From bugzilla-daemon at mindrot.org Mon Apr 1 00:03:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 1 Apr 2002 00:03:32 +1000 (EST)
Subject: [Bug 109] sftp hangs when a tcsh user types quit or exit
Message-ID: <20020331140332.9AF5CE918@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=109

------- Additional Comments From andrewb at cs.mcgill.ca 2002-04-01 00:03 -------
It happened with:
Client @ : OpenSSH_2.9p2 (Shell tcsh on both sides)
Server @ : OpenSSH_3.0.2p1 (Solaris 7)
As soon as the client was upgraded or downgraded this problem stopped.
Thank you all for your time.
There are no problems connecting to an OpenSSH_3.1p1 server.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From markus at openbsd.org Mon Apr 1 02:51:08 2002
From: markus at openbsd.org (Markus Friedl)
Date: Sun, 31 Mar 2002 18:51:08 +0200
Subject: scp : Problems with pathing
In-Reply-To:
References: <200203301319.IAA05013@heimdall.ttsg.com>
Message-ID: <20020331165108.GA10285@folly>

On Sat, Mar 30, 2002 at 10:33:05AM -0800, Tim Rice wrote:
> So the path you want, "_PATH_STDPATH" will not be used.
> I'm not sure what to do about it. I have no BSD here.

BSD/OS uses the path from /etc/login.conf

From tuc at ttsg.com Mon Apr 1 03:01:46 2002
From: tuc at ttsg.com (Tuc)
Date: Sun, 31 Mar 2002 12:01:46 -0500 (EST)
Subject: scp : Problems with pathing
In-Reply-To: <20020331165108.GA10285@folly> from "Markus Friedl" at Mar 31, 2002 06:51:08 PM
Message-ID: <200203311701.MAA00439@heimdall.ttsg.com>

>
> On Sat, Mar 30, 2002 at 10:33:05AM -0800, Tim Rice wrote:
> > So the path you want, "_PATH_STDPATH" will not be used.
> > I'm not sure what to do about it. I have no BSD here.
>
> BSD/OS uses the path from /etc/login.conf
>
Ok. So which is the correct behaviour? Is it supposed to prefer the user's path over the compiled-in path? Is there something I can pass to tell it to IGNORE the user's path? Should I just change the config.h or defines.h to say we don't have the facility to use the getenv('PATH') stuff?

Thanks, Tuc/TTSG Internet Services, Inc.

From bugzilla-daemon at mindrot.org Mon Apr 1 14:13:46 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 1 Apr 2002 14:13:46 +1000 (EST)
Subject: [Bug 119] Occasionally, SSH failed to connect and timeout after 2 hrs!
Message-ID: <20020401041346.88660E93D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=119

------- Additional Comments From anguslau at hongkong.com 2002-04-01 14:13 -------
Before I make the ssh connection, the time is 'Tue Feb 12 04:10:04 HKT 2002'. After the ssh fails to connect (ssh_exchange_identification: read: Connection reset by peer), the time is Tue Feb 12 06:11:39 HKT 2002. ssh waits for 2 hrs before declaring that the connection failed!

From bugzilla-daemon at mindrot.org Mon Apr 1 17:49:34 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 1 Apr 2002 17:49:34 +1000 (EST)
Subject: [Bug 189] pam_setcred() failures should not be treated as fatal
Message-ID: <20020401074934.C2917E966@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=189

------- Additional Comments From stevesk at pobox.com 2002-04-01 17:49 -------
Why should pam_setcred() failures not be treated as fatal?

From J.S.Peatfield at damtp.cam.ac.uk Mon Apr 1 17:54:25 2002
From: J.S.Peatfield at damtp.cam.ac.uk (Jon Peatfield)
Date: Mon, 01 Apr 2002 08:54:25 +0100
Subject: path to find ssh-rand-helper
Message-ID: <200204010754.g317sOs14128.redmires.amtp.cam.ac.uk@damtp.cam.ac.uk>

Before I actually implement the small changes needed to allow the location of ssh-rand-helper to be specified in the config file, I'd like to check that in doing so I won't be opening up a huge security hole.

My brief reading of the code suggests that in entropy.c:seed_rng() the ssh-rand-helper is run as the original uid (for binaries which were setuid in the first place, of course), so I can't spot any obvious holes (but I may not be devious enough).

Since almost all the other paths can be overridden in the config (or with -o), and the config file location can also be controlled from the command line (-F for ssh, -f for sshd), I can't see any good reason why the ssh-rand-helper location can't also be...

[ I will then nobble ssh-rand-helper to take the prng_cmds from a user-specified source and I'll have a way to give people a small set of files to install anywhere (with a helper shell script to specify all the paths etc) ]

--
Jon Peatfield, DAMTP, Computer Officer, University of Cambridge
Telephone: +44 1223 3 37852 Mail: J.S.Peatfield at damtp.cam.ac.uk

From bugzilla-daemon at mindrot.org Mon Apr 1 19:11:28 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 1 Apr 2002 19:11:28 +1000 (EST)
Subject: [Bug 195] New: Openssh3.1.0 "make" failure
Message-ID: <20020401091128.9F923E9A0@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=195

Summary: Openssh3.1.0 "make" failure
Product: Portable OpenSSH
Version: 3.0.1p1
Platform: ix86
OS/Version: OpenBSD
Status: NEW
Severity: normal
Priority: P2
Component: Build system
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: arctor002 at hotmail.com

Attempting to build OpenSSH 3.1.0 on OpenBSD 2.9 fails. The 2.9 patch info is unnecessarily buried.

Sorry for the hassle from me, gentlemen, but information on the OBSD 2.9 patch for OpenSSH 3.1 is buried. This is exactly the sort of thing that belongs in the FAQ (I would think), so if it's possible, please either update the FAQ at openssh.org or pass along some feedback to the OpenBSD people. I know I can't be the only anklebiter to have this problem. Thanks for your time.

From bugzilla-daemon at mindrot.org Tue Apr 2 01:35:10 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Apr 2002 01:35:10 +1000 (EST)
Subject: [Bug 196] New: wrong sent message id on upload
Message-ID: <20020401153510.A9F60E916@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=196

Summary: wrong sent message id on upload
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: other
Status: NEW
Severity: major
Priority: P2
Component: sftp
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: chombier at mac.com

In sftp_client.c, do_upload() function, the 'id' variable is used for both the sent and the received message ids; this corrupts the id of the messages to send and randomly generates upload failures. The fix is to use another variable to extract the received message id, status_id, as done in do_download().

From jdennis at law.harvard.edu Tue Apr 2 02:21:52 2002
From: jdennis at law.harvard.edu (James Dennis)
Date: Mon, 1 Apr 2002 11:21:52 -0500
Subject: chroot.diff
Message-ID: <20020401112152.401e56f8.jdennis@law.harvard.edu>

Hello,

I'm not sure if this is the list to mail, but I have updated chroot.diff for openssh 3.1. I thought more people are most likely using this and figured some people may lack the ability to update it themselves, as certain functions were modified enough to require new function prototypes etc... I'd be happy to modify this again for future releases if you'd like. As I'm not on this mailing list please cc jdennis at law.harvard.edu.

--
James Dennis
Codito, ergo sum

-------------- next part --------------
A non-text attachment was scrubbed...
Name: chroot.diff
Type: application/octet-stream
Size: 2561 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020401/10605539/attachment.obj

From jdennis at law.harvard.edu Tue Apr 2 02:25:36 2002
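Bug 196 above reports that do_upload() reads the received message id into the same variable it uses to number outgoing messages. As an added illustration (a constructed model written for this page, not OpenSSH's sftp-client.c), the C program below tracks in-flight write requests the way an SFTP client must, and shows that the mix-up is harmless while only one write is outstanding but corrupts the request numbering as soon as several are in flight:

```c
#include <stdio.h>

/* Constructed model of the request/acknowledgement bookkeeping in an SFTP
 * client's upload loop (not OpenSSH's code). Every SSH_FXP_WRITE carries a
 * fresh request id, and the server's SSH_FXP_STATUS reply echoes that id;
 * that echo is how the client knows which in-flight chunk was acknowledged. */

#define WINDOW_MAX 16   /* most writes allowed in flight at once */
#define CHUNKS_MAX 256  /* capacity of the fake server's reply queue */

struct inflight {
	unsigned ids[WINDOW_MAX];
	int n;
};

/* Stand-in for the server: it queues the request ids it receives and
 * acknowledges them first-in, first-out, as a real server typically does. */
struct fake_server {
	unsigned queue[CHUNKS_MAX];
	int head, tail;
};

static void server_take_write(struct fake_server *s, unsigned id)
{
	s->queue[s->tail++] = id;
}

static unsigned server_next_status(struct fake_server *s)
{
	return s->queue[s->head++];
}

static int inflight_find(const struct inflight *f, unsigned id)
{
	for (int i = 0; i < f->n; i++)
		if (f->ids[i] == id)
			return i;
	return -1;
}

static void inflight_remove(struct inflight *f, int idx)
{
	f->ids[idx] = f->ids[--f->n];   /* swap the last entry into the hole */
}

/*
 * Upload nchunks chunks with at most `window` writes outstanding.
 * reuse_id != 0 reads each status reply's id into the same `id` that
 * numbers outgoing requests (the pattern Bug 196 reports); reuse_id == 0
 * keeps a separate status_id, as the report says do_download() does.
 *
 * Returns the number of chunks acknowledged; -1 if the client is about to
 * send a request id that is still in flight (two writes would then be
 * indistinguishable, so matching acks to chunks breaks); -2 for a status
 * reply whose id nothing is waiting on ("Unexpected ACK"); -3 on bad args.
 */
static int upload(int nchunks, int window, int reuse_id)
{
	struct fake_server srv = { {0}, 0, 0 };
	struct inflight f = { {0}, 0 };
	unsigned id = 0, status_id = 0, got;
	int sent = 0, acked = 0, idx;

	if (window < 1 || window > WINDOW_MAX || nchunks < 0 || nchunks > CHUNKS_MAX)
		return -3;

	while (acked < nchunks) {
		if (sent < nchunks && f.n < window) {
			unsigned req_id = ++id;         /* number the next write */
			if (inflight_find(&f, req_id) >= 0)
				return -1;              /* id collides with a live request */
			f.ids[f.n++] = req_id;
			server_take_write(&srv, req_id);
			sent++;
			continue;
		}
		/* Window full, or nothing left to send: read one status reply. */
		if (reuse_id)
			got = id = server_next_status(&srv);   /* clobbers the counter */
		else
			got = status_id = server_next_status(&srv);
		idx = inflight_find(&f, got);
		if (idx < 0)
			return -2;
		inflight_remove(&f, idx);
		acked++;
	}
	return acked;
}

int main(void)
{
	printf("fixed, window 4: %d chunks acked\n", upload(10, 4, 0));          /* 10 */
	printf("buggy, window 1: %d chunks acked\n", upload(10, 1, 1));          /* 10: bug hidden */
	printf("buggy, window 4: %d (duplicate request id)\n", upload(10, 4, 1)); /* -1 */
	return 0;
}
```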
From: jdennis at law.harvard.edu (James Dennis)
Date: Mon, 1 Apr 2002 11:25:36 -0500
Subject: chroot.diff
Message-ID: <20020401112536.547ef88d.jdennis@law.harvard.edu>

Looks like I diff'd 'em backwards. Whoops!

--
James Dennis
Codito, ergo sum

-------------- next part --------------
A non-text attachment was scrubbed...
Name: chroot.diff
Type: application/octet-stream
Size: 2561 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020401/45297924/attachment.obj

From bonomo at sal.wisc.edu Tue Apr 2 03:38:37 2002
From: bonomo at sal.wisc.edu (Richard Bonomo)
Date: Mon, 1 Apr 2002 11:38:37 -0600 (CST)
Subject: entropy problems IRIX
Message-ID: <200204011738.g31Hcbw274460@maddog.sal.wisc.edu>

Hello!

I am running openSSH 2.9x on an IRIX 6.5.x platform. This was recently installed using SGI-supplied "freeware" binaries.

I find that as time goes on, it takes more attempts to establish an ssh connection from the IRIX platform to another machine, as it fails with "not enough entropy in PRNG." I posted a note asking for assistance, and received a reply suggesting I install PRNGd, which I did. Unfortunately, it looks like the binaries were not compiled with PRNGd support.

Before I attempt to download and compile a fresh version of this utility (which tends to be problematic with our installations), I would like to know if there is some way of tweaking openssh's internal "entropy generator" to fix this problem. Does anyone know?

Thank you.

Richard B.

--
Richard Bonomo
UW Space Astronomy Laboratory
ph: (608) 263-4683 telefacsimile: (608) 263-0361
SAL-related email: bonomo at sal.wisc.edu
all other email: bonomo at ece.wisc.edu
web page URL: http://www.cae.wisc.edu/~bonomo

From mouring at etoh.eviladmin.org Tue Apr 2 03:44:05 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 1 Apr 2002 11:44:05 -0600 (CST)
Subject: path to find ssh-rand-helper
In-Reply-To: <200204010754.g317sOs14128.redmires.amtp.cam.ac.uk@damtp.cam.ac.uk>
Message-ID:

Since ssh-keygen does not read (and should not) the sshd_config nor ssh_config files, adding that ability to the configuration file is really useless in the larger scheme.

I would personally rather see a nice, clearly documented mini-howto or FAQ entry explaining how to set up prng or egd w/ OpenSSL. That way ssh-rand-helper is not run, since OpenSSL can internally seed itself.

ssh-rand-helper should be viewed as your last line of defence on a box that lacks kernel entropy devices (read: a user without root access installing the ssh client).

On Mon, 1 Apr 2002, Jon Peatfield wrote:

> Before I actually implement the small changes needed to allow the
> location of ssh-rand-helper to be specified in the config file, I'd
> like to check that in doing so I won't be opening up a huge security
> hole.
>
> My brief reading of the code suggests that in entropy.c:seed_rng() the
> ssh-rand-helper is run as the original uid (for binaries which were
> setuid in the first place of course), so I can't spot any obvious
> holes (but I may not be devious enough).
>
> Since almost all the other paths can be overridden in the config (or
> with -o), and the config file location can also be controlled from the
> command line (-F for ssh, -f for sshd), I can't see any good reason
> why the ssh-rand-helper location can't also be...
>
> [ I will then nobble ssh-rand-helper to take the prng_cmds from a
> user-specified source and I'll have a way to give people a small set
> of files to install anywhere (with a helper shell script to specify
> all the paths etc) ]
>
> --
> Jon Peatfield, DAMTP, Computer Officer, University of Cambridge
> Telephone: +44 1223 3 37852 Mail: J.S.Peatfield at damtp.cam.ac.uk

From mouring at etoh.eviladmin.org Tue Apr 2 03:47:15 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 1 Apr 2002 11:47:15 -0600 (CST)
Subject: entropy problems IRIX
In-Reply-To: <200204011738.g31Hcbw274460@maddog.sal.wisc.edu>
Message-ID:

${PREFIX}/etc/ssh_prng_cmds lists all the commands that are used for gathering entropy. If you run ssh -v -v -v (or sshd -d -d -d respectively) you will see which commands are failing and succeeding, and that may help you to tweak it.

However, remember that anything below 3.1 has a security advisory out on it, which basically sums up to being a post-authentication root hole. You really should upgrade to 3.1.

- Ben

On Mon, 1 Apr 2002, Richard Bonomo wrote:

>
> Hello!
>
> I am running openSSH 2.9x on an IRIX 6.5.x platform.
> This was recently installed using SGI-supplied
> "freeware" binaries.
>
> I find that as time goes on, it takes more attempts
> to establish an ssh connection from the IRIX platform
> to another machine, as it fails with "not enough entropy
> in PRNG." I posted a note asking for assistance, and
> received a reply suggesting I install PRNGd, which
> I did. Unfortunately, it looks like the binaries
> were not compiled with PRNGd support.
>
> Before I attempt to download and compile a fresh
> version of this utility (which tends to be
> problematic with our installations), I would
> like to know if there is some way of tweaking
> openssh's internal "entropy generator" to fix
> this problem. Does anyone know?
>
> Thank you.
>
> Richard B.
>
> --
> Richard Bonomo
> UW Space Astronomy Laboratory
> ph: (608) 263-4683 telefacsimile: (608) 263-0361
> SAL-related email: bonomo at sal.wisc.edu
> all other email: bonomo at ece.wisc.edu
> web page URL: http://www.cae.wisc.edu/~bonomo

From Maria.Wiese at McKesson.com Tue Apr 2 03:51:52 2002
From: Maria.Wiese at McKesson.com (Wiese, Maria)
Date: Mon, 1 Apr 2002 09:51:52 -0800
Subject: OpenSSH password expiration in Solaris
Message-ID: <23ED36D4661BD51199E000D0B782508D014C80F4@ddce0051.mckesson.com>

I have a question regarding userid password expiration and OpenSSH. When using telnet to a Solaris server with an expired userid, the telnet session allows the user to enter a new password, but when the user uses ssh instead, the password expiration is ignored and it lets the user log on.

How can I make ssh recognize that the password has expired? I

From bugzilla-daemon at mindrot.org Tue Apr 2 04:07:09 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Apr 2002 04:07:09 +1000 (EST)
Subject: [Bug 192] monitor.c:545: undefined reference to `auth_password with USE_PAM on
Message-ID: <20020401180709.5D9E8E9C2@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=192

stevesk at pobox.com changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |NEW      |RESOLVED
Resolution |         |FIXED

------- Additional Comments From stevesk at pobox.com 2002-04-02 04:07 -------
- (stevesk) [monitor.c] PAM should work again; will *not* work with UsePrivilegeSeparation=yes.

From Maria.Wiese at McKesson.com Tue Apr 2 04:06:20 2002
From: Maria.Wiese at McKesson.com (Wiese, Maria)
Date: Mon, 1 Apr 2002 10:06:20 -0800
Subject: OpenSSH password expiration in Solaris
Message-ID: <23ED36D4661BD51199E000D0B782508D014C80F5@ddce0051.mckesson.com>

> -----Original Message-----
> From: Wiese, Maria
> Sent: Monday, April 01, 2002 9:52 AM
> To: 'openssh-unix-dev at mindrot.org'
> Subject: OpenSSH password expiration in Solaris
>
> I have a question regarding userid password expiration and OpenSSH. When
> using telnet to a solaris server with an expired userid, the
> telnet session allows the user to enter a new password, but the user ssh
> instead the password expiration is ignored and it let the user
> logon.
> How can I make ssh recognize that the password has expired ?.
>
Forgot to mention, I am running OpenSSH V31p1 with sshv1 disabled, so the parameter ForcePasswdChange does not work.

From markus at openbsd.org Tue Apr 2 02:43:35 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 1 Apr 2002 18:43:35 +0200
Subject: scp : Problems with pathing
In-Reply-To: <200203311701.MAA00439@heimdall.ttsg.com>
References: <20020331165108.GA10285@folly> <200203311701.MAA00439@heimdall.ttsg.com>
Message-ID: <20020401164335.GB21298@folly>

On Sun, Mar 31, 2002 at 12:01:46PM -0500, Tuc wrote:
> >
> > On Sat, Mar 30, 2002 at 10:33:05AM -0800, Tim Rice wrote:
> > > So the path you want, "_PATH_STDPATH" will not be used.
> > > I'm not sure what to do about it. I have no BSD here.
> >
> > BSD/OS uses the path from /etc/login.conf
> >
> Ok. So which is the correct behaviour. Is it supposed to prefer the
> users path, over the compiled in path? Is there something I can pass to tell
> it to IGNORE the users path? Should I just change the config.h or defines.h
> to say we don't have the facility to use the getenv('PATH') stuff?

we set the path from login.conf and re-read it with getenv. if your dot-whatever overrides the path, then you need to fix dot-whatever. there is no such thing as the 'users path'.

From kevin at atomicgears.com Tue Apr 2 04:42:17 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Mon, 1 Apr 2002 10:42:17 -0800 (PST)
Subject: OpenSSH password expiration in Solaris
In-Reply-To: <23ED36D4661BD51199E000D0B782508D014C80F4@ddce0051.mckesson.com>
Message-ID:

On Mon, 1 Apr 2002, Wiese, Maria wrote:
:I have a question regarding userid password expiration and OpenSSH. When
:using telnet to a solaris server with an expired userid, the
:telnet session allows the user to enter a new password, but the user ssh
:instead the password expiration is ignored and it let the user
:logon.
:How can I make ssh recognize that the password has expired ?. I

I plan to integrate this patch for 3.2:
http://bugzilla.mindrot.org/show_bug.cgi?id=14

Another option would be to use PAM (preferable in general I think) but it's not working in some cases now on solaris:
http://bugzilla.mindrot.org/show_bug.cgi?id=129

From tuc at ttsg.com Tue Apr 2 05:41:51 2002
From: tuc at ttsg.com (Tuc)
Date: Mon, 1 Apr 2002 14:41:51 -0500 (EST)
Subject: scp : Problems with pathing
In-Reply-To: <20020401164335.GB21298@folly> from "Markus Friedl" at Apr 01, 2002 06:43:35 PM
Message-ID: <200204011941.OAA03593@heimdall.ttsg.com>

>
> On Sun, Mar 31, 2002 at 12:01:46PM -0500, Tuc wrote:
> > >
> > > On Sat, Mar 30, 2002 at 10:33:05AM -0800, Tim Rice wrote:
> > > > So the path you want, "_PATH_STDPATH" will not be used.
> > > > I'm not sure what to do about it. I have no BSD here.
> > >
> > > BSD/OS uses the path from /etc/login.conf
> > >
> > Ok. So which is the correct behaviour. Is it supposed to prefer the
> > users path, over the compiled in path? Is there something I can pass to tell
> > it to IGNORE the users path? Should I just change the config.h or defines.h
> > to say we don't have the facility to use the getenv('PATH') stuff?
>
> we set the path from login.conf and re-read if with getenv. if your
> dot-whatever overrides the path, then you need to fix dot-whatever.
> there is no such thing as the 'users path'.
>
My bad, I used the incorrect terms. Ok, so what is the correct behaviour? Is it supposed to prefer the path set in /etc/login.conf over the compiled-in path? Is there something I can pass to tell it not to do the getenv call, and use the path compiled into it? So which should it trust? The getenv call or the compiled-in one?

Thanks, Tuc/TTSG Internet Services, Inc.

From bugzilla-daemon at mindrot.org Tue Apr 2 06:42:25 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Apr 2002 06:42:25 +1000 (EST)
Subject: [Bug 197] New: Error getting file with sftp on old F-Secure servers
Message-ID: <20020401204225.71E11E9E1@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=197

Summary: Error getting file with sftp on old F-Secure servers
Product: Portable OpenSSH
Version: 3.1p1
Platform: Sparc
OS/Version: Solaris
Status: NEW
Severity: major
Priority: P2
Component: sftp
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: gcmccone at west.raytheon.com

As of OpenSSH 3.1p1, when connected to an older F-Secure server (2.0.12 to be specific) via sftp, a get on a file returns:

"Server version does not support lstat operation"

Everything works fine when connected to an OpenSSH server. The sftp from OpenSSH 3.0p1 works just fine with all versions of F-Secure.

From bugzilla-daemon at mindrot.org Tue Apr 2 06:45:48 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Apr 2002 06:45:48 +1000 (EST)
Subject: [Bug 198] New: Error getting file with sftp on old F-Secure servers
Message-ID: <20020401204548.8B844E9E8@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=198

Summary: Error getting file with sftp on old F-Secure servers
Product: Portable OpenSSH
Version: 3.1p1
Platform: Sparc
OS/Version: Solaris
Status: NEW
Severity: major
Priority: P2
Component: sftp
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: gcmccone at west.raytheon.com

As of OpenSSH 3.1p1, when connected to an older F-Secure server (2.0.12 to be specific) via sftp, a get on a file returns:

"Server version does not support lstat operation"

Everything works fine when connected to an OpenSSH server. The sftp from OpenSSH 3.0p1 works just fine with all versions of F-Secure.

Below is the makefile used to build.

-------------------------------------------------------------------------------
# $Id: Makefile.in,v 1.197 2002/02/26 19:24:22 mouring Exp $

prefix=/usr/local
exec_prefix=${prefix}
bindir=${exec_prefix}/bin
sbindir=${exec_prefix}/sbin
libexecdir=${exec_prefix}/libexec
datadir=${prefix}/share
mandir=${prefix}/man
mansubdir=man
sysconfdir=/usr/local/etc
piddir=/usr/local/etc
srcdir=.
top_srcdir=.

DESTDIR=
SSH_PROGRAM=${exec_prefix}/bin/ssh
ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
SFTP_SERVER=$(libexecdir)/sftp-server
PATHS= -DSSHDIR=\"$(sysconfdir)\" \
	-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
	-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
	-D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \
	-D_PATH_SSH_PIDDIR=\"$(piddir)\" \
	-DSSH_RAND_HELPER=\"$(libexecdir)/ssh-rand-helper\"

CC=gcc
LD=gcc
CFLAGS=-g -O2 -Wall -Wpointer-arith -Wno-uninitialized
CPPFLAGS=-I. -I$(srcdir) -I/home/gmccone/installs/openssl-0.9.6c/include -I/home/gmccone/installs/zlib-1.1.4 -I/usr/local/include $(PATHS) -DHAVE_CONFIG_H
LIBS=-lz -lsocket -lnsl -lcrypto
LIBPAM=-lpam -ldl
LIBWRAP=
AR=/usr/xpg4/bin/ar
RANLIB=ranlib
INSTALL=./install-sh -c
PERL=/home/gmccone/local/bin/perl
ENT=
XAUTH_PATH=/usr/openwin/bin/xauth
LDFLAGS=-L. -Lopenbsd-compat/ -R/home/gmccone/installs/openssl-0.9.6c -L/home/gmccone/installs/openssl-0.9.6c -L/home/gmccone/installs/zlib-1.1.4 -R/home/gmccone/installs/zlib-1.1.4 -L/usr/local/lib -R/usr/local/lib
EXEEXT=
SSH_MODE= 0711

INSTALL_SSH_PRNG_CMDS=
INSTALL_SSH_RAND_HELPER=yes

SFTP_PROGS=sftp-server$(EXEEXT) sftp$(EXEEXT)

TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} $(SFTP_PROGS)

LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o deattack.o dh.o dispatch.o fatal.o mac.o hostfile.o key.o kex.o kexdh.o kexgex.o log.o match.o misc.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o scard.o ssh-dss.o ssh-rsa.o tildexpand.o ttymodes.o uidswap.o uuencode.o xmalloc.o

SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o

SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o

MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out
MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1
MANTYPE = man

CONFIGFILES=sshd_config.out ssh_config.out moduli.out
CONFIGFILES_IN=sshd_config ssh_config moduli

PATHSUBS = \
	-D/etc/ssh/ssh_config=$(sysconfdir)/ssh_config \
	-D/etc/ssh/ssh_known_hosts=$(sysconfdir)/ssh_known_hosts \
	-D/etc/ssh/sshd_config=$(sysconfdir)/sshd_config \
	-D/usr/libexec=$(libexecdir) \
	-D/etc/shosts.equiv=$(sysconfdir)/shosts.equiv \
	-D/etc/ssh/ssh_host_key=$(sysconfdir)/ssh_host_key \
	-D/etc/ssh/ssh_host_dsa_key=$(sysconfdir)/ssh_host_dsa_key \
	-D/etc/ssh/ssh_host_rsa_key=$(sysconfdir)/ssh_host_rsa_key \
	-D/var/run/sshd.pid=$(piddir)/sshd.pid \
	-D/etc/ssh/moduli=$(sysconfdir)/moduli \
	-D/etc/ssh/sshrc=$(sysconfdir)/sshrc \
	-D/usr/X11R6/bin/xauth=$(XAUTH_PATH) \
	-D/usr/bin:/bin:/usr/sbin:/sbin=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

FIXPATHSCMD = $(PERL) $(srcdir)/fixpaths $(PATHSUBS)

all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)

$(LIBSSH_OBJS): config.h
$(SSHOBJS): config.h
$(SSHDOBJS): config.h

.c.o:
	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<

LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
$(LIBCOMPAT): always
	(cd openbsd-compat && $(MAKE))
always:

libssh.a: $(LIBSSH_OBJS)
	$(AR) rv $@ $(LIBSSH_OBJS)
	$(RANLIB) $@

ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)

scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o
	$(LD) -o $@ scp.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o
	$(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)

sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o
	$(LD) -o $@ sftp-server.o sftp-common.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-int.o sftp-common.o sftp-glob.o
	$(LD) -o $@ sftp.o sftp-client.o sftp-common.o sftp-int.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o
	$(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)

# test driver for the loginrec code - not built by default
logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o
	$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat -lssh $(LIBS)

$(MANPAGES): $(MANPAGES_IN)
	if test "$(MANTYPE)" = "cat"; then \
		manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
	else \
		manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \
	fi; \
	if test "$(MANTYPE)" = "man"; then \
		$(FIXPATHSCMD) $${manpage} | $(PERL) $(srcdir)/mdoc2man.pl > $@; \
	else \
		$(FIXPATHSCMD) $${manpage} > $@; \
	fi

$(CONFIGFILES): $(CONFIGFILES_IN)
	conffile=`echo $@ | sed 's/.out$$//'`; \
	$(FIXPATHSCMD) $(srcdir)/$${conffile} > $@

clean:
	rm -f *.o *.a $(TARGETS) logintest config.cache config.log
	rm -f *.out core
	(cd openbsd-compat && $(MAKE) clean)

distclean:
	rm -f *.o *.a $(TARGETS) logintest config.cache config.log
	rm -f *.out core
	rm -f Makefile config.h config.status ssh_prng_cmds *~
	rm -rf autom4te.cache
	(cd openbsd-compat && $(MAKE) distclean)
	(cd scard && $(MAKE) distclean)

veryclean:
	rm -f configure config.h.in *.0
	rm -f *.o *.a $(TARGETS) logintest config.cache config.log
	rm -f *.out core
	rm -f Makefile config.h config.status ssh_prng_cmds *~
	(cd openbsd-compat && $(MAKE) distclean)
	(cd scard && $(MAKE) distclean)

mrproper: distclean

catman-do:
	@for f in $(MANPAGES_IN) ; do \
		base=`echo $$f | sed 's/\..*$$//'` ; \
		echo "$$f -> $$base.0" ; \
		nroff -mandoc $$f | cat -v | sed -e 's/.\^H//g' \
			>$$base.0 ; \
	done

distprep: catman-do
	autoreconf
	(cd scard && $(MAKE) -f Makefile.in distprep)

install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files host-key
install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files

scard-install:
	(cd scard && $(MAKE) DESTDIR=$(DESTDIR) install)

install-files: scard-install
	$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
	$(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir)
	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)
	$(srcdir)/mkinstalldirs $(DESTDIR)$(datadir)
	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1
	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
	$(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
	$(INSTALL) -m $(SSH_MODE) -s ssh $(DESTDIR)$(bindir)/ssh
	$(INSTALL) -m 0755 -s scp $(DESTDIR)$(bindir)/scp
	$(INSTALL) -m 0755 -s ssh-add $(DESTDIR)$(bindir)/ssh-add
	$(INSTALL) -m 0755 -s ssh-agent $(DESTDIR)$(bindir)/ssh-agent
	$(INSTALL) -m 0755 -s ssh-keygen $(DESTDIR)$(bindir)/ssh-keygen
	$(INSTALL) -m 0755 -s ssh-keyscan $(DESTDIR)$(bindir)/ssh-keyscan
	$(INSTALL) -m 0755 -s sshd $(DESTDIR)$(sbindir)/sshd
	if test ! -z "$(INSTALL_SSH_RAND_HELPER)" ; then \
		$(INSTALL) -m 0755 -s ssh-rand-helper $(DESTDIR)$(libexecdir)/ssh-rand-helper ; \
	fi
	$(INSTALL) -m 0755 -s sftp $(DESTDIR)$(bindir)/sftp
	$(INSTALL) -m 0755 -s sftp-server $(DESTDIR)$(SFTP_SERVER)
	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
	$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
	$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
	$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
	$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
	$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
	-rm -f $(DESTDIR)$(bindir)/slogin
	ln -s ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
	ln -s ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
	if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
		$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
	fi
	if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
		$(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
	else \
		echo "$(DESTDIR)$(sysconfdir)/ssh_config already exists, install will not overwrite"; \
	fi
	if [ ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \
		$(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \
	else \
		echo "$(DESTDIR)$(sysconfdir)/sshd_config already exists, install will not overwrite"; \
	fi
	if [ -f ssh_prng_cmds -a ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \
		$(PERL) $(srcdir)/fixprogs ssh_prng_cmds $(ENT); \
		if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds ] ; then \
			$(INSTALL) -m 644 ssh_prng_cmds.out $(DESTDIR)$(sysconfdir)/ssh_prng_cmds; \
		else \
			echo "$(DESTDIR)$(sysconfdir)/ssh_prng_cmds already exists, install will not overwrite"; \
		fi ; \
	fi
	if [ ! -f $(DESTDIR)$(sysconfdir)/moduli ]; then \
		if [ -f $(DESTDIR)$(sysconfdir)/primes ]; then \
			echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
			mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
		else \
			$(INSTALL) -m 644 moduli.out $(DESTDIR)$(sysconfdir)/moduli; \
		fi ; \
	else \
		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
	fi

host-key: ssh-keygen$(EXEEXT)
	if [ -z "$(DESTDIR)" ] ; then \
		if [ -f "$(DESTDIR)$(sysconfdir)/ssh_host_key" ] ; then \
			echo "$(DESTDIR)$(sysconfdir)/ssh_host_key already exists, skipping." ; \
		else \
			./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N "" ; \
		fi ; \
		if [ -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key ] ; then \
			echo "$(DESTDIR)$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \
		else \
			./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N "" ; \
		fi ; \
		if [ -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key ] ; then \
			echo "$(DESTDIR)$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \
		else \
			./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N "" ; \
		fi ; \
	fi ;

host-key-force: ssh-keygen$(EXEEXT)
	./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""
	./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
	./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""

uninstallall: uninstall
	-rm -f $(DESTDIR)$(sysconfdir)/ssh_config
	-rm -f $(DESTDIR)$(sysconfdir)/sshd_config
	-rm -f $(DESTDIR)$(sysconfdir)/ssh_prng_cmds
	-rmdir $(DESTDIR)$(sysconfdir)
	-rmdir $(DESTDIR)$(bindir)
	-rmdir $(DESTDIR)$(sbindir)
	-rmdir $(DESTDIR)$(mandir)/$(mansubdir)1
	-rmdir $(DESTDIR)$(mandir)/$(mansubdir)8
	-rmdir $(DESTDIR)$(mandir)
	-rmdir $(DESTDIR)$(libexecdir)

uninstall:
	-rm -f $(DESTDIR)$(bindir)/slogin
	-rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT)
	-rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT)
	-rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
	-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
	-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
	-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
	-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
	-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the
assignee.

From markus at openbsd.org Tue Apr 2 06:45:48 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 1 Apr 2002 22:45:48 +0200
Subject: scp : Problems with pathing
In-Reply-To: <200204011941.OAA03593@heimdall.ttsg.com>
References: <20020401164335.GB21298@folly> <200204011941.OAA03593@heimdall.ttsg.com>
Message-ID: <20020401204548.GA11989@faui02>

for LOGIN_CAP the value from /etc/login.conf is used.

From bugzilla-daemon at mindrot.org Tue Apr 2 07:03:38 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Apr 2002 07:03:38 +1000 (EST)
Subject: [Bug 195] Openssh3.1.0 "make" failure
Message-ID: <20020401210338.A7A5AE9F6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=195

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
            Summary|Openssh3.1.0 "make" failure |Openssh3.1.0 "make" failure

------- Additional Comments From markus at openbsd.org 2002-04-02 07:03 -------
make works fine for openssh-3.1

information about running openssh on older openbsd systems is on
http://www.openssh.com/openbsd.html

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Apr 2 07:10:44 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Apr 2002 07:10:44 +1000 (EST)
Subject: [Bug 109] sftp hangs when a tcsh user types quit or exit
Message-ID: <20020401211044.5DF61E9FC@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=109

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From stevesk at pobox.com 2002-04-02 07:10 -------
thanks; closing

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Apr 2 07:16:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Apr 2002 07:16:51 +1000 (EST)
Subject: [Bug 187] ssh-keygen not converting from and to SECSH standard correctly
Message-ID: <20020401211651.C9FCBE9FF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=187

gcmccone at west.raytheon.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

------- Additional Comments From gcmccone at west.raytheon.com 2002-04-02 07:16 -------
Instance 1) is a non-issue. Misread the man file several times.

Instance 2) and 3) are still valid and were working in 3.0p1.

F-Secure is not SSH.COM

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Apr 2 07:28:44 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Apr 2002 07:28:44 +1000 (EST)
Subject: [Bug 198] Error getting file with sftp on old F-Secure servers
Message-ID: <20020401212844.75875E9FF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=198

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From markus at openbsd.org 2002-04-02 07:28 -------
*** This bug has been marked as a duplicate of 197 ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Apr 2 07:28:49 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Apr 2002 07:28:49 +1000 (EST)
Subject: [Bug 197] Error getting file with sftp on old F-Secure servers
Message-ID: <20020401212849.B2F59EA0B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=197

------- Additional Comments From markus at openbsd.org 2002-04-02 07:28 -------
*** Bug 198 has been marked as a duplicate of this bug. ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From tuc at ttsg.com Tue Apr 2 07:33:25 2002
From: tuc at ttsg.com (Tuc)
Date: Mon, 1 Apr 2002 16:33:25 -0500 (EST)
Subject: scp : Problems with pathing
In-Reply-To: <20020401204548.GA11989@faui02> from "Markus Friedl" at Apr 01, 2002 10:45:48 PM
Message-ID: <200204012133.QAA00686@heimdall.ttsg.com>

> 
> for LOGIN_CAP the value from /etc/login.conf is used.
> 
	Ok, great, thanks.

	Is there a way to convince it when it's configured with
./configure to either "ignore" we have LOGIN_CAP or something like that so
it DOES hardcode the _PATH_STDPATH in? I don't want to change /etc/login.conf
to add the /usr/local/bin path, so the only other thing I can do is
get it to use :

	child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);

	And to do that either HAVE_LOGIN_CAP_H or HAVE_LOGIN_GETCAPBOOL or both
need to be undefined. I can't find in "./configure" how to "fudge" it.

	Thanks, and I don't mean to be a pain, just trying to find out what
to do that I don't want to edit /etc/login.conf

		Tuc/TTSG Internet Services, Inc.

From bugzilla-daemon at mindrot.org Tue Apr 2 08:02:23 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Apr 2002 08:02:23 +1000 (EST)
Subject: [Bug 197] Error getting file with sftp on old F-Secure servers
Message-ID: <20020401220223.85C5BEA1A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=197

------- Additional Comments From markus at openbsd.org 2002-04-02 08:02 -------
Created an attachment (id=57)
fallback to stat if lstat is not supported

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Apr 2 08:13:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Apr 2002 08:13:51 +1000 (EST)
Subject: [Bug 197] Error getting file with sftp on old F-Secure servers
Message-ID: <20020401221351.2F72BEA25@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=197

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From markus at openbsd.org 2002-04-02 08:13 -------
patch committed

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From ANTIGEN_ABRA at wrq.com Tue Apr 2 08:14:22 2002
From: ANTIGEN_ABRA at wrq.com (ANTIGEN_ABRA)
Date: Mon, 1 Apr 2002 14:14:22 -0800
Subject: Antigen Notification:Antigen found FILE FILTER= *.pif file
Message-ID: <616772E97E38D31188FA00508B318ACA03FA42C6@abra.wrq.com>

Antigen for Exchange found href.pif matching FILE FILTER= *.pif file filter.
The file is currently Purged. The message, "Pytania prosze kierowac do ", was
sent from reklama and was discovered in IMC Queues\Inbound
located at WRQ/Seattle/ABRA.

From bugzilla-daemon at mindrot.org Tue Apr 2 09:33:03 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Apr 2002 09:33:03 +1000 (EST)
Subject: [Bug 197] Error getting file with sftp on old F-Secure servers
Message-ID: <20020401233303.ABEA2E9DB@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=197

gcmccone at west.raytheon.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

------- Additional Comments From gcmccone at west.raytheon.com 2002-04-02 09:32 -------
Accidentally committed twice. Closing this bug since 198 is the same and has
more info.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Apr 2 11:30:09 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Apr 2002 11:30:09 +1000 (EST)
Subject: [Bug 196] wront sent message id on upload
Message-ID: <20020402013009.43600E9DF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=196

------- Additional Comments From djm at mindrot.org 2002-04-02 11:30 -------
Created an attachment (id=58)
Fix for id clobbering

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Apr 2 11:31:35 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Apr 2002 11:31:35 +1000 (EST)
Subject: [Bug 196] wront sent message id on upload
Message-ID: <20020402013135.4C27FEA0C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=196

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Additional Comments From djm at mindrot.org 2002-04-02 11:31 -------
Thanks for spotting this - can you please try the attached patch?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From cmadams at hiwaay.net Tue Apr 2 12:47:45 2002
From: cmadams at hiwaay.net (Chris Adams)
Date: Mon, 1 Apr 2002 20:47:45 -0600
Subject: path to find ssh-rand-helper
In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, Apr 01, 2002 at 11:44:05AM -0600
References: <200204010754.g317sOs14128.redmires.amtp.cam.ac.uk@damtp.cam.ac.uk>
Message-ID: <20020401204745.A232035@hiwaay.net>

Once upon a time, Ben Lindstrom said:
> I would personally rather have seen a nice clearly documented mini-howto or FAQ
> entry explaining how to setup prng or egd w/ OpenSSL.  That way
> ssh-rand-helper is not run since OpenSSL can internally seed itself.

The PRNGD/EGD code was moved into ssh-rand-helper, so if you don't have
a kernel entropy device, ssh-rand-helper is required.
-- 
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From bugzilla-daemon at mindrot.org Tue Apr 2 13:27:33 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Apr 2002 13:27:33 +1000 (EST)
Subject: [Bug 199] New: ssh-agent -k doesn't check $SHELL environment variable
Message-ID: <20020402032733.9F59BEA43@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=199

           Summary: ssh-agent -k doesn't check $SHELL environment variable
           Product: Portable OpenSSH
           Version: 3.1p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P3
         Component: ssh-agent
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: menscher+bug at uiuc.edu
                CC: menscher+bug at uiuc.edu

Line 882 of ssh-agent.c reads:

	if (ac == 0 && !c_flag && !k_flag && !s_flag && !d_flag) {
		stuff to set c_flag=1 iff $SHELL=*csh
	}

This means that someone running ssh-agent -k will have k_flag set and
therefore won't get the auto-shell determination, therefore leaving them
with bash-style commands. I'm guessing the debug flag shouldn't be here
either, so the correct line would read:

	if (ac == 0 && !c_flag && !s_flag) {

This was originally found to be broken on IRIX 6.5.15m, but looking at the
source made it obvious it was cross-platform.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From mouring at etoh.eviladmin.org Tue Apr 2 13:22:12 2002
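The decision the bug report describes, modelled as an added example (this is not OpenSSH's ssh-agent.c and not code from the reporter): the guard that enables csh-style output is written once as the report quotes it and once as the reporter proposes it, so the behaviour of ssh-agent -k under a csh login can be checked. The struct, the function names and the suffix rule for recognising a csh variant (basename ending in "csh", standing in for the report's "$SHELL=*csh") are this example's own simplifications.

```c
/* Added example, not OpenSSH code: models the shell-syntax decision quoted in
 * bug 199, in the reported form and in the form the reporter proposes. */
#include <stdio.h>
#include <string.h>

/* Command-line state ssh-agent tracks; the field names mirror the flag
 * variables the report names (ac, c_flag, s_flag, k_flag, d_flag). */
struct agent_opts {
    int ac;      /* number of non-option arguments (a command to run) */
    int c_flag;  /* -c: force csh-style output */
    int s_flag;  /* -s: force Bourne-style output */
    int k_flag;  /* -k: kill the agent named by SSH_AGENT_PID */
    int d_flag;  /* -d: debug mode */
};

/* Simplified "$SHELL=*csh" test: does the shell path end in "csh"? */
static int shell_is_csh(const char *shell)
{
    size_t n;
    if (shell == NULL)
        return 0;
    n = strlen(shell);
    return n >= 3 && strcmp(shell + n - 3, "csh") == 0;
}

/* Auto-detection guard as the report quotes it (k_flag and d_flag block it). */
static int autodetect_reported(const struct agent_opts *o)
{
    return o->ac == 0 && !o->c_flag && !o->k_flag && !o->s_flag && !o->d_flag;
}

/* Auto-detection guard as the reporter proposes it. */
static int autodetect_proposed(const struct agent_opts *o)
{
    return o->ac == 0 && !o->c_flag && !o->s_flag;
}

/* 1 if csh-style commands ("setenv X y;") would be emitted, 0 for Bourne
 * style ("X=y; export X;"). `proposed` selects which guard to apply. */
static int uses_csh_syntax(const struct agent_opts *o, const char *shell, int proposed)
{
    int c_flag = o->c_flag;
    int guard = proposed ? autodetect_proposed(o) : autodetect_reported(o);
    if (guard && shell_is_csh(shell))
        c_flag = 1;
    return c_flag;
}

/* "ssh-agent -k" with no command, under the given $SHELL. */
int kill_under_shell(const char *shell, int proposed)
{
    struct agent_opts o = { 0, 0, 0, 1, 0 };
    return uses_csh_syntax(&o, shell, proposed);
}

/* Plain "ssh-agent" with no flags and no command, under the given $SHELL. */
int plain_under_shell(const char *shell, int proposed)
{
    struct agent_opts o = { 0, 0, 0, 0, 0 };
    return uses_csh_syntax(&o, shell, proposed);
}

int main(void)
{
    /* Plain start is fine either way; -k only detects csh with the fix. */
    printf("ssh-agent    under /bin/tcsh: reported=%s proposed=%s\n",
           plain_under_shell("/bin/tcsh", 0) ? "csh" : "sh",
           plain_under_shell("/bin/tcsh", 1) ? "csh" : "sh");
    printf("ssh-agent -k under /bin/tcsh: reported=%s proposed=%s\n",
           kill_under_shell("/bin/tcsh", 0) ? "csh" : "sh",
           kill_under_shell("/bin/tcsh", 1) ? "csh" : "sh");
    return 0;
}
```

The practical consequence of the reported guard is that `eval \`ssh-agent -k\`` in a tcsh login receives Bourne-syntax unsetenv commands and fails, while the agent process is still killed; with the proposed guard both the start and the kill commands match the user's shell.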
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 1 Apr 2002 21:22:12 -0600 (CST)
Subject: path to find ssh-rand-helper
In-Reply-To: <20020401204745.A232035@hiwaay.net>
Message-ID:

PRNGD/EGD is supported by OpenSSL also.  Therefore if you teach OpenSSL how
to talk to PRNGD/EGD ssh-rand-helper is not required.

- Ben

On Mon, 1 Apr 2002, Chris Adams wrote:

> Once upon a time, Ben Lindstrom said:
> > I would personally rather have seen a nice clearly documented mini-howto or FAQ
> > entry explaining how to setup prng or egd w/ OpenSSL.  That way
> > ssh-rand-helper is not run since OpenSSL can internally seed itself.
>
> The PRNGD/EGD code was moved into ssh-rand-helper, so if you don't have
> a kernel entropy device, ssh-rand-helper is required.
> --
> Chris Adams
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From J.S.Peatfield at damtp.cam.ac.uk Tue Apr 2 17:37:15 2002
From: J.S.Peatfield at damtp.cam.ac.uk (J.S.Peatfield at damtp.cam.ac.uk)
Date: Tue, 02 Apr 2002 08:37:15 +0100
Subject: path to find ssh-rand-helper
Message-ID: <200204020737.g327bF215351.redmires.amtp.cam.ac.uk@damtp.cam.ac.uk>

> ssh-rand-helper should be viewed as your last line of defence on a
> box that lacks kernel entropy devices (read: No root access user
> installing the ssh client).

Exactly.  I wish to continue to be able to provide downloads of
binaries for use by our users if they visit a random site which
doesn't (yet) provide ssh.  They won't have root access and will
almost certainly be running on machines with no kernel entropy source
(well the ones with a local entropy source will be ok anyway).

Since we no longer allow any other form of remote access it is now
more important that we continue to be able to offer such binaries (we
had to suffer several sets of _important_people_ complaining when we
blocked telnet access, and the availability of downloadable binaries
was about the only thing which calmed them down (though they had to
have a new procedure explained to them)).

Of course most sites do now supply ssh clients but we can't rely on it
when people are at random conferences...

-- Jon

From markus at openbsd.org Tue Apr 2 17:58:47 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 2 Apr 2002 09:58:47 +0200
Subject: scp : Problems with pathing
In-Reply-To: <200204012133.QAA00686@heimdall.ttsg.com>
References: <20020401204548.GA11989@faui02> <200204012133.QAA00686@heimdall.ttsg.com>
Message-ID: <20020402075847.GA11392@folly>

On Mon, Apr 01, 2002 at 04:33:25PM -0500, Tuc wrote:
> > 
> > for LOGIN_CAP the value from /etc/login.conf is used.
> > 
> 	Ok, great, thanks.
> 
> 	Is there a way to convince it when it's configured with
> ./configure to either "ignore" we have LOGIN_CAP or something like that so
> it DOES hardcode the _PATH_STDPATH in? I don't want to change /etc/login.conf
> to add the /usr/local/bin path, so the only other thing I can do is
> get it to use :
> 
> 	child_set_env(&env, &envsize, "PATH", _PATH_STDPATH);

but that's the wrong thing to do for LOGIN_CAP systems.

of course you can hack your source.

From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Apr 2 19:57:36 2002
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 2 Apr 2002 11:57:36 +0200
Subject: path to find ssh-rand-helper
In-Reply-To:
References: <20020401204745.A232035@hiwaay.net>
Message-ID: <20020402095736.GA12551@serv01.aet.tu-cottbus.de>

On Mon, Apr 01, 2002 at 09:22:12PM -0600, Ben Lindstrom wrote:
> 
> PRNGD/EGD is supported by OpenSSL also.  Therefore if you teach OpenSSL how
> to talk to PRNGD/EGD ssh-rand-helper is not required.

The automated query of PRNGD/EGD (at predefined locations) by OpenSSL's
PRNG functions is only implemented as of the not-yet-released 0.9.7 version.
0.9.6x will not automatically query PRNGD/EGD.

Best regards,
	Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus

From gert at greenie.muc.de Tue Apr 2 21:00:04 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 2 Apr 2002 13:00:04 +0200
Subject: PrivSep and portability
Message-ID: <20020402130004.A12113@greenie.muc.de>

Hi,

I've seen a few patches related to the PrivSep works.  As far as I can
see, it seems to work by using a shared memory segment to communicate.

I just want to point out that there are some unix systems that do not
have mmap() (SCO, older SVR3 systems) or that might have problems with
anonymous shared mmap() (don't have any examples, but e.g. the INN docs
are full of warnings concerning mmap()).

So I want to ask you to make the PrivSep stuff compile-time configurable,
to enable building on "legacy" platforms.

gert

PS: my SCO 3 fix for the suid problem seems to have been lost, I'll
resubmit via bugzilla.

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From markus at openbsd.org Tue Apr 2 21:13:35 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 2 Apr 2002 13:13:35 +0200
Subject: PrivSep and portability
In-Reply-To: <20020402130004.A12113@greenie.muc.de>
References: <20020402130004.A12113@greenie.muc.de>
Message-ID: <20020402111334.GB21477@faui02>

On Tue, Apr 02, 2002 at 01:00:04PM +0200, Gert Doering wrote:
> I just want to point out that there are some unix systems that do not
> have mmap() (SCO, older SVR3 systems) or that might have problems with
> anonymous shared mmap() (don't have any examples, but e.g. the INN docs
> are full of warnings concerning mmap()).

those systems could try to use SYSV SHM instead of mmap().

I think Engelschall has something doing this (perhaps mm-1.1.x.tar.gz).

From bugzilla-daemon at mindrot.org Tue Apr 2 21:52:03 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Apr 2002 21:52:03 +1000 (EST)
Subject: [Bug 199] ssh-agent -k doesn't check $SHELL environment variable
Message-ID: <20020402115203.98CC5E98D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=199

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From markus at openbsd.org 2002-04-02 21:51 -------
thanks, patch applied

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 3 00:16:29 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 3 Apr 2002 00:16:29 +1000 (EST)
Subject: [Bug 189] pam_setcred() failures should not be treated as fatal
Message-ID: <20020402141629.3EFB9EA50@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=189

------- Additional Comments From Nicolas.Williams at ubsw.com 2002-04-03 00:16 -------
I don't see how failure to pam_setcred() ought to be fatal. It can be
crippling to the actual user experience, but, fatal?

At least make it an option.

Nico

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From markus at openbsd.org Wed Apr 3 00:20:38 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 2 Apr 2002 16:20:38 +0200
Subject: path to find ssh-rand-helper
In-Reply-To:
References: <20020401204745.A232035@hiwaay.net>
Message-ID: <20020402142038.GB16579@folly>

On Mon, Apr 01, 2002 at 09:22:12PM -0600, Ben Lindstrom wrote:
> PRNGD/EGD is supported by OpenSSL also.  Therefore if you teach OpenSSL how
> to talk to PRNGD/EGD ssh-rand-helper is not required.

we should not depend on openssl 0.9.7

it does not even exist :)

From mouring at etoh.eviladmin.org Wed Apr 3 00:28:33 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 2 Apr 2002 08:28:33 -0600 (CST)
Subject: path to find ssh-rand-helper
In-Reply-To: <200204020737.g327bF215351.redmires.amtp.cam.ac.uk@damtp.cam.ac.uk>
Message-ID:

Maybe (I'm half-awake so I'm not considering all the issues) one should
allow OpenSSH to look for ssh-rand-helper in the user's path.  (Default to
fixed location, but a configure option).

That will solve the problem in the generic form, but I'm worried about it
selecting a wrong ssh-rand-helper.

- Ben

On Tue, 2 Apr 2002 J.S.Peatfield at damtp.cam.ac.uk wrote:

> > ssh-rand-helper should be viewed as your last line of defence on a
> > box that lacks kernel entropy devices (read: No root access user
> > installing the ssh client).
>
> Exactly.  I wish to continue to be able to provide downloads of
> binaries for use by our users if they visit a random site which
> doesn't (yet) provide ssh.  They won't have root access and will
> almost certainly be running on machines with no kernel entropy source
> (well the ones with a local entropy source will be ok anyway).
>
> Since we no longer allow any other form of remote access it is now
> more important that we continue to be able to offer such binaries (we
> had to suffer several sets of _important_people_ complaining when we
> blocked telnet access, and the availability of downloadable binaries
> was about the only thing which calmed them down (though they had to
> have a new procedure explained to them)).
>
> Of course most sites do now supply ssh clients but we can't rely on it
> when people are at random conferences...
>
> -- Jon
>
>

From mouring at etoh.eviladmin.org Wed Apr 3 00:30:27 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 2 Apr 2002 08:30:27 -0600 (CST)
Subject: path to find ssh-rand-helper
In-Reply-To: <20020402142038.GB16579@folly>
Message-ID:

0.9.7 is not the only release to support self-seeding from non /dev/random
sources.  0.9.6 does, but requires prompting.

- Ben

On Tue, 2 Apr 2002, Markus Friedl wrote:

> On Mon, Apr 01, 2002 at 09:22:12PM -0600, Ben Lindstrom wrote:
> > PRNGD/EGD is supported by OpenSSL also.  Therefore if you teach OpenSSL how
> > to talk to PRNGD/EGD ssh-rand-helper is not required.
>
> we should not depend on openssl 0.9.7
>
> it does not even exist :)
>

From mcardenas at ya.com Wed Apr 3 02:56:55 2002
From: mcardenas at ya.com (Manuel Cardeñas)
Date: Tue, 02 Apr 2002 18:56:55 +0200
Subject: Running openssh-3.1p1 from sunfreeware...
Message-ID: <5.1.0.14.0.20020402185408.03aeabc0@pop.mailcorp.ya.com>

Hi...

Is there some possibility of running sshd from the precompiled package from
sunfreeware without using the prngd daemon?

ciao.

From jm.poure at freesurf.fr Wed Apr 3 03:40:27 2002
From: jm.poure at freesurf.fr (Jean-Michel POURE)
Date: Tue, 2 Apr 2002 19:40:27 +0200
Subject: Chroot patch
Message-ID: <200204021740.g32HeRhk030603@www1.translationforge>

Dear James and Chris,

I would like to build openssh with the chroot patch. I applied the
http://cag.lcs.mit.edu/~raoul chroot patch to openssh-3.1p1, configured it
using a simple "--with-chroot" for testing and compiled under Mandrake 8.2.

Problem :
1) Configuration report shows no chroot configuration. What is wrong?
2) After compiling, I added a test user with "/home/test/./" home dir.
Should I create another directory inside /home/test ? Like
"/home/test/./home"? Of course, this does not work. What's wrong?

Best regards,
Jean-Michel POURE

From kevin at atomicgears.com Wed Apr 3 05:38:11 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Tue, 2 Apr 2002 11:38:11 -0800 (PST)
Subject: PrivSep and portability
In-Reply-To: <20020402130004.A12113@greenie.muc.de>
Message-ID:

On Tue, 2 Apr 2002, Gert Doering wrote:
:I've seen a few patches related to the PrivSep works.  As far as I can
:see, it seems to work by using a shared memory segment to communicate.
:
:I just want to point out that there are some unix systems that do not
:have mmap() (SCO, older SVR3 systems) or that might have problems with
:anonymous shared mmap() (don't have any examples, but e.g. the INN docs
:are full of warnings concerning mmap()).
:
:So I want to ask you to make the PrivSep stuff compile-time configurable,
:to enable building on "legacy" platforms.

yes, what we want in the end is that ./configure;make will compile on the
current platforms and work as it does today.  privsep is by default off.

the strategy i've taken is to get it working on portable platforms that
i'm using (currently solaris 8 and hp-ux 11).  now i'm thinking about how
to support PAM.

we currently support access rights and ancillary data fd passing.  we
should probably add I_SEND/RECVFD support, but i haven't seen anyone ask
yet.  same for shm support vs. mmap().

for platforms that cannot be supported, i think we will just fatal() on a
required non-supported function if someone enables privsep.  i think we
should still handle preauth separation without fd passing support, but i
haven't tested that.

From markus at openbsd.org Wed Apr 3 05:55:43 2002
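The "ancillary data fd passing" Kevin refers to, shown as an added example (this is not OpenSSH's monitor code and not code from anyone in this thread): a privileged parent, standing in for the monitor, opens a resource and hands only the open descriptor to a forked, unprivileged child over a UNIX socketpair using SCM_RIGHTS, so the child never needs the privilege to open it itself. The function names (send_fd, recv_fd, fd_passing_demo), the pipe used as the resource and its "hello" payload are constructed for this example; the receiver also refuses messages that carry anything other than exactly one descriptor, which is the check a monitor-side or child-side implementation wants before trusting what arrived.

```c
/* Added example, not OpenSSH code: SCM_RIGHTS descriptor passing between a
 * privileged parent and an unprivileged child, the technique Kevin calls
 * "ancillary data fd passing". POSIX/Linux sockets API only. */
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>

/* Send one descriptor over `sock`. A one-byte payload rides along because
 * ancillary data cannot be sent without normal data. Returns 0 or -1. */
static int send_fd(int sock, int fd)
{
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } cm;
    struct msghdr msg;
    struct cmsghdr *cmsg;

    memset(&msg, 0, sizeof(msg));
    memset(&cm, 0, sizeof(cm));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cm.buf;
    msg.msg_controllen = sizeof(cm.buf);

    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor; returns the new local fd or -1. Rejects truncated
 * control data and anything but exactly one SCM_RIGHTS descriptor, so a
 * peer cannot slip extra descriptors into the receiver's table unnoticed. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } cm;
    struct msghdr msg;
    struct cmsghdr *cmsg;
    int fd;

    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = cm.buf;
    msg.msg_controllen = sizeof(cm.buf);

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    if (msg.msg_flags & MSG_CTRUNC)        /* more control data than requested */
        return -1;
    cmsg = CMSG_FIRSTHDR(&msg);
    if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
        cmsg->cmsg_type != SCM_RIGHTS || cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Parent (monitor role) fills a pipe with a constructed payload and passes
 * only its read end to the forked child (unprivileged role). The child
 * reports via its exit status how many bytes it read through the received
 * descriptor; that count is returned, or -1 on any failure. */
int fd_passing_demo(void)
{
    int sv[2], pfd[2], status;
    const char payload[] = "hello";          /* constructed sample data */
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(pfd) < 0)
        return -1;
    if (write(pfd[1], payload, 5) != 5)
        return -1;
    close(pfd[1]);                           /* reader will see EOF after 5 bytes */

    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {                          /* child: unprivileged side */
        char buf[16];
        ssize_t n;
        int fd;
        close(sv[0]);
        close(pfd[0]);                       /* drop the inherited copy: only the
                                                passed descriptor may be used */
        fd = recv_fd(sv[1]);
        n = fd < 0 ? 0 : read(fd, buf, sizeof(buf));
        _exit(n < 0 ? 0 : (int)n);
    }
    close(sv[1]);
    if (send_fd(sv[0], pfd[0]) < 0)
        return -1;
    close(pfd[0]);                           /* kernel keeps it alive for the child */
    close(sv[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("bytes read by child through passed fd: %d\n", fd_passing_demo());
    return 0;
}
```

On systems without SCM_RIGHTS (the SVR3 case Gert raises) the same shape is achieved with the STREAMS I_SENDFD/I_RECVFD ioctls Kevin mentions; the receiver-side validation is the part worth keeping identical across both.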
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 2 Apr 2002 21:55:43 +0200
Subject: PrivSep and portability
In-Reply-To:
References: <20020402130004.A12113@greenie.muc.de>
Message-ID: <20020402195543.GF10434@faui02>

On Tue, Apr 02, 2002 at 11:38:11AM -0800, Kevin Steves wrote:
> i think we
> should still handle preauth separation without fd passing support, but i
> haven't tested that.

yes. and w/o mmap you could do privsep w/o compression.

From Nicolas.Williams at ubsw.com Wed Apr 3 06:05:51 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Tue, 2 Apr 2002 15:05:51 -0500
Subject: PrivSep and portability
In-Reply-To: ; from kevin@atomicgears.com on Tue, Apr 02, 2002 at 11:38:11AM -0800
References: <20020402130004.A12113@greenie.muc.de>
Message-ID: <20020402150549.V27398@sm2p1386swk.wdr.com>

On Tue, Apr 02, 2002 at 11:38:11AM -0800, Kevin Steves wrote:
> we currently support access rights and ancillary data fd passing.  we

Interesting. If you're passing creds that must mean that you're allowing
the unprivileged sshd child to be root sometimes. Doesn't this violate
the point of privsep?

Nico
-- 
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only
for the individual named.  If you are not the named addressee you
should not disseminate, distribute or copy this e-mail.  Please
notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses.  The sender therefore
does not accept liability for any errors or omissions in the contents
of this message which arise as a result of e-mail transmission.  If
verification is required please request a hard-copy version.  This
message is provided for informational purposes and should not be
construed as a solicitation or offer to buy or sell any securities
or related financial instruments.

From gert at greenie.muc.de Wed Apr 3 06:12:13 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 2 Apr 2002 22:12:13 +0200
Subject: PrivSep and portability
In-Reply-To: ; from Kevin Steves on Tue, Apr 02, 2002 at 11:38:11AM -0800
References: <20020402130004.A12113@greenie.muc.de>
Message-ID: <20020402221213.C2245@greenie.muc.de>

Hi,

On Tue, Apr 02, 2002 at 11:38:11AM -0800, Kevin Steves wrote:
> we currently support access rights and ancillary data fd passing.  we
> should probably add I_SEND/RECVFD support, but i haven't seen anyone ask
> yet.  same for shm support vs. mmap().

Ummm.  File descriptor passing is also not possible on oldish SVR3s
(except for some STREAMS drivers)

> for platforms that cannot be supported, i think we will just fatal() on a
> required non-supported function if someone enables privsep.

Fine with me - as long as it builds :-)

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From markus at openbsd.org Wed Apr 3 06:26:50 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 2 Apr 2002 22:26:50 +0200
Subject: PrivSep and portability
In-Reply-To: <20020402150549.V27398@sm2p1386swk.wdr.com>
References: <20020402130004.A12113@greenie.muc.de> <20020402150549.V27398@sm2p1386swk.wdr.com>
Message-ID: <20020402202650.GG10434@faui02>

On Tue, Apr 02, 2002 at 03:05:51PM -0500, Nicolas Williams wrote:
> On Tue, Apr 02, 2002 at 11:38:11AM -0800, Kevin Steves wrote:
> > we currently support access rights and ancillary data fd passing.  we
> 
> Interesting. If you're passing creds that must mean that you're allowing
> the unprivileged sshd child to be root sometimes.

why?

From Nicolas.Williams at ubsw.com Wed Apr 3 06:30:36 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Tue, 2 Apr 2002 15:30:36 -0500
Subject: PrivSep and portability
In-Reply-To: <20020402202650.GG10434@faui02>; from markus@openbsd.org on Tue, Apr 02, 2002 at 10:26:50PM +0200
References: <20020402130004.A12113@greenie.muc.de> <20020402150549.V27398@sm2p1386swk.wdr.com> <20020402202650.GG10434@faui02>
Message-ID: <20020402153034.W27398@sm2p1386swk.wdr.com>

On Tue, Apr 02, 2002 at 10:26:50PM +0200, Markus Friedl wrote:
> On Tue, Apr 02, 2002 at 03:05:51PM -0500, Nicolas Williams wrote:
> > On Tue, Apr 02, 2002 at 11:38:11AM -0800, Kevin Steves wrote:
> > > we currently support access rights and ancillary data fd passing.  we
> > 
> > Interesting. If you're passing creds that must mean that you're allowing
> > the unprivileged sshd child to be root sometimes.
> 
> why?

Oh, never mind. As I think more, you must be starting the child as nobody
and later passing the authenticated user's uid/gids. I get it.

Nico
-- 
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only
for the individual named.  If you are not the named addressee you
should not disseminate, distribute or copy this e-mail.  Please
notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses.  The sender therefore
does not accept liability for any errors or omissions in the contents
of this message which arise as a result of e-mail transmission.  If
verification is required please request a hard-copy version.
This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments.

From bugzilla-daemon at mindrot.org Wed Apr 3 07:57:15 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 3 Apr 2002 07:57:15 +1000 (EST)
Subject: [Bug 187] ssh-keygen not converting from and to SECSH standard correctly
Message-ID: <20020402215715.A1A7AE920@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=187

------- Additional Comments From markus at openbsd.org 2002-04-03 07:57 -------
#2 fixed

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 3 08:26:53 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 3 Apr 2002 08:26:53 +1000 (EST)
Subject: [Bug 187] ssh-keygen not converting from and to SECSH standard correctly
Message-ID: <20020402222653.7A0F5EA7E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=187

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From markus at openbsd.org 2002-04-03 08:26 -------
importing your example keys works for me with different versions of openssh

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From kevin at atomicgears.com Wed Apr 3 09:05:22 2002
From: kevin at atomicgears.com (Kevin Steves) Date: Tue, 2 Apr 2002 15:05:22 -0800 (PST) Subject: PrivSep and portability In-Reply-To: <20020402195543.GF10434@faui02> Message-ID: On Tue, 2 Apr 2002, Markus Friedl wrote: :On Tue, Apr 02, 2002 at 11:38:11AM -0800, Kevin Steves wrote: :> i think we :> should still handle preauth separation without fd passing support, but i :> haven't tested that. : :yes. and w/o mmap you could do privsep w/o compression. i'm not sure of the best way to handle that case given privsep is runtime yes/no. we want privsep=no to support compression but privsep=yes to not when mm doesn't work. From chua at ayrnetworks.com Wed Apr 3 10:47:36 2002 From: chua at ayrnetworks.com (Bryan Chua) Date: Tue, 02 Apr 2002 16:47:36 -0800 Subject: cross compilation? Message-ID: <3CAA5128.4010008@ayrnetworks.com> ../openssh-3.1p1/configure --host=mips-linux --build=i686-linux --with-pam does not work. It selects the correct toolchain prefix, but the configure script bails on cross-compilation. Attached is a patch that *might* make the right paranoid assumptions, but I am not positive. -- bryan --- configure.ac.orig Tue Feb 26 22:12:35 2002 +++ configure.ac Wed Mar 27 14:28:02 2002 @@ -437,20 +437,6 @@ ] ) -AC_MSG_CHECKING([whether struct dirent allocates space for d_name]) -AC_TRY_RUN( - [ -#include -#include -int main(void){struct dirent d;return(sizeof(d.d_name)<=sizeof(char));} - ], - [AC_MSG_RESULT(yes)], - [ - AC_MSG_RESULT(no) - AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) - ] -) - # Check whether user wants S/Key support SKEY_MSG="no" AC_ARG_WITH(skey, @@ -469,11 +455,13 @@ SKEY_MSG="yes" AC_MSG_CHECKING([for s/key support]) - AC_TRY_RUN( + AC_TRY_LINK( [ -#include -#include -int main() { char *ff = skey_keyinfo(""); ff=""; return 0; } + #include + #include + ], + [ + char *ff = skey_keyinfo(""); ff=""; ], [AC_MSG_RESULT(yes)], [ 
@@ -625,6 +613,10 @@ AC_MSG_RESULT(no) AC_DEFINE(BROKEN_SNPRINTF) AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor]) + ], + [ + AC_MSG_RESULT(assuming no) + AC_DEFINE(BROKEN_SNPRINTF) ] ) fi @@ -729,22 +721,21 @@ # Basic test to check for compatible version and correct linking # *does not* test for RSA - that comes later. - AC_TRY_RUN( + AC_TRY_LINK( [ -#include -#include -int main(void) -{ - char a[2048]; - memset(a, 0, sizeof(a)); - RAND_add(a, sizeof(a), sizeof(a)); - return(RAND_status() <= 0); -} + #include + #include + ], + [ + char a[2048]; + memset(a, 0, sizeof(a)); + RAND_add(a, sizeof(a), sizeof(a)); + return(RAND_status() <= 0); ], [ found_crypto=1 break; - ], [] + ], [ ] ) if test ! -z "$found_crypto" ; then @@ -800,26 +791,26 @@ else LIBS="$saved_LIBS -lRSAglue -lrsaref" fi - AC_TRY_RUN([ -#include -#include -#include -#include -#include -int main(void) -{ - int num; RSA *key; static unsigned char p_in[] = "blahblah"; - unsigned char c[256], p[256]; - memset(c, 0, sizeof(c)); RAND_add(c, sizeof(c), sizeof(c)); - if ((key=RSA_generate_key(512, 3, NULL, NULL))==NULL) return(1); - num = RSA_public_encrypt(sizeof(p_in) - 1, p_in, c, key, RSA_PKCS1_PADDING); - return(-1 == RSA_private_decrypt(num, c, p, key, RSA_PKCS1_PADDING)); -} - ], - [ + AC_TRY_LINK( + [ + #include + #include + #include + #include + #include + ], + [ + int num; RSA *key; static unsigned char p_in[] = "blahblah"; + unsigned char c[256], p[256]; + memset(c, 0, sizeof(c)); RAND_add(c, sizeof(c), sizeof(c)); + if ((key=RSA_generate_key(512, 3, NULL, NULL))==NULL) return(1); + num = RSA_public_encrypt(sizeof(p_in) - 1, p_in, c, key, RSA_PKCS1_PADDING); + return(-1 == RSA_private_decrypt(num, c, p, key, RSA_PKCS1_PADDING)); + ], + [ rsa_works=1 break; - ], []) + ], []) done LIBS="$saved_LIBS" @@ -856,6 +847,9 @@ [ AC_MSG_RESULT(no) AC_MSG_ERROR(Your OpenSSL headers do not match your library) + ], + [ + AC_MSG_RESULT(hoping so) ] ) 
@@ -885,6 +879,12 @@ # Default to use of the rand helper if OpenSSL doesn't # seed itself USE_RAND_HELPER=yes + ], + [ + AC_MSG_RESULT(not sure) + # Default to use of the rand helper if OpenSSL doesn't + # seed itself + USE_RAND_HELPER=yes ] ) @@ -1457,7 +1457,10 @@ #else main() { exit(0); } #endif - ], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ] + ], + [ true ], + [ AC_DEFINE(BROKEN_SNPRINTF) ], + [ AC_DEFINE(BROKEN_SNPRINTF) ] ) fi AC_SUBST(NO_SFTP) @@ -1776,12 +1779,11 @@ ] ) fi -AC_CHECK_FILE("/dev/ptc", - [ - AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) - have_dev_ptc=1 - ] -) + +if test -f "/dev/ptc" ; then + AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) + have_dev_ptc=1 +fi # Options from here on. Some of these are preset by platform above AC_ARG_WITH(mantype, --- sftp-glob.c.orig Tue Feb 12 19:10:33 2002 +++ sftp-glob.c Wed Mar 27 14:27:30 2002 @@ -78,12 +78,9 @@ * Solaris defines dirent->d_name as a one byte array and expects * you to hack around it. */ -#ifdef BROKEN_ONE_BYTE_DIRENT_D_NAME - strlcpy(ret->d_name, od->dir[od->offset++]->filename, MAXPATHLEN); -#else strlcpy(ret->d_name, od->dir[od->offset++]->filename, - sizeof(ret->d_name)); -#endif + (sizeof(ret->d_name) <= sizeof(char))? + MAXPATHLEN: sizeof(ret->d_name)); #ifdef __GNU_LIBRARY__ /* * Idiot glibc uses extensions to struct dirent for readdir with From mouring at etoh.eviladmin.org Wed Apr 3 11:02:23 2002 
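Review bot: the @@ -437,20 +437,6 @@ hunk deletes the configure probe that defined BROKEN_ONE_BYTE_DIRENT_D_NAME, but the patch only updates sftp-glob.c; any other file in the tree that tests that macro will now silently take the non-broken branch, so check for remaining uses before dropping the AC_DEFINE. The smaller change that keeps the probe for native builds is to add AC_TRY_RUN's fourth ACTION-IF-CROSS-COMPILING argument, as the @@ -625 hunk already does for snprintf.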
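Review bot: the @@ -469,11 +455,13 @@ hunk converts the s/key probe from AC_TRY_RUN to AC_TRY_LINK without losing anything, since the old program body only returned 0 after calling skey_keyinfo(); the statement is unchanged apart from being split into prologue and body. Fine as is, though the indented `#include` lines differ from the unindented style used for the other probes in configure.ac.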
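Review bot: the @@ -729,22 +721,21 @@ hunk changes AC_TRY_RUN to AC_TRY_LINK, so the `return(RAND_status() <= 0);` body is now compiled but never executed: a libcrypto that links but cannot seed its PRNG now sets found_crypto=1, and that regression applies to native builds as well as cross builds. Keep AC_TRY_RUN for the native case and add the fourth ACTION-IF-CROSS-COMPILING argument instead; the `], []` to `], [ ]` change in the same hunk is whitespace noise and should be dropped.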
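Review bot: the @@ -800,26 +791,26 @@ hunk has the same problem: with AC_TRY_LINK the RSA_generate_key / RSA_public_encrypt / RSA_private_decrypt round trip is never run, so rsa_works=1 now only means the symbols resolved, while the comment two hunks up says this probe is the one that actually tests RSA. Use AC_TRY_RUN with a cross-compiling fallback that assumes RSA works and says so in AC_MSG_RESULT, rather than weakening the native check.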
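Review bot: in the @@ -856,6 +847,9 @@ hunk, the cross-compiling branch prints AC_MSG_RESULT(hoping so) and then proceeds as if the headers-versus-library check had passed, while a native mismatch is AC_MSG_ERROR; since this is a guess it should be an AC_MSG_WARN so it stands out in the configure output, and the message should state what is being assumed (e.g. "assuming yes") rather than "hoping so".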
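Review bot: the cross-compiling branch added in the @@ -885,6 +879,12 @@ hunk duplicates the two-line "Default to use of the rand helper" comment from the failure branch; since both branches end in USE_RAND_HELPER=yes, move the comment above the AC_TRY_RUN and keep each branch to its AC_MSG_RESULT plus the assignment. Defaulting to the rand helper when the answer is unknown is the safe choice, so the behaviour itself is fine.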
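Review bot: the @@ -1776,12 +1779,11 @@ hunk replaces AC_CHECK_FILE("/dev/ptc") with `if test -f "/dev/ptc"`, which defeats the reason AC_CHECK_FILE refuses to run when cross-compiling: the test now inspects the build host's /dev, not the target's, so HAVE_DEV_PTS_AND_PTC is set or cleared by whichever machine happens to run configure (here an i686 build host deciding for a mips target). Keep AC_CHECK_FILE for native builds and let the cross-compiling case be set explicitly through a cache variable or configure option, defaulting to unset.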
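Review bot: in the sftp-glob.c hunk, `(sizeof(ret->d_name) <= sizeof(char)) ? MAXPATHLEN : sizeof(ret->d_name)` is a compile-time constant, so the generated code matches the old #ifdef; it does, however, still rely on `ret` having been allocated with MAXPATHLEN bytes behind d_name on the one-byte platforms, which this hunk does not show. A comment at the allocation site, or a single macro for the chosen size used in both places, would make that coupling visible now that the configure-time flag is gone.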
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 2 Apr 2002 19:02:23 -0600 (CST) Subject: cross compilation? In-Reply-To: <3CAA5128.4010008@ayrnetworks.com> Message-ID: Can you avoid reforming and just post the required changes you feel should be made? It makes it very hard to decide if this is an acceptable thing to do. - Ben On Tue, 2 Apr 2002, Bryan Chua wrote: > ../openssh-3.1p1/configure --host=mips-linux --build=i686-linux --with-pam > does not work. > > It selects the correct toolchain prefix, but the configure script bails > on cross-compilation. > > Attached is a patch that *might* make the right paranoid assumptions, > but I am not positive. > > -- bryan > > --- configure.ac.orig Tue Feb 26 22:12:35 2002 > +++ configure.ac Wed Mar 27 14:28:02 2002 > @@ -437,20 +437,6 @@ > ] > ) > > -AC_MSG_CHECKING([whether struct dirent allocates space for d_name]) > -AC_TRY_RUN( > - > [ > -#include > -#include > -int main(void){struct dirent d;return(sizeof(d.d_name)<=sizeof(char));} > - > ], > - > [AC_MSG_RESULT(yes)], > - > [ > - > AC_MSG_RESULT(no) > - > AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) > - > ] > -) > - > # Check whether user wants S/Key support > SKEY_MSG="no" > AC_ARG_WITH(skey, > @@ -469,11 +455,13 @@ > > SKEY_MSG="yes" > > > AC_MSG_CHECKING([for s/key support]) > - > AC_TRY_RUN( > + > AC_TRY_LINK( > > [ > -#include > -#include > -int main() { char *ff = skey_keyinfo(""); ff=""; return 0; } > + > #include > + > #include > + > ], > + > [ > + > char *ff = skey_keyinfo(""); ff=""; > > ], > > [AC_MSG_RESULT(yes)], > > [ > @@ -625,6 +613,10 @@ > > AC_MSG_RESULT(no) > > AC_DEFINE(BROKEN_SNPRINTF) > > AC_MSG_WARN([****** Your snprintf() function is broken, complain to your > vendor]) > + > ], > + > [ > + > AC_MSG_RESULT(assuming no) > + > AC_DEFINE(BROKEN_SNPRINTF) > ] > ) > fi 
> @@ -729,22 +721,21 @@ > > # Basic test to check for compatible version and correct linking > # *does not* test for RSA - that comes later. > - > AC_TRY_RUN( > + > AC_TRY_LINK( > > [ > -#include > -#include > -int main(void) > -{ > - > char a[2048]; > - > memset(a, 0, sizeof(a)); > - > RAND_add(a, sizeof(a), sizeof(a)); > - > return(RAND_status() <= 0); > -} > + > #include > + > #include > + > ], > + > [ > + > char a[2048]; > + > memset(a, 0, sizeof(a)); > + > RAND_add(a, sizeof(a), sizeof(a)); > + > return(RAND_status() <= 0); > > ], > > [ > > found_crypto=1 > > break; > - > ], [] > + > ], [ ] > ) > > if test ! -z "$found_crypto" ; then > @@ -800,26 +791,26 @@ > else > LIBS="$saved_LIBS -lRSAglue -lrsaref" > fi > - > AC_TRY_RUN([ > -#include > -#include > -#include > -#include > -#include > -int main(void) > -{ > - > int num; RSA *key; static unsigned char p_in[] = "blahblah"; > - > unsigned char c[256], p[256]; > - > memset(c, 0, sizeof(c)); RAND_add(c, sizeof(c), sizeof(c)); > - > if ((key=RSA_generate_key(512, 3, NULL, NULL))==NULL) return(1); > - > num = RSA_public_encrypt(sizeof(p_in) - 1, p_in, c, key, RSA_PKCS1_PADDING); > - > return(-1 == RSA_private_decrypt(num, c, p, key, RSA_PKCS1_PADDING)); > -} > - > ], > - > [ > + > AC_TRY_LINK( > + > [ > + > #include > + > #include > + > #include > + > #include > + > #include > + > ], > + > [ > + > int num; RSA *key; static unsigned char p_in[] = "blahblah"; > + > unsigned char c[256], p[256]; > + > memset(c, 0, sizeof(c)); RAND_add(c, sizeof(c), sizeof(c)); > + > if ((key=RSA_generate_key(512, 3, NULL, NULL))==NULL) return(1); > + > num = RSA_public_encrypt(sizeof(p_in) - 1, p_in, c, key, RSA_PKCS1_PADDING); > + > return(-1 == RSA_private_decrypt(num, c, p, key, RSA_PKCS1_PADDING)); > + > ], > + > [ > rsa_works=1 > break; > - > ], []) > + > ], []) > done > LIBS="$saved_LIBS" 
> > @@ -856,6 +847,9 @@ > [ > AC_MSG_RESULT(no) > AC_MSG_ERROR(Your OpenSSL headers do not match your library) > + > ], > + > [ > + > AC_MSG_RESULT(hoping so) > ] > ) > > @@ -885,6 +879,12 @@ > # Default to use of the rand helper if OpenSSL doesn't > # seed itself > USE_RAND_HELPER=yes > + > ], > + > [ > + > AC_MSG_RESULT(not sure) > + > # Default to use of the rand helper if OpenSSL doesn't > + > # seed itself > + > USE_RAND_HELPER=yes > ] > ) > > @@ -1457,7 +1457,10 @@ > #else > main() { exit(0); } > #endif > - > ], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ] > + > ], > + > [ true ], > + > [ AC_DEFINE(BROKEN_SNPRINTF) ], > + > [ AC_DEFINE(BROKEN_SNPRINTF) ] > ) > fi > AC_SUBST(NO_SFTP) > @@ -1776,12 +1779,11 @@ > ] > ) > fi > -AC_CHECK_FILE("/dev/ptc", > - > [ > - > AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) > - > have_dev_ptc=1 > - > ] > -) > + > +if test -f "/dev/ptc" ; then > + > AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) > + > have_dev_ptc=1 > +fi > > # Options from here on. Some of these are preset by platform above > AC_ARG_WITH(mantype, > --- sftp-glob.c.orig Tue Feb 12 19:10:33 2002 > +++ sftp-glob.c Wed Mar 27 14:27:30 2002 > @@ -78,12 +78,9 @@ > * Solaris defines dirent->d_name as a one byte array and expects > * you to hack around it. > */ > -#ifdef BROKEN_ONE_BYTE_DIRENT_D_NAME > - > strlcpy(ret->d_name, od->dir[od->offset++]->filename, MAXPATHLEN); > -#else > strlcpy(ret->d_name, od->dir[od->offset++]->filename, > - > sizeof(ret->d_name)); > -#endif > + > (sizeof(ret->d_name) <= sizeof(char))? > + > MAXPATHLEN: sizeof(ret->d_name)); > #ifdef __GNU_LIBRARY__ > /* > * Idiot glibc uses extensions to struct dirent for readdir with > > > > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From J.S.Peatfield at damtp.cam.ac.uk Wed Apr 3 11:18:21 2002 
From: J.S.Peatfield at damtp.cam.ac.uk (J.S.Peatfield at damtp.cam.ac.uk)
Date: Wed, 03 Apr 2002 02:18:21 +0100
Subject: path to find ssh-rand-helper
Message-ID: <200204030118.g331IL005016.dale.amtp.cam.ac.uk@damtp.cam.ac.uk>

> Maybe (I'm half-awake so I'm not considering all the issues) one
> should allow OpenSSH to look for ssh-rand-helper in the user's path.
> (Default to fixed location, but a configure option). That will
> solve the problem in the generic form, but I'm worried about it
> selecting a wrong ssh-rand-helper.

The thing which worries me most is that if the user can specify the entropy source they could cause it to be fed something which isn't random at all, and so the seeding of the prngd could be very suspect.

Normally this is just the user shooting themselves in the foot, but if ssh is setuid and (say) using DSA (which I seem to remember needs a very good entropy source (or am I confusing that with something else)), there may be a leak of bits of the host's private key (e.g. when trying rhostrsa or similar).

Of course since ssh-rand-helper (and particularly the entropy gathering commands themselves) run as the user a malicious user might be able to cause them to generate whatever output they want anyway.

Of course I may be just completely misunderstanding the issues?

In the case I'm interested in ssh won't be setuid so I'd be happy enough for the option to be honoured only if ssh isn't running suid though that seems less clean if it is safe anyway (which is why I asked initially).

Now to avoid showing my ignorance further I'll shut up for a bit...

--
Jon

From bugzilla-daemon at mindrot.org Wed Apr 3 12:18:15 2002
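To make the "honour the option only if ssh isn't running suid" idea above concrete, here is an added example (not OpenSSH code): the helper is taken from the caller's PATH only when the process is not running set-id, and the compiled-in location wins otherwise. The names `find_in_path` and `select_rand_helper`, the fixed path and the `allow_path_lookup` option are assumptions made for this example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical compiled-in location, the "fixed location" from the thread. */
#define RAND_HELPER_FIXED "/usr/local/libexec/ssh-rand-helper"
#define RAND_HELPER_NAME  "ssh-rand-helper"

/*
 * Search a colon-separated path list for an executable called `name`.
 * Returns 1 and fills `out` on success, 0 if nothing usable was found.
 * Empty and relative entries are skipped: the result must be absolute,
 * and a name containing '/' is rejected so the caller cannot smuggle in
 * a full path under the guise of a bare program name.
 */
int find_in_path(const char *name, const char *pathlist, char *out, size_t outlen)
{
    if (name == NULL || pathlist == NULL || strchr(name, '/') != NULL)
        return 0;
    const char *p = pathlist;
    while (*p != '\0') {
        const char *end = strchr(p, ':');
        size_t dirlen = end ? (size_t)(end - p) : strlen(p);
        if (dirlen > 0 && p[0] == '/') {
            char candidate[PATH_MAX];
            int n = snprintf(candidate, sizeof candidate, "%.*s/%s", (int)dirlen, p, name);
            if (n > 0 && (size_t)n < sizeof candidate && access(candidate, X_OK) == 0) {
                if (strlen(candidate) + 1 > outlen)
                    return 0;
                strcpy(out, candidate);
                return 1;
            }
        }
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 0;
}

/*
 * Decide which helper to run.  `allow_path_lookup` stands in for the
 * configure-time option discussed above; `path_env` is the PATH to honour,
 * passed explicitly so the decision can be tested without touching the real
 * environment.  When uid != euid the binary is running set-id, so the user's
 * PATH is untrusted input and the fixed path is used unconditionally.
 * Returns 1 if the user's PATH was honoured, 0 if the fixed path was used.
 */
int select_rand_helper(const char *name, const char *fixed_path, int allow_path_lookup,
                       uid_t uid, uid_t euid, const char *path_env,
                       char *out, size_t outlen)
{
    int set_id = (uid != euid);
    if (allow_path_lookup && !set_id && path_env != NULL &&
        find_in_path(name, path_env, out, outlen))
        return 1;
    /* Fallback for set-id, option off, or helper not found in PATH. */
    snprintf(out, outlen, "%s", fixed_path);
    return 0;
}

int main(void)
{
    char helper[PATH_MAX];
    int from_path = select_rand_helper(RAND_HELPER_NAME, RAND_HELPER_FIXED, 1,
                                       getuid(), geteuid(), getenv("PATH"),
                                       helper, sizeof helper);
    printf("%s helper: %s\n", from_path ? "PATH" : "fixed", helper);
    return 0;
}
```

Running as root with uid == euid is not treated as set-id, matching the proposal that only the suid case is excluded.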
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 3 Apr 2002 12:18:15 +1000 (EST)
Subject: [Bug 201] New: Building openssh from CVS fails on AIX 4.2.1
Message-ID: <20020403021815.1A794E976@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=201

           Summary: Building openssh from CVS fails on AIX 4.2.1
           Product: Portable OpenSSH
           Version: -current
          Platform: PPC
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: dtucker at zip.com.au

While compiling monitor_mm.c from CVS on AIX 4.2.1, gcc gives the following error:

monitor_mm.c: In function `mm_create':
monitor_mm.c:87: `MAP_FAILED' undeclared (first use in this function)
monitor_mm.c:87: (Each undeclared identifier is reported only once
monitor_mm.c:87: for each function it appears in.)
make: *** [monitor_mm.o] Error 1

This does not occur on AIX 4.3.3, where /usr/include/sys/mman.h contains "#define MAP_FAILED ((void *)-1)". Adding this #define to monitor_mm.c allows it to compile and run. I'm not sure what the proper fix is.

AIX 4.2.1 is no longer supported by IBM but some boxes are still running it.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From chua at ayrnetworks.com Wed Apr 3 12:26:30 2002
From: chua at ayrnetworks.com (Bryan Chua) Date: Tue, 02 Apr 2002 18:26:30 -0800 Subject: cross compilation? References: Message-ID: <3CAA6856.1080806@ayrnetworks.com> I am hoping that Mozilla doesn't hose it this time.... -- bryan Ben Lindstrom wrote: > Can you avoid reforming and just post the required changes you feel > should be made? It makes it very hard to decide if this is an > acceptable thing to do. > > - Ben > > On Tue, 2 Apr 2002, Bryan Chua wrote: > > >>../openssh-3.1p1/configure --host=mips-linux --build=i686-linux --with-pam >> does not work. >> >>It selects the correct toolchain prefix, but the configure script bails >>on cross-compilation. >> >>Attached is a patch that *might* make the right paranoid assumptions, >>but I am not positive. >> >>-- bryan --- configure.ac.orig Tue Feb 26 22:12:35 2002 +++ configure.ac Wed Mar 27 14:28:02 2002 @@ -437,20 +437,6 @@ ] ) -AC_MSG_CHECKING([whether struct dirent allocates space for d_name]) -AC_TRY_RUN( - [ -#include -#include -int main(void){struct dirent d;return(sizeof(d.d_name)<=sizeof(char));} - ], - [AC_MSG_RESULT(yes)], - [ - AC_MSG_RESULT(no) - AC_DEFINE(BROKEN_ONE_BYTE_DIRENT_D_NAME) - ] -) - # Check whether user wants S/Key support SKEY_MSG="no" AC_ARG_WITH(skey, @@ -469,11 +455,13 @@ SKEY_MSG="yes" AC_MSG_CHECKING([for s/key support]) - AC_TRY_RUN( + AC_TRY_LINK( [ -#include -#include -int main() { char *ff = skey_keyinfo(""); ff=""; return 0; } + #include + #include + ], + [ + char *ff = skey_keyinfo(""); ff=""; ], [AC_MSG_RESULT(yes)], [ @@ -625,6 +613,10 @@ AC_MSG_RESULT(no) AC_DEFINE(BROKEN_SNPRINTF) AC_MSG_WARN([****** Your snprintf() function is broken, complain to your vendor]) + ], + [ + AC_MSG_RESULT(assuming no) + AC_DEFINE(BROKEN_SNPRINTF) ] ) fi 
@@ -729,22 +721,21 @@ # Basic test to check for compatible version and correct linking # *does not* test for RSA - that comes later. - AC_TRY_RUN( + AC_TRY_LINK( [ -#include -#include -int main(void) -{ - char a[2048]; - memset(a, 0, sizeof(a)); - RAND_add(a, sizeof(a), sizeof(a)); - return(RAND_status() <= 0); -} + #include + #include + ], + [ + char a[2048]; + memset(a, 0, sizeof(a)); + RAND_add(a, sizeof(a), sizeof(a)); + return(RAND_status() <= 0); ], [ found_crypto=1 break; - ], [] + ], [ ] ) if test ! -z "$found_crypto" ; then @@ -800,26 +791,26 @@ else LIBS="$saved_LIBS -lRSAglue -lrsaref" fi - AC_TRY_RUN([ -#include -#include -#include -#include -#include -int main(void) -{ - int num; RSA *key; static unsigned char p_in[] = "blahblah"; - unsigned char c[256], p[256]; - memset(c, 0, sizeof(c)); RAND_add(c, sizeof(c), sizeof(c)); - if ((key=RSA_generate_key(512, 3, NULL, NULL))==NULL) return(1); - num = RSA_public_encrypt(sizeof(p_in) - 1, p_in, c, key, RSA_PKCS1_PADDING); - return(-1 == RSA_private_decrypt(num, c, p, key, RSA_PKCS1_PADDING)); -} - ], - [ + AC_TRY_LINK( + [ + #include + #include + #include + #include + #include + ], + [ + int num; RSA *key; static unsigned char p_in[] = "blahblah"; + unsigned char c[256], p[256]; + memset(c, 0, sizeof(c)); RAND_add(c, sizeof(c), sizeof(c)); + if ((key=RSA_generate_key(512, 3, NULL, NULL))==NULL) return(1); + num = RSA_public_encrypt(sizeof(p_in) - 1, p_in, c, key, RSA_PKCS1_PADDING); + return(-1 == RSA_private_decrypt(num, c, p, key, RSA_PKCS1_PADDING)); + ], + [ rsa_works=1 break; - ], []) + ], []) done LIBS="$saved_LIBS" @@ -856,6 +847,9 @@ [ AC_MSG_RESULT(no) AC_MSG_ERROR(Your OpenSSL headers do not match your library) + ], + [ + AC_MSG_RESULT(hoping so) ] ) @@ -885,6 +879,12 @@ # Default to use of the rand helper if OpenSSL doesn't # seed itself USE_RAND_HELPER=yes + ], + [ + AC_MSG_RESULT(not sure) + # Default to use of the rand helper if OpenSSL doesn't + # seed itself + USE_RAND_HELPER=yes ] ) 
@@ -1457,7 +1457,10 @@ #else main() { exit(0); } #endif - ], [ true ], [ AC_DEFINE(BROKEN_SNPRINTF) ] + ], + [ true ], + [ AC_DEFINE(BROKEN_SNPRINTF) ], + [ AC_DEFINE(BROKEN_SNPRINTF) ] ) fi AC_SUBST(NO_SFTP) @@ -1776,12 +1779,11 @@ ] ) fi -AC_CHECK_FILE("/dev/ptc", - [ - AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) - have_dev_ptc=1 - ] -) + +if test -f "/dev/ptc" ; then + AC_DEFINE_UNQUOTED(HAVE_DEV_PTS_AND_PTC) + have_dev_ptc=1 +fi # Options from here on. Some of these are preset by platform above AC_ARG_WITH(mantype, --- sftp-glob.c.orig Tue Feb 12 19:10:33 2002 +++ sftp-glob.c Wed Mar 27 14:27:30 2002 @@ -78,12 +78,9 @@ * Solaris defines dirent->d_name as a one byte array and expects * you to hack around it. */ -#ifdef BROKEN_ONE_BYTE_DIRENT_D_NAME - strlcpy(ret->d_name, od->dir[od->offset++]->filename, MAXPATHLEN); -#else strlcpy(ret->d_name, od->dir[od->offset++]->filename, - sizeof(ret->d_name)); -#endif + (sizeof(ret->d_name) <= sizeof(char))? + MAXPATHLEN: sizeof(ret->d_name)); #ifdef __GNU_LIBRARY__ /* * Idiot glibc uses extensions to struct dirent for readdir with From chua at ayrnetworks.com Wed Apr 3 12:53:21 2002 From: chua at ayrnetworks.com (Bryan Chua) Date: Tue, 02 Apr 2002 18:53:21 -0800 Subject: cross compilation? References: Message-ID: <3CAA6EA1.9010708@ayrnetworks.com> Trying to attach the patch.... Let me know if this works.... -- bryan Ben Lindstrom wrote: > Can you avoid reforming and just post the required changes you feel > should be made? It makes it very hard to decide if this is an > acceptable thing to do. > > - Ben > > On Tue, 2 Apr 2002, Bryan Chua wrote: > > >>../openssh-3.1p1/configure --host=mips-linux --build=i686-linux --with-pam >> does not work. >> -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: openssh.3.1p1.diffs Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020402/1af5a8f8/attachment.ksh From bugzilla-daemon at mindrot.org Wed Apr 3 13:15:00 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 3 Apr 2002 13:15:00 +1000 (EST)
Subject: [Bug 202] New: scp/ssh hangs
Message-ID: <20020403031500.04CE8EA89@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=202

           Summary: scp/ssh hangs
           Product: Portable OpenSSH
           Version: 3.1p1
          Platform: ix86
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: scp
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: zheyang at cis.upenn.edu
                CC: zheyang at cis.upenn.edu

The program "scp" hangs invariably on large files (mine is 18M in length). This behavior is observed with SSH version 3.1p1 under both the Windows XP platform and Linux [OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f]. The sshd server is running on SunOS 5.8 (solaris). I don't know its version, but the accompanying ssh program shows "SSH version 1.2.32 [sparc-sun-solaris2.7], protocol version 1.5".

I think that streaming under "ssh" doesn't work either: for example, X-connection hangs up after a while (Xfree86 on Windows). Adding "-oProtocol=1" makes everything work.

I tried OpenSSH 3.0.2p1 on Windows 2000 professional with the same sshd server and copying a large file causes no hanging problem.

This bug seems to be related to bug #124, reported by John Brown for the AIX platform.

Zhe

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 3 13:23:42 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 3 Apr 2002 13:23:42 +1000 (EST)
Subject: [Bug 200] readline support for sftp
Message-ID: <20020403032342.24C12EA87@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=200

------- Additional Comments From mouring at eviladmin.org 2002-04-03 13:23 -------
sadly enough.. Setting Assign To: is a sure fire way of a report not hitting the main list unless you add a cc:

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

From bugzilla-daemon at mindrot.org Wed Apr 3 14:12:09 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 3 Apr 2002 14:12:09 +1000 (EST)
Subject: [Bug 189] pam_setcred() failures should not be treated as fatal
Message-ID: <20020403041209.D4314EA95@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=189

------- Additional Comments From stevesk at pobox.com 2002-04-03 14:12 -------
what error return are you seeing? what are the pam_setcred() flags? why does it occur? why should it not be fatal?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 3 14:21:36 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 3 Apr 2002 14:21:36 +1000 (EST)
Subject: [Bug 193] sshd: error: select: Bad file number
Message-ID: <20020403042136.1E9D1EA98@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=193

------- Additional Comments From stevesk at pobox.com 2002-04-03 14:21 -------
did a prior openssh version work? which version? have any other sunos users seen this?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From markus at openbsd.org Wed Apr 3 19:28:52 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 3 Apr 2002 11:28:52 +0200
Subject: scp fails with "ls" or other command in sshrc
In-Reply-To: <20020403091307.93595.qmail@web10104.mail.yahoo.com>
References: <20020403091307.93595.qmail@web10104.mail.yahoo.com>
Message-ID: <20020403092852.GA3507@faui02>

sshrc MUST NOT produce any output on 'stdout', use 'stderr' instead.

On Wed, Apr 03, 2002 at 01:13:07AM -0800, Mark Pitt wrote:
> On AIX 4.3.3 with 2.9.9 and 3.1.p1, once I place "ls"
> or any other command in sshrc such as:
>
> ls
> ls > /tmp7junk.txt
> cat /tmp/junk.txt
>
> then scp simply ceases to work, stopping at first
> "file modes" debug message.
>
> export LSLIST=$( ls )
>
> echo $LSLIST
>
> however works.
>
> I noticed this with a program of mine, and then tried
> ls.
>
> Is this a bug or don't I understand something ?
>
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Tax Center - online filing with TurboTax
> http://taxes.yahoo.com/

From bugzilla-daemon at mindrot.org Wed Apr 3 23:54:11 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 3 Apr 2002 23:54:11 +1000 (EST)
Subject: [Bug 203] New: X11 forwarding ignores GatewayPorts flag
Message-ID: <20020403135411.C3B17E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=203

           Summary: X11 forwarding ignores GatewayPorts flag
           Product: Portable OpenSSH
           Version: 3.1p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: eric-openssh at omnifarious.org

I'm sshing to my computer at work, and forwarding my X connection. I would like to put windows up on my computer here from any of the computers on my company's local network. But, ssh steadfastly refuses to listen on *:6010, it will only listen on 127.0.0.1:6010

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 4 00:13:30 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 4 Apr 2002 00:13:30 +1000 (EST)
Subject: [Bug 203] X11 forwarding ignores GatewayPorts flag
Message-ID: <20020403141330.69EF6E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=203

------- Additional Comments From dtucker at zip.com.au 2002-04-04 00:13 -------
Add "X11UseLocalhost no" to sshd_config on your server. More details can be found in the sshd man page.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 4 00:20:09 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 4 Apr 2002 00:20:09 +1000 (EST)
Subject: [Bug 203] X11 forwarding ignores GatewayPorts flag
Message-ID: <20020403142009.3D873EAA8@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=203

eric-openssh at omnifarious.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From eric-openssh at omnifarious.org 2002-04-04 00:20 -------
I'm sorry, I didn't look at the sshd manpage, though I did carefully peruse the ssh manpage. Thanks. *sigh*

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Richard.Finch at ubsw.com Thu Apr 4 01:03:12 2002
From: Richard.Finch at ubsw.com (Richard.Finch at ubsw.com)
Date: Wed, 3 Apr 2002 16:03:12 +0100
Subject: Problems on ssh and Cygwin
Message-ID:

Hi,

I was given your name by a colleague of mine as someone who may be able to help me with ssh and Cygwin.

I've set up Cygwin and ssh - but every time I run ssh it asks me for my password. I want to set this up so I can use keys for the user and host pair to stop this happening, but have had no success.

The id_dsa.pub file generated by ssh-keygen actually starts with "ssh-dss", and if I manually change this to "ssh-dsa" then "ssh -v -v -v" says that "id_dsa type -1", but does print a line saying "read PEM", which is what we get on our unix machine.

Is there any way I can find out why it's not accepting the keys / id_dsa / id_dsa.pub / authorized_keys2, etc as putting -v -v -v doesn't really say why it's ignoring the key and dropping into the password protected bit.

Attached is the output of ssh -v -v -v to hope that this might give you some insight.

Thanks in advance for any help you may be able to give,

Richard Finch
ECM IT Technical Architect
Ext: 86059

-------------- next part --------------
$ ssh -v -v -v finchri@lldn0023022 "ls c:/"
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 49202 geteuid 49202 anon 1
debug1: Connecting to lldn0023022 [172.16.97.163] port 22.
debug1: temporarily_use_uid: 49202/10513 (e=49202)
debug1: restore_uid
debug1: temporarily_use_uid: 49202/10513 (e=49202)
debug1: restore_uid
debug1: Connection established.
debug1: identity file //nldn1274pfs/_finchri$/.ssh/identity type -1
debug1: identity file //nldn1274pfs/_finchri$/.ssh/id_rsa type -1
debug3: Not a RSA1 key file //nldn1274pfs/_finchri$/.ssh/id_dsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: no key found
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug3: key_read: no space
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: no key found
debug1: identity file //nldn1274pfs/_finchri$/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 118/256
debug1: bits set: 1618/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename //nldn1274pfs/_finchri$/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug3: check_host_in_hostfile: filename //nldn1274pfs/_finchri$/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1
debug1: Host 'lldn0023022' is known and matches the RSA host key.
debug1: Found key in //nldn1274pfs/_finchri$/.ssh/known_hosts:1
debug1: bits set: 1582/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: start over, passed a different list publickey,password,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: next auth method to try is publickey
debug1: try privkey: //nldn1274pfs/_finchri$/.ssh/identity
debug3: no such identity: //nldn1274pfs/_finchri$/.ssh/identity
debug1: try privkey: //nldn1274pfs/_finchri$/.ssh/id_rsa
debug3: no such identity: //nldn1274pfs/_finchri$/.ssh/id_rsa
debug1: try pubkey: //nldn1274pfs/_finchri$/.ssh/id_dsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug3: userauth_kbdint: disable: no info_req_seen
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred:
debug3: authmethod_is_enabled password
debug1: next auth method to try is password
finchri@lldn0023022's password:
debug1: packet_send2: adding 64 (len 60 padlen 4 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug1: send channel open 0
debug1: Entering interactive session.
debug2: callback start
debug1: ssh_session2_setup: id 0
debug1: Sending command: ls c:/
debug1: channel request 0: exec
debug2: callback done
debug1: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel 0: rcvd adjust 131072
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
AUTOEXEC.BAT AdobeWeb.log BOOTSECT.DOS COMMAND.COM CONFIG.SYS DRIVERS Documents and Settings Download FrontPage Webs IO.SYS Kawapro5.0 MS MSDOS.SYS NTDETECT.COM Perl Program Files RECYCLER SMS.INI SMS.NEW System Volume Information TD_72 WIN32APP WINNT WORKSTN boot.ini cc_views cygwin hclmrul.ini jdk1.2.2 jdk1.3.0_02 mvfslogs ntldr openmail.log pagefile.sys pjee3.0 temp users winnt4
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: channel 0: rcvd close
debug1: channel 0: close_read
debug1: channel 0: input open -> closed
debug3: channel 0: will not send data after close
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
debug3: channel_free: status: The following connections are open:
  #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1)
debug3: channel_close_fds: channel 0: r -1 w -1 e 6
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 4.4 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 0
-------------- next part --------------
Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments.

From Gerard.Breiner at ias.u-psud.fr Thu Apr 4 01:56:10 2002
From: Gerard.Breiner at ias.u-psud.fr (Gerard Breiner)
Date: Wed, 03 Apr 2002 17:56:10 +0200
Subject: OpenSSH version 3.1 on HPUX 11
Message-ID: <5.1.0.14.0.20020403174742.00b2fee0@neptune.ias.u-psud.fr>

Hello,

I have just installed Openssh 3.1 on HPUX 11.00. The command

ssh-keygen -t dsa -f /opt/openssh2/etc/ssh_host_dsa_key -N ""

doesn't stop; it seems to be waiting for some other parameters. How do I configure this, please? Any idea?

Best regards.

Gerard Breiner
gerard.breiner at ias.fr
Institut d'Astrophysique spatiale
Orsay
France

From bugzilla-daemon at mindrot.org Thu Apr 4 03:07:20 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 4 Apr 2002 03:07:20 +1000 (EST)
Subject: [Bug 153] NULL pointer passed to xfree() during client connection
Message-ID: <20020403170720.045B8E92D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=153

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From stevesk at pobox.com 2002-04-04 03:07 -------

from bernie:

Thanks for asking! I finally solved the problem this weekend. It turned out to be a glibc problem. Specifically, I had a mix of 2.1.3 and 2.2 files that caused confusion. Once I removed the 2.2 files, the build went fine.

closing.

From dwd at bell-labs.com Thu Apr 4 03:08:44 2002
From: dwd at bell-labs.com (Dave Dykstra)
Date: Wed, 3 Apr 2002 11:08:44 -0600
Subject: Is OpenSSH vulnerable to the ZLIB problem or isn't it?
In-Reply-To: <20020322183735.GA21975@lucent.com>
References: <20020322183735.GA21975@lucent.com>
Message-ID: <20020403170844.GA11863@lucent.com>

I'm disappointed that nobody has replied to my question. OpenSSH development team, isn't the potential for a remote root exploit something that's important to you? Many other tools that use zlib have issued a public statement saying they are or they are not vulnerable.

- Dave

On Fri, Mar 22, 2002 at 12:37:35PM -0600, Dave Dykstra wrote:
> SSH.COM says their SSH2 is not vulnerable to the ZLIB problem even though
> they use the library (details below). Can OpenSSH say the same thing?
>
> In either case, it seems like there ought to be an openssh-unix-announce
> message about what the situation is. I may have missed it, but I don't
> believe there was one. Yes, openssh doesn't have its own copy of zlib
> source but it would still be helpful to have a statement, especially since
> it appears under protocol 2 that it's potentially exploitable before
> authentication.
>
> - Dave Dykstra
>
>
> ----- Forwarded message from Erik Parker -----
>
> Mailing-List: contact secureshell-help at securityfocus.com; run by ezmlm
> List-Post:
> List-Help:
> List-Unsubscribe:
> List-Subscribe:
> Delivered-To: mailing list secureshell at securityfocus.com
> Delivered-To: moderator for secureshell at securityfocus.com
> Date: Wed, 20 Mar 2002 12:59:59 -0600 (CST)
> From: Erik Parker
> To: secureshell at securityfocus.com
> Subject: RE: ZLIB.. Where is SSH.COM?! Part 2 (fwd)
>
> ---------- Forwarded message ----------
> Date: Mon, 18 Mar 2002 08:08:41 -0800
> From: Thi Le
> To: Erik Parker
> Subject: RE: ZLIB.. Where is SSH.COM?!
>
> Dear Erik,
>
> We sincerely apologize for the delay in responding to your question and concerns.
>
> Below are the comments from our product management team:
>
> There has been a vulnerability in the zlib compression library that is being
> used by SSH Secure Shell and numerous other applications and operating
> systems.
>
> SSH Secure Shell is NOT vulnerable to this thanks to our implementation
> style.
>
> Our software is using the vulnerable zlib library, but it can't be
> exploited. If someone tries to perform an exploit only that specific
> connection will crash. Not the server nor any other connections.
>
> We will upgrade the zlib library in our future releases.
>
> CERT and CERT-FI have been notified, no other reaction is necessary at this
> point.
>
> For further technical information, please see the technical explanation
> below.
>
> The problem works as follows: when a maliciously corrupted compressed
> data stream is decompressed, it can cause the function
> inflate_blocks() to enter a certain state and return FALSE. If called
> again in this state, this function can cause a heap corruption
> exploitable by the attacker. (More precisely, both the first and the
> second call will attempt to free the same pointer. This is laid out
> in more detail in the advisory.)
>
> We do not use the zlib directly. Instead, we use a wrapper library
> bufzip that is the only point in our code that is in direct contact
> with the zlib.
>
> The crucial point is this: if bufzip calls the misbehaving function in
> the zlib, it always checks whether the return value is TRUE. If not,
> it terminates the process with a message that the compressed data
> stream is corrupted.
>
> Consequently, every attempt to attack makes the connection collapse
> with a nasty error, which is exactly what we want if an attack is
> going on. No other effects are possible.
>
> I hope that answers your question & concerns.
> Please feel free to contact
> me if I can be of any further assistance.
>
> Sincerely,
> Thi Le
> Eastern Region Territory Manager
> SSH Communications Security
>
>
> ----- End forwarded message -----
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From kevin at atomicgears.com Thu Apr 4 03:32:48 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Wed, 3 Apr 2002 09:32:48 -0800 (PST)
Subject: OpenSSH version 3.1 on HPUX 11
In-Reply-To: <5.1.0.14.0.20020403174742.00b2fee0@neptune.ias.u-psud.fr>
Message-ID:

On Wed, 3 Apr 2002, Gerard Breiner wrote:
:I have just installed Openssh 3.1 on HPUX 11.00.
:the command ssh-keygen -t dsa -f /opt/openssh2/etc/ssh_host_dsa_key -N ""
:doesn't stop; it seems to be waiting for some other parameters.
:How do I configure this, please?
:Any idea?

what entropy source are you using? perhaps run a syscall trace using tusc for some hints as to where it's blocked. that command works fine for me when configured according to:

http://www.atomicgears.com/papers/osshhpux.html

From dale at accentre.com Thu Apr 4 04:31:08 2002
From: dale at accentre.com (dale at accentre.com)
Date: Wed, 3 Apr 2002 10:31:08 -0800
Subject: Is OpenSSH vulnerable to the ZLIB problem or isn't it?
In-Reply-To: <20020403170844.GA11863@lucent.com>; from dwd@bell-labs.com on Wed, Apr 03, 2002 at 11:08:44AM -0600
References: <20020322183735.GA21975@lucent.com> <20020403170844.GA11863@lucent.com>
Message-ID: <20020403103108.A3012@cupro.opengvs.com>

On Wed, Apr 03, 2002 at 11:08:44AM -0600, Dave Dykstra wrote:
> I'm disappointed that nobody has replied to my question. OpenSSH
> development team, isn't the potential for a remote root exploit something
> that's important to you? Many other tools that use zlib have issued a
> public statement saying they are or they are not vulnerable.

The issue has been discussed on this list. I quote:
> From: Nalin Dahyabhai
> Subject: Re: zlib compression, the exploit, and OpenSSH
> Date: Wed, 13 Mar 2002 16:23:59 -0500
>
> On Wed, Mar 13, 2002 at 12:07:34PM -0800, ewheeler at kaico.com wrote:
> > 3. Does OpenSSH statically link (or can it/does it by default) to the
> > zlib library -- will updating the zlib library to 1.1.4 take care of the
> > situation?
>
> I can't speak to the rest of your questions, but because the portable
> tree doesn't bundle its own copy of zlib, OpenSSH links against the
> version installed on the system it's being compiled on. Usually that's
> a shared library if your OS has shared libraries, but it's going to be
> OS-specific.

From Nicolas.Williams at ubsw.com Thu Apr 4 04:44:01 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Wed, 3 Apr 2002 13:44:01 -0500
Subject: Is OpenSSH vulnerable to the ZLIB problem or isn't it?
In-Reply-To: <20020403103108.A3012@cupro.opengvs.com>; from dale@accentre.com on Wed, Apr 03, 2002 at 10:31:08AM -0800
References: <20020322183735.GA21975@lucent.com> <20020403170844.GA11863@lucent.com> <20020403103108.A3012@cupro.opengvs.com>
Message-ID: <20020403134400.X27398@sm2p1386swk.wdr.com>

On Wed, Apr 03, 2002 at 10:31:08AM -0800, dale at accentre.com wrote:
> On Wed, Apr 03, 2002 at 11:08:44AM -0600, Dave Dykstra wrote:
> > I'm disappointed that nobody has replied to my question. OpenSSH
> > development team, isn't the potential for a remote root exploit something
> > that's important to you? Many other tools that use zlib have issued a
> > public statement saying they are or they are not vulnerable.
>
> The issue has been discussed on this list. I quote:
[...]
> > I can't speak to the rest of your questions, but because the portable
> > tree doesn't bundle its own copy of zlib, OpenSSH links against the
> > version installed on the system it's being compiled on. Usually that's
> > a shared library if your OS has shared libraries, but it's going to be
> > OS-specific.

This is not a complete answer. A complete answer would be:

"SSHv2 is resistant to exploits of the ZLib bug, and so is OpenSSH when linked with zlib 1.1.3. But to be sure upgrade to Zlib 1.1.4."

Or

"SSHv2 is not resistant to exploits of the ZLib bug. OpenSSH linked with zlib 1.1.3 is vulnerable."

The protocol specific issue (i.e., "is SSHv2 resistant to the ZLib bug?") could be discussed on the IETF SECSH list.

Even if SSHv2 is not resistant to the ZLib bug OpenSSH might be for whatever reason (for example, the malloc()/free() implementation of a given platform has well defined harmless behaviour with double-free()s).

Cheers,

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

From mouring at etoh.eviladmin.org Thu Apr 4 04:50:48 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 3 Apr 2002 12:50:48 -0600 (CST)
Subject: Is OpenSSH vulnerable to the ZLIB problem or isn't it?
In-Reply-To: <20020403103108.A3012@cupro.opengvs.com>
Message-ID:

From markus at openbsd.org Thu Apr 4 05:12:23 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 3 Apr 2002 21:12:23 +0200
Subject: Is OpenSSH vulnerable to the ZLIB problem or isn't it?
In-Reply-To: <20020403170844.GA11863@lucent.com>
References: <20020322183735.GA21975@lucent.com> <20020403170844.GA11863@lucent.com>
Message-ID: <20020403191223.GC12952@faui02>

On Wed, Apr 03, 2002 at 11:08:44AM -0600, Dave Dykstra wrote:
> I'm disappointed that nobody has replied to my question. OpenSSH
> development team, isn't the potential for a remote root exploit something
> that's important to you? Many other tools that use zlib have issued a
> public statement saying they are or they are not vulnerable.

do you have an exploit? what would it look like? what would it do?
sorry, i'm not writing exploits, so i have no idea how such an exploit
should work. however, compress.c now has some code that should
prevent a double free from zlib.

From markus at openbsd.org Thu Apr 4 05:19:40 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 3 Apr 2002 21:19:40 +0200
Subject: Is OpenSSH vulnerable to the ZLIB problem or isn't it?
In-Reply-To: <20020403170844.GA11863@lucent.com>
References: <20020322183735.GA21975@lucent.com> <20020403170844.GA11863@lucent.com>
Message-ID: <20020403191939.GD12952@faui02>

On Wed, Apr 03, 2002 at 11:08:44AM -0600, Dave Dykstra wrote:
> > SSH Secure Shell is NOT vulnerable to this thanks to our implementation
> > style.

I don't think this is true. They seem to call inflateEnd() if inflate() fails. OpenSSH did the same. However, since I have no idea how to exploit this I cannot tell you whether we are vulnerable. But you should upgrade zlib in any case...

> > Our software is using the vulnerable zlib library, but it can't be
> > exploited. If someone tries to perform an exploit only that specific
> > connection will crash. Not the server nor any other connections.
> >
> > We will upgrade the zlib library in our future releases.
> >
> > CERT and CERT-FI have been notified, no other reaction is necessary at this
> > point.
> >
> > For further technical information, please see the technical explanation
> > below.
> >
> > The problem works as follows: when a maliciously corrupted compressed
> > data stream is decompressed, it can cause the function
> > inflate_blocks() to enter a certain state and return FALSE. If called
> > again in this state, this function can cause a heap corruption
> > exploitable by the attacker. (More precisely, both the first and the
> > second call will attempt to free the same pointer. This is laid out
> > in more detail in the advisory.)
> >
> > We do not use the zlib directly. Instead, we use a wrapper library
> > bufzip that is the only point in our code that is in direct contact
> > with the zlib.
> >
> > The crucial point is this: if bufzip calls the misbehaving function in
> > the zlib, it always checks whether the return value is TRUE.
> > If not,
> > it terminates the process with a message that the compressed data
> > stream is corrupted.
> >
> > Consequently, every attempt to attack makes the connection collapse
> > with a nasty error, which is exactly what we want if an attack is
> > going on. No other effects are possible.
> >
> > I hope that answers your question & concerns. Please feel free to contact
> > me if I can be of any further assistance.
> >
> > Sincerely,
> > Thi Le
> > Eastern Region Territory Manager
> > SSH Communications Security
> >
> >
> > ----- End forwarded message -----
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From deraadt at cvs.openbsd.org Thu Apr 4 05:34:08 2002
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Wed, 03 Apr 2002 12:34:08 -0700
Subject: Is OpenSSH vulnerable to the ZLIB problem or isn't it?
In-Reply-To: Your message of "Wed, 03 Apr 2002 21:12:23 +0200." <20020403191223.GC12952@faui02>
Message-ID: <200204031934.g33JY8Kp022595@cvs.openbsd.org>

> On Wed, Apr 03, 2002 at 11:08:44AM -0600, Dave Dykstra wrote:
> > I'm disappointed that nobody has replied to my question. OpenSSH
> > development team, isn't the potential for a remote root exploit something
> > that's important to you? Many other tools that use zlib have issued a
> > public statement saying they are or they are not vulnerable.
>
> do you have an exploit? what would it look like? what would it do?
> sorry, i'm not writing exploits, so i have no idea how such an exploit
> should work. however, compress.c now has some code that should
> prevent a double free from zlib.

Please go read www.openbsd.org/security.html

We do not do exploitability checking.

Many groups on the net do, and I feel they waste their time greatly doing so, instead of just fixing their code.

As a user, do what you should naturally do. Assume so. And upgrade. I mean, what is the problem? A bug has been fixed. A new release is out. Upgrade.

We simply do not do software release management in the way you want us to, and we never will. Why hold us accountable to do things in a stupid way which it is clear every single company on the planet does not follow either?

Why should we be better, when we are unfinanced, volunteer based, and such?

Know who publishes exploitability status reports? People who need the PR.

From Nicolas.Williams at ubsw.com Thu Apr 4 05:30:58 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Wed, 3 Apr 2002 14:30:58 -0500
Subject: Is OpenSSH vulnerable to the ZLIB problem or isn't it?
In-Reply-To: <20020403134400.X27398@sm2p1386swk.wdr.com>; from Nicolas.Williams@ubsw.com on Wed, Apr 03, 2002 at 01:44:01PM -0500
References: <20020322183735.GA21975@lucent.com> <20020403170844.GA11863@lucent.com> <20020403103108.A3012@cupro.opengvs.com> <20020403134400.X27398@sm2p1386swk.wdr.com>
Message-ID: <20020403143056.Y27398@sm2p1386swk.wdr.com>

On Wed, Apr 03, 2002 at 01:44:01PM -0500, Nicolas Williams wrote:
> > > I can't speak to the rest of your questions, but because the portable
> > > tree doesn't bundle its own copy of zlib, OpenSSH links against the
> > > version installed on the system it's being compiled on. Usually that's
> > > a shared library if your OS has shared libraries, but it's going to be
> > > OS-specific.
>
> This is not a complete answer. A complete answer would be:
>
> "SSHv2 is resistant to exploits of the ZLib bug, and so is OpenSSH when
> linked with zlib 1.1.3. But to be sure upgrade to Zlib 1.1.4."
>
> Or
>
> "SSHv2 is not resistant to exploits of the ZLib bug. OpenSSH linked
> with zlib 1.1.3 is vulnerable."

Actually, "no one has stated that they can exploit OpenSSH with Zlib 1.1.3 and no one has posted credible analysis as to SSHv2's or OpenSSH's vulnerability to this bug" is a good enough response, if true.

It seems that that's just about the case too.

Just upgrade :)

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

From dwd at bell-labs.com Thu Apr 4 05:48:44 2002
From: dwd at bell-labs.com (Dave Dykstra)
Date: Wed, 3 Apr 2002 13:48:44 -0600
Subject: Is OpenSSH vulnerable to the ZLIB problem or isn't it?
In-Reply-To: <200204031934.g33JY8Kp022595@cvs.openbsd.org>
References: <20020403191223.GC12952@faui02> <200204031934.g33JY8Kp022595@cvs.openbsd.org>
Message-ID: <20020403194844.GB13979@lucent.com>

On Wed, Apr 03, 2002 at 12:34:08PM -0700, Theo de Raadt wrote:
> > On Wed, Apr 03, 2002 at 11:08:44AM -0600, Dave Dykstra wrote:
> > > I'm disappointed that nobody has replied to my question. OpenSSH
> > > development team, isn't the potential for a remote root exploit something
> > > that's important to you? Many other tools that use zlib have issued a
> > > public statement saying they are or they are not vulnerable.
> >
> > do you have an exploit? what would it look like? what would it do?
> > sorry, i'm not writing exploits, so i have no idea how such an exploit
> > should work. however, compress.c now has some code that should
> > prevent a double free from zlib.
>
> Please go read www.openbsd.org/security.html

That's wonderful, it has a statement on the zlib bug. The corresponding page at www.openssh.org/security.html, however, does not. That's all I'm asking for.

> We do not do exploitability checking.
>
> Many groups on the net do, and I feel they waste their time greatly
> doing so, instead of just fixing their code.

I'm not asking for a detailed check, just a quick educated opinion from the people who know the code best.

> As a user, do what you should naturally do. Assume so. And upgrade.
> I mean, what is the problem? A bug has been fixed. A new release is
> out. Upgrade.

Please post a recommendation to do that then.

> We simply do not do software release management in the
> way you want us to, and we never will. Why hold us accountable to do
> things in a stupid way which it is clear every single company on the
> planet does not follow either?
>
> Why should we be better, when we are unfinanced, volunteer based, and
> such?

I'm not asking you to do that. I do that for openssh binaries for a lot of people, and I'd just like some advice on whether or not it's worth initiating my process to get all my users to upgrade.

> Know who publishes exploitability status reports? People who need the
> PR.

Thanks.

- Dave Dykstra

From deraadt at cvs.openbsd.org Thu Apr 4 06:01:24 2002
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Wed, 03 Apr 2002 13:01:24 -0700
Subject: Is OpenSSH vulnerable to the ZLIB problem or isn't it?
In-Reply-To: Your message of "Wed, 03 Apr 2002 13:48:44 CST." <20020403194844.GB13979@lucent.com>
Message-ID: <200204032001.g33K1OKp028376@cvs.openbsd.org>

> On Wed, Apr 03, 2002 at 12:34:08PM -0700, Theo de Raadt wrote:
> > > On Wed, Apr 03, 2002 at 11:08:44AM -0600, Dave Dykstra wrote:
> > > > I'm disappointed that nobody has replied to my question. OpenSSH
> > > > development team, isn't the potential for a remote root exploit something
> > > > that's important to you? Many other tools that use zlib have issued a
> > > > public statement saying they are or they are not vulnerable.
> > >
> > > do you have an exploit? what would it look like? what would it do?
> > > sorry, i'm not writing exploits, so i have no idea how such an exploit
> > > should work. however, compress.c now has some code that should
> > > prevent a double free from zlib.
> >
> > Please go read www.openbsd.org/security.html
>
> That's wonderful, it has a statement on the zlib bug. The corresponding
> page at www.openssh.org/security.html, however, does not. That's all I'm
> asking for.

That statement is about OpenBSD, not about OpenSSH.

I wanted you to read the rest. About how we find and fix bugs, and do not do exploitability testing:

> > We do not do exploitability checking.
> >
> > Many groups on the net do, and I feel they waste their time greatly
> > doing so, instead of just fixing their code.
>
> I'm not asking for a detailed check, just a quick educated opinion from the
> people who know the code best.

We know there is a bug. We do not know what exact code causes these bugs. Our educated opinion is that there was a bug. We will go no further, since we do not know.

Or, should I? In my educated opinion, we probably fixed another critical bug in the last week. Is it a hole?
In my educated opinion, it is quite likely that we have fixed something which could have disastrous side effects.

And yes, I am for real. That is how it works, and I am sure you know that is how it works.

> > As a user, do what you should naturally do. Assume so. And upgrade.
> > I mean, what is the problem? A bug has been fixed. A new release is
> > out. Upgrade.
>
> Please post a recommendation to do that then.

No, I do not think that is needed.

I could go further and say that systems which have weak mallocs which do not handle this, are broken. How many more double free holes are we going to see before some of these systems fix their mallocs?

> > We simply do not do software release management in the
> > way you want us to, and we never will. Why hold us accountable to do
> > things in a stupid way which it is clear every single company on the
> > planet does not follow either?
> >
> > Why should we be better, when we are unfinanced, volunteer based, and
> > such?
>
> I'm not asking you to do that. I do that for openssh binaries for a lot
> of people, and I'd just like some advice on whether or not it's worth
> initiating my process to get all my users to upgrade.

I've heard you are an intelligent person capable of making your own decisions, and I think you can make this decision on your own.

From markus at openbsd.org Thu Apr 4 05:59:03 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 3 Apr 2002 21:59:03 +0200
Subject: Is OpenSSH vulnerable to the ZLIB problem or isn't it?
In-Reply-To: <20020403194844.GB13979@lucent.com>
References: <20020403191223.GC12952@faui02> <200204031934.g33JY8Kp022595@cvs.openbsd.org> <20020403194844.GB13979@lucent.com>
Message-ID: <20020403195902.GA11516@faui02>

On Wed, Apr 03, 2002 at 01:48:44PM -0600, Dave Dykstra wrote:
> > Please go read www.openbsd.org/security.html
>
> That's wonderful, it has a statement on the zlib bug. The corresponding
> page at www.openssh.org/security.html, however, does not.

because it's a problem of the system and not a problem of the application

From jclonguet at free.fr Thu Apr 4 07:58:25 2002
From: jclonguet at free.fr (Jean-Charles Longuet)
Date: Wed, 03 Apr 2002 23:58:25 +0200
Subject: [PATCH] connect() timeout
Message-ID: <3CAB7B01.270260E6@free.fr>

Here is a version of this widely used patch specific for OpenSSH 3.1p1, as it is still not in the main tree (perhaps one day...)

The patch avoids spending too much time when doing an ssh()/scp() on a down host, as it does not depend on the default TCP timeout used by connect(). Patch was tested on Linux, Solaris and HP-UX.

The patch can also be found on:
http://charts.free.fr/openssh-3.1p1-timeout.patch

Hope it will help you...

--
Jean-Charles Longuet

-------------- next part --------------
--- openssh-3.1p1/readconf.c.ORIG Tue Feb 5 02:26:35 2002 +++ openssh-3.1p1/readconf.c Wed Apr 3 23:34:34 2002 @@ -115,7 +115,8 @@ oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, - oClearAllForwardings, oNoHostAuthenticationForLocalhost + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oConnectTimeout } OpCodes; /* Textual representations of the tokens. */
@@ -187,6 +188,7 @@ { "smartcarddevice", oSmartcardDevice }, { "clearallforwardings", oClearAllForwardings }, { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost }, + { "connecttimeout", oConnectTimeout }, { NULL, oBadOption } }; @@ -294,6 +296,19 @@ /* don't panic, but count bad options */ return -1; /* NOTREACHED */ + + case oConnectTimeout: + intptr = &options->connection_timeout; +parse_time: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing time argument.", filename, linenum); + if ((value = convtime(arg)) == -1) + fatal("%.200s line %d: Invalid time argument.", filename, linenum); + if (*intptr == -1) + *intptr = value; + break; + case oForwardAgent: intptr = &options->forward_agent; parse_flag: @@ -775,6 +790,7 @@ options->compression_level = -1; options->port = -1; options->connection_attempts = -1; + options->connection_timeout = -1; options->number_of_password_prompts = -1; options->cipher = -1; options->ciphers = NULL; --- openssh-3.1p1/readconf.h.ORIG Tue Mar 5 02:53:05 2002 +++ openssh-3.1p1/readconf.h Wed Apr 3 23:33:48 2002 @@ -68,6 +68,8 @@ int port; /* Port to connect. */ int connection_attempts; /* Max attempts (seconds) before * giving up */ + int connection_timeout; /* Max time (seconds) before + * aborting connection attempt */ int number_of_password_prompts; /* Max number of password * prompts. */ int cipher; /* Cipher to use. */ --- openssh-3.1p1/ssh.1.ORIG Tue Feb 19 05:27:24 2002 +++ openssh-3.1p1/ssh.1 Wed Apr 3 23:33:48 2002 
@@ -807,6 +807,12 @@ The argument must be an integer. This may be useful in scripts if the connection sometimes fails. The default is 1. +.It Cm ConnectTimeout +Specifies the timeout used when connecting to the ssh +server, instead of using default system values. This value is used +only when the target is down or really unreachable, not when it +refuses the connection. This may be usefull for tools using ssh +for communication, as it avoid long TCP timeouts. .It Cm DynamicForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application --- openssh-3.1p1/ssh.c.ORIG Tue Feb 19 05:20:58 2002 +++ openssh-3.1p1/ssh.c Wed Apr 3 23:33:48 2002 @@ -674,7 +674,7 @@ /* Open a connection to the remote host. */ cerr = ssh_connect(host, &hostaddr, options.port, IPv4or6, - options.connection_attempts, + options.connection_attempts, options.connection_timeout, original_effective_uid != 0 || !options.use_privileged_port, pw, options.proxy_command); --- openssh-3.1p1/sshconnect.c.ORIG Tue Mar 5 19:59:46 2002 +++ openssh-3.1p1/sshconnect.c Wed Apr 3 23:33:48 2002 
@@ -222,6 +222,64 @@ return sock; } +int +timeout_connect(int sockfd, const struct sockaddr *serv_addr, + socklen_t addrlen, int timeout) +{ + int rc; + fd_set fds; + + int optval = 0; + socklen_t optlen = sizeof(optval); + struct timeval tv; + + + if (timeout <= 0) + return(connect(sockfd, serv_addr, addrlen)); + + if (fcntl(sockfd, F_SETFL, O_NONBLOCK) < 0) + { + return -1; + } + + rc = connect(sockfd, serv_addr, addrlen); + if (rc == 0) + return 0; + if (errno != EINPROGRESS) + return -1; + + FD_ZERO(&fds); + FD_SET(sockfd, &fds); + tv.tv_sec = timeout; + tv.tv_usec = 0; + rc=select(sockfd+1, NULL, &fds, NULL, &tv); + + switch(rc) { + case 0: + errno = ETIMEDOUT; + case -1: + return -1; + break; + case 1: + if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, &optlen) == -1) + return -1; + if (optval != 0) + { + errno = optval; + return -1; + } + return 0; + + default: + /* Should not occur */ + return -1; + break; + } + + return -1; + +} + /* * Opens a TCP/IP connection to the remote server on the given host. * The address of the remote host will be returned in hostaddr. @@ -241,7 +299,7 @@ */ int ssh_connect(const char *host, struct sockaddr_storage * hostaddr, - u_short port, int family, int connection_attempts, + u_short port, int family, int connection_attempts, int connection_timeout, int anonymous, struct passwd *pw, const char *proxy_command) { int gaierr; @@ -323,7 +381,8 @@ * the remote uid as root. */ temporarily_use_uid(pw); - if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) { + if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen, + connection_timeout) >= 0) { /* Successful connection. */ memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); restore_uid(); --- openssh-3.1p1/sshconnect.h.ORIG Wed Oct 10 07:07:45 2001 +++ openssh-3.1p1/sshconnect.h Wed Apr 3 23:33:48 2002 
@@ -28,7 +28,7 @@ int ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int, - int, struct passwd *, const char *); + int, int, struct passwd *, const char *); void ssh_login(Key **, int, const char *, struct sockaddr *, struct passwd *);
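Review bot: in the readconf.c hunk, the new `case oConnectTimeout:` stores whatever convtime() returns, and fill_default_options leaves connection_timeout at -1 when the option is absent; both -1 and 0 then reach timeout_connect and silently mean "plain blocking connect()", but nothing in the parser or in ssh.1 says so. Either reject 0 at `parse_time:` with the same fatal() used for an invalid argument, or document that 0 and an unset option both keep the system default. The `parse_time:` label is also not jumped to from anywhere else yet; if it is meant as a hook for future time-valued options, a comment saying so would stop it being removed as dead code.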
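Review bot: the ssh.1 hunk has two spelling slips ("usefull", "as it avoid") and does not tell the user what the argument looks like: since the value is parsed with convtime(), it accepts the same time formats as the other time options, and the text should say that and state the unit of a bare number (seconds, per the readconf.h comment in the same patch). It should also state the default behaviour when the option is not set, which is to leave the connect() timeout to the operating system.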
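Review bot: in the sshconnect.c hunk, timeout_connect() sets non-blocking mode with a bare `fcntl(sockfd, F_SETFL, O_NONBLOCK)`, which discards any flags already set, and never clears it, so after a successful connect the socket stays non-blocking for the banner exchange and everything that follows in ssh_connect()'s caller; fetch the flags with F_GETFL first and restore them on every return path. `FD_SET(sockfd, &fds)` on a stack fd_set writes past the set for any descriptor numbered FD_SETSIZE or higher, so the set should be allocated and sized for the descriptor actually in use. A select() that returns -1 with errno EINTR is treated as a failed connection attempt rather than retried. Finally, the drop from `case 0:` (which sets ETIMEDOUT) into `case -1:` is intentional but unmarked; a `/* FALLTHROUGH */` comment would keep a later cleanup from breaking the timeout errno, and the `break` statements after `return -1` are unreachable and can go.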
From: dan at doxpara.com (Dan Kaminsky)
Date: Wed, 3 Apr 2002 14:00:56 -0800
Subject: Is OpenSSH vulnerable to the ZLIB problem or isn't it?
References: <200204032001.g33K1OKp028376@cvs.openbsd.org>
Message-ID: <006601c1db5b$085faf80$1701000a@effugas>

> We know there is a bug. We do not know what exact code causes these
> bugs. Our educated opinion is that there was a bug. We will go no
> further, since we do not know.
>
> Or, should I? In my educated opinion, we probably fixed another
> critical bug in the last week. Is it a hole? In my educated opinion,
> it is quite likely that we have fixed something which could have
> disastrous side effects. And yes, I am for real. That is how it works,
> and I am sure you know that is how it works.

Interestingly enough, I was a bit annoyed to hear about a remote root compromise in OpenSSH when it remained "just a possibility". It's kind of funny to see the difference in Theo's style vs. the corporate style: Theo presumes a major hole, even without absolute proof; SSH.Com and most other corps presume no hole at all unless absolute proof is given.

I think the bottom line from the OpenSSH team seems to be "We don't need an exploit to fix our bugs." That other groups *do* require that exploit is one of the prime reasons exploits generally need to be built. Their position certainly isn't unreasonable, and to be honest it's reflected somewhat in the OpenSSH developers' annoyance at security reports that omit *both* the exploit *and* any explanation for how it might work -- see the reaction to CRC32 overflow claims. Perfectly reasonable. Life is full of imaginary risks; humans use direct example to calibrate their fears. Most people need that actual exploit to motivate them to fix their code. Theo's paranoid enough not to require that ;-)

As for whether users should upgrade -- emergency patching procedures are generally warranted when there's an emergent condition.
Certainly it's undeniable that an upgrade cycle should occur within a reasonable timeframe, and it should be a global upgrade. But I don't think there's a 24 hour criticality to this, like there *would* be for your traditional Remote Root announcement. There's a very interesting argument which says that widespread knowledge of vulnerabilities in the purely theoretical phase are the convenient calm to upgrade within before the storm of exploits.

This is of course the reasonably obscure condition of a hole in a massively shared library without any clear method of exploiting it. Most vulnerabilities translate more readily to immediate attacks.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 4 Apr 2002 08:10:28 +1000 (EST)
Subject: [Bug 184] 3.1p1 openssh fails to build a working sshd on Trusted HP-UX 10.26
Message-ID: <20020403221028.22B68E9FE@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=184

------- Additional Comments From dcole at keysoftsys.com 2002-04-04 08:10 -------
Created an attachment (id=60)
better style (no c++ comments), and incorporation of suggestions
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Wed, 03 Apr 2002 16:07:29 -0700
Subject: Is OpenSSH vulnerable to the ZLIB problem or isn't it?
In-Reply-To: Your message of "Wed, 03 Apr 2002 14:00:56 PST." <006601c1db5b$085faf80$1701000a@effugas>
Message-ID: <200204032307.g33N7TKp006585@cvs.openbsd.org>

> This is of course the reasonably obscure condition of a hole in a massively
> shared library without any clear method of exploiting it. Most
> vulnerabilities translate more readily to immediate attacks.

I do not think that libz is really to blame here. I think that you are going to see about 10 "malloc does not detect duplicate free" holes in the next year.

We have other security features in our libc malloc, for instance, even one that prevents the ssh crc32 overflow from working. It does this by returning write protected blocks of memory for malloc(0) allocations.

These features will stop holes from happening. Other vendors are not building these protections in. Instead, they show how dutiful they are with respect to security by making fancy announcements.

I wish we could be as cool as them, but naw.
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 4 Apr 2002 17:51:44 +1000 (EST)
Subject: [Bug 204] New: Authentication fails when username contains an at-sign
Message-ID: <20020404075144.E3CADE98B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=204

           Summary: Authentication fails when username contains an at-sign
           Product: Portable OpenSSH
           Version: 3.1p1
          Platform: All
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: britt at yenne.net

I have a Linux box running the Ensim web hosting software. Users on virtual accounts are required to log in using domain-qualified usernames like "user at host.com", for instance:

    ssh hostname -l user at host.com

This worked with SSH version 2.9p2-11.7 but fails with 3.1p1. I tracked the problem down to a change at line 376 in auth1.c:

    /* XXX - SSH.com Kerberos v5 braindeath. */
    if ((p = strchr(user, '@')) != NULL)
        *p = '\0';

Commenting out that code fixes the problem, although now I'm having a problem with pty allocation. Sigh.

-britt
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 4 Apr 2002 18:49:44 +1000 (EST)
Subject: [Bug 204] Authentication fails when username contains an at-sign
Message-ID: <20020404084944.13D0FEA17@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=204

------- Additional Comments From britt at yenne.net 2002-04-04 18:49 -------
Okay, commenting out those lines definitely solved the problem. The pty issue happened because I didn't configure with PAM, and evidently Ensim has done something sneaky there. So, definitely a problem.

-britt
From: bordewijk at fox-it.com (Lourens Bordewijk)
Date: Thu, 4 Apr 2002 13:32:33 +0200
Subject: challenge-response token
Message-ID:

Hello,

I have to find a solution to log on through OpenSSH to OpenBSD machines from anywhere in the world (unsafe computers). So I think I must use a challenge-response system with a hardware token that isn't connected to the computer. I do not want to use a RSA ACE/SERVER, so I can't use SecurID? I can't use challenge response mode with cryptocard, because I want to protect it against an attacker that can break DES. Is it possible to use ActivCard with OpenSSH and OpenBSD? Are there other solutions? Is there anyone who can help me?

Thanx,

>SecurID is probably the easiest (for you and your users). Cryptocard is
>probably the cheapest. Activcard is probably the hardest to implement.
>I'd say they are all within the realm of "good". Don't use challenge
>response mode with cryptocard if you wish to protect against an attacker
>that can break DES. Your users won't like challenge/response mode anyway.
>Funny thing, cryptocard can store 3 keys and so could do 3DES if they
>wanted, or they could do a 2-key scheme which is unbreakable with any
>computing power. Oh well. I think I'll patent that and license it back
>to them. :-\

Lourens Bordewijk
Fox-IT Forensic IT Experts B.V.
Oude Delft 47
2611 BC Delft
Tel: 015 - 21 91 111
________________________________________________________
http://www.fox-it.com
________________________________________________________

From: Roumen.Petrov at skalasoft.com (Roumen Petrov)
Date: Thu, 4 Apr 2002 16:12:12 +0300
Subject: openssh and x509 extension
Message-ID:

I have just finished support for x509 certificates. More information on this page:
http://satva.skalasoft.com/~rumen/openssh/
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 4 Apr 2002 16:09:58 +0200
Subject: [PATCH] connect() timeout
In-Reply-To: <3CAB7B01.270260E6@free.fr>
References: <3CAB7B01.270260E6@free.fr>
Message-ID: <20020404140958.GA6477@folly>

nice, could you please add this to http://bugzilla.mindrot.org/

On Wed, Apr 03, 2002 at 11:58:25PM +0200, Jean-Charles Longuet wrote:
> + fd_set fds;
> +
> + int optval = 0;
  ^^ pipe thought unexpand.
> + struct timeval tv;
> +
> +
  ^^ check style(9)
> + if (timeout <= 0)
> + return(connect(sockfd, serv_addr, addrlen));
> +
> + if (fcntl(sockfd, F_SETFL, O_NONBLOCK) < 0)
> + {
  ^^ check style(9)
> + rc = connect(sockfd, serv_addr, addrlen);
> + if (rc == 0)
> + return 0;
> + if (errno != EINPROGRESS)
> + return -1;
> +
> + FD_ZERO(&fds);
> + FD_SET(sockfd, &fds);
  ^^^ the fdset might overflow, please allocate fds dynamically like the rest of ssh does.

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Apr 2002 00:22:12 +1000 (EST)
Subject: [Bug 204] Authentication fails when username contains an at-sign
Message-ID: <20020404142212.4C422EA5E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=204

------- Additional Comments From markus at openbsd.org 2002-04-05 00:22 -------
Created an attachment (id=61)
this should help, but patch needs some more work
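A connect-with-timeout written to Markus's two review points above (keep the descriptor's original flags, and size the fd_set for the descriptor actually in use instead of a fixed stack fd_set), as an added example. It is neither the posted patch nor OpenSSH's own code; connect_timeout, fdset_bytes and selftest_loopback are names chosen here, and the loopback listener in the self-test is constructed only so the function can be exercised offline.

```c
/* connect(2) with a timeout, sized for any descriptor number.
 * Added example, not OpenSSH code; helper names are assumptions. */
#include <sys/types.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bytes for an fd_set able to hold descriptors 0..nfds-1. This mirrors the
 * howmany(nfds, NFDBITS) * sizeof(fd_mask) sizing OpenSSH uses for its
 * dynamically allocated sets; fd_mask is a long on glibc and the BSDs. */
size_t fdset_bytes(int nfds)
{
    size_t bits = 8 * sizeof(long);
    return (((size_t)nfds + bits - 1) / bits) * sizeof(long);
}

/* Returns 0 on success or -1 with errno set (ETIMEDOUT after timeout_s
 * seconds). The descriptor's file status flags are restored on every
 * path, so the caller gets its blocking socket back. */
int connect_timeout(int sock, const struct sockaddr *sa, socklen_t salen,
                    int timeout_s)
{
    int flags, rc, err = 0, saved_errno;
    socklen_t errlen = sizeof(err);
    fd_set *wset = NULL;
    size_t nbytes;
    struct timeval tv;

    if (timeout_s <= 0)
        return connect(sock, sa, salen);   /* caller wants the system default */
    if ((flags = fcntl(sock, F_GETFL, 0)) == -1)
        return -1;
    if (fcntl(sock, F_SETFL, flags | O_NONBLOCK) == -1)
        return -1;

    rc = connect(sock, sa, salen);
    if (rc == -1 && errno == EINPROGRESS) {
        nbytes = fdset_bytes(sock + 1);
        if ((wset = calloc(1, nbytes)) == NULL) {
            rc = -1;
        } else {
            tv.tv_sec = timeout_s;
            tv.tv_usec = 0;
            do {
                memset(wset, 0, nbytes);     /* set contents are undefined after EINTR */
                FD_SET(sock, wset);
                rc = select(sock + 1, NULL, wset, NULL, &tv);
            } while (rc == -1 && errno == EINTR);
            if (rc == 0) {                   /* never became writable: timed out */
                errno = ETIMEDOUT;
                rc = -1;
            } else if (rc > 0) {             /* writable: fetch the real connect result */
                rc = getsockopt(sock, SOL_SOCKET, SO_ERROR, &err, &errlen);
                if (rc == 0 && err != 0) {
                    errno = err;
                    rc = -1;
                }
            }
        }
    }
    saved_errno = errno;
    free(wset);
    (void)fcntl(sock, F_SETFL, flags);       /* back to the caller's flags */
    errno = saved_errno;
    return rc;
}

/* Self-check against a loopback listener created here (constructed input):
 * returns 0 when the connect succeeds and the socket is blocking again. */
int selftest_loopback(void)
{
    struct sockaddr_in sin = { .sin_family = AF_INET };
    socklen_t len = sizeof(sin);
    int lsock = socket(AF_INET, SOCK_STREAM, 0);
    int csock = socket(AF_INET, SOCK_STREAM, 0);
    int flags, ret = -1;

    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks one */
    if (lsock != -1 && csock != -1 &&
        bind(lsock, (struct sockaddr *)&sin, sizeof(sin)) == 0 &&
        listen(lsock, 1) == 0 &&
        getsockname(lsock, (struct sockaddr *)&sin, &len) == 0 &&
        connect_timeout(csock, (struct sockaddr *)&sin, sizeof(sin), 5) == 0 &&
        (flags = fcntl(csock, F_GETFL, 0)) != -1 && !(flags & O_NONBLOCK))
        ret = 0;
    if (lsock != -1) close(lsock);
    if (csock != -1) close(csock);
    return ret;
}
```

The timeout branch itself (a host that never answers) cannot be exercised without a black-holed address, which is why the self-test only covers the immediate-success path and the flag restoration. On Linux select() rewrites the timeval with the remaining time, so the EINTR retry keeps the original deadline there; other systems restart the full interval. The FD_SET on a heap-allocated set is the approach Markus asks for; poll(2) avoids the FD_SETSIZE question entirely and is the usual choice today.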
From: fcusack at fcusack.com (Frank Cusack)
Date: Thu, 4 Apr 2002 12:43:53 -0800
Subject: challenge-response token
In-Reply-To: ; from bordewijk@fox-it.com on Thu, Apr 04, 2002 at 01:32:33PM +0200
References:
Message-ID: <20020404124353.B7792@google.com>

On Thu, Apr 04, 2002 at 01:32:33PM +0200, Lourens Bordewijk wrote:
> Hello,
>
> I have to find a solution logon through OpenSSH to OpenBSD machines from
> anywhere in the world (unsave computers). So I think I must use a
> challenge-response system with an hardware token that isn't connected to the
> computer. I do not want to use a RSA ACE/SERVER, so i can't use SecurID ? I
> can't use challenge response mode with cryptocard, because I want to protect
> it against an attacker that can break DES. Is it possible to use ActivCard
> with OpenSSH and OpenBSD ? Are there other solutions ?

So use synchronous mode with cryptocard.

Or yes, you can use activcard. You will have to use their server (sounds like you don't want to do that) or buy their dev kit which is a bit pricy and then write a lot of code.

/fc

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Apr 2002 18:50:40 +1000 (EST)
Subject: [Bug 68] Manpage for ssh-add and scp missing after "make install"
Message-ID: <20020405085040.E5581E915@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=68

------- Additional Comments From stevesk at pobox.com 2002-04-05 18:50 -------
has the cause of this been resolved? i have never seen this on hp-ux.
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Apr 2002 18:58:31 +1000 (EST)
Subject: [Bug 75] Error compiling in ssh-agent.c
Message-ID: <20020405085831.762DEE922@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=75

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From stevesk at pobox.com 2002-04-05 18:58 -------
ssh-agent doesn't use atexit() now. closing.

should we remove atexit stuff from portable defines.h etc?

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Apr 2002 19:12:12 +1000 (EST)
Subject: [Bug 87] Last logon that gets reported upon login is the current login time
Message-ID: <20020405091212.CDAF9E92C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=87

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |openssh-unix-dev at mindrot.org
         AssignedTo|openssh-unix-dev at mindrot.org|stevesk at pobox.com

------- Additional Comments From stevesk at pobox.com 2002-04-05 19:12 -------
i see this too. will investigate. PAM is fragile.
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Apr 2002 19:18:28 +1000 (EST)
Subject: [Bug 93] Added ability for ssh-add to parse config files to retrieve a list of valid IdentityFiles.
Message-ID: <20020405091828.22C31E948@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=93

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From stevesk at pobox.com 2002-04-05 19:18 -------
wontfix

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Apr 2002 19:23:21 +1000 (EST)
Subject: [Bug 96] bsd-cray.h modifications to allow correct UNICOS execution
Message-ID: <20020405092321.3F3E6E983@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=96

------- Additional Comments From stevesk at pobox.com 2002-04-05 19:23 -------
the cray support is incomplete now, is that correct? if so, what is needed to complete it?
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Apr 2002 19:41:49 +1000 (EST)
Subject: [Bug 202] scp/ssh hangs
Message-ID: <20020405094149.3D428E992@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=202

------- Additional Comments From stevesk at pobox.com 2002-04-05 19:41 -------
this only occurs with protocol 2 to the sun? what protocol 2 server is on the sun? ssh.com something? i don't think they do scp over ssh2.

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Apr 2002 19:58:14 +1000 (EST)
Subject: [Bug 39] segmentation violations & bus errors
Message-ID: <20020405095814.CF04FE999@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=39

------- Additional Comments From stevesk at pobox.com 2002-04-05 19:58 -------
is this still an open issue?

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Apr 2002 20:01:50 +1000 (EST)
Subject: [Bug 32] ssh fails with "Bus error" upon connection
Message-ID: <20020405100150.0A8C3EA6C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=32

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From stevesk at pobox.com 2002-04-05 20:01 -------
no stack trace
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Apr 2002 20:15:31 +1000 (EST)
Subject: [Bug 25] ssh_exchange_identification
Message-ID: <20020405101531.8E546EA6E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=25

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From stevesk at pobox.com 2002-04-05 20:15 -------
no debug input

From: bennt at attbi.com (Benn Tannenbaum)
Date: Thu, 04 Apr 2002 14:16:16 -0800
Subject: Problems with ./config on Mac OS X
Message-ID:

My apologies for sending this to such a generic list.

My ultimate goal is to compile Kerberos-aware ssh and scp on my Mac running OS X 10.1.3. To that end, I downloaded openssh-3.1p1. Following the instructions, I also downloaded and installed openssl-0.9.6c. I did a

    % make; make install

for that. It seems to be happy. However, when I run ./config, I get this error:

    checking whether OpenSSL's headers match the library... no
    configure: error: Your OpenSSL headers do not match your library

What am I doing wrong? Thanks for any help/insight you can provide!

-Benn
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 5 Apr 2002 12:16:15 +0200
Subject: PLEASE TEST snapshots
In-Reply-To: <20020404214633.A10777@tetto.liafa.jussieu.fr>
References: <20020404201958.GE12530@faui02>
Message-ID: <20020405101615.GA28894@folly>

The next OpenSSH release is close, too.

If you want OpenSSH 3.2 to be the best version of OpenSSH, then please test the snapshots.

If you like to see new features in future OpenSSH releases, then test the snapshots.

If you are running OpenBSD then please test the OpenBSD snapshots.

If you are running the portable OpenSSH release then please test the nightly snapshots from http://www.openssh.com/portable.html

If you are running into bugs, please report them at http://bugzilla.mindrot.org/

Thanks,

-m

From: v_t_m at seznam.cz (Václav Tomec)
Date: Fri, 05 Apr 2002 12:33:44 +0200 (CEST)
Subject: SecurID authentication
Message-ID: <6930.11479-8773-1963572802-1018002824@seznam.cz>

The integration of support for ACE/Server 5.x is done. You can test it.

Patch and documentation available at: http://sweb.cz/v_t_m/

VT
From: DawesR at scmb.co.za (Dawes, Rogan R)
Date: Fri, 5 Apr 2002 15:30:55 +0200
Subject: Chroot of SCP and SFTP-server
Message-ID:

Hi,

I was thinking about the difficulties and complexities of using chroot in scp or sftp-server, in order to limit the user in which files they can access.

I've seen a lot of arguments about how it is pointless to try and secure scp or sftp (also from a logging perspective) because if we allow SSH access, the user can simply provide their own scp or sftp binary, that does not do the controls that the admin wants.

But that presupposes that the user actually has shell access and can execute arbitrary commands. Setting the user's shell to /usr/bin/sftp-server or to /user/bin/scp should be sufficient to restrict the user to only copying files.

They DO still have the ability to roam around the filesystem, however. Hence the debates around chroot, and rejection of the various proposals, due to having to build "chroot filesystems" that contain the necessary executables.

Here is a simpler proposal:

How difficult is it to restrict the parent directory that they may write to? e.g. only permit relative paths, and prohibit any "../" path components?

Exactly how one would tell scp or sftp-server to "pseudo-chroot" themselves is a different problem. Maybe have a "restricted-scp"?

So for example, user joe is allowed to scp files to his home directory, but not anywhere above that.

    joe:*:501:501:::/home/joe:/bin/restricted-scp

restricted-scp refuses to honour any paths that contain a leading '/', or contain a '/../' string. So he can't wander out of his home directory.

Can SCP or sftp server create symlinks, that could potentially go above the home directory? That functionality should also be restricted, as above, using the same rules.

I think this would answer the problems that a number of people have, that are preventing them from getting rid of FTP.
Maybe it would still be possible to use chroot in these circumstances, for those that don't like trying to eliminate "parent paths". If sftp-server chroots at startup, wouldn't that solve the problem? Does sftp-server or scp use any external binaries to implement any file transfer functionality?

One may have to implement a "-c" option to scp and sftp-server that simply exits, to handle instances where ssh tries to exec .profiles, or .ssh/rc files, before actually running an interactive shell. Something like:

    if [ "$1" = '-c' ] ; then
        if [ "$2" = "$0" ] ; then
            shift
            shift
        else
            exit
        fi
        # parse the rest of the params
    fi

if the parameter to the option == "my filename", then skip "-c param", read the rest of the params, else exit(0).

Does this make any sense?

Thanks

Rogan

Disclaimer and Confidentiality Note. Everything in this e-mail and attachments relating to the official business of Standard Bank Investment Corporation (Stanbic) is proprietary to the company. It is confidential, legally privileged and protected by law. Stanbic does not own and endorse any other content. Views and opinions are those of the sender unless clearly stated as being that of Stanbic. The person addressed in the e-mail is the sole authorised recipient. Please notify the sender immediately if it has unintentionally reached you and do not read, disclose or use the content in any way. Stanbic can not assure that the integrity of this communication has been maintained nor that it is free of errors, virus, interception or interference.
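The path rule Rogan proposes for a "restricted-scp" (no leading '/', no ".." component, and the same rule applied to symlink targets), as an added example in C; it is not code from the thread or from OpenSSH, "restricted-scp" is only a name from the proposal, and the helper names and sample requests are constructed here. It checks path components rather than the literal "/../" string, which also rejects a leading "../x" and a trailing "x/..", and adds a looser depth-counting variant that allows "a/../b" but still refuses anything that climbs above the starting directory.

```c
/* Lexical path policy for a "restricted-scp"/sftp-server style wrapper.
 * Added example; helper names and sample requests are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Rule as proposed: relative paths only, and no ".." component anywhere. */
bool restricted_path_ok(const char *path)
{
    const char *p = path;

    if (path == NULL || *path == '\0' || *path == '/')
        return false;
    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;           /* "../x", "a/../b" and "x/.." all end here */
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return true;
}

/* Looser rule: ".." is allowed as long as the path never climbs above its
 * start. Returns the net depth (>= 0), or -1 when the path is absolute or
 * escapes. "." and empty components ("a//b") do not change the depth. */
int lexical_depth(const char *path)
{
    const char *p = path;
    int depth = 0;

    if (path == NULL || *path == '/')
        return -1;
    while (*p != '\0') {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (--depth < 0)
                return -1;          /* climbed above the home directory */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            depth++;
        }
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return depth;
}

/* A symlink request must pass the rule for the link name *and* the target;
 * a link inside the home directory may otherwise point outside it. */
bool symlink_request_ok(const char *linkpath, const char *target)
{
    return restricted_path_ok(linkpath) && restricted_path_ok(target);
}

int main(void)
{
    /* Constructed sample requests, as a restricted wrapper might see them. */
    const char *requests[] = { "docs/report.txt", "/etc/passwd", "../secret",
                               "docs/..", "a/../b", "a/../../b", NULL };
    int i;

    for (i = 0; requests[i] != NULL; i++)
        printf("%-16s strict=%s depth=%d\n", requests[i],
               restricted_path_ok(requests[i]) ? "ok" : "REJECT",
               lexical_depth(requests[i]));
    return 0;
}
```

Both checks are purely lexical: they say nothing about symlinks that already exist under the home directory or about a rename racing the transfer, which is why Rogan's chroot question still matters; a lexical filter is the cheap first gate, and chroot(2) or a realpath(3) comparison against the home directory is what actually confines the process.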
From: sxw at dcs.ed.ac.uk (Simon Wilkinson)
Date: Fri, 5 Apr 2002 15:01:08 +0100 (BST)
Subject: PLEASE TEST snapshots
In-Reply-To: <20020405101615.GA28894@folly>
Message-ID:

On Fri, 5 Apr 2002, Markus Friedl wrote:
>
> The next OpenSSH release is close, too.

If I was to update my patches for MIT Kerberos support in protocol 1 to the latest portable CVS, would they be likely to make it into this release?

Cheers,

Simon.

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 6 Apr 2002 00:36:50 +1000 (EST)
Subject: [Bug 87] Last logon that gets reported upon login is the current login time
Message-ID: <20020405143650.64584EAD2@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=87

------- Additional Comments From wknox at mitre.org 2002-04-06 00:36 -------
This appears to be fixed in the latest SNAP (according to the ChangeLog, this was a fix by markus on 2002/03/29 18:59:32. His fix is to stuff the last login time into the Session structure prior to any pty allocation), which I have tested, so this bug can likely be closed.

As a side note, a little credit in the ChangeLog (like Tim gave for my patch for bug 84) for finding both this bug and bug 158 (the change in behavior of ssh-add), as well as submitting patches (which, while they weren't used, certainly provided direction as to the exact nature of the problem, I imagine) would be nice. One can just fix problems locally - the incentive to turn the patch back over to the developers is partially to get credit for having done some very small amount to help an excellent product be even better. Well, pardon the whining, and thanks for the fix.
From: ANTIGEN_ABRA at wrq.com (ANTIGEN_ABRA)
Date: Fri, 5 Apr 2002 06:34:57 -0800
Subject: Antigen Notification:Antigen found FILE FILTER= *.scr file
Message-ID: <616772E97E38D31188FA00508B318ACA03FA437E@abra.wrq.com>

Antigen for Exchange found 2001.scr matching FILE FILTER= *.scr file filter.
The file is currently Purged. The message, "Undeliverable mail--"2001 NetSprint.pl"", was sent from postmaster and was discovered in IMC Queues\Inbound located at WRQ/Seattle/ABRA.

From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 06 Apr 2002 00:39:54 +1000
Subject: PLEASE TEST snapshots
References: <20020404201958.GE12530@faui02> <20020405101615.GA28894@folly>
Message-ID: <3CADB73A.ED710CB8@zip.com.au>

Markus Friedl wrote:
[test snapshots, test snapshots]

I get the impression you want us to test snapshots :-)

The current CVS version won't build on AIX 4.2.1 (as of a couple of minutes ago). It's already logged in Bugzilla (#201).

-Daz.

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 6 Apr 2002 01:22:40 +1000 (EST)
Subject: [Bug 68] Manpage for ssh-add and scp missing after "make install"
Message-ID: <20020405152240.E5662E931@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=68

Todd.Bowden at atosorigin.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From Todd.Bowden at atosorigin.com 2002-04-06 01:22 -------
I downloaded the new source for openssh 3.1p1 and all is well.
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 6 Apr 2002 01:56:14 +1000 (EST)
Subject: [Bug 39] segmentation violations & bus errors
Message-ID: <20020405155614.393BBEAC1@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=39

lyndon.vanwagner at westgroup.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From lyndon.vanwagner at westgroup.com 2002-04-06 01:56 -------
Sorry, but I don't have time to investigate this further. The source environment I was using is gone now, and I've decided to use the pre-built binaries from www.sunfreeware.org instead. But thanks anyways

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 6 Apr 2002 02:03:53 +1000 (EST)
Subject: [Bug 87] Last logon that gets reported upon login is the current login time
Message-ID: <20020405160353.D10D9EAE1@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=87

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From markus at openbsd.org 2002-04-06 02:03 -------
i usually reference the bug in the commit message and mention the reporter. however, when fixing this particular bug I was not aware of this bug report. your bug was fixed accidentally.
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 02:21:59 +1000 (EST) Subject: [Bug 201] Building openssh from CVS fails on AIX 4.2.1 Message-ID: <20020405162159.AD7C8EADF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=201 ------- Additional Comments From mouring at eviladmin.org 2002-04-06 02:21 ------- Created an attachment (id=62) Does this patch help? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Apr 6 02:23:48 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 02:23:48 +1000 (EST) Subject: [Bug 201] Building openssh from CVS fails on AIX 4.2.1 Message-ID: <20020405162348.0F889EB08@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=201 ------- Additional Comments From mouring at eviladmin.org 2002-04-06 02:23 ------- FYI.. I'd like to avoid adding more to the current include.h, defines.h, etc. We were in the middle of a proposed rewrite to simplify the header hell that is plaguing us. If no other platforms require this, then I think we should fix it for AIX only and then come back to it after the header rewrites. - Ben ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From scott.burch at camberwind.com Sat Apr 6 02:22:05 2002
From: scott.burch at camberwind.com (Scott Burch) Date: Fri, 5 Apr 2002 10:22:05 -0600 Subject: FYI new /dev/random from Sun for Solaris 8 Message-ID: <007801c1dcbe$068d6030$5d4218ac@ent.core.medtronic.com> Hello, I just learned this morning about a new patch from Sun for Solaris 8 that adds /dev/random. The patch is based on the device in Solaris 9. I have not tried it yet, but I thought some might be interested. The patch is: (this is available for free from sunsolve) Patch-ID# 112438-01 Keywords: security random number generator PRNG Synopsis: SunOS 5.8: /kernel/drv/random patch Date: Mar/28/2002 Solaris Release: 8 SunOS Release: 5.8 Unbundled Product: Unbundled Release: Xref: Topic: SunOS 5.8: /kernel/drv/random patch *********************************************************** NOTE: This patch may contain one or more OEM-specific platform ports. See the appropriate OEM_NOTES file within the patch for information specific to these platforms. DO NOT INSTALL this patch on an OEM system if a corresponding OEM_NOTES file is not present (or is present, but instructs not to install the patch), unless the OEM vendor directs otherwise. 
*********************************************************** Relevant Architectures: sparc BugId's fixed with this patch: 4337350 Changes incorporated in this version: 4337350 Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: /etc/devlink.tab /etc/minor_perm /kernel/drv/random /kernel/drv/random.conf /kernel/drv/sparcv9/random /usr/include/sys/random.h /usr/lib/mdb/kvm/random.so /usr/lib/mdb/kvm/sparcv9/random.so Problem Description: 4337350 RFE - Solaris should have /dev/random Patch Installation Instructions: -------------------------------- For Solaris 2.0-2.6 releases, refer to the Install.info file and/or the README within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch. For Solaris 7-8 releases, refer to the man pages for instructions on using 'patchadd' and 'patchrm' scripts provided with Solaris. Any other special or non-generic installation instructions should be described below as special instructions. The following example installs a patch to a standalone machine: example# patchadd /var/spool/patch/104945-02 The following example removes a patch from a standalone system: example# patchrm 104945-02 For additional examples please see the appropriate man pages. Special Install Instructions: ----------------------------- Reboot the system after patch installation. NOTE: Please see the "random.readme" file included with this patch to understand the new /dev/random functionality. README -- Last modified date: Monday, April 1, 2002 From mjs at ams.org Sat Apr 6 03:29:51 2002 
From: mjs at ams.org (Matt Studley) Date: Fri, 5 Apr 2002 12:29:51 -0500 (EST) Subject: Problems with ./config on Mac OS X In-Reply-To: Message-ID: I am getting this error as well under the same environment regardless of what I do with the configure script. Also MacOS X seems to insist that I am running OpenSSL 0.9.6b regardless of which version I install or point OpenSSH to. Matt Studley American Mathematical Society UNIX Sys Admin "Quantum Mechanics - mjs at ams.org The dreams that stuff is made of" On Thu, 4 Apr 2002, Benn Tannenbaum wrote: > My apologies for sending this to such a generic list. > > My ultimate goal is to compile Kerberos-aware ssh and scp on my Mac running > OS X 10.1.3. To that end, I downloaded openssh-3.1p1. Following the > instructions, I also downloaded and installed openssl-0.9.6c. I did a > > % make; make install > > for that. It seems to be happy. However, when I run ./config, I get this > error: > > checking whether OpenSSL's headers match the library... no > configure: error: Your OpenSSL headers do not match your library > > What am I doing wrong? > > Thanks for any help/insight you can provide! > -Benn > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From vinschen at redhat.com Sat Apr 6 04:55:06 2002 
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 5 Apr 2002 20:55:06 +0200 Subject: PLEASE TEST snapshots In-Reply-To: <20020405101615.GA28894@folly> References: <20020404201958.GE12530@faui02> <20020405101615.GA28894@folly> Message-ID: <20020405205506.V1475@cygbert.vinschen.de> On Fri, Apr 05, 2002 at 12:16:15PM +0200, Markus Friedl wrote: > > The next OpenSSH release is close, too. > > If you want OpenSSH 3.2 to be the best version of OpenSSH, > then please test the snapshots. Current from CVS: OpenSSH has been configured with the following options: User binaries: /usr/bin System binaries: /usr/sbin Configuration files: /etc Askpass program: /usr/sbin/ssh-askpass Manual pages: /usr/man/manX PID file: /var/run sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin Manpage format: doc PAM support: no KerberosIV support: no Smartcard support: no AFS support: no S/KEY support: no TCP Wrappers support: no MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: no BSD Auth support: no Random number source: OpenSSL internal ONLY Host: i686-pc-cygwin Compiler: i686-pc-cygwin-gcc Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized Preprocessor flags: Linker flags: Libraries: -lz /usr/lib/textmode.o -lcrypto Configures, builds and runs OOTB. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From bugzilla-daemon at mindrot.org Sat Apr 6 05:25:58 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 05:25:58 +1000 (EST) Subject: [Bug 138] Incorrect OpenSSL version requirment? Message-ID: <20020405192558.F2D2DE940@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=138 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution| |FIXED ------- Additional Comments From mouring at eviladmin.org 2002-04-06 05:25 ------- This should be fixed in the CVS tree. If this is still an issue please reopen before OpenSSH 3.2 goes gold. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From staatsvr at asc.hpc.mil Sat Apr 6 05:19:48 2002 From: staatsvr at asc.hpc.mil (Vern Staats) Date: Fri, 5 Apr 2002 14:19:48 -0500 Subject: SecurID support for OpenSSH? Message-ID: <20020405141948.A19401@sw4.asc.hpc.mil> I was reading this SecurID patch to openssh-3.1p1, List: openssh-unix-dev Subject: SecurID support for OpenSSH 
From: Václav Tomec Date: 2002-03-25 14:53:34 and think I've found a couple of bugs, the patch for which is included below. First there's an #ifdef'd if-statement which applies to either another if-statement or to a free(). Second is a buffer overrun on a 512-byte array. This *might* be only exploitable by root (or whoever runs sshd), if so then no big deal. I didn't look too deeply; it was easier to fix than to figure out how exploitable it is. The other fixed size arrays in the patch look safe. *** openssh-3.1p1/auth2.c.orig Thu Apr 4 15:38:07 2002 --- openssh-3.1p1/auth2.c Thu Apr 4 15:38:46 2002 *************** *** 425,431 **** --- 425,433 ---- #if defined (SECURID) || defined (SECURID_OLD) if (!authenticated && options.securid_authentication_via_kbd_int) authenticated = auth_securid_kbd_int(authctxt, lang); + #ifdef USE_PAM if (!authenticated && options.securid_fallback) + #endif #endif #ifdef USE_PAM if (authenticated == 0 && options.pam_authentication_via_kbd_int) *** openssh-3.1p1/auth2-securid3.c.orig Thu Apr 4 15:21:45 2002 --- openssh-3.1p1/auth2-securid3.c Thu Apr 4 15:38:00 2002 *************** *** 142,148 **** debug("Couldn't read /etc/sdace.txt"); retval = 0; } else { ! fscanf(pfdAcefile, "%s", szVarAce); fclose(pfdAcefile); if (putenv(szVarAce)) { debug("Cannot putenv: %s", szVarAce); --- 142,148 ---- debug("Couldn't read /etc/sdace.txt"); retval = 0; } else { ! fscanf(pfdAcefile, "%511s", szVarAce); fclose(pfdAcefile); if (putenv(szVarAce)) { debug("Cannot putenv: %s", szVarAce); -- "My company prefers to have that kind of decision made by uninformed executives. We call it "Empowerment". --Dilbert staatsvr at asc.hpc.mil Vern Staats, ASC/HPTS, WPAFB OH 45433, 937-255-1616 From bugzilla-daemon at mindrot.org Sat Apr 6 05:41:35 2002 
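Review bot: in the auth2.c hunk, wrapping `if (!authenticated && options.securid_fallback)` in `#ifdef USE_PAM` removes the dangling statement from the non-PAM build, but in the PAM build the unbraced `if` still takes as its body whatever the preprocessor emits next, which is the `if (authenticated == 0 && options.pam_authentication_via_kbd_int)` inside the following `#ifdef USE_PAM`; anyone inserting a statement between the two `#ifdef USE_PAM` blocks later will silently change what the fallback condition guards. Suggest making the coupling explicit with braces, or folding `options.securid_fallback` into the PAM condition in a single block, so the fallback path reads as one statement rather than two preprocessor fragments that happen to line up.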
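Review bot: in the auth2-securid3.c hunk, `%511s` bounds the copy into the 512-byte szVarAce, but the return value of fscanf is still ignored, so an empty or whitespace-only /etc/sdace.txt leaves szVarAce unwritten and `putenv(szVarAce)` publishes whatever the array already held. Suggest `if (fscanf(pfdAcefile, "%511s", szVarAce) != 1) { retval = 0; } else if (putenv(szVarAce)) { ... }`, and, since putenv() stores the pointer rather than copying the string, confirm that szVarAce is static or heap memory that outlives this function and not an automatic array.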
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 05:41:35 +1000 (EST) Subject: [Bug 40] helpwanted: sftp client is slower than it needs to be Message-ID: <20020405194135.2F5BCEB19@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=40 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From mouring at eviladmin.org 2002-04-06 05:41 ------- This has been fixed in the CVS tree. Both upload and downloading in sftp are allowed to have multiple outstanding blocks. - Ben ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Apr 6 05:44:17 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 05:44:17 +1000 (EST) Subject: [Bug 201] Building openssh from CVS fails on AIX 4.2.1 Message-ID: <20020405194417.3E2DFEB1C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=201 ------- Additional Comments From dcole at keysoftsys.com 2002-04-06 05:44 ------- This breaks on HP-UX 10.26 also. If I defined MAP_FAILED as in the attachment for this bug I can compile HP-UX (took some info to get it to compile from bug ) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From spusz at plusnet.pl Sat Apr 6 05:57:07 2002 
From: spusz at plusnet.pl (Szymon Pusz) Date: Fri, 5 Apr 2002 21:57:07 +0200 Subject: Bug in all versions of OpenSSH Message-ID: <000001c1dcdc$1361b1d0$0100a8c0@rawi> Hi, I found a bug in all versions of SSH. I'll give you an example when the bug occurs. When I connect to a remote computer using 'ssh user at host.somewhere.in.th.net.com /bin/bash' (or /bin/tcsh) I log into the remote computer and SSHD doesn't log this in wtmp,utmp,secure and lastlog. It's *only* visible in /var/log/messages. That's all I want to tell You. I hope you'll fix it in the next release. Regards, Szymon Pusz spusz at plusnet.pl From mouring at etoh.eviladmin.org Sat Apr 6 06:06:42 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Fri, 5 Apr 2002 14:06:42 -0600 (CST) Subject: Bug in all versions of OpenSSH In-Reply-To: <000001c1dcdc$1361b1d0$0100a8c0@rawi> Message-ID: Bug? Hardly.. does: ssh user at site ls login in wtmp, utmp, secure, and lastlog? you are opening up a non-tty connection there is no logging of such information outside of the system logs. Check this against every other ssh and rsh implementation. - Ben On Fri, 5 Apr 2002, Szymon Pusz wrote: > Hi, > I found a bug in all versions of SSH. I'll give you an example when the > bug occurs. When I connect to a remote computer using 'ssh > user at host.somewhere.in.th.net.com /bin/bash' (or /bin/tcsh) I log into > the remote computer and SSHD doesn't log this in wtmp,utmp,secure and > lastlog. It's *only* visible in /var/log/messages. That's all I want to > tell You. I hope you'll fix it in the next release. > > Regards, > Szymon Pusz > spusz at plusnet.pl > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From bugzilla-daemon at mindrot.org Sat Apr 6 06:32:48 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 06:32:48 +1000 (EST) Subject: [Bug 146] OpenSSH 3.1p1 will not build on BSD/OS 4.2/4.1/4.01 Message-ID: <20020405203248.970A3EB29@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=146 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From mouring at eviladmin.org 2002-04-06 06:32 ------- I just committed a patch that does the following: - Removes all attempts to detect/use system - #undef all macros in fake-queue.h - changes the #ifdef/#define/#endif wrapper from _SYS_QUEUE to _FAKE_QUEUE - Uses our fake-queue.h always It should be out on the CVS mirrors within a few hours. If this does not resolve the issue please reopen before 3.2 release. - Ben ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Apr 6 06:52:27 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 06:52:27 +1000 (EST) Subject: [Bug 96] bsd-cray.h modifications to allow correct UNICOS execution Message-ID: <20020405205227.51718EB2C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=96 ------- Additional Comments From wendyp at cray.com 2002-04-06 06:52 ------- yes, cray support is still lacking. not much has been done with the patches i submitted (96, bsd-cray.h, 97 deattack.c, 98 auth1.c, 99 auth2.c, 100 serverloop.c, 101 session.c, 103 bsd-cray.c) markus commented on 100, and that particular line is now moot, but the other mod is still needed. no one has commented on any of the others, nor have they been implemented. i have updated the patches to the current snapshot & would be happy to provide them if anyone will look at them. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Apr 6 06:52:46 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 06:52:46 +1000 (EST) Subject: [Bug 100] serverloop.c modifications for correct UNICOS behavior Message-ID: <20020405205246.C0FBBEB2E@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=100 ------- Additional Comments From mouring at eviladmin.org 2002-04-06 06:52 ------- The following code was committed to OpenSSH to catch some SysV issue. Does this keep UNICOS happy? while ((wait_pid = waitpid(-1, &wait_status, 0)) < 0) if (errno != EINTR) packet_disconnect("wait: %.100s", strerror(errno)); if (wait_pid != pid) error("Strange, wait returned pid %d, expected %d", wait_pid, pid); If so can you close this? - Ben ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From ed at UDel.Edu Sat Apr 6 07:00:20 2002 
From: ed at UDel.Edu (Ed Phillips) Date: Fri, 5 Apr 2002 16:00:20 -0500 (EST) Subject: Quick question: /dev/random on Solaris 8 Message-ID: Can someone tell me briefly how to get OpenSSH3.1p1 configured and compiled to use /dev/random? Can OpenSSH use /dev/random directly now? Thanks, Ed Ed Phillips University of Delaware (302) 831-6082 Systems Programmer III, Network and Systems Services finger -l ed at polycut.nss.udel.edu for PGP public key From mouring at etoh.eviladmin.org Sat Apr 6 07:03:31 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Fri, 5 Apr 2002 15:03:31 -0600 (CST) Subject: Quick question: /dev/random on Solaris 8 In-Reply-To: Message-ID: You should recompile OpenSSL with /dev/random support and then OpenSSH 3.1 will automatically detect if OpenSSL can handle internal entropy seeding and will be happy. - Ben On Fri, 5 Apr 2002, Ed Phillips wrote: > Can someone tell me briefly how to get OpenSSH3.1p1 configured and > compiled to use /dev/random? Can OpenSSH use /dev/random directly now? > > Thanks, > > Ed > > Ed Phillips University of Delaware (302) 831-6082 > Systems Programmer III, Network and Systems Services > finger -l ed at polycut.nss.udel.edu for PGP public key > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From bugzilla-daemon at mindrot.org Sat Apr 6 07:30:09 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 07:30:09 +1000 (EST) Subject: [Bug 140] Solaris 8 cannot create pkg in OpenSSH 3.1p1 Message-ID: <20020405213009.BB9FEEB3C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=140 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From mouring at eviladmin.org 2002-04-06 07:30 ------- Fixed in CVS tree ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Apr 6 07:59:48 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 07:59:48 +1000 (EST) Subject: [Bug 181] Undocumented mget and mput in sftp Message-ID: <20020405215948.CAF68EB41@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=181 ------- Additional Comments From mouring at eviladmin.org 2002-04-06 07:59 ------- - prompt I could see adding, but default to 'no'. - hash has no real business, but a progress meter would be nice. The main issue is handling it correctly for sftp protocol (which is not as easy as scp since it supports out of order transfers) - mget/mput should really not exist either since they don't act like what people expect. Can we remove mget/mput since they are just alias to get/put and don't act the way people expect them to? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Apr 6 08:08:34 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 08:08:34 +1000 (EST) Subject: [Bug 172] Add multiple AuthorizedKeyFiles options Message-ID: <20020405220834.9FD09EB43@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=172 ------- Additional Comments From mouring at eviladmin.org 2002-04-06 08:08 ------- I would prefer not myself. The reason why we went down to ONE authorization file was to simplify management. Allowing multiple key locations is asking for trouble. How do you handle the case where you have two alike authorization entries with conflicting key options (command=,environment=,etc)? Which one takes priority? First come first serve? No, you should have one spot only. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Apr 6 08:25:01 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 08:25:01 +1000 (EST) Subject: [Bug 60] OpenSSH 3.0.2p1 configure script fails on NEXTSTEP Message-ID: <20020405222501.15008EB49@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=60 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|openssh-unix-dev at mindrot.org|mouring at eviladmin.org Status|REOPENED |NEW ------- Additional Comments From mouring at eviladmin.org 2002-04-06 08:24 ------- I'll be doing NeXTStep testing this weekend if all goes well. So I'll see what the issue is on 68k hardware. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Apr 6 08:32:48 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 08:32:48 +1000 (EST) Subject: [Bug 145] sshd fails to increment AIX login failed counter Message-ID: <20020405223248.204FAEB4D@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=145 ------- Additional Comments From mouring at eviladmin.org 2002-04-06 08:32 ------- And what should be the right patch? Please use attachments. - Ben ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Apr 6 08:39:20 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 08:39:20 +1000 (EST) Subject: [Bug 201] Building openssh from CVS fails on AIX 4.2.1 Message-ID: <20020405223920.6159EEB54@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=201 ------- Additional Comments From mouring at eviladmin.org 2002-04-06 08:39 ------- If we move it into (at the bottom) of includes.h will that solve it for both platforms? If so I'll just handle it that way and we will have to ensure to remember it when we finish up the header cleanup. - Ben ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From wendyp at cray.com Sat Apr 6 09:16:39 2002 
From: wendyp at cray.com (Wendy Palm) Date: Fri, 05 Apr 2002 17:16:39 -0600 Subject: PrivSep and portability References: <20020402130004.A12113@greenie.muc.de> Message-ID: <3CAE3057.B5B4018B@cray.com> i second this. I currently cannot get the current snapshot to compile. Crays do not have mmap and don't support shared memory. compile-time configuration would be a name-your-own-deity-send. wendy Gert Doering wrote: > > Hi, > > I've seen a few patches related to the PrivSep works. As far as I can > see, it seems to work by using a shared memory segment to communicate. > > I just want to point out that there are some unix systems that do not > have mmap() (SCO, older SVR3 systems) or that might have problems with > anonymous shared mmap() (don't have an examples, but e.g. the INN docs > are full of warnings concerning mmap()). > > So I want to ask you to make the PrivSep stuff compile-time configurable, > to enable building on "legacy" platforms. > > gert > > PS: my SCO 3 fix for the suid problem seems to have been lost, I'll > resubmit via bugzilla. > -- > USENET is *not* the non-clickable part of WWW! > //www.muc.de/~gert/ > Gert Doering - Munich, Germany gert at greenie.muc.de > fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From dcole at keysoftsys.com Sat Apr 6 09:11:33 2002 
From: dcole at keysoftsys.com (Darren Cole) Date: Fri, 5 Apr 2002 15:11:33 -0800 Subject: PLEASE TEST snapshots References: Message-ID: <028501c1dcf7$4c8482b0$9b78a8c0@oedserver> To get trust HP-UX patches into the next version of openssh, should I submit patches based on latest CVS? Bug submitted as http://bugzilla.mindrot.org/show_bug.cgi?id=184 Latest patch was against 3.1p1 Darren From bugzilla-daemon at mindrot.org Sat Apr 6 09:31:35 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 09:31:35 +1000 (EST) Subject: [Bug 205] New: PrivSep needs to be a compile-time option Message-ID: <20020405233135.90C8CEB5D@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=205 Summary: PrivSep needs to be a compile-time option Product: Portable OpenSSH Version: 3.0.2p1 Platform: Other OS/Version: other Status: NEW Severity: critical Priority: P1 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: wendyp at cray.com Crays do not have mmap and do not support shared memory. I cannot build the current snapshot . Please make the PrivSep stuff compile-time configurable. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From dan at doxpara.com Sat Apr 6 09:37:14 2002 
From: dan at doxpara.com (Dan Kaminsky) Date: Fri, 5 Apr 2002 15:37:14 -0800 Subject: Bug in all versions of OpenSSH References: Message-ID: <004b01c1dcfa$d0b51e70$1701000a@effugas> > Bug? Hardly.. > > does: ssh user at site ls login in wtmp, utmp, secure, and lastlog? > > you are opening up a non-tty connection there is no logging of such > information outside of the system logs. Check this against every other > ssh and rsh implementation. Lots of things are broken by default; doesn't make them correct behavior. Sites wishing to use wtmp etc. to do accounting on who came in from where do legitimately need to worry about this trivial method of evading their accounting systems. What would be the harm of an option, or even a default, to force system-level logging for forwarded commands? Certain processes would suddenly spawn massive numbers of logins(cvs? scp?) but then these would be processes that were absolutely hammering the SSH session init crypto code. As is, it's sort of embarrassing that I can evade basic system logs so easily. Telnet doesn't let you do this, and that's the status quo that matters. --Dan From mouring at etoh.eviladmin.org Sat Apr 6 10:19:48 2002 
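Ben's reply says a command-only session leaves no wtmp, utmp or lastlog record and shows up only in the system log, and Dan's point is that a site doing accounting from wtmp therefore misses it. The practical check for such a site is to reconcile sshd's "Accepted" syslog lines against what wtmp recorded. The C below is an added example for this thread, not code from OpenSSH or from anyone posting here: the syslog lines and the wtmp-derived records are constructed sample data, the `Accepted <method> for <user> from <host> port <n> ssh2` layout is assumed, and the `%63s` widths bound the copies into the 64-byte name buffers the same way the `%511s` fix earlier in this digest bounds szVarAce.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sshd syslog lines (sample data for this example, not real logs). */
static const char *const sshd_log[] = {
    "Apr  5 14:06:42 host sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 40112 ssh2",
    "Apr  5 14:07:10 host sshd[1240]: Accepted password for bob from 10.0.0.9 port 40200 ssh2",
    "Apr  5 14:08:00 host sshd[1250]: Failed password for carol from 10.0.0.7 port 40300 ssh2",
    NULL
};

/* Constructed records as last(1) would print them from wtmp: only alice's
 * pty session was recorded; bob ran a command without a pty. */
struct login_rec { const char *user; const char *host; };
static const struct login_rec wtmp_recs[] = {
    { "alice", "10.0.0.5" },
    { NULL, NULL }
};

#define NAME_LEN 64

/* Pull user and source host out of an "Accepted ..." line. user and host
 * must each hold NAME_LEN bytes; the %63s widths bound the copies.
 * Returns 1 on a parsed Accepted line, 0 for anything else. */
int parse_accepted(const char *line, char *user, char *host)
{
    const char *p = strstr(line, "]: Accepted ");
    if (p == NULL)
        return 0;
    return sscanf(p + 3, "Accepted %*s for %63s from %63s port", user, host) == 2;
}

static int in_wtmp(const struct login_rec *recs, const char *user, const char *host)
{
    for (; recs->user != NULL; recs++)
        if (strcmp(recs->user, user) == 0 && strcmp(recs->host, host) == 0)
            return 1;
    return 0;
}

/* Count Accepted sessions with no matching wtmp record. If first is not
 * NULL (NAME_LEN bytes), it receives the first unaccounted user name. */
int count_unaccounted(const char *const *log, const struct login_rec *recs, char *first)
{
    char user[NAME_LEN], host[NAME_LEN];
    int n = 0;

    for (; *log != NULL; log++) {
        if (!parse_accepted(*log, user, host) || in_wtmp(recs, user, host))
            continue;
        if (n == 0 && first != NULL)
            snprintf(first, NAME_LEN, "%s", user);
        n++;
    }
    return n;
}

/* Run the constructed sample; returns the number of unaccounted sessions
 * and leaves the first such user in a static buffer for first_unaccounted(). */
static char first_user[NAME_LEN];

int demo_unaccounted(void)
{
    return count_unaccounted(sshd_log, wtmp_recs, first_user);
}

const char *first_unaccounted(void)
{
    return first_user;
}
```

On the sample, alice's pty login is in both sources and carol's attempt was refused, so the one session the wtmp-based accounting never saw is bob's. Run against real data, the log array comes from the auth log and the records from `last` output; matching on user and source host is enough to flag a session, and the timestamp of the syslog line then says when it happened.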
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Fri, 5 Apr 2002 18:19:48 -0600 (CST) Subject: PrivSep and portability In-Reply-To: <3CAE3057.B5B4018B@cray.com> Message-ID: Can we do something simple at this point. If mmap() not found #ifdef out the one spot where it uses. Then go into sshd.c and change the #define of PRIVSEP() to never use the privilege code. Something that will ensure compiling, be simple, and allow us to find potentially other ways of handling this for such platforms? I don't think it should be too hard to disable the code if no mmap() is detected. - Ben On Fri, 5 Apr 2002, Wendy Palm wrote: > i second this. I currently cannot get the current snapshot to compile. > Crays do not have mmap and don't support shared memory. compile-time > configuration would be a name-your-own-deity-send. > > wendy > > Gert Doering wrote: > > > > Hi, > > > > I've seen a few patches related to the PrivSep works. As far as I can > > see, it seems to work by using a shared memory segment to communicate. > > > > I just want to point out that there are some unix systems that do not > > have mmap() (SCO, older SVR3 systems) or that might have problems with > > anonymous shared mmap() (don't have an examples, but e.g. the INN docs > > are full of warnings concerning mmap()). > > > > So I want to ask you to make the PrivSep stuff compile-time configurable, > > to enable building on "legacy" platforms. > > > > gert > > > > PS: my SCO 3 fix for the suid problem seems to have been lost, I'll > > resubmit via bugzilla. > > -- > > USENET is *not* the non-clickable part of WWW! > > //www.muc.de/~gert/ > > Gert Doering - Munich, Germany gert at greenie.muc.de > > fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de > > _______________________________________________ > > openssh-unix-dev at mindrot.org mailing list > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > -- > wendy palm > Cray OS Sustaining Engineering, Cray Inc. 
> wendyp at cray.com, 651-605-9154 > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From bugzilla-daemon at mindrot.org Sat Apr 6 10:35:12 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 10:35:12 +1000 (EST) Subject: [Bug 196] wront sent message id on upload Message-ID: <20020406003512.AB165EB69@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=196 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2002-04-06 10:35 ------- Fix committed to OpenBSD CVS ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Apr 6 11:05:30 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 11:05:30 +1000 (EST) Subject: [Bug 201] Building openssh from CVS fails on AIX 4.2.1 Message-ID: <20020406010530.5F9E3EB6A@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=201 ------- Additional Comments From dtucker at zip.com.au 2002-04-06 11:05 ------- Attached patch (#61) fixes the compile error on AIX 4.2.1. Putting the same #define at the bottom of includes.h instead also works. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Apr 6 13:27:42 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 13:27:42 +1000 (EST) Subject: [Bug 206] New: -SNAP-20020405: build failures on AIX 3.2.5 with XLC 1.2.1.16 Message-ID: <20020406032742.07A79EB71@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=206 Summary: -SNAP-20020405: build failures on AIX 3.2.5 with XLC 1.2.1.16 Product: Portable OpenSSH Version: -current Platform: Other OS/Version: AIX Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: Matthew_Clarke at mindlink.bc.ca This compiler doesn't seem to like monitor_fdpass.c. Configured as: ./configure --with-prngd-socket=/usr/local/var/run/egd-pool --with-mantype=man Compiler complaint, on several lines of monitor_fdpass.c: "monitor_fdpass.c", line 42.36: 1506-043 (S) Sizeof operator cannot be used with functions, void, bit-fields, incomplete types, or arrays of unknown size. monitor_fdpass.c line 42: char tmp[CMSG_SPACE(sizeof(int))]; CMSG_SPACE is being picked up from defines.h, line 464: #define CMSG_SPACE(len) (__CMSG_ALIGN(sizeof(struct cmsghdr)) + __CMSG_ALIGN(len)) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Apr 6 14:12:12 2002 
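Bug 206's compiler rejects `char tmp[CMSG_SPACE(sizeof(int))]`, the array monitor_fdpass.c sizes for the one-descriptor SCM_RIGHTS control message that the privilege-separated sshd uses to hand file descriptors between its processes. The round trip below is an added example of that descriptor passing, written for Linux/glibc and not taken from monitor_fdpass.c: it sends one end of a pipe across a socketpair() and checks that the received descriptor reaches the same pipe. The `fd_cmsg` union is this example's own idiom for keeping the control buffer aligned; its array is still sized by CMSG_SPACE(), so a compiler that cannot evaluate that macro as a constant, as in the bug report, needs a fixed size or a heap buffer there instead.

```c
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Control-message buffer sized for exactly one descriptor; the union keeps
 * it aligned for struct cmsghdr (an idiom of this example, not the layout
 * monitor_fdpass.c uses). */
union fd_cmsg {
    struct cmsghdr hdr;
    char buf[CMSG_SPACE(sizeof(int))];
};

/* Send descriptor fd over the Unix-domain socket sock as SCM_RIGHTS.
 * One data byte travels with it because a zero-length message carries no
 * ancillary data on some systems. Returns 0 on success, -1 on error. */
int send_fd(int sock, int fd)
{
    struct msghdr msg;
    struct cmsghdr *cmsg;
    union fd_cmsg cmsgbuf;
    struct iovec vec;
    char ch = '\0';

    memset(&msg, 0, sizeof(msg));
    memset(&cmsgbuf, 0, sizeof(cmsgbuf));
    vec.iov_base = &ch;
    vec.iov_len = 1;
    msg.msg_iov = &vec;
    msg.msg_iovlen = 1;
    msg.msg_control = cmsgbuf.buf;
    msg.msg_controllen = sizeof(cmsgbuf.buf);

    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent by send_fd(). Rejects a message whose control
 * data is missing, truncated, or not exactly one SCM_RIGHTS entry, so a
 * peer cannot slip in more descriptors than the caller expects.
 * Returns the new descriptor, or -1. */
int recv_fd(int sock)
{
    struct msghdr msg;
    struct cmsghdr *cmsg;
    union fd_cmsg cmsgbuf;
    struct iovec vec;
    char ch;
    int fd;

    memset(&msg, 0, sizeof(msg));
    memset(&cmsgbuf, 0, sizeof(cmsgbuf));
    vec.iov_base = &ch;
    vec.iov_len = 1;
    msg.msg_iov = &vec;
    msg.msg_iovlen = 1;
    msg.msg_control = cmsgbuf.buf;
    msg.msg_controllen = sizeof(cmsgbuf.buf);

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    if (msg.msg_flags & MSG_CTRUNC)
        return -1;
    cmsg = CMSG_FIRSTHDR(&msg);
    if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
        cmsg->cmsg_type != SCM_RIGHTS ||
        cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Round trip in one process: pass a pipe's write end through a socketpair,
 * write through the received descriptor, read it back from the pipe.
 * Returns 0 on success, a negative step number on failure. */
int fdpass_roundtrip(void)
{
    int sv[2], pfd[2], got;
    char buf[3] = { 0, 0, 0 };

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (pipe(pfd) < 0)
        return -2;
    if (send_fd(sv[0], pfd[1]) < 0)
        return -3;
    if ((got = recv_fd(sv[1])) < 0)
        return -4;
    /* got is a fresh descriptor number that refers to the same pipe */
    if (write(got, "ok", 2) != 2)
        return -5;
    if (read(pfd[0], buf, 2) != 2)
        return -6;
    close(got);
    close(pfd[0]);
    close(pfd[1]);
    close(sv[0]);
    close(sv[1]);
    return strcmp(buf, "ok") == 0 ? 0 : -7;
}
```

The receiver's checks on cmsg_level, cmsg_type and cmsg_len are the part worth keeping in a privilege-separated design: the unprivileged side is the one the monitor must not trust, so the monitor validates the control message shape before it acts on a descriptor it did not open itself.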
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 14:12:12 +1000 (EST) Subject: [Bug 201] Building openssh from CVS fails on AIX 4.2.1 Message-ID: <20020406041212.BC9BEEB76@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=201 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From mouring at eviladmin.org 2002-04-06 14:12 ------- Committed to CVS tree. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Apr 6 14:30:46 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 14:30:46 +1000 (EST) Subject: [Bug 89] [PATCH] make the Waiting for forwarded connections to terminate... message more helpful Message-ID: <20020406043046.00AF2E957@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=89 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX ------- Additional Comments From mouring at eviladmin.org 2002-04-06 14:30 ------- Umm.. Great.. Until the user finds: -e ch|^ch|none Sets the escape character for sessions with a pty (default: `~'). The escape character is only recognized at the beginning of a line. The escape character followed by a dot (`.') closes the connection, followed by control-Z suspends the connection, and followed by itself sends the escape character once. Setting the character to ``none'' disables any escapes and makes the session fully transparent. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. You are on the CC list for the bug, or are watching someone who is. From bugzilla-daemon at mindrot.org Sat Apr 6 14:35:38 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Apr 2002 14:35:38 +1000 (EST) Subject: [Bug 34] Incorrect claim about Commercial SSH's key length Message-ID: <20020406043538.9FAEFEB79@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=34 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From mouring at eviladmin.org 2002-04-06 14:35 ------- *** This bug has been marked as a duplicate of 132 *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From stuge at cdy.org Sat Apr 6 14:39:04 2002 From: stuge at cdy.org (Peter Stuge) Date: Sat, 6 Apr 2002 06:39:04 +0200 Subject: [Bug 201] Building openssh from CVS fails on AIX 4.2.1 In-Reply-To: <20020405223920.6159EEB54@shitei.mindrot.org>; from bugzilla-daemon@mindrot.org on Sat, Apr 06, 2002 at 08:39:20AM +1000 References: <20020405223920.6159EEB54@shitei.mindrot.org> Message-ID: <20020406063904.E19130@foo.birdnet.se> On Sat, Apr 06, 2002 at 08:39:20AM +1000, bugzilla-daemon at mindrot.org wrote: > If we move it into (at the bottom) of includes.h will that solve it for both > platforms? If so I'll just handle it that way and we will have to ensure to > remember it when we finish up the header cleanup. Open a bug about the headers and add this comment. //Peter From mouring at etoh.eviladmin.org Sat Apr 6 15:49:13 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Fri, 5 Apr 2002 23:49:13 -0600 (CST) Subject: Portable Web CVS. In-Reply-To: <20020406063904.E19130@foo.birdnet.se> Message-ID: Finally getting back to my poor deprived webserver.. I have brought back to life the cvsweb that I had a LONG time ago. http://www.eviladmin.org/cgi-bin/cvsweb.cgi It will be synced every two hours. Have fun. - Ben From bugzilla-daemon at mindrot.org Sun Apr 7 02:53:57 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 7 Apr 2002 02:53:57 +1000 (EST) Subject: [Bug 138] Incorrect OpenSSL version requirment? Message-ID: <20020406165357.C62B5E923@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=138 ------- Additional Comments From markus at openbsd.org 2002-04-07 02:53 ------- blowfish w/ ssh1 could still be broken. please check. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From markus at openbsd.org Sun Apr 7 02:49:38 2002 From: markus at openbsd.org (Markus Friedl) Date: Sat, 6 Apr 2002 18:49:38 +0200 Subject: Bug in all versions of OpenSSH In-Reply-To: <000001c1dcdc$1361b1d0$0100a8c0@rawi> References: <000001c1dcdc$1361b1d0$0100a8c0@rawi> Message-ID: <20020406164938.GF13217@folly> On Fri, Apr 05, 2002 at 09:57:07PM +0200, Szymon Pusz wrote: > user at host.somewhere.in.th.net.com /bin/bash' (or /bin/tcsh) I log into wtmp and friends are for pty allocation. From markus at openbsd.org Sun Apr 7 02:54:59 2002 
From: markus at openbsd.org (Markus Friedl) Date: Sat, 6 Apr 2002 18:54:59 +0200 Subject: Bug in all versions of OpenSSH In-Reply-To: <004b01c1dcfa$d0b51e70$1701000a@effugas> References: <004b01c1dcfa$d0b51e70$1701000a@effugas> Message-ID: <20020406165459.GG13217@folly> On Fri, Apr 05, 2002 at 03:37:14PM -0800, Dan Kaminsky wrote: > Lots of things are broken by default; doesn't make them correct behavior. > Sites wishing to use wtmp etc. to do accounting on who came in from where do sshd works fine and logs every login with syslog. logging every scp, cvs commit and non-interactive in wtmp is silly. wtmp is not for accounting or auditing and will not work w/o a pty/tty on many systems. From markus at openbsd.org Sun Apr 7 02:55:49 2002 From: markus at openbsd.org (Markus Friedl) Date: Sat, 6 Apr 2002 18:55:49 +0200 Subject: Bug in all versions of OpenSSH In-Reply-To: <004b01c1dcfa$d0b51e70$1701000a@effugas> References: <004b01c1dcfa$d0b51e70$1701000a@effugas> Message-ID: <20020406165549.GH13217@folly> On Fri, Apr 05, 2002 at 03:37:14PM -0800, Dan Kaminsky wrote: > As is, it's sort of embarrassing that I can evade basic system logs so > easily. nonsense, every successful authentication is logged in the system logs with syslog. From markus at openbsd.org Sun Apr 7 03:00:13 2002 From: markus at openbsd.org (Markus Friedl) Date: Sat, 6 Apr 2002 19:00:13 +0200 Subject: PrivSep and portability In-Reply-To: References: <3CAE3057.B5B4018B@cray.com> Message-ID: <20020406170013.GI13217@folly> On Fri, Apr 05, 2002 at 06:19:48PM -0600, Ben Lindstrom wrote: > I don't think it should be too hard to disable the code if no mmap() > is detected. mmap() could be emulated with SYSV IPC. if you want to use privsep w/o mmap or anything similar you just have to disable compression on startup. -m From provos at citi.umich.edu Sun Apr 7 03:16:55 2002 
From: provos at citi.umich.edu (Niels Provos) Date: Sat, 6 Apr 2002 12:16:55 -0500 Subject: PrivSep and portability In-Reply-To: References: <3CAE3057.B5B4018B@cray.com> Message-ID: <20020406171655.GZ22327@citi.citi.umich.edu> On Fri, Apr 05, 2002 at 06:19:48PM -0600, Ben Lindstrom wrote: > If mmap() not found #ifdef out the one spot where it uses. Then go into > sshd.c and change the #define of PRIVSEP() to never use the privalege > code. mmap() is only required for compression. If you do you not have mmap, just disable compression. Niels. From bugzilla-daemon at mindrot.org Sun Apr 7 04:31:16 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 7 Apr 2002 04:31:16 +1000 (EST) Subject: [Bug 76] scp won't transfer files to or from the root under Cygwin Message-ID: <20020406183116.36F77E956@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=76 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From mouring at eviladmin.org 2002-04-07 04:31 ------- Fixed in CVS tree. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From mouring at etoh.eviladmin.org Sun Apr 7 04:33:44 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sat, 6 Apr 2002 12:33:44 -0600 (CST) Subject: Irix joblimits failure (was: Re: New snapshot) In-Reply-To: <3C87D557.BB0A9612@sgi.com> Message-ID: Am I going to see the fix for IRIX that you promised? Or am I going to have to do a code revert before 3.2 release? - Ben On Thu, 7 Mar 2002, David Kaelbling wrote: > IRIX has a compatibility mechanism that lets you test for optional symbols (like jlimit_start) at run-time. I think these patches will let all all IRIX 6.5 systems build images that will test for job limit support dynamically: > > --- ./configure.ac Wed Feb 27 01:12:35 2002 > +++ ../openssh-3.1p1/./configure.ac Thu Mar 7 15:50:21 2002 > @@ -115,7 +115,7 @@ > AC_DEFINE(WITH_IRIX_ARRAY) > AC_DEFINE(WITH_IRIX_PROJECT) > AC_DEFINE(WITH_IRIX_AUDIT) > - AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)]) > + AC_DEFINE(WITH_IRIX_JOBS) > AC_DEFINE(BROKEN_INET_NTOA) > ;; > *-*-linux*) > > > --- ./openbsd-compat/port-irix.c Tue Feb 19 15:02:49 2002 > +++ ../openssh-3.1p1/./openbsd-compat/port-irix.c Thu Mar 7 15:35:21 2002 > @@ -3,13 +3,20 @@ > #if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) > > #ifdef WITH_IRIX_PROJECT > -#include > +# include > #endif /* WITH_IRIX_PROJECT */ > #ifdef WITH_IRIX_JOBS > -#include > -#endif > +# include > +# include > +# if !defined(JLIMIT_CPU) > +/* Simulate job limit support so we can still test for it at runtime. */ > +typedef __int64_t jid_t; > +extern jid_t jlimit_startjob(char *, uid_t, char *); > +# pragma optional jlimit_startjob > +# endif > +#endif /* WITH_IRIX_JOBS */ > #ifdef WITH_IRIX_AUDIT > -#include > +# include > #endif /* WITH_IRIX_AUDIT */ > > void 
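Review bot: the first port-irix.c hunk only builds on a system without the job-limits headers because of the fallback under `# if !defined(JLIMIT_CPU)`, and that fallback hard-codes `typedef __int64_t jid_t;` and the `jlimit_startjob` prototype; together with the configure.ac hunk, which drops `AC_CHECK_FUNC(jlimit_startjob, ...)` and defines WITH_IRIX_JOBS unconditionally, every IRIX build now depends on that private copy of the API staying in step with SGI's headers. Suggest keeping a configure-time header check (AC_CHECK_HEADERS) so the stub path is chosen explicitly and documented, and a comment above the typedef naming the IRIX release it mirrors. Also, the include file names have been lost in the quoting (the `-#include` / `+# include` lines carry no header name), so the patch as shown cannot be applied; please attach it to a bugzilla entry rather than inline.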
> @@ -27,10 +34,16 @@ > #endif /* WITH_IRIX_JOBS */ > > #ifdef WITH_IRIX_JOBS > - jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); > - if (jid == -1) > - fatal("Failed to create job container: %.100s", > + if (_MIPS_SYMBOL_PRESENT(jlimit_startjob)) { > + jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); > + if (jid == -1) { > + if (errno == ENOPKG) > + jid = 0; > + else > + fatal("Failed to create job container: %.100s", > strerror(errno)); > + } > + } > #endif /* WITH_IRIX_JOBS */ > #ifdef WITH_IRIX_ARRAY > /* initialize array session */ > > (Hopefully that didn't get line-wrapped. If it did I can try again.) > The JLIMIT_CPU test is to try and recognize when we are compiling on a system without the job limit headers. > > Thanks, > David > > -- > David KAELBLING Silicon Graphics Computer Systems > 1 Cabot Rd, suite 250; Hudson, MA 01749 781.839.2157, fax ...2357 > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From drk at sgi.com Sun Apr 7 04:40:32 2002 
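Review bot: in the second port-irix.c hunk, `if (errno == ENOPKG) jid = 0;` silently treats a missing job-limits package as success, and when `_MIPS_SYMBOL_PRESENT(jlimit_startjob)` is false the whole block is skipped, so `jid` keeps whatever value it had before the hunk (its initialisation is outside the shown context). Check that the code which later consumes `jid` copes with 0 and with that prior value, and emit a debug() in both cases so an administrator can see that no job container was created for the session. Style: the `strerror(errno));` continuation line is kept at its old indentation inside the new nested block; re-indent it.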
From: drk at sgi.com (David Kaelbling) Date: Sat, 06 Apr 2002 13:40:32 -0500 Subject: Irix joblimits failure (was: Re: New snapshot) References: Message-ID: <3CAF4120.2D11F774@sgi.com> Ben Lindstrom wrote: > > Am I going to see the fix for IRIX that you promised? Or am I going to > have to do a code revert before 3.2 release? Sorry, I've been busy trying to ship our own release the last couple weeks. I should be able to work on this again after the 10th. If the freeze for 3.2 is coming up please pull my changes. I can re-submit them when they are more robust. Sorry, David > On Thu, 7 Mar 2002, David Kaelbling wrote: > > > IRIX has a compatibility mechanism that lets you test for optional symbols (like jlimit_start) at run-time. I think these patches will let all all IRIX 6.5 systems build images that will test for job limit support dynamically: > > > > --- ./configure.ac Wed Feb 27 01:12:35 2002 > > +++ ../openssh-3.1p1/./configure.ac Thu Mar 7 15:50:21 2002 > > @@ -115,7 +115,7 @@ > > AC_DEFINE(WITH_IRIX_ARRAY) > > AC_DEFINE(WITH_IRIX_PROJECT) > > AC_DEFINE(WITH_IRIX_AUDIT) > > - AC_CHECK_FUNC(jlimit_startjob, [AC_DEFINE(WITH_IRIX_JOBS)]) > > + AC_DEFINE(WITH_IRIX_JOBS) > > AC_DEFINE(BROKEN_INET_NTOA) > > ;; > > *-*-linux*) > > > > > > --- ./openbsd-compat/port-irix.c Tue Feb 19 15:02:49 2002 > > +++ ../openssh-3.1p1/./openbsd-compat/port-irix.c Thu Mar 7 15:35:21 2002 
> > @@ -3,13 +3,20 @@ > > #if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) > > > > #ifdef WITH_IRIX_PROJECT > > -#include > > +# include > > #endif /* WITH_IRIX_PROJECT */ > > #ifdef WITH_IRIX_JOBS > > -#include > > -#endif > > +# include > > +# include > > +# if !defined(JLIMIT_CPU) > > +/* Simulate job limit support so we can still test for it at runtime. */ > > +typedef __int64_t jid_t; > > +extern jid_t jlimit_startjob(char *, uid_t, char *); > > +# pragma optional jlimit_startjob > > +# endif > > +#endif /* WITH_IRIX_JOBS */ > > #ifdef WITH_IRIX_AUDIT > > -#include > > +# include > > #endif /* WITH_IRIX_AUDIT */ > > > > void > > @@ -27,10 +34,16 @@ > > #endif /* WITH_IRIX_JOBS */ > > > > #ifdef WITH_IRIX_JOBS > > - jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); > > - if (jid == -1) > > - fatal("Failed to create job container: %.100s", > > + if (_MIPS_SYMBOL_PRESENT(jlimit_startjob)) { > > + jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); > > + if (jid == -1) { > > + if (errno == ENOPKG) > > + jid = 0; > > + else > > + fatal("Failed to create job container: %.100s", > > strerror(errno)); > > + } > > + } > > #endif /* WITH_IRIX_JOBS */ > > #ifdef WITH_IRIX_ARRAY > > /* initialize array session */ > > > > (Hopefully that didn't get line-wrapped. If it did I can try again.) > > The JLIMIT_CPU test is to try and recognize when we are compiling on a system without the job limit headers. > > > > Thanks, > > David > > > > -- > > David KAELBLING Silicon Graphics Computer Systems > > 1 Cabot Rd, suite 250; Hudson, MA 01749 781.839.2157, fax ...2357 > > _______________________________________________ > > openssh-unix-dev at mindrot.org mailing list > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > -- David KAELBLING Silicon Graphics Computer Systems 1 Cabot Rd, suite 250; Hudson, MA 01749 781.839.2157, fax ...2357 From bugzilla-daemon at mindrot.org Sun Apr 7 05:20:33 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 7 Apr 2002 05:20:33 +1000 (EST) Subject: [Bug 75] Error compiling in ssh-agent.c Message-ID: <20020406192033.37D82E985@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=75 ------- Additional Comments From adrian at afsthumper.com 2002-04-07 05:20 ------- I now believe this whole problem was due to a library version conflict I was having with this Linux box. I wouldn't worry too much about atexit(), this is the only box I've ever had this problem with, and I got similar errors when trying to compile other stuff. Keep up the good work! ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sun Apr 7 06:15:34 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 7 Apr 2002 06:15:34 +1000 (EST) Subject: [Bug 207] New: Connect timeout patch Message-ID: <20020406201534.A4ACCE947@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=207 Summary: Connect timeout patch Product: Portable OpenSSH Version: 3.1p1 Platform: All URL: http://charts.free.fr/openssh-3.1p1-timeout-1.02.patch OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: jclonguet at free.fr This patch avoids spending too much time during connect() when doing an ssh()/scp() on a down host. A first version of this patch was already posted on the list; this one mostly corrects some style(9) typos and a possible bug. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sun Apr 7 06:19:56 2002 
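An added example of the technique behind bug 207, written for this page; it is not the patch at the URL above and not OpenSSH code. It bounds connect() the way a ConnectTimeout option would: put the socket in non-blocking mode, let connect() return EINPROGRESS, wait with poll() for the deadline, and read SO_ERROR to learn how the connect ended. The function names, the loopback demo helper and its 2-second deadline are this example's own.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* connect() that gives up after timeout_sec seconds. Returns 0 on success,
 * -1 on failure with errno set; a deadline that passes is reported as
 * ETIMEDOUT. The socket is put back into blocking mode either way. */
int timed_connect(int fd, const struct sockaddr *sa, socklen_t salen, int timeout_sec)
{
    struct pollfd pfd;
    int flags, rc, err, saved;
    socklen_t errlen = sizeof(err);

    if (timeout_sec <= 0)
        return connect(fd, sa, salen);     /* no deadline: plain blocking connect */

    if ((flags = fcntl(fd, F_GETFL, 0)) == -1 ||
        fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1)
        return -1;

    rc = connect(fd, sa, salen);           /* 0: done at once (e.g. loopback) */
    if (rc == -1 && errno == EINPROGRESS) {
        pfd.fd = fd;
        pfd.events = POLLOUT;
        rc = poll(&pfd, 1, timeout_sec * 1000);
        if (rc == 0) {                     /* deadline passed */
            errno = ETIMEDOUT;
            rc = -1;
        } else if (rc > 0) {               /* writable or error: ask the kernel */
            if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &errlen) == -1)
                rc = -1;
            else if (err != 0) {
                errno = err;
                rc = -1;
            } else
                rc = 0;
        }
    }
    saved = errno;
    fcntl(fd, F_SETFL, flags);             /* restore blocking mode for the caller */
    errno = saved;
    return rc;
}

/* Constructed demo: connect to a loopback listener that is either kept open
 * (expect success) or closed before the connect (expect ECONNREFUSED).
 * Returns 0 on success, otherwise the errno timed_connect() left behind. */
int loopback_demo(int keep_listener)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int lfd, cfd, rc, result;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;                      /* kernel picks a free port */
    if ((lfd = socket(AF_INET, SOCK_STREAM, 0)) == -1 ||
        bind(lfd, (struct sockaddr *)&sin, sizeof(sin)) == -1 ||
        listen(lfd, 1) == -1 ||
        getsockname(lfd, (struct sockaddr *)&sin, &len) == -1)
        return errno;
    if (!keep_listener)
        close(lfd);                        /* nobody listens there any more */
    cfd = socket(AF_INET, SOCK_STREAM, 0);
    rc = timed_connect(cfd, (struct sockaddr *)&sin, sizeof(sin), 2);
    result = rc == -1 ? errno : 0;
    close(cfd);
    if (keep_listener)
        close(lfd);
    return result;
}

int main(void)
{
    printf("open listener: %s\n", strerror(loopback_demo(1)));
    printf("closed port:   %s\n", strerror(loopback_demo(0)));
    return 0;
}
```

The refused and timed-out cases are reported through errno just like a blocking connect() would, so a caller such as the ssh connect loop needs no special handling beyond treating ETIMEDOUT as "host down, try the next address".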
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 7 Apr 2002 06:19:56 +1000 (EST) Subject: [Bug 207] Connect timeout patch Message-ID: <20020406201956.84285E9C1@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=207 ------- Additional Comments From jclonguet at free.fr 2002-04-07 06:19 ------- Created an attachment (id=63) ConnectTimeout patch ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sun Apr 7 10:28:30 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 7 Apr 2002 10:28:30 +1000 (EST) Subject: [Bug 205] PrivSep needs to be a compile-time option Message-ID: <20020407002830.537F6E9C5@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=205 ------- Additional Comments From mouring at eviladmin.org 2002-04-07 10:28 ------- Created an attachment (id=64) This patch (does not include configure.ac patch) should allow non-mmap platforms to compile, but will not allow them to use privsep period. One has to do more R&D to figure out where to disable compression on sshd since sshd_config does not support Compression option. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From dan at doxpara.com Sun Apr 7 11:16:47 2002 
From: dan at doxpara.com (Dan Kaminsky) Date: Sat, 6 Apr 2002 17:16:47 -0800 Subject: Bug in all versions of OpenSSH References: <004b01c1dcfa$d0b51e70$1701000a@effugas> <20020406165549.GH13217@folly> Message-ID: <00bb01c1ddd1$e3b72ae0$1701000a@effugas> > On Fri, Apr 05, 2002 at 03:37:14PM -0800, Dan Kaminsky wrote: > > As is, it's sort of embarrassing that I can evade basic system logs so > > easily. > > nonsense, every successful authentication is logged in > the system logs with syslog. I haven't really decided how I feel about this, but I'm somewhat leaning towards feeling that "last" should show the last n logins. On the flip side, it absolutely should *not* show the last n individual file transfers. I do remember that CVS over SSH can be made much faster with something that caches SSH sessions and runs multiple commands over them (fsh, if I remember right). Could PrivSep be tweaked to allow this form of functionality? If so, perhaps all the multi-session commands could be collapsed into a single authentication to be reflected on execution of "last"...or perhaps we could just cap how often we'd log their entries (though that sacrifices inter-session independence, a huge nono). I'm not insisting on anything here -- I certainly see the validity of the syslog approach, and we don't expect all services (apache, ftpd) to throw things into the lastlog. But "ssh user at host /bin/bash" is a little uncomfortably trivial. --Dan From abartlet at pcug.org.au Sun Apr 7 12:13:07 2002 
From: abartlet at pcug.org.au (Andrew Bartlett) Date: Sun, 07 Apr 2002 12:13:07 +1000 Subject: PATCH: sftp-server logging. References: <20020315122047.A22509@dour.org> <20020317211816.G15684@folly> <20020317182424.A27407@dour.org> <20020318114909.A27206@folly> <007901c1ce6b$f72d2cc0$1701000a@effugas> <20020318153126.GA23951@faui02> <011b01c1ce9c$57c62cf0$1701000a@effugas> <20020318164842.GB23951@faui02> <013501c1ce9d$eef86c90$1701000a@effugas> <20020318170032.GD23951@faui02> <013f01c1ce9f$336fa040$1701000a@effugas> Message-ID: <3CAFAB33.D27EB12D@bartlett.house> Dan Kaminsky wrote: > > > if you expect all ftpd features in sftp, then write your > > own sftpd. > > i expect the basics of any file transfer daemon. show me one that doesn't > log (ok besides samba, but you have no idea how horrific that protocol is. > there's a reason luke leighton scares everyone with his hex divining > skills.) Even Samba has rudimentary audit logs as an optional VFS module. > we're smart people, we know the difference between file transfer security > and code execution security. some companies don't. > > they get hacked regularly. I have to agree, sftp should make an attempt to log its work. I understand the current patch uses syslog - which despite its problems is *much* better than nothing. Andrew Bartlett -- Andrew Bartlett abartlet at pcug.org.au Manager, Authentication Subsystems, Samba Team abartlet at samba.org Student Network Administrator, Hawker College abartlet at hawkerc.net http://samba.org http://build.samba.org http://hawkerc.net From abartlet at pcug.org.au Sun Apr 7 12:23:22 2002 
From: abartlet at pcug.org.au (Andrew Bartlett) Date: Sun, 07 Apr 2002 12:23:22 +1000 Subject: Chroot of SCP and SFTP-server References: Message-ID: <3CAFAD9A.A5B09FCD@bartlett.house> "Dawes, Rogan R" wrote: > > Hi, > > I was thinking about the difficulties and complexities of using chroot in > scp or sftp-server, in order to limit the user in which files they can > access. > > I've seen a lot of arguments about how it is pointless to try and secure scp > or sftp (also from a logging perspective) because if we allow SSH access, > the user can simply provide their own scp or sftp binary, that does not do > the controls that the admin wants. > > But that presupposes that the user actually has shell access and can execute > arbitrary commands. > > Setting the user's shell to /usr/bin/sftp-server or to /user/bin/scp should > be sufficient to restrict the user to only copying files. They DO still have > the ability to roam around the filesystem, however. Hence the debates around > chroot, and rejection of the various proposals, due to having to build > "chroot filesystems" that contain the necessary executables. > > Here is a simpler proposal: > > How difficult is it to restrict the parent directory that they may write to? > e.g. only permit relative paths, and prohibit any "../" path components? > Exactly how one would tell scp or sftp-server to "pseudo-chroot" themselves > is a different problem. Maybe have a "restricted-scp"? > > So for example, user joe is allowed to scp files to his home directory, but > not anywhere above that. > > joe:*:501:501:::/home/joe:/bin/restricted-scp > > restricted-scp refuses to honour any paths that contain a leading '/', or > contain a '/../' string. So he can't wander out of his home directory. Can > SCP or sftp server create symlinks, that could potentially go above the home > directory? That functionality should also be restricted, as above, using the > same rules. 
> > I think this would answer the problems that a number of people have, that > are preventing them from getting rid of FTP. > > Maybe it would still be possible to use chroot in these circumstances, for > those that don't like trying to eliminate "parent paths". If sftp-server > chroots at startup, wouldn't that solve the problem? Does sftp-server or scp > use any external binaries to implement any file transfer functionality? If you want to chroot() you need to be setuid root. (because by this stage sftp is running in user's context). My preferred solution (shot down once before, so I never got the coding finished) is to use 'realpath()', but it does have inherent race conditions. Andrew Bartlett -- Andrew Bartlett abartlet at pcug.org.au Manager, Authentication Subsystems, Samba Team abartlet at samba.org Student Network Administrator, Hawker College abartlet at hawkerc.net http://samba.org http://build.samba.org http://hawkerc.net From gert at greenie.muc.de Sun Apr 7 20:33:14 2002 
From: gert at greenie.muc.de (Gert Doering) Date: Sun, 7 Apr 2002 12:33:14 +0200 Subject: PLEASE TEST snapshots In-Reply-To: <20020405101615.GA28894@folly>; from Markus Friedl on Fri, Apr 05, 2002 at 12:16:15PM +0200 References: <20020404201958.GE12530@faui02> <20020404214633.A10777@tetto.liafa.jussieu.fr> <20020405101615.GA28894@folly> Message-ID: <20020407123314.B27904@greenie.muc.de> Hi, On Fri, Apr 05, 2002 at 12:16:15PM +0200, Markus Friedl wrote: > If you want OpenSSH 3.2 to be the best version of OpenSSH, > then please test the snapshots. SCO 3.2v4.2 (ODT 3.0) doesn't compile. Major stumbling block is monitor_fdpass.c - SCO does not have a "struct cmsghdr", so all the CMSG_SPACE/CMSG_LEN macros fail with monitor_fdpass.c:42: sizeof applied to an incomplete type and later on monitor_fdpass.c:51: structure has no member named `msg_control' monitor_fdpass.c:52: structure has no member named `msg_controllen' Further, there is no SCM_RIGHTS on this system (I assume that this has to do with file descriptor passing, which SCO cannot do). Next issue is monitor_mm.c, due to having neither nor mmap(). I don't fully understand the PrivSep stuff, so I don't really feel like putting big #ifdef's around that stuff and trying to make it work "without"... All other source files compile fine, though I can see that two changes I had to do for 3.1p1 are still not merged in: - sftp-server.c uses "truncate()", which doesn't exist (needs to use ftruncate()). - entropy.c needs to do seteuid(getuid()) before doing setuid(original_uid), otherwise the setuid() call will fail (as per the man page, though I do not claim to understand why this is so): diff -u -w -r1.41 entropy.c --- entropy.c 11 Mar 2002 00:16:35 -0000 1.41 +++ entropy.c 7 Apr 2002 10:34:17 -0000 
@@ -85,9 +85,10 @@ close(devnull); if (original_uid != original_euid && - setuid(original_uid) == -1) { - fprintf(stderr, "(rand child) setuid: %s\n", - strerror(errno)); + ( seteuid(getuid()) == -1 || + setuid(original_uid) == -1) ) { + fprintf(stderr, "(rand child) setuid(%d): %s\n", + original_uid, strerror(errno)); _exit(1); } gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From bugzilla-daemon at mindrot.org Sun Apr 7 22:03:13 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 7 Apr 2002 22:03:13 +1000 (EST) Subject: [Bug 184] 3.1p1 openssh fails to build a working sshd on Trusted HP-UX 10.26 Message-ID: <20020407120313.5CE2DE969@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=184 stevesk at pobox.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |openssh-unix-dev at mindrot.org AssignedTo|openssh-unix-dev at mindrot.org|stevesk at pobox.com ------- Additional Comments From stevesk at pobox.com 2002-04-07 22:03 ------- this already exists in HAVE_SCO_PROTECTED_PW. this should probably be changed to use #ifdef SecureWare. prefer to see error checking on set_auth_parameters(). we probably want BROKEN_LOGIN for login that can't handle "--". didn't look at configure much right now. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. You are on the CC list for the bug, or are watching someone who is. From krooger at debian.org Sun Apr 7 22:03:57 2002 
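Review bot: in the entropy.c hunk in Gert's mail above, the added `seteuid(getuid())` changes what the following `setuid(original_uid)` does on platforms other than SCO. Once the effective uid is no longer original_euid (root, in the setuid ssh case the `original_uid != original_euid` guard is there for), an unprivileged setuid() on a system with POSIX semantics changes only the effective uid and leaves the saved set-user-id untouched, so the privilege drop in the rand child is no longer guaranteed to be irreversible everywhere it was before. Keep the seteuid() under an SCO-specific #ifdef (or verify afterwards with getuid()/geteuid(), and getresuid() where available), and add a source comment saying why SCO needs it, since the mail says the reason is unclear. Minor: one call uses getuid() and the other original_uid; use the same value in both, and make the error message say which of the two calls failed instead of always printing `setuid(%d)`.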
From: krooger at debian.org (Jonathan Walther) Date: Sun, 7 Apr 2002 05:03:57 -0700 Subject: missing corner case in authorized_keys? Message-ID: <20020407120357.GA14490@reactor-core.org> I've written up a little HOWTO on how I set up my CVS server to allow anonymous access via ssh. I did it a little bit differently than the method documented by Theo and crew. Where their login shell has a lot of stuff in it, mine is a simple execle() statement. Url is here: http://reactor-core.org/#code After following the steps outlined in the HOWTO, I came across the following problem. How can I disable things like port forwarding, X forwarding, agent forwarding, and so on to people who are connecting to this passwordless account? The .ssh/authorized_keys file seems to provide the perfect solution, except that users are not logging in with public keys; they are being logged in without any key or password. And this is as it needs to be. I thought of one solution, but am not sure if it is correct: What if "*" was understood to mean "any key not otherwise specified in this file" in the authorized_keys file? Then I could turn all the options on and off to my hearts content. My only hesitation is that since the user is logging in via password mechanism, no public key is involved, so authorized_keys probably wouldn't even come into the picture. I'm not married to the above idea; but I would like some mechanism to enable and disable sshd features on a per user basis, so that I can use ssh to provide encryption for otherwise cleartext public services, without compromising my box, or locking down users that I do trust. Also, in authorized_keys I can limit the -L port forwarding; how about a keyword for controlling -R port forwarding as well? I don't want Joe Random CVS user opening up a port to listen on my box. Cheers! Jonathan -- Geek House Productions, Ltd. 
Providing Unix & Internet Contracting and Consulting, QA Testing, Technical Documentation, Systems Design & Implementation, General Programming, E-commerce, Web & Mail Services since 1998 Phone: 604-435-1205 Email: djw at reactor-core.org Webpage: http://reactor-core.org Address: 2459 E 41st Ave, Vancouver, BC V5R2W2 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 350 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020407/c4249958/attachment.bin From kevin at atomicgears.com Mon Apr 8 03:10:49 2002 
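An added example of the "login shell that is a simple execle()" idea from the mail above; it is not the HOWTO's code and not OpenSSH's. sshd runs the account's shell as "$SHELL -c '<command>'" for a remote command and with argc == 1 for an interactive login, so a restricted shell can accept exactly one command line and replace itself with cvs under a fixed environment. Note what this does not do: port, X11 and agent forwarding are decided by sshd, not by the shell, which is the gap the question above is about. The cvs path, the account's home and the CVSROOT value are placeholders for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Placeholder locations; adjust to the real cvs binary and repository. */
#define CVS_BINARY "/usr/bin/cvs"
static char *const anon_env[] = {
    "PATH=/usr/bin:/bin",
    "HOME=/home/anoncvs",
    "CVSROOT=/home/anoncvs/cvsroot",
    NULL
};

/* Accept only "<shell> -c 'cvs server'": no interactive login (argc == 1),
 * no other command, and nothing appended after the command. Returns 1 to
 * accept the request, 0 to refuse it. */
int accept_request(int argc, char *const argv[])
{
    return argc == 3 && strcmp(argv[1], "-c") == 0 &&
        strcmp(argv[2], "cvs server") == 0;
}

/* Wrappers so the policy can be exercised without sshd. */
int accept_command(const char *cmd)
{
    char *const argv[] = { "anoncvs", "-c", (char *)cmd, NULL };
    return accept_request(3, argv);
}

int accept_interactive(void)
{
    char *const argv[] = { "-anoncvs", NULL };
    return accept_request(1, argv);
}

/* Refuse anything but the cvs server request; otherwise replace the shell
 * with cvs. The environment is the fixed list above, so nothing from the
 * client's session (LD_*, CVS_*, ...) is inherited. Returns only on refusal
 * (1) or if the exec itself fails (2). */
int run_anoncvs_shell(int argc, char *const argv[])
{
    if (!accept_request(argc, argv)) {
        fprintf(stderr, "anoncvs: only 'cvs server' is permitted\n");
        return 1;
    }
    execle(CVS_BINARY, "cvs", "server", (char *)NULL, anon_env);
    perror("anoncvs: execle");
    return 2;
}

int main(int argc, char *argv[])
{
    return run_anoncvs_shell(argc, argv);
}
```

Install the binary as the anonymous account's login shell (and list it in /etc/shells if the system checks that); a client then gets "cvs -d :ext:anoncvs@host:/home/anoncvs/cvsroot" and nothing else.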
From: kevin at atomicgears.com (Kevin Steves) Date: Sun, 7 Apr 2002 10:10:49 -0700 (PDT) Subject: PLEASE TEST snapshots In-Reply-To: <20020407123314.B27904@greenie.muc.de> Message-ID: On Sun, 7 Apr 2002, Gert Doering wrote: :SCO 3.2v4.2 (ODT 3.0) doesn't compile. : :Major stumbling block is monitor_fdpass.c - SCO does not have a :"struct cmsghdr", so all the CMSG_SPACE/CMSG_LEN macros fail with : :monitor_fdpass.c:42: sizeof applied to an incomplete type : :and later on : :monitor_fdpass.c:51: structure has no member named `msg_control' :monitor_fdpass.c:52: structure has no member named `msg_controllen' : :Further, there is no SCM_RIGHTS on this system (I assume that this has :to do with file descriptor passing, which SCO cannot do). : : :Next issue is monitor_mm.c, due to having neither nor :mmap(). can you try with current again? until we determine a run-time way to be more intelligent, we just fatal() on use of a non-supported feature. - (stevesk) HAVE_CONTROL_IN_MSGHDR; not used right now. Future: we may want to test if fd passing works correctly. - (stevesk) [monitor_fdpass.c] fatal() for UsePrivilegeSeparation=yes and no fd passing support. - (stevesk) HAVE_MMAP and HAVE_SYS_MMAN_H and use them in monitor_mm.c if the other issues aren't in bugzilla already, can you add them? From bugzilla-daemon at mindrot.org Mon Apr 8 07:29:04 2002 
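An added example, not OpenSSH's monitor_fdpass.c, of what the code the bug 206 and SCO reports stumble over actually does, and of the run-time check Kevin mentions above: descriptor passing over a UNIX-domain socketpair with SCM_RIGHTS. The `char buf[CMSG_SPACE(sizeof(int))]` declaration is the line XLC rejects when struct cmsghdr is incomplete, and fdpass_works() is one way a server could find out at startup whether the platform really passes descriptors before committing to privilege separation. Function names are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

/* Send one descriptor over a UNIX-domain socket. One byte of ordinary data
 * travels with it so the receiver has something to recvmsg(). Returns 0 on
 * success, -1 on error. */
int send_fd(int sock, int fd)
{
    struct msghdr msg;
    struct iovec iov;
    struct cmsghdr *cmsg;
    char buf[CMSG_SPACE(sizeof(int))];   /* the line XLC objects to */
    char ch = 'F';

    memset(&msg, 0, sizeof(msg));
    memset(buf, 0, sizeof(buf));
    iov.iov_base = &ch;
    iov.iov_len = 1;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = buf;
    msg.msg_controllen = sizeof(buf);
    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent by send_fd(). Returns the new descriptor or -1
 * if nothing, or something other than exactly one SCM_RIGHTS fd, arrived. */
int recv_fd(int sock)
{
    struct msghdr msg;
    struct iovec iov;
    struct cmsghdr *cmsg;
    char buf[CMSG_SPACE(sizeof(int))];
    char ch;
    int fd;

    memset(&msg, 0, sizeof(msg));
    iov.iov_base = &ch;
    iov.iov_len = 1;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = buf;
    msg.msg_controllen = sizeof(buf);
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    cmsg = CMSG_FIRSTHDR(&msg);
    if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
        cmsg->cmsg_type != SCM_RIGHTS || cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Run-time self test: pass the write end of a pipe across a socketpair,
 * write through the copy that arrived, read it back from the original read
 * end. Returns 1 if descriptor passing works on this system, 0 if not. */
int fdpass_works(void)
{
    int sv[2], p[2], got = -1, ok = 0;
    char c = 0;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return 0;
    if (pipe(p) == -1) {
        close(sv[0]); close(sv[1]);
        return 0;
    }
    if (send_fd(sv[0], p[1]) == 0 && (got = recv_fd(sv[1])) != -1) {
        ok = write(got, "x", 1) == 1 && read(p[0], &c, 1) == 1 && c == 'x';
        close(got);
    }
    close(sv[0]); close(sv[1]); close(p[0]); close(p[1]);
    return ok;
}

int main(void)
{
    printf("fd passing: %s\n", fdpass_works() ? "works" : "not supported");
    return 0;
}
```

On a system like the SCO one described above this will not even compile (no struct cmsghdr, no SCM_RIGHTS, no socketpair()), which is why the configure-time HAVE_CONTROL_IN_MSGHDR style check has to come first and the run-time test can only refine it.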
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 8 Apr 2002 07:29:04 +1000 (EST) Subject: [Bug 208] New: SCO build/runtime fixes Message-ID: <20020407212904.C5D90E904@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=208 Summary: SCO build/runtime fixes Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: other Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: gert at greenie.muc.de Portability fixes needed for SCO Unix 3.2v4.0 (SCO OSR 3.0). entropy.c needs seteuid(getuid()) for the setuid(original_uid) to succeed. This is per the man page for setuid(), though I won't claim to understand the reasoning. sftp-server.c uses truncate(), which does not exist on SCO. Only ftruncate() exists (-Dftruncate=chsize). I'll try to attach patches. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Apr 8 07:30:09 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 8 Apr 2002 07:30:09 +1000 (EST) Subject: [Bug 208] SCO build/runtime fixes Message-ID: <20020407213009.5DE92E904@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=208 ------- Additional Comments From gert at greenie.muc.de 2002-04-08 07:30 ------- Created an attachment (id=65) cvs diff of "works on SCO 3.2v4" vs. -current ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From gert at greenie.muc.de Mon Apr 8 07:27:42 2002 
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 7 Apr 2002 23:27:42 +0200
Subject: PLEASE TEST snapshots
In-Reply-To: ; from Kevin Steves on Sun, Apr 07, 2002 at 10:10:49AM -0700
References: <20020407123314.B27904@greenie.muc.de>
Message-ID: <20020407232742.B1996@greenie.muc.de>

Hi,

On Sun, Apr 07, 2002 at 10:10:49AM -0700, Kevin Steves wrote:
> :Major stumbling block is monitor_fdpass.c - SCO does not have a
> :"struct cmsghdr", so all the CMSG_SPACE/CMSG_LEN macros fail with
[..]
> :Next issue is monitor_mm.c, due to having neither nor
> :mmap().
>
> can you try with current again?

Better.  Compilation works, though linking fails:

undefined                       first referenced
 symbol                             in file
munmap                              monitor_mm.o
socketpair                          monitor.o
ld fatal: Symbol referencing errors. No output written to sshd

there is no socketpair() on SCO (relates to "no unix sockets here"), and
of course no munmap() either.

All other applications compile just fine.  Some very simplistic testing
of the resulting "ssh" binary with -1 and -2 suggests success (i.e.: what
I tested works).

> until we determine a run-time way to
> be more intelligent, we just fatal() on use of a non-supported feature.

Fine with me :-) as long as the fatal() message is clear enough...

    fatal("%s: UsePrivilegeSeparation=yes not supported", __FUNCTION__);

Looks good to me.  Maybe add " due missing mmap()" or something so that
it's clear that this is no "policy" issue but operating system limitation?

[..]
> if the other issues aren't in bugzilla already, can you add them?

Done, bug 208.

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From mouring at etoh.eviladmin.org Mon Apr 8 07:31:53 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sun, 7 Apr 2002 16:31:53 -0500 (CDT) Subject: PLEASE TEST snapshots In-Reply-To: <20020407232742.B1996@greenie.muc.de> Message-ID: On Sun, 7 Apr 2002, Gert Doering wrote: > Hi, > > On Sun, Apr 07, 2002 at 10:10:49AM -0700, Kevin Steves wrote: > > :Major stumbling block is monitor_fdpass.c - SCO does not have a > > :"struct cmsghdr", so all the CMSG_SPACE/CMSG_LEN macros fail with > [..] > > :Next issue is monitor_mm.c, due to having neither nor > > :mmap(). > > > > can you try with current again? > > Better. Compilation works, though linking fails: > > undefined first referenced > symbol in file > munmap monitor_mm.o > socketpair monitor.o > ld fatal: Symbol referencing errors. No output written to sshd > > there is no socketpair() on SCO (relates to "no unix sockets here"), and > of course no munmap() either. > Which is one of the reasons why I #ifdef out the section with munmap() also in the proposed starting point in the bugzilla tree. - Ben From kevin at atomicgears.com Mon Apr 8 08:20:58 2002 
From: kevin at atomicgears.com (Kevin Steves)
Date: Sun, 7 Apr 2002 15:20:58 -0700 (PDT)
Subject: PLEASE TEST snapshots
In-Reply-To:
Message-ID:

On Sun, 7 Apr 2002, Ben Lindstrom wrote:
:> > :Next issue is monitor_mm.c, due to having neither nor
:> > :mmap().
:> >
:> > can you try with current again?
:>
:> Better.  Compilation works, though linking fails:
:>
:> undefined                       first referenced
:>  symbol                             in file
:> munmap                              monitor_mm.o
:> socketpair                          monitor.o
:> ld fatal: Symbol referencing errors. No output written to sshd

ok, i missed munmap().

:> there is no socketpair() on SCO (relates to "no unix sockets here"), and
:> of course no munmap() either.

i think we want to support USE_PIPES.  in fact, native OpenSSH uses that
by default now.

:Which is one of the reasons why I #ifdef out the section with munmap()
:also in the proposed starting point in the bugzilla tree.

yes, i missed that.  i wanted to wrap close to the syscall for now.

From bugzilla-daemon at mindrot.org Mon Apr 8 09:44:05 2002
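The descriptor-passing mechanism the SCO build trips over, as an added example (this is not OpenSSH's monitor_fdpass.c and not code from anyone in the thread): one open descriptor is sent across a socketpair() in an SCM_RIGHTS control message, and the receiver validates the control message before trusting it. Where OpenSSH would consult a configure-time result such as HAVE_CONTROL_IN_MSGHDR, this example keys its fallback on whether SCM_RIGHTS is defined at all; that substitution, and the function names, are assumptions made for the illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>

/* "SCM_RIGHTS defined" stands in for a configure probe such as OpenSSH's
 * HAVE_CONTROL_IN_MSGHDR; that substitution is an assumption of this example. */
#ifdef SCM_RIGHTS
union fdcmsg {                      /* room for one control message holding one int */
	struct cmsghdr hdr;
	char buf[CMSG_SPACE(sizeof(int))];
};
#endif

/* Send fd over UNIX-domain socket sock: 0 on success, -1 on failure or when
 * the platform has no control messages at all (the SCO case in the thread). */
static int send_fd(int sock, int fd)
{
#ifdef SCM_RIGHTS
	struct msghdr msg; struct iovec iov; struct cmsghdr *cmsg;
	union fdcmsg cm;
	char ch = '\0';                 /* one data byte must travel with the fd */
	memset(&msg, 0, sizeof(msg)); memset(&cm, 0, sizeof(cm));
	iov.iov_base = &ch; iov.iov_len = 1;
	msg.msg_iov = &iov; msg.msg_iovlen = 1;
	msg.msg_control = cm.buf; msg.msg_controllen = sizeof(cm.buf);
	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));
	cmsg->cmsg_level = SOL_SOCKET; cmsg->cmsg_type = SCM_RIGHTS;
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
	return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
#else
	(void)sock; (void)fd;
	fprintf(stderr, "fd passing not supported on this platform\n");
	return -1;
#endif
}

/* Receive the descriptor sent by send_fd(): the new fd number, or -1. */
static int recv_fd(int sock)
{
#ifdef SCM_RIGHTS
	struct msghdr msg; struct iovec iov; struct cmsghdr *cmsg;
	union fdcmsg cm;
	char ch; int fd;
	memset(&msg, 0, sizeof(msg));
	iov.iov_base = &ch; iov.iov_len = 1;
	msg.msg_iov = &iov; msg.msg_iovlen = 1;
	msg.msg_control = cm.buf; msg.msg_controllen = sizeof(cm.buf);
	if (recvmsg(sock, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC))
		return -1;              /* short read or truncated control data */
	cmsg = CMSG_FIRSTHDR(&msg);
	/* Accept exactly one SCM_RIGHTS entry holding exactly one int. */
	if (cmsg == NULL || cmsg->cmsg_level != SOL_SOCKET ||
	    cmsg->cmsg_type != SCM_RIGHTS || cmsg->cmsg_len != CMSG_LEN(sizeof(int)))
		return -1;
	memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
	return fd;
#else
	(void)sock;
	return -1;
#endif
}

/* Pass a pipe's read end across a socketpair and read through the copy that
 * arrives: 1 if a distinct descriptor came back and the data was readable
 * through it, 0 otherwise (including "no fd passing on this platform"). */
int fdpass_roundtrip(void)
{
	int sv[2], p[2], got = -1, ok = 0;
	char buf[4];

	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
		return 0;
	if (pipe(p) == -1) {
		close(sv[0]); close(sv[1]);
		return 0;
	}
	if (send_fd(sv[0], p[0]) == 0 && (got = recv_fd(sv[1])) != -1) {
		if (write(p[1], "ok", 2) == 2 && read(got, buf, sizeof(buf)) == 2 &&
		    memcmp(buf, "ok", 2) == 0 && got != p[0])
			ok = 1;
		close(got);
	}
	close(sv[0]); close(sv[1]); close(p[0]); close(p[1]);
	return ok;
}

int main(void)
{
	printf("fd passing %s\n", fdpass_roundtrip() ? "works" : "unavailable");
	return 0;
}
```

On a platform with control messages fdpass_roundtrip() returns 1 and the receiver gets a new descriptor number, because the kernel installs a fresh copy of the file in the receiving process; on a system like the SCO release above the #else branch fails closed, which is the same shape as the fatal() Kevin describes for UsePrivilegeSeparation=yes. The socketpair has no filesystem name, so only a process holding one of its two ends (or one that has been handed a copy this way) can talk on it.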
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 8 Apr 2002 09:44:05 +1000 (EST) Subject: [Bug 206] -SNAP-20020405: build failures on AIX 3.2.5 with XLC 1.2.1.16 Message-ID: <20020407234405.ED070E94A@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=206 ------- Additional Comments From Matthew_Clarke at mindlink.bc.ca 2002-04-08 09:44 ------- More investigation shows that adding "--with-cppflags=-D_BSD=44" triggers a "struct cmsghdr" definition in the system headers, fixing the compilation error. However, that triggers changes to the WIFEXITED() macro and friends, such that they expect a "struct wait" instead of an "int", which breaks the compile of entropy.c. Read some traffic on the openssh-unix-dev mailing list about a similar "struct cmsghdr" compile error on SCO 3.2v4.2, and about a fix/workaround being in CVS. Will try again with Monday's snapshot. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Apr 8 12:46:07 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 8 Apr 2002 12:46:07 +1000 (EST) Subject: [Bug 202] scp/ssh hangs Message-ID: <20020408024607.4A455E941@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=202 ------- Additional Comments From zheyang at cis.upenn.edu 2002-04-08 12:46 ------- I need to ask the system administrator here to find out which ssh server is running on the Solaris (is there simple way to find out?) But should an ssh client be able to find out what protocols the ssh server supports? It might be a bug of the ssh server: other people using the openSSH 3.1p1 doesn't seem to suffer from this problem. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Apr 8 12:58:27 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 8 Apr 2002 12:58:27 +1000 (EST)
Subject: [Bug 202] scp/ssh hangs
Message-ID: <20020408025827.0497DE958@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=202

------- Additional Comments From mouring at eviladmin.org  2002-04-08 12:58 -------
$ telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.1-bal

That is the best way of verifying what the server is.

- Ben

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Mon Apr 8 13:19:16 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 8 Apr 2002 13:19:16 +1000 (EST)
Subject: [Bug 202] scp/ssh hangs
Message-ID: <20020408031916.90111E96D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=202

------- Additional Comments From zheyang at cis.upenn.edu  2002-04-08 13:19 -------
Thanks, Ben.  It shows the server to be

SSH-1.99-2.0.13 (non-commercial)

Is this a protocol 1 ssh server, then?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Mon Apr 8 18:21:44 2002
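What the identification line Ben reads with telnet actually says, as an added example (not OpenSSH's own banner handling and not code from anyone in this bug): the line has the form SSH-protoversion-softwareversion followed by optional comments, and the protoversion is what answers the question about protocol 1. A server that speaks both protocol 1 and protocol 2 announces "1.99" (RFC 4253, section 5.1); "2.0" is protocol 2 only and other "1.x" values are protocol 1 only. The function names are this example's own, and the two banners in main() are the ones quoted in the comments above.

```c
#include <stdio.h>
#include <string.h>

/* Bits returned by ssh_protocols_offered(). */
#define SSH_PROTO_1 1
#define SSH_PROTO_2 2

/*
 * Split an identification string "SSH-protoversion-softwareversion[ comments]"
 * into its parts.  Returns 1 on success, 0 if the line is not an SSH banner.
 * A trailing CR/LF is tolerated.  Only the first '-' after "SSH-" separates
 * the fields: real software strings such as OpenSSH_3.1-bal contain dashes.
 */
int parse_ssh_banner(const char *line, char *proto, size_t plen,
    char *software, size_t slen, char *comments, size_t clen)
{
	const char *p, *dash, *sp;
	size_t n;

	if (strncmp(line, "SSH-", 4) != 0)
		return 0;
	p = line + 4;
	dash = strchr(p, '-');          /* protoversion never contains '-' */
	if (dash == NULL || dash == p)
		return 0;
	n = (size_t)(dash - p);
	if (n >= plen)
		return 0;
	memcpy(proto, p, n); proto[n] = '\0';

	p = dash + 1;
	sp = strpbrk(p, " \r\n");       /* software ends at SP or end of line */
	n = sp ? (size_t)(sp - p) : strlen(p);
	if (n == 0 || n >= slen)
		return 0;
	memcpy(software, p, n); software[n] = '\0';

	comments[0] = '\0';
	if (sp != NULL && *sp == ' ') {
		p = sp + 1;
		n = strcspn(p, "\r\n");
		if (n >= clen)
			n = clen - 1;
		memcpy(comments, p, n); comments[n] = '\0';
	}
	return 1;
}

/*
 * Which protocol major versions does protoversion advertise?  "1.99" is the
 * value a server sends when it speaks both protocol 1 and protocol 2, "2.0"
 * means protocol 2 only, any other "1.x" means protocol 1 only.  Returns a
 * bit mask of SSH_PROTO_1 / SSH_PROTO_2, or 0 for anything unrecognised.
 */
int ssh_protocols_offered(const char *proto)
{
	if (strcmp(proto, "1.99") == 0)
		return SSH_PROTO_1 | SSH_PROTO_2;
	if (strcmp(proto, "2.0") == 0)
		return SSH_PROTO_2;
	if (strncmp(proto, "1.", 2) == 0)
		return SSH_PROTO_1;
	return 0;
}

/* Classify one raw banner line in a single call; -1 if it is not a banner. */
int classify_banner(const char *line)
{
	char proto[16], software[128], comments[256];

	if (!parse_ssh_banner(line, proto, sizeof(proto), software,
	    sizeof(software), comments, sizeof(comments)))
		return -1;
	return ssh_protocols_offered(proto);
}

int main(void)
{
	/* Constructed inputs: the two banners quoted in this bug's comments. */
	const char *banners[] = { "SSH-2.0-OpenSSH_3.1-bal",
	    "SSH-1.99-2.0.13 (non-commercial)" };
	size_t i;

	for (i = 0; i < 2; i++) {
		int m = classify_banner(banners[i]);
		printf("%-36s protocol 1: %s  protocol 2: %s\n", banners[i],
		    (m & SSH_PROTO_1) ? "yes" : "no", (m & SSH_PROTO_2) ? "yes" : "no");
	}
	return 0;
}
```

Feed it the line telnet prints (or whatever a raw TCP connect to port 22 returns before you type anything) rather than trusting the client's error message: a hang or a "Connection reset" tells you nothing about which protocol versions the far end is prepared to negotiate, while the banner does.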
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 8 Apr 2002 18:21:44 +1000 (EST) Subject: [Bug 209] New: HP-UX 10.20 "make" problem Message-ID: <20020408082144.388C7E967@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=209 Summary: HP-UX 10.20 "make" problem Product: Portable OpenSSH Version: -current Platform: HPPA OS/Version: HP-UX Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: Lutz.Jaenicke at aet.TU-Cottbus.DE After successfully configuring and compiling on HP-UX 10.20, "make install" fails with HP's "make" command: In "scard/Makefile", the install target references $(srcdir)/Ssh.bin, which resolves to ./Ssh.bin. The build-rule however tries to build "Ssh.bin" and HP's make seems to not understand that these files are identical. Thus "make install" fails with "Don't know how to build ./Ssh.bin". The problem does not appear with GNU-make. Solution: either don't reference $(srcdir) in the install rule or also use $(srcdir) in the build rule for Ssh.bin. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From markus at openbsd.org Mon Apr 8 18:07:11 2002 
From: markus at openbsd.org (Markus Friedl) Date: Mon, 8 Apr 2002 10:07:11 +0200 Subject: Bug in all versions of OpenSSH In-Reply-To: <00bb01c1ddd1$e3b72ae0$1701000a@effugas> References: <004b01c1dcfa$d0b51e70$1701000a@effugas> <20020406165549.GH13217@folly> <00bb01c1ddd1$e3b72ae0$1701000a@effugas> Message-ID: <20020408080711.GD30272@folly> On Sat, Apr 06, 2002 at 05:16:47PM -0800, Dan Kaminsky wrote: > I haven't really decided how I feel about this, but I'm somewhat leaning > towards feeling that "last" should show the last n logins. last is complex and different on every other architecture, so you should rely on syslogd for such things. > I do remember that CVS over SSH can be made much faster with something that > caches SSH sessions and runs multiple commands over them (fsh, if I remember > right). Could PrivSep be tweaked to allow this form of functionality? i don't think this is related to privsep. sshd supports up to 10 concurrent sessions, just hack the code into ssh. From markus at openbsd.org Mon Apr 8 18:10:52 2002 
From: markus at openbsd.org (Markus Friedl) Date: Mon, 8 Apr 2002 10:10:52 +0200 Subject: PATCH: sftp-server logging. In-Reply-To: <3CAFAB33.D27EB12D@bartlett.house> References: <20020317182424.A27407@dour.org> <20020318114909.A27206@folly> <007901c1ce6b$f72d2cc0$1701000a@effugas> <20020318153126.GA23951@faui02> <011b01c1ce9c$57c62cf0$1701000a@effugas> <20020318164842.GB23951@faui02> <013501c1ce9d$eef86c90$1701000a@effugas> <20020318170032.GD23951@faui02> <013f01c1ce9f$336fa040$1701000a@effugas> <3CAFAB33.D27EB12D@bartlett.house> Message-ID: <20020408081052.GE30272@folly> On Sun, Apr 07, 2002 at 12:13:07PM +1000, Andrew Bartlett wrote: > I have to agree, sftp should make an attempt to log its work. I > understand the current patch uses syslog - which despite its problems is > *much* better than nothing. #define TRACE log for auditing the current logging is even more usefull as you can trace each stat and each single read. post-process the log output if you don't like it. you need to post-process every logfile in any case. -m From bugzilla-daemon at mindrot.org Mon Apr 8 20:59:06 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 8 Apr 2002 20:59:06 +1000 (EST) Subject: [Bug 204] Authentication fails when username contains an at-sign Message-ID: <20020408105906.7C7F1E9DB@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=204 ------- Additional Comments From markus at openbsd.org 2002-04-08 20:59 ------- Created an attachment (id=66) what about this? please test ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From dan at doxpara.com Mon Apr 8 21:23:31 2002 
From: dan at doxpara.com (Dan Kaminsky)
Date: Mon, 8 Apr 2002 04:23:31 -0700
Subject: Bug in all versions of OpenSSH
References: <004b01c1dcfa$d0b51e70$1701000a@effugas> <20020406165549.GH13217@folly> <00bb01c1ddd1$e3b72ae0$1701000a@effugas> <20020408080711.GD30272@folly>
Message-ID: <010301c1deef$d071bf30$1701000a@effugas>

> On Sat, Apr 06, 2002 at 05:16:47PM -0800, Dan Kaminsky wrote:
> > I haven't really decided how I feel about this, but I'm somewhat leaning
> > towards feeling that "last" should show the last n logins.
>
> last is complex and different on every other architecture,
> so you should rely on syslogd for such things.

A reasonable enough statement...but I don't know about syslogd directly.
Last is nice because it's a tool that directly outputs usable information,
which raw system logs aren't.  Maybe we can unify last in some manner.  Hmm.

> > I do remember that CVS over SSH can be made much faster with something that
> > caches SSH sessions and runs multiple commands over them (fsh, if I remember
> > right).  Could PrivSep be tweaked to allow this form of functionality?
>
> i don't think this is related to privsep. sshd supports up
> to 10 concurrent sessions, just hack the code into ssh.

Is the ten session limit related to the protocol or the implementation?

I bring up PrivSep because, from what I can see, it involves creating an
interface by which lesser-trusted executables can access the cryptographic
constructs from the greater-trusted separated process.  As long as we're
having one ssh executable access one privsep'd process, we might as well
allow n.  For that matter, is there anything that will prevent arbitrary
processes from contacting the privsep'd process and accessing it as they see
fit?

--Dan

From markus at openbsd.org Mon Apr 8 21:27:26 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 8 Apr 2002 13:27:26 +0200
Subject: Bug in all versions of OpenSSH
In-Reply-To: <010301c1deef$d071bf30$1701000a@effugas>
References: <004b01c1dcfa$d0b51e70$1701000a@effugas> <20020406165549.GH13217@folly> <00bb01c1ddd1$e3b72ae0$1701000a@effugas> <20020408080711.GD30272@folly> <010301c1deef$d071bf30$1701000a@effugas>
Message-ID: <20020408112726.GC9157@faui02>

On Mon, Apr 08, 2002 at 04:23:31AM -0700, Dan Kaminsky wrote:
> Maybe we can unify last in some manner.  Hmm.

In openssh sshd's we try to print one line per authentication (not
multiple, as early versions did), so it's easy to use this information.

> Is the ten session limit related to the protocol or the implementation?

random implementation/compile time limit.

> For that matter, is there anything that will prevent arbitrary processes
> from contacting the privsep'd process and accessing it as they see fit?

hm, how can arbitrary user processes access a socketpair?

From Kennie.Cruz at ece.uprm.edu Mon Apr 8 21:40:41 2002
From: Kennie.Cruz at ece.uprm.edu (Kennie Cruz)
Date: Mon, 08 Apr 2002 07:40:41 -0400
Subject: scp/sftp user failures on HP-UX
Message-ID: <1207620907.1018251641@dieleitung.ece.uprm.edu>

Hi,

I have an HP server with OpenSSH 3.1p1, on which the scp and sftp are
giving strange failures. For example: scp, ssh and sftp work fine only for
the root user. But for a normal user account only the ssh part works; the
scp and sftp fail to connect.

I am running UX 11i.

Any help will be appreciated.

--
"To learn is a natural pleasure" - Aristotle
-------------------------------------------------------------------
Kennie J. Cruz Gutierrez, System Administrator
Department of Electrical and Computer Engineering
University of Puerto Rico at Mayaguez
Work Phone: (787) 832-4040 x 3798
Email: Kennie.Cruz at ece.uprm.edu
Web: http://ece.uprm.edu/~kennie

From bugzilla-daemon at mindrot.org Mon Apr 8 22:05:26 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 8 Apr 2002 22:05:26 +1000 (EST) Subject: [Bug 210] New: can't prevent port forwarding on a per-user basis Message-ID: <20020408120526.406F7E9F2@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=210 Summary: can't prevent port forwarding on a per-user basis Product: Portable OpenSSH Version: -current Platform: All URL: http://reactor-core.org/security/HOWTO-Anonymous-CVS- Over-SSH OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: krooger at debian.org I've written up a little HOWTO on how I set up my CVS server to allow anonymous access via ssh. I did it essentially the same as the method documented by Theo and crew. Where their login shell has a lot of stuff in it, mine is a simple execle() statement. Url is here: http://reactor-core.org/#code After following the steps outlined in the HOWTO, and in the README that comes with anoncvssh.shar, I came across the following problem. How can I disable things like port forwarding, X forwarding, agent forwarding, and so on to people who are connecting to this passwordless account? The anoncvssh.shar README does not address this, so I'm wondering how the OpenBSD anonymous CVS services protect themselves from abuse of forwarding. The .ssh/authorized_keys file seems to provide the perfect solution, except that users are not logging in with public keys; they are being logged in without any key or password. And this is as it needs to be. I thought of one solution, but am not sure if it is correct: What if "*" was understood to mean "any key not otherwise specified in this file" in the authorized_keys file? Then I could turn all the options on and off to my hearts content. My only hesitation is that since the user is logging in via password mechanism, no public key is involved, so authorized_keys probably wouldn't even come into the picture. 
I'm not married to the above idea; but I would like some mechanism to enable and disable sshd features on a per user basis, so that I can use ssh to provide encryption for otherwise cleartext public services, without compromising my box, or locking down users that I do trust. Also, in authorized_keys I can limit the -L port forwarding; how about a keyword for controlling -R port forwarding as well? I don't want Joe Random CVS user opening up a port to listen on my box. Cheers! ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Apr 8 22:17:09 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 8 Apr 2002 22:17:09 +1000 (EST) Subject: [Bug 210] can't prevent port forwarding on a per-user basis Message-ID: <20020408121709.9BE7BE9FC@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=210 ------- Additional Comments From markus at openbsd.org 2002-04-08 22:17 ------- check this http://www.mindrot.org/~djm/ssh-keynote/ ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Apr 8 23:12:59 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 8 Apr 2002 23:12:59 +1000 (EST) Subject: [Bug 204] Authentication fails when username contains an at-sign Message-ID: <20020408131259.CC506E9F8@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=204 ------- Additional Comments From britt at yenne.net 2002-04-08 23:12 ------- I will test this on my system today, but I have no way to test whether Kerberos V5 still works after the fix. -britt ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 9 00:25:28 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 9 Apr 2002 00:25:28 +1000 (EST) Subject: [Bug 210] can't prevent port forwarding on a per-user basis Message-ID: <20020408142528.4F068EA05@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=210 ------- Additional Comments From krooger at debian.org 2002-04-09 00:25 ------- Excellent. Will the KeyNote patch be folded into -current at some point? Does /etc/sshd_policy override the directives in /etc/sshd_config? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From info at ninosdepapel.org Tue Apr 9 01:46:02 2002 
From: info at ninosdepapel.org (info at ninosdepapel.org)
Date: 08 Apr 2002 10:46:02 -0500
Subject: Las Cosas de Papel, 4a. Edición
Message-ID: <200204081153328.SM00451@ninosdepapel.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020408/bbb586f0/attachment.html

From ewheeler at kaico.com Tue Apr 9 02:53:13 2002
From: ewheeler at kaico.com (ewheeler at kaico.com)
Date: Mon, 8 Apr 2002 09:53:13 -0700 (PDT)
Subject: Bug in all versions of OpenSSH
In-Reply-To: <20020408080711.GD30272@folly>
Message-ID:

> > i don't think this is related to privsep. sshd supports up
> to 10 concurrent sessions, just hack the code into ssh.

I've not seen this 10 concurrent session limitation before -- If this is
the case, where can I change the number?  Is there a reason it should not
be changed?

--
Eric Wheeler
Network Administrator
KAICO
20417 SW 70th Ave.
Tualatin, OR 97062
www.kaico.com
Voice: 503.692.5268

From markus at openbsd.org Tue Apr 9 07:35:17 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 8 Apr 2002 23:35:17 +0200
Subject: Bug in all versions of OpenSSH
In-Reply-To:
References: <20020408080711.GD30272@folly>
Message-ID: <20020408213517.GA26896@folly>

On Mon, Apr 08, 2002 at 09:53:13AM -0700, ewheeler at kaico.com wrote:
> >
> > i don't think this is related to privsep. sshd supports up
> > to 10 concurrent sessions, just hack the code into ssh.
>
> I've not seen this 10 concurrent session limitation before -- If this is
> the case, where can I change the number?

session.c

> Is there a reason it should not
> be changed?

do you have a problem with this limit?

are you running more sessions over a single
ssh connection?

From austin at coremetrics.com Tue Apr 9 08:17:15 2002
From: austin at coremetrics.com (Austin Gonyou) Date: 08 Apr 2002 17:17:15 -0500 Subject: Bug in all versions of OpenSSH In-Reply-To: <20020406165549.GH13217@folly> References: <20020406165549.GH13217@folly> Message-ID: <1018304236.15201.45.camel@UberGeek> What? You don't have a syslog server? You don't log /var/log/messages, /var/log/syslog, or /var/adm/messages to a remote syslog host or DB and watch for incidents? umm...in that case, you seem to be defeating your OWN security. On Sat, 2002-04-06 at 10:55, Markus Friedl wrote: > On Fri, Apr 05, 2002 at 03:37:14PM -0800, Dan Kaminsky wrote: > > As is, it's sort of embarassing that I can evade basic system logs so > > easily. > -- Austin Gonyou Systems Architect, CCNA Coremetrics, Inc. Phone: 512-698-7250 email: austin at coremetrics.com "It is the part of a good shepherd to shear his flock, not to skin it." Latin Proverb -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 232 bytes Desc: This is a digitally signed message part Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020408/6c7cd680/attachment.bin From markus at openbsd.org Tue Apr 9 08:22:22 2002 
From: markus at openbsd.org (Markus Friedl) Date: Tue, 9 Apr 2002 00:22:22 +0200 Subject: Bug in all versions of OpenSSH In-Reply-To: <1018304236.15201.45.camel@UberGeek> References: <20020406165549.GH13217@folly> <1018304236.15201.45.camel@UberGeek> Message-ID: <20020408222222.GA817@faui02> why are you spamming me? On Mon, Apr 08, 2002 at 05:17:15PM -0500, Austin Gonyou wrote: > What? You don't have a syslog server? You don't log /var/log/messages, > /var/log/syslog, or /var/adm/messages to a remote syslog host or DB and > watch for incidents? > > umm...in that case, you seem to be defeating your OWN security. > On Sat, 2002-04-06 at 10:55, Markus Friedl wrote: > > On Fri, Apr 05, 2002 at 03:37:14PM -0800, Dan Kaminsky wrote: > > > As is, it's sort of embarassing that I can evade basic system logs so > > > easily. > > > -- > Austin Gonyou > Systems Architect, CCNA > Coremetrics, Inc. > Phone: 512-698-7250 > email: austin at coremetrics.com > > "It is the part of a good shepherd to shear his flock, not to skin it." > Latin Proverb From bugzilla-daemon at mindrot.org Tue Apr 9 09:56:33 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 9 Apr 2002 09:56:33 +1000 (EST) Subject: [Bug 204] Authentication fails when username contains an at-sign Message-ID: <20020408235633.05AC6E95B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=204 ------- Additional Comments From britt at yenne.net 2002-04-09 09:56 ------- Yes, that patch fixes the problem on my system. Again, I can't speak for Kerberos though. Thanks! -britt ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From kevin at atomicgears.com Tue Apr 9 11:24:37 2002 
From: kevin at atomicgears.com (Kevin Steves) Date: Mon, 8 Apr 2002 18:24:37 -0700 (PDT) Subject: scp/sftp user failures on HP-UX In-Reply-To: <1207620907.1018251641@dieleitung.ece.uprm.edu> Message-ID: On Mon, 8 Apr 2002, Kennie Cruz wrote: :I have an HP server with OpenSSH 3.1p1, on which the scp and sftp are :giving strange failures. For example: scp, ssh and sftp works fine only for :the root user. But for a normal user account only the ssh part works, the :scp and sftp fails to connect. : :I am running UX 11i. what are the "strange failures"? a guess is a permission problem, but need more data. From sergecpelletier at yahoo.com Wed Apr 10 02:34:18 2002 From: sergecpelletier at yahoo.com (Serge Pelletier) Date: 09 Apr 2002 13:34:18 -0300 Subject: scp/sftp user failures on HP-UX In-Reply-To: References: Message-ID: <1018370061.13378.2.camel@dragon.ASGTechnologies.com> Are the users running Rsh as a shell. I had the same problem and it was with the users having the restricted shell not allowing ftp. Without more information, it's hard to say. l8r On Mon, 2002-04-08 at 22:24, Kevin Steves wrote: > On Mon, 8 Apr 2002, Kennie Cruz wrote: > :I have an HP server with OpenSSH 3.1p1, on which the scp and sftp are > :giving strange failures. For example: scp, ssh and sftp works fine only for > :the root user. But for a normal user account only the ssh part works, the > :scp and sftp fails to connect. > : > :I am running UX 11i. > > what are the "strange failures"? a guess is a permission problem, but > need more data. > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From ewheeler at kaico.com Wed Apr 10 03:31:30 2002 
From: ewheeler at kaico.com (ewheeler at kaico.com) Date: Tue, 9 Apr 2002 10:31:30 -0700 (PDT) Subject: Bug in all versions of OpenSSH In-Reply-To: <20020408213517.GA26896@folly> Message-ID: Hmm. I suppose I misunderstood the purpose. I heard session and understood connection. On Mon, 8 Apr 2002, Markus Friedl wrote: > On Mon, Apr 08, 2002 at 09:53:13AM -0700, ewheeler at kaico.com wrote: > > > > > > i don't think this is related to privsep. sshd supports up > > > to 10 concurrent sessions, just hack the code into ssh. > > > > I've not seen this 10 concurrent session limitation before -- If this is > > the case, where can I change the number? > > session.c > > > Is there a reason it should not > > be changed? > > do you have a problem with this limit? > > are you running more sessions over a single > ssh connection? > -- Eric Wheeler Network Administrator KAICO 20417 SW 70th Ave. Tualatin, OR 97062 www.kaico.com Voice: 503.692.5268 From bugzilla-daemon at mindrot.org Wed Apr 10 05:01:01 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 10 Apr 2002 05:01:01 +1000 (EST)
Subject: [Bug 172] Add multiple AuthorizedKeyFiles options
Message-ID: <20020409190101.C10F5EA0D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=172

------- Additional Comments From alex.kiernan at thus.net  2002-04-10 05:00 -------
> ------- Additional Comments From mouring at eviladmin.org  2002-04-06 08:08
> -------
> I would prefer not myself.  The reason why we went down to ONE authorization
> file was to simplify management.  Allowing multiple key locations is
> asking for trouble.

If this were the default behaviour, I'd agree.  It's not.  It can be turned
on only by deliberate administrator action.

We automatically distribute the /var/db/keys-distributed-by-security-team/%u
section (and have other evil hacks that allow keys in this location to be
owned by a special user - those hacks aren't in the patch).  This preserves
the principle of least astonishment by separating out the keys that the
security team modify (and potentially clobber) from the keys that the users
expect to have control over.

> How do you handle the case where you have two alike authorization entries
> with
> conflicting key options (command=,environment=,etc)?  Which one takes
> priority?  First come first serve?

There's already that possibility today - you can have multiple keys which
can match in a single file, the first match is the one that gets used.

> No, you should have one spot only.

Agreed you should have only one by default, but I don't think the
flexibility loses you anything.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 10 05:46:44 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 10 Apr 2002 05:46:44 +1000 (EST) Subject: [Bug 184] 3.1p1 openssh fails to build a working sshd on Trusted HP-UX 10.26 Message-ID: <20020409194644.82C71EA13@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=184 ------- Additional Comments From dcole at keysoftsys.com 2002-04-10 05:46 ------- good idea, changed HAVE_SCO_PROTECTED_PW to HAVE_SECUREWARE_PW BROKEN_LOGIN for login's that can't handle "--" set_auth_parameters doesn't have a return value (it just exits the who program on errors) Left in TRUSTED_HPUX ifdef for hang on exit fix (Trusted HPUX hangs every time, even if the only command typed in after logging in was exit). Better ways to fix this welcome. The patch will be attached shortly. Comments welcome. ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla-daemon at mindrot.org Wed Apr 10 05:50:30 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 10 Apr 2002 05:50:30 +1000 (EST) Subject: [Bug 184] 3.1p1 openssh fails to build a working sshd on Trusted HP-UX 10.26 Message-ID: <20020409195030.0CA15EA17@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=184 ------- Additional Comments From dcole at keysoftsys.com 2002-04-10 05:50 ------- Created an attachment (id=67) Patch for Fix Trusted HP-UX against current CVS (this morning 4-9-2002) ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From gert at greenie.muc.de Wed Apr 10 06:25:10 2002 
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 9 Apr 2002 22:25:10 +0200
Subject: PLEASE TEST snapshots
In-Reply-To: ; from Kevin Steves on Sun, Apr 07, 2002 at 03:20:58PM -0700
References:
Message-ID: <20020409222510.D24297@greenie.muc.de>

Hi,

On Sun, Apr 07, 2002 at 03:20:58PM -0700, Kevin Steves wrote:
> :> undefined first referenced
> :> symbol in file
> :> munmap monitor_mm.o
> :> socketpair monitor.o
> :> ld fatal: Symbol referencing errors. No output written to sshd
>
> ok, i missed munmap(). checkout ->

yes, that part compiles & links now. Socketpair() is still open...

> :> there is no socketpair() on SCO (relates to "no unix sockets here"), and
> :> of course no munmap() either.
>
> i think we want to support USE_PIPES. in fact, native OpenSSH uses that
> by default now.

Is this something that should happen "by magic" in the current code? Or is
this more "thinking aloud" about necessary changes to monitor.c?

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From bugzilla-daemon at mindrot.org Wed Apr 10 07:09:59 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 10 Apr 2002 07:09:59 +1000 (EST)
Subject: [Bug 205] PrivSep needs to be a compile-time option
Message-ID: <20020409210959.2B72CEA15@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=205

------- Additional Comments From wendyp at cray.com 2002-04-10 07:09 -------

add an ifdef around the include, and all is fine with the crays. thanks much!

--- monitor_mm.c.orig Fri Apr 5 16:28:59 2002
+++ monitor_mm.c Tue Apr 9 15:58:08 2002
@@ -26,7 +26,9 @@ #include "includes.h" RCSID("$OpenBSD: monitor_mm.c,v 1.4 2002/03/25 20:12:10 stevesk Exp $"); +#ifdef HAVE_MMAP #include +#endif ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 10 09:27:06 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 10 Apr 2002 09:27:06 +1000 (EST) Subject: [Bug 211] New: ssh-keygen aborts if passphrase <= 4 bytes for RSA/DSA private key Message-ID: <20020409232706.909B0E902@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=211 Summary: ssh-keygen aborts if passphrase <= 4 bytes for RSA/DSA private key Product: Portable OpenSSH Version: -current Platform: Other OS/Version: other Status: NEW Severity: normal Priority: P2 Component: ssh-keygen AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: zardoz at users.sf.net keygen should either print the requirements on passphrases before prompting or reprompt if it is too short. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From ja2morri at student.math.uwaterloo.ca Wed Apr 10 11:33:27 2002 From: ja2morri at student.math.uwaterloo.ca (James A Morrison) Date: Tue, 9 Apr 2002 21:33:27 -0400 (EDT) Subject: openssh-3.1p1 on GNU/Hurd Message-ID: <200204100133.VAA17871@rees.math.uwaterloo.ca> Hi, I've gone and ported the latest version of openssh, 3.1p1, to GNU/Hurd. I've tried to learn from the other threads on this topic, but I still had to get rid of MAXHOSTNAMELEN where I could. James A. Morrison diff -urN openssh-3.1p1.old/Makefile.in openssh-3.1p1/Makefile.in --- openssh-3.1p1.old/Makefile.in Tue Feb 26 14:24:22 2002 +++ openssh-3.1p1/Makefile.in Tue Apr 9 16:16:49 2002 
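Review bot: on the Bug 205 monitor_mm.c hunk above, guarding only the `#include` behind HAVE_MMAP removes the declaration but not the mmap()/munmap() calls the rest of monitor_mm.c makes (the undefined `munmap` that Gert reports in the PLEASE TEST thread above is one of them), so a platform without mmap() now fails at link time instead of at the include and sshd is still unusable there. Either the file needs a non-mmap path (the USE_PIPES/monitor.c work discussed above) or, as the bug title asks, configure should use HAVE_MMAP to decide whether privsep is compiled in at all. Also confirm that configure.ac actually defines HAVE_MMAP (for instance via AC_CHECK_FUNCS(mmap)); the hunk only shows the consumer of the macro.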
@@ -54,7 +54,7 @@ SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o +SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o xgethostname.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 @@ -113,8 +113,8 @@ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) -ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o - $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) +ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o xgethostname.o + $(LD) -o $@ xgethostname.o ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) diff -urN openssh-3.1p1.old/canohost.c openssh-3.1p1/canohost.c --- openssh-3.1p1.old/canohost.c Mon Mar 4 20:31:29 2002 +++ openssh-3.1p1/canohost.c Tue Apr 9 21:05:15 2002 
@@ -284,9 +284,11 @@ get_remote_name_or_ip(u_int utmp_len, int verify_reverse_mapping) { static const char *remote = ""; - if (utmp_len > 0) + /* Assume that if utmp_len = -1 then there is no limit on the + hostname length */ + if (utmp_len > 0 || utmp_len == -1) remote = get_canonical_hostname(verify_reverse_mapping); - if (utmp_len == 0 || strlen(remote) > utmp_len) + if (utmp_len == 0 || (utmp_len != -1 && strlen(remote) > utmp_len)) remote = get_remote_ipaddr(); return remote; } diff -urN openssh-3.1p1.old/configure.ac openssh-3.1p1/configure.ac --- openssh-3.1p1.old/configure.ac Wed Feb 27 01:12:35 2002 +++ openssh-3.1p1/configure.ac Tue Apr 9 16:36:19 2002 @@ -126,6 +126,9 @@ AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H) inet6_default_4in6=yes ;; +*-*-gnu*) + AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H) + ;; mips-sony-bsd|mips-sony-newsos4) AC_DEFINE(HAVE_NEWS4) SONY=1 diff -urN openssh-3.1p1.old/session.c openssh-3.1p1/session.c --- openssh-3.1p1.old/session.c Mon Feb 25 10:48:03 2002 +++ openssh-3.1p1/session.c Tue Apr 9 20:59:48 2002 @@ -56,6 +56,7 @@ #include "serverloop.h" #include "canohost.h" #include "session.h" +#include "xgethostname.h" #ifdef HAVE_CYGWIN #include @@ -659,7 +660,7 @@ do_login(Session *s, const char *command) { char *time_string; - char hostname[MAXHOSTNAMELEN]; + char *hostname; socklen_t fromlen; struct sockaddr_storage from; time_t last_login_time; @@ -681,11 +682,9 @@ } /* Get the time and hostname when the user last logged in. */ - if (options.print_lastlog) { - hostname[0] = '\0'; + if (options.print_lastlog) last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name, - hostname, sizeof(hostname)); - } + &hostname); /* Record that there was a login on that tty from the remote host. */ record_login(pid, s->tty, pw->pw_name, pw->pw_uid, 
@@ -715,14 +714,17 @@ printf("%s\n", aixloginmsg); #endif /* WITH_AIXAUTHENTICATE */ - if (options.print_lastlog && last_login_time != 0) { - time_string = ctime(&last_login_time); - if (strchr(time_string, '\n')) - *strchr(time_string, '\n') = 0; - if (strcmp(hostname, "") == 0) - printf("Last login: %s\r\n", time_string); - else - printf("Last login: %s from %s\r\n", time_string, hostname); + if (options.print_lastlog ) + if (last_login_time != 0) { + time_string = ctime(&last_login_time); + if (strchr(time_string, '\n')) + *strchr(time_string, '\n') = 0; + if (strcmp(hostname, "") == 0) + printf("Last login: %s\r\n", time_string); + else + printf("Last login: %s from %s\r\n", time_string, hostname); + } + xfree(hostname); } do_motd(); @@ -1849,7 +1851,7 @@ { struct stat st; char display[512], auth_display[512]; - char hostname[MAXHOSTNAMELEN]; + char *hostname; if (no_x11_forwarding_flag) { packet_send_debug("X11 forwarding disabled in user configuration file."); @@ -1881,7 +1883,7 @@ } /* Set up a suitable value for the DISPLAY variable. */ - if (gethostname(hostname, sizeof(hostname)) < 0) + if (!(hostname = xgethostname())) fatal("gethostname: %.100s", strerror(errno)); /* * auth_display must be used as the displayname when the diff -urN openssh-3.1p1.old/ssh-keygen.c openssh-3.1p1/ssh-keygen.c --- openssh-3.1p1.old/ssh-keygen.c Tue Feb 26 13:15:10 2002 +++ openssh-3.1p1/ssh-keygen.c Tue Apr 9 16:15:47 2002 @@ -27,6 +27,7 @@ #include "pathnames.h" #include "log.h" #include "readpass.h" +#include "xgethostname.h" #ifdef SMARTCARD #include @@ -82,7 +83,7 @@ char *__progname; #endif -char hostname[MAXHOSTNAMELEN]; +char *hostname; static void ask_filename(struct passwd *pw, const char *prompt) 
@@ -860,7 +861,7 @@ printf("You don't exist, go away!\n"); exit(1); } - if (gethostname(hostname, sizeof(hostname)) < 0) { + if (!(hostname = xgethostname())) { perror("gethostname"); exit(1); } diff -urN openssh-3.1p1.old/sshd.c openssh-3.1p1/sshd.c --- openssh-3.1p1.old/sshd.c Mon Mar 4 20:31:30 2002 +++ openssh-3.1p1/sshd.c Tue Apr 9 14:09:55 2002 @@ -183,7 +183,7 @@ int session_id2_len = 0; /* record remote hostname or ip */ -u_int utmp_len = MAXHOSTNAMELEN; +u_int utmp_len = 0; /* options.max_startup sized array of fd ints */ int *startup_pipes = NULL; @@ -603,6 +603,13 @@ /* Save argv. */ saved_argc = ac; saved_argv = av; + + /* find max hostname length */ +#ifdef _SC_HOST_NAME_MAX + utmp_len = sysconf(_SC_HOST_NAME_MAX); +#elif MAXHOSTNAMELEN + utmp_len = MAXHOSTNAMELEN; +#endif /* Initialize configuration options to their default values. */ initialize_server_options(&options); diff -urN openssh-3.1p1.old/sshlogin.c openssh-3.1p1/sshlogin.c --- openssh-3.1p1.old/sshlogin.c Sun Feb 24 20:56:47 2002 +++ openssh-3.1p1/sshlogin.c Tue Apr 9 20:57:38 2002 @@ -51,12 +51,12 @@ u_long get_last_login_time(uid_t uid, const char *logname, - char *buf, u_int bufsize) + char **buf) { struct logininfo li; login_get_lastlog(&li, uid); - strlcpy(buf, li.hostname, bufsize); + *buf = xstrdup(li.hostname); return li.tv_sec; } diff -urN openssh-3.1p1.old/sshlogin.h openssh-3.1p1/sshlogin.h --- openssh-3.1p1.old/sshlogin.h Sun Feb 24 20:56:47 2002 +++ openssh-3.1p1/sshlogin.h Tue Apr 9 14:33:16 2002 
@@ -18,7 +18,7 @@ record_login(pid_t, const char *, const char *, uid_t, const char *, struct sockaddr *); void record_logout(pid_t, const char *, const char *); -u_long get_last_login_time(uid_t, const char *, char *, u_int); +u_long get_last_login_time(uid_t, const char *, char **); #ifdef LOGIN_NEEDS_UTMPX void record_utmp_only(pid_t, const char *, const char *, const char *, diff -urN openssh-3.1p1.old/xgethostname.c openssh-3.1p1/xgethostname.c --- openssh-3.1p1.old/xgethostname.c Wed Dec 31 19:00:00 1969 +++ openssh-3.1p1/xgethostname.c Tue Apr 9 21:14:55 2002 
@@ -0,0 +1,85 @@ +/* Copyright (c) 2001 Neal H Walfield . + + This file is placed into the public domain. Its distribution + is unlimited. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY + DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE + GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER + IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN + IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* NAME + + xgethostname - get the host name. + + SYNOPSIS + + char *xgethostname (void); + + DESCRIPTION + + The xhostname function is intended to replace gethostname(2), a + function used to access the host name. The old interface is + inflexable given that it assumes the existance of the + MAXHOSTNAMELEN macro, which neither POSIX nor the proposed + Single Unix Specification version 3 guarantee to be defined. + + RETURN VALUE + + On success, a malloced, null terminated (possibly truncated) + string containing the host name is returned. On failure, NULL + is returned and errno is set. 
+ */ + +#include /* For MAXHOSTNAMELEN */ +#include +#include +#include + +char * +xgethostname (void) +{ + int size = 0; + int addnull = 0; + char *buf; + int err; + char *tmp; + +#ifdef MAXHOSTNAMELEN + size = MAXHOSTNAMELEN; + addnull = 1; +#else /* MAXHOSTNAMELEN */ +#ifdef _SC_HOST_NAME_MAX + size = sysconf (_SC_HOST_NAME_MAX); + addnull = 1; +#endif /* _SC_HOST_NAME_MAX */ + if (size <= 0) + size = 256; +#endif /* MAXHOSTNAMELEN */ + + buf = xmalloc (size + addnull); + + err = gethostname (buf, size); + while (err == -1 && errno == ENAMETOOLONG) + { + size *= 2; + buf = xrealloc (buf, size + addnull); + err = gethostname (buf, size); + } + + if (err) + return NULL; + + if (addnull) + buf[size] = '\0'; + + return buf; +} diff -urN openssh-3.1p1.old/xgethostname.h openssh-3.1p1/xgethostname.h --- openssh-3.1p1.old/xgethostname.h Wed Dec 31 19:00:00 1969 +++ openssh-3.1p1/xgethostname.h Tue Apr 9 20:54:38 2002 
@@ -0,0 +1,48 @@ +/* Copyright (c) 2001 Neal H Walfield . + + This file is placed into the public domain. Its distribution + is unlimited. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY + DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE + GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER + IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN + IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* NAME + + xgethostname - get the host name. + + SYNOPSIS + + char *xgethostname (void); + + DESCRIPTION + + The xhostname function is intended to replace gethostname(2), a + function used to access the host name. The old interface is + inflexable given that it assumes the existance of the + MAXHOSTNAMELEN macro, which neither POSIX nor the proposed + Single Unix Specification version 3 guarantee to be defined. + + RETURN VALUE + + On success, a malloced, null terminated (possibly truncated) + string containing the host name is returned. On failure, + NULL is returned and errno is set. + */ + +#ifndef XGETHOSTNAME +#define XGETHOSTNAME + +char * xgethostname (void); + +#endif /* XGETHOSTNAME */ + From mouring at etoh.eviladmin.org Wed Apr 10 11:52:41 2002 
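Review bot: in the two Makefile.in hunks, xgethostname.o is wired in by hand, once into SSHDOBJS and once onto the ssh-keygen link line; every further program that drops its MAXHOSTNAMELEN buffer will need the same edit. Since xgethostname() depends only on xmalloc()/xrealloc(), the object belongs in the libssh.a object list so each target picks it up through -lssh. The `$(LD) -o $@ xgethostname.o ssh-keygen.o ...` ordering is harmless but differs from the pattern every other target follows.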
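Review bot: the canohost.c hunk tests `utmp_len == -1` on a parameter declared `u_int`; that only works because -1 converts to UINT_MAX, and `utmp_len > 0 || utmp_len == -1` is then redundant since UINT_MAX is already > 0. `strlen(remote) > utmp_len` also compares size_t against u_int. If -1 is meant as a "no limit" sentinel, give the parameter a signed type or a named constant such as `(u_int)-1` and drop the duplicated test, so the intent is visible without reading the sysconf() code in sshd.c.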
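Review bot: the new `*-*-gnu*` case in the configure.ac hunk also matches any `*-linux-gnu` host triple, so it is correct only as long as the case that handles Linux triples stays ahead of it; a comment recording that ordering dependence (or a pattern that excludes `linux`) would stop a later reshuffle from silently changing Linux builds. As Ben's reply below notes, HAVE_BOGUS_SYS_QUEUE_H has since been removed from -current, so a resubmission against -current should drop this hunk entirely.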
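Review bot: the session.c hunk at -715 does not balance: `if (options.print_lastlog )` opens no block, yet the retained closing `}` before `do_motd()` still expects one, and `xfree(hostname)` ends up outside any condition even though the -681 hunk now assigns `hostname` only when `options.print_lastlog` is set, so with lastlog printing off this frees an uninitialised pointer. Presumably a `{` was lost after the condition; restoring it (`if (options.print_lastlog) {`) fixes both problems, and the nested `if (last_login_time != 0)` can then keep its own braces.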
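Review bot: in the session.c hunk at -1881, the string returned by xgethostname() is heap-allocated, unlike the stack array it replaces, and nothing in the hunk frees it; unless the remainder of the function does, each X11 forwarding setup leaks the hostname. Add `xfree(hostname)` once `display` and `auth_display` have been built from it.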
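Review bot: in the sshd.c hunk at -603, `#elif MAXHOSTNAMELEN` should read `#elif defined(MAXHOSTNAMELEN)`; it compiles today only because an undefined identifier evaluates to 0 inside `#if`. sysconf() returns long and yields -1 when the limit is indeterminate, and storing that into `u_int utmp_len` produces UINT_MAX, which canohost.c happens to treat as "no limit" purely through the implicit conversion; test the result for < 0 and assign the sentinel deliberately. If the existing `-u` option is meant to override this default, the assignment must also stay ahead of option parsing, which deserves a comment.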
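Review bot: the sshlogin.c hunk changes get_last_login_time() from filling a caller-owned buffer to returning an xstrdup()'d string through `char **buf`, which transfers ownership to the caller; the matching prototype change in sshlogin.h should say so (a comment that the caller must xfree() the result), since the only thing that now prevents a leak is the caller remembering a convention that the old signature did not have.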
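Review bot: in the new xgethostname.c, `char *tmp` is declared and never used, and `size = sysconf(_SC_HOST_NAME_MAX)` stores a long into an int. More importantly, in the path where neither MAXHOSTNAMELEN nor _SC_HOST_NAME_MAX is defined, `addnull` stays 0, so the 256-byte buffer gets no terminator byte and the result is NUL-terminated only if gethostname() itself terminates it; POSIX leaves that unspecified for truncated names, and the ENAMETOOLONG retry loop helps only on systems that report truncation as an error rather than truncating silently. Always allocating `size + 1` and always writing `buf[size] = '\0'` is simpler and lets `addnull` go away. The include list is not legible in the posting; make sure it brings in the header declaring xmalloc()/xrealloc(), and note that with xmalloc() an allocation failure is fatal rather than the NULL return the RETURN VALUE text describes.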
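Review bot: xgethostname.h repeats the entire licence and NAME/SYNOPSIS/DESCRIPTION/RETURN VALUE comment from xgethostname.c word for word; keep the documentation in one place (the header is the natural one) and leave a one-line pointer in the other, otherwise the two copies will drift.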
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 9 Apr 2002 20:52:41 -0500 (CDT)
Subject: openssh-3.1p1 on GNU/Hurd
In-Reply-To: <200204100133.VAA17871@rees.math.uwaterloo.ca>
Message-ID:

We are in a code freeze for 3.2. Only patches against --current will be
reviewed, and this is too big of a change to ensure correct for 15+
platforms. If you have a less draconic patch for 3.2 release we may consider
it.

BTW.. AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H) has been removed since we use our
queue.h for all platforms due to lack of consistency in each platform.

- Ben

On Tue, 9 Apr 2002, James A Morrison wrote:

>
> Hi,
>
> I've gone and ported the latest version of openssh, 3.1p1, to GNU/Hurd.
> I've tried to learn from the other threads on this topic, but I still had
> to get rid of MAXHOSTNAMELEN where I could.
>
> James A. Morrison
>
> diff -urN openssh-3.1p1.old/Makefile.in openssh-3.1p1/Makefile.in
> --- openssh-3.1p1.old/Makefile.in Tue Feb 26 14:24:22 2002
> +++ openssh-3.1p1/Makefile.in Tue Apr 9 16:16:49 2002
> @@ -54,7 +54,7 @@ > > SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o > > -SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o > +SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o xgethostname.o > > MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out > MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 > @@ -113,8 +113,8 @@ > ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o > $(LD) -o $@ ssh-agent.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) > > -ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o > - $(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) > +ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o xgethostname.o > + $(LD) -o $@ xgethostname.o ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) > > ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o > $(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS) > diff -urN openssh-3.1p1.old/canohost.c openssh-3.1p1/canohost.c > --- openssh-3.1p1.old/canohost.c Mon Mar 4 20:31:29 2002 > +++ openssh-3.1p1/canohost.c Tue Apr 9 21:05:15 2002 
> @@ -284,9 +284,11 @@ > get_remote_name_or_ip(u_int utmp_len, int verify_reverse_mapping) > { > static const char *remote = ""; > - if (utmp_len > 0) > + /* Assume that if utmp_len = -1 then there is no limit on the > + hostname length */ > + if (utmp_len > 0 || utmp_len == -1) > remote = get_canonical_hostname(verify_reverse_mapping); > - if (utmp_len == 0 || strlen(remote) > utmp_len) > + if (utmp_len == 0 || (utmp_len != -1 && strlen(remote) > utmp_len)) > remote = get_remote_ipaddr(); > return remote; > } > diff -urN openssh-3.1p1.old/configure.ac openssh-3.1p1/configure.ac > --- openssh-3.1p1.old/configure.ac Wed Feb 27 01:12:35 2002 > +++ openssh-3.1p1/configure.ac Tue Apr 9 16:36:19 2002 > @@ -126,6 +126,9 @@ > AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H) > inet6_default_4in6=yes > ;; > +*-*-gnu*) > + AC_DEFINE(HAVE_BOGUS_SYS_QUEUE_H) > + ;; > mips-sony-bsd|mips-sony-newsos4) > AC_DEFINE(HAVE_NEWS4) > SONY=1 > diff -urN openssh-3.1p1.old/session.c openssh-3.1p1/session.c > --- openssh-3.1p1.old/session.c Mon Feb 25 10:48:03 2002 > +++ openssh-3.1p1/session.c Tue Apr 9 20:59:48 2002 > @@ -56,6 +56,7 @@ > #include "serverloop.h" > #include "canohost.h" > #include "session.h" > +#include "xgethostname.h" > > #ifdef HAVE_CYGWIN > #include > @@ -659,7 +660,7 @@ > do_login(Session *s, const char *command) > { > char *time_string; > - char hostname[MAXHOSTNAMELEN]; > + char *hostname; > socklen_t fromlen; > struct sockaddr_storage from; > time_t last_login_time; > @@ -681,11 +682,9 @@ > } > > /* Get the time and hostname when the user last logged in. */ > - if (options.print_lastlog) { > - hostname[0] = '\0'; > + if (options.print_lastlog) > last_login_time = get_last_login_time(pw->pw_uid, pw->pw_name, > - hostname, sizeof(hostname)); > - } > + &hostname); > > /* Record that there was a login on that tty from the remote host. */ > record_login(pid, s->tty, pw->pw_name, pw->pw_uid, 
> @@ -715,14 +714,17 @@ > printf("%s\n", aixloginmsg); > #endif /* WITH_AIXAUTHENTICATE */ > > - if (options.print_lastlog && last_login_time != 0) { > - time_string = ctime(&last_login_time); > - if (strchr(time_string, '\n')) > - *strchr(time_string, '\n') = 0; > - if (strcmp(hostname, "") == 0) > - printf("Last login: %s\r\n", time_string); > - else > - printf("Last login: %s from %s\r\n", time_string, hostname); > + if (options.print_lastlog ) > + if (last_login_time != 0) { > + time_string = ctime(&last_login_time); > + if (strchr(time_string, '\n')) > + *strchr(time_string, '\n') = 0; > + if (strcmp(hostname, "") == 0) > + printf("Last login: %s\r\n", time_string); > + else > + printf("Last login: %s from %s\r\n", time_string, hostname); > + } > + xfree(hostname); > } > > do_motd(); > @@ -1849,7 +1851,7 @@ > { > struct stat st; > char display[512], auth_display[512]; > - char hostname[MAXHOSTNAMELEN]; > + char *hostname; > > if (no_x11_forwarding_flag) { > packet_send_debug("X11 forwarding disabled in user configuration file."); > @@ -1881,7 +1883,7 @@ > } > > /* Set up a suitable value for the DISPLAY variable. */ > - if (gethostname(hostname, sizeof(hostname)) < 0) > + if (!(hostname = xgethostname())) > fatal("gethostname: %.100s", strerror(errno)); > /* > * auth_display must be used as the displayname when the > diff -urN openssh-3.1p1.old/ssh-keygen.c openssh-3.1p1/ssh-keygen.c > --- openssh-3.1p1.old/ssh-keygen.c Tue Feb 26 13:15:10 2002 > +++ openssh-3.1p1/ssh-keygen.c Tue Apr 9 16:15:47 2002 > @@ -27,6 +27,7 @@ > #include "pathnames.h" > #include "log.h" > #include "readpass.h" > +#include "xgethostname.h" > > #ifdef SMARTCARD > #include > @@ -82,7 +83,7 @@ > char *__progname; > #endif > > -char hostname[MAXHOSTNAMELEN]; > +char *hostname; > > static void > ask_filename(struct passwd *pw, const char *prompt) 
> @@ -860,7 +861,7 @@ > printf("You don't exist, go away!\n"); > exit(1); > } > - if (gethostname(hostname, sizeof(hostname)) < 0) { > + if (!(hostname = xgethostname())) { > perror("gethostname"); > exit(1); > } > diff -urN openssh-3.1p1.old/sshd.c openssh-3.1p1/sshd.c > --- openssh-3.1p1.old/sshd.c Mon Mar 4 20:31:30 2002 > +++ openssh-3.1p1/sshd.c Tue Apr 9 14:09:55 2002 > @@ -183,7 +183,7 @@ > int session_id2_len = 0; > > /* record remote hostname or ip */ > -u_int utmp_len = MAXHOSTNAMELEN; > +u_int utmp_len = 0; > > /* options.max_startup sized array of fd ints */ > int *startup_pipes = NULL; > @@ -603,6 +603,13 @@ > /* Save argv. */ > saved_argc = ac; > saved_argv = av; > + > + /* find max hostname length */ > +#ifdef _SC_HOST_NAME_MAX > + utmp_len = sysconf(_SC_HOST_NAME_MAX); > +#elif MAXHOSTNAMELEN > + utmp_len = MAXHOSTNAMELEN; > +#endif > > /* Initialize configuration options to their default values. */ > initialize_server_options(&options); > diff -urN openssh-3.1p1.old/sshlogin.c openssh-3.1p1/sshlogin.c > --- openssh-3.1p1.old/sshlogin.c Sun Feb 24 20:56:47 2002 > +++ openssh-3.1p1/sshlogin.c Tue Apr 9 20:57:38 2002 > @@ -51,12 +51,12 @@ > > u_long > get_last_login_time(uid_t uid, const char *logname, > - char *buf, u_int bufsize) > + char **buf) > { > struct logininfo li; > > login_get_lastlog(&li, uid); > - strlcpy(buf, li.hostname, bufsize); > + *buf = xstrdup(li.hostname); > return li.tv_sec; > } > > diff -urN openssh-3.1p1.old/sshlogin.h openssh-3.1p1/sshlogin.h > --- openssh-3.1p1.old/sshlogin.h Sun Feb 24 20:56:47 2002 > +++ openssh-3.1p1/sshlogin.h Tue Apr 9 14:33:16 2002 
> @@ -18,7 +18,7 @@ > record_login(pid_t, const char *, const char *, uid_t, > const char *, struct sockaddr *); > void record_logout(pid_t, const char *, const char *); > -u_long get_last_login_time(uid_t, const char *, char *, u_int); > +u_long get_last_login_time(uid_t, const char *, char **); > > #ifdef LOGIN_NEEDS_UTMPX > void record_utmp_only(pid_t, const char *, const char *, const char *, > diff -urN openssh-3.1p1.old/xgethostname.c openssh-3.1p1/xgethostname.c > --- openssh-3.1p1.old/xgethostname.c Wed Dec 31 19:00:00 1969 > +++ openssh-3.1p1/xgethostname.c Tue Apr 9 21:14:55 2002 
> @@ -0,0 +1,85 @@ > +/* Copyright (c) 2001 Neal H Walfield . > + > + This file is placed into the public domain. Its distribution > + is unlimited. > + > + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED > + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF > + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. > + IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY > + DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL > + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE > + GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS > + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER > + IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR > + OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN > + IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + */ > + > +/* NAME > + > + xgethostname - get the host name. > + > + SYNOPSIS > + > + char *xgethostname (void); > + > + DESCRIPTION > + > + The xhostname function is intended to replace gethostname(2), a > + function used to access the host name. The old interface is > + inflexable given that it assumes the existance of the > + MAXHOSTNAMELEN macro, which neither POSIX nor the proposed > + Single Unix Specification version 3 guarantee to be defined. > + > + RETURN VALUE > + > + On success, a malloced, null terminated (possibly truncated) > + string containing the host name is returned. On failure, NULL > + is returned and errno is set. 
> + */ > + > +#include /* For MAXHOSTNAMELEN */ > +#include > +#include > +#include > + > +char * > +xgethostname (void) > +{ > + int size = 0; > + int addnull = 0; > + char *buf; > + int err; > + char *tmp; > + > +#ifdef MAXHOSTNAMELEN > + size = MAXHOSTNAMELEN; > + addnull = 1; > +#else /* MAXHOSTNAMELEN */ > +#ifdef _SC_HOST_NAME_MAX > + size = sysconf (_SC_HOST_NAME_MAX); > + addnull = 1; > +#endif /* _SC_HOST_NAME_MAX */ > + if (size <= 0) > + size = 256; > +#endif /* MAXHOSTNAMELEN */ > + > + buf = xmalloc (size + addnull); > + > + err = gethostname (buf, size); > + while (err == -1 && errno == ENAMETOOLONG) > + { > + size *= 2; > + buf = xrealloc (buf, size + addnull); > + err = gethostname (buf, size); > + } > + > + if (err) > + return NULL; > + > + if (addnull) > + buf[size] = '\0'; > + > + return buf; > +} > diff -urN openssh-3.1p1.old/xgethostname.h openssh-3.1p1/xgethostname.h > --- openssh-3.1p1.old/xgethostname.h Wed Dec 31 19:00:00 1969 > +++ openssh-3.1p1/xgethostname.h Tue Apr 9 20:54:38 2002 
> @@ -0,0 +1,48 @@ > +/* Copyright (c) 2001 Neal H Walfield . > + > + This file is placed into the public domain. Its distribution > + is unlimited. > + > + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED > + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF > + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. > + IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY > + DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL > + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE > + GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS > + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER > + IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR > + OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN > + IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > + */ > + > +/* NAME > + > + xgethostname - get the host name. > + > + SYNOPSIS > + > + char *xgethostname (void); > + > + DESCRIPTION > + > + The xhostname function is intended to replace gethostname(2), a > + function used to access the host name. The old interface is > + inflexable given that it assumes the existance of the > + MAXHOSTNAMELEN macro, which neither POSIX nor the proposed > + Single Unix Specification version 3 guarantee to be defined. > + > + RETURN VALUE > + > + On success, a malloced, null terminated (possibly truncated) > + string containing the host name is returned. On failure, > + NULL is returned and errno is set. > + */ > + > +#ifndef XGETHOSTNAME > +#define XGETHOSTNAME > + > +char * xgethostname (void); > + > +#endif /* XGETHOSTNAME */ > + > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From cmadams at hiwaay.net Wed Apr 10 13:32:12 2002 
From: cmadams at hiwaay.net (Chris Adams)
Date: Tue, 9 Apr 2002 22:32:12 -0500
Subject: PLEASE TEST snapshots
In-Reply-To: <20020405101615.GA28894@folly>; from markus@openbsd.org on Fri, Apr 05, 2002 at 12:16:15PM +0200
References: <20020404201958.GE12530@faui02> <20020404214633.A10777@tetto.liafa.jussieu.fr> <20020405101615.GA28894@folly>
Message-ID: <20020409223212.A306154@hiwaay.net>

Once upon a time, Markus Friedl said:
> If you want OpenSSH 3.2 to be the best version of OpenSSH,
> then please test the snapshots.

Here's a patch for a compile bug in SIA support:

************************************************************************
diff -urN openssh-cvs/auth-sia.c openssh/auth-sia.c
--- openssh-cvs/auth-sia.c Thu Apr 4 13:02:28 2002
+++ openssh/auth-sia.c Tue Apr 9 22:17:17 2002
@@ -2,11 +2,11 @@ #ifdef HAVE_OSF_SIA #include "ssh.h" +#include "auth.h" #include "auth-sia.h" #include "log.h" #include "servconf.h" #include "canohost.h" -#include "auth.h" #include #include
************************************************************************

Otherwise, quick tests appear to be working fine on Tru64 5.1A (I'll do some
more testing tomorrow).

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From ja2morri at student.math.uwaterloo.ca Wed Apr 10 14:13:52 2002
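Review bot: on the auth-sia.c hunk above, moving `#include "auth.h"` ahead of auth-sia.h makes the build pass but treats the symptom: auth-sia.h evidently uses a type declared in auth.h (presumably the Authctxt its functions take) without including it, so any other file that includes auth-sia.h before auth.h will hit the same compile error. Prefer adding `#include "auth.h"` (or a forward declaration of the struct it needs) inside auth-sia.h and leaving this file's include order alone.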
From: ja2morri at student.math.uwaterloo.ca (James A Morrison)
Date: Wed, 10 Apr 2002 00:13:52 -0400 (EDT)
Subject: openssh-cvs on GNU/Hurd
In-Reply-To: (message from Ben Lindstrom on Tue, 9 Apr 2002 20:52:41 -0500 (CDT))
References:
Message-ID: <200204100413.AAA28290@rees.math.uwaterloo.ca>

Ok, I think the patch is going to look mostly the same ;)

There is one problem from me getting to that point. MAXHOSTNAMELEN is defined
by openssh and I can't find where. I have only been able to determine it is
set to 64.

James A. Morrison

ps. Why isn't the mindrot archive of this list linked to from
http://www.openssh.org/list.html

From bugzilla-daemon at mindrot.org Wed Apr 10 16:00:47 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 10 Apr 2002 16:00:47 +1000 (EST)
Subject: [Bug 206] -SNAP-20020409: build failures on AIX 3.2.5 with XLC 1.2.1.16
Message-ID: <20020410060047.A029CEA30@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=206

Matthew_Clarke at mindlink.bc.ca changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Summary |-SNAP-20020405: build       |-SNAP-20020409: build
                   |failures on AIX 3.2.5 with  |failures on AIX 3.2.5 with
                   |XLC 1.2.1.16                |XLC 1.2.1.16

------- Additional Comments From Matthew_Clarke at mindlink.bc.ca 2002-04-10 16:00 -------

The weekend's changes in -current have fixed (or avoided) the "Sizeof operator
cannot be used with functions, void, bit-fields, incomplete types or arrays of
unknown size." errors.

Found a couple more build problems in this environment.

1. The AIX 3.2.5 linker, unlike later ones, doesn't like the "-blibpath"
   option. I have patched configure.ac to detect and deal with this condition.

2. This compiler does not have a 64-bit type. If fed "long long", it issues
   the warning "1506-114 (W) Duplicate length adjective long ignored." and
   treats the entity as "long". Configure then thinks we have a "long long"
   type, and can therefore build sftp-server, which is wrong, because it won't
   work without 64-bit integers. I've put a quick kludge into configure.ac to
   ignore any "long long int" that is 4 bytes in size.

With these changes, build completes, with a few warnings. Preliminary testing
is promising.

Will attach a patch for configure.ac to this bug in a minute or two.

From bugzilla-daemon at mindrot.org Wed Apr 10 16:09:17 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 10 Apr 2002 16:09:17 +1000 (EST)
Subject: [Bug 206] -SNAP-20020409: build failures on AIX 3.2.5 with XLC 1.2.1.16
Message-ID: <20020410060917.2AC9FEA35@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=206

------- Additional Comments From Matthew_Clarke at mindlink.bc.ca 2002-04-10 16:09 -------

Created an attachment (id=68)
Mods to configure.ac for IBM XLC 1.2.1.16 on AIX 3.2.5

From bordewijk at fox-it.com Wed Apr 10 17:41:42 2002
From: bordewijk at fox-it.com (Lourens Bordewijk)
Date: Wed, 10 Apr 2002 09:41:42 +0200
Subject: openssh-cryptocard.patch
Message-ID:

Is it possible to use the openssh-cryptocard.patch (this patch adds native
Challenge/Response authentication to OpenSSH) in synchronous mode on *BSD?
Are there other patches? I thought it wasn't possible to use PAM on *BSD?

Gr l

From Les.Blaine at eis.army.mil Wed Apr 10 02:26:12 2002
From: Les.Blaine at eis.army.mil (Blaine, Les CPR / TLA)
Date: Tue, 9 Apr 2002 12:26:12 -0400
Subject: SSh 3.1p1
Message-ID: <88AB06281E1D0F4E86DEF6C486C58C75142A19@ip15293.peostamis.belvoir.army.mil>

Has OpenSSh v3.1p1 been tested on HPUX 11.x in trusted mode using shadow passwords?

Regards-
Les Blaine
Suite 210
8500 Cinder Bed Road
Newington, VA 22122
703-428-0668 x273 Desk
703-428-0686 FAX
les.blaine at peostamis.belvoir.army.mil
LeslieBlaine at netscape.net

The information contained in this e-mail message is intended only for the personal and confidential use of the recipient(s) named above. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message.

From Jason.Lacoss-Arnold at AGEDWARDS.com Wed Apr 10 06:36:40 2002
From: Jason.Lacoss-Arnold at AGEDWARDS.com (Lacoss-Arnold, Jason)
Date: Tue, 9 Apr 2002 15:36:40 -0500
Subject: PLEASE TEST snapshots
Message-ID: <6808DCE827EBD5119DFB0002A58EF4DA57E7A3@hqempn06.agedwards.com>

Won't build on Solaris 2.6 due to lack of MAP_ANON in sys/mman.h

Relevant output follows:
...
monitor_mm.c: In function `mm_create':
monitor_mm.c:88: `MAP_ANON' undeclared (first use in this function)
monitor_mm.c:88: (Each undeclared identifier is reported only once
monitor_mm.c:88: for each function it appears in.)

Built as follows:
configure --prefix=/opt/openssh --with-xauth=/usr/openwin/bin/xauth --enable-largefile --with-pam --with-tcp_wrappers=/opt/openssh --with-default-path=/usr/bin:/usr/sbin:/usr/local/bin --with-pid-dir=/opt/openssh/etc --with-mantype=man

***************************************************************************************
WARNING: All e-mail sent to and from this address will be received or otherwise recorded by the A.G. Edwards corporate e-mail system and is subject to archival, monitoring or review by, and/or disclosure to, someone other than the recipient.
***************************************************************************************

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020409/c127102e/attachment.html

From bugzilla-daemon at mindrot.org Thu Apr 11 00:30:35 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 11 Apr 2002 00:30:35 +1000 (EST)
Subject: [Bug 212] New: Add netgroup support to ssh-keyscan
Message-ID: <20020410143035.1062FE92C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=212

           Summary: Add netgroup support to ssh-keyscan
           Product: Portable OpenSSH
           Version: 3.1p1
          Platform: All
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Miscellaneous
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: Michael.Gerdts at alcatel.com

I would find it very handy to be able to scan for keys based on netgroup. As such, this patch implements that feature.

From bugzilla-daemon at mindrot.org Thu Apr 11 00:33:10 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 11 Apr 2002 00:33:10 +1000 (EST)
Subject: [Bug 212] Add netgroup support to ssh-keyscan
Message-ID: <20020410143310.680E9E974@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=212

------- Additional Comments From Michael.Gerdts at alcatel.com 2002-04-11 00:33 -------
This patch also changes the behavior of ssh-keyscan when a hostname does not resolve. I have changed the condition from fatal() to error() so that the scan does not quit when it runs across a bad hostname.

From ed at UDel.Edu Thu Apr 11 00:26:21 2002
From: ed at UDel.Edu (Ed Phillips)
Date: Wed, 10 Apr 2002 10:26:21 -0400 (EDT)
Subject: FYI: Sol8 + /dev/urandom + OpenSSH/SSL
Message-ID: 

As it turns out, you don't need to configure OpenSSL 0.9.6c in any special way to have support for /dev/urandom - it automatically tries to use it if it exists on a Unix system. So, I compiled the current snapshot using "--with-rand-helper=no" and everything appears to build and work fine on Solaris 8.

Ed

Ed Phillips                          University of Delaware   (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

From bugzilla-daemon at mindrot.org Thu Apr 11 00:37:45 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 11 Apr 2002 00:37:45 +1000 (EST)
Subject: [Bug 212] Add netgroup support to ssh-keyscan
Message-ID: <20020410143745.EC76AE995@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=212

------- Additional Comments From Michael.Gerdts at alcatel.com 2002-04-11 00:37 -------
Created an attachment (id=69)
Add -n netgroup option to ssh-keyscan and man page

From mouring at etoh.eviladmin.org Thu Apr 11 00:32:13 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 10 Apr 2002 09:32:13 -0500 (CDT)
Subject: PLEASE TEST snapshots
In-Reply-To: <6808DCE827EBD5119DFB0002A58EF4DA57E7A3@hqempn06.agedwards.com>
Message-ID: 

Have you tried the most recent snapshots? They should have resolved all MMAP issues.

- Ben

On Tue, 9 Apr 2002, Lacoss-Arnold, Jason wrote:

> Won't build on Solaris 2.6 due to lack of MAP_ANON in sys/mman.h
>
> Relevant output follows:
> ...
> monitor_mm.c: In function `mm_create':
> monitor_mm.c:88: `MAP_ANON' undeclared (first use in this function)
> monitor_mm.c:88: (Each undeclared identifier is reported only once
> monitor_mm.c:88: for each function it appears in.)
>
> Built as follows:
> configure --prefix=/opt/openssh --with-xauth=/usr/openwin/bin/xauth
> --enable-largefile --with-pam --with-tcp_wrappers=/opt/openssh
> --with-default-path=/usr/bin:/usr/sbin:/usr/local/bin
> --with-pid-dir=/opt/openssh/etc --with-mantype=man
>

From tim at multitalents.net Thu Apr 11 01:15:03 2002
From: tim at multitalents.net (Tim Rice)
Date: Wed, 10 Apr 2002 08:15:03 -0700 (PDT)
Subject: PLEASE TEST snapshots
In-Reply-To: 
Message-ID: 

On Wed, 10 Apr 2002, Ben Lindstrom wrote:

>
> Have you tried the most recent snapshots? They should have resolved all
> MMAP issues.

There is improvement, but they do not solve all the MMAP issues.
My includes.h/defines.h changes would likely fix this issue.

>
> - Ben
>
> On Tue, 9 Apr 2002, Lacoss-Arnold, Jason wrote:
>
> > Won't build on Solaris 2.6 due to lack of MAP_ANON in sys/mman.h
> >
> > Relevant output follows:
> > ...
> > monitor_mm.c: In function `mm_create':
> > monitor_mm.c:88: `MAP_ANON' undeclared (first use in this function)
> > monitor_mm.c:88: (Each undeclared identifier is reported only once
> > monitor_mm.c:88: for each function it appears in.)
> >
> > Built as follows:
> > configure --prefix=/opt/openssh --with-xauth=/usr/openwin/bin/xauth
> > --enable-largefile --with-pam --with-tcp_wrappers=/opt/openssh
> > --with-default-path=/usr/bin:/usr/sbin:/usr/local/bin
> > --with-pid-dir=/opt/openssh/etc --with-mantype=man
> >
>

-- 
Tim Rice                                Multitalents    (707) 887-1469
tim at multitalents.net

From bugzilla-daemon at mindrot.org Thu Apr 11 02:21:20 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 11 Apr 2002 02:21:20 +1000 (EST)
Subject: [Bug 212] Add netgroup support to ssh-keyscan
Message-ID: <20020410162120.C6EB7EA40@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=212

------- Additional Comments From markus at openbsd.org 2002-04-11 02:21 -------
hm, why can't you use ypcat/etc to produce a list and feed it to keyscan's stdin? this would be more unix like.

From Stephan.Hendl at lds.brandenburg.de Thu Apr 11 02:31:04 2002
From: Stephan.Hendl at lds.brandenburg.de (Stephan Hendl)
Date: Wed, 10 Apr 2002 18:31:04 +0200
Subject: Re: SSh 3.1p1
Message-ID: 

Hi Markus,

it has been tested by me against HP/UX 11.0 in the mode "trusted system" and worked well. Since PAM authentication is default in 11.00 you must not activate it via the configure switch "--with-pam". If you like I can send you a depot-file and the prngd package by Lutz Jaenicke as a depot as well because I compiled the ssh with use of it for generating entropy.

regards
Stephan

>>> 10.04.2002 12:17 >>>
Has OpenSSh v3.1p1 been tested on HPUX 11.x in trusted mode using shadow passwords?

Regards-
Les Blaine

_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From mouring at etoh.eviladmin.org Thu Apr 11 02:33:24 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 10 Apr 2002 11:33:24 -0500 (CDT)
Subject: openssh-cvs on GNU/Hurd
In-Reply-To: <200204100413.AAA28290@rees.math.uwaterloo.ca>
Message-ID: 

On Wed, 10 Apr 2002, James A Morrison wrote:

>
> Ok,
> I think the patch is going to look mostly the same ;)
>
> There is one problem from me getting to that point. MAXHOSTNAMELEN is defined
> by openssh and I can't find where. I have only been able to determine it
> is set to 64.
>

Should not be.

ChangeLog:
[..]
20001231
 - (bal) Reverted out of MAXHOSTNAMELEN. This should be set per OS.
   for multiple reasons.
[..]
20001230
 - (bal) if no MAXHOSTNAMELEN is defined. Default to 64 character
   definition. Suggested by Christian Kurz

Then we don't attempt to set it if the OS does not have that by default (which most do, just HURD it seems lacks it, but we had this political discussion before). There was a private discussion on the commit list after this change which caused me to revert out of setting it for the broader case.

Doing a grep in the CVS tree shows nowhere we set it.

- Ben

From bugzilla-daemon at mindrot.org Thu Apr 11 02:48:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 11 Apr 2002 02:48:32 +1000 (EST)
Subject: [Bug 212] Add netgroup support to ssh-keyscan
Message-ID: <20020410164832.13E19EA49@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=212

------- Additional Comments From ja2morri at student.math.uwaterloo.ca 2002-04-11 02:48 -------
Created an attachment (id=70)
netgroups patch against cvs

From bugzilla-daemon at mindrot.org Thu Apr 11 02:51:34 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 11 Apr 2002 02:51:34 +1000 (EST)
Subject: [Bug 212] Add netgroup support to ssh-keyscan
Message-ID: <20020410165134.53C3FEA4D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=212

------- Additional Comments From ja2morri at student.math.uwaterloo.ca 2002-04-11 02:51 -------
Why not add this feature to openssh? There is a system call on at least Solaris, GNU/Linux, and GNU/Hurd for this purpose.

From kevin at atomicgears.com Thu Apr 11 02:45:17 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Wed, 10 Apr 2002 09:45:17 -0700 (PDT)
Subject: PLEASE TEST snapshots
In-Reply-To: <20020409223212.A306154@hiwaay.net>
Message-ID: 

On Tue, 9 Apr 2002, Chris Adams wrote:
:Here's a patch for a compile bug in SIA support:

thanks. can you also try this which has some SIA cleanup?

Index: auth-sia.c =================================================================== RCS file: /var/cvs/openssh/auth-sia.c,v retrieving revision 1.5 diff -u -r1.5 auth-sia.c --- auth-sia.c 10 Apr 2002 16:09:52 -0000 1.5 +++ auth-sia.c 10 Apr 2002 16:29:43 -0000 @@ -41,7 +41,7 @@ return(0); if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { - error("couldn't authenticate %s from %s", user, host); + error("Couldn't authenticate %s from %s", user, host); if (ret & SIASTOP) sia_ses_release(&ent); return(0); @@ -55,7 +55,6 @@ void session_setup_sia(char *user, char *tty) { - int ret; struct passwd *pw; SIAENTITY *ent = NULL; const char *host; 
@@ -64,46 +63,38 @@ if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, NULL) != SIASUCCESS) { - error("sia_ses_init failed"); - exit(1); + fatal("sia_ses_init failed"); } if ((pw = getpwnam(user)) == NULL) { sia_ses_release(&ent); - error("getpwnam(%s) failed: %s", user, strerror(errno)); - exit(1); + fatal("getpwnam: no user: %s", user); } if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) { sia_ses_release(&ent); - error("sia_make_entity_pwd failed"); - exit(1); + fatal("sia_make_entity_pwd failed"); } ent->authtype = SIA_A_NONE; if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { - error("couldn't establish session for %s from %s", user, + fatal("Couldn't establish session for %s from %s", user, host); - exit(1); } if (setpriority(PRIO_PROCESS, 0, 0) == -1) { sia_ses_release(&ent); - error("setpriority failed: %s", strerror (errno)); - exit(1); + fatal("setpriority: %s", strerror (errno)); } if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) { - error("couldn't launch session for %s from %s", user, host); - exit(1); + fatal("Couldn't launch session for %s from %s", user, host); } sia_ses_release(&ent); if (setreuid(geteuid(), geteuid()) < 0) { - error("setreuid failed: %s", strerror (errno)); - exit(1); + fatal("setreuid: %s", strerror(errno)); } } #endif /* HAVE_OSF_SIA */ - From bugzilla-daemon at mindrot.org Thu Apr 11 03:12:08 2002 
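Review bot: in the @@ -64,46 +63,38 @@ hunk the sia_ses_estab and sia_ses_launch failure branches still leave without a sia_ses_release(&ent), while the getpwnam, sia_make_entity_pwd and setpriority branches do release before bailing out; the original had the same gap, but since every exit in this function is being rewritten anyway, adding the release before those two fatal() calls would make the failure paths uniform. Also note that replacing error() plus exit(1) with fatal() means the process now leaves through the registered cleanup handlers rather than a bare exit(1), which is worth confirming is intended on the session-setup path. Two smaller points: the setpriority line keeps `strerror (errno)` with a space before the parenthesis while the new setreuid line writes `strerror(errno)`, and dropping strerror(errno) from the getpwnam message is correct because getpwnam(3) does not reliably set errno when the user simply does not exist.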
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 11 Apr 2002 03:12:08 +1000 (EST)
Subject: [Bug 212] Add netgroup support to ssh-keyscan
Message-ID: <20020410171208.8C6FDEA4E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=212

------- Additional Comments From Michael.Gerdts at alcatel.com 2002-04-11 03:12 -------
ypcat netgroup does not give the output in a nice format. For example, suppose I have netgroups like the following:

servers         servers_here servers_there
servers_here    (fred,,) (dino,,)
servers_there   (barney,,) (bambam,,)

If I then do "ypmatch servers netgroup", I get back "servers_here servers_there". I then have to "ypmatch servers_here netgroup; ypmatch servers_there netgroup", then parse the results "(fred,,) (dino,,) (barney,,) (bambam,,)" to pull out the server names. Yuck.

Also, netgroups may not actually exist in NIS. The NIS LDAP schema (RFC 2037) and name service switch modules in recent versions of Solaris support netgroups in LDAP.

If there is resistance to this patch, then perhaps a separate (more unixish) path to take would be a standalone netgroupcat(1).

From slawomir.wolak at solidex.com.pl Thu Apr 11 03:58:20 2002
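The expansion the comment above describes, done in one place: an added example (not OpenSSH's code and not the attached patch) that follows nested netgroups recursively, parses the (host,user,domain) triples, and emits the one-host-per-line list ssh-keyscan reads on stdin. The netgroup map is constructed from the one in the comment, with an extra cyclic pair added to show that expansion terminates; the `lookup` function is a stand-in for `ypmatch <name> netgroup`, an LDAP query or getnetgrent(3).

```python
"""Recursive netgroup expansion for host key scanning (added example)."""
import re

# Constructed NIS-style netgroup map: name -> space-separated members, where a
# member is either a nested netgroup name or a (host,user,domain) triple.
# The servers* entries are the ones from the bug comment; loop_a/loop_b are an
# added cycle to exercise the termination check.
NETGROUP_MAP = {
    "servers": "servers_here servers_there",
    "servers_here": "(fred,,) (dino,,)",
    "servers_there": "(barney,,) (bambam,,)",
    "loop_a": "loop_b (wilma,,)",
    "loop_b": "loop_a (betty,,)",
}

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def lookup(name, ngmap=NETGROUP_MAP):
    """Stand-in for `ypmatch name netgroup`: raw member string, or None."""
    return ngmap.get(name)


def parse_members(raw):
    """Split a netgroup entry into (list of triples, list of nested names)."""
    triples, nested = [], []
    for tok in raw.split():
        m = TRIPLE_RE.fullmatch(tok)
        if m:
            triples.append(tuple(f.strip() for f in m.groups()))
        else:
            nested.append(tok)
    return triples, nested


def netgroup_hosts(name, ngmap=NETGROUP_MAP, _seen=None):
    """Expand `name` recursively and return the sorted list of host fields.

    Groups already visited are skipped, so a cyclic map terminates; a triple
    with an empty host field (e.g. a user-only entry) contributes no host; an
    unknown group name is ignored instead of aborting the whole scan, matching
    the bug's own change from fatal() to error() for bad hostnames."""
    seen = _seen if _seen is not None else set()
    if name in seen:
        return []
    seen.add(name)
    raw = lookup(name, ngmap)
    if raw is None:
        return []
    hosts = set()
    triples, nested = parse_members(raw)
    for host, _user, _domain in triples:
        if host:
            hosts.add(host)
    for sub in nested:
        hosts.update(netgroup_hosts(sub, ngmap, seen))
    return sorted(hosts)


def keyscan_input(name, ngmap=NETGROUP_MAP):
    """One host per line: the form `ssh-keyscan -f -` (or stdin) accepts."""
    return "\n".join(netgroup_hosts(name, ngmap)) + "\n"


if __name__ == "__main__":
    print(keyscan_input("servers"), end="")
```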
From: slawomir.wolak at solidex.com.pl (slwo)
Date: Wed, 10 Apr 2002 19:58:20 +0200
Subject: problem with making solaris package (openssh)
Message-ID: <3CB47D3C.CBC7B3E0@solidex.com.pl>

if [ ! -f /opt/sldx/slwo/openssh-3.1p1/openssh-3.1p1/contrib/solaris/package/usr/local/etc/moduli ]; then \
    if [ -f /opt/sldx/slwo/openssh-3.1p1/openssh-3.1p1/contrib/solaris/package/usr/local/etc/primes ]; then \
        echo "moving /opt/sldx/slwo/openssh-3.1p1/openssh-3.1p1/contrib/solaris/package/usr/local/etc/primes to /opt/sldx/slwo/openssh-3.1p1/openssh-3.1p1/contrib/solaris/package/usr/local/etc/moduli"; \
        mv "/opt/sldx/slwo/openssh-3.1p1/openssh-3.1p1/contrib/solaris/package/usr/local/etc/primes" "/opt/sldx/slwo/openssh-3.1p1/openssh-3.1p1/contrib/solaris/package/usr/local/etc/moduli"; \
    else \
        ./install-sh -c -m 644 moduli.out /opt/sldx/slwo/openssh-3.1p1/openssh-3.1p1/contrib/solaris/package/usr/local/etc/moduli; \
    fi ; \
else \
    echo "/opt/sldx/slwo/openssh-3.1p1/openssh-3.1p1/contrib/solaris/package/usr/local/etc/moduli already exists, install will not overwrite"; \
fi
Building pkginfo file...
Building prototype file...
and now it falls over
Building package..
## Building pkgmap from package prototype file.
## Processing pkginfo file.
pkgmk: ERROR: parameter cannot be null
## Packaging was not successful.
pkgtrans: ERROR: unable to complete package transfer
    - no packages were selected from

From mouring at etoh.eviladmin.org Thu Apr 11 04:07:11 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 10 Apr 2002 13:07:11 -0500 (CDT)
Subject: problem with making solaris package (openssh)
In-Reply-To: <3CB47D3C.CBC7B3E0@solidex.com.pl>
Message-ID: 

http://bugzilla.mindrot.org/show_bug.cgi?id=140

Resolved in --current tree.

- Ben

On Wed, 10 Apr 2002, slwo wrote:

> if [ ! -f /opt/sldx/slwo/openssh-3.1p1/openssh-3.1p1/contrib/solaris/package/usr/local/etc/moduli ]; then \
>     if [ -f /opt/sldx/slwo/openssh-3.1p1/openssh-3.1p1/contrib/solaris/package/usr/local/etc/primes ]; then \
>         echo "moving /opt/sldx/slwo/openssh-3.1p1/openssh-3.1p1/contrib/solaris/package/usr/local/etc/primes to /opt/sldx/slwo/openssh-3.1p1/openssh-3.1p1/contrib/solaris/package/usr/local/etc/moduli"; \
>         mv "/opt/sldx/slwo/openssh-3.1p1/openssh-3.1p1/contrib/solaris/package/usr/local/etc/primes" "/opt/sldx/slwo/openssh-3.1p1/openssh-3.1p1/contrib/solaris/package/usr/local/etc/moduli"; \
>     else \
>         ./install-sh -c -m 644 moduli.out /opt/sldx/slwo/openssh-3.1p1/openssh-3.1p1/contrib/solaris/package/usr/local/etc/moduli; \
>     fi ; \
> else \
>     echo "/opt/sldx/slwo/openssh-3.1p1/openssh-3.1p1/contrib/solaris/package/usr/local/etc/moduli already exists, install will not overwrite"; \
> fi
> Building pkginfo file...
> Building prototype file...
> and now it falls over
> Building package..
> ## Building pkgmap from package prototype file.
> ## Processing pkginfo file.
> pkgmk: ERROR: parameter cannot be null
> ## Packaging was not successful.
> pkgtrans: ERROR: unable to complete package transfer
>     - no packages were selected from
>

From norbert at linuxnetworks.de Thu Apr 11 02:26:15 2002
From: norbert at linuxnetworks.de (Norbert Sendetzky)
Date: Wed, 10 Apr 2002 18:26:15 +0200
Subject: OpenSSH server stops returning data from a server module
Message-ID: <200204101827.UAA21406@post.webmailer.de>

Hi all

I've written a client/server application using OpenSSH for securing the transactions. The server is written as OpenSSH server module (same as sftp) while the client is a separate application invoking the ssh client. My application and the ssh client are connected by socketpairs the same way as the OpenSSH server and the server module are.

After the connection between the ssh client and the server is established, the user is authenticated and the server module is loaded, the application starts sending messages to the server module. The server module then responds to the former request. After around 1K of data returned by the server module, the OpenSSH server stops forwarding the data returned by the server module, so the failure is deterministic.

I've done several tests to exclude a mistake made by myself. The server module and the client application separately work correctly on the same data. If I connect the client and the server module directly by replacing the execution of the ssh client in the client application with the execution of the server module, then there is no problem at all.

My tests have shown this behaviour from OpenSSH version 2.9 to 3.1. Is there any known problem related to this observation?

TIA

Norbert

From kevin at atomicgears.com Thu Apr 11 04:31:13 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Wed, 10 Apr 2002 11:31:13 -0700 (PDT)
Subject: PLEASE TEST snapshots
In-Reply-To: <20020409222510.D24297@greenie.muc.de>
Message-ID: 

On Tue, 9 Apr 2002, Gert Doering wrote:
:> ok, i missed munmap().
:
:checkout -> yes, that part compiles & links now.
:
:Socketpair() is still open...
:
:> :> there is no socketpair() on SCO (relates to "no unix sockets here"), and
:> :> of course no munmap() either.
:>
:> i think we want to support USE_PIPES. in fact, native OpenSSH uses that
:> by default now.
:
:Is this something that should happen "by magic" in the current code? Or
:is this more "thinking aloud" about necessary changes to monitor.c?

it doesn't appear to be a 5 minute job to plug-in half-duplex pipes there, but i may be missing something obvious.

for now i guess we can just die if no socketpair().

From emsecrist at micron.com Thu Apr 11 05:29:28 2002
From: emsecrist at micron.com (emsecrist)
Date: Wed, 10 Apr 2002 13:29:28 -0600
Subject: Compiling OPENssh to use random package
Message-ID: <9527E8B90F21D4118B8800508B6C011702A651C3@ntlex01.lehi.micron.com>

Hello,
I have attempted several times to compile openssh3.1p1 that will use a random package called ANDIrand. How can I compile and get ssh to use this random number generator? I have tried the --rand-helper switch with my configure and still it does not work. I am compiling in Solaris 8, and need to then create a package that can be used on Solaris 6, Solaris 7, and Solaris 8.

Thanks,
Eric Secrist

From bugzilla-daemon at mindrot.org Thu Apr 11 06:19:31 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 11 Apr 2002 06:19:31 +1000 (EST)
Subject: [Bug 213] New: -SNAP-20020410 fails to compile under AIX 4.3.3
Message-ID: <20020410201931.B038FE93B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=213

           Summary: -SNAP-20020410 fails to compile under AIX 4.3.3
           Product: Portable OpenSSH
           Version: -current
          Platform: PPC
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: dmanton at emea.att.com

A simple ./configure; make using IBM VisualAge C++ 5 under AIX 4.3.3 ML9 returns:

xlC -O2 -qlanglvl=extended -I. -I. -I/usr/local/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/var/run\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c monitor_fdpass.c
"monitor_fdpass.c", line 43.18: 1506-195 (S) Integral constant expression with a value greater than zero is required.
"monitor_fdpass.c", line 87.18: 1506-195 (S) Integral constant expression with a value greater than zero is required.
make: 1254-004 The error code from the last command is 1.

This appears to be a problem with the line:

char tmp[CMSG_SPACE(sizeof(int))];

It would seem that the IBM compiler does not like array declarations that need to be computed in this way. Hard-coding 16 in place of CMSG_SPACE(sizeof(int)) allows compilation to succeed.

Can someone help me to solve this problem?

From emsecrist at micron.com Thu Apr 11 06:34:33 2002
From: emsecrist at micron.com (emsecrist)
Date: Wed, 10 Apr 2002 14:34:33 -0600
Subject: Compiling OPENssh to use random package
Message-ID: <9527E8B90F21D4118B8800508B6C011702A651C4@ntlex01.lehi.micron.com>

True. Here is a little more detail. Once I compile openssh3.1p1 and then install it, it is much too slow. I have openssh2.9 installed on some of my Solaris servers that uses the ANDIrand package just fine, the connections are quick. With openssh3.1p1, the connections are at least 2 seconds slower, which leads me to believe that the random package is not being used for some reason in my 3.1 compile.

Thanks.

-----Original Message-----
From: Paul L. Allen [mailto:paul.l.allen at boeing.com]
Sent: Wednesday, April 10, 2002 2:07 PM
To: emsecrist
Subject: Re: Compiling OPENssh to use random package

emsecrist wrote:
>
> Hello,
> I have attempted several times to compile openssh3.1p1 that will use a
> random package called ANDIrand. How can I compile and get ssh to use this
> random number generator? I have tried the --rand-helper switch with my
> configure and still it does not work. I am compiling in Solaris 8, and need
> to then create a package that can be used on Solaris 6, Solaris 7, and
> Solaris 8.

Ummm... You'll probably not get much help with a problem description of the form, "it does not work." Try explaining in detail exactly what you're doing and what symptoms you're seeing. You might get better results from the list that way.

Good luck!

Paul Allen

-- 
Boeing Phantom Works                        \ Paul L. Allen, (425) 865-3297
Math & Computing Technology                  \ paul.l.allen at boeing.com
POB 3707 M/S 7L-40, Seattle, WA 98124-2207    \ Prototype Systems Group

From mouring at etoh.eviladmin.org Thu Apr 11 06:45:49 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 10 Apr 2002 15:45:49 -0500 (CDT)
Subject: Compiling OPENssh to use random package
In-Reply-To: <9527E8B90F21D4118B8800508B6C011702A651C3@ntlex01.lehi.micron.com>
Message-ID: 

--rand-helper=no ?

That should disable all attempts by OpenSSH to use external entropy besides what OpenSSL provides. If it fails to run then you need to look at recompiling OpenSSL with your /dev/random device installed.

- Ben

On Wed, 10 Apr 2002, emsecrist wrote:

> Hello,
> I have attempted several times to compile openssh3.1p1 that will use a
> random package called ANDIrand. How can I compile and get ssh to use this
> random number generator? I have tried the --rand-helper switch with my
> configure and still it does not work. I am compiling in Solaris 8, and need
> to then create a package that can be used on Solaris 6, Solaris 7, and
> Solaris 8.
>
> Thanks,
> Eric Secrist
>

From gert at greenie.muc.de Thu Apr 11 07:18:19 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 10 Apr 2002 23:18:19 +0200
Subject: PLEASE TEST snapshots
In-Reply-To: ; from Kevin Steves on Wed, Apr 10, 2002 at 11:31:13AM -0700
References: <20020409222510.D24297@greenie.muc.de>
Message-ID: <20020410231819.E21128@greenie.muc.de>

Hi,

On Wed, Apr 10, 2002 at 11:31:13AM -0700, Kevin Steves wrote:
> :Is this something that should happen "by magic" in the current code? Or
> :is this more "thinking aloud" about necessary changes to monitor.c?
>
> it doesn't appear to be a 5 minute job to plug-in half-duplex pipes there,
> but i may be missing something obvious.
>
> for now i guess we can just die if no socketpair().

Okay, here we go...

=================================================================== RCS file: /cvs/openssh_cvs/monitor.c,v retrieving revision 1.8 diff -u -r1.8 monitor.c --- monitor.c 2 Apr 2002 20:48:20 -0000 1.8 +++ monitor.c 10 Apr 2002 21:14:37 -0000 
@@ -1406,10 +1406,15 @@ static void monitor_socketpair(int *pair) { +#ifdef USE_PIPES + fatal( "%s: can't use PrivSep on this platform, no socketpair()", + __FUNCTION__ ); +#else if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) fatal("%s: socketpair", __FUNCTION__); FD_CLOSEONEXEC(pair[0]); FD_CLOSEONEXEC(pair[1]); +#endif }

--> with that patch, plus "bugzilla #208", -current compiles fine on SCO 3.2v4.2 with skey and openssl 0.9.6c.

Limited testing of ssh+sshd with -1/-2 and password/rhostssrsa (-1 only of course) suggests that everything is working nicely.

With "useprivilegeseparation yes", it bombs when trying to create the socketpair() - as is to be expected:

debug1: Local version string SSH-1.99-OpenSSH_3.1p1
monitor_socketpair: can't use PrivSep on this platform, no socketpair()

Markus/Damien: has anything been achieved on getting the regression tests into -portable? That way my changes for AIX could be incorporated there... (I sent them already to the list, some weeks ago).

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From kevin at atomicgears.com Thu Apr 11 07:45:08 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Wed, 10 Apr 2002 14:45:08 -0700 (PDT)
Subject: PLEASE TEST snapshots
In-Reply-To: <20020410231819.E21128@greenie.muc.de>
Message-ID: 

On Wed, 10 Apr 2002, Gert Doering wrote:
:+#ifdef USE_PIPES :+ fatal( "%s: can't use PrivSep on this platform, no socketpair()", :+ __FUNCTION__ ); :+#else : if (socketpair(AF_UNIX, SOCK_STREAM, 0, pair) == -1) : fatal("%s: socketpair", __FUNCTION__); : FD_CLOSEONEXEC(pair[0]); : FD_CLOSEONEXEC(pair[1]); :+#endif

in this case i don't think we want to use USE_PIPES because some systems set USE_PIPES but have socketpair(). i'll check in configure and set HAVE_SOCKETPAIR.

From bugzilla-daemon at mindrot.org Thu Apr 11 08:13:23 2002
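Review bot: the #ifdef USE_PIPES guard in the @@ -1406,10 +1406,15 @@ hunk keys the refusal on the wrong condition: USE_PIPES selects pipes for session I/O and, as Kevin's reply notes, is set on platforms that do have socketpair(), so those would be denied privilege separation for no reason; a configure-detected HAVE_SOCKETPAIR is the condition to test. Style point in the same hunk: the added call `fatal( "%s: can't use PrivSep on this platform, no socketpair()", __FUNCTION__ );` puts spaces inside the parentheses, unlike the existing `fatal("%s: socketpair", __FUNCTION__);` two lines below.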
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 11 Apr 2002 08:13:23 +1000 (EST)
Subject: [Bug 138] Incorrect OpenSSL version requirement?
Message-ID: <20020410221323.7DCE9EA7A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=138

------- Additional Comments From eds at reric.net 2002-04-11 08:13 -------
As far as I can tell, blowfish is indeed broken in ssh1.

[eds at ike eds]$ ssh -v -1 postal
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090581f
... snip some output ...
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.1p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'postal' is known and matches the RSA1 host key.
debug1: Found key in /home/eds/.ssh/known_hosts:25
debug1: Encryption type: blowfish
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
Disconnecting: Corrupted check bytes on input.
debug1: Calling cleanup 0x8062778(0x0)

From markus at openbsd.org Thu Apr 11 08:18:39 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 11 Apr 2002 00:18:39 +0200
Subject: OpenSSH server stops returning data from a server module
In-Reply-To: <200204101827.UAA21406@post.webmailer.de>
References: <200204101827.UAA21406@post.webmailer.de>
Message-ID: <20020410221839.GA2529@folly>

do you have example code to reproduce this problem?

On Wed, Apr 10, 2002 at 06:26:15PM +0200, Norbert Sendetzky wrote:
> Hi all
>
> I've written a client/server application using OpenSSH for securing
> the transactions. The server is written as OpenSSH server module
> (same as sftp) while the client is a separate application invoking
> the ssh client. My application and the ssh client are connected by
> socketpairs the same way as the OpenSSH server and the server module
> are.
>
> After the connection between the ssh client and the server is
> established, the user is authenticated and the server module is
> loaded, the application starts sending messages to the server module.
> The server module then responds to the former request. After around
> 1K of data returned by the server module, the OpenSSH server stops
> forwarding the data returned by the server module, so the failure is
> deterministic.
>
> I've done several tests to exclude a mistake made by myself. The
> server module and the client application separately work correctly on
> the same data. If I connect the client and the server module directly
> by replacing the execution of the ssh client in the client
> application with the execution of the server module, then there is no
> problem at all.
>
> My tests have shown this behaviour from OpenSSH version 2.9 to 3.1.
> Is there any known problem related to this observation?
>
> TIA
>
>
> Norbert

From bugzilla-daemon at mindrot.org Thu Apr 11 08:57:49 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 11 Apr 2002 08:57:49 +1000 (EST)
Subject: [Bug 213] -SNAP-20020410 fails to compile under AIX 4.3.3
Message-ID: <20020410225749.03C55EA78@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=213

------- Additional Comments From stevesk at pobox.com 2002-04-11 08:57 -------
can you provide cpp output from the file (e.g., cc -E) for the tmp[]
definition?

can someone with some AIX knowledge help with this?

From dcole at keysoftsys.com Thu Apr 11 09:21:09 2002
From: dcole at keysoftsys.com (Darren Cole)
Date: Wed, 10 Apr 2002 16:21:09 -0700
Subject: PLEASE TEST snapshots
References: <20020409222510.D24297@greenie.muc.de> <20020410231819.E21128@greenie.muc.de>
Message-ID: <014201c1e0e6$783dcae0$9b78a8c0@oedserver>

Tested building from cvs today on hp-ux 10.26. Once I applied my patch
( to bug ), everything built and ran fine. Is there any way I can get
this patch committed for 3.2? If there is anything I can do to help get
the patch accepted please let me know.

Darren Cole
dcole at keysoftsys.com

From abhi at acc.com Thu Apr 11 10:02:33 2002
From: abhi at acc.com (Abhijeet Thakare)
Date: Wed, 10 Apr 2002 17:02:33 -0700
Subject: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD
Message-ID:

Hi All,

I am trying to decode the message received from openssh client 3.1.0.
Following is the third message which I received.

length = 0000 008c
padding length = 06
messagetype = 1e (SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
padding = b8 218e c680

and the next four bytes should have the n which is 0000 0080 which is less
than 1024.

0000 008c 061e 0000 0080 2a19 a9e4 05fb aee2 b107 4fa9 f0c1 83d3 3bf0 15a2
8dc8 a74b 7be1 6cab 817f cffc b835 04f2 0958 850c b2ec dc0a 81de 0929 2d4c
9a6c 17a8 5a81 95bc 657b 0ac0 6a8e 246d 5d03 29c6 abcd e8c7 828f 6f61 d372
eba0 fa7f e38b 76ba b618 6402 a5d9 21cd c844 3913 2dc3 706e 3b7d 68d9 60b5
e4f1 aca1 c922 a347 9a46 2080 d9d1 cfe3 fde1 63b8 218e c680

I am not able to figure out why n is so small and what the rest of the data is.

Thanks,
Abhijeet

From mouring at etoh.eviladmin.org Thu Apr 11 10:05:10 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 10 Apr 2002 19:05:10 -0500 (CDT)
Subject: PLEASE TEST snapshots
In-Reply-To: <014201c1e0e6$783dcae0$9b78a8c0@oedserver>
Message-ID:

I need to have Tim and Kevin signoff on this since it affects SCO and HP.

- Ben

On Wed, 10 Apr 2002, Darren Cole wrote:
>
> Tested building from cvs today on hp-ux 10.26. Once I applied my patch
> ( to bug
> ), everything built and ran
> fine. Is there any way I can get this patch committed for 3.2? If there is
> anything I can do to help get the patch accepted please let me know.
>
> Darren Cole
> dcole at keysoftsys.com
>

From summer at os2.ami.com.au Thu Apr 11 08:23:23 2002
From: summer at os2.ami.com.au (John Summerfield)
Date: Thu, 11 Apr 2002 06:23:23 +0800
Subject: I need to be able to turn off host checking entirely
Message-ID: <200204102223.g3AMNNw16079@numbat.Os2.Ami.Com.Au>

I have a small LAN. The entire system is within my view - all the
hosts, the switch and the wire. If someone is in a position to do a
"man in the middle" attack, there's no need - they already have me.

Over the other side of the room, and beside my desk, I have test
systems. I use disk caddies (see www.vipower.com for examples) and can
switch operating systems in about the time it takes to cycle power; I
pull one drive out (with power off), push in another and reboot.

One of the things the test system's used for is kickstart installing
Red Hat Linux, and a test can take less than 20 minutes.

Then there's my "production" system for the same box, and Windows
NT.....

Actually, NT's not involved in the problem.


I'm getting thoroughly sick of the checking the ssh command does, and
I've turned off as much as I can figure out, but I still get this:
[summer at numbat summer]$ ssh possum
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle
attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
22:dc:6b:57:31:b3:0a:3c:07:7e:8d:60:1a:c0:b7:5f.
Please contact your system administrator.
Add correct host key in /home/summer/.ssh/known_hosts to get rid of
this message.
Offending key in /home/summer/.ssh/known_hosts:2
Password authentication is disabled to avoid man-in-the-middle attacks.
X11 forwarding is disabled to avoid man-in-the-middle attacks.
Last login: Thu Apr 11 06:06:30 2002 from numbat.os2.ami.com.au
[summer at possum summer]$



Now, I suppose I can live with the messages (but I'd rather not). What
I really need to have the connexion to the machine to 'just work.'

I want X11 forwarding to work.
Just like this:
[summer at numbat summer]$ ssh dugite
Last login: Thu Apr 11 05:04:54 2002 from numbat.os2.ami.com.au
[summer at dugite summer]$


I appreciate there are several crude hacks I can use. Like supplying
the host key when I install on possum, but that seems to me even worse.



--
Cheers
John Summerfield

Microsoft's most solid OS: http://www.geocities.com/rcwoolley/

Note: mail delivered to me is deemed to be intended for me, for my
disposition.

==============================
If you don't like being told you're wrong,
be right!

From mouring at etoh.eviladmin.org Thu Apr 11 10:57:59 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 10 Apr 2002 19:57:59 -0500 (CDT)
Subject: I need to be able to turn off host checking entirely
In-Reply-To: <200204102223.g3AMNNw16079@numbat.Os2.Ami.Com.Au>
Message-ID:

why don't you unify all your keys over all those disk images?

Or switch to rsh. No reason to be deploying encryption on a closed lan.

- Ben

On Thu, 11 Apr 2002, John Summerfield wrote:
>
> I have a small LAN. The entire system is within my view - all the
> hosts, the switch and the wire. If someone is in a position to do a
> "man in the middle" attack, there's no need - they already have me.
>
> Over the other side of the room, and beside my desk, I have test
> systems. I use disk caddies (see www.vipower.com for examples) and can
> switch operating systems in about the time it takes to cycle power; I
> pull one drive out (with power off), push in another and reboot.
>
> One of the things the test system's used for is kickstart installing
> Red Hat Linux, and a test can take less than 20 minutes.
>
> Then there's my "production" system for the same box, and Windows
> NT.....
>
> Actually, NT's not involved in the problem.
>
>
> I'm getting thoroughly sick of the checking the ssh command does, and
> I've turned off as much as I can figure out, but I still get this:
> [summer at numbat summer]$ ssh possum
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle
> attack)!
> It is also possible that the RSA host key has just been changed.
> The fingerprint for the RSA key sent by the remote host is
> 22:dc:6b:57:31:b3:0a:3c:07:7e:8d:60:1a:c0:b7:5f.
> Please contact your system administrator.
> Add correct host key in /home/summer/.ssh/known_hosts to get rid of
> this message.
> Offending key in /home/summer/.ssh/known_hosts:2
> Password authentication is disabled to avoid man-in-the-middle attacks.
> X11 forwarding is disabled to avoid man-in-the-middle attacks.
> Last login: Thu Apr 11 06:06:30 2002 from numbat.os2.ami.com.au
> [summer at possum summer]$
>
>
>
> Now, I suppose I can live with the messages (but I'd rather not). What
> I really need to have the connexion to the machine to 'just work.'
>
> I want X11 forwarding to work.
> Just like this:
> [summer at numbat summer]$ ssh dugite
> Last login: Thu Apr 11 05:04:54 2002 from numbat.os2.ami.com.au
> [summer at dugite summer]$
>
>
> I appreciate there are several crude hacks I can use. Like supplying
> the host key when I install on possum, but that seems to me even worse.
>
>
>
> --
> Cheers
> John Summerfield
>
> Microsoft's most solid OS: http://www.geocities.com/rcwoolley/
>
> Note: mail delivered to me is deemed to be intended for me, for my
> disposition.
>
> ==============================
> If you don't like being told you're wrong,
> be right!
>

From tim at multitalents.net Thu Apr 11 13:41:45 2002
From: tim at multitalents.net (Tim Rice)
Date: Wed, 10 Apr 2002 20:41:45 -0700 (PDT)
Subject: mmap() w/o MAP_ANON
In-Reply-To:
Message-ID:

Would this work in monitor_mm.c ?
#ifdef MAP_ANON
	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
	    -1, 0);
#else
	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED,
	    -1, 0);
#endif

Many systems have mmap() but no MAP_ANON/MAP_ANONYMOUS
Ie. SCO 5.0.x, UnixWare 2.x, Solaris < 8

Is MAP_ANON needed or do we just #undef HAVE_MMAP on systems that
don't have it?

--
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From summer at os2.ami.com.au Thu Apr 11 15:49:46 2002
From: summer at os2.ami.com.au (John Summerfield)
Date: Thu, 11 Apr 2002 13:49:46 +0800
Subject: I need to be able to turn off host checking entirely
In-Reply-To: Your message of "Wed, 10 Apr 2002 19:57:59 EST."
Message-ID: <200204110549.g3B5nkK17515@numbat.Os2.Ami.Com.Au>

>
> why don't you unify all your keys over all those disk images?

It's a bad principle. Besides, I also sometimes use that same machine to
install stuff for others. I can install on that, then take the drive to
another machine. I'd rather not have two machines with the same key.

>
> Or switch to rsh. No reason to be deploying encryption on a closed lan.

ssh does things better than rsh, that's the main reason I use it. I
don't actually care about the encryption.

>
> - Ben
>
> On Thu, 11 Apr 2002, John Summerfield wrote:
>
> >
> > I have a small LAN. The entire system is within my view - all the
> > hosts, the switch and the wire. If someone is in a position to do a
> > "man in the middle" attack, there's no need - they already have me.
> >
> > Over the other side of the room, and beside my desk, I have test
> > systems. I use disk caddies (see www.vipower.com for examples) and can
> > switch operating systems in about the time it takes to cycle power; I
> > pull one drive out (with power off), push in another and reboot.
> >
> > One of the things the test system's used for is kickstart installing
> > Red Hat Linux, and a test can take less than 20 minutes.
> >
> > Then there's my "production" system for the same box, and Windows
> > NT.....
> >
> > Actually, NT's not involved in the problem.
> >
> >
> > I'm getting thoroughly sick of the checking the ssh command does, and
> > I've turned off as much as I can figure out, but I still get this:
> > [summer at numbat summer]$ ssh possum
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> > @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> > IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> > Someone could be eavesdropping on you right now (man-in-the-middle
> > attack)!
> > It is also possible that the RSA host key has just been changed.
> > The fingerprint for the RSA key sent by the remote host is
> > 22:dc:6b:57:31:b3:0a:3c:07:7e:8d:60:1a:c0:b7:5f.
> > Please contact your system administrator.
> > Add correct host key in /home/summer/.ssh/known_hosts to get rid of
> > this message.
> > Offending key in /home/summer/.ssh/known_hosts:2
> > Password authentication is disabled to avoid man-in-the-middle attacks.
> > X11 forwarding is disabled to avoid man-in-the-middle attacks.
> > Last login: Thu Apr 11 06:06:30 2002 from numbat.os2.ami.com.au
> > [summer at possum summer]$
> >
> >
> >
> > Now, I suppose I can live with the messages (but I'd rather not). What
> > I really need to have the connexion to the machine to 'just work.'
> >
> > I want X11 forwarding to work.
> > Just like this:
> > [summer at numbat summer]$ ssh dugite
> > Last login: Thu Apr 11 05:04:54 2002 from numbat.os2.ami.com.au
> > [summer at dugite summer]$
> >
> >
> > I appreciate there are several crude hacks I can use. Like supplying
> > the host key when I install on possum, but that seems to me even worse.
> >
> >
> >
> > --
> > Cheers
> > John Summerfield
> >
> > Microsoft's most solid OS: http://www.geocities.com/rcwoolley/
> >
> > Note: mail delivered to me is deemed to be intended for me, for my
> > disposition.
> >
> > ==============================
> > If you don't like being told you're wrong,
> > be right!
> >
> >
> >
>

--
Cheers
John Summerfield

Microsoft's most solid OS: http://www.geocities.com/rcwoolley/

Note: mail delivered to me is deemed to be intended for me, for my
disposition.

==============================
If you don't like being told you're wrong,
be right!

From jmknoble at pobox.com Thu Apr 11 17:09:10 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 11 Apr 2002 03:09:10 -0400
Subject: I need to be able to turn off host checking entirely
In-Reply-To: <200204110549.g3B5nkK17515@numbat.Os2.Ami.Com.Au>; from summer@os2.ami.com.au on Thu, Apr 11, 2002 at 01:49:46PM +0800
References: <200204110549.g3B5nkK17515@numbat.Os2.Ami.Com.Au>
Message-ID: <20020411030910.B27399@zax.half.pint-stowp.cx>

Circa 2002-Apr-11 13:49:46 +0800 dixit John Summerfield:

: > why don't you unify all your keys over all those disk images?
:
: It's a bad principle.

No it isn't. If all the disk images are used on a machine that's
assigned the same IP address, they ought to have the same host key.

: Besides, I also sometimes use that same machine to install stuff for
: others. I can install on that, then take the drive to another
: machine. I'd rather not have two machines with the same key.

You mean you reinstall the OS? Or do you mean something else by
'install'? If all you're doing is installing a software package, why
don't you use the network to transfer the files to the other machine?
That's kind of the idea behind a network....

If you don't want to unify host keys over all the OS's, consider one of
the following:

(a) Assign different IP addresses (and hence also different hostnames)
to different disk images. Then everything else will magically work.
Of course, you have to remember which hostname corresponds to which
disk image.

(b) Use ssh's HostKeyAlias option to assign different "hostnames" to
the keys for each disk image. For example, in ~/.ssh/config:

  Host image1.hostname.example.org
    HostName hostname.example.org
    HostKeyAlias image1.hostname.example.org
    ...

You still have to remember which name to use for which disk image.

Using the same host key on all the images for the same machine is the
simplest and easiest method. It's what i do on a multiboot system i
use at work (with admittedly not-so-easily-removable disks), and it's
quite painless....
--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

From bugzilla-daemon at mindrot.org Thu Apr 11 18:07:29 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 11 Apr 2002 18:07:29 +1000 (EST)
Subject: [Bug 213] -SNAP-20020410 fails to compile under AIX 4.3.3
Message-ID: <20020411080729.D9A01EA9F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=213

------- Additional Comments From dmanton at emea.att.com 2002-04-11 18:07 -------
Created an attachment (id=71)
cpp output for monitor_fdpass.c

From bugzilla-daemon at mindrot.org Thu Apr 11 18:09:06 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 11 Apr 2002 18:09:06 +1000 (EST)
Subject: [Bug 213] -SNAP-20020410 fails to compile under AIX 4.3.3
Message-ID: <20020411080906.B0D1AEAA3@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=213

------- Additional Comments From dmanton at emea.att.com 2002-04-11 18:09 -------
tmp[CMSG_SPACE(sizeof(int))]; evaluates to:

char tmp[((ulong)((caddr_t)(sizeof(struct cmsghdr)) + sizeof (void *) - 1 - ((ulong)((caddr_t)(sizeof(struct cmsghdr)) + sizeof (void *) - 1) % sizeof (void *))) + (ulong)((caddr_t)(sizeof(int)) + sizeof (void *) - 1 - ((ulong)((caddr_t)(sizeof(int)) + sizeof (void *) - 1) % sizeof (void *))))];

From dtucker at zip.com.au Thu Apr 11 20:10:33 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 11 Apr 2002 20:10:33 +1000
Subject: I need to be able to turn off host checking entirely
References: <200204102223.g3AMNNw16079@numbat.Os2.Ami.Com.Au>
Message-ID: <3CB56119.F58DB027@zip.com.au>

John Summerfield wrote:
> I'm getting thoroughly sick of the checking the ssh command does, and
> I've turned off as much as I can figure out, but I still get this:
> [summer at numbat summer]$ ssh possum
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

How about:

$ cat .ssh/config
Host possum-linux1
  HostKeyAlias possum-linux1
Host possum-linux2
  HostKeyAlias possum-linux2

or:

$ ln -s /dev/null .ssh/known_hosts

-Daz.

From bugzilla-daemon at mindrot.org Thu Apr 11 21:32:21 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 11 Apr 2002 21:32:21 +1000 (EST)
Subject: [Bug 2] sshd should have BSM auditing on Solaris
Message-ID: <20020411113221.C2BCEEAAB@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=2

Michael.Gerdts at alcatel.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Michael.Gerdts at alcatel.com

From Nicolas.Williams at ubsw.com Thu Apr 11 23:04:31 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Thu, 11 Apr 2002 09:04:31 -0400
Subject: mmap() w/o MAP_ANON
In-Reply-To: ; from tim@multitalents.net on Wed, Apr 10, 2002 at 08:41:45PM -0700
References:
Message-ID: <20020411090430.A27398@sm2p1386swk.wdr.com>

Er, shouldn't it be

#ifdef MAP_ANON
	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
	    -1, 0);
#else
	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_PRIVATE,
	    open("/dev/zero",...), 0);
#endif

?

Nico

On Wed, Apr 10, 2002 at 08:41:45PM -0700, Tim Rice wrote:
>
> Would this work in monitor_mm.c ?
> #ifdef MAP_ANON
> 	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
> 	    -1, 0);
> #else
> 	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED,
> 	    -1, 0);
> #endif
>
> Many systems have mmap() but no MAP_ANON/MAP_ANONYMOUS
> Ie. SCO 5.0.x, UnixWare 2.x, Solaris < 8
>
> Is MAP_ANON needed or do we just #undef HAVE_MMAP on systems that
> don't have it?
>
> --
> Tim Rice				Multitalents	(707) 887-1469
> tim at multitalents.net
>

--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only
for the individual named. If you are not the named addressee you
should not disseminate, distribute or copy this e-mail. Please
notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses. The sender therefore
does not accept liability for any errors or omissions in the contents
of this message which arise as a result of e-mail transmission. If
verification is required please request a hard-copy version. This
message is provided for informational purposes and should not be
construed as a solicitation or offer to buy or sell any securities or
related financial instruments.

From mouring at etoh.eviladmin.org Thu Apr 11 23:38:35 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 11 Apr 2002 08:38:35 -0500 (CDT)
Subject: mmap() w/o MAP_ANON
In-Reply-To: <20020411090430.A27398@sm2p1386swk.wdr.com>
Message-ID:

On Thu, 11 Apr 2002, Nicolas Williams wrote:

> Er, shouldn't it be
>
> #ifdef MAP_ANON
> 	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
> 	    -1, 0);
> #else
> 	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_PRIVATE,
> 	    open("/dev/zero",...), 0);
> #endif
>

Yes and no.. MAP_PRIVATE must be MAP_SHARED so all children can see
the information written. But otherwise yes. Since it does not have a
MAP_ANON we need to provide a FD to something.

- Ben

> ?
>
> Nico
>
> On Wed, Apr 10, 2002 at 08:41:45PM -0700, Tim Rice wrote:
> >
> > Would this work in monitor_mm.c ?
> > #ifdef MAP_ANON
> > 	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
> > 	    -1, 0);
> > #else
> > 	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_SHARED,
> > 	    -1, 0);
> > #endif
> >
> > Many systems have mmap() but no MAP_ANON/MAP_ANONYMOUS
> > Ie. SCO 5.0.x, UnixWare 2.x, Solaris < 8
> >
> > Is MAP_ANON needed or do we just #undef HAVE_MMAP on systems that
> > don't have it?
> >
> > --
> > Tim Rice				Multitalents	(707) 887-1469
> > tim at multitalents.net
> >
> --
> -DISCLAIMER: an automatically appended disclaimer may follow. By posting-
> -to a public e-mail mailing list I hereby grant permission to distribute-
> -and copy this message.-
>

From Nicolas.Williams at ubsw.com Thu Apr 11 23:48:35 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Thu, 11 Apr 2002 09:48:35 -0400
Subject: mmap() w/o MAP_ANON
In-Reply-To: ; from mouring@etoh.eviladmin.org on Thu, Apr 11, 2002 at 08:38:35AM -0500
References: <20020411090430.A27398@sm2p1386swk.wdr.com>
Message-ID: <20020411094833.D13553@sm2p1386swk.wdr.com>

On Thu, Apr 11, 2002 at 08:38:35AM -0500, Ben Lindstrom wrote:
> Yes and no.. MAP_PRIVATE must be MAP_SHARED so all children can see
> the information written. But otherwise yes. Since it does not have a
> MAP_ANON we need to provide a FD to something.

MAP_PRIVATE mmap()s are in fact inherited by children procs.

MAP_SHARED is for mmap()ing some real file in such a way that changes
made via VM show up in mmap()ed segments of the same file *separately*
mmap()ed by other processes.

So MAP_PRIVATE of /dev/zero is the way to go. It's what ld.so does and
dynamically loaded libraries are, in fact, inherited across processes.

> - Ben

Cheers,

Nico

--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
From Jason.Lacoss-Arnold at AGEDWARDS.com Fri Apr 12 00:10:48 2002
From: Jason.Lacoss-Arnold at AGEDWARDS.com (Lacoss-Arnold, Jason)
Date: Thu, 11 Apr 2002 09:10:48 -0500
Subject: getting OpenSSH/OpenSSL to utilize /dev/random
Message-ID: <6808DCE827EBD5119DFB0002A58EF4DA57E7A9@hqempn06.agedwards.com>

I've installed Sun's SUNWski package on Solaris 8 (32-bit) that provides a
/dev/random interface. It appears to, as cat'ing it gives me a bunch of,
well, random data.

However, when I ran my configure, it gives me the WARNING.RND message to the
effect that I'm using the built-in. I've seen allusions on this list to
building openssl with to get random support, so I rebuilt it and then reran
configure for openssh. No changes. OpenSSL made references to a RANDFILE
environment variable, so I set it, reconfigured and built openssl, then
reconfigured openssh. I'm still getting the message that I have built-in
random source.

What gives? What do I have to do to get openssh or openssl to see my
/dev/random?

Thanks,
Jason Lacoss-Arnold
TS/Unix Architecture
314-955-8501

***************************************************************************************
WARNING: All e-mail sent to and from this address will be received or
otherwise recorded by the A.G. Edwards corporate e-mail system and is
subject to archival, monitoring or review by, and/or disclosure to,
someone other than the recipient.
***************************************************************************************

From jmates at sial.org Fri Apr 12 00:31:27 2002
From: jmates at sial.org (Jeremy Mates)
Date: Thu, 11 Apr 2002 07:31:27 -0700
Subject: getting OpenSSH/OpenSSL to utilize /dev/random
In-Reply-To: <6808DCE827EBD5119DFB0002A58EF4DA57E7A9@hqempn06.agedwards.com>
References: <6808DCE827EBD5119DFB0002A58EF4DA57E7A9@hqempn06.agedwards.com>
Message-ID: <20020411143127.GA51366@darkness.sial.org>

* Lacoss-Arnold, Jason [2002-04-11T07:17-0700]:
> What gives? What do I have to do to get openssh or openssl to see my
> /dev/random?

OpenSSL looks for /dev/urandom by default, and might be missing the
/dev/random device ANDIrand installs:

*** e_os.h.orig	Thu Nov  8 06:36:49 2001
--- e_os.h	Thu Apr 11 07:29:43 2002
***************
*** 79,85 ****
  #ifndef DEVRANDOM
  /* set this to your 'random' device if you have one.
   * My default, we will try to read this file */
! #define DEVRANDOM "/dev/urandom"
  #endif

  #if defined(__MWERKS__) && defined(macintosh)
--- 79,85 ----
  #ifndef DEVRANDOM
  /* set this to your 'random' device if you have one.
   * My default, we will try to read this file */
! #define DEVRANDOM "/dev/random"
  #endif

  #if defined(__MWERKS__) && defined(macintosh)

> WARNING: All e-mail sent to and from this address will be received or
> otherwise recorded by the A.G. Edwards corporate e-mail system and is
> subject to archival, monitoring or review by, and/or disclosure to,
> someone other than the recipient.

/me waves at the nice lawyers

--
Jeremy Mates                                     http://www.sial.org/

OpenPGP: 0x11C3D628 (4357 1D47 FF78 24BB 0FBF 7AA8 A846 9F86 11C3 D628)

From provos at citi.umich.edu Fri Apr 12 01:02:17 2002
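Review bot: the e_os.h hunk changes the default device for every platform that compiles this header, not only for hosts that lack /dev/urandom, and on systems where /dev/random blocks once the kernel's entropy estimate is exhausted that can stall any process seeding from it, sshd included. Since the line sits under `#ifndef DEVRANDOM`, the one-host fix needs no patch: define DEVRANDOM on the compiler command line (e.g. -DDEVRANDOM='"/dev/random"') and leave the header alone; if the header must change, keep "/dev/urandom" as the default and fall back to "/dev/random" only where the former is absent. The comment's "My default" (for "By default") passes through the hunk uncorrected as well.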
From: provos at citi.umich.edu (Niels Provos)
Date: Thu, 11 Apr 2002 11:02:17 -0400
Subject: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD
In-Reply-To: <20020411144447.GB23825@folly>
References: <20020411144447.GB23825@folly>
Message-ID: <20020411150217.GD27560@citi.citi.umich.edu>

Hi,

> length = 0000 008c
> padding length = 06
> messagetype = 1e (SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
> padding = b8 218e c680
>
> and the next four bytes should have the n which is 0000 0080 which is less
> than 1024.

According to the client code, this can never happen.

	nbits = dh_estimate(kex->we_need * 8);
	if (datafellows & SSH_OLD_DHGEX) {
		debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD sent");
		/* Old GEX request */
		packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD);
		packet_put_int(nbits);

The smallest possible value that dh_estimate returns is 512 bits. I have
no idea why you would see 128. Are you sure that this is an openssh
client that you are talking with?

Niels.

From ed at UDel.Edu Fri Apr 12 01:25:03 2002
From: ed at UDel.Edu (Ed Phillips)
Date: Thu, 11 Apr 2002 11:25:03 -0400 (EDT)
Subject: X11UseLocalhost option and the DISPLAY variable
Message-ID:

I wasn't paying much attention when there was a lot of conversation about
these issues. I recently ran into a problem where an X app won't run with
OpenSSH 3.1p1's default "X11UseLocalhost yes" setting. If I run the X app
with the display set to "localhost:16.0" it gets a "BadAccess" error, but if
I run it with the display set to "127.0.0.1:16.0" or "realhostname:16.0" it
works fine.

Can someone please explain the boiled-down version of what's going on here
and save me some trouble? Is there anything wrong with setting
"X11UseLocalhost no" in sshd_config?

Thanks in advance!

Ed

Ed Phillips  University of Delaware  (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

From Nicolas.Williams at ubsw.com Fri Apr 12 01:38:52 2002
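The dump from the SSH2_MSG_KEX_DH_GEX_REQUEST_OLD question above, parsed with RFC 4253 binary packet framing, as an added example that is not code from the thread. Message number 30 is also SSH2_MSG_KEXDH_INIT (both names are 30 in OpenSSH's kex.h and in RFC 4253/4419), so the example reads the payload both ways: as a GEX request the uint32 explains only 5 of the 133 payload bytes, while as a KEXDH_INIT that same field is the length of a 128-byte mpint that fills the payload exactly, consistent with the 1024-bit group of diffie-hellman-group1-sha1. The function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Both names are message number 30 (RFC 4253 section 8, RFC 4419 section 5);
 * only the kex method negotiated in KEXINIT says which layout follows. */
#define SSH2_MSG_KEXDH_INIT             30
#define SSH2_MSG_KEX_DH_GEX_REQUEST_OLD 30

/* The 144 bytes of the dump posted in the question, typed in as an array. */
static const uint8_t captured[144] = {
	0x00,0x00,0x00,0x8c, 0x06, 0x1e, 0x00,0x00,0x00,0x80,
	0x2a,0x19,0xa9,0xe4,0x05,0xfb,0xae,0xe2,0xb1,0x07,0x4f,0xa9,0xf0,0xc1,0x83,0xd3,
	0x3b,0xf0,0x15,0xa2,0x8d,0xc8,0xa7,0x4b,0x7b,0xe1,0x6c,0xab,0x81,0x7f,0xcf,0xfc,
	0xb8,0x35,0x04,0xf2,0x09,0x58,0x85,0x0c,0xb2,0xec,0xdc,0x0a,0x81,0xde,0x09,0x29,
	0x2d,0x4c,0x9a,0x6c,0x17,0xa8,0x5a,0x81,0x95,0xbc,0x65,0x7b,0x0a,0xc0,0x6a,0x8e,
	0x24,0x6d,0x5d,0x03,0x29,0xc6,0xab,0xcd,0xe8,0xc7,0x82,0x8f,0x6f,0x61,0xd3,0x72,
	0xeb,0xa0,0xfa,0x7f,0xe3,0x8b,0x76,0xba,0xb6,0x18,0x64,0x02,0xa5,0xd9,0x21,0xcd,
	0xc8,0x44,0x39,0x13,0x2d,0xc3,0x70,0x6e,0x3b,0x7d,0x68,0xd9,0x60,0xb5,0xe4,0xf1,
	0xac,0xa1,0xc9,0x22,0xa3,0x47,0x9a,0x46,0x20,0x80,0xd9,0xd1,0xcf,0xe3,0xfd,0xe1,
	0x63,0xb8,0x21,0x8e,0xc6,0x80
};

struct ssh_packet {
	uint32_t packet_length;		/* excludes the length field itself */
	uint8_t padding_length;
	const uint8_t *payload;
	size_t payload_len;
	const uint8_t *padding;
};

static uint32_t get_u32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* ssh_parse_packet: RFC 4253 section 6 framing for a packet sent before
 * encryption starts (block size 8, no MAC). 0 on success, -1 if lengths
 * do not add up. */
int ssh_parse_packet(const uint8_t *buf, size_t len, struct ssh_packet *out)
{
	uint32_t plen;
	uint8_t padlen;

	if (len < 5)
		return -1;
	plen = get_u32(buf);
	if (plen < 6 || plen > len - 4 || (plen + 4) % 8 != 0)
		return -1;
	padlen = buf[4];
	if (padlen < 4 || (uint32_t)padlen + 1 >= plen)	/* >= 4 pad, >= 1 payload */
		return -1;
	out->packet_length = plen;
	out->padding_length = padlen;
	out->payload = buf + 5;
	out->payload_len = plen - 1 - padlen;
	out->padding = out->payload + out->payload_len;
	return 0;
}

/* Reading A, GEX_REQUEST_OLD: byte type, uint32 n. Returns how many payload
 * bytes are left unexplained after n (0 for a genuine request), or -1. */
long read_as_gex_request_old(const struct ssh_packet *pkt, uint32_t *n)
{
	if (pkt->payload_len < 5 || pkt->payload[0] != SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
		return -1;
	*n = get_u32(pkt->payload + 1);
	return (long)(pkt->payload_len - 5);
}

/* Reading B, KEXDH_INIT: byte type, mpint e (uint32 length, then magnitude).
 * Returns the unexplained byte count after e, or -1 if e overruns the payload. */
long read_as_kexdh_init(const struct ssh_packet *pkt, const uint8_t **e, uint32_t *e_len)
{
	uint32_t mlen;

	if (pkt->payload_len < 5 || pkt->payload[0] != SSH2_MSG_KEXDH_INIT)
		return -1;
	mlen = get_u32(pkt->payload + 1);
	if (mlen > pkt->payload_len - 5)
		return -1;
	*e = pkt->payload + 5;
	*e_len = mlen;
	return (long)(pkt->payload_len - 5 - mlen);
}

int main(void)
{
	struct ssh_packet pkt;
	uint32_t n = 0, e_len = 0;
	const uint8_t *e = NULL;
	long left;

	if (ssh_parse_packet(captured, sizeof captured, &pkt) != 0)
		return 1;
	printf("packet_length=%u padding_length=%u payload=%zu bytes type=%u\n",
	    pkt.packet_length, (unsigned)pkt.padding_length, pkt.payload_len,
	    (unsigned)pkt.payload[0]);
	left = read_as_gex_request_old(&pkt, &n);
	printf("as KEX_DH_GEX_REQUEST_OLD: n=%u, %ld bytes unexplained\n", n, left);
	left = read_as_kexdh_init(&pkt, &e, &e_len);
	printf("as KEXDH_INIT: e is %u bytes, %ld bytes unexplained\n", e_len, left);
	return 0;
}
```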
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Thu, 11 Apr 2002 11:38:52 -0400
Subject: When to utmp/wtmp revisited (was Re: Bug in all versions of OpenSSH)
In-Reply-To: <20020406164938.GF13217@folly>; from markus@openbsd.org on Sat, Apr 06, 2002 at 06:49:38PM +0200
References: <000001c1dcdc$1361b1d0$0100a8c0@rawi> <20020406164938.GF13217@folly>
Message-ID: <20020411113850.B27398@sm2p1386swk.wdr.com>

On Sat, Apr 06, 2002 at 06:49:38PM +0200, Markus Friedl wrote:
> wtmp and friends are for pty allocation.

Nonsense.

FTP does [uw]tmp. RSH does not even syslog (see below).

SSHv2, what with the multiple channels/sessions, with SFTP, shell
sessions and what not is a superset of FTP, TELNET, RSH and so on.

Since FTP does [uw]tmp logging methinks that so should OpenSSH *for the
SSHv2 connections* *and* for individual session channels such as SFTP
and pty sessions. In fact, I'd want all channels other than
port-forwarding types, to be [uw]tmp logged, but I'm willing to follow
tradition with non-pty sessions.

Keep in mind that, traditionally, in.rshd does not even syslog
(certainly not on Solaris, where you must turn on BSM auditing to get
at RSH/REXEC logging). So, to follow tradition, non-pty sessions
shouldn't be logged at all, right? Wrong. RSH is not as good a model for
what to do as for what not to do.

IMO,

Nico

--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

From ed at UDel.Edu Fri Apr 12 03:02:11 2002
From: ed at UDel.Edu (Ed Phillips)
Date: Thu, 11 Apr 2002 13:02:11 -0400 (EDT)
Subject: getting OpenSSH/OpenSSL to utilize /dev/random
In-Reply-To: <6808DCE827EBD5119DFB0002A58EF4DA57E7A9@hqempn06.agedwards.com>
Message-ID:

On Thu, 11 Apr 2002, Lacoss-Arnold, Jason wrote:

> Date: Thu, 11 Apr 2002 09:10:48 -0500
> From: "Lacoss-Arnold, Jason" > To: "'openssh-unix-dev at mindrot.org'" > Subject: getting OpenSSH/OpenSSL to utilize /dev/random > > I've installed Sun's SUNWski package on Solaris 8 (32-bit) that provides a > /dev/random interface. It appears to as cat'ing it gives me a bunch of > well, random data. > > However, when I ran my configure, it gives me the WARNING.RND message to the > effect that I'm using the built-in. I've seen allusions on this list to > building openssl with to get random support, so I rebuilt it and then rerun > configure for openssh. No changes. OpenSSL made references to a RANDFILE > environment variable, so I set it, reconfigured and built openssl, then > reconfigured openssh. I'm still getting the message that I have built-in > random source. > > What gives? What do I have to do to get openssh or openssl to see my > /dev/random? I had a similar problem. The key is that you don't have to build OpenSSL 0.9.6c in any special way to get /dev/urandom support (on Solaris 8 at least) - it appears to try to use it if it's there at run-time (when OpenSSH is compiled on any Unix system). As a matter of fact, there doesn't appear to be any user-configurable options at all for /dev/urandom support in OpenSSL. In e_os.h, DEVRANDOM is set to "/dev/urandom" and in crypto/rand/rand_win.c, if you're not compiling on Win32, there is code in RAND_poll() that calls open(DEVRANDOM...). So, the real trick to be rid of the OpenSSH internal entropy stuff and use only /dev/urandom is to configure OpenSSH with "--with-rand-helper=no" and there will be no warning about how you've configured OpenSSH to use the random helper stuff. Hope this helps... Ed Ed Phillips University of Delaware (302) 831-6082 Systems Programmer III, Network and Systems Services finger -l ed at polycut.nss.udel.edu for PGP public key From ed at UDel.Edu Fri Apr 12 03:04:47 2002 
From: ed at UDel.Edu (Ed Phillips) Date: Thu, 11 Apr 2002 13:04:47 -0400 (EDT) Subject: getting OpenSSH/OpenSSL to utilize /dev/random In-Reply-To: <20020411143127.GA51366@darkness.sial.org> Message-ID: Yes... if you literally want OpenSSL to use "/dev/random" you'd need to make a change like this. The use of /dev/[u]random is not really "configurable" in OpenSSL - it always tries at run-time if you compiled it for a Unix system. Ed On Thu, 11 Apr 2002, Jeremy Mates wrote: > Date: Thu, 11 Apr 2002 07:31:27 -0700
> From: Jeremy Mates > To: "'openssh-unix-dev at mindrot.org'" > Subject: Re: getting OpenSSH/OpenSSL to utilize /dev/random > > * Lacoss-Arnold, Jason [2002-04-11T07:17-0700]: > > What gives? What do I have to do to get openssh or openssl to see my > > /dev/random? > > OpenSSL looks for /dev/urandom by default, and might be missing the > /dev/random device ANDIrand installs: > > *** e_os.h.orig Thu Nov 8 06:36:49 2001 > --- e_os.h Thu Apr 11 07:29:43 2002 > *************** > *** 79,85 **** > #ifndef DEVRANDOM > /* set this to your 'random' device if you have one. > * My default, we will try to read this file */ > ! #define DEVRANDOM "/dev/urandom" > #endif > > #if defined(__MWERKS__) && defined(macintosh) > --- 79,85 ---- > #ifndef DEVRANDOM > /* set this to your 'random' device if you have one. > * My default, we will try to read this file */ > ! #define DEVRANDOM "/dev/random" > #endif > > #if defined(__MWERKS__) && defined(macintosh) > > > > WARNING: All e-mail sent to and from this address will be received or > > otherwise recorded by the A.G. Edwards corporate e-mail system and is > > subject to archival, monitoring or review by, and/or disclosure to, > > someone other than the recipient. > > /me waves at the nice lawyers > > -- > Jeremy Mates http://www.sial.org/ > > OpenPGP: 0x11C3D628 (4357 1D47 FF78 24BB 0FBF 7AA8 A846 9F86 11C3 D628) > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > Ed Phillips University of Delaware (302) 831-6082 Systems Programmer III, Network and Systems Services finger -l ed at polycut.nss.udel.edu for PGP public key From abhi at acc.com Fri Apr 12 03:22:01 2002 
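Review bot: the hunk replaces the default device with /dev/random inside the existing `#ifndef DEVRANDOM` guard, so the same build can be had without patching e_os.h at all by passing `-DDEVRANDOM='"/dev/random"'` to the compiler, which also survives the next OpenSSL upgrade; as written the change also drops /dev/urandom entirely rather than adding /dev/random as a preferred alternative, so a host that has only the urandom device ends up with no device at all.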
From: abhi at acc.com (Abhijeet Thakare) Date: Thu, 11 Apr 2002 10:22:01 -0700 Subject: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD In-Reply-To: <20020411150217.GD27560@citi.citi.umich.edu> Message-ID: Hi, I dumped the packet on our box and also captured the packet using ethereal and both gave me the following dump. I was not able to figure out how the n is so small and what the rest of the data is. Looking at the openssh client and server code this should not happen. This is the third message which I receive from the client. length = 0000 008c padding length = 06 messagetype = 1e (SSH2_MSG_KEX_DH_GEX_REQUEST_OLD) padding = b8 218e c680 0000 008c 061e 0000 0080 2a19 a9e4 05fb aee2 b107 4fa9 f0c1 83d3 3bf0 15a2 8dc8 a74b 7be1 6cab 817f cffc b835 04f2 0958 850c b2ec dc0a 81de 0929 2d4c 9a6c 17a8 5a81 95bc 657b 0ac0 6a8e 246d 5d03 29c6 abcd e8c7 828f 6f61 d372 eba0 fa7f e38b 76ba b618 6402 a5d9 21cd c844 3913 2dc3 706e 3b7d 68d9 60b5 e4f1 aca1 c922 a347 9a46 2080 d9d1 cfe3 fde1 63b8 218e c680 Thanks, Abhijeet -----Original Message-----
From: openssh-unix-dev-admin at mindrot.org [mailto:openssh-unix-dev-admin at mindrot.org]On Behalf Of Niels Provos Sent: Thursday, April 11, 2002 8:02 AM To: openssh-unix-dev at mindrot.org Subject: Re: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD Hi, > length = 0000 008c > padding length = 06 > messagetype = 1e (SSH2_MSG_KEX_DH_GEX_REQUEST_OLD) > padding = b8 218e c680 > > and the next four byte should have the n which is 0000 0080 which is less > than 1024. According to the client code, this can never happen. nbits = dh_estimate(kex->we_need * 8); if (datafellows & SSH_OLD_DHGEX) { debug("SSH2_MSG_KEX_DH_GEX_REQUEST_OLD sent"); /* Old GEX request */ packet_start(SSH2_MSG_KEX_DH_GEX_REQUEST_OLD); packet_put_int(nbits); The smallest possible value that dh_estimate returns is 512 bits. I have no idea why you would see 128. Are you sure that this is an openssh client that you are talking with? Niels. _______________________________________________ openssh-unix-dev at mindrot.org mailing list http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From kevin at atomicgears.com Fri Apr 12 03:23:23 2002 
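Added example, not part of the thread and not OpenSSH code: message number 30 is assigned to both SSH2_MSG_KEXDH_INIT (the fixed-group Diffie-Hellman methods, RFC 4253) and SSH2_MSG_KEX_DH_GEX_REQUEST_OLD (group exchange, RFC 4419), and a receiver has to pick the meaning from the kex method negotiated in KEXINIT. The Python below takes the hex dump posted above as the sample input, splits it as an SSH2 binary packet (RFC 4253 section 6, uint32 length, byte padding length, payload, padding) and reads the payload both ways. Which reading is the right one depends on the negotiated method, which the thread does not show; the script only reports what each reading consumes.

```python
"""Decode an SSH2 binary packet and read a number-30 payload both ways."""
import struct

# Both kex methods use message number 30; the negotiated kex method decides
# which parser applies (RFC 4253 section 8, RFC 4419 section 5).
SSH2_MSG_KEXDH_INIT = 30
SSH2_MSG_KEX_DH_GEX_REQUEST_OLD = 30

# Packet dump as posted in the thread: length field first, padding last.
PACKET_HEX = (
    "0000 008c 061e 0000 0080 2a19 a9e4 05fb aee2 b107 4fa9 f0c1 83d3 3bf0 "
    "15a2 8dc8 a74b 7be1 6cab 817f cffc b835 04f2 0958 850c b2ec dc0a 81de "
    "0929 2d4c 9a6c 17a8 5a81 95bc 657b 0ac0 6a8e 246d 5d03 29c6 abcd e8c7 "
    "828f 6f61 d372 eba0 fa7f e38b 76ba b618 6402 a5d9 21cd c844 3913 2dc3 "
    "706e 3b7d 68d9 60b5 e4f1 aca1 c922 a347 9a46 2080 d9d1 cfe3 fde1 63b8 "
    "218e c680"
)
PACKET = bytes.fromhex(PACKET_HEX)


def split_packet(raw):
    """Split an unencrypted SSH2 binary packet into (payload, padding).

    Layout: uint32 packet_length, byte padding_length,
    payload[packet_length - padding_length - 1], padding[padding_length].
    The length check comes first: nothing further in is trusted until the
    declared lengths agree with what was actually received.
    """
    if len(raw) < 5:
        raise ValueError("packet shorter than its fixed header")
    packet_length, padding_length = struct.unpack(">IB", raw[:5])
    if len(raw) != 4 + packet_length:
        raise ValueError(f"have {len(raw)} bytes, length field says {4 + packet_length}")
    payload_len = packet_length - padding_length - 1
    if payload_len < 1:
        raise ValueError("no room for a message type byte")
    return raw[5:5 + payload_len], raw[5 + payload_len:]


def read_uint32(buf, off):
    """Big-endian uint32 at buf[off]; returns (value, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated uint32")
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def read_mpint(buf, off):
    """SSH mpint at buf[off]: uint32 length, then two's-complement big-endian
    magnitude. Returns (int, new offset)."""
    length, off = read_uint32(buf, off)
    if off + length > len(buf):
        raise ValueError("truncated mpint")
    body = buf[off:off + length]
    value = int.from_bytes(body, "big", signed=True) if body else 0
    return value, off + length


def as_gex_request_old(payload):
    """Payload as SSH2_MSG_KEX_DH_GEX_REQUEST_OLD: byte type, uint32 n.
    Returns (n, bytes left over); a well-formed request leaves 0."""
    n, off = read_uint32(payload, 1)
    return n, len(payload) - off


def as_kexdh_init(payload):
    """Payload as SSH2_MSG_KEXDH_INIT: byte type, mpint e.
    Returns (e, bytes left over); a well-formed init leaves 0."""
    e, off = read_mpint(payload, 1)
    return e, len(payload) - off


def decode(raw):
    """Parse the packet and, for message 30, report both readings."""
    payload, padding = split_packet(raw)
    msg_type = payload[0]
    report = {"msg_type": msg_type, "payload_len": len(payload),
              "padding_len": len(padding)}
    if msg_type == 30:
        n, left = as_gex_request_old(payload)
        report["gex_n"], report["gex_leftover"] = n, left
        e, left = as_kexdh_init(payload)
        report["kexdh_e_bits"], report["kexdh_leftover"] = e.bit_length(), left
    return report


if __name__ == "__main__":
    for key, value in decode(PACKET).items():
        print(f"{key:16} {value}")
```

A GEX_REQUEST_OLD carries nothing after its uint32, so the 128 bytes left over under that reading are the thing to look at; under the KEXDH_INIT reading the same bytes are one 128-byte mpint that consumes the payload exactly. Checking the KEXINIT exchange for the negotiated kex method settles which parser applies.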
From: kevin at atomicgears.com (Kevin Steves) Date: Thu, 11 Apr 2002 10:23:23 -0700 (PDT) Subject: X11UseLocalhost option and the DISPLAY variable In-Reply-To: Message-ID: On Thu, 11 Apr 2002, Ed Phillips wrote: :I wasn't paying much attention when there was a lot of conversation about :these issues. I recently ran into a problem where an X app won't run with :OpenSSH 3.1p1's default "X11UseLocalhost yes" setting. If I run the X :app with the display set to "localhost:16.0" it gets a "BadAccess" error, :but if I run it with the display set to "127.0.0.1:16.0" or :"realhostname:16.0" it works fine. Can someone please explain the :boiled-down version of what's going on here and save me some trouble? Is :there anything wrong with setting "X11UseLocalhost no" in sshd_config? can something in sshd.8 for X11UseLocalhost be clearer? also: http://www.openssh.com/faq.html#3.12 From ed at UDel.Edu Fri Apr 12 04:15:31 2002 From: ed at UDel.Edu (Ed Phillips) Date: Thu, 11 Apr 2002 14:15:31 -0400 (EDT) Subject: X11UseLocalhost option and the DISPLAY variable In-Reply-To: Message-ID: On Thu, 11 Apr 2002, Kevin Steves wrote: > Date: Thu, 11 Apr 2002 10:23:23 -0700 (PDT)
> From: Kevin Steves > To: Ed Phillips > Cc: OpenSSH Development > Subject: Re: X11UseLocalhost option and the DISPLAY variable > > On Thu, 11 Apr 2002, Ed Phillips wrote: > :I wasn't paying much attention when there was a lot of conversation about > :these issues. I recently ran into a problem where an X app won't run with > :OpenSSH 3.1p1's default "X11UseLocalhost yes" setting. If I run the X > :app with the display set to "localhost:16.0" it gets a "BadAccess" error, > :but if I run it with the display set to "127.0.0.1:16.0" or > :"realhostname:16.0" it works fine. Can someone please explain the > :boiled-down version of what's going on here and save me some trouble? Is > :there anything wrong with setting "X11UseLocalhost no" in sshd_config? > > can something in sshd.8 for X11UseLocalhost be clearer? No, I don't think so, but it doesn't solve my problem either. The "old client" I'm using is a "current" version of Tivoli's Maestro (gconman in particular). I don't know what X calls they use to deal with the display, but the application is certainly linked against the current Solaris 8 X libraries - just like xterm, xclock, etc.,... which work fine with DISPLAY = "localhost:16.0". So, if anyone can explain to me why "127.0.0.1:16.0" works and "localhost:16.0" does not (in an OpenSSH 3.1p1 X11-forwarding scenario), or how we could add an option (or why we wouldn't want to add an option) to have OpenSSH use the IP address in the DISPLAY variable, I'd appreciate it. Thanks, Ed Ed Phillips University of Delaware (302) 831-6082 Systems Programmer III, Network and Systems Services finger -l ed at polycut.nss.udel.edu for PGP public key From kevin at atomicgears.com Fri Apr 12 04:29:20 2002
From: kevin at atomicgears.com (Kevin Steves) Date: Thu, 11 Apr 2002 11:29:20 -0700 (PDT) Subject: X11UseLocalhost option and the DISPLAY variable In-Reply-To: Message-ID: On Thu, 11 Apr 2002, Ed Phillips wrote: :No, I don't think so, but it doesn't solve my problem either. The "old :client" I'm using is a "current" version of Tivoli's Maestro (gconman in :particular). I don't know what X calls they use to deal with the display, :but the application is certainly linked against the current Solaris 8 X :libraries - just like xterm, xclock, etc.,... which work fine with DISPLAY := "localhost:16.0". : :So, if anyone can explain to me why "127.0.0.1:16.0" works and :"localhost:16.0" does not (in an OpenSSH 3.1p1 X11-forwarding scenario), :or how we could add an option (or why we wouldn't want to add an option) :to have OpenSSH use the IP address in the DISPLAY variable, I'd :appreciate it. We talked about dials for various display settings, but kept it simple at first. Is that a client I can obtain and try here? Is it definitely using the same Xlib, etc. as the other clients that work? Is the resolver used the same? From cmadams at hiwaay.net Fri Apr 12 04:53:14 2002
From: cmadams at hiwaay.net (Chris Adams) Date: Thu, 11 Apr 2002 13:53:14 -0500 Subject: PLEASE TEST snapshots In-Reply-To: ; from kevin@atomicgears.com on Wed, Apr 10, 2002 at 09:45:17AM -0700 References: <20020409223212.A306154@hiwaay.net> Message-ID: <20020411135314.D21375@hiwaay.net> Once upon a time, Kevin Steves said: > On Tue, 9 Apr 2002, Chris Adams wrote: > :Here's a patch for a compile bug in SIA support: > > thanks. can you also try this which has some SIA cleanup? Yes, this also works okay (against SNAP-20020411, although something munged some whitespace so I had to apply it manually). I wrote auth-sia.c before I had ever heard of the coding standards; I was just looking at that last week and wondering if I should fix and submit a patch, but I guess I don't have to know. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. > Index: auth-sia.c > =================================================================== > RCS file: /var/cvs/openssh/auth-sia.c,v > retrieving revision 1.5 > diff -u -r1.5 auth-sia.c > --- auth-sia.c 10 Apr 2002 16:09:52 -0000 1.5 > +++ auth-sia.c 10 Apr 2002 16:29:43 -0000 > @@ -41,7 +41,7 @@ > return(0); > > if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { > - error("couldn't authenticate %s from %s", user, host); > + error("Couldn't authenticate %s from %s", user, host); > if (ret & SIASTOP) > sia_ses_release(&ent); > return(0); > @@ -55,7 +55,6 @@ > void > session_setup_sia(char *user, char *tty) > { > - int ret; > struct passwd *pw; > SIAENTITY *ent = NULL; > const char *host; 
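Review bot: in the @@ -41 hunk the only change is capitalising "couldn't", which makes this message differ in style from the lowercase, function-name-first messages the later hunk introduces ("sia_ses_init failed", "getpwnam: no user: %s", "setpriority: %s"); pick one convention for the file. The @@ -55 hunk's removal of `int ret` is correct, since nothing left in session_setup_sia() assigns it.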
> @@ -64,46 +63,38 @@ > > if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, tty, 0, > NULL) != SIASUCCESS) { > - error("sia_ses_init failed"); > - exit(1); > + fatal("sia_ses_init failed"); > } > > if ((pw = getpwnam(user)) == NULL) { > sia_ses_release(&ent); > - error("getpwnam(%s) failed: %s", user, strerror(errno)); > - exit(1); > + fatal("getpwnam: no user: %s", user); > } > if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) { > sia_ses_release(&ent); > - error("sia_make_entity_pwd failed"); > - exit(1); > + fatal("sia_make_entity_pwd failed"); > } > > ent->authtype = SIA_A_NONE; > if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) { > - error("couldn't establish session for %s from %s", user, > + fatal("Couldn't establish session for %s from %s", user, > host); > - exit(1); > } > > if (setpriority(PRIO_PROCESS, 0, 0) == -1) { > sia_ses_release(&ent); > - error("setpriority failed: %s", strerror (errno)); > - exit(1); > + fatal("setpriority: %s", strerror (errno)); > } > > if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) { > - error("couldn't launch session for %s from %s", user, host); > - exit(1); > + fatal("Couldn't launch session for %s from %s", user, host); > } > > sia_ses_release(&ent); > > if (setreuid(geteuid(), geteuid()) < 0) { > - error("setreuid failed: %s", strerror (errno)); > - exit(1); > + fatal("setreuid: %s", strerror(errno)); > } > } > > #endif /* HAVE_OSF_SIA */ > - From bugzilla-daemon at mindrot.org Fri Apr 12 06:51:56 2002 
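Review bot: in the @@ -64 hunk the sia_ses_estab() and sia_ses_launch() failure paths call fatal() without sia_ses_release(&ent), while the getpwnam(), sia_make_entity_pwd() and setpriority() paths release first; fatal() does not return, so on those two paths the entity is never released. Either add the release before fatal() there too or say in a comment why it is unnecessary. The commit message should also mention that every error()+exit(1) pair is now a fatal(), since that changes the exit path for the whole function, not just the wording.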
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 12 Apr 2002 06:51:56 +1000 (EST) Subject: [Bug 213] -SNAP-20020410 fails to compile under AIX 4.3.3 Message-ID: <20020411205156.AD147E919@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=213 ------- Additional Comments From pspencer at fields.utoronto.ca 2002-04-12 06:51 ------- It seems the IBM compiler will not do pointer arithmetic at compile time. For example, assuming pointers are compatible with unsigned longs, the following program will not compile using the IBM compiler xlc, but using gcc it will compile just fine (printing "6" when it runs, assuming ints are 4 bytes long):
#include <stdio.h>
int main() { char tmp[(unsigned long)((int *)(10) - 1)]; printf ("size is %d\n", (int)sizeof(tmp)); return 0; }
Without the "- 1", the program will compile and run correctly (printing "10") using either xlc or gcc. The CMSG_SPACE macro used in monitor_fdpass.c uses the ALIGN macro, which AIX defines in sys/socket.h using pointer arithmetic. One fix is to undefine AIX's ALIGN macro in favour of openssh's which does not use pointer arithmetic and works just fine. A quick-and-dirty way of doing this is to apply the following patch to defines.h then run configure with CFLAGS="-DCOMPILER_CHOKES_ON_SYSTEM_ALIGN": --- defines.h.orig Sat Apr 6 18:52:05 2002 +++ defines.h Thu Apr 11 15:51:06 2002
@@ -447,6 +447,11 @@ #ifndef ALIGNBYTES #define ALIGNBYTES (sizeof(int) - 1) #endif +#ifdef COMPILER_CHOKES_ON_SYSTEM_ALIGN +#ifdef ALIGN +#undef ALIGN +#endif +#endif #ifndef ALIGN #define ALIGN(p) (((u_int)(p) + ALIGNBYTES) &~ ALIGNBYTES) #endif A better fix would be to have configure try to compile the following test program: #include #ifndef ALIGN #define ALIGN(p) p #endif int main() { char tmp[ALIGN(1)]; } If sys/socket.h exists but this compilation fails, configure could set the COMPILER_CHOKES_ON_SYSTEM_ALIGN flag. However, since I have no experience with autoconf I'll let someone else suggest the appropriate patch. An alternative is to simply always use openssh's ALIGN macro (i.e., omit the #ifdef COMPILER_CHOKES_ON_SYSTEM_ALIGN from the defines.h patch) but I don't know if that would break anything on a system where the system's ALIGN macro has to be used because of something special it does. Two other changes are also needed to make this snapshot compile with the older version (4) of IBM's C compiler that I am using: It will not allow "enum {a,b,...,x,}" with nothing after the final comma -- this occurs twice in log.h and once in monitor.h, and if running in strict ANSI mode it will not allow the redefinition of TILDE in openbsd-compat/glob.c (the system header files already define it). These issues may apply to released versions of openssh also; I've never tried compiling it with IBM's compiler until I saw this bug report. If anyone wants me to I could open up a new bug report and attach a patch. I personally don't care about them too much since I use gcc, and presumably the current IBM compiler is okay since the reporter of this bug didn't mention any such problems. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From markus at openbsd.org Fri Apr 12 07:06:15 2002 
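Review bot: in the @@ -447 hunk the inner `#ifdef ALIGN` around `#undef ALIGN` is redundant, since `#undef` of a macro that is not defined is a no-op in ISO C, so the block can be just `#ifdef COMPILER_CHOKES_ON_SYSTEM_ALIGN` / `#undef ALIGN` / `#endif`. The replacement `ALIGN(p)` also casts its argument to `u_int`; that is fine for the byte counts CMSG_SPACE() passes it in monitor_fdpass.c, but it would truncate a pointer on a 64-bit build, so `(u_long)` or `(size_t)` would be safer given the message's own remark that pointers are compatible with unsigned longs.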
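The CMSG_SPACE()/ALIGN machinery the bug report is about is what sshd uses when it passes a file descriptor between its privilege-separated processes over a unix socket. As an added example, not code from OpenSSH or from the bug report, the Python below does the same with socket.sendmsg()/recvmsg() and SCM_RIGHTS, sizes the receive control buffer with socket.CMSG_SPACE() for exactly one descriptor, and makes the checks a receiver on the privileged side should make: truncated control data, an unexpected data byte, the wrong control message type, and more than one descriptor. The socketpair, pipe and payload are constructed for the demonstration; it needs Python 3.3 or later on a Unix system.

```python
"""Pass a file descriptor over a unix socket with SCM_RIGHTS."""
import array
import os
import socket

FD_SIZE = array.array("i").itemsize      # one C int, the unit of SCM_RIGHTS data


def send_fd(sock, fd):
    """Send fd to the peer of sock inside a single SCM_RIGHTS control message.

    One byte of ordinary data travels with it because a control message
    cannot be sent on its own.
    """
    rights = array.array("i", [fd])
    sent = sock.sendmsg([b"\0"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, rights)])
    if sent != 1:
        raise OSError("short sendmsg")


def recv_fd(sock):
    """Receive exactly one descriptor sent by send_fd() and return it.

    The ancillary buffer is sized with CMSG_SPACE() for one int, the same
    macro monitor_fdpass.c relies on; a peer that sends more than that is
    refused (MSG_CTRUNC) rather than silently handed a truncated message.
    """
    data, ancdata, flags, _addr = sock.recvmsg(1, socket.CMSG_SPACE(FD_SIZE))
    if flags & socket.MSG_CTRUNC:
        raise OSError("control data truncated: peer sent more than one fd?")
    if data != b"\0":
        raise OSError("unexpected data byte alongside the descriptor")
    if len(ancdata) != 1:
        raise OSError(f"expected one control message, got {len(ancdata)}")
    level, ctype, cdata = ancdata[0]
    if level != socket.SOL_SOCKET or ctype != socket.SCM_RIGHTS:
        raise OSError("control message is not SCM_RIGHTS")
    fds = array.array("i")
    fds.frombytes(cdata[:len(cdata) - (len(cdata) % FD_SIZE)])
    if len(fds) != 1:
        raise OSError(f"expected one descriptor, got {len(fds)}")
    return fds[0]


def pass_fd_roundtrip(payload=b"privsep"):
    """Create a pipe, pass its read end across a socketpair, close the
    original, then prove the received duplicate still works by reading
    payload through it. Returns the bytes read."""
    parent, child = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    rfd, wfd = os.pipe()
    received = -1
    try:
        send_fd(parent, rfd)
        received = recv_fd(child)
        os.close(rfd)                    # the original goes away...
        rfd = -1
        os.write(wfd, payload)
        return os.read(received, len(payload))   # ...and the copy still reads
    finally:
        for fd in (rfd, wfd, received):
            if fd >= 0:
                os.close(fd)
        parent.close()
        child.close()


if __name__ == "__main__":
    print(pass_fd_roundtrip())
```

The receive side deliberately allocates room for one descriptor and no more; in a privilege-separated design the unprivileged side should never be able to push extra descriptors into the privileged process, and an oversized control message is a protocol violation to be rejected, not absorbed.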
From: markus at openbsd.org (Markus Friedl) Date: Thu, 11 Apr 2002 23:06:15 +0200 Subject: When to utmp/wtmp revisited (was Re: Bug in all versions of OpenSSH) In-Reply-To: <20020411113850.B27398@sm2p1386swk.wdr.com> References: <000001c1dcdc$1361b1d0$0100a8c0@rawi> <20020406164938.GF13217@folly> <20020411113850.B27398@sm2p1386swk.wdr.com> Message-ID: <20020411210614.GE26160@faui02> On Thu, Apr 11, 2002 at 11:38:52AM -0400, Nicolas Williams wrote: > On Sat, Apr 06, 2002 at 06:49:38PM +0200, Markus Friedl wrote: > > wtmp and friends are for pty allocation. > > Nonsense. FTP does [uw]tmp. some versions of ftpd do, but that's either abuse or accident. From ed at UDel.Edu Fri Apr 12 07:19:38 2002 From: ed at UDel.Edu (Ed Phillips) Date: Thu, 11 Apr 2002 17:19:38 -0400 (EDT) Subject: X11UseLocalhost option and the DISPLAY variable In-Reply-To: Message-ID: On Thu, 11 Apr 2002, Kevin Steves wrote: > Date: Thu, 11 Apr 2002 11:29:20 -0700 (PDT) 
> From: Kevin Steves > To: Ed Phillips > Cc: Kevin Steves , > OpenSSH Development > Subject: Re: X11UseLocalhost option and the DISPLAY variable > > On Thu, 11 Apr 2002, Ed Phillips wrote: > :No, I don't think so, but it doesn't solve my problem either. The "old > :client" I'm using is a "current" version of Tivoli's Maestro (gconman in > :particular). I don't know what X calls they use to deal with the display, > :but the application is certainly linked against the current Solaris 8 X > :libraries - just like xterm, xclock, etc.,... which work fine with DISPLAY > := "localhost:16.0". > : > :So, if anyone can explain to me why "127.0.0.1:16.0" works and > :"localhost:16.0" does not (in an OpenSSH 3.1p1 X11-forwarding scenario), > :or how we could add an option (or why we wouldn't want to add an option) > :to have OpenSSH use the IP address in the DISPLAY variable, I'd > :appreciate it. > > We talked about dials for various display settings, but kept it simple at > first. Is that a client I can obtain and try here? Is it definitely > using the same Xlib, etc. as the other clients that work? The more I look at the executable, the more it appears to have some sort of Xlib routines compiled in (whew... it's almost 8MB!). According to "nm", there are a bunch of FUNC entries like XOpenDisplay, XMoveResizeWindow, etc., that are GLOB (not UNDEF). I must have been looking at the wrong line in my "ldd" output for the help viewer (a separate X app) because it's the only executable that actually links libX11.so (or any other X library). Drat! > Is the resolver used the same? There are UNDEF calls to gethostbyname, etc., so I assume that will just call the libc.so stubs that get mapped to whatever is set up in /etc/nsswitch.conf (in my case, "files dns"). If it was a resolver problem, then it would probably be reproducible in some other app. Most likely, it's a problem with XOpenDisplay() in the compiled-in X libraries. Double-drat!
So, would it be worth it to add a "X11UseLocalhost ip" option to make sshd set DISPLAY using the IP address or make "X11UseLocalhost yes" actually set the DISPLAY to "127.0.0.1:10.0" or similar? Would this break non-"older" X apps in any way or cause DNS lookups to be performed too infrequently for peoples' tastes? Thanks, Ed Ed Phillips University of Delaware (302) 831-6082 Systems Programmer III, Network and Systems Services finger -l ed at polycut.nss.udel.edu for PGP public key From Nicolas.Williams at ubsw.com Fri Apr 12 07:33:37 2002 
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Thu, 11 Apr 2002 17:33:37 -0400 Subject: When to utmp/wtmp revisited (was Re: Bug in all versions of OpenSSH) In-Reply-To: <20020411210614.GE26160@faui02>; from markus@openbsd.org on Thu, Apr 11, 2002 at 11:06:15PM +0200 References: <000001c1dcdc$1361b1d0$0100a8c0@rawi> <20020406164938.GF13217@folly> <20020411113850.B27398@sm2p1386swk.wdr.com> <20020411210614.GE26160@faui02> Message-ID: <20020411173336.C27398@sm2p1386swk.wdr.com> On Thu, Apr 11, 2002 at 11:06:15PM +0200, Markus Friedl wrote: > On Thu, Apr 11, 2002 at 11:38:52AM -0400, Nicolas Williams wrote: > > On Sat, Apr 06, 2002 at 06:49:38PM +0200, Markus Friedl wrote: > > > wtmp and friends are for pty allocation. > > > > Nonsense. FTP does [uw]tmp. > > some versions of ftpd do, but that's either abuse or accident. Heh. Fine. Personally I think that syslog is almost good enough, and possibly good enough if you use syslog-ng and good scripting. And personally I dislike the fixed formats of [uw]tmp(x|) records. It's the w/who/last commands that I find useful. But you know, depending on how you handle pam_open_session() the decision of whether to [uw]tmp(x|) log SSHv2 connections or just pty sessions could be left in the hands of the sysadmin. If I really care I'll write a patch and submit it. Cheers, Nico -- -DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.-
From emsecrist at micron.com Fri Apr 12 08:32:24 2002 From: emsecrist at micron.com (emsecrist) Date: Thu, 11 Apr 2002 16:32:24 -0600 Subject: X11UseLocalhost option and the DISPLAY variable Message-ID: <9527E8B90F21D4118B8800508B6C011702A651CF@ntlex01.lehi.micron.com> How did you compile your ssh? Did you use the --with-ipaddr-display switch? If so, this may be your problem. Eric Secrist -----Original Message-----
From: Kevin Steves [mailto:kevin at atomicgears.com] Sent: Thursday, April 11, 2002 11:23 AM To: Ed Phillips Cc: OpenSSH Development Subject: Re: X11UseLocalhost option and the DISPLAY variable On Thu, 11 Apr 2002, Ed Phillips wrote: :I wasn't paying much attention when there was a lot of conversation about :these issues. I recently ran into a problem where an X app won't run with :OpenSSH 3.1p1's default "X11UseLocalhost yes" setting. If I run the X :app with the display set to "localhost:16.0" it gets a "BadAccess" error, :but if I run it with the display set to "127.0.0.1:16.0" or :"realhostname:16.0" it works fine. Can someone please explain the :boiled-down version of what's going on here and save me some trouble? Is :there anything wrong with setting "X11UseLocalhost no" in sshd_config? can something in sshd.8 for X11UseLocalhost be clearer? also: http://www.openssh.com/faq.html#3.12 _______________________________________________ openssh-unix-dev at mindrot.org mailing list http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From kevin at atomicgears.com Fri Apr 12 09:50:10 2002 From: kevin at atomicgears.com (Kevin Steves) Date: Thu, 11 Apr 2002 16:50:10 -0700 (PDT) Subject: X11UseLocalhost option and the DISPLAY variable In-Reply-To: <9527E8B90F21D4118B8800508B6C011702A651CF@ntlex01.lehi.micron.com> Message-ID: On Thu, 11 Apr 2002, emsecrist wrote: :How did you compile your ssh? Did you use the --with-ipaddr-display switch? :If so, this may be your problem. that has no effect when "X11UseLocalhost yes" From mdb at juniper.net Fri Apr 12 12:22:12 2002
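Added example for the X11UseLocalhost thread above; it is not code from OpenSSH. On the server side, sshd allocates the X11 forwarding port by walking display numbers from X11DisplayOffset (default 10) until 6000+n binds, on 127.0.0.1 when X11UseLocalhost is yes and on every interface when it is no, and exports DISPLAY as localhost:n.0 or hostname:n.0 accordingly (the --with-ipaddr-display build option, as Kevin notes, only changes the latter form). The Python below does the same and then checks whether the two DISPLAY host forms from Ed's report reach the listener over plain TCP; the hostname "realhostname" is a placeholder taken from his message, and the listener and probes are constructed for the demonstration. Both forms reach the loopback listener at the TCP level, so a client that works with one and not the other is making its decision before it ever connects to sshd's port.

```python
"""Mimic sshd's X11 forwarding listener under the two X11UseLocalhost settings."""
import socket

X11_BASE_PORT = 6000
X11_DISPLAY_OFFSET = 10          # sshd's default X11DisplayOffset
MAX_DISPLAYS = 1000


def allocate_x11_listener(use_localhost, offset=X11_DISPLAY_OFFSET):
    """Bind the forwarding listener the way sshd does: walk display numbers
    from the offset and take the first port 6000+n that binds.

    X11UseLocalhost yes binds 127.0.0.1 only; no binds every interface, so
    any host that can reach the port and present the xauth cookie can use
    the forward. Returns (display_number, listening socket).
    """
    bind_host = "127.0.0.1" if use_localhost else ""    # "" means INADDR_ANY
    for n in range(offset, MAX_DISPLAYS):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind((bind_host, X11_BASE_PORT + n))
            sock.listen(5)
            return n, sock
        except OSError:
            sock.close()          # port in use, try the next display number
    raise RuntimeError("no free X11 display number")


def display_string(n, use_localhost, hostname):
    """The DISPLAY value sshd exports: localhost:n.0 or hostname:n.0."""
    host = "localhost" if use_localhost else hostname
    return f"{host}:{n}.0"


def tcp_reachable(host, n, timeout=1.0):
    """Can a plain TCP connect reach display n via this host string?"""
    try:
        with socket.create_connection((host, X11_BASE_PORT + n), timeout=timeout):
            return True
    except OSError:
        return False


def probe(use_localhost, hostname="realhostname"):
    """Allocate a listener under one setting and report what it exposes."""
    n, listener = allocate_x11_listener(use_localhost)
    try:
        return {
            "display": display_string(n, use_localhost, hostname),
            "bound_to": listener.getsockname()[0],
            "reachable": {h: tcp_reachable(h, n) for h in ("localhost", "127.0.0.1")},
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for setting in (True, False):
        print("X11UseLocalhost", "yes" if setting else "no", probe(setting))
```

Under the no setting the listener reports 0.0.0.0, which is the exposure the sshd.8 text and FAQ 3.12 warn about: the forwarded display is then reachable from the network, with only the xauth cookie standing between an outside host and the user's X session, so the workaround for one misbehaving client should be weighed against that.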
From: mdb at juniper.net (Mark D. Baushke) Date: Thu, 11 Apr 2002 19:22:12 -0700 Subject: scp.c::okname() problem Message-ID: <200204120222.g3C2MCT39150@merlot.juniper.net> Why does the local scp determine what characters are valid in a remote host userid? A friend of mine just had his ISP convert him to using a userid of the form 'user#isp-acct' (eg, "ssh -l 'joe#foo.org' foo.org" is used to login). The OpenSSH ssh and sftp commands both allow this form of userid. However, it seems that scp has its very own idea of what characters are legal on a remote userid and does not like the '#' character at all giving the error: % scp test-file 'joe#foo.org at foo.org:. joe#foo.org: invalid user name % (Note: foo.org is just an example for the purpose of this message) As the ssh command allows him to login and the sftp command may be used to work around the problem it is not critical that this be fixed, but it seems like a bad idea for scp to restrict the characters allowed in a remote userid. The following patch allows a '#' to be in the user name. However, I suggest that there really should be no arbitrary restriction on possible userids for scp that differs from ssh or sftp. Thanks, -- Mark Index: scp.c =================================================================== RCS file: /cvs/openssh/scp.c,v retrieving revision 1.94 diff -u -p -r1.94 scp.c --- scp.c 6 Apr 2002 18:30:00 -0000 1.94 +++ scp.c 12 Apr 2002 02:13:22 -0000 @@ -1016,7 +1016,7 @@ okname(cp0) if (c & 0200) goto bad; if (!isalpha(c) && !isdigit(c) && - c != '_' && c != '-' && c != '.' && c != '+') + c != '_' && c != '-' && c != '.' && c != '+' && c != '#') goto bad; } while (*++cp); return (1); From kevin at atomicgears.com Fri Apr 12 13:50:56 2002 
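Review bot: the hunk adds '#' to the okname() allow-list, which fixes this one ISP's naming scheme and no other, and the message itself says the restriction should not differ from what ssh and sftp accept. Whatever okname() is meant to guard (the message does not say), an allow-list that has to grow one character per provider is the wrong shape: either reject only the characters scp genuinely cannot pass along safely, or drop the check as the message proposes. The existing `c & 0200` test already keeps the isalpha()/isdigit() calls to ASCII, so that part can stay as is either way.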
From: kevin at atomicgears.com (Kevin Steves) Date: Thu, 11 Apr 2002 20:50:56 -0700 (PDT) Subject: mmap() w/o MAP_ANON In-Reply-To: Message-ID: On Wed, 10 Apr 2002, Tim Rice wrote: :Many systems have mmap() but no MAP_ANON/MAP_ANONYMOUS :Ie. SCO 5.0.x, UnixWare 2.x, Solaris < 8 for now just: #if defined(HAVE_MMAP) && defined(MAP_ANON) mmap(... #else fatal(... #endif improved support for privsep is going to have to be post 3.2. From bugzilla-daemon at mindrot.org Fri Apr 12 16:10:34 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 12 Apr 2002 16:10:34 +1000 (EST) Subject: [Bug 34] Incorrect claim about Commercial SSH's key length Message-ID: <20020412061034.8FDB4E98D@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=34 hugh at mimosa.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|DUPLICATE | ------- Additional Comments From hugh at mimosa.com 2002-04-12 16:10 ------- This is not the same bug as 132. This is a bug in the FAQ. 132 is a bug/feature of real code. They are related, but not the same. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From jm.poure at freesurf.fr Fri Apr 12 16:04:03 2002 
From: jm.poure at freesurf.fr (Jean-Michel POURE) Date: Fri, 12 Apr 2002 08:04:03 +0200 Subject: Chrooted sftp, did you getting it working? In-Reply-To: <9877566273EED511A7560008C716DA060288CC@exchcpn1.cdcna.com> References: <9877566273EED511A7560008C716DA060288CC@exchcpn1.cdcna.com> Message-ID: <200204120804.03555.jm.poure@freesurf.fr> On Thursday 11 April 2002 21:09, m.ibarra at cdcixis-na.com wrote: > I was curious to know if you had any luck in getting openssh's sftp > server properly configured to allow chrooted sftp logins? I have had > no success and need something quickly. Dear Mike, Unfortunately, I did not succeed in getting it to work. I got in contact with James Dennis , who sent me a chroot patch. I applied the patch and did not succeed in logging into a chrooted account. The patch is quite simple. I don't understand why it does not work. Any idea? Best regards, Jean-Michel From vinschen at redhat.com Fri Apr 12 17:58:35 2002 From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 12 Apr 2002 09:58:35 +0200 Subject: [CYGWIN PATCH] [was Re: PLEASE TEST snapshots] In-Reply-To: <20020405101615.GA28894@folly> References: <20020404201958.GE12530@faui02> <20020405101615.GA28894@folly> Message-ID: <20020412095835.C20149@cygbert.vinschen.de> On Fri, Apr 05, 2002 at 12:16:15PM +0200, Markus Friedl wrote: > If you are running the portable OpenSSH release then please > test the nightly snapshots from > http://www.openssh.com/portable.html Hi, somebody found a small flaw in the contrib/cygwin/ssh-host-config script. Could anybody apply this small patch: Index: contrib/cygwin/ssh-host-config =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/ssh-host-config,v retrieving revision 1.4 diff -u -p -r1.4 ssh-host-config --- contrib/cygwin/ssh-host-config 11 Nov 2001 23:36:21 -0000 1.4 +++ contrib/cygwin/ssh-host-config 12 Apr 2002 07:52:59 -0000
@@ -434,9 +434,9 @@ then then if [ "${with_comment}" -eq 0 ] then - echo 'ssh stream tcp nowait root /usr/sbin/sshd -i' >> "${_inetcnf}" + echo 'ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" else - echo '# ssh stream tcp nowait root /usr/sbin/sshd -i' >> "${_inetcnf}" + echo '# ssh stream tcp nowait root /usr/sbin/sshd sshd -i' >> "${_inetcnf}" fi echo "Added ssh to ${_inetcnf}" fi Thanks, Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From gert at greenie.muc.de Fri Apr 12 18:13:37 2002 
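Review bot: the fix is right for inetd.conf, whose server-program field is followed by the program's own argument vector starting with argv[0]; without the extra `sshd` token inetd would have handed `-i` to sshd as argv[0] and no options at all. The two echo lines in the hunk differ only in the leading `# `, so building the line once and prefixing it from `${with_comment}` would avoid having to patch the same string in two places, as this hunk has to.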
From: gert at greenie.muc.de (Gert Doering) Date: Fri, 12 Apr 2002 10:13:37 +0200 Subject: X11UseLocalhost option and the DISPLAY variable In-Reply-To: ; from Ed Phillips on Thu, Apr 11, 2002 at 11:25:03AM -0400 References: Message-ID: <20020412101337.C23024@greenie.muc.de> Hi, On Thu, Apr 11, 2002 at 11:25:03AM -0400, Ed Phillips wrote: > I wasn't paying much attention when there was a lot of conversation about > these issues. I recently ran into a problem where an X app won't run with > OpensSSH 3.1p1's default "X11UseLocalhost yes" setting. If I run the X > app with the display set to "localhost:16.0" it gets a "BadAccess" error, > but if I run it with the display set to "127.0.0.1:16.0" or > "realhostname:16.0" it works fine. Can someone please explain the > boiled-down version of what's going on here and save me some trouble? Is > there anything wrong with setting "X11UseLocalhost no" in sshd_config? X11 connections are *really really* hairy for the general case. One would expect that "it's always TCP so the IP address doesn't matter", but that's not true - there are some optimizations in the code so that (usually) "unix:0", ":0", "localhost:0" and "$hostname:0" (usually without domain, though) are not done over TCP/IP but over some sort of local connection mechanism, of which there are at least 4 (unix sockets, pty connects, STREAMS connects for SCO and for ISC). I assume that this "broken" application links some sort of X11 connection library that knows only a few different variants, and for "localhost:16" tries (e.g.) STREAMS while the OpenSSHd only offers TCP/IP and/or unix sockets (guessing here), and doesn't fallback to one of the other methods. After reading the X11 sources (xc/lib/trans/Xtranslcl.c), I'm sure we *really* do not want to emulate all this stuff... 
Maybe the best way is to have the fallback to "X11UseLocalhost no" for systems that need it, and then apply pressure to vendors to Not Do Stupid Things (like "link in your private copy of LibX11.so"). NB: SCO Unix 3.2v4.2 needs "X11UseLocalhost no" as well. I am fairly sure it comes due to X11 clients shortcutting from TCP/IP to STREAMS connects (no unix sockets here), but can live with it... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From markus at openbsd.org Fri Apr 12 19:02:23 2002 From: markus at openbsd.org (Markus Friedl) Date: Fri, 12 Apr 2002 11:02:23 +0200 Subject: scp.c::okname() problem In-Reply-To: <200204120222.g3C2MCT39150@merlot.juniper.net> References: <200204120222.g3C2MCT39150@merlot.juniper.net> Message-ID: <20020412090223.GA9374@folly> On Thu, Apr 11, 2002 at 07:22:12PM -0700, Mark D. Baushke wrote: > However, it seems that scp has its very own idea of what characters > are legal on a remote userid and does not like the '#' character at > all giving the error: > > % scp test-file 'joe#foo.org at foo.org:. > joe#foo.org: invalid user name can you try scp -o 'User joe#foo.org' test-file foo.org:. until okname() is fixed? From bugzilla-daemon at mindrot.org Fri Apr 12 20:11:34 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 12 Apr 2002 20:11:34 +1000 (EST)
Subject: [Bug 214] New: IRIX utmp problem loginrec.c: line_abbrevname() goes wrong
Message-ID: <20020412101134.BB9ABE9AA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=214

           Summary: IRIX utmp problem loginrec.c: line_abbrevname() goes wrong
           Product: Portable OpenSSH
           Version: 3.1p1
          Platform: MIPS
               URL: http://groups.google.de/groups?hl=de&selm=3B979A7D.1080906%40nowhere.org&rnum=4
        OS/Version: IRIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: phgrau at zedat.fu-berlin.de

On IRIX the sshd writes wrong entries in /var/adm/utmp. The line_abbrevname function does not trim the pseudo tty name correctly, i.e. /dev/ttyq1 gets "tyq1" instead of "q1". So programs like talk and xbiff, which read /var/adm/utmp, stumble over these wrong entries.

There is a usenet posting describing the same problem and saying that it will be fixed, but it did not happen; see URL above.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From john.phillips at calanais.com Fri Apr 12 21:26:07 2002
From: john.phillips at calanais.com (Phillips, John)
Date: Fri, 12 Apr 2002 12:26:07 +0100
Subject: Logging of passwords in plaintext in syslog
Message-ID: <7D7384737DC6D2119C9B0008C7394C920919D755@HAMSPWNTS01>

Hi,

I'm running OpenSSH_3.0p1 and have discovered the following issue.

When using verbose logging and password authentication, if I mistakenly enter the password instead of the username then this is logged in syslog in plain text. I realise that I shouldn't do this ;-), but most OSes' native utilities prevent logging the username in this situation. See below for an extract.

sshd[31326]: Failed publickey for illegal user **plaintextpw** from 1.2.3.4 port 1430 ssh2
sshd[31326]: Failed keyboard-interactive for illegal user **plaintextpw** from 1.2.3.4 port 1430 ssh2
sshd[31326]: Failed password for illegal user **plaintextpw** from 1.2.3.4 port 1430 ssh2
sshd[31326]: Disconnecting: Too many authentication failures for **plaintextpw**

Any advice?

Cheers

John

From maciej.bogucki at efigence.com Fri Apr 12 20:40:51 2002
From: maciej.bogucki at efigence.com (Maciej Bogucki)
Date: Fri, 12 Apr 2002 12:40:51 +0200
Subject: s/key with PasswordAuthentication
Message-ID: <3CB6B9B3.7B914DE2@efigence.com>

HI!

Is it possible to use s/key with PasswordAuthentication at the same time? I mean that when you enter the right s/key password you have to enter the right shadow password to log on.

Best Regards
Maciej Bogucki

--
efigence http://www.efigence.com/
---------------------------------------------------------------
experience that guarantees success
tel: +48 22 646 60 96
ul.Goszczynskiego 10 02-616 Warszawa

From bugzilla-daemon at mindrot.org Fri Apr 12 23:30:32 2002
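John Phillips' message above shows a password landing in syslog as an "illegal user" name. As an added example that is not part of the thread or of OpenSSH, here is a small Python filter a log pipeline can apply to sshd messages before they are forwarded or archived: it flags "illegal user" names that cannot be valid account names under an assumed site policy, replaces them with a stable pseudonym, and carries that replacement into later lines from the same sshd child (the "Too many authentication failures for ..." line has no "illegal user" marker, so it would otherwise leak the string a second time). The username policy, the sample log lines and the sshd pids in them are constructed for the example.

```python
"""Pseudonymise probable passwords that sshd logged as 'illegal user' names.

Added example, not OpenSSH code. The username policy and the log lines below
are constructed for illustration.
"""
import hashlib
import re

# Assumed site policy: POSIX portable user names, 1-32 characters. Adjust to
# the naming rules actually enforced where the filter runs.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}\$?$")
PID_RE = re.compile(r"sshd\[(\d+)\]:")
ILLEGAL_RE = re.compile(r"\b(?:illegal|invalid) user (\S+)")


def pseudonym(name):
    """Stable, non-reversible alias so one login attempt can still be correlated."""
    return "redacted-" + hashlib.sha256(name.encode("utf-8")).hexdigest()[:12]


def looks_like_password(name):
    """True when the logged 'user' cannot be a valid account name under the policy."""
    return USERNAME_RE.match(name) is None


def redact_stream(lines):
    """Return the lines with suspect names replaced.

    Once a name has been flagged for an sshd child (keyed by the pid in
    'sshd[pid]:'), every later line from that child has the same name
    replaced, which covers the 'Disconnecting: Too many authentication
    failures for <name>' line that carries no 'illegal user' marker.
    """
    aliases = {}  # pid -> {original name: alias}
    out = []
    for line in lines:
        m_pid = PID_RE.search(line)
        pid = m_pid.group(1) if m_pid else None
        m_user = ILLEGAL_RE.search(line)
        if m_user and looks_like_password(m_user.group(1)):
            name = m_user.group(1)
            aliases.setdefault(pid, {})[name] = pseudonym(name)
        for name, alias in aliases.get(pid, {}).items():
            line = line.replace(name, alias)
        out.append(line)
    return out


# Constructed sample: a user typed a password where the login name was
# expected, followed by an ordinary probe for 'admin' that must stay intact.
SAMPLE_LOG = [
    "Apr 12 12:26:07 host sshd[31326]: Failed publickey for illegal user Tr0ub4dor&3 from 1.2.3.4 port 1430 ssh2",
    "Apr 12 12:26:09 host sshd[31326]: Failed password for illegal user Tr0ub4dor&3 from 1.2.3.4 port 1430 ssh2",
    "Apr 12 12:26:09 host sshd[31326]: Disconnecting: Too many authentication failures for Tr0ub4dor&3",
    "Apr 12 12:27:00 host sshd[31340]: Failed password for illegal user admin from 5.6.7.8 port 2000 ssh2",
]

if __name__ == "__main__":
    for cleaned in redact_stream(SAMPLE_LOG):
        print(cleaned)
```

The filter is a heuristic: a password that happens to satisfy the username policy passes through untouched, so treat this as damage limitation for logs that leave the host or are readable by more than root, not as a substitute for restricting who can read sshd's log in the first place. Hashing rather than deleting keeps the attempts from one source correlatable without disclosing the string.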
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 12 Apr 2002 23:30:32 +1000 (EST) Subject: [Bug 55] [PATCH] Kerberos v5 support in portable Message-ID: <20020412133032.ED2C6E8FF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=55 ------- Additional Comments From simon at sxw.org.uk 2002-04-12 23:30 ------- Created an attachment (id=72) Patch updated to CVS head as of 2002-04-12 ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From jdennis at law.harvard.edu Fri Apr 12 23:32:44 2002 
From: jdennis at law.harvard.edu (James Dennis)
Date: Fri, 12 Apr 2002 09:32:44 -0400
Subject: Chrooted sftp, did you getting it working?
In-Reply-To: <200204120804.03555.jm.poure@freesurf.fr>
References: <9877566273EED511A7560008C716DA060288CC@exchcpn1.cdcna.com> <200204120804.03555.jm.poure@freesurf.fr>
Message-ID: <20020412093244.5c19eddf.jdennis@law.harvard.edu>

Hello,

Chrooting sftp is not much more complicated than just chrooting ssh. It requires placing certain libraries (you can probably figure these out using truss or strace) in a location that appears the same as the regular file system while under the chroot. As far as I remember from doing this, the only thing sftp requires different from ssh is sftp-server, which most likely lies in /usr/libexec or /usr/local/libexec.

The best way to determine if chrooted ssh is working is to apply the patch (which I will include with this email) and create a test username. Then log in with the chrooted ssh daemon. It should run fine. Then change the user's home directory to have a period in it (/home/./username) and then try logging in. If it fails, the patch is working, because you haven't built a chroot yet, so after the chroot is applied to your user the user's shell will not be found and the login fails.

Chrooting ssh/sftp isn't necessarily easy, but if you're comfortable with truss or strace it becomes quite a bit easier. Because the whole process of building a chroot is beyond the scope of my reply in regard to the patch not working, I leave any inquisitive minds to finding a good article on how to build chroots to themselves (hint: a good article on chrooting ssh (not sftp) is on securityfocus.com).

Good luck to anyone. This patch does indeed work as we use it in production here at Harvard Law School.
-James

On Fri, 12 Apr 2002 08:04:03 +0200
jm.poure at freesurf.fr wrote:

> On Thursday 11 April 2002 21:09, m.ibarra at cdcixis-na.com wrote:
> > I was curious to know if you had any luck in getting openssh's sftp
> > server properly configured to allow chrooted sftp logins? I have had
> > no success and need something quickly.
>
> Dear Mike,
>
> Unfortunately, I did not succeed in getting it to work.
>
> I got in contact with James Dennis, who sent me a
> chroot patch. I applied the patch and did not succeed in logging into a chrooted
> account.
>
> The patch is quite simple. I don't understand why it does not work. Any idea?
>
> Best regards,
> Jean-Michel
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: chroot.diff
Type: application/octet-stream
Size: 2561 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020412/6bfce47b/attachment.obj

From bugzilla-daemon at mindrot.org Sat Apr 13 00:59:31 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 13 Apr 2002 00:59:31 +1000 (EST)
Subject: [Bug 34] Incorrect claim about Commercial SSH's key length
Message-ID: <20020412145931.5D934E9BA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=34

provos at citi.umich.edu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From provos at citi.umich.edu 2002-04-13 00:59 -------
the language has been modified to just say smaller than advertised. they are still half the size, it's the base two logarithm that is one shorter.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Apr 13 01:51:50 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 13 Apr 2002 01:51:50 +1000 (EST) Subject: [Bug 215] New: No warning for failed ssh -v -R Message-ID: <20020412155150.5446BE9C0@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=215 Summary: No warning for failed ssh -v -R Product: Portable OpenSSH Version: older versions Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: russ.radke at lsil.com Folks, I am using 2.9p2, but Markus Friedl said to submit this, so I didn't bother upgrading and re-checking the problem. When you ssh -R, and the remote port that you are trying to forward is already forwarded, the forwarding that you request with the -R option will fail, but the only way to find this out is to look at the security logs on the remote machine, where sshd reports that the port is already in use. ssh -v -v -v -R does not mention anything other than: debug1: Connections to remote port 2222 forwarded to local address strad:1111 while the logs on the remote machine contain: Apr 11 16:21:44 odin sshd[3808]: Accepted publickey for russr from ###.###.##.# port 50191 ssh2 Apr 11 16:21:44 odin sshd[3808]: error: bind: Address already in use Apr 11 16:21:44 odin sshd[3808]: error: channel_request_forwarding: cannot listen to port: 2222 It would make debugging connections a lot easier if ssh -v -R would give you a warning that the port forwarding you requested had failed. Thanks, R. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From mdb at juniper.net Sat Apr 13 02:08:20 2002 
From: mdb at juniper.net (Mark D. Baushke) Date: Fri, 12 Apr 2002 09:08:20 -0700 Subject: scp.c::okname() problem In-Reply-To: Mail from Markus Friedl dated Fri, 12 Apr 2002 11:02:23 +0200 <20020412090223.GA9374@folly> Message-ID: <200204121608.g3CG8KT65098@merlot.juniper.net> Hi Markus, > scp -o 'User joe#foo.org' test-file foo.org:. The above command does indeed work around the problem in scp's okname() not accepting '#' characters. Thank you, -- Mark From rodgers at nlm.nih.gov Sat Apr 13 02:50:39 2002 
From: rodgers at nlm.nih.gov (R. P. C. Rodgers)
Date: Fri, 12 Apr 2002 12:50:39 -0400
Subject: Using openssh 3.1p1 on Solaris with tcp wrappers?
Message-ID: <3CB7105F.251D2D0C@nlm.nih.gov>

Dear OpenSSH Developers,

Thanks for all the great work on this important tool. We've built version 3.1p1 on SAPTC platforms under Solaris 2.8 using gcc 2.95.2. Several quick notes and a question:

1) There are several discrepancies between the INSTALL file on the openssh web site ftp://ftp.ca.openbsd.org/pub/OpenBSD/OpenSSH/portable/INSTALL and the output from "./configure --help", the latter fortunately being the more accurate.

2) There is essentially no information available for the installer about how to use ssh in conjunction with tcp wrappers. A few brief examples of entries for the wrapper control files hosts.allow and hosts.deny would be very helpful, as well as a few remarks about how logging gets done (a few references to this issue in the archives for this mailing list left me confused). Not having supplied a path with our "--with-tcp-wrappers" configuration option, and the output from configure being unenlightening on this point, I'm not even certain this is really working for us.

3) For maximum portability, you might want to add support for the System V conventions for man page section numbering. Currently, you employ BSD conventions: system "8" under BSD is section "1m" under SysV conventions, with the section numbers of course also being changed in the body of the manual pages themselves.

As I'm not a registered member of the list, please respond directly to me as well as to the list -- thanks in advance for any enlightenment!

Thanks and Cheerio, Rick Rodgers (rodgers at nlm.nih.gov)
--
--------------------------------------------------------------------------------
R. P. C. Rodgers, M.D. * rodgers at nlm.nih.gov * (301)496-9305 (voice, fax)
CSB, LHNCBC, U.S. National Library of Medicine, NIH Bldg 38A, Rm. 9S-916, 8600 Rockville Pike, Bethesda MD 20894 USA
http://lhc.nlm.nih.gov/staff/rodgers/rodgers.html

From tim at multitalents.net Sat Apr 13 03:01:21 2002
From: tim at multitalents.net (Tim Rice)
Date: Fri, 12 Apr 2002 10:01:21 -0700 (PDT)
Subject: UsePrivilegeSeparation yes & HostbasedAuthentication yes
In-Reply-To: <3CB7105F.251D2D0C@nlm.nih.gov>
Message-ID:

Portable CVS Thu Apr 11 20:14:16 PDT 2002

Has anyone been successful at getting host based authentication to work with privsep yes?
I get messages like
...
debug1: next auth method to try is hostbased
767e 8fd8 3c94 7172 899a a32e ca12 b73a

Disconnecting: Bad packet length 1988005848.
debug1: Calling cleanup 0x3f074(0x0)
...

Is it just not working yet with privsep enabled?

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From mdb at juniper.net Sat Apr 13 03:36:36 2002
From: mdb at juniper.net (Mark D. Baushke)
Date: Fri, 12 Apr 2002 10:36:36 -0700
Subject: PLEASE TEST snapshots
In-Reply-To: Mail from Markus Friedl dated Fri, 05 Apr 2002 12:16:15 +0200 <20020405101615.GA28894@folly>
Message-ID: <200204121736.g3CHaaT74815@merlot.juniper.net>

Using a cvs checkout of the openssh module from CVSROOT=openssh at anoncvs.be.openbsd.org:/cvs

A Solaris 2.6 sparc system fails to compile with the error:

../openssh/monitor_mm.c: In function `mm_create':
../openssh/monitor_mm.c:88: `MAP_ANON' undeclared (first use in this function)
../openssh/monitor_mm.c:88: (Each undeclared identifier is reported only once
../openssh/monitor_mm.c:88: for each function it appears in.)
make: *** [monitor_mm.o] Error 1

It might be well for such systems to default to --without-privsep-user in configure. Also, it would be well to add the documentation of the --with(out)-privsep-user to the 'configure --help' output.

Thanks,
-- Mark

From mouring at etoh.eviladmin.org Sat Apr 13 03:46:25 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Fri, 12 Apr 2002 12:46:25 -0500 (CDT) Subject: PLEASE TEST snapshots In-Reply-To: <200204121736.g3CHaaT74815@merlot.juniper.net> Message-ID: [..] > > ../openssh/monitor_mm.c: In function `mm_create': > ../openssh/monitor_mm.c:88: `MAP_ANON' undeclared (first use in this function) > ../openssh/monitor_mm.c:88: (Each undeclared identifier is reported only once > ../openssh/monitor_mm.c:88: for each function it appears in.) > make: *** [monitor_mm.o] Error 1 > > It might be well for such systems to default to --without-privsep-user > in configure Also, it would be well to add the documentation of the > --with(out)-privsep-user to the 'configure --help' output. > Does the following patch fix it? We are not looking to do yet another compile option. Just disable the feature for those platform which we can't easily fix for this release. Then work out the problems post-3.2 - Ben Index: monitor_mm.c =================================================================== RCS file: /var/cvs/openssh/monitor_mm.c,v retrieving revision 1.6 diff -u -r1.6 monitor_mm.c --- monitor_mm.c 7 Apr 2002 22:36:50 -0000 1.6 +++ monitor_mm.c 12 Apr 2002 17:53:12 -0000 @@ -84,7 +84,7 @@ */ mm->mmalloc = mmalloc; -#ifdef HAVE_MMAP +#if defined(HAVE_MMAP) && defined(MAP_ANON) address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0); if (address == MAP_FAILED) From mdb at juniper.net Sat Apr 13 04:25:42 2002 From: mdb at juniper.net (Mark D. Baushke) Date: Fri, 12 Apr 2002 11:25:42 -0700 Subject: PLEASE TEST snapshots In-Reply-To: Mail from Ben Lindstrom dated Fri, 12 Apr 2002 12:46:25 CDT Message-ID: <200204121825.g3CIPgT78397@merlot.juniper.net> Yes, the patch fixes my Solaris 2.6 problem. Thanks, -- Mark > Date: Fri, 12 Apr 2002 12:46:25 -0500 (CDT) 
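Review bot: with `#if defined(HAVE_MMAP) && defined(MAP_ANON)` the Solaris 2.6 build now quietly takes the `#else` path below this hunk instead of failing to compile; that path is outside the diff, so confirm it hands back memory the rest of the monitor code can use and make the degraded mode visible (a log line or a note in the configure output), because the point of this mapping is that the monitor and the unprivileged child share it. Two portability points would let the feature stay on instead: Linux headers spell the flag `MAP_ANONYMOUS` (so `#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)` / `#define MAP_ANON MAP_ANONYMOUS` avoids disabling it there), and on older Solaris the same shared anonymous region can be obtained by mapping `/dev/zero` with `MAP_SHARED`, which would fix the reported platform rather than switch it off.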
> From: Ben Lindstrom > > Does the following patch fix it? We are not looking to do yet another > compile option. Just disable the feature for those platform which we > can't easily fix for this release. Then work out the problems post-3.2 > > - Ben > > Index: monitor_mm.c > =================================================================== > RCS file: /var/cvs/openssh/monitor_mm.c,v > retrieving revision 1.6 > diff -u -r1.6 monitor_mm.c > --- monitor_mm.c 7 Apr 2002 22:36:50 -0000 1.6 > +++ monitor_mm.c 12 Apr 2002 17:53:12 -0000 > @@ -84,7 +84,7 @@ > */ > mm->mmalloc = mmalloc; > > -#ifdef HAVE_MMAP > +#if defined(HAVE_MMAP) && defined(MAP_ANON) > address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, > -1, 0); > if (address == MAP_FAILED) From m.ibarra at cdcixis-na.com Sat Apr 13 05:04:48 2002 From: m.ibarra at cdcixis-na.com (m.ibarra at cdcixis-na.com) Date: Fri, 12 Apr 2002 15:04:48 -0400 Subject: Chrooted sftp, did you getting it working? Message-ID: <9877566273EED511A7560008C716DA060288D2@exchcpn1.cdcna.com> Oh, it works, just not properly :-) If I sftp in using this patch, it shows all files as owned by UID instead of username. I am however able to now log in. My original problem was using ftp put, that failed due to the fact that I was originally following the chroot+sftp-server.patch, doc which stated that I must chmod the chrooted homedir to 555 and make it owned by root. I've since then properly rechmodded and all seems well, again aside from the UID bug noted above. Thanks again, -mike -----Original Message----- 
From: James Dennis [mailto:jdennis at law.harvard.edu]
Sent: Friday, April 12, 2002 9:33 AM
To: jm.poure at freesurf.fr; dci at webquill.com
Cc: Ibarra, Michael; openssh-unix-dev at mindrot.org; secureshell at securityfocus.com
Subject: Re: Chrooted sftp, did you getting it working?

Hello,
Chrooting sftp is not much more complicated than just chrooting ssh. It requires placing certain libraries (you can probably figure these out using truss or strace) in a location that appears the same as the regular file system while under the chroot. As far as I remember from doing this, the only thing sftp requires different from ssh is sftp-server which most likely lies in /usr/libexec or /usr/local/libexec. The best way to determine if chrooted ssh is working is to apply the patch (which I will include with this email), create a test username. Then login with the chrooted ssh daemon. It should run fine. Then change the user's home directory to have a period in it (/home/./username) and then try logging in. If it fails the patch is working because you haven't built a chroot yet so after the chroot is applied to your user the user's shell will not be found and the login fails. Chrooting ssh/sftp isn't necessarily easy, but if you're comfortable with truss or strace it becomes quite a bit easier.
Because the whole process of building a chroot is beyond the scope of my reply in regard to the patch not working I leave any inquisitive minds to finding a good article on how to build chroots to themselves (hint: a good article on chrooting ssh (not sftp) is on securityfocus.com).
Good luck to anyone. This patch does indeed work as we use it in production here at Harvard Law School.

-James

On Fri, 12 Apr 2002 08:04:03 +0200
jm.poure at freesurf.fr wrote:

> On Thursday 11 April 2002 21:09, m.ibarra at cdcixis-na.com wrote:
> > I was curious to know if you had any luck in getting openssh's sftp
> > server properly configured to allow chrooted sftp logins? I have had
> > no success and need something quickly.
>
> Dear Mike,
>
> Unfortunately, I did not succeed in getting it to work.
>
> I got in contact with James Dennis, who sent me a
> chroot patch. I applied the patch and did not succeed in logging into a chrooted
> account.
>
> The patch is quite simple. I don't understand why it does not work. Any idea?
>
> Best regards,
> Jean-Michel
>

From jdennis at law.harvard.edu Sat Apr 13 05:19:17 2002
From: jdennis at law.harvard.edu (James Dennis)
Date: Fri, 12 Apr 2002 15:19:17 -0400
Subject: Chrooted sftp, did you getting it working?
In-Reply-To: <9877566273EED511A7560008C716DA060288D2@exchcpn1.cdcna.com>
References: <9877566273EED511A7560008C716DA060288D2@exchcpn1.cdcna.com>
Message-ID: <20020412151917.3ad621a7.jdennis@law.harvard.edu>

It shows the uid instead because it can't read a passwd file to find what username is associated with the uid. Copy that file (though stripped down to just chrooted users) into the chroot under /chroot/etc/passwd where /chroot is your chroot path and you should be all set.

-James

PS. I'm sorry if this is redundant, I am not on the openssh mailing list, though I probably should be now, so I am only seeing things cc'd to me.

On Fri, 12 Apr 2002 15:04:48 -0400
m.ibarra at cdcixis-na.com wrote:

> Oh, it works, just not properly :-)
>
> If I sftp in using this patch, it shows all files as owned
> by UID instead of username. I am however able to now log in.
>
> My original problem was using ftp put, that failed due to the
> fact that I was originally following the chroot+sftp-server.patch,
> doc which stated that I must chmod the chrooted homedir to 555
> and make it owned by root. I've since then properly rechmodded
> and all seems well, again aside from the UID bug noted above.
>
> Thanks again,
>
> -mike
>
> -----Original Message-----
> From: James Dennis [mailto:jdennis at law.harvard.edu]
> Sent: Friday, April 12, 2002 9:33 AM
> To: jm.poure at freesurf.fr; dci at webquill.com
> Cc: Ibarra, Michael; openssh-unix-dev at mindrot.org;
> secureshell at securityfocus.com
> Subject: Re: Chrooted sftp, did you getting it working?
>
>
> Hello,
> Chrooting sftp is not much more complicated than just chrooting ssh. It
> requires placing certain libraries (you can probably figure these out using
> truss or strace) in a location that appears the same as the regular file
> system while under the chroot. As far as I remember from doing this, the
> only thing sftp requires different from ssh is sftp-server which most likely
> lies in /usr/libexec or /usr/local/libexec. The best way to determine if
> chrooted ssh is working is to apply the patch (which I will include with
> this email), create a test username. Then login with the chrooted ssh
> daemon. It should run fine. Then change the user's home directory to have a
> period in it (/home/./username) and then try logging in. If it fails the
> patch is working because you haven't built a chroot yet so after the chroot
> is applied to your user the user's shell will not be found and the login
> fails. Chrooting ssh/sftp isn't necessarily easy, but if you're comfortable
> with truss or strace it becomes quite a bit easier.
> Because the whole process of building a chroot is beyond the scope of my
> reply in regard to the patch not working I leave any inquisitive minds to
> finding a good article on how to build chroots to themselves (hint: a good
> article on chrooting ssh (not sftp) is on securityfocus.com).
> Good luck to anyone. This patch does indeed work as we use it in production
> here at Harvard Law School.
> -James
>
> On Fri, 12 Apr 2002 08:04:03 +0200
> jm.poure at freesurf.fr wrote:
>
> > On Thursday 11 April 2002 21:09, m.ibarra at cdcixis-na.com wrote:
> > > I was curious to know if you had any luck in getting openssh's sftp
> > > server properly configured to allow chrooted sftp logins? I have had
> > > no success and need something quickly.
> >
> > Dear Mike,
> >
> > Unfortunately, I did not succeed in getting it to work.
> >
> > I got in contact with James Dennis, who sent me a
> > chroot patch. I applied the patch and did not succeed in logging into a chrooted
> > account.
> >
> > The patch is quite simple. I don't understand why it does not work. Any idea?
> >
> > Best regards,
> > Jean-Michel
> >
>

From m.ibarra at cdcixis-na.com Sat Apr 13 05:59:42 2002
From: m.ibarra at cdcixis-na.com (m.ibarra at cdcixis-na.com)
Date: Fri, 12 Apr 2002 15:59:42 -0400
Subject: Chrooted sftp, did you getting it working?
Message-ID: <9877566273EED511A7560008C716DA060288D3@exchcpn1.cdcna.com>

Arghh! That is what I was thinking, until I tried it. %^}

username:x:100:100:Real User:/home/username:/bin/sh

/usr/local/libexec/sftp-server has been copied over to /chroot/bin/sh and I have tried with /usr/local/libexec/sftp-server as the shell too. I have also tried changing the homedir to various locations.

Hey, I am happy, it works beautifully, would just like to get it to work as you say it does :-)

Thank you,

-mike

-----Original Message-----
From: James Dennis [mailto:jdennis at law.harvard.edu] Sent: Friday, April 12, 2002 3:19 PM To: Ibarra, Michael Cc: jm.poure at freesurf.fr; dci at webquill.com; openssh-unix-dev at mindrot.org; secureshell at securityfocus.com Subject: Re: Chrooted sftp, did you getting it working? It shows the uid instead because it can't read a passwd file to find what username is associated with the uid. Copy that file (though stripped down to just chrooted users) into the chroot under /chroot/etc/passwd where /chroot is your chroot path and you should be all set. -James PS. I'm sorry if this is redundant, I am not on the openssh mailing list, though I probably should be now, so I am only seeing things cc'd to me. On Fri, 12 Apr 2002 15:04:48 -0400 m.ibarra at cdcixis-na.com wrote: > Oh, it works, just not properly :-) > > If I sftp in using this patch, it shows all files as owned > by UID instead of username. I am however able to now log in. > > My original problem was using ftp put, that failed due to the > fact that I was originally following the chroot+sftp-server.patch, > doc which stated that I must chmod the chrooted homedir to 555 > and make it owned by root. I've since then properly rechmodded > and all seems well, again aside from the UID bug noted above. > > Thanks again, > > -mike > > -----Original Message----- 
> From: James Dennis [mailto:jdennis at law.harvard.edu]
> Sent: Friday, April 12, 2002 9:33 AM
> To: jm.poure at freesurf.fr; dci at webquill.com
> Cc: Ibarra, Michael; openssh-unix-dev at mindrot.org;
> secureshell at securityfocus.com
> Subject: Re: Chrooted sftp, did you getting it working?
>
>
> Hello,
> Chrooting sftp is not much more complicated than just chrooting ssh. It
> requires placing certain libraries (you can probably figure these out using
> truss or strace) in a location that appears the same as the regular file
> system while under the chroot. As far as I remember from doing this, the
> only thing sftp requires different from ssh is sftp-server which most likely
> lies in /usr/libexec or /usr/local/libexec. The best way to determine if
> chrooted ssh is working is to apply the patch (which I will include with
> this email), create a test username. Then login with the chrooted ssh
> daemon. It should run fine. Then change the user's home directory to have a
> period in it (/home/./username) and then try logging in. If it fails the
> patch is working because you haven't built a chroot yet so after the chroot
> is applied to your user the user's shell will not be found and the login
> fails. Chrooting ssh/sftp isn't necessarily easy, but if you're comfortable
> with truss or strace it becomes quite a bit easier.
> Because the whole process of building a chroot is beyond the scope of my
> reply in regard to the patch not working I leave any inquisitive minds to
> finding a good article on how to build chroots to themselves (hint: a good
> article on chrooting ssh (not sftp) is on securityfocus.com).
> Good luck to anyone. This patch does indeed work as we use it in production
> here at Harvard Law School.
> -James
>
> On Fri, 12 Apr 2002 08:04:03 +0200
> jm.poure at freesurf.fr wrote:
>
> > On Thursday 11 April 2002 21:09, m.ibarra at cdcixis-na.com wrote:
> > > I was curious to know if you had any luck in getting openssh's sftp
> > > server properly configured to allow chrooted sftp logins? I have had
> > > no success and need something quickly.
> >
> > Dear Mike,
> >
> > Unfortunately, I did not succeed in getting it to work.
> >
> > I got in contact with James Dennis, who sent me a
> > chroot patch. I applied the patch and did not succeed in logging into a chrooted
> > account.
> >
> > The patch is quite simple. I don't understand why it does not work. Any idea?
> >
> > Best regards,
> > Jean-Michel
> >
>

From b_smith44 at hotmail.com Sat Apr 13 07:31:46 2002
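The chroot thread above ends with two practical points: the "/home/./username" marker that the patched sshd uses to find the jail, and a stripped-down /etc/passwd inside the jail so sftp-server can map uids back to names. The Python helpers below, an added example rather than the chroot patch or anything shipped with OpenSSH, implement those steps: parsing ldd output to find the libraries a binary needs (what James Dennis suggests working out by hand with truss or strace), splitting a marked home directory into jail and in-jail path, and writing the stripped passwd entries with the shell pointed at the in-jail sftp-server. The sftp-server path, the sample ldd listings and the sample passwd entries are assumptions constructed for the example.

```python
"""Chroot layout helpers for the '/home/./user' sftp jail discussed in the thread.

Added example, not the chroot patch and not part of OpenSSH. Paths, the ldd
output and the passwd entries are constructed for illustration.
"""
import os
import re
import shutil
import subprocess

# Assumption: where sftp-server lives once copied into the jail.
SFTP_SERVER_IN_JAIL = "/usr/libexec/sftp-server"

# Matches GNU ldd lines ('lib => /path (0xaddr)' and '/path (0xaddr)') as well
# as Solaris ldd lines ('lib =>  /path'); vdso, 'statically linked' and
# 'not found' lines carry no absolute path and are skipped.
LDD_LINE_RE = re.compile(
    r"^\s*(?:\S+\s+=>\s+)?(/\S+)(?:\s+\(0x[0-9a-fA-F]+\))?\s*$")


def split_chroot_home(pw_dir):
    """'/chroot/./alice' -> ('/chroot', '/alice'); raise if the marker is missing."""
    if "/./" not in pw_dir:
        raise ValueError("no /./ chroot marker in %r" % pw_dir)
    jail, inside = pw_dir.split("/./", 1)
    return (jail or "/", "/" + inside)


def parse_ldd(output):
    """Return the absolute library paths named in ldd output, in order."""
    return [m.group(1) for m in map(LDD_LINE_RE.match, output.splitlines()) if m]


def stripped_passwd(passwd_text, users, shell=SFTP_SERVER_IN_JAIL):
    """Keep only the jailed accounts; rewrite home to its in-jail form, blank
    the password field and point the shell at sftp-server inside the jail."""
    kept = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) != 7 or fields[0] not in users:
            continue
        _, inside_home = split_chroot_home(fields[5])
        fields[1] = "x"          # never carry a hash into the jail
        fields[5] = inside_home
        fields[6] = shell
        kept.append(":".join(fields))
    return "\n".join(kept) + "\n"


def build_jail(jail, binaries, users, passwd_path="/etc/passwd"):
    """Copy each binary plus its libraries under jail/ and write jail/etc/passwd.

    Needs root for a real jail. ldd may execute the binary on some systems, so
    only point it at binaries you trust.
    """
    for binary in binaries:
        ldd = subprocess.run(["ldd", binary], capture_output=True, text=True, check=False)
        for src in [binary] + parse_ldd(ldd.stdout):
            dst = os.path.join(jail, src.lstrip("/"))
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
    with open(passwd_path) as fh:
        entries = stripped_passwd(fh.read(), users)
    os.makedirs(os.path.join(jail, "etc"), exist_ok=True)
    with open(os.path.join(jail, "etc", "passwd"), "w") as fh:
        fh.write(entries)


# Constructed samples: GNU-style and Solaris-style ldd lines in one listing,
# and a passwd file in which only alice carries the chroot marker.
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x00007ffd1a3f0000)\n"
    "\tlibcrypto.so.1.1 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f3c5c000000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c5be00000)\n"
    "\t/lib64/ld-linux-x86-64.so.2 (0x00007f3c5c4a0000)\n"
    "\tlibsocket.so.1 =>    /usr/lib/libsocket.so.1\n"
)
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "alice:x:1001:1001:Alice:/chroot/./alice:/bin/sh\n"
    "bob:x:1002:1002:Bob:/home/bob:/bin/sh\n"
)

if __name__ == "__main__":
    print(parse_ldd(SAMPLE_LDD))
    print(stripped_passwd(SAMPLE_PASSWD, {"alice"}), end="")
```

A real jail also needs the device nodes and name-service files the copied binaries open at run time, which is exactly what the truss or strace run in the thread is for; the helpers only cover the library and passwd steps that the messages spell out. Writing a fresh, minimal passwd rather than copying /etc/passwd keeps the jailed user from reading other accounts' names and hashes.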
From: b_smith44 at hotmail.com (Bob Smith)
Date: Fri, 12 Apr 2002 14:31:46 -0700
Subject: getting OpenSSH/OpenSSL to utilize /dev/random
Message-ID:

i have used the SUNWski, ANDIrand, and sun's new (solaris 8 patch 112438) PRNG. they all work just fine. as i recall SUNWski, by default, only provides a /dev/random interface. you can modify the startup script to either provide /dev/urandom instead or provide both /dev/random and /dev/urandom, of course the catch here is that urandom is supposed to be non-blocking and the interface provided by SUNWski is blocking. i have seen connection startup hang when using the SUNWski package on "quiet" machines due to entropy pool depletion, but only when there are a fairly large number of session connections. i've used ANDIrand on Solaris 2.6, 7 and 8 for the past two years with no problems. i have just finished converting my Solaris 8 systems to use sun's new PRNG as sun will support it and it is the package that will be shipped with Solaris 9 and on.

i build OpenSSL with this script:

env \
CC=cc \
CXX=CC \
CFLAGS="-fast -I/local/include" \
CPPFLAGS="-I/local/include" \
CXXFLAGS="-fast -I/local/include" \
LDFLAGS="-L/local/lib -R/local/lib" \
TMPDIR="/tmp" \
./Configure \
--prefix=/local \
threads \
shared \
solaris-sparcv9-cc

if ( $? == 0 ) then
gmake
endif

then build OpenSSH with this script:

env \
CC=cc \
CXX=CC \
CFLAGS="-fast -I/local/include" \
CPPFLAGS="-I/local/include" \
LDFLAGS="-L/local/lib -R/local/lib" \
TMPDIR="/tmp" \
./configure \
--prefix=/local \
--sysconfdir=/etc/openssh \
--localstatedir=/var \
--with-tcp-wrappers \
--with-pam \
--with-ssl-dir=/local \
--disable-suid-ssh \
--with-pid-dir=/var/run

if ( $? == 0 ) then
gmake
endif

_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com

From tim at multitalents.net Sat Apr 13 14:41:29 2002
From: tim at multitalents.net (Tim Rice) Date: Fri, 12 Apr 2002 21:41:29 -0700 (PDT) Subject: scp : Problems with pathing In-Reply-To: <200204011941.OAA03593@heimdall.ttsg.com> Message-ID: On Mon, 1 Apr 2002, Tuc wrote: > > On Sun, Mar 31, 2002 at 12:01:46PM -0500, Tuc wrote: > > > > > > > > On Sat, Mar 30, 2002 at 10:33:05AM -0800, Tim Rice wrote: > > > > > So the path you want, "_PATH_STDPATH" will not be used. > > > > > I'm not sure what to do about it. I have no BSD here. > > > > > > > > BSD/OS uses the path from /etc/login.conf Please try the attached patch. If you do not have autoconf 2.52 or later, e-mail me and I'll send you configure. -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net -------------- next part -------------- --- configure.ac.old Fri Apr 12 10:26:23 2002 +++ configure.ac Fri Apr 12 20:57:56 2002 @@ -1981,17 +1981,28 @@ ) fi +dnl BSD systems use /etc/login.conf so --with-default-path= has no effect +if test $ac_cv_func_login_getcapbool = "yes" -a \ + $ac_cv_header_login_cap_h = "yes" ; then + USES_LOGIN_CONF=yes +fi # Whether to mess with the default path SERVER_PATH_MSG="(default)" AC_ARG_WITH(default-path, [ --with-default-path=PATH Specify default \$PATH environment for server], [ - if test "x$withval" != "xno" ; then + if test "$USES_LOGIN_CONF" = "yes" ; then + AC_MSG_WARN([ +--with-default-path=PATH has no effect on this system. +Edit /etc/login.conf instead.]) + elif test "x$withval" != "xno" ; then user_path="$withval" SERVER_PATH_MSG="$withval" fi ], - [ + [ if test "$USES_LOGIN_CONF" = "yes" ; then + AC_MSG_WARN([Make sure the path to scp is in /etc/login.conf]) + else AC_TRY_RUN( [ /* find out what STDPATH is */ 
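Review bot: `if test $ac_cv_func_login_getcapbool = "yes" -a $ac_cv_header_login_cap_h = "yes"` leaves both cache variables unquoted, so on a system where either check did not run (the variable is empty) the shell executes `test = "yes" -a ...`, which is a test syntax error rather than a clean "no". Write it as `test "x$ac_cv_func_login_getcapbool" = "xyes" -a "x$ac_cv_header_login_cap_h" = "xyes"` and initialise `USES_LOGIN_CONF=no` ahead of it, so that the `= "yes"` and `!= "yes"` comparisons elsewhere in the file never depend on an unset variable.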
@@ -2041,10 +2052,12 @@ AC_MSG_RESULT(Adding $t_bindir to USER_PATH so scp will work) fi fi - ] + fi ] ) -AC_DEFINE_UNQUOTED(USER_PATH, "$user_path") -AC_SUBST(user_path) +if test "$USES_LOGIN_CONF" != "yes" ; then + AC_DEFINE_UNQUOTED(USER_PATH, "$user_path") + AC_SUBST(user_path) +fi # Whether to force IPv4 by default (needed on broken glibc Linux) IPV4_HACK_MSG="no" From markus at openbsd.org Sat Apr 13 19:14:50 2002 From: markus at openbsd.org (Markus Friedl) Date: Sat, 13 Apr 2002 11:14:50 +0200 Subject: UsePrivilegeSeparation yes & HostbasedAuthentication yes In-Reply-To: References: <3CB7105F.251D2D0C@nlm.nih.gov> Message-ID: <20020413091450.GB1554@folly> hostbased and privsep is broken, because the [priv] process sends debug packets during authentication. if you remove the debug messages from auth-rh* or change them similar to auth-options then this should work. On Fri, Apr 12, 2002 at 10:01:21AM -0700, Tim Rice wrote: > > Portable CVS Thu Apr 11 20:14:16 PDT 2002 > > Has anyone been sucessfull at getting host based authentication to > work with privsep yes? > I get messages like > ... > debug1: next auth method to try is hostbased > 767e 8fd8 3c94 7172 899a a32e ca12 b73a > > Disconnecting: Bad packet length 1988005848. > debug1: Calling cleanup 0x3f074(0x0) > ... > > Is it just not working yet with privse enabled? > > -- > Tim Rice Multitalents (707) 887-1469 > tim at multitalents.net > > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From markus at openbsd.org Sat Apr 13 19:12:54 2002 
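Review bot: in the first hunk (@@ -1981) the new USES_LOGIN_CONF test leaves `$ac_cv_func_login_getcapbool` and `$ac_cv_header_login_cap_h` unquoted, so if either cache variable is unset because that check never ran, the line degenerates to `test = "yes" -a = "yes"` and configure aborts with a shell syntax error; write it as `if test "x$ac_cv_func_login_getcapbool" = "xyes" -a "x$ac_cv_header_login_cap_h" = "xyes"`. Note also that when the warning branch is taken `user_path` is never assigned, which is only safe because the later hunk stops defining USER_PATH on those systems.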
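Review bot: in the second hunk (@@ -2041) moving `AC_SUBST(user_path)` inside the `USES_LOGIN_CONF != yes` branch means any `@user_path@` in a Makefile template is left unsubstituted on login.conf systems, and whatever C code reads USER_PATH now compiles with the macro undefined there; either keep the AC_SUBST unconditional (an empty value is harmless) or confirm that every use of USER_PATH is wrapped in `#ifdef USER_PATH`.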
From: markus at openbsd.org (Markus Friedl) Date: Sat, 13 Apr 2002 11:12:54 +0200 Subject: s/key with PasswordAuthentication In-Reply-To: <3CB6B9B3.7B914DE2@efigence.com> References: <3CB6B9B3.7B914DE2@efigence.com> Message-ID: <20020413091254.GA1554@folly> On Fri, Apr 12, 2002 at 12:40:51PM +0200, Maciej Bogucki wrote: > HI! > Is it possibly to use s/key with PasswordAuthentication at the same > time? > I mean that when You enter right s/key password You have to enter right > shadow > password to logon. no. not yet. From tim at multitalents.net Sun Apr 14 04:58:35 2002 From: tim at multitalents.net (Tim Rice) Date: Sat, 13 Apr 2002 11:58:35 -0700 (PDT) Subject: PLEASE TEST snapshots In-Reply-To: <014201c1e0e6$783dcae0$9b78a8c0@oedserver> Message-ID: On Wed, 10 Apr 2002, Darren Cole wrote: > > Tested building from cvs today on hp-ux 10.26. Once I applied my patch > ( to bug > ), everything built and ran > fine. Is there anyway I can get this patch commited for 3.2? If there is > anything I can do to help get the patch accepted please let me know. A couple of questions about your patch. --- configure.ac.orig Fri Apr 12 20:57:56 2002 +++ configure.ac Sat Apr 13 10:01:51 2002 @@ -79,6 +79,23 @@ +*-*-hpux10.26) [snip] + AC_DEFINE(HAVE_SECUREWARE_PW) + AC_DEFINE(BROKEN_LOGIN) + AC_DEFINE(TRUSTED_HPUX) Are all 10.26 machines trusted HP/UX? --- sshd.c.orig Tue Apr 9 20:19:04 2002 +++ sshd.c Sat Apr 13 10:01:52 2002 @@ -47,7 +47,10 @@ #include #include #include -#include ^^ was this intentional? +#ifdef HAVE_SECUREWARE_PW +#include +#include +#endif > > Darren Cole > dcole at keysoftsys.com > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From kevin at atomicgears.com Sun Apr 14 05:51:14 2002 
From: kevin at atomicgears.com (Kevin Steves) Date: Sat, 13 Apr 2002 12:51:14 -0700 (PDT) Subject: PLEASE TEST snapshots In-Reply-To: Message-ID: On Sat, 13 Apr 2002, Tim Rice wrote: :> Tested building from cvs today on hp-ux 10.26. Once I applied my patch :> ( to bug :> ), everything built and ran :> fine. Is there anyway I can get this patch commited for 3.2? If there is :> anything I can do to help get the patch accepted please let me know. : :A couple of questions about your patch. : :--- configure.ac.orig Fri Apr 12 20:57:56 2002 :+++ configure.ac Sat Apr 13 10:01:51 2002 :@@ -79,6 +79,23 @@ : :+*-*-hpux10.26) :[snip] :+ AC_DEFINE(HAVE_SECUREWARE_PW) i'd prefer SecureWare here. :+ AC_DEFINE(BROKEN_LOGIN) i know i suggested this, but i think we need a better name for login that can't handle "--". :+ AC_DEFINE(TRUSTED_HPUX) was this in the new patch? :Are all 10.26 machines trusted HP/UX? they are the HP-UX CMW variant. this patch also requires "uselogin=yes". there is also something called VVOS which might be something like 10.24 or 11.04 which is a hybrid multi-level/CMW thing. :--- sshd.c.orig Tue Apr 9 20:19:04 2002 :+++ sshd.c Sat Apr 13 10:01:52 2002 :@@ -47,7 +47,10 @@ : #include : #include : #include :-#include :^^ was this intentional? :+#ifdef HAVE_SECUREWARE_PW :+#include :+#include :+#endif there are some other issues. i'll try to check it out soon. From tim at multitalents.net Sun Apr 14 06:08:28 2002 
From: tim at multitalents.net (Tim Rice) Date: Sat, 13 Apr 2002 13:08:28 -0700 (PDT) Subject: PLEASE TEST snapshots In-Reply-To: Message-ID: On Sat, 13 Apr 2002, Kevin Steves wrote: > On Sat, 13 Apr 2002, Tim Rice wrote: > :> Tested building from cvs today on hp-ux 10.26. Once I applied my patch > :> ( to bug > :> ), everything built and ran > :> fine. Is there anyway I can get this patch commited for 3.2? If there is > :> anything I can do to help get the patch accepted please let me know. > : > :A couple of questions about your patch. > : > :--- configure.ac.orig Fri Apr 12 20:57:56 2002 > :+++ configure.ac Sat Apr 13 10:01:51 2002 > :@@ -79,6 +79,23 @@ > : > :+*-*-hpux10.26) > :[snip] > :+ AC_DEFINE(HAVE_SECUREWARE_PW) > > i'd prefer SecureWare here. > > :+ AC_DEFINE(BROKEN_LOGIN) > > i know i suggested this, but i think we need a better name for login that > can't handle "--". I'm sure whatever names you come up with will be fine. > > :+ AC_DEFINE(TRUSTED_HPUX) > > was this in the new patch? Yes, i grabbed attachment 67 from bugzilla > > :Are all 10.26 machines trusted HP/UX? > > they are the HP-UX CMW variant. this patch also requires "uselogin=yes". > there is also something called VVOS which might be something like 10.24 or > 11.04 which is a hybrid multi-level/CMW thing. Just wanted to make sure we don't have a 10.26 machines out there that will choke on those AC_DEFINES > > :--- sshd.c.orig Tue Apr 9 20:19:04 2002 > :+++ sshd.c Sat Apr 13 10:01:52 2002 > :@@ -47,7 +47,10 @@ > : #include > : #include > : #include > :-#include > :^^ was this intentional? > :+#ifdef HAVE_SECUREWARE_PW > :+#include > :+#include > :+#endif > > there are some other issues. i'll try to check it out soon. The patch seems to work fine on the SCO side. 
I've attached a (slightly modified) diff -u version of attachment 67 -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net -------------- next part -------------- --- acconfig.h.orig Thu Apr 11 20:35:40 2002 +++ acconfig.h Sat Apr 13 10:01:51 2002 @@ -16,7 +16,7 @@ #undef BROKEN_SYS_TERMIO_H /* Define if you have SCO protected password database */ -#undef HAVE_SCO_PROTECTED_PW +#undef HAVE_SECUREWARE_PW /* If your header files don't define LOGIN_PROGRAM, then use this (detected) */ /* from environment and PATH */ @@ -165,6 +165,9 @@ /* Some versions of /bin/login need the TERM supplied on the commandline */ #undef LOGIN_NEEDS_TERM +/* Define if your login program hangs when launch with a "--" (HPUX 10.26) */ +#undef BROKEN_LOGIN + /* Define if you want to specify the path to your lastlog file */ #undef CONF_LASTLOG_FILE @@ -236,6 +239,8 @@ /* Defined if in_systm.h needs to be included with netinet/ip.h (HPUX - ) */ #undef NEED_IN_SYSTM_H +/* Defined if on a Trusted HPUX system */ +#undef TRUSTED_HPUX /* Define if you have an old version of PAM which takes only one argument */ /* to pam_strerror */ --- auth-passwd.c.orig Tue Apr 9 20:18:59 2002 +++ auth-passwd.c Sat Apr 13 11:56:16 2002 @@ -55,11 +55,11 @@ # include # include # endif -# ifdef HAVE_SCO_PROTECTED_PW +# ifdef HAVE_SECUREWARE_PW # include # include # include -# endif /* HAVE_SCO_PROTECTED_PW */ +# endif /* HAVE_SECUREWARE_PW */ # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) # include # endif @@ -102,12 +102,9 @@ char *encrypted_password; char *pw_password; char *salt; -#ifdef __hpux +#if defined(__hpux) || defined(HAVE_SECUREWARE_PW) struct pr_passwd *spw; -#endif -#ifdef HAVE_SCO_PROTECTED_PW - struct pr_passwd *spw; -#endif /* HAVE_SCO_PROTECTED_PW */ +#endif /* __hpux || HAVE_SECUREWARE_PW */ #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) struct spwd *spw; #endif 
@@ -183,18 +180,18 @@ pw_password = spw->sp_pwdp; #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ -#ifdef HAVE_SCO_PROTECTED_PW +#ifdef HAVE_SECUREWARE_PW spw = getprpwnam(pw->pw_name); if (spw != NULL) pw_password = spw->ufld.fd_encrypt; -#endif /* HAVE_SCO_PROTECTED_PW */ +#endif /* HAVE_SECUREWARE_PW */ #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) pw_password = spw->pwa_passwd; #endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */ -#if defined(__hpux) +#if defined(__hpux) && !defined(HAVE_SECUREWARE_PW) if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL) pw_password = spw->ufld.fd_encrypt; #endif /* defined(__hpux) */ @@ -214,17 +211,17 @@ else encrypted_password = crypt(password, salt); #else /* HAVE_MD5_PASSWORDS */ -# ifdef __hpux +# if defined(__hpux) && !defined(HAVE_SECUREWARE_PW) if (iscomsec()) encrypted_password = bigcrypt(password, salt); else encrypted_password = crypt(password, salt); # else -# ifdef HAVE_SCO_PROTECTED_PW +# ifdef HAVE_SECUREWARE_PW encrypted_password = bigcrypt(password, salt); # else encrypted_password = crypt(password, salt); -# endif /* HAVE_SCO_PROTECTED_PW */ +# endif /* HAVE_SECUREWARE_PW */ # endif /* __hpux */ #endif /* HAVE_MD5_PASSWORDS */ --- configure.ac.orig Fri Apr 12 20:57:56 2002 +++ configure.ac Sat Apr 13 10:01:51 2002 @@ -79,6 +79,23 @@ *-*-darwin*) AC_DEFINE(BROKEN_GETADDRINFO) ;; +*-*-hpux10.26) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -Ae" + fi + CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1" + IPADDR_IN_DISPLAY=yes + AC_DEFINE(HAVE_SECUREWARE_PW) + AC_DEFINE(USE_PIPES) + AC_DEFINE(BROKEN_LOGIN) + AC_DEFINE(TRUSTED_HPUX) + AC_DEFINE(LOGIN_NEEDS_UTMPX) + AC_DEFINE(DISABLE_SHADOW) + AC_DEFINE(DISABLE_UTMP) + AC_DEFINE(SPT_TYPE,SPT_PSTAT) + LIBS="$LIBS -lxnet -lsec -lsecpw" + disable_ptmx_check=yes + ;; *-*-hpux10*) if test -z "$GCC"; then CFLAGS="$CFLAGS -Ae" 
@@ -217,7 +234,7 @@ no_dev_ptmx=1 AC_DEFINE(BROKEN_SYS_TERMIO_H) AC_DEFINE(USE_PIPES) - AC_DEFINE(HAVE_SCO_PROTECTED_PW) + AC_DEFINE(HAVE_SECUREWARE_PW) AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(BROKEN_SAVED_UIDS) AC_CHECK_FUNCS(getluid setluid) @@ -231,7 +248,7 @@ no_dev_ptmx=1 rsh_path="/usr/bin/rcmd" AC_DEFINE(USE_PIPES) - AC_DEFINE(HAVE_SCO_PROTECTED_PW) + AC_DEFINE(HAVE_SECUREWARE_PW) AC_DEFINE(DISABLE_SHADOW) AC_CHECK_FUNCS(getluid setluid) MANTYPE=man @@ -1876,12 +1893,14 @@ fi if test -z "$no_dev_ptmx" ; then - AC_CHECK_FILE("/dev/ptmx", - [ - AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX) - have_dev_ptmx=1 - ] - ) + if test "x$disable_ptmx_check" != "xyes" ; then + AC_CHECK_FILE("/dev/ptmx", + [ + AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX) + have_dev_ptmx=1 + ] + ) + fi fi AC_CHECK_FILE("/dev/ptc", [ --- session.c.orig Tue Apr 9 20:19:04 2002 +++ session.c Sat Apr 13 10:01:51 2002 @@ -1117,7 +1117,12 @@ #ifdef xxxLOGIN_NEEDS_TERM (s->term ? s->term : "unknown"), #endif /* LOGIN_NEEDS_TERM */ +#ifdef BROKEN_LOGIN + /* The "--" makes login hang on Trusted HP-UX 10.26 */ + "-p", "-f", pw->pw_name, (char *)NULL); +#else "-p", "-f", "--", pw->pw_name, (char *)NULL); +#endif /* Login couldn't be executed, die. */ @@ -1727,6 +1732,18 @@ */ if (c->ostate != CHAN_OUTPUT_CLOSED) chan_write_failed(c); +#ifdef TRUSTED_HPUX + /* + * Took two lines from a patch at: + * + * by John C. Bowman + * There is some speculation that you could possibly + * see data loss from this on usenet. But without + * this sshd does not exit on logout. + */ + if (s->ttyfd != -1 && c->istate == CHAN_INPUT_OPEN) + chan_read_failed(c); +#endif s->chanid = -1; } --- sshd.c.orig Tue Apr 9 20:19:04 2002 +++ sshd.c Sat Apr 13 10:01:52 2002 @@ -47,7 +47,10 @@ #include #include #include -#include +#ifdef HAVE_SECUREWARE_PW +#include +#include +#endif #include "ssh.h" #include "ssh1.h" 
@@ -785,6 +788,10 @@ Key *key; int ret, key_used = 0; +#ifdef HAVE_SECUREWARE_PW + (void) set_auth_parameters(ac, av); +#endif + __progname = get_progname(av[0]); init_rng(); @@ -996,10 +1003,6 @@ /* Configuration looks good, so exit if in test mode. */ if (test_flag) exit(0); - -#ifdef HAVE_SCO_PROTECTED_PW - (void) set_auth_parameters(ac, av); -#endif /* Initialize the log (it is reinitialized below in case we forked). */ if (debug_flag && !inetd_flag) From jmknoble at pobox.com Sun Apr 14 06:39:57 2002 From: jmknoble at pobox.com (Jim Knoble) Date: Sat, 13 Apr 2002 16:39:57 -0400 Subject: PLEASE TEST snapshots In-Reply-To: ; from kevin@atomicgears.com on Sat, Apr 13, 2002 at 12:51:14PM -0700 References: Message-ID: <20020413163957.A17877@zax.half.pint-stowp.cx> Circa 2002-Apr-13 12:51:14 -0700 dixit Kevin Steves: : :+ AC_DEFINE(BROKEN_LOGIN) : : i know i suggested this, but i think we need a better name for login that : can't handle "--". What does '--' do? Perhaps: LOGIN_DOESNT_ Or, one of these: LOGIN_DOESNT_GROK_DOUBLEDASH DOUBLEDASH_CHALLENGED_LOGIN NO_LOGIN_DOUBLEDASH -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 262 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020413/30a06213/attachment.bin From bugzilla-daemon at mindrot.org Mon Apr 15 00:52:44 2002 
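Review bot: in the acconfig.h hunk (@@ -16,7) the comment above the renamed `#undef HAVE_SECUREWARE_PW` still reads "Define if you have SCO protected password database", yet the configure.ac hunk now defines the macro for `*-*-hpux10.26` as well; reword it to name the SecureWare protected password database (SCO and Trusted HP-UX 10.26) so the rename does not leave a misleading comment behind.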
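Review bot: in the acconfig.h hunk (@@ -165,6) the new comment has a typo, "hangs when launch with a "--"" should read "hangs when launched with a "--"", and BROKEN_LOGIN says nothing about what is broken; a name that states the condition, such as the NO_LOGIN_DOUBLEDASH suggested elsewhere in this thread, would make the session.c `#ifdef` self-explanatory.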
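Review bot: in the auth-passwd.c crypt-selection hunk (@@ -214,17) `# ifdef __hpux` becomes `# if defined(__hpux) && !defined(HAVE_SECUREWARE_PW)` but the closing `# endif /* __hpux */` comment is left stale, and the preceding hunk (@@ -183,18) leaves `#endif /* defined(__hpux) */` stale in the same way; update both. Behaviourally, with HAVE_SECUREWARE_PW defined on HP-UX the `iscomsec()` test is no longer consulted and `bigcrypt()` is used unconditionally, matching the SCO branch; that is correct only if every 10.26 host is in trusted mode, which the thread asserts, so record that assumption in a comment next to the `#if`.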
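Review bot: the new `*-*-hpux10.26)` case in configure.ac (@@ -79,6) only takes effect because it sits ahead of the `*-*-hpux10*)` glob (case takes the first match), so a one-line comment saying it must stay before that entry would stop a later reorder from silently dropping it. It also repeats the `-Ae` and CPPFLAGS setup of the generic hpux10 entry and sets TRUSTED_HPUX and `-lxnet -lsec -lsecpw` unconditionally; defensible given the thread's statement that all 10.26 hosts are CMW, but an AC_CHECK_LIB for secpw would turn a wrong assumption into a configure-time failure instead of a link error.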
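Review bot: the added `disable_ptmx_check` variable (configure.ac @@ -1876,12) duplicates what `no_dev_ptmx=1` already does in the SCO entries, since the surrounding `if test -z "$no_dev_ptmx"` already skips the /dev/ptmx check; setting `no_dev_ptmx=1` in the hpux10.26 case instead removes the second variable and the extra nesting this hunk adds.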
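Review bot: dropping the `--` under BROKEN_LOGIN (session.c @@ -1117,7) means login will parse `pw->pw_name` as an option if it ever begins with a dash; pw_name comes from the passwd database, so it is an administrator-controlled value, but the comment should say this protection is being traded away on 10.26 rather than only that `--` hangs login, and the bare `#endif` should carry a `/* BROKEN_LOGIN */` tag like the neighbouring `#endif /* LOGIN_NEEDS_TERM */`.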
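Review bot: the TRUSTED_HPUX block in session.c (@@ -1727,6) cites "a patch at:" with an empty reference and hedges its own justification ("some speculation ... data loss"); for a change that forces the read side of the channel closed with `chan_read_failed()`, the comment should state what is actually known (without it sshd does not exit on logout on Trusted HP-UX 10.26, as both the comment and the thread say), give the reference or drop the usenet hearsay, and say why the `s->ttyfd != -1` condition is the right discriminator.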
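Review bot: the `-#include` line in the sshd.c include hunk (@@ -47,7) removes an unconditional include that the author says in this thread was dropped unintentionally while moving the patch from 3.1p1 to current CVS; restore it ahead of the new `#ifdef HAVE_SECUREWARE_PW` block so the hunk only adds the SecureWare headers.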
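Review bot: moving `set_auth_parameters(ac, av)` to before `get_progname(av[0])` and `init_rng()` (sshd.c @@ -785,6) is the usual requirement for that call, which has to run before anything else in main() touches argv, and with the old call site after the `-t` exit removed in the following hunk it now also runs in test mode; add a comment saying why it must stay first so nobody moves it back after option parsing, and consider logging a failure instead of discarding the return value with `(void)`.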
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 15 Apr 2002 00:52:44 +1000 (EST)
Subject: [Bug 215] No warning for failed ssh -v -R
Message-ID: <20020414145244.1DBFAE91B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=215

------- Additional Comments From markus at openbsd.org 2002-04-15 00:52 -------
Created an attachment (id=73)
please try this

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Mon Apr 15 00:55:25 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 15 Apr 2002 00:55:25 +1000 (EST)
Subject: [Bug 215] No warning for failed ssh -v -R
Message-ID: <20020414145525.54913E95F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=215

markus at openbsd.org changed:

           What       |Removed                        |Added
----------------------------------------------------------------------------
           AssignedTo |openssh-unix-dev at mindrot.org|markus at openbsd.org

------- Additional Comments From markus at openbsd.org 2002-04-15 00:55 -------
i'll look into this. check the attached patch.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dtucker at zip.com.au Mon Apr 15 08:18:59 2002
From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 15 Apr 2002 08:18:59 +1000 Subject: "make install" broken in cvs Message-ID: <3CBA0053.96B40FE7@zip.com.au> This applies to all platforms, I think: $ make install [snip] if [ ! -z "yes" ]; then \ ./install-sh -c -m 644 ssh-rand-helper.8.out /home/dtucker/openssh/openssh-cvs-test/contrib/aix/package/usr/local/man/man8/ssh-rand-helper.8 /bin/sh: 0403-057 Syntax error at line 1 : `then' is not matched. make: *** [install-files] Error 2 Looks like missing line continuation in Makefile.in. -Daz. $ diff -u Makefile.in.orig Makefile.in --- Makefile.in.orig Mon Apr 15 08:12:03 2002 +++ Makefile.in Mon Apr 15 08:12:32 2002 @@ -218,7 +218,7 @@ $(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1 $(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8 if [ ! -z "$(INSTALL_SSH_PRNG_CMDS)" ]; then \ - $(INSTALL) -m 644 ssh-rand-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 + $(INSTALL) -m 644 ssh-rand-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-rand-helper.8 ; \ fi @NO_SFTP@$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1 @NO_SFTP@$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8 From djm at mindrot.org Mon Apr 15 13:26:19 2002 From: djm at mindrot.org (Damien Miller) Date: Mon, 15 Apr 2002 13:26:19 +1000 (EST) Subject: "make install" broken in cvs In-Reply-To: <3CBA0053.96B40FE7@zip.com.au> Message-ID: On Mon, 15 Apr 2002, Darren Tucker wrote: > $ make install > [snip] > if [ ! -z "yes" ]; then \ > ./install-sh -c -m 644 ssh-rand-helper.8.out /home/dtucker/openssh/openssh-cvs-test/contrib/aix/package/usr/local/man/man8/ssh-rand-helper.8 > /bin/sh: 0403-057 Syntax error at line 1 : `then' is not matched. > make: *** [install-files] Error 2 Thanks - it should be fixed now (though the anoncvs mirrors may take a little while to catch up) -d From afiore at secure-edge.com Tue Apr 16 01:57:47 2002 
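Review bot: the fix in the Makefile.in hunk (@@ -218,7) is right: without the `; \` the backslash-continued `if` body and the following `fi` are joined into a single command, which is exactly the `then' is not matched` error in the report; it is worth checking the other `$(INSTALL)` lines in this Makefile.in that sit inside a backslash-continued `if ... fi` for the same missing terminator, since the `@NO_SFTP@` lines just below use a different mechanism and would not show the problem.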
From: afiore at secure-edge.com (Alfonso Fiore)
Date: Mon, 15 Apr 2002 17:57:47 +0200
Subject: ssh -R limitations?
Message-ID: <20020415155748.715.qmail@earth-sky-water-fire.org>

Hi there!

I have a couple of questions on the -R feature. Here is my situation:

PC_A has a private IP, an ssh client, and a service I want to see from the internet.
PC_B is a linux firewall (public IP) where there is an open port that forwards all traffic to PC_C (ssh server on port 22), which is in PC_B's LAN.

I want to create a tunnel from PC_A to PC_C to access a service on PC_A from PC_C, so I want to use ssh -R.

I made some successful tries using ssh -R connecting directly to a public IP machine, but from my tests it seems that a -R tunnel will accept only connections from the very same machine where the port is listening (localhost). Am I right? Is there a way to change this behaviour?

When I try to cross the PC_B firewall, I always get some weird error.

PC_B (which has two lan cards) is set up to forward everything that comes to port xxyy to PC_C on port 22.

From PC_A I write:

ssh -p xxyy -R aabb:localhost:aabb PC_B

I made many experiments, and I can see that PC_A correctly connects to PC_C and opens the aabb LISTEN port. When I try to connect from PC_C on localhost:aabb I receive an error.

Here is my guess: from the PC_A command line ssh understands that port aabb is listening on PC_B; could it be that ssh refuses the connection from PC_C even if it comes from localhost?

If this is not the case, is there anybody with similar experience who has any suggestion?

Note: both ssh are the cygwin windows implementation.

Thank you for your help.

With best regards,
Alfonso Fiore

From bugzilla-daemon at mindrot.org Tue Apr 16 02:14:14 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 16 Apr 2002 02:14:14 +1000 (EST)
Subject: [Bug 216] New: ssh-keygen vs. SSH Version 2.0.13 hostkeys
Message-ID: <20020415161414.EFA4DE926@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=216

Summary: ssh-keygen vs. SSH Version 2.0.13 hostkeys
Product: Portable OpenSSH
Version: 3.1p1
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: ssh-keygen
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: coder at mindspring.com

Using precompiled binaries from sunfreeware.com, I have the following problem:

# ssh-keygen -i -f ./hostkey
ssh_dss_sign: sign failed
xrealloc: out of memory (new_size 4290723536 bytes)

This appears to be the same problem occurring in Bug#187. I am running Solaris 8, essentially stock. This problem has been duplicated on AIX 4.3 as well, although Tru64 4F seems to work properly.

When I downloaded and used the OpenSSH 3.0.2 binaries from sunfreeware.com, ssh-keygen converted the hostkey properly.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Apr 16 02:34:27 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 16 Apr 2002 02:34:27 +1000 (EST)
Subject: [Bug 216] ssh-keygen vs. SSH Version 2.0.13 hostkeys
Message-ID: <20020415163427.C6EB5E929@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=216

------- Additional Comments From markus at openbsd.org 2002-04-16 02:34 -------
please test against latest snapshot.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From markus at openbsd.org Tue Apr 16 03:13:40 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 15 Apr 2002 19:13:40 +0200
Subject: ssh -R limitations?
In-Reply-To: <20020415155748.715.qmail@earth-sky-water-fire.org>
References: <20020415155748.715.qmail@earth-sky-water-fire.org>
Message-ID: <20020415171340.GA22395@folly>

On Mon, Apr 15, 2002 at 05:57:47PM +0200, Alfonso Fiore wrote:
> I made some successful tries using ssh -R connecting directly to a public
> IP machine, but from my tests it seems that a -R tunnel will accept only
> connection from the very same machine where the port is listening
> (localhost). Am I right? Is there a way to change this behaviour?

$ man sshd

     GatewayPorts
             Specifies whether remote hosts are allowed to connect to ports
             forwarded for the client. By default, sshd binds remote port
             forwardings to the loopback address. This prevents other remote
             hosts from connecting to forwarded ports. GatewayPorts can be
             used to specify that sshd should bind remote port forwardings to
             the wildcard address, thus allowing remote hosts to connect to
             forwarded ports. The argument must be ``yes'' or ``no''. The
             default is ``no''.

From bugzilla-daemon at mindrot.org Tue Apr 16 04:35:11 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 16 Apr 2002 04:35:11 +1000 (EST)
Subject: [Bug 217] New: mdoc2man.pl puts wrong name into ssh.1 man page
Message-ID: <20020415183511.B09B6E94B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=217

Summary: mdoc2man.pl puts wrong name into ssh.1 man page
Product: Portable OpenSSH
Version: 3.1p1
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: Documentation
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: pspencer at fields.utoronto.ca

On systems where mdoc2man.pl is used, it puts the wrong name ("sftp" instead of "ssh") into the ssh.1 man page. For example, under GatewayPorts:

"By default, sftp binds local port forwardings .... GatewayPorts can be used to specify that sftp should bind local port forwardings ..."

The problem is that ssh.1 includes the following lines:

when specifying configuration options using the
.Nm ssh ,
.Nm scp and
.Nm sftp
.Fl o option.

In mdoc2man.pl the line ".Nm sftp" sets $name to be "sftp" so subsequent unqualified uses of ".Nm" produce "sftp" instead of "ssh". The attached patch fixes the problem by not allowing $name to be redefined once set.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Apr 16 04:37:47 2002
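The mechanism in the report, as an added example that is not the project's mdoc2man.pl: a small model of the `.Nm` handling that shows the bare `.Nm` taking the last qualified name when $name is allowed to be redefined, and the first name once it is locked as the attached patch does. The troff rendering and the excerpt of ssh.1 are constructed assumptions.

```python
"""Model of the .Nm handling that bug 217 describes in mdoc2man.pl.

mdoc's .Nm prints the document's name: ".Nm foo" prints "foo" and records
a name that a later bare ".Nm" expands to.  The bug: every ".Nm foo" line
overwrote the recorded name, so the ".Nm sftp" in ssh.1 made every later
bare ".Nm" come out as "sftp".  Added example, not the project's script;
the \\fB...\\fR rendering is a simplified assumption.
"""
import re

# ".Nm", ".Nm ssh", ".Nm ssh ," or ".Nm scp and"
_NM = re.compile(r'^\.Nm(?:\s+(\S+))?(?:\s+(.*))?$')


def render_nm(lines, lock_name=True):
    """Render .Nm lines; lock_name=False reproduces the reported bug."""
    name = None
    out = []
    for line in lines:
        m = _NM.match(line)
        if not m:
            out.append(line)
            continue
        arg, trailing = m.group(1), m.group(2) or ''
        if arg is not None:
            # The fix from the report: once $name is set it is never redefined.
            if name is None or not lock_name:
                name = arg
            shown = arg
        else:
            shown = name if name is not None else ''
        out.append(('\\fB' + shown + '\\fR ' + trailing).rstrip())
    return out


# Constructed excerpt modelled on the ssh.1 lines quoted in the report.
SSH1_EXCERPT = [
    '.Nm ssh',
    'when specifying configuration options using the',
    '.Nm ssh ,',
    '.Nm scp and',
    '.Nm sftp',
    '.Fl o option.',
    'By default,',
    '.Nm',
    'binds local port forwardings to the loopback address.',
]


def name_used_for_bare_nm(lines, lock_name=True):
    """Return what the last bare .Nm in `lines` rendered as, or None."""
    rendered = render_nm(lines, lock_name)
    bare = [r for src, r in zip(lines, rendered) if src.strip() == '.Nm']
    return bare[-1] if bare else None


if __name__ == '__main__':
    print('buggy:', name_used_for_bare_nm(SSH1_EXCERPT, lock_name=False))
    print('fixed:', name_used_for_bare_nm(SSH1_EXCERPT, lock_name=True))
```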
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 16 Apr 2002 04:37:47 +1000 (EST)
Subject: [Bug 217] mdoc2man.pl puts wrong name into ssh.1 man page
Message-ID: <20020415183747.04108E96F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=217

------- Additional Comments From pspencer at fields.utoronto.ca 2002-04-16 04:37 -------
Created an attachment (id=74)
Prevent mdoc2man.pl from using wrong name in man pages

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From police at terrabox.com Tue Apr 16 05:19:17 2002
From: police at terrabox.com (police at terrabox.com)
Date: Mon, 15 Apr 2002 14:19:17 -0500 (CDT)
Subject: ssh corp versus openssh
In-Reply-To: <20020415155748.715.qmail@earth-sky-water-fire.org>
Message-ID:

Hi all,

I have a system running ssh2.4 from SSH corp and another running openssh 2.9p2. When I try to go from ssh2.4 to the openssh2.9 system I get in the logs:

sshd[pid]: fatal: no hostkey alg

I am using Protocol 2 on both?? Does anyone have a clue???

Thanks in advance.

From dcole at keysoftsys.com Tue Apr 16 04:15:28 2002
From: dcole at keysoftsys.com (Darren Cole) Date: Mon, 15 Apr 2002 11:15:28 -0700 Subject: PLEASE TEST snapshots References: Message-ID: <01fc01c1e4be$6e4b43b0$9b78a8c0@oedserver> > > :A couple of questions about your patch. > > :--- configure.ac.orig Fri Apr 12 20:57:56 2002 > > :+++ configure.ac Sat Apr 13 10:01:51 2002 > > :@@ -79,6 +79,23 @@ > > : > > :+*-*-hpux10.26) > > :[snip] > > :+ AC_DEFINE(HAVE_SECUREWARE_PW) > > > > i'd prefer SecureWare here. Yes, but I felt that since the original define was SCO_PROTECTED_PW, it made sense to me to keep it similar > > :+ AC_DEFINE(BROKEN_LOGIN) > > > > i know i suggested this, but i think we need a better name for login that > > can't handle "--". > > I'm sure whatever names you come up with will be fine. Yeah, I didn't really like BROKEN_LOGIN either but was the best I could think of. Maybe instead NO_LOGIN_DOUBLEDASH? > > > > :+ AC_DEFINE(TRUSTED_HPUX) > > > > was this in the new patch? > > Yes, i grabbed attachment 67 from bugzilla New version of an existing patch (that was also in bugzilla). In the future would it be beter to just post the patch to the list? Instead of just bugzilla? > > > > :Are all 10.26 machines trusted HP/UX? > > > > they are the HP-UX CMW variant. this patch also requires "uselogin=yes". > > there is also something called VVOS which might be something like 10.24 or > > 11.04 which is a hybrid multi-level/CMW thing. > > Just wanted to make sure we don't have a 10.26 machines out there that > will choke on those AC_DEFINES All 10.26 machines are CMW machines. > > > > :--- sshd.c.orig Tue Apr 9 20:19:04 2002 > > :+++ sshd.c Sat Apr 13 10:01:52 2002 > > :@@ -47,7 +47,10 @@ > > : #include > > : #include > > : #include > > :-#include > > :^^ was this intentional? It was unintentional. I looks like between 3.1p1 and current CVS this include was added, when I moved my 3.1p1 to CVS current it must have removed this line. 
> > :+#ifdef HAVE_SECUREWARE_PW > > :+#include > > :+#include > > :+#endif > > > The patch seems to work fine on the SCO side. > I've attached a (slightly modified) diff -u version of attachment 67 I took a quick look at don't see any problems, but will take a better look shortly. >> :+ AC_DEFINE(TRUSTED_HPUX) >> was this in the new patch? Yes, I used it to ifdef out the lines in session.c to fix an hang on exit problem. This is the part from the diff. *** 1727,1732 **** --- 1732,1749 ---- */ if (c->ostate != CHAN_OUTPUT_CLOSED) chan_write_failed(c); + #ifdef TRUSTED_HPUX + /* + * Took two lines from a patch at: + * + * by John C. Bowman + * There is some speculation that you could possibly + * see data loss from this on usenet. But without + * this sshd does not exit on logout. + */ + if (s->ttyfd != -1 && c->istate == CHAN_INPUT_OPEN) + chan_read_failed(c); + #endif s->chanid = -1; } If the lines of code are not include exit always hangs. Even without any backgrounded processes it will hang. Other solutions will be warmly welcomed. >> :Are all 10.26 machines trusted HP/UX? >> they are the HP-UX CMW variant. this patch also requires "uselogin=yes". >> there is also something called VVOS which might be something like 10.24 or >>11.04 which is a hybrid multi-level/CMW thing. This patch does not require "userlogin=yes"for users to be able to login. It just requires it if you want all security setup done correctly (clearance set, privileges set, administration specific to CMW, etc.). Eventually I will probably add all the code to do what login does, and add privilege bracketing. It is that just right now this is not a priority for what is needed at work. Darren Cole dcole at keysoftsys.com From bugzilla-daemon at mindrot.org Tue Apr 16 08:03:10 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 16 Apr 2002 08:03:10 +1000 (EST)
Subject: [Bug 217] mdoc2man.pl puts wrong name into ssh.1 man page
Message-ID: <20020415220310.26F7DE93E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=217

------- Additional Comments From pspencer at fields.utoronto.ca 2002-04-16 08:03 -------
Created an attachment (id=75)
CORRECTION to previous patch

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Apr 16 08:16:19 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 16 Apr 2002 08:16:19 +1000 (EST)
Subject: [Bug 217] mdoc2man.pl puts wrong name into ssh.1 man page
Message-ID: <20020415221619.F21ABE953@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=217

------- Additional Comments From pspencer at fields.utoronto.ca 2002-04-16 08:16 -------
Created an attachment (id=76)
AARRGGHH!! How can I make so many mistakes in a simple patch? This third one should be correct!

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dcole at keysoftsys.com Tue Apr 16 08:06:27 2002
From: dcole at keysoftsys.com (Darren Cole)
Date: Mon, 15 Apr 2002 15:06:27 -0700
Subject: PLEASE TEST snapshots
References:
Message-ID: <024501c1e4c9$dc899c90$9b78a8c0@oedserver>

> The patch seems to work fine on the SCO side.
> I've attached a (slightly modified) diff -u version of attachment 67

I don't see any problems. Built ssh with the patch, and everything worked.

Darren Cole
dcole at keysoftsys.com

From bugzilla-daemon at mindrot.org Tue Apr 16 18:17:56 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 16 Apr 2002 18:17:56 +1000 (EST)
Subject: [Bug 187] ssh-keygen not converting from and to SECSH standard correctly
Message-ID: <20020416081756.75CEBE91F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=187

markus at openbsd.org changed:

           What       |Removed                        |Added
----------------------------------------------------------------------------
           Status     |RESOLVED                       |REOPENED
           Resolution |WORKSFORME                     |

------- Additional Comments From markus at openbsd.org 2002-04-16 18:17 -------
bug fixed, not WORKSFORME

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Apr 16 18:25:14 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 16 Apr 2002 18:25:14 +1000 (EST)
Subject: [Bug 216] ssh-keygen vs. SSH Version 2.0.13 hostkeys
Message-ID: <20020416082514.A15A4E93D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=216

markus at openbsd.org changed:

           What       |Removed                        |Added
----------------------------------------------------------------------------
           Status     |NEW                            |RESOLVED
           Resolution |                               |DUPLICATE

------- Additional Comments From markus at openbsd.org 2002-04-16 18:25 -------
*** This bug has been marked as a duplicate of 187 ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Apr 16 18:25:30 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 16 Apr 2002 18:25:30 +1000 (EST)
Subject: [Bug 187] ssh-keygen not converting from and to SECSH standard correctly
Message-ID: <20020416082530.104FEE955@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=187

markus at openbsd.org changed:

           What       |Removed                        |Added
----------------------------------------------------------------------------
           CC         |                               |coder at mindspring.com

------- Additional Comments From markus at openbsd.org 2002-04-16 18:25 -------
*** Bug 216 has been marked as a duplicate of this bug. ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Apr 16 21:04:39 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 16 Apr 2002 21:04:39 +1000 (EST)
Subject: [Bug 187] ssh-keygen not converting from and to SECSH standard correctly
Message-ID: <20020416110439.6C164E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=187

markus at openbsd.org changed:

           What       |Removed                        |Added
----------------------------------------------------------------------------
           Status     |REOPENED                       |RESOLVED
           Resolution |                               |FIXED

------- Additional Comments From markus at openbsd.org 2002-04-16 21:04 -------
fixed in -current

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Apr 16 23:27:12 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 16 Apr 2002 23:27:12 +1000 (EST)
Subject: [Bug 117] OpenSSH second-guesses PAM
Message-ID: <20020416132712.DA6BCE920@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=117

------- Additional Comments From fcusack at fcusack.com 2002-04-16 23:27 -------
sshd should definitely not be using 'NOUSER'. The correct thing is to use the username, regardless of whether (pw) exists. I can't understand why you would substitute the value 'NOUSER'.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 17 00:54:16 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 00:54:16 +1000 (EST)
Subject: [Bug 213] -SNAP-20020410 fails to compile under AIX 4.3.3
Message-ID: <20020416145416.69FC0E960@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=213

------- Additional Comments From dmanton at emea.att.com 2002-04-17 00:54 -------
Created an attachment (id=77)

My first ever attempt at an autoconf/autoheader configuration based on the above recommendation! Can someone knowledgeable review with a view to having this committed? Thanks.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 17 01:05:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 17 Apr 2002 01:05:32 +1000 (EST) Subject: [Bug 213] -SNAP-20020410 fails to compile under AIX 4.3.3 Message-ID: <20020416150532.404FDE975@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=213 ------- Additional Comments From dmanton at emea.att.com 2002-04-17 01:05 ------- Created an attachment (id=78) ...and the patch for defines.h to use COMPILER_CHOKES_ON_SYSTEM_ALIGN helps, too. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 17 05:35:52 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 05:35:52 +1000 (EST)
Subject: [Bug 218] New: make fails on IRIX 5.3
Message-ID: <20020416193552.507D4E916@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=218

           Summary: make fails on IRIX 5.3
           Product: Portable OpenSSH
           Version: 3.1p1
          Platform: MIPS
        OS/Version: IRIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: steve at mailaps.org

I have openssl-0.9.6c, zlib-1.1.4 and perl5.004 installed on an IRIX 5.3 system (MIPS IP22) with gcc 2.6.3. The only errors I find in config.log are of the following form:

as0: Error: conftest.c, line 1:undefined assembler operation: .stabs
        .stabs "/usr/people/steves/build/openssh-3.1p1/",100,0,0,$Ltext0

but config exits gracefully. Issuing 'make' then produces the following output:

# make
conffile=`echo sshd_config.out | sed 's/.out$//'`; \
/usr/bin/perl ./fixpaths -D/etc/ssh/ssh_config=/etc/ssh/ssh_config -D/etc/ssh/ssh_known_hosts=/etc/ssh/ssh_known_hosts -D/etc/ssh/sshd_config=/etc/ssh/sshd_config -D/usr/libexec=/usr/local/libexec -D/etc/shosts.equiv=/etc/ssh/shosts.equiv -D/etc/ssh/ssh_host_key=/etc/ssh/ssh_host_key -D/etc/ssh/ssh_host_dsa_key=/etc/ssh/ssh_host_dsa_key -D/etc/ssh/ssh_host_rsa_key=/etc/ssh/ssh_host_rsa_key -D/var/run/sshd.pid=/etc/ssh/sshd.pid -D/etc/ssh/moduli=/etc/ssh/moduli -D/etc/ssh/sshrc=/etc/ssh/sshrc -D/usr/X11R6/bin/xauth=/usr/bin/X11/xauth -D/usr/bin:/bin:/usr/sbin:/sbin=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin ./${conffile} > sshd_config.out
conffile=sshd_config: Command not found.
*** Error code 1 (bu21)

I have posted to the newsgroup comp.security.ssh and searched the archives, but can't find an answer as to why I can't build openssh3.1p1, therefore I am submitting this as a bug report.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From bugzilla-daemon at mindrot.org Wed Apr 17 07:23:22 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 07:23:22 +1000 (EST)
Subject: [Bug 219] New: authorized_keys documentation
Message-ID: <20020416212322.8109FE92E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=219

           Summary: authorized_keys documentation
           Product: Portable OpenSSH
           Version: -current
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Documentation
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: bfallik at sapient.com

Please correct the authorized_keys permissions in the man page. The man page only says "It is recommended that it not be accessible by others" but it should say "It is required that it not be accessible by any other users." I'm referring to the man page for sshd, the Files section, the authorized_keys sub-bullet.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From jason-openssh at shalott.net Wed Apr 17 10:06:21 2002
From: jason-openssh at shalott.net (Jason Stone)
Date: Tue, 16 Apr 2002 17:06:21 -0700 (PDT)
Subject: ProxyCommand commands don't exit
Message-ID: <20020416161002.S52363-100000@walter>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've noticed that when I use ProxyCommand commands to connect, the commands do not exit when ssh exits. This results in a bunch of commands piling up on the machine over time.

I experimented with four machines:

  linux-2.2.19+patches, openssh-3.0.1p1
  linux-2.2.14+patches, openssh-3.0.1p1
  freebsd-4.5-stable, openssh-2.9 localisations 20020307
  freebsd-4.3-stable, openssh-3.0.2

and in all combinations, the proxy command persisted after the client exited.

luca/home/jason-1049: ps x
  PID TTY      STAT   TIME COMMAND
15245 pts/64   S      0:00 -zsh
16258 pts/64   R      0:00 ps x
luca/home/jason-1050: ssh -o ProxyCommand="nc hermione 22" hermione true
Enter passphrase for key '/home/jason/.ssh/id_dsa':
otp-md5 495 he4606 ext
S/Key Password:
[successful authentication]
luca/home/jason-1051: ps x
  PID TTY      STAT   TIME COMMAND
15245 pts/64   S      0:00 -zsh
16265 pts/64   S      0:00 nc hermione 22
16273 pts/64   R      0:00 ps x

For completeness, I also used all of opie, rsa, passwd and hostbased auth to test, and nothing changed.

Is this a bug, a feature, or a misunderstanding?

 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet. Here's what I worry about. I worry that
 10 or 15 years from now, she will come to me and say "Daddy, where were
 you when they took freedom of the press away from the Internet?"
        -- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE8vLyAswXMWWtptckRAtv4AJ0WMTp+b0fxqwS/gZ7+u65fclUGrgCglDwr
1wGesZfuEXqeBungL55/OTY=
=imvZ
-----END PGP SIGNATURE-----

From bugzilla-daemon at mindrot.org Wed Apr 17 11:07:35 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 11:07:35 +1000 (EST)
Subject: [Bug 117] OpenSSH second-guesses PAM
Message-ID: <20020417010735.28D39E947@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=117

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Additional Comments From djm at mindrot.org 2002-04-17 11:07 -------
You do see the username, auth2.c line 193-197:

	log("input_userauth_request: illegal user %s", user);
#ifdef USE_PAM
	start_pam("NOUSER");
#endif

We fake a username with PAM to mitigate timing attacks.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 17 11:12:42 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 11:12:42 +1000 (EST)
Subject: [Bug 43] remote port forwarding failure silently ignored
Message-ID: <20020417011242.3C7ADE956@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=43

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From djm at mindrot.org 2002-04-17 11:12 -------
Bug #215 has a testing patch for this

*** This bug has been marked as a duplicate of 215 ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 17 11:20:04 2002
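The mitigation Damien describes above (calling start_pam() with a placeholder name for an unknown user, so the PAM conversation runs either way) is easier to see on a toy. The C program below is an added example, not OpenSSH code: it pairs an authentication routine that returns early for unknown accounts with one that always does the same amount of password work, and it measures that work in counted iterations of a deterministic stand-in for a slow password hash rather than in wall-clock time, so the difference is exact and testable. The account database, the passwords and slow_hash() are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not OpenSSH code): why the "NOUSER" path exists.
 * An authentication routine that bails out for unknown accounts does
 * measurably less work than one that runs the password check, so reply
 * latency alone tells a remote caller whether an account name is valid. */

#define ROUNDS 100000UL

/* Constructed toy account database; hashes are filled in by db_init(). */
struct account {
    const char *name;
    const char *password;   /* used only by db_init() to derive the hash */
    uint32_t    hash;
};

static struct account users[] = {
    { "alice", "correct horse",  0 },
    { "bob",   "battery staple", 0 },
    { "root",  "hunter2",        0 },
};
#define NUSERS (sizeof(users) / sizeof(users[0]))

/* Total hash work performed so far; callers read it to measure cost. */
static unsigned long work_counter;

/* Deliberately slow, deterministic stand-in for a real KDF (NOT a real hash):
 * every call costs exactly ROUNDS iterations, each counted in work_counter. */
static uint32_t slow_hash(const char *s)
{
    size_t len = strlen(s);
    uint32_t h = 2166136261u;                 /* FNV-1a style mixing */
    for (unsigned long i = 0; i < ROUNDS; i++) {
        h ^= len ? (uint8_t)s[i % len] : 0;   /* empty password is safe */
        h *= 16777619u;
        work_counter++;
    }
    return h;
}

static void db_init(void)
{
    static int done;
    if (done)
        return;
    for (size_t i = 0; i < NUSERS; i++)
        users[i].hash = slow_hash(users[i].password);
    done = 1;
}

static const struct account *lookup(const char *name)
{
    for (size_t i = 0; i < NUSERS; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

/* "Before": an illegal user is rejected before any hashing happens.
 * *cost receives the hash work spent on this call. */
int auth_leaky(const char *name, const char *pw, unsigned long *cost)
{
    db_init();
    unsigned long start = work_counter;
    const struct account *a = lookup(name);
    int ok = 0;
    if (a != NULL)                            /* unknown user skips slow_hash() */
        ok = (slow_hash(pw) == a->hash);
    *cost = work_counter - start;
    return ok;
}

/* "After": the same shape as start_pam("NOUSER"). The password check runs
 * against a dummy value for unknown users, so both paths cost the same and
 * only the final AND decides the outcome. */
int auth_uniform(const char *name, const char *pw, unsigned long *cost)
{
    db_init();
    unsigned long start = work_counter;
    const struct account *a = lookup(name);
    uint32_t expected = (a != NULL) ? a->hash : 0;   /* dummy for NOUSER */
    int hash_ok = (slow_hash(pw) == expected);
    int ok = hash_ok & (a != NULL);
    *cost = work_counter - start;
    return ok;
}

int main(void)
{
    unsigned long c_known, c_unknown;
    auth_leaky("alice", "correct horse", &c_known);
    auth_leaky("nosuchuser", "correct horse", &c_unknown);
    printf("leaky:   known=%lu unknown=%lu work units\n", c_known, c_unknown);
    auth_uniform("alice", "correct horse", &c_known);
    auth_uniform("nosuchuser", "correct horse", &c_unknown);
    printf("uniform: known=%lu unknown=%lu work units\n", c_known, c_unknown);
    return 0;
}
```

In the leaky version an unknown name costs zero hash iterations and a known one costs ROUNDS, which is the asymmetry a remote caller can observe as latency; the uniform version spends ROUNDS on every call and decides only at the end. The counter stands in for the clock so the test is deterministic, but on a real system the same gap shows up as response time.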
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 17 Apr 2002 11:20:04 +1000 (EST) Subject: [Bug 41] Static compilation Message-ID: <20020417012004.4288DE966@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=41 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|security |enhancement Keywords| |help-wanted ------- Additional Comments From djm at mindrot.org 2002-04-17 11:19 ------- This doesn't warrant a severity of 'security' ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 17 11:25:36 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 17 Apr 2002 11:25:36 +1000 (EST) Subject: [Bug 55] [PATCH] Kerberos v5 support in portable Message-ID: <20020417012536.ED819E97F@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=55 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2002-04-17 11:25 ------- Patch has been applied. Portable OpenSSH now has KrbV support, thanks Simon! ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 17 11:27:23 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 17 Apr 2002 11:27:23 +1000 (EST) Subject: [Bug 57] make: #error "No DATAMODEL_NATIVE specified" Message-ID: <20020417012723.B411DE989@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=57 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Additional Comments From djm at mindrot.org 2002-04-17 11:27 ------- 3 months with no followup or confirmation = no bug ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 17 11:36:53 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 17 Apr 2002 11:36:53 +1000 (EST) Subject: [Bug 63] heads-up for Solaris 9 Beta-refresh -- it has SSH Message-ID: <20020417013653.3A692E98B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=63 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX ------- Additional Comments From djm at mindrot.org 2002-04-17 11:36 ------- Valid information, but not really a bug... ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 17 11:39:49 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 11:39:49 +1000 (EST)
Subject: [Bug 120] sshd fails pty chown() when run as non-root userid
Message-ID: <20020417013949.C1D21E995@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=120

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement
           Keywords|                            |help-wanted

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 17 12:03:36 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 12:03:36 +1000 (EST)
Subject: [Bug 111] sshd syslogs raw untrusted data
Message-ID: <20020417020336.2EDEFE96E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=111

------- Additional Comments From djm at mindrot.org 2002-04-17 12:03 -------
I agree that it should be syslog's responsibility to safely encode any untrusted data. I hope you filed a bug with Sun too :)

Here's an untested patch which runs all syslog data through vis()

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 17 12:06:26 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 12:06:26 +1000 (EST)
Subject: [Bug 190] ssh locks while waiting for output of df
Message-ID: <20020417020626.D32D7E997@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=190

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2002-04-17 12:06 -------
You can always take df out of ssh_prng_cmds. Additionally -current has the means to properly debug the entropy gathering process (see "man 8 ssh-rand-helper")

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 17 12:18:10 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 12:18:10 +1000 (EST)
Subject: [Bug 108] Enable continuation with '\' (backslash) in /etc/ssh/sshd_config (feature request)
Message-ID: <20020417021810.7686FE99E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=108

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

------- Additional Comments From djm at mindrot.org 2002-04-17 12:18 -------
WONTFIX - you can avoid long lines by using multiple AllowUsers directives as each gets added to the list. E.g. your example could be written:

AllowUsers user1 at host1.somewhere.com user1 at host2.somewhere.com
AllowUsers user2 at host1.somewhere.com user2 at host3.somewhere.com

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 17 12:23:06 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 17 Apr 2002 12:23:06 +1000 (EST) Subject: [Bug 163] /dev/random not used Message-ID: <20020417022306.B6C5DE9A9@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=163 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2002-04-17 12:22 ------- The documentation issue has been resolved in -current. You should configure OpenSSL to use your /dev/random, then OpenSSL will support it automatically. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 17 12:28:41 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 17 Apr 2002 12:28:41 +1000 (EST) Subject: [Bug 168] "Could not find working OpenSSL library" Message-ID: <20020417022841.D9996E9AE@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=168 ------- Additional Comments From djm at mindrot.org 2002-04-17 12:28 ------- I don't understand the problem here: CPPFLAGS gets updated for each directory on the list with either -Idirectory or -Idirectory/include (if it exists). ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 17 12:33:21 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 17 Apr 2002 12:33:21 +1000 (EST) Subject: [Bug 217] mdoc2man.pl puts wrong name into ssh.1 man page Message-ID: <20020417023321.A9A88E9B5@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=217 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2002-04-17 12:33 ------- Thanks - applied ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 17 12:35:59 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 17 Apr 2002 12:35:59 +1000 (EST) Subject: [Bug 176] OpenSSH_3.1p1 gives X_ShmAttach error on forwarded X11 channel Message-ID: <20020417023559.2344FE9BB@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=176 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WORKSFORME ------- Additional Comments From djm at mindrot.org 2002-04-17 12:35 ------- workaround provided ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 17 12:34:16 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 17 Apr 2002 12:34:16 +1000 (EST) Subject: [Bug 172] Add multiple AuthorizedKeyFiles options Message-ID: <20020417023416.807FEE9B5@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=172 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |help-wanted ------- Additional Comments From djm at mindrot.org 2002-04-17 12:34 ------- If someone comes up with a patch, then we can discuss that. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 17 12:35:25 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 17 Apr 2002 12:35:25 +1000 (EST) Subject: [Bug 218] make fails on IRIX 5.3 Message-ID: <20020417023525.9C162E9BB@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=218 ------- Additional Comments From djm at mindrot.org 2002-04-17 12:35 ------- Very strange - are you using SGI or GNU make. can you attach the generated Makefile to this bug? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 17 12:45:34 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 12:45:34 +1000 (EST)
Subject: [Bug 113] input_userauth_request: illegal user ...
Message-ID: <20020417024534.3B54EE9D3@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=113

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From djm at mindrot.org 2002-04-17 12:45 -------
Such failures get logged anyway:

Apr 17 12:45:33 xenon sshd(pam_unix)[21188]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=localhost.localdomain user=root
Apr 17 12:45:35 xenon sshd[21188]: Failed password for root from 127.0.0.1 port 34002

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 17 12:47:08 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 12:47:08 +1000 (EST)
Subject: [Bug 143] Add reference to "rsync" in FAQ and documentation.
Message-ID: <20020417024708.EDB56E9D6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=143

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |help-wanted

------- Additional Comments From djm at mindrot.org 2002-04-17 12:46 -------
I don't think the scp manpage is an appropriate place for this (maybe in the 'see also' section) and the FAQ is more for troubleshooting. We don't yet have a good HOWTO-style document for OpenSSH. If we did, we could put the text there

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 17 12:51:41 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 17 Apr 2002 12:51:41 +1000 (EST) Subject: [Bug 119] Occassionally, SSH failed to connect and timeout after 2 hrs! Message-ID: <20020417025141.37A88E9E2@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=119 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Additional Comments From djm at mindrot.org 2002-04-17 12:51 ------- OpenSSH doesn't second-guess your TCP stacks connect() function. There are patches to implement shorter timeouts, see Bug #91 ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 17 13:04:24 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 17 Apr 2002 13:04:24 +1000 (EST) Subject: [Bug 111] sshd syslogs raw untrusted data Message-ID: <20020417030424.41C96E970@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=111 ------- Additional Comments From djm at mindrot.org 2002-04-17 13:04 ------- Created an attachment (id=79) Process all syslog data through vis() ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Apr 17 13:06:45 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 13:06:45 +1000 (EST)
Subject: [Bug 24] no controlling terminal problems
Message-ID: <20020417030645.BA84DE998@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=24

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From djm at mindrot.org 2002-04-17 13:06 -------
Five months with no followup = no bug

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From ssklar at stanford.edu Wed Apr 17 13:15:59 2002
From: ssklar at stanford.edu (Sandor W. Sklar)
Date: Tue, 16 Apr 2002 20:15:59 -0700
Subject: openssh-SNAP-20020412 and AIX ...
Message-ID:

Folks,

On AIX 4.3.3-08ML with the IBM C Compiler, and ssh configured to use the prngd-socket "/dev/egd-pool", the make bombs out at:

/usr/bin/cc -g -I. -I. -I/usr/local/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/usr/local/etc\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c monitor_fdpass.c
"monitor_fdpass.c", line 43.18: 1506-195 (S) Integral constant expression with a value greater than zero is required.
"monitor_fdpass.c", line 87.18: 1506-195 (S) Integral constant expression with a value greater than zero is required.
make: *** [monitor_fdpass.o] Error 1

(Should I be using bugzilla to report this?)

-s-

-- 
Sandor W. Sklar - Unix Systems Administrator - Stanford University ITSS
Non impediti ratione cogitationis.  http://whippet.stanford.edu/~ssklar/

From Matthew_Clarke at mindlink.bc.ca Wed Apr 17 13:27:21 2002
From: Matthew_Clarke at mindlink.bc.ca (Matthew Clarke)
Date: Tue, 16 Apr 2002 20:27:21 -0700
Subject: openssh-SNAP-20020412 and AIX ...
In-Reply-To:
References:
Message-ID: <20020417032721.GA23135@ds0.tor.maves.ca>

On Tuesday, 16 April 2002, Sandor W. Sklar told us this:

> Folks,
>
> On AIX 4.3.3-08ML with the IBM C Compiler, and ssh configured to use
> the prngd-socket "/dev/egd-pool", the make bombs out at:

[ snip sizeof(incomplete type) stuff ]

> (Should I be using bugzilla to report this?)

Already there. See bug #213.

Matt.

-- 
Thank goodness modern convenience is a thing of the remote future.
        -- Pogo, by Walt Kelly

From bugzilla-daemon at mindrot.org Wed Apr 17 13:38:29 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 13:38:29 +1000 (EST)
Subject: [Bug 108] Enable continuation with '\' (backslash) in /etc/ssh/sshd_config (feature request)
Message-ID: <20020417033829.90197E9A7@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=108

------- Additional Comments From dan at doxpara.com 2002-04-17 13:38 -------
Hmmm, I've created a few ProxyCommand pipes that wouldn't fit into 80 characters, and it wouldn't really make sense to have multiple ProxyCommand options. (are they piped together? &&'d? should I need to create a file and sh -c it?)

\ as a line extension mechanism has a decent amount of precedent -- I think it's been around since bourne shell -- and might make some configuration files easier to read. The main cost I see is that, as far as I know, there's not a mode to make grep aware of the backslash. That would mean

$ grep AllowUsers /etc/sshd/sshd_config

would return only the first line of users allowed.

So: Is it better to have something more usable and more standard for users to enter configurations into, or is it better to be compatible with per-line parsing systems? I'm not really sure. We've already sacrificed line independence -- a group of options can be encapsulated by a pattern match; the above grep would match all patterns equally.

Damien -- what's your reasoning for disliking \ notation, out of curiosity?

--Dan

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 17 13:42:56 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 13:42:56 +1000 (EST)
Subject: [Bug 111] sshd syslogs raw untrusted data
Message-ID: <20020417034256.25FE7E9E1@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=111

------- Additional Comments From tomh at po.crl.go.jp 2002-04-17 13:42 -------
A while ago vis.[ch] was removed because it wasn't used anywhere. This was helpful for another reason: AT&T's graphviz package defines a completely different vis() and has a vis.h. Since -I$(srcdir)/openbsd-compat was removed, it would always find the vis.h in /usr/local/include on systems with graphviz installed and die.

If this patch goes in, it'd be nice if the prototype for vis() could be added someplace else, instead of relying on finding vis.h in the -I searchpath.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From ssklar at stanford.edu Wed Apr 17 13:34:00 2002
From: ssklar at stanford.edu (Sandor W. Sklar)
Date: Tue, 16 Apr 2002 20:34:00 -0700
Subject: openssh-SNAP-20020412 and AIX ...
In-Reply-To: <20020417032721.GA23135@ds0.tor.maves.ca>
References: <20020417032721.GA23135@ds0.tor.maves.ca>
Message-ID:

At 8:27 PM -0700 4/16/02, Matthew Clarke wrote:
>On Tuesday, 16 April 2002, Sandor W. Sklar told us this:
>
>> Folks,
>>
>> On AIX 4.3.3-08ML with the IBM C Compiler, and ssh configured to use
>> the prngd-socket "/dev/egd-pool", the make bombs out at:
>
>[ snip sizeof(incomplete type) stuff ]
>
>> (Should I be using bugzilla to report this?)
>
>Already there. See bug #213.

ah, ok, thanks. never mind then. :-)

-s-

-- 
Sandor W. Sklar - Unix Systems Administrator - Stanford University ITSS
Non impediti ratione cogitationis.  http://whippet.stanford.edu/~ssklar/

From djm at mindrot.org Wed Apr 17 13:45:57 2002
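Damien's patch for Bug 111 (attachment 79) routes syslog output through vis(), and Tom's comment above points out that a function literally named vis() collides with graphviz's vis.h. The C code below is an added example rather than the patch itself: it performs the same kind of encoding under a distinct name, log_vis(), so that a newline, tab or terminal escape sequence inside an attacker-supplied user name cannot forge or corrupt a log line, and format_illegal_user() shows it applied to the "illegal user" message quoted in Bug 117. The encoding (printable ASCII passes through, backslash is doubled, everything else becomes \ooo) is the shape vis(3) produces with VIS_OCTAL; the sample inputs in main() are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not OpenSSH code, not BSD vis(3)): encode untrusted bytes
 * before they reach syslog. Printable ASCII passes through, backslash is
 * doubled, every other byte (newline, ESC, tab, DEL, 8-bit) becomes \ooo.
 * The name log_vis avoids colliding with any system or graphviz vis.h.
 *
 * Returns the number of bytes written to dst, excluding the NUL. Output is
 * always NUL-terminated and an escape sequence is never split on truncation. */
size_t log_vis(char *dst, size_t dstsz, const char *src)
{
    size_t out = 0;
    if (dstsz == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        unsigned char c = *p;
        if (c >= 0x20 && c < 0x7f && c != '\\') {
            if (out + 1 >= dstsz)          /* leave room for the NUL */
                break;
            dst[out++] = (char)c;
        } else if (c == '\\') {
            if (out + 2 >= dstsz)
                break;
            dst[out++] = '\\';
            dst[out++] = '\\';
        } else {
            if (out + 4 >= dstsz)          /* whole \ooo or nothing */
                break;
            dst[out++] = '\\';
            dst[out++] = (char)('0' + ((c >> 6) & 7));
            dst[out++] = (char)('0' + ((c >> 3) & 7));
            dst[out++] = (char)('0' + (c & 7));
        }
    }
    dst[out] = '\0';
    return out;
}

/* The sshd message from the thread, with the caller-controlled user name
 * encoded before it is formatted. Returns snprintf()'s length. */
int format_illegal_user(char *line, size_t linesz, const char *user)
{
    char safe[256];
    log_vis(safe, sizeof safe, user);
    return snprintf(line, linesz, "input_userauth_request: illegal user %s", safe);
}

int main(void)
{
    /* Constructed input: a "user name" carrying a newline and an ANSI
     * clear-screen sequence, the sort of thing that forges a log entry
     * or garbles a terminal reading the log. */
    char line[300];
    format_illegal_user(line, sizeof line,
                        "alice\n\033[2JApr 17 12:45:35 forged entry");
    puts(line);
    return 0;
}
```

Two design points worth keeping when adapting this: the buffer check reserves the NUL up front and refuses to emit a partial \ooo, so a truncated log line can never end in a dangling backslash that would make the next character mean something else; and the function takes the byte as unsigned, so 8-bit input is encoded rather than sign-extended into a bogus octal value.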
From: djm at mindrot.org (Damien Miller)
Date: Wed, 17 Apr 2002 13:45:57 +1000 (EST)
Subject: openssh-SNAP-20020412 and AIX ...
In-Reply-To:
Message-ID:

On Tue, 16 Apr 2002, Sandor W. Sklar wrote:

> Folks,
>
> On AIX 4.3.3-08ML with the IBM C Compiler, and ssh configured to use
> the prngd-socket "/dev/egd-pool", the make bombs out at:

Do your system header files #define CMSG_SPACE() anywhere, perhaps in sys/socket.h? It looks like that is not being picked up. Otherwise try adding the following lines to monitor_fdpass.c before the first function:

#define _X_CMSG_ALIGN(p) (((unsigned int)(p) + \
    (sizeof(int) - 1)) &~ (sizeof(int) - 1))
#define _X_CMSG_SPACE(len) (_X_CMSG_ALIGN(sizeof(struct cmsghdr)) + \
    _X_CMSG_ALIGN(len))

> "monitor_fdpass.c", line 43.18: 1506-195 (S) Integral constant
> expression with a value greater than zero is required.
> "monitor_fdpass.c", line 87.18: 1506-195 (S) Integral constant
> expression with a value greater than zero is required.
> make: *** [monitor_fdpass.o] Error 1
>
> (Should I be using bugzilla to report this?)

yes :)

-d

From bugzilla-daemon at mindrot.org Wed Apr 17 13:47:27 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 13:47:27 +1000 (EST)
Subject: [Bug 108] Enable continuation with '\' (backslash) in /etc/ssh/sshd_config (feature request)
Message-ID: <20020417034727.65D49E9AC@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=108

------- Additional Comments From djm at mindrot.org 2002-04-17 13:47 -------
It adds complexity where it is not required. OpenSSH has a simple line-at-a-time config parser, it doesn't need to be more complicated.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From ssklar at stanford.edu Wed Apr 17 14:00:54 2002
From: ssklar at stanford.edu (Sandor W. Sklar) Date: Tue, 16 Apr 2002 21:00:54 -0700 Subject: openssh-SNAP-20020412 and AIX ... In-Reply-To: References: Message-ID: At 1:45 PM +1000 4/17/02, Damien Miller wrote: >On Tue, 16 Apr 2002, Sandor W. Sklar wrote: > >> Folks, >> >> On AIX 4.3.3-08ML with the IBM C Compiler, and ssh configured to use >> the prngd-socket "/dev/egd-pool", the make bombs out at: > >Do your system header files #define CMSG_SPACE() anywhere, perhaps in >sys/socket.h? I grep'd for that define in all of /usr/include (and looked specifically in sys/socket.h), and got nothing. >It looks like that is not being picked up. Otherwise >try adding the following lines to monitor_fdpass.c before the first >function: > >#define _X_CMSG_ALIGN(p) (((unsigned int)(p) + \ > (sizeof(int) - 1)) &~ (sizeof(int) - 1)) >#define _X_CMSG_SPACE(len) (_X_CMSG_ALIGN(sizeof(struct cmsghdr)) + \ > _X_CMSG_ALIGN(len)) I have done so, as such: *** monitor_fdpass.c.orig Sun Apr 7 09:39:13 2002 --- monitor_fdpass.c Tue Apr 16 20:47:11 2002 *************** *** 31,36 **** --- 31,41 ---- #include "log.h" #include "monitor_fdpass.h" + #define _X_CMSG_ALIGN(p) (((unsigned int)(p) + \ + (sizeof(int) - 1)) &~ (sizeof(int) - 1)) + #define _X_CMSG_SPACE(len) (_X_CMSG_ALIGN(sizeof(struct cmsghdr)) + \ + _X_CMSG_ALIGN(len)) + void mm_send_fd(int socket, int fd) { ... and I receive the same error. Am I not putting your lines in the proper place? > > > >> (Should I be using bugzilla to report this?) > >yes :) ok. I promise I will in the future! :-) thanks, -s- -- Sandor W. Sklar - Unix Systems Administrator - Stanford University ITSS Non impediti ratione cogitationis. http://whippet.stanford.edu/~ssklar/ From djm at mindrot.org Wed Apr 17 15:40:21 2002 
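Review bot: the hunk defines `_X_CMSG_SPACE`, but the expression the compiler rejects at line 43 is, going by Damien's question about CMSG_SPACE() in sys/socket.h, a `CMSG_SPACE()` use, so nothing in monitor_fdpass.c ever expands the new macro and the error is unchanged. Define it under the real name, guarded so a system header's definition wins where one exists: `#ifndef CMSG_SPACE` / `#define CMSG_SPACE(len) (_X_CMSG_ALIGN(sizeof(struct cmsghdr)) + _X_CMSG_ALIGN(len))` / `#endif`. A smaller point on `_X_CMSG_ALIGN`: the `(unsigned int)` cast is harmless for the `sizeof` operands it is handed here, but `(size_t)` would be the safer cast if the macro is ever applied to a length wider than int.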
From: djm at mindrot.org (Damien Miller)
Date: Wed, 17 Apr 2002 15:40:21 +1000 (EST)
Subject: openssh-SNAP-20020412 and AIX ...
In-Reply-To:
Message-ID:

On Tue, 16 Apr 2002, Sandor W. Sklar wrote:

> I have done so, as such:
>
> *** monitor_fdpass.c.orig Sun Apr 7 09:39:13 2002 > --- monitor_fdpass.c Tue Apr 16 20:47:11 2002 > *************** > *** 31,36 **** > --- 31,41 ---- > #include "log.h" > #include "monitor_fdpass.h" > > + #define _X_CMSG_ALIGN(p) (((unsigned int)(p) + \ > + (sizeof(int) - 1)) &~ (sizeof(int) - 1)) > + #define _X_CMSG_SPACE(len) (_X_CMSG_ALIGN(sizeof(struct cmsghdr)) + \ > + _X_CMSG_ALIGN(len)) > +

my bad - that last define should be:

#define CMSG_SPACE(len) (_X_CMSG_ALIGN(sizeof(struct cmsghdr)) + \
    _X_CMSG_ALIGN(len))

-d

From bugzilla-daemon at mindrot.org Wed Apr 17 15:49:22 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 15:49:22 +1000 (EST)
Subject: [Bug 172] Add multiple AuthorizedKeyFiles options
Message-ID: <20020417054922.1F831E9D1@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=172

------- Additional Comments From alex.kiernan at thus.net 2002-04-17 15:49 -------
The patch we have is:

http://bugzilla.mindrot.org/showattachment.cgi?attach_id=48

but that's against 3.1p1, I'll update it to be against current CVS later
today (and fix the man page which I forgot last time around).

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 17 17:54:12 2002
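The AIX thread above turns on whether CMSG_SPACE() expands to an integer constant expression, which it must when it is used as an array size (the compiler's "integral constant expression" complaint is consistent with CMSG_SPACE() being used that way with no macro definition in scope). What follows is an added, self-contained example written for this page, not OpenSSH's monitor_fdpass.c: it passes a descriptor over a Unix-domain socket with SCM_RIGHTS, the operation mm_send_fd() performs, and carries a fallback CMSG_SPACE()/CMSG_LEN() under the names the code actually uses, guarded so that headers which already provide them win. The names send_fd(), recv_fd(), fdpass_roundtrip() and FDPASS_ALIGN are chosen here; the alignment follows the thread's rounding to sizeof(int), done in size_t arithmetic rather than through an unsigned int cast.

```c
/* Added example (not OpenSSH's code): SCM_RIGHTS descriptor passing with a
 * fallback CMSG_SPACE()/CMSG_LEN(). Names below are chosen for this example. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Round len up to a multiple of sizeof(int), as the thread's macros do. */
#define FDPASS_ALIGN(len) (((len) + sizeof(int) - 1) & ~(sizeof(int) - 1))

/* Fallbacks only when <sys/socket.h> provides nothing. They must be named
 * CMSG_SPACE and CMSG_LEN, since those are what the code uses as array sizes,
 * and they must expand to integer constant expressions. */
#ifndef CMSG_SPACE
#define CMSG_SPACE(len) (FDPASS_ALIGN(sizeof(struct cmsghdr)) + FDPASS_ALIGN(len))
#endif
#ifndef CMSG_LEN
#define CMSG_LEN(len) (FDPASS_ALIGN(sizeof(struct cmsghdr)) + (len))
#endif

/* Send fd over sock as ancillary data. Returns 0 on success, -1 on error. */
int send_fd(int sock, int fd)
{
    struct msghdr msg;
    struct iovec vec;
    struct cmsghdr *cmsg;
    char ch = '\0';      /* one payload byte: ancillary data needs some data */
    union {
        struct cmsghdr hdr;                 /* forces correct alignment of buf */
        char buf[CMSG_SPACE(sizeof(int))];  /* array size: must be constant */
    } cmsgbuf;

    memset(&msg, 0, sizeof(msg));
    memset(&cmsgbuf, 0, sizeof(cmsgbuf));
    vec.iov_base = &ch;  vec.iov_len = 1;
    msg.msg_iov = &vec;  msg.msg_iovlen = 1;
    msg.msg_control = cmsgbuf.buf;
    msg.msg_controllen = sizeof(cmsgbuf.buf);

    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor from sock. Returns the new descriptor number
 * (valid in this process) or -1 with errno set. */
int recv_fd(int sock)
{
    struct msghdr msg;
    struct iovec vec;
    struct cmsghdr *cmsg;
    char ch;
    int fd;
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } cmsgbuf;

    memset(&msg, 0, sizeof(msg));
    vec.iov_base = &ch;  vec.iov_len = 1;
    msg.msg_iov = &vec;  msg.msg_iovlen = 1;
    msg.msg_control = cmsgbuf.buf;
    msg.msg_controllen = sizeof(cmsgbuf.buf);

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    /* Reject a truncated or foreign control message rather than trusting
     * whatever happens to be in the buffer. */
    cmsg = CMSG_FIRSTHDR(&msg);
    if ((msg.msg_flags & MSG_CTRUNC) || cmsg == NULL ||
        cmsg->cmsg_len != CMSG_LEN(sizeof(int)) ||
        cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS) {
        errno = EINVAL;
        return -1;
    }
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

/* Constructed self-test: hand the read end of a pipe across a socketpair and
 * read a constructed 5-byte message through the received descriptor.
 * Returns the byte count read that way (5 on success) or -1. */
int fdpass_roundtrip(void)
{
    int sv[2], p[2], fd, ok = -1;
    char buf[8];

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    if (pipe(p) == -1) {
        close(sv[0]); close(sv[1]);
        return -1;
    }
    if (send_fd(sv[0], p[0]) == 0 && (fd = recv_fd(sv[1])) != -1) {
        if (write(p[1], "hello", 5) == 5 &&
            read(fd, buf, sizeof(buf)) == 5 && memcmp(buf, "hello", 5) == 0)
            ok = 5;
        close(fd);
    }
    close(p[0]); close(p[1]); close(sv[0]); close(sv[1]);
    return ok;
}

int main(void)
{
    int n = fdpass_roundtrip();
    printf("%s: %d bytes read through the passed descriptor\n",
           n == 5 ? "ok" : "FAILED", n);
    return n == 5 ? 0 : 1;
}
```

The receive side checks cmsg_len, level and type before copying the descriptor out; a monitor that skips that check and trusts msg_control blindly would treat any stray control message as a descriptor.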
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 17:54:12 +1000 (EST)
Subject: [Bug 117] OpenSSH second-guesses PAM
Message-ID: <20020417075412.64790E985@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=117

------- Additional Comments From fcusack at fcusack.com 2002-04-17 17:54 -------
Yes "YOU" see the username but PAM doesn't. How about a comment in the
code about the timing attack you are trying to mitigate?

You are eliminating the possibility that sshd might want to authenticate
someone without a local account (requesting a non-login service?).

Also, I think this is counter-productive with PAM. PAM has its own
ability to do this.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 17 19:33:25 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 19:33:25 +1000 (EST)
Subject: [Bug 220] New: sshd fails to read other users authorized_keys over nfs as root
Message-ID: <20020417093325.42998E996@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=220

           Summary: sshd fails to read other users authorized_keys over nfs as root
           Product: Portable OpenSSH
           Version: 3.0.2p1
          Platform: All
               URL: http://www.hut.fi/cc/
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P1
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: ska at cc.hut.fi

Dear openssh developers,

We're about to switch several hundred Unix/Linux hosts from the
traditional sshd 1.2.31 to OpenSSH, but we have noticed a major problem
in the way authorized keys authentication is performed by sshd.

For security reasons the nfs server does not grant root permissions to
most workstation mounts. Home directories are located on nfs mounted
disks. Here's an example of how root fails to read another user's file:

# cat ~pseudouser/.ssh/authorized_keys > /dev/null
cat: 0652-050 Cannot open /pseudo/pseudouser/.ssh/authorized_keys.
# su - pseudouser
$ cat ~pseudouser/.ssh/authorized_keys > /dev/null
$

On /var/adm/syslog/auth the error looks like this:

"Apr 15 18:02:12 foobar sshd[23892]: Authentication refused: realpath /pseudo/pseudouser/.ssh/authorized_keys failed: Permission denied"

So the problem with OpenSSH's implementation of sshd is:

- sshd expects to be able to read the public authorized_keys file from
  another user's home directory as the root user.
- Other implementations of sshd have no similar problem since the user id
  is changed appropriately to the user trying to authenticate with rsa or
  other key.

Problem has been verified to occur on the following platforms:

- 3.0.2p1 / Solaris 8
- 3.0.2p1 / AIX 4.3.2
- 3.2cvs / AIX 4.3.2

Most likely the problem will appear on other architectures as well.
I suggest checking functions like temporarily_use_uid().
A patch for 3.0.2p1 is needed as well as for 3.2cvs.

Sincerely,

Samuli Kajantola
Unix administrator
Helsinki University of Technology, Computing Centre

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From tpr.tech at spree.de Wed Apr 17 22:38:54 2002
From: tpr.tech at spree.de (Torsten Pregel)
Date: Wed, 17 Apr 2002 14:38:54 +0200
Subject: hi i have a problem with scp
Message-ID: <3CBD6CDE.2612CA3E@spree.de>

my file is >2GByte and the error message is

scp: dump/oracle.dmp: Der Wert ist zu groß für den definierten Datentyp

what is the problem ?

THANKS

-- 
>>> Tech at Spree Software Technology GmbH
 ,.,.,
 C 'c 'C    http://www.tech.spree.de
 > ' <      Torsten Pregel              Buelowstr. 66
 """""      mailto:tpr.tech at spree.de   D-10783 Berlin
            Tel.:++49/30/235 520-37     Fax.:++49/30/217 520-12   <<<

From bugzilla-daemon at mindrot.org Wed Apr 17 23:39:47 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Apr 2002 23:39:47 +1000 (EST)
Subject: [Bug 117] OpenSSH second-guesses PAM
Message-ID: <20020417133947.66C0BE95D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=117

------- Additional Comments From djm at mindrot.org 2002-04-17 23:39 -------
> You are eliminating the possibility that sshd might want to authenticate
> someone without a local account (requesting a non-login service?).

PAM shouldn't be abused to be a getpw* replacement. Quoth
http://www.opengroup.org/tech/rfc/mirror-rfc/rfc86.0.txt:

] (c) We do not address the source of information obtained from the
] "`getXbyY()'" family of calls (e.g., `getpwnam()').

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From djm at mindrot.org Wed Apr 17 23:32:58 2002
From: djm at mindrot.org (Damien Miller)
Date: Wed, 17 Apr 2002 23:32:58 +1000 (EST)
Subject: hi i have a problem with scp
In-Reply-To: <3CBD6CDE.2612CA3E@spree.de>
Message-ID:

On Wed, 17 Apr 2002, Torsten Pregel wrote:

> my file is >2GByte and the error message is
> scp: dump/oracle.dmp: Der Wert ist zu groß für den definierten Datentyp
>
> what is the problem ?

What version of OpenSSH (client and server)? What OS? Can you translate
the error message to english for me?

-d

From bugzilla-daemon at mindrot.org Thu Apr 18 00:01:50 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Apr 2002 00:01:50 +1000 (EST)
Subject: [Bug 143] Add reference to "rsync" in FAQ and documentation.
Message-ID: <20020417140150.6BE08E9B8@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=143

------- Additional Comments From dwheeler at dwheeler.com 2002-04-18 00:01 -------
The FAQ currently emphasizes troubleshooting, but that's not necessary.
A FAQ is for "frequently asked questions", and since "how do I
synchronize" can be viewed as a frequent question, I think it's
reasonable to add this information to the FAQ. In fact, PLEASE add the
text I proposed to the FAQ, since it would help many people immediately.

As far as the man page goes, changing the scp man page so that the "SEE
ALSO" section mentioned rsync would be an improvement. But using rsync's
"--rsh" flag really involves a combination of both ssh and rsync, and
some mention in the scp man page on how to use them together would make
the combination easier to use. Besides modifying scp's "SEE ALSO" man
page section, could you at least add a sentence mentioning this important
use? Many people only look at the man pages, so it's important to give
them a hint there.

Here's my proposal; just add this text to the end of the scp man page
"DESCRIPTION":

  If you want to only copy changed files using ssh's security features,
  use rsync(1) with the option --rsh="ssh", e.g.,
    rsync -a --rsh="ssh" /home/joe/stuff joeuser at joe.com:/home/joeuser/stuff

It's short, it's simple, and it shows people how to do it.
If you don't like the example, drop everything after the "e.g.", but at
least tell people about rsync, what it does, and its --rsh option.
Just a "see also" to rsync won't tell people WHY they should also see
that program.

Thanks. I'm just trying to make sure that users can use this great tool
(OpenSSH) using only the documentation they get... :-).
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Nicolas.Williams at ubsw.com Thu Apr 18 00:01:54 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Wed, 17 Apr 2002 10:01:54 -0400
Subject: [Bug 55] [PATCH] Kerberos v5 support in portable
In-Reply-To: <20020417012536.ED819E97F@shitei.mindrot.org>; from bugzilla-daemon@mindrot.org on Wed, Apr 17, 2002 at 11:25:36AM +1000
References: <20020417012536.ED819E97F@shitei.mindrot.org>
Message-ID: <20020417100152.D27398@sm2p1386swk.wdr.com>

Cool!

Now, what about Simon's GSS code? There's no RFE bug report for that
IIRC.

Nico

> ------- Additional Comments From djm at mindrot.org 2002-04-17 11:25 -------
> Patch has been applied. Portable OpenSSH now has KrbV support, thanks Simon!

-- 
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only for
the individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as
information could be intercepted, corrupted, lost, destroyed, arrive late
or incomplete, or contain viruses. The sender therefore does not accept
liability for any errors or omissions in the contents of this message
which arise as a result of e-mail transmission. If verification is
required please request a hard-copy version. This message is provided for
informational purposes and should not be construed as a solicitation or
offer to buy or sell any securities or related financial instruments.

From markus at openbsd.org Thu Apr 18 00:19:47 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 17 Apr 2002 16:19:47 +0200
Subject: [Bug 55] [PATCH] Kerberos v5 support in portable
In-Reply-To: <20020417100152.D27398@sm2p1386swk.wdr.com>
References: <20020417012536.ED819E97F@shitei.mindrot.org> <20020417100152.D27398@sm2p1386swk.wdr.com>
Message-ID: <20020417141947.GC9787@faui02>

openssh's bugzilla does not handle mail replies.

From bugzilla-daemon at mindrot.org Thu Apr 18 00:37:18 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Apr 2002 00:37:18 +1000 (EST)
Subject: [Bug 117] OpenSSH second-guesses PAM
Message-ID: <20020417143718.4F950EA01@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=117

------- Additional Comments From abartlet at samba.org 2002-04-18 00:37 -------
While there are varying ideas on the interesting ways OpenSSH could be
modified for usage without login accounts (and I see some really useful
ideas here actually) this isn't the main issue.

OpenSSH should always forward the correct username to PAM. Forwarding
the incorrect username achieves nothing - and prevents PAM from logging
'attempted login for user _____' in a consistent way across all system
daemons.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 18 00:40:57 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Apr 2002 00:40:57 +1000 (EST)
Subject: [Bug 218] make fails on IRIX 5.3
Message-ID: <20020417144057.A7119EA06@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=218

------- Additional Comments From steve at mailaps.org 2002-04-18 00:40 -------
Created an attachment (id=80)
Makefile from SGI Indigo2, IRIX 5.3, GNU make?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From yuliy at mobiltel.bg Thu Apr 18 01:13:57 2002
From: yuliy at mobiltel.bg (Yuliy Minchev)
Date: Wed, 17 Apr 2002 18:13:57 +0300 (EEST)
Subject: [Bug 143] Add reference to "rsync" in FAQ and documentation.
In-Reply-To: <20020417140150.6BE08E9B8@shitei.mindrot.org>
Message-ID:

> If you want to only copy changed files using ssh's security features,
> use rsync(1) with the option --rsh="ssh", e.g.,
> rsync -a --rsh="ssh" /home/joe/stuff joeuser at joe.com:/home/joeuser/stuff

or

rsync -av -e ssh /home/joe/stuff joeuser at joe.com:/home/joeuser/stuff

or

use rsync(1) with the option -e ssh or --rsh="ssh", e.g.,

> It's short, it's simple, and it shows people how to do it.
> If you don't like the example, drop everything after the "e.g.", but at least
> tell people about rsync, what it does, and its --rsh option.
> Just a "see also" to rsync won't tell people WHY they should also see that
> program.
>
> Thanks. I'm just trying to make sure that users can use this great tool
> (OpenSSH) using only the documentation they get... :-).

-- 
Yuliy Minchev, UNIX Administrator

From bugzilla-daemon at mindrot.org Thu Apr 18 02:03:58 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Apr 2002 02:03:58 +1000 (EST)
Subject: [Bug 221] New: updates for OpenSC support
Message-ID: <20020417160358.4552DEA0C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=221

           Summary: updates for OpenSC support
           Product: Portable OpenSSH
           Version: -current
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Miscellaneous
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: markus at openbsd.org

patches from Antti Tapaninen

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 18 02:04:49 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Apr 2002 02:04:49 +1000 (EST)
Subject: [Bug 221] updates for OpenSC support
Message-ID: <20020417160449.78EB8E9BA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=221

------- Additional Comments From markus at openbsd.org 2002-04-18 02:04 -------
Created an attachment (id=81)
readme patch

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 18 02:21:53 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Apr 2002 02:21:53 +1000 (EST)
Subject: [Bug 221] updates for OpenSC support
Message-ID: <20020417162153.DE2C9E9BC@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=221

------- Additional Comments From markus at openbsd.org 2002-04-18 02:21 -------
Created an attachment (id=82)
configure patch

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From ssklar at stanford.edu Thu Apr 18 04:28:54 2002
From: ssklar at stanford.edu (Sandor W. Sklar)
Date: Wed, 17 Apr 2002 11:28:54 -0700
Subject: openssh-SNAP-20020412 and AIX ...
In-Reply-To:
References:
Message-ID:

At 3:40 PM +1000 4/17/02, Damien Miller wrote:
>
>
>my bad - that last define should be:
>
>#define CMSG_SPACE(len) (_X_CMSG_ALIGN(sizeof(struct cmsghdr)) + \
>    _X_CMSG_ALIGN(len))

after changing that define, everything compiled fine (a few warnings,
but nothing major.) Thanks very much!

Is there anything I need to do to have the fix for this problem
integrated into the source tree before the next release?

Thanks again,

--Sandy

-- 
Sandor W. Sklar - Unix Systems Administrator - Stanford University ITSS
Non impediti ratione cogitationis. http://whippet.stanford.edu/~ssklar/

From bugzilla-daemon at mindrot.org Thu Apr 18 06:01:33 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Apr 2002 06:01:33 +1000 (EST)
Subject: [Bug 220] sshd fails to read other users authorized_keys over nfs as root
Message-ID: <20020417200133.5028BE96B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=220

------- Additional Comments From markus at openbsd.org 2002-04-18 06:01 -------
i think i've seen this before and it was related to the realpath()
implementation....

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 18 06:08:17 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Apr 2002 06:08:17 +1000 (EST)
Subject: [Bug 219] authorized_keys documentation
Message-ID: <20020417200817.A83EDE9D2@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=219

------- Additional Comments From markus at openbsd.org 2002-04-18 06:08 -------
hm, it's just required for StrictModes=yes.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 18 12:26:48 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Apr 2002 12:26:48 +1000 (EST)
Subject: [Bug 222] New: configure finds getnameinfo() but not getaddrinfo()
Message-ID: <20020418022648.6D85DE972@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=222

           Summary: configure finds getnameinfo() but not getaddrinfo()
           Product: Portable OpenSSH
           Version: 3.1p1
          Platform: Alpha
        OS/Version: OSF/1
            Status: NEW
          Severity: major
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: urban at spielwiese.de

there are two versions of getaddrinfo() in libc, ogetaddrinfo() and
ngetaddrinfo(). This allows a choice between two compatibility modes.
Programmers must include in order to suck in the correct #definition for
getaddrinfo().

In the configure test program used to determine if getaddrinfo() is
present, is not included, and configure thus concludes that getaddrinfo()
is missing, and #undefs HAVE_GETADDRINFO in config.h

However, configure does find getnameinfo(), so it #defines
HAVE_GETNAMEINFO. The OpenSSH getaddrinfo() and Tru64's getnameinfo()
don't play well together.

It would help countless poor Tru64 souls avoid a traumatic OpenSSH
failure if you could address this problem!

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From djm at mindrot.org Thu Apr 18 16:36:52 2002
From: djm at mindrot.org (Damien Miller)
Date: Thu, 18 Apr 2002 16:36:52 +1000 (EST)
Subject: Please test: Kerberos v5 support in portable
In-Reply-To: <20020417012536.ED819E97F@shitei.mindrot.org>
Message-ID:

Could KerberosV users (both MIT and Heimdal) please test CVS -current and
report back on this? File new bugs if you run into problems.

Thanks,
Damien Miller

On Wed, 17 Apr 2002, bugzilla-daemon at mindrot.org wrote:

> http://bugzilla.mindrot.org/show_bug.cgi?id=55
>
> djm at mindrot.org changed:
>
>            What    |Removed                     |Added
> ----------------------------------------------------------------------------
>              Status|NEW                         |RESOLVED
>          Resolution|                            |FIXED
>
>
>
> ------- Additional Comments From djm at mindrot.org 2002-04-17 11:25 -------
> Patch has been applied. Portable OpenSSH now has KrbV support, thanks Simon!
>
>
>
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From sturle.sunde at usit.uio.no Thu Apr 18 18:47:09 2002
From: sturle.sunde at usit.uio.no (Sturle Sunde)
Date: 18 Apr 2002 10:47:09 +0200
Subject: [Bug 143] Add reference to "rsync" in FAQ and documentation.
In-Reply-To:
References:
Message-ID:

Yuliy Minchev writes:

> rsync -av -e ssh /home/joe/stuff joeuser at joe.com:/home/joeuser/stuff

There is a bug if you depend on ssh-rand-helper and possibly external
programs to collect random data:

[sturles at hpsan]~ $ rsync -ave ssh file sturle at anotherhost:/tmp/file
Couldn't wait for child 'ls -alni /var/log' completion: No child processes
Couldn't wait for child 'ls -alni /var/adm' completion: No child processes
[... for all commands in /etc/ssh/ssh_prng_cmds ...]
Not enough entropy in RNG
ssh-rand-helper child produced insufficient data
unexpected EOF in read_timeout

The reason for this is of course that rsync ignores SIGCHLD, and ssh
inherits this.

Here is a patch against 3.1p2 that fixes the problem. I hope it doesn't
break anything else..:

--- entropy.c.orig Sun Mar 10 20:42:07 2002 +++ entropy.c Thu Apr 18 07:04:10 2002 @@ -61,6 +61,7 @@ pid_t pid; int ret; unsigned char buf[RANDOM_SEED_SIZE]; + mysig_t old_sigchld; if (RAND_status() == 1) { debug3("RNG is ready, skipping seeding"); @@ -74,6 +75,7 @@ if (pipe(p) == -1) fatal("pipe: %s", strerror(errno)); + old_sigchld = mysignal(SIGCHLD, SIG_DFL); if ((pid = fork()) == -1) fatal("Couldn't fork: %s", strerror(errno)); if (pid == 0) { @@ -121,6 +123,7 @@ if (WEXITSTATUS(ret) != 0) fatal("ssh-rand-helper exit with exit status %d", ret); + mysignal(SIGCHLD, old_sigchld); RAND_add(buf, sizeof(buf), sizeof(buf)); memset(buf, '\0', sizeof(buf));

-- 
Sturle   Before a mad scientist goes mad, there's probably a time
~~~~~~   when he's only partially mad. And this is the time when he's
         going to throw his best parties.  -- Jack Handey

From bugzilla-daemon at mindrot.org Thu Apr 18 22:40:51 2002
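Review bot: in the second hunk (@@ -74,6 +75,7 @@) the reset to SIG_DFL sits before fork(), which is the right place: an ignored SIGCHLD survives both fork() and exec, so the ssh-rand-helper that the child execs, whose own waits on the ssh_prng_cmds children produce the "No child processes" errors shown above, now inherits the default disposition as well. The value returned by mysignal() is stored in old_sigchld but never checked for failure; if the call fails, the later mysignal(SIGCHLD, old_sigchld) would install whatever error value came back, so test it and fatal() before the fork() if it did not succeed.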
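Review bot: in the third hunk (@@ -121,6 +123,7 @@) the original disposition is restored only on the success path, after the WEXITSTATUS(ret) check. Every other path between the two mysignal() calls ends in fatal(), which terminates the process, so nothing currently returns with SIGCHLD left at SIG_DFL; that invariant is easy to break if one of those fatal() calls is later turned into a non-fatal error return, so either move the restore up to immediately after the wait that fills ret, or add a comment next to it saying that it relies on all earlier failures being fatal.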
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Apr 2002 22:40:51 +1000 (EST)
Subject: [Bug 113] input_userauth_request: illegal user ...
Message-ID: <20020418124051.5CA9DE92A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=113

peak at argo.troja.mff.cuni.cz changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |

------- Additional Comments From peak at argo.troja.mff.cuni.cz 2002-04-18 22:40 -------
With all due respect, you should re-read the original report. :)

If "such failures get logged anyway" (*) then that annoying and redundant
log("input_userauth_request: illegal user %s", user) can really go away
(or be reduced to a debugging message).

(*) Well, whether pam_unix logs them depends on whether the particular
implementation of pam_unix does it and whether pam_unix is used at all
but this is a completely different question.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 18 22:50:57 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Apr 2002 22:50:57 +1000 (EST)
Subject: [Bug 113] input_userauth_request: illegal user ...
Message-ID: <20020418125057.C0CDAEA15@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=113

------- Additional Comments From markus at openbsd.org 2002-04-18 22:50 -------
but the username might not get logged.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From djm at mindrot.org Thu Apr 18 22:53:50 2002
From: djm at mindrot.org (Damien Miller)
Date: Thu, 18 Apr 2002 22:53:50 +1000 (EST)
Subject: [Bug 143] Add reference to "rsync" in FAQ and documentation.
In-Reply-To:
Message-ID:

On 18 Apr 2002, Sturle Sunde wrote:

> Yuliy Minchev writes:
>
> > rsync -av -e ssh /home/joe/stuff joeuser at joe.com:/home/joeuser/stuff
>
> There is a bug if you depend on ssh-rand-helper and possibly external
> programs to collect random data:
>
> [sturles at hpsan]~ $ rsync -ave ssh file sturle at anotherhost:/tmp/file
> Couldn't wait for child 'ls -alni /var/log' completion: No child processes
> Couldn't wait for child 'ls -alni /var/adm' completion: No child processes
> [... for all commands in /etc/ssh/ssh_prng_cmds ...]
> Not enough entropy in RNG
> ssh-rand-helper child produced insufficient data
> unexpected EOF in read_timeout
>
> The reason for this is of course that rsync ignores SIGCHLD, and ssh
> inherits this.
>
> Here is a patch against 3.1p2 that fixes the problem. I hope it
> doesn't break anything else..:

That looks sane - thanks.

-d

From bugzilla-daemon at mindrot.org Thu Apr 18 23:07:30 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Apr 2002 23:07:30 +1000 (EST)
Subject: [Bug 222] configure finds getnameinfo() but not getaddrinfo()
Message-ID: <20020418130730.B3B02EA1C@shitei.mind rot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=222

------- Additional Comments From djm at mindrot.org 2002-04-18 23:07 -------
Could you please try CVS -current with the following patch. You will
need to regenerate configure using autoconf.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Apr 18 23:08:49 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Apr 2002 23:08:49 +1000 (EST)
Subject: [Bug 222] configure finds getnameinfo() but not getaddrinfo()
Message-ID: <20020418130849.D0E4FEA19@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=222

------- Additional Comments From djm at mindrot.org 2002-04-18 23:08 -------
Created an attachment (id=83)
Fake HAVE_GETADDRINFO when [on]getaddrinfo exists

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From pekkas at netcore.fi Thu Apr 18 23:36:00 2002
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 18 Apr 2002 16:36:00 +0300 (EEST)
Subject: privsep no user fatal message
Message-ID:

Hello,

I updated the latest snapshot as RPM's to two of my systems. Basic stuff
seems to be working ok.

Privilege separation failed though, possibly because I didn't populate
/var/empty with PAM entries. Privsep might be a bit raw in any case, at
least for the portable.

FWIW, I came across error message 'sshd: no user' and had to scratch my
head a bit to figure out what it meant. I suggest changing the order to
be more in sync with other similar code paths. Patch attached.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

-------------- next part --------------
Index: sshd.c =================================================================== RCS file: /cvs/openssh/sshd.c,v retrieving revision 1.200 diff -u -r1.200 sshd.c --- sshd.c 2 Apr 2002 20:48:20 -0000 1.200 +++ sshd.c 18 Apr 2002 13:36:04 -0000 @@ -536,7 +536,7 @@ demote_sensitive_data(); if ((pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) - fatal("%s: no user", SSH_PRIVSEP_USER); + fatal("no user: %s", SSH_PRIVSEP_USER); memset(pw->pw_passwd, 0, strlen(pw->pw_passwd)); endpwent();

From bugzilla-daemon at mindrot.org Thu Apr 18 23:40:10 2002
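Review bot: no functional change in the single hunk, only the message text, so there is nothing to check beyond wording; the new order "no user: sshd" reads as a missing account rather than as output prefixed by a program name, which is exactly the confusion described above. Consider going one step further and stating what was looked up and where, e.g. fatal("privilege separation user %s does not exist", SSH_PRIVSEP_USER), so that an administrator sees at once that the fix is to create the account that getpwnam() could not find.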
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Apr 2002 23:40:10 +1000 (EST)
Subject: [Bug 113] input_userauth_request: illegal user ...
Message-ID: <20020418134010.916B1EA14@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=113

------- Additional Comments From markus at openbsd.org 2002-04-18 23:40 -------
hm, permitted users won't get logged in the same case. not sure whether
they should. we could try logging the username on disconnect. does this
make sense?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Apr 19 00:06:26 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Apr 2002 00:06:26 +1000 (EST)
Subject: [Bug 113] input_userauth_request: illegal user ...
Message-ID: <20020418140626.DD5C2E99B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=113

------- Additional Comments From peak at argo.troja.mff.cuni.cz 2002-04-19 00:06 -------
Yes, something like "User joedoe disconnected in the middle of
keyboard-interactive authentication." or "Illegal user blahblah
disconnected..." if the client disconnects during the authentication.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Apr 19 00:37:54 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Apr 2002 00:37:54 +1000 (EST)
Subject: [Bug 222] configure finds getnameinfo() but not getaddrinfo()
Message-ID: <20020418143754.A9B8FE924@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=222

------- Additional Comments From cmadams at hiwaay.net 2002-04-19 00:37 -------
What compiler, CFLAGS, and configure options are you using to build
OpenSSH on Tru64? The reason I ask is that I've used OpenSSH starting
with (IIRC) 2.1 on Tru64 4.0F, 4.0G, and now 5.1A, and I haven't had any
trouble with what you describe. I've always compiled with "cc -std1",
running configure like:

CC="cc -std1" ./configure

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From markus at openbsd.org Fri Apr 19 01:11:23 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 18 Apr 2002 17:11:23 +0200
Subject: privsep no user fatal message
In-Reply-To:
References:
Message-ID: <20020418151123.GB22628@folly>

On Thu, Apr 18, 2002 at 04:36:00PM +0300, Pekka Savola wrote:
> -		fatal("%s: no user", SSH_PRIVSEP_USER);
> +		fatal("no user: %s", SSH_PRIVSEP_USER);

should be fixed in -current

From police at terrabox.com Fri Apr 19 01:46:57 2002
From: police at terrabox.com (police at terrabox.com)
Date: Thu, 18 Apr 2002 10:46:57 -0500 (CDT)
Subject: ssh using rsa pub key authentication
In-Reply-To: <20020418151123.GB22628@folly>
Message-ID:

Hi,

I generated a user pub key and placed it on the system I need to access
in authorized_keys2. If I ssh using root it worked just fine w/o
prompting for pass. but if I try to ssh to a user on that same system it
won't work. The same exact setup for both root user and the user is done.
Anyone has a clue?

in both users' .ssh authorized_keys2 contains id_rsa.pub and 644 is for
authorized_keys2

by the way I am using openssl.0.96b and libgcc3.0.2 and openssh2.9p2

thx.

From kor at compsoc.com Fri Apr 19 03:03:08 2002
From: kor at compsoc.com (Kevin O' Riordan)
Date: Thu, 18 Apr 2002 18:03:08 +0100
Subject: 'make' fails on redhat 6.x
Message-ID: <20020418170308.GA14350@hoth.compsoc.com>

Hi everybody,

just trying to compile openssh3.1p1 here on a redhat box, and it fails in cipher.c - with messages similar to ones I've seen posted to this list recently, regarding redhat & SCO. I'm using openssl-0.9.6c ... to my untrained eye, the output of ./configure looks ok but make fails afterwards.

I've pasted as much as I hope is relevant from the outputs of './configure' and 'make' (I've edited duplicate errors out of the 'make' output, and indicated where I've done this). If anyone can shed some light, it'd be much appreciated.

cheers
-kev

==== configure ... ===================================================

OpenSSH has been configured with the following options:
               User binaries: /usr/local/bin
             System binaries: /usr/local/sbin
         Configuration files: /usr/local/etc
             Askpass program: /usr/local/libexec/ssh-askpass
                Manual pages: /usr/local/man/manX
                    PID file: /var/run
      sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
              Manpage format: doc
                 PAM support: no
          KerberosIV support: no
           Smartcard support: no
                 AFS support: no
               S/KEY support: no
        TCP Wrappers support: no
        MD5 password support: no
 IP address in $DISPLAY hack: no
    Use IPv4 by default hack: no
     Translate v4 in v6 hack: yes
            BSD Auth support: no
        Random number source: OpenSSL internal ONLY

              Host: i686-pc-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags:
      Linker flags:
         Libraries: -lutil -lz -lnsl -lcrypto -lcrypt

==== ... end configure. ===============================================

==== make ... ========================================================

cipher.c:200: void value not ignored as it ought to be
cipher.c:206: warning: implicit declaration of function `EVP_CIPHER_CTX_set_key_length'
cipher.c:210: void value not ignored as it ought to be
cipher.c: In function `cipher_crypt':
cipher.c:220: void value not ignored as it ought to be
cipher.c: In function `cipher_cleanup':
cipher.c:227: void value not ignored as it ought to be
cipher.c: In function `cipher_set_key_string':
cipher.c:249: warning: pointer of type `void *' used in arithmetic [same error repeated 12 times]
cipher.c:250: warning: pointer of type `void *' used in arithmetic [same error repeated 12 times]
cipher.c: In function `ssh1_3des_init':
cipher.c:280: warning: assignment from incompatible pointer type
cipher.c:299: void value not ignored as it ought to be
cipher.c:300: void value not ignored as it ought to be
cipher.c:301: void value not ignored as it ought to be
cipher.c:302: warning: pointer of type `void *' used in arithmetic [same error repeated 12 times]
cipher.c: In function `ssh1_3des_cbc':
cipher.c:314: warning: assignment from incompatible pointer type
cipher.c:318: void value not ignored as it ought to be
cipher.c:319: void value not ignored as it ought to be
cipher.c:320: void value not ignored as it ought to be
cipher.c: In function `ssh1_3des_cleanup':
cipher.c:329: warning: assignment from incompatible pointer type
cipher.c:330: warning: pointer of type `void *' used in arithmetic [same error repeated 12 times]
cipher.c: In function `evp_ssh1_3des':
cipher.c:341: warning: pointer of type `void *' used in arithmetic [same error repeated 12 times]
cipher.c:346: warning: assignment from incompatible pointer type
cipher.c:347: warning: assignment from incompatible pointer type
cipher.c:348: warning: assignment from incompatible pointer type
cipher.c:349: structure has no member named `flags'
cipher.c:349: `EVP_CIPH_CBC_MODE' undeclared (first use in this function)
cipher.c:349: (Each undeclared identifier is reported only once
cipher.c:349: for each function it appears in.)
cipher.c:349: `EVP_CIPH_VARIABLE_LENGTH' undeclared (first use in this function)
cipher.c: In function `evp_ssh1_bf':
cipher.c:392: warning: assignment from incompatible pointer type
cipher.c:394: warning: assignment from incompatible pointer type
cipher.c: In function `ssh_rijndael_init':
cipher.c:413: warning: assignment from incompatible pointer type
cipher.c: In function `ssh_rijndael_cbc':
cipher.c:440: warning: assignment from incompatible pointer type
cipher.c: In function `ssh_rijndael_cleanup':
cipher.c:477: warning: assignment from incompatible pointer type
cipher.c:478: warning: pointer of type `void *' used in arithmetic [same error repeated 12 times]
cipher.c: In function `evp_rijndael':
cipher.c:489: warning: pointer of type `void *' used in arithmetic [same error repeated 12 times]
cipher.c:494: warning: assignment from incompatible pointer type
cipher.c:495: warning: assignment from incompatible pointer type
cipher.c:496: warning: assignment from incompatible pointer type
cipher.c:497: structure has no member named `flags'
cipher.c:497: `EVP_CIPH_CBC_MODE' undeclared (first use in this function)
cipher.c:497: `EVP_CIPH_VARIABLE_LENGTH' undeclared (first use in this function)
cipher.c:498: `EVP_CIPH_ALWAYS_CALL_INIT' undeclared (first use in this function)
make: *** [cipher.o] Error 1

==== ... end make. ===================================================

--
if I can shoot rabbits, I can shoot fascists

From brian.king at xwave.com Fri Apr 19 03:35:59 2002
From: brian.king at xwave.com (King, Brian)
Date: Thu, 18 Apr 2002 14:35:59 -0300
Subject: AuthorizedKeysFile
Message-ID:

OpenSSH 3.1

Not really a bug, but an "undocumented feature".

The default sshd_config file shows the default setting for AuthorizedKeysFile as being:

    AuthorizedKeysFile .ssh/authorized_keys

If you uncomment that default, it changes the "undocumented" setting for "AuthorizedKeysFile2", which is by default:

    AuthorizedKeysFile2 .ssh/authorized_keys2

Suggestions for change:
1 - Add AuthorizedKeysFile2 to the man page for sshd.
2 - Add its default setting to the default sshd_config file.
3 - Make the settings independent (so that setting only AuthorizedKeysFile doesn't remove the setting for AuthorizedKeysFile2).

Even better would be to do away with AuthorizedKeysFile2 and have AuthorizedKeysFile work like HostKey in that you can use it multiple times in a config file to list multiple key files to check.

Thanks for a great product!

Brian King

PS. I don't read this list so any responses should be sent directly to me.

----------------------------------------------------------------------------

This communication (including all attachments) is intended solely for the use of the person or persons to whom it is addressed and should be treated as a confidential xwave communication. If you are not the intended recipient, any use, distribution, printing, or copying of this email is strictly prohibited. If you received this email in error, please immediately delete it from your system and notify the originator. Your cooperation is appreciated.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020418/b6d19743/attachment.html

From dmouldin at enterasys.com Fri Apr 19 04:26:53 2002
From: dmouldin at enterasys.com (Moulding, Dan)
Date: Thu, 18 Apr 2002 14:26:53 -0400
Subject: xxx_kex possible memory leak?
Message-ID: <59358A738F45D51186A30008C74CE25001060F0A@slc-exc1.ctron.com>

Howdy,

I'm working on porting the portable version of OpenSSH to the Nucleus RTOS. So far I've had a great deal of success. However, I've run into a possible memory leak, and I'm not sure whether I need to write my own cleanup function for it or not. The xxx_kex global (defined in sshd.c) seems to not get freed. I've had difficulty finding a cleanup routine for it. I've been looking for anything similar to key_free() or buffer_free() that might work for the Kex struct, but have had no luck. Does anyone know if such a cleanup function exists? Or is this a known memory leak? Or am I just smoking crack?

Any pointers are greatly appreciated!

Regards,

Dan Moulding
Firmware Engineer
Phone :801.887.9885
FAX :801.972.5789
Cell :801.541.4984
Email :dmouldin at enterasys.com
www :www.enterasys.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020418/f4338a27/attachment.html

From abhi at acc.com Fri Apr 19 04:41:22 2002
From: abhi at acc.com (Abhijeet Thakare)
Date: Thu, 18 Apr 2002 11:41:22 -0700
Subject: User Authentication
In-Reply-To: <20020418170308.GA14350@hoth.compsoc.com>
Message-ID:

Hi,

In section 2.2 "Responses to Authentication Requests" of SSH Authentication Protocol:

    "The client MAY send several authentication requests without waiting for responses from previous requests. The server MUST process each request completely and acknowledge any failed requests with a SSH_MSG_USERAUTH_FAILURE message before processing the next request.

    A request that results in further exchange of messages will be aborted by a second request. It is not possible to send a second request without waiting for a response from the server, if the first request will result in further exchange of messages. No SSH_MSG_USERAUTH_FAILURE message will be sent for the aborted method."

This is confusing. Why should the client send several authentication requests without waiting for responses from previous requests? This makes the server state machine complex, especially when authentication (user name) and signature verification are performed by different processes. What's the advantage of doing that?

Thanks,
Abhijeet

From gert at greenie.muc.de Fri Apr 19 05:43:20 2002
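The rules quoted from the draft are easier to see in code than in prose. The following is an added illustration written for this archive, not OpenSSH's own userauth code: a minimal server side that processes pipelined SSH_MSG_USERAUTH_REQUEST messages strictly one at a time, acknowledges every completed failure with USERAUTH_FAILURE, and silently drops a keyboard-interactive exchange that a later request aborts. The message numbers are the real SSH ones; the user table and method set are constructed for the example.

```python
"""Sequential processing of pipelined SSH_MSG_USERAUTH_REQUEST messages.

Added example (not OpenSSH code) of the draft's section 2.2 rules: each request
is handled completely before the next is read; a method that needs further
round trips is aborted, without a USERAUTH_FAILURE, when another request
arrives; a client answer to an already-aborted method is ignored.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_INFO_REQUEST = 60      # keyboard-interactive prompt sent to the client

# Constructed sample credentials; a real server would consult PAM, a password
# file or a public-key check here.
SAMPLE_USERS = {"alice": "correct horse"}


@dataclass
class AuthRequest:
    user: str
    method: str                          # "none", "password" or "keyboard-interactive"
    secret: Optional[str] = None         # password, when the method carries one


@dataclass
class UserAuthServer:
    users: dict
    pending: Optional[AuthRequest] = None            # method waiting on more client messages
    sent: List[Tuple[int, str]] = field(default_factory=list)   # (message number, method)
    authenticated: bool = False

    def handle(self, req: AuthRequest) -> None:
        """Process one request completely before the caller hands us the next."""
        if self.authenticated:
            return                                   # requests after success are ignored
        if self.pending is not None:
            # Draft: a second request aborts the in-progress method, and no
            # USERAUTH_FAILURE is sent for the aborted one.
            self.pending = None
        if req.method == "password":
            if self.users.get(req.user) == req.secret:
                self.authenticated = True
                self.sent.append((SSH_MSG_USERAUTH_SUCCESS, req.method))
            else:
                self.sent.append((SSH_MSG_USERAUTH_FAILURE, req.method))
        elif req.method == "keyboard-interactive":
            # Needs a further exchange: prompt the client and remember that
            # this method is still in progress.
            self.pending = req
            self.sent.append((SSH_MSG_USERAUTH_INFO_REQUEST, req.method))
        else:
            # "none" and unsupported methods fail at once but are still
            # acknowledged, so the client's pipeline stays in step.
            self.sent.append((SSH_MSG_USERAUTH_FAILURE, req.method))

    def handle_info_response(self, secret: str) -> bool:
        """Client answer to an INFO_REQUEST. Returns False when no method is
        pending, i.e. the method it answers was already aborted."""
        if self.pending is None or self.authenticated:
            return False
        req, self.pending = self.pending, None
        if self.users.get(req.user) == secret:
            self.authenticated = True
            self.sent.append((SSH_MSG_USERAUTH_SUCCESS, req.method))
        else:
            self.sent.append((SSH_MSG_USERAUTH_FAILURE, req.method))
        return True


def run_pipeline(requests: List[AuthRequest], users=SAMPLE_USERS) -> List[int]:
    """Feed requests in arrival order; return the message numbers sent back."""
    server = UserAuthServer(users)
    for req in requests:
        server.handle(req)
    return [msg for msg, _ in server.sent]


if __name__ == "__main__":
    burst = [AuthRequest("alice", "none"),
             AuthRequest("alice", "keyboard-interactive"),
             AuthRequest("alice", "password", "wrong"),
             AuthRequest("alice", "password", "correct horse")]
    print(run_pipeline(burst))      # one reply per completed request; none for the aborted one
```

Run on the four-request burst above, the server answers with FAILURE, INFO_REQUEST, FAILURE, SUCCESS: the keyboard-interactive method never gets a FAILURE of its own, which is precisely the case the draft calls out. Keeping `pending` as the only piece of cross-request state is what keeps the server machine simple even when the signature check lives in another process.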
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 18 Apr 2002 21:43:20 +0200
Subject: 'make' fails on redhat 6.x
In-Reply-To: <20020418170308.GA14350@hoth.compsoc.com>; from Kevin O' Riordan on Thu, Apr 18, 2002 at 06:03:08PM +0100
References: <20020418170308.GA14350@hoth.compsoc.com>
Message-ID: <20020418214320.A6949@greenie.muc.de>

Hi,

On Thu, Apr 18, 2002 at 06:03:08PM +0100, Kevin O' Riordan wrote:
> just trying to compile openssh3.1p1 here on a redhat box, and it fails
> in cipher.c - with messages similar to ones I've seen posted to this
> list recently, regarding redhat & SCO. I'm using openssl-0.9.6c ...

Make sure that you really have 0.9.6c installed, and not some leftovers from 0.9.5 or so.

I had these error messages, and upon looking more closely, I had compiled 0.9.6, but never installed it, and "make" was finding 0.9.5a...

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From austin at coremetrics.com Fri Apr 19 05:44:03 2002
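Gert's diagnosis of Kevin's cipher.c errors (a stale OpenSSL header being picked up while a newer library was built) is easy to confirm before running make. The script below is an added check written for this archive, not part of OpenSSH's configure: it reads the version named by each openssl/opensslv.h on the include path and the version text embedded in each libcrypto on the library path, and reports whether the first of each (what the compiler and linker actually use) agree. The directory tree it builds is a constructed stand-in for the situation in the thread; in practice you pass the include and lib directories your toolchain searches.

```python
"""Detect a header/library OpenSSL version mismatch before 'make' does.

Added diagnostic for the build failure in this thread (not part of OpenSSH's
configure). The sample tree built by build_sample_tree() is constructed.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# e.g.   #define OPENSSL_VERSION_TEXT  "OpenSSL 0.9.6c 21 dec 2001"
HEADER_RE = re.compile(r'#\s*define\s+OPENSSL_VERSION_TEXT\s+"OpenSSL\s+([0-9][0-9.a-z]*)')
# libcrypto embeds its version text, so a byte search works on a .so or a static .a
LIB_RE = re.compile(rb"OpenSSL\s+([0-9][0-9.a-z]*)")


def header_versions(include_dirs: List[str]) -> Dict[str, str]:
    """Map each <dir>/openssl/opensslv.h found to the version it declares, in search order."""
    found: Dict[str, str] = {}
    for d in include_dirs:
        path = os.path.join(d, "openssl", "opensslv.h")
        if not os.path.isfile(path):
            continue
        with open(path, "r", errors="replace") as fh:
            m = HEADER_RE.search(fh.read())
        if m:
            found[path] = m.group(1)
    return found


def library_versions(lib_dirs: List[str]) -> Dict[str, str]:
    """Map each libcrypto.* file to the version text embedded in it, in search order."""
    found: Dict[str, str] = {}
    for d in lib_dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.startswith("libcrypto."):
                continue
            path = os.path.join(d, name)
            with open(path, "rb") as fh:
                m = LIB_RE.search(fh.read())
            if m:
                found[path] = m.group(1).decode()
    return found


def check_openssl_consistency(include_dirs: List[str], lib_dirs: List[str]) -> Tuple[str, str, bool]:
    """(header version, library version, consistent) for the first hit on each path,
    '' where nothing was found. A False result is Gert's 0.9.5a-vs-0.9.6c situation."""
    hv = next(iter(header_versions(include_dirs).values()), "")
    lv = next(iter(library_versions(lib_dirs).values()), "")
    return hv, lv, bool(hv) and hv == lv


def build_sample_tree(root: str) -> Tuple[List[str], List[str]]:
    """Constructed layout mimicking the thread: a leftover 0.9.5a header under
    usr/include, a fresh 0.9.6c under usr/local/include, and a 0.9.6c libcrypto.
    Returns (include_dirs, lib_dirs) with the system include dir first."""
    old_inc = os.path.join(root, "usr", "include")
    new_inc = os.path.join(root, "usr", "local", "include")
    lib = os.path.join(root, "usr", "lib")
    for d in (old_inc, new_inc):
        os.makedirs(os.path.join(d, "openssl"))
    os.makedirs(lib)
    with open(os.path.join(old_inc, "openssl", "opensslv.h"), "w") as fh:
        fh.write('#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.5a 1 Apr 2000"\n')
    with open(os.path.join(new_inc, "openssl", "opensslv.h"), "w") as fh:
        fh.write('#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.6c 21 dec 2001"\n')
    with open(os.path.join(lib, "libcrypto.so.0.9.6"), "wb") as fh:   # fake, not a real ELF object
        fh.write(b"\x7fELF" + b"\0" * 12 + b"OpenSSL 0.9.6c 21 dec 2001\0")
    return [old_inc, new_inc], [lib]


def demo() -> Tuple[Tuple[str, str, bool], Tuple[str, str, bool]]:
    """Same tree, two include search orders: system dir first reproduces the breakage."""
    with tempfile.TemporaryDirectory() as root:
        include_dirs, lib_dirs = build_sample_tree(root)
        stale_first = check_openssl_consistency(include_dirs, lib_dirs)
        local_first = check_openssl_consistency(list(reversed(include_dirs)), lib_dirs)
    return stale_first, local_first


if __name__ == "__main__":
    print(demo())
```

The first tuple returned by `demo()` is the broken configuration (header 0.9.5a, library 0.9.6c), the second is the healthy one. On a real box, feeding `check_openssl_consistency` the include and lib directories in the order gcc and ld search them answers Gert's question without a compile cycle.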
From: austin at coremetrics.com (Austin Gonyou)
Date: 18 Apr 2002 14:44:03 -0500
Subject: AuthorizedKeysFile
In-Reply-To:
References:
Message-ID: <1019159043.1521.16.camel@UberGeek>

Authorized_keys2 is going away permanently someday I'm sure. This could be a preventative measure to keep people from *just* using it so it can retire gracefully.

On Thu, 2002-04-18 at 12:35, King, Brian wrote:
> OpenSSH 3.1
>
> Not really a bug, but an "undocumented feature".
> The default sshd_config file shows the default setting for
> AuthorizedKeysFile as being:
>
> AuthorizedKeysFile .ssh/authorized_keys
>
> If you uncomment that default, it changes the "undocumented" setting for
> "AuthorizedKeysFile2", which is by default:
>
> AuthorizedKeysFile2 .ssh/authorized_keys2
>
> Suggestions for change:
> 1 - Add AuthorizedKeysFile2 to the man page for sshd.
> 2 - Add its default setting to the default sshd_config file.
> 3 - Make the settings independent (so that setting only
> AuthorizedKeysFile doesn't remove the setting for AuthorizedKeysFile2).
>
> Even better, would be to do away with AuthorizedKeysFile2 and have
> AuthorizedKeysFile work like HostKey in that you can use it multiple
> times in a config file to list multiple key files to check.
>
> Thanks for a great product!
>
> Brian King
>
> PS. I don't read this list so any responses should be sent directly to
> me.
>
> ------------------------------------------------------------------------
> ----
>
> This communication (including all attachments) is intended solely for
> the
> use of the person or persons to whom it is addressed and should be
> treated
> as a confidential xwave communication. If you are not the intended
> recipient, any use, distribution, printing, or copying of this email is
> strictly prohibited. If you received this email in error, please
> immediately delete it from your system and notify the originator. Your
> cooperation is appreciated.
>
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com

"It is the part of a good shepherd to shear his flock, not to skin it."
Latin Proverb

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020418/4d7ef393/attachment.bin

From sxw at dcs.ed.ac.uk Fri Apr 19 06:23:06 2002
From: sxw at dcs.ed.ac.uk (Simon Wilkinson)
Date: Thu, 18 Apr 2002 21:23:06 +0100 (BST)
Subject: Please test: Kerberos v5 support in portable
In-Reply-To:
Message-ID:

On Thu, 18 Apr 2002, Damien Miller wrote:

> Could KerberosV users (both MIT and Heimdal) please test CVS -current and
> report back on this?
>
> File new bugs if you run into problems.

Feel free to assign any bugs with MIT KerberosV support to me!

Thanks,

Simon.

From djm at mindrot.org Fri Apr 19 08:07:08 2002
From: djm at mindrot.org (Damien Miller)
Date: Fri, 19 Apr 2002 08:07:08 +1000 (EST)
Subject: privsep no user fatal message
In-Reply-To:
Message-ID:

On Thu, 18 Apr 2002, Pekka Savola wrote:

> Hello,
>
> I updated the latest snapshot as RPM's to two of my systems. Basic stuff
> seems to be working ok.
>
> Privilege separation failed though, possibly because I didn't populate
> /var/empty with PAM entries. Privsep might be a bit raw in any case, at
> least for the portable.

Privsep doesn't yet work for PAM, I am slowly working on it.

-d

From cleber.junior at atl.com.br Fri Apr 19 08:39:44 2002
From: cleber.junior at atl.com.br (Jorge Cleber Teixeira de Almeida Junior)
Date: Thu, 18 Apr 2002 19:39:44 -0300
Subject: 2 doubts
Message-ID:

Hi,

What is the command to use with scp and sftp in UNIX, to transfer files as ASCII?

I know that in FTP, we have the parameter "ascii", but how about openssh?

How can I make a script in UNIX using scp or sftp where I do not have to type the password? I mean, there is a password, but I don't know where I should put it. In a file? Into the script?

regards,

Jorge Cleber JUNIOR
cleber.junior at atl.com.br
ATL - Algar Telecom Leste
IT - System Security Office (SSO)
Tel: (21) 2528-9303

====================================================================
The content of this message and all of its attachments is for restricted, confidential use and is legally protected, being addressed only to the recipient(s), and must not be disclosed without prior authorization. If you are not the recipient of this message, or the person responsible for delivering it, you are not authorized to reveal, copy, distribute or retain this message or any part of it. Improper use will be handled according to the rules of ATL - Algar Telecom Leste Ltda. Opinions, conclusions or other information in this message that do not relate to ATL's line of business should be understood as neither provided by nor the responsibility of this company.
====================================================================

From stevev at darkwing.uoregon.edu Fri Apr 19 09:54:07 2002
From: stevev at darkwing.uoregon.edu (Steve VanDevender)
Date: Thu, 18 Apr 2002 16:54:07 -0700
Subject: 2 doubts
In-Reply-To:
References:
Message-ID: <15551.23711.60155.162218@darkwing.uoregon.edu>

Jorge Cleber Teixeira de Almeida Junior writes:
> Hi,

You have two questions, not two doubts. Doubt is being unsure about whether something is true.

> What is the command to use with scp and sftp in UNIX, to transfer files
> as ASCII ?
>
> I know that in FTP , we have the parameter "ascii" , but, how about openssh?

scp and sftp transfer files in binary mode only. There is no "ascii" mode for sftp.

> How can I make a script in UNIX using scp or sftp where I do not have to
> type the password ? I mean, there is a password , but I don't know where I
> should put it . In a file ? Into the script ?

Actually, you can use identity keys to avoid having to give a password to authenticate to remote hosts. Read the man page for ssh-keygen and the sections in the man pages for ssh and sshd about RSA authentication.

From gem at rellim.com Fri Apr 19 10:01:59 2002
From: gem at rellim.com (Gary E. Miller)
Date: Thu, 18 Apr 2002 17:01:59 -0700 (PDT)
Subject: 2 doubts
In-Reply-To:
Message-ID:

Yo Jorge!

IMHO, file transfer programs should NEVER munge the contents of a file. The "ascii" feature in ftp is probably one of the top ten all time PITA for tech support folks. All it does on a good day is translate M$DO$ line end to UNIX line end. On any other day it just destroys everything else.

If you really need to change M$DO$ \r\n in to UNIX \n then get a separate program to do it. Or use tr like this:

    tr -d '\r' < infile > outfile

Most Unix systems also have "fromdos" and "todos" to make it even more idiot proof. You can also get similar programs for the M$DO$ end.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676

On Thu, 18 Apr 2002, Jorge Cleber Teixeira de Almeida Junior wrote:

> What is the command to use with scp and sftp in UNIX, to transfer files
> as ASCII ?
>
> I know that in FTP , we have the parameter "ascii" , but, how about openssh?
>
> How can I make a script in UNIX using scp or sftp where I do not have to
> type the password ? I mean, there is a password , but I don't know where I
> should put it . In a file ? Into the script ?

From bugzilla-daemon at mindrot.org Fri Apr 19 10:28:24 2002
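Two threads above meet in the authorized_keys file: Brian King's note that sshd 3.1 reads both authorized_keys and authorized_keys2, and Steve's answer that an unattended scp/sftp job should authenticate with an identity key rather than a stored password. A key that a script uses with no passphrase deserves the `from=` and `command=` options so that it is only usable from one host for one purpose. The following is an added example written for this archive, not OpenSSH's own authorized_keys parser: it parses lines in the format sshd reads (options field with quoted, comma-containing values; key type; base64 blob whose wire encoding names the same key type; comment) and audits them for job keys left unrestricted. The key blobs are constructed, not real keys, and the option names are the documented sshd ones.

```python
"""Parse and audit OpenSSH authorized_keys lines.

Added example (not OpenSSH's parser). Feed it the contents of both
authorized_keys and authorized_keys2, since sshd 3.1 consults both.
The sample file and key blobs below are constructed.
"""
import base64
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

KEY_TYPES = ("ssh-rsa", "ssh-dss")           # protocol-2 key types of the era


@dataclass
class AuthorizedKey:
    options: List[str]
    key_type: str
    key_b64: str
    comment: str


def _scan_options(text: str) -> Tuple[List[str], str]:
    """Split off the leading options field: comma separated, where a double-quoted
    value may contain commas, spaces and backslash-escaped quotes."""
    opts: List[str] = []
    cur: List[str] = []
    in_quote = False
    i = 0
    while i < len(text):
        c = text[i]
        if in_quote and c == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])        # keep the escaped character verbatim
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif not in_quote and c == ",":
            opts.append("".join(cur))
            cur = []
            i += 1
            continue
        elif not in_quote and c.isspace():
            break                            # end of the options field
        cur.append(c)
        i += 1
    opts.append("".join(cur))
    return opts, text[i:].strip()


def parse_line(line: str) -> Optional[AuthorizedKey]:
    """One authorized_keys line; None for blank/comment lines; ValueError when malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options: List[str] = []
    if line.split(None, 1)[0] not in KEY_TYPES:
        options, line = _scan_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("malformed authorized_keys line")
    key_type, key_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(key_b64, validate=True)
    (name_len,) = struct.unpack(">I", blob[:4])    # wire format starts with string <key type>
    if blob[4:4 + name_len].decode("ascii", "replace") != key_type:
        raise ValueError("key blob does not match the declared key type")
    return AuthorizedKey(options, key_type, key_b64, comment)


def is_well_formed(line: str) -> bool:
    try:
        return parse_line(line) is not None
    except (ValueError, struct.error):
        return False


def parse_file(text: str) -> List[AuthorizedKey]:
    return [k for k in map(parse_line, text.splitlines()) if k]


def audit(keys: List[AuthorizedKey]) -> List[Tuple[str, str]]:
    """Flag keys usable from any host for any command: the risky shape for a job key."""
    findings = []
    for k in keys:
        names = {o.split("=", 1)[0].lower() for o in k.options}
        if "from" not in names:
            findings.append((k.comment, "no from= restriction"))
        if "command" not in names:
            findings.append((k.comment, "no command= restriction"))
    return findings


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


# Constructed blob in the layout sshd checks: string "ssh-rsa", mpint e, mpint n (fake).
FAKE_RSA_B64 = base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00\xc5" + b"\x5a" * 30)
).decode()

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample: one unrestricted job key, two restricted ones",
    "ssh-rsa " + FAKE_RSA_B64 + " backup@host1",
    'from="10.0.0.5",command="/usr/local/bin/receive-backup",no-port-forwarding,no-pty ssh-rsa '
    + FAKE_RSA_B64 + " backup@host2",
    'command="echo \\"hi, there\\"",no-pty ssh-rsa ' + FAKE_RSA_B64 + " test",
])

if __name__ == "__main__":
    for comment, problem in audit(parse_file(SAMPLE_AUTHORIZED_KEYS)):
        print(f"{comment}: {problem}")
```

On the constructed sample the audit reports only `backup@host1` (both restrictions missing) and `test` (no `from=`); the quoted comma inside the third line's `command=` value is handled rather than splitting the option in two, which is the mistake a naive `split(",")` makes.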
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Apr 2002 10:28:24 +1000 (EST)
Subject: [Bug 222] configure finds getnameinfo() but not getaddrinfo()
Message-ID: <20020419002824.CB06AE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=222

------- Additional Comments From urban at spielwiese.de 2002-04-19 10:28 -------

um... I've tested the patch. configure now finds [no]getaddrinfo(), but HAVE_GETADDRINFO is still not getting set properly.

Here is an excerpt from configure's output:

[...]
checking for getaddrinfo... no
checking for getcwd... yes
checking for getgrouplist... no
checking for getnameinfo... yes
[...]
checking for ngetaddrinfo... yes
checking for openpty... yes
checking for ogetaddrinfo... yes
[...]

from config.h:

/* Define to 1 if you have the `getaddrinfo' function. */
/* #undef HAVE_GETADDRINFO */
[...]
/* Define to 1 if you have the `getnameinfo' function. */
#define HAVE_GETNAMEINFO 1
[...]

Please let me know if I can do anything...

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From kerry at crypt.gen.nz Fri Apr 19 11:53:32 2002
From: kerry at crypt.gen.nz (Kerry Thompson)
Date: Fri, 19 Apr 2002 13:53:32 +1200
Subject: Please test: Kerberos v5 support in portable
In-Reply-To:
References: <20020417012536.ED819E97F@shitei.mindrot.org>
Message-ID: <15551.30876.811877.465166@edmond.crypt.gen.nz>

Damien Miller writes:
>
> Could KerberosV users (both MIT and Heimdal) please test CVS -current and
> report back on this?
>

I've just finished testing CVS-current against MIT krb5 1.2.3 (current internationally available version of MIT krb5) on RedHat 7.2. It works well with both plain and ticket-forwarded authentication.

gcc threw some warnings which didn't seem to affect the functionality:

sshconnect1.c: In function `try_krb5_authentication':
sshconnect1.c:566: warning: passing arg 5 of `krb5_mk_req' discards qualifiers from pointer target type
sshconnect1.c: In function `send_krb5_tgt':
sshconnect1.c:693: warning: passing arg 3 of `krb5_fwd_tgt_creds' discards qualifiers from pointer target type

Config details:

OpenSSH has been configured with the following options:
               User binaries: /usr/local/bin
             System binaries: /usr/local/sbin
         Configuration files: /usr/local/etc
             Askpass program: /usr/local/libexec/ssh-askpass
                Manual pages: /usr/local/man/manX
                    PID file: /var/run
      sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
              Manpage format: doc
                 PAM support: no
          KerberosIV support: no
           KerberosV support: yes
           Smartcard support: no
                 AFS support: no
               S/KEY support: no
        TCP Wrappers support: no
        MD5 password support: no
 IP address in $DISPLAY hack: no
    Use IPv4 by default hack: no
     Translate v4 in v6 hack: yes
            BSD Auth support: no
        Random number source: OpenSSL internal ONLY

              Host: i686-pc-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags: -I/opt/kerberos/current/src/include
      Linker flags: -L/opt/kerberos/current/src/lib
         Libraries: -lresolv -lutil -lz -lnsl -lcrypto -lcrypt -lkrb5 -lk5crypto -lcom_err

Nice work, Simon.

Kerry

--
Kerry Thompson CISSP
Information Systems Security Consultant
kerry at crypt.gen.nz
http://www.crypt.gen.nz

From bugzilla-daemon at mindrot.org Fri Apr 19 15:38:44 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Apr 2002 15:38:44 +1000 (EST)
Subject: [Bug 222] configure finds getnameinfo() but not getaddrinfo()
Message-ID: <20020419053844.00312E935@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=222

------- Additional Comments From djm at mindrot.org 2002-04-19 15:38 -------

That shouldn't be a problem - have a look at the defines.h hunk of the patch: we define HAVE_GETADDRINFO if either of the replacement functions are found in libc.

Does the patch work?

From bugzilla-daemon at mindrot.org Fri Apr 19 23:58:40 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Apr 2002 23:58:40 +1000 (EST)
Subject: [Bug 222] configure finds getnameinfo() but not getaddrinfo()
Message-ID: <20020419135840.070C3E935@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=222

urban at spielwiese.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From urban at spielwiese.de 2002-04-19 23:58 -------

umm, sorry about that. Was a bit thick of me. The patch works! Thanks for your time.

From ANTIGEN_ABRA at wrq.com Sat Apr 20 12:09:09 2002
From: ANTIGEN_ABRA at wrq.com (ANTIGEN_ABRA)
Date: Fri, 19 Apr 2002 19:09:09 -0700
Subject: Antigen Notification:Antigen found FILE FILTER= *.pif file
Message-ID: <616772E97E38D31188FA00508B318ACA03FA4573@abra.wrq.com>

Antigen for Exchange found para.pif matching FILE FILTER= *.pif file filter.
The file is currently Purged. The message, "Let's be friends", was sent from ciccio and was discovered in IMC Queues\Inbound located at WRQ/Seattle/ABRA.

From markus at openbsd.org Sat Apr 20 01:21:52 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 19 Apr 2002 17:21:52 +0200
Subject: xxx_kex possible memory leak?
In-Reply-To: <59358A738F45D51186A30008C74CE25001060F0A@slc-exc1.ctron.com>
References: <59358A738F45D51186A30008C74CE25001060F0A@slc-exc1.ctron.com>
Message-ID: <20020419152151.GA10376@folly>

no, it does not get freed, it should get free()ed on exit(2). cf. packet_close()

On Thu, Apr 18, 2002 at 02:26:53PM -0400, Moulding, Dan wrote:
> Howdy,
>
> I'm working on porting the portable version of OpenSSH to the Nucleus RTOS.
> So far I've had a great deal of success. However, I've run into a possible
> memory leak, and I'm not sure whether I need to write my own cleanup
> function for it or not. The xxx_kex global (defined in sshd.c) seems to not
> get freed. I've had difficulty finding a cleanup routine for it. I've been
> looking for anything similar to key_free() or buffer_free() that might work
> for the Kex struct, but have had no luck. Does anyone know if such a cleanup
> function exists? Or is this a known memory leak? Or am I just smoking crack?
>
> Any pointers are greatly appreciated!
>
> Regards,
>
> Dan Moulding
> Firmware Engineer
> Phone :801.887.9885
> FAX :801.972.5789
> Cell :801.541.4984
> Email :dmouldin at enterasys.com
> www :www.enterasys.com

From markus at openbsd.org Sat Apr 20 01:23:43 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 19 Apr 2002 17:23:43 +0200
Subject: AuthorizedKeysFile
In-Reply-To:
References:
Message-ID: <20020419152343.GC10376@folly>

we will remove AuthorizedKeysFile2 soon. i don't like to have it documented.

-m

On Thu, Apr 18, 2002 at 02:35:59PM -0300, King, Brian wrote:
> OpenSSH 3.1
>
> Not really a bug, but an "undocumented feature".
> The default sshd_config file shows the default setting for AuthorizedKeysFile
> as being:
>
> AuthorizedKeysFile .ssh/authorized_keys
>
> If you uncomment that default, it changes the "undocumented" setting for
> "AuthorizedKeysFile2", which is by default:
>
> AuthorizedKeysFile2 .ssh/authorized_keys2
>
> Suggestions for change:
> 1 - Add AuthorizedKeysFile2 to the man page for sshd.
> 2 - Add its default setting to the default sshd_config file.
> 3 - Make the settings independent (so that setting only AuthorizedKeysFile
> doesn't remove the setting for AuthorizedKeysFile2).
>
> Even better, would be to do away with AuthorizedKeysFile2 and have
> AuthorizedKeysFile work like HostKey in that you can use it multiple times
> in a config file to list multiple key files to check.
>
> Thanks for a great product!
>
> Brian King
>
> PS. I don't read this list so any responses should be sent directly to me.
>
> ----------------------------------------------------------------------------
>
> This communication (including all attachments) is intended solely for the
> use of the person or persons to whom it is addressed and should be treated
> as a confidential xwave communication. If you are not the intended
> recipient, any use, distribution, printing, or copying of this email is
> strictly prohibited. If you received this email in error, please
> immediately delete it from your system and notify the originator. Your
> cooperation is appreciated.

From markus at openbsd.org Sat Apr 20 01:22:39 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 19 Apr 2002 17:22:39 +0200
Subject: User Authentication
In-Reply-To:
References: <20020418170308.GA14350@hoth.compsoc.com>
Message-ID: <20020419152239.GB10376@folly>

please ask ietf-ssh at netbsd.org.

From odie at rotta.media.sonera.net Sat Apr 20 17:42:28 2002
From: odie at rotta.media.sonera.net (Osmo Paananen)
Date: Sat, 20 Apr 2002 10:42:28 +0300
Subject: Buffer overflow in OpenSSH 2.2.0-3.1.0
Message-ID: <200204200742.g3K7gSK20203@rotta.tmt.tele.fi>

Hi!

I just saw this on bugtraq. Does someone have more details about this?

Subject: OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow
From: Marcell Fodor
Date: 19 Apr 2002 22:42:51 -0000 (Sat 01:42 EEST)
To: bugtraq at securityfocus.com

effect: local root

vulnerable services:
-pass Kerberos IV TGT
-pass AFS Token

bug details:
radix.c GETSTRING macro in radix_to_creds function may cause buffer overflow.

affected buffers:
creds->service
creds->instance
creds->realm
creds->pinst

exploit code here: mantra.freeweb.hu

From jason-openssh at shalott.net Wed Apr 17 10:06:21 2002
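The bugtraq summary forwarded above names the pattern behind the bug: a macro that reads a length from the incoming ticket data and copies that many bytes into a fixed-size field of the creds structure (service, instance, realm, pinst) without comparing the two. The decoder below is an added illustration of the defensive shape of that operation, written for this archive and not OpenSSH's radix.c: every field arrives as a 2-byte big-endian length followed by the bytes (the encoding the advisory's new buffer_get_short reads), and the declared length is checked against the destination's capacity before any byte is copied. The field names follow the post; the per-field limits and the message layout are assumptions for the example, not OpenSSH's sizes or wire format.

```python
"""Bounds-checked decoding of length-prefixed credential fields.

Added example (not OpenSSH's radix.c). Field names are from the bugtraq post;
FIELD_LIMITS values and the overall layout are constructed for illustration.
"""
import struct
from typing import Dict, Tuple

# Assumed destination sizes; what matters is that the limit is enforced, not its value.
FIELD_LIMITS: Dict[str, int] = {"service": 40, "instance": 40, "realm": 40, "pinst": 40}


class TruncatedMessage(ValueError):
    """The message ended before a declared length was satisfied."""


class FieldTooLong(ValueError):
    """A declared length exceeds the destination field: the overflow case."""


class BoundedBuffer:
    def __init__(self, data: bytes):
        self.data, self.off = data, 0

    def _take(self, n: int) -> bytes:
        """Consume n bytes, refusing to read past the end of the message."""
        if self.off + n > len(self.data):
            raise TruncatedMessage(f"need {n} bytes at offset {self.off}, have {len(self.data) - self.off}")
        chunk = self.data[self.off:self.off + n]
        self.off += n
        return chunk

    def get_short(self) -> int:              # 2 bytes, msb first, like buffer_get_short
        return struct.unpack(">H", self._take(2))[0]

    def get_int(self) -> int:                # 4 bytes, msb first, like buffer_get_int
        return struct.unpack(">I", self._take(4))[0]

    def get_string(self, limit: int) -> bytes:
        """Length-prefixed string, rejected before any copy if it would not fit."""
        n = self.get_short()
        if n > limit:
            raise FieldTooLong(f"declared length {n} exceeds field size {limit}")
        return self._take(n)


def put_string(value: bytes) -> bytes:
    return struct.pack(">H", len(value)) + value


def encode_creds(fields: Dict[str, str]) -> bytes:
    """Encoder used to build test messages, including deliberately oversized ones."""
    return b"".join(put_string(fields[name].encode("ascii")) for name in FIELD_LIMITS)


def decode_creds(data: bytes) -> Dict[str, str]:
    """Decode all four fields in order; raises on truncation, oversize or trailing junk."""
    buf = BoundedBuffer(data)
    creds = {name: buf.get_string(limit).decode("ascii") for name, limit in FIELD_LIMITS.items()}
    if buf.off != len(data):
        raise ValueError("trailing bytes after credential fields")
    return creds


def check_creds(data: bytes) -> Tuple[str, Dict[str, str]]:
    """Classify a message the way a hardened parser would: ok, field too long, or truncated."""
    try:
        return "ok", decode_creds(data)
    except FieldTooLong:
        return "field too long", {}
    except TruncatedMessage:
        return "truncated", {}


if __name__ == "__main__":
    sample = {"service": "rcmd", "instance": "host1", "realm": "EXAMPLE.COM", "pinst": ""}
    print(check_creds(encode_creds(sample)))
    print(check_creds(encode_creds(dict(sample, realm="A" * 41)))[0])
```

The two checks are independent and both are needed: `_take` stops a short message from being read past its end, and `get_string` stops a long declared length from being written past the field's end. The advisory's point that privilege separation contains the damage still holds, but the parser is where the bug is actually closed.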
From: jason-openssh at shalott.net (Jason Stone)
Date: Tue, 16 Apr 2002 17:06:21 -0700 (PDT)
Subject: ProxyCommand commands don't exit
Message-ID: <20020416161002.S52363-100000@walter>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've noticed that when I use ProxyCommand commands to connect, the commands do not exit when ssh exits. This results in a bunch of commands piling up on the machine over time.

I experimented with four machines:

    linux-2.2.19+patches, openssh-3.0.1p1
    linux-2.2.14+patches, openssh-3.0.1p1
    freebsd-4.5-stable, openssh-2.9 localisations 20020307
    freebsd-4.3-stable, openssh-3.0.2

and in all combinations, the proxy command persisted after the client exited.

    luca/home/jason-1049: ps x
      PID TTY      STAT   TIME COMMAND
    15245 pts/64   S      0:00 -zsh
    16258 pts/64   R      0:00 ps x

    luca/home/jason-1050: ssh -o ProxyCommand="nc hermione 22" hermione true
    Enter passphrase for key '/home/jason/.ssh/id_dsa':
    otp-md5 495 he4606 ext
    S/Key Password: [successful authentication]

    luca/home/jason-1051: ps x
      PID TTY      STAT   TIME COMMAND
    15245 pts/64   S      0:00 -zsh
    16265 pts/64   S      0:00 nc hermione 22
    16273 pts/64   R      0:00 ps x

For completeness, I also used all of opie, rsa, passwd and hostbased auth to test, and nothing changed.

Is this a bug, a feature, or a misunderstanding?

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE8vLyAswXMWWtptckRAtv4AJ0WMTp+b0fxqwS/gZ7+u65fclUGrgCglDwr
1wGesZfuEXqeBungL55/OTY=
=imvZ
-----END PGP SIGNATURE-----

From mjt at tls.msk.ru Sat Apr 20 23:11:15 2002
From: mjt at tls.msk.ru (Michael Tokarev)
Date: Sat, 20 Apr 2002 17:11:15 +0400
Subject: privsep no user fatal message
References:
Message-ID: <3CC168F3.63911A67@tls.msk.ru>

Pekka Savola wrote:
>
> Hello,
>
> I updated the latest snapshot as RPM's to two of my systems. Basic stuff
> seems to be working ok.
>
> Privilege separation failed though, possibly because I didn't populate
> /var/empty with PAM entries. Privsep might be a bit raw in any case, at
> least for the portable.

Hmm... /var/empty is just this -- empty. It shouldn't be populated with anything. Or else, if ssh requires some files in its chroot, the chroot jail should be separate, private to ssh directory. Anyway, putting PAM files into chroot jail seems to be unreasonable at least -- having security-related configs in jail is wrong. I don't know how privsep currently works, but IMHO lowpriv process should NOT touch ANY system file(s) at all, all auth (including PAM) stuff belongs to privileged process anyway.

Regards,
Michael.

From markus at openbsd.org Sun Apr 21 03:52:27 2002
From: markus at openbsd.org (Markus Friedl)
Date: Sat, 20 Apr 2002 19:52:27 +0200
Subject: ProxyCommand commands don't exit
In-Reply-To: <20020416161002.S52363-100000@walter>
References: <20020416161002.S52363-100000@walter>
Message-ID: <20020420175227.GB8279@folly>

please use bugzilla.mindrot.org

On Tue, Apr 16, 2002 at 05:06:21PM -0700, Jason Stone wrote:
>
> I've noticed that when I use ProxyCommand commands to connect, the
> commands do not exit when ssh exits. This results in a bunch of commands
> piling up on the machine over time.
>
> I experimented with four machines:
>
> linux-2.2.19+patches, openssh-3.0.1p1
> linux-2.2.14+patches, openssh-3.0.1p1
> freebsd-4.5-stable, openssh-2.9 localisations 20020307
> freebsd-4.3-stable, openssh-3.0.2
>
> and in all combinations, the proxy command persisted after the client
> exited.
>
> luca/home/jason-1049: ps x
> PID TTY STAT TIME COMMAND
> 15245 pts/64 S 0:00 -zsh
> 16258 pts/64 R 0:00 ps x
>
> luca/home/jason-1050: ssh -o ProxyCommand="nc hermione 22" hermione true
> Enter passphrase for key '/home/jason/.ssh/id_dsa':
> otp-md5 495 he4606 ext
> S/Key Password: [successful authentication]
>
> luca/home/jason-1051: ps x
> PID TTY STAT TIME COMMAND
> 15245 pts/64 S 0:00 -zsh
> 16265 pts/64 S 0:00 nc hermione 22
> 16273 pts/64 R 0:00 ps x
>
>
> For completeness, I also used all of opie, rsa, passwd and hostbased auth
> to test, and nothing changed.
>
>
> Is this a bug, a feature, or a misunderstanding?
>
>
> -Jason
>
> -----------------------------------------------------------------------
> I worry about my child and the Internet all the time, even though she's
> too young to have logged on yet. Here's what I worry about. I worry
> that 10 or 15 years from now, she will come to me and say "Daddy, where
> were you when they took freedom of the press away from the Internet?"
> -- Mike Godwin > > > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From provos at citi.umich.edu Sun Apr 21 13:39:31 2002 From: provos at citi.umich.edu (Niels Provos) Date: Sat, 20 Apr 2002 23:39:31 -0400 Subject: OpenSSH Security Advisory (adv.token) Message-ID: <20020421033931.GZ5594@citi.citi.umich.edu> A buffer overflow exists in OpenSSH's sshd if sshd has been compiled with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled by default. 1. Systems affected: All Versions of OpenSSH compiled with AFS/Kerberos support and ticket/token passing enabled contain a buffer overflow. Ticket/Token passing is disabled by default and available only in protocol version 1. 2. Impact: Remote users may gain privileged access for OpenSSH < 2.9.9 Local users may gain privileged access for OpenSSH < 3.3 No privileged access is possible for OpenSSH with UsePrivsep enabled. 3. Solution: Apply the following patch and replace radix.c with http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18 4. Credits: kurt at seifried.org for notifying the OpenSSH team. http://mantra.freeweb.hu/ Appendix: Index: bufaux.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v retrieving revision 1.24 diff -u -r1.24 bufaux.c --- bufaux.c 26 Mar 2002 15:23:40 -0000 1.24 +++ bufaux.c 19 Apr 2002 12:55:29 -0000 @@ -137,10 +137,18 @@ BN_bin2bn(bin, len, value); xfree(bin); } - /* - * Returns an integer from the buffer (4 bytes, msb first). + * Returns integers from the buffer (msb first). */ + +u_short +buffer_get_short(Buffer *buffer) +{ + u_char buf[2]; + buffer_get(buffer, (char *) buf, 2); + return GET_16BIT(buf); +} + u_int buffer_get_int(Buffer *buffer) { 
@@ -158,8 +166,16 @@ } /* - * Stores an integer in the buffer in 4 bytes, msb first. + * Stores integers in the buffer, msb first. */ +void +buffer_put_short(Buffer *buffer, u_short value) +{ + char buf[2]; + PUT_16BIT(buf, value); + buffer_append(buffer, buf, 2); +} + void buffer_put_int(Buffer *buffer, u_int value) { Index: bufaux.h =================================================================== RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v retrieving revision 1.17 diff -u -r1.17 bufaux.h --- bufaux.h 18 Mar 2002 17:25:29 -0000 1.17 +++ bufaux.h 19 Apr 2002 12:55:56 -0000 @@ -23,6 +23,9 @@ void buffer_get_bignum(Buffer *, BIGNUM *); void buffer_get_bignum2(Buffer *, BIGNUM *); +u_short buffer_get_short(Buffer *); +void buffer_put_short(Buffer *, u_short); + u_int buffer_get_int(Buffer *); void buffer_put_int(Buffer *, u_int); From markus at openbsd.org Sun Apr 21 03:53:23 2002 
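Review bot: in the bufaux.c hunks the two new helpers are not written alike: buffer_get_short reads into `u_char buf[2]` while buffer_put_short packs into `char buf[2]`; use one element type for both so the pair reads like a matched set. Note also that the appendix only adds the 16-bit get/put helpers; the overflow itself is fixed by the radix.c replacement linked under Solution, so applying just this diff does not close the advisory.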
From: markus at openbsd.org (Markus Friedl)
Date: Sat, 20 Apr 2002 19:53:23 +0200
Subject: privsep no user fatal message
In-Reply-To: <3CC168F3.63911A67@tls.msk.ru>
References: <3CC168F3.63911A67@tls.msk.ru>
Message-ID: <20020420175323.GC8279@folly>

the [net] process runs in /var/empty, the [priv] process does
authentication and is not chrooted.

-m

On Sat, Apr 20, 2002 at 05:11:15PM +0400, Michael Tokarev wrote:
> Pekka Savola wrote:
> > 
> > Hello,
> > 
> > I updated the latest snapshot as RPM's to two of my systems. Basic stuff
> > seems to be working ok.
> > 
> > Privilege separation failed though, possibly because I didn't populate
> > /var/empty with PAM entries. Privsep might be a bit raw in any case, at
> > least for the portable.
> 
> Hmm... /var/empty is just this -- empty. It shouldn't be populated with
> anything. Or else, if ssh requires some files in its chroot, the chroot
> jail should be separate, private to ssh directory. Anyway, putting PAM
> files into chroot jail seems to be unreasonable at least -- having
> security-related configs in jail is wrong. I don't know how privsep
> currently works, but IMHO lowpriv process should NOT touch ANY system
> file(s) at all, all auth (including PAM) stuff belongs to privileged
> process anyway.
> 
> Regards,
>  Michael.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
From bugzilla-daemon at mindrot.org Mon Apr 22 04:28:41 2002
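The [net]/[priv] split Markus describes, as an added example and not OpenSSH's own monitor code: the unprivileged child is chrooted into an empty directory and drops to an unprivileged user, the privileged parent keeps the credential check, and the two exchange a fixed-size request/answer over a socketpair. The message layout, the credential table, the "sshd" user name and the `privsep_auth` entry point are constructed for the demo.

```c
#define _GNU_SOURCE                 /* declares chroot() and setgroups() */
#include <sys/socket.h>
#include <sys/wait.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Monitor protocol: the unprivileged [net] side may only ask "is this user/password
 * valid?" and gets one bit back; the credential store stays with [priv]. */
enum { MON_REQ_PASSWD = 1, MON_ANS_PASSWD = 2 };
struct mon_msg { unsigned char type, ok; char user[32]; char secret[64]; };

/* Constructed stand-in for the privileged credential check (PAM, shadow,
 * Kerberos, ...); the account is hypothetical demo data. */
static int priv_check_password(const char *user, const char *secret)
{
	return strcmp(user, "alice") == 0 && strcmp(secret, "correct horse") == 0;
}

static int read_msg(int fd, struct mon_msg *m)
{
	size_t got = 0;
	while (got < sizeof *m) {
		ssize_t n = read(fd, (char *)m + got, sizeof *m - got);
		if (n <= 0)
			return -1;
		got += (size_t)n;
	}
	return 0;
}

/* [net] side: lock itself into an empty directory and drop to an unprivileged
 * user before touching network input.  Only succeeds when started as root. */
int net_sandbox(const char *emptydir, const char *unpriv_user)
{
	struct passwd *pw = unpriv_user ? getpwnam(unpriv_user) : NULL;
	if (pw == NULL || chroot(emptydir) != 0 || chdir("/") != 0)
		return -1;
	if (setgroups(1, &pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0 ||
	    setuid(pw->pw_uid) != 0)
		return -1;
	return setuid(0) == 0 ? -1 : 0;	/* the drop must be irreversible */
}

/* [net] side: hand the credentials to the monitor and trust only its verdict. */
int net_request_auth(int sock, const char *user, const char *secret)
{
	struct mon_msg m;
	memset(&m, 0, sizeof m);
	m.type = MON_REQ_PASSWD;
	snprintf(m.user, sizeof m.user, "%s", user);
	snprintf(m.secret, sizeof m.secret, "%s", secret);
	if (write(sock, &m, sizeof m) != (ssize_t)sizeof m || read_msg(sock, &m) != 0)
		return 0;
	return m.type == MON_ANS_PASSWD && m.ok == 1;
}

/* [priv] side: serve exactly one request type and answer with one bit. */
int priv_serve_one(int sock)
{
	struct mon_msg m;
	int ok = 0;
	if (read_msg(sock, &m) != 0)
		return 0;
	m.user[sizeof m.user - 1] = '\0';	/* never trust the peer's NULs */
	m.secret[sizeof m.secret - 1] = '\0';
	if (m.type == MON_REQ_PASSWD)
		ok = priv_check_password(m.user, m.secret);
	memset(m.secret, 0, sizeof m.secret);	/* scrub before the reply goes out */
	m.type = MON_ANS_PASSWD;
	m.ok = (unsigned char)ok;
	return write(sock, &m, sizeof m) == (ssize_t)sizeof m ? ok : 0;
}

/* Fork the pair over a socketpair: child = [net], parent = [priv].  Real
 * deployments pass "/var/empty" and the sshd user; emptydir == NULL skips the
 * confinement so the demo also runs without root.  Returns 1 only when the
 * monitor accepted the login and the child saw the same verdict. */
int privsep_auth(const char *user, const char *secret,
    const char *emptydir, const char *unpriv_user)
{
	int sv[2], ok, status;
	pid_t pid;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || (pid = fork()) < 0)
		return 0;
	if (pid == 0) {
		close(sv[0]);
		if (emptydir != NULL && net_sandbox(emptydir, unpriv_user) != 0)
			_exit(2);
		_exit(net_request_auth(sv[1], user, secret) ? 0 : 1);
	}
	close(sv[1]);
	ok = priv_serve_one(sv[0]);
	close(sv[0]);
	if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
		return 0;
	return ok && WEXITSTATUS(status) == 0;
}
```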
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 22 Apr 2002 04:28:41 +1000 (EST)
Subject: [Bug 208] SCO build/runtime fixes
Message-ID: <20020421182841.81092E918@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=208

------- Additional Comments From tim at multitalents.net 2002-04-22 04:28 -------
I've committed the patch to entropy.c
Thanks for your work on this.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From gunnar at Astrogator.se Mon Apr 22 12:03:58 2002
From: gunnar at Astrogator.se (Gunnar Brading)
Date: Mon, 22 Apr 2002 04:03:58 +0200
Subject: PAM on Solaris
Message-ID: <3CC36F8E.9020608@Astrogator.se>

I have been having problems with openssh and PAM on my Solaris 8 box. I
needed to use pam_krb5, and I always got the wrong owner on my credentials
file /tmp/krb5cc_xxxx. The owner became root...

It seems to me that the setting of uid should be before actually calling
pam_setcred() in session.c, and when I do change around those lines, it
started to work.

From what I can see this is not really good behaviour from Sun's pam-module.
It should realize the problem and verify ownership of the credential-file,
but.. Simply changing UID works, so why not, even if giving Sun a hard time
about it would be fun.

Anyway... If this change seems appropriate, I am appending my diff.

-- Gunnar

-- 
Gunnar Brading, Astrogator AB - High Performance Networks & Interactive Media
Email; gunnar at astrogator.se
Address; Rörstrandsgatan 30A, 113 40 STOCKHOLM
Office: +46 8 5456 0010  Fax: +46 8 5456 0011  Cellular: +46 70 778 2 877
The scientist describes what is; the engineer creates what never was
- Theodore von Karman

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: session.c-PATCH
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020422/7c18afc8/attachment.ksh
From bugzilla-daemon at mindrot.org Mon Apr 22 12:43:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 22 Apr 2002 12:43:51 +1000 (EST) Subject: [Bug 223] New: ProxyCommand commands don't exit Message-ID: <20020422024351.120F9E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=223 Summary: ProxyCommand commands don't exit Product: Portable OpenSSH Version: 3.0.1p1 Platform: ix86 OS/Version: FreeBSD Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: jason-openssh at shalott.net I've noticed that when I use ProxyCommand commands to connect, the commands do not exit when ssh exits. This results in a bunch of commands piling up on the machine over time. The problem has been observed under: linux-2.2.19+patches, openssh-3.0.1p1 linux-2.2.14+patches, openssh-3.0.1p1 freebsd-4.5-stable, openssh-2.9 localisations 20020307 freebsd-4.3-stalbe, openssh-3.0.2 ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From astrand at lysator.liu.se Mon Apr 22 19:10:59 2002 From: astrand at lysator.liu.se (=?iso-8859-1?Q?Peter_=C5strand?=) Date: Mon, 22 Apr 2002 11:10:59 +0200 (CEST) Subject: Password from open filedescriptor Message-ID: The included patch adds a new option to the ssh client: -d fd Read the password from file descriptor fd. If you use 0 for fd, the passphrase will be read from stdin. This is basically the same as GPG:s parameter --passphrase-fd. Flames about why this is a bad idea goes into /dev/null. I really need to do this. There are lots of ugly Expect-hacks out there, but I want a more clean solution. diff -bur openssh-3.1p1.org/readconf.c openssh-3.1p1/readconf.c --- openssh-3.1p1.org/readconf.c Tue Feb 5 02:26:35 2002 +++ openssh-3.1p1/readconf.c Mon Apr 22 09:56:31 2002 
@@ -776,6 +776,7 @@ options->port = -1; options->connection_attempts = -1; options->number_of_password_prompts = -1; + options->password_from_fd = -1; options->cipher = -1; options->ciphers = NULL; options->macs = NULL; diff -bur openssh-3.1p1.org/readconf.h openssh-3.1p1/readconf.h --- openssh-3.1p1.org/readconf.h Tue Mar 5 02:53:05 2002 +++ openssh-3.1p1/readconf.h Mon Apr 22 10:24:06 2002 @@ -70,6 +70,7 @@ * giving up */ int number_of_password_prompts; /* Max number of password * prompts. */ + int password_from_fd; /* Read password from file descriptor */ int cipher; /* Cipher to use. */ char *ciphers; /* SSH2 ciphers in order of preference. */ char *macs; /* SSH2 macs in order of preference. */ diff -bur openssh-3.1p1.org/readpass.c openssh-3.1p1/readpass.c --- openssh-3.1p1.org/readpass.c Wed Feb 13 04:05:23 2002 +++ openssh-3.1p1/readpass.c Mon Apr 22 10:27:49 2002 @@ -124,4 +124,29 @@ ret = xstrdup(buf); memset(buf, 'x', sizeof buf); return ret; +} + +char * +read_password_from_fd(int fd) +{ + ssize_t nr; + int i = 0; + char ch, *buf; + + buf = xmalloc(1024); + + while (1) { + nr = read(fd, &ch, 1); + if (nr == -1) + fatal("error while reading password from filedescriptor: %.100s", strerror(errno)); + + if (nr == 0 || ch == '\n' || ch == '\r' || i >= 1024) + break; + + buf[i++] = ch; + } + + buf[i] = '\0'; + + return buf; } diff -bur openssh-3.1p1.org/readpass.h openssh-3.1p1/readpass.h --- openssh-3.1p1.org/readpass.h Wed Jul 4 06:46:58 2001 +++ openssh-3.1p1/readpass.h Mon Apr 22 10:19:53 2002 @@ -16,3 +16,4 @@ #define RP_ALLOW_STDIN 0x0002 char *read_passphrase(const char *, int); +char *read_password_from_fd(int fd); diff -bur openssh-3.1p1.org/ssh.1 openssh-3.1p1/ssh.1 --- openssh-3.1p1.org/ssh.1 Tue Feb 19 05:27:24 2002 +++ openssh-3.1p1/ssh.1 Mon Apr 22 10:34:59 2002 @@ -51,6 +51,7 @@ .Op Fl afgknqstvxACNPTX1246 .Op Fl b Ar bind_address .Op Fl c Ar cipher_spec +.Op Fl d Ar fd .Op Fl e Ar escape_char .Op Fl i Ar identity_file .Op Fl l Ar login_name 
@@ -415,6 +416,10 @@ See .Cm Ciphers for more information. +.It Fl d Ar fd +Read the password from file descriptor fd. If you use 0 for fd, the +passphrase will be read from stdin. Don't use this option if you can +avoid it. .It Fl e Ar ch|^ch|none Sets the escape character for sessions with a pty (default: .Ql ~ ) . diff -bur openssh-3.1p1.org/ssh.c openssh-3.1p1/ssh.c --- openssh-3.1p1.org/ssh.c Tue Feb 19 05:20:58 2002 +++ openssh-3.1p1/ssh.c Mon Apr 22 10:13:55 2002 @@ -312,7 +312,7 @@ again: while ((opt = getopt(ac, av, - "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVX")) != -1) { + "1246ab:c:e:d:fgi:kl:m:no:p:qstvxACD:F:I:L:NPR:TVX")) != -1) { switch (opt) { case '1': options.protocol = SSH_PROTO_1; @@ -522,6 +522,9 @@ break; case 'F': config = optarg; + break; + case 'd': + options.password_from_fd = atoi(optarg); break; default: usage(); diff -bur openssh-3.1p1.org/sshconnect2.c openssh-3.1p1/sshconnect2.c --- openssh-3.1p1.org/sshconnect2.c Tue Feb 26 19:15:10 2002 +++ openssh-3.1p1/sshconnect2.c Mon Apr 22 10:28:28 2002 @@ -435,6 +435,7 @@ return 1; } + int userauth_passwd(Authctxt *authctxt) { @@ -442,6 +443,12 @@ char prompt[80]; char *password; + if (options.password_from_fd != -1) { + if (attempt++ >= 1) + return 0; + + password = read_password_from_fd(options.password_from_fd); + } else { if (attempt++ >= options.number_of_password_prompts) return 0; @@ -451,6 +458,8 @@ snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ", authctxt->server_user, authctxt->host); password = read_passphrase(prompt, 0); + } + packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(authctxt->server_user); packet_put_cstring(authctxt->service); -- /Peter Åstrand From jason at shalott.net Mon Apr 22 19:59:45 2002 
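Review bot: the readpass.c hunk has an off-by-one heap write: `buf = xmalloc(1024)` but the loop only stops at `i >= 1024`, after which `buf[i] = '\0'` stores to buf[1024], one byte past the allocation; allocate 1025 bytes or stop at i >= 1023. The limit is also tested after read(), so the byte that triggers the stop is consumed and silently dropped; check the limit before reading. Finally, the lines just above the hunk scrub the stack copy with `memset(buf, 'x', sizeof buf)` before returning, but this function hands the password back in heap memory and nothing in the patch ever clears it; the caller should memset and xfree it once the request packet is sent.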
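Review bot: in the ssh.c hunk `options.password_from_fd = atoi(optarg);` accepts anything: a non-numeric argument becomes 0 and the password is silently read from stdin, and `-d -1` collides with the sentinel readconf.c initialises the field to, so it quietly turns the option off. Parse with strtol, reject negative values and trailing garbage, and fall through to usage() on error. Inserting `d:` between `e:` and `f` also breaks the alphabetical order the existing optstring keeps.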
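Review bot: the sshconnect2.c hunk wraps the existing prompt/read lines in a new `} else {` block without re-indenting them, and it only covers the protocol 2 password method; the ssh.1 hunk lists the option in a synopsis that still offers `-1`, so with protocol 1 `-d` is accepted and then ignored. Either add the same branch to the protocol 1 password path or state in ssh.1 that the option applies to protocol 2 only.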
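Review bot: the ssh.1 hunk calls the value a "password" in its first sentence and a "passphrase" in the next; the descriptor feeds the account password for password authentication, not a key passphrase, so use one term throughout.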
From: jason at shalott.net (Jason Stone)
Date: Mon, 22 Apr 2002 02:59:45 -0700 (PDT)
Subject: Password from open filedescriptor
In-Reply-To: 
Message-ID: <20020422025540.W14111-100000@walter>

> The included patch adds a new option to the ssh client:
> 
> -d fd Read the password from file descriptor fd. If you use 0 for fd,
> the passphrase will be read from stdin.
> 
> This is basically the same as GPG:s parameter --passphrase-fd.
> 
> Flames about why this is a bad idea goes into /dev/null. I really need
> to do this. There are lots of ugly Expect-hacks out there, but I want
> a more clean solution.

This is not a flame, but I wonder why you need to do this when ssh-agent
is available? In particular, you mention GPG, which states in the manpage,
"Don't use this option if you can avoid it." I think that the authors of
gpg consider that feature to be a hack until they can finish gpg-agent
(which is under development).

 -Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
 -- Mike Godwin
From astrand at lysator.liu.se Mon Apr 22 20:05:59 2002
From: astrand at lysator.liu.se (Peter Astrand)
Date: Mon, 22 Apr 2002 12:05:59 +0200 (CEST)
Subject: Password from open filedescriptor
In-Reply-To: <20020422025540.W14111-100000@walter>
Message-ID: 

> > -d fd Read the password from file descriptor fd. If you use 0 for fd,
> > the passphrase will be read from stdin.
> > 
> > This is basically the same as GPG:s parameter --passphrase-fd.
> > 
> > Flames about why this is a bad idea goes into /dev/null. I really need
> > to do this. There are lots of ugly Expect-hacks out there, but I want
> > a more clean solution.
> 
> This is not a flame, but I wonder why you need to do this when ssh-agent
> is available?

ssh-agent, as far as I know, only handles keys for public key
authentication. I need to use the "password" authentication method.
ssh-agent does not handle this, right?

-- 
/Peter Åstrand
From tomh at po.crl.go.jp Mon Apr 22 20:18:08 2002
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Mon, 22 Apr 2002 19:18:08 +0900 (JST)
Subject: Password from open filedescriptor
In-Reply-To: 
Message-ID: 

On Mon, 22 Apr 2002, Peter Astrand wrote:

> ssh-agent, as far as I know, only handles keys for public key
> authentication. I need to use the "password" authentication method.
> ssh-agent does not handle this, right?

No, it doesn't. It'd be nice if it did (protocol changes required?),
though I wonder what the UI would look like. It can't very well ask for
a password from the user after it daemonizes itself; is there some
standard program it can launch to ask for a password?
From markus at openbsd.org Mon Apr 22 20:38:09 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 22 Apr 2002 12:38:09 +0200
Subject: Password from open filedescriptor
In-Reply-To: <20020422025540.W14111-100000@walter>
References: <20020422025540.W14111-100000@walter>
Message-ID: <20020422103809.GA569@faui02>

On Mon, Apr 22, 2002 at 02:59:45AM -0700, Jason Stone wrote:
> This is not a flame, but I wonder why you need to do this when ssh-agent
> is available?

you could use $SSHASKPASS
From astrand at lysator.liu.se Mon Apr 22 20:44:34 2002
From: astrand at lysator.liu.se (Peter Astrand)
Date: Mon, 22 Apr 2002 12:44:34 +0200 (CEST)
Subject: Password from open filedescriptor
In-Reply-To: <20020422103809.GA569@faui02>
Message-ID: 

> On Mon, Apr 22, 2002 at 02:59:45AM -0700, Jason Stone wrote:
> > This is not a flame, but I wonder why you need to do this when ssh-agent
> > is available?
> 
> you could use $SSHASKPASS

(The variable is called SSH_ASKPASS.)

It is not possible to use SSH_ASKPASS when there is a controlling
terminal. Also, SSH_ASKPASS requires a DISPLAY.

My first idea was actually to add a patch to force use of SSH_ASKPASS, but
it seems like SSH_ASKPASS really is only meant for X11 applications
(because it requires a DISPLAY).

-- 
/Peter Åstrand
From markus at openbsd.org Mon Apr 22 20:54:30 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 22 Apr 2002 12:54:30 +0200
Subject: Password from open filedescriptor
In-Reply-To: 
References: <20020422103809.GA569@faui02>
Message-ID: <20020422105430.GA2762@faui02>

On Mon, Apr 22, 2002 at 12:44:34PM +0200, Peter Astrand wrote:
> My first idea was actually to add a patch to force use of SSH_ASKPASS, but
> it seems like SSH_ASKPASS really is only meant for X11 applications
> (because it requires a DISPLAY).

well, this could be changed. and you could set DISPLAY=bla
From astrand at lysator.liu.se Mon Apr 22 21:09:12 2002
From: astrand at lysator.liu.se (Peter Astrand)
Date: Mon, 22 Apr 2002 13:09:12 +0200 (CEST)
Subject: Password from open filedescriptor
In-Reply-To: <20020422105430.GA2762@faui02>
Message-ID: 

> On Mon, Apr 22, 2002 at 12:44:34PM +0200, Peter Astrand wrote:
> > My first idea was actually to add a patch to force use of SSH_ASKPASS, but
> > it seems like SSH_ASKPASS really is only meant for X11 applications
> > (because it requires a DISPLAY).
> 
> well, this could be changed. and you could set DISPLAY=bla

In other words, do you like the solution with:

* Remove the DISPLAY requirement from SSH_ASKPASS
* Add an option for forcing use of SSH_ASKPASS, even if we have a
  controlling terminal

...better than my original patch? I could then write an askpass-program
that takes a filedescriptor from an environment string, reads from the
open fd and then prints to stdout. It would probably solve my problem,
although it seems slightly more complicated than my -d option.

-- 
/Peter Åstrand
From markus at openbsd.org Mon Apr 22 21:58:50 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 22 Apr 2002 13:58:50 +0200
Subject: Password from open filedescriptor
In-Reply-To: 
References: <20020422105430.GA2762@faui02>
Message-ID: <20020422115850.GA4161@faui02>

On Mon, Apr 22, 2002 at 01:09:12PM +0200, Peter Astrand wrote:
> although it seems slightly more complicated than my -d option.

your suggested -d just helps for one special case.
From epa98 at doc.ic.ac.uk Mon Apr 22 22:35:57 2002
From: epa98 at doc.ic.ac.uk (Edward Avis)
Date: Mon, 22 Apr 2002 13:35:57 +0100 (BST)
Subject: Password from open filedescriptor
In-Reply-To: 
Message-ID: 

On Mon, 22 Apr 2002, Peter Astrand wrote:

>ssh-agent, as far as I know, only handles keys for public key
>authentication. I need to use the "password" authentication method.
>ssh-agent does not handle this, right?

Since we are talking about adding features:

It would be cool if you could store your password in a file encrypted
with your public key. Then when ssh runs it prompts for a passphrase to
read the private key, uses that to decrypt the password and sends it to
the remote server. That way you could use a single keypair and
passphrase for all your connections - even if the remote end requires a
plain old password.

The passphrase for your private key would be remembered by ssh-agent as
usual. So once you have encrypted the password and stored it in a file
you wouldn't have to type it again.

(Of course it is usually better to do things properly and copy your
public key across to the other end - but I'm assuming that in this
situation, for some reason, that isn't possible. Also it might not be
considered good practice to store the password anywhere, even if it is
encrypted.)

-- 
Ed Avis
Finger for PGP key
From bugzilla-daemon at mindrot.org Tue Apr 23 00:34:31 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 23 Apr 2002 00:34:31 +1000 (EST)
Subject: [Bug 213] -SNAP-20020410 fails to compile under AIX 4.3.3
Message-ID: <20020422143431.C4F11E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=213

------- Additional Comments From dmanton at emea.att.com 2002-04-23 00:34 -------
openssh-SNAP-20020421 still shows this error. Can anyone spare some time
to look into the above attachments? Thanks.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From therr at rr.com Tue Apr 23 01:37:37 2002
From: therr at rr.com (Todd Herr) Date: Mon, 22 Apr 2002 11:37:37 -0400 (EDT) Subject: OpenSSH Security Advisory (adv.token) In-Reply-To: <20020421033931.GZ5594@citi.citi.umich.edu> Message-ID: Another reason to upgrade from OpenSSH 2.9.9; I'm not sure if we're compiled with these features, but... On Sat, 20 Apr 2002, at 23:39, Niels Provos wrote: > A buffer overflow exists in OpenSSH's sshd if sshd has been compiled > with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing > has been enabled in the sshd_config file. Ticket and token passing > is not enabled by default. > > 1. Systems affected: > > All Versions of OpenSSH compiled with AFS/Kerberos support > and ticket/token passing enabled contain a buffer overflow. > > Ticket/Token passing is disabled by default and available > only in protocol version 1. > > 2. Impact: > > Remote users may gain privileged access for OpenSSH < 2.9.9 > > Local users may gain privileged access for OpenSSH < 3.3 > > No privileged access is possible for OpenSSH with > UsePrivsep enabled. > > 3. Solution: > > Apply the following patch and replace radix.c with > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18 > > 4. Credits: > > kurt at seifried.org for notifying the OpenSSH team. > http://mantra.freeweb.hu/ > > Appendix: > > Index: bufaux.c > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v > retrieving revision 1.24 > diff -u -r1.24 bufaux.c > --- bufaux.c 26 Mar 2002 15:23:40 -0000 1.24 > +++ bufaux.c 19 Apr 2002 12:55:29 -0000 > @@ -137,10 +137,18 @@ > BN_bin2bn(bin, len, value); > xfree(bin); > } > - > /* > - * Returns an integer from the buffer (4 bytes, msb first). > + * Returns integers from the buffer (msb first). > */ > + > +u_short > +buffer_get_short(Buffer *buffer) > +{ > + u_char buf[2]; > + buffer_get(buffer, (char *) buf, 2); > + return GET_16BIT(buf); > +} > + > u_int > buffer_get_int(Buffer *buffer) > { 
> @@ -158,8 +166,16 @@ > } > > /* > - * Stores an integer in the buffer in 4 bytes, msb first. > + * Stores integers in the buffer, msb first. > */ > +void > +buffer_put_short(Buffer *buffer, u_short value) > +{ > + char buf[2]; > + PUT_16BIT(buf, value); > + buffer_append(buffer, buf, 2); > +} > + > void > buffer_put_int(Buffer *buffer, u_int value) > { > Index: bufaux.h > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v > retrieving revision 1.17 > diff -u -r1.17 bufaux.h > --- bufaux.h 18 Mar 2002 17:25:29 -0000 1.17 > +++ bufaux.h 19 Apr 2002 12:55:56 -0000 > @@ -23,6 +23,9 @@ > void buffer_get_bignum(Buffer *, BIGNUM *); > void buffer_get_bignum2(Buffer *, BIGNUM *); > > +u_short buffer_get_short(Buffer *); > +void buffer_put_short(Buffer *, u_short); > + > u_int buffer_get_int(Buffer *); > void buffer_put_int(Buffer *, u_int); > > -- Todd Herr therr at rr.com Systems Administrator, Road Runner 703.345.2447 The above message includes the opinions and thoughts of the author and does not necessarily represent the views of his employer. From provos at citi.umich.edu Sun Apr 21 13:39:31 2002 
From openssh-unix-dev at progressive-comp.com Tue Apr 23 02:24:01 2002
From: openssh-unix-dev at progressive-comp.com (Hank Leininger)
Date: Mon, 22 Apr 2002 12:24:01 -0400
Subject: Password from open filedescriptor
Message-ID: <200204221624.g3MGO1u03811@marc2.theaimsgroup.com>

On 2002-04-22, Edward Avis wrote:

> On Mon, 22 Apr 2002, Peter Astrand wrote:
> > ssh-agent, as far as I know, only handles keys for public key
> > authentication. I need to use the "password" authentication method.
> > ssh-agent does not handle this, right?

> It would be cool if you could store your password in a file encrypted
> with your public key. Then when ssh runs it prompts for a passphrase
> to read the private key, uses that to decrypt the password and sends it
> to the remote server. That way you could use a single keypair and

You could do essentially this if you had either the less-cumbersome
SSH_ASKPASS setup or the read-from-fd patch, and you used a helper wrapper
around gnupg to ask for a passphrase (and a dest host/account?) and spit
out the right password. No caching by ssh-agent, though (you would want
something like gnupg-agent).

On the subject of dodgy one-off password hacks, I whipped something up
last week that adds a 'Password' config option, so you can hardcode
passwords in ~/.ssh/config and/or pass '-oPassword=foo' on the command
line. Yes, these are both bad ideas. Patch here:

http://www.theaimsgroup.com/~hlein/haqs/#openssh-passopt

(I won't add this to the other openssh patches I maintain, because using
it really is a bad idea in general.)

-- 
Hank Leininger
From amcintosh at atreus-systems.com Tue Apr 23 06:55:14 2002
From: amcintosh at atreus-systems.com (Allan McIntosh) Date: Mon, 22 Apr 2002 15:55:14 -0500 (CDT) Subject: ssh programming? Message-ID: Hey, I was looking for some documentation on writing a very small ssh api. Very few, simple methods. I would like to: 1. Connect to an ssh server 2. Log in as a user 3. Execute commands: - send commands. - retreive command output. 4. Logout. IE: connect(); login(); send(); receive(); disconnect(); I am assuming the underlying code will not be as simple as the above may imply. Can any one point me in the right direction? Or tell me if anything like this exists (fingers crossed)? I also wonder how much of the openssh packages deals with key and session management? From bugzilla-daemon at mindrot.org Tue Apr 23 08:28:12 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 08:28:12 +1000 (EST) Subject: [Bug 96] bsd-cray.h modifications to allow correct UNICOS execution Message-ID: <20020422222812.743BBE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=96 ------- Additional Comments From wendyp at cray.com 2002-04-23 08:28 ------- patch is still required as of apr 22 snapshot. --- bsd-cray.h.orig Tue Aug 14 15:31:49 2001 +++ bsd-cray.h Mon Apr 22 17:15:16 2002 @@ -4,8 +4,13 @@ #ifdef _CRAY void cray_init_job(struct passwd *); /* init cray job */ void cray_job_termination_handler(int); /* process end of job signal */ -void cray_setup(uid_t, char *); /* set cray limits */ -extern char cray_tmpdir[]; /* cray tmpdir */ +char cray_tmpdir[TPATHSIZ+1]; /* cray tmpdir */ +#ifndef IA_SSHD +#define IA_SSHD IA_LOGIN +#endif +#ifndef MAXHOSTNAMELEN +#define MAXHOSTNAMELEN 64 +#endif #endif #endif /* _BSD_CRAY_H */ ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 23 08:31:44 2002 
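Review bot: the bsd-cray.h hunk turns the declaration `extern char cray_tmpdir[];` into the definition `char cray_tmpdir[TPATHSIZ+1];` inside a header, so every file that includes bsd-cray.h now defines the array and the link only succeeds by common-symbol merging; keep the extern here and define the array once in bsd-cray.c. The hunk also deletes the only prototype of cray_setup without a replacement, while the session.c patch in bug 101 on this list calls `cray_setup(pw->pw_uid, pw->pw_name, command)` with three arguments; add the new three-argument prototype here so that call is not implicitly declared.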
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 08:31:44 +1000 (EST) Subject: [Bug 99] auth2.c modifications for correct UNICOS behavior Message-ID: <20020422223144.42D06E8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=99 ------- Additional Comments From wendyp at cray.com 2002-04-23 08:31 ------- updated for 22 april snapshot: --- auth2.c.orig Mon Apr 22 14:29:54 2002 +++ auth2.c Mon Apr 22 14:31:19 2002 @@ -52,6 +52,10 @@ #include "match.h" #include "monitor_wrap.h" +#ifdef _CRAY +#include +#endif /* _CRAY */ + /* import */ extern ServerOptions options; extern u_char *session_id2; @@ -247,6 +251,13 @@ authenticated = 0; #endif /* USE_PAM */ +#ifdef _CRAY + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } +#endif /* _CRAY */ + /* Log before sending the reply */ auth_log(authctxt, authenticated, method, " ssh2"); @@ -271,6 +282,10 @@ #endif /* WITH_AIXAUTHENTICATE */ packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } +#ifdef _CRAY + if (strcmp(method, "password") == 0) + cray_login_failure(authctxt->user, IA_UDBERR); +#endif /* _CRAY */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 23 08:34:26 2002 
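Review bot: the first auth2.c hunk adds a bare `+#include` with no header name as posted, which will not compile; restore the intended header (presumably bsd-cray.h, which declares the cray_* functions used below). In the second hunk `authenticated = 0;` before `fatal("Access denied for user %s.", ...)` is dead code since fatal() does not return, and because fatal fires before the `/* Log before sending the reply */ auth_log(...)` call that follows, a denied login is never recorded through auth_log; let the failure flow into auth_log and disconnect after it.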
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 23 Apr 2002 08:34:26 +1000 (EST)
Subject: [Bug 205] PrivSep needs to be a compile-time option
Message-ID: <20020422223426.B7F16E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=205

------- Additional Comments From wendyp at cray.com 2002-04-23 08:34 -------
this seems to be working quite well. i'm happy with the changes.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From bugzilla-daemon at mindrot.org Tue Apr 23 08:38:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 23 Apr 2002 08:38:32 +1000 (EST)
Subject: [Bug 103] new openbsd-compat/bsd-cray.c file
Message-ID: <20020422223832.5E212E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=103

------- Additional Comments From wendyp at cray.com 2002-04-23 08:38 -------
Created an attachment (id=84)
updated for 22 april snapshot

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From bugzilla-daemon at mindrot.org Tue Apr 23 08:39:43 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 23 Apr 2002 08:39:43 +1000 (EST)
Subject: [Bug 97] deattack.c modifications for correct UNICOS behavior
Message-ID: <20020422223943.74FAEE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=97

wendyp at cray.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From wendyp at cray.com 2002-04-23 08:39 -------
these patches are no longer required.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From bugzilla-daemon at mindrot.org Tue Apr 23 08:40:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 08:40:51 +1000 (EST) Subject: [Bug 100] serverloop.c modifications for correct UNICOS behavior Message-ID: <20020422224051.444AEE90D@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=100 ------- Additional Comments From wendyp at cray.com 2002-04-23 08:40 ------- 1st patch is still required, 2nd is not. updated for 22 april snapshot: --- serverloop.c.orig Mon Apr 22 14:35:09 2002 +++ serverloop.c Mon Apr 22 14:36:08 2002 @@ -143,7 +143,9 @@ int save_errno = errno; debug("Received SIGCHLD."); child_terminated = 1; +#ifndef _CRAY mysignal(SIGCHLD, sigchld_handler); +#endif /* !_CRAY */ notify_parent(); errno = save_errno; } ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 23 08:43:06 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 08:43:06 +1000 (EST) Subject: [Bug 101] session.c modifications for correct UNICOS behavior Message-ID: <20020422224306.8022EE8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=101 ------- Additional Comments From wendyp at cray.com 2002-04-23 08:43 ------- updated patches for 22 april snapshot: --- session.c.orig Mon Apr 22 14:36:13 2002 +++ session.c Mon Apr 22 16:31:15 2002 @@ -64,6 +64,10 @@ #define is_winnt (GetVersion() < 0x80000000) #endif +#ifdef _CRAY +#include +#endif /* _CRAY */ + /* func */ Session *session_new(void); 
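Review bot: in the serverloop.c hunk above, the `#ifndef _CRAY` around `mysignal(SIGCHLD, sigchld_handler);` needs a one-line comment saying why UNICOS must not re-arm the handler from inside it (reliable signals, presumably); without one the conditional looks accidental and will be cleaned away by the next signal-handling tidy-up.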
@@ -425,11 +429,17 @@ if (dup2(err[0], 2) < 0) /* stderr */ perror("dup2 stderr"); #endif /* USE_PIPES */ +#ifdef _CRAY + cray_init_job(s->pw); /* set up cray jid and tmpdir */ +#endif /* _CRAY */ /* Do processing for the child (exec command etc). */ do_child(s, command); /* NOTREACHED */ } +#ifdef _CRAY + signal(WJSIGNAL, cray_job_termination_handler); +#endif /* _CRAY */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); @@ -517,7 +527,12 @@ /* record login, etc. similar to login(1) */ #ifndef HAVE_OSF_SIA if (!(options.use_login && command == NULL)) + { +# ifdef _CRAY + cray_init_job(s->pw); /* set up cray jid and tmpdir */ +# endif /* _CRAY */ do_login(s, command); + } # ifdef LOGIN_NEEDS_UTMPX else do_pre_login(s); @@ -528,6 +543,9 @@ do_child(s, command); /* NOTREACHED */ } +#ifdef _CRAY + signal(WJSIGNAL, cray_job_termination_handler); +#endif /* _CRAY */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); @@ -668,6 +686,7 @@ printf("%s\n", aixloginmsg); #endif /* WITH_AIXAUTHENTICATE */ +#ifndef _CRAY if (options.print_lastlog && s->last_login_time != 0) { time_string = ctime(&s->last_login_time); if (strchr(time_string, '\n')) @@ -678,6 +697,7 @@ printf("Last login: %s from %s\r\n", time_string, s->hostname); } +#endif /* ! _CRAY */ do_motd(); } @@ -916,7 +936,10 @@ if (original_command) child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", original_command); - +#ifdef _CRAY + if (cray_tmpdir[0] != '\0') + child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir); +#endif /* _CRAY */ #ifdef _AIX { char *cp; @@ -1151,6 +1174,7 @@ * Login(1) does this as well, and it needs uid 0 for the "-h" * switch, so we let login(1) to this for us. */ +#ifndef _CRAY if (!options.use_login) { #ifdef HAVE_OSF_SIA session_setup_sia(pw->pw_name, s->ttyfd == -1 ? NULL : s->tty); 
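Review bot: the two `signal(WJSIGNAL, cray_job_termination_handler)` hunks use raw signal() while the surrounding code uses mysignal(); use mysignal() so the handler gets the same persistence and syscall-restart behaviour as the others, and consider installing it once where the other session signal handlers are set up rather than after each of the two fork() paths, so the pty and no-pty paths cannot drift apart.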
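Review bot: the `#ifndef _CRAY` around the `options.print_lastlog` block silently turns PrintLastLog into a no-op on UNICOS. If the Cray login path prints the last-login line itself, say so in a comment at the ifdef; otherwise an admin who sets PrintLastLog will believe it is honoured when it is not.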
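Review bot: the TMPDIR hunk exports `cray_tmpdir` into the user's environment, but nothing in the visible diff declares it or shows where it is filled in; if cray_init_job() sets it, say so in a comment next to the `cray_tmpdir[0] != '\0'` test, since that test is the only thing keeping an unset value out of the environment on paths where cray_init_job() was not called. The hunk also removes the blank line before `#ifdef _AIX`; keep it.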
@@ -1164,6 +1188,9 @@ do_setusercontext(pw); #endif /* HAVE_OSF_SIA */ } +#else + cray_setup(pw->pw_uid, pw->pw_name, command); +#endif /* _CRAY */ /* * Get the shell from the password data. An empty shell field is ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 23 08:41:43 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 08:41:43 +1000 (EST) Subject: [Bug 98] auth1.c modifications for correct UNICOS behavior Message-ID: <20020422224143.F3C9CE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=98 ------- Additional Comments From wendyp at cray.com 2002-04-23 08:41 ------- updated patch for 22 april snapshot: --- auth1.c.orig Mon Apr 22 14:28:12 2002 +++ auth1.c Mon Apr 22 14:29:48 2002 @@ -26,6 +26,9 @@ #include "session.h" #include "uidswap.h" #include "monitor_wrap.h" +#ifdef _CRAY +#include +#endif /* _CRAY */ /* import */ extern ServerOptions options; @@ -291,6 +294,16 @@ if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); + +#ifdef _CRAY + if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated) { + cray_login_failure(authctxt->user, IA_UDBERR); + } + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } +#endif /* _CRAY */ #ifdef HAVE_CYGWIN if (authenticated && ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From provos at citi.umich.edu Sun Apr 21 13:39:31 2002 
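Review bot: the last session.c hunk replaces the whole `if (!options.use_login) { ... do_setusercontext(pw); }` block with `cray_setup(pw->pw_uid, pw->pw_name, command)`, so under _CRAY the UseLogin test disappears and the child's drop to the user's uid and groups now rests entirely on cray_setup(). Please confirm in bsd-cray.c that it performs the setgid/initgroups/setuid equivalents and fatal()s on any failure before do_child() goes on to exec the shell; a silent failure there would run the user's command as root. Keeping `if (!options.use_login)` outside the ifdef and swapping only the body preserves the UseLogin semantics.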
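Review bot: in the auth1.c hunk `authenticated = 0;` directly before `fatal(...)` is dead code, since fatal() never returns; drop it, or, if the intent is to let the client see an ordinary failure, log it and fall through to the failure path instead of calling fatal(). Also `cray_login_failure()` is called only for SSH_CMSG_AUTH_PASSWORD, so failed RSA, rhosts and TIS attempts are not recorded on the Cray side; if that is deliberate, say so in a comment.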
From: provos at citi.umich.edu (Niels Provos) Date: Sat, 20 Apr 2002 23:39:31 -0400 Subject: OpenSSH Security Advisory (adv.token) Message-ID: <20020421033931.GZ5594@citi.citi.umich.edu> A buffer overflow exists in OpenSSH's sshd if sshd has been compiled with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled by default. 1. Systems affected: All Versions of OpenSSH compiled with AFS/Kerberos support and ticket/token passing enabled contain a buffer overflow. Ticket/Token passing is disabled by default and available only in protocol version 1. 2. Impact: Remote users may gain privileged access for OpenSSH < 2.9.9 Local users may gain privileged access for OpenSSH < 3.3 No privileged access is possible for OpenSSH with UsePrivsep enabled. 3. Solution: Apply the following patch and replace radix.c with http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/radix.c?rev=1.18 4. Credits: kurt at seifried.org for notifying the OpenSSH team. http://mantra.freeweb.hu/ Appendix: Index: bufaux.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/bufaux.c,v retrieving revision 1.24 diff -u -r1.24 bufaux.c --- bufaux.c 26 Mar 2002 15:23:40 -0000 1.24 +++ bufaux.c 19 Apr 2002 12:55:29 -0000 @@ -137,10 +137,18 @@ BN_bin2bn(bin, len, value); xfree(bin); } - /* - * Returns an integer from the buffer (4 bytes, msb first). + * Returns integers from the buffer (msb first). */ + +u_short +buffer_get_short(Buffer *buffer) +{ + u_char buf[2]; + buffer_get(buffer, (char *) buf, 2); + return GET_16BIT(buf); +} + u_int buffer_get_int(Buffer *buffer) { 
@@ -158,8 +166,16 @@ } /* - * Stores an integer in the buffer in 4 bytes, msb first. + * Stores integers in the buffer, msb first. */ +void +buffer_put_short(Buffer *buffer, u_short value) +{ + char buf[2]; + PUT_16BIT(buf, value); + buffer_append(buffer, buf, 2); +} + void buffer_put_int(Buffer *buffer, u_int value) { Index: bufaux.h =================================================================== RCS file: /cvs/src/usr.bin/ssh/bufaux.h,v retrieving revision 1.17 diff -u -r1.17 bufaux.h --- bufaux.h 18 Mar 2002 17:25:29 -0000 1.17 +++ bufaux.h 19 Apr 2002 12:55:56 -0000 @@ -23,6 +23,9 @@ void buffer_get_bignum(Buffer *, BIGNUM *); void buffer_get_bignum2(Buffer *, BIGNUM *); +u_short buffer_get_short(Buffer *); +void buffer_put_short(Buffer *, u_short); + u_int buffer_get_int(Buffer *); void buffer_put_int(Buffer *, u_int); From bugzilla-daemon at mindrot.org Tue Apr 23 09:10:19 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 09:10:19 +1000 (EST) Subject: [Bug 224] New: configure.ac changes for crays Message-ID: <20020422231019.799DDE916@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=224 Summary: configure.ac changes for crays Product: Portable OpenSSH Version: 3.1p1 Platform: Other OS/Version: other Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: wendyp at cray.com --- configure.ac.orig Mon Apr 22 14:31:27 2002 +++ configure.ac Mon Apr 22 14:32:48 2002 
@@ -236,12 +236,29 @@ AC_CHECK_FUNCS(getluid setluid) MANTYPE=man ;; +*-*-unicosmk*) + no_libsocket=1 + no_libnsl=1 + not_sco=1 + MANTYPE=cat + AC_DEFINE(USE_PIPES) + AC_DEFINE(LOGIN_NEEDS_UTMPX) + AC_DEFINE(USE_UTMP) + AC_DEFINE(USE_WTMP) + LDFLAGS="$LDFLAGS -L/usr/local/lib" + LIBS="$LIBS -lshare -lgen -lrsc -luex -lacm" + ;; *-*-unicos*) no_libsocket=1 no_libnsl=1 + not_sco=1 + MANTYPE=cat AC_DEFINE(USE_PIPES) + AC_DEFINE(LOGIN_NEEDS_UTMPX) + AC_DEFINE(USE_UTMP) + AC_DEFINE(USE_WTMP) LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal,-L/usr/local/lib" - LIBS="$LIBS -lgen -lrsc" + LIBS="$LIBS -lshare -lgen -lrsc -luex -lacm" ;; *-dec-osf*) AC_MSG_CHECKING(for Digital Unix SIA) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 23 09:12:47 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 09:12:47 +1000 (EST) Subject: [Bug 224] configure.ac changes for crays Message-ID: <20020422231247.51095E906@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=224 ------- Additional Comments From wendyp at cray.com 2002-04-23 09:12 ------- sorry, slight error with that last patch. try this instead (with 22 april snapshot): --- configure.ac.orig Mon Apr 22 14:31:27 2002 +++ configure.ac Mon Apr 22 14:32:48 2002 
@@ -236,12 +236,29 @@ AC_CHECK_FUNCS(getluid setluid) MANTYPE=man ;; +*-*-unicosmk*) + no_libsocket=1 + no_libnsl=1 + not_sco=1 + MANTYPE=cat + AC_DEFINE(USE_PIPES) + AC_DEFINE(LOGIN_NEEDS_UTMPX) + AC_DEFINE(USE_UTMP) + AC_DEFINE(USE_WTMP) + LDFLAGS="$LDFLAGS" + LIBS="$LIBS -lshare -lgen -lrsc -luex -lacm" + ;; *-*-unicos*) no_libsocket=1 no_libnsl=1 + not_sco=1 + MANTYPE=cat AC_DEFINE(USE_PIPES) + AC_DEFINE(LOGIN_NEEDS_UTMPX) + AC_DEFINE(USE_UTMP) + AC_DEFINE(USE_WTMP) - LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal,-L/usr/local/lib" + LDFLAGS="$LDFLAGS -Wl,-Dmsglevel=334:fatal" - LIBS="$LIBS -lgen -lrsc" + LIBS="$LIBS -lshare -lgen -lrsc -luex -lacm" ;; *-dec-osf*) AC_MSG_CHECKING(for Digital Unix SIA) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From djm at mindrot.org Tue Apr 23 09:52:33 2002 From: djm at mindrot.org (Damien Miller) Date: Tue, 23 Apr 2002 09:52:33 +1000 (EST) Subject: Password from open filedescriptor In-Reply-To: Message-ID: On Mon, 22 Apr 2002, Peter Åstrand wrote: > > The included patch adds a new option to the ssh client: > > -d fd Read the password from file descriptor fd. If you use 0 for fd, > the passphrase will be read from stdin. > > This is basically the same as GPG:s parameter --passphrase-fd. > > Flames about why this is a bad idea goes into /dev/null. I really need to > do this. There are lots of ugly Expect-hacks out there, but I want a more > clean solution. pubkey authentication From djm at mindrot.org Tue Apr 23 09:55:48 2002 
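Review bot: the bufaux.c and bufaux.h hunks in the adv.token advisory above only add buffer_get_short()/buffer_put_short(); the overflow itself is in radix.c, which the advisory says to replace separately with rev 1.18, so applying the inline diff on its own leaves sshd vulnerable. The helpers are fine as written and inherit buffer_get()'s fatal() on a short read, so a caller gets its two bytes or dies, but radix.c still has to check every length it decodes against its destination before copying. Nit: buffer_get_short uses `u_char buf[2]` while buffer_put_short uses `char buf[2]`; pick one type for both.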
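Review bot: `LDFLAGS="$LDFLAGS -L/usr/local/lib"` in the first configure.ac patch hard-codes a site-local library path into a generic target arm; the follow-up patch in the next comment drops it, so treat that first version as superseded.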
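Review bot: in the corrected configure.ac hunk `LDFLAGS="$LDFLAGS"` in the `*-*-unicosmk*` arm is a no-op and can go. The unicosmk and unicos arms are now identical apart from `-Wl,-Dmsglevel=334:fatal`; since `*-*-unicos*` already matches unicosmk hosts, folding them into one arm with a nested case for that single flag would stop the two library lists drifting apart, as they already did between the two versions of this patch. Placing `-` lines after the `+` lines inside the hunk also suggests the diff was edited by hand; regenerate it with `diff -u` so the hunk counts are guaranteed to match.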
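The advisory earlier in this digest describes the classic shape of the adv.token bug: a length taken from the wire was trusted when copying into a fixed-size buffer, and the fix adds bounded 16-bit helpers alongside a rewritten radix.c. The following C program is an added illustration, not OpenSSH code and not the radix.c fix: it implements a small bounds-checked read cursor in the style of the bufaux helpers, shows the unchecked copy beside its hardened form, and parses a toy credential record (a 16-bit length, that many name bytes, then a 32-bit expiry; a format invented here) from constructed sample inputs, including an oversized length and a truncated record.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not OpenSSH code): a read cursor over a received message in
 * the spirit of the bufaux helpers. Every read is checked against the bytes
 * actually received; a short read is an error, never a read past the end. */
struct rbuf {
	const unsigned char *data;
	size_t len, off;
};

static int rb_get(struct rbuf *b, void *out, size_t n)
{
	if (n > b->len - b->off)
		return -1;
	memcpy(out, b->data + b->off, n);
	b->off += n;
	return 0;
}

/* 16-bit and 32-bit big-endian integers, as buffer_get_short/buffer_get_int. */
static int rb_get_short(struct rbuf *b, uint16_t *v)
{
	unsigned char t[2];
	if (rb_get(b, t, sizeof t) < 0)
		return -1;
	*v = (uint16_t)((t[0] << 8) | t[1]);
	return 0;
}

static int rb_get_int(struct rbuf *b, uint32_t *v)
{
	unsigned char t[4];
	if (rb_get(b, t, sizeof t) < 0)
		return -1;
	*v = ((uint32_t)t[0] << 24) | ((uint32_t)t[1] << 16) |
	    ((uint32_t)t[2] << 8) | t[3];
	return 0;
}

#define NAME_MAX_LEN 64

/* The shape of the bug behind the advisory: the wire length is trusted and
 * that many bytes are copied into a fixed-size array supplied by the caller.
 * Anything over 64 bytes overruns it. Shown for contrast; nothing calls it. */
int get_name_unchecked(struct rbuf *b, char name[NAME_MAX_LEN])
{
	uint16_t n;
	if (rb_get_short(b, &n) < 0)
		return -1;
	return rb_get(b, name, n);	/* n may be anything up to 65535 */
}

/* Hardened form: compare the wire length with the destination before copying,
 * leave room for a terminating NUL, and report the real length to the caller. */
static int get_name_checked(struct rbuf *b, char *name, size_t namesz, size_t *namelen)
{
	uint16_t n;
	if (rb_get_short(b, &n) < 0)
		return -1;
	if (n >= namesz)
		return -1;	/* refuse before touching name[] */
	if (rb_get(b, name, n) < 0)
		return -1;
	name[n] = '\0';
	*namelen = n;
	return 0;
}

/* Toy credential record (format invented for this example): uint16 length,
 * name bytes, uint32 expiry. Returns 0 on success, -1 on malformed input. */
static int parse_cred(const unsigned char *msg, size_t msglen,
    char *name, size_t namesz, uint32_t *expiry)
{
	struct rbuf b = { msg, msglen, 0 };
	size_t n;
	if (get_name_checked(&b, name, namesz, &n) < 0)
		return -1;
	if (rb_get_int(&b, expiry) < 0)
		return -1;
	if (b.off != b.len)	/* trailing bytes also mean a malformed record */
		return -1;
	return 0;
}

/* Constructed sample inputs. A well-formed record: name "hello", expiry 42. */
static int demo_valid(void)
{
	static const unsigned char msg[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
	    0x00, 0x00, 0x00, 0x2a };
	char name[NAME_MAX_LEN];
	uint32_t exp;
	if (parse_cred(msg, sizeof msg, name, sizeof name, &exp) < 0)
		return -1;
	return strcmp(name, "hello") == 0 ? (int)exp : -2;
}

/* Claims a 1000-byte name: rejected by the size check, never copied. */
static int demo_oversized(void)
{
	static const unsigned char msg[] = { 0x03, 0xe8, 'x', 'x', 'x', 'x' };
	char name[NAME_MAX_LEN];
	uint32_t exp;
	return parse_cred(msg, sizeof msg, name, sizeof name, &exp);
}

/* Name is complete but the expiry is cut off after two bytes: short read. */
static int demo_truncated(void)
{
	static const unsigned char msg[] = { 0x00, 0x02, 'h', 'i', 0x00, 0x00 };
	char name[NAME_MAX_LEN];
	uint32_t exp;
	return parse_cred(msg, sizeof msg, name, sizeof name, &exp);
}
```

Unlike the real buffer_get(), which fatal()s on a short read, the cursor here returns -1 so the caller decides what to do; the property that matters is the same in both: the destination size is checked before any byte is copied, and a length from the wire never sizes the copy on its own.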
From: djm at mindrot.org (Damien Miller) Date: Tue, 23 Apr 2002 09:55:48 +1000 (EST) Subject: Password from open filedescriptor In-Reply-To: Message-ID: On Mon, 22 Apr 2002, Tom Holroyd wrote: > On Mon, 22 Apr 2002, Peter Astrand wrote: > > > ssh-agent, as far as I know, only handles keys for public key > > authentication. I need to use the "password" authentication method. > > ssh-agent does not handle this, right? > > No, it doesn't. It'd be nice if it did (protocol changes required?), > though I wonder what the UI would look like. It can't very well ask > for a password from the user after it daemonizes itself; is there some > standard program it can launch to ask for a password? It will ask $SSH_ASKPASS for a password if $DISPLAY is set. Have a look at http://bugzilla.mindrot.org/show_bug.cgi?id=69 for a patch to make it do more. -d From bugzilla-daemon at mindrot.org Tue Apr 23 10:55:54 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 10:55:54 +1000 (EST) Subject: [Bug 225] New: Suppression of login warning banner for noninteractive commands Message-ID: <20020423005554.C1F69E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=225 Summary: Suppression of login warning banner for noninteractive commands Product: Portable OpenSSH Version: 3.0.2p1 Platform: All OS/Version: All Status: NEW Severity: enhancement Priority: P4 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: cowboym at shmoo.com The Banner directive available in SSH v2 provides a nice, easy method for displaying login banners that are required in some corporate environments for security policy compliance. However, when writing scripts that connect noninteractively to remote hosts, the banner is still displayed. If these scripts are to be run from crontab, for example, the banner output is mailed to the user since it's treated as error output. If the scripts issuing the remote commands via ssh attempt to suppress the banner output by piping stderr to /dev/null, they also eliminate any legitimate error output created by the commands executed on the remote machine. It would be desirable to modify the ssh client to silently discard any banner messages received from the server if in fact the client is executing a noninteractive command on the remote machine. For example, here's an interactive ssh session: catbert$ ssh dilbert *********************************** * This is a restricted host * *********************************** dilbert$ And here's a noninteractive session: catbert$ ssh dilbert /bin/date *********************************** * This is a restricted host * *********************************** Mon Apr 22 16:52:11 AKDT 2002 catbert$ Here's what would be desirable: catbert$ ssh dilbert /bin/date Mon Apr 22 16:52:11 AKDT 2002 catbert$ So, to effect this change, I created the following patchfile. 
Granted, there may be some installation somewhere that absolutely requires login banners for everything, even noninteractive sessions, but I'm convinced that the number of people in the same boat as myself far outnumber these select few, so maybe the suppression of the banners could be the default behavior, and displaying them (for noninteractive sessions) could be a compile-time option. ******************************** --- ssh.c_orig Mon Apr 22 16:18:41 2002 +++ ssh.c Mon Apr 22 16:18:54 2002 @@ -113,6 +113,12 @@ int fork_after_authentication_flag = 0; /* + * Flag to indicate the login banner from the server should not be displayed. + * This is usedful when issuing command on remote hosts noninteractively. + */ +int supress_banner = 0; + +/* * General data structure for command line options and options configurable * in configuration files. See readconf.h. */ @@ -576,6 +582,7 @@ } } else { /* A command has been specified. Store it into the buffer. */ + supress_banner = 1; for (i = 0; i < ac; i++) { if (i) buffer_append(&command, " ", 1); --- sshconnect2.c_orig Mon Apr 22 16:18:50 2002 +++ sshconnect2.c Mon Apr 22 16:18:58 2002 @@ -57,6 +57,7 @@ /* import */ extern char *client_version_string; extern char *server_version_string; +extern int supress_banner; extern Options options; /* @@ -320,7 +321,10 @@ debug3("input_userauth_banner"); msg = packet_get_string(NULL); lang = packet_get_string(NULL); - fprintf(stderr, "%s", msg); + if (supress_banner == 1) + debug3("noninteractive shell; banner supressed."); + else + fprintf(stderr, "%s", msg); xfree(msg); xfree(lang); } **************************** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From l02 at uow.edu.au Tue Apr 23 11:34:36 2002 
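Review bot: in the second ssh.c hunk `supress_banner = 1` is set unconditionally whenever a command is given, so the policy banner disappears for every remote command, including an interactive one such as `ssh -t host /bin/sh`, and the user has no way to get it back. Make it a client option (an ssh_config keyword, or tie it to -q / LogLevel) with the current behaviour as the default; that also answers the compile-time-option question in the report. Spelling in the added comment and identifier: supress -> suppress, usedful -> useful.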
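Review bot: in the sshconnect2.c hunk `if (supress_banner == 1)` should just be `if (supress_banner)`, and the debug3 text "noninteractive shell" is wrong, since the trigger is a remote command, not a shell; "remote command given; banner suppressed" describes it. Since the server sent the banner for a reason, consider logging it at verbose level rather than dropping it entirely, so `ssh -v` still shows what the server said.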
From: l02 at uow.edu.au (Lusiana) Date: Tue, 23 Apr 2002 11:34:36 +1000 Subject: How to use sftp unattended? Message-ID: <200204230134.LAA25649@inti.its.uow.edu.au> Hi All, I realise that similar topics have been discussed before, but I could not quite find a straight answer to it. I'd like to create a java program that reads username and password from a source, then executes and drives sftp using the retrieved username and password. The bit that I'm having a problem with is supplying the password to ssh. Is it by making ssh read the password from stdin? How can this be done? Any assistance will be appreciated. Thanks, Lusiana From anders at fix.no Tue Apr 23 16:49:02 2002 From: anders at fix.no (Anders Nordby) Date: Tue, 23 Apr 2002 08:49:02 +0200 Subject: OpenSSH Security Advisory (adv.token) In-Reply-To: <20020421033931.GZ5594@citi.citi.umich.edu> References: <20020421033931.GZ5594@citi.citi.umich.edu> Message-ID: <20020423064901.GB41462@totem.fix.no> Hi, On Sat, Apr 20, 2002 at 11:39:31PM -0400, Niels Provos wrote: > 2. Impact: > > Remote users may gain privileged access for OpenSSH < 2.9.9 > > Local users may gain privileged access for OpenSSH < 3.3 > > No privileged access is possible for OpenSSH with > UsePrivsep enabled. OpenSSH 3.3? Is that a typo, or is it not ready yet? It's not on ftp.openbsd.org. Cheers, -- Anders. From djm at mindrot.org Tue Apr 23 17:16:29 2002 
From: djm at mindrot.org (Damien Miller) Date: Tue, 23 Apr 2002 17:16:29 +1000 (EST) Subject: OpenSSH Security Advisory (adv.token) In-Reply-To: <20020423064901.GB41462@totem.fix.no> Message-ID: On Tue, 23 Apr 2002, Anders Nordby wrote: > Hi, > > On Sat, Apr 20, 2002 at 11:39:31PM -0400, Niels Provos wrote: > > 2. Impact: > > > > Remote users may gain privileged access for OpenSSH < 2.9.9 > > > > Local users may gain privileged access for OpenSSH < 3.3 > > > > No privileged access is possible for OpenSSH with > > UsePrivsep enabled. > > OpenSSH 3.3? Is that a typo, or is it not ready yet? It's not on > ftp.openbsd.org. It is a little way from ready yet. Please try the CVS snapshots if you are interested :) Remember, unless you have compiled portable OpenSSH with KrbIV support (--with-kerberos4) *and* AFS support (--with-afs) *and* have set "kerberosTGTPassing yes" in sshd_config, then you are not vulnerable. -d From vinschen at redhat.com Tue Apr 23 19:15:06 2002 From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 23 Apr 2002 11:15:06 +0200 Subject: OpenSSH Security Advisory (adv.token) In-Reply-To: References: <20020423064901.GB41462@totem.fix.no> Message-ID: <20020423111506.C29777@cygbert.vinschen.de> On Tue, Apr 23, 2002 at 05:16:29PM +1000, Damien Miller wrote: > On Tue, 23 Apr 2002, Anders Nordby wrote: > > On Sat, Apr 20, 2002 at 11:39:31PM -0400, Niels Provos wrote: > > > Local users may gain privileged access for OpenSSH < 3.3 > > > > OpenSSH 3.3? Is that a typo, or is it not ready yet? It's not on > > ftp.openbsd.org. > > It is a little way from ready yet. Please try the CVS snapshots if you are > interested :) Just curious: What's happened to 3.2? Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From astrand at lysator.liu.se Tue Apr 23 19:57:37 2002 
From: astrand at lysator.liu.se (Peter Astrand) Date: Tue, 23 Apr 2002 11:57:37 +0200 (CEST) Subject: Password from open filedescriptor In-Reply-To: Message-ID: > > > ssh-agent, as far as I know, only handles keys for public key > > > authentication. I need to use the "password" authentication method. > > > ssh-agent does not handle this, right? > > > > No, it doesn't. It'd be nice if it did (protocol changes required?), > > though I wonder what the UI would look like. It can't very well ask > > for a password from the user after it daemonizes itself; is there some > > standard program it can launch to ask for a password? > > It will ask $SSH_ASKPASS for a password if $DISPLAY is set. Have a look > at http://bugzilla.mindrot.org/show_bug.cgi?id=69 for a patch to make it > do more. Nice. I like it. Will this patch be accepted? -- /Peter Åstrand From bugzilla-daemon at mindrot.org Tue Apr 23 20:30:27 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 20:30:27 +1000 (EST) Subject: [Bug 222] configure finds getnameinfo() but not getaddrinfo() Message-ID: <20020423103027.91AB6E8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=222 ------- Additional Comments From djm at mindrot.org 2002-04-23 20:30 ------- Actually, you should wait until the fix is committed before marking a bug RESOLVED. The fix has just been committed anyway :) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 23 21:30:16 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 21:30:16 +1000 (EST) Subject: [Bug 221] updates for OpenSC support Message-ID: <20020423113016.18C99E902@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=221 ------- Additional Comments From aet at cc.hut.fi 2002-04-23 21:30 ------- Created an attachment (id=85) Upgrade sc_pkcs15_decipher call to current API ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From ANTIGEN_ABRA at wrq.com Tue Apr 23 22:07:56 2002 From: ANTIGEN_ABRA at wrq.com (ANTIGEN_ABRA) Date: Tue, 23 Apr 2002 05:07:56 -0700 Subject: Antigen Notification:Antigen found FILE FILTER= *.pif file Message-ID: <616772E97E38D31188FA00508B318ACA03FA470B@abra.wrq.com> Antigen for Exchange found size.pif matching FILE FILTER= *.pif file filter. The file is currently Purged. The message, "(no subject)", was sent from gleydson and was discovered in IMC Queues\Inbound located at WRQ/Seattle/ABRA. From bugzilla-daemon at mindrot.org Tue Apr 23 22:21:59 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 22:21:59 +1000 (EST) Subject: [Bug 220] sshd fails to read other users authorized_keys over nfs as root Message-ID: <20020423122159.3634CE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=220 ------- Additional Comments From aet at cc.hut.fi 2002-04-23 22:21 ------- Yup, realpath() was broken for AIX, probably Solaris as well. HUT/CC is going to install OpenSSH for all OS's with BROKEN_REALPATH defined. I think OpenSSH should reverse the logic for BROKEN_REALPATH, eg. define SAFE_REALPATH only for OS's that have a working realpath(), otherwise use openbsd-compat/realpath.c by default. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 23 22:30:52 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 22:30:52 +1000 (EST) Subject: [Bug 220] sshd fails to read other users authorized_keys over nfs as root Message-ID: <20020423123052.6A8D3E928@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=220 ------- Additional Comments From aet at cc.hut.fi 2002-04-23 22:30 ------- Created an attachment (id=86) One-liner patch for broken AIX realpath(), should apply to any recent version ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 23 22:33:46 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 22:33:46 +1000 (EST) Subject: [Bug 220] sshd fails to read other users authorized_keys over nfs as root Message-ID: <20020423123346.84088E8FF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=220 ------- Additional Comments From aet at cc.hut.fi 2002-04-23 22:33 ------- Created an attachment (id=87) Alternative patch for realpath(); reverse the logic for BROKEN_REALPATH ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 23 22:48:12 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 22:48:12 +1000 (EST) Subject: [Bug 221] updates for OpenSC support Message-ID: <20020423124812.01431E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=221 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2002-04-23 22:48 ------- Changes applied ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 23 22:51:25 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 22:51:25 +1000 (EST) Subject: [Bug 220] sshd fails to read other users authorized_keys over nfs as root Message-ID: <20020423125125.BDE31E8FF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=220 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED ------- Additional Comments From djm at mindrot.org 2002-04-23 22:51 ------- The AIX patch has been applied, but I am reticent to apply the SAFE_REALPATH patch. Is there any runtime test we could do to ascertain whether the libc provided realpath() is broken? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 23 22:54:55 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 22:54:55 +1000 (EST) Subject: [Bug 212] Add netgroup support to ssh-keyscan Message-ID: <20020423125455.38E7EE904@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=212 ------- Additional Comments From djm at mindrot.org 2002-04-23 22:54 ------- A standalone netgroupcat would be very useful for other things too - I recommend that you choose this path. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 23 23:01:19 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 23:01:19 +1000 (EST) Subject: [Bug 213] -SNAP-20020410 fails to compile under AIX 4.3.3 Message-ID: <20020423130119.5EDC0E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=213 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED ------- Additional Comments From djm at mindrot.org 2002-04-23 23:01 ------- Please try tomorrow's snapshot (check that Bug #213 is mentioned in the Changelog). It should fix the problem. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 23 23:08:36 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 23:08:36 +1000 (EST) Subject: [Bug 214] IRIX utmp problem loginrec.c: line_abbrevname() goes wrong Message-ID: <20020423130836.CF56BE916@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=214 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED ------- Additional Comments From djm at mindrot.org 2002-04-23 23:08 ------- Similar patch applied - please test tomorrow's snapshot (make sure the bug is mentioned in the Changelog) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From Stig.Venaas at uninett.no Tue Apr 23 23:13:38 2002 From: Stig.Venaas at uninett.no (Stig Venaas) Date: Tue, 23 Apr 2002 15:13:38 +0200 Subject: problem with X11 forwarding and use_localhost on Linux (solution) Message-ID: <20020423151338.A28061@sverresborg.uninett.no> On Linux (and others that define DONT_TRY_OTHER_AF) x11_create_display_inet() will only use the first entry returned by getaddrinfo(). When binding sockets to "ANY" this is fine on Linux since a PF_INET6 socket bound to ANY will also include IPv4. However when x11_use_localhost (X11UseLocalhost) is set, this is a problem. getaddrinfo() will then return an AF_INET6 entry with IPv6 address ::1 and also an AF_INET entry with IPv4 address 127.0.0.1. Currently one binds only to the first (unless that bind fails), but should bind to both. Even on Linux, a bind to ::1 does not include 127.0.0.1. I think this can be fixed with the following patch: --- channels-orig.c Tue Mar 26 04:26:25 2002 +++ channels.c Tue Apr 23 15:09:28 2002 @@ -2392,7 +2392,8 @@ if (num_socks == NUM_SOCKS) break; #else - break; + if (!x11_use_localhost || num_socks == NUM_SOCKS) + break; #endif } freeaddrinfo(aitop); Stig From mouring at etoh.eviladmin.org Tue Apr 23 23:20:29 2002 
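Review bot: the new condition in the channels.c hunk duplicates the `num_socks == NUM_SOCKS` check already present in the other branch of the `#ifdef`; hoist `if (num_socks == NUM_SOCKS) break;` above the `#ifdef`/`#else` and keep only `if (!x11_use_localhost) break;` under `#else`, which states the intent (on DONT_TRY_OTHER_AF platforms stop after the first family unless both loopbacks must be covered) in one place. Please also confirm what the surrounding loop does when the ::1 bind succeeds and the later 127.0.0.1 bind fails, for instance because the port is taken on IPv4 only: the display should be reachable on both loopbacks or the port retried, not left half-bound.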
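Stig's point above, that a listener on ::1 does not accept connections to 127.0.0.1 even on Linux and that the display therefore needs one socket per loopback family, can be checked outside sshd. The C program below is an added example, not OpenSSH code: bind_localhost_all() is a standalone version of the getaddrinfo() loop that keeps going past the first successful bind, and v6_listener_ignores_v4() sets up a ::1-only listener and shows that an IPv4 connect to the same port is refused. A kernel-chosen port (0) is used for the demonstration, whereas sshd tries fixed display ports; on hosts without IPv6 the probe returns -1 rather than claiming anything.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define NUM_SOCKS 2	/* at most one listener per address family, as in channels.c */

/*
 * Bind a listener to every address getaddrinfo() returns for "localhost"
 * (normally ::1 and 127.0.0.1). Unlike the DONT_TRY_OTHER_AF path in
 * x11_create_display_inet() this keeps going after the first successful
 * bind, so both loopbacks end up covered. Returns the number of sockets
 * bound; the descriptors are left in socks[] for the caller to close.
 */
static int bind_localhost_all(unsigned short port, int socks[NUM_SOCKS])
{
	struct addrinfo hints, *ai, *aitop;
	char strport[8];
	int n = 0, s;

	memset(&hints, 0, sizeof(hints));
	hints.ai_family = AF_UNSPEC;
	hints.ai_socktype = SOCK_STREAM;
	snprintf(strport, sizeof(strport), "%u", (unsigned)port);
	if (getaddrinfo("localhost", strport, &hints, &aitop) != 0)
		return 0;
	for (ai = aitop; ai != NULL && n < NUM_SOCKS; ai = ai->ai_next) {
		if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6)
			continue;
		s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
		if (s < 0)
			continue;	/* e.g. EAFNOSUPPORT when IPv6 is compiled out */
		if (ai->ai_family == AF_INET6) {
			/* keep the v6 socket v6-only so it never shadows the v4 bind */
			int on = 1;
			setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
		}
		if (bind(s, ai->ai_addr, ai->ai_addrlen) < 0 || listen(s, 1) < 0) {
			close(s);
			continue;
		}
		socks[n++] = s;
	}
	freeaddrinfo(aitop);
	return n;
}

/* Bind the loopbacks on an ephemeral port, close them, report how many bound. */
static int demo_bind_count(void)
{
	int socks[NUM_SOCKS], n, i;

	n = bind_localhost_all(0, socks);
	for (i = 0; i < n; i++)
		close(socks[i]);
	return n;
}

/*
 * The point of the patch: a socket listening only on ::1 does not accept
 * connections to 127.0.0.1, even on Linux. Returns 1 when the IPv4 connect
 * is refused as expected, 0 if it unexpectedly succeeds, and -1 when this
 * host cannot set up an IPv6 loopback listener at all (nothing to show).
 */
static int v6_listener_ignores_v4(void)
{
	struct sockaddr_in6 sa6;
	struct sockaddr_in sa4;
	socklen_t slen = sizeof(sa6);
	int l, c, rc;

	if ((l = socket(AF_INET6, SOCK_STREAM, 0)) < 0)
		return -1;
	memset(&sa6, 0, sizeof(sa6));
	sa6.sin6_family = AF_INET6;
	sa6.sin6_addr = in6addr_loopback;	/* ::1, port chosen by the kernel */
	if (bind(l, (struct sockaddr *)&sa6, sizeof(sa6)) < 0 || listen(l, 1) < 0 ||
	    getsockname(l, (struct sockaddr *)&sa6, &slen) < 0) {
		close(l);
		return -1;
	}
	if ((c = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
		close(l);
		return -1;
	}
	memset(&sa4, 0, sizeof(sa4));
	sa4.sin_family = AF_INET;
	sa4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	sa4.sin_port = sa6.sin6_port;		/* same port, the other loopback */
	rc = connect(c, (struct sockaddr *)&sa4, sizeof(sa4));
	close(c);
	close(l);
	return rc < 0 ? 1 : 0;
}

int main(void)
{
	printf("listeners bound for localhost: %d\n", demo_bind_count());
	printf("::1-only listener refuses 127.0.0.1: %d\n", v6_listener_ignores_v4());
	return 0;
}
```

With port 0 each listener gets its own ephemeral port, which is enough to count the families; sshd instead needs the same display port on both loopbacks, so in x11_create_display_inet() a failure on the second family has to send the loop on to the next display number rather than leaving a half-bound display behind.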
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 23 Apr 2002 08:20:29 -0500 (CDT) Subject: OpenSSH Security Advisory (adv.token) In-Reply-To: Message-ID: Note the portable CVS does not have the patch defined in Niels' post. I'm still recollecting myself from my trip last week. - Ben On Tue, 23 Apr 2002, Damien Miller wrote: > > > On Tue, 23 Apr 2002, Anders Nordby wrote: > > > Hi, > > > > On Sat, Apr 20, 2002 at 11:39:31PM -0400, Niels Provos wrote: > > > 2. Impact: > > > > > > Remote users may gain privileged access for OpenSSH < 2.9.9 > > > > > > Local users may gain privileged access for OpenSSH < 3.3 > > > > > > No privileged access is possible for OpenSSH with > > > UsePrivsep enabled. > > > > OpenSSH 3.3? Is that a typo, or is it not ready yet? It's not on > > ftp.openbsd.org. > > It is a little way from ready yet. Please try the CVS snapshots if you are > interested :) > > Remember, unless you have compiled portable OpenSSH with KrbIV support > (--with-kerberos4) *and* AFS support (--with-afs) *and* have set > "kerberosTGTPassing yes" in sshd_config, then you are not vulnerable. > > -d > > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From bugzilla-daemon at mindrot.org Tue Apr 23 23:23:30 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 23:23:30 +1000 (EST) Subject: [Bug 206] -SNAP-20020409: build failures on AIX 3.2.5 with XLC 1.2.1.16 Message-ID: <20020423132330.9B260E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=206 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2002-04-23 23:23 ------- Applied - thanks ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 23 23:24:34 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 23:24:34 +1000 (EST) Subject: [Bug 208] SCO build/runtime fixes Message-ID: <20020423132434.4E3A6E8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=208 ------- Additional Comments From djm at mindrot.org 2002-04-23 23:24 ------- For the truncate() problem, I'd prefer to see a replacement function in openbsd-compat. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From djm at mindrot.org Tue Apr 23 23:26:40 2002 From: djm at mindrot.org (Damien Miller) Date: Tue, 23 Apr 2002 23:26:40 +1000 (EST) Subject: OpenSSH Security Advisory (adv.token) In-Reply-To: Message-ID: On Tue, 23 Apr 2002, Ben Lindstrom wrote: > Note the portable CVS does not have the patch defined in Niels' post. I'm > still recollecting myself from my trip last week. I just committed a more recent fix from Markus. -d From mouring at etoh.eviladmin.org Tue Apr 23 23:23:09 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 23 Apr 2002 08:23:09 -0500 (CDT) Subject: OpenSSH Security Advisory (adv.token) In-Reply-To: <20020423111506.C29777@cygbert.vinschen.de> Message-ID: On Tue, 23 Apr 2002, Corinna Vinschen wrote: > On Tue, Apr 23, 2002 at 05:16:29PM +1000, Damien Miller wrote: > > On Tue, 23 Apr 2002, Anders Nordby wrote: > > > On Sat, Apr 20, 2002 at 11:39:31PM -0400, Niels Provos wrote: > > > > Local users may gain privileged access for OpenSSH < 3.3 > > > > > > OpenSSH 3.3? Is that a typo, or is it not ready yet? It's not on > > > ftp.openbsd.org. > > > > It is a little way from ready yet. Please try the CVS snapshots if you are > > interested :) > > Just curious: What's happened to 3.2? > 3.2 will end up being an OpenBSD release only. - Ben From bugzilla-daemon at mindrot.org Tue Apr 23 23:31:52 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 23:31:52 +1000 (EST) Subject: [Bug 182] ssh should still force SIGCHLD to be SIG_DFL when calling ssh-rand-helper Message-ID: <20020423133152.8533FE904@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=182 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2002-04-23 23:31 ------- Fixed in -current ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 23 23:33:31 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 23:33:31 +1000 (EST) Subject: [Bug 184] 3.1p1 openssh fails to build a working sshd on Trusted HP-UX 10.26 Message-ID: <20020423133331.13F26E8FF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=184 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |patch ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla-daemon at mindrot.org Tue Apr 23 23:33:48 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 23:33:48 +1000 (EST) Subject: [Bug 200] readline support for sftp Message-ID: <20020423133348.7882BE906@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=200 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Keywords| |patch ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is. From bugzilla-daemon at mindrot.org Tue Apr 23 23:29:15 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 23 Apr 2002 23:29:15 +1000 (EST) Subject: [Bug 194] still problems with libutil Message-ID: <20020423132915.02A41E8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=194 ------- Additional Comments From djm at mindrot.org 2002-04-23 23:29 ------- This should be fixed in -current CVS, please test ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Apr 23 23:39:06 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 23 Apr 2002 23:39:06 +1000 (EST)
Subject: [Bug 188] pam_chauthtok() is called too late
Message-ID: <20020423133906.5451FE927@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=188

------- Additional Comments From djm at mindrot.org 2002-04-23 23:38 -------
The PAM privsep changes will have broken this patch - can you remake it against -current?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From djm at mindrot.org Tue Apr 23 23:45:21 2002
From: djm at mindrot.org (Damien Miller)
Date: Tue, 23 Apr 2002 23:45:21 +1000 (EST)
Subject: Please test snapshots
Message-ID:

Tomorrow's snapshot synchronises us with OpenBSD CVS HEAD and includes fixes to several bugs (including the KrbIV/AFS/Tgt issue).

Portable -current also makes PAM work (or seem to) when sshd is configured with UsePrivilegeSeparation=yes. This is still experimental, please let openssh-unix-dev@ know how it goes.

-d

From bugzilla-daemon at mindrot.org Tue Apr 23 23:55:25 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 23 Apr 2002 23:55:25 +1000 (EST)
Subject: [Bug 172] Add multiple AuthorizedKeyFiles options
Message-ID: <20020423135525.353BAE902@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=172

------- Additional Comments From alex.kiernan at thus.net 2002-04-23 23:55 -------
Created an attachment (id=88)
Implement multiple authorized keys against CVS copy from openssh at anoncvs.be.openbsd.org:/cvs as of 2002/4/23

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Mary.Lee at am1.ericsson.se Tue Apr 23 23:57:51 2002
From bugzilla-daemon at mindrot.org Wed Apr 24 04:28:38 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 24 Apr 2002 04:28:38 +1000 (EST)
Subject: [Bug 220] sshd fails to read other users authorized_keys over nfs as root
Message-ID: <20020423182838.0BF84E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=220

------- Additional Comments From aet at cc.hut.fi 2002-04-24 04:28 -------
Hmm, there could be. Anyway, it's more important to have working code than worry about bloating the executable with a custom version of realpath(). At least XEmacs and SSH-3.1.0 directly use their own versions of realpath(), instead of trying to keep up with a list of broken architectures or bloating configure.ac with complex runtime tests etc. So, how about just always using openbsd-compat/realpath.c?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 24 04:34:41 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 24 Apr 2002 04:34:41 +1000 (EST)
Subject: [Bug 220] sshd fails to read other users authorized_keys over nfs as root
Message-ID: <20020423183441.1E5D7E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=220

------- Additional Comments From mouring at eviladmin.org 2002-04-24 04:34 -------
I would prefer a review of our realpath.c if we are going to always use it. As the person who put the code in, I know I made a few minor short cuts to avoid importing a ton of stuff from OpenBSD to get it to work under NeXT.

- Ben

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dcole at keysoftsys.com Wed Apr 24 04:29:44 2002
From: dcole at keysoftsys.com (Darren Cole)
Date: Tue, 23 Apr 2002 11:29:44 -0700
Subject: Trusted HP-UX Patch from Re: PLEASE TEST snapshots
References:
Message-ID: <014a01c1eaf4$f0d14190$9b78a8c0@oedserver>

I checked the patch Tim Rice originally attached. It works fine for me against the current cvs (maybe twenty minutes old or so). I would really like to see trusted hp-ux working out of the box, so if there is anything I can do to help testing please let me know.

Darren

p.s. Message with attachment can be had at . Full "Re: PLEASE TEST snapshots" thread is at for those interested.

----- Original Message -----
From: "Tim Rice"
To: "Kevin Steves"
Cc: "Darren Cole" ;
Sent: Saturday, April 13, 2002 1:08 PM
Subject: Re: PLEASE TEST snapshots

> On Sat, 13 Apr 2002, Kevin Steves wrote:
> > On Sat, 13 Apr 2002, Tim Rice wrote:
[...cut...]
> The patch seems to work fine on the SCO side.
> I've attached a (slightly modified) diff -u version of attachment 67
>
> --
> Tim Rice Multitalents (707) 887-1469
> tim at multitalents.net

From bugzilla-daemon at mindrot.org Wed Apr 24 06:03:13 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 24 Apr 2002 06:03:13 +1000 (EST)
Subject: [Bug 218] make fails on IRIX 5.3
Message-ID: <20020423200313.8F866E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=218

------- Additional Comments From steve at mailaps.org 2002-04-24 06:03 -------
I checked the file modification date on make and believe I must be using the SGI make provided with the MIPSPro C Compiler.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Apr 24 07:48:03 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 24 Apr 2002 07:48:03 +1000 (EST) Subject: [Bug 218] make fails on IRIX 5.3 Message-ID: <20020423214803.6A83BE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=218 steve at mailaps.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From steve at mailaps.org 2002-04-24 07:47 ------- I discovered that root had $SHELL=/bin/tcsh, setting it to /bin/sh fixed the problem. A suggestion would be to add SHELL to the Makefile, as zlib, openssl, and perl5 all built well in spite of this. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From info at ninosdepapel.org Wed Apr 24 08:03:04 2002 
From kevin at atomicgears.com Wed Apr 24 08:03:06 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Tue, 23 Apr 2002 15:03:06 -0700 (PDT)
Subject: Trusted HP-UX Patch from Re: PLEASE TEST snapshots
In-Reply-To: <014a01c1eaf4$f0d14190$9b78a8c0@oedserver>
Message-ID:

On Tue, 23 Apr 2002, Darren Cole wrote:
:I checked the patch Tim Rice originally attached. It works fine for me
:against the current cvs (maybe twenty minutes old or so). I would really
:like to trusted hp-ux working out of the box, so if there is anything I can
:do to help testing please let me know.

i have a problem with the following. why is it needed?

+#ifdef TRUSTED_HPUX
+ /*
+ * Took two lines from a patch at:
+ *
+ * by John C. Bowman
+ * There is some speculation that you could possibly
+ * see data loss from this on usenet. But without
+ * this sshd does not exit on logout.
+ */
+ if (s->ttyfd != -1 && c->istate == CHAN_INPUT_OPEN)
+ chan_read_failed(c);
+#endif

other than that the only other question is why did you add
disable_ptmx_check?

for now i have this, which is everything but the above against
-current (the uselogin fix applied to HP-UX in general and has
already been applied):

Index: acconfig.h
===================================================================
RCS file: /var/cvs/openssh/acconfig.h,v
retrieving revision 1.134
diff -u -r1.134 acconfig.h
--- acconfig.h 23 Apr 2002 20:45:56 -0000 1.134
+++ acconfig.h 23 Apr 2002 21:53:09 -0000
@@ -15,8 +15,8 @@ /* SCO workaround */ #undef BROKEN_SYS_TERMIO_H -/* Define if you have SCO protected password database */ -#undef HAVE_SCO_PROTECTED_PW +/* Define if you have SecureWare-based protected password database */ +#undef HAVE_SECUREWARE /* If your header files don't define LOGIN_PROGRAM, then use this (detected) */ /* from environment and PATH */ Index: auth-passwd.c =================================================================== RCS file: /var/cvs/openssh/auth-passwd.c,v retrieving revision 1.40 diff -u -r1.40 auth-passwd.c --- auth-passwd.c 4 Apr 2002 19:02:28 -0000 1.40 +++ auth-passwd.c 23 Apr 2002 21:53:11 -0000 @@ -55,11 +55,11 @@ # include # include # endif -# ifdef HAVE_SCO_PROTECTED_PW +# ifdef HAVE_SECUREWARE # include # include # include -# endif /* HAVE_SCO_PROTECTED_PW */ +# endif /* HAVE_SECUREWARE */ # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) # include # endif @@ -102,12 +102,9 @@ char *encrypted_password; char *pw_password; char *salt; -#ifdef __hpux +#if defined(__hpux) || defined(HAVE_SECUREWARE) struct pr_passwd *spw; -#endif -#ifdef HAVE_SCO_PROTECTED_PW - struct pr_passwd *spw; -#endif /* HAVE_SCO_PROTECTED_PW */ +#endif /* __hpux || HAVE_SECUREWARE */ #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) struct spwd *spw; #endif 
@@ -183,21 +180,20 @@ pw_password = spw->sp_pwdp; #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ -#ifdef HAVE_SCO_PROTECTED_PW - spw = getprpwnam(pw->pw_name); - if (spw != NULL) - pw_password = spw->ufld.fd_encrypt; -#endif /* HAVE_SCO_PROTECTED_PW */ - #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) pw_password = spw->pwa_passwd; #endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */ -#if defined(__hpux) +#ifdef HAVE_SECUREWARE + if ((spw = getprpwnam(pw->pw_name)) != NULL) + pw_password = spw->ufld.fd_encrypt; +#endif /* HAVE_SECUREWARE */ + +#if defined(__hpux) && !defined(HAVE_SECUREWARE) if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL) pw_password = spw->ufld.fd_encrypt; -#endif /* defined(__hpux) */ +#endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */ /* Check for users with no password. */ if ((password[0] == '\0') && (pw_password[0] == '\0')) @@ -214,18 +210,18 @@ else encrypted_password = crypt(password, salt); #else /* HAVE_MD5_PASSWORDS */ -# ifdef __hpux +# if defined(__hpux) && !defined(HAVE_SECUREWARE) if (iscomsec()) encrypted_password = bigcrypt(password, salt); else encrypted_password = crypt(password, salt); # else -# ifdef HAVE_SCO_PROTECTED_PW +# ifdef HAVE_SECUREWARE encrypted_password = bigcrypt(password, salt); # else encrypted_password = crypt(password, salt); -# endif /* HAVE_SCO_PROTECTED_PW */ -# endif /* __hpux */ +# endif /* HAVE_SECUREWARE */ +# endif /* __hpux && !defined(HAVE_SECUREWARE) */ #endif /* HAVE_MD5_PASSWORDS */ /* Authentication is accepted if the encrypted passwords are identical. */ Index: configure.ac =================================================================== RCS file: /var/cvs/openssh/configure.ac,v retrieving revision 1.52 diff -u -r1.52 configure.ac --- configure.ac 23 Apr 2002 20:45:56 -0000 1.52 +++ configure.ac 23 Apr 2002 21:53:25 -0000 
@@ -91,6 +91,22 @@ *-*-darwin*) AC_DEFINE(BROKEN_GETADDRINFO) ;; +*-*-hpux10.26) + if test -z "$GCC"; then + CFLAGS="$CFLAGS -Ae" + fi + CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1" + IPADDR_IN_DISPLAY=yes + AC_DEFINE(HAVE_SECUREWARE) + AC_DEFINE(USE_PIPES) + AC_DEFINE(LOGIN_NO_ENDOPT) + AC_DEFINE(LOGIN_NEEDS_UTMPX) + AC_DEFINE(DISABLE_SHADOW) + AC_DEFINE(DISABLE_UTMP) + AC_DEFINE(SPT_TYPE,SPT_PSTAT) + LIBS="$LIBS -lxnet -lsec -lsecpw" + disable_ptmx_check=yes + ;; *-*-hpux10*) if test -z "$GCC"; then CFLAGS="$CFLAGS -Ae" @@ -235,7 +251,7 @@ no_dev_ptmx=1 AC_DEFINE(BROKEN_SYS_TERMIO_H) AC_DEFINE(USE_PIPES) - AC_DEFINE(HAVE_SCO_PROTECTED_PW) + AC_DEFINE(HAVE_SECUREWARE) AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(BROKEN_SAVED_UIDS) AC_CHECK_FUNCS(getluid setluid) @@ -249,7 +265,7 @@ no_dev_ptmx=1 rsh_path="/usr/bin/rcmd" AC_DEFINE(USE_PIPES) - AC_DEFINE(HAVE_SCO_PROTECTED_PW) + AC_DEFINE(HAVE_SECUREWARE) AC_DEFINE(DISABLE_SHADOW) AC_CHECK_FUNCS(getluid setluid) MANTYPE=man @@ -1926,12 +1942,14 @@ fi if test -z "$no_dev_ptmx" ; then - AC_CHECK_FILE("/dev/ptmx", - [ - AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX) - have_dev_ptmx=1 - ] - ) + if test "x$disable_ptmx_check" != "xyes" ; then + AC_CHECK_FILE("/dev/ptmx", + [ + AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX) + have_dev_ptmx=1 + ] + ) + fi fi AC_CHECK_FILE("/dev/ptc", [ Index: sshd.c =================================================================== RCS file: /var/cvs/openssh/sshd.c,v retrieving revision 1.200 diff -u -r1.200 sshd.c --- sshd.c 2 Apr 2002 20:48:20 -0000 1.200 +++ sshd.c 23 Apr 2002 21:53:35 -0000 @@ -48,6 +48,10 @@ #include #include #include +#ifdef HAVE_SECUREWARE +#include +#include +#endif #include "ssh.h" #include "ssh1.h" @@ -785,6 +789,9 @@ Key *key; int ret, key_used = 0; +#ifdef HAVE_SECUREWARE + (void)set_auth_parameters(ac, av); +#endif __progname = get_progname(av[0]); init_rng(); 
@@ -996,10 +1003,6 @@ /* Configuration looks good, so exit if in test mode. */ if (test_flag) exit(0); - -#ifdef HAVE_SCO_PROTECTED_PW - (void) set_auth_parameters(ac, av); -#endif /* Initialize the log (it is reinitialized below in case we forked). */ if (debug_flag && !inetd_flag) From dcole at keysoftsys.com Wed Apr 24 08:27:17 2002 From: dcole at keysoftsys.com (Darren Cole) Date: Tue, 23 Apr 2002 15:27:17 -0700 Subject: Trusted HP-UX Patch from Re: PLEASE TEST snapshots References: Message-ID: <018901c1eb16$1926ddf0$9b78a8c0@oedserver> ----- Original Message ----- 
From: "Kevin Steves"
To: "Darren Cole"
Cc:
Sent: Tuesday, April 23, 2002 3:03 PM
Subject: Re: Trusted HP-UX Patch from Re: PLEASE TEST snapshots

> On Tue, 23 Apr 2002, Darren Cole wrote:
> :I checked the patch Tim Rice originally attached. It works fine for me
> :against the current cvs (maybe twenty minutes old or so). I would really
> :like to trusted hp-ux working out of the box, so if there is anything I can
> :do to help testing please let me know.
>
> i have a problem with the following. why is it needed?
>
> +#ifdef TRUSTED_HPUX
> + /*
> + * Took two lines from a patch at:
> + *
> + * by John C. Bowman
> + * There is some speculation that you could possibly
> + * see data loss from this on usenet. But without
> + * this sshd does not exit on logout.
> + */
> + if (s->ttyfd != -1 && c->istate == CHAN_INPUT_OPEN)
> + chan_read_failed(c);
> +#endif

The problem is that you always hang on logout if I don't have this code. If someone has a better fix I would love to have it; I haven't found one yet. If I log in and immediately type exit without any other commands, ssh hangs. This is really annoying, and since most haven't liked this change I put it only under TRUSTED_HPUX.

> other than that the only other question is why did you add
> disable_ptmx_check?

Login won't work correctly if ptmx is used. From what I have found it appears to be one of the little weird things in trusted hpux.

> for now i have this, which is everything but the above against
> -current (the uselogin fix applied to HP-UX in general and has
> already been applied):

Thanks a lot. If there is any way to make the above better, or more acceptable for inclusion, let me know.

Darren Cole
dcole at keysoftsys.com

> Index: acconfig.h
> ===================================================================
> RCS file: /var/cvs/openssh/acconfig.h,v
> retrieving revision 1.134
> diff -u -r1.134 acconfig.h
> --- acconfig.h 23 Apr 2002 20:45:56 -0000 1.134
> +++ acconfig.h 23 Apr 2002 21:53:09 -0000
> @@ -15,8 +15,8 @@ > /* SCO workaround */ > #undef BROKEN_SYS_TERMIO_H > > -/* Define if you have SCO protected password database */ > -#undef HAVE_SCO_PROTECTED_PW > +/* Define if you have SecureWare-based protected password database */ > +#undef HAVE_SECUREWARE > > /* If your header files don't define LOGIN_PROGRAM, then use this (detected) */ > /* from environment and PATH */ > Index: auth-passwd.c > =================================================================== > RCS file: /var/cvs/openssh/auth-passwd.c,v > retrieving revision 1.40 > diff -u -r1.40 auth-passwd.c > --- auth-passwd.c 4 Apr 2002 19:02:28 -0000 1.40 > +++ auth-passwd.c 23 Apr 2002 21:53:11 -0000 > @@ -55,11 +55,11 @@ > # include > # include > # endif > -# ifdef HAVE_SCO_PROTECTED_PW > +# ifdef HAVE_SECUREWARE > # include > # include > # include > -# endif /* HAVE_SCO_PROTECTED_PW */ > +# endif /* HAVE_SECUREWARE */ > # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) > # include > # endif > @@ -102,12 +102,9 @@ > char *encrypted_password; > char *pw_password; > char *salt; > -#ifdef __hpux > +#if defined(__hpux) || defined(HAVE_SECUREWARE) > struct pr_passwd *spw; > -#endif > -#ifdef HAVE_SCO_PROTECTED_PW > - struct pr_passwd *spw; > -#endif /* HAVE_SCO_PROTECTED_PW */ > +#endif /* __hpux || HAVE_SECUREWARE */ > #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) > struct spwd *spw; > #endif 
> @@ -183,21 +180,20 @@ > pw_password = spw->sp_pwdp; > #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ > > -#ifdef HAVE_SCO_PROTECTED_PW > - spw = getprpwnam(pw->pw_name); > - if (spw != NULL) > - pw_password = spw->ufld.fd_encrypt; > -#endif /* HAVE_SCO_PROTECTED_PW */ > - > #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) > if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) > pw_password = spw->pwa_passwd; > #endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */ > > -#if defined(__hpux) > +#ifdef HAVE_SECUREWARE > + if ((spw = getprpwnam(pw->pw_name)) != NULL) > + pw_password = spw->ufld.fd_encrypt; > +#endif /* HAVE_SECUREWARE */ > + > +#if defined(__hpux) && !defined(HAVE_SECUREWARE) > if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL) > pw_password = spw->ufld.fd_encrypt; > -#endif /* defined(__hpux) */ > +#endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */ > > /* Check for users with no password. */ > if ((password[0] == '\0') && (pw_password[0] == '\0')) 
> @@ -214,18 +210,18 @@ > else > encrypted_password = crypt(password, salt); > #else /* HAVE_MD5_PASSWORDS */ > -# ifdef __hpux > +# if defined(__hpux) && !defined(HAVE_SECUREWARE) > if (iscomsec()) > encrypted_password = bigcrypt(password, salt); > else > encrypted_password = crypt(password, salt); > # else > -# ifdef HAVE_SCO_PROTECTED_PW > +# ifdef HAVE_SECUREWARE > encrypted_password = bigcrypt(password, salt); > # else > encrypted_password = crypt(password, salt); > -# endif /* HAVE_SCO_PROTECTED_PW */ > -# endif /* __hpux */ > +# endif /* HAVE_SECUREWARE */ > +# endif /* __hpux && !defined(HAVE_SECUREWARE) */ > #endif /* HAVE_MD5_PASSWORDS */ > > /* Authentication is accepted if the encrypted passwords are identical. */ > Index: configure.ac > =================================================================== > RCS file: /var/cvs/openssh/configure.ac,v > retrieving revision 1.52 > diff -u -r1.52 configure.ac > --- configure.ac 23 Apr 2002 20:45:56 -0000 1.52 > +++ configure.ac 23 Apr 2002 21:53:25 -0000 > @@ -91,6 +91,22 @@ > *-*-darwin*) > AC_DEFINE(BROKEN_GETADDRINFO) > ;; > +*-*-hpux10.26) > + if test -z "$GCC"; then > + CFLAGS="$CFLAGS -Ae" > + fi > + CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED= 1" > + IPADDR_IN_DISPLAY=yes > + AC_DEFINE(HAVE_SECUREWARE) > + AC_DEFINE(USE_PIPES) > + AC_DEFINE(LOGIN_NO_ENDOPT) > + AC_DEFINE(LOGIN_NEEDS_UTMPX) > + AC_DEFINE(DISABLE_SHADOW) > + AC_DEFINE(DISABLE_UTMP) > + AC_DEFINE(SPT_TYPE,SPT_PSTAT) > + LIBS="$LIBS -lxnet -lsec -lsecpw" > + disable_ptmx_check=yes > + ;; > *-*-hpux10*) > if test -z "$GCC"; then > CFLAGS="$CFLAGS -Ae" > @@ -235,7 +251,7 @@ > no_dev_ptmx=1 > AC_DEFINE(BROKEN_SYS_TERMIO_H) > AC_DEFINE(USE_PIPES) > - AC_DEFINE(HAVE_SCO_PROTECTED_PW) > + AC_DEFINE(HAVE_SECUREWARE) > AC_DEFINE(DISABLE_SHADOW) > AC_DEFINE(BROKEN_SAVED_UIDS) > AC_CHECK_FUNCS(getluid setluid) 
> @@ -249,7 +265,7 @@ > no_dev_ptmx=1 > rsh_path="/usr/bin/rcmd" > AC_DEFINE(USE_PIPES) > - AC_DEFINE(HAVE_SCO_PROTECTED_PW) > + AC_DEFINE(HAVE_SECUREWARE) > AC_DEFINE(DISABLE_SHADOW) > AC_CHECK_FUNCS(getluid setluid) > MANTYPE=man > @@ -1926,12 +1942,14 @@ > fi > > if test -z "$no_dev_ptmx" ; then > - AC_CHECK_FILE("/dev/ptmx", > - [ > - AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX) > - have_dev_ptmx=1 > - ] > - ) > + if test "x$disable_ptmx_check" != "xyes" ; then > + AC_CHECK_FILE("/dev/ptmx", > + [ > + AC_DEFINE_UNQUOTED(HAVE_DEV_PTMX) > + have_dev_ptmx=1 > + ] > + ) > + fi > fi > AC_CHECK_FILE("/dev/ptc", > [ > Index: sshd.c > =================================================================== > RCS file: /var/cvs/openssh/sshd.c,v > retrieving revision 1.200 > diff -u -r1.200 sshd.c > --- sshd.c 2 Apr 2002 20:48:20 -0000 1.200 > +++ sshd.c 23 Apr 2002 21:53:35 -0000 > @@ -48,6 +48,10 @@ > #include > #include > #include > +#ifdef HAVE_SECUREWARE > +#include > +#include > +#endif > > #include "ssh.h" > #include "ssh1.h" > @@ -785,6 +789,9 @@ > Key *key; > int ret, key_used = 0; > > +#ifdef HAVE_SECUREWARE > + (void)set_auth_parameters(ac, av); > +#endif > __progname = get_progname(av[0]); > init_rng(); > > @@ -996,10 +1003,6 @@ > /* Configuration looks good, so exit if in test mode. */ > if (test_flag) > exit(0); > - > -#ifdef HAVE_SCO_PROTECTED_PW > - (void) set_auth_parameters(ac, av); > -#endif > > /* Initialize the log (it is reinitialized below in case we forked). */ > if (debug_flag && !inetd_flag) > > From djm at mindrot.org Wed Apr 24 09:03:15 2002 
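Review bot: in the auth-passwd.c @@ -183 hunk the new HAVE_SECUREWARE block leaves pw_password as whatever pw->pw_passwd held when getprpwnam() returns NULL, so a build in which sshd cannot read the protected password database surfaces only as a password mismatch with nothing in the log. Log the failure on that branch, e.g. `if ((spw = getprpwnam(pw->pw_name)) == NULL) debug("getprpwnam failed for %s", pw->pw_name);` before falling through, so a misconfigured trusted-mode install is diagnosable from sshd -d output rather than from the client's "Permission denied".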
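Review bot: the auth-passwd.c @@ -214 hunk makes HAVE_SECUREWARE builds call bigcrypt() unconditionally, while the `defined(__hpux) && !defined(HAVE_SECUREWARE)` branch right above it still tests iscomsec() at runtime and falls back to crypt() on a host that is not converted to trusted mode; the same asymmetry exists in the @@ -183 hunk, where the HAVE_SECUREWARE lookup has no iscomsec() guard. Either keep the `if (iscomsec())` fallback under HAVE_SECUREWARE as well, or state in the acconfig.h comment that HAVE_SECUREWARE means the protected password database is always active on the target, so nobody later enables it for a hpux10.26 box running in standard mode.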
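Review bot: the hpux10.26 case in the configure.ac @@ -91 hunk introduces a second switch, disable_ptmx_check, but the @@ -1926 hunk it drives only nests another test inside the existing `if test -z "$no_dev_ptmx"`, and the SCO cases in the @@ -235 and @@ -249 hunks already skip the /dev/ptmx probe by setting `no_dev_ptmx=1`. Unless no_dev_ptmx has effects outside this diff, set `no_dev_ptmx=1` in the hpux10.26 case and drop the @@ -1926 hunk; either way, put a one-line comment in the case saying why the probe is skipped (login does not work with ptmx on Trusted HP-UX, per this thread), because that reason is otherwise recorded only in the mailing list.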
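Review bot: the sshd.c @@ -785 and @@ -996 hunks do more than rename the guard: set_auth_parameters(ac, av) moves from after the test-mode `exit(0)` to the first statement of main(), ahead of get_progname() and init_rng(), and nothing in the patch or the covering mail says why. If, as the move suggests, the SecureWare call has to precede any other library call, add a comment at the new call site saying so; if it does not, leave the call where it was so the sshd.c change stays a pure rename and `sshd -t` behaviour is unchanged.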
From: djm at mindrot.org (Damien Miller) Date: Wed, 24 Apr 2002 09:03:15 +1000 (EST) Subject: Trusted HP-UX Patch from Re: PLEASE TEST snapshots In-Reply-To: Message-ID: On Tue, 23 Apr 2002, Kevin Steves wrote: > On Tue, 23 Apr 2002, Darren Cole wrote: > :I checked the patch Tim Rice originally attached. It works fine for me > :against the current cvs (maybe twenty minutes old or so). I would really > :like to trusted hp-ux working out of the box, so if there is anything I can > :do to help testing please let me know. > > i have a problem with the following. why is it needed? > > +#ifdef TRUSTED_HPUX > + /* > + * Took two lines from a patch at: > + * > + * by John C. Bowman > + * There is some speculation that you could possibly > + * see data loss from this on usenet. But without > + * this sshd does not exit on logout. > + */ > + if (s->ttyfd != -1 && c->istate == CHAN_INPUT_OPEN) > + chan_read_failed(c); > +#endif That is the broken "hang on exit" "fix" which has been explicitly rejected a number of times in the past. -d From tim at multitalents.net Wed Apr 24 10:39:48 2002 From: tim at multitalents.net (Tim Rice) Date: Tue, 23 Apr 2002 17:39:48 -0700 (PDT) Subject: Trusted HP-UX Patch from Re: PLEASE TEST snapshots In-Reply-To: Message-ID: On Tue, 23 Apr 2002, Kevin Steves wrote: [snip] > for now i have this, which is everything but the above against > -current (the uselogin fix applied to HP-UX in general and has > already been applied): [patch snipped] I had to manually apply 1 hunk to configure.ac (white space problem) but other than that, it still seems to work fine on the SCO side. -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From bugzilla-daemon at mindrot.org Wed Apr 24 16:40:57 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 24 Apr 2002 16:40:57 +1000 (EST) Subject: [Bug 226] New: open ssh appears to stop password change prompts from Solaris Message-ID: <20020424064057.D70AFE8FF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=226 Summary: open ssh appears to stop password change prompts from Solaris Product: Portable OpenSSH Version: 3.1p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: dirk.bockmann at customs.gov.au We are in the process of rolling out version 3.1 of openssh across 30 Solaris servers running 2.5.1. to 2.8 on a variety of hardware from Ultra 10's to E4500's. All is going well thank you except: Our password policy requires that users change em within 30 days and we lock em out if they do not access the server for 90 days. Our problem is that when we get to the password change warning stage they are locked out if using openssh. I presume because the solaris response is to send the Please change your password message rather than grant access. This causes ssh on the client machine to respond with "Permission denied please try again" and a further password prompt. We get a similar result if we use tera term. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From jancs at dsv.su.se Wed Apr 24 19:29:50 2002 
From: jancs at dsv.su.se (Christer Jansson)
Date: Wed, 24 Apr 2002 11:29:50 +0200 (MET DST)
Subject: OpenSSH and support for KTH-Krb4
Message-ID:

Hello,

I have tried to compile openssh-3.1p1 and then two later snapshots. It seems that I can not have support for KTH-Krb4, according to this error list from make:

gcc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -L. -Lopenbsd-compat/ -R/usr/local/ssl/lib -L/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib -L/usr/athena/lib -R/usr/athena/lib -lssh -lopenbsd-compat -lresolv -ldes -lkrb -lz -lsocket -lnsl -lcrypto -ldes
ld: fatal: symbol `des_key_sched' is multiply-defined: (file /usr/athena/lib/libdes.a(set_key.o) and file /usr/local/ssl/lib/libcrypto.a(set_key.o));
ld: fatal: symbol `des_is_weak_key' is multiply-defined: (file /usr/athena/lib/libdes.a(set_key.o) and file /usr/local/ssl/lib/libcrypto.a(set_key.o));
ld: fatal: symbol `des_set_key' is multiply-defined: (file /usr/athena/lib/libdes.a(set_key.o) and file /usr/local/ssl/lib/libcrypto.a(set_key.o));
ld: fatal: symbol `des_set_odd_parity' is multiply-defined: (file /usr/athena/lib/libdes.a(set_key.o) and file /usr/local/ssl/lib/libcrypto.a(set_key.o));
ld: fatal: symbol `des_check_key' is multiply-defined: (file /usr/athena/lib/libdes.a(set_key.o) and file /usr/local/ssl/lib/libcrypto.a(set_key.o));
ld: fatal: File processing errors. No output written to ssh
collect2: ld returned 1 exit status

This is a conflict then, between /usr/local/ssl/lib/ and /usr/athena/lib.

My system is Solaris 7 sun4u sparc SUNW,Ultra-5_10 and my configure params were:

./configure --prefix=/usr --with-kerberos4=/usr/athena --without-pam --with-tcp-wrappers --sysconfdir=/etc

Now, how can I solve this? Is there any workaround known in the community of OpenSSH? Any advice is welcome of course.

Best Regards....
//Christer J

From hin at stacken.kth.se Wed Apr 24 19:43:16 2002
From: hin at stacken.kth.se (Hans Insulander) Date: 24 Apr 2002 11:43:16 +0200 Subject: OpenSSH and support for KTH-Krb4 In-Reply-To: Christer Jansson's message of "Wed, 24 Apr 2002 11:29:50 +0200 (MET DST)" References: Message-ID: <86n0vtv3d7.fsf@hink.hin.nu> Christer Jansson writes: > Hello, > > I have tried to compile openssh-3.1p1 and then two > later snapshots. It seems that I can not have support > for KTH-Krb4, according to this errorlist from make: [snip] > No, how can I solve this? Is there any workaround known i the > community of OpenSHH? Any advice is welcome off course. You need to recompile KTH-KRB4 with openssl-support. Use the --with-openssl flag to configure. -- --- Hans Insulander , SM0UTY ----------------------- Of all the things I've lost, I miss my mind the most. From jan.iven at cern.ch Wed Apr 24 20:01:11 2002 From: jan.iven at cern.ch (Jan IVEN) Date: 24 Apr 2002 12:01:11 +0200 Subject: OpenSSH and support for KTH-Krb4 In-Reply-To: References: Message-ID: An embedded and charset-unspecified text was scrubbed... Name: CMD Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020424/4436d41a/attachment.ksh From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Apr 24 20:14:51 2002 
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Wed, 24 Apr 2002 12:14:51 +0200
Subject: OpenSSH and support for KTH-Krb4
In-Reply-To:
References:
Message-ID: <20020424101451.GA20404@serv01.aet.tu-cottbus.de>

On Wed, Apr 24, 2002 at 12:01:11PM +0200, Jan IVEN wrote:
> >>>>> "CJ" == Christer Jansson writes:
> CJ> I have tried to compile openssh-3.1p1 and then two
> CJ> later snapshots. It seems that I can not have support
> CJ> for KTH-Krb4, according to this error list from make:
> ..
> CJ> This is a conflict then, between /usr/local/ssl/lib/ and
> CJ> /usr/athena/lib.
>
> CJ> My system is Solaris 7 sun4u sparc SUNW,Ultra-5_10 and
> CJ> my configure params were:
>
> CJ> ./configure --prefix=/usr --with-kerberos4=/usr/athena --without-pam
> CJ> --with-tcp-wrappers --sysconfdir=/etc
>
> CJ> Now, how can I solve this? Is there any workaround known in the
> CJ> community of OpenSSH? Any advice is welcome of course.
>
> I am getting around this by explicitly modifying generated files :-(
> Any advice on how to do this The Right Way (tm) is welcome. See
> the attached script I use for compilation...

Beyond the advice of rebuilding KRB with OpenSSL support: OpenSSL's namespace has been modified for the upcoming 0.9.7 release in order to resolve this conflict.

Best regards,
Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus

From cleber.junior at atl.com.br Wed Apr 24 23:13:54 2002
From: cleber.junior at atl.com.br (Jorge Cleber Teixeira de Almeida Junior)
Date: Wed, 24 Apr 2002 10:13:54 -0300
Subject: Password in SSH scripts
Message-ID:

Hi,

Suppose my backup server has to copy every day at the end of the night, all files from the Web Server. So every day I will have a script that copies files using SCP. I USE HP-UX. But this script must work without anyone entering passwords. I know that SCP will need passwords. How can I make a script with this feature? Using keygen?

If possible, describe in detail how I can make some script, for example:

- cd /tmp
- lcd /tmp
- scp list.cfg root at mactest
- echo OK

I have the same problem for SFTP.

Can anyone help me?

Att,
Jorge Cleber JUNIOR
cleber.junior at atl.com.br
ATL - Algar Telecom Leste
IT - System Security Office (SSO)
Tel: (21) 2528-9303

====================================================================
The content of this message and all its attachments is for restricted, confidential use and is legally protected; it is addressed only to the recipient(s) and must not be disclosed without prior authorization. If you are not the recipient of this message, or the person responsible for delivering it, you are not authorized to reveal, copy, distribute or retain this message or any part of it. Improper use will be dealt with according to the rules of ATL - Algar Telecom Leste Ltda. Opinions, conclusions or other information in this message that do not relate to ATL's line of business should be understood as neither provided by nor the responsibility of this company.
====================================================================

From markus at openbsd.org Wed Apr 24 23:27:41 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 24 Apr 2002 15:27:41 +0200
Subject: Password in SSH scripts
In-Reply-To:
References:
Message-ID: <20020424132741.GA20811@faui02>

http://www.snailbook.com/faq/no-passphrase.auto.html

From jancs at dsv.su.se Wed Apr 24 17:18:45 2002
From: jancs at dsv.su.se (Christer Jansson)
Date: Wed, 24 Apr 2002 09:18:45 +0200 (MET DST)
Subject: OpenSSH and support for KTH-Krb4
Message-ID:

Hello,

I have tried to compile openssh-3.1p1 and then two later snapshots. It seems that I can not have support for KTH-Krb4, according to this error list from make:

gcc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -L. -Lopenbsd-compat/ -R/usr/local/ssl/lib -L/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib -L/usr/athena/lib -R/usr/athena/lib -lssh -lopenbsd-compat -lresolv -ldes -lkrb -lz -lsocket -lnsl -lcrypto -ldes
ld: fatal: symbol `des_key_sched' is multiply-defined:
        (file /usr/athena/lib/libdes.a(set_key.o) and file /usr/local/ssl/lib/libcrypto.a(set_key.o));
ld: fatal: symbol `des_is_weak_key' is multiply-defined:
        (file /usr/athena/lib/libdes.a(set_key.o) and file /usr/local/ssl/lib/libcrypto.a(set_key.o));
ld: fatal: symbol `des_set_key' is multiply-defined:
        (file /usr/athena/lib/libdes.a(set_key.o) and file /usr/local/ssl/lib/libcrypto.a(set_key.o));
ld: fatal: symbol `des_set_odd_parity' is multiply-defined:
        (file /usr/athena/lib/libdes.a(set_key.o) and file /usr/local/ssl/lib/libcrypto.a(set_key.o));
ld: fatal: symbol `des_check_key' is multiply-defined:
        (file /usr/athena/lib/libdes.a(set_key.o) and file /usr/local/ssl/lib/libcrypto.a(set_key.o));
ld: fatal: File processing errors. No output written to ssh
collect2: ld returned 1 exit status

A conflict between /usr/athena/lib/libdes.a(set_key.o) and /usr/local/ssl/lib/libcrypto.a(set_key.o).

My system is Solaris 7 sun4u sparc SUNW,Ultra-5_10 and my configure params were:

./configure --prefix=/usr --with-kerberos4=/usr/athena --without-pam --with-tcp-wrappers --sysconfdir=/etc

Now, how can I solve this? Is there any workaround known in the community of OpenSSH? Any advice is welcome of course.

Best Regards....
//Christer J

From cleber.junior at atl.com.br Thu Apr 25 00:15:25 2002
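The linker errors in Christer's posts name the symbols that both libdes.a and libcrypto.a define, but only after the whole link has failed. The script below is an added check, not from this thread, OpenSSH or KTH-Krb4, that lists the overlap between two static archives up front: it takes `nm -g` output (GNU nm format assumed, "address type name"), keeps only defined global symbols, and intersects the two lists with `comm`. The sample nm captures are constructed to mirror the des_* collision in the errors; the only real paths are the two archives the post names.

```shell
#!/bin/sh
# Added example: report global symbols defined in two static archives.
# Assumes GNU nm output ("<addr> <type> <name>"; undefined symbols carry no
# address and are skipped). Defined global types: T text, D data,
# R read-only data, B bss, W/V weak.

# Read "nm -g" output on stdin; print the defined global symbol names, sorted.
defined_globals() {
    awk 'NF == 3 && $2 ~ /^[TDRBWV]$/ { print $3 }' | LC_ALL=C sort -u
}

# duplicate_defs NM_CAPTURE_A NM_CAPTURE_B
# Print names defined in both captures; return 1 if any, 0 if none.
duplicate_defs() {
    a=$(mktemp) && b=$(mktemp) || return 2
    defined_globals < "$1" > "$a"
    defined_globals < "$2" > "$b"
    dups=$(LC_ALL=C comm -12 "$a" "$b")
    rm -f "$a" "$b"
    [ -n "$dups" ] || return 0
    printf '%s\n' "$dups"
    return 1
}

# check_archives LIB_A LIB_B: run nm on two real archives and compare them,
# e.g. check_archives /usr/athena/lib/libdes.a /usr/local/ssl/lib/libcrypto.a
check_archives() {
    na=$(mktemp) && nb=$(mktemp) || return 2
    if ! nm -g "$1" > "$na" || ! nm -g "$2" > "$nb"; then
        rm -f "$na" "$nb"
        return 2
    fi
    duplicate_defs "$na" "$nb"; rc=$?
    rm -f "$na" "$nb"
    return $rc
}

# Constructed sample captures (not real nm output) mirroring the des_*
# collision in the thread; set_key.o is the member the errors name.
SAMPLE_LIBDES_NM='
set_key.o:
00000000 T des_key_sched
00000120 T des_set_key
00000200 T des_is_weak_key
         U memcpy
'
SAMPLE_LIBCRYPTO_NM='
set_key.o:
00000000 T des_key_sched
00000040 T des_set_key
00000300 T RSA_verify
         U memcpy
'
```

A non-empty result from `check_archives` means the link will hit the same "multiply-defined" errors shown above; the fix the thread gives (rebuild KTH-KRB4 with --with-openssl so it uses libcrypto's DES instead of its own libdes) should make the list empty.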
From: cleber.junior at atl.com.br (Jorge Cleber Teixeira de Almeida Junior)
Date: Wed, 24 Apr 2002 11:15:25 -0300
Subject: OpenSSH server on NT - reboot ?
Message-ID:

Hi,

When I install an OpenSSH server on a NT machine, do I need to reboot it?

regards,
Jorge Cleber JUNIOR
cleber.junior at atl.com.br
ATL - Algar Telecom Leste
IT - System Security Office (SSO)
Tel: (21) 2528-9303

From d_wllms at lanl.gov Thu Apr 25 01:58:32 2002
From: d_wllms at lanl.gov (David Williams User Acct)
Date: Wed, 24 Apr 2002 09:58:32 -0600
Subject: Password in SSH scripts
References:
Message-ID: <3CC6D628.B198BCB1@lanl.gov>

I do something very similar with rsync using ssh as an rsh replacement. Using rsync you don't have to script a session and you also get some additional atime/mtime and delete features.

--
David M. Williams                        Phone: 505-665-5021
Systems Engineer, CCN-2                  Fax:   505-667-7428
Los Alamos National Laboratory           Email: d_wllms at lanl.gov

From rene.klootwijk at nl.abnamro.com Thu Apr 25 01:56:51 2002
From: rene.klootwijk at nl.abnamro.com (rene.klootwijk at nl.abnamro.com)
Date: Wed, 24 Apr 2002 17:56:51 +0200
Subject: hostbased authentication and the root account
Message-ID:

We have a problem using hostbased authentication in combination with the root account. We use hostbased authentication to hop from a 'management server' where we use strong authentication to several systems in a cluster. The management server is defined in shosts.equiv and the public key of this server is defined in ssh_known_hosts. This setup works for all users except for the root user (which is needed for maintenance scripts to work). We've got it working for the root account by specifying the management server in the /root/.shosts file and setting the IgnoreRhosts option to no. This is not what we want; we want to ignore user-specific .shosts files, so setting the IgnoreRhosts option to yes.

In the source of auth-rhosts.c, line 205, an if statement specifies that the central shosts.equiv file is only checked for accounts other than root. Why is this?

Regards,
Rene

---------------------------------------------------------------------------
This message (including any attachments) is confidential and may be privileged. If you have received it by mistake please notify the sender by return e-mail and delete this message from your system. Any unauthorised use or dissemination of this message in whole or in part is strictly prohibited. Please note that e-mails are susceptible to change. ABN AMRO Bank N.V. (including its group companies) shall not be liable for the improper or incomplete transmission of the information contained in this communication nor for any delay in its receipt or damage to your system. ABN AMRO Bank N.V. (or its group companies) does not guarantee that the integrity of this communication has been maintained nor that this communication is free of viruses, interceptions or interference.
---------------------------------------------------------------------------

From ed at UDel.Edu Thu Apr 25 02:27:17 2002
From: ed at UDel.Edu (Ed Phillips)
Date: Wed, 24 Apr 2002 12:27:17 -0400 (EDT)
Subject: hostbased authentication and the root account
In-Reply-To:
Message-ID:

On Wed, 24 Apr 2002 rene.klootwijk at nl.abnamro.com wrote:

> Date: Wed, 24 Apr 2002 17:56:51 +0200
> From: rene.klootwijk at nl.abnamro.com
> To: openssh-unix-dev at mindrot.org
> Subject: hostbased authentication and the root account
>
> We have a problem using hostbased authentication in combination with the
> root account. We use hostbased authentication to hop from a 'management
> server' where we use strong authentication to several systems in a cluster.
> The management server is defined in shosts.equiv and the public key of this
> server is defined in ssh_known_hosts. This setup works for all users except

The ssh_known_hosts file is a means for the client to check hostkeys when connecting to some sshd on some other system. If you put the management server's public key (sshd_host_rsa_key.pub) in the /etc/ssh_known_hosts file on the other machines, you're ensuring that you can connect to the management server from the other machines with ssh without a manual hostkey check. From what you're describing, unless I'm reading wrong, it seems like you are wanting to make ssh connections from the management server to the other machines... in which case you need all of the other machines' hostkeys installed in /etc/ssh_known_hosts on the management server.

> for the root user (which is needed for maintenance scripts to work). We've
> got it working for the root account by specifying the management server in
> the /root/.shosts file and setting the IgnoreRhosts option to no. This is
> not what we want, we want to ignore user specific .shosts files, so setting
> the IgnoreRhosts option to yes. In the source of auth-rhosts.c, line 205,
> an if statement specifies that the central shosts.equiv file is only
> checked for accounts other than root. Why is this?

I don't know why... but the way we do this kind of thing is to create a keypair for the root user on the management server, store the private key in a "protected" file (mode 0600, owner root, on a local disk) with no passphrase, and copy the public key to /.ssh/authorized_keys2 on each system where we want to run something as root using ssh from the management server. I think this is the preferred way, as opposed to putting a passphrase in a file that would then be used to decrypt a private key, or resorting to something like .shosts or .rhosts. I think the main reason it's preferred is because it is less (not?) susceptible to IP spoofing, assuming you can keep the hostkeys secure.

Sorry to leave your question unanswered, but I hope this helps nonetheless. ;-)

	Ed

Ed Phillips                           University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

From bugzilla-daemon at mindrot.org Thu Apr 25 05:03:04 2002
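The setup Ed describes (a passphrase-less key for root on the management server, kept in a mode 0600 file, with its public half in authorized_keys on each managed host) is also the answer to Jorge's earlier question about running scp from a script without a password, so one added example serves both. It is not code from either poster, from the Snail Book FAQ Markus linked, or from OpenSSH. It writes the authorized_keys entry with the sshd(8) options that confine the key to one source host and one command, refuses to use a private key that group or others can read, and runs scp in BatchMode so an unattended job fails instead of waiting at a prompt. Host names, paths and the key material are constructed placeholders.

```shell
#!/bin/sh
# Added example: a restricted automation key for unattended scp, following
# the approach in Ed's reply. Hosts, paths and key material are placeholders.

# Constructed sample public key line in the format ssh-keygen writes
# (the base64 blob is a placeholder, not a real key).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAEXAMPLEKEYMATERIAL== root@backup.example'

# restricted_authorized_key FROM_HOST COMMAND PUBKEY_LINE
# Emit an authorized_keys entry that accepts this key only from FROM_HOST,
# always runs COMMAND (what the client asked for is available to COMMAND as
# $SSH_ORIGINAL_COMMAND), and disables forwarding and pty allocation.
restricted_authorized_key() {
    from_host=$1; forced_cmd=$2; pubkey=$3
    key_type=$(printf '%s' "$pubkey" | cut -d' ' -f1)
    key_blob=$(printf '%s' "$pubkey" | cut -d' ' -f2)
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s %s\n' \
        "$from_host" "$forced_cmd" "$key_type" "$key_blob"
}

# private_key_mode_ok FILE: 0 if group and others have no permission bits
# (mode 0600 or stricter), 1 otherwise. Uses ls(1) so it runs on any Unix.
private_key_mode_ok() {
    perms=$(ls -ld "$1" | cut -c2-10)      # e.g. "rw-------"
    case "$perms" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# pull_backup KEY SOURCE DEST
# Copy SOURCE (user@host:/path) to DEST using the automation key. BatchMode
# makes ssh fail rather than prompt; StrictHostKeyChecking=yes requires the
# server's host key to be in known_hosts on this client already, which is
# the direction Ed describes for ssh_known_hosts.
pull_backup() {
    key=$1; src=$2; dest=$3
    if ! private_key_mode_ok "$key"; then
        echo "pull_backup: refusing to use $key: readable by group or others" >&2
        return 1
    fi
    scp -i "$key" -o BatchMode=yes -o StrictHostKeyChecking=yes -r "$src" "$dest"
}

# Example use (placeholder paths):
#   On the web server, as root:
#     restricted_authorized_key backup.example '/usr/local/sbin/backup-pull' "$SAMPLE_PUBKEY" \
#         >> /.ssh/authorized_keys2
#   On the backup server, from cron:
#     pull_backup /root/.ssh/backup_key root@www.example:/var/www /backup/www
```

With `command=` in place the web server runs that program no matter what the client requested, so for an scp pull the forced command has to be the `scp -f` invocation scp would have sent, or a wrapper (the placeholder backup-pull above) that checks `$SSH_ORIGINAL_COMMAND` against the one expected command before running it. That keeps a stolen key useful for exactly one read-only copy from exactly one host, which is the property the unattended key needs to have.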
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 25 Apr 2002 05:03:04 +1000 (EST)
Subject: [Bug 226] open ssh appears to stop password change prompts from Solaris
Message-ID: <20020424190304.928BFE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=226

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From stevesk at pobox.com 2002-04-25 05:03 -------
changing an expired password is not supported on non-PAM configurations. but i am continuing to look into this and hope to have a fix in the next release. getspent(3) expire fields are not well documented and there is at least one issue with how we interpret sp_lstchg now.

*** This bug has been marked as a duplicate of 14 ***

From foomail123 at yahoo.com Thu Apr 25 06:13:16 2002
From: foomail123 at yahoo.com (foo foo)
Date: Wed, 24 Apr 2002 13:13:16 -0700 (PDT)
Subject: need help in ssh client: key exchange
Message-ID: <20020424201316.81189.qmail@web20101.mail.yahoo.com>

Hello,

I have a problem with ssh client. I have:

SSH-2.0-OpenSSH_2.3.1p1

When I try to connect to a sshd server (USING V2):

Remote protocol version 1.99, remote software version OpenSSH_2.5.2p2

or

Remote protocol version 2.0, remote software version OpenSSH_3.0.1p1

I get error (looking at codebase):

In sshconnect2.c:

    ssh_dhgex_client(kex, host, hostaddr, client_kexinit, server_kexinit);

    if (key_verify(server_host_key, (u_char *)signature, slen, hash, 20) != 1) {
        fatal("key_verify failed for server_host_key");
        exit(-109);
    }

I see:

    (gdb) p key->type
    $1 = 1

which would mean: KEY_RSA.

Can someone please let me know: why in file key.c:

    case KEY_RSA:
        return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
        break;

when would routine ssh_rsa_verify(..) fail and why?

I am trying to do password based authentication on V2. Is it mandatory that v2 used only RSA based authentication?

Any help/info is appreciated.

Thank you,

__________________________________________________
Do You Yahoo!?
Yahoo! Games - play chess, backgammon, pool and more
http://games.yahoo.com/

From foomail123 at yahoo.com Thu Apr 25 07:00:58 2002
From: foomail123 at yahoo.com (foo foo)
Date: Wed, 24 Apr 2002 14:00:58 -0700 (PDT)
Subject: Fwd: need help in ssh client: key exchange
Message-ID: <20020424210058.42399.qmail@web20108.mail.yahoo.com>

These are the debugs seen on the server, whose keys are not accepted by the client:

debug1: Seeding random number generator
debug1: sshd version OpenSSH_2.5.2p2
debug1: load_private_key_autodetect: type 0 RSA1
debug1: read SSH2 private key done: name rsa w/o comment success 1
debug1: load_private_key_autodetect: type 1 RSA
debug1: read SSH2 private key done: name dsa w/o comment success 1
debug1: load_private_key_autodetect: type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from a.b.c.d port xxx
debug1: Client protocol version 2.0; client software version OpenSSH_2.3.1p1
debug1: match: OpenSSH_2.3.1p1 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.5.2p2
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: send KEXINIT
debug1: done
debug1: wait KEXINIT
debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug1: got kexinit: ssh-rsa,ssh-dss
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
debug1: got kexinit: none
debug1: got kexinit: none
debug1: got kexinit:
debug1: got kexinit:
debug1: first kex follow: 0
debug1: reserved: 0
debug1: done
debug1: kex: client->server 3des-cbc hmac-sha1 none
debug1: kex: server->client 3des-cbc hmac-sha1 none
debug1: Wait SSH2_MSG_KEX_DH_GEX_REQUEST.
debug1: Sending SSH2_MSG_KEX_DH_GEX_GROUP.
debug1: dh_gen_key: priv key bits set: 197/384
debug1: bits set: 1016/2049
debug1: Wait SSH2_MSG_KEX_DH_GEX_INIT.
debug1: bits set: 1039/2049
debug1: send SSH2_MSG_NEWKEYS.
debug1: done: send SSH2_MSG_NEWKEYS.
debug1: Wait SSH2_MSG_NEWKEYS.
Connection closed by a.b.c.d
debug1: Calling cleanup 0x8065fa0(0x0)

Note: forwarded message attached.

-------------- next part --------------
An embedded message was scrubbed...
From: foo foo
Subject: need help in ssh client: key exchange
Date: Wed, 24 Apr 2002 13:13:16 -0700 (PDT)
Size: 3272
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020424/aff4d6b3/attachment.mht

From foomail123 at yahoo.com Thu Apr 25 08:08:49 2002
From: foomail123 at yahoo.com (foo foo)
Date: Wed, 24 Apr 2002 15:08:49 -0700 (PDT)
Subject: Fwd: need help in ssh client: key exchange
In-Reply-To: <20020424210058.42399.qmail@web20108.mail.yahoo.com>
Message-ID: <20020424220849.2447.qmail@web20101.mail.yahoo.com>

more info, I see:

<..clipped..>
Wait SSH2_MSG_KEX_DH_GEX_REPLY.
Got SSH2_MSG_KEXDH_REPLY.
ssh_rsa_verify: RSA_verify failed: error:04077077:rsa routines:RSA_verify:wrong signature length
ssh_rsa_verify: signature incorrect
key_verify failed for server_host_key
<..clipped..>

Is there a known incompatibility issue with 2.3.1 OpenSSH client and higher software version Open_sshd?

Thank you,

--- foo foo wrote:
>
> These are the debugs seen on the server, whose keys are
> not accepted by the client:
>
> debug1: Seeding random number generator
> debug1: sshd version OpenSSH_2.5.2p2
> debug1: load_private_key_autodetect: type 0 RSA1
> debug1: read SSH2 private key done: name rsa w/o comment success 1
> debug1: load_private_key_autodetect: type 1 RSA
> debug1: read SSH2 private key done: name dsa w/o comment success 1
> debug1: load_private_key_autodetect: type 2 DSA
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug1: Server will not fork when running in debugging mode.
> Connection from a.b.c.d port xxx
> debug1: Client protocol version 2.0; client software version OpenSSH_2.3.1p1
> debug1: match: OpenSSH_2.3.1p1 pat ^OpenSSH
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-1.99-OpenSSH_2.5.2p2
> debug1: Rhosts Authentication disabled, originating port not trusted.
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: send KEXINIT
> debug1: done
> debug1: wait KEXINIT
> debug1: got kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug1: got kexinit: ssh-rsa,ssh-dss
> debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> debug1: got kexinit: 3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes128-cbc,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc at lysator.liu.se
> debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
> debug1: got kexinit: hmac-sha1,hmac-md5,hmac-ripemd160 at openssh.com
> debug1: got kexinit: none
> debug1: got kexinit: none
> debug1: got kexinit:
> debug1: got kexinit:
> debug1: first kex follow: 0
> debug1: reserved: 0
> debug1: done
> debug1: kex: client->server 3des-cbc hmac-sha1 none
> debug1: kex: server->client 3des-cbc hmac-sha1 none
> debug1: Wait SSH2_MSG_KEX_DH_GEX_REQUEST.
> debug1: Sending SSH2_MSG_KEX_DH_GEX_GROUP.
> debug1: dh_gen_key: priv key bits set: 197/384
> debug1: bits set: 1016/2049
> debug1: Wait SSH2_MSG_KEX_DH_GEX_INIT.
> debug1: bits set: 1039/2049
> debug1: send SSH2_MSG_NEWKEYS.
> debug1: done: send SSH2_MSG_NEWKEYS.
> debug1: Wait SSH2_MSG_NEWKEYS.
> Connection closed by a.b.c.d
> debug1: Calling cleanup 0x8065fa0(0x0)
>
> Note: forwarded message attached.
>
> ATTACHMENT part 2 message/rfc822
> From: foo foo
> Subject: need help in ssh client: key exchange
> To: openssh-unix-dev at mindrot.org
> Date: Wed, 24 Apr 2002 13:13:16 -0700 (PDT)
>
> Hello,
>
> I have a problem with ssh client.
> I have:
>
> SSH-2.0-OpenSSH_2.3.1p1
>
> When I try to connect to a sshd server (USING V2):
> Remote protocol version 1.99, remote software version
> OpenSSH_2.5.2p2
>
> or
>
> Remote protocol version 2.0, remote software version
> OpenSSH_3.0.1p1
>
> I get error (looking at codebase):
>
> In sshconnect2.c:
>
>     ssh_dhgex_client(kex, host, hostaddr, client_kexinit,
>         server_kexinit);
>
>     if (key_verify(server_host_key, (u_char *)signature, slen, hash, 20) != 1) {
>         fatal("key_verify failed for server_host_key");
>         exit(-109);
>     }
>
> I see:
>     (gdb) p key->type
>     $1 = 1
>
> which would mean: KEY_RSA.
>
> Can someone please let me know: why in
> file key.c:
>     case KEY_RSA:
>         return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
>         break;
>
> when would routine:
>
> ssh_rsa_verify(..) fail and why?
>
> I am trying to do password based authentication
> on V2. Is it mandatory that v2 used only RSA based
> authentication?
>
> Any help/info is appreciated.
>
> Thank you,
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From foomail123 at yahoo.com Thu Apr 25 09:12:46 2002
From: foomail123 at yahoo.com (foo foo)
Date: Wed, 24 Apr 2002 16:12:46 -0700 (PDT)
Subject: RSA_verify question on OpenSSH Client w/ OpenSSL0.9.6a
Message-ID: <20020424231246.6082.qmail@web20107.mail.yahoo.com>

Using OpenSSH 2.3.1 client and OpenSSL 0.9.6a

When trying to ssh to OpenSSH server of higher versions SSH-1.99-OpenSSH_2.5.2p2 or such, I see error in RSA key exchange: RSA_verify(..) routine.

I see error at:

    int RSA_verify(int dtype, unsigned char *m, unsigned int m_len,
                   unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
    {
        int i,ret=0,sigtype;
        unsigned char *p,*s;
        X509_SIG *sig=NULL;

        if (siglen != (unsigned int)RSA_size(rsa))
        {
            RSAerr(RSA_F_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
            return(0);
        }

debugger output:

Breakpoint 1, RSA_verify (dtype=64, m=0x199d380 "mB?\tP???\t?Wz\227\226?\a0?[?UU", m_len=20, sigbuf=0x1990300 "\0205:\t\026\217????\206b#??nG?\177??\002U*P^9\0213?]??f\225?:?m\005\215\225??n????\205?\205?'?\220??,e#?\2150\025K\em?\022Wn\177[@?\fQ?4w3g?yX???\024\b\2222????F[p??n??r?(??\017?\214\177\220;qI?Z,.Bv\026$R?", siglen=128, rsa=0x198b700) at bsd/tools/openssl/crypto/rsa/rsa_sign.c:147
147         if (siglen != (unsigned int)RSA_size(rsa))
(gdb) x/40x
0x198b7a0: 0x00000041 0x00000000 0x00008000 0x00000000
0x198b7b0: 0x00000000 0x00000000 0x00000000 0x00008000
0x198b7c0: 0xe5b83d65 0x00000001 0x5555686d 0x61632d6d
0x198b7d0: 0x64352d39 0x36005555 0x00000000 0x00000000
0x198b7e0: 0x00000000 0x00000000 0x00000000 0x00000000
0x198b7f0: 0x00000000 0x00000000 0xfeefdead 0x0198b778
0x198b800: 0x0186ed14 0x00000000 0x0199d2a0 0x0199d280
0x198b810: 0x00000000 0x0199d360 0x0199d380 0x00000001
0x198b820: 0x0198b780 0x00000000 0x00000000 0x00000000
0x198b830: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) p *rsa
$3 = {pad = 0, version = 0, meth = 0x195bb1c, n = 0x199d480, e = 0x199d3c0, d = 0x0, p = 0x0, q = 0x0, dmp1 = 0x0, dmq1 = 0x0, iqmp = 0x0, ex_data = {sk = 0x0, dummy = 1848469362}, references = 1, flags = 6, _method_mod_n = 0x0, _method_mod_p = 0x0, _method_mod_q = 0x0, bignum_data = 0x0, blinding = 0x0}
(gdb) x/40x 0x199d480
0x199d480: 0x0199d4a0 0x00000001 0x00000001 0x00000000
0x199d490: 0x00000001 0x55550000 0xef025555 0x00000008
0x199d4a0: 0x00000023 0xffffffff 0x555535d2 0x55550000
0x199d4b0: 0x55550000 0x00000000 0xfeefdead 0x0199d3d8
0x199d4c0: 0x0186ed14 0x8bcb35d2 0x00000000 0x00000000
0x199d4d0: 0x55550000 0x00000000 0xfeefdead 0x0199d4f8
0x199d4e0: 0x00000000 0x00000000 0x00000000 0x00000000
0x199d4f0: 0x00000000 0x00000000 0xfeefdead 0x0199d518
0x199d500: 0x00000000 0x00000000 0x00000000 0x00000000
0x199d510: 0x00000000 0x00000000 0xfeefdead 0x0199d538
(gdb)

Does anyone know issues with OpenSSL or OpenSSH above versions? Is there any compatibility issue? Can someone share their knowledge?

Thank you,

From Frank.Smith at unilever.com Thu Apr 25 09:50:25 2002
From: Frank.Smith at unilever.com (Frank Smith)
Date: Wed, 24 Apr 2002 19:50:25 -0400
Subject: OpenSSH Security Advisory (adv.token)
Message-ID:

On Saturday, April 20, 2002 11:40 PM, Niels Provos [SMTP:provos at citi.umich.edu] wrote:
> A buffer overflow exists in OpenSSH's sshd if sshd has been compiled
> with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
> has been enabled in the sshd_config file. Ticket and token passing
> is not enabled by default.
>
> 1. Systems affected:
> ...
> 2. Impact:
>
> Remote users may gain privileged access for OpenSSH < 2.9.9
>
> Local users may gain privileged access for OpenSSH < 3.3
>
> No privileged access is possible for OpenSSH with
> UsePrivsep enabled.
>
> 3. Solution:
> ...

from where did you get openssh version 3.3? as of today (24 apr), openssh's website listed version 3.1p1 as the current version.

frank smith
frank.smith at unilever.com

From jason at shalott.net Thu Apr 25 11:43:25 2002
From: jason at shalott.net (Jason Stone)
Date: Wed, 24 Apr 2002 18:43:25 -0700 (PDT)
Subject: OpenSSH Security Advisory (adv.token)
In-Reply-To:
Message-ID: <20020424183932.U9319-100000@walter>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > A buffer overflow exists in OpenSSH's sshd if sshd has been compiled
> > with Kerberos/AFS support and KerberosTgtPassing or AFSTokenPassing
> > has been enabled in the sshd_config file. Ticket and token passing
> > is not enabled by default.
> >
> > 1. Systems affected:
> > ...
> > 2. Impact:
> >
> > Remote users may gain privileged access for OpenSSH < 2.9.9
> >
> > Local users may gain privileged access for OpenSSH < 3.3
>
> from where did you get openssh version 3.3? as of today (24 apr),
> openssh's website listed version 3.1p1 as the current version.

This is the forthcoming new release. It's been being tested for a while now and will be released... soon.

 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet. Here's what I worry about. I worry that
 10 or 15 years from now, she will come to me and say "Daddy, where were
 you when they took freedom of the press away from the Internet?"
	-- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE8x189swXMWWtptckRAvBkAKD4Q1dO8PoNHdzmNHJ2/WO7ZMyofQCfYGgV
iCTxKtF8KySz44t55MW6apc=
=hnK+
-----END PGP SIGNATURE-----

From foomail123 at yahoo.com Thu Apr 25 11:43:21 2002
From: foomail123 at yahoo.com (foo foo)
Date: Wed, 24 Apr 2002 18:43:21 -0700 (PDT)
Subject: OpenSSH Security Advisory (adv.token)
In-Reply-To:
Message-ID: <20020425014321.34768.qmail@web20102.mail.yahoo.com>

True, but..

1) I am not using Kerberos or such features.

2) the client is from OpenSSH2.3.1 (my earlier email) not 2.2 version.

3) The issue is that OpenSSH.2.5.2 and higher is sending RSA key and 2.3.1 client complains of incorrect key length. (see my debug output).

--- Frank Smith wrote:
> On Saturday, April 20, 2002 11:40 PM, Niels Provos
> [SMTP:provos at citi.umich.edu]
> wrote:
> > A buffer overflow exists in OpenSSH's sshd if sshd
> has been compiled
> > with Kerberos/AFS support and KerberosTgtPassing
> or AFSTokenPassing
> > has been enabled in the sshd_config file. Ticket
> and token passing
> > is not enabled by default.
> >
> > 1. Systems affected:
> > ...
> > 2. Impact:
> >
> > Remote users may gain privileged access
> for OpenSSH < 2.9.9
> >
> > Local users may gain privileged access for
> OpenSSH < 3.3
> >
> > No privileged access is possible for
> OpenSSH with
> > UsePrivsep enabled.
> >
> > 3. Solution:
> > ...
>
> from where did you get openssh version 3.3? as of
> today (24 apr), openssh's
> website listed version 3.1p1 as the current version.
>
> frank smith
> frank.smith at unilever.com
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From 2beds at rogers.com Thu Apr 25 14:11:25 2002
From: 2beds at rogers.com (Kim & Kyle Bedell)
Date: Wed, 24 Apr 2002 21:11:25 -0700
Subject: ssh-rand-helper probs
Message-ID: <000501c1ec0f$451a4a60$0500a8c0@tbird>

Hi all

Am i doing this right? Is this the right list to post to? If not, a quick lesson in etiquette for me would not hurt. As I am both just starting to use newsgroups and SSH, I am not entirely familiar with the processes.

I have a question about ssh-rand-helper. First an outline:

I am currently using the SSH packages for Solaris 2.8 available at sunfreeware.com. The environment is Solaris 8 (2.8) on sun4u platforms (ultras). At work, I have constructed a boot and installation server, an Ultra 450 that amongst other things, installs, configures SSH and auto-generates SSH keys as part of the client build. No problems there, it works quite nicely so that when the client finishes building, it can be immediately deployed.

At home however, I practice and experiment a lot. I use an SS20 with 224MB of RAM as a boot server but I get a different set of errors depending on what I do:

The first time I tried this type of installation of SSH at home however I got an error that read:

"ld.so.1: /a/usr/local/bin/ssh-keygen: fatal: libz.so: open failed: No such file or directory. Killed"

So........just feed it some env parameters ....like LD_LIBRARY_PATH... right? nope tried that and got this:

"(rand child) Couldn't exec '/usr/local/libexec/ssh-rannd-helper': No such file or directory
ssh-rand-helper child produced insufficient data"

This sounds like:

1. It really can't find the specified path/filename but then how did the second part occur, that being: "ssh-rand-helper child produced insufficient data"

It also sounds like prngd is not doing its job but I have sat in on the build and watched it start up in a cmd tool window while the client builds. This only happens when I use a script (!) and again, it only happens here at home on this sparc20. (Did I say that already?) :)

After the client finishes building, I can manually generate keys using the ssh-keygen utility without incident.

The relevant excerpt from the customization script that I use is here:

-------------text snipped----------------
LD_LIBRARY_PATH=/a/usr/local/lib:/usr/local/lib:/usr/lib
export LD_LIBRARY_PATH

echo "##########################################"
echo "#                                        #"
echo "#      Installing and configuring        #"
echo "#      samba and SSH (Secure Shell)      #"
echo "#                                        #"
echo "##########################################"

pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/vnc/vnc-3.3.3r2-sol8-sparc-local all
mkdir -p /a/usr/local/samba
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/samba/samba-2.2.2-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/zlib-1.1.4-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/perl-5.6.1-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/egd-0.8-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/prngd-0.9.23-sol8-sparc-local all
#pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/tcp_wrappers_7.6-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/openssl-0.9.6c-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/openssh-3.1p1-sol8-sparc-local all
sleep 3
cat /a/var/sadm/system/logs/sysidtool.log >/a/usr/local/etc/prngd-seed

echo "##########################################"
echo "#                                        #"
echo "#       (SSH) Creating seed file         #"
echo "#                                        #"
echo "##########################################"
sleep 2

cp ${SU_CONFIG_DIR}/packages/sshpkgs/prngd /a/etc/init.d/.
cp ${SU_CONFIG_DIR}/packages/sshpkgs/sshd /a/etc/init.d/.
chown root:sys /a/etc/init.d/prngd
chown root:sys /a/etc/init.d/sshd
chmod 544 /a/etc/init.d/prngd
chmod 544 /a/etc/init.d/sshd
ln -s /etc/init.d/sshd /a/etc/rc2.d/S98sshd
ln -s /etc/init.d/prngd /a/etc/rc2.d/S98prngd
cp ${SU_CONFIG_DIR}/packages/sshpkgs/hosts.allow /a/etc/.
cp ${SU_CONFIG_DIR}/packages/sshpkgs/hosts.deny /a/etc/.

cd /var
mkdir -p spool/prngd
/a/usr/local/bin/prngd /var/spool/prngd/pool
sleep 3

echo "###################################"
echo "Attempting to create socket: pool"
echo "###################################"
sleep 3

/a/usr/local/bin/ssh-keygen -t rsa1 -f /a/usr/local/etc/ssh_host_key -N ""
/a/usr/local/bin/ssh-keygen -t dsa -f /a/usr/local/etc/ssh_host_dsa_key -N ""
/a/usr/local/bin/ssh-keygen -t rsa -f /a/usr/local/etc/ssh_host_rsa_key -N ""
echo "##########################################"
--------------text snipped---------------

Any ideas? All advice appreciated and I thank you in advance

Kyle

From djm at mindrot.org Thu Apr 25 12:23:51 2002
From: djm at mindrot.org (Damien Miller)
Date: Thu, 25 Apr 2002 12:23:51 +1000 (EST)
Subject: OpenSSH Security Advisory (adv.token)
In-Reply-To:
Message-ID:

On Wed, 24 Apr 2002, Frank Smith wrote:

> from where did you get openssh version 3.3? as of today (24 apr), openssh's
> website listed version 3.1p1 as the current version.

There is no 3.3 yet, the next release will probably be 3.2.1 (and will close the hole).

If you haven't built OpenSSH with KrbIV *and* AFS support, you aren't vulnerable anyway.

-d

From djm at mindrot.org Thu Apr 25 12:22:00 2002
From: djm at mindrot.org (Damien Miller)
Date: Thu, 25 Apr 2002 12:22:00 +1000 (EST)
Subject: OpenSSH Security Advisory (adv.token)
In-Reply-To: <20020425014321.34768.qmail@web20102.mail.yahoo.com>

On Wed, 24 Apr 2002, foo foo wrote:

> True, but..
>
> 1) I am not using Kerberos or such features.
>
> 2) the client is from OpenSSH2.3.1 (my earlier email)
> not 2.2 version.
>
> 3) The issue is that OpenSSH.2.5.2 and higher is
> sending RSA key and 2.3.1 client complains of
> incorrect key length. (see my debug output).

Upgrade to a more recent version - 2.3.1 has a serious exploitable hole, 2.5.2 has problems too.

-d

From PChandana at novell.com Thu Apr 25 13:24:39 2002
From: PChandana at novell.com (Chandana Pavuluru)
Date: Wed, 24 Apr 2002 21:24:39 -0600
Subject: With LDAP

Hi,

Any work done on using LDAP as an administrative tool for managing SSH servers and users? Any reference is highly appreciated.

Thanks and Regards,
Chandana Pavuluru
Novell, Inc., a leading provider of Net business solutions
http://www.novell.com

"Art in the dreams of a lucky few, science in the minds of learned crew and technology at the hands of trendy you."

From foomail123 at yahoo.com Thu Apr 25 16:14:53 2002
From: foomail123 at yahoo.com (foo foo)
Date: Wed, 24 Apr 2002 23:14:53 -0700 (PDT)
Subject: RSA_verify question on OpenSSH Client w/ OpenSSL0.9.6a
In-Reply-To: <20020424231246.6082.qmail@web20107.mail.yahoo.com>
Message-ID: <20020425061453.55258.qmail@web20110.mail.yahoo.com>

While I hear many suggestions to move to a newer release, can someone shed light on a solution to the problem as immediate help!? Can someone who has knowledge of this section of code please suggest some pointers/solutions?

In the snippet below, 'siglen' is 128 (per debugger) but RSA_size(..) returns 1!

BTW, the system the client is running on is NetBSD 1.4.2

--- foo foo wrote:
> Using OpenSSH 2.3.1 client and OpenSSL 0.9.6a
>
> When trying to ssh to OpenSSH server of
> higher versions SSH-1.99-OpenSSH_2.5.2p2 or such,
>
> I see error in RSA key exchange:
> RSA_verify(..) routine.
>
> I see:
>
> error at:
> int RSA_verify(int dtype, unsigned char *m, unsigned int m_len,
>                unsigned char *sigbuf, unsigned int siglen, RSA *rsa)
> {
>         int i,ret=0,sigtype;
>         unsigned char *p,*s;
>         X509_SIG *sig=NULL;
>
>         if (siglen != (unsigned int)RSA_size(rsa))
>         {
>                 RSAerr(RSA_F_RSA_VERIFY,RSA_R_WRONG_SIGNATURE_LENGTH);
>                 return(0);
>         }
>
> debugger output:
>
> Breakpoint 1, RSA_verify (dtype=64,
>     m=0x199d380 "mB?\tP???\t?Wz\227\226?\a0?[?UU", m_len=20,
>     sigbuf=0x1990300 "\0205:\t\026\217????\206b#??nG?\177??\002U*P^9\0213?]??f\225?:?m\005\215\225??n????\205?\205?'?\220??,e#?\2150\025K\em?\022Wn\177[@?\fQ?4w3g?yX???\024\b\2222????F[p??n??r?(??\017?\214\177\220;qI?Z,.Bv\026$R?",
>     siglen=128, rsa=0x198b700) at bsd/tools/openssl/crypto/rsa/rsa_sign.c:147
> 147         if (siglen != (unsigned int)RSA_size(rsa))
> (gdb) x/40x
> 0x198b7a0:      0x00000041      0x00000000      0x00008000      0x00000000
> 0x198b7b0:      0x00000000      0x00000000      0x00000000      0x00008000
> 0x198b7c0:      0xe5b83d65      0x00000001      0x5555686d      0x61632d6d
> 0x198b7d0:      0x64352d39      0x36005555      0x00000000      0x00000000
> 0x198b7e0:      0x00000000      0x00000000      0x00000000      0x00000000
> 0x198b7f0:      0x00000000      0x00000000      0xfeefdead      0x0198b778
> 0x198b800:      0x0186ed14      0x00000000      0x0199d2a0      0x0199d280
> 0x198b810:      0x00000000      0x0199d360      0x0199d380      0x00000001
> 0x198b820:      0x0198b780      0x00000000      0x00000000      0x00000000
> 0x198b830:      0x00000000      0x00000000      0x00000000      0x00000000
> (gdb) p *rsa
> $3 = {pad = 0, version = 0, meth = 0x195bb1c, n = 0x199d480, e = 0x199d3c0,
>   d = 0x0, p = 0x0, q = 0x0, dmp1 = 0x0, dmq1 = 0x0, iqmp = 0x0, ex_data = {
>     sk = 0x0, dummy = 1848469362}, references = 1, flags = 6,
>   _method_mod_n = 0x0, _method_mod_p = 0x0, _method_mod_q = 0x0,
>   bignum_data = 0x0, blinding = 0x0}
> (gdb) x/40x 0x199d480
> 0x199d480:      0x0199d4a0      0x00000001      0x00000001      0x00000000
> 0x199d490:      0x00000001      0x55550000      0xef025555      0x00000008
> 0x199d4a0:      0x00000023      0xffffffff      0x555535d2      0x55550000
> 0x199d4b0:      0x55550000      0x00000000      0xfeefdead      0x0199d3d8
> 0x199d4c0:      0x0186ed14      0x8bcb35d2      0x00000000      0x00000000
> 0x199d4d0:      0x55550000      0x00000000      0xfeefdead      0x0199d4f8
> 0x199d4e0:      0x00000000      0x00000000      0x00000000      0x00000000
> 0x199d4f0:      0x00000000      0x00000000      0xfeefdead      0x0199d518
> 0x199d500:      0x00000000      0x00000000      0x00000000      0x00000000
> 0x199d510:      0x00000000      0x00000000      0xfeefdead      0x0199d538
> (gdb)
>
> Does anyone know issues with OpenSSL or OpenSSH
> above versions? Is there any compatibility issue?
>
> Can someone share their knowledge?
>
> Thank you,

From stuge at cdy.org Thu Apr 25 16:47:05 2002
From: stuge at cdy.org (Peter Stuge)
Date: Thu, 25 Apr 2002 08:47:05 +0200
Subject: RSA_verify question on OpenSSH Client w/ OpenSSL0.9.6a
In-Reply-To: <20020425061453.55258.qmail@web20110.mail.yahoo.com>; from foomail123@yahoo.com on Wed, Apr 24, 2002 at 11:14:53PM -0700
References: <20020424231246.6082.qmail@web20107.mail.yahoo.com> <20020425061453.55258.qmail@web20110.mail.yahoo.com>
Message-ID: <20020425084705.A11270@foo.birdnet.se>

On Wed, Apr 24, 2002 at 11:14:53PM -0700, foo foo wrote:
>
> While I hear many suggestions to move to newer
> release,
> can someone shed light on a solution to the
> problem as immediate help !?

"Upgrade!" IS the immediate help. Even more so because the version you are using has security issues.

Downloading and compiling a new version might take half an hour, deployment at your site is hopefully something you already have a system for, the upgrade will take a lot less time than digging around in gdb.

Don't get me wrong, developers appreciate your effort to really nail the problem, but the version you are using is so old that no one cares too much about it anymore.

//Peter

From markus at openbsd.org Thu Apr 25 17:35:22 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 25 Apr 2002 09:35:22 +0200
Subject: RSA_verify question on OpenSSH Client w/ OpenSSL0.9.6a
In-Reply-To: <20020424231246.6082.qmail@web20107.mail.yahoo.com>
References: <20020424231246.6082.qmail@web20107.mail.yahoo.com>
Message-ID: <20020425073522.GA13736@faui02>

On Wed, Apr 24, 2002 at 04:12:46PM -0700, foo foo wrote:
> Using OpenSSH 2.3.1

rsa for ssh2 could be broken in 2.3.1, but i don't remember. please check the cvs logs and upgrade.

From Jason.Lacoss-Arnold at AGEDWARDS.com Thu Apr 25 21:53:47 2002
From: Jason.Lacoss-Arnold at AGEDWARDS.com (Lacoss-Arnold, Jason)
Date: Thu, 25 Apr 2002 06:53:47 -0500
Subject: ssh-rand-helper probs
Message-ID: <6808DCE827EBD5119DFB0002A58EF4DA57E84E@hqempn06.agedwards.com>

It sounds to me like your problem is only occurring while performing ssh functions under a /a mount (I'm assuming off of a cdrom or net boot, possibly during jumpstart)? If so, I suspect that portions of ssh are compiled to look for fully qualified paths that would exist if they were under /a, but don't exist directly under /.

The easiest solution may just be to install a runonce type script in /etc/rc3.d that generates the keys (if not present) and then deletes itself.

Alternatively, you may try compiling it from scratch. I know that recent versions have a pkgproto, although we roll our own, so I'm not sure how well it handles the alternate mount point issue. It might also require some sort of trickery with compile time flags to switch from fully qualified paths to relative paths.

As a last resort, you could come up with some link trickery. For example, you could compile ssh to be installed in /a/usr/local/openssh and then on your production server, create a /a link to /.
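The run-once rc script suggested in the reply above, written out as an added example; it is not Kyle's build script and not an OpenSSH project file. The key directory, the ssh-keygen and ssh-rand-helper paths and the prngd socket are assumptions taken from the paths mentioned in this thread (sunfreeware layout) and can be overridden through the environment:

```shell
#!/bin/sh
# Hypothetical run-once rc script (e.g. /etc/rc3.d/S99sshkeys): on the first
# boot from the real root it generates whichever OpenSSH host keys are
# missing, starts sshd, and removes itself. Added example, not from the
# thread or from OpenSSH; all paths below are assumptions.

SSH_ETC=${SSH_ETC:-/usr/local/etc}                    # host key directory
KEYGEN=${KEYGEN:-/usr/local/bin/ssh-keygen}           # ssh-keygen binary
RAND_HELPER=${RAND_HELPER:-/usr/local/libexec/ssh-rand-helper}
PRNGD_SOCKET=${PRNGD_SOCKET:-/var/spool/prngd/pool}   # socket the thread's script creates
SSHD_INIT=${SSHD_INIT:-/etc/init.d/sshd}

# Private key file for a key type; rsa1 (SSH protocol 1) uses the legacy name.
host_key_file() {
    case $1 in
        rsa1) echo "$SSH_ETC/ssh_host_key" ;;
        *)    echo "$SSH_ETC/ssh_host_$1_key" ;;
    esac
}

# Print the key types whose private or public half is missing or empty.
missing_host_keys() {
    for t in rsa1 dsa rsa; do
        f=$(host_key_file "$t")
        if [ ! -s "$f" ] || [ ! -s "$f.pub" ]; then
            echo "$t"
        fi
    done
}

# Fail with one clear message before writing anything: ssh-keygen must be
# runnable from this root, and it needs an entropy source at the compiled-in
# path (prngd socket or ssh-rand-helper), which is what the quoted
# "(rand child) Couldn't exec" error was about.
preflight() {
    command -v "$KEYGEN" >/dev/null 2>&1 || {
        echo "preflight: $KEYGEN not found or not executable" >&2
        return 1
    }
    if [ ! -S "$PRNGD_SOCKET" ] && [ ! -x "$RAND_HELPER" ]; then
        echo "preflight: no prngd socket at $PRNGD_SOCKET and no $RAND_HELPER" >&2
        return 1
    fi
}

# Generate every missing host key with an empty passphrase (sshd reads them
# unattended), keeping the private halves readable by root only.
generate_missing_host_keys() {
    preflight || return 1
    umask 077
    for t in $(missing_host_keys); do
        f=$(host_key_file "$t")
        rm -f "$f" "$f.pub"                   # discard a half-written pair
        "$KEYGEN" -t "$t" -f "$f" -N "" || return 1
        chmod 600 "$f" && chmod 644 "$f.pub" || return 1
    done
}

# rc entry point: Solaris calls rc scripts with "start". On success the
# script deletes itself so it never runs again; on failure it stays in
# place so the next boot retries and the error is visible.
case "$1" in
start)
    if generate_missing_host_keys; then
        [ -x "$SSHD_INIT" ] && "$SSHD_INIT" start
        rm -f "$0"
    else
        echo "$0: host key generation failed, leaving script in place" >&2
        exit 1
    fi
    ;;
esac
```

Because the script runs from the installed system rather than under the /a install mount, the compiled-in paths resolve without any LD_LIBRARY_PATH or symlink tricks; the jumpstart script then only needs to copy it into /a/etc/rc3.d.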
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 00:10:10 +1000 (EST)
Subject: [Bug 214] IRIX utmp problem loginrec.c: line_abbrevname() goes wrong
Message-ID: <20020425141010.96EF3E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=214

phgrau at zedat.fu-berlin.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From phgrau at zedat.fu-berlin.de 2002-04-26 00:10 -------
After testing snap 20020424 I think this bug is fixed, thank you

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From vinschen at redhat.com Fri Apr 26 01:38:35 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 25 Apr 2002 17:38:35 +0200
Subject: Please test snapshots
Message-ID: <20020425173835.E13521@cygbert.vinschen.de>

On Tue, Apr 23, 2002 at 11:45:21PM +1000, Damien Miller wrote:
>
> Tomorrow's snapshot synchronises us with OpenBSD CVS HEAD and
> includes fixes to several bugs. (Including the KrbIV/AFS/Tgt
> issue).
>
> Portable -current also makes PAM work (or seem to) when sshd
> is configured with UsePrivilegeSeparation=yes. This is still
> experimental, please let openssh-unix-dev@ know how you go.

I'm getting a *lot* of warnings with the current version from CVS, e. g.:

i686-pc-cygwin-gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I../src -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/sbin/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/sbin/sftp-server\" -D_PATH_SSH_PIDDIR=\"/var/run\" -DSSH_RAND_HELPER=\"/usr/sbin/ssh-rand-helper\" -DHAVE_CONFIG_H -c ../src/sftp-common.c
In file included from /usr/include/fcntl.h:14,
                 from ../src/includes.h:27,
                 from ../src/sftp-common.c:26:
/usr/include/sys/fcntl.h:43: warning: `O_NONBLOCK' redefined
../src/defines.h:56: warning: this is the location of the previous definition
In file included from /usr/include/sys/fcntl.h:164,
                 from /usr/include/fcntl.h:14,
                 from ../src/includes.h:27,
                 from ../src/sftp-common.c:26:
/usr/include/sys/stat.h:100: warning: `S_IRWXU' redefined
../src/defines.h:82: warning: this is the location of the previous definition
/usr/include/sys/stat.h:102: warning: `S_IWUSR' redefined
../src/defines.h:76: warning: this is the location of the previous definition
[... and so on, and so on, ...]

This is introduced by including `defines.h' from `include.h'. The problem is that `defines.h' already has been included previously from `config.h'.

Corinna

-- 
Corinna Vinschen                  Cygwin Developer
Red Hat, Inc.                     mailto:vinschen at redhat.com

From vinschen at redhat.com Fri Apr 26 01:46:53 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 25 Apr 2002 17:46:53 +0200
Subject: Please test snapshots
In-Reply-To: <20020425173835.E13521@cygbert.vinschen.de>
References: <20020425173835.E13521@cygbert.vinschen.de>
Message-ID: <20020425174653.G13521@cygbert.vinschen.de>

On Thu, Apr 25, 2002 at 05:38:35PM +0200, Corinna Vinschen wrote:
> This is introduced by including `defines.h' from `include.h'.
> The problem is that `defines.h' already has been included previously
> from `config.h'.

I'm sorry, that isn't quite correctly explained. The problem occurs *because* of the inclusion in `config.h'. If `defines.h' is only included by `includes.h', the problem disappears.

Corinna

-- 
Corinna Vinschen                  Cygwin Developer
Red Hat, Inc.                     mailto:vinschen at redhat.com

From kevin at atomicgears.com Fri Apr 26 02:33:54 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Thu, 25 Apr 2002 09:33:54 -0700 (PDT)
Subject: Trusted HP-UX Patch from Re: PLEASE TEST snapshots
In-Reply-To: <018901c1eb16$1926ddf0$9b78a8c0@oedserver>

On Tue, 23 Apr 2002, Darren Cole wrote:
:> + if (s->ttyfd != -1 && c->istate == CHAN_INPUT_OPEN) :> + chan_read_failed(c); :> +#endif
:
:The problem is that you always hang on logout if I don't have this code.
:If someone has a better fix I would love to have, I haven't found one yet.
:If I login, and immediately type exit without any other commands ssh hangs.
:This is really annoying, and since most haven't liked this change I put it
:only for TRUSTED_HPUX.

does it happen on 10.20 with uselogin=yes?

also see:
http://www.snailbook.com/faq/background-jobs.auto.html

:> other than that the only other question is why did you add
:> disable_ptmx_check?
:
:Login won't work correctly if ptmx is used. From what I have found it
:appears to have to be one of the little weird things in trusted hpux.

does telnetd use STREAMS ptys?

:> for now i have this, which is everything but the above against
:> -current (the uselogin fix applied to HP-UX in general and has
:> already been applied):
:
:Thanks a lot. If there is any way to make the above better, or more
:acceptable for inclusion let me know.

should i apply that then? your remaining issue is the hang.

did you review the auth-passwd.c changes?

:> --- auth-passwd.c 4 Apr 2002 19:02:28 -0000 1.40 :> +++ auth-passwd.c 23 Apr 2002 21:53:11 -0000 :> @@ -55,11 +55,11 @@ :> # include :> # include :> # endif :> -# ifdef HAVE_SCO_PROTECTED_PW :> +# ifdef HAVE_SECUREWARE :> # include :> # include :> # include :> -# endif /* HAVE_SCO_PROTECTED_PW */ :> +# endif /* HAVE_SECUREWARE */

is audit.h really required here?

From kevin at atomicgears.com Fri Apr 26 03:09:40 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Thu, 25 Apr 2002 10:09:40 -0700 (PDT)
Subject: problem with X11 forwarding and use_localhost on Linux (solution)
In-Reply-To: <20020423151338.A28061@sverresborg.uninett.no>

On Tue, 23 Apr 2002, Stig Venaas wrote:
:On Linux (and others that define DONT_TRY_OTHER_AF)
:x11_create_display_inet() will only use the first entry returned by
:getaddrinfo(). When binding sockets to "ANY" this is fine on Linux
:since a PF_INET6 socket bound to ANY will also include IPv4. However
:when x11_use_localhost (X11UseLocalhost) is set, this is a problem.
:getaddrinfo() will then return an AF_INET6 entry with IPv6 address
:::1 and also AF_INET entry with IPv4 address 127.0.0.1. Currently
:one binds only to the first (unless that bind fails), but should
:bind to both. Even on Linux, a bind to ::1 does not include
:127.0.0.1.
:
:I think this can be fixed with the following patch:
:
:--- channels-orig.c Tue Mar 26 04:26:25 2002 :+++ channels.c Tue Apr 23 15:09:28 2002 :@@ -2392,7 +2392,8 @@ : if (num_socks == NUM_SOCKS) : break; : #else :- break; :+ if (!x11_use_localhost || num_socks == NUM_SOCKS) :+ break; : #endif : } : freeaddrinfo(aitop);

this is what is in:
http://bugzilla.mindrot.org/show_bug.cgi?id=164

i still don't understand exactly why DONT_TRY_OTHER_AF is needed?
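Review bot: the guard rename from HAVE_SCO_PROTECTED_PW to HAVE_SECUREWARE in the auth-passwd.c hunk compiles this include block on every platform for which configure defines HAVE_SECUREWARE, not only the SCO case the old macro named, so all three headers inside the block must exist on each of those platforms; the question whether audit.h is really required is exactly the check that needs answering, and the hunk should either drop headers that only one platform needs or guard each with its own configure test, with a comment above `# ifdef HAVE_SECUREWARE` naming the platforms the block serves. The header names did not survive in this copy of the hunk (each line reads only `# include`), so that part cannot be reviewed from the mail as posted; please resend with the include lines intact.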
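Review bot: the replaced `break;` in the #else (DONT_TRY_OTHER_AF) branch of the channels.c hunk now reads `if (!x11_use_localhost || num_socks == NUM_SOCKS) break;`, so the loop continues past the first getaddrinfo() entry only when X11UseLocalhost is set, but nothing in the code says why; the reason given in the mail (a bind to ::1 does not cover 127.0.0.1, so both loopback entries must be bound) belongs in a comment above the new condition. The #ifdef branch already breaks on `num_socks == NUM_SOCKS`, so after this change the two branches differ only by the `!x11_use_localhost` term; folding that term into one condition would remove the duplicated break and make the remaining purpose of DONT_TRY_OTHER_AF, which the reply here also questions, explicit in the code. The diff is also taken against a copy named `channels-orig.c` rather than the CVS revision, so it carries no revision information for whoever applies it.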
From: dcole at keysoftsys.com (Darren Cole)
Date: Thu, 25 Apr 2002 10:50:24 -0700
Subject: Trusted HP-UX Patch from Re: PLEASE TEST snapshots
Message-ID: <00ae01c1ec81$ca8cdc90$9b78a8c0@oedserver>

> On Tue, 23 Apr 2002, Darren Cole wrote:
> :> + if (s->ttyfd != -1 && c->istate == CHAN_INPUT_OPEN) > :> + chan_read_failed(c); > :> +#endif
> :
> :The problem is that you always hang on logout if I don't have this code.
> :If someone has a better fix I would love to have, I haven't found one yet.
> :If I login, and immediately type exit without any other commands ssh hangs.
> :This is really annoying, and since most haven't liked this change I put it
> :only for TRUSTED_HPUX.
>
> does it happen on 10.20 with uselogin=yes?
> also see:
> http://www.snailbook.com/faq/background-jobs.auto.html

I don't know if this is a problem on 10.20 as I only have 10.26 boxen and few 11 right now. Maybe tomorrow or next week (customers in the office today) I will scare one up and try it. Thanks for the link, I think I have an idea on where to look in hpux 10.26 and in the opensshd to figure out why this problem happens more often on 10.26 hpux.

> :> other than that the only other question is why did you add
> :> disable_ptmx_check?
> :
> :Login won't work correctly if ptmx is used. From what I have found it
> :appears to have to be one of the little weird things in trusted hpux.
>
> does telnetd use STREAMS ptys?

I honestly don't know off the top of my head. I'll look it up and find out.

> :> for now i have this, which is everything but the above against
> :> -current (the uselogin fix applied to HP-UX in general and has
> :> already been applied):
> :
> :Thanks a lot. If there is any way to make the above better, or more
> :acceptable for inclusion let me know.
>
> should i apply that then? your remaining issue is the hang.

Everything but the hang solution seems to have been passed by everyone.

> did you review the auth-passwd.c changes?
>
> :> --- auth-passwd.c 4 Apr 2002 19:02:28 -0000 1.40 > :> +++ auth-passwd.c 23 Apr 2002 21:53:11 -0000 > :> @@ -55,11 +55,11 @@ > :> # include > :> # include > :> # endif > :> -# ifdef HAVE_SCO_PROTECTED_PW > :> +# ifdef HAVE_SECUREWARE > :> # include > :> # include > :> # include > :> -# endif /* HAVE_SCO_PROTECTED_PW */ > :> +# endif /* HAVE_SECUREWARE */
>
> is audit.h really required here?

I don't think it is needed for Trusted HPUX (compiled with it included and without. Each time had the same set of warnings). Someone on SCO will have to comment for them, I think that is why it was included.

From foomail123 at yahoo.com Fri Apr 26 04:03:35 2002
From: foomail123 at yahoo.com (foo foo)
Date: Thu, 25 Apr 2002 11:03:35 -0700 (PDT)
Subject: RSA_verify question on OpenSSH Client w/ OpenSSL0.9.6a
In-Reply-To: <20020425073522.GA13736@faui02>
Message-ID: <20020425180335.74932.qmail@web20102.mail.yahoo.com>

Is there any way that from the client, I can force the server to fall back on other methods (DSA, password ..)? If I make the client fail for RSA (during RSA authen.), would the server fall back? Is this possible? If so, any pointers?

Also: how do I access cvs logs, as mentioned below?

Thank you very much,

--- Markus Friedl wrote:
> On Wed, Apr 24, 2002 at 04:12:46PM -0700, foo foo
> wrote:
> > Using OpenSSH 2.3.1
>
> rsa for ssh2 could be broken in 2.3.1, but i don't
> remember.
> please check the cvs logs and upgrade.

From bugzilla-daemon at mindrot.org Fri Apr 26 04:18:37 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 04:18:37 +1000 (EST)
Subject: [Bug 184] 3.1p1 openssh fails to build a working sshd on Trusted HP-UX 10.26
Message-ID: <20020425181837.B92A8E933@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=184

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From stevesk at pobox.com 2002-04-26 04:18 -------
applied modified patch

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

From WhitakerK at MTMC.ARMY.MIL Fri Apr 26 04:43:18 2002
From: WhitakerK at MTMC.ARMY.MIL (Whitaker, Kenneth)
Date: Thu, 25 Apr 2002 14:43:18 -0400
Subject: Issues with SFTP
Message-ID: <7933C6521AA7D211A41A0000D11BAFBF08A77559@hq11.army.mil>

Any new updates on these issues?

> - no ascii mode only binary

what is "ascii" ?

> - no verbose or indication of bytes transferred (you would do an ls after
> sftp is done)

sftp is a unix tool, so it usually cries only on errors.

From mouring at etoh.eviladmin.org Fri Apr 26 04:41:07 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 25 Apr 2002 13:41:07 -0500 (CDT)
Subject: RSA_verify question on OpenSSH Client w/ OpenSSL0.9.6a
In-Reply-To: <20020425180335.74932.qmail@web20102.mail.yahoo.com>
Message-ID:

[Stripped OpenSSL since they are not us]

The unofficial OpenSSH Portable web CVS access can be done from below
(I think I have all the bugs worked out).

http://www.eviladmin.org/cgi-bin/cvsweb.cgi/

However, http://www.openssh.com/portable.html has instructions on checking
out the CVS tree from a CVS mirror.

- Ben

On Thu, 25 Apr 2002, foo foo wrote:

> Is there anyway that from the client, I can force
> server to fallback on other methods (DSA, password ..)
> ?
> If I make client fail for RSA (during RSA authen.),
> would server fallback ? Is this possible ? If so,
> any pointers ?
>
> Also: how do I access cvs logs, as mentioned below ?
>
> Thank you very much,
>
>
> --- Markus Friedl wrote:
> > On Wed, Apr 24, 2002 at 04:12:46PM -0700, foo foo
> > wrote:
> > > Using OpenSSH 2.3.1
> >
> > rsa for ssh2 could be broken in 2.3.1, but i don't
> > remember.
> > please check the cvs logs and upgrade.

From tim at multitalents.net Fri Apr 26 04:51:03 2002
From: tim at multitalents.net (Tim Rice)
Date: Thu, 25 Apr 2002 11:51:03 -0700 (PDT)
Subject: Please test snapshots
In-Reply-To: <20020425173835.E13521@cygbert.vinschen.de>
Message-ID:

On Thu, 25 Apr 2002, Corinna Vinschen wrote:

> On Tue, Apr 23, 2002 at 11:45:21PM +1000, Damien Miller wrote:
> >
> > Tomorrow's snapshot synchronises us with OpenBSD CVS HEAD and
> > includes fixes to several bugs. (Including the KrbIV/AFS/Tgt
> > issue).
> >
> > Portable -current also makes PAM work (or seem to) when sshd
> > is configured with UsePrivilegeSeparation=yes. This is still
> > experimental, please let openssh-unix-dev@ know how it goes.
>
> I'm getting a *lot* of warnings with the current version from CVS,
> e. g.:
> [snip]

You are using CVS, right?

Looks like what I got with a stale config.h / config.h.in.

Did you run autoreconf instead of just autoconf?

>
> This is introduced by including `defines.h' from `include.h'.
> The problem is that `defines.h' already has been included previously
> from `config.h'.
>
> Corinna
>

--
Tim Rice    Multitalents    (707) 887-1469
tim at multitalents.net

From vinschen at redhat.com Fri Apr 26 05:04:37 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 25 Apr 2002 21:04:37 +0200
Subject: Please test snapshots
In-Reply-To:
References: <20020425173835.E13521@cygbert.vinschen.de>
Message-ID: <20020425210437.K13521@cygbert.vinschen.de>

On Thu, Apr 25, 2002 at 11:51:03AM -0700, Tim Rice wrote:
> On Thu, 25 Apr 2002, Corinna Vinschen wrote:
> > I'm getting a *lot* of warnings with the current version from CVS,
> > e. g.:
> > [snip]
>
> You are using CVS, right?
>
> Looks like what I got with a stale config.h / config.h.in.
>
> Did you run autoreconf instead of just autoconf?

Oops, no. That solves it.

Sorry,
Corinna

--
Corinna Vinschen                  Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From tim at multitalents.net Fri Apr 26 05:29:12 2002
From: tim at multitalents.net (Tim Rice) Date: Thu, 25 Apr 2002 12:29:12 -0700 (PDT) Subject: Trusted HP-UX Patch from Re: PLEASE TEST snapshots In-Reply-To: <00ae01c1ec81$ca8cdc90$9b78a8c0@oedserver> Message-ID: On Thu, 25 Apr 2002, Darren Cole wrote: > > did you review the auth-passwd.c changes? > > :> +# ifdef HAVE_SECUREWARE > > :> # include > > :> # include > > :> # include > > :> -# endif /* HAVE_SCO_PROTECTED_PW */ > > :> +# endif /* HAVE_SECUREWARE */ > > > > is audit.h really required here? > > I don't think it is needed for Trusted HPUX (compiled with it included and > without. Each time had the same set of warnings). Someone on SCO will have > to comment for them, I think that is why it was included. > from the getprpwnam() man page ... getprpwent, getprpwuid, getprpwnam, setprpwent, endprpwent, putprpwnam -- manipulate protected password database entry Syntax ====== cc . . . -lprot -lx #include #include #include #include ... I haven't tried leaving it out. -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From djm at mindrot.org Fri Apr 26 08:36:59 2002 From: djm at mindrot.org (Damien Miller) Date: Fri, 26 Apr 2002 08:36:59 +1000 (EST) Subject: Please test snapshots In-Reply-To: <20020425173835.E13521@cygbert.vinschen.de> Message-ID: On Thu, 25 Apr 2002, Corinna Vinschen wrote: > This is introduced by including `defines.h' from `include.h'. > The problem is that `defines.h' already has been included previously > from `config.h'. It shouldn't be included from config.h anymore. Have you run autoheader? -d From djm at mindrot.org Fri Apr 26 10:52:34 2002 
From: djm at mindrot.org (Damien Miller) Date: Fri, 26 Apr 2002 10:52:34 +1000 (EST) Subject: PAM keyboard-interactive Message-ID: The following patch (relative to -current) makes PAM a proper kbd-interactive citizen. There are a few limitations (grep for todo), but the code seems to work OK for protocols 1 & 2 with and without privsep. Please have a play! auth2-pam.c is based on code from FreeBSD. Index: auth2-chall.c =================================================================== RCS file: /var/cvs/openssh/auth2-chall.c,v retrieving revision 1.17 diff -u -r1.17 auth2-chall.c --- auth2-chall.c 22 Mar 2002 02:30:43 -0000 1.17 +++ auth2-chall.c 24 Apr 2002 01:03:14 -0000 @@ -40,11 +40,17 @@ #ifdef BSD_AUTH extern KbdintDevice bsdauth_device; +extern KbdintDevice mm_bsdauth_device; #else #ifdef SKEY extern KbdintDevice skey_device; +extern KbdintDevice mm_skey_device; #endif #endif +#ifdef USE_PAM +extern KbdintDevice pam_device; +extern KbdintDevice mm_pam_device; +#endif KbdintDevice *devices[] = { #ifdef BSD_AUTH @@ -54,6 +60,23 @@ &skey_device, #endif #endif +#ifdef USE_PAM + &pam_device, +#endif + NULL +}; + +KbdintDevice *mm_devices[] = { +#ifdef BSD_AUTH + &mm_bsdauth_device, +#else +#ifdef SKEY + &mm_skey_device, +#endif +#ifdef USE_PAM + &mm_pam_device, +#endif +#endif NULL }; 
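Review bot: the `#ifdef` nesting of `mm_devices[]` does not mirror `devices[]`. In `devices[]` the `#ifdef USE_PAM` entry comes after the `BSD_AUTH`/`SKEY` `#endif`, but in `mm_devices[]` it is placed inside the `#else` branch of `#ifdef BSD_AUTH`, so a build with both `BSD_AUTH` and `USE_PAM` gets `devices[] = {&bsdauth_device, &pam_device, NULL}` but `mm_devices[] = {&mm_bsdauth_device, NULL}`. The element-wise copy that `privsep_challenge_enable()` now does (`devices[i] = mm_devices[i]`) then writes the NULL terminator into `devices[1]` and PAM silently vanishes under privsep. Hoist the `#ifdef USE_PAM` block out of the `#else` so both arrays are built from identical conditionals; since the copy loop assumes the two arrays are index-aligned, a comment next to the arrays (or a startup check that both have the same length) would keep them in step.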
@@ -314,18 +337,8 @@ void privsep_challenge_enable(void) { -#ifdef BSD_AUTH - extern KbdintDevice mm_bsdauth_device; -#endif -#ifdef SKEY - extern KbdintDevice mm_skey_device; -#endif - /* As long as SSHv1 has devices[0] hard coded this is fine */ -#ifdef BSD_AUTH - devices[0] = &mm_bsdauth_device; -#else -#ifdef SKEY - devices[0] = &mm_skey_device; -#endif -#endif + int i; + + for(i = 0; devices[i] != NULL; i++) + devices[i] = mm_devices[i]; } Index: auth2-pam.c =================================================================== RCS file: /var/cvs/openssh/auth2-pam.c,v retrieving revision 1.12 diff -u -r1.12 auth2-pam.c --- auth2-pam.c 22 Jan 2002 12:43:13 -0000 1.12 +++ auth2-pam.c 24 Apr 2002 01:03:15 -0000 
@@ -1,158 +1,344 @@ +/*- + * Copyright (c) 2002 Networks Associates Technology, Inc. + * All rights reserved. + * + * This software was developed for the FreeBSD Project by ThinkSec AS and + * NAI Labs, the Security Research Division of Network Associates, Inc. + * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the + * DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD: src/crypto/openssh/auth2-pam.c,v 1.1 2002/03/21 12:18:27 des Exp $ + */ + #include "includes.h" -RCSID("$Id: auth2-pam.c,v 1.12 2002/01/22 12:43:13 djm Exp $"); #ifdef USE_PAM +RCSID("$FreeBSD: src/crypto/openssh/auth2-pam.c,v 1.1 2002/03/21 12:18:27 des Exp $"); + #include -#include "ssh.h" -#include "ssh2.h" #include "auth.h" -#include "auth-pam.h" -#include "packet.h" #include "xmalloc.h" -#include "dispatch.h" #include "log.h" +#include "monitor_wrap.h" -static int do_pam_conversation_kbd_int(int num_msg, - const struct pam_message **msg, struct pam_response **resp, - void *appdata_ptr); -void input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt); - -struct { - int finished, num_received, num_expected; - int *prompts; - struct pam_response *responses; -} context_pam2 = {0, 0, 0, NULL}; - -static struct pam_conv conv2 = { - do_pam_conversation_kbd_int, - NULL, +struct pam_ctxt { + char *pam_user; + pid_t pam_pid; + int pam_sock; + int pam_done; }; -int -auth2_pam(Authctxt *authctxt) -{ - int retval = -1; +static void pam_free_ctx(void *); - if (authctxt->user == NULL) - fatal("auth2_pam: internal error: no user"); +/* + * Send message to parent or child. + */ +static int +pam_send(struct pam_ctxt *ctxt, char *fmt, ...) +{ + va_list ap; + char *mstr, buf[2048]; + size_t len; + int r; + + va_start(ap, fmt); + len = vsnprintf(buf, sizeof(buf), fmt, ap); + va_end(ap); + if (len == -1 || len > sizeof(buf)) + fatal("pam_send: message too long"); + mstr = xstrdup(buf); + if (ctxt->pam_pid != 0) + debug2("to child: %d bytes", len); + r = send(ctxt->pam_sock, mstr, len + 1, MSG_EOR); + free(mstr); + return (r); +} - conv2.appdata_ptr = authctxt; - do_pam_set_conv(&conv2); +/* + * Peek at first byte of next message. 
+ */ +static int +pam_peek(struct pam_ctxt *ctxt) +{ + char ch; - dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, - &input_userauth_info_response_pam); - retval = (do_pam_authenticate(0) == PAM_SUCCESS); - dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL); + if (recv(ctxt->pam_sock, &ch, 1, MSG_PEEK) < 1) + return (-1); + return (ch); +} - return retval; +/* + * Receive a message from parent or child. + */ +static char * +pam_receive(struct pam_ctxt *ctxt) +{ + char *buf; + size_t len; + ssize_t rlen; + + len = 64; + buf = NULL; + do { + len *= 2; + buf = xrealloc(buf, len); + rlen = recv(ctxt->pam_sock, buf, len, MSG_PEEK); + if (rlen < 1) { + xfree(buf); + return (NULL); + } + } while (rlen == len); + if (recv(ctxt->pam_sock, buf, len, 0) != rlen) { + xfree(buf); + return (NULL); + } + if (ctxt->pam_pid != 0) + debug2("from child: %s", buf); + return (buf); } +/* + * Conversation function for child process. + */ static int -do_pam_conversation_kbd_int(int num_msg, const struct pam_message **msg, - struct pam_response **resp, void *appdata_ptr) +pam_child_conv(int n, + const struct pam_message **msg, + struct pam_response **resp, + void *data) { - int i, j, done; - char *text; + struct pam_ctxt *ctxt; + int i; - context_pam2.finished = 0; - context_pam2.num_received = 0; - context_pam2.num_expected = 0; - context_pam2.prompts = xmalloc(sizeof(int) * num_msg); - context_pam2.responses = xmalloc(sizeof(struct pam_response) * num_msg); - memset(context_pam2.responses, 0, sizeof(struct pam_response) * num_msg); - - text = NULL; - for (i = 0, context_pam2.num_expected = 0; i < num_msg; i++) { - int style = PAM_MSG_MEMBER(msg, i, msg_style); - switch (style) { - case PAM_PROMPT_ECHO_ON: + ctxt = data; + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + if ((*resp = calloc(n, sizeof **resp)) == NULL) + return (PAM_BUF_ERR); + for (i = 0; i < n; ++i) { + resp[i]->resp_retcode = 0; + resp[i]->resp = NULL; + switch (msg[i]->msg_style) { case PAM_PROMPT_ECHO_OFF: 
- context_pam2.num_expected++; + pam_send(ctxt, "p%s", msg[i]->msg); + resp[i]->resp = pam_receive(ctxt); + break; + case PAM_PROMPT_ECHO_ON: + pam_send(ctxt, "P%s", msg[i]->msg); + resp[i]->resp = pam_receive(ctxt); break; - case PAM_TEXT_INFO: case PAM_ERROR_MSG: - default: - /* Capture all these messages to be sent at once */ - message_cat(&text, PAM_MSG_MEMBER(msg, i, msg)); + /*pam_send(ctxt, "e%s", msg[i]->msg);*/ break; + case PAM_TEXT_INFO: + /*pam_send(ctxt, "i%s", msg[i]->msg);*/ + break; + default: + goto fail; } } + return (PAM_SUCCESS); + fail: + while (i) + free(resp[--i]); + /* XXX: bzero responses too */ + free(*resp); + *resp = NULL; + return (PAM_CONV_ERR); +} - if (context_pam2.num_expected == 0) - return PAM_SUCCESS; +/* + * Child process. + */ +static void * +pam_child(struct pam_ctxt *ctxt) +{ + struct pam_conv pam_conv = { pam_child_conv, ctxt }; + pam_handle_t *pamh; + int pam_err; + + pam_err = pam_start("sshd", ctxt->pam_user, &pam_conv, &pamh); + if (pam_err != PAM_SUCCESS) + goto auth_fail; + pam_err = pam_authenticate(pamh, 0); + if (pam_err != PAM_SUCCESS) + goto auth_fail; + pam_send(ctxt, "=OK"); + pam_end(pamh, pam_err); + exit(0); + auth_fail: + pam_send(ctxt, "!%s", pam_strerror(pamh, pam_err)); + pam_end(pamh, pam_err); + exit(0); +} - packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST); - packet_put_cstring(""); /* Name */ - packet_put_cstring(""); /* Instructions */ - packet_put_cstring(""); /* Language */ - packet_put_int(context_pam2.num_expected); - - for (i = 0, j = 0; i < num_msg; i++) { - int style = PAM_MSG_MEMBER(msg, i, msg_style); - - /* Skip messages which don't need a reply */ - if (style != PAM_PROMPT_ECHO_ON && style != PAM_PROMPT_ECHO_OFF) - continue; - - context_pam2.prompts[j++] = i; - if (text) { - message_cat(&text, PAM_MSG_MEMBER(msg, i, msg)); - packet_put_cstring(text); - text = NULL; - } else - packet_put_cstring(PAM_MSG_MEMBER(msg, i, msg)); - packet_put_char(style == PAM_PROMPT_ECHO_ON); - } - packet_send(); - 
packet_write_wait(); - - /* - * Grabbing control of execution and spinning until we get what - * we want is probably rude, but it seems to work properly, and - * the client *should* be in lock-step with us, so the loop should - * only be traversed once. - */ - while(context_pam2.finished == 0) { - done = 1; - dispatch_run(DISPATCH_BLOCK, &done, appdata_ptr); - if(context_pam2.finished == 0) - debug("extra packet during conversation"); - } - - if(context_pam2.num_received == context_pam2.num_expected) { - *resp = context_pam2.responses; - return PAM_SUCCESS; - } else - return PAM_CONV_ERR; -} - -void -input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt) -{ - Authctxt *authctxt = ctxt; - unsigned int nresp = 0, rlen = 0, i = 0; - char *resp; - - if (authctxt == NULL) - fatal("input_userauth_info_response_pam: no authentication context"); - - nresp = packet_get_int(); /* Number of responses. */ - debug("got %d responses", nresp); - - for (i = 0; i < nresp; i++) { - int j = context_pam2.prompts[i]; - - resp = packet_get_string(&rlen); - context_pam2.responses[j].resp_retcode = PAM_SUCCESS; - context_pam2.responses[j].resp = xstrdup(resp); - xfree(resp); - context_pam2.num_received++; +static void * +pam_init_ctx(Authctxt *authctxt) +{ + struct pam_ctxt *ctxt; + int socks[2]; + int i; + + ctxt = xmalloc(sizeof *ctxt); + ctxt->pam_user = xstrdup(authctxt->user); + ctxt->pam_done = 0; + if (socketpair(AF_UNIX, SOCK_DGRAM, PF_UNSPEC, socks) == -1) { + error("%s: failed create sockets: %s", + __func__, strerror(errno)); + xfree(ctxt); + return (NULL); + } + if ((ctxt->pam_pid = fork()) == -1) { + error("%s: failed to fork auth-pam child: %s", + __func__, strerror(errno)); + close(socks[0]); + close(socks[1]); + xfree(ctxt); + return (NULL); + } + if (ctxt->pam_pid == 0) { + /* close everything except our end of the pipe */ + ctxt->pam_sock = socks[1]; + for (i = 0; i < getdtablesize(); ++i) + if (i != ctxt->pam_sock) + close(i); + pam_child(ctxt); + /* 
not reached */ + exit(1); } + ctxt->pam_sock = socks[0]; + close(socks[1]); + return (ctxt); +} - context_pam2.finished = 1; +int +pam_query(void *ctx, char **name, char **info, + u_int *num, char ***prompts, u_int **echo_on) +{ + struct pam_ctxt *ctxt = ctx; + char *msg; - packet_check_eom(); + if ((msg = pam_receive(ctxt)) == NULL) + return (-1); + *name = xstrdup(""); + *info = xstrdup(""); + *prompts = xmalloc(sizeof(char *)); + *echo_on = xmalloc(sizeof(u_int)); + switch (*msg) { + case 'P': + **echo_on = 1; + case 'p': + *num = 1; + **prompts = xstrdup(msg + 1); + **echo_on = (*msg == 'P'); + break; + case '=': + *num = 0; + **echo_on = 0; + ctxt->pam_done = 1; + break; + case '!': + error("%s", msg + 1); + default: + *num = 0; + **echo_on = 0; + xfree(msg); + ctxt->pam_done = -1; + return (-1); + } + xfree(msg); + return (0); } -#endif +int +pam_respond(void *ctx, u_int num, char **resp) +{ + struct pam_ctxt *ctxt = ctx; + char *msg; + + debug2(__func__); + switch (ctxt->pam_done) { + case 1: + return (0); + case 0: + break; + default: + return (-1); + } + if (num != 1) { + error("expected one response, got %u", num); + return (-1); + } + pam_send(ctxt, "%s", *resp); + switch (pam_peek(ctxt)) { + case 'P': + case 'p': + return (1); + case '=': + msg = pam_receive(ctxt); + xfree(msg); + ctxt->pam_done = 1; + return (0); + default: + msg = pam_receive(ctxt); + if (*msg == '!') + error("%s", msg + 1); + xfree(msg); + ctxt->pam_done = -1; + return (-1); + } +} + +static void +pam_free_ctx(void *ctxtp) +{ + struct pam_ctxt *ctxt = ctxtp; + + close(ctxt->pam_sock); + kill(ctxt->pam_pid, SIGHUP); + /* XXX: wait()? 
*/ + xfree(ctxt->pam_user); + xfree(ctxt); +} + +KbdintDevice pam_device = { + "pam", + pam_init_ctx, + pam_query, + pam_respond, + pam_free_ctx +}; + +KbdintDevice mm_pam_device = { + "pam", + mm_pam_init_ctx, + mm_pam_query, + mm_pam_respond, + mm_pam_free_ctx +}; + +#endif /* USE_PAM */ Index: auth2.c =================================================================== RCS file: /var/cvs/openssh/auth2.c,v retrieving revision 1.100 diff -u -r1.100 auth2.c --- auth2.c 23 Apr 2002 10:28:49 -0000 1.100 +++ auth2.c 24 Apr 2002 01:03:17 -0000 @@ -119,8 +119,6 @@ /* challenge-response is implemented via keyboard interactive */ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; - if (options.pam_authentication_via_kbd_int) - options.kbd_interactive_authentication = 1; dispatch_init(&dispatch_protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); @@ -370,10 +368,6 @@ if (options.challenge_response_authentication) authenticated = auth2_challenge(authctxt, devs); -#ifdef USE_PAM - if (authenticated == 0 && options.pam_authentication_via_kbd_int) - authenticated = auth2_pam(authctxt); -#endif xfree(devs); xfree(lang); #ifdef HAVE_CYGWIN Index: monitor.h =================================================================== RCS file: /var/cvs/openssh/monitor.h,v retrieving revision 1.5 diff -u -r1.5 monitor.h --- monitor.h 23 Apr 2002 10:28:49 -0000 1.5 +++ monitor.h 24 Apr 2002 01:03:17 -0000 
@@ -38,6 +38,10 @@ MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND, MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY, MONITOR_REQ_SKEYRESPOND, MONITOR_ANS_SKEYRESPOND, + MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX, + MONITOR_REQ_PAMQUERY, MONITOR_ANS_PAMQUERY, + MONITOR_REQ_PAMRESPOND, MONITOR_ANS_PAMRESPOND, + MONITOR_REQ_PAM_FREE_CTX, MONITOR_REQ_KEYALLOWED, MONITOR_ANS_KEYALLOWED, MONITOR_REQ_KEYVERIFY, MONITOR_ANS_KEYVERIFY, MONITOR_REQ_KEYEXPORT, Index: monitor_wrap.c =================================================================== RCS file: /var/cvs/openssh/monitor_wrap.c,v retrieving revision 1.6 diff -u -r1.6 monitor_wrap.c --- monitor_wrap.c 23 Apr 2002 10:28:49 -0000 1.6 +++ monitor_wrap.c 24 Apr 2002 01:03:18 -0000 
@@ -804,6 +804,77 @@ return ((authok == 0) ? -1 : 0); } +void * +mm_pam_init_ctx(struct Authctxt *authctxt) +{ + fatal("Not implemented"); + return (NULL); +} + +int +mm_pam_query(void *ctx, char **name, char **infotxt, + u_int *numprompts, char ***prompts, u_int **echo_on) +{ + Buffer m; + int res; + char *challenge; + + debug3("%s: entering", __FUNCTION__); + + buffer_init(&m); + mm_request_send(monitor->m_recvfd, MONITOR_REQ_PAMQUERY, &m); + + mm_request_receive_expect(monitor->m_recvfd, MONITOR_ANS_PAMQUERY, &m); + res = buffer_get_int(&m); + if (res == -1) { + debug3("%s: no challenge", __FUNCTION__); + buffer_free(&m); + return (-1); + } + + /* Get the challenge, and format the response */ + challenge = buffer_get_string(&m, NULL); + buffer_free(&m); + + debug3("%s: received challenge: %s", __FUNCTION__, challenge); + + mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); + + (*prompts)[0] = challenge; + xfree(challenge); + + return (0); +} + +int +mm_pam_respond(void *ctx, u_int numresponses, char **responses) +{ + Buffer m; + int authok; + + debug3("%s: entering", __FUNCTION__); + if (numresponses != 1) + return (-1); + + buffer_init(&m); + buffer_put_cstring(&m, responses[0]); + mm_request_send(monitor->m_recvfd, MONITOR_REQ_PAMRESPOND, &m); + + mm_request_receive_expect(monitor->m_recvfd, + MONITOR_ANS_PAMRESPOND, &m); + + authok = buffer_get_int(&m); + buffer_free(&m); + + return ((authok == 0) ? -1 : 0); +} + +void +mm_pam_free_ctx(void *ctxtp) +{ + fatal("Not implemented"); +} + void mm_ssh1_session_id(u_char session_id[16]) { Index: monitor_wrap.h =================================================================== RCS file: /var/cvs/openssh/monitor_wrap.h,v retrieving revision 1.5 diff -u -r1.5 monitor_wrap.h --- monitor_wrap.h 23 Apr 2002 10:28:49 -0000 1.5 +++ monitor_wrap.h 24 Apr 2002 01:03:18 -0000 
@@ -82,6 +82,12 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_skey_respond(void *, u_int, char **); +/* pam */ +void *mm_pam_init_ctx(struct Authctxt *); +int mm_pam_query(void *, char **, char **, u_int *, char ***, u_int **); +int mm_pam_respond(void *, u_int, char **); +void mm_pam_free_ctx(void *); + /* zlib allocation hooks */ void *mm_zalloc(struct mm_master *, u_int, u_int); Index: servconf.c =================================================================== RCS file: /var/cvs/openssh/servconf.c,v retrieving revision 1.86 diff -u -r1.86 servconf.c --- servconf.c 23 Apr 2002 11:04:52 -0000 1.86 +++ servconf.c 24 Apr 2002 01:03:20 -0000 @@ -55,10 +55,6 @@ { memset(options, 0, sizeof(*options)); - /* Portable-specific options */ - options->pam_authentication_via_kbd_int = -1; - - /* Standard Options */ options->num_ports = 0; options->ports_from_cmdline = 0; options->listen_addrs = NULL; @@ -129,11 +125,6 @@ void fill_default_server_options(ServerOptions *options) { - /* Portable-specific options */ - if (options->pam_authentication_via_kbd_int == -1) - options->pam_authentication_via_kbd_int = 0; - - /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_1|SSH_PROTO_2; if (options->num_host_key_files == 0) { @@ -258,9 +249,6 @@ /* Keyword tokens. */ typedef enum { sBadOption, /* == unknown option */ - /* Portable-specific options */ - sPAMAuthenticationViaKbdInt, - /* Standard Options */ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, @@ -294,9 +282,6 @@ const char *name; ServerOpCodes opcode; } keywords[] = { - /* Portable-specific options */ - { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }, - /* Standard Options */ { "port", sPort }, { "hostkey", sHostKeyFile }, { "hostdsakey", sHostKeyFile }, /* alias */ 
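Review bot: deleting `{ "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }` from `keywords[]` (together with the `sPAMAuthenticationViaKbdInt` case removed further down) turns the keyword into a bad option, so any existing sshd_config that still contains `PAMAuthenticationViaKbdInt yes` will make sshd refuse to start after the upgrade. Keep the keyword in the table mapped to a deprecated no-op (with a logged warning) for at least one release instead of dropping it outright.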
@@ -440,12 +425,6 @@ charptr = NULL; opcode = parse_token(arg, filename, linenum); switch (opcode) { - /* Portable-specific options */ - case sPAMAuthenticationViaKbdInt: - intptr = &options->pam_authentication_via_kbd_int; - goto parse_flag; - - /* Standard Options */ case sBadOption: return -1; case sPort: Index: servconf.h =================================================================== RCS file: /var/cvs/openssh/servconf.h,v retrieving revision 1.48 diff -u -r1.48 servconf.h --- servconf.h 22 Mar 2002 03:11:50 -0000 1.48 +++ servconf.h 24 Apr 2002 01:03:20 -0000 @@ -129,7 +129,6 @@ char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; - int pam_authentication_via_kbd_int; } ServerOptions; void initialize_server_options(ServerOptions *); Index: sshd_config =================================================================== RCS file: /var/cvs/openssh/sshd_config,v retrieving revision 1.46 diff -u -r1.46 sshd_config --- sshd_config 23 Apr 2002 11:04:53 -0000 1.46 +++ sshd_config 24 Apr 2002 01:03:21 -0000 @@ -69,10 +69,6 @@ # Kerberos TGT Passing only works with the AFS kaserver #KerberosTgtPassing no -# Set this to 'yes' to enable PAM keyboard-interactive authentication -# Warning: enabling this may bypass the setting of 'PasswordAuthentication' -#PAMAuthenticationViaKbdInt yes - #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes From bugzilla-daemon at mindrot.org Fri Apr 26 11:10:22 2002 
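Review bot: in `pam_child_conv()` the response array is indexed through the wrong pointer: `*resp = calloc(n, sizeof **resp)` allocates n `struct pam_response` elements, but `resp[i]->resp_retcode`, `resp[i]->resp` and `free(resp[--i])` treat `resp` itself as an array of pointers, which is only accidentally correct for i == 0 and reads past the single `struct pam_response *` for any conversation with more than one message; these should be `(*resp)[i].resp_retcode`, `(*resp)[i].resp` and `free((*resp)[i].resp)`. Three smaller points in the same hunk: (1) `pam_send()` checks `len > sizeof(buf)`, but `vsnprintf()` returns the untruncated length, so `len == sizeof(buf)` means the message was cut and `send(..., len + 1, ...)` then reads one byte past the `xstrdup()` copy; use `>=`, and since `pam_respond()` feeds the client's response straight into `pam_send()`, an over-long response should be rejected with a logged error and `return (-1)` rather than `fatal()`. (2) On the `auth_fail` path in `pam_child()`, `pamh` is uninitialised when `pam_start()` itself failed, yet it is passed to `pam_strerror()` and `pam_end()`; initialise `pamh = NULL` and skip `pam_end()` in that case. (3) `pam_receive()` never checks that the datagram ends in a NUL before the `%s` in `debug2()` and the `msg + 1` uses in `pam_query()`; force `buf[rlen - 1] = '\0'` (or reject the message) before use. Also note that the `PAM_ERROR_MSG` and `PAM_TEXT_INFO` sends are commented out, so module messages (password-expiry warnings, for example) never reach the client.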
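Review bot: `MONITOR_REQ_PAMQUERY`/`MONITOR_ANS_PAMQUERY` and `MONITOR_REQ_PAMRESPOND`/`MONITOR_ANS_PAMRESPOND` are added to the enum and `monitor_wrap.c` sends those requests, but this diff contains no `monitor.c` hunk registering handlers for them in the monitor's dispatch table, so on the privsep path the monitor will treat the first PAM query as an unexpected request type. Either the `monitor.c` side was left out of the post or it still needs to be written; also `MONITOR_REQ_PAM_FREE_CTX` has no `MONITOR_ANS_` counterpart, which is fine only if it is meant to be one-way.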
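Review bot: `mm_pam_init_ctx()` and `mm_pam_free_ctx()` are stubs that call `fatal("Not implemented")`, yet `mm_pam_device` wires them in as its init/free callbacks and `privsep_challenge_enable()` installs `mm_pam_device` in place of `pam_device`, so under `UsePrivilegeSeparation yes` the very first keyboard-interactive attempt kills the unprivileged child before a query is ever sent (the `MONITOR_REQ_PAM_INIT_CTX`/`MONITOR_REQ_PAM_FREE_CTX` requests added in `monitor.h` are never used here). At minimum return a placeholder context from `mm_pam_init_ctx()` and make `mm_pam_free_ctx()` a no-op until the monitor side exists. Separately, `MONITOR_ANS_PAMQUERY` carries only a result int and the prompt string, and `mm_pam_query()` leaves `echo_on` to whatever `mm_chall_setup()` defaults it to, so the echo flag that `pam_query()` derives from the `P`/`p` message prefix is lost on the privsep path; put it in the answer and set `(*echo_on)[0]` from it.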
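Review bot: removing the `PAMAuthenticationViaKbdInt` option, together with the `auth2-chall.c` device table that now includes `pam_device` whenever `USE_PAM` is defined and the `auth2.c` change that drops the `pam_authentication_via_kbd_int` gate, turns a previously opt-in feature (default off) into the default behaviour, and the warning being deleted here ("enabling this may bypass the setting of 'PasswordAuthentication'") still holds: a PAM stack that prompts for a password will do so through keyboard-interactive even on a server configured with `PasswordAuthentication no`. That consequence should be stated in `sshd_config`/`sshd_config(5)` next to `ChallengeResponseAuthentication`, so administrators who rely on `PasswordAuthentication no` to disable password logins know to set `ChallengeResponseAuthentication no` (or adjust the PAM stack) as well.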
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 11:10:22 +1000 (EST)
Subject: [Bug 205] PrivSep needs to be a compile-time option
Message-ID: <20020426011022.675A4E932@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=205

------- Additional Comments From djm at mindrot.org 2002-04-26 11:10 -------
Is -current compiling OK? Can we close this bug?

From bugzilla-daemon at mindrot.org Fri Apr 26 11:12:13 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 11:12:13 +1000 (EST)
Subject: [Bug 168] "Could not find working OpenSSL library"
Message-ID: <20020426011213.48264E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=168

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From djm at mindrot.org 2002-04-26 11:12 -------
Can't replicate

From bugzilla-daemon at mindrot.org Fri Apr 26 11:30:57 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 11:30:57 +1000 (EST)
Subject: [Bug 209] HP-UX 10.20 "make" problem
Message-ID: <20020426013057.8311FE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=209

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2002-04-26 11:30 -------
Fixed in -current (we only uudecode Ssh.bin.uu during distribution
preparation). Note that CVS users will need to run "make distprep" in their
tree, or uudecode Ssh.bin.uu manually.

From bugzilla-daemon at mindrot.org Fri Apr 26 11:31:22 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 11:31:22 +1000 (EST)
Subject: [Bug 137] 'make install' fails because of missing uudecode
Message-ID: <20020426013122.41822E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=137

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2002-04-26 11:31 -------
Fixed in -current (we only uudecode Ssh.bin.uu during distribution
preparation). Note that CVS users will need to run "make distprep" in their
tree, or uudecode Ssh.bin.uu manually.

From bugzilla-daemon at mindrot.org Fri Apr 26 11:36:52 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 11:36:52 +1000 (EST)
Subject: [Bug 178] Content of /etc/nologin isn't shown to users, fix triggers probably AIX bug
Message-ID: <20020426013652.A3463E93C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=178

------- Additional Comments From djm at mindrot.org 2002-04-26 11:36 -------
Adding arbitrary sleep() calls is a great way to get servers hanging at
unpredictable times - e.g. under high system load, 2 seconds may not be
enough.

Have you raised the issue with IBM?

From bugzilla-daemon at mindrot.org Fri Apr 26 11:53:45 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 11:53:45 +1000 (EST)
Subject: [Bug 168] "Could not find working OpenSSL library"
Message-ID: <20020426015345.92C69E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=168

dtaylor at ejasent.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WORKSFORME                  |

------- Additional Comments From dtaylor at ejasent.com 2002-04-26 11:53 -------
As I said, from the code (and the output) you can see each existing dir or
dir/include is not *appended* to CPPFLAGS, but *replaces* the previous. So I
claim "configure --with-ssl-dir=/usr/local/ssl" works only in the following
cases:

1. OpenSSL headers are installed in /usr/local/include (or any one of the
directories CPPFLAGS is initially set to) and no directory in the "for" list
exists.

2. OpenSSL headers are installed in the last existing directory in the "for"
list.

If my claim is incorrect, please explain and I apologize in advance.

From kevin at atomicgears.com Fri Apr 26 12:41:28 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Thu, 25 Apr 2002 19:41:28 -0700 (PDT)
Subject: expire checks
Message-ID:

i'm working on this. this is what i have now. sp_inact is not handled
consistently across shadow platforms, so i'm going to not address that
right now. the following is the predecessor to bug14.

what is the timeframe for 3.2.1p1? markus suggested a few more weeks.

Index: auth.c
===================================================================
RCS file: /var/cvs/openssh/auth.c,v
retrieving revision 1.51
diff -u -r1.51 auth.c
--- auth.c 22 Mar 2002 03:08:31 -0000 1.51
+++ auth.c 24 Apr 2002 19:51:00 -0000
@@ -80,18 +80,35 @@ if (!pw || !pw->pw_name) return 0; +#define DAY (24L * 60 * 60) /* 1 day in seconds */ spw = getspnam(pw->pw_name); if (spw != NULL) { - int days = time(NULL) / 86400; + time_t today = time(NULL) / DAY; + debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" + " sp_max %d", (int)today, (int)spw->sp_expire, + (int)spw->sp_lstchg, (int)spw->sp_max); - /* Check account expiry */ - if ((spw->sp_expire >= 0) && (days > spw->sp_expire)) + /* + * We assume account and password expiration occurs the + * day after the day specified. + */ + if (spw->sp_expire != -1 && today > spw->sp_expire) { + log("Account %.100s has expired", pw->pw_name); return 0; + } - /* Check password expiry */ - if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) && - (days > (spw->sp_lstchg + spw->sp_max))) + if (spw->sp_lstchg == 0) { + log("User %.100s password has expired (root forced)", + pw->pw_name); return 0; + } + + if (spw->sp_max != -1 && + today > spw->sp_lstchg + spw->sp_max) { + log("User %.100s password has expired (password aged)", + pw->pw_name); + return 0; + } } #else /* Shouldn't be called if pw is NULL, but better safe than sorry... */ From tim at multitalents.net Fri Apr 26 14:18:22 2002 
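Review bot: the new password-aging test in this hunk drops the `sp_lstchg >= 0` guard that the removed lines had. With `sp_lstchg == -1` (shadow's "last change unknown") and `sp_max` set, `today > spw->sp_lstchg + spw->sp_max` is true for any realistic `sp_max`, so such accounts are now refused as "password aged" where the old code let them in. Suggest keeping the guard, e.g. `if (spw->sp_lstchg > 0 && spw->sp_max != -1 && today > spw->sp_lstchg + spw->sp_max)`. Related: the `spw->sp_lstchg == 0` branch turns "must change password at next login" into a hard refusal, with no way for the user to change it over ssh; if that is intended, the comment should say so, because the log text "root forced" does not tell the operator why login was denied.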
From: tim at multitalents.net (Tim Rice)
Date: Thu, 25 Apr 2002 21:18:22 -0700 (PDT)
Subject: [Bug 168] "Could not find working OpenSSL library"
In-Reply-To: <20020426015345.92C69E881@shitei.mindrot.org>
Message-ID:

On Fri, 26 Apr 2002 bugzilla-daemon at mindrot.org wrote:

> http://bugzilla.mindrot.org/show_bug.cgi?id=168
>
> ------- Additional Comments From dtaylor at ejasent.com 2002-04-26 11:53 -------
> As I said, from the code (and the output) you can see each existing dir or
> dir/include is not *appended* to CPPFLAGS, but *replaces* the previous. So I
> claim "configure --with-ssl-dir=/usr/local/ssl" works only in the following
> cases:
>
> 1. OpenSSL headers are installed in /usr/local/include (or any one of the
> directories CPPFLAGS is initially set to)and no directory in "for" list exists.
>
> 2. OpenSSL headers are installed in the last existing directory in "for" list
>
> If my claim is incorrect, please explain and I apologize in advance.

Please test the attached patch to configure.ac.
If you don't have autoconf 2.52 e-mail me for configure

--
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

-------------- next part --------------
--- configure.ac.orig	Thu Apr 25 12:41:57 2002
+++ configure.ac	Thu Apr 25 21:10:24 2002
@@ -702,169 +702,52 @@ ) fi -# The big search for OpenSSL +# Search for OpenSSL +saved_CPPFLAGS="$CPPFLAGS" +saved_LDFLAGS="$LDFLAGS" AC_ARG_WITH(ssl-dir, [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], [ if test "x$withval" != "xno" ; then - tryssldir=$withval - fi - ] -) - -saved_LIBS="$LIBS" -saved_LDFLAGS="$LDFLAGS" -saved_CPPFLAGS="$CPPFLAGS" -if test "x$prefix" != "xNONE" ; then - tryssldir="$tryssldir $prefix" -fi -AC_CACHE_CHECK([for OpenSSL directory], ac_cv_openssldir, [ - for ssldir in $tryssldir "" /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do - CPPFLAGS="$saved_CPPFLAGS" - LDFLAGS="$saved_LDFLAGS" - LIBS="$saved_LIBS -lcrypto" - - # Skip directories if they don't exist - if test ! -z "$ssldir" -a ! -d "$ssldir" ; then - continue; - fi - if test ! -z "$ssldir" -a "x$ssldir" != "x/usr"; then - # Try to use $ssldir/lib if it exists, otherwise - # $ssldir - if test -d "$ssldir/lib" ; then - LDFLAGS="-L$ssldir/lib $saved_LDFLAGS" - if test ! -z "$need_dash_r" ; then - LDFLAGS="-R$ssldir/lib $LDFLAGS" + if test -d "$withval/lib"; then + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" fi else - LDFLAGS="-L$ssldir $saved_LDFLAGS" - if test ! -z "$need_dash_r" ; then - LDFLAGS="-R$ssldir $LDFLAGS" + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" fi fi - # Try to use $ssldir/include if it exists, otherwise - # $ssldir - if test -d "$ssldir/include" ; then - CPPFLAGS="-I$ssldir/include $saved_CPPFLAGS" + if test -d "$withval/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" else - CPPFLAGS="-I$ssldir $saved_CPPFLAGS" + CPPFLAGS="-I${withval} ${CPPFLAGS}" fi fi - - # Basic test to check for compatible version and correct linking - # *does not* test for RSA - that comes later. 
- AC_TRY_RUN( - [ -#include -#include -int main(void) -{ - char a[2048]; - memset(a, 0, sizeof(a)); - RAND_add(a, sizeof(a), sizeof(a)); - return(RAND_status() <= 0); -} - ], - [ - found_crypto=1 - break; - ], [] - ) - - if test ! -z "$found_crypto" ; then - break; - fi - done - - if test -z "$found_crypto" ; then - AC_MSG_ERROR([Could not find working OpenSSL library, please install or check config.log]) - fi - if test -z "$ssldir" ; then - ssldir="(system)" - fi - - ac_cv_openssldir=$ssldir -]) - -if (test ! -z "$ac_cv_openssldir" && test "x$ac_cv_openssldir" != "x(system)") ; then - AC_DEFINE(HAVE_OPENSSL) - dnl Need to recover ssldir - test above runs in subshell - ssldir=$ac_cv_openssldir - if test ! -z "$ssldir" -a "x$ssldir" != "x/usr"; then - # Try to use $ssldir/lib if it exists, otherwise - # $ssldir - if test -d "$ssldir/lib" ; then - LDFLAGS="-L$ssldir/lib $saved_LDFLAGS" - if test ! -z "$need_dash_r" ; then - LDFLAGS="-R$ssldir/lib $LDFLAGS" - fi - else - LDFLAGS="-L$ssldir $saved_LDFLAGS" - if test ! 
-z "$need_dash_r" ; then - LDFLAGS="-R$ssldir $LDFLAGS" - fi - fi - # Try to use $ssldir/include if it exists, otherwise - # $ssldir - if test -d "$ssldir/include" ; then - CPPFLAGS="-I$ssldir/include $saved_CPPFLAGS" - else - CPPFLAGS="-I$ssldir $saved_CPPFLAGS" - fi - fi -fi -LIBS="$saved_LIBS -lcrypto" - -# Now test RSA support -saved_LIBS="$LIBS" -AC_MSG_CHECKING([for RSA support]) -for WANTS_RSAREF in "" 1 ; do - if test -z "$WANTS_RSAREF" ; then - LIBS="$saved_LIBS" - else - LIBS="$saved_LIBS -lRSAglue -lrsaref" - fi - AC_TRY_RUN([ -#include -#include -#include -#include -#include -int main(void) -{ - int num; RSA *key; static unsigned char p_in[] = "blahblah"; - unsigned char c[256], p[256]; - memset(c, 0, sizeof(c)); RAND_add(c, sizeof(c), sizeof(c)); - if ((key=RSA_generate_key(512, 3, NULL, NULL))==NULL) return(1); - num = RSA_public_encrypt(sizeof(p_in) - 1, p_in, c, key, RSA_PKCS1_PADDING); - return(-1 == RSA_private_decrypt(num, c, p, key, RSA_PKCS1_PADDING)); -} - ], + ] +) +LIBS="-lcrypto $LIBS" +AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL), [ - rsa_works=1 - break; - ], []) -done -LIBS="$saved_LIBS" - -if test ! 
-z "$no_rsa" ; then - AC_MSG_RESULT(disabled) - RSA_MSG="disabled" -else - if test -z "$rsa_works" ; then - AC_MSG_WARN([*** No RSA support found *** ]) - RSA_MSG="no" - else - if test -z "$WANTS_RSAREF" ; then - AC_MSG_RESULT(yes) - RSA_MSG="yes" + dnl Check default openssl install dir + if test -n "${need_dash_r}"; then + LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}" else - RSA_MSG="yes (using RSAref)" - AC_MSG_RESULT(using RSAref) - LIBS="$LIBS -lcrypto -lRSAglue -lrsaref" + LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}" fi - fi -fi + CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}" + AC_TRY_LINK_FUNC(RAND_add, AC_DEFINE(HAVE_OPENSSL), + [ + AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***]) + ] + ) + ] +) + # Sanity check OpenSSL headers AC_MSG_CHECKING([whether OpenSSL's headers match the library]) From bugzilla-daemon at mindrot.org Fri Apr 26 14:23:57 2002 
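Review bot: replacing the `AC_TRY_RUN` probe with `AC_TRY_LINK_FUNC(RAND_add, ...)` weakens what the check proves. The removed program also executed `RAND_status()`, so a libcrypto that links but cannot run (wrong shared library resolved at run time, no usable entropy source) failed at configure time with a clear message; the new check passes as soon as the symbol links and the problem moves to the first run of sshd. The hunk also removes the whole `for ssldir in ...` candidate list (`/usr/local/openssl`, `/usr/lib/ssl`, `/usr/pkg`, `/opt/openssl`, `$prefix`, ...) and falls back to `/usr/local/ssl` only, which is a behaviour change for every install that relied on those defaults, and it deletes `rsa_works`, `WANTS_RSAREF` and `RSA_MSG` without touching anything that later reads them; any remaining reference to those variables in configure.ac (including the `-lRSAglue -lrsaref` link line) needs to go in the same patch or it will silently see them empty.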
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 14:23:57 +1000 (EST)
Subject: [Bug 227] New: 2nd Client Instance Can Login Without Authorization
Message-ID: <20020426042357.D7836E939@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=227

           Summary: 2nd Client Instance Can Login Without Authorization
           Product: Portable OpenSSH
           Version: 3.1p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: security
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: drchang at hawaii.edu

I'm using Red Hat Linux 7.2 with the Red Hat binary RPM version of OpenSSH 3.1p1. I've noticed that when I'm logged in to the server from my local network using SSH2 and public key authentication, if I log in from another SSH2 client, an unauthorized key will be able to login to the server. Additionally, if a valid key is present on the 2nd client, no passphrase will be prompted for when connecting. In each instance, I'm logging into the same user account.

In summary, if I'm logged in already, and I then login using another client using public key authentication, the 2nd instance will not require a valid key for the server.

All forms of authentication by host have been disabled in sshd_config.

From bugzilla-daemon at mindrot.org Fri Apr 26 15:03:47 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 15:03:47 +1000 (EST)
Subject: [Bug 227] 2nd Client Instance Can Login Without Authorization
Message-ID: <20020426050347.78EC8E939@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=227

------- Additional Comments From mouring at eviladmin.org 2002-04-26 15:03 -------

Provide us with your environment and a reproducible example.

The only thing I can think of is that you are using ssh-agent and you've registered your key with the agent the first time. Thus it is now usable for all following SSH sessions (from your account) without having to decrypt the key.

Other than using ssh-agent I can't see nor reproduce this with 3.1 compiled from the OpenSSH portable tree (non-Redhat RPM) or under OpenBSD using -current.

- Ben

From bugzilla-daemon at mindrot.org Fri Apr 26 16:00:31 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 16:00:31 +1000 (EST)
Subject: [Bug 168] "Could not find working OpenSSL library"
Message-ID: <20020426060031.54A17E93C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=168

------- Additional Comments From djm at mindrot.org 2002-04-26 16:00 -------

Your claim is incorrect: we break from the search loop if/when a test program correctly executes. In this case, you are left with the correct directory in $ssldir

If the test program doesn't compile or execute then you get the error message.

From bugzilla-daemon at mindrot.org Fri Apr 26 16:55:18 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 16:55:18 +1000 (EST)
Subject: [Bug 180] [PATCH] sshd sets no ToS bit on connections with IPv4-mapped IPv6 addresses
Message-ID: <20020426065518.01F53E93E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=180

djm at mindrot.org changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|NEW         |RESOLVED
         Resolution|            |FIXED

------- Additional Comments From djm at mindrot.org 2002-04-26 16:55 -------

Committed something similar, please test CVS -current.

In future, please attach patches (Using the "Create a new attachment" link) rather than pasting them inline.

From djm at mindrot.org Fri Apr 26 16:56:52 2002
From: djm at mindrot.org (Damien Miller)
Date: Fri, 26 Apr 2002 16:56:52 +1000 (EST)
Subject: expire checks
In-Reply-To:
Message-ID:

On Thu, 25 Apr 2002, Kevin Steves wrote:

> i'm working on this. this is what i have now. sp_inact is not handled
> consistently across shadow platforms, so i'm going to not address that
> right now. the following is the predecessor to bug14.
>
> what is the timeframe for 3.2.1p1? markus suggested a few more weeks.

That sounds OK for me. I'd really like to see privsep tested more on more platforms.

-d

From ewheeler at kaico.com Fri Apr 26 17:09:46 2002
From: ewheeler at kaico.com (ewheeler at kaico.com)
Date: Fri, 26 Apr 2002 00:09:46 -0700 (PDT)
Subject: expire checks
In-Reply-To:
Message-ID:

I would love to be a beta for privsep if the portable will compile for linux (I've not tried yet). Is there a cvs somewhere I should pull from? Does privsep work under linux?

On Fri, 26 Apr 2002, Damien Miller wrote:

>
>
> On Thu, 25 Apr 2002, Kevin Steves wrote:
>
> > i'm working on this. this is what i have now. sp_inact is not handled
> > consistently across shadow platforms, so i'm going to not address that
> > right now. the following is the predecessor to bug14.
> >
> > what is the timeframe for 3.2.1p1? markus suggested a few more weeks.
>
> That sounds OK for me. I'd really like to see privsep tested more on more
> platforms.
>
> -d
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

--
Eric Wheeler
Network Administrator
KAICO
20417 SW 70th Ave.
Tualatin, OR 97062
www.kaico.com
Voice: 503.692.5268

From djm at mindrot.org Fri Apr 26 17:35:21 2002
From: djm at mindrot.org (Damien Miller)
Date: Fri, 26 Apr 2002 17:35:21 +1000 (EST)
Subject: expire checks
In-Reply-To:
Message-ID:

On Fri, 26 Apr 2002, ewheeler at kaico.com wrote:

> I would love to be a beta for privsep if the portable will compile for
> linux (I've not tried yet). Is there a cvs somewhere I should pull
> from? Does privsep work under linux?

Anonymous CVS access and daily snapshots are available from places listed on http://www.openssh.com/portable.html

Privsep should work quite well under Linux if you don't enable PAM. I have committed some code to get PAM privsep working, but it is not very well tested and does break on Solaris and HP/UX (sorry Kevin!).

PAM Kbd-int authentication using privsep is completely untested and will surely break unless you try the very experimental patch I sent earlier today.

We also need people with OSF/1 machines to check how privsep works with the SIA stuff.

-d

From bugzilla-daemon at mindrot.org Fri Apr 26 17:41:10 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 17:41:10 +1000 (EST)
Subject: [Bug 227] 2nd Client Instance Can Login Without Authorization
Message-ID: <20020426074110.6FC6CE939@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=227

------- Additional Comments From markus at openbsd.org 2002-04-26 17:41 -------

could you please provide an example?

From bugzilla-daemon at mindrot.org Fri Apr 26 17:50:54 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 17:50:54 +1000 (EST)
Subject: [Bug 180] [PATCH] sshd sets no ToS bit on connections with IPv4-mapped IPv6 addresses
Message-ID: <20020426075054.EBF6EE939@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=180

------- Additional Comments From markus at openbsd.org 2002-04-26 17:50 -------

This is what itojun wrote:

On many systems, IP_TOS setsockopt on AF_INET6 socket does not work. This is because there is no standard behavior defined for setsockopt(IP_TOS) over AF_INET6 socket. Therefore, you will want to take either of the following routes:

- apply the submitted patch itself, and ignore error returns at setsockopt(IP_TOS)
- do not apply the patch, and convert IPv4-mapped address into normal IPv4 address before opening socket (hence we will use it as normal IPv4 address on AF_INET socket).

From bugzilla-daemon at mindrot.org Fri Apr 26 19:39:07 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 19:39:07 +1000 (EST)
Subject: [Bug 227] 2nd Client Instance Can Login Without Authorization
Message-ID: <20020426093907.5F0F8E941@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=227

------- Additional Comments From drchang at hawaii.edu 2002-04-26 19:39 -------

Here is what is happening. I've replaced information with variables where necessary to maintain privacy.

I'm connected and logged in from one workstation (HOST_X) using publickey authentication. If from another workstation (HOST_Y) I execute:

# ssh -v -2 -c $CIPHER -l $USERNAME $HOSTNAME
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 6726 geteuid 6726 anon 1
debug1: Connecting to $HOSTNAME [$HOSTNAME] port 22.
debug1: temporarily_use_uid: 6726/100 (e=6726)
debug1: restore_uid
debug1: temporarily_use_uid: 6726/100 (e=6726)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /$PATH/id_rsa type -1
debug1: identity file /$PATH/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client $CIPHER $CIPHER2 none
debug1: kex: client->server $CIPHER $CIPHER2 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 255/512
debug1: bits set: 2018/4095
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '$HOSTNAME' is known and matches the RSA host key.
debug1: Found key in /$PATH/known_hosts:1
debug1: bits set: 2118/4095
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: cipher_init: set keylen (16 -> 32)
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: cipher_init: set keylen (16 -> 32)
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,keyboard-interactive
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key "$USER at HOST_X"
debug1: input_userauth_pk_ok: pkalg ssh-dss blen 817 lastkey 1381a8 hint -1
debug1: ssh-userauth2 successful: method publickey
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: Requesting authentication agent forwarding.
debug1: channel request 0: auth-agent-req at openssh.com
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
Last login: $DATE_TIME from $LAST_HOST

I get connected without any prompt for a passphrase for my private key. The key available on this workstation need not be in .authorized_keys for a login to occur.

Also "$USER@$HOST_X" is not the address listed in the key of the workstation making the connection. Rather, it is "$USER at HOST_Y". "$USER@$HOST_X" is the address listed in the key of the workstation already logged in. So it appears that "$USER@$HOST_Y" can connect using "$USER at HOST_X"'s credentials.

HOST_X and HOST_Y are on totally different networks. HOST_X and HOST_Y reference completely different keys.

Here are the RPM's in use. They are the latest binaries from Red Hat:

# rpm -qa | grep ssh
openssh-askpass-3.1p1-2
openssh-3.1p1-2
openssh-server-3.1p1-2
openssh-clients-3.1p1-2

Linux kernel is 2.4.9-31 using Red Hat Linux 7.2.

I did not configure ssh-agent for anything. It doesn't appear to be in use.

Explicit settings in sshd_config are:

PubkeyAuthentication yes
RhostsAuthentication no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
PasswordAuthentication no

I shall have to try compiling from source to see if that makes a difference.

From bugzilla-daemon at mindrot.org Fri Apr 26 19:41:37 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 19:41:37 +1000 (EST)
Subject: [Bug 227] 2nd Client Instance Can Login Without Authorization
Message-ID: <20020426094137.3C136E939@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=227

------- Additional Comments From drchang at hawaii.edu 2002-04-26 19:41 -------

Sorry about the linefeeds; cut and paste didn't work too well.

From bugzilla-daemon at mindrot.org Fri Apr 26 20:34:30 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 26 Apr 2002 20:34:30 +1000 (EST) Subject: [Bug 228] New: pam_krb5 on Solaris creates credentials with wrong owner Message-ID: <20020426103430.1B366E939@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=228 Summary: pam_krb5 on Solaris creates credentials with wrong owner Product: Portable OpenSSH Version: 3.1p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: gunnar at Astrogator.SE pam_setcred() is called before the UID is set to the users own, and pam_krb5 on Solaris sets the owner of of the /tmp/krb5cc_xxx file to root. The pam_krb5 module should really check this, but it does not, and a simple workaround is to move the setcred call to after the UID setting. *** session.c-ORG Mon Feb 25 16:48:03 2002 --- session.c Mon Apr 22 03:48:01 2002 *************** *** 1135,1140 **** --- 1135,1145 ---- exit(1); } endgrent(); + # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) + irix_setusercontext(pw); + # endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ + /* Permanently switch to the desired uid. */ + permanently_set_uid(pw); # ifdef USE_PAM /* * PAM credentials may take the form of supplementary groups. *************** *** 1143,1153 **** */ do_pam_setcred(0); # endif /* USE_PAM */ - # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) - irix_setusercontext(pw); - # endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ - /* Permanently switch to the desired uid. */ - permanently_set_uid(pw); #endif } if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) --- 1148,1153 ---- ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. 
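Review bot: moving `permanently_set_uid(pw)` (and the IRIX `irix_setusercontext(pw)` block) ahead of `do_pam_setcred(0)` makes pam_setcred run with the user's uid, which contradicts the comment kept in the context directly above the call ("PAM credentials may take the form of supplementary groups"): a module that establishes supplementary groups needs root for setgroups(), so on platforms that rely on that this reordering breaks credential setup for every PAM module in order to fix one module's cache-file ownership. The narrower fix is to leave the call order alone and, while still root, hand the credential cache pam_krb5 creates to the user (or fix the module to do so), rather than changing when setcred runs.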
From bugzilla-daemon at mindrot.org Fri Apr 26 21:05:20 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 21:05:20 +1000 (EST)
Subject: [Bug 227] 2nd Client Instance Can Login Without Authorization
Message-ID: <20020426110520.A6413E939@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=227

------- Additional Comments From djm at mindrot.org 2002-04-26 21:05 -------

Please use attachments next time.

In any case, your debug trace shows a successful login using public key authentication. Have you configured this?

From bugzilla-daemon at mindrot.org Fri Apr 26 21:06:48 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 21:06:48 +1000 (EST)
Subject: [Bug 228] pam_krb5 on Solaris creates credentials with wrong owner
Message-ID: <20020426110648.88D6DE939@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=228

------- Additional Comments From djm at mindrot.org 2002-04-26 21:06 -------

Solaris PAM breaks in other ways if the PAM stuff is done after the fork+setuid.

CVS -current contains built-in krbV support, can you try that instead?

From bugzilla-daemon at mindrot.org Fri Apr 26 21:14:53 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 21:14:53 +1000 (EST)
Subject: [Bug 180] [PATCH] sshd sets no ToS bit on connections with IPv4-mapped IPv6 addresses
Message-ID: <20020426111453.0E983E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=180

------- Additional Comments From djm at mindrot.org 2002-04-26 21:14 -------

hmmm, does this apply to Linux's "original" implementation of IPv6 (where this hack is occasionally needed) too?

From bugzilla-daemon at mindrot.org Fri Apr 26 21:16:52 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 21:16:52 +1000 (EST)
Subject: [Bug 180] [PATCH] sshd sets no ToS bit on connections with IPv4-mapped IPv6 addresses
Message-ID: <20020426111652.27DA3E904@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=180

------- Additional Comments From djm at mindrot.org 2002-04-26 21:16 -------

FYI This hack is only switched on by default for Linux

From bugzilla-daemon at mindrot.org Fri Apr 26 21:33:35 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 21:33:35 +1000 (EST)
Subject: [Bug 227] 2nd Client Instance Can Login Without Authorization
Message-ID: <20020426113335.6F39EE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=227

------- Additional Comments From drchang at hawaii.edu 2002-04-26 21:33 -------

$USER at HOST_X (more accurately, the key that $USER at HOST_X uses) is the only user (key) authorized in .$authorized_keys. When this user is logged in via sshd, using their key for pubkey authentication, then when $USER at HOST_Y connects, they connect as $USER at HOST_X, as seen in the debug trace. $USER at HOST_Y is not listed in .$authorized_keys.

So $USER at HOST_X is configured, $USER at HOST_Y is not.

From bugzilla-daemon at mindrot.org Fri Apr 26 22:02:31 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 22:02:31 +1000 (EST)
Subject: [Bug 178] Content of /etc/nologin isn't shown to users, fix triggers probably AIX bug
Message-ID: <20020426120231.C3A88E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=178

------- Additional Comments From Ralf.Wenk at fh-karlsruhe.de 2002-04-26 22:02 -------

No.

From markus at openbsd.org Fri Apr 26 21:59:55 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 26 Apr 2002 13:59:55 +0200
Subject: Revised OpenSSH Security Advisory (adv.token)
Message-ID: <20020426115955.GA20796@folly>

This is the 2nd revision of the Advisory.

Buffer overflow in OpenSSH's sshd if AFS has been configured on the system or if KerberosTgtPassing or AFSTokenPassing has been enabled in the sshd_config file. Ticket and token passing is not enabled by default.

1. Systems affected:

        All Versions of OpenSSH with AFS/Kerberos token passing compiled in and enabled (either in the system or in sshd_config) contain a buffer overflow.

        Token passing is disabled by default and only available in protocol version 1.

2. Impact:

        Remote users can get privileged access for OpenSSH < 2.9.9
        Local users can get privileged access for OpenSSH < 3.2.1

        No privileged access is possible for OpenSSH with UsePrivilegeSeparation enabled.

3. Solution:

        Apply the matching patch:

        ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.1-adv.token.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.1p1-adv.token.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/024_sshafs.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/019_sshafs.patch
        ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/001_sshafs.patch

4. Credits:

        Marcell Fodor

EOF

From cmadams at hiwaay.net Fri Apr 26 23:19:25 2002
From: cmadams at hiwaay.net (Chris Adams)
Date: Fri, 26 Apr 2002 08:19:25 -0500
Subject: expire checks
In-Reply-To: ; from djm@mindrot.org on Fri, Apr 26, 2002 at 05:35:21PM +1000
References:
Message-ID: <20020426081925.B173248@hiwaay.net>

Once upon a time, Damien Miller said:
> We also need people with OSF/1 machines to check how privsep works with
> the SIA stuff.

I've been meaning to ask: what exactly _is_ privsep (is there some documentation somewhere)? I'll see how things go on OSF/1 aka Tru64 with privsep as soon as I know how to try. :-)

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From bugzilla-daemon at mindrot.org Fri Apr 26 23:18:29 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 26 Apr 2002 23:18:29 +1000 (EST)
Subject: [Bug 229] New: openssh 3.1p1 configure script aborts at "checking for OpenSSL directory" under Solaris 8
Message-ID: <20020426131829.1BADDE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=229

           Summary: openssh 3.1p1 configure script aborts at "checking for OpenSSL directory" under Solaris 8
           Product: Portable OpenSSH
           Version: -current
          Platform: Sparc
        OS/Version: Solaris
            Status: NEW
          Severity: critical
          Priority: P1
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: brigham.seaver at tc.faa.gov

Error: "configure; error: Could not find working OpenSSL library, please install or check config.log."

openssl 0.9.6.c is properly installed under /usr/local/ssl. The script for openssh 2.1.1p3 and subsequent installation completes successfully without errors.

OS is SUNOS r5.8 (Solaris 2.8) sparc, install is using GCC v 2.95.3.

From djm at mindrot.org Fri Apr 26 23:33:02 2002
From: djm at mindrot.org (Damien Miller)
Date: Fri, 26 Apr 2002 23:33:02 +1000 (EST)
Subject: expire checks
In-Reply-To: <20020426081925.B173248@hiwaay.net>
Message-ID:

On Fri, 26 Apr 2002, Chris Adams wrote:

> Once upon a time, Damien Miller said:
> > We also need people with OSF/1 machines to check how privsep works with
> > the SIA stuff.
>
> I've been meaning to ask: what exactly _is_ privsep (is there some
> documentation somewhere)? I'll see how things go on OSF/1 aka Tru64
> with privsep as soon as I know how to try. :-)

http://www.citi.umich.edu/u/provos/ssh/privsep.html

-d

From cmadams at hiwaay.net Sat Apr 27 00:09:12 2002
From: cmadams at hiwaay.net (Chris Adams)
Date: Fri, 26 Apr 2002 09:09:12 -0500
Subject: expire checks
In-Reply-To: ; from djm@mindrot.org on Fri, Apr 26, 2002 at 11:33:02PM +1000
References: <20020426081925.B173248@hiwaay.net>
Message-ID: <20020426090912.E173248@hiwaay.net>

Once upon a time, Damien Miller said:
> > I've been meaning to ask: what exactly _is_ privsep (is there some
> > documentation somewhere)? I'll see how things go on OSF/1 aka Tru64
> > with privsep as soon as I know how to try. :-)
>
> http://www.citi.umich.edu/u/provos/ssh/privsep.html

Okay, I'm looking at this now. One suggestion: it could use a little more documentation (things like "/var/empty" and such).

However, it does not work on Tru64. The problem is that session_setup_sia(), currently called from session.c/do_child(), needs to run as root. It accesses the protected password database to verify the account is active and to log the access (most recent access is logged in the protected password database).

I'm still trying to get a handle on how privsep works in the code; any suggestions for how to handle this?

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From bugzilla-daemon at mindrot.org Sat Apr 27 01:47:26 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 27 Apr 2002 01:47:26 +1000 (EST) Subject: [Bug 205] PrivSep needs to be a compile-time option Message-ID: <20020426154726.013B3E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=205 ------- Additional Comments From wendyp at cray.com 2002-04-27 01:47 ------- the last download i did was 23 april, and as of that date, it was compiling just fine (as i noted on that day). as far as Crays are concerned, go ahead and close it. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From sascha-ml-openssh-unix-dev at silbe.org Sat Apr 27 01:56:06 2002 
From: sascha-ml-openssh-unix-dev at silbe.org (Sascha Silbe)
Date: Fri, 26 Apr 2002 17:56:06 +0200
Subject: openssh 3.1p1 & autoconf 2.53
Message-ID: <20020426175605.A4707@cube.sascha.silbe.org>

If I leave the openssh sources untouched, it works fine with paths containing a comma (,). But after just running autoconf (without touching anything else), configure chokes on these paths:

=== Begin screenshot ===
configure: creating ./config.status
config.status: creating Makefile
sed: -e expression #1, char 435: Unknown option to 's'
config.status: creating openbsd-compat/Makefile
sed: -e expression #1, char 480: Unknown option to 's'
config.status: creating scard/Makefile
sed: -e expression #1, char 453: Unknown option to 's'
config.status: creating ssh_prng_cmds
sed: -e expression #1, char 445: Unknown option to 's'
config.status: creating config.h
=== End screenshot ===

That's because the paths are used unquoted in config.status:

=== Begin extract from config.status ===
  sed "
:t
/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
s,@configure_input@,$configure_input,;t t
s,@srcdir@,$ac_srcdir,;t t
s,@abs_srcdir@,$ac_abs_srcdir,;t t
s,@top_srcdir@,$ac_top_srcdir,;t t
s,@abs_top_srcdir@,$ac_abs_top_srcdir,;t t
s,@builddir@,$ac_builddir,;t t
s,@abs_builddir@,$ac_abs_builddir,;t t
s,@top_builddir@,$ac_top_builddir,;t t
s,@abs_top_builddir@,$ac_abs_top_builddir,;t t
s,@INSTALL@,$ac_INSTALL,;t t
" $ac_file_inputs | (eval "$ac_sed_cmds") >$tmp/out
=== End extract from config.status ===

I'm unsure whether openssh or autoconf is responsible for this. I did not find anything in configure.ac that could cause it, but all cases with similar problems that I could find in the list archives for autoconf were problems in the packages using autoconf, not in autoconf itself, so I thought I'd try it on this list first.

Any ideas how to fix this?
I need to patch configure.ac to link openssh statically (urgently needed because the openssl team keeps breaking binary compatibility even on patch level releases).

CU/Lnx
Sascha

Registered Linux User #77587 (http://counter.li.org/)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020426/cd8d190c/attachment.bin

From dschiebe at cisco.com Sat Apr 27 05:50:05 2002
From: dschiebe at cisco.com (Schieber, Dustin)
Date: Fri, 26 Apr 2002 15:50:05 -0400
Subject: SFTP hang on exit - 3.1p1
Message-ID:

I'm consistently getting a hang on exit when I sftp from a host running openssh 2.9p1 (hpux or solaris) to a Solaris host running openssh 3.1p1. Based on the limited testing I've done I have found this does not happen when the source and destination are both running 3.1p1.

# sftp xxx
Connecting to xxx...
sftp> ls
blah blah blah
sftp>exit
HANG

Is this a known bug? Looks a lot like the ssh hang-on-exit problem related to open file handles.

-das

From fcusack at fcusack.com Sat Apr 27 07:05:12 2002
From: fcusack at fcusack.com (Frank Cusack) Date: Fri, 26 Apr 2002 14:05:12 -0700 Subject: [Bug 117] OpenSSH second-guesses PAM In-Reply-To: <20020417133947.66C0BE95D@shitei.mindrot.org>; from bugzilla-daemon@mindrot.org on Wed, Apr 17, 2002 at 11:39:47PM +1000 References: <20020417133947.66C0BE95D@shitei.mindrot.org> Message-ID: <20020426140511.J4820@google.com> On Wed, Apr 17, 2002 at 11:39:47PM +1000, bugzilla-daemon at mindrot.org wrote: > http://bugzilla.mindrot.org/show_bug.cgi?id=117 > > ------- Additional Comments From djm at mindrot.org 2002-04-17 23:39 ------- > > You are eliminating the possibility that sshd might want to authenticate > > someone without a local account (requesting a non-login service?). > > PAM shouldn't be abused to to be a getpw* replacement. Quoth > http://www.opengroup.org/tech/rfc/mirror-rfc/rfc86.0.txt: > > ] (c) We do not address the source of information obtained from the > ] "`getXbyY()'" family of calls (e.g., `getpwnam()'). I don't understand how this supports the argument for 'NOUSER'. Passing on the real username is not [ab]using PAM for getpw* functionality. /fc From djm at mindrot.org Sat Apr 27 12:41:21 2002 
From: djm at mindrot.org (Damien Miller) Date: Sat, 27 Apr 2002 12:41:21 +1000 (EST) Subject: [Bug 117] OpenSSH second-guesses PAM In-Reply-To: <20020426140511.J4820@google.com> Message-ID: On Fri, 26 Apr 2002, Frank Cusack wrote: > On Wed, Apr 17, 2002 at 11:39:47PM +1000, bugzilla-daemon at mindrot.org wrote: > > http://bugzilla.mindrot.org/show_bug.cgi?id=117 > > > > ------- Additional Comments From djm at mindrot.org 2002-04-17 23:39 ------- > > > You are eliminating the possibility that sshd might want to authenticate > > > someone without a local account (requesting a non-login service?). > > > > PAM shouldn't be abused to to be a getpw* replacement. Quoth > > http://www.opengroup.org/tech/rfc/mirror-rfc/rfc86.0.txt: > > > > ] (c) We do not address the source of information obtained from the > > ] "`getXbyY()'" family of calls (e.g., `getpwnam()'). > > I don't understand how this supports the argument for 'NOUSER'. Passing > on the real username is not [ab]using PAM for getpw* functionality. I was referring to your comment: > You are eliminating the possibility that sshd might want to authenticate > someone without a local account (requesting a non-login service?). -d From djm at mindrot.org Sat Apr 27 13:23:07 2002 
From: djm at mindrot.org (Damien Miller)
Date: Sat, 27 Apr 2002 13:23:07 +1000 (EST)
Subject: expire checks
In-Reply-To: <20020426090912.E173248@hiwaay.net>
Message-ID:

On Fri, 26 Apr 2002, Chris Adams wrote:

> Once upon a time, Damien Miller said:
> > > I've been meaning to ask: what exactly _is_ privsep (is there some
> > > documentation somewhere)? I'll see how things go on OSF/1 aka Tru64
> > > with privsep as soon as I know how to try. :-)
> >
> > http://www.citi.umich.edu/u/provos/ssh/privsep.html
>
> Okay, I'm looking at this now. One suggestion: it could use a little
> more documentation (things like "/var/empty" and such).
>
> I'm still trying to get a handle on how privsep works in the code; any
> suggestions for how to handle this?

The picture on the above website describes the flow pretty well. In the code, the unprivileged child calls functions in monitor_wrap.c which pass requests to the privileged parent over a socket; these requests are demarshalled and processed in monitor.c. The PRIVSEP(func) macro will execute either func() or mm_func() (from monitor_wrap.c) depending on whether use_privsep is activated.

> However, it does not work on Tru64. The problem is that
> session_setup_sia(), currently called from session.c/do_child(), needs
> to run as root. It accesses the protected password database to verify
> the account is active and to log the access (most recent access is
> logged in the protected password database).

This looks very similar to what we do for pam_start. Have a look at monitor_mm.c and monitor_wrap.c to see how this is passed from child to parent.

-d

From djm at mindrot.org Sat Apr 27 13:28:11 2002
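Added example, not OpenSSH's own code and not part of the thread: a compact model of the privsep flow Damien Miller describes in the "expire checks" reply above, applied to the kind of root-only check Chris Adams raises for session_setup_sia(). A socketpair joins a privileged parent and an unprivileged child. The child calls a monitor_wrap-style proxy, mm_account_active(), which marshals a request over the socket; the parent's monitor loop validates the request type, performs the privileged lookup and sends back only the verdict. The PRIVSEP() macro mirrors the real one in shape only; the message types, account_active(), the disabled-account table and privsep_account_check() are all constructed for this example. In sshd the lookup would read the protected password database and the child would already be chrooted with privileges dropped.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Constructed request/answer codes for the monitor socket. */
enum { MON_REQ_ACCOUNT_ACTIVE = 1, MON_ANS_ACCOUNT_ACTIVE = 2, MON_ANS_REFUSED = 99 };

/* One fixed-size message in each direction. sshd uses a length-prefixed
 * buffer instead, but the shape of the exchange is the same. */
struct mon_msg {
    int  type;
    char name[32];
    int  result;
};

static int use_privsep = 1;    /* stands in for sshd's use_privsep */
static int monitor_fd  = -1;   /* child's end of the socketpair */

/* The privileged operation: a constructed stand-in for a check that needs
 * root, such as reading a protected password database. Sample data only. */
static int account_active(const char *name)
{
    static const char *disabled[] = { "expired", "locked", NULL };
    for (int i = 0; disabled[i] != NULL; i++)
        if (strcmp(name, disabled[i]) == 0)
            return 0;
    return 1;
}

/* monitor_wrap.c-style proxy: marshal the request, block for the answer.
 * The child never touches the database, it only receives the verdict. */
static int mm_account_active(const char *name)
{
    struct mon_msg req, ans;

    memset(&req, 0, sizeof req);
    req.type = MON_REQ_ACCOUNT_ACTIVE;
    strncpy(req.name, name, sizeof req.name - 1);
    if (write(monitor_fd, &req, sizeof req) != (ssize_t)sizeof req)
        return -1;
    if (read(monitor_fd, &ans, sizeof ans) != (ssize_t)sizeof ans)
        return -1;
    if (ans.type != MON_ANS_ACCOUNT_ACTIVE)
        return -1;
    return ans.result;
}

/* Same idea as sshd's PRIVSEP(func): call the proxy or the real function. */
#define PRIVSEP(x) (use_privsep ? mm_##x : x)

/* monitor.c-style dispatch loop run by the privileged parent. The parent
 * is the trust boundary: it validates every request and refuses unknown types. */
static void monitor_loop(int fd)
{
    struct mon_msg req, ans;

    while (read(fd, &req, sizeof req) == (ssize_t)sizeof req) {
        memset(&ans, 0, sizeof ans);
        if (req.type == MON_REQ_ACCOUNT_ACTIVE) {
            req.name[sizeof req.name - 1] = '\0';   /* never trust child's termination */
            ans.type   = MON_ANS_ACCOUNT_ACTIVE;
            ans.result = account_active(req.name);
        } else {
            ans.type   = MON_ANS_REFUSED;
            ans.result = -1;
        }
        if (write(fd, &ans, sizeof ans) != (ssize_t)sizeof ans)
            break;
    }
}

/* Fork a parent/child pair joined by a socketpair, let the child ask the
 * monitor about one account, and return the verdict the child received:
 * 1 = active, 0 = disabled, -1 = error. */
int privsep_account_check(const char *name)
{
    int sv[2], status;
    pid_t pid;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;
    if ((pid = fork()) == -1)
        return -1;

    if (pid == 0) {
        /* Unprivileged child. sshd would also chroot and drop uid here. */
        close(sv[0]);
        monitor_fd = sv[1];
        int r = PRIVSEP(account_active)(name);
        _exit(r == 1 ? 0 : r == 0 ? 1 : 2);
    }

    /* Privileged parent: serve requests until the child closes its end. */
    close(sv[1]);
    monitor_loop(sv[0]);
    close(sv[0]);
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;
    case 1:  return 0;
    default: return -1;
    }
}
```

With the constructed table, privsep_account_check("alice") returns 1 and privsep_account_check("expired") returns 0. The part worth carrying over to a real port is the parent side: it accepts only request types it knows, re-terminates the name before using it, does the privileged work itself, and hands the child nothing but the result.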
From: djm at mindrot.org (Damien Miller)
Date: Sat, 27 Apr 2002 13:28:11 +1000 (EST)
Subject: openssh 3.1p1 & autoconf 2.53
In-Reply-To: <20020426175605.A4707@cube.sascha.silbe.org>
Message-ID:

On Fri, 26 Apr 2002, Sascha Silbe wrote:

> If I leave the openssh sources untouched, it works fine with paths
> containing a comma (,). But after just running autoconf (without touching
> anything else), configure chokes on these paths:

[snip]

> find anything in configure.ac that could cause it, but all cases with similar
> problems that I could find in the list archives for autoconf were problems in
> the packages using autoconf, not in autoconf itself, so I thought I'd try it
> on this list first.

This looks like a problem with autoconf, you should report it as a bug to them.

> Any ideas how to fix this? I need to patch configure.ac to link openssh
> statically (urgently needed because the openssl team keeps breaking binary
> compatibility even on patch level releases).

To statically link in OpenSSL, I just do a:

perl -pi -e "s|-lcrypto|/usr/lib/libcrypto.a|g" Makefile

after running configure.

-d

From bugzilla-daemon at mindrot.org Sat Apr 27 18:34:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 27 Apr 2002 18:34:51 +1000 (EST)
Subject: [Bug 227] 2nd Client Instance Can Login Without Authorization
Message-ID: <20020427083451.A0134E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=227

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From markus at openbsd.org 2002-04-27 18:34 -------
you are confused. you are using agent forwarding. as you say: only the key USER@HOST_X is allowed and this key is used:

debug1: userauth_pubkey_agent: testing agent key "$USER@HOST_X"
debug1: input_userauth_pk_ok: pkalg ssh-dss blen 817 lastkey 1381a8 hint -1
debug1: ssh-userauth2 successful: method publickey

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Sascha at silbe.org Sat Apr 27 19:16:32 2002
From: Sascha at silbe.org (Sascha at silbe.org)
Date: Sat, 27 Apr 2002 11:16:32 +0200
Subject: openssh 3.1p1 & autoconf 2.53
In-Reply-To: ; from djm@mindrot.org on Sat, Apr 27, 2002 at 01:28:11PM +1000
References: <20020426175605.A4707@cube.sascha.silbe.org>
Message-ID: <20020427111632.C25297@cube.sascha.silbe.org>

On Sat, Apr 27, 2002 at 01:28:11PM +1000, Damien Miller [DM] wrote:

DM> This looks like a problem with autoconf, you should report it as a bug to them.

OK, will do that now.

DM> TO statically link in OpenSSL, I just do a:
DM> perl -pi -e "s|-lcrypto|/usr/lib/libcrypto.a|g" Makefile

I don't like patching Makefile when using autoconf. It's configure's task to create the right Makefile.

CU/Lnx
Sascha

Registered Linux User #77587 (http://counter.li.org/)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020427/175e9647/attachment.bin

From bugzilla-daemon at mindrot.org Sat Apr 27 19:49:04 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 27 Apr 2002 19:49:04 +1000 (EST) Subject: [Bug 227] 2nd Client Instance Can Login Without Authorization Message-ID: <20020427094904.4A47BE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=227 ------- Additional Comments From drchang at hawaii.edu 2002-04-27 19:49 ------- Thankfully I am confused! Thanks for pointing out the "agent forwarding". I've figured out that since I was using the same client, with this feature unwittingly enabled, to handle both connections during testing that it was the client that was maintaining my credentials. When this feature is disabled, the appropriate keys are authenticated or denied as expected. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sun Apr 28 01:44:00 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 28 Apr 2002 01:44:00 +1000 (EST) Subject: [Bug 229] openssh 3.1p1 configure script aborts at "checking for OpenSSL directory" under Solaris 8 Message-ID: <20020427154400.3D559E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=229 tim at multitalents.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From tim at multitalents.net 2002-04-28 01:43 ------- This is a duplicate of # 168 *** This bug has been marked as a duplicate of 168 *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sun Apr 28 01:44:07 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 28 Apr 2002 01:44:07 +1000 (EST) Subject: [Bug 168] "Could not find working OpenSSL library" Message-ID: <20020427154407.006DFE902@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=168 tim at multitalents.net changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |brigham.seaver at tc.faa.gov ------- Additional Comments From tim at multitalents.net 2002-04-28 01:44 ------- *** Bug 229 has been marked as a duplicate of this bug. *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sun Apr 28 01:50:43 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 28 Apr 2002 01:50:43 +1000 (EST) Subject: [Bug 168] "Could not find working OpenSSL library" Message-ID: <20020427155043.2F7DFE8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=168 ------- Additional Comments From tim at multitalents.net 2002-04-28 01:50 ------- Created an attachment (id=89) configure.ac patch (ssl search cleanup) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sun Apr 28 01:55:01 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 28 Apr 2002 01:55:01 +1000 (EST)
Subject: [Bug 168] "Could not find working OpenSSL library"
Message-ID: <20020427155501.19A9DE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=168

------- Additional Comments From tim at multitalents.net 2002-04-28 01:54 -------
Please test the patch in attachment (id=89)

We were about to put this in a while back but it was right before a release so we didn't. (Then we forgot about it) :-(

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun Apr 28 02:04:43 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 28 Apr 2002 02:04:43 +1000 (EST)
Subject: [Bug 205] PrivSep needs to be a compile-time option
Message-ID: <20020427160443.6E49CE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=205

tim at multitalents.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From tim at multitalents.net 2002-04-28 02:04 -------
Wendy says close it.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From cazinx at online.fr Sun Apr 28 01:19:11 2002
From: cazinx at online.fr (Xavier Cazin) Date: 27 Apr 2002 17:19:11 +0200 Subject: Enlightenment needed on file transfer Message-ID: <87d6wlnp8w.fsf@online.fr> Hello, I'm experiencing strange behavior on ssh-enabled file transfers (scp and rsync): When connecting to the Internet through an RTC PPP link to a certain provider, file transfers from a remote host (debian potato) to my local host (debian woody) get immediately stuck when issued from the local host, while they work very well when issued from the remote host. On the other hand, no problem with shell connections nor with rsync dry-runs. Also, if I connect to another provider, everything works as expected. Do you have any idea of what might happen? Thank you very much in advance, Xavier From bugzilla-daemon at mindrot.org Sun Apr 28 02:53:42 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 28 Apr 2002 02:53:42 +1000 (EST) Subject: [Bug 213] -SNAP-20020410 fails to compile under AIX 4.3.3 Message-ID: <20020427165342.B94C8E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=213 dmanton at emea.att.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED ------- Additional Comments From dmanton at emea.att.com 2002-04-28 02:53 ------- openssh-SNAP-20020427 now compiles and runs with IBM xlc 5 under AIX 4.3.3 ML9. Thanks for the fix :-) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sun Apr 28 06:33:19 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 28 Apr 2002 06:33:19 +1000 (EST) Subject: [Bug 208] SCO build/runtime fixes Message-ID: <20020427203319.1C161E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=208 ------- Additional Comments From tim at multitalents.net 2002-04-28 06:33 ------- Created an attachment (id=90) add truncate() to bsd-misc.[ch] ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sun Apr 28 06:34:22 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 28 Apr 2002 06:34:22 +1000 (EST) Subject: [Bug 208] SCO build/runtime fixes Message-ID: <20020427203422.AA6BBE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=208 ------- Additional Comments From tim at multitalents.net 2002-04-28 06:34 ------- Please try the patch in attachment 90 ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From dtucker at zip.com.au Sun Apr 28 13:07:04 2002 
From: dtucker at zip.com.au (Darren Tucker) Date: Sun, 28 Apr 2002 13:07:04 +1000 Subject: Enlightenment needed on file transfer References: <87d6wlnp8w.fsf@online.fr> Message-ID: <3CCB6758.C63058C5@zip.com.au> Xavier Cazin wrote: > When connecting to the Internet through an RTC PPP link to a certain > provider, file transfers from a remote host (debian potato) to my > local host (debian woody) get immediately stuck when issued from the > local host, while they work very well when issued from the remote > host. Is there a firewall or packet filter? If there is then it might be an MTU problem. Check the MTU on both your PPP interface and remote host's ethernet and set the higher one to equal the lower (or drop both to 576 and work up until it breaks). Also check both hosts to see if their path MTU discovery is enabled (cat /proc/sys/net/ipv4/ip_no_pmtu_disc should be 0). You might need to play with the MTU settings as this can be something of a black art due to the number of variables: host behaviour, mtu's, pmtu discovery, firewall behaviour, every link MTU between hosts, phase of the moon.... you get the idea. -Daz. From norbert at linuxnetworks.de Mon Apr 29 01:36:47 2002 
From: norbert at linuxnetworks.de (Norbert Sendetzky)
Date: Sun, 28 Apr 2002 17:36:47 +0200
Subject: OpenSSH server stops returning data from a server module
In-Reply-To: <20020410221839.GA2529@folly>
References: <200204101827.UAA21406@post.webmailer.de> <20020410221839.GA2529@folly>
Message-ID: <200204281538.RAA18321@post.webmailer.de>

Hi all

I believe I've finally found the problem: why the OpenSSH server stopped forwarding the replies from the server module!

> > After the connection between the ssh client and the server is
> > established, the user is authenticated and the server module is
> > loaded, the application starts sending messages to the server
> > module. The server module then responds to the former request.
> > After around 1K of data returned by the server module, the
> > OpenSSH server stops forwarding the data returned by the server
> > module, so the failure is deterministic.

The problem seems to be that the server module writes a lot of debug messages to stderr and the server can handle only a certain amount. After I changed the location where the messages are written to from stderr to a file descriptor pointing to a real file, everything is fine.

Can someone please verify my observation?

Norbert

From bugzilla-daemon at mindrot.org Mon Apr 29 10:50:39 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 29 Apr 2002 10:50:39 +1000 (EST)
Subject: [Bug 230] New: UsePrivilegeSeparation turns off Banner.
Message-ID: <20020429005039.068C7E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=230

           Summary: UsePrivilegeSeparation turns off Banner.
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: OpenBSD
            Status: NEW
          Severity: normal
          Priority: P3
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: krh at lemniscate.net

I have "Banner /etc/motd" and "UsePrivilegeSeparation yes" in my sshd configuration. When I "ssh localhost", I get:

$ ssh localhost
krh@localhost's password:
Last login: Sun Apr 28 17:29:10 2002 from localhost.lemniscate.net
$

as if I had no banner. Turning off UsePrivilegeSeparation fixes this; the banner comes up like it's supposed to. I only have ix86 OpenBSD systems to test this against, but I suspect it's not limited to them.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Mon Apr 29 10:53:24 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 29 Apr 2002 10:53:24 +1000 (EST)
Subject: [Bug 230] UsePrivilegeSeparation turns off Banner.
Message-ID: <20020429005324.2FDD3E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=230

------- Additional Comments From krh at lemniscate.net 2002-04-29 10:53 -------
I should add that I also have PrintMotd off so that the motd is printed only once, and yes, I am connecting with the SSH 2 protocol.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bias at pobox.com Mon Apr 29 13:11:55 2002
From: bias at pobox.com (Liston Bias)
Date: Sun, 28 Apr 2002 22:11:55 -0500 (CDT)
Subject: ssh-rand-helper probs
Message-ID:

It appears you are doing this through jumpstart as indicated in the initial reply. The rc script is an easy option. Another option would be to create a symlink from your boot image install directory to the /a directory. For example, we store our openssh-related files in /usr/local/openssh. Therefore, we can do a symlink from

'JUMPBASE'/Solaris_8/Tools/Boot/usr/local/openssh

to

../../a/usr/local/openssh

When ssh-keygen looks for ssh_rand_helper in /usr/local/openssh/libexec during jump install, it finds it.

Regards,
Liston

--------

It sounds to me like your problem is only occurring while performing ssh functions under a /a mount (I'm assuming off of a cdrom or net boot, possibly during jumpstart)?

If so, I suspect that portions of ssh are compiled to look for fully qualified paths that would exist if they were under /a, but don't exist directly under /.

The easiest solution may just be to install a runonce type script in /etc/rc3.d that generates the keys (if not present) and then deletes itself.

Alternatively, you may try compiling it from scratch. I know that recent versions have a pkgproto, although we roll our own, so I'm not sure how well it handles the alternate mount point issue. It might also require some sort of trickery with compile time flags to switch from fully qualified paths to relative paths. As a last resort, you could come up with some link trickery. For example, you could compile ssh to be installed in /a/usr/local/openssh and then on your production server, create a /a link to /.

-----Original Message-----
From: Kim & Kyle Bedell [mailto:2beds at rogers.com]
Sent: Wednesday, April 24, 2002 11:11 PM
To: openssh-unix-dev at mindrot.org
Subject: ssh-rand-helper probs

Hi all

Am I doing this right? Is this the right list to post to? If not, a quick lesson in etiquette for me would not hurt. As I am both just starting to use newsgroups and SSH, I am not entirely familiar with the processes. I have a question about ssh-rand-helper. First an outline: I am currently using the SSH packages for Solaris 2.8 available at sunfreeware.com. The environment is Solaris 8 (2.8) on sun4u platforms (ultras). At work, I have constructed a boot and installation server, an Ultra 450 that amongst other things, installs, configures SSH and auto-generates SSH keys as part of the client build. No problems there, it works quite nicely so that when the client finishes building, it can be immediately deployed. At home however, I practice and experiment a lot. I use an SS20 with 224MB of RAM as a boot server but I get a different set of errors depending on what I do:

The first time I tried this type of installation of SSH at home however I got an error that read:

"ld.so.1: /a/usr/local/bin/ssh-keygen: fatal: libz.so: open failed: No such file or directory. Killed"

So........just feed it some env parameters ....like LD_LIBRARY_PATH... right? nope

tried that and got this:

"(rand child) Couldn't exec '/usr/local/libexec/ssh-rannd-helper': No such file or directory
ssh-rand-helper child produced insufficient data"

This sounds like:
1. It really can't find the specified path/filename but then how did the second part occur, that being: "ssh-rand-helper child produced insufficient data"

It also sounds like prngd is not doing its job but I have sat in on the build and watched it start up in a cmd tool window while the client builds. This only happens when I use a script (!) and again, it only happens here at home on this sparc20. (Did I say that already?)
:) After the client finishes building, I can manually generate keys using the ssh-keygen utility without incident.

The relevant excerpt from the customization script that I use is here:

-------------text snipped----------------
LD_LIBRARY_PATH=/a/usr/local/lib:/usr/local/lib:/usr/lib
export LD_LIBRARY_PATH
echo "##########################################"
echo "#                                        #"
echo "#     Installing and configuring         #"
echo "#     samba and SSH (Secure Shell)       #"
echo "#                                        #"
echo "##########################################"
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/vnc/vnc-3.3.3r2-sol8-sparc-local all
mkdir -p /a/usr/local/samba
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/samba/samba-2.2.2-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/zlib-1.1.4-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/perl-5.6.1-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/egd-0.8-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/prngd-0.9.23-sol8-sparc-local all
#pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/tcp_wrappers_7.6-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/openssl-0.9.6c-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/openssh-3.1p1-sol8-sparc-local all
sleep 3
cat /a/var/sadm/system/logs/sysidtool.log >/a/usr/local/etc/prngd-seed
echo "##########################################"
echo "#                                        #"
echo "#     (SSH) Creating seed file           #"
echo "#                                        #"
echo "##########################################"
sleep 2
cp ${SU_CONFIG_DIR}/packages/sshpkgs/prngd /a/etc/init.d/.
cp ${SU_CONFIG_DIR}/packages/sshpkgs/sshd /a/etc/init.d/.
chown root:sys /a/etc/init.d/prngd
chown root:sys /a/etc/init.d/sshd
chmod 544 /a/etc/init.d/prngd
chmod 544 /a/etc/init.d/sshd
ln -s /etc/init.d/sshd /a/etc/rc2.d/S98sshd
ln -s /etc/init.d/prngd /a/etc/rc2.d/S98prngd
cp ${SU_CONFIG_DIR}/packages/sshpkgs/hosts.allow /a/etc/.
cp ${SU_CONFIG_DIR}/packages/sshpkgs/hosts.deny /a/etc/.
cd /var
mkdir -p spool/prngd
/a/usr/local/bin/prngd /var/spool/prngd/pool
sleep 3
echo "###################################"
echo "Attempting to create socket: "pool""
echo "###################################"
sleep 3
/a/usr/local/bin/ssh-keygen -t rsa1 -f /a/usr/local/etc/ssh_host_key -N ""
/a/usr/local/bin/ssh-keygen -t dsa -f /a/usr/local/etc/ssh_host_dsa_key -N ""
/a/usr/local/bin/ssh-keygen -t rsa -f /a/usr/local/etc/ssh_host_rsa_key -N ""
echo "##########################################"
--------------text snipped---------------

Any ideas? All advice appreciated and I thank you in advance

Kyle

_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

WARNING: All e-mail sent to and from this address will be received or otherwise recorded by the A.G. Edwards corporate e-mail system and is subject to archival, monitoring or review by, and/or disclosure to, someone other than the recipient.

It sounds to me like your problem is only occuring while = performing ssh functions under a /a mount (I'm assuming off of a cdrom or n= et boot, possibly during jumpstart)?

If so, I suspect that portions of ssh are compiled to loo= k for fully qualified paths that would exist if they were under /a, but don= 't exist directory under /

The easiest solution may just be to install a runonce typ= e script in /etc/rc3.d that generates the keys (if not present) and then de= letes itself.

Alternatively, you may try compiling it from scratch.&nbs= p; I know that recent versions have a pkgproto, although we roll our own, s= o I'm not sure how well it handles the alternate mount point issue.  I= t might also require some sort of trickery with compile time flags to switc= h from fully qualified paths to relative paths.  As a last resort, you= could come up with some link trickery.  For example, you could compil= e ssh to be installed in /a/usr/local/openssh and then on your production s= erver, create a /a link to /

-----Original Message-----
From: Kim & Kyle Bedell [mailto:2beds at rogers.com]
Sent: Wednesday, April 24, 2002 11:11 PM
To: openssh-unix-dev at mindrot.org
Subject: ssh-rand-helper probs


Hi all

    Am i doing this right? Is this the rig= ht list to post to? If not, a
quick lesson in ettiquette for me would not hurt.  = As I am both just
starting to use newsgroups and SSH, I am not entirely fa= miliar with the
processes.  I have a question about ssh-rand-helper= .  First an outline:   I
am currently using the SSH packages for Solaris 2.8 avai= lable at
sunfreeware.com.  The environment is Solaris 8 (2.8= ) on sun4u platforms
(ultras).  At work, I have constructed a boot and i= nstallation server, an
Ultra 450 that amongst other things, installs, configure= s SSH and
auto-generates SSH keys as part of the client build.&nbs= p; No problems there, it
works quite nicely so that when the client finishes buil= ding, it can be
immediately deployed.  At home however, I practice = and experiment alot.  I
use an SS20 with 224MB of RAM as a boot server but I get= a different set of
errors depending on what I do:

The first time I tried this type of installation of SSH at home however I
got an error that read:

 "ld.so.1: /a/usr/local/bin/ssh-keygen: fatal: libz.so: open failed: No such
file or directory.  Killed"

So........just feed it some env parameters ....like LD_LIBRARY_PATH...
right?    nope

tried that and got this:

"(rand child) Couldn't exec '/usr/local/libexec/ssh-rannd-helper':  No such
file or directory
ssh-rand-helper child produced insufficient data"

This sounds like:  1.  It really can't find the specified path/filename but
then how did the second part occur, that being:  "ssh-rand-helper child
produced insufficient data"  It also sounds like prngd is not doing its job
but I have sat in on the build and watched it start up in a cmd tool window
while the client builds.
This only happens when I use a script (!) and again, it only happens here at
home on this sparc20.  (Did I say that already?)  :) After the client
finishes building,  I can manually generate keys using the ssh-keygen
utility without incident.

the relevant excerpt from the customization script that I use is here:
-------------text snipped----------------
# Runs in the install (miniroot) environment; the new system is mounted on /a.
LD_LIBRARY_PATH=/a/usr/local/lib:/usr/local/lib:/usr/lib
export LD_LIBRARY_PATH
echo "##########################################"
echo "#                                        #"
echo "#       Installing and configuring       #"
echo "#      samba and SSH (Secure Shell)      #"
echo "#                                        #"
echo "##########################################"
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/vnc/vnc-3.3.3r2-sol8-sparc-local all
mkdir -p /a/usr/local/samba
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/samba/samba-2.2.2-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/zlib-1.1.4-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/perl-5.6.1-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/egd-0.8-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/prngd-0.9.23-sol8-sparc-local all
#pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/tcp_wrappers_7.6-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/openssl-0.9.6c-sol8-sparc-local all
pkgadd -R /a -a ${ADMIN_FILE} -d ${SU_CONFIG_DIR}/packages/sshpkgs/openssh-3.1p1-sol8-sparc-local all
sleep 3
cat /a/var/sadm/system/logs/sysidtool.log >/a/usr/local/etc/prngd-seed
echo "##########################################"
echo "#                                        #"
echo "#       (SSH) Creating seed file         #"
echo "#                                        #"
echo "##########################################"
sleep 2
cp ${SU_CONFIG_DIR}/packages/sshpkgs/prngd /a/etc/init.d/.
cp ${SU_CONFIG_DIR}/packages/sshpkgs/sshd /a/etc/init.d/.
chown root:sys /a/etc/init.d/prngd
chown root:sys /a/etc/init.d/sshd
chmod 544 /a/etc/init.d/prngd
chmod 544 /a/etc/init.d/sshd
# Link targets are relative to the installed system's root, not to /a.
ln -s /etc/init.d/sshd /a/etc/rc2.d/S98sshd
ln -s /etc/init.d/prngd /a/etc/rc2.d/S98prngd
cp ${SU_CONFIG_DIR}/packages/sshpkgs/hosts.allow /a/etc/.
cp ${SU_CONFIG_DIR}/packages/sshpkgs/hosts.deny /a/etc/.
cd /var
mkdir -p spool/prngd
# prngd from the new system is started in the install environment, pool on the miniroot's /var.
/a/usr/local/bin/prngd /var/spool/prngd/pool
sleep 3
echo "###################################"
echo "Attempting to create socket: \"pool\""
echo "###################################"
sleep 3
# Host keys generated with the /a binaries; ssh-keygen's compiled-in paths still refer to /.
/a/usr/local/bin/ssh-keygen -t rsa1 -f /a/usr/local/etc/ssh_host_key -N ""
/a/usr/local/bin/ssh-keygen -t dsa -f /a/usr/local/etc/ssh_host_dsa_key -N ""
/a/usr/local/bin/ssh-keygen -t rsa -f /a/usr/local/etc/ssh_host_rsa_key -N ""
echo "##########################################"
--------------text snipped---------------


Any ideas?  All advice appreciated and I thank you in advance

Kyle

_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
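The run-once rc3.d approach suggested in the reply above, worked out as an added example (not code from the thread): a first-boot script that creates only the host keys still missing and then removes itself, so nothing has to run ssh-keygen under the /a install mount. It assumes the sunfreeware layout from the original post (prefix /usr/local); SSH_ETC and KEYGEN are hypothetical environment overrides, e.g. KEYGEN=echo for a dry run.

```shell
#!/bin/sh
# /etc/rc3.d/S99sshkeys: first-boot, run-once creation of any OpenSSH host
# keys that are still missing, after which the script deletes itself.
# Doing this on the installed system rather than under the /a install mount
# means ssh-keygen's compiled-in paths (ssh-rand-helper, the etc directory,
# the shared libraries) all resolve without LD_LIBRARY_PATH games.
# Added example, not code from the thread. Assumes the sunfreeware layout
# from the original post (prefix /usr/local); SSH_ETC and KEYGEN are
# hypothetical overrides, e.g. KEYGEN=echo for a dry run.

: "${SSH_ETC:=/usr/local/etc}"
: "${KEYGEN:=/usr/local/bin/ssh-keygen}"

# Print "type file" for each host key absent from SSH_ETC, one per line.
missing_host_keys() {
    for pair in "rsa1 ssh_host_key" "dsa ssh_host_dsa_key" "rsa ssh_host_rsa_key"; do
        set -- $pair
        [ -f "$SSH_ETC/$2" ] || echo "$1 $2"
    done
}

# Create each missing key with an empty passphrase (sshd must start
# unattended). Fails on the first ssh-keygen error so the caller leaves the
# script in place for the next boot instead of deleting it.
generate_missing_host_keys() {
    missing_host_keys | while read type file; do
        "$KEYGEN" -t "$type" -f "$SSH_ETC/$file" -N "" -q || exit 1
    done
}

# rc invokes the script as "S99sshkeys start"; any other invocation (such
# as sourcing it) only defines the functions above.
if [ "$1" = start ]; then
    if generate_missing_host_keys; then
        rm -f "$0"     # run once: the keys now exist, so remove ourselves
    fi
fi
```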



From fcusack at fcusack.com Mon Apr 29 14:44:50 2002
From: fcusack at fcusack.com (Frank Cusack)
Date: Sun, 28 Apr 2002 21:44:50 -0700
Subject: ssh-rand-helper probs
In-Reply-To: ; from bias@pobox.com on Sun, Apr 28, 2002 at 10:11:55PM -0500
References:
Message-ID: <20020428214450.B773@google.com>

> Hi all
>
> Am I doing this right? Is this the right list to post to? If not, a
> quick lesson in etiquette for me would not hurt. As I am both just
> starting to use newsgroups and SSH, I am not entirely familiar with the
> processes.

One comment: lose the html email.

> I
> am currently using the SSH packages for Solaris 2.8 available at
> sunfreeware.com. The environment is Solaris 8 (2.8) on sun4u platforms
> (ultras). At work, I have constructed a boot and installation server, an

> The first time I tried this type of installation of SSH at home however I
> got an error that read:
>
> "ld.so.1: /a/usr/local/bin/ssh-keygen: fatal: libz.so: open failed: No
> such
> file or directory. Killed"
>
> So........just feed it some env parameters ....like LD_LIBRARY_PATH...
> right? nope

No, because the shared lib paths are hardcoded in (generally a good thing).

> the relevant excerpt from the customization script that I use is here:

Well, do you understand that the problem is your newly installed disk is
mounted on /a, not /? I imagine so, from the looks of your script, and your
mention of setting LD_LIBRARY_PATH.

So before I give you the answer, :-) I would ask why you want to generate
the keys at install time? I don't see a part in the script where you
squirrel the keys away somewhere on the install server, but you may have not
included that part. If you are not saving the key (eg, to use for
known_hosts distribution) then the easiest thing is to just not generate the
keys. The rc.d startup script should generate the keys if they don't exist.
If it doesn't, then you should complain to sunfreeware.com.

But to make it work without that, a good bet is to run the commands under
chroot:

chroot /a /usr/bin/ssh-keygen ...
chroot /a ...

An alternative might be to have the postinstall script do it

chroot $PKG_INSTALL_ROOT /usr/bin/ssh-keygen ...
...

then you just copy the keys out after installing.

/fc

From Stig.Venaas at uninett.no Mon Apr 29 19:32:21 2002
From: Stig.Venaas at uninett.no (Stig Venaas)
Date: Mon, 29 Apr 2002 11:32:21 +0200
Subject: problem with X11 forwarding and use_localhost on Linux (solution)
In-Reply-To: ; from kevin@atomicgears.com on Thu, Apr 25, 2002 at 10:09:40AM -0700
References: <20020423151338.A28061@sverresborg.uninett.no>
Message-ID: <20020429113221.A10505@sverresborg.uninett.no>

On Thu, Apr 25, 2002 at 10:09:40AM -0700, Kevin Steves wrote:
> : #else
> :- break;
> :+ if (!x11_use_localhost || num_socks == NUM_SOCKS)
> :+ break;
> : #endif
> : }
> : freeaddrinfo(aitop);
>
> this is what is in:
> http://bugzilla.mindrot.org/show_bug.cgi?id=164

Right, I should have checked there.

> i still don't understand exactly why DONT_TRY_OTHER_AF is needed?

It's needed because if you first bind an IPv6 socket to the ANY address,
then subsequent IPv4 bind will fail on Linux. You could of course remove
DONT_TRY_OTHER_AF, but then you need to ignore the error on the IPv4 bind
call. Currently it will clean up (closing the already opened IPv6 socket),
and then try the next display (which will again fail) until MAX_DISPLAYS is
reached, and it will then simply fail.

If the code for the ANY case was separated from the x11_use_localhost case,
you would only need DONT_TRY_OTHER_AF in the ANY part, that is the only part
where Linux is different from *BSD.

Stig

From vinschen at redhat.com Mon Apr 29 20:12:30 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Mon, 29 Apr 2002 12:12:30 +0200
Subject: [PATCH]: Cygwin README still mentiones regex libs
Message-ID: <20020429121230.A12016@cygbert.vinschen.de>

Hi,

the Cygwin README file still contains the hint, that the regex lib
is needed to compile OpenSSH. The following patch removes that
from the README. Could somebody please apply it?

Thanks,
Corinna

Index: contrib/cygwin/README
===================================================================
RCS file: /cvs/openssh_cvs/contrib/cygwin/README,v
retrieving revision 1.8
diff -u -p -r1.8 README
--- contrib/cygwin/README	29 Dec 2001 03:10:10 -0000	1.8
+++ contrib/cygwin/README	29 Apr 2002 10:07:15 -0000
@@ -172,8 +172,8 @@ configure are used for the Cygwin binary
 	--sysconfdir=/etc \
 	--libexecdir='${exec_prefix}/sbin'
 
-You must have installed the zlib, openssl and regex packages to
-be able to build OpenSSH!
+You must have installed the zlib and openssl packages to be able to
+build OpenSSH!
 
 Please send requests, error reports etc. to cygwin at cygwin.com.

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From amcintosh at atreus-systems.com Tue Apr 30 02:17:37 2002
From: amcintosh at atreus-systems.com (Allan McIntosh)
Date: Mon, 29 Apr 2002 11:17:37 -0500 (CDT)
Subject: SSH client, dup, pty.
Message-ID:

Hey,

I am hoping that someone on this list may be able to help me.

I started investigating the possibility of forking a process, the child then
attaching to a pty, duping std[in|out] to the pty, then exec'ing the ssh client.

For some reason, the ssh client still prompted straight to stdin and
stdout rather than through the pty that I created.

There seem to be a few issues with this. Can someone tell me if it is
possible to achieve this set up before I spend too much time on it.

Thanks

From bugzilla-daemon at mindrot.org Tue Apr 30 01:51:56 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 30 Apr 2002 01:51:56 +1000 (EST)
Subject: [Bug 230] UsePrivilegeSeparation turns off Banner.
Message-ID: <20020429155156.E017EE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=230

------- Additional Comments From stevesk at pobox.com 2002-04-30 01:51 -------
currently, with privsep on, the banner file needs to be in /var/empty.
so if your banner is /etc/issue, you need /var/empty/etc/issue.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From djm at mindrot.org Tue Apr 30 11:23:29 2002
From: djm at mindrot.org (Damien Miller)
Date: Tue, 30 Apr 2002 11:23:29 +1000 (EST)
Subject: SSH client, dup, pty.
In-Reply-To:
Message-ID:

On Mon, 29 Apr 2002, Allan McIntosh wrote:

> Hey,
>
> I am hoping that someone on this list may be able to help me.
>
> I started investigating the possibility of forking a process, the child then
> attaching to a pty, duping std[in|out] to the pty, then exec'ing the ssh client.
>
> For some reason, the ssh client still prompted straight to stdin and
> stdout rather than through the pty that I created.

You probably haven't set the controlling terminal, have a look at Stevens
_Advanced Programming in the Unix Environment_ or
sshpty.c:pty_make_controlling_tty() for how to do this across common
platforms.

-d

From bugzilla-daemon at mindrot.org Tue Apr 30 11:46:45 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 30 Apr 2002 11:46:45 +1000 (EST)
Subject: [Bug 230] UsePrivilegeSeparation turns off Banner.
Message-ID: <20020430014645.6BBFCE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=230

------- Additional Comments From djm at mindrot.org 2002-04-30 11:46 -------
Created an attachment (id=91)
Make Banner work with privsep as expected

From bugzilla-daemon at mindrot.org Tue Apr 30 11:47:49 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 30 Apr 2002 11:47:49 +1000 (EST)
Subject: [Bug 230] UsePrivilegeSeparation turns off Banner.
Message-ID: <20020430014749.9A399E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=230

------- Additional Comments From djm at mindrot.org 2002-04-30 11:47 -------
Could you please try the attached patch?

From bugzilla-daemon at mindrot.org Tue Apr 30 12:14:52 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 30 Apr 2002 12:14:52 +1000 (EST)
Subject: [Bug 230] UsePrivilegeSeparation turns off Banner.
Message-ID: <20020430021452.232C7E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=230

------- Additional Comments From provos at citi.umich.edu 2002-04-30 12:14 -------
That diff looks good to me. I can not test right now, but it is the right
approach.

From tim at multitalents.net Tue Apr 30 13:57:26 2002
From: tim at multitalents.net (Tim Rice)
Date: Mon, 29 Apr 2002 20:57:26 -0700 (PDT)
Subject: [PATCH]: Cygwin README still mentiones regex libs
In-Reply-To: <20020429121230.A12016@cygbert.vinschen.de>
Message-ID:

On Mon, 29 Apr 2002, Corinna Vinschen wrote:

> Hi,
>
> the Cygwin README file still contains the hint, that the regex lib
> is needed to compile OpenSSH. The following patch removes that
> from the README. Could somebody please apply it?

Done.

--
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From jancs at dsv.su.se Tue Apr 30 18:32:07 2002
From: jancs at dsv.su.se (Christer Jansson)
Date: Tue, 30 Apr 2002 10:32:07 +0200 (MET DST)
Subject: OpenSSH - make install coredump for dsa key pair
Message-ID:

Hello fellow OpenSSH workers,

I have encountered this when I was installing OpenSSH:

Generating public/private rsa1 key pair.
Your identification has been saved in /etc/ssh_host_key.
Your public key has been saved in /etc/ssh_host_key.pub.

******************************************************
Generating public/private dsa key pair.
Bus Error - core dumped
******************************************************

Generating public/private rsa key pair.
Your identification has been saved in /etc/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh_host_rsa_key.pub.
.....

rsa1 and rsa come through. Any idea why? And what can be done?

I am using Solaris 7 on a sun4u sparc SUNW,Ultra-5_10

Best Regards....

//Christer J

From djm at mindrot.org Tue Apr 30 18:39:29 2002
From: djm at mindrot.org (Damien Miller)
Date: Tue, 30 Apr 2002 18:39:29 +1000 (EST)
Subject: OpenSSH - make install coredump for dsa key pair
In-Reply-To:
Message-ID:

On Tue, 30 Apr 2002, Christer Jansson wrote:

>
> Hello fellow OpenSSH workers,
>
> I have encountered this when I was installing OpenSSH:
>
> Generating public/private rsa1 key pair.
> Your identification has been saved in /etc/ssh_host_key.
> Your public key has been saved in /etc/ssh_host_key.pub.
>
> ******************************************************
> Generating public/private dsa key pair.
> Bus Error - core dumped

The most common cause of this that I have seen is problems with the OpenSSL
library. E.g. mismatched library vs header versions or compiler options.

-d

From movie at mbcmovieenglish.co.kr Wed Apr 3 22:08:10 2002
From: movie at mbcmovieenglish.co.kr (=?ks_c_5601-1987?B?vK2/77nMtfC+7g==?=)
Date: Wed, 03 Apr 2002 21:08:10 +0900
Subject: =?ks_c_5601-1987?B?W7GksO1db3BlbnNzaC11bml4LWRldrTUwfax3b3Fw7vHz73DuOkguau34bv5x8PAuyC15biztM+02S4=?=
Message-ID: <20020510120702.3E625E881@shitei.mindrot.org>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020403/e10b236b/attachment.html

From contact at asquad.com Wed Apr 17 19:36:17 2002
From: contact at asquad.com (Contact)
Date: Wed, 17 Apr 2002 03:36:17 -0600
Subject: A-SQUAD Security
Message-ID: <20030417091826.6AF5B9420B@shitei.mindrot.org>

This is a message to my fellow network security professionals,

www.asquad.com is formed by a group of security professionals with
experience and knowledge. Even so, we would like your participation in the
exchanging of ideas and your contribution of knowledge. We would appreciate
your input about our web site and our Forum. We invite you to check out our
site and register to become part of our Forum.

One of our latest Security Analyst additions is a security professional who
has worked for NASA implementing their security. After exchanging ideas, he
decided to join our team. Very good things can happen from being
communicative.

We would like to hear from you and know what you think. Pay us a visit and
drop us a line in our forum!

Regards,
The A-SQUAD team

Why security assessments?
http://www.asquad.com/need_for_vulnerability_assessmen.htm
A-SQUAD FORUM!
http://www.asquad.com/forum/
A-SQUAD Engineer Profiles
http://www.asquad.com/profiles2.htm