From Jason.Lacoss-Arnold at AGEDWARDS.com Fri Feb 1 00:20:58 2002 
From: Jason.Lacoss-Arnold at AGEDWARDS.com (Lacoss-Arnold, Jason)
Date: Thu, 31 Jan 2002 07:20:58 -0600
Subject: locked account accessable via pubkey auth
Message-ID: <6808DCE827EBD5119DFB0002A58EF4DA57E517@hqempn06.agedwards.com>

HP-UX 11.00

from: man passwd

     -l        Lock user account.

from: man getspent

 getspent(3C)                                                     getspent(3C)

 NAME
      getspent, getspnam, setspent, endspent - access secure password
      entries, for trusted systems only.

 SYNOPSIS
      #include <shadow.h>

      struct spwd * getspent (void);

      struct spwd * getspnam (const char *name);

      void setspent (void);

      void endspent (void);

 DESCRIPTION
      The routines getspent() and getspnam() return a pointer to the next
      secured password entry.  Each entry is a spwd structure, declared in
      the shadow.h header file with the following members:

           char *sp_namp;          /* the user's login name */
           char *sp_pwdp;          /* the encrypted password for the user */
           long sp_lstchg;         /* # of days from 1/1/70 when passwd was
                                      last modified */
           long sp_min;            /* min # of days allowed between password
                                      changes */
           long sp_max;            /* max # of days allowed between password
                                      changes */
           long sp_warn;           /* # of days before password expires and
                                      warning issued */
           long sp_inact;          /* # of days between account inactive and
                                      disabled */
           long sp_expire;         /* # of days from 1/1/70 when account is
                                      locked */
           unsigned long sp_flag;  /* currently unused */

      The getspent() routine returns a pointer to the first spwd structure
      when first called.  Subsequent calls return pointers to successive
      spwd structures.  Repeated calls to getspent() can be used to search
      all entries in the protected password database.

      The getspnam() routine searches password entries from beginning to
      end until a login name matching name is found, and returns a pointer
      to that entry.

      If the fields corresponding to sp_min, sp_max, sp_lstchg, sp_warn,
      sp_inact, sp_expire, or sp_flag are not specified in the entry, they
      default to -1.

      If an end-of-file or an error is encountered in reading or a format
      error is detected, these functions return a null pointer and, for an
      error, errno is set to EINVAL.

      The setspent() routine is used to reset access to the secured
      password entries.  After setspent() is called, the subsequent call to
      getspent() returns the first secured password entry.  This mechanism
      is used to allow repeated searches of the secured password entries.

      The endspent() routine is used to indicate that processing of secured
      password entries is complete.

 Hewlett-Packard Company            - 1 -       HP-UX Release 11.00: October 1997

      getspent() is only supported on trusted systems.

      The secured password facility is implemented without the use of the
      /etc/shadow file.  getspent(), getspnam(), setspent(), and endspent()
      read from the trusted system's protected password database
      (/tcb/files/auth/*/*) and not /etc/shadow.  The file /etc/shadow is
      not used in any way by the HP-UX login facility.

      These routines return a null pointer and set errno to ENOENT if the
      system has not been converted to a trusted system.  In all other
      cases, the return value is set similarly to getprpwent().  See
      getprpwent(3) for more information.

      Programs using these routines must be compiled with -lsec.

 FILES
      /etc/passwd             System Password file.
      /tcb/files/auth/*/*     Protected password database, for trusted
                              systems.

 SEE ALSO
      getpwent(3C), getprpwent(3), passwd(4).

 DIAGNOSTICS
      getspent(), getspnam(), and fgetspent() return a null pointer on EOF
      or error.

 STANDARDS CONFORMANCE
      getspent : SVID3

Thanks,

--Jason Lacoss-Arnold, Systems Technical Specialist
Technical Services - Unix Arch.
314-955-8501

-----Original Message-----
From: Frank Cusack [mailto:fcusack at fcusack.com]
Sent: Wednesday, January 30, 2002 18:01
To: Damien Miller
Cc: openssh-unix-dev at mindrot.org; Dost, Alexander
Subject: Re: locked account accessable via pubkey auth

On Wed, Jan 30, 2002 at 03:39:38PM +1100, Damien Miller wrote:
> On Tue, 29 Jan 2002, Frank Cusack wrote:
>
> > On Tue, Jan 29, 2002 at 08:48:51AM -0600, Albert Chin wrote:
> > > On Tue, Jan 29, 2002 at 12:56:55PM +0100, Dost, Alexander wrote:
> > > > maybe this is a silly question ;-) But why is it possible to login on a
> > > > machine with a locked account (passwd -l ) via pubkey-authentication
> > > > (authorized_keys) ?
> >
> > huh.. This is definitely a bug; probably in the Solaris PAM libs. I can
> > look into this, unfortunately not within a day or so.
>
> I don't think it is a bug even. Having accounts with locked passwords, but
> still accessible via pubkey auth is a very useful thing.

I agree, that is useful, but whether or not it's a bug depends on the meaning
of 'passwd -l'. SUSv2 does not define the passwd command, so I guess this is
implementation-dependent. On Solaris 8, passwd(8) says -l "Locks password
entry for _name_". It does not say that it locks the *account*. So this would
seem to be consistent with pubkey auth still being allowed.

Even so, I would tend to think it should lock the "account". I don't know if
this list is a good place for it, but personally I would be interested in
hearing arguments for either.

Can someone report on what the HP-UX man page says? I'd also be interested to
see the man page for HP-UX getspent(). (Another email in this thread says
HP-UX prevents pubkey auth after 'passwd -l'.)
/fc

_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

***************************************************************************************
WARNING: All e-mail sent to and from this address will be received or
otherwise recorded by the A.G. Edwards corporate e-mail system and is
subject to archival, monitoring or review by, and/or disclosure to,
someone other than the recipient.
***************************************************************************************
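A worked illustration of the distinction the thread keeps circling, a locked *password* versus a locked *account*, added here as editor's example code rather than anything posted to the list or shipped with OpenSSH: it parses shadow-style entries carrying the fields listed in the getspent(3C) excerpt above and decides, once for a password login and once for a key-only login, whether the entry should be accepted. The sample entries are constructed, the lock markers are the ones written by Solaris passwd -l (`*LK*`) and by shadow-utils passwd -l (a leading `!`), and the two policies correspond to the Solaris 8 wording ("locks password entry") and the HP-UX wording ("lock user account"). HP-UX trusted mode keeps this data in /tcb/files/auth instead and is not modelled.

```python
"""Locked password vs. locked account, as an sshd-side account check.

Editor's example, not code from the thread or from OpenSSH.  The sample
shadow lines below are constructed; the lock markers are the ones written
by Solaris passwd -l ("*LK*") and shadow-utils passwd -l ("!").  HP-UX
trusted mode keeps this data in /tcb/files/auth and is not modelled.
"""
from dataclasses import dataclass
from datetime import date

# Prefixes that mean "this hash can never match a typed password".
LOCK_PREFIXES = ("*LK*", "!", "*")


@dataclass
class ShadowEntry:
    """One secured password entry; members mirror struct spwd above."""
    sp_namp: str
    sp_pwdp: str
    sp_lstchg: int   # days since 1970-01-01 of last change, -1 if unset
    sp_min: int
    sp_max: int
    sp_warn: int
    sp_inact: int    # grace days after sp_max during which login still works
    sp_expire: int   # absolute day on which the account is disabled, -1 if unset
    sp_flag: int


def days_since_epoch(d):
    """Day count in the units struct spwd uses."""
    return (d - date(1970, 1, 1)).days


def parse_shadow_line(line):
    """Parse name:pwd:lastchg:min:max:warn:inact:expire:flag; empty -> -1."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields: %r" % line)
    numbers = [int(f) if f else -1 for f in fields[2:]]
    return ShadowEntry(fields[0], fields[1], *numbers)


def account_status(e, today):
    """Classify the entry for the given day (days_since_epoch units).

    'expired' and 'inactive' are account-level states derived from the aging
    fields; 'password-locked' is the state passwd -l produces, and it is the
    one a key-only path never notices unless it looks for it explicitly.
    """
    if e.sp_expire >= 0 and today >= e.sp_expire:
        return "expired"
    if (e.sp_lstchg >= 0 and e.sp_max >= 0 and e.sp_inact >= 0
            and today > e.sp_lstchg + e.sp_max + e.sp_inact):
        return "inactive"
    if e.sp_pwdp.startswith(LOCK_PREFIXES):
        return "password-locked"
    return "ok"


def login_allowed(e, today, method, lock_is_account_wide):
    """Decide for method 'password' or 'publickey'; returns (allowed, status).

    Password authentication fails on a locked hash by construction.  For
    public-key authentication the outcome depends on the policy argued over
    in the thread: lock_is_account_wide=False is the Solaris 8 reading
    ("locks password entry"), True is the HP-UX reading ("lock user account").
    """
    status = account_status(e, today)
    if status in ("expired", "inactive"):
        return False, status
    if status == "password-locked":
        if method == "password" or lock_is_account_wide:
            return False, status
        return True, status      # key auth bypasses passwd -l under the lax reading
    return True, status


# Constructed sample database; the hashes are placeholders, not real digests.
SAMPLE_SHADOW = [
    "alice:$1$abcd$placeholderhash:11688:0:99999:7:::",      # normal entry
    "bob:*LK*$1$abcd$placeholderhash:11688:0:99999:7:::",    # Solaris passwd -l
    "carol:!$1$abcd$placeholderhash:11688:0:99999:7:::",     # Linux passwd -l
    "dave:$1$abcd$placeholderhash:11000:0:90:7:30::",        # aged out: 11000+90+30 < today
    "erin:$1$abcd$placeholderhash:11688:0:99999:7::11600:",  # hard expiry day in the past
]

TODAY = days_since_epoch(date(2002, 1, 31))   # 11718, the date of this thread


def check_all(method, lock_is_account_wide, today=TODAY):
    """Map user -> (allowed, status) for every sample entry."""
    return {e.sp_namp: login_allowed(e, today, method, lock_is_account_wide)
            for e in map(parse_shadow_line, SAMPLE_SHADOW)}


if __name__ == "__main__":
    for policy in (False, True):
        print("publickey, lock_is_account_wide=%s" % policy)
        for user, (ok, why) in check_all("publickey", policy).items():
            print("  %-6s %-5s %s" % (user, ok, why))
```

Running it shows that both policies agree on dave and erin (the aging fields are account state whatever the method), and differ only on bob and carol: under the lax reading a key-only login succeeds for exactly the accounts passwd -l was run against, which is the behaviour the original question reports.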
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Thu, 31 Jan 2002 09:02:10 -0500
Subject: [Bug 91] timeout patches
In-Reply-To: <20020131115322.9D21AEBEC@shitei.mindrot.org>; from bugzilla-daemon@mindrot.org on Thu, Jan 31, 2002 at 10:53:22PM +1100
References: <20020131115322.9D21AEBEC@shitei.mindrot.org>
Message-ID: <20020131090209.R27398@sm2p1386swk.wdr.com>

On Thu, Jan 31, 2002 at 10:53:22PM +1100, bugzilla-daemon at mindrot.org wrote:
> http://bugzilla.mindrot.org/show_bug.cgi?id=91
>
> ------- Additional Comments From markus at openbsd.org  2002-01-31 22:53 -------
> please try to have one feature per patch.
>
> 1. as to protocolkeepalive: isn't this what tcp-keepalives are for?

TCP keepalives are unreliable; the TCP keepalive timer usually cannot be set
per-socket and cannot be negotiated.

> 2. why use sigaction? sshd does a similar thing, but just uses alarm()

Why use SIGALRM? Why not use the select() timeout instead?

> 3. why not wrap exchange_identification into alarm, like sshd does?
> 4. not all ssh1 implementations will accept your ignore message

I don't remember SSHv2 having a keepalive message. Maybe it should.

Cheers,

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and delete
this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as
information could be intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses. The sender therefore does not accept
liability for any errors or omissions in the contents of this message which
arise as a result of e-mail transmission. If verification is required please
request a hard-copy version.

This message is provided for informational purposes and should not be
construed as a solicitation or offer to buy or sell any securities or related
financial instruments.
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Thu, 31 Jan 2002 09:05:37 -0500
Subject: locked account accessable via pubkey auth
In-Reply-To: <20020130174218.G29096@google.com>; from fcusack@fcusack.com on Wed, Jan 30, 2002 at 05:42:18PM -0800
References: <200201310103.g0V13o3g954659@jurassic.eng.sun.com> <20020130174218.G29096@google.com>
Message-ID: <20020131090535.S27398@sm2p1386swk.wdr.com>

On Wed, Jan 30, 2002 at 05:42:18PM -0800, Frank Cusack wrote:
> On Wed, Jan 30, 2002 at 05:02:37PM -0800, Darren Moffat wrote:
> > New in Solaris 9 is pam_unix_account(5) which says:
> >
> >      pam_unix_account provides functionality to the PAM account
> >      management stack. The function pam(3PAM) function retrieves
> >      password aging information from the repositories specified
> >      in nsswitch.conf(4), and verifies that the user's account
> >      and password have not expired.
>
> hmm... This seems broken. If I want a certain service to check pam_unix,
> I list it in pam.conf. Instead, I'm now supposed to call pam_unix_account()
> specifically? Is pam_unix_account() somehow different than the normal
> pam account mgmt w/ pam_unix in pam.conf? The intent of this (AFAICT) is
> so that an app can always check against pam_unix, regardless of what's in
> pam.conf -- broken. Sorry, this is getting OT.

Hmmmm, I haven't played with Solaris 9 yet, but that sounds like a special
PAM stack configured only with pam_unix that can be used to check a Unix
account's status independently of what PAM stack the app used for
authentication in the first place.

> /fc

Cheers,

Nico

From: markus at openbsd.org (Markus Friedl)
Date: Thu, 31 Jan 2002 15:22:39 +0100
Subject: [Bug 91] timeout patches
In-Reply-To: <20020131090209.R27398@sm2p1386swk.wdr.com>
References: <20020131115322.9D21AEBEC@shitei.mindrot.org> <20020131090209.R27398@sm2p1386swk.wdr.com>
Message-ID: <20020131142238.GB14690@faui02>

please keep bugzilla discussions to the bugzilla interface.

On Thu, Jan 31, 2002 at 09:02:10AM -0500, Nicolas Williams wrote:
> > 2. why use sigaction? sshd does a similar thing, but just uses alarm()
>
> Why use SIGALRM? Why not use the select() timeout instead?

similar things should have similar implementations, but feel free to rewrite
*_exchange_identification(). if you do, then please make it consistent.

-m

From: ed at UDel.Edu (Ed Phillips)
Date: Thu, 31 Jan 2002 10:00:40 -0500 (EST)
Subject: x509 for hostkeys.
In-Reply-To: <20020131120909.A28305@folly>
Message-ID:

Quick question... what is $ENV set to in your environment for the "cat"
command or does your shell not do "$" subs within "<<" sections?

Thanks,

Ed

On Thu, 31 Jan 2002, Markus Friedl wrote:

> Date: Thu, 31 Jan 2002 12:09:10 +0100
> From: Markus Friedl
> To: openssh at openbsd.org, openssh-unix-dev at mindrot.org
> Subject: x509 for hostkeys.
>
> This (very quick) patch allows you to connect with the commercial
> ssh.com windows client and use x509 certs for hostkeys.  You have
> to import your CA cert (ca.crt) in the windows client and certify
> your hostkey:
>
> $ cat << 'EOF' > x509v3.cnf
> CERTPATHLEN = 1
> CERTUSAGE = digitalSignature,keyCertSign
> CERTIP = 0.0.0.0
> [x509v3_CA]
> basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
> keyUsage=$ENV::CERTUSAGE
> [x509v3_IPAddr]
> subjectAltName=IP:$ENV::CERTIP
> [x509v3_DNSName]
> subjectAltName=DNS:$ENV::CERTDNS
> EOF
> $ CERTDNS=myipaddr; export CERTDNS
> $ openssl req -new -key /etc/ssh_host_rsa_key -out HOSTKEY.csr
> $ openssl x509 -req -days 365 -in HOSTKEY.csr -CA ca.crt \
>       -CAkey ca.key -CAcreateserial \
>       -extfile x509v3.cnf -extensions x509v3_DNSName \
>       -out HOSTKEY.crt
> $ umask 077
> $ cat /etc/ssh_host_rsa_key HOSTKEY.crt > /etc/ssh_host_rsa_key+cert
> $ echo HostKey /etc/ssh_host_rsa_key+cert > sshd_config-test
> $ sudo sshd -p 2222 -ddd -f sshd_config-test

Ed Phillips          University of Delaware          (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

From: markus at openbsd.org (Markus Friedl)
Date: Thu, 31 Jan 2002 16:03:19 +0100
Subject: x509 for hostkeys.
In-Reply-To:
References: <20020131120909.A28305@folly>
Message-ID: <20020131150319.GD14690@faui02>

On Thu, Jan 31, 2002 at 10:00:40AM -0500, Ed Phillips wrote:
> Quick question... what is $ENV set to in your environment for the "cat"
> command or does your shell not do "$" subs within "<<" sections?

not if you 'EOF'

but read the mail more as instructions, don't use copy&paste :)
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Thu, 31 Jan 2002 10:09:51 -0500
Subject: x509 for hostkeys.
In-Reply-To: ; from ed@UDel.Edu on Thu, Jan 31, 2002 at 10:00:40AM -0500
References: <20020131120909.A28305@folly>
Message-ID: <20020131100949.T27398@sm2p1386swk.wdr.com>

Ed,

This is an RTFM. "Here documents" with the end-of-input marker quoted are
not interpolated.

Nico

On Thu, Jan 31, 2002 at 10:00:40AM -0500, Ed Phillips wrote:
> Quick question... what is $ENV set to in your environment for the "cat"
> command or does your shell not do "$" subs within "<<" sections?
>
> Thanks,
>
> Ed
>
> On Thu, 31 Jan 2002, Markus Friedl wrote:
>
> > Date: Thu, 31 Jan 2002 12:09:10 +0100
> > From: Markus Friedl
> > To: openssh at openbsd.org, openssh-unix-dev at mindrot.org
> > Subject: x509 for hostkeys.
> >
> > This (very quick) patch allows you to connect with the commercial
> > ssh.com windows client and use x509 certs for hostkeys.  You have
> > to import your CA cert (ca.crt) in the windows client and certify
> > your hostkey:
> >
> > $ cat << 'EOF' > x509v3.cnf
[...]
> Ed Phillips          University of Delaware          (302) 831-6082
> Systems Programmer III, Network and Systems Services
> finger -l ed at polycut.nss.udel.edu for PGP public key
From: ed at UDel.Edu (Ed Phillips)
Date: Thu, 31 Jan 2002 11:01:17 -0500 (EST)
Subject: x509 for hostkeys.
In-Reply-To: <20020131100949.T27398@sm2p1386swk.wdr.com>
Message-ID:

On Thu, 31 Jan 2002, Nicolas Williams wrote:

> Date: Thu, 31 Jan 2002 10:09:51 -0500
> From: Nicolas Williams
> To: Ed Phillips
> Cc: Markus Friedl, openssh at openbsd.org,
>     openssh-unix-dev at mindrot.org
> Subject: Re: x509 for hostkeys.
>
> Ed,
>
> This is an RTFM. "Here documents" with the end-of-input marker quoted are
> not interpolated.

What manual? tcsh, bash, sh, csh, jsh, ksh... ??? He didn't say which shell
he's using... or what OS that shell is running on... ;-P

Ed

Ed Phillips          University of Delaware          (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

From: ed at UDel.Edu (Ed Phillips)
Date: Thu, 31 Jan 2002 11:04:53 -0500 (EST)
Subject: x509 for hostkeys.
In-Reply-To: <20020131150319.GD14690@faui02>
Message-ID:

On Thu, 31 Jan 2002, Markus Friedl wrote:

> Date: Thu, 31 Jan 2002 16:03:19 +0100
> From: Markus Friedl
> To: Ed Phillips
> Cc: openssh at openbsd.org, openssh-unix-dev at mindrot.org
> Subject: Re: x509 for hostkeys.
>
> On Thu, Jan 31, 2002 at 10:00:40AM -0500, Ed Phillips wrote:
> > Quick question... what is $ENV set to in your environment for the "cat"
> > command or does your shell not do "$" subs within "<<" sections?
>
> not if you 'EOF'
>
> but read the mail more as instructions, don't use copy&paste :)

Of course... that's how I'm reading it. Copy+Paste as root from email = BAD!
;-)

Thanks,

Ed

Ed Phillips          University of Delaware          (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Thu, 31 Jan 2002 09:11:35 -0800 (PST)
Subject: locked account accessable via pubkey auth
Message-ID: <200201311711.g0VHBj3g128866@jurassic.eng.sun.com>

>On Wed, Jan 30, 2002 at 05:02:37PM -0800, Darren Moffat wrote:
>> New in Solaris 9 is pam_unix_account(5) which says:
>>
>>      pam_unix_account provides functionality to the PAM account
>>      management stack. The function pam(3PAM) function retrieves
>>      password aging information from the repositories specified
>>      in nsswitch.conf(4), and verifies that the user's account
>>      and password have not expired.
>
>hmm... This seems broken. If I want a certain service to check pam_unix,
>I list it in pam.conf. Instead, I'm now supposed to call pam_unix_account()
>specifically? Is pam_unix_account() somehow different than the normal
>pam account mgmt w/ pam_unix in pam.conf? The intent of this (AFAICT) is
>so that an app can always check against pam_unix, regardless of what's in
>pam.conf -- broken. Sorry, this is getting OT.

You completely misunderstood what pam_unix_account(5) is. The 5 is the
hint - it is a module not a function. We have made no changes to
the API for applications or modules.

We took the big gob of pam_unix that we had from 2.6 through 8 and
split it into smaller chunks to be more consistent with what is in the
Open Group spec and to make it easier for people to just replace the
password validation routines.

The new default pam.conf is attached.

>> passwd(1)'s description of the -l flag does still say:
>>      -l      Locks password entry for name.
>>
>>
>> Note that it doesn't say it locks the password it says locks the "password
>> entry", implying it disables access to the account. I agree this could
>> be clearer - I'll see what I can do about getting it changed.
>
>Do you know if a patch will be available for Solaris 8?

I'll look into it.
--
Darren J Moffat

-------------- next part --------------
#
#ident  "@(#)pam.conf   1.20    02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin auth optional           pam_krb5.so.1 try_first_pass
#login  auth optional           pam_krb5.so.1 try_first_pass
#other  auth optional           pam_krb5.so.1 try_first_pass
#cron   account optional        pam_krb5.so.1
#other  account optional        pam_krb5.so.1
#other  session optional        pam_krb5.so.1
#other  password optional       pam_krb5.so.1 try_first_pass

From: markus at openbsd.org (Markus Friedl)
Date: Thu, 31 Jan 2002 18:18:24 +0100
Subject: signal transmission in ssh2
Message-ID: <20020131181824.A14818@folly>

does somebody like this?

Index: Makefile.inc =================================================================== RCS file: /cvs/src/usr.bin/ssh/Makefile.inc,v retrieving revision 1.21 diff -u -r1.21 Makefile.inc --- Makefile.inc 30 Oct 2001 20:32:31 -0000 1.21 +++ Makefile.inc 16 Nov 2001 12:07:22 -0000 @@ -10,7 +10,7 @@ CDIAGFLAGS+= -Wmissing-prototypes CDIAGFLAGS+= -Wunused -#DEBUG=-g +DEBUG=-g #CFLAGS+= -DSMARTCARD #LDADD+= -lsectok Index: clientloop.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/clientloop.c,v retrieving revision 1.95 diff -u -r1.95 clientloop.c --- clientloop.c 10 Jan 2002 11:24:04 -0000 1.95 +++ clientloop.c 31 Jan 2002 17:17:19 -0000
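Review bot: the Makefile.inc hunk (@@ -10,7 +10,7 @@) is unrelated to signal forwarding: it turns the commented `#DEBUG=-g` into `DEBUG=-g`, a local build setting, and its file header date (16 Nov 2001, months before the clientloop.c and session.c hunks) marks it as a leftover from the working tree. Drop it so the patch is confined to the two source files it is actually about.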
@@ -103,6 +103,8 @@ */ static volatile sig_atomic_t received_window_change_signal = 0; static volatile sig_atomic_t received_signal = 0; +/* send signal to remote program: 0 disabled, 1 enabled, 2 pending */ +static volatile sig_atomic_t send_signal = 0; /* Flag indicating whether the user\'s terminal is in non-blocking mode. */ static int in_non_blocking_mode = 0; @@ -173,7 +175,10 @@ signal_handler(int sig) { received_signal = sig; - quit_pending = 1; + if (send_signal == 1) + send_signal = 2; + else + quit_pending = 1; } /* @@ -765,6 +770,26 @@ leave_raw_mode(); } +static char * +sig2name(int sig) +{ +#define SIG(x) if (sig == SIG ## x) return #x + SIG(ABRT); + SIG(ALRM); + SIG(FPE); + SIG(HUP); + SIG(ILL); + SIG(INT); + SIG(KILL); + SIG(PIPE); + SIG(QUIT); + SIG(SEGV); + SIG(TERM); + SIG(USR1); + SIG(USR2); + return ""; +} + /* * Implements the interactive session with the server. This is called after * the user has been authenticated, and a command has been started on the @@ -778,7 +803,7 @@ fd_set *readset = NULL, *writeset = NULL; double start_time, total_time; int max_fd = 0, max_fd2 = 0, len, rekeying = 0, nalloc = 0; - char buf[100]; + char *signame, buf[100]; debug("Entering interactive session."); @@ -819,6 +844,10 @@ client_init_dispatch(); + /* for protocol v2 we try to send the signal to the remote host */ + if (compat20 && !have_pty && ssh2_chan_id != -1) + send_signal = 1; + /* Set signal handlers to restore non-blocking mode. */ signal(SIGINT, signal_handler); signal(SIGQUIT, signal_handler); 
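Review bot: in the @@ -765,6 +770,26 @@ hunk sig2name() returns the empty string "" for any signal not in its table, and the caller has no way to tell that apart from a real name, so an unlisted signal ends up as a "signal" channel request with an empty name. Return NULL for the unknown case and have the sender check it before building the request; the table could also be trimmed to the signals the client actually installs handlers for (the context of the @@ -819 hunk shows SIGINT and SIGQUIT).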
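Review bot: in the @@ -819,6 +844,10 @@ hunk the comment says only "for protocol v2 we try to send the signal to the remote host", but the condition also requires !have_pty, and that is the design decision worth recording: with a pty the interrupt character already reaches the remote process through the tty, so forwarding is only meaningful for non-pty (command) sessions, which is also the question Nico raises in reply. Say so in the comment, and note that the ssh2_chan_id != -1 test has to match the session_ident the request is later sent on.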
@@ -899,6 +928,18 @@ xxx_kex->done = 0; kex_send_kexinit(xxx_kex); need_rekeying = 0; + } + if (send_signal == 2) { + send_signal = 0; + signame = sig2name(received_signal); + debug("Sending SIG%s to the remote host.", + signame); + packet_start(SSH2_MSG_CHANNEL_REQUEST); + packet_put_int(session_ident); + packet_put_cstring("signal"); + packet_put_char(0); + packet_put_cstring(signame); + packet_send(); } } Index: session.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/session.c,v retrieving revision 1.122 diff -u -r1.122 session.c --- session.c 29 Jan 2002 22:46:41 -0000 1.122 +++ session.c 31 Jan 2002 17:17:21 -0000 @@ -1375,6 +1375,47 @@ } } +static int +name2sig(char *name) +{ +#define SIG(x) if (strcmp(name, #x) == 0) return SIG ## x + SIG(ABRT); + SIG(ALRM); + SIG(FPE); + SIG(HUP); + SIG(ILL); + SIG(INT); + SIG(KILL); + SIG(PIPE); + SIG(QUIT); + SIG(SEGV); + SIG(TERM); + SIG(USR1); + SIG(USR2); + return -1; +} + +static int +session_signal_req(Session *s) +{ + char *signame; + int sig; + + signame = packet_get_string(NULL); + sig = name2sig(signame); + xfree(signame); + packet_done(); + + if (sig >= 0 && s->pid > 0) { + debug("session_signal_req: killpg(%d, %d)", + s->pid, sig); + if (killpg(s->pid, sig) < 0) + error("session_signal_req: killpg(%d, %d): %s", + s->pid, sig, strerror(errno)); + } + return 0; +} + void session_input_channel_req(int id, void *arg) { @@ -1419,6 +1460,8 @@ } if (strcmp(rtype, "window-change") == 0) { success = session_window_change_req(s); + } else if (strcmp(rtype, "signal") == 0) { + success = session_signal_req(s); } if (reply) {
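Review bot: in the @@ -899,6 +928,18 @@ hunk send_signal is set to 0 after the first forwarded signal and never returned to 1, so the second ^C the client receives goes through signal_handler with send_signal != 1, sets quit_pending and ends the session instead of being forwarded. If that is the intended escape hatch, document it at the declaration ("0 disabled, 1 enabled, 2 pending" does not mention it); otherwise put `send_signal = 1;` back after packet_send(). The same block should also skip the request entirely when sig2name() has no name for received_signal rather than sending packet_put_cstring("") as the signal name.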
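Review bot: session_signal_req() in the @@ -1375,6 +1375,47 @@ hunk returns 0 on every path, including after a successful killpg(), so session_input_channel_req() answers a "signal" request that asks for a reply with a failure even when the signal was delivered; the client side here sends packet_put_char(0) and will not notice, but other implementations will. Return 1 when killpg() succeeds and 0 when name2sig() rejects the name or there is no child. Also, killpg(s->pid, sig) only reaches the child if s->pid is the leader of its own process group; confirm that the no-pty exec path puts the child in one, otherwise the call fails with ESRCH and kill(s->pid, sig) is the safer choice.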
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Thu, 31 Jan 2002 12:26:42 -0500
Subject: locked account accessable via pubkey auth
In-Reply-To: <200201311711.g0VHBj3g128866@jurassic.eng.sun.com>; from Darren.Moffat@eng.sun.com on Thu, Jan 31, 2002 at 09:11:35AM -0800
References: <200201311711.g0VHBj3g128866@jurassic.eng.sun.com>
Message-ID: <20020131122640.V27398@sm2p1386swk.wdr.com>

On Thu, Jan 31, 2002 at 09:11:35AM -0800, Darren Moffat wrote:
> You completely misunderstood what pam_unix_account(5) is. The 5 is the
> hint - it is a module not a function. We have made no changes to
> the API for applications or modules.
>
> We took the big gob of pam_unix that we had from 2.6 through 8 and
> split it into smaller chunks to be more consistent with what is in the
> Open Group spec and to make it easier for people to just replace the
> password validation routines.
>
> The new default pam.conf is attached.
>
> --
> Darren J Moffat

Content-Description: pam.conf

> login   auth requisite          pam_authtok_get.so.1
> login   auth required           pam_dhkeys.so.1
> login   auth required           pam_unix_auth.so.1
> login   auth required           pam_dial_auth.so.1

Cool. Very cool. I have wanted this sort of thing...

Now, it would be cooler still if you could specify which Unix account
backend to use (files, nis, nisplus, ldap).

And with respect to pam_krb5, is your current approach still to make it
a sort of convenience kinit-in-PAM? Or can Solaris 9 really use Kerberos
V for user password authentication?

Nico
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Thu, 31 Jan 2002 12:36:01 -0500
Subject: signal transmission in ssh2
In-Reply-To: <20020131181824.A14818@folly>; from markus@openbsd.org on Thu, Jan 31, 2002 at 06:18:24PM +0100
References: <20020131181824.A14818@folly>
Message-ID: <20020131123559.W27398@sm2p1386swk.wdr.com>

On Thu, Jan 31, 2002 at 06:18:24PM +0100, Markus Friedl wrote:
> does somebody like this?

I've not used it. I like the idea. I'll try it. But:

When would the client receive a signal? It runs in raw mode, right? Or
would this apply only to non-pty sessions?

Shouldn't this be available via ~ escapes? As in ~kHUP?

Nico
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Thu, 31 Jan 2002 09:59:19 -0800 (PST)
Subject: locked account accessable via pubkey auth
Message-ID: <200201311759.g0VHxS3g137182@jurassic.eng.sun.com>

Off-topic for this list but I believe there are people who hang out here that would be interested in the answer.

>And with respect to pam_krb5, is your current approach still to make it
>a sort of convenience kinit-in-PAM? Or can Solaris 9 really use Kerberos
>V for user password authentication?

It is really authentication. Fixed under bug# 4516495 for Solaris 9.

--
Darren J Moffat

From Darren.Moffat at eng.sun.com Fri Feb 1 05:03:27 2002
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Thu, 31 Jan 2002 10:03:27 -0800 (PST)
Subject: [Bug 83] New: fork() fails when there are PAM limits set
Message-ID: <200201311803.g0VI3a3g138071@jurassic.eng.sun.com>

>> The problem is, when you set some resource limits in /etc/security/limits.conf
>> for group X - nproc 20 ( maximum of running user processes - 20 ), and try to
>> log in with some user with group X, sshd says 'fork failed - resource temporarily
>> unavailable'. There are no other processes running for this user, and as far as
>> I've seen, it makes something like authenticate-set limits-fork()-setuid(), and
>> because there is a moment when it's running under root with really lowered
>> limits, it bombs out.
>> Any solutions?
>
>My understanding of this is that it's a result of a fundamental
>mis-design of PAM - you have to do the entire PAM conversation in one
>go (as root), so this sort of PAM-based limiting is always going to be
>prone to this sort of error.

No. There is nothing wrong with the PAM API. The problem here is misconfiguration of a particular PAM module provided by some Linux distributions and how it interacts with OpenSSH. The problem is the module, not the PAM API.

--
Darren J Moffat

From ed at UDel.Edu Fri Feb 1 06:00:03 2002
From: ed at UDel.Edu (Ed Phillips)
Date: Thu, 31 Jan 2002 14:00:03 -0500 (EST)
Subject: locked account accessable via pubkey auth
In-Reply-To: <200201311711.g0VHBj3g128866@jurassic.eng.sun.com>
Message-ID:

On Thu, 31 Jan 2002, Darren Moffat wrote:

> We took the big gob of pam_unix that we had from 2.6 through 8 and
> split it into smaller chunks to be more consistent with what is in the
> Open Group spec and to make it easier for people to just replace the
> password validation routines.
>
> The new default pam.conf is attached.

What version of Solaris will this pam.conf and the associated libraries be available in?

Thanks,

Ed

Ed Phillips University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

From Darren.Moffat at eng.sun.com Fri Feb 1 06:02:08 2002
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Thu, 31 Jan 2002 11:02:08 -0800 (PST)
Subject: locked account accessable via pubkey auth
Message-ID: <200201311902.g0VJ2I3g150694@jurassic.eng.sun.com>

>On Thu, 31 Jan 2002, Darren Moffat wrote:
>
>> We took the big gob of pam_unix that we had from 2.6 through 8 and
>> split it into smaller chunks to be more consistent with what is in the
>> Open Group spec and to make it easier for people to just replace the
>> password validation routines.
>>
>> The new default pam.conf is attached.
>
>What version of Solaris will this pam.conf and the associated libraries be
>available in?

Solaris 9.

--
Darren J Moffat

From bugzilla-daemon at mindrot.org Fri Feb 1 06:28:35 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 1 Feb 2002 06:28:35 +1100 (EST)
Subject: [Bug 88] scp for OpenSSH v3.0.2p1 fails to commercial SSH v3.1.0 server (new -t option to SSH's scp)
Message-ID: <20020131192835.D2C26EC07@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=88

------- Additional Comments From brectanu at naxs.net 2002-02-01 06:28 -------

Not exactly. Yes, ssh1/scp1 is not installed on the remote machine, however the command should NOT be using ssh1/scp1 on the remote machine - it should be using SSH protocol 2. This is the problem.

When OpenSSH sends the 'scp -v -t' command to the remote machine (SSH v3.1.0), the remote version of SSH is now interpreting the '-t' option as a SSH1 compatibility flag. Pre-SSH v3.1.0 there was not a '-t' option to scp and thus no problem. Now, however, there is a problem with the new version of commercial SSH and a conflicting '-t' option between SSH and OpenSSH scp.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Feb 1 06:39:35 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 1 Feb 2002 06:39:35 +1100 (EST)
Subject: [Bug 88] scp for OpenSSH v3.0.2p1 fails to commercial SSH v3.1.0 server (new -t option to SSH's scp)
Message-ID: <20020131193935.92B31EC2A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=88

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From mouring at eviladmin.org 2002-02-01 06:39 -------

OpenSSH scp speaks rcp protocol. SSH Corp's scp speaks SFTP protocol. Please use SFTP or install scp1 from the older SSH Corp package. Some year when someone gets time they may teach our scp to speak sftp.

- Ben

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Feb 1 06:43:29 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 1 Feb 2002 06:43:29 +1100 (EST)
Subject: [Bug 88] scp for OpenSSH v3.0.2p1 fails to commercial SSH v3.1.0 server (new -t option to SSH's scp)
Message-ID: <20020131194329.086F6EC2D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=88

------- Additional Comments From brectanu at naxs.net 2002-02-01 06:43 -------

Here is the verbose output of the scp command to send 'testfile' to the remote host. I have changed the names to protect the innocent and commented inline where the problem is.

Here is from the SSH v3.1.0 man page on the new '-t' option...

   -t or -f
        These options are reserved for scp1 compatibility mode. If they are
        used with scp2, it gives them as arguments to scp1 to handle the
        connection.

Here is the trace...

client% scp -v testfile remote.host.some.domain:.
Executing: program /usr/bin/ssh host remote.host.some.domain, user (unspecified), command scp -v -t .
OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1002 geteuid 1002 anon 1
debug1: Connecting to remote.host.some.domain [nnn.nnn.nnn.nnn] port 22.
debug1: temporarily_use_uid: 1002/203 (e=1002)
debug1: restore_uid
debug1: temporarily_use_uid: 1002/203 (e=1002)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/clientuser/.ssh/identity type 0
debug1: identity file /home/clientuser/.ssh/id_rsa type -1
debug1: identity file /home/clientuser/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version 3.1.0 SSH Secure Shell (non-commercial)
debug1: no match: 3.1.0 SSH Secure Shell (non-commercial)
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.0.2p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: dh_gen_key: priv key bits set: 127/256
debug1: bits set: 479/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host 'remote.host.some.domain' is known and matches the DSA host key.
debug1: Found key in /home/clientuser/.ssh/known_hosts:9
debug1: bits set: 470/1024
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /home/clientuser/.ssh/id_dsa
debug1: input_userauth_pk_ok: pkalg ssh-dss blen 432 lastkey 0x808f690 hint -1
debug1: ssh-userauth2 successful: method publickey
debug1: fd 4 setting O_NONBLOCK
debug1: fd 5 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0

>>> Here, the 'scp -v -t' command is sent to remote server...

debug1: Sending command: scp -v -t .
debug1: channel 0: open confirm rwindow 100000 rmax 32768
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd close
debug1: channel 0: output open -> drain
debug1: channel 0: input open -> closed
debug1: channel 0: close_read
debug1: channel 0: obuf empty
debug1: channel 0: output drain -> closed
debug1: channel 0: close_write

>>> Here is the error from remote host regarding the '-t' option to scp.
>>> Note we were speaking SSH protocol 2, not 1. The '-t' option
>>> forced the protocol 1 compatibility mode on the remote side, but
>>> there is no protocol 1 installed (should not need it).

scp: warning: Executing scp1 compatibility.
scp: FATAL: Executing ssh1 in compatibility mode failed (Check that scp1 is in your PATH).
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.1 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0
debug1: Exit status 255
lost connection

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Feb 1 06:46:12 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 1 Feb 2002 06:46:12 +1100 (EST)
Subject: [Bug 88] scp for OpenSSH v3.0.2p1 fails to commercial SSH v3.1.0 server (new -t option to SSH's scp)
Message-ID: <20020131194612.428A6EC2E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=88

------- Additional Comments From brectanu at naxs.net 2002-02-01 06:46 -------

Prior to SSH v3.1.0 scp from OpenSSH to SSH worked fine, BTW.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Feb 1 07:09:49 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 1 Feb 2002 07:09:49 +1100 (EST)
Subject: [Bug 88] scp for OpenSSH v3.0.2p1 fails to commercial SSH v3.1.0 server (new -t option to SSH's scp)
Message-ID: <20020131200949.BAD43E97C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=88

------- Additional Comments From mouring at eviladmin.org 2002-02-01 07:09 -------

> Prior to SSH v3.1.0 scp from OpenSSH to SSH worked fine, BTW.

Please file a bug report with SSH Corp. -t is a required flag to notify the remote end that it is acting in server mode. To not define it breaks the original rcp concept which the first scp was based off of.

- Ben

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From tori at ringstrom.mine.nu Fri Feb 1 08:10:24 2002
From: tori at ringstrom.mine.nu (Tobias Ringstrom)
Date: Thu, 31 Jan 2002 22:10:24 +0100 (CET)
Subject: [PATCH] Added NoDelay config option and nodelay subsystem option
In-Reply-To: <3C572A6A.6B60C488@hp.com>
Message-ID:

On Tue, 29 Jan 2002, Rick Jones wrote:

> OK, I can see now that it will stop where you had things stop, so
> clearly bwdelay+1 is insufficient, I think we need bwdelay+2 in this
> instance with a socket buffer size of bwdelay. I tried to diagram it out
> and it was ugly, but I think it results in at least two REQ's being sent
> at once each time after the initial singleton and triple.
>
> The reason to have the socket buffer only bwdelay is so that when that
> first triple hits the third response cannot go into the socket buffer
> and hit TCP until the fifth(?) request arrives, so the fourth response
> ACK's both the fourth request and the fifth request. (It does this because
> it was sent by the app to TCP after the fifth request arrived because
> the fifth request acked the second response) I think I have that right
> though I am in a maze of twisty passages :)

...and do not want to go there either. Yes, you might achieve what you propose with a carefully selected socket buffer, but after a while you will have to send a window update or some other little silly packet and you're toast again... You'll probably find a way around that too, but I'd rather enable TCP_NODELAY and be done with it, I think. :-)

/Tobias

From paw at noh.ucsd.edu Fri Feb 1 08:28:09 2002
From: paw at noh.ucsd.edu (Pat Wilson)
Date: Thu, 31 Jan 2002 13:28:09 -0800 (PST)
Subject: kerberized ssh on Mac OS X?
Message-ID: <200201312128.g0VLS9J11060@noh.ucsd.edu>

Sigh. Is anyone here working on getting K5 kerberized ssh onto Mac OS X? I'm having trouble building with the Apple krb5 and OS X include files - seems fp.h gets sucked in by something, and it's got its own idea of what "log()" is... Is there a better place to ask this question? Be gentle, please.

Thanks.

--paw
Pat Wilson
paw at ucsd.edu

From rick_jones2 at hp.com Fri Feb 1 08:28:31 2002
From: rick_jones2 at hp.com (Rick Jones)
Date: Thu, 31 Jan 2002 13:28:31 -0800
Subject: [PATCH] Added NoDelay config option and nodelay subsystem option
References:
Message-ID: <3C59B6FF.94E661F2@hp.com>

> > The reason to have the socket buffer only bwdelay is so that when that
> > first triple hits the third response cannot go into the socket buffer
> > and hit TCP until the fifth(?) request arrives, so the fourth response
> > ACK's both the fourth request and the fifth request. (It does this
> > because it was sent by the app to TCP after the fifth request arrived
> > because the fifth request acked the second response) I think I have
> > that right though I am in a maze of twisty passages :)
>
> ...and do not want to go there either. Yes, you might achieve what you
> propose with a carefully selected socket buffer, but after a while you
> will have to send a window update or some other little silly packet and
> you're toast again... You'll probably find a way around that too, but
> I'd rather enable TCP_NODELAY and be done with it, I think. :-)

typical application programmer attitude :)

I was doing the back flips there to deal with the infinite speeds and such and to guarantee things in the proper sequence; from those experiments I ran yesterday, it appears that timing is pretty much key.

what are the request and response sizes involved in sftp anyhow? any ideas yet what sort of bandwidth delay products are going to be targeted?

rick jones
--
Wisdom Teeth are impacted, people are affected by the effects of events.
these opinions are mine, all mine; HP might not want them anyway... :)
feel free to post, OR email to raj in cup.hp.com but NOT BOTH...

From tori at ringstrom.mine.nu Fri Feb 1 08:29:51 2002
From: tori at ringstrom.mine.nu (Tobias Ringstrom)
Date: Thu, 31 Jan 2002 22:29:51 +0100 (CET)
Subject: Use of TCP_NODELAY in commercial SSH
Message-ID:

In order to test my overlapping request path for sftp on another ssh server, I downloaded ssh2 version 3.1.0 from ssh.com. Having downloaded it, I decided to study the use of TCP_NODELAY in that implementation. Here's what I found:

* Both ssh2 and sshd2 have a NoDelay config option which is false by default.
* The ssh2 client does not enable or disable NoDelay because of a channel type (such as pty or X11).
* The sftp2 client uses "-o NoDelay=yes" when starting its ssh "proxy" which helps get, but not put.
* The sftp2 server does not enable NoDelay (since there is no way to do so I guess).

/Tobias

From Nicolas.Williams at ubsw.com Fri Feb 1 08:46:49 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Thu, 31 Jan 2002 16:46:49 -0500 Subject: Use of TCP_NODELAY in commercial SSH In-Reply-To: ; from tori@ringstrom.mine.nu on Thu, Jan 31, 2002 at 10:29:51PM +0100 References: Message-ID: <20020131164648.Y27398@sm2p1386swk.wdr.com> On Thu, Jan 31, 2002 at 10:29:51PM +0100, Tobias Ringstrom wrote: > In order to test my overlapping request path for sftp on another ssh > server, I downloaded ssh2 version 3.1.0 from ssh.com. Having downloaded > it, I decided to study the use of TCP_NODELAY in that implementation. > Here's what I found: More evidence for the need to have messages at the SSHv2 layer to handle setting/unsetting TCP_NODELAY. :) > /Tobias Nico -- -DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- From stuge at cdy.org Fri Feb 1 09:19:13 2002 
From: stuge at cdy.org (Peter Stuge)
Date: Thu, 31 Jan 2002 23:19:13 +0100
Subject: signal transmission in ssh2
In-Reply-To: <20020131181824.A14818@folly>; from markus@openbsd.org on Thu, Jan 31, 2002 at 06:18:24PM +0100
References: <20020131181824.A14818@folly>
Message-ID: <20020131231913.C28982@foo.birdnet.se>

On Thu, Jan 31, 2002 at 06:18:24PM +0100, Markus Friedl wrote:
> does somebody like this?

It's part of the draft, that's reason enough to put it in, IMO. I like it.

If anyone feels like it, the sig2name/name2sig could be made more complex to allow for arbitrary signal passing from a given system to a remote system of the same kind, which could be useful. I'm thinking of the draft text in section 4.10 of the connection protocol;

   Additional signal names MAY be sent in the format "sig-name@xyz", where
   `sig-name' and `xyz' may be anything a particular implementor wants
   (except the `@' sign). However, it is suggested that if a `configure'
   script is used, the non-standard signal names it finds be encoded as
   "SIG@xyz.config.guess" where `SIG' is the signal name without the "SIG"
   prefix, and `xyz' be the host type, as determined by `config.guess'.

So much mail, so not enough time.

//Peter
--
irc: CareBear\ irl: Peter Stuge

From tori at ringstrom.mine.nu Fri Feb 1 09:25:59 2002
From: tori at ringstrom.mine.nu (Tobias Ringstrom)
Date: Thu, 31 Jan 2002 23:25:59 +0100 (CET)
Subject: [PATCH] Added NoDelay config option and nodelay subsystem option
In-Reply-To: <3C59B6FF.94E661F2@hp.com>
Message-ID:

On Thu, 31 Jan 2002, Rick Jones wrote:
> what are the request and response sizes involved in sftp anyhow?

Approximately:

Request: 64 bytes
Window update: 48 bytes (sent every 32 kB data received right now)
Response: ~8200 bytes

> any ideas yet what sort of bandwidth delay products are going to be
> targeted?

Everything from LANs to the upcoming interplanetary information highways of course... :-)

/Tobias

From djast at cs.toronto.edu Fri Feb 1 10:02:36 2002
From: djast at cs.toronto.edu (Dan Astoorian) Date: Thu, 31 Jan 2002 18:02:36 -0500 Subject: signal transmission in ssh2 In-Reply-To: Your message of "Thu, 31 Jan 2002 12:18:24 EST." <20020131181824.A14818@folly> Message-ID: <02Jan31.180309edt.453147-1882@jane.cs.toronto.edu> On Thu, 31 Jan 2002 12:18:24 EST, Markus Friedl writes: > + if (sig >= 0 && s->pid > 0) { > + debug("session_signal_req: killpg(%d, %d)", > + s->pid, sig); > + if (killpg(s->pid, sig) < 0) > + error("session_signal_req: killpg(%d, %d): %s", > + s->pid, sig, strerror(errno)); Is it safe for the server to be doing this? Isn't the server running as root when this code runs? If the process for the session exec()s a privileged program, I'm worried that this might potentially allow a signal to be sent to a program which the user would not otherwise be allowed to deliver a signal to. (I think "s->pid > 0" could be changed to "s->pid > 1", for the sake of defensiveness; s->pid should never equal 1, but if it ever did happen, the consequences might be disastrous: on some systems, process group 1 is reserved for kernel processes.) -- Dan Astoorian People shouldn't think that it's better to have Sysadmin, CSLab loved and lost than never loved at all. It's djast at cs.toronto.edu not, it's better to have loved and won. All www.cs.toronto.edu/~djast/ the other options really suck. --Dan Redican From rick_jones2 at hp.com Fri Feb 1 10:14:44 2002 
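Review bot: in the "if (sig >= 0 && s->pid > 0)" block, killpg(s->pid, sig) runs with sshd's own credentials, so the permission check the kernel applies is root's rather than the session user's; if anything in the session's process group has since exec'd a set-uid program, the client can signal a process it could not signal from its own shell. Deliver the signal from a forked helper that has called setgid()/setuid() to the session user first, or verify the ownership of the target process group before the call. The lower bound should also be "s->pid > 1": 0 would address the caller's own process group and 1 is reserved on some systems, so neither value should ever reach killpg(). The error() path logs a failed killpg(), but nothing in the lines quoted reports the failure to the requester; if that is not done elsewhere, the request should fail visibly rather than appear to succeed.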
From: rick_jones2 at hp.com (Rick Jones) Date: Thu, 31 Jan 2002 15:14:44 -0800 Subject: [PATCH] Added NoDelay config option and nodelay subsystem option References: Message-ID: <3C59CFE4.3B33715E@hp.com> > > what are the request and reponse sizes involved in sftp anyhow? > > Approximately: > Request: 64 bytes > Window update: 48 bytes (sent every 32 kB data received right now) > Response: ~8200 bytes I'm going to guess that the response is 8217 bytes? (I saw that in some https stuff recently...) I'm going to show additional extreme ignorance. If a window update is sent every 32kB of data, doesn't that imply that there are at least four requests outstanding at any one time? Is it possible to have data sent without there being an outstanding request? Otherwise, I find it odd that there would be a window update since the quantity of data outstanding would be controlled by the arrival of requests. > > any ideas yet what sort of bandwidth delay products are going to be > > targetted? > > Everything from LANs to the upcoming interplanetary information highways > of course... :-) Thankfully, there will be gateways for the interplanetary stuff and we won't be running TCP end-to-end, and we'll all have to go back to thinking in batch terms so we can ignore that for now. I guess that leaves things like 100Mbit/s transcontinental links and the odd geosync satellite. rick jones -- Wisdom Teeth are impacted, people are affected by the effects of events. these opinions are mine, all mine; HP might not want them anyway... :) feel free to post, OR email to raj in cup.hp.com but NOT BOTH... From djm at mindrot.org Fri Feb 1 10:39:27 2002 
From: djm at mindrot.org (Damien Miller) Date: Fri, 1 Feb 2002 10:39:27 +1100 (EST) Subject: signal transmission in ssh2 In-Reply-To: <02Jan31.180309edt.453147-1882@jane.cs.toronto.edu> Message-ID: On Thu, 31 Jan 2002, Dan Astoorian wrote: > On Thu, 31 Jan 2002 12:18:24 EST, Markus Friedl writes: > > + if (sig >= 0 && s->pid > 0) { > > + debug("session_signal_req: killpg(%d, %d)", > > + s->pid, sig); > > + if (killpg(s->pid, sig) < 0) > > + error("session_signal_req: killpg(%d, %d): %s", > > + s->pid, sig, strerror(errno)); > > Is it safe for the server to be doing this? Isn't the server running as > root when this code runs? > > If the process for the session exec()s a privileged program, I'm worried > that this might potentially allow a signal to be sent to a program which > the user would not otherwise be allowed to deliver a signal to. A gratuitous fork+set[ug]id before the killpg would take care of this, but is a little ugly. -d From mbabcock at fibrespeed.net Fri Feb 1 15:07:01 2002 
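One way to do what Damien Miller suggests above (fork and switch to the session user before killpg()) together with a conservative reading of the draft text Peter Stuge quoted, as an added example that is not OpenSSH code: name2sig() here is this example's own function with its own signature, not the one in Markus's patch; the host-type suffix used in the test values is a made-up config.guess string; and the set of extra signals accepted under the "NAME@host-type" form is a local policy choice picked for illustration. The bare names are the ones the draft lists for the "signal" request. A real privilege drop would also reset supplementary groups with setgroups()/initgroups(), which needs root and is left out so the example runs unprivileged.

```c
/* Added example, not OpenSSH code: resolve an SSH "signal" request name and
 * deliver it to the session's process group from a child that has first
 * switched to the session user's uid/gid, so the kernel applies that user's
 * permission check instead of root's. All names are this example's own. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct signame { const char *name; int sig; };

/* Names the connection-protocol draft lists for "signal", minus "SIG". */
static const struct signame draft_sigs[] = {
    { "ABRT", SIGABRT }, { "ALRM", SIGALRM }, { "FPE",  SIGFPE  },
    { "HUP",  SIGHUP  }, { "ILL",  SIGILL  }, { "INT",  SIGINT  },
    { "KILL", SIGKILL }, { "PIPE", SIGPIPE }, { "QUIT", SIGQUIT },
    { "SEGV", SIGSEGV }, { "TERM", SIGTERM }, { "USR1", SIGUSR1 },
    { "USR2", SIGUSR2 },
};

/* Extra names this host accepts under the draft's "NAME@host-type" form.
 * Which ones to allow is a local policy choice; this set is illustrative. */
static const struct signame local_sigs[] = {
    { "CONT", SIGCONT }, { "TSTP", SIGTSTP }, { "STOP", SIGSTOP },
};

#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

static int lookup(const struct signame *t, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(t[i].name, name) == 0)
            return t[i].sig;
    return -1;
}

/* Wire name -> signal number, or -1 to reject. A bare name must be a draft
 * name. "NAME@suffix" is honoured only when suffix equals local_suffix (the
 * string our own config.guess would produce), so a name minted for another
 * host type is never guessed at. */
int name2sig(const char *name, const char *local_suffix)
{
    char base[32];
    const char *at = strchr(name, '@');
    size_t n = at ? (size_t)(at - name) : strlen(name);
    int sig;

    if (n == 0 || n >= sizeof base)
        return -1;
    memcpy(base, name, n);
    base[n] = '\0';
    if (at == NULL)
        return lookup(draft_sigs, NELEM(draft_sigs), base);
    if (local_suffix == NULL || strcmp(at + 1, local_suffix) != 0)
        return -1;
    if ((sig = lookup(draft_sigs, NELEM(draft_sigs), base)) < 0)
        sig = lookup(local_sigs, NELEM(local_sigs), base);
    return sig;
}

/* Send sig to process group pgid with the credentials of uid/gid. Returns 0
 * on success, -1 with errno set. pgid <= 1 is refused: 0 would address the
 * caller's own group and 1 is reserved on some systems. A production version
 * would also call setgroups()/initgroups() before setuid(); that needs root,
 * so it is omitted here to keep the example runnable unprivileged. */
int signal_pgrp_as_user(pid_t pgid, int sig, uid_t uid, gid_t gid)
{
    pid_t child;
    int status;

    if (pgid <= 1 || sig < 0) {
        errno = EINVAL;
        return -1;
    }
    if ((child = fork()) < 0)
        return -1;
    if (child == 0) {
        /* drop group first, then user, and verify the drop actually took */
        if (setgid(gid) != 0 || setuid(uid) != 0 ||
            getgid() != gid || getuid() != uid || geteuid() != uid)
            _exit(EPERM);
        if (killpg(pgid, sig) != 0)
            _exit(errno ? errno : EPERM);
        _exit(0);
    }
    while (waitpid(child, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    if (!WIFEXITED(status)) {
        errno = ECHILD;
        return -1;
    }
    if (WEXITSTATUS(status) != 0) {
        errno = WEXITSTATUS(status);   /* child's errno, e.g. EPERM or ESRCH */
        return -1;
    }
    return 0;
}
```

Signal 0 is handy for exercising the delivery path: it performs only the permission check, so signal_pgrp_as_user(getpgrp(), 0, getuid(), getgid()) succeeds for one's own session while a group owned by another user fails with EPERM in the child, exactly the outcome the in-sshd killpg() would have hidden behind root's privilege.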
From: mbabcock at fibrespeed.net (Michael T. Babcock)
Date: Thu, 31 Jan 2002 23:07:01 -0500
Subject: OpenSSH Key Storage
Message-ID: <20020201040701.GX26603@godzilla.fibrespeed.net>

I have had a brief discussion with Damien Miller (below) about storing host port values in the known_hosts file so as to track multiple ssh sessions (with independent keys) that run on a single host but accept connections on different ports. If it were possible to state that a given key for a remote host belonged to that host's ssh session on port 23 and that another key belonged to that same host but the session available on port 22, it would take away some of the grief in managing such connections.

I am presently using host aliases in the options file to handle this as Damien suggested but explaining this to my clients is difficult when SSH (commercial) has this seemingly simple feature built in.

> On Fri, Feb 01, 2002 at 10:17:07AM +1100, Damien Miller wrote:
> > On Thu, 31 Jan 2002, Michael T. Babcock wrote:
> >
> > > Without having looked at the config parsing code,  does openssh care about
> > > how long the line is? Could the additional information be stored after the
> > > key string on the same line?
> >
> > No, that is used for key comments.
>
> If I may take up more of your time with this, the first pre-space
> section is for hostname(s). What if the port were specified here?
>
> host,ipaddress,port:22 1024 35 keyvalue1
> host,ipaddress,port:23 1024 35 keyvalue2
>
> As long as the port 22 entry comes first, there are no conflicts that I
> can see and portable OpenSSH is quite happy to connect and validate the
> key in version 3.0.2p1. The additional information can, however, be
> used by more recent versions to select the correct line.

PS, I am not subscribed to this list.

--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/

From dan at doxpara.com Fri Feb 1 19:18:39 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Fri, 1 Feb 2002 00:18:39 -0800
Subject: OpenSSH Key Storage
References: <20020201040701.GX26603@godzilla.fibrespeed.net>
Message-ID: <013101c1aaf9$0d871620$8201000a@effugas>

> I have had a brief discussion with Damien Miller (below) about storing
> host port values in the known_hosts file so as to track multiple ssh
> sessions (with independent keys) that run on a single host but accept
> connections on different ports. If it were possible to state that a
> given key for a remote host belonged to that host's ssh session on port
> 23 and that another key belonged to that same host but the session
> available on port 22, it would take away some of the grief in managing
> such connections.
>
> I am presently using host aliases in the options file to handle this as
> Damien suggested but explaining this to my clients is difficult when SSH
> (commercial) has this seemingly simple feature built in.

Would you name your web servers after the IP addresses they were on? Ever seen an https host named https://443.foobar.com? Of course not. How you got there is not where you are, when it comes to computer networks. (Yes, this is another divergence from the human experience. When teleporters become a reality, this may very well change.)

Look. Just because a daemon exists on a host doesn't mean it's necessarily that host's daemon, especially if it's not on the standard port, even more especially if that port is less than 1024. Port forwarding is a *really useful thing*. To wit:

Take two hosts, a client and a server, that cannot establish outgoing sessions with each other but may each send traffic to some broker over tcp/22 (or any other port). The server SSH's into the broker and creates a remote port forward from remote's 2022 to 127.0.0.1:22. Then the client SSH's into the broker and creates a local port forward on 3022 to be forwarded to the broker's 127.0.0.1:2022.

Now, the client may SSH into the server by connecting to 127.0.0.1:2022, and by using the HostKeyAlias, will verify the identity of the server. This looks something like this:

server$ ssh user@broker -R2022:127.0.0.1:22
client$ ssh user@broker -L3022:127.0.0.1:2022
[new window]
client$ ssh -o HostKeyAlias=server -p 2022 user@127.0.0.1

The reason I'm documenting this entire process is simple: The key the client receives from 127.0.0.1:2022 is the one of the server. It's not "the broker on port 3022". It's not "localhost on port 2022". It's not even "the server, oh on port 22." It's _the_ _server_. That's its identity.

Now, it is certainly possible for multiple SSH daemons to actually be run on the same machine. If they have identical keys, that's fine -- perhaps a newer revision of sshd_config is being tested on an alternate port, perhaps a backup sshd is live in case the primary one crashes, or perhaps it's the same actual daemon listening on multiple ports to assist in firewall piercing (like when sshd is told to listen on port 443). We don't care how we got that correctly hostkeyed SSH daemon, we just care we got it.

But, ah, if the keys are different, the question is WHY. We have to presume that a host that is not providing its correct keying material in fact cannot. Any user can run an sshd on port 2022 just as easily as he can type ssh user@host -R2022:127.0.0.1:22. What separates his SSH-1.99-OpenSSH_3.0.1p1 from the real one isn't the route taken by the client but the key offered by the daemon. If he's offering a different key, he's effectively a different host, perhaps with some of the same services available but presumptively not an identical amount of trust to the legitimate identity. A daemon that cannot offer its correct host key is for all intents and purposes a different host, and needs to be treated as such.

Don't get me wrong -- it can be really, really useful to create a separate sshd with highly restricted permissions, able only to administer the restricted level it lives at and even with a buffer overflow go no farther. We can do this by executing something like:

server# su -l webuser -c "/usr/sbin/sshd -p 2022 -f /etc/sshd_config -h /home/webuser/sshd_user/userkey1 -h /home/webuser/sshd_user/userkey2"

That fits fine in a rc.local script, or could even be directly executed over ssh or command line as the user. But the client *needs to know* that this account is of a different identity -- it's not a root owned key that's being hosted, but some restricted other identity host key. So we rename it.

client$ ssh user@server -o HostKeyAlias="webserver" -p 2022

It's a different host we're trusting. It's a different server we're trusting. If the processes are accidentally running on the same machine, who cares. You don't trust IPs and you don't trust ports. Try, and you find yourself accepting keys you should -- after all, it's the right host, who cares if the network itself is redirecting the port -- and being unable to update your network infrastructure at will. If the Windows SSH daemons behave as you describe, there's probably some damaging hacks against them via corrupted ssh:// URLs.

This all being said -- I actively dislike HostKeyAlias syntax and find it unwieldy. Cryptographically correct it may be, but we can -- and should -- do better. Bug me privately if you want to see what I was up to with this; suffice it to say, it's an uglier problem than I expected (as I found out at Defcon when I was trying to explain it to a crowd. That was pretty embarrassing.)

--Dan

From markus at openbsd.org Fri Feb 1 19:43:35 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 1 Feb 2002 09:43:35 +0100
Subject: OpenSSH Key Storage
In-Reply-To: <20020201040701.GX26603@godzilla.fibrespeed.net>
References: <20020201040701.GX26603@godzilla.fibrespeed.net>
Message-ID: <20020201084334.GB13371@faui02>

if i connect to
	folly.openssh.com
then i want the host key verified against the entry for
	folly.openssh.com

if i connect to folly.openssh.com via a forwarded connection on
	somehost.example.bla, port 2222
then i want the host key verified against the entry for
	folly.openssh.com
and not against
	somehost.example.bla, port 2222
because in both cases i really connect to folly.openssh.com

storing the same key with different 'names' does not make sense to me.

with "HostKeyAlias folly.openssh.com" i say: while the tcp connect is to
"somehost.example.bla, port 2222" make sure that i really connect to
folly.openssh.com

moreover, with the current implementation known_hosts is also used for
hostbased authentication. if the client's hostkey is looked up in
known_hosts what does 'port' mean? if "somehost.example.bla, port 2222" is
stored in known_hosts, then folly.openssh.com can hide as
somehost.example.bla.

it has been suggested that the server tells the client:
lookup the hostkey under this 'name'.
does this really help? doesn't this mean the server
binds name to key? shouldn't the client do this instead?

-m

From lemming at netcentrum.cz Fri Feb 1 21:38:58 2002
From: lemming at netcentrum.cz (Michal Kara)
Date: Fri, 1 Feb 2002 11:38:58 +0100
Subject: Key fingerprint logging
In-Reply-To: <200201291602.g0TG2Rmh016291@etoh.eviladmin.org>; from mouring@etoh.eviladmin.org on Tue, Jan 29, 2002 at 10:02:27AM -0600
References: <20020129154054.A20373@netcentrum.cz> <200201291602.g0TG2Rmh016291@etoh.eviladmin.org>
Message-ID: <20020201113858.A12530@netcentrum.cz>

> > I have made a patch against OpenSSH 3.0.2p1 which allows the fingerprint of
> > the accepted key to be printed in the log message. It works with SSH1-RSA and
> > SSH2 pubkey (DSA+RSA) authentication.
> >
> > This feature is controllable by the LogKeyFingerprint config option (turned
> > off by default).
> >
>
> Unless I am wrong I believe -current already has this functionality. Just
> it does not add another configuration option since it is always on.

Not always - only when you have verbose logging. And the way it is
implemented makes it not-so-easy to assign fingerprint to login, since the
FP is printed on a separate line. You'd have to keep track which PID
accepted which key to be able to tell for which user the key was accepted.

My version added FP information to the "Accepted RSA from ... " (or
equivalent in ssh2) line, so it was "all in one".

Anyway, you probably would not be willing to change your implementation :-)

Michal

From Nicolas.Williams at ubsw.com Sat Feb 2 02:08:36 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Fri, 1 Feb 2002 10:08:36 -0500
Subject: OpenSSH Key Storage
In-Reply-To: <20020201084334.GB13371@faui02>; from markus@openbsd.org on Fri, Feb 01, 2002 at 09:43:35AM +0100
References: <20020201040701.GX26603@godzilla.fibrespeed.net> <20020201084334.GB13371@faui02>
Message-ID: <20020201100834.Z27398@sm2p1386swk.wdr.com>

On Fri, Feb 01, 2002 at 09:43:35AM +0100, Markus Friedl wrote:
> it has been suggested that the server tells the client:
> lookup the hostkey under this 'name'.
> does this really help? doesn't this mean the server
> binds name to key? shouldn't the client do this instead?

SSH RSA/DSA keys are nameless. Whatever name the server tells the client
it has seems to me should be suspect.

> -m

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and delete
this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as
information could be intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses. The sender therefore does not accept
liability for any errors or omissions in the contents of this message which
arise as a result of e-mail transmission. If verification is required please
request a hard-copy version.

This message is provided for informational purposes and should not be
construed as a solicitation or offer to buy or sell any securities or related
financial instruments.

From markus at openbsd.org Sat Feb 2 02:41:28 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 1 Feb 2002 16:41:28 +0100
Subject: signal transmission in ssh2
In-Reply-To: <20020131231913.C28982@foo.birdnet.se>
References: <20020131181824.A14818@folly> <20020131231913.C28982@foo.birdnet.se>
Message-ID: <20020201154128.GA1515@faui02>

On Thu, Jan 31, 2002 at 11:19:13PM +0100, Peter Stuge wrote:
> It's part of the draft, that's reason enough to put it in, IMO.

but it's not a 'must'.

> I like it.
>
> If anyone feels like it, the sig2name/name2sig could be made more complex to
> allow for arbitrary signal passing from a given system to a remote system of
> the same kind, which could be useful.
>
> I'm thinking of the draft text in section 4.10 of the connection protocol;

this is the part that i don't like:

> Additional signal names MAY be sent in the format "sig-name at xyz", where
> `sig-name' and `xyz' may be anything a particular implementor wants (except
> the `@' sign). However, it is suggested that if a `configure' script is
> used, the non-standard signal names it finds be encoded as
> "SIG at xyz.config.guess" where `SIG' is the signal name without the "SIG"
> prefix, and `xyz' be the host type, as determined by `config.guess'.

From mouring at etoh.eviladmin.org Sat Feb 2 02:15:08 2002
From: mouring at etoh.eviladmin.org (mouring)
Date: Fri, 1 Feb 2002 09:15:08 -0600 (CST)
Subject: [PATCH] Added NoDelay config option and nodelay subsystem option
In-Reply-To: from Tobias Ringstrom at "Feb 1, 2002 02:08:20 pm"
Message-ID: <200202011515.g11FF8RI018778@etoh.eviladmin.org>

> On Fri, 1 Feb 2002, Markus Friedl wrote:
>
> > On Fri, Feb 01, 2002 at 11:38:02AM +0100, Tobias Ringstrom wrote:
> > > IMHO, you
> > > would also benefit from a development model with a development and a
> > > stable branch.
> >
> > I don't see why?
> >
> > The OpenSSH-current from the CVS is the development branch.
> > I don't see how this helps for testing your patches. I don't
> > think candidate patches should go into the development
> > before everyone tests the patches. Even patches for
> > the development branch need testing before they get into
> > the development branch.
>
> Testing yes, but how much? I think mailing list members are much more
> likely to test release candidates (or even snapshots) than to patch and
> test individual patches.
>

http://www.openssh.com/portable.html has snapshots every night. Yet no
large mass of people are testing it.

> Basic testing by the developer and a quick review should be enough to
> apply the patch, IMHO. If further user based testing reveals problems,
> they can be fixed, or the patch reverted.
>
> > However, we're going to have a time based release schedule,
> > OpenBSD benefits from this, and OpenSSH will probably, too.
>
> Just add release candidates some time before the release, and I'm sure it
> will work out nicely.
>

There are at least 3 calls I try to make before we release portable tree
asking for people to do compile tests of the current snapshots.. Some
days I hear feedback. Some days I don't. Without flying out to every
person's house on this list and beating them with a blunt object until
they finally download and test there is not much we can do. (Personal
Note: Feel safe.. I'm not a person to do such things.
=)

I always try to get a Linux (Mandrake is this flavor of the month),
OpenStep 4.2, and Solaris 2.5.1 and 7 compiling in before we make a
release. I know a few others in the portable group try to test on
all SCOs before the release, but there are too many possible combinations
to test and I know for a fact I'm not in the position to test everything
from krb4 to s/key at my house (Even if I've compiled s/key in the past to
help debug why it was broken).

Doing OpenSSH-3.1.0-Pre2, pre3, pre4-mouring-fixing-bug release will
not help us. Hell it barely works in the Linux community!!! =)

On a side note: ANY PATCHES THAT ARE NOT IN BUGZILLA WILL/MAY BE LOST.
PLEASE ENSURE THEY GET INTO THE TRACKING SYSTEM.

- Ben

From mbabcock at fibrespeed.net Sat Feb 2 03:30:14 2002
From: mbabcock at fibrespeed.net (Michael T. Babcock)
Date: Fri, 1 Feb 2002 11:30:14 -0500
Subject: OpenSSH Key Storage
In-Reply-To: <013101c1aaf9$0d871620$8201000a@effugas>
References: <20020201040701.GX26603@godzilla.fibrespeed.net> <013101c1aaf9$0d871620$8201000a@effugas>
Message-ID: <20020201163013.GZ26603@godzilla.fibrespeed.net>

> Would you name your web servers after the IP addresses they were on? Ever
> seen an https host named https://443.foobar.com?

That is not an equivalent comparison. Would I use a different SSL
certificate on www.fibrespeed.net:443 and www.fibrespeed.net:444? Yes.
Would I expect the browser to know the difference? Yes.

> Of course not. How you got there is not where you are, when it comes to

Actually, the name you used to get there is all that matters if you're
going to allow connecting to secure sites by name at all. We don't force
people to use ssh 1.2.2.3 , we allow them to say ssh myhost.mydomain.com
-p 1234 and so they should be allowed to expect ssh to know that they're
on "myhost.mydomain.com on port 1234".

> Look. Just because a daemon exists on a host doesn't mean it's necessarily
> that host's daemon, especially if it's not on the standard port, even more
> especially if that port is less than 1024. Port forwarding is a *really
> useful thing*. To wit:

Excuse me, but my server runs SSH on several ports and some of them are
actually TCP redirects to internal servers. That is why I care about this
feature; how I get to those servers is not consistent, but their keys
should all be stored in a way that if I repeat my actions, I'll get no key
warnings.

ssh -p 22 site.domain.com
ssh -p 23 site.domain.com (redirects to site2.domain.com)
ssh -p 22 site2.domain.com

Just because 2 and 3 are the same and have the same key doesn't mean SSH
shouldn't know about the difference between 1 and 2.

I'm ignoring the rest of your rant for the above reasons ...
--
Michael T. Babcock
CTO, FibreSpeed Ltd.
(Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/

From mbabcock at fibrespeed.net Sat Feb 2 03:34:42 2002
From: mbabcock at fibrespeed.net (Michael T. Babcock)
Date: Fri, 1 Feb 2002 11:34:42 -0500
Subject: OpenSSH Key Storage
In-Reply-To: <20020201100834.Z27398@sm2p1386swk.wdr.com>
References: <20020201040701.GX26603@godzilla.fibrespeed.net> <20020201084334.GB13371@faui02> <20020201100834.Z27398@sm2p1386swk.wdr.com>
Message-ID: <20020201163442.GB26603@godzilla.fibrespeed.net>

On Fri, Feb 01, 2002 at 10:08:36AM -0500, Nicolas Williams wrote:
> On Fri, Feb 01, 2002 at 09:43:35AM +0100, Markus Friedl wrote:
> > it has been suggested that the server tells the client:
> > lookup the hostkey under this 'name'.
> > does this really help? doesn't this mean the server
> > binds name to key? shouldn't the client do this instead?
>
> SSH RSA/DSA keys are nameless. Whatever name the server tells the client
> it has seems to me should be suspect.

I agree wholly; the client should track each unique connection description
in its known hosts file(s). Connecting differently to the same host
(different ports are the only way to change your connection in TCP/IP in
this way) should lead to different stored key lines.
--
Michael T. Babcock
CTO, FibreSpeed Ltd.
(Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/

From vinschen at redhat.com Sat Feb 2 03:37:26 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Fri, 1 Feb 2002 17:37:26 +0100
Subject: [PATCH] Added NoDelay config option and nodelay subsystem option
In-Reply-To: <200202011515.g11FF8RI018778@etoh.eviladmin.org>
References: <200202011515.g11FF8RI018778@etoh.eviladmin.org>
Message-ID: <20020201173726.B7566@cygbert.vinschen.de>

On Fri, Feb 01, 2002 at 09:15:08AM -0600, mouring wrote:
> There are at least 3 calls I try to make before we release portable tree
> asking for people to do compile tests of the current snapshots.. Some
> days I hear feedback. Some days I don't. Without flying out to every
> person's house on this list and beating them with a blunt object until
> they finally download and test there is not much we can do. (Personal
> Note: Feel safe.. I'm not a person to do such things. =)
>
> I always try to get a Linux (Mandrake is this flavor of the month),
> OpenStep 4.2, and Solaris 2.5.1 and 7 compiling in before we make a
> release. I know a few others in the portable group try to test on
> all SCOs before the release, but there are too many possible combinations
> to test and I know for a fact I'm not in the position to test everything
> from krb4 to s/key at my house (Even if I've compiled s/key in the past to
> help debug why it was broken).
>
> Doing OpenSSH-3.1.0-Pre2, pre3, pre4-mouring-fixing-bug release will
> not help us. Hell it barely works in the Linux community!!! =)

Huh? I didn't miss such a call for post 3.0.2p1, did I?

I'm always keen to test if it still builds and runs on Cygwin, obviously,
so I'm very interested in that call for testing. I'm subscribed to
openssh-unix-dev since nearly two years now and at least two times I was
surprised to see that a new version has been released. I expected to get
that call in this forum but there it was, version X.YpZ without an explicit
call for testing.

I can't keep track of all threads so I'd really appreciate a mail which
calls for testing with a non-ambiguous subject.
And a final note that version X.YpZ has been released would be nice, too.

Thanks,
Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From jblaine at linus.mitre.org Sat Feb 2 03:56:30 2002
From: jblaine at linus.mitre.org (Jeff Blaine)
Date: Fri, 1 Feb 2002 11:56:30 -0500 (EST)
Subject: 3.0.2p1 under IRIX (coredumps)
Message-ID:

Hello,

I am unable to build a working OpenSSH 3.0.2p1 for IRIX 6.5 using either

1. gcc 2.95.3 + binutils 2.11.2
2. SGI MIPSpro cc, CC=cc, LD=/usr/bin/ld, CFLAGS='-mips3 -n32'

Under both setups:

- zlib seems to build fine
- OpenSSL seems to build fine and tests out okay
- OpenSSH builds, and then:

openssh-3.0.2p1 % ./ssh -v myhost
Trace/BPT/RangeErr/DivZero/Ovflow trap (core dumped)
openssh-3.0.2p1 %
openssh-3.0.2p1 % ls -ld core
-rw-r--r--    1 jblaine  nuucp     393216 Feb  1 11:51 core
openssh-3.0.2p1 % dbx ./ssh
dbx version 7.3 MR 55458_Apr30_MR Apr 30 1999 13:44:41
Unable to find or process rld object list at address 0x0:( dbx internal status code 7)
Core file does not correspond to executable
Executable /afs/rcf.mitre.org/system/src/local/ssh/030/openssh-3.0.2p1/./ssh
(dbx) run
Process 241534 (ssh) started
Process 241534 (ssh) stopped on signal SIGTRAP: Trace/BPT trap at [:0 ,0x1001bfc8]
(dbx)

- Building on another box (IP23) in /tmp instead of in AFS space gives me
  the same exact results.

Could someone please tell me how to get this to build and run?

From djast at cs.toronto.edu Sat Feb 2 04:00:34 2002
From: djast at cs.toronto.edu (Dan Astoorian)
Date: Fri, 1 Feb 2002 12:00:34 -0500
Subject: OpenSSH Key Storage
In-Reply-To: Your message of "Fri, 01 Feb 2002 03:43:35 EST." <20020201084334.GB13371@faui02>
Message-ID: <02Feb1.120040edt.453147-1882@jane.cs.toronto.edu>

On Fri, 01 Feb 2002 03:43:35 EST, Markus Friedl writes:
> if i connect to
> 	folly.openssh.com
> then i want the host key verified against the entry for
> 	folly.openssh.com

This might be a silly question:

The ssh client looks up the name provided on the command line in the
known_hosts databases, and compares the key provided by the server against
the one looked up.

Might it not make more sense for the mapping to happen in the other
direction? I.e., to look up the key provided by the server to get a list of
known names and addresses associated with it?

That way, if I type

	ssh -p 2202 proxy.example.com

and that ultimately gets to folly.openssh.com:22, then the SSH client could
issue a warning like

	"You have requested a connection to proxy.example.com, but the host
	you have connected to identifies itself with the host key belonging
	to folly.openssh.com. Are you sure you want to continue connecting?"

Optionally, there could be a mechanism for the client to remember this
equivalence.

I think this behaviour could be an improvement over the current behaviour
of saying the host is simply unknown. (I frequently get
"authenticity...can't be established" warnings because I used a
partially-qualified name or a CNAME for a host I've connected to before.)

It may not be trivial to implement this behaviour, however.

--
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all. It's
djast at cs.toronto.edu        not, it's better to have loved and won. All
www.cs.toronto.edu/~djast/  the other options really suck. --Dan Redican

From markus at openbsd.org Sat Feb 2 04:14:03 2002
From: markus at openbsd.org (Markus Friedl) Date: Fri, 1 Feb 2002 18:14:03 +0100 Subject: ANNOUNCE: PRE-release of lsftp (fwd) Message-ID: <20020201181403.B2563@folly> fyi -------------- next part -------------- An embedded message was scrubbed... From: "Pontus =?iso-8859-1?q?Sk=F6ld?=" Subject: ANNOUNCE: PRE-release of lsftp Date: 01 Feb 2002 14:03:21 +0100 Size: 3822 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020201/fee9d9bd/attachment.mht From Nicolas.Williams at ubsw.com Sat Feb 2 05:10:57 2002 From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Fri, 1 Feb 2002 13:10:57 -0500 Subject: FEATURE: -f -f - fork after successful open of fwd port/display/agent Message-ID: <20020201131056.A27398@sm2p1386swk.wdr.com> Background ========== "ssh -f ..." causes ssh to fork into the background when userauth successfully completes. WHAT === With this patch "ssh -f -f ..." causes ssh to fork into the background when the first forwarded port/x11 display/agent is successfully opened. WHY === This feature makes launching remote X11 apps more reliable: when ssh exits it must have exited because the app exited, and you can observe the error messages / exit status, OR because the app opened the display, meaning it can now display any future errors. **** ALSO, "ssh -f -f ..." actually detaches from the tty, and it closes the session channel correctly. Please see the forkoff() function added to clientloop.c: it correctly closes the channel for the SSHv2 session. Comments? Nico -- -DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- -------------- next part -------------- Index: 3_0_2p1.1/ssh.c --- 3_0_2p1.1/ssh.c Wed, 21 Nov 2001 10:38:46 -0500 +++ 3_0_2p1_double_dash_f.1/ssh.c Fri, 01 Feb 2002 12:59:13 -0500 
@@ -111,6 +111,7 @@ * background. */ int fork_after_authentication_flag = 0; +int wait_for_port_open_before_fork = 0; /* * General data structure for command line options and options configurable @@ -330,6 +331,8 @@ stdin_null_flag = 1; break; case 'f': + if (fork_after_authentication_flag) + wait_for_port_open_before_fork = 1; fork_after_authentication_flag = 1; stdin_null_flag = 1; break; @@ -1164,7 +1167,7 @@ id = ssh_session2_open(); /* If requested, let ssh continue in the background. */ - if (fork_after_authentication_flag) + if (fork_after_authentication_flag && !wait_for_port_open_before_fork) if (daemon(1, 1) < 0) fatal("daemon() failed: %.200s", strerror(errno)); Index: 3_0_2p1.1/clientloop.c --- 3_0_2p1.1/clientloop.c Wed, 21 Nov 2001 10:38:46 -0500 +++ 3_0_2p1_double_dash_f.1/clientloop.c Fri, 01 Feb 2002 12:59:13 -0500 @@ -95,6 +95,9 @@ */ extern char *host; +extern int fork_after_authentication_flag; +extern int wait_for_port_open_before_fork; + /* * Flag to indicate that we have received a window change signal which has * not yet been processed. This will cause a message indicating the new 
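Review bot: the second -f is undocumented; the `case 'f':` hunk in ssh.c gives a repeated flag a new meaning, but neither usage() nor ssh.1 is touched in this patch, so both need a line describing `-f -f` as "fork after the first forwarded port, X11 display or agent channel is opened". Two smaller points on the same hunks: a third -f is indistinguishable from two (a `wait_for_port_open_before_fork` already set is simply set again), which is fine if intended but worth a comment; and the `if (fork_after_authentication_flag && !wait_for_port_open_before_fork)` change only covers the daemon() call after `ssh_session2_open()`, so if the protocol 1 path backgrounds through a separate daemon() call, that call still fires at userauth time and the `!compat20` branch in forkoff() is never reached.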
@@ -1007,6 +1010,80 @@ /*********/ +/* + * Detach the program (continue to serve connections, + * but put in background and no more new connections). + */ +static +void +forkoff(int stop_listening, int detach) +{ + pid_t pid; + int fd; + Channel *c; + + /* Restore tty modes. */ + leave_raw_mode(); + + /* Stop listening for new connections. */ + if (stop_listening) + channel_stop_listening(); + + fprintf(stderr, "Forking off into the background - %s", + stop_listening ? "no longer listening" : "still listening"); + + /* Fork into background. */ + pid = fork(); + if (pid < 0) { + error("fork: %.100s", strerror(errno)); + return; + } + if (pid != 0) { /* This is the parent. */ + /* The parent just exits. */ + exit(0); + } + + c = channel_lookup(session_ident); + if (c == NULL) + error("couldn't lookup session channel"); + + /* The child continues serving connections. */ + /* fake EOF on stdin */ + if (compat20) { + buffer_append(&stdin_buffer, "\004", 1); + } else if (!stdin_eof) { + /* + * Sending SSH_CMSG_EOF alone does not always appear + * to be enough. So we try to send an EOF character + * first. + */ + packet_start(SSH_CMSG_STDIN_DATA); + packet_put_string("\004", 1); + packet_send(); + /* Close stdin. */ + stdin_eof = 1; + if (buffer_len(&stdin_buffer) == 0) { + packet_start(SSH_CMSG_EOF); + packet_send(); + } + } + + if (detach) { + chan_read_failed(c); + chan_write_failed(c); + channel_close_fds(c); + fd = open(_PATH_DEVNULL, O_RDWR, 0); + if (fd < 0) + return; + (void) dup2(fd, STDIN_FILENO); + (void) dup2(fd, STDOUT_FILENO); + (void) dup2(fd, STDERR_FILENO); + if (fd > 2) + (void) close(fd); + (void) setsid(); + } +} + static void client_input_stdout_data(int type, int plen, void *ctxt) { 
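Review bot: forkoff() in clientloop.c dereferences a NULL Channel: after `c = channel_lookup(session_ident); if (c == NULL) error(...)` the code only logs and, when `detach` is set, goes on to call `chan_read_failed(c)`, `chan_write_failed(c)` and `channel_close_fds(c)` on the NULL pointer. Do the lookup before the fork() and `return` on failure, so a failed lookup neither crashes the child nor makes the parent exit(0) first. Also in this hunk: neither `fork_after_authentication_flag` nor `wait_for_port_open_before_fork` is cleared once the child continues, so nothing stops forkoff() from running again on the next successful channel open and forking a second time (clear both at the top, or return early if already forked); and the `fprintf(stderr, "Forking off into the background - %s", ...)` message has no trailing newline.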
@@ -1187,6 +1264,8 @@ packet_put_int(c->local_maxpacket); packet_send(); } + if (fork_after_authentication_flag && wait_for_port_open_before_fork) + forkoff(0, 1); } else { debug("failure %s", ctype); packet_start(SSH2_MSG_CHANNEL_OPEN_FAILURE); Index: 3_0_2p1.1/channels.h --- 3_0_2p1.1/channels.h Wed, 21 Nov 2001 10:38:46 -0500 +++ 3_0_2p1_double_dash_f.1/channels.h Fri, 01 Feb 2002 12:59:13 -0500 @@ -153,6 +153,7 @@ void channel_register_filter(int, channel_filter_fn *); void channel_cancel_cleanup(int); int channel_close_fd(int *); +void channel_close_fds(Channel *); /* protocol handler */ Index: 3_0_2p1.1/channels.c --- 3_0_2p1.1/channels.c Wed, 21 Nov 2001 10:38:46 -0500 +++ 3_0_2p1_double_dash_f.1/channels.c Fri, 01 Feb 2002 12:59:13 -0500 @@ -301,7 +301,7 @@ /* Close all channel fd/socket. */ -static void +void channel_close_fds(Channel *c) { debug3("channel_close_fds: channel %d: r %d w %d e %d", -------------- next part -------------- Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. From carson at taltos.org Sat Feb 2 05:18:08 2002 
From: carson at taltos.org (Carson Gaspar)
Date: Fri, 01 Feb 2002 13:18:08 -0500
Subject: OpenSSH Key Storage
Message-ID: <11158775.1012569488@[172.25.113.221]>

If you want to bind identity to a server, you have only 2 valid options:

- Pass the server's identity in-band, and have the client use that when
  validating keys. This avoids a layering violation.
- Have the client validate the key against the layer 3/4 info - i.e. the
  IP:PORT pair.

Nothing else is sane. Servers on different ports are different servers, that
may, or may not, have the same keys. Requiring config file gymnastics is
bogus.

Sadly, after reading the RFC, it looks like the server never sends its name
during the key exchange, making the first (and better) option impossible. I
hope I'm wrong and just mis-understood the documents.

--
Carson

From mbabcock at fibrespeed.net Sat Feb 2 05:19:11 2002
From: mbabcock at fibrespeed.net (Michael T. Babcock)
Date: Fri, 1 Feb 2002 13:19:11 -0500
Subject: OpenSSH Key Storage
Message-ID: <20020201181911.GK26603@godzilla.fibrespeed.net>

On Fri, Feb 01, 2002 at 07:04:36PM +0100, Markus Friedl wrote:
> > No, you're blaming that supposed behaviour incorrectly; that
> > would happen already if the user connected to that machine that
> > way. In fact, if I connect to my server on a different port, it
> > tells me the key has changed -- which it hasn't; it's just a different
> > session.
>
> well, how should ssh know?

SSH should know that a connection is a remote host + ip pair, the same as
TCP does, which SSH rides on. Host+IP is how all connections in TCP are
described; we all know that. How the user connects to the remote machine is
what is important; if I connect using an alias "Comp1" then I configure
that and go. If I connect using specified ports, that should work equally
well. You're confusing user behaviour and software behaviour I think.

> > This is fixed manually with the config file, but the behaviour you
> > describe could happen _now_, with or without my proposed change.
>
> well, but your proposed change encourages this behaviour, while
> HostKeyAlias does not.

No, my proposed change simply decreases the need for HostKeyAlias which you
seem to like (and I don't think should be necessary in many cases). My
proposal means that users (who have situations like the one I described)
don't have to contend with OpenSSH claiming their host key has changed;
this leads to people just always saying "yes" to the verification prompt
and decreases secure usage.

I cannot think of a good reason _not_ to support the storage of keys on a
host+ip basis. It does not, in any case described, decrease security from
what we have now and I believe it increases security.
--
Michael T. Babcock
CTO, FibreSpeed Ltd.
(Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/

From carson at taltos.org Sat Feb 2 05:22:35 2002
From: carson at taltos.org (Carson Gaspar)
Date: Fri, 01 Feb 2002 13:22:35 -0500
Subject: OpenSSH Key Storage
In-Reply-To: <20020201084334.GB13371@faui02>
References: <20020201084334.GB13371@faui02>
Message-ID: <11425218.1012569755@[172.25.113.221]>

--On Friday, February 01, 2002 9:43 AM +0100 Markus Friedl wrote:

> it has been suggested that the server tells the client:
> lookup the hostkey under this 'name'.
> does this really help? doesn't this mean the server
> binds name to key? shouldn't the client do this instead?

No. Because the client can't. It doesn't have enough information. You can
hack it into the client statically via the current alias mechanism, but it
is amazingly fragile and breaks if anything changes.

The server, on the other hand, knows its identity. And proves it with its
keypair. A rogue host can claim to be mine, but the keypair won't match.

Now, you can try to use DNS as a sucky insecure CA, but is that _really_ a
good idea?

--
Carson

From carson at taltos.org Sat Feb 2 05:26:15 2002
From: carson at taltos.org (Carson Gaspar)
Date: Fri, 01 Feb 2002 13:26:15 -0500
Subject: OpenSSH Key Storage
In-Reply-To: <20020201100834.Z27398@sm2p1386swk.wdr.com>
References: <20020201100834.Z27398@sm2p1386swk.wdr.com>
Message-ID: <11644614.1012569974@[172.25.113.221]>

--On Friday, February 01, 2002 10:08 AM -0500 Nicolas Williams wrote:

> SSH RSA/DSA keys are nameless. Whatever name the server tells the client
> it has seems to me should be suspect.

Of course it's suspect. Which is why the client must validate the host key.
Possession of the key material _is_ identity, as far as SSH is concerned.
Anything else requires a trusted third party. A kerberos KDC is a good
trusted third party. A CA is a semi-trusted third party, in my opinion. The
global DNS is an almost completely untrusted third party. Which one do you
propose using?

--
Carson

From bugzilla-daemon at mindrot.org Sat Feb 2 05:39:07 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 2 Feb 2002 05:39:07 +1100 (EST)
Subject: [Bug 92] New: Feature: -f -f, like -f, but fork() after port/display/agent open
Message-ID: <20020201183907.D57D9EC54@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=92

           Summary: Feature: -f -f, like -f, but fork() after port/display/agent open
           Product: Portable OpenSSH
           Version: 3.0.2p1
          Platform: All
               URL: http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=101258768002274&w=2
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: Nicolas.Williams at ubsw.com

New ssh option, "-f -f", like "-f", but fork() after the first successful
forwarded port/display/agent channel open.

The idea is that a successful forwarded port/display/agent channel open
implies that the remote command started successfully and can report errors
in some manner other than by writing to stderr or exiting with a non-zero
exit code. So that is a great time for ssh to fork() off.

Also see new forkoff() function added to clientloop.c - it correctly, I
think, closes the session channel.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From markus at openbsd.org Sat Feb 2 05:37:20 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 1 Feb 2002 19:37:20 +0100
Subject: OpenSSH Key Storage
In-Reply-To: <11158775.1012569488@[172.25.113.221]>
References: <11158775.1012569488@[172.25.113.221]>
Message-ID: <20020201183720.GC14164@faui02>

On Fri, Feb 01, 2002 at 01:18:08PM -0500, Carson Gaspar wrote:
> Sadly, after reading the RFC, it looks like the server never sends its name
> during the key exchange, making the first (and better) option impossible. I
> hope I'm wrong and just mis-understood the documents.

why should the server send its name? if you trust the name
the server sends, then you can trust the key, too.

From carson at taltos.org Sat Feb 2 05:58:22 2002
From: carson at taltos.org (Carson Gaspar)
Date: Fri, 01 Feb 2002 13:58:22 -0500
Subject: OpenSSH Key Storage
In-Reply-To: <20020201183720.GC14164@faui02>
References: <20020201183720.GC14164@faui02>
Message-ID: <13571414.1012571901@[172.25.113.221]>

--On Friday, February 01, 2002 7:37 PM +0100 Markus Friedl wrote:

> On Fri, Feb 01, 2002 at 01:18:08PM -0500, Carson Gaspar wrote:
>> Sadly, after reading the RFC, it looks like the server never sends its
>> name during the key exchange, making the first (and better) option
>> impossible. I hope I'm wrong and just mis-understood the documents.
>
> why should the server send its name? if you trust the name
> the server sends, then you can trust the key, too.

I'm not _sure_ I understand. Are you saying that:

(a)
- receive the host key
- if the host key exists in known_hosts, trust it.

is equivalent to:

(b)
- receive the name and host key
- if the name/key pair exists in known_hosts, trust it

?

Hmmm.... it may be. Let's look at what happens now:

(c)
- receive the host key
- if the (name|ip)/key pair exists in known_hosts, trust it

Let's examine the threat model:

Previous known_hosts entry:

- Attacker spoofs host, without stealing key.
  (a) issues unknown host warning.
  (b) and (c) issue host key changed warnings.
- Attacker spoofs host, after stealing key.
  None of the methods issue a warning.
- Attacker steals key, but does not spoof IP address or DNS entry.
  (c) treats as new key.

No previous known_hosts entry:

- Attacker spoofs host, with or without key
  All 3 methods issue unknown host warning.

So I think (a) differs from (b) in 2 ways:

- (b) allows ssh to differentiate identity key changes from new identities.
- (b) allows ssh to present the identity in a human-friendly format.

(b) differs from (c) as follows:

- (c) has the IP or DNS external binding validation (which could optionally
  be applied as an extension to (b)), but I assert that it adds dubious
  extra security.
- (c) cannot determine if different IP:PORT pairs, or different names, or
  sets of names and IP:PORT pairs are the same identity without manual
  configuration

Can anyone find a flaw in my analysis? Did I miss any corner cases?

--
Carson

From Nicolas.Williams at ubsw.com Sat Feb 2 06:10:09 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Fri, 1 Feb 2002 14:10:09 -0500
Subject: OpenSSH Key Storage
In-Reply-To: <11644614.1012569974@[172.25.113.221]>; from carson@taltos.org on Fri, Feb 01, 2002 at 01:26:15PM -0500
References: <20020201100834.Z27398@sm2p1386swk.wdr.com> <11644614.1012569974@[172.25.113.221]>
Message-ID: <20020201141008.B27398@sm2p1386swk.wdr.com>

On Fri, Feb 01, 2002 at 01:26:15PM -0500, Carson Gaspar wrote:
>
> --On Friday, February 01, 2002 10:08 AM -0500 Nicolas Williams wrote:
>
> > SSH RSA/DSA keys are nameless. Whatever name the server tells the client
> > it has seems to me should be suspect.
>
> Of course it's suspect. Which is why the client must validate the host key.
> Possession of the key material _is_ identity, as far as SSH is concerned.
> Anything else requires a trusted third party. A kerberos KDC is a good
> trusted third party. A CA is a semi-trusted third party, in my opinion. The
> global DNS is an almost completely untrusted third party. Which one do you
> propose using?

I proposed nothing :)

But I do use Kerberos (with OpenSSH too).

> --
> Carson

Nico
-- 
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only for
the individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as
information could be intercepted, corrupted, lost, destroyed, arrive late
or incomplete, or contain viruses. The sender therefore does not accept
liability for any errors or omissions in the contents of this message
which arise as a result of e-mail transmission. If verification is
required please request a hard-copy version. This message is provided for
informational purposes and should not be construed as a solicitation or
offer to buy or sell any securities or related financial instruments.

From bugzilla-daemon at mindrot.org Sat Feb 2 06:23:30 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 2 Feb 2002 06:23:30 +1100 (EST)
Subject: [Bug 92] Feature: -f -f, like -f, but fork() after port/display/agent open
Message-ID: <20020201192330.1F095EC5B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=92

------- Additional Comments From Nicolas.Williams at ubsw.com 2002-02-02 06:23 -------
Created an attachment (id=15)
feature patch for -f -f

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Nicolas.Williams at ubsw.com Sat Feb 2 06:37:19 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Fri, 1 Feb 2002 14:37:19 -0500
Subject: OpenSSH Key Storage
In-Reply-To: <13571414.1012571901@[172.25.113.221]>; from carson@taltos.org on Fri, Feb 01, 2002 at 01:58:22PM -0500
References: <20020201183720.GC14164@faui02> <13571414.1012571901@[172.25.113.221]>
Message-ID: <20020201143717.C27398@sm2p1386swk.wdr.com>

On Fri, Feb 01, 2002 at 01:58:22PM -0500, Carson Gaspar wrote:
> Can anyone find a flaw in my analysis? Did I miss any corner cases?

With (b) the client can verify that the server is who it claims to be,
but not whether that is who the user wanted to connect to. So an
attacker could redirect the client to a different host than the user
meant, and the client will think all's ok.

The client would have to check that the server's claimed name is
different than the one the user asked for and would then have to prompt
the user - or look up the server's claimed name in an aliases list and
check the user's requested server name against the server's aliases.

Let's not kid ourselves - if you use DNS and not DNSSEC or something
better, then you have the same problem: an attacker can spoof a DNS
response while ssh is looking up the user's requested server name and
point the ssh client at a different host without the client or the user
being any the wiser.

BUT, DNS spoofing is a problem external to SSH and can be fixed without
changing SSH.

> --
> Carson

Cheers,

Nico
-- 
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

From janfrode at parallab.uib.no Sat Feb 2 07:13:06 2002
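The three trust policies Carson Gaspar labels (a), (b) and (c), and the redirect case Nicolas Williams raises against (b), can be modelled in a few lines. The following is an added illustration written for this archive page, not OpenSSH's known_hosts code; the host names, addresses and "KEY_*" strings are constructed stand-ins, and the known_hosts list is a constructed fixture. The only difference between (b) and (c) in this model is who supplies the lookup name: the server (b) or the user (c), and that one difference is what produces every divergence in the threat table.

```python
# Added illustration of the known_hosts trust policies (a), (b), (c) discussed
# in this thread, plus the "redirect to another legitimate host" case.
# Editor-written model code, not OpenSSH's; all hosts and keys are constructed.

UNKNOWN = "unknown host warning"
CHANGED = "host key changed warning"
OK = "trusted"

# Constructed known_hosts: each entry pairs the set of names/addresses a host
# has been seen under with the (stand-in) key it presented.
KNOWN_HOSTS = [
    ({"db.example", "192.0.2.10"}, "KEY_DB"),
    ({"web.example", "192.0.2.20"}, "KEY_WEB"),
]


def policy_a(known, offered_key):
    """(a): trust any key that appears anywhere in known_hosts, names ignored."""
    return OK if any(key == offered_key for _, key in known) else UNKNOWN


def lookup(known, name, offered_key):
    """Shared lookup for (b) and (c): find the entry for `name`, compare keys."""
    for names, key in known:
        if name in names:
            return OK if key == offered_key else CHANGED
    return UNKNOWN


def policy_b(known, claimed_name, offered_key):
    """(b): the *server* supplies the lookup name along with its key."""
    return lookup(known, claimed_name, offered_key)


def policy_c(known, requested_name, offered_key):
    """(c): current ssh behaviour; the lookup name is what the *user* typed."""
    return lookup(known, requested_name, offered_key)


def scenarios(known=KNOWN_HOSTS):
    """Outcome of each threat-model case as an (a, b, c) triple."""
    out = {}
    # User asks for db.example; an impostor answers with its own key.
    out["spoof, key not stolen"] = (
        policy_a(known, "KEY_EVIL"),
        policy_b(known, "db.example", "KEY_EVIL"),
        policy_c(known, "db.example", "KEY_EVIL"),
    )
    # Impostor holds db's private key and also answers for db's address.
    out["spoof, key stolen"] = (
        policy_a(known, "KEY_DB"),
        policy_b(known, "db.example", "KEY_DB"),
        policy_c(known, "db.example", "KEY_DB"),
    )
    # db's key is reused from an address the client has never seen.
    out["stolen key, new address"] = (
        policy_a(known, "KEY_DB"),
        policy_b(known, "db.example", "KEY_DB"),
        policy_c(known, "198.51.100.7", "KEY_DB"),
    )
    # A host with no prior entry at all.
    out["no prior entry"] = (
        policy_a(known, "KEY_NEW"),
        policy_b(known, "new.example", "KEY_NEW"),
        policy_c(known, "new.example", "KEY_NEW"),
    )
    # Nicolas's case: the user asked for db.example but the connection
    # ended up at web.example, a legitimate host presenting its real key.
    out["redirect to other known host"] = (
        policy_a(known, "KEY_WEB"),
        policy_b(known, "web.example", "KEY_WEB"),
        policy_c(known, "db.example", "KEY_WEB"),
    )
    return out


if __name__ == "__main__":
    for case, (a, b, c) in scenarios().items():
        print(f"{case:30}  a={a:26} b={b:26} c={c}")
```

Running it reproduces Carson's table row by row (only (c) flags the stolen key served from a new address, and nothing flags a stolen key served from the right address), and adds the last row: under (b) a redirect to a different known host is simply "trusted", while (c) reports a changed key because the user's name, not the server's, selected the known_hosts entry.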
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Fri, 1 Feb 2002 21:13:06 +0100
Subject: 3.0.2p1 under IRIX (coredumps)
In-Reply-To:
References:
Message-ID: <20020201201306.GA21180@ii.uib.no>

On Fri, Feb 01, 2002 at 11:56:30AM -0500, Jeff Blaine wrote:
> Hello,
>
> I am unable to build a working OpenSSH 3.0.2p1 for IRIX 6.5 using either
>
> 1. gcc 2.95.3 + binutils 2.11.2
>
> 2. SGI MIPSpro cc, CC=cc, LD=/usr/bin/ld, CFLAGS='-mips3 -n32'
>

I don't know why it fails for you, but here's a tarball of my build:

ftp://ftp.ii.uib.no/pub/janfrode/openssh-3.0.2p1-bin.tar.gz

OpenSSH has been configured with the following options:
                     User binaries: /usr/openssh/bin
                   System binaries: /usr/openssh/sbin
               Configuration files: /usr/openssh/etc
                   Askpass program: /usr/openssh/libexec/ssh-askpass
                      Manual pages: /usr/openssh/man/manX
                          PID file: /usr/openssh/etc
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/openssh/bin
          Random number collection: Builtin (timeout 200)
                    Manpage format: man
                       PAM support: no
                KerberosIV support: no
                 Smartcard support: no
                       AFS support: no
                     S/KEY support: no
              TCP Wrappers support: no
              MD5 password support: no
       IP address in $DISPLAY hack: no
          Use IPv4 by default hack: no
           Translate v4 in v6 hack: no

              Host: mips-sgi-irix6.2
          Compiler: cc
    Compiler flags: -g
Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include
      Linker flags: -L/usr/local/ssl/lib
         Libraries: -lz -lgen -lcrypto

'make install' puts everything under /usr/openssh/. Hope this helps..

-jf

From mouring at etoh.eviladmin.org Sat Feb 2 06:52:39 2002
From: mouring at etoh.eviladmin.org (mouring)
Date: Fri, 1 Feb 2002 13:52:39 -0600 (CST)
Subject: [PATCH] Added NoDelay config option and nodelay subsystem option
In-Reply-To: <20020201173726.B7566@cygbert.vinschen.de> from Corinna Vinschen at "Feb 1, 2002 05:37:26 pm"
Message-ID: <200202011952.g11JqdcI018964@etoh.eviladmin.org>

> Huh? I didn't miss such a call for post 3.0.2p1, did I? I'm always
> keen to test if it still builds and run on Cygwin, obviously, so I'm
> very interested in that call for testing.
>
> I'm subscribed to openssh-unix-dev since nearly two years now and at
> least two times I was surprised to see that a new version has been
> released. I expected to get that call in this forum but there it was,
> version X.YpZ without an explicit call for testing. I can't keep
> track of all threads so I'd really appreciate a mail which calls for
> testing with a non-ambiguous subject. And a final note that version
> X.YpZ has been released would be nice, too.
>

3.0.2p1 I had very little involvement with. I was handling personal
issues. Around the 2.5.x and above releases when I could get an answer
as to when we considered releasing it I would call for testers of the
CVS tree. Or we have called at random times for testing after major
disruption of the code.

I don't think I'll have much involvement in the 3.1 release since I'm
still dealing with houses, new dead servers, and insurance companies
(almost as bad as lawyers some days =). However, for the majority of the
2.5.x+ releases I've made a post two weeks out from when the original
date was set to release. =)

Trust me, I'm not ragging on anyone directly on this list. I know some
people quietly are testing and I am very grateful. Lack of bug reports
could also be people got frustrated because we would lose patches after
testing. However I'm hoping with bugzilla we at least have them with the
original report (which should HOPEFULLY save me from having 200+ email
in my mailbox with unknown status).

And the fact that we are getting down to a SINGLE portable release per
OpenBSD release shows either stable code or enough testing to catch
bugs.

- Ben

From jblaine at linus.mitre.org Sat Feb 2 07:54:19 2002
From: jblaine at linus.mitre.org (Jeff Blaine)
Date: Fri, 1 Feb 2002 15:54:19 -0500 (EST)
Subject: 3.0.2p1 under IRIX (coredumps)
In-Reply-To: <20020201201306.GA21180@ii.uib.no>
Message-ID:

Jan-Frode,

I certainly appreciate the offer and any time you put into it, but for
security reasons I need to build something like this from source code.
I wish I could use your build and be done with it, but it's just not an
option for us.

Again, thank you though!

> On Fri, Feb 01, 2002 at 11:56:30AM -0500, Jeff Blaine wrote:
> > Hello,
> >
> > I am unable to build a working OpenSSH 3.0.2p1 for IRIX 6.5 using either
> >
> > 1. gcc 2.95.3 + binutils 2.11.2
> >
> > 2. SGI MIPSpro cc, CC=cc, LD=/usr/bin/ld, CFLAGS='-mips3 -n32'
> >
>
> I don't know why it fails for you, but here's a tarball of my build:
>...
> 'make install' puts everything under /usr/openssh/. Hope this helps..

From vinschen at redhat.com Sat Feb 2 08:10:45 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Fri, 1 Feb 2002 22:10:45 +0100
Subject: [PATCH] Added NoDelay config option and nodelay subsystem option
In-Reply-To: <200202011952.g11JqdcI018964@etoh.eviladmin.org>
References: <20020201173726.B7566@cygbert.vinschen.de> <200202011952.g11JqdcI018964@etoh.eviladmin.org>
Message-ID: <20020201221045.E11608@cygbert.vinschen.de>

On Fri, Feb 01, 2002 at 01:52:39PM -0600, mouring wrote:
> > Huh? I didn't miss such a call for post 3.0.2p1, did I? I'm always
> > keen to test if it still builds and run on Cygwin, obviously, so I'm
> > very interested in that call for testing.
> >
> > I'm subscribed to openssh-unix-dev since nearly two years now and at
> > least two times I was surprised to see that a new version has been
> > released. I expected to get that call in this forum but there it was,
> > version X.YpZ without an explicit call for testing. I can't keep
> > track of all threads so I'd really appreciate a mail which calls for
> > testing with a non-ambiguous subject. And a final note that version
> > X.YpZ has been released would be nice, too.
> >
>
> 3.0.2p1 I had very little involvement with. I was handling personal issues.
> [...]

I didn't intend to accuse you of doing or not doing something. I don't
mean you should be personally responsible for sending specific types of
organisational mailings. It's just hard to follow sometimes when
specific announcements are missing.

I'm just a porter to *one* platform. I'm not subscribed to the other
openssh mailing lists since I'm only interested in the `portable' aspect
of OpenSSH (sure I'm using it daily, but..., you know...). And I really
like to have the latest version available for the Cygwin users.

Corinna

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From bugzilla-daemon at mindrot.org Sat Feb 2 08:44:07 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 2 Feb 2002 08:44:07 +1100 (EST)
Subject: [Bug 93] New: Added ability for ssh-add to parse config files to retrieve a list of valid IdentityFiles.
Message-ID: <20020201214407.4474EE904@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=93

           Summary: Added ability for ssh-add to parse config files to
                    retrieve a list of valid IdentityFiles.
           Product: Portable OpenSSH
           Version: 3.0.2p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: ssh-add
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: jprondak at visualmedia.com

This patch allows ssh-add to try and load all the identity files listed
in ssh_config or ~/.ssh/config. In addition ssh-add will try and use
passphrases from a previous key first before prompting for a passphrase
(only if there is more than one IdentityFile listed).

From bugzilla-daemon at mindrot.org Sat Feb 2 08:45:45 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 2 Feb 2002 08:45:45 +1100 (EST)
Subject: [Bug 93] Added ability for ssh-add to parse config files to retrieve a list of valid IdentityFiles.
Message-ID: <20020201214545.090B9E986@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=93

------- Additional Comments From jprondak at visualmedia.com 2002-02-02 08:45 -------
Created an attachment (id=16)
ssh-add.c patch to search ssh_config for IdentityFile(s)

From fcusack at fcusack.com Sat Feb 2 08:38:40 2002
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri, 1 Feb 2002 13:38:40 -0800
Subject: FEATURE: -f -f - fork after successful open of fwd port/display/agent
In-Reply-To: <20020201131056.A27398@sm2p1386swk.wdr.com>; from Nicolas.Williams@ubsw.com on Fri, Feb 01, 2002 at 01:10:57PM -0500
References: <20020201131056.A27398@sm2p1386swk.wdr.com>
Message-ID: <20020201133839.R3915@google.com>

On Fri, Feb 01, 2002 at 01:10:57PM -0500, Nicolas Williams wrote:
> ALSO, "ssh -f -f ..." actually detaches from the tty, and it closes the
> session channel correctly.
>
> Please see the forkoff() function added to clientloop.c: it correctly
> closes the channel for the SSHv2 session.
>
> Comments?

"-f -f" is fairly ugly.

/fc

From Nicolas.Williams at ubsw.com Sat Feb 2 09:02:37 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Fri, 1 Feb 2002 17:02:37 -0500
Subject: FEATURE: -f -f - fork after successful open of fwd port/display/agent
In-Reply-To: <20020201133839.R3915@google.com>; from fcusack@fcusack.com on Fri, Feb 01, 2002 at 01:38:40PM -0800
References: <20020201131056.A27398@sm2p1386swk.wdr.com> <20020201133839.R3915@google.com>
Message-ID: <20020201170235.E27398@sm2p1386swk.wdr.com>

On Fri, Feb 01, 2002 at 01:38:40PM -0800, Frank Cusack wrote:
> > Comments?
>
> "-f -f" is fairly ugly.

Really? I thought it was cute, like -v -v -v, say :)

What would you suggest?

Originally I implemented (locally) this as a -o option and the option
name was horrible, "WaitForPortOpenBeforeFork", because I couldn't think
of a very short, yet very descriptive option name for this feature.

So after much thought -f -f seemed like the easiest way to add this
without polluting the option namespace and without requiring some
longish option name.

> /fc

Nico
-- 
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

From bugzilla-daemon at mindrot.org Sat Feb 2 09:12:55 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 2 Feb 2002 09:12:55 +1100 (EST)
Subject: [Bug 94] New: Userdefineable identification string
Message-ID: <20020201221255.51DEEEC66@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=94

           Summary: Userdefineable identification string
           Product: Portable OpenSSH
           Version: 3.0.2p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: jprondak at visualmedia.com

This patch allows one to change the software version and comment
field(s) in the identification string. The ident string is of the form
"SSH-protoversion-softwareversion comments" as per
draft-ietf-secsh-transport-11.txt. The identstring still conforms to the
spec. But there could be a possibility of some compatibility issues. But
that should be up to the user/administrator.

They are of the form

  VersionString "My_Version_1.0"
  CommentString "test"

in sshd_config

From bugzilla-daemon at mindrot.org Sat Feb 2 09:15:15 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 2 Feb 2002 09:15:15 +1100 (EST)
Subject: [Bug 94] Userdefineable identification string
Message-ID: <20020201221515.0D73BEC6E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From jprondak at visualmedia.com 2002-02-02 09:15 -------
Created an attachment (id=17)
Patch to sshd to allow a userdefinable identification string

From bugzilla-daemon at mindrot.org Sat Feb 2 09:24:39 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 2 Feb 2002 09:24:39 +1100 (EST)
Subject: [Bug 95] New: Allow '%' expansion to work in ssh and ssh-add
Message-ID: <20020201222439.02C6CE97E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=95

           Summary: Allow '%' expansion to work in ssh and ssh-add
           Product: Portable OpenSSH
           Version: 3.0.2p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: jprondak at visualmedia.com

By moving expand_filename() from auth.c into tildexpand.c, '%'
substitution can be used by any programs that use
tilde_expand_filename() as opposed to just sshd. The reason for this was
to allow for IdentityFile inclusion as follows:

[..ssh_config..]
IdentityFile /var/spool/ssh/%u/idenity
IdentityFile ~/.ssh/identity

From bugzilla-daemon at mindrot.org Sat Feb 2 09:25:57 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 2 Feb 2002 09:25:57 +1100 (EST)
Subject: [Bug 95] Allow '%' expansion to work in ssh and ssh-add
Message-ID: <20020201222557.56BB5EC72@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=95

------- Additional Comments From jprondak at visualmedia.com 2002-02-02 09:25 -------
Created an attachment (id=18)
patch to tildexpand.c and auth.c to allow '%' substitution everywhere

From bugzilla-daemon at mindrot.org Sat Feb 2 09:52:02 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 2 Feb 2002 09:52:02 +1100 (EST)
Subject: [Bug 94] Userdefineable identification string
Message-ID: <20020201225202.14CE5E97E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From djm at mindrot.org 2002-02-02 09:51 -------
The identity string is used for bug/feature compatibility. As the
protocol spec is not an RFC yet, it may also be needed in future.

Have a look at compat.c

From fcusack at fcusack.com Sat Feb 2 09:58:25 2002
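Damien Miller's objection to bug 94 is easiest to see with the identification string actually parsed and matched. The following is an added example written for this page, not OpenSSH's compat.c: it splits a banner into the three fields the bug report names (protoversion, softwareversion, comments) and runs the softwareversion through a glob-pattern table of the kind compat.c uses. The table contents and the "EXAMPLE_QUIRK_*" names are illustrative placeholders; the only pattern taken from the thread is "OpenSSH*", which appears in the debug trace later on this page ("match: OpenSSH_3.0.2 pat OpenSSH*"). The field rule that softwareversion contains neither whitespace nor '-' comes from the transport draft (later RFC 4253).

```python
# Added example: parse "SSH-protoversion-softwareversion [SP comments]" and
# apply a compat.c-style quirk table. Editor-written; the quirk table and its
# names are constructed placeholders, not OpenSSH's real compat entries.
import fnmatch
import re

# protoversion and softwareversion may contain neither whitespace nor '-',
# so a greedy [^\s-]+ on each field yields an unambiguous split; anything
# after the first space is the optional comments field.
IDENT_RE = re.compile(r"^SSH-([^\s-]+)-([^\s-]+)(?: (.*))?$")

# Constructed compat table: glob pattern on the peer's softwareversion ->
# set of quirks to enable. Patterns are tried in order and all matches apply.
COMPAT_TABLE = [
    ("OpenSSH_2.*", {"EXAMPLE_QUIRK_OLD_OPENSSH"}),
    ("OpenSSH*", {"EXAMPLE_QUIRK_ANY_OPENSSH"}),
]


def parse_ident(line):
    """Split an identification string into its fields; ValueError if malformed."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto, software, comments = m.groups()
    return {"proto": proto, "software": software, "comments": comments}


def compat_flags(software):
    """Union of the quirks for every table pattern the softwareversion matches."""
    flags = set()
    for pattern, quirks in COMPAT_TABLE:
        if fnmatch.fnmatchcase(software, pattern):
            flags |= quirks
    return flags


def peer_quirks(banner):
    """Parse a peer's banner and report which quirks would be enabled for it."""
    return compat_flags(parse_ident(banner)["software"])


if __name__ == "__main__":
    # The stock banner seen in the trace on this page, and the renamed banner
    # the VersionString/CommentString options from bug 94 would emit.
    for banner in ("SSH-2.0-OpenSSH_3.0.2", "SSH-2.0-My_Version_1.0 test"):
        print(banner, "->", sorted(peer_quirks(banner)) or "no compat entries")
```

The renamed banner still parses cleanly, which is the bug reporter's point that it "conforms to the spec"; but it matches no table entry, so a peer that needs a workaround for a given OpenSSH release can no longer recognise it. That is the compatibility loss Damien is pointing at, and it is why the verifier asserts an empty set for the renamed string.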
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri, 1 Feb 2002 14:58:25 -0800
Subject: FEATURE: -f -f - fork after successful open of fwd port/display/agent
In-Reply-To: <20020201170235.E27398@sm2p1386swk.wdr.com>; from Nicolas.Williams@ubsw.com on Fri, Feb 01, 2002 at 05:02:37PM -0500
References: <20020201131056.A27398@sm2p1386swk.wdr.com> <20020201133839.R3915@google.com> <20020201170235.E27398@sm2p1386swk.wdr.com>
Message-ID: <20020201145824.G4068@google.com>

On Fri, Feb 01, 2002 at 05:02:37PM -0500, Nicolas Williams wrote:
> On Fri, Feb 01, 2002 at 01:38:40PM -0800, Frank Cusack wrote:
> > > Comments?
> >
> > "-f -f" is fairly ugly.
>
> Really? I thought it was cute, like -v -v -v, say :)

Well, I dislike that too. :-)

> What would you suggest?

I have no alternate suggestion (other than using GNU-like --long-options).

> Originally I implemented (locally) this as a -o option and the option
> name was horrible, "WaitForPortOpenBeforeFork", because I couldn't think
> of a very short, yet very descriptive option name for this feature.
>
> So after much thought -f -f seemed like the easiest way to add this
> without polluting the option namespace and without requiring some
> longish option name.

/fc

From bugzilla-daemon at mindrot.org Sat Feb 2 10:07:29 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 2 Feb 2002 10:07:29 +1100 (EST)
Subject: [Bug 76] scp won't transfer files to or from the root under Cygwin
Message-ID: <20020201230729.88FF3EC79@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=76

------- Additional Comments From bradshaw at staff.crosswalk.com 2002-02-02 10:07 -------
Created an attachment (id=19)
cvs diff for the one line patch needed to fix this.

From mouring at etoh.eviladmin.org Sat Feb 2 09:34:47 2002
From: mouring at etoh.eviladmin.org (mouring)
Date: Fri, 1 Feb 2002 16:34:47 -0600 (CST)
Subject: FEATURE: -f -f - fork after successful open of fwd port/display/agent
In-Reply-To: <20020201145824.G4068@google.com> from Frank Cusack at "Feb 1, 2002 02:58:25 pm"
Message-ID: <200202012234.g11MYlqg024911@etoh.eviladmin.org>

> On Fri, Feb 01, 2002 at 05:02:37PM -0500, Nicolas Williams wrote:
> > On Fri, Feb 01, 2002 at 01:38:40PM -0800, Frank Cusack wrote:
> > > > Comments?
> > >
> > > "-f -f" is fairly ugly.
> >
> > Really? I thought it was cute, like -v -v -v, say :)
>
> Well, I dislike that too. :-)
>
> > What would you suggest?
>
> I have no alternate suggestion (other than using GNU-like --long-options).
>
> > Originally I implemented (locally) this as a -o option and the option
> > name was horrible, "WaitForPortOpenBeforeFork", because I couldn't think
> > of a very short, yet very descriptive option name for this feature.
> >
> > So after much thought -f -f seemed like the easiest way to add this
> > without polluting the option namespace and without requiring some
> > longish option name.
>

Four words.. over my dead body =)

-f -f does not bother me as long as it is well documented. However I hate
the --some-command-that-we-may-not-use-often-but-hell-we-wanted-an-option.

I hate GNU longopt...

- Ben

From wendyp at cray.com Sat Feb 2 10:19:30 2002
From: wendyp at cray.com (Wendy Palm)
Date: Fri, 01 Feb 2002 17:19:30 -0600
Subject: /dev/urandom
Message-ID: <3C5B2282.CE47B43F@cray.com>

if i want to learn more about implementing a /dev/urandom,
where would be a good place to start?

thanks,
wendy

-- 
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From brhamon at cisco.com Sat Feb 2 10:43:13 2002
From: brhamon at cisco.com (Brian Hamon)
Date: Fri, 01 Feb 2002 17:43:13 -0600
Subject: /dev/urandom
In-Reply-To: <3C5B2282.CE47B43F@cray.com>
Message-ID: <4.3.2.7.2.20020201174149.05137ce8@3rdclass.cisco.com>

ANDIrand is an implementation on Solaris that includes source, and may
provide a guide:

http://www.cosy.sbg.ac.at/~andi/

At 05:19 PM 2/1/2002, Wendy Palm wrote:
>if i want to learn more about implementing a /dev/urandom,
>where would be a good place to start?
>
>thanks,
>wendy
>
>
>--
>wendy palm
>Cray OS Sustaining Engineering, Cray Inc.
>wendyp at cray.com, 651-605-9154
>_______________________________________________
>openssh-unix-dev at mindrot.org mailing list
>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From djm at mindrot.org Sat Feb 2 11:40:13 2002
From: djm at mindrot.org (Damien Miller)
Date: 02 Feb 2002 11:40:13 +1100
Subject: /dev/urandom
In-Reply-To: <3C5B2282.CE47B43F@cray.com>
References: <3C5B2282.CE47B43F@cray.com>
Message-ID: <1012610415.6509.1.camel@mothra>

On Sat, 2002-02-02 at 10:19, Wendy Palm wrote:
>
> if i want to learn more about implementing a /dev/urandom,
> where would be a good place to start?

OpenBSD's BSD licensed driver, of course :)

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/dev/rnd.c

-d

From djast at cs.toronto.edu Sat Feb 2 12:07:06 2002
From: djast at cs.toronto.edu (Dan Astoorian)
Date: Fri, 1 Feb 2002 20:07:06 -0500
Subject: FEATURE: -f -f - fork after successful open of fwd port/display/agent
In-Reply-To: Your message of "Fri, 01 Feb 2002 17:34:47 EST." <200202012234.g11MYlqg024911@etoh.eviladmin.org>
Message-ID: <02Feb1.200717edt.453147-1882@jane.cs.toronto.edu>

On Fri, 01 Feb 2002 17:34:47 EST, mouring writes:
>
> =) -f -f does not bother me as long as it is well documented. However I
> hate the --some-command-that-we-may-not-use-often-but-hell-we-wanted-an-option.

In general, IMHO, options should be idempotent; i.e., "-Z -Z" should
have the same effect as '-Z'.

Among the reasons for this: a wrapper program should be able to add
options to a command line in order to assure a specific behaviour. For
example, if a wrapper wants to suppress diagnostics, it should just be
able to add a "-q" option. If wrappers are nested, and each adds its own
"-q" option, they shouldn't interfere with each other.

There is historical precedent for more -v's making output more verbose,
but the idea of '-f -f' having a *qualitatively* different meaning than
'-f' is a little unsettling. You're not using "-f -f" to mean "-f, only
more so"; it appears as if you just didn't want to use up another letter
for an option with nearly identical semantics.

As for --long-options, Ben is quite right. We already have
-[alphAbetsouP] and -o `cat /usr/dict/words`, and adding GNUisms won't
supply anything that these existing mechanisms can't deal with perfectly
well.

As for Nicolas's comment:

> > Originally I implemented (locally) this as a -o option and the option
> > name was horrible, "WaitForPortOpenBeforeFork", because I couldn't think
> > of a very short, yet very descriptive option name for this feature.

Think harder :-)

My opinion, for what it's worth, is that the difficulty in giving the
feature a simple name reflects the fact that it's not a very elegant
feature in the context of the existing design.

(A cleaner design would be for -f to make ssh background itself only
after the exec() of the command on the server side had succeeded, so
that you wouldn't need a separate option to make sure the command was
launched successfully. Unfortunately, the elegance of this design is
more than offset by the fact that it's completely and utterly impossible
to implement. I apologize for the minute of your life you just wasted
reading this paragraph.)

Cheers,

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all. It's
djast at cs.toronto.edu       not, it's better to have loved and won. All
www.cs.toronto.edu/~djast/  the other options really suck. --Dan Redican

From rjmooney at aboveground.cx Sat Feb 2 15:33:40 2002
From: rjmooney at aboveground.cx (Robert Mooney) Date: Fri, 1 Feb 2002 23:33:40 -0500 Subject: disabling the authentication agent? Message-ID: Is there any way to disable the authentication agent globally? I'm not quite sure I understand it's purpose. Here is some background info: workstation: Key pair (dsa). host1: No key pair. No authorized_keys. host2: Has my workstation's key in authorized_keys. I ssh to host1 from my workstation. I ssh to host2 from host1. I am asked for a password. Good. I ssh to host2 from my workstation. I am logged in via pubkey auth. I relogin to host2 from host1. I am not asked for a password. Why? It doesn't sit well with me when a host allows me to login without a pass- word, when I haven't configured it that way (I realize it may be OK, but still...) host1:~$ ssh -vvv host2 OpenSSH_3.0.2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f debug1: Reading configuration data /etc/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: restore_uid debug1: ssh_connect: getuid 1000 geteuid 0 anon 1 debug1: Connecting to host2 [] port 22. debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: restore_uid debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: restore_uid debug1: Connection established. 
debug1: read PEM private key done: type DSA debug1: read PEM private key done: type RSA debug1: identity file /home/rjmooney/.ssh/identity type -1 debug1: identity file /home/rjmooney/.ssh/id_rsa type -1 debug1: identity file /home/rjmooney/.ssh/id_dsa type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_3.0.2 debug1: match: OpenSSH_3.0.2 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.0.2 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 134/256 debug1: bits set: 1614/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host 'host2' is known and matches the RSA host key. debug1: Found key in /home/rjmooney/.ssh/known_hosts:1 debug1: bits set: 1616/3191 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive debug1: next auth method to try is publickey debug1: userauth_pubkey_agent: testing agent key "Robert Mooney at workstation" debug1: input_userauth_pk_ok: pkalg ssh-dss blen 819 lastkey 0x490a0 hint -1 debug1: ssh-userauth2 successful: method publickey debug1: channel 0: new [client-session] debug1: send channel open 0 debug1: Entering interactive session. 
debug1: ssh_session2_setup: id 0
debug1: channel request 0: shell
debug1: channel 0: open confirm rwindow 0 rmax 16384
Last login: Fri Feb 1 22:31:04 2002 from host1
host2:~$

- Rob

--
Robert Mooney (rjmooney at aboveground.cx)
www: http://www.aboveground.cx/~rjmooney/

From mats.andersson at appgate.com Sat Feb 2 18:37:21 2002
From: mats.andersson at appgate.com (Andersson, Mats)
Date: Sat, 2 Feb 2002 08:37:21 +0100 (CET)
Subject: OpenSSH Key Storage
In-Reply-To: <11425218.1012569755@[172.25.113.221]>
Message-ID:

On Fri, 1 Feb 2002, Carson Gaspar wrote:

> > it has been suggested that the server tells the client:
> > lookup the hostkey under this 'name'.
>
> No. Because the client can't. It doesn't have enough information. You can
> hack it into the client statically via the current alias mechanism, but it

I don't see the problem here? The client (and only it) knows what
name/port it connected to and only it knows who it expects to find there,
the ONLY method of identifying the host I can think of is to store the
host keys in a list searchable with host/port pairs (the "state" in the
transport layer probably knows where its TCP endpoint is connected so it
should be able to do the lookup right?).

Cheers,
/Mats

From tori at ringstrom.mine.nu Sun Feb 3 04:08:25 2002
From: tori at ringstrom.mine.nu (Tobias Ringstrom)
Date: Sat, 2 Feb 2002 18:08:25 +0100 (CET)
Subject: [PATCH] Added NoDelay config option and nodelay subsystem option
In-Reply-To: <200202011515.g11FF8RI018778@etoh.eviladmin.org>
Message-ID:

On Fri, 1 Feb 2002, mouring wrote:

> http://www.openssh.com/portable.html has snapshots every night. Yet
> no large mass of people are testing it.

I think the general public is too lazy to test a new version every day.
The snapshots just before a release will probably get more testing if
they are advertised appropriately, i.e. not lost in the background noise.

> There are at least 3 calls I try to make before we release the portable tree
> asking for people to do compile tests of the current snapshots.. Some
> days I hear feedback. Some days I don't. Without flying out to every
> person's house on this list and beating them with a blunt object until
> they finally download and test there is not much we can do. (Personal
> Note: Feel safe.. I'm not a person to do such things. =)

It may be a good thing that you get few responses. :-) People have the
(depressing?) habit of not reporting successes. Hard to know if that is
the case, of course.

It may also help to have a (low volume) announcement mailing list for
announcing release candidates as well as releases.

> Doing OpenSSH-3.1.0-Pre2, pre3, pre4-mouring-fixing-bug release will
> not help us. Hell it barely works in the Linux community!!! =)

The Linux release "system" has lots of problems, no doubt. One recent
good thing was the introduction of release candidates. (I know it's
nothing new in other projects.) Ideally, there will be no changes from
the release candidate to the real release.

> On a side note: ANY PATCHES THAT ARE NOT IN BUGZILLA WILL/MAY BE LOST.
> PLEASE ENSURE THEY GET INTO THE TRACKING SYSTEM.

Good point. I'll add my patches there if I decide to stay.

/Tobias

From linux_4ever at yahoo.com Sun Feb 3 04:35:14 2002
From: linux_4ever at yahoo.com (Steve G)
Date: Sat, 2 Feb 2002 09:35:14 -0800 (PST)
Subject: openssh-3.0.2p1 BUGs
Message-ID: <20020202173514.55394.qmail@web9606.mail.yahoo.com>

Hello,

I looked through the latest stable version of openssh (3.0.2p1) and
found a number of items that concerned me. I'm not terribly familiar
with the coding, so patches are probably better left to someone else.
Anyway, here is a list of issues that I think someone should look at.

Cheers,
Steve Grubb

--------

File            Line   Description
Channels.c      1195   If nc == NULL, this line segfaults. Test at 1187 should probably return
                1716   If c == NULL, this line segfaults. Test at 1712 should probably return
                1762   If c == NULL, this line segfaults. Test at 1760 should probably return
                1802   If c == NULL, this line segfaults. Test at 1797 should probably return
                1827   If c == NULL, this line segfaults. Test at 1819 should probably return
                1856   Test is done for NULL at 1854, but c is passed regardless.
                1869   If c == NULL, this line segfaults. Test at 1866 should probably return
                1892   If c == NULL, this line segfaults. Test at 1887 should probably return
                1938   Test of c == NULL. Continues processing calling free_channel with c
                1972   If c == NULL, this line segfaults. Test at 1968 should probably return
                2449   Variable socks has not been initted since 2409 !
                2598   Strchr could return a NULL if $DISPLAY does not have a ':' in it !
Deattack.c       139   Test at 132 for IV == NULL should probably bypass this area. Will segfault in this line if IV == NULL.
Kexgex.c         304   If dh == NULL, this line segfaults. Test at 299 should probably return
Ssh.c             88   IPv4or6 is an int. Line 136 of channels.c declares a static int for same variable. ???
Clientloop.c    1120   If c == NULL, this line segfaults. Test at 1116 should probably return 0
                1146   If c == NULL, this line segfaults. Test at 1142 should probably return
                1234   If c == NULL, this line segfaults. Test at 1224 should probably return
Sshd.c           106   IPv4or6 is an int. Line 136 of channels.c declares a static int for same variable. ???
Auth2-chall.c    261   Test at 246 checks for > 0. If nresp == 0, response never gets alloc'ed and is still NULL at line 261.
Session.c       1476   There are several ways that cp could still be NULL by the time it gets to this line. Especially if AIX is defined. Better checking of cp is needed leading up to this line.
                2021   Are all session tty members guaranteed to have a '/' in their name? If not, this line segfaults because of the return from strrchr.

From mouring at etoh.eviladmin.org Sun Feb 3 08:29:05 2002
From: mouring at etoh.eviladmin.org (mouring)
Date: Sat, 2 Feb 2002 15:29:05 -0600 (CST)
Subject: Version two of progressbar for scp/sftp
Message-ID: <200202022129.g12LT528009167@etoh.eviladmin.org>

Again, this has been lightly tested. I think there still are a few glitches.

1. Stole progressmeter() from scp.c - cleaned up and simplified a little to
   remove the 'flag' status. It now understands how to initialize itself and
   how to terminate itself. Along with a malloced status bar instead of the
   original fixed-width bar.

2. Removed all initialization code from scp.c for progressmeter() and moved
   it to updateprogressmeter().

3. Added two callbacks per upload/download function in sftp-client.c. One
   to start the session, the second to clean up after itself (same logic as
   in scp now).

4. Fixed up sftp-int.c to pass the callbacks.

Note, I normally don't do callbacks. So I need someone to review to ensure I
did not mangle anything up. Plus I normally don't use signal() and I need to
know if, in the (*func)(int) definition, I can legally use the (int) without
anything unwanted.

Again, patch against OpenBSD code. scp.c will fail to apply cleanly, but is
an easy fix (just I only have my OpenBSD box around me at this moment).

The sooner I get feedback on this the sooner I can get back to looking at
maybe including readline/libedit support into sftp. And that should take care
of most whining about UI stuff in sftp (Most of the code to support readline
is written, just needs better testing and some cleanup work).

- Ben

Index: misc.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/misc.c,v retrieving revision 1.15 diff -u -r1.15 misc.c --- misc.c 2002/01/24 21:09:25 1.15 +++ misc.c 2002/02/02 21:47:40
@@ -310,3 +310,135 @@ args->list[args->num++] = xstrdup(buf); args->list[args->num] = NULL; } + +/* scp/sftp progression meter (from src/usr.bin/ftp/util.c) */ +static int +foregroundproc(void) +{ + static pid_t pgrp = -1; + int ctty_pgrp; + + if (pgrp == -1) + pgrp = getpgrp(); + + return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 && + ctty_pgrp == pgrp)); +} + +void +progressmeter(off_t statbytes, off_t totalbytes, char *filename) +{ +#define STALLTIME 5 /* number of seconds before xfer assumed "stalled" */ + static const char prefixes[] = " KMGTP"; + static char *progressbar = NULL, file = NULL; + static struct timeval *start = NULL, lastupdate; + static off_t lastsize; + static size_t progressbar_size = 0; + struct timeval now, td, wait; + off_t cursize, abbrevsize; + double elapsed; + int ratio, barlength, i, remaining; + char buf[256]; + + if (!start) { + start = xmalloc(sizeof(struct timeval)); + (void) gettimeofday(start, (struct timezone *) 0); + lastupdate = *start; + lastsize = 0; + } + if (foregroundproc() == 0) + return; + + (void) gettimeofday(&now, (struct timezone *) 0); + cursize = statbytes; + if (totalbytes != 0) { + ratio = 100.0 * cursize / totalbytes; + ratio = MAX(ratio, 0); + ratio = MIN(ratio, 100); + } else + ratio = 100; + + snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", (filename?filename:""), ratio); + + barlength = getttywidth() - 51; + if (barlength > progressbar_size) { + progressbar_size = barlength; + progressbar = xrealloc(progressbar, barlength); + memset(progressbar, '*', barlength); + } + + if (barlength > 0) { + i = barlength * ratio / 100; + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), + "|%.*s%*s|", i, progressbar, barlength - i, ""); + } + i = 0; + abbrevsize = cursize; + while (abbrevsize >= 100000 && i < sizeof(prefixes)) { + i++; + abbrevsize >>= 10; + } + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5llu %c%c ", + (unsigned long long) abbrevsize, prefixes[i], + prefixes[i] == ' ' ? 
' ' : 'B'); + + timersub(&now, &lastupdate, &wait); + if (cursize > lastsize) { + lastupdate = now; + lastsize = cursize; + if (wait.tv_sec >= STALLTIME) { + start->tv_sec += wait.tv_sec; + start->tv_usec += wait.tv_usec; + } + wait.tv_sec = 0; + } + timersub(&now, start, &td); + elapsed = td.tv_sec + (td.tv_usec / 1000000.0); + + if ((totalbytes != statbytes) && + (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) { + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), + " --:-- ETA"); + } else if (wait.tv_sec >= STALLTIME) { + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), + " - stalled -"); + } else { + if (totalbytes != statbytes) + remaining = (int)(totalbytes / (statbytes / elapsed) - + elapsed); + else + remaining = elapsed; + + i = remaining / 3600; + if (i) + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), + "%2d:", i); + else + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), + " "); + i = remaining % 3600; + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), + "%02d:%02d%s", i / 60, i % 60, + (totalbytes != statbytes) ? " ETA" : " "); + } + atomicio(write, fileno(stdout), buf, strlen(buf)); + + if (totalbytes == statbytes) { + atomicio(write, fileno(stdout), "\n", 1); + + /* Clean up for next usage */ + xfree(start); + start = NULL; + } +} + +int +getttywidth(void) +{ + struct winsize winsize; + + if (ioctl(fileno(stdout), TIOCGWINSZ, &winsize) != -1) + return (winsize.ws_col ? winsize.ws_col : 80); + else + return (80); +} Index: misc.h =================================================================== RCS file: /cvs/src/usr.bin/ssh/misc.h,v retrieving revision 1.11 diff -u -r1.11 misc.h --- misc.h 2002/01/24 21:09:25 1.11 +++ misc.h 2002/02/02 21:47:40 
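Review bot: progressmeter() in the misc.c hunk allocates from code that runs as the SIGALRM handler: `start = xmalloc(...)` whenever start is NULL and `progressbar = xrealloc(progressbar, barlength)` whenever the terminal got wider. The first call (done==0) happens in normal context, but a resize mid-transfer, or a process that was in the background at that first call, makes the handler itself call xrealloc() while the interrupted main loop may be inside malloc() (the sftp-client buffer code allocates per message), and malloc() is not async-signal-safe. Size the bar and the start timestamp in the done==0 call only and never allocate from the handler; the old scp.c version used a string literal for the bar for exactly this reason. Further in the same hunk: `static char *progressbar = NULL, file = NULL;` declares `file` as a plain char (the `*` binds only to progressbar) and never uses it, so drop it; `barlength = getttywidth() - 51` goes negative on a terminal narrower than 51 columns and `if (barlength > progressbar_size)` then compares it against a size_t, so the negative value converts to a huge unsigned size that is passed to xrealloc(), which means the old `if (barlength > 0)` guard has to stay around the allocation as well as the drawing; and `start` is freed and reset only when `totalbytes == statbytes`, so a transfer that ends short leaves the next transfer computing its elapsed time from the previous start, while a zero-length file satisfies that condition on both the start and the end call and prints two terminating newlines.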
@@ -30,4 +30,8 @@ int num; int nalloc; }; + void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); +void progressmeter(off_t statbytes, off_t totalbytes, char *curfile); + +#define PROGRESSTIME 1 /* alarm() interval for updating progress meter */ Index: scp.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/scp.c,v retrieving revision 1.86 diff -u -r1.86 scp.c --- scp.c 2001/12/05 03:56:39 1.86 +++ scp.c 2002/02/02 21:47:40 @@ -83,24 +83,12 @@ #include "log.h" #include "misc.h" -/* For progressmeter() -- number of seconds before xfer considered "stalled" */ -#define STALLTIME 5 -/* alarm() interval for updating progress meter */ -#define PROGRESSTIME 1 - -/* Visual statistics about files as they are transferred. */ -void progressmeter(int); - -/* Returns width of the terminal (for progress meter calculations). */ -int getttywidth(void); +static void updateprogressmeter(int done); int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc); /* Struct for addargs */ arglist args; -/* Time a transfer started. */ -static struct timeval start; - /* Number of bytes of current file transferred so far. */ volatile off_t statbytes; @@ -542,7 +530,7 @@ } if (showprogress) { totalbytes = stb.st_size; - progressmeter(-1); + updateprogressmeter(0); } /* Keep writing after an error so that we stay sync'd up. */ for (haderr = i = 0; i < stb.st_size; i += bp->cnt) { @@ -564,7 +552,7 @@ } } if (showprogress) - progressmeter(1); + updateprogressmeter(1); if (close(fd) < 0 && !haderr) haderr = errno; @@ -808,7 +796,7 @@ if (showprogress) { totalbytes = size; - progressmeter(-1); + updateprogressmeter(0); } statbytes = 0; for (count = i = 0; i < size; i += 4096) { @@ -844,7 +832,8 @@ } } if (showprogress) - progressmeter(1); + updateprogressmeter(1); + if (count != 0 && wrerr == NO && (j = atomicio(write, ofd, bp->buf, count)) != count) { wrerr = YES; 
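Review bot: the misc.h hunk declares progressmeter() but not getttywidth(), which the misc.c hunk turns into an external function that progressmeter() calls before its definition (an implicit declaration, since scp.c's old `int getttywidth(void);` prototype is deleted in the scp.c hunk below); add `int getttywidth(void);` here, or make getttywidth() static and define it above progressmeter(). The prototype also names the third parameter `curfile` while the definition calls it `filename`; pick one, and note that misc.h now needs off_t in scope (sys/types.h) for every file that includes it.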
@@ -1040,139 +1029,18 @@ } static void -updateprogressmeter(int ignore) -{ - int save_errno = errno; - - progressmeter(0); - signal(SIGALRM, updateprogressmeter); - alarm(PROGRESSTIME); - errno = save_errno; -} - -static int -foregroundproc(void) -{ - static pid_t pgrp = -1; - int ctty_pgrp; - - if (pgrp == -1) - pgrp = getpgrp(); - - return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 && - ctty_pgrp == pgrp)); -} - -void -progressmeter(int flag) +updateprogressmeter(int done) { - static const char prefixes[] = " KMGTP"; - static struct timeval lastupdate; - static off_t lastsize; - struct timeval now, td, wait; - off_t cursize, abbrevsize; - double elapsed; - int ratio, barlength, i, remaining; - char buf[256]; - - if (flag == -1) { - (void) gettimeofday(&start, (struct timezone *) 0); - lastupdate = start; - lastsize = 0; - } - if (foregroundproc() == 0) - return; + int save_errno = errno; - (void) gettimeofday(&now, (struct timezone *) 0); - cursize = statbytes; - if (totalbytes != 0) { - ratio = 100.0 * cursize / totalbytes; - ratio = MAX(ratio, 0); - ratio = MIN(ratio, 100); - } else - ratio = 100; - - snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", curfile, ratio); - - barlength = getttywidth() - 51; - if (barlength > 0) { - i = barlength * ratio / 100; - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - "|%.*s%*s|", i, - "***************************************" - "***************************************" - "***************************************" - "***************************************", - barlength - i, ""); - } - i = 0; - abbrevsize = cursize; - while (abbrevsize >= 100000 && i < sizeof(prefixes)) { - i++; - abbrevsize >>= 10; - } - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5llu %c%c ", - (unsigned long long) abbrevsize, prefixes[i], - prefixes[i] == ' ' ? 
' ' : 'B'); - - timersub(&now, &lastupdate, &wait); - if (cursize > lastsize) { - lastupdate = now; - lastsize = cursize; - if (wait.tv_sec >= STALLTIME) { - start.tv_sec += wait.tv_sec; - start.tv_usec += wait.tv_usec; - } - wait.tv_sec = 0; - } - timersub(&now, &start, &td); - elapsed = td.tv_sec + (td.tv_usec / 1000000.0); - - if (flag != 1 && - (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) { - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - " --:-- ETA"); - } else if (wait.tv_sec >= STALLTIME) { - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - " - stalled -"); - } else { - if (flag != 1) - remaining = (int)(totalbytes / (statbytes / elapsed) - - elapsed); - else - remaining = elapsed; - - i = remaining / 3600; - if (i) - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - "%2d:", i); - else - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - " "); - i = remaining % 3600; - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - "%02d:%02d%s", i / 60, i % 60, - (flag != 1) ? " ETA" : " "); - } - atomicio(write, fileno(stdout), buf, strlen(buf)); - - if (flag == -1) { - signal(SIGALRM, updateprogressmeter); - alarm(PROGRESSTIME); - } else if (flag == 1) { + + progressmeter(statbytes, totalbytes, curfile); + if (done == 0) { + signal(SIGALRM, updateprogressmeter); + alarm(PROGRESSTIME); + } else alarm(0); - atomicio(write, fileno(stdout), "\n", 1); - statbytes = 0; - } -} - -int -getttywidth(void) -{ - struct winsize winsize; - if (ioctl(fileno(stdout), TIOCGWINSZ, &winsize) != -1) - return (winsize.ws_col ? winsize.ws_col : 80); - else - return (80); + errno = save_errno; } + Index: sftp-client.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sftp-client.c,v retrieving revision 1.19 diff -u -r1.19 sftp-client.c --- sftp-client.c 2001/12/19 07:18:56 1.19 +++ sftp-client.c 2002/02/02 21:47:41 
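Review bot: the rewrite of updateprogressmeter() drops the `statbytes = 0;` that the old `flag == 1` branch performed after each file, and nothing in the new done==1 path restores it. sink() resets statbytes explicitly before its loop (the `statbytes = 0;` context line in the 808 hunk), but as far as these hunks show source() only does `totalbytes = stb.st_size; updateprogressmeter(0);` (the 542 hunk), so from the second file of a multi-file scp onward the meter starts with cursize already at the previous file's total, clamps ratio to 100% and prints `--:-- ETA`. Reset statbytes in the done==1 branch, or in source() before the loop, the way sftp-client.c does with `statbytes = 0;` after its end callback. The old `atomicio(write, fileno(stdout), "\n", 1)` on completion is likewise removed here and now happens only inside progressmeter() when `totalbytes == statbytes`, so a file that ends with a read error (haderr) leaves the cursor on the progress line. The hunk also adds a stray blank `+` line after the function's closing brace.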
@@ -49,6 +49,11 @@ /* Message ID */ static u_int msg_id = 1; +/* Progress Meter items */ +off_t statbytes = 0; +off_t totalbytes = 0; +char *curfile = NULL; + static void send_msg(int fd, Buffer *m) { @@ -670,7 +675,7 @@ int do_download(int fd_in, int fd_out, char *remote_path, char *local_path, - int pflag) + int pflag, void (*progressbar)(int)) { int local_fd; u_int expected_id, handle_len, mode, type, id; @@ -723,6 +728,11 @@ return(-1); } + totalbytes = a->size; + curfile = remote_path; + if (progressbar) + (progressbar)(0); + /* Read from remote and write to local */ offset = 0; for (;;) { @@ -784,6 +794,7 @@ offset += len; xfree(data); + statbytes = offset; } status = do_close(fd_in, fd_out, handle, handle_len); @@ -802,15 +813,21 @@ } done: + if (progressbar) + (progressbar)(1); close(local_fd); buffer_free(&msg); xfree(handle); + statbytes = 0; + totalbytes = 0; + curfile = NULL; + return status; } int do_upload(int fd_in, int fd_out, char *local_path, char *remote_path, - int pflag) + int pflag, void (*progressbar)(int)) { int local_fd; u_int handle_len, id; @@ -860,6 +877,10 @@ buffer_free(&msg); return(-1); } + totalbytes = a.size; + curfile = local_path; + if (progressbar) + (progressbar)(0); /* Read from local and write to remote */ offset = 0; @@ -903,6 +924,7 @@ (unsigned long long)offset); offset += len; + statbytes = offset; } if (close(local_fd) == -1) { @@ -920,8 +942,14 @@ status = do_close(fd_in, fd_out, handle, handle_len); done: + if (progressbar) + (progressbar)(1); xfree(handle); buffer_free(&msg); + statbytes = 0; + totalbytes = 0; + curfile = NULL; + return status; } Index: sftp-client.h =================================================================== RCS file: /cvs/src/usr.bin/ssh/sftp-client.h,v retrieving revision 1.6 diff -u -r1.6 sftp-client.h --- sftp-client.h 2001/06/26 06:33:01 1.6 +++ sftp-client.h 2002/02/02 21:47:41 
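Review bot: the `off_t statbytes`, `off_t totalbytes` and `char *curfile` globals added at the top of sftp-client.c are written by the transfer loop and read asynchronously by the SIGALRM handler in sftp-int.c, so they need to be `volatile` as scp.c's `volatile off_t statbytes;` already is (see the scp.c context line above), and they should be declared once in sftp-client.h rather than through `extern` statements inside updateprogressmeter() in sftp-int.c, so the two translation units cannot drift apart in type.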
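Review bot: in the do_download `done:` hunk the end callback `(progressbar)(1)` is the only thing that disarms the alarm, so any error path between the start callback added in the 723 hunk and the `done:` label that returns directly instead of jumping to done leaves SIGALRM armed and curfile pointing at a remote_path string the caller is free to release; route those returns through `done:`, or arm and disarm the alarm from the caller around the whole do_download() call. Related: when the transfer ends short (status != 0), the end callback runs with statbytes != totalbytes, so progressmeter() in misc.c neither prints its terminating newline nor releases its start timestamp; pass "done" into progressmeter() explicitly rather than inferring it from `totalbytes == statbytes`. The same applies to the do_upload `done:` hunk.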
@@ -88,16 +88,14 @@ /* Return target of symlink 'path' - caller must free result */ char *do_readlink(int, int, char *); -/* XXX: add callbacks to do_download/do_upload so we can do progress meter */ - /* * Download 'remote_path' to 'local_path'. Preserve permissions and times * if 'pflag' is set */ -int do_download(int, int, char *, char *, int); +int do_download(int, int, char *, char *, int, void (*)(int)); /* * Upload 'local_path' to 'remote_path'. Preserve permissions and times * if 'pflag' is set */ -int do_upload(int, int, char *, char *, int); +int do_upload(int, int, char *, char *, int, void (*)(int)); Index: sftp-int.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/sftp-int.c,v retrieving revision 1.41 diff -u -r1.41 sftp-int.c --- sftp-int.c 2001/12/19 07:18:56 1.41 +++ sftp-int.c 2002/02/02 21:47:41 @@ -34,6 +34,7 @@ #include "xmalloc.h" #include "log.h" #include "pathnames.h" +#include "misc.h" #include "sftp.h" #include "sftp-common.h" @@ -115,6 +116,24 @@ }; static void +updateprogressmeter(int done) +{ + int save_errno = errno; + extern off_t statbytes; + extern off_t totalbytes; + extern char *curfile; + + progressmeter(statbytes, totalbytes, curfile); + if (done == 0) { + signal(SIGALRM, updateprogressmeter); + alarm(PROGRESSTIME); + } else + alarm(0); + + errno = save_errno; +} + +static void help(void) { printf("Available commands:\n"); @@ -382,8 +401,8 @@ err = -1; goto out; } - printf("Fetching %s to %s\n", g.gl_pathv[0], abs_dst); - err = do_download(in, out, g.gl_pathv[0], abs_dst, pflag); + err = do_download(in, out, g.gl_pathv[0], abs_dst, pflag, + NULL); goto out; } @@ -406,8 +425,8 @@ } else abs_dst = tmp; - printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); - if (do_download(in, out, g.gl_pathv[i], abs_dst, pflag) == -1) + if (do_download(in, out, g.gl_pathv[i], abs_dst, pflag, + updateprogressmeter) == -1) err = -1; xfree(abs_dst); abs_dst = NULL; 
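Review bot: the sftp-client.h hunk replaces the old XXX comment with a bare `void (*)(int)` parameter but does not document the callback contract (called once with 0 before the first byte and once with 1 after the transfer, reading its progress from statbytes, totalbytes and curfile, with NULL meaning no progress meter, which the sftp-int.c call sites rely on). State that in the comment above do_download() and do_upload() and name the parameter in the prototypes, otherwise the next caller will pass something with different semantics.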
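Review bot: updateprogressmeter() in the sftp-int.c hunk at 115 is a copy of the scp.c version with three `extern` declarations moved inside the function body; two copies of a signal handler will drift, so put one definition in misc.c next to progressmeter() and let both programs use it. On the signal() question in the cover text: on OpenBSD signal() installs a persistent handler, so calling `signal(SIGALRM, updateprogressmeter)` again from inside the handler is harmless but redundant; on System V derived platforms in the portable tree the disposition is reset to SIG_DFL before the handler runs, so an alarm that fires before that call terminates the process. Installing the handler once with sigaction() (SA_RESTART, without SA_RESETHAND) from the done==0 path and calling only alarm() from the handler covers both cases, and keeps the handler as small as possible (see the note on the misc.c hunk about allocating from inside it).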
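Review bot: the two get hunks at 382 and 406 are inconsistent: the single-target call passes `NULL` as the progress callback while the multi-target loop passes `updateprogressmeter`, and both hunks also delete the `printf("Fetching %s to %s\n", ...)` line, so a single-file get now produces no output at all. Pass updateprogressmeter in both places (the put hunks that follow do), or keep the Fetching line when the callback is NULL; note also that the meter's 20-column filename field no longer shows the destination path that the deleted printf did.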
@@ -464,8 +483,8 @@ } abs_dst = make_absolute(abs_dst, pwd); } - printf("Uploading %s to %s\n", g.gl_pathv[0], abs_dst); - err = do_upload(in, out, g.gl_pathv[0], abs_dst, pflag); + err = do_upload(in, out, g.gl_pathv[0], abs_dst, pflag, + updateprogressmeter); goto out; } @@ -488,8 +507,8 @@ } else abs_dst = make_absolute(tmp, pwd); - printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); - if (do_upload(in, out, g.gl_pathv[i], abs_dst, pflag) == -1) + if (do_upload(in, out, g.gl_pathv[i], abs_dst, pflag, + updateprogressmeter) == -1) err = -1; } From stevesk at pobox.com Sun Feb 3 09:35:01 2002 
From: stevesk at pobox.com (Kevin Steves)
Date: Sat, 2 Feb 2002 14:35:01 -0800 (PST)
Subject: OpenSSH Key Storage
In-Reply-To: <02Feb1.120040edt.453147-1882@jane.cs.toronto.edu>
Message-ID:

On Fri, 1 Feb 2002, Dan Astoorian wrote:
:> if i connect to
:> folly.openssh.com
:> then i want the host key verified against the entry for
:> folly.openssh.com
:
:This might be a silly question:
:
:The ssh client looks up the name provided on the command line in the
:known_hosts databases, and compares the key provided by the server
:against the one looked up.

yes, modulo Host, HostKeyAlias and HostName ssh_config and -o handling.
also, CheckHostIP.

:Might it not make more sense for the mapping to happen in the other
:direction? I.e., to look up the key provided by the server to get a
:list of known names and addresses associated with it?
:
:That way, if I type
: ssh -p 2202 proxy.example.com
:
:and that ultimately gets to folly.openssh.com:22, then the SSH client
:could issue a warning like "You have requested a connection to
:proxy.example.com, but the host you have connected to identifies itself
:with the host key belonging to folly.openssh.com. Are you sure you want
:to continue connecting?"

it's an interesting approach. i think many of us would prefer not to
have a bunch of duplicated keys in known_hosts databases. the rigorous
approach is to process this manually via HostKeyAlias, however i believe
we also want to support direct address:port storage and verification.

:Optionally, there could be a mechanism for the client to remember this
:equivalence.
:
:I think this behaviour could be an improvement over the current
:behaviour of saying the host is simply unknown. (I frequently get
:"authenticity...can't be established" warnings because I used a
:partially-qualified name or a CNAME for a host I've connected to
:before.)
:
:It may not be trivial to implement this behaviour, however.

i agree.

From bugzilla-daemon at mindrot.org Sun Feb 3 16:03:50 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 3 Feb 2002 16:03:50 +1100 (EST)
Subject: [Bug 62] compilation error on openstep 4.0
Message-ID: <20020203050350.93800E924@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=62

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|openssh-unix-dev at mindrot.org|mouring at eviladmin.org

------- Additional Comments From mouring at eviladmin.org  2002-02-03 16:03 -------
I'll look at this.. I totally missed this even occurred!

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From markus at openbsd.org Mon Feb 4 03:08:03 2002
From: markus at openbsd.org (Markus Friedl)
Date: Sun, 3 Feb 2002 17:08:03 +0100
Subject: openssh-3.0.2p1 BUGs
In-Reply-To: <20020202173514.55394.qmail@web9606.mail.yahoo.com>
References: <20020202173514.55394.qmail@web9606.mail.yahoo.com>
Message-ID: <20020203160803.GB18159@faui02>

On Sat, Feb 02, 2002 at 09:35:14AM -0800, Steve G wrote:
> Deattack.c 139 Test at 132 for IV == NULL should
> probably bypass this area. Will segfault in this line
> if IV == NULL.

that's strange, since IV is always NULL for openssh.

From bugzilla-daemon at mindrot.org Mon Feb 4 03:59:33 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 4 Feb 2002 03:59:33 +1100 (EST)
Subject: [Bug 93] Added ability for ssh-add to parse config files to retrieve a list of valid IdentityFiles.
Message-ID: <20020203165933.04042E92F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=93

------- Additional Comments From markus at openbsd.org  2002-02-04 03:59 -------
i don't like the idea of parsing ssh_config in ssh-add. -current ssh-add
tries to load all 3 default keys. that's enough for the default. it's
easy to add more keys on the command line.

From mjt at tls.msk.ru Mon Feb 4 03:59:57 2002
From: mjt at tls.msk.ru (Michael Tokarev)
Date: Sun, 03 Feb 2002 19:59:57 +0300
Subject: X.509 support in ssh (revisited)
References: <20020123164246.GD5255@faui02> <20020123183954.GB21895@faui02> <00c801c1a465$574e83a0$5001000a@effugas> <20020125094109.Q19778@justice.loyola.edu> <02e001c1a5dd$05c53410$5001000a@effugas>
Message-ID: <3C5D6C8D.BDA6ACBA@tls.msk.ru>

Dan Kaminsky wrote:
[]
> If I had the config.log from previous builds -- which I may or may not have
> even built myself -- this could be useful. I'm wondering about embedding
> this information in sshd itself as a #define ... maybe have the ability to
> do something like:
>
> ./configure `/usr/sbin/sshd --configure`
>
> to clone the original configuration options.

Like e.g. gnome-config, glib-config, etc? A shell script, e.g. openssh-config,
with all the "interesting" options, will be fine here. Or a config file in
the same directory as other config files, e.g. /etc/[open]ssh[d]_config.default.

Regards,
Michael.

From bugzilla-daemon at mindrot.org Mon Feb 4 04:12:08 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 4 Feb 2002 04:12:08 +1100 (EST)
Subject: [Bug 94] Userdefineable identification string
Message-ID: <20020203171208.37FF8E9BA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From markus at openbsd.org  2002-02-04 04:12 -------
i don't see why the version string should be changed. it's used for
bug-detection. if we are bug free, then we can have a fixed version string.

From markus at openbsd.org Mon Feb 4 04:31:44 2002
From: markus at openbsd.org (Markus Friedl)
Date: Sun, 3 Feb 2002 18:31:44 +0100
Subject: disabling the authentication agent?
In-Reply-To: ; from rjmooney@aboveground.cx on Fri, Feb 01, 2002 at 11:33:40PM -0500
References:
Message-ID: <20020203183144.G13026@folly>

On Fri, Feb 01, 2002 at 11:33:40PM -0500, Robert Mooney wrote:
>
> Is there any way to disable the authentication agent globally? I'm not
> quite sure I understand its purpose. Here is some background info:
>
> workstation: Key pair (dsa).
> host1: No key pair. No authorized_keys.
> host2: Has my workstation's key in authorized_keys.
>
> I ssh to host1 from my workstation.
> I ssh to host2 from host1. I am asked for a password. Good.
> I ssh to host2 from my workstation. I am logged in via pubkey auth.
> I relogin to host2 from host1. I am not asked for a password. Why?

host1 has no authorized_keys and you are not asked for a password? then
you probably have a password-less account. this has nothing to do with the
'authentication agent'.

From markus at openbsd.org Mon Feb 4 04:33:48 2002
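The debug output in Robert Mooney's original message contains the answer to his question: on host1 none of the identity files load (`identity file ... type -1` for all three), yet the key is offered by `userauth_pubkey_agent` with the comment "Robert Mooney at workstation", so it came from an agent reachable on host1, and on a host with no key pair of its own that means the workstation's agent was forwarded over the first hop (ForwardAgent). The example below is added here and is not code from OpenSSH or from anyone in the thread. It parses such `ssh -v` output to report the authentication method and where the key came from, and evaluates a client ssh_config to show whether ForwardAgent applies to a given host; `ForwardAgent no` in the client configuration is the setting that turns the forwarding off. The log lines are copied from the message above and the configuration is a constructed sample; the regular expressions match the debug strings that appear in that output.

```python
"""Classify how an OpenSSH client session authenticated, from `ssh -v` output."""
import fnmatch
import re

# Constructed sample: the authentication-relevant debug1 lines from the
# host1 -> host2 session quoted in the thread.
SAMPLE_LOG = """\
debug1: identity file /home/rjmooney/.ssh/identity type -1
debug1: identity file /home/rjmooney/.ssh/id_rsa type -1
debug1: identity file /home/rjmooney/.ssh/id_dsa type -1
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key "Robert Mooney at workstation"
debug1: input_userauth_pk_ok: pkalg ssh-dss blen 819 lastkey 0x490a0 hint -1
debug1: ssh-userauth2 successful: method publickey
"""

# Constructed sample client configuration (ssh_config syntax).
SAMPLE_SSH_CONFIG = """\
Host host1
    ForwardAgent yes

Host *
    ForwardAgent no
"""

IDENTITY_RE = re.compile(r"identity file (\S+) type (-?\d+)")
AGENT_KEY_RE = re.compile(r'userauth_pubkey_agent: testing agent key "([^"]*)"')
PK_OK_RE = re.compile(r"input_userauth_pk_ok: pkalg (\S+)")
SUCCESS_RE = re.compile(r"successful: method (\S+)")


def analyse_ssh_debug(log):
    """Return a dict describing how the session in `log` authenticated."""
    result = {
        "method": None,                 # method named in the "successful" line
        "identity_files_present": [],   # identity files the client could load
        "agent_keys_offered": [],       # comments of keys offered from an agent
        "accepted_pkalg": None,         # algorithm the server agreed to accept
        "key_source": None,             # "agent", "file" or None
        "forwarded_agent_likely": False,
    }
    for line in log.splitlines():
        m = IDENTITY_RE.search(line)
        if m:
            # "type -1" means the client could not read that key file
            if int(m.group(2)) != -1:
                result["identity_files_present"].append(m.group(1))
            continue
        m = AGENT_KEY_RE.search(line)
        if m:
            result["agent_keys_offered"].append(m.group(1))
            continue
        m = PK_OK_RE.search(line)
        if m:
            result["accepted_pkalg"] = m.group(1)
            continue
        m = SUCCESS_RE.search(line)
        if m:
            result["method"] = m.group(1)
            break   # everything after this line is the session, not auth
    if result["method"] == "publickey":
        # A key offered from an agent before the success line is taken as
        # the one that authenticated; otherwise a local identity file did.
        if result["agent_keys_offered"]:
            result["key_source"] = "agent"
        elif result["identity_files_present"]:
            result["key_source"] = "file"
    # Heuristic: an agent key on a host that has no identity files of its own
    # almost always arrived through agent forwarding from the first hop.
    result["forwarded_agent_likely"] = (
        result["key_source"] == "agent" and not result["identity_files_present"])
    return result


def forward_agent_for(config_text, host):
    """True if `config_text` (ssh_config syntax) forwards the agent to `host`.

    Follows ssh_config's rule that the first obtained value of a keyword wins;
    Host patterns are matched with fnmatch, so `*`, `?` and `!` negation work.
    """
    active = True          # directives before any Host line apply everywhere
    value = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ").split(None, 1)
        key = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = False
            for pat in arg.split():
                if pat.startswith("!") and fnmatch.fnmatchcase(host, pat[1:]):
                    active = False     # a negated match excludes the block
                    break
                if not pat.startswith("!") and fnmatch.fnmatchcase(host, pat):
                    active = True
            continue
        if active and key == "forwardagent" and value is None:
            value = arg.lower() == "yes"
    return bool(value)     # ForwardAgent defaults to no
```

Run against the sample, `analyse_ssh_debug` reports method publickey with key_source "agent" and no identity files present, which is the forwarded-agent signature; `forward_agent_for` shows that the sample configuration forwards to host1 only, because the `Host host1` block is matched first and the catch-all `Host *` block only supplies the default for everything else.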
From: markus at openbsd.org (Markus Friedl)
Date: Sun, 3 Feb 2002 18:33:48 +0100
Subject: [PATCH] Added NoDelay config option and nodelay subsystem option
In-Reply-To: ; from tori@ringstrom.mine.nu on Sat, Feb 02, 2002 at 06:08:25PM +0100
References: <200202011515.g11FF8RI018778@etoh.eviladmin.org>
Message-ID: <20020203183348.H13026@folly>

On Sat, Feb 02, 2002 at 06:08:25PM +0100, Tobias Ringstrom wrote:
> The Linux release "system" has lots of problems, no doubt. One recent good
> thing was the introduction of release candidates. (I know it's nothing
> new in other projects.) Ideally, there will be no changes from the
> release candidate to the real release.

it's simple. every snapshot is a release candidate and you can always
test snapshots.

From markus at openbsd.org Mon Feb 4 04:37:54 2002
From: markus at openbsd.org (Markus Friedl)
Date: Sun, 3 Feb 2002 18:37:54 +0100
Subject: OpenSSH Key Storage
In-Reply-To: <20020201163013.GZ26603@godzilla.fibrespeed.net>; from mbabcock@fibrespeed.net on Fri, Feb 01, 2002 at 11:30:14AM -0500
References: <20020201040701.GX26603@godzilla.fibrespeed.net> <013101c1aaf9$0d871620$8201000a@effugas> <20020201163013.GZ26603@godzilla.fibrespeed.net>
Message-ID: <20020203183754.I13026@folly>

On Fri, Feb 01, 2002 at 11:30:14AM -0500, Michael T. Babcock wrote:
> Excuse me, but my server runs SSH on several ports and some of them are actually
> TCP redirects to internal servers. That is why I care about this feature; how I
> get to those servers is not consistent, but their keys should all be stored in
> a way that if I repeat my actions, I'll get no key warnings.

this is exactly what HostKeyAlias is for, just keep ssh_config up to date.

having users remember to use proxy port 1000 for the
internal server a and proxy port 2000 for server b is
hard. setting up ssh_config is simpler:

	Host A
		Hostname proxy
		Port 1000
		HostKeyAlias A

	Host B
		Hostname proxy
		Port 2000
		HostKeyAlias B

so the users can use
	$ ssh A
or
	$ ssh B
without any problems.

even with your suggested change, the users
still have to type
	$ ssh -p 1000 proxy

From markus at openbsd.org Mon Feb 4 04:41:05 2002
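As an added example for this thread (not OpenSSH code, and not from any poster), the following implements both lookup directions under discussion: the forward lookup ssh performs, where the name searched for in known_hosts is either the requested host name or its HostKeyAlias as in Markus's configuration above, and the reverse lookup Dan Astoorian proposed earlier in the thread, where the presented key is searched for in known_hosts to report the names it is already trusted under, so the client can warn "identifies itself with the host key belonging to folly.openssh.com" instead of "unknown host". The known_hosts contents and the key blobs are constructed (the blobs follow the ssh-rsa wire layout but hold made-up numbers), and the host names are taken from the thread. Entries are matched as strings, so the later OpenSSH `[host]:port` entry syntax works with the same code.

```python
"""Forward (name -> key) and reverse (key -> names) lookup in known_hosts."""
import base64
import hashlib
import struct


def _wire(*fields):
    """Encode fields as SSH wire-format strings: uint32 length + bytes each."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


# Constructed key blobs in the ssh-rsa layout (type, e, n) with made-up
# numbers; they are not usable keys.
FOLLY_KEY = _wire(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x42" * 64)
BASTION_KEY = _wire(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\x17" * 64)


def known_hosts_line(names, blob):
    """Format one known_hosts entry: comma-separated names, key type, base64 blob."""
    return "%s ssh-rsa %s" % (",".join(names), base64.b64encode(blob).decode())


# Constructed known_hosts: folly is trusted under two names and its address,
# bastion.example.com is a different machine with its own key.
KNOWN_HOSTS = "\n".join([
    "# comments and blank lines are ignored",
    "",
    known_hosts_line(["folly.openssh.com", "folly", "192.0.2.10"], FOLLY_KEY),
    known_hosts_line(["bastion.example.com"], BASTION_KEY),
]) + "\n"


def parse_known_hosts(text):
    """Yield (names, keytype, blob) per entry; malformed lines are skipped.

    @cert-authority / @revoked markers and hashed (|1|...) names are not
    handled; hashed names would make the reverse lookup return the hashed
    forms rather than readable names.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            blob = base64.b64decode(parts[2], validate=True)
        except ValueError:          # binascii.Error is a ValueError
            continue
        yield parts[0].split(","), parts[1], blob


def fingerprint(blob):
    """SHA-256 fingerprint in the form current OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(requested, blob, known_hosts_text, hostkey_alias=None):
    """Classify the key a server presented for the name the user asked for.

    Returns (verdict, names):
      "match"           the key stored under the looked-up name is this key
      "mismatch"        a different key is stored under that name
      "known-elsewhere" nothing stored under that name, but the key is
                        trusted under `names` (the reverse lookup)
      "unknown"         the key appears nowhere in known_hosts
    """
    lookup = hostkey_alias or requested   # HostKeyAlias replaces the name
    entries = list(parse_known_hosts(known_hosts_text))
    stored = [b for names, _, b in entries if lookup in names]
    if blob in stored:
        return "match", [lookup]
    if stored:
        return "mismatch", [lookup]
    names = sorted({n for ns, _, b in entries if b == blob for n in ns})
    if names:
        return "known-elsewhere", names
    return "unknown", []


def warning_text(requested, blob, known_hosts_text, hostkey_alias=None):
    """Render the message Dan Astoorian sketched for the known-elsewhere case."""
    verdict, names = check_host_key(requested, blob, known_hosts_text, hostkey_alias)
    if verdict == "known-elsewhere":
        return ("You have requested a connection to %s, but the host you have "
                "connected to identifies itself with the host key (%s) belonging "
                "to %s. Are you sure you want to continue connecting?"
                % (requested, fingerprint(blob), ", ".join(names)))
    if verdict == "mismatch":
        return "WARNING: the host key for %s has changed (%s)" % (requested, fingerprint(blob))
    if verdict == "unknown":
        return "The authenticity of host '%s' can't be established (%s)" % (requested, fingerprint(blob))
    return ""
```

With `hostkey_alias="folly"`, a connection to proxy.example.com that reaches folly's key is a plain match, which is Markus's HostKeyAlias approach; without the alias the same connection is "known-elsewhere" and the reverse lookup names folly.openssh.com, folly and 192.0.2.10, which is Dan's warning. Presenting folly's key under bastion.example.com, a name that already has a different key stored, is reported as a mismatch rather than as known-elsewhere, because a changed key for a known name is the case that must never be softened into a friendlier message.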
From: markus at openbsd.org (Markus Friedl)
Date: Sun, 3 Feb 2002 18:41:05 +0100
Subject: OpenSSH Key Storage
In-Reply-To: <02Feb1.120040edt.453147-1882@jane.cs.toronto.edu>; from djast@cs.toronto.edu on Fri, Feb 01, 2002 at 12:00:34PM -0500
References: <20020201084334.GB13371@faui02> <02Feb1.120040edt.453147-1882@jane.cs.toronto.edu>
Message-ID: <20020203184105.J13026@folly>

On Fri, Feb 01, 2002 at 12:00:34PM -0500, Dan Astoorian wrote:
> Might it not make more sense for the mapping to happen in the other
> direction? I.e., to look up the key provided by the server to get a
> list of known names and addresses associated with it?

this sounds like a nice idea to try. but it needs to be tried at first.

-m

From markus at openbsd.org Mon Feb 4 04:43:53 2002
From: markus at openbsd.org (Markus Friedl)
Date: Sun, 3 Feb 2002 18:43:53 +0100
Subject: [PATCH] Added NoDelay config option and nodelay subsystem option
In-Reply-To: <20020201221045.E11608@cygbert.vinschen.de>; from vinschen@redhat.com on Fri, Feb 01, 2002 at 10:10:45PM +0100
References: <20020201173726.B7566@cygbert.vinschen.de> <200202011952.g11JqdcI018964@etoh.eviladmin.org> <20020201221045.E11608@cygbert.vinschen.de>
Message-ID: <20020203184353.K13026@folly>

On Fri, Feb 01, 2002 at 10:10:45PM +0100, Corinna Vinschen wrote:
> It's just hard to follow sometimes when specific announcements are
> missing. I'm just a porter to *one* platform. I'm not subscribed
> to the other openssh mailing lists since I'm only interested in the

there is no 'other' mailing list. and this is the problem.
perhaps we should have a list similar to the 'ssl-talk' list
to get this one more 'low volume'.

From mouring at etoh.eviladmin.org Mon Feb 4 04:26:06 2002
From: mouring at etoh.eviladmin.org (mouring)
Date: Sun, 3 Feb 2002 11:26:06 -0600 (CST)
Subject: [PATCH] Added NoDelay config option and nodelay subsystem option
In-Reply-To: <20020203184353.K13026@folly> from Markus Friedl at "Feb 3, 2002 06:43:53 pm"
Message-ID: <200202031726.g13HQ6O3029952@etoh.eviladmin.org>

> On Fri, Feb 01, 2002 at 10:10:45PM +0100, Corinna Vinschen wrote:
> > It's just hard to follow sometimes when specific announcements are
> > missing. I'm just a porter to *one* platform. I'm not subscribed
> > to the other openssh mailing lists since I'm only interested in the
>
> there is no 'other' mailing list. and this is the problem.
> perhaps we should have a list similar to the 'ssl-talk' list
> to get this one more 'low volume'.

We do have an announcement list if we would ever remember to post
important things to it.

This may seem anal but maybe we need a release document (at least for
portable) to document what things we should do, announce, etc. I know
my memory some day is no better than Swiss cheese. =)

- Ben
From: mbabcock at fibrespeed.net (Michael T. Babcock)
Date: Sun, 3 Feb 2002 14:17:21 -0500
Subject: OpenSSH Key Storage
In-Reply-To: <20020203183754.I13026@folly>
References: <20020201040701.GX26603@godzilla.fibrespeed.net> <013101c1aaf9$0d871620$8201000a@effugas> <20020201163013.GZ26603@godzilla.fibrespeed.net> <20020203183754.I13026@folly>
Message-ID: <20020203191721.GU26603@godzilla.fibrespeed.net>

On Sun, Feb 03, 2002 at 06:37:54PM +0100, Markus Friedl wrote:
> having users remember to use proxy port 1000 for the
> internal server a and proxy port 2000 for server b is
> hard. setting up ssh_config is simpler:

You don't understand -- I'm talking about what _users_ want; like me.
I'm not the one who sets up their SSH sessions; they just want to use
it. When I tell someone to install openssh and then connect to "server"
at port 2000 for their website and port 2001 for their ftp site, it
should work because openssh has all the information it needs to make it
work.

> even with your suggested change, the users
> still have to type
>     $ ssh -p 1000 proxy

If you read my original message carefully, that's exactly what I wanted.
Mind you, ssh proxy:1000 would be much more consistent with URIs, but
not at all necessary.

--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/
From: rjmooney at aboveground.cx (Robert Mooney)
Date: Sun, 3 Feb 2002 17:57:32 -0500
Subject: disabling the authentication agent?
In-Reply-To: <20020203183144.G13026@folly>
Message-ID:

I have passwords on both accounts. Let me rephrase:

If I log in to host1 from workstation w/ password auth, and I log in to
host2 from workstation w/ password auth, and I try to ssh from host1 to
host2, host2 asks for a password. Fine.

If I log in to host1 from workstation w/ password auth, and I log in to
host2 from workstation w/ DSA public key auth, and I try to ssh from
host1 to host2, host2 allows me to login w/o a password. Why? The only
key in host2's authorized_keys is workstation. host1 doesn't have a key
pair generated for that account. This leads me to believe the
authentication agent is involved.

Here is the ssh debug output from the host1 to host2 ssh:

    debug1: next auth method to try is publickey
    debug1: userauth_pubkey_agent: testing agent key "Robert Mooney at workstation"
    debug1: input_userauth_pk_ok: pkalg ssh-dss blen 819 lastkey 0x490a0 hint -1
    debug1: ssh-userauth2 successful: method publickey

Is there any way to disable the authentication agent in the server
config? (There is a "no-agent-forwarding" option (see AUTHORIZED_KEYS
FILE FORMAT in sshd(8), but that appears to have no effect on a DSA key,
and is at the user level anyway. I want to be able to shut the feature
off globally.)

- Rob

: -----Original Message-----
: From: Markus Friedl [mailto:markus at openbsd.org]
: Sent: Sunday, February 03, 2002 12:32 PM
: To: Robert Mooney
: Cc: openssh-unix-dev at mindrot.org
: Subject: Re: disabling the authentication agent?
:
:
: On Fri, Feb 01, 2002 at 11:33:40PM -0500, Robert Mooney wrote:
: >
: > Is there any way to disable the authentication agent globally? I'm not
: > quite sure I understand its purpose. Here is some background info:
: >
: > workstation: Key pair (dsa).
: > host1: No key pair. No authorized_keys.
: > host2: Has my workstation's key in authorized_keys.
: >
: > I ssh to host1 from my workstation.
: > I ssh to host2 from host1. I am asked for a password. Good.
: > I ssh to host2 from my workstation. I am logged in via pubkey auth.
: > I relogin to host2 from host1. I am not asked for a password. Why?
:
: host1 has no authorized_keys and you are not asked for a password?
: then you probably have a password-less account.
:
: this has nothing to do with the 'authentication agent'.
:

From: djm at mindrot.org (Damien Miller)
Date: Mon, 4 Feb 2002 11:41:50 +1100 (EST)
Subject: [PATCH] Added NoDelay config option and nodelay subsystem option
In-Reply-To: <200202031726.g13HQ6O3029952@etoh.eviladmin.org>
Message-ID:

On Sun, 3 Feb 2002, mouring wrote:
> We do have an announcement list if we would ever remember to post
> important things to it.

There was a problem on the announcement mailing list that caused posts
from Markus to disappear into the void. That was fixed a little while
ago, but caused a few release notifications to disappear.

-d
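Robert Mooney's debug output above carries the give-away line, userauth_pubkey_agent, which means ssh on host1 offered a key held by an agent rather than a key on host1's disk; on a second hop that is consistent with the workstation's agent socket having been forwarded to host1. As an added example of mine (not code from the thread or from OpenSSH), the following Python picks that line out of client debug output and checks an sshd_config for the global switch Robert asked for. AllowAgentForwarding is a sshd_config(5) keyword in current OpenSSH (default yes); the debug lines are copied from Robert's message, and the second debug transcript and the config fragments are constructed.

```python
"""Spot an agent-held key in ssh -v output and check sshd_config for the
server-side agent-forwarding switch.  Added example; not OpenSSH's code."""
import re

# Copy of the client debug lines posted in the thread (test input).
DEBUG_OUTPUT = """\
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key "Robert Mooney at workstation"
debug1: input_userauth_pk_ok: pkalg ssh-dss blen 819 lastkey 0x490a0 hint -1
debug1: ssh-userauth2 successful: method publickey
"""

# Constructed run in which the key came from a local file, not an agent.
DEBUG_OUTPUT_LOCAL = """\
debug1: next auth method to try is publickey
debug1: try privkey: /home/rob/.ssh/id_dsa
debug1: ssh-userauth2 successful: method publickey
"""

AGENT_KEY_RE = re.compile(r'userauth_pubkey_agent: testing agent key "([^"]*)"')
SUCCESS_RE = re.compile(r"successful: method (\S+)")


def agent_key_used(debug_text):
    """Return the comment of the agent key in play when publickey auth
    succeeded, or None if auth did not succeed or used no agent key.
    Assumes the last agent key tested before the success line is the one
    the server accepted."""
    last_agent_key = None
    for line in debug_text.splitlines():
        m = AGENT_KEY_RE.search(line)
        if m:
            last_agent_key = m.group(1)
            continue
        m = SUCCESS_RE.search(line)
        if m:
            return last_agent_key if m.group(1) == "publickey" else None
    return None


# Constructed sshd_config fragments for the intermediate host (host1 in the
# setup above).  With AllowAgentForwarding no, sshd never creates a
# forwarded agent socket in the session, so ssh run on that host has no
# agent key to offer to the next hop.
SSHD_DEFAULT = "Port 22\nPubkeyAuthentication yes\n"
SSHD_HARDENED = "Port 22\nPubkeyAuthentication yes\nAllowAgentForwarding no\n"


def sshd_option(config_text, keyword):
    """Lower-cased value of keyword in an sshd_config (first occurrence
    wins; Match blocks are not handled), or None when unset."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return None


def agent_forwarding_allowed(config_text):
    """sshd hands out forwarded agent connections unless the option is no."""
    return sshd_option(config_text, "AllowAgentForwarding") != "no"


def audit(debug_text, config_text):
    """Which agent key (if any) the client used, and whether this host's
    sshd would still forward an agent into users' sessions."""
    return {
        "agent_key": agent_key_used(debug_text),
        "sshd_forwards_agent": agent_forwarding_allowed(config_text),
    }


if __name__ == "__main__":
    print(audit(DEBUG_OUTPUT, SSHD_DEFAULT))
    print(audit(DEBUG_OUTPUT, SSHD_HARDENED))
    print(audit(DEBUG_OUTPUT_LOCAL, SSHD_HARDENED))
```

The global switch lives on host1's sshd, not on host2: host2 sees an ordinary public-key login with a key that is in its authorized_keys, which is why the per-key no-agent-forwarding option there makes no difference to this path (it only restricts sessions that land on host2). On the client side, ForwardAgent defaults to no, so the forwarded socket on host1 also depends on the workstation's ssh_config or a -A flag.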
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 4 Feb 2002 09:54:30 +0100
Subject: OpenSSH Key Storage
In-Reply-To: <20020203191721.GU26603@godzilla.fibrespeed.net>
References: <20020201040701.GX26603@godzilla.fibrespeed.net> <013101c1aaf9$0d871620$8201000a@effugas> <20020201163013.GZ26603@godzilla.fibrespeed.net> <20020203183754.I13026@folly> <20020203191721.GU26603@godzilla.fibrespeed.net>
Message-ID: <20020204085430.GA20362@faui02>

On Sun, Feb 03, 2002 at 02:17:21PM -0500, Michael T. Babcock wrote:
> Mind you, ssh proxy:1000 would be much more consistent with URIs, but not
> at all necessary.

but the URI namespace is a _horror_. mixing all kinds of notations.
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Mon, 4 Feb 2002 09:40:24 -0500
Subject: FEATURE: -f -f - fork after successful open of fwd port/display/agent
In-Reply-To: <200202012234.g11MYlqg024911@etoh.eviladmin.org>; from mouring@etoh.eviladmin.org on Fri, Feb 01, 2002 at 04:34:47PM -0600
References: <20020201145824.G4068@google.com> <200202012234.g11MYlqg024911@etoh.eviladmin.org>
Message-ID: <20020204094023.F27398@sm2p1386swk.wdr.com>

On Fri, Feb 01, 2002 at 04:34:47PM -0600, mouring wrote:
> Four words..
>
> over
> my
> dead
> body
>
> =) -f -f does not bother me as long as it is well documented. However I
> hate the --some-command-that-we-may-not-use-offen-but-hell-we-wanted-an-option.

Ok. I'll answer all (or most :) of the comments so far. I'm also
interested in comments on the forkoff() function.

And I hope -f -f it is; I suppose I could use -ff.

> I hate GNU longopt...

Is there an options style guide for OpenSSH development?

> - Ben

Thanks,

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only for
the individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as
information could be intercepted, corrupted, lost, destroyed, arrive
late or incomplete, or contain viruses. The sender therefore does not
accept liability for any errors or omissions in the contents of this
message which arise as a result of e-mail transmission. If verification
is required please request a hard-copy version.
This message is provided for informational purposes and should not be
construed as a solicitation or offer to buy or sell any securities or
related financial instruments.
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Mon, 4 Feb 2002 09:52:25 -0500
Subject: FEATURE: -f -f - fork after successful open of fwd port/display/agent
In-Reply-To: <02Feb1.200717edt.453147-1882@jane.cs.toronto.edu>; from djast@cs.toronto.edu on Fri, Feb 01, 2002 at 08:07:06PM -0500
References: <200202012234.g11MYlqg024911@etoh.eviladmin.org> <02Feb1.200717edt.453147-1882@jane.cs.toronto.edu>
Message-ID: <20020204095224.G27398@sm2p1386swk.wdr.com>

On Fri, Feb 01, 2002 at 08:07:06PM -0500, Dan Astoorian wrote:
> On Fri, 01 Feb 2002 17:34:47 EST, mouring writes:
> >
> > =) -f -f does not bother me as long as it is well documented. However I
> > hate the --some-command-that-we-may-not-use-offen-but-hell-we-wanted-an-optio
> > n.
>
> In general, IMHO, options should be idempotent; i.e., "-Z -Z" should
> have the same effect as '-Z'.

This one almost is :)

> Among the reasons for this: a wrapper program should be able to add
> options to a command line in order to assure a specific behaviour. For
> example, if a wrapper wants to suppress diagnostics, it should just be
> able to add "-q" option. If wrappers are nested, and each adds its own
> "-q" option, they shouldn't interfere with each other.

Do you have any wrappers that add -f? I think I can code wrappers to be
smart enough about this, so I'm not concerned.

> There is historical precedent for more -v's making output more verbose,

Yes.

> but the idea of '-f -f' having a *qualitatively* different meaning than
> '-f' is a little unsettling. You're not using "-f -f" to mean "-f, only
> more so"; it appears as if you just didn't want to use up another letter
> for an option with nearly identical semantics.

No, I'm making "-f -f" mean "like -f, but a bit later".

> As for --long-options, Ben is quite right. We already have
> -[alphAbetsouP] and -o `cat /usr/dict/words`, and adding GNUisms won't
> supply anything that these existing mechanisms can't deal with perfectly
> well.
I already said I wasn't going to use the long option name I'd originally
come up with, it's not even in the patch I submitted.

> As for Nicolas's comment:
>
> > > Originally I implemented (locally) this as a -o option and the option
> > > name was horrible, "WaitForPortOpenBeforeFork", because I couldn't think
> > > of a very short, yet very descriptive option name for this feature.
>
> Think harder :-)

Sure. Have you any suggestions?

> My opinion, for what it's worth, is that the difficulty in giving the
> feature a simple name reflects the fact that it's not a very elegant
> feature in the context of the existing design.

I agree on principle. But there are exceptions to rules of thumb and I
think this is one of them. Have you understood the feature?

> (A cleaner design would be for -f to make ssh background itself only
> after the exec() of the command on the server side had succeeded, so

No, this does not guarantee that by the time ssh exits the X11 display
has been opened by the remote command or that the remote command has
exited. This is what I'm after.

I need to know that when "ssh -f -f -X user at host someX11app" exits it is
either because "someX11app" has opened the forwarded display or it
exited without opening the display (and if so, with what error code) or
that the remote shell couldn't find "someX11app."

People use "ssh -f ..." as an approximation of "ssh -f -f ..." for
launching X apps. Visual feedback tells them whether or not something
went wrong.

But suppose you're writing a GUI app so users can start X apps with a
click of a mouse. How do you check for errors in starting the remote
apps? If you use "ssh -f ..." you can't. And if you don't use -f you
never know when the remote app has opened the display, so you never know
when to stop paying attention to ssh's stderr and what not.
But with "ssh -f -f ...", if you're starting an X11 app, it's fire and
forget - when you get SIGCHLD and reap the ssh you'll know for sure if
there was an error or not (the only way you wouldn't is if the remote
app has some infinite loop bug).

> that you wouldn't need a separate option to make sure the command was
> launched successfully. Unfortunately, the elegance of this design is
> more than offset by the fact that it's completely and utterly impossible
> to implement. I apologize for the minute of your life you just wasted
> reading this paragraph.)

?

> Cheers,
>
> --
> Dan Astoorian               People shouldn't think that it's better to have
> Sysadmin, CSLab             loved and lost than never loved at all. It's
> djast at cs.toronto.edu       not, it's better to have loved and won. All
> www.cs.toronto.edu/~djast/  the other options really suck. --Dan Redican

Cheers,

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Mon, 4 Feb 2002 09:56:10 -0500
Subject: OpenSSH Key Storage
In-Reply-To: ; from mats.andersson@appgate.com on Sat, Feb 02, 2002 at 08:37:21AM +0100
References: <11425218.1012569755@[172.25.113.221]>
Message-ID: <20020204095609.H27398@sm2p1386swk.wdr.com>

IMHO, the issue is dealing with forwarded sshd's. So the client really
ought to have a separate option for specifying the name of the expected
server host key separately from the host/port to which the client should
actually connect. E.g.,

    ssh -N the_server_I_want -l remote_user -p the_port the_host ...

No ambiguity.

Nico

On Sat, Feb 02, 2002 at 08:37:21AM +0100, Andersson, Mats wrote:
>
> On Fri, 1 Feb 2002, Carson Gaspar wrote:
> > > it has been suggested that the server tells the client:
> > > lookup the hostkey under this 'name'.
> >
> > No. Because the client can't. It doesn't have enough information. You can
> > hack it into the client statically via the current alias mechanism, but it
>
> I don't see the problem here? The client (and only it) knows what
> name/port it connected to and only it knows who it expects to find there,
> the ONLY method of identifying the host I can think of is to store the
> host keys in a list searchable with host/port pairs (the "state" in the
> transport layer probably knows where its TCP endpoint is connected so it
> should be able to do the lookup right?).
>
> Cheers,
>
> /Mats
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Mon, 4 Feb 2002 10:04:05 -0500
Subject: /dev/urandom
In-Reply-To: <4.3.2.7.2.20020201174149.05137ce8@3rdclass.cisco.com>; from brhamon@cisco.com on Fri, Feb 01, 2002 at 05:43:13PM -0600
References: <3C5B2282.CE47B43F@cray.com> <4.3.2.7.2.20020201174149.05137ce8@3rdclass.cisco.com>
Message-ID: <20020204100403.I27398@sm2p1386swk.wdr.com>

If you have SUNWski / cryptorand or EGD, then you can use that for
/dev/random and ANDIrand for /dev/urandom and have a background or
cronned job to re-seed /dev/urandom from /dev/random from time to time
because ANDIrand doesn't really try to gather entropy.

Nico

On Fri, Feb 01, 2002 at 05:43:13PM -0600, Brian Hamon wrote:
> ANDIrand is an implementation on Solaris that includes source, and may
> provide a guide:
>
> http://www.cosy.sbg.ac.at/~andi/
>
>
> At 05:19 PM 2/1/2002, Wendy Palm wrote:
>
> >if i want to learn more about implementing a /dev/urandom,
> >where would be a good place to start?
> >
> >thanks,
> >wendy
> >
> >
> >--
> >wendy palm
> >Cray OS Sustaining Engineering, Cray Inc.
> >wendyp at cray.com, 651-605-9154
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 4 Feb 2002 16:19:52 +0100
Subject: OpenSSH Key Storage
In-Reply-To: <20020204095609.H27398@sm2p1386swk.wdr.com>
References: <11425218.1012569755@[172.25.113.221]> <20020204095609.H27398@sm2p1386swk.wdr.com>
Message-ID: <20020204151952.GA4925@faui02>

On Mon, Feb 04, 2002 at 09:56:10AM -0500, Nicolas Williams wrote:
> IMHO, the issue is dealing with forwarded sshd's. So the client really
> ought to have a separate option for specifying the name of the expected
> server host key separately from the host/port to which the client should
> actually connect.

that's what hostkeyalias does.
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 5 Feb 2002 02:43:33 +1100 (EST)
Subject: [Bug 93] Added ability for ssh-add to parse config files to retrieve a list of valid IdentityFiles.
Message-ID: <20020204154333.EA3C7E9D7@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=93

------- Additional Comments From Nicolas.Williams at ubsw.com 2002-02-05 02:43 -------

> i don't like the idea of parsing ssh_config in ssh-add.
>
> -current ssh-add tries to load all 3 default keys.
> that's enough for the default.
>
> it's easy to add more keys on the command line.

Markus,

One reason we want this is so that we can specify non-standard locations
for identity files for app accounts that run daemons, things from cron,
etc... It's a small patch and not at all far-fetched.

I just ran smack into the MaxStartups option. How did that
bug^H^H^Hfeature ever get in anyways.

Nico

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Mon, 4 Feb 2002 10:36:41 -0500
Subject: OpenSSH Key Storage
In-Reply-To: <20020204151952.GA4925@faui02>; from markus@openbsd.org on Mon, Feb 04, 2002 at 04:19:52PM +0100
References: <11425218.1012569755@[172.25.113.221]> <20020204095609.H27398@sm2p1386swk.wdr.com> <20020204151952.GA4925@faui02>
Message-ID: <20020204103639.J27398@sm2p1386swk.wdr.com>

On Mon, Feb 04, 2002 at 04:19:52PM +0100, Markus Friedl wrote:
> On Mon, Feb 04, 2002 at 09:56:10AM -0500, Nicolas Williams wrote:
> > IMHO, the issue is dealing with forwarded sshd's. So the client really
> > ought to have a separate option for specifying the name of the expected
> > server host key separately from the host/port to which the client should
> > actually connect.
>
> that's what hostkeyalias does.

Yes, but a pure-command-line option for doing the same would be nice.

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
From: mats.andersson at appgate.com (Andersson, Mats)
Date: Mon, 4 Feb 2002 16:40:21 +0100 (CET)
Subject: OpenSSH Key Storage
In-Reply-To: <20020204095609.H27398@sm2p1386swk.wdr.com>
Message-ID:

On Mon, 4 Feb 2002, Nicolas Williams wrote:
> IMHO, the issue is dealing with forwarded sshd's. So the client really
> ought to have a separate option for specifying the name of the

Ok, I thought the issue was with different servers on different ports on
same host. Forwarded servers seem to be handled by the alias function
which is in openssh already? (forwarded servers != servers at different
ports).

Cheers,

/Mats
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Mon, 4 Feb 2002 10:51:29 -0500
Subject: OpenSSH Key Storage
In-Reply-To: ; from mats.andersson@appgate.com on Mon, Feb 04, 2002 at 04:40:21PM +0100
References: <20020204095609.H27398@sm2p1386swk.wdr.com>
Message-ID: <20020204105128.S27171@sm2p1386swk.wdr.com>

On Mon, Feb 04, 2002 at 04:40:21PM +0100, Andersson, Mats wrote:
>
> On Mon, 4 Feb 2002, Nicolas Williams wrote:
> > IMHO, the issue is dealing with forwarded sshd's. So the client really
> > ought to have a separate option for specifying the name of the
>
> Ok, I thought the issue was with different servers on different ports on
> same host. Forwarded servers seem to be handled by the alias function
> which is in openssh already? (forwarded servers != servers at different
> ports).

Sorry, what exactly is the difference, from the client's point of view,
between forwarded servers and multiple servers on one host with
different port numbers?

If anything, the expectation that known host key names relate to
hostnames as resolvable through the name services (e.g., DNS) is the
thing that leads to any difference. I.e., the multiple servers on one
host on multiple ports will all be expected to have the same name
because it's one host(*). But the name is really a functional name. So,
allowing a separation of host key name from hostname/port makes sense.

If the ports in question are dynamically obtained for different runs
then what other option is there? Dynamically updating known host keys /
aliases?

(*) ignore multi-homing for this.

> Cheers,
>
> /Mats
>

Cheers,

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
From: djast at cs.toronto.edu (Dan Astoorian)
Date: Mon, 4 Feb 2002 10:59:48 -0500
Subject: FEATURE: -f -f - fork after successful open of fwd port/display/agent
In-Reply-To: Your message of "Mon, 04 Feb 2002 09:52:25 EST." <20020204095224.G27398@sm2p1386swk.wdr.com>
Message-ID: <02Feb4.105952edt.453149-4635@jane.cs.toronto.edu>

On Mon, 04 Feb 2002 09:52:25 EST, Nicolas Williams writes:
>
> Do you have any wrappers that add -f? I think I can code wrappers to be
> smart enough about this, so I'm not concerned.

You're approaching the question from the wrong direction. Can *you*
guarantee that nobody else has wrappers that add -f? If someone has, do
you think this feature justifies breaking their existing deployment when
they upgrade OpenSSH, when this could trivially have been avoided?

I'm not arguing because I have wrappers that your feature will break;
I'm arguing because I don't want OpenSSH's design to grow unnecessary
tumours.

And for what it's worth, yes, I do have a wrapper which adds -f: my
users use it to launch X applications. I could also add code to my
wrapper to filter out multiple -f's. I shouldn't have to.

> > but the idea of '-f -f' having a *qualitatively* different meaning than
> > '-f' is a little unsettling. You're not using "-f -f" to mean "-f, only
> > more so"; it appears as if you just didn't want to use up another letter
> > for an option with nearly identical semantics.
>
> No, I'm making "-f -f" mean "like -f, but a bit later".

And that's a substantial, qualitative difference. You're changing the
interpretation of the return code, and in the case where the command
doesn't happen to use forwarding features, you're preventing the
backgrounding from taking place at all. Consider the difference in
behaviour for:

    ssh -f -f remotehost 'sleep 600; date >> /var/run/foo' && echo "ok"

with and without your patch.

> > Think harder :-)
>
> Sure. Have you any suggestions?

No, but then, I don't approve of the feature.

> I agree on principle. But there are exceptions to rules of thumb and I
> think this is one of them. Have you understood the feature?

I haven't read the patch, but yes, I understand what you're trying to do
with this feature, and I still think the benefits of this feature are
outweighed by its poor fit into the existing design (which could make
the feature difficult to maintain in the future).

> > (A cleaner design would be for -f to make ssh background itself only
> > after the exec() of the command on the server side had succeeded, so
>
> No, this does not guarantee that by the time ssh exits the X11 display
> has been opened by the remote command or that the remote command has
> exited. This is what I'm after.

You can't guarantee that the X11 display has been opened successfully
even if the forwarding has been established. The X11 display could
refuse the connection at the X protocol level, or the X11 app could
abort between opening the X11 server and mapping its first window, for
any of a number of reasons.

In any case, it's not ssh's job to make sure the application operates as
intended.

> People use "ssh -f ..." as an approximation of "ssh -f -f ..." for
> launching X apps. Visual feedback tells them whether or not something
> went wrong.

Or stderr tells them.

> But suppose you're writing a GUI app so users can start X apps with a
> click of a mouse. How do you check for errors in starting the remote
> apps? [...]

Watch the stdout/stderr of the ssh process, and don't use -f. If you
have an application for which you have a particular need to verify that
it started up correctly, make the application output a positive
acknowledgement to stdout or stderr, and have the launcher watch for it.

The original purpose of -f was to let ssh stay in the foreground long
enough to prompt for passphrases; if you're doing it from a window
manager, there's usually no downside to just putting the whole process
in the background.
--
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all. It's
djast at cs.toronto.edu       not, it's better to have loved and won. All
www.cs.toronto.edu/~djast/  the other options really suck. --Dan Redican
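Dan's alternative above (don't use -f; have the application print a positive acknowledgement and let the launcher watch for it), as an added example of mine rather than anything from the thread or from OpenSSH: a Python launcher that keeps the child in the foreground until it prints an agreed READY line, and otherwise hands back the exit status and the stderr it captured. The READY token, the sample commands, and the use of a local sh in place of ssh are constructed for the example.

```python
"""Launch a command and only stop watching it once it acknowledges start-up
on stdout, or report its exit status and stderr if it dies first.
Added example for this thread; not OpenSSH code."""
import os
import select
import subprocess
import time

READY_TOKEN = b"READY"   # Assumed acknowledgement line the launched app prints.


def launch_with_ack(argv, timeout=5.0):
    """Run argv with stdout and stderr piped.  Returns (state, proc, stderr):
       state "ready"   - READY_TOKEN seen on stdout; child keeps running
       state "exited"  - stdout closed before any acknowledgement; proc.returncode is set
       state "timeout" - no acknowledgement within timeout; child still running"""
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out_fd, err_fd = proc.stdout.fileno(), proc.stderr.fileno()
    open_fds = {out_fd, err_fd}
    out_buf, err_buf = b"", b""
    deadline = time.monotonic() + timeout
    while out_fd in open_fds:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return ("timeout", proc, err_buf.decode(errors="replace"))
        readable, _, _ = select.select(sorted(open_fds), [], [], remaining)
        for fd in readable:
            chunk = os.read(fd, 4096)
            if not chunk:                    # EOF on this pipe
                open_fds.discard(fd)
            elif fd == err_fd:               # keep stderr for the error report
                err_buf += chunk
            else:
                out_buf += chunk
                while b"\n" in out_buf:
                    line, out_buf = out_buf.split(b"\n", 1)
                    if line.strip() == READY_TOKEN:
                        return ("ready", proc, err_buf.decode(errors="replace"))
    # stdout closed without an acknowledgement: drain stderr, then reap.
    err_buf += proc.stderr.read()
    proc.wait()
    return ("exited", proc, err_buf.decode(errors="replace"))


if __name__ == "__main__":
    # Constructed stand-ins for "ssh host someX11app": a well-behaved app,
    # one that fails before acknowledging, and one that never answers.
    for cmd in ("echo starting; echo READY; sleep 0.2",
                "echo cannot open display >&2; exit 3",
                "sleep 2"):
        state, proc, err = launch_with_ack(["sh", "-c", cmd], timeout=0.5)
        print(state, proc.returncode, repr(err))
        if state != "exited":
            proc.kill()
            proc.wait()
```

The three outcomes are the cases Nico wants distinguished: acknowledgement seen, child gone first (with its exit code and stderr in hand to show the user), or no answer before the deadline, which is the infinite-loop case both sides mention and is left to the caller to decide about. A caller that goes on to detach after "ready" should keep draining or redirect the child's stdout, since a child that later writes to a closed pipe gets SIGPIPE.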
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Mon, 4 Feb 2002 11:19:51 -0500
Subject: FEATURE: -f -f - fork after successful open of fwd port/display/agent
In-Reply-To: <02Feb4.105952edt.453149-4635@jane.cs.toronto.edu>; from djast@cs.toronto.edu on Mon, Feb 04, 2002 at 10:59:48AM -0500
References: <20020204095224.G27398@sm2p1386swk.wdr.com> <02Feb4.105952edt.453149-4635@jane.cs.toronto.edu>
Message-ID: <20020204111949.T27171@sm2p1386swk.wdr.com>

On Mon, Feb 04, 2002 at 10:59:48AM -0500, Dan Astoorian wrote:
> On Mon, 04 Feb 2002 09:52:25 EST, Nicolas Williams writes:
> >
> > Do you have any wrappers that add -f? I think I can code wrappers to be
> > smart enough about this, so I'm not concerned.
>
> You're approaching the question from the wrong direction. Can *you*
> guarantee that nobody else has wrappers that add -f? If someone has, do
> you think this feature justifies breaking their existing deployment when
> they upgrade OpenSSH, when this could trivially have been avoided?

See below.

> I'm not arguing because I have wrappers that your feature will break;
> I'm arguing because I don't want OpenSSH's design to grow unnecessary
> tumours.

How is this a tumor?

> And for what it's worth, yes, I do have a wrapper which adds -f: my
> users use it to launch X applications. I could also add code to my
> wrapper to filter out multiple -f's. I shouldn't have to.

Precisely. You wouldn't mind an accidental -f -f because the ssh client
will still exit pretty soon after starting. "ssh -f -f" will almost
never change the behaviour vis-a-vis "-f" in a way that would "break"
anything when it's used to start X11 apps.

> > > but the idea of '-f -f' having a *qualitatively* different meaning than
> > > '-f' is a little unsettling. You're not using "-f -f" to mean "-f, only
> > > more so"; it appears as if you just didn't want to use up another letter
> > > for an option with nearly identical semantics.
> >
> > No, I'm making "-f -f" mean "like -f, but a bit later".
>
> And that's a substantial, qualitative difference. You're changing the
> interpretation of the return code, and in the case where the command
> doesn't happen to use forwarding features, you're preventing the
> backgrounding from taking place at all. Consider the difference in
> behaviour for:

Yes, this is the one time "-f -f" is a significant change vs. "-f". But,
note that the "-f" option is intended for use with X11 app launching (see
the ssh(1) man page).

> > > Think harder :-)
> >
> > Sure. Have you any suggestions?
>
> No, but then, I don't approve of the feature.

See below.

> > I agree on principle. But there are exceptions to rules of thumb and I
> > think this is one of them. Have you understood the feature?
>
> I haven't read the patch, but yes, I understand what you're trying to do
> with this feature, and I still think the benefits of this feature are
> outweighed by its poor fit into the existing design (which could make
> the feature difficult to maintain in the future).

Would you mind it if the option were "-ff"?

> You can't guarantee that the X11 display has been opened successfully
> even if the forwarding has been established. The X11 display could
> refuse the connection at the X protocol level, or the X11 app could
> abort between opening the X11 server and mapping its first window, for
> any of a number of reasons.

Nor can I guarantee that the remote app won't go into an infinite loop and
never attempt to open the display. Yet I still find this feature useful
because it allows me to catch most common errors.

> In any case, it's not ssh's job to make sure the application operates as
> intended.

But ssh does bother to try to give me a remote command's exit code.

> > People use "ssh -f ..." as an approximation of "ssh -f -f ..." for
> > launching X apps. Visual feedback tells them whether or not something
> > went wrong.
>
> Or stderr tells them.

Too late with -f.
> > But suppose you're writing a GUI app so users can start X apps with a
> > click of a mouse. How do you check for errors in starting the remote
> > apps? [...]
>
> Watch the stdout/stderr of the ssh process, and don't use -f. If you

That means knowing what to look for (as opposed to looking for a non-zero
exit number, at which point whatever was written to stderr can be
presented to the user).

> have an application for which you have a particular need to verify that
> it started up correctly, make the application output a positive
> acknowledgement to stdout or stderr, and have the launcher watch for it.

That means changing the apps.

> The original purpose of -f was to let ssh stay in the foreground long
> enough to prompt for passphrases; if you're doing it from a window
> manager, there's usually no downside to just putting the whole process
> in the background.

Sure, the GUI remote app launcher can deal with lots of ssh children. But
how can it know that the apps actually got to open the display?

Also, I'm still looking for comments on the forkoff() thing. It makes a
big difference on Cygwin, where starting OpenSSH from a native Windows app
causes a new command window to open - the forkoff() function I added has
an option to detach from the tty (and close the session channel), which
causes the window to go away as soon as OpenSSH -f orksoff.

> --
> Dan Astoorian               People shouldn't think that it's better to have
> Sysadmin, CSLab             loved and lost than never loved at all. It's
> djast at cs.toronto.edu     not, it's better to have loved and won. All
> www.cs.toronto.edu/~djast/  the other options really suck. --Dan Redican

Nico
From bugzilla-daemon at mindrot.org Tue Feb 5 03:51:15 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 5 Feb 2002 03:51:15 +1100 (EST)
Subject: [Bug 93] Added ability for ssh-add to parse config files to retrieve a list of valid IdentityFiles.
Message-ID: <20020204165115.AE80DE94D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=93

------- Additional Comments From Nicolas.Williams at ubsw.com 2002-02-05 03:51 -------
> I just ran smack into the MaxStartups option. How did that
> bug^H^H^Hfeature ever get in anyways.

I take this back, I get the point of that feature. I ran into it
stress-testing OpenSSH. :)

Nico

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Feb 5 03:51:59 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 5 Feb 2002 03:51:59 +1100 (EST)
Subject: [Bug 94] Userdefineable identification string
Message-ID: <20020204165159.C63F1E94D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From jprondak at visualmedia.com 2002-02-05 03:51 -------
The word is *if*. Secondly, I have had requests from some of my clients for the
ability to change both the version and comment string(s). The version string
for the sole purpose of hiding the version in the event of a security hole,
similarly to the way, say, bind or sendmail does. If other standards do, why
not openssh?

As for the comment string, this is not at all that far fetched. I have the need
to put information about an installation (i.e. internal version number, say
for a company's internal package version, or for describing additional
options.. gssapi?). In large environments it is hard to keep every machine up
to date, let alone making a perfect installation. So one can have used openssh
3.0.2p1 but had multiple revisions of the package. And a quick way to audit
said installation(s) would be to look at the comment field, and then use
something like scanssh to gather the information.

From bugzilla-daemon at mindrot.org Tue Feb 5 04:07:42 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 5 Feb 2002 04:07:42 +1100 (EST)
Subject: [Bug 94] Userdefineable identification string
Message-ID: <20020204170742.A4C44E9F2@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From markus at openbsd.org 2002-02-05 04:07 -------
why should we encourage people to run a broken version of openssh?
why not edit version.h and include this information at compile time?
if you have a revision of your modified sshd you will have to recompile anyway.
changing version.h will possibly break compatibility.

From bugzilla-daemon at mindrot.org Tue Feb 5 04:33:11 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 5 Feb 2002 04:33:11 +1100 (EST)
Subject: [Bug 93] Added ability for ssh-add to parse config files to retrieve a list of valid IdentityFiles.
Message-ID: <20020204173311.4353FE9F7@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=93

------- Additional Comments From markus at openbsd.org 2002-02-05 04:33 -------
/usr/bin/ssh is the only program that should read ssh_config.
passing non-default keys to ssh-add is easy with the current version of ssh-add.
of course we could have options and defaults for all kinds of uses, but openssh
is already very fat.

From bugzilla-daemon at mindrot.org Tue Feb 5 04:47:33 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 5 Feb 2002 04:47:33 +1100 (EST) Subject: [Bug 96] New: bsd-cray.h modifications to allow correct UNICOS execution Message-ID: <20020204174733.29F6BE9E8@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=96 Summary: bsd-cray.h modifications to allow correct UNICOS execution Product: Portable OpenSSH Version: 3.0.2p1 Platform: Other OS/Version: other Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: wendyp at cray.com --- openbsd-compat/bsd-cray.h.orig Tue Aug 14 15:31:49 2001 +++ openbsd-compat/bsd-cray.h Wed Jan 9 15:57:56 2002 @@ -4,8 +4,13 @@ #ifdef _CRAY void cray_init_job(struct passwd *); /* init cray job */ void cray_job_termination_handler(int); /* process end of job signal */ -void cray_setup(uid_t, char *); /* set cray limits */ extern char cray_tmpdir[]; /* cray tmpdir */ +#ifndef IA_SSHD +#define IA_SSHD IA_LOGIN +#endif +#ifndef MAXHOSTNAMELEN +#define MAXHOSTNAMELEN 64 +#endif #endif ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Feb 5 05:55:44 2002 
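Review bot: the hunk removes the `void cray_setup(uid_t, char *);` prototype from bsd-cray.h without adding a replacement, while the companion session.c change (Bug 101) introduces a call `cray_setup(pw->pw_uid, pw->pw_name, command)` with three arguments; that caller would then compile against an implicit declaration, so the header should carry a prototype matching the new signature. The `#ifndef IA_SSHD` block silently maps sshd onto the IA_LOGIN class wherever the system headers provide no dedicated one; a one-line comment stating that intent would help the next reader.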
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 5 Feb 2002 05:55:44 +1100 (EST)
Subject: [Bug 94] Userdefineable identification string
Message-ID: <20020204185544.4F055E9D7@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From jprondak at visualmedia.com 2002-02-05 05:55 -------
> why should we encourage people to run a broken version of openssh?

Why do you think it is broken?.. or is the compatibility handling just broken?

> why not edit version.h and include this information at compile time?

Why do you have to recompile?? That is where the term "runtime options" comes
from. Fine. We disagree with the version string. But, the comment should be at
least user configurable.

> if you have a revision of your modified sshd you will have to recompile anyway.

No... who says that you can't change just the config files and make a new package?

From bugzilla-daemon at mindrot.org Tue Feb 5 06:16:23 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 5 Feb 2002 06:16:23 +1100 (EST)
Subject: [Bug 97] New: deattack.c modifications for correct UNICOS behavior
Message-ID: <20020204191623.939E9E9C6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=97

Summary: deattack.c modifications for correct UNICOS behavior
Product: Portable OpenSSH
Version: 3.0.2p1
Platform: Other
OS/Version: other
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: wendyp at cray.com

--- deattack.c.orig Mon Feb 4 12:32:51 2002
+++ deattack.c Mon Feb 4 12:35:01 2002
@@ -101,11 +101,19 @@ if (h == NULL) { debug("Installing crc compensation attack detector."); n = l; +#ifdef _CRAY + h = (u_int16_t *) xmalloc(n * sizeof(u_int16_t)); +#else h = (u_int16_t *) xmalloc(n * HASH_ENTRYSIZE); +#endif /* _CRAY */ } else { if (l > n) { n = l; +#ifdef _CRAY + h = (u_int16_t *) xrealloc(h, n * sizeof(u_int16_t)); +#else h = (u_int16_t *) xrealloc(h, n * HASH_ENTRYSIZE); +#endif /* _CRAY */ } } @@ -128,7 +136,11 @@ } return (DEATTACK_OK); } +#ifdef _CRAY + for (i=0; i http://bugzilla.mindrot.org/show_bug.cgi?id=98 Summary: auth1.c modifications for correct UNICOS behavior Product: Portable OpenSSH Version: 3.0.2p1 Platform: Other OS/Version: other Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: wendyp at cray.com --- auth1.c.orig Mon Feb 4 12:32:51 2002 +++ auth1.c Mon Feb 4 12:36:32 2002 @@ -25,10 +25,18 @@ #include "session.h" #include "misc.h" #include "uidswap.h" +#ifdef _CRAY +#include +#endif /* _CRAY */ /* import */ extern ServerOptions options; +#ifdef _CRAY +extern void cray_login_failure(char *username, int errcode); +extern int cray_access_denied(char *username); +#endif /* _CRAY */ + /* * convert ssh auth msg type into description */ @@ -305,7 +313,15 @@ if (!authctxt->valid && authenticated) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); - +#ifdef _CRAY + if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated) { + cray_login_failure(authctxt->user, IA_UDBERR); + } + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } +#endif /* _CRAY */ #ifdef HAVE_CYGWIN if (authenticated && !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, pw)) { ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Feb 5 06:18:37 2002 
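Review bot: in the deattack.c hunk at @@ -101,11 +101,19 @@ both `_CRAY` branches do nothing but substitute `sizeof(u_int16_t)` for `HASH_ENTRYSIZE` in the xmalloc and xrealloc calls, so the hash table is sized to the platform's real u_int16_t width; rather than duplicating each allocation under `#ifdef`, define HASH_ENTRYSIZE itself as `sizeof(u_int16_t)` (or guard that single definition with `_CRAY`), which removes two preprocessor branches and keeps the table sizing in one place. The hunk at @@ -128,7 +136,11 @@ is truncated in the archive after `for (i=0; i`, so the new loop body cannot be reviewed here.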
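Review bot: in the auth1.c hunk at @@ -305,7 +313,15 @@ the assignment `authenticated = 0;` placed immediately before `fatal("Access denied for user %s.",authctxt->user);` is dead code, since fatal() does not return; either drop the assignment or, if the intent is to reject the attempt while keeping the connection and the normal failure reply, replace fatal() with a log call and fall through to the existing failure path with `authenticated` cleared. A space after the comma in the fatal() argument list would also match the surrounding style.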
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 5 Feb 2002 06:18:37 +1100 (EST) Subject: [Bug 99] New: auth2.c modifications for correct UNICOS behavior Message-ID: <20020204191837.2F5FBEA01@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=99 Summary: auth2.c modifications for correct UNICOS behavior Product: Portable OpenSSH Version: 3.0.2p1 Platform: Other OS/Version: other Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: wendyp at cray.com --- auth2.c.orig Mon Feb 4 12:32:51 2002 +++ auth2.c Mon Feb 4 12:38:44 2002 @@ -51,12 +51,20 @@ #include "hostfile.h" #include "canohost.h" #include "match.h" +#ifdef _CRAY +#include +#endif /* _CRAY */ /* import */ extern ServerOptions options; extern u_char *session_id2; extern int session_id2_len; +#ifdef _CRAY +extern void cray_login_failure(char *username, int errcode); +extern int cray_access_denied(char *username); +#endif /* _CRAY */ + static Authctxt *x_authctxt = NULL; static int one = 1; @@ -245,6 +253,13 @@ authenticated = 0; #endif /* USE_PAM */ +#ifdef _CRAY + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } +#endif /* _CRAY */ + /* Log before sending the reply */ auth_log(authctxt, authenticated, method, " ssh2"); @@ -269,6 +284,10 @@ #endif /* WITH_AIXAUTHENTICATE */ packet_disconnect(AUTH_FAIL_MSG, authctxt->user); } +#ifdef _CRAY + if (strcmp(method, "password") == 0) + cray_login_failure(authctxt->user, IA_UDBERR); +#endif /* _CRAY */ methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Feb 5 06:20:47 2002 
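Review bot: the auth2.c hunk at @@ -245,6 +253,13 @@ has the same dead `authenticated = 0;` before `fatal(...)` as the auth1.c change, and here the placement matters more: the Cray block sits just above the `/* Log before sending the reply */ auth_log(authctxt, authenticated, method, " ssh2");` call, so a Cray access denial terminates the process before the normal authentication log entry is written. Consider clearing `authenticated`, logging the denial, and letting the existing failure handling send the SSH2_MSG_USERAUTH_FAILURE reply instead of calling fatal().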
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 5 Feb 2002 06:20:47 +1100 (EST) Subject: [Bug 100] New: serverloop.c modifications for correct UNICOS behavior Message-ID: <20020204192047.D47E8EA06@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=100 Summary: serverloop.c modifications for correct UNICOS behavior Product: Portable OpenSSH Version: 3.0.2p1 Platform: Other OS/Version: other Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: wendyp at cray.com --- serverloop.c.orig Mon Feb 4 12:32:51 2002 +++ serverloop.c Mon Feb 4 12:43:31 2002 @@ -143,7 +143,9 @@ int save_errno = errno; debug("Received SIGCHLD."); child_terminated = 1; +#ifndef _CRAY mysignal(SIGCHLD, sigchld_handler); +#endif notify_parent(); errno = save_errno; } @@ -673,7 +675,11 @@ /* We no longer want our SIGCHLD handler to be called. */ mysignal(SIGCHLD, SIG_DFL); +#ifdef _CRAY + while((wait_pid = waitpid(-1, &wait_status, child_terminated ? WNOHANG : 0)) && errno == EINTR); +#else wait_pid = waitpid(-1, &wait_status, child_terminated ? WNOHANG : 0); +#endif /* _CRAY */ if (wait_pid == -1) packet_disconnect("wait: %.100s", strerror(errno)); else if (wait_pid != pid) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Feb 5 06:22:43 2002 
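Review bot: the `_CRAY` loop in the hunk at @@ -673,7 +675,11 @@, `while((wait_pid = waitpid(-1, &wait_status, child_terminated ? WNOHANG : 0)) && errno == EINTR);`, tests errno even when waitpid() succeeded, and errno is not meaningful after a successful call; a stale EINTR would make the loop call waitpid() a second time and reap another child, losing the first pid. Condition the retry on the failure return instead: `while ((wait_pid = waitpid(-1, &wait_status, child_terminated ? WNOHANG : 0)) == -1 && errno == EINTR);`. Written that way the loop is correct on every platform and need not be under `#ifdef _CRAY` at all.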
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 5 Feb 2002 06:22:43 +1100 (EST) Subject: [Bug 101] New: session.c modifications for correct UNICOS behavior Message-ID: <20020204192243.46EB9EA0A@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=101 Summary: session.c modifications for correct UNICOS behavior Product: Portable OpenSSH Version: 3.0.2p1 Platform: Other OS/Version: other Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: wendyp at cray.com --- session.c.orig Mon Feb 4 12:32:52 2002 +++ session.c Mon Feb 4 13:03:18 2002 @@ -67,6 +67,10 @@ #include #endif /* WITH_IRIX_AUDIT */ +#ifdef _CRAY +#include +#endif + #if defined(HAVE_USERSEC_H) #include #endif @@ -494,11 +498,16 @@ if (dup2(err[0], 2) < 0) /* stderr */ perror("dup2 stderr"); #endif /* USE_PIPES */ - +#ifdef _CRAY + cray_init_job(s->pw); /* set up cray jid and tmpdir */ +#endif /* Do processing for the child (exec command etc). */ do_child(s, command); /* NOTREACHED */ } +#ifdef _CRAY + signal(WJSIGNAL, cray_job_termination_handler); +#endif /* _CRAY */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); @@ -586,7 +595,12 @@ /* record login, etc. similar to login(1) */ #ifndef HAVE_OSF_SIA if (!(options.use_login && command == NULL)) + { +# ifdef _CRAY + cray_init_job(s->pw); /* set up cray jid and tmpdir */ +# endif /* _CRAY */ do_login(s, command); + } # ifdef LOGIN_NEEDS_UTMPX else do_pre_login(s); @@ -597,6 +611,9 @@ do_child(s, command); /* NOTREACHED */ } +#ifdef _CRAY + signal(WJSIGNAL, cray_job_termination_handler); +#endif /* _CRAY */ #ifdef HAVE_CYGWIN if (is_winnt) cygwin_set_impersonation_token(INVALID_HANDLE_VALUE); @@ -743,6 +760,7 @@ printf("%s\n", aixloginmsg); #endif /* WITH_AIXAUTHENTICATE */ +#ifndef _CRAY if (options.print_lastlog && last_login_time != 0) { time_string = ctime(&last_login_time); if (strchr(time_string, '\n')) 
@@ -752,6 +770,7 @@ else printf("Last login: %s from %s\r\n", time_string, hostna me); } +#endif /* ! _CRAY */ do_motd(); } @@ -1027,16 +1046,17 @@ if (options.use_login && command != NULL) options.use_login = 0; -#if !defined(HAVE_OSF_SIA) +#ifndef _CRAY +# if !defined(HAVE_OSF_SIA) if (!options.use_login) { -# ifdef HAVE_LOGIN_CAP +# ifdef HAVE_LOGIN_CAP if (!login_getcapbool(lc, "ignorenologin", 0) && pw->pw_uid) f = fopen(login_getcapstr(lc, "nologin", _PATH_NOLOGIN, _PATH_NOLOGIN), "r"); -# else /* HAVE_LOGIN_CAP */ +# else /* HAVE_LOGIN_CAP */ if (pw->pw_uid) f = fopen(_PATH_NOLOGIN, "r"); -# endif /* HAVE_LOGIN_CAP */ +# endif /* HAVE_LOGIN_CAP */ if (f) { /* /etc/nologin exists. Print its contents and exit. */ while (fgets(buf, sizeof(buf), f)) @@ -1045,7 +1065,10 @@ exit(254); } } -#endif /* HAVE_OSF_SIA */ +# endif /* HAVE_OSF_SIA */ +#else + cray_setup(pw->pw_uid, pw->pw_name, command); +#endif /* _CRAY */ /* Set login name, uid, gid, and groups. */ /* Login(1) does this as well, and it needs uid 0 for the "-h" @@ -1245,6 +1268,10 @@ if (original_command) child_set_env(&env, &envsize, "SSH_ORIGINAL_COMMAND", original_command); +#ifdef _CRAY + if (cray_tmpdir[0] != '\0') + child_set_env(&env, &envsize, "TMPDIR", cray_tmpdir); +#endif /* _CRAY */ #ifdef _AIX if ((cp = getenv("AUTHSTATE")) != NULL) @@ -1392,11 +1419,13 @@ "%.100s %.100s %.100s\n", options.xauth_location, s->auth_display[0], s->auth_proto, s->auth_data); +#ifndef _CRAY if (s->auth_display[1]) fprintf(stderr, "add %.100s %.100s %.100s\n", s->auth_display[1], s->auth_proto, s->auth_data); +#endif /* _CRAY */ } snprintf(cmd, sizeof cmd, "%s -q -", options.xauth_location); 
@@ -1405,10 +1434,12 @@ fprintf(f, "add %s %s %s\n", s->auth_display[0], s->auth_proto, s->auth_data); +#ifndef _CRAY if (s->auth_display[1]) fprintf(f, "add %s %s %s\n", s->auth_display[1], s->auth_proto, s->auth_data); +#endif /* _CRAY */ pclose(f); } else { fprintf(stderr, "Could not run %s\n", ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Feb 5 06:23:50 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 5 Feb 2002 06:23:50 +1100 (EST) Subject: [Bug 102] New: defines.h modifications for proper UNICOS behavior Message-ID: <20020204192350.99763EA0F@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=102 Summary: defines.h modifications for proper UNICOS behavior Product: Portable OpenSSH Version: 3.0.2p1 Platform: Other OS/Version: other Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: wendyp at cray.com --- defines.h.orig Mon Feb 4 12:32:52 2002 +++ defines.h Mon Feb 4 13:04:07 2002 @@ -161,7 +161,11 @@ typedef short int int16_t; # else # ifdef _CRAY +# if (SIZEOF_SHORT_INT == 4) +typedef short int16_t; +# else typedef long int16_t; +# endif # else # error "16 bit int type not found." # endif /* _CRAY */ @@ -194,7 +198,11 @@ typedef unsigned short int u_int16_t; # else # ifdef _CRAY +# if (SIZEOF_SHORT_INT == 4) +typedef unsigned short u_int16_t; +# else typedef unsigned long u_int16_t; +# endif # else # error "16 bit int type not found." # endif ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Feb 5 06:24:25 2002 
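Review bot: in the session.c hunk at @@ -1027,16 +1046,17 @@ the entire /etc/nologin check (the login_getcapbool "ignorenologin" lookup, the _PATH_NOLOGIN fopen and the exit(254) path) is compiled out under `_CRAY` and replaced by `cray_setup(pw->pw_uid, pw->pw_name, command);`; unless cray_setup() itself refuses logins when /etc/nologin exists, this removes a login-denial check on UNICOS, so the report should state how the new routine covers it. The same call passes three arguments while the bsd-cray.h change (Bug 96) removes the two-argument prototype without adding a new one. In the xauth hunks at @@ -1392,11 +1419,13 @@ and @@ -1405,10 +1434,12 @@ the `#ifndef _CRAY` guards drop the `add` line for s->auth_display[1], so the second display form receives no xauth cookie on UNICOS; a comment explaining why that form is not needed there would help.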
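Review bot: in both defines.h hunks, when `SIZEOF_SHORT_INT == 4` the new typedefs make `int16_t` and `u_int16_t` four bytes wide (as the existing `long` fallback already did), so the type names no longer describe their width; any code that relies on 16-bit wraparound or on `sizeof(u_int16_t)` being 2, such as the crc compensation attack detector's hash table in deattack.c (Bug 97), has to be checked against the wider type. A comment at the typedef noting that UNICOS provides no 16-bit integer type would stop the next reader from treating these as true 16-bit types.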
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 5 Feb 2002 06:24:25 +1100 (EST)
Subject: [Bug 94] Userdefineable identification string
Message-ID: <20020204192425.60790EA12@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From jprondak at visualmedia.com 2002-02-05 06:24 -------
I agree that the "version" string would/could cause problems with
compatibility. So I will drop the "version" string. The comment is another
matter. What are your thoughts on generalizing the compat stuff.. maybe making
it runtime and not compile time?

From markus at openbsd.org Tue Feb 5 06:32:26 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 4 Feb 2002 20:32:26 +0100
Subject: hang on exit
In-Reply-To: <20020105113623.A19062@folly>
References: <3C34836E.4090203@db.com> <20020103172818.A15928@faui02> <20020104091526.B1025@foo.birdnet.se> <20020104093229.B20222@wdr.com> <20020104184505.H9973@zax.half.pint-stowp.cx> <20020105113623.A19062@folly>
Message-ID: <20020204193226.GA19980@faui02>

untested, as i don't have access to a system that
shows the hang-on-exit problem.

Index: servconf.c
===================================================================
RCS file: /cvs/openssh_cvs/servconf.c,v
retrieving revision 1.74
diff -u -r1.74 servconf.c
--- servconf.c 22 Jan 2002 12:35:12 -0000 1.74
+++ servconf.c 4 Feb 2002 15:46:05 -0000
@@ -91,6 +91,7 @@ options->permit_empty_passwd = -1; options->use_login = -1; options->allow_tcp_forwarding = -1; + options->allow_data_loss_on_pty = -1; options->num_allow_users = 0; options->num_deny_users = 0; options->num_allow_groups = 0;
@@ -209,6 +210,8 @@ options->use_login = 0; if (options->allow_tcp_forwarding == -1) options->allow_tcp_forwarding = 1; + if (options->allow_data_loss_on_pty == -1) + options->allow_data_loss_on_pty = 0; if (options->gateway_ports == -1) options->gateway_ports = 0; if (options->max_startups == -1) @@ -257,7 +260,7 @@ sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sStrictModes, sEmptyPasswd, sKeepAlives, - sUseLogin, sAllowTcpForwarding, + sUseLogin, sAllowTcpForwarding, sAllowDataLossOnPty sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, @@ -321,6 +324,7 @@ { "uselogin", sUseLogin }, { "keepalive", sKeepAlives }, { "allowtcpforwarding", sAllowTcpForwarding }, + { "allowdatalossonpty", sAllowDataLossOnPty }, { "allowusers", sAllowUsers }, { "denyusers", sDenyUsers }, { "allowgroups", sAllowGroups }, @@ -707,6 +711,10 @@ case sAllowTcpForwarding: intptr = &options->allow_tcp_forwarding; + goto parse_flag; + + case sAllowDataLossOnPty: + intptr = &options->allow_data_loss_on_pty; goto parse_flag; case sAllowUsers: Index: servconf.h =================================================================== RCS file: /cvs/openssh_cvs/servconf.h,v retrieving revision 1.42 diff -u -r1.42 servconf.h --- servconf.h 21 Dec 2001 03:45:49 -0000 1.42 +++ servconf.h 4 Feb 2002 15:46:05 -0000 @@ -98,6 +98,7 @@ * passwords. */ int use_login; /* If true, login(1) is used */ int allow_tcp_forwarding; + int allow_data_loss_on_pty; u_int num_allow_users; char *allow_users[MAX_ALLOW_USERS]; u_int num_deny_users; Index: serverloop.c =================================================================== RCS file: /cvs/openssh_cvs/serverloop.c,v retrieving revision 1.94 diff -u -r1.94 serverloop.c --- serverloop.c 22 Jan 2002 12:29:23 -0000 1.94 +++ serverloop.c 4 Feb 2002 15:46:06 -0000 
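Review bot: in the servconf.c hunk at @@ -257,7 +260,7 @@ the new enumerator is missing its trailing comma: `sUseLogin, sAllowTcpForwarding, sAllowDataLossOnPty` is directly followed by `sAllowUsers, sDenyUsers, ...` on the next line, which will not compile. It should read `sUseLogin, sAllowTcpForwarding, sAllowDataLossOnPty,`. The remaining servconf.c and servconf.h hunks (the -1 initialiser, the default of 0, the "allowdatalossonpty" keyword entry and the parse_flag case) follow the AllowTcpForwarding pattern consistently, and defaulting the option to off keeps the current no-data-loss behaviour for anyone who does not set it.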
@@ -391,6 +391,11 @@ buffer_append(&stderr_buffer, buf, len); } } + if (child_terminated && options.allow_data_loss_on_pty == 1 && + fderr == -1 && !fdout_eof) { + close(fdout); + fdout_eof = 1; + } } /*
Index: session.c
===================================================================
RCS file: /cvs/openssh_cvs/session.c,v
retrieving revision 1.166
diff -u -r1.166 session.c
--- session.c 22 Jan 2002 12:16:34 -0000 1.166
+++ session.c 4 Feb 2002 15:46:06 -0000
@@ -1892,6 +1892,9 @@ */ if (c->ostate != CHAN_OUTPUT_CLOSED) chan_write_failed(c); + if (s->ttyfd != -1 && c->istate == CHAN_INPUT_OPEN && + options.allow_data_loss_on_pty == 1) + chan_read_failed(c); s->chanid = -1; }

From bugzilla-daemon at mindrot.org Tue Feb 5 06:43:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 5 Feb 2002 06:43:51 +1100 (EST)
Subject: [Bug 103] New: new openbsd-compat/bsd-cray.c file
Message-ID: <20020204194351.943A2E9C6@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=103

Summary: new openbsd-compat/bsd-cray.c file
Product: Portable OpenSSH
Version: 3.0.2p1
Platform: Other
OS/Version: other
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: wendyp at cray.com

please replace openbsd-compat/bsd-cray.c in its entirety with the attached
file. the new version provides the proper code to set correct attributes upon
login, as well as other cray-specifics.

From bugzilla-daemon at mindrot.org Tue Feb 5 06:45:46 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 5 Feb 2002 06:45:46 +1100 (EST)
Subject: [Bug 103] new openbsd-compat/bsd-cray.c file
Message-ID: <20020204194546.D2E37EA1D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=103

------- Additional Comments From wendyp at cray.com 2002-02-05 06:45 -------
Created an attachment (id=20)
updated openbsd-compat/bsd-cray.c

From bugzilla-daemon at mindrot.org Tue Feb 5 06:46:36 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 5 Feb 2002 06:46:36 +1100 (EST)
Subject: [Bug 100] serverloop.c modifications for correct UNICOS behavior
Message-ID: <20020204194636.5B6ADEA20@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=100

------- Additional Comments From markus at openbsd.org 2002-02-05 06:46 -------
hm, why can't you do while(waitpid) ?

From Nicolas.Williams at ubsw.com Tue Feb 5 07:00:19 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Mon, 4 Feb 2002 15:00:19 -0500
Subject: forkoff()
Message-ID: <20020204150017.K27398@sm2p1386swk.wdr.com>

Please review the function below, forkoff(), meant to be used in clientloop.c
instead of daemon() and the code in process_escapes(). The intention is to
make ~D (like ~& but also detach) possible and to make it possible for ssh -f
(or ssh -f -f - see other thread on this) to detach, not just forkoff().

I also intend to use the same detach technique in a feature patch for the
hang-on-exit behaviour that's been hashed to death. I.e., I might like to add
an option to control ssh's behaviour when the remote session exits, the
behaviours being: wait for the channel to be closed [current, default], close
all channels and exit, background, detach and force exit.

To make detaching and some of the hang-on-exit options work correctly I need a
way to force a channel closed and to do it in a way that is correct wrt the
SSHv2 protocol. The forkoff() function below does that, I think, but it would
be nice to have confirmation.

Comments?

Nico

static void
forkoff(int stop_listening, int detach)
{
	pid_t pid;
	int fd;
	Channel *c;

	/* Restore tty modes. */
	leave_raw_mode();

	/* Stop listening for new connections. */
	if (stop_listening)
		channel_stop_listening();

	fprintf(stderr, "Forking off into the background - %s\n",
	    stop_listening ? "no longer listening" : "still listening");

	/* Fork into background. */
	pid = fork();
	if (pid < 0) {
		error("fork: %.100s", strerror(errno));
		return;
	}
	if (pid != 0) {	/* This is the parent. */
		/* The parent just exits. */
		exit(0);
	}

	c = channel_lookup(session_ident);
	if (c == NULL)
		error("couldn't lookup session channel");

	/* The child continues serving connections. */

	/* fake EOF on stdin */
	if (compat20) {
		buffer_append(&stdin_buffer, "\004", 1);
	} else if (!stdin_eof) {
		/*
		 * Sending SSH_CMSG_EOF alone does not always appear
		 * to be enough.  So we try to send an EOF character
		 * first.
		 */
		packet_start(SSH_CMSG_STDIN_DATA);
		packet_put_string("\004", 1);
		packet_send();
		/* Close stdin. */
		stdin_eof = 1;
		if (buffer_len(&stdin_buffer) == 0) {
			packet_start(SSH_CMSG_EOF);
			packet_send();
		}
	}

	if (detach) {
		/*
		 * There should be a chan_wont_read()/chan_wont_write()
		 * API, differing only in the debug messages used.
		 */
		/* Only touch the session channel if the lookup above found it. */
		if (c != NULL) {
			chan_read_failed(c);
			chan_write_failed(c);
			channel_close_fds(c);
		}
		/* Point the standard descriptors at /dev/null and leave the tty. */
		fd = open(_PATH_DEVNULL, O_RDWR, 0);
		if (fd < 0)
			return;
		(void) dup2(fd, STDIN_FILENO);
		(void) dup2(fd, STDOUT_FILENO);
		(void) dup2(fd, STDERR_FILENO);
		if (fd > 2)
			(void) close(fd);
		(void) setsid();
	}
}

From Nicolas.Williams at ubsw.com Tue Feb 5 07:04:51 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Mon, 4 Feb 2002 15:04:51 -0500
Subject: hang on exit
In-Reply-To: <20020204193226.GA19980@faui02>; from markus@openbsd.org on Mon, Feb 04, 2002 at 08:32:26PM +0100
References: <3C34836E.4090203@db.com> <20020103172818.A15928@faui02> <20020104091526.B1025@foo.birdnet.se> <20020104093229.B20222@wdr.com> <20020104184505.H9973@zax.half.pint-stowp.cx> <20020105113623.A19062@folly> <20020204193226.GA19980@faui02>
Message-ID: <20020204150449.L27398@sm2p1386swk.wdr.com>

Woa!

What's up with this? Why a server-side patch? I thought we'd all agreed
that this needs to be a client-side decision. After all, the client
knows when the session exits and can choose what to do.

I just posted a function which has code to force a channel closed. That
has to be possible in order to provide some of the hang-on-exit options
that have been discussed here. I used chan_read_failed() and
chan_write_failed() and channel_close_fds(). I see that you're using
chan_read_failed() here, so, can I conclude that that is the right
approach to forcing channel closures?

Nico

On Mon, Feb 04, 2002 at 08:32:26PM +0100, Markus Friedl wrote:
> untested, as i don't have access to a system that
> shows the hang-on-exit problem.
>
> Index: servconf.c > =================================================================== > RCS file: /cvs/openssh_cvs/servconf.c,v > retrieving revision 1.74 > diff -u -r1.74 servconf.c > --- servconf.c 22 Jan 2002 12:35:12 -0000 1.74 > +++ servconf.c 4 Feb 2002 15:46:05 -0000 > @@ -91,6 +91,7 @@ > options->permit_empty_passwd = -1; > options->use_login = -1; > options->allow_tcp_forwarding = -1; > + options->allow_data_loss_on_pty = -1; > options->num_allow_users = 0; > options->num_deny_users = 0; > options->num_allow_groups = 0;
> @@ -209,6 +210,8 @@ > options->use_login = 0; > if (options->allow_tcp_forwarding == -1) > options->allow_tcp_forwarding = 1; > + if (options->allow_data_loss_on_pty == -1) > + options->allow_data_loss_on_pty = 0; > if (options->gateway_ports == -1) > options->gateway_ports = 0; > if (options->max_startups == -1) > @@ -257,7 +260,7 @@ > sPrintMotd, sPrintLastLog, sIgnoreRhosts, > sX11Forwarding, sX11DisplayOffset, > sStrictModes, sEmptyPasswd, sKeepAlives, > - sUseLogin, sAllowTcpForwarding, > + sUseLogin, sAllowTcpForwarding, sAllowDataLossOnPty > sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, > sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, > sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, > @@ -321,6 +324,7 @@ > { "uselogin", sUseLogin }, > { "keepalive", sKeepAlives }, > { "allowtcpforwarding", sAllowTcpForwarding }, > + { "allowdatalossonpty", sAllowDataLossOnPty }, > { "allowusers", sAllowUsers }, > { "denyusers", sDenyUsers }, > { "allowgroups", sAllowGroups }, > @@ -707,6 +711,10 @@ > > case sAllowTcpForwarding: > intptr = &options->allow_tcp_forwarding; > + goto parse_flag; > + > + case sAllowDataLossOnPty: > + intptr = &options->allow_data_loss_on_pty; > goto parse_flag; > > case sAllowUsers: > Index: servconf.h > =================================================================== > RCS file: /cvs/openssh_cvs/servconf.h,v > retrieving revision 1.42 > diff -u -r1.42 servconf.h > --- servconf.h 21 Dec 2001 03:45:49 -0000 1.42 > +++ servconf.h 4 Feb 2002 15:46:05 -0000 
> @@ -98,6 +98,7 @@ > * passwords. */ > int use_login; /* If true, login(1) is used */ > int allow_tcp_forwarding; > + int allow_data_loss_on_pty; > u_int num_allow_users; > char *allow_users[MAX_ALLOW_USERS]; > u_int num_deny_users; > Index: serverloop.c > =================================================================== > RCS file: /cvs/openssh_cvs/serverloop.c,v > retrieving revision 1.94 > diff -u -r1.94 serverloop.c > --- serverloop.c 22 Jan 2002 12:29:23 -0000 1.94 > +++ serverloop.c 4 Feb 2002 15:46:06 -0000 > @@ -391,6 +391,11 @@ > buffer_append(&stderr_buffer, buf, len); > } > } > + if (child_terminated && options.allow_data_loss_on_pty == 1 && > + fderr == -1 && !fdout_eof) { > + close(fdout); > + fdout_eof = 1; > + } > } > > /* > Index: session.c > =================================================================== > RCS file: /cvs/openssh_cvs/session.c,v > retrieving revision 1.166 > diff -u -r1.166 session.c > --- session.c 22 Jan 2002 12:16:34 -0000 1.166 > +++ session.c 4 Feb 2002 15:46:06 -0000 
> @@ -1892,6 +1892,9 @@ > */ > if (c->ostate != CHAN_OUTPUT_CLOSED) > chan_write_failed(c); > + if (s->ttyfd != -1 && c->istate == CHAN_INPUT_OPEN && > + options.allow_data_loss_on_pty == 1) > + chan_read_failed(c); > s->chanid = -1; > }
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From markus at openbsd.org Tue Feb 5 07:14:18 2002
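Review bot: the servconf.c enum hunk (`@@ -257,7 +260,7 @@`) drops the trailing comma: `+ sUseLogin, sAllowTcpForwarding, sAllowDataLossOnPty` is immediately followed by the unchanged `sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,` line, so the enumerator list no longer parses and servconf.c will not compile; the added line needs to end with `sAllowDataLossOnPty,`. Since the author notes the patch is untested, a plain compile on any host would have caught this before the next round.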
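Review bot: the keyword-table hunk (`@@ -321,6 +324,7 @@`) adds `allowdatalossonpty` to the sshd_config vocabulary, but the patch touches no documentation: sshd_config.5 and the sample sshd_config should describe the keyword, say that it only has an effect when a pty was allocated for the session, and state the default of 0 (current behaviour) that the `@@ -209,6 +210,8 @@` hunk sets.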
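Review bot: the serverloop.c hunk (`@@ -391,6 +391,11 @@`) closes fdout but leaves the variable holding the now-closed descriptor number; the rest of this patch uses `!= -1` as the open test (`s->ttyfd != -1`, `fderr == -1`), so any later code following that idiom would close or select on a number the kernel may already have handed to another open. Suggest `close(fdout); fdout = -1; fdout_eof = 1;`. A one-line comment that `fderr == -1` is the marker for "a pty is in use" would also help, since the option name says pty but the condition does not.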
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 4 Feb 2002 21:14:18 +0100
Subject: hang on exit
In-Reply-To: <20020204150449.L27398@sm2p1386swk.wdr.com>
References: <3C34836E.4090203@db.com> <20020103172818.A15928@faui02> <20020104091526.B1025@foo.birdnet.se> <20020104093229.B20222@wdr.com> <20020104184505.H9973@zax.half.pint-stowp.cx> <20020105113623.A19062@folly> <20020204193226.GA19980@faui02> <20020204150449.L27398@sm2p1386swk.wdr.com>
Message-ID: <20020204201418.GC20263@faui02>

On Mon, Feb 04, 2002 at 03:04:51PM -0500, Nicolas Williams wrote:
> What's up with this? Why a server-side patch? I thought we'd all agreed
> that this needs to be a client-side decision.

because
a) people expect telnet-like behaviour,
b) it needs to work with existing installations and
c) the patch is simple.

btw, what about trimming quotes? more than 5 lines are usually not
needed (can the listserver trim postings?), and this list is already
hard to read.

From bugzilla-daemon at mindrot.org Tue Feb 5 07:43:55 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 5 Feb 2002 07:43:55 +1100 (EST)
Subject: [Bug 94] Userdefineable identification string
Message-ID: <20020204204355.E9504EA0A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From markus at openbsd.org 2002-02-05 07:43 -------
i don't understand how moving compat.c would simplify the code or
simplify handling. i prefer each version of openssh have a fixed and
defined behaviour.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Nicolas.Williams at ubsw.com Tue Feb 5 07:40:16 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Mon, 4 Feb 2002 15:40:16 -0500
Subject: hang on exit
In-Reply-To: <20020204201418.GC20263@faui02>; from markus@openbsd.org on Mon, Feb 04, 2002 at 09:14:18PM +0100
References: <3C34836E.4090203@db.com> <20020103172818.A15928@faui02> <20020104091526.B1025@foo.birdnet.se> <20020104093229.B20222@wdr.com> <20020104184505.H9973@zax.half.pint-stowp.cx> <20020105113623.A19062@folly> <20020204193226.GA19980@faui02> <20020204150449.L27398@sm2p1386swk.wdr.com> <20020204201418.GC20263@faui02>
Message-ID: <20020204154015.M27398@sm2p1386swk.wdr.com>

On Mon, Feb 04, 2002 at 09:14:18PM +0100, Markus Friedl wrote:
> On Mon, Feb 04, 2002 at 03:04:51PM -0500, Nicolas Williams wrote:
> > What's up with this? Why a server-side patch? I thought we'd all agreed
> > that this needs to be a client-side decision.
>
> because
> a) people expect telnet-like behaviour,
> b) it needs to work with existing installations and

Is this what other SSH implementations do? Or do they handle this on the
client side? If most SSH impl do this on the server side then I think
you're right that the expectation is that so should OpenSSH, ugly though
that is.

> c) the patch is simple.

What about my other question, about the API for forcing channel closures?

Nico

From bugzilla-daemon at mindrot.org Tue Feb 5 08:02:06 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 5 Feb 2002 08:02:06 +1100 (EST)
Subject: [Bug 95] Allow '%' expansion to work in ssh and ssh-add
Message-ID: <20020204210206.7BF4CEA19@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=95

------- Additional Comments From markus at openbsd.org 2002-02-05 08:02 -------
you leak memory every time you call expand_filename().

so the patch expands ~ first and then % ?
hm, shouldn't there be only just _one_ interface.

From markus at openbsd.org Tue Feb 5 08:09:42 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 4 Feb 2002 22:09:42 +0100
Subject: forkoff()
In-Reply-To: <20020204150017.K27398@sm2p1386swk.wdr.com>
References: <20020204150017.K27398@sm2p1386swk.wdr.com>
Message-ID: <20020204210941.GA23124@faui02>

On Mon, Feb 04, 2002 at 03:00:19PM -0500, Nicolas Williams wrote:
> Please review the function below, forkoff(), meant to be used in
> clientloop.c instead of daemon() and the code in process_escapes().
>
> The intention is to make ~D (like ~& but also detach) possible and to
> make it possible for ssh -f (or ssh -f -f - see other thread on this)
> to detach, not just forkoff().
>
> I also intend to use the same detach technique in a feature patch for
> the hang-on-exit behaviour that's been hashed to death. I.e., I might
> like to add an option to control ssh's behaviour when the remote session
> exits, the behaviours being: wait for the channel to be closed [current,
> default], close all channels and exit, background, detach and force
> exit.
>
> To make detaching and some of the hang-on-exit options work correctly I
> need a way to force a channel closed and to do it in a way that is
> correct wrt the SSHv2 protocol. The forkoff() function below does
> that, I think, but it would be nice to have confirmation.
>
> Comments?
>
> Nico
>
> static
> void
> forkoff(int stop_listening, int detach)
> {
> 	pid_t pid;
> 	int fd;
> 	Channel *c;
>
> 	/* Restore tty modes. */
> 	leave_raw_mode();
>
> 	/* Stop listening for new connections. */
> 	if (stop_listening)
> 		channel_stop_listening();
>
> 	fprintf(stderr, "Forking off into the background - %s",
> 	    stop_listening ? "no longer listening" : "still listening");
>
> 	/* Fork into background. */
> 	pid = fork();
> 	if (pid < 0) {
> 		error("fork: %.100s", strerror(errno));
> 		return;
> 	}
> 	if (pid != 0) {	/* This is the parent. */
> 		/* The parent just exits. */
> 		exit(0);
> 	}
>
> 	c = channel_lookup(session_ident);
  ^^ there is no channel for ssh1

in ssh1 login sessions are different from, say, tcp-fwded channels.

> 	if (c == NULL)
> 		error("couldn't lookup session channel");
>
> 	/* The child continues serving connections. */
> 	/* fake EOF on stdin */
> 	if (compat20) {
> 		buffer_append(&stdin_buffer, "\004", 1);

i don't like the \004 magic in the current code.

> 	} else if (!stdin_eof) {
> 		/*
> 		 * Sending SSH_CMSG_EOF alone does not always appear
> 		 * to be enough.  So we try to send an EOF character
> 		 * first.
> 		 */
> 		packet_start(SSH_CMSG_STDIN_DATA);
> 		packet_put_string("\004", 1);
> 		packet_send();
> 		/* Close stdin. */
> 		stdin_eof = 1;
> 		if (buffer_len(&stdin_buffer) == 0) {
> 			packet_start(SSH_CMSG_EOF);
> 			packet_send();
> 		}
> 	}
>
> 	if (detach) {
> 		/*
> 		 * There should be a chan_wont_read()/chan_wont_write()
> 		 * API, differing only in the debug messages used.
> 		 */
> 		chan_read_failed(c);
> 		chan_write_failed(c);
  ^^^ you cannot call chan_xxx_failed for every channel state,
please check nchan2.ms

> 		channel_close_fds(c);

you still want to keep the channel? why?

> 		fd = open(_PATH_DEVNULL, O_RDWR, 0);
> 		if (fd < 0)
> 			return;
> 		(void) dup2(fd, STDIN_FILENO);
> 		(void) dup2(fd, STDOUT_FILENO);
> 		(void) dup2(fd, STDERR_FILENO);
> 		if (fd > 2)
> 			(void) close(fd);
> 		(void) setsid();
> 	}

i'm not sure this works like expected.

From michael at bizsystems.com Tue Feb 5 08:24:28 2002
From: michael at bizsystems.com (Michael Robinton)
Date: Mon, 4 Feb 2002 13:24:28 -0800 (PST)
Subject: hang on exit
Message-ID:

> Woa!
>
> What's up with this? Why a server-side patch? I thought we'd all
> agreed that this needs to be a client-side decision. After all, the
> client knows when the session exits and can choose what to do.
>
It is the server side that is making the (bad -- my opinion) decision
about when to disconnect and thus what needs to be tweaked. I've
offered an available linux box to Markus to mess around with.

Michael

From dan at doxpara.com Tue Feb 5 08:38:56 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Mon, 4 Feb 2002 13:38:56 -0800
Subject: hang on exit
References: <3C34836E.4090203@db.com> <20020103172818.A15928@faui02> <20020104091526.B1025@foo.birdnet.se> <20020104093229.B20222@wdr.com> <20020104184505.H9973@zax.half.pint-stowp.cx> <20020105113623.A19062@folly> <20020204193226.GA19980@faui02> <20020204150449.L27398@sm2p1386swk.wdr.com>
Message-ID: <038a01c1adc4$59713070$8201000a@effugas>

> What's up with this? Why a server-side patch? I thought we'd all agreed
> that this needs to be a client-side decision. After all, the client
> knows when the session exits and can choose what to do.

Server hosts zombie processes -- I don't *want* to trust clients to not
break my servers...do ya?

--Dan

From Nicolas.Williams at ubsw.com Tue Feb 5 08:35:45 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Mon, 4 Feb 2002 16:35:45 -0500
Subject: forkoff()
In-Reply-To: <20020204210941.GA23124@faui02>; from markus@openbsd.org on Mon, Feb 04, 2002 at 10:09:42PM +0100
References: <20020204150017.K27398@sm2p1386swk.wdr.com> <20020204210941.GA23124@faui02>
Message-ID: <20020204163544.N27398@sm2p1386swk.wdr.com>

On Mon, Feb 04, 2002 at 10:09:42PM +0100, Markus Friedl wrote:
> On Mon, Feb 04, 2002 at 03:00:19PM -0500, Nicolas Williams wrote:
> ^^ there is no channel for ssh1
> in ssh1 login sessions are different from, say, tcp-fwded channels.

Ok, I'll make this just background and not detach for ssh1.

> i don't like the \004 magic in the current code.

Yeah, I just copied it. I didn't get why it was there. I'll not use it.

> > 		chan_read_failed(c);
> > 		chan_write_failed(c);
> ^^^ you cannot call chan_xxx_failed for every channel state,

I see that. I can easily add a check. In any case, a chan_wont_read() /
chan_wont_write() API could work like chan_*_failed() but not call
error() if the channel is not in an appropriate state. And a
chan_wont_*() API would produce appropriate debug messages.

> please check nchan2.ms

How can I view that on Solaris? Groff comes close to producing the right
PS output, but no cigar.

> > 		channel_close_fds(c);
>
> you still want to keep the channel? why?

No, I don't. Why does forkoff() calling channel_close_fds(c) make you
think I want to keep the channel? In any case, channel_close_fds(c)
closes the dups of the stdio fildes here, which is something I need done
in order to properly detach.

> > 		fd = open(_PATH_DEVNULL, O_RDWR, 0);
...
> > 		(void) setsid();
>
> i'm not sure this works like expected.

What? The open(devnull)/dup2()/setsid() bits? Why wouldn't it? It sure
does in my testing.

Thanks,

Nico

From Nicolas.Williams at ubsw.com Tue Feb 5 08:36:52 2002
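The open(/dev/null)/dup2()/setsid() sequence that the exchange above questions, as an added example; this is not code from the thread or from OpenSSH. It runs the child-side steps of forkoff() in a forked child and lets the parent check each one, and it also shows the one ordering that does not work: setsid() made by a process that is already a process-group leader (which a foreground job started from an interactive shell is) fails with EPERM, which is why the call belongs in the child after fork(). It assumes a POSIX system with /dev/null; /dev/tty may be absent in a sandbox, so that probe is reported but not relied on.

```c
/* Added example, not from the patch or from OpenSSH: forkoff()'s detach
 * steps as probes a parent can check. Assumes POSIX and /dev/null. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define DETACH_SETSID_OK   1
#define DETACH_STDIO_NULL  2
#define DETACH_NO_CTTY     4

/* dup2() one /dev/null descriptor onto every fd in fds[], as forkoff() does. */
int point_fds_at_devnull(const int *fds, size_t n)
{
	int fd = open("/dev/null", O_RDWR), keep = 0;
	size_t i;

	if (fd < 0)
		return -1;
	for (i = 0; i < n; i++) {
		if (fds[i] == fd)
			keep = 1;	/* open() already landed on a target fd */
		else if (dup2(fd, fds[i]) < 0) {
			int e = errno;
			close(fd);
			errno = e;
			return -1;
		}
	}
	if (!keep)
		close(fd);
	return 0;
}

/* True when fd refers to the /dev/null device node. */
int fd_is_devnull(int fd)
{
	struct stat a, b;

	if (fstat(fd, &a) < 0 || stat("/dev/null", &b) < 0)
		return 0;
	return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Run probe() in a child; return its exit status, or -1 if it did not exit. */
static int run_in_child(int (*probe)(void))
{
	pid_t pid = fork();
	int st;

	if (pid < 0)
		return -1;
	if (pid == 0)
		_exit(probe());
	if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
		return -1;
	return WEXITSTATUS(st);
}

/* The forkoff() child: new session, stdio on /dev/null, no controlling tty. */
static int detach_steps(void)
{
	int stdio[3] = { STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO };
	int r = 0, tty;

	/* A fresh fork() child is never a process-group leader, so this works. */
	if (setsid() != (pid_t)-1)
		r |= DETACH_SETSID_OK;
	if (point_fds_at_devnull(stdio, 3) == 0 && fd_is_devnull(STDIN_FILENO) &&
	    fd_is_devnull(STDOUT_FILENO) && fd_is_devnull(STDERR_FILENO))
		r |= DETACH_STDIO_NULL;
	/* With no controlling terminal, opening /dev/tty must fail. */
	tty = open("/dev/tty", O_RDWR | O_NOCTTY);
	if (tty < 0)
		r |= DETACH_NO_CTTY;
	else
		close(tty);
	return r;
}

/* The same call from a process-group leader: refused with EPERM. Returns 1
 * when EPERM was observed, 2 if the probe could not even become a leader. */
static int setsid_as_group_leader(void)
{
	if (setpgid(0, 0) != 0)
		return 2;
	return (setsid() == (pid_t)-1 && errno == EPERM) ? 1 : 0;
}

int detach_probe(void) { return run_in_child(detach_steps); }
int leader_probe(void) { return run_in_child(setsid_as_group_leader); }

int main(void)
{
	int r = detach_probe();

	printf("child: setsid=%d stdio->/dev/null=%d no-ctty=%d\n",
	    !!(r & DETACH_SETSID_OK), !!(r & DETACH_STDIO_NULL),
	    !!(r & DETACH_NO_CTTY));
	printf("setsid() as group leader: %s\n",
	    leader_probe() == 1 ? "EPERM, as expected" : "unexpected");
	return 0;
}
```

The probes exit with a bitmask rather than printing, because after the dup2() calls the child's stdout is /dev/null and nothing it prints would be seen; that is also why forkoff() writes its "Forking off" message before it forks.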
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Mon, 4 Feb 2002 16:36:52 -0500
Subject: hang on exit
In-Reply-To: <038a01c1adc4$59713070$8201000a@effugas>; from dan@doxpara.com on Mon, Feb 04, 2002 at 01:38:56PM -0800
References: <3C34836E.4090203@db.com> <20020103172818.A15928@faui02> <20020104091526.B1025@foo.birdnet.se> <20020104093229.B20222@wdr.com> <20020104184505.H9973@zax.half.pint-stowp.cx> <20020105113623.A19062@folly> <20020204193226.GA19980@faui02> <20020204150449.L27398@sm2p1386swk.wdr.com> <038a01c1adc4$59713070$8201000a@effugas>
Message-ID: <20020204163650.O27398@sm2p1386swk.wdr.com>

On Mon, Feb 04, 2002 at 01:38:56PM -0800, Dan Kaminsky wrote:
> > What's up with this? Why a server-side patch? I thought we'd all agreed
> > that this needs to be a client-side decision. After all, the client
> > knows when the session exits and can choose what to do.
>
> Server hosts zombie processes -- I don't *want* to trust clients to not
> break my servers...do ya?

But that still remains possible when not using a PTY.

*shrug*

> --Dan
>

Nico

From bugzilla-daemon at mindrot.org Tue Feb 5 11:02:43 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 5 Feb 2002 11:02:43 +1100 (EST)
Subject: [Bug 94] Userdefineable identification string
Message-ID: <20020205000243.C8863E956@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=94

------- Additional Comments From djm at mindrot.org 2002-02-05 11:02 -------
This patch adds obscurity at best, it doesn't help security at all. In
fact, it encourages people not to upgrade their vulnerable servers.

The attackers won't care about a faked version - they'll just try their
exploits regardless (in fact weird protocol ident strings would make me
more interested).

On top of this, it ruins any chance of being able to interop should we
find protocol bugs or if the wire spec changes again.

Making the compat stuff runtime may be a good idea for other reasons, but
not to support silly hacks like this.

From openssh-unix-dev at progressive-comp.com Tue Feb 5 12:10:37 2002
From: openssh-unix-dev at progressive-comp.com (Hank Leininger)
Date: Mon, 4 Feb 2002 20:10:37 -0500
Subject: disabling the authentication agent?
Message-ID: <200202050110.UAA23970@mailer.progressive-comp.com>

On 2002-02-03, "Robert Mooney" wrote:

> If I log in to host1 from workstation w/ password auth, and
> I log in to host2 from workstation w/ DSA public key auth, and

...Using ssh-agent on workstation for this connection?

> I try to ssh from host1 to host2, host2 allows me to login w/o a
> password.
> Why?

Perhaps because you have agent-forwarding turned on when ssh'ing from
workstation to host1? Even though you are logging in to host1 w/a
password, that ssh session has access to your agent. Test this by doing
an 'ssh-add -l' on host1 after logging in to it.

If this is it, adding 'AgentForwarding no' to $etc/ssh_config or
~/.ssh/config (either for all hosts, or just for host1) and it should
stop. IIRC that is the default nowadays though, so perhaps this is not
the problem...

> Is there any way to disable the authentication agent in the server
> config?

You mean in host1's sshd_config file, correct? I do not believe so.
There is arguably room for an sshd_config option for this (after all
there's options to control other kinds of forwarding), but it's not
something one usually sees unless one is using pubkey auth in the first
place, which you are not when you log into host1.

To be clear: it's the intermediate host for which such a setting
matters. There is no way for a destination host to tell the difference
between an agent-forwarded pubkey auth and a direct pubkey auth,
provided the host the connection comes from is permitted by any from=""
entry in the authorized_keys file. This is unfortunate.

-- 
Hank Leininger

From bugzilla-daemon at mindrot.org Tue Feb 5 18:46:24 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 5 Feb 2002 18:46:24 +1100 (EST)
Subject: [Bug 104] New: [WISHLIST] sftpfs?
Message-ID: <20020205074624.C2420E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=104

           Summary: [WISHLIST] sftpfs?
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: sftp
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: rainman at owlnet.rice.edu
                CC: rainman at owlnet.rice.edu

Would it be possible to look into the creation of a filesystem based on
the sftp client/server?

1) For paranoid networks where portblocking is enabled on everything but
http, sftp, and ssh, it would be ideal for sharing files.

2) For those wishing to create a simple means of VPN, an sftpfs would
provide an ideal secure p2p file sharing method.

3) Samba was able to create a filesystem on top of a client/server
architecture, so the concept doesn't seem too unreasonable.

Any comments?

-jag

From markus at openbsd.org Tue Feb 5 19:38:35 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 5 Feb 2002 09:38:35 +0100
Subject: hang on exit
In-Reply-To: <20020204163650.O27398@sm2p1386swk.wdr.com>
References: <3C34836E.4090203@db.com> <20020103172818.A15928@faui02> <20020104091526.B1025@foo.birdnet.se> <20020104093229.B20222@wdr.com> <20020104184505.H9973@zax.half.pint-stowp.cx> <20020105113623.A19062@folly> <20020204193226.GA19980@faui02> <20020204150449.L27398@sm2p1386swk.wdr.com> <038a01c1adc4$59713070$8201000a@effugas> <20020204163650.O27398@sm2p1386swk.wdr.com>
Message-ID: <20020205083835.GA25255@faui02>

On Mon, Feb 04, 2002 at 04:36:52PM -0500, Nicolas Williams wrote:
> On Mon, Feb 04, 2002 at 01:38:56PM -0800, Dan Kaminsky wrote:
> > > What's up with this? Why a server-side patch? I thought we'd all agreed
> > > that this needs to be a client-side decision. After all, the client
> > > knows when the session exits and can choose what to do.
> >
> > Server hosts zombie processes -- I don't *want* to trust clients to not
> > break my servers...do ya?
>
> But that still remains possible when not using a PTY.

w/o a pty this matches rsh.

From Nicolas.Williams at ubsw.com Wed Feb 6 02:15:34 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Tue, 5 Feb 2002 10:15:34 -0500
Subject: forkoff()
In-Reply-To: <20020204163544.N27398@sm2p1386swk.wdr.com>; from Nicolas.Williams@ubsw.com on Mon, Feb 04, 2002 at 04:35:45PM -0500
References: <20020204150017.K27398@sm2p1386swk.wdr.com> <20020204210941.GA23124@faui02> <20020204163544.N27398@sm2p1386swk.wdr.com>
Message-ID: <20020205101532.P27398@sm2p1386swk.wdr.com>

On Mon, Feb 04, 2002 at 04:35:45PM -0500, Nicolas Williams wrote:

Will a chan_wont_read()/chan_wont_write() API be welcome?

> > please check nchan2.ms
>
> How can I view that on Solaris? Groff comes close to producing the right
> PS output, but no cigar.

I got it. It's "gpic nchan2.ms|groff -ms -Tps|lp ..."

I'll write a Makefile.in target for it and submit a patch...

Cheers,

Nico

From stevensl at corp.earthlink.net Wed Feb 6 03:03:05 2002
From: stevensl at corp.earthlink.net (Steven S)
Date: Tue, 5 Feb 2002 11:03:05 -0500 (EST)
Subject: Openssh 2.9.x + Pam_Linux
Message-ID: <20020205105407.O79145-100000@johngalt.ems.mindspring.net>

I noticed a bit of odd behavior with openssh + pam_linux a while back.
I do not know if anyone else has seen this since there are a few hoops
that have to be jumped through.

Background:
RedHat 6.2 (heavily customized) running on intel box.
Running pam-0.72-20.6.x + Openssh-2.9.9p2-1 (both redhat)

Problem:
Set a user account to expire as of yesterday (via shadow entry)
Set the users account to allow login after it expires.
On login user is prompted that the password has expired and to please
change it. Password field echoes the entered password across!

for example it looks like this

(me at mybox) $ ssh me at anotherbox
me at anotherbox's password:
Your password has expired; please change it!
Warning: Your password has expired, please change it now
Changing password for me
(current) UNIX password: test.1234
New UNIX password: test.1234
Password unchanged
Connection to anotherbox closed by remote host.
Connection to anotherbox closed.

TCP dumps show it's indeed coming across the session encrypted but
something is spitting out plaintext. The Linux-Pam list suggested I
mention it here to see if anyone else has seen it. The /etc/pam.d/sshd
entry is identical to other login methods but they do not exhibit this
behaviour.

Any thoughts?

From Nicolas.Williams at ubsw.com Wed Feb 6 03:26:08 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Tue, 5 Feb 2002 11:26:08 -0500
Subject: New forkoff() and chan_wont_read/write() API
Message-ID: <20020205112606.Q27398@sm2p1386swk.wdr.com>

Markus,

How's this patch?

 - a chan_wont_read()/chan_wont_write() API is added that is very much
   like chan_read_failed()/chan_write_failed(), but for the debug
   messages and chan_wont_*() don't ever call error()

   The 3.0.2p1 channel_pre_x11_open() uses chan_*_failed() but looks
   like it ought to use chan_wont_*() instead :)

 - forkoff() no longer fakes EOF for SSHv2 (still does for SSHv1 -
   dunno what to do there)

 - the session channel lookup, chan_wont_*(), chan_close_fds(), detach
   bit is only done for SSHv2

Nico

-------------- next part --------------
Index: 3_0_2p1.1/nchan.c --- 3_0_2p1.1/nchan.c Wed, 21 Nov 2001 10:38:46 -0500 jd (OpenSSH/i/40_nchan.c 1.1.1.1 644) +++ 3_0_2p1_w_gssk5_ubsw_experimental.6/nchan.c Tue, 05 Feb 2002 11:25:25 -0500 willian (OpenSSH/i/40_nchan.c 1.1.1.4 644) @@ -66,10 +66,12 @@ /* events concerning the INPUT from socket for channel (istate) */ chan_event_fn *chan_rcvd_oclose = NULL; chan_event_fn *chan_read_failed = NULL; +chan_event_fn *chan_wont_read = NULL; chan_event_fn *chan_ibuf_empty = NULL; /* events concerning the OUTPUT from channel for socket (ostate) */ chan_event_fn *chan_rcvd_ieof = NULL; chan_event_fn *chan_write_failed = NULL; +chan_event_fn *chan_wont_write = NULL; chan_event_fn *chan_obuf_empty = NULL; /* * ACTIONS: should never update the channel states
@@ -137,6 +139,28 @@ } } static void +chan_wont_read_12(Channel *c) +{ + debug("channel %d: wont read", c->self); + switch (c->istate) { + case CHAN_INPUT_OPEN: + debug("channel %d: input open -> drain", c->self); + chan_shutdown_read(c); + c->istate = CHAN_INPUT_WAIT_DRAIN; +#if 0 + if (buffer_len(&c->input) == 0) { + debug("channel %d: input: no drain shortcut", c->self); + chan_ibuf_empty(c); + } +#endif + break; + default: + debug("channel %d: chan_wont_read for istate %d", + c->self, c->istate); + break; + } +} +static void chan_ibuf_empty1(Channel *c) { debug("channel %d: ibuf empty", c->self); @@ -221,6 +245,27 @@ } } static void +chan_wont_write1(Channel *c) +{ + debug("channel %d: wont write", c->self); + switch (c->ostate) { + case CHAN_OUTPUT_OPEN: + debug("channel %d: output open -> wait_ieof", c->self); + chan_send_oclose1(c); + c->ostate = CHAN_OUTPUT_WAIT_IEOF; + break; + case CHAN_OUTPUT_WAIT_DRAIN: + debug("channel %d: output wait_drain -> closed", c->self); + chan_send_oclose1(c); + c->ostate = CHAN_OUTPUT_CLOSED; + break; + default: + debug("channel %d: chan_wont_write for ostate %d", + c->self, c->ostate); + break; + } +} +static void chan_obuf_empty1(Channel *c) { debug("channel %d: obuf empty", c->self); @@ -369,6 +414,27 @@ } } static void +chan_wont_write2(Channel *c) +{ + debug("channel %d: wont write", c->self); + switch (c->ostate) { + case CHAN_OUTPUT_OPEN: + debug("channel %d: output open -> closed", c->self); + chan_shutdown_write(c); /* ?? */ + c->ostate = CHAN_OUTPUT_CLOSED; + break; + case CHAN_OUTPUT_WAIT_DRAIN: + debug("channel %d: output drain -> closed", c->self); + chan_shutdown_write(c); + c->ostate = CHAN_OUTPUT_CLOSED; + break; + default: + debug("channel %d: chan_wont_write for ostate %d", + c->self, c->ostate); + break; + } +} +static void chan_obuf_empty2(Channel *c) { debug("channel %d: obuf empty", c->self); 
@@ -496,18 +562,22 @@ if (compat20) { chan_rcvd_oclose = chan_rcvd_oclose2; chan_read_failed = chan_read_failed_12; + chan_wont_read = chan_wont_read_12; chan_ibuf_empty = chan_ibuf_empty2; chan_rcvd_ieof = chan_rcvd_ieof2; chan_write_failed = chan_write_failed2; + chan_wont_write = chan_wont_write2; chan_obuf_empty = chan_obuf_empty2; } else { chan_rcvd_oclose = chan_rcvd_oclose1; chan_read_failed = chan_read_failed_12; + chan_wont_read = chan_wont_read_12; chan_ibuf_empty = chan_ibuf_empty1; chan_rcvd_ieof = chan_rcvd_ieof1; chan_write_failed = chan_write_failed1; + chan_wont_write = chan_wont_write2; chan_obuf_empty = chan_obuf_empty1; } } Index: 3_0_2p1.1/clientloop.c --- 3_0_2p1.1/clientloop.c Wed, 21 Nov 2001 10:38:46 -0500 jd (OpenSSH/j/41_clientloop 1.1.2.1 644) +++ 3_0_2p1_w_gssk5_ubsw_experimental.6/clientloop.c Tue, 05 Feb 2002 11:16:16 -0500 willian (OpenSSH/j/41_clientloop 1.1.2.7 644) 
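Review bot: the nchan.c hunk at @@ -496 installs chan_wont_write = chan_wont_write2 in the non-compat20 (SSH1) branch, while every other ostate handler in that branch is the *1 variant and the chan_wont_write1 added at @@ -221 is otherwise never used. This looks like a copy-and-paste slip: on a protocol 1 channel the 2 variant calls chan_shutdown_write() instead of chan_send_oclose1(), so the peer never receives the output-close that chan_wont_write1 sends. Change that line to chan_wont_write = chan_wont_write1;.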
@@ -1007,6 +1051,81 @@ /*********/ +/* + * Detach the program (continue to serve connections, + * but put in background and no more new connections). + */ +static +void +forkoff(int stop_listening, int detach) +{ + pid_t pid; + int fd; + Channel *c; + + /* Restore tty modes. */ + leave_raw_mode(); + + /* Stop listening for new connections. */ + if (stop_listening) + channel_stop_listening(); + + fprintf(stderr, "Forking off into the background - %s, %s", + stop_listening ? "no longer listening" : "still listening", + detach ? "detaching" : "not detaching"); + + /* Fork into background. */ + pid = fork(); + if (pid < 0) { + error("fork: %.100s", strerror(errno)); + return; + } + if (pid != 0) { /* This is the parent. */ + /* The parent just exits. */ + exit(0); + } + + /* fake EOF on stdin for SSHv1 */ + if (!compat20 && !stdin_eof) { + /* + * Sending SSH_CMSG_EOF alone does not always appear + * to be enough. So we try to send an EOF character + * first. + */ + packet_start(SSH_CMSG_STDIN_DATA); + packet_put_string("\004", 1); + packet_send(); + /* Close stdin. */ + stdin_eof = 1; + if (buffer_len(&stdin_buffer) == 0) { + packet_start(SSH_CMSG_EOF); + packet_send(); + } + } + + if (!compat20) + return; + + c = channel_lookup(session_ident); + if (c == NULL) + error("couldn't lookup session channel"); + + if (detach) { + chan_wont_read(c); + chan_wont_write(c); + channel_close_fds(c); + fd = open(_PATH_DEVNULL, O_RDWR, 0); + if (fd < 0) + return; + (void) dup2(fd, STDIN_FILENO); + (void) dup2(fd, STDOUT_FILENO); + (void) dup2(fd, STDERR_FILENO); + if (fd > 2) + (void) close(fd); + (void) setsid(); + } +} + static void client_input_stdout_data(int type, int plen, void *ctxt) { Index: 3_0_2p1.1/channels.h --- 3_0_2p1.1/channels.h Wed, 21 Nov 2001 10:38:46 -0500 jd (OpenSSH/j/46_channels.h 1.2.1.1 644) +++ 3_0_2p1_w_gssk5_ubsw_experimental.6/channels.h Tue, 05 Feb 2002 11:04:53 -0500 willian (OpenSSH/j/46_channels.h 1.2.1.3 644) 
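Review bot: in forkoff() (the clientloop.c hunk), c = channel_lookup(session_ident) is only reported with error() when it returns NULL and execution then falls into the detach branch, which passes c to chan_wont_read(c) and chan_wont_write(c); those dereference c->self and c->istate, so a missing session channel is a NULL dereference. Make it `return;` (or skip the detach block) when c == NULL. Two smaller points in the same hunk: the fprintf(stderr, "Forking off into the background - %s, %s", ...) format has no trailing newline, and when open(_PATH_DEVNULL, O_RDWR, 0) fails the function returns after channel_close_fds(c) with stdin/stdout/stderr still attached to the tty, which is the opposite of what detach promised; at least log that failure.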
@@ -153,6 +153,7 @@ void channel_register_filter(int, channel_filter_fn *); void channel_cancel_cleanup(int); int channel_close_fd(int *); +void channel_close_fds(Channel *); /* protocol handler */ @@ -224,11 +225,13 @@ /* for the input state */ extern chan_event_fn *chan_rcvd_oclose; extern chan_event_fn *chan_read_failed; +extern chan_event_fn *chan_wont_read; extern chan_event_fn *chan_ibuf_empty; /* for the output state */ extern chan_event_fn *chan_rcvd_ieof; extern chan_event_fn *chan_write_failed; +extern chan_event_fn *chan_wont_write; extern chan_event_fn *chan_obuf_empty; #endif Index: 3_0_2p1.1/channels.c --- 3_0_2p1.1/channels.c Wed, 21 Nov 2001 10:38:46 -0500 jd (OpenSSH/j/47_channels.c 1.2.2.1 644) +++ 3_0_2p1_w_gssk5_ubsw_experimental.6/channels.c Thu, 17 Jan 2002 14:17:25 -0500 willian (OpenSSH/j/47_channels.c 1.2.2.2 644) 
@@ -301,7 +301,7 @@ /* Close all channel fd/socket. */ -static void +void channel_close_fds(Channel *c) { debug3("channel_close_fds: channel %d: r %d w %d e %d", -------------- next part -------------- Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. From mbabcock at fibrespeed.net Wed Feb 6 03:35:07 2002 
From: mbabcock at fibrespeed.net (Michael T. Babcock) Date: Tue, 5 Feb 2002 11:35:07 -0500 Subject: COPY_SIZE #define Message-ID: <20020205163507.GE26603@godzilla.fibrespeed.net> I noticed the "XXX: what should this be?" w.r.t. COPY_SIZE in sftp-client.c. I made up the following quick patch to allow a new command-line argument, "-B" (for 'buffer' size) to specify this value. I haven't done any strict benchmarking yet, but -B65535 is faster than -B8192 which is much faster than -B16. PS again, I am not on this list, so please CC me any replies. -- Michael T. Babcock CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc) http://www.fibrespeed.net/~mbabcock/ -------------- next part -------------- diff -p -u openssh-3.0.2p1/scp.c openssh-3.0.2p1-mtb1/scp.c --- openssh-3.0.2p1/scp.c Sun Oct 21 20:53:59 2001 +++ openssh-3.0.2p1-mtb1/scp.c Tue Feb 5 11:18:46 2002 @@ -966,7 +966,7 @@ void usage() { (void) fprintf(stderr, - "usage: scp [-pqrvBC46] [-F config] [-S ssh] [-P port] [-c cipher] [-i identity]\n" + "usage: scp [-pqrvBC46] [-B bufsize] [-F config] [-S ssh] [-P port] [-c cipher] [-i identity]\n" " [-o option] f1 f2\n" " or: scp [options] f1 ... fn directory\n"); exit(1); diff -p -u openssh-3.0.2p1/sftp-client.c openssh-3.0.2p1-mtb1/sftp-client.c --- openssh-3.0.2p1/sftp-client.c Wed Jul 18 11:45:45 2001 +++ openssh-3.0.2p1-mtb1/sftp-client.c Tue Feb 5 11:24:12 2002 @@ -44,7 +44,9 @@ RCSID("$OpenBSD: sftp-client.c,v 1.18 20 /* How much data to read/write at at time during copies */ /* XXX: what should this be? */ -#define COPY_SIZE 8192 +/* MTB: get around the issue by using a dynamic value with the same default. */ +/* #define COPY_SIZE 8129 */ +extern unsigned int COPY_SIZE; /* Message ID */ static u_int msg_id = 1; 
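Review bot: the scp.c hunk only edits the usage() string and adds [-B bufsize] to a line that already lists B in [-pqrvBC46], i.e. scp already has a -B option with a different meaning, and nothing in getopt() is changed to accept or forward a size. Drop the scp.c hunk; a buffer size for the sftp backend would need its own pass-through option rather than reusing -B.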
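Review bot: in the sftp-client.c hunk at @@ -44, the replacement for the #define keeps the macro-style name COPY_SIZE for what is now a plain extern unsigned int, and the commented-out define reads 8129 where the original was 8192. Rename the variable (copy_size or sftp_copy_size) so readers do not mistake it for a compile-time constant, delete the stale commented-out #define, and put the extern declaration in a header rather than in the .c file.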
@@ -870,7 +872,11 @@ do_upload(int fd_in, int fd_out, char *l offset = 0; for(;;) { int len; - char data[COPY_SIZE]; + char *data; + + if ((data = malloc(COPY_SIZE)) == NULL) + fatal("Couldn't allocate %ld bytes for data buffer; %s", + (long)COPY_SIZE, strerror(errno)); /* * Can't use atomicio here because it returns 0 on EOF, thus losing diff -p -u openssh-3.0.2p1/sftp.c openssh-3.0.2p1-mtb1/sftp.c --- openssh-3.0.2p1/sftp.c Wed Sep 19 20:57:56 2001 +++ openssh-3.0.2p1-mtb1/sftp.c Tue Feb 5 11:19:25 2002 @@ -48,6 +48,7 @@ char *__progname; char *ssh_program = _PATH_SSH_PROGRAM; FILE* infile; +unsigned int COPY_SIZE=8192; static void connect_to_server(char **args, int *in, int *out, pid_t *sshpid) @@ -95,7 +96,7 @@ usage(void) { fprintf(stderr, "usage: sftp [-1Cv] [-b batchfile] [-F config] [-o option] [-s subsystem|path]\n" - " [-S program] [user@]host[:file [file]]\n"); + " [-B bufsize] [-S program] [user@]host[:file [file]]\n"); exit(1); } @@ -122,8 +123,11 @@ main(int argc, char **argv) ll = SYSLOG_LEVEL_INFO; infile = stdin; /* Read from STDIN unless changed by -b */ - while ((ch = getopt(argc, argv, "1hvCo:s:S:b:F:")) != -1) { + while ((ch = getopt(argc, argv, "1hvCo:s:S:b:F:B:")) != -1) { switch (ch) { + case 'B': + COPY_SIZE = atoi(optarg); + break; case 'C': addargs(&args, "-C"); break; From mbabcock at fibrespeed.net Wed Feb 6 03:36:51 2002 From: mbabcock at fibrespeed.net (Michael T. Babcock) Date: Tue, 5 Feb 2002 11:36:51 -0500 Subject: Patch follow-up Message-ID: <20020205163651.GF26603@godzilla.fibrespeed.net> PS, that patch, as should be obvious when viewed, is against the portable OpenSSH. I do not have any *BSD boxen so I can't test patches against unpatched OpenSSH. -- Michael T. Babcock CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc) http://www.fibrespeed.net/~mbabcock/ From mouring at etoh.eviladmin.org Wed Feb 6 03:11:00 2002 
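Review bot: in the do_upload() hunk at @@ -870, the malloc(COPY_SIZE) now sits inside the for(;;) loop and nothing visible frees data, so every request leaks COPY_SIZE bytes for the duration of the upload. Allocate once before the loop (xmalloc(), which already fatal()s on failure and matches the rest of the file) and free it after the loop; the %ld/(long) cast in the fatal() message then goes away as well.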
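Review bot: in the sftp.c getopt hunk, COPY_SIZE = atoi(optarg) accepts anything: -B0 yields a zero-length buffer, a negative or non-numeric argument becomes a huge or zero value because COPY_SIZE is unsigned, and there is no upper bound on how much data a single read/write request will ask for. Parse with strtol() and reject values outside a sane range (below 1 or above a few hundred KiB) before assigning.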
From: mouring at etoh.eviladmin.org (mouring) Date: Tue, 5 Feb 2002 10:11:00 -0600 (CST) Subject: COPY_SIZE #define In-Reply-To: <20020205163507.GE26603@godzilla.fibrespeed.net> from "Michael T. Babcock" at "Feb 5, 2002 11:35:07 am" Message-ID: <200202051611.g15GB1ns018922@etoh.eviladmin.org> > I noticed the "XXX: what should this be?" w.r.t. COPY_SIZE in > sftp-client.c. I made up the following quick patch to allow a new > command-line argument, "-B" (for 'buffer' size) to specify this value. > > I haven't done any strict benchmarking yet, but -B65535 is faster than > -B8192 which is much faster than -B16. > > PS again, I am not on this list, so please CC me any replies. This feature has been added to the -current tree a week ago and was just pulled into the portable tree a few days ago. - Ben From Nicolas.Williams at ubsw.com Wed Feb 6 06:45:09 2002 
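The -B patch discussed above hands the result of atoi() straight to the allocator. As an added example, not OpenSSH code and not Michael's patch, the C routine below shows how a user-supplied buffer size should be validated before it is used as an allocation size. The bounds COPY_SIZE_MIN/COPY_SIZE_MAX and the optional k/M suffixes are this example's own assumptions; it goes slightly beyond the patch by accepting those suffixes.

```c
/*
 * Added example (not OpenSSH code): validate a user-supplied transfer
 * buffer size before it reaches malloc().  COPY_SIZE_MIN/COPY_SIZE_MAX
 * and the k/M suffix handling are assumptions made for this example.
 */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define COPY_SIZE_MIN 512ULL              /* assumed lower bound (bytes) */
#define COPY_SIZE_MAX (1024ULL * 1024ULL) /* assumed upper bound: 1 MiB */

/*
 * Parse s as a decimal byte count with an optional k/M suffix and store
 * it in *out.  Returns 0 on success, -1 for anything that must not reach
 * an allocator: empty input, sign or whitespace, non-digit garbage,
 * overflow, or a value outside [COPY_SIZE_MIN, COPY_SIZE_MAX].
 */
int
parse_bufsize(const char *s, unsigned int *out)
{
	char *end;
	unsigned long long v, mult = 1;

	/* strtoull() skips whitespace and accepts a '-' (wrapping the
	 * result), so insist that the first character is a digit. */
	if (s == NULL || !isdigit((unsigned char)*s))
		return -1;
	errno = 0;
	v = strtoull(s, &end, 10);
	if (errno == ERANGE)
		return -1;                 /* does not fit in unsigned long long */
	if (*end == 'k' || *end == 'K') {
		mult = 1024ULL;
		end++;
	} else if (*end == 'm' || *end == 'M') {
		mult = 1024ULL * 1024ULL;
		end++;
	}
	if (*end != '\0')
		return -1;                 /* trailing garbage such as "8192x" */
	if (v > COPY_SIZE_MAX / mult)
		return -1;                 /* v * mult would exceed the bound */
	v *= mult;
	if (v < COPY_SIZE_MIN || v > COPY_SIZE_MAX)
		return -1;
	*out = (unsigned int)v;
	return 0;
}

int
main(int argc, char **argv)
{
	unsigned int n;

	if (argc != 2 || parse_bufsize(argv[1], &n) != 0) {
		fprintf(stderr, "usage: %s bufsize[k|M] (%llu..%llu bytes)\n",
		    argv[0], COPY_SIZE_MIN, COPY_SIZE_MAX);
		return 1;
	}
	printf("%u\n", n);
	return 0;
}
```

The first-character check is the important part: strtoul()/strtoull() negate on a leading minus sign instead of failing, so "-1" would silently become a multi-gigabyte request if the sign were not rejected up front.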
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Tue, 5 Feb 2002 14:45:09 -0500 Subject: forkoff() In-Reply-To: <20020204210941.GA23124@faui02>; from markus@openbsd.org on Mon, Feb 04, 2002 at 10:09:42PM +0100 References: <20020204150017.K27398@sm2p1386swk.wdr.com> <20020204210941.GA23124@faui02> Message-ID: <20020205144508.R27398@sm2p1386swk.wdr.com>

On Mon, Feb 04, 2002 at 10:09:42PM +0100, Markus Friedl wrote:
> i'm not sure this works like expected.

In the context of the -f -f patch it works fine.

Just for kicks I added a ~d escape to call forkoff(1, 1) and indeed, it DOESN'T WORK as expected. The problem is that SSH2_MSG_CHANNEL_CLOSE is never sent to close the session, so the session continues to exist and the remote shell continues to run (idle) while the client sits there in the background doing nothing.

Adding a call to chan_send_oclose2() would fix that (*) - so does passing SIGHUP :)

(*) Should be safe - I don't see how that could lead to the CLOSE message being sent twice. Since the idea is to force a channel closed any buffered data should be dropped and the channel [io]states set to closed, thus preventing additional close msgs from being sent; no EOF msg will be sent thus, but who cares, the CLOSE msg suffices.

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
From Nicolas.Williams at ubsw.com Wed Feb 6 07:08:15 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Tue, 5 Feb 2002 15:08:15 -0500 Subject: forkoff() In-Reply-To: <20020205144508.R27398@sm2p1386swk.wdr.com>; from Nicolas.Williams@ubsw.com on Tue, Feb 05, 2002 at 02:45:09PM -0500 References: <20020204150017.K27398@sm2p1386swk.wdr.com> <20020204210941.GA23124@faui02> <20020205144508.R27398@sm2p1386swk.wdr.com> Message-ID: <20020205150813.S27398@sm2p1386swk.wdr.com>

Yes, that works.

So, to force a channel closed I need a function that sets the channel istate/ostate to closed, sends a CLOSE msg, sets the close sent flag and closes the associated channel file descriptors. That seems to work.

I can then add a ~d escape that detaches the client from the tty and which then exits as soon as all the other open channels (e.g., forwarded X11 displays) are closed. And it still works in the context of the -f -f patch.

Markus, do you see anything wrong with that approach?

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
From Jarno.Huuskonen at uku.fi Wed Feb 6 08:12:28 2002
From: Jarno.Huuskonen at uku.fi (Jarno Huuskonen) Date: Tue, 5 Feb 2002 23:12:28 +0200 Subject: Openssh 2.9.x + Pam_Linux In-Reply-To: <20020205105407.O79145-100000@johngalt.ems.mindspring.net> References: <20020205105407.O79145-100000@johngalt.ems.mindspring.net> Message-ID: <20020205211228.GA56850@messi.uku.fi>

On Tue, Feb 05, Steven S wrote:
[cut]
> Background:
> RedHat 6.2 (heavily customized) running on intel box.
> Running pam-0.72-20.6.x + Openssh-2.9.9p2-1 (both redhat)
>
> Password field echo's the entered password across!

Try upgrading to OpenSSH-3.0.2p1. I noticed the same echo problem, but the newer OpenSSH version doesn't echo the password.

-Jarno
--
Jarno Huuskonen
From Nicolas.Williams at ubsw.com Wed Feb 6 08:29:40 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Tue, 5 Feb 2002 16:29:40 -0500 Subject: chan_force_close() In-Reply-To: <20020205150813.S27398@sm2p1386swk.wdr.com>; from Nicolas.Williams@ubsw.com on Tue, Feb 05, 2002 at 03:08:15PM -0500 References: <20020204150017.K27398@sm2p1386swk.wdr.com> <20020204210941.GA23124@faui02> <20020205144508.R27398@sm2p1386swk.wdr.com> <20020205150813.S27398@sm2p1386swk.wdr.com> Message-ID: <20020205162938.T27398@sm2p1386swk.wdr.com>

How's this for nchan.c? I'm testing it with forkoff(X, 1) and -ddd/-vvv, with and without -f, -f -f, and it's working just fine.

Nico

static void
chan_force_close1(Channel *c)
{
	error("channel %d: don't know how to force an ssh1 channel closed",
	    c->self);
}

static void
chan_force_close2(Channel *c)
{
	/* Both directions already closed and CLOSE already sent: nothing to do. */
	if (c->ostate == CHAN_OUTPUT_CLOSED &&
	    c->istate == CHAN_INPUT_CLOSED &&
	    (c->flags & CHAN_CLOSE_SENT))
		return;
	debug("channel %d: force close", c->self);
	c->ostate = CHAN_OUTPUT_CLOSED;
	c->istate = CHAN_INPUT_CLOSED;
	/* Drop whatever is still buffered for the local fd. */
	if (buffer_len(&c->output))
		buffer_consume(&c->output, buffer_len(&c->output));
	/* Send SSH2_MSG_CHANNEL_CLOSE at most once per channel. */
	if (c->flags & CHAN_CLOSE_SENT)
		return;
	packet_start(SSH2_MSG_CHANNEL_CLOSE);
	packet_put_int(c->remote_id);
	packet_send();
	c->flags |= CHAN_CLOSE_SENT;
	chan_shutdown_read(c);
	chan_shutdown_write(c);
	channel_close_fds(c);
}

--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
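Nico's argument in this thread is that a force-close cannot produce a second CLOSE as long as the [io]states and the close-sent flag are set first. As an added example, not OpenSSH code and not Nico's patch, the small C model below of the SSH2 channel teardown rules (RFC 4254 section 5.3) makes that property checkable: it records which messages one side sends and shows that repeated force-closes, and the mandatory reply to a peer's CLOSE, produce exactly one CHANNEL_CLOSE, and that the channel is only dead once CLOSE has gone both ways. The struct fields and flag names mirror the thread's vocabulary but are this example's own; the wire log is constructed.

```c
/*
 * Added example (not OpenSSH code): a model of SSH2 channel teardown,
 * RFC 4254 sec. 5.3.  Message numbers are the real SSH2 ones; the struct,
 * flag and function names are this example's own.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SSH2_MSG_CHANNEL_EOF   96
#define SSH2_MSG_CHANNEL_CLOSE 97

enum istate { CHAN_INPUT_OPEN, CHAN_INPUT_WAIT_DRAIN, CHAN_INPUT_CLOSED };
enum ostate { CHAN_OUTPUT_OPEN, CHAN_OUTPUT_WAIT_DRAIN, CHAN_OUTPUT_CLOSED };

#define CHAN_EOF_SENT   0x01
#define CHAN_CLOSE_SENT 0x02
#define CHAN_CLOSE_RCVD 0x04

struct chan {
	int self, remote_id;
	enum istate istate;
	enum ostate ostate;
	unsigned int flags;
	size_t output_len;   /* bytes still buffered towards the local fd */
	int fds_open;        /* stand-in for the channel's rfd/wfd/efd */
};

/* Constructed "wire": the message types this side has sent, in order. */
#define WIRE_MAX 16
struct wire { int msgs[WIRE_MAX]; int n; };

static void
send_msg(struct wire *w, int type)
{
	if (w->n < WIRE_MAX)
		w->msgs[w->n] = type;
	w->n++;
}

int
count_msgs(const struct wire *w, int type)
{
	int i, c = 0;

	for (i = 0; i < w->n && i < WIRE_MAX; i++)
		if (w->msgs[i] == type)
			c++;
	return c;
}

void
chan_init(struct chan *c, int self, int remote_id)
{
	memset(c, 0, sizeof(*c));
	c->self = self;
	c->remote_id = remote_id;
	c->fds_open = 1;
}

/* Orderly half-close: local input hit EOF, tell the peer once. */
void
chan_send_eof(struct chan *c, struct wire *w)
{
	if (c->flags & (CHAN_EOF_SENT | CHAN_CLOSE_SENT))
		return;
	send_msg(w, SSH2_MSG_CHANNEL_EOF);
	c->flags |= CHAN_EOF_SENT;
	c->istate = CHAN_INPUT_CLOSED;
}

/* Force close: drop buffered output, close both directions and the fds,
 * and put exactly one CHANNEL_CLOSE on the wire no matter how often
 * this is called. */
void
chan_force_close(struct chan *c, struct wire *w)
{
	c->istate = CHAN_INPUT_CLOSED;
	c->ostate = CHAN_OUTPUT_CLOSED;
	c->output_len = 0;
	c->fds_open = 0;
	if (c->flags & CHAN_CLOSE_SENT)
		return;
	send_msg(w, SSH2_MSG_CHANNEL_CLOSE);
	c->flags |= CHAN_CLOSE_SENT;
}

/* Peer sent CHANNEL_CLOSE: RFC 4254 requires a CLOSE in reply unless
 * one has already been sent for this channel. */
void
chan_rcvd_close(struct chan *c, struct wire *w)
{
	c->flags |= CHAN_CLOSE_RCVD;
	chan_force_close(c, w);
}

/* The channel may be freed only once CLOSE has gone both ways. */
int
chan_is_dead(const struct chan *c)
{
	return (c->flags & CHAN_CLOSE_SENT) && (c->flags & CHAN_CLOSE_RCVD) &&
	    c->istate == CHAN_INPUT_CLOSED && c->ostate == CHAN_OUTPUT_CLOSED;
}

int
main(void)
{
	struct chan c;
	struct wire w = { {0}, 0 };

	chan_init(&c, 0, 7);
	chan_force_close(&c, &w);
	chan_force_close(&c, &w);   /* second call must not send again */
	chan_rcvd_close(&c, &w);    /* peer's CLOSE: no second reply either */
	printf("CLOSE sent %d time(s), channel %s\n",
	    count_msgs(&w, SSH2_MSG_CHANNEL_CLOSE),
	    chan_is_dead(&c) ? "dead" : "alive");
	return 0;
}
```

The model deliberately skips the EOF message on a force-close, as the thread says; what it does insist on is the ordering Nico describes (states and flag first, CLOSE second), which is what keeps a later chan_rcvd_close from answering with a duplicate.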
From djm at mindrot.org Thu Feb 7 00:19:35 2002
From: djm at mindrot.org (Damien Miller) Date: Thu, 7 Feb 2002 00:19:35 +1100 (EST) Subject: COPY_SIZE #define In-Reply-To: <20020205163507.GE26603@godzilla.fibrespeed.net> Message-ID:

On Tue, 5 Feb 2002, Michael T. Babcock wrote:
> I noticed the "XXX: what should this be?" w.r.t. COPY_SIZE in
> sftp-client.c. I made up the following quick patch to allow a new
> command-line argument, "-B" (for 'buffer' size) to specify this value.

Already in current CVS

-d
From hans-gunther.borrmann at rz.uni-freiburg.de Thu Feb 7 01:15:16 2002
From: hans-gunther.borrmann at rz.uni-freiburg.de (H.G.Borrmann) Date: Wed, 06 Feb 2002 15:15:16 +0100 Subject: AIX reading /etc/environment out of step. References: Message-ID: <3C613A74.CA2D4965@rz.uni-freiburg.de>

"Booker C. Bense" wrote:
> On Tue, 22 Jan 2002 mouring at etoh.eviladmin.org wrote:
> > On Tue, 22 Jan 2002, Gert Doering wrote:
> > > Hi,
> > >
> > > On Tue, Jan 22, 2002 at 12:09:13PM -0600, mouring at etoh.eviladmin.org wrote:
> > > > I was discussing with Don about a private topic..and while skimming the
> > > > code I noticed that during a 'ssh mouring at site ls' the /etc/environment
> > > > is *ONLY* read if the remote machine is an AIX box. This is undocumented
> > > > and I'm wondering if someone using AIX could explain WHY it exists in the
> > > > session.c:do_child()? No other OS has this. I don't see why AIX should
> > > > require it.
> > >
> > > All other ways to log into AIX read this. So by doing it you're easing
> > > switchover from rlogin/whatever to ssh.
>
> - It's the AIX way. There are variables set in there that are required
> for interaction with the system libraries. You either have to read it
> or duplicate it.
>
> - Booker C. Bense

The init process reads /etc/environment when it starts and puts all variables in its environment which is inherited by all processes. So there is no need to read /etc/environment again. That's what I know.

--
.______________________________________________________________.
|H.G.Borrmann |Tel.: (0761) 203-4652 |
|Rechenzentrum der Universitaet Freiburg|Fax: (0761) 203-4643 |
|Hermann-Herder-Str. 10 D79104 FREIBURG |
From markus at openbsd.org Wed Feb 6 05:44:47 2002
From: markus at openbsd.org (Markus Friedl) Date: Tue, 5 Feb 2002 19:44:47 +0100 Subject: Openssh 2.9.x + Pam_Linux In-Reply-To: <20020205105407.O79145-100000@johngalt.ems.mindspring.net>; from stevensl@corp.earthlink.net on Tue, Feb 05, 2002 at 11:03:05AM -0500 References: <20020205105407.O79145-100000@johngalt.ems.mindspring.net> Message-ID: <20020205194447.A28544@folly> On Tue, Feb 05, 2002 at 11:03:05AM -0500, Steven S wrote: > TCP dumps show its indeed coming across the session encrypted but > something is spitting out plaintext. The Linux-Pam list suggested I can you please show the tcpdump output? From ssklar at stanford.edu Thu Feb 7 02:03:25 2002 From: ssklar at stanford.edu (Sandor W. Sklar) Date: Wed, 6 Feb 2002 07:03:25 -0800 Subject: AIX reading /etc/environment out of step. In-Reply-To: <3C613A74.CA2D4965@rz.uni-freiburg.de> References: <3C613A74.CA2D4965@rz.uni-freiburg.de> Message-ID: At 3:15 PM +0100 2/6/02, H.G.Borrmann wrote: > >The init process reads /etc/environment when it starts and puts all >variables in >its environment which is inherited by all >processes. So there is no need to read /etc/environment again. Thats >what I know. > If that is true, then you are saying that a system reboot is required whenever changes are made to that file? I don't think so. -s- -- =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Sandor W. Sklar - Unix Systems Administrator - Stanford University ITSS Non impediti ratione cogitationis. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= From Nicolas.Williams at ubsw.com Thu Feb 7 02:07:48 2002 
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Wed, 6 Feb 2002 10:07:48 -0500 Subject: COPY_SIZE #define In-Reply-To: <20020205163507.GE26603@godzilla.fibrespeed.net>; from mbabcock@fibrespeed.net on Tue, Feb 05, 2002 at 11:35:07AM -0500 References: <20020205163507.GE26603@godzilla.fibrespeed.net> Message-ID: <20020206100746.U27398@sm2p1386swk.wdr.com>

NOTE: Your patch to scp.c is incorrect. It only patches the usage() function and SCP already has a -B option, so it can't be added there, unless the brilliant idea that was mentioned in the scp -1/-2 thread of having a generic option (-O?) for passing options to the backend is added.

And yes, it's in -current.

Cheers,

Nico

On Tue, Feb 05, 2002 at 11:35:07AM -0500, Michael T. Babcock wrote:
> I noticed the "XXX: what should this be?" w.r.t. COPY_SIZE in
> sftp-client.c. I made up the following quick patch to allow a new
> command-line argument, "-B" (for 'buffer' size) to specify this value.
>
> I haven't done any strict benchmarking yet, but -B65535 is faster than
> -B8192 which is much faster than -B16.
>
> PS again, I am not on this list, so please CC me any replies.
> --
> Michael T. Babcock
> CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
> http://www.fibrespeed.net/~mbabcock/

--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
From markus at openbsd.org Thu Feb 7 02:21:23 2002
From: markus at openbsd.org (Markus Friedl) Date: Wed, 6 Feb 2002 16:21:23 +0100 Subject: Openssh 2.9.x + Pam_Linux In-Reply-To: <20020206101058.X85119-200000@johngalt.ems.mindspring.net> References: <20020205194447.A28544@folly> <20020206101058.X85119-200000@johngalt.ems.mindspring.net> Message-ID: <20020206152123.GA11650@faui02>

On Wed, Feb 06, 2002 at 10:15:21AM -0500, Steven S wrote:
> unless i'm clueless on tcpdump, it's definitely not sending in plaintext but
> it's echoing.
>
> $ ssh me at anotherhost
> me at anotherhost's password:
> Your password has expired; please change it!
> Warning: Your password has expired, please change it now
> Changing password for me
> (current) UNIX password: test.1234
>                          ^^^^^^^^^^^^^^^^^^^^^^^6
> Connection to nightshift closed by remote host.
> Connection to nightshift closed.

ah, i think this has been fixed.

From stevensl at corp.earthlink.net Thu Feb 7 02:28:15 2002
From: stevensl at corp.earthlink.net (Steven S) Date: Wed, 6 Feb 2002 10:28:15 -0500 (EST) Subject: Openssh 2.9.x + Pam_Linux In-Reply-To: <20020206152123.GA11650@faui02> Message-ID: <20020206102753.H85119-100000@johngalt.ems.mindspring.net>

in a later version of Openssh? or Pam_Linux?

On Wed, 6 Feb 2002, Markus Friedl wrote:
>
> ah, i think this has been fixed.
>
From mouring at etoh.eviladmin.org Thu Feb 7 02:16:12 2002
From: mouring at etoh.eviladmin.org (mouring) Date: Wed, 6 Feb 2002 09:16:12 -0600 (CST) Subject: Openssh 2.9.x + Pam_Linux In-Reply-To: <20020206102753.H85119-100000@johngalt.ems.mindspring.net> from Steven S at "Feb 6, 2002 10:28:15 am" Message-ID: <200202061516.g16FGCh9015673@etoh.eviladmin.org>

In a later version of OpenSSH.

- Ben

>
> in a later version of Openssh? or Pam_Linux?
>
> On Wed, 6 Feb 2002, Markus Friedl wrote:
> >
> > ah, i think this has been fixed.
> >
>
From hans-gunther.borrmann at rz.uni-freiburg.de Thu Feb 7 03:04:41 2002
From: hans-gunther.borrmann at rz.uni-freiburg.de (H.G.Borrmann) Date: Wed, 06 Feb 2002 17:04:41 +0100 Subject: AIX reading /etc/environment out of step. References: <3C613A74.CA2D4965@rz.uni-freiburg.de> Message-ID: <3C615419.B05DB4A@rz.uni-freiburg.de> "Sandor W. Sklar" wrote: > At 3:15 PM +0100 2/6/02, H.G.Borrmann wrote: > > > >The init process reads /etc/environment when it starts and puts all > >variables in > >its environment which is inherited by all > >processes. So there is no need to read /etc/environment again. Thats > >what I know. > > > > If that is true, then you are saying that a system reboot is required > whenever changes are made to that file? I don't think so. > > -s- > -- > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= > Sandor W. Sklar - Unix Systems Administrator - Stanford University ITSS > Non impediti ratione cogitationis. > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= I'm wrong. I just checked it. But in early releases of AIX it was true. I still have a manual which states this behavior. Sorry H.G.Borrmann -- .______________________________________________________________. |H.G.Borrmann |Tel.: (0761) 203-4652 | |Rechenzentrum der Universitaet Freiburg|Fax: (0761) 203-4643 | |Hermann-Herder-Str. 10 D79104 FREIBURG | From bugzilla-daemon at mindrot.org Thu Feb 7 03:49:39 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 7 Feb 2002 03:49:39 +1100 (EST) Subject: [Bug 105] New: scp protocol 2 over a hippi interface takes 6 times longer Message-ID: <20020206164939.5B228E91E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=105

Summary: scp protocol 2 over a hippi interface takes 6 times longer
Product: Portable OpenSSH
Version: 3.0.2p1
Platform: MIPS
OS/Version: IRIX
Status: NEW
Severity: normal
Priority: P2
Component: scp
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: pas50 at cam.ac.uk

scp of a 25Mb file over a hippi interface takes 159s with protocol 2 and 22 seconds with protocol 1. Over fast ethernet it takes 20s with protocol 2 and 22s with protocol 1.

Snooping the hippi for protocol 1 has packets like

16:33:54.465436 hartree-hippi0 -> hodgkin TCP D=22 S=57066 Ack=851535706 Seq=1272028889 Len=61440 Win=40767
16:33:54.550683 hodgkin -> hartree-hippi0 TCP D=57066 S=22 Ack=1272090329 Seq=851535706 Len=0 Win=19188

~62k packet size

and for protocol 2

16:33:19.024288 hodgkin -> hartree-hippi0 TCP D=57060 S=22 Ack=2852340565 Seq=845515278 Len=0 Win=61440
16:33:19.040910 hodgkin -> hartree-hippi0 TCP D=57060 S=22 Ack=2852356997 Seq=845515278 Len=48 Win=61440
16:33:19.047481 hartree-hippi0 -> hodgkin TCP D=22 S=57060 Ack=845515326 Seq=2852356997 Len=16432 Win=40767

~16k packet size.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From jblaine at mitre.org Thu Feb 7 06:04:47 2002
From: jblaine at mitre.org (Jeff Blaine) Date: Wed, 06 Feb 2002 14:04:47 -0500 Subject: 3.0.2p1 under IRIX (coredumps) In-Reply-To: Message-ID: <3686972744.1013004287@jblaine-pc.MITRE.ORG> Please? Anyone? Who handles the "Yes, OpenSSH works under IRIX" claim on the OpenSSH page? I really would like to get this to build and run properly :< Any comments would be great, even if it's "I can't look into this for a week or two, but will get back to you." Friday 2/1: > Hello, > > I am unable to build a working OpenSSH 3.0.2p1 for IRIX 6.5 using either > > 1. gcc 2.95.3 + binutils 2.11.2 > > 2. SGI MIPSpro cc, CC=cc, LD=/usr/bin/ld, CFLAGS='-mips3 -n32' > > Under both setups: > > - zlib seems to build fine > - OpenSSL seems to build fine and tests out okay > - OpenSSH builds, and then: > > openssh-3.0.2p1 % ./ssh -v myhost > Trace/BPT/RangeErr/DivZero/Ovflow trap (core dumped) > openssh-3.0.2p1 % > openssh-3.0.2p1 % ls -ld core > -rw-r--r-- 1 jblaine nuucp 393216 Feb 1 11:51 core > openssh-3.0.2p1 % dbx ./ssh > dbx version 7.3 MR 55458_Apr30_MR Apr 30 1999 13:44:41 > Unable to find or process rld object list at address 0x0:( dbx > internal status code 7) Core file does not correspond to executable > Executable > /afs/rcf.mitre.org/system/src/local/ssh/030/openssh-3.0.2p1/./ssh > (dbx) run > Process 241534 (ssh) started > Process 241534 (ssh) stopped on signal SIGTRAP: Trace/BPT trap type: overflow> at [:0 ,0x1001bfc8] (dbx) > > - Building on another box (IP23) in /tmp instead of in AFS space gives me > the same exact results. > > Could someone please tell me how to get this to build and run? > From bugzilla-daemon at mindrot.org Thu Feb 7 06:54:31 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 7 Feb 2002 06:54:31 +1100 (EST) Subject: [Bug 105] scp protocol 2 over a hippi interface takes 6 times longer Message-ID: <20020206195431.2D29CE926@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=105 markus at openbsd.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED ------- Additional Comments From markus at openbsd.org 2002-02-07 06:54 ------- could you please try this without scp? e.g. cat file | ssh -1 -c 3des 'cat > f' cat file | ssh -2 -c 3des-cbc 'cat > f2' thanks. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu Feb 7 06:55:00 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 7 Feb 2002 06:55:00 +1100 (EST) Subject: [Bug 104] [WISHLIST] sftpfs? Message-ID: <20020206195500.B0619E918@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=104 markus at openbsd.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Additional Comments From markus at openbsd.org 2002-02-07 06:54 ------- yes, the sftp-server protocol is like a filesystem protocol, so this shouldn't be hard. doing things in unix will be harder than with plan9, but it's not impossible. however, i don't think this has something to do with openssh :) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From mouring at etoh.eviladmin.org Thu Feb 7 06:23:10 2002 
From: mouring at etoh.eviladmin.org (mouring)
Date: Wed, 6 Feb 2002 13:23:10 -0600 (CST)
Subject: SFTP Status Bar..
Message-ID: <200202061923.g16JNAGf005441@etoh.eviladmin.org>

This is the LAST version I plan on doing.. If I hear no feedback, good or bad, then I'll assume I've wasted my time on a feature that people whine about but don't care to try. This is against 3.0.2pX so it should be VERY easy for anyone to test.

- Ben

diff -ur openssh-3.0.2p1/misc.c openssh/misc.c --- openssh-3.0.2p1/misc.c Tue Jul 3 23:46:58 2001 +++ openssh/misc.c Wed Feb 6 13:15:55 2002 @@ -30,6 +30,7 @@ #include "misc.h" #include "log.h" #include "xmalloc.h" +#include "atomicio.h" /* remove newline at end of string */ char *
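Review bot: the include hunk adds only "atomicio.h", but the functions this patch adds to misc.c further down call ioctl() with TIOCGPGRP and TIOCGWINSZ, use struct winsize, getpgrp(), gettimeofday() and timersub(); unless misc.c already pulls in <sys/ioctl.h>, <sys/time.h> and <unistd.h> (plus whatever the portable tree's compatibility headers supply for timersub where libc lacks it), the file will not compile once the second misc.c hunk lands. Add the needed includes here next to "atomicio.h".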
@@ -304,6 +305,139 @@ args->list = xrealloc(args->list, args->nalloc * sizeof(char *)); args->list[args->num++] = xstrdup(buf); args->list[args->num] = NULL; +} + +/* scp/sftp progression meter (from src/usr.bin/ftp/util.c) */ +static int +foregroundproc(void) +{ + static pid_t pgrp = -1; + int ctty_pgrp; + + if (pgrp == -1) + pgrp = getpgrp(); + + return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 && + ctty_pgrp == pgrp)); +} + +int +getttywidth(void) +{ + struct winsize winsize; + + if (ioctl(fileno(stdout), TIOCGWINSZ, &winsize) != -1) + return (winsize.ws_col ? winsize.ws_col : 80); + else + return (80); +} + +void +progressmeter(off_t statbytes, off_t totalbytes, char *filename) +{ +#define STALLTIME 5 /* number of seconds before xfer assumed "stalled" */ + static const char prefixes[] = " KMGTP"; + static char *progressbar = NULL; + static struct timeval *start = NULL, lastupdate; + static off_t lastsize; + static size_t progressbar_size = 0; + struct timeval now, td, wait; + off_t cursize, abbrevsize; + double elapsed; + int ratio, barlength, i, remaining; + char buf[256]; + + if (!start) { + start = xmalloc(sizeof(struct timeval)); + (void) gettimeofday(start, (struct timezone *) 0); + lastupdate = *start; + lastsize = 0; + } + if (foregroundproc() == 0) + return; + + (void) gettimeofday(&now, (struct timezone *) 0); + cursize = statbytes; + if (totalbytes != 0) { + ratio = 100.0 * cursize / totalbytes; + ratio = MAX(ratio, 0); + ratio = MIN(ratio, 100); + } else + ratio = 100; + + barlength = getttywidth() - 51; + if (barlength > progressbar_size) { + progressbar_size = barlength; + progressbar = xrealloc(progressbar, barlength); + memset(progressbar, '*', barlength); + } + + snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", + (filename?filename:""), ratio); + if (barlength > 0) { + i = barlength * ratio / 100; + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), + "|%.*s%*s|", i, progressbar, barlength - i, ""); + } + i = 0; + abbrevsize = 
cursize; + while (abbrevsize >= 100000 && i < sizeof(prefixes)) { + i++; + abbrevsize >>= 10; + } + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5llu %c%c ", + (unsigned long long) abbrevsize, prefixes[i], + prefixes[i] == ' ' ? ' ' : 'B'); + + timersub(&now, &lastupdate, &wait); + if (cursize > lastsize) { + lastupdate = now; + lastsize = cursize; + if (wait.tv_sec >= STALLTIME) { + start->tv_sec += wait.tv_sec; + start->tv_usec += wait.tv_usec; + } + wait.tv_sec = 0; + } + timersub(&now, start, &td); + elapsed = td.tv_sec + (td.tv_usec / 1000000.0); + + if ((totalbytes != statbytes) && + (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) { + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), + " --:-- ETA"); + } else if (wait.tv_sec >= STALLTIME) { + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), + " - stalled -"); + } else { + if (totalbytes != statbytes) + remaining = (int)(totalbytes / (statbytes / elapsed) - + elapsed); + else + remaining = elapsed; + + i = remaining / 3600; + if (i) + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), + "%2d:", i); + else + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), + " "); + i = remaining % 3600; + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), + "%02d:%02d%s", i / 60, i % 60, + (totalbytes != statbytes) ? " ETA" : " "); + } + atomicio(write, fileno(stdout), buf, strlen(buf)); + + if (totalbytes == statbytes) { + atomicio(write, fileno(stdout), "\n", 1); + + /* Clean up for next usage */ + xfree(start); + start = NULL; + statbytes = 0; + } } mysig_t Only in openssh: misc.c.orig diff -ur openssh-3.0.2p1/misc.h openssh/misc.h --- openssh-3.0.2p1/misc.h Wed Jul 4 12:25:55 2001 +++ openssh/misc.h Wed Feb 6 13:02:33 2002 
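Review bot: three problems in the new progressmeter() body in the misc.c @@ -304 hunk. First, `barlength = getttywidth() - 51;` is an int but is compared with and assigned to the size_t progressbar_size, so on a terminal narrower than 51 columns the negative barlength converts to a huge unsigned value, `if (barlength > progressbar_size)` is true, and xrealloc(progressbar, barlength) is asked for that huge size; clamp barlength to 0 (or guard the block with `barlength > 0 &&`) before the allocation, which the old scp.c code never needed because it drew from a fixed BAR string. Second, progressmeter() runs from the SIGALRM handler (updateprogressmeter in scp.c and sftp-int.c), and this version adds xmalloc()/xrealloc()/xfree() to it; malloc is not async-signal-safe, and the sftp-client.c loop is calling xfree(data) while the alarm is armed, so an alarm landing inside free() can corrupt the heap. Allocate `start` and the bar buffer outside the handler (static storage, or a setup call made before alarm() is armed) and keep the handler down to gettimeofday/snprintf/write. Third, the cleanup `statbytes = 0;` at the end assigns to the function parameter, not to the global that scp.c and sftp-client.c keep, so it is a dead store; the old progressmeter(1) reset the global, and every caller now has to do that reset itself.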
@@ -29,7 +29,11 @@ int num; int nalloc; }; + void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); +void progressmeter(off_t statbytes, off_t totalbytes, char *curfile); + +#define PROGRESSTIME 1 /* alarm() interval for updating progress meter */ /* wrapper for signal interface */ typedef void (*mysig_t)(int); diff -ur openssh-3.0.2p1/scp.c openssh/scp.c --- openssh-3.0.2p1/scp.c Sun Oct 21 19:53:59 2001 +++ openssh/scp.c Wed Feb 6 13:07:33 2002 @@ -89,32 +89,12 @@ char *__progname; #endif -/* For progressmeter() -- number of seconds before xfer considered "stalled" */ -#define STALLTIME 5 -/* alarm() interval for updating progress meter */ -#define PROGRESSTIME 1 - -/* Progress meter bar */ -#define BAR \ - "************************************************************"\ - "************************************************************"\ - "************************************************************"\ - "************************************************************" -#define MAX_BARLENGTH (sizeof(BAR) - 1) - -/* Visual statistics about files as they are transferred. */ -void progressmeter(int); - -/* Returns width of the terminal (for progress meter calculations). */ -int getttywidth(void); +static void updateprogressmeter(int done); int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc); /* Struct for addargs */ arglist args; -/* Time a transfer started. */ -static struct timeval start; - /* Number of bytes of current file transferred so far. */ volatile off_t statbytes; @@ -569,7 +549,7 @@ } if (showprogress) { totalbytes = stb.st_size; - progressmeter(-1); + updateprogressmeter(0); } /* Keep writing after an error so that we stay sync'd up. */ for (haderr = i = 0; i < stb.st_size; i += bp->cnt) { @@ -591,7 +571,7 @@ } } if (showprogress) - progressmeter(1); + updateprogressmeter(1); if (close(fd) < 0 && !haderr) haderr = errno; 
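Review bot: replacing progressmeter(-1) with updateprogressmeter(0) at the start of a file in the scp.c @@ -569 hunk changes when the timer base is reset. The old call set `start` unconditionally for every file; the new progressmeter() only initialises `start`, lastupdate and lastsize when `start == NULL`, and only frees `start` when `totalbytes == statbytes`. A file that ends short of totalbytes (a transfer error, or the `cursize > totalbytes` case the ETA code already special-cases) therefore leaves `start` and lastsize holding the previous file's values, and the next file's elapsed time and ETA are wrong until it completes. Either reset the statics unconditionally on the done==0 call (for example by passing an explicit "begin" flag through to progressmeter()) or free `start` on the done==1 path regardless of byte counts. Also, misc.h now declares progressmeter() with off_t parameters, so check that <sys/types.h> is included before that declaration in every file that includes misc.h.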
@@ -835,7 +815,7 @@ if (showprogress) { totalbytes = size; - progressmeter(-1); + updateprogressmeter(0); } statbytes = 0; for (count = i = 0; i < size; i += 4096) { @@ -871,7 +851,8 @@ } } if (showprogress) - progressmeter(1); + updateprogressmeter(1); + if (count != 0 && wrerr == NO && (j = atomicio(write, ofd, bp->buf, count)) != count) { wrerr = YES; 
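Review bot: in the sink hunk at @@ -835, `statbytes = 0;` still comes after `updateprogressmeter(0);`, so the first meter line for each received file is drawn with the previous file's byte count, and because progressmeter() no longer resets the global statbytes at the end of a file, that stale count is also what lastsize is compared against on the first alarm. Move `statbytes = 0;` above the updateprogressmeter(0) call, and give the source() path at @@ -569 the same explicit reset if it does not already zero statbytes before its loop.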
@@ -1079,140 +1060,17 @@ } static void -updateprogressmeter(int ignore) +updateprogressmeter(int done) { - int save_errno = errno; - - progressmeter(0); - mysignal(SIGALRM, updateprogressmeter); - alarm(PROGRESSTIME); - errno = save_errno; -} - -static int -foregroundproc(void) -{ - static pid_t pgrp = -1; - int ctty_pgrp; - - if (pgrp == -1) - pgrp = getpgrp(); + int save_errno = errno; -#ifdef HAVE_TCGETPGRP - return ((ctty_pgrp = tcgetpgrp(STDOUT_FILENO)) != -1 && - ctty_pgrp == pgrp); -#else - return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 && - ctty_pgrp == pgrp)); -#endif -} -void -progressmeter(int flag) -{ - static const char prefixes[] = " KMGTP"; - static struct timeval lastupdate; - static off_t lastsize; - struct timeval now, td, wait; - off_t cursize, abbrevsize; - double elapsed; - int ratio, barlength, i, remaining; - char buf[256]; - - if (flag == -1) { - (void) gettimeofday(&start, (struct timezone *) 0); - lastupdate = start; - lastsize = 0; - } - if (foregroundproc() == 0) - return; + progressmeter(statbytes, totalbytes, curfile); + if (done == 0) { + mysignal(SIGALRM, updateprogressmeter); + alarm(PROGRESSTIME); + } else + alarm(0); - (void) gettimeofday(&now, (struct timezone *) 0); - cursize = statbytes; - if (totalbytes != 0) { - ratio = 100.0 * cursize / totalbytes; - ratio = MAX(ratio, 0); - ratio = MIN(ratio, 100); - } else - ratio = 100; - - snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", curfile, ratio); - - barlength = getttywidth() - 51; - barlength = (barlength <= MAX_BARLENGTH)?barlength:MAX_BARLENGTH; - if (barlength > 0) { - i = barlength * ratio / 100; - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - "|%.*s%*s|", i, BAR, barlength - i, ""); - } - i = 0; - abbrevsize = cursize; - while (abbrevsize >= 100000 && i < sizeof(prefixes)) { - i++; - abbrevsize >>= 10; - } - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5lu %c%c ", - (unsigned long) abbrevsize, prefixes[i], - prefixes[i] == ' ' ? 
' ' : 'B'); - - timersub(&now, &lastupdate, &wait); - if (cursize > lastsize) { - lastupdate = now; - lastsize = cursize; - if (wait.tv_sec >= STALLTIME) { - start.tv_sec += wait.tv_sec; - start.tv_usec += wait.tv_usec; - } - wait.tv_sec = 0; - } - timersub(&now, &start, &td); - elapsed = td.tv_sec + (td.tv_usec / 1000000.0); - - if (flag != 1 && - (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) { - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - " --:-- ETA"); - } else if (wait.tv_sec >= STALLTIME) { - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - " - stalled -"); - } else { - if (flag != 1) - remaining = (int)(totalbytes / (statbytes / elapsed) - - elapsed); - else - remaining = elapsed; - - i = remaining / 3600; - if (i) - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - "%2d:", i); - else - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - " "); - i = remaining % 3600; - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - "%02d:%02d%s", i / 60, i % 60, - (flag != 1) ? " ETA" : " "); - } - atomicio(write, fileno(stdout), buf, strlen(buf)); - - if (flag == -1) { - mysignal(SIGALRM, updateprogressmeter); - alarm(PROGRESSTIME); - } else if (flag == 1) { - alarm(0); - atomicio(write, fileno(stdout), "\n", 1); - statbytes = 0; - } -} - -int -getttywidth(void) -{ - struct winsize winsize; - - if (ioctl(fileno(stdout), TIOCGWINSZ, &winsize) != -1) - return (winsize.ws_col ? winsize.ws_col : 80); - else - return (80); + errno = save_errno; } diff -ur openssh-3.0.2p1/sftp-client.c openssh/sftp-client.c --- openssh-3.0.2p1/sftp-client.c Wed Jul 18 10:45:45 2001 +++ openssh/sftp-client.c Wed Feb 6 13:02:34 2002 @@ -49,6 +49,11 @@ /* Message ID */ static u_int msg_id = 1; +/* Progress Meter items */ +off_t statbytes = 0; +off_t totalbytes = 0; +char *curfile = NULL; + static void send_msg(int fd, Buffer *m) { 
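Review bot: two regressions in the scp.c @@ -1079 hunk. The deleted foregroundproc() had an `#ifdef HAVE_TCGETPGRP` branch using tcgetpgrp(STDOUT_FILENO); the replacement in misc.c keeps only the TIOCGPGRP ioctl, so platforms where configure selected tcgetpgrp lose that path, and the #ifdef should be carried over. Separately, the new updateprogressmeter(int done) calls progressmeter() first and alarm(0) afterwards on the done==1 path, and the final draw, the trailing newline and the xfree(start) cleanup all now happen inside that progressmeter() call; a pending SIGALRM that fires between its return and alarm(0) re-enters progressmeter() from the handler, allocates a fresh `start`, prints a duplicate completed line and re-arms the alarm. Call alarm(0) before the final progressmeter() call, as the old flag==1 path did before writing its newline.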
@@ -671,7 +676,7 @@ int do_download(int fd_in, int fd_out, char *remote_path, char *local_path, - int pflag) + int pflag, void (*progressbar)(int)) { int local_fd; u_int expected_id, handle_len, mode, type, id; @@ -724,6 +729,11 @@ return(-1); } + totalbytes = a->size; + curfile = remote_path; + if (progressbar) + (progressbar)(0); + /* Read from remote and write to local */ offset = 0; for(;;) { @@ -785,6 +795,7 @@ offset += len; xfree(data); + statbytes = offset; } status = do_close(fd_in, fd_out, handle, handle_len); @@ -807,15 +818,18 @@ } done: + if (progressbar) + (progressbar)(1); close(local_fd); buffer_free(&msg); xfree(handle); + return status; } int do_upload(int fd_in, int fd_out, char *local_path, char *remote_path, - int pflag) + int pflag, void (*progressbar)(int)) { int local_fd; u_int handle_len, id; @@ -865,6 +879,10 @@ buffer_free(&msg); return(-1); } + totalbytes = a.size; + curfile = local_path; + if (progressbar) + (progressbar)(0); /* Read from local and write to remote */ offset = 0; @@ -908,6 +926,7 @@ (u_int64_t)offset); offset += len; + statbytes = offset; } if (close(local_fd) == -1) { @@ -925,8 +944,10 @@ status = do_close(fd_in, fd_out, handle, handle_len); done: + if (progressbar) + (progressbar)(1); xfree(handle); buffer_free(&msg); + return status; } - diff -ur openssh-3.0.2p1/sftp-client.h openssh/sftp-client.h --- openssh-3.0.2p1/sftp-client.h Tue Jul 3 23:07:13 2001 +++ openssh/sftp-client.h Wed Feb 6 13:02:34 2002 
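Review bot: in the sftp-client.c hunks, do_download() and do_upload() set totalbytes and curfile and then call (progressbar)(0) before their loops, but statbytes is only written inside the loop (`statbytes = offset;`), and progressmeter() no longer zeroes it at the end of a file; on the second and later files of an mget/mput the first meter line, and the handler's lastsize comparison, therefore see the previous file's final byte count. Add `statbytes = 0;` next to the `totalbytes = a->size;` / `totalbytes = a.size;` assignments. Note also that `curfile = remote_path;` / `curfile = local_path;` hand a caller-owned string to the SIGALRM handler, so every exit taken after (progressbar)(0) must go through `done:` (where (progressbar)(1) disarms the alarm) before the caller frees that string.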
@@ -88,16 +88,14 @@ /* Return target of symlink 'path' - caller must free result */ char *do_readlink(int, int, char *); -/* XXX: add callbacks to do_download/do_upload so we can do progress meter */ - /* * Download 'remote_path' to 'local_path'. Preserve permissions and times * if 'pflag' is set */ -int do_download(int, int, char *, char *, int); +int do_download(int, int, char *, char *, int, void (*)(int)); /* * Upload 'local_path' to 'remote_path'. Preserve permissions and times * if 'pflag' is set */ -int do_upload(int, int, char *, char *, int); +int do_upload(int, int, char *, char *, int, void (*)(int)); diff -ur openssh-3.0.2p1/sftp-int.c openssh/sftp-int.c --- openssh-3.0.2p1/sftp-int.c Wed Aug 15 18:22:57 2001 +++ openssh/sftp-int.c Wed Feb 6 13:02:34 2002 @@ -32,6 +32,7 @@ #include "xmalloc.h" #include "log.h" #include "pathnames.h" +#include "misc.h" #include "sftp.h" #include "sftp-common.h" @@ -113,6 +114,24 @@ }; static void +updateprogressmeter(int done) +{ + int save_errno = errno; + extern off_t statbytes; + extern off_t totalbytes; + extern char *curfile; + + progressmeter(statbytes, totalbytes, curfile); + if (done == 0) { + mysignal(SIGALRM, updateprogressmeter); + alarm(PROGRESSTIME); + } else + alarm(0); + + errno = save_errno; +} + +static void help(void) { printf("Available commands:\n"); @@ -380,8 +399,8 @@ err = -1; goto out; } - printf("Fetching %s to %s\n", g.gl_pathv[0], abs_dst); - err = do_download(in, out, g.gl_pathv[0], abs_dst, pflag); + err = do_download(in, out, g.gl_pathv[0], abs_dst, pflag, + NULL); goto out; } @@ -404,8 +423,8 @@ } else abs_dst = tmp; - printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); - if (do_download(in, out, g.gl_pathv[i], abs_dst, pflag) == -1) + if (do_download(in, out, g.gl_pathv[i], abs_dst, pflag, + updateprogressmeter) == -1) err = -1; xfree(abs_dst); abs_dst = NULL; 
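Review bot: the single-file `get` case in the sftp-int.c @@ -380 hunk passes NULL as the progress callback while the glob loop at @@ -404 passes updateprogressmeter, and both `printf("Fetching %s to %s\n", ...)` lines are deleted, so fetching one file now prints nothing at all; pass updateprogressmeter there too (the `put` hunks do) or keep the Fetching line for the NULL case. The new updateprogressmeter() in sftp-int.c is, apart from its three `extern` lines, the same function added to scp.c; since progressmeter() has already moved into misc.c, the handler and the statbytes/totalbytes/curfile declarations could move there as well so the two copies cannot drift apart.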
@@ -462,8 +481,8 @@ } abs_dst = make_absolute(abs_dst, pwd); } - printf("Uploading %s to %s\n", g.gl_pathv[0], abs_dst); - err = do_upload(in, out, g.gl_pathv[0], abs_dst, pflag); + err = do_upload(in, out, g.gl_pathv[0], abs_dst, pflag, + updateprogressmeter); goto out; } @@ -486,8 +505,8 @@ } else abs_dst = make_absolute(tmp, pwd); - printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); - if (do_upload(in, out, g.gl_pathv[i], abs_dst, pflag) == -1) + if (do_upload(in, out, g.gl_pathv[i], abs_dst, pflag, + updateprogressmeter) == -1) err = -1; }

From bugzilla-daemon at mindrot.org Thu Feb 7 07:12:14 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 7 Feb 2002 07:12:14 +1100 (EST)
Subject: [Bug 106] New: RFE: --without-rpath configure option
Message-ID: <20020206201214.3EF7EE926@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=106

           Summary: RFE: --without-rpath configure option
           Product: Portable OpenSSH
           Version: 3.0.2p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: Nicolas.Williams at ubsw.com

I build OpenSSH with local OpenSSL/Zlib/Kerberos/... packages that are not in their final install directories (in part because I build some of those with --disable-shared and statically link in their libraries into OpenSSH), so the current configure gets the -R linker flags wrong.

This patch adds a configure option, --without-rpath, to disable automatic use of -R; I can then add the correct -R linker arguments, if any, through --with-ldflags=...

Patch will be attached.

Nico

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Feb 7 07:13:52 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 7 Feb 2002 07:13:52 +1100 (EST)
Subject: [Bug 106] RFE: --without-rpath configure option
Message-ID: <20020206201352.CABC4E99A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=106

------- Additional Comments From Nicolas.Williams at ubsw.com 2002-02-07 07:13 -------
Created an attachment (id=21)
configure.ac patch that adds --without-rpath option

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Nicolas.Williams at ubsw.com Thu Feb 7 07:53:41 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Wed, 6 Feb 2002 15:53:41 -0500
Subject: SFTP Status Bar..
In-Reply-To: <200202061923.g16JNAGf005441@etoh.eviladmin.org>; from mouring@etoh.eviladmin.org on Wed, Feb 06, 2002 at 01:23:10PM -0600
References: <200202061923.g16JNAGf005441@etoh.eviladmin.org>
Message-ID: <20020206155339.V27398@sm2p1386swk.wdr.com>

Works, though the patch to scp.c doesn't apply cleanly.

Also, you're enabling the progress bar only on multiple transfers, not on one transfer. Perhaps there should be a separate sftp command to enable/disable the progress bar.

How's that for testing feedback? :)

Nico

On Wed, Feb 06, 2002 at 01:23:10PM -0600, mouring wrote:
> This is the LAST version I plan on doing.. If I hear no feedback, good
> or bad, then I'll assume I've wasted my time on a feature that people
> whine about but don't care to try. This is against 3.0.2pX so it
> should be VERY easy for anyone to test.
>
> - Ben
>
> diff -ur openssh-3.0.2p1/misc.c openssh/misc.c > --- openssh-3.0.2p1/misc.c Tue Jul 3 23:46:58 2001 > +++ openssh/misc.c Wed Feb 6 13:15:55 2002 > @@ -30,6 +30,7 @@ > #include "misc.h" > #include "log.h" > #include "xmalloc.h" > +#include "atomicio.h" > > /* remove newline at end of string */ > char *
> @@ -304,6 +305,139 @@ > args->list = xrealloc(args->list, args->nalloc * sizeof(char *)); > args->list[args->num++] = xstrdup(buf); > args->list[args->num] = NULL; > +} > + > +/* scp/sftp progression meter (from src/usr.bin/ftp/util.c) */ > +static int > +foregroundproc(void) > +{ > + static pid_t pgrp = -1; > + int ctty_pgrp; > + > + if (pgrp == -1) > + pgrp = getpgrp(); > + > + return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 && > + ctty_pgrp == pgrp)); > +} > + > +int > +getttywidth(void) > +{ > + struct winsize winsize; > + > + if (ioctl(fileno(stdout), TIOCGWINSZ, &winsize) != -1) > + return (winsize.ws_col ? winsize.ws_col : 80); > + else > + return (80); > +} > + > +void > +progressmeter(off_t statbytes, off_t totalbytes, char *filename) > +{ > +#define STALLTIME 5 /* number of seconds before xfer assumed "stalled" */ > + static const char prefixes[] = " KMGTP"; > + static char *progressbar = NULL; > + static struct timeval *start = NULL, lastupdate; > + static off_t lastsize; > + static size_t progressbar_size = 0; > + struct timeval now, td, wait; > + off_t cursize, abbrevsize; > + double elapsed; > + int ratio, barlength, i, remaining; > + char buf[256]; > + > + if (!start) { > + start = xmalloc(sizeof(struct timeval)); > + (void) gettimeofday(start, (struct timezone *) 0); > + lastupdate = *start; > + lastsize = 0; > + } > + if (foregroundproc() == 0) > + return; > + > + (void) gettimeofday(&now, (struct timezone *) 0); > + cursize = statbytes; > + if (totalbytes != 0) { > + ratio = 100.0 * cursize / totalbytes; > + ratio = MAX(ratio, 0); > + ratio = MIN(ratio, 100); > + } else > + ratio = 100; > + > + barlength = getttywidth() - 51; > + if (barlength > progressbar_size) { > + progressbar_size = barlength; > + progressbar = xrealloc(progressbar, barlength); > + memset(progressbar, '*', barlength); > + } > + > + snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", > + (filename?filename:""), ratio); > + if (barlength > 0) { > + i = barlength * 
ratio / 100; > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > + "|%.*s%*s|", i, progressbar, barlength - i, ""); > + } > + i = 0; > + abbrevsize = cursize; > + while (abbrevsize >= 100000 && i < sizeof(prefixes)) { > + i++; > + abbrevsize >>= 10; > + } > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5llu %c%c ", > + (unsigned long long) abbrevsize, prefixes[i], > + prefixes[i] == ' ' ? ' ' : 'B'); > + > + timersub(&now, &lastupdate, &wait); > + if (cursize > lastsize) { > + lastupdate = now; > + lastsize = cursize; > + if (wait.tv_sec >= STALLTIME) { > + start->tv_sec += wait.tv_sec; > + start->tv_usec += wait.tv_usec; > + } > + wait.tv_sec = 0; > + } > + timersub(&now, start, &td); > + elapsed = td.tv_sec + (td.tv_usec / 1000000.0); > + > + if ((totalbytes != statbytes) && > + (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) { > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > + " --:-- ETA"); > + } else if (wait.tv_sec >= STALLTIME) { > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > + " - stalled -"); > + } else { > + if (totalbytes != statbytes) > + remaining = (int)(totalbytes / (statbytes / elapsed) - > + elapsed); > + else > + remaining = elapsed; > + > + i = remaining / 3600; > + if (i) > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > + "%2d:", i); > + else > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > + " "); > + i = remaining % 3600; > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > + "%02d:%02d%s", i / 60, i % 60, > + (totalbytes != statbytes) ? 
" ETA" : " "); > + } > + atomicio(write, fileno(stdout), buf, strlen(buf)); > + > + if (totalbytes == statbytes) { > + atomicio(write, fileno(stdout), "\n", 1); > + > + /* Clean up for next usage */ > + xfree(start); > + start = NULL; > + statbytes = 0; > + } > } > > mysig_t > Only in openssh: misc.c.orig > diff -ur openssh-3.0.2p1/misc.h openssh/misc.h > --- openssh-3.0.2p1/misc.h Wed Jul 4 12:25:55 2001 > +++ openssh/misc.h Wed Feb 6 13:02:33 2002 > @@ -29,7 +29,11 @@ > int num; > int nalloc; > }; > + > void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); > +void progressmeter(off_t statbytes, off_t totalbytes, char *curfile); > + > +#define PROGRESSTIME 1 /* alarm() interval for updating progress meter */ > > /* wrapper for signal interface */ > typedef void (*mysig_t)(int); > diff -ur openssh-3.0.2p1/scp.c openssh/scp.c > --- openssh-3.0.2p1/scp.c Sun Oct 21 19:53:59 2001 > +++ openssh/scp.c Wed Feb 6 13:07:33 2002 
> @@ -89,32 +89,12 @@ > char *__progname; > #endif > > -/* For progressmeter() -- number of seconds before xfer considered "stalled" */ > -#define STALLTIME 5 > -/* alarm() interval for updating progress meter */ > -#define PROGRESSTIME 1 > - > -/* Progress meter bar */ > -#define BAR \ > - "************************************************************"\ > - "************************************************************"\ > - "************************************************************"\ > - "************************************************************" > -#define MAX_BARLENGTH (sizeof(BAR) - 1) > - > -/* Visual statistics about files as they are transferred. */ > -void progressmeter(int); > - > -/* Returns width of the terminal (for progress meter calculations). */ > -int getttywidth(void); > +static void updateprogressmeter(int done); > int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc); > > /* Struct for addargs */ > arglist args; > > -/* Time a transfer started. */ > -static struct timeval start; > - > /* Number of bytes of current file transferred so far. */ > volatile off_t statbytes; > > @@ -569,7 +549,7 @@ > } > if (showprogress) { > totalbytes = stb.st_size; > - progressmeter(-1); > + updateprogressmeter(0); > } > /* Keep writing after an error so that we stay sync'd up. */ > for (haderr = i = 0; i < stb.st_size; i += bp->cnt) { > @@ -591,7 +571,7 @@ > } > } > if (showprogress) > - progressmeter(1); > + updateprogressmeter(1); > > if (close(fd) < 0 && !haderr) > haderr = errno; > @@ -835,7 +815,7 @@ > > if (showprogress) { > totalbytes = size; > - progressmeter(-1); > + updateprogressmeter(0); > } > statbytes = 0; > for (count = i = 0; i < size; i += 4096) { > @@ -871,7 +851,8 @@ > } > } > if (showprogress) > - progressmeter(1); > + updateprogressmeter(1); > + > if (count != 0 && wrerr == NO && > (j = atomicio(write, ofd, bp->buf, count)) != count) { > wrerr = YES; 
> @@ -1079,140 +1060,17 @@ > } > > static void > -updateprogressmeter(int ignore) > +updateprogressmeter(int done) > { > - int save_errno = errno; > - > - progressmeter(0); > - mysignal(SIGALRM, updateprogressmeter); > - alarm(PROGRESSTIME); > - errno = save_errno; > -} > - > -static int > -foregroundproc(void) > -{ > - static pid_t pgrp = -1; > - int ctty_pgrp; > - > - if (pgrp == -1) > - pgrp = getpgrp(); > + int save_errno = errno; > > -#ifdef HAVE_TCGETPGRP > - return ((ctty_pgrp = tcgetpgrp(STDOUT_FILENO)) != -1 && > - ctty_pgrp == pgrp); > -#else > - return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 && > - ctty_pgrp == pgrp)); > -#endif > -} > > -void > -progressmeter(int flag) > -{ > - static const char prefixes[] = " KMGTP"; > - static struct timeval lastupdate; > - static off_t lastsize; > - struct timeval now, td, wait; > - off_t cursize, abbrevsize; > - double elapsed; > - int ratio, barlength, i, remaining; > - char buf[256]; > - > - if (flag == -1) { > - (void) gettimeofday(&start, (struct timezone *) 0); > - lastupdate = start; > - lastsize = 0; > - } > - if (foregroundproc() == 0) > - return; > + progressmeter(statbytes, totalbytes, curfile); > + if (done == 0) { > + mysignal(SIGALRM, updateprogressmeter); > + alarm(PROGRESSTIME); > + } else > + alarm(0); > > - (void) gettimeofday(&now, (struct timezone *) 0); > - cursize = statbytes; > - if (totalbytes != 0) { > - ratio = 100.0 * cursize / totalbytes; > - ratio = MAX(ratio, 0); > - ratio = MIN(ratio, 100); > - } else > - ratio = 100; > - > - snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", curfile, ratio); > - > - barlength = getttywidth() - 51; > - barlength = (barlength <= MAX_BARLENGTH)?barlength:MAX_BARLENGTH; > - if (barlength > 0) { > - i = barlength * ratio / 100; > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > - "|%.*s%*s|", i, BAR, barlength - i, ""); > - } > - i = 0; > - abbrevsize = cursize; > - while (abbrevsize >= 100000 && i < sizeof(prefixes)) { > - i++; > - 
abbrevsize >>= 10; > - } > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5lu %c%c ", > - (unsigned long) abbrevsize, prefixes[i], > - prefixes[i] == ' ' ? ' ' : 'B'); > - > - timersub(&now, &lastupdate, &wait); > - if (cursize > lastsize) { > - lastupdate = now; > - lastsize = cursize; > - if (wait.tv_sec >= STALLTIME) { > - start.tv_sec += wait.tv_sec; > - start.tv_usec += wait.tv_usec; > - } > - wait.tv_sec = 0; > - } > - timersub(&now, &start, &td); > - elapsed = td.tv_sec + (td.tv_usec / 1000000.0); > - > - if (flag != 1 && > - (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) { > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > - " --:-- ETA"); > - } else if (wait.tv_sec >= STALLTIME) { > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > - " - stalled -"); > - } else { > - if (flag != 1) > - remaining = (int)(totalbytes / (statbytes / elapsed) - > - elapsed); > - else > - remaining = elapsed; > - > - i = remaining / 3600; > - if (i) > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > - "%2d:", i); > - else > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > - " "); > - i = remaining % 3600; > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > - "%02d:%02d%s", i / 60, i % 60, > - (flag != 1) ? " ETA" : " "); > - } > - atomicio(write, fileno(stdout), buf, strlen(buf)); > - > - if (flag == -1) { > - mysignal(SIGALRM, updateprogressmeter); > - alarm(PROGRESSTIME); > - } else if (flag == 1) { > - alarm(0); > - atomicio(write, fileno(stdout), "\n", 1); > - statbytes = 0; > - } > -} > - > -int > -getttywidth(void) > -{ > - struct winsize winsize; > - > - if (ioctl(fileno(stdout), TIOCGWINSZ, &winsize) != -1) > - return (winsize.ws_col ? winsize.ws_col : 80); > - else > - return (80); > + errno = save_errno; > } > diff -ur openssh-3.0.2p1/sftp-client.c openssh/sftp-client.c > --- openssh-3.0.2p1/sftp-client.c Wed Jul 18 10:45:45 2001 > +++ openssh/sftp-client.c Wed Feb 6 13:02:34 2002 
> @@ -49,6 +49,11 @@ > /* Message ID */ > static u_int msg_id = 1; > > +/* Progress Meter items */ > +off_t statbytes = 0; > +off_t totalbytes = 0; > +char *curfile = NULL; > + > static void > send_msg(int fd, Buffer *m) > { > @@ -671,7 +676,7 @@ > > int > do_download(int fd_in, int fd_out, char *remote_path, char *local_path, > - int pflag) > + int pflag, void (*progressbar)(int)) > { > int local_fd; > u_int expected_id, handle_len, mode, type, id; > @@ -724,6 +729,11 @@ > return(-1); > } > > + totalbytes = a->size; > + curfile = remote_path; > + if (progressbar) > + (progressbar)(0); > + > /* Read from remote and write to local */ > offset = 0; > for(;;) { > @@ -785,6 +795,7 @@ > > offset += len; > xfree(data); > + statbytes = offset; > } > status = do_close(fd_in, fd_out, handle, handle_len); > > @@ -807,15 +818,18 @@ > } > > done: > + if (progressbar) > + (progressbar)(1); > close(local_fd); > buffer_free(&msg); > xfree(handle); > + > return status; > } > > int > do_upload(int fd_in, int fd_out, char *local_path, char *remote_path, > - int pflag) > + int pflag, void (*progressbar)(int)) > { > int local_fd; > u_int handle_len, id; > @@ -865,6 +879,10 @@ > buffer_free(&msg); > return(-1); > } > + totalbytes = a.size; > + curfile = local_path; > + if (progressbar) > + (progressbar)(0); > > /* Read from local and write to remote */ > offset = 0; > @@ -908,6 +926,7 @@ > (u_int64_t)offset); > > offset += len; > + statbytes = offset; > } > > if (close(local_fd) == -1) { > @@ -925,8 +944,10 @@ > status = do_close(fd_in, fd_out, handle, handle_len); > > done: > + if (progressbar) > + (progressbar)(1); > xfree(handle); > buffer_free(&msg); > + > return status; > } > - > diff -ur openssh-3.0.2p1/sftp-client.h openssh/sftp-client.h > --- openssh-3.0.2p1/sftp-client.h Tue Jul 3 23:07:13 2001 > +++ openssh/sftp-client.h Wed Feb 6 13:02:34 2002 
> @@ -88,16 +88,14 @@ > /* Return target of symlink 'path' - caller must free result */ > char *do_readlink(int, int, char *); > > -/* XXX: add callbacks to do_download/do_upload so we can do progress meter */ > - > /* > * Download 'remote_path' to 'local_path'. Preserve permissions and times > * if 'pflag' is set > */ > -int do_download(int, int, char *, char *, int); > +int do_download(int, int, char *, char *, int, void (*)(int)); > > /* > * Upload 'local_path' to 'remote_path'. Preserve permissions and times > * if 'pflag' is set > */ > -int do_upload(int, int, char *, char *, int); > +int do_upload(int, int, char *, char *, int, void (*)(int)); > diff -ur openssh-3.0.2p1/sftp-int.c openssh/sftp-int.c > --- openssh-3.0.2p1/sftp-int.c Wed Aug 15 18:22:57 2001 > +++ openssh/sftp-int.c Wed Feb 6 13:02:34 2002 > @@ -32,6 +32,7 @@ > #include "xmalloc.h" > #include "log.h" > #include "pathnames.h" > +#include "misc.h" > > #include "sftp.h" > #include "sftp-common.h" > @@ -113,6 +114,24 @@ > }; > > static void > +updateprogressmeter(int done) > +{ > + int save_errno = errno; > + extern off_t statbytes; > + extern off_t totalbytes; > + extern char *curfile; > + > + progressmeter(statbytes, totalbytes, curfile); > + if (done == 0) { > + mysignal(SIGALRM, updateprogressmeter); > + alarm(PROGRESSTIME); > + } else > + alarm(0); > + > + errno = save_errno; > +} > + > +static void > help(void) > { > printf("Available commands:\n"); > @@ -380,8 +399,8 @@ > err = -1; > goto out; > } > - printf("Fetching %s to %s\n", g.gl_pathv[0], abs_dst); > - err = do_download(in, out, g.gl_pathv[0], abs_dst, pflag); > + err = do_download(in, out, g.gl_pathv[0], abs_dst, pflag, > + NULL); > goto out; > } 
> > @@ -404,8 +423,8 @@ > } else > abs_dst = tmp; > > - printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); > - if (do_download(in, out, g.gl_pathv[i], abs_dst, pflag) == -1) > + if (do_download(in, out, g.gl_pathv[i], abs_dst, pflag, > + updateprogressmeter) == -1) > err = -1; > xfree(abs_dst); > abs_dst = NULL; > @@ -462,8 +481,8 @@ > } > abs_dst = make_absolute(abs_dst, pwd); > } > - printf("Uploading %s to %s\n", g.gl_pathv[0], abs_dst); > - err = do_upload(in, out, g.gl_pathv[0], abs_dst, pflag); > + err = do_upload(in, out, g.gl_pathv[0], abs_dst, pflag, > + updateprogressmeter); > goto out; > } 
> > @@ -486,8 +505,8 @@ > } else > abs_dst = make_absolute(tmp, pwd); > > - printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); > - if (do_upload(in, out, g.gl_pathv[i], abs_dst, pflag) == -1) > + if (do_upload(in, out, g.gl_pathv[i], abs_dst, pflag, > + updateprogressmeter) == -1) > err = -1; > } > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- -DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. From Nicolas.Williams at ubsw.com Thu Feb 7 07:56:04 2002 
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Wed, 6 Feb 2002 15:56:04 -0500
Subject: signal transmission in ssh2
In-Reply-To: <20020131181824.A14818@folly>; from markus@openbsd.org on Thu, Jan 31, 2002 at 06:18:24PM +0100
References: <20020131181824.A14818@folly>
Message-ID: <20020206155602.W27398@sm2p1386swk.wdr.com>

On Thu, Jan 31, 2002 at 06:18:24PM +0100, Markus Friedl wrote:
> does somebody like this?

Should the client exit after passing the signal? Or should it wait, either for the server or for the [same?] signal to arrive again?

How about a ~k escape for passing a signal without having to send it to the client?

Nico
-- 
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

From mouring at etoh.eviladmin.org Thu Feb 7 07:31:44 2002
From: mouring at etoh.eviladmin.org (mouring)
Date: Wed, 6 Feb 2002 14:31:44 -0600 (CST)
Subject: SFTP Status Bar..
In-Reply-To: <20020206155339.V27398@sm2p1386swk.wdr.com> from Nicolas Williams at "Feb 6, 2002 03:53:41 pm"
Message-ID: <200202062031.g16KVi55022528@etoh.eviladmin.org>

> Works, though the patch to scp.c doesn't apply cleanly.
>
> Also, you're enabling the progress bar only on multiple transfers, not
> on one transfer. Perhaps there should be a separate sftp command to
> enable/disable the progress bar.
>
Interesting.. this is only true for 'get' and did not exist in my first version of the patch. Put is fine.. but starts off at 100% then starts counting right.

As for scp.c.. That is the strangest thing I've seen.. Why would the diffing fail to create a right patch.. That is strange indeed.

- Ben

From wendyp at cray.com Thu Feb 7 08:31:10 2002
From: wendyp at cray.com (Wendy Palm)
Date: Wed, 06 Feb 2002 15:31:10 -0600
Subject: SFTP Status Bar..
References: <200202061923.g16JNAGf005441@etoh.eviladmin.org>
Message-ID: <3C61A09E.922B5E79@cray.com>

how do you "turn it on"? is it automatic/default?

mouring wrote:
>
> This is the LAST version I plan on doing.. If I hear no feedback good
> or bad. Then I'll assume I've wasted my time on a feature that people
> whine about but don't care to try. This is against 3.0.2pX so it
> should be VERY easy for anyone to test.
>
> - Ben
>
> diff -ur openssh-3.0.2p1/misc.c openssh/misc.c > --- openssh-3.0.2p1/misc.c Tue Jul 3 23:46:58 2001 > +++ openssh/misc.c Wed Feb 6 13:15:55 2002 > @@ -30,6 +30,7 @@ > #include "misc.h" > #include "log.h" > #include "xmalloc.h" > +#include "atomicio.h" > > /* remove newline at end of string */ > char *
> @@ -304,6 +305,139 @@ > args->list = xrealloc(args->list, args->nalloc * sizeof(char *)); > args->list[args->num++] = xstrdup(buf); > args->list[args->num] = NULL; > +} > + > +/* scp/sftp progression meter (from src/usr.bin/ftp/util.c) */ > +static int > +foregroundproc(void) > +{ > + static pid_t pgrp = -1; > + int ctty_pgrp; > + > + if (pgrp == -1) > + pgrp = getpgrp(); > + > + return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 && > + ctty_pgrp == pgrp)); > +} > + > +int > +getttywidth(void) > +{ > + struct winsize winsize; > + > + if (ioctl(fileno(stdout), TIOCGWINSZ, &winsize) != -1) > + return (winsize.ws_col ? winsize.ws_col : 80); > + else > + return (80); > +} > + > +void > +progressmeter(off_t statbytes, off_t totalbytes, char *filename) > +{ > +#define STALLTIME 5 /* number of seconds before xfer assumed "stalled" */ > + static const char prefixes[] = " KMGTP"; > + static char *progressbar = NULL; > + static struct timeval *start = NULL, lastupdate; > + static off_t lastsize; > + static size_t progressbar_size = 0; > + struct timeval now, td, wait; > + off_t cursize, abbrevsize; > + double elapsed; > + int ratio, barlength, i, remaining; > + char buf[256]; > + > + if (!start) { > + start = xmalloc(sizeof(struct timeval)); > + (void) gettimeofday(start, (struct timezone *) 0); > + lastupdate = *start; > + lastsize = 0; > + } > + if (foregroundproc() == 0) > + return; > + > + (void) gettimeofday(&now, (struct timezone *) 0); > + cursize = statbytes; > + if (totalbytes != 0) { > + ratio = 100.0 * cursize / totalbytes; > + ratio = MAX(ratio, 0); > + ratio = MIN(ratio, 100); > + } else > + ratio = 100; > + > + barlength = getttywidth() - 51; > + if (barlength > progressbar_size) { > + progressbar_size = barlength; > + progressbar = xrealloc(progressbar, barlength); > + memset(progressbar, '*', barlength); > + } > + > + snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", > + (filename?filename:""), ratio); > + if (barlength > 0) { > + i = barlength * 
ratio / 100; > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > + "|%.*s%*s|", i, progressbar, barlength - i, ""); > + } > + i = 0; > + abbrevsize = cursize; > + while (abbrevsize >= 100000 && i < sizeof(prefixes)) { > + i++; > + abbrevsize >>= 10; > + } > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5llu %c%c ", > + (unsigned long long) abbrevsize, prefixes[i], > + prefixes[i] == ' ' ? ' ' : 'B'); > + > + timersub(&now, &lastupdate, &wait); > + if (cursize > lastsize) { > + lastupdate = now; > + lastsize = cursize; > + if (wait.tv_sec >= STALLTIME) { > + start->tv_sec += wait.tv_sec; > + start->tv_usec += wait.tv_usec; > + } > + wait.tv_sec = 0; > + } > + timersub(&now, start, &td); > + elapsed = td.tv_sec + (td.tv_usec / 1000000.0); > + > + if ((totalbytes != statbytes) && > + (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) { > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > + " --:-- ETA"); > + } else if (wait.tv_sec >= STALLTIME) { > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > + " - stalled -"); > + } else { > + if (totalbytes != statbytes) > + remaining = (int)(totalbytes / (statbytes / elapsed) - > + elapsed); > + else > + remaining = elapsed; > + > + i = remaining / 3600; > + if (i) > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > + "%2d:", i); > + else > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > + " "); > + i = remaining % 3600; > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > + "%02d:%02d%s", i / 60, i % 60, > + (totalbytes != statbytes) ? 
" ETA" : " "); > + } > + atomicio(write, fileno(stdout), buf, strlen(buf)); > + > + if (totalbytes == statbytes) { > + atomicio(write, fileno(stdout), "\n", 1); > + > + /* Clean up for next usage */ > + xfree(start); > + start = NULL; > + statbytes = 0; > + } > } > > mysig_t > Only in openssh: misc.c.orig > diff -ur openssh-3.0.2p1/misc.h openssh/misc.h > --- openssh-3.0.2p1/misc.h Wed Jul 4 12:25:55 2001 > +++ openssh/misc.h Wed Feb 6 13:02:33 2002 > @@ -29,7 +29,11 @@ > int num; > int nalloc; > }; > + > void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); > +void progressmeter(off_t statbytes, off_t totalbytes, char *curfile); > + > +#define PROGRESSTIME 1 /* alarm() interval for updating progress meter */ > > /* wrapper for signal interface */ > typedef void (*mysig_t)(int); > diff -ur openssh-3.0.2p1/scp.c openssh/scp.c > --- openssh-3.0.2p1/scp.c Sun Oct 21 19:53:59 2001 > +++ openssh/scp.c Wed Feb 6 13:07:33 2002 
> @@ -89,32 +89,12 @@ > char *__progname; > #endif > > -/* For progressmeter() -- number of seconds before xfer considered "stalled" */ > -#define STALLTIME 5 > -/* alarm() interval for updating progress meter */ > -#define PROGRESSTIME 1 > - > -/* Progress meter bar */ > -#define BAR \ > - "************************************************************"\ > - "************************************************************"\ > - "************************************************************"\ > - "************************************************************" > -#define MAX_BARLENGTH (sizeof(BAR) - 1) > - > -/* Visual statistics about files as they are transferred. */ > -void progressmeter(int); > - > -/* Returns width of the terminal (for progress meter calculations). */ > -int getttywidth(void); > +static void updateprogressmeter(int done); > int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc); > > /* Struct for addargs */ > arglist args; > > -/* Time a transfer started. */ > -static struct timeval start; > - > /* Number of bytes of current file transferred so far. */ > volatile off_t statbytes; > > @@ -569,7 +549,7 @@ > } > if (showprogress) { > totalbytes = stb.st_size; > - progressmeter(-1); > + updateprogressmeter(0); > } > /* Keep writing after an error so that we stay sync'd up. */ > for (haderr = i = 0; i < stb.st_size; i += bp->cnt) { > @@ -591,7 +571,7 @@ > } > } > if (showprogress) > - progressmeter(1); > + updateprogressmeter(1); > > if (close(fd) < 0 && !haderr) > haderr = errno; > @@ -835,7 +815,7 @@ > > if (showprogress) { > totalbytes = size; > - progressmeter(-1); > + updateprogressmeter(0); > } > statbytes = 0; > for (count = i = 0; i < size; i += 4096) { > @@ -871,7 +851,8 @@ > } > } > if (showprogress) > - progressmeter(1); > + updateprogressmeter(1); > + > if (count != 0 && wrerr == NO && > (j = atomicio(write, ofd, bp->buf, count)) != count) { > wrerr = YES; 
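Review bot: in the misc.c progressmeter() hunk (@@ -304,6 +305,139 @@) above, `barlength = getttywidth() - 51` goes negative on a terminal narrower than 51 columns, and `if (barlength > progressbar_size)` compares an int against a size_t, so the negative value converts to a huge unsigned number, passes the test, and reaches `xrealloc(progressbar, barlength)` and `memset(progressbar, '*', barlength)` with that length; the `if (barlength > 0)` guard comes too late. Clamp first (`if (barlength < 0) barlength = 0;`), or move the realloc and memset inside the `barlength > 0` block, and make progressbar_size an int so the comparison is signed. Two smaller points in the same hunk: the closing `statbytes = 0;` under "Clean up for next usage" assigns to the off_t parameter rather than to any caller's global, so it is a no-op and the comment misleads; and foregroundproc() here keeps only the `ioctl(STDOUT_FILENO, TIOCGPGRP, ...)` branch, while the scp.c copy deleted in the @@ -1079,140 +1060,17 @@ hunk also had an `#ifdef HAVE_TCGETPGRP` tcgetpgrp() path, so that portability fallback is lost in the move.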
> @@ -1079,140 +1060,17 @@ > } > > static void > -updateprogressmeter(int ignore) > +updateprogressmeter(int done) > { > - int save_errno = errno; > - > - progressmeter(0); > - mysignal(SIGALRM, updateprogressmeter); > - alarm(PROGRESSTIME); > - errno = save_errno; > -} > - > -static int > -foregroundproc(void) > -{ > - static pid_t pgrp = -1; > - int ctty_pgrp; > - > - if (pgrp == -1) > - pgrp = getpgrp(); > + int save_errno = errno; > > -#ifdef HAVE_TCGETPGRP > - return ((ctty_pgrp = tcgetpgrp(STDOUT_FILENO)) != -1 && > - ctty_pgrp == pgrp); > -#else > - return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 && > - ctty_pgrp == pgrp)); > -#endif > -} > > -void > -progressmeter(int flag) > -{ > - static const char prefixes[] = " KMGTP"; > - static struct timeval lastupdate; > - static off_t lastsize; > - struct timeval now, td, wait; > - off_t cursize, abbrevsize; > - double elapsed; > - int ratio, barlength, i, remaining; > - char buf[256]; > - > - if (flag == -1) { > - (void) gettimeofday(&start, (struct timezone *) 0); > - lastupdate = start; > - lastsize = 0; > - } > - if (foregroundproc() == 0) > - return; > + progressmeter(statbytes, totalbytes, curfile); > + if (done == 0) { > + mysignal(SIGALRM, updateprogressmeter); > + alarm(PROGRESSTIME); > + } else > + alarm(0); > > - (void) gettimeofday(&now, (struct timezone *) 0); > - cursize = statbytes; > - if (totalbytes != 0) { > - ratio = 100.0 * cursize / totalbytes; > - ratio = MAX(ratio, 0); > - ratio = MIN(ratio, 100); > - } else > - ratio = 100; > - > - snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", curfile, ratio); > - > - barlength = getttywidth() - 51; > - barlength = (barlength <= MAX_BARLENGTH)?barlength:MAX_BARLENGTH; > - if (barlength > 0) { > - i = barlength * ratio / 100; > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > - "|%.*s%*s|", i, BAR, barlength - i, ""); > - } > - i = 0; > - abbrevsize = cursize; > - while (abbrevsize >= 100000 && i < sizeof(prefixes)) { > - i++; > - 
abbrevsize >>= 10; > - } > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5lu %c%c ", > - (unsigned long) abbrevsize, prefixes[i], > - prefixes[i] == ' ' ? ' ' : 'B'); > - > - timersub(&now, &lastupdate, &wait); > - if (cursize > lastsize) { > - lastupdate = now; > - lastsize = cursize; > - if (wait.tv_sec >= STALLTIME) { > - start.tv_sec += wait.tv_sec; > - start.tv_usec += wait.tv_usec; > - } > - wait.tv_sec = 0; > - } > - timersub(&now, &start, &td); > - elapsed = td.tv_sec + (td.tv_usec / 1000000.0); > - > - if (flag != 1 && > - (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) { > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > - " --:-- ETA"); > - } else if (wait.tv_sec >= STALLTIME) { > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > - " - stalled -"); > - } else { > - if (flag != 1) > - remaining = (int)(totalbytes / (statbytes / elapsed) - > - elapsed); > - else > - remaining = elapsed; > - > - i = remaining / 3600; > - if (i) > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > - "%2d:", i); > - else > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > - " "); > - i = remaining % 3600; > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > - "%02d:%02d%s", i / 60, i % 60, > - (flag != 1) ? " ETA" : " "); > - } > - atomicio(write, fileno(stdout), buf, strlen(buf)); > - > - if (flag == -1) { > - mysignal(SIGALRM, updateprogressmeter); > - alarm(PROGRESSTIME); > - } else if (flag == 1) { > - alarm(0); > - atomicio(write, fileno(stdout), "\n", 1); > - statbytes = 0; > - } > -} > - > -int > -getttywidth(void) > -{ > - struct winsize winsize; > - > - if (ioctl(fileno(stdout), TIOCGWINSZ, &winsize) != -1) > - return (winsize.ws_col ? winsize.ws_col : 80); > - else > - return (80); > + errno = save_errno; > } > diff -ur openssh-3.0.2p1/sftp-client.c openssh/sftp-client.c > --- openssh-3.0.2p1/sftp-client.c Wed Jul 18 10:45:45 2001 > +++ openssh/sftp-client.c Wed Feb 6 13:02:34 2002 
> @@ -49,6 +49,11 @@ > /* Message ID */ > static u_int msg_id = 1; > > +/* Progress Meter items */ > +off_t statbytes = 0; > +off_t totalbytes = 0; > +char *curfile = NULL; > + > static void > send_msg(int fd, Buffer *m) > { > @@ -671,7 +676,7 @@ > > int > do_download(int fd_in, int fd_out, char *remote_path, char *local_path, > - int pflag) > + int pflag, void (*progressbar)(int)) > { > int local_fd; > u_int expected_id, handle_len, mode, type, id; > @@ -724,6 +729,11 @@ > return(-1); > } > > + totalbytes = a->size; > + curfile = remote_path; > + if (progressbar) > + (progressbar)(0); > + > /* Read from remote and write to local */ > offset = 0; > for(;;) { > @@ -785,6 +795,7 @@ > > offset += len; > xfree(data); > + statbytes = offset; > } > status = do_close(fd_in, fd_out, handle, handle_len); > > @@ -807,15 +818,18 @@ > } > > done: > + if (progressbar) > + (progressbar)(1); > close(local_fd); > buffer_free(&msg); > xfree(handle); > + > return status; > } > > int > do_upload(int fd_in, int fd_out, char *local_path, char *remote_path, > - int pflag) > + int pflag, void (*progressbar)(int)) > { > int local_fd; > u_int handle_len, id; > @@ -865,6 +879,10 @@ > buffer_free(&msg); > return(-1); > } > + totalbytes = a.size; > + curfile = local_path; > + if (progressbar) > + (progressbar)(0); > > /* Read from local and write to remote */ > offset = 0; > @@ -908,6 +926,7 @@ > (u_int64_t)offset); > > offset += len; > + statbytes = offset; > } > > if (close(local_fd) == -1) { > @@ -925,8 +944,10 @@ > status = do_close(fd_in, fd_out, handle, handle_len); > > done: > + if (progressbar) > + (progressbar)(1); > xfree(handle); > buffer_free(&msg); > + > return status; > } > - > diff -ur openssh-3.0.2p1/sftp-client.h openssh/sftp-client.h > --- openssh-3.0.2p1/sftp-client.h Tue Jul 3 23:07:13 2001 > +++ openssh/sftp-client.h Wed Feb 6 13:02:34 2002 
> @@ -88,16 +88,14 @@ > /* Return target of symlink 'path' - caller must free result */ > char *do_readlink(int, int, char *); > > -/* XXX: add callbacks to do_download/do_upload so we can do progress meter */ > - > /* > * Download 'remote_path' to 'local_path'. Preserve permissions and times > * if 'pflag' is set > */ > -int do_download(int, int, char *, char *, int); > +int do_download(int, int, char *, char *, int, void (*)(int)); > > /* > * Upload 'local_path' to 'remote_path'. Preserve permissions and times > * if 'pflag' is set > */ > -int do_upload(int, int, char *, char *, int); > +int do_upload(int, int, char *, char *, int, void (*)(int)); > diff -ur openssh-3.0.2p1/sftp-int.c openssh/sftp-int.c > --- openssh-3.0.2p1/sftp-int.c Wed Aug 15 18:22:57 2001 > +++ openssh/sftp-int.c Wed Feb 6 13:02:34 2002 > @@ -32,6 +32,7 @@ > #include "xmalloc.h" > #include "log.h" > #include "pathnames.h" > +#include "misc.h" > > #include "sftp.h" > #include "sftp-common.h" > @@ -113,6 +114,24 @@ > }; > > static void > +updateprogressmeter(int done) > +{ > + int save_errno = errno; > + extern off_t statbytes; > + extern off_t totalbytes; > + extern char *curfile; > + > + progressmeter(statbytes, totalbytes, curfile); > + if (done == 0) { > + mysignal(SIGALRM, updateprogressmeter); > + alarm(PROGRESSTIME); > + } else > + alarm(0); > + > + errno = save_errno; > +} > + > +static void > help(void) > { > printf("Available commands:\n"); > @@ -380,8 +399,8 @@ > err = -1; > goto out; > } > - printf("Fetching %s to %s\n", g.gl_pathv[0], abs_dst); > - err = do_download(in, out, g.gl_pathv[0], abs_dst, pflag); > + err = do_download(in, out, g.gl_pathv[0], abs_dst, pflag, > + NULL); > goto out; > } 
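Review bot: in the sftp-client.c @@ -724,6 +729,11 @@ and @@ -865,6 +879,10 @@ hunks, statbytes is never reset to 0 before the first `(progressbar)(0)` call, so for the second file of a batch it still holds the previous file's final offset (the `statbytes = 0;` at the end of progressmeter() in misc.c writes its own parameter, not this global); the first update is then drawn with the old byte count, which is consistent with the "starts off at 100% then starts counting right" report in this thread. Add `statbytes = 0;` beside `totalbytes = a->size;` (and beside `totalbytes = a.size;` in do_upload) before the callback is invoked. Separately, these globals are written in the transfer loop and read from the SIGALRM handler, so they should be `volatile off_t` (as scp.c's `volatile off_t statbytes;` already is) both in the definitions added in the @@ -49,6 +49,11 @@ hunk and in the `extern` declarations in sftp-int.c; and the handler path (updateprogressmeter → progressmeter) calls xmalloc, xrealloc, xfree and snprintf while the interrupted loop may itself be inside xmalloc or the `xfree(data)` visible in @@ -785,6 +795,7 @@, none of which is async-signal-safe. scp.c already had that exposure, but the allocations newly placed inside progressmeter() widen it; allocating the bar once outside the handler, or having the handler only set a flag that the transfer loop polls, would close it.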
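Review bot: the sftp-int.c @@ -380,8 +399,8 @@ hunk passes `NULL` as the new callback argument for the single-file get (`do_download(in, out, g.gl_pathv[0], abs_dst, pflag, NULL)`), while the multi-file loop in @@ -404,8 +423,8 @@ passes `updateprogressmeter`, and the upload hunks @@ -462,8 +481,8 @@ and @@ -486,8 +505,8 @@ pass it in both cases; that asymmetry is why a single `get` shows no meter while `put` does. Pass `updateprogressmeter` here as well, or pass a variable so a later enable/disable command can select NULL in one place. Also, deleting the `printf("Fetching %s to %s\n", ...)` and `printf("Uploading %s to %s\n", ...)` lines leaves no per-file output at all when the meter is suppressed (callback NULL, or foregroundproc() returning 0 because sftp is in the background), so keep that message when no callback is supplied or print it from the callback's first invocation.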
> > @@ -404,8 +423,8 @@ > } else > abs_dst = tmp; > > - printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); > - if (do_download(in, out, g.gl_pathv[i], abs_dst, pflag) == -1) > + if (do_download(in, out, g.gl_pathv[i], abs_dst, pflag, > + updateprogressmeter) == -1) > err = -1; > xfree(abs_dst); > abs_dst = NULL; > @@ -462,8 +481,8 @@ > } > abs_dst = make_absolute(abs_dst, pwd); > } > - printf("Uploading %s to %s\n", g.gl_pathv[0], abs_dst); > - err = do_upload(in, out, g.gl_pathv[0], abs_dst, pflag); > + err = do_upload(in, out, g.gl_pathv[0], abs_dst, pflag, > + updateprogressmeter); > goto out; > } > > @@ -486,8 +505,8 @@ > } else > abs_dst = make_absolute(tmp, pwd); > > - printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); > - if (do_upload(in, out, g.gl_pathv[i], abs_dst, pflag) == -1) > + if (do_upload(in, out, g.gl_pathv[i], abs_dst, pflag, > + updateprogressmeter) == -1) > err = -1; > } > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From mouring at etoh.eviladmin.org Thu Feb 7 07:56:54 2002 
From: mouring at etoh.eviladmin.org (mouring)
Date: Wed, 6 Feb 2002 14:56:54 -0600 (CST)
Subject: SFTP Status Bar..
In-Reply-To: <3C61A09E.922B5E79@cray.com> from Wendy Palm at "Feb 6, 2002 03:31:10 pm"
Message-ID: <200202062056.g16Kusci002742@etoh.eviladmin.org>

It is default on, but as William pointed out single gets seem not to trigger it for some odd reason (looking into it now).

- Ben

> how do you "turn it on"? is it automatic/default?
>
> mouring wrote:
> >
> > This is the LAST version I plan on doing.. If I hear no feedback good
> > or bad. Then I'll assume I've wasted my time on a feature that people
> > whine about but don't care to try. This is against 3.0.2pX so it
> > should be VERY easy for anyone to test.
> >
> > - Ben
> >
> > diff -ur openssh-3.0.2p1/misc.c openssh/misc.c > > --- openssh-3.0.2p1/misc.c Tue Jul 3 23:46:58 2001 > > +++ openssh/misc.c Wed Feb 6 13:15:55 2002 > > @@ -30,6 +30,7 @@ > > #include "misc.h" > > #include "log.h" > > #include "xmalloc.h" > > +#include "atomicio.h" > > > > /* remove newline at end of string */ > > char *
> > @@ -304,6 +305,139 @@ > > args->list = xrealloc(args->list, args->nalloc * sizeof(char *)); > > args->list[args->num++] = xstrdup(buf); > > args->list[args->num] = NULL; > > +} > > + > > +/* scp/sftp progression meter (from src/usr.bin/ftp/util.c) */ > > +static int > > +foregroundproc(void) > > +{ > > + static pid_t pgrp = -1; > > + int ctty_pgrp; > > + > > + if (pgrp == -1) > > + pgrp = getpgrp(); > > + > > + return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 && > > + ctty_pgrp == pgrp)); > > +} > > + > > +int > > +getttywidth(void) > > +{ > > + struct winsize winsize; > > + > > + if (ioctl(fileno(stdout), TIOCGWINSZ, &winsize) != -1) > > + return (winsize.ws_col ? winsize.ws_col : 80); > > + else > > + return (80); > > +} > > + > > +void > > +progressmeter(off_t statbytes, off_t totalbytes, char *filename) > > +{ > > +#define STALLTIME 5 /* number of seconds before xfer assumed "stalled" */ > > + static const char prefixes[] = " KMGTP"; > > + static char *progressbar = NULL; > > + static struct timeval *start = NULL, lastupdate; > > + static off_t lastsize; > > + static size_t progressbar_size = 0; > > + struct timeval now, td, wait; > > + off_t cursize, abbrevsize; > > + double elapsed; > > + int ratio, barlength, i, remaining; > > + char buf[256]; > > + > > + if (!start) { > > + start = xmalloc(sizeof(struct timeval)); > > + (void) gettimeofday(start, (struct timezone *) 0); > > + lastupdate = *start; > > + lastsize = 0; > > + } > > + if (foregroundproc() == 0) > > + return; > > + > > + (void) gettimeofday(&now, (struct timezone *) 0); > > + cursize = statbytes; > > + if (totalbytes != 0) { > > + ratio = 100.0 * cursize / totalbytes; > > + ratio = MAX(ratio, 0); > > + ratio = MIN(ratio, 100); > > + } else > > + ratio = 100; > > + > > + barlength = getttywidth() - 51; > > + if (barlength > progressbar_size) { > > + progressbar_size = barlength; > > + progressbar = xrealloc(progressbar, barlength); > > + memset(progressbar, '*', barlength); > > + } > 
> + > > + snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", > > + (filename?filename:""), ratio); > > + if (barlength > 0) { > > + i = barlength * ratio / 100; > > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > > + "|%.*s%*s|", i, progressbar, barlength - i, ""); > > + } > > + i = 0; > > + abbrevsize = cursize; > > + while (abbrevsize >= 100000 && i < sizeof(prefixes)) { > > + i++; > > + abbrevsize >>= 10; > > + } > > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5llu %c%c ", > > + (unsigned long long) abbrevsize, prefixes[i], > > + prefixes[i] == ' ' ? ' ' : 'B'); > > + > > + timersub(&now, &lastupdate, &wait); > > + if (cursize > lastsize) { > > + lastupdate = now; > > + lastsize = cursize; > > + if (wait.tv_sec >= STALLTIME) { > > + start->tv_sec += wait.tv_sec; > > + start->tv_usec += wait.tv_usec; > > + } > > + wait.tv_sec = 0; > > + } > > + timersub(&now, start, &td); > > + elapsed = td.tv_sec + (td.tv_usec / 1000000.0); > > + > > + if ((totalbytes != statbytes) && > > + (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) { > > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > > + " --:-- ETA"); > > + } else if (wait.tv_sec >= STALLTIME) { > > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > > + " - stalled -"); > > + } else { > > + if (totalbytes != statbytes) > > + remaining = (int)(totalbytes / (statbytes / elapsed) - > > + elapsed); > > + else > > + remaining = elapsed; > > + > > + i = remaining / 3600; > > + if (i) > > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > > + "%2d:", i); > > + else > > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > > + " "); > > + i = remaining % 3600; > > + snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > > + "%02d:%02d%s", i / 60, i % 60, > > + (totalbytes != statbytes) ? 
" ETA" : " "); > > + } > > + atomicio(write, fileno(stdout), buf, strlen(buf)); > > + > > + if (totalbytes == statbytes) { > > + atomicio(write, fileno(stdout), "\n", 1); > > + > > + /* Clean up for next usage */ > > + xfree(start); > > + start = NULL; > > + statbytes = 0; > > + } > > } > > > > mysig_t > > Only in openssh: misc.c.orig > > diff -ur openssh-3.0.2p1/misc.h openssh/misc.h > > --- openssh-3.0.2p1/misc.h Wed Jul 4 12:25:55 2001 > > +++ openssh/misc.h Wed Feb 6 13:02:33 2002 > > @@ -29,7 +29,11 @@ > > int num; > > int nalloc; > > }; > > + > > void addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3))); > > +void progressmeter(off_t statbytes, off_t totalbytes, char *curfile); > > + > > +#define PROGRESSTIME 1 /* alarm() interval for updating progress meter */ > > > > /* wrapper for signal interface */ > > typedef void (*mysig_t)(int); > > diff -ur openssh-3.0.2p1/scp.c openssh/scp.c > > --- openssh-3.0.2p1/scp.c Sun Oct 21 19:53:59 2001 > > +++ openssh/scp.c Wed Feb 6 13:07:33 2002 
> > @@ -89,32 +89,12 @@ > > char *__progname; > > #endif > > > > -/* For progressmeter() -- number of seconds before xfer considered "stalled" */ > > -#define STALLTIME 5 > > -/* alarm() interval for updating progress meter */ > > -#define PROGRESSTIME 1 > > - > > -/* Progress meter bar */ > > -#define BAR \ > > - "************************************************************"\ > > - "************************************************************"\ > > - "************************************************************"\ > > - "************************************************************" > > -#define MAX_BARLENGTH (sizeof(BAR) - 1) > > - > > -/* Visual statistics about files as they are transferred. */ > > -void progressmeter(int); > > - > > -/* Returns width of the terminal (for progress meter calculations). */ > > -int getttywidth(void); > > +static void updateprogressmeter(int done); > > int do_cmd(char *host, char *remuser, char *cmd, int *fdin, int *fdout, int argc); > > > > /* Struct for addargs */ > > arglist args; > > > > -/* Time a transfer started. */ > > -static struct timeval start; > > - > > /* Number of bytes of current file transferred so far. */ > > volatile off_t statbytes; > > > > @@ -569,7 +549,7 @@ > > } > > if (showprogress) { > > totalbytes = stb.st_size; > > - progressmeter(-1); > > + updateprogressmeter(0); > > } > > /* Keep writing after an error so that we stay sync'd up. */ > > for (haderr = i = 0; i < stb.st_size; i += bp->cnt) { > > @@ -591,7 +571,7 @@ > > } > > } > > if (showprogress) > > - progressmeter(1); > > + updateprogressmeter(1); > > > > if (close(fd) < 0 && !haderr) > > haderr = errno; > > @@ -835,7 +815,7 @@ > > > > if (showprogress) { > > totalbytes = size; > > - progressmeter(-1); > > + updateprogressmeter(0); > > } > > statbytes = 0; > > for (count = i = 0; i < size; i += 4096) { 
> > @@ -871,7 +851,8 @@ > > } > > } > > if (showprogress) > > - progressmeter(1); > > + updateprogressmeter(1); > > + > > if (count != 0 && wrerr == NO && > > (j = atomicio(write, ofd, bp->buf, count)) != count) { > > wrerr = YES; 
> > @@ -1079,140 +1060,17 @@ > > } > > > > static void > > -updateprogressmeter(int ignore) > > +updateprogressmeter(int done) > > { > > - int save_errno = errno; > > - > > - progressmeter(0); > > - mysignal(SIGALRM, updateprogressmeter); > > - alarm(PROGRESSTIME); > > - errno = save_errno; > > -} > > - > > -static int > > -foregroundproc(void) > > -{ > > - static pid_t pgrp = -1; > > - int ctty_pgrp; > > - > > - if (pgrp == -1) > > - pgrp = getpgrp(); > > + int save_errno = errno; > > > > -#ifdef HAVE_TCGETPGRP > > - return ((ctty_pgrp = tcgetpgrp(STDOUT_FILENO)) != -1 && > > - ctty_pgrp == pgrp); > > -#else > > - return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 && > > - ctty_pgrp == pgrp)); > > -#endif > > -} > > > > -void > > -progressmeter(int flag) > > -{ > > - static const char prefixes[] = " KMGTP"; > > - static struct timeval lastupdate; > > - static off_t lastsize; > > - struct timeval now, td, wait; > > - off_t cursize, abbrevsize; > > - double elapsed; > > - int ratio, barlength, i, remaining; > > - char buf[256]; > > - > > - if (flag == -1) { > > - (void) gettimeofday(&start, (struct timezone *) 0); > > - lastupdate = start; > > - lastsize = 0; > > - } > > - if (foregroundproc() == 0) > > - return; > > + progressmeter(statbytes, totalbytes, curfile); > > + if (done == 0) { > > + mysignal(SIGALRM, updateprogressmeter); > > + alarm(PROGRESSTIME); > > + } else > > + alarm(0); > > > > - (void) gettimeofday(&now, (struct timezone *) 0); > > - cursize = statbytes; > > - if (totalbytes != 0) { > > - ratio = 100.0 * cursize / totalbytes; > > - ratio = MAX(ratio, 0); > > - ratio = MIN(ratio, 100); > > - } else > > - ratio = 100; > > - > > - snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", curfile, ratio); > > - > > - barlength = getttywidth() - 51; > > - barlength = (barlength <= MAX_BARLENGTH)?barlength:MAX_BARLENGTH; > > - if (barlength > 0) { > > - i = barlength * ratio / 100; > > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > > - 
"|%.*s%*s|", i, BAR, barlength - i, ""); > > - } > > - i = 0; > > - abbrevsize = cursize; > > - while (abbrevsize >= 100000 && i < sizeof(prefixes)) { > > - i++; > > - abbrevsize >>= 10; > > - } > > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5lu %c%c ", > > - (unsigned long) abbrevsize, prefixes[i], > > - prefixes[i] == ' ' ? ' ' : 'B'); > > - > > - timersub(&now, &lastupdate, &wait); > > - if (cursize > lastsize) { > > - lastupdate = now; > > - lastsize = cursize; > > - if (wait.tv_sec >= STALLTIME) { > > - start.tv_sec += wait.tv_sec; > > - start.tv_usec += wait.tv_usec; > > - } > > - wait.tv_sec = 0; > > - } > > - timersub(&now, &start, &td); > > - elapsed = td.tv_sec + (td.tv_usec / 1000000.0); > > - > > - if (flag != 1 && > > - (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) { > > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > > - " --:-- ETA"); > > - } else if (wait.tv_sec >= STALLTIME) { > > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > > - " - stalled -"); > > - } else { > > - if (flag != 1) > > - remaining = (int)(totalbytes / (statbytes / elapsed) - > > - elapsed); > > - else > > - remaining = elapsed; > > - > > - i = remaining / 3600; > > - if (i) > > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > > - "%2d:", i); > > - else > > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > > - " "); > > - i = remaining % 3600; > > - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), > > - "%02d:%02d%s", i / 60, i % 60, > > - (flag != 1) ? 
" ETA" : " "); > > - } > > - atomicio(write, fileno(stdout), buf, strlen(buf)); > > - > > - if (flag == -1) { > > - mysignal(SIGALRM, updateprogressmeter); > > - alarm(PROGRESSTIME); > > - } else if (flag == 1) { > > - alarm(0); > > - atomicio(write, fileno(stdout), "\n", 1); > > - statbytes = 0; > > - } > > -} > > - > > -int > > -getttywidth(void) > > -{ > > - struct winsize winsize; > > - > > - if (ioctl(fileno(stdout), TIOCGWINSZ, &winsize) != -1) > > - return (winsize.ws_col ? winsize.ws_col : 80); > > - else > > - return (80); > > + errno = save_errno; > > } > > diff -ur openssh-3.0.2p1/sftp-client.c openssh/sftp-client.c > > --- openssh-3.0.2p1/sftp-client.c Wed Jul 18 10:45:45 2001 > > +++ openssh/sftp-client.c Wed Feb 6 13:02:34 2002 > > @@ -49,6 +49,11 @@ > > /* Message ID */ > > static u_int msg_id = 1; > > > > +/* Progress Meter items */ > > +off_t statbytes = 0; > > +off_t totalbytes = 0; > > +char *curfile = NULL; > > + > > static void > > send_msg(int fd, Buffer *m) > > { > > @@ -671,7 +676,7 @@ > > > > int > > do_download(int fd_in, int fd_out, char *remote_path, char *local_path, > > - int pflag) > > + int pflag, void (*progressbar)(int)) > > { > > int local_fd; > > u_int expected_id, handle_len, mode, type, id; > > @@ -724,6 +729,11 @@ > > return(-1); > > } > > > > + totalbytes = a->size; > > + curfile = remote_path; > > + if (progressbar) > > + (progressbar)(0); > > + > > /* Read from remote and write to local */ > > offset = 0; > > for(;;) { > > @@ -785,6 +795,7 @@ > > > > offset += len; > > xfree(data); > > + statbytes = offset; > > } > > status = do_close(fd_in, fd_out, handle, handle_len); 
> > > > @@ -807,15 +818,18 @@ > > } > > > > done: > > + if (progressbar) > > + (progressbar)(1); > > close(local_fd); > > buffer_free(&msg); > > xfree(handle); > > + > > return status; > > } > > > > int > > do_upload(int fd_in, int fd_out, char *local_path, char *remote_path, > > - int pflag) > > + int pflag, void (*progressbar)(int)) > > { > > int local_fd; > > u_int handle_len, id; > > @@ -865,6 +879,10 @@ > > buffer_free(&msg); > > return(-1); > > } > > + totalbytes = a.size; > > + curfile = local_path; > > + if (progressbar) > > + (progressbar)(0); > > > > /* Read from local and write to remote */ > > offset = 0; > > @@ -908,6 +926,7 @@ > > (u_int64_t)offset); > > > > offset += len; > > + statbytes = offset; > > } > > > > if (close(local_fd) == -1) { > > @@ -925,8 +944,10 @@ > > status = do_close(fd_in, fd_out, handle, handle_len); > > > > done: > > + if (progressbar) > > + (progressbar)(1); > > xfree(handle); > > buffer_free(&msg); > > + > > return status; > > } > > - > > diff -ur openssh-3.0.2p1/sftp-client.h openssh/sftp-client.h > > --- openssh-3.0.2p1/sftp-client.h Tue Jul 3 23:07:13 2001 > > +++ openssh/sftp-client.h Wed Feb 6 13:02:34 2002 
> > @@ -88,16 +88,14 @@ > > /* Return target of symlink 'path' - caller must free result */ > > char *do_readlink(int, int, char *); > > > > -/* XXX: add callbacks to do_download/do_upload so we can do progress meter */ > > - > > /* > > * Download 'remote_path' to 'local_path'. Preserve permissions and times > > * if 'pflag' is set > > */ > > -int do_download(int, int, char *, char *, int); > > +int do_download(int, int, char *, char *, int, void (*)(int)); > > > > /* > > * Upload 'local_path' to 'remote_path'. Preserve permissions and times > > * if 'pflag' is set > > */ > > -int do_upload(int, int, char *, char *, int); > > +int do_upload(int, int, char *, char *, int, void (*)(int)); > > diff -ur openssh-3.0.2p1/sftp-int.c openssh/sftp-int.c > > --- openssh-3.0.2p1/sftp-int.c Wed Aug 15 18:22:57 2001 > > +++ openssh/sftp-int.c Wed Feb 6 13:02:34 2002 > > @@ -32,6 +32,7 @@ > > #include "xmalloc.h" > > #include "log.h" > > #include "pathnames.h" > > +#include "misc.h" > > > > #include "sftp.h" > > #include "sftp-common.h" > > @@ -113,6 +114,24 @@ > > }; > > > > static void > > +updateprogressmeter(int done) > > +{ > > + int save_errno = errno; > > + extern off_t statbytes; > > + extern off_t totalbytes; > > + extern char *curfile; > > + > > + progressmeter(statbytes, totalbytes, curfile); > > + if (done == 0) { > > + mysignal(SIGALRM, updateprogressmeter); > > + alarm(PROGRESSTIME); > > + } else > > + alarm(0); > > + > > + errno = save_errno; > > +} > > + > > +static void > > help(void) > > { > > printf("Available commands:\n"); > > @@ -380,8 +399,8 @@ > > err = -1; > > goto out; > > } > > - printf("Fetching %s to %s\n", g.gl_pathv[0], abs_dst); > > - err = do_download(in, out, g.gl_pathv[0], abs_dst, pflag); > > + err = do_download(in, out, g.gl_pathv[0], abs_dst, pflag, > > + NULL); > > goto out; > > } 
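Review bot: in the `@@ -113,6 +114,24 @@` hunk of sftp-int.c, updateprogressmeter() is installed as the SIGALRM handler (`mysignal(SIGALRM, updateprogressmeter); alarm(PROGRESSTIME);`) and calls progressmeter(), which, judging by the scp.c copy being removed at the top of this patch, formats its line with snprintf() and then writes it; snprintf() is not async-signal-safe, and the handler can fire inside any libc call made by do_download/do_upload, so the meter can corrupt stdio state or deadlock. Drive it from the transfer loop instead: call the callback after every chunk and let it decide whether enough wall-clock time has passed since the last redraw, which also removes the alarm() bookkeeping and the errno save/restore.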
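Review bot: the single-match `get` path in the `@@ -380,8 +399,8 @@` hunk passes `NULL` as the callback (`err = do_download(in, out, g.gl_pathv[0], abs_dst, pflag, NULL);`) while the other three call sites pass `updateprogressmeter`, so a plain `get file` shows no meter at all; pass `updateprogressmeter` here too. The same hunk also drops the `printf("Fetching %s to %s\n", ...)` line, and the callback is only handed `curfile` (the remote path), so the local destination is no longer reported anywhere; keep that message, or include the destination in what the meter prints.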
> > > > @@ -404,8 +423,8 @@ > > } else > > abs_dst = tmp; > > > > - printf("Fetching %s to %s\n", g.gl_pathv[i], abs_dst); > > - if (do_download(in, out, g.gl_pathv[i], abs_dst, pflag) == -1) > > + if (do_download(in, out, g.gl_pathv[i], abs_dst, pflag, > > + updateprogressmeter) == -1) > > err = -1; > > xfree(abs_dst); > > abs_dst = NULL; > > @@ -462,8 +481,8 @@ > > } > > abs_dst = make_absolute(abs_dst, pwd); > > } > > - printf("Uploading %s to %s\n", g.gl_pathv[0], abs_dst); > > - err = do_upload(in, out, g.gl_pathv[0], abs_dst, pflag); > > + err = do_upload(in, out, g.gl_pathv[0], abs_dst, pflag, > > + updateprogressmeter); > > goto out; > > } > > > > @@ -486,8 +505,8 @@ > > } else > > abs_dst = make_absolute(tmp, pwd); > > > > - printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst); > > - if (do_upload(in, out, g.gl_pathv[i], abs_dst, pflag) == -1) > > + if (do_upload(in, out, g.gl_pathv[i], abs_dst, pflag, > > + updateprogressmeter) == -1) > > err = -1; > > } > > > > _______________________________________________ > > openssh-unix-dev at mindrot.org mailing list > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > -- > wendy palm > Cray OS Sustaining Engineering, Cray Inc. > wendyp at cray.com, 651-605-9154 > From Nicolas.Williams at ubsw.com Thu Feb 7 08:49:00 2002 
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Wed, 6 Feb 2002 16:49:00 -0500
Subject: SFTP Status Bar..
In-Reply-To: <200202062031.g16KVi55022528@etoh.eviladmin.org>; from mouring@etoh.eviladmin.org on Wed, Feb 06, 2002 at 02:31:44PM -0600
References: <20020206155339.V27398@sm2p1386swk.wdr.com> <200202062031.g16KVi55022528@etoh.eviladmin.org>
Message-ID: <20020206164858.X27398@sm2p1386swk.wdr.com>

For large files the bar stops at the second * and then does not update until the transfer is complete (put).

Also, I did "put *"; * matched, among other things, a directory, and sftp exited (not cored).

It would be nice if the protocol had a find-style protocol command.

It would also be nice if the client could copy entire filesystem structures.

It would also be nice if the protocol supported rdiff-style ops (i.e., get rsync signature for a remote file, get delta for a remote file given a local file's rsync signature, patch a file with an rsync patch file). Then we could have a clean replacement for rsync :)

The protocol wishlist belongs at the IETF SECSH WG, I know.

Cheers,

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission.
If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. From mouring at etoh.eviladmin.org Thu Feb 7 08:29:48 2002 
From: mouring at etoh.eviladmin.org (mouring)
Date: Wed, 6 Feb 2002 15:29:48 -0600 (CST)
Subject: SFTP Status Bar..
In-Reply-To: <20020206164858.X27398@sm2p1386swk.wdr.com> from Nicolas Williams at "Feb 6, 2002 04:49:00 pm"
Message-ID: <200202062129.g16LTnfb009964@etoh.eviladmin.org>

> For large files the bar stops at the second * and then does not update
> until the transfer is complete (put).
>
That can easily be resolved.. Just unsure why the same code for scp does not do the same thing.

The solution is to remove the alarm() and family and just move the callback into the big transfer loop. Not my favorite idea because it updates TOO quickly IMHO.

Damien, what are your views on how the sftp progressmeter callback should work?

The reason why 'get' for a single case did not show the bar was because I put NULL instead of the callback function and forgot to change it back.

> Also, I did "put *"; * matched, among other things, a directory, and
> sftp exited (not cored).
>
sftp-int.c:/* XXX: recursive operations */

Would you like to implement it?

> It would be nice if the protocol had a find-style protocol command.
>
UGH.. You want sftpfs not sftp. =P

> It would also be nice if the client could copy entire filesystem
> structures.
>
See above comment about "put *"

> It would also be nice if the protocol supported rdiff-style ops (i.e.,
> get rsync signature for a remote file, get delta for a remote file given
> a local file's rsync signature, patch a file with an rsync patch file).
>
See above comment about sftpfs.

> Then we could have a clean replacement for rsync :)
>
> The protocol wishlist belongs at the IETF SECSH WG, I know.
>
Attached is a new diff against sftp-int.c and sftp-client.c. Restore your old version first before applying (I won't do intermediate diffs, too much of a pain).

corrects:
- put single request uses callback
- callback moved into big data push/pull loops for assured updates.
- Ben --- sftp-int.c Wed Feb 6 15:14:05 2002 +++ sftp-client.c Wed Feb 6 15:16:28 2002 
@@ -22,918 +22,923 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* XXX: globbed ls */ -/* XXX: recursive operations */ +/* XXX: memleaks */ +/* XXX: signed vs unsigned */ +/* XXX: redesign to allow concurrent overlapped operations */ +/* XXX: we use fatal too much, error may be more appropriate in places */ +/* XXX: copy between two remote sites */ #include "includes.h" -RCSID("$OpenBSD: sftp-int.c,v 1.41 2001/12/19 07:18:56 deraadt Exp $"); - -#include +RCSID("$OpenBSD: sftp-client.c,v 1.19 2001/12/19 07:18:56 deraadt Exp $"); #include "buffer.h" +#include "bufaux.h" +#include "getput.h" #include "xmalloc.h" #include "log.h" -#include "pathnames.h" -#include "misc.h" +#include "atomicio.h" #include "sftp.h" #include "sftp-common.h" -#include "sftp-glob.h" #include "sftp-client.h" -#include "sftp-int.h" - -/* File to read commands from */ -extern FILE *infile; -/* Version of server we are speaking to */ -int version; - -/* Seperators for interactive commands */ -#define WHITESPACE " \t\r\n" - -/* Commands for interactive mode */ -#define I_CHDIR 1 -#define I_CHGRP 2 -#define I_CHMOD 3 -#define I_CHOWN 4 -#define I_GET 5 -#define I_HELP 6 -#define I_LCHDIR 7 -#define I_LLS 8 -#define I_LMKDIR 9 -#define I_LPWD 10 -#define I_LS 11 -#define I_LUMASK 12 -#define I_MKDIR 13 -#define I_PUT 14 -#define I_PWD 15 -#define I_QUIT 16 -#define I_RENAME 17 -#define I_RM 18 -#define I_RMDIR 19 -#define I_SHELL 20 -#define I_SYMLINK 21 -#define I_VERSION 22 - -struct CMD { - const char *c; - const int n; -}; - -const struct CMD cmds[] = { - { "bye", I_QUIT }, - { "cd", I_CHDIR }, - { "chdir", I_CHDIR }, - { "chgrp", I_CHGRP }, - { "chmod", I_CHMOD }, - { "chown", I_CHOWN }, - { "dir", I_LS }, - { "exit", I_QUIT }, - { "get", I_GET }, - { "mget", I_GET }, - { "help", I_HELP }, - { "lcd", I_LCHDIR }, - { "lchdir", I_LCHDIR }, - { "lls", I_LLS }, - { "lmkdir", I_LMKDIR }, - { "ln", I_SYMLINK }, - { "lpwd", I_LPWD }, - { "ls", I_LS }, - { "lumask", 
I_LUMASK }, - { "mkdir", I_MKDIR }, - { "put", I_PUT }, - { "mput", I_PUT }, - { "pwd", I_PWD }, - { "quit", I_QUIT }, - { "rename", I_RENAME }, - { "rm", I_RM }, - { "rmdir", I_RMDIR }, - { "symlink", I_SYMLINK }, - { "version", I_VERSION }, - { "!", I_SHELL }, - { "?", I_HELP }, - { NULL, -1} -}; +/* How much data to read/write at at time during copies */ +/* XXX: what should this be? */ +#define COPY_SIZE 8192 + +/* Message ID */ +static u_int msg_id = 1; + +/* Progress Meter items */ +off_t statbytes = 0; +off_t totalbytes = 0; +char *curfile = NULL; static void -updateprogressmeter(int done) +send_msg(int fd, Buffer *m) { - int save_errno = errno; - extern off_t statbytes; - extern off_t totalbytes; - extern char *curfile; - - progressmeter(statbytes, totalbytes, curfile); -/* - if (done == 0) { - signal(SIGALRM, updateprogressmeter); - alarm(PROGRESSTIME); - } else if (done == 1) - alarm(0); -*/ - errno = save_errno; + int mlen = buffer_len(m); + int len; + Buffer oqueue; + + buffer_init(&oqueue); + buffer_put_int(&oqueue, mlen); + buffer_append(&oqueue, buffer_ptr(m), mlen); + buffer_consume(m, mlen); + + len = atomicio(write, fd, buffer_ptr(&oqueue), buffer_len(&oqueue)); + if (len <= 0) + fatal("Couldn't send packet: %s", strerror(errno)); + + buffer_free(&oqueue); } static void -help(void) +get_msg(int fd, Buffer *m) { - printf("Available commands:\n"); - printf("cd path Change remote directory to 'path'\n"); - printf("lcd path Change local directory to 'path'\n"); - printf("chgrp grp path Change group of file 'path' to 'grp'\n"); - printf("chmod mode path Change permissions of file 'path' to 'mode'\n"); - printf("chown own path Change owner of file 'path' to 'own'\n"); - printf("help Display this help text\n"); - printf("get remote-path [local-path] Download file\n"); - printf("lls [ls-options [path]] Display local directory listing\n"); - printf("ln oldpath newpath Symlink remote file\n"); - printf("lmkdir path Create local directory\n"); - printf("lpwd 
Print local working directory\n"); - printf("ls [path] Display remote directory listing\n"); - printf("lumask umask Set local umask to 'umask'\n"); - printf("mkdir path Create remote directory\n"); - printf("put local-path [remote-path] Upload file\n"); - printf("pwd Display remote working directory\n"); - printf("exit Quit sftp\n"); - printf("quit Quit sftp\n"); - printf("rename oldpath newpath Rename remote file\n"); - printf("rmdir path Remove remote directory\n"); - printf("rm path Delete remote file\n"); - printf("symlink oldpath newpath Symlink remote file\n"); - printf("version Show SFTP version\n"); - printf("!command Execute 'command' in local shell\n"); - printf("! Escape to local shell\n"); - printf("? Synonym for help\n"); + u_int len, msg_len; + unsigned char buf[4096]; + + len = atomicio(read, fd, buf, 4); + if (len == 0) + fatal("Connection closed"); + else if (len == -1) + fatal("Couldn't read packet: %s", strerror(errno)); + + msg_len = GET_32BIT(buf); + if (msg_len > 256 * 1024) + fatal("Received message too long %d", msg_len); + + while (msg_len) { + len = atomicio(read, fd, buf, MIN(msg_len, sizeof(buf))); + if (len == 0) + fatal("Connection closed"); + else if (len == -1) + fatal("Couldn't read packet: %s", strerror(errno)); + + msg_len -= len; + buffer_append(m, buf, len); + } } static void -local_do_shell(const char *args) +send_string_request(int fd, u_int id, u_int code, char *s, + u_int len) { - int status; - char *shell; - pid_t pid; + Buffer msg; - if (!*args) - args = NULL; - - if ((shell = getenv("SHELL")) == NULL) - shell = _PATH_BSHELL; - - if ((pid = fork()) == -1) - fatal("Couldn't fork: %s", strerror(errno)); - - if (pid == 0) { - /* XXX: child has pipe fds to ssh subproc open - issue? 
*/ - if (args) { - debug3("Executing %s -c \"%s\"", shell, args); - execl(shell, shell, "-c", args, (char *)NULL); - } else { - debug3("Executing %s", shell); - execl(shell, shell, (char *)NULL); - } - fprintf(stderr, "Couldn't execute \"%s\": %s\n", shell, - strerror(errno)); - _exit(1); - } - if (waitpid(pid, &status, 0) == -1) - fatal("Couldn't wait for child: %s", strerror(errno)); - if (!WIFEXITED(status)) - error("Shell exited abormally"); - else if (WEXITSTATUS(status)) - error("Shell exited with status %d", WEXITSTATUS(status)); + buffer_init(&msg); + buffer_put_char(&msg, code); + buffer_put_int(&msg, id); + buffer_put_string(&msg, s, len); + send_msg(fd, &msg); + debug3("Sent message fd %d T:%d I:%d", fd, code, id); + buffer_free(&msg); } static void -local_do_ls(const char *args) +send_string_attrs_request(int fd, u_int id, u_int code, char *s, + u_int len, Attrib *a) { - if (!args || !*args) - local_do_shell(_PATH_LS); - else { - int len = strlen(_PATH_LS " ") + strlen(args) + 1; - char *buf = xmalloc(len); - - /* XXX: quoting - rip quoting code from ftp? 
*/ - snprintf(buf, len, _PATH_LS " %s", args); - local_do_shell(buf); - xfree(buf); - } + Buffer msg; + + buffer_init(&msg); + buffer_put_char(&msg, code); + buffer_put_int(&msg, id); + buffer_put_string(&msg, s, len); + encode_attrib(&msg, a); + send_msg(fd, &msg); + debug3("Sent message fd %d T:%d I:%d", fd, code, id); + buffer_free(&msg); } -static char * -path_append(char *p1, char *p2) +static u_int +get_status(int fd, int expected_id) { - char *ret; - int len = strlen(p1) + strlen(p2) + 2; + Buffer msg; + u_int type, id, status; + + buffer_init(&msg); + get_msg(fd, &msg); + type = buffer_get_char(&msg); + id = buffer_get_int(&msg); + + if (id != expected_id) + fatal("ID mismatch (%d != %d)", id, expected_id); + if (type != SSH2_FXP_STATUS) + fatal("Expected SSH2_FXP_STATUS(%d) packet, got %d", + SSH2_FXP_STATUS, type); + + status = buffer_get_int(&msg); + buffer_free(&msg); - ret = xmalloc(len); - strlcpy(ret, p1, len); - if (strcmp(p1, "/") != 0) - strlcat(ret, "/", len); - strlcat(ret, p2, len); + debug3("SSH2_FXP_STATUS %d", status); - return(ret); + return(status); } static char * -make_absolute(char *p, char *pwd) +get_handle(int fd, u_int expected_id, u_int *len) { - char *abs; + Buffer msg; + u_int type, id; + char *handle; + + buffer_init(&msg); + get_msg(fd, &msg); + type = buffer_get_char(&msg); + id = buffer_get_int(&msg); + + if (id != expected_id) + fatal("ID mismatch (%d != %d)", id, expected_id); + if (type == SSH2_FXP_STATUS) { + int status = buffer_get_int(&msg); + + error("Couldn't get handle: %s", fx2txt(status)); + return(NULL); + } else if (type != SSH2_FXP_HANDLE) + fatal("Expected SSH2_FXP_HANDLE(%d) packet, got %d", + SSH2_FXP_HANDLE, type); - /* Derelativise */ - if (p && p[0] != '/') { - abs = path_append(pwd, p); - xfree(p); - return(abs); - } else - return(p); + handle = buffer_get_string(&msg, len); + buffer_free(&msg); + + return(handle); } -static int -infer_path(const char *p, char **ifp) +static Attrib * +get_decode_stat(int 
fd, u_int expected_id, int quiet) { - char *cp; + Buffer msg; + u_int type, id; + Attrib *a; + + buffer_init(&msg); + get_msg(fd, &msg); - cp = strrchr(p, '/'); - if (cp == NULL) { - *ifp = xstrdup(p); - return(0); + type = buffer_get_char(&msg); + id = buffer_get_int(&msg); + + debug3("Received stat reply T:%d I:%d", type, id); + if (id != expected_id) + fatal("ID mismatch (%d != %d)", id, expected_id); + if (type == SSH2_FXP_STATUS) { + int status = buffer_get_int(&msg); + + if (quiet) + debug("Couldn't stat remote file: %s", fx2txt(status)); + else + error("Couldn't stat remote file: %s", fx2txt(status)); + return(NULL); + } else if (type != SSH2_FXP_ATTRS) { + fatal("Expected SSH2_FXP_ATTRS(%d) packet, got %d", + SSH2_FXP_ATTRS, type); } + a = decode_attrib(&msg); + buffer_free(&msg); - if (!cp[1]) { - error("Invalid path"); + return(a); +} + +int +do_init(int fd_in, int fd_out) +{ + int type, version; + Buffer msg; + + buffer_init(&msg); + buffer_put_char(&msg, SSH2_FXP_INIT); + buffer_put_int(&msg, SSH2_FILEXFER_VERSION); + send_msg(fd_out, &msg); + + buffer_clear(&msg); + + get_msg(fd_in, &msg); + + /* Expecting a VERSION reply */ + if ((type = buffer_get_char(&msg)) != SSH2_FXP_VERSION) { + error("Invalid packet back from SSH2_FXP_INIT (type %d)", + type); + buffer_free(&msg); return(-1); } + version = buffer_get_int(&msg); - *ifp = xstrdup(cp + 1); - return(0); + debug2("Remote version: %d", version); + + /* Check for extensions */ + while (buffer_len(&msg) > 0) { + char *name = buffer_get_string(&msg, NULL); + char *value = buffer_get_string(&msg, NULL); + + debug2("Init extension: \"%s\"", name); + xfree(name); + xfree(value); + } + + buffer_free(&msg); + + return(version); +} + +int +do_close(int fd_in, int fd_out, char *handle, u_int handle_len) +{ + u_int id, status; + Buffer msg; + + buffer_init(&msg); + + id = msg_id++; + buffer_put_char(&msg, SSH2_FXP_CLOSE); + buffer_put_int(&msg, id); + buffer_put_string(&msg, handle, handle_len); + 
send_msg(fd_out, &msg); + debug3("Sent message SSH2_FXP_CLOSE I:%d", id); + + status = get_status(fd_in, id); + if (status != SSH2_FX_OK) + error("Couldn't close file: %s", fx2txt(status)); + + buffer_free(&msg); + + return(status); } + static int -parse_getput_flags(const char **cpp, int *pflag) +do_lsreaddir(int fd_in, int fd_out, char *path, int printflag, + SFTP_DIRENT ***dir) { - const char *cp = *cpp; + Buffer msg; + u_int type, id, handle_len, i, expected_id, ents = 0; + char *handle; - /* Check for flags */ - if (cp[0] == '-' && cp[1] && strchr(WHITESPACE, cp[2])) { - switch (cp[1]) { - case 'p': - case 'P': - *pflag = 1; - break; - default: - error("Invalid flag -%c", cp[1]); - return(-1); + id = msg_id++; + + buffer_init(&msg); + buffer_put_char(&msg, SSH2_FXP_OPENDIR); + buffer_put_int(&msg, id); + buffer_put_cstring(&msg, path); + send_msg(fd_out, &msg); + + buffer_clear(&msg); + + handle = get_handle(fd_in, id, &handle_len); + if (handle == NULL) + return(-1); + + if (dir) { + ents = 0; + *dir = xmalloc(sizeof(**dir)); + (*dir)[0] = NULL; + } + + for (;;) { + int count; + + id = expected_id = msg_id++; + + debug3("Sending SSH2_FXP_READDIR I:%d", id); + + buffer_clear(&msg); + buffer_put_char(&msg, SSH2_FXP_READDIR); + buffer_put_int(&msg, id); + buffer_put_string(&msg, handle, handle_len); + send_msg(fd_out, &msg); + + buffer_clear(&msg); + + get_msg(fd_in, &msg); + + type = buffer_get_char(&msg); + id = buffer_get_int(&msg); + + debug3("Received reply T:%d I:%d", type, id); + + if (id != expected_id) + fatal("ID mismatch (%d != %d)", id, expected_id); + + if (type == SSH2_FXP_STATUS) { + int status = buffer_get_int(&msg); + + debug3("Received SSH2_FXP_STATUS %d", status); + + if (status == SSH2_FX_EOF) { + break; + } else { + error("Couldn't read directory: %s", + fx2txt(status)); + do_close(fd_in, fd_out, handle, handle_len); + return(status); + } + } else if (type != SSH2_FXP_NAME) + fatal("Expected SSH2_FXP_NAME(%d) packet, got %d", + 
SSH2_FXP_NAME, type); + + count = buffer_get_int(&msg); + if (count == 0) + break; + debug3("Received %d SSH2_FXP_NAME responses", count); + for (i = 0; i < count; i++) { + char *filename, *longname; + Attrib *a; + + filename = buffer_get_string(&msg, NULL); + longname = buffer_get_string(&msg, NULL); + a = decode_attrib(&msg); + + if (printflag) + printf("%s\n", longname); + + if (dir) { + *dir = xrealloc(*dir, sizeof(**dir) * + (ents + 2)); + (*dir)[ents] = xmalloc(sizeof(***dir)); + (*dir)[ents]->filename = xstrdup(filename); + (*dir)[ents]->longname = xstrdup(longname); + memcpy(&(*dir)[ents]->a, a, sizeof(*a)); + (*dir)[++ents] = NULL; + } + + xfree(filename); + xfree(longname); } - cp += 2; - *cpp = cp + strspn(cp, WHITESPACE); } + buffer_free(&msg); + do_close(fd_in, fd_out, handle, handle_len); + xfree(handle); + return(0); } -static int -get_pathname(const char **cpp, char **path) +int +do_ls(int fd_in, int fd_out, char *path) +{ + return(do_lsreaddir(fd_in, fd_out, path, 1, NULL)); +} + +int +do_readdir(int fd_in, int fd_out, char *path, SFTP_DIRENT ***dir) +{ + return(do_lsreaddir(fd_in, fd_out, path, 0, dir)); +} + +void free_sftp_dirents(SFTP_DIRENT **s) { - const char *cp = *cpp, *end; - char quot; int i; - cp += strspn(cp, WHITESPACE); - if (!*cp) { - *cpp = cp; - *path = NULL; - return (0); + for (i = 0; s[i]; i++) { + xfree(s[i]->filename); + xfree(s[i]->longname); + xfree(s[i]); } + xfree(s); +} - /* Check for quoted filenames */ - if (*cp == '\"' || *cp == '\'') { - quot = *cp++; - - end = strchr(cp, quot); - if (end == NULL) { - error("Unterminated quote"); - goto fail; - } - if (cp == end) { - error("Empty quotes"); - goto fail; - } - *cpp = end + 1 + strspn(end + 1, WHITESPACE); - } else { - /* Read to end of filename */ - end = strpbrk(cp, WHITESPACE); - if (end == NULL) - end = strchr(cp, '\0'); - *cpp = end + strspn(end, WHITESPACE); - } +int +do_rm(int fd_in, int fd_out, char *path) +{ + u_int status, id; - i = end - cp; - - *path = 
xmalloc(i + 1); - memcpy(*path, cp, i); - (*path)[i] = '\0'; - return(0); + debug2("Sending SSH2_FXP_REMOVE \"%s\"", path); - fail: - *path = NULL; - return (-1); + id = msg_id++; + send_string_request(fd_out, id, SSH2_FXP_REMOVE, path, strlen(path)); + status = get_status(fd_in, id); + if (status != SSH2_FX_OK) + error("Couldn't delete file: %s", fx2txt(status)); + return(status); } -static int -is_dir(char *path) +int +do_mkdir(int fd_in, int fd_out, char *path, Attrib *a) { - struct stat sb; + u_int status, id; - /* XXX: report errors? */ - if (stat(path, &sb) == -1) - return(0); + id = msg_id++; + send_string_attrs_request(fd_out, id, SSH2_FXP_MKDIR, path, + strlen(path), a); - return(sb.st_mode & S_IFDIR); + status = get_status(fd_in, id); + if (status != SSH2_FX_OK) + error("Couldn't create directory: %s", fx2txt(status)); + + return(status); } -static int -remote_is_dir(int in, int out, char *path) +int +do_rmdir(int fd_in, int fd_out, char *path) +{ + u_int status, id; + + id = msg_id++; + send_string_request(fd_out, id, SSH2_FXP_RMDIR, path, strlen(path)); + + status = get_status(fd_in, id); + if (status != SSH2_FX_OK) + error("Couldn't remove directory: %s", fx2txt(status)); + + return(status); +} + +Attrib * +do_stat(int fd_in, int fd_out, char *path, int quiet) +{ + u_int id; + + id = msg_id++; + send_string_request(fd_out, id, SSH2_FXP_STAT, path, strlen(path)); + return(get_decode_stat(fd_in, id, quiet)); +} + +Attrib * +do_lstat(int fd_in, int fd_out, char *path, int quiet) +{ + u_int id; + + id = msg_id++; + send_string_request(fd_out, id, SSH2_FXP_LSTAT, path, strlen(path)); + return(get_decode_stat(fd_in, id, quiet)); +} + +Attrib * +do_fstat(int fd_in, int fd_out, char *handle, u_int handle_len, int quiet) +{ + u_int id; + + id = msg_id++; + send_string_request(fd_out, id, SSH2_FXP_FSTAT, handle, handle_len); + return(get_decode_stat(fd_in, id, quiet)); +} + +int +do_setstat(int fd_in, int fd_out, char *path, Attrib *a) { + u_int status, id; + + 
id = msg_id++; + send_string_attrs_request(fd_out, id, SSH2_FXP_SETSTAT, path, + strlen(path), a); + + status = get_status(fd_in, id); + if (status != SSH2_FX_OK) + error("Couldn't setstat on \"%s\": %s", path, + fx2txt(status)); + + return(status); +} + +int +do_fsetstat(int fd_in, int fd_out, char *handle, u_int handle_len, + Attrib *a) +{ + u_int status, id; + + id = msg_id++; + send_string_attrs_request(fd_out, id, SSH2_FXP_FSETSTAT, handle, + handle_len, a); + + status = get_status(fd_in, id); + if (status != SSH2_FX_OK) + error("Couldn't fsetstat: %s", fx2txt(status)); + + return(status); +} + +char * +do_realpath(int fd_in, int fd_out, char *path) +{ + Buffer msg; + u_int type, expected_id, count, id; + char *filename, *longname; Attrib *a; - /* XXX: report errors? */ - if ((a = do_stat(in, out, path, 1)) == NULL) - return(0); - if (!(a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) - return(0); - return(a->perm & S_IFDIR); + expected_id = id = msg_id++; + send_string_request(fd_out, id, SSH2_FXP_REALPATH, path, strlen(path)); + + buffer_init(&msg); + + get_msg(fd_in, &msg); + type = buffer_get_char(&msg); + id = buffer_get_int(&msg); + + if (id != expected_id) + fatal("ID mismatch (%d != %d)", id, expected_id); + + if (type == SSH2_FXP_STATUS) { + u_int status = buffer_get_int(&msg); + + error("Couldn't canonicalise: %s", fx2txt(status)); + return(NULL); + } else if (type != SSH2_FXP_NAME) + fatal("Expected SSH2_FXP_NAME(%d) packet, got %d", + SSH2_FXP_NAME, type); + + count = buffer_get_int(&msg); + if (count != 1) + fatal("Got multiple names (%d) from SSH_FXP_REALPATH", count); + + filename = buffer_get_string(&msg, NULL); + longname = buffer_get_string(&msg, NULL); + a = decode_attrib(&msg); + + debug3("SSH_FXP_REALPATH %s -> %s", path, filename); + + xfree(longname); + + buffer_free(&msg); + + return(filename); } -static int -process_get(int in, int out, char *src, char *dst, char *pwd, int pflag) +int +do_rename(int fd_in, int fd_out, char *oldpath, char 
*newpath) { - char *abs_src = NULL; - char *abs_dst = NULL; - char *tmp; - glob_t g; - int err = 0; - int i; + Buffer msg; + u_int status, id; - abs_src = xstrdup(src); - abs_src = make_absolute(abs_src, pwd); + buffer_init(&msg); - memset(&g, 0, sizeof(g)); - debug3("Looking up %s", abs_src); - if (remote_glob(in, out, abs_src, 0, NULL, &g)) { - error("File \"%s\" not found.", abs_src); - err = -1; - goto out; - } - - /* Only one match, dst may be file, directory or unspecified */ - if (g.gl_pathv[0] && g.gl_matchc == 1) { - if (dst) { - /* If directory specified, append filename */ - if (is_dir(dst)) { - if (infer_path(g.gl_pathv[0], &tmp)) { - err = 1; - goto out; - } - abs_dst = path_append(dst, tmp); - xfree(tmp); - } else - abs_dst = xstrdup(dst); - } else if (infer_path(g.gl_pathv[0], &abs_dst)) { - err = -1; - goto out; - } - err = do_download(in, out, g.gl_pathv[0], abs_dst, pflag, - updateprogressmeter); - goto out; - } - - /* Multiple matches, dst may be directory or unspecified */ - if (dst && !is_dir(dst)) { - error("Multiple files match, but \"%s\" is not a directory", - dst); - err = -1; - goto out; - } - - for (i = 0; g.gl_pathv[i]; i++) { - if (infer_path(g.gl_pathv[i], &tmp)) { - err = -1; - goto out; - } - if (dst) { - abs_dst = path_append(dst, tmp); - xfree(tmp); - } else - abs_dst = tmp; - - if (do_download(in, out, g.gl_pathv[i], abs_dst, pflag, - updateprogressmeter) == -1) - err = -1; - xfree(abs_dst); - abs_dst = NULL; - } - -out: - xfree(abs_src); - if (abs_dst) - xfree(abs_dst); - globfree(&g); - return(err); + /* Send rename request */ + id = msg_id++; + buffer_put_char(&msg, SSH2_FXP_RENAME); + buffer_put_int(&msg, id); + buffer_put_cstring(&msg, oldpath); + buffer_put_cstring(&msg, newpath); + send_msg(fd_out, &msg); + debug3("Sent message SSH2_FXP_RENAME \"%s\" -> \"%s\"", oldpath, + newpath); + buffer_free(&msg); + + status = get_status(fd_in, id); + if (status != SSH2_FX_OK) + error("Couldn't rename file \"%s\" to \"%s\": %s", 
oldpath, newpath, + fx2txt(status)); + + return(status); } -static int -process_put(int in, int out, char *src, char *dst, char *pwd, int pflag) +int +do_symlink(int fd_in, int fd_out, char *oldpath, char *newpath) { - char *tmp_dst = NULL; - char *abs_dst = NULL; - char *tmp; - glob_t g; - int err = 0; - int i; + Buffer msg; + u_int status, id; - if (dst) { - tmp_dst = xstrdup(dst); - tmp_dst = make_absolute(tmp_dst, pwd); - } - - memset(&g, 0, sizeof(g)); - debug3("Looking up %s", src); - if (glob(src, 0, NULL, &g)) { - error("File \"%s\" not found.", src); - err = -1; - goto out; - } - - /* Only one match, dst may be file, directory or unspecified */ - if (g.gl_pathv[0] && g.gl_matchc == 1) { - if (tmp_dst) { - /* If directory specified, append filename */ - if (remote_is_dir(in, out, tmp_dst)) { - if (infer_path(g.gl_pathv[0], &tmp)) { - err = 1; - goto out; - } - abs_dst = path_append(tmp_dst, tmp); - xfree(tmp); - } else - abs_dst = xstrdup(tmp_dst); - } else { - if (infer_path(g.gl_pathv[0], &abs_dst)) { - err = -1; - goto out; - } - abs_dst = make_absolute(abs_dst, pwd); - } - err = do_upload(in, out, g.gl_pathv[0], abs_dst, pflag, - updateprogressmeter); - goto out; - } - - /* Multiple matches, dst may be directory or unspecified */ - if (tmp_dst && !remote_is_dir(in, out, tmp_dst)) { - error("Multiple files match, but \"%s\" is not a directory", - tmp_dst); - err = -1; - goto out; - } - - for (i = 0; g.gl_pathv[i]; i++) { - if (infer_path(g.gl_pathv[i], &tmp)) { - err = -1; - goto out; - } - if (tmp_dst) { - abs_dst = path_append(tmp_dst, tmp); - xfree(tmp); - } else - abs_dst = make_absolute(tmp, pwd); - - if (do_upload(in, out, g.gl_pathv[i], abs_dst, pflag, - updateprogressmeter) == -1) - err = -1; - } - -out: - if (abs_dst) - xfree(abs_dst); - if (tmp_dst) - xfree(tmp_dst); - return(err); + buffer_init(&msg); + + /* Send rename request */ + id = msg_id++; + buffer_put_char(&msg, SSH2_FXP_SYMLINK); + buffer_put_int(&msg, id); + buffer_put_cstring(&msg, 
oldpath); + buffer_put_cstring(&msg, newpath); + send_msg(fd_out, &msg); + debug3("Sent message SSH2_FXP_SYMLINK \"%s\" -> \"%s\"", oldpath, + newpath); + buffer_free(&msg); + + status = get_status(fd_in, id); + if (status != SSH2_FX_OK) + error("Couldn't rename file \"%s\" to \"%s\": %s", oldpath, newpath, + fx2txt(status)); + + return(status); } -static int -parse_args(const char **cpp, int *pflag, unsigned long *n_arg, - char **path1, char **path2) +char * +do_readlink(int fd_in, int fd_out, char *path) { - const char *cmd, *cp = *cpp; - char *cp2; - int base = 0; - long l; - int i, cmdnum; + Buffer msg; + u_int type, expected_id, count, id; + char *filename, *longname; + Attrib *a; + + expected_id = id = msg_id++; + send_string_request(fd_out, id, SSH2_FXP_READLINK, path, strlen(path)); + + buffer_init(&msg); + + get_msg(fd_in, &msg); + type = buffer_get_char(&msg); + id = buffer_get_int(&msg); + + if (id != expected_id) + fatal("ID mismatch (%d != %d)", id, expected_id); + + if (type == SSH2_FXP_STATUS) { + u_int status = buffer_get_int(&msg); + + error("Couldn't readlink: %s", fx2txt(status)); + return(NULL); + } else if (type != SSH2_FXP_NAME) + fatal("Expected SSH2_FXP_NAME(%d) packet, got %d", + SSH2_FXP_NAME, type); + + count = buffer_get_int(&msg); + if (count != 1) + fatal("Got multiple names (%d) from SSH_FXP_READLINK", count); + + filename = buffer_get_string(&msg, NULL); + longname = buffer_get_string(&msg, NULL); + a = decode_attrib(&msg); - /* Skip leading whitespace */ - cp = cp + strspn(cp, WHITESPACE); + debug3("SSH_FXP_READLINK %s -> %s", path, filename); - /* Ignore blank lines */ - if (!*cp) + xfree(longname); + + buffer_free(&msg); + + return(filename); +} + +int +do_download(int fd_in, int fd_out, char *remote_path, char *local_path, + int pflag, void (*progressbar)(int)) +{ + int local_fd; + u_int expected_id, handle_len, mode, type, id; + u_int64_t offset; + char *handle; + Buffer msg; + Attrib junk, *a; + int status; + + a = 
do_stat(fd_in, fd_out, remote_path, 0); + if (a == NULL) return(-1); - /* Figure out which command we have */ - for (i = 0; cmds[i].c; i++) { - int cmdlen = strlen(cmds[i].c); - - /* Check for command followed by whitespace */ - if (!strncasecmp(cp, cmds[i].c, cmdlen) && - strchr(WHITESPACE, cp[cmdlen])) { - cp += cmdlen; - cp = cp + strspn(cp, WHITESPACE); - break; - } + /* XXX: should we preserve set[ug]id? */ + if (a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) + mode = S_IWRITE | (a->perm & 0777); + else + mode = 0666; + + if ((a->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) && + (a->perm & S_IFDIR)) { + error("Cannot download a directory: %s", remote_path); + return(-1); } - cmdnum = cmds[i].n; - cmd = cmds[i].c; - /* Special case */ - if (*cp == '!') { - cp++; - cmdnum = I_SHELL; - } else if (cmdnum == -1) { - error("Invalid command."); + local_fd = open(local_path, O_WRONLY | O_CREAT | O_TRUNC, mode); + if (local_fd == -1) { + error("Couldn't open local file \"%s\" for writing: %s", + local_path, strerror(errno)); return(-1); } - /* Get arguments and parse flags */ - *pflag = *n_arg = 0; - *path1 = *path2 = NULL; - switch (cmdnum) { - case I_GET: - case I_PUT: - if (parse_getput_flags(&cp, pflag)) - return(-1); - /* Get first pathname (mandatory) */ - if (get_pathname(&cp, path1)) - return(-1); - if (*path1 == NULL) { - error("You must specify at least one path after a " - "%s command.", cmd); - return(-1); - } - /* Try to get second pathname (optional) */ - if (get_pathname(&cp, path2)) - return(-1); - break; - case I_RENAME: - case I_SYMLINK: - if (get_pathname(&cp, path1)) - return(-1); - if (get_pathname(&cp, path2)) - return(-1); - if (!*path1 || !*path2) { - error("You must specify two paths after a %s " - "command.", cmd); - return(-1); - } - break; - case I_RM: - case I_MKDIR: - case I_RMDIR: - case I_CHDIR: - case I_LCHDIR: - case I_LMKDIR: - /* Get pathname (mandatory) */ - if (get_pathname(&cp, path1)) - return(-1); - if (*path1 == NULL) { - error("You 
must specify a path after a %s command.", - cmd); - return(-1); - } - break; - case I_LS: - /* Path is optional */ - if (get_pathname(&cp, path1)) - return(-1); - break; - case I_LLS: - case I_SHELL: - /* Uses the rest of the line */ - break; - case I_LUMASK: - base = 8; - case I_CHMOD: - base = 8; - case I_CHOWN: - case I_CHGRP: - /* Get numeric arg (mandatory) */ - l = strtol(cp, &cp2, base); - if (cp2 == cp || ((l == LONG_MIN || l == LONG_MAX) && - errno == ERANGE) || l < 0) { - error("You must supply a numeric argument " - "to the %s command.", cmd); - return(-1); - } - cp = cp2; - *n_arg = l; - if (cmdnum == I_LUMASK && strchr(WHITESPACE, *cp)) - break; - if (cmdnum == I_LUMASK || !strchr(WHITESPACE, *cp)) { - error("You must supply a numeric argument " - "to the %s command.", cmd); - return(-1); - } - cp += strspn(cp, WHITESPACE); + buffer_init(&msg); - /* Get pathname (mandatory) */ - if (get_pathname(&cp, path1)) - return(-1); - if (*path1 == NULL) { - error("You must specify a path after a %s command.", - cmd); - return(-1); - } - break; - case I_QUIT: - case I_PWD: - case I_LPWD: - case I_HELP: - case I_VERSION: - break; - default: - fatal("Command not implemented"); + /* Send open request */ + id = msg_id++; + buffer_put_char(&msg, SSH2_FXP_OPEN); + buffer_put_int(&msg, id); + buffer_put_cstring(&msg, remote_path); + buffer_put_int(&msg, SSH2_FXF_READ); + attrib_clear(&junk); /* Send empty attributes */ + encode_attrib(&msg, &junk); + send_msg(fd_out, &msg); + debug3("Sent message SSH2_FXP_OPEN I:%d P:%s", id, remote_path); + + handle = get_handle(fd_in, id, &handle_len); + if (handle == NULL) { + buffer_free(&msg); + close(local_fd); + return(-1); } - *cpp = cp; - return(cmdnum); -} + totalbytes = a->size; + curfile = remote_path; -static int -parse_dispatch_command(int in, int out, const char *cmd, char **pwd) -{ - char *path1, *path2, *tmp; - int pflag, cmdnum, i; - unsigned long n_arg; - Attrib a, *aa; - char path_buf[MAXPATHLEN]; - int err = 0; - 
glob_t g; - - path1 = path2 = NULL; - cmdnum = parse_args(&cmd, &pflag, &n_arg, &path1, &path2); - - memset(&g, 0, sizeof(g)); - - /* Perform command */ - switch (cmdnum) { - case -1: - break; - case I_GET: - err = process_get(in, out, path1, path2, *pwd, pflag); - break; - case I_PUT: - err = process_put(in, out, path1, path2, *pwd, pflag); - break; - case I_RENAME: - path1 = make_absolute(path1, *pwd); - path2 = make_absolute(path2, *pwd); - err = do_rename(in, out, path1, path2); - break; - case I_SYMLINK: - if (version < 3) { - error("The server (version %d) does not support " - "this operation", version); - err = -1; - } else { - path2 = make_absolute(path2, *pwd); - err = do_symlink(in, out, path1, path2); - } - break; - case I_RM: - path1 = make_absolute(path1, *pwd); - remote_glob(in, out, path1, GLOB_NOCHECK, NULL, &g); - for (i = 0; g.gl_pathv[i]; i++) { - printf("Removing %s\n", g.gl_pathv[i]); - if (do_rm(in, out, g.gl_pathv[i]) == -1) - err = -1; - } - break; - case I_MKDIR: - path1 = make_absolute(path1, *pwd); - attrib_clear(&a); - a.flags |= SSH2_FILEXFER_ATTR_PERMISSIONS; - a.perm = 0777; - err = do_mkdir(in, out, path1, &a); - break; - case I_RMDIR: - path1 = make_absolute(path1, *pwd); - err = do_rmdir(in, out, path1); - break; - case I_CHDIR: - path1 = make_absolute(path1, *pwd); - if ((tmp = do_realpath(in, out, path1)) == NULL) { - err = 1; - break; - } - if ((aa = do_stat(in, out, tmp, 0)) == NULL) { - xfree(tmp); - err = 1; - break; - } - if (!(aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS)) { - error("Can't change directory: Can't check target"); - xfree(tmp); - err = 1; - break; - } - if (!S_ISDIR(aa->perm)) { - error("Can't change directory: \"%s\" is not " - "a directory", tmp); - xfree(tmp); - err = 1; - break; - } - xfree(*pwd); - *pwd = tmp; - break; - case I_LS: - if (!path1) { - do_ls(in, out, *pwd); - break; - } - path1 = make_absolute(path1, *pwd); - if ((tmp = do_realpath(in, out, path1)) == NULL) - break; - xfree(path1); - path1 = 
tmp; - if ((aa = do_stat(in, out, path1, 0)) == NULL) - break; - if ((aa->flags & SSH2_FILEXFER_ATTR_PERMISSIONS) && - !S_ISDIR(aa->perm)) { - error("Can't ls: \"%s\" is not a directory", path1); - break; - } - do_ls(in, out, path1); - break; - case I_LCHDIR: - if (chdir(path1) == -1) { - error("Couldn't change local directory to " - "\"%s\": %s", path1, strerror(errno)); - err = 1; - } - break; - case I_LMKDIR: - if (mkdir(path1, 0777) == -1) { - error("Couldn't create local directory " - "\"%s\": %s", path1, strerror(errno)); - err = 1; - } - break; - case I_LLS: - local_do_ls(cmd); - break; - case I_SHELL: - local_do_shell(cmd); - break; - case I_LUMASK: - umask(n_arg); - printf("Local umask: %03lo\n", n_arg); - break; - case I_CHMOD: - path1 = make_absolute(path1, *pwd); - attrib_clear(&a); - a.flags |= SSH2_FILEXFER_ATTR_PERMISSIONS; - a.perm = n_arg; - remote_glob(in, out, path1, GLOB_NOCHECK, NULL, &g); - for (i = 0; g.gl_pathv[i]; i++) { - printf("Changing mode on %s\n", g.gl_pathv[i]); - do_setstat(in, out, g.gl_pathv[i], &a); - } - break; - case I_CHOWN: - path1 = make_absolute(path1, *pwd); - remote_glob(in, out, path1, GLOB_NOCHECK, NULL, &g); - for (i = 0; g.gl_pathv[i]; i++) { - if (!(aa = do_stat(in, out, g.gl_pathv[i], 0))) - continue; - if (!(aa->flags & SSH2_FILEXFER_ATTR_UIDGID)) { - error("Can't get current ownership of " - "remote file \"%s\"", g.gl_pathv[i]); - continue; - } - printf("Changing owner on %s\n", g.gl_pathv[i]); - aa->flags &= SSH2_FILEXFER_ATTR_UIDGID; - aa->uid = n_arg; - do_setstat(in, out, g.gl_pathv[i], aa); - } - break; - case I_CHGRP: - path1 = make_absolute(path1, *pwd); - remote_glob(in, out, path1, GLOB_NOCHECK, NULL, &g); - for (i = 0; g.gl_pathv[i]; i++) { - if (!(aa = do_stat(in, out, g.gl_pathv[i], 0))) - continue; - if (!(aa->flags & SSH2_FILEXFER_ATTR_UIDGID)) { - error("Can't get current ownership of " - "remote file \"%s\"", g.gl_pathv[i]); - continue; + /* Read from remote and write to local */ + offset = 0; + 
for (;;) { + u_int len; + char *data; + + id = expected_id = msg_id++; + + buffer_clear(&msg); + buffer_put_char(&msg, SSH2_FXP_READ); + buffer_put_int(&msg, id); + buffer_put_string(&msg, handle, handle_len); + buffer_put_int64(&msg, offset); + buffer_put_int(&msg, COPY_SIZE); + send_msg(fd_out, &msg); + debug3("Sent message SSH2_FXP_READ I:%d O:%llu S:%u", + id, (unsigned long long)offset, COPY_SIZE); + + buffer_clear(&msg); + + get_msg(fd_in, &msg); + type = buffer_get_char(&msg); + id = buffer_get_int(&msg); + debug3("Received reply T:%d I:%d", type, id); + if (id != expected_id) + fatal("ID mismatch (%d != %d)", id, expected_id); + if (type == SSH2_FXP_STATUS) { + status = buffer_get_int(&msg); + + if (status == SSH2_FX_EOF) + break; + else { + error("Couldn't read from remote " + "file \"%s\" : %s", remote_path, + fx2txt(status)); + do_close(fd_in, fd_out, handle, handle_len); + goto done; } - printf("Changing group on %s\n", g.gl_pathv[i]); - aa->flags &= SSH2_FILEXFER_ATTR_UIDGID; - aa->gid = n_arg; - do_setstat(in, out, g.gl_pathv[i], aa); + } else if (type != SSH2_FXP_DATA) { + fatal("Expected SSH2_FXP_DATA(%d) packet, got %d", + SSH2_FXP_DATA, type); } - break; - case I_PWD: - printf("Remote working directory: %s\n", *pwd); - break; - case I_LPWD: - if (!getcwd(path_buf, sizeof(path_buf))) - error("Couldn't get local cwd: %s", + + data = buffer_get_string(&msg, &len); + if (len > COPY_SIZE) + fatal("Received more data than asked for %d > %d", + len, COPY_SIZE); + + debug3("In read loop, got %d offset %llu", len, + (unsigned long long)offset); + if (atomicio(write, local_fd, data, len) != len) { + error("Couldn't write to \"%s\": %s", local_path, strerror(errno)); - else - printf("Local working directory: %s\n", - path_buf); - break; - case I_QUIT: - return(-1); - case I_HELP: - help(); - break; - case I_VERSION: - printf("SFTP protocol version %d\n", version); - break; - default: - fatal("%d is not implemented", cmdnum); - } - - if (g.gl_pathc) - 
globfree(&g); - if (path1) - xfree(path1); - if (path2) - xfree(path2); - - /* If an error occurs in batch mode we should abort. */ - if (infile != stdin && err > 0) - return -1; + do_close(fd_in, fd_out, handle, handle_len); + status = -1; + xfree(data); + goto done; + } + + offset += len; + xfree(data); + statbytes = offset; + if (progressbar) + (progressbar)(0); + } + status = do_close(fd_in, fd_out, handle, handle_len); + + /* Override umask and utimes if asked */ + if (pflag && fchmod(local_fd, mode) == -1) + error("Couldn't set mode on \"%s\": %s", local_path, + strerror(errno)); + if (pflag && (a->flags & SSH2_FILEXFER_ATTR_ACMODTIME)) { + struct timeval tv[2]; + tv[0].tv_sec = a->atime; + tv[1].tv_sec = a->mtime; + tv[0].tv_usec = tv[1].tv_usec = 0; + if (utimes(local_path, tv) == -1) + error("Can't set times on \"%s\": %s", local_path, + strerror(errno)); + } - return(0); -} +done: + close(local_fd); + buffer_free(&msg); + xfree(handle); + + return status; +} + +int +do_upload(int fd_in, int fd_out, char *local_path, char *remote_path, + int pflag, void (*progressbar)(int)) +{ + int local_fd; + u_int handle_len, id; + u_int64_t offset; + char *handle; + Buffer msg; + struct stat sb; + Attrib a; + int status; -void -interactive_loop(int fd_in, int fd_out, char *file1, char *file2) -{ - char *pwd; - char *dir = NULL; - char cmd[2048]; - - version = do_init(fd_in, fd_out); - if (version == -1) - fatal("Couldn't initialise connection to server"); - - pwd = do_realpath(fd_in, fd_out, "."); - if (pwd == NULL) - fatal("Need cwd"); - - if (file1 != NULL) { - dir = xstrdup(file1); - dir = make_absolute(dir, pwd); - - if (remote_is_dir(fd_in, fd_out, dir) && file2 == NULL) { - printf("Changing to: %s\n", dir); - snprintf(cmd, sizeof cmd, "cd \"%s\"", dir); - parse_dispatch_command(fd_in, fd_out, cmd, &pwd); - } else { - if (file2 == NULL) - snprintf(cmd, sizeof cmd, "get %s", dir); - else - snprintf(cmd, sizeof cmd, "get %s %s", dir, - file2); + if ((local_fd = 
open(local_path, O_RDONLY, 0)) == -1) { + error("Couldn't open local file \"%s\" for reading: %s", + local_path, strerror(errno)); + return(-1); + } + if (fstat(local_fd, &sb) == -1) { + error("Couldn't fstat local file \"%s\": %s", + local_path, strerror(errno)); + close(local_fd); + return(-1); + } + stat_to_attrib(&sb, &a); - parse_dispatch_command(fd_in, fd_out, cmd, &pwd); - return; - } + a.flags &= ~SSH2_FILEXFER_ATTR_SIZE; + a.flags &= ~SSH2_FILEXFER_ATTR_UIDGID; + a.perm &= 0777; + if (!pflag) + a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME; + + buffer_init(&msg); + + /* Send open request */ + id = msg_id++; + buffer_put_char(&msg, SSH2_FXP_OPEN); + buffer_put_int(&msg, id); + buffer_put_cstring(&msg, remote_path); + buffer_put_int(&msg, SSH2_FXF_WRITE|SSH2_FXF_CREAT|SSH2_FXF_TRUNC); + encode_attrib(&msg, &a); + send_msg(fd_out, &msg); + debug3("Sent message SSH2_FXP_OPEN I:%d P:%s", id, remote_path); + + buffer_clear(&msg); + + handle = get_handle(fd_in, id, &handle_len); + if (handle == NULL) { + close(local_fd); + buffer_free(&msg); + return(-1); } - setvbuf(stdout, NULL, _IOLBF, 0); - setvbuf(infile, NULL, _IOLBF, 0); + totalbytes = a.size; + curfile = local_path; + /* Read from local and write to remote */ + offset = 0; for (;;) { - char *cp; + int len; + char data[COPY_SIZE]; - printf("sftp> "); + /* + * Can't use atomicio here because it returns 0 on EOF, thus losing + * the last block of the file + */ + do + len = read(local_fd, data, COPY_SIZE); + while ((len == -1) && (errno == EINTR || errno == EAGAIN)); - /* XXX: use libedit */ - if (fgets(cmd, sizeof(cmd), infile) == NULL) { - printf("\n"); + if (len == -1) + fatal("Couldn't read from \"%s\": %s", local_path, + strerror(errno)); + if (len == 0) break; - } else if (infile != stdin) /* Bluff typing */ - printf("%s", cmd); - cp = strrchr(cmd, '\n'); - if (cp) - *cp = '\0'; + buffer_clear(&msg); + buffer_put_char(&msg, SSH2_FXP_WRITE); + buffer_put_int(&msg, ++id); + buffer_put_string(&msg, handle, 
handle_len); + buffer_put_int64(&msg, offset); + buffer_put_string(&msg, data, len); + send_msg(fd_out, &msg); + debug3("Sent message SSH2_FXP_WRITE I:%d O:%llu S:%u", + id, (unsigned long long)offset, len); + + status = get_status(fd_in, id); + if (status != SSH2_FX_OK) { + error("Couldn't write to remote file \"%s\": %s", + remote_path, fx2txt(status)); + do_close(fd_in, fd_out, handle, handle_len); + close(local_fd); + goto done; + } + debug3("In write loop, got %d offset %llu", len, + (unsigned long long)offset); + + offset += len; + statbytes = offset; + if (progressbar); + (progressbar)(0); + } - if (parse_dispatch_command(fd_in, fd_out, cmd, &pwd)) - break; + if (close(local_fd) == -1) { + error("Couldn't close local file \"%s\": %s", local_path, + strerror(errno)); + do_close(fd_in, fd_out, handle, handle_len); + status = -1; + goto done; } - xfree(pwd); + + /* Override umask and utimes if asked */ + if (pflag) + do_fsetstat(fd_in, fd_out, handle, handle_len, &a); + + status = do_close(fd_in, fd_out, handle, handle_len); + +done: + xfree(handle); + buffer_free(&msg); + + return status; } From wendyp at cray.com Thu Feb 7 09:32:02 2002 
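Review bot: the comment and the error message in do_symlink were carried over from do_rename and still say rename: `/* Send rename request */` and `error("Couldn't rename file \"%s\" to \"%s\": %s", oldpath, newpath, fx2txt(status));` sit right after `buffer_put_char(&msg, SSH2_FXP_SYMLINK);`, so a failed symlink is logged as a failed rename; change both to say symlink so the message names the request that actually failed.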
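Review bot: do_readlink leaks the reply buffer on its error path: after `error("Couldn't readlink: %s", fx2txt(status));` it does `return(NULL);` without the `buffer_free(&msg);` that the success path performs. The attribute from `a = decode_attrib(&msg);` is also assigned but never used (only `longname` is freed afterwards); free the buffer before the early return and drop the unused assignment.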
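Review bot: do_download creates and truncates the local file with `open(local_path, O_WRONLY | O_CREAT | O_TRUNC, mode)` before the remote SSH2_FXP_OPEN has been answered, so when `get_handle()` returns NULL the `handle == NULL` branch closes the descriptor but leaves an empty local file behind; open the remote side first, or unlink the local file on that path. The directory test `(a->perm & S_IFDIR)` also checks a single bit of the S_IFMT field rather than the whole file type, so a socket (S_IFSOCK, 0140000) or a block device (S_IFBLK, 0060000) is rejected as a directory; the removed parse_dispatch_command code used `S_ISDIR(aa->perm)` for the same test, use the macro here as well.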
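Review bot: in the do_upload write loop the trailing semicolon in `if (progressbar);` makes the condition an empty statement, so the following `(progressbar)(0);` runs unconditionally and dereferences a NULL callback whenever a caller passes none (do_download spells the same check correctly as `if (progressbar)` followed by the call); remove the semicolon. In the same loop each SSH2_FXP_WRITE is numbered with `buffer_put_int(&msg, ++id);` instead of drawing from `msg_id++` as every other request in the patch does, so the global counter is never advanced past the ids used for the writes and a later request allocated from msg_id can reuse one of them; this only stays harmless because `get_status(fd_in, id)` waits for each reply before the next request goes out.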
From: wendyp at cray.com (Wendy Palm)
Date: Wed, 06 Feb 2002 16:32:02 -0600
Subject: SFTP Status Bar..
References: <200202062056.g16Kusci002742@etoh.eviladmin.org>
Message-ID: <3C61AEE2.F3B0485A@cray.com>

ok, in that case-

works for multiples on the crays, however, the name of the file isn't making it
in the output

sftp> get f*
/ptmp/wendyp/ftpdir/ 100% |*****************************| 102 KB 00:00
/ptmp/wendyp/ftpdir/ 99% |**************************** | 31770 00:00
/ptmp/wendyp/ftpdir/ 100% |*****************************| 1505 KB 00:01
/ptmp/wendyp/ftpdir/ 100% |*****************************| 91042 00:00
/ptmp/wendyp/ftpdir/ 100% |*****************************| 246 KB 00:01
sftp> quit

(same problem on my redhat linux box)

however, to get it to compile, i had to modify
misc.c/foregroundproc() to

static int
foregroundproc(void)
{
	static pid_t pgrp = -1;
	int ctty_pgrp;

	if (pgrp == -1)
		pgrp = getpgrp();

#ifdef HAVE_TCGETPGRP
	return ((ctty_pgrp = tcgetpgrp(STDOUT_FILENO)) != -1 &&
	    ctty_pgrp == pgrp);
#else
	return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 && ctty_pgrp == pgrp));
#endif
}

mouring wrote:
>
> It is default on, but as what William pointed out single gets
> seem not to trigger it for some odd reason (looking into it now).
>
> - Ben
>

--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From wendyp at cray.com Thu Feb 7 10:43:52 2002
From: wendyp at cray.com (Wendy Palm)
Date: Wed, 06 Feb 2002 17:43:52 -0600
Subject: SFTP Status Bar..
References: <200202062056.g16Kusci002742@etoh.eviladmin.org> <3C61AEE2.F3B0485A@cray.com>
Message-ID: <3C61BFB8.38035CFF@cray.com>

my apologies. after sending the email, i realized it was a field-size issue.
file names show up for shorter pathnames easily. just a weird coincidence.

wendy

Wendy Palm wrote:
>
> ok, in that case-
>
> works for multiples on the crays, however, the name of the file isn't making it
> in the output
> sftp> get f*
> /ptmp/wendyp/ftpdir/ 100% |*****************************| 102 KB 00:00
> /ptmp/wendyp/ftpdir/ 99% |**************************** | 31770 00:00
> /ptmp/wendyp/ftpdir/ 100% |*****************************| 1505 KB 00:01
> /ptmp/wendyp/ftpdir/ 100% |*****************************| 91042 00:00
> /ptmp/wendyp/ftpdir/ 100% |*****************************| 246 KB 00:01
> sftp> quit
>
> (same problem on my redhat linux box)
>
> however, to get it to compile, i had to modify
> misc.c/foregroundproc() to
>
> static int
> foregroundproc(void)
> {
> 	static pid_t pgrp = -1;
> 	int ctty_pgrp;
>
> 	if (pgrp == -1)
> 		pgrp = getpgrp();
>
> #ifdef HAVE_TCGETPGRP
> 	return ((ctty_pgrp = tcgetpgrp(STDOUT_FILENO)) != -1 &&
> 	    ctty_pgrp == pgrp);
> #else
> 	return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 && ctty_pgrp == pgrp));
> #endif
> }
>
> mouring wrote:
> >
> > It is default on, but as what William pointed out single gets
> > seem not to trigger it for some odd reason (looking into it now).
> >
> > - Ben
> >
>
> --
> wendy palm
> Cray OS Sustaining Engineering, Cray Inc.
> wendyp at cray.com, 651-605-9154
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From mouring at etoh.eviladmin.org Thu Feb 7 12:25:45 2002
From: mouring at etoh.eviladmin.org (mouring)
Date: Wed, 6 Feb 2002 19:25:45 -0600 (CST)
Subject: SFTP Status Bar..
In-Reply-To: <3C61BFB8.38035CFF@cray.com> from Wendy Palm at "Feb 6, 2002 05:43:52 pm"
Message-ID: <200202070125.g171Pjuk007147@etoh.eviladmin.org>

I had planned on throwing a strrchr() in there after things were correct.
This is the same behavior as scp. Just let it be noted. =)

As for my last patch.. IGNORE it.. I did not mean to diff sftp-int against
sftp-client. Just in a rush between a low point of another project. I'll
get a complete patch out later.

- Ben

> my apologies. after sending the email, i realized it was a field-size issue.
> file names show up for shorter pathnames easily. just a weird coincidence.
>
> wendy
>
>
> Wendy Palm wrote:
> >
> > ok, in that case-
> >
> > works for multiples on the crays, however, the name of the file isn't making it
> > in the output
> > sftp> get f*
> > /ptmp/wendyp/ftpdir/ 100% |*****************************| 102 KB 00:00
> > /ptmp/wendyp/ftpdir/ 99% |**************************** | 31770 00:00
> > /ptmp/wendyp/ftpdir/ 100% |*****************************| 1505 KB 00:01
> > /ptmp/wendyp/ftpdir/ 100% |*****************************| 91042 00:00
> > /ptmp/wendyp/ftpdir/ 100% |*****************************| 246 KB 00:01
> > sftp> quit
> >
> > (same problem on my redhat linux box)
> >
> > however, to get it to compile, i had to modify
> > misc.c/foregroundproc() to
> >
> > static int
> > foregroundproc(void)
> > {
> > 	static pid_t pgrp = -1;
> > 	int ctty_pgrp;
> >
> > 	if (pgrp == -1)
> > 		pgrp = getpgrp();
> >
> > #ifdef HAVE_TCGETPGRP
> > 	return ((ctty_pgrp = tcgetpgrp(STDOUT_FILENO)) != -1 &&
> > 	    ctty_pgrp == pgrp);
> > #else
> > 	return ((ioctl(STDOUT_FILENO, TIOCGPGRP, &ctty_pgrp) != -1 && ctty_pgrp == pgrp));
> > #endif
> > }
> >
> > mouring wrote:
> > >
> > > It is default on, but as what William pointed out single gets
> > > seem not to trigger it for some odd reason (looking into it now).
> > >
> > > - Ben
> > >
> >
> > --
> > wendy palm
> > Cray OS Sustaining Engineering, Cray Inc.
> > wendyp at cray.com, 651-605-9154
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
> --
> wendy palm
> Cray OS Sustaining Engineering, Cray Inc.
> wendyp at cray.com, 651-605-9154
>

From bugzilla-daemon at mindrot.org Thu Feb 7 14:43:20 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 7 Feb 2002 14:43:20 +1100 (EST)
Subject: [Bug 104] [WISHLIST] sftpfs?
Message-ID: <20020207034320.5B650E951@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=104

------- Additional Comments From dan at doxpara.com 2002-02-07 14:43 -------
If I remember right, it didn't seem too hard to adapt smbfs/smbmount to
operate over SSH. I'll document this later, even if it only works on Linux.
For Windows, smb connections are portlocked to 139, but an intermediary
system on one subnet can expose systems on another. There's a project,
nbfw (netbios forward), that allows some pretty large scale windows
networking forwarding. Again, I'll be documenting this later.

The real problem is that there's no simple/cross platform VFS subsystem that
doesn't require serious kernel knowledge to interface with. There *are* some
interesting systems that we could try to interface sftp with, but in the end,
fixing client side VFS isn't our domain.

--Dan

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Feb 7 16:55:36 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 7 Feb 2002 16:55:36 +1100 (EST)
Subject: [Bug 107] New: syntax error in 'configure' under Solaris 8
Message-ID: <20020207055536.80A73E989@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=107

           Summary: syntax error in 'configure' under Solaris 8
           Product: Portable OpenSSH
           Version: 3.0.2p1
          Platform: Sparc
        OS/Version: Solaris
            Status: NEW
          Severity: major
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: brian at bluecoat93.org

Unable to run even 'configure --help' on Solaris 8:

bash-2.04# pwd
/sw/build/openssh-3.0.2p1
bash-2.04# uname -a
SunOS hardcase 5.8 Generic_108528-03 sun4u sparc
bash-2.04# ./configure
./configure: syntax error at line 53: `else' unexpected

Explicitly running configure under bash gets a bit farther, but still fails:

bash-2.04# bash ./configure
checking for gcc... gcc
checking for C compiler default output... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for executable suffix...
checking for object suffix... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
configure: error: cannot run /bin/sh ./config.sub

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Feb 7 20:51:54 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 7 Feb 2002 20:51:54 +1100 (EST)
Subject: [Bug 105] scp protocol 2 over a hippi interface takes 6 times longer
Message-ID: <20020207095154.C101FE904@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=105

------- Additional Comments From pas50 at cam.ac.uk 2002-02-07 20:51 -------
time `cat lapack.ibm.tar.gz | ssh -1 -c 3des hodgkin 'cat > f' `
10.6u 0.6s 0:24 45% 954+790k 0+0io 0pf+0w

time `cat lapack.ibm.tar.gz | ssh -2 -c 3des-cbc hodgkin 'cat > f2' `
8.9u 0.7s 2:40 6% 929+631k 0+0io 0pf+0w

My colleague has done some investigating and has found something up with
select.

"I have added some diagnostics to packet.c and clientloop.c. It is clear
that the slow select calls are not working properly - in particular, they
are returning after about 0.2 seconds WITHOUT having set a descriptor.
Subsequent calls work. It seems to be input from the connexion that is the
problem. I suspect a failure to communicate from the HiPPI driver, which
then triggers a timeout."

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From openssh at jguk.org Thu Feb 7 21:38:20 2002
From: openssh at jguk.org (openssh)
Date: Thu, 07 Feb 2002 19:38:20 +0900
Subject: [openssh-dev]: disable ProxyCommand from being used?
Message-ID: <3C62591C.3010205@jguk.org>

Hello,

Is there a way to disable the ProxyCommand from being used?

I am currently on a local lan, but all my ssh goes through the firewall
machine to get back to my laptop sitting next to me..

I have spoken to Goto-san and he does not know of a current solution to
this problem.

JG

From openssh at jguk.org Thu Feb 7 21:40:34 2002
From: openssh at jguk.org (openssh)
Date: Thu, 07 Feb 2002 19:40:34 +0900
Subject: [openssh-dev]: Updated SOCKS / SSH guide
Message-ID: <3C6259A2.8030207@jguk.org>

hello

I have attached an updated version of my guide to using ssh through a
socks server. I have incorporated feedback from several people.

Please can this be hosted on openssh.com ?

JG

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-socks-0.3.html.gz
Type: application/gzip
Size: 3004 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020207/00a9cd7f/attachment.bin

From markus at openbsd.org Thu Feb 7 21:58:57 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 7 Feb 2002 11:58:57 +0100
Subject: [openssh-dev]: disable ProxyCommand from being used?
In-Reply-To: <3C62591C.3010205@jguk.org>
References: <3C62591C.3010205@jguk.org>
Message-ID: <20020207105857.GA8707@faui02>

On Thu, Feb 07, 2002 at 07:38:20PM +0900, openssh wrote:
> Hello,
>
> Is there a way to disable the ProxyCommand from being used?
>
> I am currently on a local lan, but all my ssh goes through the firewall
> machine to get back to my laptop sitting next to me..
>
> I have spoken to Goto-san and he does not know of a current solution to
> this problem.

i don't understand you problem.

if you don't want to use it, why do you use it?

or is it triggered by ssh_config ?

they you can overwrite the config with your .ssh/config.

From markus at openbsd.org Thu Feb 7 22:07:05 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 7 Feb 2002 12:07:05 +0100
Subject: [openssh-dev]: disable ProxyCommand from being used?
In-Reply-To: <20020207105857.GA8707@faui02>
References: <3C62591C.3010205@jguk.org> <20020207105857.GA8707@faui02>
Message-ID: <20020207110704.GB8707@faui02>

On Thu, Feb 07, 2002 at 11:58:57AM +0100, Markus Friedl wrote:
> On Thu, Feb 07, 2002 at 07:38:20PM +0900, openssh wrote:
> > Hello,
> >
> > Is there a way to disable the ProxyCommand from being used?
> >
> > I am currently on a local lan, but all my ssh goes through the firewall
> > machine to get back to my laptop sitting next to me..
> >
> > I have spoken to Goto-san and he does not know of a current solution to
> > this problem.
>
> i don't understand you problem.

s/you/your/

> if you don't want to use it, why do you use it?
>
> or is it triggered by ssh_config ?
>
> they you can overwrite the config with your .ssh/config.

s/they/then/

From dan at doxpara.com Thu Feb 7 22:18:53 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Thu, 7 Feb 2002 03:18:53 -0800
Subject: [openssh-dev]: disable ProxyCommand from being used?
References: <3C62591C.3010205@jguk.org> <20020207105857.GA8707@faui02>
Message-ID: <014d01c1afc9$399de160$1701000a@effugas>

> i don't understand you problem.
>
> if you don't want to use it, why do you use it?
>
> or is it triggered by ssh_config ?
>
> they you can overwrite the config with your .ssh/config.

Sounds like the majority of the time, he's connecting to hosts that require
proxy support to connect to. Occasionally though, he connects to something
on his local subnet, and would rather go directly. Using a .ssh/config
would override his remote connections, and:

ssh -o ProxyCommand="" user at host

...doesn't work.

There are four possible solutions that come to mind:

1) Have a separate config file, ssh_noproxy, then do: ssh -f ~/ssh_noproxy
user at host
2) Find some way to use the weak conditionals in the config file to only
apply the ProxyCommand to hosts outside the present subnet. I don't think
this is possible.
3) Create a shell script, sshp, with the following command:
#!/usr/bin/bash
exec ssh -o ProxyCommand %h %p $@
then use sshp instead of ssh whenever accessing ssh using a proxy
4) Add null proxy parsing so that command line can eliminate the
proxycommand entirely.

--dan

From markus at openbsd.org Thu Feb 7 22:30:51 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 7 Feb 2002 12:30:51 +0100
Subject: [openssh-dev]: disable ProxyCommand from being used?
In-Reply-To: <014d01c1afc9$399de160$1701000a@effugas>
References: <3C62591C.3010205@jguk.org> <20020207105857.GA8707@faui02> <014d01c1afc9$399de160$1701000a@effugas>
Message-ID: <20020207113051.GC8707@faui02>

$ cat .ssh/config
Host bla-noproxy
	Hostname bla
	...
$ ssh bla-noproxy

On Thu, Feb 07, 2002 at 03:18:53AM -0800, Dan Kaminsky wrote:
> > i don't understand you problem.
> >
> > if you don't want to use it, why do you use it?
> >
> > or is it triggered by ssh_config ?
> >
> > they you can overwrite the config with your .ssh/config.
>
> Sounds like the majority of the time, he's connecting to hosts that require
> proxy support to connect to. Occasionally though, he connects to something
> on his local subnet, and would rather go directly. Using a .ssh/config
> would override his remote connections, and:
>
> ssh -o ProxyCommand="" user at host
>
> ...doesn't work.
>
> There are four possible solutions that come to mind:
>
> 1) Have a separate config file, ssh_noproxy, then do: ssh -f ~/ssh_noproxy
> user at host
> 2) Find some way to use the weak conditionals in the config file to only
> apply the ProxyCommand to hosts outside the present subnet. I don't think
> this is possible.
> 3) Create a shell script, sshp, with the following command:
> #!/usr/bin/bash
> exec ssh -o ProxyCommand %h %p $@
> then use sshp instead of ssh whenever accessing ssh using a proxy
> 4) Add null proxy parsing so that command line can eliminate the
> proxycommand entirely.
>
> --dan
>
>

From gotoh at taiyo.co.jp Thu Feb 7 23:30:41 2002
From: gotoh at taiyo.co.jp (Shun-ichi GOTO)
Date: Thu, 07 Feb 2002 21:30:41 +0900 (JST)
Subject: [openssh-dev]: disable ProxyCommand from being used?
In-Reply-To: <014d01c1afc9$399de160$1701000a@effugas>
References: <3C62591C.3010205@jguk.org> <20020207105857.GA8707@faui02> <014d01c1afc9$399de160$1701000a@effugas>
Message-ID: <20020207.213041.65409120.gotoh@taiyo.co.jp>

>>>>> at Thu, 7 Feb 2002 03:18:53 -0800
>>>>> dan == "Dan Kaminsky" said,

dan> ssh -o ProxyCommand="" user at host
dan> ...doesn't work.

When I talked with him, I didn't have a fine solution. But now I have one
solution for a limited case.

If you want to use the proxy command only for outside the wall, write
~/.ssh/config like this:

-----begin-----
Host !*.local.net
ProxyCommand connect -S firewall.local.net %h %s
----- end -----

I think this is enough for almost all users.

Or, another solution is:

-----begin-----
### using proxy command with direct connection
Host *.local.net
ProxyCommand connect %h %s
### using proxy command with SOCKS connection
Host *
ProxyCommand connect -S firewall.local.net %h %s
----- end -----

---
Regards,
Shun-ichi Goto
R&D Group, TAIYO Corp., Tokyo, JAPAN

From johan.legros at canal-plus.fr Fri Feb 8 01:02:41 2002
From: johan.legros at canal-plus.fr (johan.legros at canal-plus.fr)
Date: Thu, 07 Feb 2002 15:02:41 +0100
Subject: chroot patch for openssh 3.0.2p1
Message-ID: <3C628901.24EC505@canal-plus.fr>

Hi all,

I'm running openssh 3.0.2p1 and it seems that the chroot patch delivered in
the /contrib folder of the portable distrib does not apply to this release.
Does anyone know if i can find an updated patch.

Thanks

--
Johan LEGROS
Direction Informatique Réseau & Télécom
Tel : +33 1 71 71 56 62
Fax : +33 1 71 71 55 77
Email : jlegros at canal-plus.fr
URL : www.canalplus-technologies.com
CANAL+ TECHNOLOGIES
34 place Raoul Dautry
75906 PARIS CEDEX 15

From Nicolas.Williams at ubsw.com Fri Feb 8 01:39:46 2002
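The two ~/.ssh/config variants in Shun-ichi Goto's message earlier in this thread can be checked offline with the following model of how ssh_config(5) matches Host lines; it is an added example, not code from the thread or from OpenSSH. It shows that a Host line carrying only a negated pattern never activates (the first variant also needs a positive pattern, "Host !*.local.net *"), while the layered second variant works because ssh keeps the first value obtained for each keyword. Assumed: ssh's %h and %p expansion tokens, the constructed host names, and the matching rules of current OpenSSH rather than the 2002 release under discussion.

```python
"""Model of ssh_config(5) Host matching and ProxyCommand selection.

Added example, not OpenSSH code.  Two rules are modelled:
  * a Host line activates when the host matches one of its patterns, but a
    match on a "!"-negated pattern vetoes the line, so a line with only
    negated patterns never activates;
  * for every keyword the first value obtained wins, so specific Host
    blocks must precede "Host *".
Assumed: ssh's %h/%p tokens, constructed host names, current OpenSSH rules.
"""
import fnmatch

# Constructed configs mirroring the variants discussed in the thread.
NEGATION_ONLY = """
Host !*.local.net
    ProxyCommand connect -S firewall.local.net %h %p
"""

NEGATION_WITH_WILDCARD = """
Host !*.local.net *
    ProxyCommand connect -S firewall.local.net %h %p
"""

LAYERED = """
# direct connection inside the LAN, SOCKS through the firewall elsewhere
Host *.local.net
    ProxyCommand connect %h %p
Host *
    ProxyCommand connect -S firewall.local.net %h %p
"""


def host_line_matches(host, patterns):
    """True if a Host line with these patterns applies to host."""
    positive = False
    for pat in patterns:
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if fnmatch.fnmatchcase(host, pat):
            if negated:
                return False      # a negated hit vetoes the whole line
            positive = True
    return positive               # no positive hit: the line does not apply


def resolve(config_text, host):
    """Return {keyword: value} as ssh would obtain it for host."""
    host = host.lower()           # ssh lowercases the host before matching
    active = True                 # options before any Host line apply to all
    obtained = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            active = host_line_matches(host, rest.split())
        elif active and keyword not in obtained:
            obtained[keyword] = rest          # first obtained value wins
    return obtained


def proxy_command(config_text, host, port=22):
    """ProxyCommand ssh would run for host, or None for a direct connection."""
    cmd = resolve(config_text, host).get("proxycommand")
    if cmd is None or cmd.lower() == "none":  # "none" disables the option
        return None
    return cmd.replace("%h", host).replace("%p", str(port))


if __name__ == "__main__":
    configs = (("negation only", NEGATION_ONLY),
               ("negation plus wildcard", NEGATION_WITH_WILDCARD),
               ("layered", LAYERED))
    for name, cfg in configs:
        for host in ("laptop.local.net", "shell.example.com"):
            print(f"{name:24} {host:20} -> {proxy_command(cfg, host)}")
```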
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Thu, 7 Feb 2002 09:39:46 -0500 Subject: SFTP Status Bar.. In-Reply-To: <200202062129.g16LTnfb009964@etoh.eviladmin.org>; from mouring@etoh.eviladmin.org on Wed, Feb 06, 2002 at 03:29:48PM -0600 References: <20020206164858.X27398@sm2p1386swk.wdr.com> <200202062129.g16LTnfb009964@etoh.eviladmin.org> Message-ID: <20020207093944.Y27398@sm2p1386swk.wdr.com>

On Wed, Feb 06, 2002 at 03:29:48PM -0600, mouring wrote:
> > For large files the bar stops at the second * and then does not update
> > until the transfer is complete (put).
> >
> That can easily be resolved.. Just unsure why the same code for
> scp does not do the same thing. The solution is to remove the
> alarm() and family and just move the callback into the big transfer
> loop. Not my favorite idea because it updates TOO quickly IMHO.

If you know the file size ahead of time you can calculate how many transfers have to pass between status bar updates.

> The reason why 'get' for a single case did not show the bar was because
> I put NULL instead of the callback function and forgot to
> change it back.

Yes. I wondered why... oversight.

> > Also, I did "put *"; * matched, among other things, a directory, and
> > sftp exited (not cored).
> >
> sftp-int.c:/* XXX: recursive operations */
>
> Would you like to implement it?

Hmmmm, someday. I don't need this at work, so that makes it hard, but it might be nice to make sftp print an error message and not quit - I might write that up.

> > It would be nice if the protocol had a find-style protocol command.
> >
> UGH.. You want sftpfs not sftp. =P

No, I'm thinking about how you can list a directory and get the files' attributes in one go, now. Adding a find-style operation would be a protocol optimization as much as including attributes in a directory listing is.

> - Ben

--
-DISCLAIMER: an automatically appended disclaimer may follow.
By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. From bugzilla-daemon at mindrot.org Fri Feb 8 04:32:00 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 8 Feb 2002 04:32:00 +1100 (EST) Subject: [Bug 105] scp protocol 2 over a hippi interface takes 6 times longer Message-ID: <20020207173200.3710BE904@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=105

------- Additional Comments From pas50 at cam.ac.uk 2002-02-08 04:31 -------
This is a problem with the Nagle algorithm and a delayed ACK timer. http://www.rs6000.ibm.com/support/sp/perf/nagle21.html describes the problem over an IBM switch, which again is a network with a large MTU. (The same problem occurs using scp over this type of network.) The best solution to this is to be able to have larger packets for networks that can support them.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From ksa at SLAC.Stanford.EDU Fri Feb 8 04:59:19 2002
From: ksa at SLAC.Stanford.EDU (Karl Amrhein) Date: Thu, 07 Feb 2002 09:59:19 -0800 Subject: openssh never cleans out Xauthority Message-ID: <20020207175918.GA5513@slac.stanford.edu>

Why doesn't openssh bother to clean out the entries it places in .Xauthority? The file just keeps growing and growing...

--
Karl Amrhein, | www.slac.stanford.edu/~ksa
SLAC Computing Services, Systems Group | 650.926.5083
Bldg 50, 364

From marya at st.jip.co.jp Fri Feb 8 13:18:11 2002
From: marya at st.jip.co.jp (Shinichi Maruyama) Date: Fri, 08 Feb 2002 11:18:11 +0900 (JST) Subject: [openssh-dev]: disable ProxyCommand from being used? In-Reply-To: <20020207.213041.65409120.gotoh@taiyo.co.jp> References: <20020207105857.GA8707@faui02> <014d01c1afc9$399de160$1701000a@effugas> <20020207.213041.65409120.gotoh@taiyo.co.jp> Message-ID: <20020208.111811.78702833.marya@st.jip.co.jp> gotoh> >>>>> at Thu, 7 Feb 2002 03:18:53 -0800 gotoh> >>>>> dan == "Dan Kaminsky" said, gotoh> gotoh> dan> ssh -o ProxyCommand="" user at host gotoh> dan> ...doesn't work. gotoh> gotoh> When I talk with him, I didn't have fine solution. gotoh> But now I have one solution for limited case. gotoh> If you want to use proxy command only for out side the wall, gotoh> write ~/.ssh/config like this: gotoh> gotoh> -----begin----- gotoh> Host !*.local.net gotoh> ProxyCommand connect -S firewall.local.net %h %s gotoh> ----- end ----- gotoh> gotoh> I think almost users are enough with this. I do want to do this. But Host syntax does not allow '!' for negative match. In readconf.c, I think it's better to use match_hostname() like this (not tested yet). --- readconf.c.orig Tue Feb 5 10:26:35 2002 +++ readconf.c Fri Feb 8 10:25:11 2002 @@ -647,12 +647,17 @@ case oHost: *activep = 0; - while ((arg = strdelim(&s)) != NULL && *arg != '\0') - if (match_pattern(host, arg)) { + while ((arg = strdelim(&s)) != NULL && *arg != '\0') { + int matched = match_hostname(host, arg, strlen(arg)) ; + if (matched == 1) { debug("Applying options for %.100s", arg); *activep = 1; break; + } else if (matched == -1) { /* negative match */ + debug("Not applying options for %.100s", arg); + break; } + } /* Avoid garbage check below, as strdelim is done. */ return 0; -- Sinichi Maruyama Japan Information Processing Service,Co,Ltd. 2-4-24 Toyo, Koto-ku ,Tokyo, 135, Japan From yua at yudesigns.com Fri Feb 8 13:39:59 2002 
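Review bot: in the oHost hunk the `matched == -1` branch changes nothing that the fall-through would not already leave in place (`*activep` was zeroed before the loop), so its only effect is the `break`: a negated token stops the remaining tokens on the same Host line from being examined, which makes `Host !*.local.net *` order-sensitive and deserves a sentence in ssh_config(5). Note also that match_hostname() returns 0, not -1, for a host that merely fails the positive part of `!*.local.net` (host.remote.net), so a line carrying only the negated token never activates the block; since the patch is marked "not tested yet", that case and the `Host !*.local.net *` case are the two to test first. Style nit: `strlen(arg)) ;` has a space before the semicolon.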
From: yua at yudesigns.com (Alex Yu) Date: Thu, 7 Feb 2002 21:39:59 -0500 Subject: feature request in sshd: require both "pubkey" & "password" Message-ID: <000801c1b049$e74192a0$6401000a@monkey>

Hi,

I have a feature request in sshd: a feature that only allows users who pass both public key and password authentication to log in.

Alex

From gotoh at taiyo.co.jp Fri Feb 8 17:07:54 2002
From: gotoh at taiyo.co.jp (Shun-ichi GOTO) Date: Fri, 08 Feb 2002 15:07:54 +0900 (JST) Subject: [openssh-dev]: disable ProxyCommand from being used? In-Reply-To: <20020208.111811.78702833.marya@st.jip.co.jp> References: <014d01c1afc9$399de160$1701000a@effugas> <20020207.213041.65409120.gotoh@taiyo.co.jp> <20020208.111811.78702833.marya@st.jip.co.jp> Message-ID: <20020208.150754.16174647.gotoh@taiyo.co.jp>

>>>>> at Fri, 08 Feb 2002 11:18:11 +0900 (JST)
>>>>> marya == Shinichi Maruyama said,

gotoh> -----begin-----
gotoh> Host !*.local.net
gotoh> ProxyCommand connect -S firewall.local.net %h %s
gotoh> ----- end -----
gotoh>
gotoh> I think almost users are enough with this.

marya> I do want to do this. But Host syntax does not allow '!' for
marya> negative match.
marya> In readconf.c, I think it's better to use match_hostname()
marya> like this (not tested yet).

Yeah, I've tried your patch. Then we can write ~/.ssh/config like this:

-----begin-----
## Apply to any host which does not match "*.local.net"
Host !*.local.net *
  ProxyCommand connect -S firewall.local.net %h %p
----- end -----

## NOTE: The second '*' may be required because "host.remote.net" does not
## match "!*.local.net". That is the behaviour of match_hostname().

But if you use the HostName option as a host alias, the above config might not work as you want. For example, with the config below, the "ssh foo" command applies both entries, so it invokes the proxy command.

-----begin-----
##
Host foo foo.local.net
  HostName foo.local.net

## Apply to any host which does not match "*.local.net"
Host !*.local.net *
  ProxyCommand connect -S firewall.local.net %h %p
----- end -----

As long as we recognize this behaviour, I think your patch can be used to switch use of the proxy command.

---
Regards,
Shun-ichi Goto
R&D Group, TAIYO Corp., Tokyo, JAPAN

From gotoh at taiyo.co.jp Fri Feb 8 18:42:08 2002
From: gotoh at taiyo.co.jp (Shun-ichi GOTO) Date: Fri, 08 Feb 2002 16:42:08 +0900 (JST) Subject: [openssh-dev]: disable ProxyCommand from being used? In-Reply-To: <20020208.150754.16174647.gotoh@taiyo.co.jp> References: <20020207.213041.65409120.gotoh@taiyo.co.jp> <20020208.111811.78702833.marya@st.jip.co.jp> <20020208.150754.16174647.gotoh@taiyo.co.jp> Message-ID: <20020208.164208.78672704.gotoh@taiyo.co.jp> >>>>> at Fri, 08 Feb 2002 15:07:54 +0900 (JST) >>>>> gotoh == Shun-ichi GOTO said, gotoh> -----begin----- gotoh> ## Apply to any host which does not match with "*.local.net" gotoh> Host !*.local.net * gotoh> ProxyCommand connect -S firewall.local.net %h %p gotoh> ----- end ----- gotoh> ## NOTE: Second '*' may be required because "host.remote.net" does not gotoh> ## match with "!*.local.net". It's behaviour of match_hostname(). What's about following patch? Difference is behaviour of matching "host.remote.net" with "!*.local.net". --- readconf.c 7 Nov 2001 01:18:31 -0000 1.1.1.2 +++ readconf.c 8 Feb 2002 07:38:25 -0000 @@ -647,12 +647,16 @@ case oHost: *activep = 0; - while ((arg = strdelim(&s)) != NULL && *arg != '\0') - if (match_pattern(host, arg)) { + while ((arg = strdelim(&s)) != NULL && *arg != '\0') { + int match = match_hostname(host, arg, strlen(arg)); + if (*arg=='!') + match = !match; + if (match) { debug("Applying options for %.100s", arg); *activep = 1; break; } + } /* Avoid garbage check below, as strdelim is done. */ return 0; With this patch, we can specify ProxyCommand option without extra '*' like this: -----begin----- Host !*.local.net ProxyCommand connect -S firewall.local.net %h %s ----- end ----- --- Regards, Shun-ichi Goto R&D Group, TAIYO Corp., Tokyo, JAPAN From gotoh at taiyo.co.jp Fri Feb 8 20:00:26 2002 
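Review bot: `match = !match` works only because match_hostname() already interprets the leading '!' itself and returns -1 (truthy) when the negated pattern matches, so the inversion turns -1 into 0 and 0 into 1; as written the code reads as if the function ignored the '!'. Either strip it before the call (`match = !match_hostname(host, arg + 1, strlen(arg) - 1)`) or add a comment stating the -1 contract. This variant also drops the early `break` on a negated match that the previous patch had, so the remaining tokens on the line are still scanned; pick one precedence rule for mixed lines and document it in ssh_config(5). Style nit: `*arg=='!'` wants spaces around `==`.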
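An added example, not OpenSSH code, that models the oHost matching loop of readconf.c in the three variants this thread compares (the original match_pattern(), Maruyama's match_hostname() patch, and the "!match" patch above), so the host.remote.net case and the "ssh foo" alias case Goto described can be checked offline; the glob, comma-list, '!' and case-insensitivity rules follow OpenSSH's match.c as I understand it, and every name in the block is my own.

```c
/* Added example, not OpenSSH code: a stand-alone model of the oHost matching
 * loop in readconf.c in the three variants from this thread.  Glob ('*', '?'),
 * comma lists, leading '!' negation and case-insensitive comparison follow
 * OpenSSH's match.c as I understand it; every name below is my own. */
#include <ctype.h>
#include <string.h>

enum variant { ORIG, MARUYAMA, GOTO };

/* Glob match of s against p: '*' matches any run, '?' any single character. */
static int glob_match(const char *s, const char *p, int ci)
{
    for (;;) {
        if (*p == '\0')
            return *s == '\0';
        if (*p == '*') {
            while (*p == '*')
                p++;
            if (*p == '\0')
                return 1;
            for (; *s != '\0'; s++)
                if (glob_match(s, p, ci))
                    return 1;
            return 0;
        }
        if (*s == '\0')
            return 0;
        if (*p != '?' && (ci ? tolower((unsigned char)*p) != tolower((unsigned char)*s)
                             : *p != *s))
            return 0;
        s++;
        p++;
    }
}

/* Model of match_hostname()/match_pattern_list(): 1 if host matches a positive
 * sub-pattern, -1 as soon as it matches a negated "!pat", 0 if nothing matched.
 * Note the 0 for host.remote.net against "!*.local.net": not a match at all. */
static int host_match_list(const char *host, const char *list)
{
    char sub[256];
    int got_positive = 0;
    const char *start = list;

    while (*start != '\0') {
        const char *end = strchr(start, ',');
        size_t n = end ? (size_t)(end - start) : strlen(start);
        if (n >= sizeof(sub))
            return 0;                       /* overlong sub-pattern: no match */
        memcpy(sub, start, n);
        sub[n] = '\0';
        if (sub[0] == '!' && glob_match(host, sub + 1, 1))
            return -1;
        if (sub[0] != '!' && glob_match(host, sub, 1))
            got_positive = 1;
        start = end ? end + 1 : start + n;
    }
    return got_positive;
}

/* Evaluate the tokens of one "Host ..." line (keyword stripped) the way each
 * variant's loop does and return the resulting *activep. */
int host_line_active(enum variant v, const char *host, const char *line)
{
    char buf[512];
    char *tok;
    int active = 0, m;

    if (strlen(line) >= sizeof(buf))
        return 0;
    strcpy(buf, line);
    for (tok = strtok(buf, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        if (v == ORIG) {                    /* match_pattern(): '!' is literal */
            if (glob_match(host, tok, 0)) { active = 1; break; }
        } else if (v == MARUYAMA) {         /* -1 stops the scan, 1 activates */
            m = host_match_list(host, tok);
            if (m == 1) { active = 1; break; }
            if (m == -1) break;
        } else {                            /* GOTO: invert when token has '!' */
            m = host_match_list(host, tok);
            if (*tok == '!')
                m = !m;
            if (m) { active = 1; break; }
        }
    }
    return active;
}
```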
From: gotoh at taiyo.co.jp (Shun-ichi GOTO) Date: Fri, 08 Feb 2002 18:00:26 +0900 (JST) Subject: Expansion of hostname Message-ID: <20020208.180026.128231997.gotoh@taiyo.co.jp> # This issue is also related to # Subject: Re: [openssh-dev]: disable ProxyCommand from being used? On reading ~/.ssh/config file, host name which is specified by command line and check with 'Host' line, is constant for the whole of reading. If this host name is expanded by 'HostName' option value, it's worth for making config file simple and usefull 'Host' can be used as alias to 'HostName' value, I think. For example: -----begin----- # options only for foo.some.net Host foo Protorol 1 HostName foo.some.net # options only for bar.some.net Host bar Protocol 2 HostName foo.some.net # options for ALL OF *.some.net hosts including # both foo.some.net and bar.some.net Host *.some.net ForwardAgent yes ----- end ----- Following patch does this behaviour. --- readconf.c 7 Nov 2001 01:18:31 -0000 1.1.1.2 +++ readconf.c 8 Feb 2002 08:04:10 -0000 @@ -720,8 +720,9 @@ default: linenum = 0; while (fgets(line, sizeof(line), f)) { /* Update line number counter. */ + const char *hostname = (options->hostname)? options->hostname: host; linenum++; - if (process_config_line(options, host, line, filename, linenum, &active) != 0) + if (process_config_line(options, hostname, line, filename, linenum, &active) != 0) bad_options++; } fclose(f); Is this behaviour acceptable? --- Regards, Shun-ichi Goto R&D Group, TAIYO Corp., Tokyo, JAPAN From djm at mindrot.org Fri Feb 8 21:51:24 2002 
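Review bot: `hostname` is recomputed on every line, so once any active block has set HostName, every following `Host` line in this file, and in the system-wide ssh_config read afterwards, is matched against the expanded name rather than the command-line alias: a later `Host foo` block silently stops applying and a later `Host *.some.net` block starts applying to aliases it never named. If the expansion is kept, match each Host line against both the alias and options->hostname, or put it behind a new option, and describe it in ssh_config(5). Two smaller points: the declaration is inserted between the `/* Update line number counter. */` comment and the `linenum++` it describes, and in the example config the `Host bar` block sets `HostName foo.some.net` where bar.some.net looks intended.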
From: djm at mindrot.org (Damien Miller) Date: Fri, 8 Feb 2002 21:51:24 +1100 (EST) Subject: [PATCH] Added NoDelay config option and nodelay subsystem option In-Reply-To: Message-ID: On Sat, 2 Feb 2002, Tobias Ringstrom wrote: > On Fri, 1 Feb 2002, mouring wrote: > > > http://www.openssh.com/portable.html has snapshots every night. Yet > > no large mass of people are testing it. > > I think the general public is too lazy to test a new version every day. > The snapshots just before a release will probably get more testing if they > are advertised appropriately, i.e. not lost in the background noise. We usually do call out for testers a few weeks before a release and try to get as much platform coverage as possible. > It may also help to have a (low volume) announcement mailing list for > announcing release candidates as well as releases. We have openssh-unix-announce at mindrot.org, but I have never used it for prerelease announcements. Perhaps this is a good idea... > The Linux release "system" has lots of problem, no doubt. One recent good > thing was the introduction of release candidates. (I know it's nothing > new in other projects.) Ideally, there will be no changes from the > release candidate to the real release. What like 2.4.0 :) -d From markus at openbsd.org Fri Feb 8 21:01:11 2002 
From: markus at openbsd.org (Markus Friedl) Date: Fri, 8 Feb 2002 11:01:11 +0100 Subject: [openssh-dev]: disable ProxyCommand from being used? In-Reply-To: <20020208.111811.78702833.marya@st.jip.co.jp>; from marya@st.jip.co.jp on Fri, Feb 08, 2002 at 11:18:11AM +0900 References: <20020207105857.GA8707@faui02> <014d01c1afc9$399de160$1701000a@effugas> <20020207.213041.65409120.gotoh@taiyo.co.jp> <20020208.111811.78702833.marya@st.jip.co.jp> Message-ID: <20020208110111.A9695@folly> yes, that's a good idea. it will also make matching case-insensitive. On Fri, Feb 08, 2002 at 11:18:11AM +0900, Shinichi Maruyama wrote: > --- readconf.c.orig Tue Feb 5 10:26:35 2002 > +++ readconf.c Fri Feb 8 10:25:11 2002 > @@ -647,12 +647,17 @@ > > case oHost: > *activep = 0; > - while ((arg = strdelim(&s)) != NULL && *arg != '\0') > - if (match_pattern(host, arg)) { > + while ((arg = strdelim(&s)) != NULL && *arg != '\0') { > + int matched = match_hostname(host, arg, strlen(arg)) ; > + if (matched == 1) { > debug("Applying options for %.100s", arg); > *activep = 1; > break; > + } else if (matched == -1) { /* negative match */ > + debug("Not applying options for %.100s", arg); > + break; > } > + } > /* Avoid garbage check below, as strdelim is done. */ > return 0; > > -- > Sinichi Maruyama > Japan Information Processing Service,Co,Ltd. > 2-4-24 Toyo, Koto-ku ,Tokyo, 135, Japan > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From markus at openbsd.org Fri Feb 8 23:59:21 2002 
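Review bot: the switch from match_pattern() to match_hostname() changes more than case sensitivity: match_hostname() goes through match_pattern_list(), which also splits each token on ',' and recognises '!' inside that list, so `Host a,b` and `Host !a,*` acquire a meaning they did not have before (to match_pattern() the comma was a literal character). Worth stating in the commit message and in ssh_config(5) alongside the case-insensitivity note, and worth one test each for a comma-separated token and for a mixed-case `Host Foo` against the command-line name foo, which now matches.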
From: markus at openbsd.org (Markus Friedl) Date: Fri, 8 Feb 2002 13:59:21 +0100 Subject: x509 for hostkeys. In-Reply-To: <20020131120909.A28305@folly> References: <20020131120909.A28305@folly> Message-ID: <20020208125921.GA8045@faui02> who did try this? no success stories? no feedback? no comments? no x509 in openssh-3.1? On Thu, Jan 31, 2002 at 12:09:10PM +0100, Markus Friedl wrote: > This (very quick) patch allows you to connect with the commercial > ssh.com windows client and use x509 certs for hostkeys. You have > to import your CA cert (ca.crt) in the windows client and certify > your hostkey: From markus at openbsd.org Sat Feb 9 00:03:16 2002 From: markus at openbsd.org (Markus Friedl) Date: Fri, 8 Feb 2002 14:03:16 +0100 Subject: Expansion of hostname In-Reply-To: <20020208.180026.128231997.gotoh@taiyo.co.jp>; from gotoh@taiyo.co.jp on Fri, Feb 08, 2002 at 06:00:26PM +0900 References: <20020208.180026.128231997.gotoh@taiyo.co.jp> Message-ID: <20020208140316.A894@folly> On Fri, Feb 08, 2002 at 06:00:26PM +0900, Shun-ichi GOTO wrote: > --- readconf.c 7 Nov 2001 01:18:31 -0000 1.1.1.2 > +++ readconf.c 8 Feb 2002 08:04:10 -0000 > @@ -720,8 +720,9 @@ default: > linenum = 0; > while (fgets(line, sizeof(line), f)) { > /* Update line number counter. */ > + const char *hostname = (options->hostname)? options->hostname: host; > linenum++; > - if (process_config_line(options, host, line, filename, linenum, &active) != 0) > + if (process_config_line(options, hostname, line, filename, linenum, &active) != 0) > bad_options++; > } > fclose(f); > > > > Is this behaviour acceptable? i think this will break many config files. From mstone at cs.loyola.edu Sat Feb 9 00:30:18 2002 
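Review bot: a concrete case behind the "will break many config files" concern, for the quoted hunk: ~/.ssh/config is processed before /etc/ssh/ssh_config, so after the user file has expanded `foo` to foo.some.net, an admin's `Host foo` block in the system file no longer matches, while a system `Host *.some.net` block now applies to the alias; and because `hostname` is re-evaluated per line, what a Host line matches depends on which blocks sit above it. An opt-in keyword that matches against options->hostname in addition to `host` would keep existing files working.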
From: mstone at cs.loyola.edu (Michael Stone) Date: Fri, 8 Feb 2002 08:30:18 -0500 Subject: x509 for hostkeys. In-Reply-To: <20020208125921.GA8045@faui02>; from markus@openbsd.org on Fri, Feb 08, 2002 at 01:59:21PM +0100 References: <20020131120909.A28305@folly> <20020208125921.GA8045@faui02> Message-ID: <20020208083018.T20374@justice.loyola.edu> On Fri, Feb 08, 2002 at 01:59:21PM +0100, Markus Friedl wrote: > who did try this? > no success stories? > no feedback? > no comments? > no x509 in openssh-3.1? maybe openssh (and putty) are successful enough that no one cares about the commercial windows client. :) -- Mike Stone From mstone at cs.loyola.edu Sat Feb 9 00:35:12 2002 From: mstone at cs.loyola.edu (Michael Stone) Date: Fri, 8 Feb 2002 08:35:12 -0500 Subject: 3.0.2p1 under IRIX (coredumps) In-Reply-To: <3686972744.1013004287@jblaine-pc.MITRE.ORG>; from jblaine@mitre.org on Wed, Feb 06, 2002 at 02:04:47PM -0500 References: <3686972744.1013004287@jblaine-pc.MITRE.ORG> Message-ID: <20020208083512.U20374@justice.loyola.edu> On Wed, Feb 06, 2002 at 02:04:47PM -0500, Jeff Blaine wrote: > Please? Anyone? Who handles the "Yes, OpenSSH works under IRIX" > claim on the OpenSSH page? I really would like to get this to > build and run properly :< Any comments would be great, even if it's > "I can't look into this for a week or two, but will get back to you." It works for a number of people. No one else can duplicate the problem. Your dbx output is far from illuminating. Could you try building with mipspro (you didn't mention the version, or the OS patchlevel for that matter) with debugging enabled in the CFLAGS to see if you can get a more useful dump? -- Mike Stone From bugzilla-daemon at mindrot.org Sat Feb 9 00:53:34 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 9 Feb 2002 00:53:34 +1100 (EST) Subject: [Bug 68] Manpage for ssh-add and scp missing after "make install" Message-ID: <20020208135334.7AE64EA87@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=68 ------- Additional Comments From Todd.Bowden at atosorigin.com 2002-02-09 00:53 ------- The comments are below. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Feb 9 01:54:52 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 9 Feb 2002 01:54:52 +1100 (EST) Subject: [Bug 68] Manpage for ssh-add and scp missing after "make install" Message-ID: <20020208145452.C0F15E9A1@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=68 ------- Additional Comments From djm at mindrot.org 2002-02-09 01:54 ------- Did you run "make install" as root? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Feb 9 02:09:07 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 9 Feb 2002 02:09:07 +1100 (EST) Subject: [Bug 105] scp protocol 2 over a hippi interface takes 6 times longer Message-ID: <20020208150907.E1F87EA98@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=105

------- Additional Comments From pas50 at cam.ac.uk 2002-02-09 02:09 -------
Changing channels.h

#define CHAN_SES_WINDOW_DEFAULT (32*1024)
#define CHAN_TCP_WINDOW_DEFAULT (32*1024)

to

#define CHAN_SES_WINDOW_DEFAULT (256*1024)
#define CHAN_TCP_WINDOW_DEFAULT (256*1024)

fixes the buffer problem. Scp is still 8 times slower than rcp. The time isn't used in CPU so there is still scope for improvement.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From mdecker77 at aol.com Sat Feb 9 02:04:38 2002
From: mdecker77 at aol.com (Martin Decker) Date: Fri, 8 Feb 2002 16:04:38 +0100 (CET) Subject: SCP Problem with OpenSSH 3.0.2p1 linux->solaris Message-ID:

Hello,

I am experiencing scp hangs. This command is executed:

system("/usr/bin/scp -v -v -v -C root\@$ip:$LOG_DIR_CLIENT$SYSTEM_LOG"."_transfer $LOG_DIR_SERVER$SYSTEM_LOG-$ip >$SSH_STEP3_LOG 2>&1");

from within a perl script.

From Nicolas.Williams at ubsw.com Sat Feb 9 02:43:53 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Fri, 8 Feb 2002 10:43:53 -0500 Subject: SCP Problem with OpenSSH 3.0.2p1 linux->solaris In-Reply-To: ; from mdecker77@aol.com on Fri, Feb 08, 2002 at 04:04:38PM +0100 References: Message-ID: <20020208104351.Z27398@sm2p1386swk.wdr.com>

The server is not sending a close message after receiving the client's ieof. I wonder if that might be a result of the SIGCHLD race.

Try this: find the sshd corresponding to a hanging connection, then see if it has a defunct child, and, if it does, kill -CHLD that sshd's pid. If the connection then closes and the client exits then this is the SIGCHLD race bug. Search the list for posts from Markus Friedl with "suggested fix for the sigchld race" as the Subject:; you'll find a patch that fixes the problem.

Cheers,

Nico

--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

From ed at UDel.Edu Sat Feb 9 03:15:05 2002
From: ed at UDel.Edu (Ed Phillips) Date: Fri, 8 Feb 2002 11:15:05 -0500 (EST) Subject: x509 for hostkeys. In-Reply-To: <20020208125921.GA8045@faui02> Message-ID: Sorry to take so long... I fully intend to test this ASAP... I just haven't gotten the time yet ("real" work on other things intrudes). On Fri, 8 Feb 2002, Markus Friedl wrote: > Date: Fri, 8 Feb 2002 13:59:21 +0100 > From: Markus Friedl > To: openssh-unix-dev at mindrot.org > Subject: Re: x509 for hostkeys. > > who did try this? > no success stories? > no feedback? > no comments? > no x509 in openssh-3.1? > > On Thu, Jan 31, 2002 at 12:09:10PM +0100, Markus Friedl wrote: > > This (very quick) patch allows you to connect with the commercial > > ssh.com windows client and use x509 certs for hostkeys. You have > > to import your CA cert (ca.crt) in the windows client and certify > > your hostkey: > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > Ed Phillips University of Delaware (302) 831-6082 Systems Programmer III, Network and Systems Services finger -l ed at polycut.nss.udel.edu for PGP public key From ed at UDel.Edu Sat Feb 9 03:17:19 2002 From: ed at UDel.Edu (Ed Phillips) Date: Fri, 8 Feb 2002 11:17:19 -0500 (EST) Subject: x509 for hostkeys. In-Reply-To: <20020208083018.T20374@justice.loyola.edu> Message-ID: On Fri, 8 Feb 2002, Michael Stone wrote: > Date: Fri, 8 Feb 2002 08:30:18 -0500 
> From: Michael Stone > To: openssh-unix-dev at mindrot.org > Subject: Re: x509 for hostkeys. > > On Fri, Feb 08, 2002 at 01:59:21PM +0100, Markus Friedl wrote: > > who did try this? > > no success stories? > > no feedback? > > no comments? > > no x509 in openssh-3.1? > > maybe openssh (and putty) are successful enough that no one cares about > the commercial windows client. :) What do you mean? Does putty support X.509 host key certificates? Ed Ed Phillips University of Delaware (302) 831-6082 Systems Programmer III, Network and Systems Services finger -l ed at polycut.nss.udel.edu for PGP public key From mdecker77 at aol.com Sat Feb 9 03:49:09 2002 
From: mdecker77 at aol.com (Martin Decker) Date: Fri, 8 Feb 2002 17:49:09 +0100 (CET) Subject: SCP Problem with OpenSSH 3.0.2p1 linux->solaris In-Reply-To: <20020208112252.T27171@sm2p1386swk.wdr.com> Message-ID:

Hi again,

I tried it out:

I do have a defunct child:

  pid   ppid
  23353 1499 /usr/local/sbin/sshd

ps -ef|grep 23353
  root 23354 23353 0 0:00

kill -l
  1) SIGHUP 2) SIGINT 3) SIGQUIT 4) SIGILL 5) SIGTRAP 6) SIGABRT 7) SIGEMT 8) SIGFPE 9) SIGKILL 10) SIGBUS 11) SIGSEGV 12) SIGSYS 13) SIGPIPE 14) SIGALRM 15) SIGTERM 16) SIGUSR1 17) SIGUSR2 18) SIGCHLD 19) SIGPWR 20) SIGWINCH 21) SIGURG 22) SIGIO 23) SIGSTOP 24) SIGTSTP 25) SIGCONT 26) SIGTTIN 27) SIGTTOU 28) SIGVTALRM 29) SIGPROF 30) SIGXCPU 31) SIGXFSZ 32) SIGWAITING 33) SIGLWP 34) SIGFREEZE 35) SIGTHAW 36) SIGCANCEL

shows 18 for SIGCHLD.

But kill -SIGCHLD 23354 or kill -18 23354 does not kill the defunct process. My script still hangs after the kill.

Any ideas?

Martin

// Martin Decker, Systems Engineer, Data Center Operations //
// AOL Germany, Dingolfinger-Str. 2-4, D-81673 Munich, Germany //
// AIM: mdecker77 mail: mdecker77 at aol.com ICQ: 15620821 //
// Phone:+49.8966572214 //

On Fri, 8 Feb 2002, Nicolas Williams wrote:
> On Fri, Feb 08, 2002 at 05:10:57PM +0100, Martin Decker wrote:
> > hi nico,
> >
> > thanks for your ultra-quick reply! ;-)
>
> Was that it?
>
> > is this bug also related to hangs of remote ssh commands, e.g.:
> >
> > ${SSH} -v ${TARGET} "${CHOWN} -R services:services ${out_dir}
> >/dev/null 2>&1" >> ${LOGFILE} 2>&1
> >
> > Or is the sigchld race only concerning scp commands?
>
> No, this bug affects any use of SSH where remote commands are run, and
> that includes scp and sftp and interactive ssh logins and specifying a
> remote command on the ssh command line.
>
> And it affects all platforms, though some less than others as it's a
> timing issue. The fix is easy and the patch has been posted (thanks to
> Markus) and I bet the next release will include it.
>
> BTW, I'm not a member of the OpenSSH devl team...
>
> > Thanks in advance,
> >
> > Martin
>
> Cheers,
>
> Nico
> --
>

From Nicolas.Williams at ubsw.com Sat Feb 9 03:52:50 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Fri, 8 Feb 2002 11:52:50 -0500 Subject: SCP Problem with OpenSSH 3.0.2p1 linux->solaris In-Reply-To: ; from mdecker77@aol.com on Fri, Feb 08, 2002 at 05:49:09PM +0100 References: <20020208112252.T27171@sm2p1386swk.wdr.com> Message-ID: <20020208115249.W27171@sm2p1386swk.wdr.com>

On Fri, Feb 08, 2002 at 05:49:09PM +0100, Martin Decker wrote:
> Hi again,
>
> i tried it out:
>
> i do have a defunct child:
> pid ppid
> 23353 1499 /usr/local/sbin/sshd
>
> shows 18 for SIGCHLD.
>
> but kill -SIGCHLD 23354 or kill -18 23354 does not kill the defunct
> process. My script still hangs after the kill.

Send the signal to the sshd. That tells the sshd that there's a defunct child process to clean up. The bug is that the sshd missed that signal when the kernel generated it automatically.

> Any ideas?
>
> Martin

Nico

--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
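An added example, not OpenSSH code and not the patch Nico refers to, showing the shape of the race he describes: a SIGCHLD handler that only sets a flag loses a signal that arrives between the flag check and select(), while a handler that also writes into a pipe select() watches does not. The pipe technique is the standard self-pipe pattern used here as an illustration; the function names, the global last_timeouts and the artificial "window" are mine.

```c
/* Added example, not OpenSSH code and not Markus's patch: a model of the
 * "SIGCHLD race" and of the self-pipe fix.  wait_for_child() plays sshd's main
 * loop, the forked child plays the user's command, and the artificial window
 * (a sleep between the flag check and select()) is mine, inserted so that the
 * race happens every time instead of once in a while. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/select.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static volatile sig_atomic_t child_terminated = 0;
static int notify_pipe[2] = { -1, -1 };
int last_timeouts;              /* select() timeouts seen by the last call */

/* Racy handler: only raises a flag.  A SIGCHLD that lands after the loop has
 * tested the flag but before select() blocks wakes nobody, so the child stays
 * <defunct> until some other event, or a manual kill -CHLD, comes along. */
static void sigchld_flag_only(int sig)
{
    child_terminated = 1;
}

/* Race-free handler: also writes a byte into a pipe that select() watches,
 * so a SIGCHLD delivered inside the window still makes select() return. */
static void sigchld_notify(int sig)
{
    int saved = errno;
    child_terminated = 1;
    if (notify_pipe[1] != -1)
        (void)write(notify_pipe[1], "", 1);
    errno = saved;
}

/* Fork a child that exits with `code` once told to, then wait for it in a
 * select() loop.  use_pipe chooses the handler and puts the notify pipe in
 * the read set.  A real sshd blocks in select() with no timeout, so every
 * timeout counted here would have been a hang.  Returns the child's exit
 * code, or -1 on error. */
int wait_for_child(int use_pipe, int window_ms, int code)
{
    struct sigaction sa;
    struct timespec window = { window_ms / 1000, (window_ms % 1000) * 1000000L };
    int go[2], status = -1, spins = 0;
    pid_t pid;

    last_timeouts = 0; child_terminated = 0;
    if (pipe(go) == -1 || (use_pipe && pipe(notify_pipe) == -1))
        return -1;
    if (use_pipe) {                         /* the handler must never block */
        fcntl(notify_pipe[0], F_SETFL, O_NONBLOCK); fcntl(notify_pipe[1], F_SETFL, O_NONBLOCK);
    }
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = use_pipe ? sigchld_notify : sigchld_flag_only;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGCHLD, &sa, NULL) == -1 || (pid = fork()) == -1)
        return -1;
    if (pid == 0) {                         /* child: wait for "go", then exit */
        char c;
        close(go[1]);
        (void)read(go[0], &c, 1);
        _exit(code);
    }
    close(go[0]);
    while (spins++ < 10) {
        fd_set rfds;
        struct timeval tv = { 1, 0 };
        int nfds = 0;
        char buf[64];
        if (child_terminated) {             /* the check sshd does... */
            child_terminated = 0;
            if (waitpid(pid, &status, WNOHANG) == pid)
                break;
        }
        if (go[1] != -1) {                  /* first pass: open the window */
            (void)write(go[1], "x", 1);
            close(go[1]);
            go[1] = -1;
            nanosleep(&window, NULL);       /* ...SIGCHLD lands in here... */
        }
        FD_ZERO(&rfds);
        if (use_pipe) {
            FD_SET(notify_pipe[0], &rfds);
            nfds = notify_pipe[0] + 1;
        }
        if (select(nfds, &rfds, NULL, NULL, &tv) == 0)  /* ...before select() */
            last_timeouts++;
        if (use_pipe)
            while (read(notify_pipe[0], buf, sizeof(buf)) > 0)
                ;                           /* drain the wake-up bytes */
    }
    if (use_pipe) {
        close(notify_pipe[0]); close(notify_pipe[1]);
        notify_pipe[0] = notify_pipe[1] = -1;
    }
    return status == -1 ? -1 : WEXITSTATUS(status);
}
```

With use_pipe set to 0 the call returns the right exit code only after a one-second timeout (last_timeouts becomes 1), which in a real server with no timeout is the hang this thread is chasing; with use_pipe set to 1 the pipe wakes select() at once.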
From mdecker77 at aol.com Sat Feb 9 04:03:17 2002 From: mdecker77 at aol.com (Martin Decker) Date: Fri, 8 Feb 2002 18:03:17 +0100 (CET) Subject: SCP Problem with OpenSSH 3.0.2p1 linux->solaris Message-ID: Hello! I can confirm. The problem was the "sigchld race" and I will try to fix it with a patch. I will have a close look at the mailing list archive. Thanks very much! Martin // Martin Decker, Systems Engineer, Data Center Operations // // AOL Germany, Dingolfinger-Str. 2-4, D-81673 Munich, Germany // // AIM: mdecker77 mail: mdecker77 at aol.com ICQ: 15620821 // // Phone:+49.8966572214 // From bugzilla-daemon at mindrot.org Sat Feb 9 06:00:59 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 9 Feb 2002 06:00:59 +1100 (EST) Subject: [Bug 68] Manpage for ssh-add and scp missing after "make install" Message-ID: <20020208190059.5E689E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=68 ------- Additional Comments From Todd.Bowden at atosorigin.com 2002-02-09 06:00 ------- Yes I did run it as root. It did create the manpages for all the others but not for ssh-add and scp. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From imorgan at nas.nasa.gov Sat Feb 9 07:37:25 2002 
From: imorgan at nas.nasa.gov (Iain Morgan) Date: Fri, 8 Feb 2002 12:37:25 -0800 (PST) Subject: x509 for hostkeys. In-Reply-To: <20020208125921.GA8045@faui02> from "Markus Friedl" at Feb 08, 2002 01:59:21 PM Message-ID: <200202082037.MAA00384@nopython.nas.nasa.gov> You may already be aware of this, but there is a variant of ssh (gsi-ssh) that is included with the Globus Toolkit. GSI (Grid Security Infrastructure) uses x509 certificates and thus gsi-ssh does. I would imagine that the Globus group would be interested in x509 support being added to OpenSSH. A jumping-off point for information about GSI (and Globus) would be: www.globus.org/toolkit/security.html On Fri Feb 8 04:59:21 2002, Markus Friedl wrote: > > who did try this? > no success stories? > no feedback? > no comments? > no x509 in openssh-3.1? > > On Thu, Jan 31, 2002 at 12:09:10PM +0100, Markus Friedl wrote: > > This (very quick) patch allows you to connect with the commercial > > ssh.com windows client and use x509 certs for hostkeys. You have > > to import your CA cert (ca.crt) in the windows client and certify > > your hostkey: > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Iain Morgan NAS Desktop Support Group From helm at fionn.es.net Sat Feb 9 07:53:50 2002 
From: helm at fionn.es.net (Michael Helm)
Date: Fri, 08 Feb 2002 12:53:50 -0800
Subject: x509 for hostkeys.
In-Reply-To: Your message of "Fri, 08 Feb 2002 12:37:25 PST." <200202082037.MAA00384@nopython.nas.nasa.gov>
Message-ID: <200202082053.MAA10824@fionn.es.net>

Iain Morgan writes:
> You may already be aware of this, but there is a variant of ssh (gsi-ssh)
> that is included with the Globus Toolkit. GSI (Grid Security

http://www.ncsa.uiuc.edu/Divisions/ACES/GSI/openssh/

I think they took over support of the openssh work.

GSI & how it works might be rather different from whatever openssh has in
mind for x509 support.

From carson at taltos.org Sun Feb 10 07:32:55 2002
From: carson at taltos.org (Carson Gaspar)
Date: Sat, 09 Feb 2002 15:32:55 -0500
Subject: feature request in sshd: require both "pubkey" & "password"
In-Reply-To: <000801c1b049$e74192a0$6401000a@monkey>
References: <000801c1b049$e74192a0$6401000a@monkey>
Message-ID: <8276851.1013268775@[192.168.0.245]>

--On Thursday, February 07, 2002 9:39 PM -0500 Alex Yu wrote:

> I have a feature request in sshd. A feature that only allows user who
> passes both public key and password authentication to login.

I wrote such a patch, that implements ordered requirements. (e.g. publickey
_then_ password). The feedback from Markus was that the functionality (not
the code) was too complicated. He said he wanted something simple, like a
bitfield, without ordering. Since that doesn't meet my requirements, I
guess I'm stuck maintaining forked code (*sigh*). But if someone else
wanted to do the less-functional patch, it might be accepted.

--
Carson

From dan at doxpara.com Sun Feb 10 08:17:20 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Sat, 9 Feb 2002 13:17:20 -0800
Subject: feature request in sshd: require both "pubkey" & "password"
References: <000801c1b049$e74192a0$6401000a@monkey> <8276851.1013268775@[192.168.0.245]>
Message-ID: <010401c1b1af$293be9b0$1701000a@effugas>

> > I have a feature request in sshd. A feature that only allows user who
> > passes both public key and password authentication to login.
>
> I wrote such a patch, that implements ordered requirements. (e.g. publickey
> _then_ password). The feedback from Markus was that the functionality (not
> the code) was too complicated. He said he wanted something simple, like a
> bitfield, without ordering. Since that doesn't meet my requirements, I
> guess I'm stuck maintaining forked code (*sigh*). But if someone else
> wanted to do the less-functional patch, it might be accepted.

What security advantage do you perceive through ordered requirements? AND
ops generally commute.

If there was an external access authenticator, like a small app that
communicated with a smart card or external database, then ordered
requirements would be appropriate: For example, you might want to verify
somebody had a local passphrase and a global (i.e. external) password, but
not challenge for global password until the local side was satisfied.

--Dan

From Jarno.Huuskonen at uku.fi Sun Feb 10 22:42:33 2002
From: Jarno.Huuskonen at uku.fi (Jarno Huuskonen)
Date: Sun, 10 Feb 2002 13:42:33 +0200
Subject: Strange read_passphrase behaviour ?
In-Reply-To: <20020127172331.GA90182@messi.uku.fi>
References: <20020127085624.GA79100@messi.uku.fi> <20020127152311.E30885@folly> <20020127172331.GA90182@messi.uku.fi>
Message-ID: <20020210114233.GA98366@messi.uku.fi>

Hi,

On Sun, Jan 27, Jarno Huuskonen wrote:
> On Sun, Jan 27, Markus Friedl wrote:
> > why do you get ENOTTY?
>
> I think it was the util-linux bug where login didn't set controlling
> tty. It was on some test install box that had the buggy util-linux and
> it didn't have eth0 configured. If I logged in as root and manually
> brought eth0 up then ssh some.host.com would fail to read the password
> and just send empty password three times to some.host.com
> (open(/dev/tty) returned -1). (Funny thing was that after logout/login
> (when eth0 was up) ssh was able to read the password from tty).
>
> The tty problem is/was something with util-linux, but I think that ssh
> should handle ENOTTY more "gracefully".
>
> > should ssh auto-set Batchmode=yes for ENOTTY?
>
> This might work. I'll try to test it (I still have the buggy util-linux
> around). BTW I failed to mention that I tested this with openssh-3.0.2p1.

I finally managed to test this issue a bit further: I made a really ugly
hack and forced read_passphrase to set option.batch_mode if readpassphrase
returned NULL. This way ssh didn't loop three times sending empty password
to the server (it sends the empty password once).

Perhaps a better fix would be for read_passphrase to return NULL to the
caller if it can't read password and let caller worry about it. I'm not
sure how well for example auth-pam.c is able to cope if read_passphrase
returns NULL.

-Jarno

--
Jarno Huuskonen

From openssh at pryan.org Sun Feb 10 23:04:24 2002
From: openssh at pryan.org (Patrick Ryan)
Date: Sun, 10 Feb 2002 04:04:24 -0800 (PST)
Subject: STP Patch Integration?
In-Reply-To: <20020210120902.A59A3E92A@shitei.mindrot.org>
Message-ID:

Hi,

I am wondering whether the SRP patch is going to be integrated into the
OpenSSH distribution. I highly encourage it be integrated into the next
distribution.

Thanks,
Patrick

From markus at openbsd.org Mon Feb 11 02:36:31 2002
From: markus at openbsd.org (Markus Friedl)
Date: Sun, 10 Feb 2002 16:36:31 +0100
Subject: Strange read_passphrase behaviour ?
In-Reply-To: <20020210114233.GA98366@messi.uku.fi>; from Jarno.Huuskonen@uku.fi on Sun, Feb 10, 2002 at 01:42:33PM +0200
References: <20020127085624.GA79100@messi.uku.fi> <20020127152311.E30885@folly> <20020127172331.GA90182@messi.uku.fi> <20020210114233.GA98366@messi.uku.fi>
Message-ID: <20020210163631.A14529@folly>

On Sun, Feb 10, 2002 at 01:42:33PM +0200, Jarno Huuskonen wrote:
> Perhaps a better fix would be for read_passphrase return NULL to the
> caller if it can't read password and let caller worry about it. I'm not
> sure how well for example auth-pam.c is able to cope if read_passphrase
> returns NULL.

most of the callers to read_passphrase do not check for NULL.
perhaps i'm going to add a flag to read_passphrase to allow return of NULL.

From carson at taltos.org Mon Feb 11 05:47:11 2002
From: carson at taltos.org (Carson Gaspar)
Date: Sun, 10 Feb 2002 13:47:11 -0500
Subject: feature request in sshd: require both "pubkey" & "password"
In-Reply-To: <010401c1b1af$293be9b0$1701000a@effugas>
References: <010401c1b1af$293be9b0$1701000a@effugas>
Message-ID: <88329581.1013348831@[192.168.0.245]>

--On Saturday, February 09, 2002 1:17 PM -0800 Dan Kaminsky wrote:

> What security advantage do you perceive through ordered requirements? AND
> ops generally commute.

If you require a public key first, you protect against password guessing
attacks - especially if you have failed password account lockouts.

--
Carson

From openssh-unix-dev at progressive-comp.com Mon Feb 11 17:58:50 2002
From: openssh-unix-dev at progressive-comp.com (Hank Leininger)
Date: Mon, 11 Feb 2002 01:58:50 -0500
Subject: chroot patch for openssh 3.0.2p1
Message-ID: <200202110658.BAA11285@mailer.progressive-comp.com>

On 2002-02-07, johan.legros at canal-plus.fr wrote:

> Hi all,
> I'm running openssh 3.0.2p1 and it seems that the chroot patch
> delivered in the /contrib folder of the portable distrib does not apply
> to this release.
> Does anyone know if i can find an updated patch.

I have some patches to openssh that include a very slightly massaged
version of the chroot patch from /contrib. However, I don't remember that
patch being broken, per se (then again it's been some months since I
incorporated that patch...)

http://www.theaimsgroup.com/~hlein/haqs/#openssh

The above patch may have more in it than you want, however (though
shouldn't break anything nor change any expected behavior).

HTH,

Hank Leininger

From bugzilla-daemon at mindrot.org Mon Feb 11 21:30:10 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 11 Feb 2002 21:30:10 +1100 (EST)
Subject: [Bug 105] scp protocol 2 over a hippi interface takes 6 times longer
Message-ID: <20020211103010.81A49E915@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=105

------- Additional Comments From pas50 at cam.ac.uk 2002-02-11 21:30 -------

time `cat lapack.ibm.tar.gz | ssh -1 -c 3des hodgkin 'cat > f' `
9.2u 0.7s 0:22 44% 887+761k 0+0io 0pf+0w

time `cat lapack.ibm.tar.gz | ssh -2 -c 3des-cbc hodgkin 'cat > f2' `
8.7u 0.7s 0:22 41% 888+630k 0+0io 0pf+0w

time `cat lapack.ibm.tar.gz | rsh hodgkin 'cat > f2' `
0.0u 0.0s 0:01 2% 77+214k 0+0io 0pf+0w

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From yuliy at mobiltel.bg Mon Feb 11 22:49:58 2002
From: yuliy at mobiltel.bg (Yuliy Minchev)
Date: Mon, 11 Feb 2002 13:49:58 +0200 (EET)
Subject: Disconnect on OpenBSD
In-Reply-To: <200202110658.BAA11285@mailer.progressive-comp.com>
Message-ID:

Hi.

I'm using OpenBSD 3.0 server with default installation of OpenSSH 3.0.
My problem is that sshd disconnects inactive sessions after an unknown
interval. I use OpenSSH on various platforms and nowhere else does sshd
disconnect inactive users.

Any clues?

TIA

yuliy

--
Yuliy Minchev,
UNIX Administrator

From bugzilla-daemon at mindrot.org Tue Feb 12 01:11:36 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 12 Feb 2002 01:11:36 +1100 (EST)
Subject: [Bug 108] New: Enable continuation with '\' (backslash) in /etc/ssh/sshd_config (feature request)
Message-ID: <20020211141136.0D40DE915@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=108

Summary: Enable continuation with '\' (backslash) in /etc/ssh/sshd_config (feature request)
Product: Portable OpenSSH
Version: 2.9.9p2
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: e.maryniak at pobox.com

Feature request, short synopsis:
Enable continuation with '\' (backslash) in /etc/ssh/sshd_config.

Rationale:
Analogous to Apache's and other configuration files, it would be nice if
long config lines in, e.g., sshd_config, could be split up.

Example:

AllowUsers user1 at host1.somewhere.com user1 at host2.somewhere.com \
           user2 at host1.somewhere.com user2 at host3.somewhere.com
etc.

This is especially handy when (remotely) logged in on an 80x24 char tty
and when doing screen copy & pastes on 80col tty's because some terminal
emulators insert a \n even for wrapped lines at col. 80.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Feb 12 03:30:19 2002
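A small parser for the continuation rule this request asks for, added here as an example (it is not OpenSSH code and not the reporter's): it joins physical lines that end in a backslash into one logical line and rejects a backslash that ends the input. The function name join_continuations and the exact joining rule (marker, newline and the next line's indentation become a single space) are choices made for this example; the report does not specify them.

```c
#include <stdio.h>
#include <string.h>

/*
 * Join continuation lines: a '\' immediately before '\n' means the
 * config line carries on at the next physical line. The marker, the
 * newline and any leading blanks of the next line are replaced by one
 * space. A '\' anywhere else is copied literally. A '\' at the very
 * end of the input has nothing to continue into and is an error.
 *
 * Returns the number of logical lines written to out, or -1 if out is
 * too small or the input ends in a dangling backslash.
 */
int join_continuations(const char *in, char *out, size_t outlen)
{
    const char *p = in;
    size_t o = 0;
    int lines = 0;

    if (outlen == 0)
        return -1;
    while (*p != '\0') {
        if (p[0] == '\\' && p[1] == '\n') {
            p += 2;                       /* drop the marker and newline */
            while (*p == ' ' || *p == '\t')
                p++;                      /* drop continuation indentation */
            if (o + 1 >= outlen)
                return -1;
            out[o++] = ' ';
            continue;
        }
        if (p[0] == '\\' && p[1] == '\0')
            return -1;                    /* dangling backslash at EOF */
        if (o + 1 >= outlen)
            return -1;                    /* output buffer too small */
        if (*p == '\n')
            lines++;
        out[o++] = *p++;
    }
    if (o > 0 && out[o - 1] != '\n')
        lines++;                          /* last line had no newline */
    out[o] = '\0';
    return lines;
}

int main(void)
{
    /* constructed sample in the shape of the report's AllowUsers example */
    const char *sample =
        "AllowUsers user1@host1.example user1@host2.example\\\n"
        "           user2@host1.example user2@host3.example\n"
        "PermitRootLogin no\n";
    char out[512];
    int n = join_continuations(sample, out, sizeof out);

    if (n < 0) {
        fputs("join_continuations failed\n", stderr);
        return 1;
    }
    printf("%d logical line(s):\n%s", n, out);
    return 0;
}
```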
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 12 Feb 2002 03:30:19 +1100 (EST)
Subject: [Bug 105] scp protocol 2 over a hippi interface takes 6 times longer
Message-ID: <20020211163019.14BA0E957@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=105

------- Additional Comments From markus at openbsd.org 2002-02-12 03:30 -------

hm, i think

#define CHAN_SES_WINDOW_DEFAULT (256*1024)
#define CHAN_TCP_WINDOW_DEFAULT (256*1024)

generates packets > 32k, but i have to cross check.
does 64*1024 help.

what about using a faster cipher in your tests? :) e.g blowfish?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From GILBERT.R.LOOMIS at saic.com Tue Feb 12 03:32:55 2002
From: GILBERT.R.LOOMIS at saic.com (Loomis, Rip)
Date: Mon, 11 Feb 2002 11:32:55 -0500
Subject: Disconnect on OpenBSD
Message-ID: <3C1E3607B37295439F7C409EFBA08E680E28DC@COL-581-EXS01>

Yuliy--

Based on my experience this is usually due to one of two things outside
of SSH:

- You're accessing the system through a firewall that has an idle timeout
  set (the situation here).
- Your login shell on the server side has an idle timeout set--this is
  particularly common with csh/tcsh.

You might check the above--I *don't* believe that it's anything specific
to OpenSSH or OpenBSD 3.0, though, since I use both regularly along with
other platforms. Every time something like this has happened to me or
other folks here, it's always turned out to be one or the other of the
above.

--Rip

> -----Original Message-----
> From: Yuliy Minchev [mailto:yuliy at mobiltel.bg]
> Sent: Monday, 11 February, 2002 06:50
> To: openssh-unix-dev at mindrot.org
> Subject: Disconnect on OpenBSD
>
> Hi.
>
> I'm using OpenBSD 3.0 server with default installation of OpenSSH 3.0.
> My problem is that sshd disconnects inactive sessions after an unknown
> interval.
> I use OpenSSH on various platforms and nowhere else does sshd
> disconnect inactive users.
>
> Any clues?
>
> TIA
>
> yuliy
>
> --
> Yuliy Minchev,
> UNIX Administrator
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From bugzilla-daemon at mindrot.org Tue Feb 12 04:09:00 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 12 Feb 2002 04:09:00 +1100 (EST)
Subject: [Bug 105] scp protocol 2 over a hippi interface takes 6 times longer
Message-ID: <20020211170900.A4C06E920@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=105

------- Additional Comments From pas50 at cam.ac.uk 2002-02-12 04:08 -------

time `cat lapack.ibm.tar.gz | ssh -2 -c blowfish-cbc hodgkin 'cat > f2' `
2.6u 0.6s 0:06 46% 736+532k 0+0io 0pf+0w

Yep much faster but still not more than half the time in the cpu.

Yep packet size is a function of these values

#define CHAN_SES_PACKET_DEFAULT (CHAN_SES_WINDOW_DEFAULT/2)
#define CHAN_TCP_PACKET_DEFAULT (CHAN_TCP_WINDOW_DEFAULT/2)

The networks I saw the problem on, hippi and IBM sp switch, both have an
MTU of 64k so I wanted these values to be at least 128 and went for 256 to
be sure.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Feb 12 04:43:19 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 12 Feb 2002 04:43:19 +1100 (EST)
Subject: [Bug 105] scp protocol 2 over a hippi interface takes 6 times longer
Message-ID: <20020211174319.62543E95F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=105

------- Additional Comments From pas50 at cam.ac.uk 2002-02-12 04:43 -------

with 64 giving 32k packet

time `cat lapack.ibm.tar.gz | ssh -2 -c 3des-cbc -p 1025 hodgkin 'cat > f2' `
8.9u 0.7s 1:47 8% 887+629k 0+0io 0pf+0w

with 128 giving 64k packet

time `cat lapack.ibm.tar.gz | ssh -2 -c 3des-cbc -p 1025 hodgkin 'cat > f2' `
9.0u 0.6s 0:23 41% 895+633k 0+0io 0pf+0w

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Feb 12 08:11:28 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 12 Feb 2002 08:11:28 +1100 (EST)
Subject: [Bug 109] New: sftp hangs when a tcsh user types quit or exit
Message-ID: <20020211211128.5186EE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=109

Summary: sftp hangs when a tcsh user types quit or exit
Product: Portable OpenSSH
Version: 3.0.2p1
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: sftp
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: andrewb at cs.mcgill.ca

When using sftp I found that when quitting the application, it would
hang. It exits when one does a ^C. I checked my .cshrc to make sure that
ignoreeof was not set or anything else that could be preventing me from
exiting. I did the test recommended for sftp/scp in the FAQ; that works
as it should. I then asked a co-worker to try and he had no problems. The
difference between our 2 accounts was that I use tcsh and he uses bash. I
then set my shell to bash, and quit worked without any problems.

Below is the output from running sftp in verbose mode:

sftp> version
SFTP protocol version 3
sftp> quit
debug1: channel 0: read<=0 rfd 4 len 0
debug1: channel 0: read failed
debug1: channel 0: input open -> drain
debug1: channel 0: close_read
debug1: channel 0: input: no drain shortcut
debug1: channel 0: ibuf empty
debug1: channel 0: input drain -> closed
debug1: channel 0: send eof
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
debug1: channel 0: obuf empty
debug1: channel 0: output drain -> closed
debug1: channel 0: close_write
debug1: channel 0: send close
debug2: channel 0: no data after CLOSE
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd close
debug2: channel 0: no data after CLOSE
debug1: channel 0: is dead
debug1: channel_free: channel 0: status: The following connections are open:
  #0 client-session (t4 r0 i8/0 o128/0 fd -1/-1)
debug1: channel_free: channel 0: dettaching channel user
Killed by signal 2.
debug1: Calling cleanup 0x805a760(0x0)
debug1: Calling cleanup 0x8063370(0x0)

I also downloaded and tried the snapshot of:
openssh-SNAP-20020211.tar.gz
That had the same problem.

If any of you need more information please let me know.

Andrew.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Feb 12 08:16:52 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 12 Feb 2002 08:16:52 +1100 (EST)
Subject: [Bug 109] sftp hangs when a tcsh user types quit or exit
Message-ID: <20020211211652.57EF2E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=109

------- Additional Comments From andrewb at cs.mcgill.ca 2002-02-12 08:16 -------

Silly me, I forgot to mention the version of Solaris that we are running.

SunOS 5.7 Generic_106541-14 sun4u sparc SUNW,Ultra-25

Sorry about that.

Andrew.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From tim at multitalents.net Tue Feb 12 08:16:51 2002
From: tim at multitalents.net (Tim Rice)
Date: Mon, 11 Feb 2002 13:16:51 -0800 (PST)
Subject: OpenSHH on SCO Open Server 3
Message-ID:

Is anyone still using OpenSSH on SCO Open Server 3?
My clients no longer run Open Server 3.
The entropy gathering code changes have broken the Open Server 3 build.
If there is still interest I'll work on it.
If not, I have no need for it.

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From gert at greenie.muc.de Tue Feb 12 08:25:05 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 11 Feb 2002 22:25:05 +0100
Subject: OpenSHH on SCO Open Server 3
In-Reply-To: ; from Tim Rice on Mon, Feb 11, 2002 at 01:16:51PM -0800
References:
Message-ID: <20020211222505.A2293@greenie.muc.de>

Hi,

On Mon, Feb 11, 2002 at 01:16:51PM -0800, Tim Rice wrote:
> Is anyone still using OpenSSH on SCO Open Server 3?

I am.

> My clients no longer run Open Server 3.
> The entropy gathering code changes have broken the Open Server 3 build.

Didn't notice that yet (haven't had any time to compile snapshots).

Will look into it...

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From gerberb at zenez.com Tue Feb 12 08:36:55 2002
From: gerberb at zenez.com (Boyd Lynn Gerber)
Date: Mon, 11 Feb 2002 14:36:55 -0700 (MST)
Subject: OpenSHH on SCO Open Server 3
In-Reply-To:
Message-ID:

On Mon, 11 Feb 2002, Tim Rice wrote:
> Is anyone still using OpenSSH on SCO Open Server 3?
> My clients no longer run Open Server 3.
> The entropy gathering code changes have broken the Open Server 3 build.
> If there is still interest I'll work on it.
> If not, I have no need for it.

Yes, I have around 200 clients still running it and they are running very
old versions because I have not had time to setup a machine and debug it.

Thanks,

--
Boyd Gerber
ZENEZ 3748 Valley Forge Road, Magna Utah 84044

From rac at tenzing.org Tue Feb 12 08:54:28 2002
From: rac at tenzing.org (Roger Cornelius)
Date: Mon, 11 Feb 2002 16:54:28 -0500
Subject: OpenSHH on SCO Open Server 3
In-Reply-To:
Message-ID: <200202112154.g1BLsSi22398@tenzing.org>

Tim Rice (tim at multitalents.net) wrote:
>
>Is anyone still using OpenSSH on SCO Open Server 3?
>My clients no longer run Open Server 3.
>The entropy gathering code changes have broken the Open Server 3 build.
>If there is still interest I'll work on it.
>If not, I have no need for it.

I don't think SCO ever had a product called OpenServer 3. Do you mean
Open Desktop 3?

I'm using OpenSSH on SCO OpenServer 5.0.6a (which is the current
release) without problems.

--
Roger Cornelius rac at tenzing.org

From tim at multitalents.net Tue Feb 12 09:24:03 2002
From: tim at multitalents.net (Tim Rice)
Date: Mon, 11 Feb 2002 14:24:03 -0800 (PST)
Subject: OpenSHH on SCO Open Server 3
In-Reply-To: <200202112154.g1BLsSi22398@tenzing.org>
Message-ID:

On Mon, 11 Feb 2002, Roger Cornelius wrote:

> Tim Rice (tim at multitalents.net) wrote:
> >
> >Is anyone still using OpenSSH on SCO Open Server 3?
> >My clients no longer run Open Server 3.
> >The entropy gathering code changes have broken the Open Server 3 build.
> >If there is still interest I'll work on it.
> >If not, I have no need for it.
>
> I don't think SCO ever had a product called OpenServer 3. Do you mean
> Open Desktop 3?

Open Desktop was the 2 user version. Open Server started at 16 users and
included some things Open Desktop did not have.

> I'm using OpenSSH on SCO OpenServer 5.0.6a (which is the current
> release) without problems.
>

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From bugzilla-daemon at mindrot.org Tue Feb 12 10:16:04 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 12 Feb 2002 10:16:04 +1100 (EST)
Subject: [Bug 45] configure refines a function in skey, which then bombs
Message-ID: <20020211231604.AF72EE935@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=45

------- Additional Comments From pekkas at netcore.fi 2002-02-12 10:16 -------

This happens on RHL72 too. Patch attached; will describe the situation on
the mailing list in more detail.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Feb 12 10:18:16 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 12 Feb 2002 10:18:16 +1100 (EST)
Subject: [Bug 45] configure refines a function in skey, which then bombs
Message-ID: <20020211231816.E9E0FE970@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=45

------- Additional Comments From pekkas at netcore.fi 2002-02-12 10:18 -------

Created an attachment (id=22)
fix skey linking

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From pekkas at netcore.fi Tue Feb 12 10:14:40 2002
From: pekkas at netcore.fi (Pekka Savola) Date: Tue, 12 Feb 2002 01:14:40 +0200 (EET) Subject: [PATCH]: RHL72 --with-skey linking problems Message-ID: Hi, On Red Hat Linux 7.2, it appears one cannot compile with --with-skey; configure fails with: checking for skey_keyinfo... no configure: error: ** Incomplete or missing s/key libraries. even though skey 1.1.5 libraries are installed from the location mentioned in INSTALL. This has also happened with Solaris it seems: http://bugzilla.mindrot.org/show_bug.cgi?id=45 A patch to configure.ac is attached here and to bugzilla. It may require some tuning, but the basics seem to be ok and it works here. Full log below was: --8<-- configure:5982: checking for skey_keyinfo configure:6025: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wno-uninitialized conftest.c -lskey -lutil -lz -lnsl >&5 /usr/bin/ld: Warning: size of symbol `f' changed from 4 to 26 in skeysubr.o /usr/bin/ld: Warning: type of symbol `f' changed from 1 to 2 in skeysubr.o collect2: ld returned 1 exit status configure:6028: $? = 1 configure: failed program was: #line 5987 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char skey_keyinfo (); below. */ #include /* Override any gcc2 internal prototype to avoid an error. */ #ifdef __cplusplus extern "C" #endif /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ char skey_keyinfo (); char (*f) (); #ifdef F77_DUMMY_MAIN # ifdef __cplusplus extern "C" # endif int F77_DUMMY_MAIN() { return 1; } #endif int main () { /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. 
*/ #if defined (__stub_skey_keyinfo) || defined (__stub___skey_keyinfo) choke me #else f = skey_keyinfo; #endif ; return 0; } configure:6044: result: no configure:6050: error: ** Incomplete or missing s/key libraries. --8<-- A _workaround_ is: --8<-- --- openssh-3.0.2p1.orig/configure Sun Dec 2 01:38:55 2001 +++ openssh-3.0.2p1/configure Tue Feb 12 00:09:24 2002 @@ -6153,8 +6153,7 @@ #endif /* We use char because int might match the return type of a gcc2 builtin and then its argument prototype would still apply. */ -char skey_keyinfo (); -char (*f) (); +char *skey_keyinfo (); #ifdef F77_DUMMY_MAIN # ifdef __cplusplus @@ -6171,7 +6170,7 @@ #if defined (__stub_skey_keyinfo) || defined (__stub___skey_keyinfo) choke me #else -f = skey_keyinfo; +skey_keyinfo; #endif ; --8<-- (renaming 'f' also would help I guess.) Tested on 3.0.2p1 but also happens on the latest snapshot. -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords -------------- next part -------------- --- openssh/configure.ac Sat Nov 3 21:09:33 2001 +++ openssh.new/configure.ac Tue Feb 12 01:02:46 2002 @@ -507,9 +507,16 @@ LIBS="-lskey $LIBS" SKEY_MSG="yes" - AC_CHECK_FUNC(skey_keyinfo, - [], + AC_MSG_CHECKING([for s/key support]) + AC_TRY_RUN( [ +#include +#include +int main() { char *ff = skey_keyinfo(""); ff=""; return 0; } + ], + [AC_MSG_RESULT(yes)], + [ + AC_MSG_RESULT(no) AC_MSG_ERROR([** Incomplete or missing s/key libraries.]) ]) fi From djm at mindrot.org Tue Feb 12 12:52:29 2002 
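Review bot: the workaround hunks edit the generated configure (`-char (*f) ();` / `+char *skey_keyinfo ();` and `-f = skey_keyinfo;` / `+skey_keyinfo;`) rather than configure.ac, so the change is lost the moment configure is regenerated; the ld messages in the log (size and type of symbol `f' changed in skeysubr.o) show the real problem is the conftest's global `f` colliding with a global `f` exported by libskey, so renaming the conftest variable, as the message itself guesses, is the minimal fix. The bare `+skey_keyinfo;` expression statement will also draw a statement-with-no-effect warning from gcc; `(void)skey_keyinfo;` is the quiet form.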
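Review bot: AC_TRY_RUN in the configure.ac hunk is given no fourth (cross-compiling) action, so configure will abort outright when cross-compiling instead of falling back to a guess; since the failure being fixed is a link-time symbol clash, AC_TRY_LINK with the skey header included is sufficient and also avoids executing skey_keyinfo("") against the build host's s/key database at configure time. In the test body, `ff=""` exists only to silence an unused-variable warning; `(void)skey_keyinfo("");` says the same thing more plainly.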
From: djm at mindrot.org (Damien Miller)
Date: Tue, 12 Feb 2002 12:52:29 +1100 (EST)
Subject: Disconnect on OpenBSD
In-Reply-To:
Message-ID:

On Mon, 11 Feb 2002, Yuliy Minchev wrote:

>
> Hi.
>
> I'm using OpenBSD 3.0 server with default installation of OpenSSH 3.0.
> My problem is that sshd disconnects inactive sessions after an unknown
> interval.
> I use OpenSSH on various platforms and nowhere else does sshd
> disconnect inactive users.

If you have a NAT device or stateful firewall between the client and the
server, quiescent TCP sessions may be getting timed out. OpenSSH doesn't
have its own timeout.

-d

From openssh at jguk.org Tue Feb 12 13:56:44 2002
From: openssh at jguk.org (openssh)
Date: Tue, 12 Feb 2002 11:56:44 +0900
Subject: [openssh-dev]: disable ProxyCommand from being used?
References: <3C62591C.3010205@jguk.org> <20020207105857.GA8707@faui02> <014d01c1afc9$399de160$1701000a@effugas>
Message-ID: <3C68846C.9070608@jguk.org>

Hello,

Thank you for the suggestions.

How about this?

$ ssh -d localmachine

Currently -d is not in use in the ssh --help list. Could a "-d" option be
added to disable the use of the ProxyCommand?

Also, is there any reason why ssh --help is not in alphabetical order?
Numbered options first then alphabetically.

JG

>
> Sounds like the majority of the time, he's connecting to hosts that require
> proxy support to connect to. Occasionally though, he connects to something
> on his local subnet, and would rather go directly. Using a .ssh/config
> would override his remote connections, and:
>
> ssh -o ProxyCommand="" user at host
>
> ...doesn't work.
>
> There are four possible solutions that come to mind:
>
> 1) Have a separate config file, ssh_noproxy, then do: ssh -f ~/ssh_noproxy
> user at host
> 2) Find some way to use the weak conditionals in the config file to only
> apply the ProxyCommand to hosts outside the present subnet. I don't think
> this is possible.
> 3) Create a shell script, sshp, with the following command:
> #!/usr/bin/bash
> exec ssh -o ProxyCommand %h %p $@
> then use sshp instead of ssh whenever accessing ssh using a proxy
> 4) Add null proxy parsing so that command line can eliminate the
> proxycommand entirely.
>

From tom at arcot.com Tue Feb 12 14:26:16 2002
From: tom at arcot.com (Tom Wu)
Date: Mon, 11 Feb 2002 19:26:16 -0800
Subject: SRP Patch Integration?
References:
Message-ID: <3C688B58.79B92FDD@arcot.com>

Patrick Ryan wrote:
>
> Hi,
>
> I am wondering whether the SRP patch is going to be integrated into the
> OpenSSH distribution. I highly encourage it be integrated into the next
> distribution.

For those unfamiliar with the SRP patches to OpenSSH, they can be found at:

http://members.tripod.com/professor_tom/archives/

The current patch applies to OpenSSH-3.0.2p1. For those on the list not
familiar with how SRP authentication works, more information is available
at:

http://srp.stanford.edu/

Simply stated, SRP is a strong password authentication protocol that
resists passive/active network attack, and when used in conjunction with
OpenSSH, solves the "unknown host key" problem without requiring host key
fingerprint verification or PKI deployment (e.g. X.509 certs). Put another
way, is there any good reason *not* to fold these patches into OpenSSH
proper?

> Thanks,
> Patrick

Tom

--
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."

From scott at doc.net.au Tue Feb 12 14:57:29 2002
From: scott at doc.net.au (Scott Howard) Date: Tue, 12 Feb 2002 14:57:29 +1100 Subject: [Patch] Xauthority file in /tmp Message-ID: <20020212035729.GA22218@milliways.doc.net.au> This issue has been discussed here and elsewhere a fair bit in the past year or so, but to re-address the issue... As of OpenSSH 2.9.something the ability to have an Xauthority located in /tmp was removed, with the following description in the ChangeLog : - markus at cvs.openbsd.org 2001/06/12 21:21:29 [session.c] remove xauth-cookie-in-tmp handling. use default $XAUTHORITY, since we do already trust $HOME/.ssh you can use .ssh/sshrc and .ssh/environment if you want to customize the location of the xauth cookies Whilst this reasoning does make sense, it presumes one thing - that the users home directory exists on the machine. On a workstation this will generally be the case, but it's not unusual for users/admins not to have home directories on servers, which means that since this patch xforwarding has been broken in such cases. The attached patch (also available at http://www.docbert.org/outgoing/xauthority-in-tmp.patch ) re-introduces this feature via a configuration option "XauthorityInTmp". The default value of this variable is "no" (ie, the default behaviour is unchanged). The majority of the code had been copied from 2.9p1 (The last general releases which put xauthority in /tmp), with a few minor modification, including security improvements for removing the files in /tmp, which I believe were what lead (at least in part) to the original removal of this code. Scott. -------------- next part -------------- diff -r --unified openssh-3.0.2p1.orig/servconf.c openssh-3.0.2p1/servconf.c --- openssh-3.0.2p1.orig/servconf.c Wed Nov 14 00:03:15 2001 +++ openssh-3.0.2p1/servconf.c Tue Feb 12 14:21:14 2002 
@@ -64,6 +64,7 @@ options->x11_forwarding = -1; options->x11_display_offset = -1; options->xauth_location = NULL; + options->xauthority_in_tmp = -1; options->strict_modes = -1; options->keepalives = -1; options->log_facility = (SyslogFacility) - 1; @@ -258,7 +259,7 @@ sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, - sBanner, sReverseMappingCheck, sHostbasedAuthentication, + sBanner, sReverseMappingCheck, sHostbasedAuthentication, sXAuthorityInTmp, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sDeprecated @@ -313,6 +314,7 @@ { "x11forwarding", sX11Forwarding }, { "x11displayoffset", sX11DisplayOffset }, { "xauthlocation", sXAuthLocation }, + { "xauthorityintmp", sXAuthorityInTmp }, { "strictmodes", sStrictModes }, { "permitemptypasswords", sEmptyPasswd }, { "uselogin", sUseLogin }, @@ -669,6 +671,10 @@ case sXAuthLocation: charptr = &options->xauth_location; goto parse_filename; + + case sXAuthorityInTmp: + intptr = &options->xauthority_in_tmp; + goto parse_flag; case sStrictModes: intptr = &options->strict_modes; diff -r --unified openssh-3.0.2p1.orig/servconf.h openssh-3.0.2p1/servconf.h --- openssh-3.0.2p1.orig/servconf.h Thu Sep 13 02:40:06 2001 +++ openssh-3.0.2p1/servconf.h Tue Feb 12 14:12:51 2002 
@@ -56,6 +56,7 @@ int x11_display_offset; /* What DISPLAY number to start * searching at */ char *xauth_location; /* Location of xauth program */ + int xauthority_in_tmp; /* If true, put .Xauthority file in /tmp/ssh-xxxxxx */ int strict_modes; /* If true, require string home dir modes. */ int keepalives; /* If true, set SO_KEEPALIVE. */ char *ciphers; /* Supported SSH2 ciphers. */ diff -r --unified openssh-3.0.2p1.orig/session.c openssh-3.0.2p1/session.c --- openssh-3.0.2p1.orig/session.c Sun Dec 2 10:37:08 2001 +++ openssh-3.0.2p1/session.c Tue Feb 12 12:01:51 2002 @@ -151,6 +151,9 @@ extern int startup_pipe; extern void destroy_sensitive_data(void); +/* Local Xauthority file. */ +static char *xauthfile = NULL; + /* original command from peer. */ const char *original_command = NULL; @@ -220,6 +223,28 @@ #endif } +xauthfile_cleanup_proc(void *_pw) +{ + struct passwd *pw = _pw; + + debug("xauthfile_cleanup_proc called"); + + if (xauthfile != NULL) { + char *p; + temporarily_use_uid(pw); + unlink(xauthfile); + p = strrchr(xauthfile, '/'); + if (p != NULL) { + *p = '\0'; + rmdir(xauthfile); + } + xfree(xauthfile); + xauthfile = NULL; + restore_uid(); + } +} + + /* * Prepares for an interactive session. This is called after the user has * been successfully authenticated. During this message exchange, pseudo @@ -1300,6 +1325,8 @@ do_pam_environment(&env, &envsize); #endif /* USE_PAM */ + if (xauthfile) + child_set_env(&env, &envsize, "XAUTHORITY", xauthfile); if (auth_get_socket_name() != NULL) child_set_env(&env, &envsize, SSH_AUTHSOCKET_ENV_NAME, auth_get_socket_name()); @@ -2039,6 +2066,7 @@ session_setup_x11fwd(Session *s) { struct stat st; + int fd; if (no_x11_forwarding_flag) { packet_send_debug("X11 forwarding disabled in user configuration file."); 
@@ -2067,6 +2095,28 @@ debug("x11_create_display_inet failed."); return 0; } + + if (options.xauthority_in_tmp && (xauthfile == NULL)) { + /* If required, setup a temp .Xauthority file in /tmp */ + xauthfile = xmalloc(MAXPATHLEN); + strlcpy(xauthfile, "/tmp/ssh-XXXXXXXX", MAXPATHLEN); + temporarily_use_uid(s->pw); + if (mkdtemp(xauthfile) == NULL) { + restore_uid(); + error("private X11 dir: mkdtemp %s failed: %s", + xauthfile, strerror(errno)); + xfree(xauthfile); + xauthfile = NULL; + } else { + strlcat(xauthfile, "/cookies", MAXPATHLEN); + fd = open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600); + if (fd >= 0) + close(fd); + restore_uid(); + fatal_add_cleanup((void (*) (void *)) xauthfile_cleanup_proc, s->pw); + } + } + return 1; } @@ -2074,4 +2124,6 @@ do_authenticated2(Authctxt *authctxt) { server_loop2(authctxt); + if (xauthfile) + xauthfile_cleanup_proc(authctxt->pw); } From provos at citi.umich.edu Tue Feb 12 15:34:25 2002 From: provos at citi.umich.edu (Niels Provos) Date: Mon, 11 Feb 2002 23:34:25 -0500 Subject: SRP Patch Integration? Message-ID: <20020212043425.6F7D2207C1@citi.umich.edu> >Simply stated, SRP is a strong password authentication protocol that >resists passive/active network attack, and when used in conjunction with >OpenSSH, solves the "unknown host key" problem without requiring host >key fingerprint verification or PKI deployment (e.g. X.509 certs). Put >another way, is there any good reason *not* to fold these patches into >OpenSSH proper? SRP would be useful to have. However, as it is patented I do not know if it can be included in OpenSSH. The grant in the patent seems to place restrictions on the licensee. It is not clear if EKE or SPEKE patents are required for a SRP implementation. As far as I see it, everything that is patented is tainted. Somebody who has money to pay a lawer needs to investigate this further. Niels. From nyt at countercultured.net Tue Feb 12 16:07:46 2002 
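Review bot: the first servconf.c hunk initializes `options->xauthority_in_tmp = -1` and the parser fills it through parse_flag, but no hunk touches fill_default_server_options(), so on a server whose sshd_config never mentions XauthorityInTmp the value stays -1 and the session.c test `if (options.xauthority_in_tmp && (xauthfile == NULL))` treats it as true, the opposite of the stated default of "no". Add `if (options->xauthority_in_tmp == -1) options->xauthority_in_tmp = 0;` next to the other defaults, and add the keyword to sshd.8 and the sample sshd_config, which the patch leaves undocumented.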
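Review bot: xauthfile_cleanup_proc() in the session.c hunk is declared with no return type (implicit int) and is then registered through a `(void (*) (void *))` cast, which hides the mismatch from the compiler; declare it `static void xauthfile_cleanup_proc(void *_pw)` and drop the cast. The body itself is sound: unlink and rmdir run under temporarily_use_uid(pw) and xauthfile is cleared afterwards, so the second call from do_authenticated2() after server_loop2() is harmless if the fatal cleanup has already fired.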
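Review bot: in the session_setup_x11fwd() hunk a failure of `open(xauthfile, O_RDWR|O_CREAT|O_EXCL, 0600)` is silently ignored: with fd < 0 the code still registers the cleanup, leaves xauthfile pointing at a file that was never created, exports it as XAUTHORITY and returns 1, so the later xauth run will fail to store the cookie. Handle it like the mkdtemp() failure (error(), rmdir the directory, xfree and NULL xauthfile, return 0). Also confirm that the xauth invocation in do_child() actually sees the XAUTHORITY set by child_set_env(), since the patch shows no change to that call.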
From: nyt at countercultured.net (Rob Mosher) Date: Tue, 12 Feb 2002 00:07:46 -0500 (EST) Subject: openssh + pam errors (fwd) Message-ID: heres a fix for pam support im openssh, inline and attached.. openssh calls do_pam_session early, before a fork(). it does this on the proc still running as root, so it checks the users limits, against what root has running, and depending on limits can fail at the fork() (and almost always does). this patch moves it past the fork. ive been running it for a couple of weeks and everything seems good. i used to have to use uselogin yes and set the limits with login because openssh was broken, but this takes care of it. ---------- Forwarded message ---------- Date: Mon, 11 Feb 2002 23:05:54 -0500 From: Dug Song To: Rob Mosher Subject: Re: openssh + pam errors send this patch to openssh-unix-dev at mindrot.org Damien Miller maintains the OpenSSH-portable tree, he'll know what to do with it... -d. --- http://www.monkey.org/~dugsong/ --- old/session.c Sat Dec 1 18:37:08 2001 +++ session.c Tue Feb 12 00:03:37 2002 @@ -437,7 +437,6 @@ session_proctitle(s); #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, NULL); do_pam_setcred(1); if (is_pam_password_change_required()) packet_disconnect("Password change required but no " @@ -494,6 +493,9 @@ #endif /* USE_PIPES */ /* Do processing for the child (exec command etc). */ +#if defined(USE_PAM) + do_pam_session(s->pw->pw_name, NULL); +#endif /* USE_PAM */ do_child(s, command); /* NOTREACHED */ } @@ -555,7 +557,6 @@ ttyfd = s->ttyfd; #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, s->tty); do_pam_setcred(1); #endif 
@@ -580,6 +581,9 @@ /* Close the extra descriptor for the pseudo tty. */ close(ttyfd); +#if defined(USE_PAM) + do_pam_session(s->pw->pw_name, s->tty); +#endif /* USE_PAM */ /* record login, etc. similar to login(1) */ #ifndef HAVE_OSF_SIA Rob Mosher Lead Programmer / Sr Systems Engineer Lightning Internet Services, LLC From openssh at pryan.org Tue Feb 12 16:50:44 2002
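Review bot: in the do_exec_no_pty hunk do_pam_session() now runs in the child, which goes on to exec the user's command, while `do_pam_setcred(1)` stays in the parent before the fork and whatever closes the PAM session at exit still runs in the parent; the open and close of one PAM session therefore happen in different processes, and the closing one never called pam_open_session() itself. That split needs testing on each PAM implementation before the patch goes in. The two identical `#if defined(USE_PAM)` blocks could also be folded into do_child() as a single call site, with the tty argument chosen there.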
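Review bot: the do_exec_pty hunk puts the call after close(ttyfd) and before the login record, which is the right place for the limits to reach the shell, but it also reverses the previous order: `do_pam_setcred(1)` in the parent now runs before the session is opened, and in a different process. If any module sets up credentials or environment at pam_open_session() time, the setcred call has to move along with it.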
From: openssh at pryan.org (Patrick Ryan)
Date: Mon, 11 Feb 2002 21:50:44 -0800 (PST)
Subject: SRP Patch Integration?
In-Reply-To: <20020212043425.6F7D2207C1@citi.umich.edu>
Message-ID:

Attached below is the license from SRP 1.7.4. The license claims the SRP distribution is free, does not depend on any encumbered algorithms, and is licensed under a BSD style license, including the "author attribution" provision from the original BSD license. If you are still unsure if SRP is okay to use, Tom Wu, as the author of the SRP protocol, will certainly be an authoritative source to say whether it is patented and to address other concerns.

Licensing
---------

SRP is royalty-free worldwide for commercial and non-commercial use. The SRP library has been carefully written not to depend on any encumbered algorithms, and it is distributed under a standard BSD-style Open Source license which is shown below. This license covers implementations based on the SRP library as well as independent implementations based on RFC 2945.

The SRP distribution itself contains algorithms and code from various freeware packages; these parts fall under both the SRP Open Source license and the packages' own licenses. Care has been taken to ensure that these licenses are compatible with Open Source distribution, but it is the responsibility of the licensee to comply with the terms of these licenses. This disclaimer also applies to third-party libraries that may be linked into the distribution, since they may contain patented intellectual property. The file "Copyrights" contains a list of the copyrights incorporated by portions of the software.

Broader use of the SRP authentication technology, such as variants incorporating the use of an explicit server secret (SRP-Z), may require a license; please contact the Stanford Office of Technology Licensing (http://otl.stanford.edu/) for more information about terms and conditions.
This software is covered under the following copyright: /* * Copyright (c) 1997-2001 The Stanford SRP Authentication Project * All Rights Reserved. * * Permission is hereby granted, free of charge, to any person obtaining * a copy of this software and associated documentation files (the * "Software"), to deal in the Software without restriction, including * without limitation the rights to use, copy, modify, merge, publish, * distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be * included in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. * * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL, * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * * In addition, the following conditions apply: * * 1. Any software that incorporates the SRP authentication technology * is requested to display the following acknowlegment: * "This product uses the 'Secure Remote Password' cryptographic * authentication system developed by Tom Wu (tjw at CS.Stanford.EDU)." * * 2. Any software that incorporates all or part of the SRP distribution * itself must display the following acknowledgment: * "This product includes software developed by Tom Wu and Eugene * Jhong for the SRP Distribution (http://srp.stanford.edu/)." * * 3. Redistributions in source or binary form must retain an intact copy * of this copyright notice and list of conditions. 
*/

Address all questions regarding this license to:

Tom Wu
tjw at cs.Stanford.EDU

On Mon, 11 Feb 2002, Niels Provos wrote:

> >Simply stated, SRP is a strong password authentication protocol that
> >resists passive/active network attack, and when used in conjunction with
> >OpenSSH, solves the "unknown host key" problem without requiring host
> >key fingerprint verification or PKI deployment (e.g. X.509 certs). Put
> >another way, is there any good reason *not* to fold these patches into
> >OpenSSH proper?
> SRP would be useful to have. However, as it is patented I do not know
> if it can be included in OpenSSH. The grant in the patent seems to
> place restrictions on the licensee.
>
> It is not clear if EKE or SPEKE patents are required for a SRP
> implementation.
>
> As far as I see it, everything that is patented is tainted.
> Somebody who has money to pay a lawyer needs to investigate
> this further.
>
> Niels.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From bugzilla-daemon at mindrot.org Tue Feb 12 17:15:24 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 12 Feb 2002 17:15:24 +1100 (EST)
Subject: [Bug 83] PAM limits applied incorrectly
Message-ID: <20020212061524.7E04AE987@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=83

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|fork() fails when there are |PAM limits applied
                   |PAM limits set              |incorrectly

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From djm at mindrot.org Tue Feb 12 17:16:35 2002
From: djm at mindrot.org (Damien Miller)
Date: Tue, 12 Feb 2002 17:16:35 +1100 (EST)
Subject: openssh + pam errors (fwd)
In-Reply-To:
Message-ID:

On Tue, 12 Feb 2002, Rob Mosher wrote:

> here's a fix for pam support in openssh, inline and attached.. openssh
> calls do_pam_session early, before a fork(). it does this on the proc
> still running as root, so it checks the user's limits, against what root
> has running, and depending on limits can fail at the fork() (and almost
> always does). this patch moves it past the fork. I've been running it for
> a couple of weeks and everything seems good. I used to have to use
> uselogin yes and set the limits with login because openssh was broken,
> but this takes care of it.

BTW this is bug #83[1], here is my commentary on the bug itself. Please post followups through bugzilla.

> The problem is that we call pam_session as root, before we fork the
> child. Therefore the server picks up the limits, rather than the child.
>
> I recall that we tried moving the pam_session call to the child a while
> (~18 months) ago to avoid this problem, but other stuff broke much
> worse. IIRC the breakage was because we did pam_session stuff in one
> process (as non-root) and then did cleanup in another process (as
> root).
>
> A possible way around this is with a gratuitous fork() before we call
> pam_session, but that is pretty ugly.

-d

[1] http://bugzilla.mindrot.org/show_bug.cgi?id=83

From djm at mindrot.org Tue Feb 12 17:24:58 2002
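Damien's summary of bug #83 above (the server picks up the limits rather than the child) can be reproduced without PAM at all, because pam_limits ultimately calls setrlimit() in whichever process opens the session. The following is an added example of mine, not code from the thread or from OpenSSH; it uses RLIMIT_NOFILE as a stand-in for a limits.conf entry and a constructed "user limit" one below the current soft limit, and shows both orderings around fork().

```c
/*
 * Added example (not from the OpenSSH patch or the bug #83 thread).
 * rlimits are per-process, inherited by children and never pushed back
 * to the parent, so whichever process runs pam_open_session() with
 * pam_limits is the one that keeps them.  run_session() models both
 * orderings: limit_before_fork=1 is the old sshd behaviour (the root
 * daemon itself is constrained), limit_before_fork=0 is the patched one
 * (only the child that becomes the user's shell gets the limit).
 */
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

struct outcome {
    rlim_t before;        /* daemon's soft limit before the session     */
    rlim_t user_limit;    /* limit the "PAM session" is meant to apply  */
    rlim_t child_seen;    /* limit actually in force in the child       */
    rlim_t parent_after;  /* daemon's limit once the child has exited   */
};

static rlim_t current_nofile(void)
{
    struct rlimit rl;
    return getrlimit(RLIMIT_NOFILE, &rl) == 0 ? rl.rlim_cur : 0;
}

/* Stand-in for pam_open_session() + pam_limits: set the soft limit. */
static int apply_user_limit(rlim_t soft)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    rl.rlim_cur = soft;                /* always at or below the hard limit */
    return setrlimit(RLIMIT_NOFILE, &rl);
}

int run_session(int limit_before_fork, struct outcome *out)
{
    int fds[2];
    pid_t pid;
    ssize_t n;

    out->before = current_nofile();
    /* Constructed "limits.conf" value: one below whatever we start with. */
    out->user_limit = out->before > 1 ? out->before - 1 : out->before;
    if (pipe(fds) != 0)
        return -1;

    /* Old ordering: the limit lands in the daemon itself. */
    if (limit_before_fork && apply_user_limit(out->user_limit) != 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        rlim_t seen;
        close(fds[0]);
        /* Patched ordering: the limit is applied in the child only. */
        if (!limit_before_fork)
            apply_user_limit(out->user_limit);
        seen = current_nofile();
        if (write(fds[1], &seen, sizeof seen) != (ssize_t)sizeof seen)
            _exit(1);
        _exit(0);                      /* sshd would exec the shell here */
    }
    close(fds[1]);
    n = read(fds[0], &out->child_seen, sizeof out->child_seen);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    out->parent_after = current_nofile();

    /* Undo any change to our own limit so the demo can be repeated. */
    apply_user_limit(out->before);
    return n == (ssize_t)sizeof out->child_seen ? 0 : -1;
}

int main(void)
{
    struct outcome o;
    int i;
    for (i = 1; i >= 0; i--) {
        if (run_session(i, &o) != 0)
            return 1;
        printf("limit %s fork: child sees %lu, daemon keeps %lu (was %lu)\n",
               i ? "before" : "after", (unsigned long)o.child_seen,
               (unsigned long)o.parent_after, (unsigned long)o.before);
    }
    return 0;
}
```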
From: djm at mindrot.org (Damien Miller)
Date: Tue, 12 Feb 2002 17:24:58 +1100 (EST)
Subject: SRP Patch Integration?
In-Reply-To:
Message-ID:

On Mon, 11 Feb 2002, Patrick Ryan wrote:

> Attached below is the license from SRP 1.7.4. The license claims the SRP
> distribution is free, does not depend on any encumbered algorithms, and is
> licensed under a BSD style license, including the "author attribution"
> provision from the original BSD license. If you are still unsure if SRP
> is okay to use, Tom Wu, as the author of the SRP protocol, will certainly
> be an authoritative source to say whether it is patented and to address
> other concerns.

You didn't read Niels' email properly - he was referring to the EKE and SPEKE patents which antedate SRP and may cover it, not the licensing conditions of SRP itself. There has been a fair amount of doubt raised in the past over this.

We are not interested in lay discussion on whether or not this is the case, we would be interested in *legal* (i.e. from an IP lawyer) opinions on the matter.

> * 2. Any software that incorporates all or part of the SRP distribution
> * itself must display the following acknowledgment:
> * "This product includes software developed by Tom Wu and Eugene
> * Jhong for the SRP Distribution (http://srp.stanford.edu/)."

I am ambivalent about this too. Display? where? (docs?, runtime?)

-d

From bugzilla-daemon at mindrot.org Tue Feb 12 17:28:35 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 12 Feb 2002 17:28:35 +1100 (EST)
Subject: [Bug 83] PAM limits applied incorrectly
Message-ID: <20020212062835.3CEC6E9B2@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=83

------- Additional Comments From nyt at countercultured.net 2002-02-12 17:28 -------
in do_exec_no_pty I put do_pam_session above do_child, in do_exec_pty I put it right before you record the login and right after close(ttyfd). I do not see any problems with this, what problems have you seen this produce? I've been running it like this on my server and it seems to set limits properly, log users in properly, etc.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Feb 12 17:34:55 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 12 Feb 2002 17:34:55 +1100 (EST)
Subject: [Bug 83] PAM limits applied incorrectly
Message-ID: <20020212063455.54D4DE9AF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=83

------- Additional Comments From djm at mindrot.org 2002-02-12 17:34 -------
IIRC we saw segfaults on Solaris and other weirdness on HPUX, but it was a while ago and my memory was rusty. What OS are you using your patch on? If you can gather success stories from the PAM-aware OSs (openssh-unix-dev@ is the place to ask for these), then we can apply the patch.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From openssh at pryan.org Tue Feb 12 17:30:07 2002
From: openssh at pryan.org (Patrick Ryan)
Date: Mon, 11 Feb 2002 22:30:07 -0800 (PST)
Subject: SRP Patch Integration?
In-Reply-To:
Message-ID:

Ah, okay, I see. There is some discussion regarding SRP at "http://www.ietf.org/ietf/IPR/WU-SRP". Perhaps someone at Stanford could help in this regard. It's probably clear that I'm not a lawyer, so I'll go back to coding now. :P

From gert at greenie.muc.de Tue Feb 12 19:21:09 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 12 Feb 2002 09:21:09 +0100
Subject: OpenSHH on SCO Open Server 3
In-Reply-To: <200202112154.g1BLsSi22398@tenzing.org>; from Roger Cornelius on Mon, Feb 11, 2002 at 04:54:28PM -0500
References: <200202112154.g1BLsSi22398@tenzing.org>
Message-ID: <20020212092109.A2557@greenie.muc.de>

Hi,

On Mon, Feb 11, 2002 at 04:54:28PM -0500, Roger Cornelius wrote:
> I don't think SCO ever had a product called OpenServer 3. Do you mean
> Open Desktop 3?

ODT 3 = OSR 3.

gert

--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert.doering at physik.tu-muenchen.de

From deraadt at cvs.openbsd.org Tue Feb 12 20:00:44 2002
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Tue, 12 Feb 2002 02:00:44 -0700
Subject: SRP Patch Integration?
In-Reply-To: Your message of "Mon, 11 Feb 2002 23:34:25 EST." <20020212043425.6F7D2207C1@citi.umich.edu>
Message-ID: <200202120900.g1C90iWU002725@cvs.openbsd.org>

> >Simply stated, SRP is a strong password authentication protocol that
> >resists passive/active network attack, and when used in conjunction with
> >OpenSSH, solves the "unknown host key" problem without requiring host
> >key fingerprint verification or PKI deployment (e.g. X.509 certs). Put
> >another way, is there any good reason *not* to fold these patches into
> >OpenSSH proper?
> SRP would be useful to have. However, as it is patented I do not know
> if it can be included in OpenSSH. The grant in the patent seems to
> place restrictions on the licensee.
>
> It is not clear if EKE or SPEKE patents are required for a SRP
> implementation.
>
> As far as I see it, everything that is patented is tainted.
> Somebody who has money to pay a lawyer needs to investigate
> this further.

Niels says there are patent issues. Now someone will stand up and say that there are no issues. Such a person would be wrong. There ARE issues. The rules say that we can instrument a cut-down version of the full EKE protocols, but not a full version. The rules constrain our development freedom. Well, want to know what my opinion is about such rules? The people who made such rules can rot in hell. Perhaps we will just wait for an alternative that has no stupid rules.

We've been doing a good job of sticking it to patent idiots, and I do not think we should stop.

Stanford wants to slow use of new technology. Fine with me. Other technology will appear. I urge other people to develop alternatives to the EKE stuff.

From deraadt at cvs.openbsd.org Tue Feb 12 20:02:28 2002
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Tue, 12 Feb 2002 02:02:28 -0700
Subject: SRP Patch Integration?
In-Reply-To: Your message of "Mon, 11 Feb 2002 21:50:44 PST."
Message-ID: <200202120902.g1C92SWU024340@cvs.openbsd.org>

> Broader use of the SRP authentication technology, such as variants
> incorporating the use of an explicit server secret (SRP-Z), may
> require a license; please contact the Stanford Office of Technology
> Licensing (http://otl.stanford.edu/) for more information about
> terms and conditions.

Unacceptable. Let us wait for something better to come along.

From tusker at tusker.org Tue Feb 12 23:01:13 2002
From: tusker at tusker.org (Damien Mascord)
Date: Tue, 12 Feb 2002 23:01:13 +1100
Subject: SSH-1.0-SSH_Version_Mapper ?
Message-ID: <5.1.0.14.2.20020212225825.03373e28@10.0.0.1>

Hi guys,

Feb 12 22:46:24 fallen sshd[10026]: [ID 800047 auth.info] scanned from xxx.xxx.xxx.xxx with SSH-1.0-SSH_Version_Mapper. Don't panic.

Just wondering whether anyone here has any more information on this type of scan?

Cheers,

Damien

From tusker at UNSW.EDU.AU Tue Feb 12 23:06:23 2002
From: tusker at UNSW.EDU.AU (Damien Mascord)
Date: Tue, 12 Feb 2002 23:06:23 +1100
Subject: SSH-1.0-SSH_Version_Mapper ?
Message-ID: <5.1.0.14.2.20020212230617.0336ae40@10.0.0.1>

Hi guys,

Feb 12 22:46:24 fallen sshd[10026]: [ID 800047 auth.info] scanned from xxx.xxx.xxx.xxx with SSH-1.0-SSH_Version_Mapper. Don't panic.

Just wondering whether anyone here has any more information on this type of scan?

Cheers,

Damien

From djm at mindrot.org Tue Feb 12 23:43:31 2002
From: djm at mindrot.org (Damien Miller)
Date: Tue, 12 Feb 2002 23:43:31 +1100 (EST)
Subject: SSH-1.0-SSH_Version_Mapper ?
In-Reply-To: <5.1.0.14.2.20020212230617.0336ae40@10.0.0.1>
Message-ID:

On Tue, 12 Feb 2002, Damien Mascord wrote:

> Hi guys,
>
> Feb 12 22:46:24 fallen sshd[10026]: [ID 800047 auth.info] scanned from
> xxx.xxx.xxx.xxx with SSH-1.0-SSH_Version_Mapper. Don't panic.
>
> Just wondering whether anyone here has any more information on this type of
> scan?

http://www.monkey.org/~provos/scanssh/

-d

From frank at bcsi.ca Wed Feb 13 00:35:05 2002
From: frank at bcsi.ca (Frank S. Bernhardt)
Date: Tue, 12 Feb 2002 08:35:05 -0500
Subject: SSH Client Hangs after logging in to SSHD
References: <00e601c1b2f4$d33deda0$050aa8c0@cilsa.org.ar>
Message-ID: <3C691A08.FC601DB5@bcsi.ca>

I'm not a ssh expert and I don't know if the log is good or bad, but I too am running OpenSSH under OpenServer. I find that after I connect, the return key has no effect unless I first type:

stty sane j

If you've hit before that you must first press j a couple of times to clean out the buffer. After I type the above command, everything seems to work ok. Interestingly when I connect from a Linux box using ssh I don't seem to need to do this.

I hope this helps.

Federico Coco wrote:

> Please, I need your help
>
> My config.
> SCO V5.05
> OpenSSL V0.9.6b
> OpenSSH V2.9p2
>
> I start sshd in debugging mode, and this is what I see:
>
> debug2: Command 'last' timed out
> debug2: Command 'df' timed out
> debug2: Command 'vmstat' timed out
> debug1: Seeded RNG with 35 bytes from programs
> debug1: Seeded RNG with 3 bytes from system calls
> debug1: sshd version OpenSSH_2.9p2
> debug1: private host key: #0 type 0 RSA1
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> Generating 768 bit RSA key.
> RSA key generation complete.
>
> After that I tried to connect from my ssh client, Putty, this is what I see:
>
> debug1: Server will not fork when running in debugging mode.
> Connection from 192.168.10.5 port 1368
> debug1: Client protocol version 1.5; client software version PuTTY
> debug1: no match: PuTTY
> debug1: Local version string SSH-1.99-OpenSSH_2.9p2
> debug1: Rhosts Authentication disabled, originating port not trusted.
> debug1: Sent 768 bit server key and 1024 bit host key.
> debug1: Encryption type: 3des
> debug1: Received session key; encryption turned on.
>
> Now I have a login on the screen, so I will enter a user:
>
> Connection from 192.168.10.5 port 1368
> debug1: Client protocol version 1.5; client software version PuTTY
> debug1: no match: PuTTY
> debug1: Local version string SSH-1.99-OpenSSH_2.9p2
> debug1: Rhosts Authentication disabled, originating port not trusted.
> debug1: Sent 768 bit server key and 1024 bit host key.
> debug1: Encryption type: 3des
> debug1: Received session key; encryption turned on.
> debug1: Installing crc compensation attack detector.
> debug1: Attempting authentication for federico.
>
> Now I will enter the password:
>
> Accepted password for federico from 192.168.10.5 port 1368
> debug1: session_new: init
> debug1: session_new: session 0
> debug1: Allocating pty.
> debug1: Entering interactive session.
> debug1: fd 10 setting O_NONBLOCK
> debug1: fd 11 IS O_NONBLOCK
> debug1: server_init_dispatch_13
> debug1: server_init_dispatch_15
>
> After this I can see the prompt on the terminal, but everything is hung, I'm
> not able to type anything.
>
> Then I close Putty:
>
> Read error from remote host: Connection reset by peer
> debug1: Calling cleanup 0x8056d2c(0x810f3c0)
> debug1: pty_cleanup_proc: /dev/ttyp13
> debug1: Calling cleanup 0x8067870(0x0)
> debug1: Calling cleanup 0x806ccac(0x0)
> debug1: writing PRNG seed to file file://.ssh/prng_seed
>
> I don't know what is going on.
> Can you give me any clues.
>
> TIA
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: secureshell-unsubscribe at securityfocus.com
> For additional commands, e-mail: secureshell-help at securityfocus.com

--
Regards
Frank S. Bernhardt
b.c.s.i.
14 Halton Court
Markham, ON.
L3P 6R3
905-471-1691 Voice
905-471-3016 FAX
frank at bcsi.ca

---------------------------------------------------------------------
To unsubscribe, e-mail: secureshell-unsubscribe at securityfocus.com
For additional commands, e-mail: secureshell-help at securityfocus.com

From bugzilla-daemon at mindrot.org Wed Feb 13 01:20:57 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 13 Feb 2002 01:20:57 +1100 (EST)
Subject: [Bug 83] PAM limits applied incorrectly
Message-ID: <20020212142057.1BA06E9A3@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=83

------- Additional Comments From nyt at countercultured.net 2002-02-13 01:20 -------
unfortunately, I don't have the time to pursue this deeper right now, but it would be good if someone else did so this can get fixed. I'm running debian (unstable).

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From jblaine at mitre.org Wed Feb 13 02:52:27 2002
From: jblaine at mitre.org (Jeff Blaine)
Date: Tue, 12 Feb 2002 10:52:27 -0500
Subject: [openssh-unix-dev] Re: 3.0.2p1 under IRIX (coredumps)
In-Reply-To: <200202061925.g16JPRc28484@fire.its.uiowa.edu>
Message-ID: <4193833435.1013511147@jblaine-pc.MITRE.ORG>

Solution:

1. OpenSSH 3.0.1p1 builds and runs fine under our IRIX.
2. OpenSSH 3.0.2p1 does _not_

Someone broke something and I'm telling Mom.

--On Wednesday, February 06, 2002 1:25 PM -0600 David Bronder wrote:

> I was able to build OpenSSH 3.0.1p1 under 6.5.13m (I think) not
> long ago
>
> Jeff Blaine wrote:
>>
>> Please? Anyone? Who handles the "Yes, OpenSSH works under IRIX"
>> claim on the OpenSSH page? I really would like to get this to
>> build and run properly :< Any comments would be great, even if it's
>> "I can't look into this for a week or two, but will get back to you."
>>
>> Friday 2/1:
>>
>> > Hello,
>> >
>> > I am unable to build a working OpenSSH 3.0.2p1 for IRIX 6.5 using either
>> >
>> > 1. gcc 2.95.3 + binutils 2.11.2
>> >
>> > 2. SGI MIPSpro cc, CC=cc, LD=/usr/bin/ld, CFLAGS='-mips3 -n32'
>> >
>> > Under both setups:
>> >
>> > - zlib seems to build fine
>> > - OpenSSL seems to build fine and tests out okay
>> > - OpenSSH builds, and then:
>> >
>> > openssh-3.0.2p1 % ./ssh -v myhost
>> > Trace/BPT/RangeErr/DivZero/Ovflow trap (core dumped)
>> > openssh-3.0.2p1 %
>> > openssh-3.0.2p1 % ls -ld core
>> > -rw-r--r-- 1 jblaine nuucp 393216 Feb 1 11:51 core
>> > openssh-3.0.2p1 % dbx ./ssh
>> > dbx version 7.3 MR 55458_Apr30_MR Apr 30 1999 13:44:41
>> > Unable to find or process rld object list at address 0x0:( dbx
>> > internal status code 7) Core file does not correspond to executable
>> > Executable
>> > /afs/rcf.mitre.org/system/src/local/ssh/030/openssh-3.0.2p1/./ssh
>> > (dbx) run
>> > Process 241534 (ssh) started
>> > Process 241534 (ssh) stopped on signal SIGTRAP: Trace/BPT trap
>> > at [:0 ,0x1001bfc8] (dbx)
>> >
>> > - Building on another box (IP23) in /tmp instead of in AFS space gives me
>> > the same exact results.
>> >
>> > Could someone please tell me how to get this to build and run?
>> >
>
>
> --
> Hello World.                                        David Bronder - Systems Admin
> Segmentation Fault                                  ITS-SPA, Univ. of Iowa
> Core dumped, disk trashed, quota filled, soda warm.  david-bronder at uiowa.edu

From tom at arcot.com Wed Feb 13 04:05:18 2002
From: tom at arcot.com (Tom Wu)
Date: Tue, 12 Feb 2002 09:05:18 -0800
Subject: SRP Patch Integration?
References: <200202120900.g1C90iWU002725@cvs.openbsd.org>
Message-ID: <3C694B4E.FD197007@arcot.com>

Theo de Raadt wrote:
>
> Niels says there are patent issues. Now someone will stand up and say
> that there are no issues. Such a person would be wrong. There ARE
> issues. The rules say that we can instrument a cut-down version of
> the full EKE protocols, but not a full version. The rules constrain
> our development freedom. Well, want to know what my opinion is about

The above indicates a serious misunderstanding of the distinction between SRP (which is free) and SRP-Z (which needs licensing). SRP is not a "cut-down version" of EKE, it is a functionally-equivalent workaround. If you want absolute ability to modify algorithms without fear of patents, then you've excluded most public-key algorithms already. By your standards, you shouldn't be using DSA, since minor modifications/tweaks to it can result in a patented discrete-log signature scheme. Are you really willing to apply this stance objectively and uniformly to all of OpenSSH?

> such rules? The people who made such rules can rot in hell. Perhaps
> we will just wait for an alternative that has no stupid rules.
>
> We've been doing a good job of sticking it to patent idiots, and I do
> not think we should stop.
>
> Stanford wants to slow use of new technology. Fine with me. Other
> technology will appear. I urge other people to develop alternatives
> to the EKE stuff.

You seem to have interpreted the situation precisely backwards. EKE is the patented, non-free technology. I invented SRP and insisted that it be available royalty-free so that Open Source developers had the opportunity to use strong password technology without having to pay royalties. I respect your opinions, but please make sure you get the facts straight about who is really "slow[ing] use of new technology".
Tom

--
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."

From tom at arcot.com Wed Feb 13 04:30:35 2002
From: tom at arcot.com (Tom Wu)
Date: Tue, 12 Feb 2002 09:30:35 -0800
Subject: SRP Patch Integration?
References: <20020212043425.6F7D2207C1@citi.umich.edu>
Message-ID: <3C69513B.7346D5FE@arcot.com>

Niels Provos wrote:
>
> SRP would be useful to have. However, as it is patented I do not know
> if it can be included in OpenSSH. The grant in the patent seems to
> place restrictions on the licensee.

Are you referring to the distinction between SRP and SRP-Z? The SRP userauth mechanism is specifically based on RFC2945, which is royalty-free, and does not use SRP-Z in any way. Or were there some other "restrictions" you were concerned about?

> It is not clear if EKE or SPEKE patents are required for a SRP
> implementation.
>
> As far as I see it, everything that is patented is tainted.
> Somebody who has money to pay a lawyer needs to investigate
> this further.

This is an unreasonable position. Are you familiar with U.S. Patent number 5,231,668? Its title is "Digital Signature Algorithm". Doesn't OpenSSH use DSA? Who paid for that investigation?

The reasoning is backwards, that's the problem. Being patented is clearly not the issue here. If it were, half the algorithms in OpenSSH would fail that test. One still needs to come up with a reason why a patent would pose a problem for OpenSSH, and no such good reason has surfaced for SRP, which leads me to believe the IP issue is a red herring.

> Niels.

Tom

--
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."

From tom at arcot.com Wed Feb 13 04:34:10 2002
From: tom at arcot.com (Tom Wu)
Date: Tue, 12 Feb 2002 09:34:10 -0800
Subject: SRP Patch Integration?
References: 
Message-ID: <3C695212.CDC18CB2@arcot.com>

Damien Miller wrote:
> 
> > * 2. Any software that incorporates all or part of the SRP distribution
> > * itself must display the following acknowledgment:
> > * "This product includes software developed by Tom Wu and Eugene
> > * Jhong for the SRP Distribution (http://srp.stanford.edu/)."
> 
> I am ambivalent about this too. Display? where? (docs?, runtime?)

In the same place that you display the acknowledgment for OpenSSL. :-)

> -d

Tom
-- 
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."

From Patrick.Maigron at int-evry.fr Wed Feb 13 04:37:11 2002
From: Patrick.Maigron at int-evry.fr (Patrick Maigron)
Date: Tue, 12 Feb 2002 18:37:11 +0100
Subject: Problem with ssh-keyscan: no hostkey alg
Message-ID: <20020212173711.GD6208@orion.int-evry.fr>

Hi,

I am using ssh-keyscan with a list of hosts, such as:

    ssh-keyscan -t rsa -f hosts_for_keyscan

Some of the hosts in the list have dsa, but no rsa keys. For such hosts, the command displays:

    no hostkey alg

When this is the case for 2 hosts, this message appears twice AND SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are returned for the following hosts.

Here is the part of the trace corresponding to the problem. In this example hosts 157.159.100.120 and 157.159.100.122 have dsa but no rsa keys.

(The problem is even more annoying if I use ssh-keyscan -t rsa1,rsa,dsa, because after the 2 hosts the whole command stops and NO RSA1 KEYS AT ALL ARE RETRIEVED.)

It seems that a function cleanup is called for the first host, and not the second one ?

Patrick.

-----

> ssh-keyscan -v -t rsa -f hosts_for_keyscan > known_hosts_from_keyscan
...
# 157.159.100.120 SSH-1.99-OpenSSH_2.3.0p1
Enabling compatibility mode for protocol 2.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
no hostkey alg
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x21ba0(0x0)
debug1: Calling cleanup 0x1c324(0x0)
debug1: match: OpenSSH_2.3.0p1 pat ^OpenSSH_2\.3\.0
# 157.159.100.122 SSH-1.99-OpenSSH_2.3.0p1
Enabling compatibility mode for protocol 2.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
no hostkey alg
debug1: writing PRNG seed to file /Users/teleinf4/patrick/.ssh/prng_seed

From deraadt at cvs.openbsd.org Wed Feb 13 05:06:25 2002
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Tue, 12 Feb 2002 11:06:25 -0700
Subject: SRP Patch Integration?
In-Reply-To: Your message of "Tue, 12 Feb 2002 09:30:35 PST." <3C69513B.7346D5FE@arcot.com>
Message-ID: <200202121806.g1CI6PWU024119@cvs.openbsd.org>

> Are you referring to the distinction between SRP and SRP-Z? The SRP
> userauth mechanism is specifically based on RFC2945, which is
> royalty-free, and does not use SRP-Z in any way. Or were there some
> other "restrictions" you were concerned about?

The space is specifically not free.

> > It is not clear if EKE or SPEKE patents are required for a SRP
> > implementation.
> > 
> > As far as I see it, everything that is patented is tainted.
> > Somebody who has money to pay a lawyer needs to investigate
> > this further.
> 
> This is an unreasonable position. Are you familiar with U.S. Patent
> number 5,231,668? Its title is "Digital Signature Algorithm". Doesn't
> OpenSSH use DSA? Who paid for that investigation?

I read a declaration that the US government, in making DSA a standard, protects the community from patent issues. As I understand, the same kind of protection exists for DES and now for AES.

I've had other dealings with Stanford over patents and such. They've been the biggest assholes I've ever had to deal with. Xerox was easier to deal with. I don't even want to bother touching anything in their space.

> The reasoning is backwards, that's the problem. Being patented is
> clearly not the issue here. If it were, half the algorithms in OpenSSH
> would fail that test. One still needs to come up with a reason why a
> patent would pose a problem for OpenSSH, and no such good reason has
> surfaced for SRP, which leads me to believe the IP issue is a red
> herring.

Well, tough.

You just seem to be upset because we've decided to wait for something else to show up in the field.

I think the benefit to threat ratio is bad enough that we should just wait.

Sorry Tom.
You should have fought the lawyers more when you sold your soul.

From tom at arcot.com Wed Feb 13 05:26:58 2002
From: tom at arcot.com (Tom Wu)
Date: Tue, 12 Feb 2002 10:26:58 -0800
Subject: SRP Patch Integration?
References: <200202121806.g1CI6PWU024119@cvs.openbsd.org>
Message-ID: <3C695E72.392EA4EA@arcot.com>

Theo de Raadt wrote:
> 
> > Are you referring to the distinction between SRP and SRP-Z? The SRP
> > userauth mechanism is specifically based on RFC2945, which is
> > royalty-free, and does not use SRP-Z in any way. Or were there some
> > other "restrictions" you were concerned about?
> 
> The space is specifically not free.

It's no less free than the public-key signature space, yet you use digital signature algorithms in OpenSSH.

> > > As far as I see it, everything that is patented is tainted.
> > > Somebody who has money to pay a lawyer needs to investigate
> > > this further.
> > 
> > This is an unreasonable position. Are you familiar with U.S. Patent
> > number 5,231,668? Its title is "Digital Signature Algorithm". Doesn't
> > OpenSSH use DSA? Who paid for that investigation?
> 
> I read a declaration that the US government, in making DSA a standard,
> protects the community from patent issues. As I understand, the same
> kind of protection exists for DES and now for AES.

Where can I find a copy of this statement? I'd like to see if Stanford can be persuaded to issue a similar statement, since it appears to offer you sufficient assurance. AFAIK, the USG said, "we don't think there are any patent concerns" and that was it. In _Applied Cryptography_, p. 493, Schneier gives a more in-depth detailing of the IP situation, which mirrors that of SRP precisely.

> I've had other dealings with Stanford over patents and such. They've
> been the biggest assholes I've ever had to deal with. Xerox was
> easier to deal with. I don't even want to bother touching anything in
> their space.

Can you give an example of this behavior? Are you honestly saying that it's fair to punish someone (me) for behavior that I had no control or knowledge of?
Are you saying that even if Stanford makes an effort to improve its practices, that it's too late and that your mind is closed to the possibility?

> > The reasoning is backwards, that's the problem. Being patented is
> > clearly not the issue here. If it were, half the algorithms in OpenSSH
> > would fail that test. One still needs to come up with a reason why a
> > patent would pose a problem for OpenSSH, and no such good reason has
> > surfaced for SRP, which leads me to believe the IP issue is a red
> > herring.
> 
> Well, tough.
> 
> You just seem to be upset because we've decided to wait for something
> else to show up in the field.

I'm upset because you seem to be giving a (poor) reason for refusing to consider SRP, and then refusing even to apply that same reasoning to other technologies that OpenSSH already uses. It's the lack of integrity that bothers me.

> I think the benefit to threat ratio is bad enough that we should just
> wait.
> 
> Sorry Tom. You should have fought the lawyers more when you sold your
> soul.

The ad-homming doesn't really help either. I suppose fighting to make a technology royalty-free is "selling one's soul" given sufficiently twisted definitions.

Tom
-- 
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."

From rac at tenzing.org Wed Feb 13 05:25:09 2002
From: rac at tenzing.org (Roger Cornelius)
Date: Tue, 12 Feb 2002 13:25:09 -0500
Subject: SSH Client Hangs after logging in to SSHD
In-Reply-To: <3C691A08.FC601DB5@bcsi.ca>
Message-ID: <200202121825.g1CIP9505042@tenzing.org>

"Frank S. Bernhardt" (frank at bcsi.ca) wrote:

>I'm not a ssh expert and I don't know if the log is good or bad, but I too am
>running OpenSSH under OpenServer. I find that after I connect, the return key
>has no effect unless I first type:
>
> stty sane j
>
>If you've hit before that you must first press j a couple of times
>to clean out the buffer. After I type the above command, everything seems to
>work ok. Interestingly when I connect from a Linux box using ssh I don't seem to
>need to do this.

My experience on SCO OpenServer has been that pre-2.9 versions of OpenSSH had the above problem. Connecting to a 2.9 or later sshd with a pre-2.9 ssh also had this problem. Do you fall in this category? I tested only between OpenServer boxes, so can't comment on Linux or others.

Below is a patch to 3.0.2p1 session.c (sshd) which fixes the problem for me. Again, I've only tested between two OSR5 boxes. I'd be interested to know if it has any adverse effects on a linux (or other) box connecting to an OSR5 one.

You'll need to either add -DSCO_OSR5 to --with-cflags when you run configure, or just remove the SCO_OSR5 ifdefs from the patch after applying it.
Roger *** Orig/openssh-3.0.2p1/session.c Sat Dec 1 18:37:08 2001 --- openssh-3.0.2p1/session.c Wed Jan 2 14:49:06 2002 *************** *** 1622,1627 **** --- 1622,1634 ---- { u_int len; int n_bytes; + #ifdef SCO_OSR5 + /* + * needed only for compatibility w/pre 2.9 openssh versions which + * connect to our sshd + */ + struct termios tio; + #endif /* SCO_OSR5 */ if (no_pty_flag) { debug("Allocating a pty not permitted for this authentication."); *************** *** 1679,1684 **** --- 1686,1710 ---- packet_done(); session_proctitle(s); + + #ifdef SCO_OSR5 + /* + * needed only for compatibility w/pre 2.9 openssh versions which + * connect to our sshd + */ + if (tcgetattr(s->ptyfd, &tio) < 0) + log("Getting tty modes for pty failed: %.100s", strerror(errno)); + else { + tio.c_lflag |= (ECHO | ISIG | ICANON); + tio.c_oflag |= (OPOST | ONLCR); + tio.c_iflag |= ICRNL; + + /* Set the new modes for the terminal. */ + if (tcsetattr(s->ptyfd, TCSANOW, &tio) < 0) + log("Setting tty modes for pty failed: %.100s", strerror(errno)); + } + #endif /* SCO_OSR5 */ + return 1; } -- Roger Cornelius rac at tenzing.org From deraadt at cvs.openbsd.org Wed Feb 13 05:36:19 2002 
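Review bot: In the first hunk (lines 1622-1634) the explanatory comment above `struct termios tio;` repeats, word for word, the one that introduces the mode fix-up in the second hunk; keep the rationale once, at the point of use, and leave the declaration with a short reference to it, so the two copies cannot drift apart when the condition it describes changes.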
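Review bot: In the second hunk (lines 1686-1710) the fix-up is applied to every pty session of an SCO_OSR5 build, not only to the pre-2.9 OpenSSH clients the comment says it exists for: `tio.c_lflag |= (ECHO | ISIG | ICANON);` together with the OPOST/ONLCR and ICRNL additions runs unconditionally at the end of the pty request handling, right before `return 1;`, so a newer client that deliberately asked for raw or no-echo modes on that pty would have them re-enabled by the server. Consider keying the block on the peer's version string (the compatibility matching visible in the ssh-keyscan trace earlier in this digest, "match: OpenSSH_2.3.0p1 pat ^OpenSSH_2\.3\.0") rather than only on the compile-time define, and say in the patch description that it changes the pty's modes for all clients as written.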
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Tue, 12 Feb 2002 11:36:19 -0700
Subject: SRP Patch Integration?
In-Reply-To: Your message of "Tue, 12 Feb 2002 10:26:58 PST." <3C695E72.392EA4EA@arcot.com>
Message-ID: <200202121836.g1CIaJWU001278@cvs.openbsd.org>

> > The space is specifically not free.
> 
> It's no less free than the public-key signature space, yet you use
> digital signature algorithms in OpenSSH.

As far as I know, the space of algorithms we are using today is in use by so many parties under the understanding that no one will ever be able to realistically make an attack against that space.

> > > This is an unreasonable position. Are you familiar with U.S. Patent
> > > number 5,231,668? Its title is "Digital Signature Algorithm". Doesn't
> > > OpenSSH use DSA? Who paid for that investigation?
> > 
> > I read a declaration that the US government, in making DSA a standard,
> > protects the community from patent issues. As I understand, the same
> > kind of protection exists for DES and now for AES.
> 
> Where can I find a copy of this statement?

I cannot precisely remember, but I recall it because it felt so nice and cosy. It was the US government trying to make sure the user had some protection. I am tired of people like Stanford having such protection, when we do not.

> I'd like to see if Stanford
> can be persuaded to issue a similar statement, since it appears to offer
> you sufficient assurance.

Simple. Have them drop the patent, make it free.

Standards should not contain references to patents. I am firm. It is why we are fighting Cisco in the VRRP space as well.

> AFAIK, the USG said, "we don't think there
> are any patent concerns" and that was it. In _Applied Cryptography_, p.
> 493, Schneier gives a more in-depth detailing of the IP situation, which
> mirrors that of SRP precisely.

Schneier apparently did not think of it as a crime against society.

> > I've had other dealings with Stanford over patents and such.
> > They've
> > been the biggest assholes I've ever had to deal with. Xerox was
> > easier to deal with. I don't even want to bother touching anything in
> > their space.
> 
> Can you give an example of this behavior?

I have been talking with Stanford for over a year trying to get a few measly copyright notices on some ancient crappy multicast tools slightly modified to permit completely free use. 5 other groups involved in that code, including University of Southern California and Xerox, responded quickly, tried to understand the situation, and then fixed their licenses. Stanford is the biggest pain in the ass I have ever dealt with on a legal front (worse than ssh.com) and I do not want to have anything further to do with them.

> Are you honestly saying that
> it's fair to punish someone (me) for behavior that I had no control or
> knowledge of?

I am not punishing you. I am protecting us.

> Are you saying that even if Stanford makes an effort to
> improve its practices, that it's too late and that your mind is closed
> to the possibility?

Go ahead, try to convince them. I am not going to bother talking to their lawyers again.

> > > The reasoning is backwards, that's the problem. Being patented is
> > > clearly not the issue here. If it were, half the algorithms in OpenSSH
> > > would fail that test. One still needs to come up with a reason why a
> > > patent would pose a problem for OpenSSH, and no such good reason has
> > > surfaced for SRP, which leads me to believe the IP issue is a red
> > > herring.
> > 
> > Well, tough.
> > 
> > You just seem to be upset because we've decided to wait for something
> > else to show up in the field.
> 
> I'm upset because you seem to be giving a (poor) reason for refusing to
> consider SRP,

I feel our reasons are well founded.

> and then refusing even to apply that same reasoning to
> other technologies that OpenSSH already uses.

The other technologies are well established, and we are protected by the entire industry.
With SRP, we become a first user, and a target.

It's an RFC. Wow. So is VRRP, and look how screwed up that space is with patents.

> It's the lack of
> integrity that bothers me.

Oh, really. Thanks. I'll remember that comment. How funny.

> > I think the benefit to threat ratio is bad enough that we should just
> > wait.
> > 
> > Sorry Tom. You should have fought the lawyers more when you sold your
> > soul.
> 
> The ad-homming doesn't really help either. I suppose fighting to make a
> technology royalty-free is "selling one's soul" given sufficiently
> twisted definitions.

I am not attacking you. I am making a stand against new IP questions. Sorry if you feel otherwise.

From tom at arcot.com Wed Feb 13 06:22:27 2002
From: tom at arcot.com (Tom Wu)
Date: Tue, 12 Feb 2002 11:22:27 -0800
Subject: SRP Patch Integration?
References: <200202121836.g1CIaJWU001278@cvs.openbsd.org>
Message-ID: <3C696B73.F9B9091F@arcot.com>

Theo de Raadt wrote:
> 
> > > The space is specifically not free.
> > 
> > It's no less free than the public-key signature space, yet you use
> > digital signature algorithms in OpenSSH.
> 
> As far as I know, the space of algorithms we are using today is in use
> by so many parties under the understanding that no one will ever be able
> to realistically make an attack against that space.

So your argument is based on the "everybody else is doing it" fallacy? Do you think a judge would accept that argument if you were sued? Besides, OpenSSH would hardly be the "first user" as you claim below.

> > > > This is an unreasonable position. Are you familiar with U.S. Patent
> > > > number 5,231,668? Its title is "Digital Signature Algorithm". Doesn't
> > > > OpenSSH use DSA? Who paid for that investigation?
> > > 
> > > I read a declaration that the US government, in making DSA a standard,
> > > protects the community from patent issues. As I understand, the same
> > > kind of protection exists for DES and now for AES.
> > 
> > Where can I find a copy of this statement?
> 
> I cannot precisely remember, but I recall it because it felt so nice and
> cosy. It was the US government trying to make sure the user had some
> protection. I am tired of people like Stanford having such protection,
> when we do not.

That last statement makes no sense. Stanford is trying to make sure the user has some protection as well, by *specifically* making anything based on RFC2945 free.

> > I'd like to see if Stanford
> > can be persuaded to issue a similar statement, since it appears to offer
> > you sufficient assurance.
> 
> Simple. Have them drop the patent, make it free.

Yet you did not demand this from the USG. Strange, and inconsistent.

> Standards should not contain references to patents.
> I am firm. It is
> why we are fighting Cisco in the VRRP space as well.
> 
> > AFAIK, the USG said, "we don't think there
> > are any patent concerns" and that was it. In _Applied Cryptography_, p.
> > 493, Schneier gives a more in-depth detailing of the IP situation, which
> > mirrors that of SRP precisely.
> 
> Schneier apparently did not think of it as a crime against society.

Right, and neither is the royalty-free license for SRP.

> > > I've had other dealings with Stanford over patents and such. They've
> > > been the biggest assholes I've ever had to deal with. Xerox was
> > > easier to deal with. I don't even want to bother touching anything in
> > > their space.
> > 
> > Can you give an example of this behavior?
> 
> I have been talking with Stanford for over a year trying to get a few
> measly copyright notices on some ancient crappy multicast tools
> slightly modified to permit completely free use. 5 other groups
> involved in that code, including University of Southern California and
> Xerox, responded quickly, tried to understand the situation, and then
> fixed their licenses. Stanford is the biggest pain in the ass I have
> ever dealt with on a legal front (worse than ssh.com) and I do not
> want to have anything further to do with them.

Which group at Stanford controlled these multicast tools? Stanford's a pretty big place. Isn't it possible that the group you're dealing with has nothing to do with the people handling SRP? Are you the slightest bit interested in getting at the truth of the matter?

> > Are you honestly saying that
> > it's fair to punish someone (me) for behavior that I had no control or
> > knowledge of?
> 
> I am not punishing you. I am protecting us.

From frank at bcsi.ca Wed Feb 13 06:46:05 2002
From: frank at bcsi.ca (Frank S. Bernhardt)
Date: Tue, 12 Feb 2002 14:46:05 -0500
Subject: SSH Client Hangs after logging in to SSHD
References: <200202121825.g1CIP9505042@tenzing.org>
Message-ID: <3C6970FD.7C9BEDB6@bcsi.ca>

Thanks for the patch. I'm red-faced to say that I'm currently running openssh-2.3.0p1 with openssl-0.9.6. My motto is "If it's working, leave it alone". I guess I could try to get 3.9.2p1 up and running. I don't enjoy this "build stuff" as I'm a COBOL programmer, not a C programmer and it's always quite painful and time consuming for me to get it working.

I've given up on OpenUNIX 8 for now. I've gotten it to the stage where I'm missing some library and have no clue as to where to get it from (yes, I'm clueless). Anyway, it's not that important right now.

I'll keep you informed as to how I make out (please scan the obituaries on a regular basis).

Thanks again.

Roger Cornelius wrote:

> "Frank S. Bernhardt" (frank at bcsi.ca) wrote:
> 
> >I'm not a ssh expert and I don't know if the log is good or bad, but I too am
> >running OpenSSH under OpenServer. I find that after I connect, the return key
> >has no effect unless I first type:
> >
> > stty sane j
> >
> >If you've hit before that you must first press j a couple of times
> >to clean out the buffer. After I type the above command, everything seems to
> >work ok. Interestingly when I connect from a Linux box using ssh I don't seem to
> >need to do this.
> 
> My experience on SCO OpenServer has been that pre-2.9 versions of OpenSSH
> had the above problem. Connecting to a 2.9 or later sshd with a pre-2.9
> ssh also had this problem. Do you fall in this category? I tested only
> between OpenServer boxes, so can't comment on Linux or others.
> 
> Below is a patch to 3.0.2p1 session.c (sshd) which fixes the problem for
> me. Again, I've only tested between two OSR5 boxes. I'd be interested
> to know if it has any adverse effects on a linux (or other) box
> connecting to an OSR5 one.
> > You'll need to either add -DSCO_OSR5 to --with-cflags when you run > configure, or just remove the SCO_OSR5 ifdefs from the patch after > applying it. > > Roger > > *** Orig/openssh-3.0.2p1/session.c Sat Dec 1 18:37:08 2001 > --- openssh-3.0.2p1/session.c Wed Jan 2 14:49:06 2002 > *************** > *** 1622,1627 **** > --- 1622,1634 ---- > { > u_int len; > int n_bytes; > + #ifdef SCO_OSR5 > + /* > + * needed only for compatibility w/pre 2.9 openssh versions which > + * connect to our sshd > + */ > + struct termios tio; > + #endif /* SCO_OSR5 */ > > if (no_pty_flag) { > debug("Allocating a pty not permitted for this authentication."); > *************** > *** 1679,1684 **** > --- 1686,1710 ---- > > packet_done(); > session_proctitle(s); > + > + #ifdef SCO_OSR5 > + /* > + * needed only for compatibility w/pre 2.9 openssh versions which > + * connect to our sshd > + */ > + if (tcgetattr(s->ptyfd, &tio) < 0) > + log("Getting tty modes for pty failed: %.100s", strerror(errno)); > + else { > + tio.c_lflag |= (ECHO | ISIG | ICANON); > + tio.c_oflag |= (OPOST | ONLCR); > + tio.c_iflag |= ICRNL; > + > + /* Set the new modes for the terminal. */ > + if (tcsetattr(s->ptyfd, TCSANOW, &tio) < 0) > + log("Setting tty modes for pty failed: %.100s", strerror(errno)); > + } > + #endif /* SCO_OSR5 */ > + > return 1; > } > > > -- > Roger Cornelius rac at tenzing.org -- Regards Frank S. Bernhardt b.c.s.i. 14 Halton Court Markham, ON. L3P 6R3 905-471-1691 Voice 905-471-3016 FAX frank at bcsi.ca From wknox at mitre.org Wed Feb 13 07:08:24 2002 From: wknox at mitre.org (William R. Knox) Date: Tue, 12 Feb 2002 15:08:24 -0500 (EST) Subject: SRP Patch Integration? In-Reply-To: <200202121836.g1CIaJWU001278@cvs.openbsd.org> Message-ID: On Tue, 12 Feb 2002, Theo de Raadt wrote: > Date: Tue, 12 Feb 2002 11:36:19 -0700 
> From: Theo de Raadt
> To: Tom Wu
> Cc: Niels Provos , openssh-unix-dev at mindrot.org,
>     Markus.Friedl at informatik.uni-erlangen.de, deraadt at openbsd.org
> Subject: Re: SRP Patch Integration?
> ...
> 
> > I'd like to see if Stanford
> > can be persuaded to issue a similar statement, since it appears to offer
> > you sufficient assurance.
> 
> Simple. Have them drop the patent, make it free.
> 
> Standards should not contain references to patents. I am firm. It is
> why we are fighting Cisco in the VRRP space as well.
> ...

Now, I am not a lawyer (which means I am going to try and think poorly like one, I know), but how is having a patent at all related to whether or not something is free? Isn't that a licensing issue, which is, I thought, entirely separate from a patent? Doesn't a patent just effectively register an idea with the federal government and prevent other people from claiming that they had the same idea first? Doesn't this then prevent other people from coming in and charging other people for something which you thought up and which you were going to allow people to use for free?

Just my two cents, for what it's worth (two cents, I guess).

Bill Knox
Senior Operating Systems Programmer/Analyst
The MITRE Corporation

From bugzilla-daemon at mindrot.org Wed Feb 13 07:56:50 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 13 Feb 2002 07:56:50 +1100 (EST)
Subject: [Bug 105] scp protocol 2 over a hippi interface takes 6 times longer
Message-ID: <20020212205650.1D44CE904@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=105

------- Additional Comments From markus at openbsd.org 2002-02-13 07:56 -------

hm, ok, let's try this.

keep CHAN_SES_PACKET_DEFAULT fixed:

    #define CHAN_SES_PACKET_DEFAULT (16*1024)

and change the _window_ size to

    #define CHAN_SES_WINDOW_DEFAULT (CHAN_SES_PACKET_DEFAULT*4)

you can try to increase the 4. this means the ssh client will send 4 packets before waiting for an ACK from the server.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From deraadt at cvs.openbsd.org Wed Feb 13 08:03:18 2002
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Tue, 12 Feb 2002 14:03:18 -0700
Subject: SRP Patch Integration?
In-Reply-To: Your message of "Tue, 12 Feb 2002 15:08:24 EST." 
Message-ID: <200202122103.g1CL3IWU013674@cvs.openbsd.org>

> Now, I am not a lawyer (which means I am going to try and think poorly
> like one, I know), but how is having a patent at all related to whether or
> not something is free? Isn't that a licensing issue, which is, I thought,
> entirely separate from a patent?

Since we are talking about completely free software, I am astounded you are unable to think this through.

> Doesn't a patent just effectively
> register an idea with the federal government and prevent other people from
> claiming that they had the same idea first?

No. They establish a fee payment schedule.

> Doesn't this then prevent
> other people from coming in and charging other people for something which
> you thought up and which you were going to allow people to use for free?

No. In my experience, there is no such thing as a defensive patent.
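The bug 105 comment above suggests raising CHAN_SES_WINDOW_DEFAULT to four packets so the client can send that much before waiting for the server's window adjustment. The following is an added example, not code from OpenSSH or from anyone in this digest: it models the SSH2 channel flow-control loop (a sender may have at most one window of bytes outstanding, and the receiver hands credit back as it consumes data) to show why throughput over a fast link is capped at window divided by round-trip time, however fast the link is. The link speed, round-trip time and transfer size are constructed values; the two constant names mirror the ones quoted in the comment, and the timing model (serialisation plus propagation only, credit returned one RTT after a chunk leaves the sender) is an assumption of this example.

```python
"""Model of SSH2 channel flow control. Added example with constructed
parameters; not OpenSSH code."""
import heapq

# Defaults quoted in the bug 105 comment above (bytes).
CHAN_SES_PACKET_DEFAULT = 16 * 1024
CHAN_SES_WINDOW_DEFAULT = CHAN_SES_PACKET_DEFAULT * 4


def window_limited_rate(window_bytes, rtt_s, link_bps):
    """Upper bound on bytes/second: the link itself, or one window per
    round trip, whichever is smaller (the bandwidth-delay product)."""
    if rtt_s <= 0:
        raise ValueError("rtt must be positive")
    return min(link_bps / 8.0, window_bytes / rtt_s)


def window_for_link(link_bps, rtt_s):
    """Smallest window (bytes) that lets a sender keep the link busy."""
    return link_bps / 8.0 * rtt_s


def simulate_transfer(total_bytes, window, packet, link_bps, rtt_s):
    """Event-driven transfer model; returns the time (s) at which the last
    byte reaches the receiver.

    Assumed model: a chunk occupies the link for its serialisation time; the
    receiver consumes data on arrival and its WINDOW_ADJUST for that chunk
    reaches the sender one RTT after the chunk finished leaving the sender."""
    if window <= 0 or packet <= 0:
        raise ValueError("window and packet must be positive")
    t = 0.0
    credit = window      # bytes the sender may still put on the wire
    sent = 0
    adjusts = []         # min-heap of (arrival time, bytes of credit returned)
    while sent < total_bytes:
        if credit > 0:
            # As in the real sender, a chunk never exceeds the remaining window.
            chunk = min(packet, total_bytes - sent, credit)
            t += chunk * 8.0 / link_bps
            sent += chunk
            credit -= chunk
            heapq.heappush(adjusts, (t + rtt_s, chunk))
        else:
            # Window exhausted: stall until the earliest adjust arrives.
            arrival, back = heapq.heappop(adjusts)
            t = max(t, arrival)
            credit += back
    return t + rtt_s / 2.0   # propagation of the final chunk


def throughput(total_bytes, window, packet, link_bps, rtt_s):
    """Achieved bytes/second for a transfer of total_bytes."""
    return total_bytes / simulate_transfer(total_bytes, window, packet,
                                           link_bps, rtt_s)


if __name__ == "__main__":
    LINK = 800e6       # constructed: a fast LAN link, bits/s
    RTT = 1e-3         # constructed: 1 ms round trip
    SIZE = 1_000_000   # constructed transfer size, bytes
    for factor in (1, 4, 16, 64):
        win = CHAN_SES_PACKET_DEFAULT * factor
        got = throughput(SIZE, win, CHAN_SES_PACKET_DEFAULT, LINK, RTT)
        bound = window_limited_rate(win, RTT, LINK)
        print(f"window={win:>8} B  achieved={got / 1e6:6.1f} MB/s"
              f"  bound={bound / 1e6:6.1f} MB/s")
    print(f"window needed to fill the link: {window_for_link(LINK, RTT):.0f} B")
```

Running the script prints one line per window size; the achieved rate climbs with the window until the window reaches the link's bandwidth-delay product, after which the link itself is the limit. That is the relationship behind "you can try to increase the 4": on a link with a large bandwidth-delay product, a window of a few packets, not the packet size, is what makes the transfer slow.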
From dan at doxpara.com Wed Feb 13 08:31:21 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Tue, 12 Feb 2002 13:31:21 -0800
Subject: SRP Patch Integration?
References: <20020212043425.6F7D2207C1@citi.umich.edu> <3C69513B.7346D5FE@arcot.com>
Message-ID: <001d01c1b40c$a9fcaa80$1701000a@effugas>

> Are you referring to the distinction between SRP and SRP-Z? The SRP
> userauth mechanism is specifically based on RFC2945, which is
> royalty-free, and does not use SRP-Z in any way. Or were there some
> other "restrictions" you were concerned about?

This is an uncomfortable situation for me, as I was one of the major champions of getting SRP in.

My concern is that we have a "license" for integrating SRP in one specific way, but the more we do to use it in new and interesting ways, the more we leave the purview of what Stanford will allow us to do.

I'd like to use SRP to authenticate unknown host keys, for instance. Is that a new use? Is it arguable?

Tom, I know the bar has been raised on you repeatedly, and every time you manage to overcome one hurdle, another one pops up. And that sucks, a lot, because SRP has a ginormous amount of potential. (If there wasn't such a feeding frenzy for the vaporware profits of certificate management, your system would be *the* standard). But I see Theo's worry: The moment we start using the SRP protocol a tiny bit outside the expected uses mentioned in the RFC, we *might* fall out of compliance.

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

From tom at arcot.com Wed Feb 13 09:15:06 2002
From: tom at arcot.com (Tom Wu)
Date: Tue, 12 Feb 2002 14:15:06 -0800
Subject: SRP Patch Integration?
References: <20020212043425.6F7D2207C1@citi.umich.edu> <3C69513B.7346D5FE@arcot.com> <001d01c1b40c$a9fcaa80$1701000a@effugas>
Message-ID: <3C6993EA.E2544B18@arcot.com>

Dan Kaminsky wrote:
> 
> > Are you referring to the distinction between SRP and SRP-Z? The SRP
> > userauth mechanism is specifically based on RFC2945, which is
> > royalty-free, and does not use SRP-Z in any way. Or were there some
> > other "restrictions" you were concerned about?
> 
> This is an uncomfortable situation for me, as I was one of the major
> champions of getting SRP in.
> 
> My concern is that we have a "license" for integrating SRP in one specific
> way, but the more we do to use it in new and interesting ways, the more we
> leave the purview of what Stanford will allow us to do.

Perhaps I can clarify. The royalty-free license isn't quite that narrow. I decided to make the SRP/SRP-Z distinction because I felt that the distinction was fairly fundamental, with differing fields of use. By drawing the line where I did, my intention was to make it trivial to determine what is free and what isn't without having to consult experts.

Again, remember that this has always been the case with public-key crypto. If OpenSSH were to explore, for example, ECC, you'd be likely to find an even more tangled web of IP issues; at some point, reasonable decisions have to be made in good faith for any progress to occur.

> I'd like to use SRP to authenticate unknown host keys, for instance. Is
> that a new use? Is it arguable?

It clearly and unarguably falls under the royalty-free terms.

> Tom, I know the bar has been raised on you repeatedly, and every time you
> manage to overcome one hurdle, another one pops up. And that sucks, a lot,
> because SRP has a ginormous amount of potential. (If there wasn't such a

Yes, that's exactly what I'm objecting to.
I'm a pretty staunch OSS advocate - I put together the SRP distribution under a BSD license - so it bothers me to see others on the same team, as it were, seeming to prefer stagnation instead of making reasonable judgements about new technology. I object to the obvious double-standards at work here, though it seems that at least some of them stem from one developer's personal experiences instead of from the community as a whole, so I guess I don't feel so bad about being singled out for unwarranted criticism.

> feeding frenzy for the vaporware profits of certificate management, your
> system would be *the* standard). But I see Theo's worry: The moment we
> start using the SRP protocol a tiny bit outside the expected uses mentioned
> in the RFC, we *might* fall out of compliance.

Remember, although the license mentions the RFC, it does so only as a concrete, absolute example of what is free, and does not attempt to limit coverage to the RFC. If there is ever a question about the license, however, I have expressed my commitment to answering all such questions in good faith, since I'd rather see design decisions made by engineers, not lawyers.

> Yours Truly,
> 
> Dan Kaminsky
> DoxPara Research
> http://www.doxpara.com

Tom
-- 
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."

From tom at arcot.com Wed Feb 13 09:19:44 2002
From: tom at arcot.com (Tom Wu)
Date: Tue, 12 Feb 2002 14:19:44 -0800
Subject: SRP Patch Integration?
References: <200202122103.g1CL3IWU013674@cvs.openbsd.org>
Message-ID: <3C6994FF.8694AD69@arcot.com>

Theo de Raadt wrote:
> 
> > Doesn't a patent just effectively
> > register an idea with the federal government and prevent other people from
> > claiming that they had the same idea first?
> 
> No. They establish a fee payment schedule.

I thought that was the job of the licensing department, not the patent office. So what is the fee payment schedule for US Patent #5,231,668, "Digital Signature Algorithm"? Or is that a counterexample?

Tom
-- 
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."

From deraadt at cvs.openbsd.org Wed Feb 13 09:21:35 2002
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Tue, 12 Feb 2002 15:21:35 -0700
Subject: SRP Patch Integration?
In-Reply-To: Your message of "Tue, 12 Feb 2002 14:19:44 PST." <3C6994FF.8694AD69@arcot.com>
Message-ID: <200202122221.g1CMLZWU029001@cvs.openbsd.org>

Please stop mailing me in this discussion. I tried to explain very clearly why we are not integrating the code, but Tom persists in trying to blame me for making the decision unsoundly.

I am making a safe decision -- SRP does not provide enough benefit considering possible legal risks. I wish there was no risk. Your statement of there being no risk is not enough. Sorry. That is my interpretation, as someone who has had to fight way too many such legal battles.

Now please let me get back to work. I've got a fair bit to do.

From deraadt at cvs.openbsd.org Wed Feb 13 09:25:25 2002
From: deraadt at cvs.openbsd.org (Theo de Raadt)
Date: Tue, 12 Feb 2002 15:25:25 -0700
Subject: SRP Patch Integration?
In-Reply-To: Your message of "Tue, 12 Feb 2002 14:15:06 PST." <3C6993EA.E2544B18@arcot.com>
Message-ID: <200202122225.g1CMPPWU017568@cvs.openbsd.org>

> Again, remember that this has always been the case with public-key
> crypto. If OpenSSH were to explore, for example, ECC, you'd be likely
> to find an even more tangled web of IP issues; at some point, reasonable
> decisions have to be made in good faith for any progress to occur.

That is a reason we will never move towards any of the ECC space. There are free parts of the ECC space, but there are so many conflicting threats, we just won't go there.

Don't you get it do you? We don't investigate if there is a threat. We assume the worst. We're not stupid enough to play some stupid game with possible future legal outcomes.

As markus says, "i think that even _having_ to ask a lawyer is a threat".

From bugzilla-daemon at mindrot.org Wed Feb 13 09:32:29 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 13 Feb 2002 09:32:29 +1100 (EST)
Subject: [Bug 110] New: bogus error messages in lastlog_get_entry()
Message-ID: <20020212223229.2FD90E9F5@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=110

Summary: bogus error messages in lastlog_get_entry()
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: minor
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: peak at argo.troja.mff.cuni.cz

When sshd tries to read beyond the end of lastlog, e.g. when logging to a high-uid user that has never logged in yet, atomicio() returns 0 and lastlog_get_entry() generates a bogus error message for errno==0 (e.g. "lastlog_get_entry: Error reading from /var/log/lastlog: Success"). The following patch prevents it. Also, I made an attempt to report partial reads in a proper way.

diff -urN openssh-3.0.2p1.old/loginrec.c openssh-3.0.2p1/loginrec.c
--- openssh-3.0.2p1.old/loginrec.c Tue Oct 30 03:50:40 2001
+++ openssh-3.0.2p1/loginrec.c Tue Feb 12 23:16:43 2002
@@ -1486,15 +1486,23 @@ lastlog_get_entry(struct logininfo *li) { struct lastlog last; - int fd; + int fd, r; if (!lastlog_openseek(li, &fd, O_RDONLY)) return 0; - if (atomicio(read, fd, &last, sizeof(last)) != sizeof(last)) { + r = atomicio(read, fd, &last, sizeof(last)); + if (r == 0) { + /* no recorded login */ + memset(&last, '\0', sizeof(last)); + } else if (r != sizeof(last)) { close(fd); - log("lastlog_get_entry: Error reading from %s: %s", - LASTLOG_FILE, strerror(errno)); + if (r == -1) + log("lastlog_get_entry: Error reading from %s: %s", + LASTLOG_FILE, strerror(errno)); + else + log("lastlog_get_entry: Error reading from %s: read %d bytes, expected %d", + LASTLOG_FILE, r, sizeof(last)); return 0; } ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From tom at arcot.com Wed Feb 13 09:55:20 2002 
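Review bot: in the new `else` branch of the lastlog_get_entry() hunk, `sizeof(last)` is a `size_t` but is printed with `%d` ("read %d bytes, expected %d"), which mismatches the argument width on 64-bit hosts; cast it explicitly, e.g. `LASTLOG_FILE, r, (int)sizeof(last)`, or use `%lu` with a `(u_long)` cast as the rest of the tree does. The `r == 0` branch silently zeroes the record, which is the right result for a user with no login yet, but a `debug()` line there ("no lastlog entry for uid") would make the "never logged in" case distinguishable from a genuinely empty file when troubleshooting.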
From: tom at arcot.com (Tom Wu)
Date: Tue, 12 Feb 2002 14:55:20 -0800
Subject: SRP Patch Integration?
References: <200202122225.g1CMPPWU017568@cvs.openbsd.org>
Message-ID: <3C699D58.A142A2AF@arcot.com>

Theo de Raadt wrote:
>
> Don't you get it do you? We don't investigate if there is a threat.
> We assume the worst. We're not stupid enough to play some stupid game
> with possible future legal outcomes.

But that's the problem with assumptions - they may be wrong. And when you refuse to listen to evidence that the threat is in fact identical to existing threats (e.g. DSA) that you have deemed acceptable, it tends to call into question the judgement of the person making that assumption.

> I tried to explain very clearly why we are not integrating the code,
> but Tom persists in trying to blame me for making the decision
> unsoundly.

I believe that decision *is* unsound, primarily because you've seemingly made up your mind based on inaccurate information, broad generalizations, and double standards. For someone who constantly demands that people write code and improve OpenSSH instead of complaining, your attitude given that somebody *has* written the code is, to put it mildly, counterproductive.

> I am making a safe decision -- SRP does not provide enough
> benefit considering possible legal risks. I wish there was no risk.
> Your statement of there being no risk is not enough. Sorry.

Is it ever really safe to stagnate in the software industry? Even Open Source software has to innovate, if it wants to compete effectively with Closed Source projects, not to mention other OSS projects.

Theo, if you don't want to respond to me, that's your prerogative. I'd like to hear the opinions of other OpenSSH developers on the list, though.

Tom
--
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."

From bugzilla-daemon at mindrot.org Wed Feb 13 10:00:29 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 13 Feb 2002 10:00:29 +1100 (EST)
Subject: [Bug 105] scp protocol 2 over a hippi interface takes 6 times longer
Message-ID: <20020212230029.70D2AE9E9@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=105

------- Additional Comments From markus at openbsd.org 2002-02-13 10:00 -------

Created an attachment (id=23)
like this

From bugzilla-daemon at mindrot.org Wed Feb 13 10:20:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 13 Feb 2002 10:20:32 +1100 (EST)
Subject: [Bug 111] New: sshd syslogs raw untrusted data
Message-ID: <20020212232032.2C50DE8FF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=111

Summary: sshd syslogs raw untrusted data
Product: Portable OpenSSH
Version: -current
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: peak at argo.troja.mff.cuni.cz

There are multiple occurrences of log() et al using untrusted data (received from a client, read from ~/.ssh/*), including any special characters, as a part of the message. On some systems, namely Solaris (up to and including version 8), this is a bad thing because syslog() passes any character it gets to syslogd, including a newline that is interpreted as a message separator. For instance, when a single LF is sent to port 22, the following is logged:

Feb 12 23:29:56 blah sshd[1234]: Bad protocol version identification '
Feb 12 23:29:56 blah ' from 127.0.0.1

This way, sshd could be abused to generate bogus syslog messages by remote (!) users. Yes, such an implementation of syslog()/syslogd is stupid but it is much easier to patch OpenSSH than Solaris. :)

I made a patch against 3.0.2p1 processing untrusted data with vis() whenever they are passed to log() et al (I had to re-add vis.[ch]) but I am not sure whether I got all cases covered. It would probably be more efficient to add vis() to do_log()...as long as the potential ambiguity in cases where more than one piece of untrusted data is logged (e.g. method and authctx->user in auth_log()) is considered harmless.

From bugzilla-daemon at mindrot.org Wed Feb 13 10:30:09 2002
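The escaping the bug 111 report asks for, as an added example that is not OpenSSH code or the reporter's vis() patch: `log_vis()`, `syslog_records()` and `format_bad_version()` are names chosen here, and the sample input is the single LF from the report. `syslog_records()` models a syslogd that splits on LF, so the test shows the raw message becoming two records and the escaped one staying a single record.

```c
/*
 * Added example (not OpenSSH code): C-style escaping of untrusted bytes
 * before they reach log()/syslog(), and a model of why it matters on a
 * syslogd that treats LF as a record separator (Solaris <= 8 per the
 * bug 111 report).  All function names and sample data are constructed.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Escape an untrusted byte string.  Backslash, CR, LF and TAB get
 * two-character escapes; any other non-printable byte (control chars and
 * everything >= 0x80 in the C locale) becomes \ooo.  Returns a malloc'd
 * NUL-terminated string, or NULL on allocation failure; caller frees.
 */
char *
log_vis(const char *src, size_t len)
{
	char *out, *p;
	size_t i;

	/* worst case: every byte expands to four characters ("\ooo") */
	out = malloc(len * 4 + 1);
	if (out == NULL)
		return NULL;
	p = out;
	for (i = 0; i < len; i++) {
		unsigned char c = (unsigned char)src[i];

		if (c == '\\') {
			*p++ = '\\'; *p++ = '\\';
		} else if (c == '\n') {
			*p++ = '\\'; *p++ = 'n';
		} else if (c == '\r') {
			*p++ = '\\'; *p++ = 'r';
		} else if (c == '\t') {
			*p++ = '\\'; *p++ = 't';
		} else if (isprint(c)) {
			*p++ = (char)c;
		} else {
			p += sprintf(p, "\\%03o", c);
		}
	}
	*p = '\0';
	return out;
}

/*
 * Number of records a syslogd that splits messages on LF would write for
 * this one message: one, plus one per embedded newline.
 */
size_t
syslog_records(const char *msg)
{
	size_t n = 1;

	for (; *msg != '\0'; msg++)
		if (*msg == '\n')
			n++;
	return n;
}

/*
 * The message sshd logs for a bad version string, built either from the
 * raw client bytes (the behaviour in the report) or from log_vis() output
 * (the fix).  Returns a malloc'd string, or NULL on failure; caller frees.
 */
char *
format_bad_version(const char *client, size_t len, const char *ip, int escape)
{
	static const char fmt[] = "Bad protocol version identification '%s' from %s";
	char *shown, *msg;
	size_t need;

	if (escape) {
		shown = log_vis(client, len);
	} else {
		shown = malloc(len + 1);
		if (shown != NULL) {
			memcpy(shown, client, len);
			shown[len] = '\0';
		}
	}
	if (shown == NULL)
		return NULL;
	/* sizeof(fmt) already covers the NUL and over-counts the two "%s" */
	need = sizeof(fmt) + strlen(shown) + strlen(ip);
	msg = malloc(need);
	if (msg != NULL)
		snprintf(msg, need, fmt, shown, ip);
	free(shown);
	return msg;
}
```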
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 13 Feb 2002 10:30:09 +1100 (EST)
Subject: [Bug 111] sshd syslogs raw untrusted data
Message-ID: <20020212233009.23165E8FF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=111

------- Additional Comments From markus at openbsd.org 2002-02-13 10:30 -------

that's strange, either syslog() or syslogd should do vis()

From markus at openbsd.org Wed Feb 13 10:25:34 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 13 Feb 2002 00:25:34 +0100
Subject: Problem with ssh-keyscan: no hostkey alg
In-Reply-To: <20020212173711.GD6208@orion.int-evry.fr>; from Patrick.Maigron@int-evry.fr on Tue, Feb 12, 2002 at 06:37:11PM +0100
References: <20020212173711.GD6208@orion.int-evry.fr>
Message-ID: <20020213002534.A12853@folly>

On Tue, Feb 12, 2002 at 06:37:11PM +0100, Patrick Maigron wrote:
> When this is the case for 2 hosts, this message appears twice AND
> SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are
> returned for the following hosts.

does this happen with a recent snapshot, too?

From markus at openbsd.org Wed Feb 13 10:27:29 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 13 Feb 2002 00:27:29 +0100
Subject: SRP Patch Integration?
In-Reply-To: <3C688B58.79B92FDD@arcot.com>; from tom@arcot.com on Mon, Feb 11, 2002 at 07:26:16PM -0800
References: <3C688B58.79B92FDD@arcot.com>
Message-ID: <20020213002729.B12853@folly>

On Mon, Feb 11, 2002 at 07:26:16PM -0800, Tom Wu wrote:
> Simply stated, SRP is a strong password authentication protocol that
> resists passive/active network attack, and when used in conjunction with
> OpenSSH, solves the "unknown host key" problem without requiring host
> key fingerprint verification or PKI deployment (e.g. X.509 certs). Put

AFAIK the same applies to SSH2 w/ pubkey auth.

From tom at arcot.com Wed Feb 13 10:45:49 2002
From: tom at arcot.com (Tom Wu)
Date: Tue, 12 Feb 2002 15:45:49 -0800
Subject: SRP Patch Integration?
References: <3C688B58.79B92FDD@arcot.com> <20020213002729.B12853@folly>
Message-ID: <3C69A92C.E76CBFE0@arcot.com>

Markus Friedl wrote:
>
> On Mon, Feb 11, 2002 at 07:26:16PM -0800, Tom Wu wrote:
> > Simply stated, SRP is a strong password authentication protocol that
> > resists passive/active network attack, and when used in conjunction with
> > OpenSSH, solves the "unknown host key" problem without requiring host
> > key fingerprint verification or PKI deployment (e.g. X.509 certs). Put
>
> AFAIK the same applies to SSH2 w/ pubkey auth.

Yes, but doesn't the client need a copy of the encrypted private key somewhere? When you log in from a new location, you need to initialize the credentials there out-of-band. With SRP or any other strong password technology, this isn't necessary - the password itself is the authenticator.

Tom
--
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."

From bugzilla-daemon at mindrot.org Wed Feb 13 10:58:34 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 13 Feb 2002 10:58:34 +1100 (EST)
Subject: [Bug 111] sshd syslogs raw untrusted data
Message-ID: <20020212235834.96CBAEA07@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=111

------- Additional Comments From peak at argo.troja.mff.cuni.cz 2002-02-13 10:58 -------

The OS was S-o-l-a-r-i-s. Not OpenBSD. :)

From bugzilla-daemon at mindrot.org Wed Feb 13 11:33:08 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 13 Feb 2002 11:33:08 +1100 (EST)
Subject: [Bug 112] New: Using host key fingerprint instead of "yes"
Message-ID: <20020213003308.C56DFEA03@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=112

Summary: Using host key fingerprint instead of "yes"
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: peak at argo.troja.mff.cuni.cz

I am too paranoid to say "yes, continue connecting" blindly (yes, I know I am weird) but I am also too lazy to compare fingerprints manually or keep known_hosts on all my machines synchronized. Fortunately, I have found a way to make my life easier: if I patch ssh to interpret a matching fingerprint as "yes", I can copy & paste the expected fingerprint from a different place (file, ssh-keygen -l on another machine) with several mouse movements and let ssh do the hard work itself. :)

Well, I do not really think you will make such a change in the official version. Anyway, here is a patch I made just in case someone finds it useful:

diff -urN openssh-3.0.2p1.old/sshconnect.c openssh-3.0.2p1/sshconnect.c
--- openssh-3.0.2p1.old/sshconnect.c Wed Oct 10 07:07:45 2001
+++ openssh-3.0.2p1/sshconnect.c Wed Feb 6 02:19:58 2002
@@ -487,7 +487,7 @@ /* defaults to 'no' */ static int -confirm(const char *prompt) +confirm(const char *prompt, const char *altyes) { char buf[1024]; FILE *f; @@ -515,6 +515,8 @@ retval = 1; else if (strcmp(buf, "no") == 0) retval = 0; + else if (altyes != NULL && strcmp(buf, altyes) == 0) + retval = 1; else fprintf(stderr, "Please type 'yes' or 'no': "); @@ -697,10 +699,11 @@ "%s key fingerprint is %s.\n" "Are you sure you want to continue connecting " "(yes/no)? ", host, ip, type, fp); - xfree(fp); - if (!confirm(prompt)) { + if (!confirm(prompt, fp)) { + xfree(fp); goto fail; } + xfree(fp); } if (options.check_host_ip && ip_status == HOST_NEW) { snprintf(hostline, sizeof(hostline), "%s,%s", host, ip); @@ -815,7 +818,7 @@ goto fail; } else if (options.strict_host_key_checking == 2) { if (!confirm("Are you sure you want " - "to continue connecting (yes/no)? ")) { + "to continue connecting (yes/no)? ", NULL)) { goto fail; } } ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Feb 13 11:43:43 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 13 Feb 2002 11:43:43 +1100 (EST) Subject: [Bug 112] Using host key fingerprint instead of "yes" Message-ID: <20020213004343.18448EA03@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=112 ------- Additional Comments From dan at doxpara.com 2002-02-13 11:43 ------- Heh, I kinda like that. You should update the yes/no prompt to say that pasting the expected host key will result in appropriate testing, as well as providing some sort of error if the remote side *doesn't* match the key pasted in. I hadn't thought of cut and paste as useful like that. --Dan ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Feb 13 11:50:00 2002 
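Review bot: in the `@@ -515,6 +515,8 @@` hunk, the fallback prompt `Please type 'yes' or 'no': ` no longer lists everything confirm() accepts, and a pasted fingerprint that does not match the presented key falls through to that same generic reprompt, although the mismatch is exactly the event the user needs to notice. As dan's follow-up comment also suggests, extend the prompt to say that the expected fingerprint may be pasted, and when `altyes` is non-NULL and the input looks like a fingerprint but differs, report the mismatch explicitly (for example "Host key fingerprint does not match, not connecting") and treat it as "no" instead of asking again.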
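Review bot: in the `@@ -697,10 +699,11 @@` hunk, `fp` is now freed on both sides of the `if`; capturing the answer first keeps a single release point and avoids a leak should another early exit be added later, e.g. `r = confirm(prompt, fp); xfree(fp); if (!r) goto fail;`.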
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 13 Feb 2002 11:50:00 +1100 (EST)
Subject: [Bug 113] New: input_userauth_request: illegal user ...
Message-ID: <20020213005000.47334EA03@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=113

Summary: input_userauth_request: illegal user ...
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: peak at argo.troja.mff.cuni.cz

I think it is pointless to print this message in input_userauth_request() because invalid users are always reported by auth_log() in userauth_finish(). It should be demoted to a debugging message.

From bugzilla-daemon at mindrot.org Wed Feb 13 12:10:59 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 13 Feb 2002 12:10:59 +1100 (EST)
Subject: [Bug 114] New: Invalid users vs. PAM (protocol 1 only (?))
Message-ID: <20020213011059.8E658EA03@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=114

Summary: Invalid users vs. PAM (protocol 1 only (?))
Product: Portable OpenSSH
Version: -current
Platform: All
OS/Version: Linux
Status: NEW
Severity: minor
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: peak at argo.troja.mff.cuni.cz

do_authentication() in auth1.c does not call start_pam() for invalid users but auth_pam_password() calls do_pam_set_conv() before it checks user validity. This means pam_set_item() is called with NULL pamh and Linux PAM is unhappy and syslogs a complaint (see http://archives.neohapsis.com/archives/pam-list/2001-04/0111.html).

From djm at mindrot.org Wed Feb 13 13:13:00 2002
From: djm at mindrot.org (Damien Miller)
Date: Wed, 13 Feb 2002 13:13:00 +1100 (EST)
Subject: SRP Patch Integration?
In-Reply-To: <3C69A92C.E76CBFE0@arcot.com>
Message-ID:

On Tue, 12 Feb 2002, Tom Wu wrote:

> Markus Friedl wrote:
> >
> > On Mon, Feb 11, 2002 at 07:26:16PM -0800, Tom Wu wrote:
> > > Simply stated, SRP is a strong password authentication protocol that
> > > resists passive/active network attack, and when used in conjunction with
> > > OpenSSH, solves the "unknown host key" problem without requiring host
> > > key fingerprint verification or PKI deployment (e.g. X.509 certs). Put
> >
> > AFAIK the same applies to SSH2 w/ pubkey auth.
>
> Yes, but doesn't the client need a copy of the encrypted private key
> somewhere? When you log in from a new location, you need to initialize
> the credentials there out-of-band. With SRP or any other strong
> password technology, this isn't necessary - the password itself is the
> authenticator.

You need to initialise a password out of band too.

-d

From tom at arcot.com Wed Feb 13 13:26:52 2002
From: tom at arcot.com (Tom Wu)
Date: Tue, 12 Feb 2002 18:26:52 -0800
Subject: SRP Patch Integration?
References:
Message-ID: <3C69CEEC.6B81392F@arcot.com>

Damien Miller wrote:
>
> On Tue, 12 Feb 2002, Tom Wu wrote:
>
> > Markus Friedl wrote:
> > >
> > > On Mon, Feb 11, 2002 at 07:26:16PM -0800, Tom Wu wrote:
> > > > Simply stated, SRP is a strong password authentication protocol that
> > > > resists passive/active network attack, and when used in conjunction with
> > > > OpenSSH, solves the "unknown host key" problem without requiring host
> > > > key fingerprint verification or PKI deployment (e.g. X.509 certs). Put
> > >
> > > AFAIK the same applies to SSH2 w/ pubkey auth.
> >
> > Yes, but doesn't the client need a copy of the encrypted private key
> > somewhere? When you log in from a new location, you need to initialize
> > the credentials there out-of-band. With SRP or any other strong
> > password technology, this isn't necessary - the password itself is the
> > authenticator.
>
> You need to initialise a password out of band too.

Once, on any given server with a strong password mechanism. With pubkey auth, it seems you would need to initialize the credential out-of-band for every {client, server} pair. Ordinary users already have enough trouble with passwords as it is; at least SRP gives them more security without having to change the way they interact with the system.

> -d

Tom
--
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."

From bugzilla-daemon at mindrot.org Wed Feb 13 22:51:55 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 13 Feb 2002 22:51:55 +1100 (EST)
Subject: [Bug 105] scp protocol 2 over a hippi interface takes 6 times longer
Message-ID: <20020213115155.523F4E902@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=105

------- Additional Comments From pas50 at cam.ac.uk 2002-02-13 22:51 -------

time `cat lapack.ibm.tar.gz | local/bin/ssh -2 -c 3des-cbc -p 10222 hodgkin 'cat > f2' `
8.8u 0.8s 0:23 41% 671+630k 0+0io 137pf+0w

with these changes.

From bugzilla-daemon at mindrot.org Wed Feb 13 23:00:16 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 13 Feb 2002 23:00:16 +1100 (EST)
Subject: [Bug 114] Invalid users vs. PAM (protocol 1 only (?))
Message-ID: <20020213120016.B9F2FE902@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=114

------- Additional Comments From djm at mindrot.org 2002-02-13 23:00 -------

Created an attachment (id=24)
Fake username for invalid ssh protocol 1 users

From bugzilla-daemon at mindrot.org Wed Feb 13 23:00:48 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 13 Feb 2002 23:00:48 +1100 (EST)
Subject: [Bug 114] Invalid users vs. PAM (protocol 1 only (?))
Message-ID: <20020213120048.3EC61E902@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=114

------- Additional Comments From djm at mindrot.org 2002-02-13 23:00 -------

Does the attached patch help?

From bugzilla-daemon at mindrot.org Wed Feb 13 23:02:42 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 13 Feb 2002 23:02:42 +1100 (EST)
Subject: [Bug 113] input_userauth_request: illegal user ...
Message-ID: <20020213120242.BF427EA1B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=113

------- Additional Comments From djm at mindrot.org 2002-02-13 23:02 -------

What if they disconnect before that?

From Patrick.Maigron at int-evry.fr Wed Feb 13 22:58:30 2002
From: Patrick.Maigron at int-evry.fr (Patrick Maigron)
Date: Wed, 13 Feb 2002 12:58:30 +0100
Subject: Problem with ssh-keyscan: no hostkey alg
In-Reply-To: <20020213002534.A12853@folly>
References: <20020212173711.GD6208@orion.int-evry.fr> <20020213002534.A12853@folly>
Message-ID: <20020213115830.GA17153@orion.int-evry.fr>

On Wed, Feb 13, 2002 at 12:25:34AM +0100, Markus Friedl wrote:
> On Tue, Feb 12, 2002 at 06:37:11PM +0100, Patrick Maigron wrote:
> > When this is the case for 2 hosts, this message appears twice AND
> > SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are
> > returned for the following hosts.
>
> does this happen with a recent snapshot, too?

Sorry, I forget the version numbers...

The client is OpenSSH_3.0.2p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
SunOS orion 5.5.1 Generic_103640-24 sun4u sparc SUNW,Ultra-5_10

The servers are SSH Version OpenSSH_2.3.0p1, protocol versions 1.5/2.0. Compiled with SSL (0x0090600f).
Linux A20401 2.2.18 #1 Wed Jan 24 12:28:55 GMT 2001 i686 unknown
Configured with RSA1 and DSA keys, no RSA keys.

Only the 2 first hosts in the command are queried:

orion> ssh-keyscan -t rsa A20401 A20403 A20404
# A20401 SSH-1.99-OpenSSH_2.3.0p1
no hostkey alg
# A20403 SSH-1.99-OpenSSH_2.3.0p1
no hostkey alg
orion>

I don't have permissions on the Linux servers, but I configured an OpenSSH_3.0.2p1 server on my Solaris host with no RSA keys, and I queried myself. The result is the same:

orion> ssh-keyscan -t rsa orion orion orion
# orion SSH-1.99-OpenSSH_3.0.2p1
no hostkey alg
# orion SSH-1.99-OpenSSH_3.0.2p1
no hostkey alg
orion>

I avoided the problem by querying rsa1 rsa and dsa separately, but it is annoying not to be able to use "-t rsa1,rsa,dsa"...

Patrick.

From bugzilla-daemon at mindrot.org Wed Feb 13 23:07:18 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 13 Feb 2002 23:07:18 +1100 (EST)
Subject: [Bug 106] RFE: --without-rpath configure option
Message-ID: <20020213120718.6446FE91B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=106

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Additional Comments From djm at mindrot.org 2002-02-13 23:07 -------

Applied, thanks.

From bugzilla-daemon at mindrot.org Wed Feb 13 23:14:56 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 13 Feb 2002 23:14:56 +1100 (EST)
Subject: [Bug 87] Last logon that gets reported upon login is the current login time
Message-ID: <20020213121456.95620E91B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=87

------- Additional Comments From djm at mindrot.org 2002-02-13 23:14 -------

so a PAM session module is setting the last login time before we retrieve it? Why not just disable the module in the PAM config?

BTW you should attach your patch using the "create a new attachment" link (under the keywords entry). Pasting them into the comments makes them near impossible to apply.

From markus at openbsd.org Wed Feb 13 23:07:56 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 13 Feb 2002 13:07:56 +0100
Subject: Problem with ssh-keyscan: no hostkey alg
In-Reply-To: <20020213115830.GA17153@orion.int-evry.fr>
References: <20020212173711.GD6208@orion.int-evry.fr> <20020213002534.A12853@folly> <20020213115830.GA17153@orion.int-evry.fr>
Message-ID: <20020213120756.GA13798@faui02>

On Wed, Feb 13, 2002 at 12:58:30PM +0100, Patrick Maigron wrote:
> On Wed, Feb 13, 2002 at 12:25:34AM +0100, Markus Friedl wrote:
> > On Tue, Feb 12, 2002 at 06:37:11PM +0100, Patrick Maigron wrote:
> > > When this is the case for 2 hosts, this message appears twice AND
> > > SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are
> > > returned for the following hosts.
> >
> > does this happen with a recent snapshot, too?
>
> Sorry, I forget the version numbers...

ok, i can reproduce this problem...

From markus at openbsd.org Wed Feb 13 23:47:49 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 13 Feb 2002 13:47:49 +0100
Subject: Problem with ssh-keyscan: no hostkey alg
In-Reply-To: <20020212173711.GD6208@orion.int-evry.fr>
References: <20020212173711.GD6208@orion.int-evry.fr>
Message-ID: <20020213124748.GA14288@faui02>

On Tue, Feb 12, 2002 at 06:37:11PM +0100, Patrick Maigron wrote:
> When this is the case for 2 hosts, this message appears twice AND
> SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are
> returned for the following hosts.

this ugly hack should help.

fatal() cannot be called twice.

Index: log.c
===================================================================
RCS file: /cvs/openssh_cvs/log.c,v
retrieving revision 1.19
diff -u -r1.19 log.c
--- log.c 4 Jul 2001 04:46:58 -0000 1.19
+++ log.c 13 Feb 2002 12:48:35 -0000
@@ -228,16 +228,17 @@ (u_long) proc, (u_long) context); } +int ssh_fatal_cleanup_running = 0; + /* Cleanup and exit */ void fatal_cleanup(void) { struct fatal_cleanup *cu, *next_cu; - static int called = 0; - if (called) + if (ssh_fatal_cleanup_running) exit(255); - called = 1; + ssh_fatal_cleanup_running = 1; /* Call cleanup functions. */ for (cu = fatal_cleanups; cu; cu = next_cu) { next_cu = cu->next; Index: ssh-keyscan.c =================================================================== RCS file: /cvs/openssh_cvs/ssh-keyscan.c,v retrieving revision 1.37 diff -u -r1.37 ssh-keyscan.c --- ssh-keyscan.c 14 Nov 2001 21:40:45 -0000 1.37 +++ ssh-keyscan.c 13 Feb 2002 12:48:35 -0000 @@ -659,8 +659,12 @@ static void fatal_callback(void *arg) { - if (nonfatal_fatal) + extern int ssh_fatal_cleanup_running; + + if (nonfatal_fatal) { + ssh_fatal_cleanup_running = 0; longjmp(kexjmp, -1); + } } static void From Patrick.Maigron at int-evry.fr Thu Feb 14 00:42:38 2002 From: Patrick.Maigron at int-evry.fr (Patrick Maigron) Date: Wed, 13 Feb 2002 14:42:38 +0100 Subject: Problem with ssh-keyscan: no hostkey alg In-Reply-To: <20020213124748.GA14288@faui02> References: <20020212173711.GD6208@orion.int-evry.fr> <20020213124748.GA14288@faui02> Message-ID: <20020213134238.GB19590@orion.int-evry.fr> On Wed, Feb 13, 2002 at 01:47:49PM +0100, Markus Friedl wrote: > On Tue, Feb 12, 2002 at 06:37:11PM +0100, Patrick Maigron wrote: > > When this is the case for 2 hosts, this message appears twice AND > > SSH-KEYSCAN STOPS QUERYING, which means that no keys at all are > > returned for the following hosts. > > this ugly hack should help. > > fatal() cannot be called twice. Great, it works out fine. Thanks for the (ugly but) rapid patch. From bugzilla-daemon at mindrot.org Thu Feb 14 01:35:57 2002 
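Review bot: in the log.c hunk, `ssh_fatal_cleanup_running` replaces a function-local `static int called` with a global that another translation unit is expected to modify, yet nothing here adds a declaration to log.h; add `extern int ssh_fatal_cleanup_running;` to the header so both files compile against the same prototype. Note also what resetting the flag implies for the loop that follows it: a cleanup callback that longjmp()s out (as fatal_callback does) leaves the remaining `fatal_cleanups` entries unvisited for that fatal(), and with the flag cleared the whole list runs again from the start on the next one, so every registered cleanup must tolerate being invoked more than once.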
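Review bot: in the ssh-keyscan.c hunk, the `extern int ssh_fatal_cleanup_running;` declaration inside fatal_callback() hard-codes knowledge of log.c internals at the call site; once the variable is declared in log.h this line can go, and any later rename will be caught by the compiler instead of at link time. Clearing the flag only under `nonfatal_fatal` is right, since on the real fatal path the process is about to exit anyway.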
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 14 Feb 2002 01:35:57 +1100 (EST)
Subject: [Bug 87] Last logon that gets reported upon login is the current login time
Message-ID: <20020213143557.41AA2EA2D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=87

------- Additional Comments From wknox at mitre.org 2002-02-14 01:35 -------

Created an attachment (id=25)
Patch as an attachment for ease of use

From bugzilla-daemon at mindrot.org Thu Feb 14 02:08:40 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 14 Feb 2002 02:08:40 +1100 (EST)
Subject: [Bug 87] Last logon that gets reported upon login is the current login time
Message-ID: <20020213150840.F362AEA2D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=87

------- Additional Comments From wknox at mitre.org 2002-02-14 02:08 -------

The update is happening (I believe) due to the call to pam_open_session in the do_pam_session function. Can you change the behavior of pam_open_session by modifying your pam configuration (this is a serious question, as I am by no means a PAM expert)? And even if you can, wouldn't it be nice if users didn't have to? After all, I just let ssh use the default entries in the pam configuration file, and it would be a pain to have to set up separate entries for ssh just so I could keep the session entry as the default.

From epa98 at doc.ic.ac.uk Thu Feb 14 02:54:03 2002
From: epa98 at doc.ic.ac.uk (Edward Avis)
Date: Wed, 13 Feb 2002 15:54:03 +0000 (GMT)
Subject: Warning message at password prompt
Message-ID:

I've patched my local OpenSSH (currently 2.9p2, but the same patch applies to 3.0.2) to allow the cipher 'none' for both SSH1 and SSH2 connections. With SSH1, there is already code to print a warning that any password you enter will be sent in plain text. However the userauth_passwd() in sshconnect2.c does not have any such warning. I would like to discourage the users from sending plain-text passwords across the wire, even if the rest of the session is unencrypted.

I can't work out how to do this, how to let userauth_passwd() take different actions depending on what encryption is being used. As far as I can see this information is hidden from sshconnect2.c. There is access to the Options, which could tell you whether 'none' was originally listed as an acceptable cipher but not whether it is actually being used.

Could someone suggest a clean way to do this, to find out from sshconnect2.c what encryption is being used? Perhaps it is obvious and I've just missed it.

BTW, the patch is at , but it's a bit dangerous to apply precisely because it sends plaintext passwords without warning. I would like to make it a bit safer while still allowing the user to choose how much security is appropriate.

--
Ed Avis
Finger for PGP key

From bugzilla-daemon at mindrot.org Thu Feb 14 03:16:38 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 14 Feb 2002 03:16:38 +1100 (EST)
Subject: [Bug 115] New: AIX has no TAILQ_FOREACH()
Message-ID: <20020213161638.0B27BEA35@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=115

Summary: AIX has no TAILQ_FOREACH()
Product: Portable OpenSSH
Version: -current
Platform: PPC
OS/Version: AIX
Status: NEW
Severity: normal
Priority: P3
Component: Build system
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: gert at greenie.muc.de

AIX 4.3.3.0 has a with TAILQ_ENTRY, TAILQ_HEAD, _INSERT and _REMOVE, but no TAILQ_FOREACH.

Setting

#define HAVE_BOGUS_SYS_QUEUE_H 1

in config.h fixes this.

checking build system type... powerpc-ibm-aix4.3.3.0
checking host system type... powerpc-ibm-aix4.3.3.0

From ed at UDel.Edu Thu Feb 14 03:41:10 2002
From: ed at UDel.Edu (Ed Phillips) Date: Wed, 13 Feb 2002 11:41:10 -0500 (EST) Subject: x509 test patch - can't compile Message-ID: cc -g -I. -I. -I/opt/openssl-0.9.6c/include -I. -I/usr/local/include -DETCDIR=\"/opt/openssh-3.0.2p1-x509/etc\" -D_PATH_SSH_PROGRAM=\"/opt/openssh-3.0.2p1-x509/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/openssh-3.0.2p1-x509/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/opt/openssh-3.0.2p1-x509/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/var/run\" -DHAVE_CONFIG_H -c key.c "key.c", line 197: warning: argument #3 is incompatible with prototype: prototype: pointer to uint : "./key.h", line 75 argument : pointer to int "key.c", line 499: warning: argument #3 is incompatible with prototype: prototype: pointer to uint : "./key.h", line 75 argument : pointer to int "key.c", line 501: warning: argument #3 is incompatible with prototype: prototype: pointer to char : "./uuencode.h", line 29 argument : pointer to uchar "key.c", line 679: warning: argument #2 is incompatible with prototype: prototype: pointer to const char : "./buffer.h", line 33 argument : pointer to uchar "key.c", line 741: warning: improper pointer/integer combination: arg #2 "key.c", line 741: prototype mismatch: 2 args passed, 3 expected "key.c", line 741: operand cannot have void type: op "=" "key.c", line 741: assignment type mismatch: pointer to uchar "=" void cc: acomp failed for key.c *** Error code 2 make: Fatal error: Command failed for target `key.o' Ed Ed Phillips University of Delaware (302) 831-6082 Systems Programmer III, Network and Systems Services finger -l ed at polycut.nss.udel.edu for PGP public key From bugzilla-daemon at mindrot.org Thu Feb 14 05:46:59 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 14 Feb 2002 05:46:59 +1100 (EST) Subject: [Bug 116] New: Openssh Shadow expiration failure on IRIX 6.5.14 Message-ID: <20020213184659.5551DE933@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=116 Summary: Openssh Shadow expiration failure on IRIX 6.5.14 Product: Portable OpenSSH Version: 3.0.2p1 Platform: MIPS OS/Version: IRIX Status: NEW Severity: major Priority: P3 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: cg1maverick at c4.com I have compiled openssh3.0.2p1 on my SGI running IRIX 6.5.14. When I try expiring a user password in the /etc/shadow file, I cannot login. I continually get prompted for my password and I never get logged in. I viewed the config.h file after doing a ./configure in the openssh directory and found the following flags turned on: #define HAS_SHADOW_EXPIRE 1 #define HAVE_SHADOW_H 1 Could you please let me know of any extra compiling flags or other fixes for this problem? Thank you, Ryan Bathauer ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu Feb 14 07:27:56 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 14 Feb 2002 07:27:56 +1100 (EST) Subject: [Bug 84] last command provides incorrect information on Solaris 8 Message-ID: <20020213202756.56B0FE933@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=84 ------- Additional Comments From wknox at mitre.org 2002-02-14 07:27 ------- Created an attachment (id=26) Patch as attachment for easier use ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From fcusack at fcusack.com Thu Feb 14 08:15:42 2002 
From: fcusack at fcusack.com (Frank Cusack) Date: Wed, 13 Feb 2002 13:15:42 -0800 Subject: hang on exit In-Reply-To: <20020204193226.GA19980@faui02>; from markus@openbsd.org on Mon, Feb 04, 2002 at 08:32:26PM +0100 References: <3C34836E.4090203@db.com> <20020103172818.A15928@faui02> <20020104091526.B1025@foo.birdnet.se> <20020104093229.B20222@wdr.com> <20020104184505.H9973@zax.half.pint-stowp.cx> <20020105113623.A19062@folly> <20020204193226.GA19980@faui02> Message-ID: <20020213131541.D18854@google.com> On Mon, Feb 04, 2002 at 08:32:26PM +0100, Markus Friedl wrote: > untested, as i don't have access to a system that > shows the hang-on-exit problem. > + options->allow_data_loss_on_pty = -1; Can someone explain why this has been discouraged for a long time based on it "allowing data loss", when on obsd it does this by default? It is my understanding that a patch like this has not made it into the distro because of concerns that an active background process might have data to send us. It is also my understanding that obsd discards that data. ISTM the correct fix is to do 'shopt huponexit' or whatever your shell requires. Or, is it more PC to have the 'discard data' behaviour b/c rsh does this? /fc From bugzilla-daemon at mindrot.org Thu Feb 14 08:27:12 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 14 Feb 2002 08:27:12 +1100 (EST) Subject: [Bug 28] CRC error ocured while transfering with sftp Message-ID: <20020213212712.1E75DE916@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=28 ------- Additional Comments From djm at mindrot.org 2002-02-14 08:27 ------- Created an attachment (id=27) quick & dirty sftp torture test ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu Feb 14 08:28:24 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 14 Feb 2002 08:28:24 +1100 (EST)
Subject: [Bug 28] CRC error ocured while transfering with sftp
Message-ID: <20020213212824.40E65E9AD@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=28

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From djm at mindrot.org 2002-02-14 08:28 -------
The attached test ran for six hours with no corruption. If anyone can replicate corruption, please file a new bug.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From sakari.ailus at luukku.com Thu Feb 14 08:28:19 2002
From: sakari.ailus at luukku.com (Sakari Ailus)
Date: Wed, 13 Feb 2002 23:28:19 +0200
Subject: Problem with using both pam_listfile to deny logins and pubkey authentication
Message-ID: <3C6ADA73.9080304@luukku.com>

Hi,

I'm trying to use pam_listfile.so to deny logins from all others but a few users (names in /etc/loginusers). With password authentication it works fine, but with public key authentication OpenSSH lets in users whose names aren't in /etc/loginusers. AllowUsers in sshd_config does what one would expect.

I'm using OpenSSH-3.0.2p1 on Debian testing (package version 1:3.0.2p1-6) and tried this also on stable (OpenSSH package version 1:3.0.1p1-0 from unstable); the situation is the same there.

Has anyone else noticed this or is it Debian's or my own problem?

/etc/pam.d/ssh:
---
#%PAM-1.0
auth       required   pam_listfile.so item=user sense=allow file=/etc/loginusers onerr=fail
auth       required   pam_nologin.so
auth       required   pam_unix.so
auth       required   pam_env.so # [1]
account    required   pam_unix.so
session    required   pam_unix.so
session    optional   pam_lastlog.so # [1]
session    optional   pam_motd.so # [1]
session    optional   pam_mail.so standard noenv # [1]
session    required   pam_limits.so
password   required   pam_unix.so
---

-- 
Sakari Ailus
sakari.ailus at luukku.com

From markus at openbsd.org Thu Feb 14 08:30:07 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 13 Feb 2002 22:30:07 +0100
Subject: hang on exit
In-Reply-To: <20020213131541.D18854@google.com>
References: <3C34836E.4090203@db.com> <20020103172818.A15928@faui02> <20020104091526.B1025@foo.birdnet.se> <20020104093229.B20222@wdr.com> <20020104184505.H9973@zax.half.pint-stowp.cx> <20020105113623.A19062@folly> <20020204193226.GA19980@faui02> <20020213131541.D18854@google.com>
Message-ID: <20020213213007.GB7731@faui02>

On Wed, Feb 13, 2002 at 01:15:42PM -0800, Frank Cusack wrote:
> On Mon, Feb 04, 2002 at 08:32:26PM +0100, Markus Friedl wrote:
> > untested, as i don't have access to a system that
> > shows the hang-on-exit problem.
> 
> > + options->allow_data_loss_on_pty = -1;
> 
> Can someone explain why this has been discouraged for a long time based
> on it "allowing data loss", when on obsd it does this by default?

are you talking about the kernel?

> It
> is my understanding that a patch like this has not made it into the distro
> because of concerns that an active background process might have data to
> send us.

all other patches did discard data for the non-pty case, too, and this
is not acceptable.

nobody can tell us why sshd receives an EOF when reading from a pty if
there are backgrounded processes on BSD systems and not on other
systems.

i sent this patch so people can test whether discarding data
would indeed help for the hang-on-exit problem, so that we can
decide whether we do this by default. this would match the telnetd
behaviour, but sshd != telnetd, and i really don't like the idea
of losing data.

-m

From bugzilla-daemon at mindrot.org Thu Feb 14 08:39:48 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 14 Feb 2002 08:39:48 +1100 (EST) Subject: [Bug 106] RFE: --without-rpath configure option Message-ID: <20020213213948.496AFEA48@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=106 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2002-02-14 08:39 ------- fixed ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From djm at mindrot.org Thu Feb 14 08:33:40 2002 From: djm at mindrot.org (Damien Miller) Date: Thu, 14 Feb 2002 08:33:40 +1100 (EST) Subject: Warning message at password prompt In-Reply-To: Message-ID: On Wed, 13 Feb 2002, Edward Avis wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > I've patched my local OpenSSH (currently 2.9p2, but the same > patch applies to 3.0.2) to allow the cipher 'none' for both SSH1 and > SSH2 connections. With SSH1, there is already code to print a warning > that any password you enter will be sent in plain text. However the > userauth_passwd() in sshconnect2.c does not have any such warning. I > would like to discourage the users from sending plain-text passwords > across the wire, even if the rest of the session is unencrypted. I don't understand, OpenSSH always uses encryption. -d From bugzilla-daemon at mindrot.org Thu Feb 14 08:43:05 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 14 Feb 2002 08:43:05 +1100 (EST) Subject: [Bug 115] AIX has no TAILQ_FOREACH() Message-ID: <20020213214305.ADC65EA52@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=115 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2002-02-14 08:43 ------- Fixed in -current. Thanks ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From Darren.Moffat at eng.sun.com Thu Feb 14 08:37:46 2002 
From: Darren.Moffat at eng.sun.com (Darren Moffat)
Date: Wed, 13 Feb 2002 13:37:46 -0800 (PST)
Subject: Problem with using both pam_listfile to deny logins and pubkey authentication
Message-ID: <200202132138.g1DLc1AK517772@jurassic.eng.sun.com>

>I'm trying to use pam_listfile.so to deny logins from all others but a few
>users (names in /etc/loginusers). With password authentication it works
>fine, but with public key authentication OpenSSH lets in users whose
>names aren't in /etc/loginusers. AllowUsers in sshd_config does what
>one would expect.

This is NOT a problem with OpenSSH; it does all the correct PAM calls.

The problem is your PAM module. You have it listed against auth, which makes me believe it is implementing pam_authenticate. This is NOT an auth action; it is an account management action.

I have a very similar module that I wrote, but it does it correctly as a pam_sm_acct_mgmt() implementation, not a pam_sm_authenticate().

>Has anyone else noticed this or is it Debian's or my own problem?

Whoever wrote the pam_listfile module, they didn't fully understand what they were writing.

Authentication in PAM is about proving to the system who you are. Account Management is about the system deciding if the already authenticated user (either via PAM or external means, in the case of ssh with public keys or cron) is allowed into this machine at this time.

You have my permission to forward this message to the author of the pam_listfile module.

-- 
Darren J Moffat

From bugzilla-daemon at mindrot.org Thu Feb 14 08:50:38 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 14 Feb 2002 08:50:38 +1100 (EST) Subject: [Bug 116] Openssh Shadow expiration failure on IRIX 6.5.14 Message-ID: <20020213215038.50792EA5D@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=116 ------- Additional Comments From djm at mindrot.org 2002-02-14 08:50 ------- OpenSSH doesn't currently support changing expired passwords unless you build with PAM support. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From djm at mindrot.org Thu Feb 14 08:43:36 2002 From: djm at mindrot.org (Damien Miller) Date: Thu, 14 Feb 2002 08:43:36 +1100 (EST) Subject: hang on exit In-Reply-To: <20020213131541.D18854@google.com> Message-ID: On Wed, 13 Feb 2002, Frank Cusack wrote: > On Mon, Feb 04, 2002 at 08:32:26PM +0100, Markus Friedl wrote: > > untested, as i don't have access to a system that > > shows the hang-on-exit problem. > > > + options->allow_data_loss_on_pty = -1; > > Can someone explain why this has been discouraged for a long time based > on it "allowing data loss", when on obsd it does this by default? Does OpenBSD do it? To my knowledge no-one has heeded my request to investigate this fully. -d From djm at mindrot.org Thu Feb 14 08:45:29 2002 
From: djm at mindrot.org (Damien Miller) Date: Thu, 14 Feb 2002 08:45:29 +1100 (EST) Subject: Problem with using both pam_listfile to deny logins and pubkey authentication In-Reply-To: <3C6ADA73.9080304@luukku.com> Message-ID: On Wed, 13 Feb 2002, Sakari Ailus wrote: > Hi, > > I'm trying to use pam_listfile.so to deny logins from all others but few > users (names in /etc/loginusers). With password authentication it works > fine, but with public key authentication OpenSSH lets in users whose > names arent't in /etc/loginusers. AllowUsers in sshd_config does what > one would expect. > auth required pam_listfile.so item=user sense=allow > file=/etc/loginusers onerr=fail We bypass auth modules for public key authentication. If you can get the listfile module to run as an 'account' or 'session' module it should work. Alternately you could use OpenSSH's builtin Allow/DenyUser functionality. -d From fcusack at fcusack.com Thu Feb 14 08:51:53 2002 
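Darren's and Damien's point in concrete form, as an added example that is not from the thread: the pam_listfile line Sakari posted, beside the same line moved to the account stack, which sshd runs after any successful authentication method (public key included) rather than only on a password login. The path /etc/loginusers and the module arguments are the ones from the posted configuration; the remainder of the stack is left out.

```text
# Before (as posted): an auth module is only consulted when sshd runs the
# PAM authentication conversation, which it does not do for public-key logins.
auth       required   pam_listfile.so item=user sense=allow file=/etc/loginusers onerr=fail

# After: the same check as an account module. Account management runs for
# the already authenticated user regardless of how the key or password was
# checked, so key-based logins are covered too.
account    required   pam_listfile.so item=user sense=allow file=/etc/loginusers onerr=fail
account    required   pam_unix.so
```

Note that with sense=allow and onerr=fail a missing or unreadable /etc/loginusers now denies everyone, key users included, so the file has to stay in place. sshd's own AllowUsers directive gives the same result without involving PAM at all, as both replies point out.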
From: fcusack at fcusack.com (Frank Cusack) Date: Wed, 13 Feb 2002 13:51:53 -0800 Subject: hang on exit In-Reply-To: <20020213213007.GB7731@faui02>; from markus@openbsd.org on Wed, Feb 13, 2002 at 10:30:07PM +0100 References: <3C34836E.4090203@db.com> <20020103172818.A15928@faui02> <20020104091526.B1025@foo.birdnet.se> <20020104093229.B20222@wdr.com> <20020104184505.H9973@zax.half.pint-stowp.cx> <20020105113623.A19062@folly> <20020204193226.GA19980@faui02> <20020213131541.D18854@google.com> <20020213213007.GB7731@faui02> Message-ID: <20020213135153.E18854@google.com> On Wed, Feb 13, 2002 at 10:30:07PM +0100, Markus Friedl wrote: > On Wed, Feb 13, 2002 at 01:15:42PM -0800, Frank Cusack wrote: > > On Mon, Feb 04, 2002 at 08:32:26PM +0100, Markus Friedl wrote: > > > untested, as i don't have access to a system that > > > shows the hang-on-exit problem. > > > > > + options->allow_data_loss_on_pty = -1; > > > > Can someone explain why this has been discouraged for a long time based > > on it "allowing data loss", when on obsd it does this by default? > > are you talking about the kernel? I guess so. My understanding (from reading this list) is that the openbsd kernel does something different for children of an exiting sshd and while this patch implements an option for Linux (and perhaps other OSes), on openbsd this is always the behaviour. Is this correct? > > It > > is my understanding that a patch like this has not made it into the distro > > because of concerns that an active background process might have data to > > send us. > > all other patches did discard data for the non-pty case, too, and this > is not acceptible. Ahh, that is a notable distinction. What does openbsd do for the non-pty case? > nobody can tell us why sshd receives an EOF when reading from a pty if > there are backgrounded processes on BSD systems and not on other > systems. ahh... I will try to investigate this, but don't expect anything. Hopefully folks on this list can answer this. 
> i sent this patch so people can test whether discarding data
> would indeed help for the hang-on-exit problem, so that we can
> decide whether we do this by default. this would match the telnetd
> behaviour, but sshd != telnetd, and i really don't like the idea
> of losing data.

Neither do I. I just rewrote a bunch of scripts used locally to explicitly
redirect /dev/null for fd {0,1,2}, which seems more correct, IMHO. I'll
put this patch into production and give some feedback in a month or so.

/fc

From markus at openbsd.org Thu Feb 14 09:21:29 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 13 Feb 2002 23:21:29 +0100
Subject: hang on exit
In-Reply-To: <20020213135153.E18854@google.com>
References: <3C34836E.4090203@db.com> <20020103172818.A15928@faui02> <20020104091526.B1025@foo.birdnet.se> <20020104093229.B20222@wdr.com> <20020104184505.H9973@zax.half.pint-stowp.cx> <20020105113623.A19062@folly> <20020204193226.GA19980@faui02> <20020213131541.D18854@google.com> <20020213213007.GB7731@faui02> <20020213135153.E18854@google.com>
Message-ID: <20020213222129.GD10765@faui02>

On Wed, Feb 13, 2002 at 01:51:53PM -0800, Frank Cusack wrote:
> > all other patches did discard data for the non-pty case, too, and this
> > is not acceptable.
> 
> Ahh, that is a notable distinction. What does openbsd do for the non-pty
> case?

for the non-pty case ssh blocks (on OpenBSD, too), like rsh does.

> Neither do I. I just rewrote a bunch of scripts used locally to explicitly
> redirect /dev/null for fd {0,1,2}, which seems more correct, IMHO. I'll
> put this patch into production and give some feedback in a month or so.

yes, this is what daemons and scripts should do. they can print to stdout,
but when they are done initializing they should close stdout. but many
people here seem not to agree.

From bugzilla-daemon at mindrot.org Thu Feb 14 10:12:14 2002
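The fix Frank and Markus agree on, as an added example that is not code from the thread: a POSIX sh helper that backgrounds a job with fds 0, 1 and 2 pointed at /dev/null, beside the naive form that leaves the job holding the caller's stdout. The `elapsed_for` wrapper and the `sleep` standing in for a daemon are constructed for the demonstration; a command substitution plays the part of the session channel because, like sshd waiting for EOF, it only returns once every process holding the write end of the pipe has closed it.

```sh
#!/bin/sh
# Added example, not from the thread. Shows why a backgrounded child keeps
# an ssh session open: it inherits the session's stdout/stderr (pty or
# pipe), so the reader never sees EOF until the child exits.

# Naive form: the job inherits the caller's standard descriptors.
naive_background() {
    "$@" &
    echo $!
}

# Corrected form (what Frank's scripts do): point fds 0, 1 and 2 at
# /dev/null before backgrounding, so nothing the job does can hold the
# session's descriptors open after the login shell has exited.
start_detached() {
    "$@" </dev/null >/dev/null 2>&1 &
    echo $!
}

# Timing wrapper, constructed for the demo. The inner command substitution
# stands in for the session channel: it returns only after every writer of
# its pipe has gone away. Prints the elapsed whole seconds.
elapsed_for() {
    start=$(date +%s)
    pid=$("$@")
    end=$(date +%s)
    kill "$pid" 2>/dev/null || true
    echo $((end - start))
}

# Usage:
#   elapsed_for naive_background sleep 3   # blocks until sleep exits
#   elapsed_for start_detached sleep 30    # returns at once
```

The same applies to anything launched from a login session that should outlive it: nohup alone is not enough if stdout is still the session's pty, because the descriptor, not the signal, is what sshd is waiting on.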
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 14 Feb 2002 10:12:14 +1100 (EST)
Subject: [Bug 112] Using host key fingerprint instead of "yes"
Message-ID: <20020213231214.24C6AE92F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=112

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Additional Comments From markus at openbsd.org 2002-02-14 10:12 -------
i think this is a cool idea. do you want to write documentation for this?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Feb 14 10:20:27 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 14 Feb 2002 10:20:27 +1100 (EST)
Subject: [Bug 105] scp protocol 2 over a hippi interface takes 6 times longer
Message-ID: <20020213232027.BFD0CE92F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=105

------- Additional Comments From markus at openbsd.org 2002-02-14 10:20 -------
so, this helps, too? what happens if you
#define CHAN_SES_WINDOW_DEFAULT (CHAN_SES_PACKET_DEFAULT*20)

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From michael at insulin-pumpers.org Thu Feb 14 10:29:32 2002
From: michael at insulin-pumpers.org (Michael)
Date: Wed, 13 Feb 2002 15:29:32 -0800
Subject: hang on exit
In-Reply-To: <20020213213007.GB7731@faui02>
References: <20020213131541.D18854@google.com>
Message-ID: <200202132329.g1DNThnE013607@ns2.is.bizsystems.com>

> i sent this patch so people can test whether discarding data
> would indeed help for the hang-on-exit problem, so that we can
> decide whether we do this by default. this would match the telnetd
> behaviour, but sshd != telnetd, and i really don't like the idea of
> losing data.

Losing data is much preferable to having the clients'/users' broken or inappropriately coded process screw up the host server. The sysadm should be the one making the decision about whether or not the sshd daemon is allowed to hang "forever" if the user/client invokes a broken program, not the user/client, who is generally half brain dead anyway.

This solution may not be "ideal", but it is what works and what is necessary in a real world environment where not everything is perfect. The argument is really one about "perfect" solutions, not what works. Let's get back to the real world and produce code that works as it is expected to, not what would be great in a lab or test environment.

It's not necessary for the default behavior to throw away data, but it would be nice to have the choice and the ability to keep the host platform free of zombie sshd's from brain dead users.

BTW, the linux box is still sitting there if you want to test your code there.

Michael
Michael at Insulin-Pumpers.org

From markus at openbsd.org Thu Feb 14 10:29:31 2002
From: markus at openbsd.org (Markus Friedl) Date: Thu, 14 Feb 2002 00:29:31 +0100 Subject: [openssh-dev]: disable ProxyCommand from being used? In-Reply-To: <20020208.164208.78672704.gotoh@taiyo.co.jp>; from gotoh@taiyo.co.jp on Fri, Feb 08, 2002 at 04:42:08PM +0900 References: <20020207.213041.65409120.gotoh@taiyo.co.jp> <20020208.111811.78702833.marya@st.jip.co.jp> <20020208.150754.16174647.gotoh@taiyo.co.jp> <20020208.164208.78672704.gotoh@taiyo.co.jp> Message-ID: <20020214002930.A32651@folly> On Fri, Feb 08, 2002 at 04:42:08PM +0900, Shun-ichi GOTO wrote: > --- readconf.c 7 Nov 2001 01:18:31 -0000 1.1.1.2 > +++ readconf.c 8 Feb 2002 07:38:25 -0000 > @@ -647,12 +647,16 @@ > > case oHost: > *activep = 0; > - while ((arg = strdelim(&s)) != NULL && *arg != '\0') > - if (match_pattern(host, arg)) { > + while ((arg = strdelim(&s)) != NULL && *arg != '\0') { > + int match = match_hostname(host, arg, strlen(arg)); > + if (*arg=='!') > + match = !match; > + if (match) { > debug("Applying options for %.100s", arg); > *activep = 1; > break; > } > + } > /* Avoid garbage check below, as strdelim is done. */ > return 0; I'm not sure. This is not consistent with how !pattern works in other parts of openssh... From ghouart at ulb.ac.be Fri Feb 15 08:37:30 2002
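Review bot: in the new loop body the leading `!` is handled twice: `match_hostname(host, arg, strlen(arg))` is given the whole `arg`, prefix included, and the result is then flipped again by `if (*arg=='!') match = !match;`, so whether a negated entry behaves as intended depends on what match_hostname itself does with a `!`-prefixed pattern. Pick one place for the negation: either strip the prefix before the call (`match_hostname(host, arg + 1, strlen(arg) - 1)`) and invert locally, or pass the pattern through and drop the local flip. Note also what the visible code does for a bare `Host !foo`: the inverted result makes the block apply to every host other than foo, which turns `!` from an exclusion into a positive match and is the consistency question the reply raises. Minor style: `*arg=='!'` should be spaced `*arg == '!'` like the surrounding code.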
From: ghouart at ulb.ac.be (Super-User)
Date: Thu, 14 Feb 2002 13:37:30 -0800
Subject: problem installing openssh-3.0.2p1 on irix6.5
Message-ID: <3C6C2E1A.C8AC49BC@ulb.ac.be>

problem installing openssh-3.0.2p1 on irix6.5 (SGI Indigo2) :

zlib+openssl installed
tardist from sgifreeware detected conflicts

source from ftp://openbsd.rug.ac.be/pub/OpenBSD/OpenSSH/portable/ doesn't install
error message :
./configure
>> checking for gcc... no
>> checking for cc... cc
>> checking for C compiler default output... configure: error: C compiler cannot create executables

any suggestion ? thanks

hinv
****
FPU: MIPS R10010 Floating Point Chip Revision: 0.0
CPU: MIPS R10000 Processor Chip Revision: 2.5
1 175 MHZ IP28 Processor
Main memory size: 96 Mbytes
Secondary unified instruction/data cache size: 1 Mbyte
Instruction cache size: 32 Kbytes
Data cache size: 32 Kbytes
Integral SCSI controller 0: Version WD33C93B, revision D
  Disk drive: unit 1 on SCSI controller 0
Integral SCSI controller 1: Version WD33C93B, revision D
  CDROM: unit 4 on SCSI controller 1
On-board serial ports: 2
On-board bi-directional parallel port
Graphics board: Solid Impact
Integral Ethernet: ec0, version 1
Iris Audio Processor: version A2 revision 1.1.0
EISA bus: adapter 0

From djm at mindrot.org Thu Feb 14 20:25:23 2002
From: djm at mindrot.org (Damien Miller) Date: Thu, 14 Feb 2002 20:25:23 +1100 (EST) Subject: problem installing openssh-3.0.2p1 on irix6.5 In-Reply-To: <3C6C2E1A.C8AC49BC@ulb.ac.be> Message-ID: On Thu, 14 Feb 2002, Super-User wrote: > problem installing openssh-3.0.2p1 on irix6.5 (SGI Indigo2) : > > zlib+openssl installed > tardist from sgifreeware detected conflicts > > source from ftp://openbsd.rug.ac.be/pub/OpenBSD/OpenSSH/portable/ don't > install > error message : > ./configure > >> checking for gcc... no > >> checking for cc... cc > >> checking for C compiler default output... configure: error: C > compiler cannot create executables > > any suggestion ? thanks Have a look in config.log, there should be a more descriptive error message. -d From djm at mindrot.org Thu Feb 14 20:26:20 2002 
From: djm at mindrot.org (Damien Miller) Date: Thu, 14 Feb 2002 20:26:20 +1100 (EST) Subject: x509 test patch - can't compile In-Reply-To: Message-ID: On Wed, 13 Feb 2002, Ed Phillips wrote: > cc -g -I. -I. -I/opt/openssl-0.9.6c/include -I. -I/usr/local/include > -DETCDIR=\"/opt/openssh-3.0.2p1-x509/etc\" > -D_PATH_SSH_PROGRAM=\"/opt/openssh-3.0.2p1-x509/bin/ssh\" > -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/openssh-3.0.2p1-x509/libexec/ssh-askpass\" > -D_PATH_SFTP_SERVER=\"/opt/openssh-3.0.2p1-x509/libexec/sftp-server\" > -D_PATH_SSH_PIDDIR=\"/var/run\" -DHAVE_CONFIG_H -c key.c > "key.c", line 197: warning: argument #3 is incompatible with prototype: > prototype: pointer to uint : "./key.h", line 75 > argument : pointer to int > "key.c", line 499: warning: argument #3 is incompatible with prototype: > prototype: pointer to uint : "./key.h", line 75 > argument : pointer to int > "key.c", line 501: warning: argument #3 is incompatible with prototype: > prototype: pointer to char : "./uuencode.h", line 29 > argument : pointer to uchar > "key.c", line 679: warning: argument #2 is incompatible with prototype: > prototype: pointer to const char : "./buffer.h", line 33 > argument : pointer to uchar > "key.c", line 741: warning: improper pointer/integer combination: arg #2 > "key.c", line 741: prototype mismatch: 2 args passed, 3 expected > "key.c", line 741: operand cannot have void type: op "=" > "key.c", line 741: assignment type mismatch: > pointer to uchar "=" void What is line 741? -d From bugzilla-daemon at mindrot.org Thu Feb 14 20:39:06 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 14 Feb 2002 20:39:06 +1100 (EST) Subject: [Bug 114] Invalid users vs. PAM (protocol 1 only (?)) Message-ID: <20020214093906.600F1EA6F@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=114 djm at mindrot.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From djm at mindrot.org 2002-02-14 20:39 ------- It works for me - committing. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From djm at mindrot.org Thu Feb 14 20:51:44 2002 From: djm at mindrot.org (Damien Miller) Date: Thu, 14 Feb 2002 20:51:44 +1100 (EST) Subject: hang on exit In-Reply-To: <20020204193226.GA19980@faui02> Message-ID: On Mon, 4 Feb 2002, Markus Friedl wrote: > untested, as i don't have access to a system that > shows the hang-on-exit problem. The patch needs a comma at EOL here: > - sUseLogin, sAllowTcpForwarding, > + sUseLogin, sAllowTcpForwarding, sAllowDataLossOnPty Otherwise it works as advertised for both protocols 1 & 2: sessions with a tty get terminated as soon as the child exits, sessions without wait for the grandchildren. In testing the patch I noticed something weird - on an unpatched -current 'ssh -t localhost "sleep 20 & exit"' will exit immediately, but 'ssh localhost "sleep 20 & exit"' will not. Interactive sessions behave as expected. It appears that in the non-interactive, pty case the grandchild gets a SIGHUP. -d From epa98 at doc.ic.ac.uk Thu Feb 14 21:10:07 2002 
From: epa98 at doc.ic.ac.uk (Edward Avis) Date: Thu, 14 Feb 2002 10:10:07 +0000 (GMT) Subject: Warning message at password prompt In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 14 Feb 2002, Damien Miller wrote: >>I've patched my local OpenSSH (currently 2.9p2, but the same patch >>applies to 3.0.2) to allow the cipher 'none' for both SSH1 and SSH2 >>connections. With SSH1, there is already code to print a warning >>that any password you enter will be sent in plain text. However the >>userauth_passwd() in sshconnect2.c does not have any such warning. >I don't understand, OpenSSH always uses encryption. I just wanted to ask if there is any way for userauth_passwd() to find out what kind of encryption is being used. Then if the encryption is 'none' it can print a warning or maybe disallow plain text passwords entirely. The standard OpenSSH release does not support 'none', only 3DES and Blowfish (AFAIK), so there is no need for such a warning. But I would like to add the code for it to my local copy which I have patched to enable unencrypted connections. I understand that the OpenSSH maintainers don't want to support this in the main release, but it is useful to me and to some others. If anyone could suggest ways to find out what from sshconnect2.c what cipher is being used, that would be a real help. - -- Ed Avis Finger for PGP key -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8a40BIMp73jhGogoRAsdVAJ4oCko1w/mGyISDiJFzLbckeEbzrwCfXMUa KA65Bh4hao6KEX7llBB/ct8= =u3IU -----END PGP SIGNATURE----- From djm at mindrot.org Thu Feb 14 21:26:58 2002 
From: djm at mindrot.org (Damien Miller) Date: Thu, 14 Feb 2002 21:26:58 +1100 (EST) Subject: Warning message at password prompt In-Reply-To: Message-ID: On Thu, 14 Feb 2002, Edward Avis wrote: > If anyone could suggest ways to find out what from sshconnect2.c what > cipher is being used, that would be a real help. Why don't you send a debugging message from kex.c if you negotiate cipher none in either direction? -d From epa98 at doc.ic.ac.uk Thu Feb 14 21:38:10 2002 
From: epa98 at doc.ic.ac.uk (Edward Avis) Date: Thu, 14 Feb 2002 10:38:10 +0000 (GMT) Subject: Warning message at password prompt In-Reply-To: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 14 Feb 2002, Damien Miller wrote: >>If anyone could suggest ways to find out what from sshconnect2.c what >>cipher is being used, that would be a real help. > >Why don't you send a debugging message from kex.c if you negotiate >cipher none in either direction? So it is kex.c that negotiates the cipher to use. And this is negotiated just once at the start of the connection. (Just checking) I could print a warning if 'none' is negotiated, but I would prefer to set a global flag and test it at the password prompt. The cipher 'none' is used only if explicitly asked for on the command line, so warning about the user's deliberate choice seems redundant. But sending a password in cleartext is so serious that I would like an additional are-you-sure for that. This is consistent with what protocol version 1 does (the warning code is still there although it doesn't normally get used). Do you think that creating a new global variable (using_insecure_cipher, say) is the best way to implement this? I could do that but I wanted to check first that there is no cleaner way. - -- Ed Avis Finger for PGP key -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE8a5OTIMp73jhGogoRAluvAJ9p/AXtN14YI94ZFXfW1uJSmqsFHgCfdwAS EKNjQwhb4PD737pbtMbTHdU= =iCE5 -----END PGP SIGNATURE----- From mstone at cs.loyola.edu Thu Feb 14 22:28:50 2002 
From: mstone at cs.loyola.edu (Michael Stone)
Date: Thu, 14 Feb 2002 06:28:50 -0500
Subject: Warning message at password prompt
In-Reply-To: ; from epa98@doc.ic.ac.uk on Thu, Feb 14, 2002 at 10:10:07AM +0000
Message-ID: <20020214062850.E25452@justice.loyola.edu>

On Thu, Feb 14, 2002 at 10:10:07AM +0000, Edward Avis wrote:
> enable unencrypted connections. I understand that the OpenSSH
> maintainers don't want to support this in the main release, but it is
> useful to me and to some others.

People keep saying that, but you might as well benchmark it--I've always
seen that there's enough slowdown in other places that turning off
encryption doesn't really buy you much on a modern machine.

--
Mike Stone

From: djm at mindrot.org (Damien Miller)
Date: Thu, 14 Feb 2002 22:32:37 +1100 (EST)
Subject: Warning message at password prompt

On Thu, 14 Feb 2002, Edward Avis wrote:
> On Thu, 14 Feb 2002, Damien Miller wrote:
>
> >>If anyone could suggest ways to find out what from sshconnect2.c what
> >>cipher is being used, that would be a real help.
> >
> >Why don't you send a debugging message from kex.c if you negotiate
> >cipher none in either direction?
>
> So it is kex.c that negotiates the cipher to use. And this is
> negotiated just once at the start of the connection. (Just checking)

Renegotiation may happen at any time.

> I could print a warning if 'none' is negotiated, but I would prefer to
> set a global flag and test it at the password prompt.

You could use an approach like I do in my keynote policy patch[1] and
pull the cipher out of packet.c. You can then test the cipher at the
time of the prompt directly.

-d

[1] http://www.mindrot.org/~djm/ssh-keynote/ssh-keynote-20020214.diff
From: djm at mindrot.org (Damien Miller)
Date: Thu, 14 Feb 2002 22:40:16 +1100 (EST)
Subject: Warning message at password prompt
In-Reply-To: <20020214062850.E25452@justice.loyola.edu>

On Thu, 14 Feb 2002, Michael Stone wrote:
> On Thu, Feb 14, 2002 at 10:10:07AM +0000, Edward Avis wrote:
> > enable unencrypted connections. I understand that the OpenSSH
> > maintainers don't want to support this in the main release, but it is
> > useful to me and to some others.
>
> People keep saying that, but you might as well benchmark it--I've always
> seen that there's enough slowdown in other places that turning off
> encryption doesn't really buy you much on a modern machine.

Especially with a fast cipher (aes, blowfish, arcfour) and Markus' changes
detailed in http://bugzilla.mindrot.org/show_bug.cgi?id=105

-d
From: epa98 at doc.ic.ac.uk (Edward Avis)
Date: Thu, 14 Feb 2002 11:55:02 +0000 (GMT)
Subject: Warning message at password prompt

On Thu, 14 Feb 2002, Damien Miller wrote:

>>>Why don't you send a debugging message from kex.c if you negotiate
>>>cipher none in either direction?
>>
>>So it is kex.c that negotiates the cipher to use. And this is
>>negotiated just once at the start of the connection. (Just checking)
>
>Renegotiation may happen at any time.

That's what I was afraid of. I really only want to look at the cipher
used at the time the password prompt is printed. I assume this will
always be the same cipher used to send the password.

Hang on - I know that a new key(s) can be chosen at any time, but can the
actual cipher used change? If I start a connection using 3DES, can it
suddenly change to Blowfish due to renegotiation? This is surely
impossible in practice unless the server's preferences change.

>You could use an approach like I do in my keynote policy patch[1] and
>pull the cipher out of packet.c. You can then test the cipher at the
>time of the prompt directly.
>[1] http://www.mindrot.org/~djm/ssh-keynote/ssh-keynote-20020214.diff

Thanks, I will have a look at this.

--
Ed Avis
Finger for PGP key
From: epa98 at doc.ic.ac.uk (Edward Avis)
Date: Thu, 14 Feb 2002 12:04:52 +0000 (GMT)
Subject: Warning message at password prompt
In-Reply-To: <20020214062850.E25452@justice.loyola.edu>

On Thu, 14 Feb 2002, Michael Stone wrote:

>>enable unencrypted connections. I understand that the OpenSSH
>>maintainers don't want to support this in the main release, but it is
>>useful to me and to some others.
>
>People keep saying that, but you might as well benchmark it--I've
>always seen that there's enough slowdown in other places that turning
>off encryption doesn't really buy you much on a modern machine.

I will certainly benchmark and post a summary of results to this list.
With SSH v1 protocol there seemed to be a noticeable speedup, but I need
to get some concrete numbers.

This seems like a good moment to ask another question: should I prefer
RSA or DSA authentication with protocol 2? I have heard mumblings that
DSA is somehow less secure (or less banged-upon) than RSA, and that now
the RSA patent has expired there's no reason to use DSA. DSA seems a lot
slower, so I would like to switch if possible. I hope this question is
not off-topic for the developers' list, it does need a real expert to
answer it.

--
Ed Avis
Finger for PGP key
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 15 Feb 2002 00:06:18 +1100 (EST)
Subject: [Bug 114] Invalid users vs. PAM (protocol 1 only (?))
Message-ID: <20020214130618.7F385EA9C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=114

abartlet at samba.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

------- Additional Comments From abartlet at samba.org 2002-02-15 00:06 -------
Why NOUSER? What is wrong with the user they specified? Why can't we do
the full auth for the user - let PAM do its thing and then bail?

This would allow users who use pam_unix's 'audit' flag (for example) to
get accurate and consistent failed password logs across all daemons on a
system. Then, if for some reason PAM still thinks they are perfectly
valid (despite no /etc/passwd entry) *then* we kill it off.

How does this sound? I'll propose a patch if required.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From: djm at mindrot.org (Damien Miller)
Date: Fri, 15 Feb 2002 00:15:44 +1100 (EST)
Subject: Warning message at password prompt

On Thu, 14 Feb 2002, Edward Avis wrote:

> On Thu, 14 Feb 2002, Michael Stone wrote:
>
> >>enable unencrypted connections. I understand that the OpenSSH
> >>maintainers don't want to support this in the main release, but it is
> >>useful to me and to some others.
> >
> >People keep saying that, but you might as well benchmark it--I've
> >always seen that there's enough slowdown in other places that turning
> >off encryption doesn't really buy you much on a modern machine.
>
> I will certainly benchmark and post a summary of results to this list.
> With SSH v1 protocol there seemed to be a noticeable speedup, but I need
> to get some concrete numbers.

Don't use cipher none with protocol 1, then the only thing protecting you
is an easily calculated CRC. Protocol 2 has a proper MAC at least.

> This seems like a good moment to ask another question: should I prefer
> RSA or DSA authentication with protocol 2? I have heard mumblings that
> DSA is somehow less secure (or less banged-upon) than RSA, and that now
> the RSA patent has expired there's no reason to use DSA. DSA seems a
> lot slower, so I would like to switch if possible. I hope this question
> is not off-topic for the developers' list, it does need a real expert to
> answer it.

RSA is faster, I don't know of any attacks on DSA.

-d
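Damien's point about cipher none under protocol 1, as an added example (not OpenSSH code): a protocol-1-style packet with cipher none carries only a CRC-32 over its padding and payload, which anyone who can see the plaintext can recompute, whereas a protocol-2-style HMAC over the sequence number and packet cannot be regenerated without the session MAC key. Assumptions: zlib's CRC-32 stands in for ssh1's own CRC initialisation (the argument is the same), the packet layout, MAC key and payloads are constructed here, and all function names are this example's own.

```python
"""Added example: why a CRC is not a MAC on an unencrypted SSH-1 style packet.

Not OpenSSH code.  The packet shape follows protocol 1 (uint32 length,
1..8 bytes padding, type byte + data, 32-bit check over padding+payload)
but uses zlib.crc32 instead of ssh1's CRC initialisation; the keyed side
mirrors the protocol-2 MAC = HMAC(key, seqno || packet).  Keys, padding and
payloads below are constructed for the demonstration.
"""
import hashlib
import hmac
import struct
import zlib

SSH_CMSG_AUTH_PASSWORD = 9   # protocol-1 message number for a password reply


def ssh1_packet_no_cipher(msg_type: int, data: bytes, padding: bytes) -> bytes:
    """Build an unencrypted ("cipher none") protocol-1 style packet.

    `length` counts type + data + crc (not the length field, not the padding);
    padding is 1..8 bytes chosen so that padding + length is a multiple of 8.
    """
    body = bytes([msg_type]) + data
    length = len(body) + 4
    assert 1 <= len(padding) <= 8 and (len(padding) + length) % 8 == 0, "bad padding"
    crc = zlib.crc32(padding + body) & 0xFFFFFFFF
    return struct.pack(">I", length) + padding + body + struct.pack(">I", crc)


def ssh1_crc_ok(packet: bytes) -> bool:
    """All a protocol-1 receiver can check with cipher none: the CRC."""
    length = struct.unpack(">I", packet[:4])[0]
    padlen = 8 - (length % 8)
    end = 4 + padlen + length            # total packet size
    covered = packet[4:end - 4]          # padding + type + data
    crc = struct.unpack(">I", packet[end - 4:end])[0]
    return (zlib.crc32(covered) & 0xFFFFFFFF) == crc


def ssh2_mac(mac_key: bytes, seqno: int, packet: bytes) -> bytes:
    """Protocol-2 style integrity tag: HMAC-SHA1 over sequence number || packet."""
    return hmac.new(mac_key, struct.pack(">I", seqno) + packet, hashlib.sha1).digest()


def ssh2_mac_ok(mac_key: bytes, seqno: int, packet: bytes, tag: bytes) -> bool:
    """Constant-time MAC check, as a protocol-2 receiver would do it."""
    return hmac.compare_digest(ssh2_mac(mac_key, seqno, packet), tag)


def recompute_after_change(packet: bytes, new_data: bytes) -> bytes:
    """Model an on-path change to the plaintext payload of a cipher-none packet.

    Everything the CRC covers is visible, so the check value can be rebuilt
    without any key.  Same data length so the padding stays valid.
    """
    length = struct.unpack(">I", packet[:4])[0]
    padlen = 8 - (length % 8)
    padding = packet[4:4 + padlen]
    msg_type = packet[4 + padlen]
    old_data = packet[5 + padlen:4 + padlen + length - 4]
    assert len(new_data) == len(old_data), "keep the length, keep the padding valid"
    return ssh1_packet_no_cipher(msg_type, new_data, padding)


def integrity_comparison():
    """Apply the same payload change to both schemes and report which one notices.

    Returns (crc_check_passed, mac_check_passed): the CRC still verifies,
    the keyed MAC does not.
    """
    mac_key = b"constructed-session-mac-key"   # known only to the two endpoints
    padding = b"\x00" * 3                      # constructed; real padding is random
    original = ssh1_packet_no_cipher(SSH_CMSG_AUTH_PASSWORD, b"hunter2!", padding)
    tag = ssh2_mac(mac_key, 1, original)       # what protocol 2 would send with it
    changed = recompute_after_change(original, b"letmein!")
    return ssh1_crc_ok(changed), ssh2_mac_ok(mac_key, 1, changed, tag)


if __name__ == "__main__":
    crc_passed, mac_passed = integrity_comparison()
    print(f"CRC check after change: {'passed' if crc_passed else 'failed'}")
    print(f"MAC check after change: {'passed' if mac_passed else 'failed'}")
```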
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 15 Feb 2002 00:26:46 +1100 (EST)
Subject: [Bug 114] Invalid users vs. PAM (protocol 1 only (?))
Message-ID: <20020214132646.5B400EAD1@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=114

djm at mindrot.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From djm at mindrot.org 2002-02-15 00:26 -------
NOUSER hides disclosure of passwords from users who accidentally type
their password into a login prompt. Please open another bug if you want
to change the functionality.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 15 Feb 2002 01:21:51 +1100 (EST)
Subject: [Bug 114] Invalid users vs. PAM (protocol 1 only (?))
Message-ID: <20020214142151.08F2FEAA1@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=114

------- Additional Comments From peak at argo.troja.mff.cuni.cz 2002-02-15 01:21 -------
Well, when a user types his/her password as a login name, it will
probably appear in the log anyway (in a message generated by sshd itself:

Feb 14 15:07:14 kunhuta sshd[17775]: Failed password for illegal user blabla from 127.0.0.1 port 2995).

Nevertheless, the patch appears to solve the problem I reported.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 15 Feb 2002 01:41:27 +1100 (EST)
Subject: [Bug 113] input_userauth_request: illegal user ...
Message-ID: <20020214144127.D53E9EA9D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=113

------- Additional Comments From peak at argo.troja.mff.cuni.cz 2002-02-15 01:41 -------
Hmm...well...if clients can prevent sshd from logging a failed
authentication attempt then we have a much wider and much more serious
problem and "input_userauth_request: illegal user ..." does not solve
it--what if the username was valid? what if the client connected using
protocol 1?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From: ed at UDel.Edu (Ed Phillips)
Date: Thu, 14 Feb 2002 09:35:53 -0500 (EST)
Subject: x509 test patch - can't compile

It's line 741 of key.c in 3.0.2p1 with the x509 patch (that Markus
posted a couple weeks ago) applied. The call to buffer_append_space has
the wrong number of args:

    case KEY_RSA:
        if (key->x509) {
            /* XXX ssh.com does not accept a key name here */
            len = i2d_X509(key->x509, NULL);
-->         buf = buffer_append_space(&b, len);
            i2d_X509(key->x509, &buf);
        } else {
            buffer_put_cstring(&b, key_ssh_name(key));
            buffer_put_bignum2(&b, key->rsa->e);
            buffer_put_bignum2(&b, key->rsa->n);
        }

What's the correct way to fix this? It seems to be a departure from the
"cram stuff into b" mentality that the surrounding code is doing...

By the way, Markus, does this patch include code to make the OpenSSH
client verify the server's host key with x509, or does this just patch
just make the server tack on the x509 stuff so that SSH.COM's client
could use it?

Thanks,

Ed

On Thu, 14 Feb 2002, Damien Miller wrote:

> Date: Thu, 14 Feb 2002 20:26:20 +1100 (EST)
> From: Damien Miller
> To: Ed Phillips
> Cc: OpenSSH Development
> Subject: Re: x509 test patch - can't compile
>
> On Wed, 13 Feb 2002, Ed Phillips wrote:
>
> > cc -g -I. -I. -I/opt/openssl-0.9.6c/include -I. -I/usr/local/include
> > -DETCDIR=\"/opt/openssh-3.0.2p1-x509/etc\"
> > -D_PATH_SSH_PROGRAM=\"/opt/openssh-3.0.2p1-x509/bin/ssh\"
> > -D_PATH_SSH_ASKPASS_DEFAULT=\"/opt/openssh-3.0.2p1-x509/libexec/ssh-askpass\"
> > -D_PATH_SFTP_SERVER=\"/opt/openssh-3.0.2p1-x509/libexec/sftp-server\"
> > -D_PATH_SSH_PIDDIR=\"/var/run\" -DHAVE_CONFIG_H -c key.c
> > "key.c", line 197: warning: argument #3 is incompatible with prototype:
> >         prototype: pointer to uint : "./key.h", line 75
> >         argument : pointer to int
> > "key.c", line 499: warning: argument #3 is incompatible with prototype:
> >         prototype: pointer to uint : "./key.h", line 75
> >         argument : pointer to int
> > "key.c", line 501: warning: argument #3 is incompatible with prototype:
> >         prototype: pointer to char : "./uuencode.h", line 29
> >         argument : pointer to uchar
> > "key.c", line 679: warning: argument #2 is incompatible with prototype:
> >         prototype: pointer to const char : "./buffer.h", line 33
> >         argument : pointer to uchar
> > "key.c", line 741: warning: improper pointer/integer combination: arg #2
> > "key.c", line 741: prototype mismatch: 2 args passed, 3 expected
> > "key.c", line 741: operand cannot have void type: op "="
> > "key.c", line 741: assignment type mismatch:
> >         pointer to uchar "=" void
>
> What is line 741?
>
> -d
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

Ed Phillips
University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu, 14 Feb 2002 10:57:54 -0500 (EST)
Subject: 3.0.2p1: all sshd processes owned by root

Hi,

I installed 3.0.2p1 on our Solaris 8 systems this week (new to ssh),
and when I look at the process list for sshd, I see:

    root 14547     1  0 10:35:29 ?  0:00 /opt/openssh/sbin/sshd
    root 14548 14547  0 10:35:36 ?  0:01 /opt/openssh/sbin/sshd

Process 14547 is the daemon listening on port 22, but process 14548 is
my connection from elsewhere. I consider it a design flaw (cough, bug)
that this process is owned by root and not by the user who made the
connection, eg:

    root    14547     1  0 10:35:29 ?  0:00 /opt/openssh/sbin/sshd
    joeblow 14548 14547  0 10:35:36 ?  0:01 /opt/openssh/sbin/sshd

So, I looked at the source code for sshd. Why are there no setuid() and
setgid() calls in the code to change to the user, after the child process
is forked off to process the new connection? It looks like the uid and
gid of the user should be known after do_authentication() or
do_authentication2() has been called, so the ownership of the forked
daemon could be changed after this point. Why isn't it?

---
Jeff Earickson, Colby College
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 15 Feb 2002 03:43:03 +1100 (EST)
Subject: [Bug 112] Using host key fingerprint instead of "yes"
Message-ID: <20020214164303.95885EA85@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=112

------- Additional Comments From peak at argo.troja.mff.cuni.cz 2002-02-15 03:42 -------
I can do it (now when I know other people like such a feature) but I am
not sure what kind of documentation (besides proper prompts and other
messages from ssh) should be written? Should this behaviour be described
in ssh.1? Or elsewhere?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 15 Feb 2002 04:59:24 +1100 (EST)
Subject: [Bug 112] Using host key fingerprint instead of "yes"
Message-ID: <20020214175924.44EFCEA9C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=112

------- Additional Comments From djast at cs.toronto.edu 2002-02-15 04:59 -------
I'd like to propose a slight modification to the feature, because I'm
concerned that unsophisticated users may use it incorrectly.

If the SSH client outputs a fingerprint, and then prompts the user to
enter the fingerprint for the host, a user who does not understand the
purpose of this procedure may simply cut and paste the fingerprint that
was just displayed. Although this is no less secure than the user simply
typing "yes" to accept the host identification blindly, it may result in
a false sense of security for users who do not understand the purpose of
the key fingerprints.

This problem could be addressed by introducing a client-side option which
controls whether the client should handle an unknown host by:

 a) displaying the fingerprint and prompting for yes/no (as previously); or
 b) not displaying the fingerprint by default, and instead prompting for
    the user to enter the host's fingerprint.

This option would be set to do (a) by users who generally wish to compare
fingerprints manually, and to (b) by those who generally wish to have ssh
do the comparison for them. In the case of (b), this could be enhanced so
that the user can type "yes" to accept the host key sight-unseen, or
"show" to display the fingerprint and re-prompt.

Just a suggestion.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
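The prompt discussed in bug 112, with the (a)/(b) client option proposed in the comment above, as an added example that is not part of the bug report or of OpenSSH: it computes the MD5 colon-separated fingerprint ssh-keygen printed at the time over a constructed ssh-rsa key blob, compares what the user types against it in constant time after normalising case and separators, and honours "yes" and "show" in mode (b). The option values "show-fingerprint" / "ask-fingerprint", the sample key and all function names are assumptions of this example, not ssh_config options.

```python
"""Added example (not OpenSSH code): the "type the fingerprint" unknown-host
prompt from bug 112, with the (a)/(b) policy switch from the follow-up comment.

Assumptions, all constructed for this example:
  * the host key is a toy ssh-rsa public key blob in SSH wire format
    (string "ssh-rsa", mpint e, mpint n); the numbers are not a real key;
  * the fingerprint is the MD5 hex-with-colons form ssh-keygen -l printed then;
  * the policy names "show-fingerprint" / "ask-fingerprint" are invented here.
"""
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': minimal big-endian two's complement; a leading 0x00
    keeps a positive number positive when its top bit is set."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_key_blob(e: int, n: int) -> bytes:
    """Public key blob of an ssh-rsa host key: the bytes a fingerprint is taken over."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def md5_fingerprint(blob: bytes) -> str:
    """MD5 of the blob shown as 16 colon-separated hex bytes, e.g. 'ab:cd:...'."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Accept the forms a user is likely to type: any case, with or without colons/spaces."""
    return fp.strip().lower().replace(":", "").replace(" ", "")


def fingerprints_match(expected: str, typed: str) -> bool:
    """Constant-time comparison so the prompt's timing does not reveal how much matched."""
    return hmac.compare_digest(normalise(expected).encode(), normalise(typed).encode())


def unknown_host_prompt(host, blob, answers, policy="ask-fingerprint"):
    """Drive the unknown-host prompt.  `answers` iterates the user's replies
    (a stand-in for stdin).  Returns (accepted, transcript_lines).

    policy "show-fingerprint": behaviour (a), print the fingerprint, ask yes/no.
    policy "ask-fingerprint":  behaviour (b), keep it hidden; the user types the
        fingerprint obtained out of band, "yes" to accept the key unseen, or
        "show" to fall back to (a) for this host only.
    """
    fp = md5_fingerprint(blob)
    out = [f"The authenticity of host '{host}' can't be established."]
    if policy == "ask-fingerprint":
        out.append("Enter the host's RSA key fingerprint "
                   "(or 'yes' to accept unseen, 'show' to display):")
        reply = next(answers).strip()
        if reply.lower() == "yes":
            out.append("Warning: host key accepted without verification.")
            return True, out
        if reply.lower() != "show":
            ok = fingerprints_match(fp, reply)
            out.append("Fingerprint matches; host key accepted." if ok
                       else "Fingerprint does NOT match; host key rejected.")
            return ok, out
        # "show" requested: fall through to behaviour (a)
    out.append(f"RSA key fingerprint is {fp}.")
    out.append("Are you sure you want to continue connecting (yes/no)?")
    return next(answers).strip().lower() == "yes", out


# Constructed sample key (tiny modulus, not a real host key).
SAMPLE_BLOB = rsa_key_blob(65537, 0xC0FFEE1234567890ABCDEF)

if __name__ == "__main__":
    # Mode (b): the user types the fingerprint they got out of band.
    accepted, lines = unknown_host_prompt("example.invalid", SAMPLE_BLOB,
                                          iter([md5_fingerprint(SAMPLE_BLOB)]))
    print("\n".join(lines), "\naccepted:", accepted)
```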
From: djm at mindrot.org (Damien Miller)
Date: Fri, 15 Feb 2002 08:28:41 +1100 (EST)
Subject: x509 test patch - can't compile

On Thu, 14 Feb 2002, Ed Phillips wrote:

> It's line 741 of key.c in 3.0.2p1 with the x509 patch

The patch was against -current.

> By the way, Markus, does this patch include code to make the OpenSSH
> client verify the server's host key with x509, or does this just
> patch just make the server tack on the x509 stuff so that SSH.COM's
> client could use it?

The patch is for the server only, there was no client support included.

-d
From: djm at mindrot.org (Damien Miller)
Date: Fri, 15 Feb 2002 08:31:26 +1100 (EST)
Subject: 3.0.2p1: all sshd processes owned by root

On Thu, 14 Feb 2002, Jeff A. Earickson wrote:

> Hi,
>
> I installed 3.0.2p1 on our Solaris 8 systems this week (new to ssh),
> and when I look at the process list for sshd, I see:
>
>     root 14547     1  0 10:35:29 ?  0:00 /opt/openssh/sbin/sshd
>     root 14548 14547  0 10:35:36 ?  0:01 /opt/openssh/sbin/sshd
>
> Process 14547 is the daemon listening on port 22, but process 14548 is
> my connection from elsewhere. I consider it a design flaw (cough, bug)
> that this process is owned by root and not by the user who made the
> connection, eg:
>
>     root    14547     1  0 10:35:29 ?  0:00 /opt/openssh/sbin/sshd
>     joeblow 14548 14547  0 10:35:36 ?  0:01 /opt/openssh/sbin/sshd
>
> So, I looked at the source code for sshd. Why are there no setuid() and
> setgid() calls in the code to change to the user, after the child process
> is forked off to process the new connection? It looks like the uid and
> gid of the user should be known after do_authentication() or
> do_authentication2() has been called, so the ownership of the forked
> daemon could be changed after this point. Why isn't it?

The server needs to be able to write logout entries to [uw]tmp and
lastlog, clean up pty's and keep a copy of the private host key for key
renegotiation.

-d
From: kevin at tgivan.com (kevin at tgivan.com) Date: Thu, 14 Feb 2002 13:53:56 -0800 Subject: [Patch] Changes to openbsd.html Message-ID: <20020214215356.GA3454@tgivan.com> 'ello Markus/folks@, I downloaded 3.0.2 today and went and looked at openbsd.html and found some errors. Patch attached. Patch for http://www.openssh.com/openbsd.html Hope that helps, Rgds -- Kevin Sindhu Systems Engineer TGI Technologies Inc. 107 E 3rd Avenue Tel: (604) 872-6676 Ext 321 Vancouver V5T 1C7 Fax: (604) 872-6601 British Columbia, Canada -------------- next part -------------- --- openbsd.html Tue Feb 12 03:32:02 2002 +++ openbsd.html.mod Thu Feb 14 13:43:45 2002 @@ -26,7 +26,7 @@

The following versions of OpenSSH are available for putting on your -OpenBSD machines: +OpenBSD machines(download to /usr/src/):

    @@ -39,7 +39,7 @@ modifications:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-3.0.2.tgz
    +# tar xvfz ../openssh-3.0.2.tgz
     # cd ssh
     # make obj
     # make cleandir
    @@ -56,9 +56,9 @@
     To extract and install it on your OpenBSD 2.9 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-3.0.2.tgz
    +# tar xvfz ../openssh-3.0.2.tgz
     # cd ssh
    -# patch -p0 < .../openbsd29_3.0.2.patch
    +# patch -p0 < ../../openbsd29_3.0.2.patch
     # make obj
     # make cleandir
     # make depend
    @@ -72,9 +72,9 @@
     To extract and install it on your OpenBSD 2.8 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-3.0.2.tgz
    +# tar xvfz ../openssh-3.0.2.tgz
     # cd ssh
    -# patch -p0 < .../openbsd28_3.0.2.patch
    +# patch -p0 < ../../openbsd28_3.0.2.patch
     # make obj
     # make cleandir
     # make depend
    @@ -88,9 +88,9 @@
     To extract and install it on your OpenBSD 2.7 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-3.0.2.tgz
    +# tar xvfz ../openssh-3.0.2.tgz
     # cd ssh
    -# patch -p0 < .../openbsd27_3.0.2.patch
    +# patch -p0 < ../../openbsd27_3.0.2.patch
     # make obj
     # make cleandir
     # make depend
    @@ -113,7 +113,7 @@
     modifications:
     
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-3.0.1.tgz
    +# tar xvfz ../openssh-3.0.1.tgz
     # cd ssh
     # make obj
     # make cleandir
    @@ -130,9 +130,9 @@
     To extract and install it on your OpenBSD 2.9 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-3.0.1.tgz
    +# tar xvfz ../openssh-3.0.1.tgz
     # cd ssh
    -# patch -p0 < .../openbsd29_3.0.1.patch
    +# patch -p0 < ../../openbsd29_3.0.1.patch
     # make obj
     # make cleandir
     # make depend
    @@ -146,9 +146,9 @@
     To extract and install it on your OpenBSD 2.8 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-3.0.1.tgz
    +# tar xvfz ../openssh-3.0.1.tgz
     # cd ssh
    -# patch -p0 < .../openbsd28_3.0.1.patch
    +# patch -p0 < ../../openbsd28_3.0.1.patch
     # make obj
     # make cleandir
     # make depend
    @@ -162,9 +162,9 @@
     To extract and install it on your OpenBSD 2.7 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-3.0.1.tgz
    +# tar xvfz ../openssh-3.0.1.tgz
     # cd ssh
    -# patch -p0 < .../openbsd27_3.0.1.patch
    +# patch -p0 < ../../openbsd27_3.0.1.patch
     # make obj
     # make cleandir
     # make depend
    @@ -187,7 +187,7 @@
     modifications:
     
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-3.0.tgz
    +# tar xvfz ../openssh-3.0.tgz
     # cd ssh
     # make obj
     # make cleandir
    @@ -201,7 +201,7 @@
     To extract and install it on your OpenBSD 2.7 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-3.0.tgz
    +# tar xvfz ../openssh-3.0.tgz
     # cd ssh
     comment 'CFLAGS+=-DHAVE_LOGIN_CAP' in sshd/Makefile, using a # character.
     # make obj
    @@ -226,7 +226,7 @@
     modifications:
     
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-2.9.9.tgz
    +# tar xvfz ../openssh-2.9.9.tgz
     # cd ssh
     # make obj
     # make cleandir
    @@ -240,7 +240,7 @@
     To extract and install it on your OpenBSD 2.7 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-2.9.9.tgz
    +# tar xvfz ../openssh-2.9.9.tgz
     # cd ssh
     comment 'CFLAGS+=-DHAVE_LOGIN_CAP' in sshd/Makefile, using a # character.
     # make obj
    @@ -265,7 +265,7 @@
     modifications:
     
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-2.9.tgz
    +# tar xvfz ../openssh-2.9.tgz
     # cd ssh
     # make obj
     # make cleandir
    @@ -279,7 +279,7 @@
     To extract and install it on your OpenBSD 2.7 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-2.9.tgz
    +# tar xvfz ../openssh-2.9.tgz
     # cd ssh
     comment 'CFLAGS+=-DHAVE_LOGIN_CAP' in sshd/Makefile, using a # character.
     # make obj
    @@ -304,7 +304,7 @@
     modifications:
     
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-2.5.2.tgz
    +# tar xvfz ../openssh-2.5.2.tgz
     # cd ssh
     # make obj
     # make cleandir
    @@ -318,7 +318,7 @@
     To extract and install it on your OpenBSD 2.7 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-2.5.2.tgz
    +# tar xvfz ../openssh-2.5.2.tgz
     # cd ssh
     comment 'CFLAGS+=-DHAVE_LOGIN_CAP' in sshd/Makefile, using a # character.
     # make obj
    @@ -346,7 +346,7 @@
     To extract and install it on your OpenBSD 2.7 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-2.5.1.tgz
    +# tar xvfz ../openssh-2.5.1.tgz
     # cd ssh
     comment 'CFLAGS+=-DHAVE_LOGIN_CAP' in sshd/Makefile, using a # character.
     # make obj
    @@ -377,7 +377,7 @@
     To extract and install it on your OpenBSD 2.7 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-2.3.0.tgz
    +# tar xvfz ../openssh-2.3.0.tgz
     # cd ssh
     comment 'CFLAGS+=-DHAVE_LOGIN_CAP' in sshd/Makefile, using a # character.
     # make obj
    @@ -401,7 +401,7 @@
     To extract and install it on your OpenBSD 2.7 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-2.2.0.tgz
    +# tar xvfz ../openssh-2.2.0.tgz
     # cd ssh
     comment 'CFLAGS+=-DHAVE_LOGIN_CAP' in sshd/Makefile, using a # character.
     # make obj
    @@ -421,7 +421,7 @@
     To extract and install it on your OpenBSD 2.6 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-2.2.0.tgz
    +# tar xvfz ../openssh-2.2.0.tgz
     # patch -p0 < openbsd26_2.2.0.patch
     # cd ssh
     uncomment 'CFLAGS+=-DHAVE_LOGIN_CAP' in sshd/Makefile
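Review bot: the `# patch -p0 < openbsd26_2.2.0.patch` line in this hunk is still relative to the working directory, while the 2.1.1 hunk in this same patch rewrites its OpenBSD 2.6 patch command to a `../../` path; since this one runs from /usr/src/usr.bin (before `cd ssh`) and the first hunk now says the files are downloaded to /usr/src/, the consistent form would presumably be `# patch -p0 < ../openbsd26_2.2.0.patch`. Please either change it or say why it is left as is.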
    @@ -451,7 +451,7 @@
     To extract and install it on your OpenBSD 2.7 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-2.1.1.tgz
    +# tar xvfz ../openssh-2.1.1.tgz
     # cd ssh
     # make obj
     # make cleandir
    @@ -470,8 +470,8 @@
     To extract and install it on your OpenBSD 2.6 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-2.1.1.tgz
    -# patch -p0 < openbsd26_2.1.1.patch
    +# tar xvfz ../openssh-2.1.1.tgz
    +# patch -p0 < ../../openbsd26_2.1.1.patch
     # cd ssh
     # make obj
     # make cleandir
    @@ -499,7 +499,7 @@
     To extract and install it on your OpenBSD 2.7 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-2.1.0.tgz
    +# tar xvfz ../openssh-2.1.0.tgz
     # cd ssh
     # make obj
     # make cleandir
    @@ -518,7 +518,7 @@
     To extract and install it on your OpenBSD 2.6 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-2.1.0.tgz
    +# tar xvfz ../openssh-2.1.0.tgz
     # patch -p0 < openbsd26_2.1.0.patch
     # cd ssh
     # make obj
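Review bot: same inconsistency as the 2.2.0 section: `# patch -p0 < openbsd26_2.1.0.patch` is left unchanged although the tarball line above it was rewritten to `../openssh-2.1.0.tgz`; run from /usr/src/usr.bin with the files in /usr/src/ that would presumably need `../openbsd26_2.1.0.patch` as well.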
    @@ -548,7 +548,7 @@
     To extract and install it on your OpenBSD 2.7 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-1.2.3.tgz
    +# tar xvfz ../openssh-1.2.3.tgz
     # cd ssh
     # make obj
     # make cleandir
    @@ -567,7 +567,7 @@
     To extract and install it on your OpenBSD 2.6 system:
     # cd /usr/src/usr.bin
    -# tar xvfz .../openssh-1.2.3.tgz
    +# tar xvfz ../openssh-1.2.3.tgz
     # cd ssh
     # patch -p1 < openbsd26_1.2.3.patch
     # make obj
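Review bot: `# patch -p1 < openbsd26_1.2.3.patch` here is executed after `cd ssh`, so with the download location documented as /usr/src/ the patch file would be two directories up (`../../openbsd26_1.2.3.patch`, as the 2.9/2.8/2.7 sections in this patch already use); only the tar line was adjusted in this hunk. The `-p1` (versus `-p0` everywhere else) is worth a second look at the same time.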
    @@ -582,6 +582,7 @@
     If you are interested in seeing if there are any OpenSSH patches,
     see the
     OpenBSD errata pages.
    +B
     
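Review bot: the added `+B` line after the errata sentence has no explanation and does not look like intended page content; if it is a leftover from editing (or a markup fragment lost in transit) it should be dropped, otherwise the patch description should say what it is for.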


From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 15 Feb 2002 09:56:26 +1100 (EST)
Subject: [Bug 117] New: OpenSSH second-guesses PAM
Message-ID: <20020214225626.CCD35E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=117

           Summary: OpenSSH second-guesses PAM
           Product: Portable OpenSSH
           Version: -current
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: abartlet at samba.org

As I described in bug 114, OpenSSH makes assumptions about how PAM
operates, and denies it access to potentially critical information about
failed logins.

This problem occurs if you want to use PAM to obtain a consistent audit
history across all system daemons - OpenSSH traditionally would not even
start PAM, and now starts it specifying 'NOUSER' as the login name.

I feel that the correct behaviour is to always call PAM. There are two
particular reasons:

Firstly, it ensures that PAM gets to decide that a user is invalid, and
log it appropriately. OpenSSH can add its own checks to the top, but the
first decision should be with PAM.

The second is to prevent username guessing attacks - by always calling
PAM the system should always suffer the same timeouts/delays no matter
the existence of the attempted login.

Another (almost certainly less convincing) reason is that it would make
it easier for somebody to write an OpenSSH based daemon that didn't
service logins - like an authenticated proxy service that uses SSH for
secure transport to the firewall. In this case the user almost certainly
doesn't exist locally, but PAM can still be useful for authentication.
(OK, so this is really oddball, but my main concern is the first two
reasons).

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 15 Feb 2002 10:06:36 +1100 (EST)
Subject: [Bug 116] Openssh Shadow expiration failure on IRIX 6.5.14
Message-ID: <20020214230636.14356E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=116

dwd at bell-labs.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From dwd at bell-labs.com 2002-02-15 10:06 -------
*** This bug has been marked as a duplicate of 14 ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 15 Feb 2002 10:10:10 +1100 (EST)
Subject: [Bug 117] OpenSSH second-guesses PAM
Message-ID: <20020214231010.7AD51EAF4@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=117

------- Additional Comments From djm at mindrot.org 2002-02-15 10:10 -------
> OpenSSH traditionally would not even start PAM, and
> now starts it specifying 'NOUSER' as the login name.

We have always used NOUSER, the recent patch just makes it consistent
between protocols 1 and 2.

> The second is to prevent username guessing attacks - by
> always calling PAM the system should always suffer the
> same timeouts/delays no matter the existence of the
> attempted login.

I don't think this is the case: the auth code attempts all
authentications with the fake username anyway, so this should not be an
issue unless the PAM modules themselves are broken.

We rely on getpwnam() working in lots of places, so changing this would
be a fair amount of work.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From: bill.taylor at esker.com (Taylor, Bill)
Date: Thu, 14 Feb 2002 17:10:20 -0600
Subject: Bad packet length rarely but still too often
Message-ID:

Hi,

Just got on this group and wonder if anyone can help.

I ported Openssh-2.1.1p2 to windows to use with our emulation software.
Sometimes via ssh 2 I get a bad packet length when doing repeated
keystrokes (sit in vi and append then hold down a key for a bit).

For the most part it works but I suspect the ported code base had flaws
that can not be fixed without porting a newer codebase....

Tell me it ain't so..... :-)

I have 2.9.9 and 3.0.2 on a sun and two different NetBSD machines and it
does it occasionally on them all.

What do I need to do?

From djm at mindrot.org  Fri Feb 15 10:40:28 2002
From: djm at mindrot.org (Damien Miller)
Date: Fri, 15 Feb 2002 10:40:28 +1100 (EST)
Subject: Bad packet length rarely but still too often
In-Reply-To:
Message-ID:

On Thu, 14 Feb 2002, Taylor, Bill wrote:

> Hi,
>
> Just got on this group and wonder if anyone can help.
>
> I ported Openssh-2.1.1p2 to windows to use with our emulation
> software. Sometimes via ssh 2 I get a bad packet length when doing
> repeated keystrokes (sit in vi and append then hold down a key for a bit).
>
> For the most part it works but I suspect the ported code base had flaws
> that can not be fixed without porting a newer codebase....

You should update anyway, 2.1.1 had a widely exploited remote security bug.

> Tell me it ain't so..... :-)
>
> I have 2.9.9 and 3.0.2 on a sun and two different NetBSD machines and it
> does it occasionally on them all.

What are the versions on the client and server when it fails? I have never
seen the issue and I can't replicate it with 3.0.2 using your above recipe.

-d

From bugzilla-daemon at mindrot.org  Fri Feb 15 10:47:25 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 15 Feb 2002 10:47:25 +1100 (EST)
Subject: [Bug 117] OpenSSH second-guesses PAM
Message-ID: <20020214234725.F20B9EAF4@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=117

------- Additional Comments From Darren.Moffat at Sun.COM  2002-02-15 10:47 -------
There is nothing wrong with calling pam_set_item to set an item to NULL and in
fact there are modules on Solaris that do exactly that for PAM_AUTHTOK.  PAM on
Solaris would not have syslogged the pam_set_item message that is described in
bug 114.

There is nothing wrong in having a syslog message for pam_set_item being called
with the item value as NULL; however, since it is perfectly valid to do so this
should be a debug only syslog message, and either the case being reported had
pam framework debugging enabled or there is a bug in the Linux PAM framework
library.

It is perfectly valid to pass NULL as the user into pam_start; pam_start
ultimately calls pam_set_item to setup the PAM_USER.  If the application does
that then it should use pam_get_item(pamh, PAM_USER, &user) to find out which
user was authenticated if pam_authenticate returned PAM_SUCCESS.

I would rather that OpenSSH passed NULL to pam_start than passing NOUSER.
There could potentially be modules on the stack that will prompt for a user
name if PAM_USER is empty - this is perfectly valid PAM according to the XSSO
spec (which Linux PAM does not comply with - it has extended and embraced in
an incompatible way in some areas).

Passing the string "NOUSER" takes away a valid username out of the namespace:
what if there really was a user called nouser (the user account for some
subsystem called 'no' for example, or someone called Neil Ouser)?  The
pam_authenticate call might actually succeed - this probably isn't what you
were expecting to happen in this case.
PAM_USER == NULL means "I, the application, don't know the user name";
anything else is taken to mean "you, the application, are trying to
authenticate the named user".

I believe the correct fix is for OpenSSH to pass NULL to pam_start when it
doesn't know the username and pass the username when it does.

From bill.taylor at esker.com  Fri Feb 15 11:03:31 2002
From: bill.taylor at esker.com (Taylor, Bill)
Date: Thu, 14 Feb 2002 18:03:31 -0600
Subject: Bad packet length rarely but still too often
Message-ID:

The client is the 2.1.1 code which I ported and the server behaves the
same for any recent server 2.9 or newer.  I am not saying that it is not
in a change I made in our port.  It could be there but sftp and scp and
most ssh2 sessions work.

I do not know if there is a timing glitch in my windows code or something
long since fixed in the base code.  We do not run a sshd on our client
systems but generate multiple ssh sessions to hosts as needed.

-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org]
Sent: Thursday, February 14, 2002 5:40 PM
To: Taylor, Bill
Cc: openssh-unix-dev at mindrot.org
Subject: Re: Bad packet length rarely but still too often

On Thu, 14 Feb 2002, Taylor, Bill wrote:

> Hi,
>
> Just got on this group and wonder if anyone can help.
>
> I ported Openssh-2.1.1p2 to windows to use with our emulation
> software. Sometimes via ssh 2 I get a bad packet length when doing
> repeated keystrokes (sit in vi and append then hold down a key for a bit).
>
> For the most part it works but I suspect the ported code base had flaws
> that can not be fixed without porting a newer codebase....

You should update anyway, 2.1.1 had a widely exploited remote security bug.

> Tell me it ain't so..... :-)
>
> I have 2.9.9 and 3.0.2 on a sun and two different NetBSD machines and it
> does it occasionally on them all.

What are the versions on the client and server when it fails? I have never
seen the issue and I can't replicate it with 3.0.2 using your above recipe.

-d

From bugzilla-daemon at mindrot.org  Fri Feb 15 11:13:20 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 15 Feb 2002 11:13:20 +1100 (EST)
Subject: [Bug 117] OpenSSH second-guesses PAM
Message-ID: <20020215001320.5D73EEAF4@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=117

------- Additional Comments From abartlet at samba.org  2002-02-15 11:13 -------
The problem is that OpenSSH knows the username perfectly well at this stage.
It just refuses to pass it on to PAM!  This means that PAM cannot log the
fact that an invalid login was attempted - which is my primary issue here.

I am doing some work on a product that is hoping to use PAM to log all
authentication failures in a consistent manner across all system daemons.
I see no reason why PAM cannot be told the truth, allowing this kind of
thing without ugly hacks to OpenSSH itself (the current way this is done).

auth_sia_password() doesn't take a 'struct passwd' argument, why should PAM
have to?  (The bits of auth_pam_password() and auth_password() that deal
with the pw->uid field should really be in a single function, elsewhere)

From djm at mindrot.org  Fri Feb 15 11:14:15 2002
From: djm at mindrot.org (Damien Miller)
Date: Fri, 15 Feb 2002 11:14:15 +1100 (EST)
Subject: Bad packet length rarely but still too often
In-Reply-To:
Message-ID:

On Thu, 14 Feb 2002, Taylor, Bill wrote:

> The client is the 2.1.1 code which I ported and the server behaves the
> same for any recent server 2.9 or newer. I am not saying that it is
> not in a change I made in our port. It could be there but sftp and scp
> and most ssh2 sessions work.
>
> I do not know if there is a timing glitch in my windows code or
> something long since fixed in the base code. We do not run a sshd on
> our client systems but generate multiple ssh sessions to hosts as
> needed.

As I said, I have never seen that error in normal usage - even when I
was using 2.1.1 or earlier.

-d

From openssh at openbsd.org  Fri Feb 15 11:15:47 2002
From: openssh at openbsd.org (Markus Friedl)
Date: Fri, 15 Feb 2002 01:15:47 +0100
Subject: hang on exit
In-Reply-To: <200202132329.g1DNThnE013607@ns2.is.bizsystems.com>; from michael@insulin-pumpers.org on Wed, Feb 13, 2002 at 03:29:32PM -0800
References: <20020213131541.D18854@google.com> <20020213213007.GB7731@faui02> <200202132329.g1DNThnE013607@ns2.is.bizsystems.com>
Message-ID: <20020215011546.A31768@folly>

On Wed, Feb 13, 2002 at 03:29:32PM -0800, Michael wrote:
> Losing data is much preferable to having the clients/users broken or
> inappropriately coded process screw up the host server.

I don't think many people are happy if ssh discards data, but we had
this before.

> The argument is really one about "perfect" solutions, not what works.
> Let's get back to the real world and produce code that works as it is
> expected to, not what would be great in a lab or test environment.

Well, in the real world ssh is used to transfer information not to
discard information.

> It's not necessary for the default behavior to throw away data, but
> it would be nice to have the choice and the ability to keep the
> host platform free of zombie sshd's from brain dead users.

Is it really SSH's job to fix broken scripts?

> BTW, the linux box is still sitting there if you want to test your
> code there.

I don't have time for testing my own diffs on your linux box, sorry.
Why don't you?

From markus at openbsd.org  Fri Feb 15 11:17:22 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 15 Feb 2002 01:17:22 +0100
Subject: Warning message at password prompt
In-Reply-To: ; from epa98@doc.ic.ac.uk on Thu, Feb 14, 2002 at 12:04:52PM +0000
References: <20020214062850.E25452@justice.loyola.edu>
Message-ID: <20020215011722.B31768@folly>

On Thu, Feb 14, 2002 at 12:04:52PM +0000, Edward Avis wrote:
> With SSH v1 protocol there seemed to be a noticeable speedup, but I need
> to get some concrete numbers.

I don't think that SSH v1 with 3des is faster than SSH v2 with aes128-cbc :)

From markus at openbsd.org  Fri Feb 15 11:19:27 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 15 Feb 2002 01:19:27 +0100
Subject: x509 test patch - can't compile
In-Reply-To: ; from ed@UDel.Edu on Thu, Feb 14, 2002 at 09:35:53AM -0500
References:
Message-ID: <20020215011927.C31768@folly>

On Thu, Feb 14, 2002 at 09:35:53AM -0500, Ed Phillips wrote:
> It's line 741 of key.c in 3.0.2p1 with the x509 patch (that Markus posted
> a couple weeks ago) applied.  The call to buffer_append_space has the
> wrong number of args:
>
>         case KEY_RSA:
>                 if (key->x509) {
>                         /* XXX ssh.com does not accept a key name here */
>                         len = i2d_X509(key->x509, NULL);
> -->                     buf = buffer_append_space(&b, len);

try to change this to
	buffer_append_space(&b, &buf, len);

>                         i2d_X509(key->x509, &buf);
>                 } else {
>                         buffer_put_cstring(&b, key_ssh_name(key));
>                         buffer_put_bignum2(&b, key->rsa->e);
>                         buffer_put_bignum2(&b, key->rsa->n);
>                 }
>
>
> What's the correct way to fix this?  It seems to be a departure from the
> "cram stuff into b" mentality that the surrounding code is doing...
>
> By the way, Markus, does this patch include code to make the OpenSSH
> client verify the server's host key with x509, or does this just patch

no.

> just make the server tack on the x509 stuff so that SSH.COM's client could
> use it?

yes.

From fcusack at fcusack.com  Fri Feb 15 20:41:22 2002
From: fcusack at fcusack.com (Frank Cusack) Date: Fri, 15 Feb 2002 01:41:22 -0800 Subject: CVS for portable? Message-ID: <20020215014122.B30179@google.com> The instructions on are incorrect. (There is no 'openssh' module.) TIA, /fc From fcusack at fcusack.com Fri Feb 15 20:48:23 2002 From: fcusack at fcusack.com (Frank Cusack) Date: Fri, 15 Feb 2002 01:48:23 -0800 Subject: Warning message at password prompt In-Reply-To: ; from epa98@doc.ic.ac.uk on Thu, Feb 14, 2002 at 10:10:07AM +0000 References: Message-ID: <20020215014823.A2946@google.com> On Thu, Feb 14, 2002 at 10:10:07AM +0000, Edward Avis wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On Thu, 14 Feb 2002, Damien Miller wrote: > > >>I've patched my local OpenSSH (currently 2.9p2, but the same patch > >>applies to 3.0.2) to allow the cipher 'none' for both SSH1 and SSH2 > >>connections. With SSH1, there is already code to print a warning > >>that any password you enter will be sent in plain text. However the > >>userauth_passwd() in sshconnect2.c does not have any such warning. Your patch is inadequate, then. :-) Try this, it works for me. It's against 3.0.2p1. You need 'none2' otherwise you can't do a 'none' encryption with protocol 2. (In the openssh implementation, "keywords" for encryption types cannot be shared for protocol 1/2.) --- openssh.orig/cipher.c +++ openssh/cipher.c @@ -364,6 +364,10 @@ blowfish_setkey, blowfish_setiv, blowfish_ssh1_encrypt, blowfish_ssh1_decrypt }, + { "none2", + SSH_CIPHER_SSH2, 8, 0, + none_setkey, none_setiv, + none_crypt, none_crypt }, { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, des3_setkey, des3_setiv, @@ -419,6 +423,7 @@ u_int mask = 0; mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ mask |= 1 << SSH_CIPHER_BLOWFISH; + mask |= 1 << SSH_CIPHER_NONE; if (client) { mask |= 1 << SSH_CIPHER_DES; } --- openssh.orig/ssh.c +++ openssh/ssh.c 
@@ -438,6 +438,8 @@ options.ciphers = "3des-cbc"; else if (options.cipher == SSH_CIPHER_BLOWFISH) options.ciphers = "blowfish-cbc"; + else if (options.cipher == SSH_CIPHER_NONE) + options.ciphers = "none2"; else options.ciphers = (char *)-1; } --- openssh.orig/sshconnect1.c +++ openssh/sshconnect1.c @@ -848,7 +848,7 @@ error("Permission denied, please try again."); if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! " - "Reponse will be transmitted in clear text."); + "Response will be transmitted in clear text."); response = read_passphrase(prompt, RP_ECHO); if (strcmp(response, "") == 0) { xfree(response); --- openssh.orig/sshconnect2.c +++ openssh/sshconnect2.c @@ -449,6 +449,9 @@ if(attempt != 1) error("Permission denied, please try again."); + if (!strcmp("none2", options.ciphers)) + log("WARNING: Encryption is disabled! " + "Response will be transmitted in clear text."); snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ", authctxt->server_user, authctxt->host); password = read_passphrase(prompt, 0); @@ -750,6 +753,9 @@ return 0; } + if (!strcmp("none2", options.ciphers)) + log("WARNING: Encryption is disabled! " + "Response will be transmitted in clear text."); debug2("userauth_kbdint"); packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(authctxt->server_user); --- openssh.orig/ssh.1 +++ openssh/ssh.1 @@ -391,7 +391,7 @@ .It Fl b Ar bind_address Specify the interface to transmit from on machines with multiple interfaces or aliased addresses. -.It Fl c Ar blowfish|3des|des +.It Fl c Ar blowfish|3des|des|none Selects the cipher to use for encrypting the session. .Ar 3des is used by default. @@ -743,9 +743,10 @@ in protocol version 1. Currently, .Dq blowfish , -.Dq 3des , +.Dq 3des +.Dq des , and -.Dq des +.Dq none are supported. .Ar des is only supported in the From fcusack at fcusack.com Fri Feb 15 20:50:17 2002 
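Review bot: in both sshconnect2.c hunks the cleartext warning is keyed on `strcmp("none2", options.ciphers)`, which compares the entire configured cipher list rather than the cipher negotiated with the server: a list such as `none2,aes128-cbc` never matches, so a password goes out over a 'none2' session with no warning at all, and the same field holds the `(char *)-1` sentinel assigned in the ssh.c hunk (or is unset when no cipher was configured), which strcmp() cannot dereference safely. Suggest deciding from the negotiated cipher, for example a flag on the cipher entry itself, and guarding the pointer until negotiation has happened.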
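Review bot: the cipher.c mask hunk adds `mask |= 1 << SSH_CIPHER_NONE;` above the `if (client)` branch, so protocol 1 'none' becomes acceptable on the server side as well, with no sshd_config option to refuse it; if the intent is client-only, move the line inside the `if (client) {` block, otherwise tie it to a server option so that an unencrypted session is not negotiable by default.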
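Review bot: the second ssh.1 hunk drops the trailing `,` argument when it rewrites `.Dq 3des ,` as `.Dq 3des`, so the rendered list reads "blowfish, 3des des, and none"; keep the comma on the 3des line. The first ssh.1 hunk documents `none` for -c, but the protocol 2 name introduced in cipher.c is `none2`, which should be listed under Ciphers as well so users know which keyword disables encryption for protocol 2.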
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri, 15 Feb 2002 01:50:17 -0800
Subject: Warning message at password prompt
In-Reply-To: ; from epa98@doc.ic.ac.uk on Thu, Feb 14, 2002 at 10:10:07AM +0000
References:
Message-ID: <20020215015016.B2946@google.com>

On Thu, Feb 14, 2002 at 10:10:07AM +0000, Edward Avis wrote:
> The standard OpenSSH release does not support 'none', only 3DES and
> Blowfish (AFAIK), so there is no need for such a warning.  But I would
> like to add the code for it to my local copy which I have patched to
> enable unencrypted connections.  I understand that the OpenSSH
> maintainers don't want to support this in the main release, but it is
> useful to me and to some others.

BTW, I agree, 'none' encryption is very useful.  I think it should be
in the source by default (but disabled in the default sshd_config).

/fc

From bugzilla-daemon at mindrot.org  Fri Feb 15 21:11:00 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 15 Feb 2002 21:11:00 +1100 (EST)
Subject: [Bug 105] scp protocol 2 over a hippi interface takes 6 times longer
Message-ID: <20020215101100.58720EB1C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=105

------- Additional Comments From pas50 at cam.ac.uk  2002-02-15 21:10 -------
hartree_a [4] time `cat lapack.ibm.tar.gz | local/bin/ssh -2 -c 3des-cbc -p 1222 hodgkin 'cat > f2' `
8.8u 0.6s 0:23 40% 672+633k 0+0io 140pf+0w

No effect going from 4 to 20.  Basically anything that increases the
window default above 32 helps.

From bugzilla-daemon at mindrot.org  Fri Feb 15 21:44:21 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 15 Feb 2002 21:44:21 +1100 (EST) Subject: [Bug 118] New: Implement TIS (protocol 1) via PAM Message-ID: <20020215104421.78C2EEAF4@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=118 Summary: Implement TIS (protocol 1) via PAM Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P3 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: fcusack at fcusack.com Currently, TIS is handled "natively" by sshd and only supports S/Key. With this patch, TIS is done via PAM, which gives a lot more flexibility on choice of "backend", eg you could do x9.9 tokens with protocol 1. It's a little bit less flexible if you have a server you want to be capable of doing either C/R or password. You can't do both via PAM in protocol 1. But the patch doesn't *break* doing both, you need merely turn off the TISviaPAM option and you are limited to the builtin S/Key for C/R. I hope this cut/pastes ok. This also fixes a bug in the current TIS handling, it turns echo on when doing TIS. diff -uNr openssh-3.0.2p1.orig/auth-pam.c openssh-3.0.2p1/auth-pam.c --- openssh-3.0.2p1.orig/auth-pam.c Fri Nov 9 12:22:17 2001 +++ openssh-3.0.2p1/auth-pam.c Fri Feb 15 02:17:19 2002 @@ -26,6 +26,8 @@ #ifdef USE_PAM #include "ssh.h" +#include "ssh1.h" +#include "packet.h" #include "xmalloc.h" #include "log.h" #include "auth-pam.h" @@ -54,6 +56,8 @@ /* states for do_pam_conversation() */ enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; +/* which type of prompts we should handle, set in auth_pam_password */ +static int pamprompt; /* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */ static int password_change_required = 0; /* remember whether the last pam_authenticate() succeeded or not */ 
@@ -98,6 +102,10 @@ int count; char buf[1024]; + u_int dlen; + int plen, type; + char *response; + /* PAM will free this later */ reply = malloc(num_msg * sizeof(*reply)); if (reply == NULL) @@ -111,10 +119,40 @@ */ switch(PAM_MSG_MEMBER(msg, count, msg_style)) { case PAM_PROMPT_ECHO_ON: - free(reply); - return PAM_CONV_ERR; + if (pamprompt != PAM_PROMPT_ECHO_ON || + (*msg)[count].msg == NULL) { + free(reply); + return PAM_CONV_ERR; + } + + /* handle challenge/response (ssh1 TIS) */ + /* Send the challenge */ + strlcpy(buf, PAM_MSG_MEMBER(msg, count, msg), + sizeof(buf)); + debug("sending challenge '%s'", buf); + packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); + packet_put_cstring(buf); + packet_send(); + packet_write_wait(); + + /* Give the response to the PAM module */ + if ((type = packet_read(&plen)) != + SSH_CMSG_AUTH_TIS_RESPONSE) { + free(reply); + return PAM_CONV_ERR; + } + debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE"); + response = packet_get_string(&dlen); + debug("got response '%s'", response); + packet_integrity_check(plen, 4 + dlen, type); + reply[count].resp = xstrdup(response); + reply[count].resp_retcode = PAM_SUCCESS; + xfree(response); + break; + case PAM_PROMPT_ECHO_OFF: - if (__pampasswd == NULL) { + if (__pampasswd == NULL || + pamprompt != PAM_PROMPT_ECHO_OFF) { free(reply); return PAM_CONV_ERR; } @@ -198,8 +236,8 @@ } } -/* Attempt password authentation using PAM */ -int auth_pam_password(struct passwd *pw, const char *password) +/* Attempt password authentication using PAM */ +int auth_pam_password(struct passwd *pw, const char *password, int prompt_type) { extern ServerOptions options; int pam_retval; 
@@ -211,12 +249,14 @@ return 0; if (pw->pw_uid == 0 && options.permit_root_login == PERMIT_NO_PASSWD) return 0; - if (*password == '\0' && options.permit_empty_passwd == 0) + if (*password == '\0' && options.permit_empty_passwd == 0 && + prompt_type == PAM_PROMPT_ECHO_OFF) return 0; __pampasswd = password; pamstate = INITIAL_LOGIN; + pamprompt = prompt_type; pam_retval = do_pam_authenticate( options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0); if (pam_retval == PAM_SUCCESS) { diff -uNr openssh-3.0.2p1.orig/auth-pam.h openssh-3.0.2p1/auth-pam.h --- openssh-3.0.2p1.orig/auth-pam.h Mon Mar 26 22:12:24 2001 +++ openssh-3.0.2p1/auth-pam.h Fri Feb 15 02:15:02 2002 @@ -7,7 +7,7 @@ void start_pam(const char *user); void finish_pam(void); -int auth_pam_password(struct passwd *pw, const char *password); +int auth_pam_password(struct passwd *pw, const char *password, int prompt_type); char **fetch_pam_environment(void); int do_pam_authenticate(int flags); int do_pam_account(char *username, char *remote_user); diff -uNr openssh-3.0.2p1.orig/auth1.c openssh-3.0.2p1/auth1.c --- openssh-3.0.2p1.orig/auth1.c Tue Nov 13 04:46:19 2001 +++ openssh-3.0.2p1/auth1.c Fri Feb 15 02:15:02 2002 @@ -85,7 +85,7 @@ (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif #ifdef USE_PAM - auth_pam_password(pw, "")) { + auth_pam_password(pw, "", PAM_PROMPT_ECHO_OFF)) { #elif defined(HAVE_OSF_SIA) 0) { #else @@ -252,7 +252,8 @@ #ifdef USE_PAM /* Do PAM auth with password */ - authenticated = auth_pam_password(pw, password); + authenticated = auth_pam_password(pw, password, + PAM_PROMPT_ECHO_OFF); #elif defined(HAVE_OSF_SIA) /* Do SIA auth with password */ authenticated = auth_sia_password(authctxt->user, 
@@ -269,6 +270,15 @@ case SSH_CMSG_AUTH_TIS: debug("rcvd SSH_CMSG_AUTH_TIS"); if (options.challenge_response_authentication == 1) { +#ifdef USE_PAM + if (options.tis_via_pam == 1) { + authenticated = auth_pam_password(pw, "", + PAM_PROMPT_ECHO_ON); + break; + } else { +#else + { +#endif /* USE_PAM */ char *challenge = get_challenge(authctxt); if (challenge != NULL) { debug("sending challenge '%s'", challenge); @@ -279,6 +289,7 @@ packet_write_wait(); continue; } + } } break; case SSH_CMSG_AUTH_TIS_RESPONSE: diff -uNr openssh-3.0.2p1.orig/auth2.c openssh-3.0.2p1/auth2.c --- openssh-3.0.2p1.orig/auth2.c Tue Nov 13 04:46:19 2001 +++ openssh-3.0.2p1/auth2.c Fri Feb 15 02:20:36 2002 @@ -345,7 +345,7 @@ return(0); #endif #ifdef USE_PAM - return auth_pam_password(authctxt->pw, ""); + return auth_pam_password(authctxt->pw, "", PAM_PROMPT_ECHO_OFF); #elif defined(HAVE_OSF_SIA) return 0; #else /* !HAVE_OSF_SIA && !USE_PAM */ @@ -370,7 +370,7 @@ check_nt_auth(1, authctxt->pw->pw_uid) && #endif #ifdef USE_PAM - auth_pam_password(authctxt->pw, password) == 1) + auth_pam_password(authctxt->pw, password, PAM_PROMPT_ECHO_OFF) == 1) #elif defined(HAVE_OSF_SIA) auth_sia_password(authctxt->user, password) == 1) #else /* !USE_PAM && !HAVE_OSF_SIA */ diff -uNr openssh-3.0.2p1.orig/servconf.c openssh-3.0.2p1/servconf.c --- openssh-3.0.2p1.orig/servconf.c Tue Nov 13 05:03:15 2001 +++ openssh-3.0.2p1/servconf.c Fri Feb 15 02:15:05 2002 @@ -88,6 +88,7 @@ options->password_authentication = -1; options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; + options->tis_via_pam = -1; options->permit_empty_passwd = -1; options->use_login = -1; options->allow_tcp_forwarding = -1; 
@@ -249,7 +250,7 @@ #ifdef AFS sAFSTokenPassing, #endif - sChallengeResponseAuthentication, + sChallengeResponseAuthentication, sTISviaPAM, sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress, sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, @@ -304,6 +305,7 @@ { "kbdinteractiveauthentication", sKbdInteractiveAuthentication }, { "challengeresponseauthentication", sChallengeResponseAuthentication }, { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */ + { "tisviapam", sTISviaPAM }, { "checkmail", sDeprecated }, { "listenaddress", sListenAddress }, { "printmotd", sPrintMotd }, @@ -648,6 +650,10 @@ case sChallengeResponseAuthentication: intptr = &options->challenge_response_authentication; + goto parse_flag; + + case sTISviaPAM: + intptr = &options->tis_via_pam; goto parse_flag; case sPrintMotd: diff -uNr openssh-3.0.2p1.orig/servconf.h openssh-3.0.2p1/servconf.h --- openssh-3.0.2p1.orig/servconf.h Wed Sep 12 09:40:06 2001 +++ openssh-3.0.2p1/servconf.h Fri Feb 15 02:15:05 2002 @@ -94,6 +94,7 @@ * authentication. */ int kbd_interactive_authentication; /* If true, permit */ int challenge_response_authentication; + int tis_via_pam; /* Use PAM for TIS? */ int permit_empty_passwd; /* If false, do not permit empty * passwords. */ int use_login; /* If true, login(1) is used */ diff -uNr openssh-3.0.2p1.orig/sshconnect1.c openssh-3.0.2p1/sshconnect1.c --- openssh-3.0.2p1.orig/sshconnect1.c Tue Oct 9 22:03:12 2001 +++ openssh-3.0.2p1/sshconnect1.c Fri Feb 15 02:15:05 2002 
@@ -849,7 +849,7 @@ if (options.cipher == SSH_CIPHER_NONE) log("WARNING: Encryption is disabled! " "Reponse will be transmitted in clear text."); - response = read_passphrase(prompt, 0); + response = read_passphrase(prompt, RP_ECHO); if (strcmp(response, "") == 0) { xfree(response); break; diff -uNr openssh-3.0.2p1.orig/sshd.8 openssh-3.0.2p1/sshd.8 --- openssh-3.0.2p1.orig/sshd.8 Sat Dec 1 15:37:08 2001 +++ openssh-3.0.2p1/sshd.8 Fri Feb 15 02:15:05 2002 @@ -379,6 +379,12 @@ are supported. The default is .Dq yes . +.It Cm TISviaPAM +Specifies whether protocol version 1 challenge response authentication (TIS) +should be handled via PAM. This is incompatible with with password +authentication. +The default is +.Dq no . .It Cm Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. diff -uNr openssh-3.0.2p1.orig/sshd_config openssh-3.0.2p1/sshd_config --- openssh-3.0.2p1.orig/sshd_config Thu Sep 20 16:15:44 2001 +++ openssh-3.0.2p1/sshd_config Fri Feb 15 02:15:05 2002 @@ -52,6 +52,9 @@ # Uncomment to disable s/key passwords #ChallengeResponseAuthentication no +# Do ssh1 TIS authentication (challenge/response) via PAM? +# ChallengeResponseAuthentication must be set for this to take effect. +#TISviaPAM no # Uncomment to enable PAM keyboard-interactive authentication # Warning: enabling this may bypass the setting of 'PasswordAuthentication' ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From vda at port.imtp.ilyichevsk.odessa.ua Sat Feb 16 02:49:01 2002 
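Review bot: in the PAM_PROMPT_ECHO_ON branch of the auth-pam.c conversation hunk, `debug("got response '%s'", response);` writes the user's authentication response into the debug log; that is harmless for a one-time S/Key value, but with an arbitrary PAM backend (the flexibility the patch is after) it can be a reusable secret, so drop that line and keep only the challenge debug. The same branch reads `(*msg)[count].msg` directly on one line and `PAM_MSG_MEMBER(msg, count, msg)` on the next; use the macro for both, since it exists because the conversation message type differs between PAM implementations.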
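Review bot: the ECHO_ON branch performs a complete SSH_SMSG_AUTH_TIS_CHALLENGE / SSH_CMSG_AUTH_TIS_RESPONSE exchange for every prompt the module stack delivers, whereas the original auth1.c flow it replaces sends one challenge, returns to the loop with `continue`, and handles exactly one SSH_CMSG_AUTH_TIS_RESPONSE per SSH_CMSG_AUTH_TIS; a module that prompts twice therefore emits a second challenge where the client expects a success or failure reply. Either return PAM_CONV_ERR when a conversation carries more than one ECHO_ON prompt, or state the single-prompt limit in the sshd.8 text.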
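Review bot: servconf.c initialises `options->tis_via_pam = -1;` but no hunk in fill_default_options() sets it to 0 like the neighbouring flags, so the option only behaves as "no" because auth1.c tests `options.tis_via_pam == 1`; add the default so the value is never left at -1.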
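Review bot: the sshd.8 hunk reads "incompatible with with password authentication" (duplicated "with"), and it should also say why: the auth1.c hunk routes SSH_CMSG_AUTH_TIS through auth_pam_password() with PAM_PROMPT_ECHO_ON while password authentication uses PAM_PROMPT_ECHO_OFF, and the static `pamprompt` makes the conversation return PAM_CONV_ERR for the other kind. Separately, the sshconnect1.c hunk changes the response prompt from 0 to RP_ECHO, i.e. it turns echo on, while the submission text says it fixes TIS "turning echo on"; state in the man page whether the response is meant to be echoed, since with a PAM backend that collects a reusable password through PAM_PROMPT_ECHO_ON it should not be.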
From: vda at port.imtp.ilyichevsk.odessa.ua (Denis Vlasenko)
Date: Fri, 15 Feb 2002 13:49:01 -0200
Subject: ssh can't resolve hostnames thru WINS
Message-ID: <200202151149.g1FBmxt26507@Port.imtp.ilyichevsk.odessa.ua>

[Please CC me, I'm not on the list]

My box is on a mostly Windows-populated network.
Naturally, I set up Samba and added WINS as a name resolution option.

I found out that some programs now can use NetBIOS names, others can't.
openssh falls into the latter category :-(

I found that openssh uses this snippet to convert hostname to ip:

    if((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
        fatal("%s: %.100s: %s", __progname, host,
            gai_strerror(gaierr));

and it fails for me exactly in this if() when I say "ssh ".
OTOH, ping uses code similar to

    struct hostent *hp;
    hp = gethostbyname(hostname);

and this works for WINS names.

My openssh version: openssh-3.0.2p1

Will try to patch ssh, although I know nothing about network programming.

Happy hacking,
--
vda

From mstone at cs.loyola.edu  Sat Feb 16 00:14:59 2002
From: mstone at cs.loyola.edu (Michael Stone)
Date: Fri, 15 Feb 2002 08:14:59 -0500
Subject: Warning message at password prompt
In-Reply-To: <20020215015016.B2946@google.com>; from fcusack@fcusack.com on Fri, Feb 15, 2002 at 01:50:17AM -0800
References: <20020215015016.B2946@google.com>
Message-ID: <20020215081459.L25452@justice.loyola.edu>

On Fri, Feb 15, 2002 at 01:50:17AM -0800, Frank Cusack wrote:
> BTW, I agree, 'none' encryption is very useful.  I think it should be
> in the source by default (but disabled in the default sshd_config).

Benchmarks to back up the proof by assertion?

--
Mike Stone

From fcusack at fcusack.com  Sat Feb 16 00:29:26 2002
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri, 15 Feb 2002 05:29:26 -0800
Subject: ssh can't resolve hostnames thru WINS
In-Reply-To: <200202151149.g1FBmxt26507@Port.imtp.ilyichevsk.odessa.ua>; from vda@port.imtp.ilyichevsk.odessa.ua on Fri, Feb 15, 2002 at 01:49:01PM -0200
References: <200202151149.g1FBmxt26507@Port.imtp.ilyichevsk.odessa.ua>
Message-ID: <20020215052926.A10832@google.com>

On Fri, Feb 15, 2002 at 01:49:01PM -0200, Denis Vlasenko wrote:
> [Please CC me, I'm not on the list]
>
> My box is on a mostly Windows-populated network.
> Naturally, I set up Samba and added WINS as a name resolution option.
>
> I found out that some programs now can use NetBIOS names, others can't.
> openssh falls into the latter category :-(
>
> I found that openssh uses this snippet to convert hostname to ip:
>
>     if((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
>         fatal("%s: %.100s: %s", __progname, host,
>             gai_strerror(gaierr));
>
> and it fails for me exactly in this if() when I say "ssh ".
> OTOH, ping uses code similar to
>
>     struct hostent *hp;
>     hp = gethostbyname(hostname);
>
> and this works for WINS names.

You must have a 'wins' entry in your nsswitch.conf.  I guess getaddrinfo()
doesn't support nsswitch correctly.  Judging by this email:

I'd say it doesn't.

/fc

From gert at greenie.muc.de  Sat Feb 16 00:32:52 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 15 Feb 2002 14:32:52 +0100
Subject: ssh can't resolve hostnames thru WINS
In-Reply-To: <200202151149.g1FBmxt26507@Port.imtp.ilyichevsk.odessa.ua>; from Denis Vlasenko on Fri, Feb 15, 2002 at 01:49:01PM -0200
References: <200202151149.g1FBmxt26507@Port.imtp.ilyichevsk.odessa.ua>
Message-ID: <20020215143252.C17549@greenie.muc.de>

Hi,

On Fri, Feb 15, 2002 at 01:49:01PM -0200, Denis Vlasenko wrote:
> I found that openssh uses this snippet to convert hostname to ip:
>
>     if((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
>         fatal("%s: %.100s: %s", __progname, host,
>             gai_strerror(gaierr));

This is the "best" and *current* way to do hostname to IP resolution.

> and it fails for me exactly in this if() when I say "ssh ".
> OTOH, ping uses code similar to
>
>     struct hostent *hp;
>     hp = gethostbyname(hostname);

This is "the old way", which can't do IPv6 (and has other limitations).

> and this works for WINS names.

Sounds like a microsoft weirdness to me...

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From epa98 at doc.ic.ac.uk  Sat Feb 16 01:31:35 2002
From: epa98 at doc.ic.ac.uk (Edward Avis)
Date: Fri, 15 Feb 2002 14:31:35 +0000 (GMT)
Subject: Warning message at password prompt
In-Reply-To: <20020215014823.A2946@google.com>
Message-ID:

On Fri, 15 Feb 2002, Frank Cusack wrote:

[patching to enable cipher 'none']

>You need 'none2' otherwise you can't do a 'none' encryption with
>protocol 2. (In the openssh implementation, "keywords" for encryption types
>cannot be shared for protocol 1/2.)

Actually that is just what I did in my patch, with this change to cipher.c:

- - if (c == NULL || c->number != SSH_CIPHER_SSH2) {
+ /* SSH_CIPHER_NONE can be used by both protocol 1 and 2 */
+ if (c == NULL || (c->number != SSH_CIPHER_SSH2
+ && c->number != SSH_CIPHER_NONE)) {

Since none_setkey() and friends seem to fit both the protocol 1 and
protocol 2 interface, it seemed best to have the single cipher name 'none'
in both cases.

(In fact, I'd say that cipher names _should_ be shared between protocols,
with the lookup being done based on name and protocol version.  Then
'ssh -1 -c 3des' and 'ssh -2 -c 3des' would use the current 3des and
3des-cbc respectively, without the user having to memorize those names.
But for my own use I implemented this only for 'none'.)

>--- openssh.orig/sshconnect2.c
>+++ openssh/sshconnect2.c
>@@ -449,6 +449,9 @@ > if(attempt != 1) > error("Permission denied, please try again."); > >+ if (!strcmp("none2", options.ciphers)) >+ log("WARNING: Encryption is disabled! " >+ "Response will be transmitted in clear text.");

Are you sure that is correct? It tests the options given when invoking ssh (or in a config file), but that's not necessarily the same as the actual cipher that was negotiated. Or maybe it is in the current implementation, but should sshconnect2.c know that?

I'm just a bit unhappy with trying to figure out the cipher in use by looking at the options struct. Surely there is a way to get the definitive answer of what cipher is being _used_.

OTOH, I see now that the password-warning code for SSH1 protocol does the same thing, looking at the options rather than finding the answer directly, so maybe it is acceptable. This will break if at some future date the options specify a list of ciphers, only one of which is used after negotiating with the server.

Another interesting question: is it worthwhile giving a similar warning if plain DES is used? Do we think that password-sniffing by breaking DES encryption is a threat, and a much greater threat than just eavesdropping on or hijacking a DES connection without passwords, and a big enough threat that the user should be warned again even if '-c des' was explicitly chosen? Perhaps not.

It seems that the proper way to handle these warnings is for the cipher to have an extra field 'is_insecure', which the password prompt could test rather than having hardcoded knowledge of particular strings like 'none'.

- --
Ed Avis
Finger for PGP key
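Review bot: the `if (!strcmp("none2", options.ciphers))` line makes the warning depend on the Ciphers option being exactly the string "none2"; a list value such as "aes128-cbc,none2" still lets the server pick none2 yet prints nothing, and the test keys off what was requested rather than what is in use. Split the option on commas and warn when any accepted entry is unencrypted (or read a flag on the negotiated cipher itself), and drop the hard-coded name so a 'none' keyword shared between protocol 1 and 2 is covered too.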
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Fri, 15 Feb 2002 10:24:06 -0500
Subject: hang on exit
In-Reply-To: <20020213222129.GD10765@faui02>; from markus@openbsd.org on Wed, Feb 13, 2002 at 11:21:29PM +0100
References: <20020103172818.A15928@faui02> <20020104091526.B1025@foo.birdnet.se> <20020104093229.B20222@wdr.com> <20020104184505.H9973@zax.half.pint-stowp.cx> <20020105113623.A19062@folly> <20020204193226.GA19980@faui02> <20020213131541.D18854@google.com> <20020213213007.GB7731@faui02> <20020213135153.E18854@google.com> <20020213222129.GD10765@faui02>
Message-ID: <20020215102404.A27398@sm2p1386swk.wdr.com>

On Wed, Feb 13, 2002 at 11:21:29PM +0100, Markus Friedl wrote:
> yes, this is what daemons and scripts should do.
> they can print to stdout, but when they have done
> initializing they should close stdout.
>
> but many people here seem not to agree.

I still think this should really be a client-side feature. Are you suggesting that it be done on the server side for the pty case only because there are clients out there that don't have a feature to do this data loss disconnect on their own?

Nico

From: markus at openbsd.org (Markus Friedl)
Date: Fri, 15 Feb 2002 21:00:01 +0100
Subject: CVS for portable?
In-Reply-To: <20020215014122.B30179@google.com>; from fcusack@fcusack.com on Fri, Feb 15, 2002 at 01:41:22AM -0800
References: <20020215014122.B30179@google.com>
Message-ID: <20020215210001.A7761@folly>

On Fri, Feb 15, 2002 at 01:41:22AM -0800, Frank Cusack wrote:
> The instructions on are incorrect.
> (There is no 'openssh' module.)

does openssh_cvs work?

From: mouring at etoh.eviladmin.org (mouring)
Date: Fri, 15 Feb 2002 13:27:21 -0600 (CST)
Subject: IRIX cleanup.
Message-ID:

Can I get someone from the IRIX group to apply this patch to the 3.0.2pX release and reconfigure/compile. I'm trying to clean out do_child() in preparation of a larger patch to that part of the code.

Also if someone could give me the hint for the right compiler magic to wrap the code in instead of what I'm doing now. I'd be thankful.

Thanks
- Ben

diff -urN openssh-3.0.2p1/openbsd-compat/Makefile.in openssh-irix/openbsd-compat/Makefile.in --- openssh-3.0.2p1/openbsd-compat/Makefile.in Wed Sep 19 21:07:51 2001 +++ openssh-irix/openbsd-compat/Makefile.in Thu Feb 14 22:50:17 2002
@@ -18,7 +18,7 @@ OPENBSD=base64.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o -COMPAT=bsd-arc4random.o bsd-cray.o bsd-cygwin_util.o bsd-misc.o bsd-nextstep.o bsd-snprintf.o bsd-waitpid.o fake-getaddrinfo.o fake-getnameinfo.o +COMPAT=bsd-arc4random.o bsd-cray.o bsd-cygwin_util.o bsd-irix.o bsd-misc.o bsd-nextstep.o bsd-snprintf.o bsd-waitpid.o fake-getaddrinfo.o fake-getnameinfo.o .c.o: $(CC) $(CFLAGS) $(CPPFLAGS) -c $< diff -urN openssh-3.0.2p1/openbsd-compat/bsd-irix.c openssh-irix/openbsd-compat/bsd-irix.c --- openssh-3.0.2p1/openbsd-compat/bsd-irix.c Wed Dec 31 18:00:00 1969 +++ openssh-irix/openbsd-compat/bsd-irix.c Thu Feb 14 23:08:00 2002 
@@ -0,0 +1,61 @@ +#include "includes.h" + +#if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) + +#ifdef WITH_IRIX_PROJECT +#include +#endif /* WITH_IRIX_PROJECT */ +#ifdef WITH_IRIX_JOBS +#include +#endif +#ifdef WITH_IRIX_AUDIT +#include +#endif /* WITH_IRIX_AUDIT */ + +void +irix_setusercontext(struct passwd *pw) +{ +#ifdef WITH_IRIX_PROJECT + prid_t projid; +#endif /* WITH_IRIX_PROJECT */ +#ifdef WITH_IRIX_JOBS + jid_t jid = 0; +#else +# ifdef WITH_IRIX_ARRAY + int jid = 0; +# endif /* WITH_IRIX_ARRAY */ +#endif /* WITH_IRIX_JOBS */ + +#ifdef WITH_IRIX_JOBS + jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); + if (jid == -1) + fatal("Failed to create job container: %.100s", + strerror(errno)); +#endif /* WITH_IRIX_JOBS */ +#ifdef WITH_IRIX_ARRAY + /* initialize array session */ + if (jid == 0 && newarraysess() != 0) + fatal("Failed to set up new array session: %.100s", + strerror(errno)); +#endif /* WITH_IRIX_ARRAY */ +#ifdef WITH_IRIX_PROJECT + /* initialize irix project info */ + if ((projid = getdfltprojuser(pw->pw_name)) == -1) { + debug("Failed to get project id, using projid 0"); + projid = 0; + } + if (setprid(projid)) + fatal("Failed to initialize project %d for %s: %.100s", + (int)projid, pw->pw_name, strerror(errno)); +#endif /* WITH_IRIX_PROJECT */ +#ifdef WITH_IRIX_AUDIT + if (sysconf(_SC_AUDIT)) { + debug("Setting sat id to %d", (int) pw->pw_uid); + if (satsetid(pw->pw_uid)) + debug("error setting satid: %.100s", strerror(errno)); + } +#endif /* WITH_IRIX_AUDIT */ +} + + +#endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ diff -urN openssh-3.0.2p1/openbsd-compat/bsd-irix.h openssh-irix/openbsd-compat/bsd-irix.h --- openssh-3.0.2p1/openbsd-compat/bsd-irix.h Wed Dec 31 18:00:00 1969 +++ openssh-irix/openbsd-compat/bsd-irix.h Thu Feb 14 23:06:23 2002 
@@ -0,0 +1,5 @@ +#if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) + +void irix_setusercontext(struct passwd *pw); + +#endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ diff -urN openssh-3.0.2p1/openbsd-compat/openbsd-compat.h openssh-irix/openbsd-compat/openbsd-compat.h --- openssh-3.0.2p1/openbsd-compat/openbsd-compat.h Wed Sep 19 21:07:51 2001 +++ openssh-irix/openbsd-compat/openbsd-compat.h Thu Feb 14 22:56:33 2002 @@ -40,5 +40,6 @@ /* Routines for a single OS platform */ #include "bsd-cray.h" +#include "bsd-irix.h" #endif /* _OPENBSD_H */ Binary files openssh-3.0.2p1/scard/Ssh.bin and openssh-irix/scard/Ssh.bin differ diff -urN openssh-3.0.2p1/session.c openssh-irix/session.c --- openssh-3.0.2p1/session.c Sat Dec 1 17:37:08 2001 +++ openssh-irix/session.c Thu Feb 14 23:07:31 2002 @@ -57,16 +57,6 @@ #include "canohost.h" #include "session.h" -#ifdef WITH_IRIX_PROJECT -#include -#endif /* WITH_IRIX_PROJECT */ -#ifdef WITH_IRIX_JOBS -#include -#endif -#ifdef WITH_IRIX_AUDIT -#include -#endif /* WITH_IRIX_AUDIT */ - #if defined(HAVE_USERSEC_H) #include #endif @@ -1038,16 +1028,6 @@ struct stat st; char *argv[10]; int do_xauth; -#ifdef WITH_IRIX_PROJECT - prid_t projid; -#endif /* WITH_IRIX_PROJECT */ -#ifdef WITH_IRIX_JOBS - jid_t jid = 0; -#else -#ifdef WITH_IRIX_ARRAY - int jid = 0; -#endif /* WITH_IRIX_ARRAY */ -#endif /* WITH_IRIX_JOBS */ do_xauth = s->display != NULL && s->auth_proto != NULL && s->auth_data != NULL; 
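Review bot: in the bsd-irix.c hunk, the `#ifdef WITH_IRIX_AUDIT` block (`if (sysconf(_SC_AUDIT)) ... satsetid(pw->pw_uid)`) lives inside a file whose outer guard is `#if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY)`, and the replacement call in session.c is guarded by the same three macros, whereas the block being removed from session.c stood under its own `#ifdef WITH_IRIX_AUDIT`. A build that defines only WITH_IRIX_AUDIT therefore silently stops setting the SAT id for the session. Add `|| defined(WITH_IRIX_AUDIT)` to both guards, or keep the audit call under its own guard at the call site.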
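Review bot: bsd-irix.h declares `void irix_setusercontext(struct passwd *pw);` without anything that declares `struct passwd`, so the header only compiles cleanly where <pwd.h> happens to be included before openbsd-compat.h pulls it in. A one-line `struct passwd;` forward declaration above the prototype makes the header self-contained.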
@@ -1130,39 +1110,9 @@ */ do_pam_setcred(0); # endif /* USE_PAM */ -# ifdef WITH_IRIX_JOBS - jid = jlimit_startjob(pw->pw_name, pw->pw_uid, "interactive"); - if (jid == -1) { - fatal("Failed to create job container: %.100s", - strerror(errno)); - } -# endif /* WITH_IRIX_JOBS */ -# ifdef WITH_IRIX_ARRAY - /* initialize array session */ - if (jid == 0) { - if (newarraysess() != 0) - fatal("Failed to set up new array session: %.100s", - strerror(errno)); - } -# endif /* WITH_IRIX_ARRAY */ -# ifdef WITH_IRIX_PROJECT - /* initialize irix project info */ - if ((projid = getdfltprojuser(pw->pw_name)) == -1) { - debug("Failed to get project id, using projid 0"); - projid = 0; - } - if (setprid(projid)) - fatal("Failed to initialize project %d for %s: %.100s", - (int)projid, pw->pw_name, strerror(errno)); -# endif /* WITH_IRIX_PROJECT */ -#ifdef WITH_IRIX_AUDIT - if (sysconf(_SC_AUDIT)) { - debug("Setting sat id to %d", (int) pw->pw_uid); - if (satsetid(pw->pw_uid)) - debug("error setting satid: %.100s", strerror(errno)); - } -#endif /* WITH_IRIX_AUDIT */ - +# if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) + irix_setusercontext(pw); +# endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ #ifdef _AIX /* * AIX has a "usrinfo" area where logname and

From: cawlfiel at austin.ibm.com (cawlfiel)
Date: Fri, 15 Feb 2002 15:39:43 -0600
Subject: OpenSSH test server?
Message-ID: <3C6D801F.3E25AD6E@austin.ibm.com>

Hey guys, is there a publicly-available server out there to which I can connect my OpenSSH client? I'm just looking for a system that I can connect to (preferably 2.9.9p2), verify the session is working properly, and disconnect.

Thanks,
Kevin Cawlfield
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri, 15 Feb 2002 14:56:14 -0800
Subject: CVS for portable?
In-Reply-To: <20020215210001.A7761@folly>; from markus@openbsd.org on Fri, Feb 15, 2002 at 09:00:01PM +0100
References: <20020215014122.B30179@google.com> <20020215210001.A7761@folly>
Message-ID: <20020215145613.D26346@google.com>

On Fri, Feb 15, 2002 at 09:00:01PM +0100, Markus Friedl wrote:
> On Fri, Feb 15, 2002 at 01:41:22AM -0800, Frank Cusack wrote:
> > The instructions on are incorrect.
> > (There is no 'openssh' module.)
>
> does openssh_cvs work?

I should have mentioned, I did a 'cvs checkout modules' and there is no mention of any *ssh*. It's just the openbsd source tree.

/fc

From: markus at openbsd.org (Markus Friedl)
Date: Sat, 16 Feb 2002 00:05:56 +0100
Subject: CVS for portable?
In-Reply-To: <20020215145613.D26346@google.com>
References: <20020215014122.B30179@google.com> <20020215210001.A7761@folly> <20020215145613.D26346@google.com>
Message-ID: <20020215230555.GA7213@faui02>

On Fri, Feb 15, 2002 at 02:56:14PM -0800, Frank Cusack wrote:
> On Fri, Feb 15, 2002 at 09:00:01PM +0100, Markus Friedl wrote:
> > On Fri, Feb 15, 2002 at 01:41:22AM -0800, Frank Cusack wrote:
> > > The instructions on are incorrect.
> > > (There is no 'openssh' module.)
> >
> > does openssh_cvs work?
>
> I should have mentioned, I did a 'cvs checkout modules' and there is no
> mention of any *ssh*. It's just the openbsd source tree.

i don't see cvs checkout modules mentioned on the web site.

the instructions from the web site work fine for me:

export CVSROOT=openssh at anoncvs.be.openbsd.org:/cvs
export CVS_RSH=/usr/bin/ssh
cvs get openssh

-m
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri, 15 Feb 2002 15:14:54 -0800
Subject: CVS for portable?
In-Reply-To: <20020215230555.GA7213@faui02>; from markus@openbsd.org on Sat, Feb 16, 2002 at 12:05:56AM +0100
References: <20020215014122.B30179@google.com> <20020215210001.A7761@folly> <20020215145613.D26346@google.com> <20020215230555.GA7213@faui02>
Message-ID: <20020215151453.E26346@google.com>

On Sat, Feb 16, 2002 at 12:05:56AM +0100, Markus Friedl wrote:
> the instructions from the web site work fine for me:
>
> export CVSROOT=openssh at anoncvs.be.openbsd.org:/cvs
> export CVS_RSH=/usr/bin/ssh
> cvs get openssh

yup, it's working now. Perhaps I had a typo last night. Oh, I bet I didn't copy/paste and instead of openssh at anoncvs I was using anoncvs at anoncvs.

thanks,
/fc

From: djm at mindrot.org (Damien Miller)
Date: Sat, 16 Feb 2002 11:11:58 +1100 (EST)
Subject: OpenSSH test server?
In-Reply-To: <3C6D801F.3E25AD6E@austin.ibm.com>
Message-ID:

On Fri, 15 Feb 2002, cawlfiel wrote:
> Hey guys, is there a publicly-available server out there to which I can
> connect my OpenSSH client? I'm just looking for a system that I can
> connect to (preferably 2.9.9p2), verify the session is working properly,
> and disconnect.

No, but you can run sshd on just about anything.

-d
From: djm at mindrot.org (Damien Miller)
Date: Sat, 16 Feb 2002 11:15:52 +1100 (EST)
Subject: ssh can't resolve hostnames thru WINS
In-Reply-To: <200202151149.g1FBmxt26507@Port.imtp.ilyichevsk.odessa.ua>
Message-ID:

On Fri, 15 Feb 2002, Denis Vlasenko wrote:
> [Please CC me, I'm not on the list]
>
> My box is on a mostly Windows-populated network.
> Naturally, I set up Samba and added WINS as a name resolution option.
>
> I found out that some programs now can use NetBIOS names, other can't.
> openssh falls into latter category :-(
>
> I found that openssh use this snippet to convert hostname to ip:
>
> if((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
> fatal("%s: %.100s: %s", __progname, host,
> gai_strerror(gaierr));
>
> and it fails for me exactly in this if() when I say "ssh ".
> OTOH, ping uses code similar to
>
> struct hostent *hp;
> hp = gethostbyname(hostname);
>
> and this works for WINS names.

If you do this, you'll lose IPv6 capability.

-d
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 16 Feb 2002 12:26:51 +1100 (EST)
Subject: [Bug 119] New: Occasionally, SSH failed to connect and timeout after 2 hrs!
Message-ID: <20020216012651.34B76EB3F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=119

Summary: Occasionally, SSH failed to connect and timeout after 2 hrs!
Product: Portable OpenSSH
Version: older versions
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: anguslau at hongkong.com

Output with ssh -vvv
=====================
Tue Feb 12 04:10:04 HKT 2002
OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Seeding random number generator^M
debug1: Rhosts Authentication disabled, originating port will not be trusted.^M
debug1: ssh_connect: getuid 0 geteuid 0 anon 1^M
debug1: Connecting to vtms_hbbak [10.37.70.213] port 22.^M
debug1: Connection established.^M
debug3: Bad RSA1 key file /root/.ssh/identity.^M
debug2: key_type_from_name: unknown key type '-----BEGIN'^M
debug3: key_read: no key found^M
debug3: key_read: no space^M
debug3: key_read: no space^M
debug3: key_read: no space^M
debug3: key_read: no space^M
debug3: key_read: no space^M
debug3: key_read: no space^M
OpenSSH_2.5.2p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Seeding random number generator^M
debug1: Rhosts Authentication disabled, originating port will not be trusted.^M
debug1: ssh_connect: getuid 0 geteuid 0 anon 1^M
debug1: Connecting to MYHOST [10.20.30.40] port 22.^M
debug1: Connection established.^M
debug3: Bad RSA1 key file /root/.ssh/identity.^M
debug2: key_type_from_name: unknown key type '-----BEGIN'^M
debug3: key_read: no key found^M
debug3: key_read: no space^M
debug3: key_read: no space^M
debug3: key_read: no space^M
debug3: key_read: no space^M
debug3: key_read: no space^M
debug3: key_read: no space^M
debug3: key_read: no space^M
debug3: key_read: no space^M
debug3: key_read: no space^M
debug3: key_read: no space^M
debug3: key_read: no space^M
debug3: key_read: no space^M
debug3: key_read: no space^M
debug2: key_type_from_name: unknown key type '-----END'^M
debug3: key_read: no key found^M
debug1: identity file /root/.ssh/identity type 1^M
debug1: unknown identity file /root/.ssh/id_rsa^M
debug1: identity file /root/.ssh/id_rsa type -1^M
debug1: unknown identity file /root/.ssh/id_dsa^M
debug1: identity file /root/.ssh/id_dsa type -1^M
ssh_exchange_identification: read: Connection reset by peer^M
debug1: Calling cleanup 0x8061610(0x0)^M
Tue Feb 12 06:11:39 HKT 2002
==============================

Normally should read
=====================
.....
debug1: unknown identity file /root/.ssh/id_rsa^M
debug1: identity file /root/.ssh/id_rsa type -1^M
debug1: unknown identity file /root/.ssh/id_dsa^M
debug1: identity file /root/.ssh/id_dsa type -1^M
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.5.2p2^M
debug1: match: OpenSSH_2.5.2p2 pat ^OpenSSH^M
.....

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From: fcusack at fcusack.com (Frank Cusack)
Date: Fri, 15 Feb 2002 17:56:35 -0800
Subject: Warning message at password prompt
In-Reply-To: ; from epa98@doc.ic.ac.uk on Fri, Feb 15, 2002 at 02:31:35PM +0000
References: <20020215014823.A2946@google.com>
Message-ID: <20020215175634.C25293@google.com>

On Fri, Feb 15, 2002 at 02:31:35PM +0000, Edward Avis wrote:
> On Fri, 15 Feb 2002, Frank Cusack wrote:
>
> [patching to enable cipher 'none']
>
> >You need 'none2' otherwise you can't do a 'none' encryption with
> >protocol 2. (In the openssh implementation, "keywords" for encryption types
> >cannot be shared for protocol 1/2.)
>
> Actually that is just what I did in my patch, with this change to
> cipher.c:
>
> - - if (c == NULL || c->number != SSH_CIPHER_SSH2) { > + /* SSH_CIPHER_NONE can be used by both protocol 1 and 2 */ > + if (c == NULL || (c->number != SSH_CIPHER_SSH2 > + && c->number != SSH_CIPHER_NONE)) {
>
> Since none_setkey() and friends seem to fit both the protocol 1 and
> protocol 2 interface, it seemed best to have the single cipher name
> 'none' in both cases.

I had the same thing originally but opted for 'none2' in the end. I don't remember why, maybe it was a bad choice after all.

> (In fact, I'd say that cipher names _should_ be shared between
> protocols, with the lookup being done based on name and protocol
> version. Then 'ssh -1 -c 3des' and 'ssh -2 -c 3des' would use the
> current 3des and 3des-cbc respectively, without the user having to
> memorize those names. But for my own use I implemented this only for
> 'none'.)

They do. 'ssh -1 -c 3des' and 'ssh -2 -c 3des' both work as the user expects.

> >--- openssh.orig/sshconnect2.c > >+++ openssh/sshconnect2.c
> >@@ -449,6 +449,9 @@ > > if(attempt != 1) > > error("Permission denied, please try again."); > > > >+ if (!strcmp("none2", options.ciphers)) > >+ log("WARNING: Encryption is disabled! " > >+ "Response will be transmitted in clear text.");
>
> Are you sure that is correct? It tests the options given when invoking
> ssh (or in a config file), but that's not necessarily the same as the
> actual cipher that was negotiated. Or maybe it is in the current
> implementation, but should sshconnect2.c know that?

I'm not sure it is correct. I merely "followed along" with what the ssh1 case already did.

> I'm just a bit unhappy with trying to figure out the cipher in use by
> looking at the options struct. Surely there is a way to get the
> definitive answer of what cipher is being _used_.

Yeah, but it can change at any time, even during the password exchange. Although, no implementation is likely to actually do this.

> OTOH, I see now that the password-warning code for SSH1 protocol does
> the same thing, looking at the options rather than finding the answer
> directly, so maybe it is acceptable. This will break if at some future
> date the options specify a list of ciphers, only one of which is used
> after negotiating with the server.

yep. darn. So a better patch is probably in order. I had never even considered that the warning was based on requested cipher vs used cipher. With ssh1 this is not an issue. In real life though, this shouldn't be an issue; you should never "down-negotiate" to 'none' encryption.

> Another interesting question: is it worthwhile giving a similar warning
> if plain DES is used? Do we think that password-sniffing by breaking

Already done.

/fc
From: epa98 at doc.ic.ac.uk (Edward Avis)
Date: Sat, 16 Feb 2002 10:08:19 +0000 (GMT)
Subject: Warning message at password prompt
In-Reply-To: <20020215175634.C25293@google.com>
Message-ID:

Since in principle the cipher used can be renegotiated at any time, what's needed is a warning that the password _might_ be sent as cleartext. So the password prompt needs to find out whether 'none' is included in the list of ciphers that the client accepts. If none is not in that list, then we know that down-negotiating to none is impossible and it's safe to send a password over the link.

Previously I didn't want to use the options struct because I thought that the cipher chosen by the user might not be the same as the one that was negotiated. However, since the warning should actually occur based on the possibility of choosing 'none', perhaps the options struct is the place to look to find whether none could be chosen. Am I right in thinking that the options solely determine what ciphers the client will accept in negotiation?

Another interesting possibility is to start off with say 3DES for the initial authentication and sending of passwords, then renegotiate to none or some faster cipher to send most of the data. But that is beyond the scope of what I want to do.

- --
Ed Avis
Finger for PGP key
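Ed's two suggestions, an `is_insecure` field on the cipher entry (his first message) and warning whenever 'none' is among the ciphers the client would accept (this one), fit together. This added example is mine, not OpenSSH's cipher.c or either poster's patch: a constructed cipher table carrying that flag, a comma-list membership check against it, and the exact-compare test from the quoted patch kept alongside for contrast; the table contents and the PROTO1/PROTO2 bitmask are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Which protocol(s) a cipher name is valid for. A bitmask is an assumption
 * of this example, not how cipher.c is organised. */
enum { PROTO1 = 1, PROTO2 = 2 };

/* Constructed cipher table. `insecure` is the "is_insecure" field proposed
 * in the thread: set for anything a password must never be typed over. */
struct cipher {
    const char *name;
    int proto;
    int insecure;
};

static const struct cipher ciphers[] = {
    { "3des",       PROTO1,          0 },
    { "3des-cbc",   PROTO2,          0 },
    { "aes128-cbc", PROTO2,          0 },
    { "des",        PROTO1,          1 },   /* single DES: weak */
    { "none",       PROTO1 | PROTO2, 1 },   /* one name for both protocols, as in Ed's cipher.c change */
    { NULL,         0,               0 }
};

static const struct cipher *cipher_by_name(const char *name)
{
    const struct cipher *c;
    for (c = ciphers; c->name != NULL; c++)
        if (strcmp(c->name, name) == 0)
            return c;
    return NULL;
}

/* The check as written in the quoted sshconnect2.c patch: an exact string
 * compare against the whole Ciphers option. */
int warn_exact(const char *ciphers_opt)
{
    return strcmp("none", ciphers_opt) == 0;
}

/*
 * Membership check: split the comma-separated Ciphers option and warn if any
 * entry usable with `proto` is flagged insecure, i.e. if the server could end
 * up selecting it. Returns 1 (warn), 0 (safe), -1 on allocation failure.
 */
int warn_if_insecure_possible(const char *ciphers_opt, int proto)
{
    char *copy, *tok, *save = NULL;
    int warn = 0;

    if ((copy = strdup(ciphers_opt)) == NULL)
        return -1;
    for (tok = strtok_r(copy, ",", &save); tok != NULL;
         tok = strtok_r(NULL, ",", &save)) {
        const struct cipher *c = cipher_by_name(tok);
        if (c == NULL || (c->proto & proto) == 0)
            continue;   /* unknown name or wrong protocol: cannot be negotiated */
        if (c->insecure) {
            warn = 1;
            break;
        }
    }
    free(copy);
    return warn;
}

/* What the password prompt would print before asking, or NULL if nothing. */
const char *password_prompt_warning(const char *ciphers_opt, int proto)
{
    return warn_if_insecure_possible(ciphers_opt, proto) == 1
        ? "WARNING: an insecure cipher may be negotiated; the password might be transmitted in clear text."
        : NULL;
}

int main(void)
{
    const char *opts[] = { "none", "aes128-cbc,none", "3des-cbc,aes128-cbc", "des" };
    size_t i;

    for (i = 0; i < sizeof(opts) / sizeof(opts[0]); i++)
        printf("Ciphers=%-22s exact:%d  proto1:%d  proto2:%d\n", opts[i],
               warn_exact(opts[i]),
               warn_if_insecure_possible(opts[i], PROTO1),
               warn_if_insecure_possible(opts[i], PROTO2));
    return 0;
}
```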
From: vda at port.imtp.ilyichevsk.odessa.ua (Denis Vlasenko)
Date: Sat, 16 Feb 2002 12:57:22 -0200
Subject: ssh can't resolve hostnames thru WINS
In-Reply-To: <20020215052926.A10832@google.com>
References: <200202151149.g1FBmxt26507@Port.imtp.ilyichevsk.odessa.ua> <20020215052926.A10832@google.com>
Message-ID: <200202161057.g1GAvLm02591@Port.imtp.ilyichevsk.odessa.ua>

On 15 February 2002 11:29, Frank Cusack wrote:
> > [Please CC me, I'm not on the list]
> >
> > My box is on a mostly Windows-populated network.
> > Naturally, I set up Samba and added WINS as a name resolution option.
> >
> > I found out that some programs now can use NetBIOS names, other can't.
> > openssh falls into latter category :-(
> >
> > I found that openssh use this snippet to convert hostname to ip:
> >
> > if((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
> > fatal("%s: %.100s: %s", __progname, host,
> > gai_strerror(gaierr));
> >
> > and it fails for me exactly in this if() when I say "ssh ".
> > OTOH, ping uses code similar to
> >
> > struct hostent *hp;
> > hp = gethostbyname(hostname);
> >
> > and this works for WINS names.
>
> You must have a 'wins' entry in your nsswitch.conf.

I do have it, or else ping (and many other programs) won't resolve hostnames via WINS server.

> I guess getaddrinfo()
> doesn't support nsswitch correctly. Judging by this email:
> I'd say
> it doesn't.

I'm new to these things, where should I look to fix it? Glibc?

On 15 February 2002 11:32, Gert Doering wrote:
> > I found that openssh use this snippet to convert hostname to ip:
> >
> > if((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
> > fatal("%s: %.100s: %s", __progname, host,
> > gai_strerror(gaierr));
>
> This is the "best" and *current* way to do hostname to IP resolution.
>
> > and it fails for me exactly in this if() when I say "ssh ".
> > OTOH, ping uses code similar to
> >
> > struct hostent *hp;
> > hp = gethostbyname(hostname);
>
> This is "the old way", which can't do IPv6 (and has other limitations).
>
> > and this works for WINS names.
>
> Sounds like a microsoft weirdness to me...

!? It has nothing to do with M$, it is a Linux box...
--
vda

From: vda at port.imtp.ilyichevsk.odessa.ua (Denis Vlasenko)
Date: Sat, 16 Feb 2002 13:25:23 -0200
Subject: ssh can't resolve hostnames thru WINS
In-Reply-To:
References:
Message-ID: <200202161125.g1GBPKm02663@Port.imtp.ilyichevsk.odessa.ua>

On 15 February 2002 22:15, Damien Miller wrote:
> On Fri, 15 Feb 2002, Denis Vlasenko wrote:
> > [Please CC me, I'm not on the list]
> >
> > My box is on a mostly Windows-populated network.
> > Naturally, I set up Samba and added WINS as a name resolution option.
> >
> > I found out that some programs now can use NetBIOS names, other can't.
> > openssh falls into latter category :-(
> >
> > I found that openssh use this snippet to convert hostname to ip:
> >
> > if((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0)
> > fatal("%s: %.100s: %s", __progname, host,
> > gai_strerror(gaierr));
> >
> > and it fails for me exactly in this if() when I say "ssh ".
> > OTOH, ping uses code similar to
> >
> > struct hostent *hp;
> > hp = gethostbyname(hostname);
> >
> > and this works for WINS names.
>
> If you do this, you'll lose IPv6 capability.

I don't use IPv6, but I agree we need right fix, not a dirty hack. It seems getaddrinfo does not use WINS for name resolution as it should (I have all required libs and config (nsswitch.conf) in place). Where does getaddrinfo live? In glibc?
--
vda
From: mouring at etoh.eviladmin.org (mouring)
Date: Sat, 16 Feb 2002 08:03:34 -0600 (CST)
Subject: Warning message at password prompt
In-Reply-To:
Message-ID:

On Sat, 16 Feb 2002, Edward Avis wrote:
[..]
> Another interesting possibility is to start off with say 3DES for the
> initial authentication and sending of passwords, then renegotiate to
> none or some faster cipher to send most of the data. But that is beyond
> the scope of what I want to do.
>

Renegotiation can only be done by the server. Therefore you would either need to set the rekeying option to some insanely low time and pray to god the user made it in time. Then you would be interrupted consistently for rekeying which would have impact on performance of the protocol and performance of the server/client involved (rekey is still expensive on slower boxes)..

Or con someone at ssh-ietf at netbsd.net to change the current IETF draft--that is a year overdue for RFC publishing--to allow the client to request a rekey. Which in and of itself could be a resource attack unless you limit the client's rekey requests to post-authentication.

I really dislike the idea of -c 'none'. If I wanted -c 'none' I'd use rsh/telnet/ftp/rcp/etc. RSA/DSA keys are not enough of a bonus in my view to prompt ssh as a 'glorified telnet'. =)

But that is just my world view. I don't expect people to agree with me on my personal beliefs (gawd would that be a boring world and one I could not live in.. UGH).

- Ben
From: fcusack at fcusack.com (Frank Cusack)
Date: Sat, 16 Feb 2002 07:17:19 -0800
Subject: ssh can't resolve hostnames thru WINS
In-Reply-To: <200202161057.g1GAvLm02591@Port.imtp.ilyichevsk.odessa.ua>; from vda@port.imtp.ilyichevsk.odessa.ua on Sat, Feb 16, 2002 at 12:57:22PM -0200
References: <200202151149.g1FBmxt26507@Port.imtp.ilyichevsk.odessa.ua> <20020215052926.A10832@google.com> <200202161057.g1GAvLm02591@Port.imtp.ilyichevsk.odessa.ua>
Message-ID: <20020216071718.A28940@google.com>

On Sat, Feb 16, 2002 at 12:57:22PM -0200, Denis Vlasenko wrote:
> On 15 February 2002 11:29, Frank Cusack wrote:
> > > getaddrinfo()
>
> I'm new to these things, where should I look to fix it? Glibc?

On Linux, yes.

/fc

From: markus at openbsd.org (Markus Friedl)
Date: Sat, 16 Feb 2002 21:22:24 +0100
Subject: Warning message at password prompt
In-Reply-To: ; from mouring@etoh.eviladmin.org on Sat, Feb 16, 2002 at 08:03:34AM -0600
References:
Message-ID: <20020216212224.B26958@folly>

On Sat, Feb 16, 2002 at 08:03:34AM -0600, mouring wrote:
> Renegotiation can only be done by the server.

no, try ~R

From: mstone at cs.loyola.edu (Michael Stone)
Date: Sun, 17 Feb 2002 13:28:43 -0500
Subject: IRIX cleanup.
In-Reply-To: ; from mouring@etoh.eviladmin.org on Fri, Feb 15, 2002 at 01:27:21PM -0600
References:
Message-ID: <20020217132843.E6750@justice.loyola.edu>

On Fri, Feb 15, 2002 at 01:27:21PM -0600, mouring wrote:
> Also if someone could give me the hint for the right compiler magic
> to wrap the code in instead of what I'm doing now. I'd be thankful.

Could you rephrase that, I'm having trouble parsing...

--
Mike Stone
From: mouring at etoh.eviladmin.org (mouring)
Date: Sun, 17 Feb 2002 12:49:55 -0600 (CST)
Subject: IRIX cleanup.
In-Reply-To: <20020217132843.E6750@justice.loyola.edu>
Message-ID:

On AIX I can do #ifdef ddd

On Sun, 17 Feb 2002, Michael Stone wrote:
> On Fri, Feb 15, 2002 at 01:27:21PM -0600, mouring wrote:
> > Also if someone could give me the hint for the right compiler magic
> > to wrap the code in instead of what I'm doing now. I'd be thankful.
>
> Could you rephrase that, I'm having trouble parsing...
>

I need the preprocessing define that the gcc/cc compiler sets for IRIX. So I can do something like:

#ifdef _IRIX
[..]
#endif /* _IRIX */

instead of the #ifdef mess I have now.

- Ben

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 18 Feb 2002 08:43:43 +1100 (EST)
Subject: [Bug 105] scp protocol 2 over a hippi interface takes 6 times longer
Message-ID: <20020217214343.7D70FE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=105

------- Additional Comments From markus at openbsd.org 2002-02-18 08:43 -------

what about this?

Index: channels.c =================================================================== RCS file: /cvs/openssh_cvs/channels.c,v retrieving revision 1.138 diff -u -r1.138 channels.c --- channels.c 8 Feb 2002 11:07:17 -0000 1.138 +++ channels.c 17 Feb 2002 21:34:48 -0000 @@ -1227,7 +1227,7 @@ static int channel_handle_rfd(Channel *c, fd_set * readset, fd_set * writeset) { - char buf[16*1024]; + char buf[64*1024]; int len; if (c->rfd != -1 &&
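Review bot: `char buf[64*1024]` in channel_handle_rfd() quadruples an automatic array to 64 KiB of stack on every call; if the larger read turns out to matter, a buffer allocated once (static or hung off the Channel) and a named size constant would be safer than a literal on the stack, and the size should be chosen together with the channel's packet and window limits rather than on its own. The follow-up timing posted on this bug (pas50, 2002-02-18 21:07) shows no improvement from the change, so the bottleneck looks to be elsewhere.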
From: djm at mindrot.org (Damien Miller) Date: Mon, 18 Feb 2002 14:43:08 +1100 (EST) Subject: ssh can't resolve hostnames thru WINS In-Reply-To: <200202161125.g1GBPKm02663@Port.imtp.ilyichevsk.odessa.ua> Message-ID: On Sat, 16 Feb 2002, Denis Vlasenko wrote: > > If you do this, you'll lose IPv6 capability. > > I don't use IPv6, but I agree we need right fix, not a dirty hack. > It seems getaddrinfo does not use WINS for name resolution as it should > (I have all required libs and config (nsswitch.conf)) in place. > > Where does getaddrinfo live? In glibc? yes, getaddrinfo usually lives in libc. -d From bugzilla-daemon at mindrot.org Mon Feb 18 18:58:37 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 18 Feb 2002 18:58:37 +1100 (EST) Subject: [Bug 120] New: sshd fails pty chown() when run as non-root userid Message-ID: <20020218075837.58691E8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=120 Summary: sshd fails pty chown() when run as non-root userid Product: Portable OpenSSH Version: 3.0.2p1 Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: idallen at freenet.carleton.ca I have to run a private copy of sshd (on AIX) as non-root because the local admin won't install the real thing. As non-root, I can't chown() ptys. The sshd function pty_setowner() fails and so does sshd when I try an interactive (shell) login. The chown() should not be attempted if sshd is running as non-root. (All the occurrences of chown() in sshpty.c need this checking.) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From roberto.bertucci at netscalibur.it Mon Feb 18 20:39:29 2002 
From: roberto.bertucci at netscalibur.it (Roberto Bertucci) Date: Mon, 18 Feb 2002 10:39:29 +0100 Subject: Problem with Sol8 and LDAP Message-ID: <5.1.0.14.2.20020218103511.03454eb8@mail2.netscalibur.it> Hi, I am experiencing a problem with ssh 3.0.2.p1 running on Solaris 2.8. Everything works fine with local users (i.e. with local passwd and shadow entries). With LDAP authenticated users, I obtain: treno at tao[!] -> ssh -v Segmentation Fault (core dumped) The problem is the same with 2.x releases. Thank you, Roberto Bertucci From bugzilla-daemon at mindrot.org Mon Feb 18 21:07:25 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 18 Feb 2002 21:07:25 +1100 (EST) Subject: [Bug 105] scp protocol 2 over a hippi interface takes 6 times longer Message-ID: <20020218100725.5A4CDE8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=105 ------- Additional Comments From pas50 at cam.ac.uk 2002-02-18 21:07 ------- time `cat lapack.ibm.tar.gz | local/bin/ssh -2 -c 3des-cbc -p 10222 hodgkin 'cat > f2' ` 8.8u 0.7s 0:29 33% 681+701k 0+0io 139pf+0w That didn't seem to help. I checked for reproducibility. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From markus at openbsd.org Tue Feb 19 00:59:01 2002 
From: markus at openbsd.org (Markus Friedl) Date: Mon, 18 Feb 2002 14:59:01 +0100 Subject: Warning message at password prompt In-Reply-To: References: <20020214062850.E25452@justice.loyola.edu> Message-ID: <20020218135900.GA19023@faui02> On Thu, Feb 14, 2002 at 12:04:52PM +0000, Edward Avis wrote: > I will certainly benchmark and post a summary of results to this list. here are some results: cpu0: Intel Pentium III (Coppermine) ("GenuineIntel" 686-class) 745 MHz
http://www.monkey.org/~markus/openssh/LOG
http://www.monkey.org/~markus/openssh/cipher-speed.sh
test-driver: http://www.openbsd.org/cgi-bin/cvsweb/src/regress/usr.bin/ssh/test-exec.sh
test try ciphers: proto 2 cipher none mac none 0.44s real 0.09s user 0.06s system
test try ciphers: proto 2 cipher arcfour mac none 0.97s real 0.32s user 0.04s system
test try ciphers: proto 2 cipher none mac hmac-md5-96 1.21s real 0.44s user 0.04s system
test try ciphers: proto 2 cipher aes128-cbc mac none 1.46s real 0.52s user 0.03s system
test try ciphers: proto 2 cipher 3des-cbc mac hmac-md5 7.42s real 3.43s user 0.08s system
From ed at UDel.Edu Tue Feb 19 01:31:41 2002 From: ed at UDel.Edu (Ed Phillips) Date: Mon, 18 Feb 2002 09:31:41 -0500 (EST) Subject: Problem with Sol8 and LDAP In-Reply-To: <5.1.0.14.2.20020218103511.03454eb8@mail2.netscalibur.it> Message-ID: On Mon, 18 Feb 2002, Roberto Bertucci wrote: > Date: Mon, 18 Feb 2002 10:39:29 +0100 
> From: Roberto Bertucci > To: openssh-unix-dev at mindrot.org > Subject: Problem with Sol8 and LDAP > > Hi, I am experiencing a problem with ssh 3.0.2.p1 running on Solaris 2.8. What patches do you have installed for Sol8? Did you install all of the recommended patches along with relevant LDAP/PAM patches? What does your /etc/nsswitch.conf look like? What does /etc/pam.conf look like? > Everything works fine with local users (i.e. with local passwd and shadow > entries). With LDAP authenticated users, I obtain: > > treno at tao[!] -> ssh -v > Segmentation Fault (core dumped) We need a little more than "core dumped" to be able to solve the problem... can you provide truss output? Is "treno" a user that is logged in via PAM+LDAP (there is an sshd process involved) or is this a user who is on the console trying to ssh out of the system? > The problem is the same with 2.x releases. I've never seen the client dump core like this, even on a system that has PAM configured to use LDAP. Ed Ed Phillips University of Delaware (302) 831-6082 Systems Programmer III, Network and Systems Services finger -l ed at polycut.nss.udel.edu for PGP public key From bugzilla-daemon at mindrot.org Tue Feb 19 04:24:32 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 19 Feb 2002 04:24:32 +1100 (EST) Subject: [Bug 105] scp protocol 2 over a hippi interface takes 6 times longer Message-ID: <20020218172432.7972BE8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=105 markus at openbsd.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED ------- Additional Comments From markus at openbsd.org 2002-02-19 04:24 ------- there should be no difference between protocol 1 and 2 now. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Feb 19 04:29:15 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 19 Feb 2002 04:29:15 +1100 (EST) Subject: [Bug 120] sshd fails pty chown() when run as non-root userid Message-ID: <20020218172915.4E80EE8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=120 ------- Additional Comments From markus at openbsd.org 2002-02-19 04:29 ------- can you allocate ptys as non-root? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Feb 19 04:35:41 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 19 Feb 2002 04:35:41 +1100 (EST) Subject: [Bug 90] [PATCH] Make the quiet options behave consistently Message-ID: <20020218173541.164BFE960@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=90 markus at openbsd.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED ------- Additional Comments From markus at openbsd.org 2002-02-19 04:35 ------- we could fix the documentation instead: Index: ssh.1 =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh.1,v retrieving revision 1.147 diff -u -r1.147 ssh.1 --- ssh.1 9 Feb 2002 17:37:34 -0000 1.147 +++ ssh.1 18 Feb 2002 17:27:53 -0000 @@ -521,7 +521,6 @@ .It Fl q Quiet mode. Causes all warning and diagnostic messages to be suppressed. -Only fatal errors are displayed. .It Fl s May be used to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use of SSH as a secure transport for other applications (eg. sftp). The ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Feb 19 04:56:58 2002 
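Review bot: deleting "Only fatal errors are displayed." leaves the -q entry saying only what is suppressed and nothing about what still reaches the user, so the reader cannot tell from the remaining "Causes all warning and diagnostic messages to be suppressed." which behaviour the bug title's "consistently" settled on. If fatal errors are still printed under -q, the sentence should be corrected rather than removed; if they are not, the entry should say explicitly that -q silences error output as well.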
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 19 Feb 2002 04:56:58 +1100 (EST) Subject: [Bug 120] sshd fails pty chown() when run as non-root userid Message-ID: <20020218175658.29A1AE960@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=120 ------- Additional Comments From idallen at freenet.carleton.ca 2002-02-19 04:56 ------- Yes, the previous (non-open) version of sshd that I compiled and installed on this AIX machine worked fine, even though it couldn't chown the ptys. The AIX ptys are set up this way: acadaix%~[507] ls -l /dev/pts/99 crw-rw-rw- 1 root system 25, 99 Apr 25 2001 /dev/pts/99 You can use them, you just can't chown them! ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Feb 19 05:03:04 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 19 Feb 2002 05:03:04 +1100 (EST) Subject: [Bug 120] sshd fails pty chown() when run as non-root userid Message-ID: <20020218180304.6FFC0E960@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=120 ------- Additional Comments From markus at openbsd.org 2002-02-19 05:03 ------- can other users access the tty and snoop data? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Feb 19 05:04:50 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 19 Feb 2002 05:04:50 +1100 (EST) Subject: [Bug 90] [PATCH] Make the quiet options behave consistently Message-ID: <20020218180450.DF65DE96B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=90 markus at openbsd.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED ------- Additional Comments From markus at openbsd.org 2002-02-19 05:04 ------- "Only fatal errors are displayed." has been removed from ssh.1 ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From datqtruong at yahoo.com Tue Feb 19 08:02:35 2002 From: datqtruong at yahoo.com (dat truong) Date: Mon, 18 Feb 2002 13:02:35 -0800 (PST) Subject: purpose of scp -B? In-Reply-To: <20020125100829.A28091@folly> Message-ID: <20020218210235.75371.qmail@web14508.mail.yahoo.com> Hi, Does anybody know the intention of scp -B? Is it for batch mode processing? I assume that it does not require an ssh agent running. Please help. Many thanks in advance. -Dat Truong __________________________________________________ Do You Yahoo!? Yahoo! Sports - Coverage of the 2002 Olympic Games http://sports.yahoo.com From rebel at atrey.karlin.mff.cuni.cz Tue Feb 19 18:32:34 2002 From: rebel at atrey.karlin.mff.cuni.cz (Michal Svec) Date: Tue, 19 Feb 2002 08:32:34 +0100 (CET) Subject: hostkey checking Message-ID: Hi! Is it somehow possible to disable the known_hosts checking for some hosts? The StrictHostKeyChecking affects only the asking about new computers, but doesn't affect the changed ones. I need it for the test computers, which are reinstalled twice/hour and I really don't like editing .ssh/known_hosts each time :-( Thanks Michal From fcusack at fcusack.com Tue Feb 19 19:13:17 2002 
From: fcusack at fcusack.com (Frank Cusack) Date: Tue, 19 Feb 2002 00:13:17 -0800 Subject: hostkey checking In-Reply-To: ; from rebel@atrey.karlin.mff.cuni.cz on Tue, Feb 19, 2002 at 08:32:34AM +0100 References: Message-ID: <20020219001317.B6360@google.com> On Tue, Feb 19, 2002 at 08:32:34AM +0100, Michal Svec wrote: > Is it somehow possible to disable the known_hosts checking for some hosts? > The StrictHostKeyChecking affects only the asking about new computers, but > doesn't affect the changed ones. > > I need it for the test computers, which are reinstalled twice/hour and > I really don't like editing .ssh/known_hosts each time :-( Why don't you save the host keys then? Change your reinstall process to install the saved host key rather than generate a new one. But anyway, StrictHostKeyChecking does affect changed host keys. You can easily set it to 'no' for only certain hosts. Even with 'no', certain types of authentication will not be allowed, that's an easy behaviour to change (1 or 2 line patch), but I would recommend you install known host keys instead. /fc From rebel at atrey.karlin.mff.cuni.cz Tue Feb 19 19:24:25 2002 
From: rebel at atrey.karlin.mff.cuni.cz (Michal Svec) Date: Tue, 19 Feb 2002 09:24:25 +0100 (CET) Subject: hostkey checking In-Reply-To: <20020219001317.B6360@google.com> Message-ID: Hi! On Tue, 19 Feb 2002, Frank Cusack wrote: > On Tue, Feb 19, 2002 at 08:32:34AM +0100, Michal Svec wrote: > > Is it somehow possible to disable the known_hosts checking for some hosts? > > The StrictHostKeyChecking affects only the asking about new computers, but > > doesn't affect the changed ones. > > > > I need it for the test computers, which are reinstalled twice/hour and > > I really don't like editing .ssh/known_hosts each time :-( > > Why don't you save the host keys then? Change your reinstall process > to install the saved host key rather than generate a new one. Sadly, I'm testing just the standard reinstall process for which I can't do such changes (I'd use it otherwise). > But anyway, StrictHostKeyChecking does affect changed host keys. You can > easily set it to 'no' for only certain hosts. Even with 'no', certain > types of authentication will not be allowed, that's an easy behaviour > to change (1 or 2 line patch), but I would recommend you install known > host keys instead. I'd just need some DisableHostKeyChecking option so I can disable it completely for some hosts. I know this would be a security risk doing it in general, but on a per-host basis it could be acceptable. Do you have any objections to including such an option in the standard openssh? I think that having such a possibility is a good thing in closed (temporary) environments where the security needs not be so paranoid. Regards Michal BTW could you please send me that patch? From fcusack at fcusack.com Tue Feb 19 19:57:23 2002 
From: fcusack at fcusack.com (Frank Cusack) Date: Tue, 19 Feb 2002 00:57:23 -0800 Subject: hostkey checking In-Reply-To: ; from rebel@atrey.karlin.mff.cuni.cz on Tue, Feb 19, 2002 at 09:24:25AM +0100 References: <20020219001317.B6360@google.com> Message-ID: <20020219005723.G6360@google.com> On Tue, Feb 19, 2002 at 09:24:25AM +0100, Michal Svec wrote: > On Tue, 19 Feb 2002, Frank Cusack wrote: > > On Tue, Feb 19, 2002 at 08:32:34AM +0100, Michal Svec wrote: > > > Is it somehow possible to disable the known_hosts checking for some hosts? > > > The StrictHostKeyChecking affects only the asking about new computers, but > > > doesn't affect the changed ones. > > > > > > I need it for the test computers, which are reinstalled twice/hour and > > > I really don't like editing .ssh/known_hosts each time :-( Automate; that is what computers are best at. :-) > I'd just need some DisableHostKeyChecking option so I can disable it > completely for some hosts. I know this would be a security risk doing it > in general, but on a per-host basis it could be acceptable. > > Do you have any objections including such an option in the standard > openssh? I think that having such possibility is a good thing in closed > (temporary) environments where the security needs not to be so paranoid. I'm not one of the openssh developers, but I think I can safely say there's no way such an option is going to make it into openssh. You're probably going to get a lot of flames just for suggesting it. :-) > BTW could you please send me that patch? There are other easy ways to do this. eg, use a quick one-line perl script to wipe the hostkeys out of .ssh/known_hosts:
perl -i -ne 'print unless /^test/' $HOME/.ssh/known_hosts
or do something like
alias testssh "ssh -o UserKnownHostsFile=/dev/null"
or any number of things along those lines. /fc From bugzilla-daemon at mindrot.org Tue Feb 19 20:37:20 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 19 Feb 2002 20:37:20 +1100 (EST) Subject: [Bug 120] sshd fails pty chown() when run as non-root userid Message-ID: <20020219093720.03304E8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=120 ------- Additional Comments From idallen at freenet.carleton.ca 2002-02-19 20:37 ------- I'm not a pty expert. I don't think you can "snoop" characters from a pty without preventing them from going to the original application. If the pty is opened O_EXCL, I think that locks out anyone else. (Actually, given the documentation below, it seems that only one process can open the control half of the pty even without O_EXCL.) Certainly many unpriv applications manage to use ptys without being root. I just haven't programmed that in a decade or so, so I don't know the current methodology. From roberto.bertucci at netscalibur.it Tue Feb 19 20:51:12 2002 From: roberto.bertucci at netscalibur.it (Roberto Bertucci) Date: Tue, 19 Feb 2002 10:51:12 +0100 Subject: Problem with Sol8 and LDAP In-Reply-To: References: <5.1.0.14.2.20020218103511.03454eb8@mail2.netscalibur.it> Message-ID: <5.1.0.14.2.20020219104201.02e405b8@mail2.netscalibur.it> Thank you for your answer. I took a little time to update Solaris to the last recommended patch level (rel. 04 Feb 2002). The problem is still here. User treno (this is me) is connected via telnet and authenticated against LDAP server (netscape 4.1). Even a truss is not useful: treno at tao[!] -> truss ssh -v truss: cannot trace set-id or unreadable object file: /usr/local/bin/ssh I am attaching pam.conf and nsswitch.conf Thank you, RB At 09.31 18/02/2002 -0500, Ed Phillips wrote: >On Mon, 18 Feb 2002, Roberto Bertucci wrote: > > > Date: Mon, 18 Feb 2002 10:39:29 +0100 
> > From: Roberto Bertucci > > To: openssh-unix-dev at mindrot.org > > Subject: Problem with Sol8 and LDAP > > > > Hi, I am experiencing a problem with ssh 3.0.2.p1 running on Solaris 2.8. > >What patches do you have installed for Sol8? Did you install all of the >recommended patches along with relevant LDAP/PAM patches? What does your >/etc/nsswitch.conf look like? What does /etc/pam.conf look like? > > > Everything works fine with local users (i.e. with local passwd and shadow > > entries). With LDAP authenticated users, I obtain: > > > > treno at tao[!] -> ssh -v > > Segmentation Fault (core dumped) > >We need a little more than "core dumped" to be able to solve the >problem... can you provide truss output? Is "treno" a user that is logged >in via PAM+LDAP (there is an sshd process involved) or is this a user who >is on the console trying to ssh out of the system? > > > The problem is the same with 2.x releases. > >I've never seen the client dump core like this, even on a system that has >PAM configured to use LDAP. > > Ed > >Ed Phillips University of Delaware (302) 831-6082 >Systems Programmer III, Network and Systems Services >finger -l ed at polycut.nss.udel.edu for PGP public key -------------- next part -------------- A non-text attachment was scrubbed... Name: nsswitch.conf Type: application/octet-stream Size: 787 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020219/0a9c9e12/attachment.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: pam.conf Type: application/octet-stream Size: 2342 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020219/0a9c9e12/attachment-0001.obj From djm at mindrot.org Tue Feb 19 21:05:33 2002 
From: djm at mindrot.org (Damien Miller) Date: Tue, 19 Feb 2002 21:05:33 +1100 (EST) Subject: hostkey checking In-Reply-To: Message-ID: On Tue, 19 Feb 2002, Michal Svec wrote: > > Hi! > > Is it somehow possible to disable the known_hosts checking for some hosts? > The StrictHostKeyChecking affects only the asking about new computers, but > doesn't affect the changed ones. This is what I use for a test machine on our office LAN:
Host test
    UserKnownHostsFile /dev/null
    UserKnownHostsFile2 /dev/null
    StrictHostKeyChecking no
    ForwardX11 no
    ForwardAgent no
    Ciphers arcfour,aes128-cbc,3des-cbc,blowfish-cbc
-d From jg at jguk.org Tue Feb 19 22:22:10 2002 From: jg at jguk.org (J. Grant) Date: Tue, 19 Feb 2002 20:22:10 +0900 Subject: [openssh-unix-dev]: Subject of email Message-ID: <3C723562.4060005@jguk.org> Hello Would it be possible for the Subject line of this list to be prefixed with [openssh-unix-dev]: ? I'm on many lists and this is the only one that doesn't. It aids readability and means we all can prioritise all emails in our inbox better. IMO. It should be possible to decide if one wants to read an email from the subject. I believe. Have I just started a flame war? I hope not, I can't be the only one wondering why there is no subject prefix on emails.. can I? JG From djm at mindrot.org Tue Feb 19 23:07:01 2002 
From: djm at mindrot.org (Damien Miller) Date: Tue, 19 Feb 2002 23:07:01 +1100 (EST) Subject: [openssh-unix-dev]: Subject of email In-Reply-To: <3C723562.4060005@jguk.org> Message-ID: On Tue, 19 Feb 2002, J. Grant wrote: > Hello > > Would it be possible for the Subject line of this list to be prefixed > with [openssh-unix-dev]: ? I'm on many lists and this is the only one > that does'nt. It aids readability and means we all can prioritise all > emails in our inbox better. IMO. You can filter on the "Sender:" header field which is present in every message forwarded by the list server. IMO adding spam to the subject header ruins readability on my 80x40 pine MUA as I can't see the real subjects anymore. -d From Jason.Lacoss-Arnold at AGEDWARDS.com Wed Feb 20 00:11:09 2002 From: Jason.Lacoss-Arnold at AGEDWARDS.com (Lacoss-Arnold, Jason) Date: Tue, 19 Feb 2002 07:11:09 -0600 Subject: Problem with Sol8 and LDAP Message-ID: <6808DCE827EBD5119DFB0002A58EF4DA57E5E5@hqempn06.agedwards.com> You have to be root on Solaris to truss a setuid executable (which ssh is). So try (as root): root at tao[!] -> truss ssh -l treno -v Thanks, --Jason Lacoss-Arnold, Systems Technical Specialist Technical Services - Unix Arch. 314-955-8501 -----Original Message----- 
From: Roberto Bertucci [mailto:roberto.bertucci at netscalibur.it] Sent: Tuesday, February 19, 2002 3:51 To: Ed Phillips Cc: OpenSSH Development Subject: Re: Problem with Sol8 and LDAP Thank you for your answer. I took a little time to update Solaris to the last recommended patch level (rel. 04 Feb 2002). The problem is still here. User treno (this is me) is connected via telnet and authenticated against LDAP server (netscape 4.1). Even a truss is not useful: treno at tao[!] -> truss ssh -v truss: cannot trace set-id or unreadable object file: /usr/local/bin/ssh I am attaching pam.conf and nsswitch.conf Thank you, RB At 09.31 18/02/2002 -0500, Ed Phillips wrote: >On Mon, 18 Feb 2002, Roberto Bertucci wrote: > > > Date: Mon, 18 Feb 2002 10:39:29 +0100 
> > From: Roberto Bertucci > > To: openssh-unix-dev at mindrot.org > > Subject: Problem with Sol8 and LDAP > > > > Hi, I am experiencing a problem with ssh 3.0.2.p1 running on Solaris 2.8. > >What patches do you have installed for Sol8? Did you install all of the >recommended patches along with relevant LDAP/PAM patches? What does your >/etc/nsswitch.conf look like? What does /etc/pam.conf look like? > > > Everything works fine with local users (i.e. with local passwd and shadow > > entries). With LDAP authenticated users, I obtain: > > > > treno at tao[!] -> ssh -v > > Segmentation Fault (core dumped) > >We need a little more than "core dumped" to be able to solve the >problem... can you provide truss output? Is "treno" a user that is logged >in via PAM+LDAP (there is an sshd process involved) or is this a user who >is on the console trying to ssh out of the system? > > > The problem is the same with 2.x releases. > >I've never seen the client dump core like this, even on a system that has >PAM configured to use LDAP. > > Ed > >Ed Phillips University of Delaware (302) 831-6082 >Systems Programmer III, Network and Systems Services >finger -l ed at polycut.nss.udel.edu for PGP public key *************************************************************************************** WARNING: All e-mail sent to and from this address will be received or otherwise recorded by the A.G. Edwards corporate e-mail system and is subject to archival, monitoring or review by, and/or disclosure to, someone other than the recipient. *************************************************************************************** -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020219/e1cc3810/attachment.html From roberto.bertucci at netscalibur.it Wed Feb 20 00:52:49 2002 
From: roberto.bertucci at netscalibur.it (Roberto Bertucci) Date: Tue, 19 Feb 2002 14:52:49 +0100 Subject: Problem with Sol8 and LDAP In-Reply-To: <6808DCE827EBD5119DFB0002A58EF4DA57E5E5@hqempn06.agedwards.com> Message-ID: <5.1.0.14.2.20020219145130.02d85010@mail2.netscalibur.it> Hello, root is locally defined (not authenticated against LDAP) and for users of such kind, ssh works..... The problem is only for pure LDAP authenticated users. Thank you, RB At 07.11 19/02/2002 -0600, Lacoss-Arnold, Jason wrote: >You have to be root on Solaris to truss a setuid executable (which ssh >is). So try (as root): >root at tao[!] -> truss ssh -l treno -v > >Thanks, >--Jason Lacoss-Arnold, Systems Technical Specialist >Technical Services - Unix Arch. >314-955-8501 > >-----Original Message----- >From: Roberto Bertucci >[mailto:roberto.bertucci at netscalibur.it] > >Sent: Tuesday, February 19, 2002 3:51 >To: Ed Phillips >Cc: OpenSSH Development >Subject: Re: Problem with Sol8 and LDAP > >Thank you for your answer. >I took a little time to update Solaris to the last recommended patch level >(rel. 04 Feb 2002). >The problem is still here. > >User treno (this is me) is connected via telnet and authenticated against >LDAP server (netscape 4.1). > >Even a truss is not useful: >treno at tao[!] -> truss ssh -v >truss: cannot trace set-id or unreadable object file: /usr/local/bin/ssh > >I am attaching pam.conf and nsswitch.conf > >Thank you, >RB > > >At 09.31 18/02/2002 -0500, Ed Phillips wrote: > >On Mon, 18 Feb 2002, Roberto Bertucci wrote: > > > > > Date: Mon, 18 Feb 2002 10:39:29 +0100 
> > > From: Roberto Bertucci > > > To: openssh-unix-dev at mindrot.org > > > Subject: Problem with Sol8 and LDAP > > > > > > Hi, I am experiencing a problem with ssh 3.0.2.p1 running on Solaris > 2.8. > > > >What patches do you have installed for Sol8? Did you install all of the > >recommended patches along with relevant LDAP/PAM patches? What does your > >/etc/nsswitch.conf look like? What does /etc/pam.conf look like? > > > > > Everything works fine with local users (i.e. with local passwd and > shadow > > > entries). With LDAP authenticated users, I obtain: > > > > > > treno at tao[!] -> ssh -v > > > Segmentation Fault (core dumped) > > > >We need a little more than "core dumped" to be able to solve the > >problem... can you provide truss output? Is "treno" a user that is logged > >in via PAM+LDAP (there is an sshd process involved) or is this a user who > >is on the console trying to ssh out of the system? > > > > > The problem is the same with 2.x releases. > > > >I've never seen the client dump core like this, even on a system that has > >PAM configured to use LDAP. > > > > Ed > > > >Ed Phillips University of Delaware (302) 831-6082 > >Systems Programmer III, Network and Systems Services > >finger -l ed at polycut.nss.udel.edu for PGP public key From ed at UDel.Edu Wed Feb 20 01:38:40 2002 
From: ed at UDel.Edu (Ed Phillips) Date: Tue, 19 Feb 2002 09:38:40 -0500 (EST) Subject: Problem with Sol8 and LDAP In-Reply-To: <5.1.0.14.2.20020219104201.02e405b8@mail2.netscalibur.it> Message-ID: On Tue, 19 Feb 2002, Roberto Bertucci wrote: > Date: Tue, 19 Feb 2002 10:51:12 +0100 > From: Roberto Bertucci > To: Ed Phillips > Cc: OpenSSH Development > Subject: Re: Problem with Sol8 and LDAP > > Thank you for your answer. > I took a little time to update Solaris to the last recommended patch level > (rel. 04 Feb 2002). > The problem is still here. > > User treno (this is me) is connected via telnet and authenticated against > LDAP server (netscape 4.1). > > Even a truss is not useful: > treno at tao[!] -> truss ssh -v > truss: cannot trace set-id or unreadable object file: /usr/local/bin/ssh Run truss in another shell as "root" with: # truss -o xx -a -e -r all -w all -v all -u\* -pf Run the command in treno's shell and then CTRL-C out of the truss. Send us the output file ("xx"). > I am attaching pam.conf and nsswitch.conf Looks okay. Thanks, Ed Ed Phillips University of Delaware (302) 831-6082 Systems Programmer III, Network and Systems Services finger -l ed at polycut.nss.udel.edu for PGP public key From roberto.bertucci at netscalibur.it Wed Feb 20 01:44:59 2002 From: roberto.bertucci at netscalibur.it (Roberto Bertucci) Date: Tue, 19 Feb 2002 15:44:59 +0100 Subject: Problem with Sol8 and LDAP In-Reply-To: References: <5.1.0.14.2.20020219104201.02e405b8@mail2.netscalibur.it> Message-ID: <5.1.0.14.2.20020219154427.0462d7d0@mail2.netscalibur.it> OK, done! Hope this can help Thanx again, RB At 09.38 19/02/2002 -0500, Ed Phillips wrote: >On Tue, 19 Feb 2002, Roberto Bertucci wrote: > > > Date: Tue, 19 Feb 2002 10:51:12 +0100 
> > From: Roberto Bertucci > > To: Ed Phillips > > Cc: OpenSSH Development > > Subject: Re: Problem with Sol8 and LDAP > > > > Thank you for your answer. > > I took a little time to update Solaris to the last recommended patch level > > (rel. 04 Feb 2002). > > The problem is still here. > > > > User treno (this is me) is connected via telnet and authenticated against > > LDAP server (netscape 4.1). > > > > Even a truss is not useful: > > treno at tao[!] -> truss ssh -v > > truss: cannot trace set-id or unreadable object file: /usr/local/bin/ssh > >Run truss in another shell as "root" with: > ># truss -o xx -a -e -r all -w all -v all -u\* -pf > >Run the command in treno's shell and then CTRL-C out of the truss. Send >us the output file ("xx"). > > > I am attaching pam.conf and nsswitch.conf > >Looks okay. > >Thanks, > > Ed > >Ed Phillips University of Delaware (302) 831-6082 >Systems Programmer III, Network and Systems Services >finger -l ed at polycut.nss.udel.edu for PGP public key -------------- next part -------------- A non-text attachment was scrubbed... Name: xx.zip Type: application/zip Size: 55418 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020219/05f6058c/attachment.zip From ed at UDel.Edu Wed Feb 20 01:52:55 2002 
From: ed at UDel.Edu (Ed Phillips) Date: Tue, 19 Feb 2002 09:52:55 -0500 (EST) Subject: Problem with Sol8 and LDAP In-Reply-To: <5.1.0.14.2.20020219104201.02e405b8@mail2.netscalibur.it> Message-ID: Do you have patch 108993-05 installed? nss_ldap.so is pretty broken without it. I don't think this patch is on the "recommended" list, so you probably have to install it separately (check /var/sadm/patch to see if it's already installed). Also, if you're going to be using PAM, you'll probably want to make sure you have 112218-01, which addresses a security issue (and is probably on the "recommended" list but check anyway). Thanks, Ed On Tue, 19 Feb 2002, Roberto Bertucci wrote: > Date: Tue, 19 Feb 2002 10:51:12 +0100 > From: Roberto Bertucci > To: Ed Phillips > Cc: OpenSSH Development > Subject: Re: Problem with Sol8 and LDAP > > Thank you for your answer. > I took a little time to update Solaris to the last recommended patch level > (rel. 04 Feb 2002). > The problem is still here. Ed Phillips University of Delaware (302) 831-6082 Systems Programmer III, Network and Systems Services finger -l ed at polycut.nss.udel.edu for PGP public key From roberto.bertucci at netscalibur.it Wed Feb 20 01:58:59 2002 
From: roberto.bertucci at netscalibur.it (Roberto Bertucci)
Date: Tue, 19 Feb 2002 15:58:59 +0100
Subject: Problem with Sol8 and LDAP
In-Reply-To:
References: <5.1.0.14.2.20020219104201.02e405b8@mail2.netscalibur.it>
Message-ID: <5.1.0.14.2.20020219155759.04514d00@mail2.netscalibur.it>

Yes, I have both patches (probably they were in the recommended cluster):

treno at tao[!] -> showrev -p | grep "108993"
Patch: 109035-01 Obsoletes:  Requires: 108991-02, 108993-01, 108528-01, 108989-01, 108997-01  Incompatibles:  Packages: SUNWcsu
Patch: 109033-01 Obsoletes:  Requires: 108993-01, 108997-01  Incompatibles:  Packages: SUNWcsu, SUNWcsxu
Patch: 109031-01 Obsoletes:  Requires: 108993-01, 109029-01, 108997-01  Incompatibles:  Packages: SUNWcsu
Patch: 109023-01 Obsoletes:  Requires: 108991-02, 108993-01, 108528-01, 108989-01, 108997-01  Incompatibles:  Packages: SUNWcsu, SUNWcsxu
Patch: 109021-01 Obsoletes:  Requires: 108991-02, 108993-01, 108528-01, 108989-01, 108997-01  Incompatibles:  Packages: SUNWcsu
Patch: 109017-01 Obsoletes:  Requires: 108993-01, 108997-01  Incompatibles:  Packages: SUNWcsu
Patch: 109015-01 Obsoletes:  Requires: 108991-02, 108993-01, 108528-01, 108989-01, 108997-01  Incompatibles:  Packages: SUNWcsu
Patch: 109011-01 Obsoletes:  Requires: 108991-02, 108993-01, 108528-01, 108989-01, 108997-01  Incompatibles:  Packages: SUNWcsu, SUNWxcu4
Patch: 109007-04 Obsoletes:  Requires: 108528-01, 108989-01, 108991-02, 108993-01, 108997-01  Incompatibles:  Packages: SUNWcsu, SUNWesu
Patch: 109005-01 Obsoletes:  Requires: 108991-02, 108993-01, 108528-01, 108989-01, 108997-01  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 109007-06 Obsoletes:  Requires: 108528-01, 108989-01, 108991-02, 108993-01, 108997-01  Incompatibles:  Packages: SUNWcsu, SUNWesu
Patch: 108993-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr, SUNWcslx, SUNWcsl, SUNWnisu, SUNWhea
Patch: 108997-03 Obsoletes:  Requires: 108993-01  Incompatibles:  Packages: SUNWcsr, SUNWcslx, SUNWcsl, SUNWarc, SUNWarcx, SUNWcstl, SUNWcstlx, SUNWhea
Patch: 108999-01 Obsoletes:  Requires: 108991-02, 108993-01, 108528-01, 108989-01, 108997-01  Incompatibles:  Packages: SUNWcsr, SUNWcslx, SUNWcsl
Patch: 108993-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr, SUNWcslx, SUNWcsl, SUNWnisu, SUNWhea
Patch: 108993-05 Obsoletes: 110194-01, 110390-02, 111090-03  Requires: 108991-12  Incompatibles:  Packages: SUNWcsr, SUNWcslx, SUNWcsl, SUNWnisu, SUNWhea
Patch: 109221-05 Obsoletes: 108960-01  Requires: 108993-01  Incompatibles:  Packages: SUNWadmap, SUNWadmc
Patch: 109221-06 Obsoletes: 108960-01  Requires: 108993-01  Incompatibles:  Packages: SUNWadmap, SUNWadmc
Patch: 109013-02 Obsoletes:  Requires: 108528-01, 108989-01, 108991-02, 108993-01, 108997-01  Incompatibles:  Packages: SUNWesu
Patch: 109037-01 Obsoletes:  Requires: 108993-01, 108997-01  Incompatibles:  Packages: SUNWnisr
Patch: 109029-01 Obsoletes:  Requires: 108993-01, 108997-01  Incompatibles:  Packages: SUNWpl5u

treno at tao[!] -> showrev -p | grep 112218
Patch: 112218-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcslx, SUNWcsl

RB

At 09.52 19/02/2002 -0500, Ed Phillips wrote:
>Do you have patch 108993-05 installed? nss_ldap.so is pretty broken
>without it. I don't think this patch is on the "recommended" list, so you
>probably have to install it separately (check /var/sadm/patch to see if
>it's already installed).
>
>Also, if you're going to be using PAM, you'll probably want to make sure
>you have 112218-01, which addresses a security issue (and is probably on
>the "recommended" list but check anyway).
>
>Thanks,
>
>	Ed
>
>On Tue, 19 Feb 2002, Roberto Bertucci wrote:
>
> > Date: Tue, 19 Feb 2002 10:51:12 +0100
> > From: Roberto Bertucci
> > To: Ed Phillips
> > Cc: OpenSSH Development
> > Subject: Re: Problem with Sol8 and LDAP
> >
> > Thank you for your answer.
> > I took a little time to update Solaris to the last recommended patch level
> > (rel. 04 Feb 2002).
> > The problem is still here.
>
>Ed Phillips University of Delaware (302) 831-6082
>Systems Programmer III, Network and Systems Services
>finger -l ed at polycut.nss.udel.edu for PGP public key

From mouring at etoh.eviladmin.org Wed Feb 20 03:04:03 2002
From: mouring at etoh.eviladmin.org (mouring)
Date: Tue, 19 Feb 2002 10:04:03 -0600 (CST)
Subject: hostkey checking
In-Reply-To: <20020219005723.G6360@google.com>
Message-ID:

On Tue, 19 Feb 2002, Frank Cusack wrote:

> On Tue, Feb 19, 2002 at 09:24:25AM +0100, Michal Svec wrote:
> > On Tue, 19 Feb 2002, Frank Cusack wrote:
[..]
> >
> > Do you have any objections to including such an option in the standard
> > openssh? I think that having such a possibility is a good thing in closed
> > (temporary) environments where the security needs not to be so paranoid.
>
> I'm not one of the openssh developers, but I think I can safely
> say there's no way such an option is going to make it into openssh.
> You're probably going to get a lot of flames just for suggesting it. :-)
> I will object to it.
>
> > BTW could you please send me that patch?
>
> There are other easy ways to do this. eg, use a quick one-line perl script
> to wipe the hostkeys out of .ssh/known_hosts:
>
> perl -i -ne 'print unless /^test/' $HOME/.ssh/known_hosts
>
> or do something like
>
> alias testssh "ssh -o UserKnownHostsFile=/dev/null"
>

I think this is his best bet. It is simple and requires zero modifications
to solve his problem. And also keeps his known_hosts clean.

- Ben

From jim at users.de Wed Feb 20 07:16:38 2002
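The two tricks Frank suggests above (scrub matching lines out of known_hosts, or point ssh at a throwaway file) are the right shape, but as written the perl one-liner matches anywhere in the line and /dev/null throws away host authentication entirely. The script below is an added example, not code from the thread or from OpenSSH: scrub_known_hosts matches only the host field of each entry, and testssh keeps one known_hosts file per lab so keys are still pinned between sessions. The host names and key blobs in the demo are constructed, and the ~/.ssh/known_hosts.LAB naming is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. Two helpers for
# lab hosts whose keys change often: scrub_known_hosts drops entries for a
# host pattern like the perl one-liner quoted above, but matches the host
# field only, so a key blob or comment cannot match by accident; testssh
# keeps a separate known_hosts per lab instead of /dev/null, so keys are
# still pinned between sessions. Host names and key blobs in the demo are
# constructed, and ~/.ssh/known_hosts.LAB is an assumed naming scheme.

# scrub_known_hosts FILE PATTERN
# Remove every entry whose host list matches the awk regex PATTERN.
# The host list is field 1, or field 2 when the line starts with a marker
# such as @cert-authority or @revoked; it is comma separated and a host on
# a non-standard port appears as [host]:port. Hashed entries (|1|...) cannot
# be matched by name and are kept; use ssh-keygen -R for those.
scrub_known_hosts() {
    file=$1 pat=$2
    tmp=$file.scrub.$$
    awk -v pat="$pat" '
        /^[ \t]*(#|$)/ { print; next }           # keep comments and blanks
        {
            hostlist = ($1 ~ /^@/) ? $2 : $1
            n = split(hostlist, hosts, ",")
            keep = 1
            for (i = 1; i <= n; i++)
                if (hosts[i] ~ pat) keep = 0
            if (keep) print
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# known_hosts_count FILE: number of key entries, comments and blanks excluded
known_hosts_count() {
    awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# testssh LAB [ssh arguments...]
# accept-new (OpenSSH 7.6 and later) records a host seen for the first time
# but still refuses a changed key, unlike StrictHostKeyChecking=no, which
# lets a changed-key connection proceed. Older OpenSSH has to use
# StrictHostKeyChecking=no here and loses that protection.
testssh() {
    lab=$1; shift
    ssh -o UserKnownHostsFile="$HOME/.ssh/known_hosts.$lab" \
        -o StrictHostKeyChecking=accept-new "$@"
}

# Demo on a constructed file: four entries, three of them for "test*" hosts.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample known_hosts
test1.lab.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHRlc3Qx
db.example,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDkYg
@cert-authority test-ca.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHRlc3RjYQ
10.0.0.9,test2.lab.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHRlc3Qy
EOF
echo "before: $(known_hosts_count "$demo") entries"
scrub_known_hosts "$demo" '^test'
echo "after:  $(known_hosts_count "$demo") entries"   # only db.example remains
rm -f "$demo"
```

When a lab box is reinstalled, `scrub_known_hosts ~/.ssh/known_hosts.lab1 '^test'` removes its old key and the next `testssh lab1 test1.lab.example` records the new one; a key that changes without a scrub is still reported, which is the property /dev/null gives up.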
From: jim at users.de (Matthias Jim Knopf)
Date: Tue, 19 Feb 2002 21:16:38 +0100 (MET)
Subject: purpose of scp -B?
In-Reply-To: <20020218210235.75371.qmail@web14508.mail.yahoo.com>
Message-ID:

Hey-ho dat truong!

On 2002-02-18 13:02 you wrote:

> Does anybody know the intention of scp -B?
> Is it for batch mode processing? I assume
> that it does not require an ssh agent running.

Although I'm not sure about the real intention of the programmers, the
effect of this switch is that in case any other authentication method
failed, this command will EXIT with an error code rather than ask a
non-existing user for a password!

In fact I guess an scp -B is the only chance to automatically check
whether a pubkey authentication successfully works without a password.

This message was brought to you by Jim
PGP encrypted mails welcome!
---
Unix' view of sex: unzip ; touch ; finger ; mount ; gasp ; yes ; umount ; sleep

From bugzilla-daemon at mindrot.org Wed Feb 20 07:57:14 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 20 Feb 2002 07:57:14 +1100 (EST)
Subject: [Bug 120] sshd fails pty chown() when run as non-root userid
Message-ID: <20020219205714.1FC47E99F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=120

------- Additional Comments From stevesk at pobox.com 2002-02-20 07:57 -------
for systems with STREAMS ptys grantpt() calls a set-uid helper program to
change pty ownership and modes. with some investigation and rework of pty
handling we could potentially use this behaviour for certain platforms.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From magnus at bodin.org Wed Feb 20 07:56:48 2002
From: magnus at bodin.org (Magnus Bodin)
Date: Tue, 19 Feb 2002 21:56:48 +0100
Subject: [meta, ot] Re: [openssh-unix-dev]: Subject of email
In-Reply-To:
References: <3C723562.4060005@jguk.org>
Message-ID: <20020219205648.GH11884@bodin.org>

On Tue, Feb 19, 2002 at 11:07:01PM +1100, Damien Miller wrote:
> On Tue, 19 Feb 2002, J. Grant wrote:
>
> > Hello
> >
> > Would it be possible for the Subject line of this list to be prefixed
> > with [openssh-unix-dev]: ? I'm on many lists and this is the only one
> > that doesn't. It aids readability and means we all can prioritise all
> > emails in our inbox better. IMO.
>
> You can filter on the "Sender:" header field which is present in every
> message forwarded by the list server. IMO adding spam to the subject
> header ruins readability on my 80x40 pine MUA as I can't see the real
> subjects anymore.

As this mailing list follows RFC 2919 (as all mailing lists should),
everyone can filter on 'List-Id'. _THAT_ field is the field to demand from
your mailing list manager. Nothing else. Most decent mailing lists already
support it.

/magnus

--
http://x42.com/

From bugzilla-daemon at mindrot.org Wed Feb 20 08:24:45 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 20 Feb 2002 08:24:45 +1100 (EST)
Subject: [Bug 121] New: ssh hangs on exit (not damon, nor background)
Message-ID: <20020219212445.61CF5E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=121

           Summary: ssh hangs on exit (not damon, nor background)
           Product: Portable OpenSSH
           Version: 3.0.2p1
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: joshua.mehlman at morganstanley.com

ssh running on Solaris 2.8 occasionally hangs on exit. I run the command
	ssh -v server hostname
we have also seen this with different commands and even just getting a shell.
(note I have tried with -t, -n and of course without the -v, and -v -v -v gives
no more info)
and about 1 time out of 1000 it hangs.
The verbose output is as follows:
debug1: Sending command: hostname
debug1: channel 0: open confirm rwindow 0 rmax 16384
debug1: channel 0: rcvd eof
debug1: channel 0: output open -> drain
server
debug1: channel 0: obuf empty
debug1: channel 0: output drain -> closed
debug1: channel 0: close_write

Then comes the hang. Note that this is different than the bg file wait issue.

a netstat on the client:
client# netstat -a | grep server
client.34819      server.ssh     17520      0 33580      0 ESTABLISHED
client.34820      server.ssh     17520      0 33580      0 TIME_WAIT

and one on the server:
server# netstat -a | grep client
server.full.domain.name.com.ssh client.34819 33580      0 17520      0 ESTABLISHED

and some ps:
client# ps -ef | grep hostname
    root 19944  2917  0 12:32:19 ?        0:01 /usr/local/bin/ssh -n -v server hostname

server# ps -ef | grep ssh
    root  3439 10524  0 12:32:21 ?        0:01 /services/ssh/sbin/sshd

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Feb 20 08:45:34 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 20 Feb 2002 08:45:34 +1100 (EST)
Subject: [Bug 121] ssh hangs on exit (not damon, nor background)
Message-ID: <20020219214534.C804EE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=121

joshua.mehlman at morganstanley.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         OS/Version|other                       |Solaris
           Platform|Other                       |Sparc

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Feb 20 08:46:21 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 20 Feb 2002 08:46:21 +1100 (EST)
Subject: [Bug 109] sftp hangs when a tcsh user types quit or exit
Message-ID: <20020219214621.15F52E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=109

joshua.mehlman at morganstanley.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         OS/Version|Solaris                     |other
           Platform|UltraSparc                  |Other

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Nicolas.Williams at ubsw.com Wed Feb 20 08:43:13 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Tue, 19 Feb 2002 16:43:13 -0500
Subject: [Bug 121] New: ssh hangs on exit (not damon, nor background)
In-Reply-To: <20020219212445.61CF5E8EA@shitei.mindrot.org>; from bugzilla-daemon@mindrot.org on Wed, Feb 20, 2002 at 08:24:45AM +1100
References: <20020219212445.61CF5E8EA@shitei.mindrot.org>
Message-ID: <20020219164312.B27398@sm2p1386swk.wdr.com>

This sounds like the SIGCHLD race bug. Check if the sshd has a defunct
child when hanging - if so, send SIGCHLD to the sshd and watch the
connection close.

Search the list. Patches have been posted.

Cheers,

Nico

On Wed, Feb 20, 2002 at 08:24:45AM +1100, bugzilla-daemon at mindrot.org wrote:
> http://bugzilla.mindrot.org/show_bug.cgi?id=121
>
>            Summary: ssh hangs on exit (not damon, nor background)
>            Product: Portable OpenSSH
>            Version: 3.0.2p1
>           Platform: Other
>         OS/Version: other
>             Status: NEW
>           Severity: normal
>           Priority: P2
>          Component: ssh
>         AssignedTo: openssh-unix-dev at mindrot.org
>         ReportedBy: joshua.mehlman at morganstanley.com
>
>
> ssh running on Solaris 2.8 occasionally hangs on exit. I run the command
> ssh -v server hostname
> we have also seen this with different commands and even just getting a shell.
> (note I have tried with -t, -n and of course without the -v, and -v -v -v gives
> no more info)
> and about 1 time out of 1000 it hangs.
> The verbose output is as follows:
> debug1: Sending command: hostname
> debug1: channel 0: open confirm rwindow 0 rmax 16384
> debug1: channel 0: rcvd eof
> debug1: channel 0: output open -> drain
> server
> debug1: channel 0: obuf empty
> debug1: channel 0: output drain -> closed
> debug1: channel 0: close_write
>
>
> Then comes the hang. Note that this is different than the bg file wait issue.
>
> a netstat on the client:
> client# netstat -a | grep server
> client.34819 server.ssh 17520 0 33580 0 ESTABLISHED
> client.34820 server.ssh 17520 0 33580 0 TIME_WAIT
>
>
> and one on the server:
> server# netstat -a | grep client
> server.full.domain.name.com.ssh client.34819 33580 0 17520 0 ESTABLISHED
>
> and some ps:
> client# ps -ef | grep hostname
> root 19944 2917 0 12:32:19 ? 0:01 /usr/local/bin/ssh -n -v server hostname
>
> server# ps -ef | grep ssh
> root 3439 10524 0 12:32:21 ? 0:01 /services/ssh/sbin/sshd
>
>
>
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-

From woods at weird.com Wed Feb 20 11:07:07 2002
From: woods at weird.com (Greg A. Woods)
Date: Tue, 19 Feb 2002 19:07:07 -0500 (EST)
Subject: purpose of scp -B?
In-Reply-To: <20020218210235.75371.qmail@web14508.mail.yahoo.com>
References: <20020125100829.A28091@folly> <20020218210235.75371.qmail@web14508.mail.yahoo.com>
Message-ID: <20020220000707.E314AB5@proven.weird.com>

[ On Monday, February 18, 2002 at 13:02:35 (-0800), dat truong wrote: ]
> Subject: purpose of scp -B?
>
> Does anybody know the intention of scp -B?

I assume you're talking about OpenSSH.... (there's no such option in the
'scp' that comes with SSH-3.1.0)

> Is it for batch mode processing?

     -B      Selects batch mode (prevents asking for passwords or passphrases).

Yup, seems so.....

> I assume
> that it does not require an ssh agent running.

I dunno -- have you tried it (I never use ssh-agent in the first place so I
wouldn't know if it's still needed with 'scp -B' or not).

--
Greg A. Woods
+1 416 218-0098; ; ;
Planix, Inc. ; VE3TCP; Secrets of the Weird

From rachit at ensim.com Wed Feb 20 11:50:26 2002
From: rachit at ensim.com (Rachit Siamwalla)
Date: Tue, 19 Feb 2002 16:50:26 -0800
Subject: purpose of scp -B?
Message-ID: <9AC41B8C4781464695BB013F106FCA31041E9D64@nasdaq.ms.ensim.com>

Batch mode does not require ssh-agent. Useful in non-interactive scripts
(you don't want any questions blocking your script). It also suppresses the
"host key not found, are you sure you want to continue connecting?"
question. (basically fails instead unless some conf variable is set to
ignore it).

-rchit

-----Original Message-----
From: woods at weird.com [mailto:woods at weird.com]
Sent: Tuesday, February 19, 2002 4:07 PM
To: dat truong
Cc: openssh-unix-dev at mindrot.org; secureshell at securityfocus.com
Subject: Re: purpose of scp -B?

[ On Monday, February 18, 2002 at 13:02:35 (-0800), dat truong wrote: ]
> Subject: purpose of scp -B?
>
> Does anybody know the intention of scp -B?

I assume you're talking about OpenSSH.... (there's no such option in the
'scp' that comes with SSH-3.1.0)

> Is it for batch mode processing?

     -B      Selects batch mode (prevents asking for passwords or passphrases).

Yup, seems so.....

> I assume
> that it does not require an ssh agent running.

I dunno -- have you tried it (I never use ssh-agent in the first place so I
wouldn't know if it's still needed with 'scp -B' or not).

--
Greg A. Woods
+1 416 218-0098; ; ;
Planix, Inc. ; VE3TCP; Secrets of the Weird
_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From kouril at ics.muni.cz Wed Feb 20 20:33:07 2002
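Jim and Rachit between them describe what scp -B buys a script: no prompt can block it, and an unknown host key is refused instead of asked about. The ssh option behind that behaviour is BatchMode=yes, and the script below, an added example rather than code from the thread or from OpenSSH, uses it for the automated "does my key log in without a password?" check Jim mentions. The host name in the demo is constructed and deliberately unresolvable.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: a non-interactive
# probe of public-key authentication, the job Jim describes scp -B being good
# for, done with the ssh option behind scp -B, BatchMode=yes. With it set,
# every password or passphrase prompt becomes an immediate failure and, as
# Rachit notes, an unknown host key is refused rather than asked about. The
# host name in the demo is constructed and deliberately unresolvable.

# pubkey_auth_ok HOST [IDENTITY_FILE]
# Returns 0 if HOST accepts a non-interactive public-key login from this
# account, 1 if ssh could not connect or authenticate (ssh exits 255 for its
# own failures), 2 if the login worked but the remote command did not.
# Password and keyboard-interactive methods are switched off explicitly so a
# server that would have accepted them cannot mask a missing key.
pubkey_auth_ok() {
    host=$1 ident=${2:-}
    set -- -o BatchMode=yes \
           -o PasswordAuthentication=no \
           -o KbdInteractiveAuthentication=no \
           -o ConnectTimeout=5
    if [ -n "$ident" ]; then
        # IdentitiesOnly stops ssh from also offering every agent key
        set -- "$@" -o IdentitiesOnly=yes -i "$ident"
    fi
    ssh "$@" "$host" true </dev/null >/dev/null 2>&1
    case $? in
        0)   return 0 ;;
        255) return 1 ;;
        *)   return 2 ;;
    esac
}

# Demo: an unresolvable host fails fast instead of hanging on a prompt.
if pubkey_auth_ok nonexistent.invalid; then
    echo "nonexistent.invalid: key accepted (unexpected)"
else
    echo "nonexistent.invalid: no non-interactive key login (status $?)"
fi
```

scp -B is the same switch applied to scp, so `scp -B file host:path` fails the same way instead of prompting. No agent is needed; if SSH_AUTH_SOCK is set the keys in the agent are offered as usual, which is why the identity-file variant pins IdentitiesOnly when you want to know that one specific key works.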
From: kouril at ics.muni.cz (Daniel Kouril)
Date: Wed, 20 Feb 2002 10:33:07 +0100
Subject: Fix AFS and Kerberos interaction
In-Reply-To: <20020123153540.A31514@odorn.ics.muni.cz>; from kouril@ics.muni.cz on Wed, Jan 23, 2002 at 03:35:40PM +0100
References: <20020123153540.A31514@odorn.ics.muni.cz>
Message-ID: <20020220103307.A21770@odorn.ics.muni.cz>

On Wed, Jan 23, 2002 at 03:35:40PM +0100, Daniel Kouril wrote:
> Hello,
>
> I'm going to use ssh with Kerberos V5 support along with support for AFS. I
> don't want to use Kerberos V4 or AFS token passing. The only thing I need
> from AFS is creating an AFS token (using the appropriate function from the
> krb5 API) after the user's authentication. It seems to me that such a
> scenario is not much supported by the current code. Rather it is assumed
> only Kerberos 4 will be used with AFS.
>
> Please, could you have a look at the enclosed patch? The main purpose of it
> is to enclose those parts dealing with AFS or KRB4 ticket passing between
> #ifdef AFS && KRB4 (instead of only AFS as in the current code). The patch is
> created against OpenSSH 3.0.2p1, tested with the Heimdal implementation of
> Kerberos V5.
>
> Would it be possible to add the patch to the standard distribution?
>
> with best regards
>
> --
> Daniel Kouril

Hi all,

I sent this mail a month ago and haven't received any response yet.
Please, could somebody let me know if the patch is acceptable to be included
in the standard distribution? I think the patch is quite simple but I could
adapt it in any way if required. As I believe I'm not alone in being
interested in using Kerberos V5 along with AFS, I think the patch would make
our lives much easier.

Th
ank you.

best regards

--
Daniel Kouril

-------------- next part --------------
--- Makefile.in 2002/01/23 10:09:09 1.1 +++ Makefile.in 2002/01/23 10:10:50
@@ -50,7 +50,7 @@ SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o +SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-chall.o auth2-chall.o auth-rhosts.o auth-options.o auth-krb4.o auth-krb5.o auth-pam.o auth2-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o auth-sia.o sshpty.o sshlogin.o loginrec.o servconf.o serverloop.o md5crypt.o session.o groupaccess.o auth-skey.o auth-bsdauth.o MANPAGES = scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out MANPAGES_IN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 --- auth-krb4.c 2002/01/23 10:50:54 1.1 +++ auth-krb4.c 2002/01/23 10:55:40 @@ -34,11 +34,12 @@ #include "uidswap.h" #include "auth.h" +#ifdef KRB4 + #ifdef AFS #include "radix.h" #endif -#ifdef KRB4 extern ServerOptions options; static int @@ -279,9 +280,7 @@ packet_write_wait(); return (1); } -#endif /* KRB4 */ -#ifdef AFS int auth_krb4_tgt(Authctxt *authctxt, const char *string) { @@ -370,4 +369,4 @@ return (1); } -#endif /* AFS */ +#endif /* KRB4 */ --- auth.h 2002/01/23 12:01:53 1.1 +++ auth.h 2002/01/23 12:14:19 @@ -102,14 +102,15 @@ int auth_krb4(Authctxt *, KTEXT, char **); int auth_krb4_password(Authctxt *, const char *); void krb4_cleanup_proc(void *); +#endif /* KRB4 */ #ifdef AFS #include +#ifdef KRB4 int auth_krb4_tgt(Authctxt *, const char *); int auth_afs_token(Authctxt *, const char *); -#endif /* AFS */ - #endif /* KRB4 */ +#endif /* AFS */ #ifdef KRB5 int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client); --- auth1.c 2002/01/23 12:15:49 1.1 +++ auth1.c 2002/01/23 12:17:26 
@@ -162,11 +162,11 @@ case SSH_CMSG_HAVE_KERBEROS_TGT: packet_send_debug("Kerberos TGT passing disabled before authentication."); break; -#ifdef AFS +#if defined(AFS) && defined(KRB4) case SSH_CMSG_HAVE_AFS_TOKEN: packet_send_debug("AFS token passing disabled before authentication."); break; -#endif /* AFS */ +#endif /* AFS && KRB4 */ #endif /* AFS || KRB5 */ case SSH_CMSG_AUTH_RHOSTS: --- radix.c 2002/01/23 10:13:32 1.1 +++ radix.c 2002/01/23 10:27:36 @@ -27,7 +27,7 @@ RCSID("$OpenBSD: radix.c,v 1.16 2001/06/23 15:12:19 itojun Exp $"); -#ifdef AFS +#if defined(AFS) && defined(KRB4) #include #include @@ -211,4 +211,4 @@ return 1; } -#endif /* AFS */ +#endif /* AFS && KRB4 */ --- readconf.c 2002/01/23 12:18:23 1.1 +++ readconf.c 2002/01/23 12:23:17 @@ -102,7 +102,7 @@ #if defined(AFS) || defined(KRB5) oKerberosTgtPassing, #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) oAFSTokenPassing, #endif oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, @@ -147,7 +147,7 @@ #if defined(AFS) || defined(KRB5) { "kerberostgtpassing", oKerberosTgtPassing }, #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) { "afstokenpassing", oAFSTokenPassing }, #endif { "fallbacktorsh", oFallBackToRsh }, @@ -368,7 +368,7 @@ intptr = &options->kerberos_tgt_passing; goto parse_flag; #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) case oAFSTokenPassing: intptr = &options->afs_token_passing; goto parse_flag; @@ -757,7 +757,7 @@ #if defined(AFS) || defined(KRB5) options->kerberos_tgt_passing = -1; #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) options->afs_token_passing = -1; #endif options->password_authentication = -1; @@ -839,7 +839,7 @@ if (options->kerberos_tgt_passing == -1) options->kerberos_tgt_passing = 1; #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) if (options->afs_token_passing == -1) options->afs_token_passing = 1; #endif --- readconf.h 2002/01/23 12:18:23 1.1 +++ readconf.h 2002/01/23 12:23:17 
@@ -47,7 +47,7 @@ #if defined(AFS) || defined(KRB5) int kerberos_tgt_passing; /* Try Kerberos TGT passing. */ #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) int afs_token_passing; /* Try AFS token passing. */ #endif int password_authentication; /* Try password --- servconf.c 2002/01/23 10:56:44 1.1 +++ servconf.c 2002/01/23 11:06:44 @@ -12,9 +12,13 @@ #include "includes.h" RCSID("$OpenBSD: servconf.c,v 1.91 2001/11/12 18:17:07 markus Exp $"); -#if defined(KRB4) || defined(KRB5) +#if defined(KRB4) #include #endif +#ifdef KRB5 +#include +#define KEYFILE "/etc/krb5.keytab" +#endif #ifdef AFS #include #endif @@ -82,7 +86,7 @@ #if defined(AFS) || defined(KRB5) options->kerberos_tgt_passing = -1; #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) options->afs_token_passing = -1; #endif options->password_authentication = -1; @@ -190,7 +194,7 @@ if (options->kerberos_tgt_passing == -1) options->kerberos_tgt_passing = 0; #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) if (options->afs_token_passing == -1) options->afs_token_passing = k_hasafs(); #endif @@ -246,7 +250,7 @@ #if defined(AFS) || defined(KRB5) sKerberosTgtPassing, #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) sAFSTokenPassing, #endif sChallengeResponseAuthentication, @@ -297,7 +301,7 @@ #if defined(AFS) || defined(KRB5) { "kerberostgtpassing", sKerberosTgtPassing }, #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) { "afstokenpassing", sAFSTokenPassing }, #endif { "passwordauthentication", sPasswordAuthentication }, @@ -632,7 +636,7 @@ intptr = &options->kerberos_tgt_passing; goto parse_flag; #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) case sAFSTokenPassing: intptr = &options->afs_token_passing; goto parse_flag; --- servconf.h 2002/01/23 10:56:44 1.1 +++ servconf.h 2002/01/23 11:07:37 
@@ -87,7 +87,7 @@ int kerberos_tgt_passing; /* If true, permit Kerberos TGT * passing. */ #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) int afs_token_passing; /* If true, permit AFS token passing. */ #endif int password_authentication; /* If true, permit password --- session.c 2002/01/23 11:08:20 1.1 +++ session.c 2002/01/23 12:12:42 @@ -343,19 +343,19 @@ verbose("Kerberos v5 TGT refused for %.100s", s->authctxt->user); #endif /* KRB5 */ } else { -#ifdef AFS +#if defined(AFS) && defined(KRB4) if (auth_krb4_tgt(s->authctxt, kdata)) success = 1; else verbose("Kerberos v4 TGT refused for %.100s", s->authctxt->user); -#endif /* AFS */ +#endif /* AFS && KRB4 */ } xfree(kdata); } break; #endif /* AFS || KRB5 */ -#ifdef AFS +#if defined(AFS) && defined(KRB4) case SSH_CMSG_HAVE_AFS_TOKEN: if (!options.afs_token_passing || !k_hasafs()) { verbose("AFS token passing disabled."); @@ -372,7 +372,7 @@ xfree(token); } break; -#endif /* AFS */ +#endif /* AFS && KRB4 */ case SSH_CMSG_EXEC_SHELL: case SSH_CMSG_EXEC_CMD: @@ -1370,6 +1370,10 @@ krb_afslog(cell, 0); krb_afslog(0, 0); +#ifdef KRB5 + krb5_afslog(s->authctxt->krb5_ctx, s->authctxt->krb5_fwd_ccache, + NULL, NULL); +#endif } #endif /* AFS */ --- ssh.c 2002/01/23 12:28:10 1.1 +++ ssh.c 2002/01/23 12:30:58 @@ -159,9 +159,9 @@ _PATH_SSH_USER_CONFFILE); fprintf(stderr, " -A Enable authentication agent forwarding.\n"); fprintf(stderr, " -a Disable authentication agent forwarding (default).\n"); -#ifdef AFS +#if defined(AFS) || defined(KRB5) fprintf(stderr, " -k Disable Kerberos ticket and AFS token forwarding.\n"); -#endif /* AFS */ +#endif /* AFS || KRB5 */ fprintf(stderr, " -X Enable X11 connection forwarding.\n"); fprintf(stderr, " -x Disable X11 connection forwarding (default).\n"); fprintf(stderr, " -i file Identity for public key authentication " 
@@ -351,10 +351,14 @@ case 'A': options.forward_agent = 1; break; -#ifdef AFS +#if defined(AFS) && defined(KRB4) case 'k': options.kerberos_tgt_passing = 0; options.afs_token_passing = 0; + break; +#elif defined(KRB5) + case 'k': + options.kerberos_tgt_passing = 0; break; #endif case 'i': --- sshconnect1.c 2002/01/23 10:28:25 1.1 +++ sshconnect1.c 2002/01/23 12:05:15 @@ -26,8 +26,10 @@ #endif #ifdef AFS #include +#ifdef KRB4 #include "radix.h" #endif +#endif #include "ssh.h" #include "ssh1.h" @@ -685,7 +687,7 @@ } #endif /* KRB5 */ -#ifdef AFS +#if defined(AFS) && defined(KRB4) static void send_krb4_tgt(void) { @@ -806,7 +808,7 @@ } } -#endif /* AFS */ +#endif /* AFS && KRB4 */ /* * Tries to authenticate with any string-based challenge/response system. @@ -1255,7 +1257,7 @@ krb5_free_context(context); #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) /* Try Kerberos v4 TGT passing if the server supports it. */ if ((supported_authentications & (1 << SSH_PASS_KERBEROS_TGT)) && options.kerberos_tgt_passing) { @@ -1270,7 +1272,7 @@ log("WARNING: Encryption is disabled! Token will be transmitted in the clear!"); send_afs_tokens(); } -#endif /* AFS */ +#endif /* AFS && KRB4 */ return; /* need statement after label */ } --- sshd.c 2002/01/23 10:41:05 1.1 +++ sshd.c 2002/01/23 12:12:42 @@ -1289,7 +1289,7 @@ if (options.kerberos_tgt_passing) auth_mask |= 1 << SSH_PASS_KERBEROS_TGT; #endif -#ifdef AFS +#if defined(AFS) && defined(KRB4) if (options.afs_token_passing) auth_mask |= 1 << SSH_PASS_AFS_TOKEN; #endif From ed at UDel.Edu Thu Feb 21 01:21:45 2002 
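Review bot: the Makefile.in hunk adds auth-krb5.o to SSHDOBJS, but nothing in this patch adds or modifies auth-krb5.c; please confirm that file is present in the 3.0.2p1 tree the patch targets (or include it in the patch), since otherwise the link step has no object to build from.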
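Review bot: the auth-krb4.c hunk moves auth_krb4_tgt() under `#ifdef KRB4` alone, while the auth.h hunk declares it only inside `#ifdef AFS` / `#ifdef KRB4` (that is, AFS && KRB4), radix.c is now compiled only for AFS && KRB4, and radix.h is still included only `#ifdef AFS`. A KRB4-without-AFS build therefore compiles auth_krb4_tgt() without its prototype and without the radix helpers it calls. Wrap the auth_krb4_tgt() definition in `#if defined(AFS) && defined(KRB4)` like the rest of the token-passing code.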
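Review bot: in the first servconf.c hunk, `#define KEYFILE "/etc/krb5.keytab"` is introduced under KRB5 but no line in the patch uses KEYFILE; drop it, or if a follow-up needs it, take the keytab from the Kerberos library's default (KRB5_KTNAME) rather than hard-coding a path in servconf.c.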
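Review bot: in the session.c hunk at line 1370, the new krb5_afslog() call sits in a block that stays under plain `#ifdef AFS`, next to the unchanged krb_afslog(cell, 0) / krb_afslog(0, 0) calls, which are Kerberos 4 kafs functions; the AFS-without-KRB4 configuration this patch exists to support would still try to compile them, so gate those two calls on AFS && KRB4 as the rest of the patch does. krb5_afslog() itself is a Heimdal libkafs function with no MIT Kerberos counterpart (the cover note says the patch was tested with Heimdal only), so it needs a configure-time check before it can go into the portable tree, and it is worth deciding whether it should run at all when krb5_fwd_ccache is NULL because no ticket was forwarded.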
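Review bot: the two ssh.c hunks disagree on when -k exists: usage() now prints it under `AFS || KRB5`, but the getopt case is compiled only under `AFS && KRB4` or `KRB5`, so a build with AFS but neither KRB4 nor KRB5 advertises -k and then rejects it. Use the same condition in both places, and in the KRB5-only branch drop "and AFS token" from the help text, since that branch clears only kerberos_tgt_passing.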
From: ed at UDel.Edu (Ed Phillips)
Date: Wed, 20 Feb 2002 09:21:45 -0500 (EST)
Subject: x509 for hostkeys.
In-Reply-To: <20020131120909.A28305@folly>
Message-ID:

Well, I successfully got the patched version working, but as it turns out,
we don't have the "commercial" version of the SSH.COM software here at UD...
and the free-for-non-commercial-use client doesn't support PKI. Maybe at
some point I'll get time to implement the client bits in OpenSSH... but
until then, I won't be able to test the X.509 hostkey patch.

	Ed

On Thu, 31 Jan 2002, Markus Friedl wrote:

> Date: Thu, 31 Jan 2002 12:09:10 +0100
> From: Markus Friedl
> To: openssh at openbsd.org, openssh-unix-dev at mindrot.org
> Subject: x509 for hostkeys.
>
> This (very quick) patch allows you to connect with the commercial
> ssh.com windows client and use x509 certs for hostkeys. You have
> to import your CA cert (ca.crt) in the windows client and certify
> your hostkey:
>
> $ cat << 'EOF' > x509v3.cnf
> CERTPATHLEN = 1
> CERTUSAGE = digitalSignature,keyCertSign
> CERTIP = 0.0.0.0
> [x509v3_CA]
> basicConstraints=critical,CA:true,pathlen:$ENV::CERTPATHLEN
> keyUsage=$ENV::CERTUSAGE
> [x509v3_IPAddr]
> subjectAltName=IP:$ENV::CERTIP
> [x509v3_DNSName]
> subjectAltName=DNS:$ENV::CERTDNS
> EOF
> $ CERTDNS=myipaddr; export CERTDNS
> $ openssl req -new -key /etc/ssh_host_rsa_key -out HOSTKEY.csr
> $ openssl x509 -req -days 365 -in HOSTKEY.csr -CA ca.crt \
>	-CAkey ca.key -CAcreateserial \
>	-extfile x509v3.cnf -extensions x509v3_DNSName \
>	-out HOSTKEY.crt
> $ umask 077
> $ cat /etc/ssh_host_rsa_key HOSTKEY.crt > /etc/ssh_host_rsa_key+cert
> $ echo HostKey /etc/ssh_host_rsa_key+cert > sshd_config-test
> $ sudo sshd -p 2222 -ddd -f sshd_config-test
>
> Index: authfile.c > =================================================================== > RCS file: /home/markus/cvs/ssh/authfile.c,v > retrieving revision 1.45 > diff -u -r1.45 authfile.c > --- authfile.c 29 Dec 2001 21:56:01 -0000 1.45 > +++ authfile.c 31 Jan 2002 10:50:53 -0000
> @@ -460,6 +460,24 @@ > error("PEM_read_PrivateKey: mismatch or " > "unknown EVP_PKEY save_type %d", pk->save_type); > } > + if (prv != NULL) { > + /* try to get a certificate if we have the private key */ > + prv->x509 = PEM_read_X509(fp, NULL, NULL, (char *)passphrase); > + if (prv->x509 != NULL) { > + debug("PEM_read_X509"); > +#ifdef DEBUG_X509 > + X509_print_fp(stdout, prv->x509); > + { > + EVP_PKEY *pkey = X509_get_pubkey(prv->x509); > + if (pkey->type == EVP_PKEY_RSA) { > + debug("PEM_read_X509 -> RSA"); > + } else if (pkey->type == EVP_PKEY_DSA) { > + debug("PEM_read_X509 -> DSA"); > + } > + } > +#endif > + } > + } > fclose(fp); > if (pk != NULL) > EVP_PKEY_free(pk); > Index: key.c > =================================================================== > RCS file: /home/markus/cvs/ssh/key.c,v > retrieving revision 1.39 > diff -u -r1.39 key.c > --- key.c 25 Jan 2002 22:07:40 -0000 1.39 > +++ key.c 31 Jan 2002 10:26:53 -0000 > @@ -53,10 +53,12 @@ > RSA *rsa; > DSA *dsa; > k = xmalloc(sizeof(*k)); > + memset(k, 0, sizeof(*k)); > k->type = type; > k->flags = 0; > k->dsa = NULL; > k->rsa = NULL; > + k->x509 = NULL; > switch (k->type) { > case KEY_RSA1: > case KEY_RSA: > @@ -141,6 +143,10 @@ > fatal("key_free: bad key type %d", k->type); > break; > } > + if (k->x509 != NULL) { > + X509_free(k->x509); > + k->x509 = NULL; > + } > xfree(k); > } > int > @@ -538,6 +544,8 @@ > { > switch (k->type) { > case KEY_RSA: > + if (k->x509) > + return "x509v3-sign-rsa"; > return "ssh-rsa"; > break; > case KEY_DSA: > @@ -641,6 +649,10 @@ > return KEY_RSA; > } else if (strcmp(name, "ssh-dss") == 0) { > return KEY_DSA; > + } else if (strcmp(name, "x509v3-sign-rsa") == 0) { > + return KEY_RSA; > + } else if (strcmp(name, "x509v3-sign-dss") == 0) { > + return KEY_DSA; > } > debug2("key_type_from_name: unknown key type '%s'", name); > return KEY_UNSPEC; 
> @@ -739,9 +751,16 @@ > buffer_put_bignum2(&b, key->dsa->pub_key); > break; > case KEY_RSA: > - buffer_put_cstring(&b, key_ssh_name(key)); > - buffer_put_bignum2(&b, key->rsa->e); > - buffer_put_bignum2(&b, key->rsa->n); > + if (key->x509) { > + /* XXX ssh.com does not accept a key name here */ > + len = i2d_X509(key->x509, NULL); > + buf = buffer_append_space(&b, len); > + i2d_X509(key->x509, &buf); > + } else { > + buffer_put_cstring(&b, key_ssh_name(key)); > + buffer_put_bignum2(&b, key->rsa->e); > + buffer_put_bignum2(&b, key->rsa->n); > + } > break; > default: > error("key_to_blob: unsupported key type %d", key->type); > Index: key.h > =================================================================== > RCS file: /home/markus/cvs/ssh/key.h,v > retrieving revision 1.17 > diff -u -r1.17 key.h > --- key.h 17 Sep 2001 19:27:15 -0000 1.17 > +++ key.h 30 Jan 2002 15:23:11 -0000 > @@ -28,6 +28,7 @@ > > #include > #include > +#include > > typedef struct Key Key; > enum types { > @@ -53,6 +54,7 @@ > int flags; > RSA *rsa; > DSA *dsa; > + X509 *x509; > }; > > Key *key_new(int); > Index: ssh-rsa.c > =================================================================== > RCS file: /home/markus/cvs/ssh/ssh-rsa.c,v > retrieving revision 1.15 > diff -u -r1.15 ssh-rsa.c > --- ssh-rsa.c 25 Jan 2002 21:42:11 -0000 1.15 > +++ ssh-rsa.c 31 Jan 2002 09:23:53 -0000 
> @@ -91,7 +91,11 @@ > } > /* encode signature */ > buffer_init(&b); > +#if 0 > buffer_put_cstring(&b, "ssh-rsa"); > +#else > + buffer_put_cstring(&b, key_ssh_name(key)); > +#endif > buffer_put_string(&b, sig, slen); > len = buffer_len(&b); > ret = xmalloc(len);
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

Ed Phillips
University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

From william.hahn at ps.ge.com Thu Feb 21 01:47:48 2002
From: william.hahn at ps.ge.com (william.hahn at ps.ge.com)
Date: Wed, 20 Feb 2002 09:47:48 -0500
Subject: Is there a way to tell the sshd to ignore the security check on the user's home permissions?
Message-ID: <01777D788919D5118EDD00508BCFEA7B01BDDEBB@nyschx16psge.sch.ge.com>

Is there a way to tell the sshd to ignore the security check on the user's home permissions?

debug3: secure_filename: checking '/ftpdata/pxdata/pold/data/.ssh'
debug3: secure_filename: checking '/ftpdata/pxdata/pold/data'
Authentication refused: bad ownership or modes for directory /ftpdata/pxdata/fold/data
debug1: restore_uid
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for bold from 3.72.144.164 port 1201 ssh2
Authentication refused: bad ownership or modes for directory

From mjs at ams.org Thu Feb 21 02:59:31 2002
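Review bot: in the authfile.c hunk the certificate is read but never checked against the private key just loaded: after `PEM_read_X509` succeeds nothing confirms that the certificate's public key is the public half of `prv`, so a stale or wrong HOSTKEY.crt appended to the `+cert` file would be advertised to clients while sshd signs with a key the certificate does not belong to. Add `X509_check_private_key(prv->x509, pk)` (or compare the RSA modulus) and drop the certificate with a warning on mismatch. Also, inside the `DEBUG_X509` block the `pkey` returned by `X509_get_pubkey()` is a new reference and is never `EVP_PKEY_free()`d.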
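Review bot: in the key.c `key_new` hunk the added `memset(k, 0, sizeof(*k))` makes the explicit `k->dsa = NULL`, `k->rsa = NULL` and the new `k->x509 = NULL` redundant; keep one form or the other. The memset is the safer choice given that `struct Key` now carries a pointer every allocation path must clear.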
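Review bot: the `key_type_from_name` hunk accepts `"x509v3-sign-dss"` and maps it to `KEY_DSA`, but the `key_ssh_name` hunk only returns the x509 name for `KEY_RSA` and the `key_to_blob` hunk only serialises the certificate in the `KEY_RSA` branch. A DSA key loaded with a certificate would therefore be announced as `ssh-dss` and sent without its certificate. Either add the matching DSA branches or refuse to attach a certificate to a DSA key so the two directions agree.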
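Review bot: the `key_to_blob` hunk calls `buf = buffer_append_space(&b, len)`, but `buffer_append_space()` in this tree takes the output pointer as an argument, `buffer_append_space(&b, &buf, len)`, which is exactly the one-line fix Ed Phillips reports further down the thread; as posted the hunk does not compile. The hunk also uses `len` and `buf` without showing their declarations in `key_to_blob`, so the reader has to add them (an int and an unsigned char pointer, respectively). Finally, the `XXX ssh.com does not accept a key name here` comment means the blob is a bare DER certificate with no `x509v3-sign-rsa` string in front of it, so OpenSSH's own blob parser cannot tell it apart from a malformed `ssh-rsa` blob; that limitation deserves a sentence in the commit message.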
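Review bot: in the key.h hunk the header name on the added `#include` line (and on the two existing ones) did not survive the mail, presumably because the angle brackets were stripped; restate which header is included (the `X509` type comes from OpenSSL's x509 header) so the patch can be applied as posted.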
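Review bot: the ssh-rsa.c hunk leaves the old `buffer_put_cstring(&b, "ssh-rsa")` behind an `#if 0 / #else / #endif`; replace the line instead of keeping dead code. More importantly, the signature blob now carries `x509v3-sign-rsa` whenever the key has a certificate, and no matching change to the verifying side is in this diff, so any peer that still expects the literal `ssh-rsa` identifier (an OpenSSH client, for instance) would reject signatures from a certified host key. The cover note only claims the ssh.com client, but that consequence should be stated explicitly.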
From: mjs at ams.org (Matt Studley)
Date: Wed, 20 Feb 2002 10:59:31 -0500 (EST)
Subject: Is there a way to tell the sshd to ignore the security check on the user's home permissions?
In-Reply-To: <01777D788919D5118EDD00508BCFEA7B01BDDEBB@nyschx16psge.sch.ge.com>
Message-ID:

I believe that you can set the StrictModes option to 'no' in the sshd_config file and this will skip the security check. This is strongly discouraged however, as it is a security risk. Even if StrictModes is enabled, you can defeat it by compiling sshd with the --enable-group-writeability flag, which makes group-writable files acceptable to StrictModes (if this is in fact what you want).

A note: sshd does not check ACLs, so you might use this avenue to accomplish what you want.

Hope this helps.

Matt Studley
American Mathematical Society
UNIX Sys Admin
mjs at ams.org
"Quantum Mechanics - The dreams that stuff is made of"

On Wed, 20 Feb 2002 william.hahn at ps.ge.com wrote:

> Is there a way to tell the sshd to ignore the security check on the user's
> home permissions?
>
>
> debug3: secure_filename: checking '/ftpdata/pxdata/pold/data/.ssh'
> debug3: secure_filename: checking '/ftpdata/pxdata/pold/data'
> Authentication refused: bad ownership or modes for directory
> /ftpdata/pxdata/fold/data
> debug1: restore_uid
> debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
> Failed publickey for bold from 3.72.144.164 port 1201 ssh2
> Authentication refused: bad ownership or modes for directory
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From bugzilla-daemon at mindrot.org Thu Feb 21 03:21:38 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 21 Feb 2002 03:21:38 +1100 (EST)
Subject: [Bug 122] New: sshd does not update wtmpx at end of session
Message-ID: <20020220162138.3ED2CE9AE@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=122

Summary: sshd does not update wtmpx at end of session
Product: Portable OpenSSH
Version: 3.0.2p1
Platform: UltraSparc
OS/Version: Solaris
Status: NEW
Severity: major
Priority: P2
Component: sshd
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: jaearick at colby.edu
CC: jaearick at colby.edu

I have discovered that sshd does not write a ut_type = 8 (DEAD_PROCESS) record into /var/adm/wtmpx, but it does write such a record into /var/adm/utmpx. The net effect of this is that it looks like ssh users never log out when you run "last" or other codes that analyze wtmpx.

I wrote a small C program to read and write out every record in /var/adm/wtmpx. Then I logged into and out of my test machine with telnet, rlogin, and ssh. Then I ran my C program to look at the results. Here they are:

user:line:pid:type:exit/term:host:time
joeblow:pts/3:8477:7:0/0:0:cayuga:Wed Feb 20 10:08:43 2002
joeblow:pts/3:8477:8:0/0:0:cayuga:Wed Feb 20 10:08:57 2002
joeblow:pts/3:8509:7:0/0:0:cayuga:Wed Feb 20 10:09:16 2002
joeblow:pts/3:8509:8:0/0:0:cayuga:Wed Feb 20 10:09:55 2002
joeblow:pts/3:8546:7:0/0:0:cayuga:Wed Feb 20 10:10:08 2002

The first two records are for telnet, the second two for rlogin, the last for ssh. No type=8 record for ssh. I can send you the C code that reads /var/adm/wtmpx if you need it.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From fcusack at fcusack.com Thu Feb 21 04:24:11 2002
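To see the effect the bug report describes without a Solaris box, here is an added example (not the reporter's program) that replays the dump lines above in the colon-separated form he printed, pairs each USER_PROCESS (7) record with its DEAD_PROCESS (8) partner, and reports the sessions that never close; that is what "last" would show as still logged in. The sample dump is the one from the report, embedded as constructed input.

```c
#include <stdio.h>
#include <string.h>

#define WTMP_USER_PROCESS 7     /* ut_type of a login record */
#define WTMP_DEAD_PROCESS 8     /* ut_type of the matching logout record */

struct wrec {
    char user[32];
    char line[32];
    int  pid;
    int  type;
};

/* Constructed sample: the dump lines from the bug report, header included.
 * Records 1-2 are telnet, 3-4 rlogin, 5 the ssh login with no type-8 partner. */
const char *const sample_dump[] = {
    "user:line:pid:type:exit/term:host:time",
    "joeblow:pts/3:8477:7:0/0:0:cayuga:Wed Feb 20 10:08:43 2002",
    "joeblow:pts/3:8477:8:0/0:0:cayuga:Wed Feb 20 10:08:57 2002",
    "joeblow:pts/3:8509:7:0/0:0:cayuga:Wed Feb 20 10:09:16 2002",
    "joeblow:pts/3:8509:8:0/0:0:cayuga:Wed Feb 20 10:09:55 2002",
    "joeblow:pts/3:8546:7:0/0:0:cayuga:Wed Feb 20 10:10:08 2002",
};
const size_t sample_dump_len = sizeof sample_dump / sizeof sample_dump[0];

/* Parse "user:line:pid:type:..." into r. Returns 0 for the header line or
 * anything malformed, so such lines are skipped rather than mis-paired. */
int parse_wrec(const char *text, struct wrec *r)
{
    return sscanf(text, "%31[^:]:%31[^:]:%d:%d",
                  r->user, r->line, &r->pid, &r->type) == 4;
}

/* Replay the dump in order: a type-7 record opens a session on (line, pid),
 * a type-8 record with the same line and pid closes it. Sessions still open
 * at the end are copied to `out` (at most `max`) and their count returned.
 * last(1) pairs by line alone; pid is added here so consecutive sessions on
 * the same pty are matched unambiguously. */
size_t find_unclosed(const char *const *lines, size_t n,
                     struct wrec *out, size_t max)
{
    struct wrec open[64];
    size_t nopen = 0, i, j;

    for (i = 0; i < n; i++) {
        struct wrec r;
        if (!parse_wrec(lines[i], &r))
            continue;
        if (r.type == WTMP_USER_PROCESS) {
            if (nopen < sizeof open / sizeof open[0])
                open[nopen++] = r;
        } else if (r.type == WTMP_DEAD_PROCESS) {
            for (j = 0; j < nopen; j++) {
                if (open[j].pid == r.pid && strcmp(open[j].line, r.line) == 0) {
                    open[j] = open[--nopen];   /* close it */
                    break;
                }
            }
        }
    }
    for (i = 0; i < nopen && i < max; i++)
        out[i] = open[i];
    return nopen;
}

/* Convenience for the sample: pid of the single unclosed session, or -1. */
int sample_unclosed_pid(void)
{
    struct wrec left[8];
    if (find_unclosed(sample_dump, sample_dump_len, left, 8) != 1)
        return -1;
    return left[0].pid;
}

int main(void)
{
    struct wrec left[8];
    size_t n = find_unclosed(sample_dump, sample_dump_len, left, 8), i;

    for (i = 0; i < n; i++)
        printf("%s on %s (pid %d): login record but no DEAD_PROCESS\n",
               left[i].user, left[i].line, left[i].pid);
    return n ? 1 : 0;
}
```

Feeding real /var/adm/wtmpx records through the same pairing (after converting them to this line format) gives the list of logins that "last" will never show as ended.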
From: fcusack at fcusack.com (Frank Cusack)
Date: Wed, 20 Feb 2002 09:24:11 -0800
Subject: x509 for hostkeys.
In-Reply-To: ; from ed@UDel.Edu on Wed, Feb 20, 2002 at 09:21:45AM -0500
References: <20020131120909.A28305@folly>
Message-ID: <20020220092411.B5552@google.com>

On Wed, Feb 20, 2002 at 09:21:45AM -0500, Ed Phillips wrote:
> Well, I successfully got the patched version working, but as it turns out,
> we don't have the "commercial" version of the SSH.COM software here at
> UD... and the free-for-non-commercial-use client doesn't support PKI.
>
> Maybe at some point I'll get time to implement the client bits in
> OpenSSH... but until then, I won't be able to test the X.509 hostkey
> patch.

If you are unable to test it how do you know you got it working?
Do you mean you got it patched and compiling successfully?

Can you post an updated patch (if it's different than your original one)?

thanks
/fc

From mouring at etoh.eviladmin.org Thu Feb 21 04:31:35 2002
From: mouring at etoh.eviladmin.org (mouring)
Date: Wed, 20 Feb 2002 11:31:35 -0600 (CST)
Subject: Call for testing.
Message-ID:

Recently we made some major changes to do_child() in OpenSSH -current. Those changes included splitting it up into smaller chunks to help with readability and also to extract out IRIX and AIX specific code to reduce the number of lines in our diffs against the OpenSSH tree.

I need people to do some testing on different platforms to ensure that all the right #ifdef/#endif bits got put back in right. The main platforms I'm concerned with are AIX, IRIX, and OSF, since those had the most #ifdef/#endif within the code. However, Cygwin and Linux (PAM) were also in there (I know it compiles under Redhat 7.2, just could not do a running test).

Grab it here:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/openssh-SNAP-20020220.tar.gz

Or from any openbsd mirror site.

Thanks

- Ben

From jh at oobleck.astro.cornell.edu Thu Feb 21 05:37:06 2002
From: jh at oobleck.astro.cornell.edu (Joe Harrington)
Date: Wed, 20 Feb 2002 13:37:06 -0500
Subject: feature request: add -a to scp for archive-style copy
Message-ID: <200202201837.g1KIb6017804@oobleck.astro.cornell.edu>

This is a feature request for scp. scp has no easy option to copy symlinks, etc. to reproduce a directory tree. The -r option follows symlinks and reads the data out of device files when copying. A few years ago, the -a option was added to normal cp, replacing the cumbersome and arcane

    (cd wherever1 ; tar cf - whatever) | (cd wherever2 ; tar xpf - )

with

    cp -a wherever1/whatever wherever2

Adding a -a option to scp would likewise eliminate the need for the even more obscure but frequently-typed

    ssh wherever1 -l whoever "(cd wherever2 ; tar cf - whatever)" | (cd wherever3 ; tar xpf - )

Instead, it would be

    scp -a whoever at wherever1:wherever2/whatever wherever3

(cpio fans can make the appropriate replacements).

The -a feature doesn't exist under Red Hat's openssh-2.9p2-12, and I can't find release notes for any more recent version on openssh.org. If it has been discussed or (!) implemented in 3.0.X, thanks!

--jh--

From ed at UDel.Edu Thu Feb 21 06:08:15 2002
From: ed at UDel.Edu (Ed Phillips)
Date: Wed, 20 Feb 2002 14:08:15 -0500 (EST)
Subject: x509 for hostkeys.
In-Reply-To: <20020220092411.B5552@google.com>
Message-ID:

On Wed, 20 Feb 2002, Frank Cusack wrote:

> Date: Wed, 20 Feb 2002 09:24:11 -0800
> From: Frank Cusack
> To: Ed Phillips
> Cc: OpenSSH Development
> Subject: Re: x509 for hostkeys.
>
> On Wed, Feb 20, 2002 at 09:21:45AM -0500, Ed Phillips wrote:
> > Well, I successfully got the patched version working, but as it turns out,
> > we don't have the "commercial" version of the SSH.COM software here at
> > UD... and the free-for-non-commercial-use client doesn't support PKI.
> >
> > Maybe at some point I'll get time to implement the client bits in
> > OpenSSH... but until then, I won't be able to test the X.509 hostkey
> > patch.
>
> If you are unable to test it how do you know you got it working?
> Do you mean you got it patched and compiling successfully?

Working, in the sense that I successfully compiled the patched code (after a crucial change from Markus), and the resulting sshd seems to load the host key+cert and send it out to a client properly... but I can't complete the test because I don't have the "commercial" SSH.COM client that supports PKI.

> Can you post an updated patch (if it's different than your original
> one)?

It's the original patch submitted by Markus, and the one-line change that he submitted to the list last week. You should probably check the list archives for the relevant posts if you want to try out the patch. If you apply the original patch that Markus posted, and then change line 741 of key.c to:

    buffer_append_space(&b, &buf, len);

... you should be able to get it to compile at least. Then you need to create a CA keypair, and follow Markus' instructions for making a hostkey certificate and installing it for the test.

I'd post a new version of Markus' patch, but everyone seems to want a "unified diff" and Sol8 /usr/bin/diff doesn't seem to do that...

Ed

Ed Phillips
University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

From pekkas at netcore.fi Thu Feb 21 06:36:50 2002
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 20 Feb 2002 21:36:50 +0200 (EET)
Subject: feature request: add -a to scp for archive-style copy
In-Reply-To: <200202201837.g1KIb6017804@oobleck.astro.cornell.edu>
Message-ID:

On Wed, 20 Feb 2002, Joe Harrington wrote:
> This is a feature request for scp. scp has no easy option to copy
> symlinks, etc. to reproduce a directory tree. The -r option follows
> symlinks and reads the data out of device files when copying. A few
> years ago, the -a option was added to normal cp, replacing the
> cumbersome and arcane
>
> (cd wherever1 ; tar cf - whatever) | (cd wherever2 ; tar xpf - )
>
> with
>
> cp -a wherever1/whatever wherever2
>
> Adding a -a option to scp would likewise eliminate the need for the
> even more obscure but frequently-typed

I like this personally, but I doubt main OpenSSH people agree.. partially because BSD make doesn't support 'cp -a'.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.   -- Robert Jordan: A Crown of Swords

From jmknoble at pobox.com Thu Feb 21 07:09:25 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Wed, 20 Feb 2002 15:09:25 -0500
Subject: feature request: add -a to scp for archive-style copy
In-Reply-To: <200202201837.g1KIb6017804@oobleck.astro.cornell.edu>; from jh@oobleck.astro.cornell.edu on Wed, Feb 20, 2002 at 01:37:06PM -0500
References: <200202201837.g1KIb6017804@oobleck.astro.cornell.edu>
Message-ID: <20020220150925.B22365@shell.ntrnet.net>

Circa 2002-Feb-20 13:37:06 -0500 dixit Joe Harrington:

: This is a feature request for scp. scp has no easy option to copy
: symlinks, etc. to reproduce a directory tree. The -r option follows
: symlinks and reads the data out of device files when copying. A few
: years ago, the -a option was added to normal cp, replacing the
: cumbersome and arcane
[...]

'cp -a', to my knowledge, only works with the cp from GNU fileutils.

I recommend using 'rsync -a'---it does exactly what you ask. In fact, i recommend using rsync instead of scp for almost all cases, in particular because it avoids potential problems with SSHv1/SSHv2 compatibility when one of the client/server pair is OpenSSH and the other is SSH.com's.

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/

From cjc5 at po.cwru.edu Thu Feb 21 07:22:01 2002
From: cjc5 at po.cwru.edu (Craig J Copi)
Date: Wed, 20 Feb 2002 15:22:01 -0500
Subject: feature request: add -a to scp for archive-style copy
In-Reply-To: Your message of "Wed, 20 Feb 2002 15:09:25 EST." <20020220150925.B22365@shell.ntrnet.net>
Message-ID: <200202202022.g1KKM1d16928@aether.PHYS.cwru.edu>

Jim Knoble writes:
>Circa 2002-Feb-20 13:37:06 -0500 dixit Joe Harrington:
>
>: This is a feature request for scp. scp has no easy option to copy
>: symlinks, etc. to reproduce a directory tree. The -r option follows
>: symlinks and reads the data out of device files when copying. A few
>: years ago, the -a option was added to normal cp, replacing the
>: cumbersome and arcane
> [...]
>
>'cp -a', to my knowledge, only works with the cp from GNU fileutils.

-a == -pRd where
  -p is preserve
  -R is recurse
  -d is "don't dereference symlinks"

For OpenBSD cp this appears to be equivalent to -pRP.

scp already has -r and -p, it does not have the equivalent of -d or -P. So is such a thing useful for scp? Using rsync/tar/... isn't that hard.

Craig

From austin at coremetrics.com Thu Feb 21 07:28:40 2002
From: austin at coremetrics.com (Austin Gonyou)
Date: 20 Feb 2002 14:28:40 -0600
Subject: feature request: add -a to scp for archive-style copy
In-Reply-To: <200202202022.g1KKM1d16928@aether.PHYS.cwru.edu>
References: <200202202022.g1KKM1d16928@aether.PHYS.cwru.edu>
Message-ID: <1014236920.10758.5.camel@UberGeek>

I think this is useful for minimal systems, where you don't want rsync/tar to exist.

On Wed, 2002-02-20 at 14:22, Craig J Copi wrote:
> Jim Knoble writes:
> >Circa 2002-Feb-20 13:37:06 -0500 dixit Joe Harrington:
> >
> >: This is a feature request for scp. scp has no easy option to copy
> >: symlinks, etc. to reproduce a directory tree. The -r option follows
> >: symlinks and reads the data out of device files when copying. A few
> >: years ago, the -a option was added to normal cp, replacing the
> >: cumbersome and arcane
> > [...]
> >
> >'cp -a', to my knowledge, only works with the cp from GNU fileutils.
>
> -a == -pRd where
> -p is preserve
> -R is recurse
> -d is "don't dereference symlinks"
>
> For OpenBSD cp this appears to be equivalent to -pRP.
>
> scp already has -r and -p, it does not have the equivalent of -d or -P.
> So is such a thing useful for scp? Using rsync/tar/... isn't that hard.
>
> Craig
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com

"It is the part of a good shepherd to shear his flock, not to skin it."
Latin Proverb

From joshua.mehlman at morganstanley.com Thu Feb 21 07:52:53 2002
From: joshua.mehlman at morganstanley.com (Joshua Mehlman)
Date: Wed, 20 Feb 2002 12:52:53 -0800 (PST)
Subject: [Bug 121] New: ssh hangs on exit (not damon, nor background)
In-Reply-To: <20020219164312.B27398@sm2p1386swk.wdr.com>
Message-ID:

Sorry it took so long to get back (it is much easier to test for it with a client change). But I have been able to reproduce 3 times in the past 4h without the patch and 0 with.

Thanks much and sorry for not thinking that this was the problem that I was seeing. The description was pretty old and looked a little different to me.

I assume that this patch will be in the next rel?

-----------------------
Joshua B. Mehlman
Systems Administrator
Morgan Stanley Online
-----------------------

On Tue, 19 Feb 2002, Nicolas Williams wrote:

> This sounds like the SIGCHLD race bug.
>
> Check if the sshd has a defunct child when hanging - if so, send SIGCHLD
> to the sshd and watch the connection close.
>
> Search the list. Patches have been posted.
>
> Cheers,
>
> Nico
>
>
> On Wed, Feb 20, 2002 at 08:24:45AM +1100, bugzilla-daemon at mindrot.org wrote:
> > http://bugzilla.mindrot.org/show_bug.cgi?id=121
> >
> > Summary: ssh hangs on exit (not damon, nor background)
> > Product: Portable OpenSSH
> > Version: 3.0.2p1
> > Platform: Other
> > OS/Version: other
> > Status: NEW
> > Severity: normal
> > Priority: P2
> > Component: ssh
> > AssignedTo: openssh-unix-dev at mindrot.org
> > ReportedBy: joshua.mehlman at morganstanley.com
> >
> >
> > ssh running on Solaris 2.8 occasionally hangs on exit. I run the command
> >   ssh -v server hostname
> > we have also seen this with different commands and even just getting a shell.
> > (note I have tried with -t, -n and of course without the -v and a -v -v -v give
> > no more info)
> > and about 1 time out of 1000 it hangs.
> > The verbose output is as follows:
> > debug1: Sending command: hostname
> > debug1: channel 0: open confirm rwindow 0 rmax 16384
> > debug1: channel 0: rcvd eof
> > debug1: channel 0: output open -> drain
> > server
> > debug1: channel 0: obuf empty
> > debug1: channel 0: output drain -> closed
> > debug1: channel 0: close_write
> >
> >
> > Then comes the hang. Note that this is different than the bg file wait issue.
> >
> > a netstat on the client:
> > client# netstat -a | grep server
> > client.34819 server.ssh 17520 0 33580 0 ESTABLISHED
> > client.34820 server.ssh 17520 0 33580 0 TIME_WAIT
> >
> >
> > and one on the server:
> > server# netstat -a | grep client
> > server.full.domain.name.com.ssh client.34819 33580 0 17520 0 ESTABLISHED
> >
> > and some ps :
> > client# ps -ef | grep hostname
> > root 19944 2917 0 12:32:19 ? 0:01 /usr/local/bin/ssh -n -v server hostname
> >
> > server# ps -ef | grep ssh
> > root 3439 10524 0 12:32:21 ? 0:01 /services/ssh/sbin/sshd
> >
> >
> >
> > ------- You are receiving this mail because: -------
> > You are the assignee for the bug, or are watching the assignee.
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> --
> -DISCLAIMER: an automatically appended disclaimer may follow. By posting-
> -to a public e-mail mailing list I hereby grant permission to distribute-
> -and copy this message.-
>
> Visit our website at http://www.ubswarburg.com
>
> This message contains confidential information and is intended only
> for the individual named. If you are not the named addressee you
> should not disseminate, distribute or copy this e-mail. Please
> notify the sender immediately by e-mail if you have received this
> e-mail by mistake and delete this e-mail from your system.
>
> E-mail transmission cannot be guaranteed to be secure or error-free
> as information could be intercepted, corrupted, lost, destroyed,
> arrive late or incomplete, or contain viruses. The sender therefore
> does not accept liability for any errors or omissions in the contents
> of this message which arise as a result of e-mail transmission. If
> verification is required please request a hard-copy version. This
> message is provided for informational purposes and should not be
> construed as a solicitation or offer to buy or sell any securities or
> related financial instruments.
>

From bugzilla-daemon at mindrot.org Thu Feb 21 08:05:36 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 21 Feb 2002 08:05:36 +1100 (EST)
Subject: [Bug 121] ssh hangs on exit (not damon, nor background)
Message-ID: <20020220210536.596ACE9DB@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=121

joshua.mehlman at morganstanley.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From joshua.mehlman at morganstanley.com 2002-02-21 08:05 -------
*** This bug has been marked as a duplicate of 79 ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Feb 21 08:05:42 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 21 Feb 2002 08:05:42 +1100 (EST)
Subject: [Bug 79] A race with select() in SIGCHLD handling causes hangs occasionally
Message-ID: <20020220210542.42911E9DE@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=79

joshua.mehlman at morganstanley.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |joshua.mehlman at morganstanley
                   |                            |.com

------- Additional Comments From joshua.mehlman at morganstanley.com 2002-02-21 08:05 -------
*** Bug 121 has been marked as a duplicate of this bug. ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
You are on the CC list for the bug, or are watching someone who is.

From bugzilla-daemon at mindrot.org Thu Feb 21 08:41:01 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 21 Feb 2002 08:41:01 +1100 (EST)
Subject: [Bug 112] Using host key fingerprint instead of "yes"
Message-ID: <20020220214101.59E29E92A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=112

------- Additional Comments From peak at argo.troja.mff.cuni.cz 2002-02-21 08:40 -------
I have modified the patch to accept "yes"/"no"/"check". When you say "check", it prompts for a fingerprint ("Enter the expected key fingerprint (DO NOT copy the fingerprint that might have been displayed earlier)"), compares it with the key received from the server, and prints the result ("The fingerprints match." / "The fingerprints do not match.").

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Feb 21 08:43:36 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 21 Feb 2002 08:43:36 +1100 (EST)
Subject: [Bug 112] Using host key fingerprint instead of "yes"
Message-ID: <20020220214336.AE437E943@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=112

------- Additional Comments From peak at argo.troja.mff.cuni.cz 2002-02-21 08:43 -------
Created an attachment (id=28)
improved fingerprint checking patch against CVS

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Feb 21 09:00:40 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 21 Feb 2002 09:00:40 +1100 (EST)
Subject: [Bug 112] Using host key fingerprint instead of "yes"
Message-ID: <20020220220040.87F2DE9DE@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=112

------- Additional Comments From mouring at eviladmin.org 2002-02-21 09:00 -------
Would it be better not to display the foreign fingerprint in check mode? This may ensure that the user is not cutting and pasting the wrong entry.

- Ben

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Feb 21 09:11:24 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 21 Feb 2002 09:11:24 +1100 (EST)
Subject: [Bug 123] New: ssh linked with libpam
Message-ID: <20020220221124.3597CE9DE@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=123

Summary: ssh linked with libpam
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: minor
Priority: P2
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: peak at argo.troja.mff.cuni.cz

When you run configure with --with-pam, all programs, including ssh and other client progs, are linked with libpam. This is pointless because only sshd needs PAM, and it can become a real (albeit minor) problem if libpam is linked dynamically because the resulting binaries will not work without libpam.so.N even if they do not use it.

My autoconf wizardry level is not high enough to provide a real patch but I suppose one should add a special AC_SUBST for libpam, change the action of AC_CHECK_LIB(pam, pam_set_item, , ...) to modify this special variable (rather than LIBS) and add this subst to sshd's rule in Makefile.in.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Feb 21 09:19:03 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 21 Feb 2002 09:19:03 +1100 (EST)
Subject: [Bug 112] Using host key fingerprint instead of "yes"
Message-ID: <20020220221903.4D4D0E92A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=112

------- Additional Comments From maf at appgate.com 2002-02-21 09:18 -------
One could print the foreign id with dots instead of colons. Then refuse that format on input. That way you can not just simply cut'n'paste it.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From jmknoble at pobox.com Thu Feb 21 09:50:02 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Wed, 20 Feb 2002 17:50:02 -0500
Subject: [Bug 112] Using host key fingerprint instead of "yes"
In-Reply-To: <20020220221903.4D4D0E92A@shitei.mindrot.org>; from bugzilla-daemon@mindrot.org on Thu, Feb 21, 2002 at 09:19:03AM +1100
References: <20020220221903.4D4D0E92A@shitei.mindrot.org>
Message-ID: <20020220175002.C22365@shell.ntrnet.net>

Circa 2002-Feb-21 09:19:03 +1100 dixit bugzilla-daemon at mindrot.org:

: http://bugzilla.mindrot.org/show_bug.cgi?id=112
:
: ------- Additional Comments From maf at appgate.com 2002-02-21 09:18 -------
: One could print the foreign id with dots instead of colons.
: Then refuse that format on input. That way you can not just simply
: cut'n'paste it.

Yuck. That would just make ssh appear stupid. Much better to simply not display the fingerprint, as Ben suggested.

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/

From bugzilla-daemon at mindrot.org Thu Feb 21 09:59:31 2002
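The "check" answer discussed in bug 112, as an added example that is not the bugzilla patch: the user types the fingerprint obtained out of band (ssh-keygen -l on the server), the client compares it with the fingerprint of the key it actually received, and only then says match or mismatch. The parser is deliberately strict so that a mistyped or truncated answer can never pass, and the received fingerprint is formatted only after the verdict, which is the point Ben and djast make. The MD5 digest used as the "received" value is a constructed sample, and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FP_LEN 16   /* MD5 fingerprint: 16 bytes, shown as 32 hex digits */

/* Constructed sample standing in for the digest of the key the server sent. */
const unsigned char sample_digest[FP_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9')
        return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f')
        return c - 'a' + 10;
    return -1;
}

/* Parse the "xx:xx:...:xx" form ssh-keygen -l prints into 16 bytes.
 * Strict on purpose: wrong length, missing colons, other separators or
 * trailing characters return 0 so a bad answer never counts as a match. */
int parse_fingerprint(const char *s, unsigned char out[FP_LEN])
{
    int i;
    for (i = 0; i < FP_LEN; i++) {
        int hi = hexval((unsigned char)s[0]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)s[1]);
        if (hi < 0 || lo < 0)
            return 0;
        out[i] = (unsigned char)(hi * 16 + lo);
        s += 2;
        if (i < FP_LEN - 1) {
            if (*s != ':')
                return 0;
            s++;
        }
    }
    return *s == '\0';
}

/* Format a digest in the usual colon-separated form; `out` needs
 * FP_LEN * 3 bytes (32 digits, 15 colons, terminator). */
void format_fingerprint(const unsigned char fp[FP_LEN], char out[FP_LEN * 3])
{
    int i;
    for (i = 0; i < FP_LEN; i++)
        sprintf(out + i * 3, "%02x%s", fp[i], i < FP_LEN - 1 ? ":" : "");
}

/* The decision: typed answer vs. digest of the key the server sent.
 * 1 = match, 0 = mismatch or unparsable answer. */
int fingerprint_check(const char *typed, const unsigned char received[FP_LEN])
{
    unsigned char expected[FP_LEN];
    if (!parse_fingerprint(typed, expected))
        return 0;
    return memcmp(expected, received, FP_LEN) == 0;
}

/* Interactive walk-through of the prompt; the received value is shown
 * only after the verdict, never as part of the question. */
int main(void)
{
    char answer[128], shown[FP_LEN * 3];

    printf("Enter the expected key fingerprint: ");
    fflush(stdout);
    if (fgets(answer, sizeof answer, stdin) == NULL)
        return 2;
    answer[strcspn(answer, "\r\n")] = '\0';
    if (fingerprint_check(answer, sample_digest)) {
        puts("The fingerprints match.");
        return 0;
    }
    format_fingerprint(sample_digest, shown);
    printf("The fingerprints do not match (server sent %s).\n", shown);
    return 1;
}
```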
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 21 Feb 2002 09:59:31 +1100 (EST)
Subject: [Bug 112] Using host key fingerprint instead of "yes"
Message-ID: <20020220225931.23673E9EE@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=112

------- Additional Comments From djast at cs.toronto.edu 2002-02-21 09:59 -------
But the whole *point* of the patch is to cut and paste it--from a trusted source. This would usually be "ssh-keygen -l", but it could also be the output of another previous ssh session (run from a more trustworthy context).

Poisoning the format of the displayed fingerprint is an ugly approach; with all due respect, the only argument for taking that tack is that it's easier to code than designing it correctly (i.e., in such a manner that it doesn't spit out the answer to the question it's asking.)

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From austin at coremetrics.com Thu Feb 21 10:26:39 2002
From: austin at coremetrics.com (Austin Gonyou)
Date: 20 Feb 2002 17:26:39 -0600
Subject: Files >2GB?
Message-ID: <1014247599.31968.1.camel@UberGeek>

OpenSSH 2.9p2 portable doesn't seem to like files >2GB.

Is there an option for this, or a way to enable file transfers of files >2GB using scp or sftp?

TIA
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com

"It is the part of a good shepherd to shear his flock, not to skin it."
Latin Proverb

From Jason.Lacoss-Arnold at AGEDWARDS.com Thu Feb 21 10:40:29 2002
From: Jason.Lacoss-Arnold at AGEDWARDS.com (Lacoss-Arnold, Jason)
Date: Wed, 20 Feb 2002 17:40:29 -0600
Subject: Files >2GB?
Message-ID: <6808DCE827EBD5119DFB0002A58EF4DA57E606@hqempn06.agedwards.com>

./configure --enable-largefile

Which should be the default IMO, but hey, who asked me.

Thanks,
--Jason Lacoss-Arnold, Systems Technical Specialist
Technical Services - Unix Arch.
314-955-8501

-----Original Message-----
From: Austin Gonyou [mailto:austin at coremetrics.com]
Sent: Wednesday, February 20, 2002 17:27
To: openssh-unix-dev at mindrot.org
Subject: Files >2GB?

OpenSSH 2.9p2 portable doesn't seem to like files >2GB.

Is there an option for this, or a way to enable file transfers of files >2GB using scp or sftp?

TIA
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com

"It is the part of a good shepherd to shear his flock, not to skin it."
Latin Proverb
_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

***************************************************************************************
WARNING: All e-mail sent to and from this address will be received or otherwise recorded by the A.G. Edwards corporate e-mail system and is subject to archival, monitoring or review by, and/or disclosure to, someone other than the recipient.
***************************************************************************************

From austin at coremetrics.com Thu Feb 21 10:46:50 2002
From: austin at coremetrics.com (Austin Gonyou)
Date: 20 Feb 2002 17:46:50 -0600
Subject: Files >2GB?
In-Reply-To: <6808DCE827EBD5119DFB0002A58EF4DA57E606@hqempn06.agedwards.com>
References: <6808DCE827EBD5119DFB0002A58EF4DA57E606@hqempn06.agedwards.com>
Message-ID: <1014248810.30763.3.camel@UberGeek>

Ahh...since we've got the RPM's on here, not from src, that would explain why we can't necessarily overcome it. I'll go modify a srpm and rebuild that! THX.

On Wed, 2002-02-20 at 17:40, Lacoss-Arnold, Jason wrote:
> ./configure --enable-largefile
>
> Which should be the default IMO, but hey, who asked me.
>
> Thanks,
> --Jason Lacoss-Arnold, Systems Technical Specialist
> Technical Services - Unix Arch.
> 314-955-8501
>
>
> -----Original Message-----
> From: Austin Gonyou [mailto:austin at coremetrics.com]
> Sent: Wednesday, February 20, 2002 17:27
> To: openssh-unix-dev at mindrot.org
> Subject: Files >2GB?
>
>
> OpenSSH 2.9p2 portable doesn't seem to like files >2GB.
>
> Is there an option for this, or a way to enable file transfers of files
> >2GB using scp or sftp?
> TIA
> --
> Austin Gonyou
> Systems Architect, CCNA
> Coremetrics, Inc.
> Phone: 512-698-7250
> email: austin at coremetrics.com
>
> "It is the part of a good shepherd to shear his flock, not to skin it."
> Latin Proverb
>
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com

"It is the part of a good shepherd to shear his flock, not to skin it."
Latin Proverb

From austin at coremetrics.com Thu Feb 21 11:53:02 2002
From: austin at coremetrics.com (Austin Gonyou)
Date: 20 Feb 2002 18:53:02 -0600
Subject: Files >2GB?
In-Reply-To: <6808DCE827EBD5119DFB0002A58EF4DA57E606@hqempn06.agedwards.com>
References: <6808DCE827EBD5119DFB0002A58EF4DA57E606@hqempn06.agedwards.com>
Message-ID: <1014252782.31966.16.camel@UberGeek>

Is there a way to tell that largefiles are on once the configure is
done?

I can't seem to find any reference in the portable source to largefile,
etc.

Also, is that the *exact* syntax TBS?

On Wed, 2002-02-20 at 17:40, Lacoss-Arnold, Jason wrote:
> ./configure --enable-largefile
>
> Which should be the default IMO, but hey, who asked me.
>
> Thanks,
> --Jason Lacoss-Arnold, Systems Technical Specialist
> Technical Services - Unix Arch.
> 314-955-8501
>
>
> -----Original Message-----
> From: Austin Gonyou [mailto:austin at coremetrics.com]
> Sent: Wednesday, February 20, 2002 17:27
> To: openssh-unix-dev at mindrot.org
> Subject: Files >2GB?
>
>
> OpenSSH 2.9p2 portable doesn't seem to like files >2GB.
>
> Is there an option for this, or a way to enable file transfers of files
> >2GB using scp or sftp?
> TIA
> --
> Austin Gonyou
> Systems Architect, CCNA
> Coremetrics, Inc.
> Phone: 512-698-7250
> email: austin at coremetrics.com
>
> "It is the part of a good shepherd to shear his flock, not to skin it."
> Latin Proverb
>
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com

"It is the part of a good shepherd to shear his flock, not to skin it."
Latin Proverb

From djm at mindrot.org Thu Feb 21 12:19:45 2002
From: djm at mindrot.org (Damien Miller)
Date: Thu, 21 Feb 2002 12:19:45 +1100 (EST)
Subject: Files >2GB?
In-Reply-To: <6808DCE827EBD5119DFB0002A58EF4DA57E606@hqempn06.agedwards.com>
Message-ID:

On Wed, 20 Feb 2002, Lacoss-Arnold, Jason wrote:

> ./configure --enable-largefile
>
> Which should be the default IMO, but hey, who asked me.

It should be autodetected. I don't know whether 2.9 did the checking, but
3.02p1 should. Please report a bug if it does not work.

-d

From austin at coremetrics.com Thu Feb 21 12:45:32 2002
From: austin at coremetrics.com (Austin Gonyou)
Date: 20 Feb 2002 19:45:32 -0600
Subject: Files >2GB?
In-Reply-To:
References:
Message-ID: <1014255932.30768.36.camel@UberGeek>

Looking at the source of 2.9* portable, there is no reference to
largefile anywhere.

3.0.x does just fine.

I was a little upset to see that cause in the 2.9px announcement I found
on google, >2gb files was listed as a feature/fix.

I'm having a little trouble getting the src rpm to compile though..so
I'm going to just use the source.. the error I get is:

+ ./configure i386-redhat-linux --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info --libexecdir=/usr/libexec/openssh --datadir=/usr/share/openssh --with-pam --with-tcp-wrappers --with-rsh=/usr/bin/rsh --with-default-path=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
configure: WARNING: you should use --build, --host, --target
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... 64
checking for _LARGE_FILES value needed for large files... no
configure: WARNING: ****** Your snprintf() function is broken, complain to your vendor
+ make
In file included from ../config.h:821,
                 from ../includes.h:22,
                 from bsd-arc4random.c:25:
../defines.h:238:59: operator '(' has no left operand
make[1]: *** [bsd-arc4random.o] Error 1
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
error: Bad exit status from /var/tmp/rpm-tmp.90917 (%build)
Bad exit status from /var/tmp/rpm-tmp.90917 (%build)

I thought it was cause I still had some src lying around from an attempt
at modifying the openssh.spec to ensure largefiles were enabled by
default, but that failed too with the same error.
I deleted all my stuff (everything in /usr/src/redhat/SOURCES|SPECS|BUILD),
tried with a newly downloaded src rpm and I get the same thing.

My configuration:
binutils 2.11.2 (from source)
kernel 2.4.17-xfs-aa
gcc 3.0.3 (from source)
glibc 2.2.5 (from source)
Dual 933, Dell 1550.

On Wed, 2002-02-20 at 19:19, Damien Miller wrote:
> On Wed, 20 Feb 2002, Lacoss-Arnold, Jason wrote:
>
> > ./configure --enable-largefile
> >
> > Which should be the default IMO, but hey, who asked me.
>
> It should be autodetected. I don't know whether 2.9 did the checking,
> but
> 3.02p1 should. Please report a bug if it does not work.
>
> -d
>
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com

"It is the part of a good shepherd to shear his flock, not to skin it."
Latin Proverb

From mouring at etoh.eviladmin.org Thu Feb 21 12:23:10 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 20 Feb 2002 19:23:10 -0600 (CST)
Subject: Files >2GB?
In-Reply-To: <1014252782.31966.16.camel@UberGeek>
Message-ID:

Upgrade to 3.0.2. Older versions had autoconf issues with
64bit files.

- Ben

On 20 Feb 2002, Austin Gonyou wrote:

> Is there a way to tell that largefiles are on once the configure is
> done?
>
> I can't seem to find any reference in the portable source to largefile,
> etc.
>
> also, is that the *exact* syntax TBS?
>
> On Wed, 2002-02-20 at 17:40, Lacoss-Arnold, Jason wrote:
> > ./configure --enable-largefile
> >
> > Which should be the default IMO, but hey, who asked me.
> >
> > Thanks,
> > --Jason Lacoss-Arnold, Systems Technical Specialist
> > Technical Services - Unix Arch.
> > 314-955-8501
> >
> >
> > -----Original Message-----
> > From: Austin Gonyou [mailto:austin at coremetrics.com]
> > Sent: Wednesday, February 20, 2002 17:27
> > To: openssh-unix-dev at mindrot.org
> > Subject: Files >2GB?
> >
> >
> > OpenSSH 2.9p2 portable doesn't seem to like files >2GB.
> >
> > Is there an option for this, or a way to enable file transfers of files
> > >2GB using scp or sftp?
> > TIA
> > --
> > Austin Gonyou
> > Systems Architect, CCNA
> > Coremetrics, Inc.
> > Phone: 512-698-7250
> > email: austin at coremetrics.com
> >
> > "It is the part of a good shepherd to shear his flock, not to skin it."
> > Latin Proverb
> >
> --
> Austin Gonyou
> Systems Architect, CCNA
> Coremetrics, Inc.
> Phone: 512-698-7250
> email: austin at coremetrics.com
>
> "It is the part of a good shepherd to shear his flock, not to skin it."
> Latin Proverb
>

From austin at coremetrics.com Thu Feb 21 13:31:28 2002
From: austin at coremetrics.com (Austin Gonyou)
Date: 20 Feb 2002 20:31:28 -0600
Subject: Files >2GB?
In-Reply-To:
References:
Message-ID: <1014258688.20867.10.camel@UberGeek>

NP. Already did. :)

On Wed, 2002-02-20 at 19:23, Ben Lindstrom wrote:
>
> Upgrade to 3.0.2. Older versions had autoconf issues with
> 64bit files.
>
> - Ben
>
> On 20 Feb 2002, Austin Gonyou wrote:
>
> > Is there a way to tell that largefiles are on once the configure is
> > done?
> >
> > I can't seem to find any reference in the portable source to
> > largefile,
> > etc.
> >
> > also, is that the *exact* syntax TBS?
> >
> > On Wed, 2002-02-20 at 17:40, Lacoss-Arnold, Jason wrote:
> > > ./configure --enable-largefile
> > >
> > > Which should be the default IMO, but hey, who asked me.
> > >
> > > Thanks,
> > > --Jason Lacoss-Arnold, Systems Technical Specialist
> > > Technical Services - Unix Arch.
> > > 314-955-8501
> > >
> > >
> > > -----Original Message-----
> > > From: Austin Gonyou [mailto:austin at coremetrics.com]
> > > Sent: Wednesday, February 20, 2002 17:27
> > > To: openssh-unix-dev at mindrot.org
> > > Subject: Files >2GB?
> > >
> > >
> > > OpenSSH 2.9p2 portable doesn't seem to like files >2GB.
> > >
> > > Is there an option for this, or a way to enable file transfers of
> > > files >2GB using scp or sftp?
> > > TIA
> > > --
> > > Austin Gonyou
> > > Systems Architect, CCNA
> > > Coremetrics, Inc.
> > > Phone: 512-698-7250
> > > email: austin at coremetrics.com
> > >
> > > "It is the part of a good shepherd to shear his flock, not to skin
> > > it."
> > > Latin Proverb
> > >
> > --
> > Austin Gonyou
> > Systems Architect, CCNA
> > Coremetrics, Inc.
> > Phone: 512-698-7250
> > email: austin at coremetrics.com
> >
> > "It is the part of a good shepherd to shear his flock, not to skin
> > it."
> > Latin Proverb
> >
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com

"It is the part of a good shepherd to shear his flock, not to skin it."
Latin Proverb

From jmknoble at pobox.com Thu Feb 21 18:22:21 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Thu, 21 Feb 2002 02:22:21 -0500
Subject: Files >2GB?
In-Reply-To: <1014255932.30768.36.camel@UberGeek>; from austin@coremetrics.com on Wed, Feb 20, 2002 at 07:45:32PM -0600
References: <1014255932.30768.36.camel@UberGeek>
Message-ID: <20020221022221.A28416@shell.ntrnet.net>

Circa 2002-Feb-20 19:45:32 -0600 dixit Austin Gonyou:

: Looking at the source of 2.9* portable, there is no reference to
: largefile anywhere.
:
: 3.0.x does just fine.
:
: I was a little upset to see that cause in the 2.9px announcement I found
: on google, >2gb files was listed as a feature/fix.
:
: I'm having a little trouble getting the src rpm to compile though..so
: I'm going to just use the source..

Why don't you use the source RPM (or the binary one, if you're on Red
Hat Linux 7.2) from ftp.openssh.com? Damien's pretty good about making
sure it works (and in fact the source RPM builds fine on releases as old
as RHL-6.2).

: configure: WARNING: ****** Your snprintf() function is broken, complain
: to your vendor

What system are you building on? You shouldn't get this on any recent
system, unless you've done something weird with either OpenSSH's source
or your system include files. Or, potentially, you have a broken
compiler installation...?

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/

From tomh at po.crl.go.jp Thu Feb 21 21:27:06 2002
From: tomh at po.crl.go.jp (Tom Holroyd)
Date: Thu, 21 Feb 2002 19:27:06 +0900 (JST)
Subject: Call for testing.
In-Reply-To:
Message-ID:

On Wed, 20 Feb 2002, mouring wrote:

> The main platforms I'm concerned with are AIX, IRIX, and OSF. Since
> those had the most amount of #ifdef/#endif within the code. However
> Cygwin and Linux (PAM) also were in there (I know it compiles under
> Redhat 7.2, just could not do a running test).

I just got 20020220, and tried it out on IRIX64 6.5.

cc-1551 cc: WARNING File = sftp-client.c, Line = 802
  The variable "local_fd" is used before its value is set.

                close(local_fd);
                      ^

I dunno if that's new but it doesn't look good. Other than that,
after I installed ssh-rand-helper in the right place it worked fine.

Dr. Tom Holroyd
"I am, as I said, inspired by the biological phenomena in which
chemical forces are used in repetitious fashion to produce all
kinds of weird effects (one of which is the author)."
-- Richard Feynman, _There's Plenty of Room at the Bottom_

From vinschen at redhat.com Thu Feb 21 21:38:55 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 21 Feb 2002 11:38:55 +0100
Subject: Call for testing.
In-Reply-To:
References:
Message-ID: <20020221113855.K23094@cygbert.vinschen.de>

On Wed, Feb 20, 2002 at 11:31:35AM -0600, mouring wrote:
>
> Recently we made some major changes to do_child() in
> OpenSSH -current. Those changes included splitting it up
> into smaller chunks to help with readability and also to
> extract out IRIX and AIX specific code to reduce the number
> of lines in our diffs against the OpenSSH tree.
>
> I need people to do some testing on different platforms to ensure
> that all the right #ifdef/#endif bits got put back in right.
>
> The main platforms I'm concerned with are AIX, IRIX, and OSF. Since
> those had the most amount of #ifdef/#endif within the code. However
> Cygwin and Linux (PAM) also were in there (I know it compiles under
> Redhat 7.2, just could not do a running test).
>
> Grab it here:
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/openssh-SNAP-20020220.tar.gz

I took the latest from CVS to compile for Cygwin and I found just
a slip of the pen:

Index: session.c =================================================================== RCS file: /cvs/openssh_cvs/session.c,v retrieving revision 1.180 diff -u -p -r1.180 session.c --- session.c 19 Feb 2002 21:58:21 -0000 1.180 +++ session.c 21 Feb 2002 10:37:38 -0000 @@ -1103,7 +1103,7 @@ static void do_setusercontext(struct passwd *pw) { #ifdef HAVE_CYGWIN - if (iswinnt) { + if (is_winnt) { #else /* HAVE_CYGWIN */ if (getuid() == 0 || geteuid() == 0) { #endif /* HAVE_CYGWIN */

Corinna

--
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From mouring at etoh.eviladmin.org Fri Feb 22 01:39:31 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 21 Feb 2002 08:39:31 -0600 (CST)
Subject: Call for testing.
In-Reply-To:
Message-ID:

You compiled with jobs/project/etc support for IRIX and it seems to
behave correctly?

- Ben

On Thu, 21 Feb 2002, Tom Holroyd wrote:

> On Wed, 20 Feb 2002, mouring wrote:
>
> > The main platforms I'm concerned with are AIX, IRIX, and OSF. Since
> > those had the most amount of #ifdef/#endif within the code. However
> > Cygwin and Linux (PAM) also were in there (I know it compiles under
> > Redhat 7.2, just could not do a running test).
>
> I just got 20020220, and tried it out on IRIX64 6.5.
>
> cc-1551 cc: WARNING File = sftp-client.c, Line = 802
>   The variable "local_fd" is used before its value is set.
>
>                 close(local_fd);
>                       ^
>
> I dunno if that's new but it doesn't look good. Other than that,
> after I installed ssh-rand-helper in the right place it worked fine.
>
> Dr. Tom Holroyd
> "I am, as I said, inspired by the biological phenomena in which
> chemical forces are used in repetitious fashion to produce all
> kinds of weird effects (one of which is the author)."
> -- Richard Feynman, _There's Plenty of Room at the Bottom_
>
>

From mouring at etoh.eviladmin.org Fri Feb 22 01:48:38 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 21 Feb 2002 08:48:38 -0600 (CST)
Subject: Call for testing.
In-Reply-To: <20020221113855.K23094@cygbert.vinschen.de>
Message-ID:

On Thu, 21 Feb 2002, Corinna Vinschen wrote:

[..]
>
> I took the latest from CVS to compile for Cygwin and I found just
> a slip of the pen:
>
[..]

Thanks. Fixed.

- Ben

From jclonguet at free.fr Fri Feb 22 06:20:31 2002
From: jclonguet at free.fr (Jean-Charles Longuet) Date: Thu, 21 Feb 2002 20:20:31 +0100 Subject: [PATCH] Connect timeout Message-ID: <3C75487F.516EBE2D@free.fr> Here is a new version of this patch, that do not use setjmp() but a select() call instead. The (expected) behaviour is still the same : avoiding spending too much time when doing an ssh() on a down host. Another minor change is the use of the time format in the ConnectTimeout argument (you can now things like '1m30s' if you want). I use it mostly with rsync/rdist to fasten updates. Patch was tested on Linux and Solaris, and compiled OK on HP-UX 10.20. Please notify me if things go bad on other platforms. The patch can also be found on: http://charts.free.fr/openssh-3.0.1p1-timeout-1.01.patch PS: please cc: me regarding this patch for any suggestion/correction. -- Jean-Charles Longuet -------------- next part -------------- --- openssh-3.0.2p1/readconf.c.ORIG Wed Oct 3 19:39:39 2001 +++ openssh-3.0.2p1/readconf.c Wed Feb 20 20:08:20 2002 @@ -115,7 +115,8 @@ oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias, oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication, oHostKeyAlgorithms, oBindAddress, oSmartcardDevice, - oClearAllForwardings, oNoHostAuthenticationForLocalhost + oClearAllForwardings, oNoHostAuthenticationForLocalhost, + oConnectTimeout } OpCodes; /* Textual representations of the tokens. */ @@ -187,6 +188,7 @@ { "smartcarddevice", oSmartcardDevice }, { "clearallforwardings", oClearAllForwardings }, { "nohostauthenticationforlocalhost", oNoHostAuthenticationForLocalhost }, + { "connecttimeout", oConnectTimeout }, { NULL, 0 } }; 
@@ -294,6 +296,19 @@ /* don't panic, but count bad options */ return -1; /* NOTREACHED */ + + case oConnectTimeout: + intptr = &options->connection_timeout; +parse_time: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%.200s line %d: Missing time argument.", filename, linenum); + if ((value = convtime(arg)) == -1) + fatal("%.200s line %d: Invalid time argument.", filename, linenum); + if (*intptr == -1) + *intptr = value; + break; + case oForwardAgent: intptr = &options->forward_agent; parse_flag: @@ -775,6 +790,7 @@ options->compression_level = -1; options->port = -1; options->connection_attempts = -1; + options->connection_timeout = -1; options->number_of_password_prompts = -1; options->cipher = -1; options->ciphers = NULL; --- openssh-3.0.2p1/readconf.h.ORIG Wed Oct 3 19:39:39 2001 +++ openssh-3.0.2p1/readconf.h Wed Feb 20 20:08:20 2002 @@ -68,6 +68,8 @@ int port; /* Port to connect. */ int connection_attempts; /* Max attempts (seconds) before * giving up */ + int connection_timeout; /* Max time (seconds) before + * aborting connection attempt */ int number_of_password_prompts; /* Max number of password * prompts. */ int cipher; /* Cipher to use. */ --- openssh-3.0.2p1/ssh.1.ORIG Mon Nov 12 01:05:49 2001 +++ openssh-3.0.2p1/ssh.1 Wed Feb 20 20:08:20 2002 @@ -804,6 +804,12 @@ The argument must be an integer. This may be useful in scripts if the connection sometimes fails. The default is 1. +.It Cm ConnectTimeout +Specifies the timeout used when connecting to the ssh +server, instead of using default system values. This value is used +only when the target is down or really unreachable, not when it +refuses the connection. This may be usefull for tools using ssh +for communication, as it avoid long TCP timeouts. .It Cm DynamicForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application --- openssh-3.0.2p1/ssh.c.ORIG Mon Nov 12 00:52:04 2001 +++ openssh-3.0.2p1/ssh.c Wed Feb 20 20:08:20 2002 
@@ -674,7 +674,7 @@ /* Open a connection to the remote host. */ cerr = ssh_connect(host, &hostaddr, options.port, IPv4or6, - options.connection_attempts, + options.connection_attempts, options.connection_timeout, original_effective_uid != 0 || !options.use_privileged_port, pw, options.proxy_command); --- openssh-3.0.2p1/sshconnect.c.ORIG Wed Oct 10 07:07:45 2001 +++ openssh-3.0.2p1/sshconnect.c Wed Feb 20 20:08:52 2002 @@ -221,6 +221,64 @@ return sock; } +int +timeout_connect(int sockfd, const struct sockaddr *serv_addr, + socklen_t addrlen, int timeout) +{ + int rc; + fd_set fds; + + int optval = 0; + socklen_t optlen = sizeof(optval); + struct timeval tv; + + + if (timeout <= 0) + return(connect(sockfd, serv_addr, addrlen)); + + if (fcntl(sockfd, F_SETFL, O_NONBLOCK) < 0) + { + return -1; + } + + rc = connect(sockfd, serv_addr, addrlen); + if (rc == 0) + return 0; + if (errno != EINPROGRESS) + return -1; + + FD_ZERO(&fds); + FD_SET(sockfd, &fds); + tv.tv_sec = timeout; + tv.tv_usec = 0; + rc=select(sockfd+1, NULL, &fds, NULL, &tv); + + switch(rc) { + case 0: + errno = ETIMEDOUT; + case -1: + return -1; + break; + case 1: + if (getsockopt(sockfd, SOL_SOCKET, SO_ERROR, &optval, &optlen) == -1) + return -1; + if (optval != 0) + { + errno = optval; + return -1; + } + return 0; + + default: + /* Should not occur */ + return -1; + break; + } + + return -1; + +} + /* * Opens a TCP/IP connection to the remote server on the given host. * The address of the remote host will be returned in hostaddr. @@ -240,7 +298,7 @@ */ int ssh_connect(const char *host, struct sockaddr_storage * hostaddr, - u_short port, int family, int connection_attempts, + u_short port, int family, int connection_attempts, int connection_timeout, int anonymous, struct passwd *pw, const char *proxy_command) { int gaierr; 
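Review bot: in the readconf.c hunk that adds the oConnectTimeout case, convtime() is called but nothing in this patch declares or defines it; the diff is against openssh-3.0.2p1, and if that tree does not already ship convtime() readconf.c will not compile, so either carry the helper in the patch or state the dependency in the cover note. The parse_time: label is reached only from this one case and is therefore dead as a jump target; drop it, or say it is reserved for further time-valued options.

Review bot: the ssh.1 hunk for ConnectTimeout has two slips in the new text ("usefull" should be "useful", "as it avoid long TCP timeouts" should be "as it avoids") and, unlike the ConnectionAttempts entry directly above it ("The argument must be an integer."), never says what the argument looks like or what happens when it is unset; document that the value is a time interval (the cover message says forms like '1m30s' are accepted) and that the default of -1 leaves the system's own connect timeout in force.

Review bot: timeout_connect() in the sshconnect.c hunk puts the socket into non-blocking mode with fcntl(sockfd, F_SETFL, O_NONBLOCK) and never switches it back, so on success ssh_connect() hands a non-blocking descriptor to code that expects a blocking one; read the current flags with F_GETFL first, OR in O_NONBLOCK, and restore the saved flags on every return path once connect() has completed (that also stops the call from clobbering any other flags already set on the socket). Two smaller points in the same function: the fall-through from `case 0: errno = ETIMEDOUT;` into `case -1:` is intended but unmarked, so add a /* FALLTHROUGH */ comment, and a select() that fails with EINTR is reported as a connection failure instead of being retried with the remaining time. Style: the function is non-static with no prototype in sshconnect.h, and only ssh_connect() calls it, so make it static; the `break` after `return -1` and the trailing `return -1` after the switch are unreachable and can go.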
@@ -322,7 +380,8 @@ * the remote uid as root. */ temporarily_use_uid(pw); - if (connect(sock, ai->ai_addr, ai->ai_addrlen) >= 0) { + if (timeout_connect(sock, ai->ai_addr, ai->ai_addrlen, + connection_timeout) >= 0) { /* Successful connection. */ memcpy(hostaddr, ai->ai_addr, ai->ai_addrlen); restore_uid(); --- openssh-3.0.2p1/sshconnect.h.ORIG Wed Oct 10 07:07:45 2001 +++ openssh-3.0.2p1/sshconnect.h Wed Feb 20 20:08:20 2002 @@ -28,7 +28,7 @@ int ssh_connect(const char *, struct sockaddr_storage *, u_short, int, int, - int, struct passwd *, const char *); + int, int, struct passwd *, const char *); void ssh_login(Key **, int, const char *, struct sockaddr *, struct passwd *);

From michael at insulin-pumpers.org Fri Feb 22 06:34:06 2002
From: michael at insulin-pumpers.org (Michael)
Date: Thu, 21 Feb 2002 11:34:06 -0800
Subject: hang on exit bug under Linux
In-Reply-To: <00b601c17f75$8f1936a0$1701000a@effugas>
Message-ID: <200202211933.g1LJXdnC013837@ns2.is.bizsystems.com>

Just thought I'd mention that when you restart "init"

kill -HUP 1

ssh 3.02p1 hangs as expected. What data would I expect back from
that??

Hopefully the next release will include one or more of the proposed
fixes that will allow a linux openssh daemon to release a client on
logout after something as innocuous as this.

Michael
Michael at Insulin-Pumpers.org

From fcusack at fcusack.com Fri Feb 22 07:05:06 2002
From: fcusack at fcusack.com (Frank Cusack)
Date: Thu, 21 Feb 2002 12:05:06 -0800
Subject: hang on exit bug under Linux
In-Reply-To: <200202211933.g1LJXdnC013837@ns2.is.bizsystems.com>; from michael@insulin-pumpers.org on Thu, Feb 21, 2002 at 11:34:06AM -0800
References: <00b601c17f75$8f1936a0$1701000a@effugas> <200202211933.g1LJXdnC013837@ns2.is.bizsystems.com>
Message-ID: <20020221120506.B2267@google.com>

On Thu, Feb 21, 2002 at 11:34:06AM -0800, Michael wrote:
> Just thought I'd mention that when you restart "init"
>
> kill -HUP 1
>
> ssh 3.02p1 hangs as expected. What data would I expect back from
> that??

I don't see that behaviour. I assume you are talking about an sshd
patched with the "AllowDataLossOnPty" patch.

ssh localhost -t "sleep 20 & exit"

returns immediately before and after 'kill -HUP 1'. Perhaps you aren't
requesting a pty in your test?

/fc

From austin at coremetrics.com Fri Feb 22 07:41:02 2002
From: austin at coremetrics.com (Austin Gonyou)
Date: 21 Feb 2002 14:41:02 -0600
Subject: Files >2GB?
In-Reply-To: <20020221022221.A28416@shell.ntrnet.net>
References: <20020221022221.A28416@shell.ntrnet.net>
Message-ID: <1014324062.17469.12.camel@UberGeek>

On Thu, 2002-02-21 at 01:22, Jim Knoble wrote:
> Circa 2002-Feb-20 19:45:32 -0600 dixit Austin Gonyou:
....
> : I'm having a little trouble getting the src rpm to compile though..so
> : I'm going to just use the source..
>
> Why don't you use the source RPM (or the binary one, if you're on Red
> Hat Linux 7.2) from ftp.openssh.com? Damien's pretty good about making
> sure it works (and in fact the source RPM builds fine on releases as old
> as RHL-6.2).

The src RPM would NOT build. I posted comments yesterday.

>
> : configure: WARNING: ****** Your snprintf() function is broken,
> : complain
> : to your vendor
>
> What system are you building on? You shouldn't get this on any recent
> system, unless you've done something weird with either OpenSSH's source
> or your system include files. Or, potentially, you have a broken
> compiler installation...?

I got that from a RH 7.2 box with gcc 3.0.3 glibc 2.2.5. I compile my
glibc and gcc myself since RH's glibc is not yet beyond 2.2.4-19.21 or
some such thing, and gcc3 is a little hokey. I don't much like their
implementation of certain things.

The source compiles and works just fine from portable, just not the src
rpm. The main problem goes that when I take the src rpm to a 7.1 box,
which I'll use to build and upgrade others from the resulting RPMs, is
that I can't even build the RPM. It breaks with what I posted yesterday.

--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com

"It is the part of a good shepherd to shear his flock, not to skin it."
Latin Proverb

From fcusack at fcusack.com Fri Feb 22 08:07:08 2002
From: fcusack at fcusack.com (Frank Cusack)
Date: Thu, 21 Feb 2002 13:07:08 -0800
Subject: hang on exit bug under Linux
In-Reply-To: <20020221120506.B2267@google.com>; from fcusack@fcusack.com on Thu, Feb 21, 2002 at 12:05:06PM -0800
References: <00b601c17f75$8f1936a0$1701000a@effugas> <200202211933.g1LJXdnC013837@ns2.is.bizsystems.com> <20020221120506.B2267@google.com>
Message-ID: <20020221130708.A2554@google.com>

On Thu, Feb 21, 2002 at 12:05:06PM -0800, Frank Cusack wrote:
> On Thu, Feb 21, 2002 at 11:34:06AM -0800, Michael wrote:
> > Just thought I'd mention that when you restart "init"
> >
> > kill -HUP 1
> >
> > ssh 3.02p1 hangs as expected. What data would I expect back from
> > that??
>
> I don't see that behaviour. I assume you are talking about an sshd
> patched with the "AllowDataLossOnPty" patch.
>
> ssh localhost -t "sleep 20 & exit"
>
> returns immediately before and after 'kill -HUP 1'. Perhaps you aren't
> requesting a pty in your test?

Feeling that I might have misread the message, I tried other things also,
like

ssh root at localhost -t "kill -HUP 1 & exit"

which also returns immediately.

I did find something very interesting, 'ssh localhost -t "sleep 20 & exit"'
always returns immediately, even on an unpatched sshd. It's only when I do
a plain "ssh localhost" and then run "sleep 20 & exit" interactively, do I
see any effect from the patch. I would have sworn I had seen hangs when
using the first form, but I am unable to reproduce it.

/fc

From michael at insulin-pumpers.org Fri Feb 22 08:16:59 2002
From: michael at insulin-pumpers.org (Michael)
Date: Thu, 21 Feb 2002 13:16:59 -0800
Subject: hang on exit bug under Linux
In-Reply-To: <20020221120506.B2267@google.com>
References: <200202211933.g1LJXdnC013837@ns2.is.bizsystems.com>; from michael@insulin-pumpers.org on Thu, Feb 21, 2002 at 11:34:06AM -0800
Message-ID: <200202212116.g1LLGZnI014046@ns2.is.bizsystems.com>

> On Thu, Feb 21, 2002 at 11:34:06AM -0800, Michael wrote:
> > Just thought I'd mention that when you restart "init"
> >
> > kill -HUP 1
> >
> > ssh 3.02p1 hangs as expected. What data would I expect back from
> > that??
>
> I don't see that behaviour. I assume you are talking about an sshd
> patched with the "AllowDataLossOnPty" patch.
>
> ssh localhost -t "sleep 20 & exit"
>
> returns immediately before and after 'kill -HUP 1'. Perhaps you
> aren't requesting a pty in your test?
>

simpler than that....
unpatched 3.02.p1

local:~# ssh some.remotehost.com
some:~# kill -HUP 1
some:~# exit
hangs......

Michael at Insulin-Pumpers.org

From ssklar at stanford.edu Fri Feb 22 08:41:17 2002
From: ssklar at stanford.edu (Sandor W. Sklar)
Date: Thu, 21 Feb 2002 13:41:17 -0800
Subject: Call for testing (aix problem)
In-Reply-To:
References:
Message-ID:

At 11:31 AM -0600 2/20/02, mouring wrote:
>Recently we made some major changes to do_child() in
>OpenSSH -current. Those changes included splitting it up
>into smaller chunks to help with readability and also to
>extract out IRIX and AIX specific code to reduce the number
>of lines in our diffs against the OpenSSH tree.

System: AIX 4.3.3.0, ML-08
Compiler IBM C for AIX 5.0.1.0

OpenSSH has been configured with the following options:
                 User binaries: /usr/local/bin
               System binaries: /usr/local/sbin
           Configuration files: /usr/local/etc
               Askpass program: /usr/local/libexec/ssh-askpass
                  Manual pages: /usr/local/man/catX
                      PID file: /var/tmp
        sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                Manpage format: cat
                   PAM support: no
            KerberosIV support: no
             Smartcard support: no
                   AFS support: no
                 S/KEY support: no
          TCP Wrappers support: no
          MD5 password support: no
   IP address in $DISPLAY hack: no
      Use IPv4 by default hack: yes
       Translate v4 in v6 hack: no
              BSD Auth support: no
          Random number source: ssh-rand-helper
 ssh-rand-helper collects from: Unix domain socket "/dev/egd-pool"

              Host: powerpc-ibm-aix4.3.3.0
          Compiler: /usr/bin/cc
    Compiler flags: -g
Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include
      Linker flags: -L/usr/local/ssl/lib -L/usr/local/lib -blibpath:/usr/lib:/lib:/usr/local/lib
         Libraries: -lz -lcrypto

[ very early in the "make" process, just after doing the "fixpaths" lines ...]

(cd openbsd-compat && make)
make[1]: Entering directory `/home/ssklar/openssh/openbsd-compat'
/usr/bin/cc -g -I. -I.. -I. -I./.. -I/usr/local/ssl/include -I/usr/local/include -DHAVE_CONFIG_H -c bsd-arc4random.c
"../openbsd-compat/port-aix.h", line 8.26: 1506-277 (S) Syntax error: possible missing ')' or ','?
"../openbsd-compat/port-aix.h", line 8.6: 1506-282 (S) The type of the parameters must be specified in a prototype.
make[1]: *** [bsd-arc4random.o] Error 1
make[1]: Leaving directory `/home/ssklar/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sandor W. Sklar - Unix Systems Administrator - Stanford University ITSS
Non impediti ratione cogitationis.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From jjaakkol at cs.Helsinki.FI Fri Feb 22 08:42:49 2002
From: jjaakkol at cs.Helsinki.FI (Jani Jaakkola) Date: Thu, 21 Feb 2002 23:42:49 +0200 (EET) Subject: hang on exit bug under Linux In-Reply-To: <200202212116.g1LLGZnI014046@ns2.is.bizsystems.com> Message-ID: On Thu, 21 Feb 2002, Michael wrote: > > On Thu, Feb 21, 2002 at 11:34:06AM -0800, Michael wrote: > > > Just thought I'd mention that when you restart "init" > > > > > > kill -HUP 1 > > > > > > ssh 3.02p1 hangs as expected. What data would I expect back from > > > that?? > > > > I don't see that behaviour. I assume you are talking about an sshd > > patched with the "AllowDataLossOnPty" patch. > > > > ssh localhost -t "sleep 20 & exit" > > > > returns immediately before and after 'kill -HUP 1'. Perhaps you > > aren't requesting a pty in your test? > > > > simpler than that.... > unpatched 3.02.p1 > > local:~# ssh some.remotehost.com > some:~# kill -HUP 1 > some:~# exit > hangs...... You must have some login script which starts something in the background. Or a shell which does not actually exit on command exit. Or kill is not /bin/kill but is something else (weird shell alias?) instead. Or then it is a completely different problem than the usual 'hang on exit' one. I certainly do not see any behaviour like that (but I get the hang on exit when I leave processes which are not properly daemonized in the background. Which, IMHO, is as things should be). - Jani From austin at coremetrics.com Fri Feb 22 11:10:55 2002 
From: austin at coremetrics.com (Austin Gonyou) Date: 21 Feb 2002 18:10:55 -0600 Subject: [Fwd: [Bug 90] [PATCH] Make the quiet options behave consistently] Message-ID: <1014336655.22466.53.camel@UberGeek> I keep getting these sent to me. I had about 200 of them before I deleted them all. -- Austin Gonyou Systems Architect, CCNA Coremetrics, Inc. Phone: 512-698-7250 email: austin at coremetrics.com "It is the part of a good shepherd to shear his flock, not to skin it." Latin Proverb -------------- next part -------------- An embedded message was scrubbed... From: bugzilla-daemon at mindrot.org Subject: [Bug 90] [PATCH] Make the quiet options behave consistently Date: Mon, 18 Feb 2002 12:04:50 -0600 Size: 1889 Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020221/de9731b2/attachment.mht From tomh at po.crl.go.jp Fri Feb 22 12:55:31 2002 From: tomh at po.crl.go.jp (Tom Holroyd) Date: Fri, 22 Feb 2002 10:55:31 +0900 (JST) Subject: Call for testing. In-Reply-To: Message-ID: On Thu, 21 Feb 2002, Ben Lindstrom wrote: > > You compiled with jobs/project/etc support for IRIX and it seems to > behave correctly? I just untarred and said "./configure; make". What is "jobs/project/etc support"? From mouring at etoh.eviladmin.org Fri Feb 22 12:49:34 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 21 Feb 2002 19:49:34 -0600 (CST) Subject: Call for testing. In-Reply-To: Message-ID: Ermm..it is some oddish IRIX thing.. I guess if you're just doing ./configure then check your config.h for a bunch of WITH_IRIX_* options. But I have to assume it is all right if it compiles. On Fri, 22 Feb 2002, Tom Holroyd wrote: > On Thu, 21 Feb 2002, Ben Lindstrom wrote: > > > > > You compiled with jobs/project/etc support for IRIX and it seems to > > behave correctly? > > I just untarred and said "./configure; make". What is > "jobs/project/etc support"? > > From tomh at po.crl.go.jp Fri Feb 22 13:40:09 2002 
From: tomh at po.crl.go.jp (Tom Holroyd) Date: Fri, 22 Feb 2002 11:40:09 +0900 (JST) Subject: Call for testing. In-Reply-To: Message-ID:
On Thu, 21 Feb 2002, Ben Lindstrom wrote:
> Ermm..it is some oddish IRIX thing.. I guess if you're just doing
> ./configure then check your config.h for a bunch of WITH_IRIX_*
> options.

grep IRIX config.h
#define WITH_IRIX_ARRAY 1
/* Define if you want IRIX project management */
#define WITH_IRIX_PROJECT 1
/* Define if you want IRIX audit trails */
#define WITH_IRIX_AUDIT 1
/* Define if you want IRIX kernel jobs */
/* #undef WITH_IRIX_JOBS */

This works. Would you like me to test some other options?

From mouring at etoh.eviladmin.org Fri Feb 22 13:01:27 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 21 Feb 2002 20:01:27 -0600 (CST) Subject: Call for testing. In-Reply-To: Message-ID:
Nope..That was all I wanted to verify on IRIX. Thanks.

- Ben

On Fri, 22 Feb 2002, Tom Holroyd wrote:
> On Thu, 21 Feb 2002, Ben Lindstrom wrote:
> > Ermm..it is some oddish IRIX thing.. I guess if you're just doing
> > ./configure then check your config.h for a bunch of WITH_IRIX_*
> > options.
>
> grep IRIX config.h
> #define WITH_IRIX_ARRAY 1
> /* Define if you want IRIX project management */
> #define WITH_IRIX_PROJECT 1
> /* Define if you want IRIX audit trails */
> #define WITH_IRIX_AUDIT 1
> /* Define if you want IRIX kernel jobs */
> /* #undef WITH_IRIX_JOBS */
>
> This works. Would you like me to test some other options?
>
From markus at openbsd.org Fri Feb 22 21:48:34 2002 
From: markus at openbsd.org (Markus Friedl) Date: Fri, 22 Feb 2002 11:48:34 +0100 Subject: Really odd bug: sshd process exits but ssh process does not. In-Reply-To: <20020218081230.E9177@eeg.ccf.org>; from wooledg@eeg.ccf.org on Mon, Feb 18, 2002 at 08:12:30AM -0500 References: <20020208220555.MQQA29924.femail39.sdc1.sfba.home.com@there> <20020211084534.G1473@eeg.ccf.org> <20020216212716.A20376@folly> <20020218081230.E9177@eeg.ccf.org> Message-ID: <20020222114834.H8234@folly> On Mon, Feb 18, 2002 at 08:12:30AM -0500, Greg Wooledge wrote: > In this particular > detail, I'd personally prefer ssh to work as I expect it to, rather > than as rsh works. ssh cannot read your mind, so it does not know what you expect it to do. OpenSSH's sshd tries to avoid data loss. Avoiding data loss is more important than building workarounds for broken backgrounded processes. From d-b at home.se Fri Feb 22 22:50:51 2002 From: d-b at home.se (Daniel Bergman) Date: Fri, 22 Feb 2002 12:50:51 +0100 Subject: scp on the client-side requires scp on the server-side as well Message-ID: <744899048.1014382251@localhost> Hi, A couple of days ago I realized that 'scp' on the client-side requires 'scp' on the server-side as well. client:scp -> server:sshd -> server:scp Is this really the way it should be? IMHO it seems like a bad design. I usually create a Solaris-package with prngd, sshd, ssh-keygen and name it OpenSSH-3.x.x-serveronly but now I have to also include 'scp'. Is it possible to modify 'scp' on the server-side to _only_ act as a receiver? Regards, Daniel -- Daniel Bergman Phone: 08 - 55066265 Mobile: 070 - 289 30 39 Fax: 08 - 59827056 Email: d-b at home.se From markus at openbsd.org Fri Feb 22 22:54:36 2002 
From: markus at openbsd.org (Markus Friedl) Date: Fri, 22 Feb 2002 12:54:36 +0100 Subject: scp on the client-side requires scp on the server-side as well In-Reply-To: <744899048.1014382251@localhost> References: <744899048.1014382251@localhost> Message-ID: <20020222115436.GC27950@faui02> On Fri, Feb 22, 2002 at 12:50:51PM +0100, Daniel Bergman wrote: > Hi, > > A couple of days ago I realized that 'scp' on the client-side requires > 'scp' on the server-side as well. > > client:scp -> server:sshd -> server:scp > > Is this really the way it should be? IMHO it seems like a bad design. yes, this is how rcp and scp work. if you don't like this, you have to use SFTP and add SFTP support to our scp client. From d-b at home.se Fri Feb 22 23:06:22 2002 From: d-b at home.se (Daniel Bergman) Date: Fri, 22 Feb 2002 13:06:22 +0100 Subject: scp on the client-side requires scp on the server-side as well In-Reply-To: <20020222115436.GC27950@faui02> References: <20020222115436.GC27950@faui02> Message-ID: <745830928.1014383182@localhost> >> Hi, >> >> A couple of days ago I realized that 'scp' on the client-side requires >> 'scp' on the server-side as well. >> >> client:scp -> server:sshd -> server:scp >> >> Is this really the way it should be? IMHO it seems like a bad design. > > yes, this is how rcp and scp work. if you don't like this, you have > to use SFTP and add SFTP support to our scp client. I might just do that, would it be hard? Regards, Daniel -- Daniel Bergman Phone: 08 - 55066265 Mobile: 070 - 289 30 39 Fax: 08 - 59827056 Email: d-b at home.se From mouring at etoh.eviladmin.org Sat Feb 23 01:47:14 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Fri, 22 Feb 2002 08:47:14 -0600 (CST) Subject: scp on the client-side requires scp on the server-side as well In-Reply-To: <745830928.1014383182@localhost> Message-ID: On Fri, 22 Feb 2002, Daniel Bergman wrote: > >> Hi, > >> > >> A couple of days ago I realized that 'scp' on the client-side requires > >> 'scp' on the server-side as well. > >> > >> client:scp -> server:sshd -> server:scp > >> > >> Is this really the way it should be? IMHO it seems like a bad design. > > > > yes, this is how rcp and scp work. if you don't like this, you have > > to use SFTP and add SFTP support to our scp client. > > I might just do that, would it be hard? > Should not be too bad.. all the code is in the tree. Look at sftp-client.c. Just requires creative linking and some sane way of informing scp to use sftp protocol instead of rcp protocol. - Ben From bugzilla-daemon at mindrot.org Sat Feb 23 05:45:33 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 23 Feb 2002 05:45:33 +1100 (EST) Subject: [Bug 94] Userdefineable identification string Message-ID: <20020222184533.A53CBEA33@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=94 markus at openbsd.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX ------- Additional Comments From markus at openbsd.org 2002-02-23 05:45 ------- after some discussion we decided that this won't happen. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From markus at openbsd.org Sat Feb 23 05:47:42 2002 
From: markus at openbsd.org (Markus Friedl) Date: Fri, 22 Feb 2002 19:47:42 +0100 Subject: Call for testing. In-Reply-To: References: Message-ID: <20020222184742.GB24557@faui02> I'd like everyone to test snapshots on all platforms against all possible ssh versions, since we're going to release OpenSSH 3.1 in March. I'd also like to have people port and run the regression tests from http://www.openbsd.org/cgi-bin/cvsweb/src/regress/usr.bin/ssh/ extend them or contribute new tests. Thanks, -markus From bugzilla-daemon at mindrot.org Sat Feb 23 05:57:48 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 23 Feb 2002 05:57:48 +1100 (EST) Subject: [Bug 124] New: Terminal hangs when data is streaming to it... Message-ID: <20020222185748.75443EA3C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=124 Summary: Terminal hangs when data is streaming to it... Product: Portable OpenSSH Version: 2.9.9p2 Platform: Other OS/Version: AIX Status: NEW Severity: critical Priority: P1 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: jbrown75 at csc.com I have a number of users that are experiencing problems with terminal hangs when they output reports to the terminal. The slower the network the higher the frequency of the problem. Basically, the terminal will stop dead and will not recover. You have to kill the window to get rid of the terminal session. I've noticed the following: The process does not exit. Instead, it acts like it did not get an xon. If you kill the process, the window does not free up. The same behavior is evident using Reflections, PuTTY, Exceed as terminal emulators. I have searched the ssh databases but have not found a match and unfortunately I will have to remove this access if a resolution is not found quickly due to the frequency of the problem. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From jeh at profitlogic.com Sat Feb 23 05:51:56 2002 
From: jeh at profitlogic.com (Justin Hahn) Date: Fri, 22 Feb 2002 13:51:56 -0500 Subject: Weird problems on solaris 7 & 8 Message-ID: <3C76934C.1070908@profitlogic.com> I'm seeing some extremely odd behavior with solaris. I have a suspicion it's me, but here's the story and maybe someone can suggest an avenue of investigation. This seems to be happening with any release of openssh since at least 2.5.2p1. 1) Problem #1: If SSH protocol 1 is enabled then sshd segfaults right off. This turns out to be because the call to arc4random_stir is corrupting memory and making sensitive_data.server_key non NULL. When key_free is then called on its UNALLOCATED storage, you get a pretty seg fault. 2) Problem #3: snprintf doesn't like the %.100s specifier. For some reason 00s gets printed, and all the arguments get shifted. This breaks all sorts of things in all sorts of horrible ways. Some basic experimentation seems to indicate that if I take the .100 bit out and just leave %s behind that things will work. This is obviously the wrong fix. Note that this happens regardless of whether BROKEN_SNPRINTF is defined or not. (it isn't by default, but adding it to the top of bsd-snprintf.c and recompiling doesn't seem to help any.) Any ideas? --jeh (Note I'm not subscribed, so please cc: me. Thanks!) From bugzilla-daemon at mindrot.org Sat Feb 23 06:10:13 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 23 Feb 2002 06:10:13 +1100 (EST) Subject: [Bug 124] Terminal hangs when data is streaming to it... Message-ID: <20020222191013.41F14EA37@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=124 ------- Additional Comments From markus at openbsd.org 2002-02-23 06:10 ------- what does "streaming" mean? what does "output reports" mean? do you have more detailed reports? do you have debugging output? what clients are involved? what servers? does the same happen with openssh 3.0.2? does the same happen with a recent snapshot? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Feb 23 06:18:27 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 23 Feb 2002 06:18:27 +1100 (EST) Subject: [Bug 124] Terminal hangs when data is streaming to it... Message-ID: <20020222191827.768D0E915@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=124 ------- Additional Comments From jbrown75 at csc.com 2002-02-23 06:18 ------- By streaming I mean the data is substantial. Pages are output to the stdout. Unfortunately, I do not have more detailed reports as the terminal just hangs. How can I get a more detailed interaction? I am in the process of compiling 3.0.2 and will try that as soon as possible. Not sure what a snapshot is? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Feb 23 06:24:04 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 23 Feb 2002 06:24:04 +1100 (EST) Subject: [Bug 124] Terminal hangs when data is streaming to it... Message-ID: <20020222192404.B5765E915@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=124
------- Additional Comments From ssklar at stanford.edu 2002-02-23 06:24 -------
I think you're experiencing a problem that I first posted to the list about in March of 2001. (I got no response.) Below are the contents of the mail that I posted back then ...

I believe that there is a bug in OpenSSH that affects its usage on AIX 4.3.3 - Maintenance Level 3 and higher. This bug was introduced by a change by IBM in the "/usr/lib/drivers/ptydd" driver, and it affected IBM's own telnetd daemon (reference ). However, IBM chose not to fix the cause of the problem, but to instead modify telnetd to deal with the issue.

The problem occurs in the sshd program; when a program on the server writes a zero-length string to the terminal, the sshd daemon abruptly closes the connection, logging no information. The following code causes the problem to exhibit itself:

#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

int
main(void)
{
	int tty_fd;
	int old_tty_fd;
	char str[100];

	/* Get a descriptor on the controlling terminal (the sshd pty). */
	old_tty_fd = open("/dev/tty", O_RDWR);
	tty_fd = dup(old_tty_fd);	/* 1 will be /dev/tty */
	close(old_tty_fd);

	/* A normal, non-empty write: this always arrives. */
	strcpy(str, "this is the last thing you will see if sshd is broken.\n");
	fprintf(stderr, "len = %d str = %s", (int)strlen(str), str);
	write(tty_fd, str, strlen(str));

	/* A zero-length write to the pty: on 4.3.3 ML3+ sshd drops the session here. */
	strcpy(str, "");
	fprintf(stderr, "len = %d str = %s\n", (int)strlen(str), str);
	write(tty_fd, str, strlen(str));	/* we die here on 433 */

	fprintf(stderr, "if you can read this then all is good.\n");
	return 0;
}

This bug pops up with both OpenSSH 2.3.0.p1 and 2.5.1p1 (and with the commercial ssh 1.2.26), but only when the daemon is running on 4.3.3-ML3 or higher. The same daemon works fine on AIX 4.3.2-ML2, and 4.3.3 with no ML applied.

With a lot of help, I figured that the cause of the disconnect is a comparison in the "serverloop.c" file. Changing the comparison operator from a "<=" to just a "<" in the serverloop.c file fixes the issue. Here is the code block (taken from the 2.3.0p1 source distribution):

+304         /* Read and buffer any available stdout data from the program. */
+305         if (!fdout_eof && FD_ISSET(fdout, readset)) {
+306                 len = read(fdout, buf, sizeof(buf));
+307                 if (len < 0 && (errno == EINTR || errno == EAGAIN)) {
+308                         /* do nothing */
+309                 } else if (len <= 0) {
+310                         fdout_eof = 1;
+311                 } else {
+312                         buffer_append(&stdout_buffer, buf, len);
+313                         fdout_bytes += len;
+314                 }

Line # 309 needs to be changed to ...

+309                 } else if (len < 0) {

Making the above change in the 2.3.0p1 and the 2.5.1p1 source distributions solves the problem, however, I don't know if there might be any other ill effect, or if the change will have an effect on other platforms.

----------

I haven't seen any resolution of this issue. I took the "cowardly" way out (meaning, I can't code) by replacing the file "/usr/lib/drivers/ptydd" on my upgraded aix boxen with one from ML-02.

Meta-P.S.: This is the first time I'm using Bugzilla. Am I doing the right thing?

-s-

------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From djm at mindrot.org Sun Feb 24 18:23:36 2002 
From: djm at mindrot.org (Damien Miller) Date: Sun, 24 Feb 2002 18:23:36 +1100 (EST) Subject: Files >2GB? In-Reply-To: <20020221022221.A28416@shell.ntrnet.net> Message-ID: On Thu, 21 Feb 2002, Jim Knoble wrote: > : I'm having a little trouble getting the src rpm to compile though..so > : I'm going to just use the source.. > > Why don't you use the source RPM (or the binary one, if you're on Red > Hat Linux 7.2) from ftp.openssh.com? Damien's pretty good about making > sure it works (and in fact the source RPM builds fine on releases as old > as RHL-6.2). You will need to install Redhat's errata updates (esp the RPM ones) to be able to build the srpm though. -d From djm at mindrot.org Sun Feb 24 18:28:51 2002 From: djm at mindrot.org (Damien Miller) Date: Sun, 24 Feb 2002 18:28:51 +1100 (EST) Subject: [Fwd: [Bug 90] [PATCH] Make the quiet options behave consistently] In-Reply-To: <1014336655.22466.53.camel@UberGeek> Message-ID: On 21 Feb 2002, Austin Gonyou wrote: > I keep getting these sent to me. I had about 200 of them before I > deleted them all. Anyone who is getting repeat messages: Is your mailserver behind a Cisco PIX or a PPPoE DSL connection? -d From florin at sgi.com Sun Feb 24 18:40:30 2002 
From: florin at sgi.com (Florin Andrei) Date: 23 Feb 2002 23:40:30 -0800 Subject: SFTP with dummy shells Message-ID: <1014536430.18631.5.camel@stantz.corp.sgi.com> Guys, There was some discussion a while ago on this list about making SFTP connections for users that don't have a "valid" shell. The solution i saw on the list was to use sftp-server as a shell. Now, that's fine and it seems to work. However, i would like to provide SFTP access to users with arbitrary shells, no matter if the shell exits immediately (/bin/false) or not (some #!/usr/bin/dialog script). This would be a kick-ass feature! :-) -- Florin Andrei "When the prime minister is appearing at product launches by a company twice found by courts to be abusing a monopoly and facing billions of dollars in lawsuits, you have to ask questions." - Alan Cox From mouring at etoh.eviladmin.org Sun Feb 24 18:38:53 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sun, 24 Feb 2002 01:38:53 -0600 (CST) Subject: SFTP with dummy shells In-Reply-To: <1014536430.18631.5.camel@stantz.corp.sgi.com> Message-ID:
I don't like that idea.. When I set a shell to /bin/false I expect all daemons to honor that shell. And not to go behind my back and execute some random command for the user.. Be it rsh, ssh, telnet, etc.

How do you implement this for sftp-server only in a sane way? Can't put it in the sftp-server code. By the time it hits there it is too late. Which means you have to add a feature to the sshd to decide if that subsystem should honor /etc/shells or some other option to define what is valid behavior.

In the worst case 'sftp-server' may be allowed to run with a dummy shell /bin/splat where 'my-home-made-BBS' should be run with a real shell. And even worse.. 'my-MUD' may be allowed to run /bin/digdug but should not allow /bin/splat to be a valid dummy shell. So now you have to support reading multiple /etc/shells instead of solving it in a simpler way.

I don't think it is really the subsystem's job. Any correctly written dummy shell can detect a '-c sftp-server' and handle it gracefully (and no, /bin/false is not a dummy shell, IMNSHO =).

To go back to a really old argument. Subsystem's sole job is to manage services better to remove the 'is the calling server in my $PATH and named 'foo-bar-cat'. Nothing more.. Nothing less. OpenSSH's sftp client proves it is not a required functionality (from a design view, not from an RFC view) with the ability to do sftp over protocol 1.

Dummy shells should have enough brains to detect the subsystem request and handle it transparently. It is not that hard of a thing to do in most shell script style languages. And I don't feel it is something that needs to be handled at the sshd level because it can be handled at a lower level just as safely. 
- Ben On 23 Feb 2002, Florin Andrei wrote: > Guys, > > There was some discussion a while ago on this list about making SFTP > connections for users that don't have a "valid" shell. The solution i > saw on the list was to use sftp-server as a shell. > Now, that's fine and it seems to work. However, i would like to provide > SFTP access to users with arbitrary shells, no matter if the shell exits > immediately (/bin/false) or not (some #!/usr/bin/dialog script). > This would be a kick-ass feature! :-) > > -- > Florin Andrei > > "When the prime minister is appearing at product launches by a company > twice found by courts to be abusing a monopoly and facing billions of > dollars in lawsuits, you have to ask questions." - Alan Cox > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From dmanton at emea.att.com Mon Feb 25 02:54:19 2002 
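One way to build the dummy shell Ben describes, as an added example that is not OpenSSH code or anything posted in the thread: a login shell that accepts only sshd's `-c <command>` invocation where the command is exactly one of the listed sftp-server paths, and refuses interactive logins and every other command. The sftp-server paths, the `SFTP_ONLY_ALLOWED` list and the script name `sftp-only-shell` are assumptions.

```shell
#!/bin/sh
# sftp-only dummy shell: added example, not code from OpenSSH or the thread.
# sshd starts a remote command or subsystem by running the account's login
# shell as:   $SHELL -c "<command>"
# For "Subsystem sftp /usr/local/libexec/sftp-server" in sshd_config the
# command string is exactly that sftp-server path, so an sftp-only shell has
# to recognise that one form and refuse everything else.

# Programs this shell is willing to exec.  The /usr/local/libexec path matches
# the configure summary posted earlier in the thread; the second is an assumed
# alternative install location.  Adjust to the local system.
SFTP_ONLY_ALLOWED="/usr/local/libexec/sftp-server /usr/libexec/sftp-server"

# sftp_only_decide [args...]: decide what to do with the shell's arguments.
# Prints the program to exec and returns 0 if this is an sftp-server request;
# prints a refusal on stderr (which reaches the ssh client) and returns 1
# otherwise.  Kept separate from the exec so the decision can be tested
# without starting anything.
sftp_only_decide() {
    # No arguments means an interactive login; anything other than exactly
    # "-c <command>" is also refused, including "-i", "-l" and a "-c" with
    # trailing extra words.
    if [ "$#" -ne 2 ] || [ "$1" != "-c" ]; then
        echo "sftp-only account: only sftp is permitted" >&2
        return 1
    fi
    cmd=$2
    # Exact string comparison, not pattern matching: "<path>; sh", "<path> -e"
    # or a path that merely starts with an allowed prefix does not match.  If
    # the Subsystem line carries options, list that exact string here instead.
    for allowed in $SFTP_ONLY_ALLOWED; do
        if [ "$cmd" = "$allowed" ]; then
            printf '%s\n' "$cmd"
            return 0
        fi
    done
    echo "sftp-only account: command refused" >&2
    return 1
}

# Entry point when installed as the login shell, e.g. as
# /usr/local/bin/sftp-only-shell.  Guarded on the script name so that
# sourcing this file for testing does not exec anything.
case $0 in
    *sftp-only-shell)
        prog=$(sftp_only_decide "$@") || exit 1
        exec "$prog"
        ;;
esac
```

Because sshd, like login, refuses accounts whose shell is not listed in /etc/shells, the installed script has to be added there and set as the account's shell; that is the "honor /etc/shells" behaviour Ben wants kept, not bypassed.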
From: dmanton at emea.att.com (Manton, Doug) Date: Sun, 24 Feb 2002 15:54:19 -0000 Subject: Call for testing. Message-ID: Hi Ben, The compilation of port-aix fails because the Session type is undefined. I tried moving this definition out of session.c into session-types.h and including it from port-aix.h and session.c. I had to include auth.h, usersec.h and xmalloc.h to get port-aix to compile cleanly since it relies on types and functions defined therein. However, this broke sshconnect2.c. It seems that sshconnect2.c defines an Authctxt that conflicts with the one defined in auth.h. Patch attached to clarify my explanation. I will continue to look at this during the week. Any ideas greatly received. Best wishes, Doug Manton, AT&T Business Commercial Security ---------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: session-types.h Type: application/octet-stream Size: 2057 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020224/94bb3cf2/attachment.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: port-aix.patch Type: application/octet-stream Size: 2027 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020224/94bb3cf2/attachment-0001.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2714 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020224/94bb3cf2/attachment.bin From mouring at etoh.eviladmin.org Mon Feb 25 04:18:46 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sun, 24 Feb 2002 11:18:46 -0600 (CST) Subject: Call for testing. In-Reply-To: Message-ID: On Sun, 24 Feb 2002, Manton, Doug wrote: > Hi Ben, > > The compilation of port-aix fails because the Session type is undefined. > I tried moving this definition out of session.c into session-types.h and > including it from port-aix.h and session.c. I had to include auth.h, > usersec.h and xmalloc.h to get port-aix to compile cleanly since it > relies on types and functions defined therein. > > However, this broke sshconnect2.c. It seems that sshconnect2.c defines > an Authctxt that conflicts with the one defined in auth.h. > > Patch attached to clarify my explanation. I will continue to look at > this during the week. Any ideas greatly received. > Eep.. I got a better idea.=) Lets leave the session structures where they belong and just pass what we need from them to do the work. Try the attached patch. Somewhere in the back of my mind I knew I should not have depending on 'Session *s' to be useful. =) Index: session.c =================================================================== RCS file: /var/cvs/openssh/session.c,v retrieving revision 1.181 diff -u -r1.181 session.c --- session.c 21 Feb 2002 15:37:04 -0000 1.181 +++ session.c 24 Feb 2002 18:04:44 -0000 @@ -57,10 +57,6 @@ #include "canohost.h" #include "session.h" -#if defined(HAVE_USERSEC_H) -#include -#endif - #ifdef HAVE_CYGWIN #include #include 
@@ -1147,7 +1143,7 @@ irix_setusercontext(pw); # endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ #ifdef _AIX - aix_usrinfo(s) + aix_usrinfo(s->pw, s->tty, s->ttyfd); #endif /* Permanently switch to the desired uid. */ permanently_set_uid(pw); Index: openbsd-compat/port-aix.c =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/port-aix.c,v retrieving revision 1.1 diff -u -r1.1 port-aix.c --- openbsd-compat/port-aix.c 19 Feb 2002 20:27:57 -0000 1.1 +++ openbsd-compat/port-aix.c 24 Feb 2002 18:04:44 -0000 @@ -2,7 +2,12 @@ #ifdef _AIX +#ifdef HAVE_USERSEC_H +#include +#endif /* HAVE_USERSEC_H */ + #include +#include <../xmalloc.h> /* AIX limits */ #if defined(HAVE_GETUSERATTR) && !defined(S_UFSIZE_HARD) && defined(S_UFSIZE) @@ -101,17 +106,16 @@ * actually use this and die if it's not set */ void -aix_usrinfo(Session *s) +aix_usrinfo(struct passwd *pw, char *tty, int ttyfd) { - struct passwd *pw = s->pw; u_int i; - const char *cp=NULL; + char *cp=NULL; - if (s->ttyfd == -1) - s->tty[0] = '\0'; - cp = xmalloc(22 + strlen(s->tty) + 2 * strlen(pw->pw_name)); + if (ttyfd == -1) + tty[0] = '\0'; + cp = xmalloc(22 + strlen(tty) + 2 * strlen(pw->pw_name)); i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c", pw->pw_name, 0, - pw->pw_name, 0, s->tty, 0, 0); + pw->pw_name, 0, tty, 0, 0); if (usrinfo(SETUINFO, cp, i) == -1) fatal("Couldn't set usrinfo: %s", strerror(errno)); debug3("AIX/UsrInfo: set len %d", i); From bob at proulx.com Mon Feb 25 05:24:23 2002 
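Review bot: the session.c hunk changes the call to `aix_usrinfo(s->pw, s->tty, s->ttyfd);`, but no hunk updates the declaration in port-aix.h, which is the file the AIX compile failure earlier in this thread points at (line 8 of `../openbsd-compat/port-aix.h`). With the old `Session *` prototype still in the header the call and the new definition in port-aix.c disagree; add a port-aix.h hunk declaring `void aix_usrinfo(struct passwd *, char *, int);` (with `struct passwd` visible there via `<pwd.h>` or a forward declaration).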
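Review bot: `#include <../xmalloc.h>` in the port-aix.c include hunk is a parent-relative path inside angle brackets, which depends on how the compiler resolves `<>` includes against the source directory. The build already passes `-I..` (see the cc line in the AIX build report earlier in the thread), so the conventional `#include "xmalloc.h"` works on every compiler and matches the other OpenSSH sources.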
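Review bot: in the `aix_usrinfo` hunk the buffer `cp` from `xmalloc` is never released after `usrinfo(SETUINFO, cp, i)` succeeds; add an `xfree(cp)` after the `debug3` call, or a comment if usrinfo really needs the storage to outlive the call. The hunk also keeps `tty[0] = '\0'` when `ttyfd == -1`, which now writes through into the caller's `s->tty` buffer from a parameter that reads like an input; passing `ttyfd == -1 ? "" : tty` from the call site would let `tty` be `const char *` and make the function side-effect free.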
From: bob at proulx.com (Bob Proulx) Date: Sun, 24 Feb 2002 11:24:23 -0700 Subject: RSA versus DSA / Protocol 1 versus Protocol 2 Message-ID: <200202241824.g1OION530715@torment.proulx.com> I have been searching the archives and am confused about some points that I am hoping could be cleared up. RSA versus DSA I seem to see a lot of messages saying this. That DSA is slow. DSA was added only to avoid a patent which is now expired. RSA is the preferred authentication method. DSA should be avoided. Which all sounds fine to me and I think I agree with that. Assuming this applies to both host keys and user keys it seems that you cannot disable this for host keys when using Protocol 2. Is that required for compatibility or other reason? Protocol 1 versus Protocol 2 OpenSSH 3.x defaults to Protocol 2,1. Fine. But ssh-keygen and ssh-add default to creating and using rsa1 keys, which means using Protocol 1, but using DSA host keys. I think. Which makes actually using Protocol 2 much more of an exercise for users. Is there a reason that ssh-keygen and ssh-add use rsa1 while the others use Protocol 2 which would seem to be rsa? Since they are trivial to patch so that all default to 'rsa' keys and work nicely with Protocol 2 then I assume there must have been a reason that a full move to 'rsa' keys has not already happened. I am setting up new people to use ssh and I want to get them going in a direction of least thrash from now forward. What are your recommendations? Answers or discussion for these questions would be great additions to the FAQ or near there in the online docs. At least I could not find anything definitive and I spent a fair amount of time searching documentation and reading the mail archives. Thanks Bob From bugzilla-daemon at mindrot.org Mon Feb 25 05:32:49 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 25 Feb 2002 05:32:49 +1100 (EST) Subject: [Bug 122] sshd does not update wtmpx at end of session Message-ID: <20020224183249.90938E95E@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=122 ------- Additional Comments From tim at multitalents.net 2002-02-25 05:32 ------- I spent some time looking into this. Initially I did see that last was reporting users still logged in that had logged out of their ssh connection. I noticed logintest showed everything working as expected. Now I can not duplicate the problem. I didn't change any code but I did zero out wtmpx during my tests. Now I can either log in using rlogin or ssh and last shows the correct information after logout. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From markus at openbsd.org Mon Feb 25 05:35:21 2002 
From: markus at openbsd.org (Markus Friedl) Date: Sun, 24 Feb 2002 19:35:21 +0100 Subject: RSA versus DSA / Protocol 1 versus Protocol 2 In-Reply-To: <200202241824.g1OION530715@torment.proulx.com> References: <200202241824.g1OION530715@torment.proulx.com> Message-ID: <20020224183521.GA2268@faui02> On Sun, Feb 24, 2002 at 11:24:23AM -0700, Bob Proulx wrote: > I have been searching the archives and am confused about some points that > I am hoping could be cleared up. > > RSA versus DSA > > I seem to see a lot of messages saying this. That DSA is slow. DSA > was added only to avoid a patent which is now expired. RSA is the > preferred authentication method. DSA should be avoided. Which all > sounds fine to me and I think I agree with that. Assuming this > applies to both host keys and user keys it seems that you cannot > disable this for host keys when using Protocol 2. define 'disable'. you can delete the DSA host key. > Is that required > for compatibility or other reason? the SSH2 'standard' defines: The following public key and/or certificate formats are currently defined: ssh-dss REQUIRED sign Simple DSS ssh-rsa RECOMMENDED sign Simple RSA There is a large installed base of DSA keys. > Protocol 1 versus Protocol 2 > > OpenSSH 3.x defaults to Protocol 2,1. Fine. But ssh-keygen and > ssh-add default to creating and using rsa1 keys, which means using > Protocol 1, but using DSA host keys. in OpenSSH 3.1: ssh-keygen will no longer have a default key type. ssh-add will try to add all 3 key types. -m From bugzilla-daemon at mindrot.org Mon Feb 25 05:50:35 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 25 Feb 2002 05:50:35 +1100 (EST) Subject: [Bug 107] syntax error in 'configure' under Solaris 8 Message-ID: <20020224185035.9D057E916@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=107 tim at multitalents.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WORKSFORME ------- Additional Comments From tim at multitalents.net 2002-02-25 05:50 ------- Works fine here. SunOS sun1 5.8 Generic_108528-09 sun4m sparc SUNW,SPARCstation-5 Perhaps it's time to load a new patch cluster from sun. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From mouring at etoh.eviladmin.org Mon Feb 25 05:04:54 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sun, 24 Feb 2002 12:04:54 -0600 (CST) Subject: Weird problems on solaris 7 & 8 In-Reply-To: <3C76934C.1070908@profitlogic.com> Message-ID: On Fri, 22 Feb 2002, Justin Hahn wrote: > I'm seeing some extremely odd behavior with solaris. I have a suspicion > it's me, but here's the story and maybe someone can suggest an avenue of > investigation. This seems to be happening with any release of openssh > since at least 2.5.2p1. > > 1) Problem #1: If SSH protocol 1 is enabled then sshd segfaults right > off. This turns out to be because the call to arc4random_stir is > corrupting memory and making sensitive_data.server_key non NULL. When > key_free is then called on its UNALLOCATED storage, you get a pretty > seg fault. > I can't replicate this, nor can I see this in the code. In Solaris 2.5.1 nor 7. > 2) Problem #3: snprintf doesn't like the %.100s specifier. For some > reason 00s gets printed, and all the arguments get shifted. This breaks > all sorts of things in all sorts of horrible ways. Some basic > experimentation seems to indicate that if I take the .100 bit out and > just leave %s behind that things will work. This is obviously the wrong > fix. Note that this happens regardless of whether BROKEN_SNPRINTF is > defined or not. (it isn't by default, but adding it to the top of > bsd-snprintf.c and recompiling doesn't seem to help any.) > I can't replicate this either. bsd-snprintf.c was replaced with a version of my choice to help get the NeXTStep port to stabilize out. What compiler are you using? I've done compiles using gcc (forgot which version), and an OLD ProC intel. - Ben From bugzilla-daemon at mindrot.org Mon Feb 25 06:02:19 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 25 Feb 2002 06:02:19 +1100 (EST) Subject: [Bug 122] sshd does not update wtmpx at end of session Message-ID: <20020224190219.39CE4E96D@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=122 tim at multitalents.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From tim at multitalents.net 2002-02-25 06:02 ------- Now that I look at bug 84 I see that "last username" shows the wrong info. I'm marking this a duplicate of 84 *** This bug has been marked as a duplicate of 84 *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Feb 25 06:02:24 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 25 Feb 2002 06:02:24 +1100 (EST) Subject: [Bug 84] last command provides incorrect information on Solaris 8 Message-ID: <20020224190224.96449E96F@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=84 tim at multitalents.net changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jaearick at colby.edu ------- Additional Comments From tim at multitalents.net 2002-02-25 06:02 ------- *** Bug 122 has been marked as a duplicate of this bug. *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Feb 25 06:23:19 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 25 Feb 2002 06:23:19 +1100 (EST) Subject: [Bug 124] Terminal hangs when data is streaming to it... Message-ID: <20020224192319.98D49E96C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=124 ------- Additional Comments From markus at openbsd.org 2002-02-25 06:23 ------- what kind of clients are used? what protocol? how can i reproduce this? what operating systems? what happens if sshd is used in debugmode? does sshd print errors? where does sshd hang? can you trace sshd's system calls? you can get the latest snapshot from www.openssh.com/portable.html it has many bugs from 3.0.2 fixed ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From dmanton at emea.att.com Mon Feb 25 06:48:50 2002 
From: dmanton at emea.att.com (Manton, Doug) Date: Sun, 24 Feb 2002 19:48:50 -0000 Subject: Call for testing. Message-ID: > Eep.. I got a better idea.=) Lets leave the session structures where > they belong and just pass what we need from them to do the work. Try > the attached patch. Good call. I applied the patch, updated the prototype for aix_usrinfo but got the following when trying to compile session.c : xlC -qlanglvl=extended -I. -I. -I/usr/local/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_PIDDIR=\"/var/run\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c session.c "session.c", line 967.14: 1506-045 (S) Undeclared identifier cp. "session.c", line 1146.29: 1506-045 (S) Undeclared identifier s. The attached patch allows a clean compilation of port-aix.c and session.c. Please can you take a look and highlight any problems? A quick test appears successful, but real testing will have to wait until I am back in the office during the week :( Many thanks, Doug Manton, AT&T Business Commercial Security ---------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: 20020224-aix.patch Type: application/octet-stream Size: 2989 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020224/acd2df70/attachment.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 2714 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020224/acd2df70/attachment.bin From mouring at etoh.eviladmin.org Mon Feb 25 06:45:54 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sun, 24 Feb 2002 13:45:54 -0600 (CST) Subject: Call for testing. In-Reply-To: Message-ID: On Sun, 24 Feb 2002, Manton, Doug wrote: > > Eep.. I got a better idea.=) Lets leave the session structures where > > they belong and just pass what we need from them to do the work. Try > > the attached patch. > > Good call. I applied the patch, updated the prototype for aix_usrinfo > but got the following when trying to compile session.c : > > xlC -qlanglvl=extended -I. -I. -I/usr/local/include > -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" > -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" > -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" > -D_PATH_SSH_PIDDIR=\"/var/run\" > -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H > -c session.c > "session.c", line 967.14: 1506-045 (S) Undeclared identifier cp. > "session.c", line 1146.29: 1506-045 (S) Undeclared identifier s. > As for the cp issue...I'd rather do the following: #ifdef _AIX { char *cp; if ((cp = getenv("AUTHSTATE")) != NULL) child_set_env(&env, &envsize, "AUTHSTATE", cp); if ((cp = getenv("KRB5CCNAME")) != NULL) child_set_env(&env, &envsize, "KRB5CCNAME", cp); read_environment_file(&env, &envsize, "/etc/environment"); } #endif I'll commit the changes to port-aix.[ch] since those are agreeable. And I'll commit the above if it is also agreeable. Which leaves us with just dealing with aix_usrinfo(..); During the week can you try putting aix_usrinfo(pw, s->tty, s->ttyfd) before the do_setusercontext(pw) in do_child(s); And see if we can solve it that way? I suspect that usrinfo() has to take place as root and not as a normal user. Otherwise I will have to see if Markus would be agreeable to change do_setusercontext() to Session *s because some other platforms may need other bits of the session structure down the road. - Ben From bob at proulx.com Mon Feb 25 07:42:36 2002 
From: bob at proulx.com (Bob Proulx) Date: Sun, 24 Feb 2002 13:42:36 -0700 Subject: RSA versus DSA / Protocol 1 versus Protocol 2 In-Reply-To: <20020224183521.GA2268@faui02> References: <200202241824.g1OION530715@torment.proulx.com> <20020224183521.GA2268@faui02> Message-ID: <15481.20540.275295.941643@torment.proulx.com> > > RSA versus DSA > > Assuming this applies to both host keys and user keys it seems > > that you cannot disable [DSA] for host keys when using Protocol 2. > define 'disable'. you can delete the DSA host key. Negative on being able to delete the DSA host key. If you either remove the dsa host key or remove the 'HostKey /etc/ssh_host_dsa_key' line from the /etc/sshd_config file then sshd will never again speak Protocol 2. It says this: Protocol major versions differ: 2 vs. 1 Apparently having the line 'HostKey /etc/ssh_host_rsa_key' is not sufficient to support Protocol 2 connections. Protocol 1 connections continue operating fine in either case. This is with both sides running version SSH-1.99-OpenSSH_3.0.2p1. Bob From florin at sgi.com Mon Feb 25 07:45:26 2002 
From: florin at sgi.com (Florin Andrei) Date: 24 Feb 2002 12:45:26 -0800 Subject: SFTP with dummy shells In-Reply-To: References: Message-ID: <1014583526.27099.9.camel@stantz.corp.sgi.com> On Sat, 2002-02-23 at 23:38, Ben Lindstrom wrote: > > I don't like that idea.. When I set a shell to /bin/false I expect > all daemons to honor that shell. And not to go behind my back and > execute some random command for the user.. Be it rsh, ssh, telnet, etc. Well, the thing i would like to do is to provide SFTP to some users, deny /bin/sh to them, while still being able to provide SSH for some other users. If SFTP would have been the only requirement, that would be simple: install an FTP daemon that provides SFTP. But i need both SFTP and SSH, and the access is not uniform for all users: some of them should have /bin/sh (so they do SFTP and full shell), some other /bin/false (so they do only SFTP) and some other should have a /usr/bin/dialog wrapper of some sort (they do SFTP and run just a restricted wrapper in the shell). A reasonable and elegant solution for this is to have the entire SFTP subsystem shell-independent. > I don't think it is really the subsystem's job. Any correctly written > dummy shell can detect a '-c sftp-server' and handle it gracefully > (and no /bin/false is not a dummy shell, IMNSHO =). Hmmm... Actually, that sounds interesting. :-) So, "-c sftp-server" is the only command passed to the shell? -- Florin Andrei "When the prime minister is appearing at product launches by a company twice found by courts to be abusing a monopoly and facing billions of dollars in lawsuits, you have to ask questions." - Alan Cox From mouring at etoh.eviladmin.org Mon Feb 25 07:08:59 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sun, 24 Feb 2002 14:08:59 -0600 (CST) Subject: RSA versus DSA / Protocol 1 versus Protocol 2 In-Reply-To: <15481.20540.275295.941643@torment.proulx.com> Message-ID: On Sun, 24 Feb 2002, Bob Proulx wrote: > > > RSA versus DSA > > > Assuming this applies to both host keys and user keys it seems > > > that you cannot disable [DSA] for host keys when using Protocol 2. > > > define 'disable'. you can delete the DSA host key. > > Negative on being able to delete the DSA host key. If you either > remove the dsa host key or remove the 'HostKey /etc/ssh_host_dsa_key' > line from the /etc/sshd_config file then sshd will never again speak > Protocol 2. It says this: > > Protocol major versions differ: 2 vs. 1 > > Apparently having the line 'HostKey /etc/ssh_host_rsa_key' is not > sufficient to support Protocol 2 connections. Protocol 1 connections > continue operating fine in either case. > > This is with both sides runing version SSH-1.99-OpenSSH_3.0.2p1. > # diff -u /etc/sshd_config sshd_config --- /etc/sshd_config Fri Jan 25 17:04:06 2002 +++ sshd_config Sun Feb 24 14:04:49 2002 @@ -3,8 +3,8 @@ # This is the sshd server system-wide configuration file. See sshd(8) # for more information. -Port 22 -Protocol 2 +Port 2020 +Protocol 2,1 #ListenAddress 0.0.0.0 #ListenAddress :: 
@@ -12,7 +12,6 @@ HostKey /etc/ssh_host_key # HostKeys for protocol version 2 HostKey /etc/ssh_host_rsa_key -HostKey /etc/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 $ sshd -f sshd_config $ ssh -1 -p2020 localhost The authenticity of host 'localhost (127.0.0.1)' can't be established. RSA1 key fingerprint is 97:58:59:d7:db:cc:c6:98:d4:38:3a:63:a2:4f:e8:cc. Are you sure you want to continue connecting (yes/no)? # ssh -2 -p2020 localhost root at localhost's password: In my case I tend to disable protocol 1 because I don't require it. I don't see what your problem. - Ben From mouring at etoh.eviladmin.org Mon Feb 25 07:14:45 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sun, 24 Feb 2002 14:14:45 -0600 (CST) Subject: SFTP with dummy shells In-Reply-To: <1014583526.27099.9.camel@stantz.corp.sgi.com> Message-ID: On 24 Feb 2002, Florin Andrei wrote: > On Sat, 2002-02-23 at 23:38, Ben Lindstrom wrote: [..] > > I don't think it is really the subsystem's job. Any correctly written > > dummy shell can detect a '-c sftp-server' and hanlde it gracefully > > (and no /bin/false is not a dummy shell, IMNSHO =). > > Hmmm... Actually, that sounds interesting. :-) > So, "-c sftp-server" is the only command passed to the shell? > Yes it is.. For v1 (no subsystem) or v2 (w/ subsystem). I think the only cause may may run into problems is with your dialog code. I can't remember if it supports the ability to get command line arguments. So you may have to rethink how you use Dialog.. - Ben From stevesk at pobox.com Mon Feb 25 07:53:39 2002 
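Review bot: the second hunk drops the only ssh-dss HostKey line, so after this change ssh_host_rsa_key is the server's sole protocol-2 host key, and the `ssh -2 -p2020 localhost` test that follows only exercises the RSA case. A client that is forced to DSA (`-o "HostKeyAlgorithms ssh-dss"`) can no longer negotiate at all, which is the "no hostkey alg" result shown further down the thread. The diff's lead-in should say that "protocol 2 with an RSA-only server" is what is being demonstrated, not "protocol 2 with no host key", since that is exactly the distinction Bob's report turns on.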
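Ben's point that a dummy shell only ever sees `-c sftp-server`, as an added example that is not code from this thread or from OpenSSH: a restricted login shell, written in Python, that execs the sftp-server only when exactly that command arrives and refuses an interactive login or anything else. sshd runs an account's login shell as `<shell> -c <command>`, so the wrapper has nothing to parse beyond its own arguments. The sftp-server paths in `ALLOWED_COMMANDS` are assumptions; set them to whatever the `Subsystem sftp` line in sshd_config names (and, for protocol 1 clients, whatever path the client sends).

```python
#!/usr/bin/env python3
"""
SFTP-only login shell (added example, not part of the thread or of OpenSSH).

Install as e.g. /usr/local/bin/sftp-only-shell, mode 0755, and set it as the
user's shell. sshd will invoke it as:  sftp-only-shell -c <command>
For the sftp subsystem <command> is the sftp-server path from sshd_config.
"""
import os
import sys

# Assumption: one of these is what the Subsystem line (or a protocol-1
# client) asks for. Only whole-string matches against this tuple are allowed.
ALLOWED_COMMANDS = (
    "/usr/local/libexec/sftp-server",
    "/usr/libexec/sftp-server",
)


def select_command(argv, allowed=ALLOWED_COMMANDS):
    """Return the argv to exec, or None if the request must be refused.

    Accepted: exactly ['-c', '<allowed path>'].
    Refused:  no arguments (an interactive login), any other option, extra
              arguments, and any command string that is not byte-for-byte
              one of the allowed paths. Because the comparison is on the whole
              string, '-c "/usr/libexec/sftp-server; /bin/sh"' is refused too;
              a substring test for 'sftp-server' would have let that through.
    """
    if len(argv) != 2 or argv[0] != "-c":
        return None
    command = argv[1]
    if command not in allowed:
        return None
    return [command]


def main():
    cmd = select_command(sys.argv[1:])
    if cmd is None:
        sys.stderr.write("This account permits SFTP only.\n")
        return 1
    # Replace this process with sftp-server; the user never gets a shell.
    # execv takes a path, not a search string, so PATH is not consulted.
    os.execv(cmd[0], cmd)
    return 1  # only reached if execv itself failed


if __name__ == "__main__":
    sys.exit(main())
```

Because the wrapper is the account's real shell, sshd still gets what Ben asks for (the daemon honours /etc/passwd); the restriction lives in the shell, where it belongs. scp (`-c scp -t ...`) is refused by the same rule, which is usually what "SFTP only" is meant to mean.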
From: stevesk at pobox.com (Kevin Steves) Date: Sun, 24 Feb 2002 12:53:39 -0800 (PST) Subject: RSA versus DSA / Protocol 1 versus Protocol 2 In-Reply-To: <15481.20540.275295.941643@torment.proulx.com> Message-ID: On Sun, 24 Feb 2002, Bob Proulx wrote: :> define 'disable'. you can delete the DSA host key. : :Negative on being able to delete the DSA host key. If you either :remove the dsa host key or remove the 'HostKey /etc/ssh_host_dsa_key' :line from the /etc/sshd_config file then sshd will never again speak :Protocol 2. It says this: : : Protocol major versions differ: 2 vs. 1 : :Apparently having the line 'HostKey /etc/ssh_host_rsa_key' is not :sufficient to support Protocol 2 connections. Protocol 1 connections :continue operating fine in either case. that should work. sshd -d would be useful. [root at jenny openssh]# ./sshd -d -p24 debug1: sshd version OpenSSH_3.0.2p1 debug1: private host key: #0 type 0 RSA1 debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug1: Bind to port 24 on 0.0.0.0. Server listening on 0.0.0.0 port 24. Generating 768 bit RSA key. RSA key generation complete. From bob at proulx.com Mon Feb 25 08:00:49 2002 
From: bob at proulx.com (Bob Proulx) Date: Sun, 24 Feb 2002 14:00:49 -0700 Subject: RSA versus DSA / Protocol 1 versus Protocol 2 In-Reply-To: References: <15481.20540.275295.941643@torment.proulx.com> Message-ID: <15481.21633.383150.715358@torment.proulx.com> > # diff -u /etc/sshd_config sshd_config [...] > +Port 2020 > +Protocol 2,1 > -HostKey /etc/ssh_host_dsa_key [...] > $ sshd -f sshd_config Interesting. Right there this dies for me. cd /etc cp sshd_config sshd_config.hacked edit sshd_config.hacked diff -u0 | grep -v ^@@ --- sshd_config Sun Feb 24 13:47:16 2002 +++ sshd_config.hacked Sun Feb 24 13:53:52 2002 -Port 22 -#Protocol 2,1 +Port 2022 +Protocol 2,1 -HostKey /etc/ssh_host_dsa_key +# HostKey /etc/ssh_host_dsa_key [root at joseki /etc]# sshd -f sshd_config.hacked Disabling protocol version 2. Could not load host key telnet localhost 2022 SSH-1.5-OpenSSH_3.0.2p1 I will dig around in the code a little and see what I find. > # ssh -2 -p2020 localhost > root at localhost's password: Since you normally use Protocol 2 this host is already in your known_hosts file. Which means I can't see if this is using the DSA host key or an RSA host key. Bob From mouring at etoh.eviladmin.org Mon Feb 25 07:36:23 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sun, 24 Feb 2002 14:36:23 -0600 (CST) Subject: RSA versus DSA / Protocol 1 versus Protocol 2 In-Reply-To: <15481.21633.383150.715358@torment.proulx.com> Message-ID: On Sun, 24 Feb 2002, Bob Proulx wrote: > > > # diff -u /etc/sshd_config sshd_config > [...] > > +Port 2020 > > +Protocol 2,1 > > -HostKey /etc/ssh_host_dsa_key > [...] > > $ sshd -f sshd_config > > Interesting. Right there this dies for me. > > cd /etc > cp sshd_config sshd_config.hacked > edit sshd_config.hacked > diff -u0 | grep -v ^@@ > --- sshd_config Sun Feb 24 13:47:16 2002 > +++ sshd_config.hacked Sun Feb 24 13:53:52 2002 > -Port 22 > -#Protocol 2,1 > +Port 2022 > +Protocol 2,1 > -HostKey /etc/ssh_host_dsa_key > +# HostKey /etc/ssh_host_dsa_key > > [root at joseki /etc]# sshd -f sshd_config.hacked > Disabling protocol version 2. Could not load host key > > telnet localhost 2022 > SSH-1.5-OpenSSH_3.0.2p1 > > I will dig around in the code a little and see what I find. > > > # ssh -2 -p2020 localhost > > root at localhost's password: > > Since you normally use Protocol 2 this host is already in your > known_hosts file. Which means I can't see if this is using the DSA > host key or an RSA host key. > To tell you the truth.. it is RSA.. I did not think about passing a DSA key. I tend to disable DSA key support. Again it goes back to my own personal policy of "any unrequired feature that can be easily disabled should be disabled". Just so happens this box has DSA key support enabled. $ ssh -1 -o"HostKeyAlgorithms ssh-dss" localhost Protocol major versions differ: 1 vs. 2 Hmm.. Interesting.. - Ben From mouring at etoh.eviladmin.org Mon Feb 25 07:39:11 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sun, 24 Feb 2002 14:39:11 -0600 (CST) Subject: RSA versus DSA / Protocol 1 versus Protocol 2 In-Reply-To: Message-ID: On Sun, 24 Feb 2002, Ben Lindstrom wrote: > > > On Sun, 24 Feb 2002, Bob Proulx wrote: > > > > > > # diff -u /etc/sshd_config sshd_config > > [...] > > > +Port 2020 > > > +Protocol 2,1 > > > -HostKey /etc/ssh_host_dsa_key > > [...] > > > $ sshd -f sshd_config > > > > Interesting. Right there this dies for me. > > > > cd /etc > > cp sshd_config sshd_config.hacked > > edit sshd_config.hacked > > diff -u0 | grep -v ^@@ > > --- sshd_config Sun Feb 24 13:47:16 2002 > > +++ sshd_config.hacked Sun Feb 24 13:53:52 2002 > > -Port 22 > > -#Protocol 2,1 > > +Port 2022 > > +Protocol 2,1 > > -HostKey /etc/ssh_host_dsa_key > > +# HostKey /etc/ssh_host_dsa_key > > > > [root at joseki /etc]# sshd -f sshd_config.hacked > > Disabling protocol version 2. Could not load host key > > > > telnet localhost 2022 > > SSH-1.5-OpenSSH_3.0.2p1 > > > > I will dig around in the code a little and see what I find. > > > > > # ssh -2 -p2020 localhost > > > root at localhost's password: > > > > Since you normally use Protocol 2 this host is already in your > > known_hosts file. Which means I can't see if this is using the DSA > > host key or an RSA host key. > > > To tell you the truth.. it is RSA.. I did not think about passing a DSA > key. I tend to disable DSA key support. > > Again it goes back to my own personal policy of "any unrequired feature > that can be easily disabled should be disabled". Just so happens this > box has DSA key support enabled. > > $ ssh -1 -o"HostKeyAlgorithms ssh-dss" localhost > Protocol major versions differ: 1 vs. 2 > Scratch that it should be: $ ssh -p2020 -o"HostKeyAlgorithms ssh-dss" localhost no hostkey alg Which is what I would expect. Forcing DSA keys onto a server that does not support DSA keys. - Ben From bob at proulx.com Mon Feb 25 08:26:07 2002 
From: bob at proulx.com (Bob Proulx) Date: Sun, 24 Feb 2002 14:26:07 -0700 Subject: RSA versus DSA / Protocol 1 versus Protocol 2 In-Reply-To: References: <15481.20540.275295.941643@torment.proulx.com> Message-ID: <15481.23151.189157.838665@torment.proulx.com> > that should work. sshd -d would be useful. In that case I must have something really stupid in the sshd_config file to which I am blind. But it is almost the stock one distributed with openssh-3.0.2p1. Here is what I get. > [root at jenny openssh]# ./sshd -d -p24 > debug1: sshd version OpenSSH_3.0.2p1 > debug1: private host key: #0 type 0 RSA1 > debug1: read PEM private key done: type RSA > debug1: private host key: #1 type 1 RSA > debug1: Bind to port 24 on 0.0.0.0. > Server listening on 0.0.0.0 port 24. > Generating 768 bit RSA key. > RSA key generation complete. [root at joseki /etc]# sshd -d -f sshd_config.hacked debug1: Seeding random number generator debug1: sshd version OpenSSH_3.0.2p1 debug1: private host key: #0 type 0 RSA1 debug1: private host key: #1 type 0 RSA1 <----- Should this be RSA? Disabling protocol version 2. Could not load host key socket: Invalid argument debug1: Bind to port 2022 on 0.0.0.0. Server listening on 0.0.0.0 port 2022. Generating 768 bit RSA key. RSA key generation complete. Hmm.. cmp /etc/ssh_host_key /etc/ssh_host_rsa_key [no differences] That must be the source of my problem. Regenerating the rsa2 key to see if this solves the problem... That was it! Problem solved. Somewhere along the way I had (apparently) believed that an rsa host key was an rsa host key and could be 'cp /etc/ssh_host_key /etc/ssh_host_rsa_key' since I had obviously done that and they were both rsa1 files. And with nothing to ever change that key again that is the way that it was. Thanks Bob From d-b at home.se Mon Feb 25 08:35:11 2002 
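The mistake Bob found (an RSA1-format file copied to /etc/ssh_host_rsa_key, which sshd loads as "type 0 RSA1" and then disables protocol 2) is cheap to catch before restarting sshd. The following is an added example, not code from this thread or from OpenSSH: it reads every HostKey line from an sshd_config, classifies each file by the on-disk format OpenSSH 3.0.x writes (the protocol-1 file begins with the text "SSH PRIVATE KEY FILE FORMAT 1.1"; protocol-2 keys are PEM with a "-----BEGIN RSA PRIVATE KEY-----" or "-----BEGIN DSA PRIVATE KEY-----" header), and reports byte-identical files and the absence of any protocol-2 key. The sshd_config fragment and key file bodies below are constructed stand-ins, fed in through an in-memory reader so the example runs offline.

```python
"""
Host-key sanity check for sshd_config (added example, not OpenSSH code).
"""
import hashlib

# Marker OpenSSH writes at the start of a protocol-1 (RSA1) private key file.
RSA1_MAGIC = b"SSH PRIVATE KEY FILE FORMAT 1.1\n"


def classify_key(data):
    """Return 'rsa1', 'rsa', 'dsa' or 'unknown' from the file's leading bytes."""
    if data.startswith(RSA1_MAGIC):
        return "rsa1"
    head = data.lstrip()[:40]
    if head.startswith(b"-----BEGIN RSA PRIVATE KEY-----"):
        return "rsa"
    if head.startswith(b"-----BEGIN DSA PRIVATE KEY-----"):
        return "dsa"
    return "unknown"


def hostkey_paths(config_text):
    """Collect the paths from active (uncommented) HostKey lines, in order."""
    paths = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "hostkey":
            paths.append(parts[1].strip())
    return paths


def audit(config_text, read_file):
    """read_file(path) -> bytes. Returns ({path: kind}, [problem strings])."""
    report = {}
    problems = []
    seen = {}  # sha1 of file contents -> first path with that content
    for path in hostkey_paths(config_text):
        try:
            data = read_file(path)
        except OSError as exc:
            report[path] = "missing"
            problems.append("%s: cannot read (%s)" % (path, exc))
            continue
        kind = classify_key(data)
        report[path] = kind
        digest = hashlib.sha1(data).hexdigest()
        if digest in seen:
            problems.append("%s is byte-identical to %s" % (path, seen[digest]))
        seen.setdefault(digest, path)
        if kind == "unknown":
            problems.append("%s: unrecognised key format" % path)
    if not any(kind in ("rsa", "dsa") for kind in report.values()):
        problems.append("no protocol-2 host key: sshd will disable protocol 2")
    return report, problems


# Constructed sample: the situation from the thread, i.e. the RSA1 file was
# copied over the protocol-2 RSA key and the DSA line is commented out.
SAMPLE_CONFIG = """
# constructed sshd_config fragment
Port 2022
Protocol 2,1
HostKey /etc/ssh_host_key
HostKey /etc/ssh_host_rsa_key
# HostKey /etc/ssh_host_dsa_key
"""
RSA1_FILE = RSA1_MAGIC + b"\x00" * 16  # constructed stand-in body
SAMPLE_FILES = {
    "/etc/ssh_host_key": RSA1_FILE,
    "/etc/ssh_host_rsa_key": RSA1_FILE,  # the 'cp' mistake
}


def demo(files=SAMPLE_FILES, config=SAMPLE_CONFIG):
    """Run the audit against an in-memory file set instead of /etc."""
    def read(path):
        if path not in files:
            raise FileNotFoundError(path)
        return files[path]
    return audit(config, read)


if __name__ == "__main__":
    report, problems = demo()
    for path, kind in report.items():
        print("%-28s %s" % (path, kind))
    for problem in problems:
        print("PROBLEM: " + problem)
```

On a live host, replace `demo()` with `audit(open("/etc/sshd_config").read(), lambda p: open(p, "rb").read())` and run it as root, since the key files are mode 0600. A "rsa1" verdict on anything other than the protocol-1 HostKey is the copied-file case; the fix is the one Bob applied, regenerating the key with ssh-keygen -t rsa.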
From: d-b at home.se (Daniel Bergman) Date: Sun, 24 Feb 2002 22:35:11 +0100 Subject: RSA versus DSA / Protocol 1 versus Protocol 2 In-Reply-To: <20020224183521.GA2268@faui02> References: <20020224183521.GA2268@faui02> Message-ID: <1446980.1014590111@localhost> I'm sorry for coming in this late. I would really appreciate a list of pros and cons of each algorithm, RSA - DSA. Regards, Daniel > On Sun, Feb 24, 2002 at 11:24:23AM -0700, Bob Proulx wrote: >> I have been searching the archives and confused about some points that >> I am hoping could be cleared up. >> >> RSA versus DSA >> >> I seem to see a lot of messages saying this. That DSA is slow. DSA >> was added only to avoid a patent which is now expired. RSA is the >> preferred authentication method. DSA should be avoided. Which all >> sounds fine to me and I think I agree with that. Assuming this >> applies to both host keys and user keys it seems that you cannot >> disable this for host keys when using Protocol 2. > > define 'disable'. you can delete the DSA host key. > >> Is that required >> for compatibility or other reason? > > the SSH2 'standard' defines: > > The following public key and/or certificate formats are currently > defined: > > ssh-dss REQUIRED sign Simple DSS > ssh-rsa RECOMMENDED sign Simple RSA > > There is a large installed base of DSA keys. > >> Protocol 1 versus Protocol 2 >> >> OpenSSH 3.x defaults to Protocol 2,1. Fine. But ssh-keygen and >> ssh-add default to creating and using rsa1 keys, which means using >> Protocol 1, but using DSA host keys. > > in OpenSSH 3.1: > ssh-keygen will no longer have a default key type. > ssh-add will try to add all 3 key types. > > -m > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > -- Daniel Bergman Phone: 08 - 55066265 Mobile: 070 - 289 30 39 Fax: 08 - 59827056 Email: d-b at home.se From deraadt at cvs.openbsd.org Mon Feb 25 08:40:02 2002 
From: deraadt at cvs.openbsd.org (Theo de Raadt) Date: Sun, 24 Feb 2002 14:40:02 -0700 Subject: RSA versus DSA / Protocol 1 versus Protocol 2 In-Reply-To: Your message of "Sun, 24 Feb 2002 22:35:11 +0100." <1446980.1014590111@localhost> Message-ID: <200202242140.g1OLe2WU015247@cvs.openbsd.org> > I would really appreciate a list of pros and cons of each algorithm, RSA - > DSA. Go buy a book. From dan at doxpara.com Mon Feb 25 09:19:33 2002 
From: dan at doxpara.com (Dan Kaminsky) Date: Sun, 24 Feb 2002 14:19:33 -0800 Subject: RSA versus DSA / Protocol 1 versus Protocol 2 References: <200202242140.g1OLe2WU015247@cvs.openbsd.org> Message-ID: <016101c1bd81$56228be0$1701000a@effugas> > > I would really appreciate a list of pros and cons of each algorithm, RSA - > > DSA. > > Go buy a book. I don't think any book actually refers to pros or cons of RSA vs. DSA for SSH usage. At one point, DSA was explicitly distrusted by the PuTTY developers due to a severe weakness if badly implemented. Quoting from their FAQ: === A.7.3 How come PuTTY now supports DSA, when the website used to say how insecure it was? DSA has a major weakness if badly implemented: it relies on a random number generator to far too great an extent. If the random number generator produces a number an attacker can predict, the DSA private key is exposed - meaning that the attacker can log in as you on all systems that accept that key. The PuTTY policy changed because the developers were informed of ways to implement DSA which do not suffer nearly as badly from this weakness, and indeed which don't need to rely on random numbers at all. For this reason we now believe PuTTY's DSA implementation is probably OK. However, if you have the choice, we still recommend you use RSA instead. === The pragmatic view of RSA vs. DSA: RSA is faster, DSA is more deployed for SSH2 use. Using the same RSA key for SSH1 and SSH2 is, last I checked, probably a cryptographic disaster. In my mind, this is enough of a reason to default to DSA. (If nothing else, making key generation scripts fail because we changed the syntax yet again is probably a bad idea.) --Dan From gert at greenie.muc.de Mon Feb 25 09:28:45 2002 
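The PuTTY FAQ passage Dan quotes says the DSA private key is exposed if the per-signature random number is predictable; the concrete form of that is nonce reuse, and the key falls out of two signatures with ordinary modular arithmetic. The following is an added example, not code from this thread, from PuTTY or from OpenSSH: it generates toy DSA parameters (a q of about 17 bits rather than 160, so it runs in well under a second), signs two different messages with the same k the way a broken generator would, and recovers the private key from the pair. The parameter sizes, messages, key and nonce values are all constructed; the recovery formula is the real one.

```python
"""
DSA private-key recovery from a reused nonce (added example, toy parameters).

Signing:  r = (g^k mod p) mod q,  s = k^-1 (H(m) + x r) mod q
Two signatures with the same k share r, and
    s1 - s2 = k^-1 (H(m1) - H(m2))   =>   k = (H(m1) - H(m2)) / (s1 - s2)
    x = (s1 k - H(m1)) / r                                         (all mod q)
"""
import hashlib


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def toy_params(q_start=100000):
    """Return (p, q, g): q prime, p = k*q + 1 prime, g of order q mod p."""
    q = q_start
    while not is_prime(q):
        q += 1
    k = 2
    while not is_prime(k * q + 1):
        k += 1
    p = k * q + 1
    h = 2
    while True:
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g
        h += 1


def inv(a, q):
    """Modular inverse for prime q (Fermat), so it works on any Python 3."""
    return pow(a % q, q - 2, q)


def H(msg, q):
    """SHA-1 of the message reduced into Z_q (real DSA truncates to |q| bits)."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q


def sign(msg, x, k, p, q, g):
    r = pow(g, k, p) % q
    s = (inv(k, q) * (H(msg, q) + x * r)) % q
    if r == 0 or s == 0:
        raise ValueError("unusable nonce for this message; real DSA retries")
    return r, s


def verify(msg, sig, y, p, q, g):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = inv(s, q)
    u1 = (H(msg, q) * w) % q
    u2 = (r * w) % q
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q
    return v == r


def recover_private_key(m1, sig1, m2, sig2, q):
    """Return x from two signatures made with the same k, or None if not reused."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2 or (s1 - s2) % q == 0:
        return None  # different nonces, or identical hashes: nothing to do
    k = ((H(m1, q) - H(m2, q)) * inv(s1 - s2, q)) % q
    return ((s1 * k - H(m1, q)) * inv(r1, q)) % q


def demo():
    """Returns (real x, recovered x, both signatures verified)."""
    p, q, g = toy_params()
    x = 31337 % q                 # private key (constructed)
    y = pow(g, x, p)              # public key
    k = 4242                      # the "random" nonce a broken RNG hands out twice
    m1 = b"constructed message one"
    m2 = b"constructed message two"
    sig1 = sign(m1, x, k, p, q, g)
    sig2 = sign(m2, x, k, p, q, g)
    ok = verify(m1, sig1, y, p, q, g) and verify(m2, sig2, y, p, q, g)
    return x, recover_private_key(m1, sig1, m2, sig2, q), ok


if __name__ == "__main__":
    x, recovered, ok = demo()
    print("signatures verify:", ok)
    print("private key %d, recovered %d" % (x, recovered))
```

Nothing about the attack depends on q being small; with a 160-bit q the same three lines in `recover_private_key` run just as fast, which is why the FAQ's remark about implementations that "don't need to rely on random numbers at all" (deriving k deterministically from the key and the message) matters more for DSA than any choice between RSA and DSA on performance grounds. RSA signatures have no per-signature secret, so this particular failure mode does not exist for them.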
From: gert at greenie.muc.de (Gert Doering) Date: Sun, 24 Feb 2002 23:28:45 +0100 Subject: Call for testing. In-Reply-To: ; from Ben Lindstrom on Sun, Feb 24, 2002 at 01:45:54PM -0600 References: Message-ID: <20020224232845.B18157@greenie.muc.de> Hi, On Sun, Feb 24, 2002 at 01:45:54PM -0600, Ben Lindstrom wrote: > During the week can you try putting aix_usrinfo(pw, s->tty, s->ttyfd) > before the do_setusercontext(pw) in do_child(s); And see if we can > solve it that way? I suspect that usrinfo() has to take place as > root and not as a normal user. Yes, this is correct. usrinfo() is some kind of "environment settable only by root". gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From mouring at etoh.eviladmin.org Mon Feb 25 09:06:51 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sun, 24 Feb 2002 16:06:51 -0600 (CST) Subject: Call for testing. In-Reply-To: <20020224232845.B18157@greenie.muc.de> Message-ID: The real question is if we can put it before do_setusercontext(pw) and avoid changing the syntax of do_setusercontext() to use Session instead of 'struct passwd'. That seems to be the last issue to resolve for AIX at this time. - Ben On Sun, 24 Feb 2002, Gert Doering wrote: > Hi, > > On Sun, Feb 24, 2002 at 01:45:54PM -0600, Ben Lindstrom wrote: > > During the week can you try putting aix_usrinfo(pw, s->tty, s->ttyfd) > > before the do_setusercontext(pw) in do_child(s); And see if we can > > solve it that way? I suspect that usrinfo() has to take place as > > root and not as a normal user. > > Yes, this is correct. usrinfo() is some kind of "environment settable > only by root". > > gert > -- > USENET is *not* the non-clickable part of WWW! > //www.muc.de/~gert/ > Gert Doering - Munich, Germany gert at greenie.muc.de > fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de > From b_smith44 at hotmail.com Mon Feb 25 10:45:22 2002 
From: b_smith44 at hotmail.com (Bob Smith) Date: Sun, 24 Feb 2002 15:45:22 -0800 Subject: Sol8/pam_krb5/OpenSSH 3.0.2 Message-ID: with the following pam.conf entries, after being prompted for a login password the connection is closed: other auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 other auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass the system logs the error: sshd[4215]: fatal: input_userauth_info_response_pam: no authentication context if the pam.conf entry is changed to the following less than desirable entry: other auth sufficient /usr/lib/security/$ISA/pam_unix.so.1 other auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass and 'UseLogin' is set to 'yes' then a user can login however scp fails. if the above pam.conf entry is used and 'UseLogin' is set to 'no' then both ssh and scp fail. regardless of the pam.conf configuration, if 'UseLogin' is set to 'no' and the user is being authenticated by either pam_unix or pam_krb5 then password expiration (forced change) is ignored. any help would be appreciated. _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp. From bugzilla-daemon at mindrot.org Mon Feb 25 13:03:48 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 25 Feb 2002 13:03:48 +1100 (EST) Subject: [Bug 84] last command provides incorrect information on Solaris 8 Message-ID: <20020225020348.EADC3E8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=84 tim at multitalents.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From tim at multitalents.net 2002-02-25 13:03 ------- The patch works (thanks) and doesn't seem to break other platforms I've tested so I'm committing the patch to CVS. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From dmanton at emea.att.com Mon Feb 25 22:29:29 2002 From: dmanton at emea.att.com (Manton, Doug) Date: Mon, 25 Feb 2002 11:29:29 -0000 Subject: Call for testing. Message-ID: > During the week can you try putting aix_usrinfo(pw, s->tty, s->ttyfd) > before the do_setusercontext(pw) in do_child(s); And see if we can > solve it that way? I suspect that usrinfo() has to take place as > root and not as a normal user. Please take a look at the attached. This compiles and appears to work. Does anyone know of a utility or application that relies on AIX usrinfo being set? I would really like to test the whole aix_usrinfo against the real application requirement. Many thanks, Doug Manton, AT&T Business Commercial Security ---------------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: 20020225-aix.patch Type: application/octet-stream Size: 1150 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020225/da418d97/attachment.obj From ojoa at gatrixx.com Mon Feb 25 23:47:45 2002 
From: ojoa at gatrixx.com (Oliver Joa) Date: Mon, 25 Feb 2002 13:47:45 +0100 Subject: link statically Message-ID: <20020225134745.G1887@asterix.gallier.de> Hi, I have downloaded the linux-version of openssh-3.0.2p1. I wanted to compile it statically with the following configure-statement: ./configure --prefix=/usr/local/opt/openssh-3.0.2p1 --with-pam --with-md5-passwords --with-v4-default --with-ldflags=-static --with-ssl-dir=/usr/local/opt/openssl It worked for the older 2.9 version, but now I get the following error: gcc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -L. -Lopenbsd-compat/ -L/usr/local/opt/openssl/lib -static -lssh -lopenbsd-compat -lpam -ldl -lutil -lz -lnsl -lcrypto /usr/lib/gcc-lib/i386-redhat-linux/2.96/../../../libc.a(getopt.o): In function `_getopt_internal': /usr/src/build/40453-i386/BUILD/glibc-2.2.4/posix/getopt.c:516: multiple definition of `optind' openbsd-compat//libopenbsd-compat.a(getopt.o):/home/olli/openssh-3.0.2p1/openbsd-compat/getopt.c:64: first defined here /usr/lib/gcc-lib/i386-redhat-linux/2.96/../../../libc.a(getopt.o): In function `_getopt_internal': /usr/src/build/40453-i386/BUILD/glibc-2.2.4/posix/getopt.c:516: multiple definition of `opterr' openbsd-compat//libopenbsd-compat.a(getopt.o):/home/olli/openssh-3.0.2p1/openbsd-compat/getopt.c:64: first defined here collect2: ld returned 1 exit status make: *** [ssh] Error 1 Do you have an idea what the problem is? How can I compile it statically? oliver -- Dipl. Inf. (FH) Oliver Joa senior IT-architect Gatrixx NetSolutions GmbH Karl-Goetz-Strasse 5 97424 Schweinfurt Fon +49 9721 797 420 Fax +49 9383 999-58 Mobil +49 160 47874 62 mailto:ojoa at gatrixx.com, ojoa at gmx.net, ojoa at yahoo.com, oliver at j-o-a.de Weitere Informationen erhalten Sie unter: http://www.gedif.de/ From jeh at profitlogic.com Tue Feb 26 01:27:26 2002 
From: jeh at profitlogic.com (Justin Hahn)
Date: Mon, 25 Feb 2002 09:27:26 -0500
Subject: Weird problems on solaris 7 & 8
Message-ID: <419A3E73A18BD211A17000105A1C37E90148AB77@mail.grossprofit.com>

> I can't replicate this, nor can I see this in the code. In
> Solaris 2.5.1 nor 7.

After several hours more poking around it appears it had something to do
with openssl. I don't quite know what was causing it, but a rebuild cleared
it up. I can no longer reliably reproduce this, but something was VERY VERY
wrong with openssl. (I went back to the code tree that produced it and it
failed make test with a segfault)

> What compiler are you using? I've done compiles using gcc
> (forgot which version), and an OLD ProC intel.

gcc 2.95.3, gcc 3.0.3 and SunPro 6 update 2 (all solaris...)

Anyhow, sorry for the false alarm. It didn't occur to me for some time that
it could be openssl.

Thanks.
--jeh

From bugzilla-daemon at mindrot.org Tue Feb 26 06:00:56 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 26 Feb 2002 06:00:56 +1100 (EST)
Subject: [Bug 68] Manpage for ssh-add and scp missing after "make install"
Message-ID: <20020225190056.43086E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=68

------- Additional Comments From tim at multitalents.net 2002-02-26 06:00 -------
It's a problem prior to the "make install" stage.
Try removing any 0 byte .out files. Run make and look for errors.
I don't know what MANTYPE HP-UX uses, but if it's cat look for a sed problem.
If MANTYPE = man, look for a problem with mdoc2man.pl
(See lines 134-144 of Makefile)

From bugzilla-daemon at mindrot.org Tue Feb 26 07:50:57 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 26 Feb 2002 07:50:57 +1100 (EST)
Subject: [Bug 53] trying to build on Caldera OpenUNIX 8.0.0, die in openbsd-compat
Message-ID: <20020225205057.1A891E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=53

tim at multitalents.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

------- Additional Comments From tim at multitalents.net 2002-02-26 07:50 -------
Any of the current snapshots build just fine for me on Caldera Open UNIX 8.
If you have trouble with a current snapshot, re-open this bug.

From bugzilla-daemon at mindrot.org Tue Feb 26 07:51:15 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 26 Feb 2002 07:51:15 +1100 (EST)
Subject: [Bug 87] Last logon that gets reported upon login is the current login time
Message-ID: <20020225205115.2326BE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=87

------- Additional Comments From wknox at mitre.org 2002-02-26 07:51 -------
Created an attachment (id=29)
There was an error in the previous patch - use this one

From robs at chelsea.net Tue Feb 26 08:00:46 2002
From: robs at chelsea.net (Rob Saccoccio)
Date: Mon, 25 Feb 2002 16:00:46 -0500
Subject: [PATCH] AllowRootHostsEquiv
Message-ID:

This patch allows the [s]hosts.equiv functionality to be enabled for root
via a new directive, AllowRootHostsEquiv. The patch is against
openssh-3.0.2p1.

--robs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-3.0.2p1-hostsequiv.patch
Type: application/octet-stream
Size: 3118 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020225/0a2589f0/attachment.obj

From bugzilla-daemon at mindrot.org Tue Feb 26 08:22:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 26 Feb 2002 08:22:32 +1100 (EST)
Subject: [Bug 41] Static compilation
Message-ID: <20020225212232.12D24E998@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=41

------- Additional Comments From stevesk at pobox.com 2002-01-06 11:10 -------
a patch would speed up fixing this. can someone produce one?

------- Additional Comments From tim at multitalents.net 2002-02-26 08:22 -------
What platform do you have this problem on?
SCO builds static binaries just fine.
UnixWare doesn't have a chance due to no libsocket.a
Solaris and Linux (Caldera & RH) don't have libpam.a so there is no chance
there (with PAM).
Please update the OS: check box.

From bugzilla-daemon at mindrot.org Tue Feb 26 08:45:38 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 26 Feb 2002 08:45:38 +1100 (EST)
Subject: [Bug 41] Static compilation
Message-ID: <20020225214538.9A4A5E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=41

------- Additional Comments From Darren.Moffat at Sun.COM 2002-02-26 08:45 -------
Solaris does actually provide a libpam.a for 32bit binaries. Solaris has no
static libraries for 64bit - because static linking is evil and almost never
needed by 3rd party developers.

However static linking against libpam doesn't make much sense, libpam's job
in life is to bring in dynamic modules.

The only time you should be statically linking is when the binary is
critical to system startup or recovery and can run without any external
dependencies. Using PAM fails this check since the modules it needs for
authentication may not be available and in a default Solaris install are in
the /usr/ filesystem.

I would really discourage anyone from doing static linking on Solaris as the
binaries are not guaranteed to be upwardly compatible if you do - static
binaries could even fail when adding patches.

* Static linking prevents libc_psr.so.1 from working for platform specifics.
  This library automatically enables dynamically linked programs from linking
  in platform specific versions of various library routines which are
  optimized for a particular platform. These include platform optimized
  versions of some string functions and other frequently called functions.
* Patches to system libraries for bug fixes and performance enhancements are
  not automatically picked up by the application.
* Security fixes in system libraries are not available to statically linked
  applications.

From bugzilla-daemon at mindrot.org Tue Feb 26 08:54:18 2002
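Darren Moffat's last two bullets in the bug 41 comment above are the operational concern: a binary with no program interpreter never loads a shared library, so a libc or libcrypto fix installed on the system never reaches it. The following is an added example (mine, not OpenSSH, Solaris or any vendor's code) that classifies ELF files by their program headers so such binaries can be inventoried; the ELF images it builds for itself are constructed test data, and its "static" label deliberately also covers static-pie binaries, which carry PT_DYNAMIC but no PT_INTERP.

```python
"""Classify ELF executables as statically or dynamically linked.

Added example for the static-linking discussion above; not OpenSSH, Solaris
or any vendor's code.  A binary without a program interpreter never loads a
shared library, so system library security fixes never reach it.
"""
import os
import struct
import sys

PT_DYNAMIC = 2
PT_INTERP = 3

# Per ELF class: (offset of e_phoff, its struct code, offset of e_phentsize,
# program header struct code).  Field order differs between the classes.
_LAYOUT = {
    1: (28, "I", 42, "IIIIIIII"),  # ELF32: type off vaddr paddr filesz memsz flags align
    2: (32, "Q", 54, "IIQQQQQQ"),  # ELF64: type flags off vaddr paddr filesz memsz align
}


def classify_elf(data):
    """Return {'linkage', 'interp', 'has_dynamic'} for an ELF image in memory.

    'linkage' is 'not-elf', 'dynamic' (PT_INTERP present) or 'static'.
    PT_INTERP is the deciding marker: a static-pie executable carries
    PT_DYNAMIC for self-relocation yet has no interpreter and its own libc
    copy, so PT_DYNAMIC alone does not make a binary patchable via the system.
    """
    result = {"linkage": "not-elf", "interp": None, "has_dynamic": False}
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in _LAYOUT:
        return result
    end = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = LSB, 2 = MSB
    phoff_at, phoff_code, phent_at, phdr_code = _LAYOUT[data[4]]
    e_phoff = struct.unpack_from(end + phoff_code, data, phoff_at)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, phent_at)
    phdr_fmt = end + phdr_code
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + struct.calcsize(phdr_fmt) > len(data):
            break                                # truncated table: stop cleanly
        fields = struct.unpack_from(phdr_fmt, data, off)
        p_type = fields[0]
        if data[4] == 2:
            p_offset, p_filesz = fields[2], fields[5]
        else:
            p_offset, p_filesz = fields[1], fields[4]
        if p_type == PT_DYNAMIC:
            result["has_dynamic"] = True
        elif p_type == PT_INTERP:
            raw = data[p_offset:p_offset + p_filesz]
            result["interp"] = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    result["linkage"] = "dynamic" if result["interp"] is not None else "static"
    return result


def find_static_executables(root):
    """Walk a directory tree and return the ELF files that have no PT_INTERP."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if classify_elf(data)["linkage"] == "static":
                hits.append(path)
    return hits


def make_sample_elf64(with_interp):
    """Build a minimal little-endian x86-64 ELF image (constructed test data,
    not a real binary): a PT_DYNAMIC entry always, plus a PT_INTERP entry
    pointing at an interpreter string when requested."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    phnum = 2 if with_interp else 1
    interp_off = 64 + 56 * phnum                 # string follows the phdr table
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9   # ELF64, LSB, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    table = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 0, 0, 0, 0, 0, 8)
    if with_interp:
        table += struct.pack("<IIQQQQQQ", PT_INTERP, 4, interp_off, 0, 0,
                             len(interp), len(interp), 1)
    return header + table + (interp if with_interp else b"")


if __name__ == "__main__":
    for root in sys.argv[1:] or ["/usr/local/bin"]:
        for path in find_static_executables(root):
            print("static (will not pick up shared-library fixes):", path)
```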
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 26 Feb 2002 08:54:18 +1100 (EST)
Subject: [Bug 124] Terminal hangs when data is streaming to it...
Message-ID: <20020225215418.17843E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=124

------- Additional Comments From jbrown75 at csc.com 2002-02-26 08:54 -------
Upgraded one system to 3.0.2 and problem still persists. It appears that the
slower the network the more often the problem presents itself. My gut feeling
is that it has something to do with flow control but can't prove it. Any way
I can trap where the software is when it halts?

From gert at greenie.muc.de Tue Feb 26 09:00:55 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 25 Feb 2002 23:00:55 +0100
Subject: Call for testing.
In-Reply-To: ; from Manton, Doug on Mon, Feb 25, 2002 at 11:29:29AM -0000
References:
Message-ID: <20020225230055.C27931@greenie.muc.de>

Hi,

On Mon, Feb 25, 2002 at 11:29:29AM -0000, Manton, Doug wrote:
> Does anyone know of a utility or application that relies on AIX usrinfo
> being set?

We have, unfortunately.

> I would really like to test the whole aix_usrinfo against the
> real application requirement.

I'll try to compile & test on 4.3.3 tomorrow.

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert.doering at physik.tu-muenchen.de

From mouring at etoh.eviladmin.org Tue Feb 26 08:48:53 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 25 Feb 2002 15:48:53 -0600 (CST)
Subject: Call for testing.
In-Reply-To: <20020225230055.C27931@greenie.muc.de>
Message-ID:

I committed the change so tomorrow please grab the snapshot and try it.

- Ben

On Mon, 25 Feb 2002, Gert Doering wrote:

> Hi,
>
> On Mon, Feb 25, 2002 at 11:29:29AM -0000, Manton, Doug wrote:
> > Does anyone know of a utility or application that relies on AIX usrinfo
> > being set?
>
> We have, unfortunately.
>
> > I would really like to test the whole aix_usrinfo against the
> > real application requirement.
>
> I'll try to compile & test on 4.3.3 tomorrow.
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany   gert at greenie.muc.de
> fax: +49-89-35655025   gert.doering at physik.tu-muenchen.de
>

From matthewt at hq.psa.com.sg Tue Feb 26 13:24:10 2002
From: matthewt at hq.psa.com.sg (MATTHEW TAN, CUSSID)
Date: Tue, 26 Feb 2002 10:24:10 +0800
Subject: problem running ssh-keygen in Solaris 8 x86
Message-ID: <4E6D5F09E791D41192ED00D0B78F7B3504B85E7D@tpcxsvr1.psa>

Hi,

I encountered the following when I run the below command on my Solaris 8 x86
box:
#ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""

I got the following error:
Segmentation fault - core dumped

Does anyone have any idea what is wrong? I am using pre-compiled packages
downloaded from sunfreeware.com.

Regards,
Matthew

This communication contains confidential or privileged information. If you
are not the intended recipient, please notify us IMMEDIATELY that you have
received it and destroy it. We are not liable for any unauthorised sending
of or interference with this communication.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020226/2b0071bd/attachment.html

From fcusack at fcusack.com Tue Feb 26 13:41:39 2002
From: fcusack at fcusack.com (Frank Cusack)
Date: Mon, 25 Feb 2002 18:41:39 -0800
Subject: problem running ssh-keygen in Solaris 8 x86
In-Reply-To: <4E6D5F09E791D41192ED00D0B78F7B3504B85E7D@tpcxsvr1.psa>; from matthewt@hq.psa.com.sg on Tue, Feb 26, 2002 at 10:24:10AM +0800
References: <4E6D5F09E791D41192ED00D0B78F7B3504B85E7D@tpcxsvr1.psa>
Message-ID: <20020225184139.B1388@google.com>

On Tue, Feb 26, 2002 at 10:24:10AM +0800, MATTHEW TAN, CUSSID wrote:
> Hi,
>
> I encountered the following when I run the below command on my Solaris 8 x86
> box:
> #ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
>
> I got the following error:
> Segmentation fault - core dumped
>
> Does anyone have any idea what is wrong? I am using pre-compiled packages
> downloaded from sunfreeware.com.

Asked and answered.

Stack trace would be useful. And/or 'truss -u' output, if trimmed well.

/fc

From mouring at etoh.eviladmin.org Tue Feb 26 13:11:07 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 25 Feb 2002 20:11:07 -0600 (CST)
Subject: problem running ssh-keygen in Solaris 8 x86
In-Reply-To: <20020225184139.B1388@google.com>
Message-ID:

On Mon, 25 Feb 2002, Frank Cusack wrote:

> On Tue, Feb 26, 2002 at 10:24:10AM +0800, MATTHEW TAN, CUSSID wrote:
> > Hi,
> >
> > I encountered the following when I run the below command on my Solaris 8 x86
> > box:
> > #ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
> >
> > I got the following error:
> > Segmentation fault - core dumped
> >
> > Does anyone have any idea what is wrong? I am using pre-compiled packages
> > downloaded from sunfreeware.com.
>
> Asked and answered.
>
> Stack trace would be useful. And/or 'truss -u' output, if trimmed well.
>

Majority of the time I've seen this it is due to problems with mismatched
OpenSSL/OpenSSH or badly compiled OpenSSL.

- Ben

From matthewt at hq.psa.com.sg Tue Feb 26 13:53:50 2002
From: matthewt at hq.psa.com.sg (MATTHEW TAN, CUSSID)
Date: Tue, 26 Feb 2002 10:53:50 +0800
Subject: problem running ssh-keygen in Solaris 8 x86
Message-ID: <4E6D5F09E791D41192ED00D0B78F7B3504B85E7E@tpcxsvr1.psa>

I am using openssh-3.0.2p1 and openssl-0.9.6b.
Any problems with such a combination?

-----Original Message-----
From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org]
Sent: Tuesday, February 26, 2002 10:11 AM
To: Frank Cusack
Cc: MATTHEW TAN, CUSSID; 'openssh-unix-dev at mindrot.org'
Subject: Re: problem running ssh-keygen in Solaris 8 x86

On Mon, 25 Feb 2002, Frank Cusack wrote:

> On Tue, Feb 26, 2002 at 10:24:10AM +0800, MATTHEW TAN, CUSSID wrote:
> > Hi,
> >
> > I encountered the following when I run the below command on my Solaris 8 x86
> > box:
> > #ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
> >
> > I got the following error:
> > Segmentation fault - core dumped
> >
> > Does anyone have any idea what is wrong? I am using pre-compiled packages
> > downloaded from sunfreeware.com.
>
> Asked and answered.
>
> Stack trace would be useful. And/or 'truss -u' output, if trimmed well.
>

Majority of the time I've seen this it is due to problems with mismatched
OpenSSL/OpenSSH or badly compiled OpenSSL.

- Ben

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020226/2539a7bd/attachment.html

From mouring at etoh.eviladmin.org Tue Feb 26 13:20:06 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 25 Feb 2002 20:20:06 -0600 (CST)
Subject: problem running ssh-keygen in Solaris 8 x86
In-Reply-To: <4E6D5F09E791D41192ED00D0B78F7B3504B85E7E@tpcxsvr1.psa>
Message-ID:

Was the version you downloaded compiled to link to openssh-0.9.6?

- Ben

On Tue, 26 Feb 2002, MATTHEW TAN, CUSSID wrote:

> I am using openssh-3.0.2p1 and openssl-0.9.6b.
> Any problems with such a combination?
>
> -----Original Message-----
> From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org]
> Sent: Tuesday, February 26, 2002 10:11 AM
> To: Frank Cusack
> Cc: MATTHEW TAN, CUSSID; 'openssh-unix-dev at mindrot.org'
> Subject: Re: problem running ssh-keygen in Solaris 8 x86
>
>
>
> On Mon, 25 Feb 2002, Frank Cusack wrote:
>
> > On Tue, Feb 26, 2002 at 10:24:10AM +0800, MATTHEW TAN, CUSSID wrote:
> > > Hi,
> > >
> > > I encountered the following when I run the below command on my Solaris 8
> x86
> > > box:
> > > #ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
> > >
> > > I got the following error:
> > > Segmentation fault - core dumped
> > >
> > > Does anyone have any idea what is wrong? I am using pre-compiled
> packages
> > > downloaded from sunfreeware.com.
> >
> > Asked and answered.
> >
> > Stack trace would be useful. And/or 'truss -u' output, if trimmed well.
> >
>
> Majority of the time I've seen this it is due to problems with mismatched
> OpenSSL/OpenSSH or badly compiled OpenSSL.
>
> - Ben
>

From ssklar at stanford.edu Tue Feb 26 14:58:20 2002
From: ssklar at stanford.edu (Sandor W. Sklar)
Date: Mon, 25 Feb 2002 19:58:20 -0800
Subject: Call for testing.
In-Reply-To:
References:
Message-ID:

At 3:48 PM -0600 2/25/02, Ben Lindstrom wrote:
>I committed the change so tomorrow please grab the snapshot and try it.


openssh-SNAP-20020225.tar.gz, AIX 4.3.3.0-ML08, IBM C for AIX compiler ...

bacci:/home/ssklar/openssh $ make
... (snip) ...
(cd openbsd-compat && make)
make[1]: Entering directory `/home/ssklar/openssh/openbsd-compat'
/usr/bin/cc -g -I. -I.. -I. -I./.. -I/usr/local/ssl/include -I/usr/local/include -DHAVE_CONFIG_H -c bsd-arc4random.c
"../log.h", line 51.27: 1506-046 (S) Syntax error.
"../openbsd-compat/port-aix.h", line 8.6: 1506-485 (S) Parameter declaration list is incompatible with declarator for aix_usrinfo.
"bsd-arc4random.c", line 28.1: 1506-045 (S) Undeclared identifier rcsid.
"bsd-arc4random.c", line 28.1: 1506-277 (S) Syntax error: possible missing ';' or ','?
make[1]: *** [bsd-arc4random.o] Error 1
make[1]: Leaving directory `/home/ssklar/openssh/openbsd-compat'
make: *** [openbsd-compat/libopenbsd-compat.a] Error 2

I think that this is the same error I got with the snapshot from 5 days ago,
that I reported. Should I be using bugzilla to submit this reply to your call
for testing?

--Sandy

>
>- Ben
>
>On Mon, 25 Feb 2002, Gert Doering wrote:
>
>> Hi,
>>
>> On Mon, Feb 25, 2002 at 11:29:29AM -0000, Manton, Doug wrote:
>> > Does anyone know of a utility or application that relies on AIX usrinfo
>> > being set?
>>
>> We have, unfortunately.
>>
>> > I would really like to test the whole aix_usrinfo against the
>> > real application requirement.
>>
>> I'll try to compile & test on 4.3.3 tomorrow.
>>
>> gert
>>
>> --
>> USENET is *not* the non-clickable part of WWW!
>> //www.muc.de/~gert/
>> Gert Doering - Munich, Germany   gert at greenie.muc.de
>> fax: +49-89-35655025   gert.doering at physik.tu-muenchen.de
>>
>
>_______________________________________________
>openssh-unix-dev at mindrot.org mailing list
>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sandor W. Sklar - Unix Systems Administrator - Stanford University ITSS
Non impediti ratione cogitationis.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From mouring at etoh.eviladmin.org Tue Feb 26 14:19:33 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 25 Feb 2002 21:19:33 -0600 (CST)
Subject: Call for testing.
In-Reply-To:
Message-ID:

This has been handled in the snapshot that will be coming out tonight.
This is what Doug, Gert and myself were talking about.

- Ben

On Mon, 25 Feb 2002, Sandor W. Sklar wrote:

> At 3:48 PM -0600 2/25/02, Ben Lindstrom wrote:
> >I committed the change so tomorrow please grab the snapshot and try it.
>
>
> openssh-SNAP-20020225.tar.gz, AIX 4.3.3.0-ML08, IBM C for AIX compiler ...
>
> bacci:/home/ssklar/openssh $ make
> ... (snip) ...
> (cd openbsd-compat && make)
> make[1]: Entering directory `/home/ssklar/openssh/openbsd-compat'
> /usr/bin/cc -g -I. -I.. -I. -I./.. -I/usr/local/ssl/include
> -I/usr/local/include -DHAVE_CONFIG_H -c bsd-arc4random.c
> "../log.h", line 51.27: 1506-046 (S) Syntax error.
> "../openbsd-compat/port-aix.h", line 8.6: 1506-485 (S) Parameter
> declaration list is incompatible with declarator for aix_usrinfo.
> "bsd-arc4random.c", line 28.1: 1506-045 (S) Undeclared identifier rcsid.
> "bsd-arc4random.c", line 28.1: 1506-277 (S) Syntax error: possible
> missing ';' or ','?
> make[1]: *** [bsd-arc4random.o] Error 1
> make[1]: Leaving directory `/home/ssklar/openssh/openbsd-compat'
> make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
>
> I think that this is the same error I got with the snapshot from 5
> days ago, that I reported. Should I be using bugzilla to submit this
> reply to your call for testing?
>
> --Sandy
>
> >
> >- Ben
> >
> >On Mon, 25 Feb 2002, Gert Doering wrote:
> >
> >> Hi,
> >>
> >> On Mon, Feb 25, 2002 at 11:29:29AM -0000, Manton, Doug wrote:
> >> > Does anyone know of a utility or application that relies on AIX usrinfo
> >> > being set?
> >>
> >> We have, unfortunately.
> >>
> >> > I would really like to test the whole aix_usrinfo against the
> >> > real application requirement.
> >>
> >> I'll try to compile & test on 4.3.3 tomorrow.
> >>
> >> gert
> >>
> >> --
> >> USENET is *not* the non-clickable part of WWW!
> >> //www.muc.de/~gert/
> >> Gert Doering - Munich, Germany   gert at greenie.muc.de
> >> fax: +49-89-35655025   gert.doering at physik.tu-muenchen.de
> >>
> >
>

From ssklar at stanford.edu Tue Feb 26 15:11:46 2002
From: ssklar at stanford.edu (Sandor W. Sklar)
Date: Mon, 25 Feb 2002 20:11:46 -0800
Subject: Call for testing.
In-Reply-To:
References:
Message-ID:

At 9:19 PM -0600 2/25/02, Ben Lindstrom wrote:
>This has been handled in the snapshot that will be coming out
>tonight. This is what Doug, Gert and myself were talking about.

Oh, ok, sorry. So I should be looking for SNAP-20020226.tar.gz?

thanks, -s-

>
>- Ben
>
>On Mon, 25 Feb 2002, Sandor W. Sklar wrote:
>
>> At 3:48 PM -0600 2/25/02, Ben Lindstrom wrote:
>> >I committed the change so tomorrow please grab the snapshot and try it.
>>
>>
>> openssh-SNAP-20020225.tar.gz, AIX 4.3.3.0-ML08, IBM C for AIX compiler ...
>>
>> bacci:/home/ssklar/openssh $ make
>> ... (snip) ...
>> (cd openbsd-compat && make)
>> make[1]: Entering directory `/home/ssklar/openssh/openbsd-compat'
>> /usr/bin/cc -g -I. -I.. -I. -I./.. -I/usr/local/ssl/include
>> -I/usr/local/include -DHAVE_CONFIG_H -c bsd-arc4random.c
>> "../log.h", line 51.27: 1506-046 (S) Syntax error.
>> "../openbsd-compat/port-aix.h", line 8.6: 1506-485 (S) Parameter
>> declaration list is incompatible with declarator for aix_usrinfo.
>> "bsd-arc4random.c", line 28.1: 1506-045 (S) Undeclared identifier rcsid.
>> "bsd-arc4random.c", line 28.1: 1506-277 (S) Syntax error: possible
>> missing ';' or ','?
>> make[1]: *** [bsd-arc4random.o] Error 1
>> make[1]: Leaving directory `/home/ssklar/openssh/openbsd-compat'
>> make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
>>
>> I think that this is the same error I got with the snapshot from 5
>> days ago, that I reported. Should I be using bugzilla to submit this
>> reply to your call for testing?
>>
>> --Sandy
>>
>> >
>> >- Ben
>> >
>> >On Mon, 25 Feb 2002, Gert Doering wrote:
>> >
>> >> Hi,
>> >>
>> >> On Mon, Feb 25, 2002 at 11:29:29AM -0000, Manton, Doug wrote:
>> >> > Does anyone know of a utility or application that relies on
>> >> > AIX usrinfo being set?
>> >>
>> >> We have, unfortunately.
>> >>
>> >> > I would really like to test the whole aix_usrinfo against the
>> >> > real application requirement.
>> >>
>> >> I'll try to compile & test on 4.3.3 tomorrow.
>> >>
>> >> gert
>> >>
>> >> --
>> >> USENET is *not* the non-clickable part of WWW!
>> >> //www.muc.de/~gert/
>> >> Gert Doering - Munich, Germany   gert at greenie.muc.de
>> >> fax: +49-89-35655025   gert.doering at physik.tu-muenchen.de
>> >>
>> >
>>

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Sandor W. Sklar - Unix Systems Administrator - Stanford University ITSS
Non impediti ratione cogitationis.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From bugzilla-daemon at mindrot.org Tue Feb 26 16:58:06 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 26 Feb 2002 16:58:06 +1100 (EST)
Subject: [Bug 123] ssh linked with libpam
Message-ID: <20020226055806.B794DE9E5@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=123

tim at multitalents.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|openssh-unix-dev at mindrot.org|tim at multitalents.net

------- Additional Comments From tim at multitalents.net 2002-02-26 16:58 -------
I've addressed this bug (and several others) in modifications I'm in the
process of testing now. If all my machines build OK I'll commit in the
morning.

From tim at multitalents.net Tue Feb 26 16:52:39 2002
From: tim at multitalents.net (Tim Rice)
Date: Mon, 25 Feb 2002 21:52:39 -0800 (PST)
Subject: [patch] openssh 3.0.2p1: Libwrap gets linked in unnecessarily
In-Reply-To:
Message-ID:

I've addressed this bug (and several others) in modifications I'm in the
process of testing now. If all my machines build OK I'll commit in the
morning.

On Fri, 18 Jan 2002, Maciej W. Rozycki wrote:

> Hello,
>
> There is a small but annoying problem with linking libwrap in openssh.
> The library is added to LIBS which makes it be linked in to all binaries.
> This is unnecessary and leads to bogus dependencies if libwrap is a shared
> library.
>
> Following is a trivial fix that reserves a separate autoconf substitution
> variable LIBWRAP, which is only used for sshd. Please apply.
>
> Maciej
>
>

-- 
Tim Rice   Multitalents   (707) 887-1469
tim at multitalents.net

From bugzilla-daemon at mindrot.org Tue Feb 26 17:01:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 26 Feb 2002 17:01:32 +1100 (EST)
Subject: [Bug 102] defines.h modifications for proper UNICOS behavior
Message-ID: <20020226060132.DC4B8E9EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=102

tim at multitalents.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|openssh-unix-dev at mindrot.org|tim at multitalents.net

------- Additional Comments From tim at multitalents.net 2002-02-26 17:01 -------
I've addressed this bug (and several others) in modifications I'm in the
process of testing now. If all my machines build OK I'll commit in the
morning.

From bugzilla-daemon at mindrot.org Tue Feb 26 17:04:50 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 26 Feb 2002 17:04:50 +1100 (EST)
Subject: [Bug 45] configure refines a function in skey, which then bombs
Message-ID: <20020226060450.2AA9EE9F1@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=45

tim at multitalents.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|openssh-unix-dev at mindrot.org|tim at multitalents.net

------- Additional Comments From tim at multitalents.net 2002-02-26 17:04 -------
I've addressed this bug (and several others) in modifications I'm in the
process of testing now. If all my machines build OK I'll commit in the
morning.

From bugzilla-daemon at mindrot.org Tue Feb 26 17:03:13 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 26 Feb 2002 17:03:13 +1100 (EST)
Subject: [Bug 74] Use of sig_atomic_t breaks SunOS4 compile
Message-ID: <20020226060313.DE90CE9EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=74

tim at multitalents.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|openssh-unix-dev at mindrot.org|tim at multitalents.net

------- Additional Comments From tim at multitalents.net 2002-02-26 17:03 -------
I've addressed this bug (and several others) in modifications I'm in the
process of testing now. If all my machines build OK I'll commit in the
morning.

From bugzilla-daemon at mindrot.org Tue Feb 26 17:07:42 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 26 Feb 2002 17:07:42 +1100 (EST)
Subject: [Bug 12] incomplete configure checks for 64 bit int types
Message-ID: <20020226060742.5FA64E9FD@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=12

tim at multitalents.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|openssh-unix-dev at mindrot.org|tim at multitalents.net

------- Additional Comments From tim at multitalents.net 2002-02-26 17:07 -------
I've addressed this bug (and several others) in modifications I'm in the
process of testing now. If all my machines build OK I'll commit in the
morning.

From fcusack at fcusack.com Tue Feb 26 17:32:55 2002
From: fcusack at fcusack.com (Frank Cusack)
Date: Mon, 25 Feb 2002 22:32:55 -0800
Subject: problem running ssh-keygen in Solaris 8 x86
In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, Feb 25, 2002 at 08:11:07PM -0600
References: <20020225184139.B1388@google.com>
Message-ID: <20020225223254.K1388@google.com>

On Mon, Feb 25, 2002 at 08:11:07PM -0600, Ben Lindstrom wrote:
>
> On Mon, 25 Feb 2002, Frank Cusack wrote:
>
> > On Tue, Feb 26, 2002 at 10:24:10AM +0800, MATTHEW TAN, CUSSID wrote:
> > > Hi,
> > >
> > > I encountered the following when I run the below command on my Solaris 8 x86
> > > box:
> > > #ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
> > >
> > > I got the following error:
> > > Segmentation fault - core dumped
>
> Majority of the time I've seen this it is due to problems with mismatched
> OpenSSL/OpenSSH or badly compiled OpenSSL.

My suspicion also; I suspect the binary is linked against version x of
openssl but version y is installed (with the same major number / soname).

/fc

From gert at greenie.muc.de Tue Feb 26 22:51:02 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 26 Feb 2002 12:51:02 +0100
Subject: Call for testing.
In-Reply-To: ; from Ben Lindstrom on Mon, Feb 25, 2002 at 03:48:53PM -0600
References: <20020225230055.C27931@greenie.muc.de>
Message-ID: <20020226125102.D28221@greenie.muc.de>

Hi,

On Mon, Feb 25, 2002 at 03:48:53PM -0600, Ben Lindstrom wrote:
> I committed the change so tomorrow please grab the snapshot and try it.

Did so just now.

- cvs update (-d)
- make clean ; autoreconf ; ./configure (with skey)
- make
  -> didn't compile with installed openssl (0.9.5a), bombs out in cipher.c
  - interestingly enough, last week's snapshot (before the reorganization)
    still built with 0.9.5a.
- installed openssl-0.9.6c, ./configure, make
  -> went fine
- tested: everything related to aix_usrinfo works fine, basic login/logout
  tests with password and .shosts, protocol -1 and -2, also work.

So...

+ good job!
+ can we add a check to configure for "this version of openssl is too old"?
  This would be a lot easier for people to understand than "configure works
  fine, but compiling cipher.c bombs with undefined
  EVP_CIPHER_CTX_set_key_length".

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert.doering at physik.tu-muenchen.de

From markus at openbsd.org Tue Feb 26 23:33:48 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 26 Feb 2002 13:33:48 +0100
Subject: Call for testing.
In-Reply-To: <20020226125102.D28221@greenie.muc.de>
References: <20020225230055.C27931@greenie.muc.de> <20020226125102.D28221@greenie.muc.de>
Message-ID: <20020226123348.GA10496@faui02>

On Tue, Feb 26, 2002 at 12:51:02PM +0100, Gert Doering wrote:
> -> didn't compile with installed openssl (0.9.5a), bombs out in cipher.c

I changed cipher.c to make it work with 0.9.6 and 0.9.7 and libdes

From gert at greenie.muc.de Tue Feb 26 23:46:46 2002
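Gert's request above for a configure-time "this version of openssl is too old" check, as an added example that is mine and not OpenSSH's configure logic: it decodes OPENSSL_VERSION_NUMBER from an opensslv.h the way a build-time gate would, including the documented high-bit quirk in 0.9.5's patch-level encoding, and refuses early with a readable message instead of letting the build die later in cipher.c. The minimum of 0.9.6 is an assumption taken from this thread (0.9.5a fails, 0.9.6c builds), and the header text it parses is constructed sample data.

```python
"""Build-time OpenSSL version gate.

Added example for the configure check Gert asks for above; this is not
OpenSSH's own configure code.  It reads OPENSSL_VERSION_NUMBER from an
opensslv.h and reports clearly when the library is older than required.
"""
import re
import sys

# Assumption from the thread: 0.9.5a fails to build, 0.9.6c works.
MIN_OPENSSL = (0, 9, 6, 0)

# Constructed sample of the relevant opensslv.h lines (not a real file).
SAMPLE_OLD_HEADER = """\
#ifndef HEADER_OPENSSLV_H
#define HEADER_OPENSSLV_H
#define OPENSSL_VERSION_NUMBER 0x0090581fL
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.5a 1 Apr 2000"
#endif
"""


def parse_version_number(num):
    """Decode OPENSSL_VERSION_NUMBER (layout MNNFFPPS: major, minor, fix,
    patch letter, status nibble) into (major, minor, fix, patch).

    Between 0.9.5 and 0.9.6 OpenSSL set the high bit of PP for continuity
    with the already-released 0.9.5 number, so 0.9.5a is 0x0090581f; that
    bit is masked off for 0.9.5.x to recover the real patch level.
    """
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    if (major, minor, fix) == (0, 9, 5):
        patch &= 0x7F
    return (major, minor, fix, patch)


def parse_version_string(text):
    """Parse text such as 'OpenSSL 0.9.6c 21 dec 2001' (the output form of
    `openssl version`); a trailing letter is the patch level (a=1, b=2...)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)([a-z]?)", text)
    if not m:
        return None
    letter = m.group(4)
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), patch)


def version_from_header(header_text):
    """Pull OPENSSL_VERSION_NUMBER out of the contents of opensslv.h."""
    m = re.search(r"#\s*define\s+OPENSSL_VERSION_NUMBER\s+0x([0-9A-Fa-f]+)L?",
                  header_text)
    if not m:
        return None
    return parse_version_number(int(m.group(1), 16))


def format_version(v):
    """Render (0, 9, 5, 1) as '0.9.5a' and (0, 9, 6, 0) as '0.9.6'."""
    major, minor, fix, patch = v
    suffix = chr(ord("a") + patch - 1) if patch else ""
    return "%d.%d.%d%s" % (major, minor, fix, suffix)


def check_openssl(found, minimum=MIN_OPENSSL):
    """Return (ok, message) the way a configure check would report it."""
    if found is None:
        return False, "could not determine the OpenSSL version"
    if found < minimum:
        return False, "OpenSSL %s found, but OpenSSL %s or later is required" % (
            format_version(found), format_version(minimum))
    return True, "OpenSSL %s is recent enough" % format_version(found)


if __name__ == "__main__":
    # Usage: python gate.py /path/to/openssl/opensslv.h ; exits non-zero if too old.
    header = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OLD_HEADER
    ok, message = check_openssl(version_from_header(header))
    print(message)
    sys.exit(0 if ok else 1)
```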
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 26 Feb 2002 13:46:46 +0100
Subject: Call for testing.
In-Reply-To: <20020226123348.GA10496@faui02>; from Markus Friedl on Tue, Feb 26, 2002 at 01:33:48PM +0100
References: <20020225230055.C27931@greenie.muc.de> <20020226125102.D28221@greenie.muc.de> <20020226123348.GA10496@faui02>
Message-ID: <20020226134646.E28221@greenie.muc.de>

Hi,

On Tue, Feb 26, 2002 at 01:33:48PM +0100, Markus Friedl wrote:
> On Tue, Feb 26, 2002 at 12:51:02PM +0100, Gert Doering wrote:
> > -> didn't compile with installed openssl (0.9.5a), bombs out in cipher.c
> I changed cipher.c to make it work with 0.9.6 and 0.9.7 and libdes

No offense intended. I just noticed this, and thought it might be a good
idea to let others know about it :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From gert at greenie.muc.de Tue Feb 26 23:52:12 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 26 Feb 2002 13:52:12 +0100
Subject: Call for testing.
In-Reply-To: <20020222184742.GB24557@faui02>; from Markus Friedl on Fri, Feb 22, 2002 at 07:47:42PM +0100
References: <20020222184742.GB24557@faui02>
Message-ID: <20020226135212.F28221@greenie.muc.de>

Hi,

On Fri, Feb 22, 2002 at 07:47:42PM +0100, Markus Friedl wrote:
> I'd also like to have people port and run the regression tests from
> http://www.openbsd.org/cgi-bin/cvsweb/src/regress/usr.bin/ssh/
> extend them or contribute new tests.

Is there a sane way to get this whole package, instead of clicking on
every file and then on "download"?

I do not run OpenBSD, so if it can be anon-cvs'ed, I'd appreciate a
pointer on how to do that.

gert
-- 
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From markus at openbsd.org Tue Feb 26 23:53:12 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 26 Feb 2002 13:53:12 +0100
Subject: Call for testing.
In-Reply-To: <20020226134646.E28221@greenie.muc.de>
References: <20020225230055.C27931@greenie.muc.de> <20020226125102.D28221@greenie.muc.de> <20020226123348.GA10496@faui02> <20020226134646.E28221@greenie.muc.de>
Message-ID: <20020226125312.GB10496@faui02>

On Tue, Feb 26, 2002 at 01:46:46PM +0100, Gert Doering wrote:
> > I changed cipher.c to make it work with 0.9.6 and 0.9.7 and libdes
>
> No offense intended. I just noticed this, and thought it might be a good
> idea to let others know about it :-)

hm, perhaps we can make it work with 0.9.5x as well...

From markus at openbsd.org Wed Feb 27 00:05:05 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 26 Feb 2002 14:05:05 +0100
Subject: Call for testing.
In-Reply-To: <20020226135212.F28221@greenie.muc.de>
References: <20020222184742.GB24557@faui02> <20020226135212.F28221@greenie.muc.de>
Message-ID: <20020226130505.GC10496@faui02>

On Tue, Feb 26, 2002 at 01:52:12PM +0100, Gert Doering wrote:
> Hi,
>
> On Fri, Feb 22, 2002 at 07:47:42PM +0100, Markus Friedl wrote:
> > I'd also like to have people port and run the regression tests from
> > http://www.openbsd.org/cgi-bin/cvsweb/src/regress/usr.bin/ssh/
> > extend them or contribute new tests.
>
> Is there a sane way to get this whole package, instead of clicking on
> every file and then on "download"?
>
> I do not run OpenBSD, so if it can be anon-cvs'ed, I'd appreciate a
> pointer on how to do that.

mkdir tmp && cd tmp
CVS_RSH=ssh cvs -d anoncvs at anoncvs.be.openbsd.org:/cvs get src/regress/usr.bin/ssh

the makefile probably needs some modifications on non-openbsd

From gert at greenie.muc.de Wed Feb 27 01:05:15 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 26 Feb 2002 15:05:15 +0100
Subject: Call for testing.
In-Reply-To: <20020226130505.GC10496@faui02>; from Markus Friedl on Tue, Feb 26, 2002 at 02:05:05PM +0100
References: <20020222184742.GB24557@faui02> <20020226135212.F28221@greenie.muc.de> <20020226130505.GC10496@faui02>
Message-ID: <20020226150515.G28221@greenie.muc.de>

Hi,

On Tue, Feb 26, 2002 at 02:05:05PM +0100, Markus Friedl wrote:
> mkdir tmp && cd tmp
> CVS_RSH=ssh cvs -d anoncvs at anoncvs.be.openbsd.org:/cvs get src/regress/usr.bin/ssh

Thanks.

> the makefile probably needs some modifications on non-openbsd

Not only "probably" :-) - .CURDIR is a BSD-Makeism, and so is:

#.for t in ${LTESTS}
#REGRESSTARGETS+=t-${t}
#t-${t}:
#	sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/${t}.sh
#.endfor
#.include

Commenting these out and replacing it with:

ltest:
	for t in $(LTESTS) ; do \
		sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$$t.sh ; \
	done

most "T" tests run, except for:

T3:
ssh-keygen -ef /gnulocal/src/openssh_regress/regress/rsa_openssh.pub |\
ssh-keygen -if /dev/stdin |\
diff - /gnulocal/src/openssh_regress/regress/rsa_openssh.pub
/dev/stdin: No such file or directory
0a1
> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazGu0OhBU3Uko+dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX87xKR0YzlXTLX+SLtF/ySebS3xWPrlfRUDhh03hR5V+8xxvvy9widPYKw/oItwGSueOsEq1LTczCDv2dAjQ==
gmake: *** [t3] Error 1

(no /dev/stdin on AIX)

T6:
gd at hilb0:/gnulocal/src/openssh_regress/regress> gmake t6
ssh-keygen -if /gnulocal/src/openssh_regress/regress/dsa_ssh2.prv > t6.out1
ssh_dss_sign: sign failed
xrealloc: out of memory (new_size 4026587360 bytes)
gmake: *** [t6] Error 255

(oops?!)

As for test-exec.sh, this is more tricky...

- it's heavily using "echo -n" to suppress newlines, and this does not
  work on SysV "echo"'s (you have to do "echo 'bla\c'" there).
It might work to call the script with bash, which can do both, but I have no bash installed here (yet), and AIX /bin/sh and /bin/ksh can't do "echo -n". For testing, I just copied "GNU echo", which understands -n, and hard-coded "./gecho" into the *.sh scripts. Further, I had to remove "Kerberosauthentication no" from the generated ssh_config files, as the locally built ssh does not have that, and add "StrictModes no" to sshd_config (our shared build/source tree is group- writeable, which I can't change). * connect.sh - works with "SUDO=sudo" set * proxy-connect.sh - works if run as root, doesn't work as normal user (I couldn't determine whether this is a bug or whether it's supposed to not work as non-root user) * all other ltest's up to pipe-head run fine as "root". * agent fails with a confusing error message, which could be caused by our non-typical setup /usr/bin/bsh: sshd: not found. ssh_exchange_identification: Connection closed by remote host agent fwd proto 1 failed (exit code 0) /usr/bin/bsh: sshd: not found. ssh_exchange_identification: Connection closed by remote host agent fwd proto 2 failed (exit code 0) failed simple agent test * ssh-keyscan fails (root and non-root) with ssh-keyscan -t dsa failed with: 255 failed keyscan * forwarding works as root and non-root ("ok local and remote forwarding") My diffs are appended below. gert -------- snip -------- Index: Makefile =================================================================== RCS file: /cvs/src/regress/usr.bin/ssh/Makefile,v retrieving revision 1.5 diff -u -r1.5 Makefile --- Makefile 22 Feb 2002 12:31:35 -0000 1.5 +++ Makefile 26 Feb 2002 14:06:21 -0000 @@ -23,6 +23,10 @@ rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \ ls.copy +.CURDIR=/gnulocal/src/openssh_regress/regress +.OBJDIR=`pwd` +all: $(REGRESSTARGETS) + t1: ssh-keygen -if ${.CURDIR}/rsa_ssh2.prv | diff - ${.CURDIR}/rsa_openssh.prv 
@@ -57,10 +61,15 @@ ssh-keygen -lf t7.out > /dev/null ssh-keygen -Bf t7.out > /dev/null -.for t in ${LTESTS} -REGRESSTARGETS+=t-${t} -t-${t}: - sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/${t}.sh -.endfor +ltest: + for t in $(LTESTS) ; do \ + sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$$t.sh ; \ + done + +#.for t in ${LTESTS} +#REGRESSTARGETS+=t-${t} +#t-${t}: +# sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/${t}.sh +#.endfor -.include +#.include Index: agent.sh =================================================================== RCS file: /cvs/src/regress/usr.bin/ssh/agent.sh,v retrieving revision 1.5 diff -u -r1.5 agent.sh --- agent.sh 17 Feb 2002 22:22:45 -0000 1.5 +++ agent.sh 26 Feb 2002 14:06:21 -0000 @@ -19,7 +19,7 @@ fail "ssh-add -l did not fail with exit code 1" fi trace "overwrite authorized keys" - echo -n > $OBJ/authorized_keys_$USER + ./gecho -n > $OBJ/authorized_keys_$USER for t in rsa rsa1; do # generate user key for agent rm -f $OBJ/$t-agent Index: proto-version.sh =================================================================== RCS file: /cvs/src/regress/usr.bin/ssh/proto-version.sh,v retrieving revision 1.2 diff -u -r1.2 proto-version.sh --- proto-version.sh 16 Feb 2002 01:09:47 -0000 1.2 +++ proto-version.sh 26 Feb 2002 14:06:21 -0000 @@ -8,7 +8,7 @@ { version=$1 expect=$2 - banner=`echo -n | sshd -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy` + banner=`./gecho -n | sshd -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy` case ${banner} in SSH-1.99-*) proto=199 Index: ssh-com.sh =================================================================== RCS file: /cvs/src/regress/usr.bin/ssh/ssh-com.sh,v retrieving revision 1.2 diff -u -r1.2 ssh-com.sh --- ssh-com.sh 16 Feb 2002 01:09:47 -0000 1.2 +++ ssh-com.sh 26 Feb 2002 14:06:21 -0000 
@@ -63,7 +63,7 @@ # convert and append DSA hostkey ( - echo -n 'ssh2-localhost-with-alias,127.0.0.1,::1 ' + ./gecho -n 'ssh2-localhost-with-alias,127.0.0.1,::1 ' ssh-keygen -if ${SRC}/dsa_ssh2.pub ) >> $OBJ/known_hosts Index: test-exec.sh =================================================================== RCS file: /cvs/src/regress/usr.bin/ssh/test-exec.sh,v retrieving revision 1.9 diff -u -r1.9 test-exec.sh --- test-exec.sh 18 Feb 2002 14:30:12 -0000 1.9 +++ test-exec.sh 26 Feb 2002 14:06:21 -0000 @@ -3,8 +3,8 @@ PORT=4242 USER=`id -un` -SUDO= -#SUDO=sudo +#SUDO= +SUDO=sudo OBJ=$1 if [ "x$OBJ" = "x" ]; then @@ -72,7 +72,7 @@ fatal () { - echo -n "FATAL: " + ./gecho -n "FATAL: " fail "$@" cleanup exit $RESULT @@ -91,6 +91,7 @@ PidFile $PIDFILE AuthorizedKeysFile $OBJ/authorized_keys_%u LogLevel QUIET + StrictModes no EOF # server config for proxy connects @@ -112,7 +113,6 @@ PubkeyAuthentication yes ChallengeResponseAuthentication no HostbasedAuthentication no - KerberosAuthentication no PasswordAuthentication no RhostsAuthentication no RhostsRSAAuthentication no @@ -128,7 +128,7 @@ # known hosts file for client ( - echo -n 'localhost-with-alias,127.0.0.1,::1 ' + ./gecho -n 'localhost-with-alias,127.0.0.1,::1 ' cat $OBJ/$t.pub ) >> $OBJ/known_hosts -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From scot at poptart.org Tue Feb 26 21:23:03 2002 
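Review bot: The added .CURDIR=/gnulocal/src/openssh_regress/regress in the first Makefile hunk bakes a site-specific absolute path into the file, and the backquoted .OBJDIR=`pwd` re-executes pwd on every expansion. BSD make predefines .CURDIR and .OBJDIR and GNU make has CURDIR, so `.CURDIR ?= $(CURDIR)` and `.OBJDIR ?= $(CURDIR)` would leave the BSD build untouched and need no editing per checkout; the new `all: $(REGRESSTARGETS)` target is fine as it stands.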
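Review bot: The ltest loop in the second Makefile hunk discards each test's exit status: `sh ${.CURDIR}/test-exec.sh ${.OBJDIR} ${.CURDIR}/$$t.sh ; \` runs on regardless, so `gmake ltest` succeeds whenever the last script passes, and the agent and keyscan failures listed in the mail would not fail the build. Append `|| exit 1` to the sh line (or count failures and exit nonzero after the loop) so the target's status reflects the tests. The commented-out copy of the .for block and the commented-out .include keep dead text beside the live version; removing the BSD-only lines outright, or guarding them, would be cleaner than carrying both.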
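Review bot: `./gecho -n > $OBJ/authorized_keys_$USER` in the agent.sh hunk depends on a GNU echo copied into the current directory, so the script only works from that directory and on hosts where gecho was put there by hand. The intent is just to truncate the file, which `: > $OBJ/authorized_keys_$USER` does in any shell without echo at all; where a newline-less string really is needed (the proto-version.sh, ssh-com.sh and test-exec.sh hunks), `printf '%s' '...'` sidesteps the SysV/BSD "echo -n" difference the mail describes and needs no extra binary.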
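Review bot: Swapping the two lines at the top of test-exec.sh so that `SUDO=sudo` is active turns a local preference into the suite's default: everyone running the tests would then start sshd through sudo, and the line above it, `#SUDO=`, becomes dead. Keep `SUDO=` as the committed default and let the environment override it (`SUDO=${SUDO:-}`), which is what "works with SUDO=sudo set" in the mail already relies on.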
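Review bot: `StrictModes no`, added to the generated sshd_config in the @@ -91,6 hunk, switches off sshd's refusal to use a home directory or authorized_keys file that is group- or world-writable. It makes the suite pass on the group-writable build tree the mail describes, but as a committed default it would also hide exactly that misconfiguration on any test host that has it by accident. Make it conditional on an environment knob and document it, or fix the permissions of $OBJ before the config is written, rather than relaxing the server for every run.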
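Review bot: Dropping `KerberosAuthentication no` from the generated ssh_config in the @@ -112,7 hunk cures the unknown-option failure on a build without Kerberos, but on a build that has it the client now falls back to its own default for that option, so the generated config no longer pins which authentication methods the tests exercise. Emit the line only when the built ssh accepts it (probe the option once against the built binary and keep the line if it is not rejected), instead of removing it for everyone.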
From: scot at poptart.org (Scot Elliott)
Date: Tue, 26 Feb 2002 10:23:03 +0000 (GMT)
Subject: Locale problems on Solaris
Message-ID:

Hi there.

With OpenSSH 3.0.2p1 on Solaris, the locale does not appear to get set
correctly at login, as it does with, say telnet:

/etc/default/init:

TZ=GB
CMASK=022
LC_COLLATE=en_GB.ISO8859-1
LC_CTYPE=en_GB.ISO8859-1
LC_MESSAGES=C
LC_MONETARY=en_GB.ISO8859-1
LC_NUMERIC=en_GB.ISO8859-1
LC_TIME=en_GB.ISO8859-1

When logging in via SSH:

scot /home/scot > locale
LANG=
LC_CTYPE="C"
LC_NUMERIC="C"
LC_TIME="C"
LC_COLLATE="C"
LC_MONETARY="C"
LC_MESSAGES="C"
LC_ALL=

When logging in via telnet:

scot /home/scot > locale
LANG=
LC_CTYPE=en_GB.ISO8859-1
LC_NUMERIC=en_GB.ISO8859-1
LC_TIME=en_GB.ISO8859-1
LC_COLLATE=en_GB.ISO8859-1
LC_MONETARY=en_GB.ISO8859-1
LC_MESSAGES=C
LC_ALL=

I'd expect the default locale to have been set I think. Any ideas?

Thanks

Scot

From mouring at etoh.eviladmin.org Wed Feb 27 02:14:48 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 26 Feb 2002 09:14:48 -0600 (CST)
Subject: Call for testing.
In-Reply-To: <20020226125102.D28221@greenie.muc.de>
Message-ID:

On Tue, 26 Feb 2002, Gert Doering wrote:

> Hi,
>
> On Mon, Feb 25, 2002 at 03:48:53PM -0600, Ben Lindstrom wrote:
> > I committed the change so tomorrow please grab the snapshot and try it.
>
> Did so just now.
>
> - cvs update (-d)
> - make clean ; autoreconf ; ./configure (with skey)
> - make
>   -> didn't compile with installed openssl (0.9.5a), bombs out in cipher.c
> - interestingly enough, last week's snapshot (before the reorganization)
>   still built with 0.9.5a.
>

I'm well aware of the 0.9.5a issue. We did a massive change to cipher.c.
I have not gotten back to seeing if we can still use anything pre 0.9.6,
but my gut feeling (since we are using a struct field that does not exist
in older versions) is that 0.9.6 is our new standard.

> - installed openssl-0.9.6c, ./configure, make -> went fine
>
> - tested: everything related to aix_usrinfo works fine, basic login/logout
>   tests with password and .shosts, protocol -1 and -2, also work.
>
> So...
>
> + good job!
>
> + can we add a check to configure for "this version of openssl is too
>   old"? This would be a lot easier for people to understand than
>   "configure works fine, but compiling cipher.c bombs with undefined
>   EVP_CIPHER_CTX_set_key_length".
>

Maybe.. EVP_CIPHER_CTX_set_key_length() is a macro. I would just
check that the release of OpenSSL is equal or greater than 0.9.6
if we decide to go that way.

- Ben

From gert at greenie.muc.de Wed Feb 27 03:07:15 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 26 Feb 2002 17:07:15 +0100
Subject: Call for testing.
In-Reply-To: ; from Ben Lindstrom on Tue, Feb 26, 2002 at 09:14:48AM -0600
References: <20020226125102.D28221@greenie.muc.de>
Message-ID: <20020226170715.D15053@greenie.muc.de>

Hi,

On Tue, Feb 26, 2002 at 09:14:48AM -0600, Ben Lindstrom wrote:
> > + can we add a check to configure for "this version of openssl is too
> >   old"? This would be a lot easier for people to understand than
> >   "configure works fine, but compiling cipher.c bombs with undefined
> >   EVP_CIPHER_CTX_set_key_length".
> >
>
> Maybe.. EVP_CIPHER_CTX_set_key_length() is a macro. I would just
> check that the release of OpenSSL is equal or greater than 0.9.6
> if we decide to go that way.

Would be fine with me. I just wanted to emphasize that if we know that a
certain version is required, a clear message to that extent would be far
better than a compilation problem in cipher.c...

gert
-- 
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From markus at openbsd.org Wed Feb 27 03:13:53 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 26 Feb 2002 17:13:53 +0100
Subject: Call for testing.
In-Reply-To: <20020226150515.G28221@greenie.muc.de>; from gert@greenie.muc.de on Tue, Feb 26, 2002 at 03:05:15PM +0100
References: <20020222184742.GB24557@faui02> <20020226135212.F28221@greenie.muc.de> <20020226130505.GC10496@faui02> <20020226150515.G28221@greenie.muc.de>
Message-ID: <20020226171353.A29948@folly>

On Tue, Feb 26, 2002 at 03:05:15PM +0100, Gert Doering wrote:
> most "T" tests run, except for:

cool.

> * ssh-keyscan fails (root and non-root) with
>
> ssh-keyscan -t dsa failed with: 255
> failed keyscan

this indicates a bug in ssh-keyscan that got fixed recently (not
sure whether it's in -portable).

From bugzilla-daemon at mindrot.org Wed Feb 27 03:28:41 2002
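The configure-time check Gert asks for and Ben sketches (compare the installed OpenSSL release against 0.9.6 and say so plainly), as an added example that is not code from this thread or from OpenSSH portable's configure. It parses a version string as `openssl version` prints it, orders releases with their patch letter the way OpenSSL does (0.9.6 < 0.9.6a < 0.9.6b), and also produces the OPENSSL_VERSION_NUMBER encoding that a C-level configure probe could compare against the header's macro; the function names and the message wording are my own.

```python
"""Configure-style OpenSSL version check (added example, not OpenSSH code)."""
import re

# Accepts "0.9.6c", "0.9.6", or the first line of `openssl version`
# ("OpenSSL 0.9.6c 21 dec 2001"); the patch letter is optional.
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)")

# The release the thread settles on as the new baseline for cipher.c.
MINIMUM = "0.9.6"


def parse_version(text):
    """Return (major, minor, fix, patch) so that tuples compare in release order.

    The patch letter becomes 1 for 'a', 2 for 'b', ... and 0 when absent,
    which matches how OpenSSL orders 0.9.6 < 0.9.6a < 0.9.6b.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError("not an OpenSSL version string: %r" % (text,))
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    letter = m.group(4)
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (major, minor, fix, patch)


def version_number(text):
    """Encode a release the way OPENSSL_VERSION_NUMBER does from 0.9.5a on:
    MNNFFPPS, with the status nibble 0xf for a released build.
    0.9.6c -> 0x0090603f, so a C probe can test
    OPENSSL_VERSION_NUMBER >= version_number(MINIMUM)."""
    major, minor, fix, patch = parse_version(text)
    return (major << 28) | (minor << 20) | (fix << 12) | (patch << 4) | 0xF


def meets_minimum(found, required=MINIMUM):
    """True when the installed release is at least the required one."""
    return parse_version(found) >= parse_version(required)


def configure_message(found, required=MINIMUM):
    """The line a configure check could print, instead of leaving the user to
    discover an undefined EVP_CIPHER_CTX_set_key_length while compiling cipher.c."""
    if meets_minimum(found, required):
        return "checking OpenSSL version... %s, ok (>= %s)" % (found.strip(), required)
    return ("configure: error: OpenSSL %s is too old, %s or later is required "
            "(OPENSSL_VERSION_NUMBER >= 0x%08x)"
            % (found.strip(), required, version_number(required)))


if __name__ == "__main__":
    for v in ("0.9.5a", "0.9.6", "OpenSSL 0.9.6c 21 dec 2001"):
        print(configure_message(v))
```

A real configure script would feed `openssl version` output (or the header macro) into this and abort on the error line; the point is that the decision is made before any of cipher.c is compiled.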
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 27 Feb 2002 03:28:41 +1100 (EST) Subject: [Bug 124] Terminal hangs when data is streaming to it... Message-ID: <20020226162841.E3D91E92A@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=124 ------- Additional Comments From jbrown75 at csc.com 2002-02-27 03:28 ------- Below is debug output from putty. I have cut the bottom of the debug file for you to work with. If you need the entire file I will send directly to you. The background is: executing ls -lR from the / directory to produce the hang. 000001e0 34 20 4f 63 74 20 32 33 20 31 38 3a 34 32 20 62 4 Oct 23 18:42 b 000001f0 6f 73 2e 6d 73 67 2e 5a 48 5f 43 4e 2e 34 2e 33 os.msg.ZH_CN.4.3 00000200 2e 33 2e 30 .3.0 Incoming packet type 17 / 0x11 (SSH1_SMSG_STDOUT_DATA) 00000000 00 00 02 00 2e 49 2e 31 0d 0a 2d 72 77 78 72 77 .....I.1..-rwxrw 00000010 78 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 xr-- 1 root 00000020 20 20 32 30 32 20 20 20 20 20 20 32 36 33 31 36 202 26316 00000030 38 30 20 4f 63 74 20 32 33 20 31 38 3a 32 38 20 80 Oct 23 18:28 00000040 62 6f 73 2e 6d 73 67 2e 5a 68 5f 43 4e 2e 34 2e bos.msg.Zh_CN.4. 00000050 33 2e 33 2e 30 2e 49 0d 0a 2d 72 77 78 72 77 78 3.3.0.I..-rwxrwx 00000060 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 20 r-- 1 root 00000070 20 32 30 32 20 20 20 20 20 20 20 32 37 38 35 32 202 27852 00000080 38 20 4f 63 74 20 32 33 20 31 38 3a 33 37 20 62 8 Oct 23 18:37 b 00000090 6f 73 2e 6d 73 67 2e 5a 68 5f 43 4e 2e 34 2e 33 os.msg.Zh_CN.4.3 000000a0 2e 33 2e 30 2e 49 2e 31 0d 0a 2d 72 77 78 72 77 .3.0.I.1..-rwxrw 000000b0 78 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 xr-- 1 root 000000c0 20 20 32 30 32 20 20 20 20 20 20 32 36 39 33 31 202 26931 000000d0 32 30 20 4f 63 74 20 32 33 20 31 38 3a 32 37 20 20 Oct 23 18:27 000000e0 62 6f 73 2e 6d 73 67 2e 5a 68 5f 54 57 2e 34 2e bos.msg.Zh_TW.4. 
000000f0 33 2e 33 2e 30 2e 49 0d 0a 2d 72 77 78 72 77 78 3.3.0.I..-rwxrwx 00000100 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 20 r-- 1 root 00000110 20 32 30 32 20 20 20 20 20 20 20 32 38 39 37 39 202 28979 00000120 32 20 4f 63 74 20 32 33 20 31 38 3a 33 37 20 62 2 Oct 23 18:37 b 00000130 6f 73 2e 6d 73 67 2e 5a 68 5f 54 57 2e 34 2e 33 os.msg.Zh_TW.4.3 00000140 2e 33 2e 30 2e 49 2e 31 0d 0a 2d 72 77 78 72 77 .3.0.I.1..-rwxrw 00000150 78 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 xr-- 1 root 00000160 20 20 32 30 32 20 20 20 20 20 20 33 31 35 31 38 202 31518 00000170 37 32 20 4f 63 74 20 32 33 20 31 38 3a 32 38 20 72 Oct 23 18:28 00000180 62 6f 73 2e 6d 73 67 2e 63 61 5f 45 53 2e 34 2e bos.msg.ca_ES.4. 00000190 33 2e 33 2e 30 2e 49 0d 0a 2d 72 77 78 72 77 78 3.3.0.I..-rwxrwx 000001a0 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 20 r-- 1 root 000001b0 20 32 30 32 20 20 20 20 20 20 20 33 32 39 37 32 202 32972 000001c0 38 20 4f 63 74 20 32 33 20 31 38 3a 33 37 20 62 8 Oct 23 18:37 b 000001d0 6f 73 2e 6d 73 67 2e 63 61 5f 45 53 2e 34 2e 33 os.msg.ca_ES.4.3 000001e0 2e 33 2e 30 2e 49 2e 31 0d 0a 2d 72 77 78 72 77 .3.0.I.1..-rwxrw 000001f0 78 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 xr-- 1 root 00000200 20 20 32 30 20 Incoming packet type 17 / 0x11 (SSH1_SMSG_STDOUT_DATA) 00000000 00 00 02 00 32 20 20 20 20 20 20 33 30 33 37 31 ....2 30371 00000010 38 34 20 4f 63 74 20 32 33 20 31 38 3a 32 38 20 84 Oct 23 18:28 00000020 62 6f 73 2e 6d 73 67 2e 63 73 5f 43 5a 2e 34 2e bos.msg.cs_CZ.4. 
00000030 33 2e 33 2e 30 2e 49 0d 0a 2d 72 77 78 72 77 78 3.3.0.I..-rwxrwx 00000040 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 20 r-- 1 root 00000050 20 32 30 32 20 20 20 20 20 20 20 33 32 33 35 38 202 32358 00000060 34 20 4f 63 74 20 32 33 20 31 38 3a 33 37 20 62 4 Oct 23 18:37 b 00000070 6f 73 2e 6d 73 67 2e 63 73 5f 43 5a 2e 34 2e 33 os.msg.cs_CZ.4.3 00000080 2e 33 2e 30 2e 49 2e 31 0d 0a 2d 72 77 78 72 77 .3.0.I.1..-rwxrw 00000090 78 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 xr-- 1 root 000000a0 20 20 32 30 32 20 20 20 20 20 20 33 32 33 35 38 202 32358 000000b0 34 30 20 4f 63 74 20 32 33 20 31 38 3a 32 38 20 40 Oct 23 18:28 000000c0 62 6f 73 2e 6d 73 67 2e 64 65 5f 44 45 2e 34 2e bos.msg.de_DE.4. 000000d0 33 2e 33 2e 30 2e 49 0d 0a 2d 72 77 78 72 77 78 3.3.0.I..-rwxrwx 000000e0 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 20 r-- 1 root 000000f0 20 32 30 32 20 20 20 20 20 20 20 33 34 30 39 39 202 34099 00000100 32 20 4f 63 74 20 32 33 20 31 38 3a 33 37 20 62 2 Oct 23 18:37 b 00000110 6f 73 2e 6d 73 67 2e 64 65 5f 44 45 2e 34 2e 33 os.msg.de_DE.4.3 00000120 2e 33 2e 30 2e 49 2e 31 0d 0a 2d 72 77 78 72 77 .3.0.I.1..-rwxrw 00000130 78 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 xr-- 1 root 00000140 20 20 32 30 32 20 20 20 20 20 20 33 31 37 32 33 202 31723 00000150 35 32 20 4f 63 74 20 32 33 20 31 38 3a 32 38 20 52 Oct 23 18:28 00000160 62 6f 73 2e 6d 73 67 2e 65 6e 5f 55 53 2e 34 2e bos.msg.en_US.4. 
00000170 33 2e 30 2e 30 2e 49 0d 0a 2d 72 77 78 72 77 78 3.0.0.I..-rwxrwx 00000180 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 20 r-- 1 root 00000190 20 32 30 32 20 20 20 20 20 20 20 32 36 35 32 31 202 26521 000001a0 36 20 4f 63 74 20 32 33 20 31 38 3a 33 37 20 62 6 Oct 23 18:37 b 000001b0 6f 73 2e 6d 73 67 2e 65 6e 5f 55 53 2e 34 2e 33 os.msg.en_US.4.3 000001c0 2e 30 2e 30 2e 49 2e 31 0d 0a 2d 72 77 78 72 77 .0.0.I.1..-rwxrw 000001d0 78 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 xr-- 1 root 000001e0 20 20 32 30 32 20 20 20 20 20 20 33 32 31 35 33 202 32153 000001f0 36 30 20 4f 63 74 20 32 33 20 31 38 3a 32 38 20 60 Oct 23 18:28 00000200 62 6f 73 2e bos. Incoming packet type 17 / 0x11 (SSH1_SMSG_STDOUT_DATA) 00000000 00 00 02 00 6d 73 67 2e 65 73 5f 45 53 2e 34 2e ....msg.es_ES.4. 00000010 33 2e 33 2e 30 2e 49 0d 0a 2d 72 77 78 72 77 78 3.3.0.I..-rwxrwx 00000020 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 20 r-- 1 root 00000030 20 32 30 32 20 20 20 20 20 20 20 33 33 37 39 32 202 33792 00000040 30 20 4f 63 74 20 32 33 20 31 38 3a 33 37 20 62 0 Oct 23 18:37 b 00000050 6f 73 2e 6d 73 67 2e 65 73 5f 45 53 2e 34 2e 33 os.msg.es_ES.4.3 00000060 2e 33 2e 30 2e 49 2e 31 0d 0a 2d 72 77 78 72 77 .3.0.I.1..-rwxrw 00000070 78 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 xr-- 1 root 00000080 20 20 32 30 32 20 20 20 20 20 20 32 39 36 32 39 202 29629 00000090 34 34 20 4f 63 74 20 32 33 20 31 38 3a 32 38 20 44 Oct 23 18:28 000000a0 62 6f 73 2e 6d 73 67 2e 66 72 5f 46 52 2e 34 2e bos.msg.fr_FR.4. 
000000b0 33 2e 33 2e 30 2e 49 0d 0a 2d 72 77 78 72 77 78 3.3.0.I..-rwxrwx 000000c0 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 20 r-- 1 root 000000d0 20 32 30 32 20 20 20 20 20 20 20 33 33 37 39 32 202 33792 000000e0 30 20 4f 63 74 20 32 33 20 31 38 3a 33 37 20 62 0 Oct 23 18:37 b 000000f0 6f 73 2e 6d 73 67 2e 66 72 5f 46 52 2e 34 2e 33 os.msg.fr_FR.4.3 00000100 2e 33 2e 30 2e 49 2e 31 0d 0a 2d 72 77 78 72 77 .3.0.I.1..-rwxrw 00000110 78 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 xr-- 1 root 00000120 20 20 32 30 32 20 20 20 20 20 20 33 30 38 39 34 202 30894 00000130 30 38 20 4f 63 74 20 32 33 20 31 38 3a 32 38 20 08 Oct 23 18:28 00000140 62 6f 73 2e 6d 73 67 2e 68 75 5f 48 55 2e 34 2e bos.msg.hu_HU.4. 00000150 33 2e 33 2e 30 2e 49 0d 0a 2d 72 77 78 72 77 78 3.3.0.I..-rwxrwx 00000160 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 20 r-- 1 root 00000170 20 32 30 32 20 20 20 20 20 20 20 33 33 35 38 37 202 33587 00000180 32 20 4f 63 74 20 32 33 20 31 38 3a 33 37 20 62 2 Oct 23 18:37 b 00000190 6f 73 2e 6d 73 67 2e 68 75 5f 48 55 2e 34 2e 33 os.msg.hu_HU.4.3 000001a0 2e 33 2e 30 2e 49 2e 31 0d 0a 2d 72 77 78 72 77 .3.0.I.1..-rwxrw 000001b0 78 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 xr-- 1 root 000001c0 20 20 32 30 32 20 20 20 20 20 20 33 31 39 35 39 202 31959 000001d0 30 34 20 4f 63 74 20 32 33 20 31 38 3a 32 38 20 04 Oct 23 18:28 000001e0 62 6f 73 2e 6d 73 67 2e 69 74 5f 49 54 2e 34 2e bos.msg.it_IT.4. 000001f0 33 2e 33 2e 30 2e 49 0d 0a 2d 72 77 78 72 77 78 3.3.0.I..-rwxrwx 00000200 72 2d 2d 20 r-- Incoming packet type 17 / 0x11 (SSH1_SMSG_STDOUT_DATA) 00000000 00 00 02 00 20 20 31 20 72 6f 6f 74 20 20 20 20 .... 
1 root 00000010 20 32 30 32 20 20 20 20 20 20 20 33 33 31 37 37 202 33177 00000020 36 20 4f 63 74 20 32 33 20 31 38 3a 33 37 20 62 6 Oct 23 18:37 b 00000030 6f 73 2e 6d 73 67 2e 69 74 5f 49 54 2e 34 2e 33 os.msg.it_IT.4.3 00000040 2e 33 2e 30 2e 49 2e 31 0d 0a 2d 72 77 78 72 77 .3.0.I.1..-rwxrw 00000050 78 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 xr-- 1 root 00000060 20 20 32 30 32 20 20 20 20 20 20 33 31 39 36 39 202 31969 00000070 32 38 20 4f 63 74 20 32 33 20 31 38 3a 32 38 20 28 Oct 23 18:28 00000080 62 6f 73 2e 6d 73 67 2e 6a 61 5f 4a 50 2e 34 2e bos.msg.ja_JP.4. 00000090 33 2e 33 2e 30 2e 49 0d 0a 2d 72 77 78 72 77 78 3.3.0.I..-rwxrwx 000000a0 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 20 r-- 1 root 000000b0 20 32 30 32 20 20 20 20 20 20 20 33 34 33 30 34 202 34304 000000c0 30 20 4f 63 74 20 32 33 20 31 38 3a 33 37 20 62 0 Oct 23 18:37 b 000000d0 6f 73 2e 6d 73 67 2e 6a 61 5f 4a 50 2e 34 2e 33 os.msg.ja_JP.4.3 000000e0 2e 33 2e 30 2e 49 2e 31 0d 0a 2d 72 77 78 72 77 .3.0.I.1..-rwxrw 000000f0 78 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 xr-- 1 root 00000100 20 20 32 30 32 20 20 20 20 20 20 33 31 32 36 32 202 31262 00000110 37 32 20 4f 63 74 20 32 33 20 31 38 3a 32 38 20 72 Oct 23 18:28 00000120 62 6f 73 2e 6d 73 67 2e 6b 6f 5f 4b 52 2e 34 2e bos.msg.ko_KR.4. 
00000130 33 2e 33 2e 30 2e 49 0d 0a 2d 72 77 78 72 77 78 3.3.0.I..-rwxrwx 00000140 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 20 r-- 1 root 00000150 20 32 30 32 20 20 20 20 20 20 20 33 32 32 35 36 202 32256 00000160 30 20 4f 63 74 20 32 33 20 31 38 3a 33 37 20 62 0 Oct 23 18:37 b 00000170 6f 73 2e 6d 73 67 2e 6b 6f 5f 4b 52 2e 34 2e 33 os.msg.ko_KR.4.3 00000180 2e 33 2e 30 2e 49 2e 31 0d 0a 2d 72 77 78 72 77 .3.0.I.1..-rwxrw 00000190 78 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 xr-- 1 root 000001a0 20 20 32 30 32 20 20 20 20 20 20 33 31 34 37 37 202 31477 000001b0 37 36 20 4f 63 74 20 32 33 20 31 38 3a 32 38 20 76 Oct 23 18:28 000001c0 62 6f 73 2e 6d 73 67 2e 70 6c 5f 50 4c 2e 34 2e bos.msg.pl_PL.4. 000001d0 33 2e 33 2e 30 2e 49 0d 0a 2d 72 77 78 72 77 78 3.3.0.I..-rwxrwx 000001e0 72 2d 2d 20 20 20 31 20 72 6f 6f 74 20 20 20 20 r-- 1 root 000001f0 20 32 30 32 20 20 20 20 20 20 20 33 32 38 37 30 202 32870 00000200 34 20 4f 63 4 Oc Incoming packet type 17 / 0x11 (SSH1_SMSG_STDOUT_DATA) 00000000 00 00 00 26 74 20 32 33 20 31 38 3a 33 37 20 62 ...&t 23 18:37 b 00000010 6f 73 2e 6d 73 67 2e 70 6c 5f 50 4c 2e 34 2e 33 os.msg.pl_PL.4.3 00000020 2e 33 2e 30 2e 49 2e 31 0d 0a .3.0.I.1.. Outgoing packet type 16 / 0x10 (SSH1_CMSG_STDIN_DATA) 00000000 00 00 00 01 0d ..... Outgoing packet type 16 / 0x10 (SSH1_CMSG_STDIN_DATA) 00000000 00 00 00 01 0d ..... Outgoing packet type 16 / 0x10 (SSH1_CMSG_STDIN_DATA) 00000000 00 00 00 01 0d ..... Outgoing packet type 16 / 0x10 (SSH1_CMSG_STDIN_DATA) 00000000 00 00 00 01 0d ..... Outgoing packet type 16 / 0x10 (SSH1_CMSG_STDIN_DATA) 00000000 00 00 00 01 0d ..... Outgoing packet type 16 / 0x10 (SSH1_CMSG_STDIN_DATA) 00000000 00 00 00 01 0d ..... Outgoing packet type 16 / 0x10 (SSH1_CMSG_STDIN_DATA) 00000000 00 00 00 01 0d ..... Outgoing packet type 16 / 0x10 (SSH1_CMSG_STDIN_DATA) 00000000 00 00 00 01 0d ..... Outgoing packet type 16 / 0x10 (SSH1_CMSG_STDIN_DATA) 00000000 00 00 00 01 0d ..... 
Outgoing packet type 16 / 0x10 (SSH1_CMSG_STDIN_DATA) 00000000 00 00 00 01 0d ..... Outgoing packet type 16 / 0x10 (SSH1_CMSG_STDIN_DATA) 00000000 00 00 00 01 0d ..... Outgoing packet type 16 / 0x10 (SSH1_CMSG_STDIN_DATA) 00000000 00 00 00 01 0d ..... ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From rdawes at mweb.co.za Wed Feb 27 03:38:28 2002 
From: rdawes at mweb.co.za (Rogan Dawes)
Date: Tue, 26 Feb 2002 18:38:28 +0200
Subject: logging of which key authenticated?
Message-ID: <001401c1bee4$073b9210$feec1ec4@rampage>

Hi folks,

I was wondering if it were possible to log which key is used to
authenticate a user logging in?

In our scenario, our client is wanting to use SSH keys to control shared
access to Unix accounts, including root. It is obviously possible to add
multiple keys into the authorized_keys file, however, it is not possible
to see which user/key was actually presented, at a reasonable logging
level.

I have looked at the source code, and it seems relatively simple to log
this - In the most verbose debug mode, the *line number* of the key in
the file IS printed/logged. It would just be a question of moving that
logging command from the most verbose mode to the normal logging mode,
or creating an option to support it.

Obviously this would be supported with syslogging to a remote log server
to prevent log tampering, and hiding the evidence.

Naturally our client does not want to maintain this themselves, in case
a future upgrade to the latest OpenSSH wipes out their change.

If I were to create a patch to provide this functionality, would it be
accepted, or is there some fundamental objection to doing this?

It makes more sense to me to log something like the comment in the
public key, rather than the key itself, or just the line number. Are
there security implications to this other than "What happens if the
user edits the authorized_keys file and changes the comment?" Does the
logging step occur as "root", or as the authenticated user, if it is
non-root?

Thanks

Rogan

From jhawk at MIT.EDU Wed Feb 27 03:58:35 2002
From: jhawk at MIT.EDU (John Hawkinson)
Date: Tue, 26 Feb 2002 11:58:35 -0500
Subject: logging of which key authenticated?
In-Reply-To: <001401c1bee4$073b9210$feec1ec4@rampage>
References: <001401c1bee4$073b9210$feec1ec4@rampage>
Message-ID: <20020226165835.GB3548@multics.mit.edu>

Rogan Dawes wrote on Tue, 26 Feb 2002
at 18:38:28 +0200 in <001401c1bee4$073b9210$feec1ec4 at rampage>:

> If I were to create a patch to provide this functionality, would it be
> accepted, or is there some fundamental objection to doing this?

I think that logging the key is a good idea.

> It makes more sense to me to log something like the comment in the
> public key, rather than the key itself, or just the line number. Are
> there security implications to this other than "What happens if the
> user edits the authorized_keys file and changes the comment?" Does
> the logging step occur as "root", or as the authenticated user, if
> it is non-root?

I would suggest you log the fingerprint of the key, along with the
comment parenthetically.

bogus idea: You could go all-out and have the syntax for your logging
option define % escapes for the fingerprint, the comment, the pathname
to the authorized_keys_file, the line number, and the entire key
itself, and allow the administrator to provide a printf-style format
string for the key logging. (I think this is silly, and that the
fingerprint and the comment should be sufficient...)

--jhawk

From mouring at etoh.eviladmin.org Wed Feb 27 03:34:25 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 26 Feb 2002 10:34:25 -0600 (CST)
Subject: logging of which key authenticated?
In-Reply-To: <20020226165835.GB3548@multics.mit.edu>
Message-ID:

Keys are logged in the -current tree.

- Ben

On Tue, 26 Feb 2002, John Hawkinson wrote:

> Rogan Dawes wrote on Tue, 26 Feb 2002
> at 18:38:28 +0200 in <001401c1bee4$073b9210$feec1ec4 at rampage>:
>
> > If I were to create a patch to provide this functionality, would it be
> > accepted, or is there some fundamental objection to doing this?
>
> I think that logging the key is a good idea.
>
> > It makes more sense to me to log something like the comment in the
> > public key, rather than the key itself, or just the line number. Are
> > there security implications to this other than "What happens if the
> > user edits the authorized_keys file and changes the comment?" Does
> > the logging step occur as "root", or as the authenticated user, if
> > it is non-root?
>
> I would suggest you log the fingerprint of the key, along with the
> comment parenthetically.
>
> bogus idea: You could go all-out and have the syntax for your logging
> option define % escapes for the fingerprint, the comment, the pathname
> to the authorized_keys_file, the line number, and the entire key
> itself, and allow the administrator to provide a printf-style format
> string for the key logging. (I think this is silly, and that the
> fingerprint and the comment should be sufficient...)
>
> --jhawk
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From mouring at etoh.eviladmin.org Wed Feb 27 03:46:59 2002
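Whatever sshd ends up logging, an administrator still has to turn a logged fingerprint back into a person. The script below is an added example, not OpenSSH code and not the patch Rogan proposes: it walks an authorized_keys file and reports, per key, the line number (what the debug log printed), the MD5 fingerprint that ssh-keygen -l printed at the time, the SHA256 form it prints today, the leading options field if any, and the comment. It identifies keys by fingerprint, which is derived from the key material, rather than by the comment the key's owner can edit, which is the concern raised above; it also rejects lines whose blob does not match the declared type instead of fingerprinting garbage. The sample file is constructed here; its key blob is the regress-test public key (rsa_openssh.pub) quoted earlier in this thread, and the names, options and comments are made up.

```python
"""Resolve authorized_keys entries to fingerprints (added example, not OpenSSH code)."""
import base64
import hashlib
import struct
from typing import List, NamedTuple, Optional, Tuple

# Key types sshd accepts in authorized_keys today; in 2002 only the first two existed.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


class KeyEntry(NamedTuple):
    line: int               # line number in the file, what the debug log printed
    options: Optional[str]  # leading options field (command=..., from=...), if any
    key_type: str
    md5: str                # aa:bb:... colon form, as ssh-keygen -l printed in 2002
    sha256: str             # SHA256:<base64> form, as ssh-keygen -l prints today
    comment: str            # free text after the key, editable by the key's owner


def md5_fingerprint(blob: bytes) -> str:
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    raw = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii")
    return "SHA256:" + raw.rstrip("=")


def decode_key_blob(b64: str, key_type: str) -> bytes:
    """Base64-decode the key and check that the blob's own type string agrees
    with the declared type, so a mislabelled or truncated line is reported
    rather than fingerprinted as if it were valid."""
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    inner = blob[4:4 + n]
    if inner != key_type.encode("ascii"):
        raise ValueError("blob type %r does not match %s" % (inner, key_type))
    return blob


def split_options(line: str) -> Tuple[Optional[str], str]:
    """Separate a leading options field from the key that follows it.

    Options end at the first whitespace outside double quotes; inside quotes a
    backslash escapes the next character, so command="..." may contain spaces."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return None, line
    i, quoted = 0, False
    while i < len(line):
        c = line[i]
        if quoted and c == "\\":
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            break
        i += 1
    return line[:i], line[i:].lstrip()


def parse_authorized_keys(text: str) -> Tuple[List[KeyEntry], List[str]]:
    """Return the valid entries and a list of problems for lines sshd would reject."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            options, rest = split_options(line)
            parts = rest.split(None, 2)
            if len(parts) < 2 or parts[0] not in KEY_TYPES:
                raise ValueError("no recognised key type")
            key_type, b64 = parts[0], parts[1]
            comment = parts[2] if len(parts) == 3 else ""
            blob = decode_key_blob(b64, key_type)
            entries.append(KeyEntry(lineno, options, key_type,
                                    md5_fingerprint(blob), sha256_fingerprint(blob), comment))
        except ValueError as exc:
            problems.append("line %d: %s" % (lineno, exc))
    return entries, problems


# Constructed sample file. The key blob is the regress-test public key
# (rsa_openssh.pub) quoted earlier in this thread; names and options are made up.
REGRESS_KEY_B64 = (
    "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDsilwKcaKN6wSMNd1WgQ9+HRqQEkD0kCTVttrazG"
    "u0OhBU3Uko+dFD1Ip0CxdXmN25JQWxOYF7h/Ocu8P3jzv3RTX87xKR0YzlXTLX+SLtF/yS"
    "ebS3xWPrlfRUDhh03hR5V+8xxvvy9widPYKw/oItwGSueOsEq1LTczCDv2dAjQ==")
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the example",
    "ssh-rsa " + REGRESS_KEY_B64 + " alice at laptop",
    "",
    'command="/usr/local/bin/backup",no-pty ssh-rsa ' + REGRESS_KEY_B64 + " backup at host",
    "ssh-dss " + REGRESS_KEY_B64 + " mislabelled",   # declared type != blob type
])

if __name__ == "__main__":
    found, rejected = parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)
    for e in found:
        extra = (" options=" + e.options) if e.options else ""
        print("line %d %s %s (%s)%s" % (e.line, e.md5, e.sha256, e.comment, extra))
    for p in rejected:
        print("rejected:", p)
```

Run against the real file under an account's ~/.ssh, the output is the lookup table that turns a fingerprint in the auth log into a line number and comment; keep that table from a trusted copy of the file rather than from the one the account holder can edit.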
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 26 Feb 2002 10:46:59 -0600 (CST)
Subject: Call for testing.
In-Reply-To: <20020226171353.A29948@folly>

On Tue, 26 Feb 2002, Markus Friedl wrote:

> On Tue, Feb 26, 2002 at 03:05:15PM +0100, Gert Doering wrote:
> > most "T" tests run, except for:
>
> cool.
>
> > * ssh-keyscan fails (root and non-root) with
> >
> > ssh-keyscan -t dsa failed with: 255
> > failed keyscan
>
> this indicates a bug in ssh-keyscan that got fixed recently (not
> sure whether it's in -portable).

We are 10 patches behind at this moment..

Damien, I have to test my changes on the whatneedsit.sh script on a non-OpenBSD box, but I found a few errors due to GNUified cut and the fact we have two RCSID in auth-krb5.c since it came from the FreeBSD source. I'll try to verify it tonight and post a copy of the changes on the private list.

- Ben

From mouring at etoh.eviladmin.org Wed Feb 27 04:30:01 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 26 Feb 2002 11:30:01 -0600 (CST)
Subject: Call for testing.

On Tue, 26 Feb 2002, Ben Lindstrom wrote:

> On Tue, 26 Feb 2002, Markus Friedl wrote:
> > On Tue, Feb 26, 2002 at 03:05:15PM +0100, Gert Doering wrote:
[..]
> > this indicates a bug in ssh-keyscan that got fixed recently (not
> > sure whether it's in -portable).
>
> We are 10 patches behind at this moment..
>

11.. Off by 1..=)

We should be synced again for the time being. Someone in the portable (not me at this point =) should use Gert's patch and bring the regression testing into the openssh portable tree to make testing easier for the portable group.

- Ben

From carson at taltos.org Wed Feb 27 05:12:15 2002
From: carson at taltos.org (Carson Gaspar)
Date: Tue, 26 Feb 2002 13:12:15 -0500
Subject: Call for testing.
In-Reply-To: <20020226150515.G28221@greenie.muc.de>
References: <20020226150515.G28221@greenie.muc.de>
Message-ID: <10681419.1014729134@[172.25.113.221]>

--On Tuesday, February 26, 2002 3:05 PM +0100 Gert Doering wrote:

> /dev/stdin: No such file or directory
> (no /dev/stdin on AIX)

Do you have /dev/fd? If so, /dev/fd/0 might be a replacement, if I'm guessing the semantics of /dev/stdin correctly.

-- 
Carson

From mouring at etoh.eviladmin.org Wed Feb 27 04:49:46 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 26 Feb 2002 11:49:46 -0600 (CST)
Subject: Locale problems on Solaris
In-Reply-To: <73699233.1014751536@localhost>

In --current one should just be able to put in do_setup_env() a:

read_environment_file(&env, &envsize, "/etc/default/init");

for 3.0.2 it would be do_child()

- Ben

On Tue, 26 Feb 2002, Daniel Bergman wrote:

>
> I've also experienced this which I solved by setting the locale variables
> in /etc/profile but I rather would like SSH to set the right locale for me.
>
> Regards,
> Daniel
>
> > Hi there.
> >
> > With OpenSSH 3.0.2p1 on Solaris, the locale does not appear to get set
> > correctly at login, as it does with, say telnet:
> >
> > /etc/default/init:
> > TZ=GB
> > CMASK=022
> > LC_COLLATE=en_GB.ISO8859-1
> > LC_CTYPE=en_GB.ISO8859-1
> > LC_MESSAGES=C
> > LC_MONETARY=en_GB.ISO8859-1
> > LC_NUMERIC=en_GB.ISO8859-1
> > LC_TIME=en_GB.ISO8859-1
> >
> > When logging in via SSH:
> > scot /home/scot > locale
> > LANG=
> > LC_CTYPE="C"
> > LC_NUMERIC="C"
> > LC_TIME="C"
> > LC_COLLATE="C"
> > LC_MONETARY="C"
> > LC_MESSAGES="C"
> > LC_ALL=
> >
> > When logging in via telnet:
> > scot /home/scot > locale
> > LANG=
> > LC_CTYPE=en_GB.ISO8859-1
> > LC_NUMERIC=en_GB.ISO8859-1
> > LC_TIME=en_GB.ISO8859-1
> > LC_COLLATE=en_GB.ISO8859-1
> > LC_MONETARY=en_GB.ISO8859-1
> > LC_MESSAGES=C
> > LC_ALL=
> >
> >
> > I'd expect the default locale to have been set I think. Any ideas?
> >
> > Thanks
> >
> > Scot
>
> --
> Daniel Bergman
> Phone: 08 - 55066265
> Mobile: 070 - 289 30 39
> Fax: 08 - 59827056
> Email: d-b at home.se

From djast at cs.toronto.edu Wed Feb 27 06:02:05 2002
From: djast at cs.toronto.edu (Dan Astoorian)
Date: Tue, 26 Feb 2002 14:02:05 -0500
Subject: Locale problems on Solaris
In-Reply-To: Your message of "Tue, 26 Feb 2002 12:49:46 EST."
Message-ID: <02Feb26.140207edt.453131-538@jane.cs.toronto.edu>

On Tue, 26 Feb 2002 12:49:46 EST, Ben Lindstrom writes:
>
> In --current one should just be able to put in do_setup_env() a:
>
> read_environment_file(&env, &envsize, "/etc/default/init");

This may be a usable workaround, but it's the wrong solution. Despite appearances, /etc/default/init does NOT contain environment variables (per se). Aside from LANG and LC_*, it contains configuration for /etc/init such as TZ and CMASK, which should not get folded into the user environment.

It would be preferable to copy LANG, NLSPATH, and all variables beginning with "LC_" into /etc/environment or $HOME/.ssh/environment.

If you want to fix it in sshd, you should do it by copying those variables from the parent sshd process to the session, not by reading /etc/default/init.

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all. It's
djast at cs.toronto.edu        not, it's better to have loved and won. All
www.cs.toronto.edu/~djast/  the other options really suck.   --Dan Redican

From rdawes at mweb.co.za Wed Feb 27 07:15:11 2002
From: rdawes at mweb.co.za (Rogan Dawes)
Date: Tue, 26 Feb 2002 22:15:11 +0200
Subject: logging of which key authenticated?
Message-ID: <009301c1bf02$52f39720$feec1ec4@rampage>

That's great! Any ideas about a release date?

Rogan

----- Original Message -----
From: "Ben Lindstrom"
To: "John Hawkinson"
Cc: "Rogan Dawes"
Sent: Tuesday, February 26, 2002 6:34 PM
Subject: Re: logging of which key authenticated?

>
> Keys are logged in the -current tree.
>
> - Ben
>
> On Tue, 26 Feb 2002, John Hawkinson wrote:
>
> > Rogan Dawes wrote on Tue, 26 Feb 2002
> > at 18:38:28 +0200 in <001401c1bee4$073b9210$feec1ec4 at rampage>:
> >
> > > If I were to create a patch to provide this functionality, would it be
> > > accepted, or is there some fundamental objection to doing this?
> >
> > I think that logging the key is a good idea.
> >
> > > It makes more sense to me to log something like the comment in the
> > > public key, rather than the key itself, or just the line number. Are
> > > there security implications to this other than "What happens if the
> > > user edits the 'authorized_keys file and changes the comment?" Does
> > > the logging step occur as "root", or as the authenticated user, if
> > > it is non-root?
> >
> > I would suggest you log the fingerprint of the key, along with the
> > comment parenthetically.
> >
> > bogus idea: You could go all-out and have the syntax for your logging
> > option define % escapes for the fingerprint, the comment, the pathname
> > to the authorized_keys_file, the line number, and the entire key
> > itself, and allow the administrator to provide a printf-style format
> > string for the key logging. (I think this is silly, and that the
> > fingerprint and the comment should be sufficient...)
> >
> > --jhawk

From d-b at home.se Wed Feb 27 08:19:29 2002
From: d-b at home.se (Daniel Bergman)
Date: Tue, 26 Feb 2002 22:19:29 +0100
Subject: Locale problems on Solaris
In-Reply-To: <02Feb26.140207edt.453131-538@jane.cs.toronto.edu>
References: <02Feb26.140207edt.453131-538@jane.cs.toronto.edu>
Message-ID: <84132916.1014761969@localhost>

I agree with Dan!
Since init reads /etc/default/init and then, on most systems anyway, launches SSH from /etc/rc[23].d/S[00-99]opensshd, the sshd parent process should have the "correct" locale setting. So copying those variables from the parent seems like the right approach.

Copying LANG, NLSPATH and LC_* variables into /etc/environment might not be a bad idea for sysadmins anyway. /etc/profile or ~/.profile should source that file.

Regards,
Daniel

> This may be a usable workaround, but it's the wrong solution. Despite
> appearances, /etc/default/init does NOT contain environment variables
> (per se). Aside from LANG and LC_*, it contains configuration for
> /etc/init such as TZ and CMASK, which should not get folded into the
> user environment.
>
> It would be preferable to copy LANG, NLSPATH, and all variables
> beginning with "LC_" into /etc/environment or $HOME/.ssh/environment.
>
> If you want to fix it in sshd, you should do it by copying those
> variables from the parent sshd process to the session, not be reading
> /etc/default/init.
>
> --
> Dan Astoorian People shouldn't think that it's better to

-- 
Daniel Bergman
Phone: 08 - 55066265
Mobile: 070 - 289 30 39
Fax: 08 - 59827056
Email: d-b at home.se

From gert at greenie.muc.de Wed Feb 27 08:18:36 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 26 Feb 2002 22:18:36 +0100
Subject: Call for testing.
In-Reply-To: <10681419.1014729134@[172.25.113.221]>; from Carson Gaspar on Tue, Feb 26, 2002 at 01:12:15PM -0500
References: <20020226150515.G28221@greenie.muc.de> <10681419.1014729134@[172.25.113.221]>
Message-ID: <20020226221836.A8840@greenie.muc.de>

Hi,

On Tue, Feb 26, 2002 at 01:12:15PM -0500, Carson Gaspar wrote:
> > /dev/stdin: No such file or directory
> > (no /dev/stdin on AIX)
>
> Do you have /dev/fd? If so, /dev/fd/0 might be a replacement, if I'm
> guessing the semantics of /dev/stdin correctly.

Unfortunately, no. Neither /proc/fd.

(Ditto for SCO 3, btw., and most likely for most other SVR3 based platforms)

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From mouring at etoh.eviladmin.org Wed Feb 27 08:04:36 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 26 Feb 2002 15:04:36 -0600 (CST)
Subject: Locale problems on Solaris
In-Reply-To: <84132916.1014761969@localhost>

Maybe instead of loading up OpenSSH's do_setup_env with hundreds of potentially unique user variables we should provide a sshd_config option like 'ChildEnv' which would allow the admin to decide what they would like to export. Then provide Solaris, AIX, etc examples of 'commonly used' ones somewhere in contrib/ or in (cringes) sshd_config.

It seems a bit more reasonable than having 30+ different #if _SOMEPLATFORM/#endif code in OpenSSH portable.

Granted it is semi-redundant since /etc/environment serves the same thing. Just ensuring people remember to update it when changes occur.

- Ben

On Tue, 26 Feb 2002, Daniel Bergman wrote:

>
> I agree with Dan!
> Since init reads /etc/default/init and then, on most systems anyway,
> launches SSH from /etc/rc[23].d/S[00-99]opensshd, sshd parent process
> should have the "correct" locale setting. So copying those variables from
> the parent seems like the right approach.
>
> Coping LANG, NLSPATH and LC_* variables into /etc/environment might not be
> a bad idea for sysadmins anyway. /etc/profile or ~/.profile should source
> that file.
>
> Regards,
> Daniel
>
> > This may be a usable workaround, but it's the wrong solution. Despite
> > appearances, /etc/default/init does NOT contain environment variables
> > (per se). Aside from LANG and LC_*, it contains configuration for
> > /etc/init such as TZ and CMASK, which should not get folded into the
> > user environment.
> >
> > It would be preferable to copy LANG, NLSPATH, and all variables
> > beginning with "LC_" into /etc/environment or $HOME/.ssh/environment.
> >
> > If you want to fix it in sshd, you should do it by copying those
> > variables from the parent sshd process to the session, not be reading
> > /etc/default/init.
> >
> > --
> > Dan Astoorian People shouldn't think that it's better to
>
>
> --
> Daniel Bergman
> Phone: 08 - 55066265
> Mobile: 070 - 289 30 39
> Fax: 08 - 59827056
> Email: d-b at home.se

From b_smith44 at hotmail.com Wed Feb 27 11:12:36 2002
From: b_smith44 at hotmail.com (Bob Smith)
Date: Tue, 26 Feb 2002 16:12:36 -0800
Subject: openssh & solaris

While trying to sort out the PAM incompatibilities between openssh 3.0.2p1 and solaris 8 and sun's pam_krb5 I got some things to work. I'm really not sure where the appropriate place to submit patches is, so for now I'm sending them here.

This patch will allow PAM interoperability when using sun's pam_krb5 without using the system login routine (this way X forwarding will work). Both ssh and scp work when using the following pam.conf entry:

sshd auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
sshd auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass

NOTE: when authenticating against pam_krb5 a user with an expired passwd cannot login. When authenticating against pam_unix a user with an expired passwd can login and is not prompted to change their password.

NOTE: "pam_setcred: error Permission denied" errors are still issued when exiting a session.

*** auth-pam.c- Mon Feb 25 18:36:04 2002 --- auth-pam.c Tue Feb 26 10:05:31 2002 *************** *** 297,304 **** do_pam_set_conv(&conv); debug("PAM establishing creds"); ! pam_retval = pam_setcred(__pamh, ! init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); if (pam_retval != PAM_SUCCESS) { if (was_authenticated) fatal("PAM setcred failed[%d]: %.200s", --- 297,303 ---- do_pam_set_conv(&conv); debug("PAM establishing creds"); ! pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED); if (pam_retval != PAM_SUCCESS) { if (was_authenticated) fatal("PAM setcred failed[%d]: %.200s",

From b_smith44 at hotmail.com Wed Feb 27 11:16:49 2002
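Review bot: replacing `init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED` with an unconditional `PAM_ESTABLISH_CRED` in the auth-pam.c hunk changes behaviour for every PAM stack, not only Sun's pam_krb5, and leaves `init` unreferenced within the hunk: the call that previously asked modules to re-initialise credentials they already hold now asks them to establish fresh ones. The body's own note that "pam_setcred: error Permission denied" is still logged at session exit suggests the credential lifecycle is not right yet, so either gate this on the platform or module that needs it, or document in a comment next to the call why re-initialisation must be skipped, and remove or explain the now-unused `init` selector.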
From: b_smith44 at hotmail.com (Bob Smith)
Date: Tue, 26 Feb 2002 16:16:49 -0800
Subject: openssh & solaris (part 2)

This patch will allow PAM authentication when using sun's pam_krb5 before pam_unix in the PAM stack. Without this patch a pam.conf entry like:

sshd auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1
sshd auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass

would fail with the error "input_userauth_info_response_pam: no authentication context".

NOTE: when authenticating against pam_krb5 a user with an expired passwd cannot login. When authenticating against pam_unix a user with an expired passwd can login and is not prompted to change their password.

NOTE: "pam_setcred: error Permission denied" errors are still issued when exiting a session.

*** auth2-pam.c- Tue Feb 26 15:30:14 2002 --- auth2-pam.c Tue Feb 26 15:31:26 2002 *************** *** 134,141 **** --- 134,143 ---- unsigned int nresp = 0, rlen = 0, i = 0; char *resp; + /* if (authctxt == NULL) fatal("input_userauth_info_response_pam: no authentication context"); + */ nresp = packet_get_int(); /* Number of responses. */ debug("got %d responses", nresp);

From scot at poptart.org Wed Feb 27 21:59:12 2002
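Review bot: commenting out the `if (authctxt == NULL) fatal(...)` check in the auth2-pam.c hunk removes the only guard visible before the function goes on to consume client-supplied data (`nresp = packet_get_int();`); if anything later in input_userauth_info_response_pam dereferences `authctxt`, a client whose info response arrives without a context now gets a NULL dereference in sshd instead of a clean fatal(). The error message quoted in the body is the symptom that the response for the pam_krb5-first stack is handled before the authentication context has been set up; the fix belongs where that context should be created, not at the check that reports its absence. If the check really is to go, delete it rather than leaving it inside `/* ... */`.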
From: scot at poptart.org (Scot Elliott)
Date: Wed, 27 Feb 2002 10:59:12 +0000 (GMT)
Subject: Locale problems on Solaris

Actually from a quick truss of a telnetd process, it seems it calls setlocale(). I'd suggest that's the way to go rather than reading in /etc/default/init.

Scot

On Tue, 26 Feb 2002, Ben Lindstrom wrote:

>
> In --current one should just be able to put in do_setup_env() a:
>
> read_environment_file(&env, &envsize, "/etc/default/init");
>
> for 3.0.2 it would be do_child()
>
> - Ben
>
> On Tue, 26 Feb 2002, Daniel Bergman wrote:
>
> >
> > I've also experienced this which I solved by setting the locale variables
> > in /etc/profile but I rather would like SSH to set the right locale for me.
> >
> > Regards,
> > Daniel
> >
> > > Hi there.
> > >
> > > With OpenSSH 3.0.2p1 on Solaris, the locale does not appear to get set
> > > correctly at login, as it does with, say telnet:
> > >
> > > /etc/default/init:
> > > TZ=GB
> > > CMASK=022
> > > LC_COLLATE=en_GB.ISO8859-1
> > > LC_CTYPE=en_GB.ISO8859-1
> > > LC_MESSAGES=C
> > > LC_MONETARY=en_GB.ISO8859-1
> > > LC_NUMERIC=en_GB.ISO8859-1
> > > LC_TIME=en_GB.ISO8859-1
> > >
> > > When logging in via SSH:
> > > scot /home/scot > locale
> > > LANG=
> > > LC_CTYPE="C"
> > > LC_NUMERIC="C"
> > > LC_TIME="C"
> > > LC_COLLATE="C"
> > > LC_MONETARY="C"
> > > LC_MESSAGES="C"
> > > LC_ALL=
> > >
> > > When logging in via telnet:
> > > scot /home/scot > locale
> > > LANG=
> > > LC_CTYPE=en_GB.ISO8859-1
> > > LC_NUMERIC=en_GB.ISO8859-1
> > > LC_TIME=en_GB.ISO8859-1
> > > LC_COLLATE=en_GB.ISO8859-1
> > > LC_MONETARY=en_GB.ISO8859-1
> > > LC_MESSAGES=C
> > > LC_ALL=
> > >
> > >
> > > I'd expect the default locale to have been set I think. Any ideas?
> > >
> > > Thanks
> > >
> > > Scot
> >
> > --
> > Daniel Bergman
> > Phone: 08 - 55066265
> > Mobile: 070 - 289 30 39
> > Fax: 08 - 59827056
> > Email: d-b at home.se

From markus at openbsd.org Wed Feb 27 21:59:39 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 27 Feb 2002 11:59:39 +0100
Subject: logging of which key authenticated?
In-Reply-To: <009301c1bf02$52f39720$feec1ec4@rampage>; from rdawes@mweb.co.za on Tue, Feb 26, 2002 at 10:15:11PM +0200
References: <009301c1bf02$52f39720$feec1ec4@rampage>
Message-ID: <20020227115939.D7042@folly>

On Tue, Feb 26, 2002 at 10:15:11PM +0200, Rogan Dawes wrote:
> That's great! Any ideas about a release date?

probably depends on how well the snapshots get tested.

From bugzilla-daemon at mindrot.org Thu Feb 28 00:43:24 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 28 Feb 2002 00:43:24 +1100 (EST)
Subject: [Bug 125] New: with BSM auditing, cron editing thru ssh session causes cron jobs to fail
Message-ID: <20020227134324.31F98E919@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=125

           Summary: with BSM auditing, cron editing thru ssh session causes cron jobs to fail
           Product: Portable OpenSSH
           Version: -current
          Platform: Other
        OS/Version: Solaris
            Status: NEW
          Severity: major
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: andrew at sydelko.org

This is to re-open bug #2.

With BSM auditing turned on under Solaris, editing a crontab through an ssh session causes all cron jobs for that user to fail to run (with a "cron audit problem"). Darren Moffat and Sun supposedly have provided patches to fix this, but they have yet to be included. At the very least, can you allow the patches to be available so that we may fix this fairly mission-critical bug in our network.

Thanks,
--andy.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Feb 28 03:25:59 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 28 Feb 2002 03:25:59 +1100 (EST)
Subject: [Bug 126] New: ssh-keyscan hangs or crashes accessing Sun ssh host
Message-ID: <20020227162559.0EE89E921@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=126

           Summary: ssh-keyscan hangs or crashes accessing Sun ssh host
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Miscellaneous
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: jss at ast.cam.ac.uk

When trying to do a keyscan on a machine running Sun's ssh daemon, the ssh-keyscan hangs indefinitely. For example:

xpc1:~/code> ./ssh-keyscan cass37.ast.cam.ac.uk
# cass37.ast.cam.ac.uk SSH-2.0-Sun_SSH_1.0
[... hangs here consuming most of the cpu ...]

strace shows something like this repeated:

read(3, "", 1349676892) = 0
gettimeofday({1014826290, 123906}, NULL) = 0
gettimeofday({1014826290, 125461}, NULL) = 0

With a long file of hosts including a sun ssh one the keyscan can crash with an error in xmalloc attempting to allocate too much memory.

xmalloc: out of memory (allocating 1349676920 bytes)

From djast at cs.toronto.edu Thu Feb 28 03:28:22 2002
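As an added illustration of the two failure modes in this report (example code written for this page, not OpenSSH's ssh-keyscan): a reader for the first packet after the identification banner that bounds the length field before acting on it and treats an empty read as end of file rather than retrying it. The banner, the text that follows it and the 256 KiB cap are constructed for the demo; the 1349676916 that the trusting path produces is simply the ASCII bytes "Prot" read as a big-endian length, not the value from the report.

```python
import io
import struct

# Constructed bound for this example. RFC 4253 only obliges peers to accept
# packets of 35000 bytes; a key scanner never needs anything near a gigabyte.
MAX_PACKET_LEN = 256 * 1024
MAX_LINE_LEN = 255          # identification strings are limited to 255 bytes

# Constructed sample traffic (not a capture from any real server): a normal
# identification banner, followed by a line of text where a binary packet
# (uint32 length, then payload) was expected.
BANNER = b"SSH-2.0-Example_Server_1.0\r\n"
UNEXPECTED_TEXT = b"Protocol mismatch.\r\n"
# A constructed well-formed follow-up: 12-byte packet announced by its length field.
GOOD_PACKET = BANNER + struct.pack(">I", 12) + bytes(12)

def read_exact(stream, n: int) -> bytes:
    """Read exactly n bytes. An empty read means EOF and is reported, never
    retried, so a closed peer cannot turn into a busy loop of read() == 0."""
    buf = bytearray()
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            raise EOFError(f"peer closed with {n - len(buf)} bytes outstanding")
        buf.extend(chunk)
    return bytes(buf)

def read_banner(stream) -> bytes:
    """Read the identification line up to LF, bounded at MAX_LINE_LEN."""
    line = bytearray()
    while not line.endswith(b"\n"):
        if len(line) >= MAX_LINE_LEN:
            raise ValueError("identification string too long")
        line.extend(read_exact(stream, 1))
    return bytes(line).rstrip(b"\r\n")

def trusting_packet_len(stream) -> int:
    """What a parser does when it believes the peer: use the 4 bytes as-is."""
    return struct.unpack(">I", stream.read(4))[0]

def checked_packet_len(stream) -> int:
    """Bound the length before anything is allocated or read on its basis."""
    n = struct.unpack(">I", read_exact(stream, 4))[0]
    # SSH-2 minimum: one padding_length byte plus at least four bytes of padding.
    if n < 5 or n > MAX_PACKET_LEN:
        raise ValueError(f"implausible packet length {n}")
    return n

def probe(wire: bytes, trusting: bool) -> dict:
    """Run one scan over constructed bytes and report what happened."""
    stream = io.BytesIO(wire)
    result = {"banner": None, "length": None, "status": None, "detail": ""}
    try:
        result["banner"] = read_banner(stream)
        if not result["banner"].startswith(b"SSH-"):
            raise ValueError("no SSH identification string")
        n = trusting_packet_len(stream) if trusting else checked_packet_len(stream)
        result["length"] = n
        read_exact(stream, n)   # a trusting scanner would allocate n bytes here
        result["status"] = "ok"
    except ValueError as e:
        result["status"], result["detail"] = "rejected", str(e)
    except EOFError as e:
        result["status"], result["detail"] = "eof", str(e)
    return result
```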
From: djast at cs.toronto.edu (Dan Astoorian)
Date: Wed, 27 Feb 2002 11:28:22 -0500
Subject: Locale problems on Solaris
In-Reply-To: Your message of "Wed, 27 Feb 2002 05:59:12 EST."
Message-ID: <02Feb27.112825edt.453131-538@jane.cs.toronto.edu>

On Wed, 27 Feb 2002 05:59:12 EST, Scot Elliott writes:
> Actually from a quick truss of a telnetd process, it seems it calls
> setlocale(). I'd suggest that's the way to go rather than reading in
> /etc/default/init.

I don't think setlocale() solves the problem. I believe it's the case that setlocale(LC_...,"") uses the LC_*/LANG environment variables (as opposed to setting them); and that nothing setlocale() does is inherited through an exec*() call.

-- 
Dan Astoorian               People shouldn't think that it's better to have
Sysadmin, CSLab             loved and lost than never loved at all. It's
djast at cs.toronto.edu        not, it's better to have loved and won. All
www.cs.toronto.edu/~djast/  the other options really suck.   --Dan Redican

From scot at poptart.org Thu Feb 28 03:36:22 2002
From: scot at poptart.org (Scot Elliott)
Date: Wed, 27 Feb 2002 16:36:22 +0000 (GMT)
Subject: Locale problems on Solaris
In-Reply-To: <02Feb27.112825edt.453131-538@jane.cs.toronto.edu>

Ahh I think you're right yes. In Solaris, the /etc/default/init variables are set by init and inherited by all system processes, hence creating a default locale. In the environment of the sshd running on my Solaris box, the LC_ and LANG vars are set, but not in the shell that's run by sshd. So the setlocale() done by the shell doesn't do anything. Is OpenSSH removing these variables before exec()ing?

Scot

-- 
Scot Elliott (E)scot at poptart.org (T)07813 651654 (F)07092 010646
PGP key at http://www.poptart.org/scot.asc

On Wed, 27 Feb 2002, Dan Astoorian wrote:

> On Wed, 27 Feb 2002 05:59:12 EST, Scot Elliott writes:
> > Actually from a quick truss of a telnetd process, it seems it calls
> > setlocale(). I'd suggest that's the way to go rather than reading in
> > /etc/default/init.
>
> I don't think setlocale() solves the problem. I believe it's the case
> that setlocale(LC_...,"") uses the LC_*/LANG environment variables (as
> opposed to setting them); and that nothing setlocale() does is inherited
> through an exec*() call.
>
> --
> Dan Astoorian               People shouldn't think that it's better to have
> Sysadmin, CSLab             loved and lost than never loved at all. It's
> djast at cs.toronto.edu        not, it's better to have loved and won. All
> www.cs.toronto.edu/~djast/  the other options really suck.   --Dan Redican

From pekkas at netcore.fi Thu Feb 28 03:55:26 2002
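An added example (not the project's code) contrasting the three approaches discussed in this thread against the /etc/default/init contents Scot quoted: folding the whole file into the session, copying only LANG, NLSPATH and LC_* from the parent sshd's environment as Dan suggests, and a hypothetical 'ChildEnv'-style pattern list as Ben sketches. The file text and the parent environment are constructed; 'ChildEnv' is not a real sshd_config option.

```python
import fnmatch

# Constructed from the /etc/default/init listing quoted earlier in the thread;
# the comment line is added to exercise the parser.
DEFAULT_INIT = """\
# Default settings read by /etc/init on Solaris (constructed sample)
TZ=GB
CMASK=022
LC_COLLATE=en_GB.ISO8859-1
LC_CTYPE=en_GB.ISO8859-1
LC_MESSAGES=C
LC_MONETARY=en_GB.ISO8859-1
LC_NUMERIC=en_GB.ISO8859-1
LC_TIME=en_GB.ISO8859-1
"""

# The variables Dan lists as worth propagating: two exact names plus the LC_ family.
LOCALE_NAMES = {"LANG", "NLSPATH"}
LOCALE_PREFIX = "LC_"

def parse_default_init(text: str) -> dict:
    """Parse KEY=VALUE lines, skipping blanks and comments and stripping simple quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("\"'")
    return env

def fold_in_default_init(parent_env: dict, text: str) -> dict:
    """The read_environment_file(..., "/etc/default/init") approach: every entry
    in the file lands in the session environment, init's TZ and CMASK included."""
    env = dict(parent_env)
    env.update(parse_default_init(text))
    return env

def copy_locale_vars(parent_env: dict) -> dict:
    """Dan's approach: take only LANG, NLSPATH and LC_* from the parent sshd's environment."""
    return {k: v for k, v in parent_env.items()
            if k in LOCALE_NAMES or k.startswith(LOCALE_PREFIX)}

def child_env(parent_env: dict, child_env_patterns: str) -> dict:
    """Hypothetical 'ChildEnv' option as Ben sketches it: the admin lists glob
    patterns (e.g. "LANG LC_* NLSPATH") naming parent variables to export."""
    patterns = child_env_patterns.split()
    return {k: v for k, v in parent_env.items()
            if any(fnmatch.fnmatchcase(k, p) for p in patterns)}

# Constructed parent environment: what sshd inherited from init on the sample box.
PARENT_ENV = {"PATH": "/usr/sbin:/usr/bin", **parse_default_init(DEFAULT_INIT)}
```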
From: pekkas at netcore.fi (Pekka Savola)
Date: Wed, 27 Feb 2002 18:55:26 +0200 (EET)
Subject: PATCH: nroff detection wrong, by default uses mantype=cat

Hi,

Just tested the latest snapshot on RHL72 via building RPM's of it.

Nroff detection was wrong, and if no --with-mantype was specified, the type would always revert to cat.

This one-byter fixes it.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

--- configure.ac~ Wed Feb 27 08:12:35 2002 +++ configure.ac Wed Feb 27 18:43:45 2002 @@ -1798,7 +1798,7 @@ ] ) if test -z "$MANTYPE"; then - AC_PATH_PROGS(NROFF, nroff awf, /bin/false, /usr/bin:/usr/ucb) + AC_PATH_PROGS(NROFF, nroff awf, /bin/false, /usr/bin /usr/ucb) if ${NROFF} -mdoc ${srcdir}/ssh.1 >/dev/null 2>&1; then MANTYPE=doc elif ${NROFF} -man ${srcdir}/ssh.1 >/dev/null 2>&1; then

From bugzilla-daemon at mindrot.org Thu Feb 28 04:17:43 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 28 Feb 2002 04:17:43 +1100 (EST)
Subject: [Bug 126] ssh-keyscan hangs or crashes accessing Sun ssh host
Message-ID: <20020227171743.BFD12E99A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=126

------- Additional Comments From Darren.Moffat at Sun.COM 2002-02-28 04:17 -------
I can't reproduce this with the ssh-keyscan from OpenSSH 3.0p1 and the latest sshd in Solaris. Can you add debug output from the Solaris machine.

It is possible that this was a bug in the Solaris shipped sshd that has been fixed since Beta Refresh. Or it might be a bug in -current which I haven't checked yet.

From bugzilla-daemon at mindrot.org Thu Feb 28 04:46:54 2002
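Review bot: the configure.ac hunk changes only the separator in the fourth argument of AC_PATH_PROGS (`/usr/bin:/usr/ucb` to `/usr/bin /usr/ucb`), and the accompanying text says this fixes detection on RHL72 without saying which autoconf release expects which form; please record that in the commit message or a comment beside the macro, because the accepted separator is an autoconf detail and a later autoconf upgrade could regress this without anyone noticing. Separately, when NROFF falls back to `/bin/false` both the `${NROFF} -mdoc` and `${NROFF} -man` probes fail with no message and MANTYPE silently becomes cat, which is exactly how this went unnoticed; an AC_MSG_WARN when NROFF resolves to /bin/false would make the misdetection visible.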
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 28 Feb 2002 04:46:54 +1100 (EST)
Subject: [Bug 126] ssh-keyscan hangs or crashes accessing Sun ssh host
Message-ID: <20020227174654.1B8DAE9CC@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=126

jss at ast.cam.ac.uk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Version |-current                    |3.0.2p1

------- Additional Comments From jss at ast.cam.ac.uk 2002-02-28 04:46 -------
Sorry - wrong version number for OpenSSH. I've corrected it.

I haven't got access to the ssh server which breaks it, but I might try to ask one of the sysadmins nicely!

From gert at greenie.muc.de Thu Feb 28 05:05:31 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 27 Feb 2002 19:05:31 +0100
Subject: [Bug 126] New: ssh-keyscan hangs or crashes accessing Sun ssh host
In-Reply-To: <20020227162559.0EE89E921@shitei.mindrot.org>; from bugzilla-daemon@mindrot.org on Thu, Feb 28, 2002 at 03:25:59AM +1100
References: <20020227162559.0EE89E921@shitei.mindrot.org>
Message-ID: <20020227190531.B18408@greenie.muc.de>

Hi,

On Thu, Feb 28, 2002 at 03:25:59AM +1100, bugzilla-daemon at mindrot.org wrote:
> Summary: ssh-keyscan hangs or crashes accessing Sun ssh host
> Product: Portable OpenSSH
[..]
> With a long file of hosts including a sun ssh one the keyscan can crash with an
> error in xmalloc attempting to allocate too much memory.
>
> xmalloc: out of memory (allocating 1349676920 bytes)

Looks suspiciously like the thing I saw in the regression test yesterday which is fixed in OpenBSD but not yet in -portable.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From bugzilla-daemon at mindrot.org Thu Feb 28 05:34:06 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 28 Feb 2002 05:34:06 +1100 (EST)
Subject: [Bug 127] New: PAM with ssh authentication and pam_krb5 doesn't work properly
Message-ID: <20020227183406.4DECBE9F5@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=127

           Summary: PAM with ssh authentication and pam_krb5 doesn't work properly
           Product: Portable OpenSSH
           Version: 3.0.2p1
          Platform: UltraSparc
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: b_smith44 at hotmail.com

When authenticating against pam_krb5 a user can only login when sshd is configured to use the system's login routine. The byproduct of this problem is that the user can not use X forwarding.

This patch fixes the problem by modifying the call to pam_setcred to only use the PAM_ESTABLISH_CRED flag. Users can now login (at least with solaris 8) with the pam.conf entry:

sshd auth sufficient /usr/lib/security/$ISA/pam_unix.so.1
sshd auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass

*** auth-pam.c- Mon Feb 25 18:36:04 2002 --- auth-pam.c Tue Feb 26 10:05:31 2002 *************** *** 297,304 **** do_pam_set_conv(&conv); debug("PAM establishing creds"); ! pam_retval = pam_setcred(__pamh, ! init ? PAM_ESTABLISH_CRED : PAM_REINITIALIZE_CRED); if (pam_retval != PAM_SUCCESS) { if (was_authenticated) fatal("PAM setcred failed[%d]: %.200s", --- 297,303 ---- do_pam_set_conv(&conv); debug("PAM establishing creds"); ! pam_retval = pam_setcred(__pamh, PAM_ESTABLISH_CRED); if (pam_retval != PAM_SUCCESS) { if (was_authenticated) fatal("PAM setcred failed[%d]: %.200s",

From bugzilla-daemon at mindrot.org Thu Feb 28 05:38:15 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 28 Feb 2002 05:38:15 +1100 (EST)
Subject: [Bug 128] New: PAM with ssh authentication and pam_krb5 doesn't work properly
Message-ID: <20020227183815.3828AE9F5@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=128

           Summary: PAM with ssh authentication and pam_krb5 doesn't work properly
           Product: Portable OpenSSH
           Version: 3.0.2p1
          Platform: UltraSparc
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: b_smith44 at hotmail.com

When authenticating against pam_krb5 before pam_unix the user can not login; sshd logs the error "input_userauth_info_response_pam: no authentication context". I don't know why this is failing. This patch fixes the problem by removing the check for an authentication context. Users can now login with the pam.conf entry:

sshd auth sufficient /usr/lib/security/$ISA/pam_krb5.so.1
sshd auth required /usr/lib/security/$ISA/pam_unix.so.1 try_first_pass

*** auth2-pam.c- Tue Feb 26 15:30:14 2002 --- auth2-pam.c Tue Feb 26 15:31:26 2002 *************** *** 134,141 **** --- 134,143 ---- unsigned int nresp = 0, rlen = 0, i = 0; char *resp; + /* if (authctxt == NULL) fatal("input_userauth_info_response_pam: no authentication context"); + */ nresp = packet_get_int(); /* Number of responses. */ debug("got %d responses", nresp);

From bugzilla-daemon at mindrot.org Thu Feb 28 05:43:12 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 28 Feb 2002 05:43:12 +1100 (EST)
Subject: [Bug 129] New: PAM with ssh authentication fails treat PAM_NEW_AUTHTOK_REQD properly
Message-ID: <20020227184312.B8B83EA14@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=129

           Summary: PAM with ssh authentication fails treat PAM_NEW_AUTHTOK_REQD properly
           Product: Portable OpenSSH
           Version: 3.0.2p1
          Platform: UltraSparc
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: b_smith44 at hotmail.com

When using ssh's authentication against either pam_unix or pam_krb5, expired passwords are not treated properly.

with pam_unix: sshd: users are not prompted to change their password and can login.
with pam_unix: scp: users are not prompted to change their password and can transfer files.
with pam_krb5: sshd: users are not prompted to change their password and cannot login.
with pam_krb5: scp: users are not prompted to change their password and can transfer files.

Currently the only way to get expired passwords treated correctly by sshd is to use the system's login routine with pam_unix. There is no way to get scp to behave properly.

From mouring at etoh.eviladmin.org Thu Feb 28 05:23:12 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 27 Feb 2002 12:23:12 -0600 (CST)
Subject: [Bug 126] New: ssh-keyscan hangs or crashes accessing Sun ssh host
In-Reply-To: <20020227190531.B18408@greenie.muc.de>

[..]
> Looks suspiciously like the thing I saw in the regression test yesterday
> which is fixed in OpenBSD but not yet in -portable.
>

It should be fixed in portable as of last night when I resynced.

- Ben

From ojoa at gatrixx.com Thu Feb 28 09:06:54 2002
From: ojoa at gatrixx.com (Oliver Joa)
Date: Wed, 27 Feb 2002 23:06:54 +0100
Subject: static link
Message-ID: <20020227230654.C1124@asterix.gallier.de>

hi,

I have downloaded the linux-version of openssh-3.0.2p1. I wanted to compile it statically with the following configure-statement:

./configure --prefix=/usr/local/opt/openssh-3.0.2p1 --with-pam --with-md5-passwords --with-v4-default --with-ldflags=-static --with-ssl-dir=/usr/local/opt/openssl

It worked for the older 2.9 version, but now I get the following error:

gcc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -L. -Lopenbsd-compat/ -L/usr/local/opt/openssl/lib -static -lssh -lopenbsd-compat -lpam -ldl -lutil -lz -lnsl -lcrypto
/usr/lib/gcc-lib/i386-redhat-linux/2.96/../../../libc.a(getopt.o): In function `_getopt_internal':
/usr/src/build/40453-i386/BUILD/glibc-2.2.4/posix/getopt.c:516: multiple definition of `optind'
openbsd-compat//libopenbsd-compat.a(getopt.o):/home/olli/openssh-3.0.2p1/openbsd-compat/getopt.c:64: first defined here
/usr/lib/gcc-lib/i386-redhat-linux/2.96/../../../libc.a(getopt.o): In function `_getopt_internal':
/usr/src/build/40453-i386/BUILD/glibc-2.2.4/posix/getopt.c:516: multiple definition of `opterr'
openbsd-compat//libopenbsd-compat.a(getopt.o):/home/olli/openssh-3.0.2p1/openbsd-compat/getopt.c:64: first defined here
collect2: ld returned 1 exit status
make: *** [ssh] Error 1

Do you have an idea what the problem is? How can I compile it statically?

oliver

--
Dipl. Inf. (FH) Oliver Joa
senior IT-architect
Gatrixx NetSolutions GmbH
Karl-Goetz-Strasse 5
97424 Schweinfurt
Fon +49 9721 797 420
Fax +49 9383 999-58
Mobil +49 160 47874 62
mailto:ojoa at gatrixx.com, ojoa at gmx.net, ojoa at yahoo.com, oliver at j-o-a.de
Further information is available at: http://www.gedif.de/

From fcusack at fcusack.com Thu Feb 28 10:44:55 2002
From: fcusack at fcusack.com (Frank Cusack)
Date: Wed, 27 Feb 2002 15:44:55 -0800
Subject: static link
In-Reply-To: <20020227230654.C1124@asterix.gallier.de>; from ojoa@gatrixx.com on Wed, Feb 27, 2002 at 11:06:54PM +0100
References: <20020227230654.C1124@asterix.gallier.de>
Message-ID: <20020227154454.W17669@google.com>

On Wed, Feb 27, 2002 at 11:06:54PM +0100, Oliver Joa wrote:
> hi,
>
> i have downloaded the linux-version of openssh-3.0.2p1. i wanted
> to compile it statically with the following configure-statement:
>
> ./configure --prefix=/usr/local/opt/openssh-3.0.2p1 --with-pam
> --with-md5-passwords --with-v4-default --with-ldflags=-static
> --with-ssl-dir=/usr/local/opt/openssl
>
> Do you have a idea, whats the problem? how can i compile
> it statically?

Well, I don't know the answer to your question, but --with-pam and static should be mutually exclusive.

/fc

From mouring at etoh.eviladmin.org Thu Feb 28 12:59:52 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 27 Feb 2002 19:59:52 -0600 (CST)
Subject: static link
In-Reply-To: <20020227230654.C1124@asterix.gallier.de>
Message-ID:

On Wed, 27 Feb 2002, Oliver Joa wrote:

> hi,
>
> i have downloaded the linux-version of openssh-3.0.2p1. i wanted
> to compile it statically with the following configure-statement:
>
> ./configure --prefix=/usr/local/opt/openssh-3.0.2p1 --with-pam
> --with-md5-passwords --with-v4-default --with-ldflags=-static
> --with-ssl-dir=/usr/local/opt/openssl
>

first off.. --with-md5-passwords is a worthless option if --with-pam is set. Since pam handles des vs md5 vs "password encryption of the month club".

> It worked for the older 2.9 version, but now i get the following error:
>
> gcc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o
> readconf.o clientloop.o -L. -Lopenbsd-compat/
> -L/usr/local/opt/openssl/lib -static -lssh -lopenbsd-compat -lpam -ldl
> -lutil -lz -lnsl -lcrypto
> /usr/lib/gcc-lib/i386-redhat-linux/2.96/../../../libc.a(getopt.o): In
> function `_getopt_internal':
> /usr/src/build/40453-i386/BUILD/glibc-2.2.4/posix/getopt.c:516:
> multiple definition of `optind'
> openbsd-compat//libopenbsd-compat.a(getopt.o):/home/olli/openssh-3.0.2p1/openbsd-compat/getopt.c:64:
> first defined here

Second off.. Since glibc does not support 'int optreset;' functionality implemented in most BSDes. We have to include our own. As a result a clash occurs on statically compiling.

To hack around to support -static on most platforms lacking optreset is too ugly to implement IMNSHO (and I think others agreed by lack of implementing it).

If you really wish to play around go to openbsd-compat/getopt.c and change 'opterr' and 'optind' to

extern int opterr;
extern int optind;

However if your mother dies due to the fact a crosswalk turns green while the red light is on.. It is not our fault. =)

And the concept of -static and --with-pam are not always compatible.
- Ben

From mouring at etoh.eviladmin.org Thu Feb 28 13:06:07 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 27 Feb 2002 20:06:07 -0600 (CST)
Subject: PATCH: nroff detection wrong, by default uses mantype=cat
In-Reply-To:
Message-ID:

On Wed, 27 Feb 2002, Pekka Savola wrote:

> Hi,
>
> Just tested the latest snapshot on RHL72 via building RPM's of it.
>
> Nroff detection was wrong, and if no --with-mantype was specified, the
> type would always revert to cat. This one-byter fixes it.

Hmm...I get "Manpage Format: doc" with this patch under RH 7.2 without this patch. This was CVS snapshot as of a days ago when Tim was working on some of the outstanding configure.ac bugs.

- Ben

From fcusack at fcusack.com Thu Feb 28 15:05:35 2002
From: fcusack at fcusack.com (Frank Cusack)
Date: Wed, 27 Feb 2002 20:05:35 -0800
Subject: problem running ssh-keygen in Solaris 8 x86
In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, Feb 25, 2002 at 08:11:07PM -0600
References: <20020225184139.B1388@google.com>
Message-ID: <20020227200534.C17669@google.com>

> > On Tue, Feb 26, 2002 at 10:24:10AM +0800, MATTHEW TAN, CUSSID wrote:
> > > I encountered the following when i run the below command on my Solaris 8 x86
> > > box:
> > > #ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
> > >
> > > I got the following error:
> > > Segmentation fault - core dumped
> > >
> > > Does anyone have any idea what is wrong? I am using pre-compiled packages
> > > downloaded from sunfreeware.com.

I followed up with the orig poster and determined that his binary was corrupt. I attempted to download this package myself; my browser fails to download it at all, wget succeeds but on unpacking the ssh-keygen is corrupt.

/fc

From gkam at cennantech.com Thu Feb 28 15:23:57 2002
From: gkam at cennantech.com (Gary Kam)
Date: Wed, 27 Feb 2002 20:23:57 -0800
Subject: Subscribe
Message-ID:

Gary Kam
Cennan Technologies
(909) 444-2130

-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 1204 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020227/b661cc91/attachment.bin

From tim at multitalents.net Thu Feb 28 16:03:14 2002
From: tim at multitalents.net (Tim Rice)
Date: Wed, 27 Feb 2002 21:03:14 -0800 (PST)
Subject: PATCH: nroff detection wrong, by default uses mantype=cat
In-Reply-To:
Message-ID:

On Wed, 27 Feb 2002, Pekka Savola wrote:

> Hi,
>
> Just tested the latest snapshot on RHL72 via building RPM's of it.
>
> Nroff detection was wrong, and if no --with-mantype was specified, the
> type would always revert to cat. This one-byter fixes it.

> - AC_PATH_PROGS(NROFF, nroff awf, /bin/false, /usr/bin:/usr/ucb)
+ AC_PATH_PROGS(NROFF, nroff awf, /bin/false, /usr/bin /usr/ucb)

The test in configure.ac is correct.
If I test your patch with this stripped down configure.ac it fails.

AC_INIT
AC_PATH_PROGS(NROFF, nroff awf, /bin/false, /usr/bin /usr/ucb)
echo $NROFF

checking for nroff... no
checking for awf... no
/bin/false

Leaving the : in (remember, this is a PATH) it works correctly.

checking for nroff... /usr/bin/nroff
/usr/bin/nroff

Look in config.log to find out what is happening on your system.

--
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From pekkas at netcore.fi Thu Feb 28 18:29:39 2002
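Whether the colon-joined or the space-separated directory list works depends on how the generated configure walks the fourth argument of AC_PATH_PROGS. The script below is an added example, not from this thread or from OpenSSH's configure.ac: it builds a constructed sandbox with a fake nroff under usr/bin and nothing under usr/ucb, then runs the same lookup through two loop styles. path_progs_literal mimics a configure that pastes the list into the loop as a literal word (the shape quoted from configure later in the thread), where the shell splits only on the default IFS; path_progs_ifs_colon mimics a configure that expands the list with IFS set to ':' (PATH semantics, as Tim describes). Both function names and the sandbox layout are mine, and the executable-extension handling of the real loop is left out.

```shell
#!/bin/sh
# Added example (not OpenSSH code): reproduce both ways a generated configure
# can iterate the directory list given to AC_PATH_PROGS(NROFF, nroff awf, /bin/false, <dirs>).

# Constructed sandbox: a fake nroff under <sandbox>/usr/bin, nothing under usr/ucb.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/usr/bin" "$SANDBOX/usr/ucb"
printf '#!/bin/sh\nexit 0\n' > "$SANDBOX/usr/bin/nroff"
chmod +x "$SANDBOX/usr/bin/nroff"

# Style 1: the list is pasted into the loop as a literal word, so word splitting
# uses the default IFS (space, tab, newline).  A colon-joined list is therefore
# probed as ONE directory name; a space-separated list yields two directories.
path_progs_literal() {
    prog=$1
    dirs=$2
    for as_dir in $dirs; do
        if [ -x "$as_dir/$prog" ]; then
            echo "$as_dir/$prog"
            return 0
        fi
    done
    echo /bin/false            # the fallback value configure.ac passes
}

# Style 2: the list is expanded with IFS=':' (PATH semantics).  A colon-joined
# list splits into directories; a space-separated list becomes one directory
# name that contains a space and is never found.
path_progs_ifs_colon() {
    prog=$1
    dirs=$2
    save_ifs=$IFS
    IFS=:
    for as_dir in $dirs; do
        IFS=$save_ifs          # restore before using the value, as configure does
        if [ -x "$as_dir/$prog" ]; then
            echo "$as_dir/$prog"
            return 0
        fi
    done
    IFS=$save_ifs
    echo /bin/false
}

COLON="$SANDBOX/usr/bin:$SANDBOX/usr/ucb"   # form in the unpatched configure.ac
SPACES="$SANDBOX/usr/bin $SANDBOX/usr/ucb"  # form proposed by the patch

for arg in "$COLON" "$SPACES"; do
    echo "literal loop : [$arg] -> $(path_progs_literal nroff "$arg")"
    echo "IFS=: loop   : [$arg] -> $(path_progs_ifs_colon nroff "$arg")"
done
```

Run as-is, the literal loop only finds nroff with the space-separated list and the IFS=':' loop only with the colon-joined list; each spelling of the argument is right for exactly one generator, which is why checking the autoconf version that produced a given configure matters more than the separator itself.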
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 28 Feb 2002 09:29:39 +0200 (EET)
Subject: PATCH: nroff detection wrong, by default uses mantype=cat
In-Reply-To:
Message-ID:

On Wed, 27 Feb 2002, Tim Rice wrote:
> On Wed, 27 Feb 2002, Pekka Savola wrote:
>
> > Hi,
> >
> > Just tested the latest snapshot on RHL72 via building RPM's of it.
> >
> > Nroff detection was wrong, and if no --with-mantype was specified, the
> > type would always revert to cat. This one-byter fixes it.
>
> > - AC_PATH_PROGS(NROFF, nroff awf, /bin/false, /usr/bin:/usr/ucb)
> + AC_PATH_PROGS(NROFF, nroff awf, /bin/false, /usr/bin /usr/ucb)
>
>
> The test in configure.ac is correct.
> If I test your patch with this striped down configure.ac it fails.
> AC_INIT
> AC_PATH_PROGS(NROFF, nroff awf, /bin/false, /usr/bin /usr/ucb)
> echo $NROFF
> checking for nroff... no
> checking for awf... no
> /bin/false
>
> Leaving the : in (remember, this is a PATH) it works correctly.
> checking for nroff... /usr/bin/nroff
> /usr/bin/nroff

Exactly the opposite happens for me: configure finds /usr/bin/nroff only with the patch.

Please take a look at the configure without a patch:

--8<--
for as_dir in /usr/bin:/usr/ucb
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
  for ac_exec_ext in '' $ac_executable_extensions; do
  if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
    ac_cv_path_NROFF="$as_dir/$ac_word$ac_exec_ext"
    echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5
    break 2
  fi
done
--8<--

the first 'for' seems to make absolutely no sense if there is a ':' there; it seems to look for an executable like '/usr/bin:/usr/ucb/nroff' then?

The contents of config.log don't help either:

configure:14779: checking for nroff
configure:14812: result: no
configure:14779: checking for awf
configure:14812: result: no

Perhaps there is a mismatch in assumptions what autoconf should do and what autoconf does.
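Review bot: the one-character change is correct for one generated configure and wrong for the other, which is why Tim and Pekka get opposite results. In the snippet quoted above the fourth argument is pasted into the loop as a literal word, `for as_dir in /usr/bin:/usr/ucb`, and the shell does not field-split a literal on IFS, so the loop tests the single directory `/usr/bin:/usr/ucb` (hence the `/usr/bin:/usr/ucb/nroff` lookup Pekka suspects) and only the space-separated form, split on the default IFS, finds /usr/bin/nroff; Tim's generated configure must instead expand the argument under a colon IFS, where the colon form works and `/usr/bin /usr/ucb` becomes one directory name containing a space. Before committing either spelling, record in the bug which autoconf version produced each configure and pick a form both versions split the same way, since flipping the separator only moves the breakage to the other autoconf.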
--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security. -- Robert Jordan: A Crown of Swords

From dmanton at emea.att.com Thu Feb 28 22:49:32 2002
From: dmanton at emea.att.com (Manton, Doug)
Date: Thu, 28 Feb 2002 11:49:32 -0000
Subject: UseLogin under AIX 4.3.3
Message-ID:

Hi,

If I enable "UseLogin" under AIX, I get the following message upon login:

/dev/pts/2: 3004-004 You must "exec" login from the lowest login shell.

The manpage states:

"In order to preserve the integrity of the system, only one session at a time is allowed to be logged in to a port. This means that the login command entered from the shell prompt cannot succeed, as both the original session and the new login session would be on the same port. However, the exec login command succeeds because a new shell replaces the current one. The login command is typically a built-in shell command, causing the shell to replace itself."

Any ideas how I could fix this? I wouldn't usually enable this option, but I am trying to PD a problem on a system that will not trust a user account that comes in via SSH and I am hoping that using login will solve the problem.

Many thanks,
Doug Manton, AT&T Business Commercial Security

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020228/feafe7d1/attachment.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2714 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020228/feafe7d1/attachment.bin