openssh-unix-dev digest, Vol 1 #505 - 15 msgs

Leonard Raphael raphale1 at icpd.sonera.fi
Thu Jul 25 15:40:26 EST 2002


subscribe openssh-unix-dev at mindrot.org




> Send openssh-unix-dev mailing list submissions to
> 	openssh-unix-dev at mindrot.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> or, via email, send a message with subject or body 'help' to
> 	openssh-unix-dev-request at mindrot.org
> 
> You can reach the person managing the list at
> 	openssh-unix-dev-admin at mindrot.org
> 
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of openssh-unix-dev digest..."
> 
> 
> Today's Topics:
> 
>    1. Re: OpenSSH 3.4p1 hostbased auth - howto? (Tony Finch)
>    2. Re: OpenSSH 3.4p1 "PRNG is not seeded" (Lutz Jaenicke)
>    3. Re: ssh-keygen listing fingerprints little unclear (Markus Friedl)
>    4. Re: OpenSSH 3.4p1 hostbased auth - howto? (Markus Friedl)
>    5. scp bug? or is it intended? (Lapo Luchini)
>    6. Re: OpenSSH 3.4p1 hostbased auth - howto? (Tim Rice)
>    7. Re: scp bug? or is it intended? (Ben Lindstrom)
>    8. pam problems with securid patch (Edward Quick)
>    9. Re: OpenSSH 3.4p1 hostbased auth - howto? (Gert Doering)
>   10. Re: OpenSSH 3.4p1 hostbased auth - howto? (Gert Doering)
>   11. Re: privilege separation breaks dns lookups (Gert Doering)
>   12. Re: OpenSSH 3.4p1 hostbased auth - howto? (Tony Finch)
>   13. [Bug 369] New: Inconsistent exit status from scp (bugzilla-daemon at mindrot.org)
>   14. [Bug 369] Inconsistent exit status from scp (bugzilla-daemon at mindrot.org)
>   15. [Bug 369] Inconsistent exit status from scp (bugzilla-daemon at mindrot.org)
> 
> --__--__--
> 
> Message: 1
> To: kevin at kevindegraaf.net
> From: Tony Finch <dot at dotat.at>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
> Date: Wed, 24 Jul 2002 12:09:43 +0100
> 
> Kevin DeGraaf <kevin at kevindegraaf.net> wrote:
> >
> >5. On both machines, I created /etc/ssh/sshd_config:
> >
> >UsePrivilegeSeparation yes
> 
> This is the problem. It's a manifestation of the bug I reported a month
> ago on this list with the subject "privilege separation breaks dns
> lookups".
> There is a patch but it hasn't been committed.
> 
> Tony.
> -- 
> f.a.n.finch <dot at dotat.at> http://dotat.at/
> NORTH FITZROY SOLE LUNDY FASTNET: WEST OR SOUTHWEST 3 OR 4, INCREASING 5
> LATER. OCCASIONAL DRIZZLE. GOOD BECOMING MODERATE OR POOR.
> 
> --__--__--
> 
> Message: 2
> Date: Wed, 24 Jul 2002 15:00:38 +0200
> From: Lutz Jaenicke <Lutz.Jaenicke at aet.TU-Cottbus.DE>
> To: OpenSSH Development <openssh-unix-dev at mindrot.org>
> Subject: Re: OpenSSH 3.4p1 "PRNG is not seeded"
> Organization: BTU Cottbus, Allgemeine Elektrotechnik
> 
> On Tue, Jul 23, 2002 at 07:42:59PM -0700, David Marshall wrote:
> > I upgraded from OpenSSH_3.0.2p1 to OpenSSH 3.4p1. Starting SSHD or
> > ssh-keygen I'm getting the "PRNG is not seeded".
> > 
> > I have verified that prngd is running and "egc.pl
> /var/spool/prngd/pool get"
> > runs just fine reporting 32800 bits of entropy.
> 
> Did you configure with "--with-prngd-socket=/var/spool/prngd/pool", such
> that OpenSSH picks up the socket? As /var/spool/prngd/pool is not one of
> the recommended standard locations (recommendations from OpenSSL for
> support in 0.9.7), it might not be picked up automatically.
> 
> Best regards,
> 	Lutz
> -- 
> Lutz Jaenicke
> Lutz.Jaenicke at aet.TU-Cottbus.DE
> http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> BTU Cottbus, Allgemeine Elektrotechnik
> Universitaetsplatz 3-4, D-03044 Cottbus
> 
> --__--__--
> 
> Message: 3
> Date: Wed, 24 Jul 2002 15:54:24 +0200
> From: Markus Friedl <markus at openbsd.org>
> To: Magnus Bodin <magnus at bodin.org>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: ssh-keygen listing fingerprints little unclear
> 
> nice, do you have a patch?
> 
> On Wed, Jul 24, 2002 at 09:35:34AM +0200, Magnus Bodin wrote:
> > 
> > Since ssh-keygen is not listing the _types_ of keys I have in my file,
> > wouldn't it be a good idea to make the -t switch filtering out the 
> > selected type of key when doing a listing with -l? 
> > 
> > i.e. in this case I see both rsa1, rsa, and dss keys: 
> > 
> > $ ssh-keygen -l -f ~/.ssh/known_hosts
> > 
> > 1024 a9:4f:0b:b6:33:d7:d0:ad:6a:11:b4:57:25:7e:1e:f8 fluff.x42.com 
> > 1024 9d:f8:d4:62:dc:3d:fb:26:2a:03:f4:d3:5f:8b:df:39 pingu.framtid.nu
> > 1024 69:6a:0e:49:01:c6:ef:16:65:3e:26:39:21:e2:84:fe pingu.framtid.nu
> > 
> > So if I do  
> > 
> > $ ssh-keygen -l -t rsa -f ~/.ssh/known_hosts 
> > 
> > I actually would like to see
> > 
> > 1024 a9:4f:0b:b6:33:d7:d0:ad:6a:11:b4:57:25:7e:1e:f8 fluff.x42.com
> > 1024 69:6a:0e:49:01:c6:ef:16:65:3e:26:39:21:e2:84:fe pingu.framtid.nu 
> > 
> > Doesn't it make sense?
> > (or adding the types to the listing)
> > 
> > /magnus
> > 
> > -- 
> > http://x42.com/ 
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
> --__--__--
> 
> Message: 4
> Date: Wed, 24 Jul 2002 15:53:50 +0200
> From: Markus Friedl <markus at openbsd.org>
> To: Tony Finch <dot at dotat.at>
> Cc: kevin at kevindegraaf.net, openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
> 
> > This is the problem. It's a manifestation of the bug I reported a month
> > ago on this list with the subject "privilege separation breaks dns lookups".
> > There is a patch but it hasn't been committed.
> 
> but there should be no DNS lookups in the unprivileged code...
> 
> --__--__--
> 
> Message: 5
> Date: Wed, 24 Jul 2002 16:00:40 +0200
> From: Lapo Luchini <lapo at lapo.it>
> Reply-To: Lapo Luchini <lapo at lapo.it>
> To: openssh-unix-dev at mindrot.org
> Subject: scp bug? or is it intended?
> 
> Please enlighten me on a subject, which is easily explained by example
> (cyberone is a Cygwin1.3.12/WinXPpro and cyberx is a FreeBSD with latest
> openssh-portable installed):
> 
> lapo at CYBERONE ~
> $ scp lapo at cyberx:Luth\'ol.pcg .
> bash: -c: line 1: unexpected EOF while looking for matching `''
> bash: -c: line 2: syntax error: unexpected end of file
> 
> lapo at CYBERONE ~
> $ scp lapo at cyberx:Luth\\\'ol.pcg .
> Luth'ol.pcg          100% |*****************************|  2066
> 00:00
> 
> I guess that the fact that command line is interpreted also on remote
> side should be hidden from the user... IMHO first command line should 
> work and second one should not.
> 
> Please notice also that I'm not subscribed to this ML.
> If this behaviour is intended, sorry for the message, but then I'd say
> it should at least be noted in the "man" page that the command line will be
> interpreted twice.
> 
> OpenSSH is always better and better, keep up the good work =)
> Lapo
> 
> -- 
> Lapo 'Raist' Luchini
> lapo at lapo.it (PGP & X.509 keys available)
> http://www.lapo.it (ICQ UIN: 529796)
> 
> 
> --__--__--
> 
> Message: 6
> Date: Wed, 24 Jul 2002 07:08:57 -0700 (PDT)
> From: Tim Rice <tim at multitalents.net>
> To: Tony Finch <dot at dotat.at>
> Cc: kevin at kevindegraaf.net, <openssh-unix-dev at mindrot.org>
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
> 
> On Wed, 24 Jul 2002, Tony Finch wrote:
> 
> > Kevin DeGraaf <kevin at kevindegraaf.net> wrote:
> > >
> > >5. On both machines, I created /etc/ssh/sshd_config:
> > >
> > >UsePrivilegeSeparation yes
> >
> > This is the problem. It's a manifestation of the bug I reported a month
> > ago on this list with the subject "privilege separation breaks dns lookups".
> > There is a patch but it hasn't been committed.
> 
> What platform are you on? It's working fine on my platforms.
> 
> >
> > Tony.
> >
> 
> -- 
> Tim Rice				Multitalents	(707) 887-1469
> tim at multitalents.net
> 
> 
> 
> --__--__--
> 
> Message: 7
> Date: Wed, 24 Jul 2002 09:04:13 -0500 (CDT)
> From: Ben Lindstrom <mouring at etoh.eviladmin.org>
> To: Lapo Luchini <lapo at lapo.it>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: scp bug? or is it intended?
> 
> 
> This is the correct behavior.
> 
> Otherwise the following would not work:
> 
> scp host.com:dir/\* .
> 
> Remember scp on the other end runs in your shell.  So you have to contend
> with double escapes (same with rcp) to gain the behavior you want.
> 
> - Ben
> 
> On Wed, 24 Jul 2002, Lapo Luchini wrote:
> 
> > Please enlighten me on a subject, which is easily explained by example
> > (cyberone is a Cygwin1.3.12/WinXPpro and cyberx is a FreeBSD with latest
> > openssh-portable installed):
> >
> > lapo at CYBERONE ~
> > $ scp lapo at cyberx:Luth\'ol.pcg .
> > bash: -c: line 1: unexpected EOF while looking for matching `''
> > bash: -c: line 2: syntax error: unexpected end of file
> >
> > lapo at CYBERONE ~
> > $ scp lapo at cyberx:Luth\\\'ol.pcg .
> > Luth'ol.pcg          100% |*****************************|  2066
> 00:00
> >
> > I guess that the fact that command line is interpreted also on remote
> > side should be hidden from the user... IMHO first command line should
> > work and second one should not.
> >
> > Please notice also that I'm not subscribed to this ML.
> > If this behaviour is intended, sorry for the message, but then I'd say
> > it should at least be noted in the "man" page that the command line will
> > be interpreted twice.
> >
> > OpenSSH is always better and better, keep up the good work =)
> > Lapo
> >
> > --
> > Lapo 'Raist' Luchini
> > lapo at lapo.it (PGP & X.509 keys available)
> > http://www.lapo.it (ICQ UIN: 529796)
> >
> >
> 
> 
> --__--__--
> 
> Message: 8
> From: "Edward Quick" <edwardquick at hotmail.com>
> To: openssh-unix-dev at mindrot.org
> Subject: pam problems with securid patch
> Date: Wed, 24 Jul 2002 14:18:24 +0000
> 
> Hi,
> 
> I have the securID patch applied to openssh3.4p-1 and it's compiled with
> pam. The problem I'm getting is that SecurID auth works OK, but normal
> password auth doesn't. I narrowed down the failure to the following section
> in auth-pam.c :
> 
>         __pampasswd = password;
> 
>         pamstate = INITIAL_LOGIN;
>         pam_retval = do_pam_authenticate(
>             options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK : 0);
> 
> but I can't see how this works.  Can anyone enlighten me please? I know that
> the password is correct but pam_retval is still not equal to PAM_SUCCESS.
> 
> Cheers,
> 
> Ed.
> 
> 
> 
> --__--__--
> 
> Message: 9
> Date: Wed, 24 Jul 2002 16:24:29 +0200
> From: Gert Doering <gert at greenie.muc.de>
> To: Markus Friedl <markus at openbsd.org>
> Cc: Tony Finch <dot at dotat.at>, kevin at kevindegraaf.net,
> 	openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
> 
> Hi,
> 
> On Wed, Jul 24, 2002 at 03:53:50PM +0200, Markus Friedl wrote:
> > > This is the problem. It's a manifestation of the bug I reported a month
> > > ago on this list with the subject "privilege separation breaks dns lookups".
> > > There is a patch but it hasn't been committed.
> > but there should be no DNS lookups in the unprivileged code...
> 
> The protocol 1 / RhostsRSAAuthentication handler seems to be doing reverse
> lookups, and fails.  This is how it looks here:
> 
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_receive_expect entering: type 11
> debug3: mm_request_send entering: type 11
> debug3: mm_request_receive entering
> Failed none for gert from 195.30.1.25 port 760
> debug3: mm_auth_password: user not authenticated
> debug3: mm_request_receive entering
> debug1: Trying rhosts with RSA host authentication for client user gert
> debug3: Trying to reverse map address 195.30.1.25.
> <long pause (about a minute)>
> Could not reverse map address 195.30.1.25.
> debug1: Rhosts RSA authentication: canonical host 195.30.1.25
> debug3: mm_key_allowed entering
> debug3: mm_request_send entering: type 20
> debug3: monitor_read: checking request 20
> debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
> debug3: mm_answer_keyallowed entering
> debug3: mm_request_receive_expect entering: type 21
> debug3: mm_answer_keyallowed: key_from_blob: 0x80951d0
> debug3: mm_request_receive entering
> debug3: Trying to reverse map address 195.30.1.25.
> debug2: auth_rhosts2: clientuser gert hostname moebius.space.net ipaddr
> 195.30.1.25
> debug1: restore_uid
> debug1: restore_uid
> debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
> debug3: check_host_in_hostfile: filename /home/gert/.ssh/known_hosts
> ...
> 
> Without PrivSep, the log is as follows:
> 
> debug1: Attempting authentication for gert.
> debug1: Trying rhosts with RSA host authentication for client user gert
> debug3: Trying to reverse map address 195.30.1.25.
> <no delay here>
> debug1: Rhosts RSA authentication: canonical host moebius.space.net
> debug2: auth_rhosts2: clientuser gert hostname moebius.space.net ipaddr
> 195.30.1.25
> debug1: restore_uid
> debug1: restore_uid
> debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
> debug3: check_host_in_hostfile: filename /home/gert/.ssh/known_hosts
> 
> 
> gert
> 
> -- 
> USENET is *not* the non-clickable part of WWW!
>  
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert.doering at physik.tu-muenchen.de
> 
> --__--__--
> 
> Message: 10
> Date: Wed, 24 Jul 2002 16:25:22 +0200
> From: Gert Doering <gert at greenie.muc.de>
> To: Tim Rice <tim at multitalents.net>
> Cc: Tony Finch <dot at dotat.at>, kevin at kevindegraaf.net,
> 	openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
> 
> hi,
> 
> On Wed, Jul 24, 2002 at 07:08:57AM -0700, Tim Rice wrote:
> > > This is the problem. It's a manifestation of the bug I reported a month
> > > ago on this list with the subject "privilege separation breaks dns lookups".
> > > There is a patch but it hasn't been committed.
> > What platform are you on? It's working fine on my platforms.
> 
> I see this on FreeBSD 4.1.1-RELEASE.  
> 
> Interesting enough, FreeBSD 4.1 and 4.2 work fine.
> 
> gert
> -- 
> USENET is *not* the non-clickable part of WWW!
>  
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert.doering at physik.tu-muenchen.de
> 
> --__--__--
> 
> Message: 11
> Date: Wed, 24 Jul 2002 16:32:08 +0200
> From: Gert Doering <gert at greenie.muc.de>
> To: Kevin Steves <kevin at atomicgears.com>
> Cc: Tony Finch <dot at dotat.at>, openssh-unix-dev at mindrot.org,
> 	stevesk at pobox.com
> Subject: Re: privilege separation breaks dns lookups
> 
> Hi,
> 
> On Sat, Jun 29, 2002 at 12:38:35PM -0700, Kevin Steves wrote:
> > On Wed, Jun 26, 2002 at 11:26:31PM +0100, Tony Finch wrote:
> > > When the unprivileged child has chrooted it can no longer open
> > > /etc/resolv.conf, so if the resolver hasn't yet initialized itself then
> > > dns lookups will not be possible. This is unfortunately what normally
> > > happens, but sshd falls back gracefully.
> > 
> > can you try this?
> > 
> > Index: sshd.c
> > ===================================================================
> [..]
> >  		error("setsockopt SO_KEEPALIVE: %.100s",
> strerror(errno));
> > +
> > +	/*
> > +	 * Initialize the resolver.  This may not happen automatically
> > +	 * before privsep chroot().
> > +	 */
> > +	if ((_res.options & RES_INIT) == 0) {
> > +		debug("res_init()");
> > +		res_init();
> > +	}
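Review bot: the new block ignores the return value of res_init(), which returns -1 when the resolver cannot be set up; since the point of this hunk is to guarantee a usable resolver before the privsep chroot(), a failure should be logged the way the setsockopt failure just above is (for example `error("res_init failed")`), otherwise a later reverse-lookup stall remains silent in the log. The `[..]` elision also hides whether sshd.c includes <resolv.h>, which `_res` and `RES_INIT` require; that part of the patch should be shown as well.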
> 
> I won't claim to understand why it is necessary, but your patch fixes the
> "wait a minute" problem when logging into a FreeBSD 4.1.1-RELEASE machine
> with PrivSep and RhostsRSAAuthentication enabled.
> 
> Sorry for not responding more quickly - I passed this to a colleague who
> just didn't do the test :-(
> 
> gert
> 
> -- 
> USENET is *not* the non-clickable part of WWW!
>  
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert.doering at physik.tu-muenchen.de
> 
> --__--__--
> 
> Message: 12
> Date: Wed, 24 Jul 2002 16:26:42 +0100
> From: Tony Finch <dot at dotat.at>
> To: Markus Friedl <markus at openbsd.org>
> Cc: Tony Finch <dot at dotat.at>, kevin at kevindegraaf.net,
> 	openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
> 
> On Wed, Jul 24, 2002 at 03:53:50PM +0200, Markus Friedl wrote:
> > > This is the problem. It's a manifestation of the bug I reported a month
> > > ago on this list with the subject "privilege separation breaks dns lookups".
> > > There is a patch but it hasn't been committed.
> > 
> > but there should be no DNS lookups in the unprivileged code...
> 
> This is on FreeBSD-4.6-STABLE using the openssh-portable port (which is
> 3.4p1). The backtrace of the offending DNS lookup is
> 
> #0  0x8061450 in get_remote_hostname (socket=5,
> verify_reverse_mapping=0) at canohost.c:81
> #1  0x8061714 in get_canonical_hostname (verify_reverse_mapping=0) at
> canohost.c:194
> #2  0x8050021 in input_userauth_request (type=50, seq=5, ctxt=0x80990c0)
> at auth2.c:147
> #3  0x8067fcf in dispatch_run (mode=0, done=0x80990c0, ctxt=0x80990c0)
> at dispatch.c:93
> #4  0x804fef8 in do_authentication2 () at auth2.c:96
> #5  0x804e365 in main (ac=4, av=0xbfbffab0) at sshd.c:1507
> 
> The call to get_canonical_hostname in input_userauth_request is part of
> the FreeBSD patch set, so I'll report the bug to them.
> 
> Tony.
> -- 
> f.a.n.finch <dot at dotat.at> http://dotat.at/
> FISHER GERMAN BIGHT: WEST OR NORTHWEST 5 OR 6, BUT 7 IN NORTHEAST FISHER
> AT
> FIRST, DECREASING 4 IN SOUTHWEST FISHER AND IN GERMAN BIGHT. SHOWERS.
> GOOD.
> 
> --__--__--
> 
> Message: 13
> From: bugzilla-daemon at mindrot.org
> To: openssh-unix-dev at mindrot.org
> Subject: [Bug 369] New: Inconsistent exit status from scp
> Date: Thu, 25 Jul 2002 04:05:54 +1000 (EST)
> 
> http://bugzilla.mindrot.org/show_bug.cgi?id=369
> 
>            Summary: Inconsistent exit status from scp
>            Product: Portable OpenSSH
>            Version: 3.0.2p1
>           Platform: ix86
>         OS/Version: FreeBSD
>             Status: NEW
>           Severity: normal
>           Priority: P2
>          Component: scp
>         AssignedTo: openssh-unix-dev at mindrot.org
>         ReportedBy: oberman at es.net
> 
> 
> The man page states that scp returns 0 for success and >0 for failure.
> This is non-standard.
> Worse, it may return 0 after a failure.
> scp -B bogus at system:file1 file1
> If authentication fails, the string "Permission denied" is sent to
> STDERR, but the status is 0, making this indistinguishable from success
> without an extra check of the text sent to STDERR.
> 
> 
> 
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
> 
> --__--__--
> 
> Message: 14
> From: bugzilla-daemon at mindrot.org
> To: openssh-unix-dev at mindrot.org
> Subject: [Bug 369] Inconsistent exit status from scp
> Date: Thu, 25 Jul 2002 04:25:43 +1000 (EST)
> 
> http://bugzilla.mindrot.org/show_bug.cgi?id=369
> 
> 
> 
> 
> 
> ------- Additional Comments From markus at openbsd.org  2002-07-25 04:25
> -------
> 0 for success and >0 for failure _is_ standard on unix.
> 
> 
> 
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
> 
> --__--__--
> 
> Message: 15
> From: bugzilla-daemon at mindrot.org
> To: openssh-unix-dev at mindrot.org
> Subject: [Bug 369] Inconsistent exit status from scp
> Date: Thu, 25 Jul 2002 04:26:46 +1000 (EST)
> 
> http://bugzilla.mindrot.org/show_bug.cgi?id=369
> 
> 
> 
> 
> 
> ------- Additional Comments From markus at openbsd.org  2002-07-25 04:26
> -------
> scp should check ssh's exit status.
> 
> 
> 
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
> 
> 
> --__--__--
> 
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
> 
> End of openssh-unix-dev Digest
> 
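The double interpretation discussed in messages 5 and 7 of the digest above (the local shell parses the scp argument once, then the remote login shell parses the path again before `scp -f` runs on the far side) can be simulated with Python's shlex. This is an added example, not code from the digest or from OpenSSH; the two typed command lines are Lapo's, reused here as constructed sample input, and `scp_argv` and the other function names are the example's own. The remote-side simulation covers the shell's quote and backslash handling only, not glob expansion.

```python
import shlex

# Constructed sample input: the two command-line words from Lapo's message,
# exactly as typed into the local bash shell.
TYPED_FIRST = r"lapo@cyberx:Luth\'ol.pcg"
TYPED_SECOND = r"lapo@cyberx:Luth\\\'ol.pcg"


def local_parse(typed_word: str) -> str:
    """What the local shell hands to scp for one typed word (first level)."""
    words = shlex.split(typed_word)
    if len(words) != 1:
        raise ValueError("expected exactly one word")
    return words[0]


def split_target(arg: str):
    """Split user@host:path the way scp does: the first ':' ends the host part."""
    host, _, path = arg.partition(":")
    return host, path


def remote_parse(path_arg: str):
    """Simulate the remote login shell parsing 'scp -f <path>' (second level).
    Returns the list of words the remote scp would receive, or a string
    describing the shell error. Globbing is not simulated."""
    try:
        return shlex.split(path_arg)
    except ValueError as e:
        return f"shell error: {e}"


def what_remote_scp_opens(typed_word: str):
    """Run both levels of interpretation on a word typed into the local shell."""
    _host, path = split_target(local_parse(typed_word))
    return remote_parse(path)


def scp_argv(user: str, host: str, remote_path: str, local_dest: str = "."):
    """argv for subprocess.run (no local shell involved), with the remote path
    quoted once so the remote shell passes it through verbatim. Hypothetical
    helper for programs that build scp command lines from untrusted names."""
    return ["scp", f"{user}@{host}:{shlex.quote(remote_path)}", local_dest]


if __name__ == "__main__":
    for typed in (TYPED_FIRST, TYPED_SECOND):
        print(f"{typed!r:40} -> remote scp sees {what_remote_scp_opens(typed)!r}")
    argv = scp_argv("lapo", "cyberx", "Luth'ol.pcg")
    print("programmatic argv:", argv)
    print("remote scp sees   ", remote_parse(split_target(argv[1])[1]))
```

Run stand-alone, the first typed form reproduces the "No closing quotation" failure from the digest, the second yields `Luth'ol.pcg`, and the programmatically quoted form yields the literal file name with a single level of quoting. Quoting the remote path this way also disables the remote glob expansion Ben relies on (`dir/\*`), so a tool that wants remote wildcards has to leave them unquoted deliberately rather than by accident.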



