:10 -0500 (EST) Subject: ssh speed In-Reply-To: Message-ID: OK, I've been looking to run ssh2 without encryption to get maximum throughput but with secure authentication. However, my tests show that the performance speedup isn't as dramatic as I suspected: For a 587MB file: 3des-cbc 3:03 arcfour 2:10 none 2:13 ftp 0:57 I checked, compression is off (with it on estimated times were over 5min). I interpret the above as saying that the cipher does make a difference, but when using a sufficiently fast cipher there's overhead in the protocol that becomes the bottleneck. Arcfour didn't max out the CPU, nor the disk or network I/O, so what could be slowing it down? Thoughts? Suggestions? -Rob From mstone at cs.loyola.edu Wed Jan 10 11:03:19 2001 From: mstone at cs.loyola.edu (Michael Stone) Date: Tue, 9 Jan 2001 19:03:19 -0500 Subject: ssh speed In-Reply-To: ; from rob@hagopian.net on Tue, Jan 09, 2001 at 06:28:10PM -0500 References: Message-ID: <20010109190319.V686@justice.loyola.edu> On Tue, Jan 09, 2001 at 06:28:10PM -0500, Rob Hagopian wrote: > that becomes the bottleneck. Arcfour didn't max out the CPU, nor the disk I'm curious about this. Are you sure that both sides had cpu left? I've never seen an ssh test where one side or the other wasn't maxed on cpu. (I've also seen better performance than you reported, but you didn't mention what platform you were running on.) -- Mike Stone From jfulmer at appin.org Wed Jan 10 12:56:53 2001 From: jfulmer at appin.org (John Fulmer) Date: Tue, 09 Jan 2001 19:56:53 -0600 Subject: sshd: DES in SSH1 ? References: <20010109115009.D3647@faui02.informatik.uni-erlangen.de> <20010109230702.D5815@greenie.muc.de> Message-ID: <3A5BC165.386DED4B@appin.org> Gert Doering wrote: > Actually - why would you do this? It's faster than 3DES, but so is > blowfish - and that's about the only reason why someone would want to use > DES... > > Being curious, Some (simple) ssh implementations only support DES. Sucks, but there it is. From Markus.Friedl at informatik.uni-erlangen.de Wed Jan 10 20:37:35 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 10 Jan 2001 10:37:35 +0100 Subject: ssh speed In-Reply-To: ; from rob@hagopian.net on Tue, Jan 09, 2001 at 06:28:10PM -0500 References: Message-ID: <20010110103735.A1948@faui02.informatik.uni-erlangen.de> did you use compression? On Tue, Jan 09, 2001 at 06:28:10PM -0500, Rob Hagopian wrote: > OK, I've been looking to run ssh2 without encryption to get maximum > throughput but with secure authentication. However, my tests show that the > performance speedup isn't as dramatic as I suspected: > > For a 587MB file: > 3des-cbc 3:03 > arcfour 2:10 > none 2:13 > > ftp 0:57 > > I checked, compression is off (with it on estimated times were over 5min). > > I interpret the above as saying that the cipher does make a difference, > but when using a sufficiently fast cipher there's overhead in the protocol > that becomes the bottleneck. Arcfour didn't max out the CPU, nor the disk > or network I/O, so what could be slowing it down? Thoughts? Suggestions? > > -Rob > From yuliy at mobiltel.bg Wed Jan 10 22:04:27 2001 From: yuliy at mobiltel.bg (Yuliy Minchev) Date: Wed, 10 Jan 2001 13:04:27 +0200 (EET) Subject: AIX problem In-Reply-To: <3A5BC165.386DED4B@appin.org> Message-ID: hi I have two AIX 4.2.1.0 machines with OpenSSH 2.3.0p1. When I try to compile something on the one of them cc print: cc: 1501-245 Warning: Hard ulimit has been reduced to less than RLIM_INFINITY. There may not be enough space to complete the compilation. If I use telnet to login to this machine. I can compile without any problem. I cannot figure out what exactly is going on. yuliy -- Yuliy Minchev UNIX Administrator From Markus.Friedl at informatik.uni-erlangen.de Thu Jan 11 00:12:45 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 10 Jan 2001 14:12:45 +0100 Subject: ssh speed In-Reply-To: <20010110103735.A1948@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Wed, Jan 10, 2001 at 10:37:35AM +0100 References: <20010110103735.A1948@faui02.informatik.uni-erlangen.de> Message-ID: <20010110141244.A25971@faui02.informatik.uni-erlangen.de> On Wed, Jan 10, 2001 at 10:37:35AM +0100, Markus Friedl wrote: > did you use compression? oops, i should read the all of the mail. what did you do? scp? ssh+cat? sftp? http over forwarded channels? what are exact version of openssh? openssh-current? did you try AES? what kind of network? CPU? transfer to localhost? did you really use 'none' in SSH-2? did you hack the source (cipher none should not be supported)? -markus > On Tue, Jan 09, 2001 at 06:28:10PM -0500, Rob Hagopian wrote: > > OK, I've been looking to run ssh2 without encryption to get maximum > > throughput but with secure authentication. However, my tests show that the > > performance speedup isn't as dramatic as I suspected: > > > > For a 587MB file: > > 3des-cbc 3:03 > > arcfour 2:10 > > none 2:13 > > > > ftp 0:57 > > > > I checked, compression is off (with it on estimated times were over 5min). > > > > I interpret the above as saying that the cipher does make a difference, > > but when using a sufficiently fast cipher there's overhead in the protocol > > that becomes the bottleneck. Arcfour didn't max out the CPU, nor the disk > > or network I/O, so what could be slowing it down? Thoughts? Suggestions? > > > > -Rob > > From j.petersen at msh.de Thu Jan 11 00:25:28 2001 From: j.petersen at msh.de (=?iso-8859-1?Q?=22Petersen=2C_J=F6rg=22?=) Date: Wed, 10 Jan 2001 14:25:28 +0100 Subject: AIX problem Message-ID: Probabely the ulimit is set to -1 meaning no limits. If this is the case, you may ignore the warning. J?rg Petersen -----Original Message----- From: Yuliy Minchev [mailto:yuliy at mobiltel.bg] Sent: Wednesday, January 10, 2001 12:04 PM I have two AIX 4.2.1.0 machines with OpenSSH 2.3.0p1. When I try to compile something on the one of them cc print: cc: 1501-245 Warning: Hard ulimit has been reduced to less than RLIM_INFINITY. There may not be enough space to complete the compilation. .... From Markus.Friedl at informatik.uni-erlangen.de Thu Jan 11 01:32:32 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 10 Jan 2001 15:32:32 +0100 Subject: sftp Message-ID: <20010110153232.A17972@faui02l.informatik.uni-erlangen.de> there is now a draft: http://www.ietf.org/internet-drafts/draft-ietf-secsh-filexfer-00.txt if someone could please check whether sftp-server.c comlies :) From cnewbill at support.onewest.net Thu Jan 11 04:11:20 2001 From: cnewbill at support.onewest.net (Chris Newbill) Date: Wed, 10 Jan 2001 10:11:20 -0700 Subject: SSH2/1 Failure when using bash shell, other shells work Message-ID: Got a strange problem here. We have OpenSSH 2.3.0p1 running on a variety of machines and on one particular Redhat 6.2 machine(all patches applied) we run into a situation where it will not allow us to start a shell when using bash or bash2. csh and others work fine. One note...if I enable PermitRootLogin, the user root IS allowed to login with bash. This is very strange. I'm guessing it must be some kind of permissions problem, but I have checked everything I can think of: sshd configs, pam configs, permissions on user data, permissions on ssh pieces, etc. Here is the debug report for SSH Protocol 2. (generated using sshd -ddd) When using /bin/bash (GNU bash, version 1.14.7(1)) as a shell When using csh it works fine and allows us to login. debug1: Seeding random number generator debug1: read DSA private key done debug1: Seeding random number generator debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. debug1: Seeding random number generator debug1: Seeding random number generator RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 206.58.180.12 port 3754 debug1: Client protocol version 2.0; client software version PuTTY debug1: no match: PuTTY Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1 debug1: send KEXINIT debug1: done debug1: wait KEXINIT debug1: got kexinit: diffie-hellman-group1-sha1 debug1: got kexinit: ssh-dss debug1: got kexinit: blowfish-cbc,blowfish-cbc,3des-cbc debug1: got kexinit: blowfish-cbc,blowfish-cbc,3des-cbc debug1: got kexinit: hmac-sha1,hmac-md5,none debug1: got kexinit: hmac-sha1,hmac-md5,none debug1: got kexinit: none debug1: got kexinit: none debug1: got kexinit: debug1: got kexinit: debug1: first kex follow: 0 debug1: reserved: 0 debug1: done debug1: kex: client->server blowfish-cbc hmac-sha1 none debug1: kex: server->client blowfish-cbc hmac-sha1 none debug1: Wait SSH2_MSG_KEXDH_INIT. debug1: bits set: 492/1024 debug1: bits set: 522/1024 debug1: sig size 20 20 debug1: send SSH2_MSG_NEWKEYS. debug1: done: send SSH2_MSG_NEWKEYS. debug1: Wait SSH2_MSG_NEWKEYS. debug1: GOT SSH2_MSG_NEWKEYS. debug1: done: KEX2. debug1: userauth-request for user cnewbill service ssh-connection method password debug1: attempt #1 debug2: input_userauth_request: setting up authctxt for cnewbill debug1: Starting up PAM with username "cnewbill" debug2: input_userauth_request: try method password debug1: PAM Password authentication accepted for user "cnewbill" debug1: PAM setting rhost to "cnewbill.onewest.net" Accepted password for cnewbill from 206.58.180.12 port 3754 ssh2 debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 100 win 32768 max 16384 debug1: open session debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: confirm session debug2: callback start debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 channel 0 request pty-req reply 1 debug1: session_pty_req: session 0 alloc /dev/pts/4 debug2: callback done debug2: callback start debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 channel 0 request shell reply 1 debug1: PAM setting tty to "/dev/pts/4" debug1: PAM establishing creds debug1: fd 7 setting O_NONBLOCK debug1: fd 3 IS O_NONBLOCK debug2: callback done debug1: Setting controlling tty using TIOCSCTTY. debug2: channel 0: rcvd adjust 315 ???debug1: Received SIGCHLD.??? debug1: session_by_pid: pid 4903 debug1: session_exit_message: session 0 channel 0 pid 4903 debug1: session_exit_message: release channel 0 debug1: channel 0: write failed debug1: channel 0: output open -> closed debug1: channel 0: close_write debug1: channel 0: read failed debug1: channel 0: input open -> drain debug1: channel 0: close_read debug1: channel 0: input: no drain shortcut debug1: channel 0: ibuf empty debug1: channel 0: input drain -> closed debug1: channel 0: send eof debug1: session_pty_cleanup: session 0 release /dev/pts/4 debug1: session_free: session 0 pid 4903 debug1: channel 0: send close debug2: channel 0: rcvd adjust 7 debug1: channel 0: rcvd close ***fatal: buffer_get: trying to get more bytes than in buffer*** debug1: Calling cleanup 0x805b6f0(0x0) debug1: Calling cleanup 0x8050980(0x0) debug1: Calling cleanup 0x8061750(0x0) Now for SSH Protocol 1 attempt debug1: sshd version OpenSSH_2.3.0p1 debug1: Seeding random number generator debug1: read DSA private key done debug1: Seeding random number generator debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. debug1: Seeding random number generator debug1: Seeding random number generator RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 206.58.180.12 port 3791 debug1: Client protocol version 1.5; client software version PuTTY debug1: no match: PuTTY debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1 debug1: Sent 768 bit public key and 1024 bit host key. debug1: Encryption type: 3des debug1: Received session key; encryption turned on. debug1: Installing crc compensation attack detector. debug1: Starting up PAM with username "cnewbill" debug1: Attempting authentication for cnewbill. Accepted password for cnewbill from 206.58.180.12 port 3791 debug1: PAM setting rhost to "cnewbill.onewest.net" debug1: session_new: init debug1: session_new: session 0 debug1: Allocating pty. debug1: PAM setting tty to "/dev/pts/4" debug1: PAM establishing creds debug1: Entering interactive session. debug1: fd 3 setting O_NONBLOCK debug1: fd 7 IS O_NONBLOCK debug1: server_init_dispatch_13 debug1: server_init_dispatch_15 debug1: Setting controlling tty using TIOCSCTTY. debug1: tvp!=NULL kid 0 mili 10 debug1: tvp!=NULL kid 0 mili 10 debug1: tvp!=NULL kid 0 mili 10 debug1: Received SIGCHLD. debug1: tvp!=NULL kid 1 mili 100 debug1: End of interactive session; stdin 0, stdout (read 323, sent 323), stderr 0 bytes. debug1: Command exited with status 0. debug1: Received exit confirmation. debug1: session_pty_cleanup: session 0 release /dev/pts/4 Closing connection to 206.58.180.12 Thanks, Chris Newbill Programmer/Analyst OneWest.net Inc., 406-449-8056 ------------------------------------------------------------ Ever notice how it's a penny for your thoughts, yet you put in your two-cents? Someone is making a penny on the deal. -----Steven Wright ------------------------------------------------------------ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010110/50c06f78/attachment.html From rob at hagopian.net Thu Jan 11 04:24:07 2001 From: rob at hagopian.net (Rob Hagopian) Date: Wed, 10 Jan 2001 12:24:07 -0500 (EST) Subject: ssh speed In-Reply-To: <20010110141244.A25971@faui02.informatik.uni-erlangen.de> Message-ID: These were using SNAP-010109 on PIII 800s, striped 10K RPM drives, switched fast ethernet. One machine is SMP, one isn't. Using 'scp -o Ciphers=xxx' Both machines are FreeBSD. (587MB file:) aes256-cbc 02:19 aes128-cbc 02:17 arcfour 02:08 3des-cbc 02:59 blowfish-cbc 02:13 none2 02:12 I did "hack the source" (hehehe) to add none: rijndael_setkey, rijndael_setiv, rijndael_cbc_encrypt, rijndael_cbc_decrypt }, + { "none2", + SSH_CIPHER_SSH2, 8, 0, + none_setkey, none_setiv, + none_crypt, none_crypt }, { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL, NULL, NULL, NULL } }; (it's none2 to avoid name collision with the ssh1 none) Indeed, it seems that when using a cipher, the ssh process is using more cpu than sshd and is maxing out that side. But when using none2 as a 'cipher' CPU maxes out around 30% for ssh (20% for sshd). Both processes seem to be in select() a lot according to top. -Rob On Wed, 10 Jan 2001, Markus Friedl wrote: > On Wed, Jan 10, 2001 at 10:37:35AM +0100, Markus Friedl wrote: > > did you use compression? > > oops, i should read the all of the mail. > > what did you do? scp? ssh+cat? sftp? http over forwarded > channels? > > what are exact version of openssh? openssh-current? did you try AES? > > what kind of network? CPU? transfer to localhost? > > did you really use 'none' in SSH-2? did you hack the source (cipher none > should not be supported)? > > -markus > > > On Tue, Jan 09, 2001 at 06:28:10PM -0500, Rob Hagopian wrote: > > > OK, I've been looking to run ssh2 without encryption to get maximum > > > throughput but with secure authentication. However, my tests show that the > > > performance speedup isn't as dramatic as I suspected: > > > > > > For a 587MB file: > > > 3des-cbc 3:03 > > > arcfour 2:10 > > > none 2:13 > > > > > > ftp 0:57 > > > > > > I checked, compression is off (with it on estimated times were over 5min). > > > > > > I interpret the above as saying that the cipher does make a difference, > > > but when using a sufficiently fast cipher there's overhead in the protocol > > > that becomes the bottleneck. Arcfour didn't max out the CPU, nor the disk > > > or network I/O, so what could be slowing it down? Thoughts? Suggestions? > > > > > > -Rob > > > > From johnh at aproposretail.com Thu Jan 11 04:29:18 2001 From: johnh at aproposretail.com (John Hardin) Date: Wed, 10 Jan 2001 09:29:18 -0800 Subject: ssh speed References: Message-ID: <3A5C9BEE.2AEC63B4@aproposretail.com> Rob Hagopian wrote: > > (587MB file:) > arcfour 02:08 > none2 02:12 I wonder why arcfour is faster than no encryption...? -- John Hardin Internal Systems Administrator Apropos Retail Management Systems, Inc. - (425) 672-1304 x265 From cnewbill at support.onewest.net Thu Jan 11 05:10:48 2001 From: cnewbill at support.onewest.net (Chris Newbill) Date: Wed, 10 Jan 2001 11:10:48 -0700 Subject: SSH2/1 Failure when using bash shell, other shells work In-Reply-To: Message-ID: Additional Info, rebuilt OpenSSL 0.9.6(have also tried 0.9.5a) and OpenSSH, no luck. Another strange note, if your default shell is set to /bin/sh (a symlink to /bin/bash) it lets you login!?? Thanks, Chris Newbill -----Original Message----- From: Chris Newbill [mailto:cnewbill at support.onewest.net] Sent: Wednesday, January 10, 2001 10:11 AM To: openssh-unix-dev at mindrot.org Subject: SSH2/1 Failure when using bash shell, other shells work Got a strange problem here. We have OpenSSH 2.3.0p1 running on a variety of machines and on one particular Redhat 6.2 machine(all patches applied) we run into a situation where it will not allow us to start a shell when using bash or bash2. csh and others work fine. One note...if I enable PermitRootLogin, the user root IS allowed to login with bash. This is very strange. I'm guessing it must be some kind of permissions problem, but I have checked everything I can think of: sshd configs, pam configs, permissions on user data, permissions on ssh pieces, etc. Here is the debug report for SSH Protocol 2. (generated using sshd -ddd) When using /bin/bash (GNU bash, version 1.14.7(1)) as a shell When using csh it works fine and allows us to login. debug1: Seeding random number generator debug1: read DSA private key done debug1: Seeding random number generator debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. debug1: Seeding random number generator debug1: Seeding random number generator RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 206.58.180.12 port 3754 debug1: Client protocol version 2.0; client software version PuTTY debug1: no match: PuTTY Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1 debug1: send KEXINIT debug1: done debug1: wait KEXINIT debug1: got kexinit: diffie-hellman-group1-sha1 debug1: got kexinit: ssh-dss debug1: got kexinit: blowfish-cbc,blowfish-cbc,3des-cbc debug1: got kexinit: blowfish-cbc,blowfish-cbc,3des-cbc debug1: got kexinit: hmac-sha1,hmac-md5,none debug1: got kexinit: hmac-sha1,hmac-md5,none debug1: got kexinit: none debug1: got kexinit: none debug1: got kexinit: debug1: got kexinit: debug1: first kex follow: 0 debug1: reserved: 0 debug1: done debug1: kex: client->server blowfish-cbc hmac-sha1 none debug1: kex: server->client blowfish-cbc hmac-sha1 none debug1: Wait SSH2_MSG_KEXDH_INIT. debug1: bits set: 492/1024 debug1: bits set: 522/1024 debug1: sig size 20 20 debug1: send SSH2_MSG_NEWKEYS. debug1: done: send SSH2_MSG_NEWKEYS. debug1: Wait SSH2_MSG_NEWKEYS. debug1: GOT SSH2_MSG_NEWKEYS. debug1: done: KEX2. debug1: userauth-request for user cnewbill service ssh-connection method password debug1: attempt #1 debug2: input_userauth_request: setting up authctxt for cnewbill debug1: Starting up PAM with username "cnewbill" debug2: input_userauth_request: try method password debug1: PAM Password authentication accepted for user "cnewbill" debug1: PAM setting rhost to "cnewbill.onewest.net" Accepted password for cnewbill from 206.58.180.12 port 3754 ssh2 debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 100 win 32768 max 16384 debug1: open session debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: confirm session debug2: callback start debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 channel 0 request pty-req reply 1 debug1: session_pty_req: session 0 alloc /dev/pts/4 debug2: callback done debug2: callback start debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 channel 0 request shell reply 1 debug1: PAM setting tty to "/dev/pts/4" debug1: PAM establishing creds debug1: fd 7 setting O_NONBLOCK debug1: fd 3 IS O_NONBLOCK debug2: callback done debug1: Setting controlling tty using TIOCSCTTY. debug2: channel 0: rcvd adjust 315 ???debug1: Received SIGCHLD.??? debug1: session_by_pid: pid 4903 debug1: session_exit_message: session 0 channel 0 pid 4903 debug1: session_exit_message: release channel 0 debug1: channel 0: write failed debug1: channel 0: output open -> closed debug1: channel 0: close_write debug1: channel 0: read failed debug1: channel 0: input open -> drain debug1: channel 0: close_read debug1: channel 0: input: no drain shortcut debug1: channel 0: ibuf empty debug1: channel 0: input drain -> closed debug1: channel 0: send eof debug1: session_pty_cleanup: session 0 release /dev/pts/4 debug1: session_free: session 0 pid 4903 debug1: channel 0: send close debug2: channel 0: rcvd adjust 7 debug1: channel 0: rcvd close ***fatal: buffer_get: trying to get more bytes than in buffer*** debug1: Calling cleanup 0x805b6f0(0x0) debug1: Calling cleanup 0x8050980(0x0) debug1: Calling cleanup 0x8061750(0x0) Now for SSH Protocol 1 attempt debug1: sshd version OpenSSH_2.3.0p1 debug1: Seeding random number generator debug1: read DSA private key done debug1: Seeding random number generator debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. debug1: Seeding random number generator debug1: Seeding random number generator RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 206.58.180.12 port 3791 debug1: Client protocol version 1.5; client software version PuTTY debug1: no match: PuTTY debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1 debug1: Sent 768 bit public key and 1024 bit host key. debug1: Encryption type: 3des debug1: Received session key; encryption turned on. debug1: Installing crc compensation attack detector. debug1: Starting up PAM with username "cnewbill" debug1: Attempting authentication for cnewbill. Accepted password for cnewbill from 206.58.180.12 port 3791 debug1: PAM setting rhost to "cnewbill.onewest.net" debug1: session_new: init debug1: session_new: session 0 debug1: Allocating pty. debug1: PAM setting tty to "/dev/pts/4" debug1: PAM establishing creds debug1: Entering interactive session. debug1: fd 3 setting O_NONBLOCK debug1: fd 7 IS O_NONBLOCK debug1: server_init_dispatch_13 debug1: server_init_dispatch_15 debug1: Setting controlling tty using TIOCSCTTY. debug1: tvp!=NULL kid 0 mili 10 debug1: tvp!=NULL kid 0 mili 10 debug1: tvp!=NULL kid 0 mili 10 debug1: Received SIGCHLD. debug1: tvp!=NULL kid 1 mili 100 debug1: End of interactive session; stdin 0, stdout (read 323, sent 323), stderr 0 bytes. debug1: Command exited with status 0. debug1: Received exit confirmation. debug1: session_pty_cleanup: session 0 release /dev/pts/4 Closing connection to 206.58.180.12 Thanks, Chris Newbill Programmer/Analyst OneWest.net Inc., 406-449-8056 ------------------------------------------------------------ Ever notice how it's a penny for your thoughts, yet you put in your two-cents? Someone is making a penny on the deal. -----Steven Wright ------------------------------------------------------------ -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010110/2c4d5618/attachment.html From rob at hagopian.net Thu Jan 11 05:51:07 2001 From: rob at hagopian.net (Rob Hagopian) Date: Wed, 10 Jan 2001 13:51:07 -0500 (EST) Subject: ssh speed In-Reply-To: <3A5C9BEE.2AEC63B4@aproposretail.com> Message-ID: 4/132 = 3% difference... I can't guarantee that the machines are 100.00% idle... Average of 3 runs of each: none2: 02:10 02:08 02:09 2:09 arcfour: 02:10 02:12 02:09 2:10.333 As I noted before, it appears that the bottleneck is with the cipher only for slower ciphers. ssh and sshd both seem to spend a lot of time in select() once the cipher is fast enough... -Rob On Wed, 10 Jan 2001, John Hardin wrote: > Rob Hagopian wrote: > > > > (587MB file:) > > arcfour 02:08 > > none2 02:12 > > I wonder why arcfour is faster than no encryption...? > > -- > John Hardin > Internal Systems Administrator > Apropos Retail Management Systems, Inc. > - (425) 672-1304 x265 > From sunil at redback.com Thu Jan 11 06:13:16 2001 From: sunil at redback.com (Sunil K. Vallamkonda) Date: Wed, 10 Jan 2001 11:13:16 -0800 (PST) Subject: rel.2.4.0 ? In-Reply-To: Message-ID: Is rel.2.3.1.p1 to be available sometime soon or instead you suggest I pick up the latest snapshot at: http://bass.directhit.com/openssh_snap/ ? On Tue, 9 Jan 2001 mouring at etoh.eviladmin.org wrote: > On Tue, 9 Jan 2001, Sunil K. Vallamkonda wrote: > > > > > Is there an official release of 2.4.0 ? > > > Markus back off from an 2.4.0 release for the moment (unsure why, but > it does not matter to much to me). In the next few days we should have a > 2.3.1p1 release out. We are just attempting to finish up a few things > first. > > - Ben > > > From mouring at etoh.eviladmin.org Thu Jan 11 06:21:06 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 10 Jan 2001 13:21:06 -0600 (CST) Subject: rel.2.4.0 ? In-Reply-To: Message-ID: I just talked to Markus and there is no offical 2.3.1 release it was required to bump the release number up in order to ensure the new 'Banner' feature was detected correctly. Sorry about that. The suggestion is still to use the current snapshot. - Ben On Wed, 10 Jan 2001, Sunil K. Vallamkonda wrote: > > > Is rel.2.3.1.p1 to be available sometime soon or instead > you suggest I pick up the latest snapshot at: > http://bass.directhit.com/openssh_snap/ ? > > > > On Tue, 9 Jan 2001 mouring at etoh.eviladmin.org wrote: > > > On Tue, 9 Jan 2001, Sunil K. Vallamkonda wrote: > > > > > > > > Is there an official release of 2.4.0 ? > > > > > Markus back off from an 2.4.0 release for the moment (unsure why, but > > it does not matter to much to me). In the next few days we should have a > > 2.3.1p1 release out. We are just attempting to finish up a few things > > first. > > > > - Ben > > > > > > > > From rachit at ensim.com Thu Jan 11 08:03:52 2001 From: rachit at ensim.com (Rachit Siamwalla) Date: Wed, 10 Jan 2001 13:03:52 -0800 Subject: SSH2/1 Failure when using bash shell, other shells work References: Message-ID: <3A5CCE38.5C4DB676@ensim.com> > Another strange note, if your default shell is set to /bin/sh (a symlink to /bin/bash) it lets you login!?? This info doesn't solve your problem directly, but /bin/bash emulates /bin/sh when argv[0] == "/bin/sh" So the behaviour of /bin/bash will be different from /bin/sh even though they are symlinks of each other. -rchit From pnnguyen1 at west.raytheon.com Thu Jan 11 06:44:51 2001 From: pnnguyen1 at west.raytheon.com (Phuonganh N Nguyen) Date: Wed, 10 Jan 2001 11:44:51 -0800 Subject: Using ssh to login Message-ID: <3A5CBBB3.95001996@west.raytheon.com> Hi, I am on my machine with uid (as hughes) and login to another person's machine with same uid (as hughes) (ie. pnguy hughes % ssh nsche), and both machines have .rhosts and .shosts indicating a + 'sign' to indicate no password required for uid hughes. Why does ssh still request for a password (no password required when using rlogin) providing that the hosts files on both machines have both the usernames on my machine and another person's machine? Please let me know if you need further information. Thanks, P(Ann) Nguyen From stuge at cdy.org Thu Jan 11 07:04:53 2001 From: stuge at cdy.org (Peter Stuge) Date: Wed, 10 Jan 2001 21:04:53 +0100 Subject: problem report about installation of OpenSSH In-Reply-To: ; from jlandstr@astro.uwo.ca on Tue, Dec 26, 2000 at 07:15:53PM -0500 References: Message-ID: <20010110210453.A29771@foo.birdnet.se> On Tue, Dec 26, 2000 at 07:15:53PM -0500, John Landstreet wrote: > ______________________________________________________________________ > > However, when I try to compile with make, the make does not work, with the > following message: > _______________________________________________________________________ > /usr/local/src/openssh-2.3.0p1>make > > gcc -g -O2 -Wall -I. -I. -I/usr/local/ssl/include > -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -DHAVE_CONFIG_H > -c bsd-base64.c -o bsd-base64.o > gcc: Internal compiler error: program cc1 got fatal signal 6 > make: *** [bsd-base64.o] Error 1 > ______________________________________________________________________ > > I do not know what to try next. I have looked over the FAQ file for > OpenSSH, as well as the README and the INSTALL files, and none of the > comments seem to be relevant. I would be most grateful for any suggestions > you could make about how to proceed from here. Fatal signals received by the compiler usually indicates that you're out of memory. Create a 64mb swapfile: dd if=/dev/zero of=/tmp/swapfile bs=1024k count=64 mkswap /tmp/swapfile swapon /tmp/swapfile and try to rerun make. When you're done you can swapoff /tmp/swapfile rm /tmp/swapfile to get rid of the 64mb file. Good luck. //Peter -- irc: CareBear\ tel: +46-40-914420 irl: Peter Stuge gsm: +46-705-783805 From pnnguyen1 at west.raytheon.com Thu Jan 11 10:07:11 2001 From: pnnguyen1 at west.raytheon.com (Phuonganh N Nguyen) Date: Wed, 10 Jan 2001 15:07:11 -0800 Subject: Login using ssh without password Message-ID: <3A5CEB1F.9C6873BB@west.raytheon.com> Hello, I'm having a problem trying to use ssh to login from my machine with server_user as hughes to myself with server_user as hughes. I have no problem using rlogin - no password required. How do I use ssh to login from my machine as hughes at pnguy to myself with the same server_user (hughes) (etc. ssh pnguy) without a password required. My .rhosts, .shosts in /users/hughes/.ssh directory contains a "+" signed to alllow from hughes to hughes server_user without password when I use rlogin. My name is P(Ann) Nguyen and my e-mail is pnnguyen1 at west.raytheon.com. Please e-mail to me or call at 714-446-4470. Thanks P(Ann) Nguyen From djm at mindrot.org Thu Jan 11 13:22:05 2001 From: djm at mindrot.org (Damien Miller) Date: Thu, 11 Jan 2001 13:22:05 +1100 (EST) Subject: sftp In-Reply-To: <20010110153232.A17972@faui02l.informatik.uni-erlangen.de> Message-ID: On Wed, 10 Jan 2001, Markus Friedl wrote: > there is now a draft: > > http://www.ietf.org/internet-drafts/draft-ietf-secsh-filexfer-00.txt > > if someone could please check whether sftp-server.c comlies :) It seems to compile on OpenBSD, I don't have a client to test with (yet). I have started some work towards a sftp client, but I haven't got much free time at the moment. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From rmcc at novis.pt Thu Jan 11 15:40:36 2001 From: rmcc at novis.pt (Ricardo Cerqueira) Date: Thu, 11 Jan 2001 04:40:36 +0000 Subject: sftp In-Reply-To: ; from djm@mindrot.org on Thu, Jan 11, 2001 at 01:22:05PM +1100 References: <20010110153232.A17972@faui02l.informatik.uni-erlangen.de> Message-ID: <20010111044036.B23056@isp.novis.pt> On Thu, Jan 11, 2001 at 01:22:05PM +1100, Damien Miller wrote: > On Wed, 10 Jan 2001, Markus Friedl wrote: > > > there is now a draft: > > > > http://www.ietf.org/internet-drafts/draft-ietf-secsh-filexfer-00.txt > > > > if someone could please check whether sftp-server.c comlies :) > > It seems to compile on OpenBSD, I don't have a client to test with (yet). Erm... I think he meant "complies". As in... does OpenSSH's sftp comply with the draft? RC -- +------------------- | Ricardo Cerqueira | PGP Key fingerprint - B7 05 13 CE 48 0A BF 1E 87 21 83 DB 28 DE 03 42 | Novis Telecom - Engenharia ISP / Rede T?cnica | P?. Duque Saldanha, 1, 7? E / 1050-094 Lisboa / Portugal | Tel: +351 2 1010 0000 - Fax: +351 2 1010 4459 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 524 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010111/9a833d00/attachment.bin From mdejong at cygnus.com Thu Jan 11 17:03:23 2001 From: mdejong at cygnus.com (Mo DeJong) Date: Wed, 10 Jan 2001 22:03:23 -0800 (PST) Subject: Patch to improve -p error message. Message-ID: Hi all. I got sick of getting a lame error message when I typed the wrong thing in for a -p argument, so I wrote up this patch. Bad: % ssh -p L4501 localhost Secure connection to localhost refused. Good: ./ssh -p L4501 localhost Bad port specification 'L4501'. Mo DeJong Red Hat Inc Index: ssh.c =================================================================== RCS file: /cvs/openssh_cvs/ssh.c,v retrieving revision 1.56 diff -u -r1.56 ssh.c --- ssh.c 2000/12/28 16:40:05 1.56 +++ ssh.c 2001/01/11 06:01:18 @@ -437,6 +437,12 @@ break; case 'p': options.port = atoi(optarg); + if (options.port == 0) { + fprintf(stderr, + "Bad port specification '%s'.\n", + optarg); + exit(1); + } break; case 'l': options.user = optarg; From mdejong at cygnus.com Thu Jan 11 17:07:14 2001 From: mdejong at cygnus.com (Mo DeJong) Date: Wed, 10 Jan 2001 22:07:14 -0800 (PST) Subject: Is anyone else getting this build error? Message-ID: This is from the current CVS: % make ... In file included from config.h:629, from /home/mo/project/openssh_cvs/includes.h:20, from /home/mo/project/openssh_cvs/scp.c:77: /home/mo/project/openssh_cvs/defines.h:208: warning: redefinition of `clock_t' /usr/include/time.h:60: warning: `clock_t' previously declared here gcc -o scp scp.o -L. -L/usr/local/ssl/lib -L/usr/local/ssl -lssh -lopenbsd-compat -ldl -lnsl -lz -lutil -lpam -lcrypto ./libssh.a(log.o): In function `fatal': /home/mo/project/openssh_cvs/log.c:51: undefined reference to `do_log' ./libssh.a(log.o): In function `error': /home/mo/project/openssh_cvs/log.c:63: undefined reference to `do_log' ./libssh.a(log.o): In function `log': /home/mo/project/openssh_cvs/log.c:74: undefined reference to `do_log' ./libssh.a(log.o): In function `verbose': /home/mo/project/openssh_cvs/log.c:85: undefined reference to `do_log' ./libssh.a(log.o): In function `debug': /home/mo/project/openssh_cvs/log.c:96: undefined reference to `do_log' ./libssh.a(log.o):/home/mo/project/openssh_cvs/log.c:105: more undefined references to `do_log' follow collect2: ld returned 1 exit status make: *** [scp] Error 1 I am building on a Red Hat Linux 6.2 box. Mo DeJong Red Hat Inc From djm at mindrot.org Thu Jan 11 17:11:22 2001 From: djm at mindrot.org (Damien Miller) Date: Thu, 11 Jan 2001 17:11:22 +1100 (EST) Subject: Is anyone else getting this build error? In-Reply-To: Message-ID: On Wed, 10 Jan 2001, Mo DeJong wrote: > This is from the current CVS: > > % make > ... > > In file included from config.h:629, > from /home/mo/project/openssh_cvs/includes.h:20, > from /home/mo/project/openssh_cvs/scp.c:77: > /home/mo/project/openssh_cvs/defines.h:208: warning: redefinition of > `clock_t' No. > I am building on a Red Hat Linux 6.2 box. Same here. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From mouring at etoh.eviladmin.org Thu Jan 11 18:11:19 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 11 Jan 2001 01:11:19 -0600 (CST) Subject: Is anyone else getting this build error? In-Reply-To: Message-ID: On Wed, 10 Jan 2001, Mo DeJong wrote: > This is from the current CVS: > > % make > ... > > In file included from config.h:629, > from /home/mo/project/openssh_cvs/includes.h:20, > from /home/mo/project/openssh_cvs/scp.c:77: > /home/mo/project/openssh_cvs/defines.h:208: warning: redefinition of > `clock_t' I moved clock_t detection from news4-posix.h into a general defination. > /usr/include/time.h:60: warning: `clock_t' previously declared here Hmm... Why did the test work fine under NeXT and Linux and fail under Cygwin. It looks like they all have clock_t defined in Ermm.... From rachit at ensim.com Thu Jan 11 17:24:09 2001 From: rachit at ensim.com (Rachit Siamwalla) Date: Wed, 10 Jan 2001 22:24:09 -0800 Subject: contrib/redhat/openssh.spec question Message-ID: <3A5D5189.9B32ABF4@ensim.com> I have a couple of questions regarding openssh.spec and the rpm that gets generated from it. I am using 2.3.0p1 1. Why is openssl a prereq? openssh statically links to openssl during build by default (rightfully so, you don't want your security library a shared object if possible) 2. I don't understand the following line in the spec file during the install step (it makes it not build for me): %{makeinstall} \ sysconfdir=$RPM_BUILD_ROOT%{_sysconfdir}/ssh \ libexecdir=$RPM_BUILD_ROOT%{_libexecdir}/openssh \ DESTDIR=/ # Hack to disable key generation The problem here is that make install will then put everything in the root directory (/usr/bin, etc.) instead of /usr/src/redhat/INSTALL/usr/bin, etc. (depends on RPM_ROOT) and thus in later stages of the RPM build, it won't find those files. Shouldn't DEST be $RPM_BUILD_ROOT and the others blank? One thing that might have affected stuff was i changed in the spec from %{makeinstall} to "make install". With rpm 3.0.3, i guess doesn't have that defined by default (i doubt this affects anything though). 3. Why is openssl-devel a BuildPreReq? From mouring at etoh.eviladmin.org Thu Jan 11 18:16:12 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 11 Jan 2001 01:16:12 -0600 (CST) Subject: Is anyone else getting this build error? In-Reply-To: Message-ID: On Thu, 11 Jan 2001 mouring at etoh.eviladmin.org wrote: > On Wed, 10 Jan 2001, Mo DeJong wrote: > > > This is from the current CVS: > > > > % make > > ... > > > > In file included from config.h:629, > > from /home/mo/project/openssh_cvs/includes.h:20, > > from /home/mo/project/openssh_cvs/scp.c:77: > > /home/mo/project/openssh_cvs/defines.h:208: warning: redefinition of > > `clock_t' > > I moved clock_t detection from news4-posix.h into a general > defination. > > > /usr/include/time.h:60: warning: `clock_t' previously declared here > > Hmm... Why did the test work fine under NeXT and Linux and fail under > Cygwin. It looks like they all have clock_t defined in > > Sorry, I noticed you stated 'Redhat 6.2' later on.. I'm not getting this under Redhat 7.0. Kinda what I get for not reading things fully and being tired.=) ./configure | grep clock_t and show me the line (on a fresh build). - Ben From mdejong at cygnus.com Thu Jan 11 17:42:07 2001 From: mdejong at cygnus.com (Mo DeJong) Date: Wed, 10 Jan 2001 22:42:07 -0800 (PST) Subject: Is anyone else getting this build error? In-Reply-To: Message-ID: On Thu, 11 Jan 2001 mouring at etoh.eviladmin.org wrote: > On Thu, 11 Jan 2001 mouring at etoh.eviladmin.org wrote: > > > On Wed, 10 Jan 2001, Mo DeJong wrote: > > > > > This is from the current CVS: > > > > > > % make > > > ... > > > > > > In file included from config.h:629, > > > from /home/mo/project/openssh_cvs/includes.h:20, > > > from /home/mo/project/openssh_cvs/scp.c:77: > > > /home/mo/project/openssh_cvs/defines.h:208: warning: redefinition of > > > `clock_t' > > > > I moved clock_t detection from news4-posix.h into a general > > defination. > > > > > /usr/include/time.h:60: warning: `clock_t' previously declared here > > > > Hmm... Why did the test work fine under NeXT and Linux and fail under > > Cygwin. It looks like they all have clock_t defined in > > > > > Sorry, I noticed you stated 'Redhat 6.2' later on.. I'm not getting this > under Redhat 7.0. > > Kinda what I get for not reading things fully and being tired.=) > > ./configure | grep clock_t and show me the line (on a fresh build). There is nothing like that. I did find: checking for bindresvport_af... no checking for clock... yes checking for fchmod... yes >From config.h: /* Define if you have the clock function. */ #define HAVE_CLOCK 1 Oh, wait. My configure script must be out of date. I reran autogen.sh and now I am seeing: checking for ssize_t... yes checking for clock_t... yes checking for sa_family_t... yes Now it compiles just fine. Of course, that brings up an old issue. Why is there no configure file checked into the CVS? I really should be up to the developer to regen the configure file when changes are made to configure.in. This also make it really easy to build out of the CVS, since you don't need to have the autotools installed on the box you want to build on. Mo DeJong Red Hat Inc From pekkas at netcore.fi Thu Jan 11 18:43:13 2001 From: pekkas at netcore.fi (Pekka Savola) Date: Thu, 11 Jan 2001 09:43:13 +0200 (EET) Subject: contrib/redhat/openssh.spec question In-Reply-To: <3A5D5189.9B32ABF4@ensim.com> Message-ID: On Wed, 10 Jan 2001, Rachit Siamwalla wrote: > 1. Why is openssl a prereq? openssh statically links to openssl during > build by default (rightfully so, you don't want your security library a > shared object if possible) No, openssl is linked dynamically: $ ldd /usr/bin/ssh | grep crypto libcrypto.so.0 => /usr/lib/libcrypto.so.0 (0x4004d000) > 2. I don't understand the following line in the spec file during the > install step (it makes it not build for me): > > %{makeinstall} \ > sysconfdir=$RPM_BUILD_ROOT%{_sysconfdir}/ssh \ > libexecdir=$RPM_BUILD_ROOT%{_libexecdir}/openssh \ > DESTDIR=/ # Hack to disable key generation > > The problem here is that make install will then put everything in the > root directory (/usr/bin, etc.) instead of > /usr/src/redhat/INSTALL/usr/bin, etc. (depends on RPM_ROOT) and thus in > later stages of the RPM build, it won't find those files. Shouldn't DEST > be $RPM_BUILD_ROOT and the others blank? > > One thing that might have affected stuff was i changed in the spec from > %{makeinstall} to "make install". With rpm 3.0.3, i guess doesn't have > that defined by default (i doubt this affects anything though). Upgrade to RPM 3.0.5. Do you still see the problem? %{makeinstall} is crucial. It's entirely different from make install; several install directory options are passed, for example. If you replace it with something like: %makeinstall \ make \\\ prefix=%{?buildroot:%{buildroot}}%{_prefix} \\\ exec_prefix=%{?buildroot:%{buildroot}}%{_exec_prefix} \\\ bindir=%{?buildroot:%{buildroot}}%{_bindir} \\\ sbindir=%{?buildroot:%{buildroot}}%{_sbindir} \\\ sysconfdir=%{?buildroot:%{buildroot}}%{_sysconfdir} \\\ datadir=%{?buildroot:%{buildroot}}%{_datadir} \\\ includedir=%{?buildroot:%{buildroot}}%{_includedir} \\\ libdir=%{?buildroot:%{buildroot}}%{_libdir} \\\ libexecdir=%{?buildroot:%{buildroot}}%{_libexecdir} \\\ localstatedir=%{?buildroot:%{buildroot}}%{_localstatedir} \\\ sharedstatedir=%{?buildroot:%{buildroot}}%{_sharedstatedir} \\\ mandir=%{?buildroot:%{buildroot}}%{_mandir} \\\ infodir=%{?buildroot:%{buildroot}}%{_infodir} \\\ install you get ~similar behaviour. > 3. Why is openssl-devel a BuildPreReq? Because openssl headers are required to build OpenSSH. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From Markus.Friedl at informatik.uni-erlangen.de Thu Jan 11 19:00:25 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 11 Jan 2001 09:00:25 +0100 Subject: Glibc Local Root Exploit (fwd) Message-ID: <20010111090025.C21530@faui02.informatik.uni-erlangen.de> -------------- next part -------------- An embedded message was scrubbed... From: Charles Stevenson Subject: Glibc Local Root Exploit Date: Wed, 10 Jan 2001 00:06:48 -0700 Size: 3299 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010111/271074f0/attachment.mht From wpilorz at bdk.pl Thu Jan 11 19:49:31 2001 From: wpilorz at bdk.pl (Wojtek Pilorz) Date: Thu, 11 Jan 2001 09:49:31 +0100 (CET) Subject: sleep 20&exit hangs on Linux Message-ID: Dear All, Let me quote a few lines from TODO file (SNAP-20010109): - Linux hangs for 20 seconds when you do "sleep 20&exit". All current solutions break scp or leaves processes hanging around after the ssh connection has ended. It seems to be linked to two things. One select() under Linux is not as nice as others, and two the children of the shell are not killed on exiting the shell. When I connect to sshd (SNAP-20010109), there is indeed a hang. However, I have verified that when I connect to sshd (openssh-1.2.3 version) there is no problem here (the client is always SNAP-20010109, the destination machine runs both versions of sshd ). So, does openssh 1.2.3 has problems with scp or some other problems ? Could someone please let me know how to reliably test whether scp is OK ? ( I can transfer 160000k of nulls and all are delivered using both sshd versions). I find it quite useful to be able to put a program into background on a remote machine and exit immediately. It might be intersting that one can use nohup as a workaround: (nohup sleep 10 &); exit exist ssh immediately ( and sleep is run in background on the destination machine) Neither nohup sleep 10 & exit nor (sleep 10 &); exit will avoid the hang on SNAP-20010109 sshd. Best regards, Wojtek PS. I am using RedHat Linux 6.2 on x86 with updates applied. -------------------- Wojtek Pilorz Wojtek.Pilorz at bdk.pl From djm at mindrot.org Thu Jan 11 20:46:00 2001 From: djm at mindrot.org (Damien Miller) Date: Thu, 11 Jan 2001 20:46:00 +1100 (EST) Subject: sftp In-Reply-To: <20010111044036.B23056@isp.novis.pt> Message-ID: On Thu, 11 Jan 2001, Ricardo Cerqueira wrote: > Erm... I think he meant "complies". As in... does OpenSSH's sftp comply > with the draft? I realised this about 1ms after I hit the send button. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From djm at mindrot.org Thu Jan 11 20:52:15 2001 From: djm at mindrot.org (Damien Miller) Date: Thu, 11 Jan 2001 20:52:15 +1100 (EST) Subject: contrib/redhat/openssh.spec question In-Reply-To: <3A5D5189.9B32ABF4@ensim.com> Message-ID: On Wed, 10 Jan 2001, Rachit Siamwalla wrote: > > I have a couple of questions regarding openssh.spec and the rpm that > gets generated from it. I am using 2.3.0p1 > > 1. Why is openssl a prereq? openssh statically links to openssl during > build by default (rightfully so, you don't want your security library a > shared object if possible) OpenSSL is usually dynamically linked - I don't see why this is a problem libc is usually dynamically linked too and it is even more critical. > 2. I don't understand the following line in the spec file during the > install step (it makes it not build for me): > > %{makeinstall} \ > sysconfdir=$RPM_BUILD_ROOT%{_sysconfdir}/ssh \ > libexecdir=$RPM_BUILD_ROOT%{_libexecdir}/openssh \ > DESTDIR=/ # Hack to disable key generation %{makeinstall} is an RPM macro which tries to put things in the right spot by overriding prefix, etc. > One thing that might have affected stuff was i changed in the spec from > %{makeinstall} to "make install". With rpm 3.0.3, i guess doesn't have > that defined by default (i doubt this affects anything though). %{makeinstall} != make install. If you want use make install you probably want to do something like: make install \ prefix=$RPM_BUILD_ROOT%/usr \ sysconfdir=$RPM_BUILD_ROOT%{_sysconfdir}/ssh \ libexecdir=$RPM_BUILD_ROOT%{_libexecdir}/openssh \ DESTDIR=/ # Hack to disable key generation > 3. Why is openssl-devel a BuildPreReq? The headers are required for compilation. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From mouring at etoh.eviladmin.org Fri Jan 12 04:14:47 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 11 Jan 2001 11:14:47 -0600 (CST) Subject: Glibc Local Root Exploit (fwd) In-Reply-To: <20010111090025.C21530@faui02.informatik.uni-erlangen.de> Message-ID: >Hi all, > This has been bouncing around on vuln-dev and the debian-devel >lists. It effects glibc >= 2.1.9x and it would seem many if not all OSes >using these versions of glibc. Ben Collins writes, "This wasn't supposed >to happen, and the actual fix was a missing comma in the list of secure >env vars that were supposed to be cleared when a program starts up >suid/sgid (including RESOLV_HOST_CONF)." The exploit varies from system >to system but in our devel version of Yellow Dog Linux I was able to >print the /etc/shadow file as a normal user in the following manner: Hmm.. What a wonderful way to start my morning. I can sure confirm that OpenSSH's ssh w/ RESOLV_HOST_CONF set to /etc/shadow works great for pulling up passwords on Redhat 7.0/intel (glibc 2.2). I'm guess I should be thankful I don't run a shell server. Wonder if NSA's involvement in Linux will improve it. - Ben From pekkas at netcore.fi Fri Jan 12 03:27:56 2001 From: pekkas at netcore.fi (Pekka Savola) Date: Thu, 11 Jan 2001 18:27:56 +0200 (EET) Subject: Glibc Local Root Exploit (fwd) In-Reply-To: Message-ID: On Thu, 11 Jan 2001 mouring at etoh.eviladmin.org wrote: > Hmm.. What a wonderful way to start my morning. I can sure confirm that > OpenSSH's ssh w/ RESOLV_HOST_CONF set to /etc/shadow works great for > pulling up passwords on Redhat 7.0/intel (glibc 2.2). > > I'm guess I should be thankful I don't run a shell server. > > Wonder if NSA's involvement in Linux will improve it. Luckily enough this isn't OpenSSH specific; you can do this with ~any setuid application that doesn't drop privileges soon enough. However, ping and traceroute in RHL7 do though. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From mouring at etoh.eviladmin.org Fri Jan 12 04:41:36 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 11 Jan 2001 11:41:36 -0600 (CST) Subject: Glibc Local Root Exploit (fwd) In-Reply-To: Message-ID: On Thu, 11 Jan 2001, Pekka Savola wrote: > On Thu, 11 Jan 2001 mouring at etoh.eviladmin.org wrote: > > Hmm.. What a wonderful way to start my morning. I can sure confirm that > > OpenSSH's ssh w/ RESOLV_HOST_CONF set to /etc/shadow works great for > > pulling up passwords on Redhat 7.0/intel (glibc 2.2). > > > > I'm guess I should be thankful I don't run a shell server. > > > > Wonder if NSA's involvement in Linux will improve it. > > Luckily enough this isn't OpenSSH specific; you can do this with ~any > setuid application that doesn't drop privileges soon enough. > > However, ping and traceroute in RHL7 do though. > I was just skimming bugtraq on the topic.. Which begs to have two questions brought up. 1) What reason stops us from requiring ./configure --with-suid and have it be non-suid by default? (I guess the question that has to be asked.. 'Is it worth emulating rsh/rlogin/etc out of the box now days?') 2) Where is the correct 'sweet' spot to drop priviledge to stop this type of attack (Assuming there is such a spot for every OS). - Ben From mouring at etoh.eviladmin.org Fri Jan 12 05:02:00 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 11 Jan 2001 12:02:00 -0600 (CST) Subject: sleep 20&exit hangs on Linux In-Reply-To: Message-ID: On Thu, 11 Jan 2001, Wojtek Pilorz wrote: > Dear All, > > Let me quote a few lines from TODO file (SNAP-20010109): > > - Linux hangs for 20 seconds when you do "sleep 20&exit". All current > solutions break scp or leaves processes hanging around after the ssh > connection has ended. It seems to be linked to two things. One > select() under Linux is not as nice as others, and two the children > of the shell are not killed on exiting the shell. > > When I connect to sshd (SNAP-20010109), there is indeed a hang. > > However, I have verified that when I connect to sshd (openssh-1.2.3 > version) there is no problem here (the client is always SNAP-20010109, > the destination machine runs both versions of sshd ). > So, does openssh 1.2.3 has problems with scp or some other problems ? > I don't remember when the hack was put in place.. but 2.3.0p1 is affected witht he scp issue.. 2.2.0p1 may be. All current snapshots should have a perfectly fine working scp. > It might be intersting that one can use nohup as a workaround: > > (nohup sleep 10 &); exit > Now that is interesting.. Because (sleep 10&); exit hangs for 10 seconds. At least I have a work around to tell people when they come to #openssh on efnet. Still would like to figure out why. - Ben From jmknoble at jmknoble.cx Fri Jan 12 04:09:00 2001 From: jmknoble at jmknoble.cx (Jim Knoble) Date: Thu, 11 Jan 2001 12:09:00 -0500 Subject: Is anyone else getting this build error? In-Reply-To: ; from mdejong@cygnus.com on Wed, Jan 10, 2001 at 10:42:07PM -0800 References: Message-ID: <20010111120900.A32078@shell.ntrnet.net> Circa 2001-Jan-10 22:42:07 -0800 dixit Mo DeJong: : Of course, that brings up an old issue. Why is there no configure : file checked into the CVS? I really should be up to the developer to : regen the configure file when changes are made to configure.in. No; the 'configure' script should be regenerated by a Makefile rule. Something like this: configure: configure.in Makefile.in aclocal autoconf This would fix the problem Mo encountered with an out-of-date configure, and would also limit the CVS repository to "true" source files rather than a combination of source and generated files. : This also make it really easy to build out of the CVS, since you : don't need to have the autotools installed on the box you want to : build on. The CVS stuff is pretty much for developments-savvy folks only. If you're using the CVS snapshots, you should have the auto* tools installed. -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ From gleblanc at cu-portland.edu Fri Jan 12 04:14:41 2001 From: gleblanc at cu-portland.edu (Gregory Leblanc) Date: 11 Jan 2001 09:14:41 -0800 Subject: contrib/redhat/openssh.spec question In-Reply-To: Message-ID: <20010111171411.3FB9E1A4A1@toad.mindrot.org> On 11 Jan 2001 09:43:13 +0200, Pekka Savola wrote: > On Wed, 10 Jan 2001, Rachit Siamwalla wrote: > > 2. I don't understand the following line in the spec file during the > > install step (it makes it not build for me): > > > > %{makeinstall} \ > > sysconfdir=$RPM_BUILD_ROOT%{_sysconfdir}/ssh \ > > libexecdir=$RPM_BUILD_ROOT%{_libexecdir}/openssh \ > > DESTDIR=/ # Hack to disable key generation > > > > The problem here is that make install will then put everything in the > > root directory (/usr/bin, etc.) instead of > > /usr/src/redhat/INSTALL/usr/bin, etc. (depends on RPM_ROOT) and thus in > > later stages of the RPM build, it won't find those files. Shouldn't DEST > > be $RPM_BUILD_ROOT and the others blank? > > > > One thing that might have affected stuff was i changed in the spec from > > %{makeinstall} to "make install". With rpm 3.0.3, i guess doesn't have > > that defined by default (i doubt this affects anything though). > > Upgrade to RPM 3.0.5. Do you still see the problem? Yeah, this is a worth-while upgrade. I don't think there are any distributions who don't have rpm 3.0.5 or later as their recomended version of RPM 3. It's a large step forward for RPM. BTW, if the spec file really does say %{makeinstall}, it's not right, it should be %makeinstall instead, as the {} make some of the escape sequences not work right. I think there are details in the macros file (/usr/lib/rpm/macros on RH) that ships with RPM. > > %{makeinstall} is crucial. It's entirely different from make install; > several install directory options are passed, for example. > > If you replace it with something like: > > %makeinstall \ > make \\\ > prefix=%{?buildroot:%{buildroot}}%{_prefix} \\\ > exec_prefix=%{?buildroot:%{buildroot}}%{_exec_prefix} \\\ > bindir=%{?buildroot:%{buildroot}}%{_bindir} \\\ > sbindir=%{?buildroot:%{buildroot}}%{_sbindir} \\\ > sysconfdir=%{?buildroot:%{buildroot}}%{_sysconfdir} \\\ > datadir=%{?buildroot:%{buildroot}}%{_datadir} \\\ > includedir=%{?buildroot:%{buildroot}}%{_includedir} \\\ > libdir=%{?buildroot:%{buildroot}}%{_libdir} \\\ > libexecdir=%{?buildroot:%{buildroot}}%{_libexecdir} \\\ > localstatedir=%{?buildroot:%{buildroot}}%{_localstatedir} \\\ > sharedstatedir=%{?buildroot:%{buildroot}}%{_sharedstatedir} \\\ > mandir=%{?buildroot:%{buildroot}}%{_mandir} \\\ > infodir=%{?buildroot:%{buildroot}}%{_infodir} \\\ > install > > you get ~similar behaviour. But %makeinstall is a lot less typing. :) Does the OpenSSH rpm also use %configure? I'll have try to grab the source and take a look this weekend. Greg From mouring at etoh.eviladmin.org Fri Jan 12 05:08:58 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 11 Jan 2001 12:08:58 -0600 (CST) Subject: Is anyone else getting this build error? In-Reply-To: <20010111120900.A32078@shell.ntrnet.net> Message-ID: On Thu, 11 Jan 2001, Jim Knoble wrote: > Circa 2001-Jan-10 22:42:07 -0800 dixit Mo DeJong: > > : Of course, that brings up an old issue. Why is there no configure > : file checked into the CVS? I really should be up to the developer to > : regen the configure file when changes are made to configure.in. > > No; the 'configure' script should be regenerated by a Makefile rule. > Something like this: > > configure: configure.in Makefile.in > aclocal > autoconf > 'make -f Makefile.in distprep' filles this void nicely. - Ben From gert at greenie.muc.de Fri Jan 12 06:31:55 2001 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 11 Jan 2001 20:31:55 +0100 Subject: Glibc Local Root Exploit (fwd) In-Reply-To: ; from mouring@etoh.eviladmin.org on Thu, Jan 11, 2001 at 11:41:36AM -0600 References: Message-ID: <20010111203155.B29499@greenie.muc.de> Hi, On Thu, Jan 11, 2001 at 11:41:36AM -0600, mouring at etoh.eviladmin.org wrote: > 2) Where is the correct 'sweet' spot to drop priviledge to stop this type > of attack (Assuming there is such a spot for every OS). Bind to the privileged socket very early, drop suid, then start doing anything else (parsing files, reading things). But if the bugs in glibc are bad enough, even that won't help... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From ksulliva at psc.edu Fri Jan 12 06:42:51 2001 From: ksulliva at psc.edu (Kevin Sullivan) Date: Thu, 11 Jan 2001 14:42:51 -0500 Subject: Kerberos password authentication and SSH2 Message-ID: <14627.979242171@sludge.psc.edu> My site uses Kerb 4 (actually AFS) for virtually all authentication. No users have local passwords on machines. We'd like to start allowing SSH2 connections, but OpenSSH 2.3.0p1 will not authenticate Kerberos passwords for SSH2 connections. In auth2.c: #ifdef KRB4 /* turn off kerberos, not supported by SSH2 */ options.kerberos_authentication = 0; #endif If I remove this snippet of code, then all works as expected and SSH2 users can authenticate. Why is this code here? Will I open a security hole by removing the code? I understand that ticket-forwarding, etc won't work. -Kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 284 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010111/edf2fab2/attachment.bin From ksulliva at psc.edu Fri Jan 12 06:48:00 2001 From: ksulliva at psc.edu (Kevin Sullivan) Date: Thu, 11 Jan 2001 14:48:00 -0500 Subject: OpenSSH, Kth kerberos, and Digital Unix In-Reply-To: Your message of "14 Dec 2000 16:23:32 +0100." Message-ID: <14673.979242480@sludge.psc.edu> On 14 Dec 2000 16:23:32 +0100, Jan IVEN says >>>>>> "KS" == Kevin Sullivan writes: > > KS> I've compiled OpenSSH 2.3.0p1 with Kerberos 4 from Kth (1.0.4). We use A >FS > KS> heavily and need the AFS token passing features. This combo is working > KS> great on Irix and NetBSD/{alpha,i386}, but it's dying on Digital Unix (4. >0f > KS> and 5.0). > > KS> "ssh -v hostname" dumps core in des_pcbc_encrypt() after "Trying Kerberos > KS> authentication". My suspicion is that the des routines from OpenSSL and > KS> Kerberos are getting confused by the linker, but I'm not sure how to test > KS> that or fix it. > > KS> Has anyone seen this before? Any suggestions? > >We have trouble with the self-test for DES from openssl-0.9.6 on >Digital boxes (OSF1 refdux40f V4.0 1229 alpha). The tests produce lots >of "unaligned access" errors and all of them fail (despite being >converted transparently). If you have "uac noprint sigbus" on your >machine, this might be the same problem in disguise? Could be, though the des tests work fine. I've fixed the problem by removing the des libraries from libcrypt.a and using the ones which came with Kth-krb4. Thanks for the pointer! -Kevin -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 284 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010111/da09d7d0/attachment.bin From johnh at aproposretail.com Fri Jan 12 06:48:47 2001 From: johnh at aproposretail.com (John Hardin) Date: Thu, 11 Jan 2001 11:48:47 -0800 Subject: Glibc Local Root Exploit (fwd) References: <20010111203155.B29499@greenie.muc.de> Message-ID: <3A5E0E1F.54E38140@aproposretail.com> Gert Doering wrote: > > Bind to the privileged socket very early, drop suid, then start doing > anything else (parsing files, reading things). > > But if the bugs in glibc are bad enough, even that won't help... I believe that this bug only bites when you call the resolver libraries, so dropping suid before attempting to resolve the remote host should avoid the exploitable condition. -- John Hardin Internal Systems Administrator Apropos Retail Management Systems, Inc. - (425) 672-1304 x265 From vovic at cs.msu.su Fri Jan 12 07:08:20 2001 From: vovic at cs.msu.su (vovic) Date: Thu, 11 Jan 2001 23:08:20 +0300 (MSK) Subject: Bug/feature: Slackware + openssh 2.1 does not work Message-ID: Hello. I've tried to install openssh to my Linux Slackware boxes, but it works only for connecting to other hosts. The bug is in the auth-passwd.c of pppd. Slackware has it's own (or just an another) version of shadow package (if I've understood the problem correctly) with it's own password encryption manner. I do not use stuff like Kerberos, PAM etc. As a result, the line encrypted_password=crypt(password,salt); creates an encrypted password that is different than the stored in /etc/shadow . I do not know the password encryption used in Slackware, but ssh (not OpenSSH) works fine. So, it is advisable for auth-passwd.c maintainer to connect to Slackware developers or to look to the ssh distribution in order to fix this. Unfortunally, my time for this problem solving has exhausted, and I cannot do this myself :( . Yours, Voznesensky Vladimir, Moscow, Russia. From devon at admin2.gisnetworks.com Fri Jan 12 07:25:22 2001 From: devon at admin2.gisnetworks.com (Devon Bleak) Date: Thu, 11 Jan 2001 12:25:22 -0800 Subject: Bug/feature: Slackware + openssh 2.1 does not work References: Message-ID: <3A5E16B2.52D5011E@admin2.gisnetworks.com> hello, i run slackware 7.x on more than a few machines, all of which have had openssh 2.1.0 up to 2.3.0 installed on them and working fine. check your /etc/shadow file format. if the encrypted passwords start with $1$, then you'll need to give the configure script the --with-md5-passwords switch. if they don't, then you'll have to omit that switch. openssh doesn't use the crypt function from libcrypt (part of glibc), it uses its own, which is why you have to tell it explicitly. the glibc crypt has built-in functionality to detect md5 passwords (based on the $1$ at the beginning of the string). devon vovic wrote: > > Hello. > I've tried to install openssh to my Linux Slackware boxes, but it works > only for connecting to other hosts. > The bug is in the auth-passwd.c of pppd. Slackware has it's own (or just > an another) version of shadow package (if I've understood the > problem correctly) with it's own password encryption manner. > I do not use stuff like Kerberos, PAM etc. > As a result, the line > encrypted_password=crypt(password,salt); > creates an encrypted password that is different than the stored in > /etc/shadow . > I do not know the password encryption used in Slackware, but ssh (not > OpenSSH) works fine. > So, it is advisable for auth-passwd.c maintainer to connect to Slackware > developers or to look to the ssh distribution in order to fix this. > Unfortunally, my time for this problem solving has exhausted, and I cannot > do this myself :( . > Yours, Voznesensky Vladimir, Moscow, Russia. From rachit at ensim.com Fri Jan 12 07:37:10 2001 From: rachit at ensim.com (Rachit Siamwalla) Date: Thu, 11 Jan 2001 12:37:10 -0800 Subject: contrib/redhat/openssh.spec question References: Message-ID: <3A5E1976.A62B1917@ensim.com> thanx a lot guys, i guess it turns out most of my problems are due to a old version of rpm. -rchit From gert at greenie.muc.de Fri Jan 12 08:10:47 2001 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 11 Jan 2001 22:10:47 +0100 Subject: Glibc Local Root Exploit (fwd) In-Reply-To: <3A5E0E1F.54E38140@aproposretail.com>; from John Hardin on Thu, Jan 11, 2001 at 11:48:47AM -0800 References: <20010111203155.B29499@greenie.muc.de> <3A5E0E1F.54E38140@aproposretail.com> Message-ID: <20010111221047.I29499@greenie.muc.de> Hi, On Thu, Jan 11, 2001 at 11:48:47AM -0800, John Hardin wrote: > > Bind to the privileged socket very early, drop suid, then start doing > > anything else (parsing files, reading things). > > > > But if the bugs in glibc are bad enough, even that won't help... > > I believe that this bug only bites when you call the resolver libraries, > so dropping suid before attempting to resolve the remote host should > avoid the exploitable condition. For this specific bug, yes. I was thinking more in the general direction of "is there a way to avoid being bitten by a similar bug in the future". gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From pekkas at netcore.fi Fri Jan 12 08:19:25 2001 From: pekkas at netcore.fi (Pekka Savola) Date: Thu, 11 Jan 2001 23:19:25 +0200 (EET) Subject: Glibc Local Root Exploit (fwd) In-Reply-To: <20010111203155.B29499@greenie.muc.de> Message-ID: On Thu, 11 Jan 2001, Gert Doering wrote: > Hi, > > On Thu, Jan 11, 2001 at 11:41:36AM -0600, mouring at etoh.eviladmin.org wrote: > > 2) Where is the correct 'sweet' spot to drop priviledge to stop this type > > of attack (Assuming there is such a spot for every OS). > > Bind to the privileged socket very early, drop suid, then start doing > anything else (parsing files, reading things). > > But if the bugs in glibc are bad enough, even that won't help... This isn't enough. If SSHv1 is used, after connecting ssh reads system private host key in case RhostsRSAAuthentication is being used. Of course, you could read that in advance too. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From hans-georg.pabst at ch.adtranz.com Fri Jan 12 02:31:52 2001 From: hans-georg.pabst at ch.adtranz.com (Hans-Georg Pabst) Date: Thu, 11 Jan 2001 16:31:52 +0100 Subject: OpenSSH 2.3.0p1 on Compaq Alpha Message-ID: <412569D1.00554F1A.00@demalng1.goc.adtranz.com> Hello, I have installed OpenSSH 2.3.0p1 on a DEC AlphaServer 4000 under Tru64 UNIX 4.0F and on a DEC AlphaStation 200 under Tru64 UNIX 5.1. I tested Protocol 2 and 1 with RAS authentication resp. DSA authentication an both work well. There is one bug: I cannot view the man pages for OpenSSH under Compaq Tru64 UNIX. Are they in a special format which is not understood by the Tru64 UNIX man command? Here, I want to contribute a boot script for sshd under Tru64 UNIX: #!/sbin/sh # # Purpose: Start sshd for OpenSSH at boot time. # For Compaq Alpha (Tru64 UNIX 4.0F and 5.1). # # Author: Hans-Georg Pabst, CH-8702 Zollikon, Switzerland # # SSHD_DAEMON=/usr/local/sbin/sshd SSHD_CONFIG=/etc/ssh SSHD_OPTS= SSHD_TITLE="SSH Daemon (OpenSSH 2.3.0)" SSHD_PID_FILE=/var/run/sshd.pid PATH=/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin export PATH Pid=`/sbin/init.d/bin/getpid $SSHD_DAEMON -uroot` case "$1" in 'start') if [ -z "$Pid" ]; then if [ ! -f $SSHD_CONFIG/ssh_host_key ]; then echo "Generating $SSHD_CONFIG/ssh_host_key." ssh-keygen -b 1024 -f $SSHD_CONFIG/ssh_host_key -N '' fi if [ ! -f $SSHD_CONFIG/ssh_host_dsa_key ]; then echo "Generating $SSHD_CONFIG/ssh_host_dsa_key." ssh-keygen -d -b 1024 -f $SSHD_CONFIG/ssh_host_dsa_key -N '' fi if [ -x $SSHD_DAEMON ]; then echo "Starting ${SSHD_TITLE}" $SSHD_DAEMON $SSHD_OPTS > /dev/null 2>&1 fi else echo "${SSHD_TITLE} already running (PID=$Pid)." fi ;; 'stop') if [ -r $SSHD_PID_FILE ]; then FILE_PID=`cat ${SSHD_PID_FILE}` fi if [ ! -z "$FILE_PID" ]; then echo "Stopping ${SSHD_TITLE}" kill -TERM $FILE_PID else if [ ! -z "$Pid" ]; then echo "Stopping ${SSHD_TITLE}" kill -TERM $Pid fi fi ;; *) echo "usage: $0 {start|stop}" ;; esac Here, I want to contribute a boot script for egd under Tru64 UNIX: #!/sbin/sh # # Purpose: Start EGD v0.8 (Entropy Gathering Daemon ) # on a Compaq Alpha (Tru64 UNIX 4.0F and 5.1) at boot time. # # Author: Hans-Georg Pabst, CH-8702 Zollikon, Switzerland # # PATH=/sbin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin export PATH EGD_DAEMON=/usr/local/sbin/egd.pl EGD_SOCKET=/tmp/entropy EGD_TITLE="Entropy Gathering Daemon (EGD 0.8)" EGD_LOG=/dev/null # # create $EGD_SOCKET writable to all # umask 000 Pid=`/sbin/init.d/bin/getpid $EGD_DAEMON -uroot` case "$1" in 'start') if [ -z "$Pid" ]; then if [ -x $EGD_DAEMON ]; then echo "Starting ${EGD_TITLE}" nohup $EGD_DAEMON $EGD_SOCKET > $EGD_LOG 2>&1 fi else echo "${EGD_TITLE} already running (PID=$Pid)." fi ;; 'stop') if [ ! -z "$Pid" ]; then echo "Stopping ${EGD_TITLE}" $EGD_DAEMON --kill $EGD_SOCKET > $EGD_LOG 2>&1 fi ;; *) echo "usage: $0 {start|stop}" ;; esac Best regards, Hans-Georg Pabst From markus.friedl at informatik.uni-erlangen.de Fri Jan 12 08:45:19 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 11 Jan 2001 22:45:19 +0100 Subject: Kerberos password authentication and SSH2 In-Reply-To: <14627.979242171@sludge.psc.edu>; from ksulliva@psc.edu on Thu, Jan 11, 2001 at 02:42:51PM -0500 References: <14627.979242171@sludge.psc.edu> Message-ID: <20010111224519.B31857@folly> On Thu, Jan 11, 2001 at 02:42:51PM -0500, Kevin Sullivan wrote: > #ifdef KRB4 > /* turn off kerberos, not supported by SSH2 */ > options.kerberos_authentication = 0; > #endif > > If I remove this snippet of code, then all works as expected and SSH2 users > can authenticate. Why is this code here? Will I open a security hole by > removing the code? I understand that ticket-forwarding, etc won't work. you cannot remove this code and expect to automagically get a full implementation of kerberosIV + SSH2. until recently, there was no spec for kerberos over SSH2. but perhaps kerberos-password authentication works, this needs to be tested... -markus From psmith at epicrealm.com Fri Jan 12 08:54:25 2001 From: psmith at epicrealm.com (Peter Smith) Date: Thu, 11 Jan 2001 15:54:25 -0600 Subject: Possible bug? scp attempts to forward ports... Message-ID: <9D899FC5B147D4118B3F000629550361DB46EB@ROCKFORD> I've been having a recurring problem using ssh and then scp. I've got 2 machines, client A and server B. I'm using OpenSSH on both. I've got a port-forward from server B in client A's "~/.ssh/config" file. Normally I login to server B via ssh from client A. With this session open (and a port forwarded) sometimes I go to a different terminal on client A and attempt to scp a file or two to server B. However, I am unable to use scp _at_all_ because of scp attempting, and failing, to forward the same port that the ssh connection already has open. It seems to me that this is undesirable behavior... Am I wrong? If not, I'll work on creating a bug item, etc, for this. I'm hoping it's not already known. I've checked the FAQ which does not mention anything like this. I've installed openssh v2.3.0p1 on client A and am still seeing this behavior. Both machines are ix86 using the portable openssh. Peter From ksulliva at psc.edu Fri Jan 12 09:36:36 2001 From: ksulliva at psc.edu (Kevin Sullivan) Date: Thu, 11 Jan 2001 17:36:36 -0500 Subject: Kerberos password authentication and SSH2 In-Reply-To: Your message of "Thu, 11 Jan 2001 22:45:19 +0100." <20010111224519.B31857@folly> Message-ID: <15498.979252596@sludge.psc.edu> On Thu, 11 Jan 2001 22:45:19 +0100, Markus Friedl says >you cannot remove this code and expect to automagically >get a full implementation of kerberosIV + SSH2. I understand that. The only piece I really care about is when you type in a password, the server checks against the Kerberos database in addition to /etc/passwd, and issues an AFS token if possible. This works by removing the 4 lines of code. The other kerberos features are cool and useful, but I can live without them. My main concern is people with Windows boxes who only have a SSH2 client. >until recently, there was no spec for kerberos over SSH2. >but perhaps kerberos-password authentication works, this needs >to be tested... One data point: it works for me. Hmmm, I do see one problem if you have AFS. In SSH1 you'll get a new pag, but not with SSH2. The k_setpag() code from auth1.c needs to be in auth2.c. I've appended a patch. Whether or not you delete the kerberos-disabling code, you should add the k_setpag code or else someone logging in may get more privs than they expect! -Kevin --- auth2.c.orig Thu Jan 11 17:23:48 2001 +++ auth2.c Thu Jan 11 17:24:06 2001 @@ -129,8 +129,12 @@ x_authctxt = authctxt; /*XXX*/ -#ifdef KRB4 - /* turn off kerberos, not supported by SSH2 */ - options.kerberos_authentication = 0; -#endif +#ifdef AFS + /* If machine has AFS, set process authentication group. */ + if (k_hasafs()) { + k_setpag(); + k_unlog(); + } +#endif /* AFS */ + dispatch_init(&protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 284 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010111/d5e8b7eb/attachment.bin From wendyp at cray.com Fri Jan 12 10:08:05 2001 From: wendyp at cray.com (Wendy Palm) Date: Thu, 11 Jan 2001 17:08:05 -0600 Subject: openssh with dce? Message-ID: <3A5E3CD5.40E10CD2@cray.com> is anyone running, or advocating running openssh in combination with dce? what would be the concerns? on first glance, i'd say they shouldn't be run together, but i don't know enough about dce to be able to definitively state that. thanks, wendy -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From sunil at redback.com Fri Jan 12 10:18:40 2001 From: sunil at redback.com (Sunil K. Vallamkonda) Date: Thu, 11 Jan 2001 15:18:40 -0800 (PST) Subject: ssh-keygen: passphrase. Message-ID: Looking at openSSH INSTALL: To generate a host key, run "make host-key". Alternately you can do so manually using the following commands: ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N "" ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N "" But when I try latter, I get: (gdb) n 1 0x35a6 in save_private_key_ssh2 ( filename=0xb2d2c "/mydir/ssh_host_dsa_key", _passphrase=0xb90f0 "''", key=0xc0360, comment=0xefbf91b0 "user at host") at authfile.c:172 ^^^^^^^^^ This means: In authfile.c - save_private_key_ssh2(..): if (len > 0 && len <= 4) { error("passphrase too short: %d bytes", len); errno = 0; return 0; } Any ideas why this check, when INSTALL says passphrase not required ? Thx. Sunil. From djm at mindrot.org Fri Jan 12 11:55:16 2001 From: djm at mindrot.org (Damien Miller) Date: Fri, 12 Jan 2001 11:55:16 +1100 (EST) Subject: ssh-keygen: passphrase. In-Reply-To: Message-ID: On Thu, 11 Jan 2001, Sunil K. Vallamkonda wrote: > > Looking at openSSH INSTALL: > > To generate a host key, run "make host-key". Alternately you can do so > manually using the following commands: > > ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N "" > ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N "" > > But when I try latter, I get: > > (gdb) n > 1 0x35a6 in save_private_key_ssh2 ( > filename=0xb2d2c "/mydir/ssh_host_dsa_key", > _passphrase=0xb90f0 "''", key=0xc0360, comment=0xefbf91b0 > "user at host") > at authfile.c:172 I am not sure what you are saying here - what is the problem you are seeing? > ^^^^^^^^^ > This means: > > In authfile.c - save_private_key_ssh2(..): > > > if (len > 0 && len <= 4) { > error("passphrase too short: %d bytes", len); > errno = 0; > return 0; > } > > > > > Any ideas why this check, when INSTALL says passphrase not required ? Read the check again - 0 length passphrases are allowed. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From jason at dfmm.org Fri Jan 12 12:01:11 2001 From: jason at dfmm.org (Jason Stone) Date: Thu, 11 Jan 2001 17:01:11 -0800 (PST) Subject: ssh-keygen: passphrase. In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > To generate a host key, run "make host-key". Alternately you can do so > manually using the following commands: > > ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N "" > ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N "" A zero length passphrase isn't the same as no passphrase. I.e., leave off the - -N "" and try again. -Jason --------------------------- If the Revolution comes to grief, it will be because you and those you lead have become alarmed at your own brutality. --John Gardner -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE6XldaswXMWWtptckRAqM5AKDOTY0MJn6m56a3d/Y6hTI0fig2UwCdFNKt KUjgVOnnumnTNK1DZP1XzR0= =2gU/ -----END PGP SIGNATURE----- From mouring at etoh.eviladmin.org Fri Jan 12 15:00:26 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 11 Jan 2001 22:00:26 -0600 (CST) Subject: SCO patch attempt. In-Reply-To: Message-ID: Since I don't have a SCO access I need you to try this, Tim. 1. Added utimes() support via utime() interface. 2. First wack at 32bit sftp-server. Markus, Can you skim the patch? The only aspect that I think is wrong (looking back) is the use of SSH2_OP_UNSUPPORTED in read/write. There should be SSH2_FX_TRUNCATE in the specs to account for such a case, but maybe I should be using SSH2_FX_EOF. Or maybe in process_open() should return SSH2_OP_UNSUPPORTED if a->high_size > 0.. But.. There is nothing in the sftp specs to handle such a case. So I suspect some odd behavior eitherway. - Ben diff -ur openssh/bsd-misc.c ossh/bsd-misc.c --- openssh/bsd-misc.c Thu Nov 16 21:47:20 2000 +++ ossh/bsd-misc.c Thu Jan 11 21:32:30 2001 @@ -80,3 +80,15 @@ return(sys_errlist[e]); } #endif + +#ifndef HAVE_UTIMES +int utimes(char *filename, struct timeval *tvp) +{ + struct utimbuf ub; + + ub.actime = tvp->tv_sec; + ub.modtime = tvp->tv_usec; + + return(utime(filename, &ub)); +} +#endif diff -ur openssh/bsd-misc.h ossh/bsd-misc.h --- openssh/bsd-misc.h Thu Nov 16 21:47:20 2000 +++ ossh/bsd-misc.h Thu Jan 11 21:34:12 2001 @@ -54,4 +54,15 @@ const char *strerror(int e); #endif + +#ifndef HAVE_UTIMES +struct timeval { + long tv_sec; + long tv_usec; +} + +int utimes(char *filename, struct timeval *tvp); +#endif + + #endif /* _BSD_MISC_H */ diff -ur openssh/bufaux.c ossh/bufaux.c --- openssh/bufaux.c Thu Jan 11 00:56:25 2001 +++ ossh/bufaux.c Thu Jan 11 21:28:32 2001 @@ -152,6 +152,7 @@ return GET_32BIT(buf); } +#ifdef HAVE_U_INT64_T u_int64_t buffer_get_int64(Buffer *buffer) { @@ -159,6 +160,7 @@ buffer_get(buffer, (char *) buf, 8); return GET_64BIT(buf); } +#endif /* * Stores an integer in the buffer in 4 bytes, msb first. @@ -171,6 +173,7 @@ buffer_append(buffer, buf, 4); } +#ifdef HAVE_U_INT64_T void buffer_put_int64(Buffer *buffer, u_int64_t value) { @@ -178,6 +181,7 @@ PUT_64BIT(buf, value); buffer_append(buffer, buf, 8); } +#endif /* * Returns an arbitrary binary string from the buffer. The string cannot diff -ur openssh/bufaux.h ossh/bufaux.h --- openssh/bufaux.h Thu Jan 11 00:56:25 2001 +++ ossh/bufaux.h Thu Jan 11 21:29:10 2001 @@ -30,11 +30,15 @@ /* Returns an integer from the buffer (4 bytes, msb first). */ u_int buffer_get_int(Buffer * buffer); +#ifdef HAVE_U_INT64_T u_int64_t buffer_get_int64(Buffer *buffer); +#endif /* Stores an integer in the buffer in 4 bytes, msb first. */ void buffer_put_int(Buffer * buffer, u_int value); +#ifdef HAVE_U_INT64_T void buffer_put_int64(Buffer *buffer, u_int64_t value); +#endif /* Returns a character from the buffer (0 - 255). */ int buffer_get_char(Buffer * buffer); diff -ur openssh/configure.in ossh/configure.in --- openssh/configure.in Wed Jan 10 21:46:49 2001 +++ ossh/configure.in Thu Jan 11 21:38:14 2001 @@ -316,7 +316,7 @@ AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h vis.h) dnl Checks for library functions. -AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getnameinfo getrlimit getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strsep strtok_r sysconf vsnprintf vhangup vis waitpid _getpty __b64_ntop) +AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getnameinfo getrlimit getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strsep strtok_r sysconf utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop) dnl Checks for time functions AC_CHECK_FUNCS(gettimeofday time) dnl Checks for libutil functions @@ -830,7 +830,7 @@ if test "x$ac_cv_have_int64_t" = "xno" -a \ "x$ac_cv_sizeof_long_int" != "x8" -a \ "x$ac_cv_sizeof_long_long_int" = "x0" ; then - NO_SFTP='#' + NO_SFTP="" AC_SUBST(NO_SFTP) fi diff -ur openssh/getput.h ossh/getput.h --- openssh/getput.h Thu Jan 11 00:56:25 2001 +++ ossh/getput.h Thu Jan 11 21:27:50 2001 @@ -18,6 +18,7 @@ /*------------ macros for storing/extracting msb first words -------------*/ +#ifdef HAVE_U_INT64_T #define GET_64BIT(cp) (((u_int64_t)(u_char)(cp)[0] << 56) | \ ((u_int64_t)(u_char)(cp)[1] << 48) | \ ((u_int64_t)(u_char)(cp)[2] << 40) | \ @@ -26,6 +27,7 @@ ((u_int64_t)(u_char)(cp)[5] << 16) | \ ((u_int64_t)(u_char)(cp)[6] << 8) | \ ((u_int64_t)(u_char)(cp)[7])) +#endif #define GET_32BIT(cp) (((u_long)(u_char)(cp)[0] << 24) | \ ((u_long)(u_char)(cp)[1] << 16) | \ @@ -35,6 +37,7 @@ #define GET_16BIT(cp) (((u_long)(u_char)(cp)[0] << 8) | \ ((u_long)(u_char)(cp)[1])) +#ifdef HAVE_U_INT64_T #define PUT_64BIT(cp, value) do { \ (cp)[0] = (value) >> 56; \ (cp)[1] = (value) >> 48; \ @@ -44,6 +47,7 @@ (cp)[5] = (value) >> 16; \ (cp)[6] = (value) >> 8; \ (cp)[7] = (value); } while (0) +#endif #define PUT_32BIT(cp, value) do { \ (cp)[0] = (value) >> 24; \ diff -ur openssh/sftp-server.c ossh/sftp-server.c --- openssh/sftp-server.c Thu Jan 11 21:09:05 2001 +++ ossh/sftp-server.c Thu Jan 11 21:27:00 2001 @@ -33,7 +33,9 @@ #include "sftp.h" /* helper */ +#ifdef HAVE_U_INT64_T #define get_int64() buffer_get_int64(&iqueue); +#endif #define get_int() buffer_get_int(&iqueue); #define get_string(lenp) buffer_get_string(&iqueue, lenp); #define TRACE debug @@ -56,7 +58,12 @@ struct Attrib { u_int32_t flags; +#ifndef HAVE_U_INT64_T + u_int32_t high_size; + u_int32_t low_size; +#else u_int64_t size; +#endif u_int32_t uid; u_int32_t gid; u_int32_t perm; @@ -126,7 +133,12 @@ attrib_clear(Attrib *a) { a->flags = 0; +#ifndef HAVE_U_INT64_T + a->high_size = 0; + a->low_size = 0; +#else a->size = 0; +#endif a->uid = 0; a->gid = 0; a->perm = 0; @@ -141,7 +153,12 @@ attrib_clear(&a); a.flags = buffer_get_int(b); if (a.flags & SSH2_FILEXFER_ATTR_SIZE) { +#ifndef HAVE_U_INT64_T + a.high_size = buffer_get_int32(b); + a.low_size = buffer_get_int32(b); +#else a.size = buffer_get_int64(b); +#endif } if (a.flags & SSH2_FILEXFER_ATTR_UIDGID) { a.uid = buffer_get_int(b); @@ -174,7 +191,12 @@ { buffer_put_int(b, a->flags); if (a->flags & SSH2_FILEXFER_ATTR_SIZE) { +#ifndef HAVE_U_INT64_T + buffer_put_int32(b, a->high_size); + buffer_put_int32(b, a->high_low); +#else buffer_put_int64(b, a->size); +#endif } if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) { buffer_put_int(b, a->uid); @@ -196,7 +218,12 @@ attrib_clear(&a); a.flags = 0; a.flags |= SSH2_FILEXFER_ATTR_SIZE; +#ifndef HAVE_U_INT64_T + a.low_size = st->st_size; + a.high_size = 0; +#else a.size = st->st_size; +#endif a.flags |= SSH2_FILEXFER_ATTR_UIDGID; a.uid = st->st_uid; a.gid = st->st_gid; @@ -495,11 +522,23 @@ char buf[64*1024]; u_int32_t id, len; int handle, fd, ret, status = SSH2_FX_FAILURE; +#ifndef HAVE_U_INT64_T + u_int32_t off; +#else u_int64_t off; +#endif id = get_int(); handle = get_handle(); +#ifndef HAVE_U_INT64_T + if (get_int32() > 0) { + send_status(id, SSH2_OP_UNSUPPORTED); + return; + } + off = get_int32(); +#else off = get_int64(); +#endif len = get_int(); TRACE("read id %d handle %d off %lld len %d", id, handle, off, len); @@ -532,14 +571,26 @@ process_write(void) { u_int32_t id; +#ifndef HAVE_U_INT64_T + u_int32_t off; +#else u_int64_t off; +#endif u_int len; int handle, fd, ret, status = SSH2_FX_FAILURE; char *data; id = get_int(); handle = get_handle(); +#ifndef HAVE_U_INT64_T + if (get_int32() > 0) { + send_status(id, SSH2_OP_UNSUPPORTED); + return; + } + off = get_int32(); +#else off = get_int64(); +#endif data = get_string(&len); TRACE("write id %d handle %d off %lld len %d", id, handle, off, len); From mike at hyperreal.org Fri Jan 12 15:17:02 2001 From: mike at hyperreal.org (mike at hyperreal.org) Date: Thu, 11 Jan 2001 20:17:02 -0800 (PST) Subject: login.conf MAIL environment weirdness solved Message-ID: <20010112041702.8501.qmail@hyperreal.org> A while back, I posted to the freebsd-questions list about a problem I was having getting custom MAIL environment variable settings in /etc/login.conf to take. Something had happened between FreeBSD 3.3 and 4.2 that caused MAIL to always be set to /var/mail/$USER. It turns out this was a problem with the sshd configuration. The problem was apparently related to the fact OpenSSH's sshd is now configured by default with "UseLogin no", meaning it will not invoke the system's login(1) after authentication. I changed this to "UseLogin yes" and sent a HUP signal to sshd, and all is well; MAIL is now whatever I set it to in /etc/login.conf (and /etc/login.conf.db). The version of OpenSSH that comes with FreeBSD 4.2, if "UseLogin no" is set or is undefined, will seem to process *other* environment variables defined in /etc/login.conf, but always leaves MAIL as the default value which is compiled into sshd. This was very a confusing situation and made the problem difficult to diagnose. More recent snapshots of OpenSSH do not seem to acknowledge environment changes in /etc/login.conf at all, when UseLogin was no. So like I said, the solution was "UseLogin yes" in sshd_config. Now I have some questions: 1. What risks are there in having "UseLogin yes"? 2. Is the current sshd behaving as intended (not doing anything to cause /etc/login.conf.db to be processed at all)? 3. Why was the older version picking up the login.conf environment settings, aside from MAIL, even if "UseLogin no" was set? - Mike ________________________________________________________________________ Mike Brown / Hyperreal | Hyperreal http://music.hyperreal.org/ PO Box 61334 | XML & XSL http://skew.org/xml/ Denver CO 80206-8334 USA | personal http://www.hyperreal.org/~mike/ From tim at multitalents.net Fri Jan 12 17:43:24 2001 From: tim at multitalents.net (Tim Rice) Date: Thu, 11 Jan 2001 22:43:24 -0800 (PST) Subject: SCO patch attempt. In-Reply-To: Message-ID: On Thu, 11 Jan 2001 mouring at etoh.eviladmin.org wrote: > > Since I don't have a SCO access I need you to try this, Tim. > > 1. Added utimes() support via utime() interface. A good start. (More below) > 2. First wack at 32bit sftp-server. > > Markus, > > Can you skim the patch? The only aspect that I think is wrong (looking > back) is the use of SSH2_OP_UNSUPPORTED in read/write. There should be That might explain ... cc -g -I/usr/local/include -I/usr/local/ssl/include -I. -Isrc -DETCDIR=\"/usr/lo cal/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/loca l/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c src/sftp-server.c UX:acomp: ERROR: "src/sftp-server.c", line 196: undefined struct/union member: h igh_low UX:acomp: ERROR: "src/sftp-server.c", line 535: undefined symbol: SSH2_OP_UNSUPP ORTED UX:acomp: ERROR: "src/sftp-server.c", line 587: undefined symbol: SSH2_OP_UNSUPP ORTED gmake: *** [sftp-server.o] Error 1 ... BTW. This was on a machine that has utimes() and long long. > SSH2_FX_TRUNCATE in the specs to account for such a case, but maybe I > should be using SSH2_FX_EOF. Or maybe in process_open() should return > SSH2_OP_UNSUPPORTED if a->high_size > 0.. But.. There is nothing in the > sftp specs to handle such a case. So I suspect some odd behavior > eitherway. > > - Ben > > diff -ur openssh/bsd-misc.h ossh/bsd-misc.h > --- openssh/bsd-misc.h Thu Nov 16 21:47:20 2000 > +++ ossh/bsd-misc.h Thu Jan 11 21:34:12 2001 > @@ -54,4 +54,15 @@ > const char *strerror(int e); > #endif > > + > +#ifndef HAVE_UTIMES > +struct timeval { > + long tv_sec; > + long tv_usec; OK, change #ifndef HAVE_UTIMES to #if !defined(HAVE_UTIMES) && !defined(HAVE_UTIME) In configure.in, add utime.h to AC_CHECK_HEADERS add utime to AC_CHECK_FUNCS In includes.h add #ifdef HAVE_UTIME_H # include #endif When I get more time i'll look into the sftp-server problem. > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From tim at multitalents.net Fri Jan 12 18:27:29 2001 From: tim at multitalents.net (Tim Rice) Date: Thu, 11 Jan 2001 23:27:29 -0800 (PST) Subject: SCO patch attempt. In-Reply-To: Message-ID: On Thu, 11 Jan 2001, Tim Rice wrote: > On Thu, 11 Jan 2001 mouring at etoh.eviladmin.org wrote: > > > > > diff -ur openssh/bsd-misc.h ossh/bsd-misc.h > > --- openssh/bsd-misc.h Thu Nov 16 21:47:20 2000 > > +++ ossh/bsd-misc.h Thu Jan 11 21:34:12 2001 > > @@ -54,4 +54,15 @@ > > const char *strerror(int e); > > #endif > > > > + > > +#ifndef HAVE_UTIMES > > +struct timeval { > > + long tv_sec; > > + long tv_usec; > > OK, change #ifndef HAVE_UTIMES to > #if !defined(HAVE_UTIMES) && !defined(HAVE_UTIME) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ It was allready past bedtime when I fired this off and now I can't sleep because this doesn't make any sense. I was getting ... cc -g -I/usr/local/include -I/usr/local/ssl/include -I. -Isrc -DETCDIR=\"/usr/lo cal/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/loca l/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c src/bsd-arc4random.c UX:acomp: ERROR: "src/bsd-misc.h", line 59: (struct) tag redeclared: timeval UX:acomp: ERROR: "src/bsd-misc.h", line 64: invalid type combination gmake: *** [bsd-arc4random.o] Error 1 ... Maybe it should be #ifndef HAVE_UTIME_H I'll do more checking tomorrow. > > In configure.in, > add utime.h to AC_CHECK_HEADERS > add utime to AC_CHECK_FUNCS > > In includes.h add > #ifdef HAVE_UTIME_H > # include > #endif > > When I get more time i'll look into the sftp-server problem. > > > > > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From Markus.Friedl at informatik.uni-erlangen.de Fri Jan 12 18:43:07 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 12 Jan 2001 08:43:07 +0100 Subject: SFTP Server For Linux 7 (fwd) Message-ID: <20010112084306.A5300@faui02.informatik.uni-erlangen.de> fyi. who is running RH7? i don't. -------------- next part -------------- An embedded message was scrubbed... From: Jason Subject: SFTP Server For Linux 7 Date: Thu, 11 Jan 2001 19:03:54 -0600 Size: 2121 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010112/52923a41/attachment.mht From Markus.Friedl at informatik.uni-erlangen.de Fri Jan 12 18:46:52 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 12 Jan 2001 08:46:52 +0100 Subject: Strange errors for sftp and scp (fwd) Message-ID: <20010112084652.B5300@faui02.informatik.uni-erlangen.de> -------------- next part -------------- An embedded message was scrubbed... From: Olof Liungman Subject: Strange errors for sftp and scp Date: Thu, 11 Jan 2001 18:28:33 -0800 Size: 9107 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010112/19ee0e6b/attachment.mht From gem at rellim.com Fri Jan 12 18:47:54 2001 From: gem at rellim.com (Gary E. Miller) Date: Thu, 11 Jan 2001 23:47:54 -0800 (PST) Subject: SFTP Server For Linux 7 (fwd) In-Reply-To: <20010112084306.A5300@faui02.informatik.uni-erlangen.de> Message-ID: Yo Markus! Even Linus peed on RH 7. And it was the wrong kind of pee, as reported elsewhere. Once again, RH shipped a beta ( and buggy ) compiler as the real thing. Stay away from it, I have already been bitten by it several times... RGDS GARY --------------------------------------------------------------------------- Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701 gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676 On Fri, 12 Jan 2001, Markus Friedl wrote: > Date: Fri, 12 Jan 2001 08:43:07 +0100 > From: Markus Friedl > To: openssh-unix-dev at mindrot.org > Subject: SFTP Server For Linux 7 (fwd) > > fyi. who is running RH7? i don't. > From pekkas at netcore.fi Fri Jan 12 18:55:22 2001 From: pekkas at netcore.fi (Pekka Savola) Date: Fri, 12 Jan 2001 09:55:22 +0200 (EET) Subject: SFTP Server For Linux 7 (fwd) In-Reply-To: <20010112084306.A5300@faui02.informatik.uni-erlangen.de> Message-ID: >First of all... please dont flame me for running RedHat Linux 7. It is a >requirement from my supervisor. > >I am looking for the proper way to setup sftp-server using openSSH. Can >you please point me in the right direction? I have the statment defined >in my sshd_config file, but it does not work. > >When I do a locate sftp-server... it reports it is not even on the >system. Check out your sshd_config. It reads like #Subsystem sftp /usr/libexec/openssh/openssh/sftp-server or the like (they patched sshd_config file in a wrong way and fixpaths munged it, it's ok now). Replace it with Subsystem sftp /usr/libexec/openssh/sftp-server and you should be fine. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From Markus.Friedl at informatik.uni-erlangen.de Fri Jan 12 19:06:56 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 12 Jan 2001 09:06:56 +0100 Subject: Possible bug? scp attempts to forward ports... In-Reply-To: <9D899FC5B147D4118B3F000629550361DB46EB@ROCKFORD>; from psmith@epicrealm.com on Thu, Jan 11, 2001 at 03:54:25PM -0600 References: <9D899FC5B147D4118B3F000629550361DB46EB@ROCKFORD> Message-ID: <20010112090655.D5300@faui02.informatik.uni-erlangen.de> imho, this is a user error. use special aliases for setting up forwardings, e.g.: % cat .ssh/config Host hosta* User name Host hostafwd Localforward ... Hostname hosta % now % scp hosta:file /dir works. but perhaps i'll add a clearallforwardings option to openssh, On Thu, Jan 11, 2001 at 03:54:25PM -0600, Peter Smith wrote: > I've been having a recurring problem using ssh and then scp. I've got 2 > machines, client A and server B. I'm using OpenSSH on both. I've got a > port-forward from server B in client A's "~/.ssh/config" file. Normally I > login to server B via ssh from client A. With this session open (and a port > forwarded) sometimes I go to a different terminal on client A and attempt to > scp a file or two to server B. However, I am unable to use scp _at_all_ > because of scp attempting, and failing, to forward the same port that the > ssh connection already has open. > > It seems to me that this is undesirable behavior... Am I wrong? If not, > I'll work on creating a bug item, etc, for this. I'm hoping it's not > already known. I've checked the FAQ which does not mention anything like > this. > > I've installed openssh v2.3.0p1 on client A and am still seeing this > behavior. Both machines are ix86 using the portable openssh. > > Peter From Markus.Friedl at informatik.uni-erlangen.de Fri Jan 12 19:09:20 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 12 Jan 2001 09:09:20 +0100 Subject: ssh-keygen: passphrase. In-Reply-To: ; from sunil@redback.com on Thu, Jan 11, 2001 at 03:18:40PM -0800 References: Message-ID: <20010112090920.E5300@faui02.informatik.uni-erlangen.de> On Thu, Jan 11, 2001 at 03:18:40PM -0800, Sunil K. Vallamkonda wrote: > > Looking at openSSH INSTALL: > > To generate a host key, run "make host-key". Alternately you can do so > manually using the following commands: > > ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N "" > ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N "" > > But when I try latter, I get: > > (gdb) n > 1 0x35a6 in save_private_key_ssh2 ( > filename=0xb2d2c "/mydir/ssh_host_dsa_key", > _passphrase=0xb90f0 "''", key=0xc0360, comment=0xefbf91b0 _passphrase == "''" this does not look like an empty passphrase. perhaps your shell quoting is wrong? > "user at host") > at authfile.c:172 > > ^^^^^^^^^ > This means: > > In authfile.c - save_private_key_ssh2(..): > > > if (len > 0 && len <= 4) { > error("passphrase too short: %d bytes", len); > errno = 0; > return 0; > } > > > > > Any ideas why this check, when INSTALL says passphrase not required ? > > Thx. > > Sunil. > > From Markus.Friedl at informatik.uni-erlangen.de Fri Jan 12 19:09:49 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 12 Jan 2001 09:09:49 +0100 Subject: ssh-keygen: passphrase. In-Reply-To: ; from jason@dfmm.org on Thu, Jan 11, 2001 at 05:01:11PM -0800 References: Message-ID: <20010112090948.F5300@faui02.informatik.uni-erlangen.de> On Thu, Jan 11, 2001 at 05:01:11PM -0800, Jason Stone wrote: > > > To generate a host key, run "make host-key". Alternately you can do so > > manually using the following commands: > > > > ssh-keygen -b 1024 -f /etc/ssh/ssh_host_key -N "" > > ssh-keygen -d -f /etc/ssh/ssh_host_dsa_key -N "" > > A zero length passphrase isn't the same as no passphrase. it is. at least in openssh. From jhuuskon at messi.uku.fi Fri Jan 12 19:09:25 2001 From: jhuuskon at messi.uku.fi (Jarno Huuskonen) Date: Fri, 12 Jan 2001 10:09:25 +0200 Subject: Key fingerprint feature request Message-ID: <20010112100924.A4380@laivuri63.uku.fi> Hi, Does anyone know what algorithm the commercial ssh-2.3.0 uses to display the key fingerprints ? On the manual it says the algorithm is 'bubble babble' but I didn't find out how to actually create this bubble string (I guess I could find out from the sources). I think that it would be a nice option if OpenSSH could print out the host keys fingerprint in same format as the commercial ssh. This would make it so much easier to compare host keys etc. when you (have to) use both commercial ssh / openssh clients and servers. >From what I can see it wouldn't be too much work to add new fingerprint method to key.c:key_fingerprint ... Perhaps the fingerprint style could be configurable with ssh_config options ? -Jarno -- Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi University of Kuopio - Computer Centre | Work: +358 17 162822 PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169 From Markus.Friedl at informatik.uni-erlangen.de Fri Jan 12 19:44:06 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 12 Jan 2001 09:44:06 +0100 Subject: Key fingerprint feature request In-Reply-To: <20010112100924.A4380@laivuri63.uku.fi>; from jhuuskon@messi.uku.fi on Fri, Jan 12, 2001 at 10:09:25AM +0200 References: <20010112100924.A4380@laivuri63.uku.fi> Message-ID: <20010112094406.A9799@faui02.informatik.uni-erlangen.de> > Does anyone know what algorithm the commercial ssh-2.3.0 uses to display > the key fingerprints ? On the manual it says the algorithm is > 'bubble babble' but I didn't find out how to actually create this > bubble string (I guess I could find out from the sources). they use sha1 for fingerprints, we use md5 we print hex digits, they use 'bubble babble' but there is a compile time define to switch to hex digits. you have to use the sources for 'bubble babble' > I think that it would be a nice option if OpenSSH could print out > the host keys fingerprint in same format as the commercial ssh. This would > make it so much easier to compare host keys etc. when you (have to) use > both commercial ssh / openssh clients and servers. i think it would be nice if the commercial ssh could print out the host keys fingerprint in same format as OpenSSH :) > >From what I can see it wouldn't be too much work to add new fingerprint > method to key.c:key_fingerprint ... Perhaps the fingerprint style could > be configurable with ssh_config options ? well, ssh-keygen does not read ssh_config (and should not). but, yes, perhaps key_fingerprint should get some more options (like hash type, output format). on the other hand, this could confuse people. From Hans.Schwengeler at unibas.ch Fri Jan 12 23:13:47 2001 From: Hans.Schwengeler at unibas.ch (Hans Schwengeler) Date: Fri, 12 Jan 2001 13:13:47 +0100 (MET) Subject: No subject Message-ID: <200101121213.NAA0000009058@saturn.astro.unibas.ch> Hello, the man pages for openssh-2.3.0p1 look bad on our Tru64 Unix V4.0E systems. (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communica- tions between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel. connects and logs into the specified The user must prove his/her identity to the remote machine using one of several methods depending on the protocol version used: First, if the machine the user logs in from is listed in or on the remote machine, and the user names are the same on both sides, the user is immediately permitted to log in. Second, if or exists in the user's home directory on the remote machine and contains a line containing the name of the client machine and the name of the user on that machine, the user is permitted to log in. This form of authentication alone is normally not allowed by the server because it is not secure. The second (and primary) authentication method is the or method combined with RSA-based host authentication. It means that if the login would be permit- ted by or and if additionally the server can verify the client's host key (see and in the section), only then login is permitted. ... etc. The same happens if I use directly 'nroff -man ssh.1 | more'. (both /usr/bin/nroff and /usr/local/bin/nroff (aka groff 1.16.1)). Yours, H.Schwengeler (schwengeler at ubaclu.unibas.ch) From pekkas at netcore.fi Fri Jan 12 23:28:34 2001 From: pekkas at netcore.fi (Pekka Savola) Date: Fri, 12 Jan 2001 14:28:34 +0200 (EET) Subject: your mail In-Reply-To: <200101121213.NAA0000009058@saturn.astro.unibas.ch> Message-ID: On Fri, 12 Jan 2001, Hans Schwengeler wrote: > the man pages for openssh-2.3.0p1 look bad on our Tru64 Unix V4.0E > systems. > The same happens if I use directly 'nroff -man ssh.1 | more'. > (both /usr/bin/nroff and /usr/local/bin/nroff (aka groff 1.16.1)). use -mandoc. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From mouring at etoh.eviladmin.org Sat Jan 13 01:56:49 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 12 Jan 2001 08:56:49 -0600 (CST) Subject: SFTP Server For Linux 7 (fwd) In-Reply-To: Message-ID: On Fri, 12 Jan 2001, Pekka Savola wrote: > >First of all... please dont flame me for running RedHat Linux 7. It is a > >requirement from my supervisor. > > > >I am looking for the proper way to setup sftp-server using openSSH. Can > >you please point me in the right direction? I have the statment defined > >in my sshd_config file, but it does not work. > > > >When I do a locate sftp-server... it reports it is not even on the > >system. > > Check out your sshd_config. It reads like > > #Subsystem sftp /usr/libexec/openssh/openssh/sftp-server > > or the like (they patched sshd_config file in a wrong way and fixpaths > munged it, it's ok now). > > Replace it with > > Subsystem sftp /usr/libexec/openssh/sftp-server > > and you should be fine. > > I agree.. I'm running Redhat 7.0 as a development box (of course I dropped back a compiler release to a known good version. =) and One just needs to set the Subsystem path correct and it works perfectly. - Ben From mw at moni.msci.memphis.edu Sat Jan 13 01:48:36 2001 From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Fri, 12 Jan 2001 08:48:36 -0600 Subject: SFTP Server For Linux 7 (fwd) In-Reply-To: ; from gem@rellim.com on Thu, Jan 11, 2001 at 11:47:54PM -0800 References: <20010112084306.A5300@faui02.informatik.uni-erlangen.de> Message-ID: <20010112084836.B23532@moni.msci.memphis.edu> On Thu, Jan 11, 2001 at 11:47:54PM -0800, Gary E. Miller wrote: > Once again, RH shipped a beta ( and buggy ) compiler as the real thing. Try the updated gcc or kgcc. Mate From mouring at etoh.eviladmin.org Sat Jan 13 03:11:24 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 12 Jan 2001 10:11:24 -0600 (CST) Subject: SCO patch attempt. In-Reply-To: Message-ID: On Thu, 11 Jan 2001, Tim Rice wrote: > > > On Thu, 11 Jan 2001, Tim Rice wrote: > > > On Thu, 11 Jan 2001 mouring at etoh.eviladmin.org wrote: > > > > > > > > diff -ur openssh/bsd-misc.h ossh/bsd-misc.h > > > --- openssh/bsd-misc.h Thu Nov 16 21:47:20 2000 > > > +++ ossh/bsd-misc.h Thu Jan 11 21:34:12 2001 > > > @@ -54,4 +54,15 @@ > > > const char *strerror(int e); > > > #endif > > > > > > + > > > +#ifndef HAVE_UTIMES > > > +struct timeval { > > > + long tv_sec; > > > + long tv_usec; > > > > OK, change #ifndef HAVE_UTIMES to > > #if !defined(HAVE_UTIMES) && !defined(HAVE_UTIME) > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > It was allready past bedtime when I fired this off and now I can't sleep > because this doesn't make any sense. > > I was getting > ... > cc -g -I/usr/local/include -I/usr/local/ssl/include -I. -Isrc -DETCDIR=\"/usr/lo > cal/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/loca > l/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c src/bsd-arc4random.c > UX:acomp: ERROR: "src/bsd-misc.h", line 59: (struct) tag redeclared: timeval > UX:acomp: ERROR: "src/bsd-misc.h", line 64: invalid type combination > gmake: *** [bsd-arc4random.o] Error 1 > ... Ermm.. What other commands use 'timeval'? If you have a valid timeval. Then one is going to have to test the existance of timeval like they do other structures and set or not-set accordingly. - Ben From mouring at etoh.eviladmin.org Sat Jan 13 03:49:26 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 12 Jan 2001 10:49:26 -0600 (CST) Subject: Glibc Local Root Exploit (Redhat Annoucement) In-Reply-To: Message-ID: I know most of you don't care.. but this looks like the full description of the glibc issue with redhat updates. 1. Topic: A couple of bugs in GNU C library 2.2 allow unpriviledged user to read restricted files and preload libraries in /lib and /usr/lib directories into SUID programs even if those libraries have not been marked as such by system administrator. 2. Relevant releases/architectures: Red Hat Linux 7.0 - alpha, alphaev6, i386, i686 3. Problem description: Because of a typo in glibc source RESOLV_HOST_CONF and RES_OPTIONS variables were not removed from environment for SUID/SGID programs. LD_PRELOAD variable is honoured normally even for SUID/SGID applications (but removed afterwards from environment) if it does not contain `/' characters, but there is a special check which only preloads found libraries if they have the SUID bit set. If a library has been found in /etc/ld.so.cache this check was not done though, so malicious user could preload some /lib or /usr/lib library before SUID/SGID application and e.g. create or overwrite a file he did not have permissions to. [..snip everything else that is not required..] Complete Report at: http://linuxtoday.com/news_story.php3?ltsn=2001-01-11-020-04-SC-RH From hin at stacken.kth.se Sat Jan 13 03:26:12 2001 From: hin at stacken.kth.se (Hans Insulander) Date: 12 Jan 2001 17:26:12 +0100 Subject: Kerberos password authentication and SSH2 In-Reply-To: Kevin Sullivan's message of "Thu, 11 Jan 2001 17:36:36 -0500" References: <15498.979252596@sludge.psc.edu> Message-ID: <86snmoohy3.fsf@hink.hans.insulander.com> Kevin Sullivan writes: > On Thu, 11 Jan 2001 22:45:19 +0100, Markus Friedl says > >you cannot remove this code and expect to automagically > >get a full implementation of kerberosIV + SSH2. > > I understand that. The only piece I really care about is when you type in > a password, the server checks against the Kerberos database in addition to > /etc/passwd, and issues an AFS token if possible. This works by removing > the 4 lines of code. > > The other kerberos features are cool and useful, but I can live without > them. My main concern is people with Windows boxes who only have a SSH2 > client. > > >until recently, there was no spec for kerberos over SSH2. > >but perhaps kerberos-password authentication works, this needs > >to be tested... > > One data point: it works for me. Hmmm, I do see one problem if you have > AFS. In SSH1 you'll get a new pag, but not with SSH2. The k_setpag() code > from auth1.c needs to be in auth2.c. I've appended a patch. Whether or > not you delete the kerberos-disabling code, you should add the k_setpag > code or else someone logging in may get more privs than they expect! > > -Kevin > > --- auth2.c.orig Thu Jan 11 17:23:48 2001 > +++ auth2.c Thu Jan 11 17:24:06 2001 > @@ -129,8 +129,12 @@ > x_authctxt = authctxt; /*XXX*/ > > -#ifdef KRB4 > - /* turn off kerberos, not supported by SSH2 */ > - options.kerberos_authentication = 0; > -#endif > +#ifdef AFS > + /* If machine has AFS, set process authentication group. */ > + if (k_hasafs()) { > + k_setpag(); > + k_unlog(); > + } > +#endif /* AFS */ > + > dispatch_init(&protocol_error); > dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); > > I've already reported exaclty this fix a couple of months, but noone seemed to understand, or care. This fix is correct, someone should commit it. -- --- Hans Insulander , SM0UTY ----------------------- Gravity never looses. The best you can hope for is a draw. From gleblanc at cu-portland.edu Sat Jan 13 03:41:36 2001 From: gleblanc at cu-portland.edu (Gregory Leblanc) Date: 12 Jan 2001 08:41:36 -0800 Subject: SFTP Server For Linux 7 (fwd) In-Reply-To: Message-ID: <20010112164106.1E64F1A4A1@toad.mindrot.org> On 11 Jan 2001 23:47:54 -0800, Gary E. Miller wrote: > Yo Markus! > > Even Linus peed on RH 7. And it was the wrong kind of pee, as reported > elsewhere. > > Once again, RH shipped a beta ( and buggy ) compiler as the real thing. > > Stay away from it, I have already been bitten by it several times... Gah, that's a crock, RH outlined the reasons for their decision pretty clearly. Besides, with the updates, the C compiler is BETTER than the "released" gcc C compiler, and the C++ compiler is working, although not compatible with other compiler versions. And if you're going to flame RH for this, I sure hope you flamed Debian back when they pulled the same stunt. That said, I think Pekka Savola has answered this question nicely. Thanks, Greg From dale at accentre.com Sat Jan 13 07:22:08 2001 From: dale at accentre.com (dale at accentre.com) Date: Fri, 12 Jan 2001 12:22:08 -0800 Subject: Socket options not properly set for ssh and sshd. Message-ID: <20010112122207.A17573@cupro.opengvs.com> I mentioned this problem in a previous post (in November). This time I'm including a patch. Version: OpenSSH_2.3.0p1 Keywords: setsockopt keepalive hang masquerade interactive Symptom: For protocol 2, socket options (especially keepalive) are not being properly set for OpenSSH_2.3.0p1, even when request in the config files. Furthermore (for either protocol), keepalive is only set for "interactive" connections -- it should be set (when requested) for any sort of connection. ----------------------- As an aside (as information for anyone else with the same problem), I need keepalives to keep my connections from hanging after thirty minutes due to an ISP (Cox at work) router that is masquerading IP addresses for my local network. This router apparently drops the masquerade table entries after 30 minutes of inactivity. (Then, in response to any further activity from the client it just sends TCP resets, which generally leaves the connected incarnation of sshd hung until killed). My solution to that problem is to change the default keepalive time on my Linux system from 120 minutes to 20 minutes (1200 seconds) via echo 1200 > /proc/sys/net/ipv4/tcp_keepalive_time and then depend on sshd keepalives to avoid inactivity. --- sv0/packet.c Fri Oct 13 22:23:12 2000 +++ packet.c Tue Jan 2 16:40:45 2001 @@ -1225,7 +1225,7 @@ /* Informs that the current session is interactive. Sets IP flags for that. */ void -packet_set_interactive(int interactive, int keepalives) +packet_set_interactive(int interactive) { int on = 1; @@ -1235,12 +1235,7 @@ /* Only set socket options if using a socket. */ if (!packet_connection_is_on_socket()) return; - if (keepalives) { - /* Set keepalives if requested. */ - if (setsockopt(connection_in, SOL_SOCKET, SO_KEEPALIVE, (void *) &on, - sizeof(on)) < 0) - error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); - } + /* * IPTOS_LOWDELAY, TCP_NODELAY and IPTOS_THROUGHPUT are IPv4 only */ --- sv0/packet.h Fri Sep 15 19:29:09 2000 +++ packet.h Tue Jan 2 16:40:45 2001 @@ -65,7 +65,7 @@ * Informs that the current session is interactive. Sets IP flags for * optimal performance in interactive use. */ -void packet_set_interactive(int interactive, int keepalives); +void packet_set_interactive(int interactive); /* Returns true if the current connection is interactive. */ int packet_is_interactive(void); --- sv0/session.c Fri Oct 27 20:19:58 2000 +++ session.c Tue Jan 2 16:40:45 2001 @@ -405,8 +405,7 @@ case SSH_CMSG_EXEC_SHELL: case SSH_CMSG_EXEC_CMD: /* Set interactive/non-interactive mode. */ - packet_set_interactive(have_pty || s->display != NULL, - options.keepalives); + packet_set_interactive(have_pty || s->display != NULL); if (type == SSH_CMSG_EXEC_CMD) { command = packet_get_string(&dlen); --- sv0/ssh.c Fri Oct 27 20:19:58 2000 +++ ssh.c Tue Jan 2 16:42:51 2001 @@ -843,7 +843,7 @@ } } /* Tell the packet module whether this is an interactive session. */ - packet_set_interactive(interactive, options.keepalives); + packet_set_interactive(interactive); /* Clear agent forwarding if we don\'t have an agent. */ authfd = ssh_get_authentication_socket(); --- sv0/sshconnect.c Fri Sep 22 23:15:57 2000 +++ sshconnect.c Tue Jan 2 16:40:45 2001 @@ -304,6 +304,15 @@ linger.l_linger = 5; setsockopt(sock, SOL_SOCKET, SO_LINGER, (void *) &linger, sizeof(linger)); + if (options.keepalives) { + static const int on = 1; + + /* Set keepalives if requested. */ + if (setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE, (void *) &on, + sizeof(on)) < 0) + error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); + } + /* Set the connection. */ packet_set_connection(sock, sock); --- sv0/sshd.c Fri Oct 13 22:23:13 2000 +++ sshd.c Tue Jan 2 16:42:57 2001 @@ -1014,6 +1014,13 @@ linger.l_linger = 5; setsockopt(sock_in, SOL_SOCKET, SO_LINGER, (void *) &linger, sizeof(linger)); + if (options.keepalives) { + /* Set keepalives if requested. */ + if (setsockopt(sock_in, SOL_SOCKET, SO_KEEPALIVE, (void *) &on, + sizeof(on)) < 0) + error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); + } + /* * Register our connection. This turns encryption off because we do * not have a key. From sunil at redback.com Sat Jan 13 07:30:57 2001 From: sunil at redback.com (Sunil K. Vallamkonda) Date: Fri, 12 Jan 2001 12:30:57 -0800 (PST) Subject: auth Ques. Message-ID: I have a question on authentication. In openSSH, how do I enable keys based authentication (RSA) ? (Normally a user creates private/public keys, then puts public key on server under ~/.ssh/xxx ). How can this be achieved using openSSH ? I did not see in doc (may be I missed something..). Is it enough: In sshd_config: RSAAuthentication yes 1) On server, where should the user's public key be stored (~/.ssh/xxx)? 2) If RSA fails, does sshd automatically drop down to SSH_CMSG_AUTH_PASSWORD based ? Is this option configurable ? Thank you. Sunil. From pekkas at netcore.fi Sat Jan 13 07:45:42 2001 From: pekkas at netcore.fi (Pekka Savola) Date: Fri, 12 Jan 2001 22:45:42 +0200 (EET) Subject: auth Ques. In-Reply-To: Message-ID: On Fri, 12 Jan 2001, Sunil K. Vallamkonda wrote: > I have a question on authentication. > In openSSH, how do I enable keys based authentication (RSA) ? > (Normally a user creates private/public keys, then puts public key on > server under ~/.ssh/xxx ). How can this be achieved using openSSH ? > I did not see in doc (may be I missed something..). You should have read ssh(1) man page. Read under Protocol 1 and Protocol 2. Key generation and adding it to authorized_keys2 are explained there. > 1) On server, where should the user's public key be stored (~/.ssh/xxx)? See above. authorized_keys and authorized_keys2. > 2) If RSA fails, does sshd automatically drop down to > SSH_CMSG_AUTH_PASSWORD > based ? Is this option configurable ? Yes and yes. Disable those authentication methods in either sshd_config or connecting ssh_config/ ~/.ssh/config to tune which methods will be tried. The order is fixed. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From sunil at redback.com Sat Jan 13 08:20:05 2001 From: sunil at redback.com (Sunil K. Vallamkonda) Date: Fri, 12 Jan 2001 13:20:05 -0800 (PST) Subject: auth Ques. In-Reply-To: Message-ID: On Fri, 12 Jan 2001, Pekka Savola wrote: > On Fri, 12 Jan 2001, Sunil K. Vallamkonda wrote: > > I have a question on authentication. > > In openSSH, how do I enable keys based authentication (RSA) ? > > (Normally a user creates private/public keys, then puts public key on > > server under ~/.ssh/xxx ). How can this be achieved using openSSH ? > > I did not see in doc (may be I missed something..). > > You should have read ssh(1) man page. Read under Protocol 1 and Protocol > 2. Key generation and adding it to authorized_keys2 are explained there. > > > 1) On server, where should the user's public key be stored (~/.ssh/xxx)? > ^^^^^^^^ Thank you. but, Question is: in auth1.c file, case: SSH_CMSG_AUTH_RSA ... is initiated by client only, or server has control too in setting option to accept RSA or PASSWORD etc. ? > See above. authorized_keys and authorized_keys2. > > > 2) If RSA fails, does sshd automatically drop down to > > SSH_CMSG_AUTH_PASSWORD > > based ? Is this option configurable ? > > Yes and yes. Disable those authentication methods in either sshd_config > or connecting ssh_config/ ~/.ssh/config to tune which methods will be > tried. The order is fixed. > > -- > Pekka Savola "Tell me of difficulties surmounted, > Netcore Oy not those you stumble over and fall" > Systems. Networks. Security. -- Robert Jordan: A Crown of Swords > > > From markus.friedl at informatik.uni-erlangen.de Sat Jan 13 19:06:33 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 13 Jan 2001 09:06:33 +0100 Subject: SFTP Server For Linux 7 (fwd) In-Reply-To: <20010112164106.1E64F1A4A1@toad.mindrot.org>; from gleblanc@cu-portland.edu on Fri, Jan 12, 2001 at 08:41:36AM -0800 References: <20010112164106.1E64F1A4A1@toad.mindrot.org> Message-ID: <20010113090633.B6159@folly> would you please stop sending me mails about red hat or something similar. On Fri, Jan 12, 2001 at 08:41:36AM -0800, Gregory Leblanc wrote: > On 11 Jan 2001 23:47:54 -0800, Gary E. Miller wrote: > > Yo Markus! > > > > Even Linus peed on RH 7. And it was the wrong kind of pee, as reported > > elsewhere. > > > > Once again, RH shipped a beta ( and buggy ) compiler as the real thing. > > > > Stay away from it, I have already been bitten by it several times... > > Gah, that's a crock, RH outlined the reasons for their decision pretty > clearly. Besides, with the updates, the C compiler is BETTER than the > "released" gcc C compiler, and the C++ compiler is working, although not > compatible with other compiler versions. And if you're going to flame > RH for this, I sure hope you flamed Debian back when they pulled the > same stunt. That said, I think Pekka Savola has answered this question > nicely. Thanks, > > Greg > > From djm at mindrot.org Sat Jan 13 20:18:40 2001 From: djm at mindrot.org (Damien Miller) Date: Sat, 13 Jan 2001 20:18:40 +1100 (EST) Subject: Key fingerprint feature request In-Reply-To: <20010112094406.A9799@faui02.informatik.uni-erlangen.de> Message-ID: On Fri, 12 Jan 2001, Markus Friedl wrote: > > I think that it would be a nice option if OpenSSH could print > > out the host keys fingerprint in same format as the commercial > > ssh. This would make it so much easier to compare host keys etc. > > when you (have to) use both commercial ssh / openssh clients and > > servers. > > i think it would be nice if the commercial ssh could print out the > host keys fingerprint in same format as OpenSSH :) After all, we were first. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From djm at mindrot.org Sat Jan 13 20:29:20 2001 From: djm at mindrot.org (Damien Miller) Date: Sat, 13 Jan 2001 20:29:20 +1100 (EST) Subject: SFTP Server For Linux 7 (fwd) In-Reply-To: <20010112164106.1E64F1A4A1@toad.mindrot.org> Message-ID: On 12 Jan 2001, Gregory Leblanc wrote: > > Once again, RH shipped a beta ( and buggy ) compiler as the real thing. > > > > Stay away from it, I have already been bitten by it several times... > > Gah, that's a crock, RH outlined the reasons for their decision pretty Please - this argument has been thrashed out a dozen times on a dozen mailing lists. There is no need to repeat the argument here. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From markus.friedl at informatik.uni-erlangen.de Sun Jan 14 03:16:56 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 13 Jan 2001 17:16:56 +0100 Subject: SCO patch attempt. In-Reply-To: ; from mouring@etoh.eviladmin.org on Thu, Jan 11, 2001 at 10:00:26PM -0600 References: Message-ID: <20010113171656.A32104@folly> On Thu, Jan 11, 2001 at 10:00:26PM -0600, mouring at etoh.eviladmin.org wrote: > +#ifdef HAVE_U_INT64_T > u_int64_t > buffer_get_int64(Buffer *buffer) > { > @@ -159,6 +160,7 @@ > buffer_get(buffer, (char *) buf, 8); > return GET_64BIT(buf); > } > +#endif wouldn't it be simpler to typedef u_int32_t u_int64_t; and check whether the first 4 bytes are != 0 ? -m From cyril at natur.cuni.cz Thu Jan 11 22:46:12 2001 From: cyril at natur.cuni.cz (CYRIL) Date: Thu, 11 Jan 2001 12:46:12 +0100 (MET) Subject: bug report Message-ID: Hi, I use openssh-2.3.0p1, and the following occurs : [cyril at ts2 cyril]$ rsync -essh -r cyril at beda:zwz . cyril's password: unexpected EOF in read_timeout [cyril at ts2 cyril]$ FATAL: Received signal 10. and in beda log is : Jan 11 12:31:30 6E:beda sshd[2220748]: Accepted password for cyril from 195.113.46.2 port 1045 ssh2 Jan 11 12:31:30 3E:beda sshd[2220748]: error: channel 0: internal error: we do not read, but chan_read_failed for istate 8 and I am little confused about, do you have any idea ? thanks BR C.Benda cyril at natur.cuni.cz From mouring at etoh.eviladmin.org Sun Jan 14 08:42:26 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sat, 13 Jan 2001 15:42:26 -0600 (CST) Subject: SCO patch attempt. In-Reply-To: <20010113171656.A32104@folly> Message-ID: On Sat, 13 Jan 2001, Markus Friedl wrote: > On Thu, Jan 11, 2001 at 10:00:26PM -0600, mouring at etoh.eviladmin.org wrote: > > +#ifdef HAVE_U_INT64_T > > u_int64_t > > buffer_get_int64(Buffer *buffer) > > { > > @@ -159,6 +160,7 @@ > > buffer_get(buffer, (char *) buf, 8); > > return GET_64BIT(buf); > > } > > +#endif > > wouldn't it be simpler to > typedef u_int32_t u_int64_t; > and check whether the first 4 bytes are != 0 ? > I started going down that path originally, but I could not see a reasonable way of doing error checking. Hmm.. Unless I report errors on on 'errno' (Because it's pretty hard to return -1 on an unsigned int =). I'll take another look at that method in a day or so. - Ben From shorty at getuid.de Sun Jan 14 08:28:54 2001 From: shorty at getuid.de (Christian Kurz) Date: Sat, 13 Jan 2001 22:28:54 +0100 Subject: redundant warning about absent tty Message-ID: <20010113222854.P18473@seteuid.getuid.de> > If ssh is invoked without a tty on stdin, it emits a warning message. > This is fine, except it *still* emits such a warning message if you > specify -q (which is supposed to supress warning messages) or -T > (which explicitly requests that no tty be used on the remote side - > making it academic whether there is a tty on the local side.) > The patch below fixes this. diff -x *~ -ruN openssh-2.3.0p1.deborig/debian/changelog openssh-2.3.0p1/debian/changelog --- openssh-2.3.0p1.deborig/debian/changelog Sat Jan 13 13:06:14 2001 +++ openssh-2.3.0p1/debian/changelog Sat Jan 13 19:04:09 2001 @@ -1,3 +1,9 @@ +openssh (1:2.3.0p1-1.5.rjk1) unstable; urgency=low + + * Eliminate bogus tty warning messages + + -- Richard Kettlewell Sat, 13 Jan 2001 18:53:27 +0000 + openssh (1:2.3.0p1-1.5) unstable; urgency=high * Fixed now also the problem with sshd used as default ipv4 and @@ -448,5 +454,4 @@ Local variables: mode: debian-changelog -add-log-mailing-address: "phil at hands.com" End: diff -x *~ -ruN openssh-2.3.0p1.deborig/ssh.c openssh-2.3.0p1/ssh.c --- openssh-2.3.0p1.deborig/ssh.c Sat Oct 28 04:19:58 2000 +++ openssh-2.3.0p1/ssh.c Sat Jan 13 18:57:53 2001 @@ -517,15 +517,16 @@ if (buffer_len(&command) == 0) tty_flag = 1; + /* force */ + if (no_tty_flag) + tty_flag = 0; /* Do not allocate a tty if stdin is not a tty. */ if (!isatty(fileno(stdin))) { - if (tty_flag) + if (tty_flag + && options.log_level > SYSLOG_LEVEL_QUIET) fprintf(stderr, "Pseudo-terminal will not be allocated because stdin is not a terminal.\n"); tty_flag = 0; } - /* force */ - if (no_tty_flag) - tty_flag = 0; /* Get user data. */ pw = getpwuid(original_real_uid); Do you really think that such a patch should be applied to openssh or not? I think about not applying but rejecting it since this is a change of behaviour is not very good. Please let me know your opinion. Thanks. Ciao Christian -- Debian Developer and Quality Assurance Team Member 1024/26CC7853 31E6 A8CA 68FC 284F 7D16 63EC A9E6 67FF 26CC 7853 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 242 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010113/1e9a2829/attachment.bin From markus.friedl at informatik.uni-erlangen.de Sun Jan 14 08:53:48 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 13 Jan 2001 22:53:48 +0100 Subject: Kerberos password authentication and SSH2 In-Reply-To: <15498.979252596@sludge.psc.edu>; from ksulliva@psc.edu on Thu, Jan 11, 2001 at 05:36:36PM -0500 References: <20010111224519.B31857@folly> <15498.979252596@sludge.psc.edu> Message-ID: <20010113225348.A14484@folly> ok, it's in the tree. -m On Thu, Jan 11, 2001 at 05:36:36PM -0500, Kevin Sullivan wrote: > -#ifdef KRB4 > - /* turn off kerberos, not supported by SSH2 */ > - options.kerberos_authentication = 0; > -#endif > +#ifdef AFS > + /* If machine has AFS, set process authentication group. */ > + if (k_hasafs()) { > + k_setpag(); > + k_unlog(); > + } > +#endif /* AFS */ > + From markus.friedl at informatik.uni-erlangen.de Mon Jan 15 04:08:36 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 14 Jan 2001 18:08:36 +0100 Subject: openssh 2.3.0p1 doesn't show fingerprints In-Reply-To: ; from ns@canada.com on Sat, Jan 13, 2001 at 09:33:24PM -0800 References: <2.2.16.20010113232010.4bafbd24@crash.cts.com> Message-ID: <20010114180836.A30868@folly> On Sat, Jan 13, 2001 at 09:33:24PM -0800, Noam Sturmwind wrote: > I've noticed that in openssh 2.3.0 when I connect to a new server or to > one on which the host key has changed, it warns me that the key is unknown > or changed, but doesn't show me the host key fingerprint so I can verify > it. This goes for both protocols 1 (RSA host key) and 2 (DSA host key). I > remember that older versions used to display a warning and the > fingerprint and ask if I still wanted to connect (yes/no). openssh will show the fingerprint and ask (yes/no) if the host key is unknown (if StrictHostKeyChecking is set to ask, of course). if the hostkey has changed and StrictHostKeyChecking != no (the default is 'ask') then the ssh will exit. you can now remove the offending key, reconnect, and check the fingerprint given by the client (since the host key is now unknown). however, in future openssh versions we will display the fingerprint for changed host keys, too. > Please let me know if I'm missing an option which turns display of > fingerprint & prompting on. Though, even if there is, I think it should be > on by default... let advanced users turn it off rather than the other way > around. the default is StrictHostKeyChecking ask and this should be ok for less advanced users. -markus From ns at canada.com Mon Jan 15 04:54:52 2001 From: ns at canada.com (Noam Sturmwind) Date: Sun, 14 Jan 2001 09:54:52 -0800 (PST) Subject: openssh 2.3.0p1 doesn't show fingerprints In-Reply-To: <20010114180836.A30868@folly> Message-ID: > openssh will show the fingerprint and ask (yes/no) if the > host key is unknown (if StrictHostKeyChecking is set to ask, > of course). > ... > > the default is > StrictHostKeyChecking ask > and this should be ok for less advanced users. This is interesting... on my build (precompiled Mandrake cooker, openssh-2.3.0p1-7.3mdk) the default is StrictHostKeyChecking no. man ssh(1) says for StrictHostKeyChecking, "The argument must be ``yes'' or ``no''." No mention of an 'ask' setting anywhere I can find, though it does work if I set it to ask. Thanks for the help. Noam Sturmwind From tim at multitalents.net Mon Jan 15 07:34:06 2001 From: tim at multitalents.net (Tim Rice) Date: Sun, 14 Jan 2001 12:34:06 -0800 (PST) Subject: SCO patch attempt. In-Reply-To: Message-ID: On Fri, 12 Jan 2001 mouring at etoh.eviladmin.org wrote: > On Thu, 11 Jan 2001, Tim Rice wrote: > > > l/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c src/bsd-arc4random.c > > UX:acomp: ERROR: "src/bsd-misc.h", line 59: (struct) tag redeclared: timeval > > UX:acomp: ERROR: "src/bsd-misc.h", line 64: invalid type combination > > gmake: *** [bsd-arc4random.o] Error 1 > > ... > > Ermm.. What other commands use 'timeval'? If you have a valid > timeval. Then one is going to have to test the existance of timeval like > they do other structures and set or not-set accordingly. Yup, that's obvious after a good nights sleep. ;-) I did some work on your patch and it now builds on Solaris 7 UnixWare 2.03 UnixWare 2.1.3 UnixWare 7.1.0 Caldera eDesktop 2.4 RedHat 6.2 SCO Open Server 5.0.4 It would build on SCO Open Server 3 (aka 3.2v4.2) but there is no fchmod() in this platform. ... gcc -o sftp-server sftp-server.o log-server.o -L. -L/usr/local/lib -L/usr/local /ssl/lib -L/usr/local/ssl -lssh -lopenbsd-compat -lz -lsocket -lgen -lsocket -l os -lprot -lx -ltinfo -lm -lcrypto undefined first referenced symbol in file fchmod sftp-server.o ld fatal: Symbol referencing errors. No output written to sftp-server gmake: *** [sftp-server] Error 1 ... I didn't see an easy way to do an #ifdef HAVE_FCHMOD like in scp.c > > - Ben > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net -------------- next part -------------- --- openssh_cvs/acconfig.h.old Thu Jan 11 20:30:18 2001 +++ openssh_cvs/acconfig.h Fri Jan 12 12:17:01 2001 @@ -103,6 +103,9 @@ * message at run-time. */ #undef RSAREF +/* struct timeval */ +#undef HAVE_STRUCT_TIMEVAL + /* struct utmp and struct utmpx fields */ #undef HAVE_HOST_IN_UTMP #undef HAVE_HOST_IN_UTMPX --- openssh_cvs/bsd-misc.c.old Thu Nov 16 19:47:20 2000 +++ openssh_cvs/bsd-misc.c Fri Jan 12 10:30:14 2001 @@ -80,3 +80,15 @@ return(sys_errlist[e]); } #endif + +#ifndef HAVE_UTIMES +int utimes(char *filename, struct timeval *tvp) +{ + struct utimbuf ub; + + ub.actime = tvp->tv_sec; + ub.modtime = tvp->tv_usec; + + return(utime(filename, &ub)); +} +#endif --- openssh_cvs/bsd-misc.h.old Thu Nov 16 19:47:20 2000 +++ openssh_cvs/bsd-misc.h Fri Jan 12 12:18:41 2001 @@ -54,4 +54,17 @@ const char *strerror(int e); #endif + +#ifndef HAVE_UTIMES +#ifndef HAVE_STRUCT_TIMEVAL +struct timeval { + long tv_sec; + long tv_usec; +} +#endif /* HAVE_STRUCT_TIMEVAL */ + +int utimes(char *filename, struct timeval *tvp); +#endif /* HAVE_UTIMES */ + + #endif /* _BSD_MISC_H */ --- openssh_cvs/bufaux.c.old Thu Jan 11 20:30:20 2001 +++ openssh_cvs/bufaux.c Fri Jan 12 12:47:50 2001 @@ -152,6 +152,7 @@ return GET_32BIT(buf); } +#ifdef HAVE_U_INT64_T u_int64_t buffer_get_int64(Buffer *buffer) { @@ -159,6 +160,7 @@ buffer_get(buffer, (char *) buf, 8); return GET_64BIT(buf); } +#endif /* * Stores an integer in the buffer in 4 bytes, msb first. @@ -171,6 +173,7 @@ buffer_append(buffer, buf, 4); } +#ifdef HAVE_U_INT64_T void buffer_put_int64(Buffer *buffer, u_int64_t value) { @@ -178,6 +181,7 @@ PUT_64BIT(buf, value); buffer_append(buffer, buf, 8); } +#endif /* * Returns an arbitrary binary string from the buffer. The string cannot --- openssh_cvs/bufaux.h.old Thu Jan 11 20:30:20 2001 +++ openssh_cvs/bufaux.h Fri Jan 12 12:47:50 2001 @@ -30,11 +30,15 @@ /* Returns an integer from the buffer (4 bytes, msb first). */ u_int buffer_get_int(Buffer * buffer); +#ifdef HAVE_U_INT64_T u_int64_t buffer_get_int64(Buffer *buffer); +#endif /* Stores an integer in the buffer in 4 bytes, msb first. */ void buffer_put_int(Buffer * buffer, u_int value); +#ifdef HAVE_U_INT64_T void buffer_put_int64(Buffer *buffer, u_int64_t value); +#endif /* Returns a character from the buffer (0 - 255). */ int buffer_get_char(Buffer * buffer); --- openssh_cvs/configure.in.old Thu Jan 11 20:30:25 2001 +++ openssh_cvs/configure.in Fri Jan 12 18:01:35 2001 @@ -313,10 +313,10 @@ ) # Checks for header files. -AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utmp.h utmpx.h vis.h) +AC_CHECK_HEADERS(bstring.h endian.h floatingpoint.h getopt.h lastlog.h limits.h login.h login_cap.h maillock.h netdb.h netgroup.h netinet/in_systm.h paths.h poll.h pty.h shadow.h security/pam_appl.h sys/bitypes.h sys/bsdtty.h sys/cdefs.h sys/poll.h sys/queue.h sys/select.h sys/stat.h sys/stropts.h sys/sysmacros.h sys/time.h sys/ttcompat.h sys/un.h stddef.h time.h ttyent.h usersec.h util.h utime.h utmp.h utmpx.h vis.h) dnl Checks for library functions. -AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getnameinfo getrlimit getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strsep strtok_r sysconf vsnprintf vhangup vis waitpid _getpty __b64_ntop) +AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_af clock fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getnameinfo getrlimit getrusage getttyent inet_aton inet_ntoa innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv seteuid setlogin setproctitle setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strsep strtok_r sysconf utime utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop) dnl Checks for time functions AC_CHECK_FUNCS(gettimeofday time) dnl Checks for libutil functions @@ -825,14 +825,27 @@ AC_DEFINE(HAVE_STRUCT_ADDRINFO) fi +AC_CACHE_CHECK([for struct timeval], ac_cv_have_struct_timeval, [ + AC_TRY_COMPILE( + [ #include ], + [ struct timeval tv; tv.tv_sec = 1;], + [ ac_cv_have_struct_timeval="yes" ], + [ ac_cv_have_struct_timeval="no" ] + ) +]) +if test "x$ac_cv_have_struct_timeval" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_TIMEVAL) + have_struct_timeval=1 +fi + # If we don't have int64_t then we can't compile sftp-server. So don't # even attempt to do it. -if test "x$ac_cv_have_int64_t" = "xno" -a \ - "x$ac_cv_sizeof_long_int" != "x8" -a \ - "x$ac_cv_sizeof_long_long_int" = "x0" ; then - NO_SFTP='#' - AC_SUBST(NO_SFTP) -fi +#if test "x$ac_cv_have_int64_t" = "xno" -a \ +# "x$ac_cv_sizeof_long_int" != "x8" -a \ +# "x$ac_cv_sizeof_long_long_int" = "x0" ; then +# NO_SFTP='#' +#fi +AC_SUBST(NO_SFTP) dnl Checks for structure members OSSH_CHECK_HEADER_FOR_FIELD(ut_host, utmp.h, HAVE_HOST_IN_UTMP) --- openssh_cvs/defines.h.old Thu Jan 11 20:30:26 2001 +++ openssh_cvs/defines.h Fri Jan 12 12:46:05 2001 @@ -171,20 +171,22 @@ #ifndef HAVE_INT64_T # if (SIZEOF_LONG_INT == 8) typedef long int int64_t; +# define HAVE_INT64_T 1 # else # if (SIZEOF_LONG_LONG_INT == 8) typedef long long int int64_t; -# define HAVE_INTXX_T 1 +# define HAVE_INT64_T 1 # endif # endif #endif #ifndef HAVE_U_INT64_T # if (SIZEOF_LONG_INT == 8) typedef unsigned long int u_int64_t; +# define HAVE_U_INT64_T 1 # else # if (SIZEOF_LONG_LONG_INT == 8) typedef unsigned long long int u_int64_t; -# define HAVE_U_INTXX_T 1 +# define HAVE_U_INT64_T 1 # endif # endif #endif --- openssh_cvs/getput.h.old Thu Jan 11 20:30:26 2001 +++ openssh_cvs/getput.h Fri Jan 12 12:47:50 2001 @@ -18,6 +18,7 @@ /*------------ macros for storing/extracting msb first words -------------*/ +#ifdef HAVE_U_INT64_T #define GET_64BIT(cp) (((u_int64_t)(u_char)(cp)[0] << 56) | \ ((u_int64_t)(u_char)(cp)[1] << 48) | \ ((u_int64_t)(u_char)(cp)[2] << 40) | \ @@ -26,6 +27,7 @@ ((u_int64_t)(u_char)(cp)[5] << 16) | \ ((u_int64_t)(u_char)(cp)[6] << 8) | \ ((u_int64_t)(u_char)(cp)[7])) +#endif #define GET_32BIT(cp) (((u_long)(u_char)(cp)[0] << 24) | \ ((u_long)(u_char)(cp)[1] << 16) | \ @@ -35,6 +37,7 @@ #define GET_16BIT(cp) (((u_long)(u_char)(cp)[0] << 8) | \ ((u_long)(u_char)(cp)[1])) +#ifdef HAVE_U_INT64_T #define PUT_64BIT(cp, value) do { \ (cp)[0] = (value) >> 56; \ (cp)[1] = (value) >> 48; \ @@ -44,6 +47,7 @@ (cp)[5] = (value) >> 16; \ (cp)[6] = (value) >> 8; \ (cp)[7] = (value); } while (0) +#endif #define PUT_32BIT(cp, value) do { \ (cp)[0] = (value) >> 24; \ --- openssh_cvs/includes.h.old Thu Jan 11 20:30:26 2001 +++ openssh_cvs/includes.h Thu Jan 11 22:16:57 2001 @@ -85,6 +85,9 @@ #ifdef HAVE_SYS_SYSMACROS_H # include #endif +#ifdef HAVE_UTIME_H +# include +#endif #ifdef HAVE_VIS_H # include #endif --- openssh_cvs/sftp-server.c.old Thu Jan 11 20:30:32 2001 +++ openssh_cvs/sftp-server.c Fri Jan 12 16:08:26 2001 @@ -33,9 +33,11 @@ #include "sftp.h" /* helper */ -#define get_int64() buffer_get_int64(&iqueue); -#define get_int() buffer_get_int(&iqueue); -#define get_string(lenp) buffer_get_string(&iqueue, lenp); +#ifdef HAVE_U_INT64_T +#define get_int64() buffer_get_int64(&iqueue) +#endif +#define get_int() buffer_get_int(&iqueue) +#define get_string(lenp) buffer_get_string(&iqueue, lenp) #define TRACE debug #ifdef HAVE___PROGNAME @@ -56,7 +58,12 @@ struct Attrib { u_int32_t flags; +#ifndef HAVE_U_INT64_T + u_int32_t high_size; + u_int32_t low_size; +#else u_int64_t size; +#endif u_int32_t uid; u_int32_t gid; u_int32_t perm; @@ -126,7 +133,12 @@ attrib_clear(Attrib *a) { a->flags = 0; +#ifndef HAVE_U_INT64_T + a->high_size = 0; + a->low_size = 0; +#else a->size = 0; +#endif a->uid = 0; a->gid = 0; a->perm = 0; @@ -141,7 +153,12 @@ attrib_clear(&a); a.flags = buffer_get_int(b); if (a.flags & SSH2_FILEXFER_ATTR_SIZE) { +#ifndef HAVE_U_INT64_T + a.high_size = buffer_get_int(b); + a.low_size = buffer_get_int(b); +#else a.size = buffer_get_int64(b); +#endif } if (a.flags & SSH2_FILEXFER_ATTR_UIDGID) { a.uid = buffer_get_int(b); @@ -174,7 +191,12 @@ { buffer_put_int(b, a->flags); if (a->flags & SSH2_FILEXFER_ATTR_SIZE) { +#ifndef HAVE_U_INT64_T + buffer_put_int(b, a->high_size); + buffer_put_int(b, a->low_size); +#else buffer_put_int64(b, a->size); +#endif } if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) { buffer_put_int(b, a->uid); @@ -196,7 +218,12 @@ attrib_clear(&a); a.flags = 0; a.flags |= SSH2_FILEXFER_ATTR_SIZE; +#ifndef HAVE_U_INT64_T + a.low_size = st->st_size; + a.high_size = 0; +#else a.size = st->st_size; +#endif a.flags |= SSH2_FILEXFER_ATTR_UIDGID; a.uid = st->st_uid; a.gid = st->st_gid; @@ -495,11 +522,23 @@ char buf[64*1024]; u_int32_t id, len; int handle, fd, ret, status = SSH2_FX_FAILURE; +#ifndef HAVE_U_INT64_T + u_int32_t off; +#else u_int64_t off; +#endif id = get_int(); handle = get_handle(); +#ifndef HAVE_U_INT64_T + if (get_int() > 0) { + send_status(id, SSH2_FX_OP_UNSUPPORTED); + return; + } + off = get_int(); +#else off = get_int64(); +#endif len = get_int(); TRACE("read id %d handle %d off %lld len %d", id, handle, off, len); @@ -532,14 +571,26 @@ process_write(void) { u_int32_t id; +#ifndef HAVE_U_INT64_T + u_int32_t off; +#else u_int64_t off; +#endif u_int len; int handle, fd, ret, status = SSH2_FX_FAILURE; char *data; id = get_int(); handle = get_handle(); +#ifndef HAVE_U_INT64_T + if (get_int() > 0) { + send_status(id, SSH2_FX_OP_UNSUPPORTED); + return; + } + off = get_int(); +#else off = get_int64(); +#endif data = get_string(&len); TRACE("write id %d handle %d off %lld len %d", id, handle, off, len); @@ -741,9 +792,15 @@ ls_file(char *name, struct stat *st) { char buf[1024]; +#ifdef HAVE_U_INT64_T snprintf(buf, sizeof buf, "0%o %d %d %lld %d %s", st->st_mode, st->st_uid, st->st_gid, (long long)st->st_size, (int)st->st_mtime, name); +#else + snprintf(buf, sizeof buf, "0%o %d %d %lld %d %s", + st->st_mode, st->st_uid, st->st_gid, st->st_size, + (int)st->st_mtime, name); +#endif return xstrdup(buf); } From stevesk at pobox.com Mon Jan 15 10:56:17 2001 From: stevesk at pobox.com (Kevin Steves) Date: Mon, 15 Jan 2001 00:56:17 +0100 (CET) Subject: Patch to improve -p error message. In-Reply-To: Message-ID: you can still enter -4501, which is invalid and not noted, or 4501L which will work but may not be what you wanted. if you want to clean up atoi() handling you might sweep the tree (scp has -P till exempel) and see how head.c from openbsd uses strtol() in a paranoid fashion. On Wed, 10 Jan 2001, Mo DeJong wrote: : I got sick of getting a lame error message when I typed : the wrong thing in for a -p argument, so I wrote : up this patch. : : Bad: : : % ssh -p L4501 localhost : Secure connection to localhost refused. : : Good: : : ./ssh -p L4501 localhost : Bad port specification 'L4501'. : : Mo DeJong : Red Hat Inc : : Index: ssh.c : =================================================================== : RCS file: /cvs/openssh_cvs/ssh.c,v : retrieving revision 1.56 : diff -u -r1.56 ssh.c : --- ssh.c 2000/12/28 16:40:05 1.56 : +++ ssh.c 2001/01/11 06:01:18 : @@ -437,6 +437,12 @@ : break; : case 'p': : options.port = atoi(optarg); : + if (options.port == 0) { : + fprintf(stderr, : + "Bad port specification '%s'.\n", : + optarg); : + exit(1); : + } : break; : case 'l': : options.user = optarg; From stevesk at pobox.com Mon Jan 15 11:22:26 2001 From: stevesk at pobox.com (Kevin Steves) Date: Mon, 15 Jan 2001 01:22:26 +0100 (CET) Subject: openssh 2.3.0p1 doesn't show fingerprints In-Reply-To: Message-ID: On Sun, 14 Jan 2001, Noam Sturmwind wrote: : > the default is : > StrictHostKeyChecking ask : > and this should be ok for less advanced users. : : This is interesting... on my build (precompiled Mandrake cooker, : openssh-2.3.0p1-7.3mdk) the default is StrictHostKeyChecking no. man : ssh(1) says for StrictHostKeyChecking, "The argument must be ``yes'' or : ``no''." No mention of an 'ask' setting anywhere I can find, though it : does work if I set it to ask. Thanks for the help. i see ssh.1 doesn't document ask. a good task for someone that's interested is to review pieces of code and compare that to the corresponding man page (readconf.c/ssh.1 serverconf.c/sshd.8, etc) and make sure they are accurate and in sync, and provide patches when they are not. is anyone interested? From mouring at etoh.eviladmin.org Mon Jan 15 13:29:36 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sun, 14 Jan 2001 20:29:36 -0600 (CST) Subject: SCO patch attempt. In-Reply-To: Message-ID: On Sun, 14 Jan 2001, Tim Rice wrote: > On Fri, 12 Jan 2001 mouring at etoh.eviladmin.org wrote: > > > On Thu, 11 Jan 2001, Tim Rice wrote: > > > > > l/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c src/bsd-arc4random.c > > > UX:acomp: ERROR: "src/bsd-misc.h", line 59: (struct) tag redeclared: timeval > > > UX:acomp: ERROR: "src/bsd-misc.h", line 64: invalid type combination > > > gmake: *** [bsd-arc4random.o] Error 1 > > > ... > > > > Ermm.. What other commands use 'timeval'? If you have a valid > > timeval. Then one is going to have to test the existance of timeval like > > they do other structures and set or not-set accordingly. > > Yup, that's obvious after a good nights sleep. ;-) > [..] > > It would build on SCO Open Server 3 (aka 3.2v4.2) but there is no > fchmod() in this platform. > ... That is an easy fix. We follow suite with futimes(). @@ -685,7 +736,11 @@ status = SSH2_FX_FAILURE; } else { if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) { +#ifdef HAVE_FCHMOD ret = fchmod(fd, a->perm & 0777); +#else + ret = chmod(name, a->perm & 077); +endif if (ret == -1) status = errno_to_portable(errno); } I'm going to split the utimes()/fchmod() patch from the rest of the sftp-server stuff. I'm not really happy with the current changes with forcing sftp-server into 32bit mode. (Assuming it even works.=) - Ben From mdejong at cygnus.com Mon Jan 15 18:29:44 2001 From: mdejong at cygnus.com (Mo DeJong) Date: Sun, 14 Jan 2001 23:29:44 -0800 (PST) Subject: Patch to improve -p error message. In-Reply-To: Message-ID: On Mon, 15 Jan 2001, Kevin Steves wrote: > you can still enter -4501, which is invalid and not noted, or 4501L > which will work but may not be what you wanted. if you want to clean up > atoi() handling you might sweep the tree (scp has -P till exempel) and > see how head.c from openbsd uses strtol() in a paranoid fashion. > > On Wed, 10 Jan 2001, Mo DeJong wrote: > : I got sick of getting a lame error message when I typed > : the wrong thing in for a -p argument, so I wrote > : up this patch. Well, how about something like this? Index: ssh.c =================================================================== RCS file: /cvs/openssh_cvs/ssh.c,v retrieving revision 1.56 diff -u -r1.56 ssh.c --- ssh.c 2000/12/28 16:40:05 1.56 +++ ssh.c 2001/01/15 07:27:37 @@ -229,7 +229,7 @@ { int i, opt, optind, exit_status, ok; u_short fwd_port, fwd_host_port; - char *optarg, *cp, buf[256]; + char *optarg, *cp, *tmp, buf[256]; struct stat st; struct passwd *pw, pwcopy; int dummy; @@ -436,6 +436,14 @@ } break; case 'p': + for (tmp = optarg; *tmp ; tmp++) { + if (*tmp < '0' || *tmp > '9') { + fprintf(stderr, + "Bad port specification '%s'.\n", + optarg); + exit(1); + } + } options.port = atoi(optarg); break; case 'l': Mo DeJong Red Hat Inc From Markus.Friedl at informatik.uni-erlangen.de Mon Jan 15 19:19:24 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 15 Jan 2001 09:19:24 +0100 Subject: SCO patch attempt. In-Reply-To: ; from mouring@etoh.eviladmin.org on Sat, Jan 13, 2001 at 03:42:26PM -0600 References: <20010113171656.A32104@folly> Message-ID: <20010115091923.A11183@faui02.informatik.uni-erlangen.de> On Sat, Jan 13, 2001 at 03:42:26PM -0600, mouring at etoh.eviladmin.org wrote: > > wouldn't it be simpler to > > typedef u_int32_t u_int64_t; > > and check whether the first 4 bytes are != 0 ? > > > I started going down that path originally, but I could not see a > reasonable way of doing error checking. Hmm.. Unless I report errors on > on 'errno' (Because it's pretty hard to return -1 on an unsigned int =). > > I'll take another look at that method in a day or so. before you call get_uint64() you could check that the next for bytes in the current packet are equal to zero. -markus From Stephan.Hendl at lds.brandenburg.de Mon Jan 15 20:59:27 2001 From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl) Date: Mon, 15 Jan 2001 10:59:27 +0100 Subject: PAM error on openssh-2.3.0p1/HP-UX Message-ID: Hi all, I try to login from a Linux Box with ssh-1.2.27 to an HP-UX Server with openssh-2.3.0p1 using PAM. After a couple of login the HP-UX disables my account with the error message: Too many unsuccesful logins. It seems to me - and the logfile says it too - that the first attemt to authenticate myself via Password fails and the second attempt via rsa-key works. Now the counter of unsuccesful logins is added by one and after 5 logins I am disabled. I use the ssh-agent technology with rsa-keys. The required PAM-Patch is installed. What shell I do? Jan 15 10:39:46 pns sshd[12272]: pam_authenticate: error Authentication failedJan 15 10:39:46 pns sshd[12272]: debug1: PAM Password authentication for "hendl" failed[9]: Authentication failedJan 15 10:39:46 pns sshd[12272]: Accepted rsa for hendl from 194.76.232.130 port 2571Jan 15 10:39:46 pns sshd[12272]: debug1: PAM setting rhost to "www1.brandenburg.de" The second problem is that at the end of a session some PAM related file could not be deleted. See logfile below. Jan 15 10:52:24 pns sshd[10218]: debug1: tvp!=NULL kid 0 mili 10Jan 15 10:52:24 pns sshd[10218]: debug1: tvp!=NULL kid 0 mili 10Jan 15 10:52:27 pns sshd[10218]: debug1: tvp!=NULL kid 0 mili 10Jan 15 10:52:32 pns sshd[13016]: debug1: EOF received for stdin.Jan 15 10:52:27 pns sshd[10218]: debug1: tvp!=NULL kid 0 mili 10Jan 15 10:52:32 pns sshd[13016]: Connection closed by remote host.Jan 15 10:52:32 pns sshd[13016]: debug1: Calling cleanup 0x40005e12(0x4000be40)Jan 15 10:52:32 pns sshd[13016]: debug1: pty_cleanup_proc: /dev/pts/3Jan 15 10:52:32 pns sshd[13016]: debug1: Calling cleanup 0x40005d6a(0x0)Jan 15 10:52:32 pns sshd[13016]: pam_setcred: error Permission deniedJan 15 10:52:32 pns sshd[13016]: debug1: Cannot delete credentials[7]: Permission deniedJan 15 10:52:32 pns sshd[13016]: debug1: Calling cleanup 0x40005ffa(0x0)Jan 15 10:52:32 pns sshd[13016]: debug1: Calling cleanup 0x40006002(0x0)Jan 15 10:52:32 pns sshd[13016]: debug1: writing PRNG seed to file //.ssh/prng_seed Thanks for help! Stephan From ksulliva at psc.edu Mon Jan 15 21:43:22 2001 From: ksulliva at psc.edu (Kevin Sullivan) Date: Mon, 15 Jan 2001 05:43:22 -0500 (EST) Subject: Kerberos password authentication and SSH2 In-Reply-To: <20010113225348.A14484@folly> Message-ID: On 13-Jan-01 Markus Friedl wrote: > ok, it's in the tree. Cool, thanks. If you want a "cleaner" solution you could move the k_setpag() code out of both auth1.c and auth2.c, into sshd.c around line 1080, just before the calls to do_authentication and do_authentication2. That way the code won't be duplicated. -Kevin > On Thu, Jan 11, 2001 at 05:36:36PM -0500, Kevin Sullivan wrote: >> -#ifdef KRB4 >> - /* turn off kerberos, not supported by SSH2 */ >> - options.kerberos_authentication = 0; >> -#endif >> +#ifdef AFS >> + /* If machine has AFS, set process authentication group. */ >> + if (k_hasafs()) { >> + k_setpag(); >> + k_unlog(); >> + } >> +#endif /* AFS */ >> + > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 284 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010115/da204650/attachment.bin From stevesk at sweden.hp.com Tue Jan 16 03:31:22 2001 From: stevesk at sweden.hp.com (Kevin Steves) Date: Mon, 15 Jan 2001 17:31:22 +0100 (MET) Subject: PAM error on openssh-2.3.0p1/HP-UX In-Reply-To: Message-ID: On Mon, 15 Jan 2001, Stephan Hendl wrote: : I try to login from a Linux Box with ssh-1.2.27 to an HP-UX Server : with openssh-2.3.0p1 using PAM. After a couple of login the HP-UX : disables my account with the error message: Too many unsuccesful : logins. It seems to me - and the logfile says it too - that the : first attemt to authenticate myself via Password fails and the : second attempt via rsa-key works. Now the counter of unsuccesful : logins is added by one and after 5 logins I am disabled. : : I use the ssh-agent technology with rsa-keys. The required PAM-Patch : is installed. What shell I do? the logs indicate it tries password auth, then rsa. i'm not sure how to get the client to do that, with proto 1 at least. : The second problem is that at the end of a session some PAM related : file could not be deleted. See logfile below. that can be ignored. we might look into suppressing it. From jhuuskon at messi.uku.fi Tue Jan 16 04:03:39 2001 From: jhuuskon at messi.uku.fi (Jarno Huuskonen) Date: Mon, 15 Jan 2001 19:03:39 +0200 Subject: Key fingerprint feature request In-Reply-To: <20010112094406.A9799@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Fri, Jan 12, 2001 at 09:44:06AM +0100 References: <20010112100924.A4380@laivuri63.uku.fi> <20010112094406.A9799@faui02.informatik.uni-erlangen.de> Message-ID: <20010115190339.A25822@laivuri63.uku.fi> On Fri, Jan 12, Markus Friedl wrote: > i think it would be nice if the commercial ssh could print > out the host keys fingerprint in same format as OpenSSH :) I'm not very optimistic that commercial ssh is going to change to md5/hex fingerprint :) > > >From what I can see it wouldn't be too much work to add new fingerprint > > method to key.c:key_fingerprint ... Perhaps the fingerprint style could > > be configurable with ssh_config options ? > > well, ssh-keygen does not read ssh_config (and should not). > but, yes, perhaps key_fingerprint should get some more options > (like hash type, output format). on the other hand, this could > confuse people. When I was thinking about the ssh_config option for fingerprint style I had in mind that ssh would use the ssh_config option when displaying the fingerprint (when connecting to new hosts). Would something like this work: - modify key.c:key_fingerprint to take hash_type and fingerprint style parameters (hash is md5 / sha1 and fingerprint is 'bubble' / hex). ( or just one parameter with both parameters combined?) - add KeyFingerprintStyle option to ssh_config (this could have values like md5-hex, sha1-hex, sha1-bubble etc). (Perhaps even multiple values so it would be possible to get the key-fingerprint printed in openssh / commercial ssh style at the same time). - change ssh-keygen.c and ssh-add.c to use the new parameters for key_fingerprint (use md5/hex as default and perhaps have something like -o parameter) - change sshconnect.c to use the new parameters and to use the ssh_config option. (- and modify the manuals to reflect these changes). All the default values would make OpenSSH to act like before, but add the possibility to print key fingerprint commercial ssh-style. If these ideas sound somewhat feasible I might volunteer to start coding... -Jarno -- Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi University of Kuopio - Computer Centre | Work: +358 17 162822 PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169 From Markus.Friedl at informatik.uni-erlangen.de Tue Jan 16 04:17:40 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 15 Jan 2001 18:17:40 +0100 Subject: Key fingerprint feature request In-Reply-To: <20010115190339.A25822@laivuri63.uku.fi>; from jhuuskon@messi.uku.fi on Mon, Jan 15, 2001 at 07:03:39PM +0200 References: <20010112100924.A4380@laivuri63.uku.fi> <20010112094406.A9799@faui02.informatik.uni-erlangen.de> <20010115190339.A25822@laivuri63.uku.fi> Message-ID: <20010115181739.A25710@faui02.informatik.uni-erlangen.de> the option for choosing the fingerprint hash is very easy. just change the line EVP_MD *md = EVP_md5(); in key.c i have no idea about bubble, but start coding. On Mon, Jan 15, 2001 at 07:03:39PM +0200, Jarno Huuskonen wrote: > On Fri, Jan 12, Markus Friedl wrote: > > i think it would be nice if the commercial ssh could print > > out the host keys fingerprint in same format as OpenSSH :) > > I'm not very optimistic that commercial ssh is going to change to > md5/hex fingerprint :) > > > > >From what I can see it wouldn't be too much work to add new fingerprint > > > method to key.c:key_fingerprint ... Perhaps the fingerprint style could > > > be configurable with ssh_config options ? > > > > well, ssh-keygen does not read ssh_config (and should not). > > but, yes, perhaps key_fingerprint should get some more options > > (like hash type, output format). on the other hand, this could > > confuse people. > > When I was thinking about the ssh_config option for fingerprint style > I had in mind that ssh would use the ssh_config option when displaying > the fingerprint (when connecting to new hosts). > > Would something like this work: > - modify key.c:key_fingerprint to take hash_type and fingerprint style > parameters (hash is md5 / sha1 and fingerprint is 'bubble' / hex). > ( or just one parameter with both parameters combined?) > > - add KeyFingerprintStyle option to ssh_config (this could have values > like md5-hex, sha1-hex, sha1-bubble etc). > (Perhaps even multiple values so it would be possible to get the > key-fingerprint printed in openssh / commercial ssh style at the same > time). > > - change ssh-keygen.c and ssh-add.c to use the new parameters > for key_fingerprint (use md5/hex as default and perhaps have something > like -o parameter) > > - change sshconnect.c to use the new parameters and to use the ssh_config > option. > > (- and modify the manuals to reflect these changes). > All the default values would make OpenSSH to act like before, but add the > possibility to print key fingerprint commercial ssh-style. > > If these ideas sound somewhat feasible I might volunteer to start coding... > > -Jarno > > -- > Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi > University of Kuopio - Computer Centre | Work: +358 17 162822 > PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169 > From stevesk at sweden.hp.com Tue Jan 16 04:32:44 2001 From: stevesk at sweden.hp.com (Kevin Steves) Date: Mon, 15 Jan 2001 18:32:44 +0100 (MET) Subject: Patch to improve -p error message. In-Reply-To: Message-ID: overflow? On Sun, 14 Jan 2001, Mo DeJong wrote: : > On Wed, 10 Jan 2001, Mo DeJong wrote: : > : I got sick of getting a lame error message when I typed : > : the wrong thing in for a -p argument, so I wrote : > : up this patch. : : : Well, how about something like this? : : Index: ssh.c : =================================================================== : RCS file: /cvs/openssh_cvs/ssh.c,v : retrieving revision 1.56 : diff -u -r1.56 ssh.c : --- ssh.c 2000/12/28 16:40:05 1.56 : +++ ssh.c 2001/01/15 07:27:37 : @@ -229,7 +229,7 @@ : { : int i, opt, optind, exit_status, ok; : u_short fwd_port, fwd_host_port; : - char *optarg, *cp, buf[256]; : + char *optarg, *cp, *tmp, buf[256]; : struct stat st; : struct passwd *pw, pwcopy; : int dummy; : @@ -436,6 +436,14 @@ : } : break; : case 'p': : + for (tmp = optarg; *tmp ; tmp++) { : + if (*tmp < '0' || *tmp > '9') { : + fprintf(stderr, : + "Bad port specification '%s'.\n", : + optarg); : + exit(1); : + } : + } : options.port = atoi(optarg); : break; : case 'l': : : : Mo DeJong : Red Hat Inc : : : From ishikawa at yk.rim.or.jp Tue Jan 16 04:42:07 2001 From: ishikawa at yk.rim.or.jp (Ishikawa) Date: Tue, 16 Jan 2001 02:42:07 +0900 Subject: subject: ssh non-intuitive logging setting. (priority names) References: <3A55FBB5.8B20E0F2@yk.rim.or.jp> <20010106000855.A5714@folly> <3A566212.E564D76B@yk.rim.or.jp> <20010106130307.A21832@folly> Message-ID: <3A63366E.2677AF71@yk.rim.or.jp> Hi, After a busy week last week, I finally managed to check Markus's patch to modification to log-server.c. After the experimentation and reading the code, I have summarized what I found about how opensshd handles logging and verbosity control at the following URL. http://www.yk.rim.or.jp/~ishikawa/ssh-log-dir/ssh-log-patch.html In the page, I added a slightly extended ugly patch that I installed for a test installation. The page is a quick hack. don't blame me for html syntax errors. Comments are welcome. (Those of you who prefer text files, I could post a text file that was the draft of the above web page. It is about 20K bytes and is actually available as .txt file at http://www.yk.rim.or.jp/~ishikawa/ssh-log-dir/ssh-log-patch.txt Markus Friedl wrote: > On Sat, Jan 06, 2001 at 09:08:50AM +0900, Ishikawa wrote: > > Hi, thank you for the clarification. > > i think this patch would help. > additionaly we should rename > SYSLOG_LEVEL_INFO to SYSLOG_LEVEL_NOTICE > > this would be more appropriate? > > comments? > commit? > > cheers, > -markus > > Index: log-server.c > =================================================================== > RCS file: /home/markus/cvs/ssh/log-server.c,v > retrieving revision 1.17 > diff -u -r1.17 log-server.c > --- log-server.c 2000/09/12 20:53:10 1.17 > +++ log-server.c 2001/01/06 11:59:53 > @@ -128,15 +128,17 @@ > if (level > log_level) > return; > switch (level) { > - case SYSLOG_LEVEL_ERROR: > - txt = "error"; > - pri = LOG_ERR; > - break; > case SYSLOG_LEVEL_FATAL: > txt = "fatal"; > + pri = LOG_CRIT; > + break; > + case SYSLOG_LEVEL_ERROR: > + txt = "error"; > pri = LOG_ERR; > break; > case SYSLOG_LEVEL_INFO: > + pri = LOG_NOTICE; > + break; > case SYSLOG_LEVEL_VERBOSE: > pri = LOG_INFO; > break; From Markus.Friedl at informatik.uni-erlangen.de Tue Jan 16 21:38:55 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 16 Jan 2001 11:38:55 +0100 Subject: http://www.planetit.com/techcenters/docs/security-defensive_tools/product_review/PIT20010110S0010/1 Message-ID: <20010116113855.A29474@faui02.informatik.uni-erlangen.de> hi, http://www.planetit.com/techcenters/docs/security-defensive_tools/product_review/PIT20010110S0010/1 claims that the sshd from openssh-2.3.0p1 does not work with redhat. at least for the author. could someone please check and perhaps tell him what to do?? thanks, -m From djm at mindrot.org Tue Jan 16 21:45:08 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 16 Jan 2001 21:45:08 +1100 (EST) Subject: http://www.planetit.com/techcenters/docs/security-defensive_tools/product_review/PIT20010110S0010/1 In-Reply-To: <20010116113855.A29474@faui02.informatik.uni-erlangen.de> Message-ID: On Tue, 16 Jan 2001, Markus Friedl wrote: > hi, > > http://www.planetit.com/techcenters/docs/security-defensive_tools/product_review/PIT20010110S0010/1 > > claims that the sshd from openssh-2.3.0p1 does not work with redhat. > at least for the author. could someone please check and perhaps > tell him what to do?? I had a brief skim through the article, but I couldn't find an email address. It does suprise me that he couldn't get this working - 2.3.0p1 is shipped as one of Redhat's update RPMs. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From djm at mindrot.org Tue Jan 16 21:55:42 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 16 Jan 2001 21:55:42 +1100 (EST) Subject: http://www.planetit.com/techcenters/docs/security-defensive_tools/product_review/PIT20010110S0010/1 In-Reply-To: Message-ID: On Tue, 16 Jan 2001, Damien Miller wrote: > I had a brief skim through the article, but I couldn't find an email > address. Found it - reply sent. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From joden at eworld.wox.org Wed Jan 17 02:12:13 2001 From: joden at eworld.wox.org (James Oden) Date: Tue, 16 Jan 2001 10:12:13 -0500 (EST) Subject: http://www.planetit.com/techcenters/docs/security-defensive_tools/product_review/PIT20010110S0010/1 In-Reply-To: <20010116113855.A29474@faui02.informatik.uni-erlangen.de> from "Markus Friedl" at Jan 16, 2001 11:38:55 AM Message-ID: <200101161512.KAA21732@eworld.wox.org> > > hi, > > http://www.planetit.com/techcenters/docs/security-defensive_tools/product_review/PIT20010110S0010/1 > > claims that the sshd from openssh-2.3.0p1 does not work with redhat. > at least for the author. could someone please check and perhaps > tell him what to do?? > > thanks, > -m > I know what problem he had, at least with the rpm. At some point openssh began being built with a newer version of rpm than shipped with RH 6.2. The solution is for the guy to do what he was supposed to do anyway, before he started loading extra packages, which was to go to a redhat mirror and download the errata files pertinant to his install. One of those updated rpms is an update of rpm. From experience he probably would need to update the popt libraries also, as the new rpm (new to RH 6.2) depeneded on that. Cheers...james From a.d.stribblehill at durham.ac.uk Wed Jan 17 03:53:13 2001 From: a.d.stribblehill at durham.ac.uk (Andrew Stribblehill) Date: Tue, 16 Jan 2001 16:53:13 +0000 Subject: ssh drops privs when it can't find ~/.ssh/prng_seed Message-ID: <20010116165313.A2705@womble.dur.ac.uk> I'm using OpenSSH 2.3.0p1. When my users use ssh for the first time, using rhosts authentication, entropy.c drops the privs in prng_write_seedfile() at the setuid(original_uid) line (line 550, approx): void prng_write_seedfile(void) { int fd; char seed[1024]; char filename[1024]; struct passwd *pw; /* Don't bother if we have already saved a seed */ if (prng_seed_saved) return; setuid(original_uid); /* ^^^^^^^^^^^^^^^^^^^^ ***HERE*** */ prng_seed_saved = 1; pw = getpwuid(original_uid); if (pw == NULL) fatal("Couldn't get password entry for current user (%i): %s", original_uid, strerror(errno)); /* Try to ensure that the parent directory is there */ snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, SSH_USER_DIR); mkdir(filename, 0700); snprintf(filename, sizeof(filename), "%.512s/%s", pw->pw_dir, SSH_PRNG_SEED_FILE); debug("writing PRNG seed to file %.100s", filename); RAND_bytes(seed, sizeof(seed)); /* Don't care if the seed doesn't exist */ prng_check_seedfile(filename); if ((fd = open(filename, O_WRONLY|O_TRUNC|O_CREAT, 0600)) == -1) { debug("WARNING: couldn't access PRNG seedfile %.100s (%.100s)", filename, strerror(errno)); } else { if (atomicio(write, fd, &seed, sizeof(seed)) != sizeof(seed)) fatal("problem writing PRNG seedfile %.100s (%.100s)", filename, strerror(errno)); close(fd); } } Can anyone explain firstly why it does this, and secondly how I can stop it? Thanks, Andrew Stribblehill Systems programmer, IT Service, University of Durham, England From mhw at wittsend.com Wed Jan 17 05:22:28 2001 From: mhw at wittsend.com (Michael H. Warfield) Date: Tue, 16 Jan 2001 13:22:28 -0500 Subject: Solaris Problem In-Reply-To: <005301c07fd3$b3faa9b0$ad02a8c0@elebel>; from etienne.lebel@ift.ulaval.ca on Tue, Jan 16, 2001 at 10:47:59AM -0500 References: <005301c07fd3$b3faa9b0$ad02a8c0@elebel> Message-ID: <20010116132228.A23049@alcove.wittsend.com> OpenSSH mailing list, openssh-unix-dev at mindrot.org, added to Cc. On Tue, Jan 16, 2001 at 10:47:59AM -0500, Etienne Lebel wrote: > I try to install openssh-2.3.0p1/2.2.0p4 on a solaris 2.7 and I always got a > core dump with the ssh-keygen. But when I installed the 2.1.1p4 everything > was fine. Why ? That's funny... I can't even get it to compile on Solaris 2.7 with gcc 2.8.1 or 2.95.2. It bombs out in log.c with a shit load of errors complaining that __builtin_va_alist is undeclared. Where did you get the package you are trying to install? Did you compile it yourself? If yes, how and what is your configuration? If not, where did the binary package come from and what system was it compiled for? > The error that comes up at the installation process is when openssh generate > the key with ssh-keygen. Look at the error message > ./ssh-keygen > Bus Error (core dumped) > Thanks > Etienne Mike -- Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From mhw at wittsend.com Wed Jan 17 07:54:47 2001 From: mhw at wittsend.com (Michael H. Warfield) Date: Tue, 16 Jan 2001 15:54:47 -0500 Subject: Solaris Problem In-Reply-To: <20010116132228.A23049@alcove.wittsend.com>; from mhw@wittsend.com on Tue, Jan 16, 2001 at 01:22:28PM -0500 References: <005301c07fd3$b3faa9b0$ad02a8c0@elebel> <20010116132228.A23049@alcove.wittsend.com> Message-ID: <20010116155447.B23049@alcove.wittsend.com> On Tue, Jan 16, 2001 at 01:22:28PM -0500, Michael H. Warfield wrote: > OpenSSH mailing list, openssh-unix-dev at mindrot.org, added to Cc. > On Tue, Jan 16, 2001 at 10:47:59AM -0500, Etienne Lebel wrote: > > I try to install openssh-2.3.0p1/2.2.0p4 on a solaris 2.7 and I always got a > > core dump with the ssh-keygen. But when I installed the 2.1.1p4 everything > > was fine. Why ? > That's funny... I can't even get it to compile on Solaris 2.7 > with gcc 2.8.1 or 2.95.2. It bombs out in log.c with a shit load of > errors complaining that __builtin_va_alist is undeclared. Just solved my own problem thanks to the OpenSSH mailing list archives. I had to edit the Makefile and change "-I/usr/include" to "-i/usr/include" (include the system directories AFTER the compiler include directories) and then everything built correctly. The message in the archives about this problem was dated 03/14/2000. Why hasn't this made it into the sources? > Where did you get the package you are trying to install? Did > you compile it yourself? If yes, how and what is your configuration? > If not, where did the binary package come from and what system was it > compiled for? > > The error that comes up at the installation process is when openssh generate > > the key with ssh-keygen. Look at the error message > > > ./ssh-keygen > > Bus Error (core dumped) Try rebuilding from sources. Mine is now working great! > > Thanks > > Etienne Mike -- Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From bfriday at LaSierra.edu Wed Jan 17 08:03:28 2001 From: bfriday at LaSierra.edu (Brian Friday) Date: Tue, 16 Jan 2001 13:03:28 -0800 (PST) Subject: Solaris Problem In-Reply-To: <20010116155447.B23049@alcove.wittsend.com> Message-ID: On Tue, 16 Jan 2001, Michael H. Warfield wrote: > Just solved my own problem thanks to the OpenSSH mailing list > archives. I had to edit the Makefile and change "-I/usr/include" to > "-i/usr/include" (include the system directories AFTER the compiler > include directories) and then everything built correctly. > > The message in the archives about this problem was dated 03/14/2000. > Why hasn't this made it into the sources? I've been compiling openssh on solaris machines (OS 2.5.1, 2.6, 2.7, 2.8 all sparc) for at least a year and I've never come across that problem using either Sun's C compiler product or multiple versions of GCC. Sincerely, Brian Friday Systems Administrator La Sierra University (909) 785-2554 x2 From mhw at wittsend.com Wed Jan 17 08:29:07 2001 From: mhw at wittsend.com (Michael H. Warfield) Date: Tue, 16 Jan 2001 16:29:07 -0500 Subject: Solaris Problem In-Reply-To: ; from bfriday@LaSierra.edu on Tue, Jan 16, 2001 at 01:03:28PM -0800 References: <20010116155447.B23049@alcove.wittsend.com> Message-ID: <20010116162907.A23052@alcove.wittsend.com> On Tue, Jan 16, 2001 at 01:03:28PM -0800, Brian Friday wrote: > On Tue, 16 Jan 2001, Michael H. Warfield wrote: > > Just solved my own problem thanks to the OpenSSH mailing list > > archives. I had to edit the Makefile and change "-I/usr/include" to > > "-i/usr/include" (include the system directories AFTER the compiler > > include directories) and then everything built correctly. > > The message in the archives about this problem was dated 03/14/2000. > > Why hasn't this made it into the sources? > I've been compiling openssh on solaris machines (OS 2.5.1, 2.6, 2.7, 2.8 > all sparc) for at least a year and I've never come across that problem > using either Sun's C compiler product or multiple versions of GCC. And I can take a wild guess why... Check in /usr/local/include and see if you have the file "stdarg.h". If you do, that's why. It's a development environment dependency. The stdarg.h that's in /usr/include won't work with gcc because it tries to use some funky buildin for va_start. You apparently need the gcc version of stdarg.h instead of the Solaris version. The stock Makefile contains the sequence "-I/usr/local/include -I/usr/include" so, if stdarg.h is in /usr/local/include, that version should get included instead of the one in /usr/include. My systems (2 of them) consist of fresh Solaris 2.7 (11/99) installs onto which I installed the gcc from sunfreeware.com using pkgadd. It does NOT install stdarg.h in /usr/local/include, but instead leaves it in /usr/local/lib/gcc-lib/sparc-sun-solaris2.7/{Compiler_ver}/include. I built up two fresh sparc systems this way and both were broken the same way when it came to building OpenSSH. I have confirmation from several other people in my office who have run into identical problems on Sparc systems. Interestingly enough, OpenSSL compiles even though it uses va_start/va_list/va_end in crypto/bio/b_print. That gave me the hint that maybe the "-I/usr/include" in OpenSSH should even be there AT ALL. This turns out to be the case. Removing the "-I/usr/include" instead of changing it to "-i/usr/include" has the same effect. The fact that your setup worked just means that somewhere in your include path you have a working stdarg.h prior to the one in /usr/include. > Sincerely, > Brian Friday > Systems Administrator > La Sierra University > (909) 785-2554 x2 Mike -- Michael H. Warfield | (770) 985-6132 | mhw at WittsEnd.com (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it! From bfriday at LaSierra.edu Wed Jan 17 09:18:39 2001 From: bfriday at LaSierra.edu (Brian Friday) Date: Tue, 16 Jan 2001 14:18:39 -0800 (PST) Subject: Solaris Problem In-Reply-To: <20010116162907.A23052@alcove.wittsend.com> Message-ID: On Tue, 16 Jan 2001, Michael H. Warfield wrote: > On Tue, Jan 16, 2001 at 01:03:28PM -0800, Brian Friday wrote: > > > I've been compiling openssh on solaris machines (OS 2.5.1, 2.6, 2.7, 2.8 > > all sparc) for at least a year and I've never come across that problem > > using either Sun's C compiler product or multiple versions of GCC. > > And I can take a wild guess why... Check in /usr/local/include > and see if you have the file "stdarg.h". If you do, that's why. It's > a development environment dependency. > > The stdarg.h that's in /usr/include won't work with gcc because it > tries to use some funky buildin for va_start. You apparently need the > gcc version of stdarg.h instead of the Solaris version. The stock Makefile > contains the sequence "-I/usr/local/include -I/usr/include" so, if stdarg.h > is in /usr/local/include, that version should get included instead of the one > in /usr/include. I have stdarg.h in the following locations on each system (OS number differs as well as gcc number) /usr/include/stdarg.h /usr/local/lib/gcc-lib/sparc-sun-solaris2.7/2.8.1/include/stdarg.h I think the difference between the two of us might be our environment variables. Long ago (and far away) a number of compilation attempts for some other software (way before I met openssh) required specifically the search to start in /usr/local then default to /usr/include|lib. For all I remember it could have been a how to compile using gcc document I read in the past. Regardless you will notice that instead of defaulting to looking first in /usr/[include|lib] we default our search to /usr/local/[include|lib]. I just recently reinstalled the OS on one of my machines completely. I installed a few packages after patching the system before bringing it on to our network Perl GCC TCSH autoconf ----- set path=(/usr/bin /usr/local/bin /opt/SUNWspro/bin /usr/ucb /usr/ccs/bin /opt/sbin /etc .) setenv LD_LIBRARY_PATH "/usr/local/lib:/lib:/usr/lib:/usr/local/X11/lib:/usr/dt/ lib:/usr/openwin/lib:/usr/ucblib:/usr/local/ssl/lib" setenv PATH "/usr/bin:/usr/sbin:/usr/local/bin:/opt/SUNWspro/bin:/usr/local/sbin :/usr/ccs/bin:/etc:/usr/etc:/usr/local/X11/bin:/usr/openwin/bin:/usr/local/etc:/ opt/sbin:/opt/sbin" ----- > I built up two fresh sparc systems this way and both were broken the > same way when it came to building OpenSSH. Whatever your shell may be it is defaulting to look first in /usr/include and /usr/lib. Once it finds the file it errors as you describe because it is not the file you are supposed to use (ie the gcc version). Trying setting your shell environment variables to the above and see what happens. One thing that stay standard on all my systems is my LD_LIBRARY_PATH and some portions of the PATH/path. > your include path you have a working stdarg.h prior to the one in > /usr/include. Exactly. In my case my search path defaults to /usr/local/lib before it searches /usr/lib or /usr/include thus it picks up the gcc stdarg.h as opposed to the system stdarg.h. I've found that this is not necessarily a problem with a open source software package as much as it is a problem with varying standards of open source programming. Perhaps if the program config/makefiles start in a OS that by its nature supports or uses a number of Open Source programs as its main components then defaulting to the /usr/include is appropriate. Whereas if a program is developed for open source on an OS like Solaris which does not rely on open source programs by default. The config/makefiles correctly look in /usr/local and avoid /usr. I don't know that there is an easy solution but if your going to work frequently with open source apps I'd make the above changes to your default search paths. Sincerely, Brian Friday Systems Administrator La Sierra University (909) 785-2554 x2 From djm at mindrot.org Wed Jan 17 09:25:25 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Jan 2001 09:25:25 +1100 (EST) Subject: http://www.planetit.com/techcenters/docs/security-defensive_tools/product_review/PIT20010110S0010/1 In-Reply-To: <200101161512.KAA21732@eworld.wox.org> Message-ID: On Tue, 16 Jan 2001, James Oden wrote: > I know what problem he had, at least with the rpm. At some point openssh > began being built with a newer version of rpm than shipped with RH 6.2. > The solution is for the guy to do what he was supposed to do anyway, before > he started loading extra packages, which was to go to a redhat mirror and > download the errata files pertinant to his install. One of those updated > rpms is an update of rpm. From experience he probably would need to update > the popt libraries also, as the new rpm (new to RH 6.2) depeneded on that. Yes - the need to upgrade RPM to a more recent version is documented in the file README-FIRST, which is in the same directory as the rpms on the ftp sites. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From djm at mindrot.org Wed Jan 17 09:31:32 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Jan 2001 09:31:32 +1100 (EST) Subject: ssh drops privs when it can't find ~/.ssh/prng_seed In-Reply-To: <20010116165313.A2705@womble.dur.ac.uk> Message-ID: On Tue, 16 Jan 2001, Andrew Stribblehill wrote: > I'm using OpenSSH 2.3.0p1. When my users use ssh for the first > time, using rhosts authentication, entropy.c drops the privs in > prng_write_seedfile() at the setuid(original_uid) line (line 550, > approx): > Can anyone explain firstly why it does this, and secondly how I > can stop it? Try the below patch, which causes seeds to be only written upon exit. Index: entropy.c =================================================================== RCS file: /var/cvs/openssh/entropy.c,v retrieving revision 1.22 diff -u -r1.22 entropy.c --- entropy.c 2000/11/24 23:09:32 1.22 +++ entropy.c 2001/01/16 22:29:37 @@ -601,12 +601,7 @@ debug("loading PRNG seed from file %.100s", filename); if (!prng_check_seedfile(filename)) { - verbose("Random seed file not found, creating new"); - prng_write_seedfile(); - - /* Reseed immediatly */ - (void)stir_from_system(); - (void)stir_from_programs(); + verbose("Random seed file not found or not valid, ignoring."); return; } -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From a.d.stribblehill at durham.ac.uk Wed Jan 17 10:53:52 2001 From: a.d.stribblehill at durham.ac.uk (Andrew Stribblehill) Date: Tue, 16 Jan 2001 23:53:52 +0000 Subject: ssh drops privs when it can't find ~/.ssh/prng_seed In-Reply-To: ; from djm@mindrot.org on Wed, Jan 17, 2001 at 09:31:32AM +1100 References: <20010116165313.A2705@womble.dur.ac.uk> Message-ID: <20010116235352.B2705@womble.dur.ac.uk> Quoting Damien Miller : > On Tue, 16 Jan 2001, Andrew Stribblehill wrote: > > > I'm using OpenSSH 2.3.0p1. When my users use ssh for the first > > time, using rhosts authentication, entropy.c drops the privs in > > prng_write_seedfile() at the setuid(original_uid) line (line 550, > > approx): > > > Can anyone explain firstly why it does this, and secondly how I > > can stop it? > > Try the below patch, which causes seeds to be only written upon exit. That works fine; it fixes the problem I reported, seemingly without creating any other errors. Is it going to be checked into CVS? Thanks, Andrew Stribblehill Systems programmer, IT Service, University of Durham, England From djm at mindrot.org Wed Jan 17 11:08:49 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Jan 2001 11:08:49 +1100 (EST) Subject: ssh drops privs when it can't find ~/.ssh/prng_seed In-Reply-To: <20010116235352.B2705@womble.dur.ac.uk> Message-ID: On Tue, 16 Jan 2001, Andrew Stribblehill wrote: > That works fine; it fixes the problem I reported, seemingly without > creating any other errors. > > Is it going to be checked into CVS? yes. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From djm at mindrot.org Wed Jan 17 11:28:57 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Jan 2001 11:28:57 +1100 (EST) Subject: PAM & Configure Message-ID: I have just checked in a change which makes PAM support optional and disabled by default. Previously PAM support was detected and enabled automatically if found. The change was made because there is no workable way to make PAM work 'out of the box'. Each vendor implements PAM a little differently and there appears to be no standard on the naming of modules or the augments they take. To enable PAM support, use the '--with-pam' configure flag. The RPM spec files in contrib/* have already been updated to do this. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From Darren.Moffat at eng.sun.com Wed Jan 17 11:44:45 2001 From: Darren.Moffat at eng.sun.com (Darren J Moffat) Date: Tue, 16 Jan 2001 16:44:45 -0800 Subject: PAM & Configure References: Message-ID: <3A64EAFD.7BC968EA@Eng.Sun.COM> Damien Miller wrote: > The change was made because there is no workable way to make PAM work > 'out of the box'. Each vendor implements PAM a little differently and > there appears to be no standard on the naming of modules or the augments > they take. Just a point to note here; SSHD as an application should NOT be dependant on any module existing. Applications should not assume anything about what modules are available since this breaks the entire concept of what PAM is all about. If this is the reason why PAM is being disabled then there are wrong assumptions in SSHD about what PAM should be doing and those should be fixed. Could you give a summary of what problems there were with the PAM framework being different on platforms specifically how that relates to OpenSSH ? FYI PAM was proposed to X/Open as a draft standard but never got completed, AFAIK Linux and Solaris are similar in most respects for PAM. Solaris implements what was in the standard but Linux went off and "embraced and extended (with source available)" and made enhancements and changes to this. -- Darren J Moffat From djm at mindrot.org Wed Jan 17 12:07:15 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Jan 2001 12:07:15 +1100 (EST) Subject: PAM & Configure In-Reply-To: <3A64EAFD.7BC968EA@Eng.Sun.COM> Message-ID: On Tue, 16 Jan 2001, Darren J Moffat wrote: > Damien Miller wrote: > > The change was made because there is no workable way to make PAM work > > 'out of the box'. Each vendor implements PAM a little differently and > > there appears to be no standard on the naming of modules or the augments > > they take. > > Just a point to note here; SSHD as an application should NOT be > dependant on any module existing. Applications should not assume > anything about what modules are available since this breaks the entire > concept of what PAM is all about. If this is the reason why PAM is > being disabled then there are wrong assumptions in SSHD about what PAM > should be doing and those should be fixed. sshd doesn't, but how are you supposed to install a default configuration file if there is not set of standard modules with standard arguments? > Could you give a summary of what problems there were with the PAM > framework being different on platforms specifically how that relates > to OpenSSH ? There is no way to cleanly install a default config across the various versions of PAM. Different implementations use different modules with different arguments (even pam_unix.so can't be trusted to have the same args between different Linux distributions). The PAM API is annoying in that it has been (presumably) crafted to fit the needs of login or telnet. i.e get a bit of information at a time, return textual prompts and then get the next bit. We have to resort to kludges (the conversation function which assumes ECHO_OFF prompts are asking for passwords) to get the username and password into PAM in the first place. The SSH2 KbdInteractive auth mode is a better match to the PAM way of doing things, but it would be nice if PAM had more flexability in its API. My other gripe about PAM (unrelated to ssh) is that it doesn't seperate mechanism and policy. Specifying .so files with magic options is just too fragile. > FYI PAM was proposed to X/Open as a draft standard but never got > completed, > AFAIK Linux and Solaris are similar in most respects for PAM. > Solaris implements what was in the standard but Linux went off and > "embraced > and extended (with source available)" and made enhancements and changes > to this. Has there been any movement towards reworking the standard? -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From morgan at transmeta.com Wed Jan 17 12:08:37 2001 From: morgan at transmeta.com (Andrew Morgan) Date: Tue, 16 Jan 2001 17:08:37 -0800 Subject: PAM & Configure References: <3A64EAFD.7BC968EA@Eng.Sun.COM> Message-ID: <3A64F095.7D46CBD9@transmeta.com> The Linux implementation didn't embrace all of the X/Open draft. It had a whole lot of half thought out domain and secondary sign on extensions that weren't well designed. It is true that the Linux implementation extended stuff a little. But we have strived very hard to maintain backward compatibility with the original Sunsoft RFC. I believe that the root of Damien's problem is that Linux distributions ship with a default deny option for the 'other' service, whereas other implementations ship with an 'other' that permits service. Also the pam_unix module is not necessarily the default configuration on all systems, so providing a default sshd configuration file (without which sshd won't work out of the box) is not a trivial task. It seems that third parties will want to package openshh in their own format (not just as source code), so I can well understand this decision. Cheers Andrew From rachit at ensim.com Wed Jan 17 13:11:20 2001 From: rachit at ensim.com (Rachit Siamwalla) Date: Tue, 16 Jan 2001 18:11:20 -0800 Subject: couple of questions Message-ID: <3A64FF48.6064664F@ensim.com> This is regarding openssh 2.3.0p1 (the following problem was seen on Linux client / server): I have a problem with openssh when i don't "login": ie. i do the following: ssh -2 10.1.6.13 echo 0 It doesn't print the "0". However, i can get it to print the "0" by doing the following: ssh -2 10.1.6.13 echo 0 \; sleep 1 using "ssh -2 10.1.6.13" logins to the machine fine. Also keys have already been exchanged (authorized_keys2 has been setup). Removing authorized_keys2 doesn't seem to change anything (except password is asked of course). There seems to be some kind of timing issue here. Has anyone seen this problem before? A search on the archives turned nothing (although i can't think of good keywords for this problem :)) At the end of this message will be the -v / -d output of server / client. My second question has been asked / answered once on the archive already, but I'm wondering whether someone in the meantime was able to get around this problem: I need to be able to convert a F-secure / ssh.com private key to openssh private key format. (i believe it was marcus that said that the ssh.com private key format was proprietary and the thread ended there). However, ssh.com's source code is available (last i checked), and i was wondering whether someone wrote a program to do that already. If not, i'll see if its feasable for me to do it myself (and also whether i will get into any legal issues by doing this). (yes i know i can set my ssh_configs so that they only use protocol 2) Thanx! -rchit ------------------------------------------- Output: (note that i changed the port number of communication) Server: debug1: sshd version OpenSSH_2.3.0p1 debug1: Seeding random number generator debug1: read DSA private key done debug1: Seeding random number generator debug1: Bind to port 19635 on 0.0.0.0. Server listening on 0.0.0.0 port 19635. Generating 768 bit RSA key. debug1: Seeding random number generator debug1: Seeding random number generator RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 10.8.8.107 port 1411 debug1: Client protocol version 2.0; client software version OpenSSH_2.3.0p1 debug1: no match: OpenSSH_2.3.0p1 Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1 debug1: send KEXINIT debug1: done debug1: wait KEXINIT debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug1: got kexinit: ssh-dss debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug1: got kexinit: none debug1: got kexinit: none debug1: got kexinit: debug1: got kexinit: debug1: first kex follow: 0 debug1: reserved: 0 debug1: done debug1: kex: client->server 3des-cbc hmac-sha1 none debug1: kex: server->client 3des-cbc hmac-sha1 none debug1: Wait SSH2_MSG_KEX_DH_GEX_REQUEST. /etc/ssh/primes: No such file or directory WARNING: /etc/ssh/primes does not exist, using old prime debug1: bits set: 507/1024 debug1: Sending SSH2_MSG_KEX_DH_GEX_GROUP. debug1: Wait SSH2_MSG_KEX_DH_GEX_INIT. debug1: bits set: 512/1024 debug1: sig size 20 20 debug1: send SSH2_MSG_NEWKEYS. debug1: done: send SSH2_MSG_NEWKEYS. debug1: Wait SSH2_MSG_NEWKEYS. debug1: GOT SSH2_MSG_NEWKEYS. debug1: done: KEX2. debug1: userauth-request for user root service ssh-connection method none debug1: attempt #1 debug1: Starting up PAM with username "root" Failed none for ROOT from 10.8.8.107 port 1411 ssh2 debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt #2 debug1: matching key found: file /root/.ssh/authorized_keys2, line 1 debug1: len 55 datafellows 0 debug1: dsa_verify: signature correct debug1: PAM setting rhost to "w107.ensim.com" Accepted publickey for ROOT from 10.8.8.107 port 1411 ssh2 debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 32768 debug1: open session debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: confirm session debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 channel 0 request exec reply 0 debug1: PAM establishing creds debug1: Received SIGCHLD. debug1: fd 7 setting O_NONBLOCK debug1: fd 7 IS O_NONBLOCK debug1: fd 9 setting O_NONBLOCK debug1: tvp!=NULL kid 1 mili 100 debug1: session_by_pid: pid 1699 debug1: session_exit_message: session 0 channel 0 pid 1699 debug1: session_exit_message: release channel 0 debug1: channel 0: write failed debug1: channel 0: output open -> closed debug1: channel 0: close_write debug1: channel 0: read failed debug1: channel 0: input open -> drain debug1: channel 0: close_read debug1: channel 0: input: no drain shortcut debug1: channel 0: ibuf empty debug1: channel 0: input drain -> closed debug1: channel 0: send eof debug1: session_free: session 0 pid 1699 debug1: channel 0: send close debug1: channel 0: closing efd 9 debug1: channel 0: rcvd close debug1: channel 0: full closed2 debug1: channel_free: channel 0: status: The following connections are open: #0 server-session (t4 r0 i8/2 o128/0 fd 7/7) Connection closed by remote host. debug1: Calling cleanup 0x805bf00(0x0) debug1: Calling cleanup 0x8051190(0x0) debug1: Calling cleanup 0x8061f60(0x0) ------------------------------------------- Client: SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0. Compiled with SSL (0x0090600f). debug: Reading configuration data /etc/ssh/ssh_config debug: ssh_connect: getuid 0 geteuid 0 anon 0 debug: Connecting to 10.1.6.13 [10.1.6.13] port 19635. debug: Connection established. debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1 debug: no match: OpenSSH_2.3.0p1 Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-2.0-OpenSSH_2.3.0p1 debug: Seeding random number generator debug: send KEXINIT debug: done debug: wait KEXINIT debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug: got kexinit: ssh-dss debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug: got kexinit: none,zlib debug: got kexinit: none,zlib debug: got kexinit: debug: got kexinit: debug: first kex follow: 0 debug: reserved: 0 debug: done debug: kex: server->client 3des-cbc hmac-sha1 none debug: kex: client->server 3des-cbc hmac-sha1 none debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST. debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP. debug: Got SSH2_MSG_KEX_DH_GEX_GROUP. debug: bits set: 512/1024 debug: Sending SSH2_MSG_KEX_DH_GEX_INIT. debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY. debug: Got SSH2_MSG_KEXDH_REPLY. debug: Host '10.1.6.13' is known and matches the DSA host key. debug: bits set: 507/1024 debug: len 55 datafellows 0 debug: dsa_verify: signature correct debug: Wait SSH2_MSG_NEWKEYS. debug: GOT SSH2_MSG_NEWKEYS. debug: send SSH2_MSG_NEWKEYS. debug: done: send SSH2_MSG_NEWKEYS. debug: done: KEX2. debug: send SSH2_MSG_SERVICE_REQUEST debug: service_accept: ssh-userauth debug: got SSH2_MSG_SERVICE_ACCEPT debug: authentications that can continue: publickey,password debug: next auth method to try is publickey debug: try pubkey: /root/.ssh/id_dsa debug: read DSA private key done debug: sig size 20 20 debug: ssh-userauth2 successfull: method publickey debug: channel 0: new [client-session] debug: send channel open 0 debug: Entering interactive session. debug: client_init id 0 arg 0 debug: Sending command: echo 0 debug: channel 0: open confirm rwindow 0 rmax 16384 debug: client_input_channel_req: rtype exit-status reply 0 debug: channel 0: rcvd eof debug: channel 0: output open -> drain debug: channel 0: rcvd close debug: channel 0: input open -> closed debug: channel 0: close_read debug: channel 0: obuf empty debug: channel 0: output drain -> closed debug: channel 0: close_write debug: channel 0: send close debug: channel 0: full closed2 debug: channel_free: channel 0: status: The following connections are open: #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1) debug: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.0 seconds debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0 debug: Exit status 0 From djm at mindrot.org Wed Jan 17 13:30:48 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Jan 2001 13:30:48 +1100 (EST) Subject: couple of questions In-Reply-To: <3A64FF48.6064664F@ensim.com> Message-ID: On Tue, 16 Jan 2001, Rachit Siamwalla wrote: > This is regarding openssh 2.3.0p1 (the following problem was seen on > Linux client / server): > > I have a problem with openssh when i don't "login": ie. i do the > following: > > ssh -2 10.1.6.13 echo 0 > > It doesn't print the "0". This is a known problem and has been fixed in the snapshots[1], a new release is due fairly soon. > My second question has been asked / answered once on the archive > already, but I'm wondering whether someone in the meantime was able to > get around this problem: I need to be able to convert a F-secure / > ssh.com private key to openssh private key format. (i believe it was > marcus that said that the ssh.com private key format was proprietary and > the thread ended there). However, ssh.com's source code is available > (last i checked), and i was wondering whether someone wrote a program to > do that already. If not, i'll see if its feasable for me to do it myself > (and also whether i will get into any legal issues by doing this). It wouldn't be legal to use ssh.com's sourcecode if you don't have a license for it. We will never accept any contributions which have been legally tainted by ssh.com's source. If you were to reverse engineer the format by examining & decoding the output, [sl]tracing the binary _AND_ reverse engineering is legal in your jurisdiction, then you could write a legally unencumbered version. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From oliva at lsd.ic.unicamp.br Wed Jan 17 16:19:32 2001 From: oliva at lsd.ic.unicamp.br (Alexandre Oliva) Date: 17 Jan 2001 03:19:32 -0200 Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 Message-ID: It depends on regex.h, that is not part of IRIX 5's standard library and, in fact, that is no portable in general. I'm currently using GNU rx as a replacement, but it would be nice to have a portable implementation of regular expressions built into OpenSSH, if it is to depend on them. Best regards, -- Alexandre Oliva Enjoy Guarana', see http://www.ic.unicamp.br/~oliva/ Red Hat GCC Developer aoliva@{cygnus.com, redhat.com} CS PhD student at IC-Unicamp oliva@{lsd.ic.unicamp.br, gnu.org} Free Software Evangelist *Please* write to mailing lists, not to me From carson at taltos.org Wed Jan 17 17:15:23 2001 From: carson at taltos.org (Carson Gaspar) Date: Tue, 16 Jan 2001 22:15:23 -0800 Subject: Solaris Problem In-Reply-To: <20010116155447.B23049@alcove.wittsend.com> Message-ID: <430780375.979683323@[10.10.1.2]> --On Tuesday, January 16, 2001 3:54 PM -0500 "Michael H. Warfield" wrote: > Just solved my own problem thanks to the OpenSSH mailing list > archives. I had to edit the Makefile and change "-I/usr/include" to > "-i/usr/include" (include the system directories AFTER the compiler > include directories) and then everything built correctly. Actually, the _correct_ fix is to _remove_ -I/usr/include completely. Let the compiler do its job. What dain-bramaged OS caused that to make it into compile flags in the first place? -- Carson From pekkas at netcore.fi Wed Jan 17 17:49:47 2001 From: pekkas at netcore.fi (Pekka Savola) Date: Wed, 17 Jan 2001 08:49:47 +0200 (EET) Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: Message-ID: On 17 Jan 2001, Alexandre Oliva wrote: > It depends on regex.h, that is not part of IRIX 5's standard library > and, in fact, that is no portable in general. I'm currently using > GNU rx as a replacement, but it would be nice to have a portable > implementation of regular expressions built into OpenSSH, if it is to > depend on them. Build in everything some ancient && obscure systems just _might_ need? SGI doesn't even support Irix 5 anymore, AFAIK. IMO, no way :-) -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From oliva at lsd.ic.unicamp.br Wed Jan 17 18:21:55 2001 From: oliva at lsd.ic.unicamp.br (Alexandre Oliva) Date: 17 Jan 2001 05:21:55 -0200 Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: References: Message-ID: On Jan 17, 2001, Pekka Savola wrote: > Build in everything some ancient && obscure systems just _might_ need? > SGI doesn't even support Irix 5 anymore, AFAIK. IMO, no way :-) I sincerely hope this is not the official position of the OpenSSH porting team. I understand sticking to a portable subset of functionality is a pain, but adding a small regex package to the distribution, or just not using regexes, as in previous releases, mustn't be that painful. I'm sure IRIX 5 isn't the only system that doesn't offer POSIX regular expressions. I'd recommend Henry Spencer's regex package, that comes with a very liberal license and is very, very portable. We've been using release alpha3.6, slightly modified, in Amanda (www.amanda.org) for a couple of years. I see there's a newer release available at ftp://ftp.zoo.toronto.edu/pub/regex.shar. Please consider shipping it along with OpenSSH, with some configury machinery to detect the lack of regex.h and fallback to it. Or take Amanda's approach, which is to use it unconditionally :-) Feel free to borrow Amanda's regex embedding technology from common-src sub-directory. -- Alexandre Oliva Enjoy Guarana', see http://www.ic.unicamp.br/~oliva/ Red Hat GCC Developer aoliva@{cygnus.com, redhat.com} CS PhD student at IC-Unicamp oliva@{lsd.ic.unicamp.br, gnu.org} Free Software Evangelist *Please* write to mailing lists, not to me From shorty at getuid.de Wed Jan 17 18:26:50 2001 From: shorty at getuid.de (Christian Kurz) Date: Wed, 17 Jan 2001 08:26:50 +0100 Subject: Hostname handling of openssh Message-ID: <20010117082650.A16948@seteuid.getuid.de> Hi, I got the following bugreport which makes the submitter very confused: > $ ssh host > The authenticity of host 'host' can't be established. > RSA key fingerprint is 38:bf:b9:a3:e3:64:9a:28:c7:5f:ba:87:12:06:a9:10. > Are you sure you want to continue connecting (yes/no)? yes > Warning: Permanently added 'host,192.168.33.23' (RSA) to the list of known hosts. > Last login: Tue Jan 16 23:13:38 2001 from host2.doma.in on pts/8 > Linux host 2.2.17pre16 #1 Fri Aug 11 22:00:38 CEST 2000 i686 unknown > You have newmail. > host% logout > Connection to host closed. > $ grep host .ssh/known_hosts > host,192.168.33.23 1024 35 12131082570035376314617778062669953008287727... > As you can see, it *does* add the IP number now (which is a good thing) > but still not the FQDN. If the CVS version works for you, it is either > a bug that got fixed, or the Debian package wasn't built properly. > However I read the manpage of ssh, which says: > The canonical system name (as returned by name servers) is used > by sshd(8) to verify the client host when logging in; other names > are needed because ssh does not convert the user-supplied name to > a canonical name before checking the key, because someone with > access to the name servers would then be able to fool host au- > thentication. > The weird thing is that this was in the manpage for 1.2.3 as well, > in which ssh which _does_ convert the user-supplied name to a canonical name. > So now I'm confused - 1.2.3, the manpages, and apparently the CVS > versions all describe and do different things. > I think that the canonical name should be used when CheckHostIP > is set to yes. I just noticed that this really happens with the CVS-Version. So could one of you guys please enlighten me? Ciao Christian -- While the year 2000 (y2k) problem is not an issue for us, all Linux implementations will impacted by the year 2038 (y2.038k) issue. The Debian Project is committed to working with the industry on this issue and we will have our full plans and strategy posted by the first quarter of 2020. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 242 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010117/293d5e97/attachment.bin From Markus.Friedl at informatik.uni-erlangen.de Wed Jan 17 22:29:47 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 17 Jan 2001 12:29:47 +0100 Subject: upcoming s/key changes Message-ID: <20010117122947.A25996@faui02.informatik.uni-erlangen.de> could someone please review this change? http://131.188.30.102/~msfriedl/openssh/SSHD_AUTH_PATCH is a diff against openbsd's cvs and will commited ASAP. the patch tries to unify various challenge/response methods in ssh1 and ssh2. faking s/key is dropped, since i am not sure what do do for faking cryptocard and other challenge/response methods. -markus From djm at mindrot.org Wed Jan 17 23:01:52 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Jan 2001 23:01:52 +1100 (EST) Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: Message-ID: On 17 Jan 2001, Alexandre Oliva wrote: > It depends on regex.h, that is not part of IRIX 5's standard library > and, in fact, that is no portable in general. I'm currently using > GNU rx as a replacement, but it would be nice to have a portable > implementation of regular expressions built into OpenSSH, if it is to > depend on them. This has come up in the past: we will not be including a regex implementation in OpenSSH, the OpenBSD regex is ~100k of source. An excellent regex replacement is PCRE (I don't have the URL handy). -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From djm at mindrot.org Wed Jan 17 23:02:28 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 17 Jan 2001 23:02:28 +1100 (EST) Subject: Solaris Problem In-Reply-To: <430780375.979683323@[10.10.1.2]> Message-ID: On Tue, 16 Jan 2001, Carson Gaspar wrote: > > > --On Tuesday, January 16, 2001 3:54 PM -0500 "Michael H. Warfield" > wrote: > > > Just solved my own problem thanks to the OpenSSH mailing list > > archives. I had to edit the Makefile and change "-I/usr/include" to > > "-i/usr/include" (include the system directories AFTER the compiler > > include directories) and then everything built correctly. > > Actually, the _correct_ fix is to _remove_ -I/usr/include completely. Let > the compiler do its job. What dain-bramaged OS caused that to make it into > compile flags in the first place? Try a braindamaged configure script. Try the snapshots - I think I have gotten rid of it. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From Nigel.Metheringham at InTechnology.co.uk Wed Jan 17 23:15:04 2001 From: Nigel.Metheringham at InTechnology.co.uk (Nigel Metheringham) Date: Wed, 17 Jan 2001 12:15:04 +0000 Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: Message from Damien Miller of "Wed, 17 Jan 2001 23:01:52 +1100." Message-ID: djm at mindrot.org said: > An excellent regex replacement is PCRE (I don't have the URL handy). Primary site is:- ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ The current .tar.gz file is nearly 300K (although that includes the test vectors and stuff). Nigel. -- [ Nigel Metheringham Nigel.Metheringham at InTechnology.co.uk ] [ Phone: +44 1423 850000 Fax +44 1423 858866 ] [ - Comments in this message are my own and not ITO opinion/policy - ] From oliva at lsd.ic.unicamp.br Wed Jan 17 23:21:21 2001 From: oliva at lsd.ic.unicamp.br (Alexandre Oliva) Date: 17 Jan 2001 10:21:21 -0200 Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: References: Message-ID: On Jan 17, 2001, Damien Miller wrote: > This has come up in the past: we will not be including a regex > implementation in OpenSSH, the OpenBSD regex is ~100k of source. Ok, so how about configure hooks to use GNU rx, for example? -- Alexandre Oliva Enjoy Guarana', see http://www.ic.unicamp.br/~oliva/ Red Hat GCC Developer aoliva@{cygnus.com, redhat.com} CS PhD student at IC-Unicamp oliva@{lsd.ic.unicamp.br, gnu.org} Free Software Evangelist *Please* write to mailing lists, not to me From mouring at etoh.eviladmin.org Thu Jan 18 01:59:25 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 17 Jan 2001 08:59:25 -0600 (CST) Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: Message-ID: On 17 Jan 2001, Alexandre Oliva wrote: > On Jan 17, 2001, Damien Miller wrote: > > > This has come up in the past: we will not be including a regex > > implementation in OpenSSH, the OpenBSD regex is ~100k of source. > > Ok, so how about configure hooks to use GNU rx, for example? > Hooks are in place for PCRE. If I remember right there was only a few minor tweaks to let GNU rx work. And I have no if someone wants to send me a patch to allow rx (as long as it does not break PCRE!). NeXT is the only other platform I know at this point that lacks a POSIX regular expression.. Thus the reason why PCRE is detected and used if no system POSIX libraries are usable. (Sony's News-os may be another, but I've not heard back from anyone running that platform in a few months.) =) If I had my way I'd get Apple to send me their 'libposix' CVS code from their NeXTSTep 4.2 branch and fix it. And migrate all the NeXTism back to where it belonged.. but that will never happen since last I checked with them they said, 'no'. - Ben From shea at gtsdesign.com Thu Jan 18 03:15:10 2001 From: shea at gtsdesign.com (Gary Shea) Date: Wed, 17 Jan 2001 09:15:10 -0700 (MST) Subject: Connections automatically timeout? Message-ID: Hi -- Recently set up OpenSSH on a number of machines that I'd been using ssh2 on (illegally, it turns out... gotta read the small print!). OpenSSH is working great except for one small thing. If I leave an openssh connection untouched for a few hours, it seems to automatically disconnect. I don't see this behaviour with ssh.com ssh, either v1 or v2. I have Keep-Alive set to 'no' for both openssh and commercial ssh, but can't find any other possibly relevant directives. Am I missing something obvious? Thanks! Gary From gert at greenie.muc.de Thu Jan 18 03:37:42 2001 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 17 Jan 2001 17:37:42 +0100 Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: ; from mouring@etoh.eviladmin.org on Wed, Jan 17, 2001 at 08:59:25AM -0600 References: Message-ID: <20010117173742.C10969@greenie.muc.de> Hi, On Wed, Jan 17, 2001 at 08:59:25AM -0600, mouring at etoh.eviladmin.org wrote: > NeXT is the only other platform I know at this point that lacks a POSIX > regular expression.. Thus the reason why PCRE is detected and used if no > system POSIX libraries are usable. (Sony's News-os may be another, but > I've not heard back from anyone running that platform in a few months.) SCO 3.2v4.2 (Open Server 3.0) doesn't have POSIX regex's either. OpenSSH_CVS seems to compile nicely with the GNU rx library that I have installed here, though. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From oliva at lsd.ic.unicamp.br Thu Jan 18 03:48:22 2001 From: oliva at lsd.ic.unicamp.br (Alexandre Oliva) Date: 17 Jan 2001 14:48:22 -0200 Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: <20010117173742.C10969@greenie.muc.de> References: <20010117173742.C10969@greenie.muc.de> Message-ID: On Jan 17, 2001, Gert Doering wrote: > OpenSSH_CVS seems to compile nicely with the GNU rx library that I have > installed here, though. Great! Thanks for taking one item out of my to-do list :-) -- Alexandre Oliva Enjoy Guarana', see http://www.ic.unicamp.br/~oliva/ Red Hat GCC Developer aoliva@{cygnus.com, redhat.com} CS PhD student at IC-Unicamp oliva@{lsd.ic.unicamp.br, gnu.org} Free Software Evangelist *Please* write to mailing lists, not to me From dale at accentre.com Thu Jan 18 04:30:46 2001 From: dale at accentre.com (Dale Stimson) Date: Wed, 17 Jan 2001 09:30:46 -0800 Subject: Connections automatically timeout? In-Reply-To: ; from shea@gtsdesign.com on Wed, Jan 17, 2001 at 09:15:10AM -0700 References: Message-ID: <20010117093046.A29637@cupro.opengvs.com> Hi, On Wed, Jan 17, 2001 at 09:15:10AM -0700, Gary Shea wrote: > Recently set up OpenSSH on a number of machines that I'd been using > ssh2 on (illegally, it turns out... gotta read the small print!). > OpenSSH is working great except for one small thing. > > If I leave an openssh connection untouched for a few hours, it seems to > automatically disconnect. I don't see this behaviour with ssh.com > ssh, either v1 or v2. > > I have Keep-Alive set to 'no' for both openssh and commercial ssh, but > can't find any other possibly relevant directives. Am I missing something > obvious? This sounds like a problem I experienced, wherein a connection that was inactive over a period of time "hangs" because an intermediate router that was masquerading IP addresses timed-out the masquerade table entries due to inactivity (30 minutes in my case). The solution is to: 1. enable keep alive on either the client or server (in my case, it was logical to do both, as it was an issue for both incoming and outgoing connections. That is: KeepAlive yes in both sshd_config and and ssh_config (or $HOME/.ssh/config). 2. Fix ssh and sshd so that they honor the keep alive request for both protocol 1 and 2. See my previous email to the list of Jan 12 which has relevant patches, subject: Re: Socket options not properly set for ssh and sshd. I'll forward that off-list. I see by checking out top-of-tree Openssh with anonymous CVS that as of yesterday, the patch is in the OpenBSD version of Openssh, but not yet in the portable version. The patch is not yet in any released version. (I'd expect to see it in the V2.4.0 release). From Donald.Smith at qwest.com Thu Jan 18 04:41:12 2001 From: Donald.Smith at qwest.com (Smith, Donald ) Date: Wed, 17 Jan 2001 10:41:12 -0700 Subject: PAM & Configure Message-ID: <2D00AD0E4D36D411BD300008C786E4240125832C@Denntex021.qwest.net> Damien having said that PAM is an unmanagable pain what is the objection to haveing Theo Schlossnagle's securid patch included into the cvs tree? The pam+kbdinteractive is not a solution if you have to support older ssh clients (protocal 1). Donald.Smith at qwest.com IP Engineering Security 303-226-9939/0688 Office/Fax 720-320-1537 cell > -----Original Message----- > From: Damien Miller [mailto:djm at mindrot.org] > Sent: Tuesday, January 16, 2001 6:07 PM > To: Darren J Moffat > Cc: openssh-unix-dev at mindrot.org > Subject: Re: PAM & Configure > > > On Tue, 16 Jan 2001, Darren J Moffat wrote: > > > Damien Miller wrote: > > > The change was made because there is no workable way to > make PAM work > > > 'out of the box'. Each vendor implements PAM a little > differently and > > > there appears to be no standard on the naming of modules > or the augments > > > they take. > > > > Just a point to note here; SSHD as an application should NOT be > > dependant on any module existing. Applications should not assume > > anything about what modules are available since this breaks > the entire > > concept of what PAM is all about. If this is the reason why PAM is > > being disabled then there are wrong assumptions in SSHD > about what PAM > > should be doing and those should be fixed. > > sshd doesn't, but how are you supposed to install a default > configuration file if there is not set of standard modules with > standard arguments? > > > Could you give a summary of what problems there were with the PAM > > framework being different on platforms specifically how that relates > > to OpenSSH ? > > There is no way to cleanly install a default config across the various > versions of PAM. Different implementations use different modules with > different arguments (even pam_unix.so can't be trusted to > have the same > args between different Linux distributions). > > The PAM API is annoying in that it has been (presumably) > crafted to fit > the needs of login or telnet. i.e get a bit of information at a time, > return textual prompts and then get the next bit. We have to resort to > kludges (the conversation function which assumes ECHO_OFF prompts are > asking for passwords) to get the username and password into > PAM in the > first place. > > The SSH2 KbdInteractive auth mode is a better match to the PAM way of > doing things, but it would be nice if PAM had more flexability in its > API. > > My other gripe about PAM (unrelated to ssh) is that it > doesn't seperate > mechanism and policy. Specifying .so files with magic options > is just too > fragile. > > > FYI PAM was proposed to X/Open as a draft standard but never got > > completed, > > AFAIK Linux and Solaris are similar in most respects for PAM. > > Solaris implements what was in the standard but Linux went off and > > "embraced > > and extended (with source available)" and made enhancements > and changes > > to this. > > Has there been any movement towards reworking the standard? > > -d > > -- > | ``We've all heard that a million monkeys banging on | > Damien Miller - > | a million typewriters will eventually reproduce the | > > | works of Shakespeare. Now, thanks to the Internet, / > | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From mouring at etoh.eviladmin.org Thu Jan 18 10:05:56 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 17 Jan 2001 17:05:56 -0600 (CST) Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: <20010117173742.C10969@greenie.muc.de> Message-ID: On Wed, 17 Jan 2001, Gert Doering wrote: > Hi, > > On Wed, Jan 17, 2001 at 08:59:25AM -0600, mouring at etoh.eviladmin.org wrote: > > NeXT is the only other platform I know at this point that lacks a POSIX > > regular expression.. Thus the reason why PCRE is detected and used if no > > system POSIX libraries are usable. (Sony's News-os may be another, but > > I've not heard back from anyone running that platform in a few months.) > > SCO 3.2v4.2 (Open Server 3.0) doesn't have POSIX regex's either. > > OpenSSH_CVS seems to compile nicely with the GNU rx library that I have > installed here, though. > Hmm..No configure changes required? That is a first. - Ben From mouring at etoh.eviladmin.org Thu Jan 18 10:11:18 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 17 Jan 2001 17:11:18 -0600 (CST) Subject: Connections automatically timeout? In-Reply-To: <20010117093046.A29637@cupro.opengvs.com> Message-ID: > 2. Fix ssh and sshd so that they honor the keep alive request for > both protocol 1 and 2. See my previous email to the list of Jan 12 > which has relevant patches, subject: Re: Socket options not properly > set for ssh and sshd. I'll forward that off-list. > > I see by checking out top-of-tree Openssh with anonymous CVS that > as of yesterday, the patch is in the OpenBSD version of Openssh, > but not yet in the portable version. The patch is not yet in any > released version. (I'd expect to see it in the V2.4.0 release). > If it's in the last week's worth of OpenBSD tree changes. Then hopefully it will be in the portable tree tonight. Some of us have lives outside of computers, and mine caugh up and over powered me for a few days. =) - Ben From gert at greenie.muc.de Thu Jan 18 09:21:46 2001 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 17 Jan 2001 23:21:46 +0100 Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: ; from mouring@etoh.eviladmin.org on Wed, Jan 17, 2001 at 05:05:56PM -0600 References: <20010117173742.C10969@greenie.muc.de> Message-ID: <20010117232146.D18937@greenie.muc.de> Hi, On Wed, Jan 17, 2001 at 05:05:56PM -0600, mouring at etoh.eviladmin.org wrote: > > SCO 3.2v4.2 (Open Server 3.0) doesn't have POSIX regex's either. > > > > OpenSSH_CVS seems to compile nicely with the GNU rx library that I have > > installed here, though. > > > Hmm..No configure changes required? That is a first. Ummm, lotsa configure changes required, but none of them for the regex stuff. (The stuff that was required are things like "-l..." library order and such, which I didn't clean up enough yet to send to the list) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From djm at mindrot.org Thu Jan 18 09:33:59 2001 From: djm at mindrot.org (Damien Miller) Date: Thu, 18 Jan 2001 09:33:59 +1100 (EST) Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: Message-ID: On 17 Jan 2001, Alexandre Oliva wrote: > On Jan 17, 2001, Damien Miller wrote: > > > This has come up in the past: we will not be including a regex > > implementation in OpenSSH, the OpenBSD regex is ~100k of source. > > Ok, so how about configure hooks to use GNU rx, for example? ./configure --with-libs=-lrx --with-cppflags=-I/path/to/rx --with-ldflags=/path/to/rx -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From djm at mindrot.org Thu Jan 18 09:39:22 2001 From: djm at mindrot.org (Damien Miller) Date: Thu, 18 Jan 2001 09:39:22 +1100 (EST) Subject: Connections automatically timeout? In-Reply-To: Message-ID: On Wed, 17 Jan 2001, Gary Shea wrote: > Hi -- > > Recently set up OpenSSH on a number of machines that I'd been using > ssh2 on (illegally, it turns out... gotta read the small print!). > OpenSSH is working great except for one small thing. > > If I leave an openssh connection untouched for a few hours, it seems to > automatically disconnect. I don't see this behaviour with ssh.com > ssh, either v1 or v2. > > I have Keep-Alive set to 'no' for both openssh and commercial ssh, but > can't find any other possibly relevant directives. Am I missing something > obvious? Is there a router performing NAT or a masquerading firewall between the client and the server? These frequently timeout quiescent connections. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From djm at mindrot.org Thu Jan 18 09:44:08 2001 From: djm at mindrot.org (Damien Miller) Date: Thu, 18 Jan 2001 09:44:08 +1100 (EST) Subject: PAM & Configure In-Reply-To: <2D00AD0E4D36D411BD300008C786E4240125832C@Denntex021.qwest.net> Message-ID: On Wed, 17 Jan 2001, Smith, Donald wrote: > Damien having said that PAM is an unmanagable pain what is the > objection to haveing Theo Schlossnagle's securid patch included into the cvs > tree? We won't put patches for proprietary products into OpenSSH. It could live as a diff in contrib/ if someone wanted to maintain it. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From shea at gtsdesign.com Thu Jan 18 09:58:46 2001 From: shea at gtsdesign.com (Gary Shea) Date: Wed, 17 Jan 2001 15:58:46 -0700 (MST) Subject: Connections automatically timeout? In-Reply-To: Message-ID: Tomorrow, Damien Miller (djm at mindrot.org) wrote: ^^^^^^^^ Now that's living on the edge! > On Wed, 17 Jan 2001, Gary Shea wrote: > > > Hi -- > > > > Recently set up OpenSSH on a number of machines that I'd been using > > ssh2 on (illegally, it turns out... gotta read the small print!). > > OpenSSH is working great except for one small thing. > > > > If I leave an openssh connection untouched for a few hours, it seems to > > automatically disconnect. I don't see this behaviour with ssh.com > > ssh, either v1 or v2. > > > > I have Keep-Alive set to 'no' for both openssh and commercial ssh, but > > can't find any other possibly relevant directives. Am I missing something > > obvious? > > Is there a router performing NAT or a masquerading firewall between the > client and the server? These frequently timeout quiescent connections. > > -d There are in fact TWO different masquerading firewalls between the client and server machines! However, I'm not convinced that's the problem. Here's my logic: As I mentioned earlier, my commercial ssh2 connections survive indefinitely. Maybe ssh.com ssh2 doesn't respect my request to turn KeepAlive's off? Nope, because when I turn ssh.com ssh2's KeepAlive's on, I lose my connection with every little network glitch. With KeepAlive off, I have seen my connection survive some fairly nasty network outages. I will run a few experiments to see if maybe something has changed since I last played with KeepAlive on ssh.com ssh2. Wouldn't surprise me... Thanks for the ideas! Gary > > > -- > | ``We've all heard that a million monkeys banging on | Damien Miller - > | a million typewriters will eventually reproduce the | > | works of Shakespeare. Now, thanks to the Internet, / > | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org > > > From GORDONFR at Attachmate.com Thu Jan 18 11:51:36 2001 From: GORDONFR at Attachmate.com (Gordon Fritsch) Date: Wed, 17 Jan 2001 16:51:36 -0800 Subject: BSafe toolkits for implementing RSA public key algorithm Message-ID: <512C2140816ED111B22E00600857374B013822A2@EXCH-VAN1> Has anyone had any experience with any of the BSafe toolkits that are available and contain support for the RSA public key algorithms? I would like to use one of RSA's toolkits in a port of a Windows OpenSSH client that I am working on, in order to avoid any licensing issues from RSA. Can anyone recommend a good toolkit? I understand that there a number of them, such as BSafe SSL-C, SLPlus, SSLRef, etc. thanks, Gordon From djm at mindrot.org Thu Jan 18 11:57:08 2001 From: djm at mindrot.org (Damien Miller) Date: Thu, 18 Jan 2001 11:57:08 +1100 (EST) Subject: BSafe toolkits for implementing RSA public key algorithm In-Reply-To: <512C2140816ED111B22E00600857374B013822A2@EXCH-VAN1> Message-ID: On Wed, 17 Jan 2001, Gordon Fritsch wrote: > Has anyone had any experience with any of the BSafe toolkits that are > available and contain support for the RSA public key algorithms? I would > like to use one of RSA's toolkits in a port of a Windows OpenSSH client that > I am working on, in order to avoid any licensing issues from RSA. Can anyone > recommend a good toolkit? I understand that there a number of them, such as > BSafe SSL-C, SLPlus, SSLRef, etc. There are no licensing issues for RSA - the patent expired last year. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From GORDONFR at Attachmate.com Thu Jan 18 12:02:02 2001 From: GORDONFR at Attachmate.com (Gordon Fritsch) Date: Wed, 17 Jan 2001 17:02:02 -0800 Subject: BSafe toolkits for implementing RSA public key algorithm Message-ID: <512C2140816ED111B22E00600857374B013822A4@EXCH-VAN1> That is what I am hearing, but our legal department seems to think otherwise. Apparently, even though the patent expired, there are licensing issues with using the RSA algorithms. This is for a possible commercial application. -----Original Message----- From: Damien Miller [mailto:djm at mindrot.org] Sent: Wednesday, January 17, 2001 4:57 PM To: Gordon Fritsch Cc: 'ssh at clienet.fi'; 'openssh-unix-dev at mindrot.org' Subject: Re: BSafe toolkits for implementing RSA public key algorithm On Wed, 17 Jan 2001, Gordon Fritsch wrote: > Has anyone had any experience with any of the BSafe toolkits that are > available and contain support for the RSA public key algorithms? I would > like to use one of RSA's toolkits in a port of a Windows OpenSSH client that > I am working on, in order to avoid any licensing issues from RSA. Can anyone > recommend a good toolkit? I understand that there a number of them, such as > BSafe SSL-C, SLPlus, SSLRef, etc. There are no licensing issues for RSA - the patent expired last year. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From djm at mindrot.org Thu Jan 18 12:05:41 2001 From: djm at mindrot.org (Damien Miller) Date: Thu, 18 Jan 2001 12:05:41 +1100 (EST) Subject: BSafe toolkits for implementing RSA public key algorithm In-Reply-To: <512C2140816ED111B22E00600857374B013822A4@EXCH-VAN1> Message-ID: On Wed, 17 Jan 2001, Gordon Fritsch wrote: > That is what I am hearing, but our legal department seems to think > otherwise. Apparently, even though the patent expired, there are licensing > issues with using the RSA algorithms. This is for a possible commercial > application. There are only licensing issues if you are using a implementation from RSADSI. The OpenSSL implementation (as used by OpenSSH) is not derived from RSA code, there are also other Public Domain implementations if you don't like OpenSSL's license. RSADSI even released rights to the RSA algorithm prior to the expiry of the patent - check the press releases on their website for details. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From dbt at meat.net Thu Jan 18 12:08:08 2001 From: dbt at meat.net (David Terrell) Date: Wed, 17 Jan 2001 17:08:08 -0800 Subject: BSafe toolkits for implementing RSA public key algorithm In-Reply-To: <512C2140816ED111B22E00600857374B013822A4@EXCH-VAN1>; from GORDONFR@Attachmate.com on Wed, Jan 17, 2001 at 05:02:02PM -0800 References: <512C2140816ED111B22E00600857374B013822A4@EXCH-VAN1> Message-ID: <20010117170808.A3497@pianosa.catch22.org> On Wed, Jan 17, 2001 at 05:02:02PM -0800, Gordon Fritsch wrote: > That is what I am hearing, but our legal department seems to think > otherwise. Apparently, even though the patent expired, there are licensing > issues with using the RSA algorithms. This is for a possible commercial > application. RSA Labs explicitly put the RSA patent into the public domain on Sept 6th. Press release here: http://www.rsasecurity.com/news/pr/000906-1.html. The BSAFE RSA crypto toolkit is still commercial software and must be licensed from RSA Security Inc for use. Your legal dept may be confusing RSA the algorithm with RSA's BSAFE implementation -- further discussion of this is unrelated to ssh but can be directed to me personally. -- David Terrell | "To increase the hype, I'm gonna release a bunch Nebcorp PM | of BLT variants (NetBLT, FreeBLT, BLT386, etc) dbt at meat.net | and create artificial rivalries." wwn.nebcorp.com | - Brian Sweltand (www.openblt.org) From celinn at mtu.edu Thu Jan 18 12:10:24 2001 From: celinn at mtu.edu (Christopher Linn) Date: Wed, 17 Jan 2001 20:10:24 -0500 Subject: BSafe toolkits for implementing RSA public key algorithm In-Reply-To: <512C2140816ED111B22E00600857374B013822A4@EXCH-VAN1>; from Gordon Fritsch on Wed, Jan 17, 2001 at 05:02:02PM -0800 References: <512C2140816ED111B22E00600857374B013822A4@EXCH-VAN1> Message-ID: <20010117201024.F369@mtu.edu> gordon, if there really are any issues, there are alot of people who would be very concerned about that. if you find out any substance to this, please inform the community at large. best regards, chris On Wed, Jan 17, 2001 at 05:02:02PM -0800, Gordon Fritsch wrote: > That is what I am hearing, but our legal department seems to think > otherwise. Apparently, even though the patent expired, there are licensing > issues with using the RSA algorithms. This is for a possible commercial > application. -- Christopher Linn | All opinions are my own and should Staff System Administrator | not be construed as reflecting the Center for Experimental Computation | opinions or policies of the CEC or Michigan Technological University | of the people who sign my paycheck From andrew at pimlott.ne.mediaone.net Thu Jan 18 12:19:07 2001 From: andrew at pimlott.ne.mediaone.net (Andrew Pimlott) Date: Wed, 17 Jan 2001 20:19:07 -0500 Subject: ssh-add bug Message-ID: <20010117201907.A4467@pimlott.ne.mediaone.net> There is an amusing bug in ssh-add that causes it to go into an infinite loop. I am using openssh 1.2.3, and noticed that when I ran "ssh-add < /dev/null" in my X startup scripts, but didn't have ssh-askpass installed, ssh-add started spewing errors into my .xsession-errors and didn't stop. I found that what happens is: ssh-add forks and attempts to exec ssh-askpass. The exec-ed process is supposed to pass back the passphrase on stdout. However, when the exec fails, the child ssh-add process exits and--if stdout was not a terminal--flushes its stdio buffers, which happen to contain a "Need passphrase" message. As a result, the parent ssh-add sees what it interprets as a passphrase coming back from the child. It tries to use this to decript the key, fails, and tries the whole thing over again. You can reproduce by moving ssh-askpass to another name (setting SSH_ASKPASS=nowhere should also do) and running "ssh-add < /dev/null > /dev/null". A strace showing this folly is at the end. I think a patch that fixes this is --- ssh-add.c.orig Wed Jan 17 20:09:29 2001 +++ ssh-add.c Wed Jan 17 20:14:07 2001 @@ -59,6 +59,9 @@ int p[2], status; char buf[1024]; + /* make sure child doesn't accidentally blab to stdout */ + if (fflush(stdout) != 0) + fatal("ssh_askpass: fflush: %s", strerror(errno)); if (askpass == NULL) fatal("internal error: askpass undefined"); if (pipe(p) < 0) (untested because I don't have all the libraries on this machine to recompile). Andrew Strace output: pipe([4, 5]) = 0 fork() = 16582 [pid 19607] close(5) = 0 [pid 19607] read(4, [pid 16582] close(4) = 0 [pid 16582] dup2(5, 1) = 1 [pid 16582] execve("/usr/bin/ssh-askpass", ["/usr/bin/ssh-askpass", "Bad passphr ase, try again"], [/* 20 vars */]) = -1 ENOENT (No such file or directory) [pid 16582] write(2, "ssh_askpass: exec(/usr/bin/ssh-a"..., 66) = 66 [pid 16582] write(2, "\r\n", 2) = 2 [pid 16582] write(1, "Need passphrase for /home/pimlot"..., 48) = 48 [pid 16582] munmap(0x40018000, 4096) = 0 [pid 16582] _exit(255) = ? <... read resumed> "Need passphrase for /home/pimlot"..., 1024) = 48 --- SIGCHLD (Child exited) --- close(4) = 0 wait4(16582, [WIFEXITED(s) && WEXITSTATUS(s) == 255], 0, NULL) = 16582 open("/home/pimlott/.ssh/identity", O_RDONLY) = 4 fstat(4, {st_mode=S_IFREG|0600, st_size=529, ...