openssh-unix-dev digest, Vol 1 #505 - 15 msgs
Leonard Raphael
raphale1 at icpd.sonera.fi
Thu Jul 25 15:40:26 EST 2002
subscribe openssh-unix-dev at mindrot.org
> Send openssh-unix-dev mailing list submissions to
> openssh-unix-dev at mindrot.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> or, via email, send a message with subject or body 'help' to
> openssh-unix-dev-request at mindrot.org
>
> You can reach the person managing the list at
> openssh-unix-dev-admin at mindrot.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of openssh-unix-dev digest..."
>
>
> Today's Topics:
>
> 1. Re: OpenSSH 3.4p1 hostbased auth - howto? (Tony Finch)
> 2. Re: OpenSSH 3.4p1 "PRNG is not seeded" (Lutz Jaenicke)
> 3. Re: ssh-keygen listing fingerprints little unclear (Markus Friedl)
> 4. Re: OpenSSH 3.4p1 hostbased auth - howto? (Markus Friedl)
> 5. scp bug? or is it intended? (Lapo Luchini)
> 6. Re: OpenSSH 3.4p1 hostbased auth - howto? (Tim Rice)
> 7. Re: scp bug? or is it intended? (Ben Lindstrom)
> 8. pam problems with securid patch (Edward Quick)
> 9. Re: OpenSSH 3.4p1 hostbased auth - howto? (Gert Doering)
> 10. Re: OpenSSH 3.4p1 hostbased auth - howto? (Gert Doering)
> 11. Re: privilege separation breaks dns lookups (Gert Doering)
> 12. Re: OpenSSH 3.4p1 hostbased auth - howto? (Tony Finch)
> 13. [Bug 369] New: Inconsistant exiit status from scp
> (bugzilla-daemon at mindrot.org)
> 14. [Bug 369] Inconsistant exiit status from scp
> (bugzilla-daemon at mindrot.org)
> 15. [Bug 369] Inconsistant exiit status from scp
> (bugzilla-daemon at mindrot.org)
>
> --__--__--
>
> Message: 1
> To: kevin at kevindegraaf.net
> From: Tony Finch <dot at dotat.at>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
> Date: Wed, 24 Jul 2002 12:09:43 +0100
>
> Kevin DeGraaf <kevin at kevindegraaf.net> wrote:
> >
> >5. On both machines, I created /etc/ssh/sshd_config:
> >
> >UsePrivilegeSeparation yes
>
> This is the problem. It's a manifestation of the bug I reported a month
> ago on this list with the subject "privilege separation breaks dns
> lookups".
> There is a patch but it hasn't been committed.
>
> Tony.
> --
> f.a.n.finch <dot at dotat.at> http://dotat.at/
> NORTH FITZROY SOLE LUNDY FASTNET: WEST OR SOUTHWEST 3 OR 4, INCREASING 5
> LATER. OCCASIONAL DRIZZLE. GOOD BECOMING MODERATE OR POOR.
>
> --__--__--
>
> Message: 2
> Date: Wed, 24 Jul 2002 15:00:38 +0200
> From: Lutz Jaenicke <Lutz.Jaenicke at aet.TU-Cottbus.DE>
> To: OpenSSH Development <openssh-unix-dev at mindrot.org>
> Subject: Re: OpenSSH 3.4p1 "PRNG is not seeded"
> Organization: BTU Cottbus, Allgemeine Elektrotechnik
>
> On Tue, Jul 23, 2002 at 07:42:59PM -0700, David Marshall wrote:
> > I upgraded from OpenSSH_3.0.2p1 to OpenSSH 3.4p1. Starting SSHD or
> > ssh-keygen I'm getting the "PRNG is not seeded".
> >
> > I have verified that prngd is running and "egc.pl
> /var/spool/prngd/pool get"
> > runs just fine reporting 32800 bits of entropy.
>
> Did you configure with "--with-prngd-socket=/var/spool/prngd/pool", such
> that OpenSSH picks up the socket? As /var/spool/prngd/pool is not one of
> the recommended standard locations (recommondations from OpenSSL for
> support
> in 0.9.7), it might not be picked up automatically.
>
> Best regards,
> Lutz
> --
> Lutz Jaenicke
> Lutz.Jaenicke at aet.TU-Cottbus.DE
> http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> BTU Cottbus, Allgemeine Elektrotechnik
> Universitaetsplatz 3-4, D-03044 Cottbus
>
> --__--__--
>
> Message: 3
> Date: Wed, 24 Jul 2002 15:54:24 +0200
> From: Markus Friedl <markus at openbsd.org>
> To: Magnus Bodin <magnus at bodin.org>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: ssh-keygen listing fingerprints little unclear
>
> nice, do you have a patch?
