From bugzilla-daemon at mindrot.org Mon Jul 1 06:36:44 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 1 Jul 2002 06:36:44 +1000 (EST)
Subject: [Bug 326] New: Bug in AFS token forwarding
Message-ID: <20020630203644.04069E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=326

Summary: Bug in AFS token forwarding
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P4
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: alfw at stanford.edu

There is a bug in the code for getting AFS tokens in function send_afs_tokens() in sshconnect1.c.

Here is how the bug manifests itself: If I have an AFS token that is still valid _and_ one that was valid but is now expired, then AFS token forwarding ignores both tokens instead of forwarding the still valid one. I can reproduce this problem on Red Hat Linux 7.2 systems with OpenSSH-3.4p1 (and probably all older versions) compiled with KTH-Krb4-1.1.1 (this is where the k_pioctl() function comes from; see below). I am using OpenAFS-1.2.5. The same happens on Solaris 8 (OpenSSH-3.4p1, KTH-Krb4-1.1.1, IBM/Transarc AFS).

Here is the cause for the bug: The problem is that k_pioctl() returns -1 and "errno" returns an error code ENOTCONN for _all_ tokens it finds if there is an expired token present. The loop has to continue in this case although the _data_ returned by k_pioctl() is invalid. This invalidness can be checked by comparing the length of the "ClearToken" component with the size of the ClearToken struct. In OpenSSH-3.4p1 this condition is checked in sshconnect1.c line 814. But it is wrong to "break" out of the loop because of this condition. Jumping to the next token is the correct behavior. "errno" returns "EDOM" if all tokens are listed.

Here is a patch that fixes this bug:

--- sshconnect1.c.orig Fri Jun 28 13:25:51 2002
+++ sshconnect1.c Fri Jun 28 13:23:56 2002
@@ -797,7 +797,8 @@ parms.in_size = sizeof(i); parms.out = buf; parms.out_size = sizeof(buf); - if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0) + k_pioctl(0, VIOCGETTOK, &parms, 0); + if(errno == EDOM) break; p = buf; @@ -811,8 +812,7 @@ /* Get clear token. */ memcpy(&len, p, sizeof(len)); - if (len != sizeof(struct ClearToken)) - break; + if (len == sizeof(struct ClearToken)) { p += sizeof(len); memcpy(&ct, p, len); p += len; @@ -848,6 +848,7 @@ debug("AFS token for cell %s rejected.", server_cell); else if (type != SSH_SMSG_SUCCESS) packet_disconnect("Protocol error on AFS tokenresponse: %d", type); + } } } ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From rtidd at speakeasy.net Mon Jul 1 09:27:56 2002 
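Review bot: in the first hunk errno is consulted without being cleared first, so `if(errno == EDOM) break;` can fire on a value left behind by an earlier library call and end the token walk before the last token has been seen; set `errno = 0;` right before `k_pioctl(0, VIOCGETTOK, &parms, 0);` and keep the return value, e.g. `if (k_pioctl(0, VIOCGETTOK, &parms, 0) != 0 && errno == EDOM) break;`, so errno is only trusted when the call actually failed. OpenSSH style also wants the space in `if (errno == EDOM)`.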
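Review bot: the second hunk turns the length test into `if (len == sizeof(struct ClearToken)) {`, and its closing `}` only arrives in the third hunk some forty lines later, leaving the whole enclosed block at its old indentation and the brace hard to pair by eye. Since the report says the right action on a length mismatch is to move on to the next token, replacing the original `break;` with `continue;` gives exactly that without the extra block, provided the loop advances `i` in its for-header (the loop header is not visible in the hunk, so please confirm).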
From: rtidd at speakeasy.net (Randy Tidd)
Date: Sun, 30 Jun 2002 19:27:56 -0400
Subject: Password auth problem with openssh 3.4 and Linux 2.2.20
Message-ID: <008d01c2208d$c4134530$020a0a0a@grungebaby>

After upgrading to openssh-3.4p1, password authentication is no longer working on my system. I'm running Linux RedHat 6.2 with:

kernel 2.2.20
openssh-3.4p1
openssl-0.9.6
pam-0.72-6
pwdb-0.61-0

I've tried it with and without compression, with and without priv sep, and I always get errors like this:

Jun 30 19:07:48 sugarfreejazz sshd[1344]: Failed password for randy from 10.10.10.2 port 4320 ssh2

It worked with openssh-2.9p2. I upgraded because of the CERT advisory. I've double, triple, and quadruple checked my userid, password, SSH client (SecureCRT on Windows 2000), etc. and everything seems to be in order.

I did see this comment in the ChangeLog:

http://www.rpmfind.net//linux/RPM/PLD/dists/nest/test/i386/openssh-3.4p1-2.i386.html

"Revision 1.125 2002/06/26 15:42:57 misiek
- 3.4 (pam still not working)"

Is there a known problem with openssh 3.4 and PAM?

Also I tried compiling openssh without PAM by passing in the "--without-pam" flag to configure but that did not seem to do anything -- "strings /usr/local/sbin/sshd | grep pam" still reveals that it is compiled in. Is there a way to disable or compile without PAM?

Below is the output from sshd -d -d -d. Thanks in advance for any tips/info/advice.

Randy Tidd
rtidd at speakeasy.net

debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Server will not fork when running in debugging mode.
Connection from 10.10.10.2 port 4351
debug1: Client protocol version 2.0; client software version 3.4 SecureCRT
debug1: no match: 3.4 SecureCRT
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
debug2: kex_parse_kexinit: aes128-cbc,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour
debug2: kex_parse_kexinit: aes128-cbc,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 126/256
debug1: bits set: 512/1026
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 515/1026
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user randy service ssh-connection method none
debug1: attempt 0 failures 0
debug3: allowed_user: today 11868 sp_expire -1 sp_lstchg 11868 sp_max 99999
debug3: Trying to reverse map address 10.10.10.2.
debug2: input_userauth_request: setting up authctxt for randy
debug2: input_userauth_request: try method none
Failed none for randy from 10.10.10.2 port 4351 ssh2
debug1: userauth-request for user randy service ssh-connection method password
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method password
Failed password for randy from 10.10.10.2 port 4351 ssh2
debug1: userauth-request for user randy service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
Failed password for randy from 10.10.10.2 port 4351 ssh2
Received disconnect from 10.10.10.2: 13: The user canceled authentication.
debug1: Calling cleanup 0x80683fc(0x0)
From mouring at etoh.eviladmin.org Mon Jul 1 09:33:05 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sun, 30 Jun 2002 18:33:05 -0500 (CDT)
Subject: Password auth problem with openssh 3.4 and Linux 2.2.20
In-Reply-To: <008d01c2208d$c4134530$020a0a0a@grungebaby>
Message-ID:

It works under Mandrake and Redhat 7.x series. The only thing that is currently broken is password changing. So if the password expires it will not allow them to log in.

I have no clue what the PLD people are talking about. I do know that they do some pretty incorrect things in their patches. Much like their patch to allow 2.2 kernels to use compression (openssh-pseudo-mmap.patch). Which is incorrect.

- Ben

On Sun, 30 Jun 2002, Randy Tidd wrote:

> After upgrading to openssh-3.4p1, password authentication is no longer working on my system. I'm running Linux RedHat 6.2 with:
>
> kernel 2.2.20
> openssh-3.4p1
> openssl-0.9.6
> pam-0.72-6
> pwdb-0.61-0
>
> I've tried it with and without compression, with and without priv sep, and I always get errors like this:
>
> Jun 30 19:07:48 sugarfreejazz sshd[1344]: Failed password for randy from 10.10.10.2 port 4320 ssh2
>
> It worked with openssh-2.9p2. I upgraded because of the CERT advisory. I've double, triple, and quadruple checked my userid, password, SSH client (SecureCRT on Windows 2000), etc. and everything seems to be in order.
>
> I did see this comment in the ChangeLog:
>
> http://www.rpmfind.net//linux/RPM/PLD/dists/nest/test/i386/openssh-3.4p1-2.i386.html
>
> "Revision 1.125 2002/06/26 15:42:57 misiek
> - 3.4 (pam still not working)"
>
> Is there a known problem with openssh 3.4 and PAM?
>
> Also I tried compiling openssh without PAM by passing in the "--without-pam" flag to configure but that did not seem to do anything -- "strings /usr/local/sbin/sshd | grep pam" still reveals that it is compiled in. Is there a way to disable or compile without PAM?
>
> Below is the output from sshd -d -d -d. Thanks in advance for any tips/info/advice.
>
> Randy Tidd
> rtidd at speakeasy.net
>
> debug1: sshd version OpenSSH_3.4p1
> debug1: private host key: #0 type 0 RSA1
> debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug3: Not a RSA1 key file /usr/local/etc/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #2 type 2 DSA
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug1: Server will not fork when running in debugging mode.
> Connection from 10.10.10.2 port 4351
> debug1: Client protocol version 2.0; client software version 3.4 SecureCRT
> debug1: no match: 3.4 SecureCRT
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.4p1
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
> debug2: kex_parse_kexinit: ssh-dss,ssh-rsa
> debug2: kex_parse_kexinit: aes128-cbc,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour
> debug2: kex_parse_kexinit: aes128-cbc,aes192-cbc,aes256-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit: none
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit:
> debug2: kex_parse_kexinit: first_kex_follows 0
> debug2: kex_parse_kexinit: reserved 0
> debug2: mac_init: found hmac-md5
> debug1: kex: client->server aes128-cbc hmac-md5 none
> debug2: mac_init: found hmac-md5
> debug1: kex: server->client aes128-cbc hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug1: dh_gen_key: priv key bits set: 126/256
> debug1: bits set: 512/1026
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug1: bits set: 515/1026
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user randy service ssh-connection method none
> debug1: attempt 0 failures 0
> debug3: allowed_user: today 11868 sp_expire -1 sp_lstchg 11868 sp_max 99999
> debug3: Trying to reverse map address 10.10.10.2.
> debug2: input_userauth_request: setting up authctxt for randy
> debug2: input_userauth_request: try method none
> Failed none for randy from 10.10.10.2 port 4351 ssh2
> debug1: userauth-request for user randy service ssh-connection method password
> debug1: attempt 1 failures 1
> debug2: input_userauth_request: try method password
> Failed password for randy from 10.10.10.2 port 4351 ssh2
> debug1: userauth-request for user randy service ssh-connection method password
> debug1: attempt 2 failures 2
> debug2: input_userauth_request: try method password
> Failed password for randy from 10.10.10.2 port 4351 ssh2
> Received disconnect from 10.10.10.2: 13: The user canceled authentication.
>
> debug1: Calling cleanup 0x80683fc(0x0)
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
From mgc8 at totalnet.ro Mon Jul 1 10:45:02 2002
From: mgc8 at totalnet.ro (Mihnea-Costin Grigore)
Date: Mon, 1 Jul 2002 03:45:02 +0300 (EEST)
Subject: Memory allocation gone awry with OpenSSH 3.(3,4)p1
Message-ID:

Hello,

I have recently upgraded from an older version of OpenSSH to the newer 3.3p1 (first) and now to 3.4p1 - because of the discovered vulnerabilities. The default setting for these versions is to use privilege separation, and this seems to trigger some weird bug with my systems, causing sshd to consume memory until it barfs. Details:

1. OpenSSH 3.3p1, privsep on, compression on: after authenticating someone, consumes all the available memory, eventually is killed by the kernel. If privsep or compression are off, everything is working fine; also, when logging in with another client (putty instead of ssh from the same release) everything seems to be working fine (could not get it to crash with putty).

2. OpenSSH 3.4p1 - same behaviour, except now there is a limit to the memory sshd tries to alloc, and it just dies with "fatal: buffer_append_space: alloc 10506240 not supported" anytime privsep is on and compression is on.

After some digging, we were able to trace the problem to "buffer_uncompress" in compress.c - it seems that in some circumstances the inflate call returns Z_OK and incoming_stream.avail_out == 0, thus the program alloc's another sizeof(buf)-0 = 4096 bytes for the output_buffer, then repeats the call to inflate, which again returns status==0 and avail_out==0, thus entering an infinite loop.

This is what happens under strace:

=====[cut here]=====
[pid 8379] old_mmap(NULL, 151552, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x404cc000
[pid 8379] mremap(0x404cc000, 151552, 188416, MREMAP_MAYMOVE) = 0x404cc000
[pid 8379] mremap(0x404cc000, 188416, 225280, MREMAP_MAYMOVE) = 0x404cc000
[pid 8379] mremap(0x404cc000, 225280, 262144, MREMAP_MAYMOVE) = 0x404cc000
[pid 8379] mremap(0x404cc000, 262144, 299008, MREMAP_MAYMOVE) = 0x404cc000
[pid 8379] mremap(0x404cc000, 299008, 335872, MREMAP_MAYMOVE) = 0x404cc000
[... and so on, until the limit is reached or memory is full ...]
=====[and here]=====

Note the 151552 value, which is always the same when the program crashes and never appears when it doesn't...

All of this leads me to believe that there is a bug in the "custom" memory allocating functions passed to zlib's inflate, and it is only triggered in some (peculiar) circumstances.

The bug was reproduced on the following systems:
1. Linux 2.4.19-pre8 kernel, glibc 2.2.0, gcc 2.95.3, zlib 1.1.3
2. Linux 2.4.18 kernel, glibc 2.2.0, gcc 2.95.3, zlib 1.1.4

It was not possible to reproduce the bug on these systems:
1. Linux 2.4.19-pre9-ac2 kernel, glibc 2.2.5, gcc 3.0.4, zlib 1.1.4
2. Linux 2.4.17-ac3 kernel, glibc 2.2.0, gcc 2.95.2/egcs 1.1.2, zlib 1.1.4

In all the configurations the same compile-options were used, with and without optimizations, without any effect on the results.

Hope we can solve this somehow... I can provide additional data/tests if required.

Regards,
--
Mihnea-Costin Grigore [ "Tenebus Ipsilo Ibinem Catehens" ]
E-mail: mgc8 at totalnet.ro
Home Page: http://mgc8.virtualave.net
From su at b-q-c.com Mon Jul 1 12:48:21 2002
From: su at b-q-c.com (Simon Urbanek)
Date: Mon, 01 Jul 2002 04:48:21 +0200
Subject: patch: readline support for sftp
Message-ID: <3D1FC2F5.CA0BDAA3@b-q-c.com>

Hello,

I hope this is the right place to post this.

I added readline support to the sftp client. It adds optional --with-readline parameter for configure to enable this feature. You'll of course need to re-run autoheader and autoconf after applying this patch.

It's patched against 3.4p1 but should work with any recent openssh. It works fine for me (GNU/Linux) - feel free to test it and maybe include it in the main tree since I think many ppl will find this useful. The config test for readline is rather hacked by myself so I'm not sure if anything special except for readline headers, libs and termcap or curses are needed. If someone feels like replacing it with more generic readline detection, feel free.

Please CC any comments to my e-mail address since I'm not on the mailing list. Thanks.

Simon

--
Simon Urbanek

---------------------------------------------------------
e-mail : Simon at Urbanek.info
ICQ : 41784514
Homepage: http://simon.urbanek.info/

Air conditioned environment, do not open Windows !
... use Linux !
---------------------------------------------------------

-------------- next part --------------
diff -Nru openssh-3.4p1/Makefile.in openssh-3.4p1.readline/Makefile.in --- openssh-3.4p1/Makefile.in Wed Jun 26 01:45:42 2002 +++ openssh-3.4p1.readline/Makefile.in Mon Jul 1 04:14:05 2002 @@ -42,6 +42,7 @@ CFLAGS=@CFLAGS@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ LIBS=@LIBS@ +SFTPLIB=@SFTPLIB@ LIBPAM=@LIBPAM@ LIBWRAP=@LIBWRAP@ AR=@AR@
@@ -138,7 +139,7 @@ $(LD) -o $@ sftp-server.o sftp-common.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-int.o sftp-common.o sftp-glob.o - $(LD) -o $@ sftp.o sftp-client.o sftp-common.o sftp-int.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) + $(LD) -o $@ sftp.o sftp-client.o sftp-common.o sftp-int.o sftp-glob.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(SFTPLIB) ssh-rand-helper${EXEEXT}: $(LIBCOMPAT) libssh.a ssh-rand-helper.o $(LD) -o $@ ssh-rand-helper.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) diff -Nru openssh-3.4p1/configure.ac openssh-3.4p1.readline/configure.ac --- openssh-3.4p1/configure.ac Wed Jun 26 00:35:16 2002 +++ openssh-3.4p1.readline/configure.ac Mon Jul 1 04:13:58 2002 @@ -23,6 +23,8 @@ AC_PATH_PROG(TEST_MINUS_S_SH, sh) AC_PATH_PROG(SH, sh) +SFTPLIB="" + # System features AC_SYS_LARGEFILE 
@@ -477,6 +479,51 @@ ] ) +# Check for readline support +READLINE="no" +AC_ARG_WITH(readline, + [ --with-readline Enable redline support], + [ + if test "x$withval" == "xyes" ; then + AC_CHECK_HEADERS(readline/readline.h readline/history.h, + AC_DEFINE(HAS_READLINE, 1, [If defined sftp uses readline library for user input.]), + [AC_MSG_RESULT(no) + AC_MSG_ERROR([** Cannot locate readline include files]) + ]) + + SFTPLIB="-lreadline" + AC_CHECK_LIB(ncurses, tputs, SFTPLIB="-lncurses $SFTPLIB" , + [AC_CHECK_LIB(curses, tputs, SFTPLIB="-lcurses $SFTPLIB" , + [AC_CHECK_LIB(termcap, tputs, SFTPLIB="-ltermcap $SFTPLIB") + ]) + ]) + + PRESERVE_LIBS="$LIBS" + LIBS="$LIBS $SFTPLIB" + AC_MSG_CHECKING([for readline support]) + AC_TRY_RUN( + [ +#include +#include +#include +int main() { add_history(rl_library_version); return 0; } + ], + [AC_MSG_RESULT(yes) + READLINE="yes" + ], + [ + AC_MSG_RESULT(no) + AC_MSG_ERROR([** Failed to compile small readline program]) + ]) + LIBS="$PRESERVE_LIBS" + else + READLINE="no" + fi + ] +) + +AC_SUBST(SFTPLIB) + # Check whether user wants S/Key support SKEY_MSG="no" AC_ARG_WITH(skey, @@ -2398,6 +2445,7 @@ echo " sshd superuser user PATH: $J" fi echo " Manpage format: $MANTYPE" +echo " readline support: $READLINE" echo " PAM support: ${PAM_MSG}" echo " KerberosIV support: $KRB4_MSG" echo " KerberosV support: $KRB5_MSG" @@ -2423,6 +2471,7 @@ echo "Preprocessor flags: ${CPPFLAGS}" echo " Linker flags: ${LDFLAGS}" echo " Libraries: ${LIBWRAP} ${LIBPAM} ${LIBS}" +echo " sftp libraries: ${SFTPLIB} ${LIBS}" echo "" diff -Nru openssh-3.4p1/sftp-int.c openssh-3.4p1.readline/sftp-int.c --- openssh-3.4p1/sftp-int.c Sun Jun 23 23:27:19 2002 +++ openssh-3.4p1.readline/sftp-int.c Mon Jul 1 04:14:20 2002 @@ -39,6 +39,11 @@ #include "sftp-client.h" #include "sftp-int.h" +#ifdef HAS_READLINE +#include +#include +#endif + /* File to read commands from */ extern FILE *infile; 
@@ -902,15 +907,26 @@ for (;;) { char *cp; - - printf("sftp> "); - - /* XXX: use libedit */ - if (fgets(cmd, sizeof(cmd), infile) == NULL) { - printf("\n"); - break; - } else if (infile != stdin) /* Bluff typing */ - printf("%s", cmd); +#ifdef HAS_READLINE + char *rl; + if (infile == stdin) { + rl=readline("sftp> "); + if (rl && *rl) add_history(rl); + strncpy(cmd,rl,sizeof(cmd)-1); + cmd[sizeof(cmd)-1]=0; + } else { +#endif + printf("sftp> "); + + /* XXX: use libedit */ + if (fgets(cmd, sizeof(cmd), infile) == NULL) { + printf("\n"); + break; + } else if (infile != stdin) /* Bluff typing */ + printf("%s", cmd); +#ifdef HAS_READLINE + }; +#endif cp = strrchr(cmd, '\n'); if (cp) From mouring at etoh.eviladmin.org Mon Jul 1 12:43:35 2002 
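Review bot: in the configure.ac hunk, `test "x$withval" == "xyes"` relies on `==`, which is a bash extension and not accepted by a POSIX `test`, so a configure run under plain sh fails this branch; use `=`. The help string `Enable redline support` misspells readline, and the symbol `HAS_READLINE` breaks with the `HAVE_` prefix autoconf and the rest of the build use, so `HAVE_READLINE` would be the expected name.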
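Review bot: in the sftp-int.c hunk, `rl=readline("sftp> ");` returns NULL on end of file, but the next statements are `if (rl && *rl) add_history(rl);` followed unconditionally by `strncpy(cmd,rl,sizeof(cmd)-1);`, so Ctrl-D at the prompt dereferences a null pointer where the fgets branch below takes the `printf("\n"); break;` path; add `if (rl == NULL) { printf("\n"); break; }` before the copy. The string readline() hands back is heap-allocated and is never released, so every command leaks it; `free(rl)` after the copy. The `};` that closes the `else` also carries a stray semicolon.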
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sun, 30 Jun 2002 21:43:35 -0500 (CDT)
Subject: patch: readline support for sftp
In-Reply-To: <3D1FC2F5.CA0BDAA3@b-q-c.com>
Message-ID:

Umm.. Minus the configure.ac stuff, the patch at:

http://bugzilla.mindrot.org/show_bug.cgi?id=200

is more complete.

- Ben

On Mon, 1 Jul 2002, Simon Urbanek wrote:

> Hello,
>
> I hope this is the right place to post this.
>
> I added readline support to the sftp client. It adds optional --with-readline parameter for configure to enable this feature. You'll of course need to re-run autoheader and autoconf after applying this patch.
>
> It's patched against 3.4p1 but should work with any recent openssh. It works fine for me (GNU/Linux) - feel free to test it and maybe include it in the main tree since I think many ppl will find this useful. The config test for readline is rather hacked by myself so I'm not sure if anything special except for readline headers, libs and termcap or curses are needed. If someone feels like replacing it with more generic readline detection, feel free.
>
> Please CC any comments to my e-mail address since I'm not on the mailing list. Thanks.
>
> Simon
>
> --
> Simon Urbanek
>
> ---------------------------------------------------------
> e-mail : Simon at Urbanek.info
> ICQ : 41784514
> Homepage: http://simon.urbanek.info/
>
> Air conditioned environment, do not open Windows !
> ... use Linux !
> ---------------------------------------------------------
>
From m_krivacek_spam at myrealbox.com Mon Jul 1 13:58:10 2002
From: m_krivacek_spam at myrealbox.com (Michael Krivacek)
Date: Sun, 30 Jun 2002 22:58:10 -0500 (CDT)
Subject: RTFM Help on Privilege Separation Programming
In-Reply-To:
Message-ID:

Hi,

This is my first try at programming with OpenSSH. I am working on porting Securid Authentication to OpenSSH. I have been using the current code for S/Key support as my basis for what I need to modify. The non-privileged code seemed fairly straightforward on what was needed for each of the KbdintDevice functions (i.e. init_ctx, query, respond, etc.). I have a system that works pretty well for non-privilege separation mode.

Now I am trying to get my mind around the separation mode function requirements. Can one safely say that the S/Key code is complete in the portable 3.4.0p1 release?

Thanks,
Michael Krivacek
--
From jmknoble at pobox.com Mon Jul 1 15:16:34 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Mon, 1 Jul 2002 01:16:34 -0400
Subject: Password auth problem with openssh 3.4 and Linux 2.2.20
In-Reply-To: <008d01c2208d$c4134530$020a0a0a@grungebaby>; from rtidd@speakeasy.net on Sun, Jun 30, 2002 at 07:27:56PM -0400
References: <008d01c2208d$c4134530$020a0a0a@grungebaby>
Message-ID: <20020701011634.A6111@quipu.half.pint-stowp.cx>

Circa 2002-Jun-30 19:27:56 -0400 dixit Randy Tidd:

: After upgrading to openssh-3.4p1, password authentication is no longer working on my system. I'm running Linux RedHat 6.2 with:
:
: kernel 2.2.20
: openssh-3.4p1
: openssl-0.9.6
: pam-0.72-6

You should upgrade to pam-0.72-20.6.x (from RH's FTP site).

: pwdb-0.61-0
:
: I've tried it with and without compression, with and without priv sep, and I always get errors like this:
:
: Jun 30 19:07:48 sugarfreejazz sshd[1344]: Failed password for randy from 10.10.10.2 port 4320 ssh2

Questions:

- Did you build your openssh-3.4p1 by hand, or did you build an RPM package from the source RPM at ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/rpm/SRPMS/ ?

- Is your system configured to use MD5 passwords (via /usr/sbin/authconfig)? If so, and if you built OpenSSH by hand, did you configure OpenSSH with support for MD5 passwords?

- Did you have 'StrictModes no' in your old sshd_config? Do you have 'StrictModes yes' in the new one (or is it commented out, since 'yes' is the default)? Have you double-checked the permissions on your home directory and your ~/.ssh/ directory on the server you're trying to log into?

- Set up a dummy (i.e., temporary) user account on the server, making sure the home directory is created and has mode 0700 (drwx------). Are you able to successfully log in as the dummy user?

: It worked with openssh-2.9p2.[...]
:
: I did see this comment in the ChangeLog:
:
: http://www.rpmfind.net//linux/RPM/PLD/dists/nest/test/i386/openssh-3.4p1-2.i386.html
:
: "Revision 1.125 2002/06/26 15:42:57 misiek
: - 3.4 (pam still not working)"

That changelog appears to be from an RPM package built by PLD (the Polish Linux Distribution). Is that where you got the new OpenSSH you installed that isn't working? I'd recommend you get it from the ftp.openssh.com site rather than somewhere else.

: Is there a known problem with openssh 3.4 and PAM?

Not on Red Hat Linux 6.2. It's working fine at three or four different installations that i'm aware of at this very moment, including the machine i'm writing this from.

: Also I tried compiling openssh without PAM by passing in the "--without-pam" flag to configure but that did not seem to do anything -- "strings /usr/local/sbin/sshd | grep pam" still reveals that it is compiled in. Is there a way to disable or compile without PAM?

Are you certain that /usr/local/sbin/sshd is the freshly installed sshd? Or did it get installed somewhere else? If you were using the PLD RPM package, it is quite likely that sshd ended up as /usr/sbin/sshd instead.

Unless you have unusual requirements (e.g., special patches, AFS libraries, etc.) i would very much recommend rebuilding from the source RPM from ftp.openssh.com as follows:

rpm --rebuild --define='build_6x=1' openssh-3.4p1-1.src.rpm

Then you can install the resulting binary RPM packages.

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 249 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020701/9c9d4ed2/attachment.bin
From bugzilla-daemon at mindrot.org Mon Jul 1 18:39:52 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 1 Jul 2002 18:39:52 +1000 (EST)
Subject: [Bug 327] New: monitor_fdpass.c: Expected 1 got 1075033556 - Privilege Separation
Message-ID: <20020701083952.1DC73E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=327

Summary: monitor_fdpass.c: Expected 1 got 1075033556 - Privilege Separation
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: major
Priority: P2
Component: Miscellaneous
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: dazo at netcom.no

When enabling the Privilege separation, I get this message in line 117 (monitor_fdpass.c,v 1.3 2002/06/04 23:05:49 markus Exp $)

It works ok on Linux 2.4.18 but not on 2.0.36 (Yes, I know I should upgrade)

How can I help you to sort this out? I wasn't able to locate where CMSG_FIRSTHDR(...) was defined or struct cmsghdr

dazo

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From markus at openbsd.org Mon Jul 1 19:02:52 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 1 Jul 2002 11:02:52 +0200
Subject: Disabling compression in sshd causes problems
In-Reply-To: <20020627122625.A2524@em.ca>
References: <20020627122625.A2524@em.ca>
Message-ID: <20020701090252.GC9947@folly>

On Thu, Jun 27, 2002 at 12:26:25PM -0600, Bruce Guenter wrote:
> Am I mistaken in thinking that disabling compression on the server would
> simply silently disable compression for all connections to that server?

not if the client really wants compression, as in your case.

From binder at arago.de Mon Jul 1 19:15:57 2002
From: binder at arago.de (Thomas Binder)
Date: Mon, 1 Jul 2002 11:15:57 +0200
Subject: Disabling compression in sshd causes problems
In-Reply-To: <20020701090252.GC9947@folly>; from markus@openbsd.org on Mon, Jul 01, 2002 at 11:02:52AM +0200
References: <20020627122625.A2524@em.ca> <20020701090252.GC9947@folly>
Message-ID: <20020701111557.B1475859@ohm.arago.de>

Hi!

On Mon, Jul 01, 2002 at 11:02:52AM +0200, Markus Friedl wrote:
> On Thu, Jun 27, 2002 at 12:26:25PM -0600, Bruce Guenter wrote:
> > Am I mistaken in thinking that disabling compression on the
> > server would simply silently disable compression for all
> > connections to that server?
>
> not if the client really wants compression, as in your case.

But shouldn't the behaviour be consistent across protocol versions? If I use ssh -1 -C to connect to a server that has compression disabled, I only get a warning, but the client connects fine. If I use ssh -2 -C, the connection attempt fails.

It's easy to patch sshconnect2.c to not fail when the server does not support compression, but it seems such a patch won't be accepted.

Ciao

Thomas

From markus at openbsd.org Mon Jul 1 19:52:35 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 1 Jul 2002 11:52:35 +0200
Subject: Disabling compression in sshd causes problems
In-Reply-To: <20020701111557.B1475859@ohm.arago.de>
References: <20020627122625.A2524@em.ca> <20020701090252.GC9947@folly> <20020701111557.B1475859@ohm.arago.de>
Message-ID: <20020701095235.GA6998@folly>

On Mon, Jul 01, 2002 at 11:15:57AM +0200, Thomas Binder wrote:
> But shouldn't the behaviour be consistent across protocol
> versions? If I use ssh -1 -C to connect to a server that has
> compression disabled, I only get a warning, but the client
> connects fine. If I use ssh -2 -C, the connection attempt fails.

ok, then i'll change ssh -2 to match this behaviour.

do we really need the warning?

From binder at arago.de Mon Jul 1 20:10:49 2002
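The SSH2 name-list rule behind the behaviour discussed above (ssh -2 -C failing against a server with compression disabled, and a "zlib,none" proposal connecting without compression instead), as an added Python example that is not part of the thread or of OpenSSH. The client proposals "zlib" (with -C) and "none" are the ones in the sshconnect2.c hunk posted in the next message; the server's "none,zlib" list for the compression-enabled case is an assumption about sshd's default.

```python
"""SSH2 compression negotiation for the ssh -C cases discussed above.

Constructed example, not OpenSSH code. It applies the SSH transport
name-list rule: each side sends a comma-separated, preference-ordered
list; the chosen algorithm is the first name in the client's list that
the server also lists, and key exchange fails when there is none.
"""
from typing import NamedTuple, Optional


class CompNegotiation(NamedTuple):
    algorithm: Optional[str]  # negotiated compression, None if no match
    requested_zlib: bool      # the client was started with -C

    @property
    def failed(self) -> bool:
        """No common algorithm: the connection attempt is aborted."""
        return self.algorithm is None

    @property
    def silently_degraded(self) -> bool:
        """Compression was requested but 'none' came out of negotiation.

        ssh -1 -C prints a warning in this situation; a 'zlib,none'
        proposal alone connects without saying anything, which is the
        point raised in the thread."""
        return self.requested_zlib and self.algorithm == "none"


def parse_name_list(name_list: str) -> list:
    """Split a name-list, dropping empty entries."""
    return [name for name in name_list.split(",") if name]


def pick_first_common(client: str, server: str) -> Optional[str]:
    """First name in the client's list that the server also offers."""
    offered = set(parse_name_list(server))
    for name in parse_name_list(client):
        if name in offered:
            return name
    return None


def client_comp_proposal(compression: bool, fallback_to_none: bool) -> str:
    """Client proposal.

    'zlib' / 'none' are the values in the sshconnect2.c hunk posted in
    this thread; 'zlib,none' is the fallback that patch introduces."""
    if not compression:
        return "none"
    return "zlib,none" if fallback_to_none else "zlib"


def server_comp_proposal(compression: bool) -> str:
    """Server proposal: 'none' when sshd_config has 'Compression no'.

    'none,zlib' for the enabled case is an assumption about sshd's
    default list, not taken from the thread."""
    return "none,zlib" if compression else "none"


def negotiate(client_comp: bool, server_comp: bool,
              fallback: bool = False) -> CompNegotiation:
    """Negotiate the compression algorithm for one client/server pairing."""
    chosen = pick_first_common(client_comp_proposal(client_comp, fallback),
                               server_comp_proposal(server_comp))
    return CompNegotiation(algorithm=chosen, requested_zlib=client_comp)


if __name__ == "__main__":
    # ssh -2 -C against 'Compression no': the failure reported in the thread.
    print("zlib vs none      ->", negotiate(True, False))
    # Same server, client proposing 'zlib,none': connects, compression dropped.
    print("zlib,none vs none ->", negotiate(True, False, fallback=True))
    # Server allows compression: the client's first preference, zlib, wins.
    print("zlib,none vs both ->", negotiate(True, True, fallback=True))
```

The `silently_degraded` flag is the condition a warning after key exchange would test, which is what the -1 path already reports.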
From: binder at arago.de (Thomas Binder) Date: Mon, 1 Jul 2002 12:10:49 +0200 Subject: Disabling compression in sshd causes problems In-Reply-To: <20020701095235.GA6998@folly>; from markus@openbsd.org on Mon, Jul 01, 2002 at 11:52:35AM +0200 References: <20020627122625.A2524@em.ca> <20020701090252.GC9947@folly> <20020701111557.B1475859@ohm.arago.de> <20020701095235.GA6998@folly> Message-ID: <20020701121049.D1475859@ohm.arago.de>

Hi!

On Mon, Jul 01, 2002 at 11:52:35AM +0200, Markus Friedl wrote:
> ok, then i'll change ssh -2 to match this behaviour.

Tnx!

> do we really need the warning?

I don't, but some users will possibly disagree on that. For those who do not need a warning message, the attached mini-patch will do. Note, though, that I haven't yet checked whether it has some unexpected side effects.

Ciao

Thomas

-- 
Promptness is its own reward, if one lives by the clock instead of the sword.

-------------- next part --------------
*** openssh-3.4p1.orig/sshconnect2.c Sun Jun 23 23:23:21 2002 --- openssh-3.4p1/sshconnect2.c Mon Jul 1 11:08:52 2002 *************** *** 95,101 **** compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); if (options.compression) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = ! myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib"; } else { myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; --- 95,101 ---- compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_STOC]); if (options.compression) { myproposal[PROPOSAL_COMP_ALGS_CTOS] = ! myproposal[PROPOSAL_COMP_ALGS_STOC] = "zlib,none"; } else { myproposal[PROPOSAL_COMP_ALGS_CTOS] = myproposal[PROPOSAL_COMP_ALGS_STOC] = "none"; From hubertus.haniel at db.com Mon Jul 1 21:02:45 2002 
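Review bot: the fallback introduced by the "zlib,none" hunk is silent, which only half restores the parity with protocol 1 that was agreed above: ssh -1 -C still warns when the server refuses compression, while this change leaves a -C user with no indication that the session came up uncompressed. Because the first name in the client's list that the server also lists is the one chosen, "zlib,none" is the right order; but after negotiation, when options.compression is set and the chosen compression algorithm is "none", emit at least a debug-level message so the user can tell why -C had no effect. The cover note says side effects are unchecked; the thing to verify is that nothing later in the client assumes the negotiated compression name equals what options.compression requested.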
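The thread compares ssh -1 -C (a warning, then the connection proceeds) with ssh -2 -C (the connection fails) against a server that has compression disabled, and Thomas's patch changes the client proposal to "zlib,none". What follows is an added example, not OpenSSH code and not from any post here: it models the SSH2 name-list rule the fix relies on (the first client-preferred name that the server also lists wins, otherwise negotiation fails) so both outcomes can be reproduced without a server. The function names and the flag standing in for the -C option are this example's own.

```c
/* Added example, not OpenSSH code. Models SSH2 name-list negotiation: the
 * first name in the client's comma-separated proposal that the server also
 * lists is selected; no common name means the connection fails. Names of
 * functions here are this example's own, not OpenSSH's. */
#include <stdio.h>
#include <string.h>

/* Does the comma-separated `list` contain the whole token `name`? */
static int list_contains(const char *list, const char *name, size_t namelen) {
    const char *p = list;
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len == namelen && memcmp(p, name, len) == 0)
            return 1;
        if (comma == NULL)
            break;
        p = comma + 1;
    }
    return 0;
}

/* First name in the client's list that the server also supports. Copies it
 * into out (NUL-terminated) and returns out; returns NULL when the lists
 * share nothing, which in SSH2 key exchange aborts the connection. */
const char *negotiate_alg(const char *client, const char *server,
                          char *out, size_t outsz) {
    const char *p = client;
    while (*p != '\0') {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        if (len > 0 && len < outsz && list_contains(server, p, len)) {
            memcpy(out, p, len);
            out[len] = '\0';
            return out;
        }
        if (comma == NULL)
            break;
        p = comma + 1;
    }
    return NULL;
}

/* 1 if the user asked for compression (the -C flag, modelled as `wanted`)
 * but the fallback left it off: the condition protocol 1 warns about. */
int compression_silently_dropped(int wanted, const char *chosen) {
    return wanted && chosen != NULL && strcmp(chosen, "none") == 0;
}

int main(void) {
    char buf[32];
    const char *server = "none";   /* sshd running with Compression no */
    const char *c;

    c = negotiate_alg("zlib", server, buf, sizeof buf);
    printf("client proposes \"zlib\":      %s\n",
           c ? c : "no common algorithm, connection fails");
    c = negotiate_alg("zlib,none", server, buf, sizeof buf);
    printf("client proposes \"zlib,none\": %s%s\n", c ? c : "no match",
           compression_silently_dropped(1, c) ?
           " (requested compression quietly dropped)" : "");
    return 0;
}
```

The second case is exactly what the patch produces; compression_silently_dropped() is where a client would hook the debug-level notice that keeps the protocol 2 behaviour discoverable.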
From: hubertus.haniel at db.com (Hubertus A. Haniel) Date: Mon, 01 Jul 2002 12:02:45 +0100 Subject: 3.4p1 X forwarding under AIX Message-ID: <3D2036D5.7040806@db.com> Anybody seen this error before and know how to fix it? I only seem to get this under AIX (AIX 4.2.1 - haven't tried higher levels yet). I have not seen this under Solaris and Linux yet. debug1: Received X11 open request. debug1: fd 4 setting O_NONBLOCK debug1: fd 4 IS O_NONBLOCK debug1: channel 0: new [X11 connection from 127.0.0.1 port 3419] debug1: X11 connection uses different authentication protocol. debug1: X11 rejected 0 i1/o16 debug1: channel 0: read failed debug1: channel 0: input open -> drain debug1: channel 0: close_read debug1: channel 0: input: no drain shortcut debug1: channel 0: ibuf empty debug1: channel 0: input drain -> wait_oclose debug1: channel 0: send ieof debug1: channel 0: write failed debug1: channel 0: output open -> wait_ieof debug1: channel 0: send oclose debug1: channel 0: close_write debug1: X11 closed 0 i4/o64 debug1: channel 0: rcvd oclose debug1: channel 0: input wait_oclose -> closed debug1: channel 0: rcvd ieof debug1: channel 0: non-open channel 0: istate 8 != open channel 0: ostate 64 != open XIO: fatal IO error 32 (Broken pipe) on X server "localhost:11.0" after 0 requests (0 known processed) with 0 events remaining. The connection was probably broken by a server shutdown or KillClient. -- Hubertus A. Haniel Unix Engineering Deutsche Bank AG London From des at ofug.org Mon Jul 1 21:31:03 2002 
From: des at ofug.org (Dag-Erling Smorgrav) Date: 01 Jul 2002 13:31:03 +0200 Subject: [Bug 315] New: add miissing includes and defines for FREEBSD In-Reply-To: <20020628055058.9D82CE881@shitei.mindrot.org> References: <20020628055058.9D82CE881@shitei.mindrot.org> Message-ID: bugzilla-daemon at mindrot.org writes: > Summary: add miissing includes and defines for FREEBSD This is bogus; FreeBSD does not need this patch. Dirk, could you please coordinate your porting efforts with me? DES -- Dag-Erling Smorgrav - des at ofug.org From binder at arago.de Mon Jul 1 21:47:15 2002 From: binder at arago.de (Thomas Binder) Date: Mon, 1 Jul 2002 13:47:15 +0200 Subject: 3.4p1 X forwarding under AIX In-Reply-To: <3D2036D5.7040806@db.com>; from hubertus.haniel@db.com on Mon, Jul 01, 2002 at 12:02:45PM +0100 References: <3D2036D5.7040806@db.com> Message-ID: <20020701134714.A1564649@ohm.arago.de> Hi! On Mon, Jul 01, 2002 at 12:02:45PM +0100, Hubertus A. Haniel wrote: > Anybody seen this error before and know how to fix it? I only > seem to get this under AIX (AIX 4.2.1 - haven't tried higher > levels yet). I have not seen this under Solaris and Linux yet. Try using X11UseLocalhost no in sshd_config. Does it make any difference? Ciao Thomas From hubertus.haniel at db.com Mon Jul 1 22:00:42 2002 From: hubertus.haniel at db.com (Hubertus A. Haniel) Date: Mon, 01 Jul 2002 13:00:42 +0100 Subject: 3.4p1 X forwarding under AIX References: <3D2036D5.7040806@db.com> Message-ID: <3D20446A.4020609@db.com> >Try using > >X11UseLocalhost no > >in sshd_config. Does it make any difference? Thanx for that - appears to work -- Hubertus A. Haniel Unix Engineering Deutsche Bank AG London Tel.: +44 (20) 754 76603 Mobile: +44 (7785) 395511 From bugzilla-daemon at mindrot.org Mon Jul 1 23:00:59 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 1 Jul 2002 23:00:59 +1000 (EST) Subject: [Bug 306] ssh on Tru64 returns " Name does not resolv to supplied parameters" Message-ID: <20020701130059.26EF9E8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=306 ------- Additional Comments From jakari at bithose.com 2002-07-01 23:00 ------- Confirmed that ./configure --with-ipv4-default fixes the problem, thanks. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From Tino.Barden at t-systems.com Mon Jul 1 23:04:29 2002 
From: Tino.Barden at t-systems.com (Barden, Tino) Date: Mon, 1 Jul 2002 15:04:29 +0200 Subject: recursive scp fails on ReliantUNIX 5.43 (using OpenSSH 3.4p1) Message-ID: <3E808E5ADB5BD511929E0800060D9B79288115@U8P14.blf01.telekom.de>

Hi,

I have tried to make a recursive scp from a ReliantUNIX machine to another UNIX machine and got an infinite loop on the source machine. A "normal" scp works well. Also strange is that the first two letters of the directory respectively file name are missing in the output below. The destination machine produces a directory structure with growing subdirectory names.

Below you can see the output of the test scenario:

**************************************************************************
XYZ $ ls -lR dir_ssh_test
Gesamt 8
drwxr-x---   2 user1    users         96 Jul  1 08:51 dir_a
drwxr-x---   2 user1    users         96 Jul  1 08:52 dir_b
-r--r-----   1 user1    users       2590 Jul  1 08:50 file_1
-rw-r-----   1 user1    users        400 Jul  1 08:50 file_2

dir_ssh_test/dir_a:
Gesamt 8
-r--r-----   1 user1    users       2590 Jul  1 08:51 file_1a
-rw-r-----   1 user1    users        400 Jul  1 08:51 file_2a

dir_ssh_test/dir_b:
Gesamt 8
-r--r-----   1 user1    users       2590 Jul  1 08:52 file_1b
-rw-r-----   1 user1    users        400 Jul  1 08:51 file_2b

XYZ $ scp dir_ssh_test/file_1 XYZ:/tmp
file_1               100% |*****************************|  2590       00:00

XYZ $ scp -r dir_ssh_test XYZ:/tmp
dir_ssh_test: Too many open files
dir_ssh_test: Too many open files
dir_ssh_test/le_1: No such file or directory
dir_ssh_test/le_2: No such file or directory
dir_ssh_test/r_b: No such file or directory
dir_ssh_test/r_a: No such file or directory
dir_ssh_test: Too many open files
dir_ssh_test: Too many open files
dir_ssh_test/le_1: No such file or directory
dir_ssh_test/le_2: No such file or directory
dir_ssh_test/r_b: No such file or directory
dir_ssh_test/r_a: No such file or directory
dir_ssh_test/le_1: No such file or directory
dir_ssh_test/le_2: No such file or directory
dir_ssh_test/r_b: No such file or directory
dir_ssh_test/r_a: No such file or directory
dir_ssh_test: Too many open files
dir_ssh_test: Too many open files
dir_ssh_test/le_1: No such file or directory
dir_ssh_test/le_2: No such file or directory
dir_ssh_test/r_b: No such file or directory
dir_ssh_test/r_a: No such file or directory
dir_ssh_test: Too many open files
dir_ssh_test: Too many open files
dir_ssh_test/le_1: No such file or directory
dir_ssh_test/le_2: No such file or directory
dir_ssh_test/r_b: No such file or directory
dir_ssh_test/r_a: No such file or directory
dir_ssh_test/le_1: No such file or directory
dir_ssh_test/le_2: No such file or directory
XYZ $ Killed

XYZ $ ls -lR /tmp/dir_ssh_test
Gesamt 0
drwxr-x---   3 user1    users         96 Jul  1 09:01 dir_ssh_test

/tmp/dir_ssh_test/dir_ssh_test:
Gesamt 0
drwxr-x---   3 user1    users         96 Jul  1 09:01 dir_ssh_test

/tmp/dir_ssh_test/dir_ssh_test/dir_ssh_test:
Gesamt 0
drwxr-x---   3 user1    users         96 Jul  1 09:01 dir_ssh_test

/tmp/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test:
Gesamt 0
drwxr-x---   3 user1    users         96 Jul  1 09:01 dir_ssh_test

/tmp/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test:
Gesamt 0
drwxr-x---   3 user1    users         96 Jul  1 09:01 dir_ssh_test

/tmp/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test:
Gesamt 0
drwxr-x---   3 user1    users         96 Jul  1 09:01 dir_ssh_test

/tmp/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test:
Gesamt 0
drwxr-x---   3 user1    users         96 Jul  1 09:01 dir_ssh_test

/tmp/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test:
Gesamt 0
drwxr-x---   3 user1    users         96 Jul  1 09:01 dir_ssh_test

/tmp/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test:
Gesamt 0
drwxr-x---   3 user1    users         96 Jul  1 09:01 dir_ssh_test

/tmp/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test:
Gesamt 0
drwxr-x---   3 user1    users         96 Jul  1 09:01 dir_ssh_test

/tmp/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test/dir_ssh_test:
Gesamt 0
drwxr-x---   3 user1    users         96 Jul  1 09:01 dir_ssh_test
**************************************************************************

Does anybody have a solution for this problem?

Regards,
Tino

From markus at openbsd.org Tue Jul 2 02:30:42 2002 
From: markus at openbsd.org (Markus Friedl) Date: Mon, 1 Jul 2002 18:30:42 +0200 Subject: Revised OpenSSH Security Advisory Message-ID: <20020701163042.GA15133@folly>

This is the 4th revision of the Advisory.

This document can be found at:
http://www.openssh.com/txt/preauth.adv

1. Versions affected:

Several versions of OpenSSH's sshd between 2.3.1 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation.

All versions between 2.3.1 and 3.3 contain a bug in the PAMAuthenticationViaKbdInt code.

All versions between 2.9.9 and 3.3 contain a bug in the ChallengeResponseAuthentication code.

OpenSSH 3.4 and later are not affected.

OpenSSH 3.2 and later prevent privilege escalation if UsePrivilegeSeparation is enabled in sshd_config.

OpenSSH 3.3 enables UsePrivilegeSeparation by default.

Although some earlier versions are not affected, upgrading to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds checks for a class of potential bugs.

2. Impact:

This bug can be exploited remotely if ChallengeResponseAuthentication is enabled in sshd_config. This option is enabled by default on OpenBSD and other systems.

Affected are at least systems supporting s/key over SSH protocol version 2 (OpenBSD, FreeBSD and NetBSD as well as other systems supporting s/key with SSH). Exploitability of systems using PAMAuthenticationViaKbdInt has not been verified.

3. Short-Term Solution:

Disable ChallengeResponseAuthentication in sshd_config,
and
Disable PAMAuthenticationViaKbdInt in sshd_config.

Alternatively you can prevent privilege escalation if you enable UsePrivilegeSeparation in sshd_config.

4. Solution:

Upgrade to OpenSSH 3.4 or apply the following patches.

5. Credits:

ISS.

6. Release Process:

Information release was handled in the following way:

a. We alerted the community via a number of news sites and large public mailing lists that a major security issue was coming, and that they should upgrade to OpenSSH >= 3.2, and enable UsePrivilegeSeparation as soon as possible. We also released OpenSSH 3.3 at the same time, without a fix for this serious new issue. The goal was to place the community on a security stance.

b. We could not alert the community that disabling ChallengeResponseAuthentication solved the problem, since this would highlight that the bug is in about 500 out of 27,000 lines of code.

c. We could not alert the community that the bug was SSH2-only, and tell them to disable protocol 2, since it would have focused the problem in about 5,000 out of 27,000 lines of code. (And we did not think of this possible solution until after ISS had released their advisory).

d. We did not tell people which versions were vulnerable, since the 2.9 to 2.9.9 transition was largely a rewrite of the ChallengeResponseAuthentication subsystem. This would have highlighted that as the problem area.

e. We believed very strongly that the issue was unknown in the Blackhat community at the time. We also made the decision based on the subtlety of the problem. Finally, we believe that the SSH protocol is a security infrastructure protocol (with DNS and BGP), and that issues of this scope require more gentle care.

f. We did not alert vendor contacts with detailed vulnerability information, since the list of vendors who include OpenSSH numbers around 80+. We were sure that any disclosure would leak very quickly. Another vulnerability came to our attention at roughly the same time (BSD resolver) and started leaking within 5 hours of vendor notification, so we tried to be very careful.

g. We did not have a complete list of vulnerable systems because ISS did not do very complete testing, and we did not have access to all the systems to test on. Even so, we would not have wanted to alert the vendors as to which are vulnerable, because they might have figured out their configuration options and leaked the information.

h. Some vendors were initially upset by this policy of non-disclosure, largely because the UsePrivilegeSeparation code was only about 90% functional in OpenSSH 3.3:
   - old linux kernels needed Compression disabled
   - extended Linux PAM did not work (but that is where the ChallengeResponseAuthentication bug was)
Over a 48 hour period, a few of these vendors rapidly helped us to get these problems resolved, and we were able to release OpenSSH 3.4 which solved these problems to 99% user satisfaction, on almost all systems. The most helpful vendors were OpenWall Linux and Debian.

i. ISS suddenly insisted on an early release of their advisory, 4 days earlier than ISS and we had planned. Some of us were awake for 37 hours to get OpenSSH 3.4 out the door with the fix, at the same time as the ISS advisory.

j. We contacted CERT, and they released their announcement of this issue in record time -- around 24 hours. Dealing with CERT and ISS took more than 5 hours of telephone time.

k. We have received mail from many users, including large and significant organizations, who were able to take a security stance by following our instructions about UsePrivilegeSeparation, disabling OpenSSH, filtering port 22, guessing at functional reduction, or preparing themselves for a new release at any time.

l. We have not heard of a single machine which was broken into as a result of our release announcement method.

m. The first public attack program for the vulnerability was posted to BUGTRAQ within a day after OpenSSH 3.4 was released, apparently having been written based on the bug description.

We feel that this method of releasing served the community best for a "contained" vulnerability of this kind.
We do not suggest this is necessarily the correct information release process for all problems, and as firm believers of full disclosure have never suggested that, though we believe that disclosure must be carefully handled.

Appendix:

A: Index: auth2-chall.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v retrieving revision 1.18 diff -u -r1.18 auth2-chall.c --- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18 +++ auth2-chall.c 26 Jun 2002 09:37:03 -0000 @@ -256,6 +256,8 @@ authctxt->postponed = 0; /* reset */ nresp = packet_get_int(); + if (nresp > 100) + fatal("input_userauth_info_response: nresp too big %u", nresp); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++)

B: Index: auth2-pam.c =================================================================== RCS file: /var/cvs/openssh/auth2-pam.c,v retrieving revision 1.12 diff -u -r1.12 auth2-pam.c --- auth2-pam.c 22 Jan 2002 12:43:13 -0000 1.12 +++ auth2-pam.c 26 Jun 2002 10:12:31 -0000 @@ -140,6 +140,15 @@ nresp = packet_get_int(); /* Number of responses. */ debug("got %d responses", nresp); + + if (nresp != context_pam2.num_expected) + fatal("%s: Received incorrect number of responses " + "(received %u, expected %u)", __func__, nresp, + context_pam2.num_expected); + + if (nresp > 100) + fatal("%s: too many replies", __func__); + for (i = 0; i < nresp; i++) { int j = context_pam2.prompts[i];

From andreas at conectiva.com.br Tue Jul 2 02:38:37 2002 
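Review bot: in the auth2-chall.c hunk, `if (nresp > 100)` is an unexplained magic number dropped right in front of `response = xmalloc(nresp * sizeof(char*))`; nothing in the hunk tells a reader that its job is to keep that product from wrapping on 32-bit builds and handing xmalloc a tiny buffer that the following loop then overruns. Give the bound a named constant and a comment stating that purpose, and also check the count against the number of prompts the server actually sent, as the auth2-pam.c hunk does with `context_pam2.num_expected`, rather than against a fixed ceiling alone; the fatal() formatting nresp with `%u` is consistent with hunk B.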
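Review bot: in the auth2-pam.c hunk the second check, `if (nresp > 100)`, cannot fire once `nresp != context_pam2.num_expected` has passed unless num_expected itself exceeds 100, so it is either redundant or a defence-in-depth guard against a corrupted num_expected; a one-line comment should say which, and the two hunks should then share one named limit instead of repeating the literal 100. The unchanged `debug("got %d responses", nresp)` just above now sits next to a fatal() that prints the same variable with `%u`; use `%u` in both. Placement is right: both checks precede the loop that indexes `context_pam2.prompts[i]`.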
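The advisory says only that an "input validation error" leads to an integer overflow, and the two hunks show the checks that were added. The following is an added example, not OpenSSH code and not part of the advisory: it reproduces the bug class in isolation, so the wrap-around the cap prevents can be seen, and parses a constructed response packet with the kind of count check the patches introduce. The packet layout, the helper names and the NRESP_CAP constant are assumptions made here to mirror the hunks.

```c
/* Added example, not OpenSSH code. It reproduces in isolation the bug class
 * the advisory describes: a response count read from the wire sizes an
 * allocation, and on a 32-bit build nresp * sizeof(char *) wraps. The packet
 * layout, helper names and NRESP_CAP are assumptions mirroring the patches. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NRESP_CAP 100   /* the hard cap the patches use; assumed here */

/* Big-endian uint32 as the SSH wire format encodes it. */
static uint32_t get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* What nresp * sizeof(char *) evaluates to on an ILP32 target, where size_t
 * is 32 bits wide and the product wraps modulo 2^32. */
uint32_t alloc_size_ilp32(uint32_t nresp) {
    return nresp * (uint32_t)4;
}

/* Count check in the spirit of the auth2-pam.c hunk: the count must match the
 * number of prompts actually issued and stay under the cap. 0 = acceptable. */
int check_nresp(uint32_t nresp, uint32_t num_expected) {
    if (nresp != num_expected || nresp > NRESP_CAP)
        return -1;
    return 0;
}

/* Free a NULL-terminated array of strings (NULL-safe). */
void free_responses(char **resp) {
    for (size_t i = 0; resp != NULL && resp[i] != NULL; i++)
        free(resp[i]);
    free(resp);
}

/* Parse "uint32 nresp, then nresp strings (uint32 len + bytes)" from buf.
 * Stores a NULL-terminated array of malloc'd strings in *out and returns the
 * count; returns -1 and leaves *out NULL on malformed input. */
int parse_responses(const uint8_t *buf, size_t len, uint32_t num_expected, char ***out) {
    *out = NULL;
    if (len < 4)
        return -1;
    uint32_t nresp = get_u32(buf);
    size_t off = 4;
    if (check_nresp(nresp, num_expected) != 0)
        return -1;
    /* Belt and braces: refuse any count whose allocation size would wrap. */
    if (nresp > SIZE_MAX / sizeof(char *) - 1)
        return -1;
    char **resp = calloc((size_t)nresp + 1, sizeof(char *));
    if (resp == NULL)
        return -1;
    for (uint32_t i = 0; i < nresp; i++) {
        if (len - off < 4)
            goto fail;
        uint32_t slen = get_u32(buf + off);
        off += 4;
        if (slen > len - off)
            goto fail;
        resp[i] = malloc((size_t)slen + 1);
        if (resp[i] == NULL)
            goto fail;
        memcpy(resp[i], buf + off, slen);
        resp[i][slen] = '\0';
        off += slen;
    }
    *out = resp;
    return (int)nresp;
fail:
    free_responses(resp);
    return -1;
}

/* Constructed packets: a benign one with two responses and a hostile one
 * whose count alone would wrap the allocation size on ILP32. */
static const uint8_t benign_pkt[] = {
    0, 0, 0, 2, 0, 0, 0, 5, 'a', 'l', 'i', 'c', 'e',
    0, 0, 0, 6, 's', '3', 'c', 'r', 'e', 't' };
static const uint8_t hostile_pkt[] = { 0x40, 0, 0, 0 };   /* nresp = 2^30 */

int demo_benign_count(void) {
    char **r;
    int n = parse_responses(benign_pkt, sizeof benign_pkt, 2, &r);
    free_responses(r);
    return n;
}
int demo_hostile_rejected(void) {
    char **r;
    return parse_responses(hostile_pkt, sizeof hostile_pkt, 2, &r) < 0 && r == NULL;
}

int main(void) {
    printf("benign packet: %d responses parsed\n", demo_benign_count());
    printf("nresp 0x40000000 would allocate %u bytes on ILP32\n",
           (unsigned)alloc_size_ilp32(0x40000000u));
    printf("hostile packet rejected: %s\n", demo_hostile_rejected() ? "yes" : "no");
    return 0;
}
```

alloc_size_ilp32(0x40000000) is 0: that is the allocation the unpatched code would have requested before looping 2^30 times writing pointers into it. The count check rejects the hostile packet before any allocation, and the SIZE_MAX guard is the generic form of the same defence for code paths that have no prompt count to compare against.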
From: andreas at conectiva.com.br (Andreas Hasenack) Date: Mon, 1 Jul 2002 13:38:37 -0300 Subject: sshd and file descriptors In-Reply-To: <20020626161056.R2377@google.com> References: <20020626220613.GO19640@conectiva.com.br> <20020626161056.R2377@google.com> Message-ID: <20020701163837.GA5593@conectiva.com.br> Em Wed, Jun 26, 2002 at 04:10:56PM -0700, Frank Cusack escreveu: > On Wed, Jun 26, 2002 at 07:06:13PM -0300, Andreas Hasenack wrote: > > > > Shouldn't a daemon close all fds before going into "daemon land"? > > What exactly is broken here? > > > > rpm Well, just to post JBJ's (predictable) response to this matter: (JBJ is ">") ---- > Do you mean 0,1,2 or other file descriptiors? Closing stdin/stdout/stderr > would certainly make testing of packaging a PITA. OTOH, rpm support would > be far easier ;-) Others, as Andreas has reported. [...] > But this isn't really an rpm problem. Daemons should undertake a close > of all open file descriptors. No if's, and's or but's. From bryanh at giraffe-data.com Tue Jul 2 03:02:53 2002 
From: bryanh at giraffe-data.com (Bryan Henderson) Date: Mon, 01 Jul 2002 17:02:53 +0000 Subject: scp not tolerant of extraneous shell messages Message-ID: I spent some time debugging a failing Scp that turned out to be caused by the remote shell producing messages on Standard Output that aren't part of the SCP protocol. Scp from a remote system works by running another Scp on the remote system. The remote Scp writes SCP protocol messages (and file data) to its Standard Output, which the local Scp sees as Standard Input. But it's important to note that the remote Scp runs in a shell, and not just any shell -- an interactive shell. It's an interactive shell because its Standard Input and Standard Output are terminals, and the shell knows it and makes some decisions based on the assumption that there's a human being there. This makes Scp analogous to the file download function of an old-fashioned terminal emulator -- it's making automated use of a data stream intended for an intelligent human. So let's say the remote interactive shell puts an informational message on Standard Output as it starts up (mine does). The local SCP responds by issuing the received line verbatim, with no additional context, as an error message, and terminates. It apparently assumes that anything the shell says before remote Scp starts running must be a message explaining why it cannot run Scp. And that the message contains enough context that the Scp user will be able to tell what to fix and where. But the message may just be informational, in which case Scp terminates needlessly, and with no apparent indication of why. I propose that local Scp just ignore all messages on Standard Input until it sees something that looks like an SCP control record. If it never sees an SCP control record, it should issue an error message saying so, and include the last thing it _did_ see in that message. If there isn't something fundamentally wrong with this approach, I'll submit a patch. 
Ideally, I'd like to see a way to run remote Scp not in a shell at all. It would be far more robust and faster. Does the SSH protocol allow for such a thing? -- Bryan Henderson Phone 408-621-2000 San Jose, California From wendyp at cray.com Tue Jul 2 03:14:33 2002 From: wendyp at cray.com (Wendy Palm) Date: Mon, 01 Jul 2002 12:14:33 -0500 Subject: Disabling compression in sshd causes problems References: <20020627122625.A2524@em.ca> <20020701090252.GC9947@folly> <20020701111557.B1475859@ohm.arago.de> <20020701095235.GA6998@folly> Message-ID: <3D208DF9.4C31A80C@cray.com> i think we should have the warning only for debug messages. users complain about extraneous output. & i agree with the change - i've got users complaining about the compression problem already. thanks, wendy Markus Friedl wrote: > > On Mon, Jul 01, 2002 at 11:15:57AM +0200, Thomas Binder wrote: > > But shouldn't the behaviour be consistent across protocol > > versions? If I use ssh -1 -C to connect to a server that has > > compression disabled, I only get a warning, but the client > > connects fine. If I use ssh -2 -C, the connection attempt fails. > > ok, then i'll change ssh -2 to match this behaviour. > > do we really need the warning? > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From mouring at etoh.eviladmin.org Tue Jul 2 03:22:33 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 1 Jul 2002 12:22:33 -0500 (CDT) Subject: scp not tolerant of extraneous shell messages In-Reply-To: Message-ID: You are really looking for sftp which has no shell dependencies. But in general. No.. Fix your startup scripts. scp is rcp in a ssh wrapper. and rcp will also fail. - Ben On Mon, 1 Jul 2002, Bryan Henderson wrote: > I spent some time debugging a failing Scp that turned out to be caused > by the remote shell producing messages on Standard Output that aren't > part of the SCP protocol. > > Scp from a remote system works by running another Scp on the remote > system. The remote Scp writes SCP protocol messages (and file data) > to its Standard Output, which the local Scp sees as Standard Input. > > But it's important to note that the remote Scp runs in a shell, and > not just any shell -- an interactive shell. It's an interactive shell > because its Standard Input and Standard Output are terminals, and the > shell knows it and makes some decisions based on the assumption that > there's a human being there. This makes Scp analogous to the file > download function of an old-fashioned terminal emulator -- it's making > automated use of a data stream intended for an intelligent human. > > So let's say the remote interactive shell puts an informational message > on Standard Output as it starts up (mine does). The local SCP > responds by issuing the received line verbatim, with no additional > context, as an error message, and terminates. It apparently assumes > that anything the shell says before remote Scp starts running must be > a message explaining why it cannot run Scp. And that the message > contains enough context that the Scp user will be able to tell what to > fix and where. > > But the message may just be informational, in which case Scp terminates > needlessly, and with no apparent indication of why. 
> > > I propose that local Scp just ignore all messages on Standard Input until > it sees something that looks like an SCP control record. If it never sees > an SCP control record, it should issue an error message saying so, and > include the last thing it _did_ see in that message. > > If there isn't something fundamentally wrong with this approach, I'll > submit a patch. > > > Ideally, I'd like to see a way to run remote Scp not in a shell at > all. It would be far more robust and faster. Does the SSH protocol > allow for such a thing? > > -- > Bryan Henderson Phone 408-621-2000 > San Jose, California > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From dan at doxpara.com Tue Jul 2 04:11:53 2002 
From: dan at doxpara.com (Dan Kaminsky) Date: Mon, 01 Jul 2002 11:11:53 -0700 Subject: scp not tolerant of extraneous shell messages References: Message-ID: <3D209B69.5040606@doxpara.com>

Ben Lindstrom wrote:
> You are really looking for sftp which has no shell dependencies.
>
> But in general. No.. Fix your startup scripts. scp is rcp in a ssh
> wrapper. and rcp will also fail.

I did receive a report a while back stating some shell stuff was getting in the way of sftp-server. Lemme see if I can track it down... Ahhh. Here's the FAQ entry the guy quotes:

http://www.snailbook.com/faq/sftp-corruption.auto.html

===
sftp and scp2 both actually work by running ssh in a subprocess, to connect to the remote host and run the file-transfer server (usually named sftp-server). For instance, the command "sftp server" might result in the following command being run (OpenSSH):

    ssh server -s -oForwardX11=no -oForwardAgent=no -oProtocol=2 sftp

scp2/sftp and sftp-server use a special file-transfer protocol, which they speak over this SSH session. The protocol is in fact based on the same packet protocol used by SSH. In order for this to work, the SSH session must be "clean", that is, it must have on it only information transmitted by the programs at either end. What often happens, though, is that there are statements in either the system or per-user shell startup files on the server (.bashrc, .profile, /etc/csh.cshrc, .login, etc.) which output text messages on login, intended to be read by humans (like fortune, echo "Hi there!", etc.). Such code should only produce output on interactive logins, when there is a tty attached to standard input. If it does not make this test, it will insert these text messages where they don't belong: in this case, polluting the protocol stream between scp2/sftp and sftp-server. The first four bytes of the text get interpreted as a 32-bit packet length, which will usually be a wildly large number, provoking the error message above.

Notice that:

    1416586337 decimal = 546F6461 hex = "Toda" ASCII

suggesting a string beginning "Today..." (or maybe "Thank-you" in transliterated Hebrew).

The reason the shell startup files are relevant at all is that sshd employs the user's shell when starting any programs on the user's behalf (using e.g. /bin/sh -c "command"). This is a Unix tradition, and has advantages:

  * The user's usual setup (command aliases, environment variables, umask, etc.) are in effect when remote commands are run.
  * The common practice of setting an account's shell to /bin/false to disable it will prevent the owner from running any commands, should authentication still accidentally succeed for some reason.

There has been a lot of argument about whether this is the right behavior, since having sshd instead exec sftp-server directly, without the shell, would avoid this frequent problem. I personally feel that using the shell is the right thing to do: having startup files that emit text messages when there is no user to read them is just a mistake.

SSH2 has a Boolean configuration statement AllowCshrcSourcingWithSubsystems, set false by default, which causes sshd2 to pass the -f flag to the shell when running subsystem programs (sftp-server is run as an SSH-2 "subsystem"). With most shells, -f causes the shell to omit the normal startup file processing. This prevents the corruption problem, but introduces other difficulties. With file transfers, the umask setting is important, and people are confused when they find that the umask they set in their ~/.login file works with random remote commands (e.g. ssh server touch foo), but is mysteriously ignored when using scp2/sftp.
===

From darren at horseplay.demon.co.uk Tue Jul 2 04:04:29 2002 
From: darren at horseplay.demon.co.uk (Darren Evans) Date: Mon, 1 Jul 2002 19:04:29 +0100 Subject: scp not tolerant of extraneous shell messages In-Reply-To: References: Message-ID: <16631215275.20020701190429@horseplay.demon.co.uk>

A workaround for sftp: commenting out fortune from the shell startup script allowed sftp to work (presumably too much information). It may be useful to know of other circumstances for the FAQ.

Interestingly, I just tested this with 3.4p1 connecting to a 3.3p1 server and it still displays this behaviour; just add fortune to .bashrc to see it fudge.

$ sftp user at myhost
Connecting to myhost..
Received message too long 1113942382

$ scp user at myhost:file localhost
Q: What's tan and black and looks great on a lawyer.

Could be humorous under different circumstances.

Regards,
Darren

Monday, July 1, 2002, 6:22:33 PM, you wrote:

BL> You are really looking for sftp which has no shell dependencies.
BL> But in general. No.. Fix your startup scripts. scp is rcp in a ssh
BL> wrapper. and rcp will also fail.
BL> - Ben
BL> On Mon, 1 Jul 2002, Bryan Henderson wrote:
>> I spent some time debugging a failing Scp that turned out to be caused
>> by the remote shell producing messages on Standard Output that aren't
>> part of the SCP protocol.
>>
>> Scp from a remote system works by running another Scp on the remote
>> system. The remote Scp writes SCP protocol messages (and file data)
>> to its Standard Output, which the local Scp sees as Standard Input.
>>
>> But it's important to note that the remote Scp runs in a shell, and
>> not just any shell -- an interactive shell. It's an interactive shell
>> because its Standard Input and Standard Output are terminals, and the
>> shell knows it and makes some decisions based on the assumption that
>> there's a human being there. This makes Scp analogous to the file
>> download function of an old-fashioned terminal emulator -- it's making
>> automated use of a data stream intended for an intelligent human.
>> >> So lets say the remote interactive shell puts an informational message >> on Standard Output as it starts up (mine does). The local SCP >> responds by issuing the received line verbatim, with no additional >> context, as an error message, and terminates. It apparently assumes >> that anything the shell says before remote Scp starts running must be >> a message explaining why it cannot run Scp. And that the message >> contains enough context that the Scp user will be able to tell what to >> fix and where. >> >> But the message may just be informational, in which case Scp terminates >> needlessly, and with no apparent indication of why. >> >> >> I propose that local Scp just ignore all messages on Standard Input until >> it sees something that looks like an SCP control record. If it never sees >> an SCP control record, it should issue an error message saying so, and >> include the last thing it _did_ see in that message. >> >> If there isn't something fundamentally wrong with this approach, I'll >> submit a patch. >> >> >> Ideally, I'd like to see a way to run remote Scp not in a shell at >> all. It would be far more robust and faster. Does the SSH protocol >> allow for such a thing? >> >> -- >> Bryan Henderson Phone 408-621-2000 >> San Jose, California From bugzilla-daemon at mindrot.org Tue Jul 2 04:11:56 2002 
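The Snail Book FAQ quoted above explains that the sftp client reads the first four bytes of the stream as a 32-bit packet length, and Darren's report shows the same symptom with a different number. The following is an added example, not from the page, the FAQ or OpenSSH: it frames a constructed SSH_FXP_INIT packet, shows what happens when a startup banner precedes it, and turns the reported length back into the text it came from. MAX_PLAUSIBLE_LEN, the helper names and the packet bytes are this example's own assumptions.

```c
/* Added example, not from the page, the Snail Book FAQ or OpenSSH. It shows
 * the mechanism both posts describe: an sftp client reads a uint32 packet
 * length before anything else, so a shell banner printed ahead of the real
 * packet is parsed as that length. MAX_PLAUSIBLE_LEN, the helper names and
 * the packet bytes are this example's own assumptions, not OpenSSH's. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sanity cap on one packet; OpenSSH's real limit is not quoted here. */
#define MAX_PLAUSIBLE_LEN (256u * 1024u)

/* Big-endian uint32, as the sftp packet format encodes lengths. */
static uint32_t get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Render a length value as the four bytes it was read from; this is how
 * "1416586337" turns back into "Toda". Unprintable bytes become '.'. */
void length_as_text(uint32_t n, char out[5]) {
    for (int i = 0; i < 4; i++) {
        unsigned char c = (unsigned char)(n >> (24 - 8 * i));
        out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
    }
    out[4] = '\0';
}

/* Parse an sftp packet header: uint32 length followed by one type byte.
 * Returns 1 on a plausible header (setting *plen and *type), 0 when the
 * length is implausible, which is the "Received message too long" condition,
 * and -1 when fewer than five bytes are available. */
int parse_header(const uint8_t *buf, size_t len, uint32_t *plen, uint8_t *type) {
    if (len < 5)
        return -1;
    *plen = get_u32(buf);
    *type = buf[4];
    if (*plen == 0 || *plen > MAX_PLAUSIBLE_LEN)
        return 0;
    return 1;
}

/* Build the polluted stream: a banner that a .bashrc printed, then the packet. */
static size_t build_polluted(const char *banner, const uint8_t *pkt, size_t pktlen,
                             uint8_t *out, size_t outsz) {
    size_t blen = strlen(banner);
    if (blen + pktlen > outsz)
        return 0;
    memcpy(out, banner, blen);
    memcpy(out + blen, pkt, pktlen);
    return blen + pktlen;
}

int main(void) {
    /* Constructed SSH_FXP_INIT packet: length 5, type 1, version 3. */
    static const uint8_t clean[] = { 0, 0, 0, 5, 1, 0, 0, 0, 3 };
    uint8_t polluted[64];
    size_t n = build_polluted("Today is Monday\n", clean, sizeof clean,
                              polluted, sizeof polluted);
    uint32_t plen;
    uint8_t type;
    char text[5];

    int rc = parse_header(clean, sizeof clean, &plen, &type);
    printf("clean stream:    rc=%d len=%" PRIu32 " type=%u\n", rc, plen, type);

    rc = parse_header(polluted, n, &plen, &type);
    length_as_text(plen, text);
    printf("polluted stream: rc=%d, Received message too long %" PRIu32 " (\"%s\")\n",
           rc, plen, text);

    length_as_text(1113942382u, text);   /* the value from Darren's report */
    printf("1113942382 decodes to \"%s\"\n", text);
    return 0;
}
```

Decoding the reported number is the quickest way to identify the offending startup file: the four characters are the start of whatever the shell printed. The pre-flight check Ed Avis suggests in the next message amounts to confirming that "ssh host /bin/true" produces no output at all before trusting sftp or scp on that account.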
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 2 Jul 2002 04:11:56 +1000 (EST) Subject: [Bug 327] monitor_fdpass.c: Expected 1 got 1075033556 - Privilege Separation Message-ID: <20020701181156.0D5C8E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=327 ------- Additional Comments From jmknoble at pobox.com 2002-07-02 04:11 ------- Could you please check the error message again? Is it: mm_receive_fd: recvmsg: expected received 1 got nnnnnnnn or is it this: mm_receive_fd: expected type 1 got nnnnnnnn ? Those are two different problems, within a few lines of each other. The exact text of the error message is important. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From epa98 at doc.ic.ac.uk Tue Jul 2 04:20:13 2002 From: epa98 at doc.ic.ac.uk (Edward Avis) Date: Mon, 1 Jul 2002 19:20:13 +0100 (BST) Subject: scp not tolerant of extraneous shell messages In-Reply-To: <3D209B69.5040606@doxpara.com> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Perhaps scp could have a special -diagnose option which runs 'echo hello' at the remote end, and checks that the text received is just 'hello'. That would save unfortunate users a lot of headscratching in future. Of course, this is really a suggestion for the rcp program since scp is just rcp-over-SSH. - -- Ed Avis Finger for PGP key -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD4DBQE9IJ1fIMp73jhGogoRAlIKAJj5zMAjqPWFWnEB0FgdGUc+TmxgAKCAWiE1 DqIlOHes5Z4ItHbnZFPd6A== =m4r5 -----END PGP SIGNATURE----- From foster at dim.ucsd.edu Tue Jul 2 04:39:32 2002 
From: foster at dim.ucsd.edu (David Foster)
Date: Mon, 1 Jul 2002 11:39:32 -0700 (PDT)
Subject: Compiling OpenSSH 3.4p1 on SunOS 4.1.4
Message-ID: <200207011839.g61IdWw01343@dim.ucsd.edu>

Note that this wasn't necessary on previous versions of OpenSSH under SunOS 4.1.4.

Dave Foster

------------- Begin Forwarded Message -------------

Date: Mon, 1 Jul 2002 11:21:25 -0700 (PDT)
From: spl at camshaft.ucsd.edu
To: foster at dim.ucsd.edu
Subject: Re: Oh SunOS guru... (OpenSSH compile on Pitstop)

> Ok, I FINALLY GET OpenSSH to configure on Pitstop, getting around
> the OpenSSL problem, and now I get this...
>
> gcc -o ssh-agent ssh-agent.o -L. -Lopenbsd-compat/ -L/usr/local/lib
> -L/usr/local/lib -lssh -lopenbsd-compat -lz -lcrypto
> openbsd-compat//libopenbsd-compat.a(setenv.o): In function `setenv':
> /auto/usr/local_src/openssh-3.4p1/SunOS/4.1.4/openbsd-compat/setenv.c:126:
> undefined reference to `memmove'
> collect2: ld returned 1 exit status
> make: *** [ssh-agent] Error 1
>
>
> Is this brain damage in OpenSSH or SunOS 4.1.4?

Both. Edit setenv.c and add the macro

  #define memmove(s1,s2,l) bcopy(s2,s1,l)

somewhere at the top of the file. memmove() doesn't exist in the SunOS libc. Note that s1 and s2 are swapped. This is intentional.

------------- End Forwarded Message -------------

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
David Foster            National Center for Microscopy and Imaging Research
Programmer/Analyst      University of California, San Diego
dfoster at ucsd.edu     Department of Neuroscience, Mail 0608
(858) 534-7968          http://ncmir.ucsd.edu/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore, all progress depends on the unreasonable." -- George Bernard Shaw

From johnh at aproposretail.com Tue Jul 2 05:39:34 2002
From: johnh at aproposretail.com (John Hardin)
Date: 01 Jul 2002 12:39:34 -0700
Subject: TO SYMMETRY AND ASYMMETRY-----NOW ADD SUPERSYMMETRY
In-Reply-To: <000701c21fbc$d8cfb980$35ee68cf@Koerner>
References: <000701c21fbc$d8cfb980$35ee68cf@Koerner>
Message-ID: <1025552376.14666.1.camel@johnh.apropos.com>

On Sat, 2002-06-29 at 15:32, Carla Koerner Hein wrote:
> I give up! I'd be happy to discuss hypercubes, set-to-set calculation
> or any aspect of supersymmetrical encryption/decryption with anyone
> who can jolt the Homeland Defense boys to attention. Can you do it?

I'm sure Bruce Schneier would love to chat with you. Why don't you drop him a line?

--
John Hardin                              Internal Systems Administrator    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.                                     fax: (425) 672-0192
-----------------------------------------------------------------------
In the Lion the Mighty Lion the Zebra sleeps tonight...
Dee de-ee-ee-ee-ee de de de we um umma way!
-----------------------------------------------------------------------
16 days until Apropos Forum 2002

From fcusack at fcusack.com Tue Jul 2 05:48:24 2002
From: fcusack at fcusack.com (Frank Cusack)
Date: Mon, 1 Jul 2002 12:48:24 -0700
Subject: sshd and file descriptors
In-Reply-To: <20020701163837.GA5593@conectiva.com.br>; from andreas@conectiva.com.br on Mon, Jul 01, 2002 at 01:38:37PM -0300
References: <20020626220613.GO19640@conectiva.com.br> <20020626161056.R2377@google.com> <20020701163837.GA5593@conectiva.com.br>
Message-ID: <20020701124823.B3134@google.com>

On Mon, Jul 01, 2002 at 01:38:37PM -0300, Andreas Hasenack wrote:
> > But this isn't really an rpm problem. Daemons should undertake a close
> > of all open file descriptors. No if's, and's or but's.

It is an rpm problem. Why should every daemon have to play fixup for rpm? You might have old old daemons you don't have source for, I guess you have to wrapper those? I'm not saying daemons shouldn't close open fd's, but that doesn't exonerate rpm.

/fc

From tim at hoganzoo.com Tue Jul 2 06:13:56 2002
From: tim at hoganzoo.com (Tim Hogan)
Date: Mon, 1 Jul 2002 14:13:56 -0600 (MDT)
Subject: (no subject)
Message-ID: <60977.192.18.101.5.1025554436.squirrel@webmail.hoganzoo.com>

From gert at greenie.muc.de Tue Jul 2 06:31:02 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 1 Jul 2002 22:31:02 +0200
Subject: scp not tolerant of extraneous shell messages
In-Reply-To: <16631215275.20020701190429@horseplay.demon.co.uk>; from darren@horseplay.demon.co.uk on Mon, Jul 01, 2002 at 07:04:29PM +0100
References: <16631215275.20020701190429@horseplay.demon.co.uk>
Message-ID: <20020701223102.D4788@greenie.muc.de>

Hi,

On Mon, Jul 01, 2002 at 07:04:29PM +0100, Darren Evans wrote:
> Interestingly, I just tested this with 3.4p1 connecting to 3.3p1
> server and it still displays this behaviour, just add fortune
> to .bashrc to see it fudge.

Things that produce output do not belong in .bashrc. Put them in .bash_profile, and they will only be displayed for *interactive* logins, not for non-interactive logins (in the usual definition, shell called as "-bash", .rc files read, .profile(s) not).

gert

--
USENET is *not* the non-clickable part of WWW!                  //www.muc.de/~gert/
Gert Doering - Munich, Germany                           gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From bugzilla-daemon at mindrot.org Tue Jul 2 06:33:38 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Jul 2002 06:33:38 +1000 (EST)
Subject: [Bug 328] New: starting sshd yields PRNG not seeded
Message-ID: <20020701203338.CB91DE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=328

           Summary: starting sshd yields PRNG not seeded
           Product: Portable OpenSSH
           Version: -current
          Platform: Sparc
        OS/Version: Solaris
            Status: NEW
          Severity: major
          Priority: P1
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: gwalters at carfund.com

PRNGD seems to be working fine according to egd. When I go to start 3.4p1 version of sshd, I get PRNG not seeded and that is all. This used to work with 3.01p1 of sshd. Any help is appreciated.

Gary Walters

From bugzilla-daemon at mindrot.org Tue Jul 2 06:45:39 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Jul 2002 06:45:39 +1000 (EST)
Subject: [Bug 328] starting sshd yields PRNG not seeded
Message-ID: <20020701204539.33F32E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=328

------- Additional Comments From luc at suryo.com 2002-07-02 06:45 -------

This may not be an openssh problem.... If the openssh/openssl was compiled to use /dev/urandom (or /dev/random) and your system does not have the proper path installed to support /dev/urandom (or /dev/urandom) this is what you will see when you try to start sshd/ssh. Check if this is the case:

  ls -l /dev/*random
  strings {path-to}/sshd | grep random
  strings {path-to}/ssh | grep random

I'm not sure IF openssh should use another method in case there is no /dev/random (or /dev/urandom) as openssl is the one that tells openssh what to use (am I correct?)

From thomas at melusine.cuivre.fr.eu.org Tue Jul 2 07:51:39 2002
From: thomas at melusine.cuivre.fr.eu.org (Thomas Quinot)
Date: Mon, 1 Jul 2002 23:51:39 +0200
Subject: 3.4p1: 'buffer_append_space: alloc 10506240 not supported'
Message-ID: <20020701235139.A71075@melusine.cuivre.fr.eu.org>

I have been trying to install 3.4p1 on a number of machines. Servers on ia64 Linux, i386 Linux and SPARC Solaris are all working like charms. On the other hand, I am having trouble at least with HPUX 11, DEC OSF 5.1 and Unixware: on all those systems, sshd bails out after authentication with an error in buffer_append_space.

Here is the output of sshd -d on the UnixWare machine (uname -a: "UnixWare sofia 5 7.1.0 i386 x86at SCO UNIX_SVR5")

debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 10.10.0.172 port 35503
debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.4p1
debug1: list_hostkey_types: ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 zlib
debug1: kex: server->client aes128-cbc hmac-md5 zlib
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 121/256
debug1: bits set: 1614/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1588/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: Enabling compression at level 6.
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user quinot service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for quinot from 10.10.0.172 port 35503 ssh2
Failed none for quinot from 10.10.0.172 port 35503 ssh2
debug1: userauth-request for user quinot service ssh-connection method hostbased
debug1: attempt 1 failures 1
debug1: userauth_hostbased: cuser quinot chost vienna.int.domain.com. pkalg ssh-dss slen 55
debug1: temporarily_use_uid: 529/101 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 529/101 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 529/101 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 529/101 (e=0)
debug1: restore_uid
Failed hostbased for quinot from 10.10.0.172 port 35503 ssh2
debug1: userauth-request for user quinot service ssh-connection method hostbased
debug1: attempt 2 failures 2
debug1: userauth_hostbased: cuser quinot chost vienna.int.domain.com. pkalg ssh-rsa slen 143
debug1: temporarily_use_uid: 529/101 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 529/101 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 529/101 (e=0)
debug1: restore_uid
debug1: ssh_rsa_verify: signature correct
Accepted hostbased for quinot from 10.10.0.172 port 35503 ssh2
Accepted hostbased for quinot from 10.10.0.172 port 35503 ssh2
debug1: monitor_child_preauth: quinot has been authenticated by privileged process
debug1: newkeys: mode 0
debug1: newkeys: mode 1
debug1: Entering interactive session for SSH2.
debug1: fd 8 setting O_NONBLOCK
debug1: fd 10 setting O_NONBLOCK
debug1: server_init_dispatch_20
buffer_append_space: alloc 10506240 not supported
debug1: Calling cleanup 0x807e3ec(0x0)
debug1: Calling cleanup 0x807e3ec(0x0)

--
Thomas.Quinot at Cuivre.FR.EU.ORG

From james at firstaidmusic.com Tue Jul 2 09:03:24 2002
From: james at firstaidmusic.com (James Dennis)
Date: Mon, 1 Jul 2002 18:03:24 -0500
Subject: jailing transfer-only accounts
In-Reply-To: <000501c21dfb$5ab17010$40331eac@dehls>
References: <000501c21dfb$5ab17010$40331eac@dehls>
Message-ID: <20020701180324.14de224f.james@firstaidmusic.com>

This has been discussed quite a bit on this mailing list. The general idea is that most of the ways of jailing people are '.' hacks. That's what my patch on chrootssh.sourceforge.net is. Until a proper method is devised and approved by the OpenSSH crew, an officially supported jail function won't be appearing anytime soon. The OpenSSH guys are great at making sure everything is up to par and I definitely appreciate what they're doing, but that's also why there isn't an official jailing feature yet.

Anyone up to the challenge? I'd be happy to help if anyone is seriously interested.

-James

P.S. chrootssh.sourceforge.net has the '.' hack and may or may not be useful. It is not officially supported, but it works quite well for me.

On Thu, 27 Jun 2002 18:54:49 +0200 "Hans Nohack" wrote:
> hello,
>
> we need to transfer files in a secure way with different partners and
> clients.
> at the moment we're using commercial ssh because we found it the only way to
> transfer files in a jailed environment and without offering a login shell.
> we'd like to use openssh but found only some patches and wrapper scripts but
> nothing "official" to do what we need.
> i could imagine (and read on many lists) that lots of people seem to need this
> feature.
> will it be part of the "official" openssh some day?
>
> thanks
> hans
>
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020701/55ba143c/attachment.bin

From carson at taltos.org Tue Jul 2 08:30:56 2002
From: carson at taltos.org (Carson Gaspar)
Date: Mon, 01 Jul 2002 18:30:56 -0400
Subject: scp not tolerant of extraneous shell messages
In-Reply-To: <16631215275.20020701190429@horseplay.demon.co.uk>
References: <16631215275.20020701190429@horseplay.demon.co.uk>
Message-ID: <178044625.1025548256@[192.168.0.2]>

--On Monday, July 01, 2002 7:04 PM +0100 Darren Evans wrote:
> A workaround for sftp is to comment out fortune from the shell
> startup script allowed sftp to work, presumably too much information,
> may be useful to know of other circumstances for FAQ.

The (or at least a) correct way to do this is to wrap the offending commands in a test for tty-ness. In a POSIX shell:

  if [ -t 1 ]; then    # Is fd 1 a tty?
      echo "I have a tty! Whee!"
      fortune
  fi

--
Carson

From Maria.Wiese at McKesson.com Tue Jul 2 09:35:31 2002
From: Maria.Wiese at McKesson.com (Wiese, Maria)
Date: Mon, 1 Jul 2002 16:35:31 -0700
Subject: More information regarding UserPrivilegeSeparation
Message-ID: <23ED36D4661BD51199E000D0B782508D02F806C3@ddce0051.mckesson.com>

I am trying to upgrade from OpenSSH 3.1p1 to Openssh 3.4p1 due to the Cert advisory and would like to know more about the Privilege Separation. Can't find very good information on the web. For example, I added a userid of sshd, but did not give it a home directory or special group permissions. Anything I need to know about creating this userid? Any problems I should know for Solaris or AIX before I start upgrading my production servers? Should I wait for 3.4.1 release?

From tim at multitalents.net Tue Jul 2 10:35:38 2002
From: tim at multitalents.net (Tim Rice)
Date: Mon, 1 Jul 2002 17:35:38 -0700 (PDT)
Subject: 3.4p1: 'buffer_append_space: alloc 10506240 not supported'
In-Reply-To: <20020701235139.A71075@melusine.cuivre.fr.eu.org>
Message-ID:

On Mon, 1 Jul 2002, Thomas Quinot wrote:

> I have been trying to install 3.4p1 on a number of machines.
> Servers on ia64 Linux, i386 Linux and SPARC Solaris are all working
> like charms. On the other hand, I am having trouble at least with
> HPUX 11, DEC OSF 5.1 and Unixware: on all those systems, sshd bails
> out after authentication with an error in buffer_append_space.
>
> Here is the output of sshd -d on the UnixWare machine
> (uname -a: "UnixWare sofia 5 7.1.0 i386 x86at SCO UNIX_SVR5")

I can not duplicate this problem on any of my UnixWare boxes. I have 2.03, 2.13, 7.1.1, & OpenUNIX 8.0.0 running fine here.

These lines in buffer.c are where it's stopping.

	if (buffer->alloc > 0xa00000)
		fatal("buffer_append_space: alloc %u not supported",
		    buffer->alloc);

You are asking it to allocate 0xa05000.

Perhaps run truss(1) on sshd to see if that sheds any light on the problem

>
> debug1: sshd version OpenSSH_3.4p1
> debug1: private host key: #0 type 0 RSA1
> debug1: read PEM private key done: type RSA
> debug1: private host key: #1 type 1 RSA
> debug1: Bind to port 2222 on 0.0.0.0.
> Server listening on 0.0.0.0 port 2222.
> Generating 768 bit RSA key.
> RSA key generation complete.
> debug1: Server will not fork when running in debugging mode.
> Connection from 10.10.0.172 port 35503
> debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1
> debug1: match: OpenSSH_3.4p1 pat OpenSSH*
> Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-1.99-OpenSSH_3.4p1
> debug1: list_hostkey_types: ssh-rsa
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: client->server aes128-cbc hmac-md5 zlib
> debug1: kex: server->client aes128-cbc hmac-md5 zlib
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
> debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
> debug1: dh_gen_key: priv key bits set: 121/256
> debug1: bits set: 1614/3191
> debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
> debug1: bits set: 1588/3191
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> debug1: Enabling compression at level 6.
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: waiting for SSH2_MSG_NEWKEYS
> debug1: newkeys: mode 0
> debug1: SSH2_MSG_NEWKEYS received
> debug1: KEX done
> debug1: userauth-request for user quinot service ssh-connection method none
> debug1: attempt 0 failures 0
> Failed none for quinot from 10.10.0.172 port 35503 ssh2
> Failed none for quinot from 10.10.0.172 port 35503 ssh2
> debug1: userauth-request for user quinot service ssh-connection method hostbased
> debug1: attempt 1 failures 1
> debug1: userauth_hostbased: cuser quinot chost vienna.int.domain.com. pkalg ssh-dss slen 55
> debug1: temporarily_use_uid: 529/101 (e=0)
> debug1: restore_uid
> debug1: temporarily_use_uid: 529/101 (e=0)
> debug1: restore_uid
> debug1: temporarily_use_uid: 529/101 (e=0)
> debug1: restore_uid
> debug1: temporarily_use_uid: 529/101 (e=0)
> debug1: restore_uid
> Failed hostbased for quinot from 10.10.0.172 port 35503 ssh2
> debug1: userauth-request for user quinot service ssh-connection method hostbased
> debug1: attempt 2 failures 2
> debug1: userauth_hostbased: cuser quinot chost vienna.int.domain.com. pkalg ssh-rsa slen 143
> debug1: temporarily_use_uid: 529/101 (e=0)
> debug1: restore_uid
> debug1: temporarily_use_uid: 529/101 (e=0)
> debug1: restore_uid
> debug1: temporarily_use_uid: 529/101 (e=0)
> debug1: restore_uid
> debug1: ssh_rsa_verify: signature correct
> Accepted hostbased for quinot from 10.10.0.172 port 35503 ssh2
> Accepted hostbased for quinot from 10.10.0.172 port 35503 ssh2
> debug1: monitor_child_preauth: quinot has been authenticated by privileged process
> debug1: newkeys: mode 0
> debug1: newkeys: mode 1
> debug1: Entering interactive session for SSH2.
> debug1: fd 8 setting O_NONBLOCK
> debug1: fd 10 setting O_NONBLOCK
> debug1: server_init_dispatch_20
> buffer_append_space: alloc 10506240 not supported
> debug1: Calling cleanup 0x807e3ec(0x0)
> debug1: Calling cleanup 0x807e3ec(0x0)
>
> --

--
Tim Rice                Multitalents        (707) 887-1469
tim at multitalents.net

From drosih at rpi.edu Tue Jul 2 11:33:36 2002
From: drosih at rpi.edu (Garance A Drosihn)
Date: Mon, 1 Jul 2002 21:33:36 -0400
Subject: scp not tolerant of extraneous shell messages
In-Reply-To:
References:
Message-ID:

At 12:22 PM -0500 7/1/02, Ben Lindstrom wrote:
>You are really looking for sftp which has no shell dependencies.
>
>But in general. No.. Fix your startup scripts. scp is rcp in a
>ssh wrapper. and rcp will also fail.

For what it is worth, I fixed this in my own shell processing by moving any message-producing commands inside of:

  if [ "$TERM" != "dumb" ] ; then
      echo "Welcome!"
  fi

--
Garance Alistair Drosehn            =   gad at gilead.netel.rpi.edu
Senior Systems Programmer           or  gad at freebsd.org
Rensselaer Polytechnic Institute    or  drosih at rpi.edu

From djm at mindrot.org Tue Jul 2 12:31:08 2002
From: djm at mindrot.org (Damien Miller) Date: 02 Jul 2002 12:31:08 +1000 Subject: New PAM kbd-int diff Message-ID: <1025577068.28700.22.camel@xenon> Below is a new PAM kbd-int diff based on FreeBSD's code. This code makes PAM kbd-int work with privilege separation. Contrary to what I have previously stated - it *does* handle multiple prompts. What it does not handle is multiple passes through the PAM conversation function, which would be required for expired password changing. I would really appreciate some additional eyes over the monitor code as I would like to get PAM kbd-int+privsep working. -d Index: auth.h =================================================================== RCS file: /var/cvs/openssh/auth.h,v retrieving revision 1.42 diff -u -r1.42 auth.h --- auth.h 6 Jun 2002 20:52:37 -0000 1.42 +++ auth.h 2 Jul 2002 02:19:35 -0000 @@ -133,7 +133,6 @@ #endif /* KRB5 */ #include "auth-pam.h" -#include "auth2-pam.h" Authctxt *do_authentication(void); Authctxt *do_authentication2(void); Index: auth2-chall.c =================================================================== RCS file: /var/cvs/openssh/auth2-chall.c,v retrieving revision 1.19 diff -u -r1.19 auth2-chall.c --- auth2-chall.c 26 Jun 2002 13:58:40 -0000 1.19 +++ auth2-chall.c 2 Jul 2002 02:19:35 -0000 @@ -40,11 +40,17 @@ #ifdef BSD_AUTH extern KbdintDevice bsdauth_device; +extern KbdintDevice mm_bsdauth_device; #else #ifdef SKEY extern KbdintDevice skey_device; +extern KbdintDevice mm_skey_device; #endif #endif +#ifdef USE_PAM +extern KbdintDevice sshpam_device; +extern KbdintDevice mm_sshpam_device; +#endif KbdintDevice *devices[] = { #ifdef BSD_AUTH @@ -54,6 +60,23 @@ &skey_device, #endif #endif +#ifdef USE_PAM + &sshpam_device, +#endif + NULL +}; + +KbdintDevice *mm_devices[] = { +#ifdef BSD_AUTH + &mm_bsdauth_device, +#else +#ifdef SKEY + &mm_skey_device, +#endif +#ifdef USE_PAM + &mm_sshpam_device, +#endif +#endif NULL }; 
@@ -320,18 +343,8 @@ void privsep_challenge_enable(void) { -#ifdef BSD_AUTH - extern KbdintDevice mm_bsdauth_device; -#endif -#ifdef SKEY - extern KbdintDevice mm_skey_device; -#endif - /* As long as SSHv1 has devices[0] hard coded this is fine */ -#ifdef BSD_AUTH - devices[0] = &mm_bsdauth_device; -#else -#ifdef SKEY - devices[0] = &mm_skey_device; -#endif -#endif + int i; + + for(i = 0; devices[i] != NULL; i++) + devices[i] = mm_devices[i]; } Index: auth2-kbdint.c =================================================================== RCS file: /var/cvs/openssh/auth2-kbdint.c,v retrieving revision 1.1 diff -u -r1.1 auth2-kbdint.c --- auth2-kbdint.c 6 Jun 2002 20:27:56 -0000 1.1 +++ auth2-kbdint.c 2 Jul 2002 02:19:35 -0000 @@ -49,10 +49,6 @@ if (options.challenge_response_authentication) authenticated = auth2_challenge(authctxt, devs); -#ifdef USE_PAM - if (authenticated == 0 && options.pam_authentication_via_kbd_int) - authenticated = auth2_pam(authctxt); -#endif xfree(devs); xfree(lang); #ifdef HAVE_CYGWIN Index: auth2-pam.c =================================================================== RCS file: /var/cvs/openssh/auth2-pam.c,v retrieving revision 1.14 diff -u -r1.14 auth2-pam.c --- auth2-pam.c 28 Jun 2002 16:48:12 -0000 1.14 +++ auth2-pam.c 2 Jul 2002 02:19:35 -0000 
@@ -1,166 +1,382 @@ +/*- + * Modified from code from FreeBSD: + * + * Copyright (c) 2002 Networks Associates Technology, Inc. + * All rights reserved. + * + * This software was developed for the FreeBSD Project by ThinkSec AS and + * NAI Labs, the Security Research Division of Network Associates, Inc. + * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the + * DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD: src/crypto/openssh/auth2-pam.c,v 1.1 2002/03/21 12:18:27 des Exp $ + */ + +/* + * XXX: todo: + * - Make this module handle multiple passes through the PAM + * conversation function. Currently it exits after each reply. + * It should stick around do it can process password change + * requests, etc. + * + * - Conver to buffer_() API instead of SOCK_DGRAM messages + */ + #include "includes.h" -RCSID("$Id: auth2-pam.c,v 1.14 2002/06/28 16:48:12 mouring Exp $"); #ifdef USE_PAM +RCSID("$Id$"); + #include #include "ssh.h" -#include "ssh2.h" #include "auth.h" -#include "auth-pam.h" -#include "packet.h" #include "xmalloc.h" -#include "dispatch.h" #include "log.h" +#include "monitor_wrap.h" + +extern char *__progname; -static int do_pam_conversation_kbd_int(int num_msg, - const struct pam_message **msg, struct pam_response **resp, - void *appdata_ptr); -void input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt); - -struct { - int finished, num_received, num_expected; - int *prompts; - struct pam_response *responses; -} context_pam2 = {0, 0, 0, NULL}; - -static struct pam_conv conv2 = { - do_pam_conversation_kbd_int, - NULL, +struct sshpam_ctxt { + char *user; + pid_t pid; + int sock; + int done; }; -int -auth2_pam(Authctxt *authctxt) +/* + * Send message to parent or child. + */ +static int +sshpam_send(struct sshpam_ctxt *ctxt, char *fmt, ...) { - int retval = -1; - - if (authctxt->user == NULL) - fatal("auth2_pam: internal error: no user"); + va_list ap; + char *mstr, buf[2048]; + size_t len; + int r; + + va_start(ap, fmt); + len = vsnprintf(buf, sizeof(buf), fmt, ap); + va_end(ap); + if (len == -1 || len >= sizeof(buf)) + fatal("sshpam_send: message too long"); + mstr = xstrdup(buf); + if (ctxt->pid != 0) + debug2("to child: %d bytes", len); + r = send(ctxt->sock, mstr, len + 1, MSG_EOR); + free(mstr); + return (r); +} - conv2.appdata_ptr = authctxt; - do_pam_set_conv(&conv2); +/* + * Peek at first byte of next message. 
+ */ +static int +sshpam_peek(struct sshpam_ctxt *ctxt) +{ + char ch; - dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, - &input_userauth_info_response_pam); - retval = (do_pam_authenticate(0) == PAM_SUCCESS); - dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL); + if (recv(ctxt->sock, &ch, 1, MSG_PEEK) < 1) + return (-1); + return (ch); +} - return retval; +/* + * Receive a message from parent or child. + */ +static char * +sshpam_receive(struct sshpam_ctxt *ctxt) +{ + char *buf; + size_t len; + ssize_t rlen; + + len = 64; + buf = NULL; + do { + len *= 2; + buf = xrealloc(buf, len); + rlen = recv(ctxt->sock, buf, len, MSG_PEEK); + if (rlen < 1) { + xfree(buf); + return (NULL); + } + } while (rlen == len); + if (recv(ctxt->sock, buf, len, 0) != rlen) { + xfree(buf); + return (NULL); + } + if (ctxt->pid != 0) + debug2("from child: %s", buf); + return (buf); } +/* + * Conversation function for child process. + */ static int -do_pam_conversation_kbd_int(int num_msg, const struct pam_message **msg, - struct pam_response **resp, void *appdata_ptr) +sshpam_child_conv(int n, + const struct pam_message **msg, + struct pam_response **resp, + void *data) { - int i, j, done; - char *text; + struct sshpam_ctxt *ctxt; + int i; - context_pam2.finished = 0; - context_pam2.num_received = 0; - context_pam2.num_expected = 0; - context_pam2.prompts = xmalloc(sizeof(int) * num_msg); - context_pam2.responses = xmalloc(sizeof(struct pam_response) * num_msg); - memset(context_pam2.responses, 0, sizeof(struct pam_response) * num_msg); - - text = NULL; - for (i = 0, context_pam2.num_expected = 0; i < num_msg; i++) { - int style = PAM_MSG_MEMBER(msg, i, msg_style); - switch (style) { - case PAM_PROMPT_ECHO_ON: + ctxt = data; + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + if ((*resp = calloc(n, sizeof(struct pam_response))) == NULL) + return (PAM_BUF_ERR); + for (i = 0; i < n; ++i) { + resp[i]->resp_retcode = 0; + resp[i]->resp = NULL; + switch (msg[i]->msg_style) { case 
PAM_PROMPT_ECHO_OFF: - context_pam2.num_expected++; + sshpam_send(ctxt, "p%s", msg[i]->msg); + resp[i]->resp = sshpam_receive(ctxt); + break; + case PAM_PROMPT_ECHO_ON: + sshpam_send(ctxt, "P%s", msg[i]->msg); + resp[i]->resp = sshpam_receive(ctxt); break; - case PAM_TEXT_INFO: case PAM_ERROR_MSG: - default: - /* Capture all these messages to be sent at once */ - message_cat(&text, PAM_MSG_MEMBER(msg, i, msg)); + /*sshpam_send(ctxt, "e%s", msg[i]->msg);*/ break; + case PAM_TEXT_INFO: + /*sshpam_send(ctxt, "i%s", msg[i]->msg);*/ + break; + default: + goto fail; } } - - if (context_pam2.num_expected == 0) - return PAM_SUCCESS; - - packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST); - packet_put_cstring(""); /* Name */ - packet_put_cstring(""); /* Instructions */ - packet_put_cstring(""); /* Language */ - packet_put_int(context_pam2.num_expected); - - for (i = 0, j = 0; i < num_msg; i++) { - int style = PAM_MSG_MEMBER(msg, i, msg_style); - - /* Skip messages which don't need a reply */ - if (style != PAM_PROMPT_ECHO_ON && style != PAM_PROMPT_ECHO_OFF) - continue; - - context_pam2.prompts[j++] = i; - if (text) { - message_cat(&text, PAM_MSG_MEMBER(msg, i, msg)); - packet_put_cstring(text); - text = NULL; - } else - packet_put_cstring(PAM_MSG_MEMBER(msg, i, msg)); - packet_put_char(style == PAM_PROMPT_ECHO_ON); + return (PAM_SUCCESS); + fail: + while (i--) { + if (resp[i]->resp) { + memset(resp[i]->resp, '\0', strlen(resp[i]->resp)); + free(resp[i]->resp); + } } - packet_send(); - packet_write_wait(); + free(*resp); + *resp = NULL; + return (PAM_CONV_ERR); +} +/* + * Child process. 
+ */ +static void * +sshpam_child(struct sshpam_ctxt *ctxt) +{ + struct pam_conv conv = { sshpam_child_conv, ctxt }; + pam_handle_t *sshpamh; + int err; + + err = pam_start(SSHD_PAM_SERVICE, ctxt->user, &conv, &sshpamh); + if (err != PAM_SUCCESS) + goto auth_fail; + err = pam_authenticate(sshpamh, 0); + if (err != PAM_SUCCESS) + goto auth_fail; + err = pam_acct_mgmt(sshpamh, 0); + if (err != PAM_SUCCESS) + goto auth_fail; +#if 0 /* - * Grabbing control of execution and spinning until we get what - * we want is probably rude, but it seems to work properly, and - * the client *should* be in lock-step with us, so the loop should - * only be traversed once. + * Can't switch this on until we can handle multiple passes through + * the conversation function */ - while(context_pam2.finished == 0) { - done = 1; - dispatch_run(DISPATCH_BLOCK, &done, appdata_ptr); - if (context_pam2.finished == 0) - debug("extra packet during conversation"); - } - - if (context_pam2.num_received == context_pam2.num_expected) { - *resp = context_pam2.responses; - return PAM_SUCCESS; - } else - return PAM_CONV_ERR; + err = pam_acct_mgmt(sshpamh, 0); + if (err == PAM_NEW_AUTHTOK_REQD) + err = pam_chauthtok(sshpamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (err != PAM_SUCCESS) + goto auth_fail; +#endif + sshpam_send(ctxt, "=OK"); + pam_end(sshpamh, err); + exit(0); + + auth_fail: + sshpam_send(ctxt, "!%s", pam_strerror(sshpamh, err)); + pam_end(sshpamh, err); + exit(0); } -void -input_userauth_info_response_pam(int type, u_int32_t seqnr, void *ctxt) +void * +sshpam_init_ctx(Authctxt *authctxt) { - Authctxt *authctxt = ctxt; - unsigned int nresp = 0, rlen = 0, i = 0; - char *resp; - - if (authctxt == NULL) - fatal("input_userauth_info_response_pam: no authentication context"); + struct sshpam_ctxt *ctxt; + int socks[2]; + int i; + + debug3("PAM kbd-int init ctx"); + + ctxt = xmalloc(sizeof *ctxt); + ctxt->user = xstrdup(authctxt->user); + ctxt->done = 0; + if (socketpair(AF_UNIX, SOCK_DGRAM, PF_UNSPEC, 
socks) == -1) { + error("%s: failed create sockets: %s", + __func__, strerror(errno)); + xfree(ctxt); + return (NULL); + } + if ((ctxt->pid = fork()) == -1) { + error("%s: failed to fork auth-pam child: %s", + __func__, strerror(errno)); + close(socks[0]); + close(socks[1]); + xfree(ctxt); + return (NULL); + } + if (ctxt->pid == 0) { + /* close everything except our end of the pipe */ + ctxt->sock = socks[1]; + for (i = 0; i < getdtablesize(); ++i) + if (i != ctxt->sock) + close(i); + sshpam_child(ctxt); + /* not reached */ + exit(1); + } + ctxt->sock = socks[0]; + close(socks[1]); + return (ctxt); +} - nresp = packet_get_int(); /* Number of responses. */ - debug("got %d responses", nresp); +int +sshpam_query(void *ctx, char **name, char **info, + u_int *num, char ***prompts, u_int **echo_on) +{ + struct sshpam_ctxt *ctxt = ctx; + char *msg; + debug3("PAM kbd-int query"); - if (nresp != context_pam2.num_expected) - fatal("%s: Received incorrect number of responses " - "(expected %d, received %u)", __func__, - context_pam2.num_expected, nresp); + if ((msg = sshpam_receive(ctxt)) == NULL) + return (-1); + *name = xstrdup(""); + *info = xstrdup(""); + *prompts = xmalloc(sizeof(char *)); + *echo_on = xmalloc(sizeof(u_int)); + switch (*msg) { + case 'P': /* Prompt with echo */ + case 'p': /* Prompt without echo */ + *num = 1; + **prompts = xstrdup(msg + 1); + **echo_on = (*msg == 'P'); + break; + case '=': /* Result */ + *num = 0; + **echo_on = 0; + ctxt->done = 1; + break; + case '!': /* Error */ + error("%s", msg + 1); + default: + *num = 0; + **echo_on = 0; + xfree(msg); + ctxt->done = -1; + return (-1); + } + xfree(msg); + return (0); +} - if (nresp > 100) - fatal("%s: too many replies", __func__); +int +sshpam_respond(void *ctx, u_int num, char **resp) +{ + struct sshpam_ctxt *ctxt = ctx; + char *msg; - for (i = 0; i < nresp; i++) { - int j = context_pam2.prompts[i]; + debug3("PAM kbd-int %d responses", num); - resp = packet_get_string(&rlen); - 
context_pam2.responses[j].resp_retcode = PAM_SUCCESS; - context_pam2.responses[j].resp = xstrdup(resp); - xfree(resp); - context_pam2.num_received++; + debug2(__func__); + switch (ctxt->done) { + case 1: + return (0); + case 0: + break; + default: + return (-1); + } + if (num != 1) { + error("expected one response, got %u", num); + return (-1); } + sshpam_send(ctxt, "%s", *resp); + switch (sshpam_peek(ctxt)) { + case 'P': /* Prompt with echo */ + case 'p': /* Prompt with no echo */ + return (1); + case '=': /* Result */ + msg = sshpam_receive(ctxt); + xfree(msg); + ctxt->done = 1; + return (0); + default: /* Error */ + msg = sshpam_receive(ctxt); + if (*msg == '!') + error("%s", msg + 1); + xfree(msg); + ctxt->done = -1; + return (-1); + } +} + +void +sshpam_free_ctx(void *ctxtp) +{ + struct sshpam_ctxt *ctxt = ctxtp; - context_pam2.finished = 1; + debug3("Freeing PAM kbd-int ctx"); - packet_check_eom(); + close(ctxt->sock); + kill(ctxt->pid, SIGHUP); + /* XXX: wait()? */ + xfree(ctxt->user); + xfree(ctxt); } -#endif + +KbdintDevice sshpam_device = { + "pam", + sshpam_init_ctx, + sshpam_query, + sshpam_respond, + sshpam_free_ctx +}; + +KbdintDevice mm_sshpam_device = { + "pam", + mm_sshpam_init_ctx, + mm_sshpam_query, + mm_sshpam_respond, + mm_sshpam_free_ctx +}; + +#endif /* USE_PAM */ Index: auth2-pam.h =================================================================== RCS file: auth2-pam.h diff -N auth2-pam.h --- auth2-pam.h 9 Feb 2001 01:55:36 -0000 1.2 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,8 +0,0 @@ -/* $Id: auth2-pam.h,v 1.2 2001/02/09 01:55:36 djm Exp $ */ - -#include "includes.h" -#ifdef USE_PAM - -int auth2_pam(Authctxt *authctxt); - -#endif /* USE_PAM */ Index: auth2.c =================================================================== RCS file: /var/cvs/openssh/auth2.c,v retrieving revision 1.107 diff -u -r1.107 auth2.c --- auth2.c 21 Jun 2002 06:21:11 -0000 1.107 +++ auth2.c 2 Jul 2002 02:19:35 -0000 
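Review bot: the auth_fail label in sshpam_child is reached from a failed pam_start(), where sshpamh has never been set, and it then hands that uninitialised handle to pam_strerror(sshpamh, err) and pam_end(sshpamh, err); report the pam_start() failure on its own (send a fixed "!pam_start failed" message and exit) and only call pam_end() once pam_start() has succeeded. In sshpam_query the '!' case falls into default with no /* FALLTHROUGH */ comment, and on that -1 return the freshly allocated *name, *info, *prompts and *echo_on are never released (mm_answer_sshpamquery only frees them when res != -1); either free them before returning or document that the caller must. The XXX in sshpam_free_ctx is a real problem: the child gets SIGHUP but is never waited for, so every kbd-int attempt leaves a zombie behind the privileged monitor.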
@@ -85,10 +85,6 @@ /* challenge-response is implemented via keyboard interactive */ if (options.challenge_response_authentication) options.kbd_interactive_authentication = 1; - if (options.pam_authentication_via_kbd_int) - options.kbd_interactive_authentication = 1; - if (use_privsep) - options.pam_authentication_via_kbd_int = 0; dispatch_init(&dispatch_protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); Index: monitor.c =================================================================== RCS file: /var/cvs/openssh/monitor.c,v retrieving revision 1.22 diff -u -r1.22 monitor.c --- monitor.c 27 Jun 2002 00:12:58 -0000 1.22 +++ monitor.c 2 Jul 2002 02:19:36 -0000 @@ -118,6 +118,17 @@ #ifdef USE_PAM int mm_answer_pam_start(int, Buffer *); +int mm_answer_sshpam_init_ctx(int, Buffer *); +int mm_answer_sshpamquery(int, Buffer *); +int mm_answer_sshpamrespond(int, Buffer *); +int mm_answer_sshpam_free_ctx(int, Buffer *); + +static void *sshpam_auth_ctxt = NULL; /* Local state for PAM kbd-int device */ + +extern void *sshpam_init_ctx(Authctxt *); +extern int sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); +extern int sshpam_respond(void *, u_int , char **); +extern void sshpam_free_ctx(void *); #endif static Authctxt *authctxt; @@ -155,7 +166,11 @@ {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, #ifdef USE_PAM + {MONITOR_REQ_PAM_INIT_CTX, MON_ONCE, mm_answer_sshpam_init_ctx}, {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, + {MONITOR_REQ_PAMQUERY, MON_ISAUTH, mm_answer_sshpamquery}, + {MONITOR_REQ_PAMRESPOND, MON_AUTH, mm_answer_sshpamrespond}, + {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE, mm_answer_sshpam_free_ctx}, #endif #ifdef BSD_AUTH {MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery}, 
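Review bot: MONITOR_REQ_PAM_INIT_CTX is registered MON_ONCE here, but mm_answer_sshpamrespond later in this patch frees the context and sets sshpam_auth_ctxt back to NULL after every response, and mm_answer_sshpamquery fatal()s when it finds a NULL context; a client whose first keyboard-interactive attempt fails and then tries again cannot re-create the context, and the retry takes the whole monitor down with "No PAM kbd-int auth context" instead of getting a second prompt. Make the entry MON_ISAUTH like MONITOR_REQ_BSDAUTHQUERY, or re-permit it from the respond/free handlers. On the declarations hunk just above: the four extern prototypes for sshpam_* belong in a header (auth2-pam.h, which this patch deletes, would do) rather than being hand-written in monitor.c, where a later signature change will not be caught by the compiler.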
@@ -199,6 +214,13 @@ #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif +#ifdef USE_PAM + {MONITOR_REQ_PAM_INIT_CTX, 0, mm_answer_sshpam_init_ctx}, + {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, + {MONITOR_REQ_PAMQUERY, MON_ISAUTH, mm_answer_sshpamquery}, + {MONITOR_REQ_PAMRESPOND, MON_AUTH, mm_answer_sshpamrespond}, + {MONITOR_REQ_PAM_FREE_CTX, 0, mm_answer_sshpam_free_ctx}, +#endif {0, 0, NULL} }; 
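Review bot: MONITOR_REQ_PAM_START ends up registered twice in this table, because the new #ifdef USE_PAM block repeats the {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start} entry that the existing block directly above already contains; drop the duplicate line or fold the four new entries into the existing block. The flags also disagree with the protocol-2 table: MONITOR_REQ_PAM_INIT_CTX and MONITOR_REQ_PAM_FREE_CTX are MON_ONCE there but 0 here, so one of the two is wrong, and a comment should say which policy is intended.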
@@ -731,6 +753,100 @@ xfree(user); + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_INIT_CTX, 1); + + return (0); +} + +int +mm_answer_sshpam_init_ctx(int socket, Buffer *m) +{ + debug3("%s: entering", __func__); + + if (sshpam_auth_ctxt == NULL) + sshpam_auth_ctxt = sshpam_init_ctx(authctxt); + + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1); + + return (0); +} + +int +mm_answer_sshpamquery(int socket, Buffer *m) +{ + char *name, *infotxt; + u_int numprompts; + u_int *echo_on; + char **prompts; + int res; + + if (sshpam_auth_ctxt == NULL) + fatal("%s: No PAM kbd-int auth context", __func__); + + res = sshpam_query(sshpam_auth_ctxt, &name, &infotxt, &numprompts, + &prompts, &echo_on); + + if (res != -1) + debug3("%s: challenge %s", __func__, prompts[0]); + + buffer_clear(m); + buffer_put_int(m, res); + if (res != -1) + buffer_put_cstring(m, prompts[0]); + + debug3("%s: sending PAM challenge res: %d", __func__, res); + mm_request_send(socket, MONITOR_ANS_PAMQUERY, m); + + if (res != -1) { + xfree(name); + xfree(infotxt); + xfree(prompts); + xfree(echo_on); + } + + return (0); +} + +int +mm_answer_sshpamrespond(int socket, Buffer *m) +{ + char *response, *rs[1]; + int authok; + + if (sshpam_auth_ctxt == NULL) + fatal("%s: No PAM kbd-int auth context", __func__); + + response = buffer_get_string(m, NULL); + rs[0] = response; + + authok = sshpam_respond(sshpam_auth_ctxt, 1, rs); + debug3("%s: <%s> = <%d>", __func__, response, authok); + xfree(response); + + buffer_clear(m); + buffer_put_int(m, authok); + + debug3("%s: sending authenticated: %d", __func__, authok == 0); + mm_request_send(socket, MONITOR_ANS_PAMRESPOND, m); + + auth_method = "pam"; + + sshpam_free_ctx(sshpam_auth_ctxt); + sshpam_auth_ctxt = NULL; + + return (authok == 0); +} + + +int +mm_answer_sshpam_free_ctx(int socket, Buffer *m) +{ + debug3("%s: entering", __func__); + + if (sshpam_auth_ctxt != NULL) + sshpam_free_ctx(sshpam_auth_ctxt); + + sshpam_auth_ctxt = NULL; return (0); } #endif 
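Review bot: mm_answer_sshpamrespond tears the context down unconditionally (sshpam_free_ctx() followed by sshpam_auth_ctxt = NULL) after a single response, but sshpam_respond returns 1 to mean "another prompt follows"; on that path the child is killed mid-conversation, the next MONITOR_REQ_PAMQUERY hits the fatal("No PAM kbd-int auth context"), and any PAM stack that asks more than one question (or the pam_chauthtok pass the #if 0 block anticipates) cannot work through privsep. Free the context only when authok is 0 or -1. Two more points in this hunk: mm_answer_sshpam_init_ctx ignores that sshpam_init_ctx() returns NULL when socketpair() or fork() fails, so a transient resource failure becomes a later fatal() rather than an authentication failure; and mm_answer_sshpamquery puts only res and prompts[0] into the reply, so the echo flag never reaches mm_sshpam_query on the unprivileged side and PAM_PROMPT_ECHO_ON prompts are presented as no-echo. Add buffer_put_int(m, echo_on[0]) after the prompt and read it back in the wrapper (prompts[0] itself is also never freed here, only the array).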
@@ -1149,6 +1265,10 @@ /* Turn on permissions for getpwnam */ monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1); + +#ifdef USE_PAM + monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1); +#endif return (0); } Index: monitor.h =================================================================== RCS file: /var/cvs/openssh/monitor.h,v retrieving revision 1.8 diff -u -r1.8 monitor.h --- monitor.h 11 Jun 2002 16:42:49 -0000 1.8 +++ monitor.h 2 Jul 2002 02:19:36 -0000 @@ -39,6 +39,10 @@ MONITOR_REQ_BSDAUTHRESPOND, MONITOR_ANS_BSDAUTHRESPOND, MONITOR_REQ_SKEYQUERY, MONITOR_ANS_SKEYQUERY, MONITOR_REQ_SKEYRESPOND, MONITOR_ANS_SKEYRESPOND, + MONITOR_REQ_PAM_INIT_CTX, + MONITOR_REQ_PAMQUERY, MONITOR_ANS_PAMQUERY, + MONITOR_REQ_PAMRESPOND, MONITOR_ANS_PAMRESPOND, + MONITOR_REQ_PAM_FREE_CTX, MONITOR_REQ_KEYALLOWED, MONITOR_ANS_KEYALLOWED, MONITOR_REQ_KEYVERIFY, MONITOR_ANS_KEYVERIFY, MONITOR_REQ_KEYEXPORT, Index: monitor_wrap.c =================================================================== RCS file: /var/cvs/openssh/monitor_wrap.c,v retrieving revision 1.13 diff -u -r1.13 monitor_wrap.c --- monitor_wrap.c 27 Jun 2002 00:23:03 -0000 1.13 +++ monitor_wrap.c 2 Jul 2002 02:19:36 -0000 
@@ -830,6 +830,85 @@ return ((authok == 0) ? -1 : 0); } +void * +mm_sshpam_init_ctx(struct Authctxt *authctxt) +{ + Buffer m; + + debug3("%s: entering", __func__); + + buffer_init(&m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAM_INIT_CTX, &m); + + return (authctxt); +} + +int +mm_sshpam_query(void *ctx, char **name, char **infotxt, + u_int *numprompts, char ***prompts, u_int **echo_on) +{ + Buffer m; + int res; + char *challenge; + + debug3("%s: entering", __func__); + + buffer_init(&m); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAMQUERY, &m); + + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_PAMQUERY, &m); + res = buffer_get_int(&m); + if (res == -1) { + debug3("%s: no challenge", __func__); + buffer_free(&m); + return (-1); + } + + /* Get the challenge, and format the response */ + challenge = buffer_get_string(&m, NULL); + buffer_free(&m); + + debug3("%s: received challenge: %s", __func__, challenge); + + mm_chall_setup(name, infotxt, numprompts, prompts, echo_on); + + (*prompts)[0] = challenge; + + return (0); +} + +int +mm_sshpam_respond(void *ctx, u_int numresponses, char **responses) +{ + Buffer m; + int authok; + + debug3("%s: entering", __func__); + if (numresponses != 1) + return (-1); + + buffer_init(&m); + buffer_put_cstring(&m, responses[0]); + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_PAMRESPOND, &m); + + mm_request_receive_expect(pmonitor->m_recvfd, + MONITOR_ANS_PAMRESPOND, &m); + + authok = buffer_get_int(&m); + buffer_free(&m); + + return (authok); +} + +void +mm_sshpam_free_ctx(void *ctxtp) +{ + /* + * Dummy function to fill out KbdintDevice struct. 
The acutal + * freeing of the ctxt is done automatically on auth completion + */ +} + void mm_ssh1_session_id(u_char session_id[16]) { Index: monitor_wrap.h =================================================================== RCS file: /var/cvs/openssh/monitor_wrap.h,v retrieving revision 1.6 diff -u -r1.6 monitor_wrap.h --- monitor_wrap.h 13 May 2002 01:07:42 -0000 1.6 +++ monitor_wrap.h 2 Jul 2002 02:19:36 -0000 @@ -83,6 +83,12 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_skey_respond(void *, u_int, char **); +/* pam */ +void *mm_sshpam_init_ctx(struct Authctxt *); +int mm_sshpam_query(void *, char **, char **, u_int *, char ***, u_int **); +int mm_sshpam_respond(void *, u_int, char **); +void mm_sshpam_free_ctx(void *); + /* zlib allocation hooks */ void *mm_zalloc(struct mm_master *, u_int, u_int); Index: servconf.c =================================================================== RCS file: /var/cvs/openssh/servconf.c,v retrieving revision 1.93 diff -u -r1.93 servconf.c --- servconf.c 25 Jun 2002 03:22:04 -0000 1.93 +++ servconf.c 2 Jul 2002 02:19:36 -0000 @@ -55,10 +55,6 @@ { memset(options, 0, sizeof(*options)); - /* Portable-specific options */ - options->pam_authentication_via_kbd_int = -1; - - /* Standard Options */ options->num_ports = 0; options->ports_from_cmdline = 0; options->listen_addrs = NULL; @@ -130,11 +126,6 @@ void fill_default_server_options(ServerOptions *options) { - /* Portable-specific options */ - if (options->pam_authentication_via_kbd_int == -1) - options->pam_authentication_via_kbd_int = 0; - - /* Standard Options */ if (options->protocol == SSH_PROTO_UNKNOWN) options->protocol = SSH_PROTO_1|SSH_PROTO_2; if (options->num_host_key_files == 0) { 
@@ -271,9 +262,6 @@ /* Keyword tokens. */ typedef enum { sBadOption, /* == unknown option */ - /* Portable-specific options */ - sPAMAuthenticationViaKbdInt, - /* Standard Options */ sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime, sPermitRootLogin, sLogFacility, sLogLevel, sRhostsAuthentication, sRhostsRSAAuthentication, sRSAAuthentication, @@ -307,9 +295,6 @@ const char *name; ServerOpCodes opcode; } keywords[] = { - /* Portable-specific options */ - { "PAMAuthenticationViaKbdInt", sPAMAuthenticationViaKbdInt }, - /* Standard Options */ { "port", sPort }, { "hostkey", sHostKeyFile }, { "hostdsakey", sHostKeyFile }, /* alias */ @@ -453,12 +438,6 @@ charptr = NULL; opcode = parse_token(arg, filename, linenum); switch (opcode) { - /* Portable-specific options */ - case sPAMAuthenticationViaKbdInt: - intptr = &options->pam_authentication_via_kbd_int; - goto parse_flag; - - /* Standard Options */ case sBadOption: return -1; case sPort: Index: servconf.h =================================================================== RCS file: /var/cvs/openssh/servconf.h,v retrieving revision 1.49 diff -u -r1.49 servconf.h --- servconf.h 21 Jun 2002 01:09:47 -0000 1.49 +++ servconf.h 2 Jul 2002 02:19:36 -0000 @@ -130,7 +130,6 @@ char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; - int pam_authentication_via_kbd_int; } ServerOptions; void initialize_server_options(ServerOptions *); Index: sshd_config =================================================================== RCS file: /var/cvs/openssh/sshd_config,v retrieving revision 1.52 diff -u -r1.52 sshd_config --- sshd_config 27 Jun 2002 16:59:51 -0000 1.52 +++ sshd_config 2 Jul 2002 02:19:36 -0000 
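Review bot: dropping "PAMAuthenticationViaKbdInt" from keywords[] means any existing sshd_config that still sets it now resolves to sBadOption, for which the keyword parser returns -1, so sshd rejects its old configuration after the upgrade; keep the keyword for a release as an accepted-and-ignored (deprecated) token that logs a notice, and mention the removal in the release notes. The matching sshd_config hunk below is fine once the parser tolerates the old keyword.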
@@ -69,10 +69,6 @@ # Kerberos TGT Passing only works with the AFS kaserver #KerberosTgtPassing no -# Set this to 'yes' to enable PAM keyboard-interactive authentication -# Warning: enabling this may bypass the setting of 'PasswordAuthentication' -#PAMAuthenticationViaKbdInt no - #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes From djm at mindrot.org Tue Jul 2 12:37:40 2002 From: djm at mindrot.org (Damien Miller) Date: 02 Jul 2002 12:37:40 +1000 Subject: RTFM Help on Privilege Separation Programming In-Reply-To: References: Message-ID: <1025577460.28716.25.camel@xenon> On Mon, 2002-07-01 at 13:58, Michael Krivacek wrote: > > Hi, > > This my first try at programming with OpenSSH. I am working on > porting Securid Authentication to OpenSSH. I have been using the > current code for S/Key support as my basis for what I need to > modify. The non-privileged code seemed fairly straightforward on > what was needed for each of the KbdintDevice functions (i.e. > init_ctx, query, respond, etc) I have a system that works pretty > well for non-privilege separation mode. > > Now I am trying to get my mind around the separation mode > function requirements. Can one safely say that the S/Key code > is complete in the portable 3.4.0p1 release? Have a look at the PAM kbd-int patch that I just posted for a working example of how to hook up a kbd-int module through privsep. -d From djm at mindrot.org Tue Jul 2 12:53:50 2002 
From: djm at mindrot.org (Damien Miller) Date: 02 Jul 2002 12:53:50 +1000 Subject: TO SYMMETRY AND ASYMMETRY-----NOW ADD SUPERSYMMETRY In-Reply-To: <000701c21fbc$d8cfb980$35ee68cf@Koerner> References: <000701c21fbc$d8cfb980$35ee68cf@Koerner> Message-ID: <1025578430.28700.28.camel@xenon> On Sun, 2002-06-30 at 08:32, Carla Koerner Hein wrote: > Open Letter to Developers, > > Is there any way you can cut through the mob scene at > Homeland Defense with a powerful new encryption/decryption > formula? The government cryptography bunch are stuck in > symmetry and asymmetry and are deaf/dumb/blind to > supersymmetry. Thanks, you just made my day... -d From bugzilla-daemon at mindrot.org Tue Jul 2 18:02:04 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 2 Jul 2002 18:02:04 +1000 (EST) Subject: [Bug 328] starting sshd yeilds PRNG not seeded Message-ID: <20020702080204.B3FA9E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=328 ------- Additional Comments From djm at mindrot.org 2002-07-02 18:02 ------- You will need to supply a fair bit more information: 1. How did you configure OpenSSH? (The "./configure" commandline and the summary it prints would be sufficient) 2. How have you configured OpenSSL? Has it been built or configured to use EGD itself? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Jul 2 18:02:57 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 2 Jul 2002 18:02:57 +1000 (EST) Subject: [Bug 328] starting sshd yeilds PRNG not seeded Message-ID: <20020702080257.2C79DE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=328 ------- Additional Comments From djm at mindrot.org 2002-07-02 18:02 ------- If you are running the built-in PRNG support, try also running "ssh-rand-helper -v -v -v" from the commandline. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Jul 2 18:21:29 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 2 Jul 2002 18:21:29 +1000 (EST) Subject: [Bug 327] monitor_fdpass.c: Expected 1 got 1075033556 - Privilege Separation Message-ID: <20020702082129.3B696E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=327 ------- Additional Comments From dazo at netcom.no 2002-07-02 18:21 ------- The message I receive is: mm_receive_fd: expected type 1 got nnnnnnnn I added a little more debugging to be sure, and I'm 100% sure that the program fails in line 117 in the monitor_fdpass.c file. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From manik.surtani at conchango.com Tue Jul 2 19:34:07 2002 
From: manik.surtani at conchango.com (Manik Surtani) Date: Tue, 02 Jul 2002 10:34:07 +0100 Subject: Silly question on DH key exch in ssh Message-ID: <3D21738F.5070406@conchango.com> Hey all. Apologies if this is the wrong place to post this question. I'm developing an open source Java SSH (v2) client API, and need a bit of help. 1) After receiving the KEXDH_RESPONSE packet, reading SSH Transport Layer Protocol (March 2002), Section 5.2, Output from Key Exchange: do I assume that, in HASH (K || H || "A" || session_id), H is a mpint? The spec states that K is a mpint but doesn't specify for H. 2) Also, how do I communicate my public key to the server? From the spec, I gather that the next packet to send is a SSH_MSG_NEWKEYS with no data following ... am I wrong? Help is very much appreciated... -- Manik Surtani Conchango 'Innovative Change in Business' T 44 (0) 1784 221829 M 44 (0) 7786 702 706 E manik.surtani at conchango.com http://www.conchango.com The information contained in this message is confidential and is intended for the addressee only. If you have received this message in error, please notify us as soon as possible. The unauthorised use, disclosure, copying or alteration of this message is forbidden. _____________________________________________________________________ This message has been checked for all known viruses by the MessageLabs Virus Control Centre. From markus at openbsd.org Tue Jul 2 19:44:20 2002 
From: markus at openbsd.org (Markus Friedl) Date: Tue, 2 Jul 2002 11:44:20 +0200 Subject: Silly question on DH key exch in ssh In-Reply-To: <3D21738F.5070406@conchango.com> References: <3D21738F.5070406@conchango.com> Message-ID: <20020702094420.GB179@faui02> check kexdh.c in the openssh source. On Tue, Jul 02, 2002 at 10:34:07AM +0100, Manik Surtani wrote: > Hey all. > > Apologies if this is the wrong place to post this question. > > I'm developing an open source Java SSH (v2) client API, and need a bit > of help. > > 1) After receiving the KEXDH_RESPONSE packet, reading SSH Transport > Layer Protocol (March 2002), Section 5.2, Output from Key Exchange: do > I assume that, in HASH (K || H || "A" || session_id), H is a mpint? The > spec states that K is a mpint but doesn't specify for H. > > 2) Also, how do I communicate my public key to the server? From the > spec, I gather that the next packet to send is a SSH_MSG_NEWKEYS with no > data following ... am I wrong? > > Help is very much appreciated... > > -- > Manik Surtani > Conchango > 'Innovative Change in Business' > > T 44 (0) 1784 221829 > M 44 (0) 7786 702 706 > E manik.surtani at conchango.com > > http://www.conchango.com > > The information contained in this message is confidential and is > intended for the addressee only. If you have received this message in > error, please notify us as soon as possible. The unauthorised use, > disclosure, copying or alteration of this message is forbidden. > > > _____________________________________________________________________ > This message has been checked for all known viruses by the MessageLabs > Virus Control Centre. > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From markus at openbsd.org Tue Jul 2 20:39:56 2002 
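The derivation Manik asks about, as an added example that is not part of the thread and not OpenSSH's kexdh.c: under RFC 4253 (the published form of the draft he cites) only K is encoded as an mpint, while H is the raw exchange-hash bytes, "A" is a single byte and session_id is raw. The mpint encoder is checked against the RFC's own test values, the extension rule covers ciphers needing more key than one HASH output, and the K and H values used at the bottom are constructed.

```python
import hashlib

# Added example, not code from the thread or from OpenSSH's kexdh.c.
# RFC 4253 section 5 (mpint) and section 7.2 (Output from Key Exchange):
# in HASH(K || H || "A" || session_id) only K is an mpint; H, "A" and
# session_id go in as raw bytes.


def ssh_mpint(n: int) -> bytes:
    """Encode an integer as an SSH mpint: uint32 length, then the shortest
    two's-complement big-endian byte string.  A leading 0x00 is added when
    the top bit of a positive value would otherwise read as a sign bit, and
    zero is encoded as an empty (zero-length) string."""
    if n == 0:
        body = b""
    else:
        magnitude_bits = n.bit_length() if n > 0 else (-n - 1).bit_length()
        # one extra bit for the sign, rounded up to whole bytes
        body = n.to_bytes(magnitude_bits // 8 + 1, "big", signed=True)
    return len(body).to_bytes(4, "big") + body


def _hash(hash_name: str, data: bytes) -> bytes:
    """HASH negotiated in KEXINIT (sha1 for diffie-hellman-group1-sha1)."""
    return hashlib.new(hash_name, data).digest()


def ssh_derive_key(hash_name: str, K: int, H: bytes, letter: bytes,
                   session_id: bytes, need: int) -> bytes:
    """RFC 4253 7.2 key derivation, including the extension rule
    K1 = HASH(K || H || X || session_id), K2 = HASH(K || H || K1),
    K3 = HASH(K || H || K1 || K2), ... for keys longer than one digest."""
    if len(letter) != 1 or letter not in b"ABCDEF":
        raise ValueError("letter must be one of A..F")
    k_mpint = ssh_mpint(K)          # K as mpint, H as raw bytes
    key = _hash(hash_name, k_mpint + H + letter + session_id)
    while len(key) < need:
        key += _hash(hash_name, k_mpint + H + key)
    return key[:need]


def derive_first_exchange_keys(hash_name: str, K: int, H: bytes) -> dict:
    """On the first key exchange session_id is H itself.  Returns the six
    values a client needs once SSH_MSG_NEWKEYS has been exchanged, keyed
    by RFC letter: A/B IVs, C/D cipher keys, E/F MAC keys (sizes here are
    for aes128-cbc with hmac-sha1)."""
    sizes = {b"A": 16, b"B": 16, b"C": 16, b"D": 16, b"E": 20, b"F": 20}
    return {letter: ssh_derive_key(hash_name, K, H, letter, H, size)
            for letter, size in sizes.items()}


if __name__ == "__main__":
    # Constructed sample values: a real K is the DH shared secret and H the
    # exchange hash over the KEXINIT payloads, host key, e, f and K.
    K = 0x9A378F9B2E332A7
    H = _hash("sha1", b"constructed exchange hash input")
    for letter, key in derive_first_exchange_keys("sha1", K, H).items():
        print(letter.decode(), key.hex())
```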
From: markus at openbsd.org (Markus Friedl) Date: Tue, 2 Jul 2002 12:39:56 +0200 Subject: hostbased authentication problem in 3.4 In-Reply-To: <20020628153500.GA18644@cad.gatech.edu> References: <20020628153500.GA18644@cad.gatech.edu> Message-ID: <20020702103956.GE3566@folly> On Fri, Jun 28, 2002 at 11:35:00AM -0400, Vincent Fox wrote: > I am seeing the same issues as another recent post, hostbased > authentication in 3.4p1 not seeming to work. I tried the ssh-keysign.c > patch posted, didn't seem to fix the problem. this is a known bug, check this for a patch: http://bugzilla.mindrot.org/show_bug.cgi?id=304 this will be fixed in 3.5, sorry. From dtucker at zip.com.au Tue Jul 2 22:10:37 2002 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 02 Jul 2002 22:10:37 +1000 Subject: AIX usrinfo() cleanup. References: <3D1949CD.B4225432@zip.com.au> <20020628225856.D17901@greenie.muc.de> Message-ID: <3D21983D.B96EAB41@zip.com.au> Gert Doering wrote: > On Fri, Jun 28, 2002 at 12:03:15PM -0500, Ben Lindstrom wrote: > > I'm more in favor of totally dumping TTY= setting until someone screams. > > If you ask me: drop it, and throw out junky code. If someone besides us > needs usrinfo (and we do not use TTY=) they will complain. That's my vote too. At the moment I don't know of any affected programs. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From barel_bhai at yahoo.com Tue Jul 2 22:30:40 2002 
From: barel_bhai at yahoo.com (raam raam) Date: Tue, 2 Jul 2002 05:30:40 -0700 (PDT) Subject: Version Information In-Reply-To: <20020702080257.2C79DE881@shitei.mindrot.org> Message-ID: <20020702123040.20412.qmail@web20507.mail.yahoo.com> Hi All As in the drafts there is compatibility for older versions. Please tell me what versions are available, as I saw the first version as 1.5. Best Regards Barel __________________________________________________ Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com From mgc8 at totalnet.ro Tue Jul 2 22:48:50 2002 
From: mgc8 at totalnet.ro (Mihnea-Costin Grigore) Date: Tue, 2 Jul 2002 15:48:50 +0300 (EEST) Subject: 3.4p1: 'buffer_append_space: alloc 10506240 not supported' In-Reply-To: <20020701235139.A71075@melusine.cuivre.fr.eu.org> Message-ID: On Mon, 1 Jul 2002, Thomas Quinot wrote: > I have been trying to install 3.4p1 on a number of machines. > Servers on ia64 Linux, i386 Linux and SPARC Solaris are all working > like charms. On the other hand, I am having trouble at least with > HPUX 11, DEC OSF 5.1 and Unixware: on all those systems, sshd bails > out after authentication with an error in buffer_append_space. I think this is the same problem that I encountered and wrote about in the message from July 1st ("Memory allocation gone awry with OpenSSH 3.(3,4)p1")... It is the same pattern: first we authenticate ok: > debug1: monitor_child_preauth: quinot has been authenticated by > privileged process [...snip...] > buffer_append_space: alloc 10506240 not supported Then the server tries to alloc. way too much memory and dies. Obviously, this bug affects more systems and should be treated with some attention... I'd be willing to help, as soon as someone points me in the right direction (there are more details as to what I already tried/found out, in the original message)... Regards, -- Mihnea-Costin Grigore [ "Tenebus Ipsilo Ibinem Catehens" ] E-mail: mgc8 at totalnet.ro Home Page: http://mgc8.virtualave.net From markus at openbsd.org Tue Jul 2 23:04:10 2002 From: markus at openbsd.org (Markus Friedl) Date: Tue, 2 Jul 2002 15:04:10 +0200 Subject: 3.4p1: 'buffer_append_space: alloc 10506240 not supported' In-Reply-To: <20020701235139.A71075@melusine.cuivre.fr.eu.org> References: <20020701235139.A71075@melusine.cuivre.fr.eu.org> Message-ID: <20020702130410.GA28308@faui02> can you provide sshd -ddd output, too? From thomas at cuivre.fr.eu.org Tue Jul 2 23:14:55 2002 
From: thomas at cuivre.fr.eu.org (Thomas Quinot) Date: Tue, 2 Jul 2002 15:14:55 +0200 Subject: 3.4p1: 'buffer_append_space: alloc 10506240 not supported' In-Reply-To: <20020702130410.GA28308@faui02>; from markus@openbsd.org on Tue, Jul 02, 2002 at 03:04:10PM +0200 References: <20020701235139.A71075@melusine.cuivre.fr.eu.org> <20020702130410.GA28308@faui02> Message-ID: <20020702151455.A54647@melusine.cuivre.fr.eu.org> On 2002-07-02, Markus Friedl wrote: > can you provide sshd -ddd output, too? See below. Additionally, disabling compression seems to work around the problem (this is a bit strange -- I thought I had tried that...), at least in the UnixWare case. Thomas. debug3: Seeding PRNG from /usr/local/libexec/ssh-rand-helper debug1: sshd version OpenSSH_3.4p1 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /usr/local/etc/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug1: Bind to port 2222 on 0.0.0.0. Server listening on 0.0.0.0 port 2222. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. 
Connection from 10.10.0.140 port 3349 debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 Debian 1:3.4p1-0.0woody1 debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-0.0woody1 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_3.4p1 debug2: Network child is on pid 22482 debug3: preauth child monitor started debug3: mm_request_receive entering debug3: privsep user:group 102:60001 debug1: list_hostkey_types: ssh-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at 
debug1: fd 8 setting O_NONBLOCK
debug1: fd 10 setting O_NONBLOCK
debug1: server_init_dispatch_20
buffer_append_space: alloc 10506240 not supported
debug1: Calling cleanup 0x807e3ec(0x0)
debug1: Calling cleanup 0x807e3ec(0x0)

--
Thomas.Quinot at Cuivre.FR.EU.ORG

From bugzilla-daemon at mindrot.org Tue Jul 2 23:31:23 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Jul 2002 23:31:23 +1000 (EST)
Subject: [Bug 124] Terminal hangs when data is streaming to it...
Message-ID: <20020702133123.20587E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=124

------- Additional Comments From leigh at solinno.co.uk 2002-07-02 23:31 -------
Created an attachment (id=126)
AIX trace of ssh session hanging during output

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Jul 2 23:58:58 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 2 Jul 2002 23:58:58 +1000 (EST)
Subject: [Bug 124] Terminal hangs when data is streaming to it...
Message-ID: <20020702135858.27970E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=124

------- Additional Comments From leigh at solinno.co.uk 2002-07-02 23:58 -------
This bug has been annoying me for months. I have been doing some further
investigation over the last couple of days, including tracing the hang, which I
have just added as an attachment.

All my testing has been done using 3.4p1 running on AIX 4.3.3 ML08 (and ML09).
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f.

Output generation command: perl -e 'while(1){print"O","X"x78}'
This command hangs in under 2 seconds for me.

Test results
------------
(openssh means the above version, ssh2 means ssh.com v3.1.2 CLIENT)

rlogin testserver -> openssh localhost -> generate output -> HANG
telnet testserver -> openssh localhost -> generate output -> HANG
openssh testserver -> generate output -> okay
openssh testserver -> openssh localhost -> generate output -> okay
rlogin testserver -> ssh2 localhost -> generate output -> okay

From markus at openbsd.org Tue Jul 2 23:37:28 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 2 Jul 2002 15:37:28 +0200
Subject: scp not tolerant of extraneous shell messages
In-Reply-To: 
References: 
Message-ID: <20020702133728.GA23781@folly>

On Mon, Jul 01, 2002 at 12:22:33PM -0500, Ben Lindstrom wrote:
> You are really looking for sftp which has no shell dependencies.

no, sftp has, but a lot of things have.

of course you can hack magic things into sftp/sftp-server
and discard the output from .profile.

-m

From dan at doxpara.com Wed Jul 3 01:48:57 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Tue, 02 Jul 2002 08:48:57 -0700
Subject: scp not tolerant of extraneous shell messages
References: <20020702133728.GA23781@folly>
Message-ID: <3D21CB69.50809@doxpara.com>

>> You are really looking for sftp which has no shell dependencies.
>
> no, sftp has, but a lot of things have.
>
> of course you can hack magic things into sftp/sftp-server
> and discard the output from .profile.

Markus--

Why should sftp-server have any shell dependency at all? I was under the
impression the whole point of the subsystem interface was to finally gain
independence from the vagaries of the shell. Indeed, poking through the code,
session.c:1630 looks like it's executing the command directly...just a straight
do_exec(s, cmd). So how is the shell still coming through w/ init strings?

--Dan

From markus at openbsd.org Wed Jul 3 01:41:11 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 2 Jul 2002 17:41:11 +0200
Subject: scp not tolerant of extraneous shell messages
In-Reply-To: <3D21CB69.50809@doxpara.com>
References: <20020702133728.GA23781@folly> <3D21CB69.50809@doxpara.com>
Message-ID: <20020702154111.GC9035@faui02>

On Tue, Jul 02, 2002 at 08:48:57AM -0700, Dan Kaminsky wrote:
> Why should sftp-server have any shell dependency at all? I was
> under the impression the whole point of the subsystem interface was to
> finally gain independence from the vagaries of the shell.

more people think the shell should always be involved.

otherwise you can still sftp if the shell is set
to /bin/false for example.

-m

From mouring at etoh.eviladmin.org Wed Jul 3 01:32:42 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 2 Jul 2002 10:32:42 -0500 (CDT)
Subject: scp not tolerant of extraneous shell messages
In-Reply-To: <20020702154111.GC9035@faui02>
Message-ID: 

On Tue, 2 Jul 2002, Markus Friedl wrote:
> On Tue, Jul 02, 2002 at 08:48:57AM -0700, Dan Kaminsky wrote:
> > Why should sftp-server have any shell dependency at all? I was
> > under the impression the whole point of the subsystem interface was to
> > finally gain independence from the vagaries of the shell.
>
> more people think the shell should always be involved.
>
> otherwise you can still sftp if the shell is set
> to /bin/false for example.
>

Only way around it would be trusting /etc/shells

- Ben

From Nicolas.Williams at ubsw.com Wed Jul 3 01:57:41 2002
From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com)
Date: Tue, 2 Jul 2002 11:57:41 -0400
Subject: scp not tolerant of extraneous shell messages
Message-ID: <17D3D857B26112409EA372EB0AFE39DD125F25@NSTMC005PEX1.ubsgs.ubsgroup.net>

On Tue, 2 Jul 2002, Ben Lindstrom wrote:
> On Tue, 2 Jul 2002, Markus Friedl wrote:
> > more people think the shell should always be involved.
> >
> > otherwise you can still sftp if the shell is set
> > to /bin/false for example.
>
> Only way around it would be trusting /etc/shells

You still need to execute the shell because of environmental issues, some of
which can't be handled through mechanisms provided by OpenSSH (e.g., umask).
The umask could be made settable through auth_keys options or other ~/.ssh
mechanisms, but even so, that would mean that users would have to set up such
things in multiple locations and, in any case, it really would be surprising
if shell initialization were not done at all (it's certainly a very useful
thing).

Why can't users learn? This is really a FAQ and you could probably automate
the closing of bug reports filed about it :) :)

Years ago I must have made the same mistake - heck, I remember making the
mistake of writing test.c, compiling, running "test" and nothing happening.
Yeah, let's rename /bin/test, yeah - oh and change all the shells too (after
they stop working :) - NOT.

This is just another Unix-ism - we learn to live with and to love it because
there is expressive power implied within that we don't want to give up.

So please keep using the shell to invoke sub-system servers.

> - Ben

Cheers,

Nico
--

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and delete
this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as
information could be intercepted, corrupted, lost, destroyed, arrive late or
incomplete, or contain viruses. The sender therefore does not accept liability
for any errors or omissions in the contents of this message which arise as a
result of e-mail transmission. If verification is required please request a
hard-copy version. This message is provided for informational purposes and
should not be construed as a solicitation or offer to buy or sell any
securities or related financial instruments.

From mouring at etoh.eviladmin.org Wed Jul 3 01:58:29 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 2 Jul 2002 10:58:29 -0500 (CDT)
Subject: scp not tolerant of extraneous shell messages
In-Reply-To: <17D3D857B26112409EA372EB0AFE39DD125F25@NSTMC005PEX1.ubsgs.ubsgroup.net>
Message-ID: 

On Tue, 2 Jul 2002 Nicolas.Williams at ubsw.com wrote:
> On Tue, 2 Jul 2002, Ben Lindstrom wrote:
> > On Tue, 2 Jul 2002, Markus Friedl wrote:
> > > more people think the shell should always be involved.
> > >
> > > otherwise you can still sftp if the shell is set
> > > to /bin/false for example.
> >
> > Only way around it would be trusting /etc/shells
>
> You still need to execute the shell because of environmental
> issues, some of which can't be handled through mechanisms
> provided by OpenSSH (e.g., umask). The umask could be made
> settable through auth_keys options or other ~/.ssh mechanisms,
> but even so, that would mean that users would have to set up
> such things in multiple locations and, in any case, it really
> would be surprising if shell initialization were not done at
> all (it's certainly a very useful thing).
>

umask can and is ignored by some sftp clients. Mainly ones that are Windows
based. Mainly SSH Corp derived last I checked (a year ago).

So you are trusting that the software on the other side honors umask which is
a false thing to do since some sftp clients propagate their beliefs (real or
fictional) of what the permissions should be.

- Ben

From Nicolas.Williams at ubsw.com Wed Jul 3 02:21:10 2002
From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com)
Date: Tue, 2 Jul 2002 12:21:10 -0400
Subject: scp not tolerant of extraneous shell messages
Message-ID: <17D3D857B26112409EA372EB0AFE39DD125F28@NSTMC005PEX1.ubsgs.ubsgroup.net>

I spoke of sub-systems generally - sftp may or may not care about umask
settings - other sub-systems might in fact care.

Nico
--

On Tue, 2 Jul 2002, Ben Lindstrom wrote:
> umask can and is ignored by some sftp clients. Mainly ones that are
> Windows based. Mainly SSH Corp derived last I checked (a year ago).
>
> So you are trusting that the software on the other side
> honors umask which
> is a false thing to do since some sftp clients propagate their beliefs
> (real or fictional) of what the permissions should be.
>
> - Ben
>

From mouring at etoh.eviladmin.org Wed Jul 3 02:16:45 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 2 Jul 2002 11:16:45 -0500 (CDT)
Subject: scp not tolerant of extraneous shell messages
In-Reply-To: <17D3D857B26112409EA372EB0AFE39DD125F28@NSTMC005PEX1.ubsgs.ubsgroup.net>
Message-ID: 

On Tue, 2 Jul 2002 Nicolas.Williams at ubsw.com wrote:
>
> I spoke of sub-systems generally - sftp may or may not care
> about umask settings - other sub-systems might in fact care.
>

Which would be a flaw in the subsystem application that was written. Unless
you know for a fact that subsystem will *NEVER* be implemented on a non-UNIX
based platform.

In reality, file permissions should be set by the application or by the
end-user that is connecting. To do so otherwise is non-portable.

After saying that, I still agree that the user's shell needs to be run. =)
Because it's the correct way for UNIX to handle things.

From ed at UDel.Edu Wed Jul 3 02:33:55 2002
From: ed at UDel.Edu (Ed Phillips)
Date: Tue, 2 Jul 2002 12:33:55 -0400 (EDT)
Subject: PAMAuthenticationViaKbdInt no
Message-ID: 

If I set it to "no", should I still be able to log in with a typed-in
password? I get messages such as these:

---
Jul 2 12:23:39 remedy.udel.edu sshd[6811]: [ID 800047 local4.debug] debug1: userauth-request for user ed service ssh-connection method password
Jul 2 12:23:39 remedy.udel.edu sshd[6811]: [ID 800047 local4.debug] debug1: attempt 1 failures 1
Jul 2 12:23:39 remedy.udel.edu sshd[6811]: [ID 800047 local4.debug] debug2: input_userauth_request: try method password
Jul 2 12:23:39 remedy.udel.edu sshd[6811]: [ID 800047 local4.debug] debug1: PAM Password authentication accepted for user "ed"
Jul 2 12:23:39 remedy.udel.edu sshd[6811]: [ID 800047 local4.info] Accepted password for ed from 128.175.1.9 port 33485 ssh2
---

What is a typical example of PAM "challenge response" authentication as
referred to in sshd(8) under the explanation for "PAMAuthenticationViaKbdInt"?

Just a sanity check...

Thanks,

Ed

Ed Phillips                             University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

From bugzilla-daemon at mindrot.org Wed Jul 3 02:45:35 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 3 Jul 2002 02:45:35 +1000 (EST)
Subject: [Bug 329] New: gmake install prefix=... does not work with the privsep-path
Message-ID: <20020702164535.023CEE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=329

Summary: gmake install prefix=... does not work with the privsep-path
Product: Portable OpenSSH
Version: -current
Platform: MIPS
OS/Version: IRIX
Status: NEW
Severity: normal
Priority: P2
Component: Build system
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: wolfgang.dautermann at fh-joanneum.at

To build a package I do

./configure --prefix=/somewhere ...
gmake
gmake install prefix=/tmp/installroot

And then usually a "cd /tmp/installroot ; find ." gives you the files which
openssh would install and which should be included in the Package.

That does not work with 3.4p1 because
(a) the configure-option "--prefix" does not influence the
    "--with-privsep-path" Option (which it should be, I believe)
(b) The prefix in the command "gmake install prefix=/tmp/installroot" does not
    respect the "prefix=..."-option when creating the privsep-path:

$ gmake install prefix=/tmp/installroot
[...]
mkdir /tmp/installroot/man/man8
./mkinstalldirs /tmp/installroot/libexec
mkdir /tmp/installroot/libexec
./mkinstalldirs /var/empty
mkdir /var/empty
Cannot create directory "/var/empty": Permission denied
[...]

Package building would be easier if the "prefix" option would work for the
privsep-path.

Bye, Wolfgang

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From binder at arago.de Wed Jul 3 03:01:42 2002
From: binder at arago.de (Thomas Binder)
Date: Tue, 2 Jul 2002 19:01:42 +0200
Subject: [Bug 329] New: gmake install prefix=... does not work with the privsep-path
In-Reply-To: <20020702164535.023CEE881@shitei.mindrot.org>; from bugzilla-daemon@mindrot.org on Wed, Jul 03, 2002 at 02:45:35AM +1000
References: <20020702164535.023CEE881@shitei.mindrot.org>
Message-ID: <20020702190142.A1797923@ohm.arago.de>

Hi!

On Wed, Jul 03, 2002 at 02:45:35AM +1000, bugzilla-daemon at mindrot.org wrote:
> To build a package I do
>
> ./configure --prefix=/somewhere ...
> gmake
> gmake install prefix=/tmp/installroot
>
> And then usually a "cd /tmp/installroot ; find ." gives you the files which
> openssh would install and which should be included in the Package.
>
> That does not work with 3.4p1 because
> (a) the configure-option "--prefix" does not influence the
> "--with-privsep-path" Option (which it should be, I believe)
> (b) The prefix in the command "gmake install prefix=/tmp/installroot" does not
> respect the "prefix=..."-option when creating the privsep-path:
> [...]
>
> Package building would be easier if the "prefix" option would work for the
> privsep-path.

You actually want to use

gmake install DESTDIR=/tmp/installroot

Overriding prefix is not the correct way to install into a temporary
directory.

Ciao

Thomas

--
The opulence of the front office door varies inversely with the fundamental
solvency of the firm.

From bugzilla-daemon at mindrot.org Wed Jul 3 03:10:02 2002
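The staging failure in the bug 329 report and the DESTDIR answer above, as an added shell example (not OpenSSH's Makefile): a constructed dry-run model of the install step's directory creation, in which prefix-derived directories follow a `prefix=` override but PRIVSEP_PATH, fixed once by configure, does not, plus the pre-packaging check a packager would run to catch a tree that escapes the staging root. Assumed: the `$(DESTDIR)$(dir)` convention of the 3.4p1 Makefile and the default privsep path /var/empty shown in the report's output.

```shell
#!/bin/sh
# Added example (not OpenSSH's Makefile): a constructed dry-run model of
# the directory-creation step of "make install" in 3.4p1. Directories
# derived from prefix follow a "make install prefix=..." override;
# PRIVSEP_PATH is substituted once by configure (--with-privsep-path,
# default /var/empty, as in the report) and is unaffected, which is why
# only DESTDIR= relocates the whole tree.
PRIVSEP_PATH=/var/empty

# install_dirs PREFIX DESTDIR
# Print, one per line, the directories the install step would create,
# using the $(DESTDIR)$(dir) convention assumed from the Makefile.
install_dirs() {
    prefix=$1
    destdir=$2
    exec_prefix=$prefix
    mandir=$prefix/man
    libexecdir=$exec_prefix/libexec
    printf '%s\n' \
        "$destdir$mandir/man8" \
        "$destdir$libexecdir" \
        "$destdir$PRIVSEP_PATH"
}

# escaped_dirs ROOT PREFIX DESTDIR
# Packaging check: print every directory the install would create that
# lies outside ROOT. Returns 0 if the staging root contains everything,
# 1 if some directory escapes (the "mkdir /var/empty" symptom).
escaped_dirs() {
    root=$1
    shift
    escaped=0
    for d in $(install_dirs "$1" "$2"); do
        case $d in
            "$root"/*) ;;
            *) printf '%s\n' "$d"; escaped=$((escaped + 1)) ;;
        esac
    done
    if [ "$escaped" -eq 0 ]; then return 0; else return 1; fi
}

# count_escaped ROOT PREFIX DESTDIR -> number of escaping directories
count_escaped() {
    escaped_dirs "$@" | grep -c . || true
}

# Dry run of both command lines from the report. Nothing is created.
echo "gmake install prefix=/tmp/installroot:"
echo "  directories outside /tmp/installroot: $(count_escaped /tmp/installroot /tmp/installroot '')"
escaped_dirs /tmp/installroot /tmp/installroot '' || true
echo "gmake install DESTDIR=/tmp/installroot (configured --prefix=/somewhere):"
echo "  directories outside /tmp/installroot: $(count_escaped /tmp/installroot /somewhere /tmp/installroot)"
```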
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 3 Jul 2002 03:10:02 +1000 (EST)
Subject: [Bug 329] gmake install prefix=... does not work with the privsep-path
Message-ID: <20020702171002.E94F6E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=329

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From mouring at eviladmin.org 2002-07-03 03:09 -------
use DESTDIR=

prefix= is not a valid solution to your problem.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Nicolas.Williams at ubsw.com Wed Jul 3 03:11:41 2002
From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com)
Date: Tue, 2 Jul 2002 13:11:41 -0400
Subject: scp not tolerant of extraneous shell messages
Message-ID: <17D3D857B26112409EA372EB0AFE39DD14978D@NSTMC005PEX1.ubsgs.ubsgroup.net>

On Tue, 2 Jul 2002, Ben Lindstrom wrote:
> On Tue, 2 Jul 2002 Nicolas.Williams at ubsw.com wrote:
> > I spoke of sub-systems generally - sftp may or may not care
> > about umask settings - other sub-systems might in fact care.
>
> Which would be a flaw in the subsystem application that was written.
> Unless you know for a fact that subsystem will *NEVER* be
> implemented on a
> non-UNIX based platform.

By using the shell to launch the sub-system you win platform independence with
respect to setting of umask. Q.E.D.

As for other sub-systems and their use of permissions: there is nothing wrong
with assuming that ACLs/umasks/whatever are set correctly and that new files
created by a sub-system will therefore inherit the correct permissions. To do
otherwise would defeat useful mechanisms for setting default permissions
(possibly in context-sensitive ways, as with ACLs, which can be inherited from
a file's containing directory)

> In reality, file permissions should be set by the application
> or by the
> end-user that is connecting. To do so otherwise is non-portable.

The setting of file permissions itself varies from platform to platform. Some
apps should indeed set permissions directly (e.g., package managers) and some
should not (because having file perms set by directory ACLs or process umasks
can be a very useful thing) and some should give the user the option (I
believe this ought to include file transfer applications [and protocols]).

> After saying that, I still agree that the user's shell needs
> to be run.
> =) Because it's the correct way for UNIX to handle things.

Good. :)

Nico
--
From egarff at omniture.com Wed Jul 3 03:14:08 2002
From: egarff at omniture.com (Eric Garff)
Date: 02 Jul 2002 11:14:08 -0600
Subject: Hang when run via crond
Message-ID: <1025630048.7155.30.camel@egarff.superstats.com>

Greetings,

I apologize if this has been answered before, but I have tried to do the
obligatory search and haven't found a clear answer.

Running OpenSSH 3.4 (well, pretty much any version) using protocol 2 and run
via crond we see the connection never "close", "end", or whatever you wish to
call it. This is running on a "modified" RedHat 6.2 machine. configure
arguments are as follows:

./configure --sysconfdir=/etc --with-tcp-wrappers --without-pam --with-ssl-dir=/usr/local/src/openssl-0.9.5a --with-md5-passwords

Any help is appreciated, and once again, I apologize if this is a redundant
question.

Thanks,

--
Eric Garff
System Administrator
egarff at omniture.com
801.722.0134

Omniture
http://www.omniture.com
"Unique Questions, Precise Answers"

From dan at doxpara.com Wed Jul 3 03:33:22 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Tue, 02 Jul 2002 10:33:22 -0700
Subject: scp not tolerant of extraneous shell messages
References: 
Message-ID: <3D21E3E2.2080208@doxpara.com>

> After saying that, I still agree that the user's shell needs to be run.
> =) Because it's the correct way for UNIX to handle things.

OK, so I modify my .profile to execute arbitrary commands. Look mah, every time
I access a file on a machine, it's "implied" that I have the right to execute
stuff on it too.

You *do* realize this is the kind of logic that's cursed us with macro virii,
right?

*Sigh* SFTP executes from lower security (command execution) to higher security
(file exchange). It's actually less secure than FTP.

The fix involves detecting an SFTP client in the connection headers, launching
an SSHD that refuses to do anything *but* run sftp-server, and removing all
exec style functionality from it. That gives us a clean file transfer
environment w/ SSH-class comm security.

--Dan

From Nicolas.Williams at ubsw.com Wed Jul 3 03:30:55 2002
From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com)
Date: Tue, 2 Jul 2002 13:30:55 -0400
Subject: scp not tolerant of extraneous shell messages
Message-ID: <17D3D857B26112409EA372EB0AFE39DD125F2A@NSTMC005PEX1.ubsgs.ubsgroup.net>

On Tue, July 02 2002, Dan Kaminsky wrote:
> OK, so I modify my .profile to execute arbitrary commands. Look mah,
> every time I access a file on a machine, it's "implied" that
> I have the
> right to execute stuff on it too.
>
> You *do* realize this is the kind of logic that's cursed us
> with macro
> virii, right?

No. I don't see the connection to macro virii.

> *Sigh* SFTP executes from lower security (command execution)
> to higher
> security (file exchange). It's actually less secure than FTP.

A lot of things work this way. As long as the shell command line is built
securely and the shell setup (including /etc/profile and ~/.profile) is secure
there is nothing wrong.

Yes, users can shoot their feet and legs off if you let them.

Use a restricted shell if you must.

Perhaps SSHD should be configurable with respect to how sub-systems are
started - in fact, I don't see why it shouldn't be so (though someone is bound
to complain about code and config option bloat...).

> The fix involves detecting an SFTP client in the connection headers,
> launching an SSHD that refuses to do anything *but* run
> sftp-server, and
> removing all exec style functionality from it. That gives us a clean
> file transfer environment w/ SSH-class comm security.

You can't detect the client's intention to run SFTP until after the SSHv2
connection setup, which kinda means you must run SSHD first.

> --Dan

Nico
--
From dan at doxpara.com Wed Jul 3 04:06:54 2002
From: dan at doxpara.com (Dan Kaminsky)
Date: Tue, 02 Jul 2002 11:06:54 -0700
Subject: scp not tolerant of extraneous shell messages
References: <17D3D857B26112409EA372EB0AFE39DD125F2A@NSTMC005PEX1.ubsgs.ubsgroup.net>
Message-ID: <3D21EBBE.5010608@doxpara.com>

> No. I don't see the connection to macro virii.

My apologies, I thought it was more obvious.

I open a file. I want to read what it has to say. I want to see its images,
understand its material, possibly modify it myself.

I don't want it to read what *I* have to say, though. I don't want it to see my
images, my material, and absolutely not modify my material.

By sending a mail onto this mailing list, I inserted myself into hundreds,
maybe thousands of file systems throughout the world. For good or bad, I've
been granted the capability to write to a limited subset of the data stores of
others. I suspect that ability would be revoked quite rapidly if I could
execute arbitrary commands with it.

The separation between document and executable goes down to psychology -- that
which I learn is not that which I do. Microsoft wrote large portions of their
"knowledge exchange system" (Word) in an executable language; it's why the
platform is quite virus ridden now. They're suffering similarly using Internet
Explorer as their default viewer in Outlook Express.

> A lot of things work this way. As long as the shell command
> line is built securely and the shell setup (including
> /etc/profile and ~/.profile) is secure there is nothing wrong.

Oh? Name an FTPD that does. Just one.

How bout a web server? Yes, web servers do allow execution through shells.
That's essentially CGI, which isn't mandatory, isn't enabled by default, and is
always kept a separate and vaguely dangerous segment of the system. For good
reason.

> Yes, users can shoot their feet and legs off if you let them.

Unfortunately, users are trying to shoot my feet and legs off. They modify
their .profile to run an exploit that hacks my file server and trojans my data.

> Use a restricted shell if you must.

Restricted shells have always been somewhat irrelevant; they fail in Windows
due to excess complexity and they fail in Unix because everything and its
mother can open subshells (lynx, vi, emacs, sftp-server, etc.)

> Perhaps SSHD should be configurable with respect to how sub-
> systems are started - in fact, I don't see why it shouldn't be
> so (though someone is bound to complain about code and config
> option bloat...).

Secure by default.

> You can't detect the client's intention to run SFTP until
> after the SSHv2 connection setup, which kinda means you must
> run SSHD first.

Well, it's obvious now that SFTP fails to live up to its first initial as is,
so that leaves us with:

1) SFTP on a different port
2) SFTP detected during client negotiation

Incidentally, if you don't believe my conclusion about SFTP, I offer you the
following thought experiment: Would you rather give me access to an account
through wu-ftpd or sftp?

There are issues, incidentally, with making it easier to define sets of users
that are allowed to sftp in and others that can sftp and ssh in. Maybe we can
do something interesting with AllowGroups.

--Dan

From download at ahpcc.unm.edu Wed Jul 3 04:03:59 2002
From: download at ahpcc.unm.edu (download (Jim Prewett)) Date: Tue, 2 Jul 2002 12:03:59 -0600 (MDT) Subject: pam and openssh Message-ID: All, I'm trying to use PAM to replicate the authorized user functionality in commercial ssh. In the past, I've patched openssh to do this, but I think that solution is fairly ugly (and requires me to patch with each new release of openssh which is really bad). I want to do this:

0. use openssh for all communication with this machine.
1. check a user's identity using their password/key/etc.
2. if /etc/nologin exists, check a file /etc/authuser and if the user is in that file, allow them anyway. If /etc/nologin doesn't exist, allow the user.
3. always allow root to log in (given a correct passwd, key, etc.)

After struggling with several PAM configurations, I put a debug line in session.c and it seems to be overriding PAM! /etc/nologin seems to always be checked by openssh and the session gets closed if it exists (in do_nologin() in session.c in 3.4p1). Is this proper behaviour of openssh? Am I missing something? Thanks for any help you can provide, Jim Prewett

p.s. I'm using a stock RedHat 7.3 GNU/Linux install and openssh is configured like this:

    ./configure --with-privsep-user=nobody --with-tcp-wrappers --with-pam --with-md5-passwords --with-ipv4-default

-------------------------------------------------------------------------------
Don't forget FreeBSD!
-------------------------------------------------------------------------------
From mouring at etoh.eviladmin.org Wed Jul 3 03:52:51 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 2 Jul 2002 12:52:51 -0500 (CDT) Subject: scp not tolerant of extraneous shell messages In-Reply-To: <3D21EBBE.5010608@doxpara.com> Message-ID: [..] > Incidentally, if you don't believe my conclusion about SFTP, I offer you > the following thought experiment: Would you rather give me access to an > account through wu-ftpd or sftp? > > There are issues, incidentally, with making it easier to define sets of > users that are allowed to sftp in and others that can sftp and ssh in. > Maybe we can do something interesting with AllowGroups. > sftp. Because the sftp setup I use forces the user to be chroot() into their ~/WWW directory so they can not modify their ~/.ssh nor any dot files within ~/. Removing executing their shell gains you nothing if you still let them play in the ~/.ssh/ section. I'm really interested in why you allow users to modify your login files for your personal account.=) - Ben From Nicolas.Williams at ubsw.com Wed Jul 3 04:14:10 2002 
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Tue, 2 Jul 2002 14:14:10 -0400 Subject: scp not tolerant of extraneous shell messages In-Reply-To: <3D21EBBE.5010608@doxpara.com>; from dan@doxpara.com on Tue, Jul 02, 2002 at 11:06:54AM -0700 References: <17D3D857B26112409EA372EB0AFE39DD125F2A@NSTMC005PEX1.ubsgs.ubsgroup.net> <3D21EBBE.5010608@doxpara.com> Message-ID: <20020702141409.A528@W0594878> On Tue, Jul 02, 2002 at 11:06:54AM -0700, Dan Kaminsky wrote: > The separation between document and executable goes down to psychology > -- that which I learn is not that which I do. Microsoft wrote large > portions of their "knowledge exchange system"(Word) in an executable > language; it's why the platform is quite virus ridden now. They're > suffering similarly using Internet Explorer as their default viewer in > Outlook Express. SFTP-SERVER won't be executing any of your files just because it's executed by SSHD with an intermediary shell. If you don't want to allow users to modify ~/.profile and do nasty things then don't (see my comment re: restricted shells). So there is no connection to macro virii. > >A lot of things work this way. As long as the shell command > >line is built securely and the shell setup (including > >/etc/profile and ~/.profile) is secure there is nothing wrong. > > > > > Oh? > > Name an FTPD that does. Just one. I didn't claim that FTPD was one. Just that many things are started with "/bin/sh -c ..." (because it's useful). > Unfortunately, users are trying to shoot my feet and legs off. They > modify their .profile to run an exploit that hacks my file server and > trojans my data. Don't let them. I don't see why you'd let them just because you're only letting them do SFTP! > >Use a restricted shell if you must. 
> > > > > Restricted shells have always been somewhat irrelevant; they fail in > Windows due to excess complexity and they fail in Unix because > everything and its mother can open subshells(lynx, vi, emacs, > sftp-server, etc.) Sure, but you're already talking about doing SFTP only. So the shell escapes you mention wouldn't be an issue. > >Perhaps SSHD should be configurable with respect to how sub- > >systems are started - in fact, I don't why why it shouldn't be > >so (though someone is bound to complain about code and config > >option bloat...). > > > > > Secure by default. *shrug* I'm not an OpenSSH developer. > >You can't detect the client's intention to run SFTP until > >after the SSHv2 connection setup, which kinda means you must > >run SSHD first. > > > > > Well, it's obvious now that SFTP fails to live up to its first initial > as is, so that leaves us with: > > 1) SFTP on a different port > 2) SFTP detected during client negotiation > > Incidentally, if you don't believe my conclusion about SFTP, I offer you > the following thought experiment: Would you rather give me access to an > account through wu-ftpd or sftp? I just wouldn't give you an account :) SFTP. And I'd use a restricted shell, and a forced command and you'd never be allowed an interactive shell and you might not even have an account as such but access to a special account for this purpose, like an anonymous FTP setup say. Oops, that brings up chroot - different thread - one of the answers given there was essentially (paraphrasing) "write a user shell which does the chrooting ..." and I think the same applies here. > There are issues, incidentally, with making it easier to define sets of > users that are allowed to sftp in and others that can sftp and ssh in. > Maybe we can do something interesting with AllowGroups. Agreed. I think it would be nice to be able to configure sub-systems in interesting ways through sshd_config... 
And if you could ask that SFTP be exec()ed without a shell intermediary, fine - as long as the other option remains available. > --Dan > Cheers, Nico -- -DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. From dan at doxpara.com Wed Jul 3 04:27:21 2002 
From: dan at doxpara.com (Dan Kaminsky) Date: Tue, 02 Jul 2002 11:27:21 -0700 Subject: scp not tolerant of extraneous shell messages References: Message-ID: <3D21F089.6060901@doxpara.com> > > >sftp. Because the sftp setup I use forces the user to be chroot() into >their ~/WWW directory so they can not modify their ~/.ssh nor any dot >files within ~/. Removing executing their shell gains you nothing if you >still let them play in the ~/.ssh/ section. > > Well, I still get access to your network. Potentially, I might be able to hijack incoming SFTP connections, extract the passwords, and get into other people's shells. Your solution does lock people to passwords, btw :-) And it sure as hell ain't as elegant as "you can write what you want, but we ain't executing any of it from the file transfer system." You'd really take the (honestly) theoretical gain of crypto over the very concrete loss of somebody else being able to run arbitrary code on your machine? >I'm really interested in why you allow users to modify your login files >for your personal account.=) > > Well, personally I equate executable permission with eventual root compromise, but that's just a personal quirk. --Dan From Nicolas.Williams at ubsw.com Wed Jul 3 04:23:23 2002 
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Tue, 2 Jul 2002 14:23:23 -0400 Subject: scp not tolerant of extraneous shell messages In-Reply-To: <3D21F089.6060901@doxpara.com>; from dan@doxpara.com on Tue, Jul 02, 2002 at 11:27:21AM -0700 References: <3D21F089.6060901@doxpara.com> Message-ID: <20020702142322.B528@W0594878> On Tue, Jul 02, 2002 at 11:27:21AM -0700, Dan Kaminsky wrote: > >sftp. Because the sftp setup I use forces the user to be chroot() into > >their ~/WWW directory so they can not modify their ~/.ssh nor any dot > >files within ~/. Removing executing their shell gains you nothing if you > >still let them play in the ~/.ssh/ section. > > > > > Well, I still get access to your network. Potentially, I might be able > to hijack incoming SFTP connections, extract the passwords, and get into > other people's shells. You clearly fail to understand SSHv2 and SFTP. And just because you don't grant direct access to ~/.ssh/authorized_key doesn't mean that you cannot give your users any way to manage their authorized public keys (see below). Besides, I fail to see why giving you access using wu-ftpd wouldn't have the same results if giving you access to sftp would have such results. > Your solution does lock people to passwords, btw :-) And it sure as > hell ain't as elegant as "you can write what you want, but we ain't > executing any of it from the file transfer system." You can still give the users ways to manage their authorized keys, but not let them edit ~/.ssh/authorized_keys (because you might want to force commands or other things). SourceForge lets users manage auth keys through a web interface - you can do the same too. > You'd really take the (honestly) theoretical gain of crypto over the > very concrete loss of somebody else being able to run arbitrary code on > your machine? Again, SFTP-SERVER won't be running client-sent files. It's your job to adequately protect dot files. 
> >I'm really interested in why you allow users to modify your login files > >for your personal account.=) > > > > > Well, personally I equate executable permission with eventual root > compromise, but that's just a personal quirk. See above. > --Dan Nico -- -DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.- From bryanh at giraffe-data.com Wed Jul 3 05:39:57 2002 
From: bryanh at giraffe-data.com (Bryan Henderson) Date: Tue, 02 Jul 2002 19:39:57 +0000 Subject: scp not tolerant of extraneous shell messages In-Reply-To: (mouring@etoh.eviladmin.org) References: Message-ID: >scp is rcp in a ssh wrapper. and rcp will also fail. I don't follow. Are you saying there's value in making scp fail with no meaningful error indication where rcp would do the same? I don't see it. I think making scp successfully transfer a file even though rcp would not would be a good thing. >Fix your startup scripts. I assume the fix you're talking about is making the startup scripts detect that the shell isn't really interactive (I'm not sure how it would) and running the scp command as if it were a shell script instead? Or is it making the shell never produce any output, even when a human is there looking? I don't know if I made it clear, but the shell is smart enough to perform differently in each of the three ways one might start it: 1) a login shell -- in this case, it might issue greetings, read mail, etc.; 2) an interactive non-login shell -- no greetings, but still possible interactions with a human user and environment settings relevant to an interactive session; 3) noninteractive shell -- this is just a program interpreter, so it doesn't do anything but run the commands you feed it. Ssh goes out of its way to create (2), defining a pseudo terminal so that the shell believes it is talking to a person. It can't then turn around and say the shell must understand that there's no person there. If I'm going to make special adjustments to my system to make scp work, it would make more sense just to run a local version of scp that does a better job of emulating a person than to put special cases into my interactive shell. (And that's not a big deal for me -- I'm just trying to save others some trouble). -- Bryan Henderson Phone 408-621-2000 San Jose, California From bryanh at giraffe-data.com Wed Jul 3 05:46:53 2002 
From: bryanh at giraffe-data.com (Bryan Henderson) Date: Tue, 02 Jul 2002 19:46:53 +0000 Subject: scp not tolerant of extraneous shell messages In-Reply-To: (epa98@doc.ic.ac.uk) References: Message-ID: >Perhaps scp could have a special -diagnose option which runs 'echo >hello' at the remote end, and checks that the text received is just >'hello'. That would save unfortunate users a lot of headscratching in >future. That would certainly be a nice thing to do for the users -- though actually harder to do than just making scp act like the terminal emulator download program that it is and just ignore junk before the protocol starts. A middle ground -- not changing the function of scp, but reducing the diagnosis time when people run into this -- is just to fix the error message scp issues when it gets unexpected garbage from the other side. Today, the message is the garbage itself. Attaching a few words of explanation would do wonders. Also, add more narrative to the -v output. In my own debugging effort, I ended up adding several useful messages. >Of course, this is really a suggestion for the rcp program since scp >is just rcp-over-SSH. Again, I'm confused about the connection. I know scp aims to substitute for rcp, but do they actually share code? Would an enhancement to scp have to go into rcp too for engineering purposes? -- Bryan Henderson Phone 408-621-2000 San Jose, California From bugzilla-daemon at mindrot.org Wed Jul 3 05:58:01 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 3 Jul 2002 05:58:01 +1000 (EST) Subject: [Bug 327] monitor_fdpass.c: Expected 1 got 1075033556 - Privilege Separation Message-ID: <20020702195801.536A2E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=327 ------- Additional Comments From jmknoble at pobox.com 2002-07-03 05:57 ------- Use the attached patch (against the openssh-SNAP-20020702 snapshot). An explanation is in the openssh-unix-dev archives: http://www.mindrot.org/pipermail/openssh-unix-dev/2002-June/013903.html ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jul 3 05:59:31 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 3 Jul 2002 05:59:31 +1000 (EST) Subject: [Bug 327] monitor_fdpass.c: Expected 1 got 1075033556 - Privilege Separation Message-ID: <20020702195931.B77EAE8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=327 ------- Additional Comments From jmknoble at pobox.com 2002-07-03 05:59 ------- Created an attachment (id=127) Patch to enable mm_receive_fd() to work under Linux kernel-2.0.x ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bryanh at giraffe-data.com Wed Jul 3 06:13:57 2002 
From: bryanh at giraffe-data.com (Bryan Henderson) Date: Tue, 02 Jul 2002 20:13:57 +0000 Subject: scp not tolerant of extraneous shell messages In-Reply-To: <20020702154111.GC9035@faui02> (markus@openbsd.org) References: <20020702133728.GA23781@folly> <3D21CB69.50809@doxpara.com> <20020702154111.GC9035@faui02> Message-ID: >> Why should sftp-server have any shell dependency at all? I was >> under the impression the whole point of the subsystem interface was to >> finally gain independence from the vagaries of the shell. > >more people think the shell should always be involved. > >otherwise you can still sftp if the shell is set >to /bin/false for example. I haven't used sftp, but I see the same thing Dan does in the code: when you use a subsystem such as sftp, there's no shell. I note that it is possible to use sftp without a subsystem, though, by specifying the sftp server program on the sftp command, and in that case the server program runs under a shell just like scp. A system administrator who sets up users for limited system access (i.e. sets the "shell" in /etc/passwd for some users to something besides a full-access shell), does not enable an sftp subsystem. (He also doesn't run an ftp or cvs daemon, unless he configures it to limit access to particular users). And that's why we have to look at scp even in cases where sftp might look more appropriate. Scp doesn't require any special service or permission on the remote end. And ideally, it wouldn't require the remote end to tailor its regular shell to scp-type things either. -- Bryan Henderson Phone 408-621-2000 San Jose, California From Nicolas.Williams at ubsw.com Wed Jul 3 06:28:44 2002 
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Tue, 2 Jul 2002 16:28:44 -0400 Subject: scp not tolerant of extraneous shell messages In-Reply-To: ; from bryanh@giraffe-data.com on Tue, Jul 02, 2002 at 08:13:57PM +0000 References: <20020702133728.GA23781@folly> <3D21CB69.50809@doxpara.com> <20020702154111.GC9035@faui02> Message-ID: <20020702162844.A530@W0594878> On Tue, Jul 02, 2002 at 08:13:57PM +0000, Bryan Henderson wrote:

> I haven't used sftp, but I see the same thing Dan does in the code:
> when you use a subsystem such as sftp, there's no shell. I note that it
> is possible to use sftp without a subsystem, though, by specifying the
> sftp server program on the sftp command, and in that case the server
> program runs under a shell just like scp.

See session.c:session_subsystem_req(), which calls session.c:do_exec(), which calls session.c:do_exec_no_pty() which calls session.c:do_child(), which, at the very end does this if the session is non-interactive (or, rather, if the variable "command" has a non-null value):

        argv[0] = (char *) cp;
        argv[1] = "-c";
        argv[2] = (char *) command;
        argv[3] = NULL;
        execve(shell, argv, env);
        perror(shell);
        exit(1);

So sub-system servers are executed via a shell - the user's shell. Cheers, Nico -- -DISCLAIMER: an automatically appended disclaimer may follow. By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.-
From thomas at cuivre.fr.eu.org Wed Jul 3 07:04:50 2002 
From: thomas at cuivre.fr.eu.org (Thomas Quinot) Date: Tue, 2 Jul 2002 23:04:50 +0200 Subject: 3.4p1: 'buffer_append_space: alloc 10506240 not supported' In-Reply-To: ; from mgc8@totalnet.ro on Tue, Jul 02, 2002 at 03:48:50PM +0300 References: <20020701235139.A71075@melusine.cuivre.fr.eu.org> Message-ID: <20020702230450.A1241@melusine.cuivre.fr.eu.org> On 2002-07-02, Mihnea-Costin Grigore wrote: > I think this is the same problem that I encountered and written about > in the message from July 1st ("Memory allocation gone awry with OpenSSH > 3.(3,4)p1")... It is the same pattern: Hum, that might well be. I have added some debugging messages (patch attached) and there is something *very* weird going on with that call to inflate(): it seems to produce endless output while not consuming any input at all: debug1: PRE inc_stream.in: 4001d4ee 16 debug1: PRE inc_stream.out: 7b03aca0 4096 debug1: POST inc_stream.in: 4001d4ee 16 debug1: POST inc_stream.out: 7b03bca0 0 [repeated ad lib] so either we pass incorrect data to inflate(), or there is a plain bug in zlib that went undiscovered so far... *** dist/openssh-3.4p1/compress.c Fri Mar 22 02:51:25 2002 --- openssh-3.4p1/compress.c Tue Jul 2 22:57:13 2002 *************** *** 138,144 **** --- 138,154 ---- incoming_stream.next_out = buf; incoming_stream.avail_out = sizeof(buf); + debug ("PRE inc_stream.in: %p %d", incoming_stream.next_in, + incoming_stream.avail_in); + debug ("PRE inc_stream.out: %p %d", incoming_stream.next_out, + incoming_stream.avail_out); + status = inflate(&incoming_stream, Z_PARTIAL_FLUSH); + debug ("POST inc_stream.in: %p %d", incoming_stream.next_in, + incoming_stream.avail_in); + debug ("POST inc_stream.out: %p %d", incoming_stream.next_out, + incoming_stream.avail_out); + switch (status) { case Z_OK: buffer_append(output_buffer, buf, -- Thomas.Quinot at Cuivre.FR.EU.ORG From bryanh at giraffe-data.com Wed Jul 3 07:11:34 2002 
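Review bot: the `%d` conversions in the four added debug() calls are applied to `avail_in`/`avail_out`, which zlib declares as `uInt` (unsigned); use `%u` there, and cast `next_in`/`next_out` to `(void *)` for `%p`, so the output is well-defined on every platform. Since `status` is already in hand right after the `inflate()` call, logging it beside the POST values (e.g. `debug("inflate status: %d", status);`) would show directly whether the loop that keeps producing 4096-byte outputs with `avail_in` stuck at 16 is running on Z_OK or on some other return value, which is the one fact the PRE/POST pairs above cannot tell apart.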
From: bryanh at giraffe-data.com (Bryan Henderson) Date: Tue, 02 Jul 2002 21:11:34 +0000 Subject: scp not tolerant of extraneous shell messages In-Reply-To: <20020702162844.A530@W0594878> (Nicolas.Williams@ubsw.com) References: <20020702133728.GA23781@folly> <3D21CB69.50809@doxpara.com> <20020702154111.GC9035@faui02> <20020702162844.A530@W0594878> Message-ID: >So sub-system servers are executed via a shell - the user's shell. OK, I see. Not sure why I didn't before, unless I was blinded by my fundamental belief that there's some difference between a subsystem and an ordinary command. :-) So what is the essential difference between a subsystem and an ordinary command? I see that the .sshrc doesn't get executed for a subsystem, and that sshd looks up the subsystem program by a special name rather than the client having to supply the filename. Is that it? It doesn't seem like enough to justify the extra concept. Did this maybe work differently in the past? Because the naming of the functions and source code comments such as "Performs common processing for the child ... and executing the command or shell" seem to obscure the fact that the fundamental function of this code is to execute the user's shell, no matter what. -- Bryan Henderson Phone 408-621-2000 San Jose, California From mouring at etoh.eviladmin.org Wed Jul 3 07:04:53 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 2 Jul 2002 16:04:53 -0500 (CDT) Subject: scp not tolerant of extraneous shell messages In-Reply-To: Message-ID: On Tue, 2 Jul 2002, Bryan Henderson wrote: > >So sub-system servers are executed via a shell - the user's shell. > > OK, I see. Not sure why I didn't before, unless I was blinded by my > fundamental belief that there's some difference between a subsystem > and an ordinary command. :-) > > So what is the essential difference between a subsystem and an ordinary > command? I see that the .sshrc doesn't get executed for a subsystem, and > that sshd looks up the subsystem program by a special name rather than > the client having to supply the filename. Is that it? It doesn't seem > like enough to justify the extra concept. > As far as I can figure... SSH Corp got pissed at the 'scp: not found' issue with people not being smart enough to handle pathing right. So they added a bit of bloat to do subsystems. In which all you have to do is say 'Hey, I want service XYZ' and the server knows what you're talking about without depending on any path look up. And thus Subsystems was born in the IETF draft. - Ben From klewall at uvic.ca Wed Jul 3 07:30:13 2002 
From: klewall at uvic.ca (Kim Lewall) Date: Tue, 2 Jul 2002 14:30:13 -0700 (PDT) Subject: ssh_rsa_verify: RSA_verify failed: error: In-Reply-To: Message-ID: Thanks, that seems to have solved it. On Thu, 27 Jun 2002, Ben Lindstrom wrote: > > Try the following patch: > > http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh-keysign.c.diff?r1=1.4&r2=1.5 > > On Thu, 27 Jun 2002, Kim Lewall wrote: > > > Host based authentication does not seem to be working for us after > > upgrading to openssh-3.4p1 (we were at openssh-3.1p1) (openssl is at > > 0.96d). Any time we try to connect from another unix box also running > > openssh-3.4p1, we get the following error (on the server side) and host > > based auth fails (it falls back to password prompt). > > > > sshd[15038]: error: ssh_rsa_verify: RSA_verify failed: > > error:04077068:lib(4):func(119):reason(104) -------------------- Kim Lewall tel 250/721-7650 Systems Programmer klewall at uvic.ca cel 250/213-7887 University of Victoria Cle D039 fax 250/721-8778 From gert at greenie.muc.de Wed Jul 3 07:41:40 2002 
From: gert at greenie.muc.de (Gert Doering) Date: Tue, 2 Jul 2002 23:41:40 +0200 Subject: scp not tolerant of extraneous shell messages In-Reply-To: ; from bryanh@giraffe-data.com on Tue, Jul 02, 2002 at 07:39:57PM +0000 References: Message-ID: <20020702234139.C7293@greenie.muc.de> Hi, On Tue, Jul 02, 2002 at 07:39:57PM +0000, Bryan Henderson wrote: > commands you feed it. Ssh goes out of its way to create (2), defining a > pseudo terminal so that the shell believes it is talking to a > person. It can't then turn around and say the shell must understand that > there's no person there. Ummm. Why do you assume that scp is using a pty? It doesn't do that for me - try running "scp -v", unless it tells something like debug1: Requesting pty. it is not. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From thomas at cuivre.fr.eu.org Wed Jul 3 07:52:00 2002 From: thomas at cuivre.fr.eu.org (Thomas Quinot) Date: Tue, 2 Jul 2002 23:52:00 +0200 Subject: 3.4p1: 'buffer_append_space: alloc 10506240 not supported' In-Reply-To: <20020702130410.GA28308@faui02>; from markus@openbsd.org on Tue, Jul 02, 2002 at 03:04:10PM +0200 References: <20020701235139.A71075@melusine.cuivre.fr.eu.org> <20020702130410.GA28308@faui02> Message-ID: <20020702235200.A15887@melusine.cuivre.fr.eu.org> OK, apparently I had various ancient versions of zlib hanging around. Upgrading them to 1.1.4 resolved the problem. Thomas. -- Thomas.Quinot at Cuivre.FR.EU.ORG From bryanh at giraffe-data.com Wed Jul 3 07:54:41 2002 
From: bryanh at giraffe-data.com (Bryan Henderson) Date: Tue, 02 Jul 2002 21:54:41 +0000 Subject: scp not tolerant of extraneous shell messages In-Reply-To: <20020702234139.C7293@greenie.muc.de> (gert@greenie.muc.de) References: <20020702234139.C7293@greenie.muc.de> Message-ID: >Ummm. Why do you assume that scp is using a pty? >It doesn't do that for me I assume it only because the shell comes up in interactive mode, which it is supposed to do only when standard input and output are terminals. And because that's what Ssh would do normally (i.e. without a command). At least that's what I thought. I'll check it out. -- Bryan Henderson Phone 408-621-2000 San Jose, California From carson at taltos.org Wed Jul 3 08:19:15 2002 
From: carson at taltos.org (Carson Gaspar) Date: Tue, 02 Jul 2002 18:19:15 -0400 Subject: scp not tolerant of extraneous shell messages In-Reply-To: References: Message-ID: <15469874.1025633955@[172.25.113.221]> --On Tuesday, July 02, 2002 7:39 PM +0000 Bryan Henderson wrote: > I assume the fix you're talking about is making the startup scripts detect > that the shell isn't really interactive (I'm not sure how it would) and > running the scp command as if it were a shell script instead? Or is it > making the shell never produce any output, even when a human is there > looking? This is _not_ rocket science. As I said before (but you apparently didn't read):

    if [ -t 1 ]; then
        stuff that outputs to stdout/stderr
    fi

-- Carson From jesus at omniti.com Wed Jul 3 08:29:25 2002 
From: jesus at omniti.com (Theo Schlossnagle) Date: Tue, 02 Jul 2002 18:29:25 -0400 Subject: OpenSSH 3.4p1 and SecurID Message-ID: <3D222945.2050604@omniti.com> I have received many queries as to the status of the SecurID patch for openssh 3.4. I finally found some time in my schedule to port and test. The integrated SecurID patches for OpenSSH version 3.4p1 are now available at the same old place: http://www.omniti.com/~jesus/projects/ The porting effort included moving all auth code to the new privilege separation model. Enjoy. -- Theo Schlossnagle Principal Consultant OmniTI Computer Consulting, Inc. -- http://www.omniti.com/ Phone: +1 301 776 6376 Fax: +1 410 880 4879 1024D/82844984/95FD 30F1 489E 4613 F22E 491A 7E88 364C 8284 4984 2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7 From bugzilla-daemon at mindrot.org Wed Jul 3 09:21:23 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 3 Jul 2002 09:21:23 +1000 (EST) Subject: [Bug 327] monitor_fdpass.c: Expected 1 got 1075033556 - Privilege Separation Message-ID: <20020702232123.396D3E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=327 ------- Additional Comments From dgatwood at apple.com 2002-07-03 09:21 ------- This isn't a security risk from what I can see. It's a risk of reading a bogus file descriptor (or the wrong file descriptor). If somebody can muck with your file descriptors enough to make this a security bug, then they're root already. :-) The fix for this, ideally, should be to detect the bogus value, report a warning in the system log, and continue. If you get a valid file descriptor, then clearly the message is really of the type expected, or else it's garbage. Either way, the worst it can do is maybe provide a really obscure local DOS attack.... As long as there are appropriate warnings in the system log about this being a kernel bug, it seems reasonable to work around it in this way. Please consider adding such a workaround to the official tree. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jul 3 09:30:09 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 3 Jul 2002 09:30:09 +1000 (EST) Subject: [Bug 330] New: Add OPIE support Message-ID: <20020702233009.AF68EE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=330 Summary: Add OPIE support Product: Portable OpenSSH Version: -current Platform: All URL: http://people.freebsd.org/~des/software/opie.diff OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: des at ofug.org The patch referenced by the URL adds support for OPIE as a replacement for S/Key. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From djm at mindrot.org Wed Jul 3 09:48:24 2002 From: djm at mindrot.org (Damien Miller) Date: 03 Jul 2002 09:48:24 +1000 Subject: scp not tolerant of extraneous shell messages In-Reply-To: References: Message-ID: <1025653705.28700.37.camel@xenon> On Wed, 2002-07-03 at 05:46, Bryan Henderson wrote: > >Perhaps scp could have a special -diagnose option which runs 'echo > >hello' at the remote end, and checks that the text received is just > >'hello'. That would save unfortunate users a lot of headscratching in > >future. > > That would certainly be a nice thing to do for the users -- though actually > harder to do than just making scp act like the terminal emulator download > program that it is and just ignore junk before the protocol starts. What is wrong with "ssh somehost /bin/true"? This has long been documented at http://www.openssh.com/faq.html#2.9 -d From bryanh at giraffe-data.com Wed Jul 3 10:05:14 2002 
From: bryanh at giraffe-data.com (Bryan Henderson) Date: Wed, 03 Jul 2002 00:05:14 +0000 Subject: scp not tolerant of extraneous shell messages In-Reply-To: <20020702234139.C7293@greenie.muc.de> (gert@greenie.muc.de) Message-ID: >Ummm. Why do you assume that scp is using a pty? >It doesn't do that for me Aha. The mystery unfolds. Scp is not in fact using a pty; the shell's Standard Input is not a terminal, and the shell does not consider itself to be an interactive shell (per Bash's $- variable). My indication that it is interactive was the fact that it ran .bashrc, which is specifically intended to set up an interactive shell session. I went back to Bash documentation, and found this gem: "Bash attempts to determine when it is being run by the remote shell daemon, usually Rshd. If Bash determines it is being run by Rshd, it reads and executes commands from ~/.bashrc..." It does not say what black magic Bash uses to determine it is being run by Rshd, but it seems reasonable to assume that Ssh/Scp is falling into this trap. This is a major hack in Bash, and I think the most reasonable thing is to unhack it by putting logic in .bashrc to skip the whole thing if the shell is not interactive. That means Scp and Sftp don't have to worry about ignoring messages that are intended for interactive users. I still think it would do more good than harm for them to do so (after all, if Bash is broken, it's broken), but I guess I'm not nearly as righteous about it now. I still have debugging and error message improvements that will make this sort of thing easier to track down; I will submit a patch. -- Bryan Henderson Phone 408-621-2000 San Jose, California From stevev at darkwing.uoregon.edu Wed Jul 3 10:19:52 2002 
From: stevev at darkwing.uoregon.edu (Steve VanDevender) Date: Tue, 2 Jul 2002 17:19:52 -0700 Subject: scp not tolerant of extraneous shell messages In-Reply-To: References: <20020702234139.C7293@greenie.muc.de> Message-ID: <15650.17192.40281.592787@darkwing.uoregon.edu> Bryan Henderson writes: > My indication that it is interactive was the fact that it ran .bashrc, > which is specifically intended to set up an interactive shell session. .bash_login is for interactive login sessions. .bashrc is read by any invocation of bash. This is similar to the distinction between .login and .cshrc in csh. .bashrc should generate no output. Commands invoked in .bash_login can generate output or even prompt for input. From imiller at bsd.uchicago.edu Wed Jul 3 14:03:54 2002 From: imiller at bsd.uchicago.edu (Ian Miller) Date: Tue, 02 Jul 2002 23:03:54 -0500 Subject: opie support? Message-ID: <5.1.0.14.2.20020702230253.02c4d298@huggins.bsd.uchicago.edu> I see that you have s/key support in ssh, any plans to add opie support as well ? just asking .. From bugzilla-daemon at mindrot.org Wed Jul 3 17:32:43 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 3 Jul 2002 17:32:43 +1000 (EST) Subject: [Bug 331] New: ssh w/o privilege separation does not work for non-root users Message-ID: <20020703073243.A6C8FE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=331 Summary: ssh w/o privilege separation does not work for non-root users Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: major Priority: P3 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: norbert.bladt at t-systems.ch Hi, I am trying to use Openssh 3.4p1 in Redhat Linux 6.2 with UsePrivilegeSeparation disabled. As soon as I am using it as user root it works to connect to other systems running older versions of Openssh (2.3.0p1). If I am running this as a user, the following message appears (end of output of ssh -vv appended here): debug1: Found key in /home/norbert/.ssh/known_hosts:72 debug1: Encryption type: blowfish debug1: Sent encrypted session key. debug1: Installing crc compensation attack detector. Disconnecting: Corrupted check bytes on input. debug1: Calling cleanup 0x805ff88(0x0) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jul 3 17:34:24 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 3 Jul 2002 17:34:24 +1000 (EST) Subject: [Bug 331] ssh w/o privilege separation does not work for non-root users Message-ID: <20020703073424.9E156E8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=331 ------- Additional Comments From norbert.bladt at t-systems.ch 2002-07-03 17:34 ------- Forgot to mention the kernel version: 2.2.14-5.0, sorry. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jul 3 17:46:42 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 3 Jul 2002 17:46:42 +1000 (EST) Subject: [Bug 327] monitor_fdpass.c: Expected 1 got 1075033556 - Privilege Separation Message-ID: <20020703074642.6D467E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=327 dazo at netcom.no changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From dazo at netcom.no 2002-07-03 17:46 ------- This seems to work! Thank ya'll! Dazo ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jul 3 18:04:08 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 3 Jul 2002 18:04:08 +1000 (EST) Subject: [Bug 332] New: Authentication failures after updating to 3.4.p1 Message-ID: <20020703080408.034FAE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=332 Summary: Authentication failures after updating to 3.4.p1 Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: tom at daemon.de Recently upgraded to latest 3.4.p1. System is Linux Debian. Compiled from Source, no special flags supplied to configure. Am using the same config file as before and created the sshd user. While root Login is allowed by configuration, sshd refuses root logins. Message is "Failed password for root...". Another user cannot log in either. It is an unprivileged user. He gets the same message, but the password is definitely correct because unchanged. My own account works, it is also unprivileged, but is a member of the group wheel (0). ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From wichert at wiggy.net Wed Jul 3 18:10:35 2002 
From: wichert at wiggy.net (Wichert Akkerman) Date: Wed, 3 Jul 2002 10:10:35 +0200 Subject: opie support? In-Reply-To: <5.1.0.14.2.20020702230253.02c4d298@huggins.bsd.uchicago.edu> References: <5.1.0.14.2.20020702230253.02c4d298@huggins.bsd.uchicago.edu> Message-ID: <20020703081035.GI12377@wiggy.net> Previously Ian Miller wrote: > I see that you have s/key support in ssh, any plans to add opie support as > well ? I wrote a patch for it a while ago, you should be able to find it in the list archives. There seemed to be little interest in merging it though (too bad since s/key is a dead project now). Wichert. -- _________________________________________________________________ /wichert at wiggy.net This space intentionally left occupied \ | wichert at deephackmode.org http://www.liacs.nl/~wichert/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D | From markus at openbsd.org Wed Jul 3 18:11:31 2002 From: markus at openbsd.org (Markus Friedl) Date: Wed, 3 Jul 2002 10:11:31 +0200 Subject: scp not tolerant of extraneous shell messages In-Reply-To: References: <20020702133728.GA23781@folly> <3D21CB69.50809@doxpara.com> <20020702154111.GC9035@faui02> Message-ID: <20020703081130.GA30818@folly> On Tue, Jul 02, 2002 at 08:13:57PM +0000, Bryan Henderson wrote: > >> Why should sftp-server have any shell dependency at all? I was > >> under the impression the whole point of the subsystem interface was to > >> finally gain independence from the vagaries of the shell. > > > >more people think the shell should always be involved. > > > >otherwise you can still sftp if the shell is set > >to /bin/false for example. > > I haven't used sftp, but I see the same thing Dan does in the code: > when you use a subsystem such as sftp, there's no shell. there is a shell involved. the loginshell is used to run the command. From markus at openbsd.org Wed Jul 3 18:25:11 2002 
From: markus at openbsd.org (Markus Friedl) Date: Wed, 3 Jul 2002 10:25:11 +0200 Subject: opie support? In-Reply-To: <20020703081035.GI12377@wiggy.net> References: <5.1.0.14.2.20020702230253.02c4d298@huggins.bsd.uchicago.edu> <20020703081035.GI12377@wiggy.net> Message-ID: <20020703082510.GC18609@faui02> On Wed, Jul 03, 2002 at 10:10:35AM +0200, Wichert Akkerman wrote: > I wrote a patch for it a while ago, you should be able to find it in > the list archives. There seemed to be little interested in merging it > though (too bad since s/key is a dead project now). i think you just need to s/skey/opie/ From wichert at wiggy.net Wed Jul 3 18:54:17 2002 From: wichert at wiggy.net (Wichert Akkerman) Date: Wed, 3 Jul 2002 10:54:17 +0200 Subject: opie support? In-Reply-To: <20020703082510.GC18609@faui02> References: <5.1.0.14.2.20020702230253.02c4d298@huggins.bsd.uchicago.edu> <20020703081035.GI12377@wiggy.net> <20020703082510.GC18609@faui02> Message-ID: <20020703085417.GJ12377@wiggy.net> Previously Markus Friedl wrote: > i think you just need to s/skey/opie/ Not quite, if you do that you will introduce a small security problem (replay attack) and some memory leakage iirc. Wichert. -- _________________________________________________________________ /wichert at wiggy.net This space intentionally left occupied \ | wichert at deephackmode.org http://www.liacs.nl/~wichert/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D | From markus at openbsd.org Wed Jul 3 19:03:34 2002 
From: markus at openbsd.org (Markus Friedl) Date: Wed, 3 Jul 2002 11:03:34 +0200 Subject: opie support? In-Reply-To: <20020703085417.GJ12377@wiggy.net> References: <5.1.0.14.2.20020702230253.02c4d298@huggins.bsd.uchicago.edu> <20020703081035.GI12377@wiggy.net> <20020703082510.GC18609@faui02> <20020703085417.GJ12377@wiggy.net> Message-ID: <20020703090334.GD18609@faui02> On Wed, Jul 03, 2002 at 10:54:17AM +0200, Wichert Akkerman wrote: > Previously Markus Friedl wrote: > > i think you just need to s/skey/opie/ > > Not quite, if you do that you will introduce a small security problem > (replay attack) and some memory leakage iirc. hm, so what are the differences? From wichert at wiggy.net Wed Jul 3 19:15:35 2002 From: wichert at wiggy.net (Wichert Akkerman) Date: Wed, 3 Jul 2002 11:15:35 +0200 Subject: opie support? In-Reply-To: <20020703090334.GD18609@faui02> References: <5.1.0.14.2.20020702230253.02c4d298@huggins.bsd.uchicago.edu> <20020703081035.GI12377@wiggy.net> <20020703082510.GC18609@faui02> <20020703085417.GJ12377@wiggy.net> <20020703090334.GD18609@faui02> Message-ID: <20020703091535.GO12377@wiggy.net> Previously Markus Friedl wrote: > hm, so what are the differences? I'm at work at the moment and don't have them at hand, I'll check my archives at home tonight. You should be able to find the discussion in the openssh-unix-dev archives as well. Wichert. -- _________________________________________________________________ /wichert at wiggy.net This space intentionally left occupied \ | wichert at deephackmode.org http://www.liacs.nl/~wichert/ | | 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0 2805 3CB8 9250 2FA3 BC2D | From bugzilla-daemon at mindrot.org Wed Jul 3 19:56:07 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 3 Jul 2002 19:56:07 +1000 (EST) Subject: [Bug 324] privsep break KRB4 auth, KRB4 TGT forwarding and AFS token forwarding Message-ID: <20020703095607.7B410E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=324 ------- Additional Comments From jan.iven at cern.ch 2002-07-03 19:56 ------- Created an attachment (id=128) KRB4/5 auth with privsep ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jul 3 19:57:59 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 3 Jul 2002 19:57:59 +1000 (EST) Subject: [Bug 324] privsep break KRB4 auth, KRB4 TGT forwarding and AFS token forwarding Message-ID: <20020703095759.03A0BE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=324 ------- Additional Comments From jan.iven at cern.ch 2002-07-03 19:57 ------- (neither TGT forwarding nor AFS tokens needs privsep), reduced to just KRB4/5 auth. I suspect that KerberosPassword will be slightly broken since the ticket file name does not go back to the session environment. To be confirmed, I am using PAM now. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From binder at arago.de Wed Jul 3 20:01:09 2002 
From: binder at arago.de (Thomas Binder) Date: Wed, 3 Jul 2002 12:01:09 +0200 Subject: scp not tolerant of extraneous shell messages In-Reply-To: <15650.17192.40281.592787@darkwing.uoregon.edu>; from stevev@darkwing.uoregon.edu on Tue, Jul 02, 2002 at 05:19:52PM -0700 References: <20020702234139.C7293@greenie.muc.de> <15650.17192.40281.592787@darkwing.uoregon.edu> Message-ID: <20020703120109.A2288943@ohm.arago.de> Hi! On Tue, Jul 02, 2002 at 05:19:52PM -0700, Steve VanDevender wrote: > .bashrc is read by any invocation of bash. Nope. Quoting from bash's man page: -- snip -- When an interactive shell that is not a login shell is started, bash reads and executes commands from ~/.bashrc, if that file exists. This may be inhibited by using the --norc option. The --rcfile file option will force bash to read and execute commands from file instead of ~/.bashrc. When bash is started non-interactively, to run a shell script, for example, it looks for the variable BASH_ENV in the environment, expands its value if it appears there, and uses the expanded value as the name of a file to read and execute. Bash behaves as if the following command were executed: if [ -n "$BASH_ENV" ]; then . "$BASH_ENV"; fi but the value of the PATH variable is not used to search for the file name. -- snap -- That's easily proved: $ cat ~/.bashrc echo This is from .bashrc $ bash This is from .bashrc $ bash -c /bin/true [No output] > This is similar to the distinction between .login and .cshrc in > csh. Not quite. csh is the shell that /really/ reads its rc file even for running commands via -c or executing hash bang scripts. But not bash, nor ksh. Ciao Thomas From barel_bhai at yahoo.com Wed Jul 3 21:09:44 2002 
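The guard and the check discussed in this thread, as an added example (not code from the list or from OpenSSH): a ~/.bashrc that returns unless the shell is interactive, and a local stand-in for the FAQ's `ssh somehost /bin/true` test. `bash -c` models what sshd runs for scp and sftp, `bash -ic` an interactive shell that reads ~/.bashrc, and `BASH_ENV` forces the rc file into a non-interactive shell the way the quoted man page text describes. The temporary HOME, the greeting line and the SSH_CLIENT value are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the list thread or the OpenSSH tree.
# Shows the .bashrc guard that keeps scp/sftp protocol streams clean and
# a local stand-in for the FAQ check "ssh somehost /bin/true".
set -u

# Write $1/.bashrc. With guard=yes the file returns at once unless the
# shell is interactive ($- contains 'i'), so only interactive shells
# see the greeting. The greeting line is constructed for the demo.
write_bashrc() {
    home=$1
    guard=$2
    {
        if [ "$guard" = yes ]; then
            printf '%s\n' '# Do nothing unless running interactively.'
            printf '%s\n' 'case $- in *i*) ;; *) return ;; esac'
        fi
        printf '%s\n' 'echo "Welcome back, this is from ~/.bashrc"'
    } > "$home/.bashrc"
}

# Number of bytes that "<command prefix> /bin/true" writes to stdout.
# On a real host the prefix is "ssh somehost"; here it is a local bash
# invocation with HOME pointed at the test directory. SSH_CLIENT (a
# constructed value) is set because some bash builds read ~/.bashrc in
# non-interactive shells when they believe they run under sshd/rshd.
# $1 = HOME to use, remaining arguments = command prefix.
noise_bytes() {
    home=$1
    shift
    env -i HOME="$home" PATH="$PATH" SSH_CLIENT="203.0.113.5 51234 22" \
        "$@" /bin/true 2>/dev/null | wc -c | tr -d ' '
}

# 0 if the prefix is quiet (safe for scp/sftp), 1 otherwise.
is_quiet() {
    [ "$(noise_bytes "$@")" -eq 0 ]
}

# Stand-alone demo: an unguarded rc leaks into every shell that reads it;
# the guarded rc still greets interactive users but stays silent when the
# file is pulled into a non-interactive shell.
demo() {
    d=$(mktemp -d)
    write_bashrc "$d" no
    printf 'unguarded rc, bash -ic:                  %s bytes\n' "$(noise_bytes "$d" bash -ic)"
    printf 'unguarded rc, BASH_ENV + bash -c:        %s bytes\n' "$(noise_bytes "$d" env BASH_ENV="$d/.bashrc" bash -c)"
    printf 'unguarded rc, bash -c (build-dependent): %s bytes\n' "$(noise_bytes "$d" bash -c)"
    write_bashrc "$d" yes
    printf 'guarded rc,   bash -ic:                  %s bytes\n' "$(noise_bytes "$d" bash -ic)"
    printf 'guarded rc,   BASH_ENV + bash -c:        %s bytes\n' "$(noise_bytes "$d" env BASH_ENV="$d/.bashrc" bash -c)"
    rm -rf "$d"
}
demo
```

Against a real account, replace the local prefix: `noise_bytes "$HOME" ssh somehost` prints the number of bytes the remote login shell emits before the protocol starts, and anything other than 0 means scp and sftp will fail for that account until the rc file is guarded.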
From: barel_bhai at yahoo.com (raam raam) Date: Wed, 3 Jul 2002 04:09:44 -0700 (PDT) Subject: SSH Test Tool In-Reply-To: <20020703120109.A2288943@ohm.arago.de> Message-ID: <20020703110944.10758.qmail@web20501.mail.yahoo.com> Hi Is there any test tool available for testing SSH Best Regards Rajesh __________________________________________________ Do You Yahoo!? Sign up for SBC Yahoo! Dial - First Month Free http://sbc.yahoo.com From vinschen at redhat.com Wed Jul 3 22:27:17 2002 From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 3 Jul 2002 14:27:17 +0200 Subject: [PATCH]: Change Cygwin contrib files to better support PrivSep Message-ID: <20020703142717.Y21857@cygbert.vinschen.de> Hi, the following patch patches the files in contrib/cygwin. The changes are necessary to allow better support of privilege separation. On NT machines the script now asks if it should create a user called "sshd" and all that. Additionally it creates the /etc/ssh_config and /etc/sshd_config files following the latest versions. Would you mind applying this to the official OpenSSH repository? Thanks, Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com -------------- next part -------------- Index: contrib/cygwin/README =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/README,v retrieving revision 1.9 diff -u -p -r1.9 README --- contrib/cygwin/README 30 Apr 2002 03:53:13 -0000 1.9 +++ contrib/cygwin/README 3 Jul 2002 12:29:16 -0000 
@@ -1,6 +1,30 @@ This package is the actual port of OpenSSH to Cygwin 1.3. =========================================================================== +Important change since 3.4p1-2: + +This version adds privilege separation as default setting, see +/usr/doc/openssh/README.privsep. According to that document the +privsep feature requires a non-privileged account called 'sshd'. + +The new ssh-host-config file which is part of this version asks +to create 'sshd' as local user if you want to use privilege +separation. If you confirm, it creates that NT user and adds +the necessary entry to /etc/passwd. + +On 9x/Me systems the script just sets UsePrivilegeSeparation to "no" +since that feature doesn't make any sense on a system which doesn't +differ between privileged and unprivileged users. + +The new ssh-host-config script also adds the /var/empty directory +needed by privilege separation. When creating the /var/empty directory +by yourself, please note that in contrast to the README.privsep document +the owner sshould not be "root" but the user which is running sshd. So, +in the standard configuration this is SYSTEM. The ssh-host-config script +chowns /var/empty accordingly. +=========================================================================== + +=========================================================================== Important change since 3.0.1p1-2: This version introduces the ability to register sshd as service on Index: contrib/cygwin/ssh-host-config =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/ssh-host-config,v retrieving revision 1.5 diff -u -p -r1.5 ssh-host-config --- contrib/cygwin/ssh-host-config 12 Apr 2002 17:44:14 -0000 1.5 +++ contrib/cygwin/ssh-host-config 3 Jul 2002 12:29:16 -0000 @@ -18,6 +18,11 @@ progname=$0 auto_answer="" port_number=22 +privsep_configured=no +privsep_used=yes +sshd_in_passwd=no +sshd_in_sam=no + request() { if [ "${auto_answer}" = "yes" ] 
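Review bot: the README hunk tells the reader that /var/empty should be owned by the account running sshd (SYSTEM) rather than root, but stops short of the permission requirement that makes the chroot safe: the directory must not be writable by the 'sshd' account or by group/other (mode 0755), otherwise the unprivileged child could create files inside its own jail. Add that sentence next to the ownership note, and fix the typo "sshould" in "the owner sshould not be".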
@@ -90,6 +95,10 @@ do esac done +# Check if running on NT +_sys="`uname -a`" +_nt=`expr "$_sys" : "CYGWIN_NT"` + # Check for running ssh/sshd processes first. Refuse to do anything while # some ssh processes are still running @@ -126,6 +135,38 @@ then fi fi +# Create /var/log and /var/log/lastlog if not already existing + +if [ -f /var/log ] +then + echo "Creating /var/log failed\!" +else + if [ ! -d /var/log ] + then + mkdir -p /var/log + fi + if [ -d /var/log/lastlog ] + then + echo "Creating /var/log/lastlog failed\!" + elif [ ! -f /var/log/lastlog ] + then + cat /dev/null > /var/log/lastlog + fi +fi + +# Create /var/empty file used as chroot jail for privilege separation +if [ -f /var/empty ] +then + echo "Creating /var/empty failed\!" +else + mkdir -p /var/empty + # On NT change ownership of that dir to user "system" + if [ $_nt -gt 0 ] + then + chown system.system /var/empty + fi +fi + # Check for an old installation in ${OLDPREFIX} unless ${OLDPREFIX} isn't # the same as ${PREFIX} @@ -219,9 +260,10 @@ if [ ! -f "${SYSCONFDIR}/ssh_config" ] then echo "Generating ${SYSCONFDIR}/ssh_config file" cat > ${SYSCONFDIR}/ssh_config << EOF -# This is ssh client systemwide configuration file. This file provides -# defaults for users, and the values can be changed in per-user configuration -# files or on the command line. +# This is the ssh client system-wide configuration file. See +# ssh_config(5) for more information. This file provides defaults for +# users, and the values can be changed in per-user configuration files +# or on the command line. # Configuration data is parsed as follows: # 1. command line options 
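Review bot: in the /var/empty hunk, `mkdir -p /var/empty` leaves the mode to the caller's umask, and the `chown system.system` only runs on the path where the directory was just created; if /var/empty already exists as a directory, neither owner nor mode is checked. Since this is the privilege separation chroot, run an explicit `chmod 755 /var/empty` and do the chown/ownership check whenever the directory exists, not only when the script created it. Minor: the message "Creating /var/log failed!" when /var/log is a regular file (the `-f` branch) is misleading; say that /var/log exists but is not a directory, and the same applies to the /var/empty message.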
@@ -237,20 +279,19 @@ then # ForwardAgent no # ForwardX11 no # RhostsAuthentication no -# RhostsRSAAuthentication yes +# RhostsRSAAuthentication no # RSAAuthentication yes # PasswordAuthentication yes -# FallBackToRsh no -# UseRsh no # BatchMode no # CheckHostIP yes -# StrictHostKeyChecking yes +# StrictHostKeyChecking ask # IdentityFile ~/.ssh/identity # IdentityFile ~/.ssh/id_dsa # IdentityFile ~/.ssh/id_rsa # Port 22 # Protocol 2,1 -# Cipher blowfish +# Cipher 3des +# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc # EscapeChar ~ EOF if [ "$port_number" != "22" ] 
@@ -271,17 +312,75 @@ then then echo "Can't overwrite. ${SYSCONFDIR}/sshd_config is write protected." fi + else + grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes fi fi -# Create default sshd_config from here script +# Prior to creating or modifying sshd_config, care for privilege separation + +if [ "$privsep_configured" != "yes" ] +then + if [ $_nt -gt 0 ] + then + echo "Privilege separation is set to yes by default since OpenSSH 3.3." + echo "However, this requires a non-privileged account called 'sshd'." + echo "For more info on privilege separation read /usr/doc/openssh/README.privsep." + echo + if request "Shall privilege separation be used?" + then + privsep_used=yes + grep -q '^sshd:' ${SYSCONFDIR}/passwd && sshd_in_passwd=yes + net user sshd >/dev/null 2>&1 && sshd_in_sam=yes + if [ "$sshd_in_passwd" != "yes" ] + then + if [ "$sshd_in_sam" != "yes" ] + then + echo "Warning: The following function requires administrator privileges!" + if request "Shall this script create a local user 'sshd' on this machine?" + then + dos_var_empty=`cygpath -w /var/empty` + net user sshd /add /fullname:"sshd privsep" "/HOMEDIR:$dos_var_empty" > /dev/null 2>&1 && sshd_in_sam=yes + if [ "$sshd_in_sam" != "yes" ] + then + echo "Warning: Creating the user 'sshd' failed!" + fi + fi + fi + if [ "$sshd_in_sam" != "yes" ] + then + echo "Warning: Can't create user 'sshd' in ${SYSCONFDIR}/passwd!" + echo " Privilege separation set to 'no' again!" + echo " Check your ${SYSCONFDIR}/sshd_config file!" + privsep_used=no + else + mkpasswd -l -u sshd >> ${SYSCONFDIR}/passwd + fi + fi + else + privsep_used=no + fi + else + # On 9x don't use privilege separation. Since security isn't + # available it just adds useless addtional processes. + privsep_used=no + fi +fi + +# Create default sshd_config from here script or modify to add the +# missing privsep configuration option if [ ! 
-f "${SYSCONFDIR}/sshd_config" ] then echo "Generating ${SYSCONFDIR}/sshd_config file" cat > ${SYSCONFDIR}/sshd_config << EOF -# This is the sshd server system-wide configuration file. See sshd(8) -# for more information. +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. Port $port_number #Protocol 2,1 
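Review bot: in the privilege separation hunk, `grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config` also matches a commented-out `#UsePrivilegeSeparation` line, so an existing config that merely mentions the option in a comment sets privsep_configured=yes, the user-creation dialogue is skipped and nothing is appended; sshd then runs with its built-in default (yes, as the script's own text says) even when no 'sshd' account exists, which is exactly the failure the script is trying to prevent. Anchor the match to an active directive, e.g. `grep -q '^[[:space:]]*UsePrivilegeSeparation' ${SYSCONFDIR}/sshd_config`. Also, `net user sshd /add /fullname:"sshd privsep" "/HOMEDIR:$dos_var_empty"` passes no password, so the account is created with whatever the system default is; give it a random password (and consider restricting its logon) since the account exists only for the unprivileged child to drop to. The comment typo "addtional" in the 9x branch should read "additional".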
@@ -289,66 +388,77 @@ Port $port_number #ListenAddress :: # HostKey for protocol version 1 -HostKey /etc/ssh_host_key +#HostKey ${SYSCONFDIR}/ssh_host_key # HostKeys for protocol version 2 -HostKey /etc/ssh_host_rsa_key -HostKey /etc/ssh_host_dsa_key +#HostKey ${SYSCONFDIR}/ssh_host_rsa_key +#HostKey ${SYSCONFDIR}/ssh_host_dsa_key # Lifetime and size of ephemeral version 1 server ke -KeyRegenerationInterval 3600 -ServerKeyBits 768 +#KeyRegenerationInterval 3600 +#ServerKeyBits 768 # Logging -SyslogFacility AUTH -LogLevel INFO #obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +#LogLevel INFO # Authentication: -LoginGraceTime 600 -PermitRootLogin yes +#LoginGraceTime 600 +#PermitRootLogin yes # The following setting overrides permission checks on host key files # and directories. For security reasons set this to "yes" when running # NT/W2K, NTFS and CYGWIN=ntsec. StrictModes no -RSAAuthentication yes -PubkeyAuthentication yes +#RSAAuthentication yes +#PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # rhosts authentication should not be used -RhostsAuthentication no +#RhostsAuthentication no # Don't read ~/.rhosts and ~/.shosts files -IgnoreRhosts yes -# For this to work you will also need host keys in /etc/ssh_known_hosts -RhostsRSAAuthentication no +#IgnoreRhosts yes +# For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts +#RhostsRSAAuthentication no # similar for protocol version 2 -HostbasedAuthentication no -# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication -#IgnoreUserKnownHosts yes +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no # To disable tunneled clear text passwords, change to no here! 
-PasswordAuthentication yes -PermitEmptyPasswords no +#PasswordAuthentication yes +#PermitEmptyPasswords no -X11Forwarding no -X11DisplayOffset 10 -PrintMotd yes -#PrintLastLog no -KeepAlive yes +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes + +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PrintMotd yes +#PrintLastLog yes +#KeepAlive yes #UseLogin no +UsePrivilegeSeparation $privsep_used +#Compression yes -#MaxStartups 10:30:60 -#Banner /etc/issue.net -#ReverseMappingCheck yes +#MaxStartups 10 +# no default banner path +#Banner /some/path +#VerifyReverseMapping no +# override default of no subsystems Subsystem sftp /usr/sbin/sftp-server EOF +elif [ "$privsep_configured" != "yes" ] +then + echo >> ${SYSCONFDIR}/sshd_config + echo "UsePrivilegeSeparation $privsep_used" >> ${SYSCONFDIR}/sshd_config fi # Care for services file -_sys="`uname -a`" -_nt=`expr "$_sys" : "CYGWIN_NT"` if [ $_nt -gt 0 ] then _wservices="${SYSTEMROOT}\\system32\\drivers\\etc\\services" @@ -403,8 +513,8 @@ umount "${_services}" umount "${_serv_tmp}" # Care for inetd.conf file -_inetcnf="/etc/inetd.conf" -_inetcnf_tmp="/etc/inetd.conf.$$" +_inetcnf="${SYSCONFDIR}/inetd.conf" +_inetcnf_tmp="${SYSCONFDIR}/inetd.conf.$$" if [ -f "${_inetcnf}" ] then @@ -442,25 +552,6 @@ then fi fi -# Create /var/log and /var/log/lastlog if not already existing - -if [ -f /var/log ] -then - echo "Creating /var/log failed\!" -else - if [ ! -d /var/log ] - then - mkdir /var/log - fi - if [ -d /var/log/lastlog ] - then - echo "Creating /var/log/lastlog failed\!" - elif [ ! -f /var/log/lastlog ] - then - cat /dev/null > /var/log/lastlog - fi -fi - # On NT ask if sshd should be installed as service if [ $_nt -gt 0 ] then 
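Review bot: in the sshd_config hunk, `StrictModes no` is the one security-relevant directive that stays active while everything else is reduced to commented defaults, and its own comment says it should be "yes" on NT with ntsec. The script already detects NT (`$_nt`) and the service-install hunk below defaults CYGWIN to "binmode ntsec tty", so emit `StrictModes yes` when `$_nt -gt 0` and keep `no` only for the 9x/non-ntsec case; with `no`, sshd accepts a group- or world-writable ~/.ssh/authorized_keys without complaint. The `elif` branch that appends `UsePrivilegeSeparation $privsep_used` to an existing config should also write a short comment line saying ssh-host-config added it, so the operator can tell it apart from their own settings.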
@@ -477,7 +568,7 @@ then [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty" if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" then - chown system /etc/ssh* + chown system /${SYSCONFDIR}/ssh* echo echo "The service has been installed under LocalSystem account." fi From Robert.Dahlem at siemens.com Wed Jul 3 22:54:36 2002 From: Robert.Dahlem at siemens.com (Robert Dahlem) Date: Wed, 03 Jul 2002 14:54:36 +0200 Subject: --{enable/disable}-suid-ssh removed, rhosts auth gone when UID != 0 Message-ID: <200207031254.g63Csag26656@mail3.siemens.de> Hi, According to ChangeLog someone "(bal)" removed -{enable/disable}-suid-ssh from configure (dating from 2002/06/07). Don't know the reason, probably this has something to do with PrivilegeSeparation. Consequence is: Users with UID != 0 are no longer able to allocate privileged ports, sshd answers "Rhosts Authentication disabled, originating port will not be trusted". Bang, there they sit. :-) Ok, "chmod u+s ssh scp" does help as first aid. My question is: Is SUID on ssh/scp considered dangerous? Are there other reasons one should avoid this? Regards, Robert -- Robert.Dahlem at siemens.com Siemens Business Services - FS GF KORDOBA-Outsourcing Tel: +49-69-797-6530 Fax: +49-69-797-6599 ---------------------------------------------------------------------- Sent using PMMail (http://www.pmmail2000.com) - fast, decent, email software; far better than Outlook. Try it sometime. From markus at openbsd.org Wed Jul 3 23:03:34 2002 
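Review bot: in the last hunk of the contrib/cygwin patch above, `chown system /${SYSCONFDIR}/ssh*` prepends a slash to a variable that the rest of the script uses as an absolute path (`${SYSCONFDIR}/sshd_config`), so it expands to `//etc/ssh*`; on Cygwin a leading `//` is treated as a UNC path prefix, so this may be resolved against a host called "etc" instead of the local directory, and the glob then silently matches nothing. Use `chown system "${SYSCONFDIR}"/ssh*`.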
From: markus at openbsd.org (Markus Friedl) Date: Wed, 3 Jul 2002 15:03:34 +0200 Subject: --{enable/disable}-suid-ssh removed, rhosts auth gone when UID != 0 In-Reply-To: <200207031254.g63Csag26656@mail3.siemens.de> References: <200207031254.g63Csag26656@mail3.siemens.de> Message-ID: <20020703130334.GA2077@faui02> On Wed, Jul 03, 2002 at 02:54:36PM +0200, Robert Dahlem wrote: > Ok, "chmod u+s ssh scp" does help as first aid. please don't add an s-bit to scp, as it allows everyone on your system to overwrite all files. > My question is: Is SUID on ssh/scp considered dangerous? Are there other > reasons one should avoid this? 1) rhosts authentication should be avoided 2) only rhosts-rsa authentication needs an sbit. a privileged port is just needed for older sshd servers 3) hostbased authentication in protocol 2 does not need a sbit on ssh, they use ssh-keysign instead. -m From mouring at etoh.eviladmin.org Wed Jul 3 22:54:07 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 3 Jul 2002 07:54:07 -0500 (CDT) Subject: --{enable/disable}-suid-ssh removed, rhosts auth gone when UID != 0 In-Reply-To: <200207031254.g63Csag26656@mail3.siemens.de> Message-ID: It was removed because RhostAuth is the only thing depending on it, and it was felt if you want to use the feature (which is not recommended) that you can setuid it yourself. HostBased Authentication is now handled by ssh-keysign which is setuid instead. Much smaller amount of code to audit. - Ben On Wed, 3 Jul 2002, Robert Dahlem wrote: > Hi, > > According to ChangeLog someone "(bal)" removed -{enable/disable}-suid-ssh > from configure (dating from 2002/06/07). Don't know the reason, probably > this has something to do with PrivilegeSeparation. > > Consequence is: Users with UID != 0 are no longer able to allocate > privileged ports, sshd answers "Rhosts Authentication disabled, > originating port will not be trusted". Bang, there they sit. :-) > > Ok, "chmod u+s ssh scp" does help as first aid. > > My question is: Is SUID on ssh/scp considered dangerous? Are there other > reasons one should avoid this? > > Regards, > Robert > > > -- > Robert.Dahlem at siemens.com > Siemens Business Services - FS GF KORDOBA-Outsourcing > Tel: +49-69-797-6530 Fax: +49-69-797-6599 > ---------------------------------------------------------------------- > Sent using PMMail (http://www.pmmail2000.com) - fast, decent, email > software; far better than Outlook. Try it sometime. > > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From markus at openbsd.org Thu Jul 4 01:02:46 2002 
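An added audit check (not OpenSSH code) for the points Markus and Ben make above: it flags a setuid scp as critical, reports a setuid ssh as something only RhostsRSAAuthentication needs, checks that ssh-keysign carries the bit that protocol-2 hostbased authentication relies on, and warns about rhosts options switched on in an ssh_config. The binary names, the temporary directory and the sample config in demo() are constructed for the demo; on a real system point it at the install prefix.

```shell
#!/bin/sh
# Added example, not OpenSSH code: audits set-user-ID bits on the ssh
# client binaries and rhosts options in an ssh_config against the advice
# in the thread above. Everything in demo() is constructed sample data.
set -u

# Check ssh and scp in $1 and ssh-keysign in $2 (default: $1).
# One finding per line on stdout; returns 0 if nothing needs attention.
# [ -u file ] is the POSIX test for the set-user-ID bit.
audit_ssh_setuid() {
    bindir=$1
    keysign=${2:-$1}/ssh-keysign
    bad=0
    if [ -u "$bindir/scp" ]; then
        # A setuid scp performs its file writes with root's privileges for any caller.
        echo "CRITICAL $bindir/scp is setuid: any local user could overwrite any file; chmod u-s $bindir/scp"
        bad=1
    fi
    if [ -u "$bindir/ssh" ]; then
        # Only RhostsRSAAuthentication (protocol 1) needs a privileged source port.
        echo "WARN $bindir/ssh is setuid: only RhostsRSAAuthentication needs this; use HostbasedAuthentication with ssh-keysign and chmod u-s $bindir/ssh"
        bad=1
    fi
    if [ -e "$keysign" ] && [ ! -u "$keysign" ]; then
        # Protocol-2 hostbased auth signs with the host key through ssh-keysign.
        echo "INFO $keysign is not setuid: HostbasedAuthentication will fail for non-root users"
        bad=1
    fi
    return $bad
}

# Flag rhosts-style options that are switched on (not commented out) in
# an ssh_config-style file $1. Keywords are case-insensitive, like sshd's
# parser. Returns 0 if none, 1 otherwise.
audit_ssh_config() {
    cfg=$1
    bad=0
    if grep -Eiq '^[[:space:]]*RhostsAuthentication[[:space:]]+yes' "$cfg"; then
        echo "WARN $cfg enables RhostsAuthentication: plain rhosts trust should not be used"
        bad=1
    fi
    if grep -Eiq '^[[:space:]]*RhostsRSAAuthentication[[:space:]]+yes' "$cfg"; then
        echo "WARN $cfg enables RhostsRSAAuthentication: needs a setuid ssh; prefer HostbasedAuthentication"
        bad=1
    fi
    return $bad
}

# Stand-alone demo on a constructed installation: the "first aid"
# chmod u+s ssh scp from the question, plus a config with RhostsRSA on.
demo() {
    tmp=$(mktemp -d)
    for f in ssh scp ssh-keysign; do : > "$tmp/$f"; done
    chmod u+s "$tmp/ssh" "$tmp/scp"
    printf '%s\n' '# constructed sample ssh_config' \
        'RhostsRSAAuthentication yes' \
        '#RhostsAuthentication yes' > "$tmp/ssh_config"
    audit_ssh_setuid "$tmp" || :
    audit_ssh_config "$tmp/ssh_config" || :
    rm -rf "$tmp"
}
demo
```

Typical use on an installed tree is `audit_ssh_setuid /usr/local/bin /usr/local/libexec && audit_ssh_config /usr/local/etc/ssh_config`; a clean result is no output and exit status 0.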
From: markus at openbsd.org (Markus Friedl) Date: Wed, 3 Jul 2002 17:02:46 +0200 Subject: scp not tolerant of extraneous shell messages In-Reply-To: References: <17D3D857B26112409EA372EB0AFE39DD125F25@NSTMC005PEX1.ubsgs.ubsgroup.net> Message-ID: <20020703150246.GA14294@folly> On Tue, Jul 02, 2002 at 10:58:29AM -0500, Ben Lindstrom wrote: > umask can and is ignored by some sftp clients. Mainly ones that are > windows based. Mainly SSH Corp derived last I checked (a year ago). but that can only be fixed by ugly server-side hacks. i think this bug got fixed in the windows clients. From markus at openbsd.org Thu Jul 4 01:05:10 2002 From: markus at openbsd.org (Markus Friedl) Date: Wed, 3 Jul 2002 17:05:10 +0200 Subject: scp not tolerant of extraneous shell messages In-Reply-To: <3D21E3E2.2080208@doxpara.com> References: <3D21E3E2.2080208@doxpara.com> Message-ID: <20020703150510.GB14294@folly> On Tue, Jul 02, 2002 at 10:33:22AM -0700, Dan Kaminsky wrote: > > > > > >After saying that. I still agree that the user's shell needs to be ran. > >=) Because it's the correct way for UNIX to handle things. > > > > > OK, so I modify my .profile to execute arbitrary commands. Look mah, > every time I access a file on a machine, it's "implied" that I have the > right to execute stuff on it too. well, if you have a restricted account, then you cannot edit .profile. if you don't want to have .profile like features available for users, don't give them a powerful shell. you could also set the loginshell to sftp-server for example. From markus at openbsd.org Thu Jul 4 01:09:27 2002 
From: markus at openbsd.org (Markus Friedl) Date: Wed, 3 Jul 2002 17:09:27 +0200 Subject: scp not tolerant of extraneous shell messages In-Reply-To: <3D21EBBE.5010608@doxpara.com> References: <17D3D857B26112409EA372EB0AFE39DD125F2A@NSTMC005PEX1.ubsgs.ubsgroup.net> <3D21EBBE.5010608@doxpara.com> Message-ID: <20020703150927.GD14294@folly> On Tue, Jul 02, 2002 at 11:06:54AM -0700, Dan Kaminsky wrote: > Would you rather give me access to an > account through wu-ftpd or sftp? sftp :) -m From markus at openbsd.org Thu Jul 4 01:11:42 2002 From: markus at openbsd.org (Markus Friedl) Date: Wed, 3 Jul 2002 17:11:42 +0200 Subject: scp not tolerant of extraneous shell messages In-Reply-To: <3D21F089.6060901@doxpara.com> References: <3D21F089.6060901@doxpara.com> Message-ID: <20020703151142.GE14294@folly> On Tue, Jul 02, 2002 at 11:27:21AM -0700, Dan Kaminsky wrote: > Well, I still get access to your network. Potentially, I might be able > to hijack incoming SFTP connections, extract the passwords, and get into > other people's shells. so you found a buffer overflow in sftp-server? please send a bug report. From markus at openbsd.org Thu Jul 4 01:08:23 2002 
From: markus at openbsd.org (Markus Friedl) Date: Wed, 3 Jul 2002 17:08:23 +0200 Subject: scp not tolerant of extraneous shell messages In-Reply-To: <3D21EBBE.5010608@doxpara.com> References: <17D3D857B26112409EA372EB0AFE39DD125F2A@NSTMC005PEX1.ubsgs.ubsgroup.net> <3D21EBBE.5010608@doxpara.com> Message-ID: <20020703150822.GC14294@folly> On Tue, Jul 02, 2002 at 11:06:54AM -0700, Dan Kaminsky wrote: > Name an FTPD that does. Just one. yes, that's the point. ftpds run with the environment of root or a less trusted user, but usually not under the uid of the authenticated user. however, sftp-server runs under the environment of the authenticated user, so it's much more restricted. as i said before, don't give away powerful shells if you don't want to give away powerful shells. -m From manik.surtani at conchango.com Thu Jul 4 02:47:16 2002
From: manik.surtani at conchango.com (Manik Surtani) Date: Wed, 03 Jul 2002 17:47:16 +0100 Subject: Java, JCE and OpenSSH Message-ID: <3D232A94.4000508@conchango.com> Hello, all. Firstly, sorry for the cross-posting... Has anyone out there tried to use JCE (1.2.1, with JDK1.3.1) to create a Diffie Hellman key using the group1 prime modulus and base generator, and then pass on the public key to an OpenSSH (v3.1) server as a part of the diffie-hellman-group1-sha1 key exchange? For some reason, the ssh server rejects the key saying it is invalid ... I have successfully MANUALLY implemented this (by using the prime modulus p, the base generator g, and a large random number r, using the DH algorithm specified in the SSH 2.0 IETF paper), and the public key I generate here is accepted by the SSH server. Why is it then, that the JCE implementation of the DH keygen algorithm, produces keys that are not accepted? Has anyone else experienced this? Am I doing something stupid? Help is much appreciated! Thanks in advance, -- Manik Surtani Conchango 'Innovative Change in Business' T 44 (0) 1784 221829 M 44 (0) 7786 702 706 E manik.surtani at conchango.com http://www.conchango.com The information contained in this message is confidential and is intended for the addressee only. If you have received this message in error, please notify us as soon as possible. The unauthorised use, disclosure, copying or alteration of this message is forbidden. _____________________________________________________________________ This message has been checked for all known viruses by the MessageLabs Virus Control Centre. From bugzilla-daemon at mindrot.org Thu Jul 4 02:52:24 2002 
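The client side of the diffie-hellman-group1-sha1 exchange the question above is about, as an added example (Python) that is not code from OpenSSH, the JCE or the poster. It uses the RFC 2409 1024-bit MODP prime with g = 2 and the RFC 4251 mpint encoding, and assumes the server's acceptance test behaves like OpenSSH's dh_pub_is_valid() (non-negative, below p, more than one bit set); the function names are its own. Beyond the question itself it shows two ways a correctly computed public value still gets rejected at the wire: an exponent so small that, with g = 2, e is a single bit, and a body sent as the raw 128-byte magnitude without the mpint sign byte, which the server reads as a negative number. It also carries e, f and K through to the exchange hash, where the same encoding rule applies.

```python
"""diffie-hellman-group1-sha1 from the client side: key generation, mpint
encoding and the public-value check an OpenSSH-style server applies.
Added example for this thread, not code from OpenSSH, the JCE or the poster.
Assumed (not in the original message): the server accepts e like OpenSSH's
dh_pub_is_valid() does (non-negative, below p, more than one bit set).
All function names are this example's own."""
import hashlib
import secrets

# SSH "group1" is Oakley group 2: the 1024-bit MODP prime of RFC 2409 s6.2, g = 2
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
        "FFFFFFFFFFFFFFFF", 16)
G = 2


def encode_mpint(n):
    """RFC 4251 mpint: uint32 length + two's-complement big-endian bytes. Zero is
    empty; a positive value with its top bit set gets a leading 0x00 byte."""
    if n < 0:
        raise ValueError("SSH key exchange never sends negative mpints")
    body = b"" if n == 0 else n.to_bytes((n.bit_length() + 8) // 8, "big")
    return len(body).to_bytes(4, "big") + body


def decode_mpint(buf):
    """Parse one mpint from the front of buf -> (value, rest). signed=True is what
    the format means: a body whose first byte is >= 0x80 is a negative number."""
    n = int.from_bytes(buf[:4], "big")
    body = buf[4:4 + n]
    if len(buf) < 4 or len(body) != n:
        raise ValueError("short or truncated mpint")
    return int.from_bytes(body, "big", signed=True), buf[4 + n:]


def encode_string(b):
    """RFC 4251 string: uint32 length + bytes (used in the exchange hash)."""
    return len(b).to_bytes(4, "big") + b


def dh_pub_is_valid(pub):
    """Modelled on OpenSSH's dh_pub_is_valid(): reject negative values, values >= p
    and values with at most one bit set (with g == 2, log_g of 2^k is just k)."""
    return 0 <= pub < P and bin(pub).count("1") > 1


def generate_client_keypair(x=None):
    """Pick the private exponent x and return (x, e = g^x mod p). A random x of a
    few hundred bits is the usual choice; a tiny x gives a single-bit e with g == 2."""
    if x is None:
        x = secrets.randbits(256) | (1 << 255)      # 256-bit exponent, top bit set
    return x, pow(G, x, P)


def kexdh_init(e):
    """SSH_MSG_KEXDH_INIT payload: byte 30 followed by mpint e."""
    return b"\x1e" + encode_mpint(e)


def kexdh_init_raw_magnitude(e):
    """The encoding mistake this example is about: the 128-byte magnitude of e sent
    as the mpint body without the 0x00 sign byte. Whenever the top bit of e is set
    the server decodes a negative number and rejects the key."""
    body = e.to_bytes(128, "big")
    return b"\x1e" + len(body).to_bytes(4, "big") + body


def server_accepts(payload):
    """What the server does with KEXDH_INIT: parse e, then run the validity check."""
    if payload[:1] != b"\x1e":
        return False
    e, rest = decode_mpint(payload[1:])
    return rest == b"" and dh_pub_is_valid(e)


def shared_secret(x, peer_pub):
    """K = peer_pub^x mod p, computed only after the peer's value passed the check."""
    if not dh_pub_is_valid(peer_pub):
        raise ValueError("invalid peer DH value")
    return pow(peer_pub, x, P)


def exchange_hash(v_c, v_s, i_c, i_s, k_s, e, f, k):
    """H = SHA1(V_C || V_S || I_C || I_S || K_S || e || f || K) per RFC 4253 s8;
    e, f and K go in as mpints, so the same encoding rule decides whether both
    sides compute the same H (and therefore the same session keys)."""
    h = hashlib.sha1()
    for s in (v_c, v_s, i_c, i_s, k_s):
        h.update(encode_string(s))
    for m in (e, f, k):
        h.update(encode_mpint(m))
    return h.digest()
```

A useful diagnostic with this code is to run decode_mpint() over the bytes actually put on the wire for e: if the parsed value comes back negative, or has a single bit set, the arithmetic was fine and it is the serialisation or the exponent size that the server is objecting to.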
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 4 Jul 2002 02:52:24 +1000 (EST) Subject: [Bug 333] New: X11 forwarding not working in OpenSSH 3.4p1 Message-ID: <20020703165224.CC902E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=333 Summary: X11 forwarding not working in OpenSSH 3.4p1 Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: major Priority: P2 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: stripes at tigerlair.com X11 forwarding is not working on OpenSSH 3.4p1 on my Debian boxes. I have set the X11Forwarding to yes in both the client and server configurations, and the output of the debugging says nothing about the X settings or Xauthority. I have xauth installed in my path. I have emailed the secureshell at securityfocus.com mailing list and no one understands what's going on and why it doesn't work. Just let me know what else you need from me. $ uname -a Linux swamp 2.4.17 #1 Fri Feb 22 11:08:36 PST 2002 i686 unknown ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From epa98 at doc.ic.ac.uk Thu Jul 4 05:39:45 2002 
From: epa98 at doc.ic.ac.uk (Edward Avis) Date: Wed, 3 Jul 2002 20:39:45 +0100 (BST) Subject: scp not tolerant of extraneous shell messages In-Reply-To: <1025653705.28700.37.camel@xenon> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 3 Jul 2002, Damien Miller wrote: >>>Perhaps scp could have a special -diagnose option which runs 'echo >>>hello' at the remote end, and checks that the text received is just >>>'hello'. >What is wrong with "ssh somehost /bin/true"? Not as idiot-proof. >This has long been documented at http://www.openssh.com/faq.html#2.9 But as evidenced by previous messages to this list, some people - even intelligent, relatively clueful people - do not read the FAQ, or forget what it says. They might be more likely to find the right answer if scp gave a bit more prompting (either with -diagnose or with a different error message). Besides, scp -diagnose could be a place to test for other common scp problems, beside spurious stdout text. The reason for the suggestion is not technical, it's more like a kind of additional documentation. - -- Ed Avis Finger for PGP key -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE9I1MFIMp73jhGogoRArvcAJ9y5un3IFJ8xaEUd+89aW+lOZxltACeJ8/G PscMWz4O4cV30xoaN8mOPiw= =b0np -----END PGP SIGNATURE----- From bugzilla-daemon at mindrot.org Thu Jul 4 05:41:58 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 4 Jul 2002 05:41:58 +1000 (EST) Subject: [Bug 333] X11 forwarding not working in OpenSSH 3.4p1 Message-ID: <20020703194158.5376FE904@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=333 ------- Additional Comments From stevesk at pobox.com 2002-07-04 05:41 ------- i will guess configure did not find an xauth when it was built ($PATH is irrelevant here). please verify. see $HOME/.ssh/rc example in sshd.8 which can be used as a workaround in this case. djm: autoconf-2.53 exposes a bug for xauth path detection. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bryanh at giraffe-data.com Thu Jul 4 06:21:29 2002 From: bryanh at giraffe-data.com (Bryan Henderson) Date: Wed, 03 Jul 2002 20:21:29 +0000 Subject: scp not tolerant of extraneous shell messages In-Reply-To: <15650.17192.40281.592787@darkwing.uoregon.edu> (stevev@darkwing.uoregon.edu) References: <20020702234139.C7293@greenie.muc.de> <15650.17192.40281.592787@darkwing.uoregon.edu> Message-ID: >.bashrc is read by any invocation of bash. Not according to the Bash user's guide or practice. .bashrc is for interactive non-login shells. The file that runs for ALL Bash invocations is the one whose name is in the environment variable $BASH_ENV. So: - in .bash_login, you put your "good morning" type greetings. - in .bashrc you set up your prompt. - in ($BASH_ENV), you set PATH. If Bash actually followed its own principles, scp would not have a problem, because Bash would not run .bashrc. It is only because the rshd hack (wherein Bash apparently mistakes the scp session for an interactive rsh session) makes Bash invoke .bashrc in a shell that is not interactive that scp has a problem with conversational messages from .bashrc. -- Bryan Henderson Phone 408-621-2000 San Jose, California From dan at doxpara.com Thu Jul 4 06:37:59 2002
From: dan at doxpara.com (Dan Kaminsky) Date: Wed, 03 Jul 2002 13:37:59 -0700 Subject: scp not tolerant of extraneous shell messages References: <17D3D857B26112409EA372EB0AFE39DD125F2A@NSTMC005PEX1.ubsgs.ubsgroup.net> <3D21EBBE.5010608@doxpara.com> <20020703150822.GC14294@folly> Message-ID: <3D2360A7.4010101@doxpara.com> Markus Friedl wrote: >On Tue, Jul 02, 2002 at 11:06:54AM -0700, Dan Kaminsky wrote: > > >>Name an FTPD that does. Just one. >> >> > >yes, that's the point. ftpds run with the environment >of root or a less trusted user, but usually not under >the uid of the authenticated user. > >however, sftp-server runs under the environment of >the authenticated user, so it's much more restricted. > BFD. A brick wall is always more secure than a locked gate; it's why OpenBSD has always been more secure than your stock Linux distro. No 7956456456 daemons listening for something they didn't expect. I'll take "no opportunity to execute arbitrary commands within any account" over "will only execute commands the shell happens to like" any day. >as i said before, don't give away powerful shells >if you don't want to give away powerful shells. > > So many externalities! Want secure key management? Use some outside web page, hope it's secure, let us know if you write a good one! Want a secure file transfer system? Use some outside shell, I heard one was made a while ago! I'm all for encapsulation, but I'm seriously not seeing SFTP being what it should be. A remote shell simply gives you far more power than a standard FTP connection does -- full control over port forwarding, true system root (oh, that's another external package), and so on. We need another class of SSH connection that does nothing else but serves files. It's a different security level, Markus. That which is obviously authorized in the shell context is an utter security breach in the file context. SSH is awesome for remote shells. It...needs help for remote file access.
--Dan From bugzilla-daemon at mindrot.org Thu Jul 4 08:08:46 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 4 Jul 2002 08:08:46 +1000 (EST) Subject: [Bug 334] New: SSH hangs when run via a cronjob (ssh2) Message-ID: <20020703220846.1EE54E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=334 Summary: SSH hangs when run via a cronjob (ssh2) Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: egarff at omniture.com SSH hangs upon exit when running from a cronjob. Server only allows SSH2 (does not appear to have the same problem when using Protocol 1). Redhat 6.2 Hardware independent. Using OpenSSL 0.9.5a configure line: ./configure --sysconfdir=/etc --with-tcp-wrappers --without-pam --with-ssl-dir=/usr/local/src/openssl-0.9.5a --with-md5-passwords The application is to execute remote code on another server via "passwordless" ssh. Keys generated are rsa. When run manually (outside cron), executes and exits normally. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From des at ofug.org Thu Jul 4 08:48:47 2002 From: des at ofug.org (Dag-Erling Smorgrav) Date: 04 Jul 2002 00:48:47 +0200 Subject: New PAM kbd-int diff In-Reply-To: <1025577068.28700.22.camel@xenon> References: <1025577068.28700.22.camel@xenon> Message-ID: A non-text attachment was scrubbed... Name: pam.diff Type: text/x-patch Size: 19971 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020704/65e97537/attachment.bin From mouring at etoh.eviladmin.org Thu Jul 4 09:12:52 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 3 Jul 2002 18:12:52 -0500 (CDT) Subject: AIX usrinfo() cleanup. In-Reply-To: <3D21983D.B96EAB41@zip.com.au> Message-ID: > > If you ask me: drop it, and throw out junky code. If someone besides us > > needs usrinfo (and we do not use TTY=) they will complain. > > That's my vote too. At the moment I don't know of any affected programs. > Ok.. Gert, I need to verify you wrote the original code right? I need it for copyright reasons. This is what I'm committing. Test it and tell me if I broke something. This also adds 2-clause BSD license which I assume is acceptable since the code was pulled from session.c which was 2-clause to start with. - Ben Index: session.c =================================================================== RCS file: /var/cvs/openssh/session.c,v retrieving revision 1.208 diff -u -r1.208 session.c --- session.c 26 Jun 2002 13:51:06 -0000 1.208 +++ session.c 3 Jul 2002 23:21:35 -0000 @@ -1209,8 +1209,7 @@ irix_setusercontext(pw); # endif /* defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) */ # ifdef _AIX - /* XXX: Disable tty setting. Enabled if required later */ - aix_usrinfo(pw, &tty, -1); + aix_usrinfo(pw); # endif /* _AIX */ /* Permanently switch to the desired uid. */ permanently_set_uid(pw); Index: openbsd-compat/port-aix.c =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/port-aix.c,v retrieving revision 1.3 diff -u -r1.3 port-aix.c --- openbsd-compat/port-aix.c 21 Jun 2002 00:01:19 -0000 1.3 +++ openbsd-compat/port-aix.c 3 Jul 2002 23:21:36 -0000
@@ -1,3 +1,25 @@ +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ #include "includes.h" #ifdef _AIX 
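Review bot: the two-clause BSD text added at the top of port-aix.c (and the identical block in the port-aix.h hunk further down) says redistributions must retain "the above copyright notice", but no copyright line precedes it in either file. Add the "Copyright (c) <year> <author>" line once the authorship question put to Gert in the cover mail is settled; without it the licence text refers to a notice that does not exist.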
@@ -6,21 +28,21 @@ #include <../xmalloc.h> /* - * AIX has a "usrinfo" area where logname and - * other stuff is stored - a few applications - * actually use this and die if it's not set + * AIX has a "usrinfo" area where logname and other stuff is stored - + * a few applications actually use this and die if it's not set + * + * NOTE: TTY= should be set, but since no one uses it and it's hard to + * acquire due to privsep code. We will just drop support. */ void -aix_usrinfo(struct passwd *pw, char *tty, int ttyfd) +aix_usrinfo(struct passwd *pw) { u_int i; - char *cp=NULL; + char *cp; - if (ttyfd == -1) - tty[0] = '\0'; - cp = xmalloc(22 + strlen(tty) + 2 * strlen(pw->pw_name)); - i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c", pw->pw_name, 0, - pw->pw_name, 0, tty, 0, 0); + cp = xmalloc(16 + 2 * strlen(pw->pw_name)); + i = sprintf(cp, "LOGNAME=%s%cNAME=%s%c%c", pw->pw_name, 0, + pw->pw_name, 0, 0); if (usrinfo(SETUINFO, cp, i) == -1) fatal("Couldn't set usrinfo: %s", strerror(errno)); debug3("AIX/UsrInfo: set len %d", i); Index: openbsd-compat/port-aix.h =================================================================== RCS file: /var/cvs/openssh/openbsd-compat/port-aix.h,v retrieving revision 1.4 diff -u -r1.4 port-aix.h --- openbsd-compat/port-aix.h 21 Jun 2002 00:01:19 -0000 1.4 +++ openbsd-compat/port-aix.h 3 Jul 2002 23:21:36 -0000 
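Review bot: the allocation in the new aix_usrinfo() is one byte short. The format "LOGNAME=%s%cNAME=%s%c%c" emits the two labels (8 + 5 characters), three explicit NULs and two copies of the name, i.e. 16 + 2 * strlen(pw->pw_name) characters, and sprintf() then stores its own terminating NUL after them, so xmalloc(16 + 2 * strlen(pw->pw_name)) is overrun by one byte on the heap. The old size, 22 + strlen(tty) + 2 * strlen(pw->pw_name), did account for that terminator (21 formatted characters plus one). Use xmalloc(17 + 2 * strlen(pw->pw_name)), or keep the size in a variable and switch to snprintf() with it; i, the returned character count, remains the right length to pass to usrinfo().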
@@ -1,5 +1,26 @@ -#ifdef _AIX - -void aix_usrinfo(struct passwd *pw, char *tty, int ttyfd); +/* + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ +#ifdef _AIX +void aix_usrinfo(struct passwd *pw); #endif /* _AIX */ From mouring at etoh.eviladmin.org Thu Jul 4 09:14:31 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 3 Jul 2002 18:14:31 -0500 (CDT) Subject: AIX and Privsep. In-Reply-To: <3D21983D.B96EAB41@zip.com.au> Message-ID: Outside the patch I just sent. *IS* there any other open bugs, issues or problems with AIX and Privsep. Or with AIX in general? I want to close out that platform and move to a new platform to work on. Does all AIX versions have a tolerable mmap()? - Ben From bob at proulx.com Thu Jul 4 09:31:29 2002 
From: bob at proulx.com (Bob Proulx) Date: Wed, 3 Jul 2002 17:31:29 -0600 Subject: scp not tolerant of extraneous shell messages In-Reply-To: References: <20020702234139.C7293@greenie.muc.de> <15650.17192.40281.592787@darkwing.uoregon.edu> Message-ID: <20020703233129.GE17265@misery.proulx.com> > If Bash actually followed its own principles, scp would not have a > problem, because Bash would not run .bashrc. It is only because the > rshd hack (wherein Bash apparently mistakes the scp session for an > interactive rsh session) makes Bash invoke .bashrc in a shell that is > not interactive that scp has a problem with conversational messages > from .bashrc. The root of the problem is that rshd uses a compiled in PATH which rarely contains what the user needs. (The same for ssh. But that has been discussed at length and future development outlined.) Therefore as a workaround bash loads a .bashrc which can set up PATH and other variables so that the rsh will actually work. I don't like it either. But it does add functionality which would otherwise be missing. Even typing in a hard coded path to a program (/usr/local/bin/foo) won't work if that program in turn calls another program from the same location (/usr/local/bin/bar). It is all hacks upon hacks. Bob From mouring at etoh.eviladmin.org Thu Jul 4 09:22:08 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 3 Jul 2002 18:22:08 -0500 (CDT) Subject: [PATCH]: Change Cygwin contrib files to better support PrivSep In-Reply-To: <20020703142717.Y21857@cygbert.vinschen.de> Message-ID: Applied, thanks. On Wed, 3 Jul 2002, Corinna Vinschen wrote: > Hi, > > the following patch patches the files in contrib/cygwin. The changes > are necessary to allow better support of privilege separation. > On NT machines the script now asks if it should create a user called > "sshd" and all that. Additionally it creates the /etc/ssh_config > and /etc/sshd_config files following the latest versions. > > Would you mind applying this to the official OpenSSH repository? > > Thanks, > Corinna > > -- > Corinna Vinschen > Cygwin Developer > Red Hat, Inc. > mailto:vinschen at redhat.com > From insideout at barak.net.il Thu Jul 4 11:26:30 2002
From: insideout at barak.net.il (PostMaster @ I.O. Ltd.) Date: Thu, 4 Jul 2002 03:26:30 +0200 Subject: secureid and CA Message-ID: <002f01c222f9$d34809f0$0200000a@insideout.co.il> Hello to all the great "crypto" people (... my first time on this list ...). I'm trying to compile OpenSSH-3.4p1 with the SecureID patch taken from: http://www.omniti.com/~jesus/projects/openssh-3.4p1+SecurID_v1.patch I'm having trouble compiling the patched OpenSSH on the Cygwin platform. This is probably because there is no Cygwin SecureID agent available, so I'm using the Linux one (Red Hat). Does anyone have a solution? I've read the archives regarding the issue of the SecureID agent, and it seems that OpenSSH would like to base auth on PAM. While PAM will solve some application compatibility issues, it won't solve cases such as Cygwin. As far as I know, there is no PAM port to Cygwin. The aim of all this is to have a BUILT-IN feature in OpenSSH for an auth option via some kind of certification authority (CA), like the ACE server. That way, regardless of the platform (and the local users and so on), it will be possible to auth to the ssh servers spread around our network. Therefore I would like to ask you people to consider again building a SecureID agent feature into OpenSSH. TIA, Ran Sasson, Inside OutSourcing (I.O.) Ltd. From john at venus.ark.com Thu Jul 4 10:47:44 2002
From: john at venus.ark.com (John Furman) Date: Wed, 3 Jul 2002 17:47:44 -0700 (PDT) Subject: Chroot patch (v3.4p1) Message-ID: The following is a patch I've been working on to support a "ChrootUser" option in the sshd_config file. I was looking for a way to offer sftp access and at the same time restrict interactive shell access. This patch is a necessary first step (IMO). It applies clean with 'patch -l'. Also attached is a shell script that helps to build a chrooted home dir on a RedHat 7.2 box. (I would appreciate some feedback from a core developer as to whether this looks to be a useful approach or not.) --- openssh-3.4p1.vanilla/servconf.c Mon Jun 24 23:22:04 2002 +++ openssh-3.4p1/servconf.c Wed Jul 3 11:23:26 2002 @@ -292,7 +292,7 @@ sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, sStrictModes, sEmptyPasswd, sKeepAlives, sUseLogin, sAllowTcpForwarding, sCompression, - sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, + sAllowUsers, sDenyUsers, sChrootUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sBanner, sVerifyReverseMapping, sHostbasedAuthentication, @@ -360,6 +360,7 @@ { "allowtcpforwarding", sAllowTcpForwarding }, { "allowusers", sAllowUsers }, { "denyusers", sDenyUsers }, + { "chrootusers", sChrootUsers }, { "allowgroups", sAllowGroups }, { "denygroups", sDenyGroups }, { "ciphers", sCiphers },
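Review bot: the new "chrootusers" keyword added to the table here has no documentation anywhere in the patch; add a ChrootUsers entry to sshd_config.5 and to the sample sshd_config next to AllowUsers/DenyUsers, stating that it takes the same user and user@host patterns and that a matching user is chroot()ed into their home directory before the shell or subsystem starts, since that is the security-relevant effect an administrator enabling it needs to know about.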
@@ -779,6 +780,16 @@ } break; + case sChrootUsers: + while ((arg = strdelim(&cp)) && *arg != '\0') { + if (options->num_chroot_users >= MAX_CHROOT_USERS) + fatal( "%s line %d: too many chroot users.", + filename, linenum); + options->chroot_users[options->num_chroot_users++] = + xstrdup(arg); + } + break; + case sAllowGroups: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_groups >= MAX_ALLOW_GROUPS) --- openssh-3.4p1.vanilla/servconf.h Thu Jun 20 21:09:47 2002 +++ openssh-3.4p1/servconf.h Wed Jul 3 11:23:26 2002 @@ -20,6 +20,7 @@ #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */ #define MAX_DENY_USERS 256 /* Max # users on deny list. */ +#define MAX_CHROOT_USERS 256 /* Max # users on chroot list. */ #define MAX_ALLOW_GROUPS 256 /* Max # groups on allow list. */ #define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */ #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */ @@ -104,6 +105,8 @@ char *allow_users[MAX_ALLOW_USERS]; u_int num_deny_users; char *deny_users[MAX_DENY_USERS]; + u_int num_chroot_users; + char *chroot_users[MAX_CHROOT_USERS]; u_int num_allow_groups; char *allow_groups[MAX_ALLOW_GROUPS]; u_int num_deny_groups; --- openssh-3.4p1.vanilla/session.c Wed Jun 26 09:51:06 2002 +++ openssh-3.4p1/session.c Wed Jul 3 16:29:01 2002 @@ -57,6 +57,8 @@ #include "canohost.h" #include "session.h" #include "monitor_wrap.h" +#include "match.h" +#include "readconf.h" #ifdef HAVE_CYGWIN #include @@ -64,6 +66,8 @@ #define is_winnt (GetVersion() < 0x80000000) #endif +#define CHROOT + /* func */ Session *session_new(void); @@ -1160,6 +1164,12 @@ do_setusercontext(struct passwd *pw) { char tty='\0'; + int i; +#ifdef CHROOT + char *new_root = "/"; + const char *hostname = NULL; + const char *ipaddr = NULL; +#endif /* CHROOT */ #ifdef HAVE_CYGWIN if (is_winnt) { 
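Review bot: `int i;` in do_setusercontext() is declared outside the #ifdef CHROOT block but used only inside it, so a build with CHROOT undefined gets an unused-variable warning; move it under the #ifdef. The #ifdef is moot as the patch stands anyway, because the hunk just above adds an unconditional `#define CHROOT` to session.c: either turn this into a configure-time option or drop the conditionals. The `#include "readconf.h"` added in the first session.c hunk is the client-side ssh_config parser and is not needed here; match_user() is declared in match.h, which the same hunk already includes.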
@@ -1187,6 +1197,26 @@ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); +#ifdef CHROOT + + if (options.num_chroot_users > 0) { + hostname = get_canonical_hostname(options.verify_reverse_mapping); + ipaddr = get_remote_ipaddr(); + for (i = 0; i < options.num_chroot_users; i++) { + if (match_user(pw->pw_name, hostname, ipaddr, + options.chroot_users[i])) { + if(chroot(pw->pw_dir) != 0) { + fatal("Couldn't chroot to user directory %s", + pw->pw_dir); + } + else + pw->pw_dir = new_root; + } + } + } + + +#endif /* CHROOT */ if (setgid(pw->pw_gid) < 0) { perror("setgid"); exit(1); Regards, -- John Furman -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-3.4p1-chroot-patch.tar.gz Type: application/x-gzip Size: 2616 bytes Desc: Shell script & patch tarball Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020703/b9a95ed0/attachment.bin From dtucker at zip.com.au Thu Jul 4 11:28:54 2002 
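Review bot: in the @@ -1187 hunk chroot(pw->pw_dir) is called without a chdir(pw->pw_dir) first, so until the caller's later chdir() the process keeps its working directory outside the jail; use the standard order, chdir() then chroot(), and fatal() if either fails. Three further points on that hunk. The jail root is the user's own writable home directory, which makes the chroot escapable in the usual ways (the user populates etc/, lib/ and bin/ inside it, or hard-links a setuid binary from the same filesystem in next to a crafted lib/); require the target and its parent directories to be root-owned and not writable by the user, and check that in code rather than relying on the helper script. Because the chroot happens before setgid() and before the uid switch, every lookup sshd still performs with root privilege after this point (group initialisation for the user, for instance) resolves against the jail's etc/ and can load name-service modules from the jail's lib/, which is the same writable-root problem seen from the other side. Finally, the for loop does not stop after a successful chroot, so a user matching two patterns is chrooted twice (the second call is chroot("/"), harmless but misleading); break out of the loop once the chroot has been done.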
From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 04 Jul 2002 11:28:54 +1000 Subject: AIX and Privsep. References: Message-ID: <3D23A4D6.E6B7A78@zip.com.au> Ben Lindstrom wrote: > Outside the patch I just sent. *IS* there any other open bugs, issues > or problems with AIX and Privsep. Not that I'm aware of. > Or with AIX in general? All of the issues I'm aware of are in Bugzilla. The most important is not incrementing the failed login count, which allows password-guessing attacks: http://bugzilla.mindrot.org/show_bug.cgi?id=145 A macro name collision that prevents compiling with the native compiler: http://bugzilla.mindrot.org/show_bug.cgi?id=265 There's a few others where the resolution isn't clear. > I want to close out that platform and move to a new platform to work on. Thanks for your work so far! > Does all AIX versions have a tolerable mmap()? Depending on what you mean, I think so. 4.[23].x have MAP_ANONYMOUS and MAP_SHARED and seem to work. I don't have access to 5.1 but I suspect the same applies. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From mouring at etoh.eviladmin.org Thu Jul 4 11:59:11 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 3 Jul 2002 20:59:11 -0500 (CDT) Subject: [AIX/IBMers read] Re: AIX and Privsep. In-Reply-To: <3D23A4D6.E6B7A78@zip.com.au> Message-ID: On Thu, 4 Jul 2002, Darren Tucker wrote: > Ben Lindstrom wrote: > > Outside the patch I just sent. *IS* there any other open bugs, issues > > or problems with AIX and Privsep. > > Not that I'm aware of. > > > Or with AIX in general? > > All of the issues I'm aware of are in Bugzilla. > > The most important is not incrementing the failed login count, which > allows password-guessing attacks: > http://bugzilla.mindrot.org/show_bug.cgi?id=145 > applied, but Konqueror is crashing too much to close it. Close the report if the problem goes away. > A macro name collision that prevents compiling with the native compiler: > http://bugzilla.mindrot.org/show_bug.cgi?id=265 > I was looking at that. I don't see a problem with it. Unless anyone in the portable group objects I'll commit it in a day or so. > There's a few others where the resolution isn't clear. > The one about bad realpath(). I really need to get back and verify my hack of OpenBSD realpath(). Maybe there is a less complex one that is under BSD license that can be suggested. I know the one in the OpenBSD tree strings along about 5 or 6 more files to get it to work. Which may be overkill. The others I don't see a resolution without some way of being able to verify it on another platform. I'm really not interested in any more weird hacks. Can someone from IBM that is lurking on the list dedicate yourself to looking at http://bugzilla.mindrot.org at the unresolved (there are like 4 counting the two we are talking about that will be closed soon) and advise? > > I want to close out that platform and move to a new platform to work on. > > Thanks for your work so far! > > > Does all AIX versions have a tolerable mmap()? > > Depending on what you mean, I think so. 4.[23].x have MAP_ANONYMOUS and > MAP_SHARED and seem to work.
> I don't have access to 5.1 but I suspect the same applies. > I assume nothing lower than 4.x is really in production any more? - Ben From dtucker at zip.com.au Thu Jul 4 12:28:26 2002 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 04 Jul 2002 12:28:26 +1000 Subject: [AIX/IBMers read] Re: AIX and Privsep. References: Message-ID: <3D23B2CA.83152B07@zip.com.au> Ben Lindstrom wrote: > I assume nothing lower than 4.x is really in production any more? They might be, but they're not supported. (Neither is 4.2, for that matter, but I still have a couple of boxes that haven't been upgraded yet, so I still test on it). -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From dtucker at zip.com.au Thu Jul 4 12:46:49 2002 From: dtucker at zip.com.au (Darren Tucker) Date: Thu, 04 Jul 2002 12:46:49 +1000 Subject: [AIX/IBMers read] Re: AIX and Privsep. References: Message-ID: <3D23B719.373CA6C@zip.com.au> In late-breaking news, this is building from -current on AIX: gcc -o ssh-keysign ssh-keysign.o -L. -Lopenbsd-compat/ -L/usr/local/lib -lssh -lopenbsd-compat -lz -lcrypto ld: 0711-317 ERROR: Undefined symbol: .initialize_options ld: 0711-317 ERROR: Undefined symbol: .read_config_file ld: 0711-317 ERROR: Undefined symbol: .fill_default_options ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information. collect2: ld returned 8 exit status make: *** [ssh-keysign] Error 1 It looks like ssh-keysign now needs these functions from readconf.c. Adding readconf.o to the gcc line allows it to link. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From carson at taltos.org Thu Jul 4 13:03:55 2002
From: carson at taltos.org (Carson Gaspar)
Date: Wed, 03 Jul 2002 23:03:55 -0400
Subject: secureid and CA
In-Reply-To: <002f01c222f9$d34809f0$0200000a@insideout.co.il>
References: <002f01c222f9$d34809f0$0200000a@insideout.co.il>
Message-ID: <17358703.1025737435@[192.168.0.2]>

--On Thursday, July 04, 2002 3:26 AM +0200 "PostMaster @ I.O. Ltd." wrote:

> Hello to all the Great "crypto" People (... my first time in this list ..)
> I'm trying to compile openSSH-3.4p1 with the SecureID patch taken from:
> http://www.omniti.com/~jesus/projects/openssh-3.4p1+SecurID_v1.patch
> I'm having trouble to compile the patched openSSH over the Cygwin
> platform. this is probably since there is no cygwin SecureID agent
> available, so i'm using the linux one (Redhat).
> does anyone have a solution?

No. There is no solution, unless RSA provides SecurID libraries for Cygwin.
Which I don't see happening anytime soon.

> the aim of all this is to build a BUILT-IN feature in openssh to have auth
> option via some kind of a certification authority CA (like ace server).
> that way regardless of the platform (and the local users and so on),
> it will be possible to auth to the ssh spread around in our network.

The ACE server has _nothing_ to do with a CA. It does no public key crypto
at all. It just does DES. It also has an "interesting" way of transmitting
the shared secret (although rumour has it the current rev fixed that).

-- 
Carson

From mouring at etoh.eviladmin.org Thu Jul 4 12:58:14 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 3 Jul 2002 21:58:14 -0500 (CDT)
Subject: [AIX/IBMers read] Re: AIX and Privsep.
In-Reply-To: <3D23B719.373CA6C@zip.com.au>
Message-ID:

Ya I saw that after I walked away to figure out how to fix the mess the
last owners left me under my deck. It should be fixed plus the
aix_usrinfo() patch is in now.

- Ben

On Thu, 4 Jul 2002, Darren Tucker wrote:

> In late-breaking news, this is building from -current on AIX:
>
> gcc -o ssh-keysign ssh-keysign.o -L. -Lopenbsd-compat/ -L/usr/local/lib
> -lssh -lopenbsd-compat -lz -lcrypto
> ld: 0711-317 ERROR: Undefined symbol: .initialize_options
> ld: 0711-317 ERROR: Undefined symbol: .read_config_file
> ld: 0711-317 ERROR: Undefined symbol: .fill_default_options
> ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more
> information.
> collect2: ld returned 8 exit status
> make: *** [ssh-keysign] Error 1
>
> It looks like ssh-keysign now needs these functions from readconf.c.
> Adding readconf.o to the gcc line allows it to link.
>
> -- 
> Darren Tucker (dtucker at zip.com.au)
> GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

From dtucker at zip.com.au Thu Jul 4 16:12:36 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 04 Jul 2002 16:12:36 +1000
Subject: [AIX/IBMers read] Re: AIX and Privsep.
References:
Message-ID: <3D23E754.4880B3B@zip.com.au>

Ben Lindstrom wrote:
[AIX problems]
> > The most important is not incrementing the failed login count, which
> > allows password-guessing attacks:
> > http://bugzilla.mindrot.org/show_bug.cgi?id=145
>
> applied, but Konqueror is crashing too much to close it. Close the report
> if the problem goes away.

OK, I've tried -cvs on AIX 4.2.1 and 4.3.3. Account lockout works fine on
4.3.3.

It doesn't work on 4.2.1, because it doesn't get compiled in. Configure
doesn't define WITH_AIXAUTHENTICATE because authenticate() is in libs.a
which isn't linked. Setting LDFLAGS="-ls" before running configure defines
WITH_AIXAUTHENTICATE and lockout works OK.

The existing configure.ac works on 4.3.3 as authenticate() is in libc.a too.

What's the consensus?
a) Do nothing and make people using 4.2.1 set LDFLAGS themselves.
b) Add "-ls" to LDFLAGS for AIX in configure.ac. This works on 4.[23] but
   I'm not sure about 5.1.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From gert at greenie.muc.de Thu Jul 4 17:04:00 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 4 Jul 2002 09:04:00 +0200
Subject: [AIX/IBMers read] Re: AIX and Privsep.
In-Reply-To: ; from mouring@etoh.eviladmin.org on Wed, Jul 03, 2002 at 08:59:11PM -0500
References: <3D23A4D6.E6B7A78@zip.com.au>
Message-ID: <20020704090400.H10692@greenie.muc.de>

Hi,

On Wed, Jul 03, 2002 at 08:59:11PM -0500, Ben Lindstrom wrote:
> I assume nothing lower than 4.x is really in production any more?

We have a handful of 3.2.4 and 3.2.5 systems left, but those are phased
out. If SSH isn't working there, we have even stronger arguments to get
them upgraded :-)

(But I'll try anyway and report back. But that's low-prio)

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert.doering at physik.tu-muenchen.de

From janfrode at parallab.uib.no Thu Jul 4 17:17:38 2002
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Thu, 4 Jul 2002 09:17:38 +0200
Subject: AIX and Privsep.
In-Reply-To:
References: <3D21983D.B96EAB41@zip.com.au>
Message-ID: <20020704071738.GA12185@ii.uib.no>

On Wed, Jul 03, 2002 at 06:14:31PM -0500, Ben Lindstrom wrote:
>
> Outside the patch I just sent. *IS* there any other open bugs, issues
> or problems with AIX and Privsep. Or with AIX in general?
>

Really minor issues, but since you asked..

OpenSSH is not setting the environment variables AUTHSTATE or LOGIN or
the variables defined in /etc/security/environ.

It doesn't handle password expiry or the ADMCHG flag to force the users
to change their passwords.

-jf

From markus at openbsd.org Thu Jul 4 17:41:52 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 4 Jul 2002 09:41:52 +0200
Subject: scp not tolerant of extraneous shell messages
In-Reply-To: <3D2360A7.4010101@doxpara.com>
References: <17D3D857B26112409EA372EB0AFE39DD125F2A@NSTMC005PEX1.ubsgs.ubsgroup.net> <3D21EBBE.5010608@doxpara.com> <20020703150822.GC14294@folly> <3D2360A7.4010101@doxpara.com>
Message-ID: <20020704074152.GC11296@faui02>

no. ssh is a unix tool, for regular unix shell accounts.

sftp makes file transfer over ssh easier to use (some might disagree).
sftp is a unix tool, for regular unix shell accounts.

if you want to have restricted shit, you have to start thinking.

From gert at greenie.muc.de Thu Jul 4 17:47:21 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 4 Jul 2002 09:47:21 +0200
Subject: AIX usrinfo() cleanup.
In-Reply-To: ; from mouring@etoh.eviladmin.org on Wed, Jul 03, 2002 at 06:12:52PM -0500
References: <3D21983D.B96EAB41@zip.com.au>
Message-ID: <20020704094720.J10692@greenie.muc.de>

Hi,

On Wed, Jul 03, 2002 at 06:12:52PM -0500, Ben Lindstrom wrote:
> > > If you ask me: drop it, and throw out junky code. If someone besides us
> > > needs usrinfo (and we do not use TTY=) they will complain.
> >
> > That's my vote too. At the moment I don't know of any affected programs.
>
> Ok.. Gert, I need to verify you wrote the original code right? I need it
> for copyright reasons.

I wrote the first hack, and "someone of the regular portable workers"
rewrote it a bit (but I forgot who that was).

> This is what I'm committing. Test it and tell me if I broke something.

I can't test it right now (different customer today), but from the looks
of it, it should be fine.

> This also adds 2-clause BSD license which I assume is acceptable since the
> code was pulled from session.c which was 2-clause to start with.

No objections.

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
gert at greenie.muc.de
fax: +49-89-35655025
gert.doering at physik.tu-muenchen.de

From leigh at solinno.co.uk Thu Jul 4 19:05:29 2002
From: leigh at solinno.co.uk (Leigh Brown)
Date: Thu, 4 Jul 2002 10:05:29 +0100 (BST)
Subject: AIX and Privsep.
In-Reply-To: <20020704071738.GA12185@ii.uib.no>
References: <3D21983D.B96EAB41@zip.com.au> <20020704071738.GA12185@ii.uib.no>
Message-ID: <52390.193.133.92.239.1025773529.squirrel@lbbrown.homeip.net>

On Wed, Jul 03, 2002 at 06:14:31PM -0500, Ben Lindstrom wrote:
>
> Outside the patch I just sent. *IS* there any other open bugs, issues
> or problems with AIX and Privsep. Or with AIX in general?

I would be very grateful if bug 124 could be sorted out.

http://bugzilla.mindrot.org/show_bug.cgi?id=124

The attached patch is a workaround for this bug (against 3.4p1). Would it,
or something like it, be acceptable?

Cheers,

Leigh.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: osshaixbug.diff
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020704/7db9943e/attachment.ksh

From insideout at barak.net.il Thu Jul 4 20:22:51 2002
From: insideout at barak.net.il (PostMaster @ I.O. Ltd.)
Date: Thu, 4 Jul 2002 12:22:51 +0200
Subject: Fw: secureid and CA
Message-ID: <00a501c22344$c0b3c3b0$0200000a@insideout.co.il>

> | The ACE server has _nothing_ to do with a CA

I know. But still there should be some kind of feature to offer
"centralized authentication" with no relying on the 2 ssh sides, anyone
agree?

(I suggested the ACE for 3 reasons: the team here find it reasonably o.k -
at least by looking in the archives it's quite known - it's a good starting
point - i think)

TIA,
Ran Sasson
I.O. Ltd.

From pavel at debian.org Thu Jul 4 19:17:50 2002
From: pavel at debian.org (Pavel Tcholakov)
Date: Thu, 4 Jul 2002 11:17:50 +0200
Subject: Just to say...
Message-ID: <200207041117.50141.pavel@debian.org>

Hi guys,

Yesterday I had a look at the openssh code for the first time, and I was
greatly impressed by its structure, quality, and readability. A big thanks
to everyone involved! You're creating a great piece of software.

Cheers,
Pavel

From vinschen at redhat.com Thu Jul 4 19:27:10 2002
From: vinschen at redhat.com (Corinna Vinschen)
Date: Thu, 4 Jul 2002 11:27:10 +0200
Subject: [PATCH]: Remove HAVE_CYGWIN in favor of NO_IPPORT_RESERVED_CONCEPT
Message-ID: <20020704112710.M21857@cygbert.vinschen.de>

Hi,

I've sent that patch once already but it seems more or less forgotten in
the tumultuous days of the latest vulnerability.

It adds a new define NO_IPPORT_RESERVED_CONCEPT which can be defined on
platforms not supporting the concept of "privileged" ports only accessible
by privileged users but which allow everyone to use these ports.

This patch removes some Cygwin dependencies from the code. Otherwise, if
this patch isn't applied, we definitely need another #ifndef HAVE_CYGWIN in
serverloop.c, otherwise serverside port forwarding for reserved ports
doesn't work in Cygwin's 3.4 version. The official Cygwin release of 3.4
contains that additional HAVE_CYGWIN patch so far.

Corinna

Index: acconfig.h
===================================================================
RCS file: /cvs/openssh_cvs/acconfig.h,v
retrieving revision 1.141
diff -u -p -r1.141 acconfig.h
--- acconfig.h 25 Jun 2002 22:35:16 -0000 1.141
+++ acconfig.h 4 Jul 2002 09:13:29 -0000
@@ -310,6 +310,9 @@ /* Define if X11 doesn't support AF_UNIX sockets on that system */ #undef NO_X11_UNIX_SOCKETS +/* Define if the concept of ports only accessible to superusers isn't known */ +#undef NO_IPPORT_RESERVED_CONCEPT + /* Needed for SCO and NeXT */ #undef BROKEN_SAVED_UIDS Index: configure.ac =================================================================== RCS file: /cvs/openssh_cvs/configure.ac,v retrieving revision 1.73 diff -u -p -r1.73 configure.ac --- configure.ac 28 Jun 2002 00:37:33 -0000 1.73 +++ configure.ac 4 Jul 2002 09:13:30 -0000 @@ -86,6 +86,7 @@ case "$host" in AC_DEFINE(IPV4_DEFAULT) AC_DEFINE(IP_TOS_IS_BROKEN) AC_DEFINE(NO_X11_UNIX_SOCKETS) + AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) AC_DEFINE(BROKEN_FD_PASSING) AC_DEFINE(SETGROUPS_NOOP) ;; Index: readconf.c =================================================================== RCS file: /cvs/openssh_cvs/readconf.c,v retrieving revision 1.75 diff -u -p -r1.75 readconf.c --- readconf.c 21 Jun 2002 00:41:52 -0000 1.75 +++ readconf.c 4 Jul 2002 09:13:31 -0000 @@ -199,7 +199,7 @@ add_local_forward(Options *options, u_sh u_short host_port) { Forward *fwd; -#ifndef HAVE_CYGWIN +#ifndef NO_IPPORT_RESERVED_CONCEPT extern uid_t original_real_uid; if (port < IPPORT_RESERVED && original_real_uid != 0) fatal("Privileged ports can only be forwarded by root."); Index: serverloop.c =================================================================== RCS file: /cvs/openssh_cvs/serverloop.c,v retrieving revision 1.102 diff -u -p -r1.102 serverloop.c --- serverloop.c 25 Jun 2002 23:17:37 -0000 1.102 +++ serverloop.c 4 Jul 2002 09:13:34 -0000 
@@ -972,8 +972,11 @@ server_input_global_request(int type, u_ /* check permissions */ if (!options.allow_tcp_forwarding || - no_port_forwarding_flag || - (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) { + no_port_forwarding_flag +#ifndef NO_IPPORT_RESERVED_CONCEPT + || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) +#endif + ) { success = 0; packet_send_debug("Server has disabled port forwarding."); } else {

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:vinschen at redhat.com

From bugzilla-daemon at mindrot.org Thu Jul 4 19:45:13 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 4 Jul 2002 19:45:13 +1000 (EST)
Subject: [Bug 335] New: Compile PROBLEM!!!!
Message-ID: <20020704094513.E6D24E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=335

Summary: Compile PROBLEM!!!!
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: major
Priority: P1
Component: Build system
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: k3rmit at libero.it

giving this configure string:

./configure --prefix=/usr --sysconfdir=/etc/ssh --localstatedir=/var --with-entropy-timeout --with-rand-helper --with-md5-passwords --with-4in6

and compiling it, it gives me an error at ssh-rand-helper.c compilation and
stops compiling!!!!

make: *** [ssh-rand-helper.o] Error 1

i'm using gcc version 2.95.3 20010315 (release) on a i586 machine.

Please fix this

Alb3

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Jul 4 21:50:19 2002
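Review bot: on the acconfig.h hunk of the NO_IPPORT_RESERVED_CONCEPT patch, the comment "Define if the concept of ports only accessible to superusers isn't known" says when to define the symbol but not what it does; since defining it disables both the client-side check in readconf.c and the server-side listen_port check in serverloop.c, the comment should state that effect so that nobody sets it on a platform that does restrict ports below IPPORT_RESERVED.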
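Review bot: in the serverloop.c hunk, the `#ifndef NO_IPPORT_RESERVED_CONCEPT` / `#endif` pair sits in the middle of a single `if` condition, leaving `no_port_forwarding_flag` followed by a bare `) {` when the symbol is defined; that compiles but is easy to misread. Consider moving the reserved-port test into a small static helper that returns 0 under NO_IPPORT_RESERVED_CONCEPT, so the condition stays `if (!options.allow_tcp_forwarding || no_port_forwarding_flag || privileged_port_denied(listen_port, pw))` on one line with the preprocessor logic kept out of the expression.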
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 4 Jul 2002 21:50:19 +1000 (EST)
Subject: [Bug 335] Compile PROBLEM!!!!
Message-ID: <20020704115019.B047BE881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=335

------- Additional Comments From dtucker at zip.com.au 2002-07-04 21:50 -------
Which distribution and release?

What was the actual error message? (Generally you'll need to capture the
last 10-15 lines.)

And were all those exclamation marks really necessary?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Jul 4 22:25:17 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 4 Jul 2002 22:25:17 +1000 (EST)
Subject: [Bug 336] New: ssh does not compile on Linux with libc5 and 2.0 kernel
Message-ID: <20020704122517.ECD83E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=336

Summary: ssh does not compile on Linux with libc5 and 2.0 kernel
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: critical
Priority: P2
Component: Build system
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: johanw at xs4all.nl

When compiling ssh on an older Linux system with a 2.0 kernel and libc5,
compile errors arise because configure erroneously defines
HAVE_CONTROL_IN_MSGHDR in config.h. This results in undefined references:

./libssh.a(monitor_fdpass.o): In function `mm_send_fd':
/Packages/ssh/openssh-3.4p1/monitor_fdpass.c:54: undefined reference to `CMSG_FIRSTHDR'
/Packages/ssh/openssh-3.4p1/monitor_fdpass.c:58: undefined reference to `CMSG_DATA'
./libssh.a(monitor_fdpass.o): In function `mm_receive_fd':
/Packages/ssh/openssh-3.4p1/monitor_fdpass.c:114: undefined reference to `CMSG_FIRSTHDR'
/Packages/ssh/openssh-3.4p1/monitor_fdpass.c:118: undefined reference to `CMSG_DATA'
make: *** [ssh] Error 1

Commenting out the line

/* #define HAVE_CONTROL_IN_MSGHDR 1 */

results in a working version, although PrivilegeSeparation does not work
then and you have to disable it in the config file.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From manik.surtani at conchango.com Thu Jul 4 23:55:04 2002
From: manik.surtani at conchango.com (Manik Surtani)
Date: Thu, 04 Jul 2002 14:55:04 +0100
Subject: DH keys exchanged - encoding?
Message-ID: <3D2453B8.1080708@conchango.com>

Hi,

Could anyone pls help by telling me how the DH pubkey from the server (f)
is encoded when it is sent back to me? I understand that it comes across as
an mpint, but after I decode the mpint into the bytes that make up the
number, what does this number represent? Is it a X509 encoded key? Or is
it something else?

The reason for my question: I am trying to write a ssh client in Java,
using JCE for the crypto. When I get the server key, and use the raw bytes
to create an X509EncodedKeySpec, I get errors relating to invalid data ...

Help appreciated.

Cheers,
-- 
Manik Surtani
Conchango
'Innovative Change in Business'
T 44 (0) 1784 221829
M 44 (0) 7786 702 706
E manik.surtani at conchango.com
http://www.conchango.com

The information contained in this message is confidential and is intended
for the addressee only. If you have received this message in error, please
notify us as soon as possible. The unauthorised use, disclosure, copying or
alteration of this message is forbidden.

_____________________________________________________________________
This message has been checked for all known viruses by the MessageLabs Virus Control Centre.

From markus at openbsd.org Fri Jul 5 00:01:37 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 4 Jul 2002 16:01:37 +0200
Subject: New PAM kbd-int diff
In-Reply-To:
References: <1025577068.28700.22.camel@xenon>
Message-ID: <20020704140137.GA2247@folly>

On Thu, Jul 04, 2002 at 12:48:47AM +0200, Dag-Erling Smorgrav wrote:
> I really don't understand what you're doing here - it seems you're
> mixing some old FreeBSD code with some newer FreeBSD code, changing it
> here and there, and generally making a mess of it. I realize that
> this code is quite hairy, but if you have any problems with it all you
> have to do is ask.

well, sometimes you don't get an answer.

> The PAM code in FreeBSD-CURRENT (and -STABLE as of half an hour ago)
> handles multiple passes just fine. I've attached a diff of selected
> FreeBSD files relative to OpenSSH 3.4p1. Hope you find it useful.
> The auth2-pam-freebsd.c entirely replaces auth2-pam.c, I just used a
> different name to avoid merge conflicts when upgrading in the future.

i'd prefer if auth2-pam-freebsd.c would not use another method
for sending messages over filedescriptors. other parts of ssh
(sftp-server, monitor) use the standard buffer.c API for sending
messages, see msg.c.

-m

From markus at openbsd.org Fri Jul 5 00:04:42 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 4 Jul 2002 16:04:42 +0200
Subject: DH keys exchanged - encoding?
In-Reply-To: <3D2453B8.1080708@conchango.com>
References: <3D2453B8.1080708@conchango.com>
Message-ID: <20020704140442.GB7703@faui02>

On Thu, Jul 04, 2002 at 02:55:04PM +0100, Manik Surtani wrote:
> Hi,
>
> Could anyone pls help by telling me how the DH pubkey from the server
> (f) is encoded when it is sent back to me? I understand that it comes
> across as an mpint, but after I decode the mpint into the bytes that
> make up the number, what does this number represent? Is it a X509
> encoded key? Or is it something else?

how is this related to x.509? it's just a

	multiple precision integer in two's complement format

check draft-ietf-secsh-architecture-XX again:

   mpint

      Represents multiple precision integers in two's complement format,
      stored as a string, 8 bits per byte, MSB first. Negative numbers
      have the value 1 as the most significant bit of the first byte of
      the data partition. If the most significant bit would be set for
      a positive number, the number MUST be preceded by a zero byte.
      Unnecessary leading bytes with the value 0 or 255 MUST NOT be
      included. The value zero MUST be stored as a string with zero
      bytes of data.

      By convention, a number that is used in modular computations in
      Z_n SHOULD be represented in the range 0 <= x < n.

      Examples:

         value (hex)        representation (hex)
         ---------------------------------------------------------------
         0                  00 00 00 00
         9a378f9b2e332a7    00 00 00 08 09 a3 78 f9 b2 e3 32 a7
         80                 00 00 00 02 00 80
         -1234              00 00 00 02 ed cc
         -deadbeef          00 00 00 05 ff 21 52 41 11

From markus at openbsd.org Fri Jul 5 00:08:25 2002
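As an added example for the question and the reply above (not code from the thread, from OpenSSH, or from the draft), the following Python encodes and decodes the mpint wire format exactly as the quoted text specifies, checks the draft's own vectors, and shows what a client does with the decoded f: a range check and K = f^x mod p, with no X.509 or ASN.1 anywhere. The DH group used at the bottom (p = 23, g = 5) is a constructed toy group for illustration, not a real SSH group.

```python
"""SSH 'mpint' wire format (draft-ietf-secsh-architecture): encoder, strict
decoder, and the client-side use of the server's DH value f.

Added example, not code from the thread or from OpenSSH.
"""
import struct
from typing import Tuple

# The draft's own test vectors, as quoted in the message above (value -> wire).
DRAFT_VECTORS = {
    0x0: bytes.fromhex("00000000"),
    0x9a378f9b2e332a7: bytes.fromhex("0000000809a378f9b2e332a7"),
    0x80: bytes.fromhex("000000020080"),
    -0x1234: bytes.fromhex("00000002edcc"),
    -0xdeadbeef: bytes.fromhex("00000005ff21524111"),
}


def mpint_encode(value: int) -> bytes:
    """Encode an integer as uint32 length + minimal two's complement body."""
    if value == 0:
        return struct.pack(">I", 0)  # zero is a string with no data bytes
    # Smallest number of bytes holding the value *including* a sign bit.
    # For a positive number whose top bit is set this yields the leading
    # 0x00 the draft requires; for negatives it avoids redundant 0xff bytes.
    magnitude = -value - 1 if value < 0 else value
    nbytes = (magnitude.bit_length() + 8) // 8
    body = value.to_bytes(nbytes, "big", signed=True)
    return struct.pack(">I", len(body)) + body


def mpint_decode(buf: bytes, offset: int = 0) -> Tuple[int, int]:
    """Decode one mpint starting at offset; return (value, next_offset).

    Rejects truncated input and non-minimal encodings, which the draft
    forbids ("Unnecessary leading bytes with the value 0 or 255 MUST NOT
    be included"); a lenient decoder would let two different byte strings
    stand for the same number, which matters when those bytes are hashed.
    """
    if len(buf) - offset < 4:
        raise ValueError("truncated mpint length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    body = buf[offset:offset + length]
    if len(body) != length:
        raise ValueError("truncated mpint body")
    if length == 1 and body[0] == 0x00:
        raise ValueError("zero must be encoded with an empty body")
    if length >= 2 and (
        (body[0] == 0x00 and body[1] < 0x80)
        or (body[0] == 0xFF and body[1] >= 0x80)
    ):
        raise ValueError("non-minimal mpint: redundant leading 0x00/0xff byte")
    return int.from_bytes(body, "big", signed=True), offset + length


def is_valid_mpint(wire: bytes) -> bool:
    """True if wire is exactly one well-formed, minimal mpint."""
    try:
        _, end = mpint_decode(wire)
    except ValueError:
        return False
    return end == len(wire)


def check_draft_vectors() -> bool:
    """Round-trip every vector from the draft through encode and decode."""
    return all(
        mpint_encode(v) == wire and mpint_decode(wire) == (v, len(wire))
        for v, wire in DRAFT_VECTORS.items()
    )


def dh_shared_secret(f_wire: bytes, x: int, p: int) -> int:
    """What the client does with the server's f: decode the mpint, check it
    is a usable group element (1 < f < p-1), and compute K = f^x mod p.

    f is a plain integer, not an X.509 structure; no ASN.1 is involved.
    """
    f, end = mpint_decode(f_wire)
    if end != len(f_wire):
        raise ValueError("trailing bytes after f")
    if not 1 < f < p - 1:
        raise ValueError("server DH value f out of range")
    return pow(f, x, p)


if __name__ == "__main__":
    print("draft vectors round-trip:", check_draft_vectors())
    # Constructed toy group (p=23, g=5), not a real SSH DH group.
    p, g, x, y = 23, 5, 6, 15
    f_wire = mpint_encode(pow(g, y, p))        # 00 00 00 01 13
    print("K =", dh_shared_secret(f_wire, x, p))  # 2, equal to pow(e, y, p)
```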
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 4 Jul 2002 16:08:25 +0200
Subject: Chroot patch (v3.4p1)
In-Reply-To:
References:
Message-ID: <20020704140825.GB2247@folly>

On Wed, Jul 03, 2002 at 05:47:44PM -0700, John Furman wrote:
> + { "chrootusers", sChrootUsers },

please pipe the patch through unexpand.

> + if(chroot(pw->pw_dir) != 0) {

please don't chroot into $HOME but a configurable (sub)directory,
similar to the AuthorizedKeysFile option, e.g

	ChrootDir %h/public_html

otherwise people start messing around with $HOME/.ssh/ or $HOME/.forward, etc.

-m

From manik.surtani at conchango.com Fri Jul 5 00:08:05 2002
From: manik.surtani at conchango.com (Manik Surtani)
Date: Thu, 04 Jul 2002 15:08:05 +0100
Subject: DH keys exchanged - encoding?
References: <3D2453B8.1080708@conchango.com> <20020704140442.GB7703@faui02>
Message-ID: <3D2456C5.5060401@conchango.com>

It's just that when I try and construct a PublicKey object using the JCE
libraries, it expects the bytes in a X509 encoding. When I do this manually
(i.e., using the DH algos directly and NOT using JCE), everything works
well. But I'd prefer to use JCE and all the crypto libraries provided,
rather than to rewrite it all.

Perhaps what is needed then is for me to write an X509 encoder/decoder so
that I could use JCE with this?

Markus Friedl wrote:
> On Thu, Jul 04, 2002 at 02:55:04PM +0100, Manik Surtani wrote:
>
>> Hi,
>>
>> Could anyone pls help by telling me how the DH pubkey from the server
>> (f) is encoded when it is sent back to me? I understand that it comes
>> across as an mpint, but after I decode the mpint into the bytes that
>> make up the number, what does this number represent? Is it a X509
>> encoded key? Or is it something else?
>
> how is this related to x.509? it's just a
>
> 	multiple precision integer in two's complement format
>
> check draft-ietf-secsh-architecture-XX again:
>
>    mpint
>
>       Represents multiple precision integers in two's complement format,
>       stored as a string, 8 bits per byte, MSB first. Negative numbers
>       have the value 1 as the most significant bit of the first byte of
>       the data partition. If the most significant bit would be set for
>       a positive number, the number MUST be preceded by a zero byte.
>       Unnecessary leading bytes with the value 0 or 255 MUST NOT be
>       included. The value zero MUST be stored as a string with zero
>       bytes of data.
>
>       By convention, a number that is used in modular computations in
>       Z_n SHOULD be represented in the range 0 <= x < n.
>
>       Examples:
>
>          value (hex)        representation (hex)
>          ---------------------------------------------------------------
>          0                  00 00 00 00
>          9a378f9b2e332a7    00 00 00 08 09 a3 78 f9 b2 e3 32 a7
>          80                 00 00 00 02 00 80
>          -1234              00 00 00 02 ed cc
>          -deadbeef          00 00 00 05 ff 21 52 41 11
>

-- 
Manik Surtani
Conchango
'Innovative Change in Business'
T 44 (0) 1784 221829
M 44 (0) 7786 702 706
E manik.surtani at conchango.com
http://www.conchango.com

From bugzilla-daemon at mindrot.org Fri Jul 5 01:11:14 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Jul 2002 01:11:14 +1000 (EST)
Subject: [Bug 44] Can't pass KRB4 TGT on RH7.2 due to glibc mkstemp
Message-ID: <20020704151114.3BBE7E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=44

------- Additional Comments From jan.iven at cern.ch 2002-07-05 01:11 -------
Update: I have reported this to the glibc people, who say that they will
not modify their mkstemp().
(http://bugs.gnu.org/cgi-bin/gnatsweb.pl?debug=&database=default&cmd=view+audit-trail&cmd=view&pr=3573)

Attached is a patch to configure{ac,in} to detect this and force using the
bsd_compat functions.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Jul 5 01:12:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Jul 2002 01:12:32 +1000 (EST)
Subject: [Bug 44] Can't pass KRB4 TGT on RH7.2 due to glibc mkstemp
Message-ID: <20020704151232.58D00E904@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=44

------- Additional Comments From jan.iven at cern.ch 2002-07-05 01:12 -------
Created an attachment (id=129)
patch to allow configure to detect an overly strict mkstemp()

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From des at ofug.org Fri Jul 5 01:17:24 2002
From: des at ofug.org (Dag-Erling Smorgrav)
Date: 04 Jul 2002 17:17:24 +0200
Subject: New PAM kbd-int diff
In-Reply-To: <20020704140137.GA2247@folly>
References: <1025577068.28700.22.camel@xenon> <20020704140137.GA2247@folly>
Message-ID:

Markus Friedl writes:
> i'd prefer if auth2-pam-freebsd.c would not use another method
> for sending messages over filedescriptors. other parts of ssh
> (sftp-server, monitor) use the standard buffer.c API for sending
> messages, see msg.c.

You're right. I wasn't very familiar with OpenSSH yet when I originally
wrote that code.

DES
-- 
Dag-Erling Smorgrav - des at ofug.org

From magnus at bodin.org Fri Jul 5 01:22:49 2002
From: magnus at bodin.org (Magnus Bodin)
Date: Thu, 4 Jul 2002 17:22:49 +0200
Subject: SSH Test Tool
In-Reply-To: <20020703110944.10758.qmail@web20501.mail.yahoo.com>
References: <20020703120109.A2288943@ohm.arago.de> <20020703110944.10758.qmail@web20501.mail.yahoo.com>
Message-ID: <20020704152249.GX15769@bodin.org>

On Wed, Jul 03, 2002 at 04:09:44AM -0700, raam raam wrote:
> Hi
>
> Is there any test tool available for testing SSH

Test ssh with -v -v -v or use the testscript from the snailbook:
http://www.snailbook.com/tools.html

/magnus

-- 
http://x42.com/

From markus at openbsd.org Fri Jul 5 01:29:25 2002
From: markus at openbsd.org (Markus Friedl) Date: Thu, 4 Jul 2002 17:29:25 +0200 Subject: AIX and Privsep. In-Reply-To: <52390.193.133.92.239.1025773529.squirrel@lbbrown.homeip.net> References: <3D21983D.B96EAB41@zip.com.au> <20020704071738.GA12185@ii.uib.no> <52390.193.133.92.239.1025773529.squirrel@lbbrown.homeip.net> Message-ID: <20020704152925.GA2046@folly> On Thu, Jul 04, 2002 at 10:05:29AM +0100, Leigh Brown wrote: > > - window = CHAN_SES_WINDOW_DEFAULT; > - packetmax = CHAN_SES_PACKET_DEFAULT; > if (tty_flag) { > - window >>= 1; > - packetmax >>= 1; > + window = CHAN_TTY_WINDOW_DEFAULT; > + packetmax = CHAN_TTY_PACKET_DEFAULT; > + } else { > + window = CHAN_SES_WINDOW_DEFAULT; > + packetmax = CHAN_SES_PACKET_DEFAULT; that's not the right place to fix, because the bug affects what can be written on the server side. i think you need sth like: Index: channels.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/channels.c,v retrieving revision 1.180 diff -u -r1.180 channels.c --- channels.c 4 Jul 2002 08:12:15 -0000 1.180 +++ channels.c 4 Jul 2002 15:30:18 -0000 @@ -1287,6 +1287,10 @@ data = buffer_ptr(&c->output); dlen = buffer_len(&c->output); len = write(c->wfd, data, dlen); +#ifdef AIX + if (compat20 && c->isatty && dlen >= 8*1024) + dlen = 8*1024; +#endif if (len < 0 && (errno == EINTR || errno == EAGAIN)) return 1; if (len <= 0) { From troy at shun.org Fri Jul 5 01:41:20 2002 
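Review bot: in the channels.c hunk, the `#ifdef AIX` clamp is placed after `len = write(c->wfd, data, dlen);`, so the write has already been issued with the full `dlen` by the time `dlen = 8*1024` runs and the cap has no effect on what reaches the pty; move the three added lines above the `write()` call so the clamped `dlen` is what gets written. The literal `8*1024` also appears twice; a named constant with a comment naming the AIX pty behaviour being worked around would make the intent clear to the next reader.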
From: troy at shun.org (troy) Date: Thu, 4 Jul 2002 10:41:20 -0500 Subject: AIX usrinfo() cleanup. In-Reply-To: References: <3D21983D.B96EAB41@zip.com.au> Message-ID: <20020704154120.GA21553@shun.org> Quoting Ben Lindstrom (mouring at etoh.eviladmin.org): > This is what I'm commiting. Test it and tell me if I broke something. > > RCS file: /var/cvs/openssh/openbsd-compat/port-aix.c,v > retrieving revision 1.3 > diff -u -r1.3 port-aix.c > --- openbsd-compat/port-aix.c 21 Jun 2002 00:01:19 -0000 1.3 > +++ openbsd-compat/port-aix.c 3 Jul 2002 23:21:36 -0000 [snip] > - if (ttyfd == -1) > - tty[0] = '\0'; > - cp = xmalloc(22 + strlen(tty) + 2 * strlen(pw->pw_name)); > - i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c", pw->pw_name, 0, > - pw->pw_name, 0, tty, 0, 0); > + cp = xmalloc(16 + 2 * strlen(pw->pw_name)); > + i = sprintf(cp, "LOGNAME=%s%cNAME=%s%c%c", pw->pw_name, 0, > + pw->pw_name, 0, 0); Doesn't sprintf add a trailing NULL to the end? Don't you need to xmalloc(16+2*strlen(pw->pw_name)+1)? -- GPG keyid=4C04D07A GPG fingerprint=A63A 4719 C7D6 0BF7 B487 7B4C 2B38 487B 4C04 D07A From gert at greenie.muc.de Fri Jul 5 01:45:07 2002 
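Review bot: the allocation in the `+ cp = xmalloc(16 + 2 * strlen(pw->pw_name));` line is one byte short. The format writes "LOGNAME=" (8) + name + NUL + "NAME=" (5) + name + NUL + NUL, which is 16 + 2*strlen, and sprintf() then appends its own terminating NUL, so 17 + 2*strlen bytes are needed; the removed line's 22 (= 21 + 1 for the terminator) already accounted for that. Suggest computing the size once into a variable, allocating from it, and using snprintf() with that size, checking that the returned `i` is below it.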
From: gert at greenie.muc.de (Gert Doering) Date: Thu, 4 Jul 2002 17:45:07 +0200 Subject: AIX usrinfo() cleanup. In-Reply-To: <20020704154120.GA21553@shun.org>; from troy@shun.org on Thu, Jul 04, 2002 at 10:41:20AM -0500 References: <3D21983D.B96EAB41@zip.com.au> <20020704154120.GA21553@shun.org> Message-ID: <20020704174507.C23842@greenie.muc.de> Hi, On Thu, Jul 04, 2002 at 10:41:20AM -0500, troy wrote: > > - cp = xmalloc(22 + strlen(tty) + 2 * strlen(pw->pw_name)); > > - i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c", pw->pw_name, 0, > > - pw->pw_name, 0, tty, 0, 0); > > + cp = xmalloc(16 + 2 * strlen(pw->pw_name)); > > + i = sprintf(cp, "LOGNAME=%s%cNAME=%s%c%c", pw->pw_name, 0, > > + pw->pw_name, 0, 0); > > Doesn't sprintf add a trailing NULL to the end? Don't you need to > xmalloc(16+2*strlen(pw->pw_name)+1)? Indeed. The new string is 5 (plus strlen(tty)) characters shorter, not 6. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From leigh at solinno.co.uk Fri Jul 5 01:59:03 2002 
From: leigh at solinno.co.uk (Leigh Brown) Date: Thu, 4 Jul 2002 16:59:03 +0100 (BST) Subject: AIX and Privsep. In-Reply-To: <20020704152925.GA2046@folly> References: <3D21983D.B96EAB41@zip.com.au> <20020704071738.GA12185@ii.uib.no> <52390.193.133.92.239.1025773529.squirrel@lbbrown.homeip.net> <20020704152925.GA2046@folly> Message-ID: <52186.193.133.92.239.1025798343.squirrel@lbbrown.homeip.net> Markus Friedl wrote: > On Thu, Jul 04, 2002 at 10:05:29AM +0100, Leigh Brown wrote: >> >> - window = CHAN_SES_WINDOW_DEFAULT; >> - packetmax = CHAN_SES_PACKET_DEFAULT; >> if (tty_flag) { >> - window >>= 1; >> - packetmax >>= 1; >> + window = CHAN_TTY_WINDOW_DEFAULT; >> + packetmax = CHAN_TTY_PACKET_DEFAULT; >> + } else { >> + window = CHAN_SES_WINDOW_DEFAULT; >> + packetmax = CHAN_SES_PACKET_DEFAULT; > > that's not the right place to fix, because the bug affects > what can be written on the server side. > > i think you need sth like: > > Index: channels.c > =================================================================== RCS > file: /cvs/src/usr.bin/ssh/channels.c,v > retrieving revision 1.180 > diff -u -r1.180 channels.c > --- channels.c 4 Jul 2002 08:12:15 -0000 1.180 > +++ channels.c 4 Jul 2002 15:30:18 -0000 > @@ -1287,6 +1287,10 @@ > data = buffer_ptr(&c->output); > dlen = buffer_len(&c->output); > len = write(c->wfd, data, dlen); > +#ifdef AIX > + if (compat20 && c->isatty && dlen >= 8*1024) > + dlen = 8*1024; > +#endif > if (len < 0 && (errno == EINTR || errno == EAGAIN)) > return 1; > if (len <= 0) { I don't understand the difference, but I don't care, because your fix seems to work. Ironically, that's where I put my original "hack". I'd be grateful if you could put that workaround in, possibly with a comment like "workaround for AIX bug in 4.3.3ML03 and above". Cheers, Leigh. From markus at openbsd.org Fri Jul 5 02:02:09 2002 
From: markus at openbsd.org (Markus Friedl) Date: Thu, 4 Jul 2002 18:02:09 +0200 Subject: AIX and Privsep. In-Reply-To: <52186.193.133.92.239.1025798343.squirrel@lbbrown.homeip.net> References: <3D21983D.B96EAB41@zip.com.au> <20020704071738.GA12185@ii.uib.no> <52390.193.133.92.239.1025773529.squirrel@lbbrown.homeip.net> <20020704152925.GA2046@folly> <52186.193.133.92.239.1025798343.squirrel@lbbrown.homeip.net> Message-ID: <20020704160209.GA22422@faui02> On Thu, Jul 04, 2002 at 04:59:03PM +0100, Leigh Brown wrote: > I don't understand the difference, but I don't care, because your fix > seems to work. Ironically, that's where I put my original "hack". your patch limits the size of packets. this patch limits the amount of data written to the pty. usually the size of the packet equals the amount written to the pty, but it could be different. -m From openssh-unix-dev at progressive-comp.com Fri Jul 5 02:32:36 2002 From: openssh-unix-dev at progressive-comp.com (Hank Leininger) Date: Thu, 4 Jul 2002 12:32:36 -0400 Subject: Chroot patch (v3.4p1) Message-ID: <200207041632.g64GWaJ22869@marc2.theaimsgroup.com> On 2002-07-04, John Furman wrote: > The following is a patch I've been working on to support a "ChrootUser" > option in the sshd_config file. [snip] > --- openssh-3.4p1.vanilla/session.c Wed Jun 26 09:51:06 2002 > +++ openssh-3.4p1/session.c Wed Jul 3 16:29:01 2002 [snip] 
> @@ -1187,6 +1197,26 @@ > > if (setlogin(pw->pw_name) < 0) > error("setlogin failed: %s", strerror(errno)); > +#ifdef CHROOT > + > + if (options.num_chroot_users > 0) { > + hostname = [snip] Note that this, like every(?) other chroot patch for openssh floating around (including the one I maintain), does not work on *BSD, that is, any system which has HAVE_LOGIN_CAP defined. All the chroot patches chroot between setlogin( ... ) and setgid(); initgroups();. The problem is that that code path is #ifdef'ed out where HAVE_LOGIN_CAP is set, and the following is used instead: if (setusercontext(lc, pw, pw->pw_uid, (LOGIN_SETALL & ~LOGIN_SETPATH)) < 0) { perror("unable to set user context"); exit(1); } This was first reported to me by lumpy at musicvision.com, who tried to get chroot working on a freebsd box. I have no FreeBSD or OpenBSD systems where chrooting sshd is important, so I haven't spent much time testing a fix. I'm not sure if moving the chroot calls above the block in question, or simply replicating the chroot code inside both code paths, is appropriate. -- Hank Leininger From bugzilla-daemon at mindrot.org Fri Jul 5 02:36:14 2002 
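Review bot: the `#ifdef CHROOT` block is hooked in immediately after the setlogin() error check, inside the code path that HAVE_LOGIN_CAP platforms compile out in favour of setusercontext(); on those systems a configured ChrootUser is accepted but no chroot ever happens, which is a silent failure of a security control. Suggest doing the chroot once, at a point both code paths reach, while still root and before the final uid switch, calling chdir("/") immediately after chroot() so the working directory cannot remain outside the jail, and making sshd refuse to start (or at least log at error level) when the option is set on a build where the chroot cannot be applied.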
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 5 Jul 2002 02:36:14 +1000 (EST) Subject: [Bug 337] New: utmp/wtmp logging Message-ID: <20020704163614.793F3E8FF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=337 Summary: utmp/wtmp logging Product: Portable OpenSSH Version: 3.1p1 Platform: ix86 OS/Version: Linux Status: NEW Severity: enhancement Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: thomas at koeller.dyndns.org sshd seems to perform utmp/wtmp logging only if the remote client requests an interactive shell, and not if a command is to be executed. However, such a command may also establish an interactive connection, such as a remote X session, and it would be desirable then to be able to perform utmp/wtmp logging in this case. There should be a way to accomplish this. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri Jul 5 02:46:18 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 5 Jul 2002 02:46:18 +1000 (EST) Subject: [Bug 335] Compile PROBLEM!!!! Message-ID: <20020704164618.1885CE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=335 ------- Additional Comments From jmknoble at pobox.com 2002-07-05 02:46 ------- Why are you trying to build with --with-rand-helper on Linux? Linux has a perfectly good /dev/random and /dev/urandom, which OpenSSL will use by default. No external entropy gathering process is necessary. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From d.schroeter at gmx.de Fri Jul 5 05:16:28 2002 
From: d.schroeter at gmx.de (Daniel Schröter) Date: Thu, 04 Jul 2002 19:16:28 +0000 Subject: With bounds checking patch for gcc-3.1 problems if using AES Message-ID: <3D249F0C.90600@gmx.de> Hello developers, some information before I come to the problem: At work we're using Open-SSH 3.4p1 under Solaris 8. I compiled Open-SSH myself with gcc-3.1. The gcc has the bounds checking patch included (http://web.inter.nl.net/hcc/Haj.Ten.Brugge/bounds-checking-gcc-3.1-1.01.patch.bz2). With this patch I compiled: - prngd 0.9.25 - zlib 1.1.4 - Open-SSL 0.9.6d Everything works fine.... :-) ....if I don't use AES :-( Here is a list: aes128-cbc --> Connection closed by 127.0.0.1 3des-cbc --> Okay blowfish-cbc --> Okay cast128-cbc --> Okay arcfour --> Okay aes192-cbc --> Connection closed by 127.0.0.1 aes256-cbc --> Connection closed by 127.0.0.1 If I don't use a gcc with the bounds checking patch the problem doesn't occur. If I set: $ export GCC_BOUNDS_OPTS="-no-message -no-statistics -never-fatal" and switch off bounds checking, it also works with AES. The problem is on both sides (client and server). I give you some debugging output. I switched off the bounds checking on the client side and use 3des-cbc for encryption: [client-site] $ export GCC_BOUNDS_OPTS="-no-message -no-statistics -never-fatal" [client-site] $ ssh -vvv -c 3des-cbc localhost OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f debug1: Reading configuration data /opt/BBKEssh/etc/ssh_config debug3: Seeding PRNG from /opt/BBKEssh/libexec/ssh-rand-helper debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to localhost [::1] port 22. ssh: connect to address ::1 port 22: Network is unreachable debug1: Connecting to localhost [127.0.0.1] port 22. debug1: Connection established. 
debug1: identity file /home/test/.ssh/identity type -1 debug1: identity file /home/test/.ssh/id_rsa type -1 debug1: identity file /home/test/.ssh/id_dsa type 2 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1 debug1: match: OpenSSH_3.4p1 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.4p1 debug3: RNG is ready, skipping seeding debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: 3des-cbc debug2: kex_parse_kexinit: 3des-cbc debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: 
kex: server->client 3des-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server 3des-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 190/384 debug1: bits set: 2006/4095 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/test/.ssh/known_hosts debug3: check_host_in_hostfile: match line 5 debug1: Host 'localhost' is known and matches the RSA host key. debug1: Found key in /home/test/.ssh/known_hosts:5 debug1: bits set: 2088/4095 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. debug1: send SSH2_MSG_SERVICE_REQUEST debug1: service_accept: ssh-userauth debug1: got SSH2_MSG_SERVICE_ACCEPT debug1: authentications that can continue: publickey,password,keyboard-interactive debug3: start over, passed a different list publickey,password,keyboard-interactive debug3: preferred publickey,keyboard-interactive,password debug3: authmethod_lookup publickey debug3: remaining preferred: keyboard-interactive,password debug3: authmethod_is_enabled publickey debug1: next auth method to try is publickey debug1: try privkey: /home/test/.ssh/identity debug3: no such identity: /home/test/.ssh/identity debug1: try privkey: /home/test/.ssh/id_rsa debug3: no such identity: /home/test/.ssh/id_rsa debug1: try pubkey: /home/test/.ssh/id_dsa debug3: send_pubkey_test debug2: we sent a publickey packet, wait for reply debug1: input_userauth_pk_ok: pkalg ssh-dss blen 433 lastkey 1bad20 hint 2 debug2: input_userauth_pk_ok: fp 20:18:ad:14:34:f4:db:be:04:f3:b0:dd:19:80:26:1b debug3: sign_and_send_pubkey debug3: no such identity: /home/test/.ssh/id_dsa debug2: we did not send a packet, disable method debug3: authmethod_lookup 
keyboard-interactive debug3: remaining preferred: password debug3: authmethod_is_enabled keyboard-interactive debug1: next auth method to try is keyboard-interactive debug2: userauth_kbdint debug2: we sent a keyboard-interactive packet, wait for reply debug1: authentications that can continue: publickey,password,keyboard-interactive debug3: userauth_kbdint: disable: no info_req_seen debug2: we did not send a packet, disable method debug3: authmethod_lookup password debug3: remaining preferred: debug3: authmethod_is_enabled password debug1: next auth method to try is password ^C [server-site] # export GCC_BOUNDS_OPTS="-no-message -no-statistics" [server-site]# /opt/BBKEssh/sbin/sshd -f /opt/BBKEssh/etc/sshd_config -ddd debug3: Seeding PRNG from /opt/BBKEssh/libexec/ssh-rand-helper debug1: sshd version OpenSSH_3.4p1 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /opt/BBKEssh/etc/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug3: Not a RSA1 key file /opt/BBKEssh/etc/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: Bind to port 22 on ::. Server listening on :: port 22. debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. 
Connection from 127.0.0.1 port 33098 debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 debug1: match: OpenSSH_3.4p1 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_3.4p1 debug3: privsep user:group 101:100 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug2: Network child is on pid 3586 debug3: preauth child monitor started debug3: mm_request_receive entering debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: 3des-cbc debug2: kex_parse_kexinit: 3des-cbc debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: 
mac_init: found hmac-md5 debug1: kex: client->server 3des-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client 3des-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug3: mm_request_send entering: type 0 debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 4096 8192 debug3: mm_request_send entering: type 1 debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug1: dh_gen_key: priv key bits set: 201/384 debug1: bits set: 2088/4095 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: bits set: 2006/4095 debug3: mm_key_sign entering debug3: mm_request_send entering: type 4 debug3: monitor_read: checking request 4 debug3: mm_answer_sign debug3: mm_answer_sign: signature 1ea800(143) debug3: mm_request_send entering: type 5 debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 5 debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user test service ssh-connection method none debug1: attempt 0 failures 0 debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 6 debug3: monitor_read: checking request 6 debug3: mm_answer_pwnamallow debug3: allowed_user: today 11871 sp_expire -1 sp_lstchg 11864 sp_max -1 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 7 debug2: monitor_read: 6 used once, disabling now debug3: mm_request_receive 
entering debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 7 debug3: mm_request_receive entering debug2: input_userauth_request: setting up authctxt for test debug3: mm_inform_authserv entering debug3: mm_request_send entering: type 3 debug3: monitor_read: checking request 3 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 3 used once, disabling now debug3: mm_request_receive entering debug2: input_userauth_request: try method none debug3: mm_auth_password entering debug3: mm_request_send entering: type 10 debug3: monitor_read: checking request 10 debug3: mm_answer_authpassword: sending result 0 debug3: mm_request_send entering: type 11 Failed none for test from 127.0.0.1 port 33098 ssh2 debug3: mm_request_receive entering debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 11 debug3: mm_request_receive entering debug3: mm_auth_password: user not authenticated Failed none for test from 127.0.0.1 port 33098 ssh2 debug1: userauth-request for user test service ssh-connection method publickey debug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug3: mm_key_allowed entering debug3: mm_request_send entering: type 20 debug3: monitor_read: checking request 20 debug3: mm_answer_keyallowed entering debug3: mm_answer_keyallowed: key_from_blob: 1da260 debug1: temporarily_use_uid: 100/1 (e=0) debug1: trying public key file /home/test/.ssh/authorized_keys debug3: secure_filename: checking '/home/test/.ssh' debug3: secure_filename: checking '/home/test' debug3: secure_filename: terminating check at '/home/test' debug1: matching key found: file /home/test/.ssh/authorized_keys, line 1 Found matching DSA key: 20:18:ad:14:34:f4:db:be:04:f3:b0:dd:19:80:26:1b debug1: restore_uid debug3: mm_answer_keyallowed: key 1da260 is allowed debug3: mm_request_send 
entering: type 21 debug3: mm_request_receive entering debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED debug3: mm_request_receive_expect entering: type 21 debug3: mm_request_receive entering debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss Postponed publickey for test from 127.0.0.1 port 33098 ssh2 debug1: userauth-request for user test service ssh-connection method keyboard-interactive debug1: attempt 2 failures 1 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=test devs= debug1: kbdint_alloc: devices '' debug2: auth2_challenge_start: devices Failed keyboard-interactive for test from 127.0.0.1 port 33098 ssh2 --------------------- Now with aes-128: [client-site] $ export GCC_BOUNDS_OPTS="-no-message -no-statistics -never-fatal" [client-site] $ ssh -vvv -c aes128-cbc localhost OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f debug1: Reading configuration data /opt/BBKEssh/etc/ssh_config debug3: Seeding PRNG from /opt/BBKEssh/libexec/ssh-rand-helper debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to localhost [::1] port 22. ssh: connect to address ::1 port 22: Network is unreachable debug1: Connecting to localhost [127.0.0.1] port 22. debug1: Connection established. 
debug1: identity file /home/test/.ssh/identity type -1 debug1: identity file /home/test/.ssh/id_rsa type -1 debug1: identity file /home/test/.ssh/id_dsa type 2 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1 debug1: match: OpenSSH_3.4p1 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.4p1 debug3: RNG is ready, skipping seeding debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc debug2: kex_parse_kexinit: aes128-cbc debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 
debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 135/256 debug1: bits set: 1582/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY Connection closed by 127.0.0.1 debug1: Calling cleanup 0x6a5a8(0x0) [server-site] # export GCC_BOUNDS_OPTS="-no-message -no-statistics" [server-site]# /opt/BBKEssh/sbin/sshd -f /opt/BBKEssh/etc/sshd_config -ddd debug3: Seeding PRNG from /opt/BBKEssh/libexec/ssh-rand-helper debug1: sshd version OpenSSH_3.4p1 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /opt/BBKEssh/etc/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug3: Not a RSA1 key file /opt/BBKEssh/etc/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA debug1: Bind to port 22 on ::. Server listening on :: port 22. debug1: Bind to port 22 on 0.0.0.0. Server listening on 0.0.0.0 port 22. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. 
Connection from 127.0.0.1 port 33100 debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 debug1: match: OpenSSH_3.4p1 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_3.4p1 debug3: privsep user:group 101:100 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug2: Network child is on pid 3623 debug3: preauth child monitor started debug3: mm_request_receive entering debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc debug2: kex_parse_kexinit: aes128-cbc debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: 
mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug3: mm_request_send entering: type 0 debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 2048 8192 debug3: mm_request_send entering: type 1 debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug1: dh_gen_key: priv key bits set: 135/256 debug1: bits set: 1564/3191 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: bits set: 1582/3191 debug3: mm_key_sign entering debug3: mm_request_send entering: type 4 debug3: monitor_read: checking request 4 debug3: mm_answer_sign debug3: mm_answer_sign: signature 1ea800(143) debug3: mm_request_send entering: type 5 debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 5 debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: kex_derive_keys debug1: newkeys: mode 1 :0:Bounds error: in memcpy with 0x1a5a38 and 0x1a5a30 for 16, source and destination objects overlap. :0: Pointer value: 0x1a5a38 :0: Object `send_context': :0: Address in memory: 0x1a5a20 .. 0x1a6a9f :0: Size: 4224 bytes :0: Element size: 1 bytes :0: Number of elements: 4224 :0: Created at: packet.c, line 87 :0: Storage class: static debug1: Calling cleanup 0x82b04(0x0) ------------------- If I use aes to connect to a "normal" Open-SSH server I get the same error (only on the client side). 
One more output with bounds checking and connection to a Mandrake 8.2 System with Open-SSH 3.1p1: [client-site] $ export GCC_BOUNDS_OPTS="-no-message -no-statistics" [client-site] $ ssh -vvv -c aes128-cbc 172.23.66.44 OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f debug1: Reading configuration data /opt/BBKEssh/etc/ssh_config debug3: Seeding PRNG from /opt/BBKEssh/libexec/ssh-rand-helper debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to 172.23.66.44 [172.23.66.44] port 22. debug1: Connection established. debug1: identity file /home/test/.ssh/identity type -1 debug1: identity file /home/test/.ssh/id_rsa type -1 debug1: identity file /home/test/.ssh/id_dsa type 2 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1 debug1: match: OpenSSH_3.1p1 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.4p1 debug3: RNG is ready, skipping seeding debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc debug2: kex_parse_kexinit: aes128-cbc debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc debug2: 
kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 132/256 debug1: bits set: 1589/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/test/.ssh/known_hosts debug3: check_host_in_hostfile: match line 4 debug1: Host '172.23.66.44' is known and matches the RSA host key. debug1: Found key in /home/test/.ssh/known_hosts:4 debug1: bits set: 1597/3191 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 :0:Bounds error: in memcpy with 0x18b978 and 0x18b970 for 16, source and destination objects overlap. :0: Pointer value: 0x18b978 :0: Object `send_context': :0: Address in memory: 0x18b960 .. 0x18c9df :0: Size: 4224 bytes :0: Element size: 1 bytes :0: Number of elements: 4224 :0: Created at: packet.c, line 87 :0: Storage class: static Okay, the problem is in line 87 of the packet.c file. But it is still "Created at". So I tried to debug it. I installed GDB/DDD and read the documentation..... 
I recompiled openssh with debugging information and without optimization (the problem still exists): $ export CC=/buba/gcc/bin/gcc CFLAGS="-g -fbounds-checking -I/buba/zlib/include" SYSLIBS="-lsocket -lnsl" LDFLAGS="-fbounds-checking" $ ./configure --prefix=/opt/BBKEssh --with-zlib=/buba/zlib/lib --without-rsh --disable-suid-ssh --with-prngd-socket=/var/spool/prngd/pool --without-pam --with-ssl-dir=/opt/BBKEssh I debugged it to line monitor.c:480. If I say "next" at the line: mm_request_send(socket, MONITOR_ANS_SIGN, m); the function doesn't end :-( If I use "continue" on an earlier breakpoint I get the same bounds checking error. Can somebody help me? Is there a bug in the bounds checking patch or in Open-SSH? I'm no C or GDB expert. I'm very happy to have come to this point. Just mail if you need additional information or if I should try something out. Thanks in advance! Bye Daniel ps: I'm not subscribed. Please CC me. From mouring at etoh.eviladmin.org Fri Jul 5 03:22:59 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 4 Jul 2002 12:22:59 -0500 (CDT) Subject: AIX and Privsep. In-Reply-To: <20020704071738.GA12185@ii.uib.no> Message-ID: On Thu, 4 Jul 2002, Jan-Frode Myklebust wrote: > On Wed, Jul 03, 2002 at 06:14:31PM -0500, Ben Lindstrom wrote: > > > > Outside the patch I just sent. *IS* there any other open bugs, issues > > or problems with AIX and Privsep. Or with AIX in general? > > > > Really minor issues, but since you asked.. > > OpenSSH is not setting the environment variables AUTHSTATE or LOGIN or > the variables defined in /etc/security/environ. It doesn't handle > password expiry or the ADMCHG flag to force the users to change their > passwords. > > Do I hear you begging to submit a patch for peer review to solve these problems? Remember I don't have an AIX box near me or I'd be more than happy to fix it. The next box I'm acquiring is an SGI Indy box. - Ben From Roumen.Petrov at skalasoft.com Fri Jul 5 03:46:33 2002 
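The check behind the "source and destination objects overlap" report above, as an added C example (not code from OpenSSH, OpenSSL or the bounds-checking patch): it compares the two [ptr, ptr+len) intervals the way such a checker does, dispatches to memmove() when they overlap (memcpy() on overlapping ranges is undefined behaviour in C), and reproduces the shape of the report, a 16-byte copy whose destination lies 8 bytes past its source inside one object. Function names and the sample buffer are the example's own.

```c
#include <stddef.h>
#include <string.h>

/* Returns 1 if [a, a+n) and [b, b+n) share at least one byte, else 0.
 * Pointers are compared as byte addresses; both ranges are assumed to lie
 * in the same object, as in the checker's report (Object `send_context'). */
int ranges_overlap(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a;
    const unsigned char *pb = b;

    if (n == 0)
        return 0;
    if (pa < pb)
        return pa + n > pb;
    if (pb < pa)
        return pb + n > pa;
    return 1;                       /* identical start addresses */
}

/* Copy that is legal for overlapping ranges: memmove() when they overlap,
 * memcpy() otherwise.  *used_memmove records which call was made so a
 * caller can confirm the overlap was detected. */
void *overlap_safe_copy(void *dst, const void *src, size_t n, int *used_memmove)
{
    if (ranges_overlap(dst, src, n)) {
        *used_memmove = 1;
        return memmove(dst, src, n);
    }
    *used_memmove = 0;
    return memcpy(dst, src, n);
}

/* Constructed 32-byte buffer used to probe the report's geometry. */
static unsigned char sample[32];

/* Reproduce the reported shape: 16 bytes copied from offset 0 to offset 8
 * of the same buffer (dst = src + 8).  Bytes 8..15 are both source and
 * destination, which is exactly what memcpy() may not be given.  Returns 1
 * when the overlap is detected and the copy still yields the right bytes. */
int overlapping_shift_demo(void)
{
    unsigned char expect[32];
    int used_memmove = 0;
    size_t i;

    for (i = 0; i < sizeof(sample); i++)
        sample[i] = (unsigned char)i;       /* constructed test data */

    /* Expected result: bytes 8..23 become the old bytes 0..15. */
    memcpy(expect, sample, sizeof(expect));
    for (i = 0; i < 16; i++)
        expect[8 + i] = (unsigned char)i;

    overlap_safe_copy(sample + 8, sample, 16, &used_memmove);

    return used_memmove == 1 && memcmp(sample, expect, sizeof(sample)) == 0;
}
```

A checker that flags this is not being pedantic: plain memcpy() may copy in any order or in blocks, so on an overlapping pair it can clobber source bytes before they are read, and whether that happens on a given platform and build is luck rather than a guarantee.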
From: Roumen.Petrov at skalasoft.com (Roumen.Petrov at skalasoft.com) Date: Thu, 04 Jul 2002 20:46:33 +0300 Subject: DH keys exchanged - encoding? Message-ID: <3D2489F9.1080702@skalasoft.com> Hi Manik, OpenSSH is without support for X509 keys. On the page http://satva.skalasoft.com/~rumen/openssh/ you can find diffs which add X509 certificate support. About JCE - I don't know. From mouring at etoh.eviladmin.org Fri Jul 5 03:51:48 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 4 Jul 2002 12:51:48 -0500 (CDT) Subject: AIX usrinfo() cleanup. In-Reply-To: <20020704174507.C23842@greenie.muc.de> Message-ID: On Thu, 4 Jul 2002, Gert Doering wrote: > Hi, > > On Thu, Jul 04, 2002 at 10:41:20AM -0500, troy wrote: > > > - cp = xmalloc(22 + strlen(tty) + 2 * strlen(pw->pw_name)); > > > - i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c", pw->pw_name, 0, > > > - pw->pw_name, 0, tty, 0, 0); > > > + cp = xmalloc(16 + 2 * strlen(pw->pw_name)); > > > + i = sprintf(cp, "LOGNAME=%s%cNAME=%s%c%c", pw->pw_name, 0, > > > + pw->pw_name, 0, 0); > > > > Doesn't sprintf add a trailing NULL to the end? Don't you need to > > xmalloc(16+2*strlen(pw->pw_name)+1)? > > Indeed. The new string is 5 (plus strlen(tty)) characters shorter, not 6. > The other question that I was going to ask was why we are putting 3 \0 at the end of the string. - Ben From bugzilla-daemon at mindrot.org Fri Jul 5 04:11:55 2002 
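The buffer-size arithmetic argued over in the usrinfo() thread, as an added C example (not OpenSSH code): it builds the NUL-separated, double-NUL-terminated string with snprintf instead of sprintf, computes the byte count including the terminator that sprintf appends after the last %c, and shows directly that an allocation of 16 + 2 * strlen(name) is one byte short while 17 + 2 * strlen(name) fits. The function names are the example's own; the AIX usrinfo() call itself is not made.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed for sprintf(cp, "LOGNAME=%s%cNAME=%s%c%c", name, 0, name, 0, 0):
 * "LOGNAME=" (8) + name + NUL (1) + "NAME=" (5) + name + NUL (1) + NUL (1)
 * + the terminating NUL sprintf itself appends (1) = 17 + 2 * strlen(name). */
size_t usrinfo_bytes_needed(const char *name)
{
    return 17 + 2 * strlen(name);
}

/* Returns 1 if the formatted string (terminator included) fits in `size`
 * bytes, 0 if snprintf would have truncated it.  snprintf reports the
 * length it wanted to write, excluding the terminator, so a return value
 * >= size means the buffer was too small. */
int usrinfo_fits(const char *name, size_t size)
{
    char tmp[256];
    int n;

    if (size > sizeof(tmp))
        return 0;
    n = snprintf(tmp, size, "LOGNAME=%s%cNAME=%s%c%c", name, 0, name, 0, 0);
    return n >= 0 && (size_t)n < size;
}

/* Build the string into a heap buffer sized by usrinfo_bytes_needed().
 * On success returns the buffer and stores in *outlen the byte count
 * snprintf reported (the two entries plus the explicit NULs, without the
 * trailing terminator), which is the length a caller would pass on.
 * Returns NULL on allocation failure or truncation. */
char *build_usrinfo(const char *name, size_t *outlen)
{
    size_t need = usrinfo_bytes_needed(name);
    char *cp = malloc(need);
    int n;

    if (cp == NULL)
        return NULL;
    n = snprintf(cp, need, "LOGNAME=%s%cNAME=%s%c%c", name, 0, name, 0, 0);
    if (n < 0 || (size_t)n >= need) {
        free(cp);
        return NULL;
    }
    *outlen = (size_t)n;
    return cp;
}

/* Walk a NUL-separated block of `len` bytes and count its entries; the
 * walk stops at the empty entry that the extra NUL produces. */
int usrinfo_count_entries(const char *buf, size_t len)
{
    int count = 0;
    size_t i = 0;

    while (i < len && buf[i] != '\0') {
        count++;
        i += strlen(buf + i) + 1;   /* skip the entry and its NUL */
    }
    return count;
}

/* Convenience wrapper: build the block for `name` and return how many
 * KEY=value entries it contains (expected: 2), or -1 on failure. */
int usrinfo_entries_for(const char *name)
{
    size_t len = 0;
    char *s = build_usrinfo(name, &len);
    int count;

    if (s == NULL)
        return -1;
    count = usrinfo_count_entries(s, len);
    free(s);
    return count;
}
```

The point of usrinfo_fits() is that the arithmetic can be checked rather than trusted: with snprintf the worst case of an undercount is a truncated string and a detectable return value, whereas with sprintf it is a one-byte heap overflow.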
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Jul 2002 04:11:55 +1000 (EST)
Subject: [Bug 145] sshd fails to increment AIX login failed counter
Message-ID: <20020704181155.AD922E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=145

------- Additional Comments From mouring at eviladmin.org 2002-07-05 04:11 -------
Applied. Reopen w/ new patch if more problems are found.

From bugzilla-daemon at mindrot.org Fri Jul 5 04:12:22 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Jul 2002 04:12:22 +1000 (EST)
Subject: [Bug 145] sshd fails to increment AIX login failed counter
Message-ID: <20020704181222.53F22E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=145

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From mouring at eviladmin.org 2002-07-05 04:12 -------
Applied. Reopen w/ new patch if more problems are found.

From bugzilla-daemon at mindrot.org Fri Jul 5 04:14:38 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Jul 2002 04:14:38 +1000 (EST)
Subject: [Bug 124] Terminal hangs when data is streaming to it...
Message-ID: <20020704181438.0215DE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=124

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From mouring at eviladmin.org 2002-07-05 04:14 -------
Committed fix by Markus.

From bugzilla-daemon at mindrot.org Fri Jul 5 04:21:40 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Jul 2002 04:21:40 +1000 (EST)
Subject: [Bug 265] Build problems with 3.2.3p1 under AIX 4.3.2
Message-ID: <20020704182140.8F9D5E881@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=265

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From mouring at eviladmin.org 2002-07-05 04:21 -------
#undef it instead of changing name. Patch in tree.

From bugzilla-daemon at mindrot.org Fri Jul 5 06:00:28 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Jul 2002 06:00:28 +1000 (EST)
Subject: [Bug 332] Authentication failures after updating to 3.4.p1
Message-ID: <20020704200028.2F717E8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=332

tom at daemon.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
            Summary|Authentication failures     |Authentication failures
                   |after updating to 3.4.p1    |after updating to 3.4.p1

------- Additional Comments From tom at daemon.de 2002-07-05 06:00 -------
forgot to add MD5 support. Sorry, my failure.

From jirka at zajpt.cz Fri Jul 5 07:17:38 2002
From: jirka at zajpt.cz (Jirka Zajpt)
Date: Thu, 04 Jul 2002 23:17:38 +0200
Subject: possible bug
Message-ID: <3D24BB72.6030105@zajpt.cz>

I don't know if what I found is a real bug, but I think that it's important.

When you give a valid user at login, openssh waits something about 3 seconds after giving the password (I'm not sure if it depends on system configuration). But when you give a user which does not exist, openssh does not wait the same time. This allows detecting valid users on a target system.

Jirka Zajpt,

From mouring at etoh.eviladmin.org Fri Jul 5 07:16:49 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 4 Jul 2002 16:16:49 -0500 (CDT)
Subject: possible bug
In-Reply-To: <3D24BB72.6030105@zajpt.cz>

Platform, configuration, etc would be a useful thing.

On Thu, 4 Jul 2002, Jirka Zajpt wrote:

> I don't know if what I found is a real bug, but I think that it's important.
>
> When you give a valid user at login, openssh waits something about 3 seconds after giving the password (I'm not sure if it depends on system configuration). But when you give a user which does not exist, openssh does not wait the same time. This allows detecting valid users on a target system.
>
> Jirka Zajpt,
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From jirka at zajpt.cz Fri Jul 5 07:46:18 2002
From: jirka at zajpt.cz (Jirka Zajpt)
Date: Thu, 04 Jul 2002 23:46:18 +0200
Subject: possible bug
Message-ID: <3D24C22A.7050804@zajpt.cz>

I checked that on 5 machines, platforms were openbsd3.0 and red hat linux 7.2-7.3. And configuration was default in most cases.

Jirka Zajpt,

Ben Lindstrom wrote:

>Platform, configuration, etc would be a useful thing.
>
>On Thu, 4 Jul 2002, Jirka Zajpt wrote:
>
>>I don't know if what I found is a real bug, but I think that it's important.
>>
>>When you give a valid user at login, openssh waits something about 3 seconds after giving the password (I'm not sure if it depends on system configuration). But when you give a user which does not exist, openssh does not wait the same time. This allows detecting valid users on a target system.
>>
>>Jirka Zajpt,
>>

From gert at greenie.muc.de Fri Jul 5 07:58:01 2002
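The timing difference reported above is a classic account-enumeration signal. As an added example (not from this thread or from OpenSSH; all names, passwords and the toy hash are constructed), here is the defensive pattern in C: unknown user names are checked against a placeholder record so the password path does the same work either way.

```c
/*
 * Added example for the "possible bug" thread above, not OpenSSH code:
 * when a login names an account that does not exist, authenticate
 * against a placeholder record anyway, so the password check costs the
 * same whether or not the user exists and response time no longer
 * reveals which names are valid.  The account table, the toy iterated
 * hash and every name/password below are constructed for this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HASH_ROUNDS 20000            /* deliberately slow, like a real KDF */

struct account {
    const char *name;
    uint64_t    pwhash;
    int         real;                /* 0 for the placeholder record */
};

/* Counts hash rounds so the cost of each path can be compared. */
static unsigned long rounds_done;

/* Toy iterated FNV-1a as a stand-in for crypt()/a KDF; not for real use. */
uint64_t slow_hash(const char *s)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (int r = 0; r < HASH_ROUNDS; r++) {
        for (const char *p = s; *p != '\0'; p++) {
            h ^= (unsigned char)*p;
            h *= 0x100000001b3ULL;
        }
        h ^= (uint64_t)r;
        rounds_done++;
    }
    return h;
}

static struct account accounts[2];
static struct account placeholder;
static int initialised;

/* Constructed user database; hashes are derived at first use. */
static void init_accounts(void)
{
    if (initialised)
        return;
    accounts[0] = (struct account){ "alice", slow_hash("correct horse"), 1 };
    accounts[1] = (struct account){ "bob",   slow_hash("hunter2"), 1 };
    /* Placeholder hash of a value no client can type; real == 0 means
     * it can never authenticate even if the hash somehow matched. */
    placeholder = (struct account){ "", slow_hash("\x01placeholder"), 0 };
    initialised = 1;
    rounds_done = 0;
}

/* Never returns NULL: an unknown name yields the placeholder, so the
 * caller has no cheap "no such user" branch to take. */
const struct account *lookup_account(const char *name)
{
    init_accounts();
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return &placeholder;
}

/* 1 if name/password are valid, 0 otherwise.  The expensive hash runs on
 * every path; the result is masked with `real` rather than short-cut. */
int check_password(const char *name, const char *password)
{
    const struct account *a = lookup_account(name);
    uint64_t h = slow_hash(password);
    int matched = (h == a->pwhash);
    return matched & a->real;
}

/* Hash rounds spent by one check_password() call, for comparison. */
unsigned long rounds_for(const char *name, const char *password)
{
    init_accounts();
    unsigned long before = rounds_done;
    check_password(name, password);
    return rounds_done - before;
}

int main(void)
{
    printf("alice/correct horse -> %d\n", check_password("alice", "correct horse"));
    printf("rounds for existing user: %lu, for unknown user: %lu\n",
           rounds_for("alice", "wrong"), rounds_for("nobody", "wrong"));
    return 0;
}
```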
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 4 Jul 2002 23:58:01 +0200
Subject: AIX usrinfo() cleanup.
In-Reply-To: ; from mouring@etoh.eviladmin.org on Thu, Jul 04, 2002 at 12:51:48PM -0500
References: <20020704174507.C23842@greenie.muc.de>
Message-ID: <20020704235801.B4428@greenie.muc.de>

Hi,

On Thu, Jul 04, 2002 at 12:51:48PM -0500, Ben Lindstrom wrote:
> > > > - cp = xmalloc(22 + strlen(tty) + 2 * strlen(pw->pw_name));
> > > > - i = sprintf(cp, "LOGNAME=%s%cNAME=%s%cTTY=%s%c%c", pw->pw_name, 0,
> > > > - pw->pw_name, 0, tty, 0, 0);
> > > > + cp = xmalloc(16 + 2 * strlen(pw->pw_name));
> > > > + i = sprintf(cp, "LOGNAME=%s%cNAME=%s%c%c", pw->pw_name, 0,
> > > > + pw->pw_name, 0, 0);
> > >
> > > Doesn't sprintf add a trailing NULL to the end? Don't you need to xmalloc(16+2*strlen(pw->pw_name)+1)?
> >
> > Indeed. The new string is 5 (plus strlen(tty)) characters shorter, not 6.
>
> The other question that I was going to ask was why are we putting 3 \0 at the end of the string?

Well... my original version had the two %c%c ... ,0,0 there to make it really explicit that it's "two 0-bytes here to terminate the list of items". Of course the implicit 0-byte added by sprintf will do.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From bryanh at giraffe-data.com Fri Jul 5 09:59:49 2002
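A worked check of the byte accounting from the usrinfo() thread above, added here as an example rather than taken from any message or from OpenSSH; the function names are mine and the two-item layout follows the quoted format string.

```c
/*
 * Added example for the usrinfo() sizing thread above, not OpenSSH code.
 * AIX usrinfo() takes a list of "KEY=value" items, each NUL-terminated,
 * with an empty item (a second NUL) ending the list.  The quoted hunk
 * allocates 16 + 2*strlen(name) bytes but its format writes two explicit
 * NULs plus the one sprintf() always appends, one byte more than that.
 * Function names here are mine; the item layout follows the hunk.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes sprintf() emits for "LOGNAME=%s%cNAME=%s" followed by `nuls`
 * explicit %c zeros, counting the terminating NUL sprintf() adds. */
size_t usrinfo_bytes(const char *name, int nuls)
{
    size_t n = strlen(name);
    return strlen("LOGNAME=") + n + 1    /* first item and its NUL */
         + strlen("NAME=") + n           /* second item            */
         + (size_t)nuls                  /* explicit %c zeros      */
         + 1;                            /* sprintf()'s own NUL    */
}

/* The allocation the hunk makes for the two-item list. */
size_t usrinfo_alloc(const char *name)
{
    return 16 + 2 * strlen(name);
}

/* Build the list with one explicit NUL after the second item, so that
 * snprintf()'s terminator supplies the empty item that ends the list.
 * Returns the bytes used (NULs included), or 0 if bufsize is too small. */
size_t usrinfo_build(char *buf, size_t bufsize, const char *name)
{
    int r = snprintf(buf, bufsize, "LOGNAME=%s%cNAME=%s%c", name, 0, name, 0);
    if (r < 0 || (size_t)r + 1 > bufsize)
        return 0;                        /* output was truncated   */
    return (size_t)r + 1;
}

/* Number of items in a double-NUL-terminated list. */
int usrinfo_items(const char *list)
{
    int count = 0;
    while (*list != '\0') {
        count++;
        list += strlen(list) + 1;
    }
    return count;
}

/* Build into a buffer of exactly usrinfo_alloc() bytes and return the
 * item count, or -1 if that size did not hold the list. */
int usrinfo_roundtrip(const char *name)
{
    size_t size = usrinfo_alloc(name);
    char *buf = malloc(size);
    int items = -1;
    if (buf != NULL && usrinfo_build(buf, size, name) == size)
        items = usrinfo_items(buf);
    free(buf);
    return items;
}

int main(void)
{
    const char *name = "bob";            /* constructed user name  */
    printf("hunk allocates %zu, its format writes %zu, one explicit NUL needs %zu\n",
           usrinfo_alloc(name), usrinfo_bytes(name, 2), usrinfo_bytes(name, 1));
    printf("items rebuilt in an exact-size buffer: %d\n", usrinfo_roundtrip(name));
    return 0;
}
```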
From: bryanh at giraffe-data.com (Bryan Henderson)
Date: Thu, 04 Jul 2002 23:59:49 +0000
Subject: libcrypto requires libdl

My libcrypto does dynamic library linking (dlopen(), etc) and consequently prerequires libdl. I.e. if you link with -lcrypto, you must also specify -ldl. I don't know how unique this situation is to me, but it causes configure to fail.

The symptom is that configure complains that libcrypto does not exist (because it does a test link to test for existence of libcrypto and assumes that any failure means libcrypto does not exist).

It looks to me like configure needs to try with -ldl too.

Adding -ldl to LDFLAGS made everything work.

--
Bryan Henderson Phone 408-621-2000
San Jose, California

From bryanh at giraffe-data.com Fri Jul 5 10:13:01 2002
From: bryanh at giraffe-data.com (Bryan Henderson)
Date: Fri, 05 Jul 2002 00:13:01 +0000
Subject: Need configure parameter for SSH_PROGRAM

I am impressed by all the paths that Configure lets me set for Openssh. I don't think I've ever seen an Autoconf package give me so much flexibility.

But I found one missing. Makefile.in has SSH_PROGRAM hardcoded as @BINDIR@/ssh. It would be nice if I could specify the whole value as a Configure parameter. Being able to override it with an environment variable would be even nicer.

I don't like to build paths into binaries -- it makes them less portable. In fact, in my make file, I set SSH_PROGRAM to "ssh" (note no absolute path) just for that reason. Ssh may live in different places in different environments, but in any environment where I use these programs, PATH tells where the user wants it to be found.

--
Bryan Henderson Phone 408-621-2000
San Jose, California

From tim at multitalents.net Fri Jul 5 11:50:31 2002
From: tim at multitalents.net (Tim Rice)
Date: Thu, 4 Jul 2002 18:50:31 -0700 (PDT)
Subject: [AIX/IBMers read] Re: AIX and Privsep.
In-Reply-To: <3D23E754.4880B3B@zip.com.au>

On Thu, 4 Jul 2002, Darren Tucker wrote:

> It doesn't work on 4.2.1, because it doesn't get compiled in. Configure doesn't define WITH_AIXAUTHENTICATE because authenticate() is in libs.a which isn't linked. Setting LDFLAGS="-ls" before running configure defines WITH_AIXAUTHENTICATE and lockout works OK.
>
> The existing configure.ac works on 4.3.3; authenticate() is in libc.a too.
>
> What's the consensus?

Fix configure.ac
Does the attached patch work?

> a) Do nothing and make people using 4.2.1 set LDFLAGS themselves.
> b) Add "-ls" to LDFLAGS for AIX in configure.ac. This works on 4.[23] but I'm not sure about 5.1.
>
>

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

-------------- next part --------------
--- configure.ac.old Mon Jul 1 13:38:23 2002 +++ configure.ac Thu Jul 4 18:46:54 2002 @@ -71,7 +71,12 @@ ) LDFLAGS="$saved_LDFLAGS" fi - AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)]) + AC_CHECK_FUNC(authenticate, [AC_DEFINE(WITH_AIXAUTHENTICATE)], + [AC_CHECK_LIB(libs,authenticate, + [AC_DEFINE(WITH_AIXAUTHENTICATE) + LIBS="$LIBS -ls" + ]) + ]) AC_DEFINE(BROKEN_GETADDRINFO) AC_DEFINE(BROKEN_REALPATH) dnl AIX handles lastlog as part of its login message

From dtucker at zip.com.au Fri Jul 5 13:01:16 2002
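Review bot: the `+ [AC_CHECK_LIB(libs,authenticate,` line passes the wrong library name: AC_CHECK_LIB takes the base name and links with -l<name>, so `libs` makes the test look for liblibs, which does not exist, and the fallback can never define WITH_AIXAUTHENTICATE. It should be `AC_CHECK_LIB(s,authenticate,` to test -ls. The explicit `LIBS="$LIBS -ls"` in the action-if-found is still needed, since AC_CHECK_LIB only adds the library to LIBS by itself when no action-if-found is given.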
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 05 Jul 2002 13:01:16 +1000
Subject: [AIX/IBMers read] Re: AIX and Privsep.
Message-ID: <3D250BFC.EBEA6A69@zip.com.au>

Tim Rice wrote:
> > What's the consensus?
>
> Fix configure.ac
> Does the attached patch work?

It makes no difference. On 4.2.1 I ran "make distprep" then configure but config.h still didn't define WITH_AIXAUTHENTICATE. If it makes any difference, autoreconf is version 2.52.

config.log:
[snip]
configure:3119: checking for authenticate
configure:3156: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I/usr/local/include -L/usr/local/lib conftest.c >&5
cc1: warning: changing search order for system directory "/usr/local/include"
cc1: warning: as it has already been specified as a non-system directory
ld: 0711-317 ERROR: Undefined symbol: authenticate
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
collect2: ld returned 8 exit status
configure:3159: $? = 1
configure: failed program was:
#line 3125 "configure"
[snip]

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From tim at multitalents.net Fri Jul 5 13:38:01 2002
From: tim at multitalents.net (Tim Rice)
Date: Thu, 4 Jul 2002 20:38:01 -0700 (PDT)
Subject: [AIX/IBMers read] Re: AIX and Privsep.
In-Reply-To: <3D250BFC.EBEA6A69@zip.com.au>

On Fri, 5 Jul 2002, Darren Tucker wrote:

> Tim Rice wrote:
> > > What's the consensus?
> >
> > Fix configure.ac
> > Does the attached patch work?
>
> It makes no difference. On 4.2.1 I ran "make distprep" then configure but config.h still didn't define WITH_AIXAUTHENTICATE. If it makes any difference, autoreconf is version 2.52.

It would have helped if I hadn't made a mistake.

+ [AC_CHECK_LIB(libs,authenticate,

should be

+ [AC_CHECK_LIB(s,authenticate,

>
> config.log:
> [snip]
> configure:3119: checking for authenticate
> configure:3156: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I/usr/local/include -L/usr/local/lib conftest.c >&5
> cc1: warning: changing search order for system directory "/usr/local/include"
> cc1: warning: as it has already been specified as a non-system directory
> ld: 0711-317 ERROR: Undefined symbol: authenticate
> ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
> collect2: ld returned 8 exit status
> configure:3159: $? = 1
> configure: failed program was:
> #line 3125 "configure"
> [snip]
>
>

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From john at furman.net Fri Jul 5 13:40:50 2002
From: john at furman.net (John Furman) Date: Thu, 4 Jul 2002 20:40:50 -0700 (PDT) Subject: Chroot patch (v3.4p1) Message-ID: On Thu, 4 Jul 2002 10:08 AM, Markus Friedl wrote: > > + if(chroot(pw->pw_dir) != 0) { > > please don't chroot into $HOME but a configurable (sub)directory, > similar to the AuthorizedKeysFile option, e.g > > ChrootDir %h/public_html > > otherwise people start messing around with $HOME/.ssh/ > or $HOME/.forward, etc. > > -m Thanks! Here is the latest. It includes a ChrootDir option. diff -uNr openssh-3.4p1.vanilla/auth.c openssh-3.4p1/auth.c --- openssh-3.4p1.vanilla/auth.c Wed May 22 01:06:28 2002 +++ openssh-3.4p1/auth.c Thu Jul 4 21:47:31 2002 @@ -351,6 +351,12 @@ return expand_filename(options.authorized_keys_file2, pw); } +char * +chroot_dir(struct passwd *pw) +{ + return expand_filename(options.chroot_dir, pw); +} + /* return ok if key exists in sysfile or userfile */ HostStatus check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, diff -uNr openssh-3.4p1.vanilla/auth.h openssh-3.4p1/auth.h --- openssh-3.4p1.vanilla/auth.h Thu Jun 6 16:52:37 2002 +++ openssh-3.4p1/auth.h Thu Jul 4 21:47:31 2002 @@ -165,6 +165,7 @@ char *expand_filename(const char *, struct passwd *); char *authorized_keys_file(struct passwd *); char *authorized_keys_file2(struct passwd *); +char *chroot_dir(struct passwd *); int secure_filename(FILE *, const char *, struct passwd *, char *, size_t); diff -uNr openssh-3.4p1.vanilla/pathnames.h openssh-3.4p1/pathnames.h --- openssh-3.4p1.vanilla/pathnames.h Thu Jun 6 15:57:34 2002 +++ openssh-3.4p1/pathnames.h Thu Jul 4 22:20:42 2002 
@@ -97,6 +97,9 @@ /* backward compat for protocol v2 */ #define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2" +/* */ +#define _SSH_USER_CHROOT_DIR "chome" + /* * Per-user and system-wide ssh "rc" files. These files are executed with * /bin/sh before starting the shell or command if they exist. They will be diff -uNr openssh-3.4p1.vanilla/servconf.c openssh-3.4p1/servconf.c --- openssh-3.4p1.vanilla/servconf.c Mon Jun 24 23:22:04 2002 +++ openssh-3.4p1/servconf.c Thu Jul 4 21:47:31 2002 @@ -120,6 +120,7 @@ options->verify_reverse_mapping = -1; options->client_alive_interval = -1; options->client_alive_count_max = -1; + options->chroot_dir = NULL; options->authorized_keys_file = NULL; options->authorized_keys_file2 = NULL; @@ -252,6 +253,8 @@ } if (options->authorized_keys_file == NULL) options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; + if (options->chroot_dir == NULL) + options->chroot_dir = _SSH_USER_CHROOT_DIR; /* Turn privilege separation on by default */ if (use_privsep == -1) @@ -292,12 +295,12 @@ sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, sStrictModes, sEmptyPasswd, sKeepAlives, sUseLogin, sAllowTcpForwarding, sCompression, - sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, + sAllowUsers, sDenyUsers, sChrootUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sBanner, sVerifyReverseMapping, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, + sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sChrootDir, sUsePrivilegeSeparation, sDeprecated } ServerOpCodes; 
@@ -360,6 +363,7 @@ { "allowtcpforwarding", sAllowTcpForwarding }, { "allowusers", sAllowUsers }, { "denyusers", sDenyUsers }, + { "chrootusers", sChrootUsers }, { "allowgroups", sAllowGroups }, { "denygroups", sDenyGroups }, { "ciphers", sCiphers }, @@ -375,6 +379,7 @@ { "clientalivecountmax", sClientAliveCountMax }, { "authorizedkeysfile", sAuthorizedKeysFile }, { "authorizedkeysfile2", sAuthorizedKeysFile2 }, + { "chrootdir", sChrootDir }, { "useprivilegeseparation", sUsePrivilegeSeparation}, { NULL, sBadOption } }; @@ -779,6 +784,16 @@ } break; + case sChrootUsers: + while ((arg = strdelim(&cp)) && *arg != '\0') { + if (options->num_chroot_users >= MAX_CHROOT_USERS) + fatal( "%s line %d: too many chroot users.", + filename, linenum); + options->chroot_users[options->num_chroot_users++] = + xstrdup(arg); + } + break; + case sAllowGroups: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_groups >= MAX_ALLOW_GROUPS) @@ -893,6 +908,10 @@ &options->authorized_keys_file2; goto parse_filename; + case sChrootDir: + charptr = &options->chroot_dir; + goto parse_filename; + case sClientAliveInterval: intptr = &options->client_alive_interval; goto parse_time; diff -uNr openssh-3.4p1.vanilla/servconf.h openssh-3.4p1/servconf.h --- openssh-3.4p1.vanilla/servconf.h Thu Jun 20 21:09:47 2002 +++ openssh-3.4p1/servconf.h Thu Jul 4 21:47:31 2002 @@ -20,6 +20,7 @@ #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */ #define MAX_DENY_USERS 256 /* Max # users on deny list. */ +#define MAX_CHROOT_USERS 256 /* Max # users on chroot list. */ #define MAX_ALLOW_GROUPS 256 /* Max # groups on allow list. */ #define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */ #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */ 
@@ -104,6 +105,8 @@ char *allow_users[MAX_ALLOW_USERS]; u_int num_deny_users; char *deny_users[MAX_DENY_USERS]; + u_int num_chroot_users; + char *chroot_users[MAX_CHROOT_USERS]; u_int num_allow_groups; char *allow_groups[MAX_ALLOW_GROUPS]; u_int num_deny_groups; @@ -130,6 +133,7 @@ char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; + char *chroot_dir; int pam_authentication_via_kbd_int; } ServerOptions; diff -uNr openssh-3.4p1.vanilla/session.c openssh-3.4p1/session.c --- openssh-3.4p1.vanilla/session.c Wed Jun 26 09:51:06 2002 +++ openssh-3.4p1/session.c Thu Jul 4 22:22:03 2002 @@ -57,6 +57,8 @@ #include "canohost.h" #include "session.h" #include "monitor_wrap.h" +#include "match.h" +#include "readconf.h" #ifdef HAVE_CYGWIN #include @@ -64,6 +66,8 @@ #define is_winnt (GetVersion() < 0x80000000) #endif +#define CHROOT + /* func */ Session *session_new(void); @@ -1160,6 +1164,14 @@ do_setusercontext(struct passwd *pw) { char tty='\0'; + int i; +#ifdef CHROOT + char *new_root = "/"; + char *new_home = NULL; + char *dir = NULL; + const char *hostname = NULL; + const char *ipaddr = NULL; +#endif /* CHROOT */ #ifdef HAVE_CYGWIN if (is_winnt) { @@ -1187,6 +1199,29 @@ if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); +#ifdef CHROOT + + if (options.num_chroot_users > 0) { + for (i = 0; i < options.num_chroot_users; i++) { + hostname = get_canonical_hostname(options.verify_reverse_mapping); + ipaddr = get_remote_ipaddr(); + if (match_user(pw->pw_name, hostname, ipaddr, + options.chroot_users[i])) { + dir = chroot_dir(pw); + new_home = dir; + xfree(dir); + if(chroot(new_home) != 0) { + fatal("Couldn't chroot to user directory %s", + new_home); + } + else + pw->pw_dir = new_root; + } + } + } + + +#endif /* CHROOT */ if (setgid(pw->pw_gid) < 0) { perror("setgid"); exit(1); Regards, -- John Furman From dtucker at zip.com.au Fri Jul 5 14:25:48 2002 
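Review bot: in the session.c do_setusercontext() hunk, `dir = chroot_dir(pw); new_home = dir; xfree(dir);` frees the path string and then passes the dangling `new_home` to chroot() and to the fatal() message, a use-after-free; xfree() it after the chroot() call instead. The block also never chdir()s after chroot(), so the process keeps a current directory outside the new root until something else changes it; add `chdir("/")` (with an error check) right after a successful chroot(). Finally, a user matching more than one ChrootUsers pattern would have chroot() run again, relative to the already-changed root, because the loop does not break after the first match; break out once the chroot has been done, and hoist get_canonical_hostname()/get_remote_ipaddr() above the loop so the lookups happen once.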
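Review bot: the session.c hunks at the top of the file add `#include "readconf.h"`, which is the client-side configuration header and is not needed for `options` (session.c already gets ServerOptions via servconf.h), and an unconditional `#define CHROOT`, which makes the `#ifdef CHROOT` guards around the new code a no-op while still leaving `int i;` declared outside the guards and unused if CHROOT were ever undefined. Either make CHROOT a configure-time define or drop the guards and the extra include.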
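Review bot: the `+/* */` comment above `#define _SSH_USER_CHROOT_DIR "chome"` is empty and the name breaks the `_PATH_SSH_` prefix convention of the definitions around it. The comment should say this is the default ChrootDir and that, like AuthorizedKeysFile, a relative value is taken relative to the user's home directory through expand_filename() (see the chroot_dir() helper in the auth.c hunk). That default also deserves a caveat wherever the option is documented: a jail rooted inside a directory the user owns and can write to gives little confinement, so the recommended setting is a root-owned, non-user-writable directory, ideally checked by sshd before chroot() is called.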
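Review bot: the `{ "chrootusers", sChrootUsers },` and `{ "chrootdir", sChrootDir },` entries add two sshd_config keywords, but the patch carries no sshd_config.5 or sshd_config hunk describing them; document the ChrootUsers pattern syntax (the session.c hunk passes each entry to match_user(), so the same USER@HOST patterns as AllowUsers apply) and the ChrootDir default of "chome", so administrators know the jail lands under each user's home unless they set an absolute path.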
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 05 Jul 2002 14:25:48 +1000
Subject: [AIX/IBMers read] Re: AIX and Privsep.
Message-ID: <3D251FCC.BE6D2D64@zip.com.au>

Tim Rice wrote:
> > It makes no difference. On 4.2.1 I ran "make distprep" then configure but config.h still didn't define WITH_AIXAUTHENTICATE. If it makes any difference, autoreconf is version 2.52.
>
> It would have helped if I hadn't made a mistake.
> + [AC_CHECK_LIB(libs,authenticate,
> should be
> + [AC_CHECK_LIB(s,authenticate,

That works on 4.2.1 and 4.3.3 (defines WITH_AIXAUTHENTICATE on both).

I suspect I'll regret helping fix the account lockout, though. (Probably every time I lock myself out :-).

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From janfrode at parallab.uib.no Fri Jul 5 16:50:54 2002
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Fri, 5 Jul 2002 08:50:54 +0200
Subject: AIX and Privsep.
References: <20020704071738.GA12185@ii.uib.no>
Message-ID: <20020705065054.GA15377@ii.uib.no>

On Thu, Jul 04, 2002 at 12:22:59PM -0500, Ben Lindstrom wrote:
> >
> > Really minor issues, but since you asked..
> >
> > OpenSSH is not setting the environment variables AUTHSTATE or LOGIN or the variables defined in /etc/security/environ. It doesn't handle password expiry or the ADMCHG flag to force the users to change their passwords.
> >
> >
>
> Do I hear you begging to submit a patch for peer review to solve these problems?
>

Sure, with a little help I should be able to fix this. I'll look into it once I return from vacation (august).

-jf

From jmknoble at pobox.com Fri Jul 5 17:37:10 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Fri, 5 Jul 2002 03:37:10 -0400
Subject: libcrypto requires libdl
In-Reply-To: ; from bryanh@giraffe-data.com on Thu, Jul 04, 2002 at 11:59:49PM +0000
Message-ID: <20020705033710.F4791@zax.half.pint-stowp.cx>

Circa 2002-Jul-04 23:59:49 +0000 dixit Bryan Henderson:

: My libcrypto does dynamic library linking (dlopen(), etc) and
: consequently prerequires libdl.
[...]
: It looks to me like configure needs to try with -ldl too.
:
: Adding -ldl to LDFLAGS made everything work.

http://bugzilla.mindrot.org/show_bug.cgi?id=307

--
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

From dtucker at zip.com.au Fri Jul 5 18:06:11 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 05 Jul 2002 18:06:11 +1000
Subject: AIX and Privsep.
References: <20020704071738.GA12185@ii.uib.no> <20020705065054.GA15377@ii.uib.no>
Message-ID: <3D255373.A97612C1@zip.com.au>

> > > OpenSSH is not setting the environment variables AUTHSTATE or LOGIN or the variables defined in /etc/security/environ. It doesn't handle password expiry or the ADMCHG flag to force the users to change their passwords.

authenticate() sets AUTHSTATE as long as you call it (see earlier thread about 4.2.1, -ls and configure.ac)

$ ssh devaix43
dtucker at devaix43's password:
dtucker at devaix43> echo $AU

THSTATE
compat

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From janfrode at parallab.uib.no Fri Jul 5 18:17:23 2002
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Fri, 5 Jul 2002 10:17:23 +0200
Subject: AIX and Privsep.
In-Reply-To: <3D255373.A97612C1@zip.com.au>
References: <20020704071738.GA12185@ii.uib.no> <20020705065054.GA15377@ii.uib.no> <3D255373.A97612C1@zip.com.au>
Message-ID: <20020705081723.GA15576@ii.uib.no>

On Fri, Jul 05, 2002 at 06:06:11PM +1000, Darren Tucker wrote:
>
> authenticate() sets AUTHSTATE as long as you call it (see earlier thread about 4.2.1, -ls and configure.ac)
>
> $ ssh devaix43
> dtucker at devaix43's password:
> dtucker at devaix43> echo $AUTHSTATE
> compat

But it doesn't default to compat like it should (?) if you log in via pubkey:

% ssh tre
tre% echo $AUTHSTATE
tre%

Other AIX programs calling setpenv() will default to "compat".. Not having this set seems to have caused me some problems, so I'd like OpenSSH to set this default as well.

Preferably I'd like OpenSSH to call setpenv() to set up the full AIX environment, but I don't know if that can work since setpenv() will execute the user's shell and not limit itself to setting the environment variables.

-jf

From manik.surtani at conchango.com Fri Jul 5 18:26:35 2002
From: manik.surtani at conchango.com (Manik Surtani)
Date: Fri, 05 Jul 2002 09:26:35 +0100
Subject: DH keys exchanged - encoding?
References: <3D2489F9.1080702@skalasoft.com>
Message-ID: <3D25583B.4060404@conchango.com>

Hi, Roumen.

Great, this really is what I wanted to know. I don't need/want to patch openSSH to add x509 key support though. All JCE keys are x509 encoded, so if I want JCE keys to work with openSSH, I need to write an x509 codec for JCE.

Cheers!
Manik

Roumen.Petrov at skalasoft.com wrote:
> Hi Manik,
> OpenSSH is without support for X509 keys. On page http://satva.skalasoft.com/~rumen/openssh/ you can find diffs which add X509 certificate support.
> About JCE - I don't know.

--
Manik Surtani
Conchango 'Innovative Change in Business'
T 44 (0) 1784 221829
M 44 (0) 7786 702 706
E manik.surtani at conchango.com
http://www.conchango.com

From dtucker at zip.com.au Fri Jul 5 18:44:05 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Fri, 05 Jul 2002 18:44:05 +1000
Subject: AIX and Privsep.
References: <20020704071738.GA12185@ii.uib.no> <20020705065054.GA15377@ii.uib.no> <3D255373.A97612C1@zip.com.au> <20020705081723.GA15576@ii.uib.no>
Message-ID: <3D255C55.6FEC7775@zip.com.au>

Jan-Frode Myklebust wrote:
> But it doesn't default to compat like it should (?) if you log in via pubkey:

Gotcha. If you're going to set it for pubkey I guess the only sane thing you can use is "compat" since it's the default.

> Preferably I'd like OpenSSH to call setpenv() to set up the full AIX environment, but I don't know if that can work since setpenv() will execute the user's shell and not limit itself to setting the environment variables.

Didn't we just go down that path?
http://bugzilla.mindrot.org/show_bug.cgi?id=261

Or are we talking about replacing wherever sshd exec's the shell with setpenv()?

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From janfrode at parallab.uib.no Fri Jul 5 19:02:26 2002
From: janfrode at parallab.uib.no (Jan-Frode Myklebust)
Date: Fri, 5 Jul 2002 11:02:26 +0200
Subject: AIX and Privsep.
In-Reply-To: <3D255C55.6FEC7775@zip.com.au>
References: <20020704071738.GA12185@ii.uib.no> <20020705065054.GA15377@ii.uib.no> <3D255373.A97612C1@zip.com.au> <20020705081723.GA15576@ii.uib.no> <3D255C55.6FEC7775@zip.com.au>
Message-ID: <20020705090226.GB15648@ii.uib.no>

On Fri, Jul 05, 2002 at 06:44:05PM +1000, Darren Tucker wrote:
>
> Didn't we just go down that path?
> http://bugzilla.mindrot.org/show_bug.cgi?id=261

Yes we did, and I mistakenly used it wrong here in the start.. not realizing that setpenv() executed a shell and broke scp/sftp and other environment settings. It got called too early.

>
> Or are we talking about replacing wherever sshd exec's the shell with setpenv()?

Yes, that's what I'd prefer. i.e. use setpenv() instead of trying to reimplement it..

-jf

From provos at citi.umich.edu Fri Jul 5 19:23:38 2002
From: provos at citi.umich.edu (Niels Provos)
Date: Fri, 5 Jul 2002 05:23:38 -0400
Subject: New PAM kbd-int diff
References: <1025577068.28700.22.camel@xenon>
Message-ID: <20020705092338.GR32246@citi.citi.umich.edu>

On Thu, Jul 04, 2002 at 12:48:47AM +0200, Dag-Erling Smorgrav wrote:
> The auth2-pam-freebsd.c entirely replaces auth2-pam.c, I just used a different name to avoid merge conflicts when upgrading in the future.

The openssh code uses a 2-clause BSD license to make it as free as possible. Could you please change your license to 2-clause, too.

Thanks,
Niels.

From des at ofug.org Fri Jul 5 21:12:27 2002
From: des at ofug.org (Dag-Erling Smorgrav)
Date: 05 Jul 2002 13:12:27 +0200
Subject: New PAM kbd-int diff
In-Reply-To: <20020705092338.GR32246@citi.citi.umich.edu>
References: <1025577068.28700.22.camel@xenon> <20020705092338.GR32246@citi.citi.umich.edu>

Niels Provos writes:
> On Thu, Jul 04, 2002 at 12:48:47AM +0200, Dag-Erling Smorgrav wrote:
> > The auth2-pam-freebsd.c entirely replaces auth2-pam.c, I just used a different name to avoid merge conflicts when upgrading in the future.
> the openssh code uses a 2-clause BSD license to make it as free as possible. Could you please change your license to 2-clause, too.

No.

DES
--
Dag-Erling Smorgrav - des at ofug.org

From bugzilla-daemon at mindrot.org Fri Jul 5 21:25:59 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 5 Jul 2002 21:25:59 +1000 (EST)
Subject: [Bug 337] utmp/wtmp logging
Message-ID: <20020705112559.BF4DCE915@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=337

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From markus at openbsd.org 2002-07-05 21:25 -------
sshd should just care about its own ptys. if a fwded X application uses ptys then it should update wtmp itself.

From leigh at solinno.co.uk Fri Jul 5 23:12:06 2002
From: leigh at solinno.co.uk (Leigh Brown)
Date: Fri, 5 Jul 2002 14:12:06 +0100 (BST)
Subject: AIX hang problem again (was Re: AIX and Privsep.)
In-Reply-To: <52186.193.133.92.239.1025798343.squirrel@lbbrown.homeip.net>
References: <3D21983D.B96EAB41@zip.com.au> <20020704071738.GA12185@ii.uib.no> <52390.193.133.92.239.1025773529.squirrel@lbbrown.homeip.net> <20020704152925.GA2046@folly> <52186.193.133.92.239.1025798343.squirrel@lbbrown.homeip.net>
Message-ID: <54937.193.133.92.239.1025874726.squirrel@lbbrown.homeip.net>

Hi,

I have to say sorry. I thought I'd tested your patch correctly but I was wrong (probably I'd left my other code hanging around). Luckily, you put the test after the write instead of before, so it needs to be changed anyway :-)

It seems that c->isatty is only set if nonblock is true, which is not the case for some reason. I changed the test to use isatty(c->wfd) instead and that made it work; I hope that is acceptable.

I've attached a patch against last night's snapshot that does as I've described.

Cheers,
Leigh.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: osshaix-2.diff
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020705/3d962991/attachment.ksh

From markus at openbsd.org Fri Jul 5 23:42:14 2002
From: markus at openbsd.org (Markus Friedl) Date: Fri, 5 Jul 2002 15:42:14 +0200 Subject: AIX hang problem again (was Re: AIX and Privsep.) In-Reply-To: <54937.193.133.92.239.1025874726.squirrel@lbbrown.homeip.net> References: <3D21983D.B96EAB41@zip.com.au> <20020704071738.GA12185@ii.uib.no> <52390.193.133.92.239.1025773529.squirrel@lbbrown.homeip.net> <20020704152925.GA2046@folly> <52186.193.133.92.239.1025798343.squirrel@lbbrown.homeip.net> <54937.193.133.92.239.1025874726.squirrel@lbbrown.homeip.net> Message-ID: <20020705134214.GA3586@faui02> On Fri, Jul 05, 2002 at 02:12:06PM +0100, Leigh Brown wrote: > diff -ur openssh/channels.c openssh.local/channels.c > --- openssh/channels.c Thu Jul 4 19:11:10 2002 > +++ openssh.local/channels.c Fri Jul 5 13:58:27 2002 > @@ -1278,12 +1278,13 @@ > buffer_len(&c->output) > 0) { > data = buffer_ptr(&c->output); > dlen = buffer_len(&c->output); > - len = write(c->wfd, data, dlen); oops. > #ifdef _AIX > /* XXX: Later AIX versions can't push as much data to tty */ > - if (compat20 && c->isatty && dlen >= 8*1024) > + if (compat20 && isatty(c->wfd) && dlen > 8*1024) { do you really need to check isatty(c->wfd) ? > dlen = 8*1024; > + } > #endif > + len = write(c->wfd, data, dlen); > if (len < 0 && (errno == EINTR || errno == EAGAIN)) > return 1; > if (len <= 0) { From leigh at solinno.co.uk Sat Jul 6 00:09:25 2002 
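Review bot: the `isatty(c->wfd)` call in the `#ifdef _AIX` block costs a system call on every channel write just to decide whether to cap the chunk; the channel already carries `c->isatty`, so if that flag is not set for this channel the fix belongs where it is initialised (the earlier message says it is only set when nonblock is true), not in the write loop. Separately, the new condition `dlen > 8*1024` leaves an exactly 8 KiB write uncapped where the old `>=` capped it; harmless either way, but state which bound the AIX driver actually enforces so the next reader does not flip it back.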
From: leigh at solinno.co.uk (Leigh Brown) Date: Fri, 5 Jul 2002 15:09:25 +0100 (BST) Subject: AIX hang problem again (was Re: AIX and Privsep.) In-Reply-To: <20020705134214.GA3586@faui02> References: <3D21983D.B96EAB41@zip.com.au> <20020704071738.GA12185@ii.uib.no> <52390.193.133.92.239.1025773529.squirrel@lbbrown.homeip.net> <20020704152925.GA2046@folly> <52186.193.133.92.239.1025798343.squirrel@lbbrown.homeip.net> <54937.193.133.92.239.1025874726.squirrel@lbbrown.homeip.net> <20020705134214.GA3586@faui02> Message-ID: <43324.193.133.92.239.1025878165.squirrel@lbbrown.homeip.net> Markus Friedl wrote: > On Fri, Jul 05, 2002 at 02:12:06PM +0100, Leigh Brown wrote: >> diff -ur openssh/channels.c openssh.local/channels.c >> --- openssh/channels.c Thu Jul 4 19:11:10 2002 >> +++ openssh.local/channels.c Fri Jul 5 13:58:27 2002 [...] >> #ifdef _AIX >> /* XXX: Later AIX versions can't push as much data to tty */ >> - if (compat20 && c->isatty && dlen >= 8*1024) >> + if (compat20 && isatty(c->wfd) && dlen > 8*1024) { > > do you really need to check isatty(c->wfd) ? I have to be totally guided by you. The c->isatty did not work so I replaced it with the closest match I could find. It would work without that predicate... Cheers, Leigh. From des at ofug.org Sat Jul 6 01:25:07 2002 From: des at ofug.org (Dag-Erling Smorgrav) Date: 05 Jul 2002 17:25:07 +0200 Subject: New PAM kbd-int diff In-Reply-To: References: <1025577068.28700.22.camel@xenon> <20020704140137.GA2247@folly> Message-ID: A non-text attachment was scrubbed... Name: pam.diff Type: text/x-patch Size: 8442 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020705/1e5b907f/attachment.bin From provos at citi.umich.edu Sat Jul 6 01:33:37 2002 
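The capped-write logic from the AIX exchange above, written out as an added illustration. This is my code, not Leigh's patch and not OpenSSH's channels.c: it assumes the 8 KiB tty limit quoted in the thread, takes the is-a-tty flag as a parameter instead of reading it from a channel struct, and routes the write through a callback so that a constructed stand-in for the AIX tty driver can exercise the EAGAIN retry and partial-write paths offline.

```c
/*
 * Added example (not OpenSSH code): capped tty writes with retry handling.
 * Assumptions: TTY_WRITE_MAX is the per-write limit quoted on the list;
 * the caller knows whether fd is a tty; `wr` stands in for write(2).
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define TTY_WRITE_MAX (8 * 1024)   /* the AIX limit quoted in the thread */

typedef ssize_t (*write_fn)(int fd, const void *buf, size_t len);

/* One write attempt: >0 bytes written, 0 = retry later, -1 = hard error. */
ssize_t
channel_write_once(int fd, const char *buf, size_t dlen, int is_tty, write_fn wr)
{
    ssize_t len;

    /* Cap BEFORE the write: the first version of the patch capped dlen
     * after write() had already been called with the full length. */
    if (is_tty && dlen > TTY_WRITE_MAX)
        dlen = TTY_WRITE_MAX;
    len = wr(fd, buf, dlen);
    if (len < 0 && (errno == EINTR || errno == EAGAIN))
        return 0;               /* nothing written yet; caller retries */
    if (len <= 0)
        return -1;              /* hard error or closed descriptor */
    return len;
}

/* Drain the whole buffer; returns total bytes written or -1. */
ssize_t
channel_write_all(int fd, const char *buf, size_t dlen, int is_tty, write_fn wr)
{
    size_t done = 0;
    while (done < dlen) {
        ssize_t n = channel_write_once(fd, buf + done, dlen - done, is_tty, wr);
        if (n < 0)
            return -1;
        done += (size_t)n;
    }
    return (ssize_t)done;
}

/* Constructed test double for the tty driver described in the thread:
 * the first call reports EAGAIN, any later call longer than TTY_WRITE_MAX
 * fails with EIO, and accepted calls take only half the data so the
 * partial-write path is exercised too. */
static size_t fake_calls;
ssize_t
fake_tty_write(int fd, const void *buf, size_t len)
{
    (void)fd; (void)buf;
    if (fake_calls++ == 0) { errno = EAGAIN; return -1; }
    if (len > TTY_WRITE_MAX)   { errno = EIO;   return -1; }
    return (ssize_t)(len > 1 ? len / 2 : len);
}

/* Push `total` bytes through the fake tty; returns bytes written or -1. */
ssize_t
demo_tty_write(size_t total, int is_tty)
{
    char *buf = malloc(total);
    ssize_t n;
    if (buf == NULL)
        return -1;
    memset(buf, 'x', total);
    fake_calls = 0;
    n = channel_write_all(1, buf, total, is_tty, fake_tty_write);
    free(buf);
    return n;
}

int
main(void)
{
    printf("capped:   %zd\n", demo_tty_write(20000, 1));   /* 20000 */
    printf("uncapped: %zd\n", demo_tty_write(20000, 0));   /* -1 */
    return 0;
}
```

With the cap applied the 20000-byte buffer goes out in chunks of at most 8 KiB and the fake driver accepts all of it; without the cap the first oversized write fails, which is the hang-or-error behaviour the thread is chasing.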
From: provos at citi.umich.edu (Niels Provos)
Date: Fri, 5 Jul 2002 11:33:37 -0400
Subject: [jlevine@utcnist.colorado.edu: Privilege separation]
Message-ID: <20020705153337.GE32246@citi.citi.umich.edu>

Is this a known problem?

Niels.

----- Forwarded message from Judah Levine -----

Date: Fri, 5 Jul 2002 08:58:46 -0600 (MDT)
From: Judah Levine
To: provos at citi.umich.edu
Subject: Privilege separation

Hello,
I have just installed openssh-3.4p1 on a COMPAQ/DEC/HP Alpha running True64 UNIX v4.0F. The privilege separation option does not seem to work properly. The syslog error message suggests that the problem is that the sshd child crashes when it attempts to create an audgen record after the password has been accepted and authenticated. The program appears to work normally if I disable UsePrivilegeSeparation in the configuration file. I have looked through the various read-me and configuration files, but I don't see any way to fix this.

Judah Levine
Department of Physics and JILA
University of Colorado

----- End forwarded message -----

From mouring at etoh.eviladmin.org Sat Jul 6 01:55:21 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 5 Jul 2002 10:55:21 -0500 (CDT)
Subject: [jlevine@utcnist.colorado.edu: Privilege separation]
In-Reply-To: <20020705153337.GE32246@citi.citi.umich.edu>
Message-ID:

Yes it's a known issue. However I'm at a standstill until people get back to me on solutions. I've written a privsep patch, but there is an issue as to how SIA sessions are initialized and handled that is tripping everything up. If I had an OSF/1 box w/ SIA it would be easier to debug, but alas I have to depend on the kindness of strangers. =)

- Ben

On Fri, 5 Jul 2002, Niels Provos wrote:

> Is this a known problem?
>
> Niels.
>
> ----- Forwarded message from Judah Levine -----
>
> Date: Fri, 5 Jul 2002 08:58:46 -0600 (MDT)
> From: Judah Levine
> To: provos at citi.umich.edu
> Subject: Privilege separation
>
> Hello,
> I have just installed openssh-3.4p1 on a COMPAQ/DEC/HP Alpha running
> True64 UNIX v4.0F. The privilege separation option does not seem to
> work properly. The syslog error message suggests that the problem is
> that the sshd child crashes when it attempts to create an audgen record
> after the password has been accepted and authenticated. The program
> appears to work normally if I disable UsePrivilegeSeparation in the
> configuration file. I have looked through the various read-me and
> configuration files, but I don't see any way to fix this.
>
> Judah Levine
> Department of Physics and JILA
> University of Colorado
>
>
> ----- End forwarded message -----
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From Jeff_Newton at pmc-sierra.com Sat Jul 6 02:27:29 2002
From: Jeff_Newton at pmc-sierra.com (Jeff Newton)
Date: Fri, 05 Jul 2002 09:27:29 -0700
Subject: FallBackToRsh in 3.4p1
Message-ID: <3D25C8F1.BCD0516A@pmc-sierra.com>

Why has FallBackToRsh been deprecated in 3.4p1? I found this to be a useful feature for migrating users to SSH. I wish I could do a wholesale replacement of telnet and rsh in my environment but that is not realistic at this point. I think a better course of action would be to have the option disabled by default and force those that want it to re-enable. Heck, you could even require a configure flag to add it in at compile time. Any chance FallBackToRsh can be re-added in 3.4p2?

Cheers,
--
Jeff Newton, CISSP
Information Security Analyst
PMC-Sierra Inc.

From bugzilla-daemon at mindrot.org Sat Jul 6 04:20:48 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 6 Jul 2002 04:20:48 +1000 (EST) Subject: [Bug 338] New: X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1 Message-ID: <20020705182048.86F8EE881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=338 Summary: X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1 Product: Portable OpenSSH Version: -current Platform: Sparc URL: ftp://gandalf.cc.purdue.edu/pub/ssh/ssh-X11-bug.tgz OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: jrj at purdue.edu X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1. When a client tries to connect it reports: Xlib: connection to "localhost:20.0" refused by server Xlib: Invalid MIT-MAGIC-COOKIE-1 key Error: Can't open display: localhost:20.0 Environment is Solaris 2.6 on both sides (ssh and sshd). This worked just fine before the upgrade (with 2.9.9p2 on both sides). I have further debugged it to being related to the 3.4p1 client side. If I connect to either a 2.9.9p2 or 3.4p1 server with a 2.9.9p2 client, I can start an X11 client. If I connect to either server with a 3.4p1 client, it fails. I tried both settings for X11UseLocalhost and can see the change to the DISPLAY environment variable (so I know the X11UseLocalhost change was taking place), but it made no difference to the problem. I do not normally have a $HOME/.ssh/rc file. I tried using the example in the sshd man page, but that also had no effect. I do not have a $HOME/.ssh/environment or /etc/ssh/sshrc file. The debugging files, and build output, indicate xauth was found and is being run. As far as I recall, I only made two other changes at the time 3.4p1 was installed. One was to put "Protocol 2" in sshd_config to disable protocol version 1. 
The other was to comment out some "UseRSH" lines in my own $HOME/.ssh/config file since that no longer appears to be supported (which is very unfortunate -- but that's a different matter).

The following file:

ftp://gandalf.cc.purdue.edu/pub/ssh/ssh-X11-bug.tgz

contains copies of my config files, the build environment output, and log files from my tests.

The test involved two machines. Gandalf is an X11 workstation, i.e. it has the display. Fortress is another Solaris machine where I wanted to start a client (xclock) and have it show up on the gandalf display. So the test, from gandalf, was:

ssh fortress /usr/openwin/bin/xclock

Files named "client.*" are from the ssh side (gandalf). Files named "server.*" are from the sshd side (fortress). Files named "*ssh-2*" are using the 2.9.9p2 ssh, while those named "*ssh-3*" are using 3.4p1. Files named "*sshd-2*" are using the 2.9.9p2 sshd, while those named "*sshd-3*" are using 3.4p1. All files are with "-v -v -v" and "-d -d -d".

John R. Jackson, Technical Software Specialist, jrj at purdue.edu

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From provos at citi.umich.edu Sat Jul 6 05:33:27 2002
From: provos at citi.umich.edu (Niels Provos)
Date: Fri, 5 Jul 2002 15:33:27 -0400
Subject: New PAM kbd-int diff
In-Reply-To:
References: <1025577068.28700.22.camel@xenon> <20020705092338.GR32246@citi.citi.umich.edu>
Message-ID: <20020705193327.GP32246@citi.citi.umich.edu>

On Fri, Jul 05, 2002 at 01:12:27PM +0200, Dag-Erling Smorgrav wrote:
> Niels Provos writes:
> > the openssh code uses a 2-clause BSD license to make it as free as
> > possible. Could you please, change your license to 2-clause, too.
> No.
That is a very terse reply. Why don't you elaborate so that your motivation can be understood.

Niels.

From vinschen at redhat.com Sat Jul 6 05:39:28 2002
From: vinschen at redhat.com (Corinna Vinschen) Date: Fri, 5 Jul 2002 21:39:28 +0200 Subject: [PATCH]: Fix a bug in contrib/cygwin/ssh-host-config Message-ID: <20020705213928.W21857@cygbert.vinschen.de> Hi, the following patch fixes a wrong path in a chown command. The additional leading slash collides with accessing SMB shares using double slashes as in "//server/share" on Windows systems. Corinna Index: contrib/cygwin/ssh-host-config =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/ssh-host-config,v retrieving revision 1.6 diff -u -p -r1.6 ssh-host-config --- contrib/cygwin/ssh-host-config 3 Jul 2002 23:33:20 -0000 1.6 +++ contrib/cygwin/ssh-host-config 5 Jul 2002 19:39:06 -0000 @@ -568,7 +568,7 @@ then [ -z "${_cygwin}" ] && _cygwin="binmode ntsec tty" if cygrunsrv -I sshd -d "CYGWIN sshd" -p /usr/sbin/sshd -a -D -e "CYGWIN=${_cygwin}" then - chown system /${SYSCONFDIR}/ssh* + chown system ${SYSCONFDIR}/ssh* echo echo "The service has been installed under LocalSystem account." fi -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From alexander at newald.de Sat Jul 6 06:02:47 2002 
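Review bot: with the leading slash gone, `chown system ${SYSCONFDIR}/ssh*` depends on ${SYSCONFDIR} being set and absolute; if it is empty the glob becomes `/ssh*`, and if it is relative the chown lands under the current directory. Suggest an early `[ -n "${SYSCONFDIR}" ] || exit 1` in the script and quoting the variable, `chown system "${SYSCONFDIR}"/ssh*`, so the double-slash problem cannot come back through a value that itself ends in a slash.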
From: alexander at newald.de (Alexander Newald)
Date: Fri, 5 Jul 2002 22:02:47 +0200
Subject: Traffic accounting patch
Message-ID: <001b01c2245e$ef851fc0$6f01a8c0@teddy>

Hello,

I'd like to force openssh (latest version) to log traffic accounting information via syslog. I managed to patch openssh with a ported version of the traffic accounting patch for 2.5.1. The ported patch however is not by me. The problem is that I noticed that sftp subsystem usage is not logged when clients (the official ssh client seems to do it) do not log off but simply disconnect somehow. I managed to add some code to the source to let openssh log the data even if a client simply disconnects. My problem is that I do not find the piece of code that lets me recognize the userid/username of the user currently using the sftp-server executable.

Where can I find the routine that returns the current userid (within the sftp-server code)?

Thanks,
Alexander Newald

From des at ofug.org Sat Jul 6 06:07:47 2002
From: des at ofug.org (Dag-Erling Smorgrav)
Date: 05 Jul 2002 22:07:47 +0200
Subject: New PAM kbd-int diff
In-Reply-To: <20020705193327.GP32246@citi.citi.umich.edu>
References: <1025577068.28700.22.camel@xenon> <20020705092338.GR32246@citi.citi.umich.edu> <20020705193327.GP32246@citi.citi.umich.edu>
Message-ID:

Niels Provos writes:
> On Fri, Jul 05, 2002 at 01:12:27PM +0200, Dag-Erling Smorgrav wrote:
> > Niels Provos writes:
> > > the openssh code uses a 2-clause BSD license to make it as free as
> > > possible. Could you please, change your license to 2-clause, too.
> > No.
> That is a very terse reply. Why don't you elaborate so that your
> motivation can be understood.

I don't choose the license, my client does. And I find it extremely presumptuous of you to ask me to change it like you did. Try "would it be possible..." next time.

DES
--
Dag-Erling Smorgrav - des at ofug.org

From markus at openbsd.org Sat Jul 6 06:53:28 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 5 Jul 2002 22:53:28 +0200
Subject: New PAM kbd-int diff
In-Reply-To:
References: <1025577068.28700.22.camel@xenon> <20020705092338.GR32246@citi.citi.umich.edu> <20020705193327.GP32246@citi.citi.umich.edu>
Message-ID: <20020705205328.GB5428@faui02>

On Fri, Jul 05, 2002 at 10:07:47PM +0200, Dag-Erling Smorgrav wrote:
> Niels Provos writes:
> > On Fri, Jul 05, 2002 at 01:12:27PM +0200, Dag-Erling Smorgrav wrote:
> > > Niels Provos writes:
> > > > the openssh code uses a 2-clause BSD license to make it as free as
> > > > possible. Could you please, change your license to 2-clause, too.
> > > No.
> > That is a very terse reply. Why don't you elaborate so that your
> > motivation can be understood.
>
> I don't choose the license, my client does. And I find it extremely
> presumptuous of you to ask me to change it like you did. Try "would
> it be possible..." next time.

We removed all extra clauses from OpenSSH and got very positive feedback. We don't really want to go back, so Niels' question is very legitimate. Please stop insulting him. We cannot integrate 3-clause code.

-m

From mouring at etoh.eviladmin.org Sat Jul 6 06:52:14 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 5 Jul 2002 15:52:14 -0500 (CDT)
Subject: Traffic accounting patch
In-Reply-To: <001b01c2245e$ef851fc0$6f01a8c0@teddy>
Message-ID:

> Where can I find the routine that returns the current userid (within the
> sftp-server code) ?
>

getuid? sftp-server does run as the user. So just use normal commands to find out who you are and acquire the data that way.

- Ben

From joachim.falk at gmx.de Sat Jul 6 07:06:27 2002
From: joachim.falk at gmx.de (Joachim Falk)
Date: Fri, 05 Jul 2002 23:06:27 +0200
Subject: environment forwarding patch for 3.4p1
Message-ID: <3D260A53.8080201@gmx.de>

I have updated my environment-forwarding patch for the OpenSSH 3.4p1 release. It now works with privilege separation too.

With the applied patch it is possible to forward environment variables from the client to the server. The server will start the user shell with the forwarded environment variables merged with the standard environment provided by the sshd daemon. This will only work for security reasons if the user shell is listed in /etc/shells. The documentation is included in ssh_config(5) & sshd_config(5). See ForwardEnv and EnvApproved sections.

The patch is an implementation of the method specified in section 4.4 "Environment Variable Passing" of the IETF draft "draft-ietf-secsh-connect-15.txt" (http://www.snailbook.com/docs/connection.txt).

The patch is hosted on http://home.t-online.de/home/joachim_falk/patches/index.html.

Best regards
Joachim Falk

From provos at citi.umich.edu Sat Jul 6 08:49:54 2002
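Server-side filtering is what makes environment-variable passing safe to enable, so here is the check such a request has to pass before the value reaches the user's shell, as an added example. This is my illustration, not Joachim Falk's patch and not OpenSSH code: it assumes the approved names are a list of simple glob patterns (the message names an EnvApproved option but not its syntax), that a small set of loader and shell control variables is refused regardless of the list, and that the /etc/shells rule is applied to the user's login shell.

```c
/*
 * Added example (mine, not the patch's): accept/reject logic for a
 * forwarded environment variable. Assumptions: approved names are glob
 * patterns; LD_*, PATH, IFS and ENV are never forwardable; the login
 * shell must appear in /etc/shells-style content.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Minimal glob: '*' matches any run of characters, all else is literal. */
static int
glob_match(const char *pat, const char *s)
{
    if (*pat == '\0')
        return *s == '\0';
    if (*pat == '*') {
        for (;; s++) {
            if (glob_match(pat + 1, s)) return 1;
            if (*s == '\0') return 0;
        }
    }
    return *pat == *s && glob_match(pat + 1, s + 1);
}

/* Names must be [A-Za-z_][A-Za-z0-9_]*: no '=', no whitespace, no shell
 * metacharacters can reach the environment block through the name. */
static int
valid_env_name(const char *name)
{
    if (!(isalpha((unsigned char)*name) || *name == '_'))
        return 0;
    for (const char *p = name + 1; *p; p++)
        if (!(isalnum((unsigned char)*p) || *p == '_'))
            return 0;
    return 1;
}

/* A newline in the value would let one request smuggle a second
 * assignment into any line-oriented environment file the server writes. */
static int
valid_env_value(const char *value)
{
    return strchr(value, '\n') == NULL;
}

/* 1 = accept, 0 = reject (the server logs and ignores; the session goes on). */
int
env_request_allowed(const char *name, const char *value,
    const char *const *approved, size_t napproved)
{
    if (!valid_env_name(name) || !valid_env_value(value))
        return 0;
    /* Loader and shell control variables are never forwardable,
     * whatever the pattern list says. */
    if (strncmp(name, "LD_", 3) == 0 || strcmp(name, "PATH") == 0 ||
        strcmp(name, "IFS") == 0 || strcmp(name, "ENV") == 0)
        return 0;
    for (size_t i = 0; i < napproved; i++)
        if (glob_match(approved[i], name))
            return 1;
    return 0;
}

/* The /etc/shells rule from the message: `shells` is the file content. */
int
shell_is_listed(const char *shells, const char *shell)
{
    size_t n = strlen(shell);
    for (const char *p = shells; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len == n && memcmp(p, shell, n) == 0)
            return 1;
        if (nl == NULL) break;
        p = nl + 1;
    }
    return 0;
}

/* Constructed sample policy, not from any real sshd_config. */
const char *const approved_default[] = { "LANG", "LC_*", "TZ" };
const size_t approved_default_n = 3;

int
main(void)
{
    const char *shells = "/bin/sh\n/bin/bash\n";   /* constructed */
    printf("LC_ALL   -> %d\n", env_request_allowed("LC_ALL", "C", approved_default, approved_default_n));
    printf("LD_PRELOAD -> %d\n", env_request_allowed("LD_PRELOAD", "x", approved_default, approved_default_n));
    printf("bash listed -> %d\n", shell_is_listed(shells, "/bin/bash"));
    return 0;
}
```

Rejections are silent from the client's point of view, which matches how a server should treat unwanted channel requests: drop the request, keep the session.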
From: provos at citi.umich.edu (Niels Provos) Date: Fri, 5 Jul 2002 18:49:54 -0400 Subject: New PAM kbd-int diff In-Reply-To: References: <1025577068.28700.22.camel@xenon> <20020705092338.GR32246@citi.citi.umich.edu> <20020705193327.GP32246@citi.citi.umich.edu> Message-ID: <20020705224954.GA32407@citi.citi.umich.edu> On Fri, Jul 05, 2002 at 10:07:47PM +0200, Dag-Erling Smorgrav wrote: > I don't choose the license, my client does. And I find it extremely > presumptuous of you to ask me to change it like you did. Try "would > it be possible..." next time. I do not think that I was being "presumptuous." I do not know if you are a native speaker or not. I am not, but just to be on the same page, here is the definition that I use for pre.sump.tu.ous \pri-'z*m(p)-ch*-w*s; -'z*m(p)-sh*s, -ch*s\ aj [ME, fr. MF presumptueux, fr. LL praesumptuosus, irreg. fr. prae]sumptio : overstepping due bounds : taking liberties : OVERWEENING - pre.sump.tu.ous.ly av I said: Could you please. Which I believe is courteous enough for an email. Maybe you have an agenda that I am unaware of. However, I believe that I was polite, and all your communication with me so far has been either terse or rude. Maybe both. I asked because the OpenSSH code is two-clause, and for vendors to adapt the code a two-clause license is better. Maybe you could ask the client who is paying you to do the work, if a license change is possible. I suppose your client would like your code to be merged into OpenSSH? Regards, Niels Provos. From tim at multitalents.net Sat Jul 6 09:23:46 2002 
From: tim at multitalents.net (Tim Rice) Date: Fri, 5 Jul 2002 16:23:46 -0700 (PDT) Subject: [PATCH]: Fix a bug in contrib/cygwin/ssh-host-config In-Reply-To: <20020705213928.W21857@cygbert.vinschen.de> Message-ID: Applied. Thanks. On Fri, 5 Jul 2002, Corinna Vinschen wrote: > Hi, > > the following patch fixes a wrong path in a chown command. The > additional leading slash collides with accessing SMB shares using > double slashes as in "//server/share" on Windows systems. > > Corinna > > Index: contrib/cygwin/ssh-host-config > - chown system /${SYSCONFDIR}/ssh* > + chown system ${SYSCONFDIR}/ssh* > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From mouring at etoh.eviladmin.org Sat Jul 6 09:16:00 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 5 Jul 2002 18:16:00 -0500 (CDT)
Subject: New PAM kbd-int diff
In-Reply-To: <20020705224954.GA32407@citi.citi.umich.edu>
Message-ID:

On Fri, 5 Jul 2002, Niels Provos wrote:

> On Fri, Jul 05, 2002 at 10:07:47PM +0200, Dag-Erling Smorgrav wrote:
> > I don't choose the license, my client does. And I find it extremely
> > presumptuous of you to ask me to change it like you did. Try "would
> > it be possible..." next time.
> I do not think that I was being "presumptuous." I do not know if you
> are a native speaker or not. I am not, but just to be on the same
> page, here is the definition that I use for
>
> pre.sump.tu.ous \pri-'z*m(p)-ch*-w*s; -'z*m(p)-sh*s, -ch*s\ aj [ME, fr. MF
> presumptueux, fr. LL praesumptuosus, irreg. fr. prae]sumptio : overstepping
> due bounds : taking liberties : OVERWEENING - pre.sump.tu.ous.ly av
>
> I said: Could you please. Which I believe is courteous enough for an
> email. Maybe you have an agenda that I am unaware of. However, I
> believe that I was polite, and all your communication with me so far
> has been either terse or rude. Maybe both.
>

I suspect the issue is that 'Can' and 'Could' (even if it sounds right and the dictionary definition implies it is right) is an incorrect way to ask for permission or request. 'Will' or 'Would' is the correct way.

With that said... As a native English speaker (American, not British) I will be the first to admit that the language sucks.

- Ben

From des at ofug.org Sat Jul 6 22:18:24 2002
From: des at ofug.org (Dag-Erling Smorgrav) Date: 06 Jul 2002 14:18:24 +0200 Subject: New PAM kbd-int diff In-Reply-To: <20020705224954.GA32407@citi.citi.umich.edu> References: <1025577068.28700.22.camel@xenon> <20020705092338.GR32246@citi.citi.umich.edu> <20020705193327.GP32246@citi.citi.umich.edu> <20020705224954.GA32407@citi.citi.umich.edu> Message-ID: Niels Provos writes: > I asked because the OpenSSH code is two-clause, and for vendors to > adapt the code a two-clause license is better. Maybe you could ask the > client who is paying you to do the work, if a license change is > possible. I will inquire. DES -- Dag-Erling Smorgrav - des at ofug.org From kevin at atomicgears.com Sun Jul 7 03:11:30 2002 From: kevin at atomicgears.com (Kevin Steves) Date: Sat, 6 Jul 2002 10:11:30 -0700 Subject: AIX usrinfo() cleanup. In-Reply-To: References: <3D21983D.B96EAB41@zip.com.au> Message-ID: <20020706171130.GB1475@jenny.crlsca.adelphia.net> On Wed, Jul 03, 2002 at 06:12:52PM -0500, Ben Lindstrom wrote: > diff -u -r1.3 port-aix.c > --- openbsd-compat/port-aix.c 21 Jun 2002 00:01:19 -0000 1.3 > +++ openbsd-compat/port-aix.c 3 Jul 2002 23:21:36 -0000 > @@ -1,3 +1,25 @@ > +/* we need: Copyright (c) DATE AUTHOR. All rights reserved. > + * Redistribution and use in source and binary forms, with or without > + * modification, are permitted provided that the following conditions > + * are met: > + * 1. Redistributions of source code must retain the above copyright > + * notice, this list of conditions and the following disclaimer. > + * 2. Redistributions in binary form must reproduce the above copyright > + * notice, this list of conditions and the following disclaimer in the > + * documentation and/or other materials provided with the distribution. From bugzilla-daemon at mindrot.org Sun Jul 7 04:00:53 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 7 Jul 2002 04:00:53 +1000 (EST) Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1 Message-ID: <20020706180053.4DF88E902@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=338 ------- Additional Comments From stevesk at pobox.com 2002-07-07 04:00 ------- will look into this ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From mouring at etoh.eviladmin.org Sun Jul 7 07:00:41 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sat, 6 Jul 2002 16:00:41 -0500 (CDT) Subject: AIX usrinfo() cleanup. In-Reply-To: <20020706171130.GB1475@jenny.crlsca.adelphia.net> Message-ID: Yes I know.. I missed it when I patched it last time. I'll get to it tonight. The origin code is Gert Doering's. On Sat, 6 Jul 2002, Kevin Steves wrote: > On Wed, Jul 03, 2002 at 06:12:52PM -0500, Ben Lindstrom wrote: > > diff -u -r1.3 port-aix.c > > --- openbsd-compat/port-aix.c 21 Jun 2002 00:01:19 -0000 1.3 > > +++ openbsd-compat/port-aix.c 3 Jul 2002 23:21:36 -0000 > > @@ -1,3 +1,25 @@ > > +/* > > we need: > Copyright (c) DATE AUTHOR. All rights reserved. > > > + * Redistribution and use in source and binary forms, with or without > > + * modification, are permitted provided that the following conditions > > + * are met: > > + * 1. Redistributions of source code must retain the above copyright > > + * notice, this list of conditions and the following disclaimer. > > + * 2. Redistributions in binary form must reproduce the above copyright > > + * notice, this list of conditions and the following disclaimer in the > > + * documentation and/or other materials provided with the distribution. > From vinschen at redhat.com Sun Jul 7 20:00:37 2002 
From: vinschen at redhat.com (Corinna Vinschen) Date: Sun, 7 Jul 2002 12:00:37 +0200 Subject: [PATCH]: Some fixes in contrib/cygwin/ssh-host-config Message-ID: <20020707120037.D21857@cygbert.vinschen.de> Hi, the attached patch changes the ssh-host-config script in the following way: - Actually exit if ssh processes are still running. The "exit 1" is commented out for testing purposes and I accidentally left it this way when sending the patch to this list :-( - Create the Windows NT account "sshd" so that it's deactivated. So even if the administrator(s) for some reason allow to login w/o password, nobody can login to the sshd account. This is e. g. a problem on XP Home machines where login w/o password is *gulp* a default setting. - Create the /etc/passwd entry for "sshd" so that the shell is set to /bin/false instead of /bin/bash. Thanks, Corinna Index: contrib/cygwin/ssh-host-config =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/ssh-host-config,v retrieving revision 1.7 diff -u -p -r1.7 ssh-host-config --- contrib/cygwin/ssh-host-config 5 Jul 2002 23:22:32 -0000 1.7 +++ contrib/cygwin/ssh-host-config 7 Jul 2002 09:52:24 -0000 @@ -107,7 +107,7 @@ then echo echo "There are still ssh processes running. Please shut them down first." echo - #exit 1 + exit 1 fi # Check for ${SYSCONFDIR} directory @@ -340,7 +340,7 @@ then if request "Shall this script create a local user 'sshd' on this machine?" then dos_var_empty=`cygpath -w /var/empty` - net user sshd /add /fullname:"sshd privsep" "/HOMEDIR:$dos_var_empty" > /dev/null 2>&1 && sshd_in_sam=yes + net user sshd /add /fullname:"sshd privsep" "/homedir:$dos_var_empty" /active:no > /dev/null 2>&1 && sshd_in_sam=yes if [ "$sshd_in_sam" != "yes" ] then echo "Warning: Creating the user 'sshd' failed!" 
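Review bot: restoring `exit 1` in the first hunk is right, and it aborts before any of the account or ${SYSCONFDIR} changes further down; since the branch only prints the generic "still ssh processes running" text, consider listing the processes the check found (the matching `ps` lines) before exiting so the administrator knows what to stop.

Review bot: in the `net user sshd /add ... /active:no` hunk, the disabled state is only applied when the `/add` succeeds; if an `sshd` account already exists the command fails, the script prints "Creating the user 'sshd' failed!" and the existing account keeps whatever active state it had, possibly enabled and passwordless on the XP Home machines the description mentions. Suggest a follow-up `net user sshd /active:no` on the already-exists path, and a check that `net user` really returns non-zero on failure, since the script relies on its exit status.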
@@ -354,7 +354,7 @@ then echo " Check your ${SYSCONFDIR}/sshd_config file!" privsep_used=no else - mkpasswd -l -u sshd >> ${SYSCONFDIR}/passwd + mkpasswd -l -u sshd | sed -e 's/bash$/false/' >> ${SYSCONFDIR}/passwd fi fi else -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From bugzilla-daemon at mindrot.org Mon Jul 8 01:48:25 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 8 Jul 2002 01:48:25 +1000 (EST) Subject: [Bug 335] OpenSSL headers do not match your library Message-ID: <20020707154825.DE9D8E932@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=335 dyw at iohk.com changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|major |normal Keywords| |help-wanted OS/Version|Linux |BSDI Summary|Compile PROBLEM!!!! |OpenSSL headers do not match | |your library ------- Additional Comments From dyw at iohk.com 2002-07-08 01:48 ------- checking whether OpenSSL's headers match the library... no configure: error: Your OpenSSL headers do not match your library On BSD/OS 4.2 with OpenSSL 0.9.6d, no problem configuring and compiling 3.1p1, but both 3.3p1 and 3.4p1 ended configuration with the above error message. I checked but did not find unknown duplicate header files from previous versions of OpenSSL. Perhaps I was looking at the wrong places. Best regards David WU dyw at iohk.com ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From tim at multitalents.net Mon Jul 8 07:08:36 2002 
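Review bot: in the `mkpasswd -l -u sshd | sed -e 's/bash$/false/'` hunk, only a line ending in `bash` is rewritten, so an entry whose default shell is anything else is appended with a login shell intact, and the pipeline's status is sed's, so a failing mkpasswd appends nothing and nobody notices. Replacing the whole shell field, e.g. `sed -e 's|:[^:]*$|:/bin/false|'`, and checking that the output is non-empty before appending to ${SYSCONFDIR}/passwd covers both.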
From: tim at multitalents.net (Tim Rice) Date: Sun, 7 Jul 2002 14:08:36 -0700 (PDT) Subject: [PATCH]: Some fixes in contrib/cygwin/ssh-host-config In-Reply-To: <20020707120037.D21857@cygbert.vinschen.de> Message-ID: Applied. On Sun, 7 Jul 2002, Corinna Vinschen wrote: > Hi, > > the attached patch changes the ssh-host-config script in the following > way: > > - Actually exit if ssh processes are still running. The "exit 1" > is commented out for testing purposes and I accidentally left it > this way when sending the patch to this list :-( > > - Create the Windows NT account "sshd" so that it's deactivated. > So even if the administrator(s) for some reason allow to login > w/o password, nobody can login to the sshd account. This is > e. g. a problem on XP Home machines where login w/o password is > *gulp* a default setting. > > - Create the /etc/passwd entry for "sshd" so that the shell is set > to /bin/false instead of /bin/bash. > > > Thanks, > Corinna > [snip] -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From bugzilla-daemon at mindrot.org Mon Jul 8 10:57:32 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 8 Jul 2002 10:57:32 +1000 (EST) Subject: [Bug 336] ssh does not compile on Linux with libc5 and 2.0 kernel Message-ID: <20020708005732.5FFADE961@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=336 ------- Additional Comments From tim at multitalents.net 2002-07-08 10:57 ------- Please post the section of your config.log where it is doing the msghdr tests. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Jul 8 14:02:11 2002 
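The two account-hardening points in the ssh-host-config change above (privsep user created disabled, passwd entry with a non-login shell) are easy to regress silently, so here is a check for the resulting passwd entry plus the same shell rewrite the patch's sed performs, as an added example. This is my code, not the script's: it assumes passwd(5) line format, that the privsep home is /var/empty (the directory the patch passes to `net user`), and a short constructed list of non-login shells; the sample passwd content is constructed in the style of `mkpasswd -l` output, not real data.

```c
/*
 * Added example (mine, not from ssh-host-config): audit the privsep
 * user's passwd entry and apply the patch's `s/bash$/false/` rewrite.
 * Assumptions: passwd(5) fields; expected home is /var/empty;
 * non-login shells are the three listed below.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum {
    PRIVSEP_OK          = 0,
    PRIVSEP_MISSING     = 1 << 0,   /* no passwd entry for the user */
    PRIVSEP_LOGIN_SHELL = 1 << 1,   /* shell is interactive */
    PRIVSEP_BAD_HOME    = 1 << 2,   /* home is not the empty directory */
    PRIVSEP_UID_ZERO    = 1 << 3    /* the "unprivileged" user is root */
};

/* Shells that refuse a login; /bin/false is what the patch's sed produces. */
static int
non_login_shell(const char *shell)
{
    static const char *const ok[] = { "/bin/false", "/sbin/nologin", "/usr/sbin/nologin" };
    for (size_t i = 0; i < sizeof ok / sizeof ok[0]; i++)
        if (strcmp(shell, ok[i]) == 0)
            return 1;
    return 0;
}

/* Split one passwd(5) line into its 7 colon-separated fields. */
static int
split_fields(const char *line, size_t len, char f[7][128])
{
    int nf = 0;
    size_t start = 0, i;
    for (i = 0; i <= len && nf < 7; i++) {
        if (i == len || line[i] == ':') {
            size_t flen = i - start;
            if (flen > 127) flen = 127;
            memcpy(f[nf], line + start, flen);
            f[nf][flen] = '\0';
            nf++;
            start = i + 1;
        }
    }
    return nf;
}

/* Returns a bitmask of PRIVSEP_* findings for `user` in `passwd` content. */
int
check_privsep_entry(const char *passwd, const char *user, const char *want_home)
{
    const char *p = passwd;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char f[7][128];
        if (split_fields(p, len, f) == 7 && strcmp(f[0], user) == 0) {
            int flags = PRIVSEP_OK;
            if (!non_login_shell(f[6]))
                flags |= PRIVSEP_LOGIN_SHELL;
            if (strcmp(f[5], want_home) != 0)
                flags |= PRIVSEP_BAD_HOME;
            if (atoi(f[2]) == 0)
                flags |= PRIVSEP_UID_ZERO;
            return flags;
        }
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return PRIVSEP_MISSING;
}

/* The patch's `sed -e 's/bash$/false/'` on one line: 1 if rewritten, 0 if
 * left alone, -1 if the output buffer is too small. */
int
fix_shell(const char *in, char *out, size_t outsz)
{
    size_t n = strlen(in);
    int changed = n >= 4 && strcmp(in + n - 4, "bash") == 0;
    int w = changed ? snprintf(out, outsz, "%.*sfalse", (int)(n - 4), in)
                    : snprintf(out, outsz, "%s", in);
    return (w < 0 || (size_t)w >= outsz) ? -1 : changed;
}

/* Constructed sample in mkpasswd -l output style; not real data. */
const char *const sample_passwd =
    "Administrator:unused:500:513:U-TEDDY\\Administrator,S-1-5-21-1-2-3-500:/home/Administrator:/bin/bash\n"
    "sshd:unused:1003:513:sshd privsep,S-1-5-21-1-2-3-1003:/var/empty:/bin/bash\n";

/* Run fix_shell over the sshd line and re-check it; returns the new flags. */
int
check_after_fix(void)
{
    char one[256], fixed[256];
    const char *line = strstr(sample_passwd, "sshd:");
    const char *nl = line ? strchr(line, '\n') : NULL;
    size_t len;
    if (line == NULL || nl == NULL || (len = (size_t)(nl - line)) >= sizeof one)
        return -1;
    memcpy(one, line, len);
    one[len] = '\0';
    if (fix_shell(one, fixed, sizeof fixed) != 1)
        return -1;
    return check_privsep_entry(fixed, "sshd", "/var/empty");
}

int
main(void)
{
    printf("before: %d\n", check_privsep_entry(sample_passwd, "sshd", "/var/empty")); /* 2 */
    printf("after:  %d\n", check_after_fix());                                       /* 0 */
    return 0;
}
```

Before the rewrite the sshd entry is flagged only for its interactive shell; after it the entry is clean, which is exactly the state the patch's `mkpasswd | sed` pipeline is meant to produce.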
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 8 Jul 2002 14:02:11 +1000 (EST) Subject: [Bug 339] New: 3.4p1: UsePrivilegeSeparation breaks key fingerprint logging Message-ID: <20020708040211.523AEE961@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=339 Summary: 3.4p1: UsePrivilegeSeparation breaks key fingerprint logging Product: Portable OpenSSH Version: -current Platform: All URL: http://www.catnook.com/misc/sshd-key-fp-logging.txt OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: jos at catnook.com See URL. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From tjruwase at stanford.edu Mon Jul 8 15:41:51 2002 
From: tjruwase at stanford.edu (Olatunji Oluwabukunmi Ruwase)
Date: Sun, 7 Jul 2002 22:41:51 -0700 (PDT)
Subject: "Help with EVP_CipherInit"
Message-ID:

Hello,

I am working on a bounds checking gcc (based on Richard Jones' work) with a low enough overhead that will make it acceptable in production code. And I obtained openssh-3.2.2p1 with the view of testing the effectiveness of my code detecting the recently reported vulnerability, but my code fails with an error report of a use of memcpy with overlapping source and destination regions. I have been able to narrow it down to a call to EVP_CipherInit in cipher.c:224 (function cipher_init). I checked but couldn't find any man page of EVP_CipherInit. I will appreciate it if you can give me any info on the implementation of EVP_CipherInit such as to explain this scenario. Below is some information I hope will be useful.

Thanks
tunji

Debugging using ddd shows this error comes up the 4th time this line is executed and the arguments to cipher_init are

Breakpoint 5, cipher_init (cc=0x814ede0, cipher=0x813fc40, key=0x8189480 "?\2110\231?%\210??d?\222zv\236?6QO]", keylen=16, iv=0x8189420 "nf?^'oQo?V???????\f?W", ivlen=16, encrypt=1) at cipher.c:224

Below is the output I obtained running directly

[tjruwase at speedracer openssh-3.2.2p1]$ ./ssh tjruwase at minnow
Bounds Checking GCC v gcc-3.0-3.0 Copyright (C) 1995 Richard W.M. Jones
Bounds Checking comes with ABSOLUTELY NO WARRANTY. For details see file
`COPYING' that should have come with the source to this program.
Bounds Checking is free software, and you are welcome to redistribute it
under certain conditions. See the file `COPYING' for details.
For more information, set GCC_BOUNDS_OPTS to `-help'
:0:Bounds error: in memcpy with 0x814edf8 and 0x814edf0 for 16, source and destination objects overlap.
:0:  Pointer value: 0x814edf8
:0:  Object `send_context':
:0:    Address in memory: 0x814ede0 ..
0x814fe5f :0: Size: 4224 bytes :0: Element size: 1 bytes :0: Number of elements: 4224 :0: Created at: packet.c, line 86 :0: Storage class: static Abort (core dumped) [tjruwase at speedracer openssh-3.2.2p1]$ From pekkas at netcore.fi Mon Jul 8 17:18:20 2002 From: pekkas at netcore.fi (Pekka Savola) Date: Mon, 8 Jul 2002 10:18:20 +0300 (EEST) Subject: [Bug 44] Can't pass KRB4 TGT on RH7.2 due to glibc mkstemp In-Reply-To: <20020704151114.3BBE7E881@shitei.mindrot.org> Message-ID: Wouldn't a proper approach be to fix the KRB4 TGT code? On Fri, 5 Jul 2002 bugzilla-daemon at mindrot.org wrote: > http://bugzilla.mindrot.org/show_bug.cgi?id=44 > > > > > > ------- Additional Comments From jan.iven at cern.ch 2002-07-05 01:11 ------- > Update: I have reported this to the glibc people, who say that they will not > modify their mkstemp(). > (http://bugs.gnu.org/cgi-bin/gnatsweb.pl?debug=&database=default&cmd=view+audit-trail&cmd=view&pr=3573) > > Attached is a patch to configure{ac,in} to detect this and force using the > bsd_compat functions. > > > > ------- You are receiving this mail because: ------- > You are the assignee for the bug, or are watching the assignee. > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Pekka Savola "Tell me of difficulties surmounted, Netcore Oy not those you stumble over and fall" Systems. Networks. Security. -- Robert Jordan: A Crown of Swords From jan.iven at cern.ch Mon Jul 8 18:04:12 2002 
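The bounds checker's complaint above is about a 16-byte memcpy whose two regions, at 0x814edf0 and 0x814edf8, overlap by 8 bytes inside the `send_context` object. What the report does not show is the arithmetic behind that verdict or what a correct copy of such regions looks like, so here is both, as an added example of mine (not OpenSSH's cipher.c and not OpenSSL's EVP_CipherInit). It assumes nothing about the real context layout; it reproduces only the addresses and length from the report on a constructed 64-byte buffer.

```c
/*
 * Added example (mine): overlap test for a memcpy-style copy and the
 * memmove-based copy that is defined when regions overlap.
 * The addresses in the tests are the ones quoted in the bounds report;
 * the 64-byte buffer is constructed, not the real send_context.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes shared by [a, a+n) and [b, b+n); 0 if disjoint. */
size_t
overlap_of_addresses(uintptr_t a, uintptr_t b, size_t n)
{
    uintptr_t lo = a > b ? a : b;
    uintptr_t hi = (a + n) < (b + n) ? (a + n) : (b + n);
    return hi > lo ? (size_t)(hi - lo) : 0;
}

size_t
overlap_bytes(const void *dst, const void *src, size_t n)
{
    return overlap_of_addresses((uintptr_t)dst, (uintptr_t)src, n);
}

/* Copy that is well defined even when the regions overlap. Returns 1 if
 * they did overlap, i.e. a plain memcpy here would have been undefined
 * behaviour (which is exactly what the bounds checker flagged). */
int
copy_checked(void *dst, const void *src, size_t n)
{
    int overlapped = overlap_bytes(dst, src, n) > 0;
    if (overlapped)
        memmove(dst, src, n);
    else
        memcpy(dst, src, n);
    return overlapped;
}

/* Reproduce the report's geometry on a scratch buffer: a 16-byte copy
 * from offset 0x18 to offset 0x10 (the same 8-byte distance as
 * 0x814edf8 vs 0x814edf0). Returns the overlap size, or (size_t)-1 if
 * the overlap-safe copy produced the wrong bytes. */
size_t
demo_report_geometry(void)
{
    unsigned char ctx[64];
    size_t ov;
    int i;

    for (i = 0; i < 64; i++)
        ctx[i] = (unsigned char)i;
    ov = overlap_bytes(ctx + 0x10, ctx + 0x18, 16);
    copy_checked(ctx + 0x10, ctx + 0x18, 16);
    /* After a correct copy, ctx[0x10 + i] == 0x18 + i for i in 0..15. */
    for (i = 0; i < 16; i++)
        if (ctx[0x10 + i] != (unsigned char)(0x18 + i))
            return (size_t)-1;
    return ov;
}

int
main(void)
{
    printf("overlap in report: %zu bytes\n",
        overlap_of_addresses(0x814edf0, 0x814edf8, 16));   /* 8 */
    printf("overlap on scratch buffer: %zu bytes\n", demo_report_geometry());
    return 0;
}
```

Whether the overlapping copy in OpenSSL's EVP code is harmful on a given platform depends on the libc's memcpy; the checker is right that the C standard gives no guarantee, and memmove is the call whose result is defined for such regions.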
From: jan.iven at cern.ch (Jan IVEN) Date: 08 Jul 2002 10:04:12 +0200 Subject: [Bug 44] Can't pass KRB4 TGT on RH7.2 due to glibc mkstemp In-Reply-To: References: Message-ID: >>>>> "PS" == Pekka Savola writes: PS> Wouldn't a proper approach be to fix the KRB4 TGT code? Frankly, I like the current filenames. Bloating them with XXXXXX is of course an option. Would you advocate that we do this for all platforms, or just the overly strict glibc [in which case we could need the configure patch]? Regards Jan From bugzilla-daemon at mindrot.org Mon Jul 8 19:46:08 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 8 Jul 2002 19:46:08 +1000 (EST) Subject: [Bug 340] New: Segmentation Fault Message-ID: <20020708094608.0F6F1E961@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=340 Summary: Segmentation Fault Product: Portable OpenSSH Version: 3.1p1 Platform: ix86 OS/Version: Solaris Status: NEW Severity: normal Priority: P1 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: malkema at vsrt.nl I used the manual from http://www.sunfreeware.com/opensshdoc.html to install openssh on my 5.8 solaris X86 system. zlib, prngd, egd, perl, openssl installed & working. When I try to generate a key I get a Segmentation fault. This is what I get when I run ssh-keygen in GDB: Program received signal SIGSEGV, Segmentation fault. 0xdfae9deb in ?? () (gdb) backtrace #0 0xdfae9deb in ?? () #1 0xdfaf3673 in ?? () #2 0xdfae31ca in ?? () #3 0x8047cc4 in ?? () Cannot access memory at address 0x2 Maybe someone can help me a step further... :-) Mark Alkema ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Mon Jul 8 21:12:00 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 8 Jul 2002 21:12:00 +1000 (EST) Subject: [Bug 340] Segmentation Fault Message-ID: <20020708111200.B0DEAE976@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=340 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|Segmentation Fault |Segmentation Fault ------- Additional Comments From dtucker at zip.com.au 2002-07-08 21:11 ------- Correct me if I'm wrong but I get the impression you downloaded sunfreeware's binary packages? If so then you should really contact them for help or to report bugs. They're the only ones who know how the packages were configured and compiled. That said, my gut feel is that this is an OpenSSL library version issue (ie you got 0.9.6c and your binaries are linked against 0.9.6d or vice versa). Both versions have the same library version identifier (0.9.6) but are *NOT* binary compatible. The OpenSSL docs recommend against dynamically linking like that, I might add. Also, 3.1p1 has a known vulnerability. Since 3.4p1 appears to be available for your platform I suggest you use that instead. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From andrew at andrew.triumf.ca Tue Jul 9 00:34:42 2002 
From: andrew at andrew.triumf.ca (Andrew Daviel) Date: Mon, 8 Jul 2002 07:34:42 -0700 (PDT) Subject: PATH problem in Irix. Message-ID: I recently compiled openssh 3.4p1 for SGI Irix, and found the same problem I'd had with 2.5. Viz. that Irix /usr/include/paths.h defines _PATH_USERPATH, not USER_PATH, so that defines.h doesn't find it and we get the default, which is missing /usr/bsd (which on Irix has things like head, more, lpr) and /usr/bin/X11. This annoys the users, who want X11 to work. I added a test to defines.h, as follows: --- openssh-3.4p1/defines.h Mon Jun 24 09:26:49 2002 +++ defines.h Sun Jul 7 00:33:08 2002 @@ -296,6 +296,14 @@ # define _PATH_STDPATH USER_PATH #endif +#ifdef _PATH_USERPATH +# ifdef _PATH_STDPATH +# undef _PATH_STDPATH +# endif +# define _PATH_STDPATH _PATH_USERPATH +#endif + + #ifndef _PATH_STDPATH # define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" #endif There's also a _PATH_ROOTPATH defined for root defaults, but I didn't try to implement that for root login. -- Andrew Daviel, TRIUMF, Canada Tel. +1 (604) 222-7376 security at triumf.ca From bugzilla-daemon at mindrot.org Tue Jul 9 00:53:50 2002 
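Review bot: The new defines.h block unconditionally #undefs and replaces _PATH_STDPATH whenever _PATH_USERPATH exists, which also throws away the value just set by `# define _PATH_STDPATH USER_PATH` two lines above it on any platform whose paths.h happens to define both macros; nesting `# ifdef _PATH_USERPATH` inside the existing `#ifndef _PATH_STDPATH` fallback would keep the configure-derived path authoritative and still cover Irix. The two extra blank `+` lines after the new `#endif` are surplus.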
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 9 Jul 2002 00:53:50 +1000 (EST) Subject: [Bug 341] New: Return Code unpredictable Message-ID: <20020708145350.4BEFAE980@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=341 Summary: Return Code unpredictable Product: Portable OpenSSH Version: -current Platform: Other OS/Version: AIX Status: NEW Severity: normal Priority: P3 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: norbert.weuster at mgi.de hello, I try to use ssh in a script (ttt.ksh) like this: #!/bin/ksh ssh date echo $? if I start ttt.ksh, it will always work and return 0. if I start ttt.ksh without a tty, e.g. "echo ttt.ksh|at now", it will always work, but the return code will be unpredictable 255 or 0. any hints or solutions? best regards Norbert Weuster ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From tim at multitalents.net Tue Jul 9 01:46:49 2002 From: tim at multitalents.net (Tim Rice) Date: Mon, 8 Jul 2002 08:46:49 -0700 (PDT) Subject: PATH problem in Irix. In-Reply-To: Message-ID: On Mon, 8 Jul 2002, Andrew Daviel wrote: > > I recently compiled openssh 3.4p1 for SGI Irix, and found the same problem > I'd had with 2.5. > > Viz. that Irix /usr/include/paths.h defines _PATH_USERPATH, not USER_PATH, > so that defines.h doesn't find it and we get the default, which is missing > /usr/bsd (which on Irix has things like head, more, lpr) and /usr/bin/X11. > This annoys the users, who want X11 to work. > This may be a better solution. Please test. If you don't have autoconf 2.52, e-mail me for configure ---------------< cut >---------------- --- configure.ac.old Sun Jul 7 13:43:36 2002 +++ configure.ac Mon Jul 8 08:42:26 2002 
@@ -2002,7 +2002,11 @@ # include #endif #ifndef _PATH_STDPATH -# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +# ifdef _PATH_USERPATH /* Irix */ +# define _PATH_STDPATH _PATH_USERPATH +# else +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" +# endif #endif #include #include ---------------< end cut >---------------- > > I added a test to defines.h, as follows: > > --- openssh-3.4p1/defines.h Mon Jun 24 09:26:49 2002 > +++ defines.h Sun Jul 7 00:33:08 2002 > @@ -296,6 +296,14 @@ > # define _PATH_STDPATH USER_PATH > #endif > > +#ifdef _PATH_USERPATH > +# ifdef _PATH_STDPATH > +# undef _PATH_STDPATH > +# endif > +# define _PATH_STDPATH _PATH_USERPATH > +#endif > + > + > #ifndef _PATH_STDPATH > # define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" > #endif > > > There's also a _PATH_ROOTPATH defined for root defaults, but I didn't try > to implement that for root login. > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From bugzilla-daemon at mindrot.org Tue Jul 9 03:22:58 2002 
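Review bot: Keeping the Irix fallback inside `#ifndef _PATH_STDPATH` is the safer ordering, since it never overrides a _PATH_STDPATH the system already provides; the `/* Irix */` comment should say why, e.g. `/* Irix paths.h defines _PATH_USERPATH instead of _PATH_STDPATH */`, because the reason otherwise lives only in this thread. Note that this hunk changes only configure's probe program, so it helps only if the probe's result is what ends up in USER_PATH, which defines.h then consumes (see the quoted defines.h hunk); that is worth stating in the commit message.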
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 9 Jul 2002 03:22:58 +1000 (EST) Subject: [Bug 342] New: RhostsRSAAuthentication does not work with 3.4p1 Message-ID: <20020708172258.625D7E979@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=342 Summary: RhostsRSAAuthentication does not work with 3.4p1 Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: hinsen at cnrs-orleans.fr After upgrading our machines (all running RedHat Linux 7.1) to OpenSSH 3.4p1, connections using RhostsRSAAuthentication seem to be impossible. ssh does not even try this mode of authentication, even when it is the only one enabled in the configuration file. This is my ssh_config: Host * ForwardX11 yes Protocol 1,2 RhostsAuthentication no RhostsRSAAuthentication yes HostbasedAuthentication yes RSAAuthentication no PasswordAuthentication no And this is my sshd_config: IgnoreUserKnownHosts yes X11Forwarding yes RhostsAuthentication no RhostsRSAAuthentication yes HostbasedAuthentication no RSAAuthentication yes PasswordAuthentication yes PermitEmptyPasswords no ChallengeResponseAuthentication no Subsystem sftp /usr/libexec/openssh/sftp-server Finally, the protocol of running "ssh -v chinon" (chinon being the name of a computer) between two machines with identical ssh configurations and which are in each other's "known hosts" list: OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f debug1: Reading configuration data /etc/ssh/ssh_config debug1: Applying options for * debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to chinon [163.9.6.107] port 22. debug1: Connection established. 
debug1: identity file /users1/hinsen/.ssh/identity type 0 debug1: identity file /users1/hinsen/.ssh/id_rsa type -1 debug1: identity file /users1/hinsen/.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1 debug1: match: OpenSSH_3.4p1 pat OpenSSH* debug1: Local version string SSH-1.5-OpenSSH_3.4p1 debug1: Waiting for server public key. debug1: Received server public key (768 bits) and host key (1024 bits). debug1: Host 'chinon' is known and matches the RSA1 host key. debug1: Found key in /etc/ssh/ssh_known_hosts:3 debug1: Encryption type: 3des debug1: Sent encrypted session key. debug1: cipher_init: set keylen (16 -> 32) debug1: cipher_init: set keylen (16 -> 32) debug1: Installing crc compensation attack detector. debug1: Received encrypted confirmation. Permission denied. debug1: Calling cleanup 0x80651d0(0x0) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Jul 9 04:08:27 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 9 Jul 2002 04:08:27 +1000 (EST) Subject: [Bug 343] New: Only try connect to first address when creating tunnel Message-ID: <20020708180827.A4876E986@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=343 Summary: Only try connect to first address when creating tunnel Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: stig at venaas.com In connect_to() in channels.c there is a loop trying to connect to each address returned by getaddrinfo() until connect() is successful or EINPROGRESS is returned. The socket is non-blocking so unless something immediately fails, EINPROGRESS is returned and we happily leave the loop. Then when we later attempt to write to the socket, we realize that we're not connected. No route to host, connection refused etc. I would like sshd to try another address if possible when this happens. Or in other words, loop through all candidates until we are absolutely positive we have established a connection. I think this can be done by selecting the socket for writing without actually writing anything. I'm happy to elaborate why this is a real life problem if necessary. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Jul 9 05:29:53 2002 
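The confirmation step Stig asks for (select the socket for writing, read the deferred connect() result from SO_ERROR, and only then leave the address loop) as an added example in C; this is not OpenSSH's connect_to(), and connect_any(), the loopback test listener and the 2-second timeout are constructed for the demonstration.

```c
/* Added example (not OpenSSH code): try every getaddrinfo() candidate with a
 * non-blocking connect() and accept one only once select()+SO_ERROR confirm it. */
#include <sys/socket.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* After connect() returned EINPROGRESS: wait until the socket is writable,
 * then fetch the deferred result. Returns 0 when connected, else an errno. */
static int wait_connected(int fd, int timeout_ms)
{
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    fd_set wfds;
    int err = 0, n;
    socklen_t len = sizeof(err);
    FD_ZERO(&wfds);
    FD_SET(fd, &wfds);
    n = select(fd + 1, NULL, &wfds, NULL, &tv);
    if (n <= 0)
        return n == 0 ? ETIMEDOUT : errno;
    /* Writable only says the handshake ended; SO_ERROR says how (0, or e.g. ECONNREFUSED). */
    if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0)
        return errno;
    return err;
}

/* Try each candidate address until one is really connected. Returns the
 * connected (still non-blocking) socket, or -1 with errno set to the last failure. */
int connect_any(const char *host, const char *port, int timeout_ms)
{
    struct addrinfo hints, *res, *ai;
    int fd = -1, last_err = ECONNREFUSED;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0) {
        errno = EHOSTUNREACH; /* gai errors are not errnos; use a stand-in */
        return -1;
    }
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        fd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
        if (fd < 0) { last_err = errno; continue; }
        fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);
        if (connect(fd, ai->ai_addr, ai->ai_addrlen) == 0)
            break; /* completed synchronously (common on loopback) */
        /* EINPROGRESS is not success yet: confirm before leaving the loop. */
        last_err = (errno == EINPROGRESS) ? wait_connected(fd, timeout_ms) : errno;
        if (last_err == 0)
            break;
        close(fd); /* this address failed: fall through to the next candidate */
        fd = -1;
    }
    freeaddrinfo(res);
    if (fd < 0)
        errno = last_err;
    return fd;
}

/* Constructed test peer: a listener on an ephemeral loopback port. Returns the
 * listening fd and stores the chosen port in *port. */
int start_loopback_listener(unsigned short *port)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0)
        return -1;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0; /* let the kernel pick a free port */
    if (bind(lfd, (struct sockaddr *)&sin, sizeof(sin)) < 0 || listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&sin, &len) < 0) {
        close(lfd);
        return -1;
    }
    *port = ntohs(sin.sin_port);
    return lfd;
}

int main(void)
{
    unsigned short port;
    char portstr[8];
    int lfd = start_loopback_listener(&port), fd;
    if (lfd < 0) { perror("listener"); return 1; }
    snprintf(portstr, sizeof(portstr), "%u", port);
    fd = connect_any("127.0.0.1", portstr, 2000);
    printf("connect_any: %s\n", fd >= 0 ? "connected" : strerror(errno));
    return fd >= 0 ? 0 : 1;
}
```

With the listener closed again, the same call returns -1 with ECONNREFUSED instead of a socket that only looks connected.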
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 9 Jul 2002 05:29:53 +1000 (EST) Subject: [Bug 344] New: syntax error in bsd-misc.c / utimes() Message-ID: <20020708192953.CB30CE986@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=344 Summary: syntax error in bsd-misc.c / utimes() Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: other Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: gert at greenie.muc.de bsd-misc.c needs the following patch to compile on SCO 3.2v4.2 (which has no utimes()). I did not test this, just tried to adapt the code to what the utimes() man page on FreeBSD says it should do. Someone needs more coffee here :-) -------- snip -------- --- bsd-misc.c 3 Jul 2002 23:50:00 -0000 1.9 +++ bsd-misc.c 8 Jul 2002 19:30:26 -0000 @@ -93,8 +93,8 @@ { struct utimbuf ub; - ub.actime = tvp[0]->tv_sec; - ub.modtime = tvp[1]->tv_usec; + ub.actime = tvp[0].tv_sec; + ub.modtime = tvp[1].tv_sec; return(utime(filename, &ub)); } ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Jul 9 05:35:26 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 9 Jul 2002 05:35:26 +1000 (EST) Subject: [Bug 344] syntax error in bsd-misc.c / utimes() Message-ID: <20020708193526.74989E979@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=344 ------- Additional Comments From mouring at eviladmin.org 2002-07-09 05:35 ------- Tim and I are talking about this. I need to fix my version that I committed of this to current. This breaks UnixWare since UnixWare does not seem to handle it right for some odd reason. - Ben ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Jul 9 05:40:35 2002 
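Review bot: The hunk fixes both defects (the `->` applied to an array element of struct timeval, and tv_usec feeding modtime), but the compat utimes() still dereferences tvp unconditionally; utimes(2) permits a NULL times pointer meaning "set to the current time", and utime(3) accepts NULL for the same purpose, so add `if (tvp == NULL) return (utime(filename, NULL));` before filling ub. A one-line comment that struct utimbuf has whole-second resolution, so the tv_usec fields are dropped on purpose, would spare the next reader the same double-take.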
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 9 Jul 2002 05:40:35 +1000 (EST) Subject: [Bug 345] New: w (uptime) command still indicates user is logged in after logout Message-ID: <20020708194035.BB4E9E95C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=345 Summary: w (uptime) command still indicates user is logged in after logout Product: Portable OpenSSH Version: -current Platform: HPPA OS/Version: HP-UX Status: NEW Severity: minor Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: dave.anglin at nrc.ca The build system is hppa1.1-hp-hpux10.20 and openssh is version 3.4p1. The w (uptime) command indicates a user is still logged in after logout. The problem wasn't present in 3.1p1 even though writing to utmp is disabled. Other commands such as who and last generate correct results. /dev/pts/* appear to be correctly released. Looking at config.h, I noticed that writing to utmp was disabled: /* Define if you don't want to use utmp */ #define DISABLE_UTMP 1 Commenting this out and rebuilding fixed the problem. Disabling writing to wtmp seems to be the default (ie, I didn't disable it when running configure). ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Jul 9 06:15:29 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 9 Jul 2002 06:15:29 +1000 (EST) Subject: [Bug 346] New: ssh fails with -C flag when connecting to a compression disabled server Message-ID: <20020708201529.E356EE948@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=346 Summary: ssh fails with -C flag when connecting to a compression disabled server Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: wallp at earthlink.net If using ssh or scp with the following flags -C the process will die with "no matching comp found: client zlib server none" if the server has Compression disabled. The output with -v is as follows. OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f debug1: Reading configuration data /usr/local/etc/ssh_config debug1: Applying options for * debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to wildcard [10.0.1.2] port 22. debug1: Connection established. debug1: identity file /root/.ssh/identity type 0 debug1: identity file /root/.ssh/id_rsa type 1 debug1: identity file /root/.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1 debug1: match: OpenSSH_3.4p1 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.4p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received no matching comp found: client zlib server none debug1: Calling cleanup 0x80643e4(0x0) Some older systems, notably Linux with a 2.2 kernel, cannot have Privilege User support and Compression enabled at the same time. At least on my system it cannot. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Jul 9 06:51:16 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 9 Jul 2002 06:51:16 +1000 (EST) Subject: [Bug 344] syntax error in bsd-misc.c / utimes() Message-ID: <20020708205116.E11EEE948@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=344 ------- Additional Comments From gert at greenie.muc.de 2002-07-09 06:51 ------- Well, what's in there is syntactically incorrect (gcc barfs about the "->", as tvp[0]-> will do a double dereference on a single pointer), and it's also semantically incorrect as the second value should not be tv_*u*sec. What is breaking on UnixWare? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Jul 9 07:13:14 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 9 Jul 2002 07:13:14 +1000 (EST) Subject: [Bug 344] syntax error in bsd-misc.c / utimes() Message-ID: <20020708211314.5ECD3E948@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=344 ------- Additional Comments From tim at multitalents.net 2002-07-09 07:13 ------- UnixWare is happy with Gert's patch. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Jul 9 07:40:54 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 9 Jul 2002 07:40:54 +1000 (EST) Subject: [Bug 344] syntax error in bsd-misc.c / utimes() Message-ID: <20020708214054.095BAE916@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=344 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From mouring at eviladmin.org 2002-07-09 07:40 ------- Already committed. I'd like to know why NeXT did not mind it. I'll have to test it when I get home. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From tim at multitalents.net Tue Jul 9 12:03:03 2002 From: tim at multitalents.net (Tim Rice) Date: Mon, 8 Jul 2002 19:03:03 -0700 (PDT) Subject: patch for openssh/contrib/solaris/buildpkg.sh In-Reply-To: <20020524163151.A3228@rufus.net> Message-ID: On Fri, 24 May 2002, kevin brintnall wrote: > Here is a small patch for OpenSSH 3.2.3p1.. Applied. Thanks. Next time please use diff -u or diff -c > > When the package postinstall script runs, it presumes that the package > will be installed relative to the current / directory.. If this package > is installed as part of a Solaris Jumpstart installation, this will not be > the case. Consequentially, the /etc/ssh/sshd_config.default will never > get copied to /etc/ssh/sshd_config on the new operating system. > > The Solaris package installer defines the environment variable > PKG_INSTALL_ROOT to point to the root directory of the installed package. > The attached patch makes the postinstall script aware of this. It should > now function as designed in a Jumpstart environment also (or any other > environment where the PKG_INSTALL_ROOT != /) > > Cheers! > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From bugzilla-daemon at mindrot.org Tue Jul 9 15:44:43 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 9 Jul 2002 15:44:43 +1000 (EST) Subject: [Bug 341] Return Code unpredictable Message-ID: <20020709054443.3ABC3E93D@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=341 ------- Additional Comments From norbert.weuster at mgi.de 2002-07-09 15:44 ------- the optional flags -n and/or -T don't change the situation ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Jul 9 18:23:52 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 9 Jul 2002 18:23:52 +1000 (EST) Subject: [Bug 324] privsep break KRB4 auth, KRB4 TGT forwarding and AFS token forwarding Message-ID: <20020709082352.A6805E94B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=324 ------- Additional Comments From jan.iven at cern.ch 2002-07-09 18:23 ------- Created an attachment (id=130) (fixing a "xfree" of an uninitialized buffer, in case KRB4 auth fails) ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Jul 9 20:33:10 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 9 Jul 2002 20:33:10 +1000 (EST) Subject: [Bug 335] OpenSSL headers do not match your library Message-ID: <20020709103310.61F8DE95F@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=335 markus at openbsd.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Additional Comments From markus at openbsd.org 2002-07-09 20:33 ------- some bsd/os patch for bsd/os 4.2 did update OpenSSL, but failed to update either libcrypto.a or the includes. please tell bsdi. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Tue Jul 9 21:03:52 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Tue, 9 Jul 2002 21:03:52 +1000 (EST) Subject: [Bug 340] Segmentation Fault Message-ID: <20020709110352.4BA17E995@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=340 malkema at vsrt.nl changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From malkema at vsrt.nl 2002-07-09 21:03 ------- Thanks for your help, I installed the latest ssh & ssl pkg from sunfreeware. It works just fine now. :-) Mark. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From vinschen at redhat.com Tue Jul 9 23:00:48 2002 
From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 9 Jul 2002 15:00:48 +0200 Subject: [PATCH]: Remove HAVE_CYGWIN in favor of NO_IPPORT_RESERVED_CONCEPT In-Reply-To: <20020704112710.M21857@cygbert.vinschen.de> References: <20020704112710.M21857@cygbert.vinschen.de> Message-ID: <20020709150048.L21857@cygbert.vinschen.de> Hi, may I ask what about this one? As I said, if it's unacceptable to use something like NO_IPPORT_RESERVED_CONCEPT, we need at least a HAVE_CYGWIN in serverloop.c which is currently missing. Corinna On Thu, Jul 04, 2002 at 11:27:10AM +0200, Corinna Vinschen wrote: > Hi, > > I've sent that patch once already but it seems more or less forgotten > in the tumultuous days of the latest vulnerability. > > It adds a new define NO_IPPORT_RESERVED_CONCEPT which can be defined > on platforms not supporting the concept of "privileged" ports only > accessible by privileged users but which allow everyone to use these > ports. > > This patch removes some Cygwin dependencies from the code. > > Otherwise, if this patch isn't applied, we definitely need another > #ifndef HAVE_CYGWIN in serverloop.c, otherwise serverside port forwarding > for reserved ports doesn't work in Cygwin's 3.4 version. The official > Cygwin release of 3.4 contains that additional HAVE_CYGWIN patch so far. > > Corinna > > > Index: acconfig.h > =================================================================== > RCS file: /cvs/openssh_cvs/acconfig.h,v > retrieving revision 1.141 > diff -u -p -r1.141 acconfig.h > --- acconfig.h 25 Jun 2002 22:35:16 -0000 1.141 > +++ acconfig.h 4 Jul 2002 09:13:29 -0000 
> @@ -310,6 +310,9 @@ > /* Define if X11 doesn't support AF_UNIX sockets on that system */ > #undef NO_X11_UNIX_SOCKETS > > +/* Define if the concept of ports only accessible to superusers isn't known */ > +#undef NO_IPPORT_RESERVED_CONCEPT > + > /* Needed for SCO and NeXT */ > #undef BROKEN_SAVED_UIDS > > Index: configure.ac > =================================================================== > RCS file: /cvs/openssh_cvs/configure.ac,v > retrieving revision 1.73 > diff -u -p -r1.73 configure.ac > --- configure.ac 28 Jun 2002 00:37:33 -0000 1.73 > +++ configure.ac 4 Jul 2002 09:13:30 -0000 > @@ -86,6 +86,7 @@ case "$host" in > AC_DEFINE(IPV4_DEFAULT) > AC_DEFINE(IP_TOS_IS_BROKEN) > AC_DEFINE(NO_X11_UNIX_SOCKETS) > + AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) > AC_DEFINE(BROKEN_FD_PASSING) > AC_DEFINE(SETGROUPS_NOOP) > ;; > Index: readconf.c > =================================================================== > RCS file: /cvs/openssh_cvs/readconf.c,v > retrieving revision 1.75 > diff -u -p -r1.75 readconf.c > --- readconf.c 21 Jun 2002 00:41:52 -0000 1.75 > +++ readconf.c 4 Jul 2002 09:13:31 -0000 > @@ -199,7 +199,7 @@ add_local_forward(Options *options, u_sh > u_short host_port) > { > Forward *fwd; > -#ifndef HAVE_CYGWIN > +#ifndef NO_IPPORT_RESERVED_CONCEPT > extern uid_t original_real_uid; > if (port < IPPORT_RESERVED && original_real_uid != 0) > fatal("Privileged ports can only be forwarded by root."); > Index: serverloop.c > =================================================================== > RCS file: /cvs/openssh_cvs/serverloop.c,v > retrieving revision 1.102 > diff -u -p -r1.102 serverloop.c > --- serverloop.c 25 Jun 2002 23:17:37 -0000 1.102 > +++ serverloop.c 4 Jul 2002 09:13:34 -0000 
> @@ -972,8 +972,11 @@ server_input_global_request(int type, u_ > > /* check permissions */ > if (!options.allow_tcp_forwarding || > - no_port_forwarding_flag || > - (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) { > + no_port_forwarding_flag > +#ifndef NO_IPPORT_RESERVED_CONCEPT > + || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) > +#endif > + ) { > success = 0; > packet_send_debug("Server has disabled port forwarding."); > } else { > > -- > Corinna Vinschen > Cygwin Developer > Red Hat, Inc. > mailto:vinschen at redhat.com > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From markus at openbsd.org Tue Jul 9 23:16:10 2002 From: markus at openbsd.org (Markus Friedl) Date: Tue, 9 Jul 2002 15:16:10 +0200 Subject: [PATCH]: Remove HAVE_CYGWIN in favor of NO_IPPORT_RESERVED_CONCEPT In-Reply-To: <20020709150048.L21857@cygbert.vinschen.de> References: <20020704112710.M21857@cygbert.vinschen.de> <20020709150048.L21857@cygbert.vinschen.de> Message-ID: <20020709131609.GA15567@faui02> On Tue, Jul 09, 2002 at 03:00:48PM +0200, Corinna Vinschen wrote: > Hi, > > may I ask what's about this one? As I said, if it's unacceptable > to use something like NO_IPPORT_RESERVED_CONCEPT, we need at least > a HAVE_CYGWIN in serverloop.c which is currently missing. i think we should have something like NO_IPPORT_RESERVED_CONCEPT, but people are busy. -m From mouring at etoh.eviladmin.org Tue Jul 9 23:55:15 2002 
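Review bot: In the readconf.c hunk the guard around the client-side privileged-port check is renamed, but the matching `#endif` and any sibling test in add_remote_forward are outside the shown context; if the -R path carries a similar `port < IPPORT_RESERVED` check it must switch to NO_IPPORT_RESERVED_CONCEPT in the same commit, otherwise -L and -R forwards would behave differently on Cygwin.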
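Review bot: In the serverloop.c hunk, splicing `#ifndef NO_IPPORT_RESERVED_CONCEPT` into the middle of the if-condition works but leaves a lone `)` on its own line and is easy to break on the next edit; computing the test into a local first, e.g. `int reserved = 0;` followed by `#ifndef NO_IPPORT_RESERVED_CONCEPT` / `reserved = listen_port < IPPORT_RESERVED && pw->pw_uid != 0;` / `#endif`, and then writing `|| reserved` in the condition keeps the preprocessor out of the expression and the permission logic readable.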
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 9 Jul 2002 08:55:15 -0500 (CDT) Subject: [PATCH]: Remove HAVE_CYGWIN in favor of NO_IPPORT_RESERVED_CONCEPT In-Reply-To: <20020709150048.L21857@cygbert.vinschen.de> Message-ID: Applied. It's been in my mailbox, but when you have 161 messages all that need some form of attention things are slowly done if they are not in my direct line of view. - Ben On Tue, 9 Jul 2002, Corinna Vinschen wrote: > Hi, > > may I ask what about this one? As I said, if it's unacceptable > to use something like NO_IPPORT_RESERVED_CONCEPT, we need at least > a HAVE_CYGWIN in serverloop.c which is currently missing. > > Corinna > > > On Thu, Jul 04, 2002 at 11:27:10AM +0200, Corinna Vinschen wrote: > > Hi, > > > > I've sent that patch once already but it seems more or less forgotten > > in the tumultuous days of the latest vulnerability. > > > > It adds a new define NO_IPPORT_RESERVED_CONCEPT which can be defined > > on platforms not supporting the concept of "privileged" ports only > > accessible by privileged users but which allow everyone to use these > > ports. > > > > This patch removes some Cygwin dependencies from the code. > > > > Otherwise, if this patch isn't applied, we definitely need another > > #ifndef HAVE_CYGWIN in serverloop.c, otherwise serverside port forwarding > > for reserved ports doesn't work in Cygwin's 3.4 version. The official > > Cygwin release of 3.4 contains that additional HAVE_CYGWIN patch so far. > > > > Corinna > > > > > > Index: acconfig.h > > =================================================================== > > RCS file: /cvs/openssh_cvs/acconfig.h,v > > retrieving revision 1.141 > > diff -u -p -r1.141 acconfig.h > > --- acconfig.h 25 Jun 2002 22:35:16 -0000 1.141 > > +++ acconfig.h 4 Jul 2002 09:13:29 -0000 
> > @@ -310,6 +310,9 @@ > > /* Define if X11 doesn't support AF_UNIX sockets on that system */ > > #undef NO_X11_UNIX_SOCKETS > > > > +/* Define if the concept of ports only accessible to superusers isn't known */ > > +#undef NO_IPPORT_RESERVED_CONCEPT > > + > > /* Needed for SCO and NeXT */ > > #undef BROKEN_SAVED_UIDS > > > > Index: configure.ac > > =================================================================== > > RCS file: /cvs/openssh_cvs/configure.ac,v > > retrieving revision 1.73 > > diff -u -p -r1.73 configure.ac > > --- configure.ac 28 Jun 2002 00:37:33 -0000 1.73 > > +++ configure.ac 4 Jul 2002 09:13:30 -0000 > > @@ -86,6 +86,7 @@ case "$host" in > > AC_DEFINE(IPV4_DEFAULT) > > AC_DEFINE(IP_TOS_IS_BROKEN) > > AC_DEFINE(NO_X11_UNIX_SOCKETS) > > + AC_DEFINE(NO_IPPORT_RESERVED_CONCEPT) > > AC_DEFINE(BROKEN_FD_PASSING) > > AC_DEFINE(SETGROUPS_NOOP) > > ;; > > Index: readconf.c > > =================================================================== > > RCS file: /cvs/openssh_cvs/readconf.c,v > > retrieving revision 1.75 > > diff -u -p -r1.75 readconf.c > > --- readconf.c 21 Jun 2002 00:41:52 -0000 1.75 > > +++ readconf.c 4 Jul 2002 09:13:31 -0000 > > @@ -199,7 +199,7 @@ add_local_forward(Options *options, u_sh > > u_short host_port) > > { > > Forward *fwd; > > -#ifndef HAVE_CYGWIN > > +#ifndef NO_IPPORT_RESERVED_CONCEPT > > extern uid_t original_real_uid; > > if (port < IPPORT_RESERVED && original_real_uid != 0) > > fatal("Privileged ports can only be forwarded by root."); > > Index: serverloop.c > > =================================================================== > > RCS file: /cvs/openssh_cvs/serverloop.c,v > > retrieving revision 1.102 > > diff -u -p -r1.102 serverloop.c > > --- serverloop.c 25 Jun 2002 23:17:37 -0000 1.102 > > +++ serverloop.c 4 Jul 2002 09:13:34 -0000 
> > @@ -972,8 +972,11 @@ server_input_global_request(int type, u_ > > > > /* check permissions */ > > if (!options.allow_tcp_forwarding || > > - no_port_forwarding_flag || > > - (listen_port < IPPORT_RESERVED && pw->pw_uid != 0)) { > > + no_port_forwarding_flag > > +#ifndef NO_IPPORT_RESERVED_CONCEPT > > + || (listen_port < IPPORT_RESERVED && pw->pw_uid != 0) > > +#endif > > + ) { > > success = 0; > > packet_send_debug("Server has disabled port forwarding."); > > } else { > > > > -- > > Corinna Vinschen > > Cygwin Developer > > Red Hat, Inc. > > mailto:vinschen at redhat.com > > _______________________________________________ > > openssh-unix-dev at mindrot.org mailing list > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > > -- > Corinna Vinschen > Cygwin Developer > Red Hat, Inc. > mailto:vinschen at redhat.com > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From vinschen at redhat.com Wed Jul 10 00:40:06 2002 From: vinschen at redhat.com (Corinna Vinschen) Date: Tue, 9 Jul 2002 16:40:06 +0200 Subject: [PATCH]: Remove HAVE_CYGWIN in favor of NO_IPPORT_RESERVED_CONCEPT In-Reply-To: References: <20020709150048.L21857@cygbert.vinschen.de> Message-ID: <20020709164006.N21857@cygbert.vinschen.de> On Tue, Jul 09, 2002 at 08:55:15AM -0500, Ben Lindstrom wrote: > > Applied. Thanks. > It's been in my mailbox, but when you have 161 messages all that need some > form of attention things are slowly done if they are not in my direct line > of view. Sure, same here. That's the reason that sometimes the contributor pings the maintainer ;-) Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From d.schroeter at gmx.de Wed Jul 10 05:07:48 2002 
From: d.schroeter at gmx.de (Daniel Schröter)
Date: Tue, 09 Jul 2002 19:07:48 +0000
Subject: With bounds checking patch for gcc-3.1 problems if using AES
References: <3D249F0C.90600@gmx.de>
Message-ID: <3D2B3484.9000906@gmx.de>

Hello developers,

Daniel Schröter wrote:
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> :0:Bounds error: in memcpy with 0x1a5a38 and 0x1a5a30 for 16,
> source and destination objects overlap.
> :0: Pointer value: 0x1a5a38
> :0: Object `send_context':
> :0: Address in memory: 0x1a5a20 .. 0x1a6a9f
> :0: Size: 4224 bytes
> :0: Element size: 1 bytes
> :0: Number of elements: 4224
> :0: Created at: packet.c, line 87
> :0: Storage class: static
> debug1: Calling cleanup 0x82b04(0x0)

Like I said, I'm not the coding expert, but I have some additional
information and a solution. I compiled OpenSSL with the CFLAG "-g" and
now I get the file and line number where the problem occurred:

debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
evp_enc.c:105:Bounds error: in memcpy with 0x2bfc40 and 0x2bfc38 for 16,
source and destination objects overlap.
evp_enc.c:105: Pointer value: 0x2bfc40
evp_enc.c:105: Object `send_context':
evp_enc.c:105: Address in memory: 0x2bfc28 .. 0x2c0ca7
evp_enc.c:105: Size: 4224 bytes
evp_enc.c:105: Element size: 1 bytes
evp_enc.c:105: Number of elements: 4224
evp_enc.c:105: Created at: packet.c, line 87
evp_enc.c:105: Storage class: static
debug1: Calling cleanup 0x91178(0x0)

The line 105 in file openssl-0.9.6d/crypto/evp/evp_enc.c is (maybe) the
problem:

memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx));

So I took an update to
ftp://ftp.openssl.org/snapshot/openssl-SNAP-20020707.tar.gz
and it works fine. Also the Beta2 from openssl-0.9.7 works fine.

Sorry for the wrong mailing list I have taken and that the bug is
already fixed.
Bye
--
=========================================================
PGP keyID: 9EA3FF2C
$ gpg --keyserver wwwkeys.de.pgp.net --recv-key 9EA3FF2C
=========================================================

From gert at greenie.muc.de Wed Jul 10 03:31:04 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 9 Jul 2002 19:31:04 +0200
Subject: With bounds checking patch for gcc-3.1 problems if using AES
In-Reply-To: <3D2B3484.9000906@gmx.de>; from d.schroeter@gmx.de on Tue, Jul 09, 2002 at 07:07:48PM +0000
References: <3D249F0C.90600@gmx.de> <3D2B3484.9000906@gmx.de>
Message-ID: <20020709193103.A19869@greenie.muc.de>

Hi,

On Tue, Jul 09, 2002 at 07:07:48PM +0000, Daniel Schröter wrote:
> The line 105 in file openssl-0.9.6d/crypto/evp/evp_enc.c is (maybe) the
> problem.:
>
> memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx));
>
> So I take an update to
> ftp://ftp.openssl.org/snapshot/openssl-SNAP-20020707.tar.gz
> and it works fine. Also the Beta2 from openssl-0.9.7 works fine.

Thanks for pointing that out. It might explain the problems I have
with ssh -2 on FreeBSD 2.2.x - everything core dumps as soon as it
hits a DSA or RSA2 key. Possibly the memcpy in 2.2 works "the other way
round" as compared to 3.x and 4.x, and thus it bombs there.

I will try that approach as soon as 0.9.7 is officially released...

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From carson at taltos.org Wed Jul 10 03:54:23 2002
From: carson at taltos.org (Carson Gaspar)
Date: Tue, 09 Jul 2002 13:54:23 -0400
Subject: With bounds checking patch for gcc-3.1 problems if using AES
In-Reply-To: <20020709193103.A19869@greenie.muc.de>
References: <3D249F0C.90600@gmx.de> <3D2B3484.9000906@gmx.de> <20020709193103.A19869@greenie.muc.de>
Message-ID: <604367484.1026222863@[172.25.113.221]>

--On Tuesday, July 09, 2002 7:31 PM +0200 Gert Doering wrote:

> Thanks for pointing that out. It might explain the problems I have
> with ssh -2 on FreeBSD 2.2.x - everything core dumps as soon as it
> hits a DSA or RSA2 key. Possibly the memcpy in 2.2 works "the other way
> round" as compared to 3.x and 4.x, and thus it bombs there.

Try doing a s/memcpy/memmove/ on the appropriate source line. memmove() is
guaranteed to do overlapping copies correctly. memcpy() is not. bcopy()
usually works - the BSD ones do, but at least some sysv versions do not.
UNIX98 bcopy() does handle overlapping ranges.

--
Carson

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Jul 10 03:59:48 2002
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 9 Jul 2002 19:59:48 +0200
Subject: With bounds checking patch for gcc-3.1 problems if using AES
In-Reply-To: <3D2B3484.9000906@gmx.de>
References: <3D249F0C.90600@gmx.de> <3D2B3484.9000906@gmx.de>
Message-ID: <20020709175948.GA29587@serv01.aet.tu-cottbus.de>

On Tue, Jul 09, 2002 at 07:07:48PM +0000, Daniel Schröter wrote:
> like I said, I'm not the coding expert, but I have some additional
> information and a solution. I compiled OpenSSL with the CFLAG "-g" and
> now I get the file and line number where the problem occurred:
>
> debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
> debug1: kex_derive_keys
> debug1: newkeys: mode 1
> evp_enc.c:105:Bounds error: in memcpy with 0x2bfc40 and 0x2bfc38 for 16,
> source and destination objects overlap.
> evp_enc.c:105: Pointer value: 0x2bfc40
> evp_enc.c:105: Object `send_context':
> evp_enc.c:105: Address in memory: 0x2bfc28 .. 0x2c0ca7
> evp_enc.c:105: Size: 4224 bytes
> evp_enc.c:105: Element size: 1 bytes
> evp_enc.c:105: Number of elements: 4224
> evp_enc.c:105: Created at: packet.c, line 87
> evp_enc.c:105: Storage class: static
> debug1: Calling cleanup 0x91178(0x0)
>
> The line 105 in file openssl-0.9.6d/crypto/evp/evp_enc.c is (maybe) the
> problem:
>
> memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx));
>
> So I take an update to
> ftp://ftp.openssl.org/snapshot/openssl-SNAP-20020707.tar.gz
> and it works fine. Also the Beta2 from openssl-0.9.7 works fine.

Your analysis indicates the following: ctx->iv and ctx->oiv are members
of evp_cipher_ctx_st (aka EVP_CIPHER_CTX), located one after the other
in memory. Both are of the size EVP_MAX_IV_LENGTH which is 8 in 0.9.6x
and 16 for 0.9.7 and later. If the length of the IV is larger than
8 bytes, an overlapping memory copy may occur:
...
#define RIJNDAEL_BLOCKSIZE 16
rijndal_cbc.iv_len = RIJNDAEL_BLOCKSIZE;

I did not check out the details of OpenSSH's AES implementation, but AES
is not part of OpenSSL 0.9.6x and it seems that it was added in the EVP
style by the OpenSSH people. However, this implementation might fail due
to the too small buffers in evp_cipher_ctx_st.

> Sorry for the wrong mailing list I have taken and that the bug is
> already fixed.

If my analysis (based on a short glance into both OpenSSL's and OpenSSH's
sources) is correct, this mailing list _is_ appropriate.

Best regards,
	Lutz
--
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus

From Eric.Pavlov at wpafb.af.mil Wed Jul 10 06:14:42 2002
From: Eric.Pavlov at wpafb.af.mil (Pavlov Eric J Contr AFRL/MLOC)
Date: Tue, 9 Jul 2002 16:14:42 -0400
Subject: Openssh 3.4p1 and Krb5
Message-ID: <53A10F824E50D511820800508BDF3F2204AD25C2@fszhtv12.wpafb.af.mil>

Hi All,

I am running openssh with kerberos 5 protocol 2 on several different unix
platforms courtesy of Simon's patch at www.sxw.org.uk (Thanks again Simon
et al.!)

Openssh 3.2 and earlier had compiled and run successfully for me on all
platforms, but I have had limited success with 3.4. It compiles and runs
flawlessly on redhat 7.1, 7.2 and 7.3. But on Solaris 8 and Irix 6.5.15,
it will compile, but will not talk to our KDC with password
authentication or accept tickets from other machines. These are machines
that compiled and ran kerberized openssh3.2 flawlessly. Debug mode on
sshd shows it trying method gssapi, but it always fails early on. I can
include this information if it would be helpful. Has anyone else out
there run into trouble with this? Any ideas?

I have been running
./configure --with-privsep-user=nobody --with-kerberos5=/usr/local

Thanks again,
Eric

From bugzilla-daemon at mindrot.org Wed Jul 10 06:50:09 2002
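Back to the evp_enc.c overlap that Daniel, Carson and Lutz discuss above: the following is an added C example, not code from the thread, from OpenSSL or from OpenSSH. `struct toy_cipher_ctx` is a constructed stand-in for the two IV members of evp_cipher_ctx_st as Lutz describes them (oiv and iv adjacent, each EVP_MAX_IV_LENGTH = 8 bytes in 0.9.6x); `TOY_EVP_MAX_IV_LENGTH`, `copy_ranges_overlap()`, `reset_iv_would_overlap()`, `reset_iv_checked()` and the `demo_*` helpers are names made up for the example. It shows why a 16-byte AES IV makes the `memcpy(ctx->iv, ctx->oiv, iv_len)` in the report overlap, and that Carson's memmove() swap is only half of a fix: memmove() handles the overlap but still reads and writes past the 8-byte arrays, so the copy length has to be bounded by the buffer as well.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in (assumption, not OpenSSL's header) for the IV
 * buffers of OpenSSL 0.9.6x's evp_cipher_ctx_st: oiv (original IV) and
 * iv (working IV) are adjacent arrays of EVP_MAX_IV_LENGTH = 8 bytes. */
#define TOY_EVP_MAX_IV_LENGTH 8
#define RIJNDAEL_BLOCKSIZE   16

struct toy_cipher_ctx {
    unsigned char oiv[TOY_EVP_MAX_IV_LENGTH]; /* original IV */
    unsigned char iv[TOY_EVP_MAX_IV_LENGTH];  /* working IV */
    int iv_len;                               /* length the cipher asks for */
};

/* True when copying n bytes from src to dst touches overlapping memory,
 * which memcpy() is not required to handle correctly (memmove() is). */
int copy_ranges_overlap(const void *dst, const void *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    return d < s + n && s < d + n;
}

/* The 0.9.6 reset as reported, memcpy(ctx->iv, ctx->oiv, iv_len), but
 * only classified, not performed: with a 16-byte IV the source range
 * runs from oiv into iv (overlap) and the destination runs past iv into
 * whatever follows it in the struct. Returns 1 if it would overlap. */
int reset_iv_would_overlap(const struct toy_cipher_ctx *ctx)
{
    return copy_ranges_overlap(ctx->iv, ctx->oiv, (size_t)ctx->iv_len);
}

/* Hardened reset: bound the length by the buffer, then use memmove().
 * Returns 0 on success, -1 if the requested IV does not fit. */
int reset_iv_checked(struct toy_cipher_ctx *ctx)
{
    if (ctx->iv_len < 0 || (size_t)ctx->iv_len > sizeof(ctx->iv))
        return -1;
    memmove(ctx->iv, ctx->oiv, (size_t)ctx->iv_len);
    return 0;
}

/* Demo: an AES-sized IV in an 8-byte context overlaps (returns 1). */
int demo_aes_iv_overlaps(void)
{
    struct toy_cipher_ctx ctx = {0};
    ctx.iv_len = RIJNDAEL_BLOCKSIZE;
    return reset_iv_would_overlap(&ctx);
}

/* Demo: the checked reset refuses the AES-sized IV (returns -1). */
int demo_aes_iv_rejected(void)
{
    struct toy_cipher_ctx ctx = {0};
    ctx.iv_len = RIJNDAEL_BLOCKSIZE;
    return reset_iv_checked(&ctx);
}

/* Demo: an 8-byte IV (a 64-bit block cipher) fits, does not overlap, and
 * the bytes really are copied (returns 1). */
int demo_des_iv_ok(void)
{
    struct toy_cipher_ctx ctx = {0};
    ctx.iv_len = 8;
    memset(ctx.oiv, 0xA5, sizeof(ctx.oiv));
    if (reset_iv_would_overlap(&ctx))
        return -2;
    if (reset_iv_checked(&ctx) != 0)
        return -1;
    return memcmp(ctx.iv, ctx.oiv, sizeof(ctx.iv)) == 0;
}
```

The length check is the part that matters for safety: the bounds-checking compiler flagged the overlap, but the same copy also runs 8 bytes past the end of both arrays, which no choice of copy routine repairs.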
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 10 Jul 2002 06:50:09 +1000 (EST)
Subject: [Bug 347] New: wrong macro used
Message-ID: <20020709205009.7B48FE931@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=347

           Summary: wrong macro used
           Product: Portable OpenSSH
           Version: -current
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: rodney at bond.net

This is with version 3.4p1 of OpenSSH.

In the file "loginrec.c", function utmpx_get_entry(), around line #1252
the macro WTMP_FILE is used when it should be WTMPX_FILE (note the 'X').
OpenSSH 3.4p1 will not compile because of this when the build is
configured to use wtmpx.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Jul 10 07:02:09 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 10 Jul 2002 07:02:09 +1000 (EST)
Subject: [Bug 348] New: infinite loop scanning wtmpx
Message-ID: <20020709210209.15B93E931@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=348

           Summary: infinite loop scanning wtmpx
           Product: Portable OpenSSH
           Version: -current
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: rodney at bond.net

This is with OpenSSH 3.4p1.

In the function wtmpx_get_entry() in the file loginrec.c from lines 1264
through 1292 there is a while-loop with the test condition of "!found".
Within the while-loop when the test condition wtmpx_islogin() returns
true the action "found = 1;" should be done. Otherwise the while-loop
will loop forever on a wtmpx login entry and the entry following it.

Found while running the code. When "found = 1;" is added before line 1286
(the "continue;") the code performs as would be expected.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From wendyp at cray.com Wed Jul 10 07:23:10 2002
From: wendyp at cray.com (Wendy Palm)
Date: Tue, 09 Jul 2002 16:23:10 -0500
Subject: default socket buffer length
Message-ID: <3D2B543E.13E7AD11@cray.com>

i have a site that needs to increase the socket buffer size.
this is something i really don't know much about, myself.

they need to increase it to at least 300k to get decent performance
(specifically for scp).

what is the current default & are there any known ramifications to
increasing it?

thanks,
wendy

--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From provos at citi.umich.edu Wed Jul 10 17:37:28 2002
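The wtmpx_get_entry() loop shape from bug 348 above, as an added C example that is not the OpenSSH loginrec.c code: `struct toy_utmpx`, `toy_islogin()`, `toy_wtmpx_get_entry()`, `toy_last_login_time()` and the sample records are constructed stand-ins for the utmpx record, wtmpx_islogin() and the wtmpx file, and the scan runs over an in-memory array rather than reading a file backwards. It keeps the `while (!found)` test the report describes, with the `found = 1;` the report says is missing, and shows the second exit the loop also needs so that a user with no login entry does not spin either.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Constructed stand-in for a wtmpx record: only the fields the scan uses
 * (assumption made for the example, not the platform's struct utmpx). */
#define TOY_USER_PROCESS 7
#define TOY_DEAD_PROCESS 8

struct toy_utmpx {
    char   ut_user[32];
    char   ut_line[32];
    short  ut_type;
    time_t ut_tv_sec;
};

/* Is this a login record for user? (stand-in for wtmpx_islogin()) */
static int toy_islogin(const struct toy_utmpx *ut, const char *user)
{
    return ut->ut_type == TOY_USER_PROCESS &&
           strncmp(ut->ut_user, user, sizeof(ut->ut_user)) == 0;
}

/* Scan records newest-first for the user's most recent login.
 * Returns 1 and fills *out when found, 0 when the records are exhausted.
 * The loop condition is "!found" as in the report; the line marked FIX is
 * the assignment bug 348 says is missing, without which the loop would
 * re-examine the same record forever. */
int toy_wtmpx_get_entry(const struct toy_utmpx *recs, size_t nrecs,
                        const char *user, struct toy_utmpx *out)
{
    int found = 0;
    size_t i = nrecs;               /* wtmpx is read backwards from the end */

    while (!found) {
        if (i == 0)
            break;                  /* start of file: no login for this user */
        i--;
        if (toy_islogin(&recs[i], user)) {
            *out = recs[i];
            found = 1;              /* FIX: terminate the loop on a hit */
            continue;
        }
        /* not a login record for user: keep walking backwards */
    }
    return found;
}

/* Constructed sample "wtmpx" contents, oldest first. */
static const struct toy_utmpx sample_recs[] = {
    { "alice", "pts/0", TOY_USER_PROCESS, 1026000000 },
    { "bob",   "pts/1", TOY_USER_PROCESS, 1026000100 },
    { "alice", "pts/2", TOY_USER_PROCESS, 1026000200 },
    { "alice", "pts/2", TOY_DEAD_PROCESS, 1026000300 }, /* logout, skipped */
};

/* Newest login time for user from the sample records, or -1 if none. */
long toy_last_login_time(const char *user)
{
    struct toy_utmpx e;
    size_t n = sizeof(sample_recs) / sizeof(sample_recs[0]);

    if (!toy_wtmpx_get_entry(sample_recs, n, user, &e))
        return -1;
    return (long)e.ut_tv_sec;
}
```

With the `found = 1;` line removed, `toy_last_login_time("alice")` would never return; with it, the newest USER_PROCESS record for alice wins and the trailing DEAD_PROCESS record is ignored.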
From: provos at citi.umich.edu (Niels Provos)
Date: Wed, 10 Jul 2002 03:37:28 -0400
Subject: [protois@ensea.fr: NVIDIA and Privilege Separation]
Message-ID: <20020710073728.GU13515@citi.citi.umich.edu>

Does someone understand this? I do not.

Niels.

----- Forwarded message from laurent Protois -----

Subject: NVIDIA and Privilege Separation
From: laurent Protois
To: provos at citi.umich.edu
X-Mailer: Ximian Evolution 1.0.7-1mdk
Date: 10 Jul 2002 09:29:45 +0200

Hi Niels,

i have a little problem with openssh 3.4 and Nvidia kernel driver:

On all my machines openssh 3.4 daemon run ok,
except where NVIDIA kernel module (2960) had been installed, sshd crash
saying :

users Privilege Separation does not exist ...

NVIDIA and "Privilege Separation" doesn't seem
to be compatible ???

Graham Short has noticed the problem too :

I had "users Privilege Separation does not exist ..." too & I have an
Nvidia card.

Fixed it by erasing sshd (rpm --erase ...) and then re-installing it.

Don't know what the cause was & didn't know it was related to Nvidia,
but is working now on the latest RPM.

Graham

The packages i used are :

NVIDIA_GLX-1.0-2960.i386.rpm
NVIDIA_kernel-1.0-2960.mdk82up.i586.rpm
openssh-3.4p1-1.1mdk.i586.rpm

by today, i can't use drivers NVIDIA and openssh-3.4 together with
Privilege Separation on my Mandrake 8.2 machines.

if you have an idea ?
Mandrake or Nvidia ?

Thanks

--
___________________________________________________________________
Laurent Protois (Systemes & Reseaux)
Centre de Ressources Informatiques (CRI) de l'ENSEA
Ecole Nationale Supérieure de l'Electronique et de ses Applications
6, avenue du Ponceau - 95014 Cergy Pontoise Cedex
tel: 01 30 73 66 26 fax: 01 30 73 66 67
email: protois at ensea.fr web: http://www.ensea.fr
___________________________________________________________________

----- End forwarded message -----

From gert at greenie.muc.de Wed Jul 10 18:03:06 2002
From: gert at greenie.muc.de (Gert Doering) Date: Wed, 10 Jul 2002 10:03:06 +0200 Subject: [protois@ensea.fr: NVIDIA and Privilege Separation] In-Reply-To: <20020710073728.GU13515@citi.citi.umich.edu>; from provos@citi.umich.edu on Wed, Jul 10, 2002 at 03:37:28AM -0400 References: <20020710073728.GU13515@citi.citi.umich.edu> Message-ID: <20020710100305.I19869@greenie.muc.de> Hi, I don't... but I can verify that sshd with PrivSep works on a SuSE 8.0 system with the SuSE NVIDIA drivers and the SuSE openssh packages. (The packages seem to have been compiled on 2.2, and claim that Compression + PrivSep is not supported, but otherwise, it works). gert On Wed, Jul 10, 2002 at 03:37:28AM -0400, Niels Provos wrote: > Does someone understand this? I do not. > > Niels. > > ----- Forwarded message from laurent Protois ----- > > Subject: NVIDIA and Privilege Separation 
> From: laurent Protois > To: provos at citi.umich.edu > X-Mailer: Ximian Evolution 1.0.7-1mdk > Date: 10 Jul 2002 09:29:45 +0200 > > Hi Niels, > > i have a little problem with openssh 3.4 and Nvidia kernel driver: > > On all my machines openssh 3.4 deamon run ok, > except where NVIDIA kernel module (2960) had been install,sshd crash > saying : > > users Privilege Separation does not exist ... > > NVIDIA and "Privilege Separation" doesn't seems > to be compatible ??? > > Graham Short have noticed the problem too : > > I had "users Privilege Separation does not exist ..." too & I have an > Nvidia card. > > Fixed it by erasing sshd (rpm --erase ...) and then re-installing it. > > Don't know what the cause was & didn't know it was related to Nvidia, > but is working now on the latest RPM. > > Graham > > The packages i used are : > > NVIDIA_GLX-1.0-2960.i386.rpm > NVIDIA_kernel-1.0-2960.mdk82up.i586.rpm > openssh-3.4p1-1.1mdk.i586.rpm > > by today, i can't use drivers NVIDIA and openssh-3.4 together with > Privilege Separation on my Mandrake 8.2 machines. > > if you have an idea ? > Mandrake or Nvidia ? > > Thanks > > -- > ___________________________________________________________________ > Laurent Protois (Systemes & Reseaux) > Centre de Ressources Informatiques (CRI) de l'ENSEA > Ecole Nationale Sup?rieure de l'Electronique et de ses Applications > 6, avenue du Ponceau - 95014 Cergy Pontoise Cedex > tel: 01 30 73 66 26 fax: 01 30 73 66 67 > email: protois at ensea.fr web: http://www.ensea.fr > ___________________________________________________________________ > > ----- End forwarded message ----- > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -- USENET is *not* the non-clickable part of WWW! 
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de

From bugzilla-daemon at mindrot.org Wed Jul 10 19:05:59 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 10 Jul 2002 19:05:59 +1000 (EST)
Subject: [Bug 349] New: There is no log of failed logins
Message-ID: <20020710090559.87D5AE8EA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=349

           Summary: There is no log of failed logins
           Product: Portable OpenSSH
           Version: -current
          Platform: PPC
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: berry.perzon at nogui.se

Under AIX, all failed logins are recorded in /etc/security/failedlogin.
If I try to login with e.g. telnet, the logfile is updated, but when I
use openSSH, no information is added to the logfile.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Jul 10 19:27:50 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 10 Jul 2002 19:27:50 +1000 (EST)
Subject: [Bug 349] There is no log of failed logins
Message-ID: <20020710092750.8E436E923@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=349

berry.perzon at nogui.se changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From berry.perzon at nogui.se  2002-07-10 19:27 -------
*** This bug has been marked as a duplicate of 145 ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Jul 10 19:27:58 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 10 Jul 2002 19:27:58 +1000 (EST) Subject: [Bug 145] sshd fails to increment AIX login failed counter Message-ID: <20020710092758.4066BE9A5@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=145 berry.perzon at nogui.se changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |berry.perzon at nogui.se ------- Additional Comments From berry.perzon at nogui.se 2002-07-10 19:27 ------- *** Bug 349 has been marked as a duplicate of this bug. *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jul 10 19:42:26 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 10 Jul 2002 19:42:26 +1000 (EST) Subject: [Bug 349] There is no log of failed logins Message-ID: <20020710094226.83E4EE925@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=349 ------- Additional Comments From dtucker at zip.com.au 2002-07-10 19:42 ------- The fix for this has already been committed to cvs and will be included in the next release. If you need a fix now, you can apply the patch http://bugzilla.mindrot.org/showattachment.cgi?attach_id=116 to 3.4p1 and recompile. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jul 10 20:03:57 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 10 Jul 2002 20:03:57 +1000 (EST)
Subject: [Bug 350] New: sshd leaks fd to pty for interactive sessions
Message-ID: <20020710100357.6AFBBE923@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=350

           Summary: sshd leaks fd to pty for interactive sessions
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: mindrot at extern.wiggy.net

Using OpenSSH 3.4p1 with publickey authentication I get an extra fd 10 to
the pty:

[tornado;~]-15> ssh localhost
[tornado;~]-1> ls -l /proc/467/fd
total 0
lrwx------    1 wichert  wichert        64 Jul 10 12:02 0 -> /dev/pts/3
lrwx------    1 wichert  wichert        64 Jul 10 12:02 1 -> /dev/pts/3
lrwx------    1 wichert  wichert        64 Jul 10 12:02 10 -> /dev/pts/3
lrwx------    1 wichert  wichert        64 Jul 10 12:02 2 -> /dev/pts/3

(467 being the pid of the shell created)

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Jul 10 20:10:38 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 10 Jul 2002 20:10:38 +1000 (EST)
Subject: [Bug 350] sshd leaks fd to pty for interactive sessions
Message-ID: <20020710101038.5C6ECE9AD@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=350

------- Additional Comments From mindrot at extern.wiggy.net  2002-07-10 20:10 -------
This happens with both privsep enabled and disabled.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Jul 10 20:40:23 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 10 Jul 2002 20:40:23 +1000 (EST)
Subject: [Bug 350] sshd leaks fd to pty for interactive sessions
Message-ID: <20020710104023.B41F2E923@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=350

------- Additional Comments From markus at openbsd.org  2002-07-10 20:40 -------
i get this with ksh(1) on OpenBSD, but not with rc(1), and ktrace suggests
that it's a fcntl with F_DUPFD done by ksh, so i think it's not sshd's
fault.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From gfhgfFSUucM at themail.com Thu Jul 11 10:37:37 2002
From: gfhgfFSUucM at themail.com (gfhgfFSUucM at themail.com)
Date: Wed, 10 Jul 2002 20:37:37 -0400
Subject: tonrer cartridges
Message-ID:

An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020710/bf52f288/attachment.html

From bugzilla-daemon at mindrot.org Wed Jul 10 21:44:59 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 10 Jul 2002 21:44:59 +1000 (EST)
Subject: [Bug 350] sshd leaks fd to pty for interactive sessions
Message-ID: <20020710114459.3C28EE91B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=350

------- Additional Comments From mindrot at extern.wiggy.net  2002-07-10 21:44 -------
More information: I get this with multiple different shells (bash and
zsh). I am also able to reproduce this with OpenSSH 3.0.2p1.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Wed Jul 10 21:54:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 10 Jul 2002 21:54:51 +1000 (EST) Subject: [Bug 350] sshd leaks fd to pty for interactive sessions Message-ID: <20020710115451.D4C84E91B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=350 ------- Additional Comments From markus at openbsd.org 2002-07-10 21:54 ------- did you try a non-jobcontrol shell? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jul 10 22:03:36 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 10 Jul 2002 22:03:36 +1000 (EST) Subject: [Bug 350] sshd leaks fd to pty for interactive sessions Message-ID: <20020710120336.B39B2E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=350 markus at openbsd.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Additional Comments From markus at openbsd.org 2002-07-10 22:03 ------- i can reproduce this on OpenBSD with ksh from the console, so it's not an OpenSSH bug. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From vinschen at redhat.com Wed Jul 10 22:07:58 2002 
From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 10 Jul 2002 14:07:58 +0200 Subject: [PATCH] Care for permissions of /var/empty in contrib/cygwin/ssh-host-config Message-ID: <20020710140758.F24137@cygbert.vinschen.de> Hi, the following patch explicitely sets the permissions on /var/empty to 755 when running the ssh-host-config script on Cygwin. I never thought it would be necessary but apparently there are actually users working with a umask of 0. Sigh. Corinna Index: contrib/cygwin/ssh-host-config =================================================================== RCS file: /cvs/openssh_cvs/contrib/cygwin/ssh-host-config,v retrieving revision 1.8 diff -u -p -r1.8 ssh-host-config --- contrib/cygwin/ssh-host-config 7 Jul 2002 21:07:47 -0000 1.8 +++ contrib/cygwin/ssh-host-config 10 Jul 2002 12:10:10 -0000 @@ -163,6 +163,7 @@ else # On NT change ownership of that dir to user "system" if [ $_nt -gt 0 ] then + chmod 755 /var/empty chown system.system /var/empty fi fi -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From mouring at etoh.eviladmin.org Wed Jul 10 23:02:24 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Wed, 10 Jul 2002 08:02:24 -0500 (CDT) Subject: [protois@ensea.fr: NVIDIA and Privilege Separation] In-Reply-To: <20020710073728.GU13515@citi.citi.umich.edu> Message-ID: I have no clue what he is talking about. I'm running Mandrake Cooker w/ NVIDIA and the defaly OpenSSH 3.4p1 package from Mandrake and it works just fine. - Ben On Wed, 10 Jul 2002, Niels Provos wrote: > Does someone understand this? I do not. > > Niels. > > ----- Forwarded message from laurent Protois ----- > > Subject: NVIDIA and Privilege Separation 
> From: laurent Protois > To: provos at citi.umich.edu > X-Mailer: Ximian Evolution 1.0.7-1mdk > Date: 10 Jul 2002 09:29:45 +0200 > > Hi Niels, > > i have a little problem with openssh 3.4 and Nvidia kernel driver: > > On all my machines openssh 3.4 deamon run ok, > except where NVIDIA kernel module (2960) had been install,sshd crash > saying : > > users Privilege Separation does not exist ... > > NVIDIA and "Privilege Separation" doesn't seems > to be compatible ??? > > Graham Short have noticed the problem too : > > I had "users Privilege Separation does not exist ..." too & I have an > Nvidia card. > > Fixed it by erasing sshd (rpm --erase ...) and then re-installing it. > > Don't know what the cause was & didn't know it was related to Nvidia, > but is working now on the latest RPM. > > Graham > > The packages i used are : > > NVIDIA_GLX-1.0-2960.i386.rpm > NVIDIA_kernel-1.0-2960.mdk82up.i586.rpm > openssh-3.4p1-1.1mdk.i586.rpm > > by today, i can't use drivers NVIDIA and openssh-3.4 together with > Privilege Separation on my Mandrake 8.2 machines. > > if you have an idea ? > Mandrake or Nvidia ? > > Thanks > > -- > ___________________________________________________________________ > Laurent Protois (Systemes & Reseaux) > Centre de Ressources Informatiques (CRI) de l'ENSEA > Ecole Nationale Sup?rieure de l'Electronique et de ses Applications > 6, avenue du Ponceau - 95014 Cergy Pontoise Cedex > tel: 01 30 73 66 26 fax: 01 30 73 66 67 > email: protois at ensea.fr web: http://www.ensea.fr > ___________________________________________________________________ > > ----- End forwarded message ----- > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From des at ofug.org Wed Jul 10 23:21:31 2002 
From: des at ofug.org (Dag-Erling Smorgrav) Date: 10 Jul 2002 15:21:31 +0200 Subject: New PAM kbd-int diff In-Reply-To: <20020705224954.GA32407@citi.citi.umich.edu> References: <1025577068.28700.22.camel@xenon> <20020705092338.GR32246@citi.citi.umich.edu> <20020705193327.GP32246@citi.citi.umich.edu> <20020705224954.GA32407@citi.citi.umich.edu> Message-ID: Niels Provos writes: > I asked because the OpenSSH code is two-clause, and for vendors to > adapt the code a two-clause license is better. Maybe you could ask the > client who is paying you to do the work, if a license change is > possible. They're not really happy about it, but will grant an exception for this case if you really can't accept a three-clause license. May I ask why you object so much to the third clause? DES -- Dag-Erling Smorgrav - des at ofug.org From tim at multitalents.net Wed Jul 10 23:49:24 2002 From: tim at multitalents.net (Tim Rice) Date: Wed, 10 Jul 2002 06:49:24 -0700 (PDT) Subject: [PATCH] Care for permissions of /var/empty in contrib/cygwin/ssh-host-config In-Reply-To: <20020710140758.F24137@cygbert.vinschen.de> Message-ID: On Wed, 10 Jul 2002, Corinna Vinschen wrote: > Hi, > > the following patch explicitely sets the permissions on /var/empty > to 755 when running the ssh-host-config script on Cygwin. I never > thought it would be necessary but apparently there are actually > users working with a umask of 0. Sigh. Is this patch needed? The current Makefile.in does (umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)) > > Corinna > > Index: contrib/cygwin/ssh-host-config > =================================================================== > RCS file: /cvs/openssh_cvs/contrib/cygwin/ssh-host-config,v > retrieving revision 1.8 > diff -u -p -r1.8 ssh-host-config > --- contrib/cygwin/ssh-host-config 7 Jul 2002 21:07:47 -0000 1.8 > +++ contrib/cygwin/ssh-host-config 10 Jul 2002 12:10:10 -0000 
> @@ -163,6 +163,7 @@ else > # On NT change ownership of that dir to user "system" > if [ $_nt -gt 0 ] > then > + chmod 755 /var/empty > chown system.system /var/empty > fi > fi > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From Must_Book at address.com Thu Jul 11 00:01:34 2002 
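Review bot: the new `chmod 755 /var/empty` is inside `if [ $_nt -gt 0 ]`, so the mode is only corrected on NT-class hosts, while the umask of 0 that motivates the change affects the directory's creation on any host the script runs on; moving the `chmod` up, ahead of the `if`, or creating the directory with `mkdir -m 755` at the point where the script makes it, covers both branches. Within the branch the order is right: the mode is fixed before ownership is handed to "system", and 755 satisfies the not-group-or-world-writable condition sshd enforces on its privilege separation directory at startup.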
From: Must_Book at address.com (Dr. Carter) Date: Wed, 10 Jul 2002 10:01:34 -0400 Subject: It is beneficial to your library & its patrons to have the book (Please suggest) Message-ID: <4190-22002731014134720@oemcomputer> Dear Sir/Ma'am: It is significantly beneficial to your library and its patrons to have a book titled "Complete Conduct Principles for the 21st Century" by Dr. John Newton. Please suggest to your local library(ies) that the book be purchased. This is a great contribution you can make to your neighborhood! "I find it heartening that you are crusading on behalf of this worthy book. It has occupied a space on our shelves for some time now. To have this book in our library is a quiet source of pride to me, the librarian." said Mr. Don Brusha, a highly respectable Librarian of Avon Park Library in Avon Park, Florida, USA, in a letter to me regarding the book. This book is a MUST for EVERYONE to be better prepared for personal conduct for the 21st century. EVERY LIBRARY SHOULD HAVE IT. You may ask yourself > How to make people respect you > How to win friends > How to let your conduct help your health, work, job, career, relationships, spirit, mind, well-being, ... > How to make your life smoother and happier > How to do whatever you like without being unpleasant to other people > How to develop good conduct in your children or students > How to make the world peaceful and better You (and the library patrons) can find all the answers to these questions, and much more, in this great book. BENEFITS to each individual reader: Many! -- such as for health, work, job, career, self-improvement, education, relationships, spirit, mind, well-being, and much more -- almost all the areas that are important to you in the 21st century. People around you will benefit, too. (Please see the preface of the book for details.) 
EVERYONE may find this book useful and helpful, regardless of age (from children to oldsters), occupation, rank, status, gender, religious beliefs, nationality, country, or region. If you are a parent or a teacher, you can learn how to develop good conduct in your children or students from this book. Please advise your children or students to read the book. It will result in great benefits for both you and them. The book's content is obvious from its title. The complete useful conduct principles cover not only what we should do, but also what we should not do -- especially those faults people make often and easily. "The book will also be effective for violence prevention for the whole society." said some experts. This timely, unique, and very important book is designed to suit most people, and is self-contained and user-friendly. This book is significantly different and better than competitive works. Some of its innovative contents may help solve problems that Western culture cannot. The book's merit and importance have been recognized and praised by many experts, elected public officials, and world leaders. How to make the world peaceful and better --- You (and the library patrons) can find the solution in the book. Let's work together to make the world peaceful and better! The author, John Newton, holds a Ph.D. from MIT, and does researches at Harvard. His long-term research on "The personal conduct in the human society of the 21st century" resulted in this book. It is published by Nicer Century World Organization, headquartered beside Harvard University and MIT, two leading institutes of new knowledge and literature. It has the Library of Congress Cataloging-in-Publication data. Trade hardcover (case bound, Smyth sewn; with dust jacket) ISBN 0967370574; trade paperback (perfect bound) ISBN 0967370582. Bound durably and functionally to stand up to heavy library use. 60 lb natural acid-free excellent and healthful paper. 5.5inX8.5in. 192 pages. 
Including Principle Index and General Index. Self-contained. Again, please suggest to your local library(ies) that the book be purchased. Your effort to make a great contribution to your family and neighborhood and the whole society will be highly appreciated. Sincerely yours, Tom Carter, Ph.D. President, Nicer Century World Organization Massachusetts, USA (Nicer Century World Organization is an educational, non-profit, non-partisan organization; it endeavors to make the 21st century nicer than ever before. To accomplish its mission, Nicer Century World Organization is proud to introduce this book.) From vinschen at redhat.com Thu Jul 11 00:16:35 2002 From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 10 Jul 2002 16:16:35 +0200 Subject: [PATCH] Care for permissions of /var/empty in contrib/cygwin/ssh-host-config In-Reply-To: References: <20020710140758.F24137@cygbert.vinschen.de> Message-ID: <20020710161635.G24137@cygbert.vinschen.de> On Wed, Jul 10, 2002 at 06:49:24AM -0700, Tim Rice wrote: > On Wed, 10 Jul 2002, Corinna Vinschen wrote: > > > Hi, > > > > the following patch explicitly sets the permissions on /var/empty > > to 755 when running the ssh-host-config script on Cygwin. I never > > thought it would be necessary but apparently there are actually > > users working with a umask of 0. Sigh. > > Is this patch needed? > The current Makefile.in does > (umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)) The Cygwin installation only installs the absolutely needed files. It doesn't install any directories. The host configuration is completely done by ssh-host-config. So either the script calls umask or chmod or mkdir -m, but one of them is needed. Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From tim at multitalents.net Thu Jul 11 00:40:58 2002
From: tim at multitalents.net (Tim Rice) Date: Wed, 10 Jul 2002 07:40:58 -0700 (PDT) Subject: [PATCH] Care for permissions of /var/empty in contrib/cygwin/ssh-host-config In-Reply-To: <20020710161635.G24137@cygbert.vinschen.de> Message-ID: OK, applied. On Wed, 10 Jul 2002, Corinna Vinschen wrote: > On Wed, Jul 10, 2002 at 06:49:24AM -0700, Tim Rice wrote: > > On Wed, 10 Jul 2002, Corinna Vinschen wrote: > > > > > Hi, > > > > > > the following patch explicitly sets the permissions on /var/empty > > > to 755 when running the ssh-host-config script on Cygwin. I never > > > thought it would be necessary but apparently there are actually > > > users working with a umask of 0. Sigh. > > > > Is this patch needed? > > The current Makefile.in does > > (umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)) > > The Cygwin installation only installs the absolutely needed files. > It doesn't install any directories. > > The host configuration is completely done by ssh-host-config. So > either the script calls umask or chmod or mkdir -m, but one of them > is needed. > > Corinna > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From markus at openbsd.org Thu Jul 11 01:26:17 2002
From: markus at openbsd.org (Markus Friedl) Date: Wed, 10 Jul 2002 17:26:17 +0200 Subject: With bounds checking patch for gcc-3.1 problems if using AES In-Reply-To: <20020709175948.GA29587@serv01.aet.tu-cottbus.de> References: <3D249F0C.90600@gmx.de> <3D2B3484.9000906@gmx.de> <20020709175948.GA29587@serv01.aet.tu-cottbus.de> Message-ID: <20020710152617.GB7480@folly> On Tue, Jul 09, 2002 at 07:59:48PM +0200, Lutz Jaenicke wrote: > > The line 105 in file openssl-0.9.6d/crypto/evp/evp_enc.c is (maybe) the > > problem.: > > > > memcpy(ctx->iv, ctx->oiv, EVP_CIPHER_CTX_iv_length(ctx)); ... > ctx->iv and ctx->oiv are members of evp_cipher_ctx_st (aka EVP_CIPHER_CTX), > located one after the other in memory. Both are of the size EVP_MAX_IV_LENGTH > which is 8 in 0.9.6x and 16 for 0.9.7 and later. If the length of the IV > is larger than 8 bytes, an overlapping memory copy may occur: > ... > #define RIJNDAEL_BLOCKSIZE 16 > rijndal_cbc.iv_len = RIJNDAEL_BLOCKSIZE; i think that OpenSSL should not do the copying for the IV, since OpenSSH's evp rijndael module handles the IV itself (this is _because_ older OpenSSL libs are limited to 8 byte IVs). what versions of OpenSSL do support EVP_CIPH_CUSTOM_IV? would it be appropriate to use this option? From markus at openbsd.org Thu Jul 11 01:35:35 2002
From: markus at openbsd.org (Markus Friedl) Date: Wed, 10 Jul 2002 17:35:35 +0200 Subject: With bounds checking patch for gcc-3.1 problems if using AES In-Reply-To: <20020710152617.GB7480@folly> References: <3D249F0C.90600@gmx.de> <3D2B3484.9000906@gmx.de> <20020709175948.GA29587@serv01.aet.tu-cottbus.de> <20020710152617.GB7480@folly> Message-ID: <20020710153535.GB23442@faui02> can you try something like this: folly% cvs diff -u cipher.c Index: cipher.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/cipher.c,v retrieving revision 1.60 diff -u -r1.60 cipher.c --- cipher.c 23 Jun 2002 03:26:52 -0000 1.60 +++ cipher.c 10 Jul 2002 15:36:29 -0000 @@ -525,7 +525,7 @@ rijndal_cbc.cleanup = ssh_rijndael_cleanup; rijndal_cbc.do_cipher = ssh_rijndael_cbc; rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | - EVP_CIPH_ALWAYS_CALL_INIT; + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; return (&rijndal_cbc); } #endif [1] From solidaridad at mundocooperante.org Thu Jul 11 01:49:07 2002 
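Review bot: EVP_CIPH_CUSTOM_IV is added to rijndal_cbc.flags unconditionally, while the previous message leaves open which OpenSSL versions define that macro; against an OpenSSL that lacks it, cipher.c will no longer compile. Suggest wrapping the addition in `#ifdef EVP_CIPH_CUSTOM_IV` (or a configure-time check) so that builds against 0.9.6x, where EVP_MAX_IV_LENGTH is 8 and the overlapping memcpy happens, still succeed, and a short comment next to the flag stating that ssh_rijndael_cbc manages the 16-byte IV itself, which is the reason the copy in evp_enc.c must be skipped.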
From: solidaridad at mundocooperante.org (solidaridad at mundocooperante.org) Date: 10 Jul 2002 10:49:07 -0500 Subject: =?ISO-8859-1?B?UG9zdHVsYWNp824gZGVsIFBhZHJlIE1hbm9sbyBkZSBOafFvcyBkZSBQYXBlbA==?= Message-ID: <200207101744.SM01432@mundocooperante.org>
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020710/b460baea/attachment.html From vinschen at redhat.com Thu Jul 11 02:37:56 2002 From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 10 Jul 2002 18:37:56 +0200 Subject: [PATCH] Care for permissions of /var/empty in contrib/cygwin/ssh-host-config In-Reply-To: References: <20020710161635.G24137@cygbert.vinschen.de> Message-ID: <20020710183756.H24137@cygbert.vinschen.de> On Wed, Jul 10, 2002 at 07:40:58AM -0700, Tim Rice wrote: > > OK, applied. Thanks! Corinna -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From bugzilla-daemon at mindrot.org Thu Jul 11 02:49:53 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 11 Jul 2002 02:49:53 +1000 (EST) Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1 Message-ID: <20020710164953.924A9E8FF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=338 ------- Additional Comments From anders+opensshbugs at totem.fix.no 2002-07-11 02:49 ------- Please try: Add in sshd_config: XAuthLocation /usr/openwin/bin/xauth And in ssh_config: Host * ForwardX11 yes ForwardAgent yes XAuthLocation /usr/openwin/bin/xauth ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From sfsQAdbSa at hotmail.com Thu Jul 11 18:20:03 2002 From: sfsQAdbSa at hotmail.com (sfsQAdbSa at hotmail.com) Date: Thu, 11 Jul 2002 04:20:03 -0400 Subject: tonrer cartridges Message-ID: An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020711/edee379d/attachment.html From bugzilla-daemon at mindrot.org Thu Jul 11 05:50:28 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 11 Jul 2002 05:50:28 +1000 (EST) Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1 Message-ID: <20020710195028.95714E8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=338 jrj at purdue.edu changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From jrj at purdue.edu 2002-07-11 05:50 ------- I figured out the problem. The real culprit is, of all things, the version of bash that Sun now releases. The ./configure script tries to find a "good" shell to use. On one of my machines (2.6) I had stupidly created a /bin/bash symlink and it found that ahead of /bin/ksh. On one of my Solaris 8 machines it found the Sun version. On all the others I had forced ./configure to use /bin/ksh or it found it first on its own. Those mismatches, of course, led to all sorts of confusion as it appeared to me xauth was running OK. In either case, bash is not capable of finding xauth properly with the code that's in ./configure. I added some debugging code and it does something like this: Looking for /bin/xauth Looking for /usr/bin/xauth Looking for /usr/local/bin/xauth ... Looking for /usr/openwin/bin:/bin:/usr/bin:/usr/local/bin:.../xauth It's clearly having trouble breaking $PATH apart, and, as luck would have it, the problem is with the last element, which is where it puts /usr/openwin/bin to look for xauth. Sigh. Bash was also causing me other problems, which is why on most of my machines I put "CONFIG_SHELL=/bin/ksh" in the ./configure environment. Had I remembered to do that everyplace, I wouldn't have gone down this twisty path. The other two solutions to this (--with-xauth and XAuthLocation) should both work, but only fix the xauth discovery issue. I'd be real suspicious of other things bash was messing up, though.
I tried to add some code to ssh.c to detect when xauth was missing, which might have speeded up diagnosing this, but it got more complicated than I wanted to spend time on. You don't appear to have a text file documenting OS specific issues, but I suggest a note someplace warning Solaris builders to stay away from bash. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From andreas at conectiva.com.br Thu Jul 11 06:36:44 2002 From: andreas at conectiva.com.br (Andreas Hasenack) Date: Wed, 10 Jul 2002 17:36:44 -0300 Subject: [protois@ensea.fr: NVIDIA and Privilege Separation] In-Reply-To: <20020710100305.I19869@greenie.muc.de> References: <20020710073728.GU13515@citi.citi.umich.edu> <20020710100305.I19869@greenie.muc.de> Message-ID: <20020710203643.GL6436@conectiva.com.br> On Wed, Jul 10, 2002 at 10:03:06AM +0200, Gert Doering wrote: > I don't... but I can verify that sshd with PrivSep works on a SuSE 8.0 > system with the SuSE NVIDIA drivers and the SuSE openssh packages. Works on my system (conectiva linux snapshot if somebody cares) too: openssh-3.4p1+privsep and nvidia kernel driver for a geforce2 From bugzilla-daemon at mindrot.org Thu Jul 11 08:14:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 11 Jul 2002 08:14:32 +1000 (EST) Subject: [Bug 351] New: wishlist: aliases in .ssh/config Message-ID: <20020710221432.94799E920@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=351 Summary: wishlist: aliases in .ssh/config Product: Portable OpenSSH Version: -current Platform: Other OS/Version: other Status: NEW Severity: enhancement Priority: P2 Component: ssh AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: hssnepole at tigerfood.org The problem: I've got access to several domains that get different ssh configuration options, such as Host *.someplace.com User felix ForwardX11 yes Host *.anotherplace.com User flee Spandex yes [etc...] which is simple enough, but then there are several hosts within each domain that I'd like to refer to with short aliases, which means adding many lines like Host z Hostname zymurgy.anotherplace.com which is also simple enough, but then each of these has to include all the options that I've specified for *.anotherplace.com too. This is more awkward and messy than I think it should be. Potential solution 1: I'd like a new config directive like "HostAlias X Y" which would be something like this: When I do "ssh z" and it sees the .ssh/config line HostAlias z zymurgy.anotherplace.com then it replaces its idea of the hostname with zymurgy.anotherplace.com and then continues scanning the config file for options pertaining to that. Potential solution 2: Add a new configuration directive "SeeAlsoHost X". When ssh processes that directive, it re-reads .ssh/config for settings that pertain to host X. This is more complicated than solution 1, but more general and maybe more useful. I haven't looked at implementing either of these. If nobody else does, I might get to it in a couple months. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. 
From kevin at atomicgears.com Fri Jul 12 07:41:56 2002 
From: kevin at atomicgears.com (Kevin Steves) Date: Thu, 11 Jul 2002 14:41:56 -0700 Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1 In-Reply-To: <20020710195028.95714E8EA@shitei.mindrot.org> References: <20020710195028.95714E8EA@shitei.mindrot.org> Message-ID: <20020711214156.GF2025@jenny.crlsca.adelphia.net> > ------- Additional Comments From jrj at purdue.edu 2002-07-11 05:50 ------- > I figured out the problem. cool, thanks! > The real culprit is, of all things, the version of bash that Sun now > releases. The ./configure script tries to find a "good" shell to use. > On one of my machines (2.6) I had stupidly created a /bin/bash symlink > and it found that ahead of /bin/ksh. On one of my Solaris 8 machines it > found the Sun version. On all the others I had forced ./configure to use > /bin/ksh or it found it first on its own. Those mismatches, of course, > led to all sorts of confusion as it appeared to me xauth was running OK. > > In either case, bash is not capable of finding xauth properly with the > code that's in ./configure. I added some debugging code and it does > something like this: > > Looking for /bin/xauth > Looking for /usr/bin/xauth > Looking for /usr/local/bin/xauth > ... > Looking for /usr/openwin/bin:/bin:/usr/bin:/usr/local/bin:.../xauth > > It's clearly having trouble breaking $PATH apart, and, as luck would > have it, the problem is with the last element, which is where it puts > /usr/openwin/bin to look for xauth. Sigh. that's a known problem with using autoconf 2.53. can someone bugzilla that? is it a bash problem or autoconf? > I tried to add some code to ssh.c to detect when xauth was missing, > which might have speeded up diagnosing this, but it got more complicated > than I wanted to spend time on. > > You don't appear to have a text file documenting OS specific issues, but I > suggest a note someplace warning Solaris builders to stay away from bash. perhaps something like this? 
Index: ssh.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/ssh.c,v retrieving revision 1.181 diff -u -r1.181 ssh.c --- ssh.c 3 Jul 2002 14:21:05 -0000 1.181 +++ ssh.c 11 Jul 2002 21:37:07 -0000 @@ -710,11 +710,16 @@ FILE *f; int got_data = 0, i; char *display; + struct stat st; *_proto = proto; *_data = data; proto[0] = data[0] = '\0'; - if (options.xauth_location && (display = getenv("DISPLAY"))) { + if (!options.xauth_location || + (stat(options.xauth_location, &st) == -1)) { + debug("No xauth program."); + } else { + display = getenv("DISPLAY"); /* Try to get Xauthority information for the display. */ if (strncmp(display, "localhost:", 10) == 0) /* @@ -748,6 +753,7 @@ if (!got_data) { u_int32_t rand = 0; + log("Warning: No xauth data; using fake authentication data for X11 forwarding."); strlcpy(proto, "MIT-MAGIC-COOKIE-1", sizeof proto); for (i = 0; i < 16; i++) { if (i % 4 == 0) From jrj at gandalf.cc.purdue.edu Fri Jul 12 09:58:13 2002 From: jrj at gandalf.cc.purdue.edu (John R. Jackson) Date: Thu, 11 Jul 2002 18:58:13 -0500 Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1 In-Reply-To: Your message of "Thu, 11 Jul 2002 14:41:56 MST." <20020711214156.GF2025@jenny.crlsca.adelphia.net> Message-ID: <200207112358.g6BNwDPq003387@gandalf.cc.purdue.edu> >... is it a bash problem or autoconf? It's bash. Ksh has no problem running ./configure and finding xauth, and as I mentioned, adding debugging statements clearly show it is messing up the for loop or the breaking apart of $PATH. However, I tried one quick minimized test case and it worked fine, so it's probably not a trivial/obvious thing to debug. >perhaps something like this? >... That's the (second :-) approach I was considering. Your patch looks fine to me without actually trying it. John R. Jackson, Technical Software Specialist, jrj at purdue.edu From tim at multitalents.net Fri Jul 12 10:11:04 2002 
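Review bot: In the first hunk, the new else branch assigns `display = getenv("DISPLAY");` without checking the result for NULL, whereas the removed condition `if (options.xauth_location && (display = getenv("DISPLAY")))` guarded against an unset DISPLAY; the unchanged `strncmp(display, "localhost:", 10)` that follows will then dereference a NULL pointer whenever the client runs without DISPLAY set. Suggest folding the check into the new condition, e.g. `|| (display = getenv("DISPLAY")) == NULL`, with its own debug message so a missing DISPLAY is distinguishable from a missing xauth binary.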
From: tim at multitalents.net (Tim Rice) Date: Thu, 11 Jul 2002 17:11:04 -0700 (PDT) Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1 In-Reply-To: <200207112358.g6BNwDPq003387@gandalf.cc.purdue.edu> Message-ID: On Thu, 11 Jul 2002, John R. Jackson wrote: > >... is it a bash problem or autoconf? > > It's bash. Ksh has no problem running ./configure and finding xauth, I say it's an autoconf problem. We've had multiple reports of problems with configure generated by autoconf 2.53. I've personally experienced other problems with configure scripts generated by autoconf 2.53. The most annoying one was configure failing when the source tree was read only. > and as I mentioned, adding debugging statements clearly show it is > messing up the for loop or the breaking apart of $PATH. > > However, I tried one quick minimized test case and it worked fine, > so it's probably not a trivial/obvious thing to debug. -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From kevin at atomicgears.com Fri Jul 12 10:08:34 2002
From: kevin at atomicgears.com (Kevin Steves) Date: Thu, 11 Jul 2002 17:08:34 -0700 Subject: default socket buffer length In-Reply-To: <3D2B543E.13E7AD11@cray.com> References: <3D2B543E.13E7AD11@cray.com> Message-ID: <20020712000834.GJ2025@jenny.crlsca.adelphia.net> On Tue, Jul 09, 2002 at 04:23:10PM -0500, Wendy Palm wrote: > i have a site that needs to increase the socket buffer size. > this is something i really don't know much about, myself. > > they need to increase it to at least 300k to get decent performance > (specifically for scp). > > what is the current default & are there any known ramifications > to increasing it? default and maximum depend on OS, and may be tunable there. we don't set SO_RCVBUF/SO_SNDBUF now. it's something that should be looked into in terms of bulk transfer speedups, but i'm not sure if there's a general strategy we should use, for example trying to raise it to some value in some or all cases, that will be appropriate for most platforms. that vs. just adding tunables, which we'd like to avoid. there's more Nagle work to do as well. From kevin at atomicgears.com Fri Jul 12 10:19:47 2002 
From: kevin at atomicgears.com (Kevin Steves) Date: Thu, 11 Jul 2002 17:19:47 -0700 Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1 In-Reply-To: References: <200207112358.g6BNwDPq003387@gandalf.cc.purdue.edu> Message-ID: <20020712001947.GK2025@jenny.crlsca.adelphia.net> On Thu, Jul 11, 2002 at 05:11:04PM -0700, Tim Rice wrote: > > >... is it a bash problem or autoconf? > > > > It's bash. Ksh has no problem running ./configure and finding xauth, > > I say it's an autoconf problem. We've had multiple reports of problems > with configure generated by autoconf 2.53. I've personally experienced > other problems with configure scripts generated by autoconf 2.53. > The most annoying one was configure failing when the source tree was > read only. either way, let's figure out a fix/workaround for the next release because this is biting many people. have autoconf bugs been filed? using 2.52 is not the right long-term answer. From tim at multitalents.net Fri Jul 12 10:29:37 2002
From: tim at multitalents.net (Tim Rice) Date: Thu, 11 Jul 2002 17:29:37 -0700 (PDT) Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1 In-Reply-To: <20020712001947.GK2025@jenny.crlsca.adelphia.net> Message-ID: On Thu, 11 Jul 2002, Kevin Steves wrote: > On Thu, Jul 11, 2002 at 05:11:04PM -0700, Tim Rice wrote: > > > >... is it a bash problem or autoconf? > > > > > > It's bash. Ksh has no problem running ./configure and finding xauth, > > > > I say it's an autoconf problem. We've had multiple reports of problems > > with configure generated by autoconf 2.53. I've personally experienced > > other problems with configure scripts generated by autoconf 2.53. > > The most annoying one was configure failing when the source tree was > > read only. > > either way, let's figure out a fix/workaround for the next release Agreed > because this is biting many people. have autoconf bugs been filed? I don't know. I have not filed any. > using 2.52 is not the right long-term answer. > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From abcde7 at SoftHome.net Fri Jul 12 10:36:08 2002 From: abcde7 at SoftHome.net (abcde7) Date: Fri, 12 Jul 2002 09:36:08 +0900 Subject: =?ISO-2022-JP?B?GyRCOS1FZyEhRiNFRE06OzM5LUVnOClDTjt2GyhC?= =?ISO-2022-JP?B?GyRCJE44NSRHJE42MiRtJDckJE9DISM5VEAvGyhC?= =?ISO-2022-JP?B?GyRCQUo+WSROPEJCThsoQg==?= Message-ID: <0712102093608.166@VAIO-AL2SJAOY51> From drosih at rpi.edu Fri Jul 12 13:37:04 2002
From: drosih at rpi.edu (Garance A Drosihn) Date: Thu, 11 Jul 2002 23:37:04 -0400 Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1 In-Reply-To: <20020711214156.GF2025@jenny.crlsca.adelphia.net> References: <20020710195028.95714E8EA@shitei.mindrot.org> <20020711214156.GF2025@jenny.crlsca.adelphia.net> Message-ID: At 2:41 PM -0700 7/11/02, Kevin Steves wrote: > > ------- Additional Comments From jrj at purdue.edu 2002-07-11 05:50 ------- > > In either case, bash is not capable of finding xauth properly > > with the code that's in ./configure. I added some debugging > > code and it does something like this: > > >> Looking for /bin/xauth >> Looking for /usr/bin/xauth >> Looking for /usr/local/bin/xauth >> ... >> Looking for /usr/openwin/bin:/bin:/usr/bin:/usr/local/bin:.../xauth >> > > It's clearly having trouble breaking $PATH apart, and, as luck > > would have it, the problem is with the last element, which is > > where it puts /usr/openwin/bin to look for xauth. Sigh. > >that's a known problem with using autoconf 2.53. can someone bugzilla >that? is it a bash problem or autoconf? I only skim through this mailing list, but I do remember running into a "similar-sounding" bug in autoconf at one point. I do not know if this is relevant to the above problem, but here's some comments I wrote at the time:
dnl - we found that the last parameter to AC_PATH_PROGS has to be
dnl - a variable ref (ie, $SNDPATH). If you want to add paths to
dnl - a variable (like PATH), you can't just append those extra
dnl - paths to the parameter specified on AC_PATH_PROGS, or the
dnl - script generated will not work with some versions of /bin/sh
SNDPATH=$PATH:/usr/sbin:/usr/demo/SOUND
AC_PATH_PROGS(SNDCMD,sndplay sfplay play,/bin/true,$SNDPATH)
I think the problematic version had been doing:
AC_PATH_PROGS(SNDCMD,sndplay sfplay play,/bin/true, $PATH:/usr/sbin:/usr/demo/SOUND)
Apologies if this is totally irrelevant to the xauth problem...
-- Garance Alistair Drosehn = gad at gilead.netel.rpi.edu Senior Systems Programmer or gad at freebsd.org Rensselaer Polytechnic Institute or drosih at rpi.edu From jrj at gandalf.cc.purdue.edu Fri Jul 12 13:52:05 2002 
From: jrj at gandalf.cc.purdue.edu (John R. Jackson) Date: Thu, 11 Jul 2002 22:52:05 -0500 Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1 In-Reply-To: Your message of "Thu, 11 Jul 2002 17:19:47 MST." <20020712001947.GK2025@jenny.crlsca.adelphia.net> Message-ID: <200207120352.g6C3q5Pq004609@gandalf.cc.purdue.edu> >either way, let's figure out a fix/workaround for the next release >because this is biting many people. have autoconf bugs been filed? >using 2.52 is not the right long-term answer. Oh, fine. :-) I spent another hour or so looking at the problem and found a way around this at the autoconf level. Bash has a problem with this construct:
as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH:/usr/X/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/openwin/bin
do
  IFS=$as_save_IFS
  ...
The first thing I noticed was that ./configure is very carefully *not* using ':' as the PATH separator (damned Windows machines :-). That's one problem that I'll bet *nobody* is thinking about (and is mis-documented in the autoconf stuff). The second problem (that I think is bash's fault) is that it's apparently not expanding $PATH:x:y:z properly after the IFS change (as a guess). In any case, the following patch appears to solve the problem on my Solaris systems. It should obviously undergo significant testing elsewhere. In addition to (hopefully) fixing the PATH problem, it removes some odd looking code about explicitly setting xauth_path to /usr/openwin/bin/xauth. It shouldn't be needed if the other code is working (maybe it was a previous workaround attempt to this problem?), unless I misunderstood something (not that that ever happens :-). Bash still doesn't work right on my systems (it reports a syntax error running ./config.sub that you release from automake). If I get a few more minutes sometime I'll try to figure that one out, too. JJ -------------- next part -------------- A non-text attachment was scrubbed...
Name: not available Type: application/octet-stream Size: 1411 bytes Desc: autoconf-PATH-patch Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020711/648fae7c/attachment.obj From benny at bennyvision.com Fri Jul 12 14:53:05 2002 
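An added shell illustration (not autoconf's or OpenSSH's own code) of the two things discussed above: the IFS-switched `for` loop that configure uses to walk the search path, and Garance's workaround of assembling the complete list into a variable before the loop instead of expanding `$PATH:dir:dir` on the `for` line itself. The function names, the X11 directory tail, and the sample directories used in the self-check are assumptions for the illustration.

```shell
#!/bin/sh
# Added illustration, not autoconf or OpenSSH code.

# count_path_elements LIST
# Splits LIST on ':' the same way the configure loop does and prints how
# many elements the for loop actually saw. A shell that mishandles the
# construct reports fewer than expected (the thread saw one giant trailing
# element instead of separate directories).
count_path_elements() {
    save_ifs=$IFS
    IFS=:
    n=0
    for _el in $1; do
        IFS=$save_ifs
        n=$((n + 1))
    done
    IFS=$save_ifs
    echo "$n"
}

# find_in_path PROG PATHLIST
# Prints the first executable PROG found in PATHLIST followed by the X11
# directories configure also checks; returns 1 when none is found.
find_in_path() {
    prog=$1
    # Workaround from the thread: build the whole list in a variable and
    # loop over that, rather than writing "$2:/usr/X/bin:..." in the for
    # line, which some shells expand incorrectly once IFS has changed.
    search_list="$2:/usr/X/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/openwin/bin"
    save_ifs=$IFS
    IFS=:
    for dir in $search_list; do
        IFS=$save_ifs
        [ -n "$dir" ] || dir=.           # an empty element means "."
        if [ -f "$dir/$prog" ] && [ -x "$dir/$prog" ]; then
            printf '%s\n' "$dir/$prog"
            return 0
        fi
    done
    IFS=$save_ifs
    return 1
}

# Stand-alone run: report whether this shell splits correctly, then look
# for xauth the way configure does.
if [ "$(count_path_elements /bin:/usr/bin:/usr/openwin/bin)" -eq 3 ]; then
    echo "PATH splitting under IFS=: works in this shell"
else
    echo "PATH splitting under IFS=: is broken in this shell"
fi
find_in_path xauth "$PATH" || echo "xauth: not found in PATH" >&2
```

Running the script under a suspect shell (`CONFIG_SHELL`-style, e.g. `bash ./probe.sh` versus `ksh ./probe.sh`) shows directly whether that shell is the one breaking the loop.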
From: benny at bennyvision.com (C. Bensend) Date: Thu, 11 Jul 2002 23:53:05 -0500 (CDT) Subject: Building 3.4p1 on HP-UX 11.00, gcc, zlib 1.1.4, OpenSSL 0.9.6d Message-ID: Hey folks, I am having a devil of a time compiling 3.4p1 on HP-UX 11.00. I'm running gcc 2.95.2, OpenSSL 0.9.6d, and zlib 1.1.4. I have two questions, but here's the first... I am getting the dreaded: *** zlib missing - please install first or check config.log *** error when running configure, no matter what options I give it. --with-zlib doesn't help at all - I've tried it with two different installations of zlib in two different places, and it's ignored them both. I did make sure to clean up the old zlib before I installed the new, so I don't think it's a problem with the different versions. Why is '--with-zlib' ignoring my wishes? And yes, I did a 'make clean' and/or 'make distclean'. :) ls -l /usr/lib/libz* -rwxr-xr-x 1 root root 85856 Jul 11 21:07 /usr/lib/libz.a* It finds the new OpenSSL installation just fine. *boggle* My second question has to do with compiling OpenSSH statically. I have set my CFLAGS env variable to be "-static", I have used the '--enable-static=yes' option to configure, and I have even gone so far as to modify the Makefile and openbsd-compat/Makefile to include '-static' in the CFLAGS, but every time it has compiled dynamically. Don't ask me why it compiled several times and not others - I don't know the answer to that question... I have been experimenting with 'make clean' and 'make distclean' to make sure I didn't bork something in the source, so I'm not sure what I did differently. Either way, even when it did build, it didn't build statically. I did search the mailing list archives, as well as googling for answers, and I haven't found anything yet. If someone could take a few minutes to help me, I'd appreciate it very much. :) Benny ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Always carry a short length of fibre-optic cable. 
If you get lost, then you can drop it on the ground, wait ten minutes, and ask the backhoe operator how to get back to civilization. -Alan Frame From tim at multitalents.net Fri Jul 12 15:20:34 2002 From: tim at multitalents.net (Tim Rice) Date: Thu, 11 Jul 2002 22:20:34 -0700 (PDT) Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1 In-Reply-To: <200207120352.g6C3q5Pq004609@gandalf.cc.purdue.edu> Message-ID: On Thu, 11 Jul 2002, John R. Jackson wrote: > Oh, fine. :-) I spent another hour or so looking at the problem and > found a way around this at the autoconf level. Cool, I'll look at it this weekend. > In addition to (hopefully) fixing the PATH problem, it removes > some odd looking code about explicitly setting xauth_path to > /usr/openwin/bin/xauth. It shouldn't be needed if the other code is > working (maybe it was a previous workaround attempt to this problem?), > unless I misunderstood something (not that that ever happens :-). > The odd looking code about explicitly setting xauth_path to /usr/openwin/bin/xauth is because it first finds an xauth that is in a directory that is a symbolic link to /usr/openwin -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From RBlahut at aol.com Fri Jul 12 17:39:03 2002 From: RBlahut at aol.com (RBlahut at aol.com) Date: Fri, 12 Jul 2002 03:39:03 EDT Subject: specifying passphrase on command line Message-ID: i hope this is correct forum, but i've modified the openssh-3.4p1 so that a -z option can be used to specify a passphrase on a command line. i'm sure that there several good (security) reasonz not to do it, but i can think of at least 2 reasonz why i would want it. would my modificationz be worthy of submission as an optional patch or as configure option? if not, may i post my changez on my own web site? thank u for ur time! randy blahut rblahut at aol.com From dmeranda at iac.net Fri Jul 12 17:54:29 2002
From: dmeranda at iac.net (Deron Meranda) Date: Fri, 12 Jul 2002 03:54:29 -0400 (EDT) Subject: HP-UX slow login problem found? Message-ID: <200207120754.g6C7sUCX078943@iac.net> I think I finally figured out the problem that many people have been having with extremely long login times under HP-UX 11.x. The problem is really in OpenSSL, and in particular the Diffie-Hellman parameter generation routines under the PA-RISC processor. I suspect this may not be a problem with the IA64 (Itanium) processors. This especially shows up if you use the gcc compiler. Fortunately I have access to Rational Quantify, a very powerful profiler which led me down to just a few lines of assembly code causing almost the whole delay. I finally have an ssh/sshd executable under HP which logs in almost instantaneously. I wouldn't consider this a complete solution yet, especially if you don't have access to HP's ANSI C compiler, and I haven't thoroughly tested this whole configuration. But this information may still prove quite useful. I'm using the latest of everything...
OpenSSH 3.4p1
OpenSSL 0.9.7 Beta 2
libz 1.1.4
gcc 3.1 (using gas from binutils 2.12.1)
HP ANSI C compiler (version B.11.01.06)
Although this is a 64-bit OS, I'm compiling everything in 32-bit mode. I'm running on a 9000/L2000-44 under HP-UX 11.0. This is a two-processor 440MHz PA-RISC 2.0 system. If you only have a PA-RISC 1.x processor I think you may still be out of luck?? You can check your processor version by running the command "getconf CPU_VERSION". If it returns 532 or higher you have a 2.0 processor. There are basically two extremely slow routines in OpenSSL which show up if you compile it "out of the box": RSA operations and DH parameter generation. You can test how fast these are with the following...
$ openssl speed rsa          # tests all RSA operations
$ openssl dhparam -text 128  # generates DH parameters (128-bit)
The RSA test is pretty accurate--you can compare this with other systems like Linux on a PC.
The DH test is unfortunately very random..some runs will be quick and others slow. You'll have to run it many times and with different bit sizes to guage how slow it is. Again, comparing to a Linux box may be useful. You will almost defintely see the HP version being much slower than Linux/Intel (on Pentium3/Athlon). This is because in practice the Intel chips seem to have much faster integer performance; whereas the PA-RISC is much faster with floating point. Unfortunately for you, most crypto is integer based. Just to give you a comparison point, here's my numbers (after optimizing it as described below)... sign verify sign/s verify/s rsa 512 bits 0.0023s 0.0002s 432.2 5402.4 rsa 1024 bits 0.0094s 0.0005s 106.8 2132.8 rsa 2048 bits 0.0519s 0.0014s 19.3 690.2 rsa 4096 bits 0.3258s 0.0049s 3.1 203.4 Without my changes, even with gcc -O3, my speeds were about 100 times slower! The DH speed is much harder to measure, but it was definitely real slow with the gcc compiled version. Okay, what's going on inside the OpenSSL code.... there are two small functions which are responsible for about 95% of the CPU clock cycles. These are bn_mul_add_words() in the file crypto/bn/bn_asm.c and the function BN_mod_word() in the file crypto/bn/bn_word.c. The first is responsible for the miserable RSA speeds, and the later for the horrible DH speeds. I'll discuss how to speed each of these up separately. The bn_mul_add_words() function is by default implemented in the file bn_asm.c. However, neither the gcc or HP C compiler seem to be able to optimize that implementation very well. As that function can be called thousands if not millions of times, every last clock cycle is extremely important. Fortunately there is some hand-crafted assembly code in an alternate implementation. It can be found in the OpenSSL distribution in the file crypto/bn/asm/pa-risc2.s. You need to use that file instead of the generic bn_asm.c file. 
However, there are some restrictions...that file only works with HP's assembler (not gas), only on PA-RISC 2.0 systems, and it is not relocatable/PIC (can't be used in a shared library). I haven't completely figured out OpenSSL's non-standard configure scripts. But it is easy enough to just assemble it yourself and then replace that object in the libcrypto.a library. ar d libcrypto.a bn_asm.o ar r libcrypto.a pa-risc2.o ranlib libcrypt.a Then relink the openssl executable. Rerun your RSA speed test..hopefully the results should be very pleasant. Now, for the Diffie-Hellman part (the primary reason for SSH slowness). There is no assembly version of the bn_word.c file. And unfortunately gcc's optimizer, even with gcc 3.1 and with -O3 and -march=2.0, is pretty poor. This basically is because gcc invokes some millicode routines to do the 64-bit modulus "%" operation. I've found though that HP's ANSI C compiler with the correct optimization arguments is able to produce some PA-RISC 2.0 specific instructions which make it very fast in comparison (say by 100 clock cycles). cc +O3 +ESlit +DA2.0 +DS2.0 -Ae \ -DOPENSSL_THREADS -D_REENTRANT -DDSO_DL -DOPENSSL_NO_KRB5 \ -I/opt/gnu/include \ -DOPENSSL_NO_RC5 -DOPENSSL_NO_IDEA -D_REENTRANT \ -DB_ENDIAN -DMD32_XARRAY -c bn_word.c -o bn_word.o Also throw in +Z if you're trying to make a shared library (but see note about pa-risc2.s file above). Except for those two files (pa-risc2.s and bn_word.c), you can use gcc for everything else. I've been using gcc 3.1, with -O3 -march=2.0 Now, if all goes well, you'll have a new libcrypto.a. Compile and link OpenSSH against that one and you should see fast logins, finally! Note, both the server (sshd) and the client (ssh) need to be recompiled/relinked, as both generate their half of the DH parameters. Deron Meranda From bugzilla-daemon at mindrot.org Fri Jul 12 17:59:10 2002 
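To make concrete which operations Deron's profile singles out, here is an added C example. It is not code from his post and not OpenSSL's bn_asm.c or bn_word.c: it reimplements the two hot routines he names over 32-bit limbs under names of our own, bn_mul_add_words_demo() and bn_mod_word_demo(), and then runs the kind of small-prime trial-division loop that DH parameter generation drives through BN_mod_word(). The `(dlimb_t)ap[i] * w` multiply and the 64-bit `%` inside the loops are the spots a compiler has to turn into native PA-RISC 2.0 instructions rather than millicode calls for the speeds above to be reachable. The limb width, the prime list and the sample numbers are assumptions made for this demo, not OpenSSL's.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not from Deron Meranda's post nor OpenSSL's own bn_asm.c /
 * bn_word.c: the two hot routines he names, rewritten over 32-bit limbs
 * (little-endian: a[0] is least significant). Names, the limb width and the
 * sieve's prime list are assumptions made for this demo. */

typedef uint32_t limb_t;    /* one "word" of a big number */
typedef uint64_t dlimb_t;   /* double width: holds a limb * limb product */

/* rp[0..n) += ap[0..n) * w; returns the carry limb out of the top.
 * This is the inner loop of schoolbook multiplication that RSA's modular
 * exponentiation calls millions of times: one 32x32->64 multiply and two
 * additions per limb. The product plus both addends cannot overflow 64 bits:
 * (2^32-1)^2 + 2*(2^32-1) = 2^64 - 1. */
limb_t bn_mul_add_words_demo(limb_t *rp, const limb_t *ap, size_t n, limb_t w)
{
    dlimb_t carry = 0;
    for (size_t i = 0; i < n; i++) {
        dlimb_t t = (dlimb_t)ap[i] * w + rp[i] + carry;
        rp[i] = (limb_t)t;
        carry = t >> 32;
    }
    return (limb_t)carry;
}

/* Remainder of a[0..n) modulo a single limb w, scanning from the most
 * significant limb: each step is one 64-bit-by-32-bit "%", the expression
 * the post found gcc compiling into a millicode call on PA-RISC.
 * Returns (limb_t)-1 for w == 0, the usual convention of a word-returning
 * API that has no separate status channel. */
limb_t bn_mod_word_demo(const limb_t *a, size_t n, limb_t w)
{
    if (w == 0)
        return (limb_t)-1;
    dlimb_t r = 0;
    for (size_t i = n; i-- > 0; )
        r = ((r << 32) | a[i]) % w;  /* r < w, so the dividend is < w * 2^32 */
    return (limb_t)r;
}

/* Trial division against a few small primes, the kind of loop DH parameter
 * generation runs once per candidate: one full bn_mod_word pass per prime.
 * Returns 1 if no listed prime divides a, 0 otherwise. */
int passes_small_prime_sieve(const limb_t *a, size_t n)
{
    static const limb_t primes[] = {3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37};
    for (size_t i = 0; i < sizeof primes / sizeof primes[0]; i++)
        if (bn_mod_word_demo(a, n, primes[i]) == 0)
            return 0;
    return 1;
}

/* Self-check for the multiply-accumulate: (2^64 - 1) * (2^32 - 1), worked by
 * hand, is 0xFFFFFFFE_FFFFFFFF_00000001. Returns 1 when the result limbs and
 * the carry match that value. */
int check_mul_add_example(void)
{
    limb_t a[2] = {0xFFFFFFFFu, 0xFFFFFFFFu};   /* constructed: 2^64 - 1 */
    limb_t r[2] = {0, 0};
    limb_t top = bn_mul_add_words_demo(r, a, 2, 0xFFFFFFFFu);
    return r[0] == 0x00000001u && r[1] == 0xFFFFFFFFu && top == 0xFFFFFFFEu;
}

int main(void)
{
    /* constructed samples: 2^64 + 1 = 274177 * 67280421310721 has no factor
     * below 37, so the sieve lets it through; 2^32 - 1 = 3 * 5 * 17 * 257 *
     * 65537 is caught on the very first prime. */
    const limb_t f6[3] = {1, 0, 1};
    const limb_t m32[1] = {0xFFFFFFFFu};
    printf("mul-add self-check: %s\n", check_mul_add_example() ? "ok" : "FAILED");
    printf("(2^64+1) mod 7 = %u\n", (unsigned)bn_mod_word_demo(f6, 3, 7));
    printf("2^64+1 passes sieve: %d\n", passes_small_prime_sieve(f6, 3));
    printf("2^32-1 passes sieve: %d\n", passes_small_prime_sieve(m32, 1));
    return 0;
}
```

Counting the work is the point: a 1024-bit DH candidate is 32 limbs, so each prime in the sieve costs 32 of those 64-bit `%` operations, and the sieve runs again for every candidate until one survives, which is why a slow modulus dominates the login delay while the RSA path is dominated by the multiply-accumulate.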
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 12 Jul 2002 17:59:10 +1000 (EST) Subject: [Bug 352] New: UTMP does not seem to be updated on logout Message-ID: <20020712075910.B47DCE975@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=352 Summary: UTMP does not seem to be updated on logout Product: Portable OpenSSH Version: -current Platform: HPPA OS/Version: HP-UX Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: Lutz.Jaenicke at aet.TU-Cottbus.DE Since I have installed 3.[34]p1 with privsep on HP-UX 10.20, UTMP entries seem not to record the logout anymore, so that "who" prints misleading entries. It seems, that WTMP is not touched by this problem, as "last" gives the expected output. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From markus at openbsd.org Fri Jul 12 20:43:30 2002 From: markus at openbsd.org (Markus Friedl) Date: Fri, 12 Jul 2002 12:43:30 +0200 Subject: With bounds checking patch for gcc-3.1 problems if using AES In-Reply-To: <20020710153535.GB23442@faui02> References: <3D249F0C.90600@gmx.de> <3D2B3484.9000906@gmx.de> <20020709175948.GA29587@serv01.aet.tu-cottbus.de> <20020710152617.GB7480@folly> <20020710153535.GB23442@faui02> Message-ID: <20020712104330.GA27317@folly> did anyone check this? On Wed, Jul 10, 2002 at 05:35:35PM +0200, Markus Friedl wrote: > can you try something like this: > > folly% cvs diff -u cipher.c > Index: cipher.c > =================================================================== > RCS file: /cvs/src/usr.bin/ssh/cipher.c,v > retrieving revision 1.60 > diff -u -r1.60 cipher.c > --- cipher.c 23 Jun 2002 03:26:52 -0000 1.60 > +++ cipher.c 10 Jul 2002 15:36:29 -0000 
> @@ -525,7 +525,7 @@ > rijndal_cbc.cleanup = ssh_rijndael_cleanup; > rijndal_cbc.do_cipher = ssh_rijndael_cbc; > rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | > - EVP_CIPH_ALWAYS_CALL_INIT; > + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; > return (&rijndal_cbc); > } > #endif > [1] > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From dtucker at zip.com.au Fri Jul 12 20:52:20 2002 From: dtucker at zip.com.au (Darren Tucker) Date: Fri, 12 Jul 2002 20:52:20 +1000 Subject: Building 3.4p1 on HP-UX 11.00, gcc, zlib 1.1.4, OpenSSL 0.9.6d References: Message-ID: <3D2EB4E4.CD33951B@zip.com.au> "C. Bensend" wrote: > I am having a devil of a time compiling 3.4p1 on HP-UX > 11.00. I'm running gcc 2.95.2, OpenSSL 0.9.6d, and zlib 1.1.4. > I have two questions, but here's the first... I am getting the dreaded: > > *** zlib missing - please install first or check config.log *** I realise this might be stating the blindingly obvious, but what did config.log say? My guess is you're missing the zlib header files. $ sudo rm /usr/local/include/zlib.h /usr/local/include/zconf.h $ ./configure [snip] configure: error: *** zlib missing - please install first or check config.log *** -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From jrj at gandalf.cc.purdue.edu Fri Jul 12 23:18:14 2002 
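Review bot: the one-line change to rijndal_cbc.flags in this hunk adds EVP_CIPH_CUSTOM_IV without a comment saying why it is needed; add one stating that ssh_rijndael_cbc keeps and advances the IV itself, so OpenSSL's EVP init path must not memcpy the caller's IV into the EVP_CIPHER_CTX (the copy that the bounds-checking build reported, as the follow-ups in this thread explain). Also confirm that EVP_CIPH_CUSTOM_IV is defined in the oldest OpenSSL this tree is built against (0.9.6d and 0.9.7 both appear on this list), or wrap the new flag in a preprocessor guard, since an undefined flag macro turns this one-liner into a build break for everyone on the older headers.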
From: jrj at gandalf.cc.purdue.edu (John R. Jackson)
Date: Fri, 12 Jul 2002 08:18:14 -0500
Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1
In-Reply-To: Your message of "Thu, 11 Jul 2002 22:20:34 MST."
Message-ID: <200207121318.g6CDIFPq010056@gandalf.cc.purdue.edu>

>The odd looking code about explicitly setting xauth_path to
>/usr/openwin/bin/xauth is because it first finds an xauth that
>is in a directory that is a symbolic link to /usr/openwin

So? What's wrong with that?

If I had specifically installed X11R6 on my Solaris system and was using
that, the code would ignore the "correct" X11R6 xauth it found in favor
of /usr/openwin/bin. That seems wrong.

Put another way, if /usr/openwin/xauth exists, why bother searching for
xauth at all? The old code is going to force it to that anyway. It might
as well have been:

  if test -x /usr/openwin/bin/xauth ; then
    xauth_path="/usr/openwin/bin/xauth"
  else
    ...
    AC_PATH_PROG(xauth_path, xauth, , $TestPath)
  fi

Seems to me the code should trust the builder to have set up PATH
properly (just one of the bajillion things you're expected to know if you
run ./configure yourself). If it finds the "wrong" xauth, the builder
needs to either change PATH or use --with-xauth. I have to do that all
the time (and expect to need to) with other packages that find things I
have symlinked out of my own home directory ~/bin.

Note that this is a different case than the original problem of not
finding xauth at all when the code should have.

>Tim Rice

JJ

From gert at greenie.muc.de  Fri Jul 12 23:50:42 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 12 Jul 2002 15:50:42 +0200
Subject: With bounds checking patch for gcc-3.1 problems if using AES
In-Reply-To: <20020712104330.GA27317@folly>; from markus@openbsd.org on Fri, Jul 12, 2002 at 12:43:30PM +0200
References: <3D249F0C.90600@gmx.de> <3D2B3484.9000906@gmx.de> <20020709175948.GA29587@serv01.aet.tu-cottbus.de> <20020710152617.GB7480@folly> <20020710153535.GB23442@faui02> <20020712104330.GA27317@folly>
Message-ID: <20020712155041.D17492@greenie.muc.de>

Hi,

On Fri, Jul 12, 2002 at 12:43:30PM +0200, Markus Friedl wrote:
> did anyone check this?

I tried it, but it doesn't solve my problem (and thinking about it, there
is no way it could).

My problem is this:

gert at moebius:/tmp$ ssh-keygen -t dsa -f /tmp/dsa-key -N ""
Generating public/private dsa key pair.
Your identification has been saved in /tmp/dsa-key.
Memory fault
gert at moebius:/tmp$ ssh-keygen -t rsa -f /tmp/rsa-key -N ""
Generating public/private rsa key pair.
Your identification has been saved in /tmp/rsa-key.
Memory fault
gert at moebius:/tmp$ ls -l *sa-key*
-rw-------  1 gert  wheel  668 Jul 12 15:47 dsa-key
-rw-r--r--  1 gert  wheel    0 Jul 12 15:47 dsa-key.pub
-rw-------  1 gert  wheel  887 Jul 12 15:47 rsa-key
-rw-r--r--  1 gert  wheel    0 Jul 12 15:47 rsa-key.pub

Same problem in ssh:

gert at moebius:/tmp$ ssh -v -2 moebius2
...
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'moebius2 (195.30.1.100)' can't be established.
RSA key fingerprint is 54:0c:18:e4:4a:4a:23:8d:c2:c9:5b:2e:1c:8b:24:4a.
Are you sure you want to continue connecting (yes/no)? yes
Memory fault

- all sorts of key handling with DSA or RSA2 keys leads to core dumping,
  while everything done with RSA1 keys works just fine. "ssh -1" has
  no problems whatsoever either.

Happens *only* on FreeBSD 2.1.x machines, with x > 5.

As this machine will go out of service "soon" anyway, I haven't done any
in-depth debugging yet.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From Lutz.Jaenicke at aet.TU-Cottbus.DE  Sat Jul 13 00:07:55 2002
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Fri, 12 Jul 2002 16:07:55 +0200
Subject: With bounds checking patch for gcc-3.1 problems if using AES
In-Reply-To: <20020712155041.D17492@greenie.muc.de>
References: <3D249F0C.90600@gmx.de> <3D2B3484.9000906@gmx.de> <20020709175948.GA29587@serv01.aet.tu-cottbus.de> <20020710152617.GB7480@folly> <20020710153535.GB23442@faui02> <20020712104330.GA27317@folly> <20020712155041.D17492@greenie.muc.de>
Message-ID: <20020712140755.GA543@serv01.aet.tu-cottbus.de>

On Fri, Jul 12, 2002 at 03:50:42PM +0200, Gert Doering wrote:
> On Fri, Jul 12, 2002 at 12:43:30PM +0200, Markus Friedl wrote:
> > did anyone check this?
> 
> I tried it, but it doesn't solve my problem (and thinking about it, there
> is no way it could).

The IV-memcopy() problem was identified in the interfacing between
OpenSSH and OpenSSL based on the traceback sent by Daniel Schroeter.
(Unfortunately Daniel did not yet report back whether his problem is
solved now.)
Obviously, you ran into another problem, for which another traceback
would be required...

> - all sorts of key handling with DSA or RSA2 keys leads to core dumping,
>   while everything done with RSA1 keys works just fine. "ssh -1" has
>   no problems whatsoever either.
> 
> Happens *only* on FreeBSD 2.1.x machines, with x > 5.
> 
> As this machine will go out of service "soon" anyway, I haven't done any
> in-depth debugging yet.

If it were a bug inside FreeBSD's routines, debugging would be a waste of
time. One can however not be sure. Maybe there is a bug in OpenSSH (or
OpenSSL, that's why I am following the thread closely) that just becomes
visible under certain conditions.

Best regards,
	Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus

From markus at openbsd.org  Sat Jul 13 00:40:05 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 12 Jul 2002 16:40:05 +0200
Subject: With bounds checking patch for gcc-3.1 problems if using AES
In-Reply-To: <20020712155041.D17492@greenie.muc.de>
References: <3D249F0C.90600@gmx.de> <3D2B3484.9000906@gmx.de> <20020709175948.GA29587@serv01.aet.tu-cottbus.de> <20020710152617.GB7480@folly> <20020710153535.GB23442@faui02> <20020712104330.GA27317@folly> <20020712155041.D17492@greenie.muc.de>
Message-ID: <20020712144005.GB10197@faui02>

On Fri, Jul 12, 2002 at 03:50:42PM +0200, Gert Doering wrote:
> Hi,
> 
> On Fri, Jul 12, 2002 at 12:43:30PM +0200, Markus Friedl wrote:
> > did anyone check this?
> 
> I tried it, but it doesn't solve my problem (and thinking about it, there
> is no way it could).

no, this patch tries to disable the memcpy for AES, since our AES does IV
handling itself.

-m

From dtucker at zip.com.au  Sat Jul 13 01:00:57 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 13 Jul 2002 01:00:57 +1000
Subject: HP-UX slow login problem found?
References: <200207120754.g6C7sUCX078943@iac.net>
Message-ID: <3D2EEF29.6DCDCBDD@zip.com.au>

Deron Meranda wrote:
> I think I finally figured out the problem that many people have been
> having with extremely long login times under HP-UX 11.x.

Nice work tracking it down. Have you reported it to the GCC folks? It's
not likely they'll fix it if they don't know about it. They've even got
a problem class for it: "pessimizes-code".

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From benny at bennyvision.com  Sat Jul 13 01:12:15 2002
From: benny at bennyvision.com (C. Bensend)
Date: Fri, 12 Jul 2002 10:12:15 -0500 (CDT)
Subject: Building 3.4p1 on HP-UX 11.00, gcc, zlib 1.1.4, OpenSSL 0.9.6d
In-Reply-To: <3D2EB4E4.CD33951B@zip.com.au>
Message-ID: 

On Fri, 12 Jul 2002, Darren Tucker wrote:

> > *** zlib missing - please install first or check config.log ***
> 
> I realise this might be stating the blindingly obvious, but what did
> config.log say?

Nothing really caught my eye, but this goes a bit deeper into
the build process than I usually dive. If you would like to
see the output, I have placed it at:

http://www.bennyvision.com/config.log

> My guess is you're missing the zlib header files.
> $ sudo rm /usr/local/include/zlib.h /usr/local/include/zconf.h
> $ ./configure
> [snip]
> configure: error: *** zlib missing - please install first or check
> config.log ***

I wish it were that simple... I quadruple-checked again this
morning:

benny at myhost 31: ls -l /usr/include/*z*
-rw-r--r--   1 root       root          7810 Jul 11 21:07 /usr/include/zconf.h
-rw-r--r--   1 root       root         40900 Jul 11 21:07 /usr/include/zlib.h

benny at myhost 32: ls -l /usr/lib/*z*
lrwxrwxrwt   1 root       root            38 Feb 21  2001 /usr/lib/libddcrx48z.a@ -> /opt/graphics/common/lib/libddcrx48z.a
lrwxrwxrwt   1 root       root            38 Feb 21  2001 /usr/lib/libddcrx48z.sl@ -> /opt/graphics/common/lib/libddcrx48z.1
-rwxr-xr-x   1 root       root         85856 Jul 11 21:07 /usr/lib/libz.a*
-r--r--r--   1 bin        bin          11871 Apr 26  1999 /usr/lib/tztab

Thanks for taking the time to respond - I really appreciate the
help. :)

Benny

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Always carry a short length of fibre-optic cable. If
you get lost, then you can drop it on the ground, wait
ten minutes, and ask the backhoe operator how to get
back to civilization. -Alan Frame

From bugzilla-daemon at mindrot.org  Sat Jul 13 01:22:29 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 13 Jul 2002 01:22:29 +1000 (EST)
Subject: [Bug 273] sshd hangs on shell exit if user spawned child with /bin/nohup
Message-ID: <20020712152229.E9E4AE969@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=273

------- Additional Comments From sam at neutrino.phy.uct.ac.za  2002-07-13 01:22 -------
i also have this exact same problem using OpenSSH_3.4p1, SSH protocols
1.5/2.0, OpenSSL 0x0090603f

i start a program with "nohup &" and upon returning to my native machine,
the terminal is blank, frozen with no bash prompt. i must kill the ssh
pid from another terminal to get my original terminal back.

thanks,
Sam

From tim at multitalents.net  Sat Jul 13 01:23:54 2002
From: tim at multitalents.net (Tim Rice)
Date: Fri, 12 Jul 2002 08:23:54 -0700 (PDT)
Subject: Building 3.4p1 on HP-UX 11.00, gcc, zlib 1.1.4, OpenSSL 0.9.6d
In-Reply-To: 
Message-ID: 

On Fri, 12 Jul 2002, C. Bensend wrote:

> 
> On Fri, 12 Jul 2002, Darren Tucker wrote:
> 
> > > *** zlib missing - please install first or check config.log ***
> > 
> > I realise this might be stating the blindingly obvious, but what did
> > config.log say?
> 
> Nothing really caught my eye, but this goes a bit deeper into
> the build process than I usually dive. If you would like to
> see the output, I have placed it at:
> 
> http://www.bennyvision.com/config.log

/usr/bin/ld: Can't find library for -lxnet

The configure script is expecting your system to have libxnet but
ld can't find it.

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From wendyp at cray.com  Sat Jul 13 01:32:31 2002
From: wendyp at cray.com (Wendy Palm)
Date: Fri, 12 Jul 2002 10:32:31 -0500
Subject: Building 3.4p1 on HP-UX 11.00, gcc, zlib 1.1.4, OpenSSL 0.9.6d
References: 
Message-ID: <3D2EF68F.7B6332A8@cray.com>

this is the bad line-

configure:5361: gcc -o conftest -static -Wall -Wpointer-arith -Wno-uninitialized -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 conftest.c -lz -lxnet -lsec >&5
/usr/bin/ld: Can't find library for -lxnet
collect2: ld returned 1 exit status
configure:5364: $? = 1
configure: failed program was:
...

that failure is all over the config.log.
what happens when you remove "-lxnet" from your compile line?
(what the heck is xnet anyway?)

"C. Bensend" wrote:
> 
> On Fri, 12 Jul 2002, Darren Tucker wrote:
> 
> > > *** zlib missing - please install first or check config.log ***
> > 
> > I realise this might be stating the blindingly obvious, but what did
> > config.log say?
> 
> Nothing really caught my eye, but this goes a bit deeper into
> the build process than I usually dive. If you would like to
> see the output, I have placed it at:
> 
> http://www.bennyvision.com/config.log
> 
> > My guess is you're missing the zlib header files.
> > $ sudo rm /usr/local/include/zlib.h /usr/local/include/zconf.h
> > $ ./configure
> > [snip]
> > configure: error: *** zlib missing - please install first or check
> > config.log ***
> 
> I wish it were that simple... I quadruple-checked again this
> morning:
> 
> benny at myhost 31: ls -l /usr/include/*z*
> -rw-r--r--   1 root       root          7810 Jul 11 21:07
> /usr/include/zconf.h
> -rw-r--r--   1 root       root         40900 Jul 11 21:07
> /usr/include/zlib.h
> 
> benny at myhost 32: ls -l /usr/lib/*z*
> lrwxrwxrwt   1 root       root            38 Feb 21  2001
> /usr/lib/libddcrx48z.a@ -> /opt/graphics/common/lib/libddcrx48z.a
> lrwxrwxrwt   1 root       root            38 Feb 21  2001
> /usr/lib/libddcrx48z.sl@ -> /opt/graphics/common/lib/libddcrx48z.1
> -rwxr-xr-x   1 root       root         85856 Jul 11 21:07 /usr/lib/libz.a*
> -r--r--r--   1 bin        bin          11871 Apr 26  1999 /usr/lib/tztab
> 
> Thanks for taking the time to respond - I really appreciate the
> help. :)
> 
> Benny
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Always carry a short length of fibre-optic cable. If
> you get lost, then you can drop it on the ground, wait
> ten minutes, and ask the backhoe operator how to get
> back to civilization. -Alan Frame
> 
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From benny at bennyvision.com  Sat Jul 13 01:36:05 2002
From: benny at bennyvision.com (C. Bensend)
Date: Fri, 12 Jul 2002 10:36:05 -0500 (CDT)
Subject: Building 3.4p1 on HP-UX 11.00, gcc, zlib 1.1.4, OpenSSL 0.9.6d
In-Reply-To: 
Message-ID: 

On Fri, 12 Jul 2002, Tim Rice wrote:

> /usr/bin/ld: Can't find library for -lxnet
> 
> The configure script is expecting your system to have libxnet but
> ld can't find it.

benny at myhost 27: ls -l /usr/lib/libxnet*
-r-xr-xr-x   1 bin        bin         102400 Nov  6  1997 /usr/lib/libxnet.1*
-r-xr-xr-x   1 bin        bin          20480 Nov  6  1997 /usr/lib/libxnet.2*
lrwxr-xr-x   1 root       sys             18 Feb 21  2001 /usr/lib/libxnet.sl@ -> /usr/lib/libxnet.2

I'm beginning to believe I'm cursed at times... I've never in my life
had such problems building OpenSSH... In fact, this is the same host
I've been building my HP-UX binaries on for some time now.

Any thoughts?

Benny

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Always carry a short length of fibre-optic cable. If
you get lost, then you can drop it on the ground, wait
ten minutes, and ask the backhoe operator how to get
back to civilization. -Alan Frame

From bugzilla-daemon at mindrot.org  Sat Jul 13 02:35:53 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 13 Jul 2002 02:35:53 +1000 (EST)
Subject: [Bug 273] sshd hangs on shell exit if user spawned child with /bin/nohup
Message-ID: <20020712163553.9EB94E9AA@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=273

------- Additional Comments From jmknoble at pobox.com  2002-07-13 02:35 -------
> i start a program with "nohup &" and
> upon returning to my native machine, the terminal
> is blank, frozen with no bash prompt.

Don't do that. Do this instead:

  (nohup &)

Note the order of the '&' and the enclosing parentheses.

From bugzilla-daemon at mindrot.org  Sat Jul 13 04:04:58 2002
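Why a detached child keeps the session alive at all, as an added shell demonstration that is not part of the bug report and not OpenSSH code: whatever reads the session's output (sshd's channel code in the real case, `cat` standing in for it here) only sees end-of-file once every process holding the write end has closed it. A child started with `nohup cmd &` inherits the session's stdout, and nohup leaves stdout alone unless it is a terminal, so the reader waits until that child exits. Redirecting the child's own stdin, stdout and stderr away from the session releases the descriptor at logout. The `sleep` stand-in, the 2-second delay and the function names are assumptions made for this demo.

```shell
#!/bin/sh
# Added demonstration, not from the bug report or from OpenSSH: a reader on
# a pipe (cat, standing in for the process that reads a session's output)
# gets EOF only when every writer has closed its end. A child started with
# "nohup cmd &" inherits the session's stdout and so is one of those
# writers; nohup only redirects stdout when stdout is a terminal, which in a
# pipe it is not. Redirecting the child's stdio explicitly releases the pipe
# at logout.

# Run a throwaway "session": a shell that backgrounds sleep with the given
# redirections and then exits, with its stdout piped into cat. Echoes the
# whole seconds the pipeline took to finish, i.e. how long the reader waited.
time_session() {
    redirect=$1   # "" = child inherits the session's stdout as-is
    start=$(date +%s)
    sh -c "nohup sleep 2 $redirect & echo logout" | cat >/dev/null
    end=$(date +%s)
    echo $((end - start))
}

# Constructed comparison: the same background command, with and without its
# stdio moved off the session. Expected: the first waits the full 2 s for
# sleep to exit, the second returns as soon as the session shell exits.
main_demo() {
    inherited=$(time_session '')
    detached=$(time_session '>/dev/null 2>&1 </dev/null')
    echo "child inherits stdout: ${inherited}s (reader waited for sleep to exit)"
    echo "child stdio redirected: ${detached}s (reader got EOF at logout)"
}

main_demo
```

The same mechanism applies with a pty: the slave side stays open as long as any process still holds it, so the detached child must be cut off from every session descriptor, not just the one nohup happens to redirect, for the session to end when the shell does.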
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 13 Jul 2002 04:04:58 +1000 (EST)
Subject: [Bug 273] sshd hangs on shell exit if user spawned child with /bin/nohup
Message-ID: <20020712180458.C30CBE95E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=273

------- Additional Comments From kerry.schwab at wnco.com  2002-07-13 04:04 -------
(nohup ./script &) is a workaround of sorts, but that's not really a
good answer. People expect ssh to be an rsh replacement, and rsh doesn't
require a double fork to avoid the hang-on-exit.

From Nicolas.Williams at ubsw.com  Sat Jul 13 04:15:09 2002
From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com)
Date: Fri, 12 Jul 2002 14:15:09 -0400
Subject: OpenSSH & MinGW?
Message-ID: <17D3D857B26112409EA372EB0AFE39DD149793@NSTMC005PEX1.ubsgs.ubsgroup.net>

I'm interested in building just the OpenSSH clients with MinGW.

I figure that the OpenSSL libraries and just the ssh client should be
relatively easy to build as they wouldn't require fork()/exec() and the
like (well, ssh_askpass() uses fork()/exec(), but that's minor).

The other clients, scp and sftp, will require #ifdef hacks so that they
use the Windows spawn()/CreateProcess() APIs instead of fork()/exec() to
run the ssh program.

Any other glaring gotchas?

Has anyone done this?

Hmmm, I'd need the MIT krb5 stuff to build under MinGW as well...

Nico
-- 

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only
for the individual named. If you are not the named addressee you
should not disseminate, distribute or copy this e-mail. Please
notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses. The sender therefore
does not accept liability for any errors or omissions in the contents
of this message which arise as a result of e-mail transmission. If
verification is required please request a hard-copy version. This
message is provided for informational purposes and should not be
construed as a solicitation or offer to buy or sell any securities or
related financial instruments.

From bugzilla-daemon at mindrot.org  Sat Jul 13 04:21:09 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 13 Jul 2002 04:21:09 +1000 (EST)
Subject: [Bug 353] New: login failure on tru64
Message-ID: <20020712182109.D0FF0E9B8@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=353

           Summary: login failure on tru64
           Product: Portable OpenSSH
           Version: -current
          Platform: Alpha
        OS/Version: OSF/1
            Status: NEW
          Severity: critical
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: weberc at grc.nia.nih.gov

Server OS Tru64 5.1a current patchkit, (march or may 02 depending on box)
using LDAP authentication module for Tru64 IAELDAM570 or 580.

Using openssh 2.9x and 3.3x my users with LDAP accounts could log in via
ssh. Using 3.4p1, the users will get the error "cannot set login uid
1000: error Not owner." The root user with a passwd account works fine.
A non-priv passwd user gets the same error with the uid depending on the
user account.

From Nicolas.Williams at ubsw.com  Sat Jul 13 04:25:10 2002
From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com)
Date: Fri, 12 Jul 2002 14:25:10 -0400
Subject: [Bug 273] sshd hangs on shell exit if user spawned child with /bin/nohup
Message-ID: <17D3D857B26112409EA372EB0AFE39DD125F5A@NSTMC005PEX1.ubsgs.ubsgroup.net>

> People expect ssh to be an rsh replacement,
> and rsh doesn't require a double fork
> to avoid the hang-on-exit.

This thing comes up over and over again. And the same back-and-forth
arguments take place.

SSH is more than a secure RSH. It truly is. You can't have it be two
conflicting things at the same time.

Read the archives.

I believe people can learn. I really do.

[NOTE: I'm not an OpenSSH developer nor do I speak for them.]

Cheers,

Nico
-- 

From ed at UDel.Edu  Sat Jul 13 04:59:56 2002
From: ed at UDel.Edu (Ed Phillips)
Date: Fri, 12 Jul 2002 14:59:56 -0400 (EDT)
Subject: OpenSSH & MinGW?
In-Reply-To: <17D3D857B26112409EA372EB0AFE39DD149793@NSTMC005PEX1.ubsgs.ubsgroup.net>
Message-ID: 

On Fri, 12 Jul 2002 Nicolas.Williams at ubsw.com wrote:

> Date: Fri, 12 Jul 2002 14:15:09 -0400
> From: Nicolas.Williams at ubsw.com
> To: openssh-unix-dev at mindrot.org
> Subject: OpenSSH & MinGW?
> 
> 
> I'm interested in building just the OpenSSH clients with MinGW.
> 
> I figure that the OpenSSL libraries and just the ssh client should be
> relatively easy to build as they wouldn't require fork()/exec() and the
> like (well, ssh_askpass() uses fork()/exec(), but that's minor).
> 
> The other clients, scp and sftp, will require #ifdef hacks so that they
> use the Windows spawn()/CreateProcess() APIs instead of fork()/exec() to
> run the ssh program.
> 
> Any other glaring gotchas?

Well, the tty-related stuff would be a headache for starters - an "MS-DOS
prompt" isn't really a tty-compatible entity, except in the DOS
"look-I-can-print-funky-DOS-symbols-and-escape-sequences" sense. That
problem in itself is probably enough to snuff any urges I might have to
port to MinGW. You really need a terminal emulator to run the ssh client
"inside of".

Also, on Windows there is no "open", "close", etc., but there is "_open",
"_close", etc.,... and some of them have different arguments or omit
arguments.

Basically, there's a lot of hacking you would have to do, at minimum...

> Has anyone done this?
> 
> Hmmm, I'd need the MIT krb5 stuff to build under MinGW as well...

I don't know if anyone has tried it with MinGW, but certainly people do
this sort of port to Cygwin (not that it helps you any).

	Ed

Ed Phillips               University of Delaware               (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

From egarff at omniture.com  Sat Jul 13 05:00:21 2002
From: egarff at omniture.com (Eric Garff)
Date: 12 Jul 2002 13:00:21 -0600
Subject: [Bug 273] sshd hangs on shell exit if user spawned child with /bin/nohup
In-Reply-To: <17D3D857B26112409EA372EB0AFE39DD125F5A@NSTMC005PEX1.ubsgs.ubsgroup.net>
References: <17D3D857B26112409EA372EB0AFE39DD125F5A@NSTMC005PEX1.ubsgs.ubsgroup.net>
Message-ID: <1026500421.5331.35.camel@egarff.superstats.com>

On Fri, 2002-07-12 at 12:25, Nicolas.Williams at ubsw.com wrote:
> SSH is more than a secure RSH. It truly is. You can't have it
> be two conflicting things at the same time.

From Nicolas.Williams at ubsw.com  Sat Jul 13 05:17:46 2002
From: Nicolas.Williams at ubsw.com (Nicolas Williams) Date: Fri, 12 Jul 2002 15:17:46 -0400 Subject: OpenSSH & MinGW? In-Reply-To: ; from ed@UDel.Edu on Fri, Jul 12, 2002 at 02:59:56PM -0400 References: <17D3D857B26112409EA372EB0AFE39DD149793@NSTMC005PEX1.ubsgs.ubsgroup.net> Message-ID: <20020712151746.A515@W0594878> On Fri, Jul 12, 2002 at 02:59:56PM -0400, Ed Phillips wrote: > On Fri, 12 Jul 2002 Nicolas.Williams at ubsw.com wrote: > > Any other glaring gotchas? > > Well, the tty-related stuff would be a headache for starters - an "MS-DOS > prompt" isn't really a tty-compatible entity, except in the DOS > "look-I-can-print-funky-DOS-symbols-and-escape-sequences" sense. That > problem in itself is probably enough to snuff any urges I might to port to > MinGW. You really need a terminal emulator to run the ssh client "inside > of". Yes. Echo-off prompting would have to be done differently. That's about the extent of client-side tty-handling in OpenSSH though. Not too bad. > Also, on Windows there is no "open", "close", etc., but there is "_open", > "_close", etc.,... and some of them have different arguments or omit > arguments. Such things can be worked out. > Basically, there's a lot of hacking you would have to do, at minimum... I've been guessing so - I was hoping someone had tried who could give me some advice on the matter. > > Hmmm, I'd need the MIT krb5 stuff to build under MinGW as well... > > I don't know if anyone has tried it with MinGW, but certainly people do > this sort of port to Cygwin (not that it helps you any). Actually, that was thinko. The MIT krb5 stuff compiles natively on Windows (it's called MIT Kfw - Kerberos For Windows). So there's the answer to that. OpenSSL and MIT krb5 and zlib should all build with MingW no problem - OpenSSH's ssh(1) is another matter. > Ed Thanks, Nico -- -DISCLAIMER: an automatically appended disclaimer may follow. 
By posting- -to a public e-mail mailing list I hereby grant permission to distribute- -and copy this message.-

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments.

From Nicolas.Williams at ubsw.com Sat Jul 13 05:10:55 2002
From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com)
Date: Fri, 12 Jul 2002 15:10:55 -0400
Subject: [Bug 273] sshd hangs on shell exit if user spawned child with/bin/nohup
Message-ID: <17D3D857B26112409EA372EB0AFE39DD125F5B@NSTMC005PEX1.ubsgs.ubsgroup.net>

Perhaps the man page should be fixed then, because neither rsh nor rlogin
provide any kind of port forwarding, or X11 forwarding, etc...

Also, the comparison between ssh and rsh is more appropriate if you're
talking about SSHv1 and much less so if you're talking about SSHv2.

Nico
--

> -----Original Message-----
> From: Eric Garff [mailto:egarff at omniture.com]
> Sent: Friday, July 12, 2002 3:00 PM
> To: Williams, Nicolas
> Cc: openssh-unix-dev at mindrot.org
> Subject: RE: [Bug 273] sshd hangs on shell exit if user spawned child
> with/bin/nohup
>
>
> On Fri, 2002-07-12 at 12:25, Nicolas.Williams at ubsw.com wrote:
> > SSH is more than a secure RSH. It truly is. You can't have it
> > be two conflicting things at the same time.
>
> From the openssh "man ssh" page:
>
> "It is intended to replace rlogin and rsh, and provide secure
> encrypted
> communications between two untrusted hosts over an insecure network."
>
> I can agree that it is "more" than secure RSH, but if it plans to
> replace it, shouldn't it have the same functionality?
>
> --
> Eric Garff
> System Administrator
> egarff at omniture.com
> 801.722.0134
>
> Omniture
> http://www.omniture.com
> "Unique Questions, Precise Answers"
>

From kevin at atomicgears.com Sat Jul 13 05:35:41 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Fri, 12 Jul 2002 12:35:41 -0700
Subject: HP-UX slow login problem found?
In-Reply-To: <200207120754.g6C7sUCX078943@iac.net>
References: <200207120754.g6C7sUCX078943@iac.net>
Message-ID: <20020712193541.GB2283@jenny.crlsca.adelphia.net>

./Configure hpux-parisc2-cc will pull in asm/pa-risc2.o

I'll copy Chris (author of that code) in case he has any thoughts.

On Fri, Jul 12, 2002 at 03:54:29AM -0400, Deron Meranda wrote:
> I think I finally figured out the problem that many people have been
> having with extremely long login times under HP-UX 11.x. The problem
> is really in OpenSSL, and in particular the Diffie-Hellman parameter
> generation routines under the PA-RISC processor. I suspect this may
> not be a problem with the IA64 (Itanium) processors. This especially
> shows up if you use the gcc compiler. Fortunately I have access to
> Rational Quantify, a very powerful profiler which led me down to just
> a few lines of assembly code causing almost the whole delay.
>
> I finally have an ssh/sshd executable under HP which logs in almost
> instantaneously. I wouldn't consider this a complete solution yet,
> especially if you don't have access to HP's ANSI C compiler, and I
> haven't thoroughly tested this whole configuration. But this
> information may still prove quite useful.
>
> I'm using the latest of everything...
>
> OpenSSH 3.4p1
> OpenSSL 0.9.7 Beta 2
> libz 1.1.4
> gcc 3.1 (using gas from binutils 2.12.1)
> HP ANSI C compiler (version B.11.01.06)
>
> Although this is a 64-bit OS, I'm compiling everything in 32-bit mode.
>
> I'm running on a 9000/L2000-44 under HP-UX 11.0. This is a
> two-processor 440MHz PA-RISC 2.0 system. If you only have a PA-RISC
> 1.x processor I think you may still be out of luck?? You can check
> your processor version by running the command "getconf CPU_VERSION".
> If it returns 532 or higher you have a 2.0 processor.
>
> There are basically two extremely slow routines in OpenSSL which show
> up if you compile it "out of the box": RSA operations and DH parameter
> generation. You can test how fast these are with the following...
>
> $ openssl speed rsa # tests all RSA operations
> $ openssl dhparam -text 128 # generates DH parameters (128-bit)
>
> The RSA test is pretty accurate--you can compare this with other
> systems like Linux on a PC. The DH test is unfortunately very
> random..some runs will be quick and others slow. You'll have to run
> it many times and with different bit sizes to gauge how slow it is.
> Again, comparing to a Linux box may be useful. You will almost
> definitely see the HP version being much slower than Linux/Intel (on
> Pentium3/Athlon). This is because in practice the Intel chips seem to
> have much faster integer performance; whereas the PA-RISC is much
> faster with floating point. Unfortunately for you, most crypto is
> integer based. Just to give you a comparison point, here's my numbers
> (after optimizing it as described below)...
>
>                   sign    verify    sign/s verify/s
> rsa  512 bits   0.0023s   0.0002s    432.2   5402.4
> rsa 1024 bits   0.0094s   0.0005s    106.8   2132.8
> rsa 2048 bits   0.0519s   0.0014s     19.3    690.2
> rsa 4096 bits   0.3258s   0.0049s      3.1    203.4
>
> Without my changes, even with gcc -O3, my speeds were about 100 times
> slower! The DH speed is much harder to measure, but it was definitely
> real slow with the gcc compiled version.
>
> Okay, what's going on inside the OpenSSL code.... there are two small
> functions which are responsible for about 95% of the CPU clock cycles.
> These are bn_mul_add_words() in the file crypto/bn/bn_asm.c and the
> function BN_mod_word() in the file crypto/bn/bn_word.c. The first is
> responsible for the miserable RSA speeds, and the latter for the
> horrible DH speeds. I'll discuss how to speed each of these up
> separately.
>
> The bn_mul_add_words() function is by default implemented in the file
> bn_asm.c.
> However, neither the gcc nor the HP C compiler seems to be able
> to optimize that implementation very well. As that function can be
> called thousands if not millions of times, every last clock cycle is
> extremely important. Fortunately there is some hand-crafted assembly
> code in an alternate implementation. It can be found in the OpenSSL
> distribution in the file crypto/bn/asm/pa-risc2.s. You need to use
> that file instead of the generic bn_asm.c file. However, there are
> some restrictions...that file only works with HP's assembler (not
> gas), only on PA-RISC 2.0 systems, and it is not relocatable/PIC
> (can't be used in a shared library).
>
> I haven't completely figured out OpenSSL's non-standard configure
> scripts. But it is easy enough to just assemble it yourself and then
> replace that object in the libcrypto.a library.
>
> ar d libcrypto.a bn_asm.o
> ar r libcrypto.a pa-risc2.o
> ranlib libcrypto.a
>
> Then relink the openssl executable. Rerun your RSA speed
> test..hopefully the results should be very pleasant.
>
>
> Now, for the Diffie-Hellman part (the primary reason for SSH
> slowness). There is no assembly version of the bn_word.c file. And
> unfortunately gcc's optimizer, even with gcc 3.1 and with -O3 and
> -march=2.0, is pretty poor. This basically is because gcc invokes
> some millicode routines to do the 64-bit modulus "%" operation. I've
> found though that HP's ANSI C compiler with the correct optimization
> arguments is able to produce some PA-RISC 2.0 specific instructions
> which make it very fast in comparison (say by 100 clock cycles).
>
> cc +O3 +ESlit +DA2.0 +DS2.0 -Ae \
> -DOPENSSL_THREADS -D_REENTRANT -DDSO_DL -DOPENSSL_NO_KRB5 \
> -I/opt/gnu/include \
> -DOPENSSL_NO_RC5 -DOPENSSL_NO_IDEA -D_REENTRANT \
> -DB_ENDIAN -DMD32_XARRAY -c bn_word.c -o bn_word.o
>
> Also throw in +Z if you're trying to make a shared library (but see
> note about pa-risc2.s file above).
>
> Except for those two files (pa-risc2.s and bn_word.c), you can use gcc
> for everything else. I've been using gcc 3.1, with -O3 -march=2.0
>
> Now, if all goes well, you'll have a new libcrypto.a. Compile and
> link OpenSSH against that one and you should see fast logins, finally!
> Note, both the server (sshd) and the client (ssh) need to be
> recompiled/relinked, as both generate their half of the DH parameters.
>
> Deron Meranda
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

From ed at UDel.Edu Sat Jul 13 05:40:00 2002
From: ed at UDel.Edu (Ed Phillips)
Date: Fri, 12 Jul 2002 15:40:00 -0400 (EDT)
Subject: [Bug 273] sshd hangs on shell exit if user spawned child with /bin/nohup
In-Reply-To: <1026500421.5331.35.camel@egarff.superstats.com>
Message-ID:

On 12 Jul 2002, Eric Garff wrote:
> Date: 12 Jul 2002 13:00:21 -0600
> From: Eric Garff
> To: Nicolas.Williams at ubsw.com
> Cc: openssh-unix-dev at mindrot.org
> Subject: RE: [Bug 273] sshd hangs on shell exit if user spawned child
> with /bin/nohup
>
> On Fri, 2002-07-12 at 12:25, Nicolas.Williams at ubsw.com wrote:
> > SSH is more than a secure RSH. It truly is. You can't have it
> > be two conflicting things at the same time.
>
> From the openssh "man ssh" page:
>
> "It is intended to replace rlogin and rsh, and provide secure encrypted
> communications between two untrusted hosts over an insecure network."
>
> I can agree that it is "more" than secure RSH, but if it plans to
> replace it, shouldn't it have the same functionality?

A replacement doesn't necessarily need to work the same as what it's
replacing. Maybe they should use words like "It is intended to be a
secure alternative to rlogin and rsh..."

Ed

Ed Phillips University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

From kevin at atomicgears.com Sat Jul 13 05:43:17 2002
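Deron Meranda's HP-UX post above attributes the Diffie-Hellman slowness to BN_mod_word() in crypto/bn/bn_word.c and the 64-bit "%" it performs once per limb. The following is an added example, not OpenSSL's code: the same limb-by-limb reduction written out over an array of 32-bit limbs, plus the trial-division loop that prime-candidate screening drives it from, which is why a six-line function ends up owning most of the profile. The small-prime table and the two sample numbers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example (not OpenSSL's code): the reduction BN_mod_word() does.
 * a[0] is the least significant 32-bit limb, matching OpenSSL's BIGNUM
 * layout on a 32-bit build. Returns UINT32_MAX when w == 0, mirroring
 * BN_mod_word()'s (BN_ULONG)-1 error return.
 */
uint32_t bn_mod_word(const uint32_t *a, size_t n, uint32_t w)
{
    uint64_t ret = 0;
    size_t i;

    if (w == 0)
        return UINT32_MAX;
    /* Long division from the most significant limb downwards. After each
     * step ret < w < 2^32, so (ret << 32) | a[i] always fits in 64 bits.
     * The 64-bit "%" below is the operation the post describes gcc turning
     * into a millicode call on PA-RISC; it runs once per limb per prime. */
    for (i = n; i-- > 0; )
        ret = ((ret << 32) | a[i]) % w;
    return (uint32_t)ret;
}

/* Constructed subset of the small primes a prime generator sieves with;
 * each entry costs one bn_mod_word() pass over the whole candidate. */
static const uint32_t small_primes[] = {
    2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71
};

/*
 * Returns 0 if a small prime divides the candidate (it is composite and can
 * be thrown away without an expensive primality round), 1 otherwise.
 */
int bn_passes_trial_division(const uint32_t *a, size_t n)
{
    size_t i;

    for (i = 0; i < sizeof(small_primes) / sizeof(small_primes[0]); i++)
        if (bn_mod_word(a, n, small_primes[i]) == 0)
            return 0;
    return 1;
}

int main(void)
{
    /* 2^64 + 5 as limbs {5, 0, 1}: divisible by 3 and by 7. */
    const uint32_t composite[3] = { 5, 0, 1 };
    /* 2^64 - 59 = 0xFFFFFFFFFFFFFFC5, the largest prime below 2^64. */
    const uint32_t prime[2] = { 0xFFFFFFC5u, 0xFFFFFFFFu };

    printf("(2^64+5) mod 1000 = %u\n", bn_mod_word(composite, 3, 1000));
    printf("2^64+5  passes trial division: %d\n", bn_passes_trial_division(composite, 3));
    printf("2^64-59 passes trial division: %d\n", bn_passes_trial_division(prime, 2));
    return 0;
}
```

The loop body is all there is to optimise: a compiler that emits a native 64-by-32 division sequence for the "%" makes the whole of DH parameter generation faster, which is what the +DA2.0/+DS2.0 build of bn_word.c in the post achieves.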
From: kevin at atomicgears.com (Kevin Steves)
Date: Fri, 12 Jul 2002 12:43:17 -0700
Subject: Building 3.4p1 on HP-UX 11.00, gcc, zlib 1.1.4, OpenSSL 0.9.6d
In-Reply-To: <3D2EF68F.7B6332A8@cray.com>
References: <3D2EF68F.7B6332A8@cray.com>
Message-ID: <20020712194317.GC2283@jenny.crlsca.adelphia.net>

On Fri, Jul 12, 2002 at 10:32:31AM -0500, Wendy Palm wrote:
> what happens when you remove "-lxnet" from your compile line?
> (what the heck is xnet anyway?)

see xopen_networking(7), which basically is needed to have a more modern
socket interface.

for what it's worth, here is chatr output from my sshd.
i don't use gcc, and build according to:
http://www.atomicgears.com/papers/osshhpux.html

[stevesk at jenny stevesk]$ chatr /opt/openssh/sbin/sshd
/opt/openssh/sbin/sshd:
         shared executable
         shared library dynamic path search:
             SHLIB_PATH     disabled  second
             embedded path  disabled  first  Not Defined
         shared library list:
             dynamic   /usr/lib/libpam.1
             dynamic   /usr/lib/libnsl.1
             dynamic   /usr/lib/libxnet.2
             dynamic   /usr/lib/libsec.2
             dynamic   /usr/lib/libc.2
         shared library binding:
             deferred

From ed at UDel.Edu Sat Jul 13 06:01:58 2002
From: ed at UDel.Edu (Ed Phillips)
Date: Fri, 12 Jul 2002 16:01:58 -0400 (EDT)
Subject: OpenSSH & MinGW?
In-Reply-To: <20020712151746.A515@W0594878>
Message-ID:

On Fri, 12 Jul 2002, Nicolas Williams wrote:
> Date: Fri, 12 Jul 2002 15:17:46 -0400
> From: Nicolas Williams
> To: Ed Phillips
> Cc: OpenSSH Development
> Subject: Re: OpenSSH & MinGW?
>
> On Fri, Jul 12, 2002 at 02:59:56PM -0400, Ed Phillips wrote:
> > On Fri, 12 Jul 2002 Nicolas.Williams at ubsw.com wrote:
> > > Any other glaring gotchas?
> >
> > Well, the tty-related stuff would be a headache for starters - an "MS-DOS
> > prompt" isn't really a tty-compatible entity, except in the DOS
> > "look-I-can-print-funky-DOS-symbols-and-escape-sequences" sense. That
> > problem in itself is probably enough to snuff any urges I might have to port to
> > MinGW. You really need a terminal emulator to run the ssh client "inside
> > of".
>
> Yes. Echo-off prompting would have to be done differently. That's about
> the extent of client-side tty-handling in OpenSSH though. Not too bad.

That's specific to the ssh client itself, but the problem on Windows is
that a "console-mode" application runs in an "MS-DOS Prompt" window. That
window has no terminal functions (as opposed to an xterm running on a Unix
box). If you type into an MS-DOS Prompt window that is running the ssh
client that is calling "read(0, ...)", will it receive every keystroke
immediately when you type it? I doubt it. Maybe some sort of
Windows-console-mode curses library could do it, or some GUI terminal
emulator API. It would be easy enough to try to write a console-mode
program that just calls _read(0, ...) and _write(1, ...) and see what
keystrokes can make it through, and whether you have to press return
before you see them, and whether ctrl-c can make it through, etc. It's
amazing how easy it is to forget all of the "machinery" that is between a
simple keystroke and a remote application... ;-)

> > Also, on Windows there is no "open", "close", etc., but there is "_open",
> > "_close", etc.,... and some of them have different arguments or omit
> > arguments.
>
> Such things can be worked out.

Agreed.

> > Basically, there's a lot of hacking you would have to do, at minimum...
>
> I've been guessing so - I was hoping someone had tried who could give me
> some advice on the matter.
>
> > > Hmmm, I'd need the MIT krb5 stuff to build under MinGW as well...
> >
> > I don't know if anyone has tried it with MinGW, but certainly people do
> > this sort of port to Cygwin (not that it helps you any).
>
> Actually, that was a thinko. The MIT krb5 stuff compiles natively on
> Windows (it's called MIT Kfw - Kerberos For Windows). So there's the
> answer to that. OpenSSL and MIT krb5 and zlib should all build with
> MingW no problem

Okay... I forgot about the Kerberos For Windows "initiative". It was
pretty "ugly" last time I looked. MS-DOS .bat programs to rename source
files and such... ugh.

> - OpenSSH's ssh(1) is another matter.

Yes... as far as I can see. You might find source to a Windows-ified
telnet or rlogin client and see how they're built (whether they're using
console-mode or some GUI terminal layer).

Ed

Ed Phillips University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key

From bugzilla-daemon at mindrot.org Sat Jul 13 06:14:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 13 Jul 2002 06:14:32 +1000 (EST)
Subject: [Bug 325] PermitRootLogin forced-commands-only & privsep - not working together
Message-ID: <20020712201432.57413E9E0@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=325

------- Additional Comments From hlein at progressive-comp.com 2002-07-13 06:14 -------

Seeing this here too; it appears that when auth2.c:userauth_finish is
called, forced_command has been cleared (or perhaps, never set in that
forked sshd) so the call to auth_root_allowed(method) returns 0.

The following patch makes forced-command logins as root work again, but I
doubt this is the right fix. In fact the below may have serious problems;
no warranties.

Looking at (but not testing) today's snapshot, this appears to still be a
problem. If so I'm surprised more people haven't run into this...?

--- openssh-3.4p1/auth2.c Fri Jun 21 02:21:11 2002
+++ openssh-3.4p1-hap-2/auth2.c Fri Jul 12 15:35:52 2002
@@ -206,6 +206,7 @@ /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && + !options.permit_root_login == PERMIT_FORCED_ONLY && !auth_root_allowed(method)) authenticated = 0;

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Nicolas.Williams at ubsw.com Sat Jul 13 06:19:06 2002
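Review bot: the added condition `!options.permit_root_login == PERMIT_FORCED_ONLY` in the auth2.c hunk does not test what it appears to: `!` binds tighter than `==`, so it compares `(!options.permit_root_login)`, a 0 or 1, with the PERMIT_FORCED_ONLY constant, and its value no longer depends on the configured mode in the intended way; the intended test would be `options.permit_root_login != PERMIT_FORCED_ONLY`. Even with the precedence corrected, the hunk makes forced-commands-only mode skip `auth_root_allowed(method)` entirely, so `authenticated` is never cleared and any root login succeeds in that mode, whether or not the key carries a forced command; the submitter's own diagnosis is that forced_command is empty when userauth_finish runs in the forked sshd, so the fix belongs in making forced_command available there, not in bypassing the check. A comment on the new line explaining why the mode is excluded would also be needed if the condition were kept.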
From: Nicolas.Williams at ubsw.com (Nicolas Williams)
Date: Fri, 12 Jul 2002 16:19:06 -0400
Subject: OpenSSH & MinGW?
In-Reply-To: ; from ed@UDel.Edu on Fri, Jul 12, 2002 at 04:01:58PM -0400
References: <20020712151746.A515@W0594878>
Message-ID: <20020712161906.A520@W0594878>

On Fri, Jul 12, 2002 at 04:01:58PM -0400, Ed Phillips wrote:
> > Yes. Echo-off prompting would have to be done differently. That's about
> > the extent of client-side tty-handling in OpenSSH though. Not too bad.
>
> That's specific to the ssh client itself, but the problem on Windows is
> that a "console-mode" application runs in an "MS-DOS Prompt" window.

I neglected to mention that I don't care about terminal emulation or
console mode. Pipes though are more interesting - scp/sftp need them to
talk to ssh.

Nah - I think the solution is to go with something like Kermit-95.

> Ed

Cheers,

Nico
--
-DISCLAIMER: an automatically appended disclaimer may follow. By posting-
-to a public e-mail mailing list I hereby grant permission to distribute-
-and copy this message.-
From dtucker at zip.com.au Sat Jul 13 10:39:35 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 13 Jul 2002 10:39:35 +1000
Subject: Building 3.4p1 on HP-UX 11.00, gcc, zlib 1.1.4, OpenSSL 0.9.6d
References:
Message-ID: <3D2F76C7.2C16FEB9@zip.com.au>

"C. Bensend" wrote:
> On Fri, 12 Jul 2002, Tim Rice wrote:
> > /usr/bin/ld: Can't find library for -lxnet
> benny at myhost 27: ls -l /usr/lib/libxnet*

My libraries have the same size and datestamps.

> I've never in my life had such problems building OpenSSH...
> In fact, this is the same host I've been building my HP-UX
> binaries on for some time now. Any thoughts?

Another libxnet somewhere else in $LIBRARY_PATH? You could try
export LIBRARY_PATH=/usr/lib:/usr/ccs/lib:/usr/local/lib
then make distclean && ../configure

FWIW, 3.4p1 compiles fine on my C240 (HP-UX 11.00, gcc-3.1).

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From john at furman.net Sat Jul 13 10:49:13 2002
From: john at furman.net (John Furman)
Date: Fri, 12 Jul 2002 17:49:13 -0700 (PDT)
Subject: Chroot patch (v3.4p1)
Message-ID:

To: openssh-unix-dev at mindrot.org
Subject: Re: Chroot patch (v3.4p1)

On 4 Jul 2002 12:32:36 -0400 Hank Leininger wrote:
>> The following is a patch I've been working on to support a "ChrootUser"
>> option in the sshd_config file.
[snip]
>Note that this like every(?) other chroot patch for openssh floating around
>(including the one I maintain) does not work on *BSD, that is, any system
>which has HAVE_LOGIN_CAP defined. All the chroot patches chroot between
[snip]
>fix. I'm not sure if moving the chroot calls above the block in question,
>or simply replicating the chroot code inside both code paths is
>appropriate.
>--
>Hank Leininger

Your supposition is correct, Hank. I have moved the 'chroot' code above
the HAVE_LOGIN_CAP/setusercontext call and corrected the issue you
mention. (Took some doin' as I had to free up an OpenBSD 3.x box to test
on. ;-) I have created a patch for OpenSSH-v3.4 that I will post as well.

Below is a patch for v3.4p1. It supports two additional options in the
sshd_config.

ChrootDir - Configured as with AuthorizedKeysFile %T tokens etc...
Defaults to a subdir named 'chome' relative to users home dir.

ChrootUser - Configured as with AllowUsers.
user1 user2 at 10.10.2.20 user3 at some.host.com

----------------------------------------------
diff -uNr openssh-3.4p1.vanilla/auth.c openssh-3.4p1/auth.c
--- openssh-3.4p1.vanilla/auth.c Wed May 22 01:06:28 2002
+++ openssh-3.4p1/auth.c Wed Jul 10 23:48:11 2002
@@ -351,6 +351,12 @@ return expand_filename(options.authorized_keys_file2, pw); } +char * +chroot_dir(struct passwd *pw) +{ + return expand_filename(options.chroot_dir, pw); +} + /* return ok if key exists in sysfile or userfile */ HostStatus check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, diff -uNr openssh-3.4p1.vanilla/auth.h openssh-3.4p1/auth.h --- openssh-3.4p1.vanilla/auth.h Thu Jun 6 16:52:37 2002 +++ openssh-3.4p1/auth.h Wed Jul 10 23:48:11 2002 @@ -165,6 +165,7 @@ char *expand_filename(const char *, struct passwd *); char *authorized_keys_file(struct passwd *); char *authorized_keys_file2(struct passwd *); +char *chroot_dir(struct passwd *); int secure_filename(FILE *, const char *, struct passwd *, char *, size_t); diff -uNr openssh-3.4p1.vanilla/pathnames.h openssh-3.4p1/pathnames.h --- openssh-3.4p1.vanilla/pathnames.h Thu Jun 6 15:57:34 2002 +++ openssh-3.4p1/pathnames.h Wed Jul 10 23:48:11 2002 @@ -97,6 +97,9 @@ /* backward compat for protocol v2 */ #define _PATH_SSH_USER_PERMITTED_KEYS2 ".ssh/authorized_keys2" +/* default user chroot directory */ +#define _SSH_USER_CHROOT_DIR "chome" + /* * Per-user and system-wide ssh "rc" files. These files are executed with * /bin/sh before starting the shell or command if they exist. They will be diff -uNr openssh-3.4p1.vanilla/servconf.c openssh-3.4p1/servconf.c --- openssh-3.4p1.vanilla/servconf.c Mon Jun 24 23:22:04 2002 +++ openssh-3.4p1/servconf.c Wed Jul 10 23:48:11 2002 @@ -120,6 +120,7 @@ options->verify_reverse_mapping = -1; options->client_alive_interval = -1; options->client_alive_count_max = -1; + options->chroot_dir = NULL; options->authorized_keys_file = NULL; options->authorized_keys_file2 = NULL; @@ -252,6 +253,8 @@ } if (options->authorized_keys_file == NULL) options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; + if (options->chroot_dir == NULL) + options->chroot_dir = _SSH_USER_CHROOT_DIR; /* Turn privilege separation on by default */ if (use_privsep == -1) 
@@ -292,12 +295,12 @@ sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, sStrictModes, sEmptyPasswd, sKeepAlives, sUseLogin, sAllowTcpForwarding, sCompression, - sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, + sAllowUsers, sDenyUsers, sChrootUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, sBanner, sVerifyReverseMapping, sHostbasedAuthentication, sHostbasedUsesNameFromPacketOnly, sClientAliveInterval, - sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, + sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sChrootDir, sUsePrivilegeSeparation, sDeprecated } ServerOpCodes; @@ -360,6 +363,7 @@ { "allowtcpforwarding", sAllowTcpForwarding }, { "allowusers", sAllowUsers }, { "denyusers", sDenyUsers }, + { "chrootusers", sChrootUsers }, { "allowgroups", sAllowGroups }, { "denygroups", sDenyGroups }, { "ciphers", sCiphers }, @@ -375,6 +379,7 @@ { "clientalivecountmax", sClientAliveCountMax }, { "authorizedkeysfile", sAuthorizedKeysFile }, { "authorizedkeysfile2", sAuthorizedKeysFile2 }, + { "chrootdir", sChrootDir }, { "useprivilegeseparation", sUsePrivilegeSeparation}, { NULL, sBadOption } }; @@ -779,6 +784,16 @@ } break; + case sChrootUsers: + while ((arg = strdelim(&cp)) && *arg != '\0') { + if (options->num_chroot_users >= MAX_CHROOT_USERS) + fatal( "%s line %d: too many chroot users.", + filename, linenum); + options->chroot_users[options->num_chroot_users++] = + xstrdup(arg); + } + break; + case sAllowGroups: while ((arg = strdelim(&cp)) && *arg != '\0') { if (options->num_allow_groups >= MAX_ALLOW_GROUPS) 
@@ -893,6 +908,10 @@ &options->authorized_keys_file2; goto parse_filename; + case sChrootDir: + charptr = &options->chroot_dir; + goto parse_filename; + case sClientAliveInterval: intptr = &options->client_alive_interval; goto parse_time; diff -uNr openssh-3.4p1.vanilla/servconf.h openssh-3.4p1/servconf.h --- openssh-3.4p1.vanilla/servconf.h Thu Jun 20 21:09:47 2002 +++ openssh-3.4p1/servconf.h Wed Jul 10 23:48:11 2002 @@ -20,6 +20,7 @@ #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */ #define MAX_DENY_USERS 256 /* Max # users on deny list. */ +#define MAX_CHROOT_USERS 256 /* Max # users on chroot list. */ #define MAX_ALLOW_GROUPS 256 /* Max # groups on allow list. */ #define MAX_DENY_GROUPS 256 /* Max # groups on deny list. */ #define MAX_SUBSYSTEMS 256 /* Max # subsystems. */ @@ -104,6 +105,8 @@ char *allow_users[MAX_ALLOW_USERS]; u_int num_deny_users; char *deny_users[MAX_DENY_USERS]; + u_int num_chroot_users; + char *chroot_users[MAX_CHROOT_USERS]; u_int num_allow_groups; char *allow_groups[MAX_ALLOW_GROUPS]; u_int num_deny_groups; @@ -130,6 +133,7 @@ char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; + char *chroot_dir; int pam_authentication_via_kbd_int; } ServerOptions; diff -uNr openssh-3.4p1.vanilla/session.c openssh-3.4p1/session.c --- openssh-3.4p1.vanilla/session.c Wed Jun 26 09:51:06 2002 +++ openssh-3.4p1/session.c Fri Jul 12 15:37:58 2002 @@ -57,6 +57,8 @@ #include "canohost.h" #include "session.h" #include "monitor_wrap.h" +#include "match.h" +#include "readconf.h" #ifdef HAVE_CYGWIN #include @@ -64,6 +66,10 @@ #define is_winnt (GetVersion() < 0x80000000) #endif +#ifndef HAVE_CYGWIN +#define CHROOT +#endif + /* func */ Session *session_new(void); 
@@ -1169,6 +1175,38 @@ #ifdef HAVE_SETPCRED setpcred(pw->pw_name); #endif /* HAVE_SETPCRED */ +#ifdef CHROOT + int i; + char *new_root = "/"; + char *new_home = NULL; + char *dir = NULL; + const char *hostname = NULL; + const char *ipaddr = NULL; + + if (options.num_chroot_users > 0) { + hostname = get_canonical_hostname(options.verify_reverse_mapping); + ipaddr = get_remote_ipaddr(); + for (i = 0; i < options.num_chroot_users; i++) { + if (match_user(pw->pw_name, hostname, ipaddr, + options.chroot_users[i])) { + dir = chroot_dir(pw); + new_home = dir; + xfree(dir); + if(chdir(new_home) == -1) + fatal("chdir to %s failed: %s", + new_home, strerror(errno)); + if(chroot(new_home) == -1) { + fatal("chroot to %s failed: %s", + new_home, strerror(errno)); + } + else + pw->pw_dir = new_root; + } + } + } + + +#endif /* CHROOT */ #ifdef HAVE_LOGIN_CAP #ifdef __bsdi__ setpgid(0, 0);
--------------------------------

Regards,
--
John Furman

From amarpal.singh at ip-unity.com Sat Jul 13 15:46:27 2002
From: amarpal.singh at ip-unity.com (Amarpal Singh)
Date: Fri, 12 Jul 2002 22:46:27 -0700
Subject: ssh-keygen
Message-ID: <02ba01c22a30$a2643c30$25b4a8c0@COSMOS>

Hi All,

Where do I get ssh-keygen (1 and 2) free downloads? How are RSA-1, RSA-2
and DSA-2 related to ssh-keygen1 and ssh-keygen2?

Thanks
Amarpal.

From barel_bhai at yahoo.com Sat Jul 13 16:07:55 2002
From: barel_bhai at yahoo.com (raam raam)
Date: Fri, 12 Jul 2002 23:07:55 -0700 (PDT)
Subject: socekt query
In-Reply-To: <20020712161906.A520@W0594878>
Message-ID: <20020713060755.79837.qmail@web20503.mail.yahoo.com>

Hi All

We are opening a stream socket to run SSH over TCP. If we get two packets
at a time then how to find out the boundary of the packet because SSH
messages can be merged while receiving from the socket.

Regards
Barel

From benny at bennyvision.com Sat Jul 13 16:52:42 2002
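Review bot: in the session.c hunk at @@ -1169 the chroot path is freed before it is used: `dir = chroot_dir(pw); new_home = dir; xfree(dir);` is followed by `chdir(new_home)` and `chroot(new_home)`, so both syscalls (and the `fatal()` format strings) read freed memory; move the `xfree(dir)` after the `chroot()` call, or drop `new_home` and free `dir` at the end of the block. The declarations `int i;` and the `char *`/`const char *` variables appear after the `setpcred(pw->pw_name);` statement, which pre-C99 compilers reject; hoist them to the top of the function. Nothing validates the chroot target before entering it: the default `chome` sits under the user's own home directory, so the user controls its ownership and contents, and a chroot whose root the confined user can write to is not a containment boundary; check before `chroot()` that the directory is root-owned and not group/world writable, in the spirit of the `secure_filename()` check already declared in auth.h. Lastly, `pw->pw_dir = new_root` is reached only when `chroot()` succeeded because the failure branch calls `fatal()`, so the `else` and the braces around the single `fatal()` are redundant.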
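Review bot: in the session.c hunks at @@ -57 and @@ -64, `#include "readconf.h"` pulls in the ssh client's option parser and nothing in the added code uses it; only `match.h` (for `match_user()`) is needed, so drop the readconf.h line. The unconditional `#define CHROOT` for every non-Cygwin build hard-wires the feature on and makes the `#ifdef CHROOT` guard meaningless; make it a configure option (or derive it from `options.num_chroot_users > 0` at runtime alone) so sites that do not want chroot code in sshd can leave it out.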
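Review bot: the servconf.c hunks at @@ -360 and @@ -375 add the `chrootusers` and `chrootdir` keywords, but the patch carries no change to sshd_config.5 or the sample sshd_config, so the `user@host` pattern syntax and the AuthorizedKeysFile-style token expansion described in the cover text are undocumented; add the man page entries in the same patch. Since `sChrootDir` goes through `parse_filename` and `chroot_dir()` calls `expand_filename()` (auth.c hunk), the documentation should also state how a relative value such as the default `chome` is resolved, because that is what decides which directory sshd will chroot into.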
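Barel's question about packet boundaries on an SSH stream socket is answered by the SSH2 binary packet format of RFC 4253 section 6: every packet starts with a 4-byte packet_length and a 1-byte padding_length, so a receiver reads those, waits until the whole packet (plus the MAC, once one is negotiated) is buffered, strips the padding, and repeats for whatever bytes follow. The code below is an added example, not OpenSSH's packet.c: a framer that splits one TCP read holding two whole packets and the start of a third, reports a short read as "need more data", and bounds the length field before trusting it. The 35000-byte ceiling, the zero padding and the sample payloads are the example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not OpenSSH's packet.c: SSH2 binary packet framing
 * (RFC 4253 section 6) used to split a TCP byte stream into packets. */

#define SSH_MAX_PACKET_LEN 35000u /* example's ceiling; RFC 4253 requires accepting at least this */

typedef struct {
    const uint8_t *payload;  /* points into the receive buffer, not a copy */
    size_t payload_len;
    size_t consumed;         /* bytes of the buffer this packet occupied */
} ssh_frame;

static uint32_t get_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse the packet at the front of buf[0..n): 1 = complete frame in *out,
 * 0 = need more bytes (keep the buffer, read again), -1 = malformed framing
 * (drop the connection). mac_len is 0 until key exchange negotiates a MAC. */
int ssh_frame_next(const uint8_t *buf, size_t n, size_t mac_len, ssh_frame *out)
{
    uint32_t packet_length;
    size_t total;

    if (n < 4)
        return 0;
    packet_length = get_u32(buf);
    /* packet_length counts the padding_length byte, the payload and >= 4 bytes
     * of padding. It came off the wire: bound it before it sizes anything. */
    if (packet_length < 5 || packet_length > SSH_MAX_PACKET_LEN)
        return -1;
    total = 4 + (size_t)packet_length + mac_len;
    if (n < total)
        return 0;
    if (buf[4] < 4 || (size_t)buf[4] + 1 > packet_length)
        return -1;
    out->payload = buf + 5;
    out->payload_len = packet_length - buf[4] - 1;
    out->consumed = total;
    return 1;
}

/* Build one unencrypted packet for cipher block size 8 with zero padding
 * (a real sender uses random padding). Returns bytes written, 0 if no room. */
size_t ssh_frame_build(uint8_t *out, size_t cap, const uint8_t *payload, size_t plen)
{
    size_t pad = 8 - ((5 + plen) % 8), packet_length, total;

    if (pad < 4)
        pad += 8;            /* RFC 4253: at least 4 bytes of padding */
    packet_length = 1 + plen + pad;
    total = 4 + packet_length;
    if (total > cap || packet_length > SSH_MAX_PACKET_LEN)
        return 0;
    out[0] = (uint8_t)(packet_length >> 24); out[1] = (uint8_t)(packet_length >> 16);
    out[2] = (uint8_t)(packet_length >> 8);  out[3] = (uint8_t)packet_length;
    out[4] = (uint8_t)pad;
    memcpy(out + 5, payload, plen);
    memset(out + 5 + plen, 0, pad);
    return total;
}

/* Pull every complete packet out of buf[0..n). Returns the count; *leftover is
 * the size of a trailing partial packet, or (size_t)-1 on a framing error. */
size_t ssh_split_stream(const uint8_t *buf, size_t n, size_t mac_len,
                        ssh_frame *frames, size_t max_frames, size_t *leftover)
{
    size_t off = 0, count = 0;

    while (count < max_frames) {
        int r = ssh_frame_next(buf + off, n - off, mac_len, &frames[count]);
        if (r < 0) { *leftover = (size_t)-1; return count; }
        if (r == 0) break;
        off += frames[count++].consumed;
    }
    *leftover = n - off;
    return count;
}

/* Constructed stream: two whole packets (16 + 24 bytes) and the first 3 bytes
 * of a third, which is what one read() returns when the sender coalesced writes.
 * Returns the number of complete packets found; *leftover gets the pending bytes. */
size_t demo_two_packets(size_t *leftover)
{
    uint8_t buf[64];
    ssh_frame fr[4];
    size_t n = 0;

    n += ssh_frame_build(buf + n, sizeof buf - n, (const uint8_t *)"hello", 5);
    n += ssh_frame_build(buf + n, sizeof buf - n, (const uint8_t *)"ssh-userauth", 12);
    memcpy(buf + n, "\0\0\0", 3);
    return ssh_split_stream(buf, n + 3, 0, fr, 4, leftover);
}

int main(void)
{
    size_t leftover, count = demo_two_packets(&leftover);

    printf("%zu complete packets, %zu bytes waiting for the next read\n", count, leftover);
    return 0;
}
```

After key exchange the length field is inside the first encrypted block, so a real receiver decrypts one block, applies the same bounds check, and only then decrypts the remainder and verifies the MAC; the check matters because packet_length is attacker-supplied bytes off the wire and is the one value that sizes every buffer the receiver allocates.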
From: benny at bennyvision.com (C. Bensend)
Date: Sat, 13 Jul 2002 01:52:42 -0500 (CDT)
Subject: Building 3.4p1 on HP-UX 11.00, gcc, zlib 1.1.4, OpenSSL 0.9.6d
In-Reply-To: <3D2F76C7.2C16FEB9@zip.com.au>
Message-ID:

On Sat, 13 Jul 2002, Darren Tucker wrote:

> > I've never in my life had such problems building OpenSSH...
> > In fact, this is the same host I've been building my HP-UX
> > binaries on for some time now. Any thoughts?
>
> Another libxnet somewhere else in $LIBRARY_PATH? You could try
> export LIBRARY_PATH=/usr/lib:/usr/ccs/lib:/usr/local/lib
> then make distclean && ../configure

Excellent thought, but I have checked that already. But, and this is an
honest question (you guys probably know a lot more about this than I do),
are we chasing the wrong problem? Configure isn't bombing on libxnet...
While it is certainly complaining about it in config.log, it's not a fatal
error like the zlib one is.

But, I'm guessing this could be a problem that is being incorrectly
reported by configure...

> FWIW, 3.4p1 compiles fine on my C240 (HP-UX 11.00, gcc-3.1).

Gadzooks, with the exception of the gcc version, that's the exact machine
I'm building on. :/

Benny

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Always carry a short length of fibre-optic cable. If you get lost, then
you can drop it on the ground, wait ten minutes, and ask the backhoe
operator how to get back to civilization. -Alan Frame

From benny at bennyvision.com Sat Jul 13 17:00:20 2002
From: benny at bennyvision.com (C. Bensend)
Date: Sat, 13 Jul 2002 02:00:20 -0500 (CDT)
Subject: Building 3.4p1 on HP-UX 11.00, gcc, zlib 1.1.4, OpenSSL 0.9.6d
In-Reply-To: <20020712194317.GC2283@jenny.crlsca.adelphia.net>
Message-ID:

On Fri, 12 Jul 2002, Kevin Steves wrote:

> for what it's worth, here is chatr output from my sshd.
> i don't use gcc, and build according to:
> http://www.atomicgears.com/papers/osshhpux.html

I don't have any HP compiler licenses available for this machine, so it's
either use gcc here or juggle some zlib and OpenSSL bidness on one of my
production build machines [which I'd rather avoid, the developers already
beat the hell out of them].

Thank you VERY much for your paper above - I googled for such a thing, but
never found yours.

I think what I'm going to do on Monday is reinstall this machine (it's
purely for my own software building uses, no data is stored there) to make
sure I don't have funkiness in all the GNU software I've installed. It is
possible I've mucked something up, but I'm still concerned about configure
"seemingly" ignoring my '--with-zlib' option.

Further insight is still VERY much appreciated - I'll let you know what
happens on Monday, if I get a chance to blow that machine away.

Thanks to everyone that's helped so far! :)

Benny

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Always carry a short length of fibre-optic cable. If you get lost, then
you can drop it on the ground, wait ten minutes, and ask the backhoe
operator how to get back to civilization. -Alan Frame

From dtucker at zip.com.au Sat Jul 13 18:24:59 2002
From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 13 Jul 2002 18:24:59 +1000 Subject: Building 3.4p1 on HP-UX 11.00, gcc, zlib 1.1.4, OpenSSL 0.9.6d References: Message-ID: <3D2FE3DB.8F2315E6@zip.com.au> "C. Bensend" wrote: > On Sat, 13 Jul 2002, Darren Tucker wrote: [extra libxnet?] > Excellent thought, but I have checked that already. But, and > this is an honest question (you guys probably know a lot more > about this than I do), are we chasing the wrong problem? > Configure isn't bombing on libxnet... While it is certainly > complaining about it in config.log, it's not a fatal error > like the zlib one is. By comparing my config.log to yours, I've figured out why you're getting the xnet errors: you're compiling with -static and there's no libxnet.a. If I set CFLAGS=-static I'm able to reproduce your problem. > But, I'm guessing this could be a problem that is being > incorrectly reported by configure... The missing library is causing a link failure. (I suspect it's causing configure to get a bunch of other settings wrong too.) $ cat conftest.c char deflate(); int main () { deflate(); return 0; } $ gcc conftest.c -lz $ gcc conftest.c -lz -lxnet $ gcc conftest.c -lz -static $ gcc conftest.c -lz -static -lxnet /usr/ccs/bin/ld: Can't find library: "xnet" collect2: ld returned 1 exit status > > FWIW, 3.4p1 compiles fine on my C240 (HP-UX 11.00, gcc-3.1). > Gadzooks, with the exception of the gcc version, that's the > exact machine I'm building on. :/ What are you doing on my machine and why did you downgrade gcc :-? -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From miipekk at ihme.org Sat Jul 13 19:16:37 2002 
From: miipekk at ihme.org (Miika Pekkarinen) Date: Sat, 13 Jul 2002 12:16:37 +0300 (EEST) Subject: [PATCH]: scp program improved Message-ID: Hi, I have made a patch which improves the scp utility. It adds two new features: rate limit and resume support. With rate limit it's possible to limit transfer speed. Resume allows a file transfer to continue where it was last interrupted. Also the progress meter was improved. Here is my patch, please send comments about it and what I can do better if there is something to fix. --- openssh-3.4p1.orig/scp.c Sat Jul 13 11:38:42 2002 +++ openssh-3.4p1/scp.c Sat Jul 13 11:49:23 2002 @@ -14,6 +14,25 @@ * called by a name other than "ssh" or "Secure Shell". */ /* + * Few patches for the original version: + * + Added rate limit feature (-R) + * + Added resume feature (-a) + * + Progress meter improved + * + * Description: + * Rate limit adds a new switch -R. With rate limit it's possible to + * control how much traffic you would like to allow for the file + * transfer. Option format for this switch is -R [kMG]. + * Value is in bytes per second. + * + * Resume allows to continue last transfer if it was interrupted etc. + * But be careful when using resume feature because it will ALWAYS + * append to the remote file if any exists, i.e., resume doesn't make + * any timestamp checks currently. + * + * 2002 Miika Pekkarinen + */ +/* * Copyright (c) 1999 Theo de Raadt. All rights reserved. * Copyright (c) 1999 Aaron Campbell. All rights reserved. * @@ -119,6 +138,9 @@ /* This is set to non-zero to enable verbose mode. */ int verbose_mode = 0; +/* This disables resume mode for default */ +int resume_mode = 0; + /* This is set to zero if the progressmeter is not desired. */ int showprogress = 1; @@ -202,6 +224,7 @@ uid_t userid; int errs, remin, remout; int pflag, iamremote, iamrecursive, targetshouldbedirectory; +off_t rate_limit = 0; #define CMDNEEDS 64 char cmd[CMDNEEDS]; /* must hold "rcp -r -p -d\0" */ 
@@ -223,7 +246,10 @@ char *targ; extern char *optarg; extern int optind; - + int factor, i; /* For rate limit */ + const char factors[] = "kMMGGG"; + char *c; + __progname = get_progname(argv[0]); args.list = NULL; @@ -233,7 +259,7 @@ addargs(&args, "-oClearAllForwardings yes"); fflag = tflag = 0; - while ((ch = getopt(argc, argv, "dfprtvBCc:i:P:q1246S:o:F:")) != -1) + while ((ch = getopt(argc, argv, "adfprtvBCc:i:P:q1246S:o:F:R:")) != -1) switch (ch) { /* User-visible flags. */ case '1': @@ -249,6 +275,18 @@ case 'F': addargs(&args, "-%c%s", ch, optarg); break; + case 'a': /* Resume mode */ + resume_mode = 1; + break; + case 'R': /* Rate limit */ + factor = 1; + for (i = 0; i < sizeof(factors) - 1; i++) + if ((c = strchr(optarg, factors[i])) != NULL) + factor *= 1000; + if (c) + (*c) = '\0'; + rate_limit = atoi(optarg) * factor; + break; case 'P': addargs(&args, "-p%s", optarg); break; @@ -320,10 +358,13 @@ remin = remout = -1; /* Command to be executed on remote system using "ssh". */ - (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s", - verbose_mode ? " -v" : "", - iamrecursive ? " -r" : "", pflag ? " -p" : "", - targetshouldbedirectory ? " -d" : ""); + (void) snprintf(cmd, sizeof cmd, "scp%s%s%s%s%s -R %llu", + verbose_mode ? " -v" : "", + iamrecursive ? " -r" : "", pflag ? " -p" : "", + targetshouldbedirectory ? " -d" : "", + resume_mode ? " -a" : "", rate_limit); + if (!rate_limit) + *(strstr(cmd, " -R")) = '\0'; (void) signal(SIGPIPE, lostconn); @@ -482,14 +523,18 @@ char *argv[]; { struct stat stb; + struct timeval wait, lastupdate, now; static BUF buffer; BUF *bp; - off_t i, amt, result; + off_t i, amt, result, bcounter; int fd, haderr, indx; - char *last, *name, buf[2048]; + char *last, *name, buf[2048], c; int len; + /* For rate limit */ + int buf_size, cur_mod; + long int sleep_time; - for (indx = 0; indx < argc; ++indx) { + for (indx = 0; indx < argc; ++indx) { name = argv[indx]; statbytes = 0; len = strlen(name); 
@@ -536,14 +581,19 @@ if (response() < 0) goto next; } + if (resume_mode) + c = 'R'; + else + c = 'C'; + #define FILEMODEMASK (S_ISUID|S_ISGID|S_IRWXU|S_IRWXG|S_IRWXO) #ifdef HAVE_LONG_LONG_INT - snprintf(buf, sizeof buf, "C%04o %lld %s\n", + snprintf(buf, sizeof buf, "%c%04o %lld %s\n", c, (u_int) (stb.st_mode & FILEMODEMASK), (long long)stb.st_size, last); #else /* XXX: Handle integer overflow? */ - snprintf(buf, sizeof buf, "C%04o %lu %s\n", + snprintf(buf, sizeof buf, "%c%04o %lu %s\n", c, (u_int) (stb.st_mode & FILEMODEMASK), (u_long) stb.st_size, last); #endif @@ -558,12 +608,42 @@ next: (void) close(fd); continue; } + + /* Calculate optimal buffer size for rate limit if enabled */ + if (rate_limit) { + for (i = buf_size = cur_mod = bp->cnt; i >= 100; i--) { + result = rate_limit % i; + if (result < cur_mod) { + cur_mod = result; + buf_size = i; + } + } + bp->cnt = buf_size; + if (verbose_mode) + printf ("Buffer size: %u\n", buf_size); + } + + i = 0; + if (resume_mode) { + if (bp->cnt < 20) + goto next; + + /* Get the file size if resume mode used */ + (void) atomicio(read, remin, buf, 20); + buf[20] = '\0'; + statbytes = i = atoll(buf); + lseek(fd, i, SEEK_SET); + if (verbose_mode) + printf("Continuing at: %llu\n", i); + } + if (showprogress) { totalbytes = stb.st_size; progressmeter(-1); } + /* Keep writing after an error so that we stay sync'd up. */ - for (haderr = i = 0; i < stb.st_size; i += bp->cnt) { + for (haderr = bcounter = 0; i < stb.st_size; i += bp->cnt) { amt = bp->cnt; if (i + amt > stb.st_size) amt = stb.st_size - i; 
@@ -572,6 +652,26 @@ if (result != amt) haderr = result >= 0 ? EIO : errno; } + + if (rate_limit) { + if (bcounter >= rate_limit / 2) { + (void) gettimeofday(&now, (struct timezone *) 0); + timersub(&now, &lastupdate, &wait); + + sleep_time = ((double)(bcounter / (rate_limit + * (double)(wait.tv_usec / 1000000.0)) - 0) + * (double)wait.tv_usec); + if (sleep_time < 0) + sleep_time = 0; + + usleep(sleep_time); + (void) gettimeofday(&now, (struct timezone *) 0); + lastupdate = now; + + bcounter = 0; + } + } + if (haderr) (void) atomicio(write, remout, bp->buf, amt); else { @@ -579,8 +679,10 @@ if (result != amt) haderr = result >= 0 ? EIO : errno; statbytes += result; + bcounter += result; } } + if (showprogress) progressmeter(1); @@ -666,7 +768,8 @@ int setimes, targisdir, wrerrno = 0; char ch, *cp, *np, *targ, *why, *vect[1], buf[2048]; struct timeval tv[2]; - + int resume = 0; + #define atime tv[0] #define mtime tv[1] #define SCREWUP(str) do { why = str; goto screwup; } while (0) @@ -734,7 +837,7 @@ (void) atomicio(write, remout, "", 1); continue; } - if (*cp != 'C' && *cp != 'D') { + if (*cp != 'C' && *cp != 'D' && *cp != 'R') { /* * Check for the case "rcp remote:foo\* local:bar". * In this case, the line "No match." can be returned @@ -748,6 +851,11 @@ } SCREWUP("expected control record"); } + + /* Set resume mode on if requested */ + if (*cp == 'R') + resume = 1; + mode = 0; for (++cp; cp < buf + 5; cp++) { if (*cp < '0' || *cp > '7') 
@@ -812,11 +920,31 @@ } omode = mode; mode |= S_IWRITE; - if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) { + i = statbytes = 0; + if (resume != 1) { + if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) { bad: run_err("%s: %s", np, strerror(errno)); - continue; + continue; + } + /* Send response */ + (void) atomicio(write, remout, "", 1); + } else { + if ((ofd = open(np, O_WRONLY | O_APPEND | O_CREAT, mode)) < 0) { + run_err("%s: %s", np, strerror(errno)); + continue; + } + /* Send response */ + (void) atomicio(write, remout, "", 1); + + /* Get the file size and send it to the remote + * process so it can continue sending data from + * the right position */ + i = statbytes = lseek(ofd, 0, SEEK_END); + + snprintf(buf, sizeof(buf), "%llu", i); + (void) atomicio(write, remout, buf, 20); } - (void) atomicio(write, remout, "", 1); + if ((bp = allocbuf(&buffer, ofd, 4096)) == NULL) { (void) close(ofd); continue; @@ -828,8 +956,7 @@ totalbytes = size; progressmeter(-1); } - statbytes = 0; - for (count = i = 0; i < size; i += 4096) { + for (count = 0; i < size; i += 4096) { amt = 4096; if (i + amt > size) amt = size - i; @@ -957,8 +1084,8 @@ usage(void) { (void) fprintf(stderr, - "usage: scp [-pqrvBC46] [-F config] [-S program] [-P port]\n" - " [-c cipher] [-i identity] [-o option]\n" + "usage: scp [-apqrvBC46] [-F config] [-S program] [-P port]\n" + " [-c cipher] [-i identity] [-R rate] [-o option]\n" " [[user@]host1:]file1 [...] [[user@]host2:]file2\n"); exit(1); } 
@@ -1098,110 +1225,191 @@ #endif } -void -progressmeter(int flag) -{ - static const char prefixes[] = " KMGTP"; - static struct timeval lastupdate; - static off_t lastsize; - struct timeval now, td, wait; - off_t cursize, abbrevsize; - double elapsed; - int ratio, barlength, i, remaining; - char buf[512]; - - if (flag == -1) { - (void) gettimeofday(&start, (struct timezone *) 0); - lastupdate = start; - lastsize = 0; - } - if (foregroundproc() == 0) - return; +/* Functions for progress meter */ +#define MAX_PREFIXLEN 30 +#define MAX_GAUGELEN 200 - (void) gettimeofday(&now, (struct timezone *) 0); - cursize = statbytes; - if (totalbytes != 0) { - ratio = 100.0 * cursize / totalbytes; - ratio = MAX(ratio, 0); - ratio = MIN(ratio, 100); - } else - ratio = 100; - - snprintf(buf, sizeof(buf), "\r%-20.20s %3d%% ", curfile, ratio); - - barlength = getttywidth() - 51; - if (barlength > 0) { - i = barlength * ratio / 100; - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - "|%.*s%*s|", i, - "*******************************************************" - "*******************************************************" - "*******************************************************" - "*******************************************************" - "*******************************************************" - "*******************************************************" - "*******************************************************", - barlength - i, ""); - } - i = 0; - abbrevsize = cursize; - while (abbrevsize >= 100000 && i < sizeof(prefixes)) { - i++; - abbrevsize >>= 10; - } - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), " %5lu %c%c ", - (unsigned long) abbrevsize, prefixes[i], - prefixes[i] == ' ' ? 
' ' : 'B'); - - timersub(&now, &lastupdate, &wait); - if (cursize > lastsize) { - lastupdate = now; - lastsize = cursize; - if (wait.tv_sec >= STALLTIME) { - start.tv_sec += wait.tv_sec; - start.tv_usec += wait.tv_usec; - } - wait.tv_sec = 0; - } - timersub(&now, &start, &td); - elapsed = td.tv_sec + (td.tv_usec / 1000000.0); +void get_prefixed(off_t value, char *prefixed) +{ + static const char prefixes[] = " KMGT"; + int i = 0; + + for (i = 0; value >= 1024 && i < sizeof(prefixes); i++) { + value >>= 10; + } + + if (i > 0) + snprintf(prefixed, MAX_PREFIXLEN, "%u %ciB", + (unsigned int)value, prefixes[i]); + else + snprintf(prefixed, MAX_PREFIXLEN, "%u B", (unsigned int)value); +} - if (flag != 1 && - (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) { - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - " --:-- ETA"); - } else if (wait.tv_sec >= STALLTIME) { - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - " - stalled -"); - } else { - if (flag != 1) - remaining = (int)(totalbytes / (statbytes / elapsed) - - elapsed); - else - remaining = elapsed; +void get_prefixed_data(off_t value, char *prefixed) +{ + static const char prefixes[] = " kMGT"; + double temp = value; + int i = 0; + + for (i = 0; temp >= 1000 && i < sizeof(prefixes); i++) { + temp /= 1000.0; + } + + if (i > 0) + snprintf(prefixed, MAX_PREFIXLEN, "%u %cB", + (unsigned int)temp, prefixes[i]); + else + snprintf(prefixed, MAX_PREFIXLEN, "%u B", (unsigned int)temp); +} - i = remaining / 3600; - if (i) - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - "%2d:", i); - else - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - " "); - i = remaining % 3600; - snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), - "%02d:%02d%s", i / 60, i % 60, - (flag != 1) ? 
" ETA" : " "); - } - atomicio(write, fileno(stdout), buf, strlen(buf)); +void gauge(unsigned int width, float ratio, char *buf) +{ + const float step = width / 100.0; + char temp[MAX_GAUGELEN + 1] = ""; + int i, n; + + if (width >= MAX_GAUGELEN) + return ; + + n = (float)step * ((float)ratio); + for (i = 0; (i < n) && (i < width); i++) + temp[i] = '='; + + if (i < width) + temp[i] = '>'; + + for (i++; i < width; i++) + temp[i] = '-'; + + snprintf(buf, MAX_GAUGELEN, "[%s]", temp); +} - if (flag == -1) { - mysignal(SIGALRM, updateprogressmeter); - alarm(PROGRESSTIME); - } else if (flag == 1) { - alarm(0); - atomicio(write, fileno(stdout), "\n", 1); - statbytes = 0; - } +void progressmeter(int flag) +{ + static const char indicator[] = "|/-\\"; + static struct timeval lastupdate; + static off_t lastsize; + struct timeval now, td, wait; + static off_t cursize, cur_speed = 1; + static double temp = 1; + static char speed[MAX_PREFIXLEN] = "0 B"; + double elapsed; + static int ind_value = 0; + float ratio; + int hours, mins, secs, remaining; + char buf[512], eta[20], buf_gauge[MAX_GAUGELEN] = "", filename[512]; + char pre_cursize[MAX_PREFIXLEN], pre_totalsize[MAX_PREFIXLEN]; + int len, len2, len3, ttywidth = getttywidth(); + + snprintf(filename, 512, "%s", curfile); + if (flag == -1) { + (void) gettimeofday(&start, (struct timezone *) 0); + lastupdate = start; + lastsize = 0; + } + if (foregroundproc() == 0) + return; + + (void) gettimeofday(&now, (struct timezone *) 0); + cursize = statbytes; + if (totalbytes != 0) { + ratio = 100.0 * cursize / totalbytes; + /* ratio = MAX(ratio, 0); + ratio = MIN(ratio, 100); */ + } else + ratio = 100; + + get_prefixed(cursize, pre_cursize); + get_prefixed(totalbytes, pre_totalsize); + + timersub(&now, &lastupdate, &wait); + if (cursize > lastsize) { + lastupdate = now; + if (wait.tv_sec >= STALLTIME) { + start.tv_sec += wait.tv_sec; + start.tv_usec += wait.tv_usec; + } + + temp = (double)(wait.tv_usec / 1000000.0); + if ((long int)temp 
== 0) + temp = 1; + + cur_speed = (double)(cursize - lastsize) / temp; + if (flag != 1) + get_prefixed_data(cur_speed, speed); + + wait.tv_sec = 0; + lastsize = cursize; + } + if ((long int)cur_speed == 0) + cur_speed = 1; + timersub(&now, &start, &td); + elapsed = td.tv_sec + (td.tv_usec / 1000000.0); + + if (flag != 1 && + (statbytes <= 0 || elapsed <= 0.0 || cursize > totalbytes)) { + snprintf(eta, sizeof(eta), "--.--.--"); + } else if (wait.tv_sec >= STALLTIME) { + snprintf(eta, sizeof(eta), "stalled"); + } else { + if (flag != 1) + remaining = (int)((totalbytes - statbytes) / cur_speed); + else + remaining = elapsed; + + hours = remaining / 3600; + mins = (remaining / 60) - (hours * 60); + secs = remaining - (3600 * hours) - (60 * mins); + + snprintf(eta, sizeof(eta), "%2.2u.%2.2u.%2.2u", + hours, mins, secs); + } + + /* Determine best size for progress meter */ + snprintf(buf, sizeof(buf), "'' %s of %s [] %c (%2.1f%%) %s/s ETA: %s ", + pre_cursize, pre_totalsize, indicator[ind_value], ratio, speed, eta); + + len = strlen(buf); + len2 = strlen(filename); + + if (ttywidth - len - len2 < 10) { + len3 = ttywidth - len - len2 - 10; + len2 = MAX(len2 + len3, 20); + if (len2 < 20) { + filename[18] = '.'; + filename[19] = '.'; + filename[20] = '\0'; + } else if (len2 < sizeof(filename)) { + filename[len2 - 2] = '.'; + filename[len2 - 1] = '.'; + filename[len2] = '\0'; + } + } + len2 = strlen(filename); + + gauge(MAX(ttywidth - len - len2, 0), ratio, buf_gauge); + snprintf(buf, sizeof(buf), "\r'%s' %s of %s %s %c (%2.1f%%) %s/s ETA: %s", + filename, pre_cursize, pre_totalsize, buf_gauge, indicator[ind_value], + ratio, speed, eta); + + if (ttywidth < sizeof(buf)) + buf[ttywidth] = '\0'; + + if (ind_value == 3) + ind_value = 0; + else + ind_value++; + + atomicio(write, fileno(stdout), buf, strlen(buf)); + + if (flag == -1) { + mysignal(SIGALRM, updateprogressmeter); + alarm(PROGRESSTIME); + } else if (flag == 1) { + alarm(0); + atomicio(write, fileno(stdout), "\n", 1); 
+ statbytes = 0; + } } int --- openssh-3.4p1.orig/scp.1 Sat Jul 13 11:38:42 2002 +++ openssh-3.4p1/scp.1 Sat Jul 13 11:21:33 2002 @@ -3,6 +3,7 @@ .\" scp.1 .\" .\" Author: Tatu Ylonen +.\" Patched: Miika Pekkarinen .\" .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland .\" All rights reserved @@ -19,12 +20,13 @@ .Nd secure copy (remote file copy program) .Sh SYNOPSIS .Nm scp -.Op Fl pqrvBC1246 +.Op Fl apqrvBC1246 .Op Fl F Ar ssh_config .Op Fl S Ar program .Op Fl P Ar port .Op Fl c Ar cipher .Op Fl i Ar identity_file +.Op Fl R Ar rate_limit .Op Fl o Ar ssh_option .Sm off .Oo @@ -59,6 +61,12 @@ .Pp The options are as follows: .Bl -tag -width Ds +.It Fl a +Sets resume mode on. When copying a file which already exists on the +remote machine scp will try to continue the data transfer where it was +last interrupted. Please be careful when using this flag because scp +will always append to the remote file if any exists. Both sides have to +support this feature. .It Fl c Ar cipher Selects the cipher to use for encrypting the data transfer. This option is directly passed to @@ -68,6 +76,12 @@ authentication is read. This option is directly passed to .Xr ssh 1 . +.It Fl R Ar rate_limit +With rate limit it's possible to control how much traffic you would +like to allow for the file transfer. For example to limit bandwidth +usage to 20 kilobytes per second is specified using +.Ic scp -R 20k . +Source host must support rate limit. .It Fl p Preserves modification times, access times, and modes from the original file. -- Miika Pekkarinen miika at ihme.org From mouring at etoh.eviladmin.org Sun Jul 14 05:22:47 2002 
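Review bot: the -R suffix parsing in the `case 'R'` hunk (@@ -249,6 +275,18) computes `atoi(optarg) * factor` in int, so with `factor` already 1000000000 for a 'G' suffix anything above about 2 GB/s overflows before it reaches the off_t `rate_limit`; do the multiplication in long long (or off_t) and reject a zero or negative result. The `"kMMGGG"` loop also accepts mixed suffixes such as `1kM`, and because `c` only ever holds the last `strchr` result the `(*c) = '\0'` truncation fires just for 'G' (harmless, since atoi stops at the first non-digit, but misleading); a switch on the final character of `optarg` would be clearer. The multiplier is decimal (1k = 1000 bytes/s) while the new `get_prefixed` in the progress meter divides by 1024, which makes the displayed rate and the requested one hard to compare.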
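Review bot: in the `snprintf(cmd, ...)` hunk (@@ -320,10 +358,13) the format `" -R %llu"` is given an `off_t` argument; this file already guards `%lld` with `HAVE_LONG_LONG_INT` and falls back to `%lu`, so cast `rate_limit` under the same guard or follow that pattern. The rate limit is enforced in `source()`, yet `-R` is appended to the remote command whenever it is non-zero, so a push to a remote scp that does not understand `-R` fails with a usage error although the local side is doing all the limiting; add `-R` only when the remote end is the source. `cmd` is `CMDNEEDS` (64) bytes with a comment saying it must hold `"rcp -r -p -d\0"`; the longest new command still fits, but the comment should be updated.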
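Review bot: in the resume block of the @@ -558,12 +608,42 hunk the offset received from the peer is used unchecked: the return value of `atomicio(read, remin, buf, 20)` is ignored, `atoll(buf)` is not verified to have parsed a number, and `lseek(fd, i, SEEK_SET)` is called without checking `i <= stb.st_size`. A short or malformed reply then makes the source silently skip the whole file (the `for` loop never runs) while the sink is still expecting `size` bytes and will read the next control record as file data. Check the read length, bounds-check `i` against `stb.st_size` and bail out with `run_err` otherwise. The `bp->cnt < 20` test guards the wrong buffer (`buf` is 2048 bytes) and on failure jumps to `next` after the sink has already been told to expect the file. `printf("Continuing at: %llu\n", i)` passes an `off_t` to `%llu` as well.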
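Review bot: the throttling block in the @@ -572,6 +652,26 hunk calls `timersub(&now, &lastupdate, &wait)` before `lastupdate` has ever been assigned (it is a local of `source()` declared in the @@ -482 hunk and only set after the first sleep), so the first delay is computed from an uninitialised timeval. The sleep formula also uses only `wait.tv_usec` and ignores `wait.tv_sec`, divides by zero when `tv_usec` is 0, and carries a no-op `- 0`. The intended delay is just `bcounter / rate_limit` seconds minus the time already elapsed (`wait.tv_sec + wait.tv_usec / 1e6`), clamped at zero and converted to microseconds for `usleep`; initialise `lastupdate` with `gettimeofday` before the loop.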
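Review bot: in the @@ -748,6 +851,11 hunk `resume` is set to 1 on an 'R' record but never reset to 0 on a later 'C' record, and it is declared once per `sink()` call (@@ -666 hunk), so in a recursive or multi-file transfer a single 'R' record makes every subsequent file open with `O_APPEND`. Assign `resume = (*cp == 'R');` unconditionally instead.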
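Review bot: in the resume branch of the @@ -812,11 +920,31 hunk, `snprintf(buf, sizeof(buf), "%llu", i)` followed by `atomicio(write, remout, buf, 20)` sends 20 bytes of which only the formatted digits are meaningful; the remainder is whatever the control record left in `buf`, so stale buffer contents go over the wire and the peer depends on finding the NUL. Format a fixed-width field (`"%020llu"`) so both ends agree on the encoding, and cast `i` for `%llu` as elsewhere. `lseek(ofd, 0, SEEK_END)` can also return -1, which this code would then report to the source as the offset; check it before use.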
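Review bot: in the rewritten `progressmeter()` (@@ -1098,110 +1225,191) the speed estimate `temp = (double)(wait.tv_usec / 1000000.0)` drops `wait.tv_sec`, and because `temp` is then always below 1 the `(long int)temp == 0` test always fires and forces `temp = 1`, so `cur_speed` is really bytes per update interval rather than bytes per second and the ETA inherits the error. Use `wait.tv_sec + wait.tv_usec / 1e6` and guard against a zero interval instead. Smaller points: `%2.2u` in the ETA format is given `int` arguments; the `MAX(ratio, 0)`/`MIN(ratio, 100)` clamps are commented out, so `ratio` can exceed 100 when `totalbytes` is stale; `get_prefixed` loops while `i < sizeof(prefixes)`, which lets `i` index the terminating NUL of `" KMGT"`; and the `if (len2 < 20)` branch after `len2 = MAX(len2 + len3, 20)` can never be taken.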
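Review bot: the `-R` entry in the scp.1 hunk (@@ -68,6 +76,12) should state which suffixes are accepted and what they mean: the parser in scp.c multiplies by 1000 per suffix letter, so `20k` is 20000 bytes per second rather than 20 kilobytes in the 1024 sense, and lowercase `m`/`g` or uppercase `K` are not recognised. The sentence "For example to limit bandwidth usage to 20 kilobytes per second is specified using" needs rewording, and the entry is placed between `-i` and `-p` although the synopsis groups the uppercase options separately, so it belongs with `-P` and `-S`.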
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Sat, 13 Jul 2002 14:22:47 -0500 (CDT) Subject: PATH problem in Irix. In-Reply-To: Message-ID: Andrew, Have you tested this so we can import this into the tree? I won't have my SGI Indy box for another few weeks. - Ben On Mon, 8 Jul 2002, Tim Rice wrote: > On Mon, 8 Jul 2002, Andrew Daviel wrote: > > > > > I recently compiled openssh 3.4p1 for SGI Irix, and found the same problem > > I'd had with 2.5. > > > > Viz. that Irix /usr/include/paths.h defines _PATH_USERPATH, not USER_PATH, > > so that defines.h doesn't find it and we get the default, which is missing > > /usr/bsd (which on Irix has things like head, more, lpr) and /usr/bin/X11. > > This annoys the users, who want X11 to work. > > > This may be a better solution. Please test. > If you don't have autoconf 2.52, e-mail me for configure > ---------------< cut >---------------- > --- configure.ac.old Sun Jul 7 13:43:36 2002 > +++ configure.ac Mon Jul 8 08:42:26 2002 > @@ -2002,7 +2002,11 @@ > # include > #endif > #ifndef _PATH_STDPATH > -# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" > +# ifdef _PATH_USERPATH /* Irix */ > +# define _PATH_STDPATH _PATH_USERPATH > +# else > +# define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" > +# endif > #endif > #include > #include > ---------------< end cut >---------------- > > > > I added a test to defines.h, as follows: > > > > --- openssh-3.4p1/defines.h Mon Jun 24 09:26:49 2002 > > +++ defines.h Sun Jul 7 00:33:08 2002 
> > @@ -296,6 +296,14 @@ > > # define _PATH_STDPATH USER_PATH > > #endif > > > > +#ifdef _PATH_USERPATH > > +# ifdef _PATH_STDPATH > > +# undef _PATH_STDPATH > > +# endif > > +# define _PATH_STDPATH _PATH_USERPATH > > +#endif > > + > > + > > #ifndef _PATH_STDPATH > > # define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin" > > #endif > > > > > > There's also a _PATH_ROOTPATH defined for root defaults, but I didn't try > > to implement that for root login. > > > > > > -- > Tim Rice Multitalents (707) 887-1469 > tim at multitalents.net > > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From jmknoble at pobox.com Sun Jul 14 07:11:16 2002 
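Review bot: the `# ifdef _PATH_USERPATH` fallback in the configure.ac hunk (@@ -2002,7 +2002,11) only takes effect while `_PATH_STDPATH` is still undefined, whereas Andrew's defines.h change unconditionally replaces `_PATH_STDPATH` with `_PATH_USERPATH`; on an Irix whose paths.h defines both, the two approaches pick different values. Confirm which of the two macros the Irix header actually defines before merging, and since this hunk lives in a configure.ac test program, check that the value it detects is the one that reaches defines.h and sshd at run time.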
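Review bot: the new `#ifdef _PATH_USERPATH` block in the defines.h hunk (@@ -296,6 +296,14) undefines and replaces `_PATH_STDPATH` after the preceding `# define _PATH_STDPATH USER_PATH`, so a default path chosen explicitly at configure time (`USER_PATH`) is silently overridden on Irix. Guard it with `#ifndef USER_PATH`, or place the `_PATH_USERPATH` fallback before the `USER_PATH` block, so the configured value wins; the two trailing empty `+` lines can be dropped too.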
From: jmknoble at pobox.com (Jim Knoble) Date: Sat, 13 Jul 2002 17:11:16 -0400 Subject: ssh-keygen In-Reply-To: <02ba01c22a30$a2643c30$25b4a8c0@COSMOS>; from amarpal.singh@ip-unity.com on Fri, Jul 12, 2002 at 10:46:27PM -0700 References: <02ba01c22a30$a2643c30$25b4a8c0@COSMOS> Message-ID: <20020713171116.B10490@zax.half.pint-stowp.cx> Circa 2002-Jul-12 22:46:27 -0700 dixit Amarpal Singh: : Hi All, : : Where do I get ssh-keygen (1 and 2) free downloads? This question does not make sense. The ssh-keygen program is part of the OpenSSH software and comes with it. : How are RSA-1, RSA-2 and DSA-2 related to ssh-keygen1 and : ssh-keygen2? There is no 'ssh-keygen1' or 'ssh-keygen2' with OpenSSH, only 'ssh-keygen'. Perhaps you are looking for one of SSH Communications' products (www.ssh.com)? -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) From bugzilla-daemon at mindrot.org Sun Jul 14 13:31:54 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 14 Jul 2002 13:31:54 +1000 (EST) Subject: [Bug 125] with BSM auditing, cron editing thru ssh session causes cron jobs to fail Message-ID: <20020714033154.E704EE921@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=125 ------- Additional Comments From jrj at purdue.edu 2002-07-14 13:31 ------- Created an attachment (id=131) Update of bug #2 patch to 3.4p1 ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sun Jul 14 13:38:38 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 14 Jul 2002 13:38:38 +1000 (EST) Subject: [Bug 125] with BSM auditing, cron editing thru ssh session causes cron jobs to fail Message-ID: <20020714033838.92E09E9F4@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=125 ------- Additional Comments From jrj at purdue.edu 2002-07-14 13:38 ------- The above attachment includes an update of the original patch by Darren J. Moffat at Sun for this problem. I took his 3.1p1 based patch and: * updated it to 3.4p1 * added autoconf support to auto-detect the need for the extra functions * fixed one incredibly minor potential (probably would never happen) memory leak * added support for earlier versions of Solaris (pre-IPv6, e.g. 2.6) Note that if BSM is enabled, the code disables (with a warning) the privilege separation feature. This is because the audit functions must be done as root, which is the parent of the two processes, and the data would not flow back down into the child. At least, I didn't see any easy way to do it (but I didn't look all that hard). If BSM is not enabled, privilege separation will be used (or not) as it would without the patch. John R. Jackson, Technical Software Specialist, jrj at purdue.edu From bugzilla-daemon at mindrot.org Mon Jul 15 07:46:47 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 15 Jul 2002 07:46:47 +1000 (EST) Subject: [Bug 323] arp -n flag doesn't exist under Solaris, ssh_prng_cmds still uses it Message-ID: <20020714214647.07087E921@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=323 tim at multitalents.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From tim at multitalents.net 2002-07-15 07:46 ------- Fixed in current From Darren.Moffat at Sun.COM Mon Jul 15 07:51:21 2002 From: Darren.Moffat at Sun.COM (Darren Moffat) Date: Sun, 14 Jul 2002 14:51:21 -0700 (PDT) Subject: [Bug 323] arp -n flag doesn't exist under Solaris, ssh_prng_cmds still uses it Message-ID: <200207142152.g6ELqiuP490735@jurassic.eng.sun.com> >Subject: [Bug 323] arp -n flag doesn't exist under Solaris, ssh_prng_cmds still uses it It exists in Solaris 9 but not on previous releases: $ uname -srp SunOS 5.9 sparc $ arp Usage: arp hostname arp -a [-n] arp -d hostname arp -s hostname ether_addr [temp] [pub] [trail] arp -f filename -- Darren J Moffat From tim at multitalents.net Mon Jul 15 07:59:32 2002 
From: tim at multitalents.net (Tim Rice) Date: Sun, 14 Jul 2002 14:59:32 -0700 (PDT) Subject: [Bug 323] arp -n flag doesn't exist under Solaris, ssh_prng_cmds still uses it In-Reply-To: <200207142152.g6ELqiuP490735@jurassic.eng.sun.com> Message-ID: On Sun, 14 Jul 2002, Darren Moffat wrote: > > >Subject: [Bug 323] arp -n flag doesn't exist under Solaris, ssh_prng_cmds > still uses it > > It exists in Solaris 9 but not on previous releases: > The suggested fix was to change "arp -a -n" to "arp -n -a" I trust that Solaris 9 can handle arp -n -a -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From Darren.Moffat at Sun.COM Mon Jul 15 08:07:04 2002 From: Darren.Moffat at Sun.COM (Darren Moffat) Date: Sun, 14 Jul 2002 15:07:04 -0700 (PDT) Subject: [Bug 323] arp -n flag doesn't exist under Solaris, ssh_prng_cmds still uses it Message-ID: <200207142208.g6EM8RuP491779@jurassic.eng.sun.com> >Date: Sun, 14 Jul 2002 14:59:32 -0700 (PDT) >From: Tim Rice >X-X-Sender: tim at ou8.int.multitalents.net >To: Darren Moffat >cc: openssh-unix-dev at mindrot.org >Subject: Re: [Bug 323] arp -n flag doesn't exist under Solaris, ssh_prng_cmds still uses it > >On Sun, 14 Jul 2002, Darren Moffat wrote: > >> >> >Subject: [Bug 323] arp -n flag doesn't exist under Solaris, ssh_prng_cmds >> still uses it >> >> It exists in Solaris 9 but not on previous releases: >> >The suggested fix was to change "arp -a -n" to "arp -n -a" >I trust that Solaris 9 can handle arp -n -a yes it can. $ Net to Media Table: IPv4 Device IP Address Mask Flags Phys Addr ------ -------------------- --------------- ----- --------------- hme0 192.168.1.1 255.255.255.255 00:06:25:5b:0b:0d hme0 192.168.1.2 255.255.255.255 SP 08:00:20:fd:ae:c3 hme0 224.0.0.0 240.0.0.0 SM 01:00:5e:00:00:00 -- Darren J Moffat From bugzilla-daemon at mindrot.org Mon Jul 15 08:34:06 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 15 Jul 2002 08:34:06 +1000 (EST) Subject: [Bug 347] wrong macro used Message-ID: <20020714223406.E34CEE998@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=347 tim at multitalents.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From tim at multitalents.net 2002-07-15 08:33 ------- Fixed in current From bugzilla-daemon at mindrot.org Mon Jul 15 08:51:32 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 15 Jul 2002 08:51:32 +1000 (EST) Subject: [Bug 348] infinite loop scanning wtmpx Message-ID: <20020714225132.92C5AE9B3@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=348 tim at multitalents.net changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From tim at multitalents.net 2002-07-15 08:51 ------- Fixed in current From bugzilla-daemon at mindrot.org Mon Jul 15 17:05:44 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 15 Jul 2002 17:05:44 +1000 (EST) Subject: [Bug 354] New: sshd with privsep doesn't do pam session setup properly Message-ID: <20020715070544.D6450E8FF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=354 Summary: sshd with privsep doesn't do pam session setup properly Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: rudolph at getsystems.com When logging in to an openssh >=3.4p1 sshd (I haven't tested earlier than that, but I have tested up to the snapshot from the 14/7/2002) setrlimit, through the pam session setup, isn't called in the appropriate place to allow specified users to have higher ulimits than the server is started with. This ought to work, as pam limits are allowed to specify arbitrarily high limits for users listed. The problem appears to be that do_pam_session is being called after we drop to the user's uid. Without privsep turned on, this all works, as we drop to the user's uid after do_pam_session. Specifically: with privsep on, do_setusercontext in privsep_postauth (sshd.c) is called before do_pam_session in do_exec_pty (session.c). Without privsep, we only drop root privs in do_child (session.c), which is after we do_exec_pty, since (obviously) the former code/call to do_setusercontext is unreached. A possible (does appear to work, though not properly tested) solution is to simply call do_pam_session in privsep_postauth before the do_setusercontext call, though I am unsure of the ramifications of this. From bugzilla-daemon at mindrot.org Mon Jul 15 19:39:26 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 15 Jul 2002 19:39:26 +1000 (EST) Subject: [Bug 332] Authentication failures after updating to 3.4.p1 Message-ID: <20020715093926.1B705E8FF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=332 ------- Additional Comments From b.hunt at emuse-tech.com 2002-07-15 19:39 ------- thanks tom From dtucker at zip.com.au Mon Jul 15 21:52:14 2002 From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 15 Jul 2002 21:52:14 +1000 Subject: Patch: remove unused tty variable from session.c Message-ID: <3D32B76E.D29CDFD7@zip.com.au> Hi. This was added just before 3.4p1 for passing to aix_usrinfo and is now unused. -Daz. Index: session.c =================================================================== RCS file: /cvs/openssh/session.c,v retrieving revision 1.210 diff -u -r1.210 session.c --- session.c 4 Jul 2002 03:08:41 -0000 1.210 +++ session.c 15 Jul 2002 11:50:14 -0000 @@ -1159,8 +1159,6 @@ void do_setusercontext(struct passwd *pw) { - char tty='\0'; - #ifdef HAVE_CYGWIN if (is_winnt) { #else /* HAVE_CYGWIN */ -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From bugzilla-daemon at mindrot.org Mon Jul 15 22:01:11 2002 
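Review bot: removing `char tty='\0';` from `do_setusercontext()` (@@ -1159,8 +1159,6) is fine only if no platform-specific branch further down still references it; the message says it was added for `aix_usrinfo`, and the hunk's context shows just the `HAVE_CYGWIN` branch, so the AIX `#ifdef` path in the rest of the function should be compiled (or at least grepped for `tty`) before this goes in.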
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 15 Jul 2002 22:01:11 +1000 (EST) Subject: [Bug 308] openssh 3.4 won't install or run on Solaris 8, on an Ultra 10 Sparc station Message-ID: <20020715120111.97794E92D@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=308 ------- Additional Comments From dtucker at zip.com.au 2002-07-15 22:01 ------- /var/empty should be owned by root and mode 0755: # ls -ld /var/empty drwxr-xr-x 2 root sys 512 Jul 15 21:44 /var/empty ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From dtucker at zip.com.au Mon Jul 15 22:32:16 2002 From: dtucker at zip.com.au (Darren Tucker) Date: Mon, 15 Jul 2002 22:32:16 +1000 Subject: Patch: Solaris packages don't create privsep user or group Message-ID: <3D32C0D0.AC976412@zip.com.au> Hi. Solaris packages created by buildpkg.sh don't create privsep user or group and sshd won't start until they are created (or privsep is disabled): ## Executing postinstall script. starting /usr/local/sbin/sshd... Privilege separation user sshd does not exist /etc/init.d/opensshd: Error 255 starting /usr/local/sbin/sshd... bailing. The attached patch (against -cvs) ports the relevant parts from the AIX package builder. I've tested it on Solaris 8 only and would be interested to know if it works on other SysV-based systems. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: contrib/solaris/buildpkg.sh =================================================================== RCS file: /cvs/openssh/contrib/solaris/buildpkg.sh,v retrieving revision 1.5 diff -u -r1.5 buildpkg.sh --- contrib/solaris/buildpkg.sh 9 Jul 2002 02:02:11 -0000 1.5 +++ contrib/solaris/buildpkg.sh 15 Jul 2002 12:32:49 -0000 
@@ -98,6 +98,19 @@ eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2` done + +## Collect value of privsep user +for confvar in SSH_PRIVSEP_USER +do + eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h` +done + +## Set privsep defaults if not defined +if [ -z "$SSH_PRIVSEP_USER" ] +then + SSH_PRIVSEP_USER=sshd +fi + ## Extract common info requires for the 'info' part of the package. VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'` @@ -213,6 +226,33 @@ [ -d $piddir ] || installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR$piddir d 755 root sys installf -f ${PKGNAME} + +if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null +then + echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user" + echo "or group." +else + echo "UsePrivilegeSeparation enabled in config (or defaulting to on)." + + # create group if required + if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + then + echo "PrivSep group $SSH_PRIVSEP_USER already exists." + else + echo "Creating PrivSep group $SSH_PRIVSEP_USER." + groupadd $SSH_PRIVSEP_USER + fi + + # Create user if required + if cut -f1 -d: /etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + then + echo "PrivSep user $SSH_PRIVSEP_USER already exists." + else + echo "Creating PrivSep user $SSH_PRIVSEP_USER." + useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER $SSH_PRIVSEP_USER + passwd -l $SSH_PRIVSEP_USER + fi +fi [ "\${POST_INS_START}" = "yes" ] && ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start exit 0 From gert at greenie.muc.de Mon Jul 15 22:44:28 2002 
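Review bot: the awk pattern `/#define[ \t]'$confvar'/` in the first hunk is an unanchored substring match, so a later `#define SSH_PRIVSEP_USER...` with a longer name would also print its third field and the `eval` would be handed several words; anchoring it as `/^#define[ \t]+'$confvar'[ \t]/` restricts the match to the one definition. The `-z` fallback to `sshd` then covers only the case where no `#define` line matched at all, which is the intent.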
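Review bot: the postinstall code in the second hunk does not honour the alternate install root that the surrounding context already uses (`\${PKG_INSTALL_ROOT}$TEST_DIR$piddir` on the installf line): it greps `$sysconfdir/sshd_config`, `/etc/group` and `/etc/passwd` on the running system and runs `groupadd`, `useradd` and `passwd -l` there, so under a JumpStart or other `pkgadd -R` install the privsep user would be created on the install host rather than in the target root. At minimum the three file checks should be prefixed with `\${PKG_INSTALL_ROOT}`, and the exit status of `groupadd`/`useradd` should be tested instead of falling through to the `${SYSVINIT_NAME} start` line when creation fails. Note also that `[ \t]` in `egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no'` is a POSIX bracket expression matching space, backslash or the letter `t`, not a tab.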
From: gert at greenie.muc.de (Gert Doering) Date: Mon, 15 Jul 2002 14:44:28 +0200 Subject: With bounds checking patch for gcc-3.1 problems if using AES In-Reply-To: <20020712140755.GA543@serv01.aet.tu-cottbus.de>; from Lutz.Jaenicke@aet.TU-Cottbus.DE on Fri, Jul 12, 2002 at 04:07:55PM +0200 References: <3D249F0C.90600@gmx.de> <3D2B3484.9000906@gmx.de> <20020709175948.GA29587@serv01.aet.tu-cottbus.de> <20020710152617.GB7480@folly> <20020710153535.GB23442@faui02> <20020712104330.GA27317@folly> <20020712155041.D17492@greenie.muc.de> <20020712140755.GA543@serv01.aet.tu-cottbus.de> Message-ID: <20020715144428.A23141@greenie.muc.de> Hi, On Fri, Jul 12, 2002 at 04:07:55PM +0200, Lutz Jaenicke wrote: [..] > > - all sorts of key handling with DSA or RSA2 keys leads to core dumping, > > while everything done with RSA1 keys works just fine. "ssh -1" has > > no problems whatsoever either. > > > > Happens *only* on FreeBSD 2.1.x machines, with x > 5. > > > > As this machine will go out of service "soon" anyway, I haven't done any > > in-depth debugging yet. > > If it would be a bug inside FreeBSD's routines, debugging would be a waste > of time. One can however not be sure. Maybe there is a bug in OpenSSH > (or OpenSSL, that's why I am following the thread closely) that just becomes > visible under certain conditions. I tracked this down today. It is not a bug in OpenSSL :-) and not really a bug in OpenSSH. The crash happens inside uuencode() which calls __b64_ntop(). From tracing with gdb, it seems __b64_ntop() is completely zero'ing the stack... This happens only with the system __b64_ntop() (/usr/lib/libc.so.3.0), but not with the openbsd-compat/base64.c one. It works fine if I modify config.h after configure, and set "#undef HAVE___B64_NTOP". I write this to document it as a "known operating system problem", but I don't think it's worth investing effort in fixing it - FreeBSD 2.1 is *old*. 
If someone besides us runs into this problem, he should be able to find the solution in the archives now :-) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From d.schroeter at gmx.de Tue Jul 16 04:57:08 2002 From: d.schroeter at gmx.de (=?ISO-8859-1?Q?Daniel_Schr=F6ter?=) Date: Mon, 15 Jul 2002 18:57:08 +0000 Subject: With bounds checking patch for gcc-3.1 problems if using AES References: <3D249F0C.90600@gmx.de> <3D2B3484.9000906@gmx.de> <20020709175948.GA29587@serv01.aet.tu-cottbus.de> <20020710152617.GB7480@folly> <20020710153535.GB23442@faui02> <20020712104330.GA27317@folly> Message-ID: <3D331B04.4010608@gmx.de> Hello, I'm back from holidays and I tried today the patch from Markus Friedl. There is a #ifndef SSH_OLD_EVP in "my" cipher.c file so it looks now this way: rijndal_cbc.cleanup = ssh_rijndael_cleanup; rijndal_cbc.do_cipher = ssh_rijndael_cbc; #ifndef SSH_OLD_EVP rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV; #endif return (&rijndal_cbc); } #endif With this patch it looks good :-) [~/src/openssh/openssh-3.4p1.diff.test]$ export GCC_BOUNDS_OPTS="-no-message -no-statistics" [~/src/openssh/openssh-3.4p1.diff.test]$ ./ssh localhost [...] debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none [...] test at localhost's password: Thanks for your help! Bye Daniel -- ========================================================= PGP keyID: 9EA3FF2C $ gpg --keyserver wwwkeys.de.pgp.net --recv-key 9EA3FF2C ========================================================= From mouring at etoh.eviladmin.org Tue Jul 16 03:45:46 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 15 Jul 2002 12:45:46 -0500 (CDT) Subject: Patch: remove unused tty variable from session.c In-Reply-To: <3D32B76E.D29CDFD7@zip.com.au> Message-ID: Thanks, Applied. On Mon, 15 Jul 2002, Darren Tucker wrote: > Hi. > This was added just before 3.4p1 for passing to aix_usrinfo and is now > unused. > > -Daz. > > Index: session.c > =================================================================== > RCS file: /cvs/openssh/session.c,v > retrieving revision 1.210 > diff -u -r1.210 session.c > --- session.c 4 Jul 2002 03:08:41 -0000 1.210 > +++ session.c 15 Jul 2002 11:50:14 -0000 > @@ -1159,8 +1159,6 @@ > void > do_setusercontext(struct passwd *pw) > { > - char tty='\0'; > - > #ifdef HAVE_CYGWIN > if (is_winnt) { > #else /* HAVE_CYGWIN */ > > -- > Darren Tucker (dtucker at zip.com.au) > GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From amarpal.singh at ip-unity.com Tue Jul 16 03:54:13 2002 From: amarpal.singh at ip-unity.com (Amarpal Singh) Date: Mon, 15 Jul 2002 10:54:13 -0700 Subject: -t option in ssh-keygen Message-ID: <02ca01c22c28$a1df86d0$25b4a8c0@COSMOS> Hi All, I just downloaded and installed openssh3.4p1 and tried to run ssh-keygen with -t option. It complains -t to be an illegal option. It's ssh-keygen version 1.2.20 The documentation does document -t option. Am I doing something wrong? ~A~ From mouring at etoh.eviladmin.org Tue Jul 16 03:55:45 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 15 Jul 2002 12:55:45 -0500 (CDT) Subject: Patch: Solaris packages don't create privsep user or group In-Reply-To: <3D32C0D0.AC976412@zip.com.au> Message-ID: Hmm.. Does this work with JumpStart? Can you add users at install time? - Ben On Mon, 15 Jul 2002, Darren Tucker wrote: > Hi. > Solaris packages created by buildpkg.sh don't create privsep user or > group and sshd won't start until they are created (or privsep is > disabled): > > ## Executing postinstall script. > starting /usr/local/sbin/sshd... Privilege separation user sshd does not > exist > /etc/init.d/opensshd: Error 255 starting /usr/local/sbin/sshd... > bailing. > > The attached patch (against -cvs) ports the relevant parts from the AIX > package builder. I've tested it on Solaris 8 only and would be > interested to know if it works on other SysV-based systems. > > -- > Darren Tucker (dtucker at zip.com.au) > GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. From Nicolas.Williams at ubsw.com Tue Jul 16 04:17:38 2002 From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com) Date: Mon, 15 Jul 2002 14:17:38 -0400 Subject: Patch: Solaris packages don't create privsep user or group Message-ID: <17D3D857B26112409EA372EB0AFE39DD125F62@NSTMC005PEX1.ubsgs.ubsgroup.net> You sure can... Nico -- > -----Original Message----- 
> From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org] > Sent: Monday, July 15, 2002 1:56 PM > To: Darren Tucker > Cc: OpenSSH Devel List > Subject: Re: Patch: Solaris packages don't create privsep > user or group > > > > > Hmm.. Does this work with JumpStart? Can you add users at > install time? > > - Ben > > On Mon, 15 Jul 2002, Darren Tucker wrote: > > > Hi. > > Solaris packages created by buildpkg.sh don't create > privsep user or > > group and sshd won't start until they are created (or privsep is > > disabled): > > > > ## Executing postinstall script. > > starting /usr/local/sbin/sshd... Privilege separation user > sshd does not > > exist > > /etc/init.d/opensshd: Error 255 starting /usr/local/sbin/sshd... > > bailing. > > > > The attached patch (against -cvs) ports the relevant > parts from the AIX > > package builder. I've tested it on Solaris 8 only and would be > > interested to know if it works on other SysV-based systems. > > > > -- > > Darren Tucker (dtucker at zip.com.au) > > GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > > Good judgement comes with experience. Unfortunately, > the experience > > usually comes from bad judgement. > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > Visit our website at http://www.ubswarburg.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. 
The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. From mouring at etoh.eviladmin.org Tue Jul 16 04:14:02 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 15 Jul 2002 13:14:02 -0500 (CDT) Subject: Patch: Solaris packages don't create privsep user or group In-Reply-To: <17D3D857B26112409EA372EB0AFE39DD125F62@NSTMC005PEX1.ubsgs.ubsgroup.net> Message-ID: On Mon, 15 Jul 2002 Nicolas.Williams at ubsw.com wrote: > > You sure can... > Let me rephrase. HAS anyone tried this with jumpstart? Or done something like it that can verify that it will be acceptable. - Ben From luc at suryo.com Tue Jul 16 04:38:08 2002 From: luc at suryo.com (Luc I. Suryo) Date: Mon, 15 Jul 2002 13:38:08 -0500 Subject: Patch: Solaris packages don't create privsep user or group In-Reply-To: References: <17D3D857B26112409EA372EB0AFE39DD125F62@NSTMC005PEX1.ubsgs.ubsgroup.net> Message-ID: <20020715183808.GA9502@nc1701.suryo.com> > > Let me rephrase. HAS anyone tried this with jumpstart? Or done something > like it that can verify that it will be acceptable. Yes, I have done this, in fact you can do quite some with jumpstart. In the 'rule' file one can define a 'profile' for the client and a 'finishing-profile' and they can be scripts. And within the scripts you can call other scripts. Hope this is clear? -- Kind regards, Luc Suryo From mouring at etoh.eviladmin.org Tue Jul 16 04:29:22 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 15 Jul 2002 13:29:22 -0500 (CDT) Subject: Patch: Solaris packages don't create privsep user or group In-Reply-To: <20020715183808.GA9502@nc1701.suryo.com> Message-ID: On Mon, 15 Jul 2002, Luc I. Suryo wrote: > > > > > Let me rephrase. HAS anyone tried this with jumpstart? Or done something > > like it that can verify that it will be acceptable. > > Yes, I have done this, in fact you can do quite some with jumpstart. > Did you look at the proposed patch? I really don't want to release 3.5 to have people using JumpStart with our scripts bitching about a broken package. =) Not as if I've seen many people beg for JumpStart safe package to start with. - Ben From Nicolas.Williams at ubsw.com Tue Jul 16 04:41:26 2002 From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com) Date: Mon, 15 Jul 2002 14:41:26 -0400 Subject: Patch: Solaris packages don't create privsep user or group Message-ID: <17D3D857B26112409EA372EB0AFE39DD125F63@NSTMC005PEX1.ubsgs.ubsgroup.net> Yes. You can edit any config file you want during JumpStart. Just make sure that you handle $PKG_INSTAL_ROOT and the like correctly. The pkg should either have an edit script for /etc/password or it should do its thing in the postinstall script and then use installf to indicate that it edited /etc/passwd. Cheers, Nico -- > -----Original Message----- 
> From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org] > Sent: Monday, July 15, 2002 2:14 PM > To: Williams, Nicolas > Cc: openssh-unix-dev at mindrot.org > Subject: RE: Patch: Solaris packages don't create privsep > user or group > > > > > > On Mon, 15 Jul 2002 Nicolas.Williams at ubsw.com wrote: > > > > > You sure can... > > > > Let me rephrase. HAS anyone tried this with jumpstart? Or > done something > like it that can verify that it will be acceptable. > > - Ben > > From mouring at etoh.eviladmin.org Tue Jul 16 04:32:43 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 15 Jul 2002 13:32:43 -0500 (CDT) Subject: Patch: Solaris packages don't create privsep user or group In-Reply-To: <17D3D857B26112409EA372EB0AFE39DD125F63@NSTMC005PEX1.ubsgs.ubsgroup.net> Message-ID: Which we should support now (IIRC the ChangeLog).. That is all I wanted to know.=) - Ben On Mon, 15 Jul 2002 Nicolas.Williams at ubsw.com wrote: > > Yes. > > You can edit any config file you want during JumpStart. > > Just make sure that you handle $PKG_INSTAL_ROOT and the > like correctly. > > The pkg should either have an edit script for /etc/password > or it should do its thing in the postinstall script and > then use installf to indicate that it edited /etc/passwd. > > Cheers, > > Nico > -- > > > -----Original Message----- 
> > From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org] > > Sent: Monday, July 15, 2002 2:14 PM > > To: Williams, Nicolas > > Cc: openssh-unix-dev at mindrot.org > > Subject: RE: Patch: Solaris packages don't create privsep > > user or group > > > > > > > > > > > > On Mon, 15 Jul 2002 Nicolas.Williams at ubsw.com wrote: > > > > > > > > You sure can... > > > > > > > Let me rephrase. HAS anyone tried this with jumpstart? Or > > done something > > like it that can verify that it will be acceptable. > > > > - Ben > > From mouring at etoh.eviladmin.org Tue Jul 16 04:37:05 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 15 Jul 2002 13:37:05 -0500 (CDT) Subject: Patch: Solaris packages don't create privsep user or group In-Reply-To: <3D32C0D0.AC976412@zip.com.au> Message-ID: Committed.. - Ben On Mon, 15 Jul 2002, Darren Tucker wrote: > Hi. > Solaris packages created by buildpkg.sh don't create privsep user or > group and sshd won't start until they are created (or privsep is > disabled): > > ## Executing postinstall script. > starting /usr/local/sbin/sshd... Privilege separation user sshd does not > exist > /etc/init.d/opensshd: Error 255 starting /usr/local/sbin/sshd... > bailing. > > The attached patch (against -cvs) ports the relevant parts from the AIX > package builder. I've tested it on Solaris 8 only and would be > interested to know if it works on other SysV-based systems. > > -- > Darren Tucker (dtucker at zip.com.au) > GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. From mouring at etoh.eviladmin.org Tue Jul 16 05:20:43 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 15 Jul 2002 14:20:43 -0500 (CDT) Subject: AIX hang problem again (was Re: AIX and Privsep.) In-Reply-To: <54937.193.133.92.239.1025874726.squirrel@lbbrown.homeip.net> Message-ID: Markus, any qualms? - Ben On Fri, 5 Jul 2002, Leigh Brown wrote: > Hi, > > I have to say sorry. I thought I'd tested your patch correctly but I > was wrong (probably I'd left my other code hanging around). Luckily, > you put the test after the write instead of before, so it needs to be > changed anyway :-) > > It seems that c->isatty is only set if nonblock is true, which is not > the case for some reason. I changed the test to use isatty(c->wfd) > instead and that made it work; I hope that is acceptable. > > I've attached a patch against last night's snapshot that does as I've > described. > > Cheers, > > Leigh. > > > diff -ur openssh/channels.c openssh.local/channels.c --- openssh/channels.c Thu Jul 4 19:11:10 2002 +++ openssh.local/channels.c Fri Jul 5 13:58:27 2002 @@ -1278,12 +1278,13 @@ buffer_len(&c->output) > 0) { data = buffer_ptr(&c->output); dlen = buffer_len(&c->output); - len = write(c->wfd, data, dlen); #ifdef _AIX /* XXX: Later AIX versions can't push as much data to tty */ - if (compat20 && c->isatty && dlen >= 8*1024) + if (compat20 && isatty(c->wfd) && dlen > 8*1024) { dlen = 8*1024; + } #endif + len = write(c->wfd, data, dlen); if (len < 0 && (errno == EINTR || errno == EAGAIN)) return 1; if (len <= 0) { From mouring at etoh.eviladmin.org Tue Jul 16 05:24:20 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 15 Jul 2002 14:24:20 -0500 (CDT) Subject: [Bug 345] New: w (uptime) command still indicates user is logged in after logout (fwd) Message-ID: Hmm.. All the hp/ux of the 10.x era has that set in the configure.ac. - Ben ---------- Forwarded message ---------- Date: Tue, 9 Jul 2002 05:40:35 +1000 (EST) 
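Review bot: moving `len = write(c->wfd, data, dlen);` below the `#ifdef _AIX` clamp in the channels.c hunk is the substantive fix (before, the clamp adjusted `dlen` only after the write had already used the full length), and the `>=` to `>` change is behaviour-neutral since clamping 8*1024 to 8*1024 changes nothing. Replacing the cached `c->isatty` flag with `isatty(c->wfd)` adds an ioctl on every output flush on AIX; the cover note says `c->isatty` is only set when nonblock is true, so fixing where that flag is set would keep this path cheap and consistent with the rest of channels.c rather than working around it here. The braces added around the single-statement body also differ from the brace-less `if (len < 0 && ...) return 1;` right below it.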
From: bugzilla-daemon at mindrot.org To: openssh-unix-dev at mindrot.org Subject: [Bug 345] New: w (uptime) command still indicates user is logged in after logout http://bugzilla.mindrot.org/show_bug.cgi?id=345 Summary: w (uptime) command still indicates user is logged in after logout Product: Portable OpenSSH Version: -current Platform: HPPA OS/Version: HP-UX Status: NEW Severity: minor Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: dave.anglin at nrc.ca The build system is hppa1.1-hp-hpux10.20 and openssh is version 3.4p1. The w (uptime) command indicates a user is still logged in after logout. The problem wasn't present in 3.1p1 even though writing to utmp is disabled. Other commands such as who and last generate correct results. /dev/pts/* appear to be correctly released. Looking at config.h, I noticed that writing to utmp was disabled: /* Define if you don't want to use utmp */ #define DISABLE_UTMP 1 Commenting this out and rebuilding, fixed the problem. Disabling writing to wtmp seems to be the default (ie, I didn't disable it when running configure). ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. _______________________________________________ openssh-unix-dev at mindrot.org mailing list http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From chris at obelix.hedonism.cx Tue Jul 16 05:38:02 2002 
From: chris at obelix.hedonism.cx (Christian Vogel) Date: Mon, 15 Jul 2002 21:38:02 +0200 Subject: -t option in ssh-keygen In-Reply-To: <02ca01c22c28$a1df86d0$25b4a8c0@COSMOS> References: <02ca01c22c28$a1df86d0$25b4a8c0@COSMOS> Message-ID: <20020715193802.GB1584@emil.frop.org> Hi, > I just downloaded and installed openssh3.4p1 and triued to run ssh-keygen > with -t option. It complains -t to be an illegel option. Its ssh-keygen > version 1.2.20 Most likely some commercial-ssh-version-1's keygen has not been removed from your system. openssh3.4p1's keygen supports the -t version: emil:chris$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/chris/.ssh/id_rsa): DEVELOPERS: There should be a -V (Version) option for all ssh-commands. Chris -- The ten thousand things How long do any persist? Netscape, too, has gone. -- Jason Willoughby From dtucker at zip.com.au Tue Jul 16 08:10:13 2002 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 16 Jul 2002 08:10:13 +1000 Subject: Patch: Solaris packages don't create privsep user or group References: Message-ID: <3D334845.96AB7A0B@zip.com.au> Ben Lindstrom wrote: > Hmm.. Does this work with JumpStart? Can you add users at install time? I didn't even consider that. We use jumpstart to build machines but don't install sshd until after the first boot (ie not in the finish_script). I'll try to dig up some spare hardware to try it. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From d_wllms at lanl.gov Tue Jul 16 08:13:41 2002 
From: d_wllms at lanl.gov (David Williams) Date: Mon, 15 Jul 2002 16:13:41 -0600 Subject: Patch: Solaris packages don't create privsep user or group References: <3D32C0D0.AC976412@zip.com.au> Message-ID: <3D334915.725F546D@lanl.gov> Hi, Hopefully this doesn't seem like hair-splitting but I'd like to suggest the following additions to Darren's patch. This allows for the option of turning off priv_sep at package build time: Index: openssh/contrib/solaris/buildpkg.sh =================================================================== RCS file: /cvs/openssh/contrib/solaris/buildpkg.sh,v retrieving revision 1.6 diff -u -r1.6 buildpkg.sh --- openssh/contrib/solaris/buildpkg.sh 15 Jul 2002 18:49:21 -0000 1.6 +++ openssh/contrib/solaris/buildpkg.sh 15 Jul 2002 22:06:25 -0000 @@ -23,6 +23,7 @@ # uncomment these next two as needed #PERMIT_ROOT_LOGIN=no #X11_FORWARDING=yes +#USE_PRIVSEP=no # list of system directories we do NOT want to change owner/group/perms # when installing our package SYSTEM_DIR="/etc \ @@ -140,6 +141,9 @@ $FAKE_ROOT/${sysconfdir}/sshd_config [ "${X11_FORWARDING}" = yes ] && \ perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \ + $FAKE_ROOT/${sysconfdir}/sshd_config +[ "${USE_PRIVSEP}" = no ] && \ + perl -p -i -e "s/#UsePrivilegeSeparation yes/UsePrivilegeSeparation no/" \ $FAKE_ROOT/${sysconfdir}/sshd_config # fix PrintMotd perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \ -- David M. Williams, CISSP Phone: 505-665-5021 Systems Engineer, CCN-2 Fax: 505-667-7428 Los Alamos National Laboratory Email: d_wllms at lanl.gov From tim at multitalents.net Tue Jul 16 08:57:13 2002 
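Review bot: the comment above the new `#USE_PRIVSEP=no` line in the first hunk still reads `# uncomment these next two as needed`; with a third commented option it should say `three` (or just `these`).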
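Review bot: the substitution in the second hunk, `s/#UsePrivilegeSeparation yes/UsePrivilegeSeparation no/`, only fires if the packaged sshd_config carries that exact commented default and silently does nothing otherwise, the same fragility as the adjacent `#X11Forwarding no` edit it copies; worth a comment, or a check that the line was actually changed. It does line up with the postinstall check committed earlier in this thread, which looks for `UsePrivilegeSeparation[ \t]+no` before deciding whether to create the privsep user, since the written line is `UsePrivilegeSeparation no`.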
From: tim at multitalents.net (Tim Rice) Date: Mon, 15 Jul 2002 15:57:13 -0700 (PDT) Subject: Patch: Solaris packages don't create privsep user or group In-Reply-To: <3D334915.725F546D@lanl.gov> Message-ID: On Mon, 15 Jul 2002, David Williams wrote: > Hi, > Hopefully this doesn't seem like hair-splitting but I'd like to suggest > the following additions to Darren's patch. This allows for the option > of turning off priv_sep at package build time: Would it be better to have a build time option or an install time option? > > Index: openssh/contrib/solaris/buildpkg.sh > =================================================================== > + $FAKE_ROOT/${sysconfdir}/sshd_config > +[ "${USE_PRIVSEP}" = no ] && \ > + perl -p -i -e "s/#UsePrivilegeSeparation > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From dtucker at zip.com.au Tue Jul 16 09:00:08 2002 From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 16 Jul 2002 09:00:08 +1000 Subject: Patch: Solaris packages don't create privsep user or group References: <3D32C0D0.AC976412@zip.com.au> <3D334915.725F546D@lanl.gov> Message-ID: <3D3353F8.B9ACD5C0@zip.com.au> David Williams wrote: > Hopefully this doesn't seem like hair-splitting but I'd like to suggest > the following additions to Darren's patch. This allows for the option > of turning off priv_sep at package build time: That's fine by me but I didn't write buildpkg.sh. The author(s) might like to comment. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From d_wllms at lanl.gov Tue Jul 16 09:10:56 2002 
From: d_wllms at lanl.gov (David Williams) Date: Mon, 15 Jul 2002 17:10:56 -0600 Subject: Patch: Solaris packages don't create privsep user or group References: Message-ID: <3D335680.AA652E76@lanl.gov> For my intended audience it would probably be better to do it at build time. But I can see an issue with force feeding end-users. How about I do a little more work and allow for both options. I had been working on this very thing when Darren submitted his patch. Tim Rice wrote: > > On Mon, 15 Jul 2002, David Williams wrote: > > Would it be better to have a build time option or an install time option? > > -- > Tim Rice Multitalents (707) 887-1469 > tim at multitalents.net -- David M. Williams, CISSP Phone: 505-665-5021 Systems Engineer, CCN-2 Fax: 505-667-7428 Los Alamos National Laboratory Email: d_wllms at lanl.gov From mouring at etoh.eviladmin.org Tue Jul 16 09:13:10 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 15 Jul 2002 18:13:10 -0500 (CDT) Subject: Patch: Solaris packages don't create privsep user or group In-Reply-To: <3D335680.AA652E76@lanl.gov> Message-ID: I would prefer runtime. The build time option should at best set the default. - Ben On Mon, 15 Jul 2002, David Williams wrote: > For my intended audience it would probably be better to do it at build > time. But I can see an issue with force feeding end-users. > > How about I do a little more work and allow for both options. I had > been working on this very thing when Darren submitted his patch. > > > Tim Rice wrote: > > > > On Mon, 15 Jul 2002, David Williams wrote: > > > > Would it be better to have a build time option or an install time option? > > > > -- > > Tim Rice Multitalents (707) 887-1469 > > tim at multitalents.net > > -- > David M. Williams, CISSP Phone: 505-665-5021 > Systems Engineer, CCN-2 Fax: 505-667-7428 > Los Alamos National Laboratory Email: d_wllms at lanl.gov > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From d_wllms at lanl.gov Tue Jul 16 09:42:04 2002 
From: d_wllms at lanl.gov (David Williams) Date: Mon, 15 Jul 2002 17:42:04 -0600 Subject: Patch: Solaris packages don't create privsep user or group References: Message-ID: <3D335DCC.57C1A25C@lanl.gov> Hey Ben, So when I submitted the build time option bit I was only following your pattern of providing a commented out option with a value assigned that is opposite to that set in sshd_conf. As far as the runtime option goes, should the runtime selection take precedence over the sshd_config settings? It's your baby, I'll write it either way. Dave Ben Lindstrom wrote: > > I would perfer runtime. The build time option should at best set the > default. > > - Ben -- David M. Williams, CISSP Phone: 505-665-5021 Systems Engineer, CCN-2 Fax: 505-667-7428 Los Alamos National Laboratory Email: d_wllms at lanl.gov From mouring at etoh.eviladmin.org Tue Jul 16 09:52:56 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Mon, 15 Jul 2002 18:52:56 -0500 (CDT) Subject: Patch: Solaris packages don't create privsep user or group In-Reply-To: <3D335DCC.57C1A25C@lanl.gov> Message-ID: On Mon, 15 Jul 2002, David Williams wrote: > Hey Ben, > So when I submitted the build time option bit I was only following your > pattern of providing a commented out option with a value assigned that > is opposite to that set in sshd_conf. > Oh boy.. this code has exceeded what I originally wrote. =) > As far as the runtime option goes, should the runtime selection take > precedence over the sshd_config settings? It's your baby, I'll write > it either way. > You know.. On second thought looking over the code no where else do we prompt the installer for such questions. I think that if we set this precedence then we should prompt for ever other two items. Lets just leave it as a buildtime option. - Ben From d_wllms at lanl.gov Tue Jul 16 10:16:00 2002 
From: d_wllms at lanl.gov (David Williams)
Date: Mon, 15 Jul 2002 18:16:00 -0600
Subject: Patch: Solaris packages don't create privsep user or group
References:
Message-ID: <3D3365C0.E1C42B42@lanl.gov>

Ben Lindstrom wrote:
>
> On Mon, 15 Jul 2002, David Williams wrote:
>
> > Hey Ben,
> > So when I submitted the build time option bit I was only following your
> > pattern of providing a commented out option with a value assigned that
> > is opposite to that set in sshd_conf.
> >
>
> Oh boy.. this code has exceeded
> what I originally wrote. =)

You should see what I was adding to it!

>
> > As far as the runtime option goes, should the runtime selection take
> > precedence over the sshd_config settings? It's your baby, I'll write
> > it either way.
> >
>
> You know.. On second thought looking over the code nowhere else do we
> prompt the installer for such questions. I think that if we set this
> precedence then we should prompt for every other two items.
>
> Let's just leave it as a buildtime option.
>

OK, let me clean my patch up a bit more then. As I was looking over the
code ;^) I noticed that with the buildtime option I can consolidate the
PrivSep stuff a bit for cleanliness sake.

> - Ben

--
David M. Williams, CISSP Phone: 505-665-5021
Systems Engineer, CCN-2 Fax: 505-667-7428
Los Alamos National Laboratory Email: d_wllms at lanl.gov

From tim at multitalents.net Tue Jul 16 10:32:52 2002
From: tim at multitalents.net (Tim Rice)
Date: Mon, 15 Jul 2002 17:32:52 -0700 (PDT)
Subject: Patch: Solaris packages don't create privsep user or group
In-Reply-To: <3D3365C0.E1C42B42@lanl.gov>
Message-ID:

On Mon, 15 Jul 2002, David Williams wrote:

> Ben Lindstrom wrote:
> >
> > Oh boy.. this code has exceeded
> > what I originally wrote. =)
>
> You should see what I was adding to it!

Hmm, maybe I should wait and see what you have before I go making my mods.

I was going to add support for local additions to the postinstall,
preinstall, etc. scripts at build time. So if you had a postinstall.local
file in your build dir it would be included in the postinstall script.

--
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From d_wllms at lanl.gov Tue Jul 16 10:42:25 2002
From: d_wllms at lanl.gov (David Williams)
Date: Mon, 15 Jul 2002 18:42:25 -0600
Subject: Patch: Solaris packages don't create privsep user or group
References:
Message-ID: <3D336BF1.6AD3EA9A@lanl.gov>

Hey Tim,
That's exactly what I did. I was also in the process of adding a
sshd_config.local as well so that I could propagate changes at
buildtime.

Tim Rice wrote:
>
> On Mon, 15 Jul 2002, David Williams wrote:
>
> > Ben Lindstrom wrote:
> > >
> > > Oh boy.. this code has exceeded
> > > what I originally wrote. =)
> >
> > You should see what I was adding to it!
>
> Hmm, maybe I should wait and see what you have before I go making my mods.
>
> I was going to add support for local additions to the postinstall,
> preinstall, etc. scripts at build time. So if you had a postinstall.local
> file in your build dir it would be included in the postinstall script.
>
> --
> Tim Rice Multitalents (707) 887-1469
> tim at multitalents.net

--
David M. Williams, CISSP Phone: 505-665-5021
Systems Engineer, CCN-2 Fax: 505-667-7428
Los Alamos National Laboratory Email: d_wllms at lanl.gov

From mouring at etoh.eviladmin.org Tue Jul 16 10:37:21 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 15 Jul 2002 19:37:21 -0500 (CDT)
Subject: Patch: Solaris packages don't create privsep user or group
In-Reply-To: <3D336BF1.6AD3EA9A@lanl.gov>
Message-ID:

Sadly.. great minds think too much alike. That came to me also. That way
we don't have all these special cases that I start to see cropping up
really quickly.

- Ben

On Mon, 15 Jul 2002, David Williams wrote:

> Hey Tim,
> That's exactly what I did. I was also in the process of adding a
> sshd_config.local as well so that I could propagate changes at
> buildtime.
>
> Tim Rice wrote:
> >
> > On Mon, 15 Jul 2002, David Williams wrote:
> >
> > > Ben Lindstrom wrote:
> > > >
> > > > Oh boy.. this code has exceeded
> > > > what I originally wrote. =)
> > >
> > > You should see what I was adding to it!
> >
> > Hmm, maybe I should wait and see what you have before I go making my mods.
> >
> > I was going to add support for local additions to the postinstall,
> > preinstall, etc. scripts at build time. So if you had a postinstall.local
> > file in your build dir it would be included in the postinstall script.
> >
> > --
> > Tim Rice Multitalents (707) 887-1469
> > tim at multitalents.net
>
> --
> David M. Williams, CISSP Phone: 505-665-5021
> Systems Engineer, CCN-2 Fax: 505-667-7428
> Los Alamos National Laboratory Email: d_wllms at lanl.gov
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From dtucker at zip.com.au Tue Jul 16 10:50:30 2002
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 16 Jul 2002 10:50:30 +1000 Subject: Patch: Solaris packages don't create privsep user or group References: <3D334845.96AB7A0B@zip.com.au> Message-ID: <3D336DD6.C8385F34@zip.com.au> Darren Tucker wrote: > Ben Lindstrom wrote: > > Hmm.. Does this work with JumpStart? Can you add users at install time? > > I didn't even consider that. We use jumpstart to build machines but > don't install sshd until after the first boot (ie not in the > finish_script). I'll try to dig up some spare hardware to try it. OK I can confirm that it does NOT work with Jumpstart. useradd and groupadd try to modify the read-only files on the jumpstart NFS image. Should we: (a) move them to the /etc/init.d/openssh script same as the keygens (b) attempt to hand-hack $PKG_INSTALL_ROOT/etc/passwd (c) chroot tricks? (d) ? I prefer (a). -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From Darren.Moffat at Sun.COM Tue Jul 16 12:02:51 2002 From: Darren.Moffat at Sun.COM (Darren Moffat) Date: Mon, 15 Jul 2002 19:02:51 -0700 (PDT) Subject: Patch: Solaris packages don't create privsep user or group Message-ID: <200207160204.g6G24GuP707936@jurassic.eng.sun.com> >Should we: >(a) move them to the /etc/init.d/openssh script same as the keygens >(b) attempt to hand-hack $PKG_INSTALL_ROOT/etc/passwd >(c) chroot tricks? >(d) ? > >I prefer (a). (b) is what would be done by a Solaris shipped package. Given that the format of /etc/passwd and /etc/shadow are stable interfaces there is no problem doing that. The more you add to the openssh init.d script the longer it takes to startup that Solaris instance - this is an issue for some people. -- Darren J Moffat From tim at multitalents.net Tue Jul 16 12:41:21 2002 
From: tim at multitalents.net (Tim Rice) Date: Mon, 15 Jul 2002 19:41:21 -0700 (PDT) Subject: opensshd.in Message-ID: I've had the wrong sshd daemon killed by "killing using alternate method" too many times. Would this cause anyone any grief? --- opensshd.in.old Sun Oct 21 16:42:02 2001 +++ opensshd.in Mon Jul 15 19:34:16 2002 @@ -3,11 +3,8 @@ # # Stripped PRNGd out of it for the time being. -AWK=/usr/bin/awk CAT=/usr/bin/cat KILL=/usr/bin/kill -PS=/usr/bin/ps -XARGS=/usr/bin/xargs prefix=%%openSSHDir%% etcdir=%%configDir%% @@ -20,12 +17,6 @@ HOST_KEY_DSA=$etcdir/ssh_host_dsa_key HOST_KEY_RSA=$etcdir/ssh_host_rsa_key -killproc() { - _procname=$1 - _signal=$2 - ${PS} -u root | ${AWK} '/'"$_procname"'$/ {print $1}' | ${XARGS} ${KILL} -} - checkkeys() { if [ ! -f $HOST_KEY_RSA1 ]; then @@ -46,8 +37,7 @@ if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then ${KILL} ${PID} else - echo "Unable to read PID file, killing using alternate method" - killproc sshd TERM + echo "Unable to read PID file" fi } -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From dtucker at zip.com.au Tue Jul 16 16:18:17 2002 
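Review bot: in the stop hunk (@@ -46,8 +37,7 @@) the fallback branch now only echoes "Unable to read PID file" and falls through, so an rc stop returns success while sshd is still running; make that branch fail visibly (message to stderr and `exit 1`) so the operator, or a script that chains on this one, knows nothing was stopped. Dropping killproc itself is the right call: `${PS} -u root | ${AWK} '/'"$_procname"'$/'` matched every root-owned process whose command field merely ended in "sshd", which is exactly how the wrong daemon got killed. What remains, `[ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]`, still trusts a possibly stale PID file; checking with ps that the PID currently names an sshd before `${KILL} ${PID}` would close the last way to kill an unrelated process.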
From: dtucker at zip.com.au (Darren Tucker) Date: Tue, 16 Jul 2002 16:18:17 +1000 Subject: Patch: Solaris packages don't create privsep user or group References: <200207160204.g6G24GuP707936@jurassic.eng.sun.com> Message-ID: <3D33BAA8.D5976982@zip.com.au> Darren Moffat wrote: > >Should we: > >(a) move them to the /etc/init.d/openssh script same as the keygens > >(b) attempt to hand-hack $PKG_INSTALL_ROOT/etc/passwd > >(c) chroot tricks? > >(d) ? > > > >I prefer (a). > > (b) is what would be done by a Solaris shipped package. Given that the > format of /etc/passwd and /etc/shadow are stable interfaces there is > no problem doing that. How about something like the attached patch (b+c)? (Currently untested, please don't commit.) Or is it too convoluted? > The more you add to the openssh init.d script the longer it takes to > startup that Solaris instance - this is an issue for some people. Doing it in the init script would mean that if someone enabled privsep and restarted it would magically work. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: contrib/solaris/buildpkg.sh =================================================================== RCS file: /cvs/openssh/contrib/solaris/buildpkg.sh,v retrieving revision 1.6 diff -u -r1.6 buildpkg.sh --- contrib/solaris/buildpkg.sh 15 Jul 2002 18:49:21 -0000 1.6 +++ contrib/solaris/buildpkg.sh 16 Jul 2002 06:19:16 -0000 @@ -20,6 +20,8 @@ PKGNAME=OpenSSH SYSVINIT_NAME=opensshd MAKE=${MAKE:="make"} +SSHDUID=22 # Default privsep uid +SSHDGID=22 # Default privsep gid # uncomment these next two as needed #PERMIT_ROOT_LOGIN=no #X11_FORWARDING=yes 
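Review bot: SSHDUID/SSHDGID are introduced here as build-time defaults, but the group/user hunk later in this patch (@@ -235,22) passes the literal `-g 22` / `-u 22` rather than `$SSHDGID` / `$SSHDUID`, so editing these two lines changes the availability test but not the id actually requested; use the variables in both places. A comment that they are preferences only (groupadd/useradd pick another id when the preferred one is taken) would also help, since "Default privsep uid" reads as if the number were guaranteed.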
@@ -227,6 +229,12 @@ installf -f ${PKGNAME} +# Use chroot to handle PKG_INSTALL_ROOT +if [ ! -z "\${PKG_INSTALL_ROOT}" ] +then + chroot="chroot \${PKG_INSTALL_ROOT}" +fi + if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null then echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user" @@ -235,22 +243,32 @@ echo "UsePrivilegeSeparation enabled in config (or defaulting to on)." # create group if required - if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null then echo "PrivSep group $SSH_PRIVSEP_USER already exists." else + # Use gid of 22 if possible + if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null + then + sshdgid="-g 22" + fi echo "Creating PrivSep group $SSH_PRIVSEP_USER." - groupadd $SSH_PRIVSEP_USER + $chroot groupadd \$sshdgid $SSH_PRIVSEP_USER fi # Create user if required - if cut -f1 -d: /etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null then echo "PrivSep user $SSH_PRIVSEP_USER already exists." else + # Use uid of 22 if possible + if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null + then + sshduid="-u 22" + fi echo "Creating PrivSep user $SSH_PRIVSEP_USER." - useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER $SSH_PRIVSEP_USER - passwd -l $SSH_PRIVSEP_USER + $chroot useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER + $chroot passwd -l $SSH_PRIVSEP_USER fi fi From barel_bhai at yahoo.com Tue Jul 16 18:26:48 2002 
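Review bot: the `chroot="chroot \${PKG_INSTALL_ROOT}"` setup in the first hunk (@@ -227,6 +229,12) does not cover the `egrep ... $sysconfdir/sshd_config` test on the context line right after it: that path carries no \${PKG_INSTALL_ROOT} prefix, so on a JumpStart image the UsePrivilegeSeparation check reads the running system's config (or a missing file) instead of the one the package just installed. Prefix it the same way the /etc/group and /etc/passwd reads in the next hunk are prefixed. Minor: naming the variable `chroot`, identical to the command it wraps, makes `$chroot groupadd` easy to misread; `CHROOT` or `in_root` would be clearer.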
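Review bot: in the second hunk (@@ -235,22 +243,32) the "Use gid of 22 if possible" test is the wrong way round. `cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$'` succeeds when gid 22 is already in use, and that is exactly the case in which `sshdgid="-g 22"` gets set, so groupadd is asked for the one gid that is taken (and fails), while on a system where 22 is free no -g is passed at all. The uid branch has the same inversion and additionally greps passwd for `$SSHDGID` instead of `$SSHDUID`. Negate both tests (`if ! cut ... | egrep ...`), use the variables instead of the literal 22, and initialise `sshdgid=""` / `sshduid=""` before the tests so the generated script does not depend on them being unset. useradd is still run without -d, so the account gets the platform's default home directory; `-d /var/empty` ties it to the privsep chroot directory instead.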
From: barel_bhai at yahoo.com (raam raam)
Date: Tue, 16 Jul 2002 01:26:48 -0700 (PDT)
Subject: SSH and SSL
In-Reply-To: <20020628114543.GB7488@faui02>
Message-ID: <20020716082648.50508.qmail@web20510.mail.yahoo.com>

Hi All

Can somebody tell me what's the difference between SSL and SSH. I feel
whatever is done by SSH can be done by SSL, therefore why do we need SSH.

Is there any document available somewhere which can explain the
difference / usages of SSL and SSH

Regards
Barel

__________________________________________________
Do You Yahoo!?
Yahoo! Autos - Get free new car price quotes
http://autos.yahoo.com

From dtucker at zip.com.au Tue Jul 16 18:48:58 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 16 Jul 2002 18:48:58 +1000
Subject: SSH and SSL
References: <20020716082648.50508.qmail@web20510.mail.yahoo.com>
Message-ID: <3D33DDF9.9F6570DB@zip.com.au>

raam raam wrote:
> Can somebody tell me what's the difference between SSL
> and SSH. I feel whatever is done by SSH can be done by
> SSL, therefore why do we need SSH.
>
> Is there any document available somewhere which can
> explain the difference / usages of SSL and SSH

http://www.google.com/search?q=difference+between+ssh+ssl

Results 1 - 10 of about 6,290

The first two hits are:

"What is the difference between SSH and SSL?"
http://www.rpatrick.com/tech/ssh-ssl/

"What's the difference between SSH and SSL/TLS?"
http://www.snailbook.com/faq/ssl.auto.html

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From markus at openbsd.org Tue Jul 16 18:15:35 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 16 Jul 2002 10:15:35 +0200
Subject: With bounds checking patch for gcc-3.1 problems if using AES
In-Reply-To: <3D331B04.4010608@gmx.de>
References: <3D249F0C.90600@gmx.de> <3D2B3484.9000906@gmx.de> <20020709175948.GA29587@serv01.aet.tu-cottbus.de> <20020710152617.GB7480@folly> <20020710153535.GB23442@faui02> <20020712104330.GA27317@folly> <3D331B04.4010608@gmx.de>
Message-ID: <20020716081535.GC26371@folly>

On Mon, Jul 15, 2002 at 06:57:08PM +0000, Daniel Schröter wrote:
> rijndal_cbc.cleanup = ssh_rijndael_cleanup;
> rijndal_cbc.do_cipher = ssh_rijndael_cbc;
> #ifndef SSH_OLD_EVP
> rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
> EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
> #endif
> return (&rijndal_cbc);
> }

thanks, i've added EVP_CIPH_CUSTOM_IV.

the only remaining problem is systems with OpenSSL 0.9.5 (SSH_OLD_EVP);
they will probably still copy out of bounds.

From markus at openbsd.org Tue Jul 16 18:11:25 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 16 Jul 2002 10:11:25 +0200
Subject: AIX hang problem again (was Re: AIX and Privsep.)
In-Reply-To:
References: <54937.193.133.92.239.1025874726.squirrel@lbbrown.homeip.net>
Message-ID: <20020716081124.GB26371@folly>

On Mon, Jul 15, 2002 at 02:20:43PM -0500, Ben Lindstrom wrote:
> Markus, any qualms?

c->isatty is only set on the server side.

so if this is a client-side problem, too, then we probably need
your patch (but calling isatty for every write might be a problem).

From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Jul 16 19:39:33 2002
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 16 Jul 2002 11:39:33 +0200
Subject: With bounds checking patch for gcc-3.1 problems if using AES
In-Reply-To: <20020716081535.GC26371@folly>
References: <3D249F0C.90600@gmx.de> <3D2B3484.9000906@gmx.de> <20020709175948.GA29587@serv01.aet.tu-cottbus.de> <20020710152617.GB7480@folly> <20020710153535.GB23442@faui02> <20020712104330.GA27317@folly> <3D331B04.4010608@gmx.de> <20020716081535.GC26371@folly>
Message-ID: <20020716093933.GB10385@serv01.aet.tu-cottbus.de>

On Tue, Jul 16, 2002 at 10:15:35AM +0200, Markus Friedl wrote:
> On Mon, Jul 15, 2002 at 06:57:08PM +0000, Daniel Schröter wrote:
> > rijndal_cbc.cleanup = ssh_rijndael_cleanup;
> > rijndal_cbc.do_cipher = ssh_rijndael_cbc;
> > #ifndef SSH_OLD_EVP
> > rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
> > EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
> > #endif
> > return (&rijndal_cbc);
> > }
>
> thanks, i've added EVP_CIPH_CUSTOM_IV.
>
> the only remaining problem is systems with OpenSSL 0.9.5 (SSH_OLD_EVP);
> they will probably still copy out of bounds.

It's a systematic problem as 0.9.5 is no longer maintained (and it would not
make sense to further maintain it, as later versions contain the
necessary means (EVP_CIPH_CUSTOM_IV) to handle the problem).

--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus

From markus at openbsd.org Tue Jul 16 19:53:19 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 16 Jul 2002 11:53:19 +0200
Subject: With bounds checking patch for gcc-3.1 problems if using AES
In-Reply-To: <20020716093933.GB10385@serv01.aet.tu-cottbus.de>
References: <3D249F0C.90600@gmx.de> <3D2B3484.9000906@gmx.de> <20020709175948.GA29587@serv01.aet.tu-cottbus.de> <20020710152617.GB7480@folly> <20020710153535.GB23442@faui02> <20020712104330.GA27317@folly> <3D331B04.4010608@gmx.de> <20020716081535.GC26371@folly> <20020716093933.GB10385@serv01.aet.tu-cottbus.de>
Message-ID: <20020716095319.GB19216@faui02>

On Tue, Jul 16, 2002 at 11:39:33AM +0200, Lutz Jaenicke wrote:
> On Tue, Jul 16, 2002 at 10:15:35AM +0200, Markus Friedl wrote:
> > On Mon, Jul 15, 2002 at 06:57:08PM +0000, Daniel Schröter wrote:
> > > rijndal_cbc.cleanup = ssh_rijndael_cleanup;
> > > rijndal_cbc.do_cipher = ssh_rijndael_cbc;
> > > #ifndef SSH_OLD_EVP
> > > rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
> > > EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
> > > #endif
> > > return (&rijndal_cbc);
> > > }
> >
> > thanks, i've added EVP_CIPH_CUSTOM_IV.
> >
> > the only remaining problem is systems with OpenSSL 0.9.5 (SSH_OLD_EVP);
> > they will probably still copy out of bounds.
>
> It's a systematic problem as 0.9.5 is no longer maintained (and it would not
> make sense to further maintain it, as later versions contain the
> necessary means (EVP_CIPH_CUSTOM_IV) to handle the problem).

yes, but people still use it.

From Lutz.Jaenicke at aet.TU-Cottbus.DE Tue Jul 16 20:24:55 2002
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Tue, 16 Jul 2002 12:24:55 +0200
Subject: With bounds checking patch for gcc-3.1 problems if using AES
In-Reply-To: <20020716095319.GB19216@faui02>
References: <3D249F0C.90600@gmx.de> <3D2B3484.9000906@gmx.de> <20020709175948.GA29587@serv01.aet.tu-cottbus.de> <20020710152617.GB7480@folly> <20020710153535.GB23442@faui02> <20020712104330.GA27317@folly> <3D331B04.4010608@gmx.de> <20020716081535.GC26371@folly> <20020716093933.GB10385@serv01.aet.tu-cottbus.de> <20020716095319.GB19216@faui02>
Message-ID: <20020716102455.GA11306@serv01.aet.tu-cottbus.de>

On Tue, Jul 16, 2002 at 11:53:19AM +0200, Markus Friedl wrote:
> On Tue, Jul 16, 2002 at 11:39:33AM +0200, Lutz Jaenicke wrote:
> > On Tue, Jul 16, 2002 at 10:15:35AM +0200, Markus Friedl wrote:
> > > On Mon, Jul 15, 2002 at 06:57:08PM +0000, Daniel Schröter wrote:
> > > > rijndal_cbc.cleanup = ssh_rijndael_cleanup;
> > > > rijndal_cbc.do_cipher = ssh_rijndael_cbc;
> > > > #ifndef SSH_OLD_EVP
> > > > rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
> > > > EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
> > > > #endif
> > > > return (&rijndal_cbc);
> > > > }
> > >
> > > thanks, i've added EVP_CIPH_CUSTOM_IV.
> > >
> > > the only remaining problem is systems with OpenSSL 0.9.5 (SSH_OLD_EVP);
> > > they will probably still copy out of bounds.
> >
> > It's a systematic problem as 0.9.5 is no longer maintained (and it would not
> > make sense to further maintain it, as later versions contain the
> > necessary means (EVP_CIPH_CUSTOM_IV) to handle the problem).
>
> yes, but people still use it.

I know. But I don't see what could be done about it. Either OpenSSH or
OpenSSL have to do something about it, if something should be done at all.

* OpenSSH uses OpenSSL beyond its specs, so it does not make it OpenSSL's
  problem.

In fact, the solution would be to change either OpenSSL's API (add a
corresponding flag and #define, which may affect compatibility) or extend
the array sizes, which would break binary compatibility anyway. So the
reason why several distributions stay with 0.9.5, (binary) compatibility,
would be lost anyway. Thus I don't see any way to bring up 0.9.5 to handle
the problem in a way not breaking other things, in which case we do have a
better solution: use 0.9.6x or later.

As for a cleaner solution: I would recommend to disable AES support for
OpenSSL 0.9.5x as it seems to create problems that cannot easily be
resolved, and recommend people to update their OpenSSL release. If they
do not update, they still get OpenSSH working, but with a limited set of
ciphers. No security issue involved by leaving AES out. If they want AES
support, sorry, please update the version of OpenSSL.

Best,
Lutz

--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus

From bugzilla-daemon at mindrot.org Tue Jul 16 20:30:40 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 16 Jul 2002 20:30:40 +1000 (EST)
Subject: [Bug 355] New: No last login message with PrivSep under AIX
Message-ID: <20020716103040.88FCFEA02@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=355

           Summary: No last login message with PrivSep under AIX
           Product: Portable OpenSSH
           Version: -current
          Platform: PPC
        OS/Version: AIX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: Heinrich.Mislik at univie.ac.at

When a user connects to 3.4p1 on AIX with privilege separation on, no last
login message is displayed. It seems that the message is retrieved by a
call to loginsuccess() as root; the output of the message is done in the
nonprivileged child.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Jul 16 22:49:03 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 16 Jul 2002 22:49:03 +1000 (EST)
Subject: [Bug 341] Return Code unpredictable
Message-ID: <20020716124903.15364E91E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=341

norbert.weuster at mgi.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From norbert.weuster at mgi.de 2002-07-16 22:48 -------
after creating user "sshd" and/or a reboot, the problem couldn't be
reproduced.

best regards
Norbert Weuster

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dwanek at dexter.it-ias.depaul.edu Tue Jul 16 23:25:09 2002
From: dwanek at dexter.it-ias.depaul.edu (Dan Wanek) Date: Tue, 16 Jul 2002 08:25:09 -0500 (CDT) Subject: HP-UX PAM with Trusted System patch Message-ID: I'm fairly new to the list and new to submitting patches. Can someone please verify the attached patch for running a HP-UX Trusted System with PAM and OpenSSH 3.4p1? The problem seemed to be that pam couldn't verify the user via __pamh after the call to permanently_set_uid in session.c. So I called do_pam_session prior to the call and added a function do_pam_set_tty in order to set the tty after allocation. -- Dan Wanek -------------- next part -------------- diff -u -r openssh-3.4p1/auth-pam.c openssh-3.4p1-dw/auth-pam.c --- openssh-3.4p1/auth-pam.c Tue May 7 21:27:56 2002 +++ openssh-3.4p1-dw/auth-pam.c Tue Jul 16 07:54:05 2002 @@ -294,6 +294,18 @@ session_opened = 1; } +/* Set the TTY after session is open */ +void do_pam_set_tty(const char *ttyname) { + int pam_retval; + if (ttyname != NULL) { + debug("PAM setting tty to \"%.200s\"", ttyname); + pam_retval = pam_set_item(__pamh, PAM_TTY, ttyname); + if (pam_retval != PAM_SUCCESS) + fatal("PAM set tty failed[%d]: %.200s", + pam_retval, PAM_STRERROR(__pamh, pam_retval)); + } +} + /* Set PAM credentials */ void do_pam_setcred(int init) { Only in openssh-3.4p1-dw: auth-pam.c.orig diff -u -r openssh-3.4p1/auth-pam.h openssh-3.4p1-dw/auth-pam.h --- openssh-3.4p1/auth-pam.h Thu Apr 4 13:02:28 2002 +++ openssh-3.4p1-dw/auth-pam.h Tue Jul 16 07:54:05 2002 
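Review bot: the comment "Set the TTY after session is open" contradicts how the helper is used in the session.c hunks: do_pam_set_tty replaces the do_pam_session call in the pty path, which runs before the fork, while pam_open_session is moved into do_setusercontext in the child, so PAM_TTY is now set before the session is opened, not after. That is the order session modules that record the tty need, so the code is fine; fix the comment. If do_pam_session still carries its own PAM_TTY block, have it call do_pam_set_tty rather than keeping two copies of the pam_set_item/fatal sequence.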
@@ -12,6 +12,7 @@ int do_pam_authenticate(int flags); int do_pam_account(char *username, char *remote_user); void do_pam_session(char *username, const char *ttyname); +void do_pam_set_tty(const char *ttyname); void do_pam_setcred(int init); void print_pam_messages(void); int is_pam_password_change_required(void); Only in openssh-3.4p1-dw: auth-pam.h.orig diff -u -r openssh-3.4p1/session.c openssh-3.4p1-dw/session.c --- openssh-3.4p1/session.c Wed Jun 26 08:51:06 2002 +++ openssh-3.4p1-dw/session.c Tue Jul 16 07:54:06 2002 @@ -461,7 +461,6 @@ session_proctitle(s); #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, NULL); do_pam_setcred(1); if (is_pam_password_change_required()) packet_disconnect("Password change required but no " @@ -579,7 +578,7 @@ ttyfd = s->ttyfd; #if defined(USE_PAM) - do_pam_session(s->pw->pw_name, s->tty); + do_pam_set_tty(s->tty); do_pam_setcred(1); #endif @@ -1204,6 +1203,13 @@ * Reestablish them here. */ do_pam_setcred(0); + + /* + * We need to open the session here because PAM on HP-UX does not + * work after the call to permanently_set_uid. + */ + do_pam_session(pw->pw_name,NULL); + # endif /* USE_PAM */ # if defined(WITH_IRIX_PROJECT) || defined(WITH_IRIX_JOBS) || defined(WITH_IRIX_ARRAY) irix_setusercontext(pw); Only in openssh-3.4p1-dw: session.c.orig From bugzilla-daemon at mindrot.org Wed Jul 17 04:27:20 2002 
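Review bot: in the first session.c hunk (@@ -461,7 +461,6) removing do_pam_session leaves `do_pam_setcred(1)` and the is_pam_password_change_required() check running in the no-pty path before any PAM session exists, and that reordering (setcred before open_session) now applies on every USE_PAM platform, not just HP-UX; verify on at least one Linux-PAM and one Solaris host that pam_setcred with PAM_ESTABLISH_CRED ahead of pam_open_session is accepted by the modules in use there before this goes in.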
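Review bot: in the second session.c hunk (@@ -579,7 +578,7) `do_pam_set_tty(s->tty)` followed by `do_pam_setcred(1)` runs before the fork, so the PAM_TTY item is inherited by the child that later opens the session; that works, but nothing at this spot tells a reader that the session open now lives in do_setusercontext, and the obvious "fix" of reinstating do_pam_session here would open the session twice. A one-line comment ("session is opened in do_setusercontext() after setgid/initgroups") would prevent that.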
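Review bot: the new `do_pam_session(pw->pw_name,NULL)` in the third session.c hunk (@@ -1204,6 +1203,13) runs in the forked child, inside do_setusercontext, after setgid()/initgroups() and before permanently_set_uid(), and two things need checking. First, whatever the parent uses to decide whether to call pam_close_session (the `session_opened = 1;` line shown as context at the top of the auth-pam.c hunk is set by do_pam_session) is now set only in the child, so the parent's cleanup will never close the session and the HP-UX session accounting this patch is meant to fix may be opened but never closed. Second, the comment says the placement is required by PAM on HP-UX, but the call is unconditional under USE_PAM, so the open-session order changes for Linux, Solaris and AIX as well; either gate it on the HP-UX define or say in the comment that the new order was tested on the others. Style: a space after the comma in `do_pam_session(pw->pw_name,NULL)` to match the surrounding calls.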
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 17 Jul 2002 04:27:20 +1000 (EST)
Subject: [Bug 356] New: 3.4p1 hostbased authentication between Linux and Solaris
Message-ID: <20020716182720.8956BE949@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=356

           Summary: 3.4p1 hostbased authentication between Linux and Solaris
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: mikep at onet.on.ca

Hostbased authentication is failing with a (Mandrake) Linux client and
Solaris server; all works between the Solaris (2.6/7/8) hosts, and also for
IRIX 6.2 (all built from source code), and Solaris client to Linux server
works. It fails between Linux hosts, both with the RPMs and when built from
source.

Failing session looks like it should work (remote server accepts .rhosts),
but fails locally; debug shows:

OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to enfm [128.100.102.112] port 22.
debug1: Connection established.
debug1: identity file /home/enfm/mikep/.ssh/identity type -1
debug1: identity file /home/enfm/mikep/.ssh/id_rsa type -1
debug1: identity file /home/enfm/mikep/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 124/256
debug1: bits set: 1581/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: check_host_in_hostfile: filename /home/enfm/mikep/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
debug2: key_type_from_name: unknown key type '1024'
debug3: key_read: no key found
debug3: key_read: type mismatch
debug3: check_host_in_hostfile: match line 34
debug3: check_host_in_hostfile: filename /home/enfm/mikep/.ssh/known_hosts2
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts2
debug2: key_type_from_name: unknown key type '1024'
debug3: key_read: no key found
debug3: key_read: type mismatch
debug3: check_host_in_hostfile: match line 34
debug1: Host 'enfm' is known and matches the RSA host key.
debug1: Found key in /etc/ssh/ssh_known_hosts2:34
debug1: bits set: 1575/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug3: start over, passed a different list publickey,password,keyboard-interactive,hostbased
debug3: preferred hostbased,publickey,keyboard-interactive,password
debug3: authmethod_lookup hostbased
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled hostbased
debug1: next auth method to try is hostbased
debug2: userauth_hostbased: chost enfm-pc8.utcc.utoronto.ca.
debug1: ssh_keysign called
debug3: msg_send: type 2
debug3: msg_recv entering
debug2: we sent a hostbased packet, wait for reply
debug1: Remote: Accepted by .rhosts.
debug1: Remote: Accepted host enfm-pc8.utcc.utoronto.ca ip 128.100.102.101 client_user mikep server_user mikep
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug2: userauth_hostbased: chost enfm-pc8.utcc.utoronto.ca.
debug1: ssh_keysign called
debug3: msg_send: type 2
debug3: msg_recv entering
debug2: we sent a hostbased packet, wait for reply
debug1: Remote: Accepted by .rhosts.
debug1: Remote: Accepted host enfm-pc8.utcc.utoronto.ca ip 128.100.102.101 client_user mikep server_user mikep
debug1: authentications that can continue: publickey,password,keyboard-interactive,hostbased
debug1: userauth_hostbased: no more client hostkeys

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From mouring at etoh.eviladmin.org Wed Jul 17 04:58:13 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 16 Jul 2002 13:58:13 -0500 (CDT) Subject: AIX hang problem again (was Re: AIX and Privsep.) In-Reply-To: <20020716081124.GB26371@folly> Message-ID: Leigh, Things are in your ball park. If it is not solved by the end of the week I'm yanking the current incorrect fix from the system until such time as a correct solution is presented. If you want 3.5 to ship without this issue it is your job to solve it. - Ben On Tue, 16 Jul 2002, Markus Friedl wrote: > On Mon, Jul 15, 2002 at 02:20:43PM -0500, Ben Lindstrom wrote: > > Markus, any qualms? > > c->isatty is only set on the server side. > > so if this is a client-side problem, too, then we probably need > your patch (but calling isatty for every write might be a problem). > From jmknoble at pobox.com Wed Jul 17 05:52:38 2002 
From: jmknoble at pobox.com (Jim Knoble) Date: Tue, 16 Jul 2002 15:52:38 -0400 Subject: Patch: Solaris packages don't create privsep user or group In-Reply-To: <3D336DD6.C8385F34@zip.com.au>; from dtucker@zip.com.au on Tue, Jul 16, 2002 at 10:50:30AM +1000 References: <3D334845.96AB7A0B@zip.com.au> <3D336DD6.C8385F34@zip.com.au> Message-ID: <20020716155238.B30965@zax.half.pint-stowp.cx> Circa 2002-Jul-16 10:50:30 +1000 dixit Darren Tucker: : Darren Tucker wrote: : > Ben Lindstrom wrote: : > > Hmm.. Does this work with JumpStart? Can you add users at install time? : > : > I didn't even consider that. We use jumpstart to build machines but : > don't install sshd until after the first boot (ie not in the : > finish_script). I'll try to dig up some spare hardware to try it. : : OK I can confirm that it does NOT work with Jumpstart. useradd and : groupadd try to modify the read-only files on the jumpstart NFS image. : : Should we: : (a) move them to the /etc/init.d/openssh script same as the keygens : (b) attempt to hand-hack $PKG_INSTALL_ROOT/etc/passwd : (c) chroot tricks? : (d) ? : : I prefer (a). My preference would be: (d) Move them to an 'openssh-setup' script that does the following: - creates /var/empty if it doesn't exist - sets proper ownership and permissions on /var/empty - creates the privsep user/group using usual tools - if desired, turns on/off privsep in sshd_config - other optional post-install setup (such as creating a service directory for use with svscan/supervise/multilog from djb's daemontools package ). This is the only sane way to deal with post-install package configuration. I've been using such a schema for some time to handle post-install configuration both for homegrown Encap packages of OpenSSH on HP-UX, AIX, and Slolaris, and for my homegrown RPM packages for various Linux flavors. 
-- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 262 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020716/947921a6/attachment.bin From kcurrie at cisco.com Wed Jul 17 06:28:17 2002 From: kcurrie at cisco.com (Kevin Currie) Date: Tue, 16 Jul 2002 15:28:17 -0500 Subject: Solaris privsep and compression. Message-ID: <3D3481E1.40605@cisco.com> Has anybody got privsep and compression working together on Solaris 2.6 and 2.5.1? I have no problem getting it working under Solaris 8, but on 2.5.1/2.6 it says: # ./sshd -p 6666 This platform does not support both privilege separation and compression Compression disabled -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Kevin Currie | | | | SysAdmin/ECS Security | .|||. .|||. | email: Cisco Systems | ..:|||||||:...:|||||||:.. |kcurrie(at)cisco.com Austin, Texas |-----------------------------| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From mouring at etoh.eviladmin.org Wed Jul 17 06:20:17 2002 
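A sketch of the 'openssh-setup' script Jim describes, as an added example for this thread; it is not Jim's, Bill's or Darren's script and not the project's buildpkg.sh. It assumes (none of this is from the thread) the account name sshd, a preferred uid/gid of 22, /var/empty as the privsep directory, Solaris paths for groupadd/useradd/passwd, and pkgadd -R exporting PKG_INSTALL_ROOT. It goes a little beyond the proposal: the uid/gid is only requested when that number is actually free in the target passwd/group file, the privsep directory is checked for the ownership and mode sshd insists on, and the account tools are run through chroot when an alternate install root is in use.

```shell
#!/bin/sh
# openssh-setup: post-install helper for the privsep account (added example,
# not the project's or any poster's script). Assumed, not from the thread:
# account name sshd, preferred uid/gid 22, /var/empty, Solaris tool paths.

SSH_PRIVSEP_USER=${SSH_PRIVSEP_USER:-sshd}
SSHDUID=${SSHDUID:-22}
SSHDGID=${SSHDGID:-22}
PRIVSEP_PATH=${PRIVSEP_PATH:-/var/empty}

# name_exists FILE NAME: true when NAME is field 1 of a passwd/group-format FILE.
name_exists() {
    awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# id_in_use FILE ID: true when numeric ID is field 3 (uid or gid) of FILE.
id_in_use() {
    awk -F: -v i="$2" '$3 == i { found = 1 } END { exit !found }' "$1"
}

# id_flag FILE FLAG ID: print "FLAG ID" (e.g. "-g 22") only when ID is free,
# so the caller can splice it unquoted into groupadd/useradd. This is the
# "use 22 if possible" check with the test the right way round.
id_flag() {
    if id_in_use "$1" "$3"; then
        printf ''
    else
        printf '%s %s' "$2" "$3"
    fi
}

# perm_string_ok LS_MODE: sshd requires the privsep directory to be a
# directory that is neither group- nor world-writable.
perm_string_ok() {
    case $1 in
        d????-??-?*) return 0 ;;
    esac
    return 1
}

# privsep_dir_ok DIR: exists, is owned by uid 0 and passes perm_string_ok.
privsep_dir_ok() {
    [ -d "$1" ] || return 1
    set -- $(ls -ldn "$1")          # $1 = mode string, $3 = owner uid
    [ "$3" = 0 ] && perm_string_ok "$1"
}

# main: act on the live system, or inside PKG_INSTALL_ROOT under pkgadd -R.
main() {
    root=${PKG_INSTALL_ROOT:-}
    [ "$root" = / ] && root=
    run=
    [ -n "$root" ] && run="chroot $root"
    grpfile=$root/etc/group
    pwfile=$root/etc/passwd

    dir=$root$PRIVSEP_PATH
    if ! privsep_dir_ok "$dir"; then
        echo "Setting up $dir (root-owned, mode 0755)."
        mkdir -p "$dir" && chown 0 "$dir" && chmod 755 "$dir" || exit 1
    fi

    if name_exists "$grpfile" "$SSH_PRIVSEP_USER"; then
        echo "PrivSep group $SSH_PRIVSEP_USER already exists."
    else
        # $(id_flag ...) is deliberately unquoted so "-g 22" splits into two words.
        $run /usr/sbin/groupadd $(id_flag "$grpfile" -g "$SSHDGID") "$SSH_PRIVSEP_USER" || exit 1
    fi

    if name_exists "$pwfile" "$SSH_PRIVSEP_USER"; then
        echo "PrivSep user $SSH_PRIVSEP_USER already exists."
    else
        $run /usr/sbin/useradd -c 'SSHD PrivSep User' -d "$PRIVSEP_PATH" \
            -s /bin/false -g "$SSH_PRIVSEP_USER" \
            $(id_flag "$pwfile" -u "$SSHDUID") "$SSH_PRIVSEP_USER" || exit 1
        $run /usr/bin/passwd -l "$SSH_PRIVSEP_USER" || exit 1
    fi
}

# Only act when invoked as the installed script; sourcing it just defines the helpers.
case $0 in *openssh-setup) main "$@" ;; esac
```

Running it manually (`openssh-setup`) or from an rc script both work, which was Ben's question; the chroot branch needs groupadd/useradd and their libraries already present under PKG_INSTALL_ROOT, so the package has to be installed after the core OS packages.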
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 16 Jul 2002 15:20:17 -0500 (CDT) Subject: Patch: Solaris packages don't create privsep user or group In-Reply-To: <20020716155238.B30965@zax.half.pint-stowp.cx> Message-ID: On Tue, 16 Jul 2002, Jim Knoble wrote: > Circa 2002-Jul-16 10:50:30 +1000 dixit Darren Tucker: > > : Darren Tucker wrote: > : > Ben Lindstrom wrote: > : > > Hmm.. Does this work with JumpStart? Can you add users at install time? > : > > : > I didn't even consider that. We use jumpstart to build machines but > : > don't install sshd until after the first boot (ie not in the > : > finish_script). I'll try to dig up some spare hardware to try it. > : > : OK I can confirm that it does NOT work with Jumpstart. useradd and > : groupadd try to modify the read-only files on the jumpstart NFS image. > : > : Should we: > : (a) move them to the /etc/init.d/openssh script same as the keygens > : (b) attempt to hand-hack $PKG_INSTALL_ROOT/etc/passwd > : (c) chroot tricks? > : (d) ? > : > : I prefer (a). > > My preference would be: > > (d) Move them to an 'openssh-setup' script that does the following: > Admin required to manually run it, or a form of SysV 'first time' startup script? - Ben From tim at multitalents.net Wed Jul 17 06:34:05 2002 
From: tim at multitalents.net (Tim Rice) Date: Tue, 16 Jul 2002 13:34:05 -0700 (PDT) Subject: Solaris privsep and compression. In-Reply-To: <3D3481E1.40605@cisco.com> Message-ID: On Tue, 16 Jul 2002, Kevin Currie wrote: > Has anybody got privsep and compression working together on Solaris > 2.6 and 2.5.1? I have no problem getting it working under Solaris 8, but > on 2.5.1/2.6 it says: Pull a current snapshot and try it. I added support last weekend. Works on Solaris 7 > > # ./sshd -p 6666 > This platform does not support both privilege separation and compression > Compression disabled > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From mouring at etoh.eviladmin.org Wed Jul 17 06:23:57 2002 From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 16 Jul 2002 15:23:57 -0500 (CDT) Subject: Solaris privsep and compression. In-Reply-To: <3D3481E1.40605@cisco.com> Message-ID: Try the most recent snapshot: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/ - Ben On Tue, 16 Jul 2002, Kevin Currie wrote: > Has anybody got privsep and compression working together on Solaris > 2.6 and 2.5.1? I have no problem getting it working under Solaris 8, but > on 2.5.1/2.6 it says: > > # ./sshd -p 6666 > This platform does not support both privilege separation and compression > Compression disabled > > > > > -- > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Kevin Currie | | | | > SysAdmin/ECS Security | .|||. .|||. | email: > Cisco Systems | ..:|||||||:...:|||||||:.. |kcurrie(at)cisco.com > Austin, Texas |-----------------------------| > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From mouring at etoh.eviladmin.org Wed Jul 17 06:25:54 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 16 Jul 2002 15:25:54 -0500 (CDT) Subject: opensshd.in In-Reply-To: Message-ID: Fine with me. I think that until we get a working setproctitle() under solaris it would be more problematic than it is worth. - Ben On Mon, 15 Jul 2002, Tim Rice wrote: > > I've had the wrong sshd daemon killed by "killing using alternate method" > too many times. > > Would this cause anyone any grief? > > > --- opensshd.in.old Sun Oct 21 16:42:02 2001 > +++ opensshd.in Mon Jul 15 19:34:16 2002 > @@ -3,11 +3,8 @@ > # > # Stripped PRNGd out of it for the time being. > > -AWK=/usr/bin/awk > CAT=/usr/bin/cat > KILL=/usr/bin/kill > -PS=/usr/bin/ps > -XARGS=/usr/bin/xargs > > prefix=%%openSSHDir%% > etcdir=%%configDir%% > @@ -20,12 +17,6 @@ > HOST_KEY_DSA=$etcdir/ssh_host_dsa_key > HOST_KEY_RSA=$etcdir/ssh_host_rsa_key > > -killproc() { > - _procname=$1 > - _signal=$2 > - ${PS} -u root | ${AWK} '/'"$_procname"'$/ {print $1}' | ${XARGS} ${KILL} > -} > - > > checkkeys() { > if [ ! -f $HOST_KEY_RSA1 ]; then > @@ -46,8 +37,7 @@ > if [ ${PID:=0} -gt 1 -a ! "X$PID" = "X " ]; then > ${KILL} ${PID} > else > - echo "Unable to read PID file, killing using alternate method" > - killproc sshd TERM > + echo "Unable to read PID file" > fi > } > > > -- > Tim Rice Multitalents (707) 887-1469 > tim at multitalents.net > > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From jmknoble at pobox.com Wed Jul 17 07:07:45 2002 
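Review bot: removing killproc() in the second hunk is the right fix rather than tightening it, because its `${PS} -u root | ${AWK} '/'"$_procname"'$/ {print $1}' | ${XARGS} ${KILL}` pipeline signals every root-owned process whose command name ends in sshd, not just the listening daemon, which is exactly how the wrong sshd got killed; a one-line comment above the stop logic saying that the PID file is now the only source of truth would keep someone from re-adding a name-based fallback later.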
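Review bot: in the last hunk the `else` branch now only echoes "Unable to read PID file" and falls through with exit status 0, so a stop that did nothing is indistinguishable from a successful one to an rc sequence or an admin scripting a restart; suggest `exit 1` after the echo, and printing the PID file path so the admin can see which file could not be read.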
From: jmknoble at pobox.com (Jim Knoble) Date: Tue, 16 Jul 2002 17:07:45 -0400 Subject: Patch: Solaris packages don't create privsep user or group In-Reply-To: ; from mouring@etoh.eviladmin.org on Tue, Jul 16, 2002 at 03:20:17PM -0500 References: <20020716155238.B30965@zax.half.pint-stowp.cx> Message-ID: <20020716170745.D30965@zax.half.pint-stowp.cx> Circa 2002-Jul-16 15:20:17 -0500 dixit Ben Lindstrom: : On Tue, 16 Jul 2002, Jim Knoble wrote: : > (d) Move them to an 'openssh-setup' script that does the following: : : Admin required to manually run it, or a form of SysV 'first time' startup : script? Whichever. I have no problem with the admin running it, even the following in /etc/init.d/openssh (or whatever it's called) seems fine to me: || or even: || The benefit of the admin running it manually is that s/he can choose privsep or whatever at that time (e.g., via command-line options or envariables). A well-written script would be able to run in both contexts.... For what it's worth.... -- jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/ (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 262 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020716/34715175/attachment.bin From wknox at mitre.org Wed Jul 17 07:09:57 2002 
From: wknox at mitre.org (William R. Knox) Date: Tue, 16 Jul 2002 17:09:57 -0400 (EDT) Subject: Patch: Solaris packages don't create privsep user or group In-Reply-To: Message-ID: Here are the checkinstall script and the postinstall script that I use in my openssh package for Solaris. They create the keys and the group and user for ssh (sshd), and, if the package is being installed in a different root, create an init script that will run these things and then remove itself on the next reboot. Feel free to use any part of this. The /var/empty directory is, by the way, installed by the package itself. Bill Knox Senior Operating Systems Programmer/Analyst The MITRE Corporation On Tue, 16 Jul 2002, Ben Lindstrom wrote: > Date: Tue, 16 Jul 2002 15:20:17 -0500 (CDT) 
> From: Ben Lindstrom > To: Jim Knoble > Cc: OpenSSH Devel List > Subject: Re: Patch: Solaris packages don't create privsep user or group > > > > On Tue, 16 Jul 2002, Jim Knoble wrote: > > > Circa 2002-Jul-16 10:50:30 +1000 dixit Darren Tucker: > > > > : Darren Tucker wrote: > > : > Ben Lindstrom wrote: > > : > > Hmm.. Does this work with JumpStart? Can you add users at install time? > > : > > > : > I didn't even consider that. We use jumpstart to build machines but > > : > don't install sshd until after the first boot (ie not in the > > : > finish_script). I'll try to dig up some spare hardware to try it. > > : > > : OK I can confirm that it does NOT work with Jumpstart. useradd and > > : groupadd try to modify the read-only files on the jumpstart NFS image. > > : > > : Should we: > > : (a) move them to the /etc/init.d/openssh script same as the keygens > > : (b) attempt to hand-hack $PKG_INSTALL_ROOT/etc/passwd > > : (c) chroot tricks? > > : (d) ? > > : > > : I prefer (a). > > > > My preference would be: > > > > (d) Move them to an 'openssh-setup' script that does the following: > > > > Admin required to manually run it, or a form of SysV 'first time' startup > script? 
> > - Ben > > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -------------- next part -------------- if [ "$PKG_INSTALL_ROOT" = "/" -o "$PKG_INSTALL_ROOT" = "" ]; then if [ ${PRIVSEPGROUP} -eq 0 ]; then echo "Adding PrivSep group sshd" groupadd -g 60000 sshd else echo "PrivSep group sshd already exists" fi if [ ${PRIVSEPUSER} -eq 0 ]; then echo "Adding PrivSep user sshd" useradd -u 60000 -g sshd -c 'OpenSSH Privilege Separation user' -d /var/empty -s /bin/false sshd else echo "PrivSep user sshd already exists" fi installf MTopenssh /usr/local/etc/ssh_host_key installf MTopenssh /usr/local/etc/ssh_host_key.pub installf MTopenssh /usr/local/etc/ssh_host_rsa_key installf MTopenssh /usr/local/etc/ssh_host_rsa_key.pub installf MTopenssh /usr/local/etc/ssh_host_dsa_key installf MTopenssh /usr/local/etc/ssh_host_dsa_key.pub umask 022 if test -f /usr/local/etc/ssh_host_key; then echo "You already have a host key in $PKG_INSTALL_ROOT/usr/local/etc/ssh_host_key." else echo "Generating protocol level 1 host key." /usr/local/bin/ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N '' fi if test -f /usr/local/etc/ssh_host_rsa_key; then echo "You already have a host key in $PKG_INSTALL_ROOT/usr/local/etc/ssh_host_rsa_key." else echo "Generating protocol level 2 RSA host key." /usr/local/bin/ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N '' fi if test -f /usr/local/etc/ssh_host_dsa_key; then echo "You already have a host key in $PKG_INSTALL_ROOT/usr/local/etc/ssh_host_dsa_key." else echo "Generating protocol level 2 DSA host key." 
/usr/local/bin/ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N '' fi installf -f MTopenssh cat < $TEMP_INIT_SCRIPT < /dev/null 2>&1; then PRIVSEPGROUP=1 fi if grep "^sshd:" ${PKG_INSTALL_ROOT}/etc/passwd > /dev/null 2>&1; then PRIVSEPUSER=1 fi /bin/cat >$1 < >Here are the checkinstall script and the postinstall script that I use in >my openssh package for Solaris. They create the keys and the group and >user for ssh (sshd), and, if the package is being installed in a different >root, create an init script that will run these things and then remove >itself on the next reboot. Feel free to use any part of this. The >/var/empty directory is, by the way, installed by the package itself. Creating the keys in a postinstall script makes the package incompatible with Jumpstart Flash installations. It is a better idea to keep the current practice and create the keys at boot time if they don't already exist. In Solaris 9 we create the keys at boot time and also modified sys-unconfig to remove the keys from the system. Both of these ensure that Flash archives can be created that don't contain the identity of the original system. -- Darren J Moffat From dtucker at zip.com.au Wed Jul 17 09:54:28 2002 
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 17 Jul 2002 09:54:28 +1000 Subject: Patch: Solaris packages don't create privsep user or group References: <200207160204.g6G24GuP707936@jurassic.eng.sun.com> <3D33BAA8.D5976982@zip.com.au> Message-ID: <3D34B234.5910AD6D@zip.com.au> Darren Tucker wrote: > How about something like the attached patch (b+c)? (Currently untested, > please don't commit.) Or is it too convoluted? FWIW here's a patch that works (on Solaris 7 anyway) during a jumpstart finish_script (ie with pkgadd -R). If a consensus is reached about a better way to do the account/group stuff I'll be happy to post a new patch. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: contrib/solaris/buildpkg.sh =================================================================== RCS file: /cvs/openssh/contrib/solaris/buildpkg.sh,v retrieving revision 1.6 diff -u -r1.6 buildpkg.sh --- contrib/solaris/buildpkg.sh 15 Jul 2002 18:49:21 -0000 1.6 +++ contrib/solaris/buildpkg.sh 16 Jul 2002 12:19:46 -0000 @@ -20,6 +20,8 @@ PKGNAME=OpenSSH SYSVINIT_NAME=opensshd MAKE=${MAKE:="make"} +SSHDUID=22 # Default privsep uid +SSHDGID=22 # Default privsep gid # uncomment these next two as needed #PERMIT_ROOT_LOGIN=no #X11_FORWARDING=yes @@ -227,7 +229,13 @@ installf -f ${PKGNAME} -if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null +# Use chroot to handle PKG_INSTALL_ROOT +if [ ! -z "\${PKG_INSTALL_ROOT}" ] +then + chroot="chroot \${PKG_INSTALL_ROOT}" +fi + +if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null then echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user" echo "or group." 
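Review bot: the `if [ ! -z "\${PKG_INSTALL_ROOT}" ]` test in this hunk turns `PKG_INSTALL_ROOT=/` into `chroot /`, which is harmless, but the real assumption is unstated: chrooting into the install root means `/usr/sbin/groupadd`, `/usr/sbin/useradd`, `/usr/bin/passwd` and their shared libraries must already exist under `PKG_INSTALL_ROOT`, so the package needs a dependency on (or must be installed after) the core OS packages; a comment next to the `chroot=` assignment, plus a check that `\${PKG_INSTALL_ROOT}/usr/sbin/groupadd` is executable before relying on it, would make the finish_script failure mode obvious.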
@@ -235,22 +243,32 @@ echo "UsePrivilegeSeparation enabled in config (or defaulting to on)." # create group if required - if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null then echo "PrivSep group $SSH_PRIVSEP_USER already exists." else + # Use gid of 22 if possible + if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null + then + sshdgid="-g 22" + fi echo "Creating PrivSep group $SSH_PRIVSEP_USER." - groupadd $SSH_PRIVSEP_USER + \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER fi # Create user if required - if cut -f1 -d: /etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null then echo "PrivSep user $SSH_PRIVSEP_USER already exists." else + # Use uid of 22 if possible + if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null + then + sshduid="-u 22" + fi echo "Creating PrivSep user $SSH_PRIVSEP_USER." - useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER $SSH_PRIVSEP_USER - passwd -l $SSH_PRIVSEP_USER + \$chroot /usr/sbin/useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER + \$chroot /usr/bin/passwd -l $SSH_PRIVSEP_USER fi fi From dcole at keysoftsys.com Wed Jul 17 11:05:48 2002 
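Review bot: the two "if possible" checks in this hunk are inverted: `cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$'` succeeds when gid 22 is already taken, and that is precisely when `sshdgid="-g 22"` gets set, so groupadd is asked for an in-use gid and fails; the assignment belongs in the failure case (`if ! cut ...`). The uid branch has the same inversion and additionally greps `$SSHDGID` instead of `$SSHDUID` against /etc/passwd, and both branches hard-code 22 rather than using the variables introduced in the first hunk.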
From: dcole at keysoftsys.com (Darren Cole) Date: Tue, 16 Jul 2002 18:05:48 -0700 Subject: HP-UX PAM with Trusted System patch References: Message-ID: <014201c22d2e$28884540$9b78a8c0@oedserver> The patch looks reasonable, but I don't believe Trusted HP-UX has pam, or at least we don't have it on our machines. I even asked around the office and no one thinks we have pam on 10.26. Are we mistaken or missing a patch? Or are you talking about some version other than Trusted HP-UX 10.26? Later versions of HP-UX may have pam (I think 11i does), but I don't know of any later version of Trusted HP-UX than 10.26. Darren Cole ----- Original Message ----- From: "Dan Wanek" To: Sent: Tuesday, July 16, 2002 6:25 AM Subject: HP-UX PAM with Trusted System patch > I'm fairly new to the list and new to submitting patches. Can someone > please verify the attached patch for running a HP-UX Trusted System with > PAM and OpenSSH 3.4p1? The problem seemed to be that pam couldn't verify > the user via __pamh after the call to permanently_set_uid in session.c. > So I called do_pam_session prior to the call and added a function > do_pam_set_tty in order to set the tty after allocation. > > -- > Dan Wanek > > From mouring at etoh.eviladmin.org Wed Jul 17 11:12:55 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Tue, 16 Jul 2002 20:12:55 -0500 (CDT) Subject: Patch: Solaris packages don't create privsep user or group In-Reply-To: <3D34B234.5910AD6D@zip.com.au> Message-ID: Minor pissy thing. =-) + if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null + then + sshdgid="-g 22" + fi sshdgid="-g $SSHDGID" same with the sshduid check. Why? Because it allows us to change SSHDGID/SSHDUID in a single location that makes sense. - Ben On Wed, 17 Jul 2002, Darren Tucker wrote: > Darren Tucker wrote: > > How about something like the attached patch (b+c)? (Currently untested, > > please don't commit.) Or is it too convoluted? > > FWIW here's a patch that works (on Solaris 7 anyway) during a jumpstart > finish_script (ie with pkgadd -R). > > If a consensus is reached about a better way to do the account/group > stuff I'll be happy to post a new patch. > > -- > Darren Tucker (dtucker at zip.com.au) > GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. From benny at bennyvision.com Wed Jul 17 11:45:58 2002 
From: benny at bennyvision.com (C. Bensend) Date: Tue, 16 Jul 2002 20:45:58 -0500 (CDT) Subject: [SOLVED] Re: Building 3.4p1 on HP-UX 11.00, gcc, zlib 1.1.4, OpenSSL 0.9.6d In-Reply-To: <3D2FE3DB.8F2315E6@zip.com.au> Message-ID: Hey folks, My problem with building 3.4p1 on HP-UX has been solved, and as promised I'm sending this to the list for the benefit of the archives. > "C. Bensend" wrote: > > On Sat, 13 Jul 2002, Darren Tucker wrote: > [extra libxnet?] > > Excellent thought, but I have checked that already. But, and > > this is an honest question (you guys probably know a lot more > > about this than I do), are we chasing the wrong problem? > > Configure isn't bombing on libxnet... While it is certainly > > complaining about it in config.log, it's not a fatal error > > like the zlib one is. > > By comparing my config.log to yours, I've figured out why you're getting > the xnet errors: you're compiling with -static and there's no libxnet.a. > > If I set CFLAGS=-static I'm able to reproduce your problem. > > > But, I'm guessing this could be a problem that is being > > incorrectly reported by configure... > > The missing library is causing a link failure. (I suspect it's causing > configure to get a bunch of other settings wrong too.) Darren was completely correct - use of the "-static" value in CFLAGS was causing configure to become ... confused. As a static library for libxnet wasn't available on HP-UX (11.00), it was causing a link failure, _as well as_ incorrectly stating that it couldn't find zlib. The solution: 1) Removed all traces of zlib from the system just to be safe 2) Removed all traces of OpenSSL from the system, JTBS 3) Rebuilt both zlib and OpenSSL, installing them to a temp directory 4) Rebuilt OpenSSH, pointing configure at said zlib and OpenSSL I was originally trying to build OpenSSH statically so I wouldn't have to muck with the OpenSSL installations on my production boxen, as our proprietary web applications are also built against OpenSSL. 
However, Darren mentioned that by default, OpenSSL and zlib compile statically (a thousand thanks for your help and patience, Darren). So, I went ahead and built OpenSSH dynamically. Sure enough, the SSL and zlib stuff was built in statically. Not quite what I was aiming for originally, but certainly an acceptable solution. I didn't realize this about OpenSSL and zlib. That'll learn me. So - the end result? Happy OpenSSH depot for HP-UX 11.00. A billion thanks to Darren, Kevin, Wendy, and Tim for their help, and hopefully someone else will benefit from this information. Benny ps: Could this be categorized as an obscure bug in the configure process? Shouldn't configure have bombed on -static being used when static libraries weren't available, instead of complaining about something else (zlib)? Not being argumentative or complaining or anything, it just would have been a lot quicker to track this down if I had seen a "configure: libxnet.a not found" or something similar. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Listening to this egghead is giving me worms." -- Odyssey 5, on Showtime From dtucker at zip.com.au Wed Jul 17 12:54:40 2002 
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 17 Jul 2002 12:54:40 +1000 Subject: Patch: Solaris packages don't create privsep user or group References: Message-ID: <3D34DC70.7E7192AE@zip.com.au> Ben Lindstrom wrote: > sshdgid="-g $SSHDGID" > > same with the sshduid check. Damn. I missed those when I added the variables. New patch attached. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: contrib/solaris/buildpkg.sh =================================================================== RCS file: /cvs/openssh/contrib/solaris/buildpkg.sh,v retrieving revision 1.6 diff -u -r1.6 buildpkg.sh --- contrib/solaris/buildpkg.sh 15 Jul 2002 18:49:21 -0000 1.6 +++ contrib/solaris/buildpkg.sh 17 Jul 2002 02:56:23 -0000 @@ -20,6 +20,8 @@ PKGNAME=OpenSSH SYSVINIT_NAME=opensshd MAKE=${MAKE:="make"} +SSHDUID=22 # Default privsep uid +SSHDGID=22 # Default privsep gid # uncomment these next two as needed #PERMIT_ROOT_LOGIN=no #X11_FORWARDING=yes @@ -227,7 +229,13 @@ installf -f ${PKGNAME} -if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' $sysconfdir/sshd_config >/dev/null +# Use chroot to handle PKG_INSTALL_ROOT +if [ ! -z "\${PKG_INSTALL_ROOT}" ] +then + chroot="chroot \${PKG_INSTALL_ROOT}" +fi + +if egrep '^[ \t]*UsePrivilegeSeparation[ \t]+no' \${PKG_INSTALL_ROOT}/$sysconfdir/sshd_config >/dev/null then echo "UsePrivilegeSeparation disabled in config, not creating PrivSep user" echo "or group." 
@@ -235,22 +243,32 @@ echo "UsePrivilegeSeparation enabled in config (or defaulting to on)." # create group if required - if cut -f1 -d: /etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null then echo "PrivSep group $SSH_PRIVSEP_USER already exists." else + # Use gid of 22 if possible + if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null + then + sshdgid="-g $SSHDGID" + fi echo "Creating PrivSep group $SSH_PRIVSEP_USER." - groupadd $SSH_PRIVSEP_USER + \$chroot /usr/sbin/groupadd \$sshdgid $SSH_PRIVSEP_USER fi # Create user if required - if cut -f1 -d: /etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null + if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null then echo "PrivSep user $SSH_PRIVSEP_USER already exists." else + # Use uid of 22 if possible + if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null + then + sshduid="-u $SSHDUID" + fi echo "Creating PrivSep user $SSH_PRIVSEP_USER." - useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER $SSH_PRIVSEP_USER - passwd -l $SSH_PRIVSEP_USER + \$chroot /usr/sbin/useradd -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER + \$chroot /usr/bin/passwd -l $SSH_PRIVSEP_USER fi fi From dwanek at depaul.edu Wed Jul 17 14:12:24 2002 
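Review bot: the hard-coded 22 is gone, but the "Use gid of 22 if possible" test in this hunk is still inverted: `egrep '^'$SSHDGID'\$'` on field 3 of /etc/group succeeds when the gid is already in use, and that is the case in which `sshdgid="-g $SSHDGID"` is set, so groupadd is asked for a taken gid and fails; the uid branch has the same problem and still greps `$SSHDGID` rather than `$SSHDUID` against /etc/passwd. Negate both tests (`if ! cut ...`) or move the assignments into else branches.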
From: dwanek at depaul.edu (Dan Wanek) Date: Tue, 16 Jul 2002 23:12:24 -0500 Subject: HP-UX PAM with Trusted System patch In-Reply-To: <014201c22d2e$28884540$9b78a8c0@oedserver> Message-ID: <000701c22d48$27ae6130$0a02a8c0@dwhome> Darren, The patch is intended for HP-UX 11.0 and 11i. These are the only versions we have in production and are the only ones I've tested the patch on. You're right though, I don't think PAM was included until version 11.0. On a separate note, 11.0 doesn't like the unified diff format so I've attached the same patch for 11.0 if anyone wants to try it. I've had one request already. 11i should be fine, however. -- Dan Wanek -----Original Message----- From: openssh-unix-dev-admin at mindrot.org [mailto:openssh-unix-dev-admin at mindrot.org] On Behalf Of Darren Cole Sent: Tuesday, July 16, 2002 8:06 PM To: Dan Wanek; openssh-unix-dev at mindrot.org Subject: Re: HP-UX PAM with Trusted System patch The patch looks reasonable, but I don't believe Trust HP-UX has pam or at least we don't have it on our machines. I even asked around the office and no one thinks we have pam on 10.26. Are we mistaken or missing a patch? Or are you talking about something version other than Trusted HP-UX 10.26? Later version of HP-UX may have pam (I think 11i does), but I don't know of any later version of Trusted HP-UX than 10.26. Darren Cole ----- Original Message ----- 
From: "Dan Wanek" To: Sent: Tuesday, July 16, 2002 6:25 AM Subject: HP-UX PAM with Trusted System patch > I'm fairly new to the list and new to submitting patches. Can someone > please verify the attached patch for running a HP-UX Trusted System with > PAM and OpenSSH 3.4p1? The problem seemed to be that pam couldn't verify > the user via __pamh after the call to permanently_set_uid in session.c. > So I called do_pam_session prior to the call and added a function > do_pam_set_tty in order to set the tty after allocation. > > -- > Dan Wanek > > _______________________________________________ openssh-unix-dev at mindrot.org mailing list http://www.mindrot.org/mailman/listinfo/openssh-unix-dev -------------- next part -------------- A non-text attachment was scrubbed... Name: diff.ossh Type: application/octet-stream Size: 2393 bytes Desc: not available Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020716/8a87fa76/attachment.obj From bugzilla-daemon at mindrot.org Wed Jul 17 14:44:13 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 17 Jul 2002 14:44:13 +1000 (EST) Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1 Message-ID: <20020717044413.E0935E94A@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=338 ------- Additional Comments From tim at multitalents.net 2002-07-17 14:44 ------- Created an attachment (id=132) fix for autoconf 2.53 PATH problems ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jul 17 14:46:12 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 17 Jul 2002 14:46:12 +1000 (EST) Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1 Message-ID: <20020717044612.1386CE94A@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=338 ------- Additional Comments From tim at multitalents.net 2002-07-17 14:45 ------- Could someone with autoconf 2.53 test attachment 132 and see if it fixes the xauth problem? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From frankl at redwind.biz Wed Jul 17 17:14:18 2002 From: frankl at redwind.biz (Frank Li) Date: Wed, 17 Jul 2002 00:14:18 -0700 Subject: ssh bug Message-ID: <010401c22d63$05ec0000$0a0ca8c0@win2000> Hi, I have trouble with OpenSSH: from time to time I get an error in the messages file (Solaris 8) saying sshd socket close; can somebody tell me why? Thanks Frank -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020717/c4766488/attachment.html From sidd_ait at rediffmail.com Wed Jul 17 20:37:40 2002 From: sidd_ait at rediffmail.com (siddharth sharma rajput) Date: 17 Jul 2002 10:37:40 -0000 Subject: subscribing mailing list Message-ID: <20020717103740.31256.qmail@webmail16.rediffmail.com> An embedded and charset-unspecified text was scrubbed... Name: not available Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020717/8be37ef6/attachment.ksh From dtucker at zip.com.au Wed Jul 17 21:30:09 2002 
From: dtucker at zip.com.au (Darren Tucker) Date: Wed, 17 Jul 2002 21:30:09 +1000 Subject: [SOLVED] Re: Building 3.4p1 on HP-UX 11.00, gcc, zlib 1.1.4, OpenSSL0.9.6d References: Message-ID: <3D355541.A20F91@zip.com.au> "C. Bensend" wrote: > ps: Could this be categorized as an obscure bug in the configure > process? Shouldn't configure have bombed on -static being used > when static libraries weren't availible, instead of complaining > about something else (zlib)? Not being argumentative or complaining > or anything, it just would have been a lot quicker to track this > down if I had seen a "configure: libxnet.a not found" or something > similar. I'm not very familiar with autoconf but how about the attached patch (tested on HP-UX 11.00)? $ LDFLAGS=-static ./configure [snip] checking for t_error in -lxnet... no configure: error: *** -lxnet needed on HP-UX - check config.log *** $ ./configure [snip] Libraries: -lz -lnsl -lxnet -lsec -lcrypto -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: configure.ac =================================================================== RCS file: /cvs/openssh/configure.ac,v retrieving revision 1.79 diff -u -r1.79 configure.ac --- configure.ac 14 Jul 2002 20:36:50 -0000 1.79 +++ configure.ac 17 Jul 2002 11:19:53 -0000 @@ -113,7 +113,8 @@ AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(DISABLE_UTMP) AC_DEFINE(SPT_TYPE,SPT_PSTAT) - LIBS="$LIBS -lxnet -lsec -lsecpw" + LIBS="$LIBS -lsec -lsecpw" + AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) disable_ptmx_check=yes ;; *-*-hpux10*) 
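Review bot: the AC_MSG_ERROR text in this hunk says `-lxnet needed on HP-UX` but not why the probe failed, and the failure this patch answers is `LDFLAGS=-static` on a box that only ships a shared libxnet, so naming that cause in the message (e.g. "no libxnet.a found; drop -static from LDFLAGS") would give the next person the answer Benny had to dig out of config.log. The same `AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR(...))` line is then repeated verbatim in the two following hunks; one check after the `case`, guarded on the hpux platforms, would keep the three copies from drifting apart. Leaving the action-if-found empty is fine: AC_CHECK_LIB's default prepends -lxnet to LIBS, so the previous `-lxnet -lsec -lsecpw` link order is preserved.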
@@ -128,7 +129,8 @@ AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(DISABLE_UTMP) AC_DEFINE(SPT_TYPE,SPT_PSTAT) - LIBS="$LIBS -lxnet -lsec" + LIBS="$LIBS -lsec" + AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) ;; *-*-hpux11*) CPPFLAGS="$CPPFLAGS -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1"
@@ -140,7 +142,8 @@ AC_DEFINE(DISABLE_SHADOW) AC_DEFINE(DISABLE_UTMP) AC_DEFINE(SPT_TYPE,SPT_PSTAT) - LIBS="$LIBS -lxnet -lsec" + LIBS="$LIBS -lsec" + AC_CHECK_LIB(xnet, t_error, ,AC_MSG_ERROR([*** -lxnet needed on HP-UX - check config.log ***])) ;; *-*-irix5*) CPPFLAGS="$CPPFLAGS -I/usr/local/include"

From Jason.Lacoss-Arnold at AGEDWARDS.com Wed Jul 17 21:46:50 2002
From: Jason.Lacoss-Arnold at AGEDWARDS.com (Lacoss-Arnold, Jason)
Date: Wed, 17 Jul 2002 06:46:50 -0500
Subject: HP-UX PAM with Trusted System patch
Message-ID: <6808DCE827EBD5119DFB0002A58EF4DA03240420@hqempn06.agedwards.com>

Trusted HP-UX refers to any HP-UX running with the /tcb crap and various other security-related extensions. On any of our systems from 10.20 through 11.11, you can go into SAM and choose "Convert to trusted system" or somesuch.

-----Original Message-----
From: Darren Cole [mailto:dcole at keysoftsys.com]
Sent: Tuesday, July 16, 2002 8:06 PM
To: Dan Wanek; openssh-unix-dev at mindrot.org
Subject: Re: HP-UX PAM with Trusted System patch

The patch looks reasonable, but I don't believe Trusted HP-UX has PAM, or at least we don't have it on our machines. I even asked around the office and no one thinks we have PAM on 10.26. Are we mistaken or missing a patch? Or are you talking about some version other than Trusted HP-UX 10.26? Later versions of HP-UX may have PAM (I think 11i does), but I don't know of any later version of Trusted HP-UX than 10.26.

Darren Cole

----- Original Message -----
From: "Dan Wanek"
To:
Sent: Tuesday, July 16, 2002 6:25 AM
Subject: HP-UX PAM with Trusted System patch

> I'm fairly new to the list and new to submitting patches. Can someone
> please verify the attached patch for running an HP-UX Trusted System with
> PAM and OpenSSH 3.4p1? The problem seemed to be that PAM couldn't verify
> the user via __pamh after the call to permanently_set_uid in session.c.
> So I called do_pam_session prior to the call and added a function
> do_pam_set_tty in order to set the tty after allocation.
>
> --
> Dan Wanek
>
> _______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

***********************************************************************************
WARNING: All e-mail sent to and from this address will be received or otherwise recorded by the A.G. Edwards corporate e-mail system and is subject to archival, monitoring or review by, and/or disclosure to, someone other than the recipient.
************************************************************************************
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020717/3c8255e3/attachment.html

From GILBERT.R.LOOMIS at saic.com Wed Jul 17 23:42:35 2002
From: GILBERT.R.LOOMIS at saic.com (Loomis, Rip)
Date: Wed, 17 Jul 2002 09:42:35 -0400
Subject: Solaris sshd socket close (was: ssh bug)
Message-ID: <3C1E3607B37295439F7C409EFBA08E680E2CF9@US-Columbia-CIST.mail.saic.com>

Frank--

> Hi, I have trouble with OpenSSH: from time to time I get an error in the
> messages file (Solaris 8) saying "sshd socket close". Can somebody tell me why?

First, it helps if you give your message a better subject than "ssh bug".

Second, if this is on a system with port 22 exposed to untrusted networks, there's a good chance that the messages you're seeing are being generated by folks trying to exploit one of the recent bugs in zlib/OpenSSH. As long as you're running a current version of OpenSSH, you should be okay--but if you would like more help, please post the exact messages from syslog or /var/adm/messages that you're seeing.

--Rip

From Nicolas.Williams at ubsw.com Wed Jul 17 23:56:48 2002
From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com)
Date: Wed, 17 Jul 2002 09:56:48 -0400
Subject: Patch: Solaris packages don't create privsep user or group
Message-ID: <17D3D857B26112409EA372EB0AFE39DD125F6E@NSTMC005PEX1.ubsgs.ubsgroup.net>

Darren,

How can a package's checkinstall/postinstall detect that JSS Flash is being used?

Nico
--

> -----Original Message-----
> From: Darren J Moffat [mailto:Darren.Moffat at Sun.COM]
> Sent: Tuesday, July 16, 2002 5:21 PM
> To: openssh-unix-dev at mindrot.org; wknox at mitre.org
> Subject: Re: Patch: Solaris packages don't create privsep user or group
>
> >Here are the checkinstall script and the postinstall script that I use in
> >my openssh package for Solaris. They create the keys and the group and
> >user for ssh (sshd), and, if the package is being installed in a different
> >root, create an init script that will run these things and then remove
> >itself on the next reboot. Feel free to use any part of this. The
> >/var/empty directory is, by the way, installed by the package itself.
>
> Creating the keys in a postinstall script makes the package incompatible
> with Jumpstart Flash installations. It is a better idea to keep the
> current practice and create the keys at boot time if they don't already
> exist.
>
> In Solaris 9 we create the keys at boot time and also modified sys-unconfig
> to remove the keys from the system. Both of these ensure that Flash
> archives can be created that don't contain the identity of the original
> system.
>
> --
> Darren J Moffat
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments.

From bugzilla-daemon at mindrot.org Thu Jul 18 00:55:00 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 00:55:00 +1000 (EST)
Subject: [Bug 357] New: SSH does not handle "Protocol" option in ~/.ssh/options properly
Message-ID: <20020717145500.2C50AEA4C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=357

Summary: SSH does not handle "Protocol" option in ~/.ssh/options properly
Product: Portable OpenSSH
Version: -current
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: dfs at roaringpenguin.com

Running OpenSSH 3.4p1 on Linux. Here's the contents of ~/.ssh/options:

Host *
UsePrivilegedPort no
Protocol 1

Host shevy
HostName shevy.roaringpenguin.com
User dfs
Protocol 2
Port 23

When I do "ssh -v shevy", we see:

OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /home/dfs/.ssh/config
debug1: Applying options for *
debug1: Applying options for shevy
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to shevy.roaringpenguin.com [192.168.2.1] port 23.
debug1: Connection established.
debug1: identity file /home/dfs/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.4p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'shevy.roaringpenguin.com' is known and matches the RSA1 host key.
debug1: Found key in /home/dfs/.ssh/known_hosts:7
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: cipher_init: set keylen (16 -> 32)
debug1: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication via agent with 'dfs at shishi.skoll.ca'
debug1: Received RSA challenge from server.
debug1: Sending response to RSA challenge.
debug1: Remote: RSA authentication accepted.
debug1: RSA authentication accepted by server.
debug1: Requesting pty.
debug1: fd 3 setting TCP_NODELAY
debug1: Requesting shell.
debug1: Entering interactive session.
Last login: Wed Jul 17 10:47:58 2002 from shishi.roaringpenguin.com

As you see, it used Protocol 1 instead of Protocol 2. When I explicitly put -2 on the command line, it works as expected:

$ ssh -v -2 shevy
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /home/dfs/.ssh/config
debug1: Applying options for shevy
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to shevy.roaringpenguin.com [192.168.2.1] port 23.
debug1: Connection established.
debug1: identity file /home/dfs/.ssh/id_rsa type -1
debug1: identity file /home/dfs/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 119/256
debug1: bits set: 1598/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
...

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Jul 18 00:56:42 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 00:56:42 +1000 (EST)
Subject: [Bug 357] SSH does not handle "Protocol" option in ~/.ssh/options properly
Message-ID: <20020717145642.C0382EA4C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=357

------- Additional Comments From dfs at roaringpenguin.com 2002-07-18 00:56 -------
Sorry; my illustrated output for the second case was wrong. It should look like this:

$ ssh -v -2 shevy
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090603f
debug1: Reading configuration data /home/dfs/.ssh/config
debug1: Applying options for *
debug1: Applying options for shevy
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to shevy.roaringpenguin.com [192.168.2.1] port 23.
debug1: Connection established.
debug1: identity file /home/dfs/.ssh/id_rsa type 0
debug1: identity file /home/dfs/.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 115/256
debug1: bits set: 1559/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'shevy.roaringpenguin.com' is known and matches the RSA host key.
debug1: Found key in /home/dfs/.ssh/known_hosts:6
debug1: bits set: 1597/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /home/dfs/.ssh/id_dsa
debug1: input_userauth_pk_ok: pkalg ssh-dss blen 433 lastkey 0x80890f0 hint -1
debug1: ssh-userauth2 successful: method publickey
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: channel request 0: pty-req
debug1: channel request 0: shell
debug1: fd 3 setting TCP_NODELAY
debug1: channel 0: open confirm rwindow 0 rmax 32768
Last login: Wed Jul 17 10:54:41 2002 from shishi.roaringpenguin.com

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From kcurrie at cisco.com Thu Jul 18 02:05:15 2002
From: kcurrie at cisco.com (Kevin Currie)
Date: Wed, 17 Jul 2002 11:05:15 -0500
Subject: Solaris privsep and compression.
References:
Message-ID: <3D3595BB.9000600@cisco.com>

Thanks Tim and Ben-- I'll give it a shot today.

Tim Rice wrote:
> On Tue, 16 Jul 2002, Kevin Currie wrote:
>
>> Has anybody got privsep and compression working together on Solaris
>> 2.6 and 2.5.1? I have no problem getting it working under Solaris 8, but
>> on 2.5.1/2.6 it says:
>
> Pull a current snapshot and try it. I added support last weekend.
> Works on Solaris 7
>
>> # ./sshd -p 6666
>> This platform does not support both privilege separation and compression
>> Compression disabled
>>
>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kevin Currie      |              |   |              | SysAdmin/ECS Security
                  |           .|||.   .|||.         | email:
Cisco Systems     |    ..:|||||||:...:|||||||:..    | kcurrie at cisco.com
Austin, Texas     |-----------------------------|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From kcurrie at cisco.com Thu Jul 18 02:11:06 2002
From: kcurrie at cisco.com (Kevin Currie)
Date: Wed, 17 Jul 2002 11:11:06 -0500
Subject: Success using current snapshot was:Re: Solaris privsep and compression.
References:
Message-ID: <3D35971A.804@cisco.com>

Excellent! Using the latest snapshot, compression works on Solaris 2.6.

Tim Rice wrote:
> On Tue, 16 Jul 2002, Kevin Currie wrote:
>
>> Has anybody got privsep and compression working together on Solaris
>> 2.6 and 2.5.1? I have no problem getting it working under Solaris 8, but
>> on 2.5.1/2.6 it says:
>
> Pull a current snapshot and try it. I added support last weekend.
> Works on Solaris 7
>
>> # ./sshd -p 6666
>> This platform does not support both privilege separation and compression
>> Compression disabled
>>
>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kevin Currie      |              |   |              | SysAdmin/ECS Security
                  |           .|||.   .|||.         | email:
Cisco Systems     |    ..:|||||||:...:|||||||:..    | kcurrie at cisco.com
Austin, Texas     |-----------------------------|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From binder at arago.de Thu Jul 18 01:49:27 2002
From: binder at arago.de (Thomas Binder)
Date: Wed, 17 Jul 2002 17:49:27 +0200
Subject: [Bug 357] New: SSH does not handle "Protocol" option in ~/.ssh/options properly
In-Reply-To: <20020717145500.2C50AEA4C@shitei.mindrot.org>; from bugzilla-daemon@mindrot.org on Thu, Jul 18, 2002 at 12:55:00AM +1000
References: <20020717145500.2C50AEA4C@shitei.mindrot.org>
Message-ID: <20020717174927.A5841843@ohm.arago.de>

Hi!

On Thu, Jul 18, 2002 at 12:55:00AM +1000, bugzilla-daemon at mindrot.org wrote:
> Running OpenSSH 3.4p1 on Linux. Here's the contents of ~/.ssh/options:
>
> Host *
> UsePrivilegedPort no
> Protocol 1
>
> Host shevy
> HostName shevy.roaringpenguin.com
> User dfs
> Protocol 2
> Port 23
>
> When I do "ssh -v shevy", we see:
> [...]
> As you see, it used Protocol 1 instead of Protocol 2. When I
> explicitly put -2 on the command line, it works as expected:

You should read the documentation. From ssh_config's manpage:

-- snip --
Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.
-- snap --

Ciao

Thomas

From bugzilla-daemon at mindrot.org Thu Jul 18 01:59:26 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 01:59:26 +1000 (EST)
Subject: [Bug 357] SSH does not handle "Protocol" option in ~/.ssh/options properly
Message-ID: <20020717155926.87C96E917@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=357

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From markus at openbsd.org 2002-07-18 01:59 -------
first match counts, see the documentation.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dfs at roaringpenguin.com Thu Jul 18 02:14:22 2002
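Editor's worked example, added to this archive page and not part of the bug report, Thomas Binder's reply, or OpenSSH's own readconf code: a small Python resolver that applies the first-obtained-value rule quoted above to the reporter's configuration, so the effect of block order can be checked offline. The two config texts are constructed copies of the one in the report (second one reordered); `parse_blocks`, `host_matches` and `resolve` are this example's own names, and Host matching is a simplified fnmatch approximation of ssh's patterns.

```python
"""First-match resolution of ssh_config Host blocks (added example).

ssh keeps the FIRST value obtained for each keyword, so a "Host *" block
placed before "Host shevy" wins for every keyword both blocks set.  The
resolver below is a simplified re-implementation for illustration, not
OpenSSH's readconf.c.
"""
from fnmatch import fnmatchcase

# Constructed copy of the reporter's ~/.ssh/config from Bug 357.
REPORTED_CONFIG = """\
Host *
UsePrivilegedPort no
Protocol 1

Host shevy
HostName shevy.roaringpenguin.com
User dfs
Protocol 2
Port 23
"""

# Same blocks with the host-specific one first, as ssh_config(5) advises.
REORDERED_CONFIG = """\
Host shevy
HostName shevy.roaringpenguin.com
User dfs
Protocol 2
Port 23

Host *
UsePrivilegedPort no
Protocol 1
"""


def parse_blocks(text):
    """Split ssh_config text into (patterns, [(keyword, value), ...]) blocks.

    Keywords before the first Host line apply to every host (pattern '*').
    Blank lines and '#' comments are skipped; keywords are lower-cased
    because ssh treats them case-insensitively.
    """
    blocks = []
    patterns, options = ["*"], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" and "Keyword=value" are both accepted by ssh.
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = value.split(), []
        else:
            options.append((keyword, value))
    if options:
        blocks.append((patterns, options))
    return blocks


def host_matches(patterns, host):
    """Host matching: any pattern may match; a leading '!' negates the block."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:]):
                return False
        elif fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(text, host):
    """Effective options for `host` under first-obtained-value semantics."""
    effective = {}
    for patterns, options in parse_blocks(text):
        if not host_matches(patterns, host):
            continue
        for keyword, value in options:
            # First value wins: a later block never overrides an earlier one.
            effective.setdefault(keyword, value)
    return effective


if __name__ == "__main__":
    for label, cfg in (("reported order", REPORTED_CONFIG),
                       ("host block first", REORDERED_CONFIG)):
        opts = resolve(cfg, "shevy")
        print(f"{label:16}: Protocol {opts['protocol']}, Port {opts['port']}, "
              f"HostName {opts['hostname']}")
```

Run as a script it reports Protocol 1 for the order in the bug and Protocol 2 once the `Host shevy` block is moved ahead of `Host *`. The point for a defender is that a broad default placed first silently wins over a stricter host-specific setting, which is exactly how this connection fell back to protocol 1 despite the per-host `Protocol 2`.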
From: dfs at roaringpenguin.com (David F. Skoll)
Date: Wed, 17 Jul 2002 12:14:22 -0400 (EDT)
Subject: [Bug 357] New: SSH does not handle "Protocol" option in ~/.ssh/options properly
In-Reply-To: <20020717174927.A5841843@ohm.arago.de>
Message-ID:

Hi, Thomas.

> You should read the documentation. From ssh_config's manpage:

Doh, sorry. I was under the impression it was the exact opposite: that later values overrode earlier ones.

Sorry to have troubled you.

Regards,

David.

From Darren.Moffat at Sun.COM Thu Jul 18 02:37:03 2002
From: Darren.Moffat at Sun.COM (Darren Moffat)
Date: Wed, 17 Jul 2002 09:37:03 -0700 (PDT)
Subject: Patch: Solaris packages don't create privsep user or group
Message-ID: <200207171638.g6HGcTuP223939@jurassic.eng.sun.com>

>How can a package's checkinstall/postinstall detect that
>JSS Flash is being used?

It can't.

When you use Jumpstart Flash you install the system from packages as normal. Then run sys-unconfig and create flash archives (basically cpio bundles with extra info).

For a package to be Jumpstart Flash "safe" it shouldn't do anything to the system that isn't generic to all installs. In the case of sshd the keys identify a particular system so you really don't want them in your flash archives.

--
Darren J Moffat

From Nicolas.Williams at ubsw.com Thu Jul 18 03:22:17 2002
From: Nicolas.Williams at ubsw.com (Nicolas.Williams at ubsw.com)
Date: Wed, 17 Jul 2002 13:22:17 -0400
Subject: Patch: Solaris packages don't create privsep user or group
Message-ID: <17D3D857B26112409EA372EB0AFE39DD125F71@NSTMC005PEX1.ubsgs.ubsgroup.net>

Right. But I was wondering if the pkg could detect that it's being installed on a build intended to be a Flash Start archive image. A response file could do it I suppose...

In any case, even when doing a Flash install there is still a finish script that runs for every build, yes? If so then one can write a finish script to re-gen keys and leave existing pkgs that gen keys alone.

Cheers,

Nico
--

> -----Original Message-----
> From: Darren Moffat [mailto:Darren.Moffat at Sun.COM]
> Sent: Wednesday, July 17, 2002 12:37 PM
> To: Williams, Nicolas
> Cc: openssh-unix-dev at mindrot.org
> Subject: RE: Patch: Solaris packages don't create privsep user or group
>
> >How can a package's checkinstall/postinstall detect that
> >JSS Flash is being used?
>
> It can't.
>
> When you use Jumpstart Flash you install the system from packages
> as normal. Then run sys-unconfig and create flash archives (basically
> cpio bundles with extra info).
>
> For a package to be Jumpstart Flash "safe" it shouldn't do anything to
> the system that isn't generic to all installs. In the case of sshd
> the keys identify a particular system so you really don't want them
> in your flash archives.
>
> --
> Darren J Moffat
>

From mouring at etoh.eviladmin.org Thu Jul 18 03:35:37 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 17 Jul 2002 12:35:37 -0500 (CDT)
Subject: [Bug 357] New: SSH does not handle "Protocol" option in ~/.ssh/options properly
In-Reply-To:
Message-ID:

If this is invalid please close it.

On Wed, 17 Jul 2002, David F. Skoll wrote:

> Hi, Thomas.
>
> > You should read the documentation. From ssh_config's manpage:
>
> Doh, sorry. I was under the impression it was the exact opposite:
> That later values overrode earlier ones.
>
> Sorry to have troubled you.
>
> Regards,
>
> David.
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From kschinck at ems.jsc.nasa.gov Thu Jul 18 04:47:59 2002
From: kschinck at ems.jsc.nasa.gov (Schincke, Keith)
Date: Wed, 17 Jul 2002 13:47:59 -0500
Subject: Problem with OSF1 and Openssh > 3.1p1 and XForwarding
Message-ID: <1408A865DCF403478A33EE887F874732042C9CF9@jsc-mail03.jsc.nasa.gov>

OS: Tru64 5.1
OpenSSH version: 3.2.2p1 and higher.
Problem: after upgrading sshd my servers no longer forward X11 connections.

I ran the server as 'sshd -d' and saw that the server was successfully creating and binding the IPv6 socket but failing to bind the IPv4 socket. The error message is:

Bind to port 22 on 0.0.0.0 failed: Address already in use.

Also, when channels.c tries to open the forwarded X11 port (6010 -> 7000) the same error is reported. OpenSSH 3.1p1 opens an IPv4 socket only and of course succeeds on the X11 forwarding.

Any ideas, corrections and suggestions will be gratefully received.

Keith

From kcurrie at cisco.com Thu Jul 18 05:04:05 2002
From: kcurrie at cisco.com (Kevin Currie)
Date: Wed, 17 Jul 2002 14:04:05 -0500
Subject: 3.4p1 ssh-agent auth-retry patch available: was: Re: Updated ssh-agent authentication retry patch available
References: <20020531232300.GB97603@lizzy.catnook.com>
Message-ID: <3D35BFA5.9060608@cisco.com>

I see Jos has updated his patch to work against 3.4p1, and I've applied it with success. From my standpoint, this patch is absolutely REQUIRED and ssh's utility is greatly reduced without it. It's simply impossible to run 30+ ssh-agent authenticated sessions at once without this patch-- you get WAY too many failures.

I am 100% behind this being included in the main distribution; is there anybody who isn't?? For those that don't think this should be included, how do you propose to handle a large number of concurrent authentications?

Comments welcome!

Jos Backus wrote:
> This patch against OpenSSH 3.2.3p1 implements an ssh-agent authentication
> retry mechanism which is useful when starting many ssh clients in a short
> period of time. The number of retries and the maximum delay between retries are
> runtime-configurable using
>
> AuthMaxRetries
> AuthRetryDelay
>
> The patch is available at:
>
> http://www.catnook.com/patches/openssh-3.2.3p1-auth-retry.patch
>
> While I have no hopes of this being merged into the main OpenSSH distribution,
> perhaps other people may find it useful. Comments welcome.
>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Kevin Currie      |              |   |              | SysAdmin/ECS Security
                  |           .|||.   .|||.         | email:
Cisco Systems     |    ..:|||||||:...:|||||||:..    | kcurrie(at)cisco.com
Austin, Texas     |-----------------------------|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From tim at mcgarry.ch Thu Jul 18 06:10:39 2002
From: tim at mcgarry.ch (Tim McGarry)
Date: Wed, 17 Jul 2002 22:10:39 +0200
Subject: Patch: Solaris packages don't create privsep user or group
References: <17D3D857B26112409EA372EB0AFE39DD125F71@NSTMC005PEX1.ubsgs.ubsgroup.net>
Message-ID: <000a01c22dce$06175320$c902a8c0@cablecom.ch>

Or another possibility would be to do absolutely nothing on the pkgadd other than add the core files, and handle key generation and checking/creating users when necessary in the rc script that starts sshd on the next boot.

Tim

----- Original Message -----
From:
To:
Cc:
Sent: Wednesday, July 17, 2002 7:22 PM
Subject: RE: Patch: Solaris packages don't create privsep user or group

>
> Right. But I was wondering if the pkg could detect that it's
> being installed on a build intended to be a Flash Start
> archive image. A response file could do it I suppose...
>
> In any case, even when doing a Flash install there is still a
> finish script that runs for every build, yes? If so then one
> can write a finish script to re-gen keys and leave existing
> pkgs that gen keys alone.
>
> Cheers,
>
> Nico
> --
>
> > -----Original Message-----
> > From: Darren Moffat [mailto:Darren.Moffat at Sun.COM]
> > Sent: Wednesday, July 17, 2002 12:37 PM
> > To: Williams, Nicolas
> > Cc: openssh-unix-dev at mindrot.org
> > Subject: RE: Patch: Solaris packages don't create privsep
> > user or group
> >
> >
> > >How can a package's checkinstall/postinstall detect that
> > >JSS Flash is being used?
> >
> > It can't.
> >
> > When you use Jumpstart Flash you install the system from packages
> > as normal. Then run sys-unconfig and create flash archives (basically
> > cpio bundles with extra info).
> >
> > For a package to be Jumpstart Flash "safe" it shouldn't do anything to
> > the system that isn't generic to all installs. In the case of sshd
> > the keys identify a particular system so you really don't want them
> > in your flash archives.
> >
> > --
> > Darren J Moffat
> >
> >
> > _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From mouring at etoh.eviladmin.org Thu Jul 18 06:04:07 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 17 Jul 2002 15:04:07 -0500 (CDT)
Subject: Testing Call
Message-ID:

Ok.. I'm starting official testing calls early this release. I'd like to have more feedback and more time for handling fixes.

If people could test snapshots (http://www.openssh.org/portable.html, pick your favorite mirror and select the snapshots directory) and report failures it would be useful.

For those with pmake installed there is regress/ which you can try out. It may help with any platform issues. I know some platforms will outright fail (AIX). Hopefully post 3.5 we can look at supplying GNU make files.

For those that build packages for yourself/others from the contrib/ section, also let us know what needs to be updated. With the changes to the Solaris/SysV package, I think it needs to be retested on non-Solaris platforms (Tim, do you still have Daz's last patch to buildpkg.sh so you could test under SCO, or should I just commit it and we can play cvs tag?).

Known issues:

1. Tru64 (OSF/1) w/ SIA is still broken under privsep. (For partial privsep support change config.h
   /* #undef DISABLE_FD_PASSING */
   to
   #define DISABLE_FD_PASSING 1
   ) If we can't come up with a solution by the 3.5 release then I'll just set DISABLE_FD_PASSING for the 3.5 release. The issue is how the SIA sessioning is getting horked. And without someone giving me a Tru64 box or access (w/ root) for a few days it is pretty much never going to be fixed. Ya, I know.=) I hate touching other people's servers and even worse having root on them.

2. AIX (some version) stalls on large data output. The current CVS patch is wrong and will be pulled unless an agreement can be made.

3. Any platform lacking mmap() will not have compression (Sorry folks, this is not an issue really.. This is a fact of life.) Those platforms lacking a usable MAP_ANON should test the release. It should fall back to /dev/zero mmap() then back to sparse files.

   NOTE: The fall back is at runtime, so if one could (gawd) compile and run OpenSSH on multiple kernel releases it should do the right thing.

4. NeXTStep is more than likely broken. I'm pretty sure.=) It lies about having a mmap(). I'll look into it once I get my NeXT box back on the network unless someone can fire off a simple patch to solve it.

5. PAM changes have not been merged. So password changing is still disabled.

I'm looking mostly for privsep issues. If you have a platform that has an issue with privsep and you are part of the main portable tree (uwin and cray are excluded at this moment) it needs to be discussed or you'll be suffering for another 4+ months.

Side notes:

uwin - Are you going to resend a patch against -current for review?

cray - This weekend or next week. =) I've promised this forever. Let me know what non-intrusive syncs we can do to lessen your tracking.

Lastly, I'd like to thank all of you for bearing with us during the last few months. I'm sure it was as frustrating for you as it is for us.=)

Let me state something right now.. *NO NEW FEATURES* 3.5 is a patch release to stabilize every platform. Don't suggest, don't push, don't even THINK about thinking about suggesting new features. I'm serious. You will be ignored.

- Ben

From bugzilla-daemon at mindrot.org Thu Jul 18 06:25:12 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 06:25:12 +1000 (EST)
Subject: [Bug 308] openssh 3.4 won't install or run on Solaris 8, on an Ultra 10 Sparc station
Message-ID: <20020717202512.E5AEFE9B2@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=308

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From mouring at eviladmin.org 2002-07-18 06:25 -------
README.privsep covers this.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From zbyszek at bci.waw.pl Thu Jul 18 06:34:09 2002
From: zbyszek at bci.waw.pl (zbyszekk)
Date: Wed, 17 Jul 2002 22:34:09 +0200
Subject: new functionality possible?
Message-ID: <02c901c22dd1$528fdd50$0202a8c0@BCI2>

I am only a user of OpenBSD, not a programmer :(
I wonder if such an idea is feasible: to combine the easy-to-use "mount" command for NFS with the functionality of OpenSSH, to eliminate the need to use NFS. I would imagine a "mount" command with the option -s to invoke e.g. a "mount_snfs" command which would use the ssh, scp and sftp protocols to open and mount a remote directory in the local directory tree securely. (I know the combination of NFS over ssh; it's not that.)
Just a question.

From bugzilla-daemon at mindrot.org Thu Jul 18 06:45:52 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 06:45:52 +1000 (EST)
Subject: [Bug 220] sshd fails to read other users authorized_keys over nfs as root
Message-ID: <20020717204552.16A51E9B2@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=220

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From mouring at eviladmin.org 2002-07-18 06:45 -------
Ok.. I'll mark this as resolved since IBM agreed it was a bug. I've looked over our realpath() and it should be fine (only minor modifications) for all cases. I could be convinced into having a ./configure --use-our-realpath or something like that, and have it documented to discuss nfs and realpath(). I'm not inclined to always use it.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From mouring at etoh.eviladmin.org Thu Jul 18 06:38:18 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 17 Jul 2002 15:38:18 -0500 (CDT)
Subject: new functionality possible?
In-Reply-To: <02c901c22dd1$528fdd50$0202a8c0@BCI2>
Message-ID:

http://sourceforge.net/projects/lufs

It is a userspace filesystem that, as one of its subprojects, allows mounting sftp servers as filesystems. Not sure if it works under OpenBSD. But I really don't think OpenSSH has any business in kernel space.

- Ben

On Wed, 17 Jul 2002, zbyszekk wrote:

> I am only a user of OpenBSD, not a programmer :(
> I wonder if such an idea is feasible: to combine the easy-to-use
> "mount" command regarding nfs with the functionality of
> OpenSSH to eliminate the need to use nfs.
> I would imagine a "mount" command with the option -s
> to invoke eg. a "mount_snfs" command which would use the
> ssh, scp, sftp protocols to open and mount a remote
> directory in the local directory tree securely.
> (I know the combination of nfs over ssh, it's not that)
> Just a question.
>
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From bugzilla-daemon at mindrot.org Thu Jul 18 07:04:19 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 07:04:19 +1000 (EST)
Subject: [Bug 259] UsePrivilegeSeparation crashed sshd under Linux 2.2
Message-ID: <20020717210419.4FE4DE9C8@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=259

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From mouring at eviladmin.org 2002-07-18 07:04 -------
Fixed in CVS tree.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Thu Jul 18 07:09:00 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 18 Jul 2002 07:09:00 +1000 (EST) Subject: [Bug 29] ssh with publickey authentication to AIX system fails with NFS mounted home directory Message-ID: <20020717210900.7AEF9E9C4@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=29 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From mouring at eviladmin.org 2002-07-18 07:08 ------- *** This bug has been marked as a duplicate of 220 *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu Jul 18 07:09:11 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 18 Jul 2002 07:09:11 +1000 (EST) Subject: [Bug 220] sshd fails to read other users authorized_keys over nfs as root Message-ID: <20020717210911.E9E65E9C8@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=220 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kdeen at msi.umn.edu ------- Additional Comments From mouring at eviladmin.org 2002-07-18 07:09 ------- *** Bug 29 has been marked as a duplicate of this bug. *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu Jul 18 07:10:44 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 18 Jul 2002 07:10:44 +1000 (EST) Subject: [Bug 237] Key authentication failed with SSH 2 / Path wrong Message-ID: <20020717211044.E66B6E9C8@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=237 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From mouring at eviladmin.org 2002-07-18 07:10 ------- *** This bug has been marked as a duplicate of 220 *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu Jul 18 07:10:59 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 18 Jul 2002 07:10:59 +1000 (EST) Subject: [Bug 220] sshd fails to read other users authorized_keys over nfs as root Message-ID: <20020717211059.5880CE9C6@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=220 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |s_guegan at voila.fr ------- Additional Comments From mouring at eviladmin.org 2002-07-18 07:10 ------- *** Bug 237 has been marked as a duplicate of this bug. *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu Jul 18 07:13:15 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 07:13:15 +1000 (EST)
Subject: [Bug 220] sshd fails to read other users authorized_keys over nfs as root
Message-ID: <20020717211315.192FCE9C9@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=220

mouring at eviladmin.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         OS/Version|All                         |Solaris
         Resolution|FIXED                       |

------- Additional Comments From mouring at eviladmin.org 2002-07-18 07:12 -------
I'll re-open this since it is a Solaris issue. This should be broached with Sun to see if there is a patch level that solves this.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From Jason.Lacoss-Arnold at AGEDWARDS.com Thu Jul 18 07:13:34 2002
From: Jason.Lacoss-Arnold at AGEDWARDS.com (Lacoss-Arnold, Jason)
Date: Wed, 17 Jul 2002 16:13:34 -0500
Subject: Testing Call
Message-ID: <6808DCE827EBD5119DFB0002A58EF4DA03240437@hqempn06.agedwards.com>

I hope to have time to test, but I have a quick question: I caught the message that PAM is working for some transactions, but the last patch I saw said that it still doesn't work for password changes. Did I miss a patch, or is that still broken? We've got to choose a new version to deploy enterprise-wide within the next week or two and I've got to decide if we want to wait for 3.5 or go with 3.2 which IIRC was the last version with a functional PAM. Will it work if privsep is disabled and the relevant sections of code uncommented?

Thanks in advance,
--Jason

-----Original Message-----
From: Ben Lindstrom [mailto:mouring at etoh.eviladmin.org]
Sent: Wednesday, July 17, 2002 3:04 PM
To: OpenSSH Development
Subject: Testing Call

Ok.. I'm starting official testing calls early this release. I'd like to have more feedback and more time for handling fixes.

If people could test snapshots (http://www.openssh.org/portable.html, pick your favorite mirror and select snapshots directory) and report failures it would be useful.

For those with pmake install there is regress/ which you can try out. It may help any platform issues. I know some platforms will outright fail (AIX). Hopefully post 3.5 we can look at supplying gnu make files.

For those that build packages for yourself/others from the contrib/ section also let us know what needs to be updated. With the changes to the Solaris/Sysv package I think it needs to be retested on non-solaris platforms (Tim, do you still have Daz's last patch to buildpkg.sh so you could test under SCO or should I just commit it and we can play cvs tag?).

Known issues:

1. Tru64 (OSF/1) w/ SIA still is broken under Privsep. (For partial privsep support change config.h /* #undef DISABLE_FD_PASSING */ to #define DISABLE_FD_PASSING 1) If we can't come up with a solution by 3.5 release then I'll just set DISABLE_FD_PASSING for the 3.5 release. The issue is how the SIA sessioning is getting horked. And without someone giving me a tru64 box or access (w/ root) for a few days it is pretty much never going to be fixed. Ya, I know.=) I hate touching other people's servers and even worse having root on them.

2. AIX (some version) stall on large data output. Current CVS patch is wrong and will be pulled unless an agreement can be made.

3. Any platform lacking mmap() will not have compression (Sorry folks, this is not an issue really..This is a fact of life.) Those platforms lacking a usable MAP_ANON should test the release. It should fall back to /dev/zero mmap() then back to sparse files.
NOTE: The fall back is runtime so if one could (gawd) compile and run OpenSSH on multiple kernel releases it should do the right thing.

4. NeXTStep is more than likely borken. I'm pretty sure.=) It lies about having a mmap(). I'll look into it once I get my NeXT box back on the network unless someone can fire off a simple patch to solve it.

5. PAM changes have not been merged. So password changing is still disabled.

I'm looking mostly for privsep issues. If you have a platform that has an issue with privsep and you are part of the main portable tree (uwin and cray are excluded at this moment) it needs to be discussed or you'll be suffering for another 4+ months.

Side notes:

uwin - You going to resend a patch against -current for review?

cray - This weekend or next week. =) I've promised this forever. Let me know what non-intrusive syncs we can do to lessen your tracking.

Lastly, I'd like to thank all of you for bearing with us during the last few months. I'm sure it was as frustrating for you as it is for us.=)

Let me state something right now.. *NO NEW FEATURES* 3.5 is a patch release to stabilize every platform. Don't suggest, don't push, don't even THINK about thinking about suggesting new features. I'm serious. You will be ignored.

- Ben

_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020717/5be8e351/attachment.html From bugzilla-daemon at mindrot.org Thu Jul 18 07:17:06 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 18 Jul 2002 07:17:06 +1000 (EST) Subject: [Bug 298] sshd fails to set user context, preventing all logins, also setgroups is failing Message-ID: <20020717211706.12F8AE9DC@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=298 ------- Additional Comments From mouring at eviladmin.org 2002-07-18 07:16 ------- Can you retest with either 3.4 or the -cvs? Close it if it is fixed otherwise provide more information. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu Jul 18 07:20:42 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 18 Jul 2002 07:20:42 +1000 (EST) Subject: [Bug 356] 3.4p1 hostbased authentication between Linux and Solaris Message-ID: <20020717212042.E0278E9E1@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=356 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From mouring at eviladmin.org 2002-07-18 07:20 ------- Test the -cvs or snapshots. This should be fixed. Reopen if not. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu Jul 18 07:27:52 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 18 Jul 2002 07:27:52 +1000 (EST) Subject: [Bug 346] ssh fails with -C flag when connecting to a compression disabled server Message-ID: <20020717212752.3BE72E9FF@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=346 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From mouring at eviladmin.org 2002-07-18 07:27 ------- -C fails more gracefully in -cvs ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu Jul 18 07:34:21 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 18 Jul 2002 07:34:21 +1000 (EST) Subject: [Bug 319] Privilege Separation failing on OSF1 v5.1 Message-ID: <20020717213421.8CCBFE9CD@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=319 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From mouring at eviladmin.org 2002-07-18 07:34 ------- *** This bug has been marked as a duplicate of 296 *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu Jul 18 07:34:31 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 18 Jul 2002 07:34:31 +1000 (EST) Subject: [Bug 296] Priv separation does not work on OSF/1 Message-ID: <20020717213431.CB57BE9FC@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=296 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |wadelljs at bp.com ------- Additional Comments From mouring at eviladmin.org 2002-07-18 07:34 ------- *** Bug 319 has been marked as a duplicate of this bug. *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Thu Jul 18 07:53:42 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Thu, 18 Jul 2002 07:53:42 +1000 (EST) Subject: [Bug 41] Static compilation Message-ID: <20020717215342.8CD0DE9CD@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=41 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From mouring at eviladmin.org 2002-07-18 07:53 ------- I believe this was fixed in 3.4, but I know it is fixed in -cvs. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From jos at catnook.com Thu Jul 18 08:26:47 2002 
From: jos at catnook.com (Jos Backus)
Date: Wed, 17 Jul 2002 15:25:47 -0701
Subject: 3.4p1 ssh-agent auth-retry patch available: was: Re: Updated ssh-agent authentication retry patch available
In-Reply-To: <3D35BFA5.9060608@cisco.com>
References: <20020531232300.GB97603@lizzy.catnook.com> <3D35BFA5.9060608@cisco.com>
Message-ID: <20020717222609.GD22496@lizzy.catnook.com>

I'm happy to hear people find this useful (it's indispensable here at work) and would be interested in hearing about any problems. The updated patch can be downloaded from

http://www.catnook.com/patches/openssh-3.4p1-auth-retry.patch

Cheers,
Jos

On Wed, Jul 17, 2002 at 02:04:05PM -0500, Kevin Currie wrote:
> I see Jos has updated his patch to work against 3.4p1, and I've applied
> it with success. From my standpoint, this patch is absolutely REQUIRED and
> ssh's utility is greatly reduced without it. It's simply impossible to run
> 30+ ssh-agent authenticated sessions at once without this patch-- you get
> WAY too many failures. I am 100% behind this being included in the main
> distribution, is there anybody who isn't?? For those that don't think this
> should be included, how do you propose to handle a large amount of
> concurrent authentications?
>
> comments welcome!

--
Jos Backus
Santa Clara, CA
jos at catnook.com
require 'std/disclaimer'

From archie at packetdesign.com Thu Jul 18 09:18:32 2002
From: archie at packetdesign.com (Archie Cobbs) Date: Wed, 17 Jul 2002 16:18:32 -0700 Subject: [Patch] SSH through HTTP proxy using CONNECT Message-ID: <3D35FB48.1D126F1@packetdesign.com> Hi, I'm not a subscriber to this list so please CC: me in any replies. I found myself in a situation where I was behind a corporate firewall that allowed only web requests to the outside world (and furthermore those requests had to be via their proxy server). Therefore, I couldn't SSH to the outside world. However, the HTTP proxy 'CONNECT' method, which is normally used to support SSL requests, can be used to do this. This worked great for me. Attached is a patch to SSH version 2.9 (comes with FreeBSD 4.5-REL) to implement 'ProxyServer' and 'ProxyPort' options, also specifiable on the command line using '-r'. E.g.: ssh -r 10.12.114.3:8080 foobar at some.server.com Then ssh will go through the HTTP proxy at 10.12.114.3 8080 and tell it to 'CONNECT' to 'some.server.com:22'. I found it useful so perhaps others would too. Please let me know whether or not you decide to include it in the standard SSH. Thanks, -Archie __________________________________________________________________________ Archie Cobbs * Packet Design * http://www.packetdesign.com -------------- next part -------------- diff -ur -x CVS /usr/src/crypto/openssh/readconf.c src/readconf.c --- /usr/src/crypto/openssh/readconf.c Thu Sep 27 18:33:34 2001 +++ src/readconf.c Wed Jul 17 16:14:44 2002 @@ -108,6 +108,7 @@ #endif oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, oUser, oHost, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, + oProxyServer, oProxyPort, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, oCompressionLevel, oKeepAlives, oNumberOfPasswordPrompts, 
@@ -158,6 +159,8 @@ { "hostname", oHostName }, { "hostkeyalias", oHostKeyAlias }, { "proxycommand", oProxyCommand }, + { "proxyserver", oProxyServer }, + { "proxyport", oProxyPort }, { "port", oPort }, { "cipher", oCipher }, { "ciphers", oCiphers }, @@ -484,6 +487,14 @@ xfree(string); return 0; + case oProxyServer: + charptr = &options->proxy_server; + goto parse_string; + + case oProxyPort: + intptr = &options->proxy_port; + goto parse_int; + case oPort: intptr = &options->port; parse_int: @@ -765,6 +776,8 @@ options->hostname = NULL; options->host_key_alias = NULL; options->proxy_command = NULL; + options->proxy_server = NULL; + options->proxy_port = -1; options->user = NULL; options->escape_char = -1; options->system_hostfile = NULL; @@ -894,6 +907,7 @@ if (options->log_level == (LogLevel) - 1) options->log_level = SYSLOG_LEVEL_INFO; /* options->proxy_command should not be set by default */ + /* options->proxy_server should not be set by default */ /* options->user will be set in the main program if appropriate */ /* options->hostname will be set in the main program if appropriate */ /* options->host_key_alias should not be set by default */ diff -ur -x CVS /usr/src/crypto/openssh/readconf.h src/readconf.h --- /usr/src/crypto/openssh/readconf.h Thu Sep 27 18:33:34 2001 +++ src/readconf.h Wed Jul 17 16:14:44 2002 @@ -83,6 +83,8 @@ char *hostname; /* Real host to connect. */ char *host_key_alias; /* hostname alias for .ssh/known_hosts */ char *proxy_command; /* Proxy command for connecting the host. */ + char *proxy_server; /* HTTP proxy server to relay through. */ + int proxy_port; /* HTTP proxy server port. */ char *user; /* User to log in as. */ int escape_char; /* Escape character; -2 = none */ diff -ur -x CVS /usr/src/crypto/openssh/ssh.c src/ssh.c --- /usr/src/crypto/openssh/ssh.c Thu Sep 27 18:33:35 2001 +++ src/ssh.c Wed Jul 17 16:14:44 2002 
@@ -175,6 +175,7 @@ fprintf(stderr, " -R listen-port:host:port Forward remote port to local address\n"); fprintf(stderr, " These cause %s to listen for connections on a port, and\n", __progname); fprintf(stderr, " forward them to the other side by connecting to host:port.\n"); + fprintf(stderr, " -r host:prt Connect using specified HTTP proxy.\n"); fprintf(stderr, " -C Enable compression.\n"); fprintf(stderr, " -N Do not execute a shell or command.\n"); fprintf(stderr, " -g Allow remote hosts to connect to forwarded ports.\n"); @@ -309,7 +310,7 @@ opt = av[optind][1]; if (!opt) usage(); - if (strchr("eilcmpLRDo", opt)) { /* options with arguments */ + if (strchr("eilcmpLRDor", opt)) { /* options with arguments */ optarg = av[optind] + 2; if (strcmp(optarg, "") == 0) { if (optind >= ac - 1) @@ -481,6 +482,15 @@ /* NOTREACHED */ } add_local_forward(&options, fwd_port, buf, fwd_host_port); + break; + case 'r': + if (sscanf(optarg, "%255[^:]:%u", buf, + &options.proxy_port) != 2) { + fprintf(stderr, "Bad HTTP proxy '%s'.\n", optarg); + usage(); + /* NOTREACHED */ + } + options.proxy_server = xstrdup(buf); break; case 'D': diff -ur -x CVS /usr/src/crypto/openssh/sshconnect.c src/sshconnect.c --- /usr/src/crypto/openssh/sshconnect.c Thu Sep 27 18:33:35 2001 +++ src/sshconnect.c Wed Jul 17 16:14:44 2002 @@ -198,7 +198,9 @@ int gaierr; int on = 1; int sock = -1, attempt; + int connect_port; char ntop[NI_MAXHOST], strport[NI_MAXSERV]; + const char *connect_host; struct addrinfo hints, *ai, *aitop; struct linger linger; struct servent *sp; 
@@ -218,14 +220,21 @@ if (proxy_command != NULL) return ssh_proxy_connect(host, port, pw, proxy_command); - /* No proxy command. */ + /* If an HTTP proxy is given, connect to it first. */ + if (options.proxy_server != NULL) { + connect_host = options.proxy_server; + connect_port = options.proxy_port; + } else { + connect_host = host; + connect_port = port; + } memset(&hints, 0, sizeof(hints)); hints.ai_family = IPv4or6; hints.ai_socktype = SOCK_STREAM; - snprintf(strport, sizeof strport, "%d", port); - if ((gaierr = getaddrinfo(host, strport, &hints, &aitop)) != 0) - fatal("%s: %.100s: %s", __progname, host, + snprintf(strport, sizeof strport, "%d", connect_port); + if ((gaierr = getaddrinfo(connect_host, strport, &hints, &aitop)) != 0) + fatal("%s: %.100s: %s", __progname, connect_host, gai_strerror(gaierr)); /* @@ -293,6 +302,29 @@ /* Return failure if we didn't get a successful connection. */ if (attempt >= connection_attempts) return 0; + + /* Connect through HTTP proxy. */ + if (options.proxy_server != NULL) { + char buf[512]; + int state; + char byte; + + debug("Sending proxy CONNECT."); + + snprintf(buf, sizeof(buf), "CONNECT %s:%d HTTP/1.0\r\n\r\n", + host, port); + write(sock, buf, strlen(buf)); + for (state = 0; state < 4; ) { + if (read(sock, &byte, 1) != 1) + return 0; + if (byte == ((state & 1) ? '\n' : '\r')) + state++; + else + state = 0; + } + + debug("Read proxy response."); + } debug("Connection established."); From kevin at atomicgears.com Thu Jul 18 10:01:32 2002 
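Review bot: in the ssh.c `case 'r':` hunk, `sscanf(optarg, "%255[^:]:%u", buf, &options.proxy_port)` stores a `%u` conversion into `proxy_port`, which the readconf.h hunk declares as `int`; use `%d` (or strtol) and reject values outside 1..65535 and any trailing garbage before accepting the option, since the value is later formatted with `%d` into `strport`. The usage line added in the same file reads `-r host:prt`, which should be `host:port`.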
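Review bot: the readconf.c hunks initialise `proxy_port` to -1 and `fill_default_options` only gains a comment, so a config file that sets `ProxyServer` without `ProxyPort` reaches sshconnect.c with `connect_port == -1`; getaddrinfo is then called with the service string "-1" and the user sees a resolver error instead of a message naming the missing option. Add a check in fill_default_options (fatal, or a documented default) for `proxy_server != NULL && proxy_port == -1`.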
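Review bot: in the sshconnect.c hunk that sends `CONNECT %s:%d HTTP/1.0`, the reply is only consumed up to the first `\r\n\r\n` and the status line is never inspected, so a 403, 407 or 5xx answer with headers satisfies the loop and ssh carries on with `debug("Connection established.")` over a socket that is not tunnelled; read the first line, require `HTTP/1.[01] 2xx`, and report the status text on failure. Two smaller points in the same hunk: the return value of `write(sock, buf, strlen(buf))` is ignored (a short write or EINTR sends a truncated request), and on a mismatched byte the scanner sets `state = 0` even when that byte is a `\r`, in which case it should restart at 1.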
From: kevin at atomicgears.com (Kevin Steves)
Date: Wed, 17 Jul 2002 17:01:32 -0700
Subject: [Patch] SSH through HTTP proxy using CONNECT
In-Reply-To: <3D35FB48.1D126F1@packetdesign.com>
References: <3D35FB48.1D126F1@packetdesign.com>
Message-ID: <20020718000132.GB4326@scott.crlsca.adelphia.net>

On Wed, Jul 17, 2002 at 04:18:32PM -0700, Archie Cobbs wrote:
> Then ssh will go through the HTTP proxy at 10.12.114.3 8080
> and tell it to 'CONNECT' to 'some.server.com:22'.
>
> I found it useful so perhaps others would too. Please let me know
> whether or not you decide to include it in the standard SSH.

This is best done via a ProxyCommand helper. I use a perl script written by Urban Kaveus. Sun ships SSH with a C helper program.

From dtucker at zip.com.au Thu Jul 18 10:02:49 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 18 Jul 2002 10:02:49 +1000
Subject: [Patch] SSH through HTTP proxy using CONNECT
References: <3D35FB48.1D126F1@packetdesign.com>
Message-ID: <3D3605A9.911483B0@zip.com.au>

Archie Cobbs wrote:
> Attached is a patch to SSH version 2.9 (comes with FreeBSD 4.5-REL)
> to implement 'ProxyServer' and 'ProxyPort' options, also specifiable
> on the command line using '-r'.

You can do this without modifying the code by using the appropriate ProxyCommand, eg:
http://www.taiyo.co.jp/~gotoh/ssh/connect.html

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From kevin at atomicgears.com Thu Jul 18 10:32:29 2002
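A ProxyCommand helper of the kind Kevin and Darren suggest, written here as an added example (it is neither Archie's patch nor the perl or connect.c helpers they mention): it sends the same CONNECT request line the patch does, but checks the proxy's status line and bounds the reply before handing the socket to ssh. The script name proxy_connect.py and the host names in the usage note are assumed.

```python
# ssh ProxyCommand helper: tunnel the connection through an HTTP proxy
# with CONNECT, validating the proxy's answer instead of only scanning for
# the blank line as the patch on this thread does.
import os
import re
import select
import socket
import sys

# Status line of the proxy reply, e.g. "HTTP/1.0 200 Connection established".
STATUS_RE = re.compile(rb"^HTTP/1\.[01] (\d{3})(?: (.*))?$")
MAX_HEADER = 64 * 1024  # refuse to buffer an unbounded reply


def build_connect_request(host, port):
    """Request exactly as the patch sends it (HTTP/1.0, no extra headers)."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return b"CONNECT %s:%d HTTP/1.0\r\n\r\n" % (host.encode("idna"), port)


def parse_connect_response(data):
    """Return None while the header block is incomplete, otherwise
    (status_code, reason, header_end). CRLF and bare LF are both accepted;
    a malformed status line raises ValueError."""
    end = re.search(rb"\r?\n\r?\n", data)
    if end is None:
        return None
    first_line = data[:end.start()].split(b"\n", 1)[0].rstrip(b"\r")
    m = STATUS_RE.match(first_line)
    if m is None:
        raise ValueError("malformed proxy status line: %r" % first_line)
    return int(m.group(1)), m.group(2) or b"", end.end()


def connect_via_proxy(proxy_host, proxy_port, host, port, timeout=30.0):
    """Open the tunnel; return (socket, bytes received after the headers).
    A non-2xx status (403, 407, ...) is reported, not treated as success."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout)
    try:
        sock.sendall(build_connect_request(host, port))
        buf = b""
        while True:
            parsed = parse_connect_response(buf)
            if parsed is not None:
                break
            if len(buf) > MAX_HEADER:
                raise IOError("proxy reply headers exceed %d bytes" % MAX_HEADER)
            chunk = sock.recv(4096)
            if not chunk:
                raise IOError("proxy closed the connection during CONNECT")
            buf += chunk
        code, reason, header_end = parsed
        if not 200 <= code < 300:
            raise IOError("proxy refused CONNECT: %d %s"
                          % (code, reason.decode("ascii", "replace")))
    except Exception:
        sock.close()
        raise
    sock.settimeout(None)
    # Anything after the blank line already belongs to the SSH stream.
    return sock, buf[header_end:]


def write_all(fd, data):
    while data:
        data = data[os.write(fd, data):]


def relay(sock, leftover):
    """Copy bytes between ssh (our stdin/stdout) and the tunnelled socket."""
    write_all(1, leftover)
    inputs = [0, sock]
    while True:
        ready, _, _ = select.select(inputs, [], [])
        if 0 in ready:
            data = os.read(0, 65536)
            if data:
                sock.sendall(data)
            else:  # ssh closed its side: half-close towards the server
                sock.shutdown(socket.SHUT_WR)
                inputs.remove(0)
        if sock in ready:
            data = sock.recv(65536)
            if not data:
                return
            write_all(1, data)


def main(argv):
    if len(argv) != 4 or ":" not in argv[1]:
        sys.stderr.write("usage: proxy_connect.py PROXYHOST:PORT HOST PORT\n")
        return 2
    proxy_host, _, proxy_port = argv[1].rpartition(":")
    try:
        sock, leftover = connect_via_proxy(proxy_host, int(proxy_port),
                                           argv[2], int(argv[3]))
    except (OSError, ValueError) as exc:
        sys.stderr.write("proxy_connect: %s\n" % exc)
        return 1
    relay(sock, leftover)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In ~/.ssh/config this is wired up as `ProxyCommand python3 proxy_connect.py proxy.example.org:8080 %h %p` (assumed proxy name), so ssh itself needs no code change.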
From: kevin at atomicgears.com (Kevin Steves)
Date: Wed, 17 Jul 2002 17:32:29 -0700
Subject: HP-UX PAM with Trusted System patch
In-Reply-To: <014201c22d2e$28884540$9b78a8c0@oedserver>
References: <014201c22d2e$28884540$9b78a8c0@oedserver>
Message-ID: <20020718003229.GE4326@scott.crlsca.adelphia.net>

On Tue, Jul 16, 2002 at 06:05:48PM -0700, Darren Cole wrote:
> The patch looks reasonable, but I don't believe Trusted HP-UX has pam or at
> least we don't have it on our machines. I even asked around the office and
> no one thinks we have pam on 10.26. Are we mistaken or missing a patch? Or
> are you talking about some version other than Trusted HP-UX 10.26?
> Later versions of HP-UX may have pam (I think 11i does), but I don't know of
> any later version of Trusted HP-UX than 10.26.

Base HP-UX (10.20, 11.0, 11.11) supports a configuration known as "trusted system", previously also called "commercial security". There are also other HP-UX CMW and "trusted OS" versions (I don't keep track of those). And there is some similarity in some of the protected password database stuff (/tcb), which has a Secureware heritage.

PAM was available starting with HP-UX 10.X, but it was only supported for use by CDE. 11.X should fully support PAM (with some hand-waving in terms of what that might really mean--for example there is no 64-bit libpam).

From dtucker at zip.com.au Thu Jul 18 10:53:02 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 18 Jul 2002 10:53:02 +1000
Subject: Testing Call
References:
Message-ID: <3D36116E.7CA41838@zip.com.au>

Ben Lindstrom wrote:
> For those that build packages for yourself/others from the contrib/
> section also let us know what needs to be updated.

This patch to buildbff.sh fixes the following problems reported by Val Baranov:
* doesn't work when run from contrib/aix
* doesn't clean up package build directory

The patch has been up for a while. I had originally intended adding optional SRC support before submitting but haven't had time to do so.

http://www.zip.com.au/~dtucker/openssh/openssh-3.4p1-aixbff.patch

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From mouring at etoh.eviladmin.org Thu Jul 18 10:51:38 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 17 Jul 2002 19:51:38 -0500 (CDT)
Subject: Testing Call
In-Reply-To: <3D36116E.7CA41838@zip.com.au>
Message-ID:

Applied.

On Thu, 18 Jul 2002, Darren Tucker wrote:

> Ben Lindstrom wrote:
> > For those that build packages for yourself/others from the contrib/
> > section also let us know what needs to be updated.
>
> This patch to buildbff.sh fixes the following problems reported by Val
> Baranov:
> * doesn't work when run from contrib/aix
> * doesn't clean up package build directory
>
> The patch has been up for a while. I had originally intended adding
> optional SRC support before submitting but haven't had time to do so.
>
> http://www.zip.com.au/~dtucker/openssh/openssh-3.4p1-aixbff.patch
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>

From elessar at numenor.org Thu Jul 18 11:19:05 2002
From: elessar at numenor.org (Kenneth Lareau)
Date: Wed, 17 Jul 2002 18:19:05 -0700
Subject: 'buildpkg.sh' for OpenSSH - non-interactive install?
Message-ID: <200207180119.g6I1J5NS023735@delirium.numenor.org>

I have a minor issue with the 'buildpkg.sh' script in the contrib/solaris directory for OpenSSH (3.4p1 in my case) that I'm hoping might be solvable. First off, I'd like to say that I've been quite happy with the script; for interactive installs, it's worked great. My problem is occurring due to my attempts to make it work non-interactively, however, within an init script used for Solaris Jumpstart.

In the script I created, I've generated the necessary admin and response files to allow for no interaction with the user, and when the script is run from a command prompt, it works without a hitch. If the script is run during bootup (as an init script), it seems to bomb on the preinstall script with the following error message:

pkgadd: ERROR: freopen(/dev/tty, "a", stdout) failed, errno=6
pkgadd: ERROR: preinstall script did not complete successfully

Looking up the error number, which corresponds to ENXIO, it seems to be unable to find /dev/tty, which is understandable since it's being run non-interactively; however, I'm not quite certain why it's attempting to do that, and so far everyone I've talked to has been uncertain as well. Is there something obvious to this that I'm missing? Any help would be greatly appreciated on this issue.

Kenneth Lareau
elessar at numenor.org

From bugzilla-daemon at mindrot.org Thu Jul 18 11:22:41 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 11:22:41 +1000 (EST)
Subject: [Bug 358] New: password authentication fails
Message-ID: <20020718012241.4DE87EA35@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=358

           Summary: password authentication fails
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: snark at annwm.lbl.gov

After upgrading from openssh-3.1p1-1 to openssh-3.4p1-1 (built locally from srpm downloaded from openssh.org), passwordAuthentication fails to work. log messages are:

Jul 17 17:56:24 annwm sshd(pam_unix)[13376]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=pdsflx005.nersc.gov user=henp
Jul 17 17:56:26 annwm sshd[13376]: debug1: PAM Password authentication for "henp" failed[7]: Authentication failure

Configuration files have not changed between versions. If I revert to old version of ssh, problem vanishes. PublickeyAuthentication and RSAAuthentication methods both work fine.

Base system is RedHat 6.2, kernel 2.4.17

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dtucker at zip.com.au Thu Jul 18 11:51:10 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 18 Jul 2002 11:51:10 +1000
Subject: 'buildpkg.sh' for OpenSSH - non-interactive install?
References: <200207180119.g6I1J5NS023735@delirium.numenor.org>
Message-ID: <3D361F0E.9F78818@zip.com.au>

Kenneth Lareau wrote:
[non-interactive pkgadd failure]
> pkgadd: ERROR: freopen(/dev/tty, "a", stdout) failed, errno=6
> pkgadd: ERROR: preinstall script did not complete successfully

This is a bug in pkgadd (Sun bug ID 1143634). I use the following workaround:

pkgadd -a openssh.admin -n \
    -r openssh.response \
    -d "OpenSSH-SunOS-`uname -r`.pkg" OpenSSH \
    >/tmp/ssh.txt 2>&1
cat /tmp/ssh.txt

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From tim at multitalents.net Thu Jul 18 11:54:37 2002
From: tim at multitalents.net (Tim Rice)
Date: Wed, 17 Jul 2002 18:54:37 -0700 (PDT)
Subject: Testing Call
In-Reply-To:
Message-ID:

On Wed, 17 Jul 2002, Ben Lindstrom wrote:

> For those with pmake install there is regress/ which you can try out. It
> may help any platform issues. I know some platforms will outright fail
> (AIX). Hopefully post 3.5 we can look at supplying gnu make files.

I think gert supplied us with one. (it's in my inbox somewhere)
Looks like none of us has had time to test it yet.

> For those that build packages for yourself/others from the contrib/
> section also let us know what needs to be updated. With the changes to
> the Solaris/Sysv package that I think it needs to be retested on
> non-solaris platforms (Tim, do you still have Daz's last patch to
> buildpkg.sh so you could test under SCO or should I just commit it and we
> can play cvs tag?).

I've still got it. I'll test it soon.
The only thing I didn't like was uid/gid of 22
Anyone have a problem with using 67 for the uid/gid?

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From kevin at atomicgears.com Thu Jul 18 12:04:43 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Wed, 17 Jul 2002 19:04:43 -0700
Subject: Testing Call
In-Reply-To: <6808DCE827EBD5119DFB0002A58EF4DA03240437@hqempn06.agedwards.com>
References: <6808DCE827EBD5119DFB0002A58EF4DA03240437@hqempn06.agedwards.com>
Message-ID: <20020718020443.GK4326@scott.crlsca.adelphia.net>

On Wed, Jul 17, 2002 at 04:13:34PM -0500, Lacoss-Arnold, Jason wrote:
> I hope to have time to test, but I have a quick question:
>
> I caught the message that PAM is working for some transactions, but the last
> patch I saw said that it still doesn't work for password changes. Did I
> miss a patch, or is that still broken? We've got to choose a new version to
> deploy enterprise-wide within the next week or two and I've got to decide if
> we want to wait for 3.5 or go with 3.2 which IIRC was the last version with
> a functional PAM.
>
> Will it work if privsep is disabled and relevant sections of code
> uncommented?

I don't think there is 1 person that has a handle on all the PAM issues or has reviewed all the various patches available. There are several different issues and confusion exists. I'll try to coordinate the issues, but I'm busy and most others are as well. Stay tuned.

From tim at multitalents.net Thu Jul 18 12:24:30 2002
From: tim at multitalents.net (Tim Rice)
Date: Wed, 17 Jul 2002 19:24:30 -0700 (PDT)
Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1
In-Reply-To: <200207120352.g6C3q5Pq004609@gandalf.cc.purdue.edu>
Message-ID:

On Thu, 11 Jul 2002, John R. Jackson wrote:

> >either way, let's figure out a fix/workaround for the next release
> >because this is biting many people. have autoconf bugs been filed?
> >using 2.52 is not the right long-term answer.
>
> Oh, fine. :-) I spent another hour or so looking at the problem and
> found a way around this at the autoconf level.
>
> Bash has a problem with this construct:
>
> as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
> for as_dir in $PATH:/usr/X/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/openwin/bin
> do
>   IFS=$as_save_IFS
> ...

I've committed a variation of your patch to configure.ac
Please test and close the bug

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From bugzilla-daemon at mindrot.org Thu Jul 18 12:37:24 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 12:37:24 +1000 (EST)
Subject: [Bug 298] sshd fails to set user context, preventing all logins, also setgroups is failing
Message-ID: <20020718023724.44828E939@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=298

sshbugs at wayne47.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From sshbugs at wayne47.com 2002-07-18 12:37 -------
Looks like 2.4 dealt with the problem

From bugzilla-daemon at mindrot.org Thu Jul 18 12:38:30 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 12:38:30 +1000 (EST)
Subject: [Bug 298] sshd fails to set user context, preventing all logins, also setgroups is failing
Message-ID: <20020718023830.DC17EE939@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=298

------- Additional Comments From sshbugs at wayne47.com 2002-07-18 12:38 -------
Make that 3.4

From tim at multitalents.net Thu Jul 18 13:42:27 2002
From: tim at multitalents.net (Tim Rice)
Date: Wed, 17 Jul 2002 20:42:27 -0700 (PDT)
Subject: Patch: Solaris packages don't create privsep user or group
In-Reply-To: <3D34DC70.7E7192AE@zip.com.au>
Message-ID:

On Wed, 17 Jul 2002, Darren Tucker wrote:

> Ben Lindstrom wrote:
> > sshdgid="-g $SSHDGID"
> >
> > same with the sshduid check.
>
> Damn. I missed those when I added the variables. New patch attached.
>

I've tested the patch. A couple of things.

if cut -f3 -d: ${PKG_INSTALL_ROOT}/etc/group | egrep '^'67'$' >/dev/null
then
	sshdgid="-g 67"
fi

should be

if cut -f3 -d: ${PKG_INSTALL_ROOT}/etc/group | egrep '^'67'$' >/dev/null
then
	:
else
	sshdgid="-g 67"
fi

Same for the /etc/passwd check.

The one that bothers me is that adding the user/group is not optional.
I put a lot of work into being able to build/install a test package
without touching important files on what may be a production system.

I see a couple of options. Add a prompt to request or wrap groupadd/useradd
around a test -z "${TEST_DIR}"

I'm leaning towards adding a prompt to request.
Opinions?

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From bugzilla-daemon at mindrot.org Thu Jul 18 14:07:51 2002
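The uid/gid pre-check Tim describes above, as an added example that is not from buildpkg.sh or Darren's patch: it runs the original (inverted) test and the corrected ": else" form side by side against constructed group and passwd files, so no real system file is touched. The sample entries, the file names and the shape of the groupadd/useradd lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of buildpkg.sh. The idea being tested: if id 67
# is free, ask groupadd/useradd for it explicitly (-g 67 / -u 67); if it is
# already taken, pass no id flag and let the tool pick one.

# id_in_use FILE ID : succeed when ID occupies field 3 (the numeric id) of a
# passwd/group-format FILE. The ^...$ anchors keep gid 670 from matching 67.
id_in_use() {
	cut -f3 -d: "$1" | grep -E "^$2\$" >/dev/null
}

# buggy_flag FILE OPT ID : the check as it stood before Tim's correction.
# It emits the flag only when ID is already taken, i.e. the inverse of the
# intended behaviour, so a free 67 is never requested.
buggy_flag() {
	flag=""
	if id_in_use "$1" "$3"; then
		flag="$2 $3"
	fi
	printf '%s' "$flag"
}

# id_flag FILE OPT ID : the corrected form Tim proposes (then : else ...).
id_flag() {
	flag=""
	if id_in_use "$1" "$3"; then
		:
	else
		flag="$2 $3"
	fi
	printf '%s' "$flag"
}

# privsep_add_commands GROUPFILE PASSWDFILE : print the groupadd/useradd
# lines a preinstall script could run for the privsep account. The option
# list is an illustrative guess, not copied from buildpkg.sh, and the
# commands are printed rather than executed.
privsep_add_commands() {
	sshdgid=$(id_flag "$1" -g 67)
	sshduid=$(id_flag "$2" -u 67)
	echo "groupadd $sshdgid sshd"
	echo "useradd $sshduid -g sshd -d /var/empty -s /bin/false sshd"
}

# --- constructed sample files (stand-ins for /etc/group and /etc/passwd) ---
SAMPLE_DIR=${TMPDIR:-/tmp}/privsep-id-check.$$
mkdir -p "$SAMPLE_DIR"
GROUP_FREE=$SAMPLE_DIR/group.free      # gid 67 unused, but 670 present
GROUP_TAKEN=$SAMPLE_DIR/group.taken    # gid 67 already used
PASSWD_TAKEN=$SAMPLE_DIR/passwd.taken  # uid 67 already used
printf 'root:x:0:\nsys:x:3:\nbig:x:670:\n' > "$GROUP_FREE"
printf 'root:x:0:\nsys:x:3:\nold:x:67:\n' > "$GROUP_TAKEN"
printf 'root:x:0:0:Super-User:/:/sbin/sh\nlegacy:x:67:67::/:/bin/false\n' \
	> "$PASSWD_TAKEN"

# With 67 free in the group file and taken in passwd, the group gets -g 67
# and the user gets no -u flag.
privsep_add_commands "$GROUP_FREE" "$PASSWD_TAKEN"
```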
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 14:07:51 +1000 (EST)
Subject: [Bug 312] canhost.h needs to be included
Message-ID: <20020718040751.78457EA4A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=312

------- Additional Comments From stevesk at pobox.com 2002-07-18 14:07 -------
why is it required? i don't see any canohost.h functions in those files.

From bugzilla-daemon at mindrot.org Thu Jul 18 14:11:59 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 14:11:59 +1000 (EST)
Subject: [Bug 313] undefined type in older cc's
Message-ID: <20020718041159.7DD51EA4A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=313

------- Additional Comments From stevesk at pobox.com 2002-07-18 14:11 -------
tim, can you look at this one? it looks like that is the only ulong in the tree.

From bugzilla-daemon at mindrot.org Thu Jul 18 14:24:11 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 14:24:11 +1000 (EST)
Subject: [Bug 320] Cannot build 3.4p1
Message-ID: <20020718042411.907D0EA41@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=320

------- Additional Comments From stevesk at pobox.com 2002-07-18 14:24 -------
i'm not sure. what does this show:

$ grep HAVE___[Ff] config.h
/* #undef HAVE___FUNCTION__ */
#define HAVE___func__ 1

From bugzilla-daemon at mindrot.org Thu Jul 18 14:33:37 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 14:33:37 +1000 (EST)
Subject: [Bug 342] RhostsRSAAuthentication does not work with 3.4p1
Message-ID: <20020718043337.3B7FFEA41@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=342

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From stevesk at pobox.com 2002-07-18 14:33 -------
ssh is by default not set-uid root. re-open if this is the cause.

     RhostsRSAAuthentication
             Specifies whether to try rhosts based authentication with RSA
             host authentication. The argument must be ``yes'' or ``no''.
             The default is ``no''. This option applies to protocol version
             1 only and requires ssh to be setuid root.

From bugzilla-daemon at mindrot.org Thu Jul 18 14:39:22 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 14:39:22 +1000 (EST)
Subject: [Bug 333] X11 forwarding not working in OpenSSH 3.4p1
Message-ID: <20020718043922.7DC44EA41@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=333

------- Additional Comments From stevesk at pobox.com 2002-07-18 14:39 -------
set XAuthLocation in ssh and sshd config and test.

From bugzilla-daemon at mindrot.org Thu Jul 18 14:49:55 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 14:49:55 +1000 (EST)
Subject: [Bug 352] UTMP does not seem to be updated on logout
Message-ID: <20020718044955.CE733EA66@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=352

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From stevesk at pobox.com 2002-07-18 14:49 -------
this looks like a dup of 345. Lutz, re-open if not.

*** This bug has been marked as a duplicate of 345 ***

From bugzilla-daemon at mindrot.org Thu Jul 18 14:50:13 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 14:50:13 +1000 (EST)
Subject: [Bug 345] w (uptime) command still indicates user is logged in after logout
Message-ID: <20020718045013.2FEA8EA66@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=345

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Lutz.Jaenicke at aet.TU-Cottbus.DE

------- Additional Comments From stevesk at pobox.com 2002-07-18 14:49 -------
*** Bug 352 has been marked as a duplicate of this bug. ***

From bugzilla-daemon at mindrot.org Thu Jul 18 15:04:55 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 15:04:55 +1000 (EST)
Subject: [Bug 302] make install reports that separation user does not exist...
Message-ID: <20020718050455.D9B44EA66@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=302

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From stevesk at pobox.com 2002-07-18 15:04 -------
fixed in current:

 - (tim) [Makefile.in] replace "id sshd" with "sshd -t"

From bugzilla-daemon at mindrot.org Thu Jul 18 15:18:06 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 15:18:06 +1000 (EST)
Subject: [Bug 235] While PermitEmptyPasswords no, user can connect, entering ANY other password
Message-ID: <20020718051806.F10EAEA41@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=235

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From stevesk at pobox.com 2002-07-18 15:17 -------
this was fixed in openbsd and is documented for linux PAM.

From bugzilla-daemon at mindrot.org Thu Jul 18 15:28:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 15:28:51 +1000 (EST)
Subject: [Bug 239] ssh didn't resolv name server on HPUX 11i
Message-ID: <20020718052851.61C8BEA41@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=239

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From stevesk at pobox.com 2002-07-18 15:28 -------
HP's getaddrinfo() does not work on IPv4-only systems. i have made them aware of this, but i did not receive a defect ID. closing.

From bugzilla-daemon at mindrot.org Thu Jul 18 15:31:38 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 15:31:38 +1000 (EST)
Subject: [Bug 243] fatal: buffer_get
Message-ID: <20020718053138.8EE2DEA78@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=243

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From stevesk at pobox.com 2002-07-18 15:31 -------
no additional info provided. closing.

From bugzilla-daemon at mindrot.org Thu Jul 18 15:33:48 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 15:33:48 +1000 (EST)
Subject: [Bug 244] Remote port forwarding on solaris 8x86 doesn't work
Message-ID: <20020718053348.2340BEA76@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=244

------- Additional Comments From stevesk at pobox.com 2002-07-18 15:33 -------
can anyone dup this?

From bugzilla-daemon at mindrot.org Thu Jul 18 15:40:35 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 15:40:35 +1000 (EST)
Subject: [Bug 245] SSH can not log out under Solaris 2.6
Message-ID: <20020718054035.88A0EEA7A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=245

------- Additional Comments From stevesk at pobox.com 2002-07-18 15:40 -------
asked millert at openbsd.org. we still don't know why setsid() breaks solaris.

From bugzilla-daemon at mindrot.org Thu Jul 18 15:43:07 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 15:43:07 +1000 (EST)
Subject: [Bug 246] md5_crypt conflict fails
Message-ID: <20020718054307.028AFEA88@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=246

------- Additional Comments From stevesk at pobox.com 2002-07-18 15:42 -------
tim, should this be closed INVALID?

From bugzilla-daemon at mindrot.org Thu Jul 18 15:46:43 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 15:46:43 +1000 (EST)
Subject: [Bug 256] Expired password unchangeable again with pam support
Message-ID: <20020718054643.3E97AEA7A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=256

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |DUPLICATE

------- Additional Comments From stevesk at pobox.com 2002-07-18 15:46 -------
this was done as a temp workaround to 188. make it a dup.

*** This bug has been marked as a duplicate of 188 ***

From bugzilla-daemon at mindrot.org Thu Jul 18 15:46:53 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 15:46:53 +1000 (EST)
Subject: [Bug 188] pam_chauthtok() is called too late
Message-ID: <20020718054653.AA2F1EA84@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=188

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |smueller at atsec.com

------- Additional Comments From stevesk at pobox.com 2002-07-18 15:46 -------
*** Bug 256 has been marked as a duplicate of this bug. ***

From bugzilla-daemon at mindrot.org Thu Jul 18 15:55:23 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 15:55:23 +1000 (EST)
Subject: [Bug 264] sshd leaves around temporary directories in /tmp
Message-ID: <20020718055523.0616AEA96@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=264

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From stevesk at pobox.com 2002-07-18 15:55 -------
should only see this when sshd killed with -9. closing.

From bugzilla-daemon at mindrot.org Thu Jul 18 15:59:30 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 15:59:30 +1000 (EST)
Subject: [Bug 267] Build problems with 3.2.3p1 under Tru64 UNIX 4.0D
Message-ID: <20020718055930.10CF9EA7F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=267

------- Additional Comments From stevesk at pobox.com 2002-07-18 15:59 -------
tim, it appears this should go in?

From bugzilla-daemon at mindrot.org Thu Jul 18 16:07:56 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 16:07:56 +1000 (EST)
Subject: [Bug 274] scp fails if target account has echo "somestuff" as last line in .profile
Message-ID: <20020718060756.46836EA95@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=274

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From stevesk at pobox.com 2002-07-18 16:07 -------
can't put anything into RCP stream. closing.

From bugzilla-daemon at mindrot.org Thu Jul 18 16:10:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 16:10:32 +1000 (EST)
Subject: [Bug 275] openssh 3.2.3p1 make fails
Message-ID: <20020718061032.8AC12EA99@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=275

------- Additional Comments From stevesk at pobox.com 2002-07-18 16:10 -------
SunOs 4.1.4 users: what happened here?

From bugzilla-daemon at mindrot.org Thu Jul 18 16:11:23 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 16:11:23 +1000 (EST)
Subject: [Bug 312] canhost.h needs to be included
Message-ID: <20020718061123.63CC0EA99@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=312

------- Additional Comments From dirk.meyer at dinoex.sub.org 2002-07-18 16:11 -------
Well it is conditional.

# grep -C -n get_canonical_hostname auth2.c.orig
236-	/* XXX: privsep */
237-	loginfailed(authctxt->user,
238:	    get_canonical_hostname(options.verify_reverse_mapping),
239-	    "ssh");
240-#endif /* WITH_AIXAUTHENTICATE */

# grep -C -n get_canonical_hostname auth1.c.orig
327-	/* XXX: privsep */
328-	loginfailed(authctxt->user,
329:	    get_canonical_hostname(options.verify_reverse_mapping),
330-	    "ssh");
331-#endif /* WITH_AIXAUTHENTICATE */

From bugzilla-daemon at mindrot.org Thu Jul 18 16:14:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 16:14:51 +1000 (EST)
Subject: [Bug 282] ttymodes sent can be invalid
Message-ID: <20020718061451.456DFEA92@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=282

------- Additional Comments From stevesk at pobox.com 2002-07-18 16:14 -------
a linux person needs to dig into this one

From bugzilla-daemon at mindrot.org Thu Jul 18 16:18:25 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 16:18:25 +1000 (EST)
Subject: [Bug 287] URL wrong in INSTALL file
Message-ID: <20020718061825.0BF49EA96@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=287

------- Additional Comments From stevesk at pobox.com 2002-07-18 16:18 -------
djm, what should be here now?

From bugzilla-daemon at mindrot.org Thu Jul 18 16:25:42 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 16:25:42 +1000 (EST)
Subject: [Bug 295] rpm specfile needs build prereqs for Kerberos
Message-ID: <20020718062542.749A4EA98@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=295

------- Additional Comments From stevesk at pobox.com 2002-07-18 16:25 -------
this seems to make sense. can linux/rpm/krb folks comment?

From bugzilla-daemon at mindrot.org Thu Jul 18 16:30:20 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 16:30:20 +1000 (EST)
Subject: [Bug 297] sshd version 3.3 incompatible with pre-3.3 clients in ssh1 mode
Message-ID: <20020718063020.98E20E925@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=297

------- Additional Comments From stevesk at pobox.com 2002-07-18 16:30 -------
what are we doing with openssl 0.9.5 issues?

From bugzilla-daemon at mindrot.org Thu Jul 18 17:43:15 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 17:43:15 +1000 (EST)
Subject: [Bug 297] sshd version 3.3 incompatible with pre-3.3 clients in ssh1 mode
Message-ID: <20020718074315.7D257E925@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=297

------- Additional Comments From markus at openbsd.org 2002-07-18 17:43 -------
we should apply the patch from bug#138
http://bugzilla.mindrot.org/showattachment.cgi?attach_id=121
that makes ssh1-bf work with OpenSSL 0.9.5
but recommend >= 0.9.6

we should also disable AES in OpenSSL 0.9.5

From bugzilla-daemon at mindrot.org Thu Jul 18 18:00:53 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 18:00:53 +1000 (EST)
Subject: [Bug 204] Authentication fails when username contains an at-sign
Message-ID: <20020718080053.BBB4EE9D4@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=204

markus at openbsd.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From markus at openbsd.org 2002-07-18 18:00 -------
patch committed (some time ago)

From markus at openbsd.org Thu Jul 18 18:46:54 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 18 Jul 2002 10:46:54 +0200
Subject: Testing Call
In-Reply-To:
References:
Message-ID: <20020718084653.GB19263@folly>

On Wed, Jul 17, 2002 at 03:04:07PM -0500, Ben Lindstrom wrote:
> For those with pmake install there is regress/ which you can try out. It
> may help any platform issues. I know some platforms will outright fail
> (AIX). Hopefully post 3.5 we can look at supplying gnu make files.

we could ship a simple script:

% cat run-tests.sh
pwd=`pwd`
for test in connect \
	proxy-connect \
	connect-privsep \
	proto-version \
	proto-mismatch \
	exit-status \
	transfer \
	stderr-data \
	stderr-after-eof \
	broken-pipe \
	try-ciphers \
	yes-head \
	agent \
	keyscan \
	sftp \
	forwarding ; do
	sh test-exec.sh $pwd $pwd/${test}.sh
done

From dtucker at zip.com.au Thu Jul 18 19:31:23 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Thu, 18 Jul 2002 19:31:23 +1000
Subject: Patch: Solaris packages don't create privsep user or group
References:
Message-ID: <3D368AEB.8235338C@zip.com.au>

Tim Rice wrote:
> should be
> if cut -f3 -d: ${PKG_INSTALL_ROOT}/etc/group | egrep '^'67'$' >/dev/null
> then
>         :
> else
>         sshdgid="-g 67"
> fi
> Same for the /etc/passwd check.

Good point.

> I put a lot of work into being able to build/install a test package
> without touching important files on what may be a production system.

Is there any reason you don't use pkgadd -R for your testing instead? (Assuming it's available on all supported SysV platforms). It would allow you to simplify buildpkg and help ensure that Jumpstart installs continue to work. You could also test and deploy the same packages rather than rebuilding them.

See attachment for example scaffolding, tested on Solaris 7 only.

> The one that bothers me is that adding the user/group is not optional.
>
> I see a couple of options. Add a prompt to request or wrap groupadd/useradd
> around a test -z "${TEST_DIR}"
>
> I'm leaning towards adding a prompt to request.
> Opinions?

As it stands the creation of the user and group are contingent on privsep being enabled. If privsep is enabled and you want sshd to work then having the user and group isn't optional. I'd put it in /etc/init.d/opensshd.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
-------------- next part --------------
#!/bin/sh
testroot=/tmp/testinstall
rm -rf $testroot
mkdir -p $testroot/etc/rc0.d $testroot/etc/rc1.d $testroot/etc/rc2.d \
	$testroot/etc/rcS.d $testroot/usr/sbin $testroot/usr/bin $testroot/etc
touch $testroot/etc/passwd $testroot/etc/group
cat >fake.c <
int main(int argc, char **argv)
{
	int i;
	printf("Pretending to");
	for(i=0; i

References:
Message-ID: <20020718114434.U6932@cygbert.vinschen.de>

On Wed, Jul 17, 2002 at 03:04:07PM -0500, Ben Lindstrom wrote:
>
> Ok.. I'm starting official testing calls early this release. I'd like to
> have more feedback and more time for handling fixes.

OpenSSH has been configured with the following options:
                     User binaries: /usr/bin
                   System binaries: /usr/sbin
               Configuration files: /etc
                   Askpass program: /usr/sbin/ssh-askpass
                      Manual pages: /usr/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
                    Manpage format: doc
                       PAM support: no
                KerberosIV support: no
                 KerberosV support: no
                 Smartcard support: no
                       AFS support: no
                     S/KEY support: no
              TCP Wrappers support: yes
              MD5 password support: no
       IP address in $DISPLAY hack: no
          Use IPv4 by default hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY

              Host: i686-pc-cygwin
          Compiler: i686-pc-cygwin-gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags:
      Linker flags:
         Libraries: -lwrap -lz /usr/lib/textmode.o -lcrypto

Current from CVS, builds and runs fine.

Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Developer                                mailto:cygwin at cygwin.com
Red Hat, Inc.
mailto:vinschen at redhat.com

From leigh at solinno.co.uk Thu Jul 18 20:30:09 2002
From: leigh at solinno.co.uk (Leigh Brown)
Date: Thu, 18 Jul 2002 11:30:09 +0100 (BST)
Subject: Testing Call
In-Reply-To:
References:
Message-ID: <38720.193.133.92.239.1026988209.squirrel@lbbrown.homeip.net>

Yesterday, Ben Lindstrom wrote:
> 2. AIX (some version) stall on large data output. Current CVS patch is
> wrong and will be pulled unless an agreement can be made.

The (apparent) bug in AIX applies to AIX 4.3.3ML03 and above. Having at last found a solution that works I'd be really grateful if we can have a workaround for the bug before the release.

I have attached a patch that moves the workaround to the correct place, above the write, and changes "c->isatty" to "isatty(c->wfd)", because c->isatty is not true if nonblock is false (I don't know why it is setup like this).

It may not be the most correct or efficient solution, but it only applies to AIX, and without it openssh locks up solid very easily when ssh'ing from a box that you telnet'd or rlogin'd to.

Please apply!

BTW I'm running last night's snapshot with this patch applied and privilege separation enabled, and it all seems to be working fine. I will report if I encounter any problems.

Cheers,

Leigh.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: aix.fix.patch
Type: application/octet-stream
Size: 596 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020718/18844d62/attachment.obj

From leigh at solinno.co.uk Thu Jul 18 21:12:07 2002
From: leigh at solinno.co.uk (Leigh Brown)
Date: Thu, 18 Jul 2002 12:12:07 +0100 (BST)
Subject: AIX hang problem again (was Re: Testing Call)
In-Reply-To: <38720.193.133.92.239.1026988209.squirrel@lbbrown.homeip.net>
References: <38720.193.133.92.239.1026988209.squirrel@lbbrown.homeip.net>
Message-ID: <35818.193.133.92.239.1026990727.squirrel@lbbrown.homeip.net>

I wrote:
> Yesterday, Ben Lindstrom wrote:
>> 2. AIX (some version) stall on large data output. Current CVS patch
>> is wrong and will be pulled unless an agreement can be made.
>
> The (apparent) bug in AIX applies to AIX 4.3.3ML03 and above. Having
> at last found a solution that works I'd be really grateful if we can
> have a workaround for the bug before the release.
>
> I have attached a patch that moves the workaround to the correct place,
> above the write, and changes "c->isatty" to "isatty(c->wfd)", because
> c->isatty is not true if nonblock is false (I don't know why it is
> setup like this).
>
> It may not be the most correct or efficient solution, but it only
> applies to AIX, and without it openssh locks up solid very easily
> when ssh'ing from a box that you telnet'd or rlogin'd to.
>
> Please apply!
>
> BTW I'm running last night's snapshot with this patch applied and
> privilege separation enabled, and it all seems to be working fine. I
> will report if I encounter any problems.

Sorry guys, I just realised that you've been sending me email and I've not read it, due to (my) bad mail filtering rules. It was just chance that I happened to read Ben's testing email. I've read your emails now and obviously I'd still like to apply the patch. However, if using isatty is a problem (I know it causes a system call), please give me a hint as to a preferred solution and I'll cook something up.

Cheers,

Leigh.

From leigh at solinno.co.uk Thu Jul 18 21:57:09 2002
From: leigh at solinno.co.uk (Leigh Brown)
Date: Thu, 18 Jul 2002 12:57:09 +0100 (BST)
Subject: AIX hang problem again (was Re: Testing Call)
In-Reply-To: <35818.193.133.92.239.1026990727.squirrel@lbbrown.homeip.net>
References: <38720.193.133.92.239.1026988209.squirrel@lbbrown.homeip.net> <35818.193.133.92.239.1026990727.squirrel@lbbrown.homeip.net>
Message-ID: <45568.193.133.92.239.1026993429.squirrel@lbbrown.homeip.net>

I wrote:
> Sorry guys, I just realised that you've been sending me email and
> I've not read it, due to (my) bad mail filtering rules. It was just
> chance that I happened to read Ben's testing email. I've read your
> emails now and obviously I'd still like to apply the patch. However,
> if using isatty is a problem (I know it causes a system call), please
> give me a hint as to a preferred solution and I'll cook something up.

How about the attached patch? I could wrap #ifdef _AIX around the wfd_isatty member definition and initialisation if required, but I don't think it causes any harm as it is.

Cheers,

Leigh.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: aix.fix2.diff
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020718/230e43ab/attachment.ksh

From markus at openbsd.org Thu Jul 18 22:00:01 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 18 Jul 2002 14:00:01 +0200
Subject: AIX hang problem again (was Re: Testing Call)
In-Reply-To: <45568.193.133.92.239.1026993429.squirrel@lbbrown.homeip.net>
References: <38720.193.133.92.239.1026988209.squirrel@lbbrown.homeip.net> <35818.193.133.92.239.1026990727.squirrel@lbbrown.homeip.net> <45568.193.133.92.239.1026993429.squirrel@lbbrown.homeip.net>
Message-ID: <20020718120001.GC10133@faui02>

makes sense to me.

From mgregis at sorint.it Thu Jul 18 22:41:55 2002
From: mgregis at sorint.it (massimiliano gregis)
Date: Thu, 18 Jul 2002 14:41:55 +0200
Subject: openssh 3.4 solaris pkg & privsep error
Message-ID: <11cb310ba7.10ba711cb3@sorint.it>

Hello, this is Max Gregis from Italy. I send you this e-mail about the privsep error with OSSH 3.4 on Solaris 2.6 and Solaris 7. Usually I find the error of compression disabled if I use SSHD with the inetd daemon. But if I put this entry:

sshd:23:respawn:/usr/local/sbin/sshd -D > /dev/null 2>&1

in /etc/inittab (and after a good "init q" for reading the new inittab), in this mode I don't find that error and useprivilegeseparation and compression run. Probably the problem is the INETD daemon that doesn't use MMAP in the right mode (probably, but I'm not sure about this). Please let me know the news.

Max

From bugzilla-daemon at mindrot.org Thu Jul 18 23:26:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 18 Jul 2002 23:26:51 +1000 (EST)
Subject: [Bug 345] w (uptime) command still indicates user is logged in after logout
Message-ID: <20020718132651.C978CE9C0@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=345

------- Additional Comments From Lutz.Jaenicke at aet.TU-Cottbus.DE 2002-07-18 23:26 -------
I "trace"ed a little bit:
* on login, both /etc/utmpx and /etc/utmp are updated with the login information
* on logout, only /etc/utmpx is updated

who (=w) only reads /etc/utmp, so that it gets wrong login information. This applies to today's CVS (2002/07/18).

As far as I have added debugging statements, utmpx_write_library() is called for both login and logout. According to the manual page, pututxline() should translate the utmpx entry into a utmp entry and also update utmp accordingly. This only seems to happen for login, not for logout.

As far as I have looked over the code, I do not understand why utmpx_perform_logout() calls line_abbrevname() again (conditionally), as the same code is also part of construct_utmpx(), isn't it? Also utx.ut_type should have been set before unconditionally in construct_utmpx().

So much for now. It seems that the rest is somewhere buried inside pututxline() which does not provide too much diagnostics...

Oh, I just see that in utmpx_perform_login(), there is called utmpx_write_direct(li, &ut) for the case of !UTMPX_USE_LIBRARY (note the "&ut" instead of "&utx", but it does not apply here anyway).

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From miipekk at ihme.org Thu Jul 18 23:35:45 2002
From: miipekk at ihme.org (Miika Pekkarinen)
Date: Thu, 18 Jul 2002 16:35:45 +0300 (EEST)
Subject: Comments needed
Message-ID: 

Hi, could somebody answer to my scp patch that I sent 2002-07-13?

-- 
Miika Pekkarinen
miika at ihme.org

From ayamura at ayamura.org Fri Jul 19 02:28:06 2002
From: ayamura at ayamura.org (Ayamura KIKUCHI)
Date: Fri, 19 Jul 2002 01:28:06 +0900
Subject: hard-coded MM_SWAP_TEMPLATE
Message-ID: <86r8i1knl5.wl@sea.ayamura.org>

Hard-coded MM_SWAP_TEMPLATE defined as "/var/run/sshd.mm.XXXXXXXX" in openssh-SNAP-20020718/openbsd-compat/xmmap.c should not be used because "/var/run" directory does not exist on some platforms.

-- ayamura
Ayamura KIKUCHI, M.D., Ph.D.

From elessar at numenor.org Fri Jul 19 02:31:26 2002
From: elessar at numenor.org (Kenneth Lareau)
Date: Thu, 18 Jul 2002 09:31:26 -0700
Subject: 'buildpkg.sh' for OpenSSH - non-interactive install?
In-Reply-To: Message from Darren Tucker of "Thu, 18 Jul 2002 11:51:10 +1000." <3D361F0E.9F78818@zip.com.au>
Message-ID: <200207181631.g6IGVQNR024974@delirium.numenor.org>

Thank you, that seems to have done the trick. However, given the age of that bug ID (there are a few newer, related ones in sunsolve), you'd think Sun would've done something about this by now. :)

Once again, thanks for the help, it was greatly appreciated.

Kenneth Lareau
elessar at numenor.org

In message <3D361F0E.9F78818 at zip.com.au>, Darren Tucker writes:
>Kenneth Lareau wrote:
>[non-interactive pkgadd failure]
>> pkgadd: ERROR: freopen(/dev/tty, "a", stdout) failed, errno=6
>> pkgadd: ERROR: preinstall script did not complete successfully
>
>This is a bug in pkgadd (Sun bug ID 1143634). I use the following
>workaround:
>
>pkgadd -a openssh.admin -n \
>  -r openssh.response \
>  -d "OpenSSH-SunOS-`uname -r`.pkg" OpenSSH \
>  >/tmp/ssh.txt 2>&1
>cat /tmp/ssh.txt
>
>-- 
>Darren Tucker (dtucker at zip.com.au)
>GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
>    Good judgement comes with experience. Unfortunately, the experience
>usually comes from bad judgement.
>

From bugzilla-daemon at mindrot.org Fri Jul 19 02:32:29 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 02:32:29 +1000 (EST)
Subject: [Bug 313] undefined type in older cc's
Message-ID: <20020718163229.CF828EA42@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=313

tim at multitalents.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From tim at multitalents.net 2002-07-19 02:32 -------
This is fine. I've just committed the change. Closing this bug.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Jul 19 02:42:00 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 02:42:00 +1000 (EST)
Subject: [Bug 333] X11 forwarding not working in OpenSSH 3.4p1
Message-ID: <20020718164200.1FE56EA2C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=333

------- Additional Comments From stripes at tigerlair.com 2002-07-19 02:41 -------
Still did not work. I tried the XAuthLocation as well. I will email you the debugging output from the client and server.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Jul 19 02:42:47 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 02:42:47 +1000 (EST)
Subject: [Bug 246] md5_crypt conflict fails
Message-ID: <20020718164247.05F94EA2C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=246

tim at multitalents.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From tim at multitalents.net 2002-07-19 02:42 -------
No response from quelrods at mail.utexas.edu (James) in 2 months, I'm marking it INVALID and closing. Reopen if it's still a problem in the current code.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Fri Jul 19 02:48:48 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 02:48:48 +1000 (EST)
Subject: [Bug 333] X11 forwarding not working in OpenSSH 3.4p1
Message-ID: <20020718164848.072DFEA4F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=333

------- Additional Comments From stripes at tigerlair.com 2002-07-19 02:48 -------
SSHD debugging output:

Script started on Wed Jul 3 10:02:26 2002
florida:/home/gator# /usr/sbin/sshd -ddd
debug1: sshd version OpenSSH_3.4p1 Debian 1:3.4p1-2
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 131.215.145.120 port 59317 debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 Debian 1:3.4p1-2 debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-2 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-2 debug2: Network child is on pid 15444 debug3: preauth child monitor started debug3: mm_request_receive entering debug3: privsep user:group 101:65534 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,a es256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,a es256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac -sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac -sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: blowfish-cbcdebug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac -sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac -sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: 
kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client->server blowfish-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client blowfish-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug3: mm_request_send entering: type 0 debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 2048 8192 debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug3: mm_request_send entering: type 1 debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: dh_gen_key: priv key bits set: 126/256 debug1: bits set: 1598/3191 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: bits set: 1605/3191 debug3: mm_key_sign entering debug3: mm_request_send entering: type 4 debug3: monitor_read: checking request 4 debug3: mm_answer_sign debug3: mm_answer_sign: signature 0x809ade8(143) debug3: mm_request_send entering: type 5 debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 5 debug3: mm_request_receive entering debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: kex_derive_keysdebug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user gator service ssh-connection method none debug1: attempt 0 failures 0 debug3: mm_getpwnamallow entering debug3: mm_request_send entering: type 6 debug3: monitor_read: checking request 6 debug3: mm_answer_pwnamallow debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 7 debug2: monitor_read: 6 used once, disabling now debug3: mm_request_receive entering debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: 
mm_request_receive_expect entering: type 7 debug3: mm_request_receive entering debug2: input_userauth_request: setting up authctxt for gator debug3: mm_start_pam entering debug3: mm_request_send entering: type 37 debug3: monitor_read: checking request 37 debug1: Starting up PAM with username "gator" debug3: Trying to reverse map address 131.215.145.120. debug3: mm_inform_authserv entering debug3: mm_request_send entering: type 3 debug2: input_userauth_request: try method none debug3: mm_auth_password entering debug1: PAM setting rhost to "swamp.cacr.caltech.edu" debug2: monitor_read: 37 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 3 debug3: mm_answer_authserv: service=ssh-connection, style= debug2: monitor_read: 3 used once, disabling now debug3: mm_request_receive entering debug3: mm_request_send entering: type 10 debug3: monitor_read: checking request 10 debug3: mm_answer_authpassword: sending result 0 debug3: mm_request_send entering: type 11 Failed none for gator from 131.215.145.120 port 59317 ssh2 debug3: mm_request_receive entering debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 11 debug3: mm_request_receive entering debug3: mm_auth_password: user not authenticated Failed none for gator from 131.215.145.120 port 59317 ssh2 debug1: userauth-request for user gator service ssh-connection method publickey debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sentdebug1: attempt 1 failures 1 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug3: mm_key_allowed entering debug3: mm_request_send entering: type 20 debug3: monitor_read: checking request 20 debug3: mm_answer_keyallowed entering debug3: mm_answer_keyallowed: key_from_blob: 0x809ee58 debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: trying public key file /home/gator/.ssh/authorized_keys debug3: secure_filename: checking 
'/home/gator/.ssh' debug3: secure_filename: checking '/home/gator' debug3: secure_filename: terminating check at '/home/gator' debug3: key_read: type mismatch debug2: user_key_allowed: check options: 'ssh-dss AAAAB3NzaC1kc3MAAACBAIfmujXvz4NVGS3JLDSdON ExLTZXP9IPC/xHEQq3HlC97/pceZzK1RILa4EZ+y0M+cZ2XfxUwRffWeODqJvwsTXu+OSAh1b8IwkhnReMiJ1UzwSsUu eNJH5WXc5EOKRDbus7+GSm3cCOxTg1PPQMCRVfhudZQ3UAs+rETtCC8wU7AAAAFQDQx/sUoWHaFABHnkIfnvgF7UksTw AAAIAQBZ+Kw9wkM7XiiVILs/s+zg/eCx796qJJZ/LlhnY527w0O6dydHRAFVj7GtegKSNJ4Q2Q/2DpCbG5mcrbsBantv LV8O0dz7H0twlcnJulgYVj7OEjIRvlHME3FQ+roqnRHxVMXUZciDRZYyW3IY2Vj1uMOj12tYLZvo74vWhaKgAAAIEAhw fbVWVxAa8GllFIA5l4SJYP7a5E+pe4kPi2GBlBeLonCEUUmFuIyn9sX4C0LI+98ZKSoth+QljNUOYbeB53iMrfGEy5Km NOPg5zm9DEBbsU638wRJmYWNzfqEntNr0pBE5J9+vpfCBllYGhbukEquA7dQ4AhRsG7ItpKosHhH0= gator at swamp ' debug2: key_type_from_name: unknown key type 'AAAAB3NzaC1kc3MAAACBAIfmujXvz4NVGS3JLDSdONExLT ZXP9IPC/xHEQq3HlC97/pceZzK1RILa4EZ+y0M+cZ2XfxUwRffWeODqJvwsTXu+OSAh1b8IwkhnReMiJ1UzwSsUueNJH 5WXc5EOKRDbus7+GSm3cCOxTg1PPQMCRVfhudZQ3UAs+rETtCC8wU7AAAAFQDQx/sUoWHaFABHnkIfnvgF7UksTwAAAI AQBZ+Kw9wkM7XiiVILs/s+zg/eCx796qJJZ/LlhnY527w0O6dydHRAFVj7GtegKSNJ4Q2Q/2DpCbG5mcrbsBantvLV8O 0dz7H0twlcnJulgYVj7OEjIRvlHME3FQ+roqnRHxVMXUZciDRZYyW3IY2Vj1uMOj12tYLZvo74vWhaKgAAAIEAhwfbVW VxAa8GllFIA5l4SJYP7a5E+pe4kPi2GBlBeLonCEUUmFuIyn9sX4C0LI+98ZKSoth+QljNUOYbeB53iMrfGEy5KmNOPg 5zm9DEBbsU638wRJmYWNzfqEntNr0pBE5J9+vpfCBllYGhbukEquA7dQ4AhRsG7ItpKosHhH0=' debug3: key_read: no key found debug2: user_key_allowed: advance: 'AAAAB3NzaC1kc3MAAACBAIfmujXvz4NVGS3JLDSdONExLTZXP9IPC/xH EQq3HlC97/pceZzK1RILa4EZ+y0M+cZ2XfxUwRffWeODqJvwsTXu+OSAh1b8IwkhnReMiJ1UzwSsUueNJH5WXc5EOKRD bus7+GSm3cCOxTg1PPQMCRVfhudZQ3UAs+rETtCC8wU7AAAAFQDQx/sUoWHaFABHnkIfnvgF7UksTwAAAIAQBZ+Kw9wk M7XiiVILs/s+zg/eCx796qJJZ/LlhnY527w0O6dydHRAFVj7GtegKSNJ4Q2Q/2DpCbG5mcrbsBantvLV8O0dz7H0twlc nJulgYVj7OEjIRvlHME3FQ+roqnRHxVMXUZciDRZYyW3IY2Vj1uMOj12tYLZvo74vWhaKgAAAIEAhwfbVWVxAa8GllFI 
A5l4SJYP7a5E+pe4kPi2GBlBeLonCEUUmFuIyn9sX4C0LI+98ZKSoth+QljNUOYbeB53iMrfGEy5KmNOPg5zm9DEBbsU 638wRJmYWNzfqEntNr0pBE5J9+vpfCBllYGhbukEquA7dQ4AhRsG7ItpKosHhH0= gator at swamp ' debug3: key_read: type mismatch debug2: user_key_allowed: check options: 'ssh-dss AAAAB3NzaC1kc3MAAACBALQAYY2jizgVw7Q4GZ0Ygs LZxgjt/0DEmVbjDGULPyYFesu6uMf6izcmE/1urXaZPNWVGL3C4VU7mdSHJ1F24nZRc2qrXQlHD2p76m0Q1rQKV+FTF8 BLOvHZ44cMWR3xcHTn0+b0egrPRVCn1OQxz/aRQ/9IqPPdmAsw0DqJGP93AAAAFQDZs2rVXGnuIx+2HYXmyOayBHIdYQ AAAIAtolAP8QmUd+8WKQN6jes/SnPH9gDoYJp+S0vBdg4adoZWDq92/Nx0m8n8iEIfQVkMR/qca/eTXrnfpsFLAPBwXd vFU/bZYf6KPCZoMRUT+fiC0lgacSAkgtFBBQa+TSq69h4Zunc2NW5jOPvLQMfIkFy34b6+rAs4rnYGLMT9wAAAAIBZls 9gB1jkR/uvgvStF5Kbc+k8fUjXxA8BOT9LvwW2KUruMxfYfuL9brykkhgUwT6GTSj6gmpP6LOArita/FXECJkz9nWZUX jiROgmanmSSKuK1KKZ4ypqdwqQE/DV26n/ZGsCiF6pimuQZaBj4UgOErdTMUn9A47LSHfS/Ty0ng== stripes at tiger debug2: key_type_from_name: unknown key type 'AAAAB3NzaC1kc3MAAACBALQAYY2jizgVw7Q4GZ0YgsLZxg jt/0DEmVbjDGULPyYFesu6uMf6izcmE/1urXaZPNWVGL3C4VU7mdSHJ1F24nZRc2qrXQlHD2p76m0Q1rQKV+FTF8BLOv HZ44cMWR3xcHTn0+b0egrPRVCn1OQxz/aRQ/9IqPPdmAsw0DqJGP93AAAAFQDZs2rVXGnuIx+2HYXmyOayBHIdYQAAAI AtolAP8QmUd+8WKQN6jes/SnPH9gDoYJp+S0vBdg4adoZWDq92/Nx0m8n8iEIfQVkMR/qca/eTXrnfpsFLAPBwXdvFU/ bZYf6KPCZoMRUT+fiC0lgacSAkgtFBBQa+TSq69h4Zunc2NW5jOPvLQMfIkFy34b6+rAs4rnYGLMT9wAAAAIBZls9gB1 jkR/uvgvStF5Kbc+k8fUjXxA8BOT9LvwW2KUruMxfYfuL9brykkhgUwT6GTSj6gmpP6LOArita/FXECJkz9nWZUXjiRO gmanmSSKuK1KKZ4ypqdwqQE/DV26n/ZGsCiF6pimuQZaBj4UgOErdTMUn9A47LSHfS/Ty0ng==' debug3: key_read: no key found debug2: user_key_allowed: advance: 'AAAAB3NzaC1kc3MAAACBALQAYY2jizgVw7Q4GZ0YgsLZxgjt/0DEmVbj DGULPyYFesu6uMf6izcmE/1urXaZPNWVGL3C4VU7mdSHJ1F24nZRc2qrXQlHD2p76m0Q1rQKV+FTF8BLOvHZ44cMWR3x cHTn0+b0egrPRVCn1OQxz/aRQ/9IqPPdmAsw0DqJGP93AAAAFQDZs2rVXGnuIx+2HYXmyOayBHIdYQAAAIAtolAP8QmU d+8WKQN6jes/SnPH9gDoYJp+S0vBdg4adoZWDq92/Nx0m8n8iEIfQVkMR/qca/eTXrnfpsFLAPBwXdvFU/bZYf6KPCZo MRUT+fiC0lgacSAkgtFBBQa+TSq69h4Zunc2NW5jOPvLQMfIkFy34b6+rAs4rnYGLMT9wAAAAIBZls9gB1jkR/uvgvSt 
F5Kbc+k8fUjXxA8BOT9LvwW2KUruMxfYfuL9brykkhgUwT6GTSj6gmpP6LOArita/FXECJkz9nWZUXjiROgmanmSSKuK 1KKZ4ypqdwqQE/DV26n/ZGsCiF6pimuQZaBj4UgOErdTMUn9A47LSHfS/Ty0ng== stripes at tigerden ' debug1: restore_uid debug2: key not found debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: trying public key file /home/gator/.ssh/authorized_keys2 debug1: restore_uid debug3: mm_answer_keyallowed: key 0x809ee58 is disallowed debug3: mm_request_send entering: type 21 debug3: mm_request_receive entering debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED debug3: mm_request_receive_expect entering: type 21 debug3: mm_request_receive entering debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa Failed publickey for gator from 131.215.145.120 port 59317 ssh2 debug1: userauth-request for user gator service ssh-connection method publickey debug1: attempt 2 failures 2 debug2: input_userauth_request: try method publickey debug1: test whether pkalg/pkblob are acceptable debug3: mm_key_allowed entering debug3: mm_request_send entering: type 20 debug3: monitor_read: checking request 20 debug3: mm_answer_keyallowed entering debug3: mm_answer_keyallowed: key_from_blob: 0x809e088 debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: trying public key file /home/gator/.ssh/authorized_keys debug3: secure_filename: checking '/home/gator/.ssh' debug3: secure_filename: checking '/home/gator' debug3: secure_filename: terminating check at '/home/gator' debug1: matching key found: file /home/gator/.ssh/authorized_keys, line 1 Found matching DSA key: dc:6a:b9:03:1b:18:29:47:c3:20:49:1e:59:89:94:66 debug1: restore_uid debug3: mm_answer_keyallowed: key 0x809e088 is allowed debug3: mm_request_send entering: type 21 debug3: mm_request_receive entering debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED debug3: mm_request_receive_expect entering: type 21 debug3: mm_request_receive entering debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss Postponed publickey for gator from 131.215.145.120 
port 59317 ssh2 debug1: userauth-request for user gator service ssh-connection method publickey debug1: attempt 3 failures 2 debug2: input_userauth_request: try method publickey debug3: mm_key_allowed entering debug3: mm_request_send entering: type 20 debug3: monitor_read: checking request 20 debug3: mm_answer_keyallowed entering debug3: mm_answer_keyallowed: key_from_blob: 0x809e260 debug1: temporarily_use_uid: 1000/1000 (e=0) debug1: trying public key file /home/gator/.ssh/authorized_keys debug3: secure_filename: checking '/home/gator/.ssh' debug3: secure_filename: checking '/home/gator' debug3: secure_filename: terminating check at '/home/gator' debug1: matching key found: file /home/gator/.ssh/authorized_keys, line 1 Found matching DSA key: dc:6a:b9:03:1b:18:29:47:c3:20:49:1e:59:89:94:66 debug1: restore_uid debug3: mm_answer_keyallowed: key 0x809e260 is allowed debug3: mm_request_send entering: type 21 debug3: mm_request_receive entering debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED debug3: mm_request_receive_expect entering: type 21 debug3: mm_request_receive entering debug3: mm_key_verify entering debug3: mm_request_send entering: type 22 debug3: monitor_read: checking request 22 debug1: ssh_dss_verify: signature correct debug3: mm_answer_keyverify: key 0x809deb0 signature verified debug3: mm_request_send entering: type 23 debug2: pam_acct_mgmt() = 0 Accepted publickey for gator from 131.215.145.120 port 59317 ssh2 debug1: monitor_child_preauth: gator has been authenticated by privileged process debug3: mm_get_keystate: Waiting for new keys debug3: mm_request_receive_expect entering: type 24 debug3: mm_request_receive entering debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY debug3: mm_request_receive_expect entering: type 23 debug3: mm_request_receive entering debug2: userauth_pubkey: authenticated 1 pkalg ssh-dss Accepted publickey for gator from 131.215.145.120 port 59317 ssh2 debug3: mm_send_keystate: Sending new keys: 0x8094ef8 
0x8094d90 debug3: mm_newkeys_to_blob: converting 0x8094ef8 debug3: mm_newkeys_to_blob: converting 0x8094d90 debug3: mm_send_keystate: New keys have been sent debug3: mm_send_keystate: Sending compression state debug3: mm_request_send entering: type 24 debug3: mm_send_keystate: Finished sending state debug3: mm_newkeys_from_blob: 0x809a0f8(112) debug2: mac_init: found hmac-md5 debug3: mm_get_keystate: Waiting for second key debug3: mm_newkeys_from_blob: 0x809a0f8(112) debug2: mac_init: found hmac-md5 debug3: mm_get_keystate: Getting compression state debug3: mm_get_keystate: Getting Network I/O buffers debug3: mm_share_sync: Share sync debug3: mm_share_sync: Share sync end debug2: User child is on pid 15445 debug3: mm_request_receive entering debug1: PAM establishing creds debug1: newkeys: mode 0 debug1: newkeys: mode 1 debug1: Entering interactive session for SSH2. debug1: fd 7 setting O_NONBLOCK debug1: fd 8 setting O_NONBLOCK debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request pty-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. 
debug3: mm_request_send entering: type 25 debug3: monitor_read: checking request 25 debug3: mm_answer_pty entering debug1: session_new: init debug1: session_new: session 0debug3: mm_answer_pty: tty /dev/pts/3 ptyfd 3 debug3: mm_request_receive entering debug3: mm_pty_allocate: waiting for MONITOR_ANS_PTY debug3: mm_request_receive_expect entering: type 26 debug3: mm_request_receive entering debug1: session_pty_req: session 0 alloc /dev/pts/3 debug3: tty_parse_modes: SSH2 n_bytes 256 debug3: tty_parse_modes: ospeed 38400 debug3: tty_parse_modes: ispeed 38400 debug3: tty_parse_modes: 1 3 debug3: tty_parse_modes: 2 28 debug3: tty_parse_modes: 3 8 debug3: tty_parse_modes: 4 21 debug3: tty_parse_modes: 5 4 debug3: tty_parse_modes: 6 0 debug3: tty_parse_modes: 7 0 debug3: tty_parse_modes: 8 17 debug3: tty_parse_modes: 9 19 debug3: tty_parse_modes: 10 26 debug3: tty_parse_modes: 12 18 debug3: tty_parse_modes: 13 127 debug3: tty_parse_modes: 14 22 debug3: tty_parse_modes: 18 15 debug3: tty_parse_modes: 30 1 debug3: tty_parse_modes: 31 0 debug3: tty_parse_modes: 32 0 debug3: tty_parse_modes: 33 0 debug3: tty_parse_modes: 34 0 debug3: tty_parse_modes: 35 0 debug3: tty_parse_modes: 36 1 debug3: tty_parse_modes: 37 0 debug3: tty_parse_modes: 38 1 debug3: tty_parse_modes: 39 0 debug3: tty_parse_modes: 40 0 debug3: tty_parse_modes: 41 1 debug3: tty_parse_modes: 50 1 debug3: tty_parse_modes: 51 1 debug3: tty_parse_modes: 52 0 debug3: tty_parse_modes: 53 1 debug3: tty_parse_modes: 54 1 debug3: tty_parse_modes: 55 1 debug3: tty_parse_modes: 56 0 debug3: tty_parse_modes: 57 0 debug3: tty_parse_modes: 58 0 debug3: tty_parse_modes: 59 1 debug3: tty_parse_modes: 60 1 debug3: tty_parse_modes: 61 1 debug3: tty_parse_modes: 62 0 debug3: tty_parse_modes: 70 1 debug3: tty_parse_modes: 71 0 debug3: tty_parse_modes: 72 1 debug3: tty_parse_modes: 73 0 debug3: tty_parse_modes: 74 0 debug3: tty_parse_modes: 75 0 debug3: tty_parse_modes: 90 1 debug3: tty_parse_modes: 91 1 debug3: tty_parse_modes: 
92 0 debug3: tty_parse_modes: 93 0 debug1: server_input_channel_req: channel 0 request x11-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req x11-req debug1: fd 11 setting O_NONBLOCK debug2: fd 11 is O_NONBLOCK debug1: channel 1: new [X11 inet listener] debug1: server_input_channel_req: channel 0 request shell reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell debug1: PAM setting tty to "/dev/pts/3" debug1: PAM establishing creds debug1: fd 4 setting TCP_NODELAY debug1: channel 0: rfd 10 isatty debug1: fd 10 setting O_NONBLOCK debug2: fd 9 is O_NONBLOCK debug1: Setting controlling tty using TIOCSCTTY. debug1: Received SIGCHLD. debug1: session_by_pid: pid 15446 debug1: session_exit_message: session 0 channel 0 pid 15446 debug1: channel request 0: exit-status debug1: session_exit_message: release channel 0 debug1: channel 0: write failed debug1: channel 0: close_write debug1: channel 0: output open -> closed debug1: session_close: session 0 pid 15446 debug3: mm_request_send entering: type 27 debug2: notify_done: reading debug1: channel 0: read<=0 rfd 10 len -1 debug1: channel 0: read failed debug1: channel 0: close_read debug1: channel 0: input open -> drain debug1: channel 0: ibuf empty debug1: channel 0: send eof debug1: channel 0: input drain -> closed debug1: channel 0: send close debug3: channel 0: will not send data after close debug3: monitor_read: checking request 27 debug3: mm_answer_pty_cleanup entering debug1: session_by_tty: session 0 tty /dev/pts/3 debug3: mm_session_close: session 0 pid 15445 debug3: mm_session_close: tty /dev/pts/3 ptyfd 3 debug1: session_pty_cleanup: session 0 release /dev/pts/3 debug3: mm_request_receive entering debug1: channel 0: rcvd close debug3: channel 0: will not send data after close debug1: channel 0: is dead debug1: channel 0: garbage collecting debug1: channel_free: channel 0: server-session, nchannels 2 
debug3: channel_free: status: The following connections are open: #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1) debug3: channel_close_fds: channel 0: r -1 w -1 e -1 Connection closed by remote host. debug1: channel_free: channel 1: X11 inet listener, nchannels 1 debug3: channel_free: status: The following connections are open: debug3: channel_close_fds: channel 1: r 11 w 11 e -1 Closing connection to 131.215.145.120 debug3: mm_request_send entering: type 38 debug3: monitor_read: checking request 38 debug3: mm_answer_term: tearing down sessions debug3: mm_request_send entering: type 26

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From ayamura at ayamura.org Fri Jul 19 02:50:43 2002
From: ayamura at ayamura.org (Ayamura KIKUCHI)
Date: Fri, 19 Jul 2002 01:50:43 +0900
Subject: address = xmmap(size);
Message-ID: <86ptxlkmjg.wl@sea.ayamura.org>

monitor_mm.c, line = 94 in openssh-SNAP-20020718

A value of type "int" cannot be assigned to an entity of type "void *".
          address = xmmap(size);
                    ^

-- ayamura
Ayamura KIKUCHI, M.D., Ph.D.

From tim at multitalents.net Fri Jul 19 02:48:43 2002
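The sshd -ddd transcript posted to Bug 333 above is the kind of output a defender ends up reading when an SSH login misbehaves. Only a few of its lines are the ones sshd also prints at its normal log level, and those are the ones worth feeding to monitoring: "Failed / Postponed / Accepted METHOD for USER from HOST port N ssh2", and "Found matching DSA key: FINGERPRINT" just before a public-key decision; everything prefixed debugN: is chatter. Here is an added example, not part of this thread or of OpenSSH, in Python: it picks those decision lines out of a transcript and tallies them per user and source host. Two details visible in the Bug 333 log are built in: the first "Failed none" is the client asking which methods are allowed, not a real credential attempt, so it is not counted as a failure; and "Postponed publickey" is the query phase (the key is in authorized_keys but no signature has been verified yet), so only "Accepted" counts as a login. The sample transcript is constructed from lines of the posted log. The regex assumes the 3.4p1 line format shown there (newer releases append the key type and a SHA256 fingerprint to the Accepted line, which this pattern does not try to cover); the "invalid user" marker is the one sshd prints for accounts that do not exist, with "illegal user" accepted for older releases.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Decision lines sshd prints at its normal log level; a -ddd transcript
# wraps them in debugN: chatter that a monitor can ignore.  "invalid user"
# ("illegal user" in older releases) marks accounts that do not exist.
AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Postponed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>(?:invalid|illegal) user )?(?P<user>\S+) from (?P<host>\S+) "
    r"port (?P<port>\d+) (?P<proto>ssh\d?)$"
)
# Printed just before a publickey decision when the offered key is found in
# authorized_keys (3.4p1 prints a hex MD5 fingerprint, as in the Bug 333 log).
KEY_RE = re.compile(r"^Found matching (?P<type>\S+) key: (?P<fp>[0-9a-f:]+)$")


@dataclass
class AuthEvent:
    outcome: str                 # Failed / Postponed / Accepted
    method: str                  # none / publickey / password / ...
    user: str
    host: str
    port: int
    invalid_user: bool
    fingerprint: Optional[str] = None   # only for publickey events preceded by KEY_RE


def parse_auth_events(text: str) -> list:
    """Extract the authentication decisions from sshd log text, in order."""
    events = []
    pending_fp = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            pending_fp = m.group("fp")       # attach to the next publickey decision
            continue
        m = AUTH_RE.match(line)
        if not m:
            continue
        ev = AuthEvent(
            outcome=m.group("outcome"),
            method=m.group("method"),
            user=m.group("user"),
            host=m.group("host"),
            port=int(m.group("port")),
            invalid_user=m.group("invalid") is not None,
        )
        if ev.method == "publickey":
            ev.fingerprint = pending_fp
            pending_fp = None                # a fingerprint belongs to one decision only
        events.append(ev)
    return events


def summarize(events) -> dict:
    """Per (user, host): real failures, logins, methods and keys used.

    The "none" method is the client asking which methods are allowed;
    sshd logs it as Failed, but it is not a credential attempt.
    """
    summary = {}
    for ev in events:
        s = summary.setdefault((ev.user, ev.host), {
            "failed": 0, "accepted": 0, "methods_tried": set(),
            "key_fingerprints": set(), "invalid_user": False,
        })
        s["invalid_user"] = s["invalid_user"] or ev.invalid_user
        if ev.method == "none":
            continue
        s["methods_tried"].add(ev.method)
        if ev.outcome == "Failed":
            s["failed"] += 1
        elif ev.outcome == "Accepted":
            s["accepted"] += 1
            if ev.fingerprint:
                s["key_fingerprints"].add(ev.fingerprint)
    return summary


# Constructed sample in the shape of the Bug 333 transcript: a "none" probe,
# an RSA key that is not in authorized_keys, then a DSA key that is (queried,
# then signed: Postponed, then Accepted).  Debug lines are kept to show that
# they are skipped.
SAMPLE_LOG = """\
debug1: userauth-request for user gator service ssh-connection method none
Failed none for gator from 131.215.145.120 port 59317 ssh2
debug1: userauth-request for user gator service ssh-connection method publickey
debug1: trying public key file /home/gator/.ssh/authorized_keys
debug2: key not found
Failed publickey for gator from 131.215.145.120 port 59317 ssh2
debug1: matching key found: file /home/gator/.ssh/authorized_keys, line 1
Found matching DSA key: dc:6a:b9:03:1b:18:29:47:c3:20:49:1e:59:89:94:66
Postponed publickey for gator from 131.215.145.120 port 59317 ssh2
Found matching DSA key: dc:6a:b9:03:1b:18:29:47:c3:20:49:1e:59:89:94:66
debug1: ssh_dss_verify: signature correct
Accepted publickey for gator from 131.215.145.120 port 59317 ssh2
debug1: channel 1: new [X11 inet listener]
Connection closed by remote host.
"""

if __name__ == "__main__":
    for ev in parse_auth_events(SAMPLE_LOG):
        print(ev)
    for (user, host), s in summarize(parse_auth_events(SAMPLE_LOG)).items():
        print(user, host, s)
```

For the constructed sample this reports one real failure (the RSA key that was not in authorized_keys), one accepted login by the DSA key with fingerprint dc:6a:...:94:66, and no failure for the "none" probe. A fingerprint is attached only to the publickey decision that immediately follows its "Found matching ... key" line, which is why the sample repeats that line before the Accepted line exactly as the posted transcript does.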
From: tim at multitalents.net (Tim Rice)
Date: Thu, 18 Jul 2002 09:48:43 -0700 (PDT)
Subject: hard-coded MM_SWAP_TEMPLATE
In-Reply-To: <86r8i1knl5.wl@sea.ayamura.org>
Message-ID: 

On Fri, 19 Jul 2002, Ayamura KIKUCHI wrote:

> Hard-coded MM_SWAP_TEMPLATE defined as "/var/run/sshd.mm.XXXXXXXX"
> in openssh-SNAP-20020718/openbsd-compat/xmmap.c should not be used
> because "/var/run" directory does not exist on some platforms.

I thought about that. But I didn't think there were any platforms other than Linux 2.2 that would use that section of code.

What platform are you running where this code will be triggered? I.e. the system has mmap() but neither MAP_ANON nor /dev/zero work.

> 
> -- ayamura
> Ayamura KIKUCHI, M.D., Ph.D.
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> 

-- 
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From ayamura at ayamura.org Fri Jul 19 03:11:47 2002
From: ayamura at ayamura.org (Ayamura KIKUCHI)
Date: Fri, 19 Jul 2002 02:11:47 +0900
Subject: hard-coded MM_SWAP_TEMPLATE
In-Reply-To: 
References: <86r8i1knl5.wl@sea.ayamura.org>
Message-ID: <86ofd5klkc.wl@sea.ayamura.org>

> > Hard-coded MM_SWAP_TEMPLATE defined as "/var/run/sshd.mm.XXXXXXXX"
> > in openssh-SNAP-20020718/openbsd-compat/xmmap.c should not be used
> > because "/var/run" directory does not exist on some platforms.
> I thought about that. But I didn't think there were any platforms
> other than Linux 2.2 that would use that section of code.
> 
> What platform are you running where this code will be triggered?
> I.e. the system has mmap() but neither MAP_ANON nor /dev/zero work.

I understand you.

-- ayamura
Ayamura KIKUCHI, M.D., Ph.D.

From tim at multitalents.net Fri Jul 19 03:30:19 2002
From: tim at multitalents.net (Tim Rice)
Date: Thu, 18 Jul 2002 10:30:19 -0700 (PDT)
Subject: Patch: Solaris packages don't create privsep user or group
In-Reply-To: <3D368AEB.8235338C@zip.com.au>
Message-ID:

On Thu, 18 Jul 2002, Darren Tucker wrote:

> Tim Rice wrote:
> > I put a lot of work into being able to build/install a test package
> > without touching important files on what may be a production system.
>
> Is there any reason you don't use pkgadd -R for your testing instead?
> (Assuming it's available on all supported SysV platforms). It would

No, Seems to be Solaris only.

> allow you to simplify buildpkg and help ensure that Jumpstart installs
> continue to work. You could also test and deploy the same packages
> rather than rebuilding them.
>
> See attachment for example scaffolding, tested on Solaris 7 only.

Nice. Too bad UnixWare doesn't support -R. Could have saved some work.

I'm going to wrap groupadd/useradd around a test -z "${TEST_DIR}"

--
Tim Rice                Multitalents            (707) 887-1469
tim at multitalents.net

From bugzilla-daemon at mindrot.org Fri Jul 19 03:33:32 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 03:33:32 +1000 (EST)
Subject: [Bug 359] New: passwd -f not working with openssh
Message-ID: <20020718173332.6ED33EAC9@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=359

           Summary: passwd -f not working with openssh
           Product: Portable OpenSSH
           Version: -current
          Platform: Sparc
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: drruiz at hotmail.com

when I issue a passwd -f on one of the user accounts and then attempt to ssh
to the same server as that user, I cannot login with the original password or
any password for that matter. However, if I log out of the server completely
and login from the login screen I will be prompted for a new password after I
login. When I use telnet, it works just fine. I can ssh back to the server and
I am prompted for a new password after I login.

I am using openSSH 3.4p1 on Solaris 8.

Thanks for your help,

Danny
drruiz at hotmail.com

From linkonpower at hotmail.com Fri Jul 19 03:26:03 2002
From: linkonpower at hotmail.com (linkonpower at hotmail.com)
Date: Thu, 18 Jul 2002 12:26:03 -0500
Subject: Home Business
Message-ID: <418-22002741817263340@hppav>

WANT TO MAKE MONEY?
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

HOT BUSINESS OPPORTUNITY AVAILABLE FOR THOSE WHO QUALIFY...

1. MUST BE A UNITED STATES RESIDENT
2. MUST BE 21 YEARS OF AGE OR OVER.

YOU WILL SHARE IN DIALYSIS CENTERS OF AMERICA LATEST CASH INCOME STREAM.
EARN OVER 30% RETURN ON YOUR MONEY! INTEREST PAID ANNUALLY! COMPLETELY LEGAL.

TO FIND OUT ALL THE HOW'S AND WHY'S, REPLY TODAY WITH YOUR NAME, STATE AND
COMPLETE PHONE NUMBER. DETAILS WILL SOON FOLLOW!

This message is sent in compliance of the new email bill section 301. Per
Section 301, Paragraph (a) (2) (c) of S. 1618, further transmissions to you by
the sender of this email will be stopped at no cost to you. Screening of
addresses has been done to the best of our technical ability. We respect all
removal requests. To be removed, please reply to the email address specified
with the word "Remove" contained in the subject line
Removal Email: linkonpower at hotmail.com

From tim at multitalents.net Fri Jul 19 04:37:32 2002
From: tim at multitalents.net (Tim Rice)
Date: Thu, 18 Jul 2002 11:37:32 -0700 (PDT)
Subject: address = xmmap(size);
In-Reply-To: <86ptxlkmjg.wl@sea.ayamura.org>
Message-ID:

On Fri, 19 Jul 2002, Ayamura KIKUCHI wrote:

> monitor_mm.c, line = 94 in openssh-SNAP-20020718
>
> A value of type "int" cannot be assigned to an entity of type "void *".
>
>     address = xmmap(size);
>             ^

Oops, forgot to declare xmmap(). Thanks for catching that.
Should be in the next SNAP

>
> -- ayamura
> Ayamura KIKUCHI, M.D., Ph.D.
>

--
Tim Rice                Multitalents            (707) 887-1469
tim at multitalents.net

From bugzilla-daemon at mindrot.org Fri Jul 19 04:51:57 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 04:51:57 +1000 (EST)
Subject: [Bug 267] Build problems with 3.2.3p1 under Tru64 UNIX 4.0D
Message-ID: <20020718185157.CD8CAE994@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=267

tim at multitalents.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From tim at multitalents.net 2002-07-19 04:51 -------
I've committed a change that should fix this.
Please test the next SNAP. Reopen the bug if not fixed.

From bugzilla-daemon at mindrot.org Fri Jul 19 05:24:10 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 05:24:10 +1000 (EST)
Subject: [Bug 360] New: PrivilegeSeperation does not work with LDAP authentication through PAM
Message-ID: <20020718192410.E2364E957@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=360

           Summary: PrivilegeSeperation does not work with LDAP
                    authentication through PAM
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: gmsilver at uslinux.net

LDAP authentication via PAM is refused (and no logs are generated) when
UsePrivilegeSeparation is enabled. Disabling PrivilegeSeparation fixes this,
though sacrifices the benefits of PrivilegeSeparation. Normal unix
authentication through PAM is unaffected - only pam_ldap experiences this
problem.

Can be duplicated under Debian Linux, Woody release.

From bugzilla-daemon at mindrot.org Fri Jul 19 05:49:14 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 05:49:14 +1000 (EST)
Subject: [Bug 320] Cannot build 3.4p1
Message-ID: <20020718194914.6920DE994@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=320

------- Additional Comments From ddkilzer at theracingworld.com 2002-07-19 05:49 -------
The version of (g)cc being used by the reporter doesn't support the __func__
directive from the ISO C99 standard. See this web page for details:

http://gcc.gnu.org/onlinedocs/gcc/Function-Names.html

A similar bug for openssh-3.1p1-6 for Red Hat Linux has more information:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=67621

And here's the patch attached to that bug that corrects the problem for older
versions of gcc.

https://bugzilla.redhat.com/bugzilla/showattachment.cgi?attach_id=65825

NOTE: I haven't looked at the source for openssh-3.4p1 so there could be an
issue with checking for the availability of __func__ in the configure script
that could be the cause of this issue. The patch above fixed the issue for me
when building openssh-3.4p1-6 SRPM on Red Hat 6.2, though.

From bugzilla-daemon at mindrot.org Fri Jul 19 06:21:19 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 06:21:19 +1000 (EST)
Subject: [Bug 295] rpm specfile needs build prereqs for Kerberos
Message-ID: <20020718202119.87B01E977@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=295

------- Additional Comments From nalin at redhat.com 2002-07-19 06:21 -------
Looks correct to me. (Appears to already be fixed in CVS.)

From pekkas at netcore.fi Fri Jul 19 06:34:34 2002
From: pekkas at netcore.fi (Pekka Savola)
Date: Thu, 18 Jul 2002 23:34:34 +0300 (EEST)
Subject: Comments needed
In-Reply-To:
Message-ID:

On Thu, 18 Jul 2002, Miika Pekkarinen wrote:
> Hi, could somebody answer to my scp patch that I sent 2002-07-13?

Perhaps people don't feel a need to have a kitchen sink;

1) rate-limiting seems like an unnecessary feature (very few TCP
applications do this anyway)

2) resuming might be interesting, but for "serious" file transfers, using
e.g. rsync is preferred.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From bugzilla-daemon at mindrot.org Fri Jul 19 06:40:18 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 06:40:18 +1000 (EST)
Subject: [Bug 320] Cannot build 3.4p1
Message-ID: <20020718204018.4C2BEEAB8@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=320

------- Additional Comments From mouring at eviladmin.org 2002-07-19 06:40 -------
The logic we use is such:

configure checks if __FUNCTION__ exists
configure checks if __func__ exists

And in defines.h we do:

    #if !defined(HAVE___func__) && defined(HAVE___FUNCTION__)
    # define __func__ __FUNCTION__
    #elif !defined(HAVE___func__)
    # define __func__ ""
    #endif

So if there is no possible way of doing __func__ we just set it to nothing.
That way we still have code compatibility at the cost of readable debugging.

I hate the whole __func__ vs __FUNCTION__ crap. I really don't like the fact
we started depending on those.

So the issue has to be in how configure is doing its job.

From jnerad at cimedia.com Fri Jul 19 06:57:09 2002
From: jnerad at cimedia.com (Jack Nerad)
Date: Thu, 18 Jul 2002 16:57:09 -0400
Subject: Testing Call
References:
Message-ID: <3D372BA5.4010908@cimedia.com>

Ben Lindstrom wrote:

> Ok.. I'm starting official testing calls early this release. I'd like to
> have more feedback and more time for handling fixes.
>

Compilation warnings

gcc -v
Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-98)

after ./configure

gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/ssl/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c cipher.c
cipher.c:65: warning: initialization from incompatible pointer type
cipher.c:66: warning: initialization from incompatible pointer type
cipher.c:70: warning: initialization from incompatible pointer type
cipher.c:71: warning: initialization from incompatible pointer type
cipher.c:72: warning: initialization from incompatible pointer type
cipher.c:73: warning: initialization from incompatible pointer type
cipher.c: In function `cipher_get_keycontext':
cipher.c:706: warning: comparison of distinct pointer types lacks a cast
cipher.c: In function `cipher_set_keycontext':
cipher.c:721: warning: comparison of distinct pointer types lacks a cast

gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/ssl/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c mac.c
mac.c:42: warning: initialization from incompatible pointer type
mac.c:43: warning: initialization from incompatible pointer type
mac.c:44: warning: initialization from incompatible pointer type
mac.c:45: warning: initialization from incompatible pointer type
mac.c:46: warning: initialization from incompatible pointer type
mac.c:47: warning: initialization from incompatible pointer type

gcc -g -O2 -Wall -Wpointer-arith -Wno-uninitialized -I. -I. -I/usr/local/ssl/include -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c monitor_mm.c
monitor_mm.c: In function `mm_create':
monitor_mm.c:94: warning: implicit declaration of function `xmmap'
monitor_mm.c:94: warning: assignment makes pointer from integer without a cast

From Leakin at dfw.Nostrum.com Fri Jul 19 07:03:23 2002
From: Leakin at dfw.Nostrum.com (Lee Eakin)
Date: Thu, 18 Jul 2002 16:03:23 -0500
Subject: Comments needed
In-Reply-To:
References:
Message-ID: <20020718210323.GD28312@japh.itg.ti.com>

FYI, rsync will give you bandwidth limiting as well (--bwlimit).

---begin quoted text---
> From: Pekka Savola
> To: Miika Pekkarinen
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: Comments needed
>
> On Thu, 18 Jul 2002, Miika Pekkarinen wrote:
> > Hi, could somebody answer to my scp patch that I sent 2002-07-13?
>
> Perhaps people don't feel a need to have a kitchen sink;
>
> 1) rate-limiting seems like an unnecessary feature (very few TCP
> applications do this anyway)
>
> 2) resuming might be interesting, but for "serious" file transfers, using
> e.g. rsync is preferred.
>
> --
> Pekka Savola                 "Tell me of difficulties surmounted,
> Netcore Oy                    not those you stumble over and fall"
> Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
>
---end quoted text---

--
Lee Eakin - leakin at dfw.nostrum.com
Blessed are the young, for they shall inherit the national debt.
                                                   Herbert Hoover

From bugzilla-daemon at mindrot.org Fri Jul 19 10:06:56 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 10:06:56 +1000 (EST)
Subject: [Bug 312] canhost.h needs to be included
Message-ID: <20020719000656.EFE90E97E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=312

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From stevesk at pobox.com 2002-07-19 10:06 -------
i see. they were re/moved about 2 weeks ago.

From bugzilla-daemon at mindrot.org Fri Jul 19 10:06:57 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 10:06:57 +1000 (EST)
Subject: [Bug 361] New: PRNGD not yet seeded & SSH banner stills show previous banner
Message-ID: <20020719000657.F161AEAAD@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=361

           Summary: PRNGD not yet seeded & SSH banner stills show previous
                    banner
           Product: Portable OpenSSH
           Version: -current
          Platform: Sparc
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P3
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: lisa.m.mcclain at saic.com

1. I have successfully added the most current packages such as PRNG, ZLIB,
Openssl and Openssh3.4p1 on SPARC Solaris 7 with no problem. However I've
been having problems on the Intel/Sparc Solaris 8 platforms.

Packages installed: openssh-3.4p1, openssl-0.9.6d, zlib-1.14 and prngd.0.9.25

When generating keys with any of the lines below, I would receive an error:
PRNG not seeded. It appears there's a missing link or path.

    ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""

First I've seeded it with the following command:

    /usr/local/sbin/prngd /var/spool/prngd/pool

Then tried running the ssh-keygen with no luck. /usr/local/sbin and
/usr/local/bin are in its path and sourced, in addition to rebooting the
systems.

I've also unpackaged PRNG and everything associated with it and added the
Sunsolve Patch 112438-01; however after installing it, it appears the patch
conflicted with an IDS software. Once uninstalled, the software was able to
run.

Do I need to build it versus adding the package?

2. After adding Openssh3.4p1 onto Solaris 7 Sparc platform, wanted to see if
the system updated by running ssh -V. The output was correct, however if I
telnet to port 22, it shows the previous version of ssh. Why? How can I fix
this?
From mouring at etoh.eviladmin.org Fri Jul 19 14:53:38 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Thu, 18 Jul 2002 23:53:38 -0500 (CDT)
Subject: openssh 3.4 solaris pkg & privsep error
In-Reply-To: <11cb310ba7.10ba711cb3@sorint.it>
Message-ID:

Check out the latest snapshot. and I really suggest you not run any sshd
from inetd.

- Ben

On Thu, 18 Jul 2002, massimiliano gregis wrote:

> Hello,
>
> this is MAx Gregis from Italy.
> I send you this e.mail about privsep error with OSSH 3.4 on Solaris 2.6
> and Solaris 7.
>
> Usually i find the error of compression disabled if i use SSHD with
> inetd daemon.
>
> But if i put this entry:
>
> sshd:23:respawn:/usr/local/sbin/sshd -D > /dev/null 2>&1
>
> in /etc/inittab ( and after a good "init q" for reading new inittab)
>
> In this mode i don't find that error and useprivilegeseparation and
> compression run.
>
> Probably the problem is INETD daemon that doesn't use MMAP in the right
> mode ( probably, but i'm not sure about this )
>
> Please let me know the news.
> Max
>

From bugzilla-daemon at mindrot.org Fri Jul 19 15:22:25 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 15:22:25 +1000 (EST)
Subject: [Bug 362] New: Loss of change password functionality
Message-ID: <20020719052225.85984E992@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=362

           Summary: Loss of change password functionality
           Product: Portable OpenSSH
           Version: -current
          Platform: UltraSparc
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: dirk.bockmann at customs.gov.au

Because of the reported root compromise vulnerability we have upgraded our
Solaris servers to the latest current version of ssh. It all works fine
thanks, except the PAM interface with Solaris. The impact is that users can
no longer be notified that their password needs to be changed. Instead they
are locked out.

I raised this issue with Sun who are responsible for the PAM which appears
to be the main offender. Their response is shown below:

Sent: Friday, 12 July 2002 17:13
To: dirk.bockmann at customs.gov.au
Subject: 10243779 - Openssh

Dirk,

Previous versions of OpenSSH worked correctly with the Solaris PAM module up
until privsep was added by OpenSSH to overcome a security vulnerability
issue. The privsep architecture which has been designed is not compatible
with PAM, and is outside the scope of how PAM is normally used. ie: It breaks
the PAM standard.

An alternative is to upgrade to Solaris 9 which ships with SunSSH (a product
based on OpenSSH which does not have privsep and by default is not vulnerable
to the security exploit which privsep resolves).

Also, for your reference if there is any feature in OpenSSH 3.3 or newer
which does not exist in SunSSH you can log a request for enhancement for the
new feature to be included in future releases.

Let me know if you require any further information/assistance.

Regards,
Nicholas

Any ideas on where we can progress from here please?
We are far from being in a position to upgrade to Solaris 2.9; many of our
machines are still on 2.5.1 because that is what the applications require.

Would appreciate your advice.

Thanks,
Dirk

From bugzilla-daemon at mindrot.org Fri Jul 19 15:48:28 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 15:48:28 +1000 (EST)
Subject: [Bug 363] New: No logging of SSH activities under Solaris BSM
Message-ID: <20020719054828.8EE5EE94E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=363

           Summary: No logging of SSH activities under Solaris BSM
           Product: Portable OpenSSH
           Version: -current
          Platform: UltraSparc
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: dirk.bockmann at customs.gov.au

Hi,

We have been requested to move to comprehensive logging using Solaris BSM.
Our testing shows that transactions via the ssh interface are not logged.
Sun have explained this by the following response. We are interested in the
comment that Sun has provided Openssh with code to enable BSM logging and if
there is any intention to proceed with this please?

:------
Prior to the release of the Sun version of OpenSSH with Solaris 9, I don't
believe that there exists a version of SSH which is BSM enabled. I.e, an
application or service has to have BSM specific code in it to register itself
with the audit daemon.

The SSH with Solaris 9 is not supported on previous versions of Solaris. I
don't know if that means that it won't work....

SSH does log its activity via syslogd, so you might find what you are looking
for in /var/log/syslog (or wherever you're pointing syslogd to).

Sun has given the BSM code for SSH back to OpenSSH. I don't know whether this
means that anyone has done a generic version for Solaris that does include
BSM capabilities that will run on 2.5.1 etc.

From bugzilla-daemon at mindrot.org Fri Jul 19 17:37:25 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 17:37:25 +1000 (EST)
Subject: [Bug 361] PRNGD not yet seeded & SSH banner stills show previous banner
Message-ID: <20020719073725.2B586E94E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=361

------- Additional Comments From Lutz.Jaenicke at aet.TU-Cottbus.DE 2002-07-19 17:37 -------
OpenSSH's "configure" command will only pick up a new installation of PRNGD,
when it is running during the call to configure. Thus make sure to
* install prngd first and check its proper operation.
* then run OpenSSH's configure command and check the output at the end: it
  should show the correct entropy source.
* then compile and install OpenSSL

Finally make sure to stop the daemon listening on port 22 and start the new
one, otherwise it will not become active until reboot

From gert at greenie.muc.de Fri Jul 19 18:42:15 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 19 Jul 2002 10:42:15 +0200
Subject: Testing Call
In-Reply-To: ; from mouring@etoh.eviladmin.org on Wed, Jul 17, 2002 at 03:04:07PM -0500
References:
Message-ID: <20020719104214.C22465@greenie.muc.de>

Hi,

On Wed, Jul 17, 2002 at 03:04:07PM -0500, Ben Lindstrom wrote:
> Ok.. I'm starting official testing calls early this release. I'd like to
> have more feedback and more time for handling fixes.

from current CVS (Jul 19):

OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /etc
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /bin:/usr/bin:/usr/local/bin:/usr/local/games/bin
                    Manpage format: man
                       PAM support: no
                KerberosIV support: no
                 KerberosV support: no
                 Smartcard support: no
                       AFS support: no
                     S/KEY support: yes
              TCP Wrappers support: no
              MD5 password support: no
       IP address in $DISPLAY hack: no
          Use IPv4 by default hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: ssh-rand-helper
     ssh-rand-helper collects from: TCP localhost:3300

              Host: i586-pc-sco3.2v4.2
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags: -I/usr/local/ssl/include -Dftruncate=chsize -I/usr/local/include
      Linker flags: -L/usr/local/ssl/lib -L/usr/local/lib
         Libraries: -lskey -lintl -lz -lrpc -lyp -lrpc -lsocket -los -lprot -lx -ltinfo -lm -lcrypto

compilation completes without errors, basic testing of ssh, sshd, sftp
doesn't exhibit any surprises.

UsePrivilegeSeparation still doesn't work (due to no socketpair()), but
that's nothing unexpected.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert.doering at physik.tu-muenchen.de

From markus at openbsd.org Fri Jul 19 18:59:12 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 19 Jul 2002 10:59:12 +0200
Subject: Comments needed
In-Reply-To:
References:
Message-ID: <20020719085912.GB23161@folly>

On Thu, Jul 18, 2002 at 04:35:45PM +0300, Miika Pekkarinen wrote:
> Hi, could somebody answer to my scp patch that I sent 2002-07-13?

resume requires the modification of the RCP protocol, not something
i'd like to do. we should rather hack SFTP protocol support into scp.

-m

From sidd_ait at rediffmail.com Fri Jul 19 21:47:56 2002
From: sidd_ait at rediffmail.com (siddharth sharma rajput)
Date: 19 Jul 2002 11:47:56 -0000
Subject: info for code
Message-ID: <20020719114756.12752.qmail@webmail14.rediffmail.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020719/575207a9/attachment.ksh

From markus at openbsd.org Fri Jul 19 22:05:13 2002
From: markus at openbsd.org (Markus Friedl)
Date: Fri, 19 Jul 2002 14:05:13 +0200
Subject: info for code
In-Reply-To: <20020719114756.12752.qmail@webmail14.rediffmail.com>
References: <20020719114756.12752.qmail@webmail14.rediffmail.com>
Message-ID: <20020719120513.GA25239@faui02>

www.openssh.com

From bugzilla-daemon at mindrot.org Fri Jul 19 22:30:26 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 22:30:26 +1000 (EST)
Subject: [Bug 364] New: resolution for bug 302 doesn't appear to work
Message-ID: <20020719123026.E87A9EAD8@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=364

           Summary: resolution for bug 302 doesn't appear to work
           Product: Portable OpenSSH
           Version: -current
          Platform: Sparc
        OS/Version: Solaris
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: mkoopman at csc.com

I have been trying to resolve issues shown by bug 302 as I'm getting error

    id sshd || \
    echo "WARNING: Privilege separation user \"sshd\" does not exist"

when running a make install. The bug fix advises to change id sshd to id
sshd - t in makefile.in however I only have id $(SSH_PRIVSEP_USER) in my
makefile.in. When I substitute sshd -t for the variable I still get the
same error.

Your help would be much appreciated.

From bugzilla-daemon at mindrot.org Fri Jul 19 23:01:00 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 23:01:00 +1000 (EST)
Subject: [Bug 365] New: .ssh/environment not read when home = /
Message-ID: <20020719130100.9CC7FEAE5@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=365

           Summary: .ssh/environment not read when home = /
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Cygwin on NT/2k
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: bradshaw at staff.crosswalk.com

Under the cygwin environment, when the user sets their home directory to root
the .ssh/environment file isn't read in properly. This is similar to past
pathing problems in OpenSSH where the path that is assembled to find the file
begins with two slashes, instead of one. Under Cygwin this indicates a
network share, not the root of the file system.

The attached patch merely checks to see if home = / and, if so, doesn't use it
when assembling the path to .ssh/environment.

From bugzilla-daemon at mindrot.org Fri Jul 19 23:01:58 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Fri, 19 Jul 2002 23:01:58 +1000 (EST)
Subject: [Bug 365] .ssh/environment not read when home = /
Message-ID: <20020719130158.7768FEAE5@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=365

------- Additional Comments From bradshaw at staff.crosswalk.com 2002-07-19 23:01 -------
Created an attachment (id=133)
Correct .ssh/environment path under cygwin

From Margaret_Doll at Brown.edu Fri Jul 19 23:24:52 2002
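The double slash that bug 365 above describes comes from joining the home directory and ".ssh/environment" with an unconditional "/" between them. The C code below is an added example for this page and not the attachment on the bug: it shows the naive join next to one that adds no separator when the home already ends in "/" (so a home of "/" yields "/.ssh/environment"), plus a check a caller can use to refuse any result that starts with "//", which the report says Cygwin reads as a network share. The function names and the static-buffer wrapper are assumptions made for the example.

```c
/* Added example, not OpenSSH's code and not the patch attached to bug 365. */
#include <stdio.h>
#include <string.h>

#define SSH_ENV_FILE ".ssh/environment"	/* file name from the bug report */

/* The naive join: with home == "/" this yields "//.ssh/environment", the
 * "//" prefix that Cygwin treats as a UNC network share rather than a path
 * under the root directory. Returns 0 on success, -1 if buf is too small. */
int
join_home_naive(const char *home, const char *rel, char *buf, size_t size)
{
	int n = snprintf(buf, size, "%s/%s", home, rel);

	return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* The careful join: add a separator only when home does not already end
 * with one, and drop any leading slashes from rel so the two never double
 * up. Returns 0 on success, -1 on empty input or truncation. */
int
join_home_path(const char *home, const char *rel, char *buf, size_t size)
{
	size_t hlen;
	int n;

	if (home == NULL || rel == NULL || home[0] == '\0')
		return -1;
	while (*rel == '/')
		rel++;
	if (*rel == '\0')
		return -1;
	hlen = strlen(home);
	if (home[hlen - 1] == '/')
		n = snprintf(buf, size, "%s%s", home, rel);
	else
		n = snprintf(buf, size, "%s/%s", home, rel);
	return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* True if the path starts with "//", the prefix Cygwin treats as a network
 * share. A caller that must never touch a share can refuse such a result. */
int
is_unc_like(const char *path)
{
	return path != NULL && path[0] == '/' && path[1] == '/';
}

/* Convenience wrapper (hypothetical name): the environment-file path for a
 * home directory, or NULL if it cannot be built safely. Uses a static
 * buffer, so it is not reentrant; acceptable for a demonstration. */
const char *
env_file_for_home(const char *home)
{
	static char buf[4096];

	if (join_home_path(home, SSH_ENV_FILE, buf, sizeof(buf)) == -1)
		return NULL;
	if (is_unc_like(buf))
		return NULL;
	return buf;
}

int
main(void)
{
	/* constructed sample home directories, including the bug's "/" case */
	static const char *homes[] = { "/", "/home/alice", "/home/alice/", "//server/share" };
	char naive[4096];
	size_t i;

	for (i = 0; i < sizeof(homes) / sizeof(homes[0]); i++) {
		const char *safe = env_file_for_home(homes[i]);

		join_home_naive(homes[i], SSH_ENV_FILE, naive, sizeof(naive));
		printf("home=%-15s naive=%-32s safe=%s\n", homes[i], naive,
		    safe ? safe : "(refused)");
	}
	return 0;
}
```

The "//server/share" case is included to show why the check belongs after the join rather than only on the home string: a home that is itself a share produces a share path even though the join added nothing wrong.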
From: Margaret_Doll at Brown.edu (Margaret Doll)
Date: Fri, 19 Jul 2002 09:24:52 -0400
Subject: [Bug 364] on ssh 3.4 - Privilege separation user /"sshd." does not exist
Message-ID:

Dear ssh group,

I am having the same problem as reported by mkoopman at cac.com on July
19th on various SUN platforms which I manage.

I would appreciate notification of when the bug is fixed or any
work-around. Until then I am running 3.4 without the
"UsePrivilegeSeparation".

Thanks for any help.

From kencutshall at hotmail.com Sat Jul 20 00:08:01 2002
From: kencutshall at hotmail.com (Ken Cutshall)
Date: Fri, 19 Jul 2002 10:08:01 -0400
Subject: Pledge of Allegiance. Please forward
Message-ID: <200207191411.g6JEBCH65729@postoffice.telstra.net>

An HTML attachment was scrubbed...
URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020719/c3f9c0d6/attachment.html

From tomoyuki at pobox.com Sat Jul 20 00:31:49 2002
From: tomoyuki at pobox.com (Tomoyuki Murakami)
Date: Fri, 19 Jul 2002 23:31:49 +0900 (JST)
Subject: [Patch] SSH through HTTP proxy using CONNECT
In-Reply-To: <3D3605A9.911483B0@zip.com.au>
References: <3D35FB48.1D126F1@packetdesign.com> <3D3605A9.911483B0@zip.com.au>
Message-ID: <20020719.233149.74744944.tomoyuki@pobox.com>

>>> On Thu, 18 Jul 2002 10:02:49 +1000,
>>> Darren Tucker wrote:

dtucker> You can do this without modifying the code by using the appropriate
dtucker> ProxyCommand, eg:
dtucker>
dtucker> http://www.taiyo.co.jp/~gotoh/ssh/connect.html

I saw the same reply in this list more than once. heh.

Actually, I am using the 'connect' command and feel it absolutely useful
in this kind of situation. So, how about making those helper tools to go
shipping with openssh's source as "contrib/" or something ?

--- Tomo.

From hlehmann at fh-lausitz.de Sat Jul 20 01:38:28 2002
From: hlehmann at fh-lausitz.de (Heiko Lehmann)
Date: Fri, 19 Jul 2002 17:38:28 +0200 (CEST)
Subject: Prob: openssh askpass DISPLAY Permission denied
Message-ID:

Hello!

I did upgrade openssh to version OpenSSH_3.4p1. But now I can't enter my
password. It seems to be because of the combination of askpass and the
DISPLAY variable.

?? What must I do to get the same functionality as with version 2.9
(without X11-ssh-askpass) ??

regards
heiko

---------------------------
- Test without ssh-askpass

lukas # ~ $ echo $DISPLAY
ksh: DISPLAY: unbound variable
lukas # ~ $ ssh -x -l admin 217.85.101.12
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).

lukas # ~ $ export DISPLAY=WORKSTATION:0
lukas # ~ $ ssh -x -l admin 217.85.101.12
ssh_askpass: exec(/usr/local/libexec/ssh-askpass): No such file or directory

----------------------------
- Test with ssh-askpass

## cp veryoldcommercialssh-2.4/ssh-askpass /usr/local/libexec

lukas # ~ $ ssh -x -l admin 217.85.101.12
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password).

lukas # ~ $ echo $DISPLAY
ksh: DISPLAY: unbound variable
lukas # ~ $ export DISPLAY=WORKSTATION:0
lukas # ~ $ ssh -x -l admin 217.85.101.12
## open window to enter password
---------------------------

From bugzilla-daemon at mindrot.org Sat Jul 20 03:21:22 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 20 Jul 2002 03:21:22 +1000 (EST)
Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1
Message-ID: <20020719172122.CFA00EAFC@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=338

jrj at purdue.edu changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED

------- Additional Comments From jrj at purdue.edu 2002-07-20 03:21 -------
I've verified the suggested patch in the 07/17/02 attachment takes care of the problem.

John R. Jackson, Technical Software Specialist, jrj at purdue.edu

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From jrj at gandalf.cc.purdue.edu Sat Jul 20 03:22:22 2002
From: jrj at gandalf.cc.purdue.edu (John R. Jackson)
Date: Fri, 19 Jul 2002 12:22:22 -0500
Subject: [Bug 338] X11 forwarding no longer works after upgrading from 2.9.9p2 to 3.4p1
In-Reply-To: Your message of "Wed, 17 Jul 2002 19:24:30 MST."
Message-ID: <200207191722.g6JHMNPq024879@gandalf.cc.purdue.edu>

>I've committed a variation of your patch to configure.ac
>Please test and close the bug

Done. Thanks for your help (and tolerance :-) with this.

>Tim Rice

John R. Jackson, Technical Software Specialist, jrj at purdue.edu

From bugzilla-daemon at mindrot.org Sat Jul 20 03:29:14 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 20 Jul 2002 03:29:14 +1000 (EST)
Subject: [Bug 364] resolution for bug 302 doesn't appear to work
Message-ID: <20020719172914.81634EB05@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=364

mouring at eviladmin.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID

------- Additional Comments From mouring at eviladmin.org 2002-07-20 03:29 -------
Ignore it or use -cvs.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From kupiec at ias.edu Sat Jul 20 03:29:17 2002
From: kupiec at ias.edu (Bob Kupiec)
Date: Fri, 19 Jul 2002 13:29:17 -0400
Subject: Update to SecurID ACE patches
Message-ID: <20020719172917.GA14184@potassium.net.ias.edu>

Hello,

I've redone Theo Schlossnagle's SecurID patches for openssh to support the ACE 5.0 API. The new API takes advantage of two-step authentication and multithreaded support. If anyone is interested, please let me know. I've tried contacting Theo for him to incorporate it, but haven't received any response yet.

Note that Theo's patch includes an "AllowNonSecurID" sshd_config option which allows people with normal shells to bypass SecurID and use password authentication. However, his patch is still broken when using ssh2 and privilege separation. I haven't been able to fix that part. :(

--
Bob Kupiec, Security/Network Administrator   Email: kupiec at ias.edu
Institute for Advanced Study                 Phone: 609-734-8179
Einstein Drive (B014)                        Fax: 609-951-4418
Princeton, NJ 08540-4907

From bugzilla-daemon at mindrot.org Sat Jul 20 03:36:27 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 20 Jul 2002 03:36:27 +1000 (EST)
Subject: [Bug 275] openssh 3.2.3p1 make fails
Message-ID: <20020719173627.E4B45EB0E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=275

mouring at eviladmin.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED

------- Additional Comments From mouring at eviladmin.org 2002-07-20 03:36 -------
This should be fixed in CVS. Headers were not being correctly included. Retest with a snapshot or the CVS tree and reopen if the issue persists.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Jul 20 03:45:46 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 20 Jul 2002 03:45:46 +1000 (EST)
Subject: [Bug 359] passwd -f not working with openssh
Message-ID: <20020719174546.47D08EB0F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=359

mouring at eviladmin.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |DUPLICATE

------- Additional Comments From mouring at eviladmin.org 2002-07-20 03:45 -------
*** This bug has been marked as a duplicate of 362 ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Jul 20 03:45:58 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 20 Jul 2002 03:45:58 +1000 (EST)
Subject: [Bug 362] Loss of change password functionality
Message-ID: <20020719174558.E59CAEB16@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=362

mouring at eviladmin.org changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |drruiz at hotmail.com

------- Additional Comments From mouring at eviladmin.org 2002-07-20 03:45 -------
*** Bug 359 has been marked as a duplicate of this bug. ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Jul 20 03:58:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 20 Jul 2002 03:58:51 +1000 (EST)
Subject: [Bug 363] No logging of SSH activities under Solaris BSM
Message-ID: <20020719175851.18215EB1A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=363

mouring at eviladmin.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |DUPLICATE

------- Additional Comments From mouring at eviladmin.org 2002-07-20 03:58 -------
*** This bug has been marked as a duplicate of 125 ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Jul 20 03:59:22 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 20 Jul 2002 03:59:22 +1000 (EST)
Subject: [Bug 125] with BSM auditing, cron editing thru ssh session causes cron jobs to fail
Message-ID: <20020719175922.8D1D5EAD8@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=125

mouring at eviladmin.org changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |dirk.bockmann at customs.gov.au

------- Additional Comments From mouring at eviladmin.org 2002-07-20 03:58 -------
*** Bug 363 has been marked as a duplicate of this bug. ***

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Jul 20 04:05:48 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 20 Jul 2002 04:05:48 +1000 (EST)
Subject: [Bug 125] with BSM auditing, cron editing thru ssh session causes cron jobs to fail
Message-ID: <20020719180548.CC349EB20@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=125

------- Additional Comments From mouring at eviladmin.org 2002-07-20 04:05 -------
One does not just override the sshd_config. Fail hard if Privsep and BSM are used together.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sat Jul 20 04:14:25 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sat, 20 Jul 2002 04:14:25 +1000 (EST)
Subject: [Bug 181] Undocumented mget and mput in sftp
Message-ID: <20020719181425.B456AEB22@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=181

mouring at eviladmin.org changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WONTFIX

------- Additional Comments From mouring at eviladmin.org 2002-07-20 04:14 -------
mget/mput will stay undocumented.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From kevin at kevindegraaf.net Sat Jul 20 04:59:01 2002
From: kevin at kevindegraaf.net (Kevin DeGraaf)
Date: Fri, 19 Jul 2002 14:59:01 -0400
Subject: OpenSSH 3.4p1 hostbased auth - howto?
Message-ID: <200207191459.01150.kevin@kevindegraaf.net>

How do you enable hostbased authentication in OpenSSH?

I have two Red Hat 7.3 machines running openssh-3.4p1, and I would like to be able to ssh from either of the machines to the other, as any user, without using passwords or per-user keys.

My /etc/ssh/sshd_config contains:

[...]
IgnoreRhosts no
HostbasedAuthentication yes
[...]

My /etc/ssh/ssh_config contains:

[...]
HostbasedAuthentication yes
[...]

I created the known hosts file like so:

box1# cd /etc/ssh
box1# cp ssh_host_dsa_key.pub ssh_known_hosts2

I replicated the config directory:

box2# rm -rf /etc/ssh
box2# mkdir /etc/ssh
box2# chown 0755 /etc/ssh
box2# rcp box1:/etc/ssh/* /etc/ssh

I restarted the daemons:

box1# /sbin/service sshd restart
box2# /sbin/service sshd restart

Here's the client debugging output:

[...]
debug1: authentications that can continue: publickey,password,hostbased
debug1: next auth method to try is hostbased
debug1: Remote: Accepted by .rhosts.
debug1: Remote: Accepted host ohm-master1 ip 192.168.1.1 client_user root server_user root
debug1: authentications that can continue: publickey,password,hostbased
debug1: Remote: Accepted by .rhosts.
debug1: Remote: Accepted host ohm-master1 ip 192.168.1.1 client_user root server_user root
debug1: authentications that can continue: publickey,password,hostbased
debug1: userauth_hostbased: no more client hostkeys
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/identity
debug1: try privkey: /root/.ssh/id_rsa
debug1: try privkey: /root/.ssh/id_dsa
debug1: next auth method to try is password
root at m2's password:

What did I miss?

--
Kevin DeGraaf

From tim at multitalents.net Sat Jul 20 05:29:11 2002
From: tim at multitalents.net (Tim Rice)
Date: Fri, 19 Jul 2002 12:29:11 -0700 (PDT)
Subject: OpenSSH 3.4p1 hostbased auth - howto?
In-Reply-To: <200207191459.01150.kevin@kevindegraaf.net>
Message-ID:

On Fri, 19 Jul 2002, Kevin DeGraaf wrote:

> How do you enable hostbased authentication in OpenSSH?
>
> I have two Red Hat 7.3 machines running openssh-3.4p1, and I would like to
> be able to ssh from either of the machines to the other, as any user,
> without using passwords or per-user keys.
>
> My /etc/ssh/sshd_config contains:
> [...]
> IgnoreRhosts no
> HostbasedAuthentication yes
> [...]
>
> My /etc/ssh/ssh_config contains:
> [...]

Host *
HostbasedAuthentication yes

or

Host box1
HostName box1.kevindegraaf.net
HostbasedAuthentication yes
Host box2
HostName box2.kevindegraaf.net
HostbasedAuthentication yes

> HostbasedAuthentication yes
> [...]
>
> I created the known hosts file like so:
> box1# cd /etc/ssh
> box1# cp ssh_host_dsa_key.pub ssh_known_hosts2

Use ssh_known_hosts
You will have to edit ssh_known_hosts
It will look like
box1,box1.kevindegraaf.net,192.168.99.1 ssh-dss _box1's_key_here
box2,box2.kevindegraaf.net,192.168.99.2 ssh-dss _box2's_key_here

Now the shosts.equiv file (does not need to be world readable)
box1.kevindegraaf.net
box2.kevindegraaf.net

>
> I replicated the config directory:
>
> box2# rm -rf /etc/ssh
> box2# mkdir /etc/ssh
> box2# chown 0755 /etc/ssh
> box2# rcp box1:/etc/ssh/* /etc/ssh

Not quite what you wanted to do.
To fix box2, remove the keys and generate new keys.
Each machine must have different keys.

Now put the public key from all your machines in ssh_known_hosts and distribute ssh_known_hosts and shosts.equiv to each machine.

--
Tim Rice Multitalents (707) 887-1469 tim at multitalents.net

From tim at multitalents.net Sat Jul 20 05:41:56 2002
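The setup Tim describes above (ssh_known_hosts with host names in front of each key, shosts.equiv listing the trusted hosts, a distinct host key per machine) can be checked mechanically before sshd is restarted. The following is an added example, not code from this thread or from OpenSSH; it assumes the thread's hostnames and uses constructed placeholder strings in place of real key material.

```python
"""Consistency check for the hostbased-authentication files in the thread.

Added example, not code from the original thread or from OpenSSH.  It parses
the two system-wide files Tim Rice describes, /etc/ssh/ssh_known_hosts
("names,addresses keytype base64key") and /etc/ssh/shosts.equiv (one trusted
hostname per line), and reports the two mistakes in Kevin's setup: a bare
.pub file copied in as the known-hosts file (no host names in front of the
key), and two machines presenting the same host key after box1's /etc/ssh
was rcp'd onto box2.  Key strings below are constructed placeholders.
"""
from dataclasses import dataclass

KEY_TYPES = ("ssh-dss", "ssh-rsa")  # protocol-2 host key types of the era


@dataclass
class KnownHost:
    names: list      # host names / addresses, split on ","
    key_type: str
    key: str         # base64 blob (trailing comment, if any, dropped)


def parse_known_hosts(text):
    """Parse ssh_known_hosts lines; raise on lines sshd itself would reject."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)  # names, keytype, key[, comment]
        if len(parts) < 3:
            raise ValueError("malformed ssh_known_hosts line: %r" % raw)
        entries.append(KnownHost(parts[0].split(","), parts[1], parts[2]))
    return entries


def parse_shosts_equiv(text):
    """Return the hostnames listed in shosts.equiv (first field of each line)."""
    return [line.split()[0] for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def check_hostbased(known_hosts_text, shosts_equiv_text):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []
    entries = parse_known_hosts(known_hosts_text)

    # Mistake 1: "cp ssh_host_dsa_key.pub ssh_known_hosts" yields lines whose
    # first field is the key type, so sshd can never match a client hostname.
    for e in entries:
        if e.names[0] in KEY_TYPES:
            problems.append("ssh_known_hosts: line starts with %s; a .pub file "
                            "was copied without host names in front" % e.names[0])

    # Every host trusted by shosts.equiv must have a key sshd can look up.
    known_names = {n for e in entries for n in e.names}
    for host in parse_shosts_equiv(shosts_equiv_text):
        if host.startswith(("+", "-")):
            problems.append("shosts.equiv: netgroup/negation entry %r not checked" % host)
        elif host not in known_names:
            problems.append("shosts.equiv: %s has no ssh_known_hosts entry" % host)

    # Mistake 2: cloning /etc/ssh leaves both machines with box1's key.
    owners = {}
    for e in entries:
        owners.setdefault((e.key_type, e.key), []).append(e.names[0])
    for (key_type, _), hosts in sorted(owners.items()):
        if len(hosts) > 1:
            problems.append("ssh_known_hosts: %s key shared by %s; each machine "
                            "needs its own host key" % (key_type, ", ".join(hosts)))
    return problems


# Constructed sample files using the thread's hostnames.
SHOSTS_EQUIV = "box1.kevindegraaf.net\nbox2.kevindegraaf.net\n"

GOOD_KNOWN_HOSTS = (
    "box1,box1.kevindegraaf.net,192.168.99.1 ssh-dss PLACEHOLDER_KEY_BOX1\n"
    "box2,box2.kevindegraaf.net,192.168.99.2 ssh-dss PLACEHOLDER_KEY_BOX2\n"
)
# What "rcp box1:/etc/ssh/* /etc/ssh" on box2 leads to once both hosts are listed.
CLONED_KNOWN_HOSTS = (
    "box1,box1.kevindegraaf.net,192.168.99.1 ssh-dss PLACEHOLDER_KEY_BOX1\n"
    "box2,box2.kevindegraaf.net,192.168.99.2 ssh-dss PLACEHOLDER_KEY_BOX1\n"
)
# What "cp ssh_host_dsa_key.pub ssh_known_hosts2" produces: no host names.
RAW_PUB_KNOWN_HOSTS = "ssh-dss PLACEHOLDER_KEY_BOX1 root@box1\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD_KNOWN_HOSTS),
                        ("cloned keys", CLONED_KNOWN_HOSTS),
                        ("raw .pub", RAW_PUB_KNOWN_HOSTS)):
        probs = check_hostbased(text, SHOSTS_EQUIV)
        print("%s: %s" % (label, "ok" if not probs else ""))
        for p in probs:
            print("  " + p)
```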
From: tim at multitalents.net (Tim Rice)
Date: Fri, 19 Jul 2002 12:41:56 -0700 (PDT)
Subject: [SOLVED] Re: Building 3.4p1 on HP-UX 11.00, gcc, zlib 1.1.4, OpenSSL0.9.6d
In-Reply-To: <3D355541.A20F91@zip.com.au>
Message-ID:

I've committed the patch. Thanks.

On Wed, 17 Jul 2002, Darren Tucker wrote:

> "C. Bensend" wrote:
> > ps: Could this be categorized as an obscure bug in the configure
> > process? Shouldn't configure have bombed on -static being used
> > when static libraries weren't available, instead of complaining
> > about something else (zlib)? Not being argumentative or complaining
> > or anything, it just would have been a lot quicker to track this
> > down if I had seen a "configure: libxnet.a not found" or something
> > similar.
>
> I'm not very familiar with autoconf but how about the attached patch
> (tested on HP-UX 11.00)?
>
> $ LDFLAGS=-static ./configure
> [snip]
> checking for t_error in -lxnet... no
> configure: error: *** -lxnet needed on HP-UX - check config.log ***
>
> $ ./configure
> [snip]
> Libraries: -lz -lnsl -lxnet -lsec -lcrypto
>

--
Tim Rice Multitalents (707) 887-1469 tim at multitalents.net

From openssh-unix-dev at progressive-comp.com Sat Jul 20 06:31:44 2002
From: openssh-unix-dev at progressive-comp.com (Hank Leininger)
Date: Fri, 19 Jul 2002 16:31:44 -0400
Subject: Testing Call
Message-ID: <200207192031.g6JKVig03087@marc2.theaimsgroup.com>

On 2002-07-17, Ben Lindstrom wrote:

> If people could test snapshots (http://www.openssh.org/portable.html,
> pick your favorite mirror and select snapshots directory) and report
> failures it would be useful.
[snip]
> I'm looking mostly for privsep issues. If you have a platform that has
> an issue with privsep and you are part of the main portable tree (uwin
> and cray are excluded at this moment) it needs to be discussed or
> you'll be suffering for another 4+ months.

Per bug 325[1] reported by jfm at bitfactor.com on 2002-06-29 and echoed by me 2002-07-12, 'PermitRootLogin forced-commands-only' is broken when privsep is enabled (at least on Linux 2.2.x/glibc 2.[12], but that does not seem to matter). From my report:

...it appears that when auth2.c:userauth_finish is called, forced_command has been cleared (or perhaps, never set in that forked sshd) so the call to auth_root_allowed(method) returns 0.

I included a "dumb but makes the problem go away" patch in the report.

I've just tested 2002-07-19's snapshot, and forced root commands are still refused when 'PermitRootLogin forced-commands-only' is set.

> Lastly, I'd like to thank all of you for bearing with us during the last
> few months. I'm sure it was as frustrating for you as it is for us. =)

Thank YOU and the rest of the team for putting up with all us cranky users over the last few months. :-P

[1] http://bugzilla.mindrot.org/show_bug.cgi?id=325

--
Hank Leininger

From guyverdh at mchsi.com Sat Jul 20 07:02:48 2002
From: guyverdh at mchsi.com (guyverdh at mchsi.com)
Date: Fri, 19 Jul 2002 21:02:48 +0000
Subject: sftp / scp extension
Message-ID: <20020719210248.OYG25309.sccmmhc02.mchsi.com@sccqwbc01>

We have a need to allow for encrypted file transfers around the internet, but do not wish to expose our systems completely. What we would like to see is either an extension to the scp / sftp code to use an sftp_config or scp_config type file that places restrictions on directory movement, upload locations, download locations, etc...

Essentially, running the sftp-server or scp code within a chrooted environment within the user's directory could be sufficient, although allowing more movement / flexibility based on a config file would be preferable. If at all possible, something similar to the ftpaccess file used with wu-ftpd.

From dcole at keysoftsys.com Sat Jul 20 08:28:43 2002
From: dcole at keysoftsys.com (Darren Cole)
Date: Fri, 19 Jul 2002 15:28:43 -0700
Subject: HP-UX works or (Re: Testing Call)
References:
Message-ID: <00b601c22f73$b5ff09d0$9b78a8c0@oedserver>

HP-UX 10.26 seems to work fine in initial testing with priv sep enabled (from cvs pulled yesterday).

For the record there is a hang on exit problem with 10.26. After extensive hacking at the problem, it was determined to be a 10.26 issue. Waiting on HP for now. Temporary work around is to add these two lines one line from the end of session_exit_message() in session.c:

	if (s->ttyfd != -1 && c->istate == CHAN_INPUT_OPEN)
		chan_read_failed(c);

This comes from John C. Bowman's patch. This can cause possible data loss, but for us the chance of data loss far outweighs the hang on exit.

Ignore the below, unless you want a more thorough explanation.

When all child pty's are closed, the select call does not return as expected when using older style /dev/pty and friends. In the manpages, when all children are closed the select call should return in such a case. The reason the old style are used over others (/dev/ptmx and such) is that login will not authenticate unless the older style /dev/pty and friends are used (Trusted CMW issues of login). Using /dev/tmx will return as expected, but then login won't work. The better solution might be to quit using login altogether, and move all necessary work into the ssh (set clearance, drop privilege, audit, note login in the right files, check roles, etc). But then the UseLogin option won't work on HP-UX 10.26.

Figured this would at least give some record of openssh on HP-UX 10.26 issues.

Darren Cole
dcole at keysoftsys.com

----- Original Message -----
From: "Ben Lindstrom"
To: "OpenSSH Development"
Sent: Wednesday, July 17, 2002 1:04 PM
Subject: Testing Call

>
> Ok.. I'm starting official testing calls early this release. I'd like to
> have more feedback and more time for handling fixes.
>
> If people could test snapshots (http://www.openssh.org/portable.html, pick
> your favorite mirror and select snapshots directory) and report failures
> it would be useful.

From mouring at etoh.eviladmin.org Sat Jul 20 09:26:02 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Fri, 19 Jul 2002 18:26:02 -0500 (CDT)
Subject: AIX hang problem again (was Re: Testing Call)
In-Reply-To: <45568.193.133.92.239.1026993429.squirrel@lbbrown.homeip.net>
Message-ID:

On Thu, 18 Jul 2002, Leigh Brown wrote:

> I wrote:
> > Sorry guys, I just realised that you've been sending me email and
> > I've not read it, due to (my) bad mail filtering rules. It was just
> > chance that I happened to read Ben's testing email. I've read your
> > emails now and obviously I'd still like to apply the patch. However,
> > if using isatty is a problem (I know it causes a system call), please
> > give me a hint as to a preferred solution and I'll cook something up.
>
> How about the attached patch? I could wrap #ifdef _AIX around the
> wfd_isatty member definition and initialisation if required, but I
> don't think it causes any harm as it is.
>

I need to verify: does this affect 5L?

- Ben

From sidd_ait at rediffmail.com Sat Jul 20 18:20:10 2002
From: sidd_ait at rediffmail.com (siddharth sharma rajput)
Date: 20 Jul 2002 08:20:10 -0000
Subject: installation procedure
Message-ID: <20020720082010.20535.qmail@webmail15.rediffmail.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020720/5509ec1b/attachment.ksh

From dtucker at zip.com.au Sat Jul 20 21:52:36 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 20 Jul 2002 21:52:36 +1000
Subject: Testing Call
References:
Message-ID: <3D394F04.19F37916@zip.com.au>

Ben Lindstrom wrote:
> For those with pmake install there is regress/ which you can try out. It
> may help any platform issues. I know some platforms will outright fail
> (AIX). Hopefully post 3.5 we can look at supplying gnu make files.

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Sat Jul 20 22:00:58 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 20 Jul 2002 22:00:58 +1000
Subject: Testing Call: OK AIX 4.3.3
References:
Message-ID: <3D3950FA.A8BB1C6E@zip.com.au>

Ben Lindstrom wrote:
> For those with pmake install there is regress/ which you can try out. It
> may help any platform issues. I know some platforms will outright fail
> (AIX). Hopefully post 3.5 we can look at supplying gnu make files.

Apologies for the previous message (had a small cut-and-paste accident :-).

Builds and tests OK on AIX 4.3.3. Regression tests seem OK. I wasn't sure what to expect, so I've included the results below. I needed to make some modifications to the tests which I'll clean up and post. I don't think they reduce portability but I could be wrong.

OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/man/manX
PID file: /usr/local/etc
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: man
PAM support: no
KerberosIV support: no
KerberosV support: no
Smartcard support: no
AFS support: no
S/KEY support: no
TCP Wrappers support: no
MD5 password support: no
IP address in $DISPLAY hack: no
Use IPv4 by default hack: no
Translate v4 in v6 hack: no
BSD Auth support: no
Random number source: ssh-rand-helper
ssh-rand-helper collects from: Command hashing (timeout 200)

Host: powerpc-ibm-aix4.3.3.0
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/include
Linker flags: -L/usr/local/ssl/lib -L/usr/local/lib
Libraries: -lz -lcrypto

$ ./run-tests.sh
ok simple connect
ok proxy connect
ok proxy connect with privsep
ok sshd version with different protocol combinations
ok protocol version mismatch
test remote exit status: proto 1 status 0
test remote exit status: proto 1 status 1
test remote exit status: proto 1 status 4
test remote exit status: proto 1 status 5
test remote exit status: proto 1 status 44
test remote exit status: proto 2 status 0
test remote exit status: proto 2 status 1
test remote exit status: proto 2 status 4
test remote exit status: proto 2 status 5
test remote exit status: proto 2 status 44
ok remote exit status
transfer data: proto 1
transfer data: proto 2
ok transfer data
test stderr data transfer: proto 1 ()
test stderr data transfer: proto 2 ()
test stderr data transfer: proto 1 (-n)
test stderr data transfer: proto 2 (-n)
ok stderr data transfer
ok stderr data after eof
ok broken pipe test
test try ciphers: proto 2 cipher aes128-cbc mac hmac-sha1
test try ciphers: proto 2 cipher aes128-cbc mac hmac-md5
test try ciphers: proto 2 cipher aes128-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher aes128-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher 3des-cbc mac hmac-sha1
test try ciphers: proto 2 cipher 3des-cbc mac hmac-md5
test try ciphers: proto 2 cipher 3des-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher 3des-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher blowfish-cbc mac hmac-sha1
test try ciphers: proto 2 cipher blowfish-cbc mac hmac-md5
test try ciphers: proto 2 cipher blowfish-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher blowfish-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher cast128-cbc mac hmac-sha1
test try ciphers: proto 2 cipher cast128-cbc mac hmac-md5
test try ciphers: proto 2 cipher cast128-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher cast128-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher arcfour mac hmac-sha1
test try ciphers: proto 2 cipher arcfour mac hmac-md5
test try ciphers: proto 2 cipher arcfour mac hmac-sha1-96
test try ciphers: proto 2 cipher arcfour mac hmac-md5-96
test try ciphers: proto 2 cipher aes192-cbc mac hmac-sha1
test try ciphers: proto 2 cipher aes192-cbc mac hmac-md5
test try ciphers: proto 2 cipher aes192-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher aes192-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher aes256-cbc mac hmac-sha1
test try ciphers: proto 2 cipher aes256-cbc mac hmac-md5
test try ciphers: proto 2 cipher aes256-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher aes256-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher rijndael-cbc at lysator.liu.se mac hmac-sha1
test try ciphers: proto 2 cipher rijndael-cbc at lysator.liu.se mac hmac-md5
test try ciphers: proto 2 cipher rijndael-cbc at lysator.liu.se mac hmac-sha1-96
test try ciphers: proto 2 cipher rijndael-cbc at lysator.liu.se mac hmac-md5-96
test try ciphers: proto 1 cipher 3des
test try ciphers: proto 1 cipher blowfish
ok try ciphers
ok yes pipe head
ok simple agent test
ok keyscan
test basic sftp put/get: buffer_size 5 num_requests 1
test basic sftp put/get: buffer_size 5 num_requests 2
test basic sftp put/get: buffer_size 5 num_requests 10
test basic sftp put/get: buffer_size 1000 num_requests 1
test basic sftp put/get: buffer_size 1000 num_requests 2
test basic sftp put/get: buffer_size 1000 num_requests 10
test basic sftp put/get: buffer_size 32000 num_requests 1
test basic sftp put/get: buffer_size 32000 num_requests 2
test basic sftp put/get: buffer_size 32000 num_requests 10
test basic sftp put/get: buffer_size 64000 num_requests 1
test basic sftp put/get: buffer_size 64000 num_requests 2
test basic sftp put/get: buffer_size 64000 num_requests 10
ok basic sftp put/get
ok local and remote forwarding

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From dtucker at zip.com.au Sat Jul 20 22:25:32 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sat, 20 Jul 2002 22:25:32 +1000
Subject: Testing Call: OK HP-UX 11.00
References:
Message-ID: <3D3956BC.AE12BE5A@zip.com.au>

Compiles and tests OK on HP-UX 11.00. Regression tests seem OK.

I did find that neither ssh nor sshd work when compiled as a 64-bit
binary with gcc. I don't know if there would ever be a good reason to do
this; you can run a 32-bit ssh/sshd on a 64-bit capable system.

OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                    Manpage format: man
                       PAM support: no
                KerberosIV support: no
                 KerberosV support: no
                 Smartcard support: no
                       AFS support: no
                     S/KEY support: no
              TCP Wrappers support: no
              MD5 password support: no
       IP address in $DISPLAY hack: yes
          Use IPv4 by default hack: no
           Translate v4 in v6 hack: no
                  BSD Auth support: no
              Random number source: ssh-rand-helper
     ssh-rand-helper collects from: Unix domain socket "/var/run/egd-pool"

              Host: hppa2.0w-hp-hpux11.00
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags: -I/usr/local/ssl/include -D_HPUX_SOURCE -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1
      Linker flags: -L/usr/local/ssl/lib
         Libraries: -lz -lnsl -lxnet -lsec -lcrypto

$ ./run-tests.sh
ok simple connect
ok proxy connect
ok proxy connect with privsep
ok sshd version with different protocol combinations
ok protocol version mismatch
test remote exit status: proto 1 status 0
test remote exit status: proto 1 status 1
test remote exit status: proto 1 status 4
test remote exit status: proto 1 status 5
test remote exit status: proto 1 status 44
test remote exit status: proto 2 status 0
test remote exit status: proto 2 status 1
test remote exit status: proto 2 status 4
test remote exit status: proto 2 status 5
test remote exit status: proto 2 status 44
ok remote exit status
transfer data: proto 1
transfer data: proto 2
ok transfer data
test stderr data transfer: proto 1 ()
test stderr data transfer: proto 2 ()
test stderr data transfer: proto 1 (-n)
test stderr data transfer: proto 2 (-n)
ok stderr data transfer
ok stderr data after eof
ok broken pipe test
test try ciphers: proto 2 cipher aes128-cbc mac hmac-sha1
test try ciphers: proto 2 cipher aes128-cbc mac hmac-md5
test try ciphers: proto 2 cipher aes128-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher aes128-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher 3des-cbc mac hmac-sha1
test try ciphers: proto 2 cipher 3des-cbc mac hmac-md5
test try ciphers: proto 2 cipher 3des-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher 3des-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher blowfish-cbc mac hmac-sha1
test try ciphers: proto 2 cipher blowfish-cbc mac hmac-md5
test try ciphers: proto 2 cipher blowfish-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher blowfish-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher cast128-cbc mac hmac-sha1
test try ciphers: proto 2 cipher cast128-cbc mac hmac-md5
test try ciphers: proto 2 cipher cast128-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher cast128-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher arcfour mac hmac-sha1
test try ciphers: proto 2 cipher arcfour mac hmac-md5
test try ciphers: proto 2 cipher arcfour mac hmac-sha1-96
test try ciphers: proto 2 cipher arcfour mac hmac-md5-96
test try ciphers: proto 2 cipher aes192-cbc mac hmac-sha1
test try ciphers: proto 2 cipher aes192-cbc mac hmac-md5
test try ciphers: proto 2 cipher aes192-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher aes192-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher aes256-cbc mac hmac-sha1
test try ciphers: proto 2 cipher aes256-cbc mac hmac-md5
test try ciphers: proto 2 cipher aes256-cbc mac hmac-sha1-96
test try ciphers: proto 2 cipher aes256-cbc mac hmac-md5-96
test try ciphers: proto 2 cipher rijndael-cbc at lysator.liu.se mac hmac-sha1
test try ciphers: proto 2 cipher rijndael-cbc at lysator.liu.se mac hmac-md5
test try ciphers: proto 2 cipher rijndael-cbc at lysator.liu.se mac hmac-sha1-96
test try ciphers: proto 2 cipher rijndael-cbc at lysator.liu.se mac hmac-md5-96
test try ciphers: proto 1 cipher 3des
test try ciphers: proto 1 cipher blowfish
ok try ciphers
ok yes pipe head
ok simple agent test
ok keyscan
test basic sftp put/get: buffer_size 5 num_requests 1
test basic sftp put/get: buffer_size 5 num_requests 2
test basic sftp put/get: buffer_size 5 num_requests 10
test basic sftp put/get: buffer_size 1000 num_requests 1
test basic sftp put/get: buffer_size 1000 num_requests 2
test basic sftp put/get: buffer_size 1000 num_requests 10
test basic sftp put/get: buffer_size 32000 num_requests 1
test basic sftp put/get: buffer_size 32000 num_requests 2
test basic sftp put/get: buffer_size 32000 num_requests 10
test basic sftp put/get: buffer_size 64000 num_requests 1
test basic sftp put/get: buffer_size 64000 num_requests 2
test basic sftp put/get: buffer_size 64000 num_requests 10
ok basic sftp put/get
ok local and remote forwarding

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From leigh at solinno.co.uk Sat Jul 20 23:31:30 2002
From: leigh at solinno.co.uk (Leigh Brown)
Date: Sat, 20 Jul 2002 14:31:30 +0100 (BST)
Subject: AIX hang problem again (was Re: Testing Call)
In-Reply-To:
References: <45568.193.133.92.239.1026993429.squirrel@lbbrown.homeip.net>
Message-ID: <3077.158.152.5.90.1027171890.squirrel@lbbrown.homeip.net>

Ben Lindstrom wrote:
> On Thu, 18 Jul 2002, Leigh Brown wrote:
>> How about the attached patch? I could wrap #ifdef _AIX around the
>> wfd_isatty member definition and initialisation if required, but I
>> don't think it causes any harm as it is.
>
> I need to verify does this affect 5L?

I'll check a 5L box on Monday.

Cheers,

Leigh.

From sidd_ait at rediffmail.com Sun Jul 21 01:46:04 2002
From: sidd_ait at rediffmail.com (siddharth sharma rajput)
Date: 20 Jul 2002 15:46:04 -0000
Subject: installation problem
Message-ID: <20020720154604.2040.qmail@webmail29.rediffmail.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020720/af59c0f3/attachment.ksh

From mouring at etoh.eviladmin.org Sun Jul 21 01:48:01 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sat, 20 Jul 2002 10:48:01 -0500 (CDT)
Subject: installation problem
In-Reply-To: <20020720154604.2040.qmail@webmail29.rediffmail.com>
Message-ID:

README README.privsep INSTALL are all provided within the package. Please
read them.

- Ben

On 20 Jul 2002, siddharth sharma rajput wrote:

>
> hi ,
> before installing openssh
> is it necessary to install zlib and openssl ??
> if yes where can i get the material
>
> please help me.........
> bye
>
>
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From kevin at atomicgears.com Sun Jul 21 03:46:31 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Sat, 20 Jul 2002 10:46:31 -0700
Subject: Testing Call: OK HP-UX 11.00
In-Reply-To: <3D3956BC.AE12BE5A@zip.com.au>
References: <3D3956BC.AE12BE5A@zip.com.au>
Message-ID: <20020720174631.GA16534@scott.crlsca.adelphia.net>

On Sat, Jul 20, 2002 at 10:25:32PM +1000, Darren Tucker wrote:
> Compiles and tests OK on HP-UX 11.00. Regression tests seem OK.
>
> I did find that neither ssh nor sshd work when compiled as a 64-bit
> binary with gcc. I don't know if there would ever be a good reason to do
> this; you can run a 32-bit ssh/sshd on a 64-bit capable system.

And it's generally recommended that apps be 32-bit, unless there
are specific reasons to be 64-bit.

I'm only aware of this issue:

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=101070270613460&w=2

Which hasn't been important enough to deal with (also given the lack of
64-bit libpam).

From weiss at uni-mainz.de Sun Jul 21 04:00:36 2002
From: weiss at uni-mainz.de (Juergen Weiss) Date: 20 Jul 2002 20:00:36 +0200 Subject: opensc smartcard support does not work Message-ID: Hi, sorry, I'm not on the list, so please answer directly. I use opensc-0.7.0 and pcsc-lite-1.1.1 under FreeBSD 4.6 with Gemplus 410 and 430 smartcard readers and Schlumberger cryptoflex smartcards. I used openssh-3.2.2p1 but the relevant file scard-opensc.c is unchanged in 3.4. RSA authentication to a remote host running opensshd did not work with the smartcard. Investigating the problem I found, that the signature is not ASN1 encoded, when using smartcards. The following diff solves the problem: *** ../openssh-3.2.2p1.orig/scard-opensc.c Tue Apr 23 14:48:46 2002 --- ./scard-opensc.c Sat Jul 20 19:32:19 2002 *************** *** 89,94 **** --- 89,98 ---- r = sc_establish_context(&ctx, "openssh"); if (r) goto err; + if (sc_reader_id < 0 || sc_reader_id >= ctx->reader_count) { + r = SC_ERROR_NO_READERS_FOUND; + goto err; + } r = sc_connect_card(ctx->reader[sc_reader_id], 0, &card); if (r) goto err; *************** *** 190,212 **** unsigned char *sigret, unsigned int *siglen, RSA *rsa) { struct sc_pkcs15_object *key_obj; ! int r; unsigned long flags = 0; r = sc_prkey_op_init(rsa, &key_obj); ! if (r) ! return -1; /* FIXME: length of sigret correct? */ /* FIXME: check 'type' and modify flags accordingly */ ! flags = SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_SHA1; r = sc_pkcs15_compute_signature(p15card, key_obj, flags, ! m, m_len, sigret, RSA_size(rsa)); sc_unlock(card); if (r < 0) { error("sc_pkcs15_compute_signature() failed: %s", sc_strerror(r)); goto err; } *siglen = r; return 1; err: --- 194,253 ---- unsigned char *sigret, unsigned int *siglen, RSA *rsa) { struct sc_pkcs15_object *key_obj; ! int i, j, r; unsigned long flags = 0; + X509_SIG sig; + X509_ALGOR algor; + ASN1_TYPE parameter; + ASN1_OCTET_STRING digest; + unsigned char *p,*s = NULL; r = sc_prkey_op_init(rsa, &key_obj); ! if (r) { ! 
error("sc_prkey_op_init failed: %s", ! sc_strerror(r)); ! return 0; ! } ! ! debug3("inlength %d\n", m_len); ! sig.algor= &algor; ! sig.algor->algorithm=OBJ_nid2obj(type); ! ! parameter.type=V_ASN1_NULL; ! parameter.value.ptr=NULL; ! sig.algor->parameter= ¶meter; ! ! sig.digest= &digest; ! sig.digest->data=m; ! sig.digest->length=m_len; ! ! i=i2d_X509_SIG(&sig,NULL); ! ! debug3("x509 sig inlength %d\n", i); ! ! j=RSA_size(rsa); ! if ((i-RSA_PKCS1_PADDING) > j) { ! error("too big %d %d",i-RSA_PKCS1_PADDING,j); ! return 0; ! } ! ! s=xmalloc(RSA_size(rsa)+1); ! p=s; ! i2d_X509_SIG(&sig,&p); ! ! /* FIXME: length of sigret correct? */ /* FIXME: check 'type' and modify flags accordingly */ ! flags = SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_NONE; r = sc_pkcs15_compute_signature(p15card, key_obj, flags, ! s, i, sigret, RSA_size(rsa)); sc_unlock(card); if (r < 0) { error("sc_pkcs15_compute_signature() failed: %s", sc_strerror(r)); goto err; } + debug3("sc_sign %d\n", r); *siglen = r; return 1; err: Regards Juergen Weiss -- Juergen Weiss | Universitaet Mainz, Zentrum fuer Datenverarbeitung, weiss at uni-mainz.de| 55099 Mainz, Tel: +49(6131)39-26361, FAX: +49(6131)39-26407 From bugzilla-daemon at mindrot.org Sun Jul 21 05:05:56 2002 
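Review bot: the new bounds check before sc_connect_card() in the 89,94 hunk reports SC_ERROR_NO_READERS_FOUND for any out-of-range sc_reader_id, which reads as "no readers" even when readers are present and only the requested index is wrong; log the requested sc_reader_id and ctx->reader_count together with the error so a misconfigured reader number is distinguishable from a missing reader, and confirm that the err: label this new early exit jumps to releases the context that sc_establish_context() just created.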
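Review bot: the size check `if ((i-RSA_PKCS1_PADDING) > j)` in the signing hunk is wrong: RSA_PKCS1_PADDING is OpenSSL's padding-mode constant (value 1), not the padding overhead, so the check cannot catch a DigestInfo that does not fit the modulus; PKCS#1 v1.5 type-1 padding costs 11 bytes (00 01, at least eight 0xff, 00), so the test should be `if (i + RSA_PKCS1_PADDING_SIZE > j)`. Two further problems in the same hunk: both new `return 0;` paths after sc_prkey_op_init() has succeeded skip the `sc_unlock(card);` that the success path performs, and the buffer from `s=xmalloc(RSA_size(rsa)+1);` is never freed, neither after sc_pkcs15_compute_signature() nor on the error path. Style: debug3() appends its own newline, so the trailing "\n" in "inlength %d\n", "x509 sig inlength %d\n" and "sc_sign %d\n" should go, and the "check 'type' and modify flags accordingly" FIXME is now partly stale since the hunk derives the DigestInfo algorithm from `type` via OBJ_nid2obj(type).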
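The encoding the report describes as missing, as an added example that is not part of Juergen's message, the patch, OpenSSH or OpenSC: the DER DigestInfo for SHA-1, the PKCS#1 v1.5 type-1 padding a verifier expects around it, and the length check the patch needs; it also goes one step beyond the patch and shows the verifier's strict parse, which rejects the bare-digest form the pre-patch code produced. The message is constructed; OID and padding layout are the standard ones.

```python
import hashlib

# Constructed example: the PKCS#1 v1.5 signature encoding an ssh-rsa verifier expects.
# Not OpenSSH or OpenSC code; the OID and the padding layout are the standard ones.
SHA1_OID = "1.3.14.3.2.26"      # id-sha1, the algorithm inside DigestInfo for ssh-rsa
PKCS1_TYPE1_OVERHEAD = 11       # 00 01 || at least eight 0xFF || 00


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der_tlv(0x06, bytes(body))


def digest_info(oid: str, digest: bytes) -> bytes:
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier { oid, NULL }, OCTET STRING digest }.
    This is the structure the patch builds with i2d_X509_SIG() before calling the card."""
    alg_id = der_tlv(0x30, der_oid(oid) + b"\x05\x00")
    return der_tlv(0x30, alg_id + der_tlv(0x04, digest))


def emsa_pkcs1_v15(t: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: pad T out to the modulus size k. The length check is the one the
    patch needs: T plus the 11 padding bytes must fit, otherwise signing must fail."""
    if len(t) + PKCS1_TYPE1_OVERHEAD > k:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (k - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def encoded_message(message: bytes, k: int) -> bytes:
    """Post-patch: the card receives DigestInfo(SHA-1(m)) and applies type-1 padding itself
    (SC_ALGORITHM_RSA_PAD_PKCS1 | SC_ALGORITHM_RSA_HASH_NONE); this is what gets exponentiated."""
    return emsa_pkcs1_v15(digest_info(SHA1_OID, hashlib.sha1(message).digest()), k)


def encoded_bare_digest(message: bytes, k: int) -> bytes:
    """Pre-patch: the card padded the bare 20-byte hash, so the DigestInfo was missing."""
    return emsa_pkcs1_v15(hashlib.sha1(message).digest(), k)


def verifier_accepts(em: bytes, k: int, message: bytes) -> bool:
    """Verifier side, after the RSA public operation: strict parse of
    00 01 FF..FF 00 || DigestInfo, with at least eight FF bytes, then exact comparison."""
    if len(em) != k or em[:2] != b"\x00\x01":
        return False
    sep = em.find(b"\x00", 2)
    if sep < 0 or sep - 2 < 8 or any(b != 0xFF for b in em[2:sep]):
        return False
    expected = digest_info(SHA1_OID, hashlib.sha1(message).digest())
    return em[sep + 1:] == expected
```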
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 21 Jul 2002 05:05:56 +1000 (EST)
Subject: [Bug 231] ssh-keygen has fatal error while updating comment in RSA1 key
Message-ID: <20020720190556.27FF1E904@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=231

stevesk at pobox.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From stevesk at pobox.com 2002-07-21 05:05 -------
fixed:

- (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng().

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Sun Jul 21 05:27:28 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Sun, 21 Jul 2002 05:27:28 +1000 (EST)
Subject: [Bug 366] New: .cvsignore shouldn't be in distrib
Message-ID: <20020720192728.626C1E8FF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=366

           Summary: .cvsignore shouldn't be in distrib
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build system
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: nagler at bivio.biz
                CC: nagler at bivio.biz

The .cvsignore files in the distrib (3.4p1) cause configure, config.h.in,
etc. to not be checked in on a cvs import. I don't think .cvsignore files
belong in the distrib.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From jmknoble at pobox.com Sun Jul 21 05:32:19 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Sat, 20 Jul 2002 15:32:19 -0400
Subject: installation procedure
In-Reply-To: <20020720082010.20535.qmail@webmail15.rediffmail.com>; from sidd_ait@rediffmail.com on Sat, Jul 20, 2002 at 08:20:10AM -0000
References: <20020720082010.20535.qmail@webmail15.rediffmail.com>
Message-ID: <20020720153219.A22646@quipu.half.pint-stowp.cx>

Circa 2002-Jul-20 08:20:10 -0000 dixit siddharth sharma rajput:

: hi,
: please give me information
: of the steps needed to install
: the openssh

OpenSSH comes with installation instructions:

  ftp://ftp.openssh.com/pub/OpenBSD/OpenSSH/portable/INSTALL

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 249 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020720/a9034848/attachment.bin

From dtucker at zip.com.au Sun Jul 21 10:56:49 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 21 Jul 2002 10:56:49 +1000
Subject: Testing Call: OK HP-UX 11.00
References: <3D3956BC.AE12BE5A@zip.com.au> <20020720174631.GA16534@scott.crlsca.adelphia.net>
Message-ID: <3D3A06D1.6A0F6E4@zip.com.au>

Kevin Steves wrote:
> On Sat, Jul 20, 2002 at 10:25:32PM +1000, Darren Tucker wrote:
[64-bit ssh/sshd on HP-UX 11.00 doesn't work]
>
> And it's generally recommended that apps be 32-bit, unless there
> are specific reasons to be 64-bit.

I thought that was the case. I mentioned it only because it might be a
symptom of some other problem and I don't know enough to tell.

The problem I see is not the one you referred to. Sshd will go to 100%
cpu and do nothing else. Ssh does the following (talking to an otherwise
working 32-bit sshd).

If this is worth pursuing, let me know and I'll open a bugzilla bug,
otherwise I'll consider the matter closed.

-Daz.

# file ssh
ssh:    ELF-64 executable object file - PA-RISC 2.0 (LP64)
# ./ssh -v localhost
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to localhost [0.0.0.0] port 22.
debug1: Connection established.
debug1: identity file /.ssh/identity type -1
debug1: identity file /.ssh/id_rsa type -1
debug1: identity file /.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 127/256
debug1: bits set: 0/3191
invalid public DH value (0/3191)
debug1: dh_gen_key: priv key bits set: 238/256
debug1: bits set: 0/3191
invalid public DH value (0/3191)
debug1: dh_gen_key: priv key bits set: 355/256
debug1: bits set: 0/3191
invalid public DH value (0/3191)
debug1: dh_gen_key: priv key bits set: 481/256
debug1: bits set: 0/3191
invalid public DH value (0/3191)
debug1: dh_gen_key: priv key bits set: 601/256
debug1: bits set: 0/3191
invalid public DH value (0/3191)
debug1: dh_gen_key: priv key bits set: 740/256
debug1: bits set: 0/3191
invalid public DH value (0/3191)
debug1: dh_gen_key: priv key bits set: 857/256
debug1: bits set: 0/3191
invalid public DH value (0/3191)
debug1: dh_gen_key: priv key bits set: 986/256
debug1: bits set: 0/3191
invalid public DH value (0/3191)
debug1: dh_gen_key: priv key bits set: 1123/256
debug1: bits set: 0/3191
invalid public DH value (0/3191)
debug1: dh_gen_key: priv key bits set: 1250/256
debug1: bits set: 0/3191
invalid public DH value (0/3191)
debug1: dh_gen_key: priv key bits set: 1371/256
debug1: bits set: 0/3191
invalid public DH value (0/3191)
debug1: dh_gen_key: priv key bits set: 1487/256
dh_gen_key: too many bad keys: giving up
debug1: Calling cleanup 0x8000000000021b08(0x0)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From kevin at atomicgears.com Sun Jul 21 11:11:00 2002
From: kevin at atomicgears.com (Kevin Steves)
Date: Sat, 20 Jul 2002 18:11:00 -0700
Subject: Testing Call: OK HP-UX 11.00
In-Reply-To: <3D3A06D1.6A0F6E4@zip.com.au>
References: <3D3956BC.AE12BE5A@zip.com.au> <20020720174631.GA16534@scott.crlsca.adelphia.net> <3D3A06D1.6A0F6E4@zip.com.au>
Message-ID: <20020721011100.GA22996@scott.crlsca.adelphia.net>

On Sun, Jul 21, 2002 at 10:56:49AM +1000, Darren Tucker wrote:
> The problem I see is not the one you referred to. Sshd will go to 100%
> cpu and do nothing else. Ssh does the following (talking to an otherwise
> working 32-bit sshd).
>
> debug1: dh_gen_key: priv key bits set: 1371/256
> debug1: bits set: 0/3191
> invalid public DH value (0/3191)
> debug1: dh_gen_key: priv key bits set: 1487/256
> dh_gen_key: too many bad keys: giving up
> debug1: Calling cleanup 0x8000000000021b08(0x0)

does openssl pass make test?

From dtucker at zip.com.au Sun Jul 21 12:41:39 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Sun, 21 Jul 2002 12:41:39 +1000
Subject: Testing Call: OK HP-UX 11.00
References: <3D3956BC.AE12BE5A@zip.com.au> <20020720174631.GA16534@scott.crlsca.adelphia.net> <3D3A06D1.6A0F6E4@zip.com.au> <20020721011100.GA22996@scott.crlsca.adelphia.net>
Message-ID: <3D3A1F63.FE9AE044@zip.com.au>

Kevin Steves wrote:
>
> On Sun, Jul 21, 2002 at 10:56:49AM +1000, Darren Tucker wrote:
> > The problem I see is not the one you referred to. Sshd will go to 100%
> > cpu and do nothing else. Ssh does the following (talking to an otherwise
> > working 32-bit sshd).
> >
> > debug1: dh_gen_key: priv key bits set: 1371/256
> > debug1: bits set: 0/3191
> > invalid public DH value (0/3191)
> > debug1: dh_gen_key: priv key bits set: 1487/256
> > dh_gen_key: too many bad keys: giving up
> > debug1: Calling cleanup 0x8000000000021b08(0x0)
>
> does openssl pass make test?

Just checked. No it doesn't. Chalk it up to build error.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From Michael.Galonska at sskm.de Sat Jul 20 22:26:50 2002
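Where the "bits set", "invalid public DH value" and "too many bad keys" lines in the trace above come from, as an added example that is not OpenSSH's dh.c (it is modelled on dh_gen_key() and dh_pub_is_valid(), not copied from them): the sanity check on a DH public value and the generate-and-retry loop around it, with an injectable modular-exponentiation step so a broken bignum library, which is what a failing OpenSSL make test points to, can be simulated. Python; the group-2 prime is transcribed here and the test checks it is a safe prime.

```python
import secrets

# Constructed example, modelled on OpenSSH's dh_gen_key()/dh_pub_is_valid(); not OpenSSH code.
# diffie-hellman-group1-sha1 modulus (RFC 2409 Oakley group 2), transcribed here; generator 2.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin, used here only to confirm the transcribed modulus is a safe prime."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def bits_set(x: int) -> int:
    return bin(x).count("1")


def dh_pub_is_valid(pub: int, p: int = P):
    """The check behind 'bits set: a/b' and 'invalid public DH value (a/b)': the value must
    lie strictly between 1 and p-1 and have more than one bit set (with g = 2 a single set
    bit makes the discrete log trivial). Returns (ok, bits set, bits in p)."""
    n = p.bit_length()
    b = bits_set(pub)
    ok = 1 < pub < p - 1 and b > 1
    return ok, b, n


def dh_gen_key(need: int, p: int = P, g: int = G, modexp=pow, max_tries: int = 10):
    """The generate-and-retry loop: a 2*need-bit private exponent, pub = g^priv mod p,
    regenerate while pub fails the check, give up after max_tries. modexp is injectable
    so a broken library (one that yields a zero public value, as the trace above suggests)
    can be simulated. Returns (priv, pub, trace); trace holds the lines the client prints."""
    trace = []
    for _ in range(max_tries):
        priv = secrets.randbits(2 * need)
        pub = modexp(g, priv, p)
        trace.append(f"dh_gen_key: priv key bits set: {bits_set(priv)}/{priv.bit_length()}")
        ok, b, n = dh_pub_is_valid(pub, p)
        trace.append(f"bits set: {b}/{n}")
        if ok:
            return priv, pub, trace
        trace.append(f"invalid public DH value ({b}/{n})")
    raise RuntimeError("dh_gen_key: too many bad keys: giving up")
```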
From: Michael.Galonska at sskm.de (Michael.Galonska at sskm.de)
Date: Sat, 20 Jul 2002 14:26:50 +0200
Subject: Problem with SSHD-Daemon (OpenSSH)
Message-ID:

Hello,

I have problems with the ssh daemon.

Problem: the sshd daemon would not start; it complained about

Not enough entropy in RNG

The same message comes from ssh-keygen.

Platform: OS/390-UnixSystemServices 2.10 / OpenSSH_2.9p1

I have the binary version from the IBM Redbook SG24-5944-01 (Open Source
Software for z/OS and OS/390 UNIX -
http://www-1.ibm.com/servers/eserver/zseries/zos/unix/redbook/index.html)
and the code is installed under /usr/local/.

Can someone tell me how to rectify this? I've been through the archives of
this list and didn't find anything.

Thanks!

Michael Galonska

Please also note our security advice on the subject of e-mail at
http://www.sskm.de/security.

Stadtsparkasse München - institution under public law - Amtsgericht München - HRA 75459.

From mouring at etoh.eviladmin.org Sun Jul 21 15:43:36 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Sun, 21 Jul 2002 00:43:36 -0500 (CDT)
Subject: Problem with SSHD-Daemon (OpenSSH)
In-Reply-To:
Message-ID:

We have no clue how IBM compiled that code. Even looking at the redbook
documentation, it is suggested it may be using the internal RNG generator.

We need to see the output of:

sshd -d -d -d

or

ssh -v -v -v machine

Or else we have no clue how to help you.

Redbook says the source is 2.9pX release. We are counting down to 3.5pX
release. Just for your knowledge. Wonder why no one at IBM spent the
time to work with us to port to z/OS? Is the user base that small for
OS/390?

- Ben

On Sat, 20 Jul 2002 Michael.Galonska at sskm.de wrote:

> Hello,
>
> I have problems with the ssh daemon.
>
> Problem: the sshd daemon would not start; it complained about
>
> Not enough entropy in RNG
>
> The same message comes from ssh-keygen.
>
> Platform: OS/390-UnixSystemServices 2.10 / OpenSSH_2.9p1
>
> I have the binary version from the IBM Redbook SG24-5944-01 (Open Source
> Software for z/OS and OS/390 UNIX -
> http://www-1.ibm.com/servers/eserver/zseries/zos/unix/redbook/index.html)
> and the code is installed under /usr/local/.
>
>
> Can someone tell me how to rectify this? I've been through the archives of
> this list and didn't find anything.
>
> Thanks!
>
> Michael Galonska
> Please also note our security advice on the subject of e-mail at
> http://www.sskm.de/security.
>
> Stadtsparkasse München - institution under public law - Amtsgericht
> München - HRA 75459.
>
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From sidd_ait at rediffmail.com Sun Jul 21 19:01:18 2002
From: sidd_ait at rediffmail.com (siddharth sharma rajput)
Date: 21 Jul 2002 09:01:18 -0000
Subject: problem in openssl installation
Message-ID: <20020721090118.8445.qmail@webmail16.rediffmail.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020721/52b8f7ba/attachment.ksh

From sidd_ait at rediffmail.com Sun Jul 21 23:55:25 2002
From: sidd_ait at rediffmail.com (siddharth sharma rajput)
Date: 21 Jul 2002 13:55:25 -0000
Subject: source problem
Message-ID: <20020721135525.6325.qmail@webmail28.rediffmail.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020721/f684cd68/attachment.ksh

From stuge-openssh-unix-dev at cdy.org Mon Jul 22 03:54:47 2002
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Sun, 21 Jul 2002 19:54:47 +0200
Subject: source problem
In-Reply-To: <20020721135525.6325.qmail@webmail28.rediffmail.com>; from sidd_ait@rediffmail.com on Sun, Jul 21, 2002 at 01:55:25PM -0000
References: <20020721135525.6325.qmail@webmail28.rediffmail.com>
Message-ID: <20020721195446.A11317@foo.birdnet.se>

On Sun, Jul 21, 2002 at 01:55:25PM -0000, siddharth sharma rajput wrote:
>
> hi ,
> i am installing openssh

Hello. We all KNOW that you are trying to install OpenSSH by this time.
You have sent a number of emails asking for help with various problems.

> please tell me links , where i can get information
> about the source code (comments for source code)

"Use the source, Luke."

- You have access to the source code, use that: read the source code.
No text can explain what the code does better than the actual code.
If you know some C it's not very difficult to figure out.

You will want to keep a copy of the SSH version 2 protocol drafts
available for reference as well, but read them through first, at least
two times, to grasp what SSH is actually about.

//Peter

From stuge-openssh-unix-dev at cdy.org Mon Jul 22 04:09:31 2002
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Sun, 21 Jul 2002 20:09:31 +0200
Subject: OT: rant [was Re: problem in openssl installation]
In-Reply-To: <20020721090118.8445.qmail@webmail16.rediffmail.com>; from sidd_ait@rediffmail.com on Sun, Jul 21, 2002 at 09:01:18AM -0000
References: <20020721090118.8445.qmail@webmail16.rediffmail.com>
Message-ID: <20020721200931.B11317@foo.birdnet.se>

On Sun, Jul 21, 2002 at 09:01:18AM -0000, siddharth sharma rajput wrote:
>
> hi ,
> while installing openssl
> which is to be installed before installing ssh
> after doing tar
> it is not generating configure file
> but a directory named apps
> please tell me how to proceed

Why don't you ask your vendor these questions?

Why don't you use a prepackaged version of OpenSSH and OpenSSL for your
distribution?

Anyway, building from sources is rarely very difficult with open source
software. Usually there is a README and/or INSTALL file that details the
installation, if not you can probably find installation instructions on
the package homepage.

Read the manual, read the README file, read the INSTALL file. They're
there for a reason.

> please reply soon

This isn't a support mailing list, this is a developer mailing list.

Please don't follow my bad example and prolong this thread, I send this
one message only to make you stop sending any more unneeded requests for
installation help, when the entire procedure is readily documented on the
web in several places and in the documentation of the software packages
you wish to install.

Don't expect many more replies to inquiries concerning installation
problems, especially not trivial installation problems with some OTHER
software than OpenSSH.

//Peter

From fredo at aracnet.com Mon Jul 22 13:29:39 2002
From: fredo at aracnet.com (Fred Obermann)
Date: 21 Jul 2002 20:29:39 -0700
Subject: impedance mismatch between openssh 3.4p1 and openssl 0.9.6d on SCO OpenServer 3.2 5.0.6
Message-ID: <1027308581.13524.20.camel@gauss>

Hi,

I have been trying to build openssh 3.4p1 on SCO Open Server xxx

It requires the libcrypto.a library produced by OpenSSL. So, I
downloaded and installed OpenSSL 0.9.6d.

As part of the configure process for OpenSSH, 'configure' checks for
version of libcrypto.a with RAND_add(). RAND_add is defined in
rand_lib.c and during the build of OpenSSH, I can see that rand_lib.c is
compiled and linked into libcrypto.a

However, when I run configure for OpenSSH, it complains:

configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***

Do any of you folks have an idea why this might be?

FredO

The relevant portion of the log file looks like this:
-----------------------------------------------------------------
configure:7782: result: yes
configure:8167: cc -o conftest -g -I/usr/local/include -L/usr/local/lib conftest.c -lz -lsocket -lprot -lx -ltinfo -lm -lcrypto >&5
undefined                       first referenced
 symbol                             in file
RAND_add                            conftest.o
i386ld fatal: Symbol referencing errors. No output written to conftest
configure:8170: $? = 13
configure: failed program was:
#line 8125 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error.  */
#ifdef __cplusplus
extern "C"
#endif
/* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
char RAND_add ();
#ifdef F77_DUMMY_MAIN
#  ifdef __cplusplus
     extern "C"
#  endif
   int F77_DUMMY_MAIN() { return 1; }
#endif
int
main ()
{
RAND_add ();
  ;
  return 0;
}
configure:8218: cc -o conftest -g -I/usr/local/ssl/include -I/usr/local/include -L/usr/local/ssl/lib -L/usr/local/lib conftest.c -lz -lsocket -lprot -lx -ltinfo -lm -lcrypto >&5
undefined                       first referenced
 symbol                             in file
RAND_add                            conftest.o
i386ld fatal: Symbol referencing errors. No output written to conftest
configure:8221: $? = 13
configure: failed program was:
#line 8192 "configure"
#include "confdefs.h"
/* Override any gcc2 internal prototype to avoid an error.  */
#ifdef __cplusplus
extern "C"
#endif
/* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
char RAND_add ();
#ifdef F77_DUMMY_MAIN
#  ifdef __cplusplus
     extern "C"
#  endif
   int F77_DUMMY_MAIN() { return 1; }
#endif
int
main ()
{
RAND_add ();
  ;
  return 0;
}
configure:8237: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***
-----------------------------------------------------------------

From Michael.Galonska at sskm.de Mon Jul 22 18:50:47 2002
From: Michael.Galonska at sskm.de (Michael.Galonska at sskm.de)
Date: Mon, 22 Jul 2002 10:50:47 +0200
Subject: Antwort: Re: Problem with SSHD-Daemon (OpenSSH)
Message-ID:

Hi Ben,

here is the output from sshd -d -d -d:

mvs2:sygm:/usr/local/sbin:#./sshd -d -d -d
debug3: Reading output from 'ls -alni /var/log'
debug3: Time elapsed: 459 msec
debug2: Command 'ls -alni /var/log' timed out
debug3: Got 0.00 bytes of entropy from 'ls -alni /var/log'
debug3: Reading output from 'ls -alni /var/adm'
debug3: Time elapsed: 143 msec
debug2: Command 'ls -alni /var/adm' timed out
debug3: Got 0.00 bytes of entropy from 'ls -alni /var/adm'
debug3: Reading output from 'ls -alni /var/mail'
debug3: Time elapsed: 286 msec
debug2: Command 'ls -alni /var/mail' timed out
debug3: Got 0.00 bytes of entropy from 'ls -alni /var/mail'
debug3: Reading output from 'ls -alni /var/adm/syslog'
debug3: Time elapsed: 221 msec
debug2: Command 'ls -alni /var/adm/syslog' timed out
debug3: Got 0.00 bytes of entropy from 'ls -alni /var/adm/syslog'
debug3: Reading output from 'ls -alni /var/spool/mail'
debug3: Time elapsed: 313 msec
debug2: Command 'ls -alni /var/spool/mail' timed out
debug3: Got 0.00 bytes of entropy from 'ls -alni /var/spool/mail'
debug3: Reading output from 'ls -alni /tmp'
debug3: Time elapsed: 263 msec
debug2: Command 'ls -alni /tmp' timed out
debug3: Got 0.00 bytes of entropy from 'ls -alni /tmp'
debug3: Reading output from 'ls -alni /var/tmp'
debug3: Time elapsed: 275 msec
debug2: Command 'ls -alni /var/tmp' timed out
debug3: Got 0.00 bytes of entropy from 'ls -alni /var/tmp'
debug3: Reading output from 'ls -alni /usr/lpp'
debug3: Time elapsed: 140 msec
debug2: Command 'ls -alni /usr/lpp' timed out
debug3: Got 0.00 bytes of entropy from 'ls -alni /usr/lpp'
debug3: Reading output from 'ls -alni /etc'
debug3: Time elapsed: 218 msec
debug2: Command 'ls -alni /etc' timed out
debug3: Got 0.00 bytes of entropy from 'ls -alni /etc'
debug3: Reading output from 'ls -alni /opt'
debug3: Time elapsed: 218 msec
debug2: Command 'ls -alni /opt' timed out
debug3: Got 0.00 bytes of entropy from 'ls -alni /opt'
debug3: Reading output from 'ls -alni /bin'
debug3: Time elapsed: 243 msec
debug2: Command 'ls -alni /bin' timed out
debug3: Got 0.00 bytes of entropy from 'ls -alni /bin'
debug3: Reading output from 'ls -alni /'
debug3: Time elapsed: 199 msec
debug2: Command 'ls -alni /' timed out
debug3: Got 0.00 bytes of entropy from 'ls -alni /'
debug3: Reading output from 'ls -alni /etc/IBM'
debug3: Time elapsed: 344 msec
debug2: Command 'ls -alni /etc/IBM' timed out
debug3: Got 0.00 bytes of entropy from 'ls -alni /etc/IBM'
debug3: Reading output from 'ls -alni /var'
debug3: Time elapsed: 225 msec
debug2: Command 'ls -alni /var' timed out
debug3: Got 0.00 bytes of entropy from 'ls -alni /var'
debug3: Reading output from 'ps -efl'
debug3: Time elapsed: 273 msec
debug2: Command 'ps -efl' timed out
debug3: Got 0.00 bytes of entropy from 'ps -efl'
debug3: Reading output from 'who -i'
debug3: Time elapsed: 210 msec
debug2: Command 'who -i' timed out
debug3: Got 0.00 bytes of entropy from 'who -i'
debug3: Reading output from 'df'
debug3: Time elapsed: 113 msec
debug2: Command 'df' timed out
debug3: Got 0.00 bytes of entropy from 'df'
debug3: Reading output from 'df -P'
debug3: Time elapsed: 333 msec
debug2: Command 'df -P' timed out
debug3: Got 0.00 bytes of entropy from 'df -P'
debug3: Reading output from 'df -v'
debug3: Time elapsed: 148 msec
debug2: Command 'df -v' timed out
debug3: Got 0.00 bytes of entropy from 'df -v'
debug3: Reading output from 'date'
debug3: Time elapsed: 190 msec
debug2: Command 'date' timed out
debug3: Got 0.00 bytes of entropy from 'date'
debug3: Reading output from 'ipcs -a'
debug3: Time elapsed: 318 msec
debug2: Command 'ipcs -a' timed out
debug3: Got 0.00 bytes of entropy from 'ipcs -a'
debug3: Reading output from 'tail -200 /var/adm/syslog'
debug3: Time elapsed: 196 msec
debug2: Command 'tail -200 /var/adm/syslog' timed out
debug3: Got 0.00 bytes of entropy from 'tail -200 /var/adm/syslog'
debug1: Seeded RNG with 6 bytes from programs
debug1: Seeded RNG with 3 bytes from system calls
Not enough entropy in RN
debug1: Calling cleanup 0x1ba34d60(0x0)
debug1: writing PRNG seed to file //.ssh/prng_seed

I tested the command sshd -d -d -d several times, and on one attempt the sshd daemon started for some minutes. After that the sshd daemon sent the same message (Not enough entropy in RN) every time.

Can I port version 3.5pX to OS/390 / z/OS? Can you tell me how to handle this?

Best Regards,

Michael Galonska
Stadtsparkasse München
OA-SM-ZS
Ungererstr. 75
80805 München
http://www.sskm.de
--------------------------------------------------------
Mail: michael_galonska at sskm.de
Tel. (089) 2167-6901
Fax. (089) 2167-8-6901

Please also note our security advice on the subject of e-mail at http://www.sskm.de/security.
Stadtsparkasse München - institution under public law - Amtsgericht München - HRA 75459.

From hadmut at danisch.de Mon Jul 22 18:52:36 2002
From: hadmut at danisch.de (Hadmut Danisch)
Date: Mon, 22 Jul 2002 10:52:36 +0200
Subject: Web-Proxy-Option?
Message-ID: <20020722085236.GA2732@danisch.de>

Hi,

I'd like to suggest adding a web proxy option to the ssh client. Sometimes you're in a LAN without any direct connection to the internet, but with a web proxy which supports the CONNECT command for ssl connections. The ssh client could use these proxies as well.

regards
Hadmut

From markus at openbsd.org Mon Jul 22 19:07:40 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 22 Jul 2002 11:07:40 +0200
Subject: Web-Proxy-Option?
In-Reply-To: <20020722085236.GA2732@danisch.de>
References: <20020722085236.GA2732@danisch.de>
Message-ID: <20020722090740.GA5668@faui02>

there are hundreds of similar proxies, just use them with the ProxyCommand option.

From Michael.Galonska at sskm.de Mon Jul 22 22:39:33 2002
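The CONNECT handshake Hadmut describes, wired in through the ProxyCommand option Markus points to, as an added example that is not code from this thread or from OpenSSH: the helper sends the CONNECT request to the proxy, refuses anything but a well-formed 200 reply, and then relays the tunnel on stdin/stdout for ssh. The proxy name proxy.corp.example, port 3128 and the file name connect_proxy.py are assumptions; %h and %p are OpenSSH's own host and port tokens.

```python
"""HTTP CONNECT tunnel for use as an OpenSSH ProxyCommand (added example).

ssh_config usage, assuming a proxy named proxy.corp.example on port 3128:
    Host behind-proxy
        ProxyCommand python3 connect_proxy.py proxy.corp.example 3128 %h %p
"""
import os
import select
import socket
import sys

MAX_HEADER_BYTES = 65536  # refuse absurdly large proxy replies


def build_connect_request(host, port):
    """Build the CONNECT request for host:port; IPv6 literals get brackets."""
    if ":" in host:
        host = "[%s]" % host
    target = "%s:%d" % (host, port)
    return ("CONNECT %s HTTP/1.1\r\n"
            "Host: %s\r\n"
            "Proxy-Connection: keep-alive\r\n"
            "\r\n" % (target, target)).encode("ascii")


def parse_connect_response(data):
    """Return (status_code, bytes_after_headers) from a raw proxy reply.

    Raises ValueError when the header block is incomplete or the first line
    is not an HTTP status line, so a garbage reply is never treated as an
    established tunnel.
    """
    end = data.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("incomplete CONNECT reply headers")
    status_line = data[:end].split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("malformed status line: %r" % status_line)
    if len(parts[1]) != 3 or not parts[1].isdigit():
        raise ValueError("malformed status code: %r" % status_line)
    return int(parts[1]), data[end + 4:]


def read_connect_reply(sock):
    """Read from the proxy until the header block is complete (or too big)."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ValueError("proxy closed the connection during CONNECT")
        buf += chunk
        if len(buf) > MAX_HEADER_BYTES:
            raise ValueError("CONNECT reply headers too large")
    return buf


def write_all(fd, data):
    """os.write may write less than asked for; loop until everything is out."""
    while data:
        data = data[os.write(fd, data):]


def relay(sock, stdin_fd, stdout_fd):
    """Pump bytes between the local fds (ssh) and the tunnel socket."""
    readers = [sock.fileno(), stdin_fd]
    while readers:
        ready, _, _ = select.select(readers, [], [])
        if sock.fileno() in ready:
            data = sock.recv(65536)
            if not data:              # remote side closed: we are done
                return
            write_all(stdout_fd, data)
        if stdin_fd in ready:
            data = os.read(stdin_fd, 65536)
            if not data:              # ssh closed its end: half-close the tunnel
                sock.shutdown(socket.SHUT_WR)
                readers.remove(stdin_fd)
            else:
                sock.sendall(data)


def main(argv):
    if len(argv) != 5:
        sys.stderr.write("usage: %s proxy_host proxy_port dest_host dest_port\n" % argv[0])
        return 2
    proxy_host, proxy_port = argv[1], int(argv[2])
    dest_host, dest_port = argv[3], int(argv[4])
    sock = socket.create_connection((proxy_host, proxy_port))
    sock.sendall(build_connect_request(dest_host, dest_port))
    code, leftover = parse_connect_response(read_connect_reply(sock))
    if code != 200:
        sys.stderr.write("proxy refused CONNECT to %s:%d: HTTP %d\n" % (dest_host, dest_port, code))
        return 1
    if leftover:                      # bytes that already belong to the tunnel
        write_all(sys.stdout.fileno(), leftover)
    relay(sock, sys.stdin.fileno(), sys.stdout.fileno())
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```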
From: Michael.Galonska at sskm.de (Michael.Galonska at sskm.de)
Date: Mon, 22 Jul 2002 14:39:33 +0200
Subject: Antwort: Re: Problem with SSHD-Daemon (OpenSSH)
Message-ID:

Hi Ben,

I tested the command sshd -d -d -d several times; mostly the sshd daemon did not start, and sometimes the sshd daemon started, with the message:

debug1: Seeded RNG with 16 bytes from programs
debug1: Seeded RNG with 3 bytes from system calls
debug1: sshd version OpenSSH_2.9p1
debug1: private host key: #0 type 0 RSA1
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.

After the sshd daemon is stopped normally, the sshd daemon either starts or does not start (Not enough entropy in RN).

Best Regards
Michael

From dtucker at zip.com.au Mon Jul 22 22:57:46 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Mon, 22 Jul 2002 22:57:46 +1000
Subject: [Patch] Improve portability of regression tests
Message-ID: <3D3C014A.B311EFAC@zip.com.au>

Hello All.

As promised, here is what I needed to do to get the regression tests to work on AIX & HPUX. It goes into a bit of detail in the hope that others might be able to get them running on their platforms. I've run these mods on AIX 4.3.3, HP-UX 11.00, Solaris 8, Redhat 7.3 and OpenBSD 3.0.

The problems I encountered:
* prereqs (pmake, md5sum)
* bad directory owner/mode causing auth failures
* echo -n doesn't always work
* some "id"'s don't know -n or -u
* some platforms have no /dev/stdin
* some tests AIX fails when sshd runs as non-root user
* path problems

I used Markus' run-tests.sh script as a starting point. This reduced the need for pmake. I got md5sum from GNU textutils.

Useful pointers:
md5sum: http://www.gnu.org/software/textutils/textutils.html
[bp]make: http://www.crufty.net/ftp/pub/sjg/

While testing I turned up LogLevel to DEBUG for the sshd under test. This showed "bad ownership or modes for directory" in syslog. The regress directory and all of its parents must be owned by the testing user or root and must be mode 755 or stricter. (Some of mine were owned by bin and group writable).

Some tests use "echo -n" for echoing without a newline. This left -n's in inconvenient places (eg known_hosts files). I created an "echon" function in the test driver "test-exec.sh" that will (hopefully) work everywhere.

I replaced "id -nu" with "whoami". (Solaris' "id" doesn't know -u or -n).

The sftp test uses /dev/stdin to send commands to sftp via the -b (batch) option. Some platforms (eg AIX & HP-UX) don't have /dev/stdin or equivalent. I moved the commands to a normal file.

The call to loginrestricted() in auth.c fails when sshd is running as a non-root user. I added a "${SUDO}" to ssh_proxy's ProxyCommand. You'll need to define SUDO in test-exec.sh on AIX or some tests will fail.
I had problems with paths, so I added more explicit ones. This may not be necessary. One other thing: do authorized_keys_root, copy.1 and copy.2 need to be in CVS? -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: regress/Makefile =================================================================== RCS file: /cvs/openssh/regress/Makefile,v retrieving revision 1.1 diff -u -r1.1 Makefile --- regress/Makefile 1 May 2002 03:17:34 -0000 1.1 +++ regress/Makefile 22 Jul 2002 12:33:34 -0000 @@ -39,9 +39,10 @@ ssh-keygen -yf t2.out | diff - ${.CURDIR}/rsa_openssh.pub t3: - ssh-keygen -ef ${.CURDIR}/rsa_openssh.pub |\ - ssh-keygen -if /dev/stdin |\ + ssh-keygen -ef ${.CURDIR}/rsa_openssh.pub >${.CURDIR}/rsa_secsh.pub + ssh-keygen -if ${.CURDIR}/rsa_secsh.pub | \ diff - ${.CURDIR}/rsa_openssh.pub + rm -f ${.CURDIR}/rsa_secsh.pub t4: ssh-keygen -lf ${.CURDIR}/rsa_openssh.pub |\ Index: regress/runtests.sh =================================================================== RCS file: /cvs/openssh/regress/runtests.sh,v retrieving revision 1.1 diff -u -r1.1 runtests.sh --- regress/runtests.sh 1 May 2002 03:17:35 -0000 1.1 +++ regress/runtests.sh 22 Jul 2002 12:33:42 -0000 
@@ -1,13 +1,45 @@ #!/bin/sh -TEST_SSH_SSH=../ssh -TEST_SSH_SSHD=../sshd -TEST_SSH_SSHAGENT=../ssh-agent -TEST_SSH_SSHADD=../ssh-add -TEST_SSH_SSHKEYGEN=../ssh-keygen -TEST_SSH_SSHKEYSCAN=../ssh-keyscan -TEST_SSH_SFTP=../sftp -TEST_SSH_SFTPSERVER=../sftp-server +pwd=`pwd` +bindir=`dirname $pwd` +PATH="$bindir:$PATH" +export PATH -pmake +TEST_SSH_TRACE=no # Enable for more detail in test +TEST_SSH_QUIET=no # Suppress status output +export TEST_SSH_TRACE TEST_SSH_QUIET +# Path to binaries to test +TEST_SSH_SSH=$bindir/ssh +TEST_SSH_SSHD=$bindir/sshd +TEST_SSH_SSHAGENT=$bindir/ssh-agent +TEST_SSH_SSHADD=$bindir/ssh-add +TEST_SSH_SSHKEYGEN=$bindir/ssh-keygen +TEST_SSH_SSHKEYSCAN=$bindir/ssh-keyscan +TEST_SSH_SFTP=$bindir/sftp +TEST_SSH_SFTPSERVER=$bindir/sftp-server +export TEST_SSH_SSH TEST_SSH_SSHD TEST_SSH_SSHAGENT TEST_SSH_SSHADD +export TEST_SSH_SSHKEYGEN TEST_SSH_SSHKEYSCAN TEST_SSH_SFTP TEST_SSH_SFTPSERVER + +if [ -x `which pmake` ]; then + pmake +else + for test in connect \ + proxy-connect \ + connect-privsep \ + proto-version \ + proto-mismatch \ + exit-status \ + transfer \ + stderr-data \ + stderr-after-eof \ + broken-pipe \ + try-ciphers \ + yes-head \ + agent \ + keyscan \ + sftp \ + forwarding ; do + sh test-exec.sh $pwd $pwd/${test}.sh + done +fi Index: regress/sftp.sh =================================================================== RCS file: /cvs/openssh/regress/sftp.sh,v retrieving revision 1.1 diff -u -r1.1 sftp.sh --- regress/sftp.sh 1 May 2002 03:17:35 -0000 1.1 +++ regress/sftp.sh 22 Jul 2002 12:33:42 -0000 @@ -6,6 +6,12 @@ DATA=/bin/ls COPY=${OBJ}/copy +cat >`pwd`/batch < /dev/null 2>&1 << EOF - version - get $DATA ${COPY}.1 - put $DATA ${COPY}.2 -EOF + ${SFTP} -P ${SFTPSERVER} -B $B -R $R -b `pwd`/batch \ + > /dev/null 2>&1 r=$? if [ $r -ne 0 ]; then fail "sftp failed with $r" 
@@ -27,3 +29,5 @@ cmp $DATA ${COPY}.2 || fail "corrupted copy after put" done done + +rm -f `pwd`/batch Index: regress/ssh-com.sh =================================================================== RCS file: /cvs/openssh/regress/ssh-com.sh,v retrieving revision 1.1 diff -u -r1.1 ssh-com.sh --- regress/ssh-com.sh 1 May 2002 03:17:35 -0000 1.1 +++ regress/ssh-com.sh 22 Jul 2002 12:33:42 -0000 @@ -63,7 +63,7 @@ # convert and append DSA hostkey ( - echo -n 'ssh2-localhost-with-alias,127.0.0.1,::1 ' + echon 'ssh2-localhost-with-alias,127.0.0.1,::1 ' ${SSHKEYGEN} -if ${SRC}/dsa_ssh2.pub ) >> $OBJ/known_hosts Index: regress/test-exec.sh =================================================================== RCS file: /cvs/openssh/regress/test-exec.sh,v retrieving revision 1.1 diff -u -r1.1 test-exec.sh --- regress/test-exec.sh 1 May 2002 03:17:35 -0000 1.1 +++ regress/test-exec.sh 22 Jul 2002 12:33:42 -0000 @@ -2,7 +2,7 @@ # Placed in the Public Domain. PORT=4242 -USER=`id -un` +USER=`whoami` SUDO= #SUDO=sudo @@ -72,6 +72,18 @@ #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER # helper +echon() +{ + if [ "x`echo -n`" = "x" ]; then + echo -n "$@" + elif [ "x`/bin/echo '\c'`" = "x" ]; then + /bin/echo "$@\c" + else + fatal "Don't know how to echo without newline." + fi + +} + cleanup () { if [ -f $PIDFILE ]; then @@ -111,7 +123,7 @@ fatal () { - echo -n "FATAL: " + echon "FATAL: " fail "$@" cleanup exit $RESULT @@ -169,7 +181,7 @@ # known hosts file for client ( - echo -n 'localhost-with-alias,127.0.0.1,::1 ' + echon 'localhost-with-alias,127.0.0.1,::1 ' cat $OBJ/$t.pub ) >> $OBJ/known_hosts @@ -189,7 +201,7 @@ # create a proxy version of the client config ( cat $OBJ/ssh_config - echo proxycommand ${SSHD} -i -f $OBJ/sshd_proxy + echo proxycommand ${SUDO} ${SSHD} -i -f $OBJ/sshd_proxy ) > $OBJ/ssh_proxy # check proxy config From markus at openbsd.org Mon Jul 22 23:22:45 2002 
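Review bot: in the regress/Makefile t3 hunk the intermediate rsa_secsh.pub is written into ${.CURDIR}, which is the source tree, and the trailing `rm -f` never runs when the `diff` fails because make stops at the first failing command; a read-only or shared checkout therefore breaks t3, and a failed run leaves a stray key file in the sources. Write the intermediate where t2.out already goes (no ${.CURDIR} prefix, i.e. the object directory) and remove it at the start of the target rather than at the end, so nothing is left behind on failure.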
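Review bot: the pmake probe in the runtests.sh hunk, `if [ -x `which pmake` ]; then`, takes the wrong branch when pmake is absent: `which` then prints nothing (or, on some systems, a "no pmake in ..." message), the test degenerates to `[ -x ]`, which is true for any single non-empty word, and the script runs a pmake that does not exist instead of falling back to the loop. Quote the substitution, as in [ -x "`which pmake 2>/dev/null`" ], so an empty or descriptive result is tested as one string and fails the -x check. The hard-coded test list in the else branch also has to be kept in step with the Makefile by hand; noting that next to the list would save the next person a surprise.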
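Review bot: the new echon() in the test-exec.sh hunk recurses without bound on a platform where neither `echo -n` nor `echo '\c'` suppresses the newline: its fallback calls fatal(), and the following hunk changes fatal() to begin with `echon "FATAL: "`, so the two call each other until the shell runs out of stack. Make the fallback self-contained, for example plain `echo "$@"` (accepting the stray newline), or print the diagnostic with `echo` to stderr and `exit 1` directly; where printf is available, `printf '%s' "$*"` avoids both echo probes altogether.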
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 22 Jul 2002 15:22:45 +0200
Subject: [Patch] Improve portability of regression tests
In-Reply-To: <3D3C014A.B311EFAC@zip.com.au>
References: <3D3C014A.B311EFAC@zip.com.au>
Message-ID: <20020722132244.GC5668@faui02>

On Mon, Jul 22, 2002 at 10:57:46PM +1000, Darren Tucker wrote:
> As promised, here is what I needed to do to get the regression tests to
> work on AIX & HPUX. It goes into a bit of detail in the hope that others

thx!

> One other thing: do authorized_keys_root, copy.1 and copy.2 need to be
> in CVS?

no.

> DATA=/bin/ls
> COPY=${OBJ}/copy
>
> +cat >`pwd`/batch < - echo proxycommand ${SSHD} -i -f $OBJ/sshd_proxy
> + echo proxycommand ${SUDO} ${SSHD} -i -f $OBJ/sshd_proxy

sshd only works as 'root' for you? this is probably required for PAM. the ${SUDO} should not be necessary on all systems.

-m

From markus at openbsd.org Mon Jul 22 23:24:32 2002
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 22 Jul 2002 15:24:32 +0200
Subject: [Patch] Improve portability of regression tests
In-Reply-To: <3D3C014A.B311EFAC@zip.com.au>
References: <3D3C014A.B311EFAC@zip.com.au>
Message-ID: <20020722132432.GD5668@faui02>

On Mon, Jul 22, 2002 at 10:57:46PM +1000, Darren Tucker wrote:
> * prereqs (pmake, md5sum)

md5 should just be needed to generate some random content for files.

	cp /dev/null ${DATA}
	for i in 1 2 3 4 5 6; do
		(date;echo $i) | md5 >> ${DATA}
	done

md5 is not really needed.

From bugzilla-daemon at mindrot.org Mon Jul 22 23:39:11 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 22 Jul 2002 23:39:11 +1000 (EST)
Subject: [Bug 345] w (uptime) command still indicates user is logged in after logout
Message-ID: <20020722133911.7C367E92B@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=345

------- Additional Comments From Lutz.Jaenicke at aet.TU-Cottbus.DE 2002-07-22 23:39 -------

More inputs: The problem appears only with privilege separation enabled; it does not appear without privsep.

I have added some debugging information, and it seems that the difference between privsep and not is that without privsep the utmp(x) modifications are performed by 2 processes: the login is performed by the process that is the child (later becoming the shell), while the logout is handled by the sshd process. With privsep enabled, both login and logout are handled by the same sshd process (thus pututxline() is called from the same process).

I don't know to what extent this influences the process, as the pututxline() function is not open source. Maybe some state information is incorrectly handled, such that the second pututxline() process does handle /etc/utmpx but then has a problem with the /etc/utmp update. This is however just a guess until now.

As it seems to me now, it is more a problem caused by HP-UX than a problem of OpenSSH.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From dtucker at zip.com.au Tue Jul 23 00:07:41 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 23 Jul 2002 00:07:41 +1000
Subject: [Patch] Improve portability of regression tests
References: <3D3C014A.B311EFAC@zip.com.au> <20020722132244.GC5668@faui02>
Message-ID: <3D3C11AD.685105EA@zip.com.au>

Markus Friedl wrote:
> > +cat >`pwd`/batch < please use ${OBJ}/batch instead,
> ${OBJ} points to a temporary directory (or it should).

OK, will do.

> sshd only works as 'root' for you? this is probably required
> for PAM. the ${SUDO} should not be necessary on
> all systems.

What about making it conditional on uname = AIX or something?

AIX doesn't have PAM. It seems to be the call to loginrestrictions() in auth.c. The man page doesn't say that root privs are needed but I suspect they are. Without them, you get the following in the syslog:

"Login restricted for dtucker: Your account has been locked; please see the system administrator."

It's lying.

> > * prereqs (pmake, md5sum)
> md5 should just be needed to generate some random content
> for files.

md5 is not a big deal to install once you know where to look. I just mentioned it in case anyone else needs it.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.

From mouring at etoh.eviladmin.org Tue Jul 23 00:21:23 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 22 Jul 2002 09:21:23 -0500 (CDT)
Subject: [Patch] Improve portability of regression tests
In-Reply-To: <3D3C11AD.685105EA@zip.com.au>
Message-ID:

On Tue, 23 Jul 2002, Darren Tucker wrote:

> Markus Friedl wrote:
> > > +cat >`pwd`/batch < > please use ${OBJ}/batch instead,
> > ${OBJ} points to a temporary directory (or it should).
>
> OK, will do.
>
> > sshd only works as 'root' for you? this is probably required
> > for PAM. the ${SUDO} should not be necessary on
> > all systems.
>
> What about making it conditional on uname = AIX or something?
>

avoid uname. Unless you have a clause for platforms lacking uname. There are older systems that just plain don't have it (Thank you Steven Jobs.. We love you Steven Jobs.. ).

- Ben

From binder at arago.de Tue Jul 23 00:56:51 2002
From: binder at arago.de (Thomas Binder)
Date: Mon, 22 Jul 2002 16:56:51 +0200
Subject: Patch: Solaris packages don't create privsep user or group
In-Reply-To: <3D336DD6.C8385F34@zip.com.au>; from dtucker@zip.com.au on Tue, Jul 16, 2002 at 10:50:30AM +1000
References: <3D334845.96AB7A0B@zip.com.au> <3D336DD6.C8385F34@zip.com.au>
Message-ID: <20020722165651.A6998839@ohm.arago.de>

Hi!

On Tue, Jul 16, 2002 at 10:50:30AM +1000, Darren Tucker wrote:
> OK I can confirm that it does NOT work with Jumpstart. useradd
> and groupadd try to modify the read-only files on the jumpstart
> NFS image.
>
> Should we:
> (a) move them to the /etc/init.d/openssh script same as the keygens
> (b) attempt to hand-hack $PKG_INSTALL_ROOT/etc/passwd
> (c) chroot tricks?
> (d) ?

(c) /usr/sbin/chroot "$PKG_INSTALL_ROOT" "$PKG_INSTALL_ROOT/usr/sbin/useradd" [...]

seems to work flawlessly. Of course, this assumes that useradd is already installed in the target environment, but as useradd's part of SUNWcsu, it's quite unlikely it isn't.

One could also think about

(d) use sed/awk class (un)install scripts for /etc/passwd and /etc/group

This is similar to (b), but IMO a "cleaner" approach.

Ciao

Thomas

From binder at arago.de Tue Jul 23 01:11:16 2002
From: binder at arago.de (Thomas Binder)
Date: Mon, 22 Jul 2002 17:11:16 +0200
Subject: Patch: Solaris packages don't create privsep user or group
In-Reply-To: <20020722165651.A6998839@ohm.arago.de>; from binder@arago.de on Mon, Jul 22, 2002 at 04:56:51PM +0200
References: <3D334845.96AB7A0B@zip.com.au> <3D336DD6.C8385F34@zip.com.au> <20020722165651.A6998839@ohm.arago.de>
Message-ID: <20020722171116.A7023934@ohm.arago.de>

Hi!

On Mon, Jul 22, 2002 at 04:56:51PM +0200, Thomas Binder wrote:
> (c) /usr/sbin/chroot "$PKG_INSTALL_ROOT" "$PKG_INSTALL_ROOT/usr/sbin/useradd" [...]

Oops, one "$PKG_INSTALL_ROOT" too much here ... Should of course have been

/usr/sbin/chroot "$PKG_INSTALL_ROOT" /usr/sbin/useradd [...]

Ciao

Thomas

From leigh at solinno.co.uk Tue Jul 23 01:18:41 2002
From: leigh at solinno.co.uk (Leigh Brown)
Date: Mon, 22 Jul 2002 16:18:41 +0100 (BST)
Subject: AIX hang problem again (was Re: Testing Call)
In-Reply-To: <3077.158.152.5.90.1027171890.squirrel@lbbrown.homeip.net>
References: <45568.193.133.92.239.1026993429.squirrel@lbbrown.homeip.net> <3077.158.152.5.90.1027171890.squirrel@lbbrown.homeip.net>
Message-ID: <42227.193.133.92.239.1027351121.squirrel@lbbrown.homeip.net>

I wrote:
> Ben Lindstrom wrote:
>> On Thu, 18 Jul 2002, Leigh Brown wrote:
>>> How about the attached patch? I could wrap #ifdef _AIX around the
>>> wfd_isatty member definition and initialisation if required, but I
>>> don't think it causes any harm as it is.
>>
>> I need to verify does this affect 5L?
>
> I'll check a 5L box on Monday.

The bug does indeed affect AIX 5L (the box I tested is running 5.1.0.0). Luckily, the fix still works :-)

Cheers,

Leigh.

From mouring at etoh.eviladmin.org Tue Jul 23 01:15:24 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 22 Jul 2002 10:15:24 -0500 (CDT)
Subject: AIX hang problem again (was Re: Testing Call)
In-Reply-To: <42227.193.133.92.239.1027351121.squirrel@lbbrown.homeip.net>
Message-ID:

Applied. Thanks.

On Mon, 22 Jul 2002, Leigh Brown wrote:

> I wrote:
> > Ben Lindstrom wrote:
> >> On Thu, 18 Jul 2002, Leigh Brown wrote:
> >>> How about the attached patch? I could wrap #ifdef _AIX around the
> >>> wfd_isatty member definition and initialisation if required, but I
> >>> don't think it causes any harm as it is.
> >>
> >> I need to verify does this affect 5L?
> >
> > I'll check a 5L box on Monday.
>
> The bug does indeed affect AIX 5L (the box I tested is running 5.1.0.0).
> Luckily, the fix still works :-)
>
> Cheers,
>
> Leigh.
>

From mouring at etoh.eviladmin.org Tue Jul 23 01:18:00 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 22 Jul 2002 10:18:00 -0500 (CDT)
Subject: Antwort: Re: Problem with SSHD-Daemon (OpenSSH)
In-Reply-To:
Message-ID:

On Mon, 22 Jul 2002 Michael.Galonska at sskm.de wrote:

>
> Hi Ben,
>
> here is the output from sshd -d -d -d:
>
> mvs2:sygm:/usr/local/sbin:#./sshd -d -d -d
> debug3: Reading output from 'ls -alni /var/log'
> debug3: Time elapsed: 459 msec
> debug2: Command 'ls -alni /var/log' timed out
                                      ^^^^^^^^

Fix your ssh_prng_cmds file so you don't get timeouts.

- Ben

From kumareshind at gmx.net Tue Jul 23 01:55:35 2002
From: kumareshind at gmx.net (kumar)
Date: Mon, 22 Jul 2002 21:25:35 +0530
Subject: Kerberos-4 client configuration
Message-ID: <010b01c23198$3b779d40$390110ac@kovaiteam>

Hi all,

I want to configure Kerberos as the authenticating service for Secure Shell. I am using a Linux machine as the KDC.
I have successfully configured the server (Linux machine) as KDC.
My client machine is HP-UX Version 11.11.
Now when I initialize the client for kerberos by running "kinit" in the HP-UX machine (client), it displays
"kinit: Time is out of bounds (krb_rd_req)".
Documents educated me to use NTP to synchronize the time of the server and the client. I could run service "ntpd" in server (Linux machine).
So anybody please educate me how to synchronize the two machines' time so that I can use the kerberos service.

Thanks in advance.
-Kumaresh.

From mouring at etoh.eviladmin.org Tue Jul 23 01:45:19 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 22 Jul 2002 10:45:19 -0500 (CDT)
Subject: Kerberos-4 client configuration
In-Reply-To: <010b01c23198$3b779d40$390110ac@kovaiteam>
Message-ID:

One normally runs ntpd on every machine and configures it to fetch time from one of the atomic clocks. That should keep your machines in sync enough for Kerb not to whine.

- Ben

On Mon, 22 Jul 2002, kumar wrote:

> Hi all,
>
> I want to configure Kerberos as the authenticating service for Secure
> Shell. I am using a Linux machine as the KDC.
> I have successfully configured the server (Linux machine) as KDC.
> My client machine is HP-UX Version 11.11.
> Now when I initialize the client for kerberos by running "kinit" in the
> HP-UX machine (client), it displays
> "kinit: Time is out of bounds (krb_rd_req)".
> Documents educated me to use NTP to synchronize the time of the server and
> the client. I could run service "ntpd" in server (Linux machine).
> So anybody please educate me how to synchronize the two machines' time so
> that I can use the kerberos service.
>
> Thanks in advance.
> -Kumaresh.
>
>
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From jmknoble at pobox.com Tue Jul 23 02:16:53 2002
From: jmknoble at pobox.com (Jim Knoble)
Date: Mon, 22 Jul 2002 12:16:53 -0400
Subject: Kerberos-4 client configuration
In-Reply-To: ; from mouring@etoh.eviladmin.org on Mon, Jul 22, 2002 at 10:45:19AM -0500
References: <010b01c23198$3b779d40$390110ac@kovaiteam>
Message-ID: <20020722121653.J30965@zax.half.pint-stowp.cx>

Circa 2002-Jul-22 10:45:19 -0500 dixit Ben Lindstrom:

: One normally runs ntpd on every machine and configures it to fetch time
: from one of the atomic clocks.

(Or preferably from one of the publicly available Stratum 2 servers, to be polite: http://www.eecis.udel.edu/~mills/ntp/servers.htm ).

-- 
jim knoble | jmknoble at pobox.com | http://www.pobox.com/~jmknoble/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

From kumareshind at gmx.net Tue Jul 23 04:06:04 2002
From: kumareshind at gmx.net (kumar)
Date: Mon, 22 Jul 2002 23:36:04 +0530
Subject: Kerberos-4 client configuration
References:
Message-ID: <014c01c231aa$76319f00$390110ac@kovaiteam>

Thanks for all your responses. I could manage to sync the time. But I found trouble in making the services communicate through Kerberos.
Is any good tutorial available for kerberos authentication setup?
I am using a tutorial http://www.pdc.kth.se/kth-krb/doc/kth-krb_4.html
This helped me more to set the server and the client.
The above tutorial contains one piece of info like this:
-----------------------------------------------------------------------------------
"If no matching realm is found in `krb.realms', DNS is searched for the correct realm. For example, if we are looking for host `a.b.c', `krb4-realm.a.b.c' is first tried and then `krb4-realm.b.c' and so on. The entry should be a TXT record containing the name of the realm, such as:

krb4-realm.pdc.kth.se. 7200 TXT "NADA.KTH.SE"
-----------------------------------------------------------------------------------
Where should we add this line? To what file do we have to add this line?
I am using a client machine running HP-UX (11.11), kerberos-IV, Version 1.1.4. Server Linux (2.4.17), kerberos-IV version 1.1.4 as the server. Do we have to add any entry in DNS to use kerberos?

thanks,
Kumaresh

>
> One normally runs ntpd on every machine and configures it to fetch time
> from one of the atomic clocks. That should keep your machines in sync
> enough for Kerb not to whine.
>
> - Ben
>
> On Mon, 22 Jul 2002, kumar wrote:
>
> > Hi all,
> >
> > I want to configure Kerberos as the authenticating service for Secure
> > Shell. I am using a Linux machine as the KDC.
> > I have successfully configured the server (Linux machine) as KDC.
> > My client machine is HP-UX Version 11.11.
> > Now when I initialize the client for kerberos by running "kinit" in the
> > HP-UX machine (client), it displays
> > "kinit: Time is out of bounds (krb_rd_req)".
> > Documents educated me to use NTP to synchronize the time of the server and
> > the client. I could run service "ntpd" in server (Linux machine).
> > So anybody please educate me how to synchronize the two machines' time so
> > that I can use the kerberos service.
> >
> > Thanks in advance.
> > -Kumaresh.
> >
> >
> >
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >

From tim at multitalents.net Tue Jul 23 07:04:09 2002
From: tim at multitalents.net (Tim Rice)
Date: Mon, 22 Jul 2002 14:04:09 -0700 (PDT)
Subject: Patch: Solaris packages don't create privsep user or group
In-Reply-To: <20020722171116.A7023934@ohm.arago.de>
Message-ID:

On Mon, 22 Jul 2002, Thomas Binder wrote:

> Hi!
>
> On Mon, Jul 22, 2002 at 04:56:51PM +0200, Thomas Binder wrote:
> > (c) /usr/sbin/chroot "$PKG_INSTALL_ROOT" "$PKG_INSTALL_ROOT/usr/sbin/useradd" [...]
>
> Oops, one "$PKG_INSTALL_ROOT" too much here ... Should of course
> have been
>
> /usr/sbin/chroot "$PKG_INSTALL_ROOT" /usr/sbin/useradd [...]

Already in CVS.

-- 
Tim Rice Multitalents (707) 887-1469
tim at multitalents.net

From wendyp at cray.com Tue Jul 23 07:37:24 2002
From: wendyp at cray.com (Wendy Palm)
Date: Mon, 22 Jul 2002 16:37:24 -0500
Subject: address = xmmap(size);
References:
Message-ID: <3D3C7B14.59EDAD12@cray.com>

is there a reason that the xmmap() declaration is inside the #ifdef HAVE_SYS_MMAN_H ?

crays don't have sys/mman.h, but need xmmap declared. shouldn't everyone?

wendy

Tim Rice wrote:
>
> On Fri, 19 Jul 2002, Ayamura KIKUCHI wrote:
>
> > monitor_mm.c, line = 94 in openssh-SNAP-20020718
> >
> > A value of type "int" cannot be assigned to an entity of type "void *".
> >
> >   address = xmmap(size);
> >           ^
>
> Oops, forgot to declare xmmap(). Thanks for catching that.
> Should be in the next SNAP
>
> >
> > -- ayamura
> > Ayamura KIKUCHI, M.D., Ph.D.
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
>
> --
> Tim Rice Multitalents (707) 887-1469
> tim at multitalents.net
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From mouring at etoh.eviladmin.org Tue Jul 23 07:30:45 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 22 Jul 2002 16:30:45 -0500 (CDT)
Subject: address = xmmap(size);
In-Reply-To: <3D3C7B14.59EDAD12@cray.com>
Message-ID:

Should be #ifdef HAVE_MMAP.  I'll glance at it when I get home if Tim does
not get to it before hand.

- Ben

On Mon, 22 Jul 2002, Wendy Palm wrote:

> is there a reason that the xmmap() declaration is inside
> the #ifdef HAVE_SYS_MMAN_H ?
>
> crays don't have sys/mman.h, but need xmmap declared.
> shouldn't everyone?
>
> wendy
>
> Tim Rice wrote:
> >
> > On Fri, 19 Jul 2002, Ayamura KIKUCHI wrote:
> >
> > > monitor_mm.c, line = 94 in openssh-SNAP-20020718
> > >
> > > A value of type "int" cannot be assigned to an entity of type "void *".
> > >
> > >     address = xmmap(size);
> > >               ^
> >
> > Oops, forgot to declare xmmap(). Thanks for catching that.
> > Should be in the next SNAP
> >
> > > -- ayamura
> > > Ayamura KIKUCHI, M.D., Ph.D.
> >
> > --
> > Tim Rice				Multitalents	(707) 887-1469
> > tim at multitalents.net
>
> --
> wendy palm
> Cray OS Sustaining Engineering, Cray Inc.
> wendyp at cray.com, 651-605-9154

From bugzilla-daemon at mindrot.org Tue Jul 23 08:37:13 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 23 Jul 2002 08:37:13 +1000 (EST)
Subject: [Bug 367] New: patches for Cray port
Message-ID: <20020722223713.05DECE950@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=367

           Summary: patches for Cray port
           Product: Portable OpenSSH
           Version: -current
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Miscellaneous
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: wendyp at cray.com

attached please find the patches required for the port to Cray
Unicos/Unicosmk systems as of 0722 snapshot.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From bugzilla-daemon at mindrot.org Tue Jul 23 08:38:40 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 23 Jul 2002 08:38:40 +1000 (EST)
Subject: [Bug 367] patches for Cray port
Message-ID: <20020722223840.3D738E987@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=367

------- Additional Comments From wendyp at cray.com  2002-07-23 08:38 -------
Created an attachment (id=134)
cray patches

From bugzilla-daemon at mindrot.org Tue Jul 23 08:40:33 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 23 Jul 2002 08:40:33 +1000 (EST)
Subject: [Bug 96] bsd-cray.h modifications to allow correct UNICOS execution
Message-ID: <20020722224033.A55C5E98F@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=96

wendyp at cray.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From wendyp at cray.com  2002-07-23 08:40 -------
superseded by 367.

From bugzilla-daemon at mindrot.org Tue Jul 23 08:41:51 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 23 Jul 2002 08:41:51 +1000 (EST)
Subject: [Bug 100] serverloop.c modifications for correct UNICOS behavior
Message-ID: <20020722224151.29227E99D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=100

wendyp at cray.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From wendyp at cray.com  2002-07-23 08:41 -------
superseded by bug 367.

From bugzilla-daemon at mindrot.org Tue Jul 23 08:45:47 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 23 Jul 2002 08:45:47 +1000 (EST)
Subject: [Bug 99] auth2.c modifications for correct UNICOS behavior
Message-ID: <20020722224547.EB0BEE9B0@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=99

wendyp at cray.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From wendyp at cray.com  2002-07-23 08:45 -------
superseded by bug 367.

From bugzilla-daemon at mindrot.org Tue Jul 23 08:42:43 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 23 Jul 2002 08:42:43 +1000 (EST)
Subject: [Bug 224] configure.ac changes for crays
Message-ID: <20020722224243.E08B3E9A2@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=224

wendyp at cray.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From wendyp at cray.com  2002-07-23 08:42 -------
superseded by bug 367

From bugzilla-daemon at mindrot.org Tue Jul 23 08:43:30 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 23 Jul 2002 08:43:30 +1000 (EST)
Subject: [Bug 98] auth1.c modifications for correct UNICOS behavior
Message-ID: <20020722224330.7476DE99D@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=98

wendyp at cray.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From wendyp at cray.com  2002-07-23 08:43 -------
superseded by bug 367.

From bugzilla-daemon at mindrot.org Tue Jul 23 08:44:44 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 23 Jul 2002 08:44:44 +1000 (EST)
Subject: [Bug 101] session.c modifications for correct UNICOS behavior
Message-ID: <20020722224444.2BF01E993@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=101

wendyp at cray.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From wendyp at cray.com  2002-07-23 08:44 -------
superseded by bug 367

From bugzilla-daemon at mindrot.org Tue Jul 23 08:46:30 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 23 Jul 2002 08:46:30 +1000 (EST)
Subject: [Bug 103] new openbsd-compat/bsd-cray.c file
Message-ID: <20020722224630.E0F2FE9AE@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=103

wendyp at cray.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Additional Comments From wendyp at cray.com  2002-07-23 08:46 -------
superseded by bug 367.

From mouring at etoh.eviladmin.org Tue Jul 23 09:09:10 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 22 Jul 2002 18:09:10 -0500 (CDT)
Subject: [Bug 367] patches for Cray port
In-Reply-To: <20020722223840.3D738E987@shitei.mindrot.org>
Message-ID:

Two questions.

1 - is openbsd-compat/bsd-cray.[ch] going away now?

2 - Where is USE_[UW]TMP used?  They are defined, but never seem to be
used.

- Ben

On Tue, 23 Jul 2002 bugzilla-daemon at mindrot.org wrote:

> http://bugzilla.mindrot.org/show_bug.cgi?id=367
>
> ------- Additional Comments From wendyp at cray.com  2002-07-23 08:38 -------
> Created an attachment (id=134)
> cray patches
>

From bugzilla-daemon at mindrot.org Tue Jul 23 09:35:52 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 23 Jul 2002 09:35:52 +1000 (EST)
Subject: [Bug 367] patches for Cray port
Message-ID: <20020722233552.CD594E9AF@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=367

------- Additional Comments From mouring at eviladmin.org  2002-07-23 09:35 -------
 - (bal) [configure.ac defines.h loginrec.c sshd.c sshpty.c] Partial sync
   with Cray (mostly #ifdef renaming).  Patch by wendyp at cray.com.

Partial sync to start with.

From kumareshind at gmx.net Tue Jul 23 13:54:18 2002
From: kumareshind at gmx.net (kumar)
Date: Tue, 23 Jul 2002 09:24:18 +0530
Subject: [Patch] Improve portability of regression tests
References: <3D3C014A.B311EFAC@zip.com.au>
Message-ID: <005301c231fc$a2a95080$390110ac@kovaiteam>

Hello All,

I want to test OpenSSH in HP-UX box. Regarding regression tests, does anyone
have the test scripts.

thanks in advance,
Kumaresh.

> Hello All.
> As promised, here is what I needed to do to get the regression tests to
> work on AIX & HPUX.  It goes into a bit of detail in the hope that others
> might be able to get them running on their platforms.  I've run these
> mods on AIX 4.3.3, HP-UX 11.00, Solaris 8, Redhat 7.3 and OpenBSD 3.0.
>
> The problems I encountered:
> * prereqs (pmake, md5sum)
> * bad directory owner/mode causing auth failures
> * echo -n doesn't always work
> * some "id"'s don't know -n or -u
> * some platforms have no /dev/stdin
> * some tests AIX fails when sshd runs as non-root user
> * path problems
>
> I used Markus' run-tests.sh script as a starting point.  This reduced
> the need for pmake.  I got md5sum from GNU textutils.  Useful pointers:
> md5sum: http://www.gnu.org/software/textutils/textutils.html
> [bp]make: http://www.crufty.net/ftp/pub/sjg/
>
> While testing I turned up LogLevel to DEBUG for the sshd under test.
> This showed "bad ownership or modes for directory" in syslog.  The
> regress directory and all of its parents must be owned by the testing
> user or root and must be mode 755 or stricter.  (Some of mine were owned
> by bin and group writable).
>
> Some tests use "echo -n" for a echoing without newline.  This left -n's
> in inconvenient places (eg known_hosts files).  I created a "echon"
> function in the test driver "test-exec.sh" that will (hopefully) work
> everywhere.
>
> I replaced "id -nu" with "whoami".  (Solaris' "id" doesn't know -u or
> -n).
>
> The sftp test uses /dev/stdin to send commands to sftp via the -b
> (batch) option.
Some platforms (eg AIX & HP-UX) don't have /dev/stdin or > equivalent. I moved the commands to a normal file. > > The call to loginrestricted() in auth.c fails when sshd is running as a > non-root user. I added a "${SUDO}" to ssh_proxy's ProxyCommand. You'll > need to define SUDO in test-exec.sh on AIX or some tests will fail. > > I had problems with paths, so I added more explicit ones. This may not > be necessary. > > One other thing: do authorized_keys_root, copy.1 and copy.2 need to be > in CVS? > > -- > Darren Tucker (dtucker at zip.com.au) > GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 > Good judgement comes with experience. Unfortunately, the experience > usually comes from bad judgement. ---------------------------------------------------------------------------- ---- > Index: regress/Makefile > =================================================================== > RCS file: /cvs/openssh/regress/Makefile,v > retrieving revision 1.1 > diff -u -r1.1 Makefile > --- regress/Makefile 1 May 2002 03:17:34 -0000 1.1 > +++ regress/Makefile 22 Jul 2002 12:33:34 -0000 > @@ -39,9 +39,10 @@ > ssh-keygen -yf t2.out | diff - ${.CURDIR}/rsa_openssh.pub > > t3: > - ssh-keygen -ef ${.CURDIR}/rsa_openssh.pub |\ > - ssh-keygen -if /dev/stdin |\ > + ssh-keygen -ef ${.CURDIR}/rsa_openssh.pub >${.CURDIR}/rsa_secsh.pub > + ssh-keygen -if ${.CURDIR}/rsa_secsh.pub | \ > diff - ${.CURDIR}/rsa_openssh.pub > + rm -f ${.CURDIR}/rsa_secsh.pub > > t4: > ssh-keygen -lf ${.CURDIR}/rsa_openssh.pub |\ > Index: regress/runtests.sh > =================================================================== > RCS file: /cvs/openssh/regress/runtests.sh,v > retrieving revision 1.1 > diff -u -r1.1 runtests.sh > --- regress/runtests.sh 1 May 2002 03:17:35 -0000 1.1 > +++ regress/runtests.sh 22 Jul 2002 12:33:42 -0000 
> @@ -1,13 +1,45 @@ > #!/bin/sh > > -TEST_SSH_SSH=../ssh > -TEST_SSH_SSHD=../sshd > -TEST_SSH_SSHAGENT=../ssh-agent > -TEST_SSH_SSHADD=../ssh-add > -TEST_SSH_SSHKEYGEN=../ssh-keygen > -TEST_SSH_SSHKEYSCAN=../ssh-keyscan > -TEST_SSH_SFTP=../sftp > -TEST_SSH_SFTPSERVER=../sftp-server > +pwd=`pwd` > +bindir=`dirname $pwd` > +PATH="$bindir:$PATH" > +export PATH > > -pmake > +TEST_SSH_TRACE=no # Enable for more detail in test > +TEST_SSH_QUIET=no # Suppress status output > +export TEST_SSH_TRACE TEST_SSH_QUIET > > +# Path to binaries to test > +TEST_SSH_SSH=$bindir/ssh > +TEST_SSH_SSHD=$bindir/sshd > +TEST_SSH_SSHAGENT=$bindir/ssh-agent > +TEST_SSH_SSHADD=$bindir/ssh-add > +TEST_SSH_SSHKEYGEN=$bindir/ssh-keygen > +TEST_SSH_SSHKEYSCAN=$bindir/ssh-keyscan > +TEST_SSH_SFTP=$bindir/sftp > +TEST_SSH_SFTPSERVER=$bindir/sftp-server > +export TEST_SSH_SSH TEST_SSH_SSHD TEST_SSH_SSHAGENT TEST_SSH_SSHADD > +export TEST_SSH_SSHKEYGEN TEST_SSH_SSHKEYSCAN TEST_SSH_SFTP TEST_SSH_SFTPSERVER > + > +if [ -x `which pmake` ]; then > + pmake > +else > + for test in connect \ > + proxy-connect \ > + connect-privsep \ > + proto-version \ > + proto-mismatch \ > + exit-status \ > + transfer \ > + stderr-data \ > + stderr-after-eof \ > + broken-pipe \ > + try-ciphers \ > + yes-head \ > + agent \ > + keyscan \ > + sftp \ > + forwarding ; do > + sh test-exec.sh $pwd $pwd/${test}.sh > + done > +fi > Index: regress/sftp.sh > =================================================================== > RCS file: /cvs/openssh/regress/sftp.sh,v > retrieving revision 1.1 > diff -u -r1.1 sftp.sh > --- regress/sftp.sh 1 May 2002 03:17:35 -0000 1.1 > +++ regress/sftp.sh 22 Jul 2002 12:33:42 -0000 > @@ -6,6 +6,12 @@ > DATA=/bin/ls > COPY=${OBJ}/copy > > +cat >`pwd`/batch < +version > +get $DATA ${COPY}.1 > +put $DATA ${COPY}.2 > +EOF > + > BUFFERSIZE="5 1000 32000 64000" > REQUESTS="1 2 10" 
> > @@ -13,12 +19,8 @@ > for R in ${REQUESTS}; do > verbose "test $tid: buffer_size $B num_requests $R" > rm -f ${COPY}.1 ${COPY}.2 > - ${SFTP} -P ${SFTPSERVER} -B $B -R $R -b /dev/stdin \ > - > /dev/null 2>&1 << EOF > - version > - get $DATA ${COPY}.1 > - put $DATA ${COPY}.2 > -EOF > + ${SFTP} -P ${SFTPSERVER} -B $B -R $R -b `pwd`/batch \ > + > /dev/null 2>&1 > r=$? > if [ $r -ne 0 ]; then > fail "sftp failed with $r" > @@ -27,3 +29,5 @@ > cmp $DATA ${COPY}.2 || fail "corrupted copy after put" > done > done > + > +rm -f `pwd`/batch > Index: regress/ssh-com.sh > =================================================================== > RCS file: /cvs/openssh/regress/ssh-com.sh,v > retrieving revision 1.1 > diff -u -r1.1 ssh-com.sh > --- regress/ssh-com.sh 1 May 2002 03:17:35 -0000 1.1 > +++ regress/ssh-com.sh 22 Jul 2002 12:33:42 -0000 > @@ -63,7 +63,7 @@ > > # convert and append DSA hostkey > ( > - echo -n 'ssh2-localhost-with-alias,127.0.0.1,::1 ' > + echon 'ssh2-localhost-with-alias,127.0.0.1,::1 ' > ${SSHKEYGEN} -if ${SRC}/dsa_ssh2.pub > ) >> $OBJ/known_hosts > > Index: regress/test-exec.sh > =================================================================== > RCS file: /cvs/openssh/regress/test-exec.sh,v > retrieving revision 1.1 > diff -u -r1.1 test-exec.sh > --- regress/test-exec.sh 1 May 2002 03:17:35 -0000 1.1 > +++ regress/test-exec.sh 22 Jul 2002 12:33:42 -0000 > @@ -2,7 +2,7 @@ > # Placed in the Public Domain. > > PORT=4242 > -USER=`id -un` > +USER=`whoami` > SUDO= > #SUDO=sudo > > @@ -72,6 +72,18 @@ > #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER > > # helper > +echon() > +{ > + if [ "x`echo -n`" = "x" ]; then > + echo -n "$@" > + elif [ "x`/bin/echo '\c'`" = "x" ]; then > + /bin/echo "$@\c" > + else > + fatal "Don't know how to echo without newline." > + fi > + > +} > + > cleanup () > { > if [ -f $PIDFILE ]; then 
> @@ -111,7 +123,7 @@ > > fatal () > { > - echo -n "FATAL: " > + echon "FATAL: " > fail "$@" > cleanup > exit $RESULT > @@ -169,7 +181,7 @@ > > # known hosts file for client > ( > - echo -n 'localhost-with-alias,127.0.0.1,::1 ' > + echon 'localhost-with-alias,127.0.0.1,::1 ' > cat $OBJ/$t.pub > ) >> $OBJ/known_hosts > > @@ -189,7 +201,7 @@ > # create a proxy version of the client config > ( > cat $OBJ/ssh_config > - echo proxycommand ${SSHD} -i -f $OBJ/sshd_proxy > + echo proxycommand ${SUDO} ${SSHD} -i -f $OBJ/sshd_proxy > ) > $OBJ/ssh_proxy > > # check proxy config > > > From tim at multitalents.net Tue Jul 23 14:33:36 2002 From: tim at multitalents.net (Tim Rice) Date: Mon, 22 Jul 2002 21:33:36 -0700 (PDT) Subject: impedence mismatch between openssh 3.4p1 and openssl 0.9.6d on SCO OpenServer 3.2 5.0.6 In-Reply-To: <1027308581.13524.20.camel@gauss> Message-ID: On 21 Jul 2002, Fred Obermann wrote: > Hi, I have been trying to build openssh 3.4p1 on SCO Open Server xxx > It requires the libcrypto.a library produced by OpenSSL. > > So, I downloaded and installed OpenSSL 0.9.6d. Do you have rs506a loaded? Did you install in /usr/local/ssl ? Did OpenSSL's make test pass? Have you tried a current snapshot? BTW it works fine here ... tim at sco506e 7% /usr/local/ssl/bin/openssl version OpenSSL 0.9.6d 9 May 2002 tim at sco506e 8% ./ssh -V OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f tim at sco506e 9% uname -a SCO_SV sco506e 3.2 5.0.6 i386 ... -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From fredo at aracnet.com Tue Jul 23 15:23:21 2002 
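Review bot: in the regress/Makefile t3 hunk the intermediate rsa_secsh.pub is written into ${.CURDIR}, the source directory, and is only removed when the diff succeeds; make stops at the failing diff command, so the `rm -f` line never runs and the stale file is left in the source tree for the next run. Write it as a bare path in the build directory, as the `ssh-keygen -yf t2.out` line above it already does, and remove it whatever the comparison result, e.g. `ssh-keygen -if rsa_secsh.pub | diff - ${.CURDIR}/rsa_openssh.pub; r=$$?; rm -f rsa_secsh.pub; exit $$r`.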
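Review bot: the `if [ -x `which pmake` ]` test in the regress/runtests.sh hunk does not detect a missing pmake: when `which` prints nothing, `[ -x ]` is the one-argument form of test and is true, so the script runs pmake anyway and fails, and on systems whose `which` prints "no pmake in ..." to stdout the test receives several words and is a syntax error. Use `if command -v pmake >/dev/null 2>&1; then`. The fallback loop also discards the exit status of each `sh test-exec.sh` run, so the script's own status reflects only the last test; record failures with `sh test-exec.sh $pwd $pwd/${test}.sh || failed=1` and `exit ${failed:-0}` after the loop.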
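Review bot: the batch file in the regress/sftp.sh hunk is created as `pwd`/batch while the copies go to ${COPY} under ${OBJ}; if the directory the test is started from is not writable, or is not ${OBJ}, the `cat` fails before the loop starts. Define `BATCH=${OBJ}/batch` next to COPY and use it in the cat, in the `-b` argument and in the final `rm -f`. Also check the patch as applied: the `+cat >`pwd`/batch < +version` line as quoted here has lost its here-document operator and delimiter while the closing `+EOF` line is present.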
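Review bot: the echon() added in the regress/test-exec.sh `@@ -72,6 +72,18 @@` hunk ends by calling fatal(), and fatal() is changed in the next hunk to call echon(); on a system where neither `echo -n` nor `/bin/echo '\c'` suppresses the newline the two recurse until the shell runs out of stack. printf is POSIX, is unaffected by the echo variants and removes the need for the probes: `echon() { printf '%s' "$*"; }`. If the probes are kept, the final branch should write its message to stderr and `exit 1` directly rather than going through fatal().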
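Review bot: in the `@@ -2,7 +2,7 @@` hunk `USER=`whoami`` replaces the POSIX form `id -un` with a command POSIX does not define; it is widely available, but the portable fix is to keep `id -un` and fall back only where it fails, e.g. `USER=`id -un 2>/dev/null || whoami``.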
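Review bot: in the `@@ -189,7 +201,7 @@` hunk the proxied sshd is now started as `${SUDO} ${SSHD} -i -f $OBJ/sshd_proxy` from ssh's ProxyCommand, which has no terminal; if sudo asks for a password the command blocks on a prompt nobody can answer and the test hangs instead of failing. The comment next to `#SUDO=sudo` should state that the test user needs a passwordless (NOPASSWD) sudo rule for ${SSHD}, or the script should verify non-interactively that sudo works before the first test when SUDO is set.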
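A portable version of the helpers the regression-test patch quoted in the [Patch] message above adds, as an added example that is neither Darren Tucker's patch nor OpenSSH's own regress scripts: echon() tries printf first so it can never recurse into fatal(), have_cmd() replaces the `[ -x `which pmake` ]` probe, and stray_dash_n() finds the "-n" entries that the message describes ending up in known_hosts files. sample_known_hosts() is a hypothetical helper that writes a constructed known_hosts file with a made-up key.

```shell
#!/bin/sh
# Added example, not part of the patch above: portability helpers for
# the OpenSSH regression scripts.

# echo without a trailing newline. printf is POSIX and does not treat
# "-n" as an option, so it is tried first; the two echo probes from the
# patch are only fallbacks. Failure is reported with a non-zero status
# rather than by calling fatal(), which in the patch calls echon() again.
echon()
{
	if [ "x`printf '%s' x 2>/dev/null`" = "xx" ]; then
		printf '%s' "$*"
	elif [ "x`echo -n`" = "x" ]; then
		echo -n "$@"
	elif [ "x`/bin/echo '\c'`" = "x" ]; then
		/bin/echo "$@\c"
	else
		echo "echon: cannot suppress the newline" >&2
		return 1
	fi
}

# Is a command (pmake, md5sum, ...) available? "[ -x `which cmd` ]" is
# true when which prints nothing, because "[ -x ]" is a one-argument test
# of a non-empty string. command -v is POSIX and fails for unknown names.
have_cmd()
{
	command -v "$1" >/dev/null 2>&1
}

# Detect the damage a non-suppressing "echo -n" leaves behind: a
# known_hosts line that begins with "-n " instead of a host name.
# Returns 0 if such a line exists in the file, 1 otherwise.
stray_dash_n()
{
	grep -q '^-n ' "$1"
}

# Hypothetical helper: build a constructed known_hosts file the way
# test-exec.sh appends hostkey lines (prefix without newline, then the
# key) and print its path. The key material is made up.
sample_known_hosts()
{
	f=${TMPDIR:-/tmp}/echon-demo.$$
	(
		echon 'localhost-with-alias,127.0.0.1,::1 '
		echo 'ssh-rsa AAAAB3NzaC1yc2E-constructed-key'
	) > "$f"
	echo "$f"
}
```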
From: fredo at aracnet.com (Fred Obermann)
Date: 22 Jul 2002 22:23:21 -0700
Subject: impedence mismatch between openssh 3.4p1 and openssl 0.9.6d on SCO OpenServer 3.2 5.0.6
In-Reply-To:
References:
Message-ID: <1027401668.3055.11.camel@gauss>

Hi Tim,
Thanks for your reply.

rs506a is installed
libcrypto.a is installed in /usr/local/ssl/
OpenSSL's make test did pass

On Mon, 2002-07-22 at 21:33, Tim Rice wrote:
> On 21 Jul 2002, Fred Obermann wrote:
>
> > Hi, I have been trying to build openssh 3.4p1 on SCO Open Server xxx
> > It requires the libcrypto.a library produced by OpenSSL.
> >
> > So, I downloaded and installed OpenSSL 0.9.6d.
>
> Do you have rs506a loaded?
> Did you install in /usr/local/ssl ?
> Did OpenSSL's make test pass?
> Have you tried a current snapshot?
>
> BTW it works fine here
> ...
> tim at sco506e 7% /usr/local/ssl/bin/openssl version
> OpenSSL 0.9.6d 9 May 2002
> tim at sco506e 8% ./ssh -V
> OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
> tim at sco506e 9% uname -a
> SCO_SV sco506e 3.2 5.0.6 i386
> ...
>
> --
> Tim Rice				Multitalents	(707) 887-1469
> tim at multitalents.net

From dtucker at zip.com.au Tue Jul 23 15:35:17 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Tue, 23 Jul 2002 15:35:17 +1000
Subject: [Patch] Improve portability of regression tests
References: <3D3C014A.B311EFAC@zip.com.au> <005301c231fc$a2a95080$390110ac@kovaiteam>
Message-ID: <3D3CEB15.F5F27A12@zip.com.au>

kumar wrote:
> I want to test OpenSSH in HP-UX box. Regarding regression tests, does anyone
> have the test scripts.

They're in the regress/ directory.  Basically:

1. Grab a snapshot or do "cvs update -dP"
2. Apply the patch in the previous message.
3. Rebuild configure ("make -f Makefile.in distprep")
4. ./configure && make
5. cd regress && sh runtests.sh

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From markus at openbsd.org Tue Jul 23 17:41:08 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 23 Jul 2002 09:41:08 +0200
Subject: Web-Proxy-Option?
In-Reply-To: <1027361720.21562.10.camel@johnh.apropos.com>
References: <20020722085236.GA2732@danisch.de> <20020722090740.GA5668@faui02> <1027361720.21562.10.camel@johnh.apropos.com>
Message-ID: <20020723074108.GC10537@faui02>

http://www.agroman.net/corkscrew/ for example.

From binder at arago.de Tue Jul 23 19:25:34 2002
From: binder at arago.de (Thomas Binder)
Date: Tue, 23 Jul 2002 11:25:34 +0200
Subject: Patch: Solaris packages don't create privsep user or group
In-Reply-To: ; from tim@multitalents.net on Mon, Jul 22, 2002 at 02:04:09PM -0700
References: <20020722171116.A7023934@ohm.arago.de>
Message-ID: <20020723112533.A5800071@ohm.arago.de>

Hi!

On Mon, Jul 22, 2002 at 02:04:09PM -0700, Tim Rice wrote:
> > /usr/sbin/chroot "$PKG_INSTALL_ROOT" /usr/sbin/useradd [...]
>
> Already in CVS.

OK, haven't checked that, sorry.

Ciao

Thomas

From Roumen.Petrov at skalasoft.com Tue Jul 23 21:58:11 2002
From: Roumen.Petrov at skalasoft.com (Roumen.Petrov at skalasoft.com)
Date: Tue, 23 Jul 2002 14:58:11 +0300
Subject: [Patch] Improve portability of regression tests
Message-ID: <3D3D44D3.4070508@skalasoft.com>

>
> On Mon, Jul 22, 2002 at 10:57:46PM +1000, Darren Tucker wrote:
> > * prereqs (pmake, md5sum)
>
> md5 should just be needed to generate some random content
> for files.
>

OpenSSH uses openssl. To generate random content we can use "openssl rand ".

>
> cp /dev/null ${DATA}
> for i in 1 2 3 4 5 6; do
>	(date;echo $i) | md5 >> ${DATA}
> done
>
> md5 is not really needed.
>

From pekkas at netcore.fi Tue Jul 23 22:12:21 2002
From: pekkas at netcore.fi (Pekka Savola)
Date: Tue, 23 Jul 2002 15:12:21 +0300 (EEST)
Subject: [Patch] Improve portability of regression tests
In-Reply-To: <3D3D44D3.4070508@skalasoft.com>
Message-ID:

On Tue, 23 Jul 2002 Roumen.Petrov at skalasoft.com wrote:
> > On Mon, Jul 22, 2002 at 10:57:46PM +1000, Darren Tucker wrote:
> > > * prereqs (pmake, md5sum)
> >
> > md5 should just be needed to generate some random content
> > for files.
> >
>
> OpenSSH uses openssl. To generate random content we can use "openssl rand
> ".

Wasting OpenSSL randomness may be a bit overkill here.  After all, the
output does not have to be randomly "secure".

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

From sidd_ait at rediffmail.com Tue Jul 23 23:37:19 2002
From: sidd_ait at rediffmail.com (siddharth sharma rajput)
Date: 23 Jul 2002 13:37:19 -0000
Subject: to override existing sshd daemon
Message-ID: <20020723133719.22077.qmail@webmail28.rediffmail.com>

An embedded and charset-unspecified text was scrubbed...
Name: not available
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020723/c3d8238e/attachment.ksh

From markus at openbsd.org Tue Jul 23 23:46:29 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 23 Jul 2002 15:46:29 +0200
Subject: to override existing sshd daemon
In-Reply-To: <20020723133719.22077.qmail@webmail28.rediffmail.com>
References: <20020723133719.22077.qmail@webmail28.rediffmail.com>
Message-ID: <20020723134629.GB23195@faui02>

how can you add new features if you don't know how to replace
the existing one?

On Tue, Jul 23, 2002 at 01:37:19PM -0000, siddharth sharma rajput wrote:
>
> hi ,
> to override the previous sshd daemon with
> the one i have installed using openssh
> what changes i will have to do
> in my red hat linux 7.1
> so that i can change existing code
> to add some new features and use my
> own server
>
> bye
> siddharth

From sopko at cs.unc.edu Tue Jul 23 23:54:26 2002
From: sopko at cs.unc.edu (John W. Sopko Jr.)
Date: Tue, 23 Jul 2002 09:54:26 -0400
Subject: Irix UseLogin wtmp/utmp bug
Message-ID: <3D3D6012.E6592062@cs.unc.edu>

I am using the "UseLogin yes" configuration parameter to call the
/usr/bin/login program on SGI Irix, (we are using Irix version 6.5.13).
I do this because the SGI login program is AFS aware and checks out a
token for you and I do not want to compile the Kerberos version of sshd,
(it is too messy for me to support).

Everything seems to work fine except the wtmp(x) and utmp(x) files do not
get updated?  The problem existed in openssh 3.0.2 I just upgraded to 3.4
and still have the problem.  Here is what I have found, if anyone has any
info that would be great else I will have to live with this:

The login program is execl'd in the session.c file using the execl() call:

----------
static void
launch_login(struct passwd *pw, const char *hostname)
{
	char *env_init[] = {"MYENV=null", NULL};

	/* Launch login(1). */

	fprintf(stderr, "X11 forwarding not supported with IRIX login.\n");
	fprintf(stderr, "Must enter password again to get AFS token,\n");

	/* execl(LOGIN_PROGRAM, "login", "-h", hostname, */
	execl(LOGIN_PROGRAM, "login",
#ifdef xxxLOGIN_NEEDS_TERM
	    (s->term ? s->term : "unknown"),
#endif /* LOGIN_NEEDS_TERM */
#ifdef LOGIN_NO_ENDOPT
	    /* "-p", "-f", pw->pw_name, (char *)NULL); */
	    pw->pw_name, (char *)NULL);
#else
	    /* "-p", "-f", "--", pw->pw_name, (char *)NULL); */
	    pw->pw_name, (char *)NULL);
#endif
----------

Note I made a few changes here since the SGI login program only supports
the following options, (from the sgi man page):

login(1)
NAME
     login - sign on
SYNOPSIS
     login [ -d device ] [ name [ environ ... ]]

After the ifdef's are applied above login gets called as:

	execl(LOGIN_PROGRAM, "login", pw->pw_name, (char *)NULL);

Which equates to "/usr/bin/login user_name".  When a user logs in the
login program gets executed, the user gets prompted twice for their
password, they get an AFS token.
The wtmp/utmp files are not updated and I cannot tell who is logged in or
has been logged in.  I think it is up to the SGI login program to update
these files at this point, not the sshd daemon.  If I do not use the
UseLogin option the sshd daemon updates the wtmp/utmp files just fine,
(but I do not get an AFS token).

I can call the /usr/bin/login program once I am logged into a session
that uses the UseLogin option and the wtmp/utmp files still do not get
updated!  But if I call /usr/bin/login from the command line while logged
into a sshd session that does NOT use UseLogin the wtmp/utmp files do get
updated.  This leads me to believe when the login program is execl'ed it
inherits the sshd environment variables and there is something that the
/usr/bin/login program detects that causes it not to update wtmp/utmp?

I tried to prove this by using the execle() call instead of execl().  The
execle() call allows you to pass a new environment in an array.  I set
the environment array to contain just one variable.  I was able to login
but this did not fix the problem!

I searched SGI's support for any updates to the /usr/bin/login program
and could not find anything.  Note that on SGI the /usr/bin/login program
is a link to /usr/lib/iaf/scheme.  I placed this program directly in the
execl call, execl("/usr/lib/iaf/scheme",... and this did not help.

I also tried to enable-- and disable-- the following configure
options, (which I could not find any documentation on), and this did not
help:

  --disable-utmp          disable use of utmp even if detected no
  --disable-utmpx         disable use of utmpx even if detected no
  --disable-wtmp          disable use of wtmp even if detected no
  --disable-wtmpx         disable use of wtmpx even if detected no

Any ideas out there?

--
John W. Sopko Jr.               University of North Carolina
email: sopko at cs.unc.edu        Computer Science Dept., CB 3175
Phone: 919-962-1844             Sitterson Hall; Room 135
Fax:   919-962-1799             Chapel Hill, NC 27599-3175

From tim at multitalents.net Wed Jul 24 00:11:24 2002
From: tim at multitalents.net (Tim Rice)
Date: Tue, 23 Jul 2002 07:11:24 -0700 (PDT)
Subject: impedence mismatch between openssh 3.4p1 and openssl 0.9.6d on SCO OpenServer 3.2 5.0.6
In-Reply-To: <1027401668.3055.11.camel@gauss>
Message-ID:

On 22 Jul 2002, Fred Obermann wrote:

> Hi Tim,
> Thanks for your reply.
>
> rs506a is installed
> libcrypto.a is installed in /usr/local/ssl/
> OpenSSL's make test did pass

Is libcrypto.a really installed in /usr/local/ssl/ or did you mean
that libcrypto.a is in /usr/local/ssl/lib ?

>
> On Mon, 2002-07-22 at 21:33, Tim Rice wrote:
> > On 21 Jul 2002, Fred Obermann wrote:
> >
> > > Hi, I have been trying to build openssh 3.4p1 on SCO Open Server xxx
> > > It requires the libcrypto.a library produced by OpenSSL.
> > >
> > > So, I downloaded and installed OpenSSL 0.9.6d.
> >
> > Do you have rs506a loaded?
> > Did you install in /usr/local/ssl ?
> > Did OpenSSL's make test pass?
> > Have you tried a current snapshot?
> >
> > BTW it works fine here
> > ...
> > tim at sco506e 7% /usr/local/ssl/bin/openssl version
> > OpenSSL 0.9.6d 9 May 2002
> > tim at sco506e 8% ./ssh -V
> > OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
> > tim at sco506e 9% uname -a
> > SCO_SV sco506e 3.2 5.0.6 i386
> > ...

--
Tim Rice				Multitalents	(707) 887-1469
tim at multitalents.net

From wendyp at cray.com Wed Jul 24 00:51:25 2002
From: wendyp at cray.com (Wendy Palm)
Date: Tue, 23 Jul 2002 09:51:25 -0500
Subject: [Bug 367] patches for Cray port
References:
Message-ID: <3D3D6D6D.A12CA798@cray.com>

Ben Lindstrom wrote:
>
> Two questions.
>
> 1 - is openbsd-compat/bsd-cray.[ch] going away now?

no, they are still necessary.  my error that it did not get included.
i will add an attachment.

>
> 2 - Where is USE_[UW]TMP used?  They are defined, but never seem to be
> used.

also my error.  left in from an earlier modification.  please ignore.

>
> - Ben
>
> On Tue, 23 Jul 2002 bugzilla-daemon at mindrot.org wrote:
>
> > http://bugzilla.mindrot.org/show_bug.cgi?id=367
> >
> > ------- Additional Comments From wendyp at cray.com  2002-07-23 08:38 -------
> > Created an attachment (id=134)
> > cray patches
> >

--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From bugzilla-daemon at mindrot.org Wed Jul 24 01:15:17 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 24 Jul 2002 01:15:17 +1000 (EST)
Subject: [Bug 367] patches for Cray port
Message-ID: <20020723151517.6A15BE923@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=367

------- Additional Comments From wendyp at cray.com  2002-07-24 01:15 -------
Created an attachment (id=135)
complete replacement of openbsd-compat/bsd-cray.c

From bugzilla-daemon at mindrot.org Wed Jul 24 01:16:06 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 24 Jul 2002 01:16:06 +1000 (EST)
Subject: [Bug 367] patches for Cray port
Message-ID: <20020723151606.926CFE923@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=367

------- Additional Comments From wendyp at cray.com  2002-07-24 01:16 -------
Created an attachment (id=136)
complete replacement of openbsd-compat/bsd-cray.h

From markus at openbsd.org Wed Jul 24 00:56:00 2002
From: markus at openbsd.org (Markus Friedl)
Date: Tue, 23 Jul 2002 16:56:00 +0200
Subject: [Patch] Improve portability of regression tests
In-Reply-To: <3D3D44D3.4070508@skalasoft.com>
References: <3D3D44D3.4070508@skalasoft.com>
Message-ID: <20020723145600.GA23631@folly>

yes, you could use

> >	(date;echo $i) | openssl md5 >> ${DATA}

From mouring at etoh.eviladmin.org Wed Jul 24 02:53:53 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 23 Jul 2002 11:53:53 -0500 (CDT)
Subject: [Bug 367] patches for Cray port
In-Reply-To: <20020723151517.6A15BE923@shitei.mindrot.org>

/*
 * bsd-cray.c
 *
 * (C) COPYRIGHT CRAY, INC.
 * ALL RIGHTS RESERVED.
 *
 * This file contains the functions required for proper execution
 * on UNICOS systems.
 *
 */

We are keeping the original 2-license BSD right? Or are we changing the
license?

- Ben

On Wed, 24 Jul 2002 bugzilla-daemon at mindrot.org wrote:

> http://bugzilla.mindrot.org/show_bug.cgi?id=367
>
> ------- Additional Comments From wendyp at cray.com 2002-07-24 01:15 -------
> Created an attachment (id=135)
> complete replacement of openbsd-compat/bsd-cray.c

From wendyp at cray.com Wed Jul 24 03:21:35 2002
From: wendyp at cray.com (Wendy Palm)
Date: Tue, 23 Jul 2002 12:21:35 -0500
Subject: [Bug 367] patches for Cray port
Message-ID: <3D3D909F.16F3B060@cray.com>

sorry, same license as other files.

Ben Lindstrom wrote:
>
> /*
>  * bsd-cray.c
>  *
>  * (C) COPYRIGHT CRAY, INC.
>  * ALL RIGHTS RESERVED.
>  *
>  * This file contains the functions required for proper execution
>  * on UNICOS systems.
>  *
>  */
>
> We are keeping the original 2-license BSD right? Or are we changing the
> license?
>
> - Ben
>
> On Wed, 24 Jul 2002 bugzilla-daemon at mindrot.org wrote:
>
> > http://bugzilla.mindrot.org/show_bug.cgi?id=367
> >
> > ------- Additional Comments From wendyp at cray.com 2002-07-24 01:15 -------
> > Created an attachment (id=135)
> > complete replacement of openbsd-compat/bsd-cray.c

--
wendy palm
Cray OS Sustaining Engineering, Cray Inc.
wendyp at cray.com, 651-605-9154

From kumareshind at gmx.net Wed Jul 24 03:13:52 2002
From: kumareshind at gmx.net (kumar)
Date: Tue, 23 Jul 2002 22:43:52 +0530
Subject: Kerberos V auth
Message-ID: <003901c2326f$4e5d4810$390110ac@kovaiteam>

Hello All,

I am using Kerberos V for auth. I am using HP-UX 11i. When I run kadmin it
prompts for a password, and when I enter the password it gives the following
error and aborts. Any help......

/usr/lib/dld.sl: Unresolved symbol: dce_g_ipv6_enabled (data) from /usr/lib/libd4r.1
/usr/lib/dld.sl: Unresolved module for symbol: getservbyname_r (code) from /opt/krb5/lib/libk5.sl
Abort(coredump)

Advance thanks
Kumaresh

From johnh at aproposretail.com Wed Jul 24 04:35:15 2002
From: johnh at aproposretail.com (John Hardin)
Date: 23 Jul 2002 11:35:15 -0700
Subject: Web-Proxy-Option?
In-Reply-To: <20020723074108.GC10537@faui02>
References: <20020722085236.GA2732@danisch.de> <20020722090740.GA5668@faui02> <1027361720.21562.10.camel@johnh.apropos.com> <20020723074108.GC10537@faui02>
Message-ID: <1027449315.26546.34.camel@johnh.apropos.com>

On Tue, 2002-07-23 at 00:41, Markus Friedl wrote:
> http://www.agroman.net/corkscrew/
>
> for example.

Sorry, I may have been unclear.

You stated that there were many SSH proxycommand scripts available. I
asked if there was a central list of them. (I like to ask
generally-informative questions like that on lists... :) A quick google
doesn't find any such resource.

Does the OpenSSH project maintain such a list on the main website? If
not, perhaps it should.

Or is there only an HTTP proxycommand so far?

Thanks.

--
John Hardin                                   Internal Systems Administrator
voice: (425) 672-1304        Apropos Retail Management Systems, Inc.
fax: (425) 672-0192
-----------------------------------------------------------------------
"To disable the Internet to save EMI and Disney is the moral equivalent
of burning down the library of Alexandria to ensure the livelihood of
monastic scribes."
                                  -- John Ippolito of the Guggenheim
-----------------------------------------------------------------------
304 days until The Matrix Reloaded

From mooney at dogbert.cc.ndsu.NoDak.edu Wed Jul 24 06:06:38 2002
From: mooney at dogbert.cc.ndsu.NoDak.edu (Tim Mooney)
Date: Tue, 23 Jul 2002 15:06:38 -0500 (CDT)
Subject: Irix UseLogin wtmp/utmp bug
In-Reply-To: <3D3D6012.E6592062@cs.unc.edu>

In regard to: Irix UseLogin wtmp/utmp bug, John W. Sopko Jr. said (at...:

>I think it is up to the SGI login program to update these files at this
>point, not the sshd daemon. If I do not use the UseLogin option the
>sshd daemon updated the wtmp/utmp files just fine, (but I do not get an
>AFS token).
>
>I can call the /usr/bin/login program once I am logged into a session
>that uses the UseLogin option and the wtmp/utmp files still do not get
>updated!
>
>But if I call /usr/bin/login from the command line while logged into a
>sshd session that does NOT use UseLogin the wtmp/utmp files do get
>updated.

I agree that it should be up to the SGI login program to update the
requisite files, and the fact that it works differently if you invoke it
after your login shell starts with UseLogin set does suggest that sshd
might be doing something that's tripping up /usr/bin/login.

Two suggestions:

1) Temporarily set

	UseLogin /tmp/login-script.sh

and have the script run the `env' command and dump that to some file.
That will get you what env your "login" program is seeing.

2) After setting UseLogin back to

	UseLogin /usr/bin/login

Use SGI's truss-equivalent, par, to trace the system calls that login is
executing on your behalf. That may help, or it might not.

The fact that you tried execle and a stripped environment and still
didn't get the utmp/wtmp accounting probably means it's not environment
related, but trying #1 anyway might be useful.

If you solve the problem, be sure to summarize to the list -- it's an
interesting one.

Tim
--
Tim Mooney                              mooney at dogbert.cc.ndsu.NoDak.edu
Information Technology Services         (701) 231-1076 (Voice)
Room 242-J6, IACC Building              (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164

From stuge-openssh-unix-dev at cdy.org Wed Jul 24 06:13:44 2002
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Tue, 23 Jul 2002 22:13:44 +0200
Subject: Web-Proxy-Option?
In-Reply-To: <1027449315.26546.34.camel@johnh.apropos.com>; from johnh@aproposretail.com on Tue, Jul 23, 2002 at 11:35:15AM -0700
References: <20020722085236.GA2732@danisch.de> <20020722090740.GA5668@faui02> <1027361720.21562.10.camel@johnh.apropos.com> <20020723074108.GC10537@faui02> <1027449315.26546.34.camel@johnh.apropos.com>
Message-ID: <20020723221344.A28021@foo.birdnet.se>

On Tue, Jul 23, 2002 at 11:35:15AM -0700, John Hardin wrote:
> On Tue, 2002-07-23 at 00:41, Markus Friedl wrote:
> > http://www.agroman.net/corkscrew/
> >
> > for example.
>
> Sorry, I may have been unclear.
>
> You stated that there were many SSH proxycommand scripts available. I
> asked if there was a central list of them. (I like to ask
> generally-informative questions like that on lists... :) A quick google
> doesn't find any such resource.

Try searching for "http proxy tunnel" on freshmeat.net, I got 10 hits where
at least four seem to do the desired thing.

The first hit on google on the same search is the program "httptunnel"..
Might or might not be what you want.

> Does the OpenSSH project maintain such a list on the main website? If
> not, perhaps it should.

Probably not, it's not OpenSSH specific.

> Or is there only an HTTP proxycommand so far?

ProxyCommand in OpenSSH is the means to use whatever proxying system you can
think of. OpenSSH doesn't care at all about what kind of system it is, and
doesn't have to, the exercise of finding or making a suitable client for
use with the ProxyCommand option is left to the reader.

It's a violently useful feature, I wish more software had it.

//Peter

From cawlfiel at austin.ibm.com Wed Jul 24 07:07:08 2002
From: cawlfiel at austin.ibm.com (cawlfiel)
Date: Tue, 23 Jul 2002 16:07:08 -0500
Subject: AIX and ADMCHG
Message-ID: <3D3DC57B.BA1B2885@austin.ibm.com>

In AIX, whenever a root user or a member of the security group changes a
user's password, the ADMCHG attribute is set which means that the next
time the user logs in, he will be forced to change his password.
However, ssh is currently ignoring ADMCHG.

I haven't seen any mention of this on the mailing list or Bugzilla, so
I'm considering writing a patch to correct this problem. Has anyone
else looked at this?

-----------------------

Kevin Cawlfield
AIX IP Security
cawlfiel at austin.ibm.com

-----------------------

From kevin at kevindegraaf.net Wed Jul 24 08:07:28 2002
From: kevin at kevindegraaf.net (Kevin DeGraaf)
Date: Tue, 23 Jul 2002 18:07:28 -0400 (EDT)
Subject: OpenSSH 3.4p1 hostbased auth - howto?

> Use ssh_known_hosts
> You will have to edit ssh_known_hosts
> Now the shosts.equiv file (does not need to be world readable)
> Not quite what you wanted to do.
> To fix box2, remove the keys and generate new keys.
> Each machine must have different keys.
> Now put the public key from all your machines in ssh_known_hosts and
> distribute ssh_known_hosts and shosts.equiv to each machine.

Okay, I removed all the old configuration and did this:

1. On m1.ohm.calvin.edu and m2.ohm.calvin.edu, I generated new hostkeys
(SSH1-RSA, SSH2-RSA, and SSH2-DSA).

2. On both machines, I created /etc/ssh/ssh_known_hosts:

m1,m1.ohm.calvin.edu,192.168.1.1 ssh-dsa AAAAB3Nza ... =
m2,m2.ohm.calvin.edu,192.168.1.2 ssh-dsa AAAAB3Nza ... =

3. On both machines, I created /etc/shosts.equiv:

m1
m2
m1.ohm.calvin.edu
m2.ohm.calvin.edu

4. On both machines, I created /etc/ssh/ssh_config:

Host *
HostbasedAuthentication yes

5. On both machines, I created /etc/ssh/sshd_config:

Port 22
Protocol 2

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

PermitRootLogin without-password

RhostsAuthentication yes
IgnoreRhosts no
HostbasedAuthentication yes

PermitEmptyPasswords no
ChallengeResponseAuthentication no

PrintMotd no
PrintLastLog no
UsePrivilegeSeparation yes

Subsystem sftp /usr/local/libexec/sftp-server

6. On both machines, I restarted sshd:

m1# service sshd restart
m2# service sshd restart

7. I attempted a passwordless, keyless, hostbased connection:

debug1: authentications that can continue: publickey,password,hostbased
debug1: next auth method to try is hostbased
debug1: Remote: Accepted for m1.ohm.calvin.edu [192.168.1.1] by /etc/hosts.equiv.
debug1: authentications that can continue: publickey,password,hostbased
debug1: Remote: Accepted for m1.ohm.calvin.edu [192.168.1.1] by /etc/hosts.equiv.
debug1: authentications that can continue: publickey,password,hostbased
debug1: userauth_hostbased: no more client hostkeys
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /home/kevin/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,hostbased
debug1: try privkey: /home/kevin/.ssh/identity
debug1: try privkey: /home/kevin/.ssh/id_rsa
debug1: try pubkey: /home/kevin/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,hostbased
debug1: next auth method to try is password
kevin at m2's password:

Again, any pointers regarding how my configuration differs from the
necessary configuration will be most appreciated.

(In case you're wondering: yes, I realize that there are no
publicly-available 'A' records for m1/m2.ohm.calvin.edu, but be assured
there are copies of dnscache and tinydns running on 'm1' that provide
these records to my Beowulf cluster machines).

--
Kevin DeGraaf

From mouring at etoh.eviladmin.org Wed Jul 24 08:26:59 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 23 Jul 2002 17:26:59 -0500 (CDT)
Subject: OpenSSH 3.4p1 hostbased auth - howto?

I believe I've stated this before, but I will again:

 - markus at cvs.openbsd.org 2002/06/26 22:27:32
     [ssh-keysign.c]
     bug #304, xfree(data) called to early; openssh at sigint.cs.purdue.edu

Please try the current snapshots.

- ben

On Tue, 23 Jul 2002, Kevin DeGraaf wrote:

> > Use ssh_known_hosts
> > You will have to edit ssh_known_hosts
> > Now the shosts.equiv file (does not need to be world readable)
> > Not quite what you wanted to do.
> > To fix box2, remove the keys and generate new keys.
> > Each machine must have different keys.
> > Now put the public key from all your machines in ssh_known_hosts and
> > distribute ssh_known_hosts and shosts.equiv to each machine.
>
> Okay, I removed all the old configuration and did this:
>
> 1. On m1.ohm.calvin.edu and m2.ohm.calvin.edu, I generated new hostkeys
> (SSH1-RSA, SSH2-RSA, and SSH2-DSA).
>
> 2. On both machines, I created /etc/ssh/ssh_known_hosts:
>
> m1,m1.ohm.calvin.edu,192.168.1.1 ssh-dsa AAAAB3Nza ... =
> m2,m2.ohm.calvin.edu,192.168.1.2 ssh-dsa AAAAB3Nza ... =
>
> 3. On both machines, I created /etc/shosts.equiv:
>
> m1
> m2
> m1.ohm.calvin.edu
> m2.ohm.calvin.edu
>
> 4. On both machines, I created /etc/ssh/ssh_config:
>
> Host *
> HostbasedAuthentication yes
>
> 5. On both machines, I created /etc/ssh/sshd_config:
>
> Port 22
> Protocol 2
>
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
>
> PermitRootLogin without-password
>
> RhostsAuthentication yes
> IgnoreRhosts no
> HostbasedAuthentication yes
>
> PermitEmptyPasswords no
> ChallengeResponseAuthentication no
>
> PrintMotd no
> PrintLastLog no
> UsePrivilegeSeparation yes
>
> Subsystem sftp /usr/local/libexec/sftp-server
>
> 6. On both machines, I restarted sshd:
>
> m1# service sshd restart
> m2# service sshd restart
>
> 7. I attempted a passwordless, keyless, hostbased connection:
>
> debug1: authentications that can continue: publickey,password,hostbased
> debug1: next auth method to try is hostbased
> debug1: Remote: Accepted for m1.ohm.calvin.edu [192.168.1.1] by
> /etc/hosts.equiv.
> debug1: authentications that can continue: publickey,password,hostbased
> debug1: Remote: Accepted for m1.ohm.calvin.edu [192.168.1.1] by
> /etc/hosts.equiv.
> debug1: authentications that can continue: publickey,password,hostbased
> debug1: userauth_hostbased: no more client hostkeys
> debug1: next auth method to try is publickey
> debug1: userauth_pubkey_agent: testing agent key /home/kevin/.ssh/id_dsa
> debug1: authentications that can continue: publickey,password,hostbased
> debug1: try privkey: /home/kevin/.ssh/identity
> debug1: try privkey: /home/kevin/.ssh/id_rsa
> debug1: try pubkey: /home/kevin/.ssh/id_dsa
> debug1: authentications that can continue: publickey,password,hostbased
> debug1: next auth method to try is password
> kevin at m2's password:
>
> Again, any pointers regarding how my configuration differs from the
> necessary configuration will be most appreciated.
>
> (In case you're wondering: yes, I realize that there are no
> publicly-available 'A' records for m1/m2.ohm.calvin.edu, but be assured
> there are copies of dnscache and tinydns running on 'm1' that provide
> these records to my Beowulf cluster machines).
>
> --
> Kevin DeGraaf

From kevin at kevindegraaf.net Wed Jul 24 09:29:42 2002
From: kevin at kevindegraaf.net (Kevin DeGraaf)
Date: Tue, 23 Jul 2002 19:29:42 -0400 (EDT)
Subject: OpenSSH 3.4p1 hostbased auth - howto?

> I believe I've stated this before, but I will again:
>
>  - markus at cvs.openbsd.org 2002/06/26 22:27:32
>      [ssh-keysign.c]
>      bug #304, xfree(data) called to early; openssh at sigint.cs.purdue.edu
>
> Please try the current snapshots.

Okay, I upgraded both machines to openssh-SNAP-20020722. The problem
persists. Any other ideas?

I wish very strongly that I could use OpenSSH, but hostbased
authentication is a *requirement* at our site. Combining this with the
multiple-hostkey-per-IP problem, I think I don't have much of a choice but
to go back to ssh.com's SSH... :(

--
Kevin DeGraaf

From mouring at etoh.eviladmin.org Wed Jul 24 09:22:18 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 23 Jul 2002 18:22:18 -0500 (CDT)
Subject: OpenSSH 3.4p1 hostbased auth - howto?

Check to make sure that ssh-keysign is setuid also.

- Ben

On Tue, 23 Jul 2002, Kevin DeGraaf wrote:

> > I believe I've stated this before, but I will again:
> >
> >  - markus at cvs.openbsd.org 2002/06/26 22:27:32
> >      [ssh-keysign.c]
> >      bug #304, xfree(data) called to early; openssh at sigint.cs.purdue.edu
> >
> > Please try the current snapshots.
>
> Okay, I upgraded both machines to openssh-SNAP-20020722. The problem
> persists. Any other ideas?
>
> I wish very strongly that I could use OpenSSH, but hostbased
> authentication is a *requirement* at our site. Combining this with the
> multiple-hostkey-per-IP problem, I think I don't have much of a choice but
> to go back to ssh.com's SSH... :(
>
> --
> Kevin DeGraaf

From mouring at etoh.eviladmin.org Wed Jul 24 10:55:07 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 23 Jul 2002 19:55:07 -0500 (CDT)
Subject: OpenSSH 3.4p1 hostbased auth - howto?

On Tue, 23 Jul 2002, Kevin DeGraaf wrote:

> > Use ssh_known_hosts
> > You will have to edit ssh_known_hosts
> > Now the shosts.equiv file (does not need to be world readable)
> > Not quite what you wanted to do.
> > To fix box2, remove the keys and generate new keys.
> > Each machine must have different keys.
> > Now put the public key from all your machines in ssh_known_hosts and
> > distribute ssh_known_hosts and shosts.equiv to each machine.
>
> Okay, I removed all the old configuration and did this:
>
> 1. On m1.ohm.calvin.edu and m2.ohm.calvin.edu, I generated new hostkeys
> (SSH1-RSA, SSH2-RSA, and SSH2-DSA).
>
> 2. On both machines, I created /etc/ssh/ssh_known_hosts:
>
> m1,m1.ohm.calvin.edu,192.168.1.1 ssh-dsa AAAAB3Nza ... =
> m2,m2.ohm.calvin.edu,192.168.1.2 ssh-dsa AAAAB3Nza ... =
>

all host names must have a '.' behind it. or else they will
not work.

IE:

my.host.com.,226.165.46.10 ssh-rsa AAA[..]=

> 3. On both machines, I created /etc/shosts.equiv:
>
> m1
> m2
> m1.ohm.calvin.edu
> m2.ohm.calvin.edu
>

Same here:

my.host.com.

Suggestion.. sshd -d -d -d and ssh -v -v -v are your friend.

- Ben

From mouring at etoh.eviladmin.org Wed Jul 24 11:13:12 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 23 Jul 2002 20:13:12 -0500 (CDT)
Subject: AIX and ADMCHG
In-Reply-To: <3D3DC57B.BA1B2885@austin.ibm.com>

For password change to be handled correctly one needs to implement
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ and the corresponding
SSH_MSG_USERAUTH_REQUEST.

I thought I saw a patch floating around for the general support but I
don't have a link to it offhand.

http://search.ietf.org/internet-drafts/draft-ietf-secsh-userauth-15.txt

- Ben

On Tue, 23 Jul 2002, cawlfiel wrote:

> In AIX, whenever a root user or a member of the security group changes a
> user's password, the ADMCHG attribute is set which means that the next
> time the user logs in, he will be forced to change his password.
> However, ssh is currently ignoring ADMCHG.
>
> I haven't seen any mention of this on the mailing list or Bugzilla, so
> I'm considering writing a patch to correct this problem. Has anyone
> else looked at this?
>
> -----------------------
>
> Kevin Cawlfield
> AIX IP Security
> cawlfiel at austin.ibm.com
>
> -----------------------

From mouring at etoh.eviladmin.org Wed Jul 24 11:18:24 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 23 Jul 2002 20:18:24 -0500 (CDT)
Subject: AIX and ADMCHG

Ok.. I did see it.=) It is in the source.

- Ben

On Tue, 23 Jul 2002, Ben Lindstrom wrote:

> For password change to be handled correctly one needs to implement
> SSH_MSG_USERAUTH_PASSWD_CHANGEREQ and the corresponding
> SSH_MSG_USERAUTH_REQUEST.
>
> I thought I saw a patch floating around for the general support but I
> don't have a link to it offhand.
>
> http://search.ietf.org/internet-drafts/draft-ietf-secsh-userauth-15.txt
>
> - Ben
>
> On Tue, 23 Jul 2002, cawlfiel wrote:
>
> > In AIX, whenever a root user or a member of the security group changes a
> > user's password, the ADMCHG attribute is set which means that the next
> > time the user logs in, he will be forced to change his password.
> > However, ssh is currently ignoring ADMCHG.
> >
> > I haven't seen any mention of this on the mailing list or Bugzilla, so
> > I'm considering writing a patch to correct this problem. Has anyone
> > else looked at this?
> >
> > -----------------------
> >
> > Kevin Cawlfield
> > AIX IP Security
> > cawlfiel at austin.ibm.com
> >
> > -----------------------

From tim at multitalents.net Wed Jul 24 12:07:42 2002
From: tim at multitalents.net (Tim Rice)
Date: Tue, 23 Jul 2002 19:07:42 -0700 (PDT)
Subject: OpenSSH 3.4p1 hostbased auth - howto?

On Tue, 23 Jul 2002, Ben Lindstrom wrote:

> On Tue, 23 Jul 2002, Kevin DeGraaf wrote:
>
> > > Use ssh_known_hosts
> > > You will have to edit ssh_known_hosts
> > > Now the shosts.equiv file (does not need to be world readable)
> > > Not quite what you wanted to do.
> > > To fix box2, remove the keys and generate new keys.
> > > Each machine must have different keys.
> > > Now put the public key from all your machines in ssh_known_hosts and
> > > distribute ssh_known_hosts and shosts.equiv to each machine.
> >
> > Okay, I removed all the old configuration and did this:
> >
> > 1. On m1.ohm.calvin.edu and m2.ohm.calvin.edu, I generated new hostkeys
> > (SSH1-RSA, SSH2-RSA, and SSH2-DSA).
> >
> > 2. On both machines, I created /etc/ssh/ssh_known_hosts:
> >
> > m1,m1.ohm.calvin.edu,192.168.1.1 ssh-dsa AAAAB3Nza ... =
> > m2,m2.ohm.calvin.edu,192.168.1.2 ssh-dsa AAAAB3Nza ... =
> >
>
> all host names must have a '.' behind it. or else they will
> not work.
>
> IE:
>
> my.host.com.,226.165.46.10 ssh-rsa AAA[..]=

I don't have dots on the end and it works fine here.

> > 3. On both machines, I created /etc/shosts.equiv:
                          ^^^^
This may not work. On my machines where --sysconfdir=/etc/ssh
my shosts.equiv is in /etc/ssh

> > m1
> > m2
> > m1.ohm.calvin.edu
> > m2.ohm.calvin.edu
> >
>
> Same here:
>
> my.host.com.

Hmm, I don't have dots at the end here either.
Probably was needed on earlier versions.

> Suggestion.. sshd -d -d -d and ssh -v -v -v are your friend.

The only change I make to sshd_config (that's hostbased related) is

HostbasedAuthentication yes

All others are defaults.

--
Tim Rice                                Multitalents (707) 887-1469
tim at multitalents.net

From bugzilla-daemon at mindrot.org Wed Jul 24 12:12:33 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 24 Jul 2002 12:12:33 +1000 (EST)
Subject: [Bug 368] New: TTSSH will not connect to OpenSSH_3.4p1
Message-ID: <20020724021233.75504E9E3@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=368

           Summary: TTSSH will not connect to OpenSSH_3.4p1
           Product: Portable OpenSSH
           Version: -current
          Platform: ix86
        OS/Version: NetBSD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: mindrot at regs.nebcorp.com

The popular TeraTerm TTSSH ssh client is having problems connecting to
sshd. TTSSH will throw a dialog box with the message:

"Detected corrupted data; connection terminating."
"Detected corrupted data; connection terminating."

... and then exit. Pretty annoying. Here's debugging output:

debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /usr/pkg/etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /usr/pkg/etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.0.4 port 4910
debug1: Client protocol version 1.5; client software version TTSSH/1.5.4 Win32
debug1: no match: TTSSH/1.5.4 Win32
debug1: Local version string SSH-1.99-OpenSSH_3.4p1
debug2: Network child is on pid 18843
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 16:16
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: blowfish
debug3: mm_request_send entering: type 28
debug3: monitor_read: checking request 28
debug3: mm_request_receive_expect entering: type 29
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 29
debug3: mm_ssh1_session_id entering
debug3: mm_request_send entering: type 30
debug1: Received session key; encryption turned on.
debug2: monitor_read: 28 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 30
debug3: mm_answer_sessid entering
debug2: monitor_read: 30 used once, disabling now
debug3: mm_request_receive entering
debug1: Installing crc compensation attack detector.
Disconnecting: Corrupted check bytes on input.
debug1: Calling cleanup 0x80678c0(0x0)
debug1: Calling cleanup 0x80678c0(0x0)

The machine running it:

regs at vietnam|~% uname -a
NetBSD vietnam.doof.nebcorp.com 1.5.2 NetBSD 1.5.2 (GENERIC) #3: Sat Aug 18 23:37:05 CEST 2001 he at hamster.urc.uninett.no:/usr/src/sys/arch/i386/compile/GENERIC i386

And an OpenBSD machine running the non-portable server works fine:

debug1: sshd version OpenSSH_3.4
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 64.81.49.197 port 57869
debug1: Client protocol version 1.5; client software version TTSSH/1.5.4 Win32
debug1: no match: TTSSH/1.5.4 Win32
debug1: Local version string SSH-1.99-OpenSSH_3.4
debug2: Network child is on pid 29316
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug3: privsep user:group 32767:32767
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: blowfish
debug3: mm_request_send entering: type 28
debug3: monitor_read: checking request 28
debug3: mm_request_receive_expect entering: type 29
debug3: mm_request_receive entering
debug3: mm_request_send entering: type 29
debug3: mm_ssh1_session_id entering
debug3: mm_request_send entering: type 30
debug1: Received session key; encryption turned on.
debug2: monitor_read: 28 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 30
debug3: mm_answer_sessid entering
debug2: monitor_read: 30 used once, disabling now
debug3: mm_request_receive entering
debug1: Installing crc compensation attack detector.
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 7
...

Any ideas?

From bugzilla-daemon at mindrot.org Wed Jul 24 12:16:57 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Wed, 24 Jul 2002 12:16:57 +1000 (EST)
Subject: [Bug 368] TTSSH will not connect to OpenSSH_3.4p1
Message-ID: <20020724021657.8A2E7E9ED@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=368

------- Additional Comments From mindrot at regs.nebcorp.com 2002-07-24 12:16 -------
Just make life easier:

TeraTerm 2.3
http://hp.vector.co.jp/authors/VA002416/ttermp23.zip

TTSSH 1.5.4 plugin
http://www.cs.cmu.edu/~roc/ttssh154.zip

From mouring at etoh.eviladmin.org Wed Jul 24 12:05:41 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 23 Jul 2002 21:05:41 -0500 (CDT)
Subject: OpenSSH 3.4p1 hostbased auth - howto?

On Tue, 23 Jul 2002, Tim Rice wrote:

> On Tue, 23 Jul 2002, Ben Lindstrom wrote:
>
> > On Tue, 23 Jul 2002, Kevin DeGraaf wrote:
> >
> > > > Use ssh_known_hosts
> > > > You will have to edit ssh_known_hosts
> > > > Now the shosts.equiv file (does not need to be world readable)
> > > > Not quite what you wanted to do.
> > > > To fix box2, remove the keys and generate new keys.
> > > > Each machine must have different keys.
> > > > Now put the public key from all your machines in ssh_known_hosts and
> > > > distribute ssh_known_hosts and shosts.equiv to each machine.
> > >
> > > Okay, I removed all the old configuration and did this:
> > >
> > > 1. On m1.ohm.calvin.edu and m2.ohm.calvin.edu, I generated new hostkeys
> > > (SSH1-RSA, SSH2-RSA, and SSH2-DSA).
> > >
> > > 2. On both machines, I created /etc/ssh/ssh_known_hosts:
> > >
> > > m1,m1.ohm.calvin.edu,192.168.1.1 ssh-dsa AAAAB3Nza ... =
> > > m2,m2.ohm.calvin.edu,192.168.1.2 ssh-dsa AAAAB3Nza ... =
> > >
> >
> > all host names must have a '.' behind it. or else they will
> > not work.
> >
> > IE:
> >
> > my.host.com.,226.165.46.10 ssh-rsa AAA[..]=
>
> I don't have dots on the end and it works fine here.
>

I can't get it to work with -cvs without them.

- Ben

From dmarshall at esilicon.com Wed Jul 24 12:42:59 2002
From: dmarshall at esilicon.com (David Marshall)
Date: Tue, 23 Jul 2002 19:42:59 -0700
Subject: OpenSSH 3.4p1 "PRNG is not seeded"
Message-ID: <691874941F1F954198F7E7FCBAEF1FAE0D20E8@exchange00.SC.ESILICON.COM>

I upgraded from OpenSSH_3.0.2p1 to OpenSSH 3.4p1. Starting SSHD or
ssh-keygen I'm getting the "PRNG is not seeded". I have verified that
prngd is running and "egc.pl /var/spool/prngd/pool get" runs just fine
reporting 32800 bits of entropy.

My platform is Solaris 8 (sparc) and I downloaded binaries from
www.sunfreeware.com. My guess is the build of OpenSSH 3.4.p1 is looking
for prngd in a different location than my configuration.

Does anyone have any suggestions as to how I can debug this?

David Marshall

From dtucker at zip.com.au Wed Jul 24 13:09:32 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 24 Jul 2002 13:09:32 +1000
Subject: OpenSSH 3.4p1 "PRNG is not seeded"
References: <691874941F1F954198F7E7FCBAEF1FAE0D20E8@exchange00.SC.ESILICON.COM>
Message-ID: <3D3E1A6C.5227215F@zip.com.au>

David Marshall wrote:
> My platform is Solaris 8 (sparc) and I downloaded binaries from
> www.sunfreeware.com.

My guess is you don't have the Solaris 8 /dev/random patch. Did you read
http://www.sunfreeware.com/openssh8.html and install patch 112438-01?

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

From mandar at webchat.chatsystems.com Wed Jul 24 13:38:59 2002
From: mandar at webchat.chatsystems.com (mandar at webchat.chatsystems.com)
Date: Tue, 23 Jul 2002 22:38:59 -0500 (CDT)
Subject: AIX and ADMCHG

Ben,

For AIX, does the server use getuserpw() to check the ADMCHG flag
before deciding to send back a SSH_MSG_USERAUTH_PASSWD_CHANGEREQ or
not? After the initial exchange, on AIX, it'll need to run a newpass() with
perhaps a getuserattr() for a more complete explanation of the rules
should the password be too weak, before sending the
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ again...until finally accepting the pass
with a SSH_MSG_USERAUTH_SUCCESS.

Some of this may need to run in the PrivSep process. I'm assuming the
PAM support code does something along the same lines...

Sorry, just some random thoughts - haven't actually looked at the
source. But ADMCHG was on my list of things to fix since we did the
failedlogincount in #145 (btw, Darren, thanks for following up and
integrating it into the source ;), but never got around to it.

If we're missing this for AIX, I think we should welcome Kevin's patch ;)

- Mandar

On Tue, 23 Jul 2002, Ben Lindstrom wrote:

> Date: Tue, 23 Jul 2002 20:18:24 -0500 (CDT)
> From: Ben Lindstrom
> To: cawlfiel
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: AIX and ADMCHG
>
> Ok.. I did see it.=) It is in the source.
>
> - Ben
>
> On Tue, 23 Jul 2002, Ben Lindstrom wrote:
>
> > For password change to be handled correctly one needs to implement
> > SSH_MSG_USERAUTH_PASSWD_CHANGEREQ and the corresponding
> > SSH_MSG_USERAUTH_REQUEST.
> >
> > I thought I saw a patch floating around for the general support but I
> > don't have a link to it off hand.
> >
> > http://search.ietf.org/internet-drafts/draft-ietf-secsh-userauth-15.txt
> >
> > - Ben
> >
> > On Tue, 23 Jul 2002, cawlfiel wrote:
> >
> > > In AIX, whenever a root user or a member of the security group changes a
> > > user's password, the ADMCHG attribute is set which means that the next
> > > time the user logs in, he will be forced to change his password.
> > > However, ssh is currently ignoring ADMCHG.
> > >
> > > I haven't seen any mention of this on the mailing list or Bugzilla, so
> > > I'm considering writing a patch to correct this problem. Has anyone
> > > else looked at this?
> > >
> > > -----------------------
> > > Kevin Cawlfield
> > > AIX IP Security
> > > cawlfiel at austin.ibm.com
> > > -----------------------

From mouring at etoh.eviladmin.org Wed Jul 24 13:57:07 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Tue, 23 Jul 2002 22:57:07 -0500 (CDT)
Subject: AIX and ADMCHG

On Tue, 23 Jul 2002 mandar at webchat.chatsystems.com wrote:

> Ben,
>
> For AIX, does the server use getuserpw() to check the ADMCHG flag
> before deciding to send back a SSH_MSG_USERAUTH_PASSWD_CHANGEREQ or
> not? After the initial exchange, on AIX, it'll need to run a newpass() with
> perhaps a getuserattr() for a more complete explanation of the rules
> should the password be too weak, before sending the
> SSH_MSG_USERAUTH_PASSWD_CHANGEREQ again...until finally accepting the pass
> with a SSH_MSG_USERAUTH_SUCCESS.

Right now *NOTHING* is checked. Not for bsd_auth, not for pam, not for
aix, or not for /etc/shadow. =)

> Some of this may need to run in the PrivSep process. I'm assuming the
> PAM support code does something along the same lines...
>
> Sorry, just some random thoughts - haven't actually looked at the
> source. But ADMCHG was on my list of things to fix since we did the
> failedlogincount in #145 (btw, Darren, thanks for following up and
> integrating it into the source ;), but never got around to it.
>
> If we're missing this for AIX, I think we should welcome Kevin's patch
> ;)

I can also start looking at this once I get comfortable with the AIX box
that has been loaned to me. However, I don't believe Kevin's patch uses
the ssh2 password change protocol (not sure, I have not seen it in a few
months). Whatever we do should use that feature of the protocol since it
allows us better security.

Which brings up a question on should we support password change for v1?
I'm inclined to say no. At least handle v2 protocol first.

I have a question out to markus because I can see where the code belongs,
but I can't figure out how to actually trigger it correctly.

However, don't expect this to be in 3.5.. This is pretty much 3.6 material.

- Ben

From tim at multitalents.net Wed Jul 24 14:12:17 2002
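The SSH2 password-change exchange Mandar and Ben discuss above, as an added example that is not OpenSSH code: the message numbers and field layouts follow the userauth draft Ben links (published as RFC 4252), while the `Account.must_change` flag and the `_weak()` rule are stand-ins for the AIX ADMCHG attribute and the newpass()/getuserattr() checks, not AIX APIs.

```python
"""Server and client halves of the SSH2 forced password change, in wire format.

Added example, not OpenSSH code. A plain "password" USERAUTH_REQUEST against an
account flagged for a forced change is answered with
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ; the client then retries with the change form
of the request (boolean TRUE, old password, new password) until the server
accepts the new password with SSH_MSG_USERAUTH_SUCCESS.
"""
import struct

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60


def _sshstr(s: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(s)) + s


def _read_str(buf: bytes, off: int):
    """Decode one SSH string at `off`; return (bytes, next offset)."""
    (ln,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + ln], off + 4 + ln


def password_request(user: str, password: str, new_password=None) -> bytes:
    """Client side: the plain password request, or the change form when
    new_password is given (boolean TRUE, old password, new password)."""
    msg = (bytes([SSH_MSG_USERAUTH_REQUEST]) + _sshstr(user.encode())
           + _sshstr(b"ssh-connection") + _sshstr(b"password"))
    if new_password is None:
        return msg + b"\x00" + _sshstr(password.encode())
    return msg + b"\x01" + _sshstr(password.encode()) + _sshstr(new_password.encode())


class Account:
    """Constructed stand-in for the user database entry; must_change plays the
    role of the AIX ADMCHG attribute (assumption, not an AIX API)."""
    def __init__(self, password: str, must_change: bool = False):
        self.password, self.must_change = password, must_change


def _weak(pw: str) -> bool:
    """Placeholder for the site rules newpass()/getuserattr() would apply."""
    return len(pw) < 8


def _changereq(prompt: bytes) -> bytes:
    return bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ]) + _sshstr(prompt) + _sshstr(b"en")


def _failure() -> bytes:
    # name-list of methods that can continue, partial success = FALSE
    return bytes([SSH_MSG_USERAUTH_FAILURE]) + _sshstr(b"password") + b"\x00"


def server_handle(account: Account, packet: bytes) -> bytes:
    """Server side: parse one USERAUTH_REQUEST and return the reply packet."""
    if packet[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("unexpected message type")
    off = 1
    _user, off = _read_str(packet, off)
    _service, off = _read_str(packet, off)
    method, off = _read_str(packet, off)
    if method != b"password":
        return _failure()
    change = packet[off] == 1
    off += 1
    old, off = _read_str(packet, off)
    if old.decode() != account.password:
        return _failure()                      # wrong (old) password: no hint given
    if not change:
        if account.must_change:
            return _changereq(b"Your password has expired, choose a new one")
        return bytes([SSH_MSG_USERAUTH_SUCCESS])
    new, off = _read_str(packet, off)
    if _weak(new.decode()):
        # Old password was right but the new one is unacceptable: ask again.
        return _changereq(b"New password too short (8 characters minimum)")
    account.password, account.must_change = new.decode(), False
    return bytes([SSH_MSG_USERAUTH_SUCCESS])


def run_exchange(account: Account, user: str, old: str, candidates) -> list:
    """Drive a client through the exchange, trying each candidate new password
    while the server keeps asking; return the sequence of reply message types."""
    replies = [server_handle(account, password_request(user, old))]
    for new in candidates:
        if replies[-1][0] != SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:
            break
        replies.append(server_handle(account, password_request(user, old, new)))
    return [r[0] for r in replies]


if __name__ == "__main__":
    acct = Account("oldpass1", must_change=True)
    print(run_exchange(acct, "kevin", "oldpass1", ["short", "l0ngenough!"]))
```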
From: tim at multitalents.net (Tim Rice)
Date: Tue, 23 Jul 2002 21:12:17 -0700 (PDT)
Subject: OpenSSH 3.4p1 hostbased auth - howto?

On Tue, 23 Jul 2002, Ben Lindstrom wrote:

> > > IE:
> > >
> > > my.host.com.,226.165.46.10 ssh-rsa AAA[..]=
> >
> > I don't have dots on the end and it works fine here.
>
> I can't get it to work with -cvs without them.
>
> - Ben

Interesting. I've been using hostbased auth here for at least 9 months
and haven't needed the trailing dots.
The version I'm running now is Jul 14 cvs.
How strange. I wonder what's different.

-- 
Tim Rice        Multitalents    (707) 887-1469
tim at multitalents.net

From tim at multitalents.net Wed Jul 24 14:17:03 2002
From: tim at multitalents.net (Tim Rice)
Date: Tue, 23 Jul 2002 21:17:03 -0700 (PDT)
Subject: OpenSSH 3.4p1 "PRNG is not seeded"
In-Reply-To: <691874941F1F954198F7E7FCBAEF1FAE0D20E8@exchange00.SC.ESILICON.COM>

On Tue, 23 Jul 2002, David Marshall wrote:

> I upgraded from OpenSSH_3.0.2p1 to OpenSSH 3.4p1. Starting SSHD or
> ssh-keygen I'm getting the "PRNG is not seeded".
>
> I have verified that prngd is running and "egc.pl /var/spool/prngd/pool get"
> runs just fine reporting 32800 bits of entropy.

This probably has something to do with it.

20020720
 - (stevesk) [ssh-keygen.c] bug #231: always init/seed_rng().

Try a current snapshot.

> My platform is Solaris 8 (sparc) and I downloaded binaries from
> www.sunfreeware.com.

As Darren said in another reply, you may want to get the /dev/random patch.

-- 
Tim Rice        Multitalents    (707) 887-1469
tim at multitalents.net

From dtucker at zip.com.au Wed Jul 24 14:50:01 2002
From: dtucker at zip.com.au (Darren Tucker)
Date: Wed, 24 Jul 2002 14:50:01 +1000
Subject: OpenSSH 3.4p1 hostbased auth - howto?
Message-ID: <3D3E31F9.EFF8B517@zip.com.au>

Tim Rice wrote:
> Interesting. I've been using hostbased auth here for at least 9 months
> and haven't needed the trailing dots.
> The version I'm running now is Jul 14 cvs.
> How strange. I wonder what's different.

DNS or resolver config? Entries in hosts file?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually
comes from bad judgement.

From gert at greenie.muc.de Wed Jul 24 16:55:05 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 24 Jul 2002 08:55:05 +0200
Subject: OpenSSH 3.4p1 hostbased auth - howto?
In-Reply-To: ; from kevin@kevindegraaf.net on Tue, Jul 23, 2002 at 07:29:42PM -0400
Message-ID: <20020724085504.B944@greenie.muc.de>

Hi,

On Tue, Jul 23, 2002 at 07:29:42PM -0400, Kevin DeGraaf wrote:
> Okay, I upgraded both machines to openssh-SNAP-20020722. The problem
> persists. Any other ideas?

Try running "sshd -d -d". It will usually tell you *why* the client's
attempt to use hostbased doesn't work - like "wrong permissions for the
target user's home directory" or so.

(I have asked for better diagnostic messages on the client side before,
but Markus seems to think it's a security problem to tell the client why
some sort of authentication isn't permitted, and thus you need to run the
server in debug mode)

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025              gert.doering at physik.tu-muenchen.de

From magnus at bodin.org Wed Jul 24 17:35:34 2002
From: magnus at bodin.org (Magnus Bodin)
Date: Wed, 24 Jul 2002 09:35:34 +0200
Subject: ssh-keygen listing fingerprints little unclear
Message-ID: <20020724073534.GA3420@bodin.org>

Since ssh-keygen is not listing the _types_ of keys I have in my file,
wouldn't it be a good idea to make the -t switch filter out the
selected type of key when doing a listing with -l?

i.e. in this case I see both rsa1, rsa, and dss keys:

$ ssh-keygen -l -f ~/.ssh/known_hosts
1024 a9:4f:0b:b6:33:d7:d0:ad:6a:11:b4:57:25:7e:1e:f8 fluff.x42.com
1024 9d:f8:d4:62:dc:3d:fb:26:2a:03:f4:d3:5f:8b:df:39 pingu.framtid.nu
1024 69:6a:0e:49:01:c6:ef:16:65:3e:26:39:21:e2:84:fe pingu.framtid.nu

So if I do

$ ssh-keygen -l -t rsa -f ~/.ssh/known_hosts

I actually would like to see

1024 a9:4f:0b:b6:33:d7:d0:ad:6a:11:b4:57:25:7e:1e:f8 fluff.x42.com
1024 69:6a:0e:49:01:c6:ef:16:65:3e:26:39:21:e2:84:fe pingu.framtid.nu

Doesn't it make sense?
(or adding the types to the listing)

/magnus

-- 
http://x42.com/

From dot at dotat.at Wed Jul 24 21:09:43 2002
From: dot at dotat.at (Tony Finch)
Date: Wed, 24 Jul 2002 12:09:43 +0100
Subject: OpenSSH 3.4p1 hostbased auth - howto?

Kevin DeGraaf wrote:
>
> 5. On both machines, I created /etc/ssh/sshd_config:
>
> UsePrivilegeSeparation yes

This is the problem. It's a manifestation of the bug I reported a month
ago on this list with the subject "privilege separation breaks dns lookups".
There is a patch but it hasn't been committed.

Tony.
-- 
f.a.n.finch http://dotat.at/
NORTH FITZROY SOLE LUNDY FASTNET: WEST OR SOUTHWEST 3 OR 4, INCREASING 5
LATER. OCCASIONAL DRIZZLE. GOOD BECOMING MODERATE OR POOR.

From Lutz.Jaenicke at aet.TU-Cottbus.DE Wed Jul 24 23:00:38 2002
From: Lutz.Jaenicke at aet.TU-Cottbus.DE (Lutz Jaenicke)
Date: Wed, 24 Jul 2002 15:00:38 +0200
Subject: OpenSSH 3.4p1 "PRNG is not seeded"
In-Reply-To: <691874941F1F954198F7E7FCBAEF1FAE0D20E8@exchange00.SC.ESILICON.COM>
Message-ID: <20020724130038.GA17319@serv01.aet.tu-cottbus.de>

On Tue, Jul 23, 2002 at 07:42:59PM -0700, David Marshall wrote:
> I upgraded from OpenSSH_3.0.2p1 to OpenSSH 3.4p1. Starting SSHD or
> ssh-keygen I'm getting the "PRNG is not seeded".
>
> I have verified that prngd is running and "egc.pl /var/spool/prngd/pool get"
> runs just fine reporting 32800 bits of entropy.

Did you configure with "--with-prngd-socket=/var/spool/prngd/pool", such
that OpenSSH picks up the socket? As /var/spool/prngd/pool is not one of
the recommended standard locations (recommendations from OpenSSL for
support in 0.9.7), it might not be picked up automatically.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             Lutz.Jaenicke at aet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus

From markus at openbsd.org Wed Jul 24 23:54:24 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 24 Jul 2002 15:54:24 +0200
Subject: ssh-keygen listing fingerprints little unclear
In-Reply-To: <20020724073534.GA3420@bodin.org>
Message-ID: <20020724135424.GB21382@faui02>

nice, do you have a patch?

On Wed, Jul 24, 2002 at 09:35:34AM +0200, Magnus Bodin wrote:
> Since ssh-keygen is not listing the _types_ of keys I have in my file,
> wouldn't it be a good idea to make the -t switch filter out the
> selected type of key when doing a listing with -l?
>
> i.e. in this case I see both rsa1, rsa, and dss keys:
>
> $ ssh-keygen -l -f ~/.ssh/known_hosts
> 1024 a9:4f:0b:b6:33:d7:d0:ad:6a:11:b4:57:25:7e:1e:f8 fluff.x42.com
> 1024 9d:f8:d4:62:dc:3d:fb:26:2a:03:f4:d3:5f:8b:df:39 pingu.framtid.nu
> 1024 69:6a:0e:49:01:c6:ef:16:65:3e:26:39:21:e2:84:fe pingu.framtid.nu
>
> So if I do
>
> $ ssh-keygen -l -t rsa -f ~/.ssh/known_hosts
>
> I actually would like to see
>
> 1024 a9:4f:0b:b6:33:d7:d0:ad:6a:11:b4:57:25:7e:1e:f8 fluff.x42.com
> 1024 69:6a:0e:49:01:c6:ef:16:65:3e:26:39:21:e2:84:fe pingu.framtid.nu
>
> Doesn't it make sense?
> (or adding the types to the listing)
>
> /magnus
>
> --
> http://x42.com/

From markus at openbsd.org Wed Jul 24 23:53:50 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 24 Jul 2002 15:53:50 +0200
Subject: OpenSSH 3.4p1 hostbased auth - howto?
Message-ID: <20020724135350.GA21382@faui02>

> This is the problem. It's a manifestation of the bug I reported a month
> ago on this list with the subject "privilege separation breaks dns lookups".
> There is a patch but it hasn't been committed.

but there should be no DNS lookups in the unprivileged code...

From lapo at lapo.it Thu Jul 25 00:00:40 2002
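The type-filtered `ssh-keygen -l` listing Magnus proposes and Markus asks for a patch for, as an added Python example that is not OpenSSH code: it parses known_hosts entries in both the RSA1 and SSH2 formats, computes the colon-separated MD5 fingerprint ssh-keygen printed at the time, and filters by key type. The sample entries and the numbers inside them are constructed placeholders, not real keys.

```python
"""Added example (not OpenSSH code): `ssh-keygen -l` over a known_hosts file
with the proposed -t filter. RSA1 entries look like "host bits e n"; SSH2
entries look like "host keytype base64-blob". The sample entries at the
bottom are constructed placeholders with the right wire shape, not real keys."""
import base64
import hashlib
import struct


def _sshstr(data: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """RFC 4251 mpint: big-endian two's complement, so an extra 0x00 lead byte
    appears whenever the top bit of the first byte would otherwise be set."""
    return _sshstr(b"" if n == 0 else n.to_bytes(n.bit_length() // 8 + 1, "big"))


def _strings(blob: bytes):
    """Yield the successive SSH strings that make up a public key blob."""
    off = 0
    while off + 4 <= len(blob):
        (ln,) = struct.unpack_from(">I", blob, off)
        yield blob[off + 4:off + 4 + ln]
        off += 4 + ln


def _md5_fp(data: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format ssh-keygen -l printed in 2002."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(data).digest())


def parse_known_hosts_line(line: str):
    """Return (hosts, type, bits, fingerprint), or None for blank/comment lines.
    Types use the ssh-keygen -t names: rsa1, rsa, dsa."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("#"):
        return None
    hosts = fields[0]
    if fields[1].isdigit():
        # RSA1 entry. OpenSSH fingerprints RSA1 keys over the raw big-endian
        # bytes of n followed by e, with no length prefixes.
        bits, e, n = int(fields[1]), int(fields[2]), int(fields[3])
        raw = (n.to_bytes((n.bit_length() + 7) // 8, "big")
               + e.to_bytes((e.bit_length() + 7) // 8, "big"))
        return hosts, "rsa1", bits, _md5_fp(raw)
    blob = base64.b64decode(fields[2])
    parts = list(_strings(blob))          # parts[0] repeats the type name
    if fields[1] == "ssh-rsa":
        ktype, modulus = "rsa", parts[2]  # e, n
    elif fields[1] == "ssh-dss":
        ktype, modulus = "dsa", parts[1]  # p, q, g, y
    else:
        return hosts, fields[1], 0, _md5_fp(blob)
    return hosts, ktype, int.from_bytes(modulus, "big").bit_length(), _md5_fp(blob)


def list_fingerprints(known_hosts: str, key_type=None):
    """`ssh-keygen -l` with the proposed -t filter: "bits fp hosts (type)" rows,
    restricted to one key type when key_type is given."""
    rows = []
    for line in known_hosts.splitlines():
        parsed = parse_known_hosts_line(line)
        if parsed and (key_type is None or parsed[1] == key_type):
            hosts, ktype, bits, fp = parsed
            rows.append(f"{bits} {fp} {hosts} ({ktype})")
    return rows


def rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public key blob from its components."""
    return _sshstr(b"ssh-rsa") + _mpint(e) + _mpint(n)


def dss_blob(p: int, q: int, g: int, y: int) -> bytes:
    """Build an ssh-dss public key blob from its components."""
    return _sshstr(b"ssh-dss") + _mpint(p) + _mpint(q) + _mpint(g) + _mpint(y)


# Constructed sample: one entry of each type the thread mentions. The numbers
# are placeholders of the right size, not real moduli or primes.
N_1024 = (1 << 1023) | 0x10001
P_1024 = (1 << 1023) | 0x2345
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not real keys",
    "host1.example.com ssh-rsa " + base64.b64encode(rsa_blob(65537, N_1024)).decode(),
    "host2.example.com 1024 35 " + str(N_1024),
    "host2.example.com ssh-dss "
    + base64.b64encode(dss_blob(P_1024, (1 << 159) | 1, 2, 3)).decode(),
])

if __name__ == "__main__":
    for row in list_fingerprints(SAMPLE_KNOWN_HOSTS):
        print(row)
    print("-- with -t rsa --")
    for row in list_fingerprints(SAMPLE_KNOWN_HOSTS, "rsa"):
        print(row)
```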
From: lapo at lapo.it (Lapo Luchini)
Date: Wed, 24 Jul 2002 16:00:40 +0200
Subject: scp bug? or is it intended?
Message-ID: <3D3EB308.2010509@lapo.it>

Please enlighten me on a subject, which is easily explained by example
(cyberone is a Cygwin1.3.12/WinXPpro and cyberx is a FreeBSD with latest
openssh-portable installed):

lapo at CYBERONE ~
$ scp lapo at cyberx:Luth\'ol.pcg .
bash: -c: line 1: unexpected EOF while looking for matching `''
bash: -c: line 2: syntax error: unexpected end of file

lapo at CYBERONE ~
$ scp lapo at cyberx:Luth\\\'ol.pcg .
Luth'ol.pcg          100% |*****************************|  2066       00:00

I guess that the fact that command line is interpreted also on remote
side should be hidden from the user... IMHO first command line should
work and second one should not.

Please notice also that I'm not subscribed to this ML.
If this behaviour is intended, sorry for the message, but then I'd say
it should at least be noted in the "man" page that the command line will be
interpreted twice.

OpenSSH is always better and better, keep up the good work =)
Lapo

-- 
Lapo 'Raist' Luchini
lapo at lapo.it (PGP & X.509 keys available)
http://www.lapo.it (ICQ UIN: 529796)

From tim at multitalents.net Thu Jul 25 00:08:57 2002
From: tim at multitalents.net (Tim Rice)
Date: Wed, 24 Jul 2002 07:08:57 -0700 (PDT)
Subject: OpenSSH 3.4p1 hostbased auth - howto?

On Wed, 24 Jul 2002, Tony Finch wrote:

> Kevin DeGraaf wrote:
> >
> > 5. On both machines, I created /etc/ssh/sshd_config:
> >
> > UsePrivilegeSeparation yes
>
> This is the problem. It's a manifestation of the bug I reported a month
> ago on this list with the subject "privilege separation breaks dns lookups".
> There is a patch but it hasn't been committed.

What platform are you on? It's working fine on my platforms.

> Tony.

-- 
Tim Rice        Multitalents    (707) 887-1469
tim at multitalents.net

From mouring at etoh.eviladmin.org Thu Jul 25 00:04:13 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Wed, 24 Jul 2002 09:04:13 -0500 (CDT)
Subject: scp bug? or is it intended?
In-Reply-To: <3D3EB308.2010509@lapo.it>

This is the correct behavior. Otherwise the following would not work:

scp host.com:dir/\* .

Remember scp on the other end runs in your shell. So you have to contend
with double escapes (same with rcp) to gain the behavior you want.

- Ben

On Wed, 24 Jul 2002, Lapo Luchini wrote:

> Please enlighten me on a subject, which is easily explained by example
> (cyberone is a Cygwin1.3.12/WinXPpro and cyberx is a FreeBSD with latest
> openssh-portable installed):
>
> lapo at CYBERONE ~
> $ scp lapo at cyberx:Luth\'ol.pcg .
> bash: -c: line 1: unexpected EOF while looking for matching `''
> bash: -c: line 2: syntax error: unexpected end of file
>
> lapo at CYBERONE ~
> $ scp lapo at cyberx:Luth\\\'ol.pcg .
> Luth'ol.pcg          100% |*****************************|  2066       00:00
>
> I guess that the fact that command line is interpreted also on remote
> side should be hidden from the user... IMHO first command line should
> work and second one should not.
>
> Please notice also that I'm not subscribed to this ML.
> If this behaviour is intended, sorry for the message, but then I'd say
> it should at least be noted in the "man" page that the command line will be
> interpreted twice.
>
> OpenSSH is always better and better, keep up the good work =)
> Lapo
>
> --
> Lapo 'Raist' Luchini
> lapo at lapo.it (PGP & X.509 keys available)
> http://www.lapo.it (ICQ UIN: 529796)

From edwardquick at hotmail.com Thu Jul 25 00:18:24 2002
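The two-stage parse Ben describes (the user's shell first, then the login shell on the remote host running scp), as an added Python example that is not from the thread or from OpenSSH: `shlex.split` in POSIX mode stands in for both shells (it applies quotes and backslashes the way sh does but performs no globbing), and `quote_twice()` is the general form of the "double escape" Ben mentions.

```python
"""Why scp's remote path is parsed twice, and how to quote for it.

Added example, not code from the thread or from OpenSSH. scp hands the remote
path to ssh as part of the command line the remote login shell executes, so
the local shell consumes one layer of quoting and the remote shell another.
shlex.split (POSIX mode) stands in for both shells: same quote and backslash
rules as sh, but no globbing and no variable expansion.
"""
import shlex


def local_shell(word: str) -> str:
    """First parse: the word the user's own shell hands to scp."""
    return shlex.split(word)[0]


def remote_shell(word: str) -> str:
    """Second parse: the word the remote login shell hands to the remote scp.
    Returns an error string when the quoting is broken, which is the bash
    "unexpected EOF while looking for matching `''" case from the thread."""
    try:
        return shlex.split(word)[0]
    except ValueError as exc:
        return f"error: {exc}"


def two_stage(word: str):
    """Run one command-line word through both parses; return each stage."""
    after_local = local_shell(word)
    return after_local, remote_shell(after_local)


def quote_for_remote(path: str) -> str:
    """Quote a literal path for one shell: wrap in single quotes and spell each
    embedded quote as '\\'' (close quote, escaped quote, reopen)."""
    return "'" + path.replace("'", "'\\''") + "'"


def quote_twice(path: str) -> str:
    """The 'double escape' for scp: one quoting layer for the local shell and
    one for the remote shell, so any path (quotes, spaces, $, *) arrives intact."""
    return quote_for_remote(quote_for_remote(path))


if __name__ == "__main__":
    # Lapo's two attempts: the first loses its only escape in the local shell.
    print(two_stage(r"Luth\'ol.pcg"))
    print(two_stage(r"Luth\\\'ol.pcg"))
    # Ben's glob: the remote shell receives dir/* and would expand it there.
    print(two_stage(r"dir/\*"))
    print(two_stage(quote_twice("Luth'ol.pcg")))
```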
From: edwardquick at hotmail.com (Edward Quick)
Date: Wed, 24 Jul 2002 14:18:24 +0000
Subject: pam problems with securid patch

Hi,

I have the securID patch applied to openssh3.4p-1 and it's compiled with
pam. The problem I'm getting is that SecurID auth works OK, but normal
password auth doesn't.

I narrowed down the failure to the following section in auth-pam.c:

    __pampasswd = password;
    pamstate = INITIAL_LOGIN;
    pam_retval = do_pam_authenticate(
        options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);

but I can't see how this works. Can anyone enlighten me please? I know
that the password is correct but pam_retval is still not equal to
PAM_SUCCESS.

Cheers,
Ed.

From gert at greenie.muc.de Thu Jul 25 00:24:29 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 24 Jul 2002 16:24:29 +0200
Subject: OpenSSH 3.4p1 hostbased auth - howto?
In-Reply-To: <20020724135350.GA21382@faui02>; from markus@openbsd.org on Wed, Jul 24, 2002 at 03:53:50PM +0200
Message-ID: <20020724162429.C23685@greenie.muc.de>

Hi,

On Wed, Jul 24, 2002 at 03:53:50PM +0200, Markus Friedl wrote:
> > This is the problem. It's a manifestation of the bug I reported a month
> > ago on this list with the subject "privilege separation breaks dns lookups".
> > There is a patch but it hasn't been committed.
>
> but there should be no DNS lookups in the unprivileged code...

The protocol 1 / RhostsRSAAuthentication handler seems to be doing
reverse lookups, and fails. This is how it looks here:

debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_answer_authpassword: sending result 0
debug3: mm_request_receive_expect entering: type 11
debug3: mm_request_send entering: type 11
debug3: mm_request_receive entering
Failed none for gert from 195.30.1.25 port 760
debug3: mm_auth_password: user not authenticated
debug3: mm_request_receive entering
debug1: Trying rhosts with RSA host authentication for client user gert
debug3: Trying to reverse map address 195.30.1.25.
Could not reverse map address 195.30.1.25.
debug1: Rhosts RSA authentication: canonical host 195.30.1.25
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: monitor_read: checking request 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_answer_keyallowed entering
debug3: mm_request_receive_expect entering: type 21
debug3: mm_answer_keyallowed: key_from_blob: 0x80951d0
debug3: mm_request_receive entering
debug3: Trying to reverse map address 195.30.1.25.
debug2: auth_rhosts2: clientuser gert hostname moebius.space.net ipaddr 195.30.1.25
debug1: restore_uid
debug1: restore_uid
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: filename /home/gert/.ssh/known_hosts
...

Without PrivSep, the log is as follows:

debug1: Attempting authentication for gert.
debug1: Trying rhosts with RSA host authentication for client user gert
debug3: Trying to reverse map address 195.30.1.25.
debug1: Rhosts RSA authentication: canonical host moebius.space.net
debug2: auth_rhosts2: clientuser gert hostname moebius.space.net ipaddr 195.30.1.25
debug1: restore_uid
debug1: restore_uid
debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
debug3: check_host_in_hostfile: filename /home/gert/.ssh/known_hosts

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025              gert.doering at physik.tu-muenchen.de

From gert at greenie.muc.de Thu Jul 25 00:25:22 2002
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 24 Jul 2002 16:25:22 +0200
Subject: OpenSSH 3.4p1 hostbased auth - howto?
In-Reply-To: ; from tim@multitalents.net on Wed, Jul 24, 2002 at 07:08:57AM -0700
Message-ID: <20020724162522.D23685@greenie.muc.de>

hi,

On Wed, Jul 24, 2002 at 07:08:57AM -0700, Tim Rice wrote:
> > This is the problem. It's a manifestation of the bug I reported a month
> > ago on this list with the subject "privilege separation breaks dns lookups".
> > There is a patch but it hasn't been committed.
>
> What platform are you on? It's working fine on my platforms.

I see this on FreeBSD 4.1.1-RELEASE. Interestingly enough, FreeBSD 4.1 and
4.2 work fine.

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025              gert.doering at physik.tu-muenchen.de

From gert at greenie.muc.de Thu Jul 25 00:32:08 2002
From: gert at greenie.muc.de (Gert Doering) Date: Wed, 24 Jul 2002 16:32:08 +0200 Subject: privilege separation breaks dns lookups In-Reply-To: <20020629193835.GG1757@jenny.crlsca.adelphia.net>; from kevin@atomicgears.com on Sat, Jun 29, 2002 at 12:38:35PM -0700 References: <20020626232631.F26954@chiark.greenend.org.uk> <20020629193835.GG1757@jenny.crlsca.adelphia.net> Message-ID: <20020724163208.F23685@greenie.muc.de> Hi, On Sat, Jun 29, 2002 at 12:38:35PM -0700, Kevin Steves wrote: > On Wed, Jun 26, 2002 at 11:26:31PM +0100, Tony Finch wrote: > > When the unprivileged child has chrooted it can no longer open > > /etc/resolv.conf, so if the resolver hasn't yet initialized itself then > > dns lookups will not be possible. This is unfortunately what normally > > happens, but sshd falls back gracefully. > > can you try this? > > Index: sshd.c > =================================================================== [..] > error("setsockopt SO_KEEPALIVE: %.100s", strerror(errno)); > + > + /* > + * Initialize the resolver. This may not happen automatically > + * before privsep chroot(). > + */ > + if ((_res.options & RES_INIT) == 0) { > + debug("res_init()"); > + res_init(); > + } I won't claim to understand why it is necessary, but your patch fixes the "wait a minute" problem when logging into a FreeBSD 4.1.1-RELEASE machine with PrivSep and RhostsRSAAuthentication enabled. Sorry for not responding more quickly - I passed this to a colleague who just didn't do the test :-( gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From dot at dotat.at Thu Jul 25 01:26:42 2002 
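Review bot: the added block in the sshd.c hunk calls res_init() without checking its return value; res_init() returns -1 when the resolver cannot be set up, which is exactly the condition this change is meant to rule out before the privsep chroot(), so a failure should be logged rather than dropped, e.g. `if (res_init() == -1) error("res_init: %s", strerror(errno));` next to the existing `debug("res_init()");`. The test `(_res.options & RES_INIT) == 0` also depends on the `_res` global and the RES_INIT flag from <resolv.h>; the excerpt does not show that header being added, and on platforms where `_res` is not a plain global the block needs a configure-time guard instead of an unconditional reference.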
From: dot at dotat.at (Tony Finch)
Date: Wed, 24 Jul 2002 16:26:42 +0100
Subject: OpenSSH 3.4p1 hostbased auth - howto?
In-Reply-To: <20020724135350.GA21382@faui02>; from markus@openbsd.org on Wed, Jul 24, 2002 at 03:53:50PM +0200
Message-ID: <20020724162642.A8886@chiark.greenend.org.uk>

On Wed, Jul 24, 2002 at 03:53:50PM +0200, Markus Friedl wrote:
> > This is the problem. It's a manifestation of the bug I reported a month
> > ago on this list with the subject "privilege separation breaks dns lookups".
> > There is a patch but it hasn't been committed.
>
> but there should be no DNS lookups in the unprivileged code...

This is on FreeBSD-4.6-STABLE using the openssh-portable port (which is
3.4p1). The backtrace of the offending DNS lookup is

#0  0x8061450 in get_remote_hostname (socket=5, verify_reverse_mapping=0) at canohost.c:81
#1  0x8061714 in get_canonical_hostname (verify_reverse_mapping=0) at canohost.c:194
#2  0x8050021 in input_userauth_request (type=50, seq=5, ctxt=0x80990c0) at auth2.c:147
#3  0x8067fcf in dispatch_run (mode=0, done=0x80990c0, ctxt=0x80990c0) at dispatch.c:93
#4  0x804fef8 in do_authentication2 () at auth2.c:96
#5  0x804e365 in main (ac=4, av=0xbfbffab0) at sshd.c:1507

The call to get_canonical_hostname in input_userauth_request is part of
the FreeBSD patch set, so I'll report the bug to them.

Tony.
-- 
f.a.n.finch http://dotat.at/
FISHER GERMAN BIGHT: WEST OR NORTHWEST 5 OR 6, BUT 7 IN NORTHEAST FISHER AT
FIRST, DECREASING 4 IN SOUTHWEST FISHER AND IN GERMAN BIGHT. SHOWERS. GOOD.

From bugzilla-daemon at mindrot.org Thu Jul 25 04:05:54 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 25 Jul 2002 04:05:54 +1000 (EST)
Subject: [Bug 369] New: Inconsistent exit status from scp
Message-ID: <20020724180554.C91FCE96C@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=369

           Summary: Inconsistent exit status from scp
           Product: Portable OpenSSH
           Version: 3.0.2p1
          Platform: ix86
        OS/Version: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: scp
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: oberman at es.net

The man page states that scp returns 0 for success and >0 for failure.
This is non-standard. Worse, it may return 0 after a failure.

scp -B bogus at system:file1 file1

If authentication fails, the string "Permission denied" is sent to STDERR,
but the status is 0, making this indistinguishable from success without
an extra check of the text sent to STDERR.

From bugzilla-daemon at mindrot.org Thu Jul 25 04:25:43 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 25 Jul 2002 04:25:43 +1000 (EST)
Subject: [Bug 369] Inconsistent exit status from scp
Message-ID: <20020724182543.71AFBE9C1@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=369

------- Additional Comments From markus at openbsd.org  2002-07-25 04:25 -------
0 for success and >0 for failure _is_ standard on unix.

From bugzilla-daemon at mindrot.org Thu Jul 25 04:26:46 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 25 Jul 2002 04:26:46 +1000 (EST)
Subject: [Bug 369] Inconsistent exit status from scp
Message-ID: <20020724182646.4448CE9C1@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=369

------- Additional Comments From markus at openbsd.org  2002-07-25 04:26 -------
scp should check ssh's exit status.

From markus at openbsd.org Thu Jul 25 06:12:22 2002
From: markus at openbsd.org (Markus Friedl)
Date: Wed, 24 Jul 2002 22:12:22 +0200
Subject: Web-Proxy-Option?
In-Reply-To: <20020723221344.A28021@foo.birdnet.se>
References: <20020722085236.GA2732@danisch.de> <20020722090740.GA5668@faui02> <1027361720.21562.10.camel@johnh.apropos.com> <20020723074108.GC10537@faui02> <1027449315.26546.34.camel@johnh.apropos.com> <20020723221344.A28021@foo.birdnet.se>
Message-ID: <20020724201222.GB16223@folly>

On Tue, Jul 23, 2002 at 10:13:44PM +0200, Peter Stuge wrote:
> It's a violently useful feature, I wish more software had it.

yes, it allows ssh to talk to sshd w/o any TCP. e.g. over a serial line.

From andrew at andrew.triumf.ca Thu Jul 25 09:27:29 2002
From: andrew at andrew.triumf.ca (Andrew Daviel)
Date: Wed, 24 Jul 2002 16:27:29 -0700 (PDT)
Subject: CRC errors RedHat 6/PuTT Y/openssh 3.4

I recently upgraded my servers to 3.4p1 and have been having a problem
connecting with an old Windows SSH1 client by Cedomir Igaly, and also with
PuTTY which I just downloaded. I get a "CRC error".

This is with OpenSSH that I built from the SRPM, setting the flag in the
spec file for RHL 6.

My RH6 ssh talks both ways to OpenSSH_2.9.9 (RedHat patch) and to sshd 3.4
on RedHat 7.2. My Windows clients talk to the sshd 3.4 on RedHat 7.2 and
to OpenSSH_2

OpenSSH for Windows seems to talk to my RH6 sshd, as does WinSCP, but I'm
not sure about other clients.

I'd like to use a graphical ssh Windows client (or at least one where I
can have scrollbars and black-on-white text, instead of DOS box
grey-on-black)

Any suggestions ?

-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at triumf.ca

From stuge-openssh-unix-dev at cdy.org Thu Jul 25 09:54:35 2002
From: stuge-openssh-unix-dev at cdy.org (Peter Stuge)
Date: Thu, 25 Jul 2002 01:54:35 +0200
Subject: CRC errors RedHat 6/PuTTY/openssh 3.4
In-Reply-To: ; from andrew@andrew.triumf.ca on Wed, Jul 24, 2002 at 04:27:29PM -0700
Message-ID: <20020725015435.C32639@foo.birdnet.se>

On Wed, Jul 24, 2002 at 04:27:29PM -0700, Andrew Daviel wrote:
> Any suggestions ?

Have PuTTY talk SSH 2 with OpenSSH. Works like a charm.
(Check out the "SSH" node in the configuration tree to the left of the
connection window, in newer releases of PuTTY.)

//Peter

From bugzilla-daemon at mindrot.org Thu Jul 25 10:14:27 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 25 Jul 2002 10:14:27 +1000 (EST)
Subject: [Bug 370] New: scp incompatibility when connecting to Commercial SSH server
Message-ID: <20020725001427.93644E9A4@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=370

           Summary: scp incompatibility when connecting to Commercial SSH server
           Product: Portable OpenSSH
           Version: -current
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: scp
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: thewizard75 at hotmail.com

My coworker is attempting to transfer files from one UNIX/Linux system to my server using scp.

The server is running:
SSH-2.0-3.2.0 SSH Secure Shell (non-commercial)
Linux hrothgar.math.hmc.edu 2.4.18 #2 SMP Sat Mar 16 10:46:41 PST 2002 i686 unknown

and he is running:
OpenSSH_3.2.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
or
OpenSSH_3.2.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
or many more, including new 3.4

The scp client, when invoked with -v, yields: (one example, others similar)

Executing: program /usr/local/bin/ssh host hrothgar.math.hmc.edu, user , command scp -v -t
OpenSSH_3.2.3p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 20358 geteuid 0 anon 1
debug1: Connecting to hrothgar.math.hmc.edu [134.173.34.62] port 22.
debug1: temporarily_use_uid: 20358/14750 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 20358/14750 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /home//.ssh/identity type -1
debug1: identity file /home//.ssh/id_rsa type -1
debug1: identity file /home//.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version 3.2.0 SSH Secure Shell (non-commercial)
debug1: no match: 3.2.0 SSH Secure Shell (non-commercial)
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.2.3p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: dh_gen_key: priv key bits set: 111/256
debug1: bits set: 492/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host 'hrothgar.math.hmc.edu' is known and matches the DSA host key.
debug1: Found key in /home//.ssh/known_hosts:2
debug1: bits set: 491/1024
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: try privkey: /home//.ssh/identity
debug1: try privkey: /home//.ssh/id_rsa
debug1: try privkey: /home//.ssh/id_dsa
debug1: next auth method to try is password
debug1: ssh-userauth2 successful: method password
debug1: fd 5 setting O_NONBLOCK
debug1: fd 6 setting O_NONBLOCK
debug1: fd 7 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: Sending command: scp -v -t /home/
debug1: channel request 0: exec
debug1: channel 0: open confirm rwindow 100000 rmax 32768
scp: warning: Executing scp1.
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: channel 0: rcvd close
debug1: channel 0: output open -> drain
debug1: channel 0: close_read
debug1: channel 0: input open -> closed
scp: FATAL: Executing ssh1 in compatibility mode failed (Check that scp1 is in your PATH).
debug1: channel 0: obuf empty
debug1: channel 0: close_write
debug1: channel 0: output drain -> closed
debug1: channel 0: almost dead
debug1: channel 0: gc: notify user
debug1: channel 0: gc: user detached
debug1: channel 0: send close
debug1: channel 0: is dead
debug1: channel 0: garbage collecting
debug1: channel_free: channel 0: client-session, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
debug1: fd 1 clearing O_NONBLOCK
debug1: fd 2 clearing O_NONBLOCK
debug1: Transferred: stdin 0, stdout 0, stderr 0 bytes in 0.3 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 0.0

Now, I know that the server does not have SSH1 installed for compatibility purposes, so OpenSSH's scp (talking to a v.2 server) should really use the sftp subsystem to talk to the server (instead of falling back to old scp1 behavior).

This is a serious bug/feature of OpenSSH that is precluding many people at my institution from using scp to copy from machines with OpenSSH to machines with SSH. Since sftp does not contain commands allowing for the transfer of entire directories / multiple files, this is severely crippling the work they are trying to do. Moving from SSH to OpenSSH on the server is not an option, as there are other bugs in OpenSSH that would debilitate the server in other transactions it makes.

So is this bug/feature known, and are there any sensible workarounds / timetable when scp will attempt to use the subsystem sftp on v. 2 servers before falling back to old scp1 behavior?

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
From raphale1 at icpd.sonera.fi Thu Jul 25 15:40:26 2002
From: raphale1 at icpd.sonera.fi (Leonard Raphael)
Date: Thu, 25 Jul 2002 08:40:26 +0300 (EET DST)
Subject: openssh-unix-dev digest, Vol 1 #505 - 15 msgs
In-Reply-To:
Message-ID:

subscribe openssh-unix-dev at mindrot.org

> Send openssh-unix-dev mailing list submissions to
> openssh-unix-dev at mindrot.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> or, via email, send a message with subject or body 'help' to
> openssh-unix-dev-request at mindrot.org
>
> You can reach the person managing the list at
> openssh-unix-dev-admin at mindrot.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of openssh-unix-dev digest..."
>
>
> Today's Topics:
>
> 1. Re: OpenSSH 3.4p1 hostbased auth - howto? (Tony Finch)
> 2. Re: OpenSSH 3.4p1 "PRNG is not seeded" (Lutz Jaenicke)
> 3. Re: ssh-keygen listing fingerprints little unclear (Markus Friedl)
> 4. Re: OpenSSH 3.4p1 hostbased auth - howto? (Markus Friedl)
> 5. scp bug? or is it intended? (Lapo Luchini)
> 6. Re: OpenSSH 3.4p1 hostbased auth - howto? (Tim Rice)
> 7. Re: scp bug? or is it intended? (Ben Lindstrom)
> 8. pam problems with securid patch (Edward Quick)
> 9. Re: OpenSSH 3.4p1 hostbased auth - howto? (Gert Doering)
> 10. Re: OpenSSH 3.4p1 hostbased auth - howto? (Gert Doering)
> 11. Re: privilege separation breaks dns lookups (Gert Doering)
> 12. Re: OpenSSH 3.4p1 hostbased auth - howto? (Tony Finch)
> 13. [Bug 369] New: Inconsistant exiit status from scp
> (bugzilla-daemon at mindrot.org)
> 14. [Bug 369] Inconsistant exiit status from scp
> (bugzilla-daemon at mindrot.org)
> 15. [Bug 369] Inconsistant exiit status from scp
> (bugzilla-daemon at mindrot.org)
>
> --__--__--
>
> Message: 1
> To: kevin at kevindegraaf.net
> From: Tony Finch
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
> Date: Wed, 24 Jul 2002 12:09:43 +0100
>
> Kevin DeGraaf wrote:
> >
> >5. On both machines, I created /etc/ssh/sshd_config:
> >
> >UsePrivilegeSeparation yes
>
> This is the problem. It's a manifestation of the bug I reported a month
> ago on this list with the subject "privilege separation breaks dns lookups".
> There is a patch but it hasn't been committed.
>
> Tony.
> --
> f.a.n.finch http://dotat.at/
> NORTH FITZROY SOLE LUNDY FASTNET: WEST OR SOUTHWEST 3 OR 4, INCREASING 5
> LATER. OCCASIONAL DRIZZLE. GOOD BECOMING MODERATE OR POOR.
>
> --__--__--
>
> Message: 2
> Date: Wed, 24 Jul 2002 15:00:38 +0200
> From: Lutz Jaenicke
> To: OpenSSH Development
> Subject: Re: OpenSSH 3.4p1 "PRNG is not seeded"
> Organization: BTU Cottbus, Allgemeine Elektrotechnik
>
> On Tue, Jul 23, 2002 at 07:42:59PM -0700, David Marshall wrote:
> > I upgraded from OpenSSH_3.0.2p1 to OpenSSH 3.4p1. Starting SSHD or
> > ssh-keygen I'm getting the "PRNG is not seeded".
> >
> > I have verified that prngd is running and "egc.pl /var/spool/prngd/pool get"
> > runs just fine reporting 32800 bits of entropy.
>
> Did you configure with "--with-prngd-socket=/var/spool/prngd/pool", such
> that OpenSSH picks up the socket? As /var/spool/prngd/pool is not one of
> the recommended standard locations (recommendations from OpenSSL for support
> in 0.9.7), it might not be picked up automatically.
>
> Best regards,
> Lutz
> --
> Lutz Jaenicke
> Lutz.Jaenicke at aet.TU-Cottbus.DE
> http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> BTU Cottbus, Allgemeine Elektrotechnik
> Universitaetsplatz 3-4, D-03044 Cottbus
>
> --__--__--
>
> Message: 3
> Date: Wed, 24 Jul 2002 15:54:24 +0200
> From: Markus Friedl
> To: Magnus Bodin
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: ssh-keygen listing fingerprints little unclear
>
> nice, do you have a patch?
>
> On Wed, Jul 24, 2002 at 09:35:34AM +0200, Magnus Bodin wrote:
> >
> > Since ssh-keygen is not listing the _types_ of keys I have in my file,
> > wouldn't it be a good idea to make the -t switch filtering out the
> > selected type of key when doing a listing with -l?
> >
> > i.e. in this case I see both rsa1, rsa, and dss keys:
> >
> > $ ssh-keygen -l -f ~/.ssh/known_hosts
> >
> > 1024 a9:4f:0b:b6:33:d7:d0:ad:6a:11:b4:57:25:7e:1e:f8 fluff.x42.com
> > 1024 9d:f8:d4:62:dc:3d:fb:26:2a:03:f4:d3:5f:8b:df:39 pingu.framtid.nu
> > 1024 69:6a:0e:49:01:c6:ef:16:65:3e:26:39:21:e2:84:fe pingu.framtid.nu
> >
> > So if I do
> >
> > $ ssh-keygen -l -t rsa -f ~/.ssh/known_hosts
> >
> > I actually would like to see
> >
> > 1024 a9:4f:0b:b6:33:d7:d0:ad:6a:11:b4:57:25:7e:1e:f8 fluff.x42.com
> > 1024 69:6a:0e:49:01:c6:ef:16:65:3e:26:39:21:e2:84:fe pingu.framtid.nu
> >
> > Doesn't it make sense?
> > (or adding the types to the listing)
> >
> > /magnus
> >
> > --
> > http://x42.com/
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
> --__--__--
>
> Message: 4
> Date: Wed, 24 Jul 2002 15:53:50 +0200
> From: Markus Friedl
> To: Tony Finch
> Cc: kevin at kevindegraaf.net, openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
>
> > This is the problem. It's a manifestation of the bug I reported a month
> > ago on this list with the subject "privilege separation breaks dns lookups".
> > There is a patch but it hasn't been committed.
>
> but there should be no DNS lookups in the unprivileged code...
>
> --__--__--
>
> Message: 5
> Date: Wed, 24 Jul 2002 16:00:40 +0200
> From: Lapo Luchini
> Reply-To: Lapo Luchini
> To: openssh-unix-dev at mindrot.org
> Subject: scp bug? or is it intended?
>
> Please enlighten me on a subject, which is easily explained by example
> (cyberone is a Cygwin1.3.12/WinXPpro and cyberx is a FreeBSD with latest
> openssh-portable installed):
>
> lapo at CYBERONE ~
> $ scp lapo at cyberx:Luth\'ol.pcg .
> bash: -c: line 1: unexpected EOF while looking for matching `''
> bash: -c: line 2: syntax error: unexpected end of file
>
> lapo at CYBERONE ~
> $ scp lapo at cyberx:Luth\\\'ol.pcg .
> Luth'ol.pcg 100% |*****************************| 2066 00:00
>
> I guess that the fact that command line is interpreted also on remote
> side should be hidden from the user... IMHO first command line should
> work and second one should not.
>
> Please notice also that I'm not subscribed to this ML.
> If this behaviour is intended, sorry for the message, but then I'd say
> it should at least be noted in the "man" page that the command line will be
> interpreted twice.
>
> OpenSSH is always better and better, keep up the good work =)
> Lapo
>
> --
> Lapo 'Raist' Luchini
> lapo at lapo.it (PGP & X.509 keys available)
> http://www.lapo.it (ICQ UIN: 529796)
>
>
> --__--__--
>
> Message: 6
> Date: Wed, 24 Jul 2002 07:08:57 -0700 (PDT)
> From: Tim Rice
> To: Tony Finch
> Cc: kevin at kevindegraaf.net,
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
>
> On Wed, 24 Jul 2002, Tony Finch wrote:
>
> > Kevin DeGraaf wrote:
> > >
> > >5. On both machines, I created /etc/ssh/sshd_config:
> > >
> > >UsePrivilegeSeparation yes
> >
> > This is the problem. It's a manifestation of the bug I reported a month
> > ago on this list with the subject "privilege separation breaks dns lookups".
> > There is a patch but it hasn't been committed.
>
> What platform are you on? It's working fine on my platforms.
>
> >
> > Tony.
> >
>
> --
> Tim Rice Multitalents (707) 887-1469
> tim at multitalents.net
>
>
>
> --__--__--
>
> Message: 7
> Date: Wed, 24 Jul 2002 09:04:13 -0500 (CDT)
> From: Ben Lindstrom
> To: Lapo Luchini
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: scp bug? or is it intended?
>
>
> This is the correct behavior.
>
> Otherwise the following would not work:
>
> scp host.com:dir/\* .
>
> Remember scp on the other end runs in your shell. So you have to contend
> with double escapes (same with rcp) to gain the behavior you want.
>
> - Ben
>
> On Wed, 24 Jul 2002, Lapo Luchini wrote:
>
> > Please enlighten me on a subject, which is easily explained by example
> > (cyberone is a Cygwin1.3.12/WinXPpro and cyberx is a FreeBSD with latest
> > openssh-portable installed):
> >
> > lapo at CYBERONE ~
> > $ scp lapo at cyberx:Luth\'ol.pcg .
> > bash: -c: line 1: unexpected EOF while looking for matching `''
> > bash: -c: line 2: syntax error: unexpected end of file
> >
> > lapo at CYBERONE ~
> > $ scp lapo at cyberx:Luth\\\'ol.pcg .
> > Luth'ol.pcg 100% |*****************************| 2066 00:00
> >
> > I guess that the fact that command line is interpreted also on remote
> > side should be hidden from the user... IMHO first command line should
> > work and second one should not.
> >
> > Please notice also that I'm not subscribed to this ML.
> > If this behaviour is intended, sorry for the message, but then I'd say
> > it should at least be noted in the "man" page that the command line will be
> > interpreted twice.
> >
> > OpenSSH is always better and better, keep up the good work =)
> > Lapo
> >
> > --
> > Lapo 'Raist' Luchini
> > lapo at lapo.it (PGP & X.509 keys available)
> > http://www.lapo.it (ICQ UIN: 529796)
> >
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
>
>
> --__--__--
>
> Message: 8
> From: "Edward Quick"
> To: openssh-unix-dev at mindrot.org
> Subject: pam problems with securid patch
> Date: Wed, 24 Jul 2002 14:18:24 +0000
>
> Hi,
>
> I have the securID patch applied to openssh3.4p-1 and it's compiled with
> pam. The problem I'm getting is that SecurID auth works OK, but normal
> password auth doesn't. I narrowed down the failure to the following section
> in auth-pam.c :
>
>     __pampasswd = password;
>
>     pamstate = INITIAL_LOGIN;
>     pam_retval = do_pam_authenticate(
>         options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
>
> but I can't see how this works. Can anyone enlighten me please? I know that
> the password is correct but pam_retval is still not equal to PAM_SUCCESS.
>
> Cheers,
>
> Ed.
>
> _________________________________________________________________
> Join the world's largest e-mail service with MSN Hotmail.
> http://www.hotmail.com
>
>
> --__--__--
>
> Message: 9
> Date: Wed, 24 Jul 2002 16:24:29 +0200
> From: Gert Doering
> To: Markus Friedl
> Cc: Tony Finch , kevin at kevindegraaf.net, openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
>
> Hi,
>
> On Wed, Jul 24, 2002 at 03:53:50PM +0200, Markus Friedl wrote:
> > > This is the problem. It's a manifestation of the bug I reported a month
> > > ago on this list with the subject "privilege separation breaks dns lookups".
> > > There is a patch but it hasn't been committed.
> > but there should be no DNS lookups in the unprivileged code...
>
> The protocol 1 / RhostsRSAAuthentication handler seems to be doing reverse
> lookups, and fails. This is how it looks here:
>
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_receive_expect entering: type 11
> debug3: mm_request_send entering: type 11
> debug3: mm_request_receive entering
> Failed none for gert from 195.30.1.25 port 760
> debug3: mm_auth_password: user not authenticated
> debug3: mm_request_receive entering
> debug1: Trying rhosts with RSA host authentication for client user gert
> debug3: Trying to reverse map address 195.30.1.25.
>
> Could not reverse map address 195.30.1.25.
> debug1: Rhosts RSA authentication: canonical host 195.30.1.25
> debug3: mm_key_allowed entering
> debug3: mm_request_send entering: type 20
> debug3: monitor_read: checking request 20
> debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
> debug3: mm_answer_keyallowed entering
> debug3: mm_request_receive_expect entering: type 21
> debug3: mm_answer_keyallowed: key_from_blob: 0x80951d0
> debug3: mm_request_receive entering
> debug3: Trying to reverse map address 195.30.1.25.
> debug2: auth_rhosts2: clientuser gert hostname moebius.space.net ipaddr 195.30.1.25
> debug1: restore_uid
> debug1: restore_uid
> debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
> debug3: check_host_in_hostfile: filename /home/gert/.ssh/known_hosts
> ...
>
> Without PrivSep, the log is as follows:
>
> debug1: Attempting authentication for gert.
> debug1: Trying rhosts with RSA host authentication for client user gert
> debug3: Trying to reverse map address 195.30.1.25.
>
> debug1: Rhosts RSA authentication: canonical host moebius.space.net
> debug2: auth_rhosts2: clientuser gert hostname moebius.space.net ipaddr 195.30.1.25
> debug1: restore_uid
> debug1: restore_uid
> debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
> debug3: check_host_in_hostfile: filename /home/gert/.ssh/known_hosts
>
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert.doering at physik.tu-muenchen.de
>
> --__--__--
>
> Message: 10
> Date: Wed, 24 Jul 2002 16:25:22 +0200
> From: Gert Doering
> To: Tim Rice
> Cc: Tony Finch , kevin at kevindegraaf.net, openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
>
> hi,
>
> On Wed, Jul 24, 2002 at 07:08:57AM -0700, Tim Rice wrote:
> > > This is the problem. It's a manifestation of the bug I reported a month
> > > ago on this list with the subject "privilege separation breaks dns lookups".
> > > There is a patch but it hasn't been committed.
> > What platform are you on? It's working fine on my platforms.
>
> I see this on FreeBSD 4.1.1-RELEASE.
>
> Interesting enough, FreeBSD 4.1 and 4.2 work fine.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert.doering at physik.tu-muenchen.de
>
> --__--__--
>
> Message: 11
> Date: Wed, 24 Jul 2002 16:32:08 +0200
> From: Gert Doering
> To: Kevin Steves
> Cc: Tony Finch , openssh-unix-dev at mindrot.org, stevesk at pobox.com
> Subject: Re: privilege separation breaks dns lookups
>
> Hi,
>
> On Sat, Jun 29, 2002 at 12:38:35PM -0700, Kevin Steves wrote:
> > On Wed, Jun 26, 2002 at 11:26:31PM +0100, Tony Finch wrote:
> > > When the unprivileged child has chrooted it can no longer open
> > > /etc/resolv.conf, so if the resolver hasn't yet initialized itself then
> > > dns lookups will not be possible. This is unfortunately what normally
> > > happens, but sshd falls back gracefully.
> >
> > can you try this?
> >
> > Index: sshd.c
> > ===================================================================
> [..]
> > error("setsockopt SO_KEEPALIVE: %.100s",
> strerror(errno));
> > +
> > + /*
> > + * Initialize the resolver. This may not happen automatically
> > + * before privsep chroot().
> > + */
> > + if ((_res.options & RES_INIT) == 0) {
> > + debug("res_init()");
> > + res_init();
> > + }
>
> I won't claim to understand why it is necessary, but your patch fixes the
> "wait a minute" problem when logging into a FreeBSD 4.1.1-RELEASE machine
> with PrivSep and RhostsRSAAuthentication enabled.
>
> Sorry for not responding more quickly - I passed this to a colleague who
> just didn't do the test :-(
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert.doering at physik.tu-muenchen.de
>
> --__--__--
>
> Message: 12
> Date: Wed, 24 Jul 2002 16:26:42 +0100
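Review bot: the return value of res_init() in the added block of the sshd.c hunk is discarded, and a failed res_init() (it returns -1 when it cannot read /etc/resolv.conf) is exactly the condition this change exists to avoid, so a failure should be logged, e.g. `if (res_init() == -1) error("res_init failed");`, rather than only the debug() before the call. The `[..]` elision also hides whether <resolv.h> is included, and the `_res.options & RES_INIT` test assumes a BSD-style resolver; for portable OpenSSH this wants a configure check or `#ifdef` guard so platforms without `_res` still build.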
> From: Tony Finch
> To: Markus Friedl
> Cc: Tony Finch , kevin at kevindegraaf.net, openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
>
> On Wed, Jul 24, 2002 at 03:53:50PM +0200, Markus Friedl wrote:
> > > This is the problem. It's a manifestation of the bug I reported a month
> > > ago on this list with the subject "privilege separation breaks dns lookups".
> > > There is a patch but it hasn't been committed.
> >
> > but there should be no DNS lookups in the unprivileged code...
>
> This is on FreeBSD-4.6-STABLE using the openssh-portable port (which is
> 3.4p1) The backtrace of the offending DNS lookup is
>
> #0 0x8061450 in get_remote_hostname (socket=5, verify_reverse_mapping=0) at canohost.c:81
> #1 0x8061714 in get_canonical_hostname (verify_reverse_mapping=0) at canohost.c:194
> #2 0x8050021 in input_userauth_request (type=50, seq=5, ctxt=0x80990c0) at auth2.c:147
> #3 0x8067fcf in dispatch_run (mode=0, done=0x80990c0, ctxt=0x80990c0) at dispatch.c:93
> #4 0x804fef8 in do_authentication2 () at auth2.c:96
> #5 0x804e365 in main (ac=4, av=0xbfbffab0) at sshd.c:1507
>
> The call to get_canonical_hostname in input_userauth_request is part of
> the FreeBSD patch set, so I'll report the bug to them.
>
> Tony.
> --
> f.a.n.finch http://dotat.at/
> FISHER GERMAN BIGHT: WEST OR NORTHWEST 5 OR 6, BUT 7 IN NORTHEAST FISHER AT
> FIRST, DECREASING 4 IN SOUTHWEST FISHER AND IN GERMAN BIGHT. SHOWERS. GOOD.
>
> --__--__--
>
> Message: 13
> From: bugzilla-daemon at mindrot.org
> To: openssh-unix-dev at mindrot.org
> Subject: [Bug 369] New: Inconsistant exiit status from scp
> Date: Thu, 25 Jul 2002 04:05:54 +1000 (EST)
>
> http://bugzilla.mindrot.org/show_bug.cgi?id=369
>
>            Summary: Inconsistant exiit status from scp
>            Product: Portable OpenSSH
>            Version: 3.0.2p1
>           Platform: ix86
>         OS/Version: FreeBSD
>             Status: NEW
>           Severity: normal
>           Priority: P2
>          Component: scp
>         AssignedTo: openssh-unix-dev at mindrot.org
>         ReportedBy: oberman at es.net
>
>
> The man page states that scp returns 0 for success and >0 for failure. This is
> non-standard.
> Worse, it may return 0 after a failure.
> scp -B bogus at system:file1 file1
> If authentication fails, the string "Permision denied" is sent to STDERR, but
> the status is 0, making this indistinguishable from success without an extra
> check of the text sent to STDERR.
>
>
>
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
>
> --__--__--
>
> Message: 14
> From: bugzilla-daemon at mindrot.org
> To: openssh-unix-dev at mindrot.org
> Subject: [Bug 369] Inconsistant exiit status from scp
> Date: Thu, 25 Jul 2002 04:25:43 +1000 (EST)
>
> http://bugzilla.mindrot.org/show_bug.cgi?id=369
>
>
> ------- Additional Comments From markus at openbsd.org 2002-07-25 04:25 -------
> 0 for success and >0 for failure _is_ standard on unix.
>
>
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
>
> --__--__--
>
> Message: 15
> From: bugzilla-daemon at mindrot.org
> To: openssh-unix-dev at mindrot.org
> Subject: [Bug 369] Inconsistant exiit status from scp
> Date: Thu, 25 Jul 2002 04:26:46 +1000 (EST)
>
> http://bugzilla.mindrot.org/show_bug.cgi?id=369
>
>
> ------- Additional Comments From markus at openbsd.org 2002-07-25 04:26 -------
> scp should check ssh's exit status.
>
>
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
>
>
> --__--__--
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>
> End of openssh-unix-dev Digest

From bugzilla-daemon at mindrot.org Thu Jul 25 20:04:37 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Thu, 25 Jul 2002 20:04:37 +1000 (EST)
Subject: [Bug 368] TTSSH will not connect to OpenSSH_3.4p1
Message-ID: <20020725100437.5D872E921@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=368

------- Additional Comments From markus at openbsd.org 2002-07-25 20:04 -------
it looks like the monitor process is sending data over the network.
you could change packet.c to printout the current pid and the packet type for every packet sent.
the monitor process is not allowed to call packet_send.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

From markus at openbsd.org Thu Jul 25 21:55:37 2002
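The double interpretation that Lapo ran into and Ben explains in messages 5 and 7 of the digest above, as an added shell example that is not code from the thread or from OpenSSH: the helpers remote_shell_sees, quote_for_remote and remote_glob_demo are hypothetical and stand in for the remote login shell that sshd runs the "scp -f <path>" command under.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH). scp passes the
# remote path to ssh as part of a command line ("scp -f <path>"), and the
# remote login shell parses that line a second time. A path that left the
# local shell as  Luth'ol.pcg  therefore reaches the remote shell with an
# unbalanced quote and fails, while  Luth\'ol.pcg  (typed locally as
# Luth\\\'ol.pcg) is what the remote shell actually needs to see.

# Hypothetical stand-in for the remote login shell: it receives the
# already-locally-parsed string and evaluates it again with "sh -c".
remote_shell_sees() {
    sh -c "printf '%s' $1" 2>/dev/null
}

# Wrap a filename in single quotes, turning each embedded ' into '\''.
# The result survives the second parse unchanged, so the user does not
# have to count backslashes.
quote_for_remote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Ben's reason for the behaviour: a bare * has to be expanded by the
# remote shell for "scp host.com:dir/\* ." to work. Uses a constructed
# temporary directory with two files and returns
# "<expansion of *>|<what a quoted * yields>".
remote_glob_demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/a.txt"
    : > "$tmp/b.txt"
    # Remote shell sees a bare * (what the user typed locally as \*).
    expanded=$(cd "$tmp" && sh -c 'printf "%s " *')
    # Remote shell sees '*' and leaves it alone: no file is matched.
    literal=$(cd "$tmp" && sh -c "printf '%s ' $(quote_for_remote '*')")
    rm -rf "$tmp"
    printf '%s|%s' "${expanded% }" "${literal% }"
}

# Walk through the two command lines from Lapo's report.
printf 'remote sees [%s]: ' "Luth'ol.pcg"
remote_shell_sees "Luth'ol.pcg" || printf 'syntax error, nothing transferred'
printf '\n'
printf 'remote sees [%s]: %s\n' "Luth\\'ol.pcg" "$(remote_shell_sees "Luth\\'ol.pcg")"
printf 'quoted form %s gives: %s\n' "$(quote_for_remote "Luth'ol.pcg")" \
    "$(remote_shell_sees "$(quote_for_remote "Luth'ol.pcg")")"
printf 'glob: %s\n' "$(remote_glob_demo)"
```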
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 25 Jul 2002 13:55:37 +0200
Subject: ssh-keygen listing fingerprints little unclear
In-Reply-To: <20020724073534.GA3420@bodin.org>
References: <20020724073534.GA3420@bodin.org>
Message-ID: <20020725115537.GB9824@folly>

On Wed, Jul 24, 2002 at 09:35:34AM +0200, Magnus Bodin wrote:
> Since ssh-keygen is not listing the _types_ of keys I have in my file,
> wouldn't it be a good idea to make the -t switch filtering out the
> selected type of key when doing a listing with -l?

i think -l should list the key type, too.

From magnus at bodin.org Thu Jul 25 22:04:24 2002
From: magnus at bodin.org (Magnus Bodin)
Date: Thu, 25 Jul 2002 14:04:24 +0200
Subject: ssh-keygen listing fingerprints little unclear
In-Reply-To: <20020725115537.GB9824@folly>
References: <20020724073534.GA3420@bodin.org> <20020725115537.GB9824@folly>
Message-ID: <20020725120424.GA15898@bodin.org>

On Thu, Jul 25, 2002 at 01:55:37PM +0200, Markus Friedl wrote:
> On Wed, Jul 24, 2002 at 09:35:34AM +0200, Magnus Bodin wrote:
> > Since ssh-keygen is not listing the _types_ of keys I have in my file,
> > wouldn't it be a good idea to make the -t switch filtering out the
> > selected type of key when doing a listing with -l?
>
> i think -l should list the key type, too.

ok. I've started to provide a patch, but have not yet had time to look into how ssh-keygen is retrieving the key-type from the file. I guess it's done in key_read(). What about the 'old' types that occur in at least some of my known_hosts-file, which reads '1024 33', '1024 37' and so forth. How do they map onto KEY_RSA, KEY_DSA etc? Are they all KEY_RSA1? Should they be shown as if they were of the 'new' rsa1-type?

They of course do not need to be matched with e.g. -lt 33 (my filter suggestion) as they all should be converted.

/magnus

--
http://x42.com/

From markus at openbsd.org Thu Jul 25 22:16:59 2002
From: markus at openbsd.org (Markus Friedl)
Date: Thu, 25 Jul 2002 14:16:59 +0200
Subject: ssh-keygen listing fingerprints little unclear
In-Reply-To: <20020725120424.GA15898@bodin.org>
References: <20020724073534.GA3420@bodin.org> <20020725115537.GB9824@folly> <20020725120424.GA15898@bodin.org>
Message-ID: <20020725121659.GA2722@faui02>

On Thu, Jul 25, 2002 at 02:04:24PM +0200, Magnus Bodin wrote:
> ok. I've started to provide a patch, but have not yet had time to look into
> how ssh-keygen is retrieving the key-type from the file. I guess it's done
> in key_read(). What about the 'old' types that occur in at least some
> of my known_hosts-file, which reads '1024 33', '1024 37' and so forth. How
> do they map onto KEY_RSA, KEY_DSA etc? Are they all KEY_RSA1? Should they
> be shown as if they were of the 'new' rsa1-type?

they are all KEY_RSA1. you should just print key_name(key).

as to the filter:

Index: ssh-keygen.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v
retrieving revision 1.101
diff -u -r1.101 ssh-keygen.c
--- ssh-keygen.c	23 Jun 2002 09:39:55 -0000	1.101
+++ ssh-keygen.c	25 Jul 2002 12:15:49 -0000
@@ -441,11 +441,14 @@
 	FILE *f;
 	Key *public;
 	char *comment = NULL, *cp, *ep, line[16*1024], *fp;
-	int i, skip = 0, num = 1, invalid = 1;
+	int i, skip = 0, num = 1, invalid = 1, key_filter = KEY_UNSPEC;
 	enum fp_rep rep;
 	enum fp_type fptype;
 	struct stat st;
 
+	if (key_type_name != NULL)
+		key_filter = key_type_from_name(key_type_name);
+
 	fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
 	rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
 
@@ -513,6 +516,11 @@
 				key_free(public);
 				continue;
 			}
+		}
+		if (key_filter != KEY_UNSPEC &&
+		    key_filter != public->type) {
+			key_free(public);
+			continue;
 		}
 		comment = *cp ? cp : comment;
 		fp = key_fingerprint(public, fptype, rep);

From Roumen.Petrov at skalasoft.com Thu Jul 25 23:22:00 2002
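Review bot: in the first hunk of the ssh-keygen.c patch, a -t value that key_type_from_name() does not recognise leaves key_filter at KEY_UNSPEC, so a mistyped type name silently lists every key instead of failing; since key_type_name is known to be non-NULL on that path, reject KEY_UNSPEC there, e.g. `if (key_filter == KEY_UNSPEC) fatal("unknown key type %s", key_type_name);`. The second hunk's comparison against public->type is fine, and because the old '1024 33'-style entries are all KEY_RSA1 (as stated above), `-t rsa1` will select exactly those lines.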
From: Roumen.Petrov at skalasoft.com (Roumen.Petrov at skalasoft.com)
Date: Thu, 25 Jul 2002 16:22:00 +0300
Subject: [Patch] Improve portability of regression tests - version 2
References: <3D3D44D3.4070508@skalasoft.com> <20020723145600.GA23631@folly>
Message-ID: <3D3FFB78.1050108@skalasoft.com>

OpenBSD patch:
http://satva.skalasoft.com/~rumen/openssh/temp/regress-openbsd.diff.gz

About new patch:
- "echo -n ..." is replaced with "echon" function
- "id -n..." changed with "whoami"
- "md5sum" in stderr-after-eof.sh => "openssl md5"
- Makefile is more common (not only for pmake)
- AuthorizedKeysFile is "$HOME/.ssh/authorized_keys_test_$USER" and new variable AUTHORIZED_KEYS_FILE is defined (fix problem with directory permissions)
- test "sshd_config" contains line: "Subsystem sftp $SFTPSERVER" - point to newbuild.

Tips for portable version:
a.) get regress from openbsd cvs:
    CVS_RSH=ssh cvs -d anoncvs at anoncvs.be.openbsd.org:/cvs get src/regress/usr.bin/ssh
b.) apply patch
c.) get portable from cvs
d.) replace content of regress directory with content of openbsd (see point a.)
e.) patch portable "Makefile.in" with http://satva.skalasoft.com/~rumen/openssh/temp/regress-portable.diff.gz
f.) run:
    ./configure [options]
    make
    make tests
.....

NOTES:
- (sample): make tests LTESTS="sftp regress" will run all targets t1-t7 defined in regress Makefile plus only "sftp.sh" and "regress.sh" tests. Work around is to move commands from makefile to shell scripts.
- first argument of "test-exec.sh" must be absolute path otherwise script (I too) cannot find pidfile.

From bugzilla-daemon at mindrot.org Fri Jul 26 00:06:07 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 26 Jul 2002 00:06:07 +1000 (EST) Subject: [Bug 371] New: OpenSSH fails to build on Alpha True64 in cipher.c Message-ID: <20020725140607.33DC1E922@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=371 Summary: OpenSSH fails to build on Alpha True64 in cipher.c Product: Portable OpenSSH Version: -current Platform: Alpha OS/Version: OSF/1 Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: eesrjhc at bath.ac.uk $uname -a OSF1 cavendish.bath.ac.uk V5.0 1094 alpha Installed Openssl-0.96d in /usr/local/openssl Configured OpenSSH-3.4p1 with: export DEC_CC="-I/usr/local/include " CC="cc -std1" ./configure which reports: OpenSSH has been configured with the following options: User binaries: /usr/local/bin System binaries: /usr/local/sbin Configuration files: /usr/local/etc Askpass program: /usr/local/libexec/ssh-askpass Manual pages: /usr/local/man/manX PID file: /var/run Privilege separation chroot path: /var/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin Manpage format: man PAM support: no KerberosIV support: no KerberosV support: no Smartcard support: no AFS support: no S/KEY support: no TCP Wrappers support: no MD5 password support: no IP address in $DISPLAY hack: no Use IPv4 by default hack: no Translate v4 in v6 hack: no BSD Auth support: no Random number source: ssh-rand-helper ssh-rand-helper collects from: Command hashing (timeout 200) Host: alphaev67-dec-osf5.0 Compiler: cc -std1 Compiler flags: -g Preprocessor flags: Linker flags: Libraries: -lz -lsecurity -ldb -lm -laud -lcrypto then run "make" which fails: cc -std1 -g -I. -I. 
-DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c cipher.c cc: Warning: cipher.c, line 65: In the initializer for ciphers[0].evptype, the referenced type of the pointer value "EVP_enc_null" is "function () returning pointer to struct evp_cipher_st", which is not compatible with "function () returning pointer to const struct evp_cipher_st". (ptrmismatch) { "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null }, -------------------------------------------------------^ cc: Warning: cipher.c, line 66: In the initializer for ciphers[1].evptype, the referenced type of the pointer value "EVP_des_cbc" is "function () returning pointer to struct evp_cipher_st", which is not compatible with "function () returning pointer to const struct evp_cipher_st". (ptrmismatch) { "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc }, ------------------------------------------------------^ cc: Warning: cipher.c, line 70: In the initializer for ciphers[4].evptype, the referenced type of the pointer value "EVP_des_ede3_cbc" is "function () returning pointer to struct evp_cipher_st", which is not compatible with "function () returning pointer to const struct evp_cipher_st". (ptrmismatch) { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc }, --------------------------------------------------------^ cc: Warning: cipher.c, line 71: In the initializer for ciphers[5].evptype, the referenced type of the pointer value "EVP_bf_cbc" is "function () returning pointer to struct evp_cipher_st", which is not compatible with "function () returning pointer to const struct evp_cipher_st". 
(ptrmismatch) { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc }, --------------------------------------------------------^ cc: Warning: cipher.c, line 72: In the initializer for ciphers[6].evptype, the referenced type of the pointer value "EVP_cast5_cbc" is "function () returning pointer to struct evp_cipher_st", which is not compatible with "function () returning pointer to const struct evp_cipher_st". (ptrmismatch) { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc }, --------------------------------------------------------^ cc: Warning: cipher.c, line 73: In the initializer for ciphers[7].evptype, the referenced type of the pointer value "EVP_rc4" is "function () returning pointer to struct evp_cipher_st", which is not compatible with "function () returning pointer to const struct evp_cipher_st". (ptrmismatch) { "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 }, --------------------------------------------------------^ cc: Error: cipher.c, line 706: In this statement, "c->evptype" and "EVP_rc4" cannot be compared for equality or inequality. (noequality) if (c->evptype == EVP_rc4) { ------------^ cc: Error: cipher.c, line 721: In this statement, "c->evptype" and "EVP_rc4" cannot be compared for equality or inequality. (noequality) if (c->evptype == EVP_rc4) { ------------^ *** Exit 1 Let me know if you need more info. Roger. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From wendyp at cray.com Fri Jul 26 03:14:50 2002
From: wendyp at cray.com (Wendy Palm) Date: Thu, 25 Jul 2002 12:14:50 -0500 Subject: OpenSSH 3.4p1's top level .cvsignore file Message-ID: <3D40320A.BCDC87BE@cray.com> anyone who can help me understand- one of my developers reimported openssh snapshot from 0722 into cvs. he sent me the following email about an error he believes is in the snapshot i'm not a cvs-knowledgeable person, so i'm not all that clear on this, but should *.in files be in .cvsignore? i tried checking a later snapshot, but 0722 seems to be the latest one. .cvsignore is dated jun 26. wendy -------- Original Message -------- Wendy, I just noticed that the OpenSSH 3.4p1 tar file has a .cvsignore file at the top level and in it, it has config.h.in which I believe should NOT be ignored. This prevents the resulting re-importation of OpenSSH 3.4p1 back into CVS from being complete and yields a weird openbsd-compat/bsd-arc4random.c compile error. -- wendy palm Cray OS Sustaining Engineering, Cray Inc. wendyp at cray.com, 651-605-9154 From tim at multitalents.net Fri Jul 26 03:24:51 2002 
From: tim at multitalents.net (Tim Rice) Date: Thu, 25 Jul 2002 10:24:51 -0700 (PDT) Subject: OpenSSH 3.4p1's top level .cvsignore file In-Reply-To: <3D40320A.BCDC87BE@cray.com> Message-ID: On Thu, 25 Jul 2002, Wendy Palm wrote: > > > anyone who can help me understand- > > one of my developers reimported openssh snapshot from 0722 > into cvs. he sent me the following email about an error he believes > is in the snapshot > i'm not a cvs-knowledgeable person, so i'm not all that > clear on this, but should *.in files be in .cvsignore? config.h.in is generated by autoreconf when acconfig.h is changed. So yes, config.h.in should be ignored. > > i tried checking a later snapshot, but 0722 seems to be the latest one. > .cvsignore is dated jun 26. > > wendy > -------- Original Message -------- > > Wendy, > > I just noticed that the OpenSSH 3.4p1 tar file has a .cvsignore > file at the top level and in it, it has config.h.in which I believe > should NOT be ignored. This prevents the resulting re-importation > of OpenSSH 3.4p1 back into CVS from being complete and yields > a weird openbsd-compat/bsd-arc4random.c compile error. > > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From stevev at darkwing.uoregon.edu Fri Jul 26 03:28:02 2002 
From: stevev at darkwing.uoregon.edu (Steve VanDevender) Date: Thu, 25 Jul 2002 10:28:02 -0700 Subject: [Bug 371] New: OpenSSH fails to build on Alpha True64 in cipher.c In-Reply-To: <20020725140607.33DC1E922@shitei.mindrot.org> References: <20020725140607.33DC1E922@shitei.mindrot.org> Message-ID: <15680.13602.611201.31235@darkwing.uoregon.edu> bugzilla-daemon at mindrot.org writes: > Configured OpenSSH-3.4p1 with: > export DEC_CC="-I/usr/local/include " > CC="cc -std1" ./configure > cc -std1 -g -I. -I. -DSSHDIR=\"/usr/local/etc\" > -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" > -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" > -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" > -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" > -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" > -DSSH_RAND_HELPER=\"/usr/local/libexec/ssh-rand-helper\" -DHAVE_CONFIG_H -c > cipher.c > cc: Warning: cipher.c, line 65: In the initializer for ciphers[0].evptype, the > referenced type of the pointer value "EVP_enc_null" is "function () returning > pointer to struct evp_cipher_st", which is not compatible with "function () > returning pointer to const struct evp_cipher_st". (ptrmismatch) > { "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null }, > -------------------------------------------------------^ Dump the "-std1" in your CFLAGS, and it should build. -std1 invokes a somewhat overly picky ANSI C mode. I configured OpenSSH 3.4p1 under Digital UNIX 4.0g with CC="cc -I/usr/local/include -L/usr/shlib -L/usr/local/lib \ -D_SOCKADDR_LEN" CFLAGS="-fast" ./configure --sysconfdir=/etc/ssh \ --with-tcp-wrappers --with-prngd-socket=/var/run/entropy \ --with-default-path=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin And it works for me. From dot at dotat.at Fri Jul 26 04:16:29 2002 
From: dot at dotat.at (Tony Finch) Date: Thu, 25 Jul 2002 19:16:29 +0100 Subject: [PATCH] prevent users from changing their environment Message-ID: <20020725191629.A8677@chiark.greenend.org.uk> We have a system on which users are given a very restricted environment (their shell is a menu) where they should not be able to run arbitrary commands. However, because their shell is not statically linked, ld.so provides a nice clutch of holes for them to exploit. The patch below adds a new configuration option to sshd which quashes their attempts to set LD_PRELOAD etc. using ~/.ssh/environment or the environment= option in their ~/.ssh/authorized_keys files. It was generated against the OpenBSD version of OpenSSH but applies to the portable version too. Tony. -- f.a.n.finch http://dotat.at/ SOUTH UTSIRE: NORTHWEST 3 OR 4, OCCASIONALLY 5, BACKING SOUTH FOR A TIME. RAIN AT TIMES. MODERATE OR GOOD. --- sshd_config.5 9 Jul 2002 17:46:25 -0000 1.5 +++ sshd_config.5 24 Jul 2002 16:55:29 -0000 @@ -459,6 +459,21 @@ If this option is set to .Dq no root is not allowed to login. +.It Cm PermitUserEnvironment +Specifies whether +.Pa ~/.ssh/environment +is read by +.Nm sshd +and whether +.Cm environment= +options in +.Pa ~/.ssh/authorized_keys +files are permitted. +The default is +.Dq yes . +This option is useful for locked-down installations where +.Ev LD_PRELOAD +and suchlike can cause security problems. .It Cm PidFile Specifies the file that contains the process ID of the .Nm sshd --- sshd_config 20 Jun 2002 23:37:12 -0000 1.56 +++ sshd_config 24 Jul 2002 16:55:27 -0000 @@ -75,6 +75,7 @@ #KeepAlive yes #UseLogin no #UsePrivilegeSeparation yes +#PermitUserEnvironment yes #Compression yes #MaxStartups 10 --- servconf.h 20 Jun 2002 23:05:55 -0000 1.58 +++ servconf.h 24 Jul 2002 16:55:26 -0000 
@@ -97,6 +97,7 @@ int challenge_response_authentication; int permit_empty_passwd; /* If false, do not permit empty * passwords. */ + int permit_user_env; /* If true, read ~/.ssh/environment */ int use_login; /* If true, login(1) is used */ int compression; /* If true, compression is allowed */ int allow_tcp_forwarding; --- servconf.c 23 Jun 2002 09:46:51 -0000 1.112 +++ servconf.c 24 Jul 2002 16:55:26 -0000 @@ -87,6 +87,7 @@ options->kbd_interactive_authentication = -1; options->challenge_response_authentication = -1; options->permit_empty_passwd = -1; + options->permit_user_env = -1; options->use_login = -1; options->compression = -1; options->allow_tcp_forwarding = -1; @@ -204,6 +205,8 @@ options->challenge_response_authentication = 1; if (options->permit_empty_passwd == -1) options->permit_empty_passwd = 0; + if (options->permit_user_env == -1) + options->permit_user_env = 1; if (options->use_login == -1) options->use_login = 0; if (options->compression == -1) @@ -259,7 +262,7 @@ sPrintMotd, sPrintLastLog, sIgnoreRhosts, sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, sStrictModes, sEmptyPasswd, sKeepAlives, - sUseLogin, sAllowTcpForwarding, sCompression, + sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, @@ -319,6 +322,7 @@ { "xauthlocation", sXAuthLocation }, { "strictmodes", sStrictModes }, { "permitemptypasswords", sEmptyPasswd }, + { "permituserenvironment", sPermitUserEnvironment }, { "uselogin", sUseLogin }, { "compression", sCompression }, { "keepalive", sKeepAlives }, 
@@ -670,6 +674,10 @@ case sEmptyPasswd: intptr = &options->permit_empty_passwd; + goto parse_flag; + + case sPermitUserEnvironment: + intptr = &options->permit_user_env; goto parse_flag; case sUseLogin: --- auth-options.c 21 Jul 2002 18:32:20 -0000 1.25 +++ auth-options.c 24 Jul 2002 16:55:25 -0000 @@ -133,7 +133,8 @@ goto next_option; } cp = "environment=\""; - if (strncasecmp(opts, cp, strlen(cp)) == 0) { + if (options.permit_user_env && + strncasecmp(opts, cp, strlen(cp)) == 0) { char *s; struct envstring *new_envstring; --- session.c 22 Jul 2002 11:03:06 -0000 1.145 +++ session.c 24 Jul 2002 16:55:27 -0000 @@ -899,7 +899,7 @@ auth_sock_name); /* read $HOME/.ssh/environment. */ - if (!options.use_login) { + if (options.permit_user_env && !options.use_login) { snprintf(buf, sizeof buf, "%.200s/.ssh/environment", pw->pw_dir); read_environment_file(&env, &envsize, buf); From bugzilla-daemon at mindrot.org Fri Jul 26 04:43:55 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 26 Jul 2002 04:43:55 +1000 (EST) Subject: [Bug 370] scp incompatibility when connecting to Commercial SSH server Message-ID: <20020725184355.19B1EE944@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=370 jmknoble at pobox.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From jmknoble at pobox.com 2002-07-26 04:43 ------- OpenSSH's scp uses the same protocol as rcp. SSH.com's scp uses the SFTP protocol. They're not compatible. Consider using rsync (http://www.samba.org/rsync/) instead. *** This bug has been marked as a duplicate of 248 *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Fri Jul 26 04:44:00 2002 
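Review bot: the sshd_config.5 hunk documents the default as yes, so an option introduced for locked-down installations leaves every existing installation unchanged and the administrator must discover it; since the stated purpose is to stop users setting LD_PRELOAD and similar through files they control, consider defaulting to no and letting sites that depend on ~/.ssh/environment opt in (the sshd_config hunk's `#PermitUserEnvironment yes` would then read `#PermitUserEnvironment no`). The manual entry should also state that ~/.ssh/environment is only read when UseLogin is no, which the session.c hunk's `options.permit_user_env && !options.use_login` condition makes part of the behaviour being documented.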
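Review bot: the comment on the new servconf.h field, `/* If true, read ~/.ssh/environment */`, describes only half of what the flag gates; the auth-options.c hunk also uses it to decide whether `environment=` options in authorized_keys are honoured. Suggest `/* If true, read ~/.ssh/environment and honour environment= in authorized_keys */` so the header agrees with the manual page text in the sshd_config.5 hunk.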
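Review bot: in the auth-options.c hunk, once permit_user_env is false an `environment="..."` option no longer matches the changed condition and falls through to whatever follows this block in auth_parse_options; the hunk does not show that path, so confirm that the option is then treated as an unrecognised option (key refused with a diagnostic) rather than silently accepted, and consider logging explicitly that environment= was ignored because PermitUserEnvironment is off, so that a locked-down host's behaviour is visible to its administrator rather than only to the user whose key stops working.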
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Fri, 26 Jul 2002 04:44:00 +1000 (EST) Subject: [Bug 248] scp doesn't support ssh2 protocol Message-ID: <20020725184400.29C33EA1F@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=248 jmknoble at pobox.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |thewizard75 at hotmail.com ------- Additional Comments From jmknoble at pobox.com 2002-07-26 04:43 ------- *** Bug 370 has been marked as a duplicate of this bug. *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From mouring at etoh.eviladmin.org Fri Jul 26 05:16:10 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 25 Jul 2002 14:16:10 -0500 (CDT) Subject: [PATCH] prevent users from changing their environment In-Reply-To: <20020725191629.A8677@chiark.greenend.org.uk> Message-ID: Why are you using a restricted shell that is not staticly compiled? That is asking for trouble. I don't see why we need to apply this to work around an issue with an incorrect configuration you have decided to use. - Ben On Thu, 25 Jul 2002, Tony Finch wrote: > We have a system on which users are given a very restricted environment > (their shell is a menu) where they should not be able to run arbitrary > commands. However, because their shell is not statically linked, ld.so > provides a nice clutch of holes for them to exploit. The patch below > adds a new configuration option to sshd which quashes their attempts > to set LD_PRELOAD etc. using ~/.ssh/environment or the environment= > option in their ~/.ssh/authorized_keys files. It was generated against > the OpenBSD version of OpenSSH but applies to the portable version too. > > Tony. > -- > f.a.n.finch http://dotat.at/ > SOUTH UTSIRE: NORTHWEST 3 OR 4, OCCASIONALLY 5, BACKING SOUTH FOR A TIME. RAIN > AT TIMES. MODERATE OR GOOD. > > > --- sshd_config.5 9 Jul 2002 17:46:25 -0000 1.5 > +++ sshd_config.5 24 Jul 2002 16:55:29 -0000 > @@ -459,6 +459,21 @@ > If this option is set to > .Dq no > root is not allowed to login. > +.It Cm PermitUserEnvironment > +Specifies whether > +.Pa ~/.ssh/environment > +is read by > +.Nm sshd > +and whether > +.Cm environment= > +options in > +.Pa ~/.ssh/authorized_keys > +files are permitted. > +The default is > +.Dq yes . > +This option is useful for locked-down installations where > +.Ev LD_PRELOAD > +and suchlike can cause security problems. > .It Cm PidFile > Specifies the file that contains the process ID of the > .Nm sshd > --- sshd_config 20 Jun 2002 23:37:12 -0000 1.56 > +++ sshd_config 24 Jul 2002 16:55:27 -0000 
> @@ -75,6 +75,7 @@ > #KeepAlive yes > #UseLogin no > #UsePrivilegeSeparation yes > +#PermitUserEnvironment yes > #Compression yes > > #MaxStartups 10 > --- servconf.h 20 Jun 2002 23:05:55 -0000 1.58 > +++ servconf.h 24 Jul 2002 16:55:26 -0000 > @@ -97,6 +97,7 @@ > int challenge_response_authentication; > int permit_empty_passwd; /* If false, do not permit empty > * passwords. */ > + int permit_user_env; /* If true, read ~/.ssh/environment */ > int use_login; /* If true, login(1) is used */ > int compression; /* If true, compression is allowed */ > int allow_tcp_forwarding; > --- servconf.c 23 Jun 2002 09:46:51 -0000 1.112 > +++ servconf.c 24 Jul 2002 16:55:26 -0000 > @@ -87,6 +87,7 @@ > options->kbd_interactive_authentication = -1; > options->challenge_response_authentication = -1; > options->permit_empty_passwd = -1; > + options->permit_user_env = -1; > options->use_login = -1; > options->compression = -1; > options->allow_tcp_forwarding = -1; > @@ -204,6 +205,8 @@ > options->challenge_response_authentication = 1; > if (options->permit_empty_passwd == -1) > options->permit_empty_passwd = 0; > + if (options->permit_user_env == -1) > + options->permit_user_env = 1; > if (options->use_login == -1) > options->use_login = 0; > if (options->compression == -1) > @@ -259,7 +262,7 @@ > sPrintMotd, sPrintLastLog, sIgnoreRhosts, > sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost, > sStrictModes, sEmptyPasswd, sKeepAlives, > - sUseLogin, sAllowTcpForwarding, sCompression, > + sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression, > sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups, > sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile, > sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups, 
> @@ -319,6 +322,7 @@ > { "xauthlocation", sXAuthLocation }, > { "strictmodes", sStrictModes }, > { "permitemptypasswords", sEmptyPasswd }, > + { "permituserenvironment", sPermitUserEnvironment }, > { "uselogin", sUseLogin }, > { "compression", sCompression }, > { "keepalive", sKeepAlives }, > @@ -670,6 +674,10 @@ > > case sEmptyPasswd: > intptr = &options->permit_empty_passwd; > + goto parse_flag; > + > + case sPermitUserEnvironment: > + intptr = &options->permit_user_env; > goto parse_flag; > > case sUseLogin: > --- auth-options.c 21 Jul 2002 18:32:20 -0000 1.25 > +++ auth-options.c 24 Jul 2002 16:55:25 -0000 > @@ -133,7 +133,8 @@ > goto next_option; > } > cp = "environment=\""; > - if (strncasecmp(opts, cp, strlen(cp)) == 0) { > + if (options.permit_user_env && > + strncasecmp(opts, cp, strlen(cp)) == 0) { > char *s; > struct envstring *new_envstring; > > --- session.c 22 Jul 2002 11:03:06 -0000 1.145 > +++ session.c 24 Jul 2002 16:55:27 -0000 > @@ -899,7 +899,7 @@ > auth_sock_name); > > /* read $HOME/.ssh/environment. */ > - if (!options.use_login) { > + if (options.permit_user_env && !options.use_login) { > snprintf(buf, sizeof buf, "%.200s/.ssh/environment", > pw->pw_dir); > read_environment_file(&env, &envsize, buf); > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > From carson at taltos.org Fri Jul 26 05:41:27 2002 
From: carson at taltos.org (Carson Gaspar) Date: Thu, 25 Jul 2002 15:41:27 -0400 Subject: [PATCH] prevent users from changing their environment In-Reply-To: References: Message-ID: <55956000.1027611687@[192.168.0.2]> --On Thursday, July 25, 2002 2:16 PM -0500 Ben Lindstrom wrote: > Why are you using a restricted shell that is not statically compiled? That > is asking for trouble. I don't see why we need to apply this to work > around an issue with an incorrect configuration you have decided to use. Just try to build a completely statically linked binary under Solaris. And take a nap or something - you're sounding really grouchy. -- Carson From mouring at etoh.eviladmin.org Fri Jul 26 05:54:01 2002
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Thu, 25 Jul 2002 14:54:01 -0500 (CDT) Subject: [PATCH] prevent users from changing their environment In-Reply-To: <55956000.1027611687@[192.168.0.2]> Message-ID: On Thu, 25 Jul 2002, Carson Gaspar wrote: > > > --On Thursday, July 25, 2002 2:16 PM -0500 Ben Lindstrom > wrote: > > > Why are you using a restricted shell that is not statically compiled? That > > is asking for trouble. I don't see why we need to apply this to work > > around an issue with an incorrect configuration you have decided to use. > > Just try to build a completely statically linked binary under Solaris. > Then it is an OS defect. My point still holds true. Of course this all begs to ask.. "Why do you allow them to muck around in ~/.ssh/ to start with?!" Refer back to the chroot() + sftp/ssh arguments that occur every 3 - 4 months on this list. > And take a nap or something - you're sounding really grouchy. > This should show you that reading into emails is a bad thing. Normally reading me even in person is not even advised. I'm actually in a good mood. I have new hardware to deploy at home for the OpenSSH project. Now, if I could only arrange to pick up my Indy that I traded my SS20 for. I'll be extremely happy. Hopefully this weekend. Otherwise next month. - Ben From kevin at atomicgears.com Fri Jul 26 07:20:46 2002
From: kevin at atomicgears.com (Kevin Steves) Date: Thu, 25 Jul 2002 14:20:46 -0700 Subject: [Patch] Improve portability of regression tests In-Reply-To: <20020723145600.GA23631@folly> References: <3D3D44D3.4070508@skalasoft.com> <20020723145600.GA23631@folly> Message-ID: <20020725212046.GH16664@scott.crlsca.adelphia.net> On Tue, Jul 23, 2002 at 04:56:00PM +0200, Markus Friedl wrote: > yes, you could use > > > > (date;echo $i) | openssl md5 >> ${DATA} if possible i'd rather not rely on openssl/md5/md5sum. and i'd prefer md5 over openssl. but is something like cksum sufficient here? From mjt at tls.msk.ru Fri Jul 26 07:23:11 2002 From: mjt at tls.msk.ru (Michael Tokarev) Date: Fri, 26 Jul 2002 01:23:11 +0400 Subject: [PATCH] prevent users from changing their environment References: Message-ID: <3D406C3F.94816C1E@tls.msk.ru> Ben Lindstrom wrote: > > Why are you using a restricted shell that is not statically compiled? That > is asking for trouble. I don't see why we need to apply this to work > around an issue with an incorrect configuration you have decided to use. Most if not all restricted shells rely on the environment - i.e. $PATH for where to find executables, or something like $ALLOWED_COMMANDS. The shell itself will not allow the environment to be changed, but it will use the variables passed to it (or read from .profile etc.). If a user is allowed to modify the environment before entering the restricted shell, it will not be a restricted shell anymore. That is to say, not only LD_PRELOAD etc. for a dynamically linked shell is in trouble, but any other variables as well. /mjt From kevin at atomicgears.com Fri Jul 26 07:42:04 2002
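Tony's patch gates two sources of user-controlled environment, ~/.ssh/environment and environment= options in authorized_keys, and Michael's reply points out that PATH and similar variables undermine a restricted shell just as LD_PRELOAD does. As an added example (not code from this thread or from OpenSSH), the following audit script parses both files the way sshd reads them (comment lines, quoted options with backslash escapes, case-insensitive option names) and reports variables of either kind; the variable lists, file contents and finding format are constructed for the example.

```python
"""Audit the user-controlled environment sources sshd honours: ~/.ssh/environment
and environment="NAME=value" options in ~/.ssh/authorized_keys.  Added example;
the variable lists and the sample files below are constructed for illustration."""

# Loader variables (LD_PRELOAD and friends) plus variables a restricted
# shell itself consults, such as PATH.
RISKY_PREFIXES = ("LD_", "DYLD_", "LIBPATH", "SHLIB_PATH")
RISKY_NAMES = {"PATH", "IFS", "ENV", "BASH_ENV", "SHELL", "HOME"}
KEY_TYPES = ("ssh-rsa", "ssh-dss")  # a key line starting with these has no options


def risky(name):
    """True if NAME is one of the variables worth flagging."""
    upper = name.upper()
    return upper.startswith(RISKY_PREFIXES) or upper in RISKY_NAMES


def split_options(line):
    """Split the leading options field of an authorized_keys line into single
    options: commas inside double quotes do not separate options, a backslash
    escapes the next character inside quotes, and the quotes themselves are
    dropped.  Returns (options, remainder); a line whose first field is a key
    type or a protocol-1 bit count has no options field and yields []."""
    stripped = line.lstrip()
    first = stripped.split(None, 1)[0] if stripped else ""
    if not first or first in KEY_TYPES or first[0].isdigit():
        return [], stripped
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(stripped):
        ch = stripped[i]
        if in_quote and ch == "\\" and i + 1 < len(stripped):
            cur.append(stripped[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            opts.append("".join(cur))
            cur = []
        elif ch in " \t" and not in_quote:
            break  # unquoted whitespace ends the options field
        else:
            cur.append(ch)
        i += 1
    opts.append("".join(cur))
    return opts, stripped[i:].lstrip()


def environment_options(line):
    """(NAME, value) pairs from environment= options on one authorized_keys
    line; the option name matches case-insensitively, as sshd's strncasecmp does."""
    pairs = []
    for opt in split_options(line)[0]:
        if opt.lower().startswith("environment="):
            name, sep, value = opt[len("environment="):].partition("=")
            if sep and name:
                pairs.append((name, value))
    return pairs


def environment_file_entries(text):
    """(line_number, NAME, value) from ~/.ssh/environment text; blank lines,
    '#' comments and lines without '=' are skipped, as sshd skips them."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            name, _, value = line.partition("=")
            entries.append((lineno, name.strip(), value))
    return entries


def audit(environment_text, authorized_keys_text):
    """Findings as (source, line_number, NAME, value) for every risky variable
    that either file would inject into the user's session."""
    findings = []
    for lineno, name, value in environment_file_entries(environment_text):
        if risky(name):
            findings.append(("environment", lineno, name, value))
    for lineno, line in enumerate(authorized_keys_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        for name, value in environment_options(line):
            if risky(name):
                findings.append(("authorized_keys", lineno, name, value))
    return findings


# Constructed sample files (not taken from any real host).
SAMPLE_ENVIRONMENT = """# ~/.ssh/environment
TERM=vt100
LD_PRELOAD=/home/u/lib/hook.so
PATH=/home/u/bin:/usr/bin
"""
SAMPLE_AUTHORIZED_KEYS = """# keys for a menu-shell account
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0000 alice@example
environment="LD_LIBRARY_PATH=/home/u/lib",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAJ0000 bob@example
command="/usr/local/bin/menu",Environment="LANG=C",environment="MOTD=say \\"hi\\", then quit" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1111 carol@example
1024 35 1234567890 dave@example
"""

if __name__ == "__main__":
    for source, lineno, name, value in audit(SAMPLE_ENVIRONMENT, SAMPLE_AUTHORIZED_KEYS):
        print(f"{source}:{lineno}: {name}={value}")
```

Run against copies of the per-user files on a host where PermitUserEnvironment cannot yet be switched off; an empty result is what a locked-down account should produce.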
From: kevin at atomicgears.com (Kevin Steves) Date: Thu, 25 Jul 2002 14:42:04 -0700 Subject: AIX and ADMCHG In-Reply-To: References: Message-ID: <20020725214204.GI16664@scott.crlsca.adelphia.net> On Tue, Jul 23, 2002 at 10:57:07PM -0500, Ben Lindstrom wrote: > > For AIX, does the server use getuserpw() to check the ADMCHG flag > > before deciding to send back a SSH_MSG_USERAUTH_PASSWD_CHANGEREQ or > > not? After the initial exchange, on AIX, it'll need to run a newpass() with > > perhaps a getuserattr() for a more complete explanation of the rules > > should the password be too weak, before sending the > > SSH_MSG_USERAUTH_PASSWD_CHANGEREQ again...until finally accepting the pass > > with a SSH_MSG_USERAUTH_SUCCESS. > > Right now *NOTHING* is checked. Not for bsd_auth, not for pam, not for > aix, or not for /etc/shadow. =) This is referring to password strength checking? > > Some of this may need to run in the PrivSep process. I'm assuming the > > PAM support code does something along the same lines... > > > > Sorry, just some random thoughts - haven't actually looked at the > > source. But ADMCHG was on my list of things to fix since we did the > > failedlogincount in #145 (btw, Darren, thanks for following up and > > integrating it into the source ;), but never got around to it. > > > > If we're missing this for AIX, I think we should welcome Kevin's patch > > ;) > > I can also start looking at this once I get comfortable with the AIX box > that has been loaned to me. > > However, I don't believe Kevin's patch uses ssh2 password change protocol > (not sure I have not seen in a few months). Whatever we do should use > that feature of the protocol since it allows us better security. I'm not sure if this refers to me, but which patch is this? > Which brings up a question on should we support password change for v1? > I'm inclined to say no. At least handle v2 protocol first. We should support Protocol 1 for password change. 
PAM users should look at current auth-pam.c which has solar's efforts in this area. I think we can re-enable password change for PAM now, but there are some other things I need to check. From gregw at packetstorm.com Fri Jul 26 07:45:38 2002 
From: gregw at packetstorm.com (Gregory Wright) Date: 25 Jul 2002 17:45:38 -0400 Subject: scp hangs Message-ID: <1027619555.1585.27.camel@henwife> Hello, When running scp (from openssh-3.4p1) on our linux systems we are experiencing hangs after authentication. According to the debug messages, authentication succeeds but the file itself is not transferred. Openssh is built using OpenSSL 0.9.6d. The command scp foo 192.168.1.111:/tmp will hang until the connection times out. Below are the client and server side logs. An strace of the client and server sides (using -f to follow the child process) shows that both are stuck in select() with NULL timeout. So they will both wait forever until they receive some input. Using ssh to log in interactively works fine. The problem is shown below using password authentication, but it also happens using RSA authentication. We have a system with identical hardware and the same ssh installation (Openssh-3.4p1 + OpenSSL 0.9.6d) that does show the problem only sporadically. On the system that generated the logs below, scp always fails. The one peculiarity of our system is that /var is on a separate partition which is reformatted on boot. A skeleton /var filesystem is copied into the new /var. This is because these systems are designed for unattended kiosks, where the only service intervention is to cycle the power. I have no idea if this is relevant or not, but it is a peculiarity. Our linux kernel is 2.4.17 and the glibc is 2.2.5. The system is built from a Linux from Scratch "distribution". I would appreciate knowing if anyone has seen something like this before and how it might be worked around. Thanks! Best Wishes, Greg Wright The portion of the client strace log that shows the trouble is below. (I can provide the rest if it helps.) 
[pid 1438] close(4) = 0 [pid 1438] dup(0) = 4 [pid 1438] dup(1) = 5 [pid 1438] dup(2) = 6 [pid 1438] ioctl(4, TCGETS, 0xbffff604) = -1 EINVAL (Invalid argument) [pid 1438] fcntl(4, F_GETFL) = 0 (flags O_RDONLY) [pid 1438] fcntl(4, F_SETFL, O_RDONLY|O_NONBLOCK) = 0 [pid 1438] ioctl(5, TCGETS, 0xbffff604) = -1 EINVAL (Invalid argument) [pid 1438] fcntl(5, F_GETFL) = 0x1 (flags O_WRONLY) [pid 1438] fcntl(5, F_SETFL, O_WRONLY|O_NONBLOCK) = 0 [pid 1438] ioctl(6, TCGETS, {B38400 opost isig icanon echo ...}) = 0 [pid 1438] gettimeofday({1027615805, 895450}, NULL) = 0 [pid 1438] rt_sigaction(SIGINT, {0x80538a4, [], SA_RESTART|0x4000000}, {SIG_DFL}, 8) = 0 [pid 1438] rt_sigaction(SIGQUIT, {0x80538a4, [], SA_RESTART|0x4000000}, {SIG_DFL}, 8) = 0 [pid 1438] rt_sigaction(SIGTERM, {0x80538a4, [], SA_RESTART|0x4000000}, {SIG_DFL}, 8) = 0 [pid 1438] select(7, [3], [3], NULL, NULL) = 1 (out [3]) [pid 1438] write(3, "\234\231\277\177\16\315\317\207m\306\3522F\203<\275w\326"..., 64) = 64 [pid 1438] select(7, [3], [], NULL, NULL) = 1 (in [3]) [pid 1438] read(3, "\353\246&.\207\10\276\333K\203\325\267N\207\247\266\212"..., 8192) = 48 [pid 1438] getsockname(3, {sin_family=AF_INET, sin_port=htons(2019), sin_addr=inet_addr("192.168.1.5")}}, [16]) = 0 [pid 1438] setsockopt(3, SOL_IP, IP_TOS, [8], 4) = 0 [pid 1438] select(7, [3], [3], NULL, NULL) = 1 (out [3]) [pid 1438] write(3, "\v{fu\371\332O\370\376O\6)\226\362\303\32I\216\32Z\t\303"..., 64) = 64 [pid 1438] select(7, [3], [], NULL, NULL ...and there it stops. The client side log: h> scp -v foo 192.168.1.111:/tmp Executing: program /usr/bin/ssh host 192.168.1.111, user (unspecified), command scp -v -t /tmp OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f debug1: Reading configuration data /etc/ssh/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to 192.168.1.111 [192.168.1.111] port 22. debug1: Connection established. 
debug1: identity file /root/.ssh/identity type 0 debug1: identity file /root/.ssh/id_rsa type 1 debug1: identity file /root/.ssh/id_dsa type 2 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1 debug1: match: OpenSSH_3.4p1 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.4p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-cbc hmac-md5 none debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 116/256 debug1: bits set: 1561/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host '192.168.1.111' is known and matches the RSA host key. debug1: Found key in /root/.ssh/known_hosts:41 debug1: bits set: 1556/3191 debug1: ssh_rsa_verify: signature correct debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: done: ssh_kex2. 
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: userauth_pubkey_agent: testing agent key /root/.ssh/id_rsa
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: userauth_pubkey_agent: testing agent key /root/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: try pubkey: /root/.ssh/id_rsa
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: try pubkey: /root/.ssh/id_dsa
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is password
root at 192.168.1.111's password:
debug1: ssh-userauth2 successful: method password
debug1: fd 4 setting O_NONBLOCK
debug1: fd 5 setting O_NONBLOCK
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: ssh_session2_setup: id 0
debug1: Sending command: scp -v -t /tmp
debug1: channel request 0: exec
debug1: channel 0: open confirm rwindow 0 rmax 32768

The server side log:

debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.1.5 port 1743
debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1
debug1: match: OpenSSH_3.4p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.4p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 121/256
debug1: bits set: 1598/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1618/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user root service ssh-connection method none
debug1: attempt 0 failures 0
Failed none for root from 192.168.1.5 port 1743 ssh2
Failed none for root from 192.168.1.5 port 1743 ssh2
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 1 failures 1
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: trying public key file /root/.ssh/authorized_keys2
debug1: restore_uid
Failed publickey for root from 192.168.1.5 port 1743 ssh2
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 2 failures 2
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: trying public key file /root/.ssh/authorized_keys2
debug1: restore_uid
Failed publickey for root from 192.168.1.5 port 1743 ssh2
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 3 failures 3
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: trying public key file /root/.ssh/authorized_keys2
debug1: restore_uid
Failed publickey for root from 192.168.1.5 port 1743 ssh2
debug1: userauth-request for user root service ssh-connection method publickey
debug1: attempt 4 failures 4
debug1: test whether pkalg/pkblob are acceptable
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: trying public key file /root/.ssh/authorized_keys
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: trying public key file /root/.ssh/authorized_keys2
debug1: restore_uid
Failed publickey for root from 192.168.1.5 port 1743 ssh2
debug1: userauth-request for user root service ssh-connection method keyboard-interactive
debug1: attempt 5 failures 5
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=root devs=
debug1: kbdint_alloc: devices ''
Failed keyboard-interactive for root from 192.168.1.5 port 1743 ssh2
debug1: userauth-request for user root service ssh-connection method password
debug1: attempt 6 failures 6
Accepted password for root from 192.168.1.5 port 1743 ssh2
debug1: monitor_child_preauth: root has been authenticated by privileged process
Accepted password for root from 192.168.1.5 port 1743 ssh2
debug1: newkeys: mode 0
debug1: newkeys: mode 1
debug1: Entering interactive session for SSH2.
debug1: fd 3 setting O_NONBLOCK
debug1: fd 7 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 131072 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
Read error from remote host: Connection timed out
debug1: Calling cleanup 0x8060534(0x0)
debug1: channel_free: channel 0: server-session, nchannels 1
debug1: Calling cleanup 0x806c570(0x0)
-- Gregory Wright Chief Technical Officer PacketStorm Communications, Inc. 20 Meridian Road Eatontown, New Jersey 07724 1 732 544-2434 ext. 206 1 732 544-2437 [fax] gwright at packetstorm.com
From cmadams at hiwaay.net Fri Jul 26 08:35:11 2002
From: cmadams at hiwaay.net (Chris Adams) Date: Thu, 25 Jul 2002 17:35:11 -0500 Subject: [Bug 371] New: OpenSSH fails to build on Alpha True64 in cipher.c In-Reply-To: <15680.13602.611201.31235@darkwing.uoregon.edu>; from stevev@darkwing.uoregon.edu on Thu, Jul 25, 2002 at 10:28:02AM -0700 References: <20020725140607.33DC1E922@shitei.mindrot.org> <15680.13602.611201.31235@darkwing.uoregon.edu> Message-ID: <20020725173511.I33911@hiwaay.net> Once upon a time, Steve VanDevender said: > Dump the "-std1" in your CFLAGS, and it should build. -std1 invokes a > somewhat overly picky ANSI C mode. I configured OpenSSH 3.4p1 under > Digital UNIX 4.0g with > > CC="cc -I/usr/local/include -L/usr/shlib -L/usr/local/lib \ > -D_SOCKADDR_LEN" CFLAGS="-fast" ./configure --sysconfdir=/etc/ssh \ > --with-tcp-wrappers --with-prngd-socket=/var/run/entropy \ > --with-default-path=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin With OpenSSL 0.9.6c/OpenSSH 3.4p1, I used CC="cc -I/usr/local/include" and CFLAGS="-O -ieee -std1 -arch generic -tune ev67" and it worked fine. I haven't yet had a chance to look at the OpenSSH snapshot (I know, Tru64/privsep needs testing/work). -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From kevin at atomicgears.com Fri Jul 26 08:36:14 2002 
From: kevin at atomicgears.com (Kevin Steves) Date: Thu, 25 Jul 2002 15:36:14 -0700 Subject: HP-UX works or (Re: Testing Call) In-Reply-To: <00b601c22f73$b5ff09d0$9b78a8c0@oedserver> References: <00b601c22f73$b5ff09d0$9b78a8c0@oedserver> Message-ID: <20020725223614.GK16664@scott.crlsca.adelphia.net> On Fri, Jul 19, 2002 at 03:28:43PM -0700, Darren Cole wrote: > The better solution might be to quit using login altogether, and move > all necessary work into the ssh (set clearance, drop privilege, audit, note > login in the right files, check roles, etc). But then the UseLogin option > wont work on HP-UX 10.26. Figured this would at least give some record of > openssh on HP-UX 10.26 issues. That is the best way to support the CMW/trusted features. We were running 1.2.X with Chris Dalton's multi-level SSH work on HP's SWP/VVOS/VirtualVault platform from 1998. HP now supports OpenSSH on that platform, though it appears they may use UseLogin=yes. From dot at dotat.at Fri Jul 26 11:31:09 2002 
From: dot at dotat.at (Tony Finch) Date: Fri, 26 Jul 2002 02:31:09 +0100 Subject: [PATCH] prevent users from changing their environment In-Reply-To: ; from mouring@etoh.eviladmin.org on Thu, Jul 25, 2002 at 02:16:10PM -0500 References: <20020725191629.A8677@chiark.greenend.org.uk> Message-ID: <20020726023109.A8224@chiark.greenend.org.uk>
On Thu, Jul 25, 2002 at 02:16:10PM -0500, Ben Lindstrom wrote:
>
> Why are you using a restricted shell that is not statically compiled?
The ABI for Solaris is dynamic only. Only binaries in /sbin are statically linked, and only Sun compile them, and they are not used as login shells.
$ uname -a
SunOS prism.csi.cam.ac.uk 5.6 Generic_105181-31 sun4u sparc SUNW,Ultra-1
$ ldd /bin/sh
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
/usr/platform/SUNW,Ultra-1/lib/libc_psr.so.1
$ ldd /usr/bin/ksh
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libc.so.1 => /usr/lib/libc.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Ultra-1/lib/libc_psr.so.1
In my case the shell is a menu system rather than a shell.
Tony. -- f.a.n.finch http://dotat.at/ NORTH FITZROY SOLE: WEST OR SOUTHWEST 3 OR 4. DRIZZLE. MODERATE OR POOR.
From dot at dotat.at Fri Jul 26 11:59:32 2002
From: dot at dotat.at (Tony Finch) Date: Fri, 26 Jul 2002 02:59:32 +0100 Subject: [PATCH] prevent users from changing their environment In-Reply-To: References: <55956000.1027611687@[192.168.0.2]> Message-ID:
Ben Lindstrom wrote:
>On Thu, 25 Jul 2002, Carson Gaspar wrote:
>>
>> Just try to build a completely statically linked binary under Solaris.
>
>Then it is an OS defect. My point still holds true.
It is a feature -- Solaris has an impressive amount of binary compatibility.
>Of course this all begs to ask.. "Why do you allow them to muck around in
>~/.ssh/ to start with?!" Refer back to the chroot() + sftp/ssh arguments
>that occur every 3 - 4 months on this list.
In our situation chroot isn't a solution. Users are allowed to upload and download any files they want -- usually mailboxes, since this is a mail server, but that implies that we can't restrict things at that point. Secondly, they are allowed to put things in ~/.ssh so that they can use public key authentication. The two combined mean that even if the chroot were initially restricted, it could be exploited and turned into a warez distribution point etc.
We have been using a patch like this for several years, and since I think it would be helpful in environments other than ours, and since I believe in contributing improvements to software that I use, I thought you -- or your users -- might like to benefit from my work.
Tony. -- f.a.n.finch http://dotat.at/ LUNDY FASTNET IRISH SEA SHANNON: WEST OR SOUTHWEST 3 OR 4, OCCASIONALLY 5. OCCASIONAL DRIZZLE. MODERATE OR GOOD, OCCASIONALLY POOR.
From bob at proulx.com Fri Jul 26 13:29:02 2002
From: bob at proulx.com (Bob Proulx) Date: Thu, 25 Jul 2002 21:29:02 -0600 Subject: [PATCH] prevent users from changing their environment In-Reply-To: References: <55956000.1027611687@[192.168.0.2]> Message-ID: <20020726032902.GA25232@misery.proulx.com>
> In our situation chroot isn't a solution. Users are allowed to upload
> and download any files they want -- usually mailboxes, since this is
> a mail server, but that implies that we can't restrict things at that
> point. Secondly, they are allowed to put things in ~/.ssh so that they
> can use public key authentication. The two combined mean that even if
> the chroot were initially restricted, it could be exploited and turned
> into a warez distribution point etc.
I myself would set up something like that differently. I might allow them unrestricted upload but I would use filesystem permissions to keep them from accessing ~/.ssh/ (and other files) so as to protect anyone from being able to get out of the box they were placed in. To allow them to be able to place keys into the authorized_keys file I would create a cgi interface on a web page. I would scan the uploaded key for trojans before having the program place it into the final location of the authorized_keys file. This way users would be able to add/modify keys and upload/download files but are otherwise prevented from elevating that to any other privileges on the machine. Many will be thinking of Sourceforge which does something similar. But your case need not be as extensive as Sourceforge and a simple cgi should suffice.
> We have been using a patch like this for several years, and since I
> think it would be helpful in environments other than ours, and since
> I believe in contributing improvements to software that I use, I
> thought you -- or your users -- might like to benefit from my work.
Hmm... Please don't take this harshly but as a consumer of this I dislike your proposed design on philosophical grounds. It seems the wrong way to try to add security in the way you are proposing it. It is like pushing a string. It is at the wrong end.
Bob
From request at verba-volant.net Fri Jul 26 18:33:56 2002
From: request at verba-volant.net (request at verba-volant.net) Date: Fri, 26 Jul 2002 18:33:56 +1000 (EST) Subject: Verba Volant Message-ID: <20020726083356.DA264E902@shitei.mindrot.org>
26-JUL-02 We have been requested to insert the following email address, "openssh-unix-dev at mindrot.org", in the Verba Volant Newsletter database. Through this daily service you will receive a quotation, selected from amongst the most celebrated philosophers, writers and poets of all time and translated into many languages and dialects by volunteers worldwide. If you would like to confirm your subscription to Verba Volant, please click on the following link: http://www.verba-volant.net/pls/vvolant/subscribe?lang=en&email=openssh-unix-dev at mindrot.org If you do not wish to click on the link, your subscription will be cancelled. Thank you for your time. Verba Volant
26-JUL-02 (French version, translated) We have been asked to add the e-mail address "openssh-unix-dev at mindrot.org" to the recipient list of Verba Volant, a service that every day will send you a quotation selected from the works of the best philosophers, writers and poets of all time and translated into a great many languages thanks to volunteers from around the world. To confirm your subscription to Verba Volant, please follow this link: http://www.verba-volant.net/pls/vvolant/subscribe?lang=fr&email=openssh-unix-dev at mindrot.org If you prefer not to click on the link, you will receive nothing. Thank you in any case for sparing us a few seconds. Verba Volant
26-JUL-02 (Spanish version, translated) We have been asked to insert the e-mail address "openssh-unix-dev at mindrot.org" in the Verba Volant mailing list, a service that will send you daily quotations chosen from the best philosophers, writers, poets, etc., translated into several languages and dialects. These quotations are translated by volunteers who connect to our website from all over the world. If you want to confirm your subscription to Verba Volant, please go to: http://www.verba-volant.net/pls/vvolant/subscribe?lang=es&email=openssh-unix-dev at mindrot.org If you do not go to the address indicated, you will not receive the quotations. Many thanks for the time you have given us. Verba Volant
26-JUL-02 (Italian version, translated) We have been asked to insert the e-mail address "openssh-unix-dev at mindrot.org" in the recipient list of Verba Volant, a service that every day will send you a quotation chosen from those of the best philosophers, writers and poets of all time and translated into a great many languages and dialects thanks to the collaboration of volunteers from all over the world. If you wish to confirm your subscription, please connect to the following link: http://www.verba-volant.net/pls/vvolant/subscribe?lang=it&email=openssh-unix-dev at mindrot.org If you prefer not to click on the link, you will receive nothing. Thank you anyway for the seconds you have given us. Kind regards.
From dot at dotat.at Fri Jul 26 19:34:49 2002
From: dot at dotat.at (Tony Finch) Date: Fri, 26 Jul 2002 10:34:49 +0100 Subject: [PATCH] prevent users from changing their environment In-Reply-To: <20020726032902.GA25232@misery.proulx.com> References: <55956000.1027611687@[192.168.0.2]> Message-ID: bob at proulx.com (Bob Proulx) wrote: > >Hmm... Please don't take this harshly but as a consumer of this I >dislike your proposed design on philosophical grounds. It seems wrong >way to try to add security in the way you are proposing it. It is >like pushing a string. It is at the wrong end. This is like the old joke where you ask a yokel the way to your destination and he replies, "Well, I wouldn't start from here." I don't have any choice about where I'm starting from because this is what the system has evolved into after nine years, and it has tens of thousands of users of inertia -- many of them still use unencrypted telnet, POP, and IMAP. I've just started work here and I'm trying to reduce the number of patches we have to maintain locally. This kind of security problem has been well-known since the LD_PRELOAD telnetd vulnerability of 1995. Of course in the sshd case it's only a local shell-escape exploit rather than a remote root exploit, but it's still a big pain for people trying to set up black-box systems. Without this patch, sshd would be a weak point in the security of our system. Tony. -- f.a.n.finch http://dotat.at/ FISHER: WESTERLY 4 OR 5, DECREASING 3 LATER. RAIN DYING OUT. GOOD OCCASIONALLY MODERATE. From kumareshind at gmx.net Fri Jul 26 20:54:07 2002 
From: kumareshind at gmx.net (kumar) Date: Fri, 26 Jul 2002 16:24:07 +0530 Subject: Kerberos V help References: Message-ID: <008d01c23492$c7345380$390110ac@kovaiteam>
Hello All,
I am using Kerberos-V on my machine (HP-UX version 11.11) and I successfully installed it. When I run the setup service
# /opt/krb5/sbin/krb5setup
options entered:
----------------
1) Configure as a Primary Security Server
2) Default Security mechanism DES-MD5
3) Do you want to stash the principal database key on your local disk (y/n)? [y] : n
4) Secondary security server - q (skipped)
6) Realm name : TESTDOMAIN.COM
/opt/krb5/krb.conf moved to /opt/krb5/krb.conf.keep
/opt/krb5/krb.realms moved to /opt/krb5/krb.realms.keep
/opt/krb5/kpropd.ini moved to /opt/krb5/kpropd.ini.keep
Creating krb.conf and krb.realms files
Copying admin_acl_file and password.policy file onto KRB5_ROOT dir
You will be prompted for the database Master Password. It is important that you DO NOT FORGET this password.
Enter Password:
Re-enter Password:
kerberos_config[64]: 3664 Abort(coredump)
ERROR: Unable to create the database.
Press 'Enter' Key to go back to the main menu...
Also when I run kadmin
# ./kadmin
Enter password: ******
The error is:
-------------
/usr/lib/dld.sl: Unresolved symbol: dce_g_ipv6_enabled (data) from /usr/lib/libd4r.1
/usr/lib/dld.sl: Unresolved module for symbol: getservbyname_r (code) from /opt/krb5/lib/libk5.sl
Abort(coredump)
Suggestions to fix the problem are most welcome, and thanks in advance for your help.
regards Kumaresh. kumaresh_ind at gmx.net kumareshind at gmx.net
From dmeranda at iac.net Fri Jul 26 21:04:30 2002
From: dmeranda at iac.net (Deron Meranda) Date: Fri, 26 Jul 2002 07:04:30 -0400 (EDT) Subject: HP-UX 11 Corrupted MAC errors Message-ID: <200207261104.g6QB4UVa067186@iac.net>
Using 3.4p1 under HP-UX 11.0 I am repeatedly getting disconnected with Corrupted MAC on input. I am connecting from a RedHat Linux client (at 3.1p1).
The incorrect MAC is appearing on the server packet receive side. Never get an invalid MAC on the client side. I'm currently diving into packet.c to try to find this, but the behavior is so strange and predictable I thought I'd see if anybody else has ever seen this.
The strange thing is that the MAC error always occurs when starting an X application (emacs) using X forwarding, sometime between the X authentication check and when the window gets mapped (because it never appears). I don't get corrupted MAC errors anyplace else. I've even forwarded other TCP ports through the ssh session and they cause no corrupt MACs either...only X sessions. This happens with about 75% regularity. In those cases where it successfully gets the window mapped that channel never has problems no matter how long I use it. But each additional X forwarding channel I open has about a 75% chance of a corrupt MAC during or around the X authentication phase.
Enabling or disabling compression has no effect.
Choice of hmac-md5 or hmac-sha1 has no effect.
Choice of cipher aes128-cbc or 3des-cbc has no effect.
I have linked against several OpenSSL versions
0.9.6d - hp-parisc (optimized for PA-RISC 1.1, no assembly)
0.9.6d - hp-parisc2 (optimized for PA-RISC 2.0 with assembly)
0.9.7beta2 - hp-parisc2
All OpenSSL's pass their tests. I'm also using these same OpenSSL libraries in Apache/mod_ssl and have not seen any errors there yet.
Any obvious thoughts before I spend a lot of time tracing through the packet and crypto code? The obvious first question to answer; is this OpenSSL or OpenSSH...I just don't know yet, but I suspect the latter.
Deron Meranda From bugzilla-daemon at mindrot.org Sat Jul 27 01:04:34 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 27 Jul 2002 01:04:34 +1000 (EST) Subject: [Bug 335] OpenSSL headers do not match your library Message-ID: <20020726150434.97679E881@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=335 kzembower at jhuccp.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|INVALID | ------- Additional Comments From kzembower at jhuccp.org 2002-07-27 01:04 ------- Get this error running ./configure on openssh-3.4p1: checking whether OpenSSL's headers match the library... no configure: error: Your OpenSSL headers do not match your library Installed openssl-0.9.6d and openssl-engine-0.9.6d to try to correct this error, but still got the same result. Didn't see the resolution, even though the bug is marked "resolved". Sorry if I missed it; please point it out to me. Thanks for your work on this problem -Kevin Zembower kzembower at jhuccp.org ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Sat Jul 27 02:01:04 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 27 Jul 2002 02:01:04 +1000 (EST) Subject: [Bug 335] OpenSSL headers do not match your library Message-ID: <20020726160104.2D327E91B@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=335 ------- Additional Comments From dtucker at zip.com.au 2002-07-27 02:01 ------- It's normally an openssl installation problem. Check your config.log. Then check your system for multiple libcrypto.a's, libcrypto.so's and/or opensslv.h's. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From kevin at atomicgears.com Sat Jul 27 02:11:24 2002 
From: kevin at atomicgears.com (Kevin Steves) Date: Fri, 26 Jul 2002 09:11:24 -0700 Subject: Kerberos V help In-Reply-To: <008d01c23492$c7345380$390110ac@kovaiteam> References: <008d01c23492$c7345380$390110ac@kovaiteam> Message-ID: <20020726161124.GB24103@scott.crlsca.adelphia.net>
On Fri, Jul 26, 2002 at 04:24:07PM +0530, kumar wrote:
> kerberos_config[64]: 3664 Abort(coredump)
> ERROR: Unable to create the database.
> Press 'Enter' Key to go back to the main menu...
>
> Also when i run kadmin
> # ./kadmin
> Enter password: ******
> The error is :
> -------------
> /usr/lib/dld.sl: Unresolved symbol: dce_g_ipv6_enabled (data) from
> /usr/lib/libd4r.1
> /usr/lib/dld.sl: Unresolved module for symbol: getservbyname_r (code) from
> /opt/krb5/lib/libk5.sl
> Abort(coredump)
it looks like a version/library/patch incompatibility issue. there has been at least one recent patch (add getaddrinfo()) that assumed ipv6 was installed. suggest you call HP support.
From kevin at atomicgears.com Sat Jul 27 02:23:19 2002
From: kevin at atomicgears.com (Kevin Steves) Date: Fri, 26 Jul 2002 09:23:19 -0700 Subject: HP-UX 11 Corrupted MAC errors In-Reply-To: <200207261104.g6QB4UVa067186@iac.net> References: <200207261104.g6QB4UVa067186@iac.net> Message-ID: <20020726162319.GC24103@scott.crlsca.adelphia.net> On Fri, Jul 26, 2002 at 07:04:30AM -0400, Deron Meranda wrote: > Using 3.4p1 under HP-UX 11.0 I am repeatedly getting disconnected with > Corrupted MAC on input. I am connecting from a RedHat Linux client > (at 3.1p1). > > The incorrect MAC is appearing on the server packet receive side. > Never get an invalid MAC on the client side. I'm currently diving > into packet.c to try to find this, but the behavior is so strange and > predictable I thought I'd see if anybody else has ever seen this. i would look into the client side as well. the sender could be sending an invalid MAC. can you dup with HP->HP? > The strange thing is that the MAC error always occurs when starting an > X application (emacs) using X forwarding, sometime between the X > authentication check and when the window gets mapped (because it never > appears). I don't get corrupted MAC errors anyplace else. I've even > forwarded other TCP ports through the ssh session and they cause no > corrupt MACs either...only X sessions. This happens with about 75% > regularity..in those cases where it successfully gets the window > mapped that channel never has problems no matter how long I use it. > But each additional X forwarding channel I open has about a 75% chance > of a corrupt MAC during or around the X authentication phase. hmm, strange. > Enabling or disabling compression has no effect. > Choice of hmac-md5 or hmac-sha1 has no effect. > Choice of cipher aes128-cbc or 3des-cbc has no effect. 
> > I have linked against several OpenSSL versions > 0.9.6d - hp-parisc (optimized for PA-RISC 1.1, no assembly) > 0.9.6d - hp-parisc2 (optimized for PA-RISC 2.0 with assembly) > 0.9.7beta2 - hp-parisc2 i use 0.9.6d with "hpux-parisc1_1-cc" with no problems on 11.11. > All OpenSSL's pass their tests. I'm also using these same OpenSSL > libraries in Apache/mod_ssl and have not seen any errors there yet. > > Any obvious thoughts before I spend a lot of time tracing through the > packet and crypto code? The obvious first question to answer; is this > OpenSSL or OpenSSH...I just don't know yet, but I suspect the later. From mgrennan at hertz.com Sat Jul 27 05:31:23 2002 
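Kevin's point that the sender may be the one producing the bad value follows from how the check works. As an added example that is not from the thread or from OpenSSH's packet.c, the following Python models the SSH2 transport MAC as the protocol defines it, an HMAC over the 32-bit packet sequence number followed by the unencrypted packet, and shows the conditions under which the receiver's comparison fails: a byte changed in transit, integrity keys the two sides derived differently, and a sequence-number desync, which produces the error even when every byte arrived intact. The key, payload and padding are constructed for the demo.

```python
"""What 'Corrupted MAC on input' means: the receiver recomputes the SSH2
transport MAC and compares it with the one that arrived. Added example,
not code from OpenSSH's packet.c; it follows the SSH transport protocol
definition: mac = MAC(key, uint32 sequence_number || unencrypted_packet)."""
import hashlib
import hmac
import struct

# Algorithms named in the thread: (digest, key length in bytes).
MAC_ALGS = {"hmac-md5": (hashlib.md5, 16), "hmac-sha1": (hashlib.sha1, 20)}


def build_packet(payload, block_size=16):
    """Frame a payload as an unencrypted binary packet.

    Layout: uint32 packet_length, byte padding_length, payload, padding.
    The total must be a multiple of the cipher block size (16 for AES),
    with at least 4 bytes of padding. Padding is zero here so the demo
    is reproducible; a real implementation uses random bytes.
    """
    padlen = block_size - (5 + len(payload)) % block_size
    if padlen < 4:
        padlen += block_size
    return struct.pack(">IB", 1 + len(payload) + padlen, padlen) + payload + b"\x00" * padlen


def compute_mac(alg, key, seqno, packet):
    """MAC over the 32-bit sequence number followed by the plaintext packet.

    The sequence number is never sent; each side counts packets itself
    (wrapping at 2**32), so a receiver that is one packet out of step
    gets a different MAC even when the bytes on the wire are intact.
    """
    digest, keylen = MAC_ALGS[alg]
    return hmac.new(key[:keylen], struct.pack(">I", seqno & 0xFFFFFFFF) + packet, digest).digest()


def verify_mac(alg, key, seqno, packet, received_mac):
    """Receiver-side check; a False here is where sshd disconnects."""
    return hmac.compare_digest(compute_mac(alg, key, seqno, packet), received_mac)


def demo(alg="hmac-md5"):
    """Return which failure modes the check catches on a constructed packet."""
    key = b"\x01" * 32                                     # constructed integrity key
    packet = build_packet(b"\x5aSSH_MSG_CHANNEL_OPEN demo")  # constructed payload
    mac = compute_mac(alg, key, 7, packet)                 # sender: packet number 7
    flipped = bytearray(packet)
    flipped[9] ^= 0x01                                     # one payload bit changed in transit
    return {
        "intact": verify_mac(alg, key, 7, packet, mac),
        "flipped_byte": verify_mac(alg, key, 7, bytes(flipped), mac),
        "seqno_off_by_one": verify_mac(alg, key, 8, packet, mac),
        "different_key": verify_mac(alg, b"\x02" + key[1:], 7, packet, mac),
        "wrong_alg": verify_mac("hmac-sha1", key, 7, packet, mac),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-18s %s" % (name, "MAC ok" if ok else "Corrupted MAC on input"))
```

The comparison is constant-time; the interesting case for a bug hunt is `seqno_off_by_one`, because it fails with no corruption on the wire at all, which is what a lost or double-counted packet on one side would look like.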
From: mgrennan at hertz.com (Mark Grennan) Date: 26 Jul 2002 14:31:23 -0500 Subject: AIX issues Message-ID: <1027711883.22720.84.camel@dcs1185>
Hello everyone,
I have been given the task of working out a number of issues with OpenSSH for my company (Hertz).
I have been following the mailing list for several days now and I'm beginning to compile a list of who is working on what. To make my task faster, it would be nice if the people working on the following issues would drop me an email before I start to rewrite their code and get it wrong. :-)
I am dealing with AIX 4.3.3, AIX 5.x, and OpenSSH 2.5.1p1 and 2.9.9p2. I'm sure some of these issues have been fixed.
The issues are:
1. Allows login even though the password has expired either from age or after being reset by a security analyst.
2. Doesn't update AIX's "failed login count", consequently the ID is not locked after 5 invalid login attempts.
3. Doesn't record the failed login in AIX's failedlogin log.
4. Doesn't post logged in users to the wtmp file causing it to appear as if no one is logged in.
5. Corrupts the file that stores the last login date for users making it impossible to lock or remove accounts for inactivity.
6. Doesn't honor the /etc/ftpusers to restrict sftp access. Any users can use ftp through SSH.
7. Syslog entries for SSH login don't differentiate between SSH, SFTP, or other tunneled logins.
8. OpenSSH doesn't show user logouts in syslog like F-Secure does.
My first step is to move both environments to 3.4p1 and retest.
From gert at greenie.muc.de Sat Jul 27 06:02:53 2002
From: gert at greenie.muc.de (Gert Doering) Date: Fri, 26 Jul 2002 22:02:53 +0200 Subject: AIX issues In-Reply-To: <1027711883.22720.84.camel@dcs1185>; from mgrennan@hertz.com on Fri, Jul 26, 2002 at 02:31:23PM -0500 References: <1027711883.22720.84.camel@dcs1185> Message-ID: <20020726220253.C3778@greenie.muc.de> hi, On Fri, Jul 26, 2002 at 02:31:23PM -0500, Mark Grennan wrote: > 4. Doesn't post logged in users to the wtmp file causing it to > appear as if no one is logged in. I haven't seen this with OpenSSH 3.3p1 or 3.4p1 on AIX 4.2.x or 4.3.x. So maybe your version of OpenSSH is just too old. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From mouring at etoh.eviladmin.org Sat Jul 27 05:53:29 2002 
From: mouring at etoh.eviladmin.org (Ben Lindstrom) Date: Fri, 26 Jul 2002 14:53:29 -0500 (CDT) Subject: AIX issues In-Reply-To: <1027711883.22720.84.camel@dcs1185> Message-ID: On 26 Jul 2002, Mark Grennan wrote: > Hello everyone, > > I have been given the task of working out a number of issues with > OpenSSH for my company (Hertz). > > I have been following the mailing list for several days now and I'm > beginning to compile a list of who is working on what. To make my task > faster, it would nice if the people working on the following issues > would drop me a email before I start to rewrite their code and get it > wrong. :-) > > I am dealing with AIX 4.3.3, AIX 5.x, and OpenSSH 2.5.1p1 and 2.9.9p2. > I'm sure some of these issues have been fixed. > > The issues are: > > 1. Allows login even though the password has expired either from age > or after being reset by a security analyst. > This is an outstanding issue. I doubt this will be fixed by 3.5 release. Mainly because one has to do two different paths. First one would be for v1 protocol (password change over TTY) and the other is v2 (password change via SSH_MSG_CHANGE_PASSWORD_REQ). The latter does not have a serverside framework just client side. > 2. Doesn't update AIX's "failed login count", consequently the ID is > not locked after 5 invalid login attempts. > > 3. Doesn't record the failed login in AIX's failedlogin log. > > 4. Doesn't post logged in users to the wtmp file causing it to > appear as if no one is logged in. > These should be fixed. I did not get around to setting up my 5.x/4.3.3 box that was donated to me for testing. (Tonight, I hope!) > 5. Corrupts the file that stores the last login date for users > making it impossible to lock or remove accounts for inactivity. > Not heard of this. > 6. Doesn't honor the /etc/ftpusers to restrict sftp access. Any > users can use ftp through SSH. > I believe we stated it was not correct to depends on /etc/ftpusers. Check the mailinglist archives. > 7. 
Syslog entries for SSH login don't differentiate between SSH,
> SFTP, or other tunneled logins.
>
Don't think it should. sftp is just like doing 'ssh remote /path/to/sftp-server'. Never looked at how tunneling is logged.
> 8. OpenSSH doesn't show user logouts in syslog like F-Secure does.
>
> My first step is to move both environments to 3.4p1 and retest.
>
Test with the current snapshots. There was a whole slew of fixes Daz, myself, and others have done since 3.4 release. There are no new features in --current. It is all bug fixes so it should be just as safe as 3.4.
From markus at openbsd.org Sat Jul 27 00:41:59 2002
From: markus at openbsd.org (Markus Friedl) Date: Fri, 26 Jul 2002 16:41:59 +0200 Subject: [Patch] Improve portability of regression tests - version 2 In-Reply-To: <3D3FFB78.1050108@skalasoft.com> References: <3D3D44D3.4070508@skalasoft.com> <20020723145600.GA23631@folly> <3D3FFB78.1050108@skalasoft.com> Message-ID: <20020726144159.GA18695@folly>
On Thu, Jul 25, 2002 at 04:22:00PM +0300, Roumen.Petrov at skalasoft.com wrote:
> - test "sshd_config" contain line: "Subsystem sftp $SFTPSERVER"
- ok, but what test is using this? -m
From markus at openbsd.org Sat Jul 27 00:46:06 2002
From: markus at openbsd.org (Markus Friedl) Date: Fri, 26 Jul 2002 16:46:06 +0200 Subject: [PATCH] prevent users from changing their environment In-Reply-To: <20020725191629.A8677@chiark.greenend.org.uk> References: <20020725191629.A8677@chiark.greenend.org.uk> Message-ID: <20020726144605.GB18695@folly>
hm, sshd already suffers from far too many options. is making $HOME/.ssh unwritable not an option?
From dot at dotat.at Sat Jul 27 08:20:30 2002
From: dot at dotat.at (Tony Finch) Date: Fri, 26 Jul 2002 23:20:30 +0100 Subject: [PATCH] prevent users from changing their environment In-Reply-To: <20020726144605.GB18695@folly>; from markus@openbsd.org on Fri, Jul 26, 2002 at 04:46:06PM +0200 References: <20020725191629.A8677@chiark.greenend.org.uk> <20020726144605.GB18695@folly> Message-ID: <20020726232030.C3529@chiark.greenend.org.uk> On Fri, Jul 26, 2002 at 04:46:06PM +0200, Markus Friedl wrote: > > hm, sshd already suffers from far to many options. Yes, and Unix authentication is too complicated :-( > is making $HOME/.ssh unwriteable not an option? Unfortunately not because there are too many ways for the users to make it writable again (they can delete and create directories and files in their home directories with ftp and scp and the menu system). We might be able to lock things down more in a future version of the system, but we're stuck with the way it is until then. Thanks for being receptive. Tony. -- f.a.n.finch http://dotat.at/ SOUTH FITZROY: NORTH OR NORTHWEST 4, BUT 5 OR 6 SOUTH OF CAPE FINISTERRE. FAIR. MODERATE OR GOOD. From tan_chee_koon at iesingapore.gov.sg Sat Jul 27 12:15:04 2002 
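Tony's patch itself is not reproduced in this part of the thread, so the following is an added example, not part of the original thread or of OpenSSH, of the check a practitioner would want before trusting a restricted login shell on a box where users own ~/.ssh. It parses the option prefix of ~/.ssh/authorized_keys lines (the sshd(8) syntax: comma-separated options ending at the first unquoted whitespace, with double-quoted values that may contain \" and commas) and the ~/.ssh/environment file, and reports every variable the user can inject into their own session, flagging LD_PRELOAD, LD_LIBRARY_PATH and the other names in an assumed deny-list. Because a dynamically linked menu program honours LD_PRELOAD, any flagged finding on such an account is the shell escape the thread is about. The file contents, key material and account names are constructed samples.

```python
"""Audit the two user-writable sources of environment variables that sshd
passes into a login session: the environment="NAME=value" option in
~/.ssh/authorized_keys and the ~/.ssh/environment file.
Added example, not code from OpenSSH or from the patch under discussion."""

# Key types accepted by OpenSSH 3.x; an RSA1 line starts with a bit count instead.
KEY_TYPES = {"ssh-rsa", "ssh-dss"}

# Assumed deny-list: names the dynamic loader or a shell/interpreter honours at startup.
DANGEROUS_NAMES = {"PATH", "SHELL", "HOME", "IFS", "ENV", "BASH_ENV",
                   "PERL5LIB", "PERL5OPT", "PYTHONPATH"}


def is_dangerous(name):
    """LD_* (ld.so.1 on Solaris, ld.so on Linux) or a shell/interpreter hook."""
    return name.startswith("LD_") or name in DANGEROUS_NAMES


def split_options(line):
    """Return (options, rest) for one authorized_keys line.

    Options are comma separated and end at the first unquoted whitespace;
    a value may be enclosed in double quotes and may contain \\" and
    commas inside the quotes (sshd(8), AUTHORIZED_KEYS FILE FORMAT).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return [], ""
    first = line.split(None, 1)[0]
    if first in KEY_TYPES or first.isdigit():
        return [], line                      # no option prefix on this line
    options, cur, quoted, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if quoted:
            if c == "\\" and i + 1 < len(line) and line[i + 1] == '"':
                cur.append('"')              # escaped quote inside a value
                i += 2
                continue
            if c == '"':
                quoted = False
            else:
                cur.append(c)
        elif c == '"':
            quoted = True
        elif c == ",":
            options.append("".join(cur))
            cur = []
        elif c.isspace():
            break                            # options end, key type follows
        else:
            cur.append(c)
        i += 1
    if cur:
        options.append("".join(cur))
    return options, line[i:].strip()


def audit_authorized_keys(text):
    """Return (lineno, name, value, dangerous) for every environment= option."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        options, _ = split_options(line)
        for opt in options:
            if opt.startswith("environment="):
                name, _, value = opt[len("environment="):].partition("=")
                findings.append((lineno, name, value, is_dangerous(name)))
    return findings


def audit_environment_file(text):
    """Same report for ~/.ssh/environment (NAME=value per line, # comments)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip()
        findings.append((lineno, name, value, is_dangerous(name)))
    return findings


# Constructed samples: not real keys, hosts or accounts.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample
ssh-dss AAAAB3NzaC1kc3MAAACBAP example-key-1 plain@example
environment="LD_PRELOAD=/home/u1/.x.so",from="*.example.net" ssh-rsa AAAAB3NzaC1yc2E example-key-2 menu@example
command="/usr/local/bin/menu",environment="TERM=vt100" ssh-rsa AAAAB3NzaC1yc2E example-key-3 other@example
"""
SAMPLE_ENVIRONMENT = """\
# constructed ~/.ssh/environment
TERM=xterm
LD_LIBRARY_PATH=/home/u1/lib
"""


def report(text, auditor, label):
    """Print one line per finding, marking the ones that defeat a restricted shell."""
    for lineno, name, value, bad in auditor(text):
        print("%s:%d %s=%s [%s]" % (label, lineno, name, value,
                                    "SHELL-ESCAPE RISK" if bad else "info"))


if __name__ == "__main__":
    report(SAMPLE_AUTHORIZED_KEYS, audit_authorized_keys, "authorized_keys")
    report(SAMPLE_ENVIRONMENT, audit_environment_file, "environment")
```

To run it against a real account, pass the file contents to `audit_authorized_keys` and `audit_environment_file`; the same option parser serves for reviewing `command=` and `from=` restrictions, which is the other half of locking down such accounts.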
From: tan_chee_koon at iesingapore.gov.sg (tan_chee_koon at iesingapore.gov.sg) Date: Sat, 27 Jul 2002 10:15:04 +0800 Subject: openssh problem Message-ID: Hi SSH developers, > I have a Solaris 8 machine which I have installed openssh ver3.4p1 from > www.sunfreeware.com. > I have configured it to work in a chroot environment and the daemon is able > to start without any > problem. > > I start the sshd daemon as follows : > > /usr/sbin/chroot /ftphome /usr/local/sbin/sshd > > I do a sftp connection to the localhost to test the connection. > > However, there is still an error while connecting. This error occur after I > enter my > password successfully. The error message is as follows : > > sshd [1944] : fatal : monitor_read : unsupported_request : 24. > > It seemed to me that the login went through but it simply disconnects > immediately after that with the above error message. > > Seeking your advice please. > > I attached the debug session from the sshd as follows. I am very sure the > password is correct. > > Thanks > ============================================================================== > > debug1: sshd version OpenSSH_3.4p1 > debug1: private host key: #0 type 0 RSA1 > debug1: read PEM private key done: type RSA > debug1: private host key: #1 type 1 RSA > debug1: read PEM private key done: type DSA > debug1: private host key: #2 type 2 DSA > debug1: Bind to port 22 on ::. > Server listening on :: port 22. > debug1: Bind to port 22 on 0.0.0.0. > Server listening on 0.0.0.0 port 22. > Generating 768 bit RSA key. > RSA key generation complete. > debug1: Server will not fork when running in debugging mode. 
> Connection from 127.0.0.1 port 32948 > debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 > debug1: match: OpenSSH_3.4p1 pat OpenSSH* > Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-1.99-OpenSSH_3.4p1 > debug1: list_hostkey_types: ssh-rsa,ssh-dss > debug1: SSH2_MSG_KEXINIT sent > debug1: SSH2_MSG_KEXINIT received > debug1: kex: client->server aes128-cbc hmac-md5 none > debug1: kex: server->client aes128-cbc hmac-md5 none > debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received > debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent > debug1: dh_gen_key: priv key bits set: 134/256 > debug1: bits set: 1602/3191 > debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT > debug1: bits set: 1528/3191 > debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent > debug1: kex_derive_keys > debug1: newkeys: mode 1 > debug1: SSH2_MSG_NEWKEYS sent > debug1: waiting for SSH2_MSG_NEWKEYS > debug1: newkeys: mode 0 > debug1: SSH2_MSG_NEWKEYS received > debug1: KEX done > debug1: userauth-request for user cheekoon service ssh-connection method > none > debug1: attempt 0 failures 0 > debug1: Starting up PAM with username "cheekoon" > debug1: PAM setting rhost to "localhost" > Failed none for cheekoon from 127.0.0.1 port 32948 ssh2 > Failed none for cheekoon from 127.0.0.1 port 32948 ssh2 > debug1: userauth-request for user cheekoon service ssh-connection method > keyboard-interactive > debug1: attempt 1 failures 1 > debug1: keyboard-interactive devs > debug1: auth2_challenge: user=cheekoon devs= > debug1: kbdint_alloc: devices '' > Failed keyboard-interactive for cheekoon from 127.0.0.1 port 32948 ssh2 > debug1: userauth-request for user cheekoon service ssh-connection method > password > debug1: attempt 2 failures 2 > debug1: PAM Password authentication accepted for user "cheekoon" > PAM rejected by account configuration[7]: Permission denied > Failed password for cheekoon from 127.0.0.1 port 32948 ssh2 > Accepted password for cheekoon from 127.0.0.1 port 32948 ssh2 > 
monitor_read: unsupported request: 24 > debug1: Calling cleanup 0x2f7e8(0x0) > debug1: Calling cleanup 0x4b560(0x0) > From bugzilla-daemon at mindrot.org Sat Jul 27 12:14:41 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 27 Jul 2002 12:14:41 +1000 (EST) Subject: [Bug 291] /tmp/ssh-xxxx socket directories clutter up /tmp Message-ID: <20020727021441.AB61BE932@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=291 ------- Additional Comments From stevesk at pobox.com 2002-07-27 12:14 ------- /tmp is the most portable world-writable location. as to hiding them with dot, i just don't see strong justification for this. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From dtucker at zip.com.au Sat Jul 27 12:45:20 2002 
From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 27 Jul 2002 12:45:20 +1000 Subject: [Patch] Improve diags for "OpenSSL headers match library" configure test Message-ID: <3D420940.87FF7482@zip.com.au> Hello All, After seeing what is probably the zillionth "OpenSSL headers don't match library" bug report I made the following mod to configure.ac. It always writes the versions of the library and headers to config.log and prints them to stdout if they don't match. Hopefully this will help diagnose these problems in future. Example output below. -Daz. $ ./configure [snip] checking whether OpenSSL's headers match the library... library 90602f headers 90604f no configure: error: Your OpenSSL headers do not match your library and config.log: configure:8458: ./conftest OpenSSL library 90602f headers 90604f configure:8461: $? = 1 configure: program exited with status 1 -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: configure.ac =================================================================== RCS file: /cvs/openssh/configure.ac,v retrieving revision 1.84 diff -u -r1.84 configure.ac --- configure.ac 23 Jul 2002 00:00:06 -0000 1.84 +++ configure.ac 27 Jul 2002 02:35:58 -0000 @@ -769,9 +769,18 @@ AC_MSG_CHECKING([whether OpenSSL's headers match the library]) AC_TRY_RUN( [ +#include #include #include -int main(void) { return(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); } +int main(void) { + fprintf(stderr,"OpenSSL library %x headers %x\n", SSLeay(), OPENSSL_VERSION_NUMBER); + if (SSLeay() == OPENSSL_VERSION_NUMBER) { + return(0); + } else { + printf("library %x headers %x ", SSLeay(), OPENSSL_VERSION_NUMBER); + return(1); + } +} ], [ AC_MSG_RESULT(yes) From dtucker at zip.com.au Sat Jul 27 12:53:42 2002 
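Review bot: the printf() in the mismatch branch of the new main() writes to standard output, which the autoconf guidelines say test programs must not do, and the text lands in the middle of the AC_MSG_CHECKING line, as the sample output shows ("... library 90602f headers 90604f no"); keep only the fprintf(stderr, ...) so config.log records both numbers, and report the mismatch from configure itself via AC_MSG_RESULT/AC_MSG_ERROR. The format string is also wrong for the types: SSLeay() returns unsigned long and OPENSSL_VERSION_NUMBER is an L-suffixed constant, so "%x" should be "%lx" with the macro cast to unsigned long. Two smaller points: the guidelines also want main() to exit() rather than return, so return(0)/return(1) should become exit(0)/exit(1); and the added "+#include" line shows no header name in this copy, but fprintf needs <stdio.h> declared before it is used.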
From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 27 Jul 2002 12:53:42 +1000 Subject: [PATCH] prevent users from changing their environment References: <20020725191629.A8677@chiark.greenend.org.uk> <20020726144605.GB18695@folly> Message-ID: <3D420B36.1B40AA7E@zip.com.au> Markus Friedl wrote: > hm, sshd already suffers from far too many options. > is making $HOME/.ssh unwriteable not an option? You'd have to make sure $HOME isn't writeable either, otherwise the users could just rename .ssh and create a new one. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. From flick at almaden.ibm.com Sat Jul 27 13:24:27 2002 From: flick at almaden.ibm.com (Myron Flickner) Date: Fri, 26 Jul 2002 20:24:27 -0700 Subject: scp fails with openssh 3.4p1 cygwin release Message-ID: <001101c2351d$1d3ee4e0$2a0b0109@almaden.ibm.com> Two Windows 2k cygwin machines running openssh 3.4p1 result in the following failures 1 - scp -p fails with error "protocol error: atime.usec not delimited" 2 - an scp of a pdf file results in a corrupt copy. My guess is that this is due to cr/lf translations. Once it failed on one file I didn't try others since I don't trust it. Imaging away / flick -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20020726/b3fdcbc0/attachment.html From tim at multitalents.net Sat Jul 27 14:09:53 2002 
From: tim at multitalents.net (Tim Rice) Date: Fri, 26 Jul 2002 21:09:53 -0700 (PDT) Subject: [Patch] Improve diags for "OpenSSL headers match library" configure test In-Reply-To: <3D420940.87FF7482@zip.com.au> Message-ID: On Sat, 27 Jul 2002, Darren Tucker wrote: > Hello All, > After seeing what is probably the zillionth "OpenSSL headers don't > match library" bug report I made the following mod to configure.ac. It > always writes the versions of the library and headers to config.log and > prints them to stdout if they don't match. > > Hopefully this will help diagnose these problems in future. Example > output below. > > -Daz. I think I remember the autoconf docs recommending against using printf() in tests. Look at the test in the --with-default-path section for how you might do it differently. -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From dtucker at zip.com.au Sat Jul 27 15:38:47 2002 
From: dtucker at zip.com.au (Darren Tucker) Date: Sat, 27 Jul 2002 15:38:47 +1000 Subject: [Patch] Improve diags for "OpenSSL headers match library" configure test References: Message-ID: <3D4231E7.91B20C24@zip.com.au> Tim Rice wrote: > I think I remember the autoconf docs recommending against using printf() > in tests. Look at the test in the --with-default-path section for > how you might do it differently. I did a quick search of the autoconf docs and the only thing I was able to find was http://www.gnu.org/manual/autoconf/html_node/Guidelines.html which says "Test programs should not write anything to the standard output." There doesn't seem to be a prohibition on stderr. Interestingly, it also says "Test programs should exit, not return, from main, because on some systems (old Suns, at least) the argument to return in main is ignored." There are 5 instances of return() instead of exit(), including this OpenSSL test. I also looked at the --with-default-path handling. It seems to be that way because the output needs to be used later by configure. Failing the OpenSSL check is fatal, and the object here is to capture some data for later diagnosis. Writing to stderr is logged, so I don't think the added complexity is needed. With all that in mind, what about this patch? It only writes to stderr and the output only appears in config.log. -- Darren Tucker (dtucker at zip.com.au) GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- Index: configure.ac =================================================================== RCS file: /cvs/openssh/configure.ac,v retrieving revision 1.84 diff -u -r1.84 configure.ac --- configure.ac 23 Jul 2002 00:00:06 -0000 1.84 +++ configure.ac 27 Jul 2002 05:36:15 -0000 
@@ -769,9 +769,13 @@ AC_MSG_CHECKING([whether OpenSSL's headers match the library]) AC_TRY_RUN( [ +#include #include #include -int main(void) { return(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); } +int main(void) { + fprintf(stderr,"OpenSSL library %x headers %x\n", SSLeay(), OPENSSL_VERSION_NUMBER); + exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); +} ], [ AC_MSG_RESULT(yes) From bugzilla-daemon at mindrot.org Sat Jul 27 17:43:00 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sat, 27 Jul 2002 17:43:00 +1000 (EST) Subject: [Bug 335] OpenSSL headers do not match your library Message-ID: <20020727074300.27DBAE98C@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=335 ------- Additional Comments From dtucker at zip.com.au 2002-07-27 17:42 ------- FYI I've put up some hints and a tool for diagnosing this type of problem up on http://www.zip.com.au/~dtucker/openssh/. The tool (hopefully) finds all instances of OpenSSL and displays their versions and there's a patch to configure that displays the version it finds. With these you might be able to determine which ones configure is using. Currently tested on Redhat with GCC only. Example output: $ ./findssl.sh Searching for OpenSSL header files. 0x0090604fL /usr/include/openssl/opensslv.h 0x0090604fL /usr/local/ssl/include/openssl/opensslv.h Searching for OpenSSL shared library files. 0x0090602fL /lib/libcrypto.so.0.9.6b 0x0090602fL /lib/libcrypto.so.2 0x0090581fL /usr/lib/libcrypto.so.0 0x0090602fL /usr/lib/libcrypto.so 0x0090581fL /usr/lib/libcrypto.so.0.9.5a 0x0090600fL /usr/lib/libcrypto.so.0.9.6 0x0090600fL /usr/lib/libcrypto.so.1 Searching for OpenSSL static library files. 0x0090602fL /usr/lib/libcrypto.a 0x0090604fL /usr/local/ssl/lib/libcrypto.a ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From sean at conman.org Sun Jul 28 05:04:46 2002 
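Review bot: "%x" with unsigned long arguments is still wrong in this revision: SSLeay() returns unsigned long and OPENSSL_VERSION_NUMBER is an L-suffixed constant, and passing a long where printf expects an unsigned int is undefined on LP64 hosts (the 64-bit Solaris and Alpha builds this test is meant to diagnose); use "%lx" and cast the macro to unsigned long. Since the only purpose of the line is later diagnosis from config.log, it would also help to log the human-readable strings next to the hex, i.e. SSLeay_version(SSLEAY_VERSION) for the library and OPENSSL_VERSION_TEXT for the headers, so nobody has to decode 90602f against 90604f by hand. The switch to exit() and to stderr-only output does address Tim's objection.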
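An added example, not code from OpenSSH or from the findssl.sh tool above: a small C program that decodes the packed OPENSSL_VERSION_NUMBER values that configure and findssl.sh print, using the field layout documented in opensslv.h for the 0.9.3 through 1.1.x series, so that "library 90602f headers 90604f" reads as 0.9.6b against 0.9.6d. The default inputs are the two numbers from the configure failure quoted in this thread; the program and file names are the example's own.

```c
/*
 * Added example, not OpenSSH code: decode packed OpenSSL version numbers.
 * Layout documented in opensslv.h (0.9.3 .. 1.1.x): 0xMNNFFPPS
 *   M = major, NN = minor, FF = fix, PP = patch level (1 = a, 2 = b, ...),
 *   S = status (0 = dev, 1..e = beta N, f = release).
 * The 0.9.5a..0.9.5x releases set the high bit of PP (0.9.5a is 0x0090581f)
 * so they sort after the older-style 0.9.5 number; that bit is masked off.
 * Build: cc -o sslver sslver.c ; run: ./sslver 90602f 90604f
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Write the dotted form of a packed version number into buf; returns buf. */
char *
openssl_version_string(unsigned long v, char *buf, size_t len)
{
	unsigned major  = (v >> 28) & 0xf;
	unsigned minor  = (v >> 20) & 0xff;
	unsigned fix    = (v >> 12) & 0xff;
	unsigned patch  = (v >> 4) & 0x7f;	/* mask the 0.9.5a ordering bit */
	unsigned status = v & 0xf;
	char letter[2] = { '\0', '\0' };
	char suffix[16] = "";

	if (patch != 0)
		letter[0] = (char)('a' + patch - 1);	/* 2 -> 'b' */
	if (status == 0)
		snprintf(suffix, sizeof suffix, "-dev");
	else if (status < 0xf)
		snprintf(suffix, sizeof suffix, "-beta%u", status);
	snprintf(buf, len, "%u.%u.%u%s%s", major, minor, fix, letter, suffix);
	return buf;
}

/* Convenience for checks: does v decode to expect?  1 = yes, 0 = no. */
int
openssl_version_is(unsigned long v, const char *expect)
{
	char buf[32];

	return strcmp(openssl_version_string(v, buf, sizeof buf), expect) == 0;
}

/*
 * The comparison configure makes, but explained.  Returns 1 when library
 * and headers agree, 0 otherwise; if why is non-NULL a one-line
 * description is written there.
 */
int
openssl_versions_match(unsigned long lib, unsigned long hdr, char *why, size_t len)
{
	char a[32], b[32];

	if (lib == hdr) {
		if (why != NULL)
			snprintf(why, len, "ok: library and headers are both %s",
			    openssl_version_string(lib, a, sizeof a));
		return 1;
	}
	if (why != NULL)
		snprintf(why, len,
		    "mismatch: library %s (0x%08lx) vs headers %s (0x%08lx)",
		    openssl_version_string(lib, a, sizeof a), lib,
		    openssl_version_string(hdr, b, sizeof b), hdr);
	return 0;
}

int
main(int argc, char **argv)
{
	/* Defaults: the two numbers from the configure failure quoted above. */
	unsigned long lib = 0x0090602fUL, hdr = 0x0090604fUL;
	char why[128];

	if (argc == 3) {
		lib = strtoul(argv[1], NULL, 16);
		hdr = strtoul(argv[2], NULL, 16);
	}
	openssl_versions_match(lib, hdr, why, sizeof why);
	puts(why);
	return lib == hdr ? 0 : 1;
}
```

Run it with two hex arguments (./sslver 90602f 90604f) to decode any pair taken from config.log or from a findssl.sh listing; it exits 1 on a mismatch so it can sit in a build script. Applied to the listing above it reads /lib/libcrypto.so.0.9.6b as 0.9.6b, /usr/local/ssl as 0.9.6d and /usr/lib/libcrypto.so.0.9.5a as 0.9.5a, which is exactly the ambiguity configure's bare "headers do not match your library" hides.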
From: sean at conman.org (Sean Conner) Date: Sat, 27 Jul 2002 15:04:46 -0400 (EDT) Subject: Patch to OpenSSH-3.4p1/monitor_mm.c for Linux 2.0 Message-ID: <200207271904.PAA17315@conman.org> I had to modify the file monitor_mm.c to get the privilege separation to work for Linux 2.0.36 (and above) and am passing on the patch to you; if there is a better place to send this, please let me know. I've included a new #define (USE_MMAP_DEV_ZERO) to select this patch, but am not including the patch to config.h---if there's a better name for it, please, by all means, change it. Thanks for your time and consideration. Sean --- openssh-3.4p1/monitor_mm.c Tue Jun 25 20:29:03 2002 +++ openssh-3.4p1.new/monitor_mm.c Fri Jul 26 03:00:35 2002 @@ -85,10 +85,24 @@ mm->mmalloc = mmalloc; #ifdef HAVE_MMAP_ANON_SHARED +# ifdef USE_MMAP_DEV_ZERO + { + int fh; + + fh = open("/dev/zero",O_RDWR); + if (fh == -1) + fatal("mmap(`/dev/zero'): %s",strerror(errno)); + + address = mmap(NULL,size,PROT_WRITE|PROT_READ,MAP_PRIVATE,fh,0); + if (address == MAP_FAILED) + fatal("mmap(%lu,%d): %s",(u_long)size,fh,strerror(errno)); + } +# else address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0); if (address == MAP_FAILED) fatal("mmap(%lu): %s", (u_long)size, strerror(errno)); +# endif #else fatal("%s: UsePrivilegeSeparation=yes and Compression=yes not supported", __func__); From tusker at tusker.org Sat Jul 27 21:38:28 2002 
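Review bot: MAP_PRIVATE in the new /dev/zero branch defeats the purpose of this mapping. mm_create() exists to give the monitor and the forked unprivileged child memory both of them see, which is why the existing call uses MAP_ANON|MAP_SHARED; a private mapping is copy-on-write, so after fork() the child's updates stay in the child and the monitor reads its own untouched copy, and nothing fails loudly. It has to be MAP_SHARED, and if the target kernel cannot map /dev/zero shared either, falling through to the fatal() in the #else branch is the honest outcome. Two further points: the new block is nested inside #ifdef HAVE_MMAP_ANON_SHARED, so on a host where configure did not find MAP_ANON|MAP_SHARED usable (the case that motivates the patch) it is never compiled at all; and fh is never closed after mmap(), although a mapping stays valid once its descriptor is closed (open() also needs <fcntl.h>, and the first fatal() reports "mmap(`/dev/zero')" for what is actually an open() failure).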
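The difference between MAP_SHARED and MAP_PRIVATE for a monitor/child pair can be demonstrated directly. This is an added example, not part of the patch or of OpenSSH: it maps one region three ways (MAP_ANON|MAP_SHARED as monitor_mm.c does, MAP_SHARED over /dev/zero, and MAP_PRIVATE over /dev/zero as the patch does), forks, lets the child store a marker, and reports whether the parent sees it. It assumes a POSIX mmap() and a /dev/zero device; MAP_ANONYMOUS is spelled MAP_ANON on some systems, hence the fallback define.

```c
/*
 * Added example, not OpenSSH code: why the monitor/child shared region must
 * be MAP_SHARED.  Each call maps a region, forks, lets the child write a
 * marker and reports whether the parent sees it afterwards.
 * Assumes a POSIX mmap() and a /dev/zero device.
 * Build: cc -o mapdemo mapdemo.c
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON		/* BSD spelling */
#endif

#define MARKER 0x5a5a

/*
 * Map len bytes with the given sharing flag (MAP_SHARED or MAP_PRIVATE),
 * either anonymously or backed by /dev/zero.  Returns NULL on failure.
 */
static void *
map_region(size_t len, int sharing, int use_dev_zero)
{
	void *p;
	int fd;

	if (use_dev_zero) {
		if ((fd = open("/dev/zero", O_RDWR)) == -1)
			return NULL;
		p = mmap(NULL, len, PROT_READ|PROT_WRITE, sharing, fd, 0);
		close(fd);		/* a mapping outlives its descriptor */
	} else {
		p = mmap(NULL, len, PROT_READ|PROT_WRITE,
		    sharing|MAP_ANONYMOUS, -1, 0);
	}
	return p == MAP_FAILED ? NULL : p;
}

/*
 * Returns 1 if a value the child writes after fork() is visible to the
 * parent, 0 if the parent still sees its own copy, -1 on error.
 */
int
child_write_visible(int sharing, int use_dev_zero)
{
	volatile int *slot;
	pid_t pid;
	int status, seen;

	slot = map_region(sizeof(*slot), sharing, use_dev_zero);
	if (slot == NULL)
		return -1;
	*slot = 0;

	pid = fork();
	if (pid == -1) {
		munmap((void *)slot, sizeof(*slot));
		return -1;
	}
	if (pid == 0) {
		*slot = MARKER;		/* the child's update */
		_exit(0);
	}
	if (waitpid(pid, &status, 0) == -1)
		return -1;
	seen = (*slot == MARKER);
	munmap((void *)slot, sizeof(*slot));
	return seen;
}

int
main(void)
{
	printf("MAP_ANON|MAP_SHARED (monitor_mm.c): child write visible = %d\n",
	    child_write_visible(MAP_SHARED, 0));
	printf("MAP_SHARED  /dev/zero             : child write visible = %d\n",
	    child_write_visible(MAP_SHARED, 1));
	printf("MAP_PRIVATE /dev/zero (the patch) : child write visible = %d\n",
	    child_write_visible(MAP_PRIVATE, 1));
	return 0;
}
```

On a kernel that supports shared mappings the first two lines print 1 and the third prints 0: the private mapping succeeds, so the patch would not trip either fatal(), but the monitor never sees what the unprivileged child wrote.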
From: tusker at tusker.org (Damien Mascord) Date: Sat, 27 Jul 2002 19:38:28 +0800 Subject: OpenSSH 3.4p1 on SourceMage client ssh fails Message-ID: <5.1.1.5.2.20020727191949.039d3588@tusker.org> Hi guys, I have a OpenSSH 3.4p1 installation on a SourceMage box, and I am trying to connect to a OpenSSH 3.3p1 installation on a RedHat 7.x box and any other machine. The client fails with a "Host key verification failed." Any other client connects correctly to the RedHat box, and any other server that I try to connect to from the SourceMage box fails with the same error message. The output of the debug for ssh client and ssh are as attached. I can connect to the SourceMage box fine from any client, though cannot connect outwards... any ideas? Damien --------------------------- The configure that I used for OpenSSH 3.4p1 on the SourceMage box is as follows: ./configure --prefix=/usr \ --sysconfdir=/etc/ssh \ --with-md5-passwords \ --mandir=/usr/share/man \ I am also using OpenSSL 0.9.6d. $ openssl version OpenSSL 0.9.6d 9 May 2002 The debug output on the 3.3p1 RedHat box: sshd -d -d -d -p 4022 debug1: sshd version OpenSSH_3.3 debug1: private host key: #0 type 0 RSA1 debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key. debug1: read PEM private key done: type RSA debug1: private host key: #1 type 1 RSA debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key. debug1: read PEM private key done: type DSA debug1: private host key: #2 type 2 DSA socket: Address family not supported by protocol debug1: Bind to port 4022 on 0.0.0.0. Server listening on 0.0.0.0 port 4022. Generating 768 bit RSA key. RSA key generation complete. debug1: Server will not fork when running in debugging mode. 
Connection from 218.186.116.42 port 36256 debug1: Client protocol version 2.0; client software version OpenSSH_3.4p1 debug1: match: OpenSSH_3.4p1 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-1.99-OpenSSH_3.3 debug2: Network child is on pid 29415 debug3: preauth child monitor started debug3: mm_request_receive entering debug3: privsep user:group 74:74 debug1: list_hostkey_types: ssh-rsa,ssh-dss debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: 
kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received debug3: mm_request_send entering: type 0 debug3: mm_choose_dh: waiting for MONITOR_ANS_MODULI debug3: mm_request_receive_expect entering: type 1 debug3: mm_request_receive entering debug3: monitor_read: checking request 0 debug3: mm_answer_moduli: got parameters: 1024 2048 8192 debug3: mm_request_send entering: type 1 debug2: monitor_read: 0 used once, disabling now debug3: mm_request_receive entering debug3: mm_choose_dh: remaining 0 debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent debug1: dh_gen_key: priv key bits set: 132/256 debug1: bits set: 1566/3191 debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT debug1: bits set: 1626/3191 debug3: mm_key_sign entering debug3: mm_request_send entering: type 4 debug3: monitor_read: checking request 4 debug3: mm_answer_sign debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN debug3: mm_request_receive_expect entering: type 5 debug3: mm_request_receive entering debug3: mm_answer_sign: signature 0x80a09a0(143) debug3: mm_request_send entering: type 5 debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent debug1: kex_derive_keys debug1: newkeys: mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug2: monitor_read: 4 used once, disabling now debug3: mm_request_receive entering Connection closed by 218.186.116.42 debug1: Calling cleanup 0x806e1a0(0x0) debug1: Calling cleanup 0x806e1a0(0x0) For the 3.3p1 Redhat box: ssh -v -v -v tusker@ -p 4022 OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f debug1: Reading configuration data /etc/ssh/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted. 
debug1: ssh_connect: needpriv 0 debug1: Connecting to grim.optus.nu [211.28.94.42] port 4022. debug1: Connection established. debug1: identity file /home/tusker/.ssh/identity type -1 debug1: identity file /home/tusker/.ssh/id_rsa type -1 debug1: identity file /home/tusker/.ssh/id_dsa type -1 debug1: Remote protocol version 1.99, remote software version OpenSSH_3.3 debug1: match: OpenSSH_3.3 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.4p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: none debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc at lysator.liu.se debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160 at 
openssh.com,hmac-sha1-96,hmac-md5-96 debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: none,zlib debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: debug2: kex_parse_kexinit: first_kex_follows 0 debug2: kex_parse_kexinit: reserved 0 debug2: mac_init: found hmac-md5 debug1: kex: server->client aes128-cbc hmac-md5 none debug2: mac_init: found hmac-md5 debug1: kex: client->server aes128-cbc hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: dh_gen_key: priv key bits set: 131/256 debug1: bits set: 1626/3191 debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug3: check_host_in_hostfile: filename /home/tusker/.ssh/known_hosts debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts debug3: check_host_in_hostfile: filename /home/tusker/.ssh/known_hosts debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts Host key verification failed. debug1: Calling cleanup 0x8068fb0(0x0) For a 1.2.26 SSH box: ssh -v -v -v tusker@ OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090604f debug1: Reading configuration data /etc/ssh/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to disorder.com.au [216.94.9.84] port 22. debug1: Connection established. debug1: identity file /home/tusker/.ssh/identity type -1 debug1: identity file /home/tusker/.ssh/id_rsa type -1 debug1: identity file /home/tusker/.ssh/id_dsa type -1 debug1: Remote protocol version 1.5, remote software version 1.2.26 debug1: match: 1.2.26 pat 1.2.1*,1.2.2*,1.2.3* debug1: Local version string SSH-1.5-OpenSSH_3.4p1 debug1: Waiting for server public key. debug1: Received server public key (768 bits) and host key (1024 bits). 
debug3: check_host_in_hostfile: filename /home/tusker/.ssh/known_hosts debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts debug3: check_host_in_hostfile: filename /home/tusker/.ssh/known_hosts debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts Host key verification failed. debug1: Calling cleanup 0x8068fb0(0x0) From michalsc at email.uc.edu Sun Jul 28 12:22:17 2002 From: michalsc at email.uc.edu (Steven Michalske) Date: Sat, 27 Jul 2002 22:22:17 -0400 Subject: feature request Message-ID: <200207272222.22404.michalsc@email.uc.edu> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 for the ssh-add program it would be nice to have it add keys listed in a plain text file. such as a file ~/.ssh/keylist I looked at the code but I do not know how to code c, I could learn but I thought to ask the developers first :-P thank you guys Steven Michalske -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE9Q1VeJhwOdxS4dYERAva3AJ4wmPpjhEm+uaEFyPsNbj/eSkzIgwCeKIMd LqverpKqsylezO52Bd7NoAI= =xVkZ -----END PGP SIGNATURE----- From bugzilla-daemon at mindrot.org Sun Jul 28 19:01:36 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 28 Jul 2002 19:01:36 +1000 (EST) Subject: [Bug 372] New: [authkrb5] : KRB5CCNAME set to pointer Message-ID: <20020728090136.3FD7AE8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=372 Summary: [authkrb5] : KRB5CCNAME set to pointer Product: Portable OpenSSH Version: -current Platform: All OS/Version: All Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: basalt at easynet.fr openssh 3.4 /3.2 at least seen on i386 and sparc, with net/openbsd, cygwin ... when trying to authenticate through Kerberos V, KRB5CCNAME var set to wrong value on client : shiva:krb {50} klist klist: No ticket file: 0x506c0 v4-ticket file: /tmp/tkt1003 klist: No ticket file (tf_util) I think it is something near do_setup_env in session.c : 892 #ifdef KRB5 893 if (s->authctxt->krb5_ticket_file) 894 child_set_env(&env, &envsize, "KRB5CCNAME", 895 (char *)s->authctxt->krb5_ticket_file); 896 #endif hope this helps! regards, Julien ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From gert at greenie.muc.de Sun Jul 28 20:02:43 2002 From: gert at greenie.muc.de (Gert Doering) Date: Sun, 28 Jul 2002 12:02:43 +0200 Subject: OpenSSH 3.4p1 on SourceMage client ssh fails In-Reply-To: <5.1.1.5.2.20020727191949.039d3588@tusker.org>; from tusker@tusker.org on Sat, Jul 27, 2002 at 07:38:28PM +0800 References: <5.1.1.5.2.20020727191949.039d3588@tusker.org> Message-ID: <20020728120242.C5658@greenie.muc.de> Hi, On Sat, Jul 27, 2002 at 07:38:28PM +0800, Damien Mascord wrote: > I have an OpenSSH 3.4p1 installation on a SourceMage box, and I am trying to > connect to an OpenSSH 3.3p1 installation on a RedHat 7.x box and any other > machine. > > The client fails with a "Host key verification failed." From bugzilla-daemon at mindrot.org Sun Jul 28 21:26:48 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Sun, 28 Jul 2002 21:26:48 +1000 (EST) Subject: [Bug 291] /tmp/ssh-xxxx socket directories clutter up /tmp Message-ID: <20020728112648.173C0E8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=291 ------- Additional Comments From simons+mindrot at cryp.to 2002-07-28 21:26 ------- Is there any strong justification for _not_ hiding them with a dot? Or could you add a configure option (or run-time configure option) that lets me change this without having to patch the source code? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From tusker at tusker.org Sun Jul 28 23:47:33 2002 
From: tusker at tusker.org (Damien Mascord) Date: Sun, 28 Jul 2002 21:47:33 +0800 Subject: OpenSSH 3.4p1 on SourceMage client ssh fails In-Reply-To: <20020728120242.C5658@greenie.muc.de> References: <5.1.1.5.2.20020727191949.039d3588@tusker.org> <5.1.1.5.2.20020727191949.039d3588@tusker.org> Message-ID: <5.1.1.5.2.20020728214324.034fb3d0@tusker.org> Gert, ahh! non world writeable /dev/tty* was the issue... Thanks for the apt answer... any reason why this wasn't picked up on the debug or verbose?? Damien At 12:02 PM 28/07/2002 +0200, Gert Doering wrote: >Hi, > >On Sat, Jul 27, 2002 at 07:38:28PM +0800, Damien Mascord wrote: > > I have a OpenSSH 3.4p1 installation on a SourceMage box, and I am > trying to > > connect to a OpenSSH 3.3p1 installation on a RedHat 7.x box and any other > > machine. > > > > The client fails with a "Host key verification failed." > > >From the debug, it seems as if the client is not asking you to accept an >(yet-unknown) server key, but just checking all possible locations, not >finding the key, and giving up. > >I have seen a similar effect on a system that had a /dev/tty entry that >was not world-writeable (thus the ssh client couldn't open it to ask for >a confirmation). > >The effect will also happen if you have "StrictHostKeyChecking yes" in >ssh_config - set that to "ask", otherwise it will fail if the key isn't >known in advance. > >gert >-- >USENET is *not* the non-clickable part of WWW! > >//www.muc.de/~gert/ >Gert Doering - Munich, Germany gert at greenie.muc.de >fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de >_______________________________________________ >openssh-unix-dev at mindrot.org mailing list >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev From gert at greenie.muc.de Mon Jul 29 04:25:38 2002 
From: gert at greenie.muc.de (Gert Doering) Date: Sun, 28 Jul 2002 20:25:38 +0200 Subject: OpenSSH 3.4p1 on SourceMage client ssh fails In-Reply-To: <5.1.1.5.2.20020728214324.034fb3d0@tusker.org>; from tusker@tusker.org on Sun, Jul 28, 2002 at 09:47:33PM +0800 References: <5.1.1.5.2.20020727191949.039d3588@tusker.org> <5.1.1.5.2.20020727191949.039d3588@tusker.org> <20020728120242.C5658@greenie.muc.de> <5.1.1.5.2.20020728214324.034fb3d0@tusker.org> Message-ID: <20020728202538.E5658@greenie.muc.de> Hi, On Sun, Jul 28, 2002 at 09:47:33PM +0800, Damien Mascord wrote: > non world writeable /dev/tty* was the issue... Ummm. Just to clarify that: /dev/tty (with no '*') has to be world-writeable, /dev/tty* (all that tty devices) should not be. > Thanks for the apt answer... any reason why this wasn't picked up on the > debug or verbose?? Hmmm. As far as I remember, the code just assumes "if I can't access /dev/tty, it means 'ssh' is running from cron or something similar, without a controlling tty - so just assume there was no positive answer and go ahead". Markus: I think a debug message to that extent would be helpful, something like: debug1: can't open /dev/tty (%m), assuming negative answer (if the second part is appropriate). It's relevant for pass-phrase reading, and for "new host key" confirmation (at least). gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From markus at openbsd.org Mon Jul 29 04:34:25 2002 
From: markus at openbsd.org (Markus Friedl) Date: Sun, 28 Jul 2002 20:34:25 +0200 Subject: [PATCH] prevent users from changing their environment In-Reply-To: <3D420B36.1B40AA7E@zip.com.au> References: <20020725191629.A8677@chiark.greenend.org.uk> <20020726144605.GB18695@folly> <3D420B36.1B40AA7E@zip.com.au> Message-ID: <20020728183424.GA26307@folly> On Sat, Jul 27, 2002 at 12:53:42PM +1000, Darren Tucker wrote: > Markus Friedl wrote: > > hm, sshd already suffers from far too many options. > > is making $HOME/.ssh unwriteable not an option? > > You'd have to make sure $HOME isn't writeable either, otherwise the > users could just rename .ssh and create a new one. yes, for restricted users $HOME must not be writeable. From carson at taltos.org Mon Jul 29 04:41:16 2002 
From: carson at taltos.org (Carson Gaspar) Date: Sun, 28 Jul 2002 14:41:16 -0400 Subject: OpenSSH 3.4p1 on SourceMage client ssh fails In-Reply-To: <5.1.1.5.2.20020728214324.034fb3d0@tusker.org> References: <5.1.1.5.2.20020728214324.034fb3d0@tusker.org> Message-ID: <311545125.1027867276@[192.168.0.2]> --On Sunday, July 28, 2002 9:47 PM +0800 Damien Mascord wrote: > non world writeable /dev/tty* was the issue... > > Thanks for the apt answer... any reason why this wasn't picked up on the > debug or verbose?? OpenSSH suffers from being "differently instrumented", in politically correct terms. Library / system call failures are only logged if someone thought it was useful to log the error for some reason. Looking at the code: sshconnect.c:confirm() calls readpass.c:read_passphrase() with the flags set to RP_ECHO. And there's the problem. The following code (from read_passphrase) hides the error by returning a zero-length string: if (readpassphrase(prompt, buf, sizeof buf, rppflags) == NULL) { if (flags & RP_ALLOW_EOF) return NULL; return xstrdup(""); } If you want to fix it so an error is usefully logged, you should change confirm() from: for (msg = prompt;;msg = again) { p = read_passphrase(msg, RP_ECHO); if (p == NULL || (p[0] == '\0') || (p[0] == '\n') || strncasecmp(p, "no", 2) == 0) ret = 0; to something more like for (msg = prompt;;msg = again) { p = read_passphrase(msg, RP_ECHO | RP_ALLOW_EOF); if (p == NULL) { if (errno == ENOTTY) { /* Do something here */ } /* Do something else here */ return 0; /* You must do this! Or bad things happen when you fall through! */ } if ((p[0] == '\0') || (p[0] == '\n') || strncasecmp(p, "no", 2) == 0) ret = 0; And, completely irrelevant to your issue: - sshpty.c has code inside an #ifdef _CRAY block that uses "/dev/tty", not _PATH_TTY -- Carson From markus at openbsd.org Mon Jul 29 05:14:10 2002 
From: markus at openbsd.org (Markus Friedl) Date: Sun, 28 Jul 2002 21:14:10 +0200 Subject: feature request In-Reply-To: <200207272222.22404.michalsc@email.uc.edu> References: <200207272222.22404.michalsc@email.uc.edu> Message-ID: <20020728191410.GA3313@folly> On Sat, Jul 27, 2002 at 10:22:17PM -0400, Steven Michalske wrote: > such as a file ~/.ssh/keylist i don't think this will happen as you can do ssh-add `cat ~/.ssh/keylist` From bugzilla-daemon at mindrot.org Mon Jul 29 08:53:30 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Mon, 29 Jul 2002 08:53:30 +1000 (EST) Subject: [Bug 291] /tmp/ssh-xxxx socket directories clutter up /tmp Message-ID: <20020728225330.7860CE8EA@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=291 ------- Additional Comments From mouring at eviladmin.org 2002-07-29 08:53 ------- Because you end up with worthless options and feature creep. There are too many options as it is right now. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From tim at mcgarry.ch Mon Jul 29 15:22:21 2002 From: tim at mcgarry.ch (Tim McGarry) Date: Mon, 29 Jul 2002 07:22:21 +0200 Subject: feature request References: <200207272222.22404.michalsc@email.uc.edu> <20020728191410.GA3313@folly> Message-ID: <000901c236bf$eaedc660$c902a8c0@cablecom.ch> It's really not needed, what might make it easier though, would be if ssh-add could look for the private key if it was given the location of the public key, then statements like ssh-add .ssh/id*pub could easily be used to add all keys Cheers Tim McGarry ----- Original Message ----- 
From: "Markus Friedl"
To: "Steven Michalske"
Cc:
Sent: Sunday, July 28, 2002 9:14 PM
Subject: Re: feature request

> On Sat, Jul 27, 2002 at 10:22:17PM -0400, Steven Michalske wrote:
> > such as a file ~/.ssh/keylist
>
> i don't think this will happen as you can do
> 	ssh-add `cat ~/.ssh/keylist`
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 29 Jul 2002 18:21:34 +1000 (EST)
Subject: [Bug 291] /tmp/ssh-xxxx socket directories clutter up /tmp
Message-ID: <20020729082134.030A6E94A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=291

------- Additional Comments From simons+mindrot at cryp.to 2002-07-29 18:21 -------

Changing the name of the /tmp/ssh-xxxx directory to /tmp/.ssh-xxx won't
require any options to be added but it would still solve my problem ...
somewhat. Would you please consider doing that then?

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 29 Jul 2002 18:32:09 +1000 (EST)
Subject: [Bug 291] /tmp/ssh-xxxx socket directories clutter up /tmp
Message-ID: <20020729083209.02815E94A@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=291

------- Additional Comments From markus at openbsd.org 2002-07-29 18:32 -------

why is it a problem if they are visible? they should be.

apart from this, changing the name might break existing scripts.
From: abartlet at samba.org (Andrew Bartlett)
Date: Mon, 29 Jul 2002 18:39:51 +1000
Subject: [PATCH] prevent users from changing their environment
References: <20020725191629.A8677@chiark.greenend.org.uk> <20020726144605.GB18695@folly>
Message-ID: <3D44FF57.C6A4BDB3@bartlett.house>

Markus Friedl wrote:
>
> hm, sshd already suffers from far too many options.

And too many features like ssh/environment in the first place.

My worry is that people do need restricted shell setups, and most (myself
included, it seems) stuff it up. Basically, OpenSSH makes it impossible to
construct a restricted shell as a standalone component. It would be really
good if doing this 'right' was easier - the current situation just means
that people *think* they have done something that they haven't actually
done.

The same applies to the (related) SFTP question.

> is making $HOME/.ssh unwriteable not an option?

For my server, this is certainly not something I can change.

How is this for an idea: There was a similar issue I raised a year ago -
.ssh/rc was being executed by SSH directly - now it uses the user's shell
to exec /bin/sh to run the file. Could we do the same here? Is there some
way we can pass the environment variables to the user's shell so it can set
them? I was thinking that you could '$SHELL -c "cat .ssh/environment"' or
similar (which would fail on a restricted shell) to ensure that the
restricted shell is honoured. (But there must be a better way...)

Andrew Bartlett

--
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 29 Jul 2002 10:55:58 +0200
Subject: [PATCH] prevent users from changing their environment
In-Reply-To: <3D44FF57.C6A4BDB3@bartlett.house>
References: <20020725191629.A8677@chiark.greenend.org.uk> <20020726144605.GB18695@folly> <3D44FF57.C6A4BDB3@bartlett.house>
Message-ID: <20020729085557.GA2029@faui02>

On Mon, Jul 29, 2002 at 06:39:51PM +1000, Andrew Bartlett wrote:
> Markus Friedl wrote:
> >
> > hm, sshd already suffers from far too many options.
>
> And too many features like ssh/environment in the first place.

sure, but it's in there since 1995. i'd really like to drop it for good.

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Mon, 29 Jul 2002 19:04:46 +1000 (EST)
Subject: [Bug 291] /tmp/ssh-xxxx socket directories clutter up /tmp
Message-ID: <20020729090446.3DFD7E906@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=291

------- Additional Comments From simons+mindrot at cryp.to 2002-07-29 19:04 -------

Well, it is a problem because on a multi-user system there are _hundreds_ of
them. And it's not only hundreds of ssh-agent sockets, it's hundreds of Emacs
server sockets, ORBit sockets, X11 sockets and so on and so forth. Once the
system has been up and running for a few weeks, you cannot possibly read the
output from a "ls /tmp" without getting a 23" screen first ...
From: dot at dotat.at (Tony Finch)
Date: Mon, 29 Jul 2002 11:20:49 +0100
Subject: [PATCH] prevent users from changing their environment
In-Reply-To: <20020729085557.GA2029@faui02>; from markus@openbsd.org on Mon, Jul 29, 2002 at 10:55:58AM +0200
References: <20020725191629.A8677@chiark.greenend.org.uk> <20020726144605.GB18695@folly> <3D44FF57.C6A4BDB3@bartlett.house> <20020729085557.GA2029@faui02>
Message-ID: <20020729112049.A27632@chiark.greenend.org.uk>

On Mon, Jul 29, 2002 at 10:55:58AM +0200, Markus Friedl wrote:
>
> sure, but it's in there since 1995. i'd really like
> to drop [~/.ssh/environment] for good.

Here's a suggestion for a way to achieve that: incorporate my patch :-)
with the default set to off and a note in the docco that the feature is
deprecated, then when people have had a few releases to migrate you can
remove it altogether.

Tony.
--
f.a.n.finch  http://dotat.at/
DOVER WIGHT PORTLAND: VARIABLE 3, BECOMING CYCLONIC IN DOVER. THUNDERY
SHOWERS. MODERATE WITH FOG PATCHES.

From: leigh at solinno.co.uk (Leigh Brown)
Date: Mon, 29 Jul 2002 12:33:08 +0100 (BST)
Subject: CVS Snapshots
Message-ID: <64438.193.133.92.239.1027942388.squirrel@lbbrown.homeip.net>

Hi,

There don't seem to be any CVS snapshots being produced at the moment
(since 22/7). My environment is severely restricted here and snapshots
are the easiest way for me to keep up with the CVS tree. Is this a
temporary problem or are they gone for good?

Cheers,

Leigh.

From: wpilorz at bdk.pl (Wojtek Pilorz)
Date: Mon, 29 Jul 2002 14:31:55 +0200 (CEST)
Subject: Patch to OpenSSH-3.4p1/monitor_mm.c for Linux 2.0
In-Reply-To: <200207271904.PAA17315@conman.org>
Message-ID:

On Sat, 27 Jul 2002, Sean Conner wrote:

> Date: Sat, 27 Jul 2002 15:04:46 -0400 (EDT)
> From: Sean Conner
> To: openssh-unix-dev at mindrot.org
> Subject: Patch to OpenSSH-3.4p1/monitor_mm.c for Linux 2.0
>
>
> I had to modify the file monitor_mm.c to get the privilege separation to
> work for Linux 2.0.36 (and above) and am passing on the patch to you; if
> there is a better place to send this, please let me know. I've included a
> new #define (USE_MMAP_DEV_ZERO) to select this patch, but am not including
> the patch to config.h---if there's a better name for it, please, by all
> means, change it.
>
> Thanks for your time and consideration.
>
> Sean

You do not ever close fh; is that intentional?

Best regards,

Wojtek

>
> --- openssh-3.4p1/monitor_mm.c	Tue Jun 25 20:29:03 2002
> +++ openssh-3.4p1.new/monitor_mm.c	Fri Jul 26 03:00:35 2002
> @@ -85,10 +85,24 @@
>  	mm->mmalloc = mmalloc;
>  
>  #ifdef HAVE_MMAP_ANON_SHARED
> +# ifdef USE_MMAP_DEV_ZERO
> +	{
> +	  int fh;
> +
> +	  fh = open("/dev/zero",O_RDWR);
> +	  if (fh == -1)
> +	    fatal("mmap(`/dev/zero'): %s",strerror(errno));
> +
> +	  address = mmap(NULL,size,PROT_WRITE|PROT_READ,MAP_PRIVATE,fh,0);
> +	  if (address == MAP_FAILED)
> +	    fatal("mmap(%lu,%d): %s",(u_long)size,fh,strerror(errno));
> +	}
> +# else
>  	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
>  	    -1, 0);
>  	if (address == MAP_FAILED)
>  		fatal("mmap(%lu): %s", (u_long)size, strerror(errno));
> +# endif
>  #else
>  	fatal("%s: UsePrivilegeSeparation=yes and Compression=yes not supported",
>  	    __func__);
>
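Review bot: `fh` is still open when the `/dev/zero` branch of the quoted monitor_mm.c hunk finishes (Wojtek's question above): the mapping stays valid after the descriptor is closed, so `close(fh);` belongs right after the `MAP_FAILED` check instead of leaking a descriptor into the monitor. Two more points in the same hunk: the new `mmap()` call uses `MAP_PRIVATE` where the branch it replaces uses `MAP_ANON|MAP_SHARED`, and a private mapping is copy-on-write across `fork()`, so writes made by the monitor or its child into this region would no longer be visible to the other side; if Linux 2.0 cannot map `/dev/zero` with `MAP_SHARED`, that limitation should be stated in a comment rather than changed silently. Finally, `# ifdef USE_MMAP_DEV_ZERO` is nested inside `#ifdef HAVE_MMAP_ANON_SHARED`, so a build that lacks anonymous shared mappings, which is the case this fallback is for, has to define both symbols to reach it; making the two tests independent (or putting the `/dev/zero` path under the `#else`) would read more naturally.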
From: Roumen.Petrov at skalasoft.com (Roumen.Petrov at skalasoft.com)
Date: Mon, 29 Jul 2002 15:27:20 +0300
Subject: [Patch] Improve portability of regression tests - version 2
References: <3D3D44D3.4070508@skalasoft.com> <20020723145600.GA23631@folly> <3D3FFB78.1050108@skalasoft.com> <20020726144159.GA18695@folly>
Message-ID: <3D4534A8.7010408@skalasoft.com>

Markus Friedl wrote:

>On Thu, Jul 25, 2002 at 04:22:00PM +0300, Roumen.Petrov at skalasoft.com wrote:
>
>
>>- test "sshd_config" contains line: "Subsystem sftp $SFTPSERVER" -
>>
>>
>
>ok, but what test is using this?
>

currently sftp.sh calls sftp with -P option => we can skip "Subsystem
sftp ..." in sshd_config
but with Subsystem option test environment is more clean and points to
build executable, not to installed.

From: markus at openbsd.org (Markus Friedl)
Date: Mon, 29 Jul 2002 14:50:01 +0200
Subject: [Patch] Improve portability of regression tests - version 2
In-Reply-To: <3D4534A8.7010408@skalasoft.com>
References: <3D3D44D3.4070508@skalasoft.com> <20020723145600.GA23631@folly> <3D3FFB78.1050108@skalasoft.com> <20020726144159.GA18695@folly> <3D4534A8.7010408@skalasoft.com>
Message-ID: <20020729125001.GA17085@faui02>

On Mon, Jul 29, 2002 at 03:27:20PM +0300, Roumen.Petrov at skalasoft.com wrote:
> currently sftp.sh calls sftp with -P option => we can skip "Subsystem
> sftp ..." in sshd_config
> but with Subsystem option test environment is more clean and points to
> build executable, not to installed.

yes, it's cleaner. and FYI: no Subsystem entry means
no subsystem is defined.
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 29 Jul 2002 07:43:15 -0500 (CDT)
Subject: CVS Snapshots
In-Reply-To: <64438.193.133.92.239.1027942388.squirrel@lbbrown.homeip.net>
Message-ID:

Check back in 24hrs. Damien was having some server problems so none of the
CVS trees or snapshots were updated until midday yesterday (or that is when
I noticed I was no longer getting "connection failure").

- Ben

On Mon, 29 Jul 2002, Leigh Brown wrote:

> Hi,
>
> There don't seem to be any CVS snapshots being produced at the moment
> (since 22/7). My environment is severely restricted here and snapshots
> are the easiest way for me to keep up with the CVS tree. Is this a
> temporary problem or are they gone for good?
>
> Cheers,
>
> Leigh.
>

From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 29 Jul 2002 07:43:56 -0500 (CDT)
Subject: Patch to OpenSSH-3.4p1/monitor_mm.c for Linux 2.0
In-Reply-To:
Message-ID:

Please look at the --current tree before suggesting fixes. This has been
in for a few weeks now.

- Ben

On Mon, 29 Jul 2002, Wojtek Pilorz wrote:

> On Sat, 27 Jul 2002, Sean Conner wrote:
>
> > Date: Sat, 27 Jul 2002 15:04:46 -0400 (EDT)
> > From: Sean Conner
> > To: openssh-unix-dev at mindrot.org
> > Subject: Patch to OpenSSH-3.4p1/monitor_mm.c for Linux 2.0
> >
> >
> > I had to modify the file monitor_mm.c to get the privilege separation to
> > work for Linux 2.0.36 (and above) and am passing on the patch to you; if
> > there is a better place to send this, please let me know. I've included a
> > new #define (USE_MMAP_DEV_ZERO) to select this patch, but am not including
> > the patch to config.h---if there's a better name for it, please, by all
> > means, change it.
> >
> > Thanks for your time and consideration.
> >
> > Sean
>
> You do not ever close fh; is that intentional?
>
> Best regards,
>
> Wojtek
>
> >
> > --- openssh-3.4p1/monitor_mm.c	Tue Jun 25 20:29:03 2002
> > +++ openssh-3.4p1.new/monitor_mm.c	Fri Jul 26 03:00:35 2002
> > @@ -85,10 +85,24 @@
> >  	mm->mmalloc = mmalloc;
> >  
> >  #ifdef HAVE_MMAP_ANON_SHARED
> > +# ifdef USE_MMAP_DEV_ZERO
> > +	{
> > +	  int fh;
> > +
> > +	  fh = open("/dev/zero",O_RDWR);
> > +	  if (fh == -1)
> > +	    fatal("mmap(`/dev/zero'): %s",strerror(errno));
> > +
> > +	  address = mmap(NULL,size,PROT_WRITE|PROT_READ,MAP_PRIVATE,fh,0);
> > +	  if (address == MAP_FAILED)
> > +	    fatal("mmap(%lu,%d): %s",(u_long)size,fh,strerror(errno));
> > +	}
> > +# else
> >  	address = mmap(NULL, size, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED,
> >  	    -1, 0);
> >  	if (address == MAP_FAILED)
> >  		fatal("mmap(%lu): %s", (u_long)size, strerror(errno));
> > +# endif
> >  #else
> >  	fatal("%s: UsePrivilegeSeparation=yes and Compression=yes not supported",
> >  	    __func__);
> >
>
From: sbade at austin.ibm.com (Steven Bade)
Date: Mon, 29 Jul 2002 08:22:39 -0500
Subject: AIX issues
References: <1027711883.22720.84.camel@dcs1185>
Message-ID: <3D45419F.3020205@austin.ibm.com>

Mark....

At least on 5.1, openSSH is supported by IBM via its AIX support channels.
You might want to also take these up via a PMR or 2...

Mark Grennan wrote:

> Hello everyone,
>
> I have been given the task of working out a number of issues with
> OpenSSH for my company (Hertz).
>
> I have been following the mailing list for several days now and I'm
> beginning to compile a list of who is working on what. To make my task
> faster, it would be nice if the people working on the following issues
> would drop me an email before I start to rewrite their code and get it
> wrong. :-)
>
> I am dealing with AIX 4.3.3, AIX 5.x, and OpenSSH 2.5.1p1 and 2.9.9p2.
> I'm sure some of these issues have been fixed.
>
> The issues are:
>
> 1. Allows login even though the password has expired either from age
>    or after being reset by a security analyst.
>
> 2. Doesn't update AIX's "failed login count", consequently the ID is
>    not locked after 5 invalid login attempts.
>
> 3. Doesn't record the failed login in AIX's failedlogin log.
>
> 4. Doesn't post logged in users to the wtmp file causing it to
>    appear as if no one is logged in.
>
> 5. Corrupts the file that stores the last login date for users
>    making it impossible to lock or remove accounts for inactivity.
>
> 6. Doesn't honor the /etc/ftpusers to restrict sftp access. Any
>    users can use ftp through SSH.
>
> 7. Syslog entries for SSH login don't differentiate between SSH,
>    SFTP, or other tunneled logins.
>
> 8. OpenSSH doesn't show user logouts in syslog like F-Secure does.
>
> My first step is to move both environments to 3.4p1 and retest.
>

--
Steven A.
Bade
UNIX Network Security
Cryptographic Strategy and Development Architecture
sbade at austin.ibm.com
T/L 678-4799   (512)-838-4799
--
To convert from Hogsheads to Cubic Feet - Multiply by 8.4219
"Two-way communication is necessary to proactively facilitate acceptance
and involvement and to get insights about the journey it takes to get
where we want"
this mess is so big and so bad and so tall, we cannot clean it up, there
is no way at all (Cat in the Hat)

From: msmall at arrow.lz.att.com (Morgan Small)
Date: Mon, 29 Jul 2002 09:52:25 -0400
Subject: Unix Performance slow executing ssh and scp
Message-ID:

We currently upgraded to the OpenSSH3.4 version using RSA, protocol 2.
Doing some minor testing we noticed that the performance took about twice
as long to execute an ssh/scp command using this product versus another
product using RSA, protocol 1. Are there any specific configuration changes
in the config files or unix parameters to make the performance faster?

Thanks
Morgan Small
small at att.com
From: Roumen.Petrov at skalasoft.com (Roumen.Petrov at skalasoft.com)
Date: Mon, 29 Jul 2002 16:59:42 +0300
Subject: [Patch] Improve portability of regression tests - version 2
References: <3D3D44D3.4070508@skalasoft.com> <20020723145600.GA23631@folly> <3D3FFB78.1050108@skalasoft.com> <20020726144159.GA18695@folly> <3D4534A8.7010408@skalasoft.com> <20020729125001.GA17085@faui02>
Message-ID: <3D454A4E.6060109@skalasoft.com>

Markus Friedl wrote:

>On Mon, Jul 29, 2002 at 03:27:20PM +0300, Roumen.Petrov at skalasoft.com wrote:
>
>
>>currently sftp.sh calls sftp with -P option => we can skip "Subsystem
>>sftp ..." in sshd_config
>>but with Subsystem option test environment is more clean and points to
>>build executable, not to installed.
>>
>>
>
>yes, it's cleaner. and FYI: no Subsystem entry means
>no subsystem is defined.
>
>

O.K.: patch on
http://satva.skalasoft.com/~rumen/openssh/temp/regress-openbsd.diff.gz
is without Subsystem in sshd_config.
From: florin at sgi.com (Florin Andrei)
Date: 29 Jul 2002 10:27:48 -0700
Subject: Valgrind
Message-ID: <1027963668.1691.5.camel@stantz.corp.sgi.com>

http://developer.kde.org/~sewardj/

Valgrind is a GPL'd tool to help you find memory-management problems in
your programs. When a program is run under Valgrind's supervision, all
reads and writes of memory are checked, and calls to
malloc/new/free/delete are intercepted. As a result, Valgrind can detect
problems such as:

  * Use of uninitialised memory
  * Reading/writing memory after it has been free'd
  * Reading/writing off the end of malloc'd blocks
  * Reading/writing inappropriate areas on the stack
  * Memory leaks -- where pointers to malloc'd blocks are lost forever
  * Passing of uninitialised and/or unaddressable memory to system calls
  * Mismatched use of malloc/new/new [] vs free/delete/delete []
  * Some misuses of the POSIX pthreads API

--
Florin Andrei

"Some times are fuzzier than others." - Dan Farmer & Wietse Venema
From: markus at openbsd.org (Markus Friedl)
Date: Mon, 29 Jul 2002 20:47:37 +0200
Subject: Valgrind
In-Reply-To: <1027963668.1691.5.camel@stantz.corp.sgi.com>
References: <1027963668.1691.5.camel@stantz.corp.sgi.com>
Message-ID: <20020729184737.GC7199@faui02>

where is your valgrind report for openssh?

On Mon, Jul 29, 2002 at 10:27:48AM -0700, Florin Andrei wrote:
> http://developer.kde.org/~sewardj/
>
> Valgrind is a GPL'd tool to help you find memory-management problems in
> your programs. When a program is run under Valgrind's supervision, all
> reads and writes of memory are checked, and calls to
> malloc/new/free/delete are intercepted. As a result, Valgrind can detect
> problems such as:
>
>   * Use of uninitialised memory
>   * Reading/writing memory after it has been free'd
>   * Reading/writing off the end of malloc'd blocks
>   * Reading/writing inappropriate areas on the stack
>   * Memory leaks -- where pointers to malloc'd blocks are lost forever
>   * Passing of uninitialised and/or unaddressable memory to system
>     calls
>   * Mismatched use of malloc/new/new [] vs free/delete/delete []
>   * Some misuses of the POSIX pthreads API
>
> --
> Florin Andrei
>
> "Some times are fuzzier than others." - Dan Farmer & Wietse Venema
>
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 29 Jul 2002 17:05:01 -0500 (CDT)
Subject: AIX and ADMCHG
In-Reply-To: <20020725214204.GI16664@scott.crlsca.adelphia.net>
Message-ID:

On Thu, 25 Jul 2002, Kevin Steves wrote:

> On Tue, Jul 23, 2002 at 10:57:07PM -0500, Ben Lindstrom wrote:
> > > For AIX, does the server use getuserpw() to check the ADMCHG flag
> > > before deciding to send back a SSH_MSG_USERAUTH_PASSWD_CHANGEREQ or
> > > not? After the initial exchange, on AIX, it'll need to run a newpass() with
> > > perhaps a getuserattr() for a more complete explanation of the rules
> > > should the password be too weak, before sending the
> > > SSH_MSG_USERAUTH_PASSWD_CHANGEREQ again...until finally accepting the pass
> > > with a SSH_MSG_USERAUTH_SUCCESS.
> >
> > Right now *NOTHING* is checked. Not for bsd_auth, not for pam, not for
> > aix, or not for /etc/shadow. =)
>
> This is referring to password strength checking?
>

No password expiring. I don't think it is OpenSSH's job to whine at the
user for bad passwords. It should be PAM's, BSD_AUTH's, etc. job.

> > > Some of this may need to run in the PrivSep process. I'm assuming the
> > > PAM support code does something along the same lines...
> > >
> > > Sorry, just some random thoughts - haven't actually looked at the
> > > source. But ADMCHG was on my list of things to fix since we did the
> > > failedlogincount in #145 (btw, Darren, thanks for following up and
> > > integrating it into the source ;), but never got around to it.
>
> > > If we're missing this for AIX, I think we should welcome Kevin's patch
> > > ;)
> >
> > I can also start looking at this once I get comfortable with the AIX box
> > that has been loaned to me.
> >
> > However, I don't believe Kevin's patch uses ssh2 password change protocol
> > (not sure I have not seen in a few months). Whatever we do should use
> > that feature of the protocol since it allows us better security.
>
> I'm not sure if this refers to me, but which patch is this?
>

You had a patch (or I swore it was you =) that either allowed v1 or v2
password change for shadowed password files. Or at least a start of a
patch.

> > Which brings up a question on should we support password change for v1?
> > I'm inclined to say no. At least handle v2 protocol first.
>
> We should support Protocol 1 for password change. PAM users should
> look at current auth-pam.c which has solar's efforts in this area.
> I think we can re-enable password change for PAM now, but there are
> some other things I need to check.
>

Still we need to look at Protocol 2. And I'm totally and utterly confused
as to where password change code should even go.

- Ben
From: mouring at etoh.eviladmin.org (Ben Lindstrom)
Date: Mon, 29 Jul 2002 17:06:53 -0500 (CDT)
Subject: [Patch] Improve diags for "OpenSSL headers match library" configure test
In-Reply-To: <3D4231E7.91B20C24@zip.com.au>
Message-ID:

Suggestion. Can we separate the tests?

OpenSSL header version you have is...
OpenSSL library version you have is..

Error: Header and Library conflict, please check for multiple versions
installed.

Or something like that.

- Ben

On Sat, 27 Jul 2002, Darren Tucker wrote:

> Tim Rice wrote:
> > I think I remember the autoconf docs recommending against using printf()
> > in tests. Look at the test in the --with-default-path section for
> > how you might do it differently.
>
> I did a quick search of the autoconf docs and the only thing I was able
> to find was
> http://www.gnu.org/manual/autoconf/html_node/Guidelines.html which says
> "Test programs should not write anything to the standard output." There
> doesn't seem to be a prohibition on stderr.
>
> Interestingly, it also says "Test programs should exit, not return, from
> main, because on some systems (old Suns, at least) the argument to
> return in main is ignored." There are 5 instances of return() instead of
> exit(), including this OpenSSL test.
>
> I also looked at the --with-default-path handling. It seems to be that
> way because the output needs to be used later by configure. Failing the
> OpenSSL check is fatal, and the object here is to capture some data for
> later diagnosis. Writing to stderr is logged, so I don't think the added
> complexity is needed.
>
> With all that in mind, what about this patch? It only writes to stderr
> and the output only appears in config.log.
>
> --
> Darren Tucker (dtucker at zip.com.au)
> GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 30 Jul 2002 08:57:38 +1000 (EST)
Subject: [Bug 320] Cannot build 3.4p1
Message-ID: <20020729225738.BE898E921@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=320

russel at russel.org.uk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From russel at russel.org.uk 2002-07-30 08:57 -------

I am embarrassed. I think this problem was almost entirely my fault and
nothing to do with the OpenSSH system -- there is an issue with the
configure system though.

At the time of initially trying to build OpenSSH 3.4p1 I was using gcc
2.9.5 -- I have subsequently upgraded to 3.1. However, it transpired that
2.8.1 was also installed on the machine I was building OpenSSH on. Whilst
gcc -v reported 2.9.5, this was due to some aliases and was not true of the
gcc used by the more restricted path used within the make system. Thus the
initial pass of ./configure found 2.9.5 and found all the necessary
declarations/definitions, the actual compilation used 2.8.1 which did not
and hence the problem.

So although the actual error message is due to use of an inappropriate
gcc, now removed, there is an issue here that the initial configuration
used a compiler that was not used during the actual compilation, i.e.
there was a phase error that was not in control of the user, i.e. me.

I was upgrading a large number of packages at the time I reported this
problem and basically forgot to retract the bug when I rationalized my
compilers (by installing 3.1 and removing everything else).

Apologies for this, please forgive me.
From: jan.iven at cern.ch (Jan IVEN)
Date: 30 Jul 2002 09:36:36 +0200
Subject: patch: disable credential forwarding after password auth.
Message-ID:

Dear list,

since the order of authentication and AFS token/KRB TGT forwarding changed
(around 3.0), we have had problems with users accidentally overwriting
their credentials from a "password" login with forwarded credentials. E.g.
user A logs in as user B, but stays with the AFS permissions of user A. A
workaround is to use "-k" on these sessions, but "it worked without
before...".

The appended patch rejects credential forwarding after a successful
password authentication. While there may be uses for such a credential
forwarding after password auth (remote cell credentials), in my experience
practically nobody uses them (at least not here).

Now, if somebody has ideas how to interoperate with older clients (which
try to do the credential forwarding before authentication), I'd be most
grateful.

Best regards
Jan

--- openssh-3.4p1.orig/auth-passwd.c	Fri Jun 21 08:05:13 2002
+++ openssh-3.4p1/auth-passwd.c	Mon Jul 29 16:39:48 2002
@@ -89,14 +89,19 @@
 int
 auth_password(Authctxt *authctxt, const char *password)
 {
+	int retval = 0;
 #if defined(USE_PAM)
-	if (*password == '\0' && options.permit_empty_passwd == 0)
-		return 0;
-	return auth_pam_password(authctxt, password);
+	if (*password == '\0' && options.permit_empty_passwd == 0) {
+		retval=0 ; goto out;
+	}
+	retval=auth_pam_password(authctxt, password);
+	goto out;
 #elif defined(HAVE_OSF_SIA)
-	if (*password == '\0' && options.permit_empty_passwd == 0)
-		return 0;
-	return auth_sia_password(authctxt, password);
+	if (*password == '\0' && options.permit_empty_passwd == 0) {
+		retval=0 ; goto out;
+	}
+	retval=auth_sia_password(authctxt, password);
+	goto out;
 #else
 	struct passwd * pw = authctxt->pw;
 	char *encrypted_password;
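Review bot: turning every `return` in `auth_password()` into `retval=… ; goto out;` has to touch each platform-specific branch (PAM, SIA, KRB5, Cygwin, AIX, KRB4, BSD_AUTH), and any return that is missed here or added later keeps forwarding enabled with no warning; a smaller and safer shape is to rename the existing function (say `auth_password_internal()`), leave its returns untouched, and add a thin `auth_password()` wrapper that calls it and, on success, clears `options.afs_token_passing` and `options.kerberos_tgt_passing`. If the goto form stays, the new lines should follow the file's spacing, i.e. `retval = 0;` and `goto out;` as two statements rather than `retval=0 ; goto out;` on one line.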
@@ -118,19 +123,23 @@
 #endif
 
 	/* deny if no user. */
-	if (pw == NULL)
-		return 0;
+	if (pw == NULL) {
+		retval=0 ; goto out;
+	}
 #ifndef HAVE_CYGWIN
-	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
-		return 0;
+	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) {
+		retval=0 ; goto out;
+	}
 #endif
-	if (*password == '\0' && options.permit_empty_passwd == 0)
-		return 0;
+	if (*password == '\0' && options.permit_empty_passwd == 0) {
+		retval=0 ; goto out;
+	}
 #ifdef KRB5
 	if (options.kerberos_authentication == 1) {
 		int ret = auth_krb5_password(authctxt, password);
-		if (ret == 1 || ret == 0)
-			return ret;
+		if (ret == 1 || ret == 0) {
+			retval=ret ; goto out;
+		}
 		/* Fall back to ordinary passwd authentication. */
 	}
 #endif
@@ -138,29 +147,34 @@
 	if (is_winnt) {
 		HANDLE hToken = cygwin_logon_user(pw, password);
 
-		if (hToken == INVALID_HANDLE_VALUE)
-			return 0;
+		if (hToken == INVALID_HANDLE_VALUE) {
+			retval=0 ; goto out;
+		}
 		cygwin_set_impersonation_token(hToken);
-		return 1;
+		retval=1;
+		goto out;
 	}
 #endif
 #ifdef WITH_AIXAUTHENTICATE
-	return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
+	retval=(authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
+	goto out;
 #endif
 #ifdef KRB4
 	if (options.kerberos_authentication == 1) {
 		int ret = auth_krb4_password(authctxt, password);
-		if (ret == 1 || ret == 0)
-			return ret;
+		if (ret == 1 || ret == 0) {
+			retval=ret ; goto out;
+		}
 		/* Fall back to ordinary passwd authentication. */
 	}
 #endif
 #ifdef BSD_AUTH
 	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
-	    (char *)password) == 0)
-		return 0;
-	else
-		return 1;
+	    (char *)password) == 0) {
+		retval=0 ; goto out;
+	} else {
+		retval=1 ; goto out;
+	}
 #endif
 	pw_password = pw->pw_passwd;
@@ -189,8 +203,9 @@
 #endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */
 
 	/* Check for users with no password. */
-	if ((password[0] == '\0') && (pw_password[0] == '\0'))
-		return 1;
+	if ((password[0] == '\0') && (pw_password[0] == '\0')) {
+		retval=1 ; goto out;
+	}
 
 	if (pw_password[0] != '\0')
 		salt = pw_password;
@@ -218,6 +233,17 @@
 #endif /* HAVE_MD5_PASSWORDS */
 
 	/* Authentication is accepted if the encrypted passwords are identical. */
-	return (strcmp(encrypted_password, pw_password) == 0);
+	retval=(strcmp(encrypted_password, pw_password) == 0);
+	goto out;
 #endif /* !USE_PAM && !HAVE_OSF_SIA */
+
+
+ out:
+
+	if (retval) {
+		debug("Disabling KRB4 TGT and AFS token forwarding after successful password auth");
+		options.afs_token_passing = 0;
+		options.kerberos_tgt_passing = 0;
+	}
+	return retval;
 }

From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org)
Date: Tue, 30 Jul 2002 18:49:36 +1000 (EST)
Subject: [Bug 372] [RFE] [authkrb5] : KRB5CCNAME set to pointer
Message-ID: <20020730084936.5305BE99E@shitei.mindrot.org>

http://bugzilla.mindrot.org/show_bug.cgi?id=372

basalt at easynet.fr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |enhancement
            Summary|[authkrb5] : KRB5CCNAME set |[RFE] [authkrb5] :
                   |to pointer                  |KRB5CCNAME set to pointer

------- Additional Comments From basalt at easynet.fr 2002-07-30 18:49 -------

think this is not a bug but just a functionality partially implemented
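Review bot: in the final `out:` hunk of Jan Iven's auth-passwd.c patch above (the bugzilla notice in between is unrelated), the `debug()` message is emitted on every successful password authentication, including builds and configurations where `options.afs_token_passing` and `options.kerberos_tgt_passing` were never enabled, so the log claims a change that did not happen; guard the block with `if (retval && (options.afs_token_passing || options.kerberos_tgt_passing))`. The patch description should also say that these two options are mutated for the rest of the connection, since nothing in the hunk restores them, and the label should follow the file's layout (`out:` in column 0, without the stray blank lines around it).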
From: basalt at easynet.fr (basalt at easynet.fr) Date: Tue, 30 Jul 2002 10:54:44 +0200 (CEST) Subject: openssh+krb5 tickets Message-ID: <1028019284.3d46545473e80@hermes1.mail.easynet.fr> Is ticket part of krb5 auth included in openssh or is auth-krb5.c just to "validate" password against kdc? From msmall at arrow.lz.att.com Tue Jul 30 22:21:19 2002 From: msmall at arrow.lz.att.com (Morgan Small) Date: Tue, 30 Jul 2002 08:21:19 -0400 Subject: Unix Performance slow executing ssh and scp Message-ID: We currently upgraded to the OpenSSH3.4 version using RSA, protocol 2. Doing some minor testing we noticed that the performance took about twice as long to execute an ssh/scp command using this product versus another product using RSA, protocol 1. Are there any specific configuration changes in the config files or unix parameters to make the performance faster? Thanks Morgan Small small at att.com From b.courtin at t-online.net Wed Jul 31 00:24:10 2002
From: b.courtin at t-online.net (Courtin Bert) Date: Tue, 30 Jul 2002 16:24:10 +0200 Subject: OpenSSL Security Advisory [30 July 2002] Message-ID: <60F1F87A64834D45A1EBAE9618305FB80120BE88@qeo00200> Hi, FYI - don't sue me for posting this here - I know, everyone who needs this info *should* have it already, but maybe not ;-) Kind regards, B. Courtin -- OpenSSL Security Advisory [30 July 2002] This advisory consists of two independent advisories, merged, and is an official OpenSSL advisory. Advisory 1 ========== A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) are conducting a security review of OpenSSL, under the DARPA program CHATS. Vulnerabilities --------------- All four of these are potentially remotely exploitable. 1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulnerability is exploitable. Exploit code is NOT available at this time. 2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer. 3. The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issue only affects OpenSSL 0.9.7 before 0.9.7-beta3 with Kerberos enabled. 4. Various buffers for ASCII representations of integers were too small on 64 bit platforms. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0657 to issue 3, and CAN-2002-0655 to issue 4. In addition various potential buffer overflows not known to be exploitable have had assertions added to defend against them. Who is affected? ---------------- Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or current development snapshots of 0.9.7 to provide SSL or TLS is vulnerable, whether client or server. 0.9.6d servers on 32-bit systems with SSL 2.0 disabled are not vulnerable.
SSLeay is probably also affected. Recommendations --------------- Apply the attached patch to OpenSSL 0.9.6d, or upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL to provide SSL or TLS. A patch for 0.9.7 is available from the OpenSSL website (http://www.openssl.org/). Servers can disable SSL2, alternatively disable all applications using SSL or TLS until the patches are applied. Users of 0.9.7 pre-release versions with Kerberos enabled will also have to disable Kerberos. Clients should be disabled altogether until the patches are applied. Known Exploits -------------- There are no known exploits available for these vulnerabilities. As noted above, Neohapsis have demonstrated internally that an exploit is possible, but have not released the exploit code. References ---------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657 Acknowledgements ---------------- The project leading to this advisory is sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537. The patch and advisory were prepared by Ben Laurie. Advisory 2 ========== Vulnerabilities --------------- The ASN1 parser can be confused by supplying it with certain invalid encodings. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0659 to this issue. Who is affected? ---------------- Any OpenSSL program which uses the ASN1 library to parse untrusted data. This includes all SSL or TLS applications, those using S/MIME (PKCS#7) or certificate generation routines. Recommendations --------------- Apply the patch to OpenSSL, or upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL. Users of 0.9.7 pre-release versions should apply the patch or upgrade to 0.9.7-beta3 or later.
Recompile all applications using OpenSSL. Exploits -------- There are no known exploits for this vulnerability. References ---------- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659 Acknowledgements ---------------- This vulnerability was discovered by Adi Stav and James Yonan independently. The patch is partly based on a version by Adi Stav. The patch and advisory were prepared by Dr. Stephen Henson. Combined patches for OpenSSL 0.9.6d: http://www.openssl.org/news/patch_20020730_0_9_6d.txt Combined patches for OpenSSL 0.9.7 beta 2: http://www.openssl.org/news/patch_20020730_0_9_7.txt URL for this Security Advisory: http://www.openssl.org/news/secadv_20020730.txt From bugzilla-daemon at mindrot.org Wed Jul 31 02:25:55 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 31 Jul 2002 02:25:55 +1000 (EST) Subject: [Bug 373] New: Error in the make install Message-ID: <20020730162555.843D9E9A5@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=373 Summary: Error in the make install Product: Portable OpenSSH Version: -current Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: shaila at engr.colostate.edu Hi I am trying to build ssh on a Ultra 10 machine running Solaris 8. I downloaded the patch for the /drv/random and openssl. I installed both of them and did not face any problem. Then I downloaded openssh3.4p1. Configuration and make did not give me any problems. But make install gave me the following error message :- d sshd || \ echo "WARNING: Privilege separation user \"sshd\" does not exist" uid=60000(sshd) gid=60000(sshd) I added the sshd user to the /etc/passwd file as follows:- sshd:x:60000:60000:Openssh Privilege Separation user :/var/empty:/bin/false but I still get the same error. Can someone PLEASE help me or direct me to the location where I can find the solution. I really need to get the openssh installed soon since this is one of our servers. Thanks in advance ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jul 31 02:55:10 2002
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 31 Jul 2002 02:55:10 +1000 (EST) Subject: [Bug 373] Error in the make install Message-ID: <20020730165510.0619BE92A@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=373 markus at openbsd.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Additional Comments From markus at openbsd.org 2002-07-31 02:55 ------- this is neither new nor an error but it got fixed. thanks ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From rob at hagopian.net Wed Jul 31 05:02:13 2002 From: rob at hagopian.net (Rob Hagopian) Date: Tue, 30 Jul 2002 15:02:13 -0400 (EDT) Subject: [PATCH] prevent users from changing their environment In-Reply-To: <3D44FF57.C6A4BDB3@bartlett.house> Message-ID: On Mon, 29 Jul 2002, Andrew Bartlett wrote: > Markus Friedl wrote: > > > > hm, sshd already suffers from far to many options. > > And too many features like ssh/environment in the first place. Absolutely - if there's a feature like that surely there should be a config option to turn it off... -Rob From bugzilla-daemon at mindrot.org Wed Jul 31 05:09:15 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 31 Jul 2002 05:09:15 +1000 (EST) Subject: [Bug 335] OpenSSL headers do not match your library Message-ID: <20020730190915.9C916E9B2@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=335 kzembower at jhuccp.org changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dtucker at zip.com.au Status|REOPENED |RESOLVED Resolution| |FIXED ------- Additional Comments From kzembower at jhuccp.org 2002-07-31 05:09 ------- Darren, thank you so much for your help. With your guidance, I was able to get OpenSSH 3.4.1 installed on my three remaining hosts. For what it's worth, here's some of my notes. The patch at your page didn't want to work at first. Here's what I did to make it work: centernet:/tmp/openssh-3.4p1 # patch -i tucker.patch configure.ac patching file configure.ac Hunk #1 FAILED at 769. 1 out of 1 hunk FAILED -- saving rejects to file configure.ac.rej centernet:/tmp/openssh-3.4p1 # cat configure.ac.rej *************** *** 769,777 **** AC_MSG_CHECKING([whether OpenSSL's headers match the library]) AC_TRY_RUN( [ #include #include - int main(void) { return(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); } ], [ AC_MSG_RESULT(yes) --- 769,781 ---- AC_MSG_CHECKING([whether OpenSSL's headers match the library]) AC_TRY_RUN( [ + #include #include #include + int main(void) { + fprintf(stderr,"OpenSSL library %x headers %x\n", SSLeay(), OPENSSL_VERSION_NUMBER); + exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); + } ], [ AC_MSG_RESULT(yes) centernet:/tmp/openssh-3.4p1 # patch -i tucker.patch -F 3 configure.ac patching file configure.ac Hunk #1 succeeded at 774 with fuzz 3 (offset 5 lines). centernet:/tmp/openssh-3.4p1 # As you can see, I increased the 'fuzz factor' (-F) to three from the default of 2. 
On two of my three hosts that failed in the OpenSSH install, the findssl.sh script found differing libraries, but on the third, it didn't find any libraries at all. Regardless, all these systems were SuSE 7.1 or 7.2. I used 'rpm -e --nodeps openssl' to remove the previous version (I don't use any of the dependencies that it reported broken), then reinstalled OpenSSL (not the engine) 0.9.6d. After that, the installation of OpenSSH 3.4 went normally. Thank you again for your work on this problem -Kevin Zembower ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jul 31 05:23:17 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 31 Jul 2002 05:23:17 +1000 (EST) Subject: [Bug 374] New: uidswap.c doesn't compile on SCO 3.2v4.2 Message-ID: <20020730192317.17CE3E9B1@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=374 Summary: uidswap.c doesn't compile on SCO 3.2v4.2 Product: Portable OpenSSH Version: -current Platform: ix86 OS/Version: other Status: NEW Severity: normal Priority: P2 Component: Build system AssignedTo: openssh-unix-dev at mindrot.org ReportedBy: gert at greenie.muc.de patch needed: --- uidswap.c 23 Jul 2002 21:29:50 -0000 1.34 +++ uidswap.c 30 Jul 2002 19:21:20 -0000 @@ -114,8 +114,8 @@ if (!temporarily_use_uid_effective) fatal("restore_uid: temporarily_use_uid not effective"); - debug("restore_uid: %u/%u", (u_int)saved_euid, (u_int)saved_egid); #ifdef SAVED_IDS_WORK_WITH_SETEUID + debug("restore_uid: %u/%u", (u_int)saved_euid, (u_int)saved_egid); /* Set the effective uid back to the saved privileged uid. */ if (seteuid(saved_euid) < 0) fatal("seteuid %u: %.100s", (u_int)saved_euid, strerror(errno)); ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From keith.schincke1 at jsc.nasa.gov Wed Jul 31 05:31:18 2002
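Review bot: moving the `debug("restore_uid: %u/%u", ...)` call under `#ifdef SAVED_IDS_WORK_WITH_SETEUID` in the uidswap.c hunk is the right fix if `saved_euid`/`saved_egid` only exist in that configuration, but it also means the other branch of that `#ifdef` now logs nothing when privileges are restored; if that branch restores different saved ids, add an equivalent `debug()` there so `sshd -ddd` traces stay comparable across platforms, and say in the commit message which variables SCO 3.2v4.2 was missing.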
From: keith.schincke1 at jsc.nasa.gov (SCHINCKE, KEITH (JSC-SM) (LM)) Date: Tue, 30 Jul 2002 14:31:18 -0500 Subject: Alpha, configure and (brain dead) bash? Message-ID: <1408A865DCF403478A33EE887F874732042C9F36@jsc-mail03.jsc.nasa.gov> System: Alpha Tru64 5.1a, openssh 3.4p1 and bash 2.04. Problem: when configure comes to the test to find xauth, it is not able to find it in /usr/bin/X11. This path is listed as one to test while looking for xauth. It is of course found if I define the exact path with --with-xauth. Any one good with configure and bash to help me get this automatically found? Thanks in advance, Keith From bugzilla-daemon at mindrot.org Wed Jul 31 05:33:29 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 31 Jul 2002 05:33:29 +1000 (EST) Subject: [Bug 374] uidswap.c doesn't compile on SCO 3.2v4.2 Message-ID: <20020730193329.A171CE944@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=374 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |FIXED ------- Additional Comments From mouring at eviladmin.org 2002-07-31 05:33 ------- Yep, sorry. This should be fixed in the CVS Tree. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From ew-ssh at kegger.national-security.net Tue Jul 30 22:49:33 2002 From: ew-ssh at kegger.national-security.net (ew-ssh at kegger.national-security.net) Date: Tue, 30 Jul 2002 12:49:33 +0000 (UTC) Subject: OpenSSL <=0.9.6d vulnerability Message-ID: Are there any portions of OpenSSH which utilize vulnerable parts of OpenSSL? I need to know if recompiling against 0.9.6e is necessary. --Eric From bugzilla-daemon at mindrot.org Wed Jul 31 06:01:21 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 31 Jul 2002 06:01:21 +1000 (EST) Subject: [Bug 287] URL wrong in INSTALL file Message-ID: <20020730200121.3B9EEE9C1@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=287 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Additional Comments From mouring at eviladmin.org 2002-07-31 06:01 ------- Can't find reference in -cvs tree. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From tim at multitalents.net Wed Jul 31 06:16:09 2002 From: tim at multitalents.net (Tim Rice) Date: Tue, 30 Jul 2002 13:16:09 -0700 (PDT) Subject: Alpha, configure and (brain dead) bash? In-Reply-To: <1408A865DCF403478A33EE887F874732042C9F36@jsc-mail03.jsc.nasa.gov> Message-ID: On Tue, 30 Jul 2002, SCHINCKE, KEITH (JSC-SM) (LM) wrote: > System: Alpha Tru64 5.1a, openssh 3.4p1 and bash 2.04. > > Problem: when configure comes to the test to find xauth, it is not able to > find it in /usr/bin/X11. This path is listed as one to test while looking > for xauth. It is of course found if I define the exact path with > --with-xauth. > > Any one good with configure and bash to help me get this automatically > found? This should be fixed in CVS. Grab a current SNAP and retest. > > Thanks in advance, > > Keith > _______________________________________________ > openssh-unix-dev at mindrot.org mailing list > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev > -- Tim Rice Multitalents (707) 887-1469 tim at multitalents.net From bugzilla-daemon at mindrot.org Wed Jul 31 06:45:48 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 31 Jul 2002 06:45:48 +1000 (EST) Subject: [Bug 126] ssh-keyscan hangs or crashes accessing Sun ssh host Message-ID: <20020730204548.A380DE94D@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=126 mouring at eviladmin.org changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |INVALID ------- Additional Comments From mouring at eviladmin.org 2002-07-31 06:45 ------- 4 months with no one recreating it. Reopen if still a problem ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From keith.schincke1 at jsc.nasa.gov Wed Jul 31 07:26:38 2002 From: keith.schincke1 at jsc.nasa.gov (SCHINCKE, KEITH (JSC-SM) (LM)) Date: Tue, 30 Jul 2002 16:26:38 -0500 Subject: Alpha, configure and (brain dead) bash? Message-ID: <1408A865DCF403478A33EE887F874732042C9F42@jsc-mail03.jsc.nasa.gov> >> Any one good with configure and bash to help me get this automatically >> found? > This should be fixed in CVS. Grab a current SNAP and retest. Yep, the current cvs works. Any one know what tar program is used to make the snapshot? It was not recognized by the Digital version. Damn Alphas. :) Thanks for the help. From ew-ssh at kegger.national-security.net Wed Jul 31 00:51:21 2002 From: ew-ssh at kegger.national-security.net (ew-ssh at kegger.national-security.net) Date: Tue, 30 Jul 2002 14:51:21 +0000 (UTC) Subject: openssl+openssh Message-ID: On second thought...at which point in the code does openssh use openssl? Would this take place while the "little guy" is jailed off in some obscure non-root location? If that's the case, then do we have to worry about the ssl bug in privsep'd installations? To what extent do we even need to worry about the openssl problem? --Eric From bugzilla-daemon at mindrot.org Wed Jul 31 09:14:26 2002 
From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 31 Jul 2002 09:14:26 +1000 (EST) Subject: [Bug 342] RhostsRSAAuthentication does not work with 3.4p1 Message-ID: <20020730231426.95DAEE915@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=342 djast at cs.toronto.edu changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|INVALID | ------- Additional Comments From djast at cs.toronto.edu 2002-07-31 09:14 ------- When PrivilegeSeparation is enabled, RhostsRSAAuthentication seems to look up the connecting host in the known_hosts file by IP address rather than by name. The tests below were run as root on the client side, so setuid is not an issue. With UsePrivilegeSeparation=yes, sshd -d -d -d reports: [...] debug1: Attempting authentication for root. debug3: mm_auth_password entering debug3: mm_request_send entering: type 10 debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD debug3: mm_request_receive_expect entering: type 11 debug3: mm_request_receive entering debug2: monitor_read: 6 used once, disabling now debug3: mm_request_receive entering debug3: monitor_read: checking request 10 debug3: mm_answer_authpassword: sending result 0 debug3: mm_request_send entering: type 11 debug3: mm_auth_password: user not authenticated Failed none for root from 128.100.2.31 port 56036 debug3: mm_request_receive entering debug1: Trying rhosts with RSA host authentication for client user root debug3: Trying to reverse map address 128.100.2.31. 
debug1: Rhosts RSA authentication: canonical host 128.100.2.31 debug3: mm_key_allowed entering debug3: mm_request_send entering: type 20 debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED debug3: mm_request_receive_expect entering: type 21 debug3: mm_request_receive entering debug3: monitor_read: checking request 20 debug3: mm_answer_keyallowed entering debug3: mm_answer_keyallowed: key_from_blob: 1414a0 debug3: Trying to reverse map address 128.100.2.31. debug2: auth_rhosts2: clientuser root hostname jane.cs ipaddr 128.100.2.31 debug1: temporarily_use_uid: 0/1 (e=0/1) debug1: restore_uid: 0/1 debug1: temporarily_use_uid: 0/1 (e=0/1) debug1: restore_uid: 0/1 debug3: check_host_in_hostfile: filename /usr/slocal/etc/ssh_known_hosts debug1: temporarily_use_uid: 0/1 (e=0/1) debug3: check_host_in_hostfile: filename /.ssh/known_hosts debug1: restore_uid: 0/1 debug2: check_key_in_hostfiles: key not found for 128.100.2.31 debug3: mm_answer_keyallowed: key 1414a0 is disallowed debug3: mm_append_debug: Appending debug messages for child debug3: mm_request_send entering: type 21 debug3: mm_send_debug: Sending debug: Accepted by .rhosts. debug3: mm_send_debug: Sending debug: Accepted host jane.cs ip 128.100.2.31 client_user root server_user root debug1: Rhosts with RSA host authentication denied: unknown or invalid host key Failed rhosts-rsa for root from 128.100.2.31 port 56036 ruser root With UsePrivilegeSeparation=no: [...] debug1: Attempting authentication for root. debug1: Trying rhosts with RSA host authentication for client user root debug3: Trying to reverse map address 128.100.2.31. 
debug1: Rhosts RSA authentication: canonical host jane.cs debug2: auth_rhosts2: clientuser root hostname jane.cs ipaddr 128.100.2.31 debug1: temporarily_use_uid: 0/1 (e=0/1) debug1: restore_uid: 0/1 debug1: temporarily_use_uid: 0/1 (e=0/1) debug1: restore_uid: 0/1 debug3: check_host_in_hostfile: filename /usr/slocal/etc/ssh_known_hosts debug3: check_host_in_hostfile: match line 11 debug2: check_key_in_hostfiles: key ok for jane.cs Rhosts with RSA host authentication accepted for root, root on jane.cs. Accepted rhosts-rsa for root from 128.100.2.31 port 56048 ruser root The first case fails and the second succeeds, because the sshd_known_hosts file contains an entry for *.cs but not for 128.100.2.31. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From bugzilla-daemon at mindrot.org Wed Jul 31 17:13:42 2002 From: bugzilla-daemon at mindrot.org (bugzilla-daemon at mindrot.org) Date: Wed, 31 Jul 2002 17:13:42 +1000 (EST) Subject: [Bug 341] Return Code unpredictable Message-ID: <20020731071342.817C3E915@shitei.mindrot.org> http://bugzilla.mindrot.org/show_bug.cgi?id=341 norbert.weuster at mgi.de changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|FIXED | ------- Additional Comments From norbert.weuster at mgi.de 2002-07-31 17:13 ------- can reproduce situation again. problem still exists ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee. From gert at greenie.muc.de Wed Jul 31 17:44:36 2002 
From: gert at greenie.muc.de (Gert Doering) Date: Wed, 31 Jul 2002 09:44:36 +0200 Subject: openssl+openssh In-Reply-To: ; from ew-ssh@kegger.national-security.net on Tue, Jul 30, 2002 at 02:51:21PM +0000 References: Message-ID: <20020731094435.F19638@greenie.muc.de> Hi, On Tue, Jul 30, 2002 at 02:51:21PM +0000, ew-ssh at kegger.national-security.net wrote: > On second thought...at which point in the code does openssh use openssl? > Would this take place while the "little guy" is jailed off in some obscure > non-root location? If that's the case, then do we have to worry about the > ssl bug in privsep'd installations? To what extent do we even need to > worry about the openssl problem? PrivSep can prevent a remote break-in with file system access. What PrivSep can not prevent is a break-in with network access from the insecure host - which could then be abused for DDOS or SPAM relaying or other attacks based on things that this machine can do in the network that an "outside" machine can't do. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert.doering at physik.tu-muenchen.de From vinschen at redhat.com Wed Jul 31 19:59:09 2002 
From: vinschen at redhat.com (Corinna Vinschen) Date: Wed, 31 Jul 2002 11:59:09 +0200 Subject: [PATCH]: Match Cygwin version check to reality Message-ID: <20020731115909.G3921@cygbert.vinschen.de> Hi, the following patch rearranges some checks in bsd-cygwin-util.c to keep in sync with Cygwin versions. I moved the uname() check into its own function so that it's easier to add further checks when necessary. Corinna Index: openbsd-compat/bsd-cygwin_util.c =================================================================== RCS file: /cvs/openssh_cvs/openbsd-compat/bsd-cygwin_util.c,v retrieving revision 1.8 diff -u -p -r1.8 bsd-cygwin_util.c --- openbsd-compat/bsd-cygwin_util.c 15 Apr 2002 22:00:52 -0000 1.8 +++ openbsd-compat/bsd-cygwin_util.c 31 Jul 2002 09:47:29 -0000 @@ -43,6 +43,7 @@ RCSID("$Id: bsd-cygwin_util.c,v 1.8 2002 #define is_winnt (GetVersion() < 0x80000000) #define ntsec_on(c) ((c) && strstr((c),"ntsec") && !strstr((c),"nontsec")) +#define ntsec_off(c) ((c) && strstr((c),"nontsec")) #define ntea_on(c) ((c) && strstr((c),"ntea") && !strstr((c),"nontea")) #if defined(open) && open == binary_open
@@ -74,6 +75,56 @@ int binary_pipe(int fd[2]) return ret; } +#define HAS_CREATE_TOKEN 1 +#define HAS_NTSEC_BY_DEFAULT 2 + +static int has_capability(int what) +{ + /* has_capability() basically calls uname() and checks if + specific capabilities of Cygwin can be evaluated from that. + This simplifies the calling functions which only have to ask + for a capability using has_capability() instead of having + to figure that out by themselves. */ + static int inited; + static int has_create_token; + static int has_ntsec_by_default; + + if (!inited) { + struct utsname uts; + char *c; + + if (!uname(&uts)) { + int major_high = 0; + int major_low = 0; + int minor = 0; + int api_major_version = 0; + int api_minor_version = 0; + char *c; + + sscanf(uts.release, "%d.%d.%d", &major_high, + &major_low, &minor); + c = strchr(uts.release, '('); + if (c) + sscanf(c + 1, "%d.%d", &api_major_version, + &api_minor_version); + if (major_high > 1 || + (major_high == 1 && (major_low > 3 || + (major_low == 3 && minor >= 2)))) + has_create_token = 1; + if (api_major_version > 0 || api_minor_version >= 56) + has_ntsec_by_default = 1; + inited = 1; + } + } + switch (what) { + case HAS_CREATE_TOKEN: + return has_create_token; + case HAS_NTSEC_BY_DEFAULT: + return has_ntsec_by_default; + } + return 0; +} + int check_nt_auth(int pwd_authenticated, struct passwd *pw) { /* 
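Review bot: two problems in the `has_capability()` hunk. First, `char *c;` is declared in the outer `if (!inited)` block and again inside `if (!uname(&uts))`, so the outer one is unused and shadowed; drop it. Second, the function's `static int has_create_token` carries the same name as the file-scope `has_create_token` that `check_nt_auth()` still tests and assigns (`if (has_create_token < 0)` ... `has_create_token = 0;`), which invites confusion between the capability and the cached decision; rename the local one (e.g. `cap_create_token`) or fold the file-scope state into this function. Minor: `inited` is only set when `uname()` succeeds, so a failing `uname()` is retried on every call, which is harmless but deserves a comment.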
@@ -93,19 +144,14 @@ int check_nt_auth(int pwd_authenticated, return 0; if (is_winnt) { if (has_create_token < 0) { - struct utsname uts; - int major_high = 0, major_low = 0, minor = 0; char *cygwin = getenv("CYGWIN"); has_create_token = 0; - if (ntsec_on(cygwin) && !uname(&uts)) { - sscanf(uts.release, "%d.%d.%d", - &major_high, &major_low, &minor); - if (major_high > 1 || - (major_high == 1 && (major_low > 3 || - (major_low == 3 && minor >= 2)))) - has_create_token = 1; - } + if (has_capability(HAS_CREATE_TOKEN) && + (ntsec_on(cygwin) || + (has_capability(HAS_NTSEC_BY_DEFAULT) && + !ntsec_off(cygwin)))) + has_create_token = 1; } if (has_create_token < 1 && !pwd_authenticated && geteuid() != pw->pw_uid) @@ -128,7 +174,9 @@ int check_ntsec(const char *filename) /* Evaluate current CYGWIN settings. */ cygwin = getenv("CYGWIN"); allow_ntea = ntea_on(cygwin); - allow_ntsec = ntsec_on(cygwin); + allow_ntsec = ntsec_on(cygwin) || + (has_capability(HAS_NTSEC_BY_DEFAULT) && + !ntsec_off(cygwin)); /* * `ntea' is an emulation of POSIX attributes. It doesn't support -- Corinna Vinschen Cygwin Developer Red Hat, Inc. mailto:vinschen at redhat.com From markus at openbsd.org Wed Jul 31 20:45:36 2002 From: markus at openbsd.org (Markus Friedl) Date: Wed, 31 Jul 2002 12:45:36 +0200 Subject: privsep+kerb5+ssh1 Message-ID: <20020731104536.GA22295@folly> please test Olaf Kirch's patch. it looks fine to me, but I don't do K5. I'd like to see this in the next release. thx -m -------------- next part -------------- --- openssh-3.4p1/auth-krb5.c.krb Sun Jun 9 21:41:48 2002 +++ openssh-3.4p1/auth-krb5.c Tue Jul 23 15:15:43 2002
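Review bot: in the bsd-cygwin_util.c `check_nt_auth()` hunk the expression `ntsec_on(cygwin) || (has_capability(HAS_NTSEC_BY_DEFAULT) && !ntsec_off(cygwin))` is written out in full, and the `check_ntsec()` hunk repeats it verbatim for `allow_ntsec`; give it one helper or macro next to `ntsec_on`/`ntsec_off` (e.g. `ntsec_enabled(c)`) so the two call sites cannot drift apart when the Cygwin default changes again.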
@@ -73,18 +73,17 @@ * from the ticket */ int -auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client) +auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *reply) { krb5_error_code problem; krb5_principal server; - krb5_data reply; krb5_ticket *ticket; int fd, ret; ret = 0; server = NULL; ticket = NULL; - reply.length = 0; + reply->length = 0; problem = krb5_init(authctxt); if (problem) @@ -131,7 +130,7 @@ /* if client wants mutual auth */ problem = krb5_mk_rep(authctxt->krb5_ctx, authctxt->krb5_auth_ctx, - &reply); + reply); if (problem) goto err; @@ -144,19 +143,16 @@ krb5_unparse_name(authctxt->krb5_ctx, authctxt->krb5_user, client); - packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE); - packet_put_string((char *) reply.data, reply.length); - packet_send(); - packet_write_wait(); - ret = 1; err: if (server) krb5_free_principal(authctxt->krb5_ctx, server); if (ticket) krb5_free_ticket(authctxt->krb5_ctx, ticket); - if (reply.length) - xfree(reply.data); + if (!ret && reply->length) { + xfree(reply->data); + memset(reply, 0, sizeof(*reply)); + } if (problem) { if (authctxt->krb5_ctx != NULL) --- openssh-3.4p1/auth1.c.krb Fri Jun 21 08:21:11 2002 +++ openssh-3.4p1/auth1.c Tue Jul 23 15:15:43 2002 @@ -133,15 +133,23 @@ #endif /* KRB4 */ } else { #ifdef KRB5 - krb5_data tkt; + krb5_data tkt, reply; tkt.length = dlen; tkt.data = kdata; - if (auth_krb5(authctxt, &tkt, &client_user)) { + if (PRIVSEP(auth_krb5(authctxt, &tkt, &client_user, &reply))) { authenticated = 1; snprintf(info, sizeof(info), " tktuser %.100s", client_user); + + /* Send response to client */ + packet_start(SSH_SMSG_AUTH_KERBEROS_RESPONSE); + packet_put_string((char *) reply.data, reply.length); + packet_send(); + packet_write_wait(); + if (reply.length) + xfree(reply.data); } #endif /* KRB5 */ } --- openssh-3.4p1/monitor.c.krb Tue Jul 23 15:15:43 2002 +++ openssh-3.4p1/monitor.c Tue Jul 23 15:15:43 2002 
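Review bot: ownership of `reply` changes in the third auth-krb5.c hunk: on success `reply->data` is now handed to the caller, on failure it is freed and zeroed. State that in the comment above `auth_krb5()` ("on success the caller must xfree(reply->data)"), since both `auth1.c` and `mm_answer_krb5()` depend on it. Also, `reply->length = 0` at the top of the function does not clear `reply->data`, so if the mutual-auth `krb5_mk_rep()` branch can be skipped, a successful return leaves `length == 0` with whatever pointer the caller passed in; `memset(reply, 0, sizeof(*reply))` there is safer.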
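Review bot: in the auth1.c hunk `reply` is declared (`krb5_data tkt, reply;`) and passed straight into `PRIVSEP(auth_krb5(...))`, then sent with `packet_put_string((char *) reply.data, reply.length)`; initialise it first (`memset(&reply, 0, sizeof(reply));` or `reply.data = NULL; reply.length = 0;`) so the zero-length case does not depend on what the callee left in `reply.data`. The `if (reply.length) xfree(reply.data);` cleanup is then consistent with the failure handling in `auth_krb5()`.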
@@ -121,6 +121,10 @@ int mm_answer_pam_chauthtok(int, Buffer *); #endif +#ifdef KRB5 +int mm_answer_krb5(int, Buffer *); +#endif + static Authctxt *authctxt; static BIGNUM *ssh1_challenge = NULL; /* used for ssh1 rsa auth */ @@ -201,6 +205,9 @@ #ifdef USE_PAM {MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start}, #endif +#ifdef KRB5 + {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5}, +#endif {0, 0, NULL} }; @@ -1333,6 +1340,42 @@ return (success); } + +#ifdef KRB5 +int +mm_answer_krb5(int socket, Buffer *m) +{ + krb5_data tkt, reply; + char *client_user; + unsigned int len; + int success; + + /* use temporary var to avoid size issues on 64bit arch */ + tkt.data = buffer_get_string(m, &len); + tkt.length = len; + + success = auth_krb5(authctxt, &tkt, &client_user, &reply); + + if (tkt.length) + xfree(tkt.data); + + buffer_clear(m); + buffer_put_int(m, success); + + if (success) { + buffer_put_cstring(m, client_user); + buffer_put_string(m, reply.data, reply.length); + if (client_user) + xfree(client_user); + if (reply.length) + xfree(reply.data); + } + mm_request_send(socket, MONITOR_ANS_KRB5, m); + + return success; +} +#endif + int mm_answer_term(int socket, Buffer *req) { --- openssh-3.4p1/monitor.h.krb Tue Jul 23 15:15:43 2002 +++ openssh-3.4p1/monitor.h Tue Jul 23 15:15:43 2002 @@ -51,6 +51,7 @@ MONITOR_REQ_RSARESPONSE, MONITOR_ANS_RSARESPONSE, MONITOR_REQ_PAM_START, MONITOR_REQ_PAM_CHAUTHTOK, MONITOR_ANS_PAM_CHAUTHTOK, + MONITOR_REQ_KRB5, MONITOR_ANS_KRB5, MONITOR_REQ_TERM }; --- openssh-3.4p1/monitor_wrap.c.krb Tue Jul 23 15:15:43 2002 +++ openssh-3.4p1/monitor_wrap.c Tue Jul 23 15:18:23 2002 
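Review bot: in the `mm_answer_krb5()` hunk, `buffer_get_string()` always returns an xmalloc'ed buffer, even for a zero-length string, so `if (tkt.length) xfree(tkt.data);` leaks when the client sends an empty ticket; free `tkt.data` unconditionally. `client_user` is also left uninitialised and is only assigned by `auth_krb5()` on the success path; that works because it is only read under `if (success)`, but initialising it to NULL makes the following `if (client_user)` check meaningful. The `MON_ONCE|MON_AUTH` flags on `MONITOR_REQ_KRB5` are consistent with the other authentication requests in the table.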
@@ -1040,3 +1040,38 @@ return (success); } + +#ifdef KRB5 +int +mm_auth_krb5(void *ctx, void *argp, char **userp, void *resp) +{ + krb5_data *tkt, *reply; + Buffer m; + int success; + + debug3("%s entering", __func__); + tkt = (krb5_data *) argp; + reply = (krb5_data *) resp; + + buffer_init(&m); + buffer_put_string(&m, tkt->data, tkt->length); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_KRB5, &m); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_KRB5, &m); + + success = buffer_get_int(&m); + if (success) { + unsigned int len; + + *userp = buffer_get_string(&m, NULL); + reply->data = buffer_get_string(&m, &len); + reply->length = len; + } else { + memset(reply, 0, sizeof(*reply)); + *userp = NULL; + } + + buffer_free(&m); + return (success); +} +#endif --- openssh-3.4p1/monitor_wrap.h.krb Tue Jul 23 15:15:43 2002 +++ openssh-3.4p1/monitor_wrap.h Tue Jul 23 15:19:00 2002 @@ -84,6 +84,13 @@ int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **); int mm_skey_respond(void *, u_int, char **); +/* auth_krb5 */ +#ifdef KRB5 +/* auth and reply are really krb5_data objects, but we don't want to + * include all of the krb5 headers here */ +int mm_auth_krb5(void *authctxt, void *auth, char **client, void *reply); +#endif + /* zlib allocation hooks */ void *mm_zalloc(struct mm_master *, u_int, u_int); --- openssh-3.4p1/servconf.c.krb Tue Jul 23 15:15:43 2002 +++ openssh-3.4p1/servconf.c Tue Jul 23 15:15:43 2002 @@ -17,7 +17,7 @@ #endif #if defined(KRB5) #ifdef HEIMDAL -#include +#include #else /* Bodge - but then, so is using the kerberos IV KEYFILE to get a Kerberos V * keytab */ --- openssh-3.4p1/auth.h.krb Thu Jun 6 22:52:37 2002 +++ openssh-3.4p1/auth.h Tue Jul 23 15:25:35 2002 
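Review bot: `mm_auth_krb5()` in the monitor_wrap.c hunk casts `argp` and `resp` to `krb5_data *` and dereferences them, while the prototype in monitor_wrap.h deliberately uses `void *` to avoid pulling in the krb5 headers; that split is fine, but the patch adds no include to monitor_wrap.c, so confirm that `krb5_data` is already visible there under `#ifdef KRB5` (via auth.h or otherwise) or the casts will not compile. On failure the wrapper zeroes `*reply` and sets `*userp = NULL`, which matches what the `auth1.c` caller needs; note the `unsigned int len` would normally be `u_int` in this file.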
@@ -126,7 +126,7 @@ #endif /* KRB4 */ #ifdef KRB5 -int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client); +int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *); int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); int auth_krb5_password(Authctxt *authctxt, const char *password); void krb5_cleanup_proc(void *authctxt);

From morton at eik.bme.hu Wed Jul 31 22:05:51 2002
From: morton at eik.bme.hu (Marton Fabo)
Date: Wed, 31 Jul 2002 14:05:51 +0200
Subject: port to platform without unix domain sockets
Message-ID: <5.1.0.14.2.20020731135640.00af3230@rufusz>

Hello!

I tried to compile OpenSSH on my platform (BeOS), and had lots of failures due to lack of support for UNIX domain sockets, which OpenSSH seems to be using at many places. Do any of you have any ideas, or is there a working routine for _easily_ avoiding usage of such sockets (for example, by using inet domain sockets instead), while keeping the features that normally rely on them (e.g. ssh-agent)?

Please note that currently I'm not on this list, so please Cc any responses to my own address.

thx
mortee

From sales at huloaders.com Wed Jul 31 23:24:04 2002
From: sales at huloaders.com (HULOADERS)
Date: Wed, 31 Jul 2002 21:24:04 +0800
Subject: Weekly newsletter updates
Message-ID: <200207311324.g6VDO4wi012825@ns1.ns.com>

We are pleased to announce that our new format for the newsletter will be strictly online for the next 3 weeks. Please review it at your leisure.

http://www.dssmobster.com/newsletter.html

________________________________________________

Also, don't forget to visit our new corporate sponsors http://www.huloaders.com.

Thank you,
webmaster at dssmobster.com

-------------------------------------------------------------------------
To be removed from this mailing list click on the link below
http://dssmobster.com/cgi-bin/mail.cgi?openssh-unix-dev at mindrot.org

From ed at UDel.Edu Wed Jul 31 23:39:13 2002
From: ed at UDel.Edu (Ed Phillips)
Date: Wed, 31 Jul 2002 09:39:13 -0400 (EDT)
Subject: OpenSSL Security Advisory [30 July 2002]
In-Reply-To: <60F1F87A64834D45A1EBAE9618305FB80120BE88@qeo00200>
Message-ID:

On Tue, 30 Jul 2002, Courtin Bert wrote:

> Date: Tue, 30 Jul 2002 16:24:10 +0200
> From: Courtin Bert
> To: openssh-unix-dev at mindrot.org
> Subject: OpenSSL Security Advisory [30 July 2002]
>
>
> Hi,
>
> FYI - don't sue me for posting this here - I know, everyone who needs this info *should* have it already, but maybe not ;-)
>
> Kind regards,
> B. Courtin
>
> --
>
> OpenSSL Security Advisory [30 July 2002]
>
> This advisory consists of two independent advisories, merged, and is
> an official OpenSSL advisory.
>
> [... SNIP ...]

Does OpenSSH use any of the "exploitable" features outlined in the recent OpenSSL advisories?

Ed

Ed Phillips  University of Delaware  (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