}) = 0 getuid() = 1000 getuid() = 1000 lseek(4, 0, SEEK_END) = 529 lseek(4, 0, SEEK_SET) = 0 read(4, "SSH PRIVATE KEY FILE FORMAT 1.1\n"..., 529) = 529 close(4) = 0 pipe([4, 5]) = 0 fork() = 16583 From mouring at etoh.eviladmin.org Thu Jan 18 14:05:47 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 17 Jan 2001 21:05:47 -0600 (CST) Subject: Warning to all CVS users. In-Reply-To: <20010117201907.A4467@pimlott.ne.mediaone.net> Message-ID: For all of you who are testing off the Portable CVS tree. Let point out a new 'feature' that was just brought over from the OpenBSD tree: - markus at cvs.openbsd.org 2001/01/16 19:20:06 [key.c ssh-rsa.c] make "ssh-rsa" key format for ssh2 confirm to the ietf-drafts; from galb at vandyke.com. note that you have to delete older ssh2-rsa keys, since they are in the wrong format, too. they must be removed from .ssh/authorized_keys2 and .ssh/known_hosts2, etc. (cd; grep -v ssh-rsa .ssh/authorized_keys2 > TMP && mv TMP .ssh/authorized_keys2) additionally, we now check that BN_num_bits(rsa->n) >= 768. So keep this in mind. =) This has bitten me in a the ass already while trying to submit the whole ball of wax. I believe this means that if you use the standard key generation of OpenSSH you need to regenerate your keys. (Which I can't do quite yet. =) - Ben From mouring at etoh.eviladmin.org Thu Jan 18 14:36:29 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 17 Jan 2001 21:36:29 -0600 (CST) Subject: Warning to all CVS users. In-Reply-To: Message-ID: > I believe this means that if you use the standard key generation of > OpenSSH you need to regenerate your keys. (Which I can't do quite yet. =) > Ignore this.=) Just make sure your sshd is restarted. But still the general warning is valid.=) From douglas.manton at uk.ibm.com Wed Jan 17 03:58:22 2001 From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com) Date: Tue, 16 Jan 2001 16:58:22 +0000 Subject: AIX <--> Solaris X11 Forwarding Problem Message-ID: <802569D6.005D3DEA.00@d06mta05.portsmouth.uk.ibm.com> I have an X11 application installed on a Solaris 5.7 server. ?The server runs the OpenSSH 2.3.0p1 daemon. ?I then SSH to this server from OpenSSH 2.3.0p1 under AIX with X11 forwarding enabled. ?I can run X utilities, such as xclock and xterm, without any problems. ?However, the X11 application I require (a Privacy Manager GUI) creates an empty window frame. If I telnet from the AIX server to the Sun machine and export the display then this application works perfectly. ?I have tried all combinations of SSH1, SSH2, compression on and off and different encryption algorithms to no effect. Any ideas welcomed. -------------------------------------------------------- Doug Manton, AT&T EMEA Firewall and Security Solutions ? ? ? ? ? ? ? ?E: ?demanton at att.com -------------------------------------------------------- "If privacy is outlawed, only outlaws will have privacy" From douglas.manton at uk.ibm.com Wed Jan 17 19:18:32 2001 From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com) Date: Wed, 17 Jan 2001 08:18:32 +0000 Subject: AIX <--> Solaris X11 Forwarding Problem Message-ID: <802569D7.002DA544.00@d06mta05.portsmouth.uk.ibm.com> I have an X11 application installed on a Solaris 5.7 server. The server runs the OpenSSH 2.3.0p1 daemon. I then SSH to this server from OpenSSH 2.3.0p1 under AIX with X11 forwarding enabled. I can run X utilities, such as xclock and xterm, without any problems. However, the X11 application I require (a Privacy Manager GUI) creates an empty window frame. If I telnet from the AIX server to the Sun machine and export the display then this application works perfectly. I have tried all combinations of SSH1, SSH2, compression on and off and different encryption algorithms to no effect. Any ideas welcomed. -------------------------------------------------------- Doug Manton, AT&T EMEA Firewall and Security Solutions E: demanton at att.com -------------------------------------------------------- "If privacy is outlawed, only outlaws will have privacy" From Markus.Friedl at informatik.uni-erlangen.de Thu Jan 18 19:48:31 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 18 Jan 2001 09:48:31 +0100 Subject: Warning to all CVS users. In-Reply-To: ; from mouring@etoh.eviladmin.org on Wed, Jan 17, 2001 at 09:05:47PM -0600 References: <20010117201907.A4467@pimlott.ne.mediaone.net> Message-ID: <20010118094831.C937@faui02.informatik.uni-erlangen.de> another note: please do NOT use RSA2 key generated after this commit in authorized_keys2 files with sshd's from before the commit. the sshd will think they are 6-bit RSA keys and this is a very bad thing. On Wed, Jan 17, 2001 at 09:05:47PM -0600, mouring at etoh.eviladmin.org wrote: > > For all of you who are testing off the Portable CVS tree. Let point out a > new 'feature' that was just brought over from the OpenBSD tree: > > - markus at cvs.openbsd.org 2001/01/16 19:20:06 > [key.c ssh-rsa.c] > make "ssh-rsa" key format for ssh2 confirm to the ietf-drafts; from > galb at vandyke.com. note that you have to delete older ssh2-rsa keys, > since they are in the wrong format, too. they must be removed from > .ssh/authorized_keys2 and .ssh/known_hosts2, etc. > (cd; grep -v ssh-rsa .ssh/authorized_keys2 > TMP && mv TMP > .ssh/authorized_keys2) additionally, we now check that > BN_num_bits(rsa->n) >= 768. > > > So keep this in mind. =) This has bitten me in a the ass already while > trying to submit the whole ball of wax. > > I believe this means that if you use the standard key generation of > OpenSSH you need to regenerate your keys. (Which I can't do quite yet. =) > > - Ben > From ckthin at csam.com.my Thu Jan 18 20:08:11 2001 From: ckthin at csam.com.my (Thin Chin Kung) Date: Thu, 18 Jan 2001 17:08:11 +0800 Subject: scp from openssh2.30p1 to openssh2.1.1 Message-ID: <3A66B27B.16CB3135@csam.com.my> Hi all, I have OpenSSH_2.3.0p1 on a Redhat 6.2 box and OpenSSH_2.1.1 on a Solaris 2.6 box. I can't seems to scp from the linux box to the sun box but I have no problem from Sun to Linux. I got the following message displayed on the screen. # scp test.log hostB:/tmp -v Executing: program /usr/bin/ssh host hostB, user (unspecified), command scp -v -t /tmp Enter passphrase for DSA key '/root/.ssh/id_dsa': lost connection Anybody face this problem before? Rgds, ckthin From oliva at lsd.ic.unicamp.br Thu Jan 18 22:27:49 2001 From: oliva at lsd.ic.unicamp.br (Alexandre Oliva) Date: 18 Jan 2001 09:27:49 -0200 Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: References: Message-ID: On Jan 17, 2001, Damien Miller wrote: > On 17 Jan 2001, Alexandre Oliva wrote: >> On Jan 17, 2001, Damien Miller wrote: >> >> > This has come up in the past: we will not be including a regex >> > implementation in OpenSSH, the OpenBSD regex is ~100k of source. >> >> Ok, so how about configure hooks to use GNU rx, for example? > ./configure --with-libs=-lrx --with-cppflags=-I/path/to/rx --with-ldflags=/path/to/rx The only problem is that compat.c (sp?) #includes regex.h, but there's no such header file in GNU rx 1.5. The header file is named rxposix.h. -- Alexandre Oliva Enjoy Guarana', see http://www.ic.unicamp.br/~oliva/ Red Hat GCC Developer aoliva@{cygnus.com, redhat.com} CS PhD student at IC-Unicamp oliva@{lsd.ic.unicamp.br, gnu.org} Free Software Evangelist *Please* write to mailing lists, not to me From gert at greenie.muc.de Thu Jan 18 22:35:14 2001 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 18 Jan 2001 12:35:14 +0100 Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: ; from Alexandre Oliva on Thu, Jan 18, 2001 at 09:27:49AM -0200 References: Message-ID: <20010118123514.K4420@greenie.muc.de> Hi, On Thu, Jan 18, 2001 at 09:27:49AM -0200, Alexandre Oliva wrote: > >> Ok, so how about configure hooks to use GNU rx, for example? > > > ./configure --with-libs=-lrx --with-cppflags=-I/path/to/rx --with-ldflags=/path/to/rx > > The only problem is that compat.c (sp?) #includes regex.h, but there's > no such header file in GNU rx 1.5. The header file is named > rxposix.h. Seems I was just lucky - the rx version that I have installed here is 0.12, from 1993 :-) and it has a "regex.h" file. So please ignore what I said about "it works with rx on SCO out of the box" - this is true, but only for sufficiently-old rx versions. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From Alain.St-Denis at ec.gc.ca Fri Jan 19 00:43:31 2001 From: Alain.St-Denis at ec.gc.ca (Alain St-Denis) Date: Thu, 18 Jan 2001 08:43:31 -0500 Subject: sigchld_handler2. Message-ID: <3A66F303.4F46C814@ec.gc.ca> On 2.3.0p1, we have been experiencing the SSH2 stdout truncation problem that was reported by a few users. I built the 20010115 snapshot. It seems to correct the problem but before I was able to test it, I had to change sigchld_handler2 so it would not reset the signal handler before waitpid is called. On Irix, it seems a SIGCHLD is delivered for ever... I haven't tried the last snapshots so I don't know if this was fixed. Here's a diff of what I did (basically just resetting it as it was for 2.3.0p1): *** serverloop.c.orig Thu Jan 18 08:41:13 EST 2001 --- serverloop.c Wed Jan 17 16:01:41 EST 2001 *************** *** 109,115 **** int save_errno = errno; debug("Received SIGCHLD."); child_terminated = 1; - signal(SIGCHLD, sigchld_handler2); errno = save_errno; } --- 109,114 ---- *************** *** 667,672 **** --- 666,672 ---- if (child_terminated) { while ((pid = waitpid(-1, &status, WNOHANG)) > 0) session_close_by_pid(pid, status); + signal(SIGCHLD, sigchld_handler2); child_terminated = 0; } channel_after_select(&readset, &writeset); Alain St-Denis Environment Canada From mouring at etoh.eviladmin.org Fri Jan 19 01:55:44 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 18 Jan 2001 08:55:44 -0600 (CST) Subject: sigchld_handler2. In-Reply-To: <3A66F303.4F46C814@ec.gc.ca> Message-ID: On Thu, 18 Jan 2001, Alain St-Denis wrote: > > On 2.3.0p1, we have been experiencing the SSH2 stdout truncation problem > that was reported by a few users. > > I built the 20010115 snapshot. It seems to correct the problem but > before I was able to test it, I had to change sigchld_handler2 so it > would not reset the signal handler before waitpid is called. On Irix, it > seems a SIGCHLD is delivered for ever... > This has been talked about on HP/UX platform as well. The feeling is that sigaction() may be a better solution. However, nothing has appeared in the OpenBSD tree in regards to that solution yet. As for the truncation problem. It was introducted in around 2.1.1p4 in hopes to deal with a problem with linux's 'select()' function. It was reverted in 2.3.0p2 snapshot because it was learned scp was effected by it. - Ben From vinschen at redhat.com Fri Jan 19 01:39:20 2001 From: vinschen at redhat.com (Corinna Vinschen) Date: Thu, 18 Jan 2001 15:39:20 +0100 Subject: New configuration scripts for Cygwin Message-ID: <20010118153920.I4318@cobold.vinschen.de> Hi, I have attached two new shell scripts `ssh-host-config' and `ssh-user-config' which will replace the script `ssh-config' in the next Cygwin OpenSSH release. Could somebody with write access please remove contrib/cygwin/ssh-config from the OpenSSH repository and add these two attached files instead? The third attached file is the diff for contrib/cygwin/README. Thanks in advance, Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com -------------- next part -------------- #!/bin/sh # # ssh-host-config, Copyright 2000, Red Hat Inc. # # This file is part of the Cygwin port of OpenSSH. # Subdirectory where the new package is being installed PREFIX=/usr # Directory where the config files are stored SYSCONFDIR=/etc # Subdirectory where an old package might be installed OLDPREFIX=/usr/local OLDSYSCONFDIR=${OLDPREFIX}/etc progname=$0 auto_answer="" request() { if [ "${auto_answer}" = "yes" ] then return 0 elif [ "${auto_answer}" = "no" ] then return 1 fi answer="" while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] do echo -n "$1 (yes/no) " read answer done if [ "X${answer}" = "Xyes" ] then return 0 else return 1 fi } # Check options while : do case $# in 0) break ;; esac option=$1 shift case "$option" in -d | --debug ) set -x ;; -y | --yes ) auto_answer=yes ;; -n | --no ) auto_answer=no ;; *) echo "usage: ${progname} [OPTION]..." echo echo "This script creates an OpenSSH host configuration." echo echo "Options:" echo " --debug -d Enable shell's debug output." echo " --yes -y Answer all questions with \"yes\" automatically." echo " --no -n Answer all questions with \"no\" automatically." echo exit 1 ;; esac done # Check for running ssh/sshd processes first. Refuse to do anything while # some ssh processes are still running if ps -ef | grep -v grep | grep -q ssh then echo echo "There are still ssh processes running. Please shut them down first." echo exit 1 fi # Check for ${SYSCONFDIR} directory if [ -e "${SYSCONFDIR}" -a ! -d "${SYSCONFDIR}" ] then echo echo "${SYSCONFDIR} is existant but not a directory." echo "Cannot create global configuration files." echo exit 1 fi # Create it if necessary if [ ! -e "${SYSCONFDIR}" ] then mkdir "${SYSCONFDIR}" if [ ! -e "${SYSCONFDIR}" ] then echo echo "Creating ${SYSCONFDIR} directory failed" echo exit 1 fi fi # Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't # the same as ${PREFIX} old_install=0 if [ "${OLDPREFIX}" != "${PREFIX}" ] then if [ -f "${OLDPREFIX}/sbin/sshd" ] then echo echo "You seem to have an older installation in ${OLDPREFIX}." echo # Check if old global configuration files exist if [ -f "${OLDSYSCONFDIR}/ssh_host_key" ] then if request "Do you want to copy your config files to your new installation?" then cp -f ${OLDSYSCONFDIR}/ssh_host_key ${SYSCONFDIR} cp -f ${OLDSYSCONFDIR}/ssh_host_key.pub ${SYSCONFDIR} cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key ${SYSCONFDIR} cp -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub ${SYSCONFDIR} cp -f ${OLDSYSCONFDIR}/ssh_config ${SYSCONFDIR} cp -f ${OLDSYSCONFDIR}/sshd_config ${SYSCONFDIR} fi fi if request "Do you want to erase your old installation?" then rm -f ${OLDPREFIX}/bin/ssh.exe rm -f ${OLDPREFIX}/bin/ssh-config rm -f ${OLDPREFIX}/bin/scp.exe rm -f ${OLDPREFIX}/bin/ssh-add.exe rm -f ${OLDPREFIX}/bin/ssh-agent.exe rm -f ${OLDPREFIX}/bin/ssh-keygen.exe rm -f ${OLDPREFIX}/bin/slogin rm -f ${OLDSYSCONFDIR}/ssh_host_key rm -f ${OLDSYSCONFDIR}/ssh_host_key.pub rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key rm -f ${OLDSYSCONFDIR}/ssh_host_dsa_key.pub rm -f ${OLDSYSCONFDIR}/ssh_config rm -f ${OLDSYSCONFDIR}/sshd_config rm -f ${OLDPREFIX}/man/man1/ssh.1 rm -f ${OLDPREFIX}/man/man1/scp.1 rm -f ${OLDPREFIX}/man/man1/ssh-add.1 rm -f ${OLDPREFIX}/man/man1/ssh-agent.1 rm -f ${OLDPREFIX}/man/man1/ssh-keygen.1 rm -f ${OLDPREFIX}/man/man1/slogin.1 rm -f ${OLDPREFIX}/man/man8/sshd.8 rm -f ${OLDPREFIX}/sbin/sshd.exe rm -f ${OLDPREFIX}/sbin/sftp-server.exe fi old_install=1 fi fi # First generate host keys if not already existing if [ ! -f "${SYSCONFDIR}/ssh_host_key" ] then echo "Generating ${SYSCONFDIR}/ssh_host_key" ssh-keygen -t rsa1 -f ${SYSCONFDIR}/ssh_host_key -N '' > /dev/null fi if [ ! -f "${SYSCONFDIR}/ssh_host_rsa_key" ] then echo "Generating ${SYSCONFDIR}/ssh_host_rsa_key" ssh-keygen -t rsa -f ${SYSCONFDIR}/ssh_host_rsa_key -N '' > /dev/null fi if [ ! -f "${SYSCONFDIR}/ssh_host_dsa_key" ] then echo "Generating ${SYSCONFDIR}/ssh_host_dsa_key" ssh-keygen -t dsa -f ${SYSCONFDIR}/ssh_host_dsa_key -N '' > /dev/null fi # Check if ssh_config exists. If yes, ask for overwriting if [ -f "${SYSCONFDIR}/ssh_config" ] then if request "Overwrite existing ${SYSCONFDIR}/ssh_config file?" then rm -f "${SYSCONFDIR}/ssh_config" if [ -f "${SYSCONFDIR}/ssh_config" ] then echo "Can't overwrite. ${SYSCONFDIR}/ssh_config is write protected." fi fi fi # Create default ssh_config from here script if [ ! -f "${SYSCONFDIR}/ssh_config" ] then echo "Generating ${SYSCONFDIR}/ssh_config file" cat > ${SYSCONFDIR}/ssh_config << EOF # This is ssh client systemwide configuration file. This file provides # defaults for users, and the values can be changed in per-user configuration # files or on the command line. # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for various options # Host * # ForwardAgent yes # ForwardX11 yes # RhostsAuthentication yes # RhostsRSAAuthentication yes # RSAAuthentication yes # PasswordAuthentication yes # FallBackToRsh no # UseRsh no # BatchMode no # CheckHostIP yes # StrictHostKeyChecking no # Port 22 # Protocol 2,1 # Cipher 3des # EscapeChar ~ # Be paranoid by default Host * ForwardAgent no ForwardX11 no FallBackToRsh no # Try authentification with the following identities IdentityFile ~/.ssh/identity IdentityFile ~/.ssh/id_rsa IdentityFile ~/.ssh/id_dsa EOF fi # Check if sshd_config exists. If yes, ask for overwriting if [ -f "${SYSCONFDIR}/sshd_config" ] then if request "Overwrite existing ${SYSCONFDIR}/sshd_config file?" then rm -f "${SYSCONFDIR}/sshd_config" if [ -f "${SYSCONFDIR}/sshd_config" ] then echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected." fi fi fi # Create default sshd_config from here script if [ ! -f "${SYSCONFDIR}/sshd_config" ] then echo "Generating ${SYSCONFDIR}/sshd_config file" cat > ${SYSCONFDIR}/sshd_config << EOF # This is ssh server systemwide configuration file. Port 22 # Protocol 2,1 ListenAddress 0.0.0.0 #ListenAddress :: # # Uncomment the following lines according to the used authentication HostKey /etc/ssh_host_key HostKey /etc/ssh_host_rsa_key HostKey /etc/ssh_host_dsa_key ServerKeyBits 768 LoginGraceTime 600 KeyRegenerationInterval 3600 PermitRootLogin yes # # Don't read ~/.rhosts and ~/.shosts files IgnoreRhosts yes # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes StrictModes yes X11Forwarding no X11DisplayOffset 10 PrintMotd yes KeepAlive yes # Logging SyslogFacility AUTH LogLevel INFO #obsoletes QuietMode and FascistLogging RhostsAuthentication no # # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # To install for logon to different user accounts change to "no" here RSAAuthentication yes # To install for logon to different user accounts change to "yes" here PasswordAuthentication no PermitEmptyPasswords no CheckMail no UseLogin no #Uncomment if you want to enable sftp #Subsystem sftp /usr/sbin/sftp-server #MaxStartups 10:30:60 EOF fi # Add port 22/tcp to services _sys="`uname -a`" _nt=`expr "$_sys" : "CYGWIN_NT"` if [ $_nt -gt 0 ] then _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services" _wserv_tmp="${SYSTEMROOT}\\system32\\drivers\\etc\\srv.out.$$" else _wservices="${WINDIR}\\SERVICES" _wserv_tmp="${WINDIR}\\SERV.$$" fi _services=`cygpath -u "${_wservices}"` _serv_tmp=`cygpath -u "${_wserv_tmp}"` mount -b -f "${_wservices}" "${_services}" mount -b -f "${_wserv_tmp}" "${_serv_tmp}" if [ `grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ] then awk '{ if ( $2 ~ /^23\/tcp/ ) print "sshd 22/tcp #SSH daemon\r"; print $0; }' < "${_services}" > "${_serv_tmp}" if [ -f "${_serv_tmp}" ] then if mv "${_serv_tmp}" "${_services}" then echo "Added sshd to ${_services}" else echo "Adding sshd to ${_services} failed\!" fi rm -f "${_serv_tmp}" else echo "Adding sshd to ${_services} failed\!" fi fi umount "${_services}" umount "${_serv_tmp}" # Add sshd line to inetd.conf if [ -f /etc/inetd.conf ] then grep -q "^[# \t]*sshd" /etc/inetd.conf || echo "# sshd stream tcp nowait root /usr/sbin/sshd -i" >> /etc/inetd.conf fi if [ "${old_install}" = "1" ] then echo echo "Note: If you have used sshd as service or from inetd, don't forget to" echo " change the path to sshd.exe in the service entry or in inetd.conf." fi echo echo "Host configuration finished. Have fun!" -------------- next part -------------- #!/bin/sh # # ssh-user-config, Copyright 2000, Red Hat Inc. # # This file is part of the Cygwin port of OpenSSH. progname=$0 auto_answer="" auto_passphrase="no" passphrase="" request() { if [ "${auto_answer}" = "yes" ] then return 0 elif [ "${auto_answer}" = "no" ] then return 1 fi answer="" while [ "X${answer}" != "Xyes" -a "X${answer}" != "Xno" ] do echo -n "$1 (yes/no) " read answer done if [ "X${answer}" = "Xyes" ] then return 0 else return 1 fi } # Check options while : do case $# in 0) break ;; esac option=$1 shift case "$option" in -d | --debug ) set -x ;; -y | --yes ) auto_answer=yes ;; -n | --no ) auto_answer=no ;; -p | --passphrase ) with_passphrase="yes" passphrase=$1 shift ;; *) echo "usage: ${progname} [OPTION]..." echo echo "This script creates an OpenSSH user configuration." echo echo "Options:" echo " --debug -d Enable shell's debug output." echo " --yes -y Answer all questions with \"yes\" automatically." echo " --no -n Answer all questions with \"no\" automatically." echo " --passphrase -p word Use \"word\" as passphrase automatically." echo exit 1 ;; esac done # Ask user if user identity should be generated if [ ! -f /etc/passwd ] then echo '/etc/passwd is nonexistant. Please generate an /etc/passwd file' echo 'first using mkpasswd. Check if it contains an entry for you and' echo 'please care for the home directory in your entry as well.' exit 1 fi uid=`id -u` pwdhome=`awk -F: '{ if ( $3 == '${uid}' ) print $6; }' < /etc/passwd` if [ "X${pwdhome}" = "X" ] then echo 'There is no home directory set for you in /etc/passwd.' echo 'Setting $HOME is not sufficient!' exit 1 fi if [ ! -d "${pwdhome}" ] then echo "${pwdhome} is set in /etc/passwd as your home directory" echo 'but it is not a valid directory. Cannot create user identity files.' exit 1 fi # If home is the root dir, set home to empty string to avoid error messages # in subsequent parts of that script. if [ "X${pwdhome}" = "X/" ] then # But first raise a warning! echo 'Your home directory in /etc/passwd is set to root (/). This is not recommended!' if request "Would you like to proceed anyway?" then pwdhome='' else exit 1 fi fi if [ -e "${pwdhome}/.ssh" -a ! -d "${pwdhome}/.ssh" ] then echo "${pwdhome}/.ssh is existant but not a directory. Cannot create user identity files." exit 1 fi if [ ! -e "${pwdhome}/.ssh" ] then mkdir "${pwdhome}/.ssh" if [ ! -e "${pwdhome}/.ssh" ] then echo "Creating users ${pwdhome}/.ssh directory failed" exit 1 fi fi if [ ! -f "${pwdhome}/.ssh/identity" ] then if request "Shall I create an SSH1 RSA identity file for you?" then echo "Generating ${pwdhome}/.ssh/identity" if [ "${with_passphrase}" = "yes" ] then ssh-keygen -t rsa1 -N "${passphrase}" -f "${pwdhome}/.ssh/identity" > /dev/null else ssh-keygen -t rsa1 -f "${pwdhome}/.ssh/identity" > /dev/null fi if request "Do you want to use this identity to login to this machine?" then echo "Adding to ${pwdhome}/.ssh/authorized_keys" cat "${pwdhome}/.ssh/identity.pub" >> "${pwdhome}/.ssh/authorized_keys" fi fi fi if [ ! -f "${pwdhome}/.ssh/id_rsa" ] then if request "Shall I create an SSH2 RSA identity file for you? (yes/no) " then echo "Generating ${pwdhome}/.ssh/id_rsa" if [ "${with_passphrase}" = "yes" ] then ssh-keygen -t rsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_rsa" > /dev/null else ssh-keygen -t rsa -f "${pwdhome}/.ssh/id_rsa" > /dev/null fi if request "Do you want to use this identity to login to this machine?" then echo "Adding to ${pwdhome}/.ssh/authorized_keys2" cat "${pwdhome}/.ssh/id_rsa.pub" >> "${pwdhome}/.ssh/authorized_keys2" fi fi fi if [ ! -f "${pwdhome}/.ssh/id_dsa" ] then if request "Shall I create an SSH2 DSA identity file for you? (yes/no) " then echo "Generating ${pwdhome}/.ssh/id_dsa" if [ "${with_passphrase}" = "yes" ] then ssh-keygen -t dsa -N "${passphrase}" -f "${pwdhome}/.ssh/id_dsa" > /dev/null else ssh-keygen -t dsa -f "${pwdhome}/.ssh/id_dsa" > /dev/null fi if request "Do you want to use this identity to login to this machine?" then echo "Adding to ${pwdhome}/.ssh/authorized_keys2" cat "${pwdhome}/.ssh/id_dsa.pub" >> "${pwdhome}/.ssh/authorized_keys2" fi fi fi echo echo "Configuration finished. Have fun!" -------------- next part -------------- Index: README =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/README,v retrieving revision 1.1 diff -u -p -r1.1 README --- contrib/cygwin/README 2000/10/29 19:18:49 1.1 +++ contrib/cygwin/README 2001/01/18 14:37:43 @@ -20,18 +20,41 @@ of the files has changed from /usr/local files are in /etc now. If you are installing OpenSSH the first time, you can generate -global config files, server keys and your own user keys by running +global config files and server keys by running - /usr/bin/ssh-config + /usr/bin/ssh-host-config -If you are updating your installation you may run the above ssh-config +Note that this binary archive doesn't contain default config files in /etc. +That files are only created if ssh-host-config is started. + +If you are updating your installation you may run the above ssh-host-config as well to move your configuration files to the new location and to erase the files at the old location. -Be sure to start the new ssh-config when updating! +To support testing and unattended installation ssh-host-config got +some options: -Note that this binary archive doesn't contain default config files in /etc. -That files are only created if ssh-config is started. +usage: ssh-host-config [OPTION]... +Options: + --debug -d Enable shell's debug output. + --yes -y Answer all questions with "yes" automatically. + --no -n Answer all questions with "no" automatically. + +You can create the private and public keys for a user now by running + + /usr/bin/ssh-user-config + +under the users account. + +To support testing and unattended installation ssh-user-config got +some options as well: + +usage: ssh-user-config [OPTION]... +Options: + --debug -d Enable shell's debug output. + --yes -y Answer all questions with "yes" automatically. + --no -n Answer all questions with "no" automatically. + --passphrase -p word Use "word" as passphrase automatically. Install sshd as daemon via SRVANY.EXE (recommended on NT/W2K), via inetd (results in very slow deamon startup!) or from the command line (recommended From roumen.petrov at skalasoft.com Fri Jan 19 03:25:51 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Thu, 18 Jan 2001 18:25:51 +0200 Subject: GNU autoconf/automake in OpenSSH Message-ID: <3A67190F.7070907@skalasoft.com> I make changes in open source tree to implement autoconf/automake. What's new ? - new acinclude.m4 ( based on old aclocal.m4 + new macros OSSH_EXPAND_PATHS and OSSH_SHOW_OPTIONS - new configure option --with-askpass=PATH - updated acconfig.h ( based on old acconfig.h with removed USE_EXTERNAL_ASKPASS and new ASKPASS_PATH + new config.h.top and config.h.bot ) !!! in this file has two lines only with ^L for autoheader !!! - new empty files NEWS AUTHORS COPYING to make automake happy - ssh.h is generated from configure from ssh.h.in ( all paths are substituted with @xxx@ ) - files ssh_config sshd_config and all TROFFMAN files are generated from configure to. - removed version.h ( version number is in configure and #define in ssh.h ) - updated includes.h ( without version.h ) - changed defines.h and ssh-add.c with new askpass option and #define - removed fixpaths ( sed command from configure generate correct file paths ). You might backup it. tests: - install, uninstall work fine - all clean options are not tested !!! - make dist is not well good : tar archive is without contrib subdir and many files !!! Howto ? - extract openssh-SNAP-20010117.tar.gz - extract attached file patches.tgz - edit patches/doGNU.bash ( change variable S to openssh source tree ) - make new dir and go in it ! and run .../patches/doGNU.bash About 'doGNU.bash'. This script: - copy files from source dir - make all changes ( patches ) - run './configure --prefix=/usr/local/openssh' and 'make install' ;-) -------------- next part -------------- A non-text attachment was scrubbed... Name: patches.tgz Type: application/octet-stream Size: 8325 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010118/3e011290/attachment.obj From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Jan 19 05:39:22 2001 From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 18 Jan 2001 19:39:22 +0100 Subject: Announcement: PRNGD 0.9.0 available Message-ID: <20010118193921.A3626@ws01.aet.tu-cottbus.de> Hi! I have just made the 0.9.0 release of PRNGD available. PRNGD is the Pseudo Random Number Generator Daemon. It has an EGD compatible interface and is designed to provide entropy on systems not having /dev/*random devices. Software supporting EGD style entropy requests are openssh, Apache/mod_ssl, Postfix/TLS... Automatic querying of EGD sockets at fixed locations has been introduced in the development version of OpenSSL and will be included in the 0.9.7 release. (Up to now, applications have to access an EGD like software explicitly.) This latest version of PRNGD now has its own PRNG built in, so that it does not need installed OpenSSL libraries any longer (thus it does not make problems when updating shared libraries). It now provides the performance I want it to have, minus maybe some small adjustments in usage or porting, and hence will lead to the 1.0.0 release. Current (and new :-) users of PRNGD are encouraged to try the new version. As always, your feedback (porting, bugs, design critics) is welcome. Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 Contents of 00README file: Overview: ========= - This is the PRNGD "Pseudo Random Number Generator Daemon". It offers an EGD compatible interface to obtain random data and is intented to be used as an entropy source to feed other software, especially software based on OpenSSL. - Like EGD it calls system programs to collect entropy. - Unlike EGD it does not generate a pool of random bits that can be called from other software. Rather more it feeds the bits gathered into its internal PRNG from which the "random bits" are obtained when requested. This way, PRNGD is never drained and can never block (unlike EGD), so it is also suitable to seed inetd-started programs. It also features a seed-save file, so that it is immediately usable after system start. License: ======== - This software is free. You can do with it whatever you want. I would however kindly ask you to acknowledge the use of this package, if you are going use it in your software, which you might be going to distribute. I would also like to receive a note if you are a satisfied user :-) Disclaimer: =========== - This software is provided ``as is''. You are using it at your own risk. I will take no liability in any case. Author: ======= - Lutz Jaenicke Usage: ====== Usage of PRNGD is simple: - Adjust the Makefile and config.h to fit your machine and compile "prngd". Install it at a place you like (e.g. /usr/local/sbin). - Generate an /etc/prngd.conf file with commands to gather entropy. The format of the file is taken from the OpenSSH-portable package. See the included examples. - Generate a start seed by some way. Use egc.pl /path/to/EGD read 255 > /etc/prngd-seed or cat some logfiles together cat /var/adm/syslog/mail.log /var/adm/syslog/syslog.log > /etc/prngd-seed - Start prngd: /usr/local/sbin/prngd /var/run/egd-pool It might take a moment to read the initial seed, if you provided large files. Use egc.pl to check prngd really works: egc.pl /var/run/egd-pool get should yield the entropy in the PRNG pool as estimated by the PRNG. Obtain some random data for test egc.pl /var/run/egd-pool read 255 - You can shut down PRNGD cleanly (it will save actual random data back to the seed file) by sending it HUP or TERM. prngd --kill /var/run/egd-pool will send HUP for you. egc.pl is part of the EGD package. You already have EGD, don't you?? Don't miss the original EGD!!! http://www.lothar.com/tech/crypto/ Porting: ======== - PRNGD has been developed on HP-UX 10.20 and (SuSE-)Linux. Support for other platforms has been provided by: Solaris 2.6: Louis LeBlanc Solaris 7: Phil Howard NeXTstep 3: Michael Weiser IRIX 6.5: Michael Weiser Tru64: James Bourne Unixware 7: George Walsh (not finished, yet, fails with "bind(): invalid argument"...) - To port PRNGD to a new platform: * Check out the compiler and flags in Makefile * IMPORTANT: Adjust the path names in config.h, as these files are used to obtain seeding by size and modification/access times very frequently!! * Provide a prngd.conf file. The format is compatible to OpenSSH, so you can use a file created by the OpenSSH install process for you. * Send feedback to me, so that it can be added to the distribution :-) Todo: ===== - Too long to be listed :-) - Engage "autoconf" to make this thing easier to port and configure. From evazquez at inflow.com Fri Jan 19 06:30:01 2001 From: evazquez at inflow.com (Ed Vazquez, Jr.) Date: Thu, 18 Jan 2001 12:30:01 -0700 Subject: OpenSSH v2.3.0p1 on Solaris 2.7/2.8 vs. OpenBSD 2.8 Message-ID: <3A674439.C3594EAD@inflow.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I've seen a few posts, but no solutions as of yet. Here's a bit more info. BoxA - Solaris 2.7, Maintenance Update 01/09/2001, SunWorks cc compiler BoxB - Solaris 2.8, gcc-2.95.2 gcc compiler BoxC - Solaris 2.7, Maintenance Update 01/09/2001, gcc-2.95.2 gcc compiler BoxD - OpenBSD 2.8, patched to STABLE, gcc-2.95.2 _and_ BSD cc compilers available. BoxE - OpenBSD 2.7, release, no patches On the Solaris boxen, OpenSSL-engine v0.9.6 was compiled first with the only configure options being a prefix of /opt/sfw. Then, OpenSSH v2.3.0p1 was built with configure options of: - - --prefix=/opt/sfw - - --with-ipaddr-display - - --with-ipv4-default - - --with-4in6 and installed successfully. On BoxD, I re-built the entire system from stable, then also compiled v2.3.0p1 with a prefix of /usr/local, plus the options as on the Solaris boxes using gcc. This gave me the default ssh, _and_ a build supposedly similar to the Solaris boxes. On SSH connections from the BoxD back to itself (127.0.0.1) or to/ from BoxE, there are no problems with either client or server, ssh-1 or ssh-2. On SSH connections from any Solaris to any other Solaris, no issues are seen on either ssh-1 or ssh-2 protocols. *attachment: successful-ssh - - From any Solaris to the BSD box though, I got the "Bad packet length" error. Where the packet data translates as: 23 28 62 93 e8 8b ca 43 89 5b 43 b2 df 64 3a 65 (hex) 35 40 98 147 232 139 202 67 137 91 67 178 223 100 58 101 (decimal) # ( b ~ ? < ? C % [ C ? ? d : e (ascii) *attachment: sshsolerror And from the BSD box to any Solaris box, I again got the "Bad packet length" error, but with slightly different packet data: a4 c8 7d 9e 89 ad ee dd 19 ca fa 26 df 41 3e c6 (hex) 164 200 125 158 137 173 238 221 25 202 250 38 223 65 62 198 (decimal) ? ? } unused unused ? ? ? EM ? ? & ? A > ? (ascii) *attachment: ssherror Unlike the existing posts, the ascii translations do not make any sort of sense to me. Also, all sshd_config and ssh_confige files are identical, I have tried the server as both an inetd and as a daemon, with the same results for both ssh-1 and ssh-2. *attachment: sshd_config *attachment: ssh_config As an almost afterthought, SSH clients from Windows machines work on both ssh-1 and ssh-2 to any of these boxes. Clients tried were: VanDyke SecureCRT, PuTTY, TeraTerm. I think this counts as a build specific bug, but (disclaimer): I am not a programmer[tm]. If I need to provide more information, please let me know. None of these systems are in production yet, so I can destructively test if needed. Ed Vazquez -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (OpenBSD) Comment: For info see http://www.gnupg.org iD8DBQE6Z0QesgiUrZLjn0MRAj7mAKCFmlZiqhcoTPkCBkMEU0y0xdRmVQCfVH6V l7H673tkANEHRJgH7A9Jq4I= =ph9F -----END PGP SIGNATURE----- -------------- next part -------------- SSH Version OpenSSH_2.3.0, protocol versions 1.5/2.0. Compiled with SSL (0x0090581f). debug: Reading configuration data /etc/ssh_config debug: ssh_connect: getuid 1000 geteuid 0 anon 0 debug: Connecting to 44.1.2.3 [44.1.2.3] port 22. debug: Allocated local port 703. debug: Connection established. debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1 debug: no match: OpenSSH_2.3.0p1 Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-2.0-OpenSSH_2.3.0 debug: send KEXINIT debug: done debug: wait KEXINIT debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug: got kexinit: ssh-dss debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug: got kexinit: none,zlib debug: got kexinit: none,zlib debug: got kexinit: debug: got kexinit: debug: first kex follow: 0 debug: reserved: 0 debug: done debug: kex: server->client aes256-cbc hmac-sha1 zlib debug: kex: client->server aes256-cbc hmac-sha1 zlib debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST. debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP. debug: Got SSH2_MSG_KEX_DH_GEX_GROUP. debug: bits set: 493/1024 debug: Sending SSH2_MSG_KEX_DH_GEX_INIT. debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY. debug: Got SSH2_MSG_KEXDH_REPLY. The authenticity of host '44.1.2.3' can't be established. DSA key fingerprint is d5:1e:47:01:9a:63:7d:07:6a:44:6c:a6:61:2d:15:c4. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '44.1.2.3' (DSA) to the list of known hosts. debug: bits set: 524/1024 debug: len 55 datafellows 0 debug: dsa_verify: signature correct debug: Wait SSH2_MSG_NEWKEYS. debug: Enabling compression at level 6. debug: GOT SSH2_MSG_NEWKEYS. debug: send SSH2_MSG_NEWKEYS. debug: done: send SSH2_MSG_NEWKEYS. debug: done: KEX2. debug: send SSH2_MSG_SERVICE_REQUEST a4 c8 7d 9e 89 ad ee dd 19 ca fa 26 df 41 3e c6 debug: compress outgoing: raw data 60, compressed 63, factor 1.05 debug: compress incoming: raw data 0, compressed 0, factor 0.00 Disconnecting: Bad packet length -1530364514. debug: Calling cleanup 0x159fc(0x0) -------------- next part -------------- SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0. Compiled with SSL (0x0090600f). debug: Reading configuration data /etc/ssh/ssh_config debug: Seeded RNG with 33 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: ssh_connect: getuid 100 geteuid 0 anon 0 debug: Connecting to 172.16.35.120 [172.16.35.120] port 22. debug: Seeded RNG with 34 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Allocated local port 646. debug: Connection established. debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0 debug: no match: OpenSSH_2.3.0 Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-2.0-OpenSSH_2.3.0p1 debug: send KEXINIT debug: done debug: wait KEXINIT debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug: got kexinit: ssh-dss debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug: got kexinit: none,zlib debug: got kexinit: none,zlib debug: got kexinit: debug: got kexinit: debug: first kex follow: 0 debug: reserved: 0 debug: done debug: kex: server->client aes256-cbc hmac-sha1 none debug: kex: client->server aes256-cbc hmac-sha1 none debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST. debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP. debug: Got SSH2_MSG_KEX_DH_GEX_GROUP. debug: bits set: 1043/2049 debug: Sending SSH2_MSG_KEX_DH_GEX_INIT. debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY. debug: Got SSH2_MSG_KEXDH_REPLY. Warning: Permanently added '172.16.35.120' (DSA) to the list of known hosts. debug: bits set: 1004/2049 debug: len 55 datafellows 0 debug: dsa_verify: signature correct debug: Wait SSH2_MSG_NEWKEYS. debug: GOT SSH2_MSG_NEWKEYS. debug: send SSH2_MSG_NEWKEYS. debug: done: send SSH2_MSG_NEWKEYS. debug: done: KEX2. debug: send SSH2_MSG_SERVICE_REQUEST 23 28 62 93 e8 8b ca 43 89 5b 43 b2 df 64 3a 65 Disconnecting: Bad packet length 589849235. debug: Calling cleanup 0x51940(0x0) debug: Calling cleanup 0x5c1a0(0x0) debug: writing PRNG seed to file /home/evazquez/.ssh/prng_seed -------------- next part -------------- SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0. Compiled with SSL (0x0090600f). debug: Reading configuration data /etc/ssh/ssh_config debug: Seeded RNG with 36 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: ssh_connect: getuid 100 geteuid 0 anon 0 debug: Connecting to 44.1.2.2 [44.1.2.2] port 22. debug: Seeded RNG with 36 bytes from programs debug: Seeded RNG with 3 bytes from system calls debug: Allocated local port 900. debug: Connection established. debug: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1 debug: no match: OpenSSH_2.3.0p1 Enabling compatibility mode for protocol 2.0 debug: Local version string SSH-2.0-OpenSSH_2.3.0p1 debug: send KEXINIT debug: done debug: wait KEXINIT debug: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug: got kexinit: ssh-dss debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndae l128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndae l128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com debug: got kexinit: none,zlib debug: got kexinit: none,zlib debug: got kexinit: debug: got kexinit: debug: first kex follow: 0 debug: reserved: 0 debug: done debug: kex: server->client aes256-cbc hmac-sha1 none debug: kex: client->server aes256-cbc hmac-sha1 none debug: Sending SSH2_MSG_KEX_DH_GEX_REQUEST. debug: Wait SSH2_MSG_KEX_DH_GEX_GROUP. debug: Got SSH2_MSG_KEX_DH_GEX_GROUP. debug: bits set: 527/1024 debug: Sending SSH2_MSG_KEX_DH_GEX_INIT. debug: Wait SSH2_MSG_KEX_DH_GEX_REPLY. debug: Got SSH2_MSG_KEXDH_REPLY. Warning: Permanently added '44.1.2.2' (DSA) to the list of known hosts. debug: bits set: 501/1024 debug: len 55 datafellows 0 debug: dsa_verify: signature correct debug: Wait SSH2_MSG_NEWKEYS. debug: GOT SSH2_MSG_NEWKEYS. debug: send SSH2_MSG_NEWKEYS. debug: done: send SSH2_MSG_NEWKEYS. debug: done: KEX2. debug: send SSH2_MSG_SERVICE_REQUEST debug: service_accept: ssh-userauth debug: got SSH2_MSG_SERVICE_ACCEPT debug: authentications that can continue: publickey,password debug: next auth method to try is publickey debug: key does not exist: /home/evazquez/.ssh/id_dsa debug: next auth method to try is password evazquez at 44.1.2.2's password: debug: ssh-userauth2 successfull: method password debug: channel 0: new [client-session] debug: send channel open 0 debug: Entering interactive session. debug: client_init id 0 arg 0 debug: channel request 0: shell debug: channel 0: open confirm rwindow 0 rmax 16384 -------------- next part -------------- # This is ssh client systemwide configuration file. This file provides # defaults for users, and the values can be changed in per-user configuration # files or on the command line. # Configuration data is parsed as follows: # 1. command line options # 2. user-specific file # 3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for various options # Host * # ForwardAgent yes # ForwardX11 yes # RhostsAuthentication yes # RhostsRSAAuthentication yes # RSAAuthentication yes # PasswordAuthentication yes # FallBackToRsh no # UseRsh no # BatchMode no # CheckHostIP yes # StrictHostKeyChecking no # IdentityFile ~/.ssh/identity # Port 22 Protocol 2,1 Cipher blowfish Ciphers aes256-cbc,aes192-cbc,aes128-cbc,blowfish-cbc,3des-cbc,cast128-cbc # EscapeChar ~ -------------- next part -------------- # This is ssh server systemwide configuration file. Port 22 Protocol 2,1 ListenAddress 0.0.0.0 #ListenAddress :: HostKey /etc/ssh/ssh_host_key ServerKeyBits 768 LoginGraceTime 600 KeyRegenerationInterval 3600 PermitRootLogin yes # # Don't read ~/.rhosts and ~/.shosts files IgnoreRhosts yes # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes StrictModes yes X11Forwarding no X11DisplayOffset 10 PrintMotd yes KeepAlive yes # Logging SyslogFacility AUTH LogLevel INFO #obsoletes QuietMode and FascistLogging RhostsAuthentication no # # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts RhostsRSAAuthentication no # RSAAuthentication yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication yes PermitEmptyPasswords no # Uncomment to disable s/key passwords #SkeyAuthentication no #KbdInteractiveAuthentication yes # To change Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #AFSTokenPassing no #KerberosTicketCleanup no # Kerberos TGT Passing does only work with the AFS kaserver #KerberosTgtPassing yes CheckMail no #UseLogin no # Uncomment if you want to enable sftp #Subsystem sftp /usr/local/libexec/sftp-server #MaxStartups 10:30:60 From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Jan 19 07:11:42 2001 From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 18 Jan 2001 21:11:42 +0100 Subject: Announcement: PRNGD 0.9.0 available In-Reply-To: <20010118193921.A3626@ws01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Thu, Jan 18, 2001 at 07:39:22PM +0100 References: <20010118193921.A3626@ws01.aet.tu-cottbus.de> Message-ID: <20010118211142.A27216@serv01.aet.tu-cottbus.de> On Thu, Jan 18, 2001 at 07:39:22PM +0100, Lutz Jaenicke wrote: > I have just made the 0.9.0 release of PRNGD available. The location is http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html One should not write announcements when already being half out of the door. Sigh, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From tom.orban at corp.usa.net Fri Jan 19 15:06:04 2001 From: tom.orban at corp.usa.net (Tom Orban) Date: Thu, 18 Jan 2001 21:06:04 -0700 Subject: Core dumps on HP-UX Message-ID: <3A67BD2C.4F91A53D@corp.usa.net> Hello, I've been trying to get openssh working at our site recently, but have been running into these problems. In using the "release" version (openssh-2.3.0p1) we kept getting these broken pipe errors: zcat: stdout: Broken pipe Damien suggested we try out the snapshot versions, so I've been trying out the daily versions since last week. With the snapshots, the pipe problem is gone, but we're now seeing core dumps. Specifically, we see core dumps in the following situations: 1) when we ssh from one box to another and X11 forwarding is enabled in both ssh_config on client, and sshd_config on server. The child sshd on the server core dumps before we even get a shell prompt: (with -v turned on) debug: authentications that can continue: publickey,password debug: next auth method to try is publickey debug: next auth method to try is password troot at spare4's password: debug: ssh-userauth2 successful: method password debug: channel 0: new [client-session] debug: send channel open 0 debug: Entering interactive session. debug: client_init id 0 arg 0 debug: Requesting X11 forwarding with authentication spoofing. debug: channel request 0: shell debug: channel 0: open confirm rwindow 0 rmax 16384 Pid 22024 received a SIGSEGV for stack growth failure. Possible causes: insufficient memory or swap space, or stack size exceeded maxssiz. debug: channel 0: rcvd eof debug: channel 0: output open -> drain debug: channel 0: obuf empty debug: channel 0: output drain -> closed debug: channel 0: close_write Connection to spare4 closed by remote host. Connection to spare4 closed. debug: Transferred: stdin 0, stdout 0, stderr 75 bytes in 13.2 seconds debug: Bytes per second: stdin 0.0, stdout 0.0, stderr 5.7 debug: Exit status -1 debug: writing PRNG seed to file //.ssh/prng_seed 2) When X11 forwarding is turned off, the shell runs fine, but then the child sshd on the server core dumps when you log off. Obviously the interactive session goes fine, but then you're left with the core dump on the server when you're done. Other info: we're running on HP boxes running HP-UX 11.00; the compiler is HP's Ansi C compiler with patch PHSS_22272 installed. The core problems have occurred on snapshots from 0112 up to and including tonight's (SNAP-0119). Let me know if there's any other info you need, or anything else I can do to help troubleshoot this. Thanks. -Tom From tim at multitalents.net Fri Jan 19 15:26:54 2001 From: tim at multitalents.net (Tim Rice) Date: Thu, 18 Jan 2001 20:26:54 -0800 (PST) Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: <20010118123514.K4420@greenie.muc.de> Message-ID: On Thu, 18 Jan 2001, Gert Doering wrote: > Hi, > > On Thu, Jan 18, 2001 at 09:27:49AM -0200, Alexandre Oliva wrote: > > >> Ok, so how about configure hooks to use GNU rx, for example? > > > > > ./configure --with-libs=-lrx --with-cppflags=-I/path/to/rx --with-ldflags=/path/to/rx > > > > The only problem is that compat.c (sp?) #includes regex.h, but there's > > no such header file in GNU rx 1.5. The header file is named > > rxposix.h. > > Seems I was just lucky - the rx version that I have installed here is > 0.12, from 1993 :-) and it has a "regex.h" file. > > So please ignore what I said about "it works with rx on SCO out of the > box" - this is true, but only for sufficiently-old rx versions. You may find that all it really neds is the regex.h file. On my SCO Open Server 3 machine, configure finds regcomp and therefor will not test for pcre but there is no regex.h in the system include files. If I grab regex.h from the HylaFAX sources it's quite happy with regex. The regex functions are indeed in the system libraries. Open Server 3 just doesn't have regex.h Perhaps we could add it as fake-regex.h (it's only 3.6k) and in compat.c do a #ifdef HAVE_LIBPCRE # include #else /* Use native regex libraries */ #ifdef HAVE_REGEX_H # include #else # include #endif /* HAVE_REGEX_H */ #endif /* HAVE_LIBPCRE */ > > gert > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From mouring at etoh.eviladmin.org Fri Jan 19 16:32:02 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 18 Jan 2001 23:32:02 -0600 (CST) Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: Message-ID: On Thu, 18 Jan 2001, Tim Rice wrote: > You may find that all it really neds is the regex.h file. > On my SCO Open Server 3 machine, > configure finds regcomp and therefor will not test for pcre > but there is no regex.h in the system include files. > Your making me have flashbacks on why I really dislike SCO. =) Where does SCO keep it's regcomp() defination? if it does not have a regex.h? From mouring at etoh.eviladmin.org Fri Jan 19 16:41:08 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 18 Jan 2001 23:41:08 -0600 (CST) Subject: GNU autoconf/automake in OpenSSH In-Reply-To: <3A67190F.7070907@skalasoft.com> Message-ID: > I make changes in open source tree to implement autoconf/automake. > What's new ? > - new acinclude.m4 ( based on old aclocal.m4 + new macros OSSH_EXPAND_PATHS and > OSSH_SHOW_OPTIONS > - new configure option --with-askpass=PATH > - updated acconfig.h ( based on old acconfig.h with removed USE_EXTERNAL_ASKPASS and new > ASKPASS_PATH + new config.h.top and config.h.bot ) > !!! in this file has two lines only with ^L for autoheader !!! > - new empty files NEWS AUTHORS COPYING to make automake happy Humor me. =) How is automake improving our lives? > - ssh.h is generated from configure from ssh.h.in ( all paths are substituted with @xxx@ ) > - files ssh_config sshd_config and all TROFFMAN files are generated from configure to. > - removed version.h ( version number is in configure and #define in ssh.h ) This file will not be going anywhere unless you talk the OpenBSD group into the change. > - updated includes.h ( without version.h ) > - changed defines.h and ssh-add.c with new askpass option and #define > - removed fixpaths ( sed command from configure generate correct file paths ). You might > backup it. Have we verified that sed will work correctly on every platform for this operation? Hmmm?? Mainly on Solaris and other platforms that are known to ship brain dead sed. Humor me again... How does the all of theses changes 'improve' portability of OpenSSH or the readablity of the autoconf? And have you verified that adding automake into the mix does not imply the requirement of GNU Make? - Ben From tim at multitalents.net Fri Jan 19 16:21:08 2001 From: tim at multitalents.net (Tim Rice) Date: Thu, 18 Jan 2001 21:21:08 -0800 (PST) Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: Message-ID: On Thu, 18 Jan 2001 mouring at etoh.eviladmin.org wrote: > On Thu, 18 Jan 2001, Tim Rice wrote: > > > You may find that all it really neds is the regex.h file. > > On my SCO Open Server 3 machine, > > configure finds regcomp and therefor will not test for pcre > > but there is no regex.h in the system include files. > > > > Your making me have flashbacks on why I really dislike SCO. =) > > Where does SCO keep it's regcomp() defination? if it does not > have a regex.h? > It doesn't. (Isn't this fun?) But in linc we see tim(trr)@sco42 41% ar tv /lib/libc.a | grep reg rw-r--r-- 0/ 1 404 Jan 6 02:27 1993 regcomp.o rw-r--r-- 0/ 1 404 Jan 6 02:27 1993 regerror.o rw-r--r-- 0/ 1 404 Jan 6 02:27 1993 regexec.o rw-r--r-- 0/ 1 404 Jan 6 02:27 1993 regfree.o > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From mouring at etoh.eviladmin.org Fri Jan 19 17:15:54 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 19 Jan 2001 00:15:54 -0600 (CST) Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: Message-ID: On Thu, 18 Jan 2001, Tim Rice wrote: > On Thu, 18 Jan 2001 mouring at etoh.eviladmin.org wrote: > > > On Thu, 18 Jan 2001, Tim Rice wrote: > > > > > You may find that all it really neds is the regex.h file. > > > On my SCO Open Server 3 machine, > > > configure finds regcomp and therefor will not test for pcre > > > but there is no regex.h in the system include files. > > > > > > > Your making me have flashbacks on why I really dislike SCO. =) > > > > Where does SCO keep it's regcomp() defination? if it does not > > have a regex.h? > > > It doesn't. (Isn't this fun?) > And 'find /usr/include -type f -print | xargs grep "regcomp"' produces no results? UGh.. Flashbacks.. =) From mouring at etoh.eviladmin.org Fri Jan 19 17:34:58 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 19 Jan 2001 00:34:58 -0600 (CST) Subject: New configuration scripts for Cygwin In-Reply-To: <20010118153920.I4318@cobold.vinschen.de> Message-ID: On Thu, 18 Jan 2001, Corinna Vinschen wrote: > Hi, > > I have attached two new shell scripts `ssh-host-config' and > `ssh-user-config' which will replace the script `ssh-config' > in the next Cygwin OpenSSH release. > > Could somebody with write access please remove > Done. There was an S/Key change that I commited tonight. Could you verify that auth1.c around like 325 if that is the correct location for that little CYGWIN, or if it should go after the root checking case. Assuming that the root check is even valid under Cygwin. Thanks. - Ben From vinschen at redhat.com Fri Jan 19 19:09:24 2001 From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 19 Jan 2001 09:09:24 +0100 Subject: New configuration scripts for Cygwin In-Reply-To: ; from mouring@etoh.eviladmin.org on Fri, Jan 19, 2001 at 12:34:58AM -0600 References: <20010118153920.I4318@cobold.vinschen.de> Message-ID: <20010119090924.N4318@cobold.vinschen.de> On Fri, Jan 19, 2001 at 12:34:58AM -0600, mouring at etoh.eviladmin.org wrote: > On Thu, 18 Jan 2001, Corinna Vinschen wrote: > > I have attached two new shell scripts `ssh-host-config' and > > `ssh-user-config' which will replace the script `ssh-config' > > in the next Cygwin OpenSSH release. > > > > Could somebody with write access please remove > > > Done. > > There was an S/Key change that I commited tonight. Could you verify that > auth1.c around like 325 if that is the correct location for that little > CYGWIN, or if it should go after the root checking case. Assuming that > the root check is even valid under Cygwin. For some reason I don't get your changes from CVS. I just tried it and it doesn't contain any changes. However, a root check isn't valid for Cygwin. Admins are either non existant (Windows 9x/ME) or they are a whole group of people having a combination of special "user rights" (NT/W2K). A portable solution for root checks at all would be to substitute all checks for uid/gid 0 by two OS dependent check_uid_root(uid), check_gid_root() functions. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From roumen.petrov at skalasoft.com Fri Jan 19 20:00:05 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Fri, 19 Jan 2001 11:00:05 +0200 Subject: GNU autoconf/automake in OpenSSH References: Message-ID: <3A680215.6080705@skalasoft.com> Is this work for you ? mouring at etoh.eviladmin.org wrote: > Humor me. =) How is automake improving our lives? Makefile.am is easy. > Have we verified that sed will work correctly on every platform for this > operation? Hmmm?? Mainly on Solaris and other platforms that are known to > ship brain dead sed. if configure script work => sed work. (macro AC_OUTPUT in configure.in) GNU tools autoconf/automake improve development. New make file has dependency information. Makefile.am is easy. In genarated Makefile from automake has rules to rebuild some files ( if you change configure.in simply run make ) From gert at greenie.muc.de Fri Jan 19 20:06:10 2001 From: gert at greenie.muc.de (Gert Doering) Date: Fri, 19 Jan 2001 10:06:10 +0100 Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: ; from mouring@etoh.eviladmin.org on Thu, Jan 18, 2001 at 11:32:02PM -0600 References: Message-ID: <20010119100610.B28715@greenie.muc.de> Hi, On Thu, Jan 18, 2001 at 11:32:02PM -0600, mouring at etoh.eviladmin.org wrote: > > On my SCO Open Server 3 machine, > > configure finds regcomp and therefor will not test for pcre > > but there is no regex.h in the system include files. > > Your making me have flashbacks on why I really dislike SCO. =) Ummm, yeah, SCO is very much "different". OTOH, comparison isn't really fair, as one would have to compare SCO 3.0 to Linux 1.0 (or earlier) - my system was installed in May 1993... > Where does SCO keep it's regcomp() defination? if it does not > have a regex.h? It doesn't. Weird enough - no regex.h, and no mention of regcomp() in any file under /usr/include. There is no man page for regcomp either, but it's in libc. mentions a , but that doesn't exist either. *ugh* gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From djm at mindrot.org Fri Jan 19 20:11:43 2001 From: djm at mindrot.org (Damien Miller) Date: Fri, 19 Jan 2001 20:11:43 +1100 (EST) Subject: GNU autoconf/automake in OpenSSH In-Reply-To: <3A680215.6080705@skalasoft.com> Message-ID: On Fri, 19 Jan 2001, Roumen Petrov wrote: > Is this work for you ? > > mouring at etoh.eviladmin.org wrote: > > > Humor me. =) How is automake improving our lives? > Makefile.am is easy. > > > Have we verified that sed will work correctly on every platform > > for this operation? Hmmm?? Mainly on Solaris and other platforms > > that are known to ship brain dead sed. > if configure script work => sed work. (macro AC_OUTPUT in configure.in) > > GNU tools autoconf/automake improve development. autoconf is horrid, its language is ugly and incredibly fragile. We use it because he have to, I can't imagine anyone actually liking it! > New make file has dependency information. Can we not get this with a "make depend" target? > Makefile.am is easy. So are plain makefiles. > In genarated Makefile from automake has rules to rebuild some files > ( if you change configure.in simply run make ) We can do this with: Makefile: configure ./configure configure: configure.in autoreconf and avoid an additional tool that all developers need to learn and have on hand. IMO automake may be useful IFF you have a large, complicated project with many modules and more than a moderate degree of change. Portable OpenSSH has none of these attributes. I don't mean to discourage your contribution but, as Ben implied, switching to automake does not make our jobs any easier. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From vinschen at redhat.com Fri Jan 19 21:47:19 2001 From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 19 Jan 2001 11:47:19 +0100 Subject: New configuration scripts for Cygwin In-Reply-To: <20010119090924.N4318@cobold.vinschen.de>; from vinschen@redhat.com on Fri, Jan 19, 2001 at 09:09:24AM +0100 References: <20010118153920.I4318@cobold.vinschen.de> <20010119090924.N4318@cobold.vinschen.de> Message-ID: <20010119114719.Q4318@cobold.vinschen.de> On Fri, Jan 19, 2001 at 09:09:24AM +0100, Corinna Vinschen wrote: > On Fri, Jan 19, 2001 at 12:34:58AM -0600, mouring at etoh.eviladmin.org wrote: > > There was an S/Key change that I commited tonight. Could you verify that > > auth1.c around like 325 if that is the correct location for that little > > CYGWIN, or if it should go after the root checking case. Assuming that > > the root check is even valid under Cygwin. > > For some reason I don't get your changes from CVS. I just tried it > and it doesn't contain any changes. > > However, a root check isn't valid for Cygwin. Admins are either > non existant (Windows 9x/ME) or they are a whole group of people > having a combination of special "user rights" (NT/W2K). > > A portable solution for root checks at all would be to substitute > all checks for uid/gid 0 by two OS dependent check_uid_root(uid), > check_gid_root() functions. Ok, I could check the code and it looks fine. Thanks, Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From roumen.petrov at skalasoft.com Fri Jan 19 22:03:58 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Fri, 19 Jan 2001 13:03:58 +0200 Subject: GNU autoconf/automake in OpenSSH References: Message-ID: <3A681F1E.3080201@skalasoft.com> Damien Miller wrote: > On Fri, 19 Jan 2001, Roumen Petrov wrote: ... >> In genarated Makefile from automake has rules to rebuild some files >> ( if you change configure.in simply run make ) > > > We can do this with: > > Makefile: configure > ./configure > NO ./config.status > configure: configure.in > autoreconf ;-) automake make this better for you. > > and avoid an additional tool that all developers need to learn and have > on hand. > only few developers. I found that all sources in one directory is difficult. Am example len put all sshd sources in subfolder sshd. To make, install, clean you must create a Makefile.in with all rules. But i can create Makefile.am : ------------ AM_INSTALL_PROGRAM_FLAGS=-m 0755 -s LDFLAGS=-L.. @LDFLAGS@ sbin_PROGRAMS=sshd LDADD=-lssh -lopenbsd-compat # source files sshd_SOURCES=sshd.c auth.c ..... ------------ and append in configure.in in macro AC_OUTPUT -> sshd/Makefile and run automake. I found this easy for all developers. From artem at atlant.ru Fri Jan 19 23:19:38 2001 From: artem at atlant.ru (Tugarev Artem) Date: Fri, 19 Jan 2001 15:19:38 +0300 Subject: OPENSSH Message-ID: <037901c08212$182d0640$3a0aa8c0@atlant.local> Hello! I'm from Russia and have a one question about openssh: I killed .ssh directory on client and server, then my ssh -2 become to use my passwd file. It is fine, but does openssh use cryptography methods, when it logins with password (etc/passwd) method, if I don't wont to use key files(DSA)? Best Regardes, Artem From stevesk at sweden.hp.com Sat Jan 20 00:30:19 2001 From: stevesk at sweden.hp.com (Kevin Steves) Date: Fri, 19 Jan 2001 14:30:19 +0100 (MET) Subject: Core dumps on HP-UX In-Reply-To: <3A67BD2C.4F91A53D@corp.usa.net> Message-ID: On Thu, 18 Jan 2001, Tom Orban wrote: : Pid 22024 received a SIGSEGV for stack growth failure. : Possible causes: insufficient memory or swap space, : or stack size exceeded maxssiz. : : Other info: we're running on HP boxes running HP-UX 11.00; the compiler : is HP's Ansi C compiler with patch PHSS_22272 installed. The core : problems have occurred on snapshots from 0112 up to and including : tonight's (SNAP-0119). that's the SIGCHLD issue that hasn't been resolved yet. i've been using this patch on hp-ux for a few weeks now, so i can use and test the proto 2 stuff. it implements a mysignal() wrapper and uses it for the sigchld_handler2 function. Index: ssh.h =================================================================== RCS file: /var/cvs/openssh/ssh.h,v retrieving revision 1.52 diff -u -r1.52 ssh.h --- ssh.h 2001/01/19 04:26:52 1.52 +++ ssh.h 2001/01/19 13:13:59 @@ -500,6 +500,10 @@ /* set filedescriptor to non-blocking */ void set_nonblock(int fd); +/* wrapper for signal interface */ +typedef void (*mysig_t)(int); +mysig_t mysignal(int sig, mysig_t act); + /* * Performs the interactive session. This handles data transmission between * the client and the program. Note that the notion of stdin, stdout, and Index: util.c =================================================================== RCS file: /var/cvs/openssh/util.c,v retrieving revision 1.4 diff -u -r1.4 util.c --- util.c 2000/10/28 03:19:58 1.4 +++ util.c 2001/01/19 13:13:59 @@ -94,3 +94,25 @@ return (old); } + +mysig_t +mysignal(int sig, mysig_t act) +{ +#ifdef HAVE_SIGACTION + struct sigaction sa, osa; + + if (sigaction(sig, 0, &osa) == -1) + return (mysig_t) -1; + if (osa.sa_handler != act) { + memset(&sa, 0, sizeof sa); + sigemptyset(&sa.sa_mask); + sa.sa_flags = 0; + sa.sa_handler = act; + if (sigaction(sig, &sa, 0) == -1) + return (mysig_t) -1; + } + return (osa.sa_handler); +#else + return (signal(sig, act)); +#endif +} Index: serverloop.c =================================================================== RCS file: /var/cvs/openssh/serverloop.c,v retrieving revision 1.36 diff -u -r1.36 serverloop.c --- serverloop.c 2001/01/19 04:26:52 1.36 +++ serverloop.c 2001/01/19 13:14:06 @@ -109,7 +109,7 @@ int save_errno = errno; debug("Received SIGCHLD."); child_terminated = 1; - signal(SIGCHLD, sigchld_handler2); + mysignal(SIGCHLD, sigchld_handler2); errno = save_errno; } @@ -643,7 +643,7 @@ debug("Entering interactive session for SSH2."); - signal(SIGCHLD, sigchld_handler2); + mysignal(SIGCHLD, sigchld_handler2); signal(SIGPIPE, SIG_IGN); child_terminated = 0; connection_in = packet_get_connection_in(); From roumen.petrov at skalasoft.com Sat Jan 20 00:37:51 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Fri, 19 Jan 2001 15:37:51 +0200 Subject: GNU autoconf/automake in OpenSSH References: Message-ID: <3A68432F.8070905@skalasoft.com> If you don't adopt Makefile.am, peace to add to openssh changes about new configure option --with-askpass For macro OSSH_EXPAND_PATHS thinks for answer form Philippe WILLEM, Gary E. Miller > Yes, that way it works on SCO's sh. Tim Race > Works with both sh and ksh on Solaris 7 UnixWare 2.03 SCO 3.2v4.2 UnixWare 2.1.3 SCO 5.0.4 UnixWare 7.1.0 (already reported) AIX 4.3.2.0 for answers to post with subject 'configure.in: Someone please show me a better way :)' in this forum. In this topic is an base example for this macro. About macro OSSH_SHOW_OPTIONS. If you adopt OSSH_EXPAND_PATHS we can use this macro in configure.in instead of code with echo commands after 'Someone please show me a better way .....' From jason at dialog.com Sat Jan 20 00:57:41 2001 From: jason at dialog.com (Jason F.) Date: Fri, 19 Jan 2001 13:57:41 +0000 Subject: BUG in compilation as suggested Message-ID: <3A6847D5.7E199E23@dialog.com> Dear [?], In compiling open-ssh on Solaris 2.6, with all recommended patches, a current verson of gcc, the latest (recommended) ZLib, the latest (and recommended) OpenSSL... When a simple ./configure and then make is performed, this error comes up, always, no matter what configure flags are set or not. This layout is posted on the Cert Website... and it fails everytime. -thanks if anyone could advise or suggest... The readme's do not mention anything I can see close to this error. -Jason F, London, Uk. gcc -g -O2 -Wall -I. -I. -I/usr/local/include -I/usr/include -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -DSSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c log.c -o log.o log.c: In function `fatal': log.c:50: `__builtin_va_alist' undeclared (first use in this function) log.c:50: (Each undeclared identifier is reported only once log.c:50: for each function it appears in.) log.c:49: warning: `args' might be used uninitialized in this function log.c: In function `error': log.c:62: `__builtin_va_alist' undeclared (first use in this function) log.c:61: warning: `args' might be used uninitialized in this function log.c: In function `log': log.c:73: `__builtin_va_alist' undeclared (first use in this function) log.c:72: warning: `args' might be used uninitialized in this function log.c: In function `verbose': log.c:84: `__builtin_va_alist' undeclared (first use in this function) log.c:83: warning: `args' might be used uninitialized in this function log.c: In function `debug': log.c:95: `__builtin_va_alist' undeclared (first use in this function) log.c:94: warning: `args' might be used uninitialized in this function log.c: In function `debug2': log.c:104: `__builtin_va_alist' undeclared (first use in this function) log.c:103: warning: `args' might be used uninitialized in this function log.c: In function `debug3': log.c:113: `__builtin_va_alist' undeclared (first use in this function) log.c:112: warning: `args' might be used uninitialized in this function make: *** [log.o] Error 1 From djm at mindrot.org Sat Jan 20 01:36:50 2001 From: djm at mindrot.org (Damien Miller) Date: Sat, 20 Jan 2001 01:36:50 +1100 (EST) Subject: OPENSSH In-Reply-To: <037901c08212$182d0640$3a0aa8c0@atlant.local> Message-ID: On Fri, 19 Jan 2001, Tugarev Artem wrote: > Hello! > I'm from Russia and have a one question about openssh: > > I killed .ssh directory on client and server, then my ssh -2 become to use > my passwd file. It is fine, but > does openssh use cryptography methods, when it logins with password > (etc/passwd) method, if I don't wont to use key files(DSA)? Yes - if you run ssh with the '-v' flag, it will tell you the algorithm it uses (likely 3des). -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From djm at mindrot.org Sat Jan 20 01:38:55 2001 From: djm at mindrot.org (Damien Miller) Date: Sat, 20 Jan 2001 01:38:55 +1100 (EST) Subject: BUG in compilation as suggested In-Reply-To: <3A6847D5.7E199E23@dialog.com> Message-ID: On Fri, 19 Jan 2001, Jason F. wrote: > Dear [?], > > In compiling open-ssh on Solaris 2.6, with all recommended patches, a > current verson of gcc, the latest (recommended) ZLib, the latest (and > recommended) OpenSSL... > > When a simple ./configure and then make is performed, this error comes > up, always, no matter what configure flags are set or not. This layout > is posted on the Cert Website... and it fails everytime. > > -thanks if anyone could advise or suggest... The readme's do not mention > anything I can see close to this error. Edit the Makefile that configure generated and delete the -I/usr/include from CFLAGS. This should be fixed in the snapshots[1] (can someone verify?) -d [1] www.openssh.com/portable.html -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From mouring at etoh.eviladmin.org Sat Jan 20 03:08:13 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 19 Jan 2001 10:08:13 -0600 (CST) Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: <20010119100610.B28715@greenie.muc.de> Message-ID: On Fri, 19 Jan 2001, Gert Doering wrote: > Hi, > > On Thu, Jan 18, 2001 at 11:32:02PM -0600, mouring at etoh.eviladmin.org wrote: > > > On my SCO Open Server 3 machine, > > > configure finds regcomp and therefor will not test for pcre > > > but there is no regex.h in the system include files. > > > > Your making me have flashbacks on why I really dislike SCO. =) > > Ummm, yeah, SCO is very much "different". OTOH, comparison isn't really > fair, as one would have to compare SCO 3.0 to Linux 1.0 (or earlier) - my > system was installed in May 1993... > Well.. my SCO days were just around the Linux 1.0 days. SCO, DG/UX, and Interactive UNIX where the platforms I was forced to admin (along with a little Slackware box I brought with me to the job). and that was 1995 (Linux was still pre-1.0 in may of 93). > > Where does SCO keep it's regcomp() defination? if it does not > > have a regex.h? > > It doesn't. Weird enough - no regex.h, and no mention of regcomp() in any > file under /usr/include. There is no man page for regcomp either, but > it's in libc. > > mentions a , but that doesn't exist either. *ugh* > Pitty.. Looks like we need a fake-regexp.h or something to fill the void. - Ben From vanja at relaygroup.com Sat Jan 20 03:22:09 2001 From: vanja at relaygroup.com (Vanja Hrustic) Date: Fri, 19 Jan 2001 23:22:09 +0700 Subject: sshd crashes (w/ skey) Message-ID: <20010119232209.A7407@relaygroup.com> Hi! There is a situation when sshd will crash, but it might be rather hard to reproduce. I'll try to explain the setup :) S/KEY is compiled and installed (taken from http://www.sparc.spb.su/solaris/skey/ ) on Linux box (kernel 2.4.0). Then, OpenSSH 2.3.0p1 is compiled with skey support. It all works fine (patch has been applied too, which fixes skey issue found in November). Now, for the sake of testing, I have created an skey entry for the user which doesn't have an account on the system. Like: 'skey init blah' Then, I try to connect with: ssh blah at host (s/key enabled, password authentication disabled - so s/key kicks in automatically, and ssh_config also has s/key authentication enabled) Sshd dies. Debug output shows: ... debug1: Received session key; encryption turned on. debug1: Installing crc compensation attack detector. debug1: Attempting authentication for illegal user blah. debug1: rcvd SSH_CMSG_AUTH_TIS debug1: generating fake skeyinfo for blah. Segmentation fault (core dumped) [root at x openssh-2.3.0p1]# Funny enough, core file is created in the root (/core) - I am not sure if that is 'expected' behavior - never had sshd crash before :) gdb output shows: (gdb) where #0 0x400ae0d6 in chunk_free (ar_ptr=0x40142d60, p=0x80f3948) at malloc.c:3097 #1 0x400ade46 in chunk_alloc (ar_ptr=0x40142d60, nb=24) at malloc.c:2594 #2 0x400ad5ce in __libc_malloc (bytes=15) at malloc.c:2696 #3 0x400b2a29 in __strdup (s=0x4013b731 "/etc/localtime") at strdup.c:43 #4 0x400dd3c0 in tzset_internal (always=0) at tzset.c:169 #5 0x400de0db in __tz_convert (timer=0xbfffee8c, use_localtime=1, tp=0x40148460) at tzset.c:582 #6 0x400d9c9c in localtime (t=0xbfffee8c) at localtime.c:43 #7 0x400d9bd8 in ctime (t=0xbfffee8c) at ctime.c:32 #8 0x80501b6 in skey_fake_keyinfo (username=0x80ed5d8 "blah") at auth-skey.c:145 #9 0x804eb9c in do_authloop (pw=0x0, luser=0x80ed5d8 "blah") at auth1.c:279 #10 0x804ef77 in do_authentication () at auth1.c:473 #11 0x804dc4a in main (ac=2, av=0xbffffa3c) at sshd.c:1088 (gdb) I might be talking complete BS, but I think that problem lies somewhere among these lines: -- auth-skey.c - skey_fake_keyinfo() -- } else if (!stat(_PATH_MEM, &sb) || !stat("/", &sb)) { t = sb.st_ctime; secret = ctime(&t); secretlen = strlen(secret); flg = 0; } -- cut-- I have tried adding various debug() messages in the auth-skey.c file, and what was VERY funny is that sshd would 'randomly' stop crashing if I put debug lines to the code. For example, I add 2 debug lines below this piece of code, and fake response gets generated fine - sshd never dies. I put only 1, little bit more up - it dies. I move it more, sshd works again. This doesn't look like 'stable bug' (doesn't happen when I add some debug lines fe), so it might be something related to the system itself. More details: opennssl 0.9.6 openssh 2.3.0p1 gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release) kernel 2.4.0 (no 'additional' patches) Any help is appreciated :) Vanja p.s: sorry, I'm not on the list, so I'd appreciate if you can CC me on any responses. Thanks :) From tim at multitalents.net Sat Jan 20 03:30:07 2001 From: tim at multitalents.net (Tim Rice) Date: Fri, 19 Jan 2001 08:30:07 -0800 (PST) Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: Message-ID: On Fri, 19 Jan 2001 mouring at etoh.eviladmin.org wrote: > On Thu, 18 Jan 2001, Tim Rice wrote: > > > On Thu, 18 Jan 2001 mouring at etoh.eviladmin.org wrote: > > > > > On Thu, 18 Jan 2001, Tim Rice wrote: > > > > > > > You may find that all it really neds is the regex.h file. > > > > On my SCO Open Server 3 machine, > > > > configure finds regcomp and therefor will not test for pcre > > > > but there is no regex.h in the system include files. > > > > > > > > > > Your making me have flashbacks on why I really dislike SCO. =) > > > > > > Where does SCO keep it's regcomp() defination? if it does not > > > have a regex.h? > > > > > It doesn't. (Isn't this fun?) > > > And 'find /usr/include -type f -print | xargs grep "regcomp"' produces > no results? That's right. > > UGh.. Flashbacks.. =) > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From roumen.petrov at skalasoft.com Sat Jan 20 05:30:01 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Fri, 19 Jan 2001 20:30:01 +0200 Subject: upcoming s/key changes Message-ID: <3A6887A9.30109@skalasoft.com> First look : might work. Markus give me please idea how to make strong tests. From magick at dds.nl Sat Jan 20 09:22:21 2001 From: magick at dds.nl (Magick) Date: Fri, 19 Jan 2001 23:22:21 +0100 Subject: Reduced sshd Message-ID: <20010119232221.A9635@Magick> Hello, I'm looking for a minimal implementation of the ssh daemon, which could, for example, be used in a linux router. Is there such a version, or should i try it myself? If i'm going to do it myself, which features can i remove, which is the best encryption methode to use? Bart -- ..the more original a discovery the more obvious it seems afterwards. -- Arthur Koestler GPG key = 1024D/4B086D06 Fingerprint = CD4D 5601 287D F075 6F96 6157 99F9 E56A 4B08 6D06 From sunil at redback.com Sat Jan 20 09:32:44 2001 From: sunil at redback.com (Sunil K. Vallamkonda) Date: Fri, 19 Jan 2001 14:32:44 -0800 (PST) Subject: SIGSEGV: openssl/openssh Message-ID: I am using: OpenSSL 0.9.5a 1 Apr 2000 OpenSSH_2.3.1p1 OS: NetBSD 1.4.2 I get ssh-keygen errors at runtime: % gdb ./ssh-keygen (gdb) r Starting program: ./ssh-keygen Program received signal SIGSEGV, Segmentation fault. 0x2ddce in expand (lh=0xd3080) at openssl/crypto/lhash/lhash.c:321 321 np->next= *n2; (gdb) where #0 0x2ddce in expand (lh=0xd3080) at openssl/crypto/lhash/lhash.c:321 #1 0x2dff4 in lh_insert (lh=0xd3080, data=0xd8800) at openssl/crypto/lhash/lhash.c:187 #2 0x2efec in OBJ_NAME_add (name=0x3054a "RC4", type=2, data=0xbc0c0 "\005") at openssl/crypto/objects/o_names.c:171 #3 0x4c23a in EVP_add_cipher (c=0xbc0c0) at openssl/crypto/evp/names.c:69 #4 0x2ceca in OpenSSL_add_all_ciphers () at openssl/crypto/evp/c_allc.c:94 #5 0x2ccf8 in OpenSSL_add_all_algorithms () at openssl/crypto/evp/c_all.c:65 #6 0x29a4 in main (ac=1, av=0xefbfd628) at openssh/ssh-keygen.c:649 (gdb) (gdb) p n2 $1 = (LHASH_NODE **) 0xd9040 (gdb) p *n2 $2 = (LHASH_NODE *) 0x0 (gdb) p np $3 = (LHASH_NODE *) 0x8d7ca (gdb) p np->next $4 = (struct lhash_node_st *) 0xe8510c4d Any suggestions ? Thank you. From Darren.Moffat at eng.sun.com Sat Jan 20 10:07:00 2001 From: Darren.Moffat at eng.sun.com (Darren Moffat) Date: Fri, 19 Jan 2001 15:07:00 -0800 (PST) Subject: Reduced sshd Message-ID: <200101192307.f0JN70M326056@jurassic.eng.sun.com> >I'm looking for a minimal implementation of the ssh daemon, which could, >for example, be used in a linux router. Is there such a version, or should >i try it myself? >If i'm going to do it myself, which features can i remove, which is the >best encryption methode to use? If what you are asking for is minimizing the features that the connecting client can use then most of this can probably be achived by setting options in the config file. As for the minimum encryption then the minimum as per the IETF draft is 3DES for SSHv2, but I would recommend supporting at least blowfish as well, the rest - comment them out of the cipher.c file. But you can do this in the server config file anyway. There is a lot of stuff you could probably remove from the code base if you really wanted to rather than just turning it off in the server config, but what do you believe this is going to achive for you ? -- Darren J Moffat From jason at dfmm.org Sat Jan 20 11:32:06 2001 From: jason at dfmm.org (Jason Stone) Date: Fri, 19 Jan 2001 16:32:06 -0800 (PST) Subject: Reduced sshd In-Reply-To: <200101192307.f0JN70M326056@jurassic.eng.sun.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > I'm looking for a minimal implementation of the ssh daemon, which > > could, for example, be used in a linux router. Is there such a > > version, or should i try it myself? If i'm going to do it myself, > > which features can i remove, which is the best encryption methode to > > use? > > There is a lot of stuff you could probably remove from the code base > if you really wanted to rather than just turning it off in the server > config, but what do you believe this is going to achive for you ? Probablly he believes that he's really tight on space and wants to trim the binary size? There are a number of projects to run linux routers/firewalls that boot off of a single floppy, or a very small flash disk, etc, unpack into ram and run a really minimal system out of a ramdisk. If you control all of the clients, you're free to pick whatever you want. Personally, I'd go with just protocol 1 support, and just blowfish for the symmetric cipher. If you have to allow/support weird clients though, you'll have to have a look and see what they support. -Jason --------------------------- If the Revolution comes to grief, it will be because you and those you lead have become alarmed at your own brutality. --John Gardner -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE6aNyJswXMWWtptckRAh64AKDWcBfgsHvHZ9KLlUCP6XRXcw6vQQCg38sp Gkh8F79YaUE+kTN3A/lvIPI= =2uhv -----END PGP SIGNATURE----- From djm at mindrot.org Sat Jan 20 11:34:13 2001 From: djm at mindrot.org (Damien Miller) Date: Sat, 20 Jan 2001 11:34:13 +1100 (EST) Subject: OpenSSH 2.3.0p1 won't build on IRIX 5.2 In-Reply-To: Message-ID: On Fri, 19 Jan 2001 mouring at etoh.eviladmin.org wrote: > Pitty.. Looks like we need a fake-regexp.h or something to fill the void. I think we should just use an external lib rather than try to guess the types and behaviour of an undocumented libc routine :) -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From davidr at oddjob.uchicago.edu Sun Jan 21 07:38:33 2001 From: davidr at oddjob.uchicago.edu (David Ressman) Date: Sat, 20 Jan 2001 14:38:33 -0600 Subject: /etc/nologin and Solaris PAM bug Message-ID: <20010120143833.A20690@oddjob> My apologies if this has already been discussed. I looked through the mailing list archives and couldn't see any mention of this problem. I compiled and installed openssh-2.3.0p1 on a sparc running SunOS 5.7, and while I was testing it to make sure everything was working properly, I noticed that when I used PAM to authenticate, rather than /bin/login, sshd was not honoring /etc/nologin. I took a real quick look through the source code and found this at line 1022 of session.c: #ifndef USE_PAM /* pam_nologin handles this */ if (!options.use_login) { Now that seems like it's probably the right way to handle /etc/nologin under PAM authenticated linux systems, however there's one problem: Sun doesn't ship SunOS with a pam_nologin.so module. pam_unix.so authenticates the user, and since openssh is told not to look for /etc/nologin, it lets the user log in. I could fix this by having sshd use /bin/login, but I'd really rather not. I just removed the "#ifndef USE_PAM" and "#endif /* USE_PAM */" lines and it worked fine. I'm not suggesting that as the fix for the bug, but it certainly works. Besides, I can't see the harm in having sshd check /etc/nologin even if there is a pam_nologin module that's supposed to check for it. I'd view it as an extra guarantee that /etc/nologin really means no logins even if some script kiddie or incompetent admin has been playing around with the system's PAM configuration. Thanks for your time, David Ressman P.S. Here's the patch I used to fix the problem: *** session.c.orig Sat Jan 20 14:09:42 2001 --- session.c Sat Jan 20 14:10:02 2001 *************** *** 1019,1025 **** if (options.use_login && command != NULL) options.use_login = 0; - #ifndef USE_PAM /* pam_nologin handles this */ if (!options.use_login) { # ifdef HAVE_LOGIN_CAP if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid) --- 1019,1024 ---- *************** *** 1037,1043 **** exit(254); } } - #endif /* USE_PAM */ /* Set login name, uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h" --- 1036,1041 ---- From markus.friedl at informatik.uni-erlangen.de Sun Jan 21 08:11:45 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 20 Jan 2001 22:11:45 +0100 Subject: Reduced sshd In-Reply-To: <20010119232221.A9635@Magick>; from magick@dds.nl on Fri, Jan 19, 2001 at 11:22:21PM +0100 References: <20010119232221.A9635@Magick> Message-ID: <20010120221145.C4246@folly> On Fri, Jan 19, 2001 at 11:22:21PM +0100, Magick wrote: > I'm looking for a minimal implementation of the ssh daemon, which could, > for example, be used in a linux router. Is there such a version, or should > i try it myself? > If i'm going to do it myself, which features can i remove, which is the > best encryption methode to use? it depends on what you need. for ssh-1 you could remove unused user authentication code. the port/x11/agent forwarding code in channel.c is large, but you need this for ssh-2. -markus From markus.friedl at informatik.uni-erlangen.de Sun Jan 21 08:36:01 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 20 Jan 2001 22:36:01 +0100 Subject: ssh-add bug In-Reply-To: <20010117201907.A4467@pimlott.ne.mediaone.net>; from andrew@pimlott.ne.mediaone.net on Wed, Jan 17, 2001 at 08:19:07PM -0500 References: <20010117201907.A4467@pimlott.ne.mediaone.net> Message-ID: <20010120223601.D4246@folly> thanks! commited. On Wed, Jan 17, 2001 at 08:19:07PM -0500, Andrew Pimlott wrote: > There is an amusing bug in ssh-add that causes it to go into an > infinite loop. I am using openssh 1.2.3, and noticed that when I > ran "ssh-add < /dev/null" in my X startup scripts, but didn't have > ssh-askpass installed, ssh-add started spewing errors into my > .xsession-errors and didn't stop. > > I found that what happens is: ssh-add forks and attempts to exec > ssh-askpass. The exec-ed process is supposed to pass back the > passphrase on stdout. However, when the exec fails, the child > ssh-add process exits and--if stdout was not a terminal--flushes its > stdio buffers, which happen to contain a "Need passphrase" message. > As a result, the parent ssh-add sees what it interprets as a > passphrase coming back from the child. It tries to use this to > decript the key, fails, and tries the whole thing over again. > > You can reproduce by moving ssh-askpass to another name (setting > SSH_ASKPASS=nowhere should also do) and running "ssh-add < /dev/null > > /dev/null". A strace showing this folly is at the end. I think a > patch that fixes this is > > --- ssh-add.c.orig Wed Jan 17 20:09:29 2001 > +++ ssh-add.c Wed Jan 17 20:14:07 2001 > @@ -59,6 +59,9 @@ > int p[2], status; > char buf[1024]; > > + /* make sure child doesn't accidentally blab to stdout */ > + if (fflush(stdout) != 0) > + fatal("ssh_askpass: fflush: %s", strerror(errno)); > if (askpass == NULL) > fatal("internal error: askpass undefined"); > if (pipe(p) < 0) > > (untested because I don't have all the libraries on this machine to > recompile). > > Andrew > > Strace output: > > pipe([4, 5]) = 0 > fork() = 16582 > [pid 19607] close(5) = 0 > [pid 19607] read(4, > [pid 16582] close(4) = 0 > [pid 16582] dup2(5, 1) = 1 > [pid 16582] execve("/usr/bin/ssh-askpass", ["/usr/bin/ssh-askpass", "Bad passphr > ase, try again"], [/* 20 vars */]) = -1 ENOENT (No such file or directory) > [pid 16582] write(2, "ssh_askpass: exec(/usr/bin/ssh-a"..., 66) = 66 > [pid 16582] write(2, "\r\n", 2) = 2 > [pid 16582] write(1, "Need passphrase for /home/pimlot"..., 48) = 48 > [pid 16582] munmap(0x40018000, 4096) = 0 > [pid 16582] _exit(255) = ? > <... read resumed> "Need passphrase for /home/pimlot"..., 1024) = 48 > --- SIGCHLD (Child exited) --- > close(4) = 0 > wait4(16582, [WIFEXITED(s) && WEXITSTATUS(s) == 255], 0, NULL) = 16582 > open("/home/pimlott/.ssh/identity", O_RDONLY) = 4 > fstat(4, {st_mode=S_IFREG|0600, st_size=529, ...}) = 0 > getuid() = 1000 > getuid() = 1000 > lseek(4, 0, SEEK_END) = 529 > lseek(4, 0, SEEK_SET) = 0 > read(4, "SSH PRIVATE KEY FILE FORMAT 1.1\n"..., 529) = 529 > close(4) = 0 > pipe([4, 5]) = 0 > fork() = 16583 > > From markus.friedl at informatik.uni-erlangen.de Sun Jan 21 08:49:36 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 20 Jan 2001 22:49:36 +0100 Subject: GNU autoconf/automake in OpenSSH In-Reply-To: <3A67190F.7070907@skalasoft.com>; from roumen.petrov@skalasoft.com on Thu, Jan 18, 2001 at 06:25:51PM +0200 References: <3A67190F.7070907@skalasoft.com> Message-ID: <20010120224936.E4246@folly> On Thu, Jan 18, 2001 at 06:25:51PM +0200, Roumen Petrov wrote: > - removed version.h ( version number is in configure and #define in ssh.h ) why? From markus.friedl at informatik.uni-erlangen.de Sun Jan 21 08:52:46 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 20 Jan 2001 22:52:46 +0100 Subject: ssh speed In-Reply-To: ; from rob@hagopian.net on Wed, Jan 10, 2001 at 12:24:07PM -0500 References: <20010110141244.A25971@faui02.informatik.uni-erlangen.de> Message-ID: <20010120225246.A22484@folly> hm, could you turn on (-pg, or -p) profiling and do some more tests? ssh does some data copies that could be avoided... On Wed, Jan 10, 2001 at 12:24:07PM -0500, Rob Hagopian wrote: > These were using SNAP-010109 on PIII 800s, striped 10K RPM drives, > switched fast ethernet. One machine is SMP, one isn't. Using 'scp -o > Ciphers=xxx' Both machines are FreeBSD. > > (587MB file:) > aes256-cbc 02:19 > aes128-cbc 02:17 > arcfour 02:08 > 3des-cbc 02:59 > blowfish-cbc 02:13 > none2 02:12 > > I did "hack the source" (hehehe) to add none: > > rijndael_setkey, rijndael_setiv, > rijndael_cbc_encrypt, rijndael_cbc_decrypt }, > + { "none2", > + SSH_CIPHER_SSH2, 8, 0, > + none_setkey, none_setiv, > + none_crypt, none_crypt }, > { NULL, SSH_CIPHER_ILLEGAL, 0, 0, NULL, NULL, NULL, NULL } > }; > > (it's none2 to avoid name collision with the ssh1 none) > > Indeed, it seems that when using a cipher, the ssh process is using more > cpu than sshd and is maxing out that side. But when using none2 as a > 'cipher' CPU maxes out around 30% for ssh (20% for sshd). Both processes > seem to be in select() a lot according to top. > -Rob > > On Wed, 10 Jan 2001, Markus Friedl wrote: > > > On Wed, Jan 10, 2001 at 10:37:35AM +0100, Markus Friedl wrote: > > > did you use compression? > > > > oops, i should read the all of the mail. > > > > what did you do? scp? ssh+cat? sftp? http over forwarded > > channels? > > > > what are exact version of openssh? openssh-current? did you try AES? > > > > what kind of network? CPU? transfer to localhost? > > > > did you really use 'none' in SSH-2? did you hack the source (cipher none > > should not be supported)? > > > > -markus > > > > > On Tue, Jan 09, 2001 at 06:28:10PM -0500, Rob Hagopian wrote: > > > > OK, I've been looking to run ssh2 without encryption to get maximum > > > > throughput but with secure authentication. However, my tests show that the > > > > performance speedup isn't as dramatic as I suspected: > > > > > > > > For a 587MB file: > > > > 3des-cbc 3:03 > > > > arcfour 2:10 > > > > none 2:13 > > > > > > > > ftp 0:57 > > > > > > > > I checked, compression is off (with it on estimated times were over 5min). > > > > > > > > I interpret the above as saying that the cipher does make a difference, > > > > but when using a sufficiently fast cipher there's overhead in the protocol > > > > that becomes the bottleneck. Arcfour didn't max out the CPU, nor the disk > > > > or network I/O, so what could be slowing it down? Thoughts? Suggestions? > > > > > > > > -Rob > > > > > > > > From roumen.petrov at skalasoft.com Mon Jan 22 19:00:05 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Mon, 22 Jan 2001 10:00:05 +0200 Subject: GNU autoconf/automake in OpenSSH References: <3A67190F.7070907@skalasoft.com> <20010120224936.E4246@folly> Message-ID: <3A6BE885.4070407@skalasoft.com> Markus Friedl wrote: > On Thu, Jan 18, 2001 at 06:25:51PM +0200, Roumen Petrov wrote: > >> - removed version.h ( version number is in configure and #define in ssh.h ) > > > why? changes in configure.in for automake : @@ -1,6 +1,7 @@ AC_INIT(ssh.c) +AM_INIT_AUTOMAKE(openssh,2.3.1p1) -AC_CONFIG_HEADER(config.h) +AM_CONFIG_HEADER(config.h) AC_PROG_CC AC_CANONICAL_HOST @@ -827,8 +828,8 @@ ..... about macro AM_INIT_AUTOMAKE: first arg. is PACKAGE and second is VERSION. I put in ssh.h.in this line: ... #define SSH_VERSION "@PACKAGE at _@VERSION@" ... instead of define in version.h If we use version.h, developer must change version in two files - configure.in and version.h ! From hideo at yamato.ibm.co.jp Mon Jan 22 19:26:06 2001 From: hideo at yamato.ibm.co.jp (Suzuki Hideo) Date: Mon, 22 Jan 2001 17:26:06 +0900 Subject: error: getnameinfo failed Message-ID: <20010122172606A.hideo@yamato.ibm.com> I installed openssh-2.3.0p1 on AIX 4.3.3. However, I have a problem like below and I cannot start sshd. # /usr/local/sbin/sshd -d debug1: sshd version OpenSSH_2.3.0p1 debug1: Seeded RNG with 33 bytes from programs debug1: Seeded RNG with 3 bytes from system calls debug1: read DSA private key done debug1: Seeded RNG with 33 bytes from programs debug1: Seeded RNG with 3 bytes from system calls error: getnameinfo failed fatal: Cannot bind any address. debug1: Calling cleanup 0x20023dc4(0x0) debug1: writing PRNG seed to file //.ssh/prng_seed # I had no compilation error when I compiled openssh2.3.0p1. Please help me if someone know the solution. ------- Hideo Suzuki hideo at yamato.ibm.com From roumen.petrov at skalasoft.com Mon Jan 22 22:47:06 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Mon, 22 Jan 2001 13:47:06 +0200 Subject: CVS source tree from 22 Jan 2001 Message-ID: <3A6C1DBA.8020607@skalasoft.com> Makefile.in is not fixed ! in old ssh.h # define SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" in new pathnames.h #define _PATH_SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" but in Makefile.in PATHS=...-DSSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" ----------------------------------------------------------- about patch: - remove unused defines: USE_EXTERNAL_ASKPASS (acconfig.h) ASKPASS_PROGRAM (Makefile.in, pathnames.h) - add new option (again) --with-askpass=PATH ------------------------------------------------------------ About default for askpass ? Default for sftp-server is $(libexecdir)/sftp-server But in pathnames.h we have: #define ASKPASS_PROGRAM "/usr/lib/ssh/ssh-askpass" I think that default for ssh-askpass is $(libexecdir)/ssh-askpass or might is better for both program $(libexecdir)/ssh ------------------------------------------------------------ HOME PAGE for external x11-ssh-askpass program: http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/ -------------- next part -------------- A non-text attachment was scrubbed... Name: patch-20010122.gz Type: application/gzip Size: 1669 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010122/4b9c6083/attachment.bin From mouring at etoh.eviladmin.org Tue Jan 23 02:14:21 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 22 Jan 2001 09:14:21 -0600 (CST) Subject: CVS source tree from 22 Jan 2001 In-Reply-To: <3A6C1DBA.8020607@skalasoft.com> Message-ID: On Mon, 22 Jan 2001, Roumen Petrov wrote: > Makefile.in is not fixed ! > > in old ssh.h > # define SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" > > in new pathnames.h > #define _PATH_SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" > > but in Makefile.in > > PATHS=...-DSSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" I figured I'd miss one or two of those things.=) I'll fix this later today. All references to SSH_ASKPASS_DEFAULT should be changed to _PATH_SSH_ASKPASS_DEFAULT. - Ben From roumen.petrov at skalasoft.com Tue Jan 23 02:22:06 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Mon, 22 Jan 2001 17:22:06 +0200 Subject: CVS source tree from 22 Jan 2001 References: Message-ID: <3A6C501E.8050109@skalasoft.com> Would you like to implement --with-askpass options. I can make changes in source to use askpass program in ssh ( like ssh-add ) This will solve problem in runing ssh from X session without terminal or without running ssh-agent mouring at etoh.eviladmin.org wrote: > On Mon, 22 Jan 2001, Roumen Petrov wrote: > > >> Makefile.in is not fixed ! >> >> in old ssh.h >> # define SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" >> >> in new pathnames.h >> #define _PATH_SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" >> >> but in Makefile.in >> >> PATHS=...-DSSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" > > > I figured I'd miss one or two of those things.=) I'll fix this later > today. All references to SSH_ASKPASS_DEFAULT should be changed to > _PATH_SSH_ASKPASS_DEFAULT. > > - Ben From Markus.Friedl at informatik.uni-erlangen.de Tue Jan 23 02:31:58 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 22 Jan 2001 16:31:58 +0100 Subject: CVS source tree from 22 Jan 2001 In-Reply-To: <3A6C501E.8050109@skalasoft.com>; from roumen.petrov@skalasoft.com on Mon, Jan 22, 2001 at 05:22:06PM +0200 References: <3A6C501E.8050109@skalasoft.com> Message-ID: <20010122163158.A3657@faui02.informatik.uni-erlangen.de> On Mon, Jan 22, 2001 at 05:22:06PM +0200, Roumen Petrov wrote: > Would you like to implement --with-askpass options. > I can make changes in source to use askpass program in ssh ( like ssh-add ) i have patches for this waiting in my queue. > This will solve problem in runing ssh from X session without terminal or without running > ssh-agent From george at gly.bris.ac.uk Tue Jan 23 04:47:30 2001 From: george at gly.bris.ac.uk (George Helffrich) Date: Mon, 22 Jan 2001 17:47:30 GMT Subject: Patches for failing build & bus error on SPARC/Linux Message-ID: <200101221747.RAA11749@opx.gly.bris.ac.uk> All - For those installs on crusty old hardware and OS releases, here are patches to fix two OpenSSH problems on sparc redhat 4.2 systems. 1. `Old PAM' #defines different - build fails with undefined symbols when PAM used. 2. Running ssh on sparc hardware results in bus error on some connection negotiations. Unaligned data on call to inet_ntoa() results in bus error. Compiled with gcc 2.7.2.1. Patches and a test program follows. George Helffrich (george at geology.bristol.ac.uk) *** defines.h.orig Thu Oct 19 23:14:05 2000 --- defines.h Mon Jan 22 16:52:05 2001 *************** *** 338,345 **** --- 338,349 ---- /* Function replacement / compatibility hacks */ /* In older versions of libpam, pam_strerror takes a single argument */ + /* Older versions of PAM (1.10) don't define some symbols the same way */ #ifdef HAVE_OLD_PAM # define PAM_STRERROR(a,b) pam_strerror((b)) + # define PAM_DELETE_CRED PAM_CRED_DELETE + # define PAM_ESTABLISH_CRED PAM_CRED_ESTABLISH + # define PAM_NEW_AUTHTOK_REQD PAM_AUTHTOKEN_REQD #else # define PAM_STRERROR(a,b) pam_strerror((a),(b)) #endif *** fake-getnameinfo.c.orig Fri Sep 29 00:59:14 2000 --- fake-getnameinfo.c Mon Jan 22 16:19:39 2001 *************** *** 30,39 **** if (host) { if (flags & NI_NUMERICHOST) { ! if (strlen(inet_ntoa(sin->sin_addr)) >= hostlen) return EAI_MEMORY; ! strcpy(host, inet_ntoa(sin->sin_addr)); return 0; } else { hp = gethostbyaddr((char *)&sin->sin_addr, --- 30,43 ---- if (host) { if (flags & NI_NUMERICHOST) { ! /* inet_ntoa wants aligned data on SPARC */ ! struct in_addr align; ! bcopy((char *)&sin->sin_addr, ! (char *)&align, sizeof(struct in_addr)); ! if (strlen(inet_ntoa(align)) >= hostlen) return EAI_MEMORY; ! strcpy(host,inet_ntoa(align)); return 0; } else { hp = gethostbyaddr((char *)&sin->sin_addr, *** /dev/null Tue Jan 1 04:00:00 1980 --- /tmp/testinet.c Mon Jan 22 16:44:17 2001 *************** *** 0 **** --- 1,47 ---- + /* Test program to exercise bug arising from assumed alignment of + struct sockaddr_in in some SPARC versions of inet_ntoa. Appears under + config with host sparc-unknown-linux-gnulibc1. + + To try, compile e.g. + gcc -g -I/usr/src/local/openssh-2.3.0p1 -I/usr/local/ssl/include \ + -o testinet testinet.c + + G. Helffrich/U. Bristol Earth Sciences + */ + #include "includes.h" + #include "ssh.h" + + int sub(const struct sockaddr *sa, char *host, size_t hostlen) { + struct sockaddr_in *sin = (struct sockaddr_in *)sa; + + char *str = inet_ntoa(sin->sin_addr); + + if (strlen(str) > hostlen) + return -1; + else + strcpy(host,str); + return 0; + } + + main(argc,argv) + int argc; + char *argv[]; + { + struct sockaddr_in sin; + char host[1025]; + + char *ptr = malloc(sizeof(struct sockaddr_in)+8); + + char *unaligned = ptr+1; + + sin.sin_family = 2; + sin.sin_port = 22; + sin.sin_addr = inet_makeaddr(137<<24 | 222<<16 | 20<<8 , 17); + + bcopy((char *)&sin, unaligned, sizeof(struct sockaddr_in)); + + (void)sub((struct sockaddr *)unaligned,host,(size_t)sizeof(host)); + + printf("%s\n",host); + return 0; + } From jmknoble at jmknoble.cx Tue Jan 23 06:00:12 2001 From: jmknoble at jmknoble.cx (Jim Knoble) Date: Mon, 22 Jan 2001 14:00:12 -0500 Subject: CVS source tree from 22 Jan 2001 In-Reply-To: <3A6C1DBA.8020607@skalasoft.com>; from roumen.petrov@skalasoft.com on Mon, Jan 22, 2001 at 01:47:06PM +0200 References: <3A6C1DBA.8020607@skalasoft.com> Message-ID: <20010122140012.B24773@shell.ntrnet.net> Circa 2001-Jan-22 13:47:06 +0200 dixit Roumen Petrov: : ------------------------------------------------------------ : HOME PAGE for external x11-ssh-askpass program: : http://www.ntrnet.net/~jmknoble/software/x11-ssh-askpass/ Actually, i'd prefer it if the following URL is used instead of, or at least in addition to, the one above: http://www.jmknoble.cx/software/x11-ssh-askpass/ It points to the same spot, but it's a more stable location. -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ From smartind at home.com Mon Jan 22 23:56:40 2001 From: smartind at home.com (Daphne and Steve Martindell) Date: Mon, 22 Jan 2001 06:56:40 -0600 Subject: openssl make fails Message-ID: <3A6C2E08.54157A31@home.com> I am running a p166 hardware with suse linux 7.0. I have downloaded the ssl version from your website. I did a ./config -d no-asm I did a ./make during the compilation of /apps the gcc -o openssl ... -lcrypto -lefence -ldl the following error message: /usr/i486-suse-linux/bin/ld: cannot find -lefence collect2: ld returned 1 exit status make[2]: *** [openssl] Error 1 make[2]: Leaving directory '/root/openssl-0.9.6/apps' make[1]: *** [all] Error 1 make[1]: Leaving directory `/root/openssl-0.9.6' make: *** [top] Error 2 Is there a conflict between the suse linux 7.0 and your ssl version 0.9.6? Thx. - daphne martindell From mouring at etoh.eviladmin.org Tue Jan 23 09:50:19 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 22 Jan 2001 16:50:19 -0600 (CST) Subject: CVS source tree from 22 Jan 2001 In-Reply-To: <3A6C1DBA.8020607@skalasoft.com> Message-ID: On Mon, 22 Jan 2001, Roumen Petrov wrote: > Makefile.in is not fixed ! > > in old ssh.h > # define SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" > > in new pathnames.h > #define _PATH_SSH_ASKPASS_DEFAULT "/usr/X11R6/bin/ssh-askpass" > > but in Makefile.in > > PATHS=...-DSSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" > Done.. Along with a few more path fix ups. > ----------------------------------------------------------- > about patch: > - remove unused defines: > USE_EXTERNAL_ASKPASS (acconfig.h) > ASKPASS_PROGRAM (Makefile.in, pathnames.h) > - add new option (again) > --with-askpass=PATH > ------------------------------------------------------------ > About default for askpass ? > I would perfer to sit on this for a bit longer. With the major cleanup that just happened I would perfer to shake out the minor compile issues and get ready for a real 2.4.0 release.=) - Ben From andrew.sherrod at tfn.com Tue Jan 23 07:48:01 2001 From: andrew.sherrod at tfn.com (Sherrod, Andrew) Date: Mon, 22 Jan 2001 15:48:01 -0500 Subject: Solaris 2.6 problem Message-ID: I was building OpenSSH on a Solaris 2.6 machine and found a small problem using scp after it was built. The scp command coming from a remote machine to the OpenSSH machine results in an error message of "sh: scp: not found". The start-up script for sshd sets PATH to include /usr/local/bin where scp resides. I also tried adding an "export PATH" in case that was the problem, but the error persisted. I also added /usr/local/bin to the PATH in the .login for root. I also did the same for each individual user. I could solve the problem by linking /usr/local/bin/scp to /usr/bin/scp, but this seems a fairly ugly solution. Do you have any idea why the PATH variable is not picked up sshd (either from root's PATh or the target user's PATH)? Thanks for any input. Andrew Sherrod From mouring at etoh.eviladmin.org Tue Jan 23 09:55:28 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 22 Jan 2001 16:55:28 -0600 (CST) Subject: openssl make fails In-Reply-To: <3A6C2E08.54157A31@home.com> Message-ID: On Mon, 22 Jan 2001, Daphne and Steve Martindell wrote: > > I am running a p166 hardware with suse linux 7.0. > I have downloaded the ssl version from your website. > > I did a ./config -d no-asm > > I did a ./make > > during the compilation of /apps > the gcc -o openssl ... -lcrypto -lefence -ldl > the following error message: > /usr/i486-suse-linux/bin/ld: cannot find -lefence ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Do you have efence installed or did you disable this feature? This is really the wrong mailinglist. Try the OpenSSL mailinglist. - Ben From mouring at etoh.eviladmin.org Tue Jan 23 10:04:01 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 22 Jan 2001 17:04:01 -0600 (CST) Subject: Solaris 2.6 problem In-Reply-To: Message-ID: Have you tried recompiling with --with-default-path= and ensure that /usr/local/bin is within that path? On Mon, 22 Jan 2001, Sherrod, Andrew wrote: > I was building OpenSSH on a Solaris 2.6 machine and found a small problem > using scp after it was built. > > The scp command coming from a remote machine to the OpenSSH machine results > in an error message of "sh: scp: not found". The start-up script for sshd > sets PATH to include /usr/local/bin where scp resides. I also tried adding > an "export PATH" in case that was the problem, but the error persisted. > > I also added /usr/local/bin to the PATH in the .login for root. I also did > the same for each individual user. > > I could solve the problem by linking /usr/local/bin/scp to /usr/bin/scp, but > this seems a fairly ugly solution. > > Do you have any idea why the PATH variable is not picked up sshd (either > from root's PATh or the target user's PATH)? > > Thanks for any input. > > Andrew Sherrod > From rachit at ensim.com Tue Jan 23 09:34:30 2001 From: rachit at ensim.com (Rachit Siamwalla) Date: Mon, 22 Jan 2001 14:34:30 -0800 Subject: Solaris 2.6 problem References: Message-ID: <3A6CB576.A4681B31@ensim.com> perhaps ./configure should pick that up automatically for SunOS. So many people have asked that question and probably countless more (including me) have had the problem and searched the archives for a solution (or did the ugly ln -s solution). I don't know too much about configure or i would submit a patch myself. -rchit mouring at etoh.eviladmin.org wrote: > > Have you tried recompiling with --with-default-path= and ensure that > /usr/local/bin is within that path? > > On Mon, 22 Jan 2001, Sherrod, Andrew wrote: > > > I was building OpenSSH on a Solaris 2.6 machine and found a small problem > > using scp after it was built. > > > > The scp command coming from a remote machine to the OpenSSH machine results > > in an error message of "sh: scp: not found". The start-up script for sshd > > sets PATH to include /usr/local/bin where scp resides. I also tried adding > > an "export PATH" in case that was the problem, but the error persisted. > > > > I also added /usr/local/bin to the PATH in the .login for root. I also did > > the same for each individual user. > > > > I could solve the problem by linking /usr/local/bin/scp to /usr/bin/scp, but > > this seems a fairly ugly solution. > > > > Do you have any idea why the PATH variable is not picked up sshd (either > > from root's PATh or the target user's PATH)? > > > > Thanks for any input. > > > > Andrew Sherrod > > From ishikawa at yk.rim.or.jp Tue Jan 23 09:31:16 2001 From: ishikawa at yk.rim.or.jp (Ishikawa) Date: Tue, 23 Jan 2001 07:31:16 +0900 Subject: Solaris 2.6 problem References: Message-ID: <3A6CB4B4.48909741@yk.rim.or.jp> mouring at etoh.eviladmin.org wrote: > Have you tried recompiling with --with-default-path= and ensure that > /usr/local/bin is within that path? > On Solaris 7, this solved the similar problem I had. I think sshd resets PATH and sets it on its own throwing away the environment setting. Whether having sshd use /usr/local/bin as part of its search PATH is cleaner than having a single symlink /usr/bin/scp -> /usr/local/bin/scp is a matter of question. I chose the --with-default-path setting after pondering for a while. ishikawa From mouring at etoh.eviladmin.org Tue Jan 23 10:41:37 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 22 Jan 2001 17:41:37 -0600 (CST) Subject: Solaris 2.6 problem In-Reply-To: <3A6CB576.A4681B31@ensim.com> Message-ID: On Mon, 22 Jan 2001, Rachit Siamwalla wrote: > perhaps ./configure should pick that up automatically for SunOS. So many > people have asked that question and probably countless more (including > me) have had the problem and searched the archives for a solution (or > did the ugly ln -s solution). > > I don't know too much about configure or i would submit a patch myself. > Umm... No. Configure should however should key off of --prefix= and add in ${PREFIX}/bin to the compiled in path. That I can see and agree, but just to blinding assume 'everyone on XX platform installs this application in /usr/local/bin' is flawed. Because I know on my solaris box I install OpenSSH in /opt/ssh because I personally have a massive dislike for /usr/local/. After installing 40 added packages to make my users happy I end up with a mess. I'd have to look into what this would take. I think the idea may have come out before, but no action was taken on it. - Ben From rachit at ensim.com Tue Jan 23 10:02:05 2001 From: rachit at ensim.com (Rachit Siamwalla) Date: Mon, 22 Jan 2001 15:02:05 -0800 Subject: Solaris 2.6 problem References: Message-ID: <3A6CBBED.EA83EF97@ensim.com> > Configure should however should key off of --prefix= and add in > ${PREFIX}/bin to the compiled in path. That I can see and agree, but > just to blinding assume 'everyone on XX platform installs this application Thats actually a much better solution. It actually solves the problem in a more general case. -rchit From jason at dfmm.org Tue Jan 23 10:30:41 2001 From: jason at dfmm.org (Jason Stone) Date: Mon, 22 Jan 2001 15:30:41 -0800 (PST) Subject: Solaris 2.6 problem In-Reply-To: <3A6CB4B4.48909741@yk.rim.or.jp> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > Have you tried recompiling with --with-default-path= and ensure that > > /usr/local/bin is within that path? > > On Solaris 7, this solved the similar problem I had. > I think sshd resets PATH and sets it on its own > throwing away the environment setting. You could set PATH in $HOME/.ssh/environment - I belive this gets read after the environment is "normalized", but just before the command or shell is run. I agree that the better solution is for configure to include $PREFIX/bin in the default path. -Jason --------------------------- If the Revolution comes to grief, it will be because you and those you lead have become alarmed at your own brutality. --John Gardner -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE6bMKkswXMWWtptckRAhmUAKC5eA1AXt0f97cCJ9Mcx893RF3VeACeODoS 1qnrb4G17lInYIcZGmnWyxI= =+V9I -----END PGP SIGNATURE----- From djm at mindrot.org Tue Jan 23 11:18:34 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 23 Jan 2001 11:18:34 +1100 (EST) Subject: Workaround for hanging shells on exit Message-ID: While browsing through bash's hugh manpage, I noticed that it has a 'huponexit' option which will send SIGHUP to all interactive processes when the shell exits. I have tested this and it does resolve the hanging at logout without causing race conditions. I now have a "shopt -s huponexit" in my /etc/bashrc and it works beautifully. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From mouring at etoh.eviladmin.org Tue Jan 23 12:26:25 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 22 Jan 2001 19:26:25 -0600 (CST) Subject: Workaround for hanging shells on exit In-Reply-To: Message-ID: On Tue, 23 Jan 2001, Damien Miller wrote: > > While browsing through bash's hugh manpage, I noticed that it has a > 'huponexit' option which will send SIGHUP to all interactive processes > when the shell exits. > Works if you don't do: nohup command & exit ..It still hangs.. So it's a solution for the most common case.=) - Ben From tim at multitalents.net Tue Jan 23 11:40:10 2001 From: tim at multitalents.net (Tim Rice) Date: Mon, 22 Jan 2001 16:40:10 -0800 (PST) Subject: Solaris 2.6 problem In-Reply-To: Message-ID: On Mon, 22 Jan 2001 mouring at etoh.eviladmin.org wrote: > On Mon, 22 Jan 2001, Rachit Siamwalla wrote: > > > perhaps ./configure should pick that up automatically for SunOS. So many > > people have asked that question and probably countless more (including > > me) have had the problem and searched the archives for a solution (or > > did the ugly ln -s solution). > > > > I don't know too much about configure or i would submit a patch myself. > > > > Umm... No. > > Configure should however should key off of --prefix= and add in > ${PREFIX}/bin to the compiled in path. That I can see and agree, but > just to blinding assume 'everyone on XX platform installs this application > in /usr/local/bin' is flawed. Because I know on my solaris box I install > OpenSSH in /opt/ssh because I personally have a massive dislike for > /usr/local/. After installing 40 added packages to make my users happy I > end up with a mess. > > I'd have to look into what this would take. I think the idea may have > come out before, but no action was taken on it. It has. I provided a patch a while ago for openssh-2.2.0p1 that was rejected. If you would like to revisit this I'll update my patch for the CVS version. > > - Ben > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From djm at mindrot.org Tue Jan 23 11:39:02 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 23 Jan 2001 11:39:02 +1100 (EST) Subject: Workaround for hanging shells on exit In-Reply-To: Message-ID: On Mon, 22 Jan 2001 mouring at etoh.eviladmin.org wrote: > Works if you don't do: > > nohup command & > exit > > ..It still hangs.. Here you can do: nohup command /dev/null >/dev/null & -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From mouring at etoh.eviladmin.org Tue Jan 23 12:36:35 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 22 Jan 2001 19:36:35 -0600 (CST) Subject: Workaround for hanging shells on exit In-Reply-To: Message-ID: On Tue, 23 Jan 2001, Damien Miller wrote: > On Mon, 22 Jan 2001 mouring at etoh.eviladmin.org wrote: > > > Works if you don't do: > > > > nohup command & > > exit > > > > ..It still hangs.. > > Here you can do: > > nohup command /dev/null >/dev/null & > That works, and acts the way it should (putting the process in the background and letting it run long after the ssh shell has disconnected. - Ben From tim at multitalents.net Tue Jan 23 14:59:36 2001 From: tim at multitalents.net (Tim Rice) Date: Mon, 22 Jan 2001 19:59:36 -0800 (PST) Subject: cc & no 64bit int patches Message-ID: Here are a couple of patches against the CVS (Jan 22 18:41 PST) Some C++ comments found their way into ssh.h The no64.patch puts ifdefs around buffer_get_int64() now in bufaux.[c,h] -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net -------------- next part -------------- --- ssh.h.old Mon Jan 22 18:40:58 2001 +++ ssh.h Mon Jan 22 19:02:02 2001 @@ -25,8 +25,10 @@ # include #endif -//#include "rsa.h" -//#include "cipher.h" +/* +#include "rsa.h" +#include "cipher.h" +*/ /* Cipher used for encrypting authentication files. */ #define SSH_AUTHFILE_CIPHER SSH_CIPHER_3DES -------------- next part -------------- --- bufaux.c.old Mon Jan 22 18:40:22 2001 +++ bufaux.c Mon Jan 22 19:15:04 2001 @@ -152,6 +152,7 @@ return GET_32BIT(buf); } +#ifdef HAVE_U_INT64_T u_int64_t buffer_get_int64(Buffer *buffer) { @@ -159,6 +160,7 @@ buffer_get(buffer, (char *) buf, 8); return GET_64BIT(buf); } +#endif /* * Stores an integer in the buffer in 4 bytes, msb first. @@ -171,6 +173,7 @@ buffer_append(buffer, buf, 4); } +#ifdef HAVE_U_INT64_T void buffer_put_int64(Buffer *buffer, u_int64_t value) { @@ -178,6 +181,7 @@ PUT_64BIT(buf, value); buffer_append(buffer, buf, 8); } +#endif /* * Returns an arbitrary binary string from the buffer. The string cannot --- bufaux.h.old Mon Jan 22 18:40:22 2001 +++ bufaux.h Mon Jan 22 19:10:22 2001 @@ -31,11 +31,15 @@ /* Returns an integer from the buffer (4 bytes, msb first). */ u_int buffer_get_int(Buffer * buffer); +#ifdef HAVE_U_INT64_T u_int64_t buffer_get_int64(Buffer *buffer); +#endif /* Stores an integer in the buffer in 4 bytes, msb first. */ void buffer_put_int(Buffer * buffer, u_int value); +#ifdef HAVE_U_INT64_T void buffer_put_int64(Buffer *buffer, u_int64_t value); +#endif /* Returns a character from the buffer (0 - 255). */ int buffer_get_char(Buffer * buffer); --- defines.h.old Mon Jan 22 18:40:32 2001 +++ defines.h Mon Jan 22 19:45:41 2001 @@ -171,20 +171,22 @@ #ifndef HAVE_INT64_T # if (SIZEOF_LONG_INT == 8) typedef long int int64_t; +# define HAVE_INT64_T 1 # else # if (SIZEOF_LONG_LONG_INT == 8) typedef long long int int64_t; -# define HAVE_INTXX_T 1 +# define HAVE_INT64_T 1 # endif # endif #endif #ifndef HAVE_U_INT64_T # if (SIZEOF_LONG_INT == 8) typedef unsigned long int u_int64_t; +# define HAVE_U_INT64_T 1 # else # if (SIZEOF_LONG_LONG_INT == 8) typedef unsigned long long int u_int64_t; -# define HAVE_U_INTXX_T 1 +# define HAVE_U_INT64_T 1 # endif # endif #endif From tim at multitalents.net Tue Jan 23 16:57:16 2001 From: tim at multitalents.net (Tim Rice) Date: Mon, 22 Jan 2001 21:57:16 -0800 (PST) Subject: SCO Open Server 3 In-Reply-To: Message-ID: CVS (Jan 22 18:41 PST) Here is a small patch to build on SCO Open Server 3 Patched version of fake-regex.h works. Added an #ifdef S_IFSOCK to bsd-strmode.c Added -lintl to *-*-sco3.2v4*) LIBS list for strftime() in sftp-server.c -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net -------------- next part -------------- --- configure.in.old Mon Jan 22 18:40:30 2001 +++ configure.in Mon Jan 22 21:46:58 2001 @@ -211,7 +211,7 @@ LDFLAGS="$LDFLAGS -L/usr/local/lib" MANTYPE='$(CATMAN)' mansubdir=cat - LIBS="$LIBS -lgen -lsocket -los -lprot -lx -ltinfo -lm" + LIBS="$LIBS -lgen -lsocket -los -lprot -lx -ltinfo -lm -lintl" no_dev_ptmx=1 RANLIB=true AC_DEFINE(BROKEN_SYS_TERMIO_H) --- bsd-strmode.c.old Wed Jan 17 18:04:35 2001 +++ bsd-strmode.c Mon Jan 22 20:11:52 2001 @@ -64,9 +64,11 @@ case S_IFLNK: /* symbolic link */ *p++ = 'l'; break; +#ifdef S_IFSOCK case S_IFSOCK: /* socket */ *p++ = 's'; break; +#endif #ifdef S_IFIFO case S_IFIFO: /* fifo */ *p++ = 'p'; --- fake-regex.h.old Fri Jan 19 09:11:43 2001 +++ fake-regex.h Mon Jan 22 21:26:21 2001 @@ -37,13 +37,12 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * @(#)regex.h 8.1 (Berkeley) 6/2/93 + * @(#)regex.h 8.2 (Berkeley) 1/3/94 */ #ifndef _REGEX_H_ #define _REGEX_H_ -#include #include /* types */ @@ -99,12 +98,14 @@ #define REG_LARGE 01000 /* force large representation */ #define REG_BACKR 02000 /* force use of backref code */ -__BEGIN_DECLS -int regcomp __P((regex_t *, const char *, int)); -size_t regerror __P((int, const regex_t *, char *, size_t)); -int regexec __P((const regex_t *, - const char *, size_t, regmatch_t [], int)); -void regfree __P((regex_t *)); -__END_DECLS - +#ifdef __cplusplus +extern "C" { +#endif +int regcomp(regex_t*, const char*, int); +size_t regerror(int, const regex_t*, char*, size_t); +int regexec(const regex_t*, const char*, size_t, regmatch_t[], int); +void regfree(regex_t*); +#ifdef __cplusplus +} +#endif #endif /* !_REGEX_H_ */ From pekkas at netcore.fi Tue Jan 23 18:08:21 2001 From: pekkas at netcore.fi (Pekka Savola) Date: Tue, 23 Jan 2001 09:08:21 +0200 (EET) Subject: Workaround for hanging shells on exit In-Reply-To: Message-ID: On Mon, 22 Jan 2001 mouring at etoh.eviladmin.org wrote: > On Tue, 23 Jan 2001, Damien Miller wrote: > > > > > While browsing through bash's hugh manpage, I noticed that it has a > > 'huponexit' option which will send SIGHUP to all interactive processes > > when the shell exits. > > > > Works if you don't do: > > nohup command & > exit > > ..It still hangs.. > > So it's a solution for the most common case.=) ^^^^^^^^ Plrase, 'workaround' or 'hack', not the solution. :-/ -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From roumen.petrov at skalasoft.com Tue Jan 23 18:49:59 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Tue, 23 Jan 2001 09:49:59 +0200 Subject: Solaris 2.6 problem References: <3A6CB576.A4681B31@ensim.com> Message-ID: <3A6D37A7.4090902@skalasoft.com> Rachit Siamwalla wrote: > perhaps ./configure should pick that up automatically for SunOS. So many > people have asked that question and probably countless more (including > me) have had the problem and searched the archives for a solution (or > did the ugly ln -s solution). > > I don't know too much about configure or i would submit a patch myself. > > -rchit put AC_PROG_LN_S in configure.in run autoconf replace in Makefile.in all commands [ln -s ......] with [$(LN_S) ......] run './config.status' or './configure ......' From douglas.manton at uk.ibm.com Tue Jan 23 20:02:36 2001 From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com) Date: Tue, 23 Jan 2001 09:02:36 +0000 Subject: sshd hanging after multiple successive logons Message-ID: <802569DD.0031AE02.00@d06mta05.portsmouth.uk.ibm.com> Folks, I use OpenSSH to poll a number of remote servers once every five minutes and obtain a number of attributes. This is done using ssh as "sexec": ssh stats at remotehost getstats This returns the output of the getstats program which is parsed, etc... The problem is that after so many connections, the parent sshd hangs and does not accept any more connections. I have reproduced the problem using a simple shell script on my local machine: while sleep 1 do ssh me at localhost whoami done This iterates about 4000 times before sshd hangs. I can see that sshd is waiting in _pthread_waitlock when it has hung. It actually decreases the CPU time when in this state. I can conenct to the daemon on port 22 but it does not present the version string. I realise that 4000 connections is not bad, but at five minute intervals over 100 machines this is happening every couple of days. I am running OpenSSH 2.3.0p1 under AIX 4.3.3.0-ML6, compiled with IBM VAC v5. Any ideas? Has this been seen. I can reproduce it every time. When I get a chance I will test the build on my Ultra 10. Many thanks, -------------------------------------------------------- Doug Manton, AT&T EMEA Firewall and Security Solutions demanton at att.com -------------------------------------------------------- "If privacy is outlawed, only outlaws will have privacy" From roumen.petrov at skalasoft.com Tue Jan 23 22:42:00 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Tue, 23 Jan 2001 13:42:00 +0200 Subject: sshd hanging after multiple successive logons References: <802569DD.0031AE02.00@d06mta05.portsmouth.uk.ibm.com> Message-ID: <3A6D6E08.2080207@skalasoft.com> What is value of MaxStartups in sshd_config ? douglas.manton at uk.ibm.com wrote: > > > Folks, > > I use OpenSSH to poll a number of remote servers once every five minutes > and obtain a number of attributes. This is done using ssh as "sexec": > > ssh stats at remotehost getstats > > This returns the output of the getstats program which is parsed, etc... > > The problem is that after so many connections, the parent sshd hangs and > does not accept any more connections. I have reproduced the problem using > a simple shell script on my local machine: > > while sleep 1 > do > ssh me at localhost whoami > done > > This iterates about 4000 times before sshd hangs. I can see that sshd is > waiting in _pthread_waitlock when it has hung. It actually decreases the > CPU time when in this state. I can conenct to the daemon on port 22 but > it does not present the version string. > > I realise that 4000 connections is not bad, but at five minute intervals > over 100 machines this is happening every couple of days. > > I am running OpenSSH 2.3.0p1 under AIX 4.3.3.0-ML6, compiled with IBM VAC > v5. > > Any ideas? Has this been seen. I can reproduce it every time. When I > get a chance I will test the build on my Ultra 10. > > Many thanks, > -------------------------------------------------------- > Doug Manton, AT&T EMEA Firewall and Security Solutions > > demanton at att.com > -------------------------------------------------------- > "If privacy is outlawed, only outlaws will have privacy" From djm at mindrot.org Tue Jan 23 22:52:18 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 23 Jan 2001 22:52:18 +1100 (EST) Subject: sshd hanging after multiple successive logons In-Reply-To: <802569DD.0031AE02.00@d06mta05.portsmouth.uk.ibm.com> Message-ID: On Tue, 23 Jan 2001 douglas.manton at uk.ibm.com wrote: > The problem is that after so many connections, the parent sshd hangs and > does not accept any more connections. I have reproduced the problem using > a simple shell script on my local machine: I am running something similar now (770 connections and counting). What version of OpenSSH are you running? If you can, please try the snapshot[1] and see if that resolves the problem. If you can run sshd under a debugger, try sending it an ABRT signal when it locks and see where it was stuck. Regards, Damien -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From douglas.manton at uk.ibm.com Tue Jan 23 22:57:46 2001 From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com) Date: Tue, 23 Jan 2001 11:57:46 +0000 Subject: sshd hanging after multiple successive logons Message-ID: <802569DD.0041B8AD.00@d06mta05.portsmouth.uk.ibm.com> > What is value of MaxStartups in sshd_config ? This is left at the default. The connections are being successfully authenticated and each one is terminated before the next one is made -- so this _should_ have no effect. The annoying part is that if sshd were to completely die, it would be automatically restarted by the AIX system resource controller daemon. But because it is still a valid process... Best wishes, -------------------------------------------------------- Doug Manton, AT&T EMEA Firewall and Security Solutions E: demanton at att.com -------------------------------------------------------- "If privacy is outlawed, only outlaws will have privacy" From roumen.petrov at skalasoft.com Tue Jan 23 23:24:22 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Tue, 23 Jan 2001 14:24:22 +0200 Subject: SCO Open Server 3 References: Message-ID: <3A6D77F6.3020001@skalasoft.com> Tim Rice wrote: > CVS (Jan 22 18:41 PST) > > Here is a small patch to build on SCO Open Server 3 ........... > Added -lintl to *-*-sco3.2v4*) LIBS list for strftime() in sftp-server.c NO! Add macro AC_FUNC_STRFTIME in configure.in > ........... From djm at mindrot.org Tue Jan 23 23:27:44 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 23 Jan 2001 23:27:44 +1100 (EST) Subject: sshd hanging after multiple successive logons In-Reply-To: Message-ID: On Tue, 23 Jan 2001, Damien Miller wrote: > On Tue, 23 Jan 2001 douglas.manton at uk.ibm.com wrote: > > > The problem is that after so many connections, the parent sshd hangs and > > does not accept any more connections. I have reproduced the problem using > > a simple shell script on my local machine: > > I am running something similar now (770 connections and counting). > > What version of OpenSSH are you running? If you can, please try the > snapshot[1] and see if that resolves the problem. oops [1] www.openssh.com/portable.html -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From tlewis at secureworks.net Wed Jan 24 02:23:45 2001 From: tlewis at secureworks.net (Todd Lewis) Date: Tue, 23 Jan 2001 10:23:45 -0500 (EST) Subject: Workaround for hanging shells on exit In-Reply-To: Message-ID: Under zsh, which has many advantages over bash, you can just do: % command &! % exit and the shell takes care of all of this for you. -- Todd Lewis tlewis at secureworks.net God grant me the courage not to give up what I think is right, even though I think it is hopeless. - Admiral Chester W. Nimitz On Mon, 22 Jan 2001 mouring at etoh.eviladmin.org wrote: > On Tue, 23 Jan 2001, Damien Miller wrote: > > > On Mon, 22 Jan 2001 mouring at etoh.eviladmin.org wrote: > > > > > Works if you don't do: > > > > > > nohup command & > > > exit > > > > > > ..It still hangs.. > > > > Here you can do: > > > > nohup command /dev/null >/dev/null & > > > That works, and acts the way it should (putting the process in the > background and letting it run long after the ssh shell has disconnected. > > - Ben > From mouring at etoh.eviladmin.org Wed Jan 24 04:22:10 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 23 Jan 2001 11:22:10 -0600 (CST) Subject: cc & no 64bit int patches In-Reply-To: Message-ID: On Mon, 22 Jan 2001, Tim Rice wrote: > > Here are a couple of patches against the CVS (Jan 22 18:41 PST) > > Some C++ comments found their way into ssh.h > Removed by Markus > The no64.patch puts ifdefs around buffer_get_int64() > now in bufaux.[c,h] > Applied. From tim at multitalents.net Wed Jan 24 04:28:15 2001 From: tim at multitalents.net (Tim Rice) Date: Tue, 23 Jan 2001 09:28:15 -0800 (PST) Subject: SCO Open Server 3 In-Reply-To: <3A6D77F6.3020001@skalasoft.com> Message-ID: On Tue, 23 Jan 2001, Roumen Petrov wrote: > Tim Rice wrote: > > > CVS (Jan 22 18:41 PST) > > > > Here is a small patch to build on SCO Open Server 3 > ........... > > > Added -lintl to *-*-sco3.2v4*) LIBS list for strftime() in sftp-server.c > > NO! Add macro AC_FUNC_STRFTIME in configure.in Oops. OH, here is the revised patch. > > > > ........... > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net -------------- next part -------------- --- configure.in.old Mon Jan 22 18:40:30 2001 +++ configure.in Tue Jan 23 08:52:15 2001 @@ -367,6 +367,8 @@ AC_FUNC_GETPGRP +AC_FUNC_STRFTIME + # Check for PAM libs PAM_MSG="no" AC_ARG_WITH(pam, --- bsd-strmode.c.old Wed Jan 17 18:04:35 2001 +++ bsd-strmode.c Mon Jan 22 20:11:52 2001 @@ -64,9 +64,11 @@ case S_IFLNK: /* symbolic link */ *p++ = 'l'; break; +#ifdef S_IFSOCK case S_IFSOCK: /* socket */ *p++ = 's'; break; +#endif #ifdef S_IFIFO case S_IFIFO: /* fifo */ *p++ = 'p'; --- fake-regex.h.old Fri Jan 19 09:11:43 2001 +++ fake-regex.h Mon Jan 22 21:26:21 2001 @@ -37,13 +37,12 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * @(#)regex.h 8.1 (Berkeley) 6/2/93 + * @(#)regex.h 8.2 (Berkeley) 1/3/94 */ #ifndef _REGEX_H_ #define _REGEX_H_ -#include #include /* types */ @@ -99,12 +98,14 @@ #define REG_LARGE 01000 /* force large representation */ #define REG_BACKR 02000 /* force use of backref code */ -__BEGIN_DECLS -int regcomp __P((regex_t *, const char *, int)); -size_t regerror __P((int, const regex_t *, char *, size_t)); -int regexec __P((const regex_t *, - const char *, size_t, regmatch_t [], int)); -void regfree __P((regex_t *)); -__END_DECLS - +#ifdef __cplusplus +extern "C" { +#endif +int regcomp(regex_t*, const char*, int); +size_t regerror(int, const regex_t*, char*, size_t); +int regexec(const regex_t*, const char*, size_t, regmatch_t[], int); +void regfree(regex_t*); +#ifdef __cplusplus +} +#endif #endif /* !_REGEX_H_ */ From douglas.manton at uk.ibm.com Wed Jan 24 04:51:01 2001 From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com) Date: Tue, 23 Jan 2001 17:51:01 +0000 Subject: sshd hanging after multiple successive logons Message-ID: <802569DD.00620F4C.00@d06mta05.portsmouth.uk.ibm.com> Damien, I am still running the test, so haven't had a chance to test the snapshot yet. Will do after I have investigated the following: I have found a clue in my syslog: Jan 22 18:33:00 myserver sshd[30586]: Accepted rsa for myuser from 10.0.0.1 port 57453 Jan 22 18:33:03 myserver sshd[30632]: Accepted rsa for myuser from 10.0.0.1 port 57454 Jan 22 18:33:05 myserver sshd[30678]: Accepted rsa for myuser from 10.0.0.1 port 57455 Jan 22 18:33:07 myserver sshd[30468]: Accepted rsa for myuser from 10.0.0.1 port 57456 Jan 22 18:33:09 myserver sshd[30514]: Accepted rsa for myuser from 10.0.0.1 port 57457 Jan 22 18:33:11 myserver sshd[20990]: Generating new 768 bit RSA key. Jan 22 18:33:11 myserver sshd[30560]: Accepted rsa for myuser from 10.0.0.1 port 57458 Jan 23 08:56:16 myserver sshd[25084]: Server listening on 0.0.0.0 port 22. Jan 23 08:56:16 myserver sshd[25084]: Generating 768 bit RSA key. Jan 23 08:56:18 myserver sshd[25084]: RSA key generation complete. Note how the daemon hangs when the user connects to the second a new RSA key is generated. The key generation never completes. The morning entry was my killing and restarting of the daemon. Coincidence? Many thanks, -------------------------------------------------------- Doug Manton, AT&T EMEA Firewall and Security Solutions E: demanton at att.com -------------------------------------------------------- "If privacy is outlawed, only outlaws will have privacy" On Tue, 23 Jan 2001, Damien Miller wrote: > On Tue, 23 Jan 2001 douglas.manton at uk.ibm.com wrote: > > > The problem is that after so many connections, the parent sshd hangs and > > does not accept any more connections. I have reproduced the problem using > > a simple shell script on my local machine: > > I am running something similar now (770 connections and counting). > > What version of OpenSSH are you running? If you can, please try the > snapshot[1] and see if that resolves the problem. From Darren.Moffat at eng.sun.com Wed Jan 24 05:12:16 2001 From: Darren.Moffat at eng.sun.com (Darren Moffat) Date: Tue, 23 Jan 2001 10:12:16 -0800 (PST) Subject: /etc/nologin and Solaris PAM bug Message-ID: <200101231812.f0NICG9440793@jurassic.eng.sun.com> First one nit, there is no Bug in Solaris with respect to nologin, just a different mechanism to what you get under the distributions of Linux that have PAM support and ship a pam_nologin. On Solaris /etc/nologin is checked directly by /bin/login and dtlogin. >Now that seems like it's probably the right way to handle /etc/nologin I would agree that using PAM to check nologin is a better method, but not doing so is not a bug in Solaris. >under PAM authenticated linux systems, however there's one problem: Sun >doesn't ship SunOS with a pam_nologin.so module. pam_unix.so authenticates >the user, and since openssh is told not to look for /etc/nologin, it lets >the user log in. This was exactly the rational for not having PAM be enabled by default. >I could fix this by having sshd use /bin/login, but I'd really rather not. >I just removed the "#ifndef USE_PAM" and "#endif /* USE_PAM */" lines and >it worked fine. I'm not suggesting that as the fix for the bug, but it >certainly works. The problem here is there is a large (an IMO increasing) overlap between stuff being done inside sshd and stuff that really should be done by PAM on systems that have it - eg the group access stuff is perfect for a PAM module. Problem here is that while the PAM framework is (almost) the same on all platforms the available modules is very different. This makes it very difficult to choose what to compile directly into the sshd program and what to expect PAM to beable to check. As for the particular case of nologin then I am fully aware of it and hope to have a PAM module will do this check in some future release of Solaris. (The code is written it is proccess and testing that needs done, not this is not an Engineering comittment to actuall provide this, just a heads up that we are aware of it and could do it if we get approval). >Besides, I can't see the harm in having sshd check /etc/nologin even if >there is a pam_nologin module that's supposed to check for it. I'd view >it as an extra guarantee that /etc/nologin really means no logins even if >some script kiddie or incompetent admin has been playing around with the >system's PAM configuration. I would treat this in a similar way to /etc/motd, ie add an sshd_config file option for it so that the server can be set to check it for systems that don't do it in PAM and set not to for those that do. It then reduces the problem to a default config issue for distribution builders. This is better than SSHD always checking it even if PAM is going to check it again later (Race conditions, slightly differing symantics etc etc), otherwise you will get someone complaining that it checks it twice and it is slowing down their login (believe me I've had reports like this from customers before for telnet!). -- Darren J Moffat From mouring at etoh.eviladmin.org Wed Jan 24 09:32:25 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 23 Jan 2001 16:32:25 -0600 (CST) Subject: CuteFTP and sftp. Message-ID: For those who did not get the annoucement. CuteFTP is now claiming to support sftp as stated in the RFC. And at first glace it *SORTA* works.=) I can upload files, but the directory listings are broken (it does not display anything) and as a result download won't work (since cuteftp rquires the file to be in the directory listing to get). I'm going to back down a releas of sftp-server.c when I get home and test, and talk to the CuteFTP folks. Just thought I'd give everyone's a heads up in case someone wanders in looking for help on the topic. Markus, is sftp suppose to support multiple active transfers at once? I was able to get CuteFTP to send two files at the same time. - Ben From mouring at etoh.eviladmin.org Wed Jan 24 10:36:09 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 23 Jan 2001 17:36:09 -0600 (CST) Subject: CuteFTP and sftp. In-Reply-To: Message-ID: On Tue, 23 Jan 2001 mouring at etoh.eviladmin.org wrote: > > For those who did not get the annoucement. CuteFTP is now claiming to > support sftp as stated in the RFC. And at first glace it *SORTA* works.=) > > I can upload files, but the directory listings are broken (it does not > display anything) and as a result download won't work (since cuteftp > rquires the file to be in the directory listing to get). I'm going to > back down a releas of sftp-server.c when I get home and test, and talk to > the CuteFTP folks. Just thought I'd give everyone's a heads up in case > someone wanders in looking for help on the topic. > > Ermm.. Strike that.. I had an older version of sftp-server in place since we originally installed stuff to libexec/ssh/. It seems to upload and download just fine. So that is good.. Finally a quality sftp client for windows.=) From irving at samurai.sfo.dead-dog.com Wed Jan 24 10:02:43 2001 From: irving at samurai.sfo.dead-dog.com (Irving Popovetsky) Date: Tue, 23 Jan 2001 15:02:43 -0800 Subject: CuteFTP and sftp. In-Reply-To: ; from mouring@etoh.eviladmin.org on Tue, Jan 23, 2001 at 05:36:09PM -0600 References: Message-ID: <20010123150242.A30910@samurai.sfo.dead-dog.com> I don't know what pricing on CuteFTP is, but SecureFX (www.vandyke.com) has been doing that for a while now. It does sftp and ftp-over-ssh, both of which work great on OpenSSH. Cool thing about SecureFX is the directory sync feature, where it can sync up a local directory tree to a remote one. -Irving On Tue, Jan 23, 2001 at 05:36:09PM -0600, mouring at etoh.eviladmin.org wrote: > On Tue, 23 Jan 2001 mouring at etoh.eviladmin.org wrote: > > > > > For those who did not get the annoucement. CuteFTP is now claiming to > > support sftp as stated in the RFC. And at first glace it *SORTA* works.=) > > > > I can upload files, but the directory listings are broken (it does not > > display anything) and as a result download won't work (since cuteftp > > rquires the file to be in the directory listing to get). I'm going to > > back down a releas of sftp-server.c when I get home and test, and talk to > > the CuteFTP folks. Just thought I'd give everyone's a heads up in case > > someone wanders in looking for help on the topic. > > > > > Ermm.. Strike that.. I had an older version of sftp-server in place since > we originally installed stuff to libexec/ssh/. It seems to upload and > download just fine. > > So that is good.. Finally a quality sftp client for windows.=) > From mouring at etoh.eviladmin.org Wed Jan 24 11:42:18 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Tue, 23 Jan 2001 18:42:18 -0600 (CST) Subject: CuteFTP and sftp. In-Reply-To: <20010123150242.A30910@samurai.sfo.dead-dog.com> Message-ID: On Tue, 23 Jan 2001, Irving Popovetsky wrote: > I don't know what pricing on CuteFTP is, but SecureFX (www.vandyke.com) > has been doing that for a while now. It does sftp and ftp-over-ssh, both > of which work great on OpenSSH. > Current CuteFTP Pro price is $49 > Cool thing about SecureFX is the directory sync feature, where it can sync > up a local directory tree to a remote one. > Same feature exists in CuteFTP. From roumen.petrov at skalasoft.com Wed Jan 24 19:08:45 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Wed, 24 Jan 2001 10:08:45 +0200 Subject: SCO Open Server 3 References: Message-ID: <3A6E8D8D.9000600@skalasoft.com> Tim Rice wrote: > On Tue, 23 Jan 2001, Roumen Petrov wrote: ... >> Tim Rice wrote: ... >>> Added -lintl to *-*-sco3.2v4*) LIBS list for strftime() in sftp-server.c >> >> NO! Add macro AC_FUNC_STRFTIME in configure.in ... > ... here is the revised patch. patch + commands - autoheader - ./config.status ( for existing build ) or ./configure ... From roumen.petrov at skalasoft.com Wed Jan 24 19:22:22 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Wed, 24 Jan 2001 10:22:22 +0200 Subject: SCO Open Server 3 References: <3A6E8D8D.9000600@skalasoft.com> Message-ID: <3A6E90BE.20006@skalasoft.com> Roumen Petrov wrote: > > patch + commands > - autoheader autoconf > - ./config.status ( for existing build ) or ./configure ... From roumen.petrov at skalasoft.com Wed Jan 24 19:58:04 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Wed, 24 Jan 2001 10:58:04 +0200 Subject: SCO Open Server 3 References: <3A6E8D8D.9000600@skalasoft.com> <3A6E90BE.20006@skalasoft.com> Message-ID: <3A6E991C.8000005@skalasoft.com> Roumen Petrov wrote: > Roumen Petrov wrote: .... >> - ./config.status ( for existing build ) or ./configure ... oops ./config.status --recheck ( for existing build ) or ./configure ... From stevesk at sweden.hp.com Wed Jan 24 23:03:06 2001 From: stevesk at sweden.hp.com (Kevin Steves) Date: Wed, 24 Jan 2001 13:03:06 +0100 (MET) Subject: error: getnameinfo failed In-Reply-To: <20010122172606A.hideo@yamato.ibm.com> Message-ID: On Mon, 22 Jan 2001, Suzuki Hideo wrote: : I installed openssh-2.3.0p1 on AIX 4.3.3. However, I have a problem like below and I cannot start sshd. : : # /usr/local/sbin/sshd -d : debug1: sshd version OpenSSH_2.3.0p1 : debug1: Seeded RNG with 33 bytes from programs : debug1: Seeded RNG with 3 bytes from system calls : debug1: read DSA private key done : debug1: Seeded RNG with 33 bytes from programs : debug1: Seeded RNG with 3 bytes from system calls : error: getnameinfo failed : fatal: Cannot bind any address. : debug1: Calling cleanup 0x20023dc4(0x0) : debug1: writing PRNG seed to file //.ssh/prng_seed : # : : I had no compilation error when I compiled openssh2.3.0p1. Please help me if someone know the solution. does aix HAVE_GETNAMEINFO? what is your ListenAddress configuration? can you try this patch and see what the error message is? Index: sshd.c =================================================================== RCS file: /var/cvs/openssh/sshd.c,v retrieving revision 1.112 diff -u -r1.112 sshd.c --- sshd.c 2001/01/23 03:12:10 1.112 +++ sshd.c 2001/01/24 11:57:25 @@ -812,15 +812,17 @@ generate_empheral_server_key(); } else { for (ai = options.listen_addrs; ai; ai = ai->ai_next) { + int gaierr; if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) continue; if (num_listen_socks >= MAX_LISTEN_SOCKS) fatal("Too many listen sockets. " "Enlarge MAX_LISTEN_SOCKS"); - if (getnameinfo(ai->ai_addr, ai->ai_addrlen, + if ((gaierr = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), strport, sizeof(strport), - NI_NUMERICHOST|NI_NUMERICSERV) != 0) { - error("getnameinfo failed"); + NI_NUMERICHOST|NI_NUMERICSERV)) != 0) { + error("main: getnameinfo failed %.100s", + gai_strerror(gaierr)); continue; } /* Create socket for listening. */ From Markus.Friedl at informatik.uni-erlangen.de Thu Jan 25 02:20:13 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 24 Jan 2001 16:20:13 +0100 Subject: CuteFTP and sftp. In-Reply-To: ; from mouring@etoh.eviladmin.org on Tue, Jan 23, 2001 at 04:32:25PM -0600 References: Message-ID: <20010124162013.A20634@faui02.informatik.uni-erlangen.de> On Tue, Jan 23, 2001 at 04:32:25PM -0600, mouring at etoh.eviladmin.org wrote: > For those who did not get the annoucement. CuteFTP is now claiming to > support sftp as stated in the RFC. And at first glace it *SORTA* works.=) could you send me the annoucement+url, please. > I can upload files, but the directory listings are broken (it does not > someone wanders in looking for help on the topic. do you have debugging output from sftp-server? > Markus, is sftp suppose to support multiple active transfers at once? I > was able to get CuteFTP to send two files at the same time. i don't know what CuteFTP does. openssh's sshd allows 10 concurrent sessions over a single ssh connection. e.g. with ssh.com's windows client you can authenticate and click on new terminal window and new file transfer several times. this is all multiplexed over a single ssh connection. however, it's also possible that the sftp client sends mutiple open and read request, since the request contain identifiers. the same identifiers are used in the replies. -markus From mouring at etoh.eviladmin.org Thu Jan 25 04:24:29 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 24 Jan 2001 11:24:29 -0600 (CST) Subject: CuteFTP and sftp. In-Reply-To: <20010124162013.A20634@faui02.informatik.uni-erlangen.de> Message-ID: > > Markus, is sftp suppose to support multiple active transfers at once? I > > was able to get CuteFTP to send two files at the same time. > > i don't know what CuteFTP does. > openssh's sshd allows 10 concurrent sessions over a single ssh > connection. e.g. with ssh.com's windows client you can authenticate > and click on new terminal window and new file transfer several > times. this is all multiplexed over a single ssh connection. > > however, it's also possible that the sftp client sends > mutiple open and read request, since the request contain > identifiers. the same identifiers are used in the replies. > I played with this at some lengths last night (mainly to write a personal patch to mimic ftp's /etc/shells feature). The behavior (from a bystanders view) is that when you transfer multiple files (I never did more then around 4 at a time.) it spawns off a new sshd and sftp-server per sftp. It will hold on them until you close the connection in the CuteFTP client. Unsure if that is the same thing ssh.com's client does (since I don't normally use it). - Ben From andrew.sherrod at tfn.com Thu Jan 25 04:07:06 2001 From: andrew.sherrod at tfn.com (Sherrod, Andrew) Date: Wed, 24 Jan 2001 12:07:06 -0500 Subject: Solaris 2.6 Bug part 2 Message-ID: I took the advice from this list and a website I found and tried to build Openssh after running: -with-default-path=/bin:/usr/bin:/usr/local/bin It did not appear to fix my scp problem. I then gave the configure script a very cursory reading, and decided to try "--without-default-path". That is where the bug appears. Running just ./configure or ./configure with the default path option worked fine. Make ran without event. After running --without-default-path, the Makefile had no value at all set for $AR which broke the Makefile. (It is easily enough filled by manually changing "AR=" to "AR=ar", but it is annoying.) Any idea why this is broken, or why the --with-default-path=... doesn't let sshd find my /usr/local/bin/scp? Thanks for all the help. Andrew Sherrod From andrew.sherrod at tfn.com Thu Jan 25 04:45:46 2001 From: andrew.sherrod at tfn.com (Sherrod, Andrew) Date: Wed, 24 Jan 2001 12:45:46 -0500 Subject: FW: Solaris 2.6 Bug part 2 Message-ID: Forget the first half of this email, I ran "make clean" in the wrong directory. The problem with $AR not being set is unrelated to this mistake, so it is still a real bug. Thanks again. I now have scp working properly. Andrew Sherrod -----Original Message----- From: Sherrod, Andrew To: 'openssh at openssh.com' Cc: McNamara, Geoff Sent: 1/24/01 12:07 PM Subject: Solaris 2.6 Bug part 2 I took the advice from this list and a website I found and tried to build Openssh after running: -with-default-path=/bin:/usr/bin:/usr/local/bin It did not appear to fix my scp problem. I then gave the configure script a very cursory reading, and decided to try "--without-default-path". That is where the bug appears. Running just ./configure or ./configure with the default path option worked fine. Make ran without event. After running --without-default-path, the Makefile had no value at all set for $AR which broke the Makefile. (It is easily enough filled by manually changing "AR=" to "AR=ar", but it is annoying.) Any idea why this is broken, or why the --with-default-path=... doesn't let sshd find my /usr/local/bin/scp? Thanks for all the help. Andrew Sherrod From mouring at etoh.eviladmin.org Thu Jan 25 12:02:43 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 24 Jan 2001 19:02:43 -0600 (CST) Subject: SCO Open Server 3 In-Reply-To: Message-ID: Outside the AC_FUNC_STRFTIME macro in configure.in (which I just commited) what other issues are outstanding for the SCO platforms (ignoring sftp-server for the time being). - Ben From murray at dcci.cc Thu Jan 25 12:40:41 2001 From: murray at dcci.cc (Murray Hooper) Date: Wed, 24 Jan 2001 20:40:41 -0500 Subject: First attempt at anoncvs to checkout openssh In-Reply-To: Message-ID: Folks: I have cvs loaded on a SCO OpenServer 5.0.5 box. I am trying to get openssh from Alberta (anoncvs at anoncvs.anoncvsl.ca.openbsd.org:/cvs) When I do the checkout, I get "broken pipe" error. I have set CVSROOT SHELL=/bin/rsh what am I missing, once I have ssh compiled and installed I will switch download method but until then... thank you murray From djm at mindrot.org Thu Jan 25 15:13:31 2001 From: djm at mindrot.org (Damien Miller) Date: Thu, 25 Jan 2001 15:13:31 +1100 (EST) Subject: First attempt at anoncvs to checkout openssh In-Reply-To: Message-ID: On Wed, 24 Jan 2001, Murray Hooper wrote: > Folks: > > I have cvs loaded on a SCO OpenServer 5.0.5 box. > > I am trying to get openssh from Alberta > (anoncvs at anoncvs.anoncvsl.ca.openbsd.org:/cvs) If you want to obtain the portable release via CVS, look at the instructions here: www.openssh.com/portable.html -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From roumen.petrov at skalasoft.com Thu Jan 25 19:27:12 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Thu, 25 Jan 2001 10:27:12 +0200 Subject: about sftp-server.c from CVS 25 jan 2001 References: Message-ID: <3A6FE360.4080309@skalasoft.com> diff : ... - ret = chmod(name, a->perm & 077); + ret = chmod(name, a->perm & 0777); slackware has in sys/stat.h ..... # define ACCESSPERMS (S_IRWXU|S_IRWXG|S_IRWXO) /* 0777 */ ..... idea: add to defines.h lines like this: #ifndef ACCESSPERMS # define ACCESSPERMS (S_IRWXU|S_IRWXG|S_IRWXO) /* 0777 */ #endif pleace use in authfile.c and sftp-server.c this define instead of 0777 ! From Florian.Weimer at RUS.Uni-Stuttgart.DE Thu Jan 25 23:44:06 2001 From: Florian.Weimer at RUS.Uni-Stuttgart.DE (Florian Weimer) Date: 25 Jan 2001 13:44:06 +0100 Subject: First attempt at anoncvs to checkout openssh In-Reply-To: References: Message-ID: Damien Miller writes: > If you want to obtain the portable release via CVS, look at the > instructions here: > > www.openssh.com/portable.html BTW: This patch has some instructions for patch submission, but doesn't mention an actual address to which patches should be sent. -- Florian Weimer Florian.Weimer at RUS.Uni-Stuttgart.DE University of Stuttgart http://cert.uni-stuttgart.de/ RUS-CERT +49-711-685-5973/fax +49-711-685-5898 From mouring at etoh.eviladmin.org Fri Jan 26 01:06:20 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 25 Jan 2001 08:06:20 -0600 (CST) Subject: First attempt at anoncvs to checkout openssh In-Reply-To: Message-ID: On 25 Jan 2001, Florian Weimer wrote: > Damien Miller writes: > > > If you want to obtain the portable release via CVS, look at the > > instructions here: > > > > www.openssh.com/portable.html > > BTW: This patch has some instructions for patch submission, but doesn't > mention an actual address to which patches should be sent. > Patchs can be sent to this list. If they add new functionality then you should cc: openssh at openbsd.org - Ben From mouring at etoh.eviladmin.org Fri Jan 26 01:09:44 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 25 Jan 2001 08:09:44 -0600 (CST) Subject: about sftp-server.c from CVS 25 jan 2001 In-Reply-To: <3A6FE360.4080309@skalasoft.com> Message-ID: On Thu, 25 Jan 2001, Roumen Petrov wrote: > > diff : > ... > - ret = chmod(name, a->perm & 077); > + ret = chmod(name, a->perm & 0777); > This was pointed out and already corrected. > slackware has in sys/stat.h Not sure what your getting at. Is ./configure misdetecting this? - Ben From roumen.petrov at skalasoft.com Fri Jan 26 02:24:26 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Thu, 25 Jan 2001 17:24:26 +0200 Subject: about sftp-server.c from CVS 25 jan 2001 References: Message-ID: <3A70452A.1080500@skalasoft.com> mouring at etoh.eviladmin.org wrote: > On Thu, 25 Jan 2001, Roumen Petrov wrote: > > >> diff : >> ... >> - ret = chmod(name, a->perm & 077); >> + ret = chmod(name, a->perm & 0777); >> > > This was pointed out and already corrected. > > >> slackware has in sys/stat.h > > > Not sure what your getting at. Is ./configure misdetecting this? > ???? My idea is developers to use: ( S_IRWXG | S_IRWXO ) instead of 077 ( S_IRWXU | S_IRWXG | S_IRWXO ) 0777 or ( S_IRUSR | S_IWUSR ) 0600 From jones at hpc.utexas.edu Fri Jan 26 02:43:03 2001 From: jones at hpc.utexas.edu (William L. Jones) Date: Thu, 25 Jan 2001 09:43:03 -0600 Subject: SSH_PROGRAM not used but _SSH_PROGRAM is In-Reply-To: References: Message-ID: <4.2.0.58.20010125093805.01c9e100@127.0.0.1> The configuration script carefully set up a define for SSH_PROGRAM that is not used. I think this is an attempt to set the _SSH_PROGRAM variable. Does any one know what the original intent was. Bill Jones From roumen.petrov at skalasoft.com Fri Jan 26 02:53:08 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Thu, 25 Jan 2001 17:53:08 +0200 Subject: SSH_PROGRAM not used but _SSH_PROGRAM is References: <4.2.0.58.20010125093805.01c9e100@127.0.0.1> Message-ID: <3A704BE4.5080408@skalasoft.com> In latest CVS source is _PATH_SSH_PROGRAM, but is not fixed in Makefile.in and in pathnames.h define is not enclosed in #ifndef....#endif ! William L. Jones wrote: > > The configuration script carefully set up a define for SSH_PROGRAM that > is not used. > I think this is an attempt to set the _SSH_PROGRAM variable. Does any > one know > what the original intent was. > > Bill Jones From murray at dcci.cc Fri Jan 26 03:03:54 2001 From: murray at dcci.cc (Murray Hooper) Date: Thu, 25 Jan 2001 11:03:54 -0500 Subject: Distribution of openssh once compiled Message-ID: Folks: Thanks to all who helped me get ssh up and running on my development box. Now I want to make a distribution package to take and install on the rest of my network. I am not sure what to transfer from box to box and what to run to get started. I did the install on the dev box and all tested fine. Is there a "standard distribution" list of only files required for running ssh on each box? thanx murray From Roumen.Petrov at SkalaSoft.com Fri Jan 26 03:45:47 2001 From: Roumen.Petrov at SkalaSoft.com (Roumen Petrov) Date: Thu, 25 Jan 2001 18:45:47 +0200 Subject: Distribution of openssh once compiled Message-ID: :-) binary distribution is dependent from Unix/Linux version. "Murray Hooper" Sent by: owner-openssh-unix-dev at mindrot.org 2001-01-25 18:03 To: "openssh" cc: Subject: Distribution of openssh once compiled Folks: Thanks to all who helped me get ssh up and running on my development box. Now I want to make a distribution package to take and install on the rest of my network. I am not sure what to transfer from box to box and what to run to get started. I did the install on the dev box and all tested fine. Is there a "standard distribution" list of only files required for running ssh on each box? thanx murray -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 1242 bytes Desc: S/MIME Cryptographic Signature Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010125/0ae6cb34/attachment.bin From murray at dcci.cc Fri Jan 26 04:03:38 2001 From: murray at dcci.cc (Murray Hooper) Date: Thu, 25 Jan 2001 12:03:38 -0500 Subject: Distribution of openssh once compiled In-Reply-To: Message-ID: I realize that binaries are not necessarily compatible platform to platform, but in my case all systems will be SCO OpenServer 5.0.5. I was looking for a list or "make distrib" that would create a tar file to transport machine to machine. thanx -----Original Message----- From: Roumen Petrov [mailto:Roumen.Petrov at SkalaSoft.com] Sent: Thursday, January 25, 2001 11:46 AM To: Murray Hooper Cc: openssh; owner-openssh-unix-dev at mindrot.org Subject: Re: Distribution of openssh once compiled :-) binary distribution is dependent from Unix/Linux version. "Murray Hooper" Sent by: owner-openssh-unix-dev at mindrot.org 2001-01-25 18:03 To: "openssh" cc: Subject: Distribution of openssh once compiled Folks: Thanks to all who helped me get ssh up and running on my development box. Now I want to make a distribution package to take and install on the rest of my network. I am not sure what to transfer from box to box and what to run to get started. I did the install on the dev box and all tested fine. Is there a "standard distribution" list of only files required for running ssh on each box? thanx murray From dale at accentre.com Fri Jan 26 04:16:15 2001 From: dale at accentre.com (Dale Stimson) Date: Thu, 25 Jan 2001 09:16:15 -0800 Subject: Distribution of openssh once compiled In-Reply-To: ; from murray@dcci.cc on Thu, Jan 25, 2001 at 12:03:38PM -0500 References: Message-ID: <20010125091615.A3321@cupro.opengvs.com> On Thu, Jan 25, 2001 at 12:03:38PM -0500, Murray Hooper wrote: > I was looking for a list or "make distrib" that would create a > tar file to transport machine to machine. Hmm. I'll give a sample list derived the quick and dirty way -- by seeing what the Redhat rpms install. There may be some packages here in which you are not interested. YMMV. rpm -q -l openssh-2.3.0p1-4 /etc/ssh /etc/ssh/primes /usr/bin/scp /usr/bin/ssh-keygen /usr/libexec/openssh # A directory, populated by rpms below. /usr/share/doc/openssh-2.3.0p1 /usr/share/doc/openssh-2.3.0p1/COPYING.Ylonen /usr/share/doc/openssh-2.3.0p1/CREDITS /usr/share/doc/openssh-2.3.0p1/ChangeLog /usr/share/doc/openssh-2.3.0p1/INSTALL /usr/share/doc/openssh-2.3.0p1/LICENCE /usr/share/doc/openssh-2.3.0p1/OVERVIEW /usr/share/doc/openssh-2.3.0p1/RFC.nroff /usr/share/doc/openssh-2.3.0p1/TODO /usr/share/doc/openssh-2.3.0p1/WARNING.RNG /usr/share/man/man1/scp.1.gz /usr/share/man/man1/ssh-keygen.1.gz rpm -q -l openssh-clients-2.3.0p1-4 /etc/ssh/ssh_config /usr/bin/slogin /usr/bin/ssh /usr/bin/ssh-add /usr/bin/ssh-agent /usr/share/man/man1/slogin.1.gz /usr/share/man/man1/ssh-add.1.gz /usr/share/man/man1/ssh-agent.1.gz /usr/share/man/man1/ssh.1.gz rpm -q -l openssh-server-2.3.0p1-4 /etc/pam.d/sshd /etc/rc.d/init.d/sshd /etc/ssh/sshd_config /usr/libexec/openssh/sftp-server /usr/sbin/sshd /usr/share/man/man8/sftp-server.8.gz /usr/share/man/man8/sshd.8.gz rpm -q -l openssh-askpass-gnome-2.3.0p1-4 /etc/profile.d/gnome-ssh-askpass.csh /etc/profile.d/gnome-ssh-askpass.sh /usr/libexec/openssh/gnome-ssh-askpass rpm -q -l openssh-askpass-2.3.0p1-4 /usr/libexec/openssh/ssh-askpass /usr/libexec/openssh/x11-ssh-askpass /usr/share/doc/openssh-askpass-2.3.0p1 /usr/share/doc/openssh-askpass-2.3.0p1/ChangeLog /usr/share/doc/openssh-askpass-2.3.0p1/README /usr/share/doc/openssh-askpass-2.3.0p1/SshAskpass-1337.ad /usr/share/doc/openssh-askpass-2.3.0p1/SshAskpass-NeXTish.ad /usr/share/doc/openssh-askpass-2.3.0p1/SshAskpass-default.ad /usr/share/doc/openssh-askpass-2.3.0p1/SshAskpass-green.ad /usr/share/doc/openssh-askpass-2.3.0p1/SshAskpass-motif.ad /usr/share/doc/openssh-askpass-2.3.0p1/SshAskpass.ad From GILBERT.R.LOOMIS at saic.com Fri Jan 26 04:49:04 2001 From: GILBERT.R.LOOMIS at saic.com (Loomis, Rip) Date: Thu, 25 Jan 2001 12:49:04 -0500 Subject: Distribution of openssh once compiled Message-ID: <791BD3CB503DD411A6510008C7CF6477F8C34A@col-581-exs01.cist.saic.com> Murray-- As an alternative, take a look at the packaging scripts that I wrote for Solaris, which live in contrib/solaris. One of the scripts grabs all the necessary files and puts them in a package build directory--and for your OS, you will likely need ${ETCDIR}/ssh_prng_cmds just as Solaris does. (It wasn't on the list below since Linux has a proper /dev/urandom, so the OpenSSH PRNG isn't required on Redhat.) The Solaris scripts, especially the post-install, can likely be adapted to your platform--if nothing else, the info you're looking for is in there somewhere. Rip Loomis Voice Number: (410) 953-6874 -------------------------------------------------------- Senior Security Engineer Center for Information Security Technology Science Applications International Corporation http://www.cist.saic.com > -----Original Message----- > From: Dale Stimson [mailto:dale at accentre.com] > Sent: Thursday, January 25, 2001 12:16 PM > To: openssh > Cc: Murray Hooper > Subject: Re: Distribution of openssh once compiled > > > On Thu, Jan 25, 2001 at 12:03:38PM -0500, Murray Hooper wrote: > > I was looking for a list or "make distrib" that would create a > > tar file to transport machine to machine. > > Hmm. I'll give a sample list derived the quick and dirty way -- by > seeing what the Redhat rpms install. There may be some packages > here in which you are not interested. YMMV. > > > rpm -q -l openssh-2.3.0p1-4 > /etc/ssh > /etc/ssh/primes > /usr/bin/scp > /usr/bin/ssh-keygen > /usr/libexec/openssh # A directory, populated > by rpms below. > /usr/share/doc/openssh-2.3.0p1 > /usr/share/doc/openssh-2.3.0p1/COPYING.Ylonen > /usr/share/doc/openssh-2.3.0p1/CREDITS > /usr/share/doc/openssh-2.3.0p1/ChangeLog > /usr/share/doc/openssh-2.3.0p1/INSTALL > /usr/share/doc/openssh-2.3.0p1/LICENCE > /usr/share/doc/openssh-2.3.0p1/OVERVIEW > /usr/share/doc/openssh-2.3.0p1/RFC.nroff > /usr/share/doc/openssh-2.3.0p1/TODO > /usr/share/doc/openssh-2.3.0p1/WARNING.RNG > /usr/share/man/man1/scp.1.gz > /usr/share/man/man1/ssh-keygen.1.gz > > rpm -q -l openssh-clients-2.3.0p1-4 > /etc/ssh/ssh_config > /usr/bin/slogin > /usr/bin/ssh > /usr/bin/ssh-add > /usr/bin/ssh-agent > /usr/share/man/man1/slogin.1.gz > /usr/share/man/man1/ssh-add.1.gz > /usr/share/man/man1/ssh-agent.1.gz > /usr/share/man/man1/ssh.1.gz > > rpm -q -l openssh-server-2.3.0p1-4 > /etc/pam.d/sshd > /etc/rc.d/init.d/sshd > /etc/ssh/sshd_config > /usr/libexec/openssh/sftp-server > /usr/sbin/sshd > /usr/share/man/man8/sftp-server.8.gz > /usr/share/man/man8/sshd.8.gz > > rpm -q -l openssh-askpass-gnome-2.3.0p1-4 > /etc/profile.d/gnome-ssh-askpass.csh > /etc/profile.d/gnome-ssh-askpass.sh > /usr/libexec/openssh/gnome-ssh-askpass > > rpm -q -l openssh-askpass-2.3.0p1-4 > /usr/libexec/openssh/ssh-askpass > /usr/libexec/openssh/x11-ssh-askpass > /usr/share/doc/openssh-askpass-2.3.0p1 > /usr/share/doc/openssh-askpass-2.3.0p1/ChangeLog > /usr/share/doc/openssh-askpass-2.3.0p1/README > /usr/share/doc/openssh-askpass-2.3.0p1/SshAskpass-1337.ad > /usr/share/doc/openssh-askpass-2.3.0p1/SshAskpass-NeXTish.ad > /usr/share/doc/openssh-askpass-2.3.0p1/SshAskpass-default.ad > /usr/share/doc/openssh-askpass-2.3.0p1/SshAskpass-green.ad > /usr/share/doc/openssh-askpass-2.3.0p1/SshAskpass-motif.ad > /usr/share/doc/openssh-askpass-2.3.0p1/SshAskpass.ad > > From roumen.petrov at skalasoft.com Fri Jan 26 05:10:12 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Thu, 25 Jan 2001 20:10:12 +0200 Subject: Distribution of openssh once compiled References: Message-ID: <3A706C04.3070807@skalasoft.com> If you build and install openssh on one workstation, just mount this dir on another, go in mounted point and type make install. But good style is to make a instalation package with binary files, etc and use default OS instaler. I think that is not for a Makefile. ------------------------------ Another idea is: #DESTDIR='/tmp/openssh-bala-bla-bla' #export DESTDIR #make -e install in $DESTDIR/... is all (binary, data, man , etc ) backup it. !!!!!! but on new WS after install this backup you must create host key files command is /usr/bin/ssh-keygen -t -f /etc/.../ssh_..... look in Makefile for host-key rule and man page for ssh-keygen. Check you make option for '-e' !!!! -e don't overide environment variables Some projects use automake to create Makefile.in. In this projects has rule make dist, but this rule create tar.gz file only with source files. This is not for you because must run configure ..., make[, make ...], make install on all WS. ;-) Murray Hooper wrote: > I realize that binaries are not necessarily compatible platform to > platform, but in my case all systems will be SCO OpenServer 5.0.5. > > I was looking for a list or "make distrib" that would create a > tar file to transport machine to machine. > From mouring at etoh.eviladmin.org Fri Jan 26 10:59:46 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 25 Jan 2001 17:59:46 -0600 (CST) Subject: SSH_PROGRAM not used but _SSH_PROGRAM is In-Reply-To: <3A704BE4.5080408@skalasoft.com> Message-ID: On Thu, 25 Jan 2001, Roumen Petrov wrote: > In latest CVS source is _PATH_SSH_PROGRAM, but is not fixed in Makefile.in and > in pathnames.h define is not enclosed in #ifndef....#endif ! > I think he was refering to something different, but I just fixed this. - Ben From mouring at etoh.eviladmin.org Fri Jan 26 11:06:24 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 25 Jan 2001 18:06:24 -0600 (CST) Subject: Distribution of openssh once compiled In-Reply-To: Message-ID: I have a tend to do: ./configure --prefix=/opt/ssh; make; make install Then just tar up /opt/ssh. Just need to create new keys for each machine, but that is simplistic. Just make sure you install it in the same place. - Ben On Thu, 25 Jan 2001, Murray Hooper wrote: > I realize that binaries are not necessarily compatible platform to > platform, but in my case all systems will be SCO OpenServer 5.0.5. > > I was looking for a list or "make distrib" that would create a > tar file to transport machine to machine. > > thanx > > -----Original Message----- > From: Roumen Petrov [mailto:Roumen.Petrov at SkalaSoft.com] > Sent: Thursday, January 25, 2001 11:46 AM > To: Murray Hooper > Cc: openssh; owner-openssh-unix-dev at mindrot.org > Subject: Re: Distribution of openssh once compiled > > > :-) binary distribution is dependent from Unix/Linux version. > > > > > > "Murray Hooper" > Sent by: owner-openssh-unix-dev at mindrot.org > 2001-01-25 18:03 > > > To: "openssh" > cc: > Subject: Distribution of openssh once compiled > > > Folks: > > Thanks to all who helped me get ssh up and running on my development box. > > Now I want to make a distribution package to take and install on the rest > of > my network. > > I am not sure what to transfer from box to box and what to run to get > started. I did > the install on the dev box and all tested fine. > > Is there a "standard distribution" list of only files required for running > ssh on each > box? > > thanx > murray > > > > > > > From vinschen at redhat.com Fri Jan 26 10:26:27 2001 From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 26 Jan 2001 00:26:27 +0100 Subject: Distribution of openssh once compiled In-Reply-To: ; from mouring@etoh.eviladmin.org on Thu, Jan 25, 2001 at 06:06:24PM -0600 References: Message-ID: <20010126002627.H1493@cobold.vinschen.de> On Thu, Jan 25, 2001 at 06:06:24PM -0600, mouring at etoh.eviladmin.org wrote: > > I have a tend to do: > > ./configure --prefix=/opt/ssh; make; make install > > Then just tar up /opt/ssh. Just need to create new keys for each machine, > but that is simplistic. > > Just make sure you install it in the same place. Check the script /contrib/cygwin/ssh-host-config. It's a /bin/sh script used to create the host key files and global config files in /etc. You can use it for unattended installs by giving --yes or --no on the command line dependent of your wishes. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From djm at mindrot.org Fri Jan 26 15:42:07 2001 From: djm at mindrot.org (Damien Miller) Date: Fri, 26 Jan 2001 15:42:07 +1100 (EST) Subject: Distribution of openssh once compiled In-Reply-To: Message-ID: On Thu, 25 Jan 2001, Murray Hooper wrote: > Folks: > > Thanks to all who helped me get ssh up and running on my development box. > > Now I want to make a distribution package to take and install on the rest of > my network. This will work: ./configure [options] make make install DESTDIR=./fakeroot tar zcvf ssh-bin.tgz fakeroot -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From tim at multitalents.net Fri Jan 26 17:15:43 2001 From: tim at multitalents.net (Tim Rice) Date: Thu, 25 Jan 2001 22:15:43 -0800 (PST) Subject: SCO Open Server 3 In-Reply-To: Message-ID: On Wed, 24 Jan 2001 mouring at etoh.eviladmin.org wrote: > > > Outside the AC_FUNC_STRFTIME macro in configure.in (which I just > commited) what other issues are outstanding for the SCO platforms > (ignoring sftp-server for the time being). I checked out the CVS again (Thu Jan 25 08:56:42 PST 2001) and found it would not even configure. test -S is not portable. After taking out the offending code in configure.in, I find that it builds on Solaris 7 SCO Open Server 3 (3.2v4.2) SCO Open Server 5.0.4 UnixWare 2.03 UnixWare 2.1.3 UnixWare 7.1.0 Caldera eDesktop 2.4 Now that it builds, I'll try and find some time to install/test. > > - Ben > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From tim at multitalents.net Fri Jan 26 17:18:26 2001 From: tim at multitalents.net (Tim Rice) Date: Thu, 25 Jan 2001 22:18:26 -0800 (PST) Subject: Distribution of openssh once compiled In-Reply-To: Message-ID: On Thu, 25 Jan 2001, Murray Hooper wrote: > I realize that binaries are not necessarily compatible platform to > platform, but in my case all systems will be SCO OpenServer 5.0.5. Here is the script I use to install openssh-2.2.0p1 on Open Server 5 machines. It should give you a good starting point. > > I was looking for a list or "make distrib" that would create a > tar file to transport machine to machine. > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net -------------- next part -------------- A non-text attachment was scrubbed... Name: mk-tar.sh.gz Type: application/octet-stream Size: 1633 bytes Desc: Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010125/cea5248a/attachment.obj From sunil at redback.com Sat Jan 27 11:21:27 2001 From: sunil at redback.com (Sunil K. Vallamkonda) Date: Fri, 26 Jan 2001 16:21:27 -0800 (PST) Subject: load host key error: Message-ID: I get error: %SSHD-3-ERROR: Could not load host key: /tmp/ssh_host_dsa_key: Bad file descriptor Jan 26 23:58:52: %SSHD-6-INFO: Disabling protocol version 2. Could not load host key Everything looks okay, the file exists, (it was generated using command: ssh-keygen -d -f ssh_host_dsa_key -N '') I also do 'ls' and find the file exists with permissions: -rw------- 1 root group 668 Jan 26 15:53 ssh_host_dsa_key -rw-r--r-- 1 root group 601 Jan 26 15:53 ssh_host_dsa_key.pub version i use: OpenSSH_2.3.1p1 on NetBSD1.4.2 Is this a bug ? Any suggestions ? Thank you. From acox at cv.telegroup.com Sat Jan 27 11:54:03 2001 From: acox at cv.telegroup.com (Aran Cox) Date: Fri, 26 Jan 2001 18:54:03 -0600 Subject: SCO Open Server 3 (SCO report) In-Reply-To: ; from mouring@etoh.eviladmin.org on Wed, Jan 24, 2001 at 07:02:43PM -0600 References: Message-ID: <20010126185402.A905@benway.cv.telegroup.com> I have a few problems with the Jan26 snapshot on SCO OpenServer 5.0.5 using SCO's development environment (not gcc.) In order for configure to finish I had to add --without-egd-pool. If I don't do that I get: checking for PRNGD/EGD socket... ./configure: test: argument expected just before configure gives up. I'm not sure which test is dying and config.log reveals nothing. For the record I config/compile with; export CCFLAGS='-L/usr/local/lib -I/usr/local/include' ./configure --sysconfdir=/etc/ssh --with-rsh=/usr/bin/rcmd \ --exec-prefix=/usr --without-egd-pool configure reports this at the end: OpenSSH configured has been configured with the following options. User binaries: /usr/bin User binaries: /usr/bin System binaries: /usr/sbin Configuration files: /etc/ssh Askpass program: /usr/libexec/ssh-askpass Manual pages: /usr/local/man/catX PID file: /etc/ssh Random number collection: Builtin (timeout 200) Manpage format: cat PAM support: no KerberosIV support: no AFS support: no S/KEY support: no TCP Wrappers support: no MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: no Host: i686-pc-sco3.2v5.0.5 Compiler: cc Compiler flags: -g Preprocessor flags: -I/usr/local/include -I/usr/local/ssl/include Linker flags: -L/usr/local/lib -L/usr/local/ssl/lib -L/usr/local/ssl Libraries: -lz -lsocket -lprot -lx -ltinfo -lm -lgen -lcrypto WARNING: you are using the builtin random number collection service. Please read WARNING.RNG and request that your OS vendor includes /dev/random in future versions of their OS. sftp-server will be disabled. Your compiler does not support 64bit integers. Anyway, on to the USE_PIPE question. A while back I had a problem with 2.1.1 and later editions where commands run remotely would die like so: ssh -n -l root tignam3b ls Received disconnect: Command terminated on signal 13. I don't recall the details but I found that defining USE_PIPES cleared up that issue. Now it seems that the configure section for sco has been broken out into sco3.2v4 and sco3.2v5 and v4 has USE_PIPES defined and v5 doesn't. I don't have the previous problem with commands terminating on signal 13, nor do they seem to be hanging, in fact everything appears to be just fine. Can anyone explain what has changed in this regard and why? I'll try to do a little more testing this weekend or next week and let you know. On Wed, Jan 24, 2001 at 07:02:43PM -0600, mouring at etoh.eviladmin.org wrote: > > > Outside the AC_FUNC_STRFTIME macro in configure.in (which I just > commited) what other issues are outstanding for the SCO platforms > (ignoring sftp-server for the time being). > > - Ben > > From mouring at etoh.eviladmin.org Sat Jan 27 14:26:26 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 26 Jan 2001 21:26:26 -0600 (CST) Subject: SCO Open Server 3 (SCO report) In-Reply-To: <20010126185402.A905@benway.cv.telegroup.com> Message-ID: On Fri, 26 Jan 2001, Aran Cox wrote: [..] > If I don't do that I get: > checking for PRNGD/EGD socket... ./configure: test: argument expected > This has been brought up once. It's choking on "if test -S $egdsock; then". The test verifies that it's detecting a Socket. And it seems that SCO is missing -S... (Hmm.. I should check NeXT it may also lack a -S) I understand why -S was selected, but I don't know how many older platforms support -S without GNUaifying them. I hate to change it to -e .. Only other option I see is doing a "test ! -f $egdsock" .. At least would at least get us close to what we want. Assuming -f is portable and I believe it is. [..] > Anyway, on to the USE_PIPE question. A while back I had a problem > with 2.1.1 and later editions where commands run remotely would die like so: > > ssh -n -l root tignam3b ls > Received disconnect: Command terminated on signal 13. > > I don't recall the details but I found that defining USE_PIPES cleared > up that issue. Now it seems that the configure section for sco has been > broken out into sco3.2v4 and sco3.2v5 and v4 has USE_PIPES defined > and v5 doesn't. I don't have the previous problem with commands > terminating on signal 13, nor do they seem to be hanging, in fact > everything appears to be just fine. Can anyone explain what has > changed in this regard and why? > I have not paying too much heed to SCO until recently (mainly because I don't run it =). Tim, is there any reason why USE_PIPES is not defined for sco3.2v5? Or should I add it in? On the topic of SCO. Can someone please explain the use of "-Dftruncate=chsize"? I can't find a manpage on any platform for chsize(). And I'm interested in why it was not handled in bsd-misc.c. - Ben From mouring at etoh.eviladmin.org Sat Jan 27 14:27:36 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 26 Jan 2001 21:27:36 -0600 (CST) Subject: load host key error: In-Reply-To: Message-ID: On Fri, 26 Jan 2001, Sunil K. Vallamkonda wrote: > > I get error: > %SSHD-3-ERROR: Could not load host key: /tmp/ssh_host_dsa_key: Bad file > descriptor Hmm... /tmp/ssh_host_dsa_key ??? > Jan 26 23:58:52: %SSHD-6-INFO: Disabling protocol version 2. Could not > load host key > > Everything looks okay, the file exists, (it was generated using command: > ssh-keygen -d -f ssh_host_dsa_key -N '') > I also do 'ls' and find the file exists with permissions: > > -rw------- 1 root group 668 Jan 26 15:53 ssh_host_dsa_key > -rw-r--r-- 1 root group 601 Jan 26 15:53 ssh_host_dsa_key.pub > What path are those files in? And is the source out the CVS tree? If so what day? - Ben From gert at greenie.muc.de Sun Jan 28 04:42:34 2001 From: gert at greenie.muc.de (Gert Doering) Date: Sat, 27 Jan 2001 18:42:34 +0100 Subject: SCO Open Server 3 (SCO report) In-Reply-To: ; from mouring@etoh.eviladmin.org on Fri, Jan 26, 2001 at 09:26:26PM -0600 References: <20010126185402.A905@benway.cv.telegroup.com> Message-ID: <20010127184234.D1305@greenie.muc.de> Hi, On Fri, Jan 26, 2001 at 09:26:26PM -0600, mouring at etoh.eviladmin.org wrote: > On the topic of SCO. Can someone please explain the use > of "-Dftruncate=chsize"? ftruncate() does not exist on SCO 3, while chsize() does (coming from the Xenix heritage). They have the same calling syntax, so the #define above fixes all uses of ftruncate(). > I can't find a manpage on any platform for chsize(). Look on SCO 3 :) (head of the man page appendend below). > And I'm interested in why it was not handled in bsd-misc.c. Can't comment on that. gert ------------ chsize(S) 6 January 1993 chsize(S) Name chsize - changes the size of a file Syntax cc . . . -lx int chsize (fildes, size) int fildes; long size; Description fildes is a file descriptor obtained from a creat, open, dup, fcntl, or pipe system call. chsize changes the size of the file associated with the file descriptor fildes to be exactly size bytes in length. The rou- tine either truncates the file, or pads it with an appropriate number of bytes. If size is less than the initial size of the file, then all allo- cated disk blocks between size and the initial file size are freed. [...] Standards conformance chsize is an extension of AT&T System V provided by the Santa Cruz Opera- tion. -- Gert Doering Mobile communications ... right now writing from *@home* ... mobile phone: +49 177 2160221 ... or mail me: gert at greenie.muc.de From mouring at etoh.eviladmin.org Sun Jan 28 07:00:50 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sat, 27 Jan 2001 14:00:50 -0600 (CST) Subject: SCO Open Server 3 (SCO report) In-Reply-To: <20010127184234.D1305@greenie.muc.de> Message-ID: On Sat, 27 Jan 2001, Gert Doering wrote: > Hi, > > On Fri, Jan 26, 2001 at 09:26:26PM -0600, mouring at etoh.eviladmin.org wrote: > > On the topic of SCO. Can someone please explain the use > > of "-Dftruncate=chsize"? > > ftruncate() does not exist on SCO 3, while chsize() does (coming from > the Xenix heritage). They have the same calling syntax, so the #define > above fixes all uses of ftruncate(). > > > I can't find a manpage on any platform for chsize(). > > Look on SCO 3 :) (head of the man page appendend below). > =) I have only access to limited manpages, and Xenix and SCO are ones that are not within my collection. Thanks. - Ben From tim at multitalents.net Sun Jan 28 07:31:24 2001 From: tim at multitalents.net (Tim Rice) Date: Sat, 27 Jan 2001 12:31:24 -0800 (PST) Subject: SCO Open Server 3 (SCO report) In-Reply-To: Message-ID: On Fri, 26 Jan 2001 mouring at etoh.eviladmin.org wrote: > On Fri, 26 Jan 2001, Aran Cox wrote: > > [..] > > If I don't do that I get: > > checking for PRNGD/EGD socket... ./configure: test: argument expected > > > > This has been brought up once. It's choking on "if test -S > $egdsock; then". > > The test verifies that it's detecting a Socket. And it seems that SCO is > missing -S... (Hmm.. I should check NeXT it may also lack a -S) I > understand why -S was selected, but I don't know how many older platforms > support -S without GNUaifying them. All the UnixWare platform also. Probably most System V based machines not counting Solaris. > > I hate to change it to -e .. Only other option I see is doing a The -e option of test is not portable either. > "test ! -f $egdsock" .. At least would at least get us close to > what we want. Assuming -f is portable and I believe it is. > > [..] > > Anyway, on to the USE_PIPE question. A while back I had a problem > > with 2.1.1 and later editions where commands run remotely would die like so: > > > > ssh -n -l root tignam3b ls > > Received disconnect: Command terminated on signal 13. This worked for me on 2.2.0p1 ssh -n -l mt sco504 ls mt at sco504's password: Main.dt Personal.dt bin mods mt_mods sco504 trash.dt ... installs Jan 25 CVS ..... tim(trr)@uw213 10% !! ssh -n -l mt sco504 ls mt at sco504's password: Hmm, Stuck here. And ps on the SCO 504 machine shows RUSER PID PPID %CPU VSZ TIME TTY COMMAND root 12184 12138 92.64 1136 00:00:01 ? /usr/local/sbin/sshd Looks like some more research is needed. > > > > I don't recall the details but I found that defining USE_PIPES cleared > > up that issue. Now it seems that the configure section for sco has been > > broken out into sco3.2v4 and sco3.2v5 and v4 has USE_PIPES defined > > and v5 doesn't. I don't have the previous problem with commands > > terminating on signal 13, nor do they seem to be hanging, in fact > > everything appears to be just fine. Can anyone explain what has > > changed in this regard and why? > > > > I have not paying too much heed to SCO until recently (mainly > because I don't run it =). Tim, is there any reason why USE_PIPES is not > defined for sco3.2v5? Or should I add it in? Before discovering opsnssh I whiped up some portability fixes for the ssh.com version. I don't think I needed USE_PIPES on Open Server 5 there (Just Open Server 3) and as it turend out, I didn't need USE_PIPES on Open Server 5 on the openssh-2.2.0p1 version I patched. It's possible I didn't uncover the problem yet. ... does more "ssh -n -l mt sco504 ls" tests with the CVS version ..... Looks like it's working 8 out of 10 times. If Aran is having problems and USE_PIPES fixes it, I say put it back in. > > - Ben > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From holger at klawitter.de Tue Jan 23 01:09:40 2001 From: holger at klawitter.de (Holger Klawitter) Date: Mon, 22 Jan 2001 15:09:40 +0100 Subject: strange ssh2 delays Message-ID: <3A6C3F24.B4D50245@klawitter.de> Hi there, I have the following prolbem with ssh (linux). Whenever I have a ppp connection up and running, the ssh client takes minutes to log on. ssh -v tells me that this happens during debug: Seeding random number generator This happens to local AND remote hosts. If the pppd is down, ssh to the local host works fine. rlogin works at both times. I assume that there is a problem with the name resolving, but what does this have to do with the seed? With kind regards / Mit freundlichem Gru? Holger Klawitter -- Holger Klawitter holger at klawitter.de http://www.klawitter.de From bricker at us-rx.com Tue Jan 16 03:07:47 2001 From: bricker at us-rx.com (Ben Ricker) Date: Mon, 15 Jan 2001 10:07:47 -0600 Subject: 'Bad Packet Length' error? References: <200101130036.QAA19847@shepster.int.bmcomp.com> Message-ID: <3A632053.3030104@us-rx.com> After upgrading my client with 2.4p1, I started getting the folowing errors when using slogin to login to a server: 2f 75 73 72 2f 6c 6f 63 Disconnecting: Bad packet length 796226418. Thinking it was the 2.4 upgrade, I uninstalled 2.4 and reinstalled 2.3 client. Problem still exists. I have OpenSSH 2.3 installed as the server. I even deleted the key entry on the client side by editing the 'known_hosts' file. Still get that error message. Strangely enough, I can ssh into other boxes and then ssh into the box I cannot ssh into directcly! Any ideas? Ben Ricker Senior Web Administrator US-Rx, inc. From bricker at us-rx.com Wed Jan 24 03:22:50 2001 From: bricker at us-rx.com (Ben Ricker) Date: Tue, 23 Jan 2001 10:22:50 -0600 Subject: Authentication Problem on Sun Solaris 8 and SSHd2 Message-ID: <3A6DAFDA.60805@us-rx.com> I am running SSH on a number of servers but none use SSH for anything but admin login. I am thinking of switching all users to it (for obvious security reasons) but I have had a rash of problems lately. The first was the 'Bad Packet' error which no one seems to care about or know the answer to why it suddenly appears on 2 servers while other servers running the same OS and SSH version work fine. This problem is on a Sun E250 runninng Solaris 8 and OpenSSH 2.3. I could log into the box perfectly fine before but have not accessed the box in a while (at least a week). Now, I get the following trace when I try to login to a server: <--snip--> debug: Host 'hostname' is known and matches the DSA host key. debug: bits set: 485/1024 debug: len 55 datafellows 4 debug: dsa_verify: signature correct debug: Wait SSH2_MSG_NEWKEYS. debug: GOT SSH2_MSG_NEWKEYS. debug: send SSH2_MSG_NEWKEYS. debug: done: send SSH2_MSG_NEWKEYS. debug: done: KEX2. debug: send SSH2_MSG_SERVICE_REQUEST debug: service_accept: ssh-userauth debug: got SSH2_MSG_SERVICE_ACCEPT debug: authentications that can continue: publickey,password debug: next auth method to try is publickey debug: key does not exist: /home/username/.ssh/id_dsa debug: next auth method to try is password admin at hostname's password: debug: authentications that can continue: publickey,password debug: next auth method to try is password Any ideas on this one? Ben Ricker Senior Systems Administrator US-Rx, Inc. From darcy at elegant.com Wed Jan 24 08:05:44 2001 From: darcy at elegant.com (darcy w. christ) Date: Tue, 23 Jan 2001 16:05:44 -0500 Subject: using rhosts on AIX Message-ID: <3A6DF228.ABEDE9D3@elegant.com> Hi, i'm trying to use rhosts with RSA to allow me to run commands as root. My AIX system is setup to not allow remote logins using the file /etc/security/user. On my other systems, i can use rsh to run commands, but i cannot login. When i try the same with ssh, it does not work. i'm not really sure what i should be seeing in the debug output. To me, it doesn't even look like it is checking my rhosts file. Any thoughts on matter would be greatly appreciated. debug1: userauth-request for user root service ssh-connection method none debug1: attempt #1 Login restricted for root: Remote logins are not allowed for this account. input_userauth_request: illegal user root Failed none for NOUSER from 10.133.33.26 port 1022 ssh2 debug1: userauth-request for user root service ssh-connection method publickey debug1: attempt #2 Failed publickey for NOUSER from 10.133.33.26 port 1022 ssh2 -- ~darcy w. christ Elegant Communications Inc. 416.362.9772 x222 | 416.362.8324 fax From willie at account.abs.net Wed Jan 24 01:34:14 2001 From: willie at account.abs.net (Willie Bollinger) Date: Tue, 23 Jan 2001 09:34:14 -0500 Subject: Build Problem Message-ID: <20010123093414.A8423@account.abs.net> I have been trying to get the cvs version of open ssh to compile on a linux based machine and keep running into this problem. Does anybody have any suggestions gcc -g -O2 -Wall -O3 -mcpu=pentiumpro -I/usr/local/ssl/include -I. -I. -DETCDIR=\"/usr/local/etc\" -DSSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c bsd-arc4random.c In file included from openbsd-compat.h:26, from includes.h:95, from bsd-arc4random.c:25: bsd-waitpid.h:38: warning: `WEXITSTATUS' redefined /usr/include/sys/wait.h:83: warning: this is the location of the previous definition bsd-waitpid.h:39: warning: `WTERMSIG' redefined /usr/include/sys/wait.h:84: warning: this is the location of the previous definition bsd-waitpid.h:40: warning: `WCOREFLAG' redefined /usr/include/sys/wait.h:91: warning: this is the location of the previous definition bsd-waitpid.h:41: warning: `WCOREDUMP' redefined /usr/include/sys/wait.h:92: warning: this is the location of the previous definition In file included from openbsd-compat.h:33, from includes.h:95, from bsd-arc4random.c:25: fake-socket.h:9: warning: `_SS_PADSIZE' redefined /usr/include/bits/socket.h:151: warning: this is the location of the previous definition In file included from openbsd-compat.h:12, from includes.h:95, from bsd-arc4random.c:25: bsd-misc.h:60: redefinition of `struct timeval' bsd-misc.h:66: two or more data types in declaration of `utimes' In file included from openbsd-compat.h:23, from includes.h:95, from bsd-arc4random.c:25: bsd-strsep.h:7: parse error before `__extension__' bsd-strsep.h:7: parse error before `(' In file included from openbsd-compat.h:24, from includes.h:95, from bsd-arc4random.c:25: bsd-strtok.h:7: parse error before `__extension__' In file included from openbsd-compat.h:33, from includes.h:95, from bsd-arc4random.c:25: fake-socket.h:11: redefinition of `struct sockaddr_storage' fake-socket.h:25: redefinition of `struct in6_addr' fake-socket.h:26: warning: no semicolon at end of struct or union fake-socket.h:26: parse error before `.' fake-socket.h:31: redefinition of `struct sockaddr_in6' make: *** [bsd-arc4random.o] Error 1 [willie at caldera openssh_cvs]$ -- ------------------------------------------------------------------------------- Willie Bollinger, ABSnet Internet Service Voice 410-361-8160 E-Mail willie at abs.net http://www.abs.net ------------------------------------------------------------------------------- From ldv at fandra.org Mon Jan 29 14:44:10 2001 From: ldv at fandra.org (Dmitry V. Levin) Date: Mon, 29 Jan 2001 06:44:10 +0300 Subject: I: [PATCH] ssh-keygen Message-ID: <20010129064410.A25690@LDV.fandra.org> Greetings! According to documentation, "-x" and "-X" options of ssh-keygen designed to work only with DSA keys. It means that key_type_name variable have to be initialized to "dsa" if any of these options were specified. Regards, Dmitry +-------------------------------------------------------------------------+ Dmitry V. Levin mailto://ldv at fandra.org Software Engineer PGP pubkey http://www.fandra.org/users/ldv/pgpkeys.html IPLabs Linux Team http://linux.iplabs.ru Fandra Project http://www.fandra.org +-------------------------------------------------------------------------+ UNIX is user friendly. It's just very selective about who its friends are. -------------- next part -------------- Index: ssh-keygen.c =================================================================== RCS file: /cvs/openssh_cvs/ssh-keygen.c,v retrieving revision 1.35 diff -u -r1.35 ssh-keygen.c --- ssh-keygen.c 2001/01/22 05:34:43 1.35 +++ ssh-keygen.c 2001/01/29 03:24:18 @@ -691,10 +691,12 @@ case 'x': convert_to_ssh2 = 1; + key_type_name = "dsa"; break; case 'X': convert_from_ssh2 = 1; + key_type_name = "dsa"; break; case 'y': -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010129/61f094de/attachment.bin From mw at moni.msci.memphis.edu Tue Jan 30 02:36:24 2001 From: mw at moni.msci.memphis.edu (Mate Wierdl) Date: Mon, 29 Jan 2001 09:36:24 -0600 Subject: list address Message-ID: <20010129093624.B15669@moni.msci.memphis.edu> Hi, I must have missed something; it seems that all messages sent to the ssh list get forwarded to the openssh list. Thx Mate -- --- Mate Wierdl | Dept. of Math. Sciences | University of Memphis From sunil at redback.com Tue Jan 30 06:22:02 2001 From: sunil at redback.com (Sunil K. Vallamkonda) Date: Mon, 29 Jan 2001 11:22:02 -0800 (PST) Subject: load host dsa key error: In-Reply-To: Message-ID: poking futher into this, I find error while reading private host dsa key - I see decode error: EVP_DecodeFinal(...) calls EVP_DecodeBlock(..) which returns error. And the function call tree is: load_private_key_autodetect (...) at sshd.c:482 load_private_key (...) at authfile.c:538 load_private_key_ssh2 (...) at authfile.c:451 PEM_read_PrivateKey (...) at pem_all.c:200 PEM_ASN1_read (d2i=0x6eb40 , name=0x5fb34 "ANY PRIVATE KEY", fp=0x105a04, x=0x0, cb=0, u=0x1106) at pem_lib.c:180 PEM_ASN1_read_bio (d2i=0x6eb40 , name=0x5fb34 "ANY PRIVATE KEY", bp=0x117300, x=0x0, cb=0, u=0x1106) at pem_lib.c:238 PEM_read_bio (...) at pem_lib.c:774 DecodeFinal (...) at encode.c:395 ques: Is there a bug in ssh-keygen: generation of private host dsa key - which could be causing a read/decode error ? Thank you On Fri, 26 Jan 2001, Sunil K. Vallamkonda wrote: > > I get error: > %SSHD-3-ERROR: Could not load host key: /tmp/ssh_host_dsa_key: Bad file > descriptor > Jan 26 23:58:52: %SSHD-6-INFO: Disabling protocol version 2. Could not > load host key > > Everything looks okay, the file exists, (it was generated using command: > ssh-keygen -d -f ssh_host_dsa_key -N '') > I also do 'ls' and find the file exists with permissions: > > -rw------- 1 root group 668 Jan 26 15:53 ssh_host_dsa_key > -rw-r--r-- 1 root group 601 Jan 26 15:53 ssh_host_dsa_key.pub > > version i use: > OpenSSH_2.3.1p1 > on NetBSD1.4.2 > > > Is this a bug ? Any suggestions ? > > Thank you. > > > > > From sunil at redback.com Tue Jan 30 06:27:46 2001 From: sunil at redback.com (Sunil K. Vallamkonda) Date: Mon, 29 Jan 2001 11:27:46 -0800 (PST) Subject: load host key error: In-Reply-To: Message-ID: On Fri, 26 Jan 2001 mouring at etoh.eviladmin.org wrote: > On Fri, 26 Jan 2001, Sunil K. Vallamkonda wrote: > > > > > I get error: > > %SSHD-3-ERROR: Could not load host key: /tmp/ssh_host_dsa_key: Bad file > > descriptor > > Hmm... /tmp/ssh_host_dsa_key ??? > ^^^^^^^^ Yes, I modified header file to look at - changed path. This is fine, since daemon *does find the other key file: /tmp/ssh_host_key > > Jan 26 23:58:52: %SSHD-6-INFO: Disabling protocol version 2. Could not > > load host key > > > > Everything looks okay, the file exists, (it was generated using command: > > ssh-keygen -d -f ssh_host_dsa_key -N '') > > I also do 'ls' and find the file exists with permissions: > > > > -rw------- 1 root group 668 Jan 26 15:53 ssh_host_dsa_key > > -rw-r--r-- 1 root group 601 Jan 26 15:53 ssh_host_dsa_key.pub > > > What path are those files in? > ^^^^^ /tmp > And is the source out the CVS tree? If so what day? > ^^^^^^^^^^^ it is from development tree: openssh.20010109 > - Ben > > From rachit at ensim.com Tue Jan 30 06:51:33 2001 From: rachit at ensim.com (Rachit Siamwalla) Date: Mon, 29 Jan 2001 11:51:33 -0800 Subject: 'Bad Packet Length' error? References: <200101130036.QAA19847@shepster.int.bmcomp.com> <3A632053.3030104@us-rx.com> Message-ID: <3A75C9C5.270DD0F0@ensim.com> There is a patch here in the list archives that fixes these types of problems: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=97751386931920&w=2 (i believe the latest snapshot will work too). -rchit Ben Ricker wrote: > > After upgrading my client with 2.4p1, I started getting the folowing > errors when using slogin to login to a server: > > 2f 75 73 72 2f 6c 6f 63 > Disconnecting: Bad packet length 796226418. > > Thinking it was the 2.4 upgrade, I uninstalled 2.4 and reinstalled 2.3 > client. Problem still exists. I have OpenSSH 2.3 installed as the server. > > I even deleted the key entry on the client side by editing the > 'known_hosts' file. Still get that error message. Strangely enough, I > can ssh into other boxes and then ssh into the box I cannot ssh into > directcly! > > Any ideas? > > Ben Ricker > Senior Web Administrator > US-Rx, inc. From djm at mindrot.org Tue Jan 30 08:10:35 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 30 Jan 2001 08:10:35 +1100 (EST) Subject: list address In-Reply-To: <20010129093624.B15669@moni.msci.memphis.edu> Message-ID: On Mon, 29 Jan 2001, Mate Wierdl wrote: > Hi, > > I must have missed something; it seems that all messages sent to the > ssh list get forwarded to the openssh list. Not by a long shot, though some are crossposted. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From siegert at sfu.ca Tue Jan 30 08:47:40 2001 From: siegert at sfu.ca (Martin Siegert) Date: Mon, 29 Jan 2001 13:47:40 -0800 Subject: Solaris wtmpx patch Message-ID: <20010129134740.A8762@stikine.ucs.sfu.ca> Hi, Solaris (tested with 2.6) needs a username in the logout record in the wtmpx file. Currently openssh (version 2.3.0p1) leaves the username (utmpx.ut_user) empty in logout records, which leads to conflicting results from the last command. Example: # last -5 siegert siegert pts/186 stikine.ucs.sfu. Mon Jan 15 14:26 still logged in siegert pts/105 stikine.ucs.sfu. Mon Jan 15 13:48 still logged in siegert pts/141 stikine.ucs.sfu. Mon Jan 15 10:23 still logged in siegert pts/94 stikine.ucs.sfu. Mon Jan 15 10:14 still logged in siegert pts/97 stikine.ucs.sfu. Mon Jan 15 10:10 still logged in # last -4000 | grep siegert siegert pts/186 stikine.ucs.sfu. Mon Jan 15 14:26 - 14:31 (00:05) siegert pts/105 stikine.ucs.sfu. Mon Jan 15 13:48 - 13:50 (00:01) siegert pts/141 stikine.ucs.sfu. Mon Jan 15 10:23 still logged in siegert pts/94 stikine.ucs.sfu. Mon Jan 15 10:14 - 10:29 (00:14) siegert pts/97 stikine.ucs.sfu. Mon Jan 15 10:10 - 10:16 (00:05) The result from "last -5 siegert" is nonsense. To see that the missing username is the reason for this one can use bvi to enter the username manually in the logout records. This indeed fixes the problem. I append a patch. This will enter the username in any utmpx/wtmpx logout record on any operating system. I believe that that won't be a problem (?). Cheers, Martin ======================================================================== Martin Siegert Academic Computing Services phone: (604) 291-4691 Simon Fraser University fax: (604) 291-4242 Burnaby, British Columbia email: siegert at sfu.ca Canada V5A 1S6 ======================================================================== solaris-wtmpx patch ============================================================== diff -u -r openssh-2.3.0p1.orig/login.c openssh-2.3.0p1/login.c --- openssh-2.3.0p1.orig/login.c Fri Sep 15 19:29:09 2000 +++ openssh-2.3.0p1/login.c Fri Jan 26 15:48:26 2001 @@ -80,11 +80,11 @@ /* Records that the user has logged out. */ void -record_logout(pid_t pid, const char *ttyname) +record_logout(pid_t pid, const char *ttyname, const char *user) { struct logininfo *li; - li = login_alloc_entry(pid, NULL, NULL, ttyname); + li = login_alloc_entry(pid, user, NULL, ttyname); login_logout(li); login_free_entry(li); } diff -u -r openssh-2.3.0p1.orig/loginrec.c openssh-2.3.0p1/loginrec.c --- openssh-2.3.0p1.orig/loginrec.c Sat Sep 30 03:34:44 2000 +++ openssh-2.3.0p1/loginrec.c Tue Jan 23 18:24:25 2001 @@ -674,6 +674,9 @@ set_utmpx_time(li, utx); utx->ut_pid = li->pid; + /* strncpy(): Don't necessarily want null termination */ + strncpy(utx->ut_name, li->username, MIN_SIZEOF(utx->ut_name, li->username)); + if (li->type == LTYPE_LOGOUT) return; @@ -682,8 +685,6 @@ * for logouts. */ - /* strncpy(): Don't necessarily want null termination */ - strncpy(utx->ut_name, li->username, MIN_SIZEOF(utx->ut_name, li->username)); # ifdef HAVE_HOST_IN_UTMPX strncpy(utx->ut_host, li->hostname, MIN_SIZEOF(utx->ut_host, li->hostname)); # endif diff -u -r openssh-2.3.0p1.orig/session.c openssh-2.3.0p1/session.c --- openssh-2.3.0p1.orig/session.c Fri Oct 27 20:19:58 2000 +++ openssh-2.3.0p1/session.c Fri Jan 26 14:31:22 2001 @@ -194,7 +194,7 @@ if (s->pid != 0) { /* Record that the user has logged out. */ - record_logout(s->pid, s->tty); + record_logout(s->pid, s->tty, s->pw->pw_name); } /* Release the pseudo-tty. */ @@ -1796,7 +1796,7 @@ fatal_remove_cleanup(pty_cleanup_proc, (void *)s); /* Record that the user has logged out. */ - record_logout(s->pid, s->tty); + record_logout(s->pid, s->tty, s->pw->pw_name); /* Release the pseudo-tty. */ pty_release(s->tty); diff -u -r openssh-2.3.0p1.orig/ssh.h openssh-2.3.0p1/ssh.h --- openssh-2.3.0p1.orig/ssh.h Fri Oct 13 22:23:12 2000 +++ openssh-2.3.0p1/ssh.h Fri Jan 26 14:58:01 2001 @@ -310,7 +310,7 @@ * Records that the user has logged out. This does many thigs normally done * by login(1) or init. */ -void record_logout(pid_t pid, const char *ttyname); +void record_logout(pid_t pid, const char *ttyname, const char *user); /*------------ definitions for sshconnect.c ----------*/ From frye1 at home.com Tue Jan 30 04:18:14 2001 From: frye1 at home.com (Jayme Frye) Date: Mon, 29 Jan 2001 11:18:14 -0600 Subject: Problem with OpenSSH 2.3.0p1 and Linux kernel 2.4.1pre8 (Disconnecting: fork failed: Resource temporarily unavailable) Message-ID: <3A75A5D6.5060108@home.com> I'm having a problem with OpenSSH 2.3.0p1 and Linux kernel 2.4.1pre8. After a client connects and is authenticated ssh fails to fork, disconnects and dies. Normally I run sshd out of inetd with the -i flag. thinking this might be the problem I ran it in daemon mode from the command line. The results were the same. Running with maximum debugging on I captured the following: debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1 debug1: Sent 1152 bit public key and 1024 bit host key. debug1: Encryption type: 3des debug1: Received session key; encryption turned on. debug1: Installing crc compensation attack detector. debug1: Starting up PAM with username "adminjf" debug1: Attempting authentication for adminjf. debug1: PAM Password authentication accepted for user "adminjf" Accepted password for adminjf from 209.155.224.94 port 868 debug1: PAM setting rhost to "orion.inventivecomm.com" debug1: session_new: init debug1: session_new: session 0 debug1: Allocating pty. debug1: PAM setting tty to "/dev/pts/0" debug1: PAM establishing creds Disconnecting: fork failed: Resource temporarily unavailable debug1: Calling cleanup 0x8057aa0(0x80e47a0) debug1: pty_cleanup_proc: /dev/pts/0 debug1: Calling cleanup 0x8050498(0x0) debug1: Calling cleanup 0x80653c8(0x0) Under 2.2.19pre7 everything works fine. Has anyone run across 2.4 kernel problems with OpenSSH? Jayme Frye System Administrator Inventive Comm. jfrye at inventivecomm.com From stevev at darkwing.uoregon.edu Tue Jan 30 10:30:09 2001 From: stevev at darkwing.uoregon.edu (Steve VanDevender) Date: Mon, 29 Jan 2001 15:30:09 -0800 Subject: Solaris wtmpx patch In-Reply-To: <20010129134740.A8762@stikine.ucs.sfu.ca> References: <20010129134740.A8762@stikine.ucs.sfu.ca> Message-ID: <14965.64769.198196.389341@darkwing.uoregon.edu> Martin Siegert writes: > Hi, > > Solaris (tested with 2.6) needs a username in the logout record in the wtmpx > file. Currently openssh (version 2.3.0p1) leaves the username (utmpx.ut_user) > empty in logout records, which leads to conflicting results from the last > command. Solaris 2.7 needs this too. I would very much like to see this patch or something like it put into the distribution (I rolled my own attempt at this in 2.2.0p1 and haven't yet gotten around to porting it to a recent snapshot and submitting my own patch). I would be happy if this was conditionally compiled to be Solaris-only (I don't know that any other UNIXen have a problem with this), if people don't think this is a good default behavior. From djm at mindrot.org Tue Jan 30 10:40:43 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 30 Jan 2001 10:40:43 +1100 (EST) Subject: Problem with OpenSSH 2.3.0p1 and Linux kernel 2.4.1pre8 (Disconnecting: fork failed: Resource temporarily unavailable) In-Reply-To: <3A75A5D6.5060108@home.com> Message-ID: On Mon, 29 Jan 2001, Jayme Frye wrote: > I'm having a problem with OpenSSH 2.3.0p1 and Linux kernel 2.4.1pre8. > After a client connects and is authenticated ssh fails to fork, > disconnects and dies. Normally I run sshd out of inetd with the -i flag. > thinking this might be the problem I ran it in daemon mode from the > command line. The results were the same. Running with maximum debugging > on I captured the following: > > debug1: Local version string SSH-1.99-OpenSSH_2.3.0p1 > debug1: Sent 1152 bit public key and 1024 bit host key. > debug1: Encryption type: 3des > debug1: Received session key; encryption turned on. > debug1: Installing crc compensation attack detector. > debug1: Starting up PAM with username "adminjf" > debug1: Attempting authentication for adminjf. > debug1: PAM Password authentication accepted for user "adminjf" > Accepted password for adminjf from 209.155.224.94 port 868 > debug1: PAM setting rhost to "orion.inventivecomm.com" > debug1: session_new: init > debug1: session_new: session 0 > debug1: Allocating pty. > debug1: PAM setting tty to "/dev/pts/0" > debug1: PAM establishing creds > Disconnecting: fork failed: Resource temporarily unavailable > debug1: Calling cleanup 0x8057aa0(0x80e47a0) > debug1: pty_cleanup_proc: /dev/pts/0 > debug1: Calling cleanup 0x8050498(0x0) > debug1: Calling cleanup 0x80653c8(0x0) > > Under 2.2.19pre7 everything works fine. Has anyone run across 2.4 kernel > problems with OpenSSH? Looks like a kernel problem to me - if fork is failing, then lots of other things may break. You do have an appropriate libc for your kernel? -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From shorty at debian.org Tue Jan 30 18:27:49 2001 From: shorty at debian.org (Christian Kurz) Date: Tue, 30 Jan 2001 08:27:49 +0100 Subject: Detection of identical file doesn't work for localhost: Message-ID: <20010130082749.T17538@seteuid.getuid.de> Hi, I had to notice that scp is able to detect if a file is copied to itself if you use "scp foo /path/to/foo" or "scp foo .". If you type in "scp foo localhost:/path/to/foo" it will still overwrite the old version of foo. Is it possible to change this behaviour of scp? I only had a quick glance at scp.c and I'm also not a C coder, only learning C right now, so please give me some hints if I'm wrong. You use the function "colon" in 984 to check if you should to a remote copy or a local copy. I think it would be possible to add a check to it to see if the name of the remote host will be localhost and then also use the function "tolocal" for doing a local copy instead of calling "toremote". What do you guys think? Would you please add this feature? Ciao Christian P.S.: Would somebody please change s/debain/debian/ in the ChangeLog to fix my email-address? Thanks -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 242 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010130/d87d034d/attachment.bin From djm at mindrot.org Tue Jan 30 20:06:46 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 30 Jan 2001 20:06:46 +1100 (EST) Subject: Detection of identical file doesn't work for localhost: In-Reply-To: <20010130082749.T17538@seteuid.getuid.de> Message-ID: On Tue, 30 Jan 2001, Christian Kurz wrote: > Hi, > > I had to notice that scp is able to detect if a file is copied to itself > if you use "scp foo /path/to/foo" or "scp foo .". If you type in "scp > foo localhost:/path/to/foo" it will still overwrite the old version of > foo. Is it possible to change this behaviour of scp? > > I only had a quick glance at scp.c and I'm also not a C coder, only > learning C right now, so please give me some hints if I'm wrong. You use > the function "colon" in 984 to check if you should to a remote copy or a > local copy. I think it would be possible to add a check to it to see if > the name of the remote host will be localhost and then also use the > function "tolocal" for doing a local copy instead of calling "toremote". > What do you guys think? Would you please add this feature? This has come up before, IIRC we decided not to put such a check in because there are so many ways to refer to the local host (localhost, hostname(s), ip addresses, etc) that such a check would cover a small range of the cases. OTOH a patch to make scp write to a temp file and then rename it as the final step may make more sense and achieve a better result. > P.S.: Would somebody please change s/debain/debian/ in the ChangeLog to > fix my email-address? Thanks Done. -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From gert at greenie.muc.de Tue Jan 30 20:06:28 2001 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 30 Jan 2001 10:06:28 +0100 Subject: Detection of identical file doesn't work for localhost: In-Reply-To: <20010130082749.T17538@seteuid.getuid.de>; from Christian Kurz on Tue, Jan 30, 2001 at 08:27:49AM +0100 References: <20010130082749.T17538@seteuid.getuid.de> Message-ID: <20010130100628.D24499@greenie.muc.de> Hi, On Tue, Jan 30, 2001 at 08:27:49AM +0100, Christian Kurz wrote: > I had to notice that scp is able to detect if a file is copied to itself > if you use "scp foo /path/to/foo" or "scp foo .". If you type in "scp > foo localhost:/path/to/foo" it will still overwrite the old version of > foo. Is it possible to change this behaviour of scp? > > I only had a quick glance at scp.c and I'm also not a C coder, only > learning C right now, so please give me some hints if I'm wrong. You use > the function "colon" in 984 to check if you should to a remote copy or a > local copy. I think it would be possible to add a check to it to see if > the name of the remote host will be localhost and then also use the > function "tolocal" for doing a local copy instead of calling "toremote". > What do you guys think? Would you please add this feature? I don't think it's reasonable. If a user want to shoot into his own foot, he will always be able to do this. If you trap "localhost", people will use 127.0.0.1, or the real name of the machine, or one of its ethernet IP addresses, etc. (Why on earth would anybody do an "scp localhost:..." in the first place?) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From mdb at juniper.net Tue Jan 30 21:31:47 2001 From: mdb at juniper.net (Mark D. Baushke) Date: Tue, 30 Jan 2001 02:31:47 -0800 Subject: Detection of identical file doesn't work for localhost: In-Reply-To: Mail from Gert Doering dated Tue, 30 Jan 2001 10:06:28 +0100 <20010130100628.D24499@greenie.muc.de> Message-ID: <200101301031.CAA78487@garnet.juniper.net> >Date: Tue, 30 Jan 2001 10:06:28 +0100 >From: Gert Doering > >Hi, > >On Tue, Jan 30, 2001 at 08:27:49AM +0100, Christian Kurz wrote: >> I had to notice that scp is able to detect if a file is copied to itself >> if you use "scp foo /path/to/foo" or "scp foo .". If you type in "scp >> foo localhost:/path/to/foo" it will still overwrite the old version of >> foo. Is it possible to change this behaviour of scp? >> >> I only had a quick glance at scp.c and I'm also not a C coder, only >> learning C right now, so please give me some hints if I'm wrong. You use >> the function "colon" in 984 to check if you should to a remote copy or a >> local copy. I think it would be possible to add a check to it to see if >> the name of the remote host will be localhost and then also use the >> function "tolocal" for doing a local copy instead of calling "toremote". >> What do you guys think? Would you please add this feature? > >I don't think it's reasonable. If a user want to shoot into his own foot, >he will always be able to do this. > >If you trap "localhost", people will use 127.0.0.1, or the real name of >the machine, or one of its ethernet IP addresses, etc. > >(Why on earth would anybody do an "scp localhost:..." in the first place?) Why? Well, one reason would be to copy from a chroot()ed environment back to the real host, of course... Probably not, but it is possible. There is no guarentee that localhost:/some/directory is in the same filesystem as /some/directory on the current machine as viewed by the currently running scp program. Enjoy! -- Mark From Markus.Friedl at informatik.uni-erlangen.de Tue Jan 30 21:44:38 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 30 Jan 2001 11:44:38 +0100 Subject: Detection of identical file doesn't work for localhost: In-Reply-To: <20010130082749.T17538@seteuid.getuid.de>; from shorty@debian.org on Tue, Jan 30, 2001 at 08:27:49AM +0100 References: <20010130082749.T17538@seteuid.getuid.de> Message-ID: <20010130114438.A16866@faui02.informatik.uni-erlangen.de> > I had to notice that scp is able to detect if a file is copied to itself > if you use "scp foo /path/to/foo" or "scp foo .". If you type in "scp > foo localhost:/path/to/foo" it will still overwrite the old version of > foo. Is it possible to change this behaviour of scp? how could 'scp' tell that it's really the identical file? From lists at fips.de Tue Jan 30 21:55:40 2001 From: lists at fips.de (Philipp Buehler) Date: Tue, 30 Jan 2001 11:55:40 +0100 Subject: HP-UX lastlog / contrib Message-ID: <20010130115540.A16528@pohl.fips.de> Hi, just built 2.3.0p1 on HP-UX 10.20 more or less smoothly >From 1.2.3 I had documented --without-lastlog, can't remember why, broke something. So I tried my old configure settings for 2.3.0 which seams to break stuff: loginrec.c:1338: warning: `struct lastlog' declared inside parameter list some more dereferencing pointers and then Error 1 [of course] Omitting the --without-lastlog all is fine, for the record: gcc 2.95.2 So, I try to understand if this would be still a valid configure option and there is something wrong, or I misunderstood it and I gave an NO to package which cant be denied. Btw, I came across contrib/hpux [nice :>] and there is a little typo for installing egd.rc in the README: # ln -s /sbin/init.d/sshd.rc /sbin/rc1.d/K600egd # ln -s /sbin/init.d/sshd.rc /sbin/rc2.d/S400egd which should read # ln -s /sbin/init.d/egd.rc /sbin/rc1.d/K600egd # ln -s /sbin/init.d/egd.rc /sbin/rc2.d/S400egd Thanks for the work on OpenSSH :) ciao -- Philipp Buehler, aka fIpS | sysfive.com GmbH | BOfH | NUCH | %SYSTEM-F-TOOEARLY, please contact your sysadmin at a sensible time. Artificial Intelligence stands no chance against Natural Stupidity. [X] <-- nail here for new monitor From jesus at omniti.com Tue Jan 30 23:31:24 2001 From: jesus at omniti.com (Theo E. Schlossnagle) Date: Tue, 30 Jan 2001 07:31:24 -0500 Subject: Detection of identical file doesn't work for localhost: References: <200101301031.CAA78487@garnet.juniper.net> Message-ID: <3A76B41B.383BB999@omniti.com> That is exactly what I was going to say. I run sshd in a chrooted environment to provide secure "virtualized" CVS repository and a few other services on one of my machines. I really don't like the idea of OpenSSH thinking it knows better than I do. If I type localhost:/path/to/file, that is what I mean. "Mark D. Baushke" wrote: > Why? Well, one reason would be to copy from a chroot()ed environment > back to the real host, of course... Probably not, but it is possible. > There is no guarentee that localhost:/some/directory is in the same > filesystem as /some/directory on the current machine as viewed by > the currently running scp program. -- Theo Schlossnagle 1024D/A8EBCF8F/13BD 8C08 6BE2 629A 527E 2DC2 72C2 AD05 A8EB CF8F 2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7 From Darren.Moffat at eng.sun.com Wed Jan 31 04:32:39 2001 From: Darren.Moffat at eng.sun.com (Darren Moffat) Date: Tue, 30 Jan 2001 09:32:39 -0800 (PST) Subject: Detection of identical file doesn't work for localhost: Message-ID: <200101301732.f0UHWd9655979@jurassic.eng.sun.com> >>(Why on earth would anybody do an "scp localhost:..." in the first place?) > >Why? Well, one reason would be to copy from a chroot()ed environment >back to the real host, of course... Probably not, but it is possible. >There is no guarentee that localhost:/some/directory is in the same >filesystem as /some/directory on the current machine as viewed by >the currently running scp program. But if that is the case then the reported problem doesn't occur because the source and destination are different. A check like this is likely to do more harm than good, just to fix one or two edge cases where the user did something strange and didn't like what they got. -- Darren J Moffat From Darren.Moffat at eng.sun.com Wed Jan 31 04:33:29 2001 From: Darren.Moffat at eng.sun.com (Darren Moffat) Date: Tue, 30 Jan 2001 09:33:29 -0800 (PST) Subject: PAM namespace. Message-ID: <200101301733.f0UHXU9656456@jurassic.eng.sun.com> auth-pam.c declares some new functions in the pam_ namespace that are not part of PAM. pam_password_change_required() pam_msg_cat() pam_cleanup_proc() Purely to avoid any possible future problems I would suggest changing these so they do not being with pam_, suggestions include: __ssh_pam_msg_cat() ssh_pam_msg_cat() do_pam_msg_cat() cat_pam_msg() Please don't take this as a hint that any of these functions are going to appear in a future release of Solaris just because I have an @Sun.COM address - there is no hint intended. I would just rather that OpenSSH didn't polute the pam_ namespace. The same could be said for the Kerberos namespace in krb4 but since krb4 is no longer in development the risk is much lower. -- Darren J Moffat From stevesk at sweden.hp.com Wed Jan 31 05:23:05 2001 From: stevesk at sweden.hp.com (Kevin Steves) Date: Tue, 30 Jan 2001 19:23:05 +0100 (MET) Subject: HP-UX lastlog / contrib In-Reply-To: <20010130115540.A16528@pohl.fips.de> Message-ID: On Tue, 30 Jan 2001, Philipp Buehler wrote: : just built 2.3.0p1 on HP-UX 10.20 more or less smoothly : >From 1.2.3 I had documented --without-lastlog, can't : remember why, broke something. : So I tried my old configure settings for 2.3.0 : which seams to break stuff: : : loginrec.c:1338: warning: `struct lastlog' declared inside parameter list : some more dereferencing pointers and then Error 1 [of course] : : Omitting the --without-lastlog all is fine, for the record: gcc 2.95.2 : : So, I try to understand if this would be still a valid configure : option and there is something wrong, or I misunderstood it and : I gave an NO to package which cant be denied. hp-ux doesn't have lastlog, and you shouldn't need --without-lastlog. but something is broken if you define it, because i see #define CONF_LASTLOG_FILE "no" as a result. can someone else look into this? : Btw, I came across contrib/hpux [nice :>] and there is a little typo : for installing egd.rc in the README: : # ln -s /sbin/init.d/sshd.rc /sbin/rc1.d/K600egd : # ln -s /sbin/init.d/sshd.rc /sbin/rc2.d/S400egd : which should read : # ln -s /sbin/init.d/egd.rc /sbin/rc1.d/K600egd : # ln -s /sbin/init.d/egd.rc /sbin/rc2.d/S400egd thanks :) i noticed that while sitting on a plane in november, and snapshots/cvs from around december have the fix. From wendyp at cray.com Wed Jan 31 06:51:39 2001 From: wendyp at cray.com (Wendy Palm) Date: Tue, 30 Jan 2001 13:51:39 -0600 Subject: sigchld_handler2. References: Message-ID: <3A771B4B.220AE5EE@cray.com> mouring at etoh.eviladmin.org wrote: > > On Thu, 18 Jan 2001, Alain St-Denis wrote: > > > > > On 2.3.0p1, we have been experiencing the SSH2 stdout truncation problem > > that was reported by a few users. > > > > I built the 20010115 snapshot. It seems to correct the problem but > > before I was able to test it, I had to change sigchld_handler2 so it > > would not reset the signal handler before waitpid is called. On Irix, it > > seems a SIGCHLD is delivered for ever... > > > > This has been talked about on HP/UX platform as well. The feeling is that > sigaction() may be a better solution. However, nothing has appeared in > the OpenBSD tree in regards to that solution yet. i'll second (third?) this. i'm porting a version for the Cray platforms, and it experiences the same problem. the fix alain suggests works great for us. > > - Ben -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From tom at avatar.itc.nrcs.usda.gov Wed Jan 31 07:32:13 2001 From: tom at avatar.itc.nrcs.usda.gov (Tom Rudnick) Date: Tue, 30 Jan 2001 13:32:13 -0700 (MST) Subject: dsa_verify signature incorrect Message-ID: <200101302032.NAA03525@avatar.itc.nrcs.usda.gov> I am building version 2.3.0p1 of openssh on a UnixWare 2.03 system and am unable to connect with SSH 2. The error I get is: debug: len 55 datafellows 0 debug: dsa_verify: signature incorrect dsa_verify failed for server_host_key The build environment is as follows: gcc 2.95.1 openssl-0.9.6-beta2 I've looked through the archives and found similar problems related to version incompatabilities. In this case, I have the same version (2.3.0p1) on both ends. I got the same error with 2.2.0p1. Where should I look next? -Tom -- ----------------/---------------------------------------------- Tom Rudnick | USDA Natural Resources Conservation Service Fort Collins,CO | tom at avatar.itc.nrcs.usda.gov (970) 295-5427 ** The 3rd Millennium starts Jan 1, 2001. see: ** ** http://aa.usno.navy.mil/AA/faq/docs/millennium.html ** -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- From sunil at redback.com Wed Jan 31 07:51:40 2001 From: sunil at redback.com (Sunil K. Vallamkonda) Date: Tue, 30 Jan 2001 12:51:40 -0800 (PST) Subject: seed_rng() error: In-Reply-To: Message-ID: I am getting error: In file: entropy.c routine: seed_rng() if (!RAND_status()) { fatal("Entropy collection failed and entropy exhausted "); Any suggestions ? Thank you. From djm at mindrot.org Wed Jan 31 09:11:25 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 31 Jan 2001 09:11:25 +1100 (EST) Subject: seed_rng() error: In-Reply-To: Message-ID: On Tue, 30 Jan 2001, Sunil K. Vallamkonda wrote: > > I am getting error: > > In file: entropy.c > routine: seed_rng() > if (!RAND_status()) { > fatal("Entropy collection failed and entropy exhausted "); > > Any suggestions ? You should have received quite a few errors before this one. What were they? -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From djm at mindrot.org Wed Jan 31 09:59:10 2001 From: djm at mindrot.org (Damien Miller) Date: Wed, 31 Jan 2001 09:59:10 +1100 (EST) Subject: HP-UX lastlog / contrib In-Reply-To: Message-ID: On Tue, 30 Jan 2001, Kevin Steves wrote: > hp-ux doesn't have lastlog, and you shouldn't need --without-lastlog. > but something is broken if you define it, because i see #define > CONF_LASTLOG_FILE "no" as a result. can someone else look into this? Fixed. --with-lastlog=no is now equivalent to --disable-lastlog -d -- | ``We've all heard that a million monkeys banging on | Damien Miller - | a million typewriters will eventually reproduce the | | works of Shakespeare. Now, thanks to the Internet, / | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org From sunil at redback.com Wed Jan 31 10:05:41 2001 From: sunil at redback.com (Sunil K. Vallamkonda) Date: Tue, 30 Jan 2001 15:05:41 -0800 (PST) Subject: seed_rng() error: In-Reply-To: Message-ID: Damien Miller, Thank you for heads up. Yes, I see the problem now. I see error: Couldn't open random pool "/dev/urandom": No such file or directory I know the fix on my system. Thank you. Sunil. On Wed, 31 Jan 2001, Damien Miller wrote: > On Tue, 30 Jan 2001, Sunil K. Vallamkonda wrote: > > > > > I am getting error: > > > > In file: entropy.c > > routine: seed_rng() > > if (!RAND_status()) { > > fatal("Entropy collection failed and entropy exhausted "); > > > > Any suggestions ? > > You should have received quite a few errors before this one. What were > they? > > -d > > -- > | ``We've all heard that a million monkeys banging on | Damien Miller - > | a million typewriters will eventually reproduce the | > | works of Shakespeare. Now, thanks to the Internet, / > | we know this is not true.'' - Robert Wilensky UCB / http://www.mindrot.org > > > > From tim at multitalents.net Wed Jan 31 13:09:37 2001 From: tim at multitalents.net (Tim Rice) Date: Tue, 30 Jan 2001 18:09:37 -0800 (PST) Subject: dsa_verify signature incorrect In-Reply-To: <200101302032.NAA03525@avatar.itc.nrcs.usda.gov> Message-ID: On Tue, 30 Jan 2001, Tom Rudnick wrote: > > I am building version 2.3.0p1 of openssh on a UnixWare 2.03 system > and am unable to connect with SSH 2. The error I get is: > > debug: len 55 datafellows 0 > debug: dsa_verify: signature incorrect > dsa_verify failed for server_host_key > > The build environment is as follows: > > gcc 2.95.1 > openssl-0.9.6-beta2 Just a thought here. Does the openssl "make test" pass. I'll bet it fails. The default build of openssl-0.9.6 on UnixWare 2.03 builds but fails make test. There is optimizer problem on 2.03. Get rid of the -O -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From roumen.petrov at skalasoft.com Wed Jan 31 20:06:20 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Wed, 31 Jan 2001 11:06:20 +0200 Subject: dsa_verify signature incorrect References: Message-ID: <3A77D58C.6050103@skalasoft.com> Tim Rice wrote: > On Tue, 30 Jan 2001, Tom Rudnick wrote: > > >> I am building version 2.3.0p1 of openssh on a UnixWare 2.03 system >> and am unable to connect with SSH 2. The error I get is: >> >> debug: len 55 datafellows 0 >> debug: dsa_verify: signature incorrect >> dsa_verify failed for server_host_key >> >> The build environment is as follows: >> >> gcc 2.95.1 >> openssl-0.9.6-beta2 > > > Just a thought here. Does the openssl "make test" pass. > I'll bet it fails. > The default build of openssl-0.9.6 on UnixWare 2.03 builds but fails > make test. > > There is optimizer problem on 2.03. Get rid of the -O On slack linux with gcc 2.95.2 and openssl-0.9.6 ( make test is OK ) and output from ssh -v conection to SSH 2.4.0 is .... debug: len 55 datafellows 0 debug: dsa_verify: signature correct .... From Markus.Friedl at informatik.uni-erlangen.de Wed Jan 31 21:08:06 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 31 Jan 2001 11:08:06 +0100 Subject: dsa_verify signature incorrect In-Reply-To: <200101302032.NAA03525@avatar.itc.nrcs.usda.gov>; from tom@avatar.itc.nrcs.usda.gov on Tue, Jan 30, 2001 at 01:32:13PM -0700 References: <200101302032.NAA03525@avatar.itc.nrcs.usda.gov> Message-ID: <20010131110806.A27720@faui02.informatik.uni-erlangen.de> On Tue, Jan 30, 2001 at 01:32:13PM -0700, Tom Rudnick wrote: > > I am building version 2.3.0p1 of openssh on a UnixWare 2.03 system > and am unable to connect with SSH 2. The error I get is: > > debug: len 55 datafellows 0 > debug: dsa_verify: signature incorrect > dsa_verify failed for server_host_key > > The build environment is as follows: > > gcc 2.95.1 > openssl-0.9.6-beta2 openssl-0.9.6-beta2 is broken. From roumen.petrov at skalasoft.com Wed Jan 31 22:25:20 2001 From: roumen.petrov at skalasoft.com (Roumen Petrov) Date: Wed, 31 Jan 2001 13:25:20 +0200 Subject: PTY Message-ID: <3A77F620.10806@skalasoft.com> environment 1)compiler: cc -v Reading specs from /usr/lib/gcc-lib/i386-slackware-linux/2.95.2/specs gcc version 2.95.2 19991024 (release) 2)openssh: CVS from 31 jan 2001 3)libc: GNU libc 2.2.1 output form make pty.o is: #make pty.o gcc -g -O2 -Wall -I/usr/local/ssl/include -I. -I. -DETCDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -DHAVE_CONFIG_H -c pty.c pty.c: In function `pty_allocate': pty.c:55: warning: implicit declaration of function `openpty' This is old warning but today i have time to investigate. GNU libc has pty.h and openssh has pty.h Problem is that system ( from libc ) pty.h is never included, but !!! OpenSSH work well good with openpty method. how to stop this warning and to include pty.h from libc : 1) to rename pty.X to ssh-pty.X plus changes from #include "pty.h" to #include "ssh-pty.h" in header/source files 2) to put pty.h in subfolder XXXssh and use #include "XXXssh/pty.h" in header/source files 3) to add in configure.in line: ...... ...*-*-linux*) CPPFLAGS="-I/usr/include $CPPFLAGS" ...... From cereal at enitel.no Sun Jan 14 22:05:02 2001 From: cereal at enitel.no (Aleksander Olsen) Date: Sun, 14 Jan 2001 12:05:02 +0100 Subject: openssh help Message-ID: <001301c07e19$d7ef99e0$333a4382@cereal> Hello Just want to say thank you :) and ask you a question... Yesterday I upgradet to the newest release. I had openssh compiled at path /usr/local/openssh.x.x and simply "make clean" and "make distclean" from the dir. I allso rm'd all the ssh* files from the /usr/local/etc/ dir. Hostfiles etc. etc.. Then i rm -rf'd the earlyer release. untared the new one in the same /usr/local and ran the commands: "LIBS=-lcrypt ./configure" "make" "make install" then i started the new one with "sshd" Now the real question comes... What did I do wrong? After sending the sshd some amounts of bytes over ex. putty or secure crt i get disconnected. When ssh2'ing in i get to send 187 bytes every time. No more, no less. I did not have this problem before "upgrading" . My OS is Slackware 7.1 and running kernel 2.2.18. Help! I dont want to use telnet anymore! :) I'm really looking forward for an answer, and hope you know whats wrong. regards, Aleksander Olsen cereal at enitel.no