>
> On Wed, Jul 24, 2002 at 09:35:34AM +0200, Magnus Bodin wrote:
> >
> > Since ssh-keygen is not listing the _types_ of keys I have in my file,
> > wouldn't it be a good idea to make the -t switch filtering out the
> > selected type of key when doing a listing with -l?
> >
> > i.e. in this case I see both rsa1, rsa, and dss keys:
> >
> > $ ssh-keygen -l -f ~/.ssh/known_hosts
> >
> > 1024 a9:4f:0b:b6:33:d7:d0:ad:6a:11:b4:57:25:7e:1e:f8 fluff.x42.com
> > 1024 9d:f8:d4:62:dc:3d:fb:26:2a:03:f4:d3:5f:8b:df:39 pingu.framtid.nu
> > 1024 69:6a:0e:49:01:c6:ef:16:65:3e:26:39:21:e2:84:fe pingu.framtid.nu
> >
> > So if I do
> >
> > $ ssh-keygen -l -t rsa -f ~/.ssh/known_hosts
> >
> > I actually would like to see
> >
> > 1024 a9:4f:0b:b6:33:d7:d0:ad:6a:11:b4:57:25:7e:1e:f8 fluff.x42.com
> > 1024 69:6a:0e:49:01:c6:ef:16:65:3e:26:39:21:e2:84:fe pingu.framtid.nu
> >
> > Doesn't it make sense?
> > (or adding the types to the listing)
> >
> > /magnus
> >
> > --
> > http://x42.com/
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
> --__--__--
>
> Message: 4
> Date: Wed, 24 Jul 2002 15:53:50 +0200
> From: Markus Friedl <markus at openbsd.org>
> To: Tony Finch <dot at dotat.at>
> Cc: kevin at kevindegraaf.net, openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
>
> > This is the problem. It's a manifestation of the bug I reported a
> month
> > ago on this list with the subject "privilege separation breaks dns
> lookups".
> > There is a patch but it hasn't been committed.
>
> but there should be no DNS lookups in the unprivileged code...
>
> --__--__--
>
> Message: 5
> Date: Wed, 24 Jul 2002 16:00:40 +0200
> From: Lapo Luchini <lapo at lapo.it>
> Reply-To: Lapo Luchini <lapo at lapo.it>
> To: openssh-unix-dev at mindrot.org
> Subject: scp bug? or is it intended?
>
> Please enlightnen me on a subject, which is easily explained by example
> (cyberone is a Cygwin1.3.12/WinXPpro and cyberx is a FreeBSD with latest
>
> openssh-portable installed):
>
> lapo at CYBERONE ~
> $ scp lapo at cyberx:Luth\'ol.pcg .
> bash: -c: line 1: unexpected EOF while looking for matching `''
> bash: -c: line 2: syntax error: unexpected end of file
>
> lapo at CYBERONE ~
> $ scp lapo at cyberx:Luth\\\'ol.pcg .
> Luth'ol.pcg 100% |*****************************| 2066
> 00:00
>
> I guess that the fact that command line is interpreted also on remote
> side should be hidden from the user... IMHO first command line should
> work and second one should not.
>
> Please notice also that I'm not subscribed to this ML.
> If this behaviour is intended, sorry for the message, but then I'd say
> it should th least noted in the "man" page that the command line will be
>
> interpreted twice.
>
> OpenSSH in always better and better, keep up the good work =)
> Lapo
>
> --
> Lapo 'Raist' Luchini
> lapo at lapo.it (PGP & X.509 keys available)
> http://www.lapo.it (ICQ UIN: 529796)
>
>
> --__--__--
>
> Message: 6
> Date: Wed, 24 Jul 2002 07:08:57 -0700 (PDT)
> From: Tim Rice <tim at multitalents.net>
> To: Tony Finch <dot at dotat.at>
> Cc: kevin at kevindegraaf.net, <openssh-unix-dev at mindrot.org>
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
>
> On Wed, 24 Jul 2002, Tony Finch wrote:
>
> > Kevin DeGraaf <kevin at kevindegraaf.net> wrote:
> > >
> > >5. On both machines, I created /etc/ssh/sshd_config:
> > >
> > >UsePrivilegeSeparation yes
> >
> > This is the problem. It's a manifestation of the bug I reported a
> month
> > ago on this list with the subject "privilege separation breaks dns
> lookups".
> > There is a patch but it hasn't been committed.
>
> What platform are you on? It's working fine on my platforms.
>
> >
> > Tony.
> >
>
> --
> Tim Rice Multitalents (707) 887-1469
> tim at multitalents.net
>
>
>
> --__--__--
>
> Message: 7
> Date: Wed, 24 Jul 2002 09:04:13 -0500 (CDT)
> From: Ben Lindstrom <mouring at etoh.eviladmin.org>
> To: Lapo Luchini <lapo at lapo.it>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: scp bug? or is it intended?
>
>
> This is the correct behavior.
>
> Otherwise the following would not work:
>
> scp host.com:dir/\* .
>
> Remember scp on the other end runs in your shell. So you have to
> contend
> with double escapes (same with rcp) to gain the behavior you want.
>
> - Ben
>
> On Wed, 24 Jul 2002, Lapo Luchini wrote:
>
> > Please enlightnen me on a subject, which is easily explained by
> example
> > (cyberone is a Cygwin1.3.12/WinXPpro and cyberx is a FreeBSD with
> latest
> > openssh-portable installed):
> >
> > lapo at CYBERONE ~
> > $ scp lapo at cyberx:Luth\'ol.pcg .
> > bash: -c: line 1: unexpected EOF while looking for matching `''
> > bash: -c: line 2: syntax error: unexpected end of file
> >
> > lapo at CYBERONE ~
> > $ scp lapo at cyberx:Luth\\\'ol.pcg .
> > Luth'ol.pcg 100% |*****************************| 2066
> 00:00
> >
> > I guess that the fact that command line is interpreted also on remote
> > side should be hidden from the user... IMHO first command line should
> > work and second one should not.
> >
> > Please notice also that I'm not subscribed to this ML.
> > If this behaviour is intended, sorry for the message, but then I'd say
> > it should th least noted in the "man" page that the command line will
> be
> > interpreted twice.
> >
> > OpenSSH in always better and better, keep up the good work =)
> > Lapo
> >
> > --
> > Lapo 'Raist' Luchini
> > lapo at lapo.it (PGP & X.509 keys available)
> > http://www.lapo.it (ICQ UIN: 529796)
> >
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
>
>
> --__--__--
>
> Message: 8
> From: "Edward Quick" <edwardquick at hotmail.com>
> To: openssh-unix-dev at mindrot.org
> Subject: pam problems with securid patch
> Date: Wed, 24 Jul 2002 14:18:24 +0000
>
> Hi,
>
> I have the securID patch applied to openssh3.4p-1 and it's compiled with
>
> pam. The problem I'm getting is that SecurID auth works OK, but normal
> password auth doesn't. I narrowed down the failure to the following
> section
> in auth-pam.c :
>
> __pampasswd = password;
>
> pamstate = INITIAL_LOGIN;
> pam_retval = do_pam_authenticate(
> options.permit_empty_passwd == 0 ? PAM_DISALLOW_NULL_AUTHTOK
> :
> 0);
>
> but I can't see how this works. Can anyone enlighten me please? I know
> that
> the password is correct but pam_retval is still not equal to
> PAM_SUCCESS.
>
> Cheers,
>
> Ed.
>
> _________________________________________________________________
> Join the world's largest e-mail service with MSN Hotmail.
> http://www.hotmail.com
>
>
> --__--__--
>
> Message: 9
> Date: Wed, 24 Jul 2002 16:24:29 +0200
> From: Gert Doering <gert at greenie.muc.de>
> To: Markus Friedl <markus at openbsd.org>
> Cc: Tony Finch <dot at dotat.at>, kevin at kevindegraaf.net,
> openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
>
> Hi,
>
> On Wed, Jul 24, 2002 at 03:53:50PM +0200, Markus Friedl wrote:
> > > This is the problem. It's a manifestation of the bug I reported a
> month
> > > ago on this list with the subject "privilege separation breaks dns
> lookups".
> > > There is a patch but it hasn't been committed.
> > but there should be no DNS lookups in the unprivileged code...
>
> The protocol 1 / RhostsRSAAuthentication handler seems to be doing
> reverse
> lookups, and fails. This is how it looks here:
>
> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
> debug3: mm_answer_authpassword: sending result 0
> debug3: mm_request_receive_expect entering: type 11
> debug3: mm_request_send entering: type 11
> debug3: mm_request_receive entering
> Failed none for gert from 195.30.1.25 port 760
> debug3: mm_auth_password: user not authenticated
> debug3: mm_request_receive entering
> debug1: Trying rhosts with RSA host authentication for client user gert
> debug3: Trying to reverse map address 195.30.1.25.
> <long pause (about a minute)>
> Could not reverse map address 195.30.1.25.
> debug1: Rhosts RSA authentication: canonical host 195.30.1.25
> debug3: mm_key_allowed entering
> debug3: mm_request_send entering: type 20
> debug3: monitor_read: checking request 20
> debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
> debug3: mm_answer_keyallowed entering
> debug3: mm_request_receive_expect entering: type 21
> debug3: mm_answer_keyallowed: key_from_blob: 0x80951d0
> debug3: mm_request_receive entering
> debug3: Trying to reverse map address 195.30.1.25.
> debug2: auth_rhosts2: clientuser gert hostname moebius.space.net ipaddr
> 195.30.1.25
> debug1: restore_uid
> debug1: restore_uid
> debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
> debug3: check_host_in_hostfile: filename /home/gert/.ssh/known_hosts
> ...
>
> Without PrivSep, the log is as follows:
>
> debug1: Attempting authentication for gert.
> debug1: Trying rhosts with RSA host authentication for client user gert
> debug3: Trying to reverse map address 195.30.1.25.
> <no delay here>
> debug1: Rhosts RSA authentication: canonical host moebius.space.net
> debug2: auth_rhosts2: clientuser gert hostname moebius.space.net ipaddr
> 195.30.1.25
> debug1: restore_uid
> debug1: restore_uid
> debug3: check_host_in_hostfile: filename /etc/ssh/ssh_known_hosts
> debug3: check_host_in_hostfile: filename /home/gert/.ssh/known_hosts
>
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
>
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert.doering at physik.tu-muenchen.de
>
> --__--__--
>
> Message: 10
> Date: Wed, 24 Jul 2002 16:25:22 +0200
> From: Gert Doering <gert at greenie.muc.de>
> To: Tim Rice <tim at multitalents.net>
> Cc: Tony Finch <dot at dotat.at>, kevin at kevindegraaf.net,
> openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
>
> hi,
>
> On Wed, Jul 24, 2002 at 07:08:57AM -0700, Tim Rice wrote:
> > > This is the problem. It's a manifestation of the bug I reported a
> month
> > > ago on this list with the subject "privilege separation breaks dns
> lookups".
> > > There is a patch but it hasn't been committed.
> > What platform are you on? It's working fine on my platforms.
>
> I see this on FreeBSD 4.1.1-RELEASE.
>
> Interesting enough, FreeBSD 4.1 and 4.2 work fine.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert.doering at physik.tu-muenchen.de
>
> --__--__--
>
> Message: 11
> Date: Wed, 24 Jul 2002 16:32:08 +0200
> From: Gert Doering <gert at greenie.muc.de>
> To: Kevin Steves <kevin at atomicgears.com>
> Cc: Tony Finch <dot at dotat.at>, openssh-unix-dev at mindrot.org,
> stevesk at pobox.com
> Subject: Re: privilege separation breaks dns lookups
>
> Hi,
>
> On Sat, Jun 29, 2002 at 12:38:35PM -0700, Kevin Steves wrote:
> > On Wed, Jun 26, 2002 at 11:26:31PM +0100, Tony Finch wrote:
> > > When the unprivileged child has chrooted it can no longer open
> > > /etc/resolv.conf, so if the resolver hasn't yet initialized itself
> then
> > > dns lookups will not be possible. This is unfortunately what
> normally
> > > happens, but sshd falls back gracefully.
> >
> > can you try this?
> >
> > Index: sshd.c
> > ===================================================================
> [..]
> > error("setsockopt SO_KEEPALIVE: %.100s",
> strerror(errno));
> > +
> > + /*
> > + * Initialize the resolver. This may not happen automatically
> > + * before privsep chroot().
> > + */
> > + if ((_res.options & RES_INIT) == 0) {
> > + debug("res_init()");
> > + res_init();
> > + }
>
> I won't claim to understand why it is necessary, but your patch fixes
> the
> "wait a minute" problem when logging into a FreeBSD 4.1.1-RELEASE
> machine
> with PrivSep and RhostsRSAAuthentication enabled.
>
> Sorry for not responding more quickly - I passed this to a colleague who
> just didn't do the test :-(
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
>
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert.doering at physik.tu-muenchen.de
>
> --__--__--
>
> Message: 12
> Date: Wed, 24 Jul 2002 16:26:42 +0100
> From: Tony Finch <dot at dotat.at>
> To: Markus Friedl <markus at openbsd.org>
> Cc: Tony Finch <dot at dotat.at>, kevin at kevindegraaf.net,
> openssh-unix-dev at mindrot.org
> Subject: Re: OpenSSH 3.4p1 hostbased auth - howto?
>
> On Wed, Jul 24, 2002 at 03:53:50PM +0200, Markus Friedl wrote:
> > > This is the problem. It's a manifestation of the bug I reported a
> month
> > > ago on this list with the subject "privilege separation breaks dns
> lookups".
> > > There is a patch but it hasn't been committed.
> >
> > but there should be no DNS lookups in the unprivileged code...
>
> This is on FreeBSD-4.6-STABLE using the openssh-portable port (which is
> 3.4p1) The backtrace of the offending DNS lookup is
>
> #0 0x8061450 in get_remote_hostname (socket=5,
> verify_reverse_mapping=0) at canohost.c:81
> #1 0x8061714 in get_canonical_hostname (verify_reverse_mapping=0) at
> canohost.c:194
> #2 0x8050021 in input_userauth_request (type=50, seq=5, ctxt=0x80990c0)
> at auth2.c:147
> #3 0x8067fcf in dispatch_run (mode=0, done=0x80990c0, ctxt=0x80990c0)
> at dispatch.c:93
> #4 0x804fef8 in do_authentication2 () at auth2.c:96
> #5 0x804e365 in main (ac=4, av=0xbfbffab0) at sshd.c:1507
>
> The call to get_canonical_hostname in input_userauth_request is part of
> the FreeBSD patch set, so I'll report the bug to them.
>
> Tony.
> --
> f.a.n.finch <dot at dotat.at> http://dotat.at/
> FISHER GERMAN BIGHT: WEST OR NORTHWEST 5 OR 6, BUT 7 IN NORTHEAST FISHER
> AT
> FIRST, DECREASING 4 IN SOUTHWEST FISHER AND IN GERMAN BIGHT. SHOWERS.
> GOOD.
>
> --__--__--
>
> Message: 13
> From: bugzilla-daemon at mindrot.org
> To: openssh-unix-dev at mindrot.org
> Subject: [Bug 369] New: Inconsistant exiit status from scp
> Date: Thu, 25 Jul 2002 04:05:54 +1000 (EST)
>
> http://bugzilla.mindrot.org/show_bug.cgi?id=369
>
> Summary: Inconsistant exiit status from scp
> Product: Portable OpenSSH
> Version: 3.0.2p1
> Platform: ix86
> OS/Version: FreeBSD
> Status: NEW
> Severity: normal
> Priority: P2
> Component: scp
> AssignedTo: openssh-unix-dev at mindrot.org
> ReportedBy: oberman at es.net
>
>
> Teh man page states that scp returns 0 for success and >0 for failure.
> This is
> non-standard.
> Worse, it may return 0 after a failure.
> scp -B bogus at system:file1 file1
> If authentication fails, the string "Permision denied" is sent to
> STDERR, but
> the status is 0, making this indistinguishable from success without an
> extra
> check of
> the test sent to STDERR.
>
>
>
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
>
> --__--__--
>
> Message: 14
> From: bugzilla-daemon at mindrot.org
> To: openssh-unix-dev at mindrot.org
> Subject: [Bug 369] Inconsistant exiit status from scp
> Date: Thu, 25 Jul 2002 04:25:43 +1000 (EST)
>
> http://bugzilla.mindrot.org/show_bug.cgi?id=369
>
>
>
>
>
> ------- Additional Comments From markus at openbsd.org 2002-07-25 04:25
> -------
> 0 for success and >0 for failure _is_ standard on unix.
>
>
>
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
>
> --__--__--
>
> Message: 15
> From: bugzilla-daemon at mindrot.org
> To: openssh-unix-dev at mindrot.org
> Subject: [Bug 369] Inconsistant exiit status from scp
> Date: Thu, 25 Jul 2002 04:26:46 +1000 (EST)
>
> http://bugzilla.mindrot.org/show_bug.cgi?id=369
>
>
>
>
>
> ------- Additional Comments From markus at openbsd.org 2002-07-25 04:26
> -------
> scp chould check ssh's exit status.
>
>
>
> ------- You are receiving this mail because: -------
> You are the assignee for the bug, or are watching the assignee.
>
>
> --__--__--
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>
> End of openssh-unix-dev Digest
>
More information about the openssh-unix-dev
mailing